Home| summaryrefslogtreecommitdiff |
diff options
| author | Kernel Build Daemon <kbuild@suse.de> | 2019-02-22 07:01:08 +0100 |
|---|---|---|
| committer | Kernel Build Daemon <kbuild@suse.de> | 2019-02-22 07:01:08 +0100 |
| commit | 23a9ccb5cae9f391afe8f418681bd01809802537 (patch) | |
| tree | a9e5515c90a31d59817cc6800845f4131f8ae22f | |
| parent | 7e31bdd77345b8eda56d5a7828744ec5d5014d7a (diff) | |
| parent | 047a6d3830bd9a82ac9e3255f163d70303839117 (diff) | |
Merge branch 'SLE12-SP3' into SLE12-SP3-AZURESLE12-SP3-AZURE
159 files changed, 9164 insertions, 745 deletions
diff --git a/patches.arch/0015-x86-platform-uv-add-obtaining-gam-range-table-from-uv-bios b/patches.arch/0015-x86-platform-uv-add-obtaining-gam-range-table-from-uv-bios index c9d3e1bf1f..88d15f5996 100644 --- a/patches.arch/0015-x86-platform-uv-add-obtaining-gam-range-table-from-uv-bios +++ b/patches.arch/0015-x86-platform-uv-add-obtaining-gam-range-table-from-uv-bios @@ -33,15 +33,15 @@ Link: http://lkml.kernel.org/r/20160429215405.329827545@asylum.americas.sgi.com Signed-off-by: Ingo Molnar <mingo@kernel.org> Acked-by: Joerg Roedel <jroedel@suse.de> --- - arch/x86/include/asm/uv/bios.h | 59 +++++++++++++++++++++++++++++++++++++++-- - arch/x86/platform/uv/bios_uv.c | 48 ++++++++++++++++----------------- - arch/x86/platform/uv/uv_sysfs.c | 2 +- + arch/x86/include/asm/uv/bios.h | 59 ++++++++++++++++++++++++++++++++++++++-- + arch/x86/platform/uv/bios_uv.c | 48 +++++++++++++++----------------- + arch/x86/platform/uv/uv_sysfs.c | 2 - 3 files changed, 81 insertions(+), 28 deletions(-) --- a/arch/x86/include/asm/uv/bios.h +++ b/arch/x86/include/asm/uv/bios.h -@@ -51,15 +51,66 @@ enum { - BIOS_STATUS_UNAVAIL = -EBUSY +@@ -52,15 +52,66 @@ enum { + BIOS_STATUS_ABORT = -EINTR, }; +/* Address map parameters */ @@ -108,7 +108,7 @@ Acked-by: Joerg Roedel <jroedel@suse.de> enum { BIOS_FREQ_BASE_PLATFORM = 0, -@@ -99,7 +150,11 @@ extern s64 uv_bios_change_memprotect(u64 +@@ -100,7 +151,11 @@ extern s64 uv_bios_change_memprotect(u64 extern s64 uv_bios_reserved_page_pa(u64, u64 *, u64 *, u64 *); extern int uv_bios_set_legacy_vga_target(bool decode, int domain, int bus); @@ -120,7 +120,7 @@ Acked-by: Joerg Roedel <jroedel@suse.de> extern unsigned long sn_rtc_cycles_per_second; extern int uv_type; -@@ -107,7 +162,7 @@ extern long sn_partition_id; +@@ -108,7 +163,7 @@ extern long sn_partition_id; extern long sn_coherency_id; extern long sn_region_size; extern long system_serial_number; @@ -131,7 +131,7 @@ Acked-by: Joerg Roedel <jroedel@suse.de> --- a/arch/x86/platform/uv/bios_uv.c +++ b/arch/x86/platform/uv/bios_uv.c -@@ -21,19 +21,20 @@ +@@ -21,20 +21,21 @@ #include <linux/efi.h> #include <linux/export.h> @@ -144,7 +144,8 @@ Acked-by: Joerg Roedel <jroedel@suse.de> -static struct uv_systab uv_systab; +struct uv_systab *uv_systab; - s64 uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, u64 a4, u64 a5) + static s64 __uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, + u64 a4, u64 a5) { - struct uv_systab *tab = &uv_systab; + struct uv_systab *tab = uv_systab; @@ -155,7 +156,7 @@ Acked-by: Joerg Roedel <jroedel@suse.de> /* * BIOS does not support UV systab */ -@@ -183,34 +184,31 @@ int uv_bios_set_legacy_vga_target(bool d +@@ -202,34 +203,31 @@ int uv_bios_set_legacy_vga_target(bool d } EXPORT_SYMBOL_GPL(uv_bios_set_legacy_vga_target); diff --git a/patches.arch/arm64-bsc1031492-0077-KVM-arm-arm64-Move-shared-files-to-virt-kvm-arm.patch b/patches.arch/arm64-bsc1031492-0077-KVM-arm-arm64-Move-shared-files-to-virt-kvm-arm.patch index ef7c5a6581..80baae6ed9 100644 --- a/patches.arch/arm64-bsc1031492-0077-KVM-arm-arm64-Move-shared-files-to-virt-kvm-arm.patch +++ b/patches.arch/arm64-bsc1031492-0077-KVM-arm-arm64-Move-shared-files-to-virt-kvm-arm.patch @@ -25,22 +25,22 @@ Signed-off-by: Alexander Graf <agraf@suse.de> --- arch/arm/kvm/Makefile | 7 - arch/arm/kvm/arm.c | 1483 ---------------------------------- - arch/arm/kvm/mmio.c | 217 ---- + arch/arm/kvm/arm.c | 1476 --------------------------------- + arch/arm/kvm/mmio.c | 218 ----- arch/arm/kvm/mmu.c | 2001 ---------------------------------------------- arch/arm/kvm/perf.c | 68 - arch/arm/kvm/psci.c | 332 ------- arch/arm/kvm/trace.h | 247 ----- arch/arm64/kvm/Makefile | 5 - virt/kvm/arm/arm.c | 1483 ++++++++++++++++++++++++++++++++++ - virt/kvm/arm/mmio.c | 217 ++++ + virt/kvm/arm/arm.c | 1476 +++++++++++++++++++++++++++++++++ + virt/kvm/arm/mmio.c | 218 +++++ virt/kvm/arm/mmu.c | 2001 ++++++++++++++++++++++++++++++++++++++++++++++ virt/kvm/arm/perf.c | 68 + virt/kvm/arm/psci.c | 332 +++++++ virt/kvm/arm/trace.h | 246 +++++ virt/kvm/arm/vgic/trace.h | 37 virt/kvm/arm/vgic/vgic.c | 2 - 16 files changed, 4381 insertions(+), 4365 deletions(-) + 16 files changed, 4375 insertions(+), 4359 deletions(-) delete mode 100644 arch/arm/kvm/arm.c delete mode 100644 arch/arm/kvm/mmio.c delete mode 100644 arch/arm/kvm/mmu.c @@ -1551,7 +1551,7 @@ Signed-off-by: Alexander Graf <agraf@suse.de> -module_init(arm_init); --- a/arch/arm/kvm/mmio.c +++ /dev/null -@@ -1,217 +0,0 @@ +@@ -1,218 +0,0 @@ -/* - * Copyright (C) 2012 - Virtual Open Systems and Columbia University - * Author: Christoffer Dall <c.dall@virtualopensystems.com> @@ -1671,6 +1671,12 @@ Signed-off-by: Alexander Graf <agraf@suse.de> - vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data); - } - +- /* +- * The MMIO instruction is emulated and should not be re-executed +- * in the guest. +- */ +- kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu)); +- - return 0; -} - @@ -1698,11 +1704,6 @@ Signed-off-by: Alexander Graf <agraf@suse.de> - vcpu->arch.mmio_decode.sign_extend = sign_extend; - vcpu->arch.mmio_decode.rt = rt; - -- /* -- * The MMIO instruction is emulated and should not be re-executed -- * in the guest. -- */ -- kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu)); - return 0; -} - @@ -5949,7 +5950,7 @@ Signed-off-by: Alexander Graf <agraf@suse.de> +module_init(arm_init); --- /dev/null +++ b/virt/kvm/arm/mmio.c -@@ -0,0 +1,217 @@ +@@ -0,0 +1,218 @@ +/* + * Copyright (C) 2012 - Virtual Open Systems and Columbia University + * Author: Christoffer Dall <c.dall@virtualopensystems.com> @@ -6069,6 +6070,12 @@ Signed-off-by: Alexander Graf <agraf@suse.de> + vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data); + } + ++ /* ++ * The MMIO instruction is emulated and should not be re-executed ++ * in the guest. ++ */ ++ kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu)); ++ + return 0; +} + @@ -6096,11 +6103,6 @@ Signed-off-by: Alexander Graf <agraf@suse.de> + vcpu->arch.mmio_decode.sign_extend = sign_extend; + vcpu->arch.mmio_decode.rt = rt; + -+ /* -+ * The MMIO instruction is emulated and should not be re-executed -+ * in the guest. -+ */ -+ kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu)); + return 0; +} + diff --git a/patches.drivers/0088-fs-have-submit_bh-users-pass-in-op-and-flags-separat.patch b/patches.drivers/0088-fs-have-submit_bh-users-pass-in-op-and-flags-separat.patch index 0c60fab6e3..a34c92475e 100644 --- a/patches.drivers/0088-fs-have-submit_bh-users-pass-in-op-and-flags-separat.patch +++ b/patches.drivers/0088-fs-have-submit_bh-users-pass-in-op-and-flags-separat.patch @@ -15,43 +15,41 @@ Reviewed-by: Hannes Reinecke <hare@suse.com> Signed-off-by: Jens Axboe <axboe@fb.com> Acked-by: Hannes Reinecke <hare@suse.de> --- - drivers/md/bitmap.c | 4 ++-- - fs/btrfs/check-integrity.c | 24 ++++++++++---------- - fs/btrfs/check-integrity.h | 2 +- - fs/btrfs/disk-io.c | 4 ++-- - fs/buffer.c | 53 +++++++++++++++++++++++---------------------- - fs/ext4/balloc.c | 2 +- - fs/ext4/ialloc.c | 2 +- - fs/ext4/inode.c | 2 +- - fs/ext4/mmp.c | 4 ++-- - fs/fat/misc.c | 2 +- - fs/gfs2/bmap.c | 2 +- - fs/gfs2/dir.c | 2 +- - fs/gfs2/meta_io.c | 8 +++---- - fs/jbd2/commit.c | 6 ++--- - fs/jbd2/journal.c | 8 +++---- - fs/nilfs2/btnode.c | 6 ++--- - fs/nilfs2/btnode.h | 2 +- - fs/nilfs2/btree.c | 6 +++-- - fs/nilfs2/gcinode.c | 5 +++-- - fs/nilfs2/mdt.c | 11 +++++----- - fs/ntfs/aops.c | 6 ++--- - fs/ntfs/compress.c | 2 +- - fs/ntfs/file.c | 2 +- - fs/ntfs/logfile.c | 2 +- - fs/ntfs/mft.c | 4 ++-- - fs/ocfs2/buffer_head_io.c | 8 +++---- - fs/reiserfs/inode.c | 4 ++-- - fs/reiserfs/journal.c | 6 ++--- - fs/ufs/util.c | 2 +- - include/linux/buffer_head.h | 9 ++++---- + drivers/md/bitmap.c | 4 +-- + fs/btrfs/check-integrity.c | 24 +++++++++---------- + fs/btrfs/check-integrity.h | 2 - + fs/btrfs/disk-io.c | 4 +-- + fs/buffer.c | 53 ++++++++++++++++++++++---------------------- + fs/ext4/balloc.c | 2 - + fs/ext4/ialloc.c | 2 - + fs/ext4/inode.c | 2 - + fs/ext4/mmp.c | 4 +-- + fs/fat/misc.c | 2 - + fs/gfs2/bmap.c | 2 - + fs/gfs2/dir.c | 2 - + fs/gfs2/meta_io.c | 8 +++--- + fs/jbd2/commit.c | 6 ++-- + fs/jbd2/journal.c | 8 +++--- + fs/nilfs2/btnode.c | 6 ++-- + fs/nilfs2/btnode.h | 2 - + fs/nilfs2/btree.c | 6 +++- + fs/nilfs2/gcinode.c | 5 ++-- + fs/nilfs2/mdt.c | 11 ++++----- + fs/ntfs/aops.c | 6 ++-- + fs/ntfs/compress.c | 2 - + fs/ntfs/file.c | 2 - + fs/ntfs/logfile.c | 2 - + fs/ntfs/mft.c | 4 +-- + fs/ocfs2/buffer_head_io.c | 8 +++--- + fs/reiserfs/inode.c | 4 +-- + fs/reiserfs/journal.c | 6 ++-- + fs/ufs/util.c | 2 - + include/linux/buffer_head.h | 9 ++++--- 30 files changed, 103 insertions(+), 97 deletions(-) -diff --git a/drivers/md/bitmap.c b/drivers/md/bitmap.c -index c160055..4829e1c 100644 --- a/drivers/md/bitmap.c +++ b/drivers/md/bitmap.c -@@ -297,7 +297,7 @@ static void write_page(struct bitmap *bitmap, struct page *page, int wait) +@@ -297,7 +297,7 @@ static void write_page(struct bitmap *bi atomic_inc(&bitmap->pending_writes); set_buffer_locked(bh); set_buffer_mapped(bh); @@ -60,7 +58,7 @@ index c160055..4829e1c 100644 bh = bh->b_this_page; } -@@ -392,7 +392,7 @@ static int read_page(struct file *file, unsigned long index, +@@ -392,7 +392,7 @@ static int read_page(struct file *file, atomic_inc(&bitmap->pending_writes); set_buffer_locked(bh); set_buffer_mapped(bh); @@ -69,11 +67,9 @@ index c160055..4829e1c 100644 } block++; bh = bh->b_this_page; -diff --git a/fs/btrfs/check-integrity.c b/fs/btrfs/check-integrity.c -index dff4ab4..036598f 100644 --- a/fs/btrfs/check-integrity.c +++ b/fs/btrfs/check-integrity.c -@@ -2898,12 +2898,12 @@ static struct btrfsic_dev_state *btrfsic_dev_state_lookup( +@@ -2898,12 +2898,12 @@ static struct btrfsic_dev_state *btrfsic return ds; } @@ -88,7 +84,7 @@ index dff4ab4..036598f 100644 mutex_lock(&btrfsic_mutex); /* since btrfsic_submit_bh() might also be called before -@@ -2912,26 +2912,26 @@ int btrfsic_submit_bh(int rw, struct buffer_head *bh) +@@ -2912,26 +2912,26 @@ int btrfsic_submit_bh(int rw, struct buf /* Only called to write the superblock (incl. FLUSH/FUA) */ if (NULL != dev_state && @@ -123,7 +119,7 @@ index dff4ab4..036598f 100644 if (!dev_state->dummy_block_for_bio_bh_flush.is_iodone) { if ((dev_state->state->print_mask & (BTRFSIC_PRINT_MASK_SUBMIT_BIO_BH | -@@ -2949,7 +2949,7 @@ int btrfsic_submit_bh(int rw, struct buffer_head *bh) +@@ -2949,7 +2949,7 @@ int btrfsic_submit_bh(int rw, struct buf block->never_written = 0; block->iodone_w_error = 0; block->flush_gen = dev_state->last_flush_gen + 1; @@ -132,7 +128,7 @@ index dff4ab4..036598f 100644 block->orig_bio_bh_private = bh->b_private; block->orig_bio_bh_end_io.bh = bh->b_end_io; block->next_in_same_bio = NULL; -@@ -2958,7 +2958,7 @@ int btrfsic_submit_bh(int rw, struct buffer_head *bh) +@@ -2958,7 +2958,7 @@ int btrfsic_submit_bh(int rw, struct buf } } mutex_unlock(&btrfsic_mutex); @@ -141,8 +137,6 @@ index dff4ab4..036598f 100644 } static void __btrfsic_submit_bio(struct bio *bio) -diff --git a/fs/btrfs/check-integrity.h b/fs/btrfs/check-integrity.h -index c04e249..f78dff1 100644 --- a/fs/btrfs/check-integrity.h +++ b/fs/btrfs/check-integrity.h @@ -20,7 +20,7 @@ @@ -154,11 +148,9 @@ index c04e249..f78dff1 100644 void btrfsic_submit_bio(struct bio *bio); int btrfsic_submit_bio_wait(struct bio *bio); #else -diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c -index 3f41f08..ced8279 100644 --- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c -@@ -3369,9 +3369,9 @@ static int write_dev_supers(struct btrfs_device *device, +@@ -3304,9 +3304,9 @@ static int write_dev_supers(struct btrfs * to go down lazy. */ if (i == 0) @@ -170,8 +162,6 @@ index 3f41f08..ced8279 100644 if (ret) errors++; } -diff --git a/fs/buffer.c b/fs/buffer.c -index ffef54d..bc13eeb 100644 --- a/fs/buffer.c +++ b/fs/buffer.c @@ -45,7 +45,7 @@ @@ -183,7 +173,7 @@ index ffef54d..bc13eeb 100644 unsigned long bio_flags, struct writeback_control *wbc); -@@ -1236,7 +1236,7 @@ static struct buffer_head *__bread_slow(struct buffer_head *bh) +@@ -1236,7 +1236,7 @@ static struct buffer_head *__bread_slow( } else { get_bh(bh); bh->b_end_io = end_buffer_read_sync; @@ -192,7 +182,7 @@ index ffef54d..bc13eeb 100644 wait_on_buffer(bh); if (buffer_uptodate(bh)) return bh; -@@ -1708,7 +1708,7 @@ static int __block_write_full_page(struct inode *inode, struct page *page, +@@ -1708,7 +1708,7 @@ static int __block_write_full_page(struc struct buffer_head *bh, *head; unsigned int blocksize, bbits; int nr_underway = 0; @@ -201,7 +191,7 @@ index ffef54d..bc13eeb 100644 head = create_page_buffers(page, inode, (1 << BH_Dirty)|(1 << BH_Uptodate)); -@@ -1797,7 +1797,7 @@ static int __block_write_full_page(struct inode *inode, struct page *page, +@@ -1797,7 +1797,7 @@ static int __block_write_full_page(struc do { struct buffer_head *next = bh->b_this_page; if (buffer_async_write(bh)) { @@ -219,7 +209,7 @@ index ffef54d..bc13eeb 100644 nr_underway++; } bh = next; -@@ -2259,7 +2259,7 @@ int block_read_full_page(struct page *page, get_block_t *get_block) +@@ -2259,7 +2259,7 @@ int block_read_full_page(struct page *pa if (buffer_uptodate(bh)) end_buffer_async_read(bh, 1); else @@ -228,7 +218,7 @@ index ffef54d..bc13eeb 100644 } return 0; } -@@ -2593,7 +2593,7 @@ int nobh_write_begin(struct address_space *mapping, +@@ -2593,7 +2593,7 @@ int nobh_write_begin(struct address_spac if (block_start < from || block_end > to) { lock_buffer(bh); bh->b_end_io = end_buffer_read_nobh; @@ -237,7 +227,7 @@ index ffef54d..bc13eeb 100644 nr_reads++; } } -@@ -2960,7 +2960,7 @@ static void end_bio_bh_io_sync(struct bio *bio) +@@ -2960,7 +2960,7 @@ static void end_bio_bh_io_sync(struct bi * errors, this only handles the "we need to be able to * do IO at the final sector" case. */ @@ -246,7 +236,7 @@ index ffef54d..bc13eeb 100644 { sector_t maxsector; struct bio_vec *bvec = &bio->bi_io_vec[bio->bi_vcnt - 1]; -@@ -2990,13 +2990,13 @@ void guard_bio_eod(int rw, struct bio *bio) +@@ -2990,13 +2990,13 @@ void guard_bio_eod(int rw, struct bio *b bvec->bv_len -= truncated_bytes; /* ..and clear the end of the buffer for reads */ @@ -262,7 +252,7 @@ index ffef54d..bc13eeb 100644 unsigned long bio_flags, struct writeback_control *wbc) { struct bio *bio; -@@ -3010,7 +3010,7 @@ static int submit_bh_wbc(int rw, struct buffer_head *bh, +@@ -3010,7 +3010,7 @@ static int submit_bh_wbc(int rw, struct /* * Only clear out a write error when rewriting */ @@ -271,7 +261,7 @@ index ffef54d..bc13eeb 100644 clear_buffer_write_io_error(bh); /* -@@ -3035,27 +3035,28 @@ static int submit_bh_wbc(int rw, struct buffer_head *bh, +@@ -3035,27 +3035,28 @@ static int submit_bh_wbc(int rw, struct bio->bi_flags |= bio_flags; /* Take care of bh's that straddle the end of the device */ @@ -308,7 +298,7 @@ index ffef54d..bc13eeb 100644 } EXPORT_SYMBOL(submit_bh); -@@ -3097,14 +3098,14 @@ void ll_rw_block(int rw, int nr, struct buffer_head *bhs[]) +@@ -3097,14 +3098,14 @@ void ll_rw_block(int rw, int nr, struct if (test_clear_buffer_dirty(bh)) { bh->b_end_io = end_buffer_write_sync; get_bh(bh); @@ -325,7 +315,7 @@ index ffef54d..bc13eeb 100644 continue; } } -@@ -3113,7 +3114,7 @@ void ll_rw_block(int rw, int nr, struct buffer_head *bhs[]) +@@ -3113,7 +3114,7 @@ void ll_rw_block(int rw, int nr, struct } EXPORT_SYMBOL(ll_rw_block); @@ -334,7 +324,7 @@ index ffef54d..bc13eeb 100644 { lock_buffer(bh); if (!test_clear_buffer_dirty(bh)) { -@@ -3122,7 +3123,7 @@ void write_dirty_buffer(struct buffer_head *bh, int rw) +@@ -3122,7 +3123,7 @@ void write_dirty_buffer(struct buffer_he } bh->b_end_io = end_buffer_write_sync; get_bh(bh); @@ -352,7 +342,7 @@ index ffef54d..bc13eeb 100644 { int ret = 0; -@@ -3140,7 +3141,7 @@ int __sync_dirty_buffer(struct buffer_head *bh, int rw) +@@ -3140,7 +3141,7 @@ int __sync_dirty_buffer(struct buffer_he if (test_clear_buffer_dirty(bh)) { get_bh(bh); bh->b_end_io = end_buffer_write_sync; @@ -361,7 +351,7 @@ index ffef54d..bc13eeb 100644 wait_on_buffer(bh); if (!ret && !buffer_uptodate(bh)) ret = -EIO; -@@ -3403,7 +3404,7 @@ int bh_submit_read(struct buffer_head *bh) +@@ -3403,7 +3404,7 @@ int bh_submit_read(struct buffer_head *b get_bh(bh); bh->b_end_io = end_buffer_read_sync; @@ -370,11 +360,9 @@ index ffef54d..bc13eeb 100644 wait_on_buffer(bh); if (buffer_uptodate(bh)) return 0; -diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c -index 1ea5054..2dacc9c0 100644 --- a/fs/ext4/balloc.c +++ b/fs/ext4/balloc.c -@@ -473,7 +473,7 @@ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group) +@@ -493,7 +493,7 @@ ext4_read_block_bitmap_nowait(struct sup trace_ext4_read_block_bitmap_load(sb, block_group); bh->b_end_io = ext4_end_bitmap_read; get_bh(bh); @@ -383,11 +371,9 @@ index 1ea5054..2dacc9c0 100644 return bh; verify: err = ext4_validate_block_bitmap(sb, desc, block_group, bh); -diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c -index 5388207..1348763 100644 --- a/fs/ext4/ialloc.c +++ b/fs/ext4/ialloc.c -@@ -214,7 +214,7 @@ ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group) +@@ -192,7 +192,7 @@ ext4_read_inode_bitmap(struct super_bloc trace_ext4_load_inode_bitmap(sb, block_group); bh->b_end_io = ext4_end_bitmap_read; get_bh(bh); @@ -396,11 +382,9 @@ index 5388207..1348763 100644 wait_on_buffer(bh); if (!buffer_uptodate(bh)) { put_bh(bh); -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c -index f18b96905..8e0d5c4 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c -@@ -4303,7 +4303,7 @@ make_io: +@@ -4340,7 +4340,7 @@ make_io: trace_ext4_load_inode(inode); get_bh(bh); bh->b_end_io = end_buffer_read_sync; @@ -409,11 +393,9 @@ index f18b96905..8e0d5c4 100644 wait_on_buffer(bh); if (!buffer_uptodate(bh)) { EXT4_ERROR_INODE_BLOCK(inode, block, -diff --git a/fs/ext4/mmp.c b/fs/ext4/mmp.c -index ec67ce3..517d902 100644 --- a/fs/ext4/mmp.c +++ b/fs/ext4/mmp.c -@@ -52,7 +52,7 @@ static int write_mmp_block(struct super_block *sb, struct buffer_head *bh) +@@ -51,7 +51,7 @@ static int write_mmp_block(struct super_ lock_buffer(bh); bh->b_end_io = end_buffer_write_sync; get_bh(bh); @@ -422,7 +404,7 @@ index ec67ce3..517d902 100644 wait_on_buffer(bh); sb_end_write(sb); if (unlikely(!buffer_uptodate(bh))) -@@ -88,7 +88,7 @@ static int read_mmp_block(struct super_block *sb, struct buffer_head **bh, +@@ -87,7 +87,7 @@ static int read_mmp_block(struct super_b get_bh(*bh); lock_buffer(*bh); (*bh)->b_end_io = end_buffer_read_sync; @@ -431,11 +413,9 @@ index ec67ce3..517d902 100644 wait_on_buffer(*bh); if (!buffer_uptodate(*bh)) { brelse(*bh); -diff --git a/fs/fat/misc.c b/fs/fat/misc.c -index c4589e9..8a86981 100644 --- a/fs/fat/misc.c +++ b/fs/fat/misc.c -@@ -267,7 +267,7 @@ int fat_sync_bhs(struct buffer_head **bhs, int nr_bhs) +@@ -267,7 +267,7 @@ int fat_sync_bhs(struct buffer_head **bh int i, err = 0; for (i = 0; i < nr_bhs; i++) @@ -444,11 +424,9 @@ index c4589e9..8a86981 100644 for (i = 0; i < nr_bhs; i++) { wait_on_buffer(bhs[i]); -diff --git a/fs/gfs2/bmap.c b/fs/gfs2/bmap.c -index 61296ec..967154c 100644 --- a/fs/gfs2/bmap.c +++ b/fs/gfs2/bmap.c -@@ -285,7 +285,7 @@ static void gfs2_metapath_ra(struct gfs2_glock *gl, +@@ -285,7 +285,7 @@ static void gfs2_metapath_ra(struct gfs2 if (trylock_buffer(rabh)) { if (!buffer_uptodate(rabh)) { rabh->b_end_io = end_buffer_read_sync; @@ -457,11 +435,9 @@ index 61296ec..967154c 100644 continue; } unlock_buffer(rabh); -diff --git a/fs/gfs2/dir.c b/fs/gfs2/dir.c -index ad8a5b7..d16f556 100644 --- a/fs/gfs2/dir.c +++ b/fs/gfs2/dir.c -@@ -1423,7 +1423,7 @@ static void gfs2_dir_readahead(struct inode *inode, unsigned hsize, u32 index, +@@ -1423,7 +1423,7 @@ static void gfs2_dir_readahead(struct in continue; } bh->b_end_io = end_buffer_read_sync; @@ -470,11 +446,9 @@ index ad8a5b7..d16f556 100644 continue; } brelse(bh); -diff --git a/fs/gfs2/meta_io.c b/fs/gfs2/meta_io.c -index 0e1d4be..ff483bc 100644 --- a/fs/gfs2/meta_io.c +++ b/fs/gfs2/meta_io.c -@@ -37,8 +37,8 @@ static int gfs2_aspace_writepage(struct page *page, struct writeback_control *wb +@@ -37,8 +37,8 @@ static int gfs2_aspace_writepage(struct { struct buffer_head *bh, *head; int nr_underway = 0; @@ -485,7 +459,7 @@ index 0e1d4be..ff483bc 100644 BUG_ON(!PageLocked(page)); BUG_ON(!page_has_buffers(page)); -@@ -79,7 +79,7 @@ static int gfs2_aspace_writepage(struct page *page, struct writeback_control *wb +@@ -79,7 +79,7 @@ static int gfs2_aspace_writepage(struct do { struct buffer_head *next = bh->b_this_page; if (buffer_async_write(bh)) { @@ -494,7 +468,7 @@ index 0e1d4be..ff483bc 100644 nr_underway++; } bh = next; -@@ -217,7 +217,7 @@ int gfs2_meta_read(struct gfs2_glock *gl, u64 blkno, int flags, +@@ -217,7 +217,7 @@ int gfs2_meta_read(struct gfs2_glock *gl } bh->b_end_io = end_buffer_read_sync; get_bh(bh); @@ -503,11 +477,9 @@ index 0e1d4be..ff483bc 100644 if (!(flags & DIO_WAIT)) return 0; -diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c -index 2d964ce..71cdc16 100644 --- a/fs/jbd2/commit.c +++ b/fs/jbd2/commit.c -@@ -157,9 +157,9 @@ static int journal_submit_commit_record(journal_t *journal, +@@ -157,9 +157,9 @@ static int journal_submit_commit_record( if (journal->j_flags & JBD2_BARRIER && !jbd2_has_feature_async_commit(journal)) @@ -528,11 +500,9 @@ index 2d964ce..71cdc16 100644 } cond_resched(); stats.run.rs_blocks_logged += bufs; -diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c -index f1c8cdc..babfb6a 100644 --- a/fs/jbd2/journal.c +++ b/fs/jbd2/journal.c -@@ -1325,15 +1325,15 @@ static int journal_reset(journal_t *journal) +@@ -1323,15 +1323,15 @@ static int journal_reset(journal_t *jour return jbd2_journal_start_thread(journal); } @@ -551,7 +521,7 @@ index f1c8cdc..babfb6a 100644 lock_buffer(bh); if (buffer_write_io_error(bh)) { /* -@@ -1353,7 +1353,7 @@ static int jbd2_write_superblock(journal_t *journal, int write_op) +@@ -1351,7 +1351,7 @@ static int jbd2_write_superblock(journal jbd2_superblock_csum_set(journal, sb); get_bh(bh); bh->b_end_io = end_buffer_write_sync; @@ -560,11 +530,9 @@ index f1c8cdc..babfb6a 100644 wait_on_buffer(bh); if (buffer_write_io_error(bh)) { clear_buffer_write_io_error(bh); -diff --git a/fs/nilfs2/btnode.c b/fs/nilfs2/btnode.c -index a35ae35..07fe874 100644 --- a/fs/nilfs2/btnode.c +++ b/fs/nilfs2/btnode.c -@@ -67,7 +67,7 @@ nilfs_btnode_create_block(struct address_space *btnc, __u64 blocknr) +@@ -67,7 +67,7 @@ nilfs_btnode_create_block(struct address } int nilfs_btnode_submit_block(struct address_space *btnc, __u64 blocknr, @@ -573,7 +541,7 @@ index a35ae35..07fe874 100644 struct buffer_head **pbh, sector_t *submit_ptr) { struct buffer_head *bh; -@@ -100,7 +100,7 @@ int nilfs_btnode_submit_block(struct address_space *btnc, __u64 blocknr, +@@ -100,7 +100,7 @@ int nilfs_btnode_submit_block(struct add } } @@ -582,7 +550,7 @@ index a35ae35..07fe874 100644 if (pblocknr != *submit_ptr + 1 || !trylock_buffer(bh)) { err = -EBUSY; /* internal code */ brelse(bh); -@@ -119,7 +119,7 @@ int nilfs_btnode_submit_block(struct address_space *btnc, __u64 blocknr, +@@ -119,7 +119,7 @@ int nilfs_btnode_submit_block(struct add bh->b_blocknr = pblocknr; /* set block address for read */ bh->b_end_io = end_buffer_read_sync; get_bh(bh); @@ -591,11 +559,9 @@ index a35ae35..07fe874 100644 bh->b_blocknr = blocknr; /* set back to the given block address */ *submit_ptr = pblocknr; err = 0; -diff --git a/fs/nilfs2/btnode.h b/fs/nilfs2/btnode.h -index d876b56..3f93197 100644 --- a/fs/nilfs2/btnode.h +++ b/fs/nilfs2/btnode.h -@@ -47,7 +47,7 @@ void nilfs_btnode_cache_clear(struct address_space *); +@@ -47,7 +47,7 @@ void nilfs_btnode_cache_clear(struct add struct buffer_head *nilfs_btnode_create_block(struct address_space *btnc, __u64 blocknr); int nilfs_btnode_submit_block(struct address_space *, __u64, sector_t, int, @@ -604,11 +570,9 @@ index d876b56..3f93197 100644 void nilfs_btnode_delete(struct buffer_head *); int nilfs_btnode_prepare_change_key(struct address_space *, struct nilfs_btnode_chkey_ctxt *); -diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c -index 3a3821b..5d6a2c6 100644 --- a/fs/nilfs2/btree.c +++ b/fs/nilfs2/btree.c -@@ -480,7 +480,8 @@ static int __nilfs_btree_get_block(const struct nilfs_bmap *btree, __u64 ptr, +@@ -480,7 +480,8 @@ static int __nilfs_btree_get_block(const sector_t submit_ptr = 0; int ret; @@ -618,7 +582,7 @@ index 3a3821b..5d6a2c6 100644 if (ret) { if (ret != -EEXIST) return ret; -@@ -496,7 +497,8 @@ static int __nilfs_btree_get_block(const struct nilfs_bmap *btree, __u64 ptr, +@@ -496,7 +497,8 @@ static int __nilfs_btree_get_block(const n > 0 && i < ra->ncmax; n--, i++) { ptr2 = nilfs_btree_node_get_ptr(ra->node, i, ra->ncmax); @@ -628,11 +592,9 @@ index 3a3821b..5d6a2c6 100644 &ra_bh, &submit_ptr); if (likely(!ret || ret == -EEXIST)) brelse(ra_bh); -diff --git a/fs/nilfs2/gcinode.c b/fs/nilfs2/gcinode.c -index 748ca23..1f18ffc 100644 --- a/fs/nilfs2/gcinode.c +++ b/fs/nilfs2/gcinode.c -@@ -106,7 +106,7 @@ int nilfs_gccache_submit_read_data(struct inode *inode, sector_t blkoff, +@@ -106,7 +106,7 @@ int nilfs_gccache_submit_read_data(struc bh->b_blocknr = pbn; bh->b_end_io = end_buffer_read_sync; get_bh(bh); @@ -641,7 +603,7 @@ index 748ca23..1f18ffc 100644 if (vbn) bh->b_blocknr = vbn; out: -@@ -143,7 +143,8 @@ int nilfs_gccache_submit_read_node(struct inode *inode, sector_t pbn, +@@ -143,7 +143,8 @@ int nilfs_gccache_submit_read_node(struc int ret; ret = nilfs_btnode_submit_block(&NILFS_I(inode)->i_btnode_cache, @@ -651,11 +613,9 @@ index 748ca23..1f18ffc 100644 if (ret == -EEXIST) /* internal code (cache hit) */ ret = 0; return ret; -diff --git a/fs/nilfs2/mdt.c b/fs/nilfs2/mdt.c -index 1125f40..92e627d 100644 --- a/fs/nilfs2/mdt.c +++ b/fs/nilfs2/mdt.c -@@ -124,7 +124,7 @@ static int nilfs_mdt_create_block(struct inode *inode, unsigned long block, +@@ -124,7 +124,7 @@ static int nilfs_mdt_create_block(struct static int nilfs_mdt_submit_block(struct inode *inode, unsigned long blkoff, @@ -664,7 +624,7 @@ index 1125f40..92e627d 100644 { struct buffer_head *bh; __u64 blknum = 0; -@@ -138,7 +138,7 @@ nilfs_mdt_submit_block(struct inode *inode, unsigned long blkoff, +@@ -138,7 +138,7 @@ nilfs_mdt_submit_block(struct inode *ino if (buffer_uptodate(bh)) goto out; @@ -673,7 +633,7 @@ index 1125f40..92e627d 100644 if (!trylock_buffer(bh)) { ret = -EBUSY; goto failed_bh; -@@ -160,7 +160,7 @@ nilfs_mdt_submit_block(struct inode *inode, unsigned long blkoff, +@@ -160,7 +160,7 @@ nilfs_mdt_submit_block(struct inode *ino bh->b_end_io = end_buffer_read_sync; get_bh(bh); @@ -682,7 +642,7 @@ index 1125f40..92e627d 100644 ret = 0; trace_nilfs2_mdt_submit_block(inode, inode->i_ino, blkoff, mode); -@@ -184,7 +184,7 @@ static int nilfs_mdt_read_block(struct inode *inode, unsigned long block, +@@ -184,7 +184,7 @@ static int nilfs_mdt_read_block(struct i int i, nr_ra_blocks = NILFS_MDT_MAX_RA_BLOCKS; int err; @@ -691,7 +651,7 @@ index 1125f40..92e627d 100644 if (err == -EEXIST) /* internal code */ goto out; -@@ -194,7 +194,8 @@ static int nilfs_mdt_read_block(struct inode *inode, unsigned long block, +@@ -194,7 +194,8 @@ static int nilfs_mdt_read_block(struct i if (readahead) { blkoff = block + 1; for (i = 0; i < nr_ra_blocks; i++, blkoff++) { @@ -701,8 +661,6 @@ index 1125f40..92e627d 100644 if (likely(!err || err == -EEXIST)) brelse(bh); else if (err != -EBUSY) -diff --git a/fs/ntfs/aops.c b/fs/ntfs/aops.c -index 7521e11..57c64bd 100644 --- a/fs/ntfs/aops.c +++ b/fs/ntfs/aops.c @@ -362,7 +362,7 @@ handle_zblock: @@ -732,8 +690,6 @@ index 7521e11..57c64bd 100644 } /* Synchronize the mft mirror now if not @sync. */ if (is_mft && !sync) -diff --git a/fs/ntfs/compress.c b/fs/ntfs/compress.c -index f82498c..1fd482c 100644 --- a/fs/ntfs/compress.c +++ b/fs/ntfs/compress.c @@ -674,7 +674,7 @@ lock_retry_remap: @@ -745,11 +701,9 @@ index f82498c..1fd482c 100644 } /* Wait for io completion on all buffer heads. */ -diff --git a/fs/ntfs/file.c b/fs/ntfs/file.c -index 9d383e5..03a1a32 100644 --- a/fs/ntfs/file.c +++ b/fs/ntfs/file.c -@@ -553,7 +553,7 @@ static inline int ntfs_submit_bh_for_read(struct buffer_head *bh) +@@ -553,7 +553,7 @@ static inline int ntfs_submit_bh_for_rea lock_buffer(bh); get_bh(bh); bh->b_end_io = end_buffer_read_sync; @@ -758,8 +712,6 @@ index 9d383e5..03a1a32 100644 } /** -diff --git a/fs/ntfs/logfile.c b/fs/ntfs/logfile.c -index c71de29..1c95c41 100644 --- a/fs/ntfs/logfile.c +++ b/fs/ntfs/logfile.c @@ -821,7 +821,7 @@ map_vcn: @@ -771,11 +723,9 @@ index c71de29..1c95c41 100644 if (should_wait) { should_wait = false; wait_on_buffer(bh); -diff --git a/fs/ntfs/mft.c b/fs/ntfs/mft.c -index 3014a36..38c6f7a 100644 --- a/fs/ntfs/mft.c +++ b/fs/ntfs/mft.c -@@ -592,7 +592,7 @@ int ntfs_sync_mft_mirror(ntfs_volume *vol, const unsigned long mft_no, +@@ -592,7 +592,7 @@ int ntfs_sync_mft_mirror(ntfs_volume *vo clear_buffer_dirty(tbh); get_bh(tbh); tbh->b_end_io = end_buffer_write_sync; @@ -784,7 +734,7 @@ index 3014a36..38c6f7a 100644 } /* Wait on i/o completion of buffers. */ for (i_bhs = 0; i_bhs < nr_bhs; i_bhs++) { -@@ -785,7 +785,7 @@ int write_mft_record_nolock(ntfs_inode *ni, MFT_RECORD *m, int sync) +@@ -785,7 +785,7 @@ int write_mft_record_nolock(ntfs_inode * clear_buffer_dirty(tbh); get_bh(tbh); tbh->b_end_io = end_buffer_write_sync; @@ -793,11 +743,9 @@ index 3014a36..38c6f7a 100644 } /* Synchronize the mft mirror now if not @sync. */ if (!sync && ni->mft_no < vol->mftmirr_size) -diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c -index fe50ded..fb775c9 100644 --- a/fs/ocfs2/buffer_head_io.c +++ b/fs/ocfs2/buffer_head_io.c -@@ -79,7 +79,7 @@ int ocfs2_write_block(struct ocfs2_super *osb, struct buffer_head *bh, +@@ -79,7 +79,7 @@ int ocfs2_write_block(struct ocfs2_super get_bh(bh); /* for end_buffer_write_sync() */ bh->b_end_io = end_buffer_write_sync; @@ -806,8 +754,8 @@ index fe50ded..fb775c9 100644 wait_on_buffer(bh); -@@ -149,7 +149,7 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block, - clear_buffer_uptodate(bh); +@@ -148,7 +148,7 @@ int ocfs2_read_blocks_sync(struct ocfs2_ + get_bh(bh); /* for end_buffer_read_sync() */ bh->b_end_io = end_buffer_read_sync; - submit_bh(READ, bh); @@ -815,7 +763,7 @@ index fe50ded..fb775c9 100644 } for (i = nr; i > 0; i--) { -@@ -305,7 +305,7 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr, +@@ -303,7 +303,7 @@ int ocfs2_read_blocks(struct ocfs2_cachi if (validate) set_buffer_needs_validate(bh); bh->b_end_io = end_buffer_read_sync; @@ -824,7 +772,7 @@ index fe50ded..fb775c9 100644 continue; } } -@@ -419,7 +419,7 @@ int ocfs2_write_super_or_backup(struct ocfs2_super *osb, +@@ -418,7 +418,7 @@ int ocfs2_write_super_or_backup(struct o get_bh(bh); /* for end_buffer_write_sync() */ bh->b_end_io = end_buffer_write_sync; ocfs2_compute_meta_ecc(osb->sb, bh->b_data, &di->i_check); @@ -833,11 +781,9 @@ index fe50ded..fb775c9 100644 wait_on_buffer(bh); -diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c -index c0db7f3..5822c06 100644 --- a/fs/reiserfs/inode.c +++ b/fs/reiserfs/inode.c -@@ -2667,7 +2667,7 @@ static int reiserfs_write_full_page(struct page *page, +@@ -2667,7 +2667,7 @@ static int reiserfs_write_full_page(stru do { struct buffer_head *next = bh->b_this_page; if (buffer_async_write(bh)) { @@ -855,11 +801,9 @@ index c0db7f3..5822c06 100644 nr++; } put_bh(bh); -diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c -index 9d6486d..9e63bc2 100644 --- a/fs/reiserfs/journal.c +++ b/fs/reiserfs/journal.c -@@ -654,7 +654,7 @@ static void submit_logged_buffer(struct buffer_head *bh) +@@ -654,7 +654,7 @@ static void submit_logged_buffer(struct BUG(); if (!buffer_uptodate(bh)) BUG(); @@ -868,7 +812,7 @@ index 9d6486d..9e63bc2 100644 } static void submit_ordered_buffer(struct buffer_head *bh) -@@ -664,7 +664,7 @@ static void submit_ordered_buffer(struct buffer_head *bh) +@@ -664,7 +664,7 @@ static void submit_ordered_buffer(struct clear_buffer_dirty(bh); if (!buffer_uptodate(bh)) BUG(); @@ -886,11 +830,9 @@ index 9d6486d..9e63bc2 100644 } for (i = 0; i < get_desc_trans_len(desc); i++) { wait_on_buffer(real_blocks[i]); -diff --git a/fs/ufs/util.c b/fs/ufs/util.c -index b6c2f94..5f68b1a 100644 --- a/fs/ufs/util.c +++ b/fs/ufs/util.c -@@ -118,7 +118,7 @@ void ubh_sync_block(struct ufs_buffer_head *ubh) +@@ -118,7 +118,7 @@ void ubh_sync_block(struct ufs_buffer_he unsigned i; for (i = 0; i < ubh->count; i++) @@ -899,11 +841,9 @@ index b6c2f94..5f68b1a 100644 for (i = 0; i < ubh->count; i++) wait_on_buffer(ubh->bh[i]); -diff --git a/include/linux/buffer_head.h b/include/linux/buffer_head.h -index 89d9aa9e..f7cc163 100644 --- a/include/linux/buffer_head.h +++ b/include/linux/buffer_head.h -@@ -189,10 +189,11 @@ void unlock_buffer(struct buffer_head *bh); +@@ -189,10 +189,11 @@ void unlock_buffer(struct buffer_head *b void __lock_buffer(struct buffer_head *bh); void ll_rw_block(int, int, struct buffer_head * bh[]); int sync_dirty_buffer(struct buffer_head *bh); @@ -919,6 +859,3 @@ index 89d9aa9e..f7cc163 100644 void write_boundary_block(struct block_device *bdev, sector_t bblock, unsigned blocksize); int bh_uptodate_or_lock(struct buffer_head *bh); --- -1.8.5.6 - diff --git a/patches.drivers/RDMA-bnxt_re-Synchronize-destroy_qp-with-poll_cq.patch b/patches.drivers/RDMA-bnxt_re-Synchronize-destroy_qp-with-poll_cq.patch deleted file mode 100644 index 5e921636f4..0000000000 --- a/patches.drivers/RDMA-bnxt_re-Synchronize-destroy_qp-with-poll_cq.patch +++ /dev/null @@ -1,190 +0,0 @@ -From: Selvin Xavier <selvin.xavier@broadcom.com> -Date: Thu, 15 Feb 2018 21:20:11 -0800 -Subject: RDMA/bnxt_re: Synchronize destroy_qp with poll_cq -Patch-mainline: v4.16-rc3 -Git-commit: 3b921e3bc4c20af58a663ed238ad57e87493dde2 -References: bsc#1125446 - -Avoid system crash when destroy_qp is invoked while -the driver is processing the poll_cq. Synchronize these -functions using the cq_lock. - -Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com> -Signed-off-by: Doug Ledford <dledford@redhat.com> -Acked-by: Denis Kirjanov <dkirjanov@suse.com> ---- - drivers/infiniband/hw/bnxt_re/ib_verbs.c | 39 +++++++++++++++++++++++++++++--- - drivers/infiniband/hw/bnxt_re/ib_verbs.h | 2 ++ - drivers/infiniband/hw/bnxt_re/qplib_fp.c | 21 +++++------------ - drivers/infiniband/hw/bnxt_re/qplib_fp.h | 4 +++- - 4 files changed, 47 insertions(+), 19 deletions(-) ---- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c -+++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c -@@ -803,19 +803,50 @@ int bnxt_re_query_ah(struct ib_ah *ib_ah - return 0; - } - -+static unsigned long bnxt_re_lock_cqs(struct bnxt_re_qp *qp) -+ __acquires(&qp->scq->cq_lock) __acquires(&qp->rcq->cq_lock) -+{ -+ unsigned long flags; -+ -+ spin_lock_irqsave(&qp->scq->cq_lock, flags); -+ if (qp->rcq != qp->scq) -+ spin_lock(&qp->rcq->cq_lock); -+ else -+ __acquire(&qp->rcq->cq_lock); -+ -+ return flags; -+} -+ -+static void bnxt_re_unlock_cqs(struct bnxt_re_qp *qp, -+ unsigned long flags) -+ __releases(&qp->scq->cq_lock) __releases(&qp->rcq->cq_lock) -+{ -+ if (qp->rcq != qp->scq) -+ spin_unlock(&qp->rcq->cq_lock); -+ else -+ __release(&qp->rcq->cq_lock); -+ spin_unlock_irqrestore(&qp->scq->cq_lock, flags); -+} -+ - /* Queue Pairs */ - int bnxt_re_destroy_qp(struct ib_qp *ib_qp) - { - struct bnxt_re_qp *qp = container_of(ib_qp, struct bnxt_re_qp, ib_qp); - struct bnxt_re_dev *rdev = qp->rdev; - int rc; -+ unsigned int flags; - -- bnxt_qplib_del_flush_qp(&qp->qplib_qp); - rc = bnxt_qplib_destroy_qp(&rdev->qplib_res, &qp->qplib_qp); - if (rc) { - dev_err(rdev_to_dev(rdev), "Failed to destroy HW QP"); - return rc; - } -+ -+ flags = bnxt_re_lock_cqs(qp); -+ bnxt_qplib_clean_qp(&qp->qplib_qp); -+ bnxt_re_unlock_cqs(qp, flags); -+ bnxt_qplib_free_qp_res(&rdev->qplib_res, &qp->qplib_qp); -+ - if (ib_qp->qp_type == IB_QPT_GSI && rdev->qp1_sqp) { - rc = bnxt_qplib_destroy_ah(&rdev->qplib_res, - &rdev->sqp_ah->qplib_ah); -@@ -825,7 +856,7 @@ int bnxt_re_destroy_qp(struct ib_qp *ib_ - return rc; - } - -- bnxt_qplib_del_flush_qp(&qp->qplib_qp); -+ bnxt_qplib_clean_qp(&qp->qplib_qp); - rc = bnxt_qplib_destroy_qp(&rdev->qplib_res, - &rdev->qp1_sqp->qplib_qp); - if (rc) { -@@ -1085,6 +1116,7 @@ struct ib_qp *bnxt_re_create_qp(struct i - goto fail; - } - qp->qplib_qp.scq = &cq->qplib_cq; -+ qp->scq = cq; - } - - if (qp_init_attr->recv_cq) { -@@ -1096,6 +1128,7 @@ struct ib_qp *bnxt_re_create_qp(struct i - goto fail; - } - qp->qplib_qp.rcq = &cq->qplib_cq; -+ qp->rcq = cq; - } - - if (qp_init_attr->srq) { -@@ -1385,7 +1418,7 @@ int bnxt_re_modify_qp(struct ib_qp *ib_q - dev_dbg(rdev_to_dev(rdev), - "Move QP = %p out of flush list\n", - qp); -- bnxt_qplib_del_flush_qp(&qp->qplib_qp); -+ bnxt_qplib_clean_qp(&qp->qplib_qp); - } - } - if (qp_attr_mask & IB_QP_EN_SQD_ASYNC_NOTIFY) { ---- a/drivers/infiniband/hw/bnxt_re/ib_verbs.h -+++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.h -@@ -80,6 +80,8 @@ struct bnxt_re_qp { - /* QP1 */ - u32 send_psn; - struct ib_ud_header qp1_hdr; -+ struct bnxt_re_cq *scq; -+ struct bnxt_re_cq *rcq; - }; - - struct bnxt_re_cq { ---- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c -+++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c -@@ -115,7 +115,7 @@ void bnxt_qplib_add_flush_qp(struct bnxt - } - } - --void bnxt_qplib_del_flush_qp(struct bnxt_qplib_qp *qp) -+void bnxt_qplib_clean_qp(struct bnxt_qplib_qp *qp) - { - struct bnxt_qplib_cq *scq, *rcq; - unsigned long flags; -@@ -1096,7 +1096,6 @@ int bnxt_qplib_destroy_qp(struct bnxt_qp - struct bnxt_qplib_rcfw *rcfw = res->rcfw; - struct cmdq_destroy_qp req; - struct creq_destroy_qp_resp resp; -- unsigned long flags; - u16 cmd_flags = 0; - int rc; - -@@ -1114,18 +1113,13 @@ int bnxt_qplib_destroy_qp(struct bnxt_qp - return rc; - } - -- /* Must walk the associated CQs to nullified the QP ptr */ -- spin_lock_irqsave(&qp->scq->hwq.lock, flags); -+ return 0; -+} - -- __clean_cq(qp->scq, (u64)(unsigned long)qp); - -- if (qp->rcq && qp->rcq != qp->scq) { -- spin_lock(&qp->rcq->hwq.lock); -- __clean_cq(qp->rcq, (u64)(unsigned long)qp); -- spin_unlock(&qp->rcq->hwq.lock); -- } -- -- spin_unlock_irqrestore(&qp->scq->hwq.lock, flags); -+void bnxt_qplib_free_qp_res(struct bnxt_qplib_res *res, -+ struct bnxt_qplib_qp *qp) -+{ - - bnxt_qplib_free_qp_hdr_buf(res, qp); - bnxt_qplib_free_hwq(res->pdev, &qp->sq.hwq); -@@ -1139,7 +1133,6 @@ int bnxt_qplib_destroy_qp(struct bnxt_qp - if (qp->orrq.max_elements) - bnxt_qplib_free_hwq(res->pdev, &qp->orrq); - -- return 0; - } - - void *bnxt_qplib_get_qp1_sq_buf(struct bnxt_qplib_qp *qp, ---- a/drivers/infiniband/hw/bnxt_re/qplib_fp.h -+++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.h -@@ -449,6 +449,9 @@ int bnxt_qplib_create_qp(struct bnxt_qpl - int bnxt_qplib_modify_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp); - int bnxt_qplib_query_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp); - int bnxt_qplib_destroy_qp(struct bnxt_qplib_res *res, struct bnxt_qplib_qp *qp); -+void bnxt_qplib_clean_qp(struct bnxt_qplib_qp *qp); -+void bnxt_qplib_free_qp_res(struct bnxt_qplib_res *res, -+ struct bnxt_qplib_qp *qp); - void *bnxt_qplib_get_qp1_sq_buf(struct bnxt_qplib_qp *qp, - struct bnxt_qplib_sge *sge); - void *bnxt_qplib_get_qp1_rq_buf(struct bnxt_qplib_qp *qp, -@@ -470,7 +473,6 @@ void bnxt_qplib_req_notify_cq(struct bnx - void bnxt_qplib_free_nq(struct bnxt_qplib_nq *nq); - int bnxt_qplib_alloc_nq(struct pci_dev *pdev, struct bnxt_qplib_nq *nq); - void bnxt_qplib_add_flush_qp(struct bnxt_qplib_qp *qp); --void bnxt_qplib_del_flush_qp(struct bnxt_qplib_qp *qp); - int bnxt_qplib_process_flush_list(struct bnxt_qplib_cq *cq, - struct bnxt_qplib_cqe *cqe, - int num_cqes); diff --git a/patches.drivers/bnxt_re-Fix-couple-of-memory-leaks-that-could-lead-t.patch b/patches.drivers/bnxt_re-Fix-couple-of-memory-leaks-that-could-lead-t.patch deleted file mode 100644 index c247b20a9c..0000000000 --- a/patches.drivers/bnxt_re-Fix-couple-of-memory-leaks-that-could-lead-t.patch +++ /dev/null @@ -1,44 +0,0 @@ -From: Somnath Kotur <somnath.kotur@broadcom.com> -Date: Wed, 5 Sep 2018 13:20:34 +0530 -Subject: bnxt_re: Fix couple of memory leaks that could lead to IOMMU call - traces -Patch-mainline: v4.19-rc4 -Git-commit: f40f299bbe806a2e2c8b0d7cdda822fa3bdd171b -References: bsc#1020413, FATE#321905 - -1. DMA-able memory allocated for Shadow QP was not being freed. -2. bnxt_qplib_alloc_qp_hdr_buf() had a bug wherein the SQ pointer was - erroneously pointing to the RQ. But since the corresponding - free_qp_hdr_buf() was correct, memory being free was less than what was - allocated. - -Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") -Signed-off-by: Somnath Kotur <somnath.kotur@broadcom.com> -Signed-off-by: Jason Gunthorpe <jgg@mellanox.com> -Acked-by: Denis Kirjanov <dkirjanov@suse.com> ---- - drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 ++ - drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2 +- - 2 files changed, 3 insertions(+), 1 deletion(-) ---- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c -+++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c -@@ -864,6 +864,8 @@ int bnxt_re_destroy_qp(struct ib_qp *ib_ - "Failed to destroy Shadow QP"); - return rc; - } -+ bnxt_qplib_free_qp_res(&rdev->qplib_res, -+ &rdev->qp1_sqp->qplib_qp); - mutex_lock(&rdev->qp_lock); - list_del(&rdev->qp1_sqp->list); - atomic_dec(&rdev->qp_count); ---- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c -+++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c -@@ -186,7 +186,7 @@ static int bnxt_qplib_alloc_qp_hdr_buf(s - struct bnxt_qplib_qp *qp) - { - struct bnxt_qplib_q *rq = &qp->rq; -- struct bnxt_qplib_q *sq = &qp->rq; -+ struct bnxt_qplib_q *sq = &qp->sq; - int rc = 0; - - if (qp->sq_hdr_buf_size && sq->hwq.max_elements) { diff --git a/patches.drivers/dm-thin-fix-a-race-condition-between-discarding-and-.patch b/patches.drivers/dm-thin-fix-a-race-condition-between-discarding-and-.patch index b637ef06b9..f7f9cfc366 100644 --- a/patches.drivers/dm-thin-fix-a-race-condition-between-discarding-and-.patch +++ b/patches.drivers/dm-thin-fix-a-race-condition-between-discarding-and-.patch @@ -28,16 +28,14 @@ Signed-off-by: Joe Thornber <ejt@redhat.com> Signed-off-by: Mike Snitzer <snitzer@redhat.com> Acked-by: Hannes Reinecke <hare@suse.de> --- - drivers/md/dm-thin-metadata.c | 30 +++++++++++++ - drivers/md/dm-thin-metadata.h | 3 ++ - drivers/md/dm-thin.c | 102 +++++++++++++++++++++++++++++++++++++----- + drivers/md/dm-thin-metadata.c | 30 ++++++++++++ + drivers/md/dm-thin-metadata.h | 3 + + drivers/md/dm-thin.c | 102 +++++++++++++++++++++++++++++++++++++----- 3 files changed, 124 insertions(+), 11 deletions(-) -diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c -index 43824d7..a15091a 100644 --- a/drivers/md/dm-thin-metadata.c +++ b/drivers/md/dm-thin-metadata.c -@@ -1677,6 +1677,36 @@ int dm_pool_block_is_used(struct dm_pool_metadata *pmd, dm_block_t b, bool *resu +@@ -1703,6 +1703,36 @@ int dm_pool_block_is_used(struct dm_pool return r; } @@ -74,11 +72,9 @@ index 43824d7..a15091a 100644 bool dm_thin_changed_this_transaction(struct dm_thin_device *td) { int r; -diff --git a/drivers/md/dm-thin-metadata.h b/drivers/md/dm-thin-metadata.h -index a938bab..35e954e 100644 --- a/drivers/md/dm-thin-metadata.h +++ b/drivers/md/dm-thin-metadata.h -@@ -197,6 +197,9 @@ int dm_pool_get_data_dev_size(struct dm_pool_metadata *pmd, dm_block_t *result); +@@ -197,6 +197,9 @@ int dm_pool_get_data_dev_size(struct dm_ int dm_pool_block_is_used(struct dm_pool_metadata *pmd, dm_block_t b, bool *result); @@ -88,19 +84,17 @@ index a938bab..35e954e 100644 /* * Returns -ENOSPC if the new size is too small and already allocated * blocks would be lost. -diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c -index 5f9e3d7..197ea20 100644 --- a/drivers/md/dm-thin.c +++ b/drivers/md/dm-thin.c -@@ -253,6 +253,7 @@ struct pool { - struct bio_list deferred_flush_bios; +@@ -260,6 +260,7 @@ struct pool { + struct bio_list deferred_flush_completions; struct list_head prepared_mappings; struct list_head prepared_discards; + struct list_head prepared_discards_pt2; struct list_head active_thins; struct dm_deferred_set *shared_read_ds; -@@ -269,6 +270,7 @@ struct pool { +@@ -276,6 +277,7 @@ struct pool { process_mapping_fn process_prepared_mapping; process_mapping_fn process_prepared_discard; @@ -108,7 +102,7 @@ index 5f9e3d7..197ea20 100644 struct dm_bio_prison_cell **cell_sort_array; }; -@@ -1001,7 +1003,8 @@ static void process_prepared_discard_no_passdown(struct dm_thin_new_mapping *m) +@@ -1041,7 +1043,8 @@ static void process_prepared_discard_no_ /*----------------------------------------------------------------*/ @@ -118,7 +112,7 @@ index 5f9e3d7..197ea20 100644 { /* * We've already unmapped this range of blocks, but before we -@@ -1014,7 +1017,7 @@ static void passdown_double_checking_shared_status(struct dm_thin_new_mapping *m +@@ -1054,7 +1057,7 @@ static void passdown_double_checking_sha dm_block_t b = m->data_block, e, end = m->data_block + m->virt_end - m->virt_begin; struct discard_op op; @@ -127,7 +121,7 @@ index 5f9e3d7..197ea20 100644 while (b != end) { /* find start of unmapped run */ for (; b < end; b++) { -@@ -1049,28 +1052,101 @@ out: +@@ -1089,28 +1092,101 @@ out: end_discard(&op, r); } @@ -237,7 +231,7 @@ index 5f9e3d7..197ea20 100644 cell_defer_no_holder(tc, m->cell); mempool_free(m, pool->mapping_pool); } -@@ -2215,6 +2291,8 @@ static void do_worker(struct work_struct *ws) +@@ -2316,6 +2392,8 @@ static void do_worker(struct work_struct throttle_work_update(&pool->throttle); process_prepared(pool, &pool->prepared_discards, &pool->process_prepared_discard); throttle_work_update(&pool->throttle); @@ -246,7 +240,7 @@ index 5f9e3d7..197ea20 100644 process_deferred_bios(pool); throttle_work_complete(&pool->throttle); } -@@ -2343,7 +2421,8 @@ static void set_discard_callbacks(struct pool *pool) +@@ -2444,7 +2522,8 @@ static void set_discard_callbacks(struct if (passdown_enabled(pt)) { pool->process_discard_cell = process_discard_cell_passdown; @@ -256,14 +250,11 @@ index 5f9e3d7..197ea20 100644 } else { pool->process_discard_cell = process_discard_cell_no_passdown; pool->process_prepared_discard = process_prepared_discard_no_passdown; -@@ -2830,6 +2909,7 @@ static struct pool *pool_create(struct mapped_device *pool_md, - bio_list_init(&pool->deferred_flush_bios); +@@ -2933,6 +3012,7 @@ static struct pool *pool_create(struct m + bio_list_init(&pool->deferred_flush_completions); INIT_LIST_HEAD(&pool->prepared_mappings); INIT_LIST_HEAD(&pool->prepared_discards); + INIT_LIST_HEAD(&pool->prepared_discards_pt2); INIT_LIST_HEAD(&pool->active_thins); pool->low_water_triggered = false; pool->suspended = true; --- -1.8.5.6 - diff --git a/patches.drivers/treewide-replace-dev-trans_start-update-with-helper.patch b/patches.drivers/treewide-replace-dev-trans_start-update-with-helper.patch index 064e8a80c6..bd0a058849 100644 --- a/patches.drivers/treewide-replace-dev-trans_start-update-with-helper.patch +++ b/patches.drivers/treewide-replace-dev-trans_start-update-with-helper.patch @@ -284,7 +284,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> if (++priv->tx_outstanding == ipoib_sendq_size) { --- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c +++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c -@@ -633,7 +633,7 @@ void ipoib_send(struct net_device *dev, +@@ -635,7 +635,7 @@ void ipoib_send(struct net_device *dev, if (netif_queue_stopped(dev)) netif_wake_queue(dev); } else { @@ -379,7 +379,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> if (!test_bit(F_TX_WAIT_ALL, &priv->flags)) --- a/drivers/net/can/usb/ems_usb.c +++ b/drivers/net/can/usb/ems_usb.c -@@ -523,7 +523,7 @@ static void ems_usb_write_bulk_callback( +@@ -525,7 +525,7 @@ static void ems_usb_write_bulk_callback( if (urb->status) netdev_info(netdev, "Tx URB aborted (%d)\n", urb->status); @@ -388,7 +388,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> /* transmission complete interrupt */ netdev->stats.tx_packets++; -@@ -837,7 +837,7 @@ static netdev_tx_t ems_usb_start_xmit(st +@@ -839,7 +839,7 @@ static netdev_tx_t ems_usb_start_xmit(st stats->tx_dropped++; } } else { @@ -399,7 +399,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> if (atomic_read(&dev->active_tx_urbs) >= MAX_TX_URBS || --- a/drivers/net/can/usb/esd_usb2.c +++ b/drivers/net/can/usb/esd_usb2.c -@@ -480,7 +480,7 @@ static void esd_usb2_write_bulk_callback +@@ -482,7 +482,7 @@ static void esd_usb2_write_bulk_callback if (urb->status) netdev_info(netdev, "Tx URB aborted (%d)\n", urb->status); @@ -408,7 +408,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> } static ssize_t show_firmware(struct device *d, -@@ -820,7 +820,7 @@ static netdev_tx_t esd_usb2_start_xmit(s +@@ -822,7 +822,7 @@ static netdev_tx_t esd_usb2_start_xmit(s goto releasebuf; } @@ -773,7 +773,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> netif_tx_disable(alx->dev); --- a/drivers/net/ethernet/broadcom/bcmsysport.c +++ b/drivers/net/ethernet/broadcom/bcmsysport.c -@@ -1128,7 +1128,7 @@ static void bcm_sysport_tx_timeout(struc +@@ -1116,7 +1116,7 @@ static void bcm_sysport_tx_timeout(struc { netdev_warn(dev, "transmit timeout!\n"); @@ -784,7 +784,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> netif_tx_wake_all_queues(dev); --- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c +++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c -@@ -3032,7 +3032,7 @@ static void bcmgenet_timeout(struct net_ +@@ -3083,7 +3083,7 @@ static void bcmgenet_timeout(struct net_ bcmgenet_intrl2_0_writel(priv, int0_enable, INTRL2_CPU_MASK_CLEAR); bcmgenet_intrl2_1_writel(priv, int1_enable, INTRL2_CPU_MASK_CLEAR); @@ -826,7 +826,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> stats->tx_done++; stats->tx_tot_bytes += skb->len; -@@ -2930,7 +2930,7 @@ static void liquidio_tx_timeout(struct n +@@ -2931,7 +2931,7 @@ static void liquidio_tx_timeout(struct n netif_info(lio, tx_err, lio->netdev, "Transmit timeout tx_dropped:%ld, waking up queues now!!\n", netdev->stats.tx_dropped); @@ -1032,7 +1032,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> } --- a/drivers/net/ethernet/freescale/gianfar.c +++ b/drivers/net/ethernet/freescale/gianfar.c -@@ -2077,7 +2077,7 @@ void gfar_start(struct gfar_private *pri +@@ -2079,7 +2079,7 @@ void gfar_start(struct gfar_private *pri gfar_ints_enable(priv); @@ -1094,7 +1094,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> hns_nic_net_reinit(priv->netdev); --- a/drivers/net/ethernet/hp/hp100.c +++ b/drivers/net/ethernet/hp/hp100.c -@@ -1106,7 +1106,7 @@ static int hp100_open(struct net_device +@@ -1102,7 +1102,7 @@ static int hp100_open(struct net_device return -EAGAIN; } @@ -1156,7 +1156,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> mal_poll_disable(dev->mal, &dev->commac); netif_tx_disable(dev->ndev); } -@@ -1377,7 +1377,7 @@ static inline int emac_xmit_finish(struc +@@ -1395,7 +1395,7 @@ static inline int emac_xmit_finish(struc DBG2(dev, "stopped TX queue" NL); } @@ -1397,7 +1397,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> --- a/drivers/net/ethernet/qualcomm/qca_spi.c +++ b/drivers/net/ethernet/qualcomm/qca_spi.c -@@ -719,7 +719,7 @@ qcaspi_netdev_xmit(struct sk_buff *skb, +@@ -720,7 +720,7 @@ qcaspi_netdev_xmit(struct sk_buff *skb, qca->stats.ring_full++; } @@ -1570,7 +1570,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> --- a/drivers/net/ethernet/sun/niu.c +++ b/drivers/net/ethernet/sun/niu.c -@@ -6431,7 +6431,7 @@ static int niu_ioctl(struct net_device * +@@ -6430,7 +6430,7 @@ static int niu_ioctl(struct net_device * static void niu_netif_stop(struct niu *np) { @@ -1581,7 +1581,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> --- a/drivers/net/ethernet/sun/sungem.c +++ b/drivers/net/ethernet/sun/sungem.c -@@ -227,7 +227,7 @@ static void gem_put_cell(struct gem *gp) +@@ -226,7 +226,7 @@ static void gem_put_cell(struct gem *gp) static inline void gem_netif_stop(struct gem *gp) { @@ -1623,7 +1623,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> ndev->stats.tx_bytes += skb->len; --- a/drivers/net/ethernet/ti/cpsw.c +++ b/drivers/net/ethernet/ti/cpsw.c -@@ -1389,7 +1389,7 @@ static netdev_tx_t cpsw_ndo_start_xmit(s +@@ -1414,7 +1414,7 @@ static netdev_tx_t cpsw_ndo_start_xmit(s struct cpsw_priv *priv = netdev_priv(ndev); int ret; @@ -1742,7 +1742,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> /** --- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c +++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c -@@ -531,7 +531,7 @@ static void xemaclite_tx_timeout(struct +@@ -543,7 +543,7 @@ static void xemaclite_tx_timeout(struct } /* To exclude tx timeout */ @@ -1751,7 +1751,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> /* We're all ready to go. Start the queue */ netif_wake_queue(dev); -@@ -563,7 +563,7 @@ static void xemaclite_tx_handler(struct +@@ -575,7 +575,7 @@ static void xemaclite_tx_handler(struct dev->stats.tx_bytes += lp->deferred_skb->len; dev_kfree_skb_irq(lp->deferred_skb); lp->deferred_skb = NULL; @@ -1773,7 +1773,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> --- a/drivers/net/fjes/fjes_main.c +++ b/drivers/net/fjes/fjes_main.c -@@ -702,7 +702,7 @@ fjes_xmit_frame(struct sk_buff *skb, str +@@ -705,7 +705,7 @@ fjes_xmit_frame(struct sk_buff *skb, str ret = NETDEV_TX_OK; } else { @@ -2015,7 +2015,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> netif_wake_queue(catc->netdev); --- a/drivers/net/usb/kaweth.c +++ b/drivers/net/usb/kaweth.c -@@ -938,7 +938,7 @@ static void kaweth_tx_timeout(struct net +@@ -932,7 +932,7 @@ static void kaweth_tx_timeout(struct net dev_warn(&net->dev, "%s: Tx timed out. Resetting.\n", net->name); kaweth->stats.tx_errors++; @@ -2026,7 +2026,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> } --- a/drivers/net/usb/lan78xx.c +++ b/drivers/net/usb/lan78xx.c -@@ -2661,7 +2661,7 @@ gso_skb: +@@ -2651,7 +2651,7 @@ gso_skb: ret = usb_submit_urb(urb, GFP_ATOMIC); switch (ret) { case 0: @@ -2035,7 +2035,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> lan78xx_queue_skb(&dev->txq, skb, tx_start); if (skb_queue_len(&dev->txq) >= dev->tx_qlen) netif_stop_queue(dev->net); -@@ -3303,7 +3303,7 @@ int lan78xx_resume(struct usb_interface +@@ -3293,7 +3293,7 @@ int lan78xx_resume(struct usb_interface usb_free_urb(res); usb_autopm_put_interface_async(dev->intf); } else { @@ -2046,7 +2046,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> } --- a/drivers/net/usb/pegasus.c +++ b/drivers/net/usb/pegasus.c -@@ -615,7 +615,7 @@ static void write_bulk_callback(struct u +@@ -636,7 +636,7 @@ static void write_bulk_callback(struct u break; } @@ -2057,7 +2057,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> --- a/drivers/net/usb/rtl8150.c +++ b/drivers/net/usb/rtl8150.c -@@ -451,7 +451,7 @@ static void write_bulk_callback(struct u +@@ -471,7 +471,7 @@ static void write_bulk_callback(struct u if (status) dev_info(&urb->dev->dev, "%s: Tx status %d\n", dev->netdev->name, status); @@ -2066,7 +2066,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> netif_wake_queue(dev->netdev); } -@@ -694,7 +694,7 @@ static netdev_tx_t rtl8150_start_xmit(st +@@ -714,7 +714,7 @@ static netdev_tx_t rtl8150_start_xmit(st } else { netdev->stats.tx_packets++; netdev->stats.tx_bytes += skb->len; @@ -2077,7 +2077,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> return NETDEV_TX_OK; --- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c -@@ -1412,7 +1412,7 @@ netdev_tx_t usbnet_start_xmit (struct sk +@@ -1413,7 +1413,7 @@ netdev_tx_t usbnet_start_xmit (struct sk "tx: submit urb err %d\n", retval); break; case 0: @@ -2086,7 +2086,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> __usbnet_queue_skb(&dev->txq, skb, tx_start); if (dev->txq.qlen >= TX_QLEN (dev)) netif_stop_queue (net); -@@ -1841,7 +1841,7 @@ int usbnet_resume (struct usb_interface +@@ -1842,7 +1842,7 @@ int usbnet_resume (struct usb_interface usb_free_urb(res); usb_autopm_put_interface_async(dev->intf); } else { @@ -2215,7 +2215,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> priv->fids[fid] &= 0xffff; --- a/drivers/net/wireless/hostap/hostap_hw.c +++ b/drivers/net/wireless/hostap/hostap_hw.c -@@ -1789,7 +1789,7 @@ static int prism2_transmit(struct net_de +@@ -1794,7 +1794,7 @@ static int prism2_transmit(struct net_de netif_wake_queue(dev); return -1; } @@ -2454,7 +2454,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> /* count only the packet payload */ --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c -@@ -2679,7 +2679,7 @@ static int gsm_mux_net_start_xmit(struct +@@ -2700,7 +2700,7 @@ static int gsm_mux_net_start_xmit(struct STATS(net).tx_bytes += skb->len; gsm_dlci_data_kick(dlci); /* And tell the kernel when the last transmit started. */ @@ -2525,7 +2525,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> /* inform generic HDLC layer of current DCD status */ --- a/drivers/usb/gadget/function/u_ether.c +++ b/drivers/usb/gadget/function/u_ether.c -@@ -600,7 +600,7 @@ static netdev_tx_t eth_start_xmit(struct +@@ -590,7 +590,7 @@ static netdev_tx_t eth_start_xmit(struct DBG(dev, "tx queue err %d\n", retval); break; case 0: @@ -2536,7 +2536,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> --- a/net/atm/lec.c +++ b/net/atm/lec.c -@@ -194,7 +194,7 @@ lec_send(struct atm_vcc *vcc, struct sk_ +@@ -197,7 +197,7 @@ lec_send(struct atm_vcc *vcc, struct sk_ static void lec_tx_timeout(struct net_device *dev) { pr_info("%s\n", dev->name); @@ -2545,7 +2545,7 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> netif_wake_queue(dev); } -@@ -324,7 +324,7 @@ static netdev_tx_t lec_start_xmit(struct +@@ -327,7 +327,7 @@ static netdev_tx_t lec_start_xmit(struct out: if (entry) lec_arp_put(entry); @@ -2563,8 +2563,8 @@ Acked-by: Benjamin Poirier <bpoirier@suse.com> - soft_iface->trans_start = jiffies; + netif_trans_update(soft_iface); vid = batadv_get_vid(skb, 0); - ethhdr = eth_hdr(skb); + skb_reset_mac_header(skb); --- a/net/bluetooth/bnep/netdev.c +++ b/net/bluetooth/bnep/netdev.c @@ -188,7 +188,7 @@ static netdev_tx_t bnep_net_xmit(struct diff --git a/patches.fixes/0001-KVM-VMX-Fix-x2apic-check-in-vmx_msr_bitmap_mode.patch b/patches.fixes/0001-KVM-VMX-Fix-x2apic-check-in-vmx_msr_bitmap_mode.patch new file mode 100644 index 0000000000..2b2234c853 --- /dev/null +++ b/patches.fixes/0001-KVM-VMX-Fix-x2apic-check-in-vmx_msr_bitmap_mode.patch @@ -0,0 +1,51 @@ +From 4265b6f6e5f5e2bba956e36f74aeb1411c3bffb4 Mon Sep 17 00:00:00 2001 +From: Joerg Roedel <jroedel@suse.de> +Date: Thu, 21 Feb 2019 13:43:19 +0100 +Subject: [PATCH] KVM: VMX: Fix x2apic check in vmx_msr_bitmap_mode() +Patch-mainline: No, submitted for inclusion to stable-4.4.y +References: bsc#1124166 + +The stable backport of upstream commit + + 904e14fb7cb96 KVM: VMX: make MSR bitmaps per-VCPU + +has a bug in vmx_msr_bitmap_mode(). It enables the x2apic +MSR-bitmap when the kernel emulates x2apic for the guest in +software. The upstream version of the commit checkes whether +the hardware has virtualization enabled for x2apic +emulation. + +Since KVM emulates x2apic for guests even when the host does +not support x2apic in hardware, this causes the intercept of +at least the X2APIC_TASKPRI MSR to be disabled on machines +not supporting that MSR. The result is undefined behavior, +on some machines (Intel Westmere based) it causes a crash of +the guest kernel when it tries to access that MSR. + +Change the check in vmx_msr_bitmap_mode() to match the upstream +code. This fixes the guest crashes observed with stable +kernels starting with v4.4.168 through v4.4.175. + +Signed-off-by: Joerg Roedel <jroedel@suse.de> +--- + arch/x86/kvm/vmx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index aee2886a387c..14553f6c03a6 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -4628,7 +4628,9 @@ static u8 vmx_msr_bitmap_mode(struct kvm_vcpu *vcpu) + { + u8 mode = 0; + +- if (irqchip_in_kernel(vcpu->kvm) && apic_x2apic_mode(vcpu->arch.apic)) { ++ if (cpu_has_secondary_exec_ctrls() && ++ (vmcs_read32(SECONDARY_VM_EXEC_CONTROL) & ++ SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE)) { + mode |= MSR_BITMAP_MODE_X2APIC; + if (enable_apicv) + mode |= MSR_BITMAP_MODE_X2APIC_APICV; +-- +2.16.3 + diff --git a/patches.fixes/0001-KVM-VMX-Missing-part-of-upstream-commit-904e14fb7cb9.patch b/patches.fixes/0001-KVM-VMX-Missing-part-of-upstream-commit-904e14fb7cb9.patch new file mode 100644 index 0000000000..3a0c97175f --- /dev/null +++ b/patches.fixes/0001-KVM-VMX-Missing-part-of-upstream-commit-904e14fb7cb9.patch @@ -0,0 +1,36 @@ +From c2c190f127d51fe1067687aa7bb1cd26613ba914 Mon Sep 17 00:00:00 2001 +From: Joerg Roedel <jroedel@suse.de> +Date: Thu, 21 Feb 2019 14:49:58 +0100 +Subject: [PATCH] KVM: VMX: Missing part of upstream commit 904e14fb7cb9 +Git-commit: 904e14fb7cb96401a7dc803ca2863fd5ba32ffe6 +Patch-mainline: v4.16-rc1 +References: bsc#1124166 + +Stable backport of upstream commit removed the check added +here because stable-4.4.y does not have support for per-vcpu +apicv disabling. + +SLE12-SP3 adds support for this so we need to add the check +too. + +Signed-off-by: Joerg Roedel <jroedel@suse.de> +--- + arch/x86/kvm/vmx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 14553f6c03a6..e28b67e33300 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -4632,7 +4632,7 @@ static u8 vmx_msr_bitmap_mode(struct kvm_vcpu *vcpu) + (vmcs_read32(SECONDARY_VM_EXEC_CONTROL) & + SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE)) { + mode |= MSR_BITMAP_MODE_X2APIC; +- if (enable_apicv) ++ if (enable_apicv && kvm_vcpu_apicv_active(vcpu)) + mode |= MSR_BITMAP_MODE_X2APIC_APICV; + } + +-- +2.16.3 + diff --git a/patches.kabi/kabi-protect-kfifo-include-in-hid-debug.patch b/patches.kabi/kabi-protect-kfifo-include-in-hid-debug.patch new file mode 100644 index 0000000000..b489dad6f2 --- /dev/null +++ b/patches.kabi/kabi-protect-kfifo-include-in-hid-debug.patch @@ -0,0 +1,42 @@ +From: Jiri Slaby <jslaby@suse.cz> +Subject: kABI: protect linux/kfifo.h include in hid-debug +Patch-mainline: never, kabi +References: kabi + +In 4.4.175, commit b661fff5f8a0f19824df91cc3905ba2c5b54dc87 (HID: +debug: fix the ring buffer implementation), upstream commit +13054abbaa4f1fd4e6f3b4b63439ec033b4c8035 added linux/kfifo.h include +to hid-debug.c and it made some of the symbols defined. + +Protect the include by __GENKSYMS__ to satisfy the kABI checker. + +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/hid/hid-debug.c | 2 ++ + include/linux/hid-debug.h | 2 ++ + 2 files changed, 4 insertions(+) + +--- a/drivers/hid/hid-debug.c ++++ b/drivers/hid/hid-debug.c +@@ -30,7 +30,9 @@ + + #include <linux/debugfs.h> + #include <linux/seq_file.h> ++#ifndef __GENKSYMS__ + #include <linux/kfifo.h> ++#endif + #include <linux/sched.h> + #include <linux/export.h> + #include <linux/slab.h> +--- a/include/linux/hid-debug.h ++++ b/include/linux/hid-debug.h +@@ -24,7 +24,9 @@ + + #ifdef CONFIG_DEBUG_FS + ++#ifndef __GENKSYMS__ + #include <linux/kfifo.h> ++#endif + + #define HID_DEBUG_BUFSIZE 512 + #define HID_DEBUG_FIFOSIZE 512 diff --git a/patches.kabi/kabi-protect-struct-hda_bus.patch b/patches.kabi/kabi-protect-struct-hda_bus.patch new file mode 100644 index 0000000000..b2ee7f97e5 --- /dev/null +++ b/patches.kabi/kabi-protect-struct-hda_bus.patch @@ -0,0 +1,30 @@ +From: Jiri Slaby <jslaby@suse.cz> +Subject: kABI: protect struct hda_bus +Patch-mainline: never, kabi +References: kabi + +In 4.4.175, commit 71ce2e8957ff6eed31953f54a02fc3bd083f0d26 (ALSA: hda +- Serialize codec registrations), upstream commit +305a0ade180981686eec1f92aa6252a7c6ebb1cf added a bit to struct +hda_bus. It made the kABI checker to complain. + +Given this is only an HDA's internal header, just hide the change from +the kABI checker. + +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/pci/hda/hda_codec.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/pci/hda/hda_codec.h ++++ b/sound/pci/hda/hda_codec.h +@@ -68,7 +68,9 @@ struct hda_bus { + unsigned int response_reset:1; /* controller was reset */ + unsigned int in_reset:1; /* during reset operation */ + unsigned int no_response_fallback:1; /* don't fallback at RIRB error */ ++#ifndef __GENKSYMS__ + unsigned int bus_probing :1; /* during probing process */ ++#endif + + int primary_dig_out_type; /* primary digital out PCM type */ + unsigned int mixer_assigned; /* codec addr for mixer name */ diff --git a/patches.kabi/revert-most-of-4.4.174.patch b/patches.kabi/revert-most-of-4.4.174.patch index 4e28ab44df..f2de9d895d 100644 --- a/patches.kabi/revert-most-of-4.4.174.patch +++ b/patches.kabi/revert-most-of-4.4.174.patch @@ -43,29 +43,30 @@ ca26893f05e8 (rhashtable: Add rhashtable_lookup()) 093ba72914b6 (inet: frags: add a pointer to struct netns_frags) 5eb2471ef43e (inet: frags: change inet_frags_init_net() return value) +And this 4.4.175 commit: +29c84aa9f2a2 (Documentation/network: reword kernel version reference) + Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- - Documentation/networking/ip-sysctl.txt | 13 +- - include/linux/rhashtable.h | 143 ++---- - include/linux/skbuff.h | 16 +- - include/net/inet_frag.h | 133 +++--- - include/net/ip.h | 1 + - include/net/ipv6.h | 26 +- - include/uapi/linux/snmp.h | 1 - - lib/rhashtable.c | 15 +- - net/core/skbuff.c | 21 +- - net/ieee802154/6lowpan/6lowpan_i.h | 26 +- - net/ieee802154/6lowpan/reassembly.c | 148 +++--- - net/ipv4/inet_fragment.c | 389 ++++++++++++---- - net/ipv4/ip_fragment.c | 571 +++++++++++------------- - net/ipv4/proc.c | 7 +- - net/ipv6/netfilter/nf_conntrack_reasm.c | 100 +++-- - net/ipv6/proc.c | 5 +- - net/ipv6/reassembly.c | 209 +++++---- - 17 files changed, 959 insertions(+), 865 deletions(-) + Documentation/networking/ip-sysctl.txt | 11 + include/linux/rhashtable.h | 143 +------- + include/linux/skbuff.h | 16 + include/net/inet_frag.h | 133 +++---- + include/net/ip.h | 1 + include/net/ipv6.h | 26 + + include/uapi/linux/snmp.h | 1 + lib/rhashtable.c | 15 + net/core/skbuff.c | 21 - + net/ieee802154/6lowpan/6lowpan_i.h | 26 + + net/ieee802154/6lowpan/reassembly.c | 150 ++++---- + net/ipv4/inet_fragment.c | 387 ++++++++++++++++----- + net/ipv4/ip_fragment.c | 571 ++++++++++++++------------------ + net/ipv4/proc.c | 7 + net/ipv6/netfilter/nf_conntrack_reasm.c | 96 +++-- + net/ipv6/proc.c | 5 + net/ipv6/reassembly.c | 211 +++++------ + 17 files changed, 957 insertions(+), 863 deletions(-) -diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt -index 7c229f59016f..2ea4c45cf1c8 100644 --- a/Documentation/networking/ip-sysctl.txt +++ b/Documentation/networking/ip-sysctl.txt @@ -112,11 +112,14 @@ min_adv_mss - INTEGER @@ -74,22 +75,19 @@ index 7c229f59016f..2ea4c45cf1c8 100644 -ipfrag_high_thresh - LONG INTEGER - Maximum memory used to reassemble IP fragments. -- --ipfrag_low_thresh - LONG INTEGER -- (Obsolete since linux-4.17) +ipfrag_high_thresh - INTEGER + Maximum memory used to reassemble IP fragments. When + ipfrag_high_thresh bytes of memory is allocated for this purpose, + the fragment handler will toss packets until ipfrag_low_thresh + is reached. This also serves as a maximum limit to namespaces + different from the initial one. -+ + +-ipfrag_low_thresh - LONG INTEGER +- (Obsolete since linux-4.4.174, backported from linux-4.17) +ipfrag_low_thresh - INTEGER Maximum memory used to reassemble IP fragments before the kernel begins to remove incomplete fragment queues to free up resources. The kernel still accepts new fragments for defragmentation. -diff --git a/include/linux/rhashtable.h b/include/linux/rhashtable.h -index e97cdfd6cba9..e50b31d18462 100644 --- a/include/linux/rhashtable.h +++ b/include/linux/rhashtable.h @@ -133,23 +133,23 @@ struct rhashtable_params { @@ -118,7 +116,7 @@ index e97cdfd6cba9..e50b31d18462 100644 }; /** -@@ -343,8 +343,7 @@ int rhashtable_init(struct rhashtable *ht, +@@ -343,8 +343,7 @@ int rhashtable_init(struct rhashtable *h struct bucket_table *rhashtable_insert_slow(struct rhashtable *ht, const void *key, struct rhash_head *obj, @@ -128,7 +126,7 @@ index e97cdfd6cba9..e50b31d18462 100644 int rhashtable_insert_rehash(struct rhashtable *ht, struct bucket_table *tbl); int rhashtable_walk_init(struct rhashtable *ht, struct rhashtable_iter *iter); -@@ -515,8 +514,18 @@ static inline int rhashtable_compare(struct rhashtable_compare_arg *arg, +@@ -515,8 +514,18 @@ static inline int rhashtable_compare(str return memcmp(ptr + ht->p.key_offset, arg->key, ht->p.key_len); } @@ -149,7 +147,7 @@ index e97cdfd6cba9..e50b31d18462 100644 struct rhashtable *ht, const void *key, const struct rhashtable_params params) { -@@ -528,6 +537,8 @@ static inline struct rhash_head *__rhashtable_lookup( +@@ -528,6 +537,8 @@ static inline struct rhash_head *__rhash struct rhash_head *he; unsigned int hash; @@ -236,7 +234,7 @@ index e97cdfd6cba9..e50b31d18462 100644 struct rhashtable *ht, const void *key, struct rhash_head *obj, const struct rhashtable_params params) { -@@ -615,7 +576,6 @@ static inline void *__rhashtable_insert_fast( +@@ -615,7 +576,6 @@ static inline void *__rhashtable_insert_ spinlock_t *lock; unsigned int elasticity; unsigned int hash; @@ -300,7 +298,7 @@ index e97cdfd6cba9..e50b31d18462 100644 } /** -@@ -717,13 +674,7 @@ static inline int rhashtable_insert_fast( +@@ -717,13 +674,7 @@ static inline int rhashtable_insert_fast struct rhashtable *ht, struct rhash_head *obj, const struct rhashtable_params params) { @@ -315,7 +313,7 @@ index e97cdfd6cba9..e50b31d18462 100644 } /** -@@ -752,15 +703,11 @@ static inline int rhashtable_lookup_insert_fast( +@@ -752,15 +703,11 @@ static inline int rhashtable_lookup_inse const struct rhashtable_params params) { const char *key = rht_obj(ht, obj); @@ -333,11 +331,10 @@ index e97cdfd6cba9..e50b31d18462 100644 } /** -@@ -788,32 +735,6 @@ static inline int rhashtable_lookup_insert_fast( - static inline int rhashtable_lookup_insert_key( +@@ -789,32 +736,6 @@ static inline int rhashtable_lookup_inse struct rhashtable *ht, const void *key, struct rhash_head *obj, const struct rhashtable_params params) --{ + { - void *ret; - - BUG_ON(!ht->p.obj_hashfn || !key); @@ -363,11 +360,10 @@ index e97cdfd6cba9..e50b31d18462 100644 -static inline void *rhashtable_lookup_get_insert_key( - struct rhashtable *ht, const void *key, struct rhash_head *obj, - const struct rhashtable_params params) - { +-{ BUG_ON(!ht->p.obj_hashfn || !key); -diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h -index 502787c29ce9..6d39d81d3c38 100644 + return __rhashtable_insert_fast(ht, key, obj, params); --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -556,14 +556,9 @@ struct sk_buff { @@ -387,7 +383,7 @@ index 502787c29ce9..6d39d81d3c38 100644 struct net_device *dev; /* -@@ -2278,7 +2273,7 @@ static inline void __skb_queue_purge(struct sk_buff_head *list) +@@ -2278,7 +2273,7 @@ static inline void __skb_queue_purge(str kfree_skb(skb); } @@ -396,7 +392,7 @@ index 502787c29ce9..6d39d81d3c38 100644 void *netdev_alloc_frag(unsigned int fragsz); -@@ -2796,7 +2791,6 @@ static inline unsigned char *skb_push_rcsum(struct sk_buff *skb, +@@ -2796,7 +2791,6 @@ static inline unsigned char *skb_push_rc return skb->data; } @@ -404,7 +400,7 @@ index 502787c29ce9..6d39d81d3c38 100644 /** * pskb_trim_rcsum - trim received skb and update checksum * @skb: buffer to trim -@@ -2811,7 +2805,9 @@ static inline int pskb_trim_rcsum(struct sk_buff *skb, unsigned int len) +@@ -2811,7 +2805,9 @@ static inline int pskb_trim_rcsum(struct { if (likely(len >= skb->len)) return 0; @@ -415,8 +411,6 @@ index 502787c29ce9..6d39d81d3c38 100644 } #define rb_to_skb(rb) rb_entry_safe(rb, struct sk_buff, rbnode) -diff --git a/include/net/inet_frag.h b/include/net/inet_frag.h -index 6260ec146142..c26a6e4dc306 100644 --- a/include/net/inet_frag.h +++ b/include/net/inet_frag.h @@ -1,19 +1,13 @@ @@ -627,11 +621,9 @@ index 6260ec146142..c26a6e4dc306 100644 } /* RFC 3168 support : -diff --git a/include/net/ip.h b/include/net/ip.h -index 7b968927477d..0530bcdbc212 100644 --- a/include/net/ip.h +++ b/include/net/ip.h -@@ -524,6 +524,7 @@ static inline struct sk_buff *ip_check_defrag(struct net *net, struct sk_buff *s +@@ -524,6 +524,7 @@ static inline struct sk_buff *ip_check_d return skb; } #endif @@ -639,11 +631,9 @@ index 7b968927477d..0530bcdbc212 100644 /* * Functions provided by ip_forward.c -diff --git a/include/net/ipv6.h b/include/net/ipv6.h -index c07cf9596b6f..0e01d570fa22 100644 --- a/include/net/ipv6.h +++ b/include/net/ipv6.h -@@ -320,6 +320,13 @@ static inline bool ipv6_accept_ra(struct inet6_dev *idev) +@@ -320,6 +320,13 @@ static inline bool ipv6_accept_ra(struct idev->cnf.accept_ra; } @@ -676,7 +666,7 @@ index c07cf9596b6f..0e01d570fa22 100644 /* * Equivalent of ipv4 struct ip -@@ -507,13 +523,19 @@ extern const struct rhashtable_params ip6_rhash_params; +@@ -507,13 +523,19 @@ extern const struct rhashtable_params ip struct frag_queue { struct inet_frag_queue q; @@ -697,8 +687,6 @@ index c07cf9596b6f..0e01d570fa22 100644 static inline bool ipv6_addr_any(const struct in6_addr *a) { -diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h -index 9de808ebce05..25a9ad8bcef1 100644 --- a/include/uapi/linux/snmp.h +++ b/include/uapi/linux/snmp.h @@ -55,7 +55,6 @@ enum @@ -709,11 +697,9 @@ index 9de808ebce05..25a9ad8bcef1 100644 __IPSTATS_MIB_MAX }; -diff --git a/lib/rhashtable.c b/lib/rhashtable.c -index 7bb8649429bf..37ea94b636a3 100644 --- a/lib/rhashtable.c +++ b/lib/rhashtable.c -@@ -250,10 +250,8 @@ static int rhashtable_rehash_table(struct rhashtable *ht) +@@ -250,10 +250,8 @@ static int rhashtable_rehash_table(struc if (!new_tbl) return 0; @@ -725,7 +711,7 @@ index 7bb8649429bf..37ea94b636a3 100644 /* Publish the new table pointer. */ rcu_assign_pointer(ht->tbl, new_tbl); -@@ -443,8 +441,7 @@ EXPORT_SYMBOL_GPL(rhashtable_insert_rehash); +@@ -443,8 +441,7 @@ EXPORT_SYMBOL_GPL(rhashtable_insert_reha struct bucket_table *rhashtable_insert_slow(struct rhashtable *ht, const void *key, struct rhash_head *obj, @@ -735,7 +721,7 @@ index 7bb8649429bf..37ea94b636a3 100644 { struct rhash_head *head; unsigned int hash; -@@ -455,11 +452,8 @@ struct bucket_table *rhashtable_insert_slow(struct rhashtable *ht, +@@ -455,11 +452,8 @@ struct bucket_table *rhashtable_insert_s spin_lock_nested(rht_bucket_lock(tbl, hash), SINGLE_DEPTH_NESTING); err = -EEXIST; @@ -749,7 +735,7 @@ index 7bb8649429bf..37ea94b636a3 100644 err = -E2BIG; if (unlikely(rht_grow_above_max(ht, tbl))) -@@ -844,7 +838,6 @@ void rhashtable_free_and_destroy(struct rhashtable *ht, +@@ -844,7 +838,6 @@ void rhashtable_free_and_destroy(struct for (i = 0; i < tbl->size; i++) { struct rhash_head *pos, *next; @@ -757,8 +743,6 @@ index 7bb8649429bf..37ea94b636a3 100644 for (pos = rht_dereference(tbl->buckets[i], ht), next = !rht_is_a_nulls(pos) ? rht_dereference(pos->next, ht) : NULL; -diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index fea7c24e99d0..8a57bbaf7452 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -1502,21 +1502,6 @@ done: @@ -812,11 +796,9 @@ index fea7c24e99d0..8a57bbaf7452 100644 } /** -diff --git a/net/ieee802154/6lowpan/6lowpan_i.h b/net/ieee802154/6lowpan/6lowpan_i.h -index fdbebe51446f..b4e17a7c0df0 100644 --- a/net/ieee802154/6lowpan/6lowpan_i.h +++ b/net/ieee802154/6lowpan/6lowpan_i.h -@@ -16,19 +16,37 @@ typedef unsigned __bitwise__ lowpan_rx_result; +@@ -16,19 +16,37 @@ typedef unsigned __bitwise__ lowpan_rx_r #define LOWPAN_DISPATCH_FRAG1 0xc0 #define LOWPAN_DISPATCH_FRAGN 0xe0 @@ -858,8 +840,6 @@ index fdbebe51446f..b4e17a7c0df0 100644 /* private device info */ struct lowpan_dev_info { struct net_device *wdev; /* wpan device ptr */ -diff --git a/net/ieee802154/6lowpan/reassembly.c b/net/ieee802154/6lowpan/reassembly.c -index 6183730d38db..12e8cf4bda9f 100644 --- a/net/ieee802154/6lowpan/reassembly.c +++ b/net/ieee802154/6lowpan/reassembly.c @@ -37,15 +37,47 @@ static struct inet_frags lowpan_frags; @@ -913,7 +893,7 @@ index 6183730d38db..12e8cf4bda9f 100644 } static void lowpan_frag_expire(unsigned long data) -@@ -61,10 +93,10 @@ static void lowpan_frag_expire(unsigned long data) +@@ -61,10 +93,10 @@ static void lowpan_frag_expire(unsigned if (fq->q.flags & INET_FRAG_COMPLETE) goto out; @@ -926,7 +906,7 @@ index 6183730d38db..12e8cf4bda9f 100644 } static inline struct lowpan_frag_queue * -@@ -72,20 +104,25 @@ fq_find(struct net *net, const struct lowpan_802154_cb *cb, +@@ -72,20 +104,25 @@ fq_find(struct net *net, const struct lo const struct ieee802154_addr *src, const struct ieee802154_addr *dst) { @@ -942,26 +922,27 @@ index 6183730d38db..12e8cf4bda9f 100644 - key.d_size = cb->d_size; - key.src = *src; - key.dst = *dst; +- +- q = inet_frag_find(&ieee802154_lowpan->frags, &key); +- if (!q) + arg.tag = cb->d_tag; + arg.d_size = cb->d_size; + arg.src = src; + arg.dst = dst; - -- q = inet_frag_find(&ieee802154_lowpan->frags, &key); -- if (!q) -- return NULL; ++ + hash = lowpan_hash_frag(cb->d_tag, cb->d_size, src, dst); - ++ + q = inet_frag_find(&ieee802154_lowpan->frags, + &lowpan_frags, &arg, hash); + if (IS_ERR_OR_NULL(q)) { + inet_frag_maybe_warn_overflow(q, pr_fmt()); -+ return NULL; + return NULL; +- + } return container_of(q, struct lowpan_frag_queue, q); } -@@ -192,7 +229,7 @@ static int lowpan_frag_reasm(struct lowpan_frag_queue *fq, struct sk_buff *prev, +@@ -192,7 +229,7 @@ static int lowpan_frag_reasm(struct lowp struct sk_buff *fp, *head = fq->q.fragments; int sum_truesize; @@ -970,7 +951,7 @@ index 6183730d38db..12e8cf4bda9f 100644 /* Make the one we just received the head. */ if (prev) { -@@ -371,7 +408,7 @@ int lowpan_frag_rcv(struct sk_buff *skb, u8 frag_type) +@@ -371,7 +408,7 @@ int lowpan_frag_rcv(struct sk_buff *skb, struct lowpan_frag_queue *fq; struct net *net = dev_net(skb->dev); struct lowpan_802154_cb *cb = lowpan_802154_cb(skb); @@ -979,7 +960,7 @@ index 6183730d38db..12e8cf4bda9f 100644 int err; if (ieee802154_hdr_peek_addrs(skb, &hdr) < 0) -@@ -400,7 +437,7 @@ int lowpan_frag_rcv(struct sk_buff *skb, u8 frag_type) +@@ -400,7 +437,7 @@ int lowpan_frag_rcv(struct sk_buff *skb, ret = lowpan_frag_queue(fq, skb, frag_type); spin_unlock(&fq->q.lock); @@ -1017,7 +998,7 @@ index 6183730d38db..12e8cf4bda9f 100644 .extra2 = &init_net.ieee802154_lowpan.frags.high_thresh }, { -@@ -541,20 +580,14 @@ static int __net_init lowpan_frags_init_net(struct net *net) +@@ -541,20 +580,14 @@ static int __net_init lowpan_frags_init_ { struct netns_ieee802154_lowpan *ieee802154_lowpan = net_ieee802154_lowpan(net); @@ -1041,7 +1022,7 @@ index 6183730d38db..12e8cf4bda9f 100644 } static void __net_exit lowpan_frags_exit_net(struct net *net) -@@ -563,7 +596,7 @@ static void __net_exit lowpan_frags_exit_net(struct net *net) +@@ -563,7 +596,7 @@ static void __net_exit lowpan_frags_exit net_ieee802154_lowpan(net); lowpan_frags_ns_sysctl_unregister(net); @@ -1050,7 +1031,7 @@ index 6183730d38db..12e8cf4bda9f 100644 } static struct pernet_operations lowpan_frags_ops = { -@@ -571,64 +604,33 @@ static struct pernet_operations lowpan_frags_ops = { +@@ -571,64 +604,33 @@ static struct pernet_operations lowpan_f .exit = lowpan_frags_exit_net, }; @@ -1106,7 +1087,7 @@ index 6183730d38db..12e8cf4bda9f 100644 lowpan_frags.frags_cache_name = lowpan_frags_cache_name; - lowpan_frags.rhash_params = lowpan_rhash_params; ret = inet_frags_init(&lowpan_frags); -- if (ret) + if (ret) - goto out; - - ret = lowpan_frags_sysctl_register(); @@ -1114,7 +1095,7 @@ index 6183730d38db..12e8cf4bda9f 100644 - goto err_sysctl; - - ret = register_pernet_subsys(&lowpan_frags_ops); - if (ret) +- if (ret) goto err_pernet; -out: + @@ -1126,8 +1107,6 @@ index 6183730d38db..12e8cf4bda9f 100644 return ret; } -diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c -index c03e5f5859e1..b2001b20e029 100644 --- a/net/ipv4/inet_fragment.c +++ b/net/ipv4/inet_fragment.c @@ -25,6 +25,12 @@ @@ -1402,7 +1381,7 @@ index c03e5f5859e1..b2001b20e029 100644 atomic_dec(&fq->refcnt); } } -@@ -119,23 +294,11 @@ static inline void frag_kfree_skb(struct netns_frags *nf, struct inet_frags *f, +@@ -119,23 +294,11 @@ static inline void frag_kfree_skb(struct kfree_skb(skb); } @@ -1427,7 +1406,7 @@ index c03e5f5859e1..b2001b20e029 100644 WARN_ON(!(q->flags & INET_FRAG_COMPLETE)); WARN_ON(del_timer(&q->timer) != 0); -@@ -143,35 +306,64 @@ void inet_frag_destroy(struct inet_frag_queue *q) +@@ -143,35 +306,64 @@ void inet_frag_destroy(struct inet_frag_ /* Release all fragment data. */ fp = q->fragments; nf = q->net; @@ -1507,7 +1486,7 @@ index c03e5f5859e1..b2001b20e029 100644 q = kmem_cache_zalloc(f->frags_cachep, GFP_ATOMIC); if (!q) return NULL; -@@ -182,52 +374,75 @@ static struct inet_frag_queue *inet_frag_alloc(struct netns_frags *nf, +@@ -182,52 +374,75 @@ static struct inet_frag_queue *inet_frag setup_timer(&q->timer, f->frag_expire, (unsigned long)q); spin_lock_init(&q->lock); @@ -1529,21 +1508,20 @@ index c03e5f5859e1..b2001b20e029 100644 q = inet_frag_alloc(nf, f, arg); - if (!q) { - *prev = ERR_PTR(-ENOMEM); -- return NULL; ++ if (!q) + return NULL; - } - mod_timer(&q->timer, jiffies + nf->timeout); -- + - *prev = rhashtable_lookup_get_insert_key(&nf->rhashtable, &q->key, - &q->node, f->rhash_params); - if (*prev) { - q->flags |= INET_FRAG_COMPLETE; - inet_frag_kill(q); - inet_frag_destroy(q); -+ if (!q) - return NULL; +- return NULL; - } - return q; -+ + return inet_frag_intern(nf, q, f, arg); } -EXPORT_SYMBOL(inet_frag_create); @@ -1558,11 +1536,21 @@ index c03e5f5859e1..b2001b20e029 100644 + struct inet_frag_bucket *hb; + struct inet_frag_queue *q; + int depth = 0; -+ + +- rcu_read_lock(); +- prev = rhashtable_lookup(&nf->rhashtable, key, nf->f->rhash_params); +- if (!prev) +- fq = inet_frag_create(nf, key, &prev); +- if (prev && !IS_ERR(prev)) { +- fq = prev; +- if (!atomic_inc_not_zero(&fq->refcnt)) +- fq = NULL; + if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) { + inet_frag_schedule_worker(f); + return NULL; -+ } + } +- rcu_read_unlock(); +- return fq; + + if (frag_mem_limit(nf) > nf->low_thresh) + inet_frag_schedule_worker(f); @@ -1583,22 +1571,12 @@ index c03e5f5859e1..b2001b20e029 100644 + + if (depth <= INETFRAGS_MAXDEPTH) + return inet_frag_create(nf, f, key); - -- rcu_read_lock(); -- prev = rhashtable_lookup(&nf->rhashtable, key, nf->f->rhash_params); -- if (!prev) -- fq = inet_frag_create(nf, key, &prev); -- if (prev && !IS_ERR(prev)) { -- fq = prev; -- if (!atomic_inc_not_zero(&fq->refcnt)) -- fq = NULL; ++ + if (inet_frag_may_rebuild(f)) { + if (!f->rebuild) + f->rebuild = true; + inet_frag_schedule_worker(f); - } -- rcu_read_unlock(); -- return fq; ++ } + + return ERR_PTR(-ENOBUFS); } @@ -1615,8 +1593,6 @@ index c03e5f5859e1..b2001b20e029 100644 + net_dbg_ratelimited("%s%s", prefix, msg); +} +EXPORT_SYMBOL(inet_frag_maybe_warn_overflow); -diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c -index 9b09a9b5a4fe..72915658a6b1 100644 --- a/net/ipv4/ip_fragment.c +++ b/net/ipv4/ip_fragment.c @@ -58,64 +58,27 @@ @@ -1713,7 +1689,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644 + u32 user; + int vif; +}; - ++ +static unsigned int ipqhashfn(__be16 id, __be32 saddr, __be32 daddr, u8 prot) +{ + net_get_random_once(&ip4_frags.rnd, sizeof(ip4_frags.rnd)); @@ -1734,7 +1710,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644 +{ + const struct ipq *qp; + const struct ip4_create_arg *arg = a; -+ + + qp = container_of(q, struct ipq, q); + return qp->id == arg->iph->id && + qp->saddr == arg->iph->saddr && @@ -1746,7 +1722,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644 static void ip4_frag_init(struct inet_frag_queue *q, const void *a) { -@@ -138,12 +141,17 @@ static void ip4_frag_init(struct inet_frag_queue *q, const void *a) +@@ -138,12 +141,17 @@ static void ip4_frag_init(struct inet_fr frags); struct net *net = container_of(ipv4, struct net, ipv4); @@ -1768,7 +1744,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644 NULL; } -@@ -161,7 +169,7 @@ static void ip4_frag_free(struct inet_frag_queue *q) +@@ -161,7 +169,7 @@ static void ip4_frag_free(struct inet_fr static void ipq_put(struct ipq *ipq) { @@ -1786,7 +1762,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644 } static bool frag_expire_skip_icmp(u32 user) -@@ -186,11 +194,8 @@ static bool frag_expire_skip_icmp(u32 user) +@@ -186,11 +194,8 @@ static bool frag_expire_skip_icmp(u32 us */ static void ip_expire(unsigned long arg) { @@ -1914,22 +1890,22 @@ index 9b09a9b5a4fe..72915658a6b1 100644 - q = inet_frag_find(&net->ipv4.frags, &key); - if (!q) -- return NULL; + arg.iph = iph; + arg.user = user; + arg.vif = vif; + + hash = ipqhashfn(iph->id, iph->saddr, iph->daddr, iph->protocol); - ++ + q = inet_frag_find(&net->ipv4.frags, &ip4_frags, &arg, hash); + if (IS_ERR_OR_NULL(q)) { + inet_frag_maybe_warn_overflow(q, pr_fmt()); -+ return NULL; + return NULL; +- + } return container_of(q, struct ipq, q); } -@@ -304,7 +296,7 @@ static int ip_frag_too_far(struct ipq *qp) +@@ -304,7 +296,7 @@ static int ip_frag_too_far(struct ipq *q end = atomic_inc_return(&peer->rid); qp->rid = end; @@ -1938,7 +1914,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644 if (rc) { struct net *net; -@@ -318,6 +310,7 @@ static int ip_frag_too_far(struct ipq *qp) +@@ -318,6 +310,7 @@ static int ip_frag_too_far(struct ipq *q static int ip_frag_reinit(struct ipq *qp) { @@ -1946,7 +1922,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644 unsigned int sum_truesize = 0; if (!mod_timer(&qp->q.timer, jiffies + qp->q.net->timeout)) { -@@ -325,16 +318,21 @@ static int ip_frag_reinit(struct ipq *qp) +@@ -325,16 +318,21 @@ static int ip_frag_reinit(struct ipq *qp return -ETIMEDOUT; } @@ -1971,7 +1947,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644 qp->iif = 0; qp->ecn = 0; -@@ -344,13 +342,11 @@ static int ip_frag_reinit(struct ipq *qp) +@@ -344,13 +342,11 @@ static int ip_frag_reinit(struct ipq *qp /* Add new segment to existing queue. */ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb) { @@ -1987,7 +1963,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644 int err = -ENOENT; u8 ecn; -@@ -409,68 +405,94 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb) +@@ -409,68 +405,94 @@ static int ip_frag_queue(struct ipq *qp, if (err) goto err; @@ -2008,7 +1984,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644 + /* Find out which fragments are in front and at the back of us + * in the chain of fragments so far. We must know where to put + * this fragment, right? - */ ++ */ + prev = qp->q.fragments_tail; + if (!prev || FRAG_CB(prev)->offset < offset) { + next = NULL; @@ -2020,6 +1996,14 @@ index 9b09a9b5a4fe..72915658a6b1 100644 + break; /* bingo! */ + prev = next; + } ++ ++found: ++ /* We found where to put this one. Check for overlap with ++ * preceding fragment, and, if needed, align things so that ++ * any overlaps are eliminated. + */ ++ if (prev) { ++ int i = (FRAG_CB(prev)->offset + prev->len) - offset; - err = -EINVAL; - /* Find out where to put this fragment. */ @@ -2052,14 +2036,6 @@ index 9b09a9b5a4fe..72915658a6b1 100644 - else if (offset >= skb1->ip_defrag_offset && - end <= skb1_run_end) - goto err; /* No new data, potential duplicate */ -+found: -+ /* We found where to put this one. Check for overlap with -+ * preceding fragment, and, if needed, align things so that -+ * any overlaps are eliminated. -+ */ -+ if (prev) { -+ int i = (FRAG_CB(prev)->offset + prev->len) - offset; -+ + if (i > 0) { + offset += i; + err = -EINVAL; @@ -2138,7 +2114,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644 qp->q.stamp = skb->tstamp; qp->q.meat += skb->len; qp->ecn |= ecn; -@@ -492,7 +514,7 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb) +@@ -492,7 +514,7 @@ static int ip_frag_queue(struct ipq *qp, unsigned long orefdst = skb->_skb_refdst; skb->_skb_refdst = 0UL; @@ -2147,7 +2123,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644 skb->_skb_refdst = orefdst; return err; } -@@ -500,23 +522,20 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb) +@@ -500,23 +522,20 @@ static int ip_frag_queue(struct ipq *qp, skb_dst_drop(skb); return -EINPROGRESS; @@ -2176,7 +2152,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644 int len; int ihlen; int err; -@@ -530,27 +549,26 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *skb, +@@ -530,27 +549,26 @@ static int ip_frag_reasm(struct ipq *qp, goto out_fail; } /* Make the one we just received the head. */ @@ -2219,7 +2195,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644 /* Allocate a new buffer for the datagram. */ ihlen = ip_hdrlen(head); -@@ -574,61 +592,35 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *skb, +@@ -574,61 +592,35 @@ static int ip_frag_reasm(struct ipq *qp, clone = alloc_skb(0, GFP_ATOMIC); if (!clone) goto out_nomem; @@ -2294,7 +2270,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644 head->dev = dev; head->tstamp = qp->q.stamp; IPCB(head)->frag_max_size = max(qp->max_df_size, qp->q.max_size); -@@ -656,9 +648,7 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *skb, +@@ -656,9 +648,7 @@ static int ip_frag_reasm(struct ipq *qp, IP_INC_STATS_BH(net, IPSTATS_MIB_REASMOKS); qp->q.fragments = NULL; @@ -2313,7 +2289,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644 out_fail: IP_INC_STATS_BH(net, IPSTATS_MIB_REASMFAILS); return err; -@@ -744,46 +734,25 @@ struct sk_buff *ip_check_defrag(struct net *net, struct sk_buff *skb, u32 user) +@@ -744,46 +734,25 @@ struct sk_buff *ip_check_defrag(struct n } EXPORT_SYMBOL(ip_check_defrag); @@ -2366,7 +2342,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644 .extra2 = &init_net.ipv4.frags.high_thresh }, { -@@ -812,7 +781,7 @@ static struct ctl_table ip4_frags_ctl_table[] = { +@@ -812,7 +781,7 @@ static struct ctl_table ip4_frags_ctl_ta .maxlen = sizeof(int), .mode = 0644, .proc_handler = proc_dointvec_minmax, @@ -2375,7 +2351,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644 }, { } }; -@@ -884,8 +853,6 @@ static void __init ip4_frags_ctl_register(void) +@@ -884,8 +853,6 @@ static void __init ip4_frags_ctl_registe static int __net_init ipv4_frags_init_net(struct net *net) { @@ -2384,7 +2360,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644 /* Fragment cache limits. * * The fragment memory accounting code, (tries to) account for -@@ -909,21 +876,15 @@ static int __net_init ipv4_frags_init_net(struct net *net) +@@ -909,21 +876,15 @@ static int __net_init ipv4_frags_init_ne */ net->ipv4.frags.timeout = IP_FRAG_TIME; @@ -2409,7 +2385,7 @@ index 9b09a9b5a4fe..72915658a6b1 100644 } static struct pernet_operations ip4_frags_ops = { -@@ -931,50 +892,18 @@ static struct pernet_operations ip4_frags_ops = { +@@ -931,50 +892,18 @@ static struct pernet_operations ip4_frag .exit = ipv4_frags_exit_net, }; @@ -2464,8 +2440,6 @@ index 9b09a9b5a4fe..72915658a6b1 100644 - ip4_frags_ctl_register(); - register_pernet_subsys(&ip4_frags_ops); } -diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c -index b001ad668108..3abd9d7a3adf 100644 --- a/net/ipv4/proc.c +++ b/net/ipv4/proc.c @@ -52,6 +52,7 @@ @@ -2476,7 +2450,7 @@ index b001ad668108..3abd9d7a3adf 100644 int orphans, sockets; local_bh_disable(); -@@ -71,9 +72,8 @@ static int sockstat_seq_show(struct seq_file *seq, void *v) +@@ -71,9 +72,8 @@ static int sockstat_seq_show(struct seq_ sock_prot_inuse_get(net, &udplite_prot)); seq_printf(seq, "RAW: inuse %d\n", sock_prot_inuse_get(net, &raw_prot)); @@ -2488,7 +2462,7 @@ index b001ad668108..3abd9d7a3adf 100644 return 0; } -@@ -132,7 +132,6 @@ static const struct snmp_mib snmp4_ipextstats_list[] = { +@@ -132,7 +132,6 @@ static const struct snmp_mib snmp4_ipext SNMP_MIB_ITEM("InECT1Pkts", IPSTATS_MIB_ECT1PKTS), SNMP_MIB_ITEM("InECT0Pkts", IPSTATS_MIB_ECT0PKTS), SNMP_MIB_ITEM("InCEPkts", IPSTATS_MIB_CEPKTS), @@ -2496,8 +2470,6 @@ index b001ad668108..3abd9d7a3adf 100644 SNMP_MIB_SENTINEL }; -diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c -index 664c84e47bab..5a9ae56e7868 100644 --- a/net/ipv6/netfilter/nf_conntrack_reasm.c +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c @@ -64,6 +64,7 @@ struct nf_ct_frag6_skb_cb @@ -2508,7 +2480,7 @@ index 664c84e47bab..5a9ae56e7868 100644 static struct ctl_table nf_ct_frag6_sysctl_table[] = { { -@@ -76,17 +77,18 @@ static struct ctl_table nf_ct_frag6_sysctl_table[] = { +@@ -76,17 +77,18 @@ static struct ctl_table nf_ct_frag6_sysc { .procname = "nf_conntrack_frag6_low_thresh", .data = &init_net.nf_frag.frags.low_thresh, @@ -2531,7 +2503,7 @@ index 664c84e47bab..5a9ae56e7868 100644 .extra1 = &init_net.nf_frag.frags.low_thresh }, { } -@@ -151,6 +153,23 @@ static inline u8 ip6_frag_ecn(const struct ipv6hdr *ipv6h) +@@ -151,6 +153,23 @@ static inline u8 ip6_frag_ecn(const stru return 1 << (ipv6_get_dsfield(ipv6h) & INET_ECN_MASK); } @@ -2555,7 +2527,7 @@ index 664c84e47bab..5a9ae56e7868 100644 static void nf_skb_free(struct sk_buff *skb) { if (NFCT_FRAG6_CB(skb)->orig) -@@ -165,26 +184,34 @@ static void nf_ct_frag6_expire(unsigned long data) +@@ -165,26 +184,34 @@ static void nf_ct_frag6_expire(unsigned fq = container_of((struct inet_frag_queue *)data, struct frag_queue, q); net = container_of(fq->q.net, struct net, nf_frag.frags); @@ -2578,12 +2550,11 @@ index 664c84e47bab..5a9ae56e7868 100644 - .iif = iif, - }; struct inet_frag_queue *q; -- -- q = inet_frag_find(&net->nf_frag.frags, &key); -- if (!q) + struct ip6_create_arg arg; + unsigned int hash; -+ + +- q = inet_frag_find(&net->nf_frag.frags, &key); +- if (!q) + arg.id = id; + arg.user = user; + arg.src = src; @@ -2613,7 +2584,7 @@ index 664c84e47bab..5a9ae56e7868 100644 err: return -1; } -@@ -356,7 +383,7 @@ nf_ct_frag6_reasm(struct frag_queue *fq, struct net_device *dev) +@@ -356,7 +383,7 @@ nf_ct_frag6_reasm(struct frag_queue *fq, int payload_len; u8 ecn; @@ -2622,7 +2593,7 @@ index 664c84e47bab..5a9ae56e7868 100644 WARN_ON(head == NULL); WARN_ON(NFCT_FRAG6_CB(head)->offset != 0); -@@ -427,7 +454,6 @@ nf_ct_frag6_reasm(struct frag_queue *fq, struct net_device *dev) +@@ -427,7 +454,6 @@ nf_ct_frag6_reasm(struct frag_queue *fq, else if (head->ip_summed == CHECKSUM_COMPLETE) head->csum = csum_add(head->csum, fp->csum); head->truesize += fp->truesize; @@ -2630,7 +2601,7 @@ index 664c84e47bab..5a9ae56e7868 100644 } sub_frag_mem_limit(fq->q.net, head->truesize); -@@ -446,7 +472,6 @@ nf_ct_frag6_reasm(struct frag_queue *fq, struct net_device *dev) +@@ -446,7 +472,6 @@ nf_ct_frag6_reasm(struct frag_queue *fq, head->csum); fq->q.fragments = NULL; @@ -2638,7 +2609,7 @@ index 664c84e47bab..5a9ae56e7868 100644 fq->q.fragments_tail = NULL; /* all original skbs are linked into the NFCT_FRAG6_CB(head).orig */ -@@ -576,13 +601,9 @@ struct sk_buff *nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 use +@@ -576,13 +601,9 @@ struct sk_buff *nf_ct_frag6_gather(struc hdr = ipv6_hdr(clone); fhdr = (struct frag_hdr *)skb_transport_header(clone); @@ -2654,7 +2625,7 @@ index 664c84e47bab..5a9ae56e7868 100644 if (fq == NULL) { pr_debug("Can't find and can't create new queue\n"); goto ret_orig; -@@ -593,7 +614,7 @@ struct sk_buff *nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 use +@@ -593,7 +614,7 @@ struct sk_buff *nf_ct_frag6_gather(struc if (nf_ct_frag6_queue(fq, clone, fhdr, nhoff) < 0) { spin_unlock_bh(&fq->q.lock); pr_debug("Can't insert skb to queue\n"); @@ -2663,7 +2634,7 @@ index 664c84e47bab..5a9ae56e7868 100644 goto ret_orig; } -@@ -605,7 +626,7 @@ struct sk_buff *nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 use +@@ -605,7 +626,7 @@ struct sk_buff *nf_ct_frag6_gather(struc } spin_unlock_bh(&fq->q.lock); @@ -2672,7 +2643,7 @@ index 664c84e47bab..5a9ae56e7868 100644 return ret_skb; ret_orig: -@@ -629,26 +650,18 @@ EXPORT_SYMBOL_GPL(nf_ct_frag6_consume_orig); +@@ -629,26 +650,18 @@ EXPORT_SYMBOL_GPL(nf_ct_frag6_consume_or static int nf_ct_net_init(struct net *net) { @@ -2682,7 +2653,8 @@ index 664c84e47bab..5a9ae56e7868 100644 net->nf_frag.frags.low_thresh = IPV6_FRAG_LOW_THRESH; net->nf_frag.frags.timeout = IPV6_FRAG_TIMEOUT; - net->nf_frag.frags.f = &nf_frags; -- ++ inet_frags_init_net(&net->nf_frag.frags); + - res = inet_frags_init_net(&net->nf_frag.frags); - if (res < 0) - return res; @@ -2690,8 +2662,6 @@ index 664c84e47bab..5a9ae56e7868 100644 - if (res < 0) - inet_frags_exit_net(&net->nf_frag.frags); - return res; -+ inet_frags_init_net(&net->nf_frag.frags); -+ + return nf_ct_frag6_sysctl_register(net); } @@ -2719,8 +2689,6 @@ index 664c84e47bab..5a9ae56e7868 100644 ret = inet_frags_init(&nf_frags); if (ret) goto out; -diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c -index 73e766e7bc37..679253d0af84 100644 --- a/net/ipv6/proc.c +++ b/net/ipv6/proc.c @@ -33,6 +33,7 @@ @@ -2731,7 +2699,7 @@ index 73e766e7bc37..679253d0af84 100644 seq_printf(seq, "TCP6: inuse %d\n", sock_prot_inuse_get(net, &tcpv6_prot)); -@@ -42,9 +43,7 @@ static int sockstat6_seq_show(struct seq_file *seq, void *v) +@@ -42,9 +43,7 @@ static int sockstat6_seq_show(struct seq sock_prot_inuse_get(net, &udplitev6_prot)); seq_printf(seq, "RAW6: inuse %d\n", sock_prot_inuse_get(net, &rawv6_prot)); @@ -2742,8 +2710,6 @@ index 73e766e7bc37..679253d0af84 100644 return 0; } -diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c -index ec917f58d105..58f2139ebb5e 100644 --- a/net/ipv6/reassembly.c +++ b/net/ipv6/reassembly.c @@ -79,58 +79,94 @@ static struct inet_frags ip6_frags; @@ -2863,7 +2829,7 @@ index ec917f58d105..58f2139ebb5e 100644 } EXPORT_SYMBOL(ip6_expire_frag_queue); -@@ -142,29 +178,31 @@ static void ip6_frag_expire(unsigned long data) +@@ -142,29 +178,31 @@ static void ip6_frag_expire(unsigned lon fq = container_of((struct inet_frag_queue *)data, struct frag_queue, q); net = container_of(fq->q.net, struct net, ipv6.frags); @@ -2890,22 +2856,23 @@ index ec917f58d105..58f2139ebb5e 100644 - if (!(ipv6_addr_type(&hdr->daddr) & (IPV6_ADDR_MULTICAST | - IPV6_ADDR_LINKLOCAL))) - key.iif = 0; +- +- q = inet_frag_find(&net->ipv6.frags, &key); +- if (!q) + arg.id = id; + arg.user = IP6_DEFRAG_LOCAL_DELIVER; + arg.src = src; + arg.dst = dst; + arg.iif = iif; + arg.ecn = ecn; - -- q = inet_frag_find(&net->ipv6.frags, &key); -- if (!q) -- return NULL; ++ + hash = inet6_hash_frag(id, src, dst); - ++ + q = inet_frag_find(&net->ipv6.frags, &ip6_frags, &arg, hash); + if (IS_ERR_OR_NULL(q)) { + inet_frag_maybe_warn_overflow(q, pr_fmt()); -+ return NULL; + return NULL; +- + } return container_of(q, struct frag_queue, q); } @@ -2919,7 +2886,7 @@ index ec917f58d105..58f2139ebb5e 100644 err: IP6_INC_STATS_BH(net, ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_REASMFAILS); -@@ -348,7 +386,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev, +@@ -348,7 +386,7 @@ static int ip6_frag_reasm(struct frag_qu int sum_truesize; u8 ecn; @@ -2928,7 +2895,7 @@ index ec917f58d105..58f2139ebb5e 100644 ecn = ip_frag_ecn_table[fq->ecn]; if (unlikely(ecn == 0xff)) -@@ -465,7 +503,6 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev, +@@ -465,7 +503,6 @@ static int ip6_frag_reasm(struct frag_qu IP6_INC_STATS_BH(net, __in6_dev_get(dev), IPSTATS_MIB_REASMOKS); rcu_read_unlock(); fq->q.fragments = NULL; @@ -2936,7 +2903,7 @@ index ec917f58d105..58f2139ebb5e 100644 fq->q.fragments_tail = NULL; return 1; -@@ -487,7 +524,6 @@ static int ipv6_frag_rcv(struct sk_buff *skb) +@@ -487,7 +524,6 @@ static int ipv6_frag_rcv(struct sk_buff struct frag_queue *fq; const struct ipv6hdr *hdr = ipv6_hdr(skb); struct net *net = dev_net(skb_dst(skb)->dev); @@ -2944,7 +2911,7 @@ index ec917f58d105..58f2139ebb5e 100644 if (IP6CB(skb)->flags & IP6SKB_FRAGMENTED) goto fail_hdr; -@@ -516,22 +552,17 @@ static int ipv6_frag_rcv(struct sk_buff *skb) +@@ -516,22 +552,17 @@ static int ipv6_frag_rcv(struct sk_buff return 1; } @@ -2970,7 +2937,7 @@ index ec917f58d105..58f2139ebb5e 100644 return ret; } -@@ -552,22 +583,24 @@ static const struct inet6_protocol frag_protocol = { +@@ -552,22 +583,24 @@ static const struct inet6_protocol frag_ }; #ifdef CONFIG_SYSCTL @@ -2999,7 +2966,7 @@ index ec917f58d105..58f2139ebb5e 100644 .extra2 = &init_net.ipv6.frags.high_thresh }, { -@@ -675,27 +708,19 @@ static void ip6_frags_sysctl_unregister(void) +@@ -675,27 +708,19 @@ static void ip6_frags_sysctl_unregister( static int __net_init ipv6_frags_init_net(struct net *net) { @@ -3030,7 +2997,7 @@ index ec917f58d105..58f2139ebb5e 100644 } static struct pernet_operations ip6_frags_ops = { -@@ -703,54 +728,13 @@ static struct pernet_operations ip6_frags_ops = { +@@ -703,54 +728,13 @@ static struct pernet_operations ip6_frag .exit = ipv6_frags_exit_net, }; @@ -3113,6 +3080,3 @@ index ec917f58d105..58f2139ebb5e 100644 goto out; } --- -2.20.1 - diff --git a/patches.kernel.org/4.4.175-001-drm-bufs-Fix-Spectre-v1-vulnerability.patch b/patches.kernel.org/4.4.175-001-drm-bufs-Fix-Spectre-v1-vulnerability.patch new file mode 100644 index 0000000000..ff9e0b49bd --- /dev/null +++ b/patches.kernel.org/4.4.175-001-drm-bufs-Fix-Spectre-v1-vulnerability.patch @@ -0,0 +1,58 @@ +From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> +Date: Tue, 16 Oct 2018 11:55:49 +0200 +Subject: [PATCH] drm/bufs: Fix Spectre v1 vulnerability +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: a37805098900a6e73a55b3a43b7d3bcd987bb3f4 + +[ Upstream commit a37805098900a6e73a55b3a43b7d3bcd987bb3f4 ] + +idx can be indirectly controlled by user-space, hence leading to a +potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +drivers/gpu/drm/drm_bufs.c:1420 drm_legacy_freebufs() warn: potential +spectre issue 'dma->buflist' [r] (local cap) + +Fix this by sanitizing idx before using it to index dma->buflist + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> +Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> +Link: https://patchwork.freedesktop.org/patch/msgid/20181016095549.GA23586@embeddedor.com +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/gpu/drm/drm_bufs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c +index f1a204d253cc..ac22b8d86249 100644 +--- a/drivers/gpu/drm/drm_bufs.c ++++ b/drivers/gpu/drm/drm_bufs.c +@@ -36,6 +36,8 @@ + #include <drm/drmP.h> + #include "drm_legacy.h" + ++#include <linux/nospec.h> ++ + static struct drm_map_list *drm_find_matching_map(struct drm_device *dev, + struct drm_local_map *map) + { +@@ -1332,6 +1334,7 @@ int drm_legacy_freebufs(struct drm_device *dev, void *data, + idx, dma->buf_count - 1); + return -EINVAL; + } ++ idx = array_index_nospec(idx, dma->buf_count); + buf = dma->buflist[idx]; + if (buf->file_priv != file_priv) { + DRM_ERROR("Process %d freeing buffer not owned\n", +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-002-staging-iio-adc-ad7280a-handle-error-from-__a.patch b/patches.kernel.org/4.4.175-002-staging-iio-adc-ad7280a-handle-error-from-__a.patch new file mode 100644 index 0000000000..1913ac25cd --- /dev/null +++ b/patches.kernel.org/4.4.175-002-staging-iio-adc-ad7280a-handle-error-from-__a.patch @@ -0,0 +1,74 @@ +From: Slawomir Stepien <sst@poczta.fm> +Date: Sat, 20 Oct 2018 23:04:11 +0200 +Subject: [PATCH] staging: iio: adc: ad7280a: handle error from + __ad7280_read32() +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 0559ef7fde67bc6c83c6eb6329dbd6649528263e + +[ Upstream commit 0559ef7fde67bc6c83c6eb6329dbd6649528263e ] + +Inside __ad7280_read32(), the spi_sync_transfer() can fail with negative +error code. This change will ensure that this error is being passed up +in the call stack, so it can be handled. + +Signed-off-by: Slawomir Stepien <sst@poczta.fm> +Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/staging/iio/adc/ad7280a.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/staging/iio/adc/ad7280a.c b/drivers/staging/iio/adc/ad7280a.c +index 35acb1a4669b..db8390022732 100644 +--- a/drivers/staging/iio/adc/ad7280a.c ++++ b/drivers/staging/iio/adc/ad7280a.c +@@ -250,7 +250,9 @@ static int ad7280_read(struct ad7280_state *st, unsigned devaddr, + if (ret) + return ret; + +- __ad7280_read32(st, &tmp); ++ ret = __ad7280_read32(st, &tmp); ++ if (ret) ++ return ret; + + if (ad7280_check_crc(st, tmp)) + return -EIO; +@@ -288,7 +290,9 @@ static int ad7280_read_channel(struct ad7280_state *st, unsigned devaddr, + + ad7280_delay(st); + +- __ad7280_read32(st, &tmp); ++ ret = __ad7280_read32(st, &tmp); ++ if (ret) ++ return ret; + + if (ad7280_check_crc(st, tmp)) + return -EIO; +@@ -321,7 +325,9 @@ static int ad7280_read_all_channels(struct ad7280_state *st, unsigned cnt, + ad7280_delay(st); + + for (i = 0; i < cnt; i++) { +- __ad7280_read32(st, &tmp); ++ ret = __ad7280_read32(st, &tmp); ++ if (ret) ++ return ret; + + if (ad7280_check_crc(st, tmp)) + return -EIO; +@@ -364,7 +370,10 @@ static int ad7280_chain_setup(struct ad7280_state *st) + return ret; + + for (n = 0; n <= AD7280A_MAX_CHAIN; n++) { +- __ad7280_read32(st, &val); ++ ret = __ad7280_read32(st, &val); ++ if (ret) ++ return ret; ++ + if (val == 0) + return n - 1; + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-003-ASoC-Intel-mrfld-fix-uninitialized-variable-a.patch b/patches.kernel.org/4.4.175-003-ASoC-Intel-mrfld-fix-uninitialized-variable-a.patch new file mode 100644 index 0000000000..e2bc8481e7 --- /dev/null +++ b/patches.kernel.org/4.4.175-003-ASoC-Intel-mrfld-fix-uninitialized-variable-a.patch @@ -0,0 +1,57 @@ +From: Arnd Bergmann <arnd@arndb.de> +Date: Sat, 3 Nov 2018 22:21:22 +0100 +Subject: [PATCH] ASoC: Intel: mrfld: fix uninitialized variable access +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 1539c7f23f256120f89f8b9ec53160790bce9ed2 + +[ Upstream commit 1539c7f23f256120f89f8b9ec53160790bce9ed2 ] + +Randconfig testing revealed a very old bug, with gcc-8: + +sound/soc/intel/atom/sst/sst_loader.c: In function 'sst_load_fw': +sound/soc/intel/atom/sst/sst_loader.c:357:5: error: 'fw' may be used uninitialized in this function [-Werror=maybe-uninitialized] + if (fw == NULL) { + ^ +sound/soc/intel/atom/sst/sst_loader.c:354:25: note: 'fw' was declared here + const struct firmware *fw; + +We must check the return code of request_firmware() before we look at the +pointer result that may be uninitialized when the function fails. + +Fixes: 9012c9544eea ("ASoC: Intel: mrfld - Add DSP load and management") +Signed-off-by: Arnd Bergmann <arnd@arndb.de> +Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com> +Signed-off-by: Mark Brown <broonie@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/soc/intel/atom/sst/sst_loader.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/intel/atom/sst/sst_loader.c b/sound/soc/intel/atom/sst/sst_loader.c +index 33917146d9c4..054b1d514e8a 100644 +--- a/sound/soc/intel/atom/sst/sst_loader.c ++++ b/sound/soc/intel/atom/sst/sst_loader.c +@@ -354,14 +354,14 @@ static int sst_request_fw(struct intel_sst_drv *sst) + const struct firmware *fw; + + retval = request_firmware(&fw, sst->firmware_name, sst->dev); +- if (fw == NULL) { +- dev_err(sst->dev, "fw is returning as null\n"); +- return -EINVAL; +- } + if (retval) { + dev_err(sst->dev, "request fw failed %d\n", retval); + return retval; + } ++ if (fw == NULL) { ++ dev_err(sst->dev, "fw is returning as null\n"); ++ return -EINVAL; ++ } + mutex_lock(&sst->sst_lock); + retval = sst_cache_and_parse_fw(sst, fw); + mutex_unlock(&sst->sst_lock); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-004-scsi-lpfc-Correct-LCB-RJT-handling.patch b/patches.kernel.org/4.4.175-004-scsi-lpfc-Correct-LCB-RJT-handling.patch new file mode 100644 index 0000000000..fdd62310cf --- /dev/null +++ b/patches.kernel.org/4.4.175-004-scsi-lpfc-Correct-LCB-RJT-handling.patch @@ -0,0 +1,40 @@ +From: James Smart <jsmart2021@gmail.com> +Date: Tue, 23 Oct 2018 13:41:07 -0700 +Subject: [PATCH] scsi: lpfc: Correct LCB RJT handling +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: b114d9009d386276bfc3352289fc235781ae3353 + +[ Upstream commit b114d9009d386276bfc3352289fc235781ae3353 ] + +When LCB's are rejected, if beaconing was already in progress, the +Reason Code Explanation was not being set. Should have been set to +command in progress. + +Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com> +Signed-off-by: James Smart <jsmart2021@gmail.com> +Reviewed-by: Hannes Reinecke <hare@suse.com> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/scsi/lpfc/lpfc_els.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index fd8fe1202dbe..398c9a0a5ade 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -5105,6 +5105,9 @@ lpfc_els_lcb_rsp(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb) + stat = (struct ls_rjt *)(pcmd + sizeof(uint32_t)); + stat->un.b.lsRjtRsnCode = LSRJT_UNABLE_TPC; + ++ if (shdr_add_status == ADD_STATUS_OPERATION_ALREADY_ACTIVE) ++ stat->un.b.lsRjtRsnCodeExp = LSEXP_CMD_IN_PROGRESS; ++ + elsiocb->iocb_cmpl = lpfc_cmpl_els_rsp; + phba->fc_stat.elsXmitLSRJT++; + rc = lpfc_sli_issue_iocb(phba, LPFC_ELS_RING, elsiocb, 0); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-005-ARM-8808-1-kexec-offline-panic_smp_self_stop-.patch b/patches.kernel.org/4.4.175-005-ARM-8808-1-kexec-offline-panic_smp_self_stop-.patch new file mode 100644 index 0000000000..9eadf281de --- /dev/null +++ b/patches.kernel.org/4.4.175-005-ARM-8808-1-kexec-offline-panic_smp_self_stop-.patch @@ -0,0 +1,66 @@ +From: Yufen Wang <wangyufen@huawei.com> +Date: Fri, 2 Nov 2018 11:51:31 +0100 +Subject: [PATCH] ARM: 8808/1: kexec:offline panic_smp_self_stop CPU +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 82c08c3e7f171aa7f579b231d0abbc1d62e91974 + +[ Upstream commit 82c08c3e7f171aa7f579b231d0abbc1d62e91974 ] + +In case panic() and panic() called at the same time on different CPUS. +For example: +CPU 0: + panic() + __crash_kexec + machine_crash_shutdown + crash_smp_send_stop + machine_kexec + BUG_ON(num_online_cpus() > 1); + +CPU 1: + panic() + local_irq_disable + panic_smp_self_stop + +If CPU 1 calls panic_smp_self_stop() before crash_smp_send_stop(), kdump +fails. CPU1 can't receive the ipi irq, CPU1 will be always online. +To fix this problem, this patch split out the panic_smp_self_stop() +and add set_cpu_online(smp_processor_id(), false). + +Signed-off-by: Yufen Wang <wangyufen@huawei.com> +Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/arm/kernel/smp.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c +index b26361355dae..e42be5800f37 100644 +--- a/arch/arm/kernel/smp.c ++++ b/arch/arm/kernel/smp.c +@@ -687,6 +687,21 @@ void smp_send_stop(void) + pr_warn("SMP: failed to stop secondary CPUs\n"); + } + ++/* In case panic() and panic() called at the same time on CPU1 and CPU2, ++ * and CPU 1 calls panic_smp_self_stop() before crash_smp_send_stop() ++ * CPU1 can't receive the ipi irqs from CPU2, CPU1 will be always online, ++ * kdump fails. So split out the panic_smp_self_stop() and add ++ * set_cpu_online(smp_processor_id(), false). ++ */ ++void panic_smp_self_stop(void) ++{ ++ pr_debug("CPU %u will stop doing anything useful since another CPU has paniced\n", ++ smp_processor_id()); ++ set_cpu_online(smp_processor_id(), false); ++ while (1) ++ cpu_relax(); ++} ++ + /* + * not supported here + */ +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-006-dlm-Don-t-swamp-the-CPU-with-callbacks-queued.patch b/patches.kernel.org/4.4.175-006-dlm-Don-t-swamp-the-CPU-with-callbacks-queued.patch new file mode 100644 index 0000000000..8bd706eb8c --- /dev/null +++ b/patches.kernel.org/4.4.175-006-dlm-Don-t-swamp-the-CPU-with-callbacks-queued.patch @@ -0,0 +1,64 @@ +From: Bob Peterson <rpeterso@redhat.com> +Date: Thu, 8 Nov 2018 14:04:50 -0500 +Subject: [PATCH] dlm: Don't swamp the CPU with callbacks queued during + recovery +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 216f0efd19b9cc32207934fd1b87a45f2c4c593e + +[ Upstream commit 216f0efd19b9cc32207934fd1b87a45f2c4c593e ] + +Before this patch, recovery would cause all callbacks to be delayed, +put on a queue, and afterward they were all queued to the callback +work queue. This patch does the same thing, but occasionally takes +a break after 25 of them so it won't swamp the CPU at the expense +of other RT processes like corosync. + +Signed-off-by: Bob Peterson <rpeterso@redhat.com> +Signed-off-by: David Teigland <teigland@redhat.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/dlm/ast.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/dlm/ast.c b/fs/dlm/ast.c +index dcea1e37a1b7..f18619bc2e09 100644 +--- a/fs/dlm/ast.c ++++ b/fs/dlm/ast.c +@@ -290,6 +290,8 @@ void dlm_callback_suspend(struct dlm_ls *ls) + flush_workqueue(ls->ls_callback_wq); + } + ++#define MAX_CB_QUEUE 25 ++ + void dlm_callback_resume(struct dlm_ls *ls) + { + struct dlm_lkb *lkb, *safe; +@@ -300,15 +302,23 @@ void dlm_callback_resume(struct dlm_ls *ls) + if (!ls->ls_callback_wq) + return; + ++more: + mutex_lock(&ls->ls_cb_mutex); + list_for_each_entry_safe(lkb, safe, &ls->ls_cb_delay, lkb_cb_list) { + list_del_init(&lkb->lkb_cb_list); + queue_work(ls->ls_callback_wq, &lkb->lkb_cb_work); + count++; ++ if (count == MAX_CB_QUEUE) ++ break; + } + mutex_unlock(&ls->ls_cb_mutex); + + if (count) + log_rinfo(ls, "dlm_callback_resume %d", count); ++ if (count == MAX_CB_QUEUE) { ++ count = 0; ++ cond_resched(); ++ goto more; ++ } + } + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-007-x86-PCI-Fix-Broadcom-CNB20LE-unintended-sign-.patch b/patches.kernel.org/4.4.175-007-x86-PCI-Fix-Broadcom-CNB20LE-unintended-sign-.patch new file mode 100644 index 0000000000..8809dd61da --- /dev/null +++ b/patches.kernel.org/4.4.175-007-x86-PCI-Fix-Broadcom-CNB20LE-unintended-sign-.patch @@ -0,0 +1,46 @@ +From: Colin Ian King <colin.king@canonical.com> +Date: Thu, 25 Oct 2018 14:52:31 +0100 +Subject: [PATCH] x86/PCI: Fix Broadcom CNB20LE unintended sign extension + (redux) +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 53bb565fc5439f2c8c57a786feea5946804aa3e9 + +[ Upstream commit 53bb565fc5439f2c8c57a786feea5946804aa3e9 ] + +In the expression "word1 << 16", word1 starts as u16, but is promoted to a +signed int, then sign-extended to resource_size_t, which is probably not +what was intended. Cast to resource_size_t to avoid the sign extension. + +This fixes an identical issue as fixed by commit 0b2d70764bb3 ("x86/PCI: +Fix Broadcom CNB20LE unintended sign extension") back in 2014. + +Detected by CoverityScan, CID#138749, 138750 ("Unintended sign extension") + +Fixes: 3f6ea84a3035 ("PCI: read memory ranges out of Broadcom CNB20LE host bridge") +Signed-off-by: Colin Ian King <colin.king@canonical.com> +Signed-off-by: Bjorn Helgaas <helgaas@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/x86/pci/broadcom_bus.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/pci/broadcom_bus.c b/arch/x86/pci/broadcom_bus.c +index 526536c81ddc..ca1e8e6dccc8 100644 +--- a/arch/x86/pci/broadcom_bus.c ++++ b/arch/x86/pci/broadcom_bus.c +@@ -50,8 +50,8 @@ static void __init cnb20le_res(u8 bus, u8 slot, u8 func) + word1 = read_pci_config_16(bus, slot, func, 0xc0); + word2 = read_pci_config_16(bus, slot, func, 0xc2); + if (word1 != word2) { +- res.start = (word1 << 16) | 0x0000; +- res.end = (word2 << 16) | 0xffff; ++ res.start = ((resource_size_t) word1 << 16) | 0x0000; ++ res.end = ((resource_size_t) word2 << 16) | 0xffff; + res.flags = IORESOURCE_MEM; + update_res(info, res.start, res.end, res.flags, 0); + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-008-powerpc-pseries-add-of_node_put-in-dlpar_deta.patch b/patches.kernel.org/4.4.175-008-powerpc-pseries-add-of_node_put-in-dlpar_deta.patch new file mode 100644 index 0000000000..0fc79a2aff --- /dev/null +++ b/patches.kernel.org/4.4.175-008-powerpc-pseries-add-of_node_put-in-dlpar_deta.patch @@ -0,0 +1,48 @@ +From: Frank Rowand <frank.rowand@sony.com> +Date: Thu, 4 Oct 2018 20:27:16 -0700 +Subject: [PATCH] powerpc/pseries: add of_node_put() in dlpar_detach_node() +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 5b3f5c408d8cc59b87e47f1ab9803dbd006e4a91 + +[ Upstream commit 5b3f5c408d8cc59b87e47f1ab9803dbd006e4a91 ] + +The previous commit, "of: overlay: add missing of_node_get() in +__of_attach_node_sysfs" added a missing of_node_get() to +__of_attach_node_sysfs(). This results in a refcount imbalance +for nodes attached with dlpar_attach_node(). The calling sequence +from dlpar_attach_node() to __of_attach_node_sysfs() is: + + dlpar_attach_node() + of_attach_node() + __of_attach_node_sysfs() + +For more detailed description of the node refcount, see +commit 68baf692c435 ("powerpc/pseries: Fix of_node_put() underflow +during DLPAR remove"). + +Tested-by: Alan Tull <atull@kernel.org> +Acked-by: Michael Ellerman <mpe@ellerman.id.au> +Signed-off-by: Frank Rowand <frank.rowand@sony.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/powerpc/platforms/pseries/dlpar.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/platforms/pseries/dlpar.c b/arch/powerpc/platforms/pseries/dlpar.c +index 96536c969c9c..a8efed3b4691 100644 +--- a/arch/powerpc/platforms/pseries/dlpar.c ++++ b/arch/powerpc/platforms/pseries/dlpar.c +@@ -280,6 +280,8 @@ int dlpar_detach_node(struct device_node *dn) + if (rc) + return rc; + ++ of_node_put(dn); ++ + return 0; + } + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-009-serial-fsl_lpuart-clear-parity-enable-bit-whe.patch b/patches.kernel.org/4.4.175-009-serial-fsl_lpuart-clear-parity-enable-bit-whe.patch new file mode 100644 index 0000000000..a2da0823f9 --- /dev/null +++ b/patches.kernel.org/4.4.175-009-serial-fsl_lpuart-clear-parity-enable-bit-whe.patch @@ -0,0 +1,53 @@ +From: Andy Duan <fugang.duan@nxp.com> +Date: Tue, 16 Oct 2018 07:32:22 +0000 +Subject: [PATCH] serial: fsl_lpuart: clear parity enable bit when disable + parity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 397bd9211fe014b347ca8f95a8f4e1017bac1aeb + +[ Upstream commit 397bd9211fe014b347ca8f95a8f4e1017bac1aeb ] + +Current driver only enable parity enable bit and never clear it +when user set the termios. The fix clear the parity enable bit when +PARENB flag is not set in termios->c_cflag. + +Cc: Lukas Wunner <lukas@wunner.de> +Signed-off-by: Andy Duan <fugang.duan@nxp.com> +Reviewed-by: Fabio Estevam <festevam@gmail.com> +Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/tty/serial/fsl_lpuart.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c +index 01e2274b23f2..8b5ec9386f0f 100644 +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -1267,6 +1267,8 @@ lpuart_set_termios(struct uart_port *port, struct ktermios *termios, + else + cr1 &= ~UARTCR1_PT; + } ++ } else { ++ cr1 &= ~UARTCR1_PE; + } + + /* ask the core to calculate the divisor */ +@@ -1402,6 +1404,8 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, + else + ctrl &= ~UARTCTRL_PT; + } ++ } else { ++ ctrl &= ~UARTCTRL_PE; + } + + /* ask the core to calculate the divisor */ +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-010-ptp-check-gettime64-return-code-in-PTP_SYS_OF.patch b/patches.kernel.org/4.4.175-010-ptp-check-gettime64-return-code-in-PTP_SYS_OF.patch new file mode 100644 index 0000000000..14a80fe5cc --- /dev/null +++ b/patches.kernel.org/4.4.175-010-ptp-check-gettime64-return-code-in-PTP_SYS_OF.patch @@ -0,0 +1,48 @@ +From: Miroslav Lichvar <mlichvar@redhat.com> +Date: Fri, 9 Nov 2018 11:14:43 +0100 +Subject: [PATCH] ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 83d0bdc7390b890905634186baaa294475cd6a06 + +[ Upstream commit 83d0bdc7390b890905634186baaa294475cd6a06 ] + +If a gettime64 call fails, return the error and avoid copying data back +to user. + +Cc: Richard Cochran <richardcochran@gmail.com> +Cc: Jacob Keller <jacob.e.keller@intel.com> +Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/ptp/ptp_chardev.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c +index 4eb254a273f8..4861cfddcdd3 100644 +--- a/drivers/ptp/ptp_chardev.c ++++ b/drivers/ptp/ptp_chardev.c +@@ -204,7 +204,9 @@ long ptp_ioctl(struct posix_clock *pc, unsigned int cmd, unsigned long arg) + pct->sec = ts.tv_sec; + pct->nsec = ts.tv_nsec; + pct++; +- ptp->info->gettime64(ptp->info, &ts); ++ err = ptp->info->gettime64(ptp->info, &ts); ++ if (err) ++ goto out; + pct->sec = ts.tv_sec; + pct->nsec = ts.tv_nsec; + pct++; +@@ -257,6 +259,7 @@ long ptp_ioctl(struct posix_clock *pc, unsigned int cmd, unsigned long arg) + break; + } + ++out: + kfree(sysoff); + return err; + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-011-staging-iio-ad2s90-Make-probe-handle-spi_setu.patch b/patches.kernel.org/4.4.175-011-staging-iio-ad2s90-Make-probe-handle-spi_setu.patch new file mode 100644 index 0000000000..963db3d59f --- /dev/null +++ b/patches.kernel.org/4.4.175-011-staging-iio-ad2s90-Make-probe-handle-spi_setu.patch @@ -0,0 +1,49 @@ +From: Matheus Tavares <matheus.bernardino@usp.br> +Date: Sat, 3 Nov 2018 19:49:44 -0300 +Subject: [PATCH] staging:iio:ad2s90: Make probe handle spi_setup failure +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: b3a3eafeef769c6982e15f83631dcbf8d1794efb + +[ Upstream commit b3a3eafeef769c6982e15f83631dcbf8d1794efb ] + +Previously, ad2s90_probe ignored the return code from spi_setup, not +handling its possible failure. This patch makes ad2s90_probe check if +the code is an error code and, if so, do the following: + +- Call dev_err with an appropriate error message. +- Return the spi_setup's error code. + +Note: The 'return ret' statement could be out of the 'if' block, but +this whole block will be moved up in the function in the patch: +'staging:iio:ad2s90: Move device registration to the end of probe'. + +Signed-off-by: Matheus Tavares <matheus.bernardino@usp.br> +Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/staging/iio/resolver/ad2s90.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/iio/resolver/ad2s90.c b/drivers/staging/iio/resolver/ad2s90.c +index 5b1c0db33e7f..b44253eb62ec 100644 +--- a/drivers/staging/iio/resolver/ad2s90.c ++++ b/drivers/staging/iio/resolver/ad2s90.c +@@ -86,7 +86,12 @@ static int ad2s90_probe(struct spi_device *spi) + /* need 600ns between CS and the first falling edge of SCLK */ + spi->max_speed_hz = 830000; + spi->mode = SPI_MODE_3; +- spi_setup(spi); ++ ret = spi_setup(spi); ++ ++ if (ret < 0) { ++ dev_err(&spi->dev, "spi_setup failed!\n"); ++ return ret; ++ } + + return 0; + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-012-staging-iio-ad7780-update-voltage-on-read.patch b/patches.kernel.org/4.4.175-012-staging-iio-ad7780-update-voltage-on-read.patch new file mode 100644 index 0000000000..4a03668502 --- /dev/null +++ b/patches.kernel.org/4.4.175-012-staging-iio-ad7780-update-voltage-on-read.patch @@ -0,0 +1,47 @@ +From: Renato Lui Geh <renatogeh@gmail.com> +Date: Mon, 5 Nov 2018 17:14:58 -0200 +Subject: [PATCH] staging: iio: ad7780: update voltage on read +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 336650c785b62c3bea7c8cf6061c933a90241f67 + +[ Upstream commit 336650c785b62c3bea7c8cf6061c933a90241f67 ] + +The ad7780 driver previously did not read the correct device output, as +it read an outdated value set at initialization. It now updates its +voltage on read. + +Signed-off-by: Renato Lui Geh <renatogeh@gmail.com> +Acked-by: Alexandru Ardelean <alexandru.ardelean@analog.com> +Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/staging/iio/adc/ad7780.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/iio/adc/ad7780.c b/drivers/staging/iio/adc/ad7780.c +index 3abc7789237f..531338ea5eb4 100644 +--- a/drivers/staging/iio/adc/ad7780.c ++++ b/drivers/staging/iio/adc/ad7780.c +@@ -90,12 +90,16 @@ static int ad7780_read_raw(struct iio_dev *indio_dev, + long m) + { + struct ad7780_state *st = iio_priv(indio_dev); ++ int voltage_uv; + + switch (m) { + case IIO_CHAN_INFO_RAW: + return ad_sigma_delta_single_conversion(indio_dev, chan, val); + case IIO_CHAN_INFO_SCALE: +- *val = st->int_vref_mv * st->gain; ++ voltage_uv = regulator_get_voltage(st->reg); ++ if (voltage_uv < 0) ++ return voltage_uv; ++ *val = (voltage_uv / 1000) * st->gain; + *val2 = chan->scan_type.realbits - 1; + return IIO_VAL_FRACTIONAL_LOG2; + case IIO_CHAN_INFO_OFFSET: +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-013-ARM-OMAP2-hwmod-Fix-some-section-annotations.patch b/patches.kernel.org/4.4.175-013-ARM-OMAP2-hwmod-Fix-some-section-annotations.patch new file mode 100644 index 0000000000..f03dd0878b --- /dev/null +++ b/patches.kernel.org/4.4.175-013-ARM-OMAP2-hwmod-Fix-some-section-annotations.patch @@ -0,0 +1,79 @@ +From: Nathan Chancellor <natechancellor@gmail.com> +Date: Wed, 17 Oct 2018 17:52:07 -0700 +Subject: [PATCH] ARM: OMAP2+: hwmod: Fix some section annotations +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: c10b26abeb53cabc1e6271a167d3f3d396ce0218 + +[ Upstream commit c10b26abeb53cabc1e6271a167d3f3d396ce0218 ] + +When building the kernel with Clang, the following section mismatch +warnings appears: + +WARNING: vmlinux.o(.text+0x2d398): Section mismatch in reference from +the function _setup() to the function .init.text:_setup_iclk_autoidle() +The function _setup() references +the function __init _setup_iclk_autoidle(). +This is often because _setup lacks a __init +annotation or the annotation of _setup_iclk_autoidle is wrong. + +WARNING: vmlinux.o(.text+0x2d3a0): Section mismatch in reference from +the function _setup() to the function .init.text:_setup_reset() +The function _setup() references +the function __init _setup_reset(). +This is often because _setup lacks a __init +annotation or the annotation of _setup_reset is wrong. + +WARNING: vmlinux.o(.text+0x2d408): Section mismatch in reference from +the function _setup() to the function .init.text:_setup_postsetup() +The function _setup() references +the function __init _setup_postsetup(). +This is often because _setup lacks a __init +annotation or the annotation of _setup_postsetup is wrong. + +_setup is used in omap_hwmod_allocate_module, which isn't marked __init +and looks like it shouldn't be, meaning to fix these warnings, those +functions must be moved out of the init section, which this patch does. + +Signed-off-by: Nathan Chancellor <natechancellor@gmail.com> +Signed-off-by: Tony Lindgren <tony@atomide.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/arm/mach-omap2/omap_hwmod.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c +index 147c90e70b2e..36706d32d656 100644 +--- a/arch/arm/mach-omap2/omap_hwmod.c ++++ b/arch/arm/mach-omap2/omap_hwmod.c +@@ -2526,7 +2526,7 @@ static int __init _init(struct omap_hwmod *oh, void *data) + * a stub; implementing this properly requires iclk autoidle usecounting in + * the clock code. No return value. + */ +-static void __init _setup_iclk_autoidle(struct omap_hwmod *oh) ++static void _setup_iclk_autoidle(struct omap_hwmod *oh) + { + struct omap_hwmod_ocp_if *os; + struct list_head *p; +@@ -2561,7 +2561,7 @@ static void __init _setup_iclk_autoidle(struct omap_hwmod *oh) + * reset. Returns 0 upon success or a negative error code upon + * failure. + */ +-static int __init _setup_reset(struct omap_hwmod *oh) ++static int _setup_reset(struct omap_hwmod *oh) + { + int r; + +@@ -2622,7 +2622,7 @@ static int __init _setup_reset(struct omap_hwmod *oh) + * + * No return value. + */ +-static void __init _setup_postsetup(struct omap_hwmod *oh) ++static void _setup_postsetup(struct omap_hwmod *oh) + { + u8 postsetup_state; + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-014-modpost-validate-symbol-names-also-in-find_el.patch b/patches.kernel.org/4.4.175-014-modpost-validate-symbol-names-also-in-find_el.patch new file mode 100644 index 0000000000..963deb77fd --- /dev/null +++ b/patches.kernel.org/4.4.175-014-modpost-validate-symbol-names-also-in-find_el.patch @@ -0,0 +1,105 @@ +From: Sami Tolvanen <samitolvanen@google.com> +Date: Tue, 23 Oct 2018 15:15:35 -0700 +Subject: [PATCH] modpost: validate symbol names also in find_elf_symbol +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 5818c683a619c534c113e1f66d24f636defc29bc + +[ Upstream commit 5818c683a619c534c113e1f66d24f636defc29bc ] + +If an ARM mapping symbol shares an address with a valid symbol, +find_elf_symbol can currently return the mapping symbol instead, as the +symbol is not validated. This can result in confusing warnings: + + WARNING: vmlinux.o(.text+0x18f4028): Section mismatch in reference + from the function set_reset_devices() to the variable .init.text:$x.0 + +This change adds a call to is_valid_name to find_elf_symbol, similarly +to how it's already used in find_elf_symbol2. + +Signed-off-by: Sami Tolvanen <samitolvanen@google.com> +Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + scripts/mod/modpost.c | 50 ++++++++++++++++++++++--------------------- + 1 file changed, 26 insertions(+), 24 deletions(-) + +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index 064fbfbbb22c..81b1c02a76fa 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -1197,6 +1197,30 @@ static int secref_whitelist(const struct sectioncheck *mismatch, + return 1; + } + ++static inline int is_arm_mapping_symbol(const char *str) ++{ ++ return str[0] == '$' && strchr("axtd", str[1]) ++ && (str[2] == '\0' || str[2] == '.'); ++} ++ ++/* ++ * If there's no name there, ignore it; likewise, ignore it if it's ++ * one of the magic symbols emitted used by current ARM tools. ++ * ++ * Otherwise if find_symbols_between() returns those symbols, they'll ++ * fail the whitelist tests and cause lots of false alarms ... fixable ++ * only by merging __exit and __init sections into __text, bloating ++ * the kernel (which is especially evil on embedded platforms). ++ */ ++static inline int is_valid_name(struct elf_info *elf, Elf_Sym *sym) ++{ ++ const char *name = elf->strtab + sym->st_name; ++ ++ if (!name || !strlen(name)) ++ return 0; ++ return !is_arm_mapping_symbol(name); ++} ++ + /** + * Find symbol based on relocation record info. + * In some cases the symbol supplied is a valid symbol so +@@ -1222,6 +1246,8 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr, + continue; + if (ELF_ST_TYPE(sym->st_info) == STT_SECTION) + continue; ++ if (!is_valid_name(elf, sym)) ++ continue; + if (sym->st_value == addr) + return sym; + /* Find a symbol nearby - addr are maybe negative */ +@@ -1240,30 +1266,6 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr, + return NULL; + } + +-static inline int is_arm_mapping_symbol(const char *str) +-{ +- return str[0] == '$' && strchr("axtd", str[1]) +- && (str[2] == '\0' || str[2] == '.'); +-} +- +-/* +- * If there's no name there, ignore it; likewise, ignore it if it's +- * one of the magic symbols emitted used by current ARM tools. +- * +- * Otherwise if find_symbols_between() returns those symbols, they'll +- * fail the whitelist tests and cause lots of false alarms ... fixable +- * only by merging __exit and __init sections into __text, bloating +- * the kernel (which is especially evil on embedded platforms). +- */ +-static inline int is_valid_name(struct elf_info *elf, Elf_Sym *sym) +-{ +- const char *name = elf->strtab + sym->st_name; +- +- if (!name || !strlen(name)) +- return 0; +- return !is_arm_mapping_symbol(name); +-} +- + /* + * Find symbols before or equal addr and after addr - in the section sec. + * If we find two symbols with equal offset prefer one with a valid name. +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-015-perf-tools-Add-Hygon-Dhyana-support.patch b/patches.kernel.org/4.4.175-015-perf-tools-Add-Hygon-Dhyana-support.patch new file mode 100644 index 0000000000..cf7feed785 --- /dev/null +++ b/patches.kernel.org/4.4.175-015-perf-tools-Add-Hygon-Dhyana-support.patch @@ -0,0 +1,45 @@ +From: Pu Wen <puwen@hygon.cn> +Date: Mon, 12 Nov 2018 15:40:51 +0800 +Subject: [PATCH] perf tools: Add Hygon Dhyana support +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 4787eff3fa88f62fede6ed7afa06477ae6bf984d + +[ Upstream commit 4787eff3fa88f62fede6ed7afa06477ae6bf984d ] + +The tool perf is useful for the performance analysis on the Hygon Dhyana +platform. But right now there is no Hygon support for it to analyze the +KVM guest os data. So add Hygon Dhyana support to it by checking vendor +string to share the code path of AMD. + +Signed-off-by: Pu Wen <puwen@hygon.cn> +Acked-by: Borislav Petkov <bp@suse.de> +Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> +Cc: Jiri Olsa <jolsa@kernel.org> +Cc: Namhyung Kim <namhyung@kernel.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Link: http://lkml.kernel.org/r/1542008451-31735-1-git-send-email-puwen@hygon.cn +Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + tools/perf/arch/x86/util/kvm-stat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/arch/x86/util/kvm-stat.c b/tools/perf/arch/x86/util/kvm-stat.c +index 14e4e668fad7..f97696a418cc 100644 +--- a/tools/perf/arch/x86/util/kvm-stat.c ++++ b/tools/perf/arch/x86/util/kvm-stat.c +@@ -146,7 +146,7 @@ int cpu_isa_init(struct perf_kvm_stat *kvm, const char *cpuid) + if (strstr(cpuid, "Intel")) { + kvm->exit_reasons = vmx_exit_reasons; + kvm->exit_reasons_isa = "VMX"; +- } else if (strstr(cpuid, "AMD")) { ++ } else if (strstr(cpuid, "AMD") || strstr(cpuid, "Hygon")) { + kvm->exit_reasons = svm_exit_reasons; + kvm->exit_reasons_isa = "SVM"; + } else +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-016-soc-tegra-Don-t-leak-device-tree-node-referen.patch b/patches.kernel.org/4.4.175-016-soc-tegra-Don-t-leak-device-tree-node-referen.patch new file mode 100644 index 0000000000..ee07df7115 --- /dev/null +++ b/patches.kernel.org/4.4.175-016-soc-tegra-Don-t-leak-device-tree-node-referen.patch @@ -0,0 +1,47 @@ +From: Yangtao Li <tiny.windzz@gmail.com> +Date: Wed, 21 Nov 2018 07:49:12 -0500 +Subject: [PATCH] soc/tegra: Don't leak device tree node reference +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 9eb40fa2cd2d1f6829e7b49bb22692f754b9cfe0 + +[ Upstream commit 9eb40fa2cd2d1f6829e7b49bb22692f754b9cfe0 ] + +of_find_node_by_path() acquires a reference to the node returned by it +and that reference needs to be dropped by its caller. soc_is_tegra() +doesn't do that, so fix it. + +Signed-off-by: Yangtao Li <tiny.windzz@gmail.com> +Acked-by: Jon Hunter <jonathanh@nvidia.com> +[treding: slightly rewrite to avoid inline comparison] +Signed-off-by: Thierry Reding <treding@nvidia.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/soc/tegra/common.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/soc/tegra/common.c b/drivers/soc/tegra/common.c +index cd8f41351add..7bfb154d6fa5 100644 +--- a/drivers/soc/tegra/common.c ++++ b/drivers/soc/tegra/common.c +@@ -22,11 +22,15 @@ static const struct of_device_id tegra_machine_match[] = { + + bool soc_is_tegra(void) + { ++ const struct of_device_id *match; + struct device_node *root; + + root = of_find_node_by_path("/"); + if (!root) + return false; + +- return of_match_node(tegra_machine_match, root) != NULL; ++ match = of_match_node(tegra_machine_match, root); ++ of_node_put(root); ++ ++ return match != NULL; + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-017-f2fs-move-dir-data-flush-to-write-checkpoint-.patch b/patches.kernel.org/4.4.175-017-f2fs-move-dir-data-flush-to-write-checkpoint-.patch new file mode 100644 index 0000000000..87d1bb67de --- /dev/null +++ b/patches.kernel.org/4.4.175-017-f2fs-move-dir-data-flush-to-write-checkpoint-.patch @@ -0,0 +1,51 @@ +From: Yunlei He <heyunlei@huawei.com> +Date: Tue, 6 Nov 2018 10:25:29 +0800 +Subject: [PATCH] f2fs: move dir data flush to write checkpoint process +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: b61ac5b720146c619c7cdf17eff2551b934399e5 + +[ Upstream commit b61ac5b720146c619c7cdf17eff2551b934399e5 ] + +This patch move dir data flush to write checkpoint process, by +doing this, it may reduce some time for dir fsync. + +pre: + -f2fs_do_sync_file enter + -file_write_and_wait_range <- flush & wait + -write_checkpoint + -do_checkpoint <- wait all + -f2fs_do_sync_file exit + +now: + -f2fs_do_sync_file enter + -write_checkpoint + -block_operations <- flush dir & no wait + -do_checkpoint <- wait all + -f2fs_do_sync_file exit + +Signed-off-by: Yunlei He <heyunlei@huawei.com> +Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/f2fs/file.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index 96bfd9f0ea02..bee3bc7a16ac 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -200,6 +200,9 @@ int f2fs_sync_file(struct file *file, loff_t start, loff_t end, int datasync) + + trace_f2fs_sync_file_enter(inode); + ++ if (S_ISDIR(inode->i_mode)) ++ goto go_write; ++ + /* if fdatasync is triggered, let's do in-place-update */ + if (get_dirty_pages(inode) <= SM_I(sbi)->min_fsync_blocks) + set_inode_flag(fi, FI_NEED_IPU); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-018-f2fs-fix-wrong-return-value-of-f2fs_acl_creat.patch b/patches.kernel.org/4.4.175-018-f2fs-fix-wrong-return-value-of-f2fs_acl_creat.patch new file mode 100644 index 0000000000..3d0b1fe1c5 --- /dev/null +++ b/patches.kernel.org/4.4.175-018-f2fs-fix-wrong-return-value-of-f2fs_acl_creat.patch @@ -0,0 +1,64 @@ +From: Tiezhu Yang <kernelpatch@126.com> +Date: Wed, 21 Nov 2018 07:21:38 +0800 +Subject: [PATCH] f2fs: fix wrong return value of f2fs_acl_create +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: f6176473a0c7472380eef72ebeb330cf9485bf0a + +[ Upstream commit f6176473a0c7472380eef72ebeb330cf9485bf0a ] + +When call f2fs_acl_create_masq() failed, the caller f2fs_acl_create() +should return -EIO instead of -ENOMEM, this patch makes it consistent +with posix_acl_create() which has been fixed in commit beaf226b863a +("posix_acl: don't ignore return value of posix_acl_create_masq()"). + +Fixes: 83dfe53c185e ("f2fs: fix reference leaks in f2fs_acl_create") +Signed-off-by: Tiezhu Yang <kernelpatch@126.com> +Reviewed-by: Chao Yu <yuchao0@huawei.com> +Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/f2fs/acl.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c +index 83dcf7bfd7b8..f0ea91925343 100644 +--- a/fs/f2fs/acl.c ++++ b/fs/f2fs/acl.c +@@ -350,12 +350,14 @@ static int f2fs_acl_create(struct inode *dir, umode_t *mode, + return PTR_ERR(p); + + clone = f2fs_acl_clone(p, GFP_NOFS); +- if (!clone) +- goto no_mem; ++ if (!clone) { ++ ret = -ENOMEM; ++ goto release_acl; ++ } + + ret = f2fs_acl_create_masq(clone, mode); + if (ret < 0) +- goto no_mem_clone; ++ goto release_clone; + + if (ret == 0) + posix_acl_release(clone); +@@ -369,11 +371,11 @@ static int f2fs_acl_create(struct inode *dir, umode_t *mode, + + return 0; + +-no_mem_clone: ++release_clone: + posix_acl_release(clone); +-no_mem: ++release_acl: + posix_acl_release(p); +- return -ENOMEM; ++ return ret; + } + + int f2fs_init_acl(struct inode *inode, struct inode *dir, struct page *ipage, +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-019-sunvdc-Do-not-spin-in-an-infinite-loop-when-v.patch b/patches.kernel.org/4.4.175-019-sunvdc-Do-not-spin-in-an-infinite-loop-when-v.patch new file mode 100644 index 0000000000..1f043b1165 --- /dev/null +++ b/patches.kernel.org/4.4.175-019-sunvdc-Do-not-spin-in-an-infinite-loop-when-v.patch @@ -0,0 +1,57 @@ +From: Young Xiao <YangX92@hotmail.com> +Date: Wed, 28 Nov 2018 12:36:39 +0000 +Subject: [PATCH] sunvdc: Do not spin in an infinite loop when vio_ldc_send() + returns EAGAIN +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: a11f6ca9aef989b56cd31ff4ee2af4fb31a172ec + +[ Upstream commit a11f6ca9aef989b56cd31ff4ee2af4fb31a172ec ] + +__vdc_tx_trigger should only loop on EAGAIN a finite +number of times. + +See commit adddc32d6fde ("sunvnet: Do not spin in an +infinite loop when vio_ldc_send() returns EAGAIN") for detail. + +Signed-off-by: Young Xiao <YangX92@hotmail.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/block/sunvdc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/block/sunvdc.c b/drivers/block/sunvdc.c +index 4b911ed96ea3..31219fb9e7f4 100644 +--- a/drivers/block/sunvdc.c ++++ b/drivers/block/sunvdc.c +@@ -40,6 +40,8 @@ MODULE_VERSION(DRV_MODULE_VERSION); + #define WAITING_FOR_GEN_CMD 0x04 + #define WAITING_FOR_ANY -1 + ++#define VDC_MAX_RETRIES 10 ++ + static struct workqueue_struct *sunvdc_wq; + + struct vdc_req_entry { +@@ -419,6 +421,7 @@ static int __vdc_tx_trigger(struct vdc_port *port) + .end_idx = dr->prod, + }; + int err, delay; ++ int retries = 0; + + hdr.seq = dr->snd_nxt; + delay = 1; +@@ -431,6 +434,8 @@ static int __vdc_tx_trigger(struct vdc_port *port) + udelay(delay); + if ((delay <<= 1) > 128) + delay = 128; ++ if (retries++ > VDC_MAX_RETRIES) ++ break; + } while (err == -EAGAIN); + + if (err == -ENOTCONN) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-020-nfsd4-fix-crash-on-writing-v4_end_grace-befor.patch b/patches.kernel.org/4.4.175-020-nfsd4-fix-crash-on-writing-v4_end_grace-befor.patch new file mode 100644 index 0000000000..25e39ee28c --- /dev/null +++ b/patches.kernel.org/4.4.175-020-nfsd4-fix-crash-on-writing-v4_end_grace-befor.patch @@ -0,0 +1,43 @@ +From: "J. Bruce Fields" <bfields@redhat.com> +Date: Tue, 27 Nov 2018 15:54:17 -0500 +Subject: [PATCH] nfsd4: fix crash on writing v4_end_grace before nfsd startup +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 62a063b8e7d1db684db3f207261a466fa3194e72 + +[ Upstream commit 62a063b8e7d1db684db3f207261a466fa3194e72 ] + +Anatoly Trosinenko reports that this: + +1) Checkout fresh master Linux branch (tested with commit e195ca6cb) +2) Copy x84_64-config-4.14 to .config, then enable NFS server v4 and build +3) From `kvm-xfstests shell`: + +results in NULL dereference in locks_end_grace. + +Check that nfsd has been started before trying to end the grace period. + +Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com> +Signed-off-by: J. Bruce Fields <bfields@redhat.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/nfsd/nfsctl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c +index 9690cb4dd588..03c7a4e7b6ba 100644 +--- a/fs/nfsd/nfsctl.c ++++ b/fs/nfsd/nfsctl.c +@@ -1106,6 +1106,8 @@ static ssize_t write_v4_end_grace(struct file *file, char *buf, size_t size) + case 'Y': + case 'y': + case '1': ++ if (nn->nfsd_serv) ++ return -EBUSY; + nfsd4_end_grace(nn); + break; + default: +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-021-arm64-ftrace-don-t-adjust-the-LR-value.patch b/patches.kernel.org/4.4.175-021-arm64-ftrace-don-t-adjust-the-LR-value.patch new file mode 100644 index 0000000000..26fdc5797c --- /dev/null +++ b/patches.kernel.org/4.4.175-021-arm64-ftrace-don-t-adjust-the-LR-value.patch @@ -0,0 +1,56 @@ +From: Mark Rutland <mark.rutland@arm.com> +Date: Thu, 15 Nov 2018 22:42:01 +0000 +Subject: [PATCH] arm64: ftrace: don't adjust the LR value +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 6e803e2e6e367db9a0d6ecae1bd24bb5752011bd + +[ Upstream commit 6e803e2e6e367db9a0d6ecae1bd24bb5752011bd ] + +The core ftrace code requires that when it is handed the PC of an +instrumented function, this PC is the address of the instrumented +instruction. This is necessary so that the core ftrace code can identify +the specific instrumentation site. Since the instrumented function will +be a BL, the address of the instrumented function is LR - 4 at entry to +the ftrace code. + +This fixup is applied in the mcount_get_pc and mcount_get_pc0 helpers, +which acquire the PC of the instrumented function. + +The mcount_get_lr helper is used to acquire the LR of the instrumented +function, whose value does not require this adjustment, and cannot be +adjusted to anything meaningful. No adjustment of this value is made on +other architectures, including arm. However, arm64 adjusts this value by +4. + +This patch brings arm64 in line with other architectures and removes the +adjustment of the LR value. + +Signed-off-by: Mark Rutland <mark.rutland@arm.com> +Cc: AKASHI Takahiro <takahiro.akashi@linaro.org> +Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> +Cc: Catalin Marinas <catalin.marinas@arm.com> +Cc: Torsten Duwe <duwe@suse.de> +Cc: Will Deacon <will.deacon@arm.com> +Signed-off-by: Will Deacon <will.deacon@arm.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/arm64/kernel/entry-ftrace.S | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm64/kernel/entry-ftrace.S b/arch/arm64/kernel/entry-ftrace.S +index 0f03a8fe2314..d18d15810d19 100644 +--- a/arch/arm64/kernel/entry-ftrace.S ++++ b/arch/arm64/kernel/entry-ftrace.S +@@ -78,7 +78,6 @@ + .macro mcount_get_lr reg + ldr \reg, [x29] + ldr \reg, [\reg, #8] +- mcount_adjust_addr \reg, \reg + .endm + + .macro mcount_get_lr_addr reg +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-022-ARM-dts-mmp2-fix-TWSI2.patch b/patches.kernel.org/4.4.175-022-ARM-dts-mmp2-fix-TWSI2.patch new file mode 100644 index 0000000000..742c2bc0b8 --- /dev/null +++ b/patches.kernel.org/4.4.175-022-ARM-dts-mmp2-fix-TWSI2.patch @@ -0,0 +1,59 @@ +From: Lubomir Rintel <lkundrak@v3.sk> +Date: Wed, 28 Nov 2018 18:53:10 +0100 +Subject: [PATCH] ARM: dts: mmp2: fix TWSI2 +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 1147e05ac9fc2ef86a3691e7ca5c2db7602d81dd + +[ Upstream commit 1147e05ac9fc2ef86a3691e7ca5c2db7602d81dd ] + +Marvell keeps their MMP2 datasheet secret, but there are good clues +that TWSI2 is not on 0xd4025000 on that platform, not does it use +IRQ 58. In fact, the IRQ 58 on MMP2 seems to be a signal processor: + + arch/arm/mach-mmp/irqs.h:#define IRQ_MMP2_MSP 58 + +I'm taking a somewhat educated guess that is probably a copy & paste +error from PXA168 or PXA910 and that the real controller in fact hides +at address 0xd4031000 and uses an interrupt line multiplexed via IRQ 17. + +I'm also copying some properties from TWSI1 that were missing or +incorrect. + +Tested on a OLPC XO 1.75 machine, where the RTC is on TWSI2. + +Signed-off-by: Lubomir Rintel <lkundrak@v3.sk> +Tested-by: Pavel Machek <pavel@ucw.cz> +Signed-off-by: Olof Johansson <olof@lixom.net> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/arm/boot/dts/mmp2.dtsi | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/mmp2.dtsi b/arch/arm/boot/dts/mmp2.dtsi +index 766bbb8495b6..47e5b63339d1 100644 +--- a/arch/arm/boot/dts/mmp2.dtsi ++++ b/arch/arm/boot/dts/mmp2.dtsi +@@ -220,12 +220,15 @@ + status = "disabled"; + }; + +- twsi2: i2c@d4025000 { ++ twsi2: i2c@d4031000 { + compatible = "mrvl,mmp-twsi"; +- reg = <0xd4025000 0x1000>; +- interrupts = <58>; ++ reg = <0xd4031000 0x1000>; ++ interrupt-parent = <&intcmux17>; ++ interrupts = <0>; + clocks = <&soc_clocks MMP2_CLK_TWSI1>; + resets = <&soc_clocks MMP2_CLK_TWSI1>; ++ #address-cells = <1>; ++ #size-cells = <0>; + status = "disabled"; + }; + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-023-x86-fpu-Add-might_fault-to-user_insn.patch b/patches.kernel.org/4.4.175-023-x86-fpu-Add-might_fault-to-user_insn.patch new file mode 100644 index 0000000000..4be371ea6f --- /dev/null +++ b/patches.kernel.org/4.4.175-023-x86-fpu-Add-might_fault-to-user_insn.patch @@ -0,0 +1,57 @@ +From: Sebastian Andrzej Siewior <bigeasy@linutronix.de> +Date: Wed, 28 Nov 2018 23:20:11 +0100 +Subject: [PATCH] x86/fpu: Add might_fault() to user_insn() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 6637401c35b2f327a35d27f44bda05e327f2f017 + +[ Upstream commit 6637401c35b2f327a35d27f44bda05e327f2f017 ] + +Every user of user_insn() passes an user memory pointer to this macro. + +Add might_fault() to user_insn() so we can spot users which are using +this macro in sections where page faulting is not allowed. + + [ bp: Space it out to make it more visible. ] + +Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> +Signed-off-by: Borislav Petkov <bp@suse.de> +Reviewed-by: Rik van Riel <riel@surriel.com> +Cc: "H. Peter Anvin" <hpa@zytor.com> +Cc: "Jason A. Donenfeld" <Jason@zx2c4.com> +Cc: Andy Lutomirski <luto@kernel.org> +Cc: Dave Hansen <dave.hansen@linux.intel.com> +Cc: Ingo Molnar <mingo@redhat.com> +Cc: Jann Horn <jannh@google.com> +Cc: Paolo Bonzini <pbonzini@redhat.com> +Cc: Radim Krčmář <rkrcmar@redhat.com> +Cc: Thomas Gleixner <tglx@linutronix.de> +Cc: kvm ML <kvm@vger.kernel.org> +Cc: x86-ml <x86@kernel.org> +Link: https://lkml.kernel.org/r/20181128222035.2996-6-bigeasy@linutronix.de +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/x86/include/asm/fpu/internal.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/x86/include/asm/fpu/internal.h b/arch/x86/include/asm/fpu/internal.h +index 16825dda18dc..66a5e60f60c4 100644 +--- a/arch/x86/include/asm/fpu/internal.h ++++ b/arch/x86/include/asm/fpu/internal.h +@@ -94,6 +94,9 @@ extern void fpstate_sanitize_xstate(struct fpu *fpu); + #define user_insn(insn, output, input...) \ + ({ \ + int err; \ ++ \ ++ might_fault(); \ ++ \ + asm volatile(ASM_STAC "\n" \ + "1:" #insn "\n\t" \ + "2: " ASM_CLAC "\n" \ +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-024-media-DaVinci-VPBE-fix-error-handling-in-vpbe.patch b/patches.kernel.org/4.4.175-024-media-DaVinci-VPBE-fix-error-handling-in-vpbe.patch new file mode 100644 index 0000000000..c1b5cca8a7 --- /dev/null +++ b/patches.kernel.org/4.4.175-024-media-DaVinci-VPBE-fix-error-handling-in-vpbe.patch @@ -0,0 +1,58 @@ +From: Alexey Khoroshilov <khoroshilov@ispras.ru> +Date: Fri, 23 Nov 2018 16:56:26 -0500 +Subject: [PATCH] media: DaVinci-VPBE: fix error handling in vpbe_initialize() +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: aa35dc3c71950e3fec3e230c06c27c0fbd0067f8 + +[ Upstream commit aa35dc3c71950e3fec3e230c06c27c0fbd0067f8 ] + +If vpbe_set_default_output() or vpbe_set_default_mode() fails, +vpbe_initialize() returns error code without releasing resources. + +The patch adds error handling for that case. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> +Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> +Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/media/platform/davinci/vpbe.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/davinci/vpbe.c b/drivers/media/platform/davinci/vpbe.c +index 9a6c2cc38acb..abce9c4a1a8e 100644 +--- a/drivers/media/platform/davinci/vpbe.c ++++ b/drivers/media/platform/davinci/vpbe.c +@@ -753,7 +753,7 @@ static int vpbe_initialize(struct device *dev, struct vpbe_device *vpbe_dev) + if (ret) { + v4l2_err(&vpbe_dev->v4l2_dev, "Failed to set default output %s", + def_output); +- return ret; ++ goto fail_kfree_amp; + } + + printk(KERN_NOTICE "Setting default mode to %s\n", def_mode); +@@ -761,12 +761,15 @@ static int vpbe_initialize(struct device *dev, struct vpbe_device *vpbe_dev) + if (ret) { + v4l2_err(&vpbe_dev->v4l2_dev, "Failed to set default mode %s", + def_mode); +- return ret; ++ goto fail_kfree_amp; + } + vpbe_dev->initialized = 1; + /* TBD handling of bootargs for default output and mode */ + return 0; + ++fail_kfree_amp: ++ mutex_lock(&vpbe_dev->lock); ++ kfree(vpbe_dev->amp); + fail_kfree_encoders: + kfree(vpbe_dev->encoders); + fail_dev_unregister: +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-025-smack-fix-access-permissions-for-keyring.patch b/patches.kernel.org/4.4.175-025-smack-fix-access-permissions-for-keyring.patch new file mode 100644 index 0000000000..924fd9d4c3 --- /dev/null +++ b/patches.kernel.org/4.4.175-025-smack-fix-access-permissions-for-keyring.patch @@ -0,0 +1,69 @@ +From: Zoran Markovic <zmarkovic@sierrawireless.com> +Date: Wed, 17 Oct 2018 16:25:44 -0700 +Subject: [PATCH] smack: fix access permissions for keyring +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 5b841bfab695e3b8ae793172a9ff7990f99cc3e2 + +[ Upstream commit 5b841bfab695e3b8ae793172a9ff7990f99cc3e2 ] + +Function smack_key_permission() only issues smack requests for the +following operations: + - KEY_NEED_READ (issues MAY_READ) + - KEY_NEED_WRITE (issues MAY_WRITE) + - KEY_NEED_LINK (issues MAY_WRITE) + - KEY_NEED_SETATTR (issues MAY_WRITE) +A blank smack request is issued in all other cases, resulting in +smack access being granted if there is any rule defined between +subject and object, or denied with -EACCES otherwise. + +Request MAY_READ access for KEY_NEED_SEARCH and KEY_NEED_VIEW. +Fix the logic in the unlikely case when both MAY_READ and +MAY_WRITE are needed. Validate access permission field for valid +contents. + +Signed-off-by: Zoran Markovic <zmarkovic@sierrawireless.com> +Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> +Cc: Casey Schaufler <casey@schaufler-ca.com> +Cc: James Morris <jmorris@namei.org> +Cc: "Serge E. Hallyn" <serge@hallyn.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + security/smack/smack_lsm.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c +index c73361859d11..9db7c80a74aa 100644 +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -4311,6 +4311,12 @@ static int smack_key_permission(key_ref_t key_ref, + int request = 0; + int rc; + ++ /* ++ * Validate requested permissions ++ */ ++ if (perm & ~KEY_NEED_ALL) ++ return -EINVAL; ++ + keyp = key_ref_to_ptr(key_ref); + if (keyp == NULL) + return -EINVAL; +@@ -4330,10 +4336,10 @@ static int smack_key_permission(key_ref_t key_ref, + ad.a.u.key_struct.key = keyp->serial; + ad.a.u.key_struct.key_desc = keyp->description; + #endif +- if (perm & KEY_NEED_READ) +- request = MAY_READ; ++ if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW)) ++ request |= MAY_READ; + if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) +- request = MAY_WRITE; ++ request |= MAY_WRITE; + rc = smk_access(tkp, keyp->security, request, &ad); + rc = smk_bu_note("key access", tkp, keyp->security, request, rc); + return rc; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-026-usb-hub-delay-hub-autosuspend-if-USB3-port-is.patch b/patches.kernel.org/4.4.175-026-usb-hub-delay-hub-autosuspend-if-USB3-port-is.patch new file mode 100644 index 0000000000..2ea9da481e --- /dev/null +++ b/patches.kernel.org/4.4.175-026-usb-hub-delay-hub-autosuspend-if-USB3-port-is.patch @@ -0,0 +1,53 @@ +From: Mathias Nyman <mathias.nyman@linux.intel.com> +Date: Wed, 28 Nov 2018 15:55:21 +0200 +Subject: [PATCH] usb: hub: delay hub autosuspend if USB3 port is still link + training +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: e86108940e541febf35813402ff29fa6f4a9ac0b + +[ Upstream commit e86108940e541febf35813402ff29fa6f4a9ac0b ] + +When initializing a hub we want to give a USB3 port in link training +the same debounce delay time before autosuspening the hub as already +trained, connected enabled ports. + +USB3 ports won't reach the enabled state with "current connect status" and +"connect status change" bits set until the USB3 link training finishes. + +Catching the port in link training (polling) and adding the debounce delay +prevents unnecessary failed attempts to autosuspend the hub. + +Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> +Acked-by: Alan Stern <stern@rowland.harvard.edu> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/core/hub.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index be63db142d3f..3a6978458d95 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -1092,6 +1092,16 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) + USB_PORT_FEAT_ENABLE); + } + ++ /* ++ * Add debounce if USB3 link is in polling/link training state. ++ * Link will automatically transition to Enabled state after ++ * link training completes. ++ */ ++ if (hub_is_superspeed(hdev) && ++ ((portstatus & USB_PORT_STAT_LINK_STATE) == ++ USB_SS_PORT_LS_POLLING)) ++ need_debounce_delay = true; ++ + /* Clear status-change flags; we'll debounce later */ + if (portchange & USB_PORT_STAT_C_CONNECTION) { + need_debounce_delay = true; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-027-timekeeping-Use-proper-seqcount-initializer.patch b/patches.kernel.org/4.4.175-027-timekeeping-Use-proper-seqcount-initializer.patch new file mode 100644 index 0000000000..cb1b866028 --- /dev/null +++ b/patches.kernel.org/4.4.175-027-timekeeping-Use-proper-seqcount-initializer.patch @@ -0,0 +1,48 @@ +From: Bart Van Assche <bvanassche@acm.org> +Date: Wed, 28 Nov 2018 15:43:09 -0800 +Subject: [PATCH] timekeeping: Use proper seqcount initializer +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: ce10a5b3954f2514af726beb78ed8d7350c5e41c + +[ Upstream commit ce10a5b3954f2514af726beb78ed8d7350c5e41c ] + +tk_core.seq is initialized open coded, but that misses to initialize the +lockdep map when lockdep is enabled. Lockdep splats involving tk_core seq +consequently lack a name and are hard to read. + +Use the proper initializer which takes care of the lockdep map +initialization. + +[ tglx: Massaged changelog ] + +Signed-off-by: Bart Van Assche <bvanassche@acm.org> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Cc: peterz@infradead.org +Cc: tj@kernel.org +Cc: johannes.berg@intel.com +Link: https://lkml.kernel.org/r/20181128234325.110011-12-bvanassche@acm.org +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + kernel/time/timekeeping.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c +index fed86b2dfc89..d9837d25dfe0 100644 +--- a/kernel/time/timekeeping.c ++++ b/kernel/time/timekeeping.c +@@ -39,7 +39,9 @@ + static struct { + seqcount_t seq; + struct timekeeper timekeeper; +-} tk_core ____cacheline_aligned; ++} tk_core ____cacheline_aligned = { ++ .seq = SEQCNT_ZERO(tk_core.seq), ++}; + + static DEFINE_RAW_SPINLOCK(timekeeper_lock); + static struct timekeeper shadow_timekeeper; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-028-ARM-dts-Fix-OMAP4430-SDP-Ethernet-startup.patch b/patches.kernel.org/4.4.175-028-ARM-dts-Fix-OMAP4430-SDP-Ethernet-startup.patch new file mode 100644 index 0000000000..f62f9742a3 --- /dev/null +++ b/patches.kernel.org/4.4.175-028-ARM-dts-Fix-OMAP4430-SDP-Ethernet-startup.patch @@ -0,0 +1,68 @@ +From: Russell King - ARM Linux <linux@armlinux.org.uk> +Date: Fri, 7 Dec 2018 09:17:07 -0800 +Subject: [PATCH] ARM: dts: Fix OMAP4430 SDP Ethernet startup +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 84fb6c7feb1494ebb7d1ec8b95cfb7ada0264465 + +[ Upstream commit 84fb6c7feb1494ebb7d1ec8b95cfb7ada0264465 ] + +It was noticed that unbinding and rebinding the KSZ8851 ethernet +resulted in the driver reporting "failed to read device ID" at probe. +Probing the reset line with a 'scope while repeatedly attempting to +bind the driver in a shell loop revealed that the KSZ8851 RSTN pin is +constantly held at zero, meaning the device is held in reset, and +does not respond on the SPI bus. + +Experimentation with the startup delay on the regulator set to 50ms +shows that the reset is positively released after 20ms. + +Schematics for this board are not available, and the traces are buried +in the inner layers of the board which makes tracing where the RSTN pin +extremely difficult. We can only guess that the RSTN pin is wired to a +reset generator chip driven off the ethernet supply, which fits the +observed behaviour. + +Include this delay in the regulator startup delay - effectively +treating the reset as a "supply stable" indicator. + +This can not be modelled as a delay in the KSZ8851 driver since the +reset generation is board specific - if the RSTN pin had been wired to +a GPIO, reset could be released earlier via the already provided support +in the KSZ8851 driver. + +This also got confirmed by Peter Ujfalusi <peter.ujfalusi@ti.com> based +on Blaze schematics that should be very close to SDP4430: + +TPS22902YFPR is used as the regulator switch (gpio48 controlled): +Convert arm boot_lock to raw The VOUT is routed to TPS3808G01DBV. +(SCH Note: Threshold set at 90%. Vsense: 0.405V). + +According to the TPS3808 data sheet the RESET delay time when Ct is +open (this is the case in the schema): MIN/TYP/MAX: 12/20/28 ms. + +Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> +Reviewed-by: Peter Ujfalusi <peter.ujfalusi@ti.com> +[tony@atomide.com: updated with notes from schematics from Peter] +Signed-off-by: Tony Lindgren <tony@atomide.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/arm/boot/dts/omap4-sdp.dts | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/boot/dts/omap4-sdp.dts b/arch/arm/boot/dts/omap4-sdp.dts +index f0bdc41f8eff..235d1493f8aa 100644 +--- a/arch/arm/boot/dts/omap4-sdp.dts ++++ b/arch/arm/boot/dts/omap4-sdp.dts +@@ -33,6 +33,7 @@ + gpio = <&gpio2 16 GPIO_ACTIVE_HIGH>; /* gpio line 48 */ + enable-active-high; + regulator-boot-on; ++ startup-delay-us = <25000>; + }; + + vbat: fixedregulator-vbat { +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-029-mips-bpf-fix-encoding-bug-for-mm_srlv32_op.patch b/patches.kernel.org/4.4.175-029-mips-bpf-fix-encoding-bug-for-mm_srlv32_op.patch new file mode 100644 index 0000000000..092ea0da54 --- /dev/null +++ b/patches.kernel.org/4.4.175-029-mips-bpf-fix-encoding-bug-for-mm_srlv32_op.patch @@ -0,0 +1,50 @@ +From: Jiong Wang <jiong.wang@netronome.com> +Date: Mon, 3 Dec 2018 17:27:54 -0500 +Subject: [PATCH] mips: bpf: fix encoding bug for mm_srlv32_op +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 17f6c83fb5ebf7db4fcc94a5be4c22d5a7bfe428 + +[ Upstream commit 17f6c83fb5ebf7db4fcc94a5be4c22d5a7bfe428 ] + +For micro-mips, srlv inside POOL32A encoding space should use 0x50 +sub-opcode, NOT 0x90. + +Some early version ISA doc describes the encoding as 0x90 for both srlv and +srav, this looks to me was a typo. I checked Binutils libopcode +implementation which is using 0x50 for srlv and 0x90 for srav. + +v1->v2: + - Keep mm_srlv32_op sorted by value. + +Fixes: f31318fdf324 ("MIPS: uasm: Add srlv uasm instruction") +Cc: Markos Chandras <markos.chandras@imgtec.com> +Cc: Paul Burton <paul.burton@mips.com> +Cc: linux-mips@vger.kernel.org +Acked-by: Jakub Kicinski <jakub.kicinski@netronome.com> +Acked-by: Song Liu <songliubraving@fb.com> +Signed-off-by: Jiong Wang <jiong.wang@netronome.com> +Signed-off-by: Alexei Starovoitov <ast@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/mips/include/uapi/asm/inst.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/include/uapi/asm/inst.h b/arch/mips/include/uapi/asm/inst.h +index 1b6f2f219298..9db764b51ffe 100644 +--- a/arch/mips/include/uapi/asm/inst.h ++++ b/arch/mips/include/uapi/asm/inst.h +@@ -290,8 +290,8 @@ enum mm_32a_minor_op { + mm_ext_op = 0x02c, + mm_pool32axf_op = 0x03c, + mm_srl32_op = 0x040, ++ mm_srlv32_op = 0x050, + mm_sra_op = 0x080, +- mm_srlv32_op = 0x090, + mm_rotr_op = 0x0c0, + mm_lwxs_op = 0x118, + mm_addu32_op = 0x150, +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-030-iommu-arm-smmu-v3-Use-explicit-mb-when-moving.patch b/patches.kernel.org/4.4.175-030-iommu-arm-smmu-v3-Use-explicit-mb-when-moving.patch new file mode 100644 index 0000000000..6b59de47da --- /dev/null +++ b/patches.kernel.org/4.4.175-030-iommu-arm-smmu-v3-Use-explicit-mb-when-moving.patch @@ -0,0 +1,51 @@ +From: Will Deacon <will.deacon@arm.com> +Date: Wed, 7 Nov 2018 22:58:24 +0000 +Subject: [PATCH] iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: a868e8530441286342f90c1fd9c5f24de3aa2880 + +[ Upstream commit a868e8530441286342f90c1fd9c5f24de3aa2880 ] + +After removing an entry from a queue (e.g. reading an event in +arm_smmu_evtq_thread()) it is necessary to advance the MMIO consumer +pointer to free the queue slot back to the SMMU. A memory barrier is +required here so that all reads targetting the queue entry have +completed before the consumer pointer is updated. + +The implementation of queue_inc_cons() relies on a writel() to complete +the previous reads, but this is incorrect because writel() is only +guaranteed to complete prior writes. This patch replaces the call to +writel() with an mb(); writel_relaxed() sequence, which gives us the +read->write ordering which we require. + +Cc: Robin Murphy <robin.murphy@arm.com> +Signed-off-by: Will Deacon <will.deacon@arm.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/iommu/arm-smmu-v3.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c +index fc6eb752ab35..eb9937225d64 100644 +--- a/drivers/iommu/arm-smmu-v3.c ++++ b/drivers/iommu/arm-smmu-v3.c +@@ -683,7 +683,13 @@ static void queue_inc_cons(struct arm_smmu_queue *q) + u32 cons = (Q_WRP(q, q->cons) | Q_IDX(q, q->cons)) + 1; + + q->cons = Q_OVF(q, q->cons) | Q_WRP(q, cons) | Q_IDX(q, cons); +- writel(q->cons, q->cons_reg); ++ ++ /* ++ * Ensure that all CPU accesses (reads and writes) to the queue ++ * are complete before we update the cons pointer. ++ */ ++ mb(); ++ writel_relaxed(q->cons, q->cons_reg); + } + + static int queue_sync_prod(struct arm_smmu_queue *q) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-031-sata_rcar-fix-deferred-probing.patch b/patches.kernel.org/4.4.175-031-sata_rcar-fix-deferred-probing.patch new file mode 100644 index 0000000000..e6ccd10a99 --- /dev/null +++ b/patches.kernel.org/4.4.175-031-sata_rcar-fix-deferred-probing.patch @@ -0,0 +1,44 @@ +From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> +Date: Sat, 24 Nov 2018 21:14:16 +0300 +Subject: [PATCH] sata_rcar: fix deferred probing +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 9f83cfdb1ace3ef268ecc6fda50058d2ec37d603 + +[ Upstream commit 9f83cfdb1ace3ef268ecc6fda50058d2ec37d603 ] + +The driver overrides the error codes returned by platform_get_irq() to +-EINVAL, so if it returns -EPROBE_DEFER, the driver would fail the probe +permanently instead of the deferred probing. Switch to propagating the +error code upstream, still checking/overriding IRQ0 as libata regards it +as "no IRQ" (thus polling) anyway... + +Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq") +Reviewed-by: Simon Horman <horms+renesas@verge.net.au> +Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be> +Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/ata/sata_rcar.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/ata/sata_rcar.c b/drivers/ata/sata_rcar.c +index 8804127b108c..21b80f5ee092 100644 +--- a/drivers/ata/sata_rcar.c ++++ b/drivers/ata/sata_rcar.c +@@ -875,7 +875,9 @@ static int sata_rcar_probe(struct platform_device *pdev) + int ret = 0; + + irq = platform_get_irq(pdev, 0); +- if (irq <= 0) ++ if (irq < 0) ++ return irq; ++ if (!irq) + return -EINVAL; + + priv = devm_kzalloc(&pdev->dev, sizeof(struct sata_rcar_priv), +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-032-clk-imx6sl-ensure-MMDC-CH0-handshake-is-bypas.patch b/patches.kernel.org/4.4.175-032-clk-imx6sl-ensure-MMDC-CH0-handshake-is-bypas.patch new file mode 100644 index 0000000000..869bd34071 --- /dev/null +++ b/patches.kernel.org/4.4.175-032-clk-imx6sl-ensure-MMDC-CH0-handshake-is-bypas.patch @@ -0,0 +1,49 @@ +From: Anson Huang <anson.huang@nxp.com> +Date: Fri, 30 Nov 2018 07:23:47 +0000 +Subject: [PATCH] clk: imx6sl: ensure MMDC CH0 handshake is bypassed +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 0efcc2c0fd2001a83240a8c3d71f67770484917e + +[ Upstream commit 0efcc2c0fd2001a83240a8c3d71f67770484917e ] + +Same as other i.MX6 SoCs, ensure unused MMDC channel's +handshake is bypassed, this is to make sure no request +signal will be generated when periphe_clk_sel is changed +or SRC warm reset is triggered. + +Signed-off-by: Anson Huang <Anson.Huang@nxp.com> +Signed-off-by: Stephen Boyd <sboyd@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/clk/imx/clk-imx6sl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/clk/imx/clk-imx6sl.c b/drivers/clk/imx/clk-imx6sl.c +index 1be6230a07af..8b6306dc5fc6 100644 +--- a/drivers/clk/imx/clk-imx6sl.c ++++ b/drivers/clk/imx/clk-imx6sl.c +@@ -17,6 +17,8 @@ + + #include "clk.h" + ++#define CCDR 0x4 ++#define BM_CCM_CCDR_MMDC_CH0_MASK (1 << 17) + #define CCSR 0xc + #define BM_CCSR_PLL1_SW_CLK_SEL (1 << 2) + #define CACRR 0x10 +@@ -414,6 +416,10 @@ static void __init imx6sl_clocks_init(struct device_node *ccm_node) + clks[IMX6SL_CLK_USDHC3] = imx_clk_gate2("usdhc3", "usdhc3_podf", base + 0x80, 6); + clks[IMX6SL_CLK_USDHC4] = imx_clk_gate2("usdhc4", "usdhc4_podf", base + 0x80, 8); + ++ /* Ensure the MMDC CH0 handshake is bypassed */ ++ writel_relaxed(readl_relaxed(base + CCDR) | ++ BM_CCM_CCDR_MMDC_CH0_MASK, base + CCDR); ++ + imx_check_clocks(clks, ARRAY_SIZE(clks)); + + clk_data.clks = clks; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-033-cpuidle-big.LITTLE-fix-refcount-leak.patch b/patches.kernel.org/4.4.175-033-cpuidle-big.LITTLE-fix-refcount-leak.patch new file mode 100644 index 0000000000..fbeeae32e3 --- /dev/null +++ b/patches.kernel.org/4.4.175-033-cpuidle-big.LITTLE-fix-refcount-leak.patch @@ -0,0 +1,50 @@ +From: Yangtao Li <tiny.windzz@gmail.com> +Date: Mon, 10 Dec 2018 11:26:41 -0500 +Subject: [PATCH] cpuidle: big.LITTLE: fix refcount leak +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 9456823c842f346c74265fcd98d008d87a7eb6f5 + +[ Upstream commit 9456823c842f346c74265fcd98d008d87a7eb6f5 ] + +of_find_node_by_path() acquires a reference to the node +returned by it and that reference needs to be dropped by its caller. +bl_idle_init() doesn't do that, so fix it. + +Signed-off-by: Yangtao Li <tiny.windzz@gmail.com> +Acked-by: Daniel Lezcano <daniel.lezcano@linaro.org> +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/cpuidle/cpuidle-big_little.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/cpuidle/cpuidle-big_little.c b/drivers/cpuidle/cpuidle-big_little.c +index db2ede565f1a..b44476a1b7ad 100644 +--- a/drivers/cpuidle/cpuidle-big_little.c ++++ b/drivers/cpuidle/cpuidle-big_little.c +@@ -167,6 +167,7 @@ static int __init bl_idle_init(void) + { + int ret; + struct device_node *root = of_find_node_by_path("/"); ++ const struct of_device_id *match_id; + + if (!root) + return -ENODEV; +@@ -174,7 +175,11 @@ static int __init bl_idle_init(void) + /* + * Initialize the driver just for a compliant set of machines + */ +- if (!of_match_node(compatible_machine_match, root)) ++ match_id = of_match_node(compatible_machine_match, root); ++ ++ of_node_put(root); ++ ++ if (!match_id) + return -ENODEV; + + if (!mcpm_is_available()) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-034-i2c-axxia-check-for-error-conditions-first.patch b/patches.kernel.org/4.4.175-034-i2c-axxia-check-for-error-conditions-first.patch new file mode 100644 index 0000000000..59e9d03053 --- /dev/null +++ b/patches.kernel.org/4.4.175-034-i2c-axxia-check-for-error-conditions-first.patch @@ -0,0 +1,88 @@ +From: "Adamski, Krzysztof (Nokia - PL/Wroclaw)" <krzysztof.adamski@nokia.com> +Date: Mon, 10 Dec 2018 15:01:27 +0000 +Subject: [PATCH] i2c-axxia: check for error conditions first +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 4f5c85fe3a60ace555d09898166af372547f97fc + +[ Upstream commit 4f5c85fe3a60ace555d09898166af372547f97fc ] + +It was observed that when using seqentional mode contrary to the +documentation, the SS bit (which is supposed to only be set if +automatic/sequence command completed normally), is sometimes set +together with NA (NAK in address phase) causing transfer to falsely be +considered successful. + +My assumption is that this does not happen during manual mode since the +controller is stopping its work the moment it sets NA/ND bit in status +register. This is not the case in Automatic/Sequentional mode where it +is still working to send STOP condition and the actual status we get +depends on the time when the ISR is run. + +This patch changes the order of checking status bits in ISR - error +conditions are checked first and only if none of them occurred, the +transfer may be considered successful. This is required to introduce +using of sequentional mode in next patch. + +Signed-off-by: Krzysztof Adamski <krzysztof.adamski@nokia.com> +Reviewed-by: Alexander Sverdlin <alexander.sverdlin@nokia.com> +Signed-off-by: Wolfram Sang <wsa@the-dreams.de> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/i2c/busses/i2c-axxia.c | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-axxia.c b/drivers/i2c/busses/i2c-axxia.c +index 9c9fd2e87a4b..1c68b05c8649 100644 +--- a/drivers/i2c/busses/i2c-axxia.c ++++ b/drivers/i2c/busses/i2c-axxia.c +@@ -296,22 +296,7 @@ static irqreturn_t axxia_i2c_isr(int irq, void *_dev) + i2c_int_disable(idev, MST_STATUS_TFL); + } + +- if (status & MST_STATUS_SCC) { +- /* Stop completed */ +- i2c_int_disable(idev, ~MST_STATUS_TSS); +- complete(&idev->msg_complete); +- } else if (status & MST_STATUS_SNS) { +- /* Transfer done */ +- i2c_int_disable(idev, ~MST_STATUS_TSS); +- if (i2c_m_rd(idev->msg) && idev->msg_xfrd < idev->msg->len) +- axxia_i2c_empty_rx_fifo(idev); +- complete(&idev->msg_complete); +- } else if (status & MST_STATUS_TSS) { +- /* Transfer timeout */ +- idev->msg_err = -ETIMEDOUT; +- i2c_int_disable(idev, ~MST_STATUS_TSS); +- complete(&idev->msg_complete); +- } else if (unlikely(status & MST_STATUS_ERR)) { ++ if (unlikely(status & MST_STATUS_ERR)) { + /* Transfer error */ + i2c_int_disable(idev, ~0); + if (status & MST_STATUS_AL) +@@ -328,6 +313,21 @@ static irqreturn_t axxia_i2c_isr(int irq, void *_dev) + readl(idev->base + MST_TX_BYTES_XFRD), + readl(idev->base + MST_TX_XFER)); + complete(&idev->msg_complete); ++ } else if (status & MST_STATUS_SCC) { ++ /* Stop completed */ ++ i2c_int_disable(idev, ~MST_STATUS_TSS); ++ complete(&idev->msg_complete); ++ } else if (status & MST_STATUS_SNS) { ++ /* Transfer done */ ++ i2c_int_disable(idev, ~MST_STATUS_TSS); ++ if (i2c_m_rd(idev->msg) && idev->msg_xfrd < idev->msg->len) ++ axxia_i2c_empty_rx_fifo(idev); ++ complete(&idev->msg_complete); ++ } else if (status & MST_STATUS_TSS) { ++ /* Transfer timeout */ ++ idev->msg_err = -ETIMEDOUT; ++ i2c_int_disable(idev, ~MST_STATUS_TSS); ++ complete(&idev->msg_complete); + } + + out: +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-035-udf-Fix-BUG-on-corrupted-inode.patch b/patches.kernel.org/4.4.175-035-udf-Fix-BUG-on-corrupted-inode.patch new file mode 100644 index 0000000000..356e9a96d0 --- /dev/null +++ b/patches.kernel.org/4.4.175-035-udf-Fix-BUG-on-corrupted-inode.patch @@ -0,0 +1,41 @@ +From: Jan Kara <jack@suse.cz> +Date: Wed, 12 Dec 2018 14:29:20 +0100 +Subject: [PATCH] udf: Fix BUG on corrupted inode +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: d288d95842f1503414b7eebce3773bac3390457e + +[ Upstream commit d288d95842f1503414b7eebce3773bac3390457e ] + +When inode is corrupted so that extent type is invalid, some functions +(such as udf_truncate_extents()) will just BUG. Check that extent type +is valid when loading the inode to memory. + +Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com> +Signed-off-by: Jan Kara <jack@suse.cz> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/udf/inode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index 0e659d9c69a1..613193c6bb42 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -1364,6 +1364,12 @@ static int udf_read_inode(struct inode *inode, bool hidden_inode) + + iinfo->i_alloc_type = le16_to_cpu(fe->icbTag.flags) & + ICBTAG_FLAG_AD_MASK; ++ if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_SHORT && ++ iinfo->i_alloc_type != ICBTAG_FLAG_AD_LONG && ++ iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB) { ++ ret = -EIO; ++ goto out; ++ } + iinfo->i_unique = 0; + iinfo->i_lenEAttr = 0; + iinfo->i_lenExtents = 0; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-036-ARM-pxa-avoid-section-mismatch-warning.patch b/patches.kernel.org/4.4.175-036-ARM-pxa-avoid-section-mismatch-warning.patch new file mode 100644 index 0000000000..6bd866b5a0 --- /dev/null +++ b/patches.kernel.org/4.4.175-036-ARM-pxa-avoid-section-mismatch-warning.patch @@ -0,0 +1,79 @@ +From: Arnd Bergmann <arnd@arndb.de> +Date: Mon, 10 Dec 2018 22:58:39 +0100 +Subject: [PATCH] ARM: pxa: avoid section mismatch warning +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 88af3209aa0881aa5ffd99664b6080a4be5f24e5 + +[ Upstream commit 88af3209aa0881aa5ffd99664b6080a4be5f24e5 ] + +WARNING: vmlinux.o(.text+0x19f90): Section mismatch in reference from the function littleton_init_lcd() to the function .init.text:pxa_set_fb_info() +The function littleton_init_lcd() references +the function __init pxa_set_fb_info(). +This is often because littleton_init_lcd lacks a __init +annotation or the annotation of pxa_set_fb_info is wrong. + +WARNING: vmlinux.o(.text+0xf824): Section mismatch in reference from the function zeus_register_ohci() to the function .init.text:pxa_set_ohci_info() +The function zeus_register_ohci() references +the function __init pxa_set_ohci_info(). +This is often because zeus_register_ohci lacks a __init +annotation or the annotation of pxa_set_ohci_info is wrong. + +WARNING: vmlinux.o(.text+0xf95c): Section mismatch in reference from the function cm_x300_init_u2d() to the function .init.text:pxa3xx_set_u2d_info() +The function cm_x300_init_u2d() references +the function __init pxa3xx_set_u2d_info(). +This is often because cm_x300_init_u2d lacks a __init +annotation or the annotation of pxa3xx_set_u2d_info is wrong. + +Signed-off-by: Arnd Bergmann <arnd@arndb.de> +Signed-off-by: Olof Johansson <olof@lixom.net> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/arm/mach-pxa/cm-x300.c | 2 +- + arch/arm/mach-pxa/littleton.c | 2 +- + arch/arm/mach-pxa/zeus.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/mach-pxa/cm-x300.c b/arch/arm/mach-pxa/cm-x300.c +index a7dae60810e8..307fc18edede 100644 +--- a/arch/arm/mach-pxa/cm-x300.c ++++ b/arch/arm/mach-pxa/cm-x300.c +@@ -547,7 +547,7 @@ static struct pxa3xx_u2d_platform_data cm_x300_u2d_platform_data = { + .exit = cm_x300_u2d_exit, + }; + +-static void cm_x300_init_u2d(void) ++static void __init cm_x300_init_u2d(void) + { + pxa3xx_set_u2d_info(&cm_x300_u2d_platform_data); + } +diff --git a/arch/arm/mach-pxa/littleton.c b/arch/arm/mach-pxa/littleton.c +index 5d665588c7eb..05aa7071efd6 100644 +--- a/arch/arm/mach-pxa/littleton.c ++++ b/arch/arm/mach-pxa/littleton.c +@@ -183,7 +183,7 @@ static struct pxafb_mach_info littleton_lcd_info = { + .lcd_conn = LCD_COLOR_TFT_16BPP, + }; + +-static void littleton_init_lcd(void) ++static void __init littleton_init_lcd(void) + { + pxa_set_fb_info(NULL, &littleton_lcd_info); + } +diff --git a/arch/arm/mach-pxa/zeus.c b/arch/arm/mach-pxa/zeus.c +index d757cfb5f8a6..4da2458d7f32 100644 +--- a/arch/arm/mach-pxa/zeus.c ++++ b/arch/arm/mach-pxa/zeus.c +@@ -558,7 +558,7 @@ static struct pxaohci_platform_data zeus_ohci_platform_data = { + .flags = ENABLE_PORT_ALL | POWER_SENSE_LOW, + }; + +-static void zeus_register_ohci(void) ++static void __init zeus_register_ohci(void) + { + /* Port 2 is shared between host and client interface. */ + UP2OCR = UP2OCR_HXOE | UP2OCR_HXS | UP2OCR_DMPDE | UP2OCR_DPPDE; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-037-ASoC-fsl-Fix-SND_SOC_EUKREA_TLV320-build-erro.patch b/patches.kernel.org/4.4.175-037-ASoC-fsl-Fix-SND_SOC_EUKREA_TLV320-build-erro.patch new file mode 100644 index 0000000000..85e27b4612 --- /dev/null +++ b/patches.kernel.org/4.4.175-037-ASoC-fsl-Fix-SND_SOC_EUKREA_TLV320-build-erro.patch @@ -0,0 +1,48 @@ +From: Fabio Estevam <festevam@gmail.com> +Date: Thu, 13 Dec 2018 00:08:38 -0200 +Subject: [PATCH] ASoC: fsl: Fix SND_SOC_EUKREA_TLV320 build error on i.MX8M +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: add6883619a9e3bf9658eaff1a547354131bbcd9 + +[ Upstream commit add6883619a9e3bf9658eaff1a547354131bbcd9 ] + +eukrea-tlv320.c machine driver runs on non-DT platforms +and include <asm/mach-types.h> header file in order to be able +to use some machine_is_eukrea_xxx() macros. + +Building it for ARM64 causes the following build error: + +sound/soc/fsl/eukrea-tlv320.c:28:10: fatal error: asm/mach-types.h: No such file or directory + +Avoid this error by not allowing to build the SND_SOC_EUKREA_TLV320 +driver when ARM64 is selected. + +This is needed in preparation for the i.MX8M support. + +Reported-by: kbuild test robot <lkp@intel.com> +Signed-off-by: Fabio Estevam <festevam@gmail.com> +Acked-by: Shawn Guo <shawnguo@kernel.org> +Signed-off-by: Mark Brown <broonie@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/soc/fsl/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/fsl/Kconfig b/sound/soc/fsl/Kconfig +index 14dfdee05fd5..3066e068aae5 100644 +--- a/sound/soc/fsl/Kconfig ++++ b/sound/soc/fsl/Kconfig +@@ -219,7 +219,7 @@ config SND_SOC_PHYCORE_AC97 + + config SND_SOC_EUKREA_TLV320 + tristate "Eukrea TLV320" +- depends on ARCH_MXC && I2C ++ depends on ARCH_MXC && !ARM64 && I2C + select SND_SOC_TLV320AIC23_I2C + select SND_SOC_IMX_AUDMUX + select SND_SOC_IMX_SSI +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-038-memstick-Prevent-memstick-host-from-getting-r.patch b/patches.kernel.org/4.4.175-038-memstick-Prevent-memstick-host-from-getting-r.patch new file mode 100644 index 0000000000..285696461b --- /dev/null +++ b/patches.kernel.org/4.4.175-038-memstick-Prevent-memstick-host-from-getting-r.patch @@ -0,0 +1,60 @@ +From: Kai-Heng Feng <kai.heng.feng@canonical.com> +Date: Mon, 5 Nov 2018 16:45:04 +0800 +Subject: [PATCH] memstick: Prevent memstick host from getting runtime + suspended during card detection +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: e03e303edf1c63e6dd455ccd568c74e93ef3ba8c + +[ Upstream commit e03e303edf1c63e6dd455ccd568c74e93ef3ba8c ] + +We can use MEMSTICK_POWER_{ON,OFF} along with pm_runtime_{get,put} +helpers to let memstick host support runtime pm. + +The rpm count may go down to zero before the memstick host powers on, so +the host can be runtime suspended. + +So before doing card detection, increment the rpm count to avoid the +host gets runtime suspended. Balance the rpm count after card detection +is done. + +Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com> +Tested-by: Oleksandr Natalenko <oleksandr@natalenko.name> +Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/memstick/core/memstick.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/memstick/core/memstick.c b/drivers/memstick/core/memstick.c +index a0547dbf9806..4d673a626db4 100644 +--- a/drivers/memstick/core/memstick.c ++++ b/drivers/memstick/core/memstick.c +@@ -18,6 +18,7 @@ + #include <linux/delay.h> + #include <linux/slab.h> + #include <linux/module.h> ++#include <linux/pm_runtime.h> + + #define DRIVER_NAME "memstick" + +@@ -436,6 +437,7 @@ static void memstick_check(struct work_struct *work) + struct memstick_dev *card; + + dev_dbg(&host->dev, "memstick_check started\n"); ++ pm_runtime_get_noresume(host->dev.parent); + mutex_lock(&host->lock); + if (!host->card) { + if (memstick_power_on(host)) +@@ -479,6 +481,7 @@ static void memstick_check(struct work_struct *work) + host->set_param(host, MEMSTICK_POWER, MEMSTICK_POWER_OFF); + + mutex_unlock(&host->lock); ++ pm_runtime_put(host->dev.parent); + dev_dbg(&host->dev, "memstick_check finished\n"); + } + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-039-tty-serial-samsung-Properly-set-flags-in-auto.patch b/patches.kernel.org/4.4.175-039-tty-serial-samsung-Properly-set-flags-in-auto.patch new file mode 100644 index 0000000000..7fbfb5a707 --- /dev/null +++ b/patches.kernel.org/4.4.175-039-tty-serial-samsung-Properly-set-flags-in-auto.patch @@ -0,0 +1,48 @@ +From: Beomho Seo <beomho.seo@samsung.com> +Date: Fri, 14 Dec 2018 12:34:08 +0100 +Subject: [PATCH] tty: serial: samsung: Properly set flags in autoCTS mode +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 31e933645742ee6719d37573a27cce0761dcf92b + +[ Upstream commit 31e933645742ee6719d37573a27cce0761dcf92b ] + +Commit 391f93f2ec9f ("serial: core: Rework hw-assited flow control support") +has changed the way the autoCTS mode is handled. + +According to that change, serial drivers which enable H/W autoCTS mode must +set UPSTAT_AUTOCTS to prevent the serial core from inadvertently disabling +TX. This patch adds proper handling of UPSTAT_AUTOCTS flag. + +Signed-off-by: Beomho Seo <beomho.seo@samsung.com> +[mszyprow: rephrased commit message] +Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/tty/serial/samsung.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c +index 4d532a085db9..12bac2cbae4b 100644 +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -1329,11 +1329,14 @@ static void s3c24xx_serial_set_termios(struct uart_port *port, + wr_regl(port, S3C2410_ULCON, ulcon); + wr_regl(port, S3C2410_UBRDIV, quot); + ++ port->status &= ~UPSTAT_AUTOCTS; ++ + umcon = rd_regl(port, S3C2410_UMCON); + if (termios->c_cflag & CRTSCTS) { + umcon |= S3C2410_UMCOM_AFC; + /* Disable RTS when RX FIFO contains 63 bytes */ + umcon &= ~S3C2412_UMCON_AFC_8; ++ port->status = UPSTAT_AUTOCTS; + } else { + umcon &= ~S3C2410_UMCOM_AFC; + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-040-arm64-KVM-Skip-MMIO-insn-after-emulation.patch b/patches.kernel.org/4.4.175-040-arm64-KVM-Skip-MMIO-insn-after-emulation.patch new file mode 100644 index 0000000000..8129d12477 --- /dev/null +++ b/patches.kernel.org/4.4.175-040-arm64-KVM-Skip-MMIO-insn-after-emulation.patch @@ -0,0 +1,66 @@ +From: Mark Rutland <mark.rutland@arm.com> +Date: Fri, 9 Nov 2018 15:07:10 +0000 +Subject: [PATCH] arm64: KVM: Skip MMIO insn after emulation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 0d640732dbebed0f10f18526de21652931f0b2f2 + +[ Upstream commit 0d640732dbebed0f10f18526de21652931f0b2f2 ] + +When we emulate an MMIO instruction, we advance the CPU state within +decode_hsr(), before emulating the instruction effects. + +Having this logic in decode_hsr() is opaque, and advancing the state +before emulation is problematic. It gets in the way of applying +consistent single-step logic, and it prevents us from being able to fail +an MMIO instruction with a synchronous exception. + +Clean this up by only advancing the CPU state *after* the effects of the +instruction are emulated. + +Cc: Peter Maydell <peter.maydell@linaro.org> +Reviewed-by: Alex Bennée <alex.bennee@linaro.org> +Reviewed-by: Christoffer Dall <christoffer.dall@arm.com> +Signed-off-by: Mark Rutland <mark.rutland@arm.com> +Signed-off-by: Marc Zyngier <marc.zyngier@arm.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/arm/kvm/mmio.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/arch/arm/kvm/mmio.c b/arch/arm/kvm/mmio.c +index 387ee2a11e36..885cd0e0015b 100644 +--- a/arch/arm/kvm/mmio.c ++++ b/arch/arm/kvm/mmio.c +@@ -118,6 +118,12 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run) + vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data); + } + ++ /* ++ * The MMIO instruction is emulated and should not be re-executed ++ * in the guest. ++ */ ++ kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu)); ++ + return 0; + } + +@@ -151,11 +157,6 @@ static int decode_hsr(struct kvm_vcpu *vcpu, bool *is_write, int *len) + vcpu->arch.mmio_decode.sign_extend = sign_extend; + vcpu->arch.mmio_decode.rt = rt; + +- /* +- * The MMIO instruction is emulated and should not be re-executed +- * in the guest. +- */ +- kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu)); + return 0; + } + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-041-powerpc-uaccess-fix-warning-error-with-access.patch b/patches.kernel.org/4.4.175-041-powerpc-uaccess-fix-warning-error-with-access.patch new file mode 100644 index 0000000000..7e3320da29 --- /dev/null +++ b/patches.kernel.org/4.4.175-041-powerpc-uaccess-fix-warning-error-with-access.patch @@ -0,0 +1,48 @@ +From: Christophe Leroy <christophe.leroy@c-s.fr> +Date: Mon, 10 Dec 2018 06:50:09 +0000 +Subject: [PATCH] powerpc/uaccess: fix warning/error with access_ok() +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 05a4ab823983d9136a460b7b5e0d49ee709a6f86 + +[ Upstream commit 05a4ab823983d9136a460b7b5e0d49ee709a6f86 ] + +With the following piece of code, the following compilation warning +is encountered: + + if (_IOC_DIR(ioc) != _IOC_NONE) { + int verify = _IOC_DIR(ioc) & _IOC_READ ? VERIFY_WRITE : VERIFY_READ; + + if (!access_ok(verify, ioarg, _IOC_SIZE(ioc))) { + +drivers/platform/test/dev.c: In function 'my_ioctl': +drivers/platform/test/dev.c:219:7: warning: unused variable 'verify' [-Wunused-variable] + int verify = _IOC_DIR(ioc) & _IOC_READ ? VERIFY_WRITE : VERIFY_READ; + +This patch fixes it by referencing 'type' in the macro allthough +doing nothing with it. + +Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr> +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/powerpc/include/asm/uaccess.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h +index a5ffe0207c16..05f1389228d2 100644 +--- a/arch/powerpc/include/asm/uaccess.h ++++ b/arch/powerpc/include/asm/uaccess.h +@@ -59,7 +59,7 @@ + #endif + + #define access_ok(type, addr, size) \ +- (__chk_user_ptr(addr), \ ++ (__chk_user_ptr(addr), (void)(type), \ + __access_ok((__force unsigned long)(addr), (size), get_fs())) + + /* +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-042-mac80211-fix-radiotap-vendor-presence-bitmap-.patch b/patches.kernel.org/4.4.175-042-mac80211-fix-radiotap-vendor-presence-bitmap-.patch new file mode 100644 index 0000000000..8eab171ffa --- /dev/null +++ b/patches.kernel.org/4.4.175-042-mac80211-fix-radiotap-vendor-presence-bitmap-.patch @@ -0,0 +1,53 @@ +From: Johannes Berg <johannes.berg@intel.com> +Date: Sat, 15 Dec 2018 11:03:12 +0200 +Subject: [PATCH] mac80211: fix radiotap vendor presence bitmap handling +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: efc38dd7d5fa5c8cdd0c917c5d00947aa0539443 + +[ Upstream commit efc38dd7d5fa5c8cdd0c917c5d00947aa0539443 ] + +Due to the alignment handling, it actually matters where in the code +we add the 4 bytes for the presence bitmap to the length; the first +field is the timestamp with 8 byte alignment so we need to add the +space for the extra vendor namespace presence bitmap *before* we do +any alignment for the fields. + +Move the presence bitmap length accounting to the right place to fix +the alignment for the data properly. + +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: Luca Coelho <luciano.coelho@intel.com> +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/mac80211/rx.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index 64f76f88f819..acacceec8cd8 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -149,6 +149,9 @@ ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local, + /* allocate extra bitmaps */ + if (status->chains) + len += 4 * hweight8(status->chains); ++ /* vendor presence bitmap */ ++ if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) ++ len += 4; + + if (ieee80211_have_rx_timestamp(status)) { + len = ALIGN(len, 8); +@@ -185,8 +188,6 @@ ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local, + if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) { + struct ieee80211_vendor_radiotap *rtap = (void *)skb->data; + +- /* vendor presence bitmap */ +- len += 4; + /* alignment for fixed 6-byte vendor data header */ + len = ALIGN(len, 2); + /* vendor data header */ +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-043-xfrm6_tunnel-Fix-spi-check-in-__xfrm6_tunnel_.patch b/patches.kernel.org/4.4.175-043-xfrm6_tunnel-Fix-spi-check-in-__xfrm6_tunnel_.patch new file mode 100644 index 0000000000..bab4254408 --- /dev/null +++ b/patches.kernel.org/4.4.175-043-xfrm6_tunnel-Fix-spi-check-in-__xfrm6_tunnel_.patch @@ -0,0 +1,42 @@ +From: YueHaibing <yuehaibing@huawei.com> +Date: Wed, 19 Dec 2018 14:45:09 +0800 +Subject: [PATCH] xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: fa89a4593b927b3f59c3b69379f31d3b22272e4e + +[ Upstream commit fa89a4593b927b3f59c3b69379f31d3b22272e4e ] + +gcc warn this: + +net/ipv6/xfrm6_tunnel.c:143 __xfrm6_tunnel_alloc_spi() warn: + always true condition '(spi <= 4294967295) => (0-u32max <= u32max)' + +'spi' is u32, which always not greater than XFRM6_TUNNEL_SPI_MAX +because of wrap around. So the second forloop will never reach. + +Signed-off-by: YueHaibing <yuehaibing@huawei.com> +Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv6/xfrm6_tunnel.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c +index 5743044cd660..56b72cada346 100644 +--- a/net/ipv6/xfrm6_tunnel.c ++++ b/net/ipv6/xfrm6_tunnel.c +@@ -144,6 +144,9 @@ static u32 __xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr) + index = __xfrm6_tunnel_spi_check(net, spi); + if (index >= 0) + goto alloc_spi; ++ ++ if (spi == XFRM6_TUNNEL_SPI_MAX) ++ break; + } + for (spi = XFRM6_TUNNEL_SPI_MIN; spi < xfrm6_tn->spi; spi++) { + index = __xfrm6_tunnel_spi_check(net, spi); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-044-Bluetooth-Fix-unnecessary-error-message-for-H.patch b/patches.kernel.org/4.4.175-044-Bluetooth-Fix-unnecessary-error-message-for-H.patch new file mode 100644 index 0000000000..cee96f3462 --- /dev/null +++ b/patches.kernel.org/4.4.175-044-Bluetooth-Fix-unnecessary-error-message-for-H.patch @@ -0,0 +1,47 @@ +From: Johan Hedberg <johan.hedberg@intel.com> +Date: Tue, 27 Nov 2018 11:37:46 +0200 +Subject: [PATCH] Bluetooth: Fix unnecessary error message for HCI request + completion +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 1629db9c75342325868243d6bca5853017d91cf8 + +[ Upstream commit 1629db9c75342325868243d6bca5853017d91cf8 ] + +In case a command which completes in Command Status was sent using the +hci_cmd_send-family of APIs there would be a misleading error in the +hci_get_cmd_complete function, since the code would be trying to fetch +the Command Complete parameters when there are none. + +Avoid the misleading error and silently bail out from the function in +case the received event is a command status. + +Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> +Acked-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> +Signed-off-by: Marcel Holtmann <marcel@holtmann.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/bluetooth/hci_event.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index d40d32a2c12d..37fe2b158c2a 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -5185,6 +5185,12 @@ static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode, + return true; + } + ++ /* Check if request ended in Command Status - no way to retreive ++ * any extra parameters in this case. ++ */ ++ if (hdr->evt == HCI_EV_CMD_STATUS) ++ return false; ++ + if (hdr->evt != HCI_EV_CMD_COMPLETE) { + BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt); + return false; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-045-cw1200-Fix-concurrency-use-after-free-bugs-in.patch b/patches.kernel.org/4.4.175-045-cw1200-Fix-concurrency-use-after-free-bugs-in.patch new file mode 100644 index 0000000000..7d322be0d5 --- /dev/null +++ b/patches.kernel.org/4.4.175-045-cw1200-Fix-concurrency-use-after-free-bugs-in.patch @@ -0,0 +1,85 @@ +From: Jia-Ju Bai <baijiaju1990@gmail.com> +Date: Fri, 14 Dec 2018 11:55:21 +0800 +Subject: [PATCH] cw1200: Fix concurrency use-after-free bugs in + cw1200_hw_scan() +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 4f68ef64cd7feb1220232bd8f501d8aad340a099 + +[ Upstream commit 4f68ef64cd7feb1220232bd8f501d8aad340a099 ] + +The function cw1200_bss_info_changed() and cw1200_hw_scan() can be +concurrently executed. +The two functions both access a possible shared variable "frame.skb". + +This shared variable is freed by dev_kfree_skb() in cw1200_upload_beacon(), +which is called by cw1200_bss_info_changed(). The free operation is +protected by a mutex lock "priv->conf_mutex" in cw1200_bss_info_changed(). + +In cw1200_hw_scan(), this shared variable is accessed without the +protection of the mutex lock "priv->conf_mutex". +Thus, concurrency use-after-free bugs may occur. + +To fix these bugs, the original calls to mutex_lock(&priv->conf_mutex) and +mutex_unlock(&priv->conf_mutex) are moved to the places, which can +protect the accesses to the shared variable. + +Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/wireless/cw1200/scan.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/cw1200/scan.c b/drivers/net/wireless/cw1200/scan.c +index bff81b8d4164..9f1037e7e55c 100644 +--- a/drivers/net/wireless/cw1200/scan.c ++++ b/drivers/net/wireless/cw1200/scan.c +@@ -78,6 +78,10 @@ int cw1200_hw_scan(struct ieee80211_hw *hw, + if (req->n_ssids > WSM_SCAN_MAX_NUM_OF_SSIDS) + return -EINVAL; + ++ /* will be unlocked in cw1200_scan_work() */ ++ down(&priv->scan.lock); ++ mutex_lock(&priv->conf_mutex); ++ + frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0, + req->ie_len); + if (!frame.skb) +@@ -86,19 +90,15 @@ int cw1200_hw_scan(struct ieee80211_hw *hw, + if (req->ie_len) + memcpy(skb_put(frame.skb, req->ie_len), req->ie, req->ie_len); + +- /* will be unlocked in cw1200_scan_work() */ +- down(&priv->scan.lock); +- mutex_lock(&priv->conf_mutex); +- + ret = wsm_set_template_frame(priv, &frame); + if (!ret) { + /* Host want to be the probe responder. */ + ret = wsm_set_probe_responder(priv, true); + } + if (ret) { ++ dev_kfree_skb(frame.skb); + mutex_unlock(&priv->conf_mutex); + up(&priv->scan.lock); +- dev_kfree_skb(frame.skb); + return ret; + } + +@@ -120,10 +120,9 @@ int cw1200_hw_scan(struct ieee80211_hw *hw, + ++priv->scan.n_ssids; + } + +- mutex_unlock(&priv->conf_mutex); +- + if (frame.skb) + dev_kfree_skb(frame.skb); ++ mutex_unlock(&priv->conf_mutex); + queue_work(priv->workqueue, &priv->scan.work); + return 0; + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-046-drbd-narrow-rcu_read_lock-in-drbd_sync_handsh.patch b/patches.kernel.org/4.4.175-046-drbd-narrow-rcu_read_lock-in-drbd_sync_handsh.patch new file mode 100644 index 0000000000..39ac038a09 --- /dev/null +++ b/patches.kernel.org/4.4.175-046-drbd-narrow-rcu_read_lock-in-drbd_sync_handsh.patch @@ -0,0 +1,85 @@ +From: Roland Kammerer <roland.kammerer@linbit.com> +Date: Thu, 20 Dec 2018 17:23:28 +0100 +Subject: [PATCH] drbd: narrow rcu_read_lock in drbd_sync_handshake +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: d29e89e34952a9ad02c77109c71a80043544296e + +[ Upstream commit d29e89e34952a9ad02c77109c71a80043544296e ] + +So far there was the possibility that we called +genlmsg_new(GFP_NOIO)/mutex_lock() while holding an rcu_read_lock(). + +This included cases like: + +drbd_sync_handshake (acquire the RCU lock) + drbd_asb_recover_1p + drbd_khelper + drbd_bcast_event + genlmsg_new(GFP_NOIO) --> may sleep + +drbd_sync_handshake (acquire the RCU lock) + drbd_asb_recover_1p + drbd_khelper + notify_helper + genlmsg_new(GFP_NOIO) --> may sleep + +drbd_sync_handshake (acquire the RCU lock) + drbd_asb_recover_1p + drbd_khelper + notify_helper + mutex_lock --> may sleep + +While using GFP_ATOMIC whould have been possible in the first two cases, +the real fix is to narrow the rcu_read_lock. + +Reported-by: Jia-Ju Bai <baijiaju1990@163.com> +Reviewed-by: Lars Ellenberg <lars.ellenberg@linbit.com> +Signed-off-by: Roland Kammerer <roland.kammerer@linbit.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/block/drbd/drbd_receiver.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c +index b4b5680ac6ad..2fedab9349f6 100644 +--- a/drivers/block/drbd/drbd_receiver.c ++++ b/drivers/block/drbd/drbd_receiver.c +@@ -3126,7 +3126,7 @@ static enum drbd_conns drbd_sync_handshake(struct drbd_peer_device *peer_device, + enum drbd_conns rv = C_MASK; + enum drbd_disk_state mydisk; + struct net_conf *nc; +- int hg, rule_nr, rr_conflict, tentative; ++ int hg, rule_nr, rr_conflict, tentative, always_asbp; + + mydisk = device->state.disk; + if (mydisk == D_NEGOTIATING) +@@ -3168,8 +3168,12 @@ static enum drbd_conns drbd_sync_handshake(struct drbd_peer_device *peer_device, + + rcu_read_lock(); + nc = rcu_dereference(peer_device->connection->net_conf); ++ always_asbp = nc->always_asbp; ++ rr_conflict = nc->rr_conflict; ++ tentative = nc->tentative; ++ rcu_read_unlock(); + +- if (hg == 100 || (hg == -100 && nc->always_asbp)) { ++ if (hg == 100 || (hg == -100 && always_asbp)) { + int pcount = (device->state.role == R_PRIMARY) + + (peer_role == R_PRIMARY); + int forced = (hg == -100); +@@ -3208,9 +3212,6 @@ static enum drbd_conns drbd_sync_handshake(struct drbd_peer_device *peer_device, + "Sync from %s node\n", + (hg < 0) ? "peer" : "this"); + } +- rr_conflict = nc->rr_conflict; +- tentative = nc->tentative; +- rcu_read_unlock(); + + if (hg == -100) { + /* FIXME this log message is not correct if we end up here +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-047-drbd-disconnect-if-the-wrong-UUIDs-are-attach.patch b/patches.kernel.org/4.4.175-047-drbd-disconnect-if-the-wrong-UUIDs-are-attach.patch new file mode 100644 index 0000000000..a1610943a3 --- /dev/null +++ b/patches.kernel.org/4.4.175-047-drbd-disconnect-if-the-wrong-UUIDs-are-attach.patch @@ -0,0 +1,50 @@ +From: Lars Ellenberg <lars.ellenberg@linbit.com> +Date: Thu, 20 Dec 2018 17:23:32 +0100 +Subject: [PATCH] drbd: disconnect, if the wrong UUIDs are attached on a + connected peer +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: b17b59602b6dcf8f97a7dc7bc489a48388d7063a + +[ Upstream commit b17b59602b6dcf8f97a7dc7bc489a48388d7063a ] + +With "on-no-data-accessible suspend-io", DRBD requires the next attach +or connect to be to the very same data generation uuid tag it lost last. + +If we first lost connection to the peer, +then later lost connection to our own disk, +we would usually refuse to re-connect to the peer, +because it presents the wrong data set. + +However, if the peer first connects without a disk, +and then attached its disk, we accepted that same wrong data set, +which would be "unexpected" by any user of that DRBD +and cause "undefined results" (read: very likely data corruption). + +The fix is to forcefully disconnect as soon as we notice that the peer +attached to the "wrong" dataset. + +Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/block/drbd/drbd_receiver.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c +index 2fedab9349f6..b1ee358edd3b 100644 +--- a/drivers/block/drbd/drbd_receiver.c ++++ b/drivers/block/drbd/drbd_receiver.c +@@ -3890,7 +3890,7 @@ static int receive_uuids(struct drbd_connection *connection, struct packet_info + kfree(device->p_uuid); + device->p_uuid = p_uuid; + +- if (device->state.conn < C_CONNECTED && ++ if ((device->state.conn < C_CONNECTED || device->state.pdsk == D_DISKLESS) && + device->state.disk < D_INCONSISTENT && + device->state.role == R_PRIMARY && + (device->ed_uuid & ~((u64)1)) != (p_uuid[UI_CURRENT] & ~((u64)1))) { +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-048-drbd-skip-spurious-timeout-ping-timeo-when-fa.patch b/patches.kernel.org/4.4.175-048-drbd-skip-spurious-timeout-ping-timeo-when-fa.patch new file mode 100644 index 0000000000..58204f2c6d --- /dev/null +++ b/patches.kernel.org/4.4.175-048-drbd-skip-spurious-timeout-ping-timeo-when-fa.patch @@ -0,0 +1,63 @@ +From: Lars Ellenberg <lars.ellenberg@linbit.com> +Date: Thu, 20 Dec 2018 17:23:41 +0100 +Subject: [PATCH] drbd: skip spurious timeout (ping-timeo) when failing promote +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 9848b6ddd8c92305252f94592c5e278574e7a6ac + +[ Upstream commit 9848b6ddd8c92305252f94592c5e278574e7a6ac ] + +If you try to promote a Secondary while connected to a Primary +and allow-two-primaries is NOT set, we will wait for "ping-timeout" +to give this node a chance to detect a dead primary, +in case the cluster manager noticed faster than we did. + +But if we then are *still* connected to a Primary, +we fail (after an additional timeout of ping-timout). + +This change skips the spurious second timeout. + +Most people won't notice really, +since "ping-timeout" by default is half a second. + +But in some installations, ping-timeout may be 10 or 20 seconds or more, +and spuriously delaying the error return becomes annoying. + +Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/block/drbd/drbd_nl.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c +index e80cbefbc2b5..27e1abcf5710 100644 +--- a/drivers/block/drbd/drbd_nl.c ++++ b/drivers/block/drbd/drbd_nl.c +@@ -632,14 +632,15 @@ drbd_set_role(struct drbd_device *const device, enum drbd_role new_role, int for + if (rv == SS_TWO_PRIMARIES) { + /* Maybe the peer is detected as dead very soon... + retry at most once more in this case. */ +- int timeo; +- rcu_read_lock(); +- nc = rcu_dereference(connection->net_conf); +- timeo = nc ? (nc->ping_timeo + 1) * HZ / 10 : 1; +- rcu_read_unlock(); +- schedule_timeout_interruptible(timeo); +- if (try < max_tries) ++ if (try < max_tries) { ++ int timeo; + try = max_tries - 1; ++ rcu_read_lock(); ++ nc = rcu_dereference(connection->net_conf); ++ timeo = nc ? (nc->ping_timeo + 1) * HZ / 10 : 1; ++ rcu_read_unlock(); ++ schedule_timeout_interruptible(timeo); ++ } + continue; + } + if (rv < SS_SUCCESS) { +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-049-drbd-Avoid-Clang-warning-about-pointless-swit.patch b/patches.kernel.org/4.4.175-049-drbd-Avoid-Clang-warning-about-pointless-swit.patch new file mode 100644 index 0000000000..52ce1eb0fe --- /dev/null +++ b/patches.kernel.org/4.4.175-049-drbd-Avoid-Clang-warning-about-pointless-swit.patch @@ -0,0 +1,75 @@ +From: Nathan Chancellor <natechancellor@gmail.com> +Date: Thu, 20 Dec 2018 17:23:43 +0100 +Subject: [PATCH] drbd: Avoid Clang warning about pointless switch statment +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: a52c5a16cf19d8a85831bb1b915a221dd4ffae3c + +[ Upstream commit a52c5a16cf19d8a85831bb1b915a221dd4ffae3c ] + +There are several warnings from Clang about no case statement matching +the constant 0: + +In file included from drivers/block/drbd/drbd_receiver.c:48: +In file included from drivers/block/drbd/drbd_int.h:48: +In file included from ./include/linux/drbd_genl_api.h:54: +In file included from ./include/linux/genl_magic_struct.h:236: +./include/linux/drbd_genl.h:321:1: warning: no case matching constant +switch condition '0' +GENL_struct(DRBD_NLA_HELPER, 24, drbd_helper_info, +^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +./include/linux/genl_magic_struct.h:220:10: note: expanded from macro +'GENL_struct' + switch (0) { + ^ + +Silence this warning by adding a 'case 0:' statement. Additionally, +adjust the alignment of the statements in the ct_assert_unique macro to +avoid a checkpatch warning. + +This solution was originally sent by Arnd Bergmann with a default case +statement: https://lore.kernel.org/patchwork/patch/756723/ + +Link: https://github.com/ClangBuiltLinux/linux/issues/43 +Suggested-by: Lars Ellenberg <lars.ellenberg@linbit.com> +Signed-off-by: Nathan Chancellor <natechancellor@gmail.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + include/linux/genl_magic_struct.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/include/linux/genl_magic_struct.h b/include/linux/genl_magic_struct.h +index eecd19b37001..250e9be65e74 100644 +--- a/include/linux/genl_magic_struct.h ++++ b/include/linux/genl_magic_struct.h +@@ -185,6 +185,7 @@ static inline void ct_assert_unique_operations(void) + { + switch (0) { + #include GENL_MAGIC_INCLUDE_FILE ++ case 0: + ; + } + } +@@ -203,6 +204,7 @@ static inline void ct_assert_unique_top_level_attributes(void) + { + switch (0) { + #include GENL_MAGIC_INCLUDE_FILE ++ case 0: + ; + } + } +@@ -212,7 +214,8 @@ static inline void ct_assert_unique_top_level_attributes(void) + static inline void ct_assert_unique_ ## s_name ## _attributes(void) \ + { \ + switch (0) { \ +- s_fields \ ++ s_fields \ ++ case 0: \ + ; \ + } \ + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-050-video-clps711x-fb-release-disp-device-node-in.patch b/patches.kernel.org/4.4.175-050-video-clps711x-fb-release-disp-device-node-in.patch new file mode 100644 index 0000000000..f179c5600c --- /dev/null +++ b/patches.kernel.org/4.4.175-050-video-clps711x-fb-release-disp-device-node-in.patch @@ -0,0 +1,50 @@ +From: Alexey Khoroshilov <khoroshilov@ispras.ru> +Date: Thu, 20 Dec 2018 19:13:07 +0100 +Subject: [PATCH] video: clps711x-fb: release disp device node in probe() +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: fdac751355cd76e049f628afe6acb8ff4b1399f7 + +[ Upstream commit fdac751355cd76e049f628afe6acb8ff4b1399f7 ] + +clps711x_fb_probe() increments refcnt of disp device node by +of_parse_phandle() and leaves it undecremented on both +successful and error paths. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> +Cc: Alexander Shiyan <shc_work@mail.ru> +Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/video/fbdev/clps711x-fb.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/clps711x-fb.c b/drivers/video/fbdev/clps711x-fb.c +index 649b32f78c08..c55109524fd5 100644 +--- a/drivers/video/fbdev/clps711x-fb.c ++++ b/drivers/video/fbdev/clps711x-fb.c +@@ -287,14 +287,17 @@ static int clps711x_fb_probe(struct platform_device *pdev) + } + + ret = of_get_fb_videomode(disp, &cfb->mode, OF_USE_NATIVE_MODE); +- if (ret) ++ if (ret) { ++ of_node_put(disp); + goto out_fb_release; ++ } + + of_property_read_u32(disp, "ac-prescale", &cfb->ac_prescale); + cfb->cmap_invert = of_property_read_bool(disp, "cmap-invert"); + + ret = of_property_read_u32(disp, "bits-per-pixel", + &info->var.bits_per_pixel); ++ of_node_put(disp); + if (ret) + goto out_fb_release; + +-- +2.20.1 + diff --git a/patches.fixes/0001-fbdev-fbmem-behave-better-with-small-rotated-display.patch b/patches.kernel.org/4.4.175-051-fbdev-fbmem-behave-better-with-small-rotated-.patch index 29fdfd8d35..dc7bb8f13d 100644 --- a/patches.fixes/0001-fbdev-fbmem-behave-better-with-small-rotated-display.patch +++ b/patches.kernel.org/4.4.175-051-fbdev-fbmem-behave-better-with-small-rotated-.patch @@ -1,10 +1,12 @@ -From f75df8d4b4fabfad7e3cba2debfad12741c6fde7 Mon Sep 17 00:00:00 2001 From: Peter Rosin <peda@axentia.se> Date: Thu, 20 Dec 2018 19:13:07 +0100 -Subject: fbdev: fbmem: behave better with small rotated displays and many CPUs +Subject: [PATCH] fbdev: fbmem: behave better with small rotated displays and + many CPUs +Patch-mainline: 4.4.175 +References: bnc#1012382 bsc#1106929 Git-commit: f75df8d4b4fabfad7e3cba2debfad12741c6fde7 -Patch-mainline: v5.0-rc1 -References: bsc#1106929 + +[ Upstream commit f75df8d4b4fabfad7e3cba2debfad12741c6fde7 ] Blitting an image with "negative" offsets is not working since there is no clipping. It hopefully just crashes. For the bootup logo, there @@ -27,16 +29,17 @@ Cc: Geert Uytterhoeven <geert+renesas@glider.be> cc: Geoff Levand <geoff@infradead.org> Cc: James Simmons <jsimmons@users.sf.net> Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> -Acked-by: Thomas Zimmermann <tzimmermann@suse.de> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- drivers/video/fbdev/core/fbmem.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c -index 861bf8081619..7dd6924feaa8 100644 +index 8a29ec5992fd..ea2bd6208a2f 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c -@@ -436,7 +436,9 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image, +@@ -433,7 +433,9 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image, image->dx += image->width + 8; } } else if (rotate == FB_ROTATE_UD) { @@ -47,7 +50,7 @@ index 861bf8081619..7dd6924feaa8 100644 info->fbops->fb_imageblit(info, image); image->dx -= image->width + 8; } -@@ -448,7 +450,9 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image, +@@ -445,7 +447,9 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image, image->dy += image->height + 8; } } else if (rotate == FB_ROTATE_CCW) { diff --git a/patches.kernel.org/4.4.175-052-igb-Fix-an-issue-that-PME-is-not-enabled-duri.patch b/patches.kernel.org/4.4.175-052-igb-Fix-an-issue-that-PME-is-not-enabled-duri.patch new file mode 100644 index 0000000000..5bd9660314 --- /dev/null +++ b/patches.kernel.org/4.4.175-052-igb-Fix-an-issue-that-PME-is-not-enabled-duri.patch @@ -0,0 +1,52 @@ +From: Kai-Heng Feng <kai.heng.feng@canonical.com> +Date: Mon, 3 Dec 2018 13:54:38 +0800 +Subject: [PATCH] igb: Fix an issue that PME is not enabled during runtime + suspend +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 1fb3a7a75e2efcc83ef21f2434069cddd6fae6f5 + +[ Upstream commit 1fb3a7a75e2efcc83ef21f2434069cddd6fae6f5 ] + +I210 ethernet card doesn't wakeup when a cable gets plugged. It's +because its PME is not set. + +Since commit 42eca2302146 ("PCI: Don't touch card regs after runtime +suspend D3"), if the PCI state is saved, pci_pm_runtime_suspend() stops +calling pci_finish_runtime_suspend(), which enables the PCI PME. + +To fix the issue, let's not to save PCI states when it's runtime +suspend, to let the PCI subsystem enables PME. + +Fixes: 42eca2302146 ("PCI: Don't touch card regs after runtime suspend D3") +Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com> +Tested-by: Aaron Brown <aaron.f.brown@intel.com> +Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ethernet/intel/igb/igb_main.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 02b23f6277fb..c1796aa2dde5 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -7339,9 +7339,11 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + rtnl_unlock(); + + #ifdef CONFIG_PM +- retval = pci_save_state(pdev); +- if (retval) +- return retval; ++ if (!runtime) { ++ retval = pci_save_state(pdev); ++ if (retval) ++ return retval; ++ } + #endif + + status = rd32(E1000_STATUS); +-- +2.20.1 + diff --git a/patches.fixes/0001-fbdev-fbcon-Fix-unregister-crash-when-more-than-one-.patch b/patches.kernel.org/4.4.175-053-fbdev-fbcon-Fix-unregister-crash-when-more-th.patch index aadbe3083d..b40fdaa941 100644 --- a/patches.fixes/0001-fbdev-fbcon-Fix-unregister-crash-when-more-than-one-.patch +++ b/patches.kernel.org/4.4.175-053-fbdev-fbcon-Fix-unregister-crash-when-more-th.patch @@ -1,13 +1,15 @@ -From 2122b40580dd9d0620398739c773d07a7b7939d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= <noralf@tronnes.org> Date: Thu, 20 Dec 2018 19:13:09 +0100 -Subject: fbdev: fbcon: Fix unregister crash when more than one framebuffer +Subject: [PATCH] fbdev: fbcon: Fix unregister crash when more than one + framebuffer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +Patch-mainline: 4.4.175 +References: bnc#1012382 bsc#1106929 Git-commit: 2122b40580dd9d0620398739c773d07a7b7939d0 -Patch-mainline: v5.0-rc1 -References: bsc#1106929 + +[ Upstream commit 2122b40580dd9d0620398739c773d07a7b7939d0 ] When unregistering fbdev using unregister_framebuffer(), any bound console will unbind automatically. This is working fine if this is the @@ -62,11 +64,14 @@ Signed-off-by: Noralf Trønnes <noralf@tronnes.org> Reviewed-by: Mikulas Patocka <mpatocka@redhat.com> Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch> Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> -Acked-by: Thomas Zimmermann <tzimmermann@suse.de> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- - drivers/video/console/fbcon.c | 2 +- + drivers/video/console/fbcon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) +diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c +index 4e3c78d88832..c03c5b9602bb 100644 --- a/drivers/video/console/fbcon.c +++ b/drivers/video/console/fbcon.c @@ -3032,7 +3032,7 @@ static int fbcon_fb_unbind(int idx) @@ -78,3 +83,6 @@ Acked-by: Thomas Zimmermann <tzimmermann@suse.de> break; } } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-054-KVM-x86-svm-report-MSR_IA32_MCG_EXT_CTL-as-un.patch b/patches.kernel.org/4.4.175-054-KVM-x86-svm-report-MSR_IA32_MCG_EXT_CTL-as-un.patch new file mode 100644 index 0000000000..fb5504e30e --- /dev/null +++ b/patches.kernel.org/4.4.175-054-KVM-x86-svm-report-MSR_IA32_MCG_EXT_CTL-as-un.patch @@ -0,0 +1,48 @@ +From: Vitaly Kuznetsov <vkuznets@redhat.com> +Date: Wed, 19 Dec 2018 12:06:13 +0100 +Subject: [PATCH] KVM: x86: svm: report MSR_IA32_MCG_EXT_CTL as unsupported +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: e87555e550cef4941579cd879759a7c0dee24e68 + +[ Upstream commit e87555e550cef4941579cd879759a7c0dee24e68 ] + +AMD doesn't seem to implement MSR_IA32_MCG_EXT_CTL and svm code in kvm +knows nothing about it, however, this MSR is among emulated_msrs and +thus returned with KVM_GET_MSR_INDEX_LIST. The consequent KVM_GET_MSRS, +of course, fails. + +Report the MSR as unsupported to not confuse userspace. + +Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com> +Signed-off-by: Radim Krčmář <rkrcmar@redhat.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/x86/kvm/svm.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index ecdf724da371..7ce1a19d9d8b 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -4156,6 +4156,13 @@ static bool svm_cpu_has_accelerated_tpr(void) + + static bool svm_has_emulated_msr(int index) + { ++ switch (index) { ++ case MSR_IA32_MCG_EXT_CTL: ++ return false; ++ default: ++ break; ++ } ++ + return true; + } + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-055-NFS-nfs_compare_mount_options-always-compare-.patch b/patches.kernel.org/4.4.175-055-NFS-nfs_compare_mount_options-always-compare-.patch new file mode 100644 index 0000000000..1b08a1d2df --- /dev/null +++ b/patches.kernel.org/4.4.175-055-NFS-nfs_compare_mount_options-always-compare-.patch @@ -0,0 +1,58 @@ +From: Chris Perl <cperl@janestreet.com> +Date: Mon, 17 Dec 2018 10:56:38 -0500 +Subject: [PATCH] NFS: nfs_compare_mount_options always compare auth flavors. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 594d1644cd59447f4fceb592448d5cd09eb09b5e + +[ Upstream commit 594d1644cd59447f4fceb592448d5cd09eb09b5e ] + +This patch removes the check from nfs_compare_mount_options to see if a +`sec' option was passed for the current mount before comparing auth +flavors and instead just always compares auth flavors. + +Consider the following scenario: + +You have a server with the address 192.168.1.1 and two exports /export/a +and /export/b. The first export supports `sys' and `krb5' security, the +second just `sys'. + +Assume you start with no mounts from the server. + +The following results in EIOs being returned as the kernel nfs client +incorrectly thinks it can share the underlying `struct nfs_server's: + +$ mkdir /tmp/{a,b} +$ sudo mount -t nfs -o vers=3,sec=krb5 192.168.1.1:/export/a /tmp/a +$ sudo mount -t nfs -o vers=3 192.168.1.1:/export/b /tmp/b +$ df >/dev/null +df: ‘/tmp/b’: Input/output error + +Signed-off-by: Chris Perl <cperl@janestreet.com> +Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/nfs/super.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 62f358f67764..412fcfbc50e2 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -2376,8 +2376,7 @@ static int nfs_compare_mount_options(const struct super_block *s, const struct n + goto Ebusy; + if (a->acdirmax != b->acdirmax) + goto Ebusy; +- if (b->auth_info.flavor_len > 0 && +- clnt_a->cl_auth->au_flavor != clnt_b->cl_auth->au_flavor) ++ if (clnt_a->cl_auth->au_flavor != clnt_b->cl_auth->au_flavor) + goto Ebusy; + return 1; + Ebusy: +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-056-hwmon-lm80-fix-a-missing-check-of-the-status-.patch b/patches.kernel.org/4.4.175-056-hwmon-lm80-fix-a-missing-check-of-the-status-.patch new file mode 100644 index 0000000000..49cd80c558 --- /dev/null +++ b/patches.kernel.org/4.4.175-056-hwmon-lm80-fix-a-missing-check-of-the-status-.patch @@ -0,0 +1,61 @@ +From: Kangjie Lu <kjlu@umn.edu> +Date: Fri, 21 Dec 2018 13:01:33 -0600 +Subject: [PATCH] hwmon: (lm80) fix a missing check of the status of SMBus read +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: c9c63915519b1def7043b184680f33c24cd49d7b + +[ Upstream commit c9c63915519b1def7043b184680f33c24cd49d7b ] + +If lm80_read_value() fails, it returns a negative number instead of the +correct read data. Therefore, we should avoid using the data if it +fails. + +The fix checks if lm80_read_value() fails, and if so, returns with the +error number. + +Signed-off-by: Kangjie Lu <kjlu@umn.edu> +[groeck: One variable for return values is enough] +Signed-off-by: Guenter Roeck <linux@roeck-us.net> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/hwmon/lm80.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/hwmon/lm80.c b/drivers/hwmon/lm80.c +index 4bcd9b882948..47ddae6b7038 100644 +--- a/drivers/hwmon/lm80.c ++++ b/drivers/hwmon/lm80.c +@@ -360,9 +360,11 @@ static ssize_t set_fan_div(struct device *dev, struct device_attribute *attr, + struct i2c_client *client = data->client; + unsigned long min, val; + u8 reg; +- int err = kstrtoul(buf, 10, &val); +- if (err < 0) +- return err; ++ int rv; ++ ++ rv = kstrtoul(buf, 10, &val); ++ if (rv < 0) ++ return rv; + + /* Save fan_min */ + mutex_lock(&data->update_lock); +@@ -390,8 +392,11 @@ static ssize_t set_fan_div(struct device *dev, struct device_attribute *attr, + return -EINVAL; + } + +- reg = (lm80_read_value(client, LM80_REG_FANDIV) & +- ~(3 << (2 * (nr + 1)))) | (data->fan_div[nr] << (2 * (nr + 1))); ++ rv = lm80_read_value(client, LM80_REG_FANDIV); ++ if (rv < 0) ++ return rv; ++ reg = (rv & ~(3 << (2 * (nr + 1)))) ++ | (data->fan_div[nr] << (2 * (nr + 1))); + lm80_write_value(client, LM80_REG_FANDIV, reg); + + /* Restore fan_min */ +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-057-hwmon-lm80-fix-a-missing-check-of-bus-read-in.patch b/patches.kernel.org/4.4.175-057-hwmon-lm80-fix-a-missing-check-of-bus-read-in.patch new file mode 100644 index 0000000000..754d47acd4 --- /dev/null +++ b/patches.kernel.org/4.4.175-057-hwmon-lm80-fix-a-missing-check-of-bus-read-in.patch @@ -0,0 +1,56 @@ +From: Kangjie Lu <kjlu@umn.edu> +Date: Fri, 21 Dec 2018 13:10:39 -0600 +Subject: [PATCH] hwmon: (lm80) fix a missing check of bus read in lm80 probe +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 9aa3aa15f4c2f74f47afd6c5db4b420fadf3f315 + +[ Upstream commit 9aa3aa15f4c2f74f47afd6c5db4b420fadf3f315 ] + +In lm80_probe(), if lm80_read_value() fails, it returns a negative +error number which is stored to data->fan[f_min] and will be further +used. We should avoid using the data if the read fails. + +The fix checks if lm80_read_value() fails, and if so, returns with the +error number. + +Signed-off-by: Kangjie Lu <kjlu@umn.edu> +Signed-off-by: Guenter Roeck <linux@roeck-us.net> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/hwmon/lm80.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/lm80.c b/drivers/hwmon/lm80.c +index 47ddae6b7038..cb6606a0470d 100644 +--- a/drivers/hwmon/lm80.c ++++ b/drivers/hwmon/lm80.c +@@ -628,6 +628,7 @@ static int lm80_probe(struct i2c_client *client, + struct device *dev = &client->dev; + struct device *hwmon_dev; + struct lm80_data *data; ++ int rv; + + data = devm_kzalloc(dev, sizeof(struct lm80_data), GFP_KERNEL); + if (!data) +@@ -640,8 +641,14 @@ static int lm80_probe(struct i2c_client *client, + lm80_init_client(client); + + /* A few vars need to be filled upon startup */ +- data->fan[f_min][0] = lm80_read_value(client, LM80_REG_FAN_MIN(1)); +- data->fan[f_min][1] = lm80_read_value(client, LM80_REG_FAN_MIN(2)); ++ rv = lm80_read_value(client, LM80_REG_FAN_MIN(1)); ++ if (rv < 0) ++ return rv; ++ data->fan[f_min][0] = rv; ++ rv = lm80_read_value(client, LM80_REG_FAN_MIN(2)); ++ if (rv < 0) ++ return rv; ++ data->fan[f_min][1] = rv; + + hwmon_dev = devm_hwmon_device_register_with_groups(dev, client->name, + data, lm80_groups); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-058-seq_buf-Make-seq_buf_puts-null-terminate-the-.patch b/patches.kernel.org/4.4.175-058-seq_buf-Make-seq_buf_puts-null-terminate-the-.patch new file mode 100644 index 0000000000..4b8d091eea --- /dev/null +++ b/patches.kernel.org/4.4.175-058-seq_buf-Make-seq_buf_puts-null-terminate-the-.patch @@ -0,0 +1,72 @@ +From: Michael Ellerman <mpe@ellerman.id.au> +Date: Fri, 19 Oct 2018 15:21:08 +1100 +Subject: [PATCH] seq_buf: Make seq_buf_puts() null-terminate the buffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 0464ed24380905d640030d368cd84a4e4d1e15e2 + +[ Upstream commit 0464ed24380905d640030d368cd84a4e4d1e15e2 ] + +Currently seq_buf_puts() will happily create a non null-terminated +string for you in the buffer. This is particularly dangerous if the +buffer is on the stack. + +For example: + + char buf[8]; + char secret = "secret"; + struct seq_buf s; + + seq_buf_init(&s, buf, sizeof(buf)); + seq_buf_puts(&s, "foo"); + printk("Message is %s\n", buf); + +Can result in: + + Message is fooªªªªªsecret + +We could require all users to memset() their buffer to zero before +use. But that seems likely to be forgotten and lead to bugs. + +Instead we can change seq_buf_puts() to always leave the buffer in a +null-terminated state. + +The only downside is that this makes the buffer 1 character smaller +for seq_buf_puts(), but that seems like a good trade off. + +Link: http://lkml.kernel.org/r/20181019042109.8064-1-mpe@ellerman.id.au + +Acked-by: Kees Cook <keescook@chromium.org> +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + lib/seq_buf.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lib/seq_buf.c b/lib/seq_buf.c +index 5c94e1012a91..cbef5ee4c459 100644 +--- a/lib/seq_buf.c ++++ b/lib/seq_buf.c +@@ -143,9 +143,13 @@ int seq_buf_puts(struct seq_buf *s, const char *str) + + WARN_ON(s->size == 0); + ++ /* Add 1 to len for the trailing null byte which must be there */ ++ len += 1; ++ + if (seq_buf_can_fit(s, len)) { + memcpy(s->buffer + s->len, str, len); +- s->len += len; ++ /* Don't count the trailing null byte against the capacity */ ++ s->len += len - 1; + return 0; + } + seq_buf_set_overflow(s); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-059-crypto-ux500-Use-proper-enum-in-cryp_set_dma_.patch b/patches.kernel.org/4.4.175-059-crypto-ux500-Use-proper-enum-in-cryp_set_dma_.patch new file mode 100644 index 0000000000..5e79ed55b4 --- /dev/null +++ b/patches.kernel.org/4.4.175-059-crypto-ux500-Use-proper-enum-in-cryp_set_dma_.patch @@ -0,0 +1,65 @@ +From: Nathan Chancellor <natechancellor@gmail.com> +Date: Mon, 10 Dec 2018 16:49:29 -0700 +Subject: [PATCH] crypto: ux500 - Use proper enum in cryp_set_dma_transfer +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 9d880c5945c748d8edcac30965f3349a602158c4 + +[ Upstream commit 9d880c5945c748d8edcac30965f3349a602158c4 ] + +Clang warns when one enumerated type is implicitly converted to another: + +drivers/crypto/ux500/cryp/cryp_core.c:559:5: warning: implicit +conversion from enumeration type 'enum dma_data_direction' to different +enumeration type 'enum dma_transfer_direction' [-Wenum-conversion] + direction, DMA_CTRL_ACK); + ^~~~~~~~~ +drivers/crypto/ux500/cryp/cryp_core.c:583:5: warning: implicit +conversion from enumeration type 'enum dma_data_direction' to different +enumeration type 'enum dma_transfer_direction' [-Wenum-conversion] + direction, + ^~~~~~~~~ +2 warnings generated. + +dmaengine_prep_slave_sg expects an enum from dma_transfer_direction. +Because we know the value of the dma_data_direction enum from the +switch statement, we can just use the proper value from +dma_transfer_direction so there is no more conversion. + +DMA_TO_DEVICE = DMA_MEM_TO_DEV = 1 +DMA_FROM_DEVICE = DMA_DEV_TO_MEM = 2 + +Signed-off-by: Nathan Chancellor <natechancellor@gmail.com> +Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/crypto/ux500/cryp/cryp_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/ux500/cryp/cryp_core.c b/drivers/crypto/ux500/cryp/cryp_core.c +index 790f7cadc1ed..efebc484e371 100644 +--- a/drivers/crypto/ux500/cryp/cryp_core.c ++++ b/drivers/crypto/ux500/cryp/cryp_core.c +@@ -555,7 +555,7 @@ static int cryp_set_dma_transfer(struct cryp_ctx *ctx, + desc = dmaengine_prep_slave_sg(channel, + ctx->device->dma.sg_src, + ctx->device->dma.sg_src_len, +- direction, DMA_CTRL_ACK); ++ DMA_MEM_TO_DEV, DMA_CTRL_ACK); + break; + + case DMA_FROM_DEVICE: +@@ -579,7 +579,7 @@ static int cryp_set_dma_transfer(struct cryp_ctx *ctx, + desc = dmaengine_prep_slave_sg(channel, + ctx->device->dma.sg_dst, + ctx->device->dma.sg_dst_len, +- direction, ++ DMA_DEV_TO_MEM, + DMA_CTRL_ACK | + DMA_PREP_INTERRUPT); + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-060-crypto-ux500-Use-proper-enum-in-hash_set_dma_.patch b/patches.kernel.org/4.4.175-060-crypto-ux500-Use-proper-enum-in-hash_set_dma_.patch new file mode 100644 index 0000000000..1d570a3b7b --- /dev/null +++ b/patches.kernel.org/4.4.175-060-crypto-ux500-Use-proper-enum-in-hash_set_dma_.patch @@ -0,0 +1,50 @@ +From: Nathan Chancellor <natechancellor@gmail.com> +Date: Mon, 10 Dec 2018 16:49:54 -0700 +Subject: [PATCH] crypto: ux500 - Use proper enum in hash_set_dma_transfer +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 5ac93f808338f4dd465402e91869702eb87db241 + +[ Upstream commit 5ac93f808338f4dd465402e91869702eb87db241 ] + +Clang warns when one enumerated type is implicitly converted to another: + +drivers/crypto/ux500/hash/hash_core.c:169:4: warning: implicit +conversion from enumeration type 'enum dma_data_direction' to different +enumeration type 'enum dma_transfer_direction' [-Wenum-conversion] + direction, DMA_CTRL_ACK | DMA_PREP_INTERRUPT); + ^~~~~~~~~ +1 warning generated. + +dmaengine_prep_slave_sg expects an enum from dma_transfer_direction. +We know that the only direction supported by this function is +DMA_TO_DEVICE because of the check at the top of this function so we can +just use the equivalent value from dma_transfer_direction. + +DMA_TO_DEVICE = DMA_MEM_TO_DEV = 1 + +Signed-off-by: Nathan Chancellor <natechancellor@gmail.com> +Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/crypto/ux500/hash/hash_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/ux500/hash/hash_core.c b/drivers/crypto/ux500/hash/hash_core.c +index cd4398498495..bca6b701c067 100644 +--- a/drivers/crypto/ux500/hash/hash_core.c ++++ b/drivers/crypto/ux500/hash/hash_core.c +@@ -181,7 +181,7 @@ static int hash_set_dma_transfer(struct hash_ctx *ctx, struct scatterlist *sg, + __func__); + desc = dmaengine_prep_slave_sg(channel, + ctx->device->dma.sg, ctx->device->dma.sg_len, +- direction, DMA_CTRL_ACK | DMA_PREP_INTERRUPT); ++ DMA_MEM_TO_DEV, DMA_CTRL_ACK | DMA_PREP_INTERRUPT); + if (!desc) { + dev_err(ctx->device->dev, + "%s: dmaengine_prep_slave_sg() failed!\n", __func__); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-061-cifs-check-ntwrk_buf_start-for-NULL-before-de.patch b/patches.kernel.org/4.4.175-061-cifs-check-ntwrk_buf_start-for-NULL-before-de.patch new file mode 100644 index 0000000000..ee98cc88cd --- /dev/null +++ b/patches.kernel.org/4.4.175-061-cifs-check-ntwrk_buf_start-for-NULL-before-de.patch @@ -0,0 +1,51 @@ +From: Ronnie Sahlberg <lsahlber@redhat.com> +Date: Thu, 13 Dec 2018 08:06:16 +1000 +Subject: [PATCH] cifs: check ntwrk_buf_start for NULL before dereferencing it +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 59a63e479ce36a3f24444c3a36efe82b78e4a8e0 + +[ Upstream commit 59a63e479ce36a3f24444c3a36efe82b78e4a8e0 ] + +RHBZ: 1021460 + +There is an issue where when multiple threads open/close the same directory +ntwrk_buf_start might end up being NULL, causing the call to smbCalcSize +later to oops with a NULL deref. + +The real bug is why this happens and why this can become NULL for an +open cfile, which should not be allowed. +This patch tries to avoid a oops until the time when we fix the underlying +issue. + +Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com> +Signed-off-by: Steve French <stfrench@microsoft.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/cifs/readdir.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c +index 57b039ebfb1f..43fa471c88d7 100644 +--- a/fs/cifs/readdir.c ++++ b/fs/cifs/readdir.c +@@ -652,7 +652,14 @@ find_cifs_entry(const unsigned int xid, struct cifs_tcon *tcon, loff_t pos, + /* scan and find it */ + int i; + char *cur_ent; +- char *end_of_smb = cfile->srch_inf.ntwrk_buf_start + ++ char *end_of_smb; ++ ++ if (cfile->srch_inf.ntwrk_buf_start == NULL) { ++ cifs_dbg(VFS, "ntwrk_buf_start is NULL during readdir\n"); ++ return -EIO; ++ } ++ ++ end_of_smb = cfile->srch_inf.ntwrk_buf_start + + server->ops->calc_smb_size( + cfile->srch_inf.ntwrk_buf_start); + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-062-um-Avoid-marking-pages-with-changed-protectio.patch b/patches.kernel.org/4.4.175-062-um-Avoid-marking-pages-with-changed-protectio.patch new file mode 100644 index 0000000000..a2d45a1962 --- /dev/null +++ b/patches.kernel.org/4.4.175-062-um-Avoid-marking-pages-with-changed-protectio.patch @@ -0,0 +1,59 @@ +From: Anton Ivanov <anton.ivanov@cambridgegreys.com> +Date: Wed, 5 Dec 2018 12:37:41 +0000 +Subject: [PATCH] um: Avoid marking pages with "changed protection" +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 8892d8545f2d0342b9c550defbfb165db237044b + +[ Upstream commit 8892d8545f2d0342b9c550defbfb165db237044b ] + +Changing protection is a very high cost operation in UML +because in addition to an extra syscall it also interrupts +mmap merge sequences generated by the tlb. + +While the condition is not particularly common it is worth +avoiding. + +Signed-off-by: Anton Ivanov <anton.ivanov@cambridgegreys.com> +Signed-off-by: Richard Weinberger <richard@nod.at> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/um/include/asm/pgtable.h | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/arch/um/include/asm/pgtable.h b/arch/um/include/asm/pgtable.h +index 18eb9924dda3..aeb430212947 100644 +--- a/arch/um/include/asm/pgtable.h ++++ b/arch/um/include/asm/pgtable.h +@@ -197,12 +197,17 @@ static inline pte_t pte_mkold(pte_t pte) + + static inline pte_t pte_wrprotect(pte_t pte) + { +- pte_clear_bits(pte, _PAGE_RW); ++ if (likely(pte_get_bits(pte, _PAGE_RW))) ++ pte_clear_bits(pte, _PAGE_RW); ++ else ++ return pte; + return(pte_mknewprot(pte)); + } + + static inline pte_t pte_mkread(pte_t pte) + { ++ if (unlikely(pte_get_bits(pte, _PAGE_USER))) ++ return pte; + pte_set_bits(pte, _PAGE_USER); + return(pte_mknewprot(pte)); + } +@@ -221,6 +226,8 @@ static inline pte_t pte_mkyoung(pte_t pte) + + static inline pte_t pte_mkwrite(pte_t pte) + { ++ if (unlikely(pte_get_bits(pte, _PAGE_RW))) ++ return pte; + pte_set_bits(pte, _PAGE_RW); + return(pte_mknewprot(pte)); + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-063-niu-fix-missing-checks-of-niu_pci_eeprom_read.patch b/patches.kernel.org/4.4.175-063-niu-fix-missing-checks-of-niu_pci_eeprom_read.patch new file mode 100644 index 0000000000..eb5530f63a --- /dev/null +++ b/patches.kernel.org/4.4.175-063-niu-fix-missing-checks-of-niu_pci_eeprom_read.patch @@ -0,0 +1,52 @@ +From: Kangjie Lu <kjlu@umn.edu> +Date: Tue, 25 Dec 2018 01:56:14 -0600 +Subject: [PATCH] niu: fix missing checks of niu_pci_eeprom_read +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 26fd962bde0b15e54234fe762d86bc0349df1de4 + +[ Upstream commit 26fd962bde0b15e54234fe762d86bc0349df1de4 ] + +niu_pci_eeprom_read() may fail, so we should check its return value +before using the read data. + +Signed-off-by: Kangjie Lu <kjlu@umn.edu> +Acked-by: Shannon Nelson <shannon.lee.nelson@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ethernet/sun/niu.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c +index ccebf89aa1e4..85f3a2c0d4dd 100644 +--- a/drivers/net/ethernet/sun/niu.c ++++ b/drivers/net/ethernet/sun/niu.c +@@ -8121,6 +8121,8 @@ static int niu_pci_vpd_scan_props(struct niu *np, u32 start, u32 end) + start += 3; + + prop_len = niu_pci_eeprom_read(np, start + 4); ++ if (prop_len < 0) ++ return prop_len; + err = niu_pci_vpd_get_propname(np, start + 5, namebuf, 64); + if (err < 0) + return err; +@@ -8165,8 +8167,12 @@ static int niu_pci_vpd_scan_props(struct niu *np, u32 start, u32 end) + netif_printk(np, probe, KERN_DEBUG, np->dev, + "VPD_SCAN: Reading in property [%s] len[%d]\n", + namebuf, prop_len); +- for (i = 0; i < prop_len; i++) +- *prop_buf++ = niu_pci_eeprom_read(np, off + i); ++ for (i = 0; i < prop_len; i++) { ++ err = niu_pci_eeprom_read(np, off + i); ++ if (err >= 0) ++ *prop_buf = err; ++ ++prop_buf; ++ } + } + + start += len; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-064-scripts-decode_stacktrace-only-strip-base-pat.patch b/patches.kernel.org/4.4.175-064-scripts-decode_stacktrace-only-strip-base-pat.patch new file mode 100644 index 0000000000..dc0a7bd60c --- /dev/null +++ b/patches.kernel.org/4.4.175-064-scripts-decode_stacktrace-only-strip-base-pat.patch @@ -0,0 +1,51 @@ +From: Marc Zyngier <marc.zyngier@arm.com> +Date: Fri, 28 Dec 2018 00:31:25 -0800 +Subject: [PATCH] scripts/decode_stacktrace: only strip base path when a prefix + of the path +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 67a28de47faa83585dd644bd4c31e5a1d9346c50 + +[ Upstream commit 67a28de47faa83585dd644bd4c31e5a1d9346c50 ] + +Running something like: + + decodecode vmlinux . + +leads to interested results where not only the leading "." gets stripped +from the displayed paths, but also anywhere in the string, displaying +something like: + + kvm_vcpu_check_block (arch/arm64/kvm/virt/kvm/kvm_mainc:2141) + +which doesn't help further processing. + +Fix it by only stripping the base path if it is a prefix of the path. + +Link: http://lkml.kernel.org/r/20181210174659.31054-3-marc.zyngier@arm.com +Signed-off-by: Marc Zyngier <marc.zyngier@arm.com> +Cc: Will Deacon <will.deacon@arm.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + scripts/decode_stacktrace.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/decode_stacktrace.sh b/scripts/decode_stacktrace.sh +index 00d6d53c2681..ffc46c7c3afb 100755 +--- a/scripts/decode_stacktrace.sh ++++ b/scripts/decode_stacktrace.sh +@@ -64,7 +64,7 @@ parse_symbol() { + fi + + # Strip out the base of the path +- code=${code//$basepath/""} ++ code=${code//^$basepath/""} + + # In the case of inlines, move everything to same line + code=${code//$'\n'/' '} +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-065-ocfs2-don-t-clear-bh-uptodate-for-block-read.patch b/patches.kernel.org/4.4.175-065-ocfs2-don-t-clear-bh-uptodate-for-block-read.patch new file mode 100644 index 0000000000..332e2c0b69 --- /dev/null +++ b/patches.kernel.org/4.4.175-065-ocfs2-don-t-clear-bh-uptodate-for-block-read.patch @@ -0,0 +1,71 @@ +From: Junxiao Bi <junxiao.bi@oracle.com> +Date: Fri, 28 Dec 2018 00:32:57 -0800 +Subject: [PATCH] ocfs2: don't clear bh uptodate for block read +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 70306d9dce75abde855cefaf32b3f71eed8602a3 + +[ Upstream commit 70306d9dce75abde855cefaf32b3f71eed8602a3 ] + +For sync io read in ocfs2_read_blocks_sync(), first clear bh uptodate flag +and submit the io, second wait io done, last check whether bh uptodate, if +not return io error. + +If two sync io for the same bh were issued, it could be the first io done +and set uptodate flag, but just before check that flag, the second io came +in and cleared uptodate, then ocfs2_read_blocks_sync() for the first io +will return IO error. + +Indeed it's not necessary to clear uptodate flag, as the io end handler +end_buffer_read_sync() will set or clear it based on io succeed or failed. + +The following message was found from a nfs server but the underlying +storage returned no error. + +[4106438.567376] (nfsd,7146,3):ocfs2_get_suballoc_slot_bit:2780 ERROR: read block 1238823695 failed -5 +[4106438.567569] (nfsd,7146,3):ocfs2_get_suballoc_slot_bit:2812 ERROR: status = -5 +[4106438.567611] (nfsd,7146,3):ocfs2_test_inode_bit:2894 ERROR: get alloc slot and bit failed -5 +[4106438.567643] (nfsd,7146,3):ocfs2_test_inode_bit:2932 ERROR: status = -5 +[4106438.567675] (nfsd,7146,3):ocfs2_get_dentry:94 ERROR: test inode bit failed -5 + +Same issue in non sync read ocfs2_read_blocks(), fixed it as well. + +Link: http://lkml.kernel.org/r/20181121020023.3034-4-junxiao.bi@oracle.com +Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com> +Reviewed-by: Changwei Ge <ge.changwei@h3c.com> +Reviewed-by: Yiwen Jiang <jiangyiwen@huawei.com> +Cc: Joel Becker <jlbec@evilplan.org> +Cc: Joseph Qi <jiangqi903@gmail.com> +Cc: Jun Piao <piaojun@huawei.com> +Cc: Mark Fasheh <mfasheh@versity.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/ocfs2/buffer_head_io.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c +index 272269f1c310..9ee8bcfbf00f 100644 +--- a/fs/ocfs2/buffer_head_io.c ++++ b/fs/ocfs2/buffer_head_io.c +@@ -146,7 +146,6 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block, + BUG(); + } + +- clear_buffer_uptodate(bh); + get_bh(bh); /* for end_buffer_read_sync() */ + bh->b_end_io = end_buffer_read_sync; + submit_bh(READ, bh); +@@ -300,7 +299,6 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr, + continue; + } + +- clear_buffer_uptodate(bh); + get_bh(bh); /* for end_buffer_read_sync() */ + if (validate) + set_buffer_needs_validate(bh); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-066-isdn-hisax-hfc_pci-Fix-a-possible-concurrency.patch b/patches.kernel.org/4.4.175-066-isdn-hisax-hfc_pci-Fix-a-possible-concurrency.patch new file mode 100644 index 0000000000..4582c85fb4 --- /dev/null +++ b/patches.kernel.org/4.4.175-066-isdn-hisax-hfc_pci-Fix-a-possible-concurrency.patch @@ -0,0 +1,56 @@ +From: Jia-Ju Bai <baijiaju1990@gmail.com> +Date: Wed, 26 Dec 2018 22:09:34 +0800 +Subject: [PATCH] isdn: hisax: hfc_pci: Fix a possible concurrency + use-after-free bug in HFCPCI_l1hw() +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 7418e6520f22a2e35815122fa5a53d5bbfa2c10f + +[ Upstream commit 7418e6520f22a2e35815122fa5a53d5bbfa2c10f ] + +In drivers/isdn/hisax/hfc_pci.c, the functions hfcpci_interrupt() and +HFCPCI_l1hw() may be concurrently executed. + +HFCPCI_l1hw() + line 1173: if (!cs->tx_skb) + +hfcpci_interrupt() + line 942: spin_lock_irqsave(); + line 1066: dev_kfree_skb_irq(cs->tx_skb); + +Thus, a possible concurrency use-after-free bug may occur +in HFCPCI_l1hw(). + +To fix these bugs, the calls to spin_lock_irqsave() and +spin_unlock_irqrestore() are added in HFCPCI_l1hw(), to protect the +access to cs->tx_skb. + +Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/isdn/hisax/hfc_pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/isdn/hisax/hfc_pci.c b/drivers/isdn/hisax/hfc_pci.c +index 90449e1e91e5..1b1453d62fed 100644 +--- a/drivers/isdn/hisax/hfc_pci.c ++++ b/drivers/isdn/hisax/hfc_pci.c +@@ -1169,11 +1169,13 @@ HFCPCI_l1hw(struct PStack *st, int pr, void *arg) + if (cs->debug & L1_DEB_LAPD) + debugl1(cs, "-> PH_REQUEST_PULL"); + #endif ++ spin_lock_irqsave(&cs->lock, flags); + if (!cs->tx_skb) { + test_and_clear_bit(FLG_L1_PULL_REQ, &st->l1.Flags); + st->l1.l1l2(st, PH_PULL | CONFIRM, NULL); + } else + test_and_set_bit(FLG_L1_PULL_REQ, &st->l1.Flags); ++ spin_unlock_irqrestore(&cs->lock, flags); + break; + case (HW_RESET | REQUEST): + spin_lock_irqsave(&cs->lock, flags); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-067-gdrom-fix-a-memory-leak-bug.patch b/patches.kernel.org/4.4.175-067-gdrom-fix-a-memory-leak-bug.patch new file mode 100644 index 0000000000..3f8de6fb02 --- /dev/null +++ b/patches.kernel.org/4.4.175-067-gdrom-fix-a-memory-leak-bug.patch @@ -0,0 +1,42 @@ +From: Wenwen Wang <wang6495@umn.edu> +Date: Wed, 26 Dec 2018 20:15:13 -0600 +Subject: [PATCH] gdrom: fix a memory leak bug +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 093c48213ee37c3c3ff1cf5ac1aa2a9d8bc66017 + +[ Upstream commit 093c48213ee37c3c3ff1cf5ac1aa2a9d8bc66017 ] + +In probe_gdrom(), the buffer pointed by 'gd.cd_info' is allocated through +kzalloc() and is used to hold the information of the gdrom device. To +register and unregister the device, the pointer 'gd.cd_info' is passed to +the functions register_cdrom() and unregister_cdrom(), respectively. +However, this buffer is not freed after it is used, which can cause a +memory leak bug. + +This patch simply frees the buffer 'gd.cd_info' in exit_gdrom() to fix the +above issue. + +Signed-off-by: Wenwen Wang <wang6495@umn.edu> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/cdrom/gdrom.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/cdrom/gdrom.c b/drivers/cdrom/gdrom.c +index e2808fefbb78..1852d19d0d7b 100644 +--- a/drivers/cdrom/gdrom.c ++++ b/drivers/cdrom/gdrom.c +@@ -882,6 +882,7 @@ static void __exit exit_gdrom(void) + platform_device_unregister(pd); + platform_driver_unregister(&gdrom_driver); + kfree(gd.toc); ++ kfree(gd.cd_info); + } + + module_init(init_gdrom); +-- +2.20.1 + diff --git a/patches.suse/0001-block-swim3-Fix-EBUSY-error-when-re-opening-device-a.patch b/patches.kernel.org/4.4.175-068-block-swim3-Fix-EBUSY-error-when-re-opening-d.patch index 814542abed..50c1d7821a 100644 --- a/patches.suse/0001-block-swim3-Fix-EBUSY-error-when-re-opening-device-a.patch +++ b/patches.kernel.org/4.4.175-068-block-swim3-Fix-EBUSY-error-when-re-opening-d.patch @@ -1,11 +1,12 @@ -From 296dcc40f2f2e402facf7cd26cf3f2c8f4b17d47 Mon Sep 17 00:00:00 2001 From: Finn Thain <fthain@telegraphics.com.au> Date: Mon, 31 Dec 2018 16:44:09 +1100 Subject: [PATCH] block/swim3: Fix -EBUSY error when re-opening device after unmount +Patch-mainline: 4.4.175 +References: Git-fixes bnc#1012382 Git-commit: 296dcc40f2f2e402facf7cd26cf3f2c8f4b17d47 -Patch-mainline: v5.0-rc1 -References: Git-fixes + +[ Upstream commit 296dcc40f2f2e402facf7cd26cf3f2c8f4b17d47 ] When the block device is opened with FMODE_EXCL, ref_count is set to -1. This value doesn't get reset when the device is closed which means the @@ -17,16 +18,17 @@ Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: linuxppc-dev@lists.ozlabs.org Signed-off-by: Finn Thain <fthain@telegraphics.com.au> Signed-off-by: Jens Axboe <axboe@kernel.dk> -Signed-off-by: Coly Li <colyli@suse.de> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- drivers/block/swim3.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/block/swim3.c b/drivers/block/swim3.c -index ba1190f1276b..87ca8f207c7c 100644 +index c264f2d284a7..2e0a9e2531cb 100644 --- a/drivers/block/swim3.c +++ b/drivers/block/swim3.c -@@ -995,7 +995,11 @@ static void floppy_release(struct gendisk *disk, fmode_t mode) +@@ -1027,7 +1027,11 @@ static void floppy_release(struct gendisk *disk, fmode_t mode) struct swim3 __iomem *sw = fs->swim3; mutex_lock(&swim3_mutex); @@ -40,5 +42,5 @@ index ba1190f1276b..87ca8f207c7c 100644 out_8(&sw->control_bic, 0xff); swim3_select(fs, RELAX); -- -2.16.4 +2.20.1 diff --git a/patches.kernel.org/4.4.175-069-HID-lenovo-Add-checks-to-fix-of_led_classdev_.patch b/patches.kernel.org/4.4.175-069-HID-lenovo-Add-checks-to-fix-of_led_classdev_.patch new file mode 100644 index 0000000000..3fa479be7e --- /dev/null +++ b/patches.kernel.org/4.4.175-069-HID-lenovo-Add-checks-to-fix-of_led_classdev_.patch @@ -0,0 +1,51 @@ +From: Aditya Pakki <pakki001@umn.edu> +Date: Mon, 24 Dec 2018 15:39:14 -0600 +Subject: [PATCH] HID: lenovo: Add checks to fix of_led_classdev_register +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 6ae16dfb61bce538d48b7fe98160fada446056c5 + +[ Upstream commit 6ae16dfb61bce538d48b7fe98160fada446056c5 ] + +In lenovo_probe_tpkbd(), the function of_led_classdev_register() could +return an error value that is unchecked. The fix adds these checks. + +Signed-off-by: Aditya Pakki <pakki001@umn.edu> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/hid/hid-lenovo.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-lenovo.c b/drivers/hid/hid-lenovo.c +index 8979f1fd5208..24a4a23bdc90 100644 +--- a/drivers/hid/hid-lenovo.c ++++ b/drivers/hid/hid-lenovo.c +@@ -703,7 +703,9 @@ static int lenovo_probe_tpkbd(struct hid_device *hdev) + data_pointer->led_mute.brightness_get = lenovo_led_brightness_get_tpkbd; + data_pointer->led_mute.brightness_set = lenovo_led_brightness_set_tpkbd; + data_pointer->led_mute.dev = dev; +- led_classdev_register(dev, &data_pointer->led_mute); ++ ret = led_classdev_register(dev, &data_pointer->led_mute); ++ if (ret < 0) ++ goto err; + + data_pointer->led_micmute.name = name_micmute; + data_pointer->led_micmute.brightness_get = +@@ -711,7 +713,11 @@ static int lenovo_probe_tpkbd(struct hid_device *hdev) + data_pointer->led_micmute.brightness_set = + lenovo_led_brightness_set_tpkbd; + data_pointer->led_micmute.dev = dev; +- led_classdev_register(dev, &data_pointer->led_micmute); ++ ret = led_classdev_register(dev, &data_pointer->led_micmute); ++ if (ret < 0) { ++ led_classdev_unregister(&data_pointer->led_mute); ++ goto err; ++ } + + lenovo_features_set_tpkbd(hdev); + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-070-kernel-hung_task.c-break-RCU-locks-based-on-j.patch b/patches.kernel.org/4.4.175-070-kernel-hung_task.c-break-RCU-locks-based-on-j.patch new file mode 100644 index 0000000000..5cd96aa72d --- /dev/null +++ b/patches.kernel.org/4.4.175-070-kernel-hung_task.c-break-RCU-locks-based-on-j.patch @@ -0,0 +1,72 @@ +From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> +Date: Thu, 3 Jan 2019 15:26:31 -0800 +Subject: [PATCH] kernel/hung_task.c: break RCU locks based on jiffies +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 304ae42739b108305f8d7b3eb3c1aec7c2b643a9 + +[ Upstream commit 304ae42739b108305f8d7b3eb3c1aec7c2b643a9 ] + +check_hung_uninterruptible_tasks() is currently calling rcu_lock_break() +for every 1024 threads. But check_hung_task() is very slow if printk() +was called, and is very fast otherwise. + +If many threads within some 1024 threads called printk(), the RCU grace +period might be extended enough to trigger RCU stall warnings. +Therefore, calling rcu_lock_break() for every some fixed jiffies will be +safer. + +Link: http://lkml.kernel.org/r/1544800658-11423-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp +Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> +Acked-by: Paul E. McKenney <paulmck@linux.ibm.com> +Cc: Petr Mladek <pmladek@suse.com> +Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com> +Cc: Dmitry Vyukov <dvyukov@google.com> +Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com> +Cc: Vitaly Kuznetsov <vkuznets@redhat.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + kernel/hung_task.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/kernel/hung_task.c b/kernel/hung_task.c +index e0f90c2b57aa..cc05b97ba569 100644 +--- a/kernel/hung_task.c ++++ b/kernel/hung_task.c +@@ -30,7 +30,7 @@ int __read_mostly sysctl_hung_task_check_count = PID_MAX_LIMIT; + * is disabled during the critical section. It also controls the size of + * the RCU grace period. So it needs to be upper-bound. + */ +-#define HUNG_TASK_BATCHING 1024 ++#define HUNG_TASK_LOCK_BREAK (HZ / 10) + + /* + * Zero means infinite timeout - no checking done: +@@ -158,7 +158,7 @@ static bool rcu_lock_break(struct task_struct *g, struct task_struct *t) + static void check_hung_uninterruptible_tasks(unsigned long timeout) + { + int max_count = sysctl_hung_task_check_count; +- int batch_count = HUNG_TASK_BATCHING; ++ unsigned long last_break = jiffies; + struct task_struct *g, *t; + + /* +@@ -172,10 +172,10 @@ static void check_hung_uninterruptible_tasks(unsigned long timeout) + for_each_process_thread(g, t) { + if (!max_count--) + goto unlock; +- if (!--batch_count) { +- batch_count = HUNG_TASK_BATCHING; ++ if (time_after(jiffies, last_break + HUNG_TASK_LOCK_BREAK)) { + if (!rcu_lock_break(g, t)) + goto unlock; ++ last_break = jiffies; + } + /* use "==" to skip the TASK_KILLABLE tasks waiting on NFS */ + if (t->state == TASK_UNINTERRUPTIBLE) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-071-fs-epoll-drop-ovflist-branch-prediction.patch b/patches.kernel.org/4.4.175-071-fs-epoll-drop-ovflist-branch-prediction.patch new file mode 100644 index 0000000000..22fc95f5c1 --- /dev/null +++ b/patches.kernel.org/4.4.175-071-fs-epoll-drop-ovflist-branch-prediction.patch @@ -0,0 +1,58 @@ +From: Davidlohr Bueso <dave@stgolabs.net> +Date: Thu, 3 Jan 2019 15:27:09 -0800 +Subject: [PATCH] fs/epoll: drop ovflist branch prediction +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 76699a67f3041ff4c7af6d6ee9be2bfbf1ffb671 + +[ Upstream commit 76699a67f3041ff4c7af6d6ee9be2bfbf1ffb671 ] + +The ep->ovflist is a secondary ready-list to temporarily store events +that might occur when doing sproc without holding the ep->wq.lock. This +accounts for every time we check for ready events and also send events +back to userspace; both callbacks, particularly the latter because of +copy_to_user, can account for a non-trivial time. + +As such, the unlikely() check to see if the pointer is being used, seems +both misleading and sub-optimal. In fact, we go to an awful lot of +trouble to sync both lists, and populating the ovflist is far from an +uncommon scenario. + +For example, profiling a concurrent epoll_wait(2) benchmark, with +CONFIG_PROFILE_ANNOTATED_BRANCHES shows that for a two threads a 33% +incorrect rate was seen; and when incrementally increasing the number of +epoll instances (which is used, for example for multiple queuing load +balancing models), up to a 90% incorrect rate was seen. + +Similarly, by deleting the prediction, 3% throughput boost was seen +across incremental threads. + +Link: http://lkml.kernel.org/r/20181108051006.18751-4-dave@stgolabs.net +Signed-off-by: Davidlohr Bueso <dbueso@suse.de> +Reviewed-by: Andrew Morton <akpm@linux-foundation.org> +Cc: Al Viro <viro@zeniv.linux.org.uk> +Cc: Jason Baron <jbaron@akamai.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/eventpoll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index 1b08556776ce..240d9ceb8d0c 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -1034,7 +1034,7 @@ static int ep_poll_callback(wait_queue_t *wait, unsigned mode, int sync, void *k + * semantics). All the events that happen during that period of time are + * chained in ep->ovflist and requeued later on. + */ +- if (unlikely(ep->ovflist != EP_UNACTIVE_PTR)) { ++ if (ep->ovflist != EP_UNACTIVE_PTR) { + if (epi->next == EP_UNACTIVE_PTR) { + epi->next = ep->ovflist; + ep->ovflist = epi; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-072-exec-load_script-don-t-blindly-truncate-sheba.patch b/patches.kernel.org/4.4.175-072-exec-load_script-don-t-blindly-truncate-sheba.patch new file mode 100644 index 0000000000..cc39f6b697 --- /dev/null +++ b/patches.kernel.org/4.4.175-072-exec-load_script-don-t-blindly-truncate-sheba.patch @@ -0,0 +1,57 @@ +From: Oleg Nesterov <oleg@redhat.com> +Date: Thu, 3 Jan 2019 15:28:07 -0800 +Subject: [PATCH] exec: load_script: don't blindly truncate shebang string +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 8099b047ecc431518b9bb6bdbba3549bbecdc343 + +[ Upstream commit 8099b047ecc431518b9bb6bdbba3549bbecdc343 ] + +load_script() simply truncates bprm->buf and this is very wrong if the +length of shebang string exceeds BINPRM_BUF_SIZE-2. This can silently +truncate i_arg or (worse) we can execute the wrong binary if buf[2:126] +happens to be the valid executable path. + +Change load_script() to return ENOEXEC if it can't find '\n' or zero in +bprm->buf. Note that '\0' can come from either +prepare_binprm()->memset() or from kernel_read(), we do not care. + +Link: http://lkml.kernel.org/r/20181112160931.GA28463@redhat.com +Signed-off-by: Oleg Nesterov <oleg@redhat.com> +Acked-by: Kees Cook <keescook@chromium.org> +Acked-by: Michal Hocko <mhocko@suse.com> +Cc: Ben Woodard <woodard@redhat.com> +Cc: "Eric W. Biederman" <ebiederm@xmission.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/binfmt_script.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c +index afdf4e3cafc2..634bdbb23851 100644 +--- a/fs/binfmt_script.c ++++ b/fs/binfmt_script.c +@@ -43,10 +43,14 @@ static int load_script(struct linux_binprm *bprm) + fput(bprm->file); + bprm->file = NULL; + +- bprm->buf[BINPRM_BUF_SIZE - 1] = '\0'; +- if ((cp = strchr(bprm->buf, '\n')) == NULL) +- cp = bprm->buf+BINPRM_BUF_SIZE-1; ++ for (cp = bprm->buf+2;; cp++) { ++ if (cp >= bprm->buf + BINPRM_BUF_SIZE) ++ return -ENOEXEC; ++ if (!*cp || (*cp == '\n')) ++ break; ++ } + *cp = '\0'; ++ + while (cp > bprm->buf) { + cp--; + if ((*cp == ' ') || (*cp == '\t')) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-073-thermal-hwmon-inline-helpers-when-CONFIG_THER.patch b/patches.kernel.org/4.4.175-073-thermal-hwmon-inline-helpers-when-CONFIG_THER.patch new file mode 100644 index 0000000000..f27e880a38 --- /dev/null +++ b/patches.kernel.org/4.4.175-073-thermal-hwmon-inline-helpers-when-CONFIG_THER.patch @@ -0,0 +1,49 @@ +From: Eduardo Valentin <edubezval@gmail.com> +Date: Wed, 2 Jan 2019 00:34:03 +0000 +Subject: [PATCH] thermal: hwmon: inline helpers when CONFIG_THERMAL_HWMON is + not set +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 03334ba8b425b2ad275c8f390cf83c7b081c3095 + +commit 03334ba8b425b2ad275c8f390cf83c7b081c3095 upstream. + +Avoid warnings like this: +thermal_hwmon.h:29:1: warning: ‘thermal_remove_hwmon_sysfs’ defined but not used [-Wunused-function] + thermal_remove_hwmon_sysfs(struct thermal_zone_device *tz) + +Fixes: 0dd88793aacd ("thermal: hwmon: move hwmon support to single file") +Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be> +Signed-off-by: Eduardo Valentin <edubezval@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/thermal/thermal_hwmon.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/thermal/thermal_hwmon.h b/drivers/thermal/thermal_hwmon.h +index c798fdb2ae43..f97f76691bd0 100644 +--- a/drivers/thermal/thermal_hwmon.h ++++ b/drivers/thermal/thermal_hwmon.h +@@ -34,13 +34,13 @@ + int thermal_add_hwmon_sysfs(struct thermal_zone_device *tz); + void thermal_remove_hwmon_sysfs(struct thermal_zone_device *tz); + #else +-static int ++static inline int + thermal_add_hwmon_sysfs(struct thermal_zone_device *tz) + { + return 0; + } + +-static void ++static inline void + thermal_remove_hwmon_sysfs(struct thermal_zone_device *tz) + { + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-074-test_hexdump-use-memcpy-instead-of-strncpy.patch b/patches.kernel.org/4.4.175-074-test_hexdump-use-memcpy-instead-of-strncpy.patch new file mode 100644 index 0000000000..49de781da8 --- /dev/null +++ b/patches.kernel.org/4.4.175-074-test_hexdump-use-memcpy-instead-of-strncpy.patch @@ -0,0 +1,43 @@ +From: Linus Torvalds <torvalds@linux-foundation.org> +Date: Fri, 30 Nov 2018 12:13:15 -0800 +Subject: [PATCH] test_hexdump: use memcpy instead of strncpy +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: b1286ed7158e9b62787508066283ab0b8850b518 + +commit b1286ed7158e9b62787508066283ab0b8850b518 upstream. + +New versions of gcc reasonably warn about the odd pattern of + + strncpy(p, q, strlen(q)); + +which really doesn't make sense: the strncpy() ends up being just a slow +and odd way to write memcpy() in this case. + +Apparently there was a patch for this floating around earlier, but it +got lost. + +Acked-again-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + lib/test-hexdump.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/test-hexdump.c b/lib/test-hexdump.c +index 5241df36eedf..dadcabe50988 100644 +--- a/lib/test-hexdump.c ++++ b/lib/test-hexdump.c +@@ -81,7 +81,7 @@ static void __init test_hexdump(size_t len, int rowsize, int groupsize, + const char *q = *result++; + size_t amount = strlen(q); + +- strncpy(p, q, amount); ++ memcpy(p, q, amount); + p += amount + 1; + } + if (i) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-075-tipc-use-destination-length-for-copy-string.patch b/patches.kernel.org/4.4.175-075-tipc-use-destination-length-for-copy-string.patch new file mode 100644 index 0000000000..eef5836a5c --- /dev/null +++ b/patches.kernel.org/4.4.175-075-tipc-use-destination-length-for-copy-string.patch @@ -0,0 +1,48 @@ +From: Guoqing Jiang <gqjiang@suse.com> +Date: Fri, 19 Oct 2018 12:08:22 +0800 +Subject: [PATCH] tipc: use destination length for copy string +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 29e270fc32192e7729057963ae7120663856c93e + +commit 29e270fc32192e7729057963ae7120663856c93e upstream. + +Got below warning with gcc 8.2 compiler. + +net/tipc/topsrv.c: In function ‘tipc_topsrv_start’: +net/tipc/topsrv.c:660:2: warning: ‘strncpy’ specified bound depends on the length of the source argument [-Wstringop-overflow=] + strncpy(srv->name, name, strlen(name) + 1); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +net/tipc/topsrv.c:660:27: note: length computed here + strncpy(srv->name, name, strlen(name) + 1); + ^~~~~~~~~~~~ +So change it to correct length and use strscpy. + +Signed-off-by: Guoqing Jiang <gqjiang@suse.com> +Acked-by: Ying Xue <ying.xue@windriver.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/tipc/subscr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/tipc/subscr.c b/net/tipc/subscr.c +index f9ff73a8d815..500c9e614a06 100644 +--- a/net/tipc/subscr.c ++++ b/net/tipc/subscr.c +@@ -337,7 +337,7 @@ int tipc_topsrv_start(struct net *net) + topsrv->tipc_conn_new = tipc_subscrb_connect_cb; + topsrv->tipc_conn_shutdown = tipc_subscrb_shutdown_cb; + +- strncpy(topsrv->name, name, strlen(name) + 1); ++ strscpy(topsrv->name, name, sizeof(topsrv->name)); + tn->topsrv = topsrv; + atomic_set(&tn->subscription_count, 0); + +-- +2.20.1 + diff --git a/patches.fixes/string-drop-__must_check-from-strscpy-and-restore-st.patch b/patches.kernel.org/4.4.175-076-string-drop-__must_check-from-strscpy-and-res.patch index 89c5811b46..d0cb160106 100644 --- a/patches.fixes/string-drop-__must_check-from-strscpy-and-restore-st.patch +++ b/patches.kernel.org/4.4.175-076-string-drop-__must_check-from-strscpy-and-res.patch @@ -1,16 +1,15 @@ -From 08a77676f9c5fc69a681ccd2cd8140e65dcb26c7 Mon Sep 17 00:00:00 2001 From: Tejun Heo <tj@kernel.org> Date: Tue, 9 Jan 2018 07:21:15 -0800 -Subject: [PATCH] string: drop __must_check from strscpy() and restore strscpy() usages in cgroup -Mime-version: 1.0 -Content-type: text/plain; charset=UTF-8 -Content-transfer-encoding: 8bit -Git-commit: 08a77676f9c5fc69a681ccd2cd8140e65dcb26c7 (partial) -Patch-mainline: v4.16-rc1 -References: bsc#1107319 +Subject: [PATCH] string: drop __must_check from strscpy() and restore + strscpy() usages in cgroup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Patch-mainline: 4.4.175 +References: bnc#1012382 bsc#1107319 +Git-commit: 08a77676f9c5fc69a681ccd2cd8140e65dcb26c7 -[ backport note: this patch contains *only* the change in string.h. - cgroup code changes are dropped as not applicable to SLE12-SP3 -- tiwai ] +commit 08a77676f9c5fc69a681ccd2cd8140e65dcb26c7 upstream. e7fd37ba1217 ("cgroup: avoid copying strings longer than the buffers") converted possibly unsafe strncpy() usages in cgroup to strscpy(). @@ -47,15 +46,18 @@ Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Chris Metcalf <cmetcalf@ezchip.com> -Acked-by: Takashi Iwai <tiwai@suse.de> - +[backport only the string.h portion to remove build warnings starting to show up - gregkh] +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- - include/linux/string.h | 2 +- + include/linux/string.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) +diff --git a/include/linux/string.h b/include/linux/string.h +index 98bb781a2eff..c026b7a19e26 100644 --- a/include/linux/string.h +++ b/include/linux/string.h -@@ -27,7 +27,7 @@ extern char * strncpy(char *,const char +@@ -26,7 +26,7 @@ extern char * strncpy(char *,const char *, __kernel_size_t); size_t strlcpy(char *, const char *, size_t); #endif #ifndef __HAVE_ARCH_STRSCPY @@ -64,3 +66,6 @@ Acked-by: Takashi Iwai <tiwai@suse.de> #endif #ifndef __HAVE_ARCH_STRCAT extern char * strcat(char *, const char *); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-077-dccp-fool-proof-ccid_hc_-rt-x_parse_options.patch b/patches.kernel.org/4.4.175-077-dccp-fool-proof-ccid_hc_-rt-x_parse_options.patch new file mode 100644 index 0000000000..5af381252f --- /dev/null +++ b/patches.kernel.org/4.4.175-077-dccp-fool-proof-ccid_hc_-rt-x_parse_options.patch @@ -0,0 +1,112 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Wed, 30 Jan 2019 11:39:41 -0800 +Subject: [PATCH] dccp: fool proof ccid_hc_[rt]x_parse_options() +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 9b1f19d810e92d6cdc68455fbc22d9f961a58ce1 + +[ Upstream commit 9b1f19d810e92d6cdc68455fbc22d9f961a58ce1 ] + +Similarly to commit 276bdb82dedb ("dccp: check ccid before dereferencing") +it is wise to test for a NULL ccid. + +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] PREEMPT SMP KASAN +CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.0.0-rc3+ #37 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:ccid_hc_tx_parse_options net/dccp/ccid.h:205 [inline] +RIP: 0010:dccp_parse_options+0x8d9/0x12b0 net/dccp/options.c:233 +Code: c5 0f b6 75 b3 80 38 00 0f 85 d6 08 00 00 48 b9 00 00 00 00 00 fc ff df 48 8b 45 b8 4c 8b b8 f8 07 00 00 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 95 08 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b +kobject: 'loop5' (0000000080f78fc1): kobject_uevent_env +RSP: 0018:ffff8880a94df0b8 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: ffff8880858ac723 RCX: dffffc0000000000 +RDX: 0000000000000100 RSI: 0000000000000007 RDI: 0000000000000001 +RBP: ffff8880a94df140 R08: 0000000000000001 R09: ffff888061b83a80 +R10: ffffed100c370752 R11: ffff888061b83a97 R12: 0000000000000026 +R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000 +FS: 0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f0defa33518 CR3: 000000008db5e000 CR4: 00000000001406e0 +kobject: 'loop5' (0000000080f78fc1): fill_kobj_path: path = '/devices/virtual/block/loop5' +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + dccp_rcv_state_process+0x2b6/0x1af6 net/dccp/input.c:654 + dccp_v4_do_rcv+0x100/0x190 net/dccp/ipv4.c:688 + sk_backlog_rcv include/net/sock.h:936 [inline] + __sk_receive_skb+0x3a9/0xea0 net/core/sock.c:473 + dccp_v4_rcv+0x10cb/0x1f80 net/dccp/ipv4.c:880 + ip_protocol_deliver_rcu+0xb6/0xa20 net/ipv4/ip_input.c:208 + ip_local_deliver_finish+0x23b/0x390 net/ipv4/ip_input.c:234 + NF_HOOK include/linux/netfilter.h:289 [inline] + NF_HOOK include/linux/netfilter.h:283 [inline] + ip_local_deliver+0x1f0/0x740 net/ipv4/ip_input.c:255 + dst_input include/net/dst.h:450 [inline] + ip_rcv_finish+0x1f4/0x2f0 net/ipv4/ip_input.c:414 + NF_HOOK include/linux/netfilter.h:289 [inline] + NF_HOOK include/linux/netfilter.h:283 [inline] + ip_rcv+0xed/0x620 net/ipv4/ip_input.c:524 + __netif_receive_skb_one_core+0x160/0x210 net/core/dev.c:4973 + __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083 + process_backlog+0x206/0x750 net/core/dev.c:5923 + napi_poll net/core/dev.c:6346 [inline] + net_rx_action+0x76d/0x1930 net/core/dev.c:6412 + __do_softirq+0x30b/0xb11 kernel/softirq.c:292 + run_ksoftirqd kernel/softirq.c:654 [inline] + run_ksoftirqd+0x8e/0x110 kernel/softirq.c:646 + smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164 + kthread+0x357/0x430 kernel/kthread.c:246 + ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 +Modules linked in: +---[ end trace 58a0ba03bea2c376 ]--- +RIP: 0010:ccid_hc_tx_parse_options net/dccp/ccid.h:205 [inline] +RIP: 0010:dccp_parse_options+0x8d9/0x12b0 net/dccp/options.c:233 +Code: c5 0f b6 75 b3 80 38 00 0f 85 d6 08 00 00 48 b9 00 00 00 00 00 fc ff df 48 8b 45 b8 4c 8b b8 f8 07 00 00 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 95 08 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b +RSP: 0018:ffff8880a94df0b8 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: ffff8880858ac723 RCX: dffffc0000000000 +RDX: 0000000000000100 RSI: 0000000000000007 RDI: 0000000000000001 +RBP: ffff8880a94df140 R08: 0000000000000001 R09: ffff888061b83a80 +R10: ffffed100c370752 R11: ffff888061b83a97 R12: 0000000000000026 +R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000 +FS: 0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f0defa33518 CR3: 0000000009871000 CR4: 00000000001406e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: syzbot <syzkaller@googlegroups.com> +Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/dccp/ccid.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h +index 6eb837a47b5c..baaaeb2b2c42 100644 +--- a/net/dccp/ccid.h ++++ b/net/dccp/ccid.h +@@ -202,7 +202,7 @@ static inline void ccid_hc_tx_packet_recv(struct ccid *ccid, struct sock *sk, + static inline int ccid_hc_tx_parse_options(struct ccid *ccid, struct sock *sk, + u8 pkt, u8 opt, u8 *val, u8 len) + { +- if (ccid->ccid_ops->ccid_hc_tx_parse_options == NULL) ++ if (!ccid || !ccid->ccid_ops->ccid_hc_tx_parse_options) + return 0; + return ccid->ccid_ops->ccid_hc_tx_parse_options(sk, pkt, opt, val, len); + } +@@ -214,7 +214,7 @@ static inline int ccid_hc_tx_parse_options(struct ccid *ccid, struct sock *sk, + static inline int ccid_hc_rx_parse_options(struct ccid *ccid, struct sock *sk, + u8 pkt, u8 opt, u8 *val, u8 len) + { +- if (ccid->ccid_ops->ccid_hc_rx_parse_options == NULL) ++ if (!ccid || !ccid->ccid_ops->ccid_hc_rx_parse_options) + return 0; + return ccid->ccid_ops->ccid_hc_rx_parse_options(sk, pkt, opt, val, len); + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-078-enic-fix-checksum-validation-for-IPv6.patch b/patches.kernel.org/4.4.175-078-enic-fix-checksum-validation-for-IPv6.patch new file mode 100644 index 0000000000..8db63b6937 --- /dev/null +++ b/patches.kernel.org/4.4.175-078-enic-fix-checksum-validation-for-IPv6.patch @@ -0,0 +1,36 @@ +From: Govindarajulu Varadarajan <gvaradar@cisco.com> +Date: Wed, 30 Jan 2019 06:59:00 -0800 +Subject: [PATCH] enic: fix checksum validation for IPv6 +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 7596175e99b3d4bce28022193efd954c201a782a + +[ Upstream commit 7596175e99b3d4bce28022193efd954c201a782a ] + +In case of IPv6 pkts, ipv4_csum_ok is 0. Because of this, driver does +not set skb->ip_summed. So IPv6 rx checksum is not offloaded. + +Signed-off-by: Govindarajulu Varadarajan <gvaradar@cisco.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ethernet/cisco/enic/enic_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c +index 0433fdebda25..9ef4caa4b84d 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -1180,7 +1180,7 @@ static void enic_rq_indicate_buf(struct vnic_rq *rq, + * CHECSUM_UNNECESSARY. + */ + if ((netdev->features & NETIF_F_RXCSUM) && tcp_udp_csum_ok && +- ipv4_csum_ok) ++ (ipv4_csum_ok || ipv6)) + skb->ip_summed = CHECKSUM_UNNECESSARY; + + if (vlan_stripped) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-079-net-dp83640-expire-old-TX-skb.patch b/patches.kernel.org/4.4.175-079-net-dp83640-expire-old-TX-skb.patch new file mode 100644 index 0000000000..8388bf392c --- /dev/null +++ b/patches.kernel.org/4.4.175-079-net-dp83640-expire-old-TX-skb.patch @@ -0,0 +1,89 @@ +From: Sebastian Andrzej Siewior <bigeasy@linutronix.de> +Date: Mon, 4 Feb 2019 11:20:29 +0100 +Subject: [PATCH] net: dp83640: expire old TX-skb +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 53bc8d2af08654659abfadfd3e98eb9922ff787c + +[ Upstream commit 53bc8d2af08654659abfadfd3e98eb9922ff787c ] + +During sendmsg() a cloned skb is saved via dp83640_txtstamp() in +->tx_queue. After the NIC sends this packet, the PHY will reply with a +timestamp for that TX packet. If the cable is pulled at the right time I +don't see that packet. It might gets flushed as part of queue shutdown +on NIC's side. +Once the link is up again then after the next sendmsg() we enqueue +another skb in dp83640_txtstamp() and have two on the list. Then the PHY +will send a reply and decode_txts() attaches it to the first skb on the +list. +No crash occurs since refcounting works but we are one packet behind. +linuxptp/ptp4l usually closes the socket and opens a new one (in such a +timeout case) so those "stale" replies never get there. However it does +not resume normal operation anymore. + +Purge old skbs in decode_txts(). + +Fixes: cb646e2b02b2 ("ptp: Added a clock driver for the National Semiconductor PHYTER.") +Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> +Reviewed-by: Kurt Kanzenbach <kurt@linutronix.de> +Acked-by: Richard Cochran <richardcochran@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/phy/dp83640.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/phy/dp83640.c b/drivers/net/phy/dp83640.c +index dc934347ae28..e6f564d50663 100644 +--- a/drivers/net/phy/dp83640.c ++++ b/drivers/net/phy/dp83640.c +@@ -890,14 +890,14 @@ static void decode_txts(struct dp83640_private *dp83640, + struct phy_txts *phy_txts) + { + struct skb_shared_hwtstamps shhwtstamps; ++ struct dp83640_skb_info *skb_info; + struct sk_buff *skb; +- u64 ns; + u8 overflow; ++ u64 ns; + + /* We must already have the skb that triggered this. */ +- ++again: + skb = skb_dequeue(&dp83640->tx_queue); +- + if (!skb) { + pr_debug("have timestamp but tx_queue empty\n"); + return; +@@ -912,6 +912,11 @@ static void decode_txts(struct dp83640_private *dp83640, + } + return; + } ++ skb_info = (struct dp83640_skb_info *)skb->cb; ++ if (time_after(jiffies, skb_info->tmo)) { ++ kfree_skb(skb); ++ goto again; ++ } + + ns = phy2txts(phy_txts); + memset(&shhwtstamps, 0, sizeof(shhwtstamps)); +@@ -1461,6 +1466,7 @@ static bool dp83640_rxtstamp(struct phy_device *phydev, + static void dp83640_txtstamp(struct phy_device *phydev, + struct sk_buff *skb, int type) + { ++ struct dp83640_skb_info *skb_info = (struct dp83640_skb_info *)skb->cb; + struct dp83640_private *dp83640 = phydev->priv; + + switch (dp83640->hwts_tx_en) { +@@ -1473,6 +1479,7 @@ static void dp83640_txtstamp(struct phy_device *phydev, + /* fall through */ + case HWTSTAMP_TX_ON: + skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS; ++ skb_info->tmo = jiffies + SKB_TIMESTAMP_TIMEOUT; + skb_queue_tail(&dp83640->tx_queue, skb); + break; + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-080-skge-potential-memory-corruption-in-skge_get_.patch b/patches.kernel.org/4.4.175-080-skge-potential-memory-corruption-in-skge_get_.patch new file mode 100644 index 0000000000..a19f1294e2 --- /dev/null +++ b/patches.kernel.org/4.4.175-080-skge-potential-memory-corruption-in-skge_get_.patch @@ -0,0 +1,43 @@ +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Fri, 1 Feb 2019 11:28:16 +0300 +Subject: [PATCH] skge: potential memory corruption in skge_get_regs() +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 294c149a209c6196c2de85f512b52ef50f519949 + +[ Upstream commit 294c149a209c6196c2de85f512b52ef50f519949 ] + +The "p" buffer is 0x4000 bytes long. B3_RI_WTO_R1 is 0x190. The value +of "regs->len" is in the 1-0x4000 range. The bug here is that +"regs->len - B3_RI_WTO_R1" can be a negative value which would lead to +memory corruption and an abrupt crash. + +Fixes: c3f8be961808 ("[PATCH] skge: expand ethtool debug register dump") +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ethernet/marvell/skge.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/skge.c b/drivers/net/ethernet/marvell/skge.c +index 7173836fe361..c9f4b5412844 100644 +--- a/drivers/net/ethernet/marvell/skge.c ++++ b/drivers/net/ethernet/marvell/skge.c +@@ -152,8 +152,10 @@ static void skge_get_regs(struct net_device *dev, struct ethtool_regs *regs, + memset(p, 0, regs->len); + memcpy_fromio(p, io, B3_RAM_ADDR); + +- memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1, +- regs->len - B3_RI_WTO_R1); ++ if (regs->len > B3_RI_WTO_R1) { ++ memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1, ++ regs->len - B3_RI_WTO_R1); ++ } + } + + /* Wake on Lan only supported on Yukon chips with rev 1 or above */ +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-081-net-systemport-Fix-WoL-with-password-after-de.patch b/patches.kernel.org/4.4.175-081-net-systemport-Fix-WoL-with-password-after-de.patch new file mode 100644 index 0000000000..1fd24602fc --- /dev/null +++ b/patches.kernel.org/4.4.175-081-net-systemport-Fix-WoL-with-password-after-de.patch @@ -0,0 +1,112 @@ +From: Florian Fainelli <f.fainelli@gmail.com> +Date: Fri, 1 Feb 2019 13:23:38 -0800 +Subject: [PATCH] net: systemport: Fix WoL with password after deep sleep +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 8dfb8d2cceb76b74ad5b58cc65c75994329b4d5e + +[ Upstream commit 8dfb8d2cceb76b74ad5b58cc65c75994329b4d5e ] + +Broadcom STB chips support a deep sleep mode where all register +contents are lost. Because we were stashing the MagicPacket password +into some of these registers a suspend into that deep sleep then a +resumption would not lead to being able to wake-up from MagicPacket with +password again. + +Fix this by keeping a software copy of the password and program it +during suspend. + +Fixes: 83e82f4c706b ("net: systemport: add Wake-on-LAN support") +Signed-off-by: Florian Fainelli <f.fainelli@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ethernet/broadcom/bcmsysport.c | 25 +++++++++------------- + drivers/net/ethernet/broadcom/bcmsysport.h | 2 ++ + 2 files changed, 12 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c +index 7a6dd5e5e498..143b9a384af8 100644 +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -400,7 +400,6 @@ static void bcm_sysport_get_wol(struct net_device *dev, + struct ethtool_wolinfo *wol) + { + struct bcm_sysport_priv *priv = netdev_priv(dev); +- u32 reg; + + wol->supported = WAKE_MAGIC | WAKE_MAGICSECURE; + wol->wolopts = priv->wolopts; +@@ -408,11 +407,7 @@ static void bcm_sysport_get_wol(struct net_device *dev, + if (!(priv->wolopts & WAKE_MAGICSECURE)) + return; + +- /* Return the programmed SecureOn password */ +- reg = umac_readl(priv, UMAC_PSW_MS); +- put_unaligned_be16(reg, &wol->sopass[0]); +- reg = umac_readl(priv, UMAC_PSW_LS); +- put_unaligned_be32(reg, &wol->sopass[2]); ++ memcpy(wol->sopass, priv->sopass, sizeof(priv->sopass)); + } + + static int bcm_sysport_set_wol(struct net_device *dev, +@@ -428,13 +423,8 @@ static int bcm_sysport_set_wol(struct net_device *dev, + if (wol->wolopts & ~supported) + return -EINVAL; + +- /* Program the SecureOn password */ +- if (wol->wolopts & WAKE_MAGICSECURE) { +- umac_writel(priv, get_unaligned_be16(&wol->sopass[0]), +- UMAC_PSW_MS); +- umac_writel(priv, get_unaligned_be32(&wol->sopass[2]), +- UMAC_PSW_LS); +- } ++ if (wol->wolopts & WAKE_MAGICSECURE) ++ memcpy(priv->sopass, wol->sopass, sizeof(priv->sopass)); + + /* Flag the device and relevant IRQ as wakeup capable */ + if (wol->wolopts) { +@@ -1889,12 +1879,17 @@ static int bcm_sysport_suspend_to_wol(struct bcm_sysport_priv *priv) + unsigned int timeout = 1000; + u32 reg; + +- /* Password has already been programmed */ + reg = umac_readl(priv, UMAC_MPD_CTRL); + reg |= MPD_EN; + reg &= ~PSW_EN; +- if (priv->wolopts & WAKE_MAGICSECURE) ++ if (priv->wolopts & WAKE_MAGICSECURE) { ++ /* Program the SecureOn password */ ++ umac_writel(priv, get_unaligned_be16(&priv->sopass[0]), ++ UMAC_PSW_MS); ++ umac_writel(priv, get_unaligned_be32(&priv->sopass[2]), ++ UMAC_PSW_LS); + reg |= PSW_EN; ++ } + umac_writel(priv, reg, UMAC_MPD_CTRL); + + /* Make sure RBUF entered WoL mode as result */ +diff --git a/drivers/net/ethernet/broadcom/bcmsysport.h b/drivers/net/ethernet/broadcom/bcmsysport.h +index 8ace6ecb5f79..e668b1ce5828 100644 +--- a/drivers/net/ethernet/broadcom/bcmsysport.h ++++ b/drivers/net/ethernet/broadcom/bcmsysport.h +@@ -11,6 +11,7 @@ + #ifndef __BCM_SYSPORT_H + #define __BCM_SYSPORT_H + ++#include <linux/ethtool.h> + #include <linux/if_vlan.h> + + /* Receive/transmit descriptor format */ +@@ -682,6 +683,7 @@ struct bcm_sysport_priv { + unsigned int crc_fwd:1; + u16 rev; + u32 wolopts; ++ u8 sopass[SOPASS_MAX]; + unsigned int wol_irq_disabled:1; + + /* MIB related fields */ +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-082-net-dsa-slave-Don-t-propagate-flag-changes-on.patch b/patches.kernel.org/4.4.175-082-net-dsa-slave-Don-t-propagate-flag-changes-on.patch new file mode 100644 index 0000000000..4ad769fcc3 --- /dev/null +++ b/patches.kernel.org/4.4.175-082-net-dsa-slave-Don-t-propagate-flag-changes-on.patch @@ -0,0 +1,60 @@ +From: Rundong Ge <rdong.ge@gmail.com> +Date: Sat, 2 Feb 2019 14:29:35 +0000 +Subject: [PATCH] net: dsa: slave: Don't propagate flag changes on down slave + interfaces +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 17ab4f61b8cd6f9c38e9d0b935d86d73b5d0d2b5 + +[ Upstream commit 17ab4f61b8cd6f9c38e9d0b935d86d73b5d0d2b5 ] + +The unbalance of master's promiscuity or allmulti will happen after ifdown +and ifup a slave interface which is in a bridge. + +When we ifdown a slave interface , both the 'dsa_slave_close' and +'dsa_slave_change_rx_flags' will clear the master's flags. The flags +of master will be decrease twice. +In the other hand, if we ifup the slave interface again, since the +slave's flags were cleared the 'dsa_slave_open' won't set the master's +flag, only 'dsa_slave_change_rx_flags' that triggered by 'br_add_if' +will set the master's flags. The flags of master is increase once. + +Only propagating flag changes when a slave interface is up makes +sure this does not happen. The 'vlan_dev_change_rx_flags' had the +same problem and was fixed, and changes here follows that fix. + +Fixes: 91da11f870f0 ("net: Distributed Switch Architecture protocol support") +Signed-off-by: Rundong Ge <rdong.ge@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/dsa/slave.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/dsa/slave.c b/net/dsa/slave.c +index 48b28a7ecc7a..4256ac95a141 100644 +--- a/net/dsa/slave.c ++++ b/net/dsa/slave.c +@@ -157,10 +157,14 @@ static void dsa_slave_change_rx_flags(struct net_device *dev, int change) + struct dsa_slave_priv *p = netdev_priv(dev); + struct net_device *master = p->parent->dst->master_netdev; + +- if (change & IFF_ALLMULTI) +- dev_set_allmulti(master, dev->flags & IFF_ALLMULTI ? 1 : -1); +- if (change & IFF_PROMISC) +- dev_set_promiscuity(master, dev->flags & IFF_PROMISC ? 1 : -1); ++ if (dev->flags & IFF_UP) { ++ if (change & IFF_ALLMULTI) ++ dev_set_allmulti(master, ++ dev->flags & IFF_ALLMULTI ? 1 : -1); ++ if (change & IFF_PROMISC) ++ dev_set_promiscuity(master, ++ dev->flags & IFF_PROMISC ? 1 : -1); ++ } + } + + static void dsa_slave_set_rx_mode(struct net_device *dev) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-083-ALSA-compress-Fix-stop-handling-on-compressed.patch b/patches.kernel.org/4.4.175-083-ALSA-compress-Fix-stop-handling-on-compressed.patch new file mode 100644 index 0000000000..31ae93de3e --- /dev/null +++ b/patches.kernel.org/4.4.175-083-ALSA-compress-Fix-stop-handling-on-compressed.patch @@ -0,0 +1,57 @@ +From: Charles Keepax <ckeepax@opensource.cirrus.com> +Date: Tue, 5 Feb 2019 16:29:40 +0000 +Subject: [PATCH] ALSA: compress: Fix stop handling on compressed capture + streams +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 4f2ab5e1d13d6aa77c55f4914659784efd776eb4 + +commit 4f2ab5e1d13d6aa77c55f4914659784efd776eb4 upstream. + +It is normal user behaviour to start, stop, then start a stream +again without closing it. Currently this works for compressed +playback streams but not capture ones. + +The states on a compressed capture stream go directly from OPEN to +PREPARED, unlike a playback stream which moves to SETUP and waits +for a write of data before moving to PREPARED. Currently however, +when a stop is sent the state is set to SETUP for both types of +streams. This leaves a capture stream in the situation where a new +start can't be sent as that requires the state to be PREPARED and +a new set_params can't be sent as that requires the state to be +OPEN. The only option being to close the stream, and then reopen. + +Correct this issues by allowing snd_compr_drain_notify to set the +state depending on the stream direction, as we already do in +set_params. + +Fixes: 49bb6402f1aa ("ALSA: compress_core: Add support for capture streams") +Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + include/sound/compress_driver.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/include/sound/compress_driver.h b/include/sound/compress_driver.h +index fa1d05512c09..85ff3181e6f1 100644 +--- a/include/sound/compress_driver.h ++++ b/include/sound/compress_driver.h +@@ -178,7 +178,11 @@ static inline void snd_compr_drain_notify(struct snd_compr_stream *stream) + if (snd_BUG_ON(!stream)) + return; + +- stream->runtime->state = SNDRV_PCM_STATE_SETUP; ++ if (stream->direction == SND_COMPRESS_PLAYBACK) ++ stream->runtime->state = SNDRV_PCM_STATE_SETUP; ++ else ++ stream->runtime->state = SNDRV_PCM_STATE_PREPARED; ++ + wake_up(&stream->runtime->sleep); + } + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-084-ALSA-hda-Serialize-codec-registrations.patch b/patches.kernel.org/4.4.175-084-ALSA-hda-Serialize-codec-registrations.patch new file mode 100644 index 0000000000..5aea5df72e --- /dev/null +++ b/patches.kernel.org/4.4.175-084-ALSA-hda-Serialize-codec-registrations.patch @@ -0,0 +1,79 @@ +From: Takashi Iwai <tiwai@suse.de> +Date: Wed, 30 Jan 2019 17:46:03 +0100 +Subject: [PATCH] ALSA: hda - Serialize codec registrations +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 305a0ade180981686eec1f92aa6252a7c6ebb1cf + +commit 305a0ade180981686eec1f92aa6252a7c6ebb1cf upstream. + +In the current code, the codec registration may happen both at the +codec bind time and the end of the controller probe time. In a rare +occasion, they race with each other, leading to Oops due to the still +uninitialized card device. + +This patch introduces a simple flag to prevent the codec registration +at the codec bind time as long as the controller probe is going on. +The controller probe invokes snd_card_register() that does the whole +registration task, and we don't need to register each piece +beforehand. + +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/pci/hda/hda_bind.c | 3 ++- + sound/pci/hda/hda_codec.h | 1 + + sound/pci/hda/hda_intel.c | 2 ++ + 3 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/hda_bind.c b/sound/pci/hda/hda_bind.c +index 6efadbfb3fe3..7ea201c05e5d 100644 +--- a/sound/pci/hda/hda_bind.c ++++ b/sound/pci/hda/hda_bind.c +@@ -109,7 +109,8 @@ static int hda_codec_driver_probe(struct device *dev) + err = snd_hda_codec_build_controls(codec); + if (err < 0) + goto error_module; +- if (codec->card->registered) { ++ /* only register after the bus probe finished; otherwise it's racy */ ++ if (!codec->bus->bus_probing && codec->card->registered) { + err = snd_card_register(codec->card); + if (err < 0) + goto error_module; +diff --git a/sound/pci/hda/hda_codec.h b/sound/pci/hda/hda_codec.h +index 776dffa88aee..171e11be938d 100644 +--- a/sound/pci/hda/hda_codec.h ++++ b/sound/pci/hda/hda_codec.h +@@ -68,6 +68,7 @@ struct hda_bus { + unsigned int response_reset:1; /* controller was reset */ + unsigned int in_reset:1; /* during reset operation */ + unsigned int no_response_fallback:1; /* don't fallback at RIRB error */ ++ unsigned int bus_probing :1; /* during probing process */ + + int primary_dig_out_type; /* primary digital out PCM type */ + unsigned int mixer_assigned; /* codec addr for mixer name */ +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index f964743b104c..74c9600876d6 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2100,6 +2100,7 @@ static int azx_probe_continue(struct azx *chip) + int val; + int err; + ++ to_hda_bus(bus)->bus_probing = 1; + hda->probe_continued = 1; + + /* Request display power well for the HDA controller or codec. For +@@ -2200,6 +2201,7 @@ static int azx_probe_continue(struct azx *chip) + if (err < 0) + hda->init_failed = 1; + complete_all(&hda->probe_wait); ++ to_hda_bus(bus)->bus_probing = 0; + return err; + } + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-085-fuse-call-pipe_buf_release-under-pipe-lock.patch b/patches.kernel.org/4.4.175-085-fuse-call-pipe_buf_release-under-pipe-lock.patch new file mode 100644 index 0000000000..ca76b3ddff --- /dev/null +++ b/patches.kernel.org/4.4.175-085-fuse-call-pipe_buf_release-under-pipe-lock.patch @@ -0,0 +1,48 @@ +From: Jann Horn <jannh@google.com> +Date: Sat, 12 Jan 2019 02:39:05 +0100 +Subject: [PATCH] fuse: call pipe_buf_release() under pipe lock +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 9509941e9c534920ccc4771ae70bd6cbbe79df1c + +commit 9509941e9c534920ccc4771ae70bd6cbbe79df1c upstream. + +Some of the pipe_buf_release() handlers seem to assume that the pipe is +locked - in particular, anon_pipe_buf_release() accesses pipe->tmp_page +without taking any extra locks. From a glance through the callers of +pipe_buf_release(), it looks like FUSE is the only one that calls +pipe_buf_release() without having the pipe locked. + +This bug should only lead to a memory leak, nothing terrible. + +Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device") +Cc: stable@vger.kernel.org +Signed-off-by: Jann Horn <jannh@google.com> +Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/fuse/dev.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c +index e566652ac922..a2cd166a6c69 100644 +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -2074,10 +2074,13 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe, + + ret = fuse_dev_do_write(fud, &cs, len); + ++ pipe_lock(pipe); + for (idx = 0; idx < nbuf; idx++) { + struct pipe_buffer *buf = &bufs[idx]; + buf->ops->release(pipe, buf); + } ++ pipe_unlock(pipe); ++ + out: + kfree(bufs); + return ret; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-086-fuse-decrement-NR_WRITEBACK_TEMP-on-the-right.patch b/patches.kernel.org/4.4.175-086-fuse-decrement-NR_WRITEBACK_TEMP-on-the-right.patch new file mode 100644 index 0000000000..d68db753a8 --- /dev/null +++ b/patches.kernel.org/4.4.175-086-fuse-decrement-NR_WRITEBACK_TEMP-on-the-right.patch @@ -0,0 +1,37 @@ +From: Miklos Szeredi <mszeredi@redhat.com> +Date: Wed, 16 Jan 2019 10:27:59 +0100 +Subject: [PATCH] fuse: decrement NR_WRITEBACK_TEMP on the right page +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: a2ebba824106dabe79937a9f29a875f837e1b6d4 + +commit a2ebba824106dabe79937a9f29a875f837e1b6d4 upstream. + +NR_WRITEBACK_TEMP is accounted on the temporary page in the request, not +the page cache page. + +Fixes: 8b284dc47291 ("fuse: writepages: handle same page rewrites") +Cc: <stable@vger.kernel.org> # v3.13 +Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/fuse/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/fuse/file.c b/fs/fuse/file.c +index 7014318f6d18..d40c2451487c 100644 +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -1784,7 +1784,7 @@ static bool fuse_writepage_in_flight(struct fuse_req *new_req, + spin_unlock(&fc->lock); + + dec_wb_stat(&bdi->wb, WB_WRITEBACK); +- dec_zone_page_state(page, NR_WRITEBACK_TEMP); ++ dec_zone_page_state(new_req->pages[0], NR_WRITEBACK_TEMP); + wb_writeout_inc(&bdi->wb); + fuse_writepage_free(fc, new_req); + fuse_request_free(new_req); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-087-fuse-handle-zero-sized-retrieve-correctly.patch b/patches.kernel.org/4.4.175-087-fuse-handle-zero-sized-retrieve-correctly.patch new file mode 100644 index 0000000000..1a7dc713fd --- /dev/null +++ b/patches.kernel.org/4.4.175-087-fuse-handle-zero-sized-retrieve-correctly.patch @@ -0,0 +1,45 @@ +From: Miklos Szeredi <mszeredi@redhat.com> +Date: Wed, 16 Jan 2019 10:27:59 +0100 +Subject: [PATCH] fuse: handle zero sized retrieve correctly +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 97e1532ef81acb31c30f9e75bf00306c33a77812 + +commit 97e1532ef81acb31c30f9e75bf00306c33a77812 upstream. + +Dereferencing req->page_descs[0] will Oops if req->max_pages is zero. + +Reported-by: syzbot+c1e36d30ee3416289cc0@syzkaller.appspotmail.com +Tested-by: syzbot+c1e36d30ee3416289cc0@syzkaller.appspotmail.com +Fixes: b2430d7567a3 ("fuse: add per-page descriptor <offset, length> to fuse_req") +Cc: <stable@vger.kernel.org> # v3.9 +Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/fuse/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c +index a2cd166a6c69..341196338e48 100644 +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -1741,7 +1741,6 @@ static int fuse_retrieve(struct fuse_conn *fc, struct inode *inode, + req->in.h.nodeid = outarg->nodeid; + req->in.numargs = 2; + req->in.argpages = 1; +- req->page_descs[0].offset = offset; + req->end = fuse_retrieve_end; + + index = outarg->offset >> PAGE_CACHE_SHIFT; +@@ -1756,6 +1755,7 @@ static int fuse_retrieve(struct fuse_conn *fc, struct inode *inode, + + this_num = min_t(unsigned, num, PAGE_CACHE_SIZE - offset); + req->pages[req->num_pages] = page; ++ req->page_descs[req->num_pages].offset = offset; + req->page_descs[req->num_pages].length = this_num; + req->num_pages++; + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-088-dmaengine-imx-dma-fix-wrong-callback-invoke.patch b/patches.kernel.org/4.4.175-088-dmaengine-imx-dma-fix-wrong-callback-invoke.patch new file mode 100644 index 0000000000..005eb8833d --- /dev/null +++ b/patches.kernel.org/4.4.175-088-dmaengine-imx-dma-fix-wrong-callback-invoke.patch @@ -0,0 +1,69 @@ +From: Leonid Iziumtsev <leonid.iziumtsev@gmail.com> +Date: Tue, 15 Jan 2019 17:15:23 +0000 +Subject: [PATCH] dmaengine: imx-dma: fix wrong callback invoke +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 341198eda723c8c1cddbb006a89ad9e362502ea2 + +commit 341198eda723c8c1cddbb006a89ad9e362502ea2 upstream. + +Once the "ld_queue" list is not empty, next descriptor will migrate +into "ld_active" list. The "desc" variable will be overwritten +during that transition. And later the dmaengine_desc_get_callback_invoke() +will use it as an argument. As result we invoke wrong callback. + +That behaviour was in place since: +commit fcaaba6c7136 ("dmaengine: imx-dma: fix callback path in tasklet"). +But after commit 4cd13c21b207 ("softirq: Let ksoftirqd do its job") +things got worse, since possible delay between tasklet_schedule() +from DMA irq handler and actual tasklet function execution got bigger. +And that gave more time for new DMA request to be submitted and +to be put into "ld_queue" list. + +It has been noticed that DMA issue is causing problems for "mxc-mmc" +driver. While stressing the system with heavy network traffic and +writing/reading to/from sd card simultaneously the timeout may happen: + +10013000.sdhci: mxcmci_watchdog: read time out (status = 0x30004900) + +That often lead to file system corruption. + +Signed-off-by: Leonid Iziumtsev <leonid.iziumtsev@gmail.com> +Signed-off-by: Vinod Koul <vkoul@kernel.org> +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/dma/imx-dma.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/dma/imx-dma.c b/drivers/dma/imx-dma.c +index 48d85f8b95fe..dfa337ae06fc 100644 +--- a/drivers/dma/imx-dma.c ++++ b/drivers/dma/imx-dma.c +@@ -619,7 +619,7 @@ static void imxdma_tasklet(unsigned long data) + { + struct imxdma_channel *imxdmac = (void *)data; + struct imxdma_engine *imxdma = imxdmac->imxdma; +- struct imxdma_desc *desc; ++ struct imxdma_desc *desc, *next_desc; + unsigned long flags; + + spin_lock_irqsave(&imxdma->lock, flags); +@@ -649,10 +649,10 @@ static void imxdma_tasklet(unsigned long data) + list_move_tail(imxdmac->ld_active.next, &imxdmac->ld_free); + + if (!list_empty(&imxdmac->ld_queue)) { +- desc = list_first_entry(&imxdmac->ld_queue, struct imxdma_desc, +- node); ++ next_desc = list_first_entry(&imxdmac->ld_queue, ++ struct imxdma_desc, node); + list_move_tail(imxdmac->ld_queue.next, &imxdmac->ld_active); +- if (imxdma_xfer_desc(desc) < 0) ++ if (imxdma_xfer_desc(next_desc) < 0) + dev_warn(imxdma->dev, "%s: channel: %d couldn't xfer desc\n", + __func__, imxdmac->channel); + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-089-usb-phy-am335x-fix-race-condition-in-_probe.patch b/patches.kernel.org/4.4.175-089-usb-phy-am335x-fix-race-condition-in-_probe.patch new file mode 100644 index 0000000000..7e7650c801 --- /dev/null +++ b/patches.kernel.org/4.4.175-089-usb-phy-am335x-fix-race-condition-in-_probe.patch @@ -0,0 +1,50 @@ +From: Bin Liu <b-liu@ti.com> +Date: Wed, 16 Jan 2019 11:54:07 -0600 +Subject: [PATCH] usb: phy: am335x: fix race condition in _probe +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: a53469a68eb886e84dd8b69a1458a623d3591793 + +commit a53469a68eb886e84dd8b69a1458a623d3591793 upstream. + +power off the phy should be done before populate the phy. Otherwise, +am335x_init() could be called by the phy owner to power on the phy first, +then am335x_phy_probe() turns off the phy again without the caller knowing +it. + +Fixes: 2fc711d76352 ("usb: phy: am335x: Enable USB remote wakeup using PHY wakeup") +Cc: stable@vger.kernel.org # v3.18+ +Signed-off-by: Bin Liu <b-liu@ti.com> +Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/phy/phy-am335x.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/usb/phy/phy-am335x.c b/drivers/usb/phy/phy-am335x.c +index 90b67a4ca221..558f33a75fd9 100644 +--- a/drivers/usb/phy/phy-am335x.c ++++ b/drivers/usb/phy/phy-am335x.c +@@ -56,9 +56,6 @@ static int am335x_phy_probe(struct platform_device *pdev) + if (ret) + return ret; + +- ret = usb_add_phy_dev(&am_phy->usb_phy_gen.phy); +- if (ret) +- return ret; + am_phy->usb_phy_gen.phy.init = am335x_init; + am_phy->usb_phy_gen.phy.shutdown = am335x_shutdown; + +@@ -77,7 +74,7 @@ static int am335x_phy_probe(struct platform_device *pdev) + device_set_wakeup_enable(dev, false); + phy_ctrl_power(am_phy->phy_ctrl, am_phy->id, false); + +- return 0; ++ return usb_add_phy_dev(&am_phy->usb_phy_gen.phy); + } + + static int am335x_phy_remove(struct platform_device *pdev) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-090-usb-gadget-udc-net2272-Fix-bitwise-and-boolea.patch b/patches.kernel.org/4.4.175-090-usb-gadget-udc-net2272-Fix-bitwise-and-boolea.patch new file mode 100644 index 0000000000..b6aa1cf248 --- /dev/null +++ b/patches.kernel.org/4.4.175-090-usb-gadget-udc-net2272-Fix-bitwise-and-boolea.patch @@ -0,0 +1,48 @@ +From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> +Date: Tue, 22 Jan 2019 15:28:08 -0600 +Subject: [PATCH] usb: gadget: udc: net2272: Fix bitwise and boolean operations +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 07c69f1148da7de3978686d3af9263325d9d60bd + +commit 07c69f1148da7de3978686d3af9263325d9d60bd upstream. + +(!x & y) strikes again. + +Fix bitwise and boolean operations by enclosing the expression: + + intcsr & (1 << NET2272_PCI_IRQ) + +in parentheses, before applying the boolean operator '!'. + +Notice that this code has been there since 2011. So, it would +be helpful if someone can double-check this. + +This issue was detected with the help of Coccinelle. + +Fixes: ceb80363b2ec ("USB: net2272: driver for PLX NET2272 USB device controller") +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> +Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/gadget/udc/net2272.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/net2272.c b/drivers/usb/gadget/udc/net2272.c +index 18f5ebd447b8..3b6e34fc032b 100644 +--- a/drivers/usb/gadget/udc/net2272.c ++++ b/drivers/usb/gadget/udc/net2272.c +@@ -2100,7 +2100,7 @@ static irqreturn_t net2272_irq(int irq, void *_dev) + #if defined(PLX_PCI_RDK2) + /* see if PCI int for us by checking irqstat */ + intcsr = readl(dev->rdk2.fpga_base_addr + RDK2_IRQSTAT); +- if (!intcsr & (1 << NET2272_PCI_IRQ)) { ++ if (!(intcsr & (1 << NET2272_PCI_IRQ))) { + spin_unlock(&dev->lock); + return IRQ_NONE; + } +-- +2.20.1 + diff --git a/patches.arch/kvm-x86-work-around-leak-of-uninitialized-stack-contents-cve-2019-7222 b/patches.kernel.org/4.4.175-091-KVM-x86-work-around-leak-of-uninitialized-sta.patch index 61206e844e..d66b06a42f 100644 --- a/patches.arch/kvm-x86-work-around-leak-of-uninitialized-stack-contents-cve-2019-7222 +++ b/patches.kernel.org/4.4.175-091-KVM-x86-work-around-leak-of-uninitialized-sta.patch @@ -1,10 +1,12 @@ From: Paolo Bonzini <pbonzini@redhat.com> Date: Tue, 29 Jan 2019 18:41:16 +0100 -Subject: KVM: x86: work around leak of uninitialized stack contents +Subject: [PATCH] KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222) +Patch-mainline: 4.4.175 +References: CVE-2019-7222 bnc#1012382 bsc#1124735 Git-commit: 353c0956a618a07ba4bbe7ad00ff29fe70e8412a -Patch-mainline: v5.0-rc6 -References: CVE-2019-7222 bsc#1124735 + +commit 353c0956a618a07ba4bbe7ad00ff29fe70e8412a upstream. Bugzilla: 1671930 @@ -22,14 +24,17 @@ Embargoed until Feb 7th 2019. Reported-by: Felix Wilhelm <fwilhelm@google.com> Cc: stable@kernel.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> -Acked-by: Joerg Roedel <jroedel@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- - arch/x86/kvm/x86.c | 7 +++++++ + arch/x86/kvm/x86.c | 7 +++++++ 1 file changed, 7 insertions(+) +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 758e2b39567d..6bd0538d8ebf 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c -@@ -4315,6 +4315,13 @@ int kvm_read_guest_virt(struct kvm_vcpu +@@ -4247,6 +4247,13 @@ int kvm_read_guest_virt(struct kvm_vcpu *vcpu, { u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0; @@ -43,3 +48,6 @@ Acked-by: Joerg Roedel <jroedel@suse.de> return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access, exception); } +-- +2.20.1 + diff --git a/patches.arch/kvm-nvmx-unconditionally-cancel-preemption-timer-in-free_nested-cve-2019-7221 b/patches.kernel.org/4.4.175-092-KVM-nVMX-unconditionally-cancel-preemption-ti.patch index 1e35bb04dd..344e2cc71c 100644 --- a/patches.arch/kvm-nvmx-unconditionally-cancel-preemption-timer-in-free_nested-cve-2019-7221 +++ b/patches.kernel.org/4.4.175-092-KVM-nVMX-unconditionally-cancel-preemption-ti.patch @@ -1,10 +1,12 @@ From: Peter Shier <pshier@google.com> Date: Thu, 11 Oct 2018 11:46:46 -0700 -Subject: KVM: nVMX: unconditionally cancel preemption timer in free_nested - (CVE-2019-7221) +Subject: [PATCH] KVM: nVMX: unconditionally cancel preemption timer in + free_nested (CVE-2019-7221) +Patch-mainline: 4.4.175 +References: CVE-2019-7221 bnc#1012382 bsc#1124732 Git-commit: ecec76885bcfe3294685dc363fd1273df0d5d65f -Patch-mainline: v5.0-rc6 -References: CVE-2019-7221 bsc#1124732 + +commit ecec76885bcfe3294685dc363fd1273df0d5d65f upstream. Bugzilla: 1671904 @@ -22,14 +24,17 @@ Reported-by: Felix Wilhelm <fwilhelm@google.com> Cc: stable@kernel.org Message-Id: <20181011184646.154065-1-pshier@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> -Acked-by: Joerg Roedel <jroedel@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- - arch/x86/kvm/vmx/nested.c | 1 + + arch/x86/kvm/vmx.c | 1 + 1 file changed, 1 insertion(+) +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 3bdb2e747b89..aee2886a387c 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c -@@ -6887,6 +6887,7 @@ static void free_nested(struct vcpu_vmx +@@ -6965,6 +6965,7 @@ static void free_nested(struct vcpu_vmx *vmx) if (!vmx->nested.vmxon) return; @@ -37,3 +42,6 @@ Acked-by: Joerg Roedel <jroedel@suse.de> vmx->nested.vmxon = false; free_vpid(vmx->nested.vpid02); nested_release_vmcs12(vmx); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-093-perf-x86-intel-uncore-Add-Node-ID-mask.patch b/patches.kernel.org/4.4.175-093-perf-x86-intel-uncore-Add-Node-ID-mask.patch new file mode 100644 index 0000000000..fbf3977b87 --- /dev/null +++ b/patches.kernel.org/4.4.175-093-perf-x86-intel-uncore-Add-Node-ID-mask.patch @@ -0,0 +1,68 @@ +From: Kan Liang <kan.liang@linux.intel.com> +Date: Sun, 27 Jan 2019 06:53:14 -0800 +Subject: [PATCH] perf/x86/intel/uncore: Add Node ID mask +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 9e63a7894fd302082cf3627fe90844421a6cbe7f + +commit 9e63a7894fd302082cf3627fe90844421a6cbe7f upstream. + +Some PCI uncore PMUs cannot be registered on an 8-socket system (HPE +Superdome Flex). + +To understand which Socket the PCI uncore PMUs belongs to, perf retrieves +the local Node ID of the uncore device from CPUNODEID(0xC0) of the PCI +configuration space, and the mapping between Socket ID and Node ID from +GIDNIDMAP(0xD4). The Socket ID can be calculated accordingly. + +The local Node ID is only available at bit 2:0, but current code doesn't +mask it. If a BIOS doesn't clear the rest of the bits, an incorrect Node ID +will be fetched. + +Filter the Node ID by adding a mask. + +Reported-by: Song Liu <songliubraving@fb.com> +Tested-by: Song Liu <songliubraving@fb.com> +Signed-off-by: Kan Liang <kan.liang@linux.intel.com> +Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> +Cc: Arnaldo Carvalho de Melo <acme@redhat.com> +Cc: Jiri Olsa <jolsa@redhat.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Cc: <stable@vger.kernel.org> # v3.7+ +Fixes: 7c94ee2e0917 ("perf/x86: Add Intel Nehalem and Sandy Bridge-EP uncore support") +Link: https://lkml.kernel.org/r/1548600794-33162-1-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/x86/kernel/cpu/perf_event_intel_uncore_snbep.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore_snbep.c b/arch/x86/kernel/cpu/perf_event_intel_uncore_snbep.c +index f0f4fcba252e..947579425861 100644 +--- a/arch/x86/kernel/cpu/perf_event_intel_uncore_snbep.c ++++ b/arch/x86/kernel/cpu/perf_event_intel_uncore_snbep.c +@@ -1081,6 +1081,8 @@ static struct pci_driver snbep_uncore_pci_driver = { + .id_table = snbep_uncore_pci_ids, + }; + ++#define NODE_ID_MASK 0x7 ++ + /* + * build pci bus to socket mapping + */ +@@ -1102,7 +1104,7 @@ static int snbep_pci2phy_map_init(int devid) + err = pci_read_config_dword(ubox_dev, 0x40, &config); + if (err) + break; +- nodeid = config; ++ nodeid = config & NODE_ID_MASK; + /* get the Node ID mapping */ + err = pci_read_config_dword(ubox_dev, 0x54, &config); + if (err) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-094-x86-MCE-Initialize-mce.bank-in-the-case-of-a-.patch b/patches.kernel.org/4.4.175-094-x86-MCE-Initialize-mce.bank-in-the-case-of-a-.patch new file mode 100644 index 0000000000..2f004a5479 --- /dev/null +++ b/patches.kernel.org/4.4.175-094-x86-MCE-Initialize-mce.bank-in-the-case-of-a-.patch @@ -0,0 +1,57 @@ +From: Tony Luck <tony.luck@intel.com> +Date: Thu, 31 Jan 2019 16:33:41 -0800 +Subject: [PATCH] x86/MCE: Initialize mce.bank in the case of a fatal error in + mce_no_way_out() +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: d28af26faa0b1daf3c692603d46bc4687c16f19e + +commit d28af26faa0b1daf3c692603d46bc4687c16f19e upstream. + +Internal injection testing crashed with a console log that said: + + mce: [Hardware Error]: CPU 7: Machine Check Exception: f Bank 0: bd80000000100134 + +This caused a lot of head scratching because the MCACOD (bits 15:0) of +that status is a signature from an L1 data cache error. But Linux says +that it found it in "Bank 0", which on this model CPU only reports L1 +instruction cache errors. + +The answer was that Linux doesn't initialize "m->bank" in the case that +it finds a fatal error in the mce_no_way_out() pre-scan of banks. If +this was a local machine check, then this partially initialized struct +mce is being passed to mce_panic(). + +Fix is simple: just initialize m->bank in the case of a fatal error. + +Fixes: 40c36e2741d7 ("x86/mce: Fix incorrect "Machine check from unknown source" message") +Signed-off-by: Tony Luck <tony.luck@intel.com> +Signed-off-by: Borislav Petkov <bp@suse.de> +Cc: "H. Peter Anvin" <hpa@zytor.com> +Cc: Ingo Molnar <mingo@redhat.com> +Cc: Thomas Gleixner <tglx@linutronix.de> +Cc: Vishal Verma <vishal.l.verma@intel.com> +Cc: x86-ml <x86@kernel.org> +Cc: stable@vger.kernel.org # v4.18 Note pre-v5.0 arch/x86/kernel/cpu/mce/core.c was called arch/x86/kernel/cpu/mcheck/mce.c +Link: https://lkml.kernel.org/r/20190201003341.10638-1-tony.luck@intel.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/x86/kernel/cpu/mcheck/mce.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c +index 7b8c8c838191..77f7580e22c6 100644 +--- a/arch/x86/kernel/cpu/mcheck/mce.c ++++ b/arch/x86/kernel/cpu/mcheck/mce.c +@@ -670,6 +670,7 @@ static int mce_no_way_out(struct mce *m, char **msg, unsigned long *validp, + } + + if (mce_severity(m, mca_cfg.tolerant, &tmp, true) >= MCE_PANIC_SEVERITY) { ++ m->bank = i; + *msg = tmp; + ret = 1; + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-095-perf-core-Don-t-WARN-for-impossible-ring-buff.patch b/patches.kernel.org/4.4.175-095-perf-core-Don-t-WARN-for-impossible-ring-buff.patch new file mode 100644 index 0000000000..d4fa223ae8 --- /dev/null +++ b/patches.kernel.org/4.4.175-095-perf-core-Don-t-WARN-for-impossible-ring-buff.patch @@ -0,0 +1,60 @@ +From: Mark Rutland <mark.rutland@arm.com> +Date: Thu, 10 Jan 2019 14:27:45 +0000 +Subject: [PATCH] perf/core: Don't WARN() for impossible ring-buffer sizes +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 9dff0aa95a324e262ffb03f425d00e4751f3294e + +commit 9dff0aa95a324e262ffb03f425d00e4751f3294e upstream. + +The perf tool uses /proc/sys/kernel/perf_event_mlock_kb to determine how +large its ringbuffer mmap should be. This can be configured to arbitrary +values, which can be larger than the maximum possible allocation from +kmalloc. + +When this is configured to a suitably large value (e.g. thanks to the +perf fuzzer), attempting to use perf record triggers a WARN_ON_ONCE() in +__alloc_pages_nodemask(): + + WARNING: CPU: 2 PID: 5666 at mm/page_alloc.c:4511 __alloc_pages_nodemask+0x3f8/0xbc8 + +Let's avoid this by checking that the requested allocation is possible +before calling kzalloc. + +Reported-by: Julien Thierry <julien.thierry@arm.com> +Signed-off-by: Mark Rutland <mark.rutland@arm.com> +Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Reviewed-by: Julien Thierry <julien.thierry@arm.com> +Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> +Cc: Arnaldo Carvalho de Melo <acme@redhat.com> +Cc: Jiri Olsa <jolsa@redhat.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Namhyung Kim <namhyung@kernel.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Cc: <stable@vger.kernel.org> +Link: https://lkml.kernel.org/r/20190110142745.25495-1-mark.rutland@arm.com +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + kernel/events/ring_buffer.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c +index 58013ef228a1..93bfb61506fa 100644 +--- a/kernel/events/ring_buffer.c ++++ b/kernel/events/ring_buffer.c +@@ -637,6 +637,9 @@ struct ring_buffer *rb_alloc(int nr_pages, long watermark, int cpu, int flags) + size = sizeof(struct ring_buffer); + size += nr_pages * sizeof(void *); + ++ if (order_base_2(size) >= MAX_ORDER) ++ goto fail; ++ + rb = kzalloc(size, GFP_KERNEL); + if (!rb) + goto fail; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-096-perf-tests-evsel-tp-sched-Fix-bitwise-operato.patch b/patches.kernel.org/4.4.175-096-perf-tests-evsel-tp-sched-Fix-bitwise-operato.patch new file mode 100644 index 0000000000..89c43b246c --- /dev/null +++ b/patches.kernel.org/4.4.175-096-perf-tests-evsel-tp-sched-Fix-bitwise-operato.patch @@ -0,0 +1,48 @@ +From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> +Date: Tue, 22 Jan 2019 17:34:39 -0600 +Subject: [PATCH] perf tests evsel-tp-sched: Fix bitwise operator +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 489338a717a0dfbbd5a3fabccf172b78f0ac9015 + +commit 489338a717a0dfbbd5a3fabccf172b78f0ac9015 upstream. + +Notice that the use of the bitwise OR operator '|' always leads to true +in this particular case, which seems a bit suspicious due to the context +in which this expression is being used. + +Fix this by using bitwise AND operator '&' instead. + +This bug was detected with the help of Coccinelle. + +Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> +Acked-by: Jiri Olsa <jolsa@kernel.org> +Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> +Cc: Namhyung Kim <namhyung@kernel.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: stable@vger.kernel.org +Fixes: 6a6cd11d4e57 ("perf test: Add test for the sched tracepoint format fields") +Link: http://lkml.kernel.org/r/20190122233439.GA5868@embeddedor +Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + tools/perf/tests/evsel-tp-sched.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/tests/evsel-tp-sched.c b/tools/perf/tests/evsel-tp-sched.c +index 790e413d9a1f..da474d743b6a 100644 +--- a/tools/perf/tests/evsel-tp-sched.c ++++ b/tools/perf/tests/evsel-tp-sched.c +@@ -16,7 +16,7 @@ static int perf_evsel__test_field(struct perf_evsel *evsel, const char *name, + return -1; + } + +- is_signed = !!(field->flags | FIELD_IS_SIGNED); ++ is_signed = !!(field->flags & FIELD_IS_SIGNED); + if (should_be_signed && !is_signed) { + pr_debug("%s: \"%s\" signedness(%d) is wrong, should be %d\n", + evsel->name, name, is_signed, should_be_signed); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-097-mtd-rawnand-gpmi-fix-MX28-bus-master-lockup-p.patch b/patches.kernel.org/4.4.175-097-mtd-rawnand-gpmi-fix-MX28-bus-master-lockup-p.patch new file mode 100644 index 0000000000..a17eba2bba --- /dev/null +++ b/patches.kernel.org/4.4.175-097-mtd-rawnand-gpmi-fix-MX28-bus-master-lockup-p.patch @@ -0,0 +1,91 @@ +From: Martin Kepplinger <martin.kepplinger@ginzinger.com> +Date: Tue, 5 Feb 2019 16:52:51 +0100 +Subject: [PATCH] mtd: rawnand: gpmi: fix MX28 bus master lockup problem +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: d5d27fd9826b59979b184ec288e4812abac0e988 + +commit d5d27fd9826b59979b184ec288e4812abac0e988 upstream. + +Disable BCH soft reset according to MX23 erratum #2847 ("BCH soft +reset may cause bus master lock up") for MX28 too. It has the same +problem. + +Observed problem: once per 100,000+ MX28 reboots NAND read failed on +DMA timeout errors: +[ 1.770823] UBI: attaching mtd3 to ubi0 +[ 2.768088] gpmi_nand: DMA timeout, last DMA :1 +[ 3.958087] gpmi_nand: BCH timeout, last DMA :1 +[ 4.156033] gpmi_nand: Error in ECC-based read: -110 +[ 4.161136] UBI warning: ubi_io_read: error -110 while reading 64 +bytes from PEB 0:0, read only 0 bytes, retry +[ 4.171283] step 1 error +[ 4.173846] gpmi_nand: Chip: 0, Error -1 + +Without BCH soft reset we successfully executed 1,000,000 MX28 reboots. + +I have a quote from NXP regarding this problem, from July 18th 2016: + +"As the i.MX23 and i.MX28 are of the same generation, they share many +characteristics. Unfortunately, also the erratas may be shared. +In case of the documented erratas and the workarounds, you can also +apply the workaround solution of one device on the other one. This have +been reported, but I’m afraid that there are not an estimated date for +updating the Errata documents. +Please accept our apologies for any inconveniences this may cause." + +Fixes: 6f2a6a52560a ("mtd: nand: gpmi: reset BCH earlier, too, to avoid NAND startup problems") +Cc: stable@vger.kernel.org +Signed-off-by: Manfred Schlaegl <manfred.schlaegl@ginzinger.com> +Signed-off-by: Martin Kepplinger <martin.kepplinger@ginzinger.com> +Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com> +Reviewed-by: Fabio Estevam <festevam@gmail.com> +Acked-by: Han Xu <han.xu@nxp.com> +Signed-off-by: Boris Brezillon <bbrezillon@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/mtd/nand/gpmi-nand/gpmi-lib.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/drivers/mtd/nand/gpmi-nand/gpmi-lib.c b/drivers/mtd/nand/gpmi-nand/gpmi-lib.c +index 43fa16b5f510..672c02e32a39 100644 +--- a/drivers/mtd/nand/gpmi-nand/gpmi-lib.c ++++ b/drivers/mtd/nand/gpmi-nand/gpmi-lib.c +@@ -168,9 +168,10 @@ int gpmi_init(struct gpmi_nand_data *this) + + /* + * Reset BCH here, too. We got failures otherwise :( +- * See later BCH reset for explanation of MX23 handling ++ * See later BCH reset for explanation of MX23 and MX28 handling + */ +- ret = gpmi_reset_block(r->bch_regs, GPMI_IS_MX23(this)); ++ ret = gpmi_reset_block(r->bch_regs, ++ GPMI_IS_MX23(this) || GPMI_IS_MX28(this)); + if (ret) + goto err_out; + +@@ -274,13 +275,11 @@ int bch_set_geometry(struct gpmi_nand_data *this) + + /* + * Due to erratum #2847 of the MX23, the BCH cannot be soft reset on this +- * chip, otherwise it will lock up. So we skip resetting BCH on the MX23. +- * On the other hand, the MX28 needs the reset, because one case has been +- * seen where the BCH produced ECC errors constantly after 10000 +- * consecutive reboots. The latter case has not been seen on the MX23 +- * yet, still we don't know if it could happen there as well. ++ * chip, otherwise it will lock up. So we skip resetting BCH on the MX23 ++ * and MX28. + */ +- ret = gpmi_reset_block(r->bch_regs, GPMI_IS_MX23(this)); ++ ret = gpmi_reset_block(r->bch_regs, ++ GPMI_IS_MX23(this) || GPMI_IS_MX28(this)); + if (ret) + goto err_out; + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-098-signal-Always-notice-exiting-tasks.patch b/patches.kernel.org/4.4.175-098-signal-Always-notice-exiting-tasks.patch new file mode 100644 index 0000000000..7b8e343f43 --- /dev/null +++ b/patches.kernel.org/4.4.175-098-signal-Always-notice-exiting-tasks.patch @@ -0,0 +1,70 @@ +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Wed, 6 Feb 2019 18:39:40 -0600 +Subject: [PATCH] signal: Always notice exiting tasks +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 35634ffa1751b6efd8cf75010b509dcb0263e29b + +commit 35634ffa1751b6efd8cf75010b509dcb0263e29b upstream. + +Recently syzkaller was able to create unkillablle processes by +creating a timer that is delivered as a thread local signal on SIGHUP, +and receiving SIGHUP SA_NODEFERER. Ultimately causing a loop +failing to deliver SIGHUP but always trying. + +Upon examination it turns out part of the problem is actually most of +the solution. Since 2.5 signal delivery has found all fatal signals, +marked the signal group for death, and queued SIGKILL in every threads +thread queue relying on signal->group_exit_code to preserve the +information of which was the actual fatal signal. + +The conversion of all fatal signals to SIGKILL results in the +synchronous signal heuristic in next_signal kicking in and preferring +SIGHUP to SIGKILL. Which is especially problematic as all +fatal signals have already been transformed into SIGKILL. + +Instead of dequeueing signals and depending upon SIGKILL to +be the first signal dequeued, first test if the signal group +has already been marked for death. This guarantees that +nothing in the signal queue can prevent a process that needs +to exit from exiting. + +Cc: stable@vger.kernel.org +Tested-by: Dmitry Vyukov <dvyukov@google.com> +Reported-by: Dmitry Vyukov <dvyukov@google.com> +Ref: ebf5ebe31d2c ("[PATCH] signal-fixes-2.5.59-A4") +History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + kernel/signal.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/kernel/signal.c b/kernel/signal.c +index 5b1313309356..f26cabeb705d 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -2198,6 +2198,11 @@ int get_signal(struct ksignal *ksig) + goto relock; + } + ++ /* Has this task already been marked for death? */ ++ ksig->info.si_signo = signr = SIGKILL; ++ if (signal_group_exit(signal)) ++ goto fatal; ++ + for (;;) { + struct k_sigaction *ka; + +@@ -2293,6 +2298,7 @@ int get_signal(struct ksignal *ksig) + continue; + } + ++ fatal: + spin_unlock_irq(&sighand->siglock); + + /* +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-099-signal-Better-detection-of-synchronous-signal.patch b/patches.kernel.org/4.4.175-099-signal-Better-detection-of-synchronous-signal.patch new file mode 100644 index 0000000000..d89f023a8e --- /dev/null +++ b/patches.kernel.org/4.4.175-099-signal-Better-detection-of-synchronous-signal.patch @@ -0,0 +1,121 @@ +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Wed, 6 Feb 2019 17:51:47 -0600 +Subject: [PATCH] signal: Better detection of synchronous signals +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 7146db3317c67b517258cb5e1b08af387da0618b + +commit 7146db3317c67b517258cb5e1b08af387da0618b upstream. + +Recently syzkaller was able to create unkillablle processes by +creating a timer that is delivered as a thread local signal on SIGHUP, +and receiving SIGHUP SA_NODEFERER. Ultimately causing a loop failing +to deliver SIGHUP but always trying. + +When the stack overflows delivery of SIGHUP fails and force_sigsegv is +called. Unfortunately because SIGSEGV is numerically higher than +SIGHUP next_signal tries again to deliver a SIGHUP. + +From a quality of implementation standpoint attempting to deliver the +timer SIGHUP signal is wrong. We should attempt to deliver the +synchronous SIGSEGV signal we just forced. + +We can make that happening in a fairly straight forward manner by +instead of just looking at the signal number we also look at the +si_code. In particular for exceptions (aka synchronous signals) the +si_code is always greater than 0. + +That still has the potential to pick up a number of asynchronous +signals as in a few cases the same si_codes that are used +for synchronous signals are also used for asynchronous signals, +and SI_KERNEL is also included in the list of possible si_codes. + +Still the heuristic is much better and timer signals are definitely +excluded. Which is enough to prevent all known ways for someone +sending a process signals fast enough to cause unexpected and +arguably incorrect behavior. + +Cc: stable@vger.kernel.org +Fixes: a27341cd5fcb ("Prioritize synchronous signals over 'normal' signals") +Tested-by: Dmitry Vyukov <dvyukov@google.com> +Reported-by: Dmitry Vyukov <dvyukov@google.com> +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + kernel/signal.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 51 insertions(+), 1 deletion(-) + +diff --git a/kernel/signal.c b/kernel/signal.c +index f26cabeb705d..e464a2ef4ff5 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -696,6 +696,48 @@ static inline bool si_fromuser(const struct siginfo *info) + (!is_si_special(info) && SI_FROMUSER(info)); + } + ++static int dequeue_synchronous_signal(siginfo_t *info) ++{ ++ struct task_struct *tsk = current; ++ struct sigpending *pending = &tsk->pending; ++ struct sigqueue *q, *sync = NULL; ++ ++ /* ++ * Might a synchronous signal be in the queue? ++ */ ++ if (!((pending->signal.sig[0] & ~tsk->blocked.sig[0]) & SYNCHRONOUS_MASK)) ++ return 0; ++ ++ /* ++ * Return the first synchronous signal in the queue. ++ */ ++ list_for_each_entry(q, &pending->list, list) { ++ /* Synchronous signals have a postive si_code */ ++ if ((q->info.si_code > SI_USER) && ++ (sigmask(q->info.si_signo) & SYNCHRONOUS_MASK)) { ++ sync = q; ++ goto next; ++ } ++ } ++ return 0; ++next: ++ /* ++ * Check if there is another siginfo for the same signal. ++ */ ++ list_for_each_entry_continue(q, &pending->list, list) { ++ if (q->info.si_signo == sync->info.si_signo) ++ goto still_pending; ++ } ++ ++ sigdelset(&pending->signal, sync->info.si_signo); ++ recalc_sigpending(); ++still_pending: ++ list_del_init(&sync->list); ++ copy_siginfo(info, &sync->info); ++ __sigqueue_free(sync); ++ return info->si_signo; ++} ++ + /* + * called with RCU read lock from check_kill_permission() + */ +@@ -2216,7 +2258,15 @@ int get_signal(struct ksignal *ksig) + goto relock; + } + +- signr = dequeue_signal(current, ¤t->blocked, &ksig->info); ++ /* ++ * Signals generated by the execution of an instruction ++ * need to be delivered before any other pending signals ++ * so that the instruction pointer in the signal stack ++ * frame points to the faulting instruction. ++ */ ++ signr = dequeue_synchronous_signal(&ksig->info); ++ if (!signr) ++ signr = dequeue_signal(current, ¤t->blocked, &ksig->info); + + if (!signr) + break; /* will return 0 */ +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-100-misc-vexpress-Off-by-one-in-vexpress_syscfg_e.patch b/patches.kernel.org/4.4.175-100-misc-vexpress-Off-by-one-in-vexpress_syscfg_e.patch new file mode 100644 index 0000000000..7f506d1b7d --- /dev/null +++ b/patches.kernel.org/4.4.175-100-misc-vexpress-Off-by-one-in-vexpress_syscfg_e.patch @@ -0,0 +1,40 @@ +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Mon, 3 Dec 2018 17:52:19 +0300 +Subject: [PATCH] misc: vexpress: Off by one in vexpress_syscfg_exec() +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: f8a70d8b889f180e6860cb1f85fed43d37844c5a + +commit f8a70d8b889f180e6860cb1f85fed43d37844c5a upstream. + +The > comparison should be >= to prevent reading beyond the end of the +func->template[] array. + +(The func->template array is allocated in vexpress_syscfg_regmap_init() +and it has func->num_templates elements.) + +Fixes: 974cc7b93441 ("mfd: vexpress: Define the device as MFD cells") +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Acked-by: Sudeep Holla <sudeep.holla@arm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/misc/vexpress-syscfg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/misc/vexpress-syscfg.c b/drivers/misc/vexpress-syscfg.c +index c344483fa7d6..9f257c53e6d4 100644 +--- a/drivers/misc/vexpress-syscfg.c ++++ b/drivers/misc/vexpress-syscfg.c +@@ -61,7 +61,7 @@ static int vexpress_syscfg_exec(struct vexpress_syscfg_func *func, + int tries; + long timeout; + +- if (WARN_ON(index > func->num_templates)) ++ if (WARN_ON(index >= func->num_templates)) + return -EINVAL; + + command = readl(syscfg->base + SYS_CFGCTRL); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-101-debugfs-fix-debugfs_rename-parameter-checking.patch b/patches.kernel.org/4.4.175-101-debugfs-fix-debugfs_rename-parameter-checking.patch new file mode 100644 index 0000000000..5d86a142a5 --- /dev/null +++ b/patches.kernel.org/4.4.175-101-debugfs-fix-debugfs_rename-parameter-checking.patch @@ -0,0 +1,44 @@ +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Date: Wed, 23 Jan 2019 11:27:02 +0100 +Subject: [PATCH] debugfs: fix debugfs_rename parameter checking +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: d88c93f090f708c18195553b352b9f205e65418f + +commit d88c93f090f708c18195553b352b9f205e65418f upstream. + +debugfs_rename() needs to check that the dentries passed into it really +are valid, as sometimes they are not (i.e. if the return value of +another debugfs call is passed into this one.) So fix this up by +properly checking if the two parent directories are errors (they are +allowed to be NULL), and if the dentry to rename is not NULL or an +error. + +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/debugfs/inode.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c +index e49ba072bd64..22fe11baef2b 100644 +--- a/fs/debugfs/inode.c ++++ b/fs/debugfs/inode.c +@@ -671,6 +671,13 @@ struct dentry *debugfs_rename(struct dentry *old_dir, struct dentry *old_dentry, + struct dentry *dentry = NULL, *trap; + struct name_snapshot old_name; + ++ if (IS_ERR(old_dir)) ++ return old_dir; ++ if (IS_ERR(new_dir)) ++ return new_dir; ++ if (IS_ERR_OR_NULL(old_dentry)) ++ return old_dentry; ++ + trap = lock_rename(new_dir, old_dir); + /* Source or destination directories don't exist? */ + if (d_really_is_negative(old_dir) || d_really_is_negative(new_dir)) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-102-mips-cm-reprime-error-cause.patch b/patches.kernel.org/4.4.175-102-mips-cm-reprime-error-cause.patch new file mode 100644 index 0000000000..00950851dc --- /dev/null +++ b/patches.kernel.org/4.4.175-102-mips-cm-reprime-error-cause.patch @@ -0,0 +1,47 @@ +From: Vladimir Kondratiev <vladimir.kondratiev@linux.intel.com> +Date: Wed, 6 Feb 2019 13:46:17 +0200 +Subject: [PATCH] mips: cm: reprime error cause +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 05dc6001af0630e200ad5ea08707187fe5537e6d + +commit 05dc6001af0630e200ad5ea08707187fe5537e6d upstream. + +Accordingly to the documentation +---cut--- +The GCR_ERROR_CAUSE.ERR_TYPE field and the GCR_ERROR_MULT.ERR_TYPE +fields can be cleared by either a reset or by writing the current +value of GCR_ERROR_CAUSE.ERR_TYPE to the +GCR_ERROR_CAUSE.ERR_TYPE register. +---cut--- +Do exactly this. Original value of cm_error may be safely written back; +it clears error cause and keeps other bits untouched. + +Fixes: 3885c2b463f6 ("MIPS: CM: Add support for reporting CM cache errors") +Signed-off-by: Vladimir Kondratiev <vladimir.kondratiev@linux.intel.com> +Signed-off-by: Paul Burton <paul.burton@mips.com> +Cc: Ralf Baechle <ralf@linux-mips.org> +Cc: James Hogan <jhogan@kernel.org> +Cc: linux-mips@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org # v4.3+ +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/mips/kernel/mips-cm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/kernel/mips-cm.c b/arch/mips/kernel/mips-cm.c +index 1448c1f43d4e..76f18c56141c 100644 +--- a/arch/mips/kernel/mips-cm.c ++++ b/arch/mips/kernel/mips-cm.c +@@ -424,5 +424,5 @@ void mips_cm_error_report(void) + } + + /* reprime cause register */ +- write_gcr_error_cause(0); ++ write_gcr_error_cause(cm_error); + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-103-MIPS-OCTEON-don-t-set-octeon_dma_bar_type-if-.patch b/patches.kernel.org/4.4.175-103-MIPS-OCTEON-don-t-set-octeon_dma_bar_type-if-.patch new file mode 100644 index 0000000000..8a54bb39b2 --- /dev/null +++ b/patches.kernel.org/4.4.175-103-MIPS-OCTEON-don-t-set-octeon_dma_bar_type-if-.patch @@ -0,0 +1,55 @@ +From: Aaro Koskinen <aaro.koskinen@iki.fi> +Date: Sun, 27 Jan 2019 23:28:33 +0200 +Subject: [PATCH] MIPS: OCTEON: don't set octeon_dma_bar_type if PCI is + disabled +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: dcf300a69ac307053dfb35c2e33972e754a98bce + +commit dcf300a69ac307053dfb35c2e33972e754a98bce upstream. + +Don't set octeon_dma_bar_type if PCI is disabled. This avoids creation +of the MSI irqchip later on, and saves a bit of memory. + +Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi> +Signed-off-by: Paul Burton <paul.burton@mips.com> +Fixes: a214720cbf50 ("Disable MSI also when pcie-octeon.pcie_disable on") +Cc: stable@vger.kernel.org # v3.3+ +Cc: linux-mips@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/mips/pci/pci-octeon.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/mips/pci/pci-octeon.c b/arch/mips/pci/pci-octeon.c +index c258cd406fbb..b36bbda31058 100644 +--- a/arch/mips/pci/pci-octeon.c ++++ b/arch/mips/pci/pci-octeon.c +@@ -571,6 +571,11 @@ static int __init octeon_pci_setup(void) + if (octeon_has_feature(OCTEON_FEATURE_PCIE)) + return 0; + ++ if (!octeon_is_pci_host()) { ++ pr_notice("Not in host mode, PCI Controller not initialized\n"); ++ return 0; ++ } ++ + /* Point pcibios_map_irq() to the PCI version of it */ + octeon_pcibios_map_irq = octeon_pci_pcibios_map_irq; + +@@ -582,11 +587,6 @@ static int __init octeon_pci_setup(void) + else + octeon_dma_bar_type = OCTEON_DMA_BAR_TYPE_BIG; + +- if (!octeon_is_pci_host()) { +- pr_notice("Not in host mode, PCI Controller not initialized\n"); +- return 0; +- } +- + /* PCI I/O and PCI MEM values */ + set_io_port_base(OCTEON_PCI_IOSPACE_BASE); + ioport_resource.start = 0; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-104-MIPS-VDSO-Include-ccflags-vdso-in-o32-n32-.ld.patch b/patches.kernel.org/4.4.175-104-MIPS-VDSO-Include-ccflags-vdso-in-o32-n32-.ld.patch new file mode 100644 index 0000000000..7f6d22e949 --- /dev/null +++ b/patches.kernel.org/4.4.175-104-MIPS-VDSO-Include-ccflags-vdso-in-o32-n32-.ld.patch @@ -0,0 +1,67 @@ +From: Paul Burton <paul.burton@mips.com> +Date: Mon, 28 Jan 2019 23:16:22 +0000 +Subject: [PATCH] MIPS: VDSO: Include $(ccflags-vdso) in o32,n32 .lds builds +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 67fc5dc8a541e8f458d7f08bf88ff55933bf9f9d + +commit 67fc5dc8a541e8f458d7f08bf88ff55933bf9f9d upstream. + +When generating vdso-o32.lds & vdso-n32.lds for use with programs +running as compat ABIs under 64b kernels, we previously haven't included +the compiler flags that are supposedly common to all ABIs - ie. those in +the ccflags-vdso variable. + +This is problematic in cases where we need to provide the -m%-float flag +in order to ensure that we don't attempt to use a floating point ABI +that's incompatible with the target CPU & ABI. For example a toolchain +using current gcc trunk configured --with-fp-32=xx fails to build a +64r6el_defconfig kernel with the following error: + + cc1: error: '-march=mips1' requires '-mfp32' + make[2]: *** [arch/mips/vdso/Makefile:135: arch/mips/vdso/vdso-o32.lds] Error 1 + +Include $(ccflags-vdso) for the compat VDSO .lds builds, just as it is +included for the native VDSO .lds & when compiling objects for the +compat VDSOs. This ensures we consistently provide the -msoft-float flag +amongst others, avoiding the problem by ensuring we're agnostic to the +toolchain defaults. + +Signed-off-by: Paul Burton <paul.burton@mips.com> +Fixes: ebb5e78cc634 ("MIPS: Initial implementation of a VDSO") +Cc: linux-mips@vger.kernel.org +Cc: Kevin Hilman <khilman@baylibre.com> +Cc: Guenter Roeck <linux@roeck-us.net> +Cc: Maciej W . Rozycki <macro@linux-mips.org> +Cc: stable@vger.kernel.org # v4.4+ +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/mips/vdso/Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/vdso/Makefile b/arch/mips/vdso/Makefile +index 6c7d78546eee..886005b1e87d 100644 +--- a/arch/mips/vdso/Makefile ++++ b/arch/mips/vdso/Makefile +@@ -107,7 +107,7 @@ $(obj)/%-o32.o: $(src)/%.c FORCE + $(call cmd,force_checksrc) + $(call if_changed_rule,cc_o_c) + +-$(obj)/vdso-o32.lds: KBUILD_CPPFLAGS := -mabi=32 ++$(obj)/vdso-o32.lds: KBUILD_CPPFLAGS := $(ccflags-vdso) -mabi=32 + $(obj)/vdso-o32.lds: $(src)/vdso.lds.S FORCE + $(call if_changed_dep,cpp_lds_S) + +@@ -143,7 +143,7 @@ $(obj)/%-n32.o: $(src)/%.c FORCE + $(call cmd,force_checksrc) + $(call if_changed_rule,cc_o_c) + +-$(obj)/vdso-n32.lds: KBUILD_CPPFLAGS := -mabi=n32 ++$(obj)/vdso-n32.lds: KBUILD_CPPFLAGS := $(ccflags-vdso) -mabi=n32 + $(obj)/vdso-n32.lds: $(src)/vdso.lds.S FORCE + $(call if_changed_dep,cpp_lds_S) + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-105-ARM-iop32x-n2100-fix-PCI-IRQ-mapping.patch b/patches.kernel.org/4.4.175-105-ARM-iop32x-n2100-fix-PCI-IRQ-mapping.patch new file mode 100644 index 0000000000..925bd2ffbf --- /dev/null +++ b/patches.kernel.org/4.4.175-105-ARM-iop32x-n2100-fix-PCI-IRQ-mapping.patch @@ -0,0 +1,38 @@ +From: Russell King <rmk+kernel@armlinux.org.uk> +Date: Fri, 25 Jan 2019 20:10:15 +0000 +Subject: [PATCH] ARM: iop32x/n2100: fix PCI IRQ mapping +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: db4090920ba2d61a5827a23e441447926a02ffee + +commit db4090920ba2d61a5827a23e441447926a02ffee upstream. + +Booting 4.20 on a TheCUS N2100 results in a kernel oops while probing +PCI, due to n2100_pci_map_irq() having been discarded during boot. + +Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> +Cc: stable@vger.kernel.org # 2.6.18+ +Signed-off-by: Arnd Bergmann <arnd@arndb.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/arm/mach-iop32x/n2100.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/arm/mach-iop32x/n2100.c b/arch/arm/mach-iop32x/n2100.c +index c1cd80ecc219..a904244264ce 100644 +--- a/arch/arm/mach-iop32x/n2100.c ++++ b/arch/arm/mach-iop32x/n2100.c +@@ -75,8 +75,7 @@ void __init n2100_map_io(void) + /* + * N2100 PCI. + */ +-static int __init +-n2100_pci_map_irq(const struct pci_dev *dev, u8 slot, u8 pin) ++static int n2100_pci_map_irq(const struct pci_dev *dev, u8 slot, u8 pin) + { + int irq; + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-106-mac80211-ensure-that-mgmt-tx-skbs-have-tailro.patch b/patches.kernel.org/4.4.175-106-mac80211-ensure-that-mgmt-tx-skbs-have-tailro.patch new file mode 100644 index 0000000000..932890c4b0 --- /dev/null +++ b/patches.kernel.org/4.4.175-106-mac80211-ensure-that-mgmt-tx-skbs-have-tailro.patch @@ -0,0 +1,63 @@ +From: Felix Fietkau <nbd@nbd.name> +Date: Tue, 29 Jan 2019 11:10:57 +0100 +Subject: [PATCH] mac80211: ensure that mgmt tx skbs have tailroom for + encryption +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 9d0f50b80222dc273e67e4e14410fcfa4130a90c + +commit 9d0f50b80222dc273e67e4e14410fcfa4130a90c upstream. + +Some drivers use IEEE80211_KEY_FLAG_SW_MGMT_TX to indicate that management +frames need to be software encrypted. Since normal data packets are still +encrypted by the hardware, crypto_tx_tailroom_needed_cnt gets decremented +after key upload to hw. This can lead to passing skbs to ccmp_encrypt_skb, +which don't have the necessary tailroom for software encryption. + +Change the code to add tailroom for encrypted management packets, even if +crypto_tx_tailroom_needed_cnt is 0. + +Cc: stable@vger.kernel.org +Signed-off-by: Felix Fietkau <nbd@nbd.name> +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/mac80211/tx.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index c1c27a516e45..41f3eb565ef3 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -1599,9 +1599,16 @@ static int ieee80211_skb_resize(struct ieee80211_sub_if_data *sdata, + int head_need, bool may_encrypt) + { + struct ieee80211_local *local = sdata->local; ++ struct ieee80211_hdr *hdr; ++ bool enc_tailroom; + int tail_need = 0; + +- if (may_encrypt && sdata->crypto_tx_tailroom_needed_cnt) { ++ hdr = (struct ieee80211_hdr *) skb->data; ++ enc_tailroom = may_encrypt && ++ (sdata->crypto_tx_tailroom_needed_cnt || ++ ieee80211_is_mgmt(hdr->frame_control)); ++ ++ if (enc_tailroom) { + tail_need = IEEE80211_ENCRYPT_TAILROOM; + tail_need -= skb_tailroom(skb); + tail_need = max_t(int, tail_need, 0); +@@ -1609,8 +1616,7 @@ static int ieee80211_skb_resize(struct ieee80211_sub_if_data *sdata, + + if (skb_cloned(skb) && + (!ieee80211_hw_check(&local->hw, SUPPORTS_CLONED_SKBS) || +- !skb_clone_writable(skb, ETH_HLEN) || +- (may_encrypt && sdata->crypto_tx_tailroom_needed_cnt))) ++ !skb_clone_writable(skb, ETH_HLEN) || enc_tailroom)) + I802_DEBUG_INC(local->tx_expand_skb_head_cloned); + else if (head_need || tail_need) + I802_DEBUG_INC(local->tx_expand_skb_head); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-107-drm-modes-Prevent-division-by-zero-htotal.patch b/patches.kernel.org/4.4.175-107-drm-modes-Prevent-division-by-zero-htotal.patch new file mode 100644 index 0000000000..972f6709af --- /dev/null +++ b/patches.kernel.org/4.4.175-107-drm-modes-Prevent-division-by-zero-htotal.patch @@ -0,0 +1,107 @@ +From: Tina Zhang <tina.zhang@intel.com> +Date: Wed, 23 Jan 2019 15:28:59 +0800 +Subject: [PATCH] drm/modes: Prevent division by zero htotal +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: a2fcd5c84f7a7825e028381b10182439067aa90d + +commit a2fcd5c84f7a7825e028381b10182439067aa90d upstream. + +This patch prevents division by zero htotal. + +In a follow-up mail Tina writes: + +> > How did you manage to get here with htotal == 0? This needs backtraces (or if +> > this is just about static checkers, a mention of that). +> > -Daniel +> +> In GVT-g, we are trying to enable a virtual display w/o setting timings for a pipe +> (a.k.a htotal=0), then we met the following kernel panic: +> +> [ 32.832048] divide error: 0000 [#1] SMP PTI +> [ 32.833614] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.18.0-rc4-sriov+ #33 +> [ 32.834438] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.10.1-0-g8891697-dirty-20180511_165818-tinazhang-linux-1 04/01/2014 +> [ 32.835901] RIP: 0010:drm_mode_hsync+0x1e/0x40 +> [ 32.836004] Code: 31 c0 c3 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 8b 87 d8 00 00 00 85 c0 75 22 8b 4f 68 85 c9 78 1b 69 47 58 e8 03 00 00 99 <f7> f9 b9 d3 4d 62 10 05 f4 01 00 00 f7 e1 89 d0 c1 e8 06 f3 c3 66 +> [ 32.836004] RSP: 0000:ffffc900000ebb90 EFLAGS: 00010206 +> [ 32.836004] RAX: 0000000000000000 RBX: ffff88001c67c8a0 RCX: 0000000000000000 +> [ 32.836004] RDX: 0000000000000000 RSI: ffff88001c67c000 RDI: ffff88001c67c8a0 +> [ 32.836004] RBP: ffff88001c7d03a0 R08: ffff88001c67c8a0 R09: ffff88001c7d0330 +> [ 32.836004] R10: ffffffff822c3a98 R11: 0000000000000001 R12: ffff88001c67c000 +> [ 32.836004] R13: ffff88001c7d0370 R14: ffffffff8207eb78 R15: ffff88001c67c800 +> [ 32.836004] FS: 0000000000000000(0000) GS:ffff88001da00000(0000) knlGS:0000000000000000 +> [ 32.836004] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +> [ 32.836004] CR2: 0000000000000000 CR3: 000000000220a000 CR4: 00000000000006f0 +> [ 32.836004] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +> [ 32.836004] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +> [ 32.836004] Call Trace: +> [ 32.836004] intel_mode_from_pipe_config+0x72/0x90 +> [ 32.836004] intel_modeset_setup_hw_state+0x569/0xf90 +> [ 32.836004] intel_modeset_init+0x905/0x1db0 +> [ 32.836004] i915_driver_load+0xb8c/0x1120 +> [ 32.836004] i915_pci_probe+0x4d/0xb0 +> [ 32.836004] local_pci_probe+0x44/0xa0 +> [ 32.836004] ? pci_assign_irq+0x27/0x130 +> [ 32.836004] pci_device_probe+0x102/0x1c0 +> [ 32.836004] driver_probe_device+0x2b8/0x480 +> [ 32.836004] __driver_attach+0x109/0x110 +> [ 32.836004] ? driver_probe_device+0x480/0x480 +> [ 32.836004] bus_for_each_dev+0x67/0xc0 +> [ 32.836004] ? klist_add_tail+0x3b/0x70 +> [ 32.836004] bus_add_driver+0x1e8/0x260 +> [ 32.836004] driver_register+0x5b/0xe0 +> [ 32.836004] ? mipi_dsi_bus_init+0x11/0x11 +> [ 32.836004] do_one_initcall+0x4d/0x1eb +> [ 32.836004] kernel_init_freeable+0x197/0x237 +> [ 32.836004] ? rest_init+0xd0/0xd0 +> [ 32.836004] kernel_init+0xa/0x110 +> [ 32.836004] ret_from_fork+0x35/0x40 +> [ 32.836004] Modules linked in: +> [ 32.859183] ---[ end trace 525608b0ed0e8665 ]--- +> [ 32.859722] RIP: 0010:drm_mode_hsync+0x1e/0x40 +> [ 32.860287] Code: 31 c0 c3 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 8b 87 d8 00 00 00 85 c0 75 22 8b 4f 68 85 c9 78 1b 69 47 58 e8 03 00 00 99 <f7> f9 b9 d3 4d 62 10 05 f4 01 00 00 f7 e1 89 d0 c1 e8 06 f3 c3 66 +> [ 32.862680] RSP: 0000:ffffc900000ebb90 EFLAGS: 00010206 +> [ 32.863309] RAX: 0000000000000000 RBX: ffff88001c67c8a0 RCX: 0000000000000000 +> [ 32.864182] RDX: 0000000000000000 RSI: ffff88001c67c000 RDI: ffff88001c67c8a0 +> [ 32.865206] RBP: ffff88001c7d03a0 R08: ffff88001c67c8a0 R09: ffff88001c7d0330 +> [ 32.866359] R10: ffffffff822c3a98 R11: 0000000000000001 R12: ffff88001c67c000 +> [ 32.867213] R13: ffff88001c7d0370 R14: ffffffff8207eb78 R15: ffff88001c67c800 +> [ 32.868075] FS: 0000000000000000(0000) GS:ffff88001da00000(0000) knlGS:0000000000000000 +> [ 32.868983] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +> [ 32.869659] CR2: 0000000000000000 CR3: 000000000220a000 CR4: 00000000000006f0 +> [ 32.870599] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +> [ 32.871598] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +> [ 32.872549] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b +> +> Since drm_mode_hsync() has the logic to check mode->htotal, I just extend it to cover the case htotal==0. + +Signed-off-by: Tina Zhang <tina.zhang@intel.com> +Cc: Adam Jackson <ajax@redhat.com> +Cc: Dave Airlie <airlied@redhat.com> +Cc: Daniel Vetter <daniel@ffwll.ch> +[danvet: Add additional explanations + cc: stable.] +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> +Link: https://patchwork.freedesktop.org/patch/msgid/1548228539-3061-1-git-send-email-tina.zhang@intel.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/gpu/drm/drm_modes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c +index 71a10f08522e..a5b052203c2c 100644 +--- a/drivers/gpu/drm/drm_modes.c ++++ b/drivers/gpu/drm/drm_modes.c +@@ -722,7 +722,7 @@ int drm_mode_hsync(const struct drm_display_mode *mode) + if (mode->hsync) + return mode->hsync; + +- if (mode->htotal < 0) ++ if (mode->htotal <= 0) + return 0; + + calc_val = (mode->clock * 1000) / mode->htotal; /* hsync in Hz */ +-- +2.20.1 + diff --git a/patches.fixes/0001-drm-vmwgfx-Fix-setting-of-dma-masks.patch b/patches.kernel.org/4.4.175-108-drm-vmwgfx-Fix-setting-of-dma-masks.patch index f096e24b5b..2f6421ebee 100644 --- a/patches.fixes/0001-drm-vmwgfx-Fix-setting-of-dma-masks.patch +++ b/patches.kernel.org/4.4.175-108-drm-vmwgfx-Fix-setting-of-dma-masks.patch @@ -1,10 +1,11 @@ -From 4cbfa1e6c09e98450aab3240e5119b0ab2c9795b Mon Sep 17 00:00:00 2001 From: Thomas Hellstrom <thellstrom@vmware.com> Date: Mon, 28 Jan 2019 10:31:33 +0100 -Subject: drm/vmwgfx: Fix setting of dma masks +Subject: [PATCH] drm/vmwgfx: Fix setting of dma masks +Patch-mainline: 4.4.175 +References: bnc#1012382 bsc#1106929 Git-commit: 4cbfa1e6c09e98450aab3240e5119b0ab2c9795b -Patch-mainline: v5.0-rc6 -References: bsc#1106929 + +commit 4cbfa1e6c09e98450aab3240e5119b0ab2c9795b upstream. Previously we set only the dma mask and not the coherent mask. Fix that. Also, for clarity, make sure both are initially set to 64 bits. @@ -13,14 +14,17 @@ Cc: <stable@vger.kernel.org> Fixes: 0d00c488f3de: ("drm/vmwgfx: Fix the driver for large dma addresses") Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> Reviewed-by: Deepak Rawat <drawat@vmware.com> -Acked-by: Thomas Zimmermann <tzimmermann@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- - drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 9 ++++++--- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +index be3971b22a02..ed92b9ac01b2 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c -@@ -594,13 +594,16 @@ out_fixup: +@@ -594,13 +594,16 @@ static int vmw_dma_select_mode(struct vmw_private *dev_priv) static int vmw_dma_masks(struct vmw_private *dev_priv) { struct drm_device *dev = dev_priv->dev; @@ -40,3 +44,6 @@ Acked-by: Thomas Zimmermann <tzimmermann@suse.de> } #else static int vmw_dma_masks(struct vmw_private *dev_priv) +-- +2.20.1 + diff --git a/patches.fixes/0001-drm-vmwgfx-Return-error-code-from-vmw_execbuf_copy_f.patch b/patches.kernel.org/4.4.175-109-drm-vmwgfx-Return-error-code-from-vmw_execbuf.patch index e7bbade1f0..433e986421 100644 --- a/patches.fixes/0001-drm-vmwgfx-Return-error-code-from-vmw_execbuf_copy_f.patch +++ b/patches.kernel.org/4.4.175-109-drm-vmwgfx-Return-error-code-from-vmw_execbuf.patch @@ -1,10 +1,12 @@ -From 728354c005c36eaf44b6e5552372b67e60d17f56 Mon Sep 17 00:00:00 2001 From: Thomas Hellstrom <thellstrom@vmware.com> Date: Thu, 31 Jan 2019 10:55:37 +0100 -Subject: drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user +Subject: [PATCH] drm/vmwgfx: Return error code from + vmw_execbuf_copy_fence_user +Patch-mainline: 4.4.175 +References: bnc#1012382 bsc#1106929 Git-commit: 728354c005c36eaf44b6e5552372b67e60d17f56 -Patch-mainline: v5.0-rc6 -References: bsc#1106929 + +commit 728354c005c36eaf44b6e5552372b67e60d17f56 upstream. The function was unconditionally returning 0, and a caller would have to rely on the returned fence pointer being NULL to detect errors. However, @@ -18,16 +20,17 @@ Cc: <stable@vger.kernel.org> Fixes: ae2a104058e2: ("vmwgfx: Implement fence objects") Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> Reviewed-by: Deepak Rawat <drawat@vmware.com> -Acked-by: Thomas Zimmermann <tzimmermann@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c -index f2d13a72c05d..88b8178d4687 100644 +index fda8e85dd5a2..ad0dd566aded 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c -@@ -3570,7 +3570,7 @@ int vmw_execbuf_fence_commands(struct drm_file *file_priv, +@@ -3663,7 +3663,7 @@ int vmw_execbuf_fence_commands(struct drm_file *file_priv, *p_fence = NULL; } diff --git a/patches.kernel.org/4.4.175-110-HID-debug-fix-the-ring-buffer-implementation.patch b/patches.kernel.org/4.4.175-110-HID-debug-fix-the-ring-buffer-implementation.patch new file mode 100644 index 0000000000..36bd8d91aa --- /dev/null +++ b/patches.kernel.org/4.4.175-110-HID-debug-fix-the-ring-buffer-implementation.patch @@ -0,0 +1,281 @@ +From: Vladis Dronov <vdronov@redhat.com> +Date: Tue, 29 Jan 2019 11:58:35 +0100 +Subject: [PATCH] HID: debug: fix the ring buffer implementation +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 13054abbaa4f1fd4e6f3b4b63439ec033b4c8035 + +commit 13054abbaa4f1fd4e6f3b4b63439ec033b4c8035 upstream. + +Ring buffer implementation in hid_debug_event() and hid_debug_events_read() +is strange allowing lost or corrupted data. After commit 717adfdaf147 +("HID: debug: check length before copy_to_user()") it is possible to enter +an infinite loop in hid_debug_events_read() by providing 0 as count, this +locks up a system. Fix this by rewriting the ring buffer implementation +with kfifo and simplify the code. + +This fixes CVE-2019-3819. + +v2: fix an execution logic and add a comment +v3: use __set_current_state() instead of set_current_state() + +Backport to v4.4: some (tree-wide) patches are missing in v4.4 so +cherry-pick relevant pieces from: + * 6396bb22151 ("treewide: kzalloc() -> kcalloc()") + * a9a08845e9ac ("vfs: do bulk POLL* -> EPOLL* replacement") + * 92529623d242 ("HID: debug: improve hid_debug_event()") + * 174cd4b1e5fb ("sched/headers: Prepare to move signal wakeup & sigpending + methods from <linux/sched.h> into <linux/sched/signal.h>") + +Link: https://bugzilla.redhat.com/show_bug.cgi?id=1669187 +Cc: stable@vger.kernel.org # v4.18+ +Fixes: cd667ce24796 ("HID: use debugfs for events/reports dumping") +Fixes: 717adfdaf147 ("HID: debug: check length before copy_to_user()") +Signed-off-by: Vladis Dronov <vdronov@redhat.com> +Reviewed-by: Oleg Nesterov <oleg@redhat.com> +Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/hid/hid-debug.c | 122 +++++++++++++++----------------------- + include/linux/hid-debug.h | 9 ++- + 2 files changed, 52 insertions(+), 79 deletions(-) + +diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c +index 6c60f4b63d21..d7179dd3c9ef 100644 +--- a/drivers/hid/hid-debug.c ++++ b/drivers/hid/hid-debug.c +@@ -30,6 +30,7 @@ + + #include <linux/debugfs.h> + #include <linux/seq_file.h> ++#include <linux/kfifo.h> + #include <linux/sched.h> + #include <linux/export.h> + #include <linux/slab.h> +@@ -455,7 +456,7 @@ static char *resolv_usage_page(unsigned page, struct seq_file *f) { + char *buf = NULL; + + if (!f) { +- buf = kzalloc(sizeof(char) * HID_DEBUG_BUFSIZE, GFP_ATOMIC); ++ buf = kzalloc(HID_DEBUG_BUFSIZE, GFP_ATOMIC); + if (!buf) + return ERR_PTR(-ENOMEM); + } +@@ -659,17 +660,12 @@ EXPORT_SYMBOL_GPL(hid_dump_device); + /* enqueue string to 'events' ring buffer */ + void hid_debug_event(struct hid_device *hdev, char *buf) + { +- int i; + struct hid_debug_list *list; + unsigned long flags; + + spin_lock_irqsave(&hdev->debug_list_lock, flags); +- list_for_each_entry(list, &hdev->debug_list, node) { +- for (i = 0; i < strlen(buf); i++) +- list->hid_debug_buf[(list->tail + i) % HID_DEBUG_BUFSIZE] = +- buf[i]; +- list->tail = (list->tail + i) % HID_DEBUG_BUFSIZE; +- } ++ list_for_each_entry(list, &hdev->debug_list, node) ++ kfifo_in(&list->hid_debug_fifo, buf, strlen(buf)); + spin_unlock_irqrestore(&hdev->debug_list_lock, flags); + + wake_up_interruptible(&hdev->debug_wait); +@@ -720,8 +716,7 @@ void hid_dump_input(struct hid_device *hdev, struct hid_usage *usage, __s32 valu + hid_debug_event(hdev, buf); + + kfree(buf); +- wake_up_interruptible(&hdev->debug_wait); +- ++ wake_up_interruptible(&hdev->debug_wait); + } + EXPORT_SYMBOL_GPL(hid_dump_input); + +@@ -1086,8 +1081,8 @@ static int hid_debug_events_open(struct inode *inode, struct file *file) + goto out; + } + +- if (!(list->hid_debug_buf = kzalloc(sizeof(char) * HID_DEBUG_BUFSIZE, GFP_KERNEL))) { +- err = -ENOMEM; ++ err = kfifo_alloc(&list->hid_debug_fifo, HID_DEBUG_FIFOSIZE, GFP_KERNEL); ++ if (err) { + kfree(list); + goto out; + } +@@ -1107,77 +1102,57 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer, + size_t count, loff_t *ppos) + { + struct hid_debug_list *list = file->private_data; +- int ret = 0, len; ++ int ret = 0, copied; + DECLARE_WAITQUEUE(wait, current); + + mutex_lock(&list->read_mutex); +- while (ret == 0) { +- if (list->head == list->tail) { +- add_wait_queue(&list->hdev->debug_wait, &wait); +- set_current_state(TASK_INTERRUPTIBLE); +- +- while (list->head == list->tail) { +- if (file->f_flags & O_NONBLOCK) { +- ret = -EAGAIN; +- break; +- } +- if (signal_pending(current)) { +- ret = -ERESTARTSYS; +- break; +- } ++ if (kfifo_is_empty(&list->hid_debug_fifo)) { ++ add_wait_queue(&list->hdev->debug_wait, &wait); ++ set_current_state(TASK_INTERRUPTIBLE); ++ ++ while (kfifo_is_empty(&list->hid_debug_fifo)) { ++ if (file->f_flags & O_NONBLOCK) { ++ ret = -EAGAIN; ++ break; ++ } + +- if (!list->hdev || !list->hdev->debug) { +- ret = -EIO; +- set_current_state(TASK_RUNNING); +- goto out; +- } ++ if (signal_pending(current)) { ++ ret = -ERESTARTSYS; ++ break; ++ } + +- /* allow O_NONBLOCK from other threads */ +- mutex_unlock(&list->read_mutex); +- schedule(); +- mutex_lock(&list->read_mutex); +- set_current_state(TASK_INTERRUPTIBLE); ++ /* if list->hdev is NULL we cannot remove_wait_queue(). ++ * if list->hdev->debug is 0 then hid_debug_unregister() ++ * was already called and list->hdev is being destroyed. ++ * if we add remove_wait_queue() here we can hit a race. ++ */ ++ if (!list->hdev || !list->hdev->debug) { ++ ret = -EIO; ++ set_current_state(TASK_RUNNING); ++ goto out; + } + +- set_current_state(TASK_RUNNING); +- remove_wait_queue(&list->hdev->debug_wait, &wait); ++ /* allow O_NONBLOCK from other threads */ ++ mutex_unlock(&list->read_mutex); ++ schedule(); ++ mutex_lock(&list->read_mutex); ++ set_current_state(TASK_INTERRUPTIBLE); + } + +- if (ret) +- goto out; ++ __set_current_state(TASK_RUNNING); ++ remove_wait_queue(&list->hdev->debug_wait, &wait); + +- /* pass the ringbuffer contents to userspace */ +-copy_rest: +- if (list->tail == list->head) ++ if (ret) + goto out; +- if (list->tail > list->head) { +- len = list->tail - list->head; +- if (len > count) +- len = count; +- +- if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) { +- ret = -EFAULT; +- goto out; +- } +- ret += len; +- list->head += len; +- } else { +- len = HID_DEBUG_BUFSIZE - list->head; +- if (len > count) +- len = count; +- +- if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) { +- ret = -EFAULT; +- goto out; +- } +- list->head = 0; +- ret += len; +- count -= len; +- if (count > 0) +- goto copy_rest; +- } +- + } ++ ++ /* pass the fifo content to userspace, locking is not needed with only ++ * one concurrent reader and one concurrent writer ++ */ ++ ret = kfifo_to_user(&list->hid_debug_fifo, buffer, count, &copied); ++ if (ret) ++ goto out; ++ ret = copied; + out: + mutex_unlock(&list->read_mutex); + return ret; +@@ -1188,7 +1163,7 @@ static unsigned int hid_debug_events_poll(struct file *file, poll_table *wait) + struct hid_debug_list *list = file->private_data; + + poll_wait(file, &list->hdev->debug_wait, wait); +- if (list->head != list->tail) ++ if (!kfifo_is_empty(&list->hid_debug_fifo)) + return POLLIN | POLLRDNORM; + if (!list->hdev->debug) + return POLLERR | POLLHUP; +@@ -1203,7 +1178,7 @@ static int hid_debug_events_release(struct inode *inode, struct file *file) + spin_lock_irqsave(&list->hdev->debug_list_lock, flags); + list_del(&list->node); + spin_unlock_irqrestore(&list->hdev->debug_list_lock, flags); +- kfree(list->hid_debug_buf); ++ kfifo_free(&list->hid_debug_fifo); + kfree(list); + + return 0; +@@ -1254,4 +1229,3 @@ void hid_debug_exit(void) + { + debugfs_remove_recursive(hid_debug_root); + } +- +diff --git a/include/linux/hid-debug.h b/include/linux/hid-debug.h +index 8663f216c563..2d6100edf204 100644 +--- a/include/linux/hid-debug.h ++++ b/include/linux/hid-debug.h +@@ -24,7 +24,10 @@ + + #ifdef CONFIG_DEBUG_FS + ++#include <linux/kfifo.h> ++ + #define HID_DEBUG_BUFSIZE 512 ++#define HID_DEBUG_FIFOSIZE 512 + + void hid_dump_input(struct hid_device *, struct hid_usage *, __s32); + void hid_dump_report(struct hid_device *, int , u8 *, int); +@@ -37,11 +40,8 @@ void hid_debug_init(void); + void hid_debug_exit(void); + void hid_debug_event(struct hid_device *, char *); + +- + struct hid_debug_list { +- char *hid_debug_buf; +- int head; +- int tail; ++ DECLARE_KFIFO_PTR(hid_debug_fifo, char); + struct fasync_struct *fasync; + struct hid_device *hdev; + struct list_head node; +@@ -64,4 +64,3 @@ struct hid_debug_list { + #endif + + #endif +- +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-111-NFC-nxp-nci-Include-unaligned.h-instead-of-ac.patch b/patches.kernel.org/4.4.175-111-NFC-nxp-nci-Include-unaligned.h-instead-of-ac.patch new file mode 100644 index 0000000000..3d45c069ef --- /dev/null +++ b/patches.kernel.org/4.4.175-111-NFC-nxp-nci-Include-unaligned.h-instead-of-ac.patch @@ -0,0 +1,68 @@ +From: Guenter Roeck <linux@roeck-us.net> +Date: Sat, 1 Aug 2015 06:59:29 -0700 +Subject: [PATCH] NFC: nxp-nci: Include unaligned.h instead of access_ok.h +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 2eee74b7e2a496dea49847c36fd09320505f45b7 + +commit 2eee74b7e2a496dea49847c36fd09320505f45b7 upstream. + +Directly including access_ok.h can result in the following compile errors +if an architecture such as ia64 does not support direct unaligned accesses. + +include/linux/unaligned/access_ok.h:7:19: error: + redefinition of 'get_unaligned_le16' +include/linux/unaligned/le_struct.h:6:19: note: + previous definition of 'get_unaligned_le16' was here +include/linux/unaligned/access_ok.h:12:19: error: + redefinition of 'get_unaligned_le32' +include/linux/unaligned/le_struct.h:11:19: note: + previous definition of 'get_unaligned_le32' was here + +Include asm/unaligned.h instead and let the architecture decide which +access functions to use. + +Cc: Clément Perrochaud <clement.perrochaud@effinnov.com> +Cc: Samuel Ortiz <sameo@linux.intel.com> +Signed-off-by: Guenter Roeck <linux@roeck-us.net> +Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> +Cc: Matthias Kaehlcke <mka@chromium.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/nfc/nxp-nci/firmware.c | 2 +- + drivers/nfc/nxp-nci/i2c.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/nfc/nxp-nci/firmware.c b/drivers/nfc/nxp-nci/firmware.c +index 5291797324ba..553011f58339 100644 +--- a/drivers/nfc/nxp-nci/firmware.c ++++ b/drivers/nfc/nxp-nci/firmware.c +@@ -24,7 +24,7 @@ + #include <linux/completion.h> + #include <linux/firmware.h> + #include <linux/nfc.h> +-#include <linux/unaligned/access_ok.h> ++#include <asm/unaligned.h> + + #include "nxp-nci.h" + +diff --git a/drivers/nfc/nxp-nci/i2c.c b/drivers/nfc/nxp-nci/i2c.c +index df4333c7ee0f..0b1122cb5d0c 100644 +--- a/drivers/nfc/nxp-nci/i2c.c ++++ b/drivers/nfc/nxp-nci/i2c.c +@@ -36,7 +36,7 @@ + #include <linux/of_gpio.h> + #include <linux/of_irq.h> + #include <linux/platform_data/nxp-nci.h> +-#include <linux/unaligned/access_ok.h> ++#include <asm/unaligned.h> + + #include <net/nfc/nfc.h> + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-112-Revert-cifs-In-Kconfig-CONFIG_CIFS_POSIX-need.patch b/patches.kernel.org/4.4.175-112-Revert-cifs-In-Kconfig-CONFIG_CIFS_POSIX-need.patch new file mode 100644 index 0000000000..01a6e0fd75 --- /dev/null +++ b/patches.kernel.org/4.4.175-112-Revert-cifs-In-Kconfig-CONFIG_CIFS_POSIX-need.patch @@ -0,0 +1,47 @@ +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Date: Wed, 13 Feb 2019 16:01:54 +0100 +Subject: [PATCH] Revert "cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on + legacy (insecure cifs)" +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 6e785302dad32228819d8066e5376acd15d0e6ba + +This reverts commit 60da90b224ba77a934decbb8129dabc861edd526 which is +commit 6e785302dad32228819d8066e5376acd15d0e6ba upstream. + +Yi writes: + I notice that 4.4.169 merged 60da90b224ba7 ("cifs: In Kconfig + CONFIG_CIFS_POSIX needs depends on legacy (insecure cifs)") add + a Kconfig dependency CIFS_ALLOW_INSECURE_LEGACY, which was not + defined in 4.4 stable, so after this patch we are not able to + enable CIFS_POSIX anymore. Linux 4.4 stable didn't merge the + legacy dialects codes, so do we really need this patch for 4.4? + +So revert this patch. + +Reported-by: "zhangyi (F)" <yi.zhang@huawei.com> +Cc: Steve French <stfrench@microsoft.com> +Cc: Pavel Shilovsky <pshilov@microsoft.com> +Cc: Sasha Levin <sashal@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/cifs/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/cifs/Kconfig b/fs/cifs/Kconfig +index 8bef27b8f85d..e7b478b49985 100644 +--- a/fs/cifs/Kconfig ++++ b/fs/cifs/Kconfig +@@ -111,7 +111,7 @@ config CIFS_XATTR + + config CIFS_POSIX + bool "CIFS POSIX Extensions" +- depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY && CIFS_XATTR ++ depends on CIFS_XATTR + help + Enabling this option will cause the cifs client to attempt to + negotiate a newer dialect with servers, such as Samba 3.0.5 +-- +2.20.1 + diff --git a/patches.fixes/libceph-avoid-keepalive_pending-races-in-ceph_con_keepalive.patch b/patches.kernel.org/4.4.175-113-libceph-avoid-KEEPALIVE_PENDING-races-in-ceph.patch index d0b84ee127..e2b003110d 100644 --- a/patches.fixes/libceph-avoid-keepalive_pending-races-in-ceph_con_keepalive.patch +++ b/patches.kernel.org/4.4.175-113-libceph-avoid-KEEPALIVE_PENDING-races-in-ceph.patch @@ -1,9 +1,12 @@ From: Ilya Dryomov <idryomov@gmail.com> Date: Mon, 14 Jan 2019 21:13:10 +0100 -Subject: libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive() +Subject: [PATCH] libceph: avoid KEEPALIVE_PENDING races in + ceph_con_keepalive() +Patch-mainline: 4.4.175 +References: bnc#1012382 bsc#1125810 Git-commit: 4aac9228d16458cedcfd90c7fb37211cf3653ac3 -Patch-mainline: v5.0-rc4 -References: bsc#1125810 + +commit 4aac9228d16458cedcfd90c7fb37211cf3653ac3 upstream. con_fault() can transition the connection into STANDBY right after ceph_con_keepalive() clears STANDBY in clear_standby(): @@ -35,14 +38,17 @@ could have been a non-atomic flag. Reported-by: syzbot+acdeb633f6211ccdf886@syzkaller.appspotmail.com Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Tested-by: Myungho Jung <mhjungk@gmail.com> -Acked-by: Luis Henriques <lhenriques@suse.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- - net/ceph/messenger.c | 5 +++-- + net/ceph/messenger.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) +diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c +index ad3c9e96a275..3e6897efe1eb 100644 --- a/net/ceph/messenger.c +++ b/net/ceph/messenger.c -@@ -3208,9 +3208,10 @@ void ceph_con_keepalive(struct ceph_conn +@@ -3181,9 +3181,10 @@ void ceph_con_keepalive(struct ceph_connection *con) dout("con_keepalive %p\n", con); mutex_lock(&con->mutex); clear_standby(con); @@ -55,3 +61,6 @@ Acked-by: Luis Henriques <lhenriques@suse.com> queue_con(con); } EXPORT_SYMBOL(ceph_con_keepalive); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-114-xfrm-refine-validation-of-template-and-select.patch b/patches.kernel.org/4.4.175-114-xfrm-refine-validation-of-template-and-select.patch new file mode 100644 index 0000000000..b883962d21 --- /dev/null +++ b/patches.kernel.org/4.4.175-114-xfrm-refine-validation-of-template-and-select.patch @@ -0,0 +1,69 @@ +From: Florian Westphal <fw@strlen.de> +Date: Wed, 9 Jan 2019 14:37:34 +0100 +Subject: [PATCH] xfrm: refine validation of template and selector families +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 35e6103861a3a970de6c84688c6e7a1f65b164ca + +commit 35e6103861a3a970de6c84688c6e7a1f65b164ca upstream. + +The check assumes that in transport mode, the first templates family +must match the address family of the policy selector. + +Syzkaller managed to build a template using MODE_ROUTEOPTIMIZATION, +with ipv4-in-ipv6 chain, leading to following splat: + +BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x1db/0x1854 +Read of size 4 at addr ffff888063e57aa0 by task a.out/2050 + xfrm_state_find+0x1db/0x1854 + xfrm_tmpl_resolve+0x100/0x1d0 + xfrm_resolve_and_create_bundle+0x108/0x1000 [..] + +Problem is that addresses point into flowi4 struct, but xfrm_state_find +treats them as being ipv6 because it uses templ->encap_family is used +(AF_INET6 in case of reproducer) rather than family (AF_INET). + +This patch inverts the logic: Enforce 'template family must match +selector' EXCEPT for tunnel and BEET mode. + +In BEET and Tunnel mode, xfrm_tmpl_resolve_one will have remote/local +address pointers changed to point at the addresses found in the template, +rather than the flowi ones, so no oob read will occur. + +Reported-by: 3ntr0py1337@gmail.com +Reported-by: Daniel Borkmann <daniel@iogearbox.net> +Signed-off-by: Florian Westphal <fw@strlen.de> +Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/xfrm/xfrm_user.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 476f1fc6d655..177a6c75f136 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -1404,10 +1404,15 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) + if (!ut[i].family) + ut[i].family = family; + +- if ((ut[i].mode == XFRM_MODE_TRANSPORT) && +- (ut[i].family != prev_family)) +- return -EINVAL; +- ++ switch (ut[i].mode) { ++ case XFRM_MODE_TUNNEL: ++ case XFRM_MODE_BEET: ++ break; ++ default: ++ if (ut[i].family != prev_family) ++ return -EINVAL; ++ break; ++ } + if (ut[i].mode >= XFRM_MODE_MAX) + return -EINVAL; + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-115-batman-adv-Avoid-WARN-on-net_device-without-p.patch b/patches.kernel.org/4.4.175-115-batman-adv-Avoid-WARN-on-net_device-without-p.patch new file mode 100644 index 0000000000..26568734ea --- /dev/null +++ b/patches.kernel.org/4.4.175-115-batman-adv-Avoid-WARN-on-net_device-without-p.patch @@ -0,0 +1,57 @@ +From: Sven Eckelmann <sven@narfation.org> +Date: Sun, 30 Dec 2018 12:46:01 +0100 +Subject: [PATCH] batman-adv: Avoid WARN on net_device without parent in netns +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 955d3411a17f590364238bd0d3329b61f20c1cd2 + +commit 955d3411a17f590364238bd0d3329b61f20c1cd2 upstream. + +It is not allowed to use WARN* helpers on potential incorrect input from +the user or transient problems because systems configured as panic_on_warn +will reboot due to such a problem. + +A NULL return value of __dev_get_by_index can be caused by various problems +which can either be related to the system configuration or problems +(incorrectly returned network namespaces) in other (virtual) net_device +drivers. batman-adv should not cause a (harmful) WARN in this situation and +instead only report it via a simple message. + +Fixes: b7eddd0b3950 ("batman-adv: prevent using any virtual device created on batman-adv as hard-interface") +Reported-by: syzbot+c764de0fcfadca9a8595@syzkaller.appspotmail.com +Reported-by: Dmitry Vyukov <dvyukov@google.com> +Signed-off-by: Sven Eckelmann <sven@narfation.org> +Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/batman-adv/hard-interface.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c +index f11345e163d7..3c8d8142e8c6 100644 +--- a/net/batman-adv/hard-interface.c ++++ b/net/batman-adv/hard-interface.c +@@ -18,7 +18,6 @@ + #include "hard-interface.h" + #include "main.h" + +-#include <linux/bug.h> + #include <linux/byteorder/generic.h> + #include <linux/errno.h> + #include <linux/fs.h> +@@ -104,8 +103,10 @@ static bool batadv_is_on_batman_iface(const struct net_device *net_dev) + /* recurse over the parent device */ + parent_dev = __dev_get_by_index(&init_net, dev_get_iflink(net_dev)); + /* if we got a NULL parent_dev there is something broken.. */ +- if (WARN(!parent_dev, "Cannot find parent device")) ++ if (!parent_dev) { ++ pr_err("Cannot find parent device\n"); + return false; ++ } + + ret = batadv_is_on_batman_iface(parent_dev); + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-116-batman-adv-Force-mac-header-to-start-of-data-.patch b/patches.kernel.org/4.4.175-116-batman-adv-Force-mac-header-to-start-of-data-.patch new file mode 100644 index 0000000000..cf6aeae9c7 --- /dev/null +++ b/patches.kernel.org/4.4.175-116-batman-adv-Force-mac-header-to-start-of-data-.patch @@ -0,0 +1,48 @@ +From: Sven Eckelmann <sven@narfation.org> +Date: Mon, 31 Dec 2018 22:31:01 +0100 +Subject: [PATCH] batman-adv: Force mac header to start of data on xmit +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 9114daa825fc3f335f9bea3313ce667090187280 + +commit 9114daa825fc3f335f9bea3313ce667090187280 upstream. + +The caller of ndo_start_xmit may not already have called +skb_reset_mac_header. The returned value of skb_mac_header/eth_hdr +therefore can be in the wrong position and even outside the current skbuff. +This for example happens when the user binds to the device using a +PF_PACKET-SOCK_RAW with enabled qdisc-bypass: + + int opt = 4; + setsockopt(sock, SOL_PACKET, PACKET_QDISC_BYPASS, &opt, sizeof(opt)); + +Since eth_hdr is used all over the codebase, the batadv_interface_tx +function must always take care of resetting it. + +Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") +Reported-by: syzbot+9d7405c7faa390e60b4e@syzkaller.appspotmail.com +Reported-by: syzbot+7d20bc3f1ddddc0f9079@syzkaller.appspotmail.com +Signed-off-by: Sven Eckelmann <sven@narfation.org> +Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/batman-adv/soft-interface.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c +index 9f1fe6169bef..5aeb585571ed 100644 +--- a/net/batman-adv/soft-interface.c ++++ b/net/batman-adv/soft-interface.c +@@ -209,6 +209,8 @@ static int batadv_interface_tx(struct sk_buff *skb, + + soft_iface->trans_start = jiffies; + vid = batadv_get_vid(skb, 0); ++ ++ skb_reset_mac_header(skb); + ethhdr = eth_hdr(skb); + + switch (ntohs(ethhdr->h_proto)) { +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-117-Revert-exec-load_script-don-t-blindly-truncat.patch b/patches.kernel.org/4.4.175-117-Revert-exec-load_script-don-t-blindly-truncat.patch new file mode 100644 index 0000000000..7644151a48 --- /dev/null +++ b/patches.kernel.org/4.4.175-117-Revert-exec-load_script-don-t-blindly-truncat.patch @@ -0,0 +1,51 @@ +From: Linus Torvalds <torvalds@linux-foundation.org> +Date: Thu, 14 Feb 2019 15:02:18 -0800 +Subject: [PATCH] Revert "exec: load_script: don't blindly truncate shebang + string" +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: cb5b020a8d38f77209d0472a0fea755299a8ec78 + +commit cb5b020a8d38f77209d0472a0fea755299a8ec78 upstream. + +This reverts commit 8099b047ecc431518b9bb6bdbba3549bbecdc343. + +It turns out that people do actually depend on the shebang string being +truncated, and on the fact that an interpreter (like perl) will often +just re-interpret it entirely to get the full argument list. + +Reported-by: Samuel Dionne-Riel <samuel@dionne-riel.com> +Acked-by: Kees Cook <keescook@chromium.org> +Cc: Oleg Nesterov <oleg@redhat.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/binfmt_script.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c +index 634bdbb23851..afdf4e3cafc2 100644 +--- a/fs/binfmt_script.c ++++ b/fs/binfmt_script.c +@@ -43,14 +43,10 @@ static int load_script(struct linux_binprm *bprm) + fput(bprm->file); + bprm->file = NULL; + +- for (cp = bprm->buf+2;; cp++) { +- if (cp >= bprm->buf + BINPRM_BUF_SIZE) +- return -ENOEXEC; +- if (!*cp || (*cp == '\n')) +- break; +- } ++ bprm->buf[BINPRM_BUF_SIZE - 1] = '\0'; ++ if ((cp = strchr(bprm->buf, '\n')) == NULL) ++ cp = bprm->buf+BINPRM_BUF_SIZE-1; + *cp = '\0'; +- + while (cp > bprm->buf) { + cp--; + if ((*cp == ' ') || (*cp == '\t')) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-118-uapi-if_ether.h-prevent-redefinition-of-struc.patch b/patches.kernel.org/4.4.175-118-uapi-if_ether.h-prevent-redefinition-of-struc.patch new file mode 100644 index 0000000000..0e50d7a3a5 --- /dev/null +++ b/patches.kernel.org/4.4.175-118-uapi-if_ether.h-prevent-redefinition-of-struc.patch @@ -0,0 +1,70 @@ +From: Hauke Mehrtens <hauke@hauke-m.de> +Date: Thu, 14 Feb 2019 14:18:00 +0100 +Subject: [PATCH] uapi/if_ether.h: prevent redefinition of struct ethhdr +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 6926e041a8920c8ec27e4e155efa760aa01551fd + +commit 6926e041a8920c8ec27e4e155efa760aa01551fd upstream. + +Musl provides its own ethhdr struct definition. Add a guard to prevent +its definition of the appropriate musl header has already been included. + +glibc does not implement this header, but when glibc will implement this +they can just define __UAPI_DEF_ETHHDR 0 to make it work with the +kernel. + +Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Linus Walleij <linus.walleij@linaro.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + include/uapi/linux/if_ether.h | 3 +++ + include/uapi/linux/libc-compat.h | 6 ++++++ + 2 files changed, 9 insertions(+) + +diff --git a/include/uapi/linux/if_ether.h b/include/uapi/linux/if_ether.h +index 064d2026ab38..cb490cd9376f 100644 +--- a/include/uapi/linux/if_ether.h ++++ b/include/uapi/linux/if_ether.h +@@ -22,6 +22,7 @@ + #define _UAPI_LINUX_IF_ETHER_H + + #include <linux/types.h> ++#include <linux/libc-compat.h> + + /* + * IEEE 802.3 Ethernet magic constants. The frame sizes omit the preamble +@@ -136,11 +137,13 @@ + * This is an Ethernet frame header. + */ + ++#if __UAPI_DEF_ETHHDR + struct ethhdr { + unsigned char h_dest[ETH_ALEN]; /* destination eth addr */ + unsigned char h_source[ETH_ALEN]; /* source ether addr */ + __be16 h_proto; /* packet type ID field */ + } __attribute__((packed)); ++#endif + + + #endif /* _UAPI_LINUX_IF_ETHER_H */ +diff --git a/include/uapi/linux/libc-compat.h b/include/uapi/linux/libc-compat.h +index e4f048ee7043..5da44c571cdd 100644 +--- a/include/uapi/linux/libc-compat.h ++++ b/include/uapi/linux/libc-compat.h +@@ -184,4 +184,10 @@ + + #endif /* __GLIBC__ */ + ++/* Definitions for if_ether.h */ ++/* allow libcs like musl to deactivate this, glibc does not implement this. */ ++#ifndef __UAPI_DEF_ETHHDR ++#define __UAPI_DEF_ETHHDR 1 ++#endif ++ + #endif /* _UAPI_LIBC_COMPAT_H */ +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-119-ARM-dts-da850-evm-Correct-the-sound-card-name.patch b/patches.kernel.org/4.4.175-119-ARM-dts-da850-evm-Correct-the-sound-card-name.patch new file mode 100644 index 0000000000..1dbb329df4 --- /dev/null +++ b/patches.kernel.org/4.4.175-119-ARM-dts-da850-evm-Correct-the-sound-card-name.patch @@ -0,0 +1,39 @@ +From: Peter Ujfalusi <peter.ujfalusi@ti.com> +Date: Wed, 19 Dec 2018 13:47:24 +0200 +Subject: [PATCH] ARM: dts: da850-evm: Correct the sound card name +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 7fca69d4e43fa1ae9cb4f652772c132dc5a659c6 + +[ Upstream commit 7fca69d4e43fa1ae9cb4f652772c132dc5a659c6 ] + +To avoid the following error: +asoc-simple-card sound: ASoC: Failed to create card debugfs directory + +Which is because the card name contains '/' character, which can not be +used in file or directory names. + +Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com> +Signed-off-by: Sekhar Nori <nsekhar@ti.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/arm/boot/dts/da850-evm.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/da850-evm.dts b/arch/arm/boot/dts/da850-evm.dts +index 6881757b03e8..67369f284b91 100644 +--- a/arch/arm/boot/dts/da850-evm.dts ++++ b/arch/arm/boot/dts/da850-evm.dts +@@ -147,7 +147,7 @@ + + sound { + compatible = "simple-audio-card"; +- simple-audio-card,name = "DA850/OMAP-L138 EVM"; ++ simple-audio-card,name = "DA850-OMAPL138 EVM"; + simple-audio-card,widgets = + "Line", "Line In", + "Line", "Line Out"; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-120-ARM-dts-kirkwood-Fix-polarity-of-GPIO-fan-lin.patch b/patches.kernel.org/4.4.175-120-ARM-dts-kirkwood-Fix-polarity-of-GPIO-fan-lin.patch new file mode 100644 index 0000000000..8b7cb14ced --- /dev/null +++ b/patches.kernel.org/4.4.175-120-ARM-dts-kirkwood-Fix-polarity-of-GPIO-fan-lin.patch @@ -0,0 +1,51 @@ +From: Linus Walleij <linus.walleij@linaro.org> +Date: Tue, 8 Jan 2019 00:08:18 +0100 +Subject: [PATCH] ARM: dts: kirkwood: Fix polarity of GPIO fan lines +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: b5f034845e70916fd33e172fad5ad530a29c10ab + +[ Upstream commit b5f034845e70916fd33e172fad5ad530a29c10ab ] + +These two lines are active high, not active low. The bug was +found when we changed the kernel to respect the polarity defined +in the device tree. + +Fixes: 1b90e06b1429 ("ARM: kirkwood: Use devicetree to define DNS-32[05] fan") +Cc: Jamie Lentin <jm@lentin.co.uk> +Cc: Guenter Roeck <linux@roeck-us.net> +Cc: Jason Cooper <jason@lakedaemon.net> +Cc: Andrew Lunn <andrew@lunn.ch> +Cc: Gregory Clement <gregory.clement@bootlin.com> +Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com> +Cc: Julien D'Ascenzio <jdascenzio@posteo.net> +Reviewed-by: Andrew Lunn <andrew@lunn.ch> +Tested-by: Jamie Lentin <jm@lentin.co.uk> +Reported-by: Julien D'Ascenzio <jdascenzio@posteo.net> +Tested-by: Julien D'Ascenzio <jdascenzio@posteo.net> +Signed-off-by: Linus Walleij <linus.walleij@linaro.org> +Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/arm/boot/dts/kirkwood-dnskw.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/kirkwood-dnskw.dtsi b/arch/arm/boot/dts/kirkwood-dnskw.dtsi +index 113dcf056dcf..1b2dacfa6132 100644 +--- a/arch/arm/boot/dts/kirkwood-dnskw.dtsi ++++ b/arch/arm/boot/dts/kirkwood-dnskw.dtsi +@@ -35,8 +35,8 @@ + compatible = "gpio-fan"; + pinctrl-0 = <&pmx_fan_high_speed &pmx_fan_low_speed>; + pinctrl-names = "default"; +- gpios = <&gpio1 14 GPIO_ACTIVE_LOW +- &gpio1 13 GPIO_ACTIVE_LOW>; ++ gpios = <&gpio1 14 GPIO_ACTIVE_HIGH ++ &gpio1 13 GPIO_ACTIVE_HIGH>; + gpio-fan,speed-map = <0 0 + 3000 1 + 6000 2>; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-121-gpio-pl061-handle-failed-allocations.patch b/patches.kernel.org/4.4.175-121-gpio-pl061-handle-failed-allocations.patch new file mode 100644 index 0000000000..170b60fff5 --- /dev/null +++ b/patches.kernel.org/4.4.175-121-gpio-pl061-handle-failed-allocations.patch @@ -0,0 +1,46 @@ +From: Nicholas Mc Guire <hofrat@osadl.org> +Date: Sat, 1 Dec 2018 12:57:18 +0100 +Subject: [PATCH] gpio: pl061: handle failed allocations +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: df209c43a0e8258e096fb722dfbdae4f0dd13fde + +[ Upstream commit df209c43a0e8258e096fb722dfbdae4f0dd13fde ] + +devm_kzalloc(), devm_kstrdup() and devm_kasprintf() all can +fail internal allocation and return NULL. Using any of the assigned +objects without checking is not safe. As this is early in the boot +phase and these allocations really should not fail, any failure here +is probably an indication of a more serious issue so it makes little +sense to try and rollback the previous allocated resources or try to +continue; but rather the probe function is simply exited with -ENOMEM. + +Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org> +Fixes: 684284b64aae ("ARM: integrator: add MMCI device to IM-PD1") +Signed-off-by: Linus Walleij <linus.walleij@linaro.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/arm/mach-integrator/impd1.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mach-integrator/impd1.c b/arch/arm/mach-integrator/impd1.c +index 38b0da300dd5..423a88ff908c 100644 +--- a/arch/arm/mach-integrator/impd1.c ++++ b/arch/arm/mach-integrator/impd1.c +@@ -394,7 +394,11 @@ static int __init_refok impd1_probe(struct lm_device *dev) + sizeof(*lookup) + 3 * sizeof(struct gpiod_lookup), + GFP_KERNEL); + chipname = devm_kstrdup(&dev->dev, devname, GFP_KERNEL); +- mmciname = kasprintf(GFP_KERNEL, "lm%x:00700", dev->id); ++ mmciname = devm_kasprintf(&dev->dev, GFP_KERNEL, ++ "lm%x:00700", dev->id); ++ if (!lookup || !chipname || !mmciname) ++ return -ENOMEM; ++ + lookup->dev_id = mmciname; + /* + * Offsets on GPIO block 1: +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-122-cifs-Limit-memory-used-by-lock-request-calls-.patch b/patches.kernel.org/4.4.175-122-cifs-Limit-memory-used-by-lock-request-calls-.patch new file mode 100644 index 0000000000..a795288b8b --- /dev/null +++ b/patches.kernel.org/4.4.175-122-cifs-Limit-memory-used-by-lock-request-calls-.patch @@ -0,0 +1,76 @@ +From: Ross Lagerwall <ross.lagerwall@citrix.com> +Date: Tue, 8 Jan 2019 18:30:56 +0000 +Subject: [PATCH] cifs: Limit memory used by lock request calls to a page +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 92a8109e4d3a34fb6b115c9098b51767dc933444 + +[ Upstream commit 92a8109e4d3a34fb6b115c9098b51767dc933444 ] + +The code tries to allocate a contiguous buffer with a size supplied by +the server (maxBuf). This could fail if memory is fragmented since it +results in high order allocations for commonly used server +implementations. It is also wasteful since there are probably +few locks in the usual case. Limit the buffer to be no larger than a +page to avoid memory allocation failures due to fragmentation. + +Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com> +Signed-off-by: Steve French <stfrench@microsoft.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/cifs/file.c | 8 ++++++++ + fs/cifs/smb2file.c | 4 ++++ + 2 files changed, 12 insertions(+) + +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index 026b399af215..1062e96ee272 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -1081,6 +1081,10 @@ cifs_push_mandatory_locks(struct cifsFileInfo *cfile) + return -EINVAL; + } + ++ BUILD_BUG_ON(sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE) > ++ PAGE_SIZE); ++ max_buf = min_t(unsigned int, max_buf - sizeof(struct smb_hdr), ++ PAGE_SIZE); + max_num = (max_buf - sizeof(struct smb_hdr)) / + sizeof(LOCKING_ANDX_RANGE); + buf = kcalloc(max_num, sizeof(LOCKING_ANDX_RANGE), GFP_KERNEL); +@@ -1410,6 +1414,10 @@ cifs_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock, + if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE))) + return -EINVAL; + ++ BUILD_BUG_ON(sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE) > ++ PAGE_SIZE); ++ max_buf = min_t(unsigned int, max_buf - sizeof(struct smb_hdr), ++ PAGE_SIZE); + max_num = (max_buf - sizeof(struct smb_hdr)) / + sizeof(LOCKING_ANDX_RANGE); + buf = kcalloc(max_num, sizeof(LOCKING_ANDX_RANGE), GFP_KERNEL); +diff --git a/fs/cifs/smb2file.c b/fs/cifs/smb2file.c +index b7885dc0d9bb..dee5250701de 100644 +--- a/fs/cifs/smb2file.c ++++ b/fs/cifs/smb2file.c +@@ -129,6 +129,8 @@ smb2_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock, + if (max_buf < sizeof(struct smb2_lock_element)) + return -EINVAL; + ++ BUILD_BUG_ON(sizeof(struct smb2_lock_element) > PAGE_SIZE); ++ max_buf = min_t(unsigned int, max_buf, PAGE_SIZE); + max_num = max_buf / sizeof(struct smb2_lock_element); + buf = kcalloc(max_num, sizeof(struct smb2_lock_element), GFP_KERNEL); + if (!buf) +@@ -265,6 +267,8 @@ smb2_push_mandatory_locks(struct cifsFileInfo *cfile) + return -EINVAL; + } + ++ BUILD_BUG_ON(sizeof(struct smb2_lock_element) > PAGE_SIZE); ++ max_buf = min_t(unsigned int, max_buf, PAGE_SIZE); + max_num = max_buf / sizeof(struct smb2_lock_element); + buf = kcalloc(max_num, sizeof(struct smb2_lock_element), GFP_KERNEL); + if (!buf) { +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-123-Documentation-network-reword-kernel-version-r.patch b/patches.kernel.org/4.4.175-123-Documentation-network-reword-kernel-version-r.patch new file mode 100644 index 0000000000..d57e8d6613 --- /dev/null +++ b/patches.kernel.org/4.4.175-123-Documentation-network-reword-kernel-version-r.patch @@ -0,0 +1,34 @@ +From: Mark Rustad <mrustad@gmail.com> +Date: Fri, 15 Feb 2019 08:19:55 -0800 +Subject: [PATCH] Documentation/network: reword kernel version reference +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 29c84aa9f2a2c5215b910685549e798e7514ae6c + +It seemed odd to say "since 4.17" in a 4.4 kernel. Consider +rewording the reference to indicate where in the stable series +it was introduced as well as where it originated. + +Signed-off-by: Mark Rustad <mrustad@gmail.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + Documentation/networking/ip-sysctl.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt +index 7c229f59016f..2fb35658d151 100644 +--- a/Documentation/networking/ip-sysctl.txt ++++ b/Documentation/networking/ip-sysctl.txt +@@ -116,7 +116,7 @@ ipfrag_high_thresh - LONG INTEGER + Maximum memory used to reassemble IP fragments. + + ipfrag_low_thresh - LONG INTEGER +- (Obsolete since linux-4.17) ++ (Obsolete since linux-4.4.174, backported from linux-4.17) + Maximum memory used to reassemble IP fragments before the kernel + begins to remove incomplete fragment queues to free up resources. + The kernel still accepts new fragments for defragmentation. +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-124-Revert-Input-elan_i2c-add-ACPI-ID-for-touchpa.patch b/patches.kernel.org/4.4.175-124-Revert-Input-elan_i2c-add-ACPI-ID-for-touchpa.patch new file mode 100644 index 0000000000..260c81beeb --- /dev/null +++ b/patches.kernel.org/4.4.175-124-Revert-Input-elan_i2c-add-ACPI-ID-for-touchpa.patch @@ -0,0 +1,40 @@ +From: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Date: Mon, 11 Feb 2019 14:32:40 -0800 +Subject: [PATCH] Revert "Input: elan_i2c - add ACPI ID for touchpad in ASUS + Aspire F5-573G" +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: f420c54e4b12c1361c6ed313002ee7bd7ac58362 + +commit f420c54e4b12c1361c6ed313002ee7bd7ac58362 upstream. + +This reverts commit 7db54c89f0b30a101584e09d3729144e6170059d as it +breaks Acer Aspire V-371 and other devices. According to Elan: + +"Acer Aspire F5-573G is MS Precision touchpad which should use hid + multitouch driver. ELAN0501 should not be added in elan_i2c." + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202503 +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/input/mouse/elan_i2c_core.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c +index 30adc5745cba..471984ec2db0 100644 +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -1240,7 +1240,6 @@ MODULE_DEVICE_TABLE(i2c, elan_id); + static const struct acpi_device_id elan_acpi_id[] = { + { "ELAN0000", 0 }, + { "ELAN0100", 0 }, +- { "ELAN0501", 0 }, + { "ELAN0600", 0 }, + { "ELAN0602", 0 }, + { "ELAN0605", 0 }, +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-125-Input-elan_i2c-add-ACPI-ID-for-touchpad-in-Le.patch b/patches.kernel.org/4.4.175-125-Input-elan_i2c-add-ACPI-ID-for-touchpad-in-Le.patch new file mode 100644 index 0000000000..a23f75149b --- /dev/null +++ b/patches.kernel.org/4.4.175-125-Input-elan_i2c-add-ACPI-ID-for-touchpad-in-Le.patch @@ -0,0 +1,37 @@ +From: Mauro Ciancio <mauro@acadeu.com> +Date: Mon, 14 Jan 2019 10:24:53 -0300 +Subject: [PATCH] Input: elan_i2c - add ACPI ID for touchpad in Lenovo + V330-15ISK +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 7ad222b3aed350adfc27ee7eec4587ffe55dfdce + +commit 7ad222b3aed350adfc27ee7eec4587ffe55dfdce upstream. + +This adds ELAN0617 to the ACPI table to support Elan touchpad found in +Lenovo V330-15ISK. + +Signed-off-by: Mauro Ciancio <mauro@acadeu.com> +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/input/mouse/elan_i2c_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c +index 471984ec2db0..25ce9047b682 100644 +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -1250,6 +1250,7 @@ static const struct acpi_device_id elan_acpi_id[] = { + { "ELAN060C", 0 }, + { "ELAN0611", 0 }, + { "ELAN0612", 0 }, ++ { "ELAN0617", 0 }, + { "ELAN0618", 0 }, + { "ELAN061C", 0 }, + { "ELAN061D", 0 }, +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-126-perf-core-Fix-impossible-ring-buffer-sizes-wa.patch b/patches.kernel.org/4.4.175-126-perf-core-Fix-impossible-ring-buffer-sizes-wa.patch new file mode 100644 index 0000000000..515a50fc08 --- /dev/null +++ b/patches.kernel.org/4.4.175-126-perf-core-Fix-impossible-ring-buffer-sizes-wa.patch @@ -0,0 +1,69 @@ +From: Ingo Molnar <mingo@kernel.org> +Date: Wed, 13 Feb 2019 07:57:02 +0100 +Subject: [PATCH] perf/core: Fix impossible ring-buffer sizes warning +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 528871b456026e6127d95b1b2bd8e3a003dc1614 + +commit 528871b456026e6127d95b1b2bd8e3a003dc1614 upstream. + +The following commit: + + 9dff0aa95a32 ("perf/core: Don't WARN() for impossible ring-buffer sizes") + +results in perf recording failures with larger mmap areas: + + root@skl:/tmp# perf record -g -a + failed to mmap with 12 (Cannot allocate memory) + +The root cause is that the following condition is buggy: + + if (order_base_2(size) >= MAX_ORDER) + goto fail; + +The problem is that @size is in bytes and MAX_ORDER is in pages, +so the right test is: + + if (order_base_2(size) >= PAGE_SHIFT+MAX_ORDER) + goto fail; + +Fix it. + +Reported-by: "Jin, Yao" <yao.jin@linux.intel.com> +Bisected-by: Borislav Petkov <bp@alien8.de> +Analyzed-by: Peter Zijlstra <peterz@infradead.org> +Cc: Julien Thierry <julien.thierry@arm.com> +Cc: Mark Rutland <mark.rutland@arm.com> +Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> +Cc: Arnaldo Carvalho de Melo <acme@redhat.com> +Cc: Jiri Olsa <jolsa@redhat.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Namhyung Kim <namhyung@kernel.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Cc: <stable@vger.kernel.org> +Fixes: 9dff0aa95a32 ("perf/core: Don't WARN() for impossible ring-buffer sizes") +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + kernel/events/ring_buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c +index 93bfb61506fa..358bb53c1e74 100644 +--- a/kernel/events/ring_buffer.c ++++ b/kernel/events/ring_buffer.c +@@ -637,7 +637,7 @@ struct ring_buffer *rb_alloc(int nr_pages, long watermark, int cpu, int flags) + size = sizeof(struct ring_buffer); + size += nr_pages * sizeof(void *); + +- if (order_base_2(size) >= MAX_ORDER) ++ if (order_base_2(size) >= PAGE_SHIFT+MAX_ORDER) + goto fail; + + rb = kzalloc(size, GFP_KERNEL); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-127-ALSA-hda-Add-quirk-for-HP-EliteBook-840-G5.patch b/patches.kernel.org/4.4.175-127-ALSA-hda-Add-quirk-for-HP-EliteBook-840-G5.patch new file mode 100644 index 0000000000..7fdf747747 --- /dev/null +++ b/patches.kernel.org/4.4.175-127-ALSA-hda-Add-quirk-for-HP-EliteBook-840-G5.patch @@ -0,0 +1,36 @@ +From: Jurica Vukadin <jurica.vukadin@rt-rk.com> +Date: Thu, 7 Feb 2019 16:29:37 +0100 +Subject: [PATCH] ALSA: hda - Add quirk for HP EliteBook 840 G5 +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 4cd3016ce996494f78fdfd87ea35c8ca5d0b413e + +commit 4cd3016ce996494f78fdfd87ea35c8ca5d0b413e upstream. + +This enables mute LED support and fixes switching jacks when the laptop +is docked. + +Signed-off-by: Jurica Vukadin <jurica.vukadin@rt-rk.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c +index 536184ac315d..40dd46556452 100644 +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -854,6 +854,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = { + SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK), ++ SND_PCI_QUIRK(0x103c, 0x83b2, "HP EliteBook 840 G5", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE), +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-128-ALSA-usb-audio-Fix-implicit-fb-endpoint-setup.patch b/patches.kernel.org/4.4.175-128-ALSA-usb-audio-Fix-implicit-fb-endpoint-setup.patch new file mode 100644 index 0000000000..e5a0c2f28c --- /dev/null +++ b/patches.kernel.org/4.4.175-128-ALSA-usb-audio-Fix-implicit-fb-endpoint-setup.patch @@ -0,0 +1,63 @@ +From: Manuel Reinhardt <manuel.rhdt@gmail.com> +Date: Thu, 31 Jan 2019 15:32:35 +0100 +Subject: [PATCH] ALSA: usb-audio: Fix implicit fb endpoint setup by quirk +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 2bc16b9f3223d049b57202ee702fcb5b9b507019 + +commit 2bc16b9f3223d049b57202ee702fcb5b9b507019 upstream. + +The commit a60945fd08e4 ("ALSA: usb-audio: move implicit fb quirks to +separate function") introduced an error in the handling of quirks for +implicit feedback endpoints. This commit fixes this. + +If a quirk successfully sets up an implicit feedback endpoint, usb-audio +no longer tries to find the implicit fb endpoint itself. + +Fixes: a60945fd08e4 ("ALSA: usb-audio: move implicit fb quirks to separate function") +Signed-off-by: Manuel Reinhardt <manuel.rhdt@gmail.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/usb/pcm.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c +index a9079654107c..1ea1384bc236 100644 +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -313,6 +313,9 @@ static int search_roland_implicit_fb(struct usb_device *dev, int ifnum, + return 0; + } + ++/* Setup an implicit feedback endpoint from a quirk. Returns 0 if no quirk ++ * applies. Returns 1 if a quirk was found. ++ */ + static int set_sync_ep_implicit_fb_quirk(struct snd_usb_substream *subs, + struct usb_device *dev, + struct usb_interface_descriptor *altsd, +@@ -381,7 +384,7 @@ static int set_sync_ep_implicit_fb_quirk(struct snd_usb_substream *subs, + + subs->data_endpoint->sync_master = subs->sync_endpoint; + +- return 0; ++ return 1; + } + + static int set_sync_endpoint(struct snd_usb_substream *subs, +@@ -420,6 +423,10 @@ static int set_sync_endpoint(struct snd_usb_substream *subs, + if (err < 0) + return err; + ++ /* endpoint set by quirk */ ++ if (err > 0) ++ return 0; ++ + if (altsd->bNumEndpoints < 2) + return 0; + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-129-Input-bma150-register-input-device-after-sett.patch b/patches.kernel.org/4.4.175-129-Input-bma150-register-input-device-after-sett.patch new file mode 100644 index 0000000000..da973200c4 --- /dev/null +++ b/patches.kernel.org/4.4.175-129-Input-bma150-register-input-device-after-sett.patch @@ -0,0 +1,112 @@ +From: Jonathan Bakker <xc-racer2@live.ca> +Date: Wed, 6 Feb 2019 10:45:37 -0800 +Subject: [PATCH] Input: bma150 - register input device after setting private + data +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 90cc55f067f6ca0e64e5e52883ece47d8af7b67b + +commit 90cc55f067f6ca0e64e5e52883ece47d8af7b67b upstream. + +Otherwise we introduce a race condition where userspace can request input +before we're ready leading to null pointer dereference such as + +input: bma150 as /devices/platform/i2c-gpio-2/i2c-5/5-0038/input/input3 +Unable to handle kernel NULL pointer dereference at virtual address 00000018 +pgd = (ptrval) +[00000018] *pgd=55dac831, *pte=00000000, *ppte=00000000 +Internal error: Oops: 17 [#1] PREEMPT ARM +Modules linked in: bma150 input_polldev [last unloaded: bma150] +CPU: 0 PID: 2870 Comm: accelerometer Not tainted 5.0.0-rc3-dirty #46 +Hardware name: Samsung S5PC110/S5PV210-based board +PC is at input_event+0x8/0x60 +LR is at bma150_report_xyz+0x9c/0xe0 [bma150] +pc : [<80450f70>] lr : [<7f0a614c>] psr: 800d0013 +sp : a4c1fd78 ip : 00000081 fp : 00020000 +r10: 00000000 r9 : a5e2944c r8 : a7455000 +r7 : 00000016 r6 : 00000101 r5 : a7617940 r4 : 80909048 +r3 : fffffff2 r2 : 00000000 r1 : 00000003 r0 : 00000000 +Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +Control: 10c5387d Table: 54e34019 DAC: 00000051 +Process accelerometer (pid: 2870, stack limit = 0x(ptrval)) +Stackck: (0xa4c1fd78 to 0xa4c20000) +fd60: fffffff3 fc813f6c +fd80: 40410581 d7530ce3 a5e2817c a7617f00 a5e29404 a5e2817c 00000000 7f008324 +fda0: a5e28000 8044f59c a5fdd9d0 a5e2945c a46a4a00 a5e29668 a7455000 80454f10 +fdc0: 80909048 a5e29668 a5fdd9d0 a46a4a00 806316d0 00000000 a46a4a00 801df5f0 +fde0: 00000000 d7530ce3 a4c1fec0 a46a4a00 00000000 a5fdd9d0 a46a4a08 801df53c +fe00: 00000000 801d74bc a4c1fec0 00000000 a4c1ff70 00000000 a7038da8 00000000 +fe20: a46a4a00 801e91fc a411bbe0 801f2e88 00000004 00000000 80909048 00000041 +fe40: 00000000 00020000 00000000 dead4ead a6a88da0 00000000 ffffe000 806fcae8 +fe60: a4c1fec8 00000000 80909048 00000002 a5fdd9d0 a7660110 a411bab0 00000001 +fe80: dead4ead ffffffff ffffffff a4c1fe8c a4c1fe8c d7530ce3 20000013 80909048 +fea0: 80909048 a4c1ff70 00000001 fffff000 a4c1e000 00000005 00026038 801eabd8 +fec0: a7660110 a411bab0 b9394901 00000006 a696201b 76fb3000 00000000 a7039720 +fee0: a5fdd9d0 00000101 00000002 00000096 00000000 00000000 00000000 a4c1ff00 +ff00: a6b310f4 805cb174 a6b310f4 00000010 00000fe0 00000010 a4c1e000 d7530ce3 +ff20: 00000003 a5f41400 a5f41424 00000000 a6962000 00000000 00000003 00000002 +ff40: ffffff9c 000a0000 80909048 d7530ce3 a6962000 00000003 80909048 ffffff9c +ff60: a6962000 801d890c 00000000 00000000 00020000 a7590000 00000004 00000100 +ff80: 00000001 d7530ce3 000288b8 00026320 000288b8 00000005 80101204 a4c1e000 +ffa0: 00000005 80101000 000288b8 00026320 000288b8 000a0000 00000000 00000000 +ffc0: 000288b8 00026320 000288b8 00000005 7eef3bac 000264e8 00028ad8 00026038 +ffe0: 00000005 7eef3300 76f76e91 76f78546 800d0030 000288b8 00000000 00000000 +[<80450f70>] (input_event) from [<a5e2817c>] (0xa5e2817c) +Code: e1a08148 eaffffa8 e351001f 812fff1e (e590c018) +---[ end trace 1c691ee85f2ff243 ]--- + +Signed-off-by: Jonathan Bakker <xc-racer2@live.ca> +Signed-off-by: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com> +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/input/misc/bma150.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/input/misc/bma150.c b/drivers/input/misc/bma150.c +index 1d0e61d7c131..b6c1d1d482c1 100644 +--- a/drivers/input/misc/bma150.c ++++ b/drivers/input/misc/bma150.c +@@ -482,13 +482,14 @@ static int bma150_register_input_device(struct bma150_data *bma150) + idev->close = bma150_irq_close; + input_set_drvdata(idev, bma150); + ++ bma150->input = idev; ++ + error = input_register_device(idev); + if (error) { + input_free_device(idev); + return error; + } + +- bma150->input = idev; + return 0; + } + +@@ -511,15 +512,15 @@ static int bma150_register_polled_device(struct bma150_data *bma150) + + bma150_init_input_device(bma150, ipoll_dev->input); + ++ bma150->input_polled = ipoll_dev; ++ bma150->input = ipoll_dev->input; ++ + error = input_register_polled_device(ipoll_dev); + if (error) { + input_free_polled_device(ipoll_dev); + return error; + } + +- bma150->input_polled = ipoll_dev; +- bma150->input = ipoll_dev->input; +- + return 0; + } + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-130-Input-elantech-enable-3rd-button-support-on-F.patch b/patches.kernel.org/4.4.175-130-Input-elantech-enable-3rd-button-support-on-F.patch new file mode 100644 index 0000000000..c4a4c04cbf --- /dev/null +++ b/patches.kernel.org/4.4.175-130-Input-elantech-enable-3rd-button-support-on-F.patch @@ -0,0 +1,58 @@ +From: Matti Kurkela <Matti.Kurkela@iki.fi> +Date: Thu, 7 Feb 2019 23:49:23 -0800 +Subject: [PATCH] Input: elantech - enable 3rd button support on Fujitsu + CELSIUS H780 +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: e8b22d0a329f0fb5c7ef95406872d268f01ee3b1 + +commit e8b22d0a329f0fb5c7ef95406872d268f01ee3b1 upstream. + +Like Fujitsu CELSIUS H760, the H780 also has a three-button Elantech +touchpad, but the driver needs to be told so to enable the middle touchpad +button. + +The elantech_dmi_force_crc_enabled quirk was not necessary with the H780. + +Also document the fw_version and caps values detected for both H760 and +H780 models. + +Signed-off-by: Matti Kurkela <Matti.Kurkela@iki.fi> +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/input/mouse/elantech.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c +index 84aead19622c..4c1e527f14a5 100644 +--- a/drivers/input/mouse/elantech.c ++++ b/drivers/input/mouse/elantech.c +@@ -1121,6 +1121,8 @@ static int elantech_get_resolution_v4(struct psmouse *psmouse, + * Asus UX31 0x361f00 20, 15, 0e clickpad + * Asus UX32VD 0x361f02 00, 15, 0e clickpad + * Avatar AVIU-145A2 0x361f00 ? clickpad ++ * Fujitsu CELSIUS H760 0x570f02 40, 14, 0c 3 hw buttons (**) ++ * Fujitsu CELSIUS H780 0x5d0f02 41, 16, 0d 3 hw buttons (**) + * Fujitsu LIFEBOOK E544 0x470f00 d0, 12, 09 2 hw buttons + * Fujitsu LIFEBOOK E546 0x470f00 50, 12, 09 2 hw buttons + * Fujitsu LIFEBOOK E547 0x470f00 50, 12, 09 2 hw buttons +@@ -1173,6 +1175,13 @@ static const struct dmi_system_id elantech_dmi_has_middle_button[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "CELSIUS H760"), + }, + }, ++ { ++ /* Fujitsu H780 also has a middle button */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "CELSIUS H780"), ++ }, ++ }, + #endif + { } + }; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-131-alpha-fix-page-fault-handling-for-r16-r18-tar.patch b/patches.kernel.org/4.4.175-131-alpha-fix-page-fault-handling-for-r16-r18-tar.patch new file mode 100644 index 0000000000..e3aa5a176b --- /dev/null +++ b/patches.kernel.org/4.4.175-131-alpha-fix-page-fault-handling-for-r16-r18-tar.patch @@ -0,0 +1,123 @@ +From: Sergei Trofimovich <slyfox@gentoo.org> +Date: Mon, 31 Dec 2018 11:53:55 +0000 +Subject: [PATCH] alpha: fix page fault handling for r16-r18 targets +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 491af60ffb848b59e82f7c9145833222e0bf27a5 + +commit 491af60ffb848b59e82f7c9145833222e0bf27a5 upstream. + +Fix page fault handling code to fixup r16-r18 registers. +Before the patch code had off-by-two registers bug. +This bug caused overwriting of ps,pc,gp registers instead +of fixing intended r16,r17,r18 (see `struct pt_regs`). + +More details: + +Initially Dmitry noticed a kernel bug as a failure +on strace test suite. Test passes unmapped userspace +pointer to io_submit: + +```c + #include <err.h> + #include <unistd.h> + #include <sys/mman.h> + #include <asm/unistd.h> + int main(void) + { + unsigned long ctx = 0; + if (syscall(__NR_io_setup, 1, &ctx)) + err(1, "io_setup"); + const size_t page_size = sysconf(_SC_PAGESIZE); + const size_t size = page_size * 2; + void *ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + if (MAP_FAILED == ptr) + err(1, "mmap(%zu)", size); + if (munmap(ptr, size)) + err(1, "munmap"); + syscall(__NR_io_submit, ctx, 1, ptr + page_size); + syscall(__NR_io_destroy, ctx); + return 0; + } +``` + +Running this test causes kernel to crash when handling page fault: + +``` + Unable to handle kernel paging request at virtual address ffffffffffff9468 + CPU 3 + aio(26027): Oops 0 + pc = [<fffffc00004eddf8>] ra = [<fffffc00004edd5c>] ps = 0000 Not tainted + pc is at sys_io_submit+0x108/0x200 + ra is at sys_io_submit+0x6c/0x200 + v0 = fffffc00c58e6300 t0 = fffffffffffffff2 t1 = 000002000025e000 + t2 = fffffc01f159fef8 t3 = fffffc0001009640 t4 = fffffc0000e0f6e0 + t5 = 0000020001002e9e t6 = 4c41564e49452031 t7 = fffffc01f159c000 + s0 = 0000000000000002 s1 = 000002000025e000 s2 = 0000000000000000 + s3 = 0000000000000000 s4 = 0000000000000000 s5 = fffffffffffffff2 + s6 = fffffc00c58e6300 + a0 = fffffc00c58e6300 a1 = 0000000000000000 a2 = 000002000025e000 + a3 = 00000200001ac260 a4 = 00000200001ac1e8 a5 = 0000000000000001 + t8 = 0000000000000008 t9 = 000000011f8bce30 t10= 00000200001ac440 + t11= 0000000000000000 pv = fffffc00006fd320 at = 0000000000000000 + gp = 0000000000000000 sp = 00000000265fd174 + Disabling lock debugging due to kernel taint + Trace: + [<fffffc0000311404>] entSys+0xa4/0xc0 +``` + +Here `gp` has invalid value. `gp is s overwritten by a fixup for the +following page fault handler in `io_submit` syscall handler: + +``` + __se_sys_io_submit + ... + ldq a1,0(t1) + bne t0,4280 <__se_sys_io_submit+0x180> +``` + +After a page fault `t0` should contain -EFALUT and `a1` is 0. +Instead `gp` was overwritten in place of `a1`. + +This happens due to a off-by-two bug in `dpf_reg()` for `r16-r18` +(aka `a0-a2`). + +I think the bug went unnoticed for a long time as `gp` is one +of scratch registers. Any kernel function call would re-calculate `gp`. + +Dmitry tracked down the bug origin back to 2.1.32 kernel version +where trap_a{0,1,2} fields were inserted into struct pt_regs. +And even before that `dpf_reg()` contained off-by-one error. + +Cc: Richard Henderson <rth@twiddle.net> +Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru> +Cc: linux-alpha@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Reported-and-reviewed-by: "Dmitry V. Levin" <ldv@altlinux.org> +Cc: stable@vger.kernel.org # v2.1.32+ +Bug: https://bugs.gentoo.org/672040 +Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org> +Signed-off-by: Matt Turner <mattst88@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/alpha/mm/fault.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/alpha/mm/fault.c b/arch/alpha/mm/fault.c +index 4a905bd667e2..0f68f0de9b5e 100644 +--- a/arch/alpha/mm/fault.c ++++ b/arch/alpha/mm/fault.c +@@ -77,7 +77,7 @@ __load_new_mm_context(struct mm_struct *next_mm) + /* Macro for exception fixup code to access integer registers. */ + #define dpf_reg(r) \ + (((unsigned long *)regs)[(r) <= 8 ? (r) : (r) <= 15 ? (r)-16 : \ +- (r) <= 18 ? (r)+8 : (r)-10]) ++ (r) <= 18 ? (r)+10 : (r)-10]) + + asmlinkage void + do_page_fault(unsigned long address, unsigned long mmcsr, +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-132-alpha-Fix-Eiger-NR_IRQS-to-128.patch b/patches.kernel.org/4.4.175-132-alpha-Fix-Eiger-NR_IRQS-to-128.patch new file mode 100644 index 0000000000..9601c2b1af --- /dev/null +++ b/patches.kernel.org/4.4.175-132-alpha-Fix-Eiger-NR_IRQS-to-128.patch @@ -0,0 +1,56 @@ +From: Meelis Roos <mroos@linux.ee> +Date: Fri, 12 Oct 2018 12:27:51 +0300 +Subject: [PATCH] alpha: Fix Eiger NR_IRQS to 128 +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: bfc913682464f45bc4d6044084e370f9048de9d5 + +commit bfc913682464f45bc4d6044084e370f9048de9d5 upstream. + +Eiger machine vector definition has nr_irqs 128, and working 2.6.26 +boot shows SCSI getting IRQ-s 64 and 65. Current kernel boot fails +because Symbios SCSI fails to request IRQ-s and does not find the disks. +It has been broken at least since 3.18 - the earliest I could test with +my gcc-5. + +The headers have moved around and possibly another order of defines has +worked in the past - but since 128 seems to be correct and used, fix +arch/alpha/include/asm/irq.h to have NR_IRQS=128 for Eiger. + +This fixes 4.19-rc7 boot on my Force Flexor A264 (Eiger subarch). + +Cc: stable@vger.kernel.org # v3.18+ +Signed-off-by: Meelis Roos <mroos@linux.ee> +Signed-off-by: Matt Turner <mattst88@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/alpha/include/asm/irq.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/alpha/include/asm/irq.h b/arch/alpha/include/asm/irq.h +index 06377400dc09..469642801a68 100644 +--- a/arch/alpha/include/asm/irq.h ++++ b/arch/alpha/include/asm/irq.h +@@ -55,15 +55,15 @@ + + #elif defined(CONFIG_ALPHA_DP264) || \ + defined(CONFIG_ALPHA_LYNX) || \ +- defined(CONFIG_ALPHA_SHARK) || \ +- defined(CONFIG_ALPHA_EIGER) ++ defined(CONFIG_ALPHA_SHARK) + # define NR_IRQS 64 + + #elif defined(CONFIG_ALPHA_TITAN) + #define NR_IRQS 80 + + #elif defined(CONFIG_ALPHA_RAWHIDE) || \ +- defined(CONFIG_ALPHA_TAKARA) ++ defined(CONFIG_ALPHA_TAKARA) || \ ++ defined(CONFIG_ALPHA_EIGER) + # define NR_IRQS 128 + + #elif defined(CONFIG_ALPHA_WILDFIRE) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-133-tracing-uprobes-Fix-output-for-multiple-strin.patch b/patches.kernel.org/4.4.175-133-tracing-uprobes-Fix-output-for-multiple-strin.patch new file mode 100644 index 0000000000..08f985862b --- /dev/null +++ b/patches.kernel.org/4.4.175-133-tracing-uprobes-Fix-output-for-multiple-strin.patch @@ -0,0 +1,84 @@ +From: Andreas Ziegler <andreas.ziegler@fau.de> +Date: Wed, 16 Jan 2019 15:16:29 +0100 +Subject: [PATCH] tracing/uprobes: Fix output for multiple string arguments +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 0722069a5374b904ec1a67f91249f90e1cfae259 + +commit 0722069a5374b904ec1a67f91249f90e1cfae259 upstream. + +When printing multiple uprobe arguments as strings the output for the +earlier arguments would also include all later string arguments. + +This is best explained in an example: + +Consider adding a uprobe to a function receiving two strings as +parameters which is at offset 0xa0 in strlib.so and we want to print +both parameters when the uprobe is hit (on x86_64): + +$ echo 'p:func /lib/strlib.so:0xa0 +0(%di):string +0(%si):string' > \ + /sys/kernel/debug/tracing/uprobe_events + +When the function is called as func("foo", "bar") and we hit the probe, +the trace file shows a line like the following: + + [...] func: (0x7f7e683706a0) arg1="foobar" arg2="bar" + +Note the extra "bar" printed as part of arg1. This behaviour stacks up +for additional string arguments. + +The strings are stored in a dynamically growing part of the uprobe +buffer by fetch_store_string() after copying them from userspace via +strncpy_from_user(). The return value of strncpy_from_user() is then +directly used as the required size for the string. However, this does +not take the terminating null byte into account as the documentation +for strncpy_from_user() cleary states that it "[...] returns the +length of the string (not including the trailing NUL)" even though the +null byte will be copied to the destination. + +Therefore, subsequent calls to fetch_store_string() will overwrite +the terminating null byte of the most recently fetched string with +the first character of the current string, leading to the +"accumulation" of strings in earlier arguments in the output. + +Fix this by incrementing the return value of strncpy_from_user() by +one if we did not hit the maximum buffer size. + +Link: http://lkml.kernel.org/r/20190116141629.5752-1-andreas.ziegler@fau.de + +Cc: Ingo Molnar <mingo@redhat.com> +Cc: stable@vger.kernel.org +Fixes: 5baaa59ef09e ("tracing/probes: Implement 'memory' fetch method for uprobes") +Acked-by: Masami Hiramatsu <mhiramat@kernel.org> +Signed-off-by: Andreas Ziegler <andreas.ziegler@fau.de> +Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> +Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + kernel/trace/trace_uprobe.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c +index 1dc887bab085..518e62a398d2 100644 +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -150,7 +150,14 @@ static void FETCH_FUNC_NAME(memory, string)(struct pt_regs *regs, + + ret = strncpy_from_user(dst, src, maxlen); + if (ret == maxlen) +- dst[--ret] = '\0'; ++ dst[ret - 1] = '\0'; ++ else if (ret >= 0) ++ /* ++ * Include the terminating null byte. In this case it ++ * was copied by strncpy_from_user but not accounted ++ * for in ret. ++ */ ++ ret++; + + if (ret < 0) { /* Failed to fetch string */ + ((u8 *)get_rloc_data(dest))[0] = '\0'; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-134-x86-platform-UV-Use-efi_runtime_lock-to-seria.patch b/patches.kernel.org/4.4.175-134-x86-platform-UV-Use-efi_runtime_lock-to-seria.patch new file mode 100644 index 0000000000..48f8c836d1 --- /dev/null +++ b/patches.kernel.org/4.4.175-134-x86-platform-UV-Use-efi_runtime_lock-to-seria.patch @@ -0,0 +1,135 @@ +From: Hedi Berriche <hedi.berriche@hpe.com> +Date: Wed, 13 Feb 2019 19:34:13 +0000 +Subject: [PATCH] x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: f331e766c4be33f4338574f3c9f7f77e98ab4571 + +commit f331e766c4be33f4338574f3c9f7f77e98ab4571 upstream. + +Calls into UV firmware must be protected against concurrency, expose the +efi_runtime_lock to the UV platform, and use it to serialise UV BIOS +calls. + +Signed-off-by: Hedi Berriche <hedi.berriche@hpe.com> +Signed-off-by: Borislav Petkov <bp@suse.de> +Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> +Reviewed-by: Russ Anderson <rja@hpe.com> +Reviewed-by: Dimitri Sivanich <sivanich@hpe.com> +Reviewed-by: Mike Travis <mike.travis@hpe.com> +Cc: Andy Shevchenko <andy@infradead.org> +Cc: Bhupesh Sharma <bhsharma@redhat.com> +Cc: Darren Hart <dvhart@infradead.org> +Cc: "H. Peter Anvin" <hpa@zytor.com> +Cc: Ingo Molnar <mingo@redhat.com> +Cc: linux-efi <linux-efi@vger.kernel.org> +Cc: platform-driver-x86@vger.kernel.org +Cc: stable@vger.kernel.org # v4.9+ +Cc: Steve Wahl <steve.wahl@hpe.com> +Cc: Thomas Gleixner <tglx@linutronix.de> +Cc: x86-ml <x86@kernel.org> +Link: https://lkml.kernel.org/r/20190213193413.25560-5-hedi.berriche@hpe.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/x86/include/asm/uv/bios.h | 8 +++++++- + arch/x86/platform/uv/bios_uv.c | 23 +++++++++++++++++++++-- + drivers/firmware/efi/runtime-wrappers.c | 7 +++++++ + 3 files changed, 35 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/include/asm/uv/bios.h b/arch/x86/include/asm/uv/bios.h +index 71605c7d5c5c..8b7594f2d48f 100644 +--- a/arch/x86/include/asm/uv/bios.h ++++ b/arch/x86/include/asm/uv/bios.h +@@ -48,7 +48,8 @@ enum { + BIOS_STATUS_SUCCESS = 0, + BIOS_STATUS_UNIMPLEMENTED = -ENOSYS, + BIOS_STATUS_EINVAL = -EINVAL, +- BIOS_STATUS_UNAVAIL = -EBUSY ++ BIOS_STATUS_UNAVAIL = -EBUSY, ++ BIOS_STATUS_ABORT = -EINTR, + }; + + /* +@@ -111,4 +112,9 @@ extern long system_serial_number; + + extern struct kobject *sgi_uv_kobj; /* /sys/firmware/sgi_uv */ + ++/* ++ * EFI runtime lock; cf. firmware/efi/runtime-wrappers.c for details ++ */ ++extern struct semaphore __efi_uv_runtime_lock; ++ + #endif /* _ASM_X86_UV_BIOS_H */ +diff --git a/arch/x86/platform/uv/bios_uv.c b/arch/x86/platform/uv/bios_uv.c +index 1584cbed0dce..a45a1c5aabea 100644 +--- a/arch/x86/platform/uv/bios_uv.c ++++ b/arch/x86/platform/uv/bios_uv.c +@@ -28,7 +28,8 @@ + + static struct uv_systab uv_systab; + +-s64 uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, u64 a4, u64 a5) ++static s64 __uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, ++ u64 a4, u64 a5) + { + struct uv_systab *tab = &uv_systab; + s64 ret; +@@ -43,6 +44,19 @@ s64 uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, u64 a4, u64 a5) + a1, a2, a3, a4, a5); + return ret; + } ++ ++s64 uv_bios_call(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, u64 a4, u64 a5) ++{ ++ s64 ret; ++ ++ if (down_interruptible(&__efi_uv_runtime_lock)) ++ return BIOS_STATUS_ABORT; ++ ++ ret = __uv_bios_call(which, a1, a2, a3, a4, a5); ++ up(&__efi_uv_runtime_lock); ++ ++ return ret; ++} + EXPORT_SYMBOL_GPL(uv_bios_call); + + s64 uv_bios_call_irqsave(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, +@@ -51,10 +65,15 @@ s64 uv_bios_call_irqsave(enum uv_bios_cmd which, u64 a1, u64 a2, u64 a3, + unsigned long bios_flags; + s64 ret; + ++ if (down_interruptible(&__efi_uv_runtime_lock)) ++ return BIOS_STATUS_ABORT; ++ + local_irq_save(bios_flags); +- ret = uv_bios_call(which, a1, a2, a3, a4, a5); ++ ret = __uv_bios_call(which, a1, a2, a3, a4, a5); + local_irq_restore(bios_flags); + ++ up(&__efi_uv_runtime_lock); ++ + return ret; + } + +diff --git a/drivers/firmware/efi/runtime-wrappers.c b/drivers/firmware/efi/runtime-wrappers.c +index 228bbf910461..906d0224f50d 100644 +--- a/drivers/firmware/efi/runtime-wrappers.c ++++ b/drivers/firmware/efi/runtime-wrappers.c +@@ -87,6 +87,13 @@ static DEFINE_SPINLOCK(efi_runtime_lock); + * context through efi_pstore_write(). + */ + ++/* ++ * Expose the EFI runtime lock to the UV platform ++ */ ++#ifdef CONFIG_X86_UV ++extern struct semaphore __efi_uv_runtime_lock __alias(efi_runtime_lock); ++#endif ++ + /* + * As per commit ef68c8f87ed1 ("x86: Serialize EFI time accesses on rtc_lock"), + * the EFI specification requires that callers of the time related runtime +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-135-signal-Restore-the-stop-PTRACE_EVENT_EXIT.patch b/patches.kernel.org/4.4.175-135-signal-Restore-the-stop-PTRACE_EVENT_EXIT.patch new file mode 100644 index 0000000000..fe9fbb7806 --- /dev/null +++ b/patches.kernel.org/4.4.175-135-signal-Restore-the-stop-PTRACE_EVENT_EXIT.patch @@ -0,0 +1,63 @@ +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Mon, 11 Feb 2019 23:27:42 -0600 +Subject: [PATCH] signal: Restore the stop PTRACE_EVENT_EXIT +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: cf43a757fd49442bc38f76088b70c2299eed2c2f + +commit cf43a757fd49442bc38f76088b70c2299eed2c2f upstream. + +In the middle of do_exit() there is there is a call +"ptrace_event(PTRACE_EVENT_EXIT, code);" That call places the process +in TACKED_TRACED aka "(TASK_WAKEKILL | __TASK_TRACED)" and waits for +for the debugger to release the task or SIGKILL to be delivered. + +Skipping past dequeue_signal when we know a fatal signal has already +been delivered resulted in SIGKILL remaining pending and +TIF_SIGPENDING remaining set. This in turn caused the +scheduler to not sleep in PTACE_EVENT_EXIT as it figured +a fatal signal was pending. This also caused ptrace_freeze_traced +in ptrace_check_attach to fail because it left a per thread +SIGKILL pending which is what fatal_signal_pending tests for. + +This difference in signal state caused strace to report +strace: Exit of unknown pid NNNNN ignored + +Therefore update the signal handling state like dequeue_signal +would when removing a per thread SIGKILL, by removing SIGKILL +from the per thread signal mask and clearing TIF_SIGPENDING. + +Acked-by: Oleg Nesterov <oleg@redhat.com> +Reported-by: Oleg Nesterov <oleg@redhat.com> +Reported-by: Ivan Delalande <colona@arista.com> +Cc: stable@vger.kernel.org +Fixes: 35634ffa1751 ("signal: Always notice exiting tasks") +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + kernel/signal.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/kernel/signal.c b/kernel/signal.c +index e464a2ef4ff5..96e8c3cbfa38 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -2241,9 +2241,12 @@ int get_signal(struct ksignal *ksig) + } + + /* Has this task already been marked for death? */ +- ksig->info.si_signo = signr = SIGKILL; +- if (signal_group_exit(signal)) ++ if (signal_group_exit(signal)) { ++ ksig->info.si_signo = signr = SIGKILL; ++ sigdelset(¤t->pending.signal, SIGKILL); ++ recalc_sigpending(); + goto fatal; ++ } + + for (;;) { + struct k_sigaction *ka; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-136-x86-a.out-Clear-the-dump-structure-initially.patch b/patches.kernel.org/4.4.175-136-x86-a.out-Clear-the-dump-structure-initially.patch new file mode 100644 index 0000000000..9611d59a82 --- /dev/null +++ b/patches.kernel.org/4.4.175-136-x86-a.out-Clear-the-dump-structure-initially.patch @@ -0,0 +1,64 @@ +From: Borislav Petkov <bp@suse.de> +Date: Tue, 12 Feb 2019 14:28:03 +0100 +Subject: [PATCH] x86/a.out: Clear the dump structure initially +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 10970e1b4be9c74fce8ab6e3c34a7d718f063f2c + +commit 10970e1b4be9c74fce8ab6e3c34a7d718f063f2c upstream. + +dump_thread32() in aout_core_dump() does not clear the user32 structure +allocated on the stack as the first thing on function entry. + +As a result, the dump.u_comm, dump.u_ar0 and dump.signal which get +assigned before the clearing, get overwritten. + +Rename that function to fill_dump() to make it clear what it does and +call it first thing. + +This was caught while staring at a patch by Derek Robson +<robsonde@gmail.com>. + +Signed-off-by: Borislav Petkov <bp@suse.de> +Cc: Derek Robson <robsonde@gmail.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Michael Matz <matz@suse.de> +Cc: x86@kernel.org +Cc: <stable@vger.kernel.org> +Link: https://lkml.kernel.org/r/20190202005512.3144-1-robsonde@gmail.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/x86/ia32/ia32_aout.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c +index ae6aad1d24f7..b348c4641312 100644 +--- a/arch/x86/ia32/ia32_aout.c ++++ b/arch/x86/ia32/ia32_aout.c +@@ -50,7 +50,7 @@ static unsigned long get_dr(int n) + /* + * fill in the user structure for a core dump.. + */ +-static void dump_thread32(struct pt_regs *regs, struct user32 *dump) ++static void fill_dump(struct pt_regs *regs, struct user32 *dump) + { + u32 fs, gs; + memset(dump, 0, sizeof(*dump)); +@@ -156,10 +156,12 @@ static int aout_core_dump(struct coredump_params *cprm) + fs = get_fs(); + set_fs(KERNEL_DS); + has_dumped = 1; ++ ++ fill_dump(cprm->regs, &dump); ++ + strncpy(dump.u_comm, current->comm, sizeof(current->comm)); + dump.u_ar0 = offsetof(struct user32, regs); + dump.signal = cprm->siginfo->si_signo; +- dump_thread32(cprm->regs, &dump); + + /* + * If the size of the dump file exceeds the rlimit, then see +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-137-dm-thin-fix-bug-where-bio-that-overwrites-thi.patch b/patches.kernel.org/4.4.175-137-dm-thin-fix-bug-where-bio-that-overwrites-thi.patch new file mode 100644 index 0000000000..c8e0d2d0be --- /dev/null +++ b/patches.kernel.org/4.4.175-137-dm-thin-fix-bug-where-bio-that-overwrites-thi.patch @@ -0,0 +1,162 @@ +From: Nikos Tsironis <ntsironis@arrikto.com> +Date: Thu, 14 Feb 2019 20:38:47 +0200 +Subject: [PATCH] dm thin: fix bug where bio that overwrites thin block ignores + FUA +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 4ae280b4ee3463fa57bbe6eede26b97daff8a0f1 + +commit 4ae280b4ee3463fa57bbe6eede26b97daff8a0f1 upstream. + +When provisioning a new data block for a virtual block, either because +the block was previously unallocated or because we are breaking sharing, +if the whole block of data is being overwritten the bio that triggered +the provisioning is issued immediately, skipping copying or zeroing of +the data block. + +When this bio completes the new mapping is inserted in to the pool's +metadata by process_prepared_mapping(), where the bio completion is +signaled to the upper layers. + +This completion is signaled without first committing the metadata. If +the bio in question has the REQ_FUA flag set and the system crashes +right after its completion and before the next metadata commit, then the +write is lost despite the REQ_FUA flag requiring that I/O completion for +this request must only be signaled after the data has been committed to +non-volatile storage. + +Fix this by deferring the completion of overwrite bios, with the REQ_FUA +flag set, until after the metadata has been committed. + +Cc: stable@vger.kernel.org +Signed-off-by: Nikos Tsironis <ntsironis@arrikto.com> +Acked-by: Joe Thornber <ejt@redhat.com> +Acked-by: Mikulas Patocka <mpatocka@redhat.com> +Signed-off-by: Mike Snitzer <snitzer@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/md/dm-thin.c | 55 ++++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 50 insertions(+), 5 deletions(-) + +diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c +index bc4e6825ff62..07eaa9f90712 100644 +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -256,6 +256,7 @@ struct pool { + + spinlock_t lock; + struct bio_list deferred_flush_bios; ++ struct bio_list deferred_flush_completions; + struct list_head prepared_mappings; + struct list_head prepared_discards; + struct list_head active_thins; +@@ -920,6 +921,39 @@ static void process_prepared_mapping_fail(struct dm_thin_new_mapping *m) + mempool_free(m, m->tc->pool->mapping_pool); + } + ++static void complete_overwrite_bio(struct thin_c *tc, struct bio *bio) ++{ ++ struct pool *pool = tc->pool; ++ unsigned long flags; ++ ++ /* ++ * If the bio has the REQ_FUA flag set we must commit the metadata ++ * before signaling its completion. ++ */ ++ if (!bio_triggers_commit(tc, bio)) { ++ bio_endio(bio); ++ return; ++ } ++ ++ /* ++ * Complete bio with an error if earlier I/O caused changes to the ++ * metadata that can't be committed, e.g, due to I/O errors on the ++ * metadata device. ++ */ ++ if (dm_thin_aborted_changes(tc->td)) { ++ bio_io_error(bio); ++ return; ++ } ++ ++ /* ++ * Batch together any bios that trigger commits and then issue a ++ * single commit for them in process_deferred_bios(). ++ */ ++ spin_lock_irqsave(&pool->lock, flags); ++ bio_list_add(&pool->deferred_flush_completions, bio); ++ spin_unlock_irqrestore(&pool->lock, flags); ++} ++ + static void process_prepared_mapping(struct dm_thin_new_mapping *m) + { + struct thin_c *tc = m->tc; +@@ -952,7 +986,7 @@ static void process_prepared_mapping(struct dm_thin_new_mapping *m) + */ + if (bio) { + inc_remap_and_issue_cell(tc, m->cell, m->data_block); +- bio_endio(bio); ++ complete_overwrite_bio(tc, bio); + } else { + inc_all_io_entry(tc->pool, m->cell->holder); + remap_and_issue(tc, m->cell->holder, m->data_block); +@@ -2228,7 +2262,7 @@ static void process_deferred_bios(struct pool *pool) + { + unsigned long flags; + struct bio *bio; +- struct bio_list bios; ++ struct bio_list bios, bio_completions; + struct thin_c *tc; + + tc = get_first_thin(pool); +@@ -2239,26 +2273,36 @@ static void process_deferred_bios(struct pool *pool) + } + + /* +- * If there are any deferred flush bios, we must commit +- * the metadata before issuing them. ++ * If there are any deferred flush bios, we must commit the metadata ++ * before issuing them or signaling their completion. + */ + bio_list_init(&bios); ++ bio_list_init(&bio_completions); ++ + spin_lock_irqsave(&pool->lock, flags); + bio_list_merge(&bios, &pool->deferred_flush_bios); + bio_list_init(&pool->deferred_flush_bios); ++ ++ bio_list_merge(&bio_completions, &pool->deferred_flush_completions); ++ bio_list_init(&pool->deferred_flush_completions); + spin_unlock_irqrestore(&pool->lock, flags); + +- if (bio_list_empty(&bios) && ++ if (bio_list_empty(&bios) && bio_list_empty(&bio_completions) && + !(dm_pool_changed_this_transaction(pool->pmd) && need_commit_due_to_time(pool))) + return; + + if (commit(pool)) { ++ bio_list_merge(&bios, &bio_completions); ++ + while ((bio = bio_list_pop(&bios))) + bio_io_error(bio); + return; + } + pool->last_commit_jiffies = jiffies; + ++ while ((bio = bio_list_pop(&bio_completions))) ++ bio_endio(bio); ++ + while ((bio = bio_list_pop(&bios))) + generic_make_request(bio); + } +@@ -2885,6 +2929,7 @@ static struct pool *pool_create(struct mapped_device *pool_md, + INIT_DELAYED_WORK(&pool->no_space_timeout, do_no_space_timeout); + spin_lock_init(&pool->lock); + bio_list_init(&pool->deferred_flush_bios); ++ bio_list_init(&pool->deferred_flush_completions); + INIT_LIST_HEAD(&pool->prepared_mappings); + INIT_LIST_HEAD(&pool->prepared_discards); + INIT_LIST_HEAD(&pool->active_thins); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-138-smsc95xx-Use-skb_cow_head-to-deal-with-cloned.patch b/patches.kernel.org/4.4.175-138-smsc95xx-Use-skb_cow_head-to-deal-with-cloned.patch new file mode 100644 index 0000000000..16dc7c6194 --- /dev/null +++ b/patches.kernel.org/4.4.175-138-smsc95xx-Use-skb_cow_head-to-deal-with-cloned.patch @@ -0,0 +1,52 @@ +From: James Hughes <james.hughes@raspberrypi.org> +Date: Wed, 19 Apr 2017 11:13:40 +0100 +Subject: [PATCH] smsc95xx: Use skb_cow_head to deal with cloned skbs +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: e9156cd26a495a18706e796f02a81fee41ec14f4 + +commit e9156cd26a495a18706e796f02a81fee41ec14f4 upstream. + +The driver was failing to check that the SKB wasn't cloned +before adding checksum data. +Replace existing handling to extend/copy the header buffer +with skb_cow_head. + +Signed-off-by: James Hughes <james.hughes@raspberrypi.org> +Acked-by: Eric Dumazet <edumazet@google.com> +Acked-by: Woojung Huh <Woojung.Huh@microchip.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Linus Walleij <linus.walleij@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/usb/smsc95xx.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c +index 7cee7777d13f..b6b8aec73b28 100644 +--- a/drivers/net/usb/smsc95xx.c ++++ b/drivers/net/usb/smsc95xx.c +@@ -1838,13 +1838,13 @@ static struct sk_buff *smsc95xx_tx_fixup(struct usbnet *dev, + /* We do not advertise SG, so skbs should be already linearized */ + BUG_ON(skb_shinfo(skb)->nr_frags); + +- if (skb_headroom(skb) < overhead) { +- struct sk_buff *skb2 = skb_copy_expand(skb, +- overhead, 0, flags); ++ /* Make writable and expand header space by overhead if required */ ++ if (skb_cow_head(skb, overhead)) { ++ /* Must deallocate here as returning NULL to indicate error ++ * means the skb won't be deallocated in the caller. ++ */ + dev_kfree_skb_any(skb); +- skb = skb2; +- if (!skb) +- return NULL; ++ return NULL; + } + + if (csum) { +-- +2.20.1 + diff --git a/patches.fixes/0001-ch9200-use-skb_cow_head-to-deal-with-cloned-skbs.patch b/patches.kernel.org/4.4.175-139-ch9200-use-skb_cow_head-to-deal-with-cloned-s.patch index 11ccafd4ae..b2ba19f9f7 100644 --- a/patches.fixes/0001-ch9200-use-skb_cow_head-to-deal-with-cloned-skbs.patch +++ b/patches.kernel.org/4.4.175-139-ch9200-use-skb_cow_head-to-deal-with-cloned-s.patch @@ -1,10 +1,11 @@ -From 6bc6895bdd6744e0136eaa4a11fbdb20a7db4e40 Mon Sep 17 00:00:00 2001 From: Eric Dumazet <edumazet@google.com> Date: Wed, 19 Apr 2017 09:59:25 -0700 Subject: [PATCH] ch9200: use skb_cow_head() to deal with cloned skbs -References: bsc#1088684 +Patch-mainline: 4.4.175 +References: bnc#1012382 bsc#1088684 Git-commit: 6bc6895bdd6744e0136eaa4a11fbdb20a7db4e40 -Patch-mainline: v4.11 + +commit 6bc6895bdd6744e0136eaa4a11fbdb20a7db4e40 upstream. We need to ensure there is enough headroom to push extra header, but we also need to check if we are allowed to change headers. @@ -16,16 +17,18 @@ Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: James Hughes <james.hughes@raspberrypi.org> Cc: Matthew Garrett <mjg59@srcf.ucam.org> Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Oliver Neukum <oneukum@suse.com> +Signed-off-by: Linus Walleij <linus.walleij@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- drivers/net/usb/ch9200.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/drivers/net/usb/ch9200.c b/drivers/net/usb/ch9200.c -index 8a40202c0a17..c4f1c363e24b 100644 +index 5e151e6a3e09..3c7715ea40c1 100644 --- a/drivers/net/usb/ch9200.c +++ b/drivers/net/usb/ch9200.c -@@ -254,14 +254,9 @@ static struct sk_buff *ch9200_tx_fixup(struct usbnet *dev, struct sk_buff *skb, +@@ -255,14 +255,9 @@ static struct sk_buff *ch9200_tx_fixup(struct usbnet *dev, struct sk_buff *skb, tx_overhead = 0x40; len = skb->len; @@ -43,5 +46,5 @@ index 8a40202c0a17..c4f1c363e24b 100644 __skb_push(skb, tx_overhead); -- -2.13.6 +2.20.1 diff --git a/patches.kernel.org/4.4.175-140-kaweth-use-skb_cow_head-to-deal-with-cloned-s.patch b/patches.kernel.org/4.4.175-140-kaweth-use-skb_cow_head-to-deal-with-cloned-s.patch new file mode 100644 index 0000000000..8094182199 --- /dev/null +++ b/patches.kernel.org/4.4.175-140-kaweth-use-skb_cow_head-to-deal-with-cloned-s.patch @@ -0,0 +1,55 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Wed, 19 Apr 2017 09:59:26 -0700 +Subject: [PATCH] kaweth: use skb_cow_head() to deal with cloned skbs +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 39fba7835aacda65284a86e611774cbba71dac20 + +commit 39fba7835aacda65284a86e611774cbba71dac20 upstream. + +We can use skb_cow_head() to properly deal with clones, +especially the ones coming from TCP stack that allow their head being +modified. This avoids a copy. + +Signed-off-by: Eric Dumazet <edumazet@google.com> +Cc: James Hughes <james.hughes@raspberrypi.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Linus Walleij <linus.walleij@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/usb/kaweth.c | 18 ++++++------------ + 1 file changed, 6 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/usb/kaweth.c b/drivers/net/usb/kaweth.c +index cd93220c9b45..a628db738b8a 100644 +--- a/drivers/net/usb/kaweth.c ++++ b/drivers/net/usb/kaweth.c +@@ -812,18 +812,12 @@ static netdev_tx_t kaweth_start_xmit(struct sk_buff *skb, + } + + /* We now decide whether we can put our special header into the sk_buff */ +- if (skb_cloned(skb) || skb_headroom(skb) < 2) { +- /* no such luck - we make our own */ +- struct sk_buff *copied_skb; +- copied_skb = skb_copy_expand(skb, 2, 0, GFP_ATOMIC); +- dev_kfree_skb_irq(skb); +- skb = copied_skb; +- if (!copied_skb) { +- kaweth->stats.tx_errors++; +- netif_start_queue(net); +- spin_unlock_irq(&kaweth->device_lock); +- return NETDEV_TX_OK; +- } ++ if (skb_cow_head(skb, 2)) { ++ kaweth->stats.tx_errors++; ++ netif_start_queue(net); ++ spin_unlock_irq(&kaweth->device_lock); ++ dev_kfree_skb_any(skb); ++ return NETDEV_TX_OK; + } + + private_header = (__le16 *)__skb_push(skb, 2); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-141-usb-dwc2-Remove-unnecessary-kfree.patch b/patches.kernel.org/4.4.175-141-usb-dwc2-Remove-unnecessary-kfree.patch new file mode 100644 index 0000000000..b219700b1b --- /dev/null +++ b/patches.kernel.org/4.4.175-141-usb-dwc2-Remove-unnecessary-kfree.patch @@ -0,0 +1,36 @@ +From: John Youn <johnyoun@synopsys.com> +Date: Thu, 3 Nov 2016 17:55:45 -0700 +Subject: [PATCH] usb: dwc2: Remove unnecessary kfree +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: cd4b1e34655d46950c065d9284b596cd8d7b28cd + +commit cd4b1e34655d46950c065d9284b596cd8d7b28cd upstream. + +This shouldn't be freed by the HCD as it is owned by the core and +allocated with devm_kzalloc. + +Signed-off-by: John Youn <johnyoun@synopsys.com> +Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> +Signed-off-by: Linus Walleij <linus.walleij@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/dwc2/hcd.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c +index 85fb6226770c..98339a850940 100644 +--- a/drivers/usb/dwc2/hcd.c ++++ b/drivers/usb/dwc2/hcd.c +@@ -3164,7 +3164,6 @@ int dwc2_hcd_init(struct dwc2_hsotg *hsotg, int irq) + error2: + usb_put_hcd(hcd); + error1: +- kfree(hsotg->core_params); + + #ifdef CONFIG_USB_DWC2_TRACK_MISSED_SOFS + kfree(hsotg->last_frame_num_array); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-142-pinctrl-msm-fix-gpio-hog-related-boot-issues.patch b/patches.kernel.org/4.4.175-142-pinctrl-msm-fix-gpio-hog-related-boot-issues.patch new file mode 100644 index 0000000000..8e0e84d99d --- /dev/null +++ b/patches.kernel.org/4.4.175-142-pinctrl-msm-fix-gpio-hog-related-boot-issues.patch @@ -0,0 +1,106 @@ +From: Christian Lamparter <chunkeey@gmail.com> +Date: Mon, 21 May 2018 22:57:37 +0200 +Subject: [PATCH] pinctrl: msm: fix gpio-hog related boot issues +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: a86caa9ba5d70696ceb35d1d39caa20d8b641387 + +commit a86caa9ba5d70696ceb35d1d39caa20d8b641387 upstream. + +Sven Eckelmann reported an issue with the current IPQ4019 pinctrl. +Setting up any gpio-hog in the device-tree for his device would +"kill the bootup completely": + +| [ 0.477838] msm_serial 78af000.serial: could not find pctldev for node /soc/pinctrl@1000000/serial_pinmux, deferring probe +| [ 0.499828] spi_qup 78b5000.spi: could not find pctldev for node /soc/pinctrl@1000000/spi_0_pinmux, deferring probe +| [ 1.298883] requesting hog GPIO enable USB2 power (chip 1000000.pinctrl, offset 58) failed, -517 +| [ 1.299609] gpiochip_add_data: GPIOs 0..99 (1000000.pinctrl) failed to register +| [ 1.308589] ipq4019-pinctrl 1000000.pinctrl: Failed register gpiochip +| [ 1.316586] msm_serial 78af000.serial: could not find pctldev for node /soc/pinctrl@1000000/serial_pinmux, deferring probe +| [ 1.322415] spi_qup 78b5000.spi: could not find pctldev for node /soc/pinctrl@1000000/spi_0_pinmux, deferri + +This was also verified on a RT-AC58U (IPQ4018) which would +no longer boot, if a gpio-hog was specified. (Tried forcing +the USB LED PIN (GPIO0) to high.). + +The problem is that Pinctrl+GPIO registration is currently +peformed in the following order in pinctrl-msm.c: + 1. pinctrl_register() + 2. gpiochip_add() + 3. gpiochip_add_pin_range() + +The actual error code -517 == -EPROBE_DEFER is coming from +pinctrl_get_device_gpio_range(), which is called through: + gpiochip_add + of_gpiochip_add + of_gpiochip_scan_gpios + gpiod_hog + gpiochip_request_own_desc + __gpiod_request + chip->request + gpiochip_generic_request + pinctrl_gpio_request + pinctrl_get_device_gpio_range + +pinctrl_get_device_gpio_range() is unable to find any valid +pin ranges, since nothing has been added to the pinctrldev_list yet. +so the range can't be found, and the operation fails with -EPROBE_DEFER. + +This patch fixes the issue by adding the "gpio-ranges" property to +the pinctrl device node of all upstream Qcom SoC. The pin ranges are +then added by the gpio core. + +In order to remain compatible with older, existing DTs (and ACPI) +a check for the "gpio-ranges" property has been added to +msm_gpio_init(). This prevents the driver of adding the same entry +to the pinctrldev_list twice. + +Reported-by: Sven Eckelmann <sven.eckelmann@openmesh.com> +Tested-by: Sven Eckelmann <sven.eckelmann@openmesh.com> [ipq4019] +Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org> +Signed-off-by: Christian Lamparter <chunkeey@gmail.com> +Signed-off-by: Linus Walleij <linus.walleij@linaro.org> +Signed-off-by: Amit Pundir <amit.pundir@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/pinctrl/qcom/pinctrl-msm.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/drivers/pinctrl/qcom/pinctrl-msm.c b/drivers/pinctrl/qcom/pinctrl-msm.c +index 9736f9be5447..a9d2e8a0aa85 100644 +--- a/drivers/pinctrl/qcom/pinctrl-msm.c ++++ b/drivers/pinctrl/qcom/pinctrl-msm.c +@@ -806,11 +806,24 @@ static int msm_gpio_init(struct msm_pinctrl *pctrl) + return ret; + } + +- ret = gpiochip_add_pin_range(&pctrl->chip, dev_name(pctrl->dev), 0, 0, chip->ngpio); +- if (ret) { +- dev_err(pctrl->dev, "Failed to add pin range\n"); +- gpiochip_remove(&pctrl->chip); +- return ret; ++ /* ++ * For DeviceTree-supported systems, the gpio core checks the ++ * pinctrl's device node for the "gpio-ranges" property. ++ * If it is present, it takes care of adding the pin ranges ++ * for the driver. In this case the driver can skip ahead. ++ * ++ * In order to remain compatible with older, existing DeviceTree ++ * files which don't set the "gpio-ranges" property or systems that ++ * utilize ACPI the driver has to call gpiochip_add_pin_range(). ++ */ ++ if (!of_property_read_bool(pctrl->dev->of_node, "gpio-ranges")) { ++ ret = gpiochip_add_pin_range(&pctrl->chip, ++ dev_name(pctrl->dev), 0, 0, chip->ngpio); ++ if (ret) { ++ dev_err(pctrl->dev, "Failed to add pin range\n"); ++ gpiochip_remove(&pctrl->chip); ++ return ret; ++ } + } + + ret = gpiochip_irqchip_add(chip, +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-143-uapi-if_ether.h-move-__UAPI_DEF_ETHHDR-libc-d.patch b/patches.kernel.org/4.4.175-143-uapi-if_ether.h-move-__UAPI_DEF_ETHHDR-libc-d.patch new file mode 100644 index 0000000000..df931faf89 --- /dev/null +++ b/patches.kernel.org/4.4.175-143-uapi-if_ether.h-move-__UAPI_DEF_ETHHDR-libc-d.patch @@ -0,0 +1,94 @@ +From: Hauke Mehrtens <hauke@hauke-m.de> +Date: Mon, 12 Feb 2018 23:59:51 +0100 +Subject: [PATCH] uapi/if_ether.h: move __UAPI_DEF_ETHHDR libc define +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: da360299b6734135a5f66d7db458dcc7801c826a + +commit da360299b6734135a5f66d7db458dcc7801c826a upstream. + +This fixes a compile problem of some user space applications by not +including linux/libc-compat.h in uapi/if_ether.h. + +linux/libc-compat.h checks which "features" the header files, included +from the libc, provide to make the Linux kernel uapi header files only +provide no conflicting structures and enums. If a user application mixes +kernel headers and libc headers it could happen that linux/libc-compat.h +gets included too early where not all other libc headers are included +yet. Then the linux/libc-compat.h would not prevent all the +redefinitions and we run into compile problems. +This patch removes the include of linux/libc-compat.h from +uapi/if_ether.h to fix the recently introduced case, but not all as this +is more or less impossible. + +It is no problem to do the check directly in the if_ether.h file and not +in libc-compat.h as this does not need any fancy glibc header detection +as glibc never provided struct ethhdr and should define +__UAPI_DEF_ETHHDR by them self when they will provide this. + +The following test program did not compile correctly any more: + +#include <linux/if_ether.h> +#include <netinet/in.h> +#include <linux/in.h> + +int main(void) +{ + return 0; +} + +Fixes: 6926e041a892 ("uapi/if_ether.h: prevent redefinition of struct ethhdr") +Reported-by: Guillaume Nault <g.nault@alphalink.fr> +Cc: <stable@vger.kernel.org> # 4.15 +Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> +Signed-off-by: David S. Miller <davem@davemloft.net> +Cc: Sudip Mukherjee <sudipm.mukherjee@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + include/uapi/linux/if_ether.h | 6 +++++- + include/uapi/linux/libc-compat.h | 6 ------ + 2 files changed, 5 insertions(+), 7 deletions(-) + +diff --git a/include/uapi/linux/if_ether.h b/include/uapi/linux/if_ether.h +index cb490cd9376f..373afec2ed34 100644 +--- a/include/uapi/linux/if_ether.h ++++ b/include/uapi/linux/if_ether.h +@@ -22,7 +22,6 @@ + #define _UAPI_LINUX_IF_ETHER_H + + #include <linux/types.h> +-#include <linux/libc-compat.h> + + /* + * IEEE 802.3 Ethernet magic constants. The frame sizes omit the preamble +@@ -137,6 +136,11 @@ + * This is an Ethernet frame header. + */ + ++/* allow libcs like musl to deactivate this, glibc does not implement this. */ ++#ifndef __UAPI_DEF_ETHHDR ++#define __UAPI_DEF_ETHHDR 1 ++#endif ++ + #if __UAPI_DEF_ETHHDR + struct ethhdr { + unsigned char h_dest[ETH_ALEN]; /* destination eth addr */ +diff --git a/include/uapi/linux/libc-compat.h b/include/uapi/linux/libc-compat.h +index 5da44c571cdd..e4f048ee7043 100644 +--- a/include/uapi/linux/libc-compat.h ++++ b/include/uapi/linux/libc-compat.h +@@ -184,10 +184,4 @@ + + #endif /* __GLIBC__ */ + +-/* Definitions for if_ether.h */ +-/* allow libcs like musl to deactivate this, glibc does not implement this. */ +-#ifndef __UAPI_DEF_ETHHDR +-#define __UAPI_DEF_ETHHDR 1 +-#endif +- + #endif /* _UAPI_LIBC_COMPAT_H */ +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.175-144-Linux-4.4.175.patch b/patches.kernel.org/4.4.175-144-Linux-4.4.175.patch new file mode 100644 index 0000000000..8eea1d8fef --- /dev/null +++ b/patches.kernel.org/4.4.175-144-Linux-4.4.175.patch @@ -0,0 +1,27 @@ +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Date: Wed, 20 Feb 2019 10:13:24 +0100 +Subject: [PATCH] Linux 4.4.175 +References: bnc#1012382 +Patch-mainline: 4.4.175 +Git-commit: 332deb1f5ce960682d35a2519f1bd50f8ba52820 + +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 1fa281069379..5f0bdef2af99 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 174 ++SUBLEVEL = 175 + EXTRAVERSION = + NAME = Blurry Fish Butt + +-- +2.20.1 + diff --git a/patches.suse/0020-perf-x86-intel-uncore-remove-hard-coded-implementation-for-node-id-mapping-location.patch b/patches.suse/0020-perf-x86-intel-uncore-remove-hard-coded-implementation-for-node-id-mapping-location.patch index bd1bbf1fd8..a07b432b44 100644 --- a/patches.suse/0020-perf-x86-intel-uncore-remove-hard-coded-implementation-for-node-id-mapping-location.patch +++ b/patches.suse/0020-perf-x86-intel-uncore-remove-hard-coded-implementation-for-node-id-mapping-location.patch @@ -74,7 +74,7 @@ Signed-off-by: Tony Jones <tonyj@suse.de> + err = pci_read_config_dword(ubox_dev, nodeid_loc, &config); if (err) break; - nodeid = config; + nodeid = config & NODE_ID_MASK; /* get the Node ID mapping */ - err = pci_read_config_dword(ubox_dev, 0x54, &config); + err = pci_read_config_dword(ubox_dev, idmap_loc, &config); @@ -125,7 +125,7 @@ Signed-off-by: Tony Jones <tonyj@suse.de> if (ret) return ret; uncore_pci_uncores = ivbep_pci_uncores; -@@ -2901,7 +2914,7 @@ static struct pci_driver hswep_uncore_pc +@@ -2899,7 +2912,7 @@ static struct pci_driver hswep_uncore_pc int hswep_uncore_pci_init(void) { @@ -134,7 +134,7 @@ Signed-off-by: Tony Jones <tonyj@suse.de> if (ret) return ret; uncore_pci_uncores = hswep_pci_uncores; -@@ -3205,7 +3218,7 @@ static struct pci_driver bdx_uncore_pci_ +@@ -3188,7 +3201,7 @@ static struct pci_driver bdx_uncore_pci_ int bdx_uncore_pci_init(void) { diff --git a/patches.suse/hwmon-lm80-Fix-missing-unlock-on-error-in-set_fan_di.patch b/patches.suse/hwmon-lm80-Fix-missing-unlock-on-error-in-set_fan_di.patch new file mode 100644 index 0000000000..8297262590 --- /dev/null +++ b/patches.suse/hwmon-lm80-Fix-missing-unlock-on-error-in-set_fan_di.patch @@ -0,0 +1,32 @@ +From: Wei Yongjun <weiyongjun1@huawei.com> +Date: Wed, 26 Dec 2018 11:28:24 +0000 +Subject: hwmon: (lm80) Fix missing unlock on error in set_fan_div() +Git-commit: 07bd14ccc3049f9c0147a91a4227a571f981601a +Patch-mainline: v5.0-rc3 +References: git-fixes + +Add the missing unlock before return from function set_fan_div() +in the error handling case. + +Fixes: c9c63915519b ("hwmon: (lm80) fix a missing check of the status of SMBus read") +Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com> +Signed-off-by: Guenter Roeck <linux@roeck-us.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/hwmon/lm80.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/hwmon/lm80.c ++++ b/drivers/hwmon/lm80.c +@@ -393,8 +393,10 @@ static ssize_t set_fan_div(struct device + } + + rv = lm80_read_value(client, LM80_REG_FANDIV); +- if (rv < 0) ++ if (rv < 0) { ++ mutex_unlock(&data->update_lock); + return rv; ++ } + reg = (rv & ~(3 << (2 * (nr + 1)))) + | (data->fan_div[nr] << (2 * (nr + 1))); + lm80_write_value(client, LM80_REG_FANDIV, reg); diff --git a/series.conf b/series.conf index 03516b2950..0023c3b2bc 100644 --- a/series.conf +++ b/series.conf @@ -5498,6 +5498,150 @@ patches.kernel.org/4.4.174-033-net-ipv4-do-not-handle-duplicate-fragments-as.patch patches.kernel.org/4.4.174-034-rcu-Force-boolean-subscript-for-expedited-sta.patch patches.kernel.org/4.4.174-035-Linux-4.4.174.patch + patches.kernel.org/4.4.175-001-drm-bufs-Fix-Spectre-v1-vulnerability.patch + patches.kernel.org/4.4.175-002-staging-iio-adc-ad7280a-handle-error-from-__a.patch + patches.kernel.org/4.4.175-003-ASoC-Intel-mrfld-fix-uninitialized-variable-a.patch + patches.kernel.org/4.4.175-004-scsi-lpfc-Correct-LCB-RJT-handling.patch + patches.kernel.org/4.4.175-005-ARM-8808-1-kexec-offline-panic_smp_self_stop-.patch + patches.kernel.org/4.4.175-006-dlm-Don-t-swamp-the-CPU-with-callbacks-queued.patch + patches.kernel.org/4.4.175-007-x86-PCI-Fix-Broadcom-CNB20LE-unintended-sign-.patch + patches.kernel.org/4.4.175-008-powerpc-pseries-add-of_node_put-in-dlpar_deta.patch + patches.kernel.org/4.4.175-009-serial-fsl_lpuart-clear-parity-enable-bit-whe.patch + patches.kernel.org/4.4.175-010-ptp-check-gettime64-return-code-in-PTP_SYS_OF.patch + patches.kernel.org/4.4.175-011-staging-iio-ad2s90-Make-probe-handle-spi_setu.patch + patches.kernel.org/4.4.175-012-staging-iio-ad7780-update-voltage-on-read.patch + patches.kernel.org/4.4.175-013-ARM-OMAP2-hwmod-Fix-some-section-annotations.patch + patches.kernel.org/4.4.175-014-modpost-validate-symbol-names-also-in-find_el.patch + patches.kernel.org/4.4.175-015-perf-tools-Add-Hygon-Dhyana-support.patch + patches.kernel.org/4.4.175-016-soc-tegra-Don-t-leak-device-tree-node-referen.patch + patches.kernel.org/4.4.175-017-f2fs-move-dir-data-flush-to-write-checkpoint-.patch + patches.kernel.org/4.4.175-018-f2fs-fix-wrong-return-value-of-f2fs_acl_creat.patch + patches.kernel.org/4.4.175-019-sunvdc-Do-not-spin-in-an-infinite-loop-when-v.patch + patches.kernel.org/4.4.175-020-nfsd4-fix-crash-on-writing-v4_end_grace-befor.patch + patches.kernel.org/4.4.175-021-arm64-ftrace-don-t-adjust-the-LR-value.patch + patches.kernel.org/4.4.175-022-ARM-dts-mmp2-fix-TWSI2.patch + patches.kernel.org/4.4.175-023-x86-fpu-Add-might_fault-to-user_insn.patch + patches.kernel.org/4.4.175-024-media-DaVinci-VPBE-fix-error-handling-in-vpbe.patch + patches.kernel.org/4.4.175-025-smack-fix-access-permissions-for-keyring.patch + patches.kernel.org/4.4.175-026-usb-hub-delay-hub-autosuspend-if-USB3-port-is.patch + patches.kernel.org/4.4.175-027-timekeeping-Use-proper-seqcount-initializer.patch + patches.kernel.org/4.4.175-028-ARM-dts-Fix-OMAP4430-SDP-Ethernet-startup.patch + patches.kernel.org/4.4.175-029-mips-bpf-fix-encoding-bug-for-mm_srlv32_op.patch + patches.kernel.org/4.4.175-030-iommu-arm-smmu-v3-Use-explicit-mb-when-moving.patch + patches.kernel.org/4.4.175-031-sata_rcar-fix-deferred-probing.patch + patches.kernel.org/4.4.175-032-clk-imx6sl-ensure-MMDC-CH0-handshake-is-bypas.patch + patches.kernel.org/4.4.175-033-cpuidle-big.LITTLE-fix-refcount-leak.patch + patches.kernel.org/4.4.175-034-i2c-axxia-check-for-error-conditions-first.patch + patches.kernel.org/4.4.175-035-udf-Fix-BUG-on-corrupted-inode.patch + patches.kernel.org/4.4.175-036-ARM-pxa-avoid-section-mismatch-warning.patch + patches.kernel.org/4.4.175-037-ASoC-fsl-Fix-SND_SOC_EUKREA_TLV320-build-erro.patch + patches.kernel.org/4.4.175-038-memstick-Prevent-memstick-host-from-getting-r.patch + patches.kernel.org/4.4.175-039-tty-serial-samsung-Properly-set-flags-in-auto.patch + patches.kernel.org/4.4.175-040-arm64-KVM-Skip-MMIO-insn-after-emulation.patch + patches.kernel.org/4.4.175-041-powerpc-uaccess-fix-warning-error-with-access.patch + patches.kernel.org/4.4.175-042-mac80211-fix-radiotap-vendor-presence-bitmap-.patch + patches.kernel.org/4.4.175-043-xfrm6_tunnel-Fix-spi-check-in-__xfrm6_tunnel_.patch + patches.kernel.org/4.4.175-044-Bluetooth-Fix-unnecessary-error-message-for-H.patch + patches.kernel.org/4.4.175-045-cw1200-Fix-concurrency-use-after-free-bugs-in.patch + patches.kernel.org/4.4.175-046-drbd-narrow-rcu_read_lock-in-drbd_sync_handsh.patch + patches.kernel.org/4.4.175-047-drbd-disconnect-if-the-wrong-UUIDs-are-attach.patch + patches.kernel.org/4.4.175-048-drbd-skip-spurious-timeout-ping-timeo-when-fa.patch + patches.kernel.org/4.4.175-049-drbd-Avoid-Clang-warning-about-pointless-swit.patch + patches.kernel.org/4.4.175-050-video-clps711x-fb-release-disp-device-node-in.patch + patches.kernel.org/4.4.175-051-fbdev-fbmem-behave-better-with-small-rotated-.patch + patches.kernel.org/4.4.175-052-igb-Fix-an-issue-that-PME-is-not-enabled-duri.patch + patches.kernel.org/4.4.175-053-fbdev-fbcon-Fix-unregister-crash-when-more-th.patch + patches.kernel.org/4.4.175-054-KVM-x86-svm-report-MSR_IA32_MCG_EXT_CTL-as-un.patch + patches.kernel.org/4.4.175-055-NFS-nfs_compare_mount_options-always-compare-.patch + patches.kernel.org/4.4.175-056-hwmon-lm80-fix-a-missing-check-of-the-status-.patch + patches.kernel.org/4.4.175-057-hwmon-lm80-fix-a-missing-check-of-bus-read-in.patch + patches.kernel.org/4.4.175-058-seq_buf-Make-seq_buf_puts-null-terminate-the-.patch + patches.kernel.org/4.4.175-059-crypto-ux500-Use-proper-enum-in-cryp_set_dma_.patch + patches.kernel.org/4.4.175-060-crypto-ux500-Use-proper-enum-in-hash_set_dma_.patch + patches.kernel.org/4.4.175-061-cifs-check-ntwrk_buf_start-for-NULL-before-de.patch + patches.kernel.org/4.4.175-062-um-Avoid-marking-pages-with-changed-protectio.patch + patches.kernel.org/4.4.175-063-niu-fix-missing-checks-of-niu_pci_eeprom_read.patch + patches.kernel.org/4.4.175-064-scripts-decode_stacktrace-only-strip-base-pat.patch + patches.kernel.org/4.4.175-065-ocfs2-don-t-clear-bh-uptodate-for-block-read.patch + patches.kernel.org/4.4.175-066-isdn-hisax-hfc_pci-Fix-a-possible-concurrency.patch + patches.kernel.org/4.4.175-067-gdrom-fix-a-memory-leak-bug.patch + patches.kernel.org/4.4.175-068-block-swim3-Fix-EBUSY-error-when-re-opening-d.patch + patches.kernel.org/4.4.175-069-HID-lenovo-Add-checks-to-fix-of_led_classdev_.patch + patches.kernel.org/4.4.175-070-kernel-hung_task.c-break-RCU-locks-based-on-j.patch + patches.kernel.org/4.4.175-071-fs-epoll-drop-ovflist-branch-prediction.patch + patches.kernel.org/4.4.175-072-exec-load_script-don-t-blindly-truncate-sheba.patch + patches.kernel.org/4.4.175-073-thermal-hwmon-inline-helpers-when-CONFIG_THER.patch + patches.kernel.org/4.4.175-074-test_hexdump-use-memcpy-instead-of-strncpy.patch + patches.kernel.org/4.4.175-075-tipc-use-destination-length-for-copy-string.patch + patches.kernel.org/4.4.175-076-string-drop-__must_check-from-strscpy-and-res.patch + patches.kernel.org/4.4.175-077-dccp-fool-proof-ccid_hc_-rt-x_parse_options.patch + patches.kernel.org/4.4.175-078-enic-fix-checksum-validation-for-IPv6.patch + patches.kernel.org/4.4.175-079-net-dp83640-expire-old-TX-skb.patch + patches.kernel.org/4.4.175-080-skge-potential-memory-corruption-in-skge_get_.patch + patches.kernel.org/4.4.175-081-net-systemport-Fix-WoL-with-password-after-de.patch + patches.kernel.org/4.4.175-082-net-dsa-slave-Don-t-propagate-flag-changes-on.patch + patches.kernel.org/4.4.175-083-ALSA-compress-Fix-stop-handling-on-compressed.patch + patches.kernel.org/4.4.175-084-ALSA-hda-Serialize-codec-registrations.patch + patches.kernel.org/4.4.175-085-fuse-call-pipe_buf_release-under-pipe-lock.patch + patches.kernel.org/4.4.175-086-fuse-decrement-NR_WRITEBACK_TEMP-on-the-right.patch + patches.kernel.org/4.4.175-087-fuse-handle-zero-sized-retrieve-correctly.patch + patches.kernel.org/4.4.175-088-dmaengine-imx-dma-fix-wrong-callback-invoke.patch + patches.kernel.org/4.4.175-089-usb-phy-am335x-fix-race-condition-in-_probe.patch + patches.kernel.org/4.4.175-090-usb-gadget-udc-net2272-Fix-bitwise-and-boolea.patch + patches.kernel.org/4.4.175-091-KVM-x86-work-around-leak-of-uninitialized-sta.patch + patches.kernel.org/4.4.175-092-KVM-nVMX-unconditionally-cancel-preemption-ti.patch + patches.kernel.org/4.4.175-093-perf-x86-intel-uncore-Add-Node-ID-mask.patch + patches.kernel.org/4.4.175-094-x86-MCE-Initialize-mce.bank-in-the-case-of-a-.patch + patches.kernel.org/4.4.175-095-perf-core-Don-t-WARN-for-impossible-ring-buff.patch + patches.kernel.org/4.4.175-096-perf-tests-evsel-tp-sched-Fix-bitwise-operato.patch + patches.kernel.org/4.4.175-097-mtd-rawnand-gpmi-fix-MX28-bus-master-lockup-p.patch + patches.kernel.org/4.4.175-098-signal-Always-notice-exiting-tasks.patch + patches.kernel.org/4.4.175-099-signal-Better-detection-of-synchronous-signal.patch + patches.kernel.org/4.4.175-100-misc-vexpress-Off-by-one-in-vexpress_syscfg_e.patch + patches.kernel.org/4.4.175-101-debugfs-fix-debugfs_rename-parameter-checking.patch + patches.kernel.org/4.4.175-102-mips-cm-reprime-error-cause.patch + patches.kernel.org/4.4.175-103-MIPS-OCTEON-don-t-set-octeon_dma_bar_type-if-.patch + patches.kernel.org/4.4.175-104-MIPS-VDSO-Include-ccflags-vdso-in-o32-n32-.ld.patch + patches.kernel.org/4.4.175-105-ARM-iop32x-n2100-fix-PCI-IRQ-mapping.patch + patches.kernel.org/4.4.175-106-mac80211-ensure-that-mgmt-tx-skbs-have-tailro.patch + patches.kernel.org/4.4.175-107-drm-modes-Prevent-division-by-zero-htotal.patch + patches.kernel.org/4.4.175-108-drm-vmwgfx-Fix-setting-of-dma-masks.patch + patches.kernel.org/4.4.175-109-drm-vmwgfx-Return-error-code-from-vmw_execbuf.patch + patches.kernel.org/4.4.175-110-HID-debug-fix-the-ring-buffer-implementation.patch + patches.kernel.org/4.4.175-111-NFC-nxp-nci-Include-unaligned.h-instead-of-ac.patch + patches.kernel.org/4.4.175-112-Revert-cifs-In-Kconfig-CONFIG_CIFS_POSIX-need.patch + patches.kernel.org/4.4.175-113-libceph-avoid-KEEPALIVE_PENDING-races-in-ceph.patch + patches.kernel.org/4.4.175-114-xfrm-refine-validation-of-template-and-select.patch + patches.kernel.org/4.4.175-115-batman-adv-Avoid-WARN-on-net_device-without-p.patch + patches.kernel.org/4.4.175-116-batman-adv-Force-mac-header-to-start-of-data-.patch + patches.kernel.org/4.4.175-117-Revert-exec-load_script-don-t-blindly-truncat.patch + patches.kernel.org/4.4.175-118-uapi-if_ether.h-prevent-redefinition-of-struc.patch + patches.kernel.org/4.4.175-119-ARM-dts-da850-evm-Correct-the-sound-card-name.patch + patches.kernel.org/4.4.175-120-ARM-dts-kirkwood-Fix-polarity-of-GPIO-fan-lin.patch + patches.kernel.org/4.4.175-121-gpio-pl061-handle-failed-allocations.patch + patches.kernel.org/4.4.175-122-cifs-Limit-memory-used-by-lock-request-calls-.patch + patches.kernel.org/4.4.175-123-Documentation-network-reword-kernel-version-r.patch + patches.kernel.org/4.4.175-124-Revert-Input-elan_i2c-add-ACPI-ID-for-touchpa.patch + patches.kernel.org/4.4.175-125-Input-elan_i2c-add-ACPI-ID-for-touchpad-in-Le.patch + patches.kernel.org/4.4.175-126-perf-core-Fix-impossible-ring-buffer-sizes-wa.patch + patches.kernel.org/4.4.175-127-ALSA-hda-Add-quirk-for-HP-EliteBook-840-G5.patch + patches.kernel.org/4.4.175-128-ALSA-usb-audio-Fix-implicit-fb-endpoint-setup.patch + patches.kernel.org/4.4.175-129-Input-bma150-register-input-device-after-sett.patch + patches.kernel.org/4.4.175-130-Input-elantech-enable-3rd-button-support-on-F.patch + patches.kernel.org/4.4.175-131-alpha-fix-page-fault-handling-for-r16-r18-tar.patch + patches.kernel.org/4.4.175-132-alpha-Fix-Eiger-NR_IRQS-to-128.patch + patches.kernel.org/4.4.175-133-tracing-uprobes-Fix-output-for-multiple-strin.patch + patches.kernel.org/4.4.175-134-x86-platform-UV-Use-efi_runtime_lock-to-seria.patch + patches.kernel.org/4.4.175-135-signal-Restore-the-stop-PTRACE_EVENT_EXIT.patch + patches.kernel.org/4.4.175-136-x86-a.out-Clear-the-dump-structure-initially.patch + patches.kernel.org/4.4.175-137-dm-thin-fix-bug-where-bio-that-overwrites-thi.patch + patches.kernel.org/4.4.175-138-smsc95xx-Use-skb_cow_head-to-deal-with-cloned.patch + patches.kernel.org/4.4.175-139-ch9200-use-skb_cow_head-to-deal-with-cloned-s.patch + patches.kernel.org/4.4.175-140-kaweth-use-skb_cow_head-to-deal-with-cloned-s.patch + patches.kernel.org/4.4.175-141-usb-dwc2-Remove-unnecessary-kfree.patch + patches.kernel.org/4.4.175-142-pinctrl-msm-fix-gpio-hog-related-boot-issues.patch + patches.kernel.org/4.4.175-143-uapi-if_ether.h-move-__UAPI_DEF_ETHHDR-libc-d.patch + patches.kernel.org/4.4.175-144-Linux-4.4.175.patch ######################################################## # Build fixes that apply to the vanilla kernel too. @@ -20056,7 +20200,6 @@ patches.drivers/qed-sp3-0226-qed-Fix-sending-an-invalid-PFC-error-mask-to-MFW.patch patches.drivers/qed-sp3-0227-qed-Fix-possible-system-hang-in-the-dcbnl-getdcbx-pa.patch patches.drivers/qed-sp3-0228-qed-Fix-issue-in-populating-the-PFC-config-paramters.patch - patches.fixes/0001-ch9200-use-skb_cow_head-to-deal-with-cloned-skbs.patch patches.arch/x86-mce-make-the-mce-notifier-a-blocking-one.patch patches.fixes/scsi-return-correct-blkprep-status-code-in-case-scsi.patch patches.drivers/net-mlx5e-Fix-race-in-mlx5e_sw_stats-and-mlx5e_vport.patch @@ -23030,7 +23173,6 @@ patches.arch/arm64-Run-enable-method-for-errata-work-arounds-on-l.patch patches.suse/0027-arm64-Branch-predictor-hardening-for-Cavium-ThunderX.patch patches.suse/0029-arm64-Turn-on-KPTI-only-on-CPUs-that-need-it.patch - patches.fixes/string-drop-__must_check-from-strscpy-and-restore-st.patch patches.fixes/xprtrdma-Fix-backchannel-allocation-of-extra-rpcrdma.patch patches.drivers/scsi-lpfc-FLOGI-failures-are-reported-when-connected.patch patches.drivers/scsi-lpfc-Expand-WQE-capability-of-every-NVME-hardwa.patch @@ -23293,7 +23435,6 @@ patches.drivers/ibmvnic-Clean-RX-pool-buffers-during-device-close.patch patches.drivers/PCI-cxgb4-Extend-T3-PCI-quirk-to-T4-devices.patch patches.drivers/RDMA-uverbs-Protect-from-command-mask-overflow.patch - patches.drivers/RDMA-bnxt_re-Synchronize-destroy_qp-with-poll_cq.patch patches.drivers/scsi-mpt3sas-fix-an-out-of-bound-write patches.drivers/scsi-qla2xxx-Fix-a-locking-imbalance-in-qlt_24xx_han.patch patches.drivers/scsi-qla2xxx-Fix-double-free-bug-after-firmware-time.patch @@ -24209,7 +24350,6 @@ patches.fixes/cifs-connect-to-servername-instead-of-IP-for-IPC-share.patch patches.fixes/ceph-avoid-a-use-after-free-in-ceph_destroy_options.patch patches.arch/0006-kvm-x86-do-not-re-try-execute-after-failed-emulation-in-l2 - patches.drivers/bnxt_re-Fix-couple-of-memory-leaks-that-could-lead-t.patch patches.arch/s390-sles12sp3-22-01-01-net-af_iucv-drop-inbound-packets-with-invalid-flags.patch patches.arch/s390-sles12sp3-22-01-02-net-af_iucv-fix-skb-handling-on-HiperTransport-xmit-.patch patches.drivers/net-ena-fix-surprise-unplug-NULL-dereference-kernel-.patch @@ -24417,13 +24557,10 @@ patches.suse/tty-ldsem-Decrement-wait_readers-on-timeouted-down_r.patch patches.drivers/revert-iommu-io-pgtable-arm-check-for-v7s-incapable-systems patches.drivers/iommu-amd-fix-amd_iommu-force_isolation - patches.suse/0001-block-swim3-Fix-EBUSY-error-when-re-opening-device-a.patch - patches.fixes/0001-fbdev-fbmem-behave-better-with-small-rotated-display.patch - patches.fixes/0001-fbdev-fbcon-Fix-unregister-crash-when-more-than-one-.patch patches.fixes/rbd-don-t-return-0-on-unmap-if-rbd_dev_flag_removing-is-set.patch patches.suse/tty-Don-t-hold-ldisc-lock-in-tty_reopen-if-ldisc-pre.patch + patches.suse/hwmon-lm80-Fix-missing-unlock-on-error-in-set_fan_di.patch patches.fixes/ceph-clear-inode-pointer-when-snap-realm-gets-dropped-by-its-inode.patch - patches.fixes/libceph-avoid-keepalive_pending-races-in-ceph_con_keepalive.patch patches.drivers/ibmveth-Do-not-process-frames-after-calling-napi_res.patch patches.fixes/acpi-nfit-block-function-zero-dsms.patch patches.fixes/acpi-nfit-fix-command-supported-detection.patch @@ -24437,10 +24574,6 @@ patches.drivers/iommu-vt-d-fix-memory-leak-in-intel_iommu_put_resv_regions patches.drivers/iommu-amd-fix-iommu-page-flush-when-detach-device-from-a-domain patches.arch/kvm-fix-kvm_ioctl_create_device-reference-counting-cve-2019-6974 - patches.arch/kvm-x86-work-around-leak-of-uninitialized-stack-contents-cve-2019-7222 - patches.arch/kvm-nvmx-unconditionally-cancel-preemption-timer-in-free_nested-cve-2019-7221 - patches.fixes/0001-drm-vmwgfx-Return-error-code-from-vmw_execbuf_copy_f.patch - patches.fixes/0001-drm-vmwgfx-Fix-setting-of-dma-masks.patch patches.fixes/0001-gpu-ipu-v3-Fix-i.MX51-CSI-control-registers-offset.patch patches.fixes/0002-gpu-ipu-v3-Fix-CSI-offsets-for-imx53.patch patches.fixes/0003-drm-i915-Block-fbdev-HPD-processing-during-suspend.patch @@ -25434,6 +25567,9 @@ patches.kabi/kabi-KVM-x86-kABI-workaround-for-PKRU-fixes.patch + patches.fixes/0001-KVM-VMX-Fix-x2apic-check-in-vmx_msr_bitmap_mode.patch + patches.fixes/0001-KVM-VMX-Missing-part-of-upstream-commit-904e14fb7cb9.patch + ######################################################## # IOMMU patches ######################################################## @@ -25837,6 +25973,8 @@ patches.kabi/KVM-VMX-Work-around-kABI-breakage-in-enum-vmx_l1d_fl.patch patches.kabi/bpf-ssbd-removal-workaround.patch patches.kabi/fix-kvm-kabi.patch + patches.kabi/kabi-protect-struct-hda_bus.patch + patches.kabi/kabi-protect-kfifo-include-in-hid-debug.patch # bsc#1114417 patches.suse/hpwdt-calculate-reload-each-use.patch |