summaryrefslogtreecommitdiff |
diff options
author | Olaf Hering <ohering@suse.de> | 2019-01-16 08:12:02 +0100 |
---|---|---|
committer | Olaf Hering <ohering@suse.de> | 2019-01-16 08:12:02 +0100 |
commit | f1219fe318d019c8b9c1deb160dd0ad6766ed432 (patch) | |
tree | 19397cf696ddf38440792f660c7d634ed6fdf40f | |
parent | 7336445d0d9324f3d8d1d5e0727e943f7cf7dd61 (diff) | |
parent | c5890e62790abce676538a0759234cc0382e8c84 (diff) |
Merge remote-tracking branch 'kerncvs/SLE12-SP3' into SLE12-SP3-AZURE
138 files changed, 8103 insertions, 319 deletions
diff --git a/patches.drivers/0019-x86-mm-introduce-vmem_altmap-to-augment-vmemmap_populate.patch b/patches.drivers/0019-x86-mm-introduce-vmem_altmap-to-augment-vmemmap_populate.patch index dadc54e379..47241e7cec 100644 --- a/patches.drivers/0019-x86-mm-introduce-vmem_altmap-to-augment-vmemmap_populate.patch +++ b/patches.drivers/0019-x86-mm-introduce-vmem_altmap-to-augment-vmemmap_populate.patch @@ -46,7 +46,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> #include <linux/nmi.h> #include <linux/gfp.h> #include <linux/kcore.h> -@@ -722,6 +723,12 @@ static void __meminit free_pagetable(str +@@ -724,6 +725,12 @@ static void __meminit free_pagetable(str { unsigned long magic; unsigned int nr_pages = 1 << order; @@ -59,7 +59,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> /* bootmem page has reserved flag */ if (PageReserved(page)) { -@@ -1026,13 +1033,19 @@ int __ref arch_remove_memory(u64 start, +@@ -1028,13 +1035,19 @@ int __ref arch_remove_memory(u64 start, { unsigned long start_pfn = start >> PAGE_SHIFT; unsigned long nr_pages = size >> PAGE_SHIFT; @@ -81,7 +81,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> return ret; } -@@ -1244,7 +1257,7 @@ static void __meminitdata *p_start, *p_e +@@ -1246,7 +1259,7 @@ static void __meminitdata *p_start, *p_e static int __meminitdata node_start; static int __meminit vmemmap_populate_hugepages(unsigned long start, @@ -90,7 +90,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> { unsigned long addr; unsigned long next; -@@ -1267,7 +1280,7 @@ static int __meminit vmemmap_populate_hu +@@ -1269,7 +1282,7 @@ static int __meminit vmemmap_populate_hu if (pmd_none(*pmd)) { void *p; @@ -99,7 +99,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> if (p) { pte_t entry; -@@ -1288,7 +1301,8 @@ static int __meminit vmemmap_populate_hu +@@ -1290,7 +1303,8 @@ static int __meminit vmemmap_populate_hu addr_end = addr + PMD_SIZE; p_end = p + PMD_SIZE; continue; @@ -109,7 +109,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> } else if (pmd_large(*pmd)) { vmemmap_verify((pte_t *)pmd, node, addr, next); continue; -@@ -1301,11 +1315,16 @@ static int __meminit vmemmap_populate_hu +@@ -1304,11 +1318,16 @@ static int __meminit vmemmap_populate_hu int __meminit vmemmap_populate(unsigned long start, unsigned long end, int node) { @@ -140,7 +140,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> pmem->pfn_flags |= PFN_MAP; } else pmem->virt_addr = (void __pmem *) devm_memremap(dev, -@@ -386,7 +387,8 @@ static int nvdimm_namespace_attach_pfn(s +@@ -387,7 +388,8 @@ static int nvdimm_namespace_attach_pfn(s /* establish pfn range for lookup, and switch to direct map */ pmem = dev_get_drvdata(dev); devm_memunmap(dev, (void __force *) pmem->virt_addr); @@ -229,7 +229,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> #endif /* _LINUX_MEMREMAP_H_ */ --- a/include/linux/mm.h +++ b/include/linux/mm.h -@@ -2250,7 +2250,14 @@ pud_t *vmemmap_pud_populate(pgd_t *pgd, +@@ -2236,7 +2236,14 @@ pud_t *vmemmap_pud_populate(pgd_t *pgd, pmd_t *vmemmap_pmd_populate(pud_t *pud, unsigned long addr, int node); pte_t *vmemmap_pte_populate(pmd_t *pmd, unsigned long addr, int node); void *vmemmap_alloc_block(unsigned long size, int node); @@ -297,9 +297,9 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> struct page_map *page_map; int error, nid; -@@ -224,14 +240,27 @@ void *devm_memremap_pages(struct device - if (is_ram == REGION_INTERSECTS) - return __va(res->start); +@@ -221,14 +237,27 @@ void *devm_memremap_pages(struct device + return ERR_PTR(-ENXIO); + } + if (altmap && !IS_ENABLED(CONFIG_SPARSEMEM_VMEMMAP)) { + dev_err(dev, "%s: altmap requires CONFIG_SPARSEMEM_VMEMMAP=y\n", @@ -326,7 +326,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> mutex_lock(&pgmap_lock); error = 0; for (key = res->start; key <= res->end; key += SECTION_SIZE) { -@@ -283,4 +312,43 @@ void *devm_memremap_pages(struct device +@@ -276,4 +305,43 @@ void *devm_memremap_pages(struct device return ERR_PTR(error); } EXPORT_SYMBOL(devm_memremap_pages); @@ -380,7 +380,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> #include <linux/memory_hotplug.h> #include <linux/highmem.h> #include <linux/vmalloc.h> -@@ -321,13 +322,27 @@ int __ref __add_pages(int nid, unsigned +@@ -506,6 +507,7 @@ int __ref __add_pages(int nid, struct zo unsigned long i; int err = 0; int start_sec, end_sec; @@ -388,7 +388,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> clear_zone_contiguous(zone); - /* during initialize mem_map, align hot-added range to section */ +@@ -513,6 +515,19 @@ int __ref __add_pages(int nid, struct zo start_sec = pfn_to_section_nr(phys_start_pfn); end_sec = pfn_to_section_nr(phys_start_pfn + nr_pages - 1); @@ -408,7 +408,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> for (i = start_sec; i <= end_sec; i++) { err = __add_section(nid, zone, section_nr_to_pfn(i)); -@@ -548,7 +563,8 @@ static void __remove_zone(struct zone *z +@@ -736,7 +751,8 @@ static void __remove_zone(struct zone *z pgdat_resize_unlock(zone->zone_pgdat, &flags); } @@ -418,7 +418,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> { unsigned long start_pfn; int scn_nr; -@@ -565,7 +581,7 @@ static int __remove_section(struct zone +@@ -753,7 +769,7 @@ static int __remove_section(struct zone start_pfn = section_nr_to_pfn(scn_nr); __remove_zone(zone, start_pfn); @@ -427,7 +427,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> return 0; } -@@ -584,9 +600,32 @@ int __remove_pages(struct zone *zone, un +@@ -772,9 +788,32 @@ int __remove_pages(struct zone *zone, un unsigned long nr_pages) { unsigned long i; @@ -463,7 +463,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> clear_zone_contiguous(zone); -@@ -596,23 +635,11 @@ int __remove_pages(struct zone *zone, un +@@ -784,23 +823,11 @@ int __remove_pages(struct zone *zone, un BUG_ON(phys_start_pfn & ~PAGE_SECTION_MASK); BUG_ON(nr_pages % PAGES_PER_SECTION); @@ -499,7 +499,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> #include <linux/stop_machine.h> #include <linux/sort.h> #include <linux/pfn.h> -@@ -4914,8 +4915,9 @@ void __ref build_all_zonelists(pg_data_t +@@ -4912,8 +4913,9 @@ static inline unsigned long wait_table_b void __meminit memmap_init_zone(unsigned long size, int nid, unsigned long zone, unsigned long start_pfn, enum memmap_context context) { @@ -510,7 +510,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> unsigned long pfn; struct zone *z; unsigned long nr_initialised = 0; -@@ -4926,6 +4928,13 @@ void __meminit memmap_init_zone(unsigned +@@ -4921,6 +4923,13 @@ void __meminit memmap_init_zone(unsigned if (highest_memmap_pfn < end_pfn - 1) highest_memmap_pfn = end_pfn - 1; @@ -534,7 +534,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> #include <linux/highmem.h> #include <linux/slab.h> #include <linux/spinlock.h> -@@ -74,7 +75,7 @@ void * __meminit vmemmap_alloc_block(uns +@@ -70,7 +71,7 @@ void * __meminit vmemmap_alloc_block(uns } /* need to make sure size is all the same during early stage */ @@ -543,7 +543,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> { void *ptr; -@@ -91,6 +92,77 @@ void * __meminit vmemmap_alloc_block_buf +@@ -87,6 +88,77 @@ void * __meminit vmemmap_alloc_block_buf return ptr; } @@ -621,7 +621,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> void __meminit vmemmap_verify(pte_t *pte, int node, unsigned long start, unsigned long end) { -@@ -107,7 +179,7 @@ pte_t * __meminit vmemmap_pte_populate(p +@@ -103,7 +175,7 @@ pte_t * __meminit vmemmap_pte_populate(p pte_t *pte = pte_offset_kernel(pmd, addr); if (pte_none(*pte)) { pte_t entry; @@ -632,7 +632,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> entry = pfn_pte(__pa(p) >> PAGE_SHIFT, PAGE_KERNEL); --- a/mm/sparse.c +++ b/mm/sparse.c -@@ -747,7 +747,7 @@ static void clear_hwpoisoned_pages(struc +@@ -748,7 +748,7 @@ static void clear_hwpoisoned_pages(struc if (!memmap) return; @@ -641,7 +641,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> if (PageHWPoison(&memmap[i])) { atomic_long_sub(1, &num_poisoned_pages); ClearPageHWPoison(&memmap[i]); -@@ -787,7 +787,8 @@ static void free_section_usemap(struct p +@@ -788,7 +788,8 @@ static void free_section_usemap(struct p free_map_bootmem(memmap); } @@ -651,7 +651,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> { struct page *memmap = NULL; unsigned long *usemap = NULL, flags; -@@ -803,7 +804,8 @@ void sparse_remove_one_section(struct zo +@@ -804,7 +805,8 @@ void sparse_remove_one_section(struct zo } pgdat_resize_unlock(pgdat, &flags); diff --git a/patches.drivers/0085-Replace-asm-uaccess.h-with-linux-uaccess.h-globally.patch b/patches.drivers/0085-Replace-asm-uaccess.h-with-linux-uaccess.h-globally.patch index 632f2fb801..3260451327 100644 --- a/patches.drivers/0085-Replace-asm-uaccess.h-with-linux-uaccess.h-globally.patch +++ b/patches.drivers/0085-Replace-asm-uaccess.h-with-linux-uaccess.h-globally.patch @@ -889,12 +889,6 @@ Signed-off-by: Coly Li <colyli@suse.de> fs/dcache.c | 2 +- fs/dcookies.c | 2 +- fs/dlm/dlm_internal.h | 2 +- - fs/dmapi/dmapi_config.c | 2 +- - fs/dmapi/dmapi_event.c | 2 +- - fs/dmapi/dmapi_register.c | 2 +- - fs/dmapi/dmapi_right.c | 2 +- - fs/dmapi/dmapi_session.c | 2 +- - fs/dmapi/dmapi_sysent.c | 2 +- fs/efs/efs.h | 2 +- fs/eventpoll.c | 2 +- fs/exec.c | 2 +- @@ -1134,7 +1128,7 @@ Signed-off-by: Coly Li <colyli@suse.de> sound/oss/swarm_cs4297a.c | 2 +- sound/sound_firmware.c | 2 +- virt/kvm/kvm_main.c | 2 +- - 1115 files changed, 1115 insertions(+), 1115 deletions(-) + 1109 files changed, 1109 insertions(+), 1109 deletions(-) --- a/arch/alpha/boot/misc.c +++ b/arch/alpha/boot/misc.c @@ -1336,7 +1330,7 @@ Signed-off-by: Coly Li <colyli@suse.de> * Error-checking SWP macros implemented using ldrex{b}/strex{b} --- a/arch/arm/kvm/arm.c +++ b/arch/arm/kvm/arm.c -@@ -32,7 +32,7 @@ +@@ -33,7 +33,7 @@ #define CREATE_TRACE_POINTS #include "trace.h" @@ -1424,7 +1418,7 @@ Signed-off-by: Coly Li <colyli@suse.de> #include <mach/time.h> --- a/arch/arm64/kernel/armv8_deprecated.c +++ b/arch/arm64/kernel/armv8_deprecated.c -@@ -21,7 +21,7 @@ +@@ -19,7 +19,7 @@ #include <asm/sysreg.h> #include <asm/system_misc.h> #include <asm/traps.h> @@ -3393,7 +3387,7 @@ Signed-off-by: Coly Li <colyli@suse.de> #define MODULE_VERS "1.0" --- a/arch/powerpc/kernel/rtasd.c +++ b/arch/powerpc/kernel/rtasd.c -@@ -23,7 +23,7 @@ +@@ -22,7 +22,7 @@ #include <linux/workqueue.h> #include <linux/slab.h> @@ -3613,7 +3607,7 @@ Signed-off-by: Coly Li <colyli@suse.de> int len, __wsum sum, int *err_ptr) --- a/arch/powerpc/lib/code-patching.c +++ b/arch/powerpc/lib/code-patching.c -@@ -15,7 +15,7 @@ +@@ -13,7 +13,7 @@ #include <linux/mm.h> #include <asm/page.h> #include <asm/code-patching.h> @@ -6131,7 +6125,7 @@ Signed-off-by: Coly Li <colyli@suse.de> --- a/drivers/acpi/thermal.c +++ b/drivers/acpi/thermal.c -@@ -41,7 +41,7 @@ +@@ -40,7 +40,7 @@ #include <linux/thermal.h> #include <linux/acpi.h> #include <linux/workqueue.h> @@ -9739,7 +9733,7 @@ Signed-off-by: Coly Li <colyli@suse.de> #include <scsi/scsi_tcq.h> --- a/drivers/scsi/aacraid/aachba.c +++ b/drivers/scsi/aacraid/aachba.c -@@ -38,7 +38,7 @@ +@@ -32,7 +32,7 @@ #include <linux/slab.h> #include <linux/completion.h> #include <linux/blkdev.h> @@ -9750,7 +9744,7 @@ Signed-off-by: Coly Li <colyli@suse.de> --- a/drivers/scsi/aacraid/commctrl.c +++ b/drivers/scsi/aacraid/commctrl.c -@@ -42,7 +42,7 @@ +@@ -41,7 +41,7 @@ #include <linux/delay.h> /* ssleep prototype */ #include <linux/kthread.h> #include <linux/semaphore.h> @@ -10443,8 +10437,8 @@ Signed-off-by: Coly Li <colyli@suse.de> static struct proc_dir_entry *proc_afs; --- a/fs/aio.c +++ b/fs/aio.c -@@ -42,7 +42,7 @@ - #include <linux/mount.h> +@@ -43,7 +43,7 @@ + #include <linux/nospec.h> #include <asm/kmap_types.h> -#include <asm/uaccess.h> @@ -11773,7 +11767,7 @@ Signed-off-by: Coly Li <colyli@suse.de> --- a/kernel/printk/printk.c +++ b/kernel/printk/printk.c -@@ -50,7 +50,7 @@ +@@ -47,7 +47,7 @@ #include <linux/ctype.h> #include <linux/uio.h> @@ -11971,7 +11965,7 @@ Signed-off-by: Coly Li <colyli@suse.de> --- a/mm/memory.c +++ b/mm/memory.c -@@ -67,7 +67,7 @@ +@@ -68,7 +68,7 @@ #include <asm/io.h> #include <asm/mmu_context.h> #include <asm/pgalloc.h> @@ -12444,7 +12438,7 @@ Signed-off-by: Coly Li <colyli@suse.de> #include <net/protocol.h> --- a/net/core/utils.c +++ b/net/core/utils.c -@@ -35,7 +35,7 @@ +@@ -31,7 +31,7 @@ #include <net/net_ratelimit.h> #include <asm/byteorder.h> @@ -13280,7 +13274,7 @@ Signed-off-by: Coly Li <colyli@suse.de> static int do_mod_firmware_load(const char *fn, char **fp) --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c -@@ -53,7 +53,7 @@ +@@ -54,7 +54,7 @@ #include <asm/processor.h> #include <asm/io.h> #include <asm/ioctl.h> diff --git a/patches.drivers/genwqe-ensure-zero-initialization.patch b/patches.drivers/genwqe-ensure-zero-initialization.patch index 679bcbfbe5..350da36811 100644 --- a/patches.drivers/genwqe-ensure-zero-initialization.patch +++ b/patches.drivers/genwqe-ensure-zero-initialization.patch @@ -18,15 +18,13 @@ Signed-off-by: Frank Haverkamp <haver@linux.vnet.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Acked-by: Michal Suchanek <msuchanek@suse.de> --- - drivers/misc/genwqe/card_ddcb.c | 2 -- - drivers/misc/genwqe/card_utils.c | 4 ++-- + drivers/misc/genwqe/card_ddcb.c | 2 -- + drivers/misc/genwqe/card_utils.c | 4 ++-- 2 files changed, 2 insertions(+), 4 deletions(-) -diff --git a/drivers/misc/genwqe/card_ddcb.c b/drivers/misc/genwqe/card_ddcb.c -index 353ee0c..ddfeefe 100644 --- a/drivers/misc/genwqe/card_ddcb.c +++ b/drivers/misc/genwqe/card_ddcb.c -@@ -1048,8 +1048,6 @@ static int setup_ddcb_queue(struct genwqe_dev *cd, struct ddcb_queue *queue) +@@ -1048,8 +1048,6 @@ static int setup_ddcb_queue(struct genwq "[%s] **err: could not allocate DDCB **\n", __func__); return -ENOMEM; } @@ -35,12 +33,10 @@ index 353ee0c..ddfeefe 100644 queue->ddcb_req = kzalloc(sizeof(struct ddcb_requ *) * queue->ddcb_max, GFP_KERNEL); if (!queue->ddcb_req) { -diff --git a/drivers/misc/genwqe/card_utils.c b/drivers/misc/genwqe/card_utils.c -index 222367c..8a679ec 100644 --- a/drivers/misc/genwqe/card_utils.c +++ b/drivers/misc/genwqe/card_utils.c -@@ -220,8 +220,8 @@ void *__genwqe_alloc_consistent(struct genwqe_dev *cd, size_t size, - if (get_order(size) > MAX_ORDER) +@@ -220,8 +220,8 @@ void *__genwqe_alloc_consistent(struct g + if (get_order(size) >= MAX_ORDER) return NULL; - return dma_alloc_coherent(&cd->pci_dev->dev, size, dma_handle, @@ -50,6 +46,3 @@ index 222367c..8a679ec 100644 } void __genwqe_free_consistent(struct genwqe_dev *cd, size_t size, --- -2.10.2 - diff --git a/patches.drivers/mm-dax-pmem-introduce-get_put-dev_pagemap-for-dax-gup.patch b/patches.drivers/mm-dax-pmem-introduce-get_put-dev_pagemap-for-dax-gup.patch index 3be6e02df6..e3405e30f8 100644 --- a/patches.drivers/mm-dax-pmem-introduce-get_put-dev_pagemap-for-dax-gup.patch +++ b/patches.drivers/mm-dax-pmem-introduce-get_put-dev_pagemap-for-dax-gup.patch @@ -35,19 +35,17 @@ Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Acked-by: Jeff Mahoney <jeffm@suse.com> --- - drivers/nvdimm/pmem.c | 6 ++++-- - include/linux/list.h | 11 ++++++++++ - include/linux/memremap.h | 49 ++++++++++++++++++++++++++++++++++++++++++-- - include/linux/mm_types.h | 5 +++++ - kernel/memremap.c | 53 ++++++++++++++++++++++++++++++++++++++++++++---- - lib/list_debug.c | 9 ++++++++ + drivers/nvdimm/pmem.c | 6 +++-- + include/linux/list.h | 11 +++++++++ + include/linux/memremap.h | 49 +++++++++++++++++++++++++++++++++++++++++-- + include/linux/mm_types.h | 5 ++++ + kernel/memremap.c | 53 +++++++++++++++++++++++++++++++++++++++++++---- + lib/list_debug.c | 9 +++++++ 6 files changed, 125 insertions(+), 8 deletions(-) -diff --git a/drivers/nvdimm/pmem.c b/drivers/nvdimm/pmem.c -index 328173d..7edf316 100644 --- a/drivers/nvdimm/pmem.c +++ b/drivers/nvdimm/pmem.c -@@ -184,7 +184,7 @@ static struct pmem_device *pmem_alloc(struct device *dev, +@@ -184,7 +184,7 @@ static struct pmem_device *pmem_alloc(st pmem->pfn_flags = PFN_DEV; if (pmem_should_map_pages(dev)) { pmem->virt_addr = (void __pmem *) devm_memremap_pages(dev, res, @@ -56,7 +54,7 @@ index 328173d..7edf316 100644 pmem->pfn_flags |= PFN_MAP; } else pmem->virt_addr = (void __pmem *) devm_memremap(dev, -@@ -365,6 +365,7 @@ static int nvdimm_namespace_attach_pfn(struct nd_namespace_common *ndns) +@@ -365,6 +365,7 @@ static int nvdimm_namespace_attach_pfn(s struct vmem_altmap *altmap; struct nd_pfn_sb *pfn_sb; struct pmem_device *pmem; @@ -64,7 +62,7 @@ index 328173d..7edf316 100644 phys_addr_t offset; int rc; struct vmem_altmap __altmap = { -@@ -406,9 +407,10 @@ static int nvdimm_namespace_attach_pfn(struct nd_namespace_common *ndns) +@@ -406,9 +407,10 @@ static int nvdimm_namespace_attach_pfn(s /* establish pfn range for lookup, and switch to direct map */ pmem = dev_get_drvdata(dev); @@ -76,11 +74,9 @@ index 328173d..7edf316 100644 pmem->pfn_flags |= PFN_MAP; if (IS_ERR(pmem->virt_addr)) { rc = PTR_ERR(pmem->virt_addr); -diff --git a/include/linux/list.h b/include/linux/list.h -index 5356f4d..30cf420 100644 --- a/include/linux/list.h +++ b/include/linux/list.h -@@ -113,6 +113,17 @@ extern void __list_del_entry(struct list_head *entry); +@@ -113,6 +113,17 @@ extern void __list_del_entry(struct list extern void list_del(struct list_head *entry); #endif @@ -98,8 +94,6 @@ index 5356f4d..30cf420 100644 /** * list_replace - replace old entry by new one * @old : the element to be replaced -diff --git a/include/linux/memremap.h b/include/linux/memremap.h -index aa3e82a..bcaa634 100644 --- a/include/linux/memremap.h +++ b/include/linux/memremap.h @@ -1,6 +1,8 @@ @@ -111,7 +105,7 @@ index aa3e82a..bcaa634 100644 struct resource; struct device; -@@ -36,21 +38,25 @@ static inline struct vmem_altmap *to_vmem_altmap(unsigned long memmap_start) +@@ -36,21 +38,25 @@ static inline struct vmem_altmap *to_vme /** * struct dev_pagemap - metadata for ZONE_DEVICE mappings * @altmap: pre-allocated/reserved memory for vmemmap allocations @@ -139,7 +133,7 @@ index aa3e82a..bcaa634 100644 { /* * Fail attempts to call devm_memremap_pages() without -@@ -66,4 +72,43 @@ static inline struct dev_pagemap *find_dev_pagemap(resource_size_t phys) +@@ -66,4 +72,43 @@ static inline struct dev_pagemap *find_d return NULL; } #endif @@ -183,11 +177,9 @@ index aa3e82a..bcaa634 100644 + percpu_ref_put(pgmap->ref); +} #endif /* _LINUX_MEMREMAP_H_ */ -diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h -index 2dd9c31..d3ebb9d 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h -@@ -116,6 +116,11 @@ struct page { +@@ -124,6 +124,11 @@ struct page { * Can be used as a generic list * by the page owner. */ @@ -199,11 +191,9 @@ index 2dd9c31..d3ebb9d 100644 struct { /* slub per cpu partial pages */ struct page *next; /* Next partial slab */ #ifdef CONFIG_64BIT -diff --git a/kernel/memremap.c b/kernel/memremap.c -index 562f647..3eb8944 100644 --- a/kernel/memremap.c +++ b/kernel/memremap.c -@@ -179,6 +179,29 @@ static void pgmap_radix_release(struct resource *res) +@@ -181,6 +181,29 @@ static void pgmap_radix_release(struct r mutex_unlock(&pgmap_lock); } @@ -233,7 +223,7 @@ index 562f647..3eb8944 100644 static void devm_memremap_pages_release(struct device *dev, void *data) { struct page_map *page_map = data; -@@ -186,6 +209,11 @@ static void devm_memremap_pages_release(struct device *dev, void *data) +@@ -188,6 +211,11 @@ static void devm_memremap_pages_release( resource_size_t align_start, align_size; struct dev_pagemap *pgmap = &page_map->pgmap; @@ -245,7 +235,7 @@ index 562f647..3eb8944 100644 pgmap_radix_release(res); /* pages are dead and unused, undo the arch mapping */ -@@ -211,20 +239,26 @@ struct dev_pagemap *find_dev_pagemap(resource_size_t phys) +@@ -215,20 +243,26 @@ struct dev_pagemap *find_dev_pagemap(res * devm_memremap_pages - remap and provide memmap backing for the given resource * @dev: hosting device for @res * @res: "host memory" address range @@ -275,8 +265,8 @@ index 562f647..3eb8944 100644 + unsigned long pfn; int error, nid; - if (is_ram == REGION_MIXED) { -@@ -242,6 +276,9 @@ void *devm_memremap_pages(struct device *dev, struct resource *res, + if (is_ram != REGION_DISJOINT) { +@@ -243,6 +277,9 @@ void *devm_memremap_pages(struct device return ERR_PTR(-ENXIO); } @@ -286,7 +276,7 @@ index 562f647..3eb8944 100644 page_map = devres_alloc_node(devm_memremap_pages_release, sizeof(*page_map), GFP_KERNEL, dev_to_node(dev)); if (!page_map) -@@ -255,6 +292,7 @@ void *devm_memremap_pages(struct device *dev, struct resource *res, +@@ -256,6 +293,7 @@ void *devm_memremap_pages(struct device memcpy(&page_map->altmap, altmap, sizeof(*altmap)); pgmap->altmap = &page_map->altmap; } @@ -294,7 +284,7 @@ index 562f647..3eb8944 100644 pgmap->res = &page_map->res; mutex_lock(&pgmap_lock); -@@ -292,6 +330,13 @@ void *devm_memremap_pages(struct device *dev, struct resource *res, +@@ -295,6 +333,13 @@ void *devm_memremap_pages(struct device if (error) goto err_add_memory; @@ -308,8 +298,6 @@ index 562f647..3eb8944 100644 devres_add(dev, page_map); return __va(res->start); -diff --git a/lib/list_debug.c b/lib/list_debug.c -index 3859bf6..3345a08 100644 --- a/lib/list_debug.c +++ b/lib/list_debug.c @@ -12,6 +12,13 @@ @@ -335,5 +323,3 @@ index 3859bf6..3345a08 100644 WARN(next->prev != prev, "list_add corruption. next->prev should be " "prev (%p), but was %p. (next=%p).\n", - - diff --git a/patches.fixes/0003-memremap-add-scheduling-point-to-devm_memremap_pages.patch b/patches.fixes/0003-memremap-add-scheduling-point-to-devm_memremap_pages.patch index 02b15ab04a..2dec33b881 100644 --- a/patches.fixes/0003-memremap-add-scheduling-point-to-devm_memremap_pages.patch +++ b/patches.fixes/0003-memremap-add-scheduling-point-to-devm_memremap_pages.patch @@ -45,16 +45,16 @@ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> --- a/kernel/memremap.c +++ b/kernel/memremap.c -@@ -275,7 +275,7 @@ void *devm_memremap_pages(struct device +@@ -290,7 +290,7 @@ void *devm_memremap_pages(struct device struct dev_pagemap *pgmap; struct page_map *page_map; unsigned long pfn; - int error, nid; + int error, nid, i = 0; - if (is_ram == REGION_MIXED) { - WARN_ONCE(1, "%s attempted on mixed region %pr\n", -@@ -358,6 +358,8 @@ void *devm_memremap_pages(struct device + if (is_ram != REGION_DISJOINT) { + WARN_ONCE(1, "%s attempted on %s region %pr\n", __func__, +@@ -376,6 +376,8 @@ void *devm_memremap_pages(struct device /* ZONE_DEVICE pages must never appear on a slab lru */ list_force_poison(&page->lru); page->pgmap = pgmap; diff --git a/patches.fixes/vfs-Avoid-softlockups-in-drop_pagecache_sb.patch b/patches.fixes/vfs-Avoid-softlockups-in-drop_pagecache_sb.patch new file mode 100644 index 0000000000..2d5366d23d --- /dev/null +++ b/patches.fixes/vfs-Avoid-softlockups-in-drop_pagecache_sb.patch @@ -0,0 +1,53 @@ +From 9a6b7c0ff64945366c05338873e2456b990948e9 Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Thu, 6 Dec 2018 17:06:08 +0100 +Subject: [PATCH] vfs: Avoid softlockups in drop_pagecache_sb() +Patch-mainline: Submitted, Jan 14 2019 +References: bsc#1118505 + +When superblock has lots of inodes without any pagecache (like is the +case for /proc), drop_pagecache_sb() will iterate through all of them +without dropping sb->s_inode_list_lock which can lead to softlockups +(one of our customers hit this). + +Fix the problem by going to the slow path and doing cond_resched() in +case the process needs rescheduling. + +Acked-by: Michal Hocko <mhocko@suse.com> +Signed-off-by: Jan Kara <jack@suse.cz> +Acked-by: Jan Kara <jack@suse.cz> + +--- + fs/drop_caches.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/drop_caches.c b/fs/drop_caches.c +index 82377017130f..d31b6c72b476 100644 +--- a/fs/drop_caches.c ++++ b/fs/drop_caches.c +@@ -21,8 +21,13 @@ static void drop_pagecache_sb(struct super_block *sb, void *unused) + spin_lock(&sb->s_inode_list_lock); + list_for_each_entry(inode, &sb->s_inodes, i_sb_list) { + spin_lock(&inode->i_lock); ++ /* ++ * We must skip inodes in unusual state. We may also skip ++ * inodes without pages but we deliberately won't in case ++ * we need to reschedule to avoid softlockups. ++ */ + if ((inode->i_state & (I_FREEING|I_WILL_FREE|I_NEW)) || +- (inode->i_mapping->nrpages == 0)) { ++ (inode->i_mapping->nrpages == 0 && !need_resched())) { + spin_unlock(&inode->i_lock); + continue; + } +@@ -30,6 +35,7 @@ static void drop_pagecache_sb(struct super_block *sb, void *unused) + spin_unlock(&inode->i_lock); + spin_unlock(&sb->s_inode_list_lock); + ++ cond_resched(); + invalidate_mapping_pages(inode->i_mapping, 0, -1); + iput(toput_inode); + toput_inode = inode; +-- +2.16.4 + diff --git a/patches.kernel.org/4.4.169-001-lib-interval_tree_test.c-make-test-options-mo.patch b/patches.kernel.org/4.4.169-001-lib-interval_tree_test.c-make-test-options-mo.patch new file mode 100644 index 0000000000..d4d80c2629 --- /dev/null +++ b/patches.kernel.org/4.4.169-001-lib-interval_tree_test.c-make-test-options-mo.patch @@ -0,0 +1,148 @@ +From: Davidlohr Bueso <dave@stgolabs.net> +Date: Mon, 10 Jul 2017 15:51:46 -0700 +Subject: [PATCH] lib/interval_tree_test.c: make test options module parameters +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: a54dae0338b7f01eb0f9c7571fb9b74f791d1c6b + +[ Upstream commit a54dae0338b7f01eb0f9c7571fb9b74f791d1c6b ] + +Allows for more flexible debugging. + +Link: http://lkml.kernel.org/r/20170518174936.20265-3-dave@stgolabs.net +Signed-off-by: Davidlohr Bueso <dbueso@suse.de> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + lib/interval_tree_test.c | 57 ++++++++++++++++++++++++++++------------ + 1 file changed, 40 insertions(+), 17 deletions(-) + +diff --git a/lib/interval_tree_test.c b/lib/interval_tree_test.c +index 245900b98c8e..1093f0496d5e 100644 +--- a/lib/interval_tree_test.c ++++ b/lib/interval_tree_test.c +@@ -1,16 +1,25 @@ + #include <linux/module.h> ++#include <linux/moduleparam.h> + #include <linux/interval_tree.h> + #include <linux/random.h> ++#include <linux/slab.h> + #include <asm/timex.h> + +-#define NODES 100 +-#define PERF_LOOPS 100000 +-#define SEARCHES 100 +-#define SEARCH_LOOPS 10000 ++#define __param(type, name, init, msg) \ ++ static type name = init; \ ++ module_param(name, type, 0444); \ ++ MODULE_PARM_DESC(name, msg); ++ ++__param(int, nnodes, 100, "Number of nodes in the interval tree"); ++__param(int, perf_loops, 100000, "Number of iterations modifying the tree"); ++ ++__param(int, nsearches, 100, "Number of searches to the interval tree"); ++__param(int, search_loops, 10000, "Number of iterations searching the tree"); ++ + + static struct rb_root root = RB_ROOT; +-static struct interval_tree_node nodes[NODES]; +-static u32 queries[SEARCHES]; ++static struct interval_tree_node *nodes = NULL; ++static u32 *queries = NULL; + + static struct rnd_state rnd; + +@@ -29,7 +38,8 @@ search(unsigned long query, struct rb_root *root) + static void init(void) + { + int i; +- for (i = 0; i < NODES; i++) { ++ ++ for (i = 0; i < nnodes; i++) { + u32 a = prandom_u32_state(&rnd); + u32 b = prandom_u32_state(&rnd); + if (a <= b) { +@@ -40,7 +50,7 @@ static void init(void) + nodes[i].last = a; + } + } +- for (i = 0; i < SEARCHES; i++) ++ for (i = 0; i < nsearches; i++) + queries[i] = prandom_u32_state(&rnd); + } + +@@ -50,6 +60,16 @@ static int interval_tree_test_init(void) + unsigned long results; + cycles_t time1, time2, time; + ++ nodes = kmalloc(nnodes * sizeof(struct interval_tree_node), GFP_KERNEL); ++ if (!nodes) ++ return -ENOMEM; ++ ++ queries = kmalloc(nsearches * sizeof(int), GFP_KERNEL); ++ if (!queries) { ++ kfree(nodes); ++ return -ENOMEM; ++ } ++ + printk(KERN_ALERT "interval tree insert/remove"); + + prandom_seed_state(&rnd, 3141592653589793238ULL); +@@ -57,39 +77,42 @@ static int interval_tree_test_init(void) + + time1 = get_cycles(); + +- for (i = 0; i < PERF_LOOPS; i++) { +- for (j = 0; j < NODES; j++) ++ for (i = 0; i < perf_loops; i++) { ++ for (j = 0; j < nnodes; j++) + interval_tree_insert(nodes + j, &root); +- for (j = 0; j < NODES; j++) ++ for (j = 0; j < nnodes; j++) + interval_tree_remove(nodes + j, &root); + } + + time2 = get_cycles(); + time = time2 - time1; + +- time = div_u64(time, PERF_LOOPS); ++ time = div_u64(time, perf_loops); + printk(" -> %llu cycles\n", (unsigned long long)time); + + printk(KERN_ALERT "interval tree search"); + +- for (j = 0; j < NODES; j++) ++ for (j = 0; j < nnodes; j++) + interval_tree_insert(nodes + j, &root); + + time1 = get_cycles(); + + results = 0; +- for (i = 0; i < SEARCH_LOOPS; i++) +- for (j = 0; j < SEARCHES; j++) ++ for (i = 0; i < search_loops; i++) ++ for (j = 0; j < nsearches; j++) + results += search(queries[j], &root); + + time2 = get_cycles(); + time = time2 - time1; + +- time = div_u64(time, SEARCH_LOOPS); +- results = div_u64(results, SEARCH_LOOPS); ++ time = div_u64(time, search_loops); ++ results = div_u64(results, search_loops); + printk(" -> %llu cycles (%lu results)\n", + (unsigned long long)time, results); + ++ kfree(queries); ++ kfree(nodes); ++ + return -EAGAIN; /* Fail will directly unload the module */ + } + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-002-lib-interval_tree_test.c-allow-full-tree-sear.patch b/patches.kernel.org/4.4.169-002-lib-interval_tree_test.c-allow-full-tree-sear.patch new file mode 100644 index 0000000000..40fd19957b --- /dev/null +++ b/patches.kernel.org/4.4.169-002-lib-interval_tree_test.c-allow-full-tree-sear.patch @@ -0,0 +1,70 @@ +From: Davidlohr Bueso <dave@stgolabs.net> +Date: Mon, 10 Jul 2017 15:51:52 -0700 +Subject: [PATCH] lib/interval_tree_test.c: allow full tree search +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: c46ecce431ebe6b1a9551d1f530eb432dae5c39b + +[ Upstream commit c46ecce431ebe6b1a9551d1f530eb432dae5c39b ] + +... such that a user can specify visiting all the nodes in the tree +(intersects with the world). This is a nice opposite from the very +basic default query which is a single point. + +Link: http://lkml.kernel.org/r/20170518174936.20265-5-dave@stgolabs.net +Signed-off-by: Davidlohr Bueso <dbueso@suse.de> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + lib/interval_tree_test.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/lib/interval_tree_test.c b/lib/interval_tree_test.c +index 1093f0496d5e..409383463879 100644 +--- a/lib/interval_tree_test.c ++++ b/lib/interval_tree_test.c +@@ -15,6 +15,7 @@ __param(int, perf_loops, 100000, "Number of iterations modifying the tree"); + + __param(int, nsearches, 100, "Number of searches to the interval tree"); + __param(int, search_loops, 10000, "Number of iterations searching the tree"); ++__param(bool, search_all, false, "Searches will iterate all nodes in the tree"); + + + static struct rb_root root = RB_ROOT; +@@ -24,13 +25,13 @@ static u32 *queries = NULL; + static struct rnd_state rnd; + + static inline unsigned long +-search(unsigned long query, struct rb_root *root) ++search(struct rb_root *root, unsigned long start, unsigned long last) + { + struct interval_tree_node *node; + unsigned long results = 0; + +- for (node = interval_tree_iter_first(root, query, query); node; +- node = interval_tree_iter_next(node, query, query)) ++ for (node = interval_tree_iter_first(root, start, last); node; ++ node = interval_tree_iter_next(node, start, last)) + results++; + return results; + } +@@ -99,8 +100,12 @@ static int interval_tree_test_init(void) + + results = 0; + for (i = 0; i < search_loops; i++) +- for (j = 0; j < nsearches; j++) +- results += search(queries[j], &root); ++ for (j = 0; j < nsearches; j++) { ++ unsigned long start = search_all ? 0 : queries[j]; ++ unsigned long last = search_all ? max_endpoint : queries[j]; ++ ++ results += search(&root, start, last); ++ } + + time2 = get_cycles(); + time = time2 - time1; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-003-lib-rbtree_test.c-make-input-module-parameter.patch b/patches.kernel.org/4.4.169-003-lib-rbtree_test.c-make-input-module-parameter.patch new file mode 100644 index 0000000000..d4cf285780 --- /dev/null +++ b/patches.kernel.org/4.4.169-003-lib-rbtree_test.c-make-input-module-parameter.patch @@ -0,0 +1,158 @@ +From: Davidlohr Bueso <dave@stgolabs.net> +Date: Fri, 8 Sep 2017 16:14:46 -0700 +Subject: [PATCH] lib/rbtree_test.c: make input module parameters +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 223f8911eace60c787f8767c25148b80ece9732a + +[ Upstream commit 223f8911eace60c787f8767c25148b80ece9732a ] + +Allows for more flexible debugging. + +Link: http://lkml.kernel.org/r/20170719014603.19029-5-dave@stgolabs.net +Signed-off-by: Davidlohr Bueso <dbueso@suse.de> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + lib/rbtree_test.c | 55 +++++++++++++++++++++++++++++------------------ + 1 file changed, 34 insertions(+), 21 deletions(-) + +diff --git a/lib/rbtree_test.c b/lib/rbtree_test.c +index 8b3c9dc88262..e83331aa1b7f 100644 +--- a/lib/rbtree_test.c ++++ b/lib/rbtree_test.c +@@ -1,11 +1,18 @@ + #include <linux/module.h> ++#include <linux/moduleparam.h> + #include <linux/rbtree_augmented.h> + #include <linux/random.h> ++#include <linux/slab.h> + #include <asm/timex.h> + +-#define NODES 100 +-#define PERF_LOOPS 100000 +-#define CHECK_LOOPS 100 ++#define __param(type, name, init, msg) \ ++ static type name = init; \ ++ module_param(name, type, 0444); \ ++ MODULE_PARM_DESC(name, msg); ++ ++__param(int, nnodes, 100, "Number of nodes in the rb-tree"); ++__param(int, perf_loops, 100000, "Number of iterations modifying the rb-tree"); ++__param(int, check_loops, 100, "Number of iterations modifying and verifying the rb-tree"); + + struct test_node { + u32 key; +@@ -17,7 +24,7 @@ struct test_node { + }; + + static struct rb_root root = RB_ROOT; +-static struct test_node nodes[NODES]; ++static struct test_node *nodes = NULL; + + static struct rnd_state rnd; + +@@ -95,7 +102,7 @@ static void erase_augmented(struct test_node *node, struct rb_root *root) + static void init(void) + { + int i; +- for (i = 0; i < NODES; i++) { ++ for (i = 0; i < nnodes; i++) { + nodes[i].key = prandom_u32_state(&rnd); + nodes[i].val = prandom_u32_state(&rnd); + } +@@ -177,6 +184,10 @@ static int __init rbtree_test_init(void) + int i, j; + cycles_t time1, time2, time; + ++ nodes = kmalloc(nnodes * sizeof(*nodes), GFP_KERNEL); ++ if (!nodes) ++ return -ENOMEM; ++ + printk(KERN_ALERT "rbtree testing"); + + prandom_seed_state(&rnd, 3141592653589793238ULL); +@@ -184,27 +195,27 @@ static int __init rbtree_test_init(void) + + time1 = get_cycles(); + +- for (i = 0; i < PERF_LOOPS; i++) { +- for (j = 0; j < NODES; j++) ++ for (i = 0; i < perf_loops; i++) { ++ for (j = 0; j < nnodes; j++) + insert(nodes + j, &root); +- for (j = 0; j < NODES; j++) ++ for (j = 0; j < nnodes; j++) + erase(nodes + j, &root); + } + + time2 = get_cycles(); + time = time2 - time1; + +- time = div_u64(time, PERF_LOOPS); ++ time = div_u64(time, perf_loops); + printk(" -> %llu cycles\n", (unsigned long long)time); + +- for (i = 0; i < CHECK_LOOPS; i++) { ++ for (i = 0; i < check_loops; i++) { + init(); +- for (j = 0; j < NODES; j++) { ++ for (j = 0; j < nnodes; j++) { + check(j); + insert(nodes + j, &root); + } +- for (j = 0; j < NODES; j++) { +- check(NODES - j); ++ for (j = 0; j < nnodes; j++) { ++ check(nnodes - j); + erase(nodes + j, &root); + } + check(0); +@@ -216,32 +227,34 @@ static int __init rbtree_test_init(void) + + time1 = get_cycles(); + +- for (i = 0; i < PERF_LOOPS; i++) { +- for (j = 0; j < NODES; j++) ++ for (i = 0; i < perf_loops; i++) { ++ for (j = 0; j < nnodes; j++) + insert_augmented(nodes + j, &root); +- for (j = 0; j < NODES; j++) ++ for (j = 0; j < nnodes; j++) + erase_augmented(nodes + j, &root); + } + + time2 = get_cycles(); + time = time2 - time1; + +- time = div_u64(time, PERF_LOOPS); ++ time = div_u64(time, perf_loops); + printk(" -> %llu cycles\n", (unsigned long long)time); + +- for (i = 0; i < CHECK_LOOPS; i++) { ++ for (i = 0; i < check_loops; i++) { + init(); +- for (j = 0; j < NODES; j++) { ++ for (j = 0; j < nnodes; j++) { + check_augmented(j); + insert_augmented(nodes + j, &root); + } +- for (j = 0; j < NODES; j++) { +- check_augmented(NODES - j); ++ for (j = 0; j < nnodes; j++) { ++ check_augmented(nnodes - j); + erase_augmented(nodes + j, &root); + } + check_augmented(0); + } + ++ kfree(nodes); ++ + return -EAGAIN; /* Fail will directly unload the module */ + } + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-004-lib-rbtree-test-lower-default-params.patch b/patches.kernel.org/4.4.169-004-lib-rbtree-test-lower-default-params.patch new file mode 100644 index 0000000000..d5b2bef244 --- /dev/null +++ b/patches.kernel.org/4.4.169-004-lib-rbtree-test-lower-default-params.patch @@ -0,0 +1,61 @@ +From: Davidlohr Bueso <dave@stgolabs.net> +Date: Fri, 17 Nov 2017 15:28:27 -0800 +Subject: [PATCH] lib/rbtree-test: lower default params +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 0b548e33e6cb2bff240fdaf1783783be15c29080 + +[ Upstream commit 0b548e33e6cb2bff240fdaf1783783be15c29080 ] + +Fengguang reported soft lockups while running the rbtree and interval +tree test modules. The logic for these tests all occur in init phase, +and we currently are pounding with the default values for number of +nodes and number of iterations of each test. Reduce the latter by two +orders of magnitude. This does not influence the value of the tests in +that one thousand times by default is enough to get the picture. + +Link: http://lkml.kernel.org/r/20171109161715.xai2dtwqw2frhkcm@linux-n805 +Signed-off-by: Davidlohr Bueso <dbueso@suse.de> +Reported-by: Fengguang Wu <fengguang.wu@intel.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + lib/interval_tree_test.c | 4 ++-- + lib/rbtree_test.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/lib/interval_tree_test.c b/lib/interval_tree_test.c +index 409383463879..bababcf7ffdd 100644 +--- a/lib/interval_tree_test.c ++++ b/lib/interval_tree_test.c +@@ -11,10 +11,10 @@ + MODULE_PARM_DESC(name, msg); + + __param(int, nnodes, 100, "Number of nodes in the interval tree"); +-__param(int, perf_loops, 100000, "Number of iterations modifying the tree"); ++__param(int, perf_loops, 1000, "Number of iterations modifying the tree"); + + __param(int, nsearches, 100, "Number of searches to the interval tree"); +-__param(int, search_loops, 10000, "Number of iterations searching the tree"); ++__param(int, search_loops, 1000, "Number of iterations searching the tree"); + __param(bool, search_all, false, "Searches will iterate all nodes in the tree"); + + +diff --git a/lib/rbtree_test.c b/lib/rbtree_test.c +index e83331aa1b7f..afedd3770562 100644 +--- a/lib/rbtree_test.c ++++ b/lib/rbtree_test.c +@@ -11,7 +11,7 @@ + MODULE_PARM_DESC(name, msg); + + __param(int, nnodes, 100, "Number of nodes in the rb-tree"); +-__param(int, perf_loops, 100000, "Number of iterations modifying the rb-tree"); ++__param(int, perf_loops, 1000, "Number of iterations modifying the rb-tree"); + __param(int, check_loops, 100, "Number of iterations modifying and verifying the rb-tree"); + + struct test_node { +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-005-lib-interval_tree_test.c-allow-users-to-limit.patch b/patches.kernel.org/4.4.169-005-lib-interval_tree_test.c-allow-users-to-limit.patch new file mode 100644 index 0000000000..bb6ed1dcb7 --- /dev/null +++ b/patches.kernel.org/4.4.169-005-lib-interval_tree_test.c-allow-users-to-limit.patch @@ -0,0 +1,69 @@ +From: Davidlohr Bueso <dave@stgolabs.net> +Date: Mon, 10 Jul 2017 15:51:49 -0700 +Subject: [PATCH] lib/interval_tree_test.c: allow users to limit scope of + endpoint +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: a8ec14d4f6aa8e245efacc992c8ee6ea0464ce2a + +[ Upstream commit a8ec14d4f6aa8e245efacc992c8ee6ea0464ce2a ] + +Add a 'max_endpoint' parameter such that users may easily limit the size +of the intervals that are randomly generated. + +Link: http://lkml.kernel.org/r/20170518174936.20265-4-dave@stgolabs.net +Signed-off-by: Davidlohr Bueso <dbueso@suse.de> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + lib/interval_tree_test.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +diff --git a/lib/interval_tree_test.c b/lib/interval_tree_test.c +index bababcf7ffdd..222c8010bda0 100644 +--- a/lib/interval_tree_test.c ++++ b/lib/interval_tree_test.c +@@ -17,6 +17,7 @@ __param(int, nsearches, 100, "Number of searches to the interval tree"); + __param(int, search_loops, 1000, "Number of iterations searching the tree"); + __param(bool, search_all, false, "Searches will iterate all nodes in the tree"); + ++__param(uint, max_endpoint, ~0, "Largest value for the interval's endpoint"); + + static struct rb_root root = RB_ROOT; + static struct interval_tree_node *nodes = NULL; +@@ -41,18 +42,20 @@ static void init(void) + int i; + + for (i = 0; i < nnodes; i++) { +- u32 a = prandom_u32_state(&rnd); +- u32 b = prandom_u32_state(&rnd); +- if (a <= b) { +- nodes[i].start = a; +- nodes[i].last = b; +- } else { +- nodes[i].start = b; +- nodes[i].last = a; +- } ++ u32 b = (prandom_u32_state(&rnd) >> 4) % max_endpoint; ++ u32 a = (prandom_u32_state(&rnd) >> 4) % b; ++ ++ nodes[i].start = a; ++ nodes[i].last = b; + } ++ ++ /* ++ * Limit the search scope to what the user defined. ++ * Otherwise we are merely measuring empty walks, ++ * which is pointless. ++ */ + for (i = 0; i < nsearches; i++) +- queries[i] = prandom_u32_state(&rnd); ++ queries[i] = (prandom_u32_state(&rnd) >> 4) % max_endpoint; + } + + static int interval_tree_test_init(void) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-006-timer-debug-Change-proc-timer_list-from-0444-.patch b/patches.kernel.org/4.4.169-006-timer-debug-Change-proc-timer_list-from-0444-.patch new file mode 100644 index 0000000000..23bd42e01d --- /dev/null +++ b/patches.kernel.org/4.4.169-006-timer-debug-Change-proc-timer_list-from-0444-.patch @@ -0,0 +1,39 @@ +From: Ingo Molnar <mingo@kernel.org> +Date: Mon, 13 Nov 2017 07:15:41 +0100 +Subject: [PATCH] timer/debug: Change /proc/timer_list from 0444 to 0400 +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 8e7df2b5b7f245c9bd11064712db5cb69044a362 + +[ Upstream commit 8e7df2b5b7f245c9bd11064712db5cb69044a362 ] + +While it uses %pK, there's still few reasons to read this file +as non-root. + +Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> +Acked-by: Thomas Gleixner <tglx@linutronix.de> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + kernel/time/timer_list.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/time/timer_list.c b/kernel/time/timer_list.c +index ef4f16e81283..1407ed20ea93 100644 +--- a/kernel/time/timer_list.c ++++ b/kernel/time/timer_list.c +@@ -399,7 +399,7 @@ static int __init init_timer_list_procfs(void) + { + struct proc_dir_entry *pe; + +- pe = proc_create("timer_list", 0444, NULL, &timer_list_fops); ++ pe = proc_create("timer_list", 0400, NULL, &timer_list_fops); + if (!pe) + return -ENOMEM; + return 0; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-007-powerpc-boot-Fix-random-libfdt-related-build-.patch b/patches.kernel.org/4.4.169-007-powerpc-boot-Fix-random-libfdt-related-build-.patch new file mode 100644 index 0000000000..44457c8e18 --- /dev/null +++ b/patches.kernel.org/4.4.169-007-powerpc-boot-Fix-random-libfdt-related-build-.patch @@ -0,0 +1,61 @@ +From: Guenter Roeck <linux@roeck-us.net> +Date: Sat, 15 Dec 2018 07:30:39 -0800 +Subject: [PATCH] powerpc/boot: Fix random libfdt related build errors +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 64c3f648c25d108f346fdc96c15180c6b7d250e9 + +[ Upstream commit 64c3f648c25d108f346fdc96c15180c6b7d250e9 ] + +Once in a while I see build errors similar to the following +when building images from a clean tree. + + Building powerpc:virtex-ml507:44x/virtex5_defconfig ... failed + ------------ + Error log: + arch/powerpc/boot/treeboot-akebono.c:37:20: fatal error: + libfdt.h: No such file or directory + + Building powerpc:bamboo:smpdev:44x/bamboo_defconfig ... failed + ------------ + Error log: + arch/powerpc/boot/treeboot-akebono.c:37:20: fatal error: + libfdt.h: No such file or directory + + arch/powerpc/boot/treeboot-currituck.c:35:20: fatal error: + libfdt.h: No such file or directory + +Rebuilds will succeed. + +Turns out that several source files in arch/powerpc/boot/ include +libfdt.h, but Makefile dependencies are incomplete. Let's fix that. + +Signed-off-by: Guenter Roeck <linux@roeck-us.net> +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +[groeck: Backport to v4.4.y] +Signed-off-by: Guenter Roeck <linux@roeck-us.net> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/powerpc/boot/Makefile | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/boot/Makefile b/arch/powerpc/boot/Makefile +index 99e4487248ff..57003d1bd243 100644 +--- a/arch/powerpc/boot/Makefile ++++ b/arch/powerpc/boot/Makefile +@@ -70,7 +70,8 @@ $(addprefix $(obj)/,$(zlib) cuboot-c2k.o gunzip_util.o main.o): \ + libfdt := fdt.c fdt_ro.c fdt_wip.c fdt_sw.c fdt_rw.c fdt_strerror.c + libfdtheader := fdt.h libfdt.h libfdt_internal.h + +-$(addprefix $(obj)/,$(libfdt) libfdt-wrapper.o simpleboot.o epapr.o): \ ++$(addprefix $(obj)/,$(libfdt) libfdt-wrapper.o simpleboot.o epapr.o \ ++ treeboot-akebono.o treeboot-currituck.o treeboot-iss4xx.o): \ + $(addprefix $(obj)/,$(libfdtheader)) + + src-wlib-y := string.S crt0.S crtsavres.S stdio.c main.c \ +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-008-pinctrl-sunxi-a83t-Fix-IRQ-offset-typo-for-PH.patch b/patches.kernel.org/4.4.169-008-pinctrl-sunxi-a83t-Fix-IRQ-offset-typo-for-PH.patch new file mode 100644 index 0000000000..c9ed658a8e --- /dev/null +++ b/patches.kernel.org/4.4.169-008-pinctrl-sunxi-a83t-Fix-IRQ-offset-typo-for-PH.patch @@ -0,0 +1,42 @@ +From: Chen-Yu Tsai <wens@csie.org> +Date: Tue, 4 Dec 2018 17:04:57 +0800 +Subject: [PATCH] pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11 +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 478b6767ad26ab86d9ecc341027dd09a87b1f997 + +commit 478b6767ad26ab86d9ecc341027dd09a87b1f997 upstream. + +Pin PH11 is used on various A83T board to detect a change in the OTG +port's ID pin, as in when an OTG host cable is plugged in. + +The incorrect offset meant the gpiochip/irqchip was activating the wrong +pin for interrupts. + +Fixes: 4730f33f0d82 ("pinctrl: sunxi: add allwinner A83T PIO controller support") +Cc: <stable@vger.kernel.org> +Signed-off-by: Chen-Yu Tsai <wens@csie.org> +Acked-by: Maxime Ripard <maxime.ripard@bootlin.com> +Signed-off-by: Linus Walleij <linus.walleij@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c b/drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c +index a7c81e988656..383977ea3a3c 100644 +--- a/drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c ++++ b/drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c +@@ -568,7 +568,7 @@ static const struct sunxi_desc_pin sun8i_a83t_pins[] = { + SUNXI_PIN(SUNXI_PINCTRL_PIN(H, 11), + SUNXI_FUNCTION(0x0, "gpio_in"), + SUNXI_FUNCTION(0x1, "gpio_out"), +- SUNXI_FUNCTION_IRQ_BANK(0x6, 2, 1)), /* PH_EINT11 */ ++ SUNXI_FUNCTION_IRQ_BANK(0x6, 2, 11)), /* PH_EINT11 */ + }; + + static const struct sunxi_pinctrl_desc sun8i_a83t_pinctrl_data = { +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-009-aio-fix-spectre-gadget-in-lookup_ioctx.patch b/patches.kernel.org/4.4.169-009-aio-fix-spectre-gadget-in-lookup_ioctx.patch new file mode 100644 index 0000000000..99b3dbc913 --- /dev/null +++ b/patches.kernel.org/4.4.169-009-aio-fix-spectre-gadget-in-lookup_ioctx.patch @@ -0,0 +1,47 @@ +From: Jeff Moyer <jmoyer@redhat.com> +Date: Tue, 11 Dec 2018 12:37:49 -0500 +Subject: [PATCH] aio: fix spectre gadget in lookup_ioctx +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: a538e3ff9dabcdf6c3f477a373c629213d1c3066 + +commit a538e3ff9dabcdf6c3f477a373c629213d1c3066 upstream. + +Matthew pointed out that the ioctx_table is susceptible to spectre v1, +because the index can be controlled by an attacker. The below patch +should mitigate the attack for all of the aio system calls. + +Cc: stable@vger.kernel.org +Reported-by: Matthew Wilcox <willy@infradead.org> +Reported-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Jeff Moyer <jmoyer@redhat.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/aio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/aio.c b/fs/aio.c +index c283eb03cb38..7187d03aa0bc 100644 +--- a/fs/aio.c ++++ b/fs/aio.c +@@ -40,6 +40,7 @@ + #include <linux/ramfs.h> + #include <linux/percpu-refcount.h> + #include <linux/mount.h> ++#include <linux/nospec.h> + + #include <asm/kmap_types.h> + #include <asm/uaccess.h> +@@ -1063,6 +1064,7 @@ static struct kioctx *lookup_ioctx(unsigned long ctx_id) + if (!table || id >= table->nr) + goto out; + ++ id = array_index_nospec(id, table->nr); + ctx = rcu_dereference(table->table[id]); + if (ctx && ctx->user_id == ctx_id) { + if (percpu_ref_tryget_live(&ctx->users)) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-010-MMC-OMAP-fix-broken-MMC-on-OMAP15XX-OMAP5910-.patch b/patches.kernel.org/4.4.169-010-MMC-OMAP-fix-broken-MMC-on-OMAP15XX-OMAP5910-.patch new file mode 100644 index 0000000000..d254c38220 --- /dev/null +++ b/patches.kernel.org/4.4.169-010-MMC-OMAP-fix-broken-MMC-on-OMAP15XX-OMAP5910-.patch @@ -0,0 +1,133 @@ +From: Aaro Koskinen <aaro.koskinen@iki.fi> +Date: Tue, 20 Nov 2018 01:14:00 +0200 +Subject: [PATCH] MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310 +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: e8cde625bfe8a714a856e1366bcbb259d7346095 + +commit e8cde625bfe8a714a856e1366bcbb259d7346095 upstream. + +Since v2.6.22 or so there has been reports [1] about OMAP MMC being +broken on OMAP15XX based hardware (OMAP5910 and OMAP310). The breakage +seems to have been caused by commit 46a6730e3ff9 ("mmc-omap: Fix +omap to use MMC_POWER_ON") that changed clock enabling to be done +on MMC_POWER_ON. This can happen multiple times in a row, and on 15XX +the hardware doesn't seem to like it and the MMC just stops responding. +Fix by memorizing the power mode and do the init only when necessary. + +Before the patch (on Palm TE): + + mmc0: new SD card at address b368 + mmcblk0: mmc0:b368 SDC 977 MiB + mmci-omap mmci-omap.0: command timeout (CMD18) + mmci-omap mmci-omap.0: command timeout (CMD13) + mmci-omap mmci-omap.0: command timeout (CMD13) + mmci-omap mmci-omap.0: command timeout (CMD12) [x 6] + mmci-omap mmci-omap.0: command timeout (CMD13) [x 6] + mmcblk0: error -110 requesting status + mmci-omap mmci-omap.0: command timeout (CMD8) + mmci-omap mmci-omap.0: command timeout (CMD18) + mmci-omap mmci-omap.0: command timeout (CMD13) + mmci-omap mmci-omap.0: command timeout (CMD13) + mmci-omap mmci-omap.0: command timeout (CMD12) [x 6] + mmci-omap mmci-omap.0: command timeout (CMD13) [x 6] + mmcblk0: error -110 requesting status + mmcblk0: recovery failed! + print_req_error: I/O error, dev mmcblk0, sector 0 + Buffer I/O error on dev mmcblk0, logical block 0, async page read + mmcblk0: unable to read partition table + +After the patch: + + mmc0: new SD card at address b368 + mmcblk0: mmc0:b368 SDC 977 MiB + mmcblk0: p1 + +The patch is based on a fix and analysis done by Ladislav Michl. + +Tested on OMAP15XX/OMAP310 (Palm TE), OMAP1710 (Nokia 770) +and OMAP2420 (Nokia N810). + +[1] https://marc.info/?t=123175197000003&r=1&w=2 + +Fixes: 46a6730e3ff9 ("mmc-omap: Fix omap to use MMC_POWER_ON") +Reported-by: Ladislav Michl <ladis@linux-mips.org> +Reported-by: Andrzej Zaborowski <balrogg@gmail.com> +Tested-by: Ladislav Michl <ladis@linux-mips.org> +Acked-by: Tony Lindgren <tony@atomide.com> +Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi> +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/mmc/host/omap.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/mmc/host/omap.c b/drivers/mmc/host/omap.c +index b9958a123594..5bcf4f45f8b4 100644 +--- a/drivers/mmc/host/omap.c ++++ b/drivers/mmc/host/omap.c +@@ -105,6 +105,7 @@ struct mmc_omap_slot { + unsigned int vdd; + u16 saved_con; + u16 bus_mode; ++ u16 power_mode; + unsigned int fclk_freq; + + struct tasklet_struct cover_tasklet; +@@ -1156,7 +1157,7 @@ static void mmc_omap_set_ios(struct mmc_host *mmc, struct mmc_ios *ios) + struct mmc_omap_slot *slot = mmc_priv(mmc); + struct mmc_omap_host *host = slot->host; + int i, dsor; +- int clk_enabled; ++ int clk_enabled, init_stream; + + mmc_omap_select_slot(slot, 0); + +@@ -1166,6 +1167,7 @@ static void mmc_omap_set_ios(struct mmc_host *mmc, struct mmc_ios *ios) + slot->vdd = ios->vdd; + + clk_enabled = 0; ++ init_stream = 0; + switch (ios->power_mode) { + case MMC_POWER_OFF: + mmc_omap_set_power(slot, 0, ios->vdd); +@@ -1173,13 +1175,17 @@ static void mmc_omap_set_ios(struct mmc_host *mmc, struct mmc_ios *ios) + case MMC_POWER_UP: + /* Cannot touch dsor yet, just power up MMC */ + mmc_omap_set_power(slot, 1, ios->vdd); ++ slot->power_mode = ios->power_mode; + goto exit; + case MMC_POWER_ON: + mmc_omap_fclk_enable(host, 1); + clk_enabled = 1; + dsor |= 1 << 11; ++ if (slot->power_mode != MMC_POWER_ON) ++ init_stream = 1; + break; + } ++ slot->power_mode = ios->power_mode; + + if (slot->bus_mode != ios->bus_mode) { + if (slot->pdata->set_bus_mode != NULL) +@@ -1195,7 +1201,7 @@ static void mmc_omap_set_ios(struct mmc_host *mmc, struct mmc_ios *ios) + for (i = 0; i < 2; i++) + OMAP_MMC_WRITE(host, CON, dsor); + slot->saved_con = dsor; +- if (ios->power_mode == MMC_POWER_ON) { ++ if (init_stream) { + /* worst case at 400kHz, 80 cycles makes 200 microsecs */ + int usecs = 250; + +@@ -1233,6 +1239,7 @@ static int mmc_omap_new_slot(struct mmc_omap_host *host, int id) + slot->host = host; + slot->mmc = mmc; + slot->id = id; ++ slot->power_mode = MMC_POWER_UNDEFINED; + slot->pdata = &host->pdata->slots[id]; + + host->slots[id] = slot; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-011-tracing-Fix-memory-leak-in-set_trigger_filter.patch b/patches.kernel.org/4.4.169-011-tracing-Fix-memory-leak-in-set_trigger_filter.patch new file mode 100644 index 0000000000..d00d951504 --- /dev/null +++ b/patches.kernel.org/4.4.169-011-tracing-Fix-memory-leak-in-set_trigger_filter.patch @@ -0,0 +1,50 @@ +From: "Steven Rostedt (VMware)" <rostedt@goodmis.org> +Date: Sun, 9 Dec 2018 21:17:30 -0500 +Subject: [PATCH] tracing: Fix memory leak in set_trigger_filter() +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 3cec638b3d793b7cacdec5b8072364b41caeb0e1 + +commit 3cec638b3d793b7cacdec5b8072364b41caeb0e1 upstream. + +When create_event_filter() fails in set_trigger_filter(), the filter may +still be allocated and needs to be freed. The caller expects the +data->filter to be updated with the new filter, even if the new filter +failed (we could add an error message by setting set_str parameter of +create_event_filter(), but that's another update). + +But because the error would just exit, filter was left hanging and +nothing could free it. + +Found by kmemleak detector. + +Cc: stable@vger.kernel.org +Fixes: bac5fb97a173a ("tracing: Add and use generic set_trigger_filter() implementation") +Reviewed-by: Tom Zanussi <tom.zanussi@linux.intel.com> +Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + kernel/trace/trace_events_trigger.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c +index b8a894adab2c..8be66a2b0cac 100644 +--- a/kernel/trace/trace_events_trigger.c ++++ b/kernel/trace/trace_events_trigger.c +@@ -727,8 +727,10 @@ static int set_trigger_filter(char *filter_str, + + /* The filter is for the 'trigger' event, not the triggered event */ + ret = create_event_filter(file->event_call, filter_str, false, &filter); +- if (ret) +- goto out; ++ /* ++ * If create_event_filter() fails, filter still needs to be freed. ++ * Which the calling code will do with data->filter. ++ */ + assign: + tmp = rcu_access_pointer(data->filter); + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-012-tracing-Fix-memory-leak-of-instance-function-.patch b/patches.kernel.org/4.4.169-012-tracing-Fix-memory-leak-of-instance-function-.patch new file mode 100644 index 0000000000..0c60810bb5 --- /dev/null +++ b/patches.kernel.org/4.4.169-012-tracing-Fix-memory-leak-of-instance-function-.patch @@ -0,0 +1,46 @@ +From: "Steven Rostedt (VMware)" <rostedt@goodmis.org> +Date: Mon, 10 Dec 2018 23:58:01 -0500 +Subject: [PATCH] tracing: Fix memory leak of instance function hash filters +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 2840f84f74035e5a535959d5f17269c69fa6edc5 + +commit 2840f84f74035e5a535959d5f17269c69fa6edc5 upstream. + +The following commands will cause a memory leak: + + # cd /sys/kernel/tracing + # mkdir instances/foo + # echo schedule > instance/foo/set_ftrace_filter + # rmdir instances/foo + +The reason is that the hashes that hold the filters to set_ftrace_filter and +set_ftrace_notrace are not freed if they contain any data on the instance +and the instance is removed. + +Found by kmemleak detector. + +Cc: stable@vger.kernel.org +Fixes: 591dffdade9f ("ftrace: Allow for function tracing instance to filter functions") +Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + kernel/trace/ftrace.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index ac758a53fcea..d90b42b39908 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -4767,6 +4767,7 @@ void ftrace_destroy_filter_files(struct ftrace_ops *ops) + if (ops->flags & FTRACE_OPS_FL_ENABLED) + ftrace_shutdown(ops, 0); + ops->flags |= FTRACE_OPS_FL_DELETED; ++ ftrace_free_filter(ops); + mutex_unlock(&ftrace_lock); + } + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-013-powerpc-msi-Fix-NULL-pointer-access-in-teardo.patch b/patches.kernel.org/4.4.169-013-powerpc-msi-Fix-NULL-pointer-access-in-teardo.patch new file mode 100644 index 0000000000..b564d3f77a --- /dev/null +++ b/patches.kernel.org/4.4.169-013-powerpc-msi-Fix-NULL-pointer-access-in-teardo.patch @@ -0,0 +1,59 @@ +From: Radu Rendec <radu.rendec@gmail.com> +Date: Tue, 27 Nov 2018 22:20:48 -0500 +Subject: [PATCH] powerpc/msi: Fix NULL pointer access in teardown code +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 78e7b15e17ac175e7eed9e21c6f92d03d3b0a6fa + +commit 78e7b15e17ac175e7eed9e21c6f92d03d3b0a6fa upstream. + +The arch_teardown_msi_irqs() function assumes that controller ops +pointers were already checked in arch_setup_msi_irqs(), but this +assumption is wrong: arch_teardown_msi_irqs() can be called even when +arch_setup_msi_irqs() returns an error (-ENOSYS). + +This can happen in the following scenario: + - msi_capability_init() calls pci_msi_setup_msi_irqs() + - pci_msi_setup_msi_irqs() returns -ENOSYS + - msi_capability_init() notices the error and calls free_msi_irqs() + - free_msi_irqs() calls pci_msi_teardown_msi_irqs() + +This is easier to see when CONFIG_PCI_MSI_IRQ_DOMAIN is not set and +pci_msi_setup_msi_irqs() and pci_msi_teardown_msi_irqs() are just +aliases to arch_setup_msi_irqs() and arch_teardown_msi_irqs(). + +The call to free_msi_irqs() upon pci_msi_setup_msi_irqs() failure +seems legit, as it does additional cleanup; e.g. +list_del(&entry->list) and kfree(entry) inside free_msi_irqs() do +happen (MSI descriptors are allocated before pci_msi_setup_msi_irqs() +is called and need to be cleaned up if that fails). + +Fixes: 6b2fd7efeb88 ("PCI/MSI/PPC: Remove arch_msi_check_device()") +Cc: stable@vger.kernel.org # v3.18+ +Signed-off-by: Radu Rendec <radu.rendec@gmail.com> +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/powerpc/kernel/msi.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/msi.c b/arch/powerpc/kernel/msi.c +index dab616a33b8d..f2197654be07 100644 +--- a/arch/powerpc/kernel/msi.c ++++ b/arch/powerpc/kernel/msi.c +@@ -34,5 +34,10 @@ void arch_teardown_msi_irqs(struct pci_dev *dev) + { + struct pci_controller *phb = pci_bus_to_host(dev->bus); + +- phb->controller_ops.teardown_msi_irqs(dev); ++ /* ++ * We can be called even when arch_setup_msi_irqs() returns -ENOSYS, ++ * so check the pointer again. ++ */ ++ if (phb->controller_ops.teardown_msi_irqs) ++ phb->controller_ops.teardown_msi_irqs(dev); + } +-- +2.20.1 + diff --git a/patches.fixes/0001-Revert-drm-rockchip-Allow-driver-to-be-shutdown-on-r.patch b/patches.kernel.org/4.4.169-014-Revert-drm-rockchip-Allow-driver-to-be-shutdo.patch index 1942091540..efac3d4b2f 100644 --- a/patches.fixes/0001-Revert-drm-rockchip-Allow-driver-to-be-shutdown-on-r.patch +++ b/patches.kernel.org/4.4.169-014-Revert-drm-rockchip-Allow-driver-to-be-shutdo.patch @@ -1,10 +1,12 @@ -From 63238173b2faf3d6b85a416f1c69af6c7be2413f Mon Sep 17 00:00:00 2001 From: Brian Norris <briannorris@chromium.org> Date: Wed, 5 Dec 2018 10:16:57 -0800 -Subject: Revert "drm/rockchip: Allow driver to be shutdown on reboot/kexec" +Subject: [PATCH] Revert "drm/rockchip: Allow driver to be shutdown on + reboot/kexec" +Patch-mainline: 4.4.169 +References: bnc#1012382 bsc#1106929 Git-commit: 63238173b2faf3d6b85a416f1c69af6c7be2413f -Patch-mainline: v4.20-rc7 -References: bsc#1106929 + +commit 63238173b2faf3d6b85a416f1c69af6c7be2413f upstream. This reverts commit 7f3ef5dedb146e3d5063b6845781ad1bb59b92b5. @@ -60,16 +62,17 @@ Cc: stable@vger.kernel.org Signed-off-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Heiko Stuebner <heiko@sntech.de> Link: https://patchwork.freedesktop.org/patch/msgid/20181205181657.177703-1-briannorris@chromium.org -Acked-by: Thomas Zimmermann <tzimmermann@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- drivers/gpu/drm/rockchip/rockchip_drm_drv.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_drv.c b/drivers/gpu/drm/rockchip/rockchip_drm_drv.c -index 941f35233b1f..5864cb452c5c 100644 +index d1f3be78c649..f22e1e1ee64a 100644 --- a/drivers/gpu/drm/rockchip/rockchip_drm_drv.c +++ b/drivers/gpu/drm/rockchip/rockchip_drm_drv.c -@@ -448,11 +448,6 @@ static int rockchip_drm_platform_remove(struct platform_device *pdev) +@@ -547,11 +547,6 @@ static int rockchip_drm_platform_remove(struct platform_device *pdev) return 0; } @@ -81,7 +84,7 @@ index 941f35233b1f..5864cb452c5c 100644 static const struct of_device_id rockchip_drm_dt_ids[] = { { .compatible = "rockchip,display-subsystem", }, { /* sentinel */ }, -@@ -462,7 +457,6 @@ MODULE_DEVICE_TABLE(of, rockchip_drm_dt_ids); +@@ -561,7 +556,6 @@ MODULE_DEVICE_TABLE(of, rockchip_drm_dt_ids); static struct platform_driver rockchip_drm_platform_driver = { .probe = rockchip_drm_platform_probe, .remove = rockchip_drm_platform_remove, diff --git a/patches.fixes/0001-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_control.patch b/patches.kernel.org/4.4.169-015-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_con.patch index 1f326fd8e4..a46c326baf 100644 --- a/patches.fixes/0001-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_control.patch +++ b/patches.kernel.org/4.4.169-015-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_con.patch @@ -1,10 +1,11 @@ -From e8ad4f9a609fb14bbd3d32602145e569e489a418 Mon Sep 17 00:00:00 2001 From: Yunlei He <heyunlei@huawei.com> Date: Thu, 1 Jun 2017 16:43:51 +0800 Subject: [PATCH] f2fs: fix a panic caused by NULL flush_cmd_control +Patch-mainline: 4.4.169 +References: CVE-2017-18241 bnc#1012382 bsc#1086400 Git-commit: d4fdf8ba0e5808ba9ad6b44337783bd9935e0982 -Patch-mainline: v4.13-rc1 -References: bsc#1086400, CVE-2017-18241 + +commit d4fdf8ba0e5808ba9ad6b44337783bd9935e0982 upstream. Mount fs with option noflush_merge, boot failed for illegal address fcc in function f2fs_issue_flush: @@ -17,16 +18,18 @@ fcc in function f2fs_issue_flush: Signed-off-by: Yunlei He <heyunlei@huawei.com> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org> -Acked-by: Nikolay Borisov <nborisov@suse.com> +[bwh: Backported to 4.9: adjust context] +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- fs/f2fs/segment.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c -index 0b00bbadc864..f85d5b3765fc 100644 +index 2bba0c4ef4b7..39ec9da08bb5 100644 --- a/fs/f2fs/segment.c +++ b/fs/f2fs/segment.c -@@ -396,6 +396,9 @@ int create_flush_cmd_control(struct f2fs_sb_info *sbi) +@@ -398,6 +398,9 @@ int create_flush_cmd_control(struct f2fs_sb_info *sbi) init_waitqueue_head(&fcc->flush_wait_queue); init_llist_head(&fcc->issue_list); SM_I(sbi)->cmd_control_info = fcc; @@ -36,7 +39,7 @@ index 0b00bbadc864..f85d5b3765fc 100644 fcc->f2fs_issue_flush = kthread_run(issue_flush_thread, sbi, "f2fs_flush-%u:%u", MAJOR(dev), MINOR(dev)); if (IS_ERR(fcc->f2fs_issue_flush)) { -@@ -2314,7 +2317,7 @@ int build_segment_manager(struct f2fs_sb_info *sbi) +@@ -2316,7 +2319,7 @@ int build_segment_manager(struct f2fs_sb_info *sbi) INIT_LIST_HEAD(&sm_info->sit_entry_set); @@ -46,5 +49,5 @@ index 0b00bbadc864..f85d5b3765fc 100644 if (err) return err; -- -2.7.4 +2.20.1 diff --git a/patches.drivers/mac80211-don-t-WARN-on-bad-WMM-parameters-from-buggy b/patches.kernel.org/4.4.169-016-mac80211-don-t-WARN-on-bad-WMM-parameters-fro.patch index fc160d475a..3bfba31f84 100644 --- a/patches.drivers/mac80211-don-t-WARN-on-bad-WMM-parameters-from-buggy +++ b/patches.kernel.org/4.4.169-016-mac80211-don-t-WARN-on-bad-WMM-parameters-fro.patch @@ -1,10 +1,11 @@ -From c470bdc1aaf36669e04ba65faf1092b2d1c6cabe Mon Sep 17 00:00:00 2001 From: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Date: Mon, 26 Mar 2018 16:21:04 +0300 Subject: [PATCH] mac80211: don't WARN on bad WMM parameters from buggy APs +Patch-mainline: 4.4.169 +References: bnc#1012382 bsc#1031717 Git-commit: c470bdc1aaf36669e04ba65faf1092b2d1c6cabe -Patch-mainline: v4.17-rc1 -References: bsc#1031717 + +[ Upstream commit c470bdc1aaf36669e04ba65faf1092b2d1c6cabe ] Apparently, some APs are buggy enough to send a zeroed WMM IE. Don't WARN on this since this is not caused by a bug @@ -21,15 +22,17 @@ https://bugzilla.kernel.org/show_bug.cgi?id=199161 Fixes: f409079bb678 ("mac80211: sanity check CW_min/CW_max towards driver") Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> -Acked-by: Takashi Iwai <tiwai@suse.de> - +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- - net/mac80211/mlme.c | 3 ++- + net/mac80211/mlme.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index a5e11280f405..51f31e77c19b 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c -@@ -1829,7 +1829,8 @@ static bool ieee80211_sta_wmm_params(str +@@ -1886,7 +1886,8 @@ static bool ieee80211_sta_wmm_params(struct ieee80211_local *local, params[ac].acm = acm; params[ac].uapsd = uapsd; @@ -39,3 +42,6 @@ Acked-by: Takashi Iwai <tiwai@suse.de> sdata_info(sdata, "AP has invalid WMM params (CWmin/max=%d/%d for ACI %d), using defaults\n", params[ac].cw_min, params[ac].cw_max, aci); +-- +2.20.1 + diff --git a/patches.drivers/mac80211-Fix-condition-validating-WMM-IE b/patches.kernel.org/4.4.169-017-mac80211-Fix-condition-validating-WMM-IE.patch index 719c49f0f7..12c2994d96 100644 --- a/patches.drivers/mac80211-Fix-condition-validating-WMM-IE +++ b/patches.kernel.org/4.4.169-017-mac80211-Fix-condition-validating-WMM-IE.patch @@ -1,10 +1,11 @@ -From 911a26484c33e10de6237228ca1d7293548e9f49 Mon Sep 17 00:00:00 2001 From: Ilan Peer <ilan.peer@intel.com> Date: Tue, 3 Apr 2018 11:35:22 +0300 Subject: [PATCH] mac80211: Fix condition validating WMM IE +Patch-mainline: 4.4.169 +References: bnc#1012382 bsc#1099732 bsc#1099810 Git-commit: 911a26484c33e10de6237228ca1d7293548e9f49 -Patch-mainline: v4.17-rc5 -References: bsc#1099810,bsc#1099732 + +[ Upstream commit 911a26484c33e10de6237228ca1d7293548e9f49 ] Commit c470bdc1aaf3 ("mac80211: don't WARN on bad WMM parameters from buggy APs") handled cases where an AP reports a zeroed WMM @@ -16,15 +17,17 @@ Fixes: c470bdc1aaf3 ("mac80211: don't WARN on bad WMM parameters from buggy APs" Signed-off-by: Ilan Peer <ilan.peer@intel.com> Signed-off-by: Luca Coelho <luciano.coelho@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> -Acked-by: Takashi Iwai <tiwai@suse.de> - +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- - net/mac80211/mlme.c | 2 +- + net/mac80211/mlme.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 51f31e77c19b..ed4fef32b394 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c -@@ -1829,7 +1829,7 @@ static bool ieee80211_sta_wmm_params(str +@@ -1886,7 +1886,7 @@ static bool ieee80211_sta_wmm_params(struct ieee80211_local *local, params[ac].acm = acm; params[ac].uapsd = uapsd; @@ -33,3 +36,6 @@ Acked-by: Takashi Iwai <tiwai@suse.de> params[ac].cw_min > params[ac].cw_max) { sdata_info(sdata, "AP has invalid WMM params (CWmin/max=%d/%d for ACI %d), using defaults\n", +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-018-mac80211_hwsim-fix-module-init-error-paths-fo.patch b/patches.kernel.org/4.4.169-018-mac80211_hwsim-fix-module-init-error-paths-fo.patch new file mode 100644 index 0000000000..df7f13a275 --- /dev/null +++ b/patches.kernel.org/4.4.169-018-mac80211_hwsim-fix-module-init-error-paths-fo.patch @@ -0,0 +1,62 @@ +From: Alexey Khoroshilov <khoroshilov@ispras.ru> +Date: Fri, 5 Oct 2018 23:22:06 +0300 +Subject: [PATCH] mac80211_hwsim: fix module init error paths for netlink +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 05cc09de4c017663a217630682041066f2f9a5cd + +[ Upstream commit 05cc09de4c017663a217630682041066f2f9a5cd ] + +There is no unregister netlink notifier and family on error paths +in init_mac80211_hwsim(). Also there is an error path where +hwsim_class is not destroyed. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> +Fixes: 62759361eb49 ("mac80211-hwsim: Provide multicast event for HWSIM_CMD_NEW_RADIO") +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/wireless/mac80211_hwsim.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index ab480ea6d95a..0d1abcfec003 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -3195,16 +3195,16 @@ static int __init init_mac80211_hwsim(void) + if (err) + return err; + ++ err = hwsim_init_netlink(); ++ if (err) ++ goto out_unregister_driver; ++ + hwsim_class = class_create(THIS_MODULE, "mac80211_hwsim"); + if (IS_ERR(hwsim_class)) { + err = PTR_ERR(hwsim_class); +- goto out_unregister_driver; ++ goto out_exit_netlink; + } + +- err = hwsim_init_netlink(); +- if (err < 0) +- goto out_unregister_driver; +- + for (i = 0; i < radios; i++) { + struct hwsim_new_radio_params param = { 0 }; + +@@ -3310,6 +3310,8 @@ static int __init init_mac80211_hwsim(void) + free_netdev(hwsim_mon); + out_free_radios: + mac80211_hwsim_free(); ++out_exit_netlink: ++ hwsim_exit_netlink(); + out_unregister_driver: + platform_driver_unregister(&mac80211_hwsim_driver); + return err; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-019-scsi-libiscsi-Fix-NULL-pointer-dereference-in.patch b/patches.kernel.org/4.4.169-019-scsi-libiscsi-Fix-NULL-pointer-dereference-in.patch new file mode 100644 index 0000000000..e3225d3891 --- /dev/null +++ b/patches.kernel.org/4.4.169-019-scsi-libiscsi-Fix-NULL-pointer-dereference-in.patch @@ -0,0 +1,42 @@ +From: Fred Herard <fred.herard@oracle.com> +Date: Tue, 20 Nov 2018 20:22:45 -0500 +Subject: [PATCH] scsi: libiscsi: Fix NULL pointer dereference in + iscsi_eh_session_reset +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 5db6dd14b31397e8cccaaddab2ff44ebec1acf25 + +[ Upstream commit 5db6dd14b31397e8cccaaddab2ff44ebec1acf25 ] + +This commit addresses NULL pointer dereference in iscsi_eh_session_reset. +Reference should not be made to session->leadconn when session->state is +set to ISCSI_STATE_TERMINATE. + +Signed-off-by: Fred Herard <fred.herard@oracle.com> +Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Reviewed-by: Lee Duncan <lduncan@suse.com> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/scsi/libiscsi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c +index a74f8fbefd33..009a2ef829d6 100644 +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -2416,8 +2416,8 @@ int iscsi_eh_session_reset(struct scsi_cmnd *sc) + failed: + ISCSI_DBG_EH(session, + "failing session reset: Could not log back into " +- "%s, %s [age %d]\n", session->targetname, +- conn->persistent_address, session->age); ++ "%s [age %d]\n", session->targetname, ++ session->age); + spin_unlock_bh(&session->frwd_lock); + mutex_unlock(&session->eh_mutex); + return FAILED; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-020-scsi-vmw_pscsi-Rearrange-code-to-avoid-multip.patch b/patches.kernel.org/4.4.169-020-scsi-vmw_pscsi-Rearrange-code-to-avoid-multip.patch new file mode 100644 index 0000000000..20f219c055 --- /dev/null +++ b/patches.kernel.org/4.4.169-020-scsi-vmw_pscsi-Rearrange-code-to-avoid-multip.patch @@ -0,0 +1,58 @@ +From: Cathy Avery <cavery@redhat.com> +Date: Tue, 27 Nov 2018 14:28:53 -0500 +Subject: [PATCH] scsi: vmw_pscsi: Rearrange code to avoid multiple calls to + free_irq during unload +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 02f425f811cefcc4d325d7a72272651e622dc97e + +[ Upstream commit 02f425f811cefcc4d325d7a72272651e622dc97e ] + +Currently pvscsi_remove calls free_irq more than once as +pvscsi_release_resources and __pvscsi_shutdown both call +pvscsi_shutdown_intr. This results in a 'Trying to free already-free IRQ' +warning and stack trace. To solve the problem pvscsi_shutdown_intr has been +moved out of pvscsi_release_resources. + +Signed-off-by: Cathy Avery <cavery@redhat.com> +Reviewed-by: Ewan D. Milne <emilne@redhat.com> +Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/scsi/vmw_pvscsi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/vmw_pvscsi.c b/drivers/scsi/vmw_pvscsi.c +index 0de2f9069e23..23081ed8f1e3 100644 +--- a/drivers/scsi/vmw_pvscsi.c ++++ b/drivers/scsi/vmw_pvscsi.c +@@ -1199,8 +1199,6 @@ static void pvscsi_shutdown_intr(struct pvscsi_adapter *adapter) + + static void pvscsi_release_resources(struct pvscsi_adapter *adapter) + { +- pvscsi_shutdown_intr(adapter); +- + if (adapter->workqueue) + destroy_workqueue(adapter->workqueue); + +@@ -1529,6 +1527,7 @@ static int pvscsi_probe(struct pci_dev *pdev, const struct pci_device_id *id) + out_reset_adapter: + ll_adapter_reset(adapter); + out_release_resources: ++ pvscsi_shutdown_intr(adapter); + pvscsi_release_resources(adapter); + scsi_host_put(host); + out_disable_device: +@@ -1537,6 +1536,7 @@ static int pvscsi_probe(struct pci_dev *pdev, const struct pci_device_id *id) + return error; + + out_release_resources_and_disable: ++ pvscsi_shutdown_intr(adapter); + pvscsi_release_resources(adapter); + goto out_disable_device; + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-021-x86-earlyprintk-efi-Fix-infinite-loop-on-some.patch b/patches.kernel.org/4.4.169-021-x86-earlyprintk-efi-Fix-infinite-loop-on-some.patch new file mode 100644 index 0000000000..7d5ae6c60a --- /dev/null +++ b/patches.kernel.org/4.4.169-021-x86-earlyprintk-efi-Fix-infinite-loop-on-some.patch @@ -0,0 +1,66 @@ +From: YiFei Zhu <zhuyifei1999@gmail.com> +Date: Thu, 29 Nov 2018 18:12:30 +0100 +Subject: [PATCH] x86/earlyprintk/efi: Fix infinite loop on some screen widths +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 79c2206d369b87b19ac29cb47601059b6bf5c291 + +[ Upstream commit 79c2206d369b87b19ac29cb47601059b6bf5c291 ] + +An affected screen resolution is 1366 x 768, which width is not +divisible by 8, the default font width. On such screens, when longer +lines are earlyprintk'ed, overflow-to-next-line can never trigger, +due to the left-most x-coordinate of the next character always less +than the screen width. Earlyprintk will infinite loop in trying to +print the rest of the string but unable to, due to the line being +full. + +This patch makes the trigger consider the right-most x-coordinate, +instead of left-most, as the value to compare against the screen +width threshold. + +Signed-off-by: YiFei Zhu <zhuyifei1999@gmail.com> +Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> +Cc: Andy Lutomirski <luto@kernel.org> +Cc: Arend van Spriel <arend.vanspriel@broadcom.com> +Cc: Bhupesh Sharma <bhsharma@redhat.com> +Cc: Borislav Petkov <bp@alien8.de> +Cc: Dave Hansen <dave.hansen@intel.com> +Cc: Eric Snowberg <eric.snowberg@oracle.com> +Cc: Hans de Goede <hdegoede@redhat.com> +Cc: Joe Perches <joe@perches.com> +Cc: Jon Hunter <jonathanh@nvidia.com> +Cc: Julien Thierry <julien.thierry@arm.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Marc Zyngier <marc.zyngier@arm.com> +Cc: Matt Fleming <matt@codeblueprint.co.uk> +Cc: Nathan Chancellor <natechancellor@gmail.com> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com> +Cc: Sedat Dilek <sedat.dilek@gmail.com> +Cc: Thomas Gleixner <tglx@linutronix.de> +Cc: linux-efi@vger.kernel.org +Link: http://lkml.kernel.org/r/20181129171230.18699-12-ard.biesheuvel@linaro.org +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/x86/platform/efi/early_printk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/platform/efi/early_printk.c b/arch/x86/platform/efi/early_printk.c +index 524142117296..82324fc25d5e 100644 +--- a/arch/x86/platform/efi/early_printk.c ++++ b/arch/x86/platform/efi/early_printk.c +@@ -179,7 +179,7 @@ early_efi_write(struct console *con, const char *str, unsigned int num) + num--; + } + +- if (efi_x >= si->lfb_width) { ++ if (efi_x + font->width > si->lfb_width) { + efi_x = 0; + efi_y += font->height; + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-022-drm-msm-Grab-a-vblank-reference-when-waiting-.patch b/patches.kernel.org/4.4.169-022-drm-msm-Grab-a-vblank-reference-when-waiting-.patch new file mode 100644 index 0000000000..0335e1d76c --- /dev/null +++ b/patches.kernel.org/4.4.169-022-drm-msm-Grab-a-vblank-reference-when-waiting-.patch @@ -0,0 +1,42 @@ +From: Sean Paul <seanpaul@chromium.org> +Date: Wed, 3 Oct 2018 16:22:31 -0400 +Subject: [PATCH] drm/msm: Grab a vblank reference when waiting for commit_done +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 3b712e43e3876b42b38321ecf790a1f5fe59c834 + +[ Upstream commit 3b712e43e3876b42b38321ecf790a1f5fe59c834 ] + +Similar to the atomic helpers, we should enable vblank while we're +waiting for the commit to finish. DPU needs this, MDP5 seems to work +fine without it. + +Reviewed-by: Abhinav Kumar <abhinavk@codeaurora.org> +Signed-off-by: Sean Paul <seanpaul@chromium.org> +Signed-off-by: Rob Clark <robdclark@gmail.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/gpu/drm/msm/msm_atomic.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/msm/msm_atomic.c b/drivers/gpu/drm/msm/msm_atomic.c +index 7eb253bc24df..221eaea651d4 100644 +--- a/drivers/gpu/drm/msm/msm_atomic.c ++++ b/drivers/gpu/drm/msm/msm_atomic.c +@@ -107,7 +107,12 @@ static void msm_atomic_wait_for_commit_done(struct drm_device *dev, + if (old_state->legacy_cursor_update) + continue; + ++ if (drm_crtc_vblank_get(crtc)) ++ continue; ++ + kms->funcs->wait_for_crtc_commit_done(kms, crtc); ++ ++ drm_crtc_vblank_put(crtc); + } + } + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-023-ARC-io.h-Implement-reads-x-writes-x.patch b/patches.kernel.org/4.4.169-023-ARC-io.h-Implement-reads-x-writes-x.patch new file mode 100644 index 0000000000..38b4daf256 --- /dev/null +++ b/patches.kernel.org/4.4.169-023-ARC-io.h-Implement-reads-x-writes-x.patch @@ -0,0 +1,146 @@ +From: Jose Abreu <joabreu@synopsys.com> +Date: Fri, 30 Nov 2018 09:47:31 +0000 +Subject: [PATCH] ARC: io.h: Implement reads{x}()/writes{x}() +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 10d443431dc2bb733cf7add99b453e3fb9047a2e + +[ Upstream commit 10d443431dc2bb733cf7add99b453e3fb9047a2e ] + +Some ARC CPU's do not support unaligned loads/stores. Currently, generic +implementation of reads{b/w/l}()/writes{b/w/l}() is being used with ARC. +This can lead to misfunction of some drivers as generic functions do a +plain dereference of a pointer that can be unaligned. + +Let's use {get/put}_unaligned() helpers instead of plain dereference of +pointer in order to fix. The helpers allow to get and store data from an +unaligned address whilst preserving the CPU internal alignment. +According to [1], the use of these helpers are costly in terms of +performance so we added an initial check for a buffer already aligned so +that the usage of the helpers can be avoided, when possible. + +[1] Documentation/unaligned-memory-access.txt + +Cc: Alexey Brodkin <abrodkin@synopsys.com> +Cc: Joao Pinto <jpinto@synopsys.com> +Cc: David Laight <David.Laight@ACULAB.COM> +Tested-by: Vitor Soares <soares@synopsys.com> +Signed-off-by: Jose Abreu <joabreu@synopsys.com> +Signed-off-by: Vineet Gupta <vgupta@synopsys.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/arc/include/asm/io.h | 72 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 72 insertions(+) + +diff --git a/arch/arc/include/asm/io.h b/arch/arc/include/asm/io.h +index cb69299a492e..f120d823e8c2 100644 +--- a/arch/arc/include/asm/io.h ++++ b/arch/arc/include/asm/io.h +@@ -12,6 +12,7 @@ + #include <linux/types.h> + #include <asm/byteorder.h> + #include <asm/page.h> ++#include <asm/unaligned.h> + + #ifdef CONFIG_ISA_ARCV2 + #include <asm/barrier.h> +@@ -85,6 +86,42 @@ static inline u32 __raw_readl(const volatile void __iomem *addr) + return w; + } + ++/* ++ * {read,write}s{b,w,l}() repeatedly access the same IO address in ++ * native endianness in 8-, 16-, 32-bit chunks {into,from} memory, ++ * @count times ++ */ ++#define __raw_readsx(t,f) \ ++static inline void __raw_reads##f(const volatile void __iomem *addr, \ ++ void *ptr, unsigned int count) \ ++{ \ ++ bool is_aligned = ((unsigned long)ptr % ((t) / 8)) == 0; \ ++ u##t *buf = ptr; \ ++ \ ++ if (!count) \ ++ return; \ ++ \ ++ /* Some ARC CPU's don't support unaligned accesses */ \ ++ if (is_aligned) { \ ++ do { \ ++ u##t x = __raw_read##f(addr); \ ++ *buf++ = x; \ ++ } while (--count); \ ++ } else { \ ++ do { \ ++ u##t x = __raw_read##f(addr); \ ++ put_unaligned(x, buf++); \ ++ } while (--count); \ ++ } \ ++} ++ ++#define __raw_readsb __raw_readsb ++__raw_readsx(8, b) ++#define __raw_readsw __raw_readsw ++__raw_readsx(16, w) ++#define __raw_readsl __raw_readsl ++__raw_readsx(32, l) ++ + #define __raw_writeb __raw_writeb + static inline void __raw_writeb(u8 b, volatile void __iomem *addr) + { +@@ -117,6 +154,35 @@ static inline void __raw_writel(u32 w, volatile void __iomem *addr) + + } + ++#define __raw_writesx(t,f) \ ++static inline void __raw_writes##f(volatile void __iomem *addr, \ ++ const void *ptr, unsigned int count) \ ++{ \ ++ bool is_aligned = ((unsigned long)ptr % ((t) / 8)) == 0; \ ++ const u##t *buf = ptr; \ ++ \ ++ if (!count) \ ++ return; \ ++ \ ++ /* Some ARC CPU's don't support unaligned accesses */ \ ++ if (is_aligned) { \ ++ do { \ ++ __raw_write##f(*buf++, addr); \ ++ } while (--count); \ ++ } else { \ ++ do { \ ++ __raw_write##f(get_unaligned(buf++), addr); \ ++ } while (--count); \ ++ } \ ++} ++ ++#define __raw_writesb __raw_writesb ++__raw_writesx(8, b) ++#define __raw_writesw __raw_writesw ++__raw_writesx(16, w) ++#define __raw_writesl __raw_writesl ++__raw_writesx(32, l) ++ + /* + * MMIO can also get buffered/optimized in micro-arch, so barriers needed + * Based on ARM model for the typical use case +@@ -132,10 +198,16 @@ static inline void __raw_writel(u32 w, volatile void __iomem *addr) + #define readb(c) ({ u8 __v = readb_relaxed(c); __iormb(); __v; }) + #define readw(c) ({ u16 __v = readw_relaxed(c); __iormb(); __v; }) + #define readl(c) ({ u32 __v = readl_relaxed(c); __iormb(); __v; }) ++#define readsb(p,d,l) ({ __raw_readsb(p,d,l); __iormb(); }) ++#define readsw(p,d,l) ({ __raw_readsw(p,d,l); __iormb(); }) ++#define readsl(p,d,l) ({ __raw_readsl(p,d,l); __iormb(); }) + + #define writeb(v,c) ({ __iowmb(); writeb_relaxed(v,c); }) + #define writew(v,c) ({ __iowmb(); writew_relaxed(v,c); }) + #define writel(v,c) ({ __iowmb(); writel_relaxed(v,c); }) ++#define writesb(p,d,l) ({ __iowmb(); __raw_writesb(p,d,l); }) ++#define writesw(p,d,l) ({ __iowmb(); __raw_writesw(p,d,l); }) ++#define writesl(p,d,l) ({ __iowmb(); __raw_writesl(p,d,l); }) + + /* + * Relaxed API for drivers which can handle barrier ordering themselves +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-024-bonding-fix-802.3ad-state-sent-to-partner-whe.patch b/patches.kernel.org/4.4.169-024-bonding-fix-802.3ad-state-sent-to-partner-whe.patch new file mode 100644 index 0000000000..7bdd916bed --- /dev/null +++ b/patches.kernel.org/4.4.169-024-bonding-fix-802.3ad-state-sent-to-partner-whe.patch @@ -0,0 +1,64 @@ +From: Toni Peltonen <peltzi@peltzi.fi> +Date: Tue, 27 Nov 2018 16:56:57 +0200 +Subject: [PATCH] bonding: fix 802.3ad state sent to partner when unbinding + slave +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 3b5b3a3331d141e8f2a7aaae3a94dfa1e61ecbe4 + +[ Upstream commit 3b5b3a3331d141e8f2a7aaae3a94dfa1e61ecbe4 ] + +Previously when unbinding a slave the 802.3ad implementation only told +partner that the port is not suitable for aggregation by setting the port +aggregation state from aggregatable to individual. This is not enough. If the +physical layer still stays up and we only unbinded this port from the bond there +is nothing in the aggregation status alone to prevent the partner from sending +traffic towards us. To ensure that the partner doesn't consider this +port at all anymore we should also disable collecting and distributing to +signal that this actor is going away. Also clear AD_STATE_SYNCHRONIZATION to +ensure partner exits collecting + distributing state. + +I have tested this behaviour againts Arista EOS switches with mlx5 cards +(physical link stays up even when interface is down) and simulated +the same situation virtually Linux <-> Linux with two network namespaces +running two veth device pairs. In both cases setting aggregation to +individual doesn't alone prevent traffic from being to sent towards this +port given that the link stays up in partners end. Partner still keeps +it's end in collecting + distributing state and continues until timeout is +reached. In most cases this means we are losing the traffic partner sends +towards our port while we wait for timeout. This is most visible with slow +periodic time (LACP rate slow). + +Other open source implementations like Open VSwitch and libreswitch, and +vendor implementations like Arista EOS, seem to disable collecting + +distributing to when doing similar port disabling/detaching/removing change. +With this patch kernel implementation would behave the same way and ensure +partner doesn't consider our actor viable anymore. + +Signed-off-by: Toni Peltonen <peltzi@peltzi.fi> +Signed-off-by: Jay Vosburgh <jay.vosburgh@canonical.com> +Acked-by: Jonathan Toppins <jtoppins@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/bonding/bond_3ad.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c +index 940e2ebbdea8..399c627b15cc 100644 +--- a/drivers/net/bonding/bond_3ad.c ++++ b/drivers/net/bonding/bond_3ad.c +@@ -2011,6 +2011,9 @@ void bond_3ad_unbind_slave(struct slave *slave) + aggregator->aggregator_identifier); + + /* Tell the partner that this port is not suitable for aggregation */ ++ port->actor_oper_port_state &= ~AD_STATE_SYNCHRONIZATION; ++ port->actor_oper_port_state &= ~AD_STATE_COLLECTING; ++ port->actor_oper_port_state &= ~AD_STATE_DISTRIBUTING; + port->actor_oper_port_state &= ~AD_STATE_AGGREGATION; + __update_lacpdu_from_port(port); + ad_lacpdu_send(port); +-- +2.20.1 + diff --git a/patches.fixes/SUNRPC-Fix-a-potential-race-in-xprt_connect.patch b/patches.kernel.org/4.4.169-025-SUNRPC-Fix-a-potential-race-in-xprt_connect.patch index a7d796ec7a..34a8c8e104 100644 --- a/patches.fixes/SUNRPC-Fix-a-potential-race-in-xprt_connect.patch +++ b/patches.kernel.org/4.4.169-025-SUNRPC-Fix-a-potential-race-in-xprt_connect.patch @@ -1,9 +1,11 @@ From: Trond Myklebust <trond.myklebust@hammerspace.com> Date: Sat, 1 Dec 2018 23:18:00 -0500 Subject: [PATCH] SUNRPC: Fix a potential race in xprt_connect() +Patch-mainline: 4.4.169 +References: bnc#1012382 git-fixes Git-commit: 0a9a4304f3614e25d9de9b63502ca633c01c0d70 -Patch-mainline: v4.20 -References: git-fixes + +[ Upstream commit 0a9a4304f3614e25d9de9b63502ca633c01c0d70 ] If an asynchronous connection attempt completes while another task is in xprt_connect(), then the call to rpc_sleep_on() could end up @@ -14,12 +16,14 @@ can be no asynchronous connection attempts still in progress. Fixes: 0b9e79431377d ("SUNRPC: Move the test for XPRT_CONNECTING into...") Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> -Acked-by: NeilBrown <neilb@suse.com> - +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- - net/sunrpc/xprt.c | 11 +++++++++-- + net/sunrpc/xprt.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) +diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c +index 2e98f4a243e5..112c191b8336 100644 --- a/net/sunrpc/xprt.c +++ b/net/sunrpc/xprt.c @@ -758,8 +758,15 @@ void xprt_connect(struct rpc_task *task) @@ -40,3 +44,6 @@ Acked-by: NeilBrown <neilb@suse.com> } xprt_release_write(xprt, task); } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-026-sbus-char-add-of_node_put.patch b/patches.kernel.org/4.4.169-026-sbus-char-add-of_node_put.patch new file mode 100644 index 0000000000..7112dde3af --- /dev/null +++ b/patches.kernel.org/4.4.169-026-sbus-char-add-of_node_put.patch @@ -0,0 +1,34 @@ +From: Yangtao Li <tiny.windzz@gmail.com> +Date: Tue, 20 Nov 2018 08:30:40 -0500 +Subject: [PATCH] sbus: char: add of_node_put() +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 87d81a23e24f24ebe014891e8bdf3ff8785031e8 + +[ Upstream commit 87d81a23e24f24ebe014891e8bdf3ff8785031e8 ] + +use of_node_put() to release the refcount. + +Signed-off-by: Yangtao Li <tiny.windzz@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/sbus/char/display7seg.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/sbus/char/display7seg.c b/drivers/sbus/char/display7seg.c +index 33fbe8249fd5..044cffbc45e8 100644 +--- a/drivers/sbus/char/display7seg.c ++++ b/drivers/sbus/char/display7seg.c +@@ -221,6 +221,7 @@ static int d7s_probe(struct platform_device *op) + dev_set_drvdata(&op->dev, p); + d7s_device = p; + err = 0; ++ of_node_put(opts); + + out: + return err; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-027-drivers-sbus-char-add-of_node_put.patch b/patches.kernel.org/4.4.169-027-drivers-sbus-char-add-of_node_put.patch new file mode 100644 index 0000000000..25ac26b229 --- /dev/null +++ b/patches.kernel.org/4.4.169-027-drivers-sbus-char-add-of_node_put.patch @@ -0,0 +1,37 @@ +From: Yangtao Li <tiny.windzz@gmail.com> +Date: Tue, 20 Nov 2018 08:38:26 -0500 +Subject: [PATCH] drivers/sbus/char: add of_node_put() +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 6bd520ab7cf69486ea81fd3cdfd2d5a390ad1100 + +[ Upstream commit 6bd520ab7cf69486ea81fd3cdfd2d5a390ad1100 ] + +use of_node_put() to release the refcount. + +Signed-off-by: Yangtao Li <tiny.windzz@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/sbus/char/envctrl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/sbus/char/envctrl.c b/drivers/sbus/char/envctrl.c +index 5609b602c54d..baa9b322520b 100644 +--- a/drivers/sbus/char/envctrl.c ++++ b/drivers/sbus/char/envctrl.c +@@ -910,8 +910,10 @@ static void envctrl_init_i2c_child(struct device_node *dp, + for (len = 0; len < PCF8584_MAX_CHANNELS; ++len) { + pchild->mon_type[len] = ENVCTRL_NOMON; + } ++ of_node_put(root_node); + return; + } ++ of_node_put(root_node); + } + + /* Get the monitor channels. */ +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-028-drivers-tty-add-missing-of_node_put.patch b/patches.kernel.org/4.4.169-028-drivers-tty-add-missing-of_node_put.patch new file mode 100644 index 0000000000..b52ebce89c --- /dev/null +++ b/patches.kernel.org/4.4.169-028-drivers-tty-add-missing-of_node_put.patch @@ -0,0 +1,36 @@ +From: Yangtao Li <tiny.windzz@gmail.com> +Date: Wed, 21 Nov 2018 10:22:54 -0500 +Subject: [PATCH] drivers/tty: add missing of_node_put() +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: dac097c4546e4c5b16dd303a1e97c1d319c8ab3e + +[ Upstream commit dac097c4546e4c5b16dd303a1e97c1d319c8ab3e ] + +of_find_node_by_path() acquires a reference to the node +returned by it and that reference needs to be dropped by its caller. +This place is not doing this, so fix it. + +Signed-off-by: Yangtao Li <tiny.windzz@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/tty/serial/suncore.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/tty/serial/suncore.c b/drivers/tty/serial/suncore.c +index 127472bd6a7c..209f314745ab 100644 +--- a/drivers/tty/serial/suncore.c ++++ b/drivers/tty/serial/suncore.c +@@ -111,6 +111,7 @@ void sunserial_console_termios(struct console *con, struct device_node *uart_dp) + mode = of_get_property(dp, mode_prop, NULL); + if (!mode) + mode = "9600,8,n,1,-"; ++ of_node_put(dp); + } + + cflag = CREAD | HUPCL | CLOCAL; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-029-ide-pmac-add-of_node_put.patch b/patches.kernel.org/4.4.169-029-ide-pmac-add-of_node_put.patch new file mode 100644 index 0000000000..fa67ae716a --- /dev/null +++ b/patches.kernel.org/4.4.169-029-ide-pmac-add-of_node_put.patch @@ -0,0 +1,34 @@ +From: Yangtao Li <tiny.windzz@gmail.com> +Date: Tue, 20 Nov 2018 08:02:49 -0500 +Subject: [PATCH] ide: pmac: add of_node_put() +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: a51921c0db3fd26c4ed83dc0ec5d32988fa02aa5 + +[ Upstream commit a51921c0db3fd26c4ed83dc0ec5d32988fa02aa5 ] + +use of_node_put() to release the refcount. + +Signed-off-by: Yangtao Li <tiny.windzz@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/ide/pmac.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/ide/pmac.c b/drivers/ide/pmac.c +index 96a345248224..0add5bb3cee8 100644 +--- a/drivers/ide/pmac.c ++++ b/drivers/ide/pmac.c +@@ -920,6 +920,7 @@ static u8 pmac_ide_cable_detect(ide_hwif_t *hwif) + struct device_node *root = of_find_node_by_path("/"); + const char *model = of_get_property(root, "model", NULL); + ++ of_node_put(root); + /* Get cable type from device-tree. */ + if (cable && !strncmp(cable, "80-", 3)) { + /* Some drives fail to detect 80c cable in PowerBook */ +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-030-clk-mmp-Off-by-one-in-mmp_clk_add.patch b/patches.kernel.org/4.4.169-030-clk-mmp-Off-by-one-in-mmp_clk_add.patch new file mode 100644 index 0000000000..9284018fd9 --- /dev/null +++ b/patches.kernel.org/4.4.169-030-clk-mmp-Off-by-one-in-mmp_clk_add.patch @@ -0,0 +1,40 @@ +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Mon, 3 Dec 2018 17:51:43 +0300 +Subject: [PATCH] clk: mmp: Off by one in mmp_clk_add() +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 2e85c57493e391b93445c1e0d530b36b95becc64 + +[ Upstream commit 2e85c57493e391b93445c1e0d530b36b95becc64 ] + +The > comparison should be >= or we write one element beyond the end of +the unit->clk_table[] array. + +(The unit->clk_table[] array is allocated in the mmp_clk_init() function +and it has unit->nr_clks elements). + +Fixes: 4661fda10f8b ("clk: mmp: add basic support functions for DT support") +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Stephen Boyd <sboyd@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/clk/mmp/clk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/mmp/clk.c b/drivers/clk/mmp/clk.c +index 61893fe73251..18b6c9b55b95 100644 +--- a/drivers/clk/mmp/clk.c ++++ b/drivers/clk/mmp/clk.c +@@ -182,7 +182,7 @@ void mmp_clk_add(struct mmp_clk_unit *unit, unsigned int id, + pr_err("CLK %d has invalid pointer %p\n", id, clk); + return; + } +- if (id > unit->nr_clks) { ++ if (id >= unit->nr_clks) { + pr_err("CLK %d is invalid\n", id); + return; + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-031-Input-omap-keypad-fix-keyboard-debounce-confi.patch b/patches.kernel.org/4.4.169-031-Input-omap-keypad-fix-keyboard-debounce-confi.patch new file mode 100644 index 0000000000..526b19e24a --- /dev/null +++ b/patches.kernel.org/4.4.169-031-Input-omap-keypad-fix-keyboard-debounce-confi.patch @@ -0,0 +1,70 @@ +From: Tony Lindgren <tony@atomide.com> +Date: Mon, 3 Dec 2018 11:24:30 -0800 +Subject: [PATCH] Input: omap-keypad - fix keyboard debounce configuration +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 6c3516fed7b61a3527459ccfa67fab130d910610 + +[ Upstream commit 6c3516fed7b61a3527459ccfa67fab130d910610 ] + +I noticed that the Android v3.0.8 kernel on droid4 is using different +keypad values from the mainline kernel and does not have issues with +keys occasionally being stuck until pressed again. Turns out there was +an earlier patch posted to fix this as "Input: omap-keypad: errata i689: +Correct debounce time", but it was never reposted to fix use macros +for timing calculations. + +This updated version is using macros, and also fixes the use of the +input clock rate to use 32768KiHz instead of 32000KiHz. And we want to +use the known good Android kernel values of 3 and 6 instead of 2 and 6 +in the earlier patch. + +Reported-by: Pavel Machek <pavel@ucw.cz> +Signed-off-by: Tony Lindgren <tony@atomide.com> +Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/input/keyboard/omap4-keypad.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/input/keyboard/omap4-keypad.c b/drivers/input/keyboard/omap4-keypad.c +index 6639b2b8528a..f78c464899db 100644 +--- a/drivers/input/keyboard/omap4-keypad.c ++++ b/drivers/input/keyboard/omap4-keypad.c +@@ -60,8 +60,18 @@ + + /* OMAP4 values */ + #define OMAP4_VAL_IRQDISABLE 0x0 +-#define OMAP4_VAL_DEBOUNCINGTIME 0x7 +-#define OMAP4_VAL_PVT 0x7 ++ ++/* ++ * Errata i689: If a key is released for a time shorter than debounce time, ++ * the keyboard will idle and never detect the key release. The workaround ++ * is to use at least a 12ms debounce time. See omap5432 TRM chapter ++ * "26.4.6.2 Keyboard Controller Timer" for more information. ++ */ ++#define OMAP4_KEYPAD_PTV_DIV_128 0x6 ++#define OMAP4_KEYPAD_DEBOUNCINGTIME_MS(dbms, ptv) \ ++ ((((dbms) * 1000) / ((1 << ((ptv) + 1)) * (1000000 / 32768))) - 1) ++#define OMAP4_VAL_DEBOUNCINGTIME_16MS \ ++ OMAP4_KEYPAD_DEBOUNCINGTIME_MS(16, OMAP4_KEYPAD_PTV_DIV_128) + + enum { + KBD_REVISION_OMAP4 = 0, +@@ -181,9 +191,9 @@ static int omap4_keypad_open(struct input_dev *input) + + kbd_writel(keypad_data, OMAP4_KBD_CTRL, + OMAP4_DEF_CTRL_NOSOFTMODE | +- (OMAP4_VAL_PVT << OMAP4_DEF_CTRL_PTV_SHIFT)); ++ (OMAP4_KEYPAD_PTV_DIV_128 << OMAP4_DEF_CTRL_PTV_SHIFT)); + kbd_writel(keypad_data, OMAP4_KBD_DEBOUNCINGTIME, +- OMAP4_VAL_DEBOUNCINGTIME); ++ OMAP4_VAL_DEBOUNCINGTIME_16MS); + /* clear pending interrupts */ + kbd_write_irqreg(keypad_data, OMAP4_KBD_IRQSTATUS, + kbd_read_irqreg(keypad_data, OMAP4_KBD_IRQSTATUS)); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-032-libata-whitelist-all-SAMSUNG-MZ7KM-solid-stat.patch b/patches.kernel.org/4.4.169-032-libata-whitelist-all-SAMSUNG-MZ7KM-solid-stat.patch new file mode 100644 index 0000000000..b1ec401811 --- /dev/null +++ b/patches.kernel.org/4.4.169-032-libata-whitelist-all-SAMSUNG-MZ7KM-solid-stat.patch @@ -0,0 +1,37 @@ +From: Juha-Matti Tilli <juha-matti.tilli@iki.fi> +Date: Sun, 2 Dec 2018 12:47:08 +0200 +Subject: [PATCH] libata: whitelist all SAMSUNG MZ7KM* solid-state disks +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: fd6f32f78645db32b6b95a42e45da2ddd6de0e67 + +[ Upstream commit fd6f32f78645db32b6b95a42e45da2ddd6de0e67 ] + +These devices support read zero after trim (RZAT), as they advertise to +the OS. However, the OS doesn't believe the SSDs unless they are +explicitly whitelisted. + +Acked-by: Martin K. Petersen <martin.petersen@oracle.com> +Signed-off-by: Juha-Matti Tilli <juha-matti.tilli@iki.fi> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/ata/libata-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index ba514fa733de..d543172b20b3 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4297,6 +4297,7 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = { + { "SSD*INTEL*", NULL, ATA_HORKAGE_ZERO_AFTER_TRIM, }, + { "Samsung*SSD*", NULL, ATA_HORKAGE_ZERO_AFTER_TRIM, }, + { "SAMSUNG*SSD*", NULL, ATA_HORKAGE_ZERO_AFTER_TRIM, }, ++ { "SAMSUNG*MZ7KM*", NULL, ATA_HORKAGE_ZERO_AFTER_TRIM, }, + { "ST[1248][0248]0[FH]*", NULL, ATA_HORKAGE_ZERO_AFTER_TRIM, }, + + /* +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-033-mv88e6060-disable-hardware-level-MAC-learning.patch b/patches.kernel.org/4.4.169-033-mv88e6060-disable-hardware-level-MAC-learning.patch new file mode 100644 index 0000000000..6340709552 --- /dev/null +++ b/patches.kernel.org/4.4.169-033-mv88e6060-disable-hardware-level-MAC-learning.patch @@ -0,0 +1,55 @@ +From: Anderson Luiz Alves <alacn1@gmail.com> +Date: Fri, 30 Nov 2018 21:58:36 -0200 +Subject: [PATCH] mv88e6060: disable hardware level MAC learning +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: a74515604a7b171f2702bdcbd1e231225fb456d0 + +[ Upstream commit a74515604a7b171f2702bdcbd1e231225fb456d0 ] + +Disable hardware level MAC learning because it breaks station roaming. +When enabled it drops all frames that arrive from a MAC address +that is on a different port at learning table. + +Signed-off-by: Anderson Luiz Alves <alacn1@gmail.com> +Reviewed-by: Andrew Lunn <andrew@lunn.ch> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/dsa/mv88e6060.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/dsa/mv88e6060.c b/drivers/net/dsa/mv88e6060.c +index 0527f485c3dc..973fcd442aea 100644 +--- a/drivers/net/dsa/mv88e6060.c ++++ b/drivers/net/dsa/mv88e6060.c +@@ -98,8 +98,7 @@ static int mv88e6060_switch_reset(struct dsa_switch *ds) + /* Reset the switch. */ + REG_WRITE(REG_GLOBAL, GLOBAL_ATU_CONTROL, + GLOBAL_ATU_CONTROL_SWRESET | +- GLOBAL_ATU_CONTROL_ATUSIZE_1024 | +- GLOBAL_ATU_CONTROL_ATE_AGE_5MIN); ++ GLOBAL_ATU_CONTROL_LEARNDIS); + + /* Wait up to one second for reset to complete. */ + timeout = jiffies + 1 * HZ; +@@ -124,13 +123,10 @@ static int mv88e6060_setup_global(struct dsa_switch *ds) + */ + REG_WRITE(REG_GLOBAL, GLOBAL_CONTROL, GLOBAL_CONTROL_MAX_FRAME_1536); + +- /* Enable automatic address learning, set the address +- * database size to 1024 entries, and set the default aging +- * time to 5 minutes. ++ /* Disable automatic address learning. + */ + REG_WRITE(REG_GLOBAL, GLOBAL_ATU_CONTROL, +- GLOBAL_ATU_CONTROL_ATUSIZE_1024 | +- GLOBAL_ATU_CONTROL_ATE_AGE_5MIN); ++ GLOBAL_ATU_CONTROL_LEARNDIS); + + return 0; + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-034-ARM-8814-1-mm-improve-fix-ARM-v7_dma_inv_rang.patch b/patches.kernel.org/4.4.169-034-ARM-8814-1-mm-improve-fix-ARM-v7_dma_inv_rang.patch new file mode 100644 index 0000000000..4b2df5d223 --- /dev/null +++ b/patches.kernel.org/4.4.169-034-ARM-8814-1-mm-improve-fix-ARM-v7_dma_inv_rang.patch @@ -0,0 +1,77 @@ +From: Chris Cole <chris@sageembedded.com> +Date: Fri, 23 Nov 2018 12:20:45 +0100 +Subject: [PATCH] ARM: 8814/1: mm: improve/fix ARM v7_dma_inv_range() unaligned + address handling +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: a1208f6a822ac29933e772ef1f637c5d67838da9 + +[ Upstream commit a1208f6a822ac29933e772ef1f637c5d67838da9 ] + +This patch addresses possible memory corruption when +v7_dma_inv_range(start_address, end_address) address parameters are not +aligned to whole cache lines. This function issues "invalidate" cache +management operations to all cache lines from start_address (inclusive) +to end_address (exclusive). When start_address and/or end_address are +not aligned, the start and/or end cache lines are first issued "clean & +invalidate" operation. The assumption is this is done to ensure that any +dirty data addresses outside the address range (but part of the first or +last cache lines) are cleaned/flushed so that data is not lost, which +could happen if just an invalidate is issued. + +The problem is that these first/last partial cache lines are issued +"clean & invalidate" and then "invalidate". This second "invalidate" is +not required and worse can cause "lost" writes to addresses outside the +address range but part of the cache line. If another component writes to +its part of the cache line between the "clean & invalidate" and +"invalidate" operations, the write can get lost. This fix is to remove +the extra "invalidate" operation when unaligned addressed are used. + +A kernel module is available that has a stress test to reproduce the +issue and a unit test of the updated v7_dma_inv_range(). It can be +downloaded from +http://ftp.sageembedded.com/outgoing/linux/cache-test-20181107.tgz. + +v7_dma_inv_range() is call by dmac_[un]map_area(addr, len, direction) +when the direction is DMA_FROM_DEVICE. One can (I believe) successfully +argue that DMA from a device to main memory should use buffers aligned +to cache line size, because the "clean & invalidate" might overwrite +data that the device just wrote using DMA. But if a driver does use +unaligned buffers, at least this fix will prevent memory corruption +outside the buffer. + +Signed-off-by: Chris Cole <chris@sageembedded.com> +Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/arm/mm/cache-v7.S | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/mm/cache-v7.S b/arch/arm/mm/cache-v7.S +index a134d8a13d00..11d699af30ed 100644 +--- a/arch/arm/mm/cache-v7.S ++++ b/arch/arm/mm/cache-v7.S +@@ -359,14 +359,16 @@ v7_dma_inv_range: + ALT_UP(W(nop)) + #endif + mcrne p15, 0, r0, c7, c14, 1 @ clean & invalidate D / U line ++ addne r0, r0, r2 + + tst r1, r3 + bic r1, r1, r3 + mcrne p15, 0, r1, c7, c14, 1 @ clean & invalidate D / U line +-1: +- mcr p15, 0, r0, c7, c6, 1 @ invalidate D / U line +- add r0, r0, r2 + cmp r0, r1 ++1: ++ mcrlo p15, 0, r0, c7, c6, 1 @ invalidate D / U line ++ addlo r0, r0, r2 ++ cmplo r0, r1 + blo 1b + dsb st + ret lr +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-035-cifs-In-Kconfig-CONFIG_CIFS_POSIX-needs-depen.patch b/patches.kernel.org/4.4.169-035-cifs-In-Kconfig-CONFIG_CIFS_POSIX-needs-depen.patch new file mode 100644 index 0000000000..f7523465d1 --- /dev/null +++ b/patches.kernel.org/4.4.169-035-cifs-In-Kconfig-CONFIG_CIFS_POSIX-needs-depen.patch @@ -0,0 +1,38 @@ +From: Steve French <stfrench@microsoft.com> +Date: Sat, 3 Nov 2018 15:02:44 -0500 +Subject: [PATCH] cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy + (insecure cifs) +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 6e785302dad32228819d8066e5376acd15d0e6ba + +[ Upstream commit 6e785302dad32228819d8066e5376acd15d0e6ba ] + +Missing a dependency. Shouldn't show cifs posix extensions +in Kconfig if CONFIG_CIFS_ALLOW_INSECURE_DIALECTS (ie SMB1 +protocol) is disabled. + +Signed-off-by: Steve French <stfrench@microsoft.com> +Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/cifs/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/cifs/Kconfig b/fs/cifs/Kconfig +index e7b478b49985..8bef27b8f85d 100644 +--- a/fs/cifs/Kconfig ++++ b/fs/cifs/Kconfig +@@ -111,7 +111,7 @@ config CIFS_XATTR + + config CIFS_POSIX + bool "CIFS POSIX Extensions" +- depends on CIFS_XATTR ++ depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY && CIFS_XATTR + help + Enabling this option will cause the cifs client to attempt to + negotiate a newer dialect with servers, such as Samba 3.0.5 +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-036-i2c-axxia-properly-handle-master-timeout.patch b/patches.kernel.org/4.4.169-036-i2c-axxia-properly-handle-master-timeout.patch new file mode 100644 index 0000000000..761038d83e --- /dev/null +++ b/patches.kernel.org/4.4.169-036-i2c-axxia-properly-handle-master-timeout.patch @@ -0,0 +1,176 @@ +From: "Adamski, Krzysztof (Nokia - PL/Wroclaw)" <krzysztof.adamski@nokia.com> +Date: Fri, 16 Nov 2018 13:24:41 +0000 +Subject: [PATCH] i2c: axxia: properly handle master timeout +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 6c7f25cae54b840302e4f1b371dbf318fbf09ab2 + +[ Upstream commit 6c7f25cae54b840302e4f1b371dbf318fbf09ab2 ] + +According to Intel (R) Axxia TM Lionfish Communication Processor +Peripheral Subsystem Hardware Reference Manual, the AXXIA I2C module +have a programmable Master Wait Timer, which among others, checks the +time between commands send in manual mode. When a timeout (25ms) passes, +TSS bit is set in Master Interrupt Status register and a Stop command is +issued by the hardware. + +The axxia_i2c_xfer(), does not properly handle this situation, however. +For each message a separate axxia_i2c_xfer_msg() is called and this +function incorrectly assumes that any interrupt might happen only when +waiting for completion. This is mostly correct but there is one +exception - a master timeout can trigger if enough time has passed +between individual transfers. It will, by definition, happen between +transfers when the interrupts are disabled by the code. If that happens, +the hardware issues Stop command. + +The interrupt indicating timeout will not be triggered as soon as we +enable them since the Master Interrupt Status is cleared when master +mode is entered again (which happens before enabling irqs) meaning this +error is lost and the transfer is continued even though the Stop was +issued on the bus. The subsequent operations completes without error but +a bogus value (0xFF in case of read) is read as the client device is +confused because aborted transfer. No error is returned from +master_xfer() making caller believe that a valid value was read. + +To fix the problem, the TSS bit (indicating timeout) in Master Interrupt +Status register is checked before each transfer. If it is set, there was +a timeout before this transfer and (as described above) the hardware +already issued Stop command so the transaction should be aborted thus +-ETIMEOUT is returned from the master_xfer() callback. In order to be +sure no timeout was issued we can't just read the status just before +starting new transaction as there will always be a small window of time +(few CPU cycles at best) where this might still happen. For this reason +we have to temporally disable the timer before checking for TSS bit. +Disabling it will, however, clear the TSS bit so in order to preserve +that information, we have to read it in ISR so we have to ensure that +the TSS interrupt is not masked between transfers of one transaction. +There is no need to call bus recovery or controller reinitialization if +that happens so it's skipped. + +Signed-off-by: Krzysztof Adamski <krzysztof.adamski@nokia.com> +Reviewed-by: Alexander Sverdlin <alexander.sverdlin@nokia.com> +Signed-off-by: Wolfram Sang <wsa@the-dreams.de> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/i2c/busses/i2c-axxia.c | 40 ++++++++++++++++++++++++---------- + 1 file changed, 29 insertions(+), 11 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-axxia.c b/drivers/i2c/busses/i2c-axxia.c +index c335cc7852f9..9c9fd2e87a4b 100644 +--- a/drivers/i2c/busses/i2c-axxia.c ++++ b/drivers/i2c/busses/i2c-axxia.c +@@ -74,8 +74,7 @@ + MST_STATUS_ND) + #define MST_STATUS_ERR (MST_STATUS_NAK | \ + MST_STATUS_AL | \ +- MST_STATUS_IP | \ +- MST_STATUS_TSS) ++ MST_STATUS_IP) + #define MST_TX_BYTES_XFRD 0x50 + #define MST_RX_BYTES_XFRD 0x54 + #define SCL_HIGH_PERIOD 0x80 +@@ -241,7 +240,7 @@ static int axxia_i2c_empty_rx_fifo(struct axxia_i2c_dev *idev) + */ + if (c <= 0 || c > I2C_SMBUS_BLOCK_MAX) { + idev->msg_err = -EPROTO; +- i2c_int_disable(idev, ~0); ++ i2c_int_disable(idev, ~MST_STATUS_TSS); + complete(&idev->msg_complete); + break; + } +@@ -299,14 +298,19 @@ static irqreturn_t axxia_i2c_isr(int irq, void *_dev) + + if (status & MST_STATUS_SCC) { + /* Stop completed */ +- i2c_int_disable(idev, ~0); ++ i2c_int_disable(idev, ~MST_STATUS_TSS); + complete(&idev->msg_complete); + } else if (status & MST_STATUS_SNS) { + /* Transfer done */ +- i2c_int_disable(idev, ~0); ++ i2c_int_disable(idev, ~MST_STATUS_TSS); + if (i2c_m_rd(idev->msg) && idev->msg_xfrd < idev->msg->len) + axxia_i2c_empty_rx_fifo(idev); + complete(&idev->msg_complete); ++ } else if (status & MST_STATUS_TSS) { ++ /* Transfer timeout */ ++ idev->msg_err = -ETIMEDOUT; ++ i2c_int_disable(idev, ~MST_STATUS_TSS); ++ complete(&idev->msg_complete); + } else if (unlikely(status & MST_STATUS_ERR)) { + /* Transfer error */ + i2c_int_disable(idev, ~0); +@@ -339,10 +343,10 @@ static int axxia_i2c_xfer_msg(struct axxia_i2c_dev *idev, struct i2c_msg *msg) + u32 rx_xfer, tx_xfer; + u32 addr_1, addr_2; + unsigned long time_left; ++ unsigned int wt_value; + + idev->msg = msg; + idev->msg_xfrd = 0; +- idev->msg_err = 0; + reinit_completion(&idev->msg_complete); + + if (i2c_m_ten(msg)) { +@@ -382,9 +386,18 @@ static int axxia_i2c_xfer_msg(struct axxia_i2c_dev *idev, struct i2c_msg *msg) + else if (axxia_i2c_fill_tx_fifo(idev) != 0) + int_mask |= MST_STATUS_TFL; + ++ wt_value = WT_VALUE(readl(idev->base + WAIT_TIMER_CONTROL)); ++ /* Disable wait timer temporarly */ ++ writel(wt_value, idev->base + WAIT_TIMER_CONTROL); ++ /* Check if timeout error happened */ ++ if (idev->msg_err) ++ goto out; ++ + /* Start manual mode */ + writel(CMD_MANUAL, idev->base + MST_COMMAND); + ++ writel(WT_EN | wt_value, idev->base + WAIT_TIMER_CONTROL); ++ + i2c_int_enable(idev, int_mask); + + time_left = wait_for_completion_timeout(&idev->msg_complete, +@@ -395,13 +408,15 @@ static int axxia_i2c_xfer_msg(struct axxia_i2c_dev *idev, struct i2c_msg *msg) + if (readl(idev->base + MST_COMMAND) & CMD_BUSY) + dev_warn(idev->dev, "busy after xfer\n"); + +- if (time_left == 0) ++ if (time_left == 0) { + idev->msg_err = -ETIMEDOUT; +- +- if (idev->msg_err == -ETIMEDOUT) + i2c_recover_bus(&idev->adapter); ++ axxia_i2c_init(idev); ++ } + +- if (unlikely(idev->msg_err) && idev->msg_err != -ENXIO) ++out: ++ if (unlikely(idev->msg_err) && idev->msg_err != -ENXIO && ++ idev->msg_err != -ETIMEDOUT) + axxia_i2c_init(idev); + + return idev->msg_err; +@@ -409,7 +424,7 @@ static int axxia_i2c_xfer_msg(struct axxia_i2c_dev *idev, struct i2c_msg *msg) + + static int axxia_i2c_stop(struct axxia_i2c_dev *idev) + { +- u32 int_mask = MST_STATUS_ERR | MST_STATUS_SCC; ++ u32 int_mask = MST_STATUS_ERR | MST_STATUS_SCC | MST_STATUS_TSS; + unsigned long time_left; + + reinit_completion(&idev->msg_complete); +@@ -436,6 +451,9 @@ axxia_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], int num) + int i; + int ret = 0; + ++ idev->msg_err = 0; ++ i2c_int_enable(idev, MST_STATUS_TSS); ++ + for (i = 0; ret == 0 && i < num; ++i) + ret = axxia_i2c_xfer_msg(idev, &msgs[i]); + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-037-i2c-scmi-Fix-probe-error-on-devices-with-an-e.patch b/patches.kernel.org/4.4.169-037-i2c-scmi-Fix-probe-error-on-devices-with-an-e.patch new file mode 100644 index 0000000000..a9f81f0940 --- /dev/null +++ b/patches.kernel.org/4.4.169-037-i2c-scmi-Fix-probe-error-on-devices-with-an-e.patch @@ -0,0 +1,75 @@ +From: Hans de Goede <hdegoede@redhat.com> +Date: Wed, 21 Nov 2018 10:19:55 +0100 +Subject: [PATCH] i2c: scmi: Fix probe error on devices with an empty SMB0001 + ACPI device node +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 0544ee4b1ad574aec3b6379af5f5cdee42840971 + +[ Upstream commit 0544ee4b1ad574aec3b6379af5f5cdee42840971 ] + +Some AMD based HP laptops have a SMB0001 ACPI device node which does not +define any methods. + +This leads to the following error in dmesg: + +[ 5.222731] cmi: probe of SMB0001:00 failed with error -5 + +This commit makes acpi_smbus_cmi_add() return -ENODEV instead in this case +silencing the error. In case of a failure of the i2c_add_adapter() call +this commit now propagates the error from that call instead of -EIO. + +Signed-off-by: Hans de Goede <hdegoede@redhat.com> +Signed-off-by: Wolfram Sang <wsa@the-dreams.de> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/i2c/busses/i2c-scmi.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-scmi.c b/drivers/i2c/busses/i2c-scmi.c +index efefcfa24a4c..d2178f701b41 100644 +--- a/drivers/i2c/busses/i2c-scmi.c ++++ b/drivers/i2c/busses/i2c-scmi.c +@@ -364,6 +364,7 @@ static int acpi_smbus_cmi_add(struct acpi_device *device) + { + struct acpi_smbus_cmi *smbus_cmi; + const struct acpi_device_id *id; ++ int ret; + + smbus_cmi = kzalloc(sizeof(struct acpi_smbus_cmi), GFP_KERNEL); + if (!smbus_cmi) +@@ -385,8 +386,10 @@ static int acpi_smbus_cmi_add(struct acpi_device *device) + acpi_walk_namespace(ACPI_TYPE_METHOD, smbus_cmi->handle, 1, + acpi_smbus_cmi_query_methods, NULL, smbus_cmi, NULL); + +- if (smbus_cmi->cap_info == 0) ++ if (smbus_cmi->cap_info == 0) { ++ ret = -ENODEV; + goto err; ++ } + + snprintf(smbus_cmi->adapter.name, sizeof(smbus_cmi->adapter.name), + "SMBus CMI adapter %s", +@@ -397,7 +400,8 @@ static int acpi_smbus_cmi_add(struct acpi_device *device) + smbus_cmi->adapter.class = I2C_CLASS_HWMON | I2C_CLASS_SPD; + smbus_cmi->adapter.dev.parent = &device->dev; + +- if (i2c_add_adapter(&smbus_cmi->adapter)) { ++ ret = i2c_add_adapter(&smbus_cmi->adapter); ++ if (ret) { + dev_err(&device->dev, "Couldn't register adapter!\n"); + goto err; + } +@@ -407,7 +411,7 @@ static int acpi_smbus_cmi_add(struct acpi_device *device) + err: + kfree(smbus_cmi); + device->driver_data = NULL; +- return -EIO; ++ return ret; + } + + static int acpi_smbus_cmi_remove(struct acpi_device *device) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-038-rtc-snvs-add-a-missing-write-sync.patch b/patches.kernel.org/4.4.169-038-rtc-snvs-add-a-missing-write-sync.patch new file mode 100644 index 0000000000..58021e83ee --- /dev/null +++ b/patches.kernel.org/4.4.169-038-rtc-snvs-add-a-missing-write-sync.patch @@ -0,0 +1,36 @@ +From: Guy Shapiro <guy.shapiro@mobi-wize.com> +Date: Sun, 29 Jan 2017 11:57:19 +0200 +Subject: [PATCH] rtc: snvs: add a missing write sync +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 7bb633b1a9812a6b9f3e49d0cf17f60a633914e5 + +[ Upstream commit 7bb633b1a9812a6b9f3e49d0cf17f60a633914e5 ] + +The clear of the LPTA_EN flag should be synced before writing to the +alarm register. Omitting this synchronization creates a race when +trying to change existing alarm. + +Signed-off-by: Guy Shapiro <guy.shapiro@mobi-wize.com> +Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/rtc/rtc-snvs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/rtc/rtc-snvs.c b/drivers/rtc/rtc-snvs.c +index a161fbf6f172..af131682dbc9 100644 +--- a/drivers/rtc/rtc-snvs.c ++++ b/drivers/rtc/rtc-snvs.c +@@ -187,6 +187,7 @@ static int snvs_rtc_set_alarm(struct device *dev, struct rtc_wkalrm *alrm) + rtc_tm_to_time(alrm_tm, &time); + + regmap_update_bits(data->regmap, data->offset + SNVS_LPCR, SNVS_LPCR_LPTA_EN, 0); ++ rtc_write_sync_lp(data); + regmap_write(data->regmap, data->offset + SNVS_LPTAR, time); + + /* Clear alarm interrupt status bit */ +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-039-rtc-snvs-Add-timeouts-to-avoid-kernel-lockups.patch b/patches.kernel.org/4.4.169-039-rtc-snvs-Add-timeouts-to-avoid-kernel-lockups.patch new file mode 100644 index 0000000000..da68c4d213 --- /dev/null +++ b/patches.kernel.org/4.4.169-039-rtc-snvs-Add-timeouts-to-avoid-kernel-lockups.patch @@ -0,0 +1,199 @@ +From: Trent Piepho <tpiepho@impinj.com> +Date: Wed, 16 May 2018 16:45:51 -0700 +Subject: [PATCH] rtc: snvs: Add timeouts to avoid kernel lockups +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: cd7f3a249dbed2858e6c2f30e5be7f1f7a709ee2 + +[ Upstream commit cd7f3a249dbed2858e6c2f30e5be7f1f7a709ee2 ] + +In order to read correctly from asynchronously updated RTC registers, +it's necessary to read repeatedly until their values do not change from +read to read. It's also necessary to wait for three RTC clock ticks for +certain operations. There are no timeouts in this code and these +operations could possibly loop forever. + +To avoid kernel hangs, put in timeouts. + +The iMX7d can be configured to stop the SRTC on a tamper event, which +will lockup the kernel inside this driver as described above. + +These hangs can happen when running under qemu, which doesn't emulate +the SNVS RTC, though currently the driver will refuse to load on qemu +due to a timeout in the driver probe method. + +It could also happen if the SRTC block where somehow placed into reset +or the slow speed clock that drives the SRTC counter (but not the CPU) +were to stop. + +The symptoms on a two core iMX7d are a work queue hang on +rtc_timer_do_work(), which eventually blocks a systemd fsnotify +operation that triggers a work queue flush, causing systemd to hang and +thus causing all services that should be started by systemd, like a +console getty, to fail to start or stop. + +Also optimize the wait code to wait less. It only needs to wait for the +clock to advance three ticks, not to see it change three times. + +Cc: Alexandre Belloni <alexandre.belloni@free-electrons.com> +Cc: Alessandro Zummo <a.zummo@towertech.it> +Cc: Fabio Estevam <fabio.estevam@nxp.com> +Cc: Shawn Guo <shawn.guo@linaro.org> +Cc: Bryan O'Donoghue <pure.logic@nexus-software.ie> +Signed-off-by: Trent Piepho <tpiepho@impinj.com> +Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/rtc/rtc-snvs.c | 105 +++++++++++++++++++++++++++-------------- + 1 file changed, 70 insertions(+), 35 deletions(-) + +diff --git a/drivers/rtc/rtc-snvs.c b/drivers/rtc/rtc-snvs.c +index af131682dbc9..63ad5b543f14 100644 +--- a/drivers/rtc/rtc-snvs.c ++++ b/drivers/rtc/rtc-snvs.c +@@ -47,49 +47,83 @@ struct snvs_rtc_data { + struct clk *clk; + }; + ++/* Read 64 bit timer register, which could be in inconsistent state */ ++static u64 rtc_read_lpsrt(struct snvs_rtc_data *data) ++{ ++ u32 msb, lsb; ++ ++ regmap_read(data->regmap, data->offset + SNVS_LPSRTCMR, &msb); ++ regmap_read(data->regmap, data->offset + SNVS_LPSRTCLR, &lsb); ++ return (u64)msb << 32 | lsb; ++} ++ ++/* Read the secure real time counter, taking care to deal with the cases of the ++ * counter updating while being read. ++ */ + static u32 rtc_read_lp_counter(struct snvs_rtc_data *data) + { + u64 read1, read2; +- u32 val; ++ unsigned int timeout = 100; + ++ /* As expected, the registers might update between the read of the LSB ++ * reg and the MSB reg. It's also possible that one register might be ++ * in partially modified state as well. ++ */ ++ read1 = rtc_read_lpsrt(data); + do { +- regmap_read(data->regmap, data->offset + SNVS_LPSRTCMR, &val); +- read1 = val; +- read1 <<= 32; +- regmap_read(data->regmap, data->offset + SNVS_LPSRTCLR, &val); +- read1 |= val; +- +- regmap_read(data->regmap, data->offset + SNVS_LPSRTCMR, &val); +- read2 = val; +- read2 <<= 32; +- regmap_read(data->regmap, data->offset + SNVS_LPSRTCLR, &val); +- read2 |= val; +- } while (read1 != read2); ++ read2 = read1; ++ read1 = rtc_read_lpsrt(data); ++ } while (read1 != read2 && --timeout); ++ if (!timeout) ++ dev_err(&data->rtc->dev, "Timeout trying to get valid LPSRT Counter read\n"); + + /* Convert 47-bit counter to 32-bit raw second count */ + return (u32) (read1 >> CNTR_TO_SECS_SH); + } + +-static void rtc_write_sync_lp(struct snvs_rtc_data *data) ++/* Just read the lsb from the counter, dealing with inconsistent state */ ++static int rtc_read_lp_counter_lsb(struct snvs_rtc_data *data, u32 *lsb) + { +- u32 count1, count2, count3; +- int i; +- +- /* Wait for 3 CKIL cycles */ +- for (i = 0; i < 3; i++) { +- do { +- regmap_read(data->regmap, data->offset + SNVS_LPSRTCLR, &count1); +- regmap_read(data->regmap, data->offset + SNVS_LPSRTCLR, &count2); +- } while (count1 != count2); +- +- /* Now wait until counter value changes */ +- do { +- do { +- regmap_read(data->regmap, data->offset + SNVS_LPSRTCLR, &count2); +- regmap_read(data->regmap, data->offset + SNVS_LPSRTCLR, &count3); +- } while (count2 != count3); +- } while (count3 == count1); ++ u32 count1, count2; ++ unsigned int timeout = 100; ++ ++ regmap_read(data->regmap, data->offset + SNVS_LPSRTCLR, &count1); ++ do { ++ count2 = count1; ++ regmap_read(data->regmap, data->offset + SNVS_LPSRTCLR, &count1); ++ } while (count1 != count2 && --timeout); ++ if (!timeout) { ++ dev_err(&data->rtc->dev, "Timeout trying to get valid LPSRT Counter read\n"); ++ return -ETIMEDOUT; + } ++ ++ *lsb = count1; ++ return 0; ++} ++ ++static int rtc_write_sync_lp(struct snvs_rtc_data *data) ++{ ++ u32 count1, count2; ++ u32 elapsed; ++ unsigned int timeout = 1000; ++ int ret; ++ ++ ret = rtc_read_lp_counter_lsb(data, &count1); ++ if (ret) ++ return ret; ++ ++ /* Wait for 3 CKIL cycles, about 61.0-91.5 µs */ ++ do { ++ ret = rtc_read_lp_counter_lsb(data, &count2); ++ if (ret) ++ return ret; ++ elapsed = count2 - count1; /* wrap around _is_ handled! */ ++ } while (elapsed < 3 && --timeout); ++ if (!timeout) { ++ dev_err(&data->rtc->dev, "Timeout waiting for LPSRT Counter to change\n"); ++ return -ETIMEDOUT; ++ } ++ return 0; + } + + static int snvs_rtc_enable(struct snvs_rtc_data *data, bool enable) +@@ -173,9 +207,7 @@ static int snvs_rtc_alarm_irq_enable(struct device *dev, unsigned int enable) + (SNVS_LPCR_LPTA_EN | SNVS_LPCR_LPWUI_EN), + enable ? (SNVS_LPCR_LPTA_EN | SNVS_LPCR_LPWUI_EN) : 0); + +- rtc_write_sync_lp(data); +- +- return 0; ++ return rtc_write_sync_lp(data); + } + + static int snvs_rtc_set_alarm(struct device *dev, struct rtc_wkalrm *alrm) +@@ -183,11 +215,14 @@ static int snvs_rtc_set_alarm(struct device *dev, struct rtc_wkalrm *alrm) + struct snvs_rtc_data *data = dev_get_drvdata(dev); + struct rtc_time *alrm_tm = &alrm->time; + unsigned long time; ++ int ret; + + rtc_tm_to_time(alrm_tm, &time); + + regmap_update_bits(data->regmap, data->offset + SNVS_LPCR, SNVS_LPCR_LPTA_EN, 0); +- rtc_write_sync_lp(data); ++ ret = rtc_write_sync_lp(data); ++ if (ret) ++ return ret; + regmap_write(data->regmap, data->offset + SNVS_LPTAR, time); + + /* Clear alarm interrupt status bit */ +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-040-ALSA-isa-wavefront-prevent-some-out-of-bound-.patch b/patches.kernel.org/4.4.169-040-ALSA-isa-wavefront-prevent-some-out-of-bound-.patch new file mode 100644 index 0000000000..b8215c7c7f --- /dev/null +++ b/patches.kernel.org/4.4.169-040-ALSA-isa-wavefront-prevent-some-out-of-bound-.patch @@ -0,0 +1,57 @@ +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Wed, 4 May 2016 09:27:37 +0300 +Subject: [PATCH] ALSA: isa/wavefront: prevent some out of bound writes +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: 84d7a4470dbac0dd9389050100b54a1625d04264 + +[ Upstream commit 84d7a4470dbac0dd9389050100b54a1625d04264 ] + +"header->number" can be up to USHRT_MAX and it comes from the ioctl so +it needs to be capped. + +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/isa/wavefront/wavefront_synth.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/sound/isa/wavefront/wavefront_synth.c b/sound/isa/wavefront/wavefront_synth.c +index 69f76ff5693d..718d5e3b7806 100644 +--- a/sound/isa/wavefront/wavefront_synth.c ++++ b/sound/isa/wavefront/wavefront_synth.c +@@ -785,6 +785,9 @@ wavefront_send_patch (snd_wavefront_t *dev, wavefront_patch_info *header) + DPRINT (WF_DEBUG_LOAD_PATCH, "downloading patch %d\n", + header->number); + ++ if (header->number >= ARRAY_SIZE(dev->patch_status)) ++ return -EINVAL; ++ + dev->patch_status[header->number] |= WF_SLOT_FILLED; + + bptr = buf; +@@ -809,6 +812,9 @@ wavefront_send_program (snd_wavefront_t *dev, wavefront_patch_info *header) + DPRINT (WF_DEBUG_LOAD_PATCH, "downloading program %d\n", + header->number); + ++ if (header->number >= ARRAY_SIZE(dev->prog_status)) ++ return -EINVAL; ++ + dev->prog_status[header->number] = WF_SLOT_USED; + + /* XXX need to zero existing SLOT_USED bit for program_status[i] +@@ -898,6 +904,9 @@ wavefront_send_sample (snd_wavefront_t *dev, + header->number = x; + } + ++ if (header->number >= WF_MAX_SAMPLE) ++ return -EINVAL; ++ + if (header->size) { + + /* XXX it's a debatable point whether or not RDONLY semantics +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.169-041-Linux-4.4.169.patch b/patches.kernel.org/4.4.169-041-Linux-4.4.169.patch new file mode 100644 index 0000000000..4ec2ea7650 --- /dev/null +++ b/patches.kernel.org/4.4.169-041-Linux-4.4.169.patch @@ -0,0 +1,27 @@ +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Date: Fri, 21 Dec 2018 14:09:54 +0100 +Subject: [PATCH] Linux 4.4.169 +References: bnc#1012382 +Patch-mainline: 4.4.169 +Git-commit: ba0da581b466dcd333eeb326919a698116926258 + +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 082f82471b51..0d41b0626c0c 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 168 ++SUBLEVEL = 169 + EXTRAVERSION = + NAME = Blurry Fish Butt + +-- +2.20.1 + diff --git a/patches.drivers/USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch b/patches.kernel.org/4.4.170-001-USB-hso-Fix-OOB-memory-access-in-hso_probe-hs.patch index b37f019f89..df3a869902 100644 --- a/patches.drivers/USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch +++ b/patches.kernel.org/4.4.170-001-USB-hso-Fix-OOB-memory-access-in-hso_probe-hs.patch @@ -1,10 +1,12 @@ -From 5146f95df782b0ac61abde36567e718692725c89 Mon Sep 17 00:00:00 2001 From: Hui Peng <benquike@gmail.com> Date: Wed, 12 Dec 2018 12:42:24 +0100 -Subject: [PATCH] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data +Subject: [PATCH] USB: hso: Fix OOB memory access in + hso_probe/hso_get_config_data +Patch-mainline: 4.4.170 +References: CVE-2018-19985 bnc#1012382 bsc#1120743 Git-commit: 5146f95df782b0ac61abde36567e718692725c89 -Patch-mainline: v4.20 -References: CVE-2018-19985,bsc#1120743 + +commit 5146f95df782b0ac61abde36567e718692725c89 upstream. The function hso_probe reads if_num from the USB device (as an u8) and uses it without a length check to index an array, resulting in an OOB memory read @@ -22,17 +24,17 @@ Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net> Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: David S. Miller <davem@davemloft.net> -Acked-by: Takashi Iwai <tiwai@suse.de> - +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- drivers/net/usb/hso.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c -index 184c24baca15..d6916f787fce 100644 +index 111d907e0c11..79cede19e0c4 100644 --- a/drivers/net/usb/hso.c +++ b/drivers/net/usb/hso.c -@@ -2807,6 +2807,12 @@ static int hso_get_config_data(struct usb_interface *interface) +@@ -2825,6 +2825,12 @@ static int hso_get_config_data(struct usb_interface *interface) return -EIO; } @@ -45,7 +47,7 @@ index 184c24baca15..d6916f787fce 100644 switch (config_data[if_num]) { case 0x0: result = 0; -@@ -2877,10 +2883,18 @@ static int hso_probe(struct usb_interface *interface, +@@ -2895,10 +2901,18 @@ static int hso_probe(struct usb_interface *interface, /* Get the interface/port specification from either driver_info or from * the device itself */ diff --git a/patches.kernel.org/4.4.170-002-xhci-Don-t-prevent-USB2-bus-suspend-in-state-.patch b/patches.kernel.org/4.4.170-002-xhci-Don-t-prevent-USB2-bus-suspend-in-state-.patch new file mode 100644 index 0000000000..79bc545794 --- /dev/null +++ b/patches.kernel.org/4.4.170-002-xhci-Don-t-prevent-USB2-bus-suspend-in-state-.patch @@ -0,0 +1,45 @@ +From: Mathias Nyman <mathias.nyman@linux.intel.com> +Date: Fri, 14 Dec 2018 10:54:43 +0200 +Subject: [PATCH] xhci: Don't prevent USB2 bus suspend in state check intended + for USB3 only +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 45f750c16cae3625014c14c77bd9005eda975d35 + +commit 45f750c16cae3625014c14c77bd9005eda975d35 upstream. + +The code to prevent a bus suspend if a USB3 port was still in link training +also reacted to USB2 port polling state. +This caused bus suspend to busyloop in some cases. +USB2 polling state is different from USB3, and should not prevent bus +suspend. + +Limit the USB3 link training state check to USB3 root hub ports only. +The origial commit went to stable so this need to be applied there as well + +Fixes: 2f31a67f01a8 ("usb: xhci: Prevent bus suspend if a port connect change or polling state is detected") +Cc: stable@vger.kernel.org +Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/host/xhci-hub.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c +index 5d21cd8359d4..421825b44202 100644 +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -1329,7 +1329,8 @@ int xhci_bus_suspend(struct usb_hcd *hcd) + portsc_buf[port_index] = 0; + + /* Bail out if a USB3 port has a new device in link training */ +- if ((t1 & PORT_PLS_MASK) == XDEV_POLLING) { ++ if ((hcd->speed >= HCD_USB3) && ++ (t1 & PORT_PLS_MASK) == XDEV_POLLING) { + bus_state->bus_suspended = 0; + spin_unlock_irqrestore(&xhci->lock, flags); + xhci_dbg(xhci, "Bus suspend bailout, port in polling\n"); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-003-USB-serial-option-add-GosunCn-ZTE-WeLink-ME36.patch b/patches.kernel.org/4.4.170-003-USB-serial-option-add-GosunCn-ZTE-WeLink-ME36.patch new file mode 100644 index 0000000000..8e475f64b2 --- /dev/null +++ b/patches.kernel.org/4.4.170-003-USB-serial-option-add-GosunCn-ZTE-WeLink-ME36.patch @@ -0,0 +1,75 @@ +From: =?UTF-8?q?J=C3=B6rgen=20Storvist?= <jorgen.storvist@gmail.com> +Date: Tue, 11 Dec 2018 18:28:28 +0100 +Subject: [PATCH] USB: serial: option: add GosunCn ZTE WeLink ME3630 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 70a7444c550a75584ffcfae95267058817eff6a7 + +commit 70a7444c550a75584ffcfae95267058817eff6a7 upstream. + +Added USB serial option driver support for GosunCn ZTE WeLink ME3630 +series cellular modules for USB modes ECM/NCM and MBIM. + +usb-devices output MBIM mode: +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 10 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=19d2 ProdID=0602 Rev=03.18 +S: Manufacturer=Android +S: Product=Android +S: SerialNumber= +C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 3 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +I: If#= 4 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim + +usb-devices output ECM/NCM mode: +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 11 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=19d2 ProdID=1476 Rev=03.18 +S: Manufacturer=Android +S: Product=Android +S: SerialNumber= +C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 3 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether +I: If#= 4 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether + +Signed-off-by: Jörgen Storvist <jorgen.storvist@gmail.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 2b81939fecd7..b2aa7c70560f 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1327,6 +1327,7 @@ static const struct usb_device_id option_ids[] = { + .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0414, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0417, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x0602, 0xff) }, /* GosunCn ZTE WeLink ME3630 (MBIM mode) */ + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1008, 0xff, 0xff, 0xff), + .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1010, 0xff, 0xff, 0xff), +@@ -1530,6 +1531,7 @@ static const struct usb_device_id option_ids[] = { + .driver_info = RSVD(2) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1428, 0xff, 0xff, 0xff), /* Telewell TW-LTE 4G v2 */ + .driver_info = RSVD(2) }, ++ { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x1476, 0xff) }, /* GosunCn ZTE WeLink ME3630 (ECM/NCM mode) */ + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1533, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1534, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1535, 0xff, 0xff, 0xff) }, +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-004-USB-serial-option-add-HP-lt4132.patch b/patches.kernel.org/4.4.170-004-USB-serial-option-add-HP-lt4132.patch new file mode 100644 index 0000000000..8161be467a --- /dev/null +++ b/patches.kernel.org/4.4.170-004-USB-serial-option-add-HP-lt4132.patch @@ -0,0 +1,88 @@ +From: Tore Anderson <tore@fud.no> +Date: Sat, 8 Dec 2018 19:05:12 +0100 +Subject: [PATCH] USB: serial: option: add HP lt4132 +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: d57ec3c83b5153217a70b561d4fb6ed96f2f7a25 + +commit d57ec3c83b5153217a70b561d4fb6ed96f2f7a25 upstream. + +The HP lt4132 is a rebranded Huawei ME906s-158 LTE modem. + +The interface with protocol 0x16 is "CDC ECM & NCM" according to the *.inf +files included with the Windows driver. Attaching the option driver to it +doesn't result in a /dev/ttyUSB* device being created, so I've excluded it. +Note that it is also excluded for corresponding Huawei-branded devices, cf. +commit d544db293a44 ("USB: support new huawei devices in option.c"). + +T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 3 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=ff MxPS=64 #Cfgs= 3 +P: Vendor=03f0 ProdID=a31d Rev=01.02 +S: Manufacturer=HP Inc. +S: Product=HP lt4132 LTE/HSPA+ 4G Module +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=2mA +I: If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=06 Prot=10 Driver=option +I: If#=0x1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=13 Driver=option +I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=12 Driver=option +I: If#=0x3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=06 Prot=16 Driver=(none) +I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=14 Driver=option +I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=1b Driver=option + +T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 3 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=ff MxPS=64 #Cfgs= 3 +P: Vendor=03f0 ProdID=a31d Rev=01.02 +S: Manufacturer=HP Inc. +S: Product=HP lt4132 LTE/HSPA+ 4G Module +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 7 Cfg#= 2 Atr=a0 MxPwr=2mA +I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether +I: If#=0x1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=06 Prot=00 Driver=cdc_ether +I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=06 Prot=10 Driver=option +I: If#=0x3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=13 Driver=option +I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=12 Driver=option +I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=14 Driver=option +I: If#=0x6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=1b Driver=option + +T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 3 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=ff MxPS=64 #Cfgs= 3 +P: Vendor=03f0 ProdID=a31d Rev=01.02 +S: Manufacturer=HP Inc. +S: Product=HP lt4132 LTE/HSPA+ 4G Module +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 3 Cfg#= 3 Atr=a0 MxPwr=2mA +I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=14 Driver=option + +Signed-off-by: Tore Anderson <tore@fud.no> +Cc: stable@vger.kernel.org +[ johan: drop id defines ] +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/serial/option.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index b2aa7c70560f..4cd445efe249 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1943,7 +1943,12 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_6802, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD300, 0xff, 0xff, 0xff) }, +- { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x421d, 0xff, 0xff, 0xff) }, /* HP lt2523 (Novatel E371) */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x421d, 0xff, 0xff, 0xff) }, /* HP lt2523 (Novatel E371) */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x10) }, /* HP lt4132 (Huawei ME906s-158) */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x12) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x13) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x14) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) }, + { } /* Terminating entry */ + }; + MODULE_DEVICE_TABLE(usb, option_ids); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-005-USB-serial-option-add-Simcom-SIM7500-SIM7600-.patch b/patches.kernel.org/4.4.170-005-USB-serial-option-add-Simcom-SIM7500-SIM7600-.patch new file mode 100644 index 0000000000..99eea54c91 --- /dev/null +++ b/patches.kernel.org/4.4.170-005-USB-serial-option-add-Simcom-SIM7500-SIM7600-.patch @@ -0,0 +1,54 @@ +From: =?UTF-8?q?J=C3=B6rgen=20Storvist?= <jorgen.storvist@gmail.com> +Date: Wed, 12 Dec 2018 08:39:39 +0100 +Subject: [PATCH] USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: cc6730df08a291e51e145bc65e24ffb5e2f17ab6 + +commit cc6730df08a291e51e145bc65e24ffb5e2f17ab6 upstream. + +Added USB serial option driver support for Simcom SIM7500/SIM7600 series +cellular modules exposing MBIM interface (VID 0x1e0e,PID 0x9003) + +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 14 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1e0e ProdID=9003 Rev=03.18 +S: Manufacturer=SimTech, Incorporated +S: Product=SimTech, Incorporated +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 5 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +I: If#= 6 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim + +Signed-off-by: Jörgen Storvist <jorgen.storvist@gmail.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/serial/option.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 4cd445efe249..f7c13e5f7cae 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1759,6 +1759,7 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(ALINK_VENDOR_ID, ALINK_PRODUCT_3GU, 0xff, 0xff, 0xff) }, + { USB_DEVICE(ALINK_VENDOR_ID, SIMCOM_PRODUCT_SIM7100E), + .driver_info = RSVD(5) | RSVD(6) }, ++ { USB_DEVICE_INTERFACE_CLASS(0x1e0e, 0x9003, 0xff) }, /* Simcom SIM7500/SIM7600 MBIM mode */ + { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S_X200), + .driver_info = NCTRL(0) | NCTRL(1) | RSVD(4) }, + { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X220_X500D), +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-006-USB-serial-option-add-Fibocom-NL668-series.patch b/patches.kernel.org/4.4.170-006-USB-serial-option-add-Fibocom-NL668-series.patch new file mode 100644 index 0000000000..6a4307d1e5 --- /dev/null +++ b/patches.kernel.org/4.4.170-006-USB-serial-option-add-Fibocom-NL668-series.patch @@ -0,0 +1,71 @@ +From: =?UTF-8?q?J=C3=B6rgen=20Storvist?= <jorgen.storvist@gmail.com> +Date: Wed, 12 Dec 2018 21:47:36 +0100 +Subject: [PATCH] USB: serial: option: add Fibocom NL668 series +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 30360224441ce89a98ed627861e735beb4010775 + +commit 30360224441ce89a98ed627861e735beb4010775 upstream. + +Added USB serial option driver support for Fibocom NL668 series cellular +modules. Reserved USB endpoints 4, 5 and 6 for network + ADB interfaces. + +usb-devices output (QMI mode) +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 16 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1508 ProdID=1001 Rev=03.18 +S: Manufacturer=Nodecom NL668 Modem +S: Product=Nodecom NL668-CN Modem +S: SerialNumber= +C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) + +usb-devices output (ECM mode) +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 17 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1508 ProdID=1001 Rev=03.18 +S: Manufacturer=Nodecom NL668 Modem +S: Product=Nodecom NL668-CN Modem +S: SerialNumber= +C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 4 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether +I: If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether +I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) + +Signed-off-by: Jörgen Storvist <jorgen.storvist@gmail.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index f7c13e5f7cae..412d9442a760 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1950,6 +1950,8 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x13) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x14) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) }, ++ { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 */ ++ .driver_info = RSVD(4) | RSVD(5) | RSVD(6) }, + { } /* Terminating entry */ + }; + MODULE_DEVICE_TABLE(usb, option_ids); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-007-USB-serial-option-add-Telit-LN940-series.patch b/patches.kernel.org/4.4.170-007-USB-serial-option-add-Telit-LN940-series.patch new file mode 100644 index 0000000000..d414d62b27 --- /dev/null +++ b/patches.kernel.org/4.4.170-007-USB-serial-option-add-Telit-LN940-series.patch @@ -0,0 +1,71 @@ +From: =?UTF-8?q?J=C3=B6rgen=20Storvist?= <jorgen.storvist@gmail.com> +Date: Thu, 13 Dec 2018 17:32:08 +0100 +Subject: [PATCH] USB: serial: option: add Telit LN940 series +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 28a86092b1753b802ef7e3de8a4c4a69a9c1bb03 + +commit 28a86092b1753b802ef7e3de8a4c4a69a9c1bb03 upstream. + +Added USB serial option driver support for Telit LN940 series cellular +modules. Covering both QMI and MBIM modes. + +usb-devices output (0x1900): +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 21 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=1900 Rev=03.10 +S: Manufacturer=Telit +S: Product=Telit LN940 Mobile Broadband +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option + +usb-devices output (0x1901): +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 20 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=1901 Rev=03.10 +S: Manufacturer=Telit +S: Product=Telit LN940 Mobile Broadband +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 4 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +I: If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim + +Signed-off-by: Jörgen Storvist <jorgen.storvist@gmail.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/serial/option.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 412d9442a760..1e3445dd84b2 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1163,6 +1163,10 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1213, 0xff) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1214), + .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) }, ++ { USB_DEVICE(TELIT_VENDOR_ID, 0x1900), /* Telit LN940 (QMI) */ ++ .driver_info = NCTRL(0) | RSVD(1) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1901, 0xff), /* Telit LN940 (MBIM) */ ++ .driver_info = NCTRL(0) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */ + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0002, 0xff, 0xff, 0xff), + .driver_info = RSVD(1) }, +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-008-mmc-core-Reset-HPI-enabled-state-during-re-in.patch b/patches.kernel.org/4.4.170-008-mmc-core-Reset-HPI-enabled-state-during-re-in.patch new file mode 100644 index 0000000000..8f86d9b884 --- /dev/null +++ b/patches.kernel.org/4.4.170-008-mmc-core-Reset-HPI-enabled-state-during-re-in.patch @@ -0,0 +1,44 @@ +From: Ulf Hansson <ulf.hansson@linaro.org> +Date: Mon, 10 Dec 2018 17:52:36 +0100 +Subject: [PATCH] mmc: core: Reset HPI enabled state during re-init and in case + of errors +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: a0741ba40a009f97c019ae7541dc61c1fdf41efb + +commit a0741ba40a009f97c019ae7541dc61c1fdf41efb upstream. + +During a re-initialization of the eMMC card, we may fail to re-enable HPI. +In these cases, that isn't properly reflected in the card->ext_csd.hpi_en +bit, as it keeps being set. This may cause following attempts to use HPI, +even if's not enabled. Let's fix this! + +Fixes: eb0d8f135b67 ("mmc: core: support HPI send command") +Cc: <stable@vger.kernel.org> +Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/mmc/core/mmc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c +index 79a0c26e1419..a31789be0840 100644 +--- a/drivers/mmc/core/mmc.c ++++ b/drivers/mmc/core/mmc.c +@@ -1608,9 +1608,11 @@ static int mmc_init_card(struct mmc_host *host, u32 ocr, + if (err) { + pr_warn("%s: Enabling HPI failed\n", + mmc_hostname(card->host)); ++ card->ext_csd.hpi_en = 0; + err = 0; +- } else ++ } else { + card->ext_csd.hpi_en = 1; ++ } + } + + /* +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-009-mmc-omap_hsmmc-fix-DMA-API-warning.patch b/patches.kernel.org/4.4.170-009-mmc-omap_hsmmc-fix-DMA-API-warning.patch new file mode 100644 index 0000000000..114e1faed7 --- /dev/null +++ b/patches.kernel.org/4.4.170-009-mmc-omap_hsmmc-fix-DMA-API-warning.patch @@ -0,0 +1,71 @@ +From: Russell King <rmk+kernel@armlinux.org.uk> +Date: Tue, 11 Dec 2018 14:41:31 +0000 +Subject: [PATCH] mmc: omap_hsmmc: fix DMA API warning +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 0b479790684192ab7024ce6a621f93f6d0a64d92 + +commit 0b479790684192ab7024ce6a621f93f6d0a64d92 upstream. + +While booting with rootfs on MMC, the following warning is encountered +on OMAP4430: + +omap-dma-engine 4a056000.dma-controller: DMA-API: mapping sg segment longer than device claims to support [len=69632] [max=65536] + +This is because the DMA engine has a default maximum segment size of 64K +but HSMMC sets: + + mmc->max_blk_size = 512; /* Block Length at max can be 1024 */ + mmc->max_blk_count = 0xFFFF; /* No. of Blocks is 16 bits */ + mmc->max_req_size = mmc->max_blk_size * mmc->max_blk_count; + mmc->max_seg_size = mmc->max_req_size; + +which ends up telling the block layer that we support a maximum segment +size of 65535*512, which exceeds the advertised DMA engine capabilities. + +Fix this by clamping the maximum segment size to the lower of the +maximum request size and of the DMA engine device used for either DMA +channel. + +Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> +Cc: <stable@vger.kernel.org> +Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/mmc/host/omap_hsmmc.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c +index 6b814d7d6560..af937d3e8c3e 100644 +--- a/drivers/mmc/host/omap_hsmmc.c ++++ b/drivers/mmc/host/omap_hsmmc.c +@@ -2117,7 +2117,6 @@ static int omap_hsmmc_probe(struct platform_device *pdev) + mmc->max_blk_size = 512; /* Block Length at max can be 1024 */ + mmc->max_blk_count = 0xFFFF; /* No. of Blocks is 16 bits */ + mmc->max_req_size = mmc->max_blk_size * mmc->max_blk_count; +- mmc->max_seg_size = mmc->max_req_size; + + mmc->caps |= MMC_CAP_MMC_HIGHSPEED | MMC_CAP_SD_HIGHSPEED | + MMC_CAP_WAIT_WHILE_BUSY | MMC_CAP_ERASE; +@@ -2174,6 +2173,17 @@ static int omap_hsmmc_probe(struct platform_device *pdev) + goto err_irq; + } + ++ /* ++ * Limit the maximum segment size to the lower of the request size ++ * and the DMA engine device segment size limits. In reality, with ++ * 32-bit transfers, the DMA engine can do longer segments than this ++ * but there is no way to represent that in the DMA model - if we ++ * increase this figure here, we get warnings from the DMA API debug. ++ */ ++ mmc->max_seg_size = min3(mmc->max_req_size, ++ dma_get_max_seg_size(host->rx_chan->device->dev), ++ dma_get_max_seg_size(host->tx_chan->device->dev)); ++ + /* Request IRQ for MMC operations */ + ret = devm_request_irq(&pdev->dev, host->irq, omap_hsmmc_irq, 0, + mmc_hostname(mmc), host); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-010-gpio-max7301-fix-driver-for-use-with-CONFIG_V.patch b/patches.kernel.org/4.4.170-010-gpio-max7301-fix-driver-for-use-with-CONFIG_V.patch new file mode 100644 index 0000000000..2313f64653 --- /dev/null +++ b/patches.kernel.org/4.4.170-010-gpio-max7301-fix-driver-for-use-with-CONFIG_V.patch @@ -0,0 +1,59 @@ +From: Christophe Leroy <christophe.leroy@c-s.fr> +Date: Fri, 7 Dec 2018 13:07:55 +0000 +Subject: [PATCH] gpio: max7301: fix driver for use with CONFIG_VMAP_STACK +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: abf221d2f51b8ce7b9959a8953f880a8b0a1400d + +commit abf221d2f51b8ce7b9959a8953f880a8b0a1400d upstream. + +spi_read() and spi_write() require DMA-safe memory. When +CONFIG_VMAP_STACK is selected, those functions cannot be used +with buffers on stack. + +This patch replaces calls to spi_read() and spi_write() by +spi_write_then_read() which doesn't require DMA-safe buffers. + +Fixes: 0c36ec314735 ("gpio: gpio driver for max7301 SPI GPIO expander") +Cc: <stable@vger.kernel.org> +Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr> +Signed-off-by: Linus Walleij <linus.walleij@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/gpio/gpio-max7301.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpio/gpio-max7301.c b/drivers/gpio/gpio-max7301.c +index 05813fbf3daf..647dfbbc4e1c 100644 +--- a/drivers/gpio/gpio-max7301.c ++++ b/drivers/gpio/gpio-max7301.c +@@ -25,7 +25,7 @@ static int max7301_spi_write(struct device *dev, unsigned int reg, + struct spi_device *spi = to_spi_device(dev); + u16 word = ((reg & 0x7F) << 8) | (val & 0xFF); + +- return spi_write(spi, (const u8 *)&word, sizeof(word)); ++ return spi_write_then_read(spi, &word, sizeof(word), NULL, 0); + } + + /* A read from the MAX7301 means two transfers; here, one message each */ +@@ -37,14 +37,8 @@ static int max7301_spi_read(struct device *dev, unsigned int reg) + struct spi_device *spi = to_spi_device(dev); + + word = 0x8000 | (reg << 8); +- ret = spi_write(spi, (const u8 *)&word, sizeof(word)); +- if (ret) +- return ret; +- /* +- * This relies on the fact, that a transfer with NULL tx_buf shifts out +- * zero bytes (=NOOP for MAX7301) +- */ +- ret = spi_read(spi, (u8 *)&word, sizeof(word)); ++ ret = spi_write_then_read(spi, &word, sizeof(word), &word, ++ sizeof(word)); + if (ret) + return ret; + return word & 0xff; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-011-Drivers-hv-vmbus-Return-EINVAL-for-the-sys-fi.patch b/patches.kernel.org/4.4.170-011-Drivers-hv-vmbus-Return-EINVAL-for-the-sys-fi.patch new file mode 100644 index 0000000000..b11d1bf9e3 --- /dev/null +++ b/patches.kernel.org/4.4.170-011-Drivers-hv-vmbus-Return-EINVAL-for-the-sys-fi.patch @@ -0,0 +1,125 @@ +From: Dexuan Cui <decui@microsoft.com> +Date: Thu, 13 Dec 2018 16:35:43 +0000 +Subject: [PATCH] Drivers: hv: vmbus: Return -EINVAL for the sys files for + unopened channels +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: fc96df16a1ce80cbb3c316ab7d4dc8cd5c2852ce + +commit fc96df16a1ce80cbb3c316ab7d4dc8cd5c2852ce upstream. + +Before 98f4c651762c, we returned zeros for unopened channels. +With 98f4c651762c, we started to return random on-stack values. + +We'd better return -EINVAL instead. + +Fixes: 98f4c651762c ("hv: move ringbuffer bus attributes to dev_groups") +Cc: stable@vger.kernel.org +Cc: K. Y. Srinivasan <kys@microsoft.com> +Cc: Haiyang Zhang <haiyangz@microsoft.com> +Cc: Stephen Hemminger <sthemmin@microsoft.com> +Signed-off-by: Dexuan Cui <decui@microsoft.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/hv/vmbus_drv.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c +index 802dcb409030..b877cce0409b 100644 +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -316,6 +316,8 @@ static ssize_t out_intr_mask_show(struct device *dev, + + if (!hv_dev->channel) + return -ENODEV; ++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE) ++ return -EINVAL; + hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound); + return sprintf(buf, "%d\n", outbound.current_interrupt_mask); + } +@@ -329,6 +331,8 @@ static ssize_t out_read_index_show(struct device *dev, + + if (!hv_dev->channel) + return -ENODEV; ++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE) ++ return -EINVAL; + hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound); + return sprintf(buf, "%d\n", outbound.current_read_index); + } +@@ -343,6 +347,8 @@ static ssize_t out_write_index_show(struct device *dev, + + if (!hv_dev->channel) + return -ENODEV; ++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE) ++ return -EINVAL; + hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound); + return sprintf(buf, "%d\n", outbound.current_write_index); + } +@@ -357,6 +363,8 @@ static ssize_t out_read_bytes_avail_show(struct device *dev, + + if (!hv_dev->channel) + return -ENODEV; ++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE) ++ return -EINVAL; + hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound); + return sprintf(buf, "%d\n", outbound.bytes_avail_toread); + } +@@ -371,6 +379,8 @@ static ssize_t out_write_bytes_avail_show(struct device *dev, + + if (!hv_dev->channel) + return -ENODEV; ++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE) ++ return -EINVAL; + hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound); + return sprintf(buf, "%d\n", outbound.bytes_avail_towrite); + } +@@ -384,6 +394,8 @@ static ssize_t in_intr_mask_show(struct device *dev, + + if (!hv_dev->channel) + return -ENODEV; ++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE) ++ return -EINVAL; + hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); + return sprintf(buf, "%d\n", inbound.current_interrupt_mask); + } +@@ -397,6 +409,8 @@ static ssize_t in_read_index_show(struct device *dev, + + if (!hv_dev->channel) + return -ENODEV; ++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE) ++ return -EINVAL; + hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); + return sprintf(buf, "%d\n", inbound.current_read_index); + } +@@ -410,6 +424,8 @@ static ssize_t in_write_index_show(struct device *dev, + + if (!hv_dev->channel) + return -ENODEV; ++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE) ++ return -EINVAL; + hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); + return sprintf(buf, "%d\n", inbound.current_write_index); + } +@@ -424,6 +440,8 @@ static ssize_t in_read_bytes_avail_show(struct device *dev, + + if (!hv_dev->channel) + return -ENODEV; ++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE) ++ return -EINVAL; + hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); + return sprintf(buf, "%d\n", inbound.bytes_avail_toread); + } +@@ -438,6 +456,8 @@ static ssize_t in_write_bytes_avail_show(struct device *dev, + + if (!hv_dev->channel) + return -ENODEV; ++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE) ++ return -EINVAL; + hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); + return sprintf(buf, "%d\n", inbound.bytes_avail_towrite); + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-012-x86-mtrr-Don-t-copy-uninitialized-gentry-fiel.patch b/patches.kernel.org/4.4.170-012-x86-mtrr-Don-t-copy-uninitialized-gentry-fiel.patch new file mode 100644 index 0000000000..361dc8c88b --- /dev/null +++ b/patches.kernel.org/4.4.170-012-x86-mtrr-Don-t-copy-uninitialized-gentry-fiel.patch @@ -0,0 +1,47 @@ +From: Colin Ian King <colin.king@canonical.com> +Date: Tue, 18 Dec 2018 17:29:56 +0000 +Subject: [PATCH] x86/mtrr: Don't copy uninitialized gentry fields back to + userspace +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 32043fa065b51e0b1433e48d118821c71b5cd65d + +commit 32043fa065b51e0b1433e48d118821c71b5cd65d upstream. + +Currently the copy_to_user of data in the gentry struct is copying +uninitiaized data in field _pad from the stack to userspace. + +Fix this by explicitly memset'ing gentry to zero, this also will zero any +compiler added padding fields that may be in struct (currently there are +none). + +Detected by CoverityScan, CID#200783 ("Uninitialized scalar variable") + +Fixes: b263b31e8ad6 ("x86, mtrr: Use explicit sizing and padding for the 64-bit ioctls") +Signed-off-by: Colin Ian King <colin.king@canonical.com> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Reviewed-by: Tyler Hicks <tyhicks@canonical.com> +Cc: security@kernel.org +Link: https://lkml.kernel.org/r/20181218172956.1440-1-colin.king@canonical.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/x86/kernel/cpu/mtrr/if.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/x86/kernel/cpu/mtrr/if.c b/arch/x86/kernel/cpu/mtrr/if.c +index d76f13d6d8d6..ec894bf5eeb0 100644 +--- a/arch/x86/kernel/cpu/mtrr/if.c ++++ b/arch/x86/kernel/cpu/mtrr/if.c +@@ -173,6 +173,8 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg) + struct mtrr_gentry gentry; + void __user *arg = (void __user *) __arg; + ++ memset(&gentry, 0, sizeof(gentry)); ++ + switch (cmd) { + case MTRRIOC_ADD_ENTRY: + case MTRRIOC_SET_ENTRY: +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-013-drm-ioctl-Fix-Spectre-v1-vulnerabilities.patch b/patches.kernel.org/4.4.170-013-drm-ioctl-Fix-Spectre-v1-vulnerabilities.patch new file mode 100644 index 0000000000..42ad4ba542 --- /dev/null +++ b/patches.kernel.org/4.4.170-013-drm-ioctl-Fix-Spectre-v1-vulnerabilities.patch @@ -0,0 +1,80 @@ +From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> +Date: Wed, 19 Dec 2018 18:00:15 -0600 +Subject: [PATCH] drm/ioctl: Fix Spectre v1 vulnerabilities +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 505b5240329b922f21f91d5b5d1e535c805eca6d + +commit 505b5240329b922f21f91d5b5d1e535c805eca6d upstream. + +nr is indirectly controlled by user-space, hence leading to a +potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +drivers/gpu/drm/drm_ioctl.c:805 drm_ioctl() warn: potential spectre issue 'dev->driver->ioctls' [r] +drivers/gpu/drm/drm_ioctl.c:810 drm_ioctl() warn: potential spectre issue 'drm_ioctls' [r] (local cap) +drivers/gpu/drm/drm_ioctl.c:892 drm_ioctl_flags() warn: potential spectre issue 'drm_ioctls' [r] (local cap) + +Fix this by sanitizing nr before using it to index dev->driver->ioctls +and drm_ioctls. + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> +Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> +Link: https://patchwork.freedesktop.org/patch/msgid/20181220000015.GA18973@embeddedor +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/gpu/drm/drm_ioctl.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c +index 8ce2a0c59116..a7030ada81fd 100644 +--- a/drivers/gpu/drm/drm_ioctl.c ++++ b/drivers/gpu/drm/drm_ioctl.c +@@ -36,6 +36,7 @@ + + #include <linux/pci.h> + #include <linux/export.h> ++#include <linux/nospec.h> + + static int drm_version(struct drm_device *dev, void *data, + struct drm_file *file_priv); +@@ -702,13 +703,17 @@ long drm_ioctl(struct file *filp, + + if (is_driver_ioctl) { + /* driver ioctl */ +- if (nr - DRM_COMMAND_BASE >= dev->driver->num_ioctls) ++ unsigned int index = nr - DRM_COMMAND_BASE; ++ ++ if (index >= dev->driver->num_ioctls) + goto err_i1; +- ioctl = &dev->driver->ioctls[nr - DRM_COMMAND_BASE]; ++ index = array_index_nospec(index, dev->driver->num_ioctls); ++ ioctl = &dev->driver->ioctls[index]; + } else { + /* core ioctl */ + if (nr >= DRM_CORE_IOCTL_COUNT) + goto err_i1; ++ nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT); + ioctl = &drm_ioctls[nr]; + } + +@@ -810,6 +815,7 @@ bool drm_ioctl_flags(unsigned int nr, unsigned int *flags) + + if (nr >= DRM_CORE_IOCTL_COUNT) + return false; ++ nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT); + + *flags = drm_ioctls[nr].flags; + return true; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-014-ip6mr-Fix-potential-Spectre-v1-vulnerability.patch b/patches.kernel.org/4.4.170-014-ip6mr-Fix-potential-Spectre-v1-vulnerability.patch new file mode 100644 index 0000000000..c186e2b772 --- /dev/null +++ b/patches.kernel.org/4.4.170-014-ip6mr-Fix-potential-Spectre-v1-vulnerability.patch @@ -0,0 +1,65 @@ +From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> +Date: Tue, 11 Dec 2018 14:10:08 -0600 +Subject: [PATCH] ip6mr: Fix potential Spectre v1 vulnerability +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 69d2c86766da2ded2b70281f1bf242cb0d58a778 + +[ Upstream commit 69d2c86766da2ded2b70281f1bf242cb0d58a778 ] + +vr.mifi is indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +net/ipv6/ip6mr.c:1845 ip6mr_ioctl() warn: potential spectre issue 'mrt->vif_table' [r] (local cap) +net/ipv6/ip6mr.c:1919 ip6mr_compat_ioctl() warn: potential spectre issue 'mrt->vif_table' [r] (local cap) + +Fix this by sanitizing vr.mifi before using it to index mrt->vif_table' + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv6/ip6mr.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c +index 9b92960f024d..74b3e9718e84 100644 +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -72,6 +72,8 @@ struct mr6_table { + #endif + }; + ++#include <linux/nospec.h> ++ + struct ip6mr_rule { + struct fib_rule common; + }; +@@ -1871,6 +1873,7 @@ int ip6mr_ioctl(struct sock *sk, int cmd, void __user *arg) + return -EFAULT; + if (vr.mifi >= mrt->maxvif) + return -EINVAL; ++ vr.mifi = array_index_nospec(vr.mifi, mrt->maxvif); + read_lock(&mrt_lock); + vif = &mrt->vif6_table[vr.mifi]; + if (MIF_EXISTS(mrt, vr.mifi)) { +@@ -1945,6 +1948,7 @@ int ip6mr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg) + return -EFAULT; + if (vr.mifi >= mrt->maxvif) + return -EINVAL; ++ vr.mifi = array_index_nospec(vr.mifi, mrt->maxvif); + read_lock(&mrt_lock); + vif = &mrt->vif6_table[vr.mifi]; + if (MIF_EXISTS(mrt, vr.mifi)) { +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-015-ipv4-Fix-potential-Spectre-v1-vulnerability.patch b/patches.kernel.org/4.4.170-015-ipv4-Fix-potential-Spectre-v1-vulnerability.patch new file mode 100644 index 0000000000..d9dbe88579 --- /dev/null +++ b/patches.kernel.org/4.4.170-015-ipv4-Fix-potential-Spectre-v1-vulnerability.patch @@ -0,0 +1,56 @@ +From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> +Date: Mon, 10 Dec 2018 12:41:24 -0600 +Subject: [PATCH] ipv4: Fix potential Spectre v1 vulnerability +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 5648451e30a0d13d11796574919a359025d52cce + +[ Upstream commit 5648451e30a0d13d11796574919a359025d52cce ] + +vr.vifi is indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +net/ipv4/ipmr.c:1616 ipmr_ioctl() warn: potential spectre issue 'mrt->vif_table' [r] (local cap) +net/ipv4/ipmr.c:1690 ipmr_compat_ioctl() warn: potential spectre issue 'mrt->vif_table' [r] (local cap) + +Fix this by sanitizing vr.vifi before using it to index mrt->vif_table' + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv4/ipmr.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c +index 8e77786549c6..1cb865fcc91b 100644 +--- a/net/ipv4/ipmr.c ++++ b/net/ipv4/ipmr.c +@@ -66,6 +66,7 @@ + #include <net/netlink.h> + #include <net/fib_rules.h> + #include <linux/netconf.h> ++#include <linux/nospec.h> + + #if defined(CONFIG_IP_PIMSM_V1) || defined(CONFIG_IP_PIMSM_V2) + #define CONFIG_IP_PIMSM 1 +@@ -1574,6 +1575,7 @@ int ipmr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg) + return -EFAULT; + if (vr.vifi >= mrt->maxvif) + return -EINVAL; ++ vr.vifi = array_index_nospec(vr.vifi, mrt->maxvif); + read_lock(&mrt_lock); + vif = &mrt->vif_table[vr.vifi]; + if (VIF_EXISTS(mrt, vr.vifi)) { +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-016-ax25-fix-a-use-after-free-in-ax25_fillin_cb.patch b/patches.kernel.org/4.4.170-016-ax25-fix-a-use-after-free-in-ax25_fillin_cb.patch new file mode 100644 index 0000000000..e3a3880ffa --- /dev/null +++ b/patches.kernel.org/4.4.170-016-ax25-fix-a-use-after-free-in-ax25_fillin_cb.patch @@ -0,0 +1,81 @@ +From: Cong Wang <xiyou.wangcong@gmail.com> +Date: Sat, 29 Dec 2018 13:56:36 -0800 +Subject: [PATCH] ax25: fix a use-after-free in ax25_fillin_cb() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: c433570458e49bccea5c551df628d058b3526289 + +[ Upstream commit c433570458e49bccea5c551df628d058b3526289 ] + +There are multiple issues here: + +1. After freeing dev->ax25_ptr, we need to set it to NULL otherwise + we may use a dangling pointer. + +2. There is a race between ax25_setsockopt() and device notifier as + reported by syzbot. Close it by holding RTNL lock. + +3. We need to test if dev->ax25_ptr is NULL before using it. + +Reported-and-tested-by: syzbot+ae6bb869cbed29b29040@syzkaller.appspotmail.com +Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ax25/af_ax25.c | 11 +++++++++-- + net/ax25/ax25_dev.c | 2 ++ + 2 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c +index 2fdebabbfacd..2772f6a13fcb 100644 +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -654,15 +654,22 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- dev = dev_get_by_name(&init_net, devname); ++ rtnl_lock(); ++ dev = __dev_get_by_name(&init_net, devname); + if (!dev) { ++ rtnl_unlock(); + res = -ENODEV; + break; + } + + ax25->ax25_dev = ax25_dev_ax25dev(dev); ++ if (!ax25->ax25_dev) { ++ rtnl_unlock(); ++ res = -ENODEV; ++ break; ++ } + ax25_fillin_cb(ax25, ax25->ax25_dev); +- dev_put(dev); ++ rtnl_unlock(); + break; + + default: +diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c +index 3d106767b272..5faca5db6385 100644 +--- a/net/ax25/ax25_dev.c ++++ b/net/ax25/ax25_dev.c +@@ -116,6 +116,7 @@ void ax25_dev_device_down(struct net_device *dev) + if ((s = ax25_dev_list) == ax25_dev) { + ax25_dev_list = s->next; + spin_unlock_bh(&ax25_dev_lock); ++ dev->ax25_ptr = NULL; + dev_put(dev); + kfree(ax25_dev); + return; +@@ -125,6 +126,7 @@ void ax25_dev_device_down(struct net_device *dev) + if (s->next == ax25_dev) { + s->next = ax25_dev->next; + spin_unlock_bh(&ax25_dev_lock); ++ dev->ax25_ptr = NULL; + dev_put(dev); + kfree(ax25_dev); + return; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-017-ibmveth-fix-DMA-unmap-error-in-ibmveth_xmit_s.patch b/patches.kernel.org/4.4.170-017-ibmveth-fix-DMA-unmap-error-in-ibmveth_xmit_s.patch new file mode 100644 index 0000000000..74ed595dfb --- /dev/null +++ b/patches.kernel.org/4.4.170-017-ibmveth-fix-DMA-unmap-error-in-ibmveth_xmit_s.patch @@ -0,0 +1,66 @@ +From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com> +Date: Mon, 31 Dec 2018 15:43:01 -0600 +Subject: [PATCH] ibmveth: fix DMA unmap error in ibmveth_xmit_start error path +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 756af9c642329d54f048bac2a62f829b391f6944 + +[ Upstream commit 756af9c642329d54f048bac2a62f829b391f6944 ] + +Commit 33a48ab105a7 ("ibmveth: Fix DMA unmap error") fixed an issue in the +normal code path of ibmveth_xmit_start() that was originally introduced by +Commit 6e8ab30ec677 ("ibmveth: Add scatter-gather support"). This original +fix missed the error path where dma_unmap_page is wrongly called on the +header portion in descs[0] which was mapped with dma_map_single. As a +result a failure to DMA map any of the frags results in a dmesg warning +when CONFIG_DMA_API_DEBUG is enabled. + +------------[ cut here ]------------ +DMA-API: ibmveth 30000002: device driver frees DMA memory with wrong function + [device address=0x000000000a430000] [size=172 bytes] [mapped as page] [unmapped as single] +WARNING: CPU: 1 PID: 8426 at kernel/dma/debug.c:1085 check_unmap+0x4fc/0xe10 +... +<snip> +... +DMA-API: Mapped at: +ibmveth_start_xmit+0x30c/0xb60 +dev_hard_start_xmit+0x100/0x450 +sch_direct_xmit+0x224/0x490 +__qdisc_run+0x20c/0x980 +__dev_queue_xmit+0x1bc/0xf20 + +This fixes the API misuse by unampping descs[0] with dma_unmap_single. + +Fixes: 6e8ab30ec677 ("ibmveth: Add scatter-gather support") +Signed-off-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ethernet/ibm/ibmveth.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c +index 2f9b12cf9ee5..61a9ab4fe047 100644 +--- a/drivers/net/ethernet/ibm/ibmveth.c ++++ b/drivers/net/ethernet/ibm/ibmveth.c +@@ -1163,11 +1163,15 @@ static netdev_tx_t ibmveth_start_xmit(struct sk_buff *skb, + + map_failed_frags: + last = i+1; +- for (i = 0; i < last; i++) ++ for (i = 1; i < last; i++) + dma_unmap_page(&adapter->vdev->dev, descs[i].fields.address, + descs[i].fields.flags_len & IBMVETH_BUF_LEN_MASK, + DMA_TO_DEVICE); + ++ dma_unmap_single(&adapter->vdev->dev, ++ descs[0].fields.address, ++ descs[0].fields.flags_len & IBMVETH_BUF_LEN_MASK, ++ DMA_TO_DEVICE); + map_failed: + if (!firmware_has_feature(FW_FEATURE_CMO)) + netdev_err(netdev, "tx: unable to map xmit buffer\n"); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-018-ieee802154-lowpan_header_create-check-must-ch.patch b/patches.kernel.org/4.4.170-018-ieee802154-lowpan_header_create-check-must-ch.patch new file mode 100644 index 0000000000..de8b5cafe9 --- /dev/null +++ b/patches.kernel.org/4.4.170-018-ieee802154-lowpan_header_create-check-must-ch.patch @@ -0,0 +1,39 @@ +From: Willem de Bruijn <willemb@google.com> +Date: Sun, 23 Dec 2018 12:52:18 -0500 +Subject: [PATCH] ieee802154: lowpan_header_create check must check daddr +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 40c3ff6d5e0809505a067dd423c110c5658c478c + +[ Upstream commit 40c3ff6d5e0809505a067dd423c110c5658c478c ] + +Packet sockets may call dev_header_parse with NULL daddr. Make +lowpan_header_ops.create fail. + +Fixes: 87a93e4eceb4 ("ieee802154: change needed headroom/tailroom") +Signed-off-by: Willem de Bruijn <willemb@google.com> +Acked-by: Alexander Aring <aring@mojatatu.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ieee802154/6lowpan/tx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ieee802154/6lowpan/tx.c b/net/ieee802154/6lowpan/tx.c +index a10db45b2e1e..df32134da924 100644 +--- a/net/ieee802154/6lowpan/tx.c ++++ b/net/ieee802154/6lowpan/tx.c +@@ -55,6 +55,9 @@ int lowpan_header_create(struct sk_buff *skb, struct net_device *ldev, + const u8 *daddr = _daddr; + struct lowpan_addr_info *info; + ++ if (!daddr) ++ return -EINVAL; ++ + /* TODO: + * if this package isn't ipv6 one, where should it be routed? + */ +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-019-ipv6-explicitly-initialize-udp6_addr-in-udp_s.patch b/patches.kernel.org/4.4.170-019-ipv6-explicitly-initialize-udp6_addr-in-udp_s.patch new file mode 100644 index 0000000000..c37ef75c19 --- /dev/null +++ b/patches.kernel.org/4.4.170-019-ipv6-explicitly-initialize-udp6_addr-in-udp_s.patch @@ -0,0 +1,54 @@ +From: Cong Wang <xiyou.wangcong@gmail.com> +Date: Tue, 18 Dec 2018 21:17:44 -0800 +Subject: [PATCH] ipv6: explicitly initialize udp6_addr in udp_sock_create6() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: fb24274546310872eeeaf3d1d53799d8414aa0f2 + +[ Upstream commit fb24274546310872eeeaf3d1d53799d8414aa0f2 ] + +syzbot reported the use of uninitialized udp6_addr::sin6_scope_id. +We can just set ::sin6_scope_id to zero, as tunnels are unlikely +to use an IPv6 address that needs a scope id and there is no +interface to bind in this context. + +For net-next, it looks different as we have cfg->bind_ifindex there +so we can probably call ipv6_iface_scope_id(). + +Same for ::sin6_flowinfo, tunnels don't use it. + +Fixes: 8024e02879dd ("udp: Add udp_sock_create for UDP tunnels to open listener socket") +Reported-by: syzbot+c56449ed3652e6720f30@syzkaller.appspotmail.com +Cc: Jon Maloy <jon.maloy@ericsson.com> +Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv6/ip6_udp_tunnel.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_udp_tunnel.c b/net/ipv6/ip6_udp_tunnel.c +index 14dacf1df529..30b03d8e321a 100644 +--- a/net/ipv6/ip6_udp_tunnel.c ++++ b/net/ipv6/ip6_udp_tunnel.c +@@ -15,7 +15,7 @@ + int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg, + struct socket **sockp) + { +- struct sockaddr_in6 udp6_addr; ++ struct sockaddr_in6 udp6_addr = {}; + int err; + struct socket *sock = NULL; + +@@ -42,6 +42,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg, + goto error; + + if (cfg->peer_udp_port) { ++ memset(&udp6_addr, 0, sizeof(udp6_addr)); + udp6_addr.sin6_family = AF_INET6; + memcpy(&udp6_addr.sin6_addr, &cfg->peer_ip6, + sizeof(udp6_addr.sin6_addr)); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-020-isdn-fix-kernel-infoleak-in-capi_unlocked_ioc.patch b/patches.kernel.org/4.4.170-020-isdn-fix-kernel-infoleak-in-capi_unlocked_ioc.patch new file mode 100644 index 0000000000..2ee7adec52 --- /dev/null +++ b/patches.kernel.org/4.4.170-020-isdn-fix-kernel-infoleak-in-capi_unlocked_ioc.patch @@ -0,0 +1,86 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Wed, 2 Jan 2019 09:20:27 -0800 +Subject: [PATCH] isdn: fix kernel-infoleak in capi_unlocked_ioctl +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: d63967e475ae10f286dbd35e189cb241e0b1f284 + +[ Upstream commit d63967e475ae10f286dbd35e189cb241e0b1f284 ] + +Since capi_ioctl() copies 64 bytes after calling +capi20_get_manufacturer() we need to ensure to not leak +information to user. + +BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32 +CPU: 0 PID: 11245 Comm: syz-executor633 Not tainted 4.20.0-rc7+ #2 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x173/0x1d0 lib/dump_stack.c:113 + kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613 + kmsan_internal_check_memory+0x9d4/0xb00 mm/kmsan/kmsan.c:704 + kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601 + _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32 + capi_ioctl include/linux/uaccess.h:177 [inline] + capi_unlocked_ioctl+0x1a0b/0x1bf0 drivers/isdn/capi/capi.c:939 + do_vfs_ioctl+0xebd/0x2bf0 fs/ioctl.c:46 + ksys_ioctl fs/ioctl.c:713 [inline] + __do_sys_ioctl fs/ioctl.c:720 [inline] + __se_sys_ioctl+0x1da/0x270 fs/ioctl.c:718 + __x64_sys_ioctl+0x4a/0x70 fs/ioctl.c:718 + do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x63/0xe7 +RIP: 0033:0x440019 +Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007ffdd4659fb8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440019 +RDX: 0000000020000080 RSI: 00000000c0044306 RDI: 0000000000000003 +RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8 +R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004018a0 +R13: 0000000000401930 R14: 0000000000000000 R15: 0000000000000000 + +Local variable description: ----data.i@capi_unlocked_ioctl +Variable was created at: + capi_ioctl drivers/isdn/capi/capi.c:747 [inline] + capi_unlocked_ioctl+0x82/0x1bf0 drivers/isdn/capi/capi.c:939 + do_vfs_ioctl+0xebd/0x2bf0 fs/ioctl.c:46 + +Bytes 12-63 of 64 are uninitialized +Memory access of size 64 starts at ffff88807ac5fce8 +Data copied to user address 0000000020000080 + +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: syzbot <syzkaller@googlegroups.com> +Cc: Karsten Keil <isdn@linux-pingi.de> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/isdn/capi/kcapi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c +index dd7e38ac29bd..d15347de415a 100644 +--- a/drivers/isdn/capi/kcapi.c ++++ b/drivers/isdn/capi/kcapi.c +@@ -851,7 +851,7 @@ u16 capi20_get_manufacturer(u32 contr, u8 *buf) + u16 ret; + + if (contr == 0) { +- strlcpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN); ++ strncpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN); + return CAPI_NOERROR; + } + +@@ -859,7 +859,7 @@ u16 capi20_get_manufacturer(u32 contr, u8 *buf) + + ctr = get_capi_ctr_by_nr(contr); + if (ctr && ctr->state == CAPI_CTR_RUNNING) { +- strlcpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN); ++ strncpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN); + ret = CAPI_NOERROR; + } else + ret = CAPI_REGNOTINSTALLED; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-021-netrom-fix-locking-in-nr_find_socket.patch b/patches.kernel.org/4.4.170-021-netrom-fix-locking-in-nr_find_socket.patch new file mode 100644 index 0000000000..40b485675e --- /dev/null +++ b/patches.kernel.org/4.4.170-021-netrom-fix-locking-in-nr_find_socket.patch @@ -0,0 +1,107 @@ +From: Cong Wang <xiyou.wangcong@gmail.com> +Date: Sat, 29 Dec 2018 13:56:38 -0800 +Subject: [PATCH] netrom: fix locking in nr_find_socket() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 7314f5480f3e37e570104dc5e0f28823ef849e72 + +[ Upstream commit 7314f5480f3e37e570104dc5e0f28823ef849e72 ] + +nr_find_socket(), nr_find_peer() and nr_find_listener() lock the +sock after finding it in the global list. However, the call path +requires BH disabled for the sock lock consistently. + +Actually the locking is unnecessary at this point, we can just hold +the sock refcnt to make sure it is not gone after we unlock the global +list, and lock it later only when needed. + +Reported-and-tested-by: syzbot+f621cda8b7e598908efa@syzkaller.appspotmail.com +Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/netrom/af_netrom.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c +index ed212ffc1d9d..046ae1caecea 100644 +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -153,7 +153,7 @@ static struct sock *nr_find_listener(ax25_address *addr) + sk_for_each(s, &nr_list) + if (!ax25cmp(&nr_sk(s)->source_addr, addr) && + s->sk_state == TCP_LISTEN) { +- bh_lock_sock(s); ++ sock_hold(s); + goto found; + } + s = NULL; +@@ -174,7 +174,7 @@ static struct sock *nr_find_socket(unsigned char index, unsigned char id) + struct nr_sock *nr = nr_sk(s); + + if (nr->my_index == index && nr->my_id == id) { +- bh_lock_sock(s); ++ sock_hold(s); + goto found; + } + } +@@ -198,7 +198,7 @@ static struct sock *nr_find_peer(unsigned char index, unsigned char id, + + if (nr->your_index == index && nr->your_id == id && + !ax25cmp(&nr->dest_addr, dest)) { +- bh_lock_sock(s); ++ sock_hold(s); + goto found; + } + } +@@ -224,7 +224,7 @@ static unsigned short nr_find_next_circuit(void) + if (i != 0 && j != 0) { + if ((sk=nr_find_socket(i, j)) == NULL) + break; +- bh_unlock_sock(sk); ++ sock_put(sk); + } + + id++; +@@ -918,6 +918,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev) + } + + if (sk != NULL) { ++ bh_lock_sock(sk); + skb_reset_transport_header(skb); + + if (frametype == NR_CONNACK && skb->len == 22) +@@ -927,6 +928,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev) + + ret = nr_process_rx_frame(sk, skb); + bh_unlock_sock(sk); ++ sock_put(sk); + return ret; + } + +@@ -958,10 +960,12 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev) + (make = nr_make_new(sk)) == NULL) { + nr_transmit_refusal(skb, 0); + if (sk) +- bh_unlock_sock(sk); ++ sock_put(sk); + return 0; + } + ++ bh_lock_sock(sk); ++ + window = skb->data[20]; + + skb->sk = make; +@@ -1014,6 +1018,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev) + sk->sk_data_ready(sk); + + bh_unlock_sock(sk); ++ sock_put(sk); + + nr_insert_socket(make); + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-022-packet-validate-address-length.patch b/patches.kernel.org/4.4.170-022-packet-validate-address-length.patch new file mode 100644 index 0000000000..76af422f1f --- /dev/null +++ b/patches.kernel.org/4.4.170-022-packet-validate-address-length.patch @@ -0,0 +1,46 @@ +From: Willem de Bruijn <willemb@google.com> +Date: Fri, 21 Dec 2018 12:06:59 -0500 +Subject: [PATCH] packet: validate address length +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 99137b7888f4058087895d035d81c6b2d31015c5 + +[ Upstream commit 99137b7888f4058087895d035d81c6b2d31015c5 ] + +Packet sockets with SOCK_DGRAM may pass an address for use in +dev_hard_header. Ensure that it is of sufficient length. + +Reported-by: syzbot <syzkaller@googlegroups.com> +Signed-off-by: Willem de Bruijn <willemb@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/packet/af_packet.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 07668f152a3a..050dcb71e54e 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2513,6 +2513,8 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + proto = saddr->sll_protocol; + addr = saddr->sll_addr; + dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex); ++ if (addr && dev && saddr->sll_halen < dev->addr_len) ++ goto out; + } + + err = -ENXIO; +@@ -2680,6 +2682,8 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + proto = saddr->sll_protocol; + addr = saddr->sll_addr; + dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex); ++ if (addr && dev && saddr->sll_halen < dev->addr_len) ++ goto out; + } + + err = -ENXIO; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-023-packet-validate-address-length-if-non-zero.patch b/patches.kernel.org/4.4.170-023-packet-validate-address-length-if-non-zero.patch new file mode 100644 index 0000000000..fc5d30c172 --- /dev/null +++ b/patches.kernel.org/4.4.170-023-packet-validate-address-length-if-non-zero.patch @@ -0,0 +1,47 @@ +From: Willem de Bruijn <willemb@google.com> +Date: Sat, 22 Dec 2018 16:53:45 -0500 +Subject: [PATCH] packet: validate address length if non-zero +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 6b8d95f1795c42161dc0984b6863e95d6acf24ed + +[ Upstream commit 6b8d95f1795c42161dc0984b6863e95d6acf24ed ] + +Validate packet socket address length if a length is given. Zero +length is equivalent to not setting an address. + +Fixes: 99137b7888f4 ("packet: validate address length") +Reported-by: Ido Schimmel <idosch@idosch.org> +Signed-off-by: Willem de Bruijn <willemb@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/packet/af_packet.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 050dcb71e54e..0f50977ed53b 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2511,7 +2511,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + sll_addr))) + goto out; + proto = saddr->sll_protocol; +- addr = saddr->sll_addr; ++ addr = saddr->sll_halen ? saddr->sll_addr : NULL; + dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex); + if (addr && dev && saddr->sll_halen < dev->addr_len) + goto out; +@@ -2680,7 +2680,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + if (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr))) + goto out; + proto = saddr->sll_protocol; +- addr = saddr->sll_addr; ++ addr = saddr->sll_halen ? saddr->sll_addr : NULL; + dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex); + if (addr && dev && saddr->sll_halen < dev->addr_len) + goto out; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-024-sctp-initialize-sin6_flowinfo-for-ipv6-addrs-.patch b/patches.kernel.org/4.4.170-024-sctp-initialize-sin6_flowinfo-for-ipv6-addrs-.patch new file mode 100644 index 0000000000..eaa9821176 --- /dev/null +++ b/patches.kernel.org/4.4.170-024-sctp-initialize-sin6_flowinfo-for-ipv6-addrs-.patch @@ -0,0 +1,68 @@ +From: Xin Long <lucien.xin@gmail.com> +Date: Mon, 10 Dec 2018 18:00:52 +0800 +Subject: [PATCH] sctp: initialize sin6_flowinfo for ipv6 addrs in + sctp_inet6addr_event +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 4a2eb0c37b4759416996fbb4c45b932500cf06d3 + +[ Upstream commit 4a2eb0c37b4759416996fbb4c45b932500cf06d3 ] + +syzbot reported a kernel-infoleak, which is caused by an uninitialized +field(sin6_flowinfo) of addr->a.v6 in sctp_inet6addr_event(). +The call trace is as below: + + BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33 + CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS + Google 01/01/2011 + Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x32d/0x480 lib/dump_stack.c:113 + kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683 + kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743 + kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634 + _copy_to_user+0x19a/0x230 lib/usercopy.c:33 + copy_to_user include/linux/uaccess.h:183 [inline] + sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline] + sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477 + sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937 + __sys_getsockopt+0x489/0x550 net/socket.c:1939 + __do_sys_getsockopt net/socket.c:1950 [inline] + __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947 + __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947 + do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x63/0xe7 + +sin6_flowinfo is not really used by SCTP, so it will be fixed by simply +setting it to 0. + +The issue exists since very beginning. +Thanks Alexander for the reproducer provided. + +Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com +Signed-off-by: Xin Long <lucien.xin@gmail.com> +Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> +Acked-by: Neil Horman <nhorman@tuxdriver.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/sctp/ipv6.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c +index 5ca8309ea7b1..7dffc97a953c 100644 +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct notifier_block *this, unsigned long ev, + if (addr) { + addr->a.v6.sin6_family = AF_INET6; + addr->a.v6.sin6_port = 0; ++ addr->a.v6.sin6_flowinfo = 0; + addr->a.v6.sin6_addr = ifa->addr; + addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex; + addr->valid = 1; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-025-vhost-make-sure-used-idx-is-seen-before-log-i.patch b/patches.kernel.org/4.4.170-025-vhost-make-sure-used-idx-is-seen-before-log-i.patch new file mode 100644 index 0000000000..38de96249d --- /dev/null +++ b/patches.kernel.org/4.4.170-025-vhost-make-sure-used-idx-is-seen-before-log-i.patch @@ -0,0 +1,40 @@ +From: Jason Wang <jasowang@redhat.com> +Date: Thu, 13 Dec 2018 10:53:37 +0800 +Subject: [PATCH] vhost: make sure used idx is seen before log in + vhost_add_used_n() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 841df922417eb82c835e93d4b93eb6a68c99d599 + +[ Upstream commit 841df922417eb82c835e93d4b93eb6a68c99d599 ] + +We miss a write barrier that guarantees used idx is updated and seen +before log. This will let userspace sync and copy used ring before +used idx is update. Fix this by adding a barrier before log_write(). + +Fixes: 8dd014adfea6f ("vhost-net: mergeable buffers support") +Acked-by: Michael S. Tsirkin <mst@redhat.com> +Signed-off-by: Jason Wang <jasowang@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/vhost/vhost.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c +index c54d388310f0..2ed0a356d1d3 100644 +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -1550,6 +1550,8 @@ int vhost_add_used_n(struct vhost_virtqueue *vq, struct vring_used_elem *heads, + return -EFAULT; + } + if (unlikely(vq->log_used)) { ++ /* Make sure used idx is seen before log. */ ++ smp_wmb(); + /* Log used index update. */ + log_write(vq->log_base, + vq->log_addr + offsetof(struct vring_used, idx), +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-026-VSOCK-Send-reset-control-packet-when-socket-i.patch b/patches.kernel.org/4.4.170-026-VSOCK-Send-reset-control-packet-when-socket-i.patch new file mode 100644 index 0000000000..04408e1786 --- /dev/null +++ b/patches.kernel.org/4.4.170-026-VSOCK-Send-reset-control-packet-when-socket-i.patch @@ -0,0 +1,135 @@ +From: Jorgen Hansen <jhansen@vmware.com> +Date: Tue, 18 Dec 2018 00:34:06 -0800 +Subject: [PATCH] VSOCK: Send reset control packet when socket is partially + bound +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: a915b982d8f5e4295f64b8dd37ce753874867e88 + +[ Upstream commit a915b982d8f5e4295f64b8dd37ce753874867e88 ] + +If a server side socket is bound to an address, but not in the listening +state yet, incoming connection requests should receive a reset control +packet in response. However, the function used to send the reset +silently drops the reset packet if the sending socket isn't bound +to a remote address (as is the case for a bound socket not yet in +the listening state). This change fixes this by using the src +of the incoming packet as destination for the reset packet in +this case. + +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Reviewed-by: Adit Ranadive <aditr@vmware.com> +Reviewed-by: Vishnu Dasa <vdasa@vmware.com> +Signed-off-by: Jorgen Hansen <jhansen@vmware.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/vmw_vsock/vmci_transport.c | 67 +++++++++++++++++++++++++--------- + 1 file changed, 50 insertions(+), 17 deletions(-) + +diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c +index 589c8b9908a5..d24773552b64 100644 +--- a/net/vmw_vsock/vmci_transport.c ++++ b/net/vmw_vsock/vmci_transport.c +@@ -272,6 +272,31 @@ vmci_transport_send_control_pkt_bh(struct sockaddr_vm *src, + false); + } + ++static int ++vmci_transport_alloc_send_control_pkt(struct sockaddr_vm *src, ++ struct sockaddr_vm *dst, ++ enum vmci_transport_packet_type type, ++ u64 size, ++ u64 mode, ++ struct vmci_transport_waiting_info *wait, ++ u16 proto, ++ struct vmci_handle handle) ++{ ++ struct vmci_transport_packet *pkt; ++ int err; ++ ++ pkt = kmalloc(sizeof(*pkt), GFP_KERNEL); ++ if (!pkt) ++ return -ENOMEM; ++ ++ err = __vmci_transport_send_control_pkt(pkt, src, dst, type, size, ++ mode, wait, proto, handle, ++ true); ++ kfree(pkt); ++ ++ return err; ++} ++ + static int + vmci_transport_send_control_pkt(struct sock *sk, + enum vmci_transport_packet_type type, +@@ -281,9 +306,7 @@ vmci_transport_send_control_pkt(struct sock *sk, + u16 proto, + struct vmci_handle handle) + { +- struct vmci_transport_packet *pkt; + struct vsock_sock *vsk; +- int err; + + vsk = vsock_sk(sk); + +@@ -293,17 +316,10 @@ vmci_transport_send_control_pkt(struct sock *sk, + if (!vsock_addr_bound(&vsk->remote_addr)) + return -EINVAL; + +- pkt = kmalloc(sizeof(*pkt), GFP_KERNEL); +- if (!pkt) +- return -ENOMEM; +- +- err = __vmci_transport_send_control_pkt(pkt, &vsk->local_addr, +- &vsk->remote_addr, type, size, +- mode, wait, proto, handle, +- true); +- kfree(pkt); +- +- return err; ++ return vmci_transport_alloc_send_control_pkt(&vsk->local_addr, ++ &vsk->remote_addr, ++ type, size, mode, ++ wait, proto, handle); + } + + static int vmci_transport_send_reset_bh(struct sockaddr_vm *dst, +@@ -321,12 +337,29 @@ static int vmci_transport_send_reset_bh(struct sockaddr_vm *dst, + static int vmci_transport_send_reset(struct sock *sk, + struct vmci_transport_packet *pkt) + { ++ struct sockaddr_vm *dst_ptr; ++ struct sockaddr_vm dst; ++ struct vsock_sock *vsk; ++ + if (pkt->type == VMCI_TRANSPORT_PACKET_TYPE_RST) + return 0; +- return vmci_transport_send_control_pkt(sk, +- VMCI_TRANSPORT_PACKET_TYPE_RST, +- 0, 0, NULL, VSOCK_PROTO_INVALID, +- VMCI_INVALID_HANDLE); ++ ++ vsk = vsock_sk(sk); ++ ++ if (!vsock_addr_bound(&vsk->local_addr)) ++ return -EINVAL; ++ ++ if (vsock_addr_bound(&vsk->remote_addr)) { ++ dst_ptr = &vsk->remote_addr; ++ } else { ++ vsock_addr_init(&dst, pkt->dg.src.context, ++ pkt->src_port); ++ dst_ptr = &dst; ++ } ++ return vmci_transport_alloc_send_control_pkt(&vsk->local_addr, dst_ptr, ++ VMCI_TRANSPORT_PACKET_TYPE_RST, ++ 0, 0, NULL, VSOCK_PROTO_INVALID, ++ VMCI_INVALID_HANDLE); + } + + static int vmci_transport_send_negotiate(struct sock *sk, size_t size) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-027-xen-netfront-tolerate-frags-with-no-data.patch b/patches.kernel.org/4.4.170-027-xen-netfront-tolerate-frags-with-no-data.patch new file mode 100644 index 0000000000..e90747ca8f --- /dev/null +++ b/patches.kernel.org/4.4.170-027-xen-netfront-tolerate-frags-with-no-data.patch @@ -0,0 +1,41 @@ +From: Juergen Gross <jgross@suse.com> +Date: Tue, 18 Dec 2018 16:06:19 +0100 +Subject: [PATCH] xen/netfront: tolerate frags with no data +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: d81c5054a5d1d4999c7cdead7636b6cd4af83d36 + +[ Upstream commit d81c5054a5d1d4999c7cdead7636b6cd4af83d36 ] + +At least old Xen net backends seem to send frags with no real data +sometimes. In case such a fragment happens to occur with the frag limit +already reached the frontend will BUG currently even if this situation +is easily recoverable. + +Modify the BUG_ON() condition accordingly. + +Tested-by: Dietmar Hahn <dietmar.hahn@ts.fujitsu.com> +Signed-off-by: Juergen Gross <jgross@suse.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/xen-netfront.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index 0a4bd73caae5..6f55ab4f7959 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -889,7 +889,7 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue, + if (skb_shinfo(skb)->nr_frags == MAX_SKB_FRAGS) { + unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to; + +- BUG_ON(pull_to <= skb_headlen(skb)); ++ BUG_ON(pull_to < skb_headlen(skb)); + __pskb_pull_tail(skb, pull_to - skb_headlen(skb)); + } + if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) { +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-028-gro_cell-add-napi_disable-in-gro_cells_destro.patch b/patches.kernel.org/4.4.170-028-gro_cell-add-napi_disable-in-gro_cells_destro.patch new file mode 100644 index 0000000000..1d01b29b85 --- /dev/null +++ b/patches.kernel.org/4.4.170-028-gro_cell-add-napi_disable-in-gro_cells_destro.patch @@ -0,0 +1,83 @@ +From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> +Date: Wed, 19 Dec 2018 23:23:00 +0100 +Subject: [PATCH] gro_cell: add napi_disable in gro_cells_destroy +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 8e1da73acded4751a93d4166458a7e640f37d26c + +[ Upstream commit 8e1da73acded4751a93d4166458a7e640f37d26c ] + +Add napi_disable routine in gro_cells_destroy since starting from +commit c42858eaf492 ("gro_cells: remove spinlock protecting receive +queues") gro_cell_poll and gro_cells_destroy can run concurrently on +napi_skbs list producing a kernel Oops if the tunnel interface is +removed while gro_cell_poll is running. The following Oops has been +triggered removing a vxlan device while the interface is receiving +traffic + +[ 5628.948853] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 +[ 5628.949981] PGD 0 P4D 0 +[ 5628.950308] Oops: 0002 [#1] SMP PTI +[ 5628.950748] CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 4.20.0-rc6+ #41 +[ 5628.952940] RIP: 0010:gro_cell_poll+0x49/0x80 +[ 5628.955615] RSP: 0018:ffffc9000004fdd8 EFLAGS: 00010202 +[ 5628.956250] RAX: 0000000000000000 RBX: ffffe8ffffc08150 RCX: 0000000000000000 +[ 5628.957102] RDX: 0000000000000000 RSI: ffff88802356bf00 RDI: ffffe8ffffc08150 +[ 5628.957940] RBP: 0000000000000026 R08: 0000000000000000 R09: 0000000000000000 +[ 5628.958803] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000040 +[ 5628.959661] R13: ffffe8ffffc08100 R14: 0000000000000000 R15: 0000000000000040 +[ 5628.960682] FS: 0000000000000000(0000) GS:ffff88803ea00000(0000) knlGS:0000000000000000 +[ 5628.961616] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 5628.962359] CR2: 0000000000000008 CR3: 000000000221c000 CR4: 00000000000006b0 +[ 5628.963188] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 5628.964034] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 5628.964871] Call Trace: +[ 5628.965179] net_rx_action+0xf0/0x380 +[ 5628.965637] __do_softirq+0xc7/0x431 +[ 5628.966510] run_ksoftirqd+0x24/0x30 +[ 5628.966957] smpboot_thread_fn+0xc5/0x160 +[ 5628.967436] kthread+0x113/0x130 +[ 5628.968283] ret_from_fork+0x3a/0x50 +[ 5628.968721] Modules linked in: +[ 5628.969099] CR2: 0000000000000008 +[ 5628.969510] ---[ end trace 9d9dedc7181661fe ]--- +[ 5628.970073] RIP: 0010:gro_cell_poll+0x49/0x80 +[ 5628.972965] RSP: 0018:ffffc9000004fdd8 EFLAGS: 00010202 +[ 5628.973611] RAX: 0000000000000000 RBX: ffffe8ffffc08150 RCX: 0000000000000000 +[ 5628.974504] RDX: 0000000000000000 RSI: ffff88802356bf00 RDI: ffffe8ffffc08150 +[ 5628.975462] RBP: 0000000000000026 R08: 0000000000000000 R09: 0000000000000000 +[ 5628.976413] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000040 +[ 5628.977375] R13: ffffe8ffffc08100 R14: 0000000000000000 R15: 0000000000000040 +[ 5628.978296] FS: 0000000000000000(0000) GS:ffff88803ea00000(0000) knlGS:0000000000000000 +[ 5628.979327] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 5628.980044] CR2: 0000000000000008 CR3: 000000000221c000 CR4: 00000000000006b0 +[ 5628.980929] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 5628.981736] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 5628.982409] Kernel panic - not syncing: Fatal exception in interrupt +[ 5628.983307] Kernel Offset: disabled + +Fixes: c42858eaf492 ("gro_cells: remove spinlock protecting receive queues") +Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> +Acked-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + include/net/gro_cells.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/net/gro_cells.h b/include/net/gro_cells.h +index cf6c74550baa..86316f90ea1e 100644 +--- a/include/net/gro_cells.h ++++ b/include/net/gro_cells.h +@@ -84,6 +84,7 @@ static inline void gro_cells_destroy(struct gro_cells *gcells) + for_each_possible_cpu(i) { + struct gro_cell *cell = per_cpu_ptr(gcells->cells, i); + ++ napi_disable(&cell->napi); + netif_napi_del(&cell->napi); + __skb_queue_purge(&cell->napi_skbs); + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-029-sock-Make-sock-sk_stamp-thread-safe.patch b/patches.kernel.org/4.4.170-029-sock-Make-sock-sk_stamp-thread-safe.patch new file mode 100644 index 0000000000..1e4497d9ae --- /dev/null +++ b/patches.kernel.org/4.4.170-029-sock-Make-sock-sk_stamp-thread-safe.patch @@ -0,0 +1,192 @@ +From: Deepa Dinamani <deepa.kernel@gmail.com> +Date: Thu, 27 Dec 2018 18:55:09 -0800 +Subject: [PATCH] sock: Make sock->sk_stamp thread-safe +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 3a0ed3e9619738067214871e9cb826fa23b2ddb9 + +[ Upstream commit 3a0ed3e9619738067214871e9cb826fa23b2ddb9 ] + +Al Viro mentioned (Message-ID +<20170626041334.GZ10672@ZenIV.linux.org.uk>) +that there is probably a race condition +lurking in accesses of sk_stamp on 32-bit machines. + +sock->sk_stamp is of type ktime_t which is always an s64. +On a 32 bit architecture, we might run into situations of +unsafe access as the access to the field becomes non atomic. + +Use seqlocks for synchronization. +This allows us to avoid using spinlocks for readers as +readers do not need mutual exclusion. + +Another approach to solve this is to require sk_lock for all +modifications of the timestamps. The current approach allows +for timestamps to have their own lock: sk_stamp_lock. +This allows for the patch to not compete with already +existing critical sections, and side effects are limited +to the paths in the patch. + +The addition of the new field maintains the data locality +optimizations from +commit 9115e8cd2a0c ("net: reorganize struct sock for better data +locality") + +Note that all the instances of the sk_stamp accesses +are either through the ioctl or the syscall recvmsg. + +Signed-off-by: Deepa Dinamani <deepa.kernel@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + include/net/sock.h | 36 ++++++++++++++++++++++++++++++++++-- + net/compat.c | 15 +++++++++------ + net/core/sock.c | 3 +++ + net/sunrpc/svcsock.c | 2 +- + 4 files changed, 47 insertions(+), 9 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 577075713ad5..7420299c31f5 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -299,6 +299,7 @@ struct cg_proto; + * @sk_filter: socket filtering instructions + * @sk_timer: sock cleanup timer + * @sk_stamp: time stamp of last packet received ++ * @sk_stamp_seq: lock for accessing sk_stamp on 32 bit architectures only + * @sk_tsflags: SO_TIMESTAMPING socket options + * @sk_tskey: counter to disambiguate concurrent tstamp requests + * @sk_socket: Identd and reporting IO signals +@@ -434,6 +435,9 @@ struct sock { + long sk_sndtimeo; + struct timer_list sk_timer; + ktime_t sk_stamp; ++#if BITS_PER_LONG==32 ++ seqlock_t sk_stamp_seq; ++#endif + u16 sk_tsflags; + u32 sk_tskey; + struct socket *sk_socket; +@@ -2146,6 +2150,34 @@ static inline void sk_drops_add(struct sock *sk, const struct sk_buff *skb) + atomic_add(segs, &sk->sk_drops); + } + ++static inline ktime_t sock_read_timestamp(struct sock *sk) ++{ ++#if BITS_PER_LONG==32 ++ unsigned int seq; ++ ktime_t kt; ++ ++ do { ++ seq = read_seqbegin(&sk->sk_stamp_seq); ++ kt = sk->sk_stamp; ++ } while (read_seqretry(&sk->sk_stamp_seq, seq)); ++ ++ return kt; ++#else ++ return sk->sk_stamp; ++#endif ++} ++ ++static inline void sock_write_timestamp(struct sock *sk, ktime_t kt) ++{ ++#if BITS_PER_LONG==32 ++ write_seqlock(&sk->sk_stamp_seq); ++ sk->sk_stamp = kt; ++ write_sequnlock(&sk->sk_stamp_seq); ++#else ++ sk->sk_stamp = kt; ++#endif ++} ++ + void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk, + struct sk_buff *skb); + void __sock_recv_wifi_status(struct msghdr *msg, struct sock *sk, +@@ -2170,7 +2202,7 @@ sock_recv_timestamp(struct msghdr *msg, struct sock *sk, struct sk_buff *skb) + (sk->sk_tsflags & SOF_TIMESTAMPING_RAW_HARDWARE))) + __sock_recv_timestamp(msg, sk, skb); + else +- sk->sk_stamp = kt; ++ sock_write_timestamp(sk, kt); + + if (sock_flag(sk, SOCK_WIFI_STATUS) && skb->wifi_acked_valid) + __sock_recv_wifi_status(msg, sk, skb); +@@ -2190,7 +2222,7 @@ static inline void sock_recv_ts_and_drops(struct msghdr *msg, struct sock *sk, + if (sk->sk_flags & FLAGS_TS_OR_DROPS || sk->sk_tsflags & TSFLAGS_ANY) + __sock_recv_ts_and_drops(msg, sk, skb); + else +- sk->sk_stamp = skb->tstamp; ++ sock_write_timestamp(sk, skb->tstamp); + } + + void __sock_tx_timestamp(const struct sock *sk, __u8 *tx_flags); +diff --git a/net/compat.c b/net/compat.c +index 17e97b106458..d67684010455 100644 +--- a/net/compat.c ++++ b/net/compat.c +@@ -443,12 +443,14 @@ int compat_sock_get_timestamp(struct sock *sk, struct timeval __user *userstamp) + err = -ENOENT; + if (!sock_flag(sk, SOCK_TIMESTAMP)) + sock_enable_timestamp(sk, SOCK_TIMESTAMP); +- tv = ktime_to_timeval(sk->sk_stamp); ++ tv = ktime_to_timeval(sock_read_timestamp(sk)); ++ + if (tv.tv_sec == -1) + return err; + if (tv.tv_sec == 0) { +- sk->sk_stamp = ktime_get_real(); +- tv = ktime_to_timeval(sk->sk_stamp); ++ ktime_t kt = ktime_get_real(); ++ sock_write_timestamp(sk, kt); ++ tv = ktime_to_timeval(kt); + } + err = 0; + if (put_user(tv.tv_sec, &ctv->tv_sec) || +@@ -471,12 +473,13 @@ int compat_sock_get_timestampns(struct sock *sk, struct timespec __user *usersta + err = -ENOENT; + if (!sock_flag(sk, SOCK_TIMESTAMP)) + sock_enable_timestamp(sk, SOCK_TIMESTAMP); +- ts = ktime_to_timespec(sk->sk_stamp); ++ ts = ktime_to_timespec(sock_read_timestamp(sk)); + if (ts.tv_sec == -1) + return err; + if (ts.tv_sec == 0) { +- sk->sk_stamp = ktime_get_real(); +- ts = ktime_to_timespec(sk->sk_stamp); ++ ktime_t kt = ktime_get_real(); ++ sock_write_timestamp(sk, kt); ++ ts = ktime_to_timespec(kt); + } + err = 0; + if (put_user(ts.tv_sec, &ctv->tv_sec) || +diff --git a/net/core/sock.c b/net/core/sock.c +index 4238835a0e4e..9fb1c073d0c4 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2423,6 +2423,9 @@ void sock_init_data(struct socket *sock, struct sock *sk) + sk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT; + + sk->sk_stamp = ktime_set(-1L, 0); ++#if BITS_PER_LONG==32 ++ seqlock_init(&sk->sk_stamp_seq); ++#endif + + #ifdef CONFIG_NET_RX_BUSY_POLL + sk->sk_napi_id = 0; +diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c +index 1413cdcc131c..9701fcca002c 100644 +--- a/net/sunrpc/svcsock.c ++++ b/net/sunrpc/svcsock.c +@@ -614,7 +614,7 @@ static int svc_udp_recvfrom(struct svc_rqst *rqstp) + /* Don't enable netstamp, sunrpc doesn't + need that much accuracy */ + } +- svsk->sk_sk->sk_stamp = skb->tstamp; ++ sock_write_timestamp(svsk->sk_sk, skb->tstamp); + set_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags); /* there may be more data... */ + + len = skb->len - sizeof(struct udphdr); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-030-ALSA-rme9652-Fix-potential-Spectre-v1-vulnera.patch b/patches.kernel.org/4.4.170-030-ALSA-rme9652-Fix-potential-Spectre-v1-vulnera.patch new file mode 100644 index 0000000000..a28abcca22 --- /dev/null +++ b/patches.kernel.org/4.4.170-030-ALSA-rme9652-Fix-potential-Spectre-v1-vulnera.patch @@ -0,0 +1,76 @@ +From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> +Date: Tue, 18 Dec 2018 11:18:34 -0600 +Subject: [PATCH] ALSA: rme9652: Fix potential Spectre v1 vulnerability +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 0b84304ef5da92add8dc75a1b07879c5374cdb05 + +commit 0b84304ef5da92add8dc75a1b07879c5374cdb05 upstream. + +info->channel is indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +sound/pci/rme9652/hdsp.c:4100 snd_hdsp_channel_info() warn: potential spectre issue 'hdsp->channel_map' [r] (local cap) + +Fix this by sanitizing info->channel before using it to index hdsp->channel_map + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +Also, notice that I refactored the code a bit in order to get rid of the +following checkpatch warning: + +ERROR: do not use assignment in if condition +FILE: sound/pci/rme9652/hdsp.c:4103: + if ((mapped_channel = hdsp->channel_map[info->channel]) < 0) + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/pci/rme9652/hdsp.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c +index 7c8941b8b2de..dd6c9e6a1d53 100644 +--- a/sound/pci/rme9652/hdsp.c ++++ b/sound/pci/rme9652/hdsp.c +@@ -30,6 +30,7 @@ + #include <linux/math64.h> + #include <linux/vmalloc.h> + #include <linux/io.h> ++#include <linux/nospec.h> + + #include <sound/core.h> + #include <sound/control.h> +@@ -4065,15 +4066,16 @@ static int snd_hdsp_channel_info(struct snd_pcm_substream *substream, + struct snd_pcm_channel_info *info) + { + struct hdsp *hdsp = snd_pcm_substream_chip(substream); +- int mapped_channel; ++ unsigned int channel = info->channel; + +- if (snd_BUG_ON(info->channel >= hdsp->max_channels)) ++ if (snd_BUG_ON(channel >= hdsp->max_channels)) + return -EINVAL; ++ channel = array_index_nospec(channel, hdsp->max_channels); + +- if ((mapped_channel = hdsp->channel_map[info->channel]) < 0) ++ if (hdsp->channel_map[channel] < 0) + return -EINVAL; + +- info->offset = mapped_channel * HDSP_CHANNEL_BUFFER_BYTES; ++ info->offset = hdsp->channel_map[channel] * HDSP_CHANNEL_BUFFER_BYTES; + info->first = 0; + info->step = 32; + return 0; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-031-ALSA-emu10k1-Fix-potential-Spectre-v1-vulnera.patch b/patches.kernel.org/4.4.170-031-ALSA-emu10k1-Fix-potential-Spectre-v1-vulnera.patch new file mode 100644 index 0000000000..315998c849 --- /dev/null +++ b/patches.kernel.org/4.4.170-031-ALSA-emu10k1-Fix-potential-Spectre-v1-vulnera.patch @@ -0,0 +1,67 @@ +From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> +Date: Tue, 18 Dec 2018 11:52:16 -0600 +Subject: [PATCH] ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 5ae4f61f012a097df93de2285070ec8e34716d29 + +commit 5ae4f61f012a097df93de2285070ec8e34716d29 upstream. + +ipcm->substream is indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +sound/pci/emu10k1/emufx.c:1031 snd_emu10k1_ipcm_poke() warn: potential spectre issue 'emu->fx8010.pcm' [r] (local cap) +sound/pci/emu10k1/emufx.c:1075 snd_emu10k1_ipcm_peek() warn: potential spectre issue 'emu->fx8010.pcm' [r] (local cap) + +Fix this by sanitizing ipcm->substream before using it to index emu->fx8010.pcm + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/pci/emu10k1/emufx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/sound/pci/emu10k1/emufx.c b/sound/pci/emu10k1/emufx.c +index 50b216fc369f..5d422d65e62b 100644 +--- a/sound/pci/emu10k1/emufx.c ++++ b/sound/pci/emu10k1/emufx.c +@@ -36,6 +36,7 @@ + #include <linux/init.h> + #include <linux/mutex.h> + #include <linux/moduleparam.h> ++#include <linux/nospec.h> + + #include <sound/core.h> + #include <sound/tlv.h> +@@ -1000,6 +1001,8 @@ static int snd_emu10k1_ipcm_poke(struct snd_emu10k1 *emu, + + if (ipcm->substream >= EMU10K1_FX8010_PCM_COUNT) + return -EINVAL; ++ ipcm->substream = array_index_nospec(ipcm->substream, ++ EMU10K1_FX8010_PCM_COUNT); + if (ipcm->channels > 32) + return -EINVAL; + pcm = &emu->fx8010.pcm[ipcm->substream]; +@@ -1046,6 +1049,8 @@ static int snd_emu10k1_ipcm_peek(struct snd_emu10k1 *emu, + + if (ipcm->substream >= EMU10K1_FX8010_PCM_COUNT) + return -EINVAL; ++ ipcm->substream = array_index_nospec(ipcm->substream, ++ EMU10K1_FX8010_PCM_COUNT); + pcm = &emu->fx8010.pcm[ipcm->substream]; + mutex_lock(&emu->fx8010.lock); + spin_lock_irq(&emu->reg_lock); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-032-ALSA-pcm-Fix-potential-Spectre-v1-vulnerabili.patch b/patches.kernel.org/4.4.170-032-ALSA-pcm-Fix-potential-Spectre-v1-vulnerabili.patch new file mode 100644 index 0000000000..7bfb372de5 --- /dev/null +++ b/patches.kernel.org/4.4.170-032-ALSA-pcm-Fix-potential-Spectre-v1-vulnerabili.patch @@ -0,0 +1,56 @@ +From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> +Date: Wed, 12 Dec 2018 15:36:28 -0600 +Subject: [PATCH] ALSA: pcm: Fix potential Spectre v1 vulnerability +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 94ffb030b6d31ec840bb811be455dd2e26a4f43e + +commit 94ffb030b6d31ec840bb811be455dd2e26a4f43e upstream. + +stream is indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +sound/core/pcm.c:140 snd_pcm_control_ioctl() warn: potential spectre issue 'pcm->streams' [r] (local cap) + +Fix this by sanitizing stream before using it to index pcm->streams + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> +Cc: stable@vger.kernel.org +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/core/pcm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/core/pcm.c b/sound/core/pcm.c +index 6bda8f6c5f84..cdff5f976480 100644 +--- a/sound/core/pcm.c ++++ b/sound/core/pcm.c +@@ -25,6 +25,7 @@ + #include <linux/time.h> + #include <linux/mutex.h> + #include <linux/device.h> ++#include <linux/nospec.h> + #include <sound/core.h> + #include <sound/minors.h> + #include <sound/pcm.h> +@@ -125,6 +126,7 @@ static int snd_pcm_control_ioctl(struct snd_card *card, + return -EFAULT; + if (stream < 0 || stream > 1) + return -EINVAL; ++ stream = array_index_nospec(stream, 2); + if (get_user(subdevice, &info->subdevice)) + return -EFAULT; + mutex_lock(®ister_mutex); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-033-ALSA-emux-Fix-potential-Spectre-v1-vulnerabil.patch b/patches.kernel.org/4.4.170-033-ALSA-emux-Fix-potential-Spectre-v1-vulnerabil.patch new file mode 100644 index 0000000000..ec3bde23a3 --- /dev/null +++ b/patches.kernel.org/4.4.170-033-ALSA-emux-Fix-potential-Spectre-v1-vulnerabil.patch @@ -0,0 +1,74 @@ +From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> +Date: Wed, 12 Dec 2018 11:20:49 -0600 +Subject: [PATCH] ALSA: emux: Fix potential Spectre v1 vulnerabilities +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 4aea96f4237cea0c51a8bc87c0db31f0f932f1f0 + +commit 4aea96f4237cea0c51a8bc87c0db31f0f932f1f0 upstream. + +info.mode and info.port are indirectly controlled by user-space, +hence leading to a potential exploitation of the Spectre variant 1 +vulnerability. + +These issues were detected with the help of Smatch: + +sound/synth/emux/emux_hwdep.c:72 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs[i]->ctrls' [w] (local cap) +sound/synth/emux/emux_hwdep.c:75 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs' [w] (local cap) +sound/synth/emux/emux_hwdep.c:75 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs[info.port]->ctrls' [w] (local cap) + +Fix this by sanitizing both info.mode and info.port before using them +to index emu->portptrs[i]->ctrls, emu->portptrs[info.port]->ctrls and +emu->portptrs. + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> +Cc: stable@vger.kernel.org +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/synth/emux/emux_hwdep.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/sound/synth/emux/emux_hwdep.c b/sound/synth/emux/emux_hwdep.c +index e557946718a9..d9fcae071b47 100644 +--- a/sound/synth/emux/emux_hwdep.c ++++ b/sound/synth/emux/emux_hwdep.c +@@ -22,9 +22,9 @@ + #include <sound/core.h> + #include <sound/hwdep.h> + #include <linux/uaccess.h> ++#include <linux/nospec.h> + #include "emux_voice.h" + +- + #define TMP_CLIENT_ID 0x1001 + + /* +@@ -66,13 +66,16 @@ snd_emux_hwdep_misc_mode(struct snd_emux *emu, void __user *arg) + return -EFAULT; + if (info.mode < 0 || info.mode >= EMUX_MD_END) + return -EINVAL; ++ info.mode = array_index_nospec(info.mode, EMUX_MD_END); + + if (info.port < 0) { + for (i = 0; i < emu->num_ports; i++) + emu->portptrs[i]->ctrls[info.mode] = info.value; + } else { +- if (info.port < emu->num_ports) ++ if (info.port < emu->num_ports) { ++ info.port = array_index_nospec(info.port, emu->num_ports); + emu->portptrs[info.port]->ctrls[info.mode] = info.value; ++ } + } + return 0; + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-034-ALSA-hda-add-mute-LED-support-for-HP-EliteBoo.patch b/patches.kernel.org/4.4.170-034-ALSA-hda-add-mute-LED-support-for-HP-EliteBoo.patch new file mode 100644 index 0000000000..ef3103a76b --- /dev/null +++ b/patches.kernel.org/4.4.170-034-ALSA-hda-add-mute-LED-support-for-HP-EliteBoo.patch @@ -0,0 +1,41 @@ +From: =?UTF-8?q?Mantas=20Mikul=C4=97nas?= <grawity@gmail.com> +Date: Sun, 16 Dec 2018 15:44:47 +0200 +Subject: [PATCH] ALSA: hda: add mute LED support for HP EliteBook 840 G4 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 40906ebe3af6a48457151b3c6726b480f6a6cb13 + +commit 40906ebe3af6a48457151b3c6726b480f6a6cb13 upstream. + +Tested with 4.19.9. + +v2: Changed from CXT_FIXUP_MUTE_LED_GPIO to CXT_FIXUP_HP_DOCK because + that's what the existing fixups for EliteBooks use. + +Signed-off-by: Mantas Mikulėnas <grawity@gmail.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c +index aea3cc2abe3a..536184ac315d 100644 +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -853,6 +853,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = { + SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK), ++ SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE), +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-035-ALSA-hda-tegra-clear-pending-irq-handlers.patch b/patches.kernel.org/4.4.170-035-ALSA-hda-tegra-clear-pending-irq-handlers.patch new file mode 100644 index 0000000000..e4093a3f7d --- /dev/null +++ b/patches.kernel.org/4.4.170-035-ALSA-hda-tegra-clear-pending-irq-handlers.patch @@ -0,0 +1,48 @@ +From: Sameer Pujar <spujar@nvidia.com> +Date: Wed, 26 Dec 2018 16:04:49 +0530 +Subject: [PATCH] ALSA: hda/tegra: clear pending irq handlers +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 63d2a9ec310d8bcc955574220d4631aa55c1a80c + +commit 63d2a9ec310d8bcc955574220d4631aa55c1a80c upstream. + +Even after disabling interrupts on the module, it could be possible +that irq handlers are still running. System hang is seen during +suspend path. It was found that, there were pending writes on the +HDA bus and clock was disabled by that time. + +Above mentioned issue is fixed by clearing any pending irq handlers +before disabling clocks and returning from hda suspend. + +Suggested-by: Mohan Kumar <mkumard@nvidia.com> +Suggested-by: Dara Ramesh <dramesh@nvidia.com> +Signed-off-by: Sameer Pujar <spujar@nvidia.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/pci/hda/hda_tegra.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/pci/hda/hda_tegra.c b/sound/pci/hda/hda_tegra.c +index 17fd81736d3d..039fbbb1e53c 100644 +--- a/sound/pci/hda/hda_tegra.c ++++ b/sound/pci/hda/hda_tegra.c +@@ -249,10 +249,12 @@ static int hda_tegra_suspend(struct device *dev) + struct snd_card *card = dev_get_drvdata(dev); + struct azx *chip = card->private_data; + struct hda_tegra *hda = container_of(chip, struct hda_tegra, chip); ++ struct hdac_bus *bus = azx_bus(chip); + + snd_power_change_state(card, SNDRV_CTL_POWER_D3hot); + + azx_stop_chip(chip); ++ synchronize_irq(bus->irq); + azx_enter_link_reset(chip); + hda_tegra_disable_clocks(hda); + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-036-USB-serial-pl2303-add-ids-for-Hewlett-Packard.patch b/patches.kernel.org/4.4.170-036-USB-serial-pl2303-add-ids-for-Hewlett-Packard.patch new file mode 100644 index 0000000000..03a460300b --- /dev/null +++ b/patches.kernel.org/4.4.170-036-USB-serial-pl2303-add-ids-for-Hewlett-Packard.patch @@ -0,0 +1,69 @@ +From: Scott Chen <scott@labau.com.tw> +Date: Thu, 13 Dec 2018 06:01:47 -0500 +Subject: [PATCH] USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole + displays +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 8d503f206c336677954160ac62f0c7d9c219cd89 + +commit 8d503f206c336677954160ac62f0c7d9c219cd89 upstream. + +Add device ids to pl2303 for the HP POS pole displays: +LM920: 03f0:026b +TD620: 03f0:0956 +LD960TA: 03f0:4439 +LD220TA: 03f0:4349 +LM940: 03f0:5039 + +Signed-off-by: Scott Chen <scott@labau.com.tw> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/serial/pl2303.c | 5 +++++ + drivers/usb/serial/pl2303.h | 5 +++++ + 2 files changed, 10 insertions(+) + +diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c +index 3da25ad267a2..4966768d3c98 100644 +--- a/drivers/usb/serial/pl2303.c ++++ b/drivers/usb/serial/pl2303.c +@@ -86,9 +86,14 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(YCCABLE_VENDOR_ID, YCCABLE_PRODUCT_ID) }, + { USB_DEVICE(SUPERIAL_VENDOR_ID, SUPERIAL_PRODUCT_ID) }, + { USB_DEVICE(HP_VENDOR_ID, HP_LD220_PRODUCT_ID) }, ++ { USB_DEVICE(HP_VENDOR_ID, HP_LD220TA_PRODUCT_ID) }, + { USB_DEVICE(HP_VENDOR_ID, HP_LD960_PRODUCT_ID) }, ++ { USB_DEVICE(HP_VENDOR_ID, HP_LD960TA_PRODUCT_ID) }, + { USB_DEVICE(HP_VENDOR_ID, HP_LCM220_PRODUCT_ID) }, + { USB_DEVICE(HP_VENDOR_ID, HP_LCM960_PRODUCT_ID) }, ++ { USB_DEVICE(HP_VENDOR_ID, HP_LM920_PRODUCT_ID) }, ++ { USB_DEVICE(HP_VENDOR_ID, HP_LM940_PRODUCT_ID) }, ++ { USB_DEVICE(HP_VENDOR_ID, HP_TD620_PRODUCT_ID) }, + { USB_DEVICE(CRESSI_VENDOR_ID, CRESSI_EDY_PRODUCT_ID) }, + { USB_DEVICE(ZEAGLE_VENDOR_ID, ZEAGLE_N2ITION3_PRODUCT_ID) }, + { USB_DEVICE(SONY_VENDOR_ID, SONY_QN3USB_PRODUCT_ID) }, +diff --git a/drivers/usb/serial/pl2303.h b/drivers/usb/serial/pl2303.h +index 123289085ee2..a84f0959ab34 100644 +--- a/drivers/usb/serial/pl2303.h ++++ b/drivers/usb/serial/pl2303.h +@@ -123,10 +123,15 @@ + + /* Hewlett-Packard POS Pole Displays */ + #define HP_VENDOR_ID 0x03f0 ++#define HP_LM920_PRODUCT_ID 0x026b ++#define HP_TD620_PRODUCT_ID 0x0956 + #define HP_LD960_PRODUCT_ID 0x0b39 + #define HP_LCM220_PRODUCT_ID 0x3139 + #define HP_LCM960_PRODUCT_ID 0x3239 + #define HP_LD220_PRODUCT_ID 0x3524 ++#define HP_LD220TA_PRODUCT_ID 0x4349 ++#define HP_LD960TA_PRODUCT_ID 0x4439 ++#define HP_LM940_PRODUCT_ID 0x5039 + + /* Cressi Edy (diving computer) PC interface */ + #define CRESSI_VENDOR_ID 0x04b8 +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-037-USB-serial-option-add-Fibocom-NL678-series.patch b/patches.kernel.org/4.4.170-037-USB-serial-option-add-Fibocom-NL678-series.patch new file mode 100644 index 0000000000..9d07704c7e --- /dev/null +++ b/patches.kernel.org/4.4.170-037-USB-serial-option-add-Fibocom-NL678-series.patch @@ -0,0 +1,72 @@ +From: =?UTF-8?q?J=C3=B6rgen=20Storvist?= <jorgen.storvist@gmail.com> +Date: Fri, 21 Dec 2018 14:40:44 +0100 +Subject: [PATCH] USB: serial: option: add Fibocom NL678 series +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 4b2c01ad902ec02fa962b233decd2f14be3714ba + +commit 4b2c01ad902ec02fa962b233decd2f14be3714ba upstream. + +Added USB serial option driver support for Fibocom NL678 series cellular +module: VID 2cb7 and PIDs 0x0104 and 0x0105. +Reserved network and ADB interfaces. + +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=2cb7 ProdID=0104 Rev=03.10 +S: Manufacturer=Fibocom +S: Product=Fibocom NL678-E Modem +S: SerialNumber=12345678 +C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) + +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 3 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=2cb7 ProdID=0105 Rev=03.10 +S: Manufacturer=Fibocom +S: Product=Fibocom NL678-E Modem +S: SerialNumber=12345678 +C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 4 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether +I: If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether +I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) + +Signed-off-by: Jörgen Storvist <jorgen.storvist@gmail.com> +Cc: stable <stable@vger.kernel.org> +Acked-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/serial/option.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 1e3445dd84b2..7bc2c9fef605 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1956,6 +1956,10 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) }, + { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 */ + .driver_info = RSVD(4) | RSVD(5) | RSVD(6) }, ++ { USB_DEVICE(0x2cb7, 0x0104), /* Fibocom NL678 series */ ++ .driver_info = RSVD(4) | RSVD(5) }, ++ { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0105, 0xff), /* Fibocom NL678 series */ ++ .driver_info = RSVD(6) }, + { } /* Terminating entry */ + }; + MODULE_DEVICE_TABLE(usb, option_ids); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-038-usb-r8a66597-Fix-a-possible-concurrency-use-a.patch b/patches.kernel.org/4.4.170-038-usb-r8a66597-Fix-a-possible-concurrency-use-a.patch new file mode 100644 index 0000000000..9668882407 --- /dev/null +++ b/patches.kernel.org/4.4.170-038-usb-r8a66597-Fix-a-possible-concurrency-use-a.patch @@ -0,0 +1,73 @@ +From: Jia-Ju Bai <baijiaju1990@gmail.com> +Date: Tue, 18 Dec 2018 20:04:25 +0800 +Subject: [PATCH] usb: r8a66597: Fix a possible concurrency use-after-free bug + in r8a66597_endpoint_disable() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: c85400f886e3d41e69966470879f635a2b50084c + +commit c85400f886e3d41e69966470879f635a2b50084c upstream. + +The function r8a66597_endpoint_disable() and r8a66597_urb_enqueue() may +be concurrently executed. +The two functions both access a possible shared variable "hep->hcpriv". + +This shared variable is freed by r8a66597_endpoint_disable() via the +call path: +r8a66597_endpoint_disable + kfree(hep->hcpriv) (line 1995 in Linux-4.19) + +This variable is read by r8a66597_urb_enqueue() via the call path: +r8a66597_urb_enqueue + spin_lock_irqsave(&r8a66597->lock) + init_pipe_info + enable_r8a66597_pipe + pipe = hep->hcpriv (line 802 in Linux-4.19) + +The read operation is protected by a spinlock, but the free operation +is not protected by this spinlock, thus a concurrency use-after-free bug +may occur. + +To fix this bug, the spin-lock and spin-unlock function calls in +r8a66597_endpoint_disable() are moved to protect the free operation. + +Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/host/r8a66597-hcd.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/r8a66597-hcd.c b/drivers/usb/host/r8a66597-hcd.c +index a11c2c8bda53..a217f71b45c6 100644 +--- a/drivers/usb/host/r8a66597-hcd.c ++++ b/drivers/usb/host/r8a66597-hcd.c +@@ -1990,6 +1990,8 @@ static int r8a66597_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, + + static void r8a66597_endpoint_disable(struct usb_hcd *hcd, + struct usb_host_endpoint *hep) ++__acquires(r8a66597->lock) ++__releases(r8a66597->lock) + { + struct r8a66597 *r8a66597 = hcd_to_r8a66597(hcd); + struct r8a66597_pipe *pipe = (struct r8a66597_pipe *)hep->hcpriv; +@@ -2002,13 +2004,14 @@ static void r8a66597_endpoint_disable(struct usb_hcd *hcd, + return; + pipenum = pipe->info.pipenum; + ++ spin_lock_irqsave(&r8a66597->lock, flags); + if (pipenum == 0) { + kfree(hep->hcpriv); + hep->hcpriv = NULL; ++ spin_unlock_irqrestore(&r8a66597->lock, flags); + return; + } + +- spin_lock_irqsave(&r8a66597->lock, flags); + pipe_stop(r8a66597, pipe); + pipe_irq_disable(r8a66597, pipenum); + disable_irq_empty(r8a66597, pipenum); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-039-Input-elan_i2c-add-ACPI-ID-for-touchpad-in-AS.patch b/patches.kernel.org/4.4.170-039-Input-elan_i2c-add-ACPI-ID-for-touchpad-in-AS.patch new file mode 100644 index 0000000000..f43389f72a --- /dev/null +++ b/patches.kernel.org/4.4.170-039-Input-elan_i2c-add-ACPI-ID-for-touchpad-in-AS.patch @@ -0,0 +1,37 @@ +From: Patrick Dreyer <Patrick@Dreyer.name> +Date: Sun, 23 Dec 2018 10:06:35 -0800 +Subject: [PATCH] Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire + F5-573G +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 7db54c89f0b30a101584e09d3729144e6170059d + +commit 7db54c89f0b30a101584e09d3729144e6170059d upstream. + +This adds ELAN0501 to the ACPI table to support Elan touchpad found in ASUS +Aspire F5-573G. + +Signed-off-by: Patrick Dreyer <Patrick.Dreyer@gmail.com> +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/input/mouse/elan_i2c_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c +index 471984ec2db0..30adc5745cba 100644 +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -1240,6 +1240,7 @@ MODULE_DEVICE_TABLE(i2c, elan_id); + static const struct acpi_device_id elan_acpi_id[] = { + { "ELAN0000", 0 }, + { "ELAN0100", 0 }, ++ { "ELAN0501", 0 }, + { "ELAN0600", 0 }, + { "ELAN0602", 0 }, + { "ELAN0605", 0 }, +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-040-KVM-x86-Use-jmp-to-invoke-kvm_spurious_fault-.patch b/patches.kernel.org/4.4.170-040-KVM-x86-Use-jmp-to-invoke-kvm_spurious_fault-.patch new file mode 100644 index 0000000000..e2f6310bd3 --- /dev/null +++ b/patches.kernel.org/4.4.170-040-KVM-x86-Use-jmp-to-invoke-kvm_spurious_fault-.patch @@ -0,0 +1,141 @@ +From: Sean Christopherson <sean.j.christopherson@intel.com> +Date: Thu, 20 Dec 2018 14:21:08 -0800 +Subject: [PATCH] KVM: x86: Use jmp to invoke kvm_spurious_fault() from .fixup +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: e81434995081fd7efb755fd75576b35dbb0850b1 + +commit e81434995081fd7efb755fd75576b35dbb0850b1 upstream. + +____kvm_handle_fault_on_reboot() provides a generic exception fixup +handler that is used to cleanly handle faults on VMX/SVM instructions +during reboot (or at least try to). If there isn't a reboot in +progress, ____kvm_handle_fault_on_reboot() treats any exception as +fatal to KVM and invokes kvm_spurious_fault(), which in turn generates +a BUG() to get a stack trace and die. + +When it was originally added by commit 4ecac3fd6dc2 ("KVM: Handle +virtualization instruction #UD faults during reboot"), the "call" to +kvm_spurious_fault() was handcoded as PUSH+JMP, where the PUSH'd value +is the RIP of the faulting instructing. + +The PUSH+JMP trickery is necessary because the exception fixup handler +code lies outside of its associated function, e.g. right after the +function. An actual CALL from the .fixup code would show a slightly +bogus stack trace, e.g. an extra "random" function would be inserted +into the trace, as the return RIP on the stack would point to no known +function (and the unwinder will likely try to guess who owns the RIP). + +Unfortunately, the JMP was replaced with a CALL when the macro was +reworked to not spin indefinitely during reboot (commit b7c4145ba2eb +"KVM: Don't spin on virt instruction faults during reboot"). This +causes the aforementioned behavior where a bogus function is inserted +into the stack trace, e.g. my builds like to blame free_kvm_area(). + +Revert the CALL back to a JMP. The changelog for commit b7c4145ba2eb +("KVM: Don't spin on virt instruction faults during reboot") contains +nothing that indicates the switch to CALL was deliberate. This is +backed up by the fact that the PUSH <insn RIP> was left intact. + +Note that an alternative to the PUSH+JMP magic would be to JMP back +to the "real" code and CALL from there, but that would require adding +a JMP in the non-faulting path to avoid calling kvm_spurious_fault() +and would add no value, i.e. the stack trace would be the same. + +Using CALL: + +------------[ cut here ]------------ +kernel BUG at /home/sean/go/src/kernel.org/linux/arch/x86/kvm/x86.c:356! +invalid opcode: 0000 [#1] SMP +CPU: 4 PID: 1057 Comm: qemu-system-x86 Not tainted 4.20.0-rc6+ #75 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 +RIP: 0010:kvm_spurious_fault+0x5/0x10 [kvm] +Code: <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 55 49 89 fd 41 +RSP: 0018:ffffc900004bbcc8 EFLAGS: 00010046 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffffffffff +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: ffff888273fd8000 R08: 00000000000003e8 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000784 R12: ffffc90000371fb0 +R13: 0000000000000000 R14: 000000026d763cf4 R15: ffff888273fd8000 +FS: 00007f3d69691700(0000) GS:ffff888277800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000055f89bc56fe0 CR3: 0000000271a5a001 CR4: 0000000000362ee0 +Call Trace: + free_kvm_area+0x1044/0x43ea [kvm_intel] + ? vmx_vcpu_run+0x156/0x630 [kvm_intel] + ? kvm_arch_vcpu_ioctl_run+0x447/0x1a40 [kvm] + ? kvm_vcpu_ioctl+0x368/0x5c0 [kvm] + ? kvm_vcpu_ioctl+0x368/0x5c0 [kvm] + ? __set_task_blocked+0x38/0x90 + ? __set_current_blocked+0x50/0x60 + ? __fpu__restore_sig+0x97/0x490 + ? do_vfs_ioctl+0xa1/0x620 + ? __x64_sys_futex+0x89/0x180 + ? ksys_ioctl+0x66/0x70 + ? __x64_sys_ioctl+0x16/0x20 + ? do_syscall_64+0x4f/0x100 + ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 +Modules linked in: vhost_net vhost tap kvm_intel kvm irqbypass bridge stp llc +---[ end trace 9775b14b123b1713 ]--- + +Using JMP: + +------------[ cut here ]------------ +kernel BUG at /home/sean/go/src/kernel.org/linux/arch/x86/kvm/x86.c:356! +invalid opcode: 0000 [#1] SMP +CPU: 6 PID: 1067 Comm: qemu-system-x86 Not tainted 4.20.0-rc6+ #75 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 +RIP: 0010:kvm_spurious_fault+0x5/0x10 [kvm] +Code: <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 55 49 89 fd 41 +RSP: 0018:ffffc90000497cd0 EFLAGS: 00010046 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffffffffff +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: ffff88827058bd40 R08: 00000000000003e8 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000784 R12: ffffc90000369fb0 +R13: 0000000000000000 R14: 00000003c8fc6642 R15: ffff88827058bd40 +FS: 00007f3d7219e700(0000) GS:ffff888277900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f3d64001000 CR3: 0000000271c6b004 CR4: 0000000000362ee0 +Call Trace: + vmx_vcpu_run+0x156/0x630 [kvm_intel] + ? kvm_arch_vcpu_ioctl_run+0x447/0x1a40 [kvm] + ? kvm_vcpu_ioctl+0x368/0x5c0 [kvm] + ? kvm_vcpu_ioctl+0x368/0x5c0 [kvm] + ? __set_task_blocked+0x38/0x90 + ? __set_current_blocked+0x50/0x60 + ? __fpu__restore_sig+0x97/0x490 + ? do_vfs_ioctl+0xa1/0x620 + ? __x64_sys_futex+0x89/0x180 + ? ksys_ioctl+0x66/0x70 + ? __x64_sys_ioctl+0x16/0x20 + ? do_syscall_64+0x4f/0x100 + ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 +Modules linked in: vhost_net vhost tap kvm_intel kvm irqbypass bridge stp llc +---[ end trace f9daedb85ab3ddba ]--- + +Fixes: b7c4145ba2eb ("KVM: Don't spin on virt instruction faults during reboot") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/x86/include/asm/kvm_host.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h +index c048d0d70cc4..2cb49ac1b2b2 100644 +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1200,7 +1200,7 @@ asmlinkage void kvm_spurious_fault(void); + "cmpb $0, kvm_rebooting \n\t" \ + "jne 668b \n\t" \ + __ASM_SIZE(push) " $666b \n\t" \ +- "call kvm_spurious_fault \n\t" \ ++ "jmp kvm_spurious_fault \n\t" \ + ".popsection \n\t" \ + _ASM_EXTABLE(666b, 667b) + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-041-perf-pmu-Suppress-potential-format-truncation.patch b/patches.kernel.org/4.4.170-041-perf-pmu-Suppress-potential-format-truncation.patch new file mode 100644 index 0000000000..a885ff8200 --- /dev/null +++ b/patches.kernel.org/4.4.170-041-perf-pmu-Suppress-potential-format-truncation.patch @@ -0,0 +1,81 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Sun, 11 Nov 2018 18:45:24 +0000 +Subject: [PATCH] perf pmu: Suppress potential format-truncation warning +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 11a64a05dc649815670b1be9fe63d205cb076401 + +commit 11a64a05dc649815670b1be9fe63d205cb076401 upstream. + +Depending on which functions are inlined in util/pmu.c, the snprintf() +calls in perf_pmu__parse_{scale,unit,per_pkg,snapshot}() might trigger a +warning: + + util/pmu.c: In function 'pmu_aliases': + util/pmu.c:178:31: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size between 0 and 4095 [-Werror=format-truncation=] + snprintf(path, PATH_MAX, "%s/%s.unit", dir, name); + ^~ + +I found this when trying to build perf from Linux 3.16 with gcc 8. +However I can reproduce the problem in mainline if I force +__perf_pmu__new_alias() to be inlined. + +Suppress this by using scnprintf() as has been done elsewhere in perf. + +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> +Cc: Jiri Olsa <jolsa@redhat.com> +Cc: Namhyung Kim <namhyung@kernel.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: stable@vger.kernel.org +Link: http://lkml.kernel.org/r/20181111184524.fux4taownc6ndbx6@decadent.org.uk +Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + tools/perf/util/pmu.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c +index 593066c68e3d..4f650ebd564a 100644 +--- a/tools/perf/util/pmu.c ++++ b/tools/perf/util/pmu.c +@@ -100,7 +100,7 @@ static int perf_pmu__parse_scale(struct perf_pmu_alias *alias, char *dir, char * + char path[PATH_MAX]; + const char *lc; + +- snprintf(path, PATH_MAX, "%s/%s.scale", dir, name); ++ scnprintf(path, PATH_MAX, "%s/%s.scale", dir, name); + + fd = open(path, O_RDONLY); + if (fd == -1) +@@ -147,7 +147,7 @@ static int perf_pmu__parse_unit(struct perf_pmu_alias *alias, char *dir, char *n + ssize_t sret; + int fd; + +- snprintf(path, PATH_MAX, "%s/%s.unit", dir, name); ++ scnprintf(path, PATH_MAX, "%s/%s.unit", dir, name); + + fd = open(path, O_RDONLY); + if (fd == -1) +@@ -177,7 +177,7 @@ perf_pmu__parse_per_pkg(struct perf_pmu_alias *alias, char *dir, char *name) + char path[PATH_MAX]; + int fd; + +- snprintf(path, PATH_MAX, "%s/%s.per-pkg", dir, name); ++ scnprintf(path, PATH_MAX, "%s/%s.per-pkg", dir, name); + + fd = open(path, O_RDONLY); + if (fd == -1) +@@ -195,7 +195,7 @@ static int perf_pmu__parse_snapshot(struct perf_pmu_alias *alias, + char path[PATH_MAX]; + int fd; + +- snprintf(path, PATH_MAX, "%s/%s.snapshot", dir, name); ++ scnprintf(path, PATH_MAX, "%s/%s.snapshot", dir, name); + + fd = open(path, O_RDONLY); + if (fd == -1) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-042-ext4-fix-possible-use-after-free-in-ext4_quot.patch b/patches.kernel.org/4.4.170-042-ext4-fix-possible-use-after-free-in-ext4_quot.patch new file mode 100644 index 0000000000..839ca4c7ed --- /dev/null +++ b/patches.kernel.org/4.4.170-042-ext4-fix-possible-use-after-free-in-ext4_quot.patch @@ -0,0 +1,42 @@ +From: Pan Bian <bianpan2016@163.com> +Date: Mon, 3 Dec 2018 23:28:02 -0500 +Subject: [PATCH] ext4: fix possible use after free in ext4_quota_enable +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 61157b24e60fb3cd1f85f2c76a7b1d628f970144 + +commit 61157b24e60fb3cd1f85f2c76a7b1d628f970144 upstream. + +The function frees qf_inode via iput but then pass qf_inode to +lockdep_set_quota_inode on the failure path. This may result in a +use-after-free bug. The patch frees df_inode only when it is never used. + +Fixes: daf647d2dd5 ("ext4: add lockdep annotations for i_data_sem") +Cc: stable@kernel.org # 4.6 +Reviewed-by: Jan Kara <jack@suse.cz> +Signed-off-by: Pan Bian <bianpan2016@163.com> +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/ext4/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index cd9cd581fd92..62a6b75969cf 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5184,9 +5184,9 @@ static int ext4_quota_enable(struct super_block *sb, int type, int format_id, + qf_inode->i_flags |= S_NOQUOTA; + lockdep_set_quota_inode(qf_inode, I_DATA_SEM_QUOTA); + err = dquot_enable(qf_inode, type, format_id, flags); +- iput(qf_inode); + if (err) + lockdep_set_quota_inode(qf_inode, I_DATA_SEM_NORMAL); ++ iput(qf_inode); + + return err; + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-043-ext4-missing-unlock-put_page-in-ext4_try_to_w.patch b/patches.kernel.org/4.4.170-043-ext4-missing-unlock-put_page-in-ext4_try_to_w.patch new file mode 100644 index 0000000000..8b00b9a607 --- /dev/null +++ b/patches.kernel.org/4.4.170-043-ext4-missing-unlock-put_page-in-ext4_try_to_w.patch @@ -0,0 +1,43 @@ +From: Maurizio Lombardi <mlombard@redhat.com> +Date: Tue, 4 Dec 2018 00:06:53 -0500 +Subject: [PATCH] ext4: missing unlock/put_page() in + ext4_try_to_write_inline_data() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 132d00becb31e88469334e1e62751c81345280e0 + +commit 132d00becb31e88469334e1e62751c81345280e0 upstream. + +In case of error, ext4_try_to_write_inline_data() should unlock +and release the page it holds. + +Fixes: f19d5870cbf7 ("ext4: add normal write support for inline data") +Cc: stable@kernel.org # 3.8 +Signed-off-by: Maurizio Lombardi <mlombard@redhat.com> +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/ext4/inline.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index 1aec46733ef8..46d4fac48cf4 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -701,8 +701,11 @@ int ext4_try_to_write_inline_data(struct address_space *mapping, + + if (!PageUptodate(page)) { + ret = ext4_read_inline_page(inode, page); +- if (ret < 0) ++ if (ret < 0) { ++ unlock_page(page); ++ put_page(page); + goto out_up_read; ++ } + } + + ret = 1; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-044-ext4-fix-EXT4_IOC_GROUP_ADD-ioctl.patch b/patches.kernel.org/4.4.170-044-ext4-fix-EXT4_IOC_GROUP_ADD-ioctl.patch new file mode 100644 index 0000000000..6983fbfaa1 --- /dev/null +++ b/patches.kernel.org/4.4.170-044-ext4-fix-EXT4_IOC_GROUP_ADD-ioctl.patch @@ -0,0 +1,45 @@ +From: =?UTF-8?q?ruippan=20=28=E6=BD=98=E7=9D=BF=29?= <ruippan@tencent.com> +Date: Tue, 4 Dec 2018 01:04:12 -0500 +Subject: [PATCH] ext4: fix EXT4_IOC_GROUP_ADD ioctl +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: e647e29196b7f802f8242c39ecb7cc937f5ef217 + +commit e647e29196b7f802f8242c39ecb7cc937f5ef217 upstream. + +Commit e2b911c53584 ("ext4: clean up feature test macros with +predicate functions") broke the EXT4_IOC_GROUP_ADD ioctl. This was +not noticed since only very old versions of resize2fs (before +e2fsprogs 1.42) use this ioctl. However, using a new kernel with an +enterprise Linux userspace will cause attempts to use online resize to +fail with "No reserved GDT blocks". + +Fixes: e2b911c53584 ("ext4: clean up feature test macros with predicate...") +Cc: stable@kernel.org # v4.4 +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Signed-off-by: ruippan (潘睿) <ruippan@tencent.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/ext4/resize.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index bad13f049fb0..2fc1564f62dd 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -1600,7 +1600,7 @@ int ext4_group_add(struct super_block *sb, struct ext4_new_group_data *input) + } + + if (reserved_gdb || gdb_off == 0) { +- if (ext4_has_feature_resize_inode(sb) || ++ if (!ext4_has_feature_resize_inode(sb) || + !le16_to_cpu(es->s_reserved_gdt_blocks)) { + ext4_warning(sb, + "No reserved GDT blocks, can't resize"); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-045-ext4-force-inode-writes-when-nfsd-calls-commi.patch b/patches.kernel.org/4.4.170-045-ext4-force-inode-writes-when-nfsd-calls-commi.patch new file mode 100644 index 0000000000..a0adffcf72 --- /dev/null +++ b/patches.kernel.org/4.4.170-045-ext4-force-inode-writes-when-nfsd-calls-commi.patch @@ -0,0 +1,93 @@ +From: Theodore Ts'o <tytso@mit.edu> +Date: Wed, 19 Dec 2018 14:07:58 -0500 +Subject: [PATCH] ext4: force inode writes when nfsd calls commit_metadata() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: fde872682e175743e0c3ef939c89e3c6008a1529 + +commit fde872682e175743e0c3ef939c89e3c6008a1529 upstream. + +Some time back, nfsd switched from calling vfs_fsync() to using a new +commit_metadata() hook in export_operations(). If the file system did +not provide a commit_metadata() hook, it fell back to using +sync_inode_metadata(). Unfortunately doesn't work on all file +systems. In particular, it doesn't work on ext4 due to how the inode +gets journalled --- the VFS writeback code will not always call +ext4_write_inode(). + +So we need to provide our own ext4_nfs_commit_metdata() method which +calls ext4_write_inode() directly. + +Google-Bug-Id: 121195940 +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/ext4/super.c | 11 +++++++++++ + include/trace/events/ext4.h | 20 ++++++++++++++++++++ + 2 files changed, 31 insertions(+) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 62a6b75969cf..6a7df72cb3da 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1049,6 +1049,16 @@ static struct dentry *ext4_fh_to_parent(struct super_block *sb, struct fid *fid, + ext4_nfs_get_inode); + } + ++static int ext4_nfs_commit_metadata(struct inode *inode) ++{ ++ struct writeback_control wbc = { ++ .sync_mode = WB_SYNC_ALL ++ }; ++ ++ trace_ext4_nfs_commit_metadata(inode); ++ return ext4_write_inode(inode, &wbc); ++} ++ + /* + * Try to release metadata pages (indirect blocks, directories) which are + * mapped via the block device. Since these pages could have journal heads +@@ -1143,6 +1153,7 @@ static const struct export_operations ext4_export_ops = { + .fh_to_dentry = ext4_fh_to_dentry, + .fh_to_parent = ext4_fh_to_parent, + .get_parent = ext4_get_parent, ++ .commit_metadata = ext4_nfs_commit_metadata, + }; + + enum { +diff --git a/include/trace/events/ext4.h b/include/trace/events/ext4.h +index 594b4b29a224..7ef11b97cb2a 100644 +--- a/include/trace/events/ext4.h ++++ b/include/trace/events/ext4.h +@@ -223,6 +223,26 @@ TRACE_EVENT(ext4_drop_inode, + (unsigned long) __entry->ino, __entry->drop) + ); + ++TRACE_EVENT(ext4_nfs_commit_metadata, ++ TP_PROTO(struct inode *inode), ++ ++ TP_ARGS(inode), ++ ++ TP_STRUCT__entry( ++ __field( dev_t, dev ) ++ __field( ino_t, ino ) ++ ), ++ ++ TP_fast_assign( ++ __entry->dev = inode->i_sb->s_dev; ++ __entry->ino = inode->i_ino; ++ ), ++ ++ TP_printk("dev %d,%d ino %lu", ++ MAJOR(__entry->dev), MINOR(__entry->dev), ++ (unsigned long) __entry->ino) ++); ++ + TRACE_EVENT(ext4_mark_inode_dirty, + TP_PROTO(struct inode *inode, unsigned long IP), + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-046-spi-bcm2835-Fix-race-on-DMA-termination.patch b/patches.kernel.org/4.4.170-046-spi-bcm2835-Fix-race-on-DMA-termination.patch new file mode 100644 index 0000000000..438d96da60 --- /dev/null +++ b/patches.kernel.org/4.4.170-046-spi-bcm2835-Fix-race-on-DMA-termination.patch @@ -0,0 +1,67 @@ +From: Lukas Wunner <lukas@wunner.de> +Date: Thu, 8 Nov 2018 08:06:10 +0100 +Subject: [PATCH] spi: bcm2835: Fix race on DMA termination +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: e82b0b3828451c1cd331d9f304c6078fcd43b62e + +commit e82b0b3828451c1cd331d9f304c6078fcd43b62e upstream. + +If a DMA transfer finishes orderly right when spi_transfer_one_message() +determines that it has timed out, the callbacks bcm2835_spi_dma_done() +and bcm2835_spi_handle_err() race to call dmaengine_terminate_all(), +potentially leading to double termination. + +Prevent by atomically changing the dma_pending flag before calling +dmaengine_terminate_all(). + +Signed-off-by: Lukas Wunner <lukas@wunner.de> +Fixes: 3ecd37edaa2a ("spi: bcm2835: enable dma modes for transfers meeting certain conditions") +Cc: stable@vger.kernel.org # v4.2+ +Cc: Mathias Duckeck <m.duckeck@kunbus.de> +Cc: Frank Pavlic <f.pavlic@kunbus.de> +Cc: Martin Sperl <kernel@martin.sperl.org> +Cc: Noralf Trønnes <noralf@tronnes.org> +Signed-off-by: Mark Brown <broonie@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/spi/spi-bcm2835.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c +index cf04960cc3e6..62875d855627 100644 +--- a/drivers/spi/spi-bcm2835.c ++++ b/drivers/spi/spi-bcm2835.c +@@ -233,10 +233,9 @@ static void bcm2835_spi_dma_done(void *data) + * is called the tx-dma must have finished - can't get to this + * situation otherwise... + */ +- dmaengine_terminate_all(master->dma_tx); +- +- /* mark as no longer pending */ +- bs->dma_pending = 0; ++ if (cmpxchg(&bs->dma_pending, true, false)) { ++ dmaengine_terminate_all(master->dma_tx); ++ } + + /* and mark as completed */; + complete(&master->xfer_completion); +@@ -617,10 +616,9 @@ static void bcm2835_spi_handle_err(struct spi_master *master, + struct bcm2835_spi *bs = spi_master_get_devdata(master); + + /* if an error occurred and we have an active dma, then terminate */ +- if (bs->dma_pending) { ++ if (cmpxchg(&bs->dma_pending, true, false)) { + dmaengine_terminate_all(master->dma_tx); + dmaengine_terminate_all(master->dma_rx); +- bs->dma_pending = 0; + } + /* and reset */ + bcm2835_spi_reset_hw(master); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-047-spi-bcm2835-Fix-book-keeping-of-DMA-terminati.patch b/patches.kernel.org/4.4.170-047-spi-bcm2835-Fix-book-keeping-of-DMA-terminati.patch new file mode 100644 index 0000000000..27062809cc --- /dev/null +++ b/patches.kernel.org/4.4.170-047-spi-bcm2835-Fix-book-keeping-of-DMA-terminati.patch @@ -0,0 +1,50 @@ +From: Lukas Wunner <lukas@wunner.de> +Date: Thu, 8 Nov 2018 08:06:10 +0100 +Subject: [PATCH] spi: bcm2835: Fix book-keeping of DMA termination +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: dbc944115eed48af110646992893dc43321368d8 + +commit dbc944115eed48af110646992893dc43321368d8 upstream. + +If submission of a DMA TX transfer succeeds but submission of the +corresponding RX transfer does not, the BCM2835 SPI driver terminates +the TX transfer but neglects to reset the dma_pending flag to false. + +Thus, if the next transfer uses interrupt mode (because it is shorter +than BCM2835_SPI_DMA_MIN_LENGTH) and runs into a timeout, +dmaengine_terminate_all() will be called both for TX (once more) and +for RX (which was never started in the first place). Fix it. + +Signed-off-by: Lukas Wunner <lukas@wunner.de> +Fixes: 3ecd37edaa2a ("spi: bcm2835: enable dma modes for transfers meeting certain conditions") +Cc: stable@vger.kernel.org # v4.2+ +Cc: Mathias Duckeck <m.duckeck@kunbus.de> +Cc: Frank Pavlic <f.pavlic@kunbus.de> +Cc: Martin Sperl <kernel@martin.sperl.org> +Cc: Noralf Trønnes <noralf@tronnes.org> +Signed-off-by: Mark Brown <broonie@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/spi/spi-bcm2835.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c +index 62875d855627..bb0ea7b578d1 100644 +--- a/drivers/spi/spi-bcm2835.c ++++ b/drivers/spi/spi-bcm2835.c +@@ -341,6 +341,7 @@ static int bcm2835_spi_transfer_one_dma(struct spi_master *master, + if (ret) { + /* need to reset on errors */ + dmaengine_terminate_all(master->dma_tx); ++ bs->dma_pending = false; + bcm2835_spi_reset_hw(master); + return ret; + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-048-spi-bcm2835-Avoid-finishing-transfer-prematur.patch b/patches.kernel.org/4.4.170-048-spi-bcm2835-Avoid-finishing-transfer-prematur.patch new file mode 100644 index 0000000000..39b6953854 --- /dev/null +++ b/patches.kernel.org/4.4.170-048-spi-bcm2835-Avoid-finishing-transfer-prematur.patch @@ -0,0 +1,66 @@ +From: Lukas Wunner <lukas@wunner.de> +Date: Thu, 8 Nov 2018 08:06:10 +0100 +Subject: [PATCH] spi: bcm2835: Avoid finishing transfer prematurely in IRQ + mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 56c1723426d3cfd4723bfbfce531d7b38bae6266 + +commit 56c1723426d3cfd4723bfbfce531d7b38bae6266 upstream. + +The IRQ handler bcm2835_spi_interrupt() first reads as much as possible +from the RX FIFO, then writes as much as possible to the TX FIFO. +Afterwards it decides whether the transfer is finished by checking if +the TX FIFO is empty. + +If very few bytes were written to the TX FIFO, they may already have +been transmitted by the time the FIFO's emptiness is checked. As a +result, the transfer will be declared finished and the chip will be +reset without reading the corresponding received bytes from the RX FIFO. + +The odds of this happening increase with a high clock frequency (such +that the TX FIFO drains quickly) and either passing "threadirqs" on the +command line or enabling CONFIG_PREEMPT_RT_BASE (such that the IRQ +handler may be preempted between filling the TX FIFO and checking its +emptiness). + +Fix by instead checking whether rx_len has reached zero, which means +that the transfer has been received in full. This is also more +efficient as it avoids one bus read access per interrupt. Note that +bcm2835_spi_transfer_one_poll() likewise uses rx_len to determine +whether the transfer has finished. + +Signed-off-by: Lukas Wunner <lukas@wunner.de> +Fixes: e34ff011c70e ("spi: bcm2835: move to the transfer_one driver model") +Cc: stable@vger.kernel.org # v4.1+ +Cc: Mathias Duckeck <m.duckeck@kunbus.de> +Cc: Frank Pavlic <f.pavlic@kunbus.de> +Cc: Martin Sperl <kernel@martin.sperl.org> +Cc: Noralf Trønnes <noralf@tronnes.org> +Signed-off-by: Mark Brown <broonie@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/spi/spi-bcm2835.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c +index bb0ea7b578d1..92f45b6fd278 100644 +--- a/drivers/spi/spi-bcm2835.c ++++ b/drivers/spi/spi-bcm2835.c +@@ -155,8 +155,7 @@ static irqreturn_t bcm2835_spi_interrupt(int irq, void *dev_id) + /* Write as many bytes as possible to FIFO */ + bcm2835_wr_fifo(bs); + +- /* based on flags decide if we can finish the transfer */ +- if (bcm2835_rd(bs, BCM2835_SPI_CS) & BCM2835_SPI_CS_DONE) { ++ if (!bs->rx_len) { + /* Transfer complete - reset SPI HW */ + bcm2835_spi_reset_hw(master); + /* wake up the framework */ +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-049-cdc-acm-fix-abnormal-DATA-RX-issue-for-Mediat.patch b/patches.kernel.org/4.4.170-049-cdc-acm-fix-abnormal-DATA-RX-issue-for-Mediat.patch new file mode 100644 index 0000000000..154e590ff5 --- /dev/null +++ b/patches.kernel.org/4.4.170-049-cdc-acm-fix-abnormal-DATA-RX-issue-for-Mediat.patch @@ -0,0 +1,87 @@ +From: Macpaul Lin <macpaul.lin@mediatek.com> +Date: Wed, 19 Dec 2018 12:11:03 +0800 +Subject: [PATCH] cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader. +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: eafb27fa5283599ce6c5492ea18cf636a28222bb + +commit eafb27fa5283599ce6c5492ea18cf636a28222bb upstream. + +Mediatek Preloader is a proprietary embedded boot loader for loading +Little Kernel and Linux into device DRAM. + +This boot loader also handle firmware update. Mediatek Preloader will be +enumerated as a virtual COM port when the device is connected to Windows +or Linux OS via CDC-ACM class driver. When the USB enumeration has been +done, Mediatek Preloader will send out handshake command "READY" to PC +actively instead of waiting command from the download tool. + +Since Linux 4.12, the commit "tty: reset termios state on device +registration" (93857edd9829e144acb6c7e72d593f6e01aead66) causes Mediatek +Preloader receiving some abnoraml command like "READYXX" as it sent. +This will be recognized as an incorrect response. The behavior change +also causes the download handshake fail. This change only affects +subsequent connects if the reconnected device happens to get the same minor +number. + +By disabling the ECHO termios flag could avoid this problem. However, it +cannot be done by user space configuration when download tool open +/dev/ttyACM0. This is because the device running Mediatek Preloader will +send handshake command "READY" immediately once the CDC-ACM driver is +ready. + +This patch wants to fix above problem by introducing "DISABLE_ECHO" +property in driver_info. When Mediatek Preloader is connected, the +CDC-ACM driver could disable ECHO flag in termios to avoid the problem. + +Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> +Cc: stable@vger.kernel.org +Reviewed-by: Johan Hovold <johan@kernel.org> +Acked-by: Oliver Neukum <oneukum@suse.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/class/cdc-acm.c | 10 ++++++++++ + drivers/usb/class/cdc-acm.h | 1 + + 2 files changed, 11 insertions(+) + +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index 0a8e5ac891d4..3919ea066bf9 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -507,6 +507,13 @@ static int acm_tty_install(struct tty_driver *driver, struct tty_struct *tty) + if (retval) + goto error_init_termios; + ++ /* ++ * Suppress initial echoing for some devices which might send data ++ * immediately after acm driver has been installed. ++ */ ++ if (acm->quirks & DISABLE_ECHO) ++ tty->termios.c_lflag &= ~ECHO; ++ + tty->driver_data = acm; + + return 0; +@@ -1677,6 +1684,9 @@ static const struct usb_device_id acm_ids[] = { + { USB_DEVICE(0x0e8d, 0x0003), /* FIREFLY, MediaTek Inc; andrey.arapov@gmail.com */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, ++ { USB_DEVICE(0x0e8d, 0x2000), /* MediaTek Inc Preloader */ ++ .driver_info = DISABLE_ECHO, /* DISABLE ECHO in termios flag */ ++ }, + { USB_DEVICE(0x0e8d, 0x3329), /* MediaTek Inc GPS */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, +diff --git a/drivers/usb/class/cdc-acm.h b/drivers/usb/class/cdc-acm.h +index b30ac5fcde68..1ad9ff9f493d 100644 +--- a/drivers/usb/class/cdc-acm.h ++++ b/drivers/usb/class/cdc-acm.h +@@ -134,3 +134,4 @@ struct acm { + #define QUIRK_CONTROL_LINE_STATE BIT(6) + #define CLEAR_HALT_CONDITIONS BIT(7) + #define SEND_ZERO_PACKET BIT(8) ++#define DISABLE_ECHO BIT(9) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-050-media-vivid-free-bitmap_cap-when-updating-std.patch b/patches.kernel.org/4.4.170-050-media-vivid-free-bitmap_cap-when-updating-std.patch new file mode 100644 index 0000000000..cb38a4d11a --- /dev/null +++ b/patches.kernel.org/4.4.170-050-media-vivid-free-bitmap_cap-when-updating-std.patch @@ -0,0 +1,38 @@ +From: Hans Verkuil <hverkuil-cisco@xs4all.nl> +Date: Fri, 9 Nov 2018 08:37:44 -0500 +Subject: [PATCH] media: vivid: free bitmap_cap when updating std/timings/etc. +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 560ccb75c2caa6b1039dec1a53cd2ef526f5bf03 + +commit 560ccb75c2caa6b1039dec1a53cd2ef526f5bf03 upstream. + +When vivid_update_format_cap() is called it should free any overlay +bitmap since the compose size will change. + +Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> +Reported-by: syzbot+0cc8e3cc63ca373722c6@syzkaller.appspotmail.com +Cc: <stable@vger.kernel.org> # for v3.18 and up +Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/media/platform/vivid/vivid-vid-cap.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/platform/vivid/vivid-vid-cap.c b/drivers/media/platform/vivid/vivid-vid-cap.c +index ef5412311b2f..a84954f1be34 100644 +--- a/drivers/media/platform/vivid/vivid-vid-cap.c ++++ b/drivers/media/platform/vivid/vivid-vid-cap.c +@@ -461,6 +461,8 @@ void vivid_update_format_cap(struct vivid_dev *dev, bool keep_controls) + tpg_s_rgb_range(&dev->tpg, v4l2_ctrl_g_ctrl(dev->rgb_range_cap)); + break; + } ++ vfree(dev->bitmap_cap); ++ dev->bitmap_cap = NULL; + vivid_update_quality(dev); + tpg_reset_source(&dev->tpg, dev->src_rect.width, dev->src_rect.height, dev->field_cap); + dev->crop_cap = dev->src_rect; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-051-MIPS-Ensure-pmd_present-returns-false-after-p.patch b/patches.kernel.org/4.4.170-051-MIPS-Ensure-pmd_present-returns-false-after-p.patch new file mode 100644 index 0000000000..01f9b292af --- /dev/null +++ b/patches.kernel.org/4.4.170-051-MIPS-Ensure-pmd_present-returns-false-after-p.patch @@ -0,0 +1,50 @@ +From: Huacai Chen <chenhc@lemote.com> +Date: Thu, 15 Nov 2018 15:53:54 +0800 +Subject: [PATCH] MIPS: Ensure pmd_present() returns false after + pmd_mknotpresent() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 92aa0718c9fa5160ad2f0e7b5bffb52f1ea1e51a + +commit 92aa0718c9fa5160ad2f0e7b5bffb52f1ea1e51a upstream. + +This patch is borrowed from ARM64 to ensure pmd_present() returns false +after pmd_mknotpresent(). This is needed for THP. + +References: 5bb1cc0ff9a6 ("arm64: Ensure pmd_present() returns false after pmd_mknotpresent()") +Reviewed-by: James Hogan <jhogan@kernel.org> +Signed-off-by: Huacai Chen <chenhc@lemote.com> +Signed-off-by: Paul Burton <paul.burton@mips.com> +Patchwork: https://patchwork.linux-mips.org/patch/21135/ +Cc: Ralf Baechle <ralf@linux-mips.org> +Cc: James Hogan <james.hogan@mips.com> +Cc: Steven J . Hill <Steven.Hill@cavium.com> +Cc: linux-mips@linux-mips.org +Cc: Fuxin Zhang <zhangfx@lemote.com> +Cc: Zhangjin Wu <wuzhangjin@gmail.com> +Cc: <stable@vger.kernel.org> # 3.8+ +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/mips/include/asm/pgtable-64.h | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/mips/include/asm/pgtable-64.h b/arch/mips/include/asm/pgtable-64.h +index cf661a2fb141..16fade4f49dd 100644 +--- a/arch/mips/include/asm/pgtable-64.h ++++ b/arch/mips/include/asm/pgtable-64.h +@@ -189,6 +189,11 @@ static inline int pmd_bad(pmd_t pmd) + + static inline int pmd_present(pmd_t pmd) + { ++#ifdef CONFIG_MIPS_HUGE_TLB_SUPPORT ++ if (unlikely(pmd_val(pmd) & _PAGE_HUGE)) ++ return pmd_val(pmd) & _PAGE_PRESENT; ++#endif ++ + return pmd_val(pmd) != (unsigned long) invalid_pte_table; + } + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-052-MIPS-Align-kernel-load-address-to-64KB.patch b/patches.kernel.org/4.4.170-052-MIPS-Align-kernel-load-address-to-64KB.patch new file mode 100644 index 0000000000..18e13e683b --- /dev/null +++ b/patches.kernel.org/4.4.170-052-MIPS-Align-kernel-load-address-to-64KB.patch @@ -0,0 +1,62 @@ +From: Huacai Chen <chenhc@lemote.com> +Date: Thu, 15 Nov 2018 15:53:56 +0800 +Subject: [PATCH] MIPS: Align kernel load address to 64KB +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: bec0de4cfad21bd284dbddee016ed1767a5d2823 + +commit bec0de4cfad21bd284dbddee016ed1767a5d2823 upstream. + +KEXEC needs the new kernel's load address to be aligned on a page +boundary (see sanity_check_segment_list()), but on MIPS the default +vmlinuz load address is only explicitly aligned to 16 bytes. + +Since the largest PAGE_SIZE supported by MIPS kernels is 64KB, increase +the alignment calculated by calc_vmlinuz_load_addr to 64KB. + +Signed-off-by: Huacai Chen <chenhc@lemote.com> +Signed-off-by: Paul Burton <paul.burton@mips.com> +Patchwork: https://patchwork.linux-mips.org/patch/21131/ +Cc: Ralf Baechle <ralf@linux-mips.org> +Cc: James Hogan <james.hogan@mips.com> +Cc: Steven J . Hill <Steven.Hill@cavium.com> +Cc: linux-mips@linux-mips.org +Cc: Fuxin Zhang <zhangfx@lemote.com> +Cc: Zhangjin Wu <wuzhangjin@gmail.com> +Cc: <stable@vger.kernel.org> # 2.6.36+ +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/mips/boot/compressed/calc_vmlinuz_load_addr.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c +index 37fe58c19a90..542c3ede9722 100644 +--- a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c ++++ b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c +@@ -13,6 +13,7 @@ + #include <stdint.h> + #include <stdio.h> + #include <stdlib.h> ++#include "../../../../include/linux/sizes.h" + + int main(int argc, char *argv[]) + { +@@ -45,11 +46,11 @@ int main(int argc, char *argv[]) + vmlinuz_load_addr = vmlinux_load_addr + vmlinux_size; + + /* +- * Align with 16 bytes: "greater than that used for any standard data +- * types by a MIPS compiler." -- See MIPS Run Linux (Second Edition). ++ * Align with 64KB: KEXEC needs load sections to be aligned to PAGE_SIZE, ++ * which may be as large as 64KB depending on the kernel configuration. + */ + +- vmlinuz_load_addr += (16 - vmlinux_size % 16); ++ vmlinuz_load_addr += (SZ_64K - vmlinux_size % SZ_64K); + + printf("0x%llx\n", vmlinuz_load_addr); + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-053-CIFS-Fix-error-mapping-for-SMB2_LOCK-command-.patch b/patches.kernel.org/4.4.170-053-CIFS-Fix-error-mapping-for-SMB2_LOCK-command-.patch new file mode 100644 index 0000000000..072742ff9a --- /dev/null +++ b/patches.kernel.org/4.4.170-053-CIFS-Fix-error-mapping-for-SMB2_LOCK-command-.patch @@ -0,0 +1,58 @@ +From: Georgy A Bystrenin <gkot@altlinux.org> +Date: Fri, 21 Dec 2018 00:11:42 -0600 +Subject: [PATCH] CIFS: Fix error mapping for SMB2_LOCK command which caused + OFD lock problem +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 9a596f5b39593414c0ec80f71b94a226286f084e + +commit 9a596f5b39593414c0ec80f71b94a226286f084e upstream. + +While resolving a bug with locks on samba shares found a strange behavior. +When a file locked by one node and we trying to lock it from another node +it fail with errno 5 (EIO) but in that case errno must be set to +(EACCES | EAGAIN). +This isn't happening when we try to lock file second time on same node. +In this case it returns EACCES as expected. +Also this issue not reproduces when we use SMB1 protocol (vers=1.0 in +mount options). + +Further investigation showed that the mapping from status_to_posix_error +is different for SMB1 and SMB2+ implementations. +For SMB1 mapping is [NT_STATUS_LOCK_NOT_GRANTED to ERRlock] +(See fs/cifs/netmisc.c line 66) +but for SMB2+ mapping is [STATUS_LOCK_NOT_GRANTED to -EIO] +(see fs/cifs/smb2maperror.c line 383) + +Quick changes in SMB2+ mapping from EIO to EACCES has fixed issue. + +BUG: https://bugzilla.kernel.org/show_bug.cgi?id=201971 + +Signed-off-by: Georgy A Bystrenin <gkot@altlinux.org> +Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com> +CC: Stable <stable@vger.kernel.org> +Signed-off-by: Steve French <stfrench@microsoft.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/cifs/smb2maperror.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/cifs/smb2maperror.c b/fs/cifs/smb2maperror.c +index 8257a5a97cc0..98c25b969ab8 100644 +--- a/fs/cifs/smb2maperror.c ++++ b/fs/cifs/smb2maperror.c +@@ -377,8 +377,8 @@ static const struct status_to_posix_error smb2_error_map_table[] = { + {STATUS_NONEXISTENT_EA_ENTRY, -EIO, "STATUS_NONEXISTENT_EA_ENTRY"}, + {STATUS_NO_EAS_ON_FILE, -ENODATA, "STATUS_NO_EAS_ON_FILE"}, + {STATUS_EA_CORRUPT_ERROR, -EIO, "STATUS_EA_CORRUPT_ERROR"}, +- {STATUS_FILE_LOCK_CONFLICT, -EIO, "STATUS_FILE_LOCK_CONFLICT"}, +- {STATUS_LOCK_NOT_GRANTED, -EIO, "STATUS_LOCK_NOT_GRANTED"}, ++ {STATUS_FILE_LOCK_CONFLICT, -EACCES, "STATUS_FILE_LOCK_CONFLICT"}, ++ {STATUS_LOCK_NOT_GRANTED, -EACCES, "STATUS_LOCK_NOT_GRANTED"}, + {STATUS_DELETE_PENDING, -ENOENT, "STATUS_DELETE_PENDING"}, + {STATUS_CTL_FILE_NOT_SUPPORTED, -ENOSYS, + "STATUS_CTL_FILE_NOT_SUPPORTED"}, +-- +2.20.1 + diff --git a/patches.fixes/x86-kvm-vmx-do-not-use-vm-exit-instruction-length-fo.patch b/patches.kernel.org/4.4.170-054-x86-kvm-vmx-do-not-use-vm-exit-instruction-le.patch index f85b8bb4c4..1a24412a9b 100644 --- a/patches.fixes/x86-kvm-vmx-do-not-use-vm-exit-instruction-length-fo.patch +++ b/patches.kernel.org/4.4.170-054-x86-kvm-vmx-do-not-use-vm-exit-instruction-le.patch @@ -1,13 +1,15 @@ -From d391f1207067268261add0485f0f34503539c5b0 Mon Sep 17 00:00:00 2001 From: Vitaly Kuznetsov <vkuznets@redhat.com> Date: Thu, 25 Jan 2018 16:37:07 +0100 -Subject: [PATCH] x86/kvm/vmx: do not use vm-exit instruction length for fast MMIO when running nested -Mime-version: 1.0 -Content-type: text/plain; charset=UTF-8 -Content-transfer-encoding: 8bit +Subject: [PATCH] x86/kvm/vmx: do not use vm-exit instruction length for fast + MMIO when running nested +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Patch-mainline: 4.4.170 +References: bnc#1012382 bsc#1081431 Git-commit: d391f1207067268261add0485f0f34503539c5b0 -Patch-mainline: v4.16-rc1 -References: bsc#1081431 + +commit d391f1207067268261add0485f0f34503539c5b0 upstream. I was investigating an issue with seabios >= 1.10 which stopped working for nested KVM on Hyper-V. The problem appears to be in @@ -33,17 +35,21 @@ Suggested-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Radim Krčmář <rkrcmar@redhat.com> -Signed-off-by: Matwey V. Kornilov <matwey.kornilov@gmail.com> -Acked-by: Takashi Iwai <tiwai@suse.de> - +Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> +[mhaboustak: backport to 4.9.y] +Signed-off-by: Mike Haboustak <haboustak@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- - arch/x86/kvm/vmx.c | 19 +++++++++++++++++-- - arch/x86/kvm/x86.c | 3 ++- + arch/x86/kvm/vmx.c | 19 +++++++++++++++++-- + arch/x86/kvm/x86.c | 3 ++- 2 files changed, 19 insertions(+), 3 deletions(-) +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index e4b5fd72ca24..3bdb2e747b89 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c -@@ -5986,9 +5986,24 @@ static int handle_ept_misconfig(struct k +@@ -6163,9 +6163,24 @@ static int handle_ept_misconfig(struct kvm_vcpu *vcpu) gpa = vmcs_read64(GUEST_PHYSICAL_ADDRESS); if (!kvm_io_bus_write(vcpu, KVM_FAST_MMIO_BUS, gpa, 0, NULL)) { @@ -51,28 +57,30 @@ Acked-by: Takashi Iwai <tiwai@suse.de> trace_kvm_fast_mmio(gpa); - return 1; + /* -+ * Doing kvm_skip_emulated_instruction() depends on undefined -+ * behavior: Intel's manual doesn't mandate -+ * VM_EXIT_INSTRUCTION_LEN to be set in VMCS when EPT MISCONFIG -+ * occurs and while on real hardware it was observed to be set, -+ * other hypervisors (namely Hyper-V) don't set it, we end up -+ * advancing IP with some random value. Disable fast mmio when -+ * running nested and keep it for real hardware in hope that -+ * VM_EXIT_INSTRUCTION_LEN will always be set correctly. -+ */ ++ * Doing kvm_skip_emulated_instruction() depends on undefined ++ * behavior: Intel's manual doesn't mandate ++ * VM_EXIT_INSTRUCTION_LEN to be set in VMCS when EPT MISCONFIG ++ * occurs and while on real hardware it was observed to be set, ++ * other hypervisors (namely Hyper-V) don't set it, we end up ++ * advancing IP with some random value. Disable fast mmio when ++ * running nested and keep it for real hardware in hope that ++ * VM_EXIT_INSTRUCTION_LEN will always be set correctly. ++ */ + if (!static_cpu_has(X86_FEATURE_HYPERVISOR)) { + skip_emulated_instruction(vcpu); + return 1; -+ } else { ++ } ++ else + return x86_emulate_instruction(vcpu, gpa, EMULTYPE_SKIP, + NULL, 0) == EMULATE_DONE; -+ } } ret = handle_mmio_page_fault(vcpu, gpa, true); +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index aa1a0277a678..1a934bb8ed1c 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c -@@ -5408,7 +5408,8 @@ int x86_emulate_instruction(struct kvm_v +@@ -5436,7 +5436,8 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu, * handle watchpoints yet, those would be handled in * the emulate_ops. */ @@ -82,3 +90,6 @@ Acked-by: Takashi Iwai <tiwai@suse.de> return r; ctxt->interruptibility = 0; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-055-spi-bcm2835-Unbreak-the-build-of-esoteric-con.patch b/patches.kernel.org/4.4.170-055-spi-bcm2835-Unbreak-the-build-of-esoteric-con.patch new file mode 100644 index 0000000000..fe24f342d3 --- /dev/null +++ b/patches.kernel.org/4.4.170-055-spi-bcm2835-Unbreak-the-build-of-esoteric-con.patch @@ -0,0 +1,47 @@ +From: Lukas Wunner <lukas@wunner.de> +Date: Thu, 29 Nov 2018 15:14:49 +0100 +Subject: [PATCH] spi: bcm2835: Unbreak the build of esoteric configs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 29bdedfd9cf40e59456110ca417a8cb672ac9b92 + +commit 29bdedfd9cf40e59456110ca417a8cb672ac9b92 upstream. + +Commit e82b0b382845 ("spi: bcm2835: Fix race on DMA termination") broke +the build with COMPILE_TEST=y on arches whose cmpxchg() requires 32-bit +operands (xtensa, older arm ISAs). + +Fix by changing the dma_pending flag's type from bool to unsigned int. + +Fixes: e82b0b382845 ("spi: bcm2835: Fix race on DMA termination") +Signed-off-by: Lukas Wunner <lukas@wunner.de> +Signed-off-by: Mark Brown <broonie@kernel.org> +Cc: Frank Pavlic <f.pavlic@kunbus.de> +Cc: Martin Sperl <kernel@martin.sperl.org> +Cc: Noralf Trønnes <noralf@tronnes.org> +Cc: Sudip Mukherjee <sudipm.mukherjee@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/spi/spi-bcm2835.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c +index 92f45b6fd278..1a1368f5863c 100644 +--- a/drivers/spi/spi-bcm2835.c ++++ b/drivers/spi/spi-bcm2835.c +@@ -88,7 +88,7 @@ struct bcm2835_spi { + u8 *rx_buf; + int tx_len; + int rx_len; +- bool dma_pending; ++ unsigned int dma_pending; + }; + + static inline u32 bcm2835_rd(struct bcm2835_spi *bs, unsigned reg) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-056-powerpc-Fix-COFF-zImage-booting-on-old-powerm.patch b/patches.kernel.org/4.4.170-056-powerpc-Fix-COFF-zImage-booting-on-old-powerm.patch new file mode 100644 index 0000000000..60bb177616 --- /dev/null +++ b/patches.kernel.org/4.4.170-056-powerpc-Fix-COFF-zImage-booting-on-old-powerm.patch @@ -0,0 +1,59 @@ +From: Paul Mackerras <paulus@ozlabs.org> +Date: Tue, 27 Nov 2018 09:01:54 +1100 +Subject: [PATCH] powerpc: Fix COFF zImage booting on old powermacs +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 5564597d51c8ff5b88d95c76255e18b13b760879 + +[ Upstream commit 5564597d51c8ff5b88d95c76255e18b13b760879 ] + +Commit 6975a783d7b4 ("powerpc/boot: Allow building the zImage wrapper +as a relocatable ET_DYN", 2011-04-12) changed the procedure descriptor +at the start of crt0.S to have a hard-coded start address of 0x500000 +rather than a reference to _zimage_start, presumably because having +a reference to a symbol introduced a relocation which is awkward to +handle in a position-independent executable. Unfortunately, what is +at 0x500000 in the COFF image is not the first instruction, but the +procedure descriptor itself, that is, a word containing 0x500000, +which is not a valid instruction. Hence, booting a COFF zImage +results in a "DEFAULT CATCH!, code=FFF00700" message from Open +Firmware. + +This fixes the problem by (a) putting the procedure descriptor in the +data section and (b) adding a branch to _zimage_start as the first +instruction in the program. + +Fixes: 6975a783d7b4 ("powerpc/boot: Allow building the zImage wrapper as a relocatable ET_DYN") +Signed-off-by: Paul Mackerras <paulus@ozlabs.org> +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/powerpc/boot/crt0.S | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/boot/crt0.S b/arch/powerpc/boot/crt0.S +index 5c2199857aa8..a3550e8f1a77 100644 +--- a/arch/powerpc/boot/crt0.S ++++ b/arch/powerpc/boot/crt0.S +@@ -15,7 +15,7 @@ + RELA = 7 + RELACOUNT = 0x6ffffff9 + +- .text ++ .data + /* A procedure descriptor used when booting this as a COFF file. + * When making COFF, this comes first in the link and we're + * linked at 0x500000. +@@ -23,6 +23,8 @@ RELACOUNT = 0x6ffffff9 + .globl _zimage_start_opd + _zimage_start_opd: + .long 0x500000, 0, 0, 0 ++ .text ++ b _zimage_start + + #ifdef __powerpc64__ + .balign 8 +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-057-ARM-imx-update-the-cpu-power-up-timing-settin.patch b/patches.kernel.org/4.4.170-057-ARM-imx-update-the-cpu-power-up-timing-settin.patch new file mode 100644 index 0000000000..6a50bbe816 --- /dev/null +++ b/patches.kernel.org/4.4.170-057-ARM-imx-update-the-cpu-power-up-timing-settin.patch @@ -0,0 +1,43 @@ +From: Anson Huang <anson.huang@nxp.com> +Date: Tue, 4 Dec 2018 03:17:45 +0000 +Subject: [PATCH] ARM: imx: update the cpu power up timing setting on i.mx6sx +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 1e434b703248580b7aaaf8a115d93e682f57d29f + +[ Upstream commit 1e434b703248580b7aaaf8a115d93e682f57d29f ] + +The sw2iso count should cover ARM LDO ramp-up time, +the MAX ARM LDO ramp-up time may be up to more than +100us on some boards, this patch sets sw2iso to 0xf +(~384us) which is the reset value, and it is much +more safe to cover different boards, since we have +observed that some customer boards failed with current +setting of 0x2. + +Fixes: 05136f0897b5 ("ARM: imx: support arm power off in cpuidle for i.mx6sx") +Signed-off-by: Anson Huang <Anson.Huang@nxp.com> +Reviewed-by: Fabio Estevam <festevam@gmail.com> +Signed-off-by: Shawn Guo <shawnguo@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/arm/mach-imx/cpuidle-imx6sx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mach-imx/cpuidle-imx6sx.c b/arch/arm/mach-imx/cpuidle-imx6sx.c +index 3c6672b3796b..7f5df8992008 100644 +--- a/arch/arm/mach-imx/cpuidle-imx6sx.c ++++ b/arch/arm/mach-imx/cpuidle-imx6sx.c +@@ -97,7 +97,7 @@ int __init imx6sx_cpuidle_init(void) + * except for power up sw2iso which need to be + * larger than LDO ramp up time. + */ +- imx_gpc_set_arm_power_up_timing(2, 1); ++ imx_gpc_set_arm_power_up_timing(0xf, 1); + imx_gpc_set_arm_power_down_timing(1, 1); + + return cpuidle_register(&imx6sx_cpuidle_driver, NULL); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-058-Input-restore-EV_ABS-ABS_RESERVED.patch b/patches.kernel.org/4.4.170-058-Input-restore-EV_ABS-ABS_RESERVED.patch new file mode 100644 index 0000000000..1be1144c2d --- /dev/null +++ b/patches.kernel.org/4.4.170-058-Input-restore-EV_ABS-ABS_RESERVED.patch @@ -0,0 +1,46 @@ +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Thu, 6 Dec 2018 09:03:36 +1000 +Subject: [PATCH] Input: restore EV_ABS ABS_RESERVED +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: c201e3808e0e4be9b98d192802085a9f491bd80c + +[ Upstream commit c201e3808e0e4be9b98d192802085a9f491bd80c ] + +ABS_RESERVED was added in d9ca1c990a7 and accidentally removed as part of +ffe0e7cf290f5c9 when the high-resolution scrolling code was removed. + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Reviewed-by: Martin Kepplinger <martin.kepplinger@ginzinger.com> +Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> +Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + include/uapi/linux/input-event-codes.h | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/include/uapi/linux/input-event-codes.h b/include/uapi/linux/input-event-codes.h +index 87cf351bab03..9e07bf4259e1 100644 +--- a/include/uapi/linux/input-event-codes.h ++++ b/include/uapi/linux/input-event-codes.h +@@ -708,6 +708,15 @@ + + #define ABS_MISC 0x28 + ++/* ++ * 0x2e is reserved and should not be used in input drivers. ++ * It was used by HID as ABS_MISC+6 and userspace needs to detect if ++ * the next ABS_* event is correct or is just ABS_MISC + n. ++ * We define here ABS_RESERVED so userspace can rely on it and detect ++ * the situation described above. ++ */ ++#define ABS_RESERVED 0x2e ++ + #define ABS_MT_SLOT 0x2f /* MT slot being modified */ + #define ABS_MT_TOUCH_MAJOR 0x30 /* Major axis of touching ellipse */ + #define ABS_MT_TOUCH_MINOR 0x31 /* Minor axis (omit if circular) */ +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-059-checkstack.pl-fix-for-aarch64.patch b/patches.kernel.org/4.4.170-059-checkstack.pl-fix-for-aarch64.patch new file mode 100644 index 0000000000..cc39e4e4cc --- /dev/null +++ b/patches.kernel.org/4.4.170-059-checkstack.pl-fix-for-aarch64.patch @@ -0,0 +1,49 @@ +From: Qian Cai <cai@lca.pw> +Date: Fri, 14 Dec 2018 14:17:20 -0800 +Subject: [PATCH] checkstack.pl: fix for aarch64 +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: f1733a1d3cd32a9492f4cf866be37bb46e10163d + +[ Upstream commit f1733a1d3cd32a9492f4cf866be37bb46e10163d ] + +There is actually a space after "sp," like this, + + ffff2000080813c8: a9bb7bfd stp x29, x30, [sp, #-80]! + +Right now, checkstack.pl isn't able to print anything on aarch64, +because it won't be able to match the stating objdump line of a function +due to this missing space. Hence, it displays every stack as zero-size. + +After this patch, checkpatch.pl is able to match the start of a +function's objdump, and is then able to calculate each function's stack +correctly. + +Link: http://lkml.kernel.org/r/20181207195843.38528-1-cai@lca.pw +Signed-off-by: Qian Cai <cai@lca.pw> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + scripts/checkstack.pl | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/scripts/checkstack.pl b/scripts/checkstack.pl +index dd8397894d5c..12a6940741fe 100755 +--- a/scripts/checkstack.pl ++++ b/scripts/checkstack.pl +@@ -46,8 +46,8 @@ my (@stack, $re, $dre, $x, $xs, $funcre); + $xs = "[0-9a-f ]"; # hex character or space + $funcre = qr/^$x* <(.*)>:$/; + if ($arch eq 'aarch64') { +- #ffffffc0006325cc: a9bb7bfd stp x29, x30, [sp,#-80]! +- $re = qr/^.*stp.*sp,\#-([0-9]{1,8})\]\!/o; ++ #ffffffc0006325cc: a9bb7bfd stp x29, x30, [sp, #-80]! ++ $re = qr/^.*stp.*sp, \#-([0-9]{1,8})\]\!/o; + } elsif ($arch eq 'arm') { + #c0008ffc: e24dd064 sub sp, sp, #100 ; 0x64 + $re = qr/.*sub.*sp, sp, #(([0-9]{2}|[3-9])[0-9]{2})/o; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-060-xfrm-Fix-bucket-count-reported-to-userspace.patch b/patches.kernel.org/4.4.170-060-xfrm-Fix-bucket-count-reported-to-userspace.patch new file mode 100644 index 0000000000..db67a06235 --- /dev/null +++ b/patches.kernel.org/4.4.170-060-xfrm-Fix-bucket-count-reported-to-userspace.patch @@ -0,0 +1,37 @@ +From: Benjamin Poirier <bpoirier@suse.com> +Date: Mon, 5 Nov 2018 17:00:53 +0900 +Subject: [PATCH] xfrm: Fix bucket count reported to userspace +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: ca92e173ab34a4f7fc4128bd372bd96f1af6f507 + +[ Upstream commit ca92e173ab34a4f7fc4128bd372bd96f1af6f507 ] + +sadhcnt is reported by `ip -s xfrm state count` as "buckets count", not the +hash mask. + +Fixes: 28d8909bc790 ("[XFRM]: Export SAD info.") +Signed-off-by: Benjamin Poirier <bpoirier@suse.com> +Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/xfrm/xfrm_state.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index 9b6e51450fc5..13f261feb75c 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -623,7 +623,7 @@ void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si) + { + spin_lock_bh(&net->xfrm.xfrm_state_lock); + si->sadcnt = net->xfrm.state_num; +- si->sadhcnt = net->xfrm.state_hmask; ++ si->sadhcnt = net->xfrm.state_hmask + 1; + si->sadhmcnt = xfrm_state_hashmax; + spin_unlock_bh(&net->xfrm.xfrm_state_lock); + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-061-scsi-bnx2fc-Fix-NULL-dereference-in-error-han.patch b/patches.kernel.org/4.4.170-061-scsi-bnx2fc-Fix-NULL-dereference-in-error-han.patch new file mode 100644 index 0000000000..b833e1a875 --- /dev/null +++ b/patches.kernel.org/4.4.170-061-scsi-bnx2fc-Fix-NULL-dereference-in-error-han.patch @@ -0,0 +1,37 @@ +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Thu, 1 Nov 2018 08:25:30 +0300 +Subject: [PATCH] scsi: bnx2fc: Fix NULL dereference in error handling +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 9ae4f8420ed7be4b13c96600e3568c144d101a23 + +[ Upstream commit 9ae4f8420ed7be4b13c96600e3568c144d101a23 ] + +If "interface" is NULL then we can't release it and trying to will only +lead to an Oops. + +Fixes: aea71a024914 ("[SCSI] bnx2fc: Introduce interface structure for each vlan interface") +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c +index d0b227ffbd5f..573aeec7a02b 100644 +--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c ++++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c +@@ -2279,7 +2279,7 @@ static int _bnx2fc_create(struct net_device *netdev, + if (!interface) { + printk(KERN_ERR PFX "bnx2fc_interface_create failed\n"); + rc = -ENOMEM; +- goto ifput_err; ++ goto netdev_err; + } + + if (netdev->priv_flags & IFF_802_1Q_VLAN) { +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-062-Input-omap-keypad-fix-idle-configuration-to-n.patch b/patches.kernel.org/4.4.170-062-Input-omap-keypad-fix-idle-configuration-to-n.patch new file mode 100644 index 0000000000..d0129cb3e1 --- /dev/null +++ b/patches.kernel.org/4.4.170-062-Input-omap-keypad-fix-idle-configuration-to-n.patch @@ -0,0 +1,86 @@ +From: Tony Lindgren <tony@atomide.com> +Date: Tue, 4 Dec 2018 13:52:49 -0800 +Subject: [PATCH] Input: omap-keypad - fix idle configuration to not block SoC + idle states +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: e2ca26ec4f01486661b55b03597c13e2b9c18b73 + +[ Upstream commit e2ca26ec4f01486661b55b03597c13e2b9c18b73 ] + +With PM enabled, I noticed that pressing a key on the droid4 keyboard will +block deeper idle states for the SoC. Let's fix this by using IRQF_ONESHOT +and stop constantly toggling the device OMAP4_KBD_IRQENABLE register as +suggested by Dmitry Torokhov <dmitry.torokhov@gmail.com>. + +From the hardware point of view, looks like we need to manage the registers +for OMAP4_KBD_IRQENABLE and OMAP4_KBD_WAKEUPENABLE together to avoid +blocking deeper SoC idle states. And with toggling of OMAP4_KBD_IRQENABLE +register now gone with IRQF_ONESHOT, also the SoC idle state problem is +gone during runtime. We still also need to clear OMAP4_KBD_WAKEUPENABLE in +omap4_keypad_close() though to pair it with omap4_keypad_open() to prevent +blocking deeper SoC idle states after rmmod omap4-keypad. + +Reported-by: Pavel Machek <pavel@ucw.cz> +Signed-off-by: Tony Lindgren <tony@atomide.com> +Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/input/keyboard/omap4-keypad.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +diff --git a/drivers/input/keyboard/omap4-keypad.c b/drivers/input/keyboard/omap4-keypad.c +index f78c464899db..3d2c60c8de83 100644 +--- a/drivers/input/keyboard/omap4-keypad.c ++++ b/drivers/input/keyboard/omap4-keypad.c +@@ -126,12 +126,8 @@ static irqreturn_t omap4_keypad_irq_handler(int irq, void *dev_id) + { + struct omap4_keypad *keypad_data = dev_id; + +- if (kbd_read_irqreg(keypad_data, OMAP4_KBD_IRQSTATUS)) { +- /* Disable interrupts */ +- kbd_write_irqreg(keypad_data, OMAP4_KBD_IRQENABLE, +- OMAP4_VAL_IRQDISABLE); ++ if (kbd_read_irqreg(keypad_data, OMAP4_KBD_IRQSTATUS)) + return IRQ_WAKE_THREAD; +- } + + return IRQ_NONE; + } +@@ -173,11 +169,6 @@ static irqreturn_t omap4_keypad_irq_thread_fn(int irq, void *dev_id) + kbd_write_irqreg(keypad_data, OMAP4_KBD_IRQSTATUS, + kbd_read_irqreg(keypad_data, OMAP4_KBD_IRQSTATUS)); + +- /* enable interrupts */ +- kbd_write_irqreg(keypad_data, OMAP4_KBD_IRQENABLE, +- OMAP4_DEF_IRQENABLE_EVENTEN | +- OMAP4_DEF_IRQENABLE_LONGKEY); +- + return IRQ_HANDLED; + } + +@@ -214,9 +205,10 @@ static void omap4_keypad_close(struct input_dev *input) + + disable_irq(keypad_data->irq); + +- /* Disable interrupts */ ++ /* Disable interrupts and wake-up events */ + kbd_write_irqreg(keypad_data, OMAP4_KBD_IRQENABLE, + OMAP4_VAL_IRQDISABLE); ++ kbd_writel(keypad_data, OMAP4_KBD_WAKEUPENABLE, 0); + + /* clear pending interrupts */ + kbd_write_irqreg(keypad_data, OMAP4_KBD_IRQSTATUS, +@@ -364,7 +356,7 @@ static int omap4_keypad_probe(struct platform_device *pdev) + } + + error = request_threaded_irq(keypad_data->irq, omap4_keypad_irq_handler, +- omap4_keypad_irq_thread_fn, 0, ++ omap4_keypad_irq_thread_fn, IRQF_ONESHOT, + "omap4-keypad", keypad_data); + if (error) { + dev_err(&pdev->dev, "failed to register interrupt\n"); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-063-scsi-zfcp-fix-posting-too-many-status-read-bu.patch b/patches.kernel.org/4.4.170-063-scsi-zfcp-fix-posting-too-many-status-read-bu.patch new file mode 100644 index 0000000000..c7154b441c --- /dev/null +++ b/patches.kernel.org/4.4.170-063-scsi-zfcp-fix-posting-too-many-status-read-bu.patch @@ -0,0 +1,98 @@ +From: Steffen Maier <maier@linux.ibm.com> +Date: Thu, 6 Dec 2018 17:31:20 +0100 +Subject: [PATCH] scsi: zfcp: fix posting too many status read buffers leading + to adapter shutdown +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 60a161b7e5b2a252ff0d4c622266a7d8da1120ce + +commit 60a161b7e5b2a252ff0d4c622266a7d8da1120ce upstream. + +Suppose adapter (open) recovery is between opened QDIO queues and before +(the end of) initial posting of status read buffers (SRBs). This time +window can be seconds long due to FSF_PROT_HOST_CONNECTION_INITIALIZING +causing by design looping with exponential increase sleeps in the function +performing exchange config data during recovery +[zfcp_erp_adapter_strat_fsf_xconf()]. Recovery triggered by local link up. + +Suppose an event occurs for which the FCP channel would send an unsolicited +notification to zfcp by means of a previously posted SRB. We saw it with +local cable pull (link down) in multi-initiator zoning with multiple +NPIV-enabled subchannels of the same shared FCP channel. + +As soon as zfcp_erp_adapter_strategy_open_fsf() starts posting the initial +status read buffers from within the adapter's ERP thread, the channel does +send an unsolicited notification. + +Since v2.6.27 commit d26ab06ede83 ("[SCSI] zfcp: receiving an unsolicted +status can lead to I/O stall"), zfcp_fsf_status_read_handler() schedules +adapter->stat_work to re-fill the just consumed SRB from a work item. + +Now the ERP thread and the work item post SRBs in parallel. Both contexts +call the helper function zfcp_status_read_refill(). The tracking of +missing (to be posted / re-filled) SRBs is not thread-safe due to separate +atomic_read() and atomic_dec(), in order to depend on posting +success. Hence, both contexts can see +atomic_read(&adapter->stat_miss) == 1. One of the two contexts posts +one too many SRB. Zfcp gets QDIO_ERROR_SLSB_STATE on the output queue +(trace tag "qdireq1") leading to zfcp_erp_adapter_shutdown() in +zfcp_qdio_handler_error(). + +An obvious and seemingly clean fix would be to schedule stat_work from the +ERP thread and wait for it to finish. This would serialize all SRB +re-fills. However, we already have another work item wait on the ERP +thread: adapter->scan_work runs zfcp_fc_scan_ports() which calls +zfcp_fc_eval_gpn_ft(). The latter calls zfcp_erp_wait() to wait for all the +open port recoveries during zfcp auto port scan, but in fact it waits for +any pending recovery including an adapter recovery. This approach leads to +a deadlock. [see also v3.19 commit 18f87a67e6d6 ("zfcp: auto port scan +resiliency"); v2.6.37 commit d3e1088d6873 +("[SCSI] zfcp: No ERP escalation on gpn_ft eval"); +v2.6.28 commit fca55b6fb587 +("[SCSI] zfcp: fix deadlock between wq triggered port scan and ERP") +fixing v2.6.27 commit c57a39a45a76 +("[SCSI] zfcp: wait until adapter is finished with ERP during auto-port"); +v2.6.27 commit cc8c282963bd +("[SCSI] zfcp: Automatically attach remote ports")] + +Instead make the accounting of missing SRBs atomic for parallel execution +in both the ERP thread and adapter->stat_work. + +Signed-off-by: Steffen Maier <maier@linux.ibm.com> +Fixes: d26ab06ede83 ("[SCSI] zfcp: receiving an unsolicted status can lead to I/O stall") +Cc: <stable@vger.kernel.org> #2.6.27+ +Reviewed-by: Jens Remus <jremus@linux.ibm.com> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/s390/scsi/zfcp_aux.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/s390/scsi/zfcp_aux.c b/drivers/s390/scsi/zfcp_aux.c +index 38c8e308d4c8..a96c98e3fc73 100644 +--- a/drivers/s390/scsi/zfcp_aux.c ++++ b/drivers/s390/scsi/zfcp_aux.c +@@ -275,16 +275,16 @@ static void zfcp_free_low_mem_buffers(struct zfcp_adapter *adapter) + */ + int zfcp_status_read_refill(struct zfcp_adapter *adapter) + { +- while (atomic_read(&adapter->stat_miss) > 0) ++ while (atomic_add_unless(&adapter->stat_miss, -1, 0)) + if (zfcp_fsf_status_read(adapter->qdio)) { ++ atomic_inc(&adapter->stat_miss); /* undo add -1 */ + if (atomic_read(&adapter->stat_miss) >= + adapter->stat_read_buf_num) { + zfcp_erp_adapter_reopen(adapter, 0, "axsref1"); + return 1; + } + break; +- } else +- atomic_dec(&adapter->stat_miss); ++ } + return 0; + } + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-064-fork-record-start_time-late.patch b/patches.kernel.org/4.4.170-064-fork-record-start_time-late.patch new file mode 100644 index 0000000000..d1a04b69b8 --- /dev/null +++ b/patches.kernel.org/4.4.170-064-fork-record-start_time-late.patch @@ -0,0 +1,83 @@ +From: David Herrmann <dh.herrmann@gmail.com> +Date: Tue, 8 Jan 2019 13:58:52 +0100 +Subject: [PATCH] fork: record start_time late +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 7b55851367136b1efd84d98fea81ba57a98304cf + +commit 7b55851367136b1efd84d98fea81ba57a98304cf upstream. + +This changes the fork(2) syscall to record the process start_time after +initializing the basic task structure but still before making the new +process visible to user-space. + +Technically, we could record the start_time anytime during fork(2). But +this might lead to scenarios where a start_time is recorded long before +a process becomes visible to user-space. For instance, with +userfaultfd(2) and TLS, user-space can delay the execution of fork(2) +for an indefinite amount of time (and will, if this causes network +access, or similar). + +By recording the start_time late, it much closer reflects the point in +time where the process becomes live and can be observed by other +processes. + +Lastly, this makes it much harder for user-space to predict and control +the start_time they get assigned. Previously, user-space could fork a +process and stall it in copy_thread_tls() before its pid is allocated, +but after its start_time is recorded. This can be misused to later-on +cycle through PIDs and resume the stalled fork(2) yielding a process +that has the same pid and start_time as a process that existed before. +This can be used to circumvent security systems that identify processes +by their pid+start_time combination. + +Even though user-space was always aware that start_time recording is +flaky (but several projects are known to still rely on start_time-based +identification), changing the start_time to be recorded late will help +mitigate existing attacks and make it much harder for user-space to +control the start_time a process gets assigned. + +Reported-by: Jann Horn <jannh@google.com> +Signed-off-by: Tom Gundersen <teg@jklm.no> +Signed-off-by: David Herrmann <dh.herrmann@gmail.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + kernel/fork.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/kernel/fork.c b/kernel/fork.c +index dd2f79ac0771..e4b81913a998 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -1411,8 +1411,6 @@ static struct task_struct *copy_process(unsigned long clone_flags, + + posix_cpu_timers_init(p); + +- p->start_time = ktime_get_ns(); +- p->real_start_time = ktime_get_boot_ns(); + p->io_context = NULL; + p->audit_context = NULL; + cgroup_fork(p); +@@ -1572,6 +1570,17 @@ static struct task_struct *copy_process(unsigned long clone_flags, + if (retval) + goto bad_fork_free_pid; + ++ /* ++ * From this point on we must avoid any synchronous user-space ++ * communication until we take the tasklist-lock. In particular, we do ++ * not want user-space to be able to predict the process start-time by ++ * stalling fork(2) after we recorded the start_time but before it is ++ * visible to the system. ++ */ ++ ++ p->start_time = ktime_get_ns(); ++ p->real_start_time = ktime_get_boot_ns(); ++ + /* + * Make it visible to the rest of the system, but dont wake it up yet. + * Need tasklist lock for parent etc handling! +-- +2.20.1 + diff --git a/patches.fixes/0001-hwpoison-memory_hotplug-allow-hwpoisoned-pages-to-be.patch b/patches.kernel.org/4.4.170-065-hwpoison-memory_hotplug-allow-hwpoisoned-page.patch index 95eb48f8b2..158eb70bd4 100644 --- a/patches.fixes/0001-hwpoison-memory_hotplug-allow-hwpoisoned-pages-to-be.patch +++ b/patches.kernel.org/4.4.170-065-hwpoison-memory_hotplug-allow-hwpoisoned-page.patch @@ -1,52 +1,55 @@ -From 51c2cfdd270f76f068ea875fba77384e49156ac6 Mon Sep 17 00:00:00 2001 From: Michal Hocko <mhocko@suse.com> -Date: Mon, 3 Dec 2018 10:27:18 +0100 -Subject: [RFC PATCH] hwpoison, memory_hotplug: allow hwpoisoned pages to be +Date: Fri, 28 Dec 2018 00:38:01 -0800 +Subject: [PATCH] hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined -Patch-mainline: not yet, under discussion -References: bnc#1116336 +References: bnc#1012382 bnc#1116336 +Patch-mainline: 4.4.170 +Git-commit: b15c87263a69272423771118c653e9a1d0672caa + +commit b15c87263a69272423771118c653e9a1d0672caa upstream. We have received a bug report that an injected MCE about faulty memory -prevents memory offline to succeed on 4.4 base kernel. The underlying -reason was that the HWPoison page has an elevated reference count and -the migration keeps failing. There are two problems with that. First -of all it is dubious to migrate the poisoned page because we know that -accessing that memory is possible to fail. Secondly it doesn't make any -sense to migrate a potentially broken content and preserve the memory -corruption over to a new location. +prevents memory offline to succeed on 4.4 base kernel. The underlying +reason was that the HWPoison page has an elevated reference count and the +migration keeps failing. There are two problems with that. First of all +it is dubious to migrate the poisoned page because we know that accessing +that memory is possible to fail. Secondly it doesn't make any sense to +migrate a potentially broken content and preserve the memory corruption +over to a new location. Oscar has found out that 4.4 and the current upstream kernels behave slightly differently with his simply testcase + === int main(void) { - int ret; - int i; - int fd; - char *array = malloc(4096); - char *array_locked = malloc(4096); + int ret; + int i; + int fd; + char *array = malloc(4096); + char *array_locked = malloc(4096); - fd = open("/tmp/data", O_RDONLY); - read(fd, array, 4095); + fd = open("/tmp/data", O_RDONLY); + read(fd, array, 4095); - for (i = 0; i < 4096; i++) - array_locked[i] = 'd'; + for (i = 0; i < 4096; i++) + array_locked[i] = 'd'; - ret = mlock((void *)PAGE_ALIGN((unsigned long)array_locked), sizeof(array_locked)); - if (ret) - perror("mlock"); + ret = mlock((void *)PAGE_ALIGN((unsigned long)array_locked), sizeof(array_locked)); + if (ret) + perror("mlock"); - sleep (20); + sleep (20); - ret = madvise((void *)PAGE_ALIGN((unsigned long)array_locked), 4096, MADV_HWPOISON); - if (ret) - perror("madvise"); + ret = madvise((void *)PAGE_ALIGN((unsigned long)array_locked), 4096, MADV_HWPOISON); + if (ret) + perror("madvise"); - for (i = 0; i < 4096; i++) - array_locked[i] = 'd'; + for (i = 0; i < 4096; i++) + array_locked[i] = 'd'; - return 0; + return 0; } === @@ -75,27 +78,29 @@ kernel: [<ffffffff81215f08>] do_execve+0x28/0x30 kernel: [<ffffffff81095ddb>] call_usermodehelper_exec_async+0xfb/0x130 kernel: [<ffffffff8161c045>] ret_from_fork+0x55/0x80 -And that later confuses the hotremove path because an LRU page is +And that latter confuses the hotremove path because an LRU page is attempted to be migrated and that fails due to an elevated reference -count. It is quite possible that the reuse of the HWPoisoned page is -some kind of fixed race condition but I am not really sure about that. +count. It is quite possible that the reuse of the HWPoisoned page is some +kind of fixed race condition but I am not really sure about that. -With the upstream kernel the failure is slightly different. The page -doesn't seem to have LRU bit set but isolate_movable_page simply fails -and do_migrate_range simply puts all the isolated pages back to LRU and +With the upstream kernel the failure is slightly different. The page +doesn't seem to have LRU bit set but isolate_movable_page simply fails and +do_migrate_range simply puts all the isolated pages back to LRU and therefore no progress is made and scan_movable_pages finds same set of pages over and over again. -Fix both cases by explicitly checking HWPoisoned pages before we even -try to get a reference on the page, try to unmap it if it is still -mapped. As explained by Naoya +Fix both cases by explicitly checking HWPoisoned pages before we even try +to get reference on the page, try to unmap it if it is still mapped. As +explained by Naoya: + : Hwpoison code never unmapped those for no big reason because : Ksm pages never dominate memory, so we simply didn't have strong : motivation to save the pages. Also put WARN_ON(PageLRU) in case there is a race and we can hit LRU -HWPoison pages which shouldn't happen but I couldn't convince myself -about that. Naoya has noted the following +HWPoison pages which shouldn't happen but I couldn't convince myself about +that. Naoya has noted the following: + : Theoretically no such gurantee, because try_to_unmap() doesn't have a : guarantee of success and then memory_failure() returns immediately : when hwpoison_user_mappings fails. @@ -115,29 +120,35 @@ about that. Naoya has noted the following : So I think it's OK to keep "if (WARN_ON(PageLRU(page)))" block in : current version of your patch. -Debugged-by: Oscar Salvador <osalvador@suse.com> -Cc: stable +Link: http://lkml.kernel.org/r/20181206120135.14079-1-mhocko@kernel.org +Signed-off-by: Michal Hocko <mhocko@suse.com> Reviewed-by: Oscar Salvador <osalvador@suse.com> +Debugged-by: Oscar Salvador <osalvador@suse.com> Tested-by: Oscar Salvador <osalvador@suse.com> Acked-by: David Hildenbrand <david@redhat.com> Acked-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com> -Signed-off-by: Michal Hocko <mhocko@suse.com> - +Cc: <stable@vger.kernel.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- - mm/memory_hotplug.c | 16 ++++++++++++++++ + mm/memory_hotplug.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) +diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c +index a18923e4359d..0addef5f8aa3 100644 --- a/mm/memory_hotplug.c +++ b/mm/memory_hotplug.c -@@ -34,6 +34,7 @@ +@@ -32,6 +32,7 @@ + #include <linux/hugetlb.h> #include <linux/memblock.h> #include <linux/bootmem.h> - #include <linux/compaction.h> +#include <linux/rmap.h> #include <asm/tlbflush.h> -@@ -1453,6 +1454,21 @@ do_migrate_range(unsigned long start_pfn +@@ -1471,6 +1472,21 @@ do_migrate_range(unsigned long start_pfn, unsigned long end_pfn) continue; } @@ -159,3 +170,6 @@ Signed-off-by: Michal Hocko <mhocko@suse.com> if (!get_page_unless_zero(page)) continue; /* +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-067-mm-devm_memremap_pages-kill-mapping-System-RA.patch b/patches.kernel.org/4.4.170-067-mm-devm_memremap_pages-kill-mapping-System-RA.patch new file mode 100644 index 0000000000..5c3dda2d35 --- /dev/null +++ b/patches.kernel.org/4.4.170-067-mm-devm_memremap_pages-kill-mapping-System-RA.patch @@ -0,0 +1,65 @@ +From: Dan Williams <dan.j.williams@intel.com> +Date: Fri, 28 Dec 2018 00:34:54 -0800 +Subject: [PATCH] mm, devm_memremap_pages: kill mapping "System RAM" support +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 06489cfbd915ff36c8e36df27f1c2dc60f97ca56 + +commit 06489cfbd915ff36c8e36df27f1c2dc60f97ca56 upstream. + +Given the fact that devm_memremap_pages() requires a percpu_ref that is +torn down by devm_memremap_pages_release() the current support for mapping +RAM is broken. + +Support for remapping "System RAM" has been broken since the beginning and +there is no existing user of this this code path, so just kill the support +and make it an explicit error. + +This cleanup also simplifies a follow-on patch to fix the error path when +setting a devm release action for devm_memremap_pages_release() fails. + +Link: http://lkml.kernel.org/r/154275557997.76910.14689813630968180480.stgit@dwillia2-desk3.amr.corp.intel.com +Signed-off-by: Dan Williams <dan.j.williams@intel.com> +Reviewed-by: "Jérôme Glisse" <jglisse@redhat.com> +Reviewed-by: Christoph Hellwig <hch@lst.de> +Reviewed-by: Logan Gunthorpe <logang@deltatee.com> +Cc: Balbir Singh <bsingharora@gmail.com> +Cc: Michal Hocko <mhocko@suse.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + kernel/memremap.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/kernel/memremap.c b/kernel/memremap.c +index 71d28a5dbfc2..1be42f9b3e00 100644 +--- a/kernel/memremap.c ++++ b/kernel/memremap.c +@@ -171,15 +171,12 @@ void *devm_memremap_pages(struct device *dev, struct resource *res) + struct page_map *page_map; + int error, nid; + +- if (is_ram == REGION_MIXED) { +- WARN_ONCE(1, "%s attempted on mixed region %pr\n", +- __func__, res); ++ if (is_ram != REGION_DISJOINT) { ++ WARN_ONCE(1, "%s attempted on %s region %pr\n", __func__, ++ is_ram == REGION_MIXED ? "mixed" : "ram", res); + return ERR_PTR(-ENXIO); + } + +- if (is_ram == REGION_INTERSECTS) +- return __va(res->start); +- + page_map = devres_alloc_node(devm_memremap_pages_release, + sizeof(*page_map), GFP_KERNEL, dev_to_node(dev)); + if (!page_map) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-068-sunrpc-fix-cache_head-leak-due-to-queued-requ.patch b/patches.kernel.org/4.4.170-068-sunrpc-fix-cache_head-leak-due-to-queued-requ.patch new file mode 100644 index 0000000000..bcbd91e004 --- /dev/null +++ b/patches.kernel.org/4.4.170-068-sunrpc-fix-cache_head-leak-due-to-queued-requ.patch @@ -0,0 +1,74 @@ +From: Vasily Averin <vvs@virtuozzo.com> +Date: Wed, 28 Nov 2018 11:45:57 +0300 +Subject: [PATCH] sunrpc: fix cache_head leak due to queued request +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 4ecd55ea074217473f94cfee21bb72864d39f8d7 + +commit 4ecd55ea074217473f94cfee21bb72864d39f8d7 upstream. + +After commit d202cce8963d, an expired cache_head can be removed from the +cache_detail's hash. + +However, the expired cache_head may be waiting for a reply from a +previously submitted request. Such a cache_head has an increased +refcounter and therefore it won't be freed after cache_put(freeme). + +Because the cache_head was removed from the hash it cannot be found +during cache_clean() and can be leaked forever, together with stalled +cache_request and other taken resources. + +In our case we noticed it because an entry in the export cache was +holding a reference on a filesystem. + +Fixes d202cce8963d ("sunrpc: never return expired entries in sunrpc_cache_lookup") +Cc: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> +Cc: stable@kernel.org # 2.6.35 +Signed-off-by: Vasily Averin <vvs@virtuozzo.com> +Reviewed-by: NeilBrown <neilb@suse.com> +Signed-off-by: J. Bruce Fields <bfields@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/sunrpc/cache.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c +index 63fb5ee212cf..af17b00145e1 100644 +--- a/net/sunrpc/cache.c ++++ b/net/sunrpc/cache.c +@@ -54,6 +54,11 @@ static void cache_init(struct cache_head *h, struct cache_detail *detail) + h->last_refresh = now; + } + ++static void cache_fresh_locked(struct cache_head *head, time_t expiry, ++ struct cache_detail *detail); ++static void cache_fresh_unlocked(struct cache_head *head, ++ struct cache_detail *detail); ++ + struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail, + struct cache_head *key, int hash) + { +@@ -95,6 +100,7 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail, + if (cache_is_expired(detail, tmp)) { + hlist_del_init(&tmp->cache_list); + detail->entries --; ++ cache_fresh_locked(tmp, 0, detail); + freeme = tmp; + break; + } +@@ -110,8 +116,10 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail, + cache_get(new); + write_unlock(&detail->hash_lock); + +- if (freeme) ++ if (freeme) { ++ cache_fresh_unlocked(freeme, detail); + cache_put(freeme, detail); ++ } + return new; + } + EXPORT_SYMBOL_GPL(sunrpc_cache_lookup); +-- +2.20.1 + diff --git a/patches.fixes/sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch b/patches.kernel.org/4.4.170-069-sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch index ba4231c4ba..a7ac7feeb7 100644 --- a/patches.fixes/sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch +++ b/patches.kernel.org/4.4.170-069-sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch @@ -1,21 +1,26 @@ From: Vasily Averin <vvs@virtuozzo.com> Date: Mon, 24 Dec 2018 14:44:42 +0300 Subject: [PATCH] sunrpc: use SVC_NET() in svcauth_gss_* functions -Patch-mainline: Submitted, Mon, 24 Dec 2018 14:44:42 +0300 - linux-nfs@vger.kernel.org -References: bsc#1119946 CVE-2018-16884 +References: bnc#1012382 bsc#1119946 CVE-2018-16884 +Patch-mainline: 4.4.170 +Git-commit: b8be5674fa9a6f3677865ea93f7803c4212f3e10 +commit b8be5674fa9a6f3677865ea93f7803c4212f3e10 upstream. Signed-off-by: Vasily Averin <vvs@virtuozzo.com> -Signed-off-by: NeilBrown <neilb@suse.com> -Acked-by: NeilBrown <neilb@suse.com> - +Cc: stable@vger.kernel.org +Signed-off-by: J. Bruce Fields <bfields@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- - net/sunrpc/auth_gss/svcauth_gss.c | 8 ++++---- + net/sunrpc/auth_gss/svcauth_gss.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) +diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c +index 036bbf2b44c1..b5291ea54a3d 100644 --- a/net/sunrpc/auth_gss/svcauth_gss.c +++ b/net/sunrpc/auth_gss/svcauth_gss.c -@@ -1104,7 +1104,7 @@ static int svcauth_gss_legacy_init(struc +@@ -1105,7 +1105,7 @@ static int svcauth_gss_legacy_init(struct svc_rqst *rqstp, struct kvec *resv = &rqstp->rq_res.head[0]; struct rsi *rsip, rsikey; int ret; @@ -24,7 +29,7 @@ Acked-by: NeilBrown <neilb@suse.com> memset(&rsikey, 0, sizeof(rsikey)); ret = gss_read_verf(gc, argv, authp, -@@ -1215,7 +1215,7 @@ static int svcauth_gss_proxy_init(struct +@@ -1216,7 +1216,7 @@ static int svcauth_gss_proxy_init(struct svc_rqst *rqstp, uint64_t handle; int status; int ret; @@ -33,7 +38,7 @@ Acked-by: NeilBrown <neilb@suse.com> struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); memset(&ud, 0, sizeof(ud)); -@@ -1405,7 +1405,7 @@ svcauth_gss_accept(struct svc_rqst *rqst +@@ -1406,7 +1406,7 @@ svcauth_gss_accept(struct svc_rqst *rqstp, __be32 *authp) __be32 *rpcstart; __be32 *reject_stat = resv->iov_base + resv->iov_len; int ret; @@ -42,7 +47,7 @@ Acked-by: NeilBrown <neilb@suse.com> dprintk("RPC: svcauth_gss: argv->iov_len = %zd\n", argv->iov_len); -@@ -1693,7 +1693,7 @@ svcauth_gss_release(struct svc_rqst *rqs +@@ -1694,7 +1694,7 @@ svcauth_gss_release(struct svc_rqst *rqstp) struct rpc_gss_wire_cred *gc = &gsd->clcred; struct xdr_buf *resbuf = &rqstp->rq_res; int stat = -EINVAL; @@ -51,3 +56,6 @@ Acked-by: NeilBrown <neilb@suse.com> if (gc->gc_proc != RPC_GSS_PROC_DATA) goto out; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-070-crypto-x86-chacha20-avoid-sleeping-with-preem.patch b/patches.kernel.org/4.4.170-070-crypto-x86-chacha20-avoid-sleeping-with-preem.patch new file mode 100644 index 0000000000..3f95bde17f --- /dev/null +++ b/patches.kernel.org/4.4.170-070-crypto-x86-chacha20-avoid-sleeping-with-preem.patch @@ -0,0 +1,43 @@ +From: Eric Biggers <ebiggers@google.com> +Date: Mon, 7 Jan 2019 15:15:59 -0800 +Subject: [PATCH] crypto: x86/chacha20 - avoid sleeping with preemption + disabled +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 557f16c7fe26a2d16013c2821c5ce5a90a7da97e + +In chacha20-simd, clear the MAY_SLEEP flag in the blkcipher_desc to +prevent sleeping with preemption disabled, under kernel_fpu_begin(). + +This was fixed upstream incidentally by a large refactoring, +commit 9ae433bc79f9 ("crypto: chacha20 - convert generic and x86 +versions to skcipher"). But syzkaller easily trips over this when +running on older kernels, as it's easily reachable via AF_ALG. +Therefore, this patch makes the minimal fix for older kernels. + +Fixes: c9320b6dcb89 ("crypto: chacha20 - Add a SSSE3 SIMD variant for x86_64") +Cc: linux-crypto@vger.kernel.org +Cc: Martin Willi <martin@strongswan.org> +Signed-off-by: Eric Biggers <ebiggers@google.com> +Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/x86/crypto/chacha20_glue.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/crypto/chacha20_glue.c b/arch/x86/crypto/chacha20_glue.c +index 8baaff5af0b5..75b9d43069f1 100644 +--- a/arch/x86/crypto/chacha20_glue.c ++++ b/arch/x86/crypto/chacha20_glue.c +@@ -77,6 +77,7 @@ static int chacha20_simd(struct blkcipher_desc *desc, struct scatterlist *dst, + + blkcipher_walk_init(&walk, dst, src, nbytes); + err = blkcipher_walk_virt_block(desc, &walk, CHACHA20_BLOCK_SIZE); ++ desc->flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP; + + crypto_chacha20_init(state, crypto_blkcipher_ctx(desc->tfm), walk.iv); + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-071-ALSA-cs46xx-Potential-NULL-dereference-in-pro.patch b/patches.kernel.org/4.4.170-071-ALSA-cs46xx-Potential-NULL-dereference-in-pro.patch new file mode 100644 index 0000000000..50b46a3d02 --- /dev/null +++ b/patches.kernel.org/4.4.170-071-ALSA-cs46xx-Potential-NULL-dereference-in-pro.patch @@ -0,0 +1,39 @@ +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Tue, 8 Jan 2019 10:43:30 +0300 +Subject: [PATCH] ALSA: cs46xx: Potential NULL dereference in probe +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 1524f4e47f90b27a3ac84efbdd94c63172246a6f + +commit 1524f4e47f90b27a3ac84efbdd94c63172246a6f upstream. + +The "chip->dsp_spos_instance" can be NULL on some of the ealier error +paths in snd_cs46xx_create(). + +Reported-by: "Yavuz, Tuba" <tuba@ece.ufl.edu> +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/pci/cs46xx/dsp_spos.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/pci/cs46xx/dsp_spos.c b/sound/pci/cs46xx/dsp_spos.c +index d2951ed4bf71..1984291ebd07 100644 +--- a/sound/pci/cs46xx/dsp_spos.c ++++ b/sound/pci/cs46xx/dsp_spos.c +@@ -899,6 +899,9 @@ int cs46xx_dsp_proc_done (struct snd_cs46xx *chip) + struct dsp_spos_instance * ins = chip->dsp_spos_instance; + int i; + ++ if (!ins) ++ return 0; ++ + snd_info_free_entry(ins->proc_sym_info_entry); + ins->proc_sym_info_entry = NULL; + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-072-ALSA-usb-audio-Avoid-access-before-bLength-ch.patch b/patches.kernel.org/4.4.170-072-ALSA-usb-audio-Avoid-access-before-bLength-ch.patch new file mode 100644 index 0000000000..0bf9c172d3 --- /dev/null +++ b/patches.kernel.org/4.4.170-072-ALSA-usb-audio-Avoid-access-before-bLength-ch.patch @@ -0,0 +1,54 @@ +From: Takashi Iwai <tiwai@suse.de> +Date: Wed, 19 Dec 2018 12:36:27 +0100 +Subject: [PATCH] ALSA: usb-audio: Avoid access before bLength check in + build_audio_procunit() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: f4351a199cc120ff9d59e06d02e8657d08e6cc46 + +commit f4351a199cc120ff9d59e06d02e8657d08e6cc46 upstream. + +The parser for the processing unit reads bNrInPins field before the +bLength sanity check, which may lead to an out-of-bound access when a +malformed descriptor is given. Fix it by assignment after the bLength +check. + +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/usb/mixer.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index 97d6a18e6956..f7eb0d2f797b 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1816,7 +1816,7 @@ static int build_audio_procunit(struct mixer_build *state, int unitid, + char *name) + { + struct uac_processing_unit_descriptor *desc = raw_desc; +- int num_ins = desc->bNrInPins; ++ int num_ins; + struct usb_mixer_elem_info *cval; + struct snd_kcontrol *kctl; + int i, err, nameid, type, len; +@@ -1831,7 +1831,13 @@ static int build_audio_procunit(struct mixer_build *state, int unitid, + 0, NULL, default_value_info + }; + +- if (desc->bLength < 13 || desc->bLength < 13 + num_ins || ++ if (desc->bLength < 13) { ++ usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid); ++ return -EINVAL; ++ } ++ ++ num_ins = desc->bNrInPins; ++ if (desc->bLength < 13 + num_ins || + desc->bLength < num_ins + uac_processing_unit_bControlSize(desc, state->mixer->protocol)) { + usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid); + return -EINVAL; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-073-ALSA-usb-audio-Fix-an-out-of-bound-read-in-cr.patch b/patches.kernel.org/4.4.170-073-ALSA-usb-audio-Fix-an-out-of-bound-read-in-cr.patch new file mode 100644 index 0000000000..74e0bc687a --- /dev/null +++ b/patches.kernel.org/4.4.170-073-ALSA-usb-audio-Fix-an-out-of-bound-read-in-cr.patch @@ -0,0 +1,51 @@ +From: Hui Peng <benquike@163.com> +Date: Tue, 25 Dec 2018 18:11:52 -0500 +Subject: [PATCH] ALSA: usb-audio: Fix an out-of-bound read in + create_composite_quirks +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: cbb2ebf70daf7f7d97d3811a2ff8e39655b8c184 + +commit cbb2ebf70daf7f7d97d3811a2ff8e39655b8c184 upstream. + +In `create_composite_quirk`, the terminating condition of for loops is +`quirk->ifnum < 0`. So any composite quirks should end with `struct +snd_usb_audio_quirk` object with ifnum < 0. + + for (quirk = quirk_comp->data; quirk->ifnum >= 0; ++quirk) { + + ..... + } + +the data field of Bower's & Wilkins PX headphones usb device device quirks +do not end with {.ifnum = -1}, wihch may result in out-of-bound read. + +This Patch fix the bug by adding an ending quirk object. + +Fixes: 240a8af929c7 ("ALSA: usb-audio: Add a quirck for B&W PX headphones") +Signed-off-by: Hui Peng <benquike@163.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/usb/quirks-table.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h +index 15cbe2565703..d32727c74a16 100644 +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -3321,6 +3321,9 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge", "HVR-950Q"), + } + } + }, ++ { ++ .ifnum = -1 ++ }, + } + } + }, +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-074-dlm-fixed-memory-leaks-after-failed-ls_remove.patch b/patches.kernel.org/4.4.170-074-dlm-fixed-memory-leaks-after-failed-ls_remove.patch new file mode 100644 index 0000000000..9e0f6342ce --- /dev/null +++ b/patches.kernel.org/4.4.170-074-dlm-fixed-memory-leaks-after-failed-ls_remove.patch @@ -0,0 +1,46 @@ +From: Vasily Averin <vvs@virtuozzo.com> +Date: Thu, 15 Nov 2018 13:15:05 +0300 +Subject: [PATCH] dlm: fixed memory leaks after failed ls_remove_names + allocation +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: b982896cdb6e6a6b89d86dfb39df489d9df51e14 + +commit b982896cdb6e6a6b89d86dfb39df489d9df51e14 upstream. + +If allocation fails on last elements of array need to free already +allocated elements. + +v2: just move existing out_rsbtbl label to right place + +Fixes 789924ba635f ("dlm: fix race between remove and lookup") +Cc: stable@kernel.org # 3.6 + +Signed-off-by: Vasily Averin <vvs@virtuozzo.com> +Signed-off-by: David Teigland <teigland@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/dlm/lockspace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c +index f3e72787e7f9..30e4e01db35a 100644 +--- a/fs/dlm/lockspace.c ++++ b/fs/dlm/lockspace.c +@@ -673,11 +673,11 @@ static int new_lockspace(const char *name, const char *cluster, + kfree(ls->ls_recover_buf); + out_lkbidr: + idr_destroy(&ls->ls_lkbidr); ++ out_rsbtbl: + for (i = 0; i < DLM_REMOVE_NAMES_MAX; i++) { + if (ls->ls_remove_names[i]) + kfree(ls->ls_remove_names[i]); + } +- out_rsbtbl: + vfree(ls->ls_rsbtbl); + out_lsfree: + if (do_unreg) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-075-dlm-possible-memory-leak-on-error-path-in-cre.patch b/patches.kernel.org/4.4.170-075-dlm-possible-memory-leak-on-error-path-in-cre.patch new file mode 100644 index 0000000000..f6a3f03dc8 --- /dev/null +++ b/patches.kernel.org/4.4.170-075-dlm-possible-memory-leak-on-error-path-in-cre.patch @@ -0,0 +1,35 @@ +From: Vasily Averin <vvs@virtuozzo.com> +Date: Thu, 15 Nov 2018 13:18:18 +0300 +Subject: [PATCH] dlm: possible memory leak on error path in create_lkb() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 23851e978f31eda8b2d01bd410d3026659ca06c7 + +commit 23851e978f31eda8b2d01bd410d3026659ca06c7 upstream. + +Fixes 3d6aa675fff9 ("dlm: keep lkbs in idr") +Cc: stable@kernel.org # 3.1 + +Signed-off-by: Vasily Averin <vvs@virtuozzo.com> +Signed-off-by: David Teigland <teigland@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/dlm/lock.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c +index 35502d4046f5..1d404c832e33 100644 +--- a/fs/dlm/lock.c ++++ b/fs/dlm/lock.c +@@ -1210,6 +1210,7 @@ static int create_lkb(struct dlm_ls *ls, struct dlm_lkb **lkb_ret) + + if (rv < 0) { + log_error(ls, "create_lkb idr error %d", rv); ++ dlm_free_lkb(lkb); + return rv; + } + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-076-dlm-lost-put_lkb-on-error-path-in-receive_con.patch b/patches.kernel.org/4.4.170-076-dlm-lost-put_lkb-on-error-path-in-receive_con.patch new file mode 100644 index 0000000000..587a30980e --- /dev/null +++ b/patches.kernel.org/4.4.170-076-dlm-lost-put_lkb-on-error-path-in-receive_con.patch @@ -0,0 +1,44 @@ +From: Vasily Averin <vvs@virtuozzo.com> +Date: Thu, 15 Nov 2018 13:18:24 +0300 +Subject: [PATCH] dlm: lost put_lkb on error path in receive_convert() and + receive_unlock() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: c0174726c3976e67da8649ac62cae43220ae173a + +commit c0174726c3976e67da8649ac62cae43220ae173a upstream. + +Fixes 6d40c4a708e0 ("dlm: improve error and debug messages") +Cc: stable@kernel.org # 3.5 + +Signed-off-by: Vasily Averin <vvs@virtuozzo.com> +Signed-off-by: David Teigland <teigland@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/dlm/lock.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c +index 1d404c832e33..1e6a3a391849 100644 +--- a/fs/dlm/lock.c ++++ b/fs/dlm/lock.c +@@ -4178,6 +4178,7 @@ static int receive_convert(struct dlm_ls *ls, struct dlm_message *ms) + (unsigned long long)lkb->lkb_recover_seq, + ms->m_header.h_nodeid, ms->m_lkid); + error = -ENOENT; ++ dlm_put_lkb(lkb); + goto fail; + } + +@@ -4231,6 +4232,7 @@ static int receive_unlock(struct dlm_ls *ls, struct dlm_message *ms) + lkb->lkb_id, lkb->lkb_remid, + ms->m_header.h_nodeid, ms->m_lkid); + error = -ENOENT; ++ dlm_put_lkb(lkb); + goto fail; + } + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-077-dlm-memory-leaks-on-error-path-in-dlm_user_re.patch b/patches.kernel.org/4.4.170-077-dlm-memory-leaks-on-error-path-in-dlm_user_re.patch new file mode 100644 index 0000000000..5ea5b940ba --- /dev/null +++ b/patches.kernel.org/4.4.170-077-dlm-memory-leaks-on-error-path-in-dlm_user_re.patch @@ -0,0 +1,61 @@ +From: Vasily Averin <vvs@virtuozzo.com> +Date: Thu, 15 Nov 2018 13:18:56 +0300 +Subject: [PATCH] dlm: memory leaks on error path in dlm_user_request() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: d47b41aceeadc6b58abc9c7c6485bef7cfb75636 + +commit d47b41aceeadc6b58abc9c7c6485bef7cfb75636 upstream. + +According to comment in dlm_user_request() ua should be freed +in dlm_free_lkb() after successful attach to lkb. + +However ua is attached to lkb not in set_lock_args() but later, +inside request_lock(). + +Fixes 597d0cae0f99 ("[DLM] dlm: user locks") +Cc: stable@kernel.org # 2.6.19 + +Signed-off-by: Vasily Averin <vvs@virtuozzo.com> +Signed-off-by: David Teigland <teigland@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/dlm/lock.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c +index 1e6a3a391849..3a7f401e943c 100644 +--- a/fs/dlm/lock.c ++++ b/fs/dlm/lock.c +@@ -5795,20 +5795,20 @@ int dlm_user_request(struct dlm_ls *ls, struct dlm_user_args *ua, + goto out; + } + } +- +- /* After ua is attached to lkb it will be freed by dlm_free_lkb(). +- When DLM_IFL_USER is set, the dlm knows that this is a userspace +- lock and that lkb_astparam is the dlm_user_args structure. */ +- + error = set_lock_args(mode, &ua->lksb, flags, namelen, timeout_cs, + fake_astfn, ua, fake_bastfn, &args); +- lkb->lkb_flags |= DLM_IFL_USER; +- + if (error) { ++ kfree(ua->lksb.sb_lvbptr); ++ ua->lksb.sb_lvbptr = NULL; ++ kfree(ua); + __put_lkb(ls, lkb); + goto out; + } + ++ /* After ua is attached to lkb it will be freed by dlm_free_lkb(). ++ When DLM_IFL_USER is set, the dlm knows that this is a userspace ++ lock and that lkb_astparam is the dlm_user_args structure. */ ++ lkb->lkb_flags |= DLM_IFL_USER; + error = request_lock(ls, lkb, name, namelen, &args); + + switch (error) { +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-078-gfs2-Fix-loop-in-gfs2_rbm_find.patch b/patches.kernel.org/4.4.170-078-gfs2-Fix-loop-in-gfs2_rbm_find.patch new file mode 100644 index 0000000000..65175eba55 --- /dev/null +++ b/patches.kernel.org/4.4.170-078-gfs2-Fix-loop-in-gfs2_rbm_find.patch @@ -0,0 +1,42 @@ +From: Andreas Gruenbacher <agruenba@redhat.com> +Date: Tue, 4 Dec 2018 15:06:27 +0100 +Subject: [PATCH] gfs2: Fix loop in gfs2_rbm_find +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 2d29f6b96d8f80322ed2dd895bca590491c38d34 + +commit 2d29f6b96d8f80322ed2dd895bca590491c38d34 upstream. + +Fix the resource group wrap-around logic in gfs2_rbm_find that commit +e579ed4f44 broke. The bug can lead to unnecessary repeated scanning of the +same bitmaps; there is a risk that future changes will turn this into an +endless loop. + +Fixes: e579ed4f44 ("GFS2: Introduce rbm field bii") +Cc: stable@vger.kernel.org # v3.13+ +Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> +Signed-off-by: Bob Peterson <rpeterso@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/gfs2/rgrp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c +index ef24894edecc..763fe7737065 100644 +--- a/fs/gfs2/rgrp.c ++++ b/fs/gfs2/rgrp.c +@@ -1720,9 +1720,9 @@ static int gfs2_rbm_find(struct gfs2_rbm *rbm, u8 state, u32 *minext, + goto next_iter; + } + if (ret == -E2BIG) { ++ n += rbm->bii - initial_bii; + rbm->bii = 0; + rbm->offset = 0; +- n += (rbm->bii - initial_bii); + goto res_covered_end_of_rgrp; + } + return ret; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-079-b43-Fix-error-in-cordic-routine.patch b/patches.kernel.org/4.4.170-079-b43-Fix-error-in-cordic-routine.patch new file mode 100644 index 0000000000..2557b80ccf --- /dev/null +++ b/patches.kernel.org/4.4.170-079-b43-Fix-error-in-cordic-routine.patch @@ -0,0 +1,48 @@ +From: Larry Finger <Larry.Finger@lwfinger.net> +Date: Mon, 19 Nov 2018 20:01:24 +0200 +Subject: [PATCH] b43: Fix error in cordic routine +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 8ea3819c0bbef57a51d8abe579e211033e861677 + +commit 8ea3819c0bbef57a51d8abe579e211033e861677 upstream. + +The cordic routine for calculating sines and cosines that was added in +commit 6f98e62a9f1b ("b43: update cordic code to match current specs") +contains an error whereby a quantity declared u32 can in fact go negative. + +This problem was detected by Priit Laes who is switching b43 to use the +routine in the library functions of the kernel. + +Fixes: 986504540306 ("b43: make cordic common (LP-PHY and N-PHY need it)") +Reported-by: Priit Laes <plaes@plaes.org> +Cc: Rafał Miłecki <zajec5@gmail.com> +Cc: Stable <stable@vger.kernel.org> # 2.6.34 +Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> +Signed-off-by: Priit Laes <plaes@plaes.org> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/wireless/b43/phy_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/b43/phy_common.c b/drivers/net/wireless/b43/phy_common.c +index ec2b9c577b90..3644c9edaf81 100644 +--- a/drivers/net/wireless/b43/phy_common.c ++++ b/drivers/net/wireless/b43/phy_common.c +@@ -616,7 +616,7 @@ struct b43_c32 b43_cordic(int theta) + u8 i; + s32 tmp; + s8 signx = 1; +- u32 angle = 0; ++ s32 angle = 0; + struct b43_c32 ret = { .i = 39797, .q = 0, }; + + while (theta > (180 << 16)) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-080-9p-net-put-a-lower-bound-on-msize.patch b/patches.kernel.org/4.4.170-080-9p-net-put-a-lower-bound-on-msize.patch new file mode 100644 index 0000000000..d444f6b239 --- /dev/null +++ b/patches.kernel.org/4.4.170-080-9p-net-put-a-lower-bound-on-msize.patch @@ -0,0 +1,86 @@ +From: Dominique Martinet <dominique.martinet@cea.fr> +Date: Mon, 5 Nov 2018 09:52:48 +0100 +Subject: [PATCH] 9p/net: put a lower bound on msize +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 574d356b7a02c7e1b01a1d9cba8a26b3c2888f45 + +commit 574d356b7a02c7e1b01a1d9cba8a26b3c2888f45 upstream. + +If the requested msize is too small (either from command line argument +or from the server version reply), we won't get any work done. +If it's *really* too small, nothing will work, and this got caught by +syzbot recently (on a new kmem_cache_create_usercopy() call) + +Just set a minimum msize to 4k in both code paths, until someone +complains they have a use-case for a smaller msize. + +We need to check in both mount option and server reply individually +because the msize for the first version request would be unchecked +with just a global check on clnt->msize. + +Link: http://lkml.kernel.org/r/1541407968-31350-1-git-send-email-asmadeus@codewreck.org +Reported-by: syzbot+0c1d61e4db7db94102ca@syzkaller.appspotmail.com +Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr> +Cc: Eric Van Hensbergen <ericvh@gmail.com> +Cc: Latchesar Ionkov <lucho@ionkov.net> +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/9p/client.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/net/9p/client.c b/net/9p/client.c +index ed8738c4dc09..8fba9cd973c1 100644 +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -156,6 +156,12 @@ static int parse_opts(char *opts, struct p9_client *clnt) + ret = r; + continue; + } ++ if (option < 4096) { ++ p9_debug(P9_DEBUG_ERROR, ++ "msize should be at least 4k\n"); ++ ret = -EINVAL; ++ continue; ++ } + clnt->msize = option; + break; + case Opt_trans: +@@ -972,10 +978,18 @@ static int p9_client_version(struct p9_client *c) + else if (!strncmp(version, "9P2000", 6)) + c->proto_version = p9_proto_legacy; + else { ++ p9_debug(P9_DEBUG_ERROR, ++ "server returned an unknown version: %s\n", version); + err = -EREMOTEIO; + goto error; + } + ++ if (msize < 4096) { ++ p9_debug(P9_DEBUG_ERROR, ++ "server returned a msize < 4096: %d\n", msize); ++ err = -EREMOTEIO; ++ goto error; ++ } + if (msize < c->msize) + c->msize = msize; + +@@ -1040,6 +1054,13 @@ struct p9_client *p9_client_create(const char *dev_name, char *options) + if (clnt->msize > clnt->trans_mod->maxsize) + clnt->msize = clnt->trans_mod->maxsize; + ++ if (clnt->msize < 4096) { ++ p9_debug(P9_DEBUG_ERROR, ++ "Please specify a msize of at least 4k\n"); ++ err = -EINVAL; ++ goto free_client; ++ } ++ + err = p9_client_version(clnt); + if (err) + goto close_trans; +-- +2.20.1 + diff --git a/patches.drivers/iommu-vt-d-handle-domain-agaw-being-less-than-iommu-agaw b/patches.kernel.org/4.4.170-081-iommu-vt-d-Handle-domain-agaw-being-less-than.patch index 5ea5bb81ef..42b1e88d82 100644 --- a/patches.drivers/iommu-vt-d-handle-domain-agaw-being-less-than-iommu-agaw +++ b/patches.kernel.org/4.4.170-081-iommu-vt-d-Handle-domain-agaw-being-less-than.patch @@ -1,9 +1,11 @@ From: Sohil Mehta <sohil.mehta@intel.com> Date: Wed, 21 Nov 2018 15:29:33 -0800 -Subject: iommu/vt-d: Handle domain agaw being less than iommu agaw +Subject: [PATCH] iommu/vt-d: Handle domain agaw being less than iommu agaw +Patch-mainline: 4.4.170 +References: bnc#1012382 bsc#1106105 Git-commit: 3569dd07aaad71920c5ea4da2d5cc9a167c1ffd4 -Patch-mainline: v5.0-rc1 -References: bsc#1106105 + +commit 3569dd07aaad71920c5ea4da2d5cc9a167c1ffd4 upstream. The Intel IOMMU driver opportunistically skips a few top level page tables from the domain paging directory while programming the IOMMU @@ -29,15 +31,17 @@ Reported-by: Ramos Falcon, Ernesto R <ernesto.r.ramos.falcon@intel.com> Tested-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com> Signed-off-by: Sohil Mehta <sohil.mehta@intel.com> Signed-off-by: Joerg Roedel <jroedel@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- drivers/iommu/intel-iommu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c -index f3ccf025108b..fdf79baf1d79 100644 +index 7feaa82f8c7c..8b4a4d95669a 100644 --- a/drivers/iommu/intel-iommu.c +++ b/drivers/iommu/intel-iommu.c -@@ -2044,7 +2044,7 @@ static int domain_context_mapping_one(struct dmar_domain *domain, +@@ -2041,7 +2041,7 @@ static int domain_context_mapping_one(struct dmar_domain *domain, * than default. Unnecessary for PT mode. */ if (translation != CONTEXT_TT_PASS_THROUGH) { @@ -46,7 +50,7 @@ index f3ccf025108b..fdf79baf1d79 100644 ret = -ENOMEM; pgd = phys_to_virt(dma_pte_addr(pgd)); if (!dma_pte_present(pgd)) -@@ -2058,7 +2058,7 @@ static int domain_context_mapping_one(struct dmar_domain *domain, +@@ -2055,7 +2055,7 @@ static int domain_context_mapping_one(struct dmar_domain *domain, translation = CONTEXT_TT_MULTI_LEVEL; context_set_address_root(context, virt_to_phys(pgd)); @@ -55,4 +59,6 @@ index f3ccf025108b..fdf79baf1d79 100644 } else { /* * In pass through mode, AW must be programmed to +-- +2.20.1 diff --git a/patches.fixes/ceph-don-t-update-importing-cap-s-mseq-when-handing-cap-export.patch b/patches.kernel.org/4.4.170-082-ceph-don-t-update-importing-cap-s-mseq-when-h.patch index 6d6a130efa..14884e1afa 100644 --- a/patches.fixes/ceph-don-t-update-importing-cap-s-mseq-when-handing-cap-export.patch +++ b/patches.kernel.org/4.4.170-082-ceph-don-t-update-importing-cap-s-mseq-when-h.patch @@ -1,9 +1,12 @@ From: "Yan, Zheng" <zyan@redhat.com> Date: Thu, 29 Nov 2018 11:22:50 +0800 -Subject: ceph: don't update importing cap's mseq when handing cap export +Subject: [PATCH] ceph: don't update importing cap's mseq when handing cap + export +Patch-mainline: 4.4.170 +References: bnc#1012382 bsc#1121275 Git-commit: 3c1392d4c49962a31874af14ae9ff289cb2b3851 -Patch-mainline: v5.0-rc1 -References: bsc#1121275 + +commit 3c1392d4c49962a31874af14ae9ff289cb2b3851 upstream. Updating mseq makes client think importer mds has accepted all prior cap messages and importer mds knows what caps client wants. Actually @@ -15,16 +18,17 @@ reset by cap import message. Cc: stable@vger.kernel.org Signed-off-by: "Yan, Zheng" <zyan@redhat.com> Signed-off-by: Ilya Dryomov <idryomov@gmail.com> -Acked-by: Luis Henriques <lhenriques@suse.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- fs/ceph/caps.c | 1 - 1 file changed, 1 deletion(-) diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c -index f3496db4bb3e..a58666a3f8dd 100644 +index 0e3de1bb6500..e7b54514d99a 100644 --- a/fs/ceph/caps.c +++ b/fs/ceph/caps.c -@@ -3569,7 +3569,6 @@ static void handle_cap_export(struct inode *inode, struct ceph_mds_caps *ex, +@@ -3243,7 +3243,6 @@ static void handle_cap_export(struct inode *inode, struct ceph_mds_caps *ex, tcap->cap_id = t_cap_id; tcap->seq = t_seq - 1; tcap->issue_seq = t_seq - 1; @@ -32,4 +36,6 @@ index f3496db4bb3e..a58666a3f8dd 100644 tcap->issued |= issued; tcap->implemented |= issued; if (cap == ci->i_auth_cap) +-- +2.20.1 diff --git a/patches.kernel.org/4.4.170-083-genwqe-Fix-size-check.patch b/patches.kernel.org/4.4.170-083-genwqe-Fix-size-check.patch new file mode 100644 index 0000000000..653d40ca2b --- /dev/null +++ b/patches.kernel.org/4.4.170-083-genwqe-Fix-size-check.patch @@ -0,0 +1,70 @@ +From: Christian Borntraeger <borntraeger@de.ibm.com> +Date: Wed, 12 Dec 2018 14:45:18 +0100 +Subject: [PATCH] genwqe: Fix size check +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: fdd669684655c07dacbdb0d753fd13833de69a33 + +commit fdd669684655c07dacbdb0d753fd13833de69a33 upstream. + +Calling the test program genwqe_cksum with the default buffer size of +2MB triggers the following kernel warning on s390: + +WARNING: CPU: 30 PID: 9311 at mm/page_alloc.c:3189 __alloc_pages_nodemask+0x45c/0xbe0 +CPU: 30 PID: 9311 Comm: genwqe_cksum Kdump: loaded Not tainted 3.10.0-957.el7.s390x #1 +task: 00000005e5d13980 ti: 00000005e7c6c000 task.ti: 00000005e7c6c000 +Krnl PSW : 0704c00180000000 00000000002780ac (__alloc_pages_nodemask+0x45c/0xbe0) + R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 EA:3 +Krnl GPRS: 00000000002932b8 0000000000b73d7c 0000000000000010 0000000000000009 + 0000000000000041 00000005e7c6f9b8 0000000000000001 00000000000080d0 + 0000000000000000 0000000000b70500 0000000000000001 0000000000000000 + 0000000000b70528 00000000007682c0 0000000000277df2 00000005e7c6f9a0 +Krnl Code: 000000000027809e: de7195001000 ed 1280(114,%r9),0(%r1) + 00000000002780a4: a774fead brc 7,277dfe + #00000000002780a8: a7f40001 brc 15,2780aa + >00000000002780ac: 92011000 mvi 0(%r1),1 + 00000000002780b0: a7f4fea7 brc 15,277dfe + 00000000002780b4: 9101c6b6 tm 1718(%r12),1 + 00000000002780b8: a784ff3a brc 8,277f2c + 00000000002780bc: a7f4fe2e brc 15,277d18 +Call Trace: +([<0000000000277df2>] __alloc_pages_nodemask+0x1a2/0xbe0) + [<000000000013afae>] s390_dma_alloc+0xfe/0x310 + [<000003ff8065f362>] __genwqe_alloc_consistent+0xfa/0x148 [genwqe_card] + [<000003ff80658f7a>] genwqe_mmap+0xca/0x248 [genwqe_card] + [<00000000002b2712>] mmap_region+0x4e2/0x778 + [<00000000002b2c54>] do_mmap+0x2ac/0x3e0 + [<0000000000292d7e>] vm_mmap_pgoff+0xd6/0x118 + [<00000000002b081c>] SyS_mmap_pgoff+0xdc/0x268 + [<00000000002b0a34>] SyS_old_mmap+0x8c/0xb0 + [<000000000074e518>] sysc_tracego+0x14/0x1e + [<000003ffacf87dc6>] 0x3ffacf87dc6 + +turns out the check in __genwqe_alloc_consistent uses "> MAX_ORDER" +while the mm code uses ">= MAX_ORDER". Fix genwqe. + +Cc: stable@vger.kernel.org +Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> +Signed-off-by: Frank Haverkamp <haver@linux.vnet.ibm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/misc/genwqe/card_utils.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/misc/genwqe/card_utils.c b/drivers/misc/genwqe/card_utils.c +index 524660510599..0c15ba21fa54 100644 +--- a/drivers/misc/genwqe/card_utils.c ++++ b/drivers/misc/genwqe/card_utils.c +@@ -217,7 +217,7 @@ u32 genwqe_crc32(u8 *buff, size_t len, u32 init) + void *__genwqe_alloc_consistent(struct genwqe_dev *cd, size_t size, + dma_addr_t *dma_handle) + { +- if (get_order(size) > MAX_ORDER) ++ if (get_order(size) >= MAX_ORDER) + return NULL; + + return dma_alloc_coherent(&cd->pci_dev->dev, size, dma_handle, +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-084-intel_th-msu-Fix-an-off-by-one-in-attribute-s.patch b/patches.kernel.org/4.4.170-084-intel_th-msu-Fix-an-off-by-one-in-attribute-s.patch new file mode 100644 index 0000000000..5ab97df4ba --- /dev/null +++ b/patches.kernel.org/4.4.170-084-intel_th-msu-Fix-an-off-by-one-in-attribute-s.patch @@ -0,0 +1,57 @@ +From: Alexander Shishkin <alexander.shishkin@linux.intel.com> +Date: Wed, 19 Dec 2018 17:19:22 +0200 +Subject: [PATCH] intel_th: msu: Fix an off-by-one in attribute store +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: ec5b5ad6e272d8d6b92d1007f79574919862a2d2 + +commit ec5b5ad6e272d8d6b92d1007f79574919862a2d2 upstream. + +The 'nr_pages' attribute of the 'msc' subdevices parses a comma-separated +list of window sizes, passed from userspace. However, there is a bug in +the string parsing logic wherein it doesn't exclude the comma character +from the range of characters as it consumes them. This leads to an +out-of-bounds access given a sufficiently long list. For example: + +> # echo 8,8,8,8 > /sys/bus/intel_th/devices/0-msc0/nr_pages +> ================================================================== +> BUG: KASAN: slab-out-of-bounds in memchr+0x1e/0x40 +> Read of size 1 at addr ffff8803ffcebcd1 by task sh/825 +> +> CPU: 3 PID: 825 Comm: npktest.sh Tainted: G W 4.20.0-rc1+ +> Call Trace: +> dump_stack+0x7c/0xc0 +> print_address_description+0x6c/0x23c +> ? memchr+0x1e/0x40 +> kasan_report.cold.5+0x241/0x308 +> memchr+0x1e/0x40 +> nr_pages_store+0x203/0xd00 [intel_th_msu] + +Fix this by accounting for the comma character. + +Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com> +Fixes: ba82664c134ef ("intel_th: Add Memory Storage Unit driver") +Cc: stable@vger.kernel.org # v4.4+ +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/hwtracing/intel_th/msu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwtracing/intel_th/msu.c b/drivers/hwtracing/intel_th/msu.c +index 70ca27e45602..9d9e47eb0842 100644 +--- a/drivers/hwtracing/intel_th/msu.c ++++ b/drivers/hwtracing/intel_th/msu.c +@@ -1418,7 +1418,8 @@ nr_pages_store(struct device *dev, struct device_attribute *attr, + if (!end) + break; + +- len -= end - p; ++ /* consume the number and the following comma, hence +1 */ ++ len -= end - p + 1; + p = end + 1; + } while (len); + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-085-power-supply-olpc_battery-correct-the-tempera.patch b/patches.kernel.org/4.4.170-085-power-supply-olpc_battery-correct-the-tempera.patch new file mode 100644 index 0000000000..bee05dee49 --- /dev/null +++ b/patches.kernel.org/4.4.170-085-power-supply-olpc_battery-correct-the-tempera.patch @@ -0,0 +1,56 @@ +From: Lubomir Rintel <lkundrak@v3.sk> +Date: Fri, 16 Nov 2018 17:23:47 +0100 +Subject: [PATCH] power: supply: olpc_battery: correct the temperature units +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: ed54ffbe554f0902689fd6d1712bbacbacd11376 + +commit ed54ffbe554f0902689fd6d1712bbacbacd11376 upstream. + +According to [1] and [2], the temperature values are in tenths of degree +Celsius. Exposing the Celsius value makes the battery appear on fire: + + $ upower -i /org/freedesktop/UPower/devices/battery_olpc_battery + ... + temperature: 236.9 degrees C + +Tested on OLPC XO-1 and OLPC XO-1.75 laptops. + +[1] include/linux/power_supply.h +[2] Documentation/power/power_supply_class.txt + +Fixes: fb972873a767 ("[BATTERY] One Laptop Per Child power/battery driver") +Cc: stable@vger.kernel.org +Signed-off-by: Lubomir Rintel <lkundrak@v3.sk> +Acked-by: Pavel Machek <pavel@ucw.cz> +Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/power/olpc_battery.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/olpc_battery.c b/drivers/power/olpc_battery.c +index 9e29b1321648..15783869e1a0 100644 +--- a/drivers/power/olpc_battery.c ++++ b/drivers/power/olpc_battery.c +@@ -427,14 +427,14 @@ static int olpc_bat_get_property(struct power_supply *psy, + if (ret) + return ret; + +- val->intval = (s16)be16_to_cpu(ec_word) * 100 / 256; ++ val->intval = (s16)be16_to_cpu(ec_word) * 10 / 256; + break; + case POWER_SUPPLY_PROP_TEMP_AMBIENT: + ret = olpc_ec_cmd(EC_AMB_TEMP, NULL, 0, (void *)&ec_word, 2); + if (ret) + return ret; + +- val->intval = (int)be16_to_cpu(ec_word) * 100 / 256; ++ val->intval = (int)be16_to_cpu(ec_word) * 10 / 256; + break; + case POWER_SUPPLY_PROP_CHARGE_COUNTER: + ret = olpc_ec_cmd(EC_BAT_ACR, NULL, 0, (void *)&ec_word, 2); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-086-Linux-4.4.170.patch b/patches.kernel.org/4.4.170-086-Linux-4.4.170.patch new file mode 100644 index 0000000000..5c5018f9c9 --- /dev/null +++ b/patches.kernel.org/4.4.170-086-Linux-4.4.170.patch @@ -0,0 +1,27 @@ +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Date: Sun, 13 Jan 2019 10:05:34 +0100 +Subject: [PATCH] Linux 4.4.170 +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: b83b3fa78445387f351cef477a112e503d72b9f0 + +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 0d41b0626c0c..bc58f206c0da 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 169 ++SUBLEVEL = 170 + EXTRAVERSION = + NAME = Blurry Fish Butt + +-- +2.20.1 + diff --git a/patches.rpmify/ppc64le-build-vmlinux.patch b/patches.rpmify/ppc64le-build-vmlinux.patch index 997def9a00..485d83e2e7 100644 --- a/patches.rpmify/ppc64le-build-vmlinux.patch +++ b/patches.rpmify/ppc64le-build-vmlinux.patch @@ -1,6 +1,6 @@ From: Dinar Valeev <dvaleev@suse.com> Subject: PPC: Build only vmlinux target -Patch-Mainline: no, tbd (ancient patch) +Patch-Mainline: no, not needed References: bsc#1070805 @@ -8,6 +8,9 @@ The zImage target doesn't build on ppc64le and we only ever care about the resulting vmlinux file anyway, so drop compilation of the zImage target for us. +This works out of the box with 4.12 so the zImage issue was resolved upsttream +eventually. + Signed-off-by: Dinar Valeev <dvaleev@suse.com> Signed-off-by: Alexander Graf <agraf@suse.de> @@ -18,8 +21,51 @@ Signed-off-by: Alexander Graf <agraf@suse.de> # Default to zImage, override when needed -all: zImage -+all: vmlinux ++all: vmlinux # With make 3.82 we cannot mix normal and wildcard targets BOOT_TARGETS1 := zImage zImage.initrd uImage +diff --git a/arch/powerpc/boot/Makefile b/arch/powerpc/boot/Makefile +index b45a0e54f14b..075c37b9b5db 100644 +--- a/arch/powerpc/boot/Makefile ++++ b/arch/powerpc/boot/Makefile +@@ -17,7 +17,7 @@ + # CROSS32_COMPILE is setup as a prefix just like CROSS_COMPILE + # in the toplevel makefile. + +-all: $(obj)/zImage ++all: $(obj)/vmlinux + + BOOTCFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \ + -fno-strict-aliasing -Os -msoft-float -pipe \ +@@ -213,18 +213,18 @@ quiet_cmd_wrap = WRAP $@ + cmd_wrap =$(CONFIG_SHELL) $(wrapper) -c -o $@ -p $2 $(CROSSWRAP) \ + $(if $3, -s $3)$(if $4, -d $4)$(if $5, -i $5) vmlinux + +-image-$(CONFIG_PPC_PSERIES) += zImage.pseries +-image-$(CONFIG_PPC_POWERNV) += zImage.pseries +-image-$(CONFIG_PPC_MAPLE) += zImage.maple +-image-$(CONFIG_PPC_IBM_CELL_BLADE) += zImage.pseries +-image-$(CONFIG_PPC_PS3) += dtbImage.ps3 +-image-$(CONFIG_PPC_CELL_QPACE) += zImage.pseries +-image-$(CONFIG_PPC_CHRP) += zImage.chrp +-image-$(CONFIG_PPC_EFIKA) += zImage.chrp +-image-$(CONFIG_PPC_PMAC) += zImage.pmac +-image-$(CONFIG_PPC_HOLLY) += dtbImage.holly ++image-$(CONFIG_PPC_PSERIES) += ++image-$(CONFIG_PPC_POWERNV) += ++image-$(CONFIG_PPC_MAPLE) += ++image-$(CONFIG_PPC_IBM_CELL_BLADE) += ++image-$(CONFIG_PPC_PS3) += ++image-$(CONFIG_PPC_CELL_QPACE) += ++image-$(CONFIG_PPC_CHRP) += ++image-$(CONFIG_PPC_EFIKA) += ++image-$(CONFIG_PPC_PMAC) += ++image-$(CONFIG_PPC_HOLLY) += + image-$(CONFIG_DEFAULT_UIMAGE) += uImage +-image-$(CONFIG_EPAPR_BOOT) += zImage.epapr ++image-$(CONFIG_EPAPR_BOOT) += + + # + # Targets which embed a device tree blob diff --git a/patches.suse/0046-perf-tools-omit-unnecessary-cast-in-perf_pmu__parse_scale b/patches.suse/0046-perf-tools-omit-unnecessary-cast-in-perf_pmu__parse_scale index 39475866e0..78522abe34 100644 --- a/patches.suse/0046-perf-tools-omit-unnecessary-cast-in-perf_pmu__parse_scale +++ b/patches.suse/0046-perf-tools-omit-unnecessary-cast-in-perf_pmu__parse_scale @@ -19,23 +19,21 @@ Cc: Thomas Gleixner <tglx@linutronix.de> Link: http://lkml.kernel.org/r/20160308184230.GB7897@krava.redhat.com Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> --- - tools/perf/util/pmu.c | 4 ++-- + tools/perf/util/pmu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c -index d8cd038baed2..adef23b1352e 100644 --- a/tools/perf/util/pmu.c +++ b/tools/perf/util/pmu.c -@@ -98,7 +98,7 @@ static int perf_pmu__parse_scale(struct perf_pmu_alias *alias, char *dir, char * +@@ -98,7 +98,7 @@ static int perf_pmu__parse_scale(struct char scale[128]; int fd, ret = -1; char path[PATH_MAX]; - const char *lc; + char *lc; - snprintf(path, PATH_MAX, "%s/%s.scale", dir, name); + scnprintf(path, PATH_MAX, "%s/%s.scale", dir, name); -@@ -146,7 +146,7 @@ static int perf_pmu__parse_scale(struct perf_pmu_alias *alias, char *dir, char * +@@ -146,7 +146,7 @@ static int perf_pmu__parse_scale(struct /* restore locale */ setlocale(LC_NUMERIC, lc); @@ -44,4 +42,3 @@ index d8cd038baed2..adef23b1352e 100644 ret = 0; error: - diff --git a/patches.suse/0047-perf-pmu-factor-out-scale-conversion-code b/patches.suse/0047-perf-pmu-factor-out-scale-conversion-code index 0f72b1728e..ffbf74e477 100644 --- a/patches.suse/0047-perf-pmu-factor-out-scale-conversion-code +++ b/patches.suse/0047-perf-pmu-factor-out-scale-conversion-code @@ -17,14 +17,12 @@ Link: http://lkml.kernel.org/r/20170103150833.6694-2-andi@firstfloor.org [ Keep returning -ENOMEM when strdup() fails in perf_pmu__parse_scale()/convert_scale() ] Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> --- - tools/perf/util/pmu.c | 62 ++++++++++++++++++++++++++++----------------------- + tools/perf/util/pmu.c | 62 +++++++++++++++++++++++++++----------------------- 1 file changed, 34 insertions(+), 28 deletions(-) -diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c -index dc6ccaa4e927..78b16100567d 100644 --- a/tools/perf/util/pmu.c +++ b/tools/perf/util/pmu.c -@@ -94,32 +94,10 @@ static int pmu_format(const char *name, struct list_head *format) +@@ -94,32 +94,10 @@ static int pmu_format(const char *name, return 0; } @@ -38,7 +36,7 @@ index dc6ccaa4e927..78b16100567d 100644 - char path[PATH_MAX]; char *lc; - -- snprintf(path, PATH_MAX, "%s/%s.scale", dir, name); +- scnprintf(path, PATH_MAX, "%s/%s.scale", dir, name); - - fd = open(path, O_RDONLY); - if (fd == -1) @@ -59,7 +57,7 @@ index dc6ccaa4e927..78b16100567d 100644 /* * save current locale -@@ -134,7 +112,7 @@ static int perf_pmu__parse_scale(struct perf_pmu_alias *alias, char *dir, char * +@@ -134,7 +112,7 @@ static int perf_pmu__parse_scale(struct lc = strdup(lc); if (!lc) { ret = -ENOMEM; @@ -68,7 +66,7 @@ index dc6ccaa4e927..78b16100567d 100644 } /* -@@ -144,14 +122,42 @@ static int perf_pmu__parse_scale(struct perf_pmu_alias *alias, char *dir, char * +@@ -144,14 +122,42 @@ static int perf_pmu__parse_scale(struct */ setlocale(LC_NUMERIC, "C"); @@ -91,7 +89,7 @@ index dc6ccaa4e927..78b16100567d 100644 + int fd, ret = -1; + char path[PATH_MAX]; + -+ snprintf(path, PATH_MAX, "%s/%s.scale", dir, name); ++ scnprintf(path, PATH_MAX, "%s/%s.scale", dir, name); + + fd = open(path, O_RDONLY); + if (fd == -1) @@ -114,4 +112,3 @@ index dc6ccaa4e927..78b16100567d 100644 error: close(fd); return ret; - diff --git a/patches.suse/mm-compaction-introduce-kcompactd.patch b/patches.suse/mm-compaction-introduce-kcompactd.patch index 141f8fc6f7..41aab0fdeb 100644 --- a/patches.suse/mm-compaction-introduce-kcompactd.patch +++ b/patches.suse/mm-compaction-introduce-kcompactd.patch @@ -96,21 +96,19 @@ Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Mel Gorman <mgorman@suse.de> --- - include/linux/compaction.h | 16 +++ - include/linux/mmzone.h | 6 ++ - include/linux/vm_event_item.h | 1 + - include/trace/events/compaction.h | 55 ++++++++++ - mm/compaction.c | 222 ++++++++++++++++++++++++++++++++++++++ - mm/memory_hotplug.c | 9 +- - mm/page_alloc.c | 3 + - mm/vmstat.c | 1 + + include/linux/compaction.h | 16 ++ + include/linux/mmzone.h | 6 + + include/linux/vm_event_item.h | 1 + include/trace/events/compaction.h | 55 +++++++++ + mm/compaction.c | 222 ++++++++++++++++++++++++++++++++++++++ + mm/memory_hotplug.c | 9 + + mm/page_alloc.c | 3 + mm/vmstat.c | 1 8 files changed, 311 insertions(+), 2 deletions(-) -diff --git a/include/linux/compaction.h b/include/linux/compaction.h -index 4cd4ddf64cc7..d7c8de583a23 100644 --- a/include/linux/compaction.h +++ b/include/linux/compaction.h -@@ -52,6 +52,10 @@ extern void compaction_defer_reset(struct zone *zone, int order, +@@ -52,6 +52,10 @@ extern void compaction_defer_reset(struc bool alloc_success); extern bool compaction_restarting(struct zone *zone, int order); @@ -121,7 +119,7 @@ index 4cd4ddf64cc7..d7c8de583a23 100644 #else static inline unsigned long try_to_compact_pages(gfp_t gfp_mask, unsigned int order, int alloc_flags, -@@ -84,6 +88,18 @@ static inline bool compaction_deferred(struct zone *zone, int order) +@@ -84,6 +88,18 @@ static inline bool compaction_deferred(s return true; } @@ -140,11 +138,9 @@ index 4cd4ddf64cc7..d7c8de583a23 100644 #endif /* CONFIG_COMPACTION */ #if defined(CONFIG_COMPACTION) && defined(CONFIG_SYSFS) && defined(CONFIG_NUMA) -diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h -index 5a2c3d3d824f..5b557150f83f 100644 --- a/include/linux/mmzone.h +++ b/include/linux/mmzone.h -@@ -674,6 +674,12 @@ typedef struct pglist_data { +@@ -669,6 +669,12 @@ typedef struct pglist_data { mem_hotplug_begin/end() */ int kswapd_max_order; enum zone_type classzone_idx; @@ -157,11 +153,9 @@ index 5a2c3d3d824f..5b557150f83f 100644 #ifdef CONFIG_NUMA_BALANCING /* Lock serializing the migrate rate limiting window */ spinlock_t numabalancing_migrate_lock; -diff --git a/include/linux/vm_event_item.h b/include/linux/vm_event_item.h -index e623d392db0c..823a629f9033 100644 --- a/include/linux/vm_event_item.h +++ b/include/linux/vm_event_item.h -@@ -52,6 +52,7 @@ enum vm_event_item { PGPGIN, PGPGOUT, PSWPIN, PSWPOUT, +@@ -53,6 +53,7 @@ enum vm_event_item { PGPGIN, PGPGOUT, PS COMPACTMIGRATE_SCANNED, COMPACTFREE_SCANNED, COMPACTISOLATED, COMPACTSTALL, COMPACTFAIL, COMPACTSUCCESS, @@ -169,11 +163,9 @@ index e623d392db0c..823a629f9033 100644 #endif #ifdef CONFIG_HUGETLB_PAGE HTLB_BUDDY_PGALLOC, HTLB_BUDDY_PGALLOC_FAIL, -diff --git a/include/trace/events/compaction.h b/include/trace/events/compaction.h -index c92d1e1cbad9..223450aeb49e 100644 --- a/include/trace/events/compaction.h +++ b/include/trace/events/compaction.h -@@ -350,6 +350,61 @@ DEFINE_EVENT(mm_compaction_defer_template, mm_compaction_defer_reset, +@@ -350,6 +350,61 @@ DEFINE_EVENT(mm_compaction_defer_templat ); #endif @@ -235,8 +227,6 @@ index c92d1e1cbad9..223450aeb49e 100644 #endif /* _TRACE_COMPACTION_H */ /* This part must be outside protection */ -diff --git a/mm/compaction.c b/mm/compaction.c -index 1ffc62a05d27..da34d4397f1f 100644 --- a/mm/compaction.c +++ b/mm/compaction.c @@ -7,6 +7,7 @@ @@ -256,7 +246,7 @@ index 1ffc62a05d27..da34d4397f1f 100644 #include "internal.h" #ifdef CONFIG_COMPACTION -@@ -1732,4 +1735,223 @@ void compaction_unregister_node(struct node *node) +@@ -1721,4 +1724,223 @@ void compaction_unregister_node(struct n } #endif /* CONFIG_SYSFS && CONFIG_NUMA */ @@ -480,19 +470,17 @@ index 1ffc62a05d27..da34d4397f1f 100644 +subsys_initcall(kcompactd_init) + #endif /* CONFIG_COMPACTION */ -diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c -index 6c3c05849484..afca0da46d6b 100644 --- a/mm/memory_hotplug.c +++ b/mm/memory_hotplug.c -@@ -32,6 +32,7 @@ +@@ -33,6 +33,7 @@ #include <linux/hugetlb.h> #include <linux/memblock.h> #include <linux/bootmem.h> +#include <linux/compaction.h> + #include <linux/rmap.h> #include <asm/tlbflush.h> - -@@ -1073,8 +1074,10 @@ int __ref online_pages(unsigned long pfn, unsigned long nr_pages, int online_typ +@@ -1101,8 +1102,10 @@ int __ref online_pages(unsigned long pfn init_per_zone_wmark_min(); @@ -504,7 +492,7 @@ index 6c3c05849484..afca0da46d6b 100644 vm_total_pages = nr_free_pagecache_pages(); -@@ -1838,8 +1841,10 @@ static int __ref __offline_pages(unsigned long start_pfn, +@@ -1895,8 +1898,10 @@ repeat: zone_pcp_update(zone); node_states_clear_node(node, &arg); @@ -516,11 +504,9 @@ index 6c3c05849484..afca0da46d6b 100644 vm_total_pages = nr_free_pagecache_pages(); writeback_set_ratelimit(); -diff --git a/mm/page_alloc.c b/mm/page_alloc.c -index 33974cda62de..2a1031669034 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c -@@ -5282,6 +5282,9 @@ static void __paginginit free_area_init_core(struct pglist_data *pgdat) +@@ -5737,6 +5737,9 @@ static void __paginginit free_area_init_ #endif init_waitqueue_head(&pgdat->kswapd_wait); init_waitqueue_head(&pgdat->pfmemalloc_wait); @@ -530,11 +516,9 @@ index 33974cda62de..2a1031669034 100644 pgdat_page_ext_init(pgdat); for (j = 0; j < MAX_NR_ZONES; j++) { -diff --git a/mm/vmstat.c b/mm/vmstat.c -index 88011eca5283..d267d426ce3b 100644 --- a/mm/vmstat.c +++ b/mm/vmstat.c -@@ -825,6 +825,7 @@ const char * const vmstat_text[] = { +@@ -801,6 +801,7 @@ const char * const vmstat_text[] = { "compact_stall", "compact_fail", "compact_success", diff --git a/patches.suse/msft-hv-1269-net-next-treewide-use-is_vlan_dev-helper-function.patch b/patches.suse/msft-hv-1269-net-next-treewide-use-is_vlan_dev-helper-function.patch index 0426975277..4516da66e6 100644 --- a/patches.suse/msft-hv-1269-net-next-treewide-use-is_vlan_dev-helper-function.patch +++ b/patches.suse/msft-hv-1269-net-next-treewide-use-is_vlan_dev-helper-function.patch @@ -35,7 +35,7 @@ Acked-by: David Chang <dchang@suse.com> --- a/drivers/infiniband/core/cma.c +++ b/drivers/infiniband/core/cma.c -@@ -2417,14 +2417,12 @@ static int iboe_tos_to_sl(struct net_dev +@@ -2480,14 +2480,12 @@ static int iboe_tos_to_sl(struct net_dev struct net_device *dev; prio = rt_tos2priority(tos); @@ -87,7 +87,7 @@ Acked-by: David Chang <dchang@suse.com> e->vlan = VLAN_NONE; --- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c -@@ -2223,7 +2223,7 @@ static void check_neigh_update(struct ne +@@ -1805,7 +1805,7 @@ static void check_neigh_update(struct ne const struct device *parent; const struct net_device *netdev = neigh->dev; @@ -96,7 +96,7 @@ Acked-by: David Chang <dchang@suse.com> netdev = vlan_dev_real_dev(netdev); parent = netdev->dev.parent; if (parent && parent->driver == &cxgb4_driver.driver) -@@ -2643,7 +2643,7 @@ static int cxgb4_inet6addr_handler(struc +@@ -2111,7 +2111,7 @@ static int cxgb4_inet6addr_handler(struc #if IS_ENABLED(CONFIG_BONDING) struct adapter *adap; #endif @@ -176,7 +176,7 @@ Acked-by: David Chang <dchang@suse.com> } --- a/drivers/net/hyperv/netvsc_drv.c +++ b/drivers/net/hyperv/netvsc_drv.c -@@ -1495,7 +1495,7 @@ static int netvsc_netdev_event(struct no +@@ -1604,7 +1604,7 @@ static int netvsc_netdev_event(struct no return NOTIFY_DONE; /* Avoid Vlan dev with same MAC registering as VF */ @@ -187,7 +187,7 @@ Acked-by: David Chang <dchang@suse.com> /* Avoid Bonding master dev with same MAC registering as VF */ --- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c +++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c -@@ -2290,7 +2290,7 @@ static int _bnx2fc_create(struct net_dev +@@ -2295,7 +2295,7 @@ static int _bnx2fc_create(struct net_dev } /* obtain physical netdev */ @@ -196,8 +196,8 @@ Acked-by: David Chang <dchang@suse.com> phys_dev = vlan_dev_real_dev(netdev); /* verify if the physical device is a netxtreme2 device */ -@@ -2328,7 +2328,7 @@ static int _bnx2fc_create(struct net_dev - goto ifput_err; +@@ -2333,7 +2333,7 @@ static int _bnx2fc_create(struct net_dev + goto netdev_err; } - if (netdev->priv_flags & IFF_802_1Q_VLAN) { @@ -205,7 +205,7 @@ Acked-by: David Chang <dchang@suse.com> vlan_id = vlan_dev_vlan_id(netdev); interface->vlan_enabled = 1; } -@@ -2546,7 +2546,7 @@ static bool bnx2fc_match(struct net_devi +@@ -2551,7 +2551,7 @@ static bool bnx2fc_match(struct net_devi struct net_device *phys_dev = netdev; mutex_lock(&bnx2fc_dev_lock); @@ -216,7 +216,7 @@ Acked-by: David Chang <dchang@suse.com> if (bnx2fc_hba_lookup(phys_dev)) { --- a/drivers/scsi/cxgbi/libcxgbi.c +++ b/drivers/scsi/cxgbi/libcxgbi.c -@@ -220,7 +220,7 @@ struct cxgbi_device *cxgbi_device_find_b +@@ -223,7 +223,7 @@ struct cxgbi_device *cxgbi_device_find_b struct cxgbi_device *cdev, *tmp; int i; @@ -225,7 +225,7 @@ Acked-by: David Chang <dchang@suse.com> vdev = ndev; ndev = vlan_dev_real_dev(ndev); log_debug(1 << CXGBI_DBG_DEV, -@@ -253,7 +253,7 @@ struct cxgbi_device *cxgbi_device_find_b +@@ -256,7 +256,7 @@ struct cxgbi_device *cxgbi_device_find_b struct cxgbi_device *cdev; int i; @@ -234,7 +234,7 @@ Acked-by: David Chang <dchang@suse.com> vdev = ndev; ndev = vlan_dev_real_dev(ndev); pr_info("vlan dev %s -> %s.\n", vdev->name, ndev->name); -@@ -287,7 +287,7 @@ static struct cxgbi_device *cxgbi_device +@@ -290,7 +290,7 @@ static struct cxgbi_device *cxgbi_device struct cxgbi_device *cdev, *tmp; int i; @@ -255,7 +255,7 @@ Acked-by: David Chang <dchang@suse.com> fcoe->realdev = real_dev; rcu_read_lock(); for_each_dev_addr(real_dev, ha) { -@@ -746,7 +745,7 @@ static int fcoe_netdev_config(struct fc_ +@@ -752,7 +751,7 @@ static int fcoe_netdev_config(struct fc_ ctlr = fcoe_to_ctlr(fcoe); /* Figure out the VLAN ID, if any */ @@ -264,7 +264,7 @@ Acked-by: David Chang <dchang@suse.com> lport->vlan = vlan_dev_vlan_id(netdev); else lport->vlan = 0; -@@ -975,13 +974,13 @@ static inline int fcoe_em_config(struct +@@ -981,13 +980,13 @@ static inline int fcoe_em_config(struct * Reuse existing offload em instance in case * it is already allocated on real eth device */ @@ -280,7 +280,7 @@ Acked-by: David Chang <dchang@suse.com> old_real_dev = vlan_dev_real_dev(oldfcoe->netdev); else old_real_dev = oldfcoe->netdev; -@@ -1579,7 +1578,7 @@ static int fcoe_xmit(struct fc_lport *lp +@@ -1585,7 +1584,7 @@ static int fcoe_xmit(struct fc_lport *lp skb->protocol = htons(ETH_P_FCOE); skb->priority = fcoe->priority; @@ -289,7 +289,7 @@ Acked-by: David Chang <dchang@suse.com> fcoe->realdev->features & NETIF_F_HW_VLAN_CTAG_TX) { /* must set skb->dev before calling vlan_put_tag */ skb->dev = fcoe->realdev; -@@ -1809,7 +1808,7 @@ fcoe_hostlist_lookup_realdev_port(struct +@@ -1815,7 +1814,7 @@ fcoe_hostlist_lookup_realdev_port(struct struct net_device *real_dev; list_for_each_entry(fcoe, &fcoe_hostlist, list) { @@ -300,7 +300,7 @@ Acked-by: David Chang <dchang@suse.com> real_dev = fcoe->netdev; --- a/include/rdma/ib_addr.h +++ b/include/rdma/ib_addr.h -@@ -160,8 +160,7 @@ static inline int rdma_addr_gid_offset(s +@@ -162,8 +162,7 @@ static inline int rdma_addr_gid_offset(s static inline u16 rdma_vlan_dev_vlan_id(const struct net_device *dev) { diff --git a/series.conf b/series.conf index 22738277dc..126d5d524f 100644 --- a/series.conf +++ b/series.conf @@ -4789,7 +4789,6 @@ patches.kernel.org/4.4.164-159-drm-dp_mst-Check-if-primary-mstb-is-null.patch patches.kernel.org/4.4.164-160-drm-i915-hdmi-Add-HDMI-2.0-audio-clock-recove.patch patches.kernel.org/4.4.164-161-Linux-4.4.164.patch - patches.kernel.org/4.4.165-001-flow_dissector-do-not-dissect-l4-ports-for-fr.patch patches.kernel.org/4.4.165-002-ip_tunnel-don-t-force-DF-when-MTU-is-locked.patch patches.kernel.org/4.4.165-003-net-gro-reset-skb-pkt_type-in-napi_reuse_skb.patch @@ -5126,6 +5125,132 @@ patches.kernel.org/4.4.168-087-rocker-fix-rocker_tlv_put_-functions-for-KASA.patch patches.kernel.org/4.4.168-088-selftests-Move-networking-timestamping-from-D.patch patches.kernel.org/4.4.168-089-Linux-4.4.168.patch + patches.kernel.org/4.4.169-001-lib-interval_tree_test.c-make-test-options-mo.patch + patches.kernel.org/4.4.169-002-lib-interval_tree_test.c-allow-full-tree-sear.patch + patches.kernel.org/4.4.169-003-lib-rbtree_test.c-make-input-module-parameter.patch + patches.kernel.org/4.4.169-004-lib-rbtree-test-lower-default-params.patch + patches.kernel.org/4.4.169-005-lib-interval_tree_test.c-allow-users-to-limit.patch + patches.kernel.org/4.4.169-006-timer-debug-Change-proc-timer_list-from-0444-.patch + patches.kernel.org/4.4.169-007-powerpc-boot-Fix-random-libfdt-related-build-.patch + patches.kernel.org/4.4.169-008-pinctrl-sunxi-a83t-Fix-IRQ-offset-typo-for-PH.patch + patches.kernel.org/4.4.169-009-aio-fix-spectre-gadget-in-lookup_ioctx.patch + patches.kernel.org/4.4.169-010-MMC-OMAP-fix-broken-MMC-on-OMAP15XX-OMAP5910-.patch + patches.kernel.org/4.4.169-011-tracing-Fix-memory-leak-in-set_trigger_filter.patch + patches.kernel.org/4.4.169-012-tracing-Fix-memory-leak-of-instance-function-.patch + patches.kernel.org/4.4.169-013-powerpc-msi-Fix-NULL-pointer-access-in-teardo.patch + patches.kernel.org/4.4.169-014-Revert-drm-rockchip-Allow-driver-to-be-shutdo.patch + patches.kernel.org/4.4.169-015-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_con.patch + patches.kernel.org/4.4.169-016-mac80211-don-t-WARN-on-bad-WMM-parameters-fro.patch + patches.kernel.org/4.4.169-017-mac80211-Fix-condition-validating-WMM-IE.patch + patches.kernel.org/4.4.169-018-mac80211_hwsim-fix-module-init-error-paths-fo.patch + patches.kernel.org/4.4.169-019-scsi-libiscsi-Fix-NULL-pointer-dereference-in.patch + patches.kernel.org/4.4.169-020-scsi-vmw_pscsi-Rearrange-code-to-avoid-multip.patch + patches.kernel.org/4.4.169-021-x86-earlyprintk-efi-Fix-infinite-loop-on-some.patch + patches.kernel.org/4.4.169-022-drm-msm-Grab-a-vblank-reference-when-waiting-.patch + patches.kernel.org/4.4.169-023-ARC-io.h-Implement-reads-x-writes-x.patch + patches.kernel.org/4.4.169-024-bonding-fix-802.3ad-state-sent-to-partner-whe.patch + patches.kernel.org/4.4.169-025-SUNRPC-Fix-a-potential-race-in-xprt_connect.patch + patches.kernel.org/4.4.169-026-sbus-char-add-of_node_put.patch + patches.kernel.org/4.4.169-027-drivers-sbus-char-add-of_node_put.patch + patches.kernel.org/4.4.169-028-drivers-tty-add-missing-of_node_put.patch + patches.kernel.org/4.4.169-029-ide-pmac-add-of_node_put.patch + patches.kernel.org/4.4.169-030-clk-mmp-Off-by-one-in-mmp_clk_add.patch + patches.kernel.org/4.4.169-031-Input-omap-keypad-fix-keyboard-debounce-confi.patch + patches.kernel.org/4.4.169-032-libata-whitelist-all-SAMSUNG-MZ7KM-solid-stat.patch + patches.kernel.org/4.4.169-033-mv88e6060-disable-hardware-level-MAC-learning.patch + patches.kernel.org/4.4.169-034-ARM-8814-1-mm-improve-fix-ARM-v7_dma_inv_rang.patch + patches.kernel.org/4.4.169-035-cifs-In-Kconfig-CONFIG_CIFS_POSIX-needs-depen.patch + patches.kernel.org/4.4.169-036-i2c-axxia-properly-handle-master-timeout.patch + patches.kernel.org/4.4.169-037-i2c-scmi-Fix-probe-error-on-devices-with-an-e.patch + patches.kernel.org/4.4.169-038-rtc-snvs-add-a-missing-write-sync.patch + patches.kernel.org/4.4.169-039-rtc-snvs-Add-timeouts-to-avoid-kernel-lockups.patch + patches.kernel.org/4.4.169-040-ALSA-isa-wavefront-prevent-some-out-of-bound-.patch + patches.kernel.org/4.4.169-041-Linux-4.4.169.patch + patches.kernel.org/4.4.170-001-USB-hso-Fix-OOB-memory-access-in-hso_probe-hs.patch + patches.kernel.org/4.4.170-002-xhci-Don-t-prevent-USB2-bus-suspend-in-state-.patch + patches.kernel.org/4.4.170-003-USB-serial-option-add-GosunCn-ZTE-WeLink-ME36.patch + patches.kernel.org/4.4.170-004-USB-serial-option-add-HP-lt4132.patch + patches.kernel.org/4.4.170-005-USB-serial-option-add-Simcom-SIM7500-SIM7600-.patch + patches.kernel.org/4.4.170-006-USB-serial-option-add-Fibocom-NL668-series.patch + patches.kernel.org/4.4.170-007-USB-serial-option-add-Telit-LN940-series.patch + patches.kernel.org/4.4.170-008-mmc-core-Reset-HPI-enabled-state-during-re-in.patch + patches.kernel.org/4.4.170-009-mmc-omap_hsmmc-fix-DMA-API-warning.patch + patches.kernel.org/4.4.170-010-gpio-max7301-fix-driver-for-use-with-CONFIG_V.patch + patches.kernel.org/4.4.170-011-Drivers-hv-vmbus-Return-EINVAL-for-the-sys-fi.patch + patches.kernel.org/4.4.170-012-x86-mtrr-Don-t-copy-uninitialized-gentry-fiel.patch + patches.kernel.org/4.4.170-013-drm-ioctl-Fix-Spectre-v1-vulnerabilities.patch + patches.kernel.org/4.4.170-014-ip6mr-Fix-potential-Spectre-v1-vulnerability.patch + patches.kernel.org/4.4.170-015-ipv4-Fix-potential-Spectre-v1-vulnerability.patch + patches.kernel.org/4.4.170-016-ax25-fix-a-use-after-free-in-ax25_fillin_cb.patch + patches.kernel.org/4.4.170-017-ibmveth-fix-DMA-unmap-error-in-ibmveth_xmit_s.patch + patches.kernel.org/4.4.170-018-ieee802154-lowpan_header_create-check-must-ch.patch + patches.kernel.org/4.4.170-019-ipv6-explicitly-initialize-udp6_addr-in-udp_s.patch + patches.kernel.org/4.4.170-020-isdn-fix-kernel-infoleak-in-capi_unlocked_ioc.patch + patches.kernel.org/4.4.170-021-netrom-fix-locking-in-nr_find_socket.patch + patches.kernel.org/4.4.170-022-packet-validate-address-length.patch + patches.kernel.org/4.4.170-023-packet-validate-address-length-if-non-zero.patch + patches.kernel.org/4.4.170-024-sctp-initialize-sin6_flowinfo-for-ipv6-addrs-.patch + patches.kernel.org/4.4.170-025-vhost-make-sure-used-idx-is-seen-before-log-i.patch + patches.kernel.org/4.4.170-026-VSOCK-Send-reset-control-packet-when-socket-i.patch + patches.kernel.org/4.4.170-027-xen-netfront-tolerate-frags-with-no-data.patch + patches.kernel.org/4.4.170-028-gro_cell-add-napi_disable-in-gro_cells_destro.patch + patches.kernel.org/4.4.170-029-sock-Make-sock-sk_stamp-thread-safe.patch + patches.kernel.org/4.4.170-030-ALSA-rme9652-Fix-potential-Spectre-v1-vulnera.patch + patches.kernel.org/4.4.170-031-ALSA-emu10k1-Fix-potential-Spectre-v1-vulnera.patch + patches.kernel.org/4.4.170-032-ALSA-pcm-Fix-potential-Spectre-v1-vulnerabili.patch + patches.kernel.org/4.4.170-033-ALSA-emux-Fix-potential-Spectre-v1-vulnerabil.patch + patches.kernel.org/4.4.170-034-ALSA-hda-add-mute-LED-support-for-HP-EliteBoo.patch + patches.kernel.org/4.4.170-035-ALSA-hda-tegra-clear-pending-irq-handlers.patch + patches.kernel.org/4.4.170-036-USB-serial-pl2303-add-ids-for-Hewlett-Packard.patch + patches.kernel.org/4.4.170-037-USB-serial-option-add-Fibocom-NL678-series.patch + patches.kernel.org/4.4.170-038-usb-r8a66597-Fix-a-possible-concurrency-use-a.patch + patches.kernel.org/4.4.170-039-Input-elan_i2c-add-ACPI-ID-for-touchpad-in-AS.patch + patches.kernel.org/4.4.170-040-KVM-x86-Use-jmp-to-invoke-kvm_spurious_fault-.patch + patches.kernel.org/4.4.170-041-perf-pmu-Suppress-potential-format-truncation.patch + patches.kernel.org/4.4.170-042-ext4-fix-possible-use-after-free-in-ext4_quot.patch + patches.kernel.org/4.4.170-043-ext4-missing-unlock-put_page-in-ext4_try_to_w.patch + patches.kernel.org/4.4.170-044-ext4-fix-EXT4_IOC_GROUP_ADD-ioctl.patch + patches.kernel.org/4.4.170-045-ext4-force-inode-writes-when-nfsd-calls-commi.patch + patches.kernel.org/4.4.170-046-spi-bcm2835-Fix-race-on-DMA-termination.patch + patches.kernel.org/4.4.170-047-spi-bcm2835-Fix-book-keeping-of-DMA-terminati.patch + patches.kernel.org/4.4.170-048-spi-bcm2835-Avoid-finishing-transfer-prematur.patch + patches.kernel.org/4.4.170-049-cdc-acm-fix-abnormal-DATA-RX-issue-for-Mediat.patch + patches.kernel.org/4.4.170-050-media-vivid-free-bitmap_cap-when-updating-std.patch + patches.kernel.org/4.4.170-051-MIPS-Ensure-pmd_present-returns-false-after-p.patch + patches.kernel.org/4.4.170-052-MIPS-Align-kernel-load-address-to-64KB.patch + patches.kernel.org/4.4.170-053-CIFS-Fix-error-mapping-for-SMB2_LOCK-command-.patch + patches.kernel.org/4.4.170-054-x86-kvm-vmx-do-not-use-vm-exit-instruction-le.patch + patches.kernel.org/4.4.170-055-spi-bcm2835-Unbreak-the-build-of-esoteric-con.patch + patches.kernel.org/4.4.170-056-powerpc-Fix-COFF-zImage-booting-on-old-powerm.patch + patches.kernel.org/4.4.170-057-ARM-imx-update-the-cpu-power-up-timing-settin.patch + patches.kernel.org/4.4.170-058-Input-restore-EV_ABS-ABS_RESERVED.patch + patches.kernel.org/4.4.170-059-checkstack.pl-fix-for-aarch64.patch + patches.kernel.org/4.4.170-060-xfrm-Fix-bucket-count-reported-to-userspace.patch + patches.kernel.org/4.4.170-061-scsi-bnx2fc-Fix-NULL-dereference-in-error-han.patch + patches.kernel.org/4.4.170-062-Input-omap-keypad-fix-idle-configuration-to-n.patch + patches.kernel.org/4.4.170-063-scsi-zfcp-fix-posting-too-many-status-read-bu.patch + patches.kernel.org/4.4.170-064-fork-record-start_time-late.patch + patches.kernel.org/4.4.170-065-hwpoison-memory_hotplug-allow-hwpoisoned-page.patch + patches.kernel.org/4.4.170-067-mm-devm_memremap_pages-kill-mapping-System-RA.patch + patches.kernel.org/4.4.170-068-sunrpc-fix-cache_head-leak-due-to-queued-requ.patch + patches.kernel.org/4.4.170-069-sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch + patches.kernel.org/4.4.170-070-crypto-x86-chacha20-avoid-sleeping-with-preem.patch + patches.kernel.org/4.4.170-071-ALSA-cs46xx-Potential-NULL-dereference-in-pro.patch + patches.kernel.org/4.4.170-072-ALSA-usb-audio-Avoid-access-before-bLength-ch.patch + patches.kernel.org/4.4.170-073-ALSA-usb-audio-Fix-an-out-of-bound-read-in-cr.patch + patches.kernel.org/4.4.170-074-dlm-fixed-memory-leaks-after-failed-ls_remove.patch + patches.kernel.org/4.4.170-075-dlm-possible-memory-leak-on-error-path-in-cre.patch + patches.kernel.org/4.4.170-076-dlm-lost-put_lkb-on-error-path-in-receive_con.patch + patches.kernel.org/4.4.170-077-dlm-memory-leaks-on-error-path-in-dlm_user_re.patch + patches.kernel.org/4.4.170-078-gfs2-Fix-loop-in-gfs2_rbm_find.patch + patches.kernel.org/4.4.170-079-b43-Fix-error-in-cordic-routine.patch + patches.kernel.org/4.4.170-080-9p-net-put-a-lower-bound-on-msize.patch + patches.kernel.org/4.4.170-081-iommu-vt-d-Handle-domain-agaw-being-less-than.patch + patches.kernel.org/4.4.170-082-ceph-don-t-update-importing-cap-s-mseq-when-h.patch + patches.kernel.org/4.4.170-083-genwqe-Fix-size-check.patch + patches.kernel.org/4.4.170-084-intel_th-msu-Fix-an-off-by-one-in-attribute-s.patch + patches.kernel.org/4.4.170-085-power-supply-olpc_battery-correct-the-tempera.patch + patches.kernel.org/4.4.170-086-Linux-4.4.170.patch ######################################################## # Build fixes that apply to the vanilla kernel too. @@ -21340,7 +21465,6 @@ patches.drivers/0022-ipmi_ssif-remove-redundant-null-check-on-array-clien.patch patches.drivers/0023-ipmi-Use-the-proper-default-value-for-register-size-.patch patches.drivers/0024-ipmi-ssif-Use-i2c_adapter_id-instead-of-adapter-nr.patch - patches.fixes/0001-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_control.patch patches.fixes/mm-make-PR_SET_THP_DISABLE-immediately-active.patch patches.suse/0001-mm-memory_hotplug-support-movable_node-for-hotplugab.patch patches.fixes/0001-mm-memory_hotplug-simplify-empty-node-mask-handling-.patch @@ -22857,7 +22981,6 @@ patches.drivers/ibmvnic-Remove-skb-protocol-checks-in-ibmvnic_xmit.patch patches.fixes/0001-seq_file-fix-incomplete-reset-on-read-from-zero-offs.patch patches.drivers/0004-KVM-arm-arm64-Handle-CPU_PM_ENTER_FAILED.patch - patches.fixes/x86-kvm-vmx-do-not-use-vm-exit-instruction-length-fo.patch patches.suse/msft-hv-1588-x86-hyperv-Check-for-required-priviliges-in-hyperv_i.patch patches.suse/msft-hv-1589-x86-hyperv-Add-a-function-to-read-both-TSC-and-TSC-p.patch patches.suse/msft-hv-1590-x86-hyperv-Reenlightenment-notifications-support.patch @@ -23047,7 +23170,6 @@ patches.drivers/ibmvnic-Potential-NULL-dereference-in-clean_one_tx_p.patch patches.drivers/net-ena-Eliminate-duplicate-barriers-on-weakly-order.patch patches.drivers/net-mlx5e-Remove-unused-define-MLX5_MPWRQ_STRIDES_PE.patch - patches.drivers/mac80211-don-t-WARN-on-bad-WMM-parameters-from-buggy patches.suse/msft-hv-1655-hv_netvsc-Clean-up-extra-parameter-from-rndis_filter.patch patches.drivers/ibmvnic-Disable-irqs-before-exiting-reset-from-close.patch patches.drivers/media-au0828-fix-VIDEO_V4L2-dependency @@ -23298,7 +23420,6 @@ patches.arch/powerpc-pseries-Fix-CONFIG_NUMA-n-build.patch patches.fixes/ceph-fix-rsize-wsize-capping-in-ceph_direct_read_write.patch patches.suse/msft-hv-1674-hv_netvsc-Fix-net-device-attach-on-older-Windows-hos.patch - patches.drivers/mac80211-Fix-condition-validating-WMM-IE patches.suse/msft-hv-1676-hv_netvsc-set-master-device.patch patches.drivers/net-mlx5-E-Switch-Include-VF-RDMA-stats-in-vport-sta.patch patches.drivers/net-mlx5e-Err-if-asked-to-offload-TC-match-on-frag-b.patch @@ -23887,17 +24008,14 @@ patches.fixes/0001-fscache-Fix-race-in-fscache_op_complete-due-to-split.patch patches.fixes/0001-xen-x86-add-diagnostic-printout-to-xen_mc_flush-in-c.patch patches.fixes/scsi-lpfc-fix-block-guard-enablement-on-sli3-adapters.patch - patches.fixes/SUNRPC-Fix-a-potential-race-in-xprt_connect.patch patches.fixes/nvme-validate-controller-state-before-rescheduling-k.patch patches.drivers/revert-pci-aspm-do-not-initialize-link-state-when-aspm_disabled-is-set patches.drivers/net-ibmvnic-Fix-RTNL-deadlock-during-device-reset.patch patches.fixes/ipv4-ipv6-netfilter-Adjust-the-frag-mem-limit-when-t.patch patches.drivers/net-mlx4_core-Correctly-set-PFC-param-if-global-paus.patch patches.drivers/IB-hfi1-Fix-an-out-of-bounds-access-in-get_hw_stats.patch - patches.fixes/0001-Revert-drm-rockchip-Allow-driver-to-be-shutdown-on-r.patch patches.arch/ibmvnic-Convert-reset-work-item-mutex-to-spin-lock.patch patches.arch/ibmvnic-Fix-non-atomic-memory-allocation-in-IRQ-cont.patch - patches.drivers/USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch patches.fixes/net-ipv4-do-not-handle-duplicate-fragments-as-overla.patch patches.fixes/0001-drm-rcar-du-Fix-vblank-initialization.patch patches.fixes/0001-drm-rcar-du-Fix-external-clock-error-checks.patch @@ -23905,9 +24023,7 @@ patches.fixes/scsi-target-add-emulate_pr-backstore-attr-to-toggle-.patch patches.fixes/scsi-target-drop-unused-pi_prot_format-attribute-sto.patch patches.drivers/revert-iommu-io-pgtable-arm-check-for-v7s-incapable-systems - patches.drivers/iommu-vt-d-handle-domain-agaw-being-less-than-iommu-agaw patches.drivers/iommu-amd-fix-amd_iommu-force_isolation - patches.fixes/ceph-don-t-update-importing-cap-s-mseq-when-handing-cap-export.patch patches.fixes/0001-fbdev-fbmem-behave-better-with-small-rotated-display.patch patches.fixes/0001-fbdev-fbcon-Fix-unregister-crash-when-more-than-one-.patch @@ -24186,12 +24302,13 @@ patches.fixes/0005-mm-memory_hotplug-be-more-verbose-for-memory-offline.patch patches.fixes/mm-put_and_wait_on_page_locked-while-page-is-migrated.patch - patches.fixes/0001-hwpoison-memory_hotplug-allow-hwpoisoned-pages-to-be.patch patches.kabi/0001-hwpoison-memory_hotplug-allow-hwpoisoned-pages-to-be-kabi.patch # bsc#1119204 patches.fixes/0001-fix-huge_pte_alloc-bug-on.patch + patches.fixes/vfs-Avoid-softlockups-in-drop_pagecache_sb.patch + ######################################################## # IPC patches ######################################################## @@ -24537,7 +24654,6 @@ patches.fixes/nfs-direct-write-fix.patch patches.kabi/0008-pnfs-set-NFS_IOHDR_REDO-in-pnfs_read_resend_pnfs.patch patches.kabi/0001-NFS-Ensure-we-commit-after-writeback-is-complete.kabi - patches.fixes/sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch patches.fixes/sunrpc-use-after-free-in-svc_process_common.patch patches.kabi/sunrpc-use-after-free-in-svc_process_common.patch |