author | Jiri Slaby <jslaby@suse.cz> | 2019-01-15 07:14:13 +0100 |
---|---|---|
committer | Jiri Slaby <jslaby@suse.cz> | 2019-01-15 10:06:02 +0100 |
commit | 5698b8ae04f37a54cc752447a6f73769a9991aac (patch) | |
tree | f423afdb373aba1e139099a2b6f16f4ee4abc7e3 | |
parent | d7fef27dc68ba8520f49d1ad41798d83e70143e2 (diff) |
- Linux 4.4.170 (bnc#1012382).
- xhci: Don't prevent USB2 bus suspend in state check intended
for USB3 only (bnc#1012382).
- USB: serial: option: add GosunCn ZTE WeLink ME3630
(bnc#1012382).
- USB: serial: option: add HP lt4132 (bnc#1012382).
- USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
(bnc#1012382).
- USB: serial: option: add Fibocom NL668 series (bnc#1012382).
- USB: serial: option: add Telit LN940 series (bnc#1012382).
- mmc: core: Reset HPI enabled state during re-init and in case
of errors (bnc#1012382).
- mmc: omap_hsmmc: fix DMA API warning (bnc#1012382).
- gpio: max7301: fix driver for use with CONFIG_VMAP_STACK
(bnc#1012382).
- Drivers: hv: vmbus: Return -EINVAL for the sys files for
unopened channels (bnc#1012382).
- x86/mtrr: Don't copy uninitialized gentry fields back to
userspace (bnc#1012382).
- drm/ioctl: Fix Spectre v1 vulnerabilities (bnc#1012382).
- ip6mr: Fix potential Spectre v1 vulnerability (bnc#1012382).
- ipv4: Fix potential Spectre v1 vulnerability (bnc#1012382).
- ax25: fix a use-after-free in ax25_fillin_cb() (bnc#1012382).
- ibmveth: fix DMA unmap error in ibmveth_xmit_start error path
(bnc#1012382).
- ieee802154: lowpan_header_create check must check daddr
(bnc#1012382).
- ipv6: explicitly initialize udp6_addr in udp_sock_create6()
(bnc#1012382).
- isdn: fix kernel-infoleak in capi_unlocked_ioctl (bnc#1012382).
- netrom: fix locking in nr_find_socket() (bnc#1012382).
- packet: validate address length (bnc#1012382).
- packet: validate address length if non-zero (bnc#1012382).
- sctp: initialize sin6_flowinfo for ipv6 addrs in
sctp_inet6addr_event (bnc#1012382).
- vhost: make sure used idx is seen before log in
vhost_add_used_n() (bnc#1012382).
- VSOCK: Send reset control packet when socket is partially bound
(bnc#1012382).
- xen/netfront: tolerate frags with no data (bnc#1012382).
- gro_cell: add napi_disable in gro_cells_destroy (bnc#1012382).
- sock: Make sock->sk_stamp thread-safe (bnc#1012382).
- ALSA: rme9652: Fix potential Spectre v1 vulnerability
(bnc#1012382).
- ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities
(bnc#1012382).
- ALSA: pcm: Fix potential Spectre v1 vulnerability (bnc#1012382).
- ALSA: emux: Fix potential Spectre v1 vulnerabilities
(bnc#1012382).
- ALSA: hda: add mute LED support for HP EliteBook 840 G4
(bnc#1012382).
- ALSA: hda/tegra: clear pending irq handlers (bnc#1012382).
- USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole
displays (bnc#1012382).
- USB: serial: option: add Fibocom NL678 series (bnc#1012382).
- usb: r8a66597: Fix a possible concurrency use-after-free bug
in r8a66597_endpoint_disable() (bnc#1012382).
- Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire
F5-573G (bnc#1012382).
- KVM: x86: Use jmp to invoke kvm_spurious_fault() from .fixup
(bnc#1012382).
- perf pmu: Suppress potential format-truncation warning
(bnc#1012382).
- ext4: fix possible use after free in ext4_quota_enable
(bnc#1012382).
- ext4: missing unlock/put_page() in
ext4_try_to_write_inline_data() (bnc#1012382).
- ext4: fix EXT4_IOC_GROUP_ADD ioctl (bnc#1012382).
- ext4: force inode writes when nfsd calls commit_metadata()
(bnc#1012382).
- spi: bcm2835: Fix race on DMA termination (bnc#1012382).
- spi: bcm2835: Fix book-keeping of DMA termination (bnc#1012382).
- spi: bcm2835: Avoid finishing transfer prematurely in IRQ mode
(bnc#1012382).
- cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader
(bnc#1012382).
- media: vivid: free bitmap_cap when updating std/timings/etc
(bnc#1012382).
- MIPS: Ensure pmd_present() returns false after
pmd_mknotpresent() (bnc#1012382).
- MIPS: Align kernel load address to 64KB (bnc#1012382).
- CIFS: Fix error mapping for SMB2_LOCK command which caused
OFD lock problem (bnc#1012382).
- spi: bcm2835: Unbreak the build of esoteric configs
(bnc#1012382).
- powerpc: Fix COFF zImage booting on old powermacs (bnc#1012382).
- ARM: imx: update the cpu power up timing setting on i.mx6sx
(bnc#1012382).
- Input: restore EV_ABS ABS_RESERVED (bnc#1012382).
- checkstack.pl: fix for aarch64 (bnc#1012382).
- xfrm: Fix bucket count reported to userspace (bnc#1012382).
- scsi: bnx2fc: Fix NULL dereference in error handling
(bnc#1012382).
- Input: omap-keypad - fix idle configuration to not block SoC
idle states (bnc#1012382).
- scsi: zfcp: fix posting too many status read buffers leading
to adapter shutdown (bnc#1012382).
- fork: record start_time late (bnc#1012382).
- mm, devm_memremap_pages: kill mapping "System RAM" support
(bnc#1012382).
- sunrpc: fix cache_head leak due to queued request (bnc#1012382).
- crypto: x86/chacha20 - avoid sleeping with preemption disabled
(bnc#1012382).
- ALSA: cs46xx: Potential NULL dereference in probe (bnc#1012382).
- ALSA: usb-audio: Avoid access before bLength check in
build_audio_procunit() (bnc#1012382).
- ALSA: usb-audio: Fix an out-of-bound read in
create_composite_quirks (bnc#1012382).
- dlm: fixed memory leaks after failed ls_remove_names allocation
(bnc#1012382).
- dlm: possible memory leak on error path in create_lkb()
(bnc#1012382).
- dlm: lost put_lkb on error path in receive_convert() and
receive_unlock() (bnc#1012382).
- dlm: memory leaks on error path in dlm_user_request()
(bnc#1012382).
- gfs2: Fix loop in gfs2_rbm_find (bnc#1012382).
- b43: Fix error in cordic routine (bnc#1012382).
- 9p/net: put a lower bound on msize (bnc#1012382).
- genwqe: Fix size check (bnc#1012382).
- intel_th: msu: Fix an off-by-one in attribute store
(bnc#1012382).
- power: supply: olpc_battery: correct the temperature units
(bnc#1012382).
- Refresh
patches.drivers/0019-x86-mm-introduce-vmem_altmap-to-augment-vmemmap_populate.patch.
- Refresh patches.drivers/genwqe-ensure-zero-initialization.patch.
- Refresh
patches.drivers/mm-dax-pmem-introduce-get_put-dev_pagemap-for-dax-gup.patch.
- Refresh
patches.drivers/net-next-treewide-use-is_vlan_dev-helper-function.patch.
- Refresh
patches.fixes/0003-memremap-add-scheduling-point-to-devm_memremap_pages.patch.
- Refresh
patches.suse/0046-perf-tools-omit-unnecessary-cast-in-perf_pmu__parse_scale.
- Refresh
patches.suse/0047-perf-pmu-factor-out-scale-conversion-code.
- Refresh patches.suse/mm-compaction-introduce-kcompactd.patch.
94 files changed, 5394 insertions, 256 deletions
diff --git a/patches.drivers/0019-x86-mm-introduce-vmem_altmap-to-augment-vmemmap_populate.patch b/patches.drivers/0019-x86-mm-introduce-vmem_altmap-to-augment-vmemmap_populate.patch index dadc54e379..47241e7cec 100644 --- a/patches.drivers/0019-x86-mm-introduce-vmem_altmap-to-augment-vmemmap_populate.patch +++ b/patches.drivers/0019-x86-mm-introduce-vmem_altmap-to-augment-vmemmap_populate.patch @@ -46,7 +46,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> #include <linux/nmi.h> #include <linux/gfp.h> #include <linux/kcore.h> -@@ -722,6 +723,12 @@ static void __meminit free_pagetable(str +@@ -724,6 +725,12 @@ static void __meminit free_pagetable(str { unsigned long magic; unsigned int nr_pages = 1 << order; @@ -59,7 +59,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> /* bootmem page has reserved flag */ if (PageReserved(page)) { -@@ -1026,13 +1033,19 @@ int __ref arch_remove_memory(u64 start, +@@ -1028,13 +1035,19 @@ int __ref arch_remove_memory(u64 start, { unsigned long start_pfn = start >> PAGE_SHIFT; unsigned long nr_pages = size >> PAGE_SHIFT; @@ -81,7 +81,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> return ret; } -@@ -1244,7 +1257,7 @@ static void __meminitdata *p_start, *p_e +@@ -1246,7 +1259,7 @@ static void __meminitdata *p_start, *p_e static int __meminitdata node_start; static int __meminit vmemmap_populate_hugepages(unsigned long start, @@ -90,7 +90,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> { unsigned long addr; unsigned long next; -@@ -1267,7 +1280,7 @@ static int __meminit vmemmap_populate_hu +@@ -1269,7 +1282,7 @@ static int __meminit vmemmap_populate_hu if (pmd_none(*pmd)) { void *p; @@ -99,7 +99,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> if (p) { pte_t entry; -@@ -1288,7 +1301,8 @@ static int __meminit vmemmap_populate_hu +@@ -1290,7 +1303,8 @@ static int __meminit vmemmap_populate_hu addr_end = addr + PMD_SIZE; p_end = p + PMD_SIZE; continue; 
@@ -109,7 +109,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> } else if (pmd_large(*pmd)) { vmemmap_verify((pte_t *)pmd, node, addr, next); continue; -@@ -1301,11 +1315,16 @@ static int __meminit vmemmap_populate_hu +@@ -1304,11 +1318,16 @@ static int __meminit vmemmap_populate_hu int __meminit vmemmap_populate(unsigned long start, unsigned long end, int node) { @@ -140,7 +140,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> pmem->pfn_flags |= PFN_MAP; } else pmem->virt_addr = (void __pmem *) devm_memremap(dev, -@@ -386,7 +387,8 @@ static int nvdimm_namespace_attach_pfn(s +@@ -387,7 +388,8 @@ static int nvdimm_namespace_attach_pfn(s /* establish pfn range for lookup, and switch to direct map */ pmem = dev_get_drvdata(dev); devm_memunmap(dev, (void __force *) pmem->virt_addr); @@ -229,7 +229,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> #endif /* _LINUX_MEMREMAP_H_ */ --- a/include/linux/mm.h +++ b/include/linux/mm.h -@@ -2250,7 +2250,14 @@ pud_t *vmemmap_pud_populate(pgd_t *pgd, +@@ -2236,7 +2236,14 @@ pud_t *vmemmap_pud_populate(pgd_t *pgd, pmd_t *vmemmap_pmd_populate(pud_t *pud, unsigned long addr, int node); pte_t *vmemmap_pte_populate(pmd_t *pmd, unsigned long addr, int node); void *vmemmap_alloc_block(unsigned long size, int node); @@ -297,9 +297,9 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> struct page_map *page_map; int error, nid; -@@ -224,14 +240,27 @@ void *devm_memremap_pages(struct device - if (is_ram == REGION_INTERSECTS) - return __va(res->start); +@@ -221,14 +237,27 @@ void *devm_memremap_pages(struct device + return ERR_PTR(-ENXIO); + } + if (altmap && !IS_ENABLED(CONFIG_SPARSEMEM_VMEMMAP)) { + dev_err(dev, "%s: altmap requires CONFIG_SPARSEMEM_VMEMMAP=y\n", 
@@ -326,7 +326,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> mutex_lock(&pgmap_lock); error = 0; for (key = res->start; key <= res->end; key += SECTION_SIZE) { -@@ -283,4 +312,43 @@ void *devm_memremap_pages(struct device +@@ -276,4 +305,43 @@ void *devm_memremap_pages(struct device return ERR_PTR(error); } EXPORT_SYMBOL(devm_memremap_pages); @@ -380,7 +380,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> #include <linux/memory_hotplug.h> #include <linux/highmem.h> #include <linux/vmalloc.h> -@@ -321,13 +322,27 @@ int __ref __add_pages(int nid, unsigned +@@ -506,6 +507,7 @@ int __ref __add_pages(int nid, struct zo unsigned long i; int err = 0; int start_sec, end_sec; @@ -388,7 +388,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> clear_zone_contiguous(zone); - /* during initialize mem_map, align hot-added range to section */ +@@ -513,6 +515,19 @@ int __ref __add_pages(int nid, struct zo start_sec = pfn_to_section_nr(phys_start_pfn); end_sec = pfn_to_section_nr(phys_start_pfn + nr_pages - 1); @@ -408,7 +408,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> for (i = start_sec; i <= end_sec; i++) { err = __add_section(nid, zone, section_nr_to_pfn(i)); -@@ -548,7 +563,8 @@ static void __remove_zone(struct zone *z +@@ -736,7 +751,8 @@ static void __remove_zone(struct zone *z pgdat_resize_unlock(zone->zone_pgdat, &flags); } @@ -418,7 +418,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> { unsigned long start_pfn; int scn_nr; -@@ -565,7 +581,7 @@ static int __remove_section(struct zone +@@ -753,7 +769,7 @@ static int __remove_section(struct zone start_pfn = section_nr_to_pfn(scn_nr); __remove_zone(zone, start_pfn); @@ -427,7 +427,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> return 0; } -@@ -584,9 +600,32 @@ int __remove_pages(struct zone *zone, un +@@ -772,9 +788,32 @@ int __remove_pages(struct zone *zone, un unsigned long nr_pages) { unsigned long i; 
@@ -463,7 +463,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> clear_zone_contiguous(zone); -@@ -596,23 +635,11 @@ int __remove_pages(struct zone *zone, un +@@ -784,23 +823,11 @@ int __remove_pages(struct zone *zone, un BUG_ON(phys_start_pfn & ~PAGE_SECTION_MASK); BUG_ON(nr_pages % PAGES_PER_SECTION); @@ -499,7 +499,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> #include <linux/stop_machine.h> #include <linux/sort.h> #include <linux/pfn.h> -@@ -4914,8 +4915,9 @@ void __ref build_all_zonelists(pg_data_t +@@ -4912,8 +4913,9 @@ static inline unsigned long wait_table_b void __meminit memmap_init_zone(unsigned long size, int nid, unsigned long zone, unsigned long start_pfn, enum memmap_context context) { @@ -510,7 +510,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> unsigned long pfn; struct zone *z; unsigned long nr_initialised = 0; -@@ -4926,6 +4928,13 @@ void __meminit memmap_init_zone(unsigned +@@ -4921,6 +4923,13 @@ void __meminit memmap_init_zone(unsigned if (highest_memmap_pfn < end_pfn - 1) highest_memmap_pfn = end_pfn - 1; @@ -534,7 +534,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> #include <linux/highmem.h> #include <linux/slab.h> #include <linux/spinlock.h> -@@ -74,7 +75,7 @@ void * __meminit vmemmap_alloc_block(uns +@@ -70,7 +71,7 @@ void * __meminit vmemmap_alloc_block(uns } /* need to make sure size is all the same during early stage */ @@ -543,7 +543,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> { void *ptr; -@@ -91,6 +92,77 @@ void * __meminit vmemmap_alloc_block_buf +@@ -87,6 +88,77 @@ void * __meminit vmemmap_alloc_block_buf return ptr; } @@ -621,7 +621,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> void __meminit vmemmap_verify(pte_t *pte, int node, unsigned long start, unsigned long end) { -@@ -107,7 +179,7 @@ pte_t * __meminit vmemmap_pte_populate(p +@@ -103,7 +175,7 @@ pte_t * __meminit vmemmap_pte_populate(p pte_t *pte = pte_offset_kernel(pmd, addr); if (pte_none(*pte)) { pte_t entry; 
@@ -632,7 +632,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> entry = pfn_pte(__pa(p) >> PAGE_SHIFT, PAGE_KERNEL); --- a/mm/sparse.c +++ b/mm/sparse.c -@@ -747,7 +747,7 @@ static void clear_hwpoisoned_pages(struc +@@ -748,7 +748,7 @@ static void clear_hwpoisoned_pages(struc if (!memmap) return; @@ -641,7 +641,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> if (PageHWPoison(&memmap[i])) { atomic_long_sub(1, &num_poisoned_pages); ClearPageHWPoison(&memmap[i]); -@@ -787,7 +787,8 @@ static void free_section_usemap(struct p +@@ -788,7 +788,8 @@ static void free_section_usemap(struct p free_map_bootmem(memmap); } @@ -651,7 +651,7 @@ Acked-by: Johannes Thumshirn <jthumshirn@suse.com> { struct page *memmap = NULL; unsigned long *usemap = NULL, flags; -@@ -803,7 +804,8 @@ void sparse_remove_one_section(struct zo +@@ -804,7 +805,8 @@ void sparse_remove_one_section(struct zo } pgdat_resize_unlock(pgdat, &flags); diff --git a/patches.drivers/genwqe-ensure-zero-initialization.patch b/patches.drivers/genwqe-ensure-zero-initialization.patch index 679bcbfbe5..350da36811 100644 --- a/patches.drivers/genwqe-ensure-zero-initialization.patch +++ b/patches.drivers/genwqe-ensure-zero-initialization.patch @@ -18,15 +18,13 @@ Signed-off-by: Frank Haverkamp <haver@linux.vnet.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Acked-by: Michal Suchanek <msuchanek@suse.de> --- - drivers/misc/genwqe/card_ddcb.c | 2 -- - drivers/misc/genwqe/card_utils.c | 4 ++-- + drivers/misc/genwqe/card_ddcb.c | 2 -- + drivers/misc/genwqe/card_utils.c | 4 ++-- 2 files changed, 2 insertions(+), 4 deletions(-) -diff --git a/drivers/misc/genwqe/card_ddcb.c b/drivers/misc/genwqe/card_ddcb.c -index 353ee0c..ddfeefe 100644 --- a/drivers/misc/genwqe/card_ddcb.c 
+++ b/drivers/misc/genwqe/card_ddcb.c -@@ -1048,8 +1048,6 @@ static int setup_ddcb_queue(struct genwqe_dev *cd, struct ddcb_queue *queue) +@@ -1048,8 +1048,6 @@ static int setup_ddcb_queue(struct genwq "[%s] **err: could not allocate DDCB **\n", __func__); return -ENOMEM; } @@ -35,12 +33,10 @@ index 353ee0c..ddfeefe 100644 queue->ddcb_req = kzalloc(sizeof(struct ddcb_requ *) * queue->ddcb_max, GFP_KERNEL); if (!queue->ddcb_req) { -diff --git a/drivers/misc/genwqe/card_utils.c b/drivers/misc/genwqe/card_utils.c -index 222367c..8a679ec 100644 --- a/drivers/misc/genwqe/card_utils.c +++ b/drivers/misc/genwqe/card_utils.c -@@ -220,8 +220,8 @@ void *__genwqe_alloc_consistent(struct genwqe_dev *cd, size_t size, - if (get_order(size) > MAX_ORDER) +@@ -220,8 +220,8 @@ void *__genwqe_alloc_consistent(struct g + if (get_order(size) >= MAX_ORDER) return NULL; - return dma_alloc_coherent(&cd->pci_dev->dev, size, dma_handle, @@ -50,6 +46,3 @@ index 222367c..8a679ec 100644 } void __genwqe_free_consistent(struct genwqe_dev *cd, size_t size, --- -2.10.2 - diff --git a/patches.drivers/mm-dax-pmem-introduce-get_put-dev_pagemap-for-dax-gup.patch b/patches.drivers/mm-dax-pmem-introduce-get_put-dev_pagemap-for-dax-gup.patch index 3be6e02df6..e3405e30f8 100644 --- a/patches.drivers/mm-dax-pmem-introduce-get_put-dev_pagemap-for-dax-gup.patch +++ b/patches.drivers/mm-dax-pmem-introduce-get_put-dev_pagemap-for-dax-gup.patch @@ -35,19 +35,17 @@ Signed-off-by: Andrew Morton <akpm@linux-foundation.org> 
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Acked-by: Jeff Mahoney <jeffm@suse.com> --- - drivers/nvdimm/pmem.c | 6 ++++-- - include/linux/list.h | 11 ++++++++++ - include/linux/memremap.h | 49 ++++++++++++++++++++++++++++++++++++++++++-- - include/linux/mm_types.h | 5 +++++ - kernel/memremap.c | 53 ++++++++++++++++++++++++++++++++++++++++++++---- - lib/list_debug.c | 9 ++++++++ + drivers/nvdimm/pmem.c | 6 +++-- + include/linux/list.h | 11 +++++++++ + include/linux/memremap.h | 49 +++++++++++++++++++++++++++++++++++++++++-- + include/linux/mm_types.h | 5 ++++ + kernel/memremap.c | 53 +++++++++++++++++++++++++++++++++++++++++++---- + lib/list_debug.c | 9 +++++++ 6 files changed, 125 insertions(+), 8 deletions(-) -diff --git a/drivers/nvdimm/pmem.c b/drivers/nvdimm/pmem.c -index 328173d..7edf316 100644 --- a/drivers/nvdimm/pmem.c +++ b/drivers/nvdimm/pmem.c -@@ -184,7 +184,7 @@ static struct pmem_device *pmem_alloc(struct device *dev, +@@ -184,7 +184,7 @@ static struct pmem_device *pmem_alloc(st pmem->pfn_flags = PFN_DEV; if (pmem_should_map_pages(dev)) { pmem->virt_addr = (void __pmem *) devm_memremap_pages(dev, res, @@ -56,7 +54,7 @@ index 328173d..7edf316 100644 pmem->pfn_flags |= PFN_MAP; } else pmem->virt_addr = (void __pmem *) devm_memremap(dev, -@@ -365,6 +365,7 @@ static int nvdimm_namespace_attach_pfn(struct nd_namespace_common *ndns) +@@ -365,6 +365,7 @@ static int nvdimm_namespace_attach_pfn(s struct vmem_altmap *altmap; struct nd_pfn_sb *pfn_sb; struct pmem_device *pmem; @@ -64,7 +62,7 @@ index 328173d..7edf316 100644 phys_addr_t offset; int rc; struct vmem_altmap __altmap = { -@@ -406,9 +407,10 @@ static int nvdimm_namespace_attach_pfn(struct nd_namespace_common *ndns) +@@ -406,9 +407,10 @@ static int nvdimm_namespace_attach_pfn(s /* establish pfn range for lookup, and switch to direct map */ pmem = dev_get_drvdata(dev); 
@@ -76,11 +74,9 @@ index 328173d..7edf316 100644 pmem->pfn_flags |= PFN_MAP; if (IS_ERR(pmem->virt_addr)) { rc = PTR_ERR(pmem->virt_addr); -diff --git a/include/linux/list.h b/include/linux/list.h -index 5356f4d..30cf420 100644 --- a/include/linux/list.h +++ b/include/linux/list.h -@@ -113,6 +113,17 @@ extern void __list_del_entry(struct list_head *entry); +@@ -113,6 +113,17 @@ extern void __list_del_entry(struct list extern void list_del(struct list_head *entry); #endif @@ -98,8 +94,6 @@ index 5356f4d..30cf420 100644 /** * list_replace - replace old entry by new one * @old : the element to be replaced -diff --git a/include/linux/memremap.h b/include/linux/memremap.h -index aa3e82a..bcaa634 100644 --- a/include/linux/memremap.h +++ b/include/linux/memremap.h @@ -1,6 +1,8 @@ @@ -111,7 +105,7 @@ index aa3e82a..bcaa634 100644 struct resource; struct device; -@@ -36,21 +38,25 @@ static inline struct vmem_altmap *to_vmem_altmap(unsigned long memmap_start) +@@ -36,21 +38,25 @@ static inline struct vmem_altmap *to_vme /** * struct dev_pagemap - metadata for ZONE_DEVICE mappings * @altmap: pre-allocated/reserved memory for vmemmap allocations @@ -139,7 +133,7 @@ index aa3e82a..bcaa634 100644 { /* * Fail attempts to call devm_memremap_pages() without -@@ -66,4 +72,43 @@ static inline struct dev_pagemap *find_dev_pagemap(resource_size_t phys) +@@ -66,4 +72,43 @@ static inline struct dev_pagemap *find_d return NULL; } #endif @@ -183,11 +177,9 @@ index aa3e82a..bcaa634 100644 + percpu_ref_put(pgmap->ref); +} #endif /* _LINUX_MEMREMAP_H_ */ -diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h -index 2dd9c31..d3ebb9d 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h -@@ -116,6 +116,11 @@ struct page { +@@ -124,6 +124,11 @@ struct page { * Can be used as a generic list * by the page owner. */ 
@@ -199,11 +191,9 @@ index 2dd9c31..d3ebb9d 100644 struct { /* slub per cpu partial pages */ struct page *next; /* Next partial slab */ #ifdef CONFIG_64BIT -diff --git a/kernel/memremap.c b/kernel/memremap.c -index 562f647..3eb8944 100644 --- a/kernel/memremap.c +++ b/kernel/memremap.c -@@ -179,6 +179,29 @@ static void pgmap_radix_release(struct resource *res) +@@ -181,6 +181,29 @@ static void pgmap_radix_release(struct r mutex_unlock(&pgmap_lock); } @@ -233,7 +223,7 @@ index 562f647..3eb8944 100644 static void devm_memremap_pages_release(struct device *dev, void *data) { struct page_map *page_map = data; -@@ -186,6 +209,11 @@ static void devm_memremap_pages_release(struct device *dev, void *data) +@@ -188,6 +211,11 @@ static void devm_memremap_pages_release( resource_size_t align_start, align_size; struct dev_pagemap *pgmap = &page_map->pgmap; @@ -245,7 +235,7 @@ index 562f647..3eb8944 100644 pgmap_radix_release(res); /* pages are dead and unused, undo the arch mapping */ -@@ -211,20 +239,26 @@ struct dev_pagemap *find_dev_pagemap(resource_size_t phys) +@@ -215,20 +243,26 @@ struct dev_pagemap *find_dev_pagemap(res * devm_memremap_pages - remap and provide memmap backing for the given resource * @dev: hosting device for @res * @res: "host memory" address range @@ -275,8 +265,8 @@ index 562f647..3eb8944 100644 + unsigned long pfn; int error, nid; - if (is_ram == REGION_MIXED) { -@@ -242,6 +276,9 @@ void *devm_memremap_pages(struct device *dev, struct resource *res, + if (is_ram != REGION_DISJOINT) { +@@ -243,6 +277,9 @@ void *devm_memremap_pages(struct device return ERR_PTR(-ENXIO); } 
@@ -286,7 +276,7 @@ index 562f647..3eb8944 100644 page_map = devres_alloc_node(devm_memremap_pages_release, sizeof(*page_map), GFP_KERNEL, dev_to_node(dev)); if (!page_map) -@@ -255,6 +292,7 @@ void *devm_memremap_pages(struct device *dev, struct resource *res, +@@ -256,6 +293,7 @@ void *devm_memremap_pages(struct device memcpy(&page_map->altmap, altmap, sizeof(*altmap)); pgmap->altmap = &page_map->altmap; } @@ -294,7 +284,7 @@ index 562f647..3eb8944 100644 pgmap->res = &page_map->res; mutex_lock(&pgmap_lock); -@@ -292,6 +330,13 @@ void *devm_memremap_pages(struct device *dev, struct resource *res, +@@ -295,6 +333,13 @@ void *devm_memremap_pages(struct device if (error) goto err_add_memory; @@ -308,8 +298,6 @@ index 562f647..3eb8944 100644 devres_add(dev, page_map); return __va(res->start); -diff --git a/lib/list_debug.c b/lib/list_debug.c -index 3859bf6..3345a08 100644 --- a/lib/list_debug.c +++ b/lib/list_debug.c @@ -12,6 +12,13 @@ @@ -335,5 +323,3 @@ index 3859bf6..3345a08 100644 WARN(next->prev != prev, "list_add corruption. next->prev should be " "prev (%p), but was %p. (next=%p).\n", - - diff --git a/patches.drivers/net-next-treewide-use-is_vlan_dev-helper-function.patch b/patches.drivers/net-next-treewide-use-is_vlan_dev-helper-function.patch index 0426975277..4516da66e6 100644 --- a/patches.drivers/net-next-treewide-use-is_vlan_dev-helper-function.patch +++ b/patches.drivers/net-next-treewide-use-is_vlan_dev-helper-function.patch @@ -35,7 +35,7 @@ Acked-by: David Chang <dchang@suse.com> --- a/drivers/infiniband/core/cma.c +++ b/drivers/infiniband/core/cma.c -@@ -2417,14 +2417,12 @@ static int iboe_tos_to_sl(struct net_dev +@@ -2480,14 +2480,12 @@ static int iboe_tos_to_sl(struct net_dev struct net_device *dev; prio = rt_tos2priority(tos); @@ -87,7 +87,7 @@ Acked-by: David Chang <dchang@suse.com> e->vlan = VLAN_NONE; --- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c 
+++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c -@@ -2223,7 +2223,7 @@ static void check_neigh_update(struct ne +@@ -1805,7 +1805,7 @@ static void check_neigh_update(struct ne const struct device *parent; const struct net_device *netdev = neigh->dev; @@ -96,7 +96,7 @@ Acked-by: David Chang <dchang@suse.com> netdev = vlan_dev_real_dev(netdev); parent = netdev->dev.parent; if (parent && parent->driver == &cxgb4_driver.driver) -@@ -2643,7 +2643,7 @@ static int cxgb4_inet6addr_handler(struc +@@ -2111,7 +2111,7 @@ static int cxgb4_inet6addr_handler(struc #if IS_ENABLED(CONFIG_BONDING) struct adapter *adap; #endif @@ -176,7 +176,7 @@ Acked-by: David Chang <dchang@suse.com> } --- a/drivers/net/hyperv/netvsc_drv.c +++ b/drivers/net/hyperv/netvsc_drv.c -@@ -1495,7 +1495,7 @@ static int netvsc_netdev_event(struct no +@@ -1604,7 +1604,7 @@ static int netvsc_netdev_event(struct no return NOTIFY_DONE; /* Avoid Vlan dev with same MAC registering as VF */ @@ -187,7 +187,7 @@ Acked-by: David Chang <dchang@suse.com> /* Avoid Bonding master dev with same MAC registering as VF */ --- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c +++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c -@@ -2290,7 +2290,7 @@ static int _bnx2fc_create(struct net_dev +@@ -2295,7 +2295,7 @@ static int _bnx2fc_create(struct net_dev } /* obtain physical netdev */ @@ -196,8 +196,8 @@ Acked-by: David Chang <dchang@suse.com> phys_dev = vlan_dev_real_dev(netdev); /* verify if the physical device is a netxtreme2 device */ -@@ -2328,7 +2328,7 @@ static int _bnx2fc_create(struct net_dev - goto ifput_err; +@@ -2333,7 +2333,7 @@ static int _bnx2fc_create(struct net_dev + goto netdev_err; } - if (netdev->priv_flags & IFF_802_1Q_VLAN) { 
@@ -205,7 +205,7 @@ Acked-by: David Chang <dchang@suse.com> vlan_id = vlan_dev_vlan_id(netdev); interface->vlan_enabled = 1; } -@@ -2546,7 +2546,7 @@ static bool bnx2fc_match(struct net_devi +@@ -2551,7 +2551,7 @@ static bool bnx2fc_match(struct net_devi struct net_device *phys_dev = netdev; mutex_lock(&bnx2fc_dev_lock); @@ -216,7 +216,7 @@ Acked-by: David Chang <dchang@suse.com> if (bnx2fc_hba_lookup(phys_dev)) { --- a/drivers/scsi/cxgbi/libcxgbi.c +++ b/drivers/scsi/cxgbi/libcxgbi.c -@@ -220,7 +220,7 @@ struct cxgbi_device *cxgbi_device_find_b +@@ -223,7 +223,7 @@ struct cxgbi_device *cxgbi_device_find_b struct cxgbi_device *cdev, *tmp; int i; @@ -225,7 +225,7 @@ Acked-by: David Chang <dchang@suse.com> vdev = ndev; ndev = vlan_dev_real_dev(ndev); log_debug(1 << CXGBI_DBG_DEV, -@@ -253,7 +253,7 @@ struct cxgbi_device *cxgbi_device_find_b +@@ -256,7 +256,7 @@ struct cxgbi_device *cxgbi_device_find_b struct cxgbi_device *cdev; int i; @@ -234,7 +234,7 @@ Acked-by: David Chang <dchang@suse.com> vdev = ndev; ndev = vlan_dev_real_dev(ndev); pr_info("vlan dev %s -> %s.\n", vdev->name, ndev->name); -@@ -287,7 +287,7 @@ static struct cxgbi_device *cxgbi_device +@@ -290,7 +290,7 @@ static struct cxgbi_device *cxgbi_device struct cxgbi_device *cdev, *tmp; int i; @@ -255,7 +255,7 @@ Acked-by: David Chang <dchang@suse.com> fcoe->realdev = real_dev; rcu_read_lock(); for_each_dev_addr(real_dev, ha) { -@@ -746,7 +745,7 @@ static int fcoe_netdev_config(struct fc_ +@@ -752,7 +751,7 @@ static int fcoe_netdev_config(struct fc_ ctlr = fcoe_to_ctlr(fcoe); /* Figure out the VLAN ID, if any */ @@ -264,7 +264,7 @@ Acked-by: David Chang <dchang@suse.com> lport->vlan = vlan_dev_vlan_id(netdev); else lport->vlan = 0; -@@ -975,13 +974,13 @@ static inline int fcoe_em_config(struct +@@ -981,13 +980,13 @@ static inline int fcoe_em_config(struct * Reuse existing offload em instance in case * it is already allocated on real eth device */ 
@@ -280,7 +280,7 @@ Acked-by: David Chang <dchang@suse.com> old_real_dev = vlan_dev_real_dev(oldfcoe->netdev); else old_real_dev = oldfcoe->netdev; -@@ -1579,7 +1578,7 @@ static int fcoe_xmit(struct fc_lport *lp +@@ -1585,7 +1584,7 @@ static int fcoe_xmit(struct fc_lport *lp skb->protocol = htons(ETH_P_FCOE); skb->priority = fcoe->priority; @@ -289,7 +289,7 @@ Acked-by: David Chang <dchang@suse.com> fcoe->realdev->features & NETIF_F_HW_VLAN_CTAG_TX) { /* must set skb->dev before calling vlan_put_tag */ skb->dev = fcoe->realdev; -@@ -1809,7 +1808,7 @@ fcoe_hostlist_lookup_realdev_port(struct +@@ -1815,7 +1814,7 @@ fcoe_hostlist_lookup_realdev_port(struct struct net_device *real_dev; list_for_each_entry(fcoe, &fcoe_hostlist, list) { @@ -300,7 +300,7 @@ Acked-by: David Chang <dchang@suse.com> real_dev = fcoe->netdev; --- a/include/rdma/ib_addr.h +++ b/include/rdma/ib_addr.h -@@ -160,8 +160,7 @@ static inline int rdma_addr_gid_offset(s +@@ -162,8 +162,7 @@ static inline int rdma_addr_gid_offset(s static inline u16 rdma_vlan_dev_vlan_id(const struct net_device *dev) { diff --git a/patches.fixes/0003-memremap-add-scheduling-point-to-devm_memremap_pages.patch b/patches.fixes/0003-memremap-add-scheduling-point-to-devm_memremap_pages.patch index 02b15ab04a..2dec33b881 100644 --- a/patches.fixes/0003-memremap-add-scheduling-point-to-devm_memremap_pages.patch +++ b/patches.fixes/0003-memremap-add-scheduling-point-to-devm_memremap_pages.patch @@ -45,16 +45,16 @@ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> --- a/kernel/memremap.c 
+++ b/kernel/memremap.c -@@ -275,7 +275,7 @@ void *devm_memremap_pages(struct device +@@ -290,7 +290,7 @@ void *devm_memremap_pages(struct device struct dev_pagemap *pgmap; struct page_map *page_map; unsigned long pfn; - int error, nid; + int error, nid, i = 0; - if (is_ram == REGION_MIXED) { - WARN_ONCE(1, "%s attempted on mixed region %pr\n", -@@ -358,6 +358,8 @@ void *devm_memremap_pages(struct device + if (is_ram != REGION_DISJOINT) { + WARN_ONCE(1, "%s attempted on %s region %pr\n", __func__, +@@ -376,6 +376,8 @@ void *devm_memremap_pages(struct device /* ZONE_DEVICE pages must never appear on a slab lru */ list_force_poison(&page->lru); page->pgmap = pgmap; diff --git a/patches.drivers/USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch b/patches.kernel.org/4.4.170-001-USB-hso-Fix-OOB-memory-access-in-hso_probe-hs.patch index b37f019f89..df3a869902 100644 --- a/patches.drivers/USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch +++ b/patches.kernel.org/4.4.170-001-USB-hso-Fix-OOB-memory-access-in-hso_probe-hs.patch @@ -1,10 +1,12 @@ -From 5146f95df782b0ac61abde36567e718692725c89 Mon Sep 17 00:00:00 2001 From: Hui Peng <benquike@gmail.com> Date: Wed, 12 Dec 2018 12:42:24 +0100 -Subject: [PATCH] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data +Subject: [PATCH] USB: hso: Fix OOB memory access in + hso_probe/hso_get_config_data +Patch-mainline: 4.4.170 +References: CVE-2018-19985 bnc#1012382 bsc#1120743 Git-commit: 5146f95df782b0ac61abde36567e718692725c89 -Patch-mainline: v4.20 -References: CVE-2018-19985,bsc#1120743 + +commit 5146f95df782b0ac61abde36567e718692725c89 upstream. The function hso_probe reads if_num from the USB device (as an u8) and uses it without a length check to index an array, resulting in an OOB memory read @@ -22,17 +24,17 @@ Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net> Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Signed-off-by: David S. Miller <davem@davemloft.net> -Acked-by: Takashi Iwai <tiwai@suse.de> - +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- drivers/net/usb/hso.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c -index 184c24baca15..d6916f787fce 100644 +index 111d907e0c11..79cede19e0c4 100644 --- a/drivers/net/usb/hso.c +++ b/drivers/net/usb/hso.c -@@ -2807,6 +2807,12 @@ static int hso_get_config_data(struct usb_interface *interface) +@@ -2825,6 +2825,12 @@ static int hso_get_config_data(struct usb_interface *interface) return -EIO; } @@ -45,7 +47,7 @@ index 184c24baca15..d6916f787fce 100644 switch (config_data[if_num]) { case 0x0: result = 0; -@@ -2877,10 +2883,18 @@ static int hso_probe(struct usb_interface *interface, +@@ -2895,10 +2901,18 @@ static int hso_probe(struct usb_interface *interface, /* Get the interface/port specification from either driver_info or from * the device itself */ diff --git a/patches.kernel.org/4.4.170-002-xhci-Don-t-prevent-USB2-bus-suspend-in-state-.patch b/patches.kernel.org/4.4.170-002-xhci-Don-t-prevent-USB2-bus-suspend-in-state-.patch new file mode 100644 index 0000000000..79bc545794 --- /dev/null +++ b/patches.kernel.org/4.4.170-002-xhci-Don-t-prevent-USB2-bus-suspend-in-state-.patch 
@@ -0,0 +1,45 @@ +From: Mathias Nyman <mathias.nyman@linux.intel.com> +Date: Fri, 14 Dec 2018 10:54:43 +0200 +Subject: [PATCH] xhci: Don't prevent USB2 bus suspend in state check intended + for USB3 only +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 45f750c16cae3625014c14c77bd9005eda975d35 + +commit 45f750c16cae3625014c14c77bd9005eda975d35 upstream. + +The code to prevent a bus suspend if a USB3 port was still in link training +also reacted to USB2 port polling state. +This caused bus suspend to busyloop in some cases. +USB2 polling state is different from USB3, and should not prevent bus +suspend. + +Limit the USB3 link training state check to USB3 root hub ports only. +The origial commit went to stable so this need to be applied there as well + +Fixes: 2f31a67f01a8 ("usb: xhci: Prevent bus suspend if a port connect change or polling state is detected") +Cc: stable@vger.kernel.org +Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/host/xhci-hub.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c +index 5d21cd8359d4..421825b44202 100644 +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -1329,7 +1329,8 @@ int xhci_bus_suspend(struct usb_hcd *hcd) + portsc_buf[port_index] = 0; + + /* Bail out if a USB3 port has a new device in link training */ +- if ((t1 & PORT_PLS_MASK) == XDEV_POLLING) { ++ if ((hcd->speed >= HCD_USB3) && ++ (t1 & PORT_PLS_MASK) == XDEV_POLLING) { + bus_state->bus_suspended = 0; + spin_unlock_irqrestore(&xhci->lock, flags); + xhci_dbg(xhci, "Bus suspend bailout, port in polling\n"); +-- +2.20.1 + 
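Review bot: In the xhci_bus_suspend() hunk of drivers/usb/host/xhci-hub.c, the xhci_dbg() text on the bailout path still reads "Bus suspend bailout, port in polling" even though the path is now taken only when `hcd->speed >= HCD_USB3`. Saying "USB3 port in polling" would match the comment above the test and make the log unambiguous when both root hubs suspend. The parentheses around `hcd->speed >= HCD_USB3` are redundant, and since the speed test does not depend on the port being examined, a local bool set once before the per-port code would read more clearly than repeating it beside the `PORT_PLS_MASK` comparison.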
diff --git a/patches.kernel.org/4.4.170-003-USB-serial-option-add-GosunCn-ZTE-WeLink-ME36.patch b/patches.kernel.org/4.4.170-003-USB-serial-option-add-GosunCn-ZTE-WeLink-ME36.patch new file mode 100644 index 0000000000..8e475f64b2 --- /dev/null +++ b/patches.kernel.org/4.4.170-003-USB-serial-option-add-GosunCn-ZTE-WeLink-ME36.patch 
@@ -0,0 +1,75 @@ +From: =?UTF-8?q?J=C3=B6rgen=20Storvist?= <jorgen.storvist@gmail.com> +Date: Tue, 11 Dec 2018 18:28:28 +0100 +Subject: [PATCH] USB: serial: option: add GosunCn ZTE WeLink ME3630 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 70a7444c550a75584ffcfae95267058817eff6a7 + +commit 70a7444c550a75584ffcfae95267058817eff6a7 upstream. + +Added USB serial option driver support for GosunCn ZTE WeLink ME3630 +series cellular modules for USB modes ECM/NCM and MBIM. + +usb-devices output MBIM mode: +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 10 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=19d2 ProdID=0602 Rev=03.18 +S: Manufacturer=Android +S: Product=Android +S: SerialNumber= +C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 3 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +I: If#= 4 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim + +usb-devices output ECM/NCM mode: +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 11 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=19d2 ProdID=1476 Rev=03.18 +S: Manufacturer=Android +S: Product=Android +S: SerialNumber= +C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) 
Sub=00 Prot=00 Driver=option +I: If#= 3 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether +I: If#= 4 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether + +Signed-off-by: Jörgen Storvist <jorgen.storvist@gmail.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 2b81939fecd7..b2aa7c70560f 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1327,6 +1327,7 @@ static const struct usb_device_id option_ids[] = { + .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0414, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0417, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x0602, 0xff) }, /* GosunCn ZTE WeLink ME3630 (MBIM mode) */ + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1008, 0xff, 0xff, 0xff), + .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1010, 0xff, 0xff, 0xff), +@@ -1530,6 +1531,7 @@ static const struct usb_device_id option_ids[] = { + .driver_info = RSVD(2) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1428, 0xff, 0xff, 0xff), /* Telewell TW-LTE 4G v2 */ + .driver_info = RSVD(2) }, ++ { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x1476, 0xff) }, /* GosunCn ZTE WeLink ME3630 (ECM/NCM mode) */ + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1533, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1534, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1535, 0xff, 0xff, 0xff) }, +-- +2.20.1 + 
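Review bot: Both added option_ids[] entries in drivers/usb/serial/option.c match on interface class 0xff alone, so option binds to every vendor-class interface of 19d2:0602 and 19d2:1476. The usb-devices listings show three such interfaces per mode (If# 0 to 2), but neither the commit message nor the entry comments say what each one carries. Naming the function of each port would let a reader confirm that none of them needs an RSVD() exclusion of the kind the neighbouring ZTE entries use.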
diff --git a/patches.kernel.org/4.4.170-004-USB-serial-option-add-HP-lt4132.patch b/patches.kernel.org/4.4.170-004-USB-serial-option-add-HP-lt4132.patch new file mode 100644 index 0000000000..8161be467a --- /dev/null +++ b/patches.kernel.org/4.4.170-004-USB-serial-option-add-HP-lt4132.patch 
@@ -0,0 +1,88 @@ +From: Tore Anderson <tore@fud.no> +Date: Sat, 8 Dec 2018 19:05:12 +0100 +Subject: [PATCH] USB: serial: option: add HP lt4132 +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: d57ec3c83b5153217a70b561d4fb6ed96f2f7a25 + +commit d57ec3c83b5153217a70b561d4fb6ed96f2f7a25 upstream. + +The HP lt4132 is a rebranded Huawei ME906s-158 LTE modem. + +The interface with protocol 0x16 is "CDC ECM & NCM" according to the *.inf +files included with the Windows driver. Attaching the option driver to it +doesn't result in a /dev/ttyUSB* device being created, so I've excluded it. +Note that it is also excluded for corresponding Huawei-branded devices, cf. +commit d544db293a44 ("USB: support new huawei devices in option.c"). + +T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 3 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=ff MxPS=64 #Cfgs= 3 +P: Vendor=03f0 ProdID=a31d Rev=01.02 +S: Manufacturer=HP Inc. +S: Product=HP lt4132 LTE/HSPA+ 4G Module +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=2mA +I: If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=06 Prot=10 Driver=option +I: If#=0x1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=13 Driver=option +I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=12 Driver=option +I: If#=0x3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=06 Prot=16 Driver=(none) +I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=14 Driver=option +I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=1b Driver=option + +T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 3 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=ff MxPS=64 #Cfgs= 3 +P: Vendor=03f0 ProdID=a31d Rev=01.02 +S: Manufacturer=HP Inc. +S: Product=HP lt4132 LTE/HSPA+ 4G Module +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 7 Cfg#= 2 Atr=a0 MxPwr=2mA +I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether +I: If#=0x1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=06 Prot=00 Driver=cdc_ether +I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) 
Sub=06 Prot=10 Driver=option +I: If#=0x3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=13 Driver=option +I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=12 Driver=option +I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=14 Driver=option +I: If#=0x6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=1b Driver=option + +T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 3 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=ff MxPS=64 #Cfgs= 3 +P: Vendor=03f0 ProdID=a31d Rev=01.02 +S: Manufacturer=HP Inc. +S: Product=HP lt4132 LTE/HSPA+ 4G Module +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 3 Cfg#= 3 Atr=a0 MxPwr=2mA +I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=14 Driver=option + +Signed-off-by: Tore Anderson <tore@fud.no> +Cc: stable@vger.kernel.org +[ johan: drop id defines ] +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/serial/option.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index b2aa7c70560f..4cd445efe249 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1943,7 +1943,12 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_6802, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD300, 0xff, 0xff, 0xff) }, +- { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x421d, 0xff, 0xff, 0xff) }, /* HP lt2523 (Novatel E371) */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x421d, 0xff, 0xff, 0xff) }, /* HP lt2523 (Novatel E371) */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 
0xa31d, 0xff, 0x06, 0x10) }, /* HP lt4132 (Huawei ME906s-158) */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x12) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x13) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x14) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) }, + { } /* Terminating entry */ + }; + MODULE_DEVICE_TABLE(usb, option_ids); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-005-USB-serial-option-add-Simcom-SIM7500-SIM7600-.patch b/patches.kernel.org/4.4.170-005-USB-serial-option-add-Simcom-SIM7500-SIM7600-.patch new file mode 100644 index 0000000000..99eea54c91 --- /dev/null +++ b/patches.kernel.org/4.4.170-005-USB-serial-option-add-Simcom-SIM7500-SIM7600-.patch 
@@ -0,0 +1,54 @@ +From: =?UTF-8?q?J=C3=B6rgen=20Storvist?= <jorgen.storvist@gmail.com> +Date: Wed, 12 Dec 2018 08:39:39 +0100 +Subject: [PATCH] USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: cc6730df08a291e51e145bc65e24ffb5e2f17ab6 + +commit cc6730df08a291e51e145bc65e24ffb5e2f17ab6 upstream. + +Added USB serial option driver support for Simcom SIM7500/SIM7600 series +cellular modules exposing MBIM interface (VID 0x1e0e,PID 0x9003) + +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 14 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1e0e ProdID=9003 Rev=03.18 +S: Manufacturer=SimTech, Incorporated +S: Product=SimTech, Incorporated +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) 
Sub=00 Prot=00 Driver=option +I: If#= 5 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +I: If#= 6 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim + +Signed-off-by: Jörgen Storvist <jorgen.storvist@gmail.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/serial/option.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 4cd445efe249..f7c13e5f7cae 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1759,6 +1759,7 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(ALINK_VENDOR_ID, ALINK_PRODUCT_3GU, 0xff, 0xff, 0xff) }, + { USB_DEVICE(ALINK_VENDOR_ID, SIMCOM_PRODUCT_SIM7100E), + .driver_info = RSVD(5) | RSVD(6) }, ++ { USB_DEVICE_INTERFACE_CLASS(0x1e0e, 0x9003, 0xff) }, /* Simcom SIM7500/SIM7600 MBIM mode */ + { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S_X200), + .driver_info = NCTRL(0) | NCTRL(1) | RSVD(4) }, + { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X220_X500D), +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-006-USB-serial-option-add-Fibocom-NL668-series.patch b/patches.kernel.org/4.4.170-006-USB-serial-option-add-Fibocom-NL668-series.patch new file mode 100644 index 0000000000..6a4307d1e5 --- /dev/null +++ b/patches.kernel.org/4.4.170-006-USB-serial-option-add-Fibocom-NL668-series.patch 
@@ -0,0 +1,71 @@ +From: =?UTF-8?q?J=C3=B6rgen=20Storvist?= <jorgen.storvist@gmail.com> +Date: Wed, 12 Dec 2018 21:47:36 +0100 +Subject: [PATCH] USB: serial: option: add Fibocom NL668 series +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 30360224441ce89a98ed627861e735beb4010775 + +commit 30360224441ce89a98ed627861e735beb4010775 upstream. + +Added USB serial option driver support for Fibocom NL668 series cellular +modules. Reserved USB endpoints 4, 5 and 6 for network + ADB interfaces. + +usb-devices output (QMI mode) +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 16 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1508 ProdID=1001 Rev=03.18 +S: Manufacturer=Nodecom NL668 Modem +S: Product=Nodecom NL668-CN Modem +S: SerialNumber= +C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) + +usb-devices output (ECM mode) +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 17 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1508 ProdID=1001 Rev=03.18 +S: Manufacturer=Nodecom NL668 Modem +S: Product=Nodecom NL668-CN Modem +S: SerialNumber= +C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) 
Sub=00 Prot=00 Driver=option +I: If#= 4 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether +I: If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether +I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) + +Signed-off-by: Jörgen Storvist <jorgen.storvist@gmail.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index f7c13e5f7cae..412d9442a760 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1950,6 +1950,8 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x13) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x14) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) }, ++ { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 */ ++ .driver_info = RSVD(4) | RSVD(5) | RSVD(6) }, + { } /* Terminating entry */ + }; + MODULE_DEVICE_TABLE(usb, option_ids); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-007-USB-serial-option-add-Telit-LN940-series.patch b/patches.kernel.org/4.4.170-007-USB-serial-option-add-Telit-LN940-series.patch new file mode 100644 index 0000000000..d414d62b27 --- /dev/null +++ b/patches.kernel.org/4.4.170-007-USB-serial-option-add-Telit-LN940-series.patch 
@@ -0,0 +1,71 @@ +From: =?UTF-8?q?J=C3=B6rgen=20Storvist?= <jorgen.storvist@gmail.com> +Date: Thu, 13 Dec 2018 17:32:08 +0100 +Subject: [PATCH] USB: serial: option: add Telit LN940 series +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 28a86092b1753b802ef7e3de8a4c4a69a9c1bb03 + +commit 28a86092b1753b802ef7e3de8a4c4a69a9c1bb03 upstream. + +Added USB serial option driver support for Telit LN940 series cellular +modules. Covering both QMI and MBIM modes. + +usb-devices output (0x1900): +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 21 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=1900 Rev=03.10 +S: Manufacturer=Telit +S: Product=Telit LN940 Mobile Broadband +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option + +usb-devices output (0x1901): +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 20 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=1901 Rev=03.10 +S: Manufacturer=Telit +S: Product=Telit LN940 Mobile Broadband +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) 
Sub=00 Prot=00 Driver=option +I: If#= 4 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +I: If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim + +Signed-off-by: Jörgen Storvist <jorgen.storvist@gmail.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/serial/option.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 412d9442a760..1e3445dd84b2 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1163,6 +1163,10 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1213, 0xff) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1214), + .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) }, ++ { USB_DEVICE(TELIT_VENDOR_ID, 0x1900), /* Telit LN940 (QMI) */ ++ .driver_info = NCTRL(0) | RSVD(1) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1901, 0xff), /* Telit LN940 (MBIM) */ ++ .driver_info = NCTRL(0) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */ + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0002, 0xff, 0xff, 0xff), + .driver_info = RSVD(1) }, +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-008-mmc-core-Reset-HPI-enabled-state-during-re-in.patch b/patches.kernel.org/4.4.170-008-mmc-core-Reset-HPI-enabled-state-during-re-in.patch new file mode 100644 index 0000000000..8f86d9b884 --- /dev/null +++ b/patches.kernel.org/4.4.170-008-mmc-core-Reset-HPI-enabled-state-during-re-in.patch 
@@ -0,0 +1,44 @@ +From: Ulf Hansson <ulf.hansson@linaro.org> +Date: Mon, 10 Dec 2018 17:52:36 +0100 +Subject: [PATCH] mmc: core: Reset HPI enabled state during re-init and in case + of errors +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: a0741ba40a009f97c019ae7541dc61c1fdf41efb + +commit a0741ba40a009f97c019ae7541dc61c1fdf41efb upstream. + +During a re-initialization of the eMMC card, we may fail to re-enable HPI. +In these cases, that isn't properly reflected in the card->ext_csd.hpi_en +bit, as it keeps being set. This may cause following attempts to use HPI, +even if's not enabled. Let's fix this! + +Fixes: eb0d8f135b67 ("mmc: core: support HPI send command") +Cc: <stable@vger.kernel.org> +Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/mmc/core/mmc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c +index 79a0c26e1419..a31789be0840 100644 +--- a/drivers/mmc/core/mmc.c ++++ b/drivers/mmc/core/mmc.c +@@ -1608,9 +1608,11 @@ static int mmc_init_card(struct mmc_host *host, u32 ocr, + if (err) { + pr_warn("%s: Enabling HPI failed\n", + mmc_hostname(card->host)); ++ card->ext_csd.hpi_en = 0; + err = 0; +- } else ++ } else { + card->ext_csd.hpi_en = 1; ++ } + } + + /* +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-009-mmc-omap_hsmmc-fix-DMA-API-warning.patch b/patches.kernel.org/4.4.170-009-mmc-omap_hsmmc-fix-DMA-API-warning.patch new file mode 100644 index 0000000000..114e1faed7 --- /dev/null +++ b/patches.kernel.org/4.4.170-009-mmc-omap_hsmmc-fix-DMA-API-warning.patch 
@@ -0,0 +1,71 @@ +From: Russell King <rmk+kernel@armlinux.org.uk> +Date: Tue, 11 Dec 2018 14:41:31 +0000 +Subject: [PATCH] mmc: omap_hsmmc: fix DMA API warning +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 0b479790684192ab7024ce6a621f93f6d0a64d92 + +commit 0b479790684192ab7024ce6a621f93f6d0a64d92 upstream. + +While booting with rootfs on MMC, the following warning is encountered +on OMAP4430: + +omap-dma-engine 4a056000.dma-controller: DMA-API: mapping sg segment longer than device claims to support [len=69632] [max=65536] + +This is because the DMA engine has a default maximum segment size of 64K +but HSMMC sets: + + mmc->max_blk_size = 512; /* Block Length at max can be 1024 */ + mmc->max_blk_count = 0xFFFF; /* No. of Blocks is 16 bits */ + mmc->max_req_size = mmc->max_blk_size * mmc->max_blk_count; + mmc->max_seg_size = mmc->max_req_size; + +which ends up telling the block layer that we support a maximum segment +size of 65535*512, which exceeds the advertised DMA engine capabilities. + +Fix this by clamping the maximum segment size to the lower of the +maximum request size and of the DMA engine device used for either DMA +channel. + +Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> +Cc: <stable@vger.kernel.org> +Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/mmc/host/omap_hsmmc.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c +index 6b814d7d6560..af937d3e8c3e 100644 +--- a/drivers/mmc/host/omap_hsmmc.c ++++ b/drivers/mmc/host/omap_hsmmc.c +@@ -2117,7 +2117,6 @@ static int omap_hsmmc_probe(struct platform_device *pdev) + mmc->max_blk_size = 512; /* Block Length at max can be 1024 */ + mmc->max_blk_count = 0xFFFF; /* No. 
of Blocks is 16 bits */ + mmc->max_req_size = mmc->max_blk_size * mmc->max_blk_count; +- mmc->max_seg_size = mmc->max_req_size; + + mmc->caps |= MMC_CAP_MMC_HIGHSPEED | MMC_CAP_SD_HIGHSPEED | + MMC_CAP_WAIT_WHILE_BUSY | MMC_CAP_ERASE; +@@ -2174,6 +2173,17 @@ static int omap_hsmmc_probe(struct platform_device *pdev) + goto err_irq; + } + ++ /* ++ * Limit the maximum segment size to the lower of the request size ++ * and the DMA engine device segment size limits. In reality, with ++ * 32-bit transfers, the DMA engine can do longer segments than this ++ * but there is no way to represent that in the DMA model - if we ++ * increase this figure here, we get warnings from the DMA API debug. ++ */ ++ mmc->max_seg_size = min3(mmc->max_req_size, ++ dma_get_max_seg_size(host->rx_chan->device->dev), ++ dma_get_max_seg_size(host->tx_chan->device->dev)); ++ + /* Request IRQ for MMC operations */ + ret = devm_request_irq(&pdev->dev, host->irq, omap_hsmmc_irq, 0, + mmc_hostname(mmc), host); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-010-gpio-max7301-fix-driver-for-use-with-CONFIG_V.patch b/patches.kernel.org/4.4.170-010-gpio-max7301-fix-driver-for-use-with-CONFIG_V.patch new file mode 100644 index 0000000000..2313f64653 --- /dev/null +++ b/patches.kernel.org/4.4.170-010-gpio-max7301-fix-driver-for-use-with-CONFIG_V.patch 
@@ -0,0 +1,59 @@ +From: Christophe Leroy <christophe.leroy@c-s.fr> +Date: Fri, 7 Dec 2018 13:07:55 +0000 +Subject: [PATCH] gpio: max7301: fix driver for use with CONFIG_VMAP_STACK +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: abf221d2f51b8ce7b9959a8953f880a8b0a1400d + +commit abf221d2f51b8ce7b9959a8953f880a8b0a1400d upstream. + +spi_read() and spi_write() require DMA-safe memory. When +CONFIG_VMAP_STACK is selected, those functions cannot be used +with buffers on stack. + +This patch replaces calls to spi_read() and spi_write() by +spi_write_then_read() which doesn't require DMA-safe buffers. + +Fixes: 0c36ec314735 ("gpio: gpio driver for max7301 SPI GPIO expander") +Cc: <stable@vger.kernel.org> +Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr> +Signed-off-by: Linus Walleij <linus.walleij@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/gpio/gpio-max7301.c | 12 +++--------- + 1 file changed, 3 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpio/gpio-max7301.c b/drivers/gpio/gpio-max7301.c +index 05813fbf3daf..647dfbbc4e1c 100644 +--- a/drivers/gpio/gpio-max7301.c ++++ b/drivers/gpio/gpio-max7301.c +@@ -25,7 +25,7 @@ static int max7301_spi_write(struct device *dev, unsigned int reg, + struct spi_device *spi = to_spi_device(dev); + u16 word = ((reg & 0x7F) << 8) | (val & 0xFF); + +- return spi_write(spi, (const u8 *)&word, sizeof(word)); ++ return spi_write_then_read(spi, &word, sizeof(word), NULL, 0); + } + + /* A read from the MAX7301 means two transfers; here, one message each */ +@@ -37,14 +37,8 @@ static int max7301_spi_read(struct device *dev, unsigned int reg) + struct spi_device *spi = to_spi_device(dev); + + word = 0x8000 | (reg << 8); +- ret = spi_write(spi, (const u8 *)&word, sizeof(word)); +- if (ret) +- return ret; +- /* +- * This relies on the fact, that a transfer with NULL tx_buf shifts out +- * zero bytes (=NOOP for MAX7301) +- */ +- 
ret = spi_read(spi, (u8 *)&word, sizeof(word)); ++ ret = spi_write_then_read(spi, &word, sizeof(word), &word, ++ sizeof(word)); + if (ret) + return ret; + return word & 0xff; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-011-Drivers-hv-vmbus-Return-EINVAL-for-the-sys-fi.patch b/patches.kernel.org/4.4.170-011-Drivers-hv-vmbus-Return-EINVAL-for-the-sys-fi.patch new file mode 100644 index 0000000000..b11d1bf9e3 --- /dev/null +++ b/patches.kernel.org/4.4.170-011-Drivers-hv-vmbus-Return-EINVAL-for-the-sys-fi.patch 
@@ -0,0 +1,125 @@ +From: Dexuan Cui <decui@microsoft.com> +Date: Thu, 13 Dec 2018 16:35:43 +0000 +Subject: [PATCH] Drivers: hv: vmbus: Return -EINVAL for the sys files for + unopened channels +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: fc96df16a1ce80cbb3c316ab7d4dc8cd5c2852ce + +commit fc96df16a1ce80cbb3c316ab7d4dc8cd5c2852ce upstream. + +Before 98f4c651762c, we returned zeros for unopened channels. +With 98f4c651762c, we started to return random on-stack values. + +We'd better return -EINVAL instead. + +Fixes: 98f4c651762c ("hv: move ringbuffer bus attributes to dev_groups") +Cc: stable@vger.kernel.org +Cc: K. Y. Srinivasan <kys@microsoft.com> +Cc: Haiyang Zhang <haiyangz@microsoft.com> +Cc: Stephen Hemminger <sthemmin@microsoft.com> +Signed-off-by: Dexuan Cui <decui@microsoft.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/hv/vmbus_drv.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c +index 802dcb409030..b877cce0409b 100644 +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -316,6 +316,8 @@ static ssize_t out_intr_mask_show(struct device *dev, + + if (!hv_dev->channel) + return -ENODEV; ++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE) ++ return -EINVAL; + hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound); + return sprintf(buf, "%d\n", outbound.current_interrupt_mask); + } +@@ -329,6 +331,8 @@ static ssize_t out_read_index_show(struct device *dev, + + if (!hv_dev->channel) + return -ENODEV; ++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE) ++ return -EINVAL; + hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound); + return sprintf(buf, "%d\n", outbound.current_read_index); + } +@@ -343,6 +347,8 @@ static ssize_t out_write_index_show(struct device *dev, + + if (!hv_dev->channel) + return 
-ENODEV; ++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE) ++ return -EINVAL; + hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound); + return sprintf(buf, "%d\n", outbound.current_write_index); + } +@@ -357,6 +363,8 @@ static ssize_t out_read_bytes_avail_show(struct device *dev, + + if (!hv_dev->channel) + return -ENODEV; ++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE) ++ return -EINVAL; + hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound); + return sprintf(buf, "%d\n", outbound.bytes_avail_toread); + } +@@ -371,6 +379,8 @@ static ssize_t out_write_bytes_avail_show(struct device *dev, + + if (!hv_dev->channel) + return -ENODEV; ++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE) ++ return -EINVAL; + hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound); + return sprintf(buf, "%d\n", outbound.bytes_avail_towrite); + } +@@ -384,6 +394,8 @@ static ssize_t in_intr_mask_show(struct device *dev, + + if (!hv_dev->channel) + return -ENODEV; ++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE) ++ return -EINVAL; + hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); + return sprintf(buf, "%d\n", inbound.current_interrupt_mask); + } +@@ -397,6 +409,8 @@ static ssize_t in_read_index_show(struct device *dev, + + if (!hv_dev->channel) + return -ENODEV; ++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE) ++ return -EINVAL; + hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); + return sprintf(buf, "%d\n", inbound.current_read_index); + } +@@ -410,6 +424,8 @@ static ssize_t in_write_index_show(struct device *dev, + + if (!hv_dev->channel) + return -ENODEV; ++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE) ++ return -EINVAL; + hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); + return sprintf(buf, "%d\n", inbound.current_write_index); + } +@@ -424,6 +440,8 @@ static ssize_t in_read_bytes_avail_show(struct device *dev, + + if (!hv_dev->channel) + return -ENODEV; ++ if 
(hv_dev->channel->state != CHANNEL_OPENED_STATE) ++ return -EINVAL; + hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); + return sprintf(buf, "%d\n", inbound.bytes_avail_toread); + } +@@ -438,6 +456,8 @@ static ssize_t in_write_bytes_avail_show(struct device *dev, + + if (!hv_dev->channel) + return -ENODEV; ++ if (hv_dev->channel->state != CHANNEL_OPENED_STATE) ++ return -EINVAL; + hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); + return sprintf(buf, "%d\n", inbound.bytes_avail_towrite); + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-012-x86-mtrr-Don-t-copy-uninitialized-gentry-fiel.patch b/patches.kernel.org/4.4.170-012-x86-mtrr-Don-t-copy-uninitialized-gentry-fiel.patch new file mode 100644 index 0000000000..361dc8c88b --- /dev/null +++ b/patches.kernel.org/4.4.170-012-x86-mtrr-Don-t-copy-uninitialized-gentry-fiel.patch 
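Review bot: in drivers/hv/vmbus_drv.c the same two-line CHANNEL_OPENED_STATE check is pasted into all ten *_show() handlers, so the next ring-buffer attribute that gets added can omit it and go back to printing whatever is on the stack. Consider doing the check in one place (a small helper the handlers call, or an error return from hv_ringbuffer_get_debuginfo()) and zero-initialising the local outbound/inbound structs, so that a missed check prints zeros rather than stack contents.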
@@ -0,0 +1,47 @@ +From: Colin Ian King <colin.king@canonical.com> +Date: Tue, 18 Dec 2018 17:29:56 +0000 +Subject: [PATCH] x86/mtrr: Don't copy uninitialized gentry fields back to + userspace +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 32043fa065b51e0b1433e48d118821c71b5cd65d + +commit 32043fa065b51e0b1433e48d118821c71b5cd65d upstream. + +Currently the copy_to_user of data in the gentry struct is copying +uninitiaized data in field _pad from the stack to userspace. + +Fix this by explicitly memset'ing gentry to zero, this also will zero any +compiler added padding fields that may be in struct (currently there are +none). + +Detected by CoverityScan, CID#200783 ("Uninitialized scalar variable") + +Fixes: b263b31e8ad6 ("x86, mtrr: Use explicit sizing and padding for the 64-bit ioctls") +Signed-off-by: Colin Ian King <colin.king@canonical.com> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Reviewed-by: Tyler Hicks <tyhicks@canonical.com> +Cc: security@kernel.org +Link: https://lkml.kernel.org/r/20181218172956.1440-1-colin.king@canonical.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/x86/kernel/cpu/mtrr/if.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/x86/kernel/cpu/mtrr/if.c b/arch/x86/kernel/cpu/mtrr/if.c +index d76f13d6d8d6..ec894bf5eeb0 100644 +--- a/arch/x86/kernel/cpu/mtrr/if.c ++++ b/arch/x86/kernel/cpu/mtrr/if.c +@@ -173,6 +173,8 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg) + struct mtrr_gentry gentry; + void __user *arg = (void __user *) __arg; + ++ memset(&gentry, 0, sizeof(gentry)); ++ + switch (cmd) { + case MTRRIOC_ADD_ENTRY: + case MTRRIOC_SET_ENTRY: +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-013-drm-ioctl-Fix-Spectre-v1-vulnerabilities.patch b/patches.kernel.org/4.4.170-013-drm-ioctl-Fix-Spectre-v1-vulnerabilities.patch new file mode 100644 index 0000000000..42ad4ba542 --- /dev/null 
+++ b/patches.kernel.org/4.4.170-013-drm-ioctl-Fix-Spectre-v1-vulnerabilities.patch 
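Review bot: in the mtrr_ioctl() hunk of the preceding patch (arch/x86/kernel/cpu/mtrr/if.c) the memset() of gentry carries no comment, and the reason for it (the struct is copied to userspace, so _pad and any padding must be cleared) is only in the commit message. Add a one-line comment at the memset() so a later cleanup does not replace it with a partial initialiser or drop it as redundant for the commands that overwrite gentry with copy_from_user().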
@@ -0,0 +1,80 @@ +From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> +Date: Wed, 19 Dec 2018 18:00:15 -0600 +Subject: [PATCH] drm/ioctl: Fix Spectre v1 vulnerabilities +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 505b5240329b922f21f91d5b5d1e535c805eca6d + +commit 505b5240329b922f21f91d5b5d1e535c805eca6d upstream. + +nr is indirectly controlled by user-space, hence leading to a +potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +drivers/gpu/drm/drm_ioctl.c:805 drm_ioctl() warn: potential spectre issue 'dev->driver->ioctls' [r] +drivers/gpu/drm/drm_ioctl.c:810 drm_ioctl() warn: potential spectre issue 'drm_ioctls' [r] (local cap) +drivers/gpu/drm/drm_ioctl.c:892 drm_ioctl_flags() warn: potential spectre issue 'drm_ioctls' [r] (local cap) + +Fix this by sanitizing nr before using it to index dev->driver->ioctls +and drm_ioctls. + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. 
Silva <gustavo@embeddedor.com> +Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> +Link: https://patchwork.freedesktop.org/patch/msgid/20181220000015.GA18973@embeddedor +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/gpu/drm/drm_ioctl.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c +index 8ce2a0c59116..a7030ada81fd 100644 +--- a/drivers/gpu/drm/drm_ioctl.c ++++ b/drivers/gpu/drm/drm_ioctl.c +@@ -36,6 +36,7 @@ + + #include <linux/pci.h> + #include <linux/export.h> ++#include <linux/nospec.h> + + static int drm_version(struct drm_device *dev, void *data, + struct drm_file *file_priv); +@@ -702,13 +703,17 @@ long drm_ioctl(struct file *filp, + + if (is_driver_ioctl) { + /* driver ioctl */ +- if (nr - DRM_COMMAND_BASE >= dev->driver->num_ioctls) ++ unsigned int index = nr - DRM_COMMAND_BASE; ++ ++ if (index >= dev->driver->num_ioctls) + goto err_i1; +- ioctl = &dev->driver->ioctls[nr - DRM_COMMAND_BASE]; ++ index = array_index_nospec(index, dev->driver->num_ioctls); ++ ioctl = &dev->driver->ioctls[index]; + } else { + /* core ioctl */ + if (nr >= DRM_CORE_IOCTL_COUNT) + goto err_i1; ++ nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT); + ioctl = &drm_ioctls[nr]; + } + +@@ -810,6 +815,7 @@ bool drm_ioctl_flags(unsigned int nr, unsigned int *flags) + + if (nr >= DRM_CORE_IOCTL_COUNT) + return false; ++ nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT); + + *flags = drm_ioctls[nr].flags; + return true; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-014-ip6mr-Fix-potential-Spectre-v1-vulnerability.patch b/patches.kernel.org/4.4.170-014-ip6mr-Fix-potential-Spectre-v1-vulnerability.patch new file mode 100644 index 0000000000..c186e2b772 --- /dev/null +++ b/patches.kernel.org/4.4.170-014-ip6mr-Fix-potential-Spectre-v1-vulnerability.patch 
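Review bot: in the driver-ioctl branch of drm_ioctl() (drivers/gpu/drm/drm_ioctl.c) dev->driver->num_ioctls is read once for the bounds check and a second time as the array_index_nospec() bound. Loading it into a local and using that for both the comparison and the clamp would make it obvious that the architectural check and the speculative clamp use the same limit. The core-ioctl branch and drm_ioctl_flags() use the constant DRM_CORE_IOCTL_COUNT for both and need no change.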
@@ -0,0 +1,65 @@ +From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> +Date: Tue, 11 Dec 2018 14:10:08 -0600 +Subject: [PATCH] ip6mr: Fix potential Spectre v1 vulnerability +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 69d2c86766da2ded2b70281f1bf242cb0d58a778 + +[ Upstream commit 69d2c86766da2ded2b70281f1bf242cb0d58a778 ] + +vr.mifi is indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +net/ipv6/ip6mr.c:1845 ip6mr_ioctl() warn: potential spectre issue 'mrt->vif_table' [r] (local cap) +net/ipv6/ip6mr.c:1919 ip6mr_compat_ioctl() warn: potential spectre issue 'mrt->vif_table' [r] (local cap) + +Fix this by sanitizing vr.mifi before using it to index mrt->vif_table' + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> +Signed-off-by: David S. 
Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv6/ip6mr.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c +index 9b92960f024d..74b3e9718e84 100644 +--- a/net/ipv6/ip6mr.c ++++ b/net/ipv6/ip6mr.c +@@ -72,6 +72,8 @@ struct mr6_table { + #endif + }; + ++#include <linux/nospec.h> ++ + struct ip6mr_rule { + struct fib_rule common; + }; +@@ -1871,6 +1873,7 @@ int ip6mr_ioctl(struct sock *sk, int cmd, void __user *arg) + return -EFAULT; + if (vr.mifi >= mrt->maxvif) + return -EINVAL; ++ vr.mifi = array_index_nospec(vr.mifi, mrt->maxvif); + read_lock(&mrt_lock); + vif = &mrt->vif6_table[vr.mifi]; + if (MIF_EXISTS(mrt, vr.mifi)) { +@@ -1945,6 +1948,7 @@ int ip6mr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg) + return -EFAULT; + if (vr.mifi >= mrt->maxvif) + return -EINVAL; ++ vr.mifi = array_index_nospec(vr.mifi, mrt->maxvif); + read_lock(&mrt_lock); + vif = &mrt->vif6_table[vr.mifi]; + if (MIF_EXISTS(mrt, vr.mifi)) { +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-015-ipv4-Fix-potential-Spectre-v1-vulnerability.patch b/patches.kernel.org/4.4.170-015-ipv4-Fix-potential-Spectre-v1-vulnerability.patch new file mode 100644 index 0000000000..d9dbe88579 --- /dev/null +++ b/patches.kernel.org/4.4.170-015-ipv4-Fix-potential-Spectre-v1-vulnerability.patch 
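Review bot: the first hunk in net/ipv6/ip6mr.c places #include <linux/nospec.h> in the middle of the file, between struct mr6_table and struct ip6mr_rule, instead of in the include block at the top. It builds, but it hides the dependency from anyone reading the header list and invites a duplicate include later; move it up with the other linux/ headers unless the placement is deliberate for this backport.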
@@ -0,0 +1,56 @@ +From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> +Date: Mon, 10 Dec 2018 12:41:24 -0600 +Subject: [PATCH] ipv4: Fix potential Spectre v1 vulnerability +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 5648451e30a0d13d11796574919a359025d52cce + +[ Upstream commit 5648451e30a0d13d11796574919a359025d52cce ] + +vr.vifi is indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +net/ipv4/ipmr.c:1616 ipmr_ioctl() warn: potential spectre issue 'mrt->vif_table' [r] (local cap) +net/ipv4/ipmr.c:1690 ipmr_compat_ioctl() warn: potential spectre issue 'mrt->vif_table' [r] (local cap) + +Fix this by sanitizing vr.vifi before using it to index mrt->vif_table' + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> +Signed-off-by: David S. 
Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv4/ipmr.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c +index 8e77786549c6..1cb865fcc91b 100644 +--- a/net/ipv4/ipmr.c ++++ b/net/ipv4/ipmr.c +@@ -66,6 +66,7 @@ + #include <net/netlink.h> + #include <net/fib_rules.h> + #include <linux/netconf.h> ++#include <linux/nospec.h> + + #if defined(CONFIG_IP_PIMSM_V1) || defined(CONFIG_IP_PIMSM_V2) + #define CONFIG_IP_PIMSM 1 +@@ -1574,6 +1575,7 @@ int ipmr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg) + return -EFAULT; + if (vr.vifi >= mrt->maxvif) + return -EINVAL; ++ vr.vifi = array_index_nospec(vr.vifi, mrt->maxvif); + read_lock(&mrt_lock); + vif = &mrt->vif_table[vr.vifi]; + if (VIF_EXISTS(mrt, vr.vifi)) { +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-016-ax25-fix-a-use-after-free-in-ax25_fillin_cb.patch b/patches.kernel.org/4.4.170-016-ax25-fix-a-use-after-free-in-ax25_fillin_cb.patch new file mode 100644 index 0000000000..e3a3880ffa --- /dev/null +++ b/patches.kernel.org/4.4.170-016-ax25-fix-a-use-after-free-in-ax25_fillin_cb.patch 
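Review bot: the commit message quotes Smatch warnings for both ipmr_ioctl() and ipmr_compat_ioctl(), but the diff to net/ipv4/ipmr.c contains a single array_index_nospec() hunk (the diffstat's 2 insertions are the include and one clamp), so only one of the two vr.vifi lookups is sanitised. Confirm whether the other handler in this tree has the same vr.vifi >= mrt->maxvif check followed by &mrt->vif_table[vr.vifi], and if it does, add the same clamp there.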
@@ -0,0 +1,81 @@ +From: Cong Wang <xiyou.wangcong@gmail.com> +Date: Sat, 29 Dec 2018 13:56:36 -0800 +Subject: [PATCH] ax25: fix a use-after-free in ax25_fillin_cb() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: c433570458e49bccea5c551df628d058b3526289 + +[ Upstream commit c433570458e49bccea5c551df628d058b3526289 ] + +There are multiple issues here: + +1. After freeing dev->ax25_ptr, we need to set it to NULL otherwise + we may use a dangling pointer. + +2. There is a race between ax25_setsockopt() and device notifier as + reported by syzbot. Close it by holding RTNL lock. + +3. We need to test if dev->ax25_ptr is NULL before using it. + +Reported-and-tested-by: syzbot+ae6bb869cbed29b29040@syzkaller.appspotmail.com +Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ax25/af_ax25.c | 11 +++++++++-- + net/ax25/ax25_dev.c | 2 ++ + 2 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c +index 2fdebabbfacd..2772f6a13fcb 100644 +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -654,15 +654,22 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, + break; + } + +- dev = dev_get_by_name(&init_net, devname); ++ rtnl_lock(); ++ dev = __dev_get_by_name(&init_net, devname); + if (!dev) { ++ rtnl_unlock(); + res = -ENODEV; + break; + } + + ax25->ax25_dev = ax25_dev_ax25dev(dev); ++ if (!ax25->ax25_dev) { ++ rtnl_unlock(); ++ res = -ENODEV; ++ break; ++ } + ax25_fillin_cb(ax25, ax25->ax25_dev); +- dev_put(dev); ++ rtnl_unlock(); + break; + + default: +diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c +index 3d106767b272..5faca5db6385 100644 +--- a/net/ax25/ax25_dev.c ++++ b/net/ax25/ax25_dev.c +@@ -116,6 +116,7 @@ void ax25_dev_device_down(struct net_device *dev) + if ((s = ax25_dev_list) == ax25_dev) { + 
ax25_dev_list = s->next; + spin_unlock_bh(&ax25_dev_lock); ++ dev->ax25_ptr = NULL; + dev_put(dev); + kfree(ax25_dev); + return; +@@ -125,6 +126,7 @@ void ax25_dev_device_down(struct net_device *dev) + if (s->next == ax25_dev) { + s->next = ax25_dev->next; + spin_unlock_bh(&ax25_dev_lock); ++ dev->ax25_ptr = NULL; + dev_put(dev); + kfree(ax25_dev); + return; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-017-ibmveth-fix-DMA-unmap-error-in-ibmveth_xmit_s.patch b/patches.kernel.org/4.4.170-017-ibmveth-fix-DMA-unmap-error-in-ibmveth_xmit_s.patch new file mode 100644 index 0000000000..74ed595dfb --- /dev/null +++ b/patches.kernel.org/4.4.170-017-ibmveth-fix-DMA-unmap-error-in-ibmveth_xmit_s.patch 
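Review bot: in both ax25_dev_device_down() hunks (net/ax25/ax25_dev.c) dev->ax25_ptr is cleared after spin_unlock_bh(&ax25_dev_lock), so that lock does not order the store against readers and the fix relies on readers of dev->ax25_ptr holding RTNL, as ax25_setsockopt() now does. State that in a comment at the store, or move the assignment above the unlock. In the af_ax25.c hunk the three separate rtnl_unlock() calls could also be folded into one exit path, which makes it harder to add a branch that breaks out with RTNL still held.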
@@ -0,0 +1,66 @@ +From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com> +Date: Mon, 31 Dec 2018 15:43:01 -0600 +Subject: [PATCH] ibmveth: fix DMA unmap error in ibmveth_xmit_start error path +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 756af9c642329d54f048bac2a62f829b391f6944 + +[ Upstream commit 756af9c642329d54f048bac2a62f829b391f6944 ] + +Commit 33a48ab105a7 ("ibmveth: Fix DMA unmap error") fixed an issue in the +normal code path of ibmveth_xmit_start() that was originally introduced by +Commit 6e8ab30ec677 ("ibmveth: Add scatter-gather support"). This original +fix missed the error path where dma_unmap_page is wrongly called on the +header portion in descs[0] which was mapped with dma_map_single. As a +result a failure to DMA map any of the frags results in a dmesg warning +when CONFIG_DMA_API_DEBUG is enabled. + +------------[ cut here ]------------ +DMA-API: ibmveth 30000002: device driver frees DMA memory with wrong function + [device address=0x000000000a430000] [size=172 bytes] [mapped as page] [unmapped as single] +WARNING: CPU: 1 PID: 8426 at kernel/dma/debug.c:1085 check_unmap+0x4fc/0xe10 +... +<snip> +... +DMA-API: Mapped at: +ibmveth_start_xmit+0x30c/0xb60 +dev_hard_start_xmit+0x100/0x450 +sch_direct_xmit+0x224/0x490 +__qdisc_run+0x20c/0x980 +__dev_queue_xmit+0x1bc/0xf20 + +This fixes the API misuse by unampping descs[0] with dma_unmap_single. + +Fixes: 6e8ab30ec677 ("ibmveth: Add scatter-gather support") +Signed-off-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com> +Signed-off-by: David S. 
Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/ethernet/ibm/ibmveth.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c +index 2f9b12cf9ee5..61a9ab4fe047 100644 +--- a/drivers/net/ethernet/ibm/ibmveth.c ++++ b/drivers/net/ethernet/ibm/ibmveth.c +@@ -1163,11 +1163,15 @@ static netdev_tx_t ibmveth_start_xmit(struct sk_buff *skb, + + map_failed_frags: + last = i+1; +- for (i = 0; i < last; i++) ++ for (i = 1; i < last; i++) + dma_unmap_page(&adapter->vdev->dev, descs[i].fields.address, + descs[i].fields.flags_len & IBMVETH_BUF_LEN_MASK, + DMA_TO_DEVICE); + ++ dma_unmap_single(&adapter->vdev->dev, ++ descs[0].fields.address, ++ descs[0].fields.flags_len & IBMVETH_BUF_LEN_MASK, ++ DMA_TO_DEVICE); + map_failed: + if (!firmware_has_feature(FW_FEATURE_CMO)) + netdev_err(netdev, "tx: unable to map xmit buffer\n"); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-018-ieee802154-lowpan_header_create-check-must-ch.patch b/patches.kernel.org/4.4.170-018-ieee802154-lowpan_header_create-check-must-ch.patch new file mode 100644 index 0000000000..de8b5cafe9 --- /dev/null +++ b/patches.kernel.org/4.4.170-018-ieee802154-lowpan_header_create-check-must-ch.patch 
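Review bot: in the map_failed_frags path of ibmveth_start_xmit() the loop now starts at i = 1 and descs[0] is unmapped separately with dma_unmap_single(), but nothing in the code says why index 0 is special. Add a short comment that descs[0] is the header mapped with dma_map_single() while the remaining descriptors are page frags, so the asymmetry is not tidied back into a single loop.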
@@ -0,0 +1,39 @@ +From: Willem de Bruijn <willemb@google.com> +Date: Sun, 23 Dec 2018 12:52:18 -0500 +Subject: [PATCH] ieee802154: lowpan_header_create check must check daddr +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 40c3ff6d5e0809505a067dd423c110c5658c478c + +[ Upstream commit 40c3ff6d5e0809505a067dd423c110c5658c478c ] + +Packet sockets may call dev_header_parse with NULL daddr. Make +lowpan_header_ops.create fail. + +Fixes: 87a93e4eceb4 ("ieee802154: change needed headroom/tailroom") +Signed-off-by: Willem de Bruijn <willemb@google.com> +Acked-by: Alexander Aring <aring@mojatatu.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ieee802154/6lowpan/tx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ieee802154/6lowpan/tx.c b/net/ieee802154/6lowpan/tx.c +index a10db45b2e1e..df32134da924 100644 +--- a/net/ieee802154/6lowpan/tx.c ++++ b/net/ieee802154/6lowpan/tx.c +@@ -55,6 +55,9 @@ int lowpan_header_create(struct sk_buff *skb, struct net_device *ldev, + const u8 *daddr = _daddr; + struct lowpan_addr_info *info; + ++ if (!daddr) ++ return -EINVAL; ++ + /* TODO: + * if this package isn't ipv6 one, where should it be routed? + */ +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-019-ipv6-explicitly-initialize-udp6_addr-in-udp_s.patch b/patches.kernel.org/4.4.170-019-ipv6-explicitly-initialize-udp6_addr-in-udp_s.patch new file mode 100644 index 0000000000..c37ef75c19 --- /dev/null +++ b/patches.kernel.org/4.4.170-019-ipv6-explicitly-initialize-udp6_addr-in-udp_s.patch 
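Review bot: the new NULL check in lowpan_header_create() (net/ieee802154/6lowpan/tx.c) sits above the existing TODO block about non-IPv6 packets, so a NULL daddr now fails with -EINVAL before the packet type is examined. If the code below that comment passes non-IPv6 frames through without touching daddr, their behaviour changes; either move the check to just before the first use of daddr or say in the commit message that rejecting every type is intended. The message also names dev_header_parse, while the hook being changed is the create callback.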
@@ -0,0 +1,54 @@ +From: Cong Wang <xiyou.wangcong@gmail.com> +Date: Tue, 18 Dec 2018 21:17:44 -0800 +Subject: [PATCH] ipv6: explicitly initialize udp6_addr in udp_sock_create6() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: fb24274546310872eeeaf3d1d53799d8414aa0f2 + +[ Upstream commit fb24274546310872eeeaf3d1d53799d8414aa0f2 ] + +syzbot reported the use of uninitialized udp6_addr::sin6_scope_id. +We can just set ::sin6_scope_id to zero, as tunnels are unlikely +to use an IPv6 address that needs a scope id and there is no +interface to bind in this context. + +For net-next, it looks different as we have cfg->bind_ifindex there +so we can probably call ipv6_iface_scope_id(). + +Same for ::sin6_flowinfo, tunnels don't use it. + +Fixes: 8024e02879dd ("udp: Add udp_sock_create for UDP tunnels to open listener socket") +Reported-by: syzbot+c56449ed3652e6720f30@syzkaller.appspotmail.com +Cc: Jon Maloy <jon.maloy@ericsson.com> +Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/ipv6/ip6_udp_tunnel.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_udp_tunnel.c b/net/ipv6/ip6_udp_tunnel.c +index 14dacf1df529..30b03d8e321a 100644 +--- a/net/ipv6/ip6_udp_tunnel.c ++++ b/net/ipv6/ip6_udp_tunnel.c +@@ -15,7 +15,7 @@ + int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg, + struct socket **sockp) + { +- struct sockaddr_in6 udp6_addr; ++ struct sockaddr_in6 udp6_addr = {}; + int err; + struct socket *sock = NULL; + +@@ -42,6 +42,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg, + goto error; + + if (cfg->peer_udp_port) { ++ memset(&udp6_addr, 0, sizeof(udp6_addr)); + udp6_addr.sin6_family = AF_INET6; + memcpy(&udp6_addr.sin6_addr, &cfg->peer_ip6, + sizeof(udp6_addr.sin6_addr)); +-- +2.20.1 + 
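Review bot: udp_sock_create6() now zeroes udp6_addr in two different ways, an empty initialiser at the declaration and a memset() inside the cfg->peer_udp_port block, and the code does not say why both are needed. A comment at the memset() noting that the struct is being refilled for the peer address and must not carry over earlier field values (sin6_scope_id and sin6_flowinfo in particular) would keep someone from deleting it as redundant with the initialiser.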
diff --git a/patches.kernel.org/4.4.170-020-isdn-fix-kernel-infoleak-in-capi_unlocked_ioc.patch b/patches.kernel.org/4.4.170-020-isdn-fix-kernel-infoleak-in-capi_unlocked_ioc.patch new file mode 100644 index 0000000000..2ee7adec52 --- /dev/null +++ b/patches.kernel.org/4.4.170-020-isdn-fix-kernel-infoleak-in-capi_unlocked_ioc.patch 
@@ -0,0 +1,86 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Wed, 2 Jan 2019 09:20:27 -0800 +Subject: [PATCH] isdn: fix kernel-infoleak in capi_unlocked_ioctl +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: d63967e475ae10f286dbd35e189cb241e0b1f284 + +[ Upstream commit d63967e475ae10f286dbd35e189cb241e0b1f284 ] + +Since capi_ioctl() copies 64 bytes after calling +capi20_get_manufacturer() we need to ensure to not leak +information to user. + +BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32 +CPU: 0 PID: 11245 Comm: syz-executor633 Not tainted 4.20.0-rc7+ #2 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x173/0x1d0 lib/dump_stack.c:113 + kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613 + kmsan_internal_check_memory+0x9d4/0xb00 mm/kmsan/kmsan.c:704 + kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601 + _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32 + capi_ioctl include/linux/uaccess.h:177 [inline] + capi_unlocked_ioctl+0x1a0b/0x1bf0 drivers/isdn/capi/capi.c:939 + do_vfs_ioctl+0xebd/0x2bf0 fs/ioctl.c:46 + ksys_ioctl fs/ioctl.c:713 [inline] + __do_sys_ioctl fs/ioctl.c:720 [inline] + __se_sys_ioctl+0x1da/0x270 fs/ioctl.c:718 + __x64_sys_ioctl+0x4a/0x70 fs/ioctl.c:718 + do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x63/0xe7 +RIP: 0033:0x440019 +Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007ffdd4659fb8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440019 +RDX: 0000000020000080 RSI: 00000000c0044306 RDI: 0000000000000003 +RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8 +R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004018a0 
+R13: 0000000000401930 R14: 0000000000000000 R15: 0000000000000000 + +Local variable description: ----data.i@capi_unlocked_ioctl +Variable was created at: + capi_ioctl drivers/isdn/capi/capi.c:747 [inline] + capi_unlocked_ioctl+0x82/0x1bf0 drivers/isdn/capi/capi.c:939 + do_vfs_ioctl+0xebd/0x2bf0 fs/ioctl.c:46 + +Bytes 12-63 of 64 are uninitialized +Memory access of size 64 starts at ffff88807ac5fce8 +Data copied to user address 0000000020000080 + +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: syzbot <syzkaller@googlegroups.com> +Cc: Karsten Keil <isdn@linux-pingi.de> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/isdn/capi/kcapi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c +index dd7e38ac29bd..d15347de415a 100644 +--- a/drivers/isdn/capi/kcapi.c ++++ b/drivers/isdn/capi/kcapi.c +@@ -851,7 +851,7 @@ u16 capi20_get_manufacturer(u32 contr, u8 *buf) + u16 ret; + + if (contr == 0) { +- strlcpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN); ++ strncpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN); + return CAPI_NOERROR; + } + +@@ -859,7 +859,7 @@ u16 capi20_get_manufacturer(u32 contr, u8 *buf) + + ctr = get_capi_ctr_by_nr(contr); + if (ctr && ctr->state == CAPI_CTR_RUNNING) { +- strlcpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN); ++ strncpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN); + ret = CAPI_NOERROR; + } else + ret = CAPI_REGNOTINSTALLED; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-021-netrom-fix-locking-in-nr_find_socket.patch b/patches.kernel.org/4.4.170-021-netrom-fix-locking-in-nr_find_socket.patch new file mode 100644 index 0000000000..40b485675e --- /dev/null +++ b/patches.kernel.org/4.4.170-021-netrom-fix-locking-in-nr_find_socket.patch 
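Review bot: in capi20_get_manufacturer() (drivers/isdn/capi/kcapi.c) replacing strlcpy() with strncpy() closes the leak because strncpy() zero-fills the remainder of the CAPI_MANUFACTURER_LEN buffer, but it also gives up the guaranteed NUL terminator when the source is CAPI_MANUFACTURER_LEN bytes or longer. Both call sites need a comment that the zero padding is the point, so the change is not reverted as a strncpy cleanup, and it is worth confirming that capi_manufakturer and ctr->manu are always shorter than the buffer or that every reader treats the result as a fixed-size field.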
@@ -0,0 +1,107 @@ +From: Cong Wang <xiyou.wangcong@gmail.com> +Date: Sat, 29 Dec 2018 13:56:38 -0800 +Subject: [PATCH] netrom: fix locking in nr_find_socket() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 7314f5480f3e37e570104dc5e0f28823ef849e72 + +[ Upstream commit 7314f5480f3e37e570104dc5e0f28823ef849e72 ] + +nr_find_socket(), nr_find_peer() and nr_find_listener() lock the +sock after finding it in the global list. However, the call path +requires BH disabled for the sock lock consistently. + +Actually the locking is unnecessary at this point, we can just hold +the sock refcnt to make sure it is not gone after we unlock the global +list, and lock it later only when needed. + +Reported-and-tested-by: syzbot+f621cda8b7e598908efa@syzkaller.appspotmail.com +Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/netrom/af_netrom.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c +index ed212ffc1d9d..046ae1caecea 100644 +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -153,7 +153,7 @@ static struct sock *nr_find_listener(ax25_address *addr) + sk_for_each(s, &nr_list) + if (!ax25cmp(&nr_sk(s)->source_addr, addr) && + s->sk_state == TCP_LISTEN) { +- bh_lock_sock(s); ++ sock_hold(s); + goto found; + } + s = NULL; +@@ -174,7 +174,7 @@ static struct sock *nr_find_socket(unsigned char index, unsigned char id) + struct nr_sock *nr = nr_sk(s); + + if (nr->my_index == index && nr->my_id == id) { +- bh_lock_sock(s); ++ sock_hold(s); + goto found; + } + } +@@ -198,7 +198,7 @@ static struct sock *nr_find_peer(unsigned char index, unsigned char id, + + if (nr->your_index == index && nr->your_id == id && + !ax25cmp(&nr->dest_addr, dest)) { +- bh_lock_sock(s); ++ sock_hold(s); + goto found; + } + } 
+@@ -224,7 +224,7 @@ static unsigned short nr_find_next_circuit(void) + if (i != 0 && j != 0) { + if ((sk=nr_find_socket(i, j)) == NULL) + break; +- bh_unlock_sock(sk); ++ sock_put(sk); + } + + id++; +@@ -918,6 +918,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev) + } + + if (sk != NULL) { ++ bh_lock_sock(sk); + skb_reset_transport_header(skb); + + if (frametype == NR_CONNACK && skb->len == 22) +@@ -927,6 +928,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev) + + ret = nr_process_rx_frame(sk, skb); + bh_unlock_sock(sk); ++ sock_put(sk); + return ret; + } + +@@ -958,10 +960,12 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev) + (make = nr_make_new(sk)) == NULL) { + nr_transmit_refusal(skb, 0); + if (sk) +- bh_unlock_sock(sk); ++ sock_put(sk); + return 0; + } + ++ bh_lock_sock(sk); ++ + window = skb->data[20]; + + skb->sk = make; +@@ -1014,6 +1018,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev) + sk->sk_data_ready(sk); + + bh_unlock_sock(sk); ++ sock_put(sk); + + nr_insert_socket(make); + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-022-packet-validate-address-length.patch b/patches.kernel.org/4.4.170-022-packet-validate-address-length.patch new file mode 100644 index 0000000000..76af422f1f --- /dev/null +++ b/patches.kernel.org/4.4.170-022-packet-validate-address-length.patch 
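Review bot: the first three hunks in net/netrom/af_netrom.c change what nr_find_listener(), nr_find_socket() and nr_find_peer() return, from a bh-locked socket to an unlocked socket with a reference held, yet none of the three gets a comment stating the new contract. Document on each that the caller must sock_put() the result and take bh_lock_sock() itself; the nr_rx_frame() hunks show how easy the pairing is to miss, with sock_put() now required in three separate places.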
@@ -0,0 +1,46 @@ +From: Willem de Bruijn <willemb@google.com> +Date: Fri, 21 Dec 2018 12:06:59 -0500 +Subject: [PATCH] packet: validate address length +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 99137b7888f4058087895d035d81c6b2d31015c5 + +[ Upstream commit 99137b7888f4058087895d035d81c6b2d31015c5 ] + +Packet sockets with SOCK_DGRAM may pass an address for use in +dev_hard_header. Ensure that it is of sufficient length. + +Reported-by: syzbot <syzkaller@googlegroups.com> +Signed-off-by: Willem de Bruijn <willemb@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/packet/af_packet.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 07668f152a3a..050dcb71e54e 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2513,6 +2513,8 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + proto = saddr->sll_protocol; + addr = saddr->sll_addr; + dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex); ++ if (addr && dev && saddr->sll_halen < dev->addr_len) ++ goto out; + } + + err = -ENXIO; +@@ -2680,6 +2682,8 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + proto = saddr->sll_protocol; + addr = saddr->sll_addr; + dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex); ++ if (addr && dev && saddr->sll_halen < dev->addr_len) ++ goto out; + } + + err = -ENXIO; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-023-packet-validate-address-length-if-non-zero.patch b/patches.kernel.org/4.4.170-023-packet-validate-address-length-if-non-zero.patch new file mode 100644 index 0000000000..fc5d30c172 --- /dev/null +++ b/patches.kernel.org/4.4.170-023-packet-validate-address-length-if-non-zero.patch 
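Review bot: in both tpacket_snd() and packet_snd() (net/packet/af_packet.c) the new check can only fire when dev is non-NULL, that is, after dev_get_by_index() has returned a device with a reference held, and it then jumps to out. Check that the out label drops that reference; if the dev_put() sits under a different label, this branch leaks a device refcount each time a short sll_halen is supplied, and the jump should go to the label that releases dev. The hunk also sets no error code before the goto, so the caller gets whatever err held from the preceding msg_namelen check.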
@@ -0,0 +1,47 @@ +From: Willem de Bruijn <willemb@google.com> +Date: Sat, 22 Dec 2018 16:53:45 -0500 +Subject: [PATCH] packet: validate address length if non-zero +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 6b8d95f1795c42161dc0984b6863e95d6acf24ed + +[ Upstream commit 6b8d95f1795c42161dc0984b6863e95d6acf24ed ] + +Validate packet socket address length if a length is given. Zero +length is equivalent to not setting an address. + +Fixes: 99137b7888f4 ("packet: validate address length") +Reported-by: Ido Schimmel <idosch@idosch.org> +Signed-off-by: Willem de Bruijn <willemb@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/packet/af_packet.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 050dcb71e54e..0f50977ed53b 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2511,7 +2511,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + sll_addr))) + goto out; + proto = saddr->sll_protocol; +- addr = saddr->sll_addr; ++ addr = saddr->sll_halen ? saddr->sll_addr : NULL; + dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex); + if (addr && dev && saddr->sll_halen < dev->addr_len) + goto out; +@@ -2680,7 +2680,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + if (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr))) + goto out; + proto = saddr->sll_protocol; +- addr = saddr->sll_addr; ++ addr = saddr->sll_halen ? saddr->sll_addr : NULL; + dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex); + if (addr && dev && saddr->sll_halen < dev->addr_len) + goto out; +-- +2.20.1 + 
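Review bot: with addr = saddr->sll_halen ? saddr->sll_addr : NULL in tpacket_snd() and packet_snd(), a zero sll_halen now skips the dev->addr_len comparison entirely and a NULL destination address is passed on to header construction. That is safe only if every header create callback reachable from packet sockets tolerates a NULL daddr (the lowpan_header_create fix in this same series exists because one did not), so the commit message or a comment at the assignment should state that dependency.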
diff --git a/patches.kernel.org/4.4.170-024-sctp-initialize-sin6_flowinfo-for-ipv6-addrs-.patch b/patches.kernel.org/4.4.170-024-sctp-initialize-sin6_flowinfo-for-ipv6-addrs-.patch new file mode 100644 index 0000000000..eaa9821176 --- /dev/null +++ b/patches.kernel.org/4.4.170-024-sctp-initialize-sin6_flowinfo-for-ipv6-addrs-.patch 
@@ -0,0 +1,68 @@ +From: Xin Long <lucien.xin@gmail.com> +Date: Mon, 10 Dec 2018 18:00:52 +0800 +Subject: [PATCH] sctp: initialize sin6_flowinfo for ipv6 addrs in + sctp_inet6addr_event +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 4a2eb0c37b4759416996fbb4c45b932500cf06d3 + +[ Upstream commit 4a2eb0c37b4759416996fbb4c45b932500cf06d3 ] + +syzbot reported a kernel-infoleak, which is caused by an uninitialized +field(sin6_flowinfo) of addr->a.v6 in sctp_inet6addr_event(). +The call trace is as below: + + BUG: KMSAN: kernel-infoleak in _copy_to_user+0x19a/0x230 lib/usercopy.c:33 + CPU: 1 PID: 8164 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #95 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS + Google 01/01/2011 + Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x32d/0x480 lib/dump_stack.c:113 + kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683 + kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743 + kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634 + _copy_to_user+0x19a/0x230 lib/usercopy.c:33 + copy_to_user include/linux/uaccess.h:183 [inline] + sctp_getsockopt_local_addrs net/sctp/socket.c:5998 [inline] + sctp_getsockopt+0x15248/0x186f0 net/sctp/socket.c:7477 + sock_common_getsockopt+0x13f/0x180 net/core/sock.c:2937 + __sys_getsockopt+0x489/0x550 net/socket.c:1939 + __do_sys_getsockopt net/socket.c:1950 [inline] + __se_sys_getsockopt+0xe1/0x100 net/socket.c:1947 + __x64_sys_getsockopt+0x62/0x80 net/socket.c:1947 + do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x63/0xe7 + +sin6_flowinfo is not really used by SCTP, so it will be fixed by simply +setting it to 0. + +The issue exists since very beginning. +Thanks Alexander for the reproducer provided. 
+ +Reported-by: syzbot+ad5d327e6936a2e284be@syzkaller.appspotmail.com +Signed-off-by: Xin Long <lucien.xin@gmail.com> +Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> +Acked-by: Neil Horman <nhorman@tuxdriver.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/sctp/ipv6.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c +index 5ca8309ea7b1..7dffc97a953c 100644 +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct notifier_block *this, unsigned long ev, + if (addr) { + addr->a.v6.sin6_family = AF_INET6; + addr->a.v6.sin6_port = 0; ++ addr->a.v6.sin6_flowinfo = 0; + addr->a.v6.sin6_addr = ifa->addr; + addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex; + addr->valid = 1; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-025-vhost-make-sure-used-idx-is-seen-before-log-i.patch b/patches.kernel.org/4.4.170-025-vhost-make-sure-used-idx-is-seen-before-log-i.patch new file mode 100644 index 0000000000..38de96249d --- /dev/null +++ b/patches.kernel.org/4.4.170-025-vhost-make-sure-used-idx-is-seen-before-log-i.patch 
@@ -0,0 +1,40 @@ +From: Jason Wang <jasowang@redhat.com> +Date: Thu, 13 Dec 2018 10:53:37 +0800 +Subject: [PATCH] vhost: make sure used idx is seen before log in + vhost_add_used_n() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 841df922417eb82c835e93d4b93eb6a68c99d599 + +[ Upstream commit 841df922417eb82c835e93d4b93eb6a68c99d599 ] + +We miss a write barrier that guarantees used idx is updated and seen +before log. This will let userspace sync and copy used ring before +used idx is update. Fix this by adding a barrier before log_write(). + +Fixes: 8dd014adfea6f ("vhost-net: mergeable buffers support") +Acked-by: Michael S. Tsirkin <mst@redhat.com> +Signed-off-by: Jason Wang <jasowang@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/vhost/vhost.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c +index c54d388310f0..2ed0a356d1d3 100644 +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -1550,6 +1550,8 @@ int vhost_add_used_n(struct vhost_virtqueue *vq, struct vring_used_elem *heads, + return -EFAULT; + } + if (unlikely(vq->log_used)) { ++ /* Make sure used idx is seen before log. */ ++ smp_wmb(); + /* Log used index update. */ + log_write(vq->log_base, + vq->log_addr + offsetof(struct vring_used, idx), +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-026-VSOCK-Send-reset-control-packet-when-socket-i.patch b/patches.kernel.org/4.4.170-026-VSOCK-Send-reset-control-packet-when-socket-i.patch new file mode 100644 index 0000000000..04408e1786 --- /dev/null +++ b/patches.kernel.org/4.4.170-026-VSOCK-Send-reset-control-packet-when-socket-i.patch 
@@ -0,0 +1,135 @@ +From: Jorgen Hansen <jhansen@vmware.com> +Date: Tue, 18 Dec 2018 00:34:06 -0800 +Subject: [PATCH] VSOCK: Send reset control packet when socket is partially + bound +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: a915b982d8f5e4295f64b8dd37ce753874867e88 + +[ Upstream commit a915b982d8f5e4295f64b8dd37ce753874867e88 ] + +If a server side socket is bound to an address, but not in the listening +state yet, incoming connection requests should receive a reset control +packet in response. However, the function used to send the reset +silently drops the reset packet if the sending socket isn't bound +to a remote address (as is the case for a bound socket not yet in +the listening state). This change fixes this by using the src +of the incoming packet as destination for the reset packet in +this case. + +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Reviewed-by: Adit Ranadive <aditr@vmware.com> +Reviewed-by: Vishnu Dasa <vdasa@vmware.com> +Signed-off-by: Jorgen Hansen <jhansen@vmware.com> +Signed-off-by: David S. 
Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/vmw_vsock/vmci_transport.c | 67 +++++++++++++++++++++++++--------- + 1 file changed, 50 insertions(+), 17 deletions(-) + +diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c +index 589c8b9908a5..d24773552b64 100644 +--- a/net/vmw_vsock/vmci_transport.c ++++ b/net/vmw_vsock/vmci_transport.c +@@ -272,6 +272,31 @@ vmci_transport_send_control_pkt_bh(struct sockaddr_vm *src, + false); + } + ++static int ++vmci_transport_alloc_send_control_pkt(struct sockaddr_vm *src, ++ struct sockaddr_vm *dst, ++ enum vmci_transport_packet_type type, ++ u64 size, ++ u64 mode, ++ struct vmci_transport_waiting_info *wait, ++ u16 proto, ++ struct vmci_handle handle) ++{ ++ struct vmci_transport_packet *pkt; ++ int err; ++ ++ pkt = kmalloc(sizeof(*pkt), GFP_KERNEL); ++ if (!pkt) ++ return -ENOMEM; ++ ++ err = __vmci_transport_send_control_pkt(pkt, src, dst, type, size, ++ mode, wait, proto, handle, ++ true); ++ kfree(pkt); ++ ++ return err; ++} ++ + static int + vmci_transport_send_control_pkt(struct sock *sk, + enum vmci_transport_packet_type type, +@@ -281,9 +306,7 @@ vmci_transport_send_control_pkt(struct sock *sk, + u16 proto, + struct vmci_handle handle) + { +- struct vmci_transport_packet *pkt; + struct vsock_sock *vsk; +- int err; + + vsk = vsock_sk(sk); + +@@ -293,17 +316,10 @@ vmci_transport_send_control_pkt(struct sock *sk, + if (!vsock_addr_bound(&vsk->remote_addr)) + return -EINVAL; + +- pkt = kmalloc(sizeof(*pkt), GFP_KERNEL); +- if (!pkt) +- return -ENOMEM; +- +- err = __vmci_transport_send_control_pkt(pkt, &vsk->local_addr, +- &vsk->remote_addr, type, size, +- mode, wait, proto, handle, +- true); +- kfree(pkt); +- +- return err; ++ return vmci_transport_alloc_send_control_pkt(&vsk->local_addr, ++ &vsk->remote_addr, ++ type, size, mode, ++ wait, proto, handle); + } + + static int 
vmci_transport_send_reset_bh(struct sockaddr_vm *dst, +@@ -321,12 +337,29 @@ static int vmci_transport_send_reset_bh(struct sockaddr_vm *dst, + static int vmci_transport_send_reset(struct sock *sk, + struct vmci_transport_packet *pkt) + { ++ struct sockaddr_vm *dst_ptr; ++ struct sockaddr_vm dst; ++ struct vsock_sock *vsk; ++ + if (pkt->type == VMCI_TRANSPORT_PACKET_TYPE_RST) + return 0; +- return vmci_transport_send_control_pkt(sk, +- VMCI_TRANSPORT_PACKET_TYPE_RST, +- 0, 0, NULL, VSOCK_PROTO_INVALID, +- VMCI_INVALID_HANDLE); ++ ++ vsk = vsock_sk(sk); ++ ++ if (!vsock_addr_bound(&vsk->local_addr)) ++ return -EINVAL; ++ ++ if (vsock_addr_bound(&vsk->remote_addr)) { ++ dst_ptr = &vsk->remote_addr; ++ } else { ++ vsock_addr_init(&dst, pkt->dg.src.context, ++ pkt->src_port); ++ dst_ptr = &dst; ++ } ++ return vmci_transport_alloc_send_control_pkt(&vsk->local_addr, dst_ptr, ++ VMCI_TRANSPORT_PACKET_TYPE_RST, ++ 0, 0, NULL, VSOCK_PROTO_INVALID, ++ VMCI_INVALID_HANDLE); + } + + static int vmci_transport_send_negotiate(struct sock *sk, size_t size) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-027-xen-netfront-tolerate-frags-with-no-data.patch b/patches.kernel.org/4.4.170-027-xen-netfront-tolerate-frags-with-no-data.patch new file mode 100644 index 0000000000..e90747ca8f --- /dev/null +++ b/patches.kernel.org/4.4.170-027-xen-netfront-tolerate-frags-with-no-data.patch 
@@ -0,0 +1,41 @@ +From: Juergen Gross <jgross@suse.com> +Date: Tue, 18 Dec 2018 16:06:19 +0100 +Subject: [PATCH] xen/netfront: tolerate frags with no data +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: d81c5054a5d1d4999c7cdead7636b6cd4af83d36 + +[ Upstream commit d81c5054a5d1d4999c7cdead7636b6cd4af83d36 ] + +At least old Xen net backends seem to send frags with no real data +sometimes. In case such a fragment happens to occur with the frag limit +already reached the frontend will BUG currently even if this situation +is easily recoverable. + +Modify the BUG_ON() condition accordingly. + +Tested-by: Dietmar Hahn <dietmar.hahn@ts.fujitsu.com> +Signed-off-by: Juergen Gross <jgross@suse.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/xen-netfront.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index 0a4bd73caae5..6f55ab4f7959 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -889,7 +889,7 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue, + if (skb_shinfo(skb)->nr_frags == MAX_SKB_FRAGS) { + unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to; + +- BUG_ON(pull_to <= skb_headlen(skb)); ++ BUG_ON(pull_to < skb_headlen(skb)); + __pskb_pull_tail(skb, pull_to - skb_headlen(skb)); + } + if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) { +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-028-gro_cell-add-napi_disable-in-gro_cells_destro.patch b/patches.kernel.org/4.4.170-028-gro_cell-add-napi_disable-in-gro_cells_destro.patch new file mode 100644 index 0000000000..1d01b29b85 --- /dev/null +++ b/patches.kernel.org/4.4.170-028-gro_cell-add-napi_disable-in-gro_cells_destro.patch 
@@ -0,0 +1,83 @@ +From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> +Date: Wed, 19 Dec 2018 23:23:00 +0100 +Subject: [PATCH] gro_cell: add napi_disable in gro_cells_destroy +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 8e1da73acded4751a93d4166458a7e640f37d26c + +[ Upstream commit 8e1da73acded4751a93d4166458a7e640f37d26c ] + +Add napi_disable routine in gro_cells_destroy since starting from +commit c42858eaf492 ("gro_cells: remove spinlock protecting receive +queues") gro_cell_poll and gro_cells_destroy can run concurrently on +napi_skbs list producing a kernel Oops if the tunnel interface is +removed while gro_cell_poll is running. The following Oops has been +triggered removing a vxlan device while the interface is receiving +traffic + +[ 5628.948853] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 +[ 5628.949981] PGD 0 P4D 0 +[ 5628.950308] Oops: 0002 [#1] SMP PTI +[ 5628.950748] CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 4.20.0-rc6+ #41 +[ 5628.952940] RIP: 0010:gro_cell_poll+0x49/0x80 +[ 5628.955615] RSP: 0018:ffffc9000004fdd8 EFLAGS: 00010202 +[ 5628.956250] RAX: 0000000000000000 RBX: ffffe8ffffc08150 RCX: 0000000000000000 +[ 5628.957102] RDX: 0000000000000000 RSI: ffff88802356bf00 RDI: ffffe8ffffc08150 +[ 5628.957940] RBP: 0000000000000026 R08: 0000000000000000 R09: 0000000000000000 +[ 5628.958803] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000040 +[ 5628.959661] R13: ffffe8ffffc08100 R14: 0000000000000000 R15: 0000000000000040 +[ 5628.960682] FS: 0000000000000000(0000) GS:ffff88803ea00000(0000) knlGS:0000000000000000 +[ 5628.961616] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 5628.962359] CR2: 0000000000000008 CR3: 000000000221c000 CR4: 00000000000006b0 +[ 5628.963188] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 5628.964034] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 5628.964871] Call Trace: +[ 5628.965179] net_rx_action+0xf0/0x380 +[ 
5628.965637] __do_softirq+0xc7/0x431 +[ 5628.966510] run_ksoftirqd+0x24/0x30 +[ 5628.966957] smpboot_thread_fn+0xc5/0x160 +[ 5628.967436] kthread+0x113/0x130 +[ 5628.968283] ret_from_fork+0x3a/0x50 +[ 5628.968721] Modules linked in: +[ 5628.969099] CR2: 0000000000000008 +[ 5628.969510] ---[ end trace 9d9dedc7181661fe ]--- +[ 5628.970073] RIP: 0010:gro_cell_poll+0x49/0x80 +[ 5628.972965] RSP: 0018:ffffc9000004fdd8 EFLAGS: 00010202 +[ 5628.973611] RAX: 0000000000000000 RBX: ffffe8ffffc08150 RCX: 0000000000000000 +[ 5628.974504] RDX: 0000000000000000 RSI: ffff88802356bf00 RDI: ffffe8ffffc08150 +[ 5628.975462] RBP: 0000000000000026 R08: 0000000000000000 R09: 0000000000000000 +[ 5628.976413] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000040 +[ 5628.977375] R13: ffffe8ffffc08100 R14: 0000000000000000 R15: 0000000000000040 +[ 5628.978296] FS: 0000000000000000(0000) GS:ffff88803ea00000(0000) knlGS:0000000000000000 +[ 5628.979327] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 5628.980044] CR2: 0000000000000008 CR3: 000000000221c000 CR4: 00000000000006b0 +[ 5628.980929] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 5628.981736] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 5628.982409] Kernel panic - not syncing: Fatal exception in interrupt +[ 5628.983307] Kernel Offset: disabled + +Fixes: c42858eaf492 ("gro_cells: remove spinlock protecting receive queues") +Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> +Acked-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. 
Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + include/net/gro_cells.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/net/gro_cells.h b/include/net/gro_cells.h +index cf6c74550baa..86316f90ea1e 100644 +--- a/include/net/gro_cells.h ++++ b/include/net/gro_cells.h +@@ -84,6 +84,7 @@ static inline void gro_cells_destroy(struct gro_cells *gcells) + for_each_possible_cpu(i) { + struct gro_cell *cell = per_cpu_ptr(gcells->cells, i); + ++ napi_disable(&cell->napi); + netif_napi_del(&cell->napi); + __skb_queue_purge(&cell->napi_skbs); + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-029-sock-Make-sock-sk_stamp-thread-safe.patch b/patches.kernel.org/4.4.170-029-sock-Make-sock-sk_stamp-thread-safe.patch new file mode 100644 index 0000000000..1e4497d9ae --- /dev/null +++ b/patches.kernel.org/4.4.170-029-sock-Make-sock-sk_stamp-thread-safe.patch 
@@ -0,0 +1,192 @@ +From: Deepa Dinamani <deepa.kernel@gmail.com> +Date: Thu, 27 Dec 2018 18:55:09 -0800 +Subject: [PATCH] sock: Make sock->sk_stamp thread-safe +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 3a0ed3e9619738067214871e9cb826fa23b2ddb9 + +[ Upstream commit 3a0ed3e9619738067214871e9cb826fa23b2ddb9 ] + +Al Viro mentioned (Message-ID +<20170626041334.GZ10672@ZenIV.linux.org.uk>) +that there is probably a race condition +lurking in accesses of sk_stamp on 32-bit machines. + +sock->sk_stamp is of type ktime_t which is always an s64. +On a 32 bit architecture, we might run into situations of +unsafe access as the access to the field becomes non atomic. + +Use seqlocks for synchronization. +This allows us to avoid using spinlocks for readers as +readers do not need mutual exclusion. + +Another approach to solve this is to require sk_lock for all +modifications of the timestamps. The current approach allows +for timestamps to have their own lock: sk_stamp_lock. +This allows for the patch to not compete with already +existing critical sections, and side effects are limited +to the paths in the patch. + +The addition of the new field maintains the data locality +optimizations from +commit 9115e8cd2a0c ("net: reorganize struct sock for better data +locality") + +Note that all the instances of the sk_stamp accesses +are either through the ioctl or the syscall recvmsg. + +Signed-off-by: Deepa Dinamani <deepa.kernel@gmail.com> +Signed-off-by: David S. 
Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + include/net/sock.h | 36 ++++++++++++++++++++++++++++++++++-- + net/compat.c | 15 +++++++++------ + net/core/sock.c | 3 +++ + net/sunrpc/svcsock.c | 2 +- + 4 files changed, 47 insertions(+), 9 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 577075713ad5..7420299c31f5 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -299,6 +299,7 @@ struct cg_proto; + * @sk_filter: socket filtering instructions + * @sk_timer: sock cleanup timer + * @sk_stamp: time stamp of last packet received ++ * @sk_stamp_seq: lock for accessing sk_stamp on 32 bit architectures only + * @sk_tsflags: SO_TIMESTAMPING socket options + * @sk_tskey: counter to disambiguate concurrent tstamp requests + * @sk_socket: Identd and reporting IO signals +@@ -434,6 +435,9 @@ struct sock { + long sk_sndtimeo; + struct timer_list sk_timer; + ktime_t sk_stamp; ++#if BITS_PER_LONG==32 ++ seqlock_t sk_stamp_seq; ++#endif + u16 sk_tsflags; + u32 sk_tskey; + struct socket *sk_socket; +@@ -2146,6 +2150,34 @@ static inline void sk_drops_add(struct sock *sk, const struct sk_buff *skb) + atomic_add(segs, &sk->sk_drops); + } + ++static inline ktime_t sock_read_timestamp(struct sock *sk) ++{ ++#if BITS_PER_LONG==32 ++ unsigned int seq; ++ ktime_t kt; ++ ++ do { ++ seq = read_seqbegin(&sk->sk_stamp_seq); ++ kt = sk->sk_stamp; ++ } while (read_seqretry(&sk->sk_stamp_seq, seq)); ++ ++ return kt; ++#else ++ return sk->sk_stamp; ++#endif ++} ++ ++static inline void sock_write_timestamp(struct sock *sk, ktime_t kt) ++{ ++#if BITS_PER_LONG==32 ++ write_seqlock(&sk->sk_stamp_seq); ++ sk->sk_stamp = kt; ++ write_sequnlock(&sk->sk_stamp_seq); ++#else ++ sk->sk_stamp = kt; ++#endif ++} ++ + void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk, + struct sk_buff *skb); + void __sock_recv_wifi_status(struct msghdr *msg, struct sock *sk, +@@ 
-2170,7 +2202,7 @@ sock_recv_timestamp(struct msghdr *msg, struct sock *sk, struct sk_buff *skb) + (sk->sk_tsflags & SOF_TIMESTAMPING_RAW_HARDWARE))) + __sock_recv_timestamp(msg, sk, skb); + else +- sk->sk_stamp = kt; ++ sock_write_timestamp(sk, kt); + + if (sock_flag(sk, SOCK_WIFI_STATUS) && skb->wifi_acked_valid) + __sock_recv_wifi_status(msg, sk, skb); +@@ -2190,7 +2222,7 @@ static inline void sock_recv_ts_and_drops(struct msghdr *msg, struct sock *sk, + if (sk->sk_flags & FLAGS_TS_OR_DROPS || sk->sk_tsflags & TSFLAGS_ANY) + __sock_recv_ts_and_drops(msg, sk, skb); + else +- sk->sk_stamp = skb->tstamp; ++ sock_write_timestamp(sk, skb->tstamp); + } + + void __sock_tx_timestamp(const struct sock *sk, __u8 *tx_flags); +diff --git a/net/compat.c b/net/compat.c +index 17e97b106458..d67684010455 100644 +--- a/net/compat.c ++++ b/net/compat.c +@@ -443,12 +443,14 @@ int compat_sock_get_timestamp(struct sock *sk, struct timeval __user *userstamp) + err = -ENOENT; + if (!sock_flag(sk, SOCK_TIMESTAMP)) + sock_enable_timestamp(sk, SOCK_TIMESTAMP); +- tv = ktime_to_timeval(sk->sk_stamp); ++ tv = ktime_to_timeval(sock_read_timestamp(sk)); ++ + if (tv.tv_sec == -1) + return err; + if (tv.tv_sec == 0) { +- sk->sk_stamp = ktime_get_real(); +- tv = ktime_to_timeval(sk->sk_stamp); ++ ktime_t kt = ktime_get_real(); ++ sock_write_timestamp(sk, kt); ++ tv = ktime_to_timeval(kt); + } + err = 0; + if (put_user(tv.tv_sec, &ctv->tv_sec) || +@@ -471,12 +473,13 @@ int compat_sock_get_timestampns(struct sock *sk, struct timespec __user *usersta + err = -ENOENT; + if (!sock_flag(sk, SOCK_TIMESTAMP)) + sock_enable_timestamp(sk, SOCK_TIMESTAMP); +- ts = ktime_to_timespec(sk->sk_stamp); ++ ts = ktime_to_timespec(sock_read_timestamp(sk)); + if (ts.tv_sec == -1) + return err; + if (ts.tv_sec == 0) { +- sk->sk_stamp = ktime_get_real(); +- ts = ktime_to_timespec(sk->sk_stamp); ++ ktime_t kt = ktime_get_real(); ++ sock_write_timestamp(sk, kt); ++ ts = ktime_to_timespec(kt); + } + err = 0; + if 
(put_user(ts.tv_sec, &ctv->tv_sec) || +diff --git a/net/core/sock.c b/net/core/sock.c +index 4238835a0e4e..9fb1c073d0c4 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2423,6 +2423,9 @@ void sock_init_data(struct socket *sock, struct sock *sk) + sk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT; + + sk->sk_stamp = ktime_set(-1L, 0); ++#if BITS_PER_LONG==32 ++ seqlock_init(&sk->sk_stamp_seq); ++#endif + + #ifdef CONFIG_NET_RX_BUSY_POLL + sk->sk_napi_id = 0; +diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c +index 1413cdcc131c..9701fcca002c 100644 +--- a/net/sunrpc/svcsock.c ++++ b/net/sunrpc/svcsock.c +@@ -614,7 +614,7 @@ static int svc_udp_recvfrom(struct svc_rqst *rqstp) + /* Don't enable netstamp, sunrpc doesn't + need that much accuracy */ + } +- svsk->sk_sk->sk_stamp = skb->tstamp; ++ sock_write_timestamp(svsk->sk_sk, skb->tstamp); + set_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags); /* there may be more data... */ + + len = skb->len - sizeof(struct udphdr); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-030-ALSA-rme9652-Fix-potential-Spectre-v1-vulnera.patch b/patches.kernel.org/4.4.170-030-ALSA-rme9652-Fix-potential-Spectre-v1-vulnera.patch new file mode 100644 index 0000000000..a28abcca22 --- /dev/null +++ b/patches.kernel.org/4.4.170-030-ALSA-rme9652-Fix-potential-Spectre-v1-vulnera.patch 
@@ -0,0 +1,76 @@ +From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> +Date: Tue, 18 Dec 2018 11:18:34 -0600 +Subject: [PATCH] ALSA: rme9652: Fix potential Spectre v1 vulnerability +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 0b84304ef5da92add8dc75a1b07879c5374cdb05 + +commit 0b84304ef5da92add8dc75a1b07879c5374cdb05 upstream. + +info->channel is indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +sound/pci/rme9652/hdsp.c:4100 snd_hdsp_channel_info() warn: potential spectre issue 'hdsp->channel_map' [r] (local cap) + +Fix this by sanitizing info->channel before using it to index hdsp->channel_map + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +Also, notice that I refactored the code a bit in order to get rid of the +following checkpatch warning: + +ERROR: do not use assignment in if condition +FILE: sound/pci/rme9652/hdsp.c:4103: + if ((mapped_channel = hdsp->channel_map[info->channel]) < 0) + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. 
Silva <gustavo@embeddedor.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/pci/rme9652/hdsp.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c +index 7c8941b8b2de..dd6c9e6a1d53 100644 +--- a/sound/pci/rme9652/hdsp.c ++++ b/sound/pci/rme9652/hdsp.c +@@ -30,6 +30,7 @@ + #include <linux/math64.h> + #include <linux/vmalloc.h> + #include <linux/io.h> ++#include <linux/nospec.h> + + #include <sound/core.h> + #include <sound/control.h> +@@ -4065,15 +4066,16 @@ static int snd_hdsp_channel_info(struct snd_pcm_substream *substream, + struct snd_pcm_channel_info *info) + { + struct hdsp *hdsp = snd_pcm_substream_chip(substream); +- int mapped_channel; ++ unsigned int channel = info->channel; + +- if (snd_BUG_ON(info->channel >= hdsp->max_channels)) ++ if (snd_BUG_ON(channel >= hdsp->max_channels)) + return -EINVAL; ++ channel = array_index_nospec(channel, hdsp->max_channels); + +- if ((mapped_channel = hdsp->channel_map[info->channel]) < 0) ++ if (hdsp->channel_map[channel] < 0) + return -EINVAL; + +- info->offset = mapped_channel * HDSP_CHANNEL_BUFFER_BYTES; ++ info->offset = hdsp->channel_map[channel] * HDSP_CHANNEL_BUFFER_BYTES; + info->first = 0; + info->step = 32; + return 0; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-031-ALSA-emu10k1-Fix-potential-Spectre-v1-vulnera.patch b/patches.kernel.org/4.4.170-031-ALSA-emu10k1-Fix-potential-Spectre-v1-vulnera.patch new file mode 100644 index 0000000000..315998c849 --- /dev/null +++ b/patches.kernel.org/4.4.170-031-ALSA-emu10k1-Fix-potential-Spectre-v1-vulnera.patch 
@@ -0,0 +1,67 @@ +From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> +Date: Tue, 18 Dec 2018 11:52:16 -0600 +Subject: [PATCH] ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 5ae4f61f012a097df93de2285070ec8e34716d29 + +commit 5ae4f61f012a097df93de2285070ec8e34716d29 upstream. + +ipcm->substream is indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +sound/pci/emu10k1/emufx.c:1031 snd_emu10k1_ipcm_poke() warn: potential spectre issue 'emu->fx8010.pcm' [r] (local cap) +sound/pci/emu10k1/emufx.c:1075 snd_emu10k1_ipcm_peek() warn: potential spectre issue 'emu->fx8010.pcm' [r] (local cap) + +Fix this by sanitizing ipcm->substream before using it to index emu->fx8010.pcm + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. 
Silva <gustavo@embeddedor.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/pci/emu10k1/emufx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/sound/pci/emu10k1/emufx.c b/sound/pci/emu10k1/emufx.c +index 50b216fc369f..5d422d65e62b 100644 +--- a/sound/pci/emu10k1/emufx.c ++++ b/sound/pci/emu10k1/emufx.c +@@ -36,6 +36,7 @@ + #include <linux/init.h> + #include <linux/mutex.h> + #include <linux/moduleparam.h> ++#include <linux/nospec.h> + + #include <sound/core.h> + #include <sound/tlv.h> +@@ -1000,6 +1001,8 @@ static int snd_emu10k1_ipcm_poke(struct snd_emu10k1 *emu, + + if (ipcm->substream >= EMU10K1_FX8010_PCM_COUNT) + return -EINVAL; ++ ipcm->substream = array_index_nospec(ipcm->substream, ++ EMU10K1_FX8010_PCM_COUNT); + if (ipcm->channels > 32) + return -EINVAL; + pcm = &emu->fx8010.pcm[ipcm->substream]; +@@ -1046,6 +1049,8 @@ static int snd_emu10k1_ipcm_peek(struct snd_emu10k1 *emu, + + if (ipcm->substream >= EMU10K1_FX8010_PCM_COUNT) + return -EINVAL; ++ ipcm->substream = array_index_nospec(ipcm->substream, ++ EMU10K1_FX8010_PCM_COUNT); + pcm = &emu->fx8010.pcm[ipcm->substream]; + mutex_lock(&emu->fx8010.lock); + spin_lock_irq(&emu->reg_lock); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-032-ALSA-pcm-Fix-potential-Spectre-v1-vulnerabili.patch b/patches.kernel.org/4.4.170-032-ALSA-pcm-Fix-potential-Spectre-v1-vulnerabili.patch new file mode 100644 index 0000000000..7bfb372de5 --- /dev/null +++ b/patches.kernel.org/4.4.170-032-ALSA-pcm-Fix-potential-Spectre-v1-vulnerabili.patch 
@@ -0,0 +1,56 @@ +From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> +Date: Wed, 12 Dec 2018 15:36:28 -0600 +Subject: [PATCH] ALSA: pcm: Fix potential Spectre v1 vulnerability +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 94ffb030b6d31ec840bb811be455dd2e26a4f43e + +commit 94ffb030b6d31ec840bb811be455dd2e26a4f43e upstream. + +stream is indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +sound/core/pcm.c:140 snd_pcm_control_ioctl() warn: potential spectre issue 'pcm->streams' [r] (local cap) + +Fix this by sanitizing stream before using it to index pcm->streams + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> +Cc: stable@vger.kernel.org +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/core/pcm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/core/pcm.c b/sound/core/pcm.c +index 6bda8f6c5f84..cdff5f976480 100644 +--- a/sound/core/pcm.c ++++ b/sound/core/pcm.c +@@ -25,6 +25,7 @@ + #include <linux/time.h> + #include <linux/mutex.h> + #include <linux/device.h> ++#include <linux/nospec.h> + #include <sound/core.h> + #include <sound/minors.h> + #include <sound/pcm.h> +@@ -125,6 +126,7 @@ static int snd_pcm_control_ioctl(struct snd_card *card, + return -EFAULT; + if (stream < 0 || stream > 1) + return -EINVAL; ++ stream = array_index_nospec(stream, 2); + if (get_user(subdevice, &info->subdevice)) + return -EFAULT; + mutex_lock(®ister_mutex); +-- +2.20.1 + 
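Review bot: in net/sctp/ipv6.c, sctp_inet6addr_event() still fills addr->a.v6 one member at a time, so the fix holds only as long as every member is listed by hand. The call trace shows this address reaching user space through sctp_getsockopt_local_addrs, so I would rather zero the whole address before the assignments (a memset of addr->a, or a zeroing allocation where addr is allocated). That makes the explicit `sin6_port = 0` and `sin6_flowinfo = 0` lines redundant and keeps a future member or padding from reintroducing the leak.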
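Review bot: in drivers/vhost/vhost.c, the comment on the new smp_wmb() in vhost_add_used_n() says what is ordered but not which reader-side barrier it pairs with. The commit message names the reader (userspace syncing and copying the used ring after seeing the log), so please extend the comment to say that the barrier orders the used idx store against the following log_write() for that reader, and point at the matching read-side ordering. A lone write barrier with no documented partner is easy to drop or move in a later cleanup.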
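Review bot: in net/vmw_vsock/vmci_transport.c, the new else branch in vmci_transport_send_reset() builds the reset destination from `pkt->dg.src.context` and `pkt->src_port` with no comment, and both values come from the received packet. Please add a line explaining that this branch covers a socket that is bound but has no remote address yet, as the commit message describes, and confirm that these two fields have been validated before this function is reached. Note also that vmci_transport_alloc_send_control_pkt() does a GFP_KERNEL kmalloc per reset, so a socket in this state now allocates and sends for every incoming request where it previously returned -EINVAL without allocating.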
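Review bot: in drivers/net/xen-netfront.c, xennet_fill_frags() keeps a BUG_ON() on a condition that, per the commit message, depends on what the backend sends. Relaxing `<=` to `<` removes the crash for the empty-frag case, but `pull_to < skb_headlen(skb)` still takes the whole guest down instead of dropping one packet. The message itself calls the situation easily recoverable, so I would prefer a rate-limited warning and the existing error path here, and a short comment noting that with `pull_to == skb_headlen(skb)` the following __pskb_pull_tail() is called with a length of 0.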
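Review bot: in include/net/gro_cells.h, the added `napi_disable(&cell->napi);` in gro_cells_destroy() can sleep while it waits for a running poll to finish, and nothing in the hunk documents that new requirement. Please check that every caller of gro_cells_destroy() runs in process context and add a comment or a might_sleep() annotation at the top of the function. The ordering itself (disable, then netif_napi_del(), then __skb_queue_purge()) looks right for the race with gro_cell_poll described in the commit message.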
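Review bot: in include/net/sock.h, sock_write_timestamp() takes the seqlock with plain write_seqlock(), which is only safe if no writer can run in softirq context on a CPU that already holds it. The commit message says all sk_stamp accesses come from the ioctl or recvmsg paths, so please state that assumption in a comment above the helper so a later caller from the receive softirq path does not introduce a self-deadlock on 32-bit builds. Minor: the commit message calls the new field sk_stamp_lock while the code and kernel-doc use sk_stamp_seq, and `#if BITS_PER_LONG==32` would read better with spaces around the operator.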
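Review bot: in net/compat.c, compat_sock_get_timestamp() and compat_sock_get_timestampns() now read with sock_read_timestamp(), test `tv_sec == 0`, and then call sock_write_timestamp() as three separate steps, so the seqlock prevents a torn 64-bit value but not two concurrent callers both taking the `== 0` branch and storing different ktime_get_real() values. If that is acceptable, which it probably is for a lazily initialized timestamp, a one-line comment saying so would help. The added blank line after the first `ktime_to_timeval(sock_read_timestamp(sk));` is not mirrored in the timespec variant.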
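Review bot: in sound/pci/rme9652/hdsp.c, the refactor of snd_hdsp_channel_info() now loads `hdsp->channel_map[channel]` twice, once for the `< 0` test and once to compute info->offset, where the old code loaded it once into mapped_channel. If channel_map can be changed concurrently, the checked value and the used value can differ. Keeping the local and assigning it on its own line after array_index_nospec() (`mapped_channel = hdsp->channel_map[channel];`) satisfies checkpatch just as well and keeps the single read. The array_index_nospec() placement directly after the bounds check is correct.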
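Review bot: in sound/core/pcm.c, snd_pcm_control_ioctl() now expresses the same bound twice with different literals, `stream > 1` in the check and `2` in `array_index_nospec(stream, 2)`. Please use one named constant or an ARRAY_SIZE() of pcm->streams for both, so the range check and the speculation clamp cannot drift apart if the number of streams ever changes.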
diff --git a/patches.kernel.org/4.4.170-033-ALSA-emux-Fix-potential-Spectre-v1-vulnerabil.patch b/patches.kernel.org/4.4.170-033-ALSA-emux-Fix-potential-Spectre-v1-vulnerabil.patch new file mode 100644 index 0000000000..ec3bde23a3 --- /dev/null +++ b/patches.kernel.org/4.4.170-033-ALSA-emux-Fix-potential-Spectre-v1-vulnerabil.patch 
@@ -0,0 +1,74 @@ +From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> +Date: Wed, 12 Dec 2018 11:20:49 -0600 +Subject: [PATCH] ALSA: emux: Fix potential Spectre v1 vulnerabilities +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 4aea96f4237cea0c51a8bc87c0db31f0f932f1f0 + +commit 4aea96f4237cea0c51a8bc87c0db31f0f932f1f0 upstream. + +info.mode and info.port are indirectly controlled by user-space, +hence leading to a potential exploitation of the Spectre variant 1 +vulnerability. + +These issues were detected with the help of Smatch: + +sound/synth/emux/emux_hwdep.c:72 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs[i]->ctrls' [w] (local cap) +sound/synth/emux/emux_hwdep.c:75 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs' [w] (local cap) +sound/synth/emux/emux_hwdep.c:75 snd_emux_hwdep_misc_mode() warn: potential spectre issue 'emu->portptrs[info.port]->ctrls' [w] (local cap) + +Fix this by sanitizing both info.mode and info.port before using them +to index emu->portptrs[i]->ctrls, emu->portptrs[info.port]->ctrls and +emu->portptrs. + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Signed-off-by: Gustavo A. R. 
Silva <gustavo@embeddedor.com> +Cc: stable@vger.kernel.org +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/synth/emux/emux_hwdep.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/sound/synth/emux/emux_hwdep.c b/sound/synth/emux/emux_hwdep.c +index e557946718a9..d9fcae071b47 100644 +--- a/sound/synth/emux/emux_hwdep.c ++++ b/sound/synth/emux/emux_hwdep.c +@@ -22,9 +22,9 @@ + #include <sound/core.h> + #include <sound/hwdep.h> + #include <linux/uaccess.h> ++#include <linux/nospec.h> + #include "emux_voice.h" + +- + #define TMP_CLIENT_ID 0x1001 + + /* +@@ -66,13 +66,16 @@ snd_emux_hwdep_misc_mode(struct snd_emux *emu, void __user *arg) + return -EFAULT; + if (info.mode < 0 || info.mode >= EMUX_MD_END) + return -EINVAL; ++ info.mode = array_index_nospec(info.mode, EMUX_MD_END); + + if (info.port < 0) { + for (i = 0; i < emu->num_ports; i++) + emu->portptrs[i]->ctrls[info.mode] = info.value; + } else { +- if (info.port < emu->num_ports) ++ if (info.port < emu->num_ports) { ++ info.port = array_index_nospec(info.port, emu->num_ports); + emu->portptrs[info.port]->ctrls[info.mode] = info.value; ++ } + } + return 0; + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-034-ALSA-hda-add-mute-LED-support-for-HP-EliteBoo.patch b/patches.kernel.org/4.4.170-034-ALSA-hda-add-mute-LED-support-for-HP-EliteBoo.patch new file mode 100644 index 0000000000..ef3103a76b --- /dev/null +++ b/patches.kernel.org/4.4.170-034-ALSA-hda-add-mute-LED-support-for-HP-EliteBoo.patch 
@@ -0,0 +1,41 @@ +From: =?UTF-8?q?Mantas=20Mikul=C4=97nas?= <grawity@gmail.com> +Date: Sun, 16 Dec 2018 15:44:47 +0200 +Subject: [PATCH] ALSA: hda: add mute LED support for HP EliteBook 840 G4 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 40906ebe3af6a48457151b3c6726b480f6a6cb13 + +commit 40906ebe3af6a48457151b3c6726b480f6a6cb13 upstream. + +Tested with 4.19.9. + +v2: Changed from CXT_FIXUP_MUTE_LED_GPIO to CXT_FIXUP_HP_DOCK because + that's what the existing fixups for EliteBooks use. + +Signed-off-by: Mantas Mikulėnas <grawity@gmail.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c +index aea3cc2abe3a..536184ac315d 100644 +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -853,6 +853,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = { + SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK), ++ SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE), +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-035-ALSA-hda-tegra-clear-pending-irq-handlers.patch b/patches.kernel.org/4.4.170-035-ALSA-hda-tegra-clear-pending-irq-handlers.patch new file mode 100644 index 0000000000..e4093a3f7d --- /dev/null 
+++ b/patches.kernel.org/4.4.170-035-ALSA-hda-tegra-clear-pending-irq-handlers.patch @@ -0,0 +1,48 @@ +From: Sameer Pujar <spujar@nvidia.com> +Date: Wed, 26 Dec 2018 16:04:49 +0530 +Subject: [PATCH] ALSA: hda/tegra: clear pending irq handlers +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 63d2a9ec310d8bcc955574220d4631aa55c1a80c + +commit 63d2a9ec310d8bcc955574220d4631aa55c1a80c upstream. + +Even after disabling interrupts on the module, it could be possible +that irq handlers are still running. System hang is seen during +suspend path. It was found that, there were pending writes on the +HDA bus and clock was disabled by that time. + +Above mentioned issue is fixed by clearing any pending irq handlers +before disabling clocks and returning from hda suspend. + +Suggested-by: Mohan Kumar <mkumard@nvidia.com> +Suggested-by: Dara Ramesh <dramesh@nvidia.com> +Signed-off-by: Sameer Pujar <spujar@nvidia.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/pci/hda/hda_tegra.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/pci/hda/hda_tegra.c b/sound/pci/hda/hda_tegra.c +index 17fd81736d3d..039fbbb1e53c 100644 +--- a/sound/pci/hda/hda_tegra.c ++++ b/sound/pci/hda/hda_tegra.c +@@ -249,10 +249,12 @@ static int hda_tegra_suspend(struct device *dev) + struct snd_card *card = dev_get_drvdata(dev); + struct azx *chip = card->private_data; + struct hda_tegra *hda = container_of(chip, struct hda_tegra, chip); ++ struct hdac_bus *bus = azx_bus(chip); + + snd_power_change_state(card, SNDRV_CTL_POWER_D3hot); + + azx_stop_chip(chip); ++ synchronize_irq(bus->irq); + azx_enter_link_reset(chip); + hda_tegra_disable_clocks(hda); + +-- +2.20.1 + 
diff --git a/patches.kernel.org/4.4.170-036-USB-serial-pl2303-add-ids-for-Hewlett-Packard.patch b/patches.kernel.org/4.4.170-036-USB-serial-pl2303-add-ids-for-Hewlett-Packard.patch new file mode 100644 index 0000000000..03a460300b --- /dev/null +++ b/patches.kernel.org/4.4.170-036-USB-serial-pl2303-add-ids-for-Hewlett-Packard.patch 
@@ -0,0 +1,69 @@ +From: Scott Chen <scott@labau.com.tw> +Date: Thu, 13 Dec 2018 06:01:47 -0500 +Subject: [PATCH] USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole + displays +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 8d503f206c336677954160ac62f0c7d9c219cd89 + +commit 8d503f206c336677954160ac62f0c7d9c219cd89 upstream. + +Add device ids to pl2303 for the HP POS pole displays: +LM920: 03f0:026b +TD620: 03f0:0956 +LD960TA: 03f0:4439 +LD220TA: 03f0:4349 +LM940: 03f0:5039 + +Signed-off-by: Scott Chen <scott@labau.com.tw> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/serial/pl2303.c | 5 +++++ + drivers/usb/serial/pl2303.h | 5 +++++ + 2 files changed, 10 insertions(+) + +diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c +index 3da25ad267a2..4966768d3c98 100644 +--- a/drivers/usb/serial/pl2303.c ++++ b/drivers/usb/serial/pl2303.c +@@ -86,9 +86,14 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(YCCABLE_VENDOR_ID, YCCABLE_PRODUCT_ID) }, + { USB_DEVICE(SUPERIAL_VENDOR_ID, SUPERIAL_PRODUCT_ID) }, + { USB_DEVICE(HP_VENDOR_ID, HP_LD220_PRODUCT_ID) }, ++ { USB_DEVICE(HP_VENDOR_ID, HP_LD220TA_PRODUCT_ID) }, + { USB_DEVICE(HP_VENDOR_ID, HP_LD960_PRODUCT_ID) }, ++ { USB_DEVICE(HP_VENDOR_ID, HP_LD960TA_PRODUCT_ID) }, + { USB_DEVICE(HP_VENDOR_ID, HP_LCM220_PRODUCT_ID) }, + { USB_DEVICE(HP_VENDOR_ID, HP_LCM960_PRODUCT_ID) }, ++ { USB_DEVICE(HP_VENDOR_ID, HP_LM920_PRODUCT_ID) }, ++ { USB_DEVICE(HP_VENDOR_ID, HP_LM940_PRODUCT_ID) }, ++ { USB_DEVICE(HP_VENDOR_ID, HP_TD620_PRODUCT_ID) }, + { USB_DEVICE(CRESSI_VENDOR_ID, CRESSI_EDY_PRODUCT_ID) }, + { USB_DEVICE(ZEAGLE_VENDOR_ID, ZEAGLE_N2ITION3_PRODUCT_ID) }, + { USB_DEVICE(SONY_VENDOR_ID, SONY_QN3USB_PRODUCT_ID) }, +diff --git a/drivers/usb/serial/pl2303.h b/drivers/usb/serial/pl2303.h +index 
123289085ee2..a84f0959ab34 100644 +--- a/drivers/usb/serial/pl2303.h ++++ b/drivers/usb/serial/pl2303.h +@@ -123,10 +123,15 @@ + + /* Hewlett-Packard POS Pole Displays */ + #define HP_VENDOR_ID 0x03f0 ++#define HP_LM920_PRODUCT_ID 0x026b ++#define HP_TD620_PRODUCT_ID 0x0956 + #define HP_LD960_PRODUCT_ID 0x0b39 + #define HP_LCM220_PRODUCT_ID 0x3139 + #define HP_LCM960_PRODUCT_ID 0x3239 + #define HP_LD220_PRODUCT_ID 0x3524 ++#define HP_LD220TA_PRODUCT_ID 0x4349 ++#define HP_LD960TA_PRODUCT_ID 0x4439 ++#define HP_LM940_PRODUCT_ID 0x5039 + + /* Cressi Edy (diving computer) PC interface */ + #define CRESSI_VENDOR_ID 0x04b8 +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-037-USB-serial-option-add-Fibocom-NL678-series.patch b/patches.kernel.org/4.4.170-037-USB-serial-option-add-Fibocom-NL678-series.patch new file mode 100644 index 0000000000..9d07704c7e --- /dev/null +++ b/patches.kernel.org/4.4.170-037-USB-serial-option-add-Fibocom-NL678-series.patch 
@@ -0,0 +1,72 @@ +From: =?UTF-8?q?J=C3=B6rgen=20Storvist?= <jorgen.storvist@gmail.com> +Date: Fri, 21 Dec 2018 14:40:44 +0100 +Subject: [PATCH] USB: serial: option: add Fibocom NL678 series +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 4b2c01ad902ec02fa962b233decd2f14be3714ba + +commit 4b2c01ad902ec02fa962b233decd2f14be3714ba upstream. + +Added USB serial option driver support for Fibocom NL678 series cellular +module: VID 2cb7 and PIDs 0x0104 and 0x0105. +Reserved network and ADB interfaces. + +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=2cb7 ProdID=0104 Rev=03.10 +S: Manufacturer=Fibocom +S: Product=Fibocom NL678-E Modem +S: SerialNumber=12345678 +C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) + +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 3 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=2cb7 ProdID=0105 Rev=03.10 +S: Manufacturer=Fibocom +S: Product=Fibocom NL678-E Modem +S: SerialNumber=12345678 +C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) 
Sub=00 Prot=00 Driver=option +I: If#= 4 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether +I: If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether +I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) + +Signed-off-by: Jörgen Storvist <jorgen.storvist@gmail.com> +Cc: stable <stable@vger.kernel.org> +Acked-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/serial/option.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 1e3445dd84b2..7bc2c9fef605 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1956,6 +1956,10 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) }, + { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 */ + .driver_info = RSVD(4) | RSVD(5) | RSVD(6) }, ++ { USB_DEVICE(0x2cb7, 0x0104), /* Fibocom NL678 series */ ++ .driver_info = RSVD(4) | RSVD(5) }, ++ { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0105, 0xff), /* Fibocom NL678 series */ ++ .driver_info = RSVD(6) }, + { } /* Terminating entry */ + }; + MODULE_DEVICE_TABLE(usb, option_ids); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-038-usb-r8a66597-Fix-a-possible-concurrency-use-a.patch b/patches.kernel.org/4.4.170-038-usb-r8a66597-Fix-a-possible-concurrency-use-a.patch new file mode 100644 index 0000000000..9668882407 --- /dev/null +++ b/patches.kernel.org/4.4.170-038-usb-r8a66597-Fix-a-possible-concurrency-use-a.patch 
@@ -0,0 +1,73 @@ +From: Jia-Ju Bai <baijiaju1990@gmail.com> +Date: Tue, 18 Dec 2018 20:04:25 +0800 +Subject: [PATCH] usb: r8a66597: Fix a possible concurrency use-after-free bug + in r8a66597_endpoint_disable() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: c85400f886e3d41e69966470879f635a2b50084c + +commit c85400f886e3d41e69966470879f635a2b50084c upstream. + +The function r8a66597_endpoint_disable() and r8a66597_urb_enqueue() may +be concurrently executed. +The two functions both access a possible shared variable "hep->hcpriv". + +This shared variable is freed by r8a66597_endpoint_disable() via the +call path: +r8a66597_endpoint_disable + kfree(hep->hcpriv) (line 1995 in Linux-4.19) + +This variable is read by r8a66597_urb_enqueue() via the call path: +r8a66597_urb_enqueue + spin_lock_irqsave(&r8a66597->lock) + init_pipe_info + enable_r8a66597_pipe + pipe = hep->hcpriv (line 802 in Linux-4.19) + +The read operation is protected by a spinlock, but the free operation +is not protected by this spinlock, thus a concurrency use-after-free bug +may occur. + +To fix this bug, the spin-lock and spin-unlock function calls in +r8a66597_endpoint_disable() are moved to protect the free operation. 
+ +Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/host/r8a66597-hcd.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/r8a66597-hcd.c b/drivers/usb/host/r8a66597-hcd.c +index a11c2c8bda53..a217f71b45c6 100644 +--- a/drivers/usb/host/r8a66597-hcd.c ++++ b/drivers/usb/host/r8a66597-hcd.c +@@ -1990,6 +1990,8 @@ static int r8a66597_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, + + static void r8a66597_endpoint_disable(struct usb_hcd *hcd, + struct usb_host_endpoint *hep) ++__acquires(r8a66597->lock) ++__releases(r8a66597->lock) + { + struct r8a66597 *r8a66597 = hcd_to_r8a66597(hcd); + struct r8a66597_pipe *pipe = (struct r8a66597_pipe *)hep->hcpriv; +@@ -2002,13 +2004,14 @@ static void r8a66597_endpoint_disable(struct usb_hcd *hcd, + return; + pipenum = pipe->info.pipenum; + ++ spin_lock_irqsave(&r8a66597->lock, flags); + if (pipenum == 0) { + kfree(hep->hcpriv); + hep->hcpriv = NULL; ++ spin_unlock_irqrestore(&r8a66597->lock, flags); + return; + } + +- spin_lock_irqsave(&r8a66597->lock, flags); + pipe_stop(r8a66597, pipe); + pipe_irq_disable(r8a66597, pipenum); + disable_irq_empty(r8a66597, pipenum); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-039-Input-elan_i2c-add-ACPI-ID-for-touchpad-in-AS.patch b/patches.kernel.org/4.4.170-039-Input-elan_i2c-add-ACPI-ID-for-touchpad-in-AS.patch new file mode 100644 index 0000000000..f43389f72a --- /dev/null +++ b/patches.kernel.org/4.4.170-039-Input-elan_i2c-add-ACPI-ID-for-touchpad-in-AS.patch 
@@ -0,0 +1,37 @@ +From: Patrick Dreyer <Patrick@Dreyer.name> +Date: Sun, 23 Dec 2018 10:06:35 -0800 +Subject: [PATCH] Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire + F5-573G +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 7db54c89f0b30a101584e09d3729144e6170059d + +commit 7db54c89f0b30a101584e09d3729144e6170059d upstream. + +This adds ELAN0501 to the ACPI table to support Elan touchpad found in ASUS +Aspire F5-573G. + +Signed-off-by: Patrick Dreyer <Patrick.Dreyer@gmail.com> +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/input/mouse/elan_i2c_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c +index 471984ec2db0..30adc5745cba 100644 +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -1240,6 +1240,7 @@ MODULE_DEVICE_TABLE(i2c, elan_id); + static const struct acpi_device_id elan_acpi_id[] = { + { "ELAN0000", 0 }, + { "ELAN0100", 0 }, ++ { "ELAN0501", 0 }, + { "ELAN0600", 0 }, + { "ELAN0602", 0 }, + { "ELAN0605", 0 }, +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-040-KVM-x86-Use-jmp-to-invoke-kvm_spurious_fault-.patch b/patches.kernel.org/4.4.170-040-KVM-x86-Use-jmp-to-invoke-kvm_spurious_fault-.patch new file mode 100644 index 0000000000..e2f6310bd3 --- /dev/null +++ b/patches.kernel.org/4.4.170-040-KVM-x86-Use-jmp-to-invoke-kvm_spurious_fault-.patch 
@@ -0,0 +1,141 @@ +From: Sean Christopherson <sean.j.christopherson@intel.com> +Date: Thu, 20 Dec 2018 14:21:08 -0800 +Subject: [PATCH] KVM: x86: Use jmp to invoke kvm_spurious_fault() from .fixup +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: e81434995081fd7efb755fd75576b35dbb0850b1 + +commit e81434995081fd7efb755fd75576b35dbb0850b1 upstream. + +____kvm_handle_fault_on_reboot() provides a generic exception fixup +handler that is used to cleanly handle faults on VMX/SVM instructions +during reboot (or at least try to). If there isn't a reboot in +progress, ____kvm_handle_fault_on_reboot() treats any exception as +fatal to KVM and invokes kvm_spurious_fault(), which in turn generates +a BUG() to get a stack trace and die. + +When it was originally added by commit 4ecac3fd6dc2 ("KVM: Handle +virtualization instruction #UD faults during reboot"), the "call" to +kvm_spurious_fault() was handcoded as PUSH+JMP, where the PUSH'd value +is the RIP of the faulting instructing. + +The PUSH+JMP trickery is necessary because the exception fixup handler +code lies outside of its associated function, e.g. right after the +function. An actual CALL from the .fixup code would show a slightly +bogus stack trace, e.g. an extra "random" function would be inserted +into the trace, as the return RIP on the stack would point to no known +function (and the unwinder will likely try to guess who owns the RIP). + +Unfortunately, the JMP was replaced with a CALL when the macro was +reworked to not spin indefinitely during reboot (commit b7c4145ba2eb +"KVM: Don't spin on virt instruction faults during reboot"). This +causes the aforementioned behavior where a bogus function is inserted +into the stack trace, e.g. my builds like to blame free_kvm_area(). + +Revert the CALL back to a JMP. The changelog for commit b7c4145ba2eb +("KVM: Don't spin on virt instruction faults during reboot") contains +nothing that indicates the switch to CALL was deliberate. 
This is +backed up by the fact that the PUSH <insn RIP> was left intact. + +Note that an alternative to the PUSH+JMP magic would be to JMP back +to the "real" code and CALL from there, but that would require adding +a JMP in the non-faulting path to avoid calling kvm_spurious_fault() +and would add no value, i.e. the stack trace would be the same. + +Using CALL: + +------------[ cut here ]------------ +kernel BUG at /home/sean/go/src/kernel.org/linux/arch/x86/kvm/x86.c:356! +invalid opcode: 0000 [#1] SMP +CPU: 4 PID: 1057 Comm: qemu-system-x86 Not tainted 4.20.0-rc6+ #75 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 +RIP: 0010:kvm_spurious_fault+0x5/0x10 [kvm] +Code: <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 55 49 89 fd 41 +RSP: 0018:ffffc900004bbcc8 EFLAGS: 00010046 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffffffffff +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: ffff888273fd8000 R08: 00000000000003e8 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000784 R12: ffffc90000371fb0 +R13: 0000000000000000 R14: 000000026d763cf4 R15: ffff888273fd8000 +FS: 00007f3d69691700(0000) GS:ffff888277800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000055f89bc56fe0 CR3: 0000000271a5a001 CR4: 0000000000362ee0 +Call Trace: + free_kvm_area+0x1044/0x43ea [kvm_intel] + ? vmx_vcpu_run+0x156/0x630 [kvm_intel] + ? kvm_arch_vcpu_ioctl_run+0x447/0x1a40 [kvm] + ? kvm_vcpu_ioctl+0x368/0x5c0 [kvm] + ? kvm_vcpu_ioctl+0x368/0x5c0 [kvm] + ? __set_task_blocked+0x38/0x90 + ? __set_current_blocked+0x50/0x60 + ? __fpu__restore_sig+0x97/0x490 + ? do_vfs_ioctl+0xa1/0x620 + ? __x64_sys_futex+0x89/0x180 + ? ksys_ioctl+0x66/0x70 + ? __x64_sys_ioctl+0x16/0x20 + ? do_syscall_64+0x4f/0x100 + ? 
entry_SYSCALL_64_after_hwframe+0x44/0xa9 +Modules linked in: vhost_net vhost tap kvm_intel kvm irqbypass bridge stp llc +---[ end trace 9775b14b123b1713 ]--- + +Using JMP: + +------------[ cut here ]------------ +kernel BUG at /home/sean/go/src/kernel.org/linux/arch/x86/kvm/x86.c:356! +invalid opcode: 0000 [#1] SMP +CPU: 6 PID: 1067 Comm: qemu-system-x86 Not tainted 4.20.0-rc6+ #75 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 +RIP: 0010:kvm_spurious_fault+0x5/0x10 [kvm] +Code: <0f> 0b 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 55 49 89 fd 41 +RSP: 0018:ffffc90000497cd0 EFLAGS: 00010046 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffffffffff +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: ffff88827058bd40 R08: 00000000000003e8 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000784 R12: ffffc90000369fb0 +R13: 0000000000000000 R14: 00000003c8fc6642 R15: ffff88827058bd40 +FS: 00007f3d7219e700(0000) GS:ffff888277900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f3d64001000 CR3: 0000000271c6b004 CR4: 0000000000362ee0 +Call Trace: + vmx_vcpu_run+0x156/0x630 [kvm_intel] + ? kvm_arch_vcpu_ioctl_run+0x447/0x1a40 [kvm] + ? kvm_vcpu_ioctl+0x368/0x5c0 [kvm] + ? kvm_vcpu_ioctl+0x368/0x5c0 [kvm] + ? __set_task_blocked+0x38/0x90 + ? __set_current_blocked+0x50/0x60 + ? __fpu__restore_sig+0x97/0x490 + ? do_vfs_ioctl+0xa1/0x620 + ? __x64_sys_futex+0x89/0x180 + ? ksys_ioctl+0x66/0x70 + ? __x64_sys_ioctl+0x16/0x20 + ? do_syscall_64+0x4f/0x100 + ? 
entry_SYSCALL_64_after_hwframe+0x44/0xa9 +Modules linked in: vhost_net vhost tap kvm_intel kvm irqbypass bridge stp llc +---[ end trace f9daedb85ab3ddba ]--- + +Fixes: b7c4145ba2eb ("KVM: Don't spin on virt instruction faults during reboot") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/x86/include/asm/kvm_host.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h +index c048d0d70cc4..2cb49ac1b2b2 100644 +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1200,7 +1200,7 @@ asmlinkage void kvm_spurious_fault(void); + "cmpb $0, kvm_rebooting \n\t" \ + "jne 668b \n\t" \ + __ASM_SIZE(push) " $666b \n\t" \ +- "call kvm_spurious_fault \n\t" \ ++ "jmp kvm_spurious_fault \n\t" \ + ".popsection \n\t" \ + _ASM_EXTABLE(666b, 667b) + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-041-perf-pmu-Suppress-potential-format-truncation.patch b/patches.kernel.org/4.4.170-041-perf-pmu-Suppress-potential-format-truncation.patch new file mode 100644 index 0000000000..a885ff8200 --- /dev/null +++ b/patches.kernel.org/4.4.170-041-perf-pmu-Suppress-potential-format-truncation.patch 
@@ -0,0 +1,81 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Sun, 11 Nov 2018 18:45:24 +0000 +Subject: [PATCH] perf pmu: Suppress potential format-truncation warning +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 11a64a05dc649815670b1be9fe63d205cb076401 + +commit 11a64a05dc649815670b1be9fe63d205cb076401 upstream. + +Depending on which functions are inlined in util/pmu.c, the snprintf() +calls in perf_pmu__parse_{scale,unit,per_pkg,snapshot}() might trigger a +warning: + + util/pmu.c: In function 'pmu_aliases': + util/pmu.c:178:31: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size between 0 and 4095 [-Werror=format-truncation=] + snprintf(path, PATH_MAX, "%s/%s.unit", dir, name); + ^~ + +I found this when trying to build perf from Linux 3.16 with gcc 8. +However I can reproduce the problem in mainline if I force +__perf_pmu__new_alias() to be inlined. + +Suppress this by using scnprintf() as has been done elsewhere in perf. + +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> +Cc: Jiri Olsa <jolsa@redhat.com> +Cc: Namhyung Kim <namhyung@kernel.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: stable@vger.kernel.org +Link: http://lkml.kernel.org/r/20181111184524.fux4taownc6ndbx6@decadent.org.uk +Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + tools/perf/util/pmu.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c +index 593066c68e3d..4f650ebd564a 100644 +--- a/tools/perf/util/pmu.c ++++ b/tools/perf/util/pmu.c +@@ -100,7 +100,7 @@ static int perf_pmu__parse_scale(struct perf_pmu_alias *alias, char *dir, char * + char path[PATH_MAX]; + const char *lc; + +- snprintf(path, PATH_MAX, "%s/%s.scale", dir, name); ++ scnprintf(path, PATH_MAX, 
"%s/%s.scale", dir, name); + + fd = open(path, O_RDONLY); + if (fd == -1) +@@ -147,7 +147,7 @@ static int perf_pmu__parse_unit(struct perf_pmu_alias *alias, char *dir, char *n + ssize_t sret; + int fd; + +- snprintf(path, PATH_MAX, "%s/%s.unit", dir, name); ++ scnprintf(path, PATH_MAX, "%s/%s.unit", dir, name); + + fd = open(path, O_RDONLY); + if (fd == -1) +@@ -177,7 +177,7 @@ perf_pmu__parse_per_pkg(struct perf_pmu_alias *alias, char *dir, char *name) + char path[PATH_MAX]; + int fd; + +- snprintf(path, PATH_MAX, "%s/%s.per-pkg", dir, name); ++ scnprintf(path, PATH_MAX, "%s/%s.per-pkg", dir, name); + + fd = open(path, O_RDONLY); + if (fd == -1) +@@ -195,7 +195,7 @@ static int perf_pmu__parse_snapshot(struct perf_pmu_alias *alias, + char path[PATH_MAX]; + int fd; + +- snprintf(path, PATH_MAX, "%s/%s.snapshot", dir, name); ++ scnprintf(path, PATH_MAX, "%s/%s.snapshot", dir, name); + + fd = open(path, O_RDONLY); + if (fd == -1) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-042-ext4-fix-possible-use-after-free-in-ext4_quot.patch b/patches.kernel.org/4.4.170-042-ext4-fix-possible-use-after-free-in-ext4_quot.patch new file mode 100644 index 0000000000..839ca4c7ed --- /dev/null +++ b/patches.kernel.org/4.4.170-042-ext4-fix-possible-use-after-free-in-ext4_quot.patch 
@@ -0,0 +1,42 @@ +From: Pan Bian <bianpan2016@163.com> +Date: Mon, 3 Dec 2018 23:28:02 -0500 +Subject: [PATCH] ext4: fix possible use after free in ext4_quota_enable +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 61157b24e60fb3cd1f85f2c76a7b1d628f970144 + +commit 61157b24e60fb3cd1f85f2c76a7b1d628f970144 upstream. + +The function frees qf_inode via iput but then pass qf_inode to +lockdep_set_quota_inode on the failure path. This may result in a +use-after-free bug. The patch frees df_inode only when it is never used. + +Fixes: daf647d2dd5 ("ext4: add lockdep annotations for i_data_sem") +Cc: stable@kernel.org # 4.6 +Reviewed-by: Jan Kara <jack@suse.cz> +Signed-off-by: Pan Bian <bianpan2016@163.com> +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/ext4/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index cd9cd581fd92..62a6b75969cf 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5184,9 +5184,9 @@ static int ext4_quota_enable(struct super_block *sb, int type, int format_id, + qf_inode->i_flags |= S_NOQUOTA; + lockdep_set_quota_inode(qf_inode, I_DATA_SEM_QUOTA); + err = dquot_enable(qf_inode, type, format_id, flags); +- iput(qf_inode); + if (err) + lockdep_set_quota_inode(qf_inode, I_DATA_SEM_NORMAL); ++ iput(qf_inode); + + return err; + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-043-ext4-missing-unlock-put_page-in-ext4_try_to_w.patch b/patches.kernel.org/4.4.170-043-ext4-missing-unlock-put_page-in-ext4_try_to_w.patch new file mode 100644 index 0000000000..8b00b9a607 --- /dev/null +++ b/patches.kernel.org/4.4.170-043-ext4-missing-unlock-put_page-in-ext4_try_to_w.patch 
@@ -0,0 +1,43 @@ +From: Maurizio Lombardi <mlombard@redhat.com> +Date: Tue, 4 Dec 2018 00:06:53 -0500 +Subject: [PATCH] ext4: missing unlock/put_page() in + ext4_try_to_write_inline_data() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 132d00becb31e88469334e1e62751c81345280e0 + +commit 132d00becb31e88469334e1e62751c81345280e0 upstream. + +In case of error, ext4_try_to_write_inline_data() should unlock +and release the page it holds. + +Fixes: f19d5870cbf7 ("ext4: add normal write support for inline data") +Cc: stable@kernel.org # 3.8 +Signed-off-by: Maurizio Lombardi <mlombard@redhat.com> +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/ext4/inline.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index 1aec46733ef8..46d4fac48cf4 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -701,8 +701,11 @@ int ext4_try_to_write_inline_data(struct address_space *mapping, + + if (!PageUptodate(page)) { + ret = ext4_read_inline_page(inode, page); +- if (ret < 0) ++ if (ret < 0) { ++ unlock_page(page); ++ put_page(page); + goto out_up_read; ++ } + } + + ret = 1; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-044-ext4-fix-EXT4_IOC_GROUP_ADD-ioctl.patch b/patches.kernel.org/4.4.170-044-ext4-fix-EXT4_IOC_GROUP_ADD-ioctl.patch new file mode 100644 index 0000000000..6983fbfaa1 --- /dev/null +++ b/patches.kernel.org/4.4.170-044-ext4-fix-EXT4_IOC_GROUP_ADD-ioctl.patch 
@@ -0,0 +1,45 @@ +From: =?UTF-8?q?ruippan=20=28=E6=BD=98=E7=9D=BF=29?= <ruippan@tencent.com> +Date: Tue, 4 Dec 2018 01:04:12 -0500 +Subject: [PATCH] ext4: fix EXT4_IOC_GROUP_ADD ioctl +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: e647e29196b7f802f8242c39ecb7cc937f5ef217 + +commit e647e29196b7f802f8242c39ecb7cc937f5ef217 upstream. + +Commit e2b911c53584 ("ext4: clean up feature test macros with +predicate functions") broke the EXT4_IOC_GROUP_ADD ioctl. This was +not noticed since only very old versions of resize2fs (before +e2fsprogs 1.42) use this ioctl. However, using a new kernel with an +enterprise Linux userspace will cause attempts to use online resize to +fail with "No reserved GDT blocks". + +Fixes: e2b911c53584 ("ext4: clean up feature test macros with predicate...") +Cc: stable@kernel.org # v4.4 +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Signed-off-by: ruippan (潘睿) <ruippan@tencent.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/ext4/resize.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index bad13f049fb0..2fc1564f62dd 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -1600,7 +1600,7 @@ int ext4_group_add(struct super_block *sb, struct ext4_new_group_data *input) + } + + if (reserved_gdb || gdb_off == 0) { +- if (ext4_has_feature_resize_inode(sb) || ++ if (!ext4_has_feature_resize_inode(sb) || + !le16_to_cpu(es->s_reserved_gdt_blocks)) { + ext4_warning(sb, + "No reserved GDT blocks, can't resize"); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-045-ext4-force-inode-writes-when-nfsd-calls-commi.patch b/patches.kernel.org/4.4.170-045-ext4-force-inode-writes-when-nfsd-calls-commi.patch new file mode 100644 index 0000000000..a0adffcf72 --- /dev/null 
+++ b/patches.kernel.org/4.4.170-045-ext4-force-inode-writes-when-nfsd-calls-commi.patch 
@@ -0,0 +1,93 @@ +From: Theodore Ts'o <tytso@mit.edu> +Date: Wed, 19 Dec 2018 14:07:58 -0500 +Subject: [PATCH] ext4: force inode writes when nfsd calls commit_metadata() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: fde872682e175743e0c3ef939c89e3c6008a1529 + +commit fde872682e175743e0c3ef939c89e3c6008a1529 upstream. + +Some time back, nfsd switched from calling vfs_fsync() to using a new +commit_metadata() hook in export_operations(). If the file system did +not provide a commit_metadata() hook, it fell back to using +sync_inode_metadata(). Unfortunately doesn't work on all file +systems. In particular, it doesn't work on ext4 due to how the inode +gets journalled --- the VFS writeback code will not always call +ext4_write_inode(). + +So we need to provide our own ext4_nfs_commit_metdata() method which +calls ext4_write_inode() directly. + +Google-Bug-Id: 121195940 +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/ext4/super.c | 11 +++++++++++ + include/trace/events/ext4.h | 20 ++++++++++++++++++++ + 2 files changed, 31 insertions(+) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 62a6b75969cf..6a7df72cb3da 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1049,6 +1049,16 @@ static struct dentry *ext4_fh_to_parent(struct super_block *sb, struct fid *fid, + ext4_nfs_get_inode); + } + ++static int ext4_nfs_commit_metadata(struct inode *inode) ++{ ++ struct writeback_control wbc = { ++ .sync_mode = WB_SYNC_ALL ++ }; ++ ++ trace_ext4_nfs_commit_metadata(inode); ++ return ext4_write_inode(inode, &wbc); ++} ++ + /* + * Try to release metadata pages (indirect blocks, directories) which are + * mapped via the block device. 
Since these pages could have journal heads +@@ -1143,6 +1153,7 @@ static const struct export_operations ext4_export_ops = { + .fh_to_dentry = ext4_fh_to_dentry, + .fh_to_parent = ext4_fh_to_parent, + .get_parent = ext4_get_parent, ++ .commit_metadata = ext4_nfs_commit_metadata, + }; + + enum { +diff --git a/include/trace/events/ext4.h b/include/trace/events/ext4.h +index 594b4b29a224..7ef11b97cb2a 100644 +--- a/include/trace/events/ext4.h ++++ b/include/trace/events/ext4.h +@@ -223,6 +223,26 @@ TRACE_EVENT(ext4_drop_inode, + (unsigned long) __entry->ino, __entry->drop) + ); + ++TRACE_EVENT(ext4_nfs_commit_metadata, ++ TP_PROTO(struct inode *inode), ++ ++ TP_ARGS(inode), ++ ++ TP_STRUCT__entry( ++ __field( dev_t, dev ) ++ __field( ino_t, ino ) ++ ), ++ ++ TP_fast_assign( ++ __entry->dev = inode->i_sb->s_dev; ++ __entry->ino = inode->i_ino; ++ ), ++ ++ TP_printk("dev %d,%d ino %lu", ++ MAJOR(__entry->dev), MINOR(__entry->dev), ++ (unsigned long) __entry->ino) ++); ++ + TRACE_EVENT(ext4_mark_inode_dirty, + TP_PROTO(struct inode *inode, unsigned long IP), + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-046-spi-bcm2835-Fix-race-on-DMA-termination.patch b/patches.kernel.org/4.4.170-046-spi-bcm2835-Fix-race-on-DMA-termination.patch new file mode 100644 index 0000000000..438d96da60 --- /dev/null +++ b/patches.kernel.org/4.4.170-046-spi-bcm2835-Fix-race-on-DMA-termination.patch 
@@ -0,0 +1,67 @@ +From: Lukas Wunner <lukas@wunner.de> +Date: Thu, 8 Nov 2018 08:06:10 +0100 +Subject: [PATCH] spi: bcm2835: Fix race on DMA termination +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: e82b0b3828451c1cd331d9f304c6078fcd43b62e + +commit e82b0b3828451c1cd331d9f304c6078fcd43b62e upstream. + +If a DMA transfer finishes orderly right when spi_transfer_one_message() +determines that it has timed out, the callbacks bcm2835_spi_dma_done() +and bcm2835_spi_handle_err() race to call dmaengine_terminate_all(), +potentially leading to double termination. + +Prevent by atomically changing the dma_pending flag before calling +dmaengine_terminate_all(). + +Signed-off-by: Lukas Wunner <lukas@wunner.de> +Fixes: 3ecd37edaa2a ("spi: bcm2835: enable dma modes for transfers meeting certain conditions") +Cc: stable@vger.kernel.org # v4.2+ +Cc: Mathias Duckeck <m.duckeck@kunbus.de> +Cc: Frank Pavlic <f.pavlic@kunbus.de> +Cc: Martin Sperl <kernel@martin.sperl.org> +Cc: Noralf Trønnes <noralf@tronnes.org> +Signed-off-by: Mark Brown <broonie@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/spi/spi-bcm2835.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c +index cf04960cc3e6..62875d855627 100644 +--- a/drivers/spi/spi-bcm2835.c ++++ b/drivers/spi/spi-bcm2835.c +@@ -233,10 +233,9 @@ static void bcm2835_spi_dma_done(void *data) + * is called the tx-dma must have finished - can't get to this + * situation otherwise... 
+ */ +- dmaengine_terminate_all(master->dma_tx); +- +- /* mark as no longer pending */ +- bs->dma_pending = 0; ++ if (cmpxchg(&bs->dma_pending, true, false)) { ++ dmaengine_terminate_all(master->dma_tx); ++ } + + /* and mark as completed */; + complete(&master->xfer_completion); +@@ -617,10 +616,9 @@ static void bcm2835_spi_handle_err(struct spi_master *master, + struct bcm2835_spi *bs = spi_master_get_devdata(master); + + /* if an error occurred and we have an active dma, then terminate */ +- if (bs->dma_pending) { ++ if (cmpxchg(&bs->dma_pending, true, false)) { + dmaengine_terminate_all(master->dma_tx); + dmaengine_terminate_all(master->dma_rx); +- bs->dma_pending = 0; + } + /* and reset */ + bcm2835_spi_reset_hw(master); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-047-spi-bcm2835-Fix-book-keeping-of-DMA-terminati.patch b/patches.kernel.org/4.4.170-047-spi-bcm2835-Fix-book-keeping-of-DMA-terminati.patch new file mode 100644 index 0000000000..27062809cc --- /dev/null +++ b/patches.kernel.org/4.4.170-047-spi-bcm2835-Fix-book-keeping-of-DMA-terminati.patch 
@@ -0,0 +1,50 @@ +From: Lukas Wunner <lukas@wunner.de> +Date: Thu, 8 Nov 2018 08:06:10 +0100 +Subject: [PATCH] spi: bcm2835: Fix book-keeping of DMA termination +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: dbc944115eed48af110646992893dc43321368d8 + +commit dbc944115eed48af110646992893dc43321368d8 upstream. + +If submission of a DMA TX transfer succeeds but submission of the +corresponding RX transfer does not, the BCM2835 SPI driver terminates +the TX transfer but neglects to reset the dma_pending flag to false. + +Thus, if the next transfer uses interrupt mode (because it is shorter +than BCM2835_SPI_DMA_MIN_LENGTH) and runs into a timeout, +dmaengine_terminate_all() will be called both for TX (once more) and +for RX (which was never started in the first place). Fix it. + +Signed-off-by: Lukas Wunner <lukas@wunner.de> +Fixes: 3ecd37edaa2a ("spi: bcm2835: enable dma modes for transfers meeting certain conditions") +Cc: stable@vger.kernel.org # v4.2+ +Cc: Mathias Duckeck <m.duckeck@kunbus.de> +Cc: Frank Pavlic <f.pavlic@kunbus.de> +Cc: Martin Sperl <kernel@martin.sperl.org> +Cc: Noralf Trønnes <noralf@tronnes.org> +Signed-off-by: Mark Brown <broonie@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/spi/spi-bcm2835.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c +index 62875d855627..bb0ea7b578d1 100644 +--- a/drivers/spi/spi-bcm2835.c ++++ b/drivers/spi/spi-bcm2835.c +@@ -341,6 +341,7 @@ static int bcm2835_spi_transfer_one_dma(struct spi_master *master, + if (ret) { + /* need to reset on errors */ + dmaengine_terminate_all(master->dma_tx); ++ bs->dma_pending = false; + bcm2835_spi_reset_hw(master); + return ret; + } +-- +2.20.1 + 
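Review bot: In the bcm2835_spi_dma_done() hunk of 4.4.170-046 (drivers/spi/spi-bcm2835.c), cmpxchg() is applied to bs->dma_pending with true/false operands while the field is still declared bool. Patch 4.4.170-055 in this same series reports that this breaks the build on arches whose cmpxchg() requires 32-bit operands and changes the field to unsigned int. Consider folding that type change into this patch, or ordering it first, so the series builds at every step. The braces around the single dmaengine_terminate_all(master->dma_tx) statement are also unnecessary under kernel coding style.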
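Review bot: In the bcm2835_spi_transfer_one_dma() error path of 4.4.170-047, bs->dma_pending = false is a plain store placed after dmaengine_terminate_all(master->dma_tx), whereas 4.4.170-046 flips the flag atomically with cmpxchg() before terminating. If no callback can run concurrently at this point, a short comment saying so would justify the plain store. Otherwise clear the flag first, in the same cmpxchg() style as the other two call sites.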
diff --git a/patches.kernel.org/4.4.170-048-spi-bcm2835-Avoid-finishing-transfer-prematur.patch b/patches.kernel.org/4.4.170-048-spi-bcm2835-Avoid-finishing-transfer-prematur.patch new file mode 100644 index 0000000000..39b6953854 --- /dev/null +++ b/patches.kernel.org/4.4.170-048-spi-bcm2835-Avoid-finishing-transfer-prematur.patch 
@@ -0,0 +1,66 @@ +From: Lukas Wunner <lukas@wunner.de> +Date: Thu, 8 Nov 2018 08:06:10 +0100 +Subject: [PATCH] spi: bcm2835: Avoid finishing transfer prematurely in IRQ + mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 56c1723426d3cfd4723bfbfce531d7b38bae6266 + +commit 56c1723426d3cfd4723bfbfce531d7b38bae6266 upstream. + +The IRQ handler bcm2835_spi_interrupt() first reads as much as possible +from the RX FIFO, then writes as much as possible to the TX FIFO. +Afterwards it decides whether the transfer is finished by checking if +the TX FIFO is empty. + +If very few bytes were written to the TX FIFO, they may already have +been transmitted by the time the FIFO's emptiness is checked. As a +result, the transfer will be declared finished and the chip will be +reset without reading the corresponding received bytes from the RX FIFO. + +The odds of this happening increase with a high clock frequency (such +that the TX FIFO drains quickly) and either passing "threadirqs" on the +command line or enabling CONFIG_PREEMPT_RT_BASE (such that the IRQ +handler may be preempted between filling the TX FIFO and checking its +emptiness). + +Fix by instead checking whether rx_len has reached zero, which means +that the transfer has been received in full. This is also more +efficient as it avoids one bus read access per interrupt. Note that +bcm2835_spi_transfer_one_poll() likewise uses rx_len to determine +whether the transfer has finished. 
+ +Signed-off-by: Lukas Wunner <lukas@wunner.de> +Fixes: e34ff011c70e ("spi: bcm2835: move to the transfer_one driver model") +Cc: stable@vger.kernel.org # v4.1+ +Cc: Mathias Duckeck <m.duckeck@kunbus.de> +Cc: Frank Pavlic <f.pavlic@kunbus.de> +Cc: Martin Sperl <kernel@martin.sperl.org> +Cc: Noralf Trønnes <noralf@tronnes.org> +Signed-off-by: Mark Brown <broonie@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/spi/spi-bcm2835.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c +index bb0ea7b578d1..92f45b6fd278 100644 +--- a/drivers/spi/spi-bcm2835.c ++++ b/drivers/spi/spi-bcm2835.c +@@ -155,8 +155,7 @@ static irqreturn_t bcm2835_spi_interrupt(int irq, void *dev_id) + /* Write as many bytes as possible to FIFO */ + bcm2835_wr_fifo(bs); + +- /* based on flags decide if we can finish the transfer */ +- if (bcm2835_rd(bs, BCM2835_SPI_CS) & BCM2835_SPI_CS_DONE) { ++ if (!bs->rx_len) { + /* Transfer complete - reset SPI HW */ + bcm2835_spi_reset_hw(master); + /* wake up the framework */ +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-049-cdc-acm-fix-abnormal-DATA-RX-issue-for-Mediat.patch b/patches.kernel.org/4.4.170-049-cdc-acm-fix-abnormal-DATA-RX-issue-for-Mediat.patch new file mode 100644 index 0000000000..154e590ff5 --- /dev/null +++ b/patches.kernel.org/4.4.170-049-cdc-acm-fix-abnormal-DATA-RX-issue-for-Mediat.patch 
@@ -0,0 +1,87 @@ +From: Macpaul Lin <macpaul.lin@mediatek.com> +Date: Wed, 19 Dec 2018 12:11:03 +0800 +Subject: [PATCH] cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader. +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: eafb27fa5283599ce6c5492ea18cf636a28222bb + +commit eafb27fa5283599ce6c5492ea18cf636a28222bb upstream. + +Mediatek Preloader is a proprietary embedded boot loader for loading +Little Kernel and Linux into device DRAM. + +This boot loader also handle firmware update. Mediatek Preloader will be +enumerated as a virtual COM port when the device is connected to Windows +or Linux OS via CDC-ACM class driver. When the USB enumeration has been +done, Mediatek Preloader will send out handshake command "READY" to PC +actively instead of waiting command from the download tool. + +Since Linux 4.12, the commit "tty: reset termios state on device +registration" (93857edd9829e144acb6c7e72d593f6e01aead66) causes Mediatek +Preloader receiving some abnoraml command like "READYXX" as it sent. +This will be recognized as an incorrect response. The behavior change +also causes the download handshake fail. This change only affects +subsequent connects if the reconnected device happens to get the same minor +number. + +By disabling the ECHO termios flag could avoid this problem. However, it +cannot be done by user space configuration when download tool open +/dev/ttyACM0. This is because the device running Mediatek Preloader will +send handshake command "READY" immediately once the CDC-ACM driver is +ready. + +This patch wants to fix above problem by introducing "DISABLE_ECHO" +property in driver_info. When Mediatek Preloader is connected, the +CDC-ACM driver could disable ECHO flag in termios to avoid the problem. 
+ +Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com> +Cc: stable@vger.kernel.org +Reviewed-by: Johan Hovold <johan@kernel.org> +Acked-by: Oliver Neukum <oneukum@suse.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/usb/class/cdc-acm.c | 10 ++++++++++ + drivers/usb/class/cdc-acm.h | 1 + + 2 files changed, 11 insertions(+) + +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index 0a8e5ac891d4..3919ea066bf9 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -507,6 +507,13 @@ static int acm_tty_install(struct tty_driver *driver, struct tty_struct *tty) + if (retval) + goto error_init_termios; + ++ /* ++ * Suppress initial echoing for some devices which might send data ++ * immediately after acm driver has been installed. ++ */ ++ if (acm->quirks & DISABLE_ECHO) ++ tty->termios.c_lflag &= ~ECHO; ++ + tty->driver_data = acm; + + return 0; +@@ -1677,6 +1684,9 @@ static const struct usb_device_id acm_ids[] = { + { USB_DEVICE(0x0e8d, 0x0003), /* FIREFLY, MediaTek Inc; andrey.arapov@gmail.com */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, ++ { USB_DEVICE(0x0e8d, 0x2000), /* MediaTek Inc Preloader */ ++ .driver_info = DISABLE_ECHO, /* DISABLE ECHO in termios flag */ ++ }, + { USB_DEVICE(0x0e8d, 0x3329), /* MediaTek Inc GPS */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, +diff --git a/drivers/usb/class/cdc-acm.h b/drivers/usb/class/cdc-acm.h +index b30ac5fcde68..1ad9ff9f493d 100644 +--- a/drivers/usb/class/cdc-acm.h ++++ b/drivers/usb/class/cdc-acm.h +@@ -134,3 +134,4 @@ struct acm { + #define QUIRK_CONTROL_LINE_STATE BIT(6) + #define CLEAR_HALT_CONDITIONS BIT(7) + #define SEND_ZERO_PACKET BIT(8) ++#define DISABLE_ECHO BIT(9) +-- +2.20.1 + 
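Review bot: The bcm2835_spi_interrupt() hunk of 4.4.170-048 drops the comment above the completion test and leaves `if (!bs->rx_len)` unexplained. The reasoning from the commit message (the TX FIFO may already be empty before the matching bytes have been read from the RX FIFO, so BCM2835_SPI_CS_DONE is not a safe completion signal) belongs next to the condition. A one-line comment stating that the transfer is complete once rx_len reaches zero would keep a later cleanup from restoring the register check.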
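Review bot: In the acm_tty_install() hunk of 4.4.170-049, the new comment does not record why user space cannot clear ECHO itself. The commit message explains that the device sends "READY" as soon as the CDC-ACM driver is ready, before a download tool can change termios on /dev/ttyACM0; that sentence should be in the code comment. DISABLE_ECHO in cdc-acm.h also has no description, and the acm_ids comment `/* DISABLE ECHO in termios flag */` only repeats the flag name.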
diff --git a/patches.kernel.org/4.4.170-050-media-vivid-free-bitmap_cap-when-updating-std.patch b/patches.kernel.org/4.4.170-050-media-vivid-free-bitmap_cap-when-updating-std.patch new file mode 100644 index 0000000000..cb38a4d11a --- /dev/null +++ b/patches.kernel.org/4.4.170-050-media-vivid-free-bitmap_cap-when-updating-std.patch @@ -0,0 +1,38 @@ +From: Hans Verkuil <hverkuil-cisco@xs4all.nl> +Date: Fri, 9 Nov 2018 08:37:44 -0500 +Subject: [PATCH] media: vivid: free bitmap_cap when updating std/timings/etc. +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 560ccb75c2caa6b1039dec1a53cd2ef526f5bf03 + +commit 560ccb75c2caa6b1039dec1a53cd2ef526f5bf03 upstream. + +When vivid_update_format_cap() is called it should free any overlay +bitmap since the compose size will change. + +Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> +Reported-by: syzbot+0cc8e3cc63ca373722c6@syzkaller.appspotmail.com +Cc: <stable@vger.kernel.org> # for v3.18 and up +Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/media/platform/vivid/vivid-vid-cap.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/platform/vivid/vivid-vid-cap.c b/drivers/media/platform/vivid/vivid-vid-cap.c +index ef5412311b2f..a84954f1be34 100644 +--- a/drivers/media/platform/vivid/vivid-vid-cap.c ++++ b/drivers/media/platform/vivid/vivid-vid-cap.c +@@ -461,6 +461,8 @@ void vivid_update_format_cap(struct vivid_dev *dev, bool keep_controls) + tpg_s_rgb_range(&dev->tpg, v4l2_ctrl_g_ctrl(dev->rgb_range_cap)); + break; + } ++ vfree(dev->bitmap_cap); ++ dev->bitmap_cap = NULL; + vivid_update_quality(dev); + tpg_reset_source(&dev->tpg, dev->src_rect.width, dev->src_rect.height, dev->field_cap); + dev->crop_cap = dev->src_rect; +-- +2.20.1 + 
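Review bot: The vivid_update_format_cap() hunk of 4.4.170-050 frees dev->bitmap_cap and resets the pointer to NULL, which avoids leaving a dangling pointer, but the added lines carry no comment and the hunk shows no locking. Please note in the code that the overlay bitmap is dropped because the compose size changes (as the commit message says), and state which lock callers must hold so that no reader of bitmap_cap can run concurrently with the vfree().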
diff --git a/patches.kernel.org/4.4.170-051-MIPS-Ensure-pmd_present-returns-false-after-p.patch b/patches.kernel.org/4.4.170-051-MIPS-Ensure-pmd_present-returns-false-after-p.patch new file mode 100644 index 0000000000..01f9b292af --- /dev/null +++ b/patches.kernel.org/4.4.170-051-MIPS-Ensure-pmd_present-returns-false-after-p.patch 
@@ -0,0 +1,50 @@ +From: Huacai Chen <chenhc@lemote.com> +Date: Thu, 15 Nov 2018 15:53:54 +0800 +Subject: [PATCH] MIPS: Ensure pmd_present() returns false after + pmd_mknotpresent() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 92aa0718c9fa5160ad2f0e7b5bffb52f1ea1e51a + +commit 92aa0718c9fa5160ad2f0e7b5bffb52f1ea1e51a upstream. + +This patch is borrowed from ARM64 to ensure pmd_present() returns false +after pmd_mknotpresent(). This is needed for THP. + +References: 5bb1cc0ff9a6 ("arm64: Ensure pmd_present() returns false after pmd_mknotpresent()") +Reviewed-by: James Hogan <jhogan@kernel.org> +Signed-off-by: Huacai Chen <chenhc@lemote.com> +Signed-off-by: Paul Burton <paul.burton@mips.com> +Patchwork: https://patchwork.linux-mips.org/patch/21135/ +Cc: Ralf Baechle <ralf@linux-mips.org> +Cc: James Hogan <james.hogan@mips.com> +Cc: Steven J . Hill <Steven.Hill@cavium.com> +Cc: linux-mips@linux-mips.org +Cc: Fuxin Zhang <zhangfx@lemote.com> +Cc: Zhangjin Wu <wuzhangjin@gmail.com> +Cc: <stable@vger.kernel.org> # 3.8+ +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/mips/include/asm/pgtable-64.h | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/mips/include/asm/pgtable-64.h b/arch/mips/include/asm/pgtable-64.h +index cf661a2fb141..16fade4f49dd 100644 +--- a/arch/mips/include/asm/pgtable-64.h ++++ b/arch/mips/include/asm/pgtable-64.h +@@ -189,6 +189,11 @@ static inline int pmd_bad(pmd_t pmd) + + static inline int pmd_present(pmd_t pmd) + { ++#ifdef CONFIG_MIPS_HUGE_TLB_SUPPORT ++ if (unlikely(pmd_val(pmd) & _PAGE_HUGE)) ++ return pmd_val(pmd) & _PAGE_PRESENT; ++#endif ++ + return pmd_val(pmd) != (unsigned long) invalid_pte_table; + } + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-052-MIPS-Align-kernel-load-address-to-64KB.patch b/patches.kernel.org/4.4.170-052-MIPS-Align-kernel-load-address-to-64KB.patch new file mode 100644 index 0000000000..18e13e683b 
--- /dev/null +++ b/patches.kernel.org/4.4.170-052-MIPS-Align-kernel-load-address-to-64KB.patch 
@@ -0,0 +1,62 @@ +From: Huacai Chen <chenhc@lemote.com> +Date: Thu, 15 Nov 2018 15:53:56 +0800 +Subject: [PATCH] MIPS: Align kernel load address to 64KB +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: bec0de4cfad21bd284dbddee016ed1767a5d2823 + +commit bec0de4cfad21bd284dbddee016ed1767a5d2823 upstream. + +KEXEC needs the new kernel's load address to be aligned on a page +boundary (see sanity_check_segment_list()), but on MIPS the default +vmlinuz load address is only explicitly aligned to 16 bytes. + +Since the largest PAGE_SIZE supported by MIPS kernels is 64KB, increase +the alignment calculated by calc_vmlinuz_load_addr to 64KB. + +Signed-off-by: Huacai Chen <chenhc@lemote.com> +Signed-off-by: Paul Burton <paul.burton@mips.com> +Patchwork: https://patchwork.linux-mips.org/patch/21131/ +Cc: Ralf Baechle <ralf@linux-mips.org> +Cc: James Hogan <james.hogan@mips.com> +Cc: Steven J . Hill <Steven.Hill@cavium.com> +Cc: linux-mips@linux-mips.org +Cc: Fuxin Zhang <zhangfx@lemote.com> +Cc: Zhangjin Wu <wuzhangjin@gmail.com> +Cc: <stable@vger.kernel.org> # 2.6.36+ +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/mips/boot/compressed/calc_vmlinuz_load_addr.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c +index 37fe58c19a90..542c3ede9722 100644 +--- a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c ++++ b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c +@@ -13,6 +13,7 @@ + #include <stdint.h> + #include <stdio.h> + #include <stdlib.h> ++#include "../../../../include/linux/sizes.h" + + int main(int argc, char *argv[]) + { +@@ -45,11 +46,11 @@ int main(int argc, char *argv[]) + vmlinuz_load_addr = vmlinux_load_addr + vmlinux_size; + + /* +- * Align with 16 bytes: "greater than that used for any standard data +- * types by a MIPS compiler." 
-- See MIPS Run Linux (Second Edition). ++ * Align with 64KB: KEXEC needs load sections to be aligned to PAGE_SIZE, ++ * which may be as large as 64KB depending on the kernel configuration. + */ + +- vmlinuz_load_addr += (16 - vmlinux_size % 16); ++ vmlinuz_load_addr += (SZ_64K - vmlinux_size % SZ_64K); + + printf("0x%llx\n", vmlinuz_load_addr); + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-053-CIFS-Fix-error-mapping-for-SMB2_LOCK-command-.patch b/patches.kernel.org/4.4.170-053-CIFS-Fix-error-mapping-for-SMB2_LOCK-command-.patch new file mode 100644 index 0000000000..072742ff9a --- /dev/null +++ b/patches.kernel.org/4.4.170-053-CIFS-Fix-error-mapping-for-SMB2_LOCK-command-.patch 
@@ -0,0 +1,58 @@ +From: Georgy A Bystrenin <gkot@altlinux.org> +Date: Fri, 21 Dec 2018 00:11:42 -0600 +Subject: [PATCH] CIFS: Fix error mapping for SMB2_LOCK command which caused + OFD lock problem +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 9a596f5b39593414c0ec80f71b94a226286f084e + +commit 9a596f5b39593414c0ec80f71b94a226286f084e upstream. + +While resolving a bug with locks on samba shares found a strange behavior. +When a file locked by one node and we trying to lock it from another node +it fail with errno 5 (EIO) but in that case errno must be set to +(EACCES | EAGAIN). +This isn't happening when we try to lock file second time on same node. +In this case it returns EACCES as expected. +Also this issue not reproduces when we use SMB1 protocol (vers=1.0 in +mount options). + +Further investigation showed that the mapping from status_to_posix_error +is different for SMB1 and SMB2+ implementations. +For SMB1 mapping is [NT_STATUS_LOCK_NOT_GRANTED to ERRlock] +(See fs/cifs/netmisc.c line 66) +but for SMB2+ mapping is [STATUS_LOCK_NOT_GRANTED to -EIO] +(see fs/cifs/smb2maperror.c line 383) + +Quick changes in SMB2+ mapping from EIO to EACCES has fixed issue. 
+ +BUG: https://bugzilla.kernel.org/show_bug.cgi?id=201971 + +Signed-off-by: Georgy A Bystrenin <gkot@altlinux.org> +Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com> +CC: Stable <stable@vger.kernel.org> +Signed-off-by: Steve French <stfrench@microsoft.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/cifs/smb2maperror.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/cifs/smb2maperror.c b/fs/cifs/smb2maperror.c +index 8257a5a97cc0..98c25b969ab8 100644 +--- a/fs/cifs/smb2maperror.c ++++ b/fs/cifs/smb2maperror.c +@@ -377,8 +377,8 @@ static const struct status_to_posix_error smb2_error_map_table[] = { + {STATUS_NONEXISTENT_EA_ENTRY, -EIO, "STATUS_NONEXISTENT_EA_ENTRY"}, + {STATUS_NO_EAS_ON_FILE, -ENODATA, "STATUS_NO_EAS_ON_FILE"}, + {STATUS_EA_CORRUPT_ERROR, -EIO, "STATUS_EA_CORRUPT_ERROR"}, +- {STATUS_FILE_LOCK_CONFLICT, -EIO, "STATUS_FILE_LOCK_CONFLICT"}, +- {STATUS_LOCK_NOT_GRANTED, -EIO, "STATUS_LOCK_NOT_GRANTED"}, ++ {STATUS_FILE_LOCK_CONFLICT, -EACCES, "STATUS_FILE_LOCK_CONFLICT"}, ++ {STATUS_LOCK_NOT_GRANTED, -EACCES, "STATUS_LOCK_NOT_GRANTED"}, + {STATUS_DELETE_PENDING, -ENOENT, "STATUS_DELETE_PENDING"}, + {STATUS_CTL_FILE_NOT_SUPPORTED, -ENOSYS, + "STATUS_CTL_FILE_NOT_SUPPORTED"}, +-- +2.20.1 + diff --git a/patches.fixes/x86-kvm-vmx-do-not-use-vm-exit-instruction-length-fo.patch b/patches.kernel.org/4.4.170-054-x86-kvm-vmx-do-not-use-vm-exit-instruction-le.patch index f85b8bb4c4..1a24412a9b 100644 --- a/patches.fixes/x86-kvm-vmx-do-not-use-vm-exit-instruction-length-fo.patch +++ b/patches.kernel.org/4.4.170-054-x86-kvm-vmx-do-not-use-vm-exit-instruction-le.patch @@ -1,13 +1,15 @@ -From d391f1207067268261add0485f0f34503539c5b0 Mon Sep 17 00:00:00 2001 
From: Vitaly Kuznetsov <vkuznets@redhat.com> Date: Thu, 25 Jan 2018 16:37:07 +0100 -Subject: [PATCH] x86/kvm/vmx: do not use vm-exit instruction length for fast MMIO when running nested -Mime-version: 1.0 -Content-type: text/plain; charset=UTF-8 -Content-transfer-encoding: 8bit +Subject: [PATCH] x86/kvm/vmx: do not use vm-exit instruction length for fast + MMIO when running nested +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Patch-mainline: 4.4.170 +References: bnc#1012382 bsc#1081431 Git-commit: d391f1207067268261add0485f0f34503539c5b0 -Patch-mainline: v4.16-rc1 -References: bsc#1081431 + +commit d391f1207067268261add0485f0f34503539c5b0 upstream. I was investigating an issue with seabios >= 1.10 which stopped working for nested KVM on Hyper-V. The problem appears to be in @@ -33,17 +35,21 @@ Suggested-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Radim Krčmář <rkrcmar@redhat.com> -Signed-off-by: Matwey V. Kornilov <matwey.kornilov@gmail.com> -Acked-by: Takashi Iwai <tiwai@suse.de> - +Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> +[mhaboustak: backport to 4.9.y] +Signed-off-by: Mike Haboustak <haboustak@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- - arch/x86/kvm/vmx.c | 19 +++++++++++++++++-- - arch/x86/kvm/x86.c | 3 ++- + arch/x86/kvm/vmx.c | 19 +++++++++++++++++-- + arch/x86/kvm/x86.c | 3 ++- 2 files changed, 19 insertions(+), 3 deletions(-) +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index e4b5fd72ca24..3bdb2e747b89 100644 --- a/arch/x86/kvm/vmx.c 
+++ b/arch/x86/kvm/vmx.c -@@ -5986,9 +5986,24 @@ static int handle_ept_misconfig(struct k +@@ -6163,9 +6163,24 @@ static int handle_ept_misconfig(struct kvm_vcpu *vcpu) gpa = vmcs_read64(GUEST_PHYSICAL_ADDRESS); if (!kvm_io_bus_write(vcpu, KVM_FAST_MMIO_BUS, gpa, 0, NULL)) { @@ -51,28 +57,30 @@ Acked-by: Takashi Iwai <tiwai@suse.de> trace_kvm_fast_mmio(gpa); - return 1; + /* -+ * Doing kvm_skip_emulated_instruction() depends on undefined -+ * behavior: Intel's manual doesn't mandate -+ * VM_EXIT_INSTRUCTION_LEN to be set in VMCS when EPT MISCONFIG -+ * occurs and while on real hardware it was observed to be set, -+ * other hypervisors (namely Hyper-V) don't set it, we end up -+ * advancing IP with some random value. Disable fast mmio when -+ * running nested and keep it for real hardware in hope that -+ * VM_EXIT_INSTRUCTION_LEN will always be set correctly. -+ */ ++ * Doing kvm_skip_emulated_instruction() depends on undefined ++ * behavior: Intel's manual doesn't mandate ++ * VM_EXIT_INSTRUCTION_LEN to be set in VMCS when EPT MISCONFIG ++ * occurs and while on real hardware it was observed to be set, ++ * other hypervisors (namely Hyper-V) don't set it, we end up ++ * advancing IP with some random value. Disable fast mmio when ++ * running nested and keep it for real hardware in hope that ++ * VM_EXIT_INSTRUCTION_LEN will always be set correctly. ++ */ + if (!static_cpu_has(X86_FEATURE_HYPERVISOR)) { + skip_emulated_instruction(vcpu); + return 1; -+ } else { ++ } ++ else + return x86_emulate_instruction(vcpu, gpa, EMULTYPE_SKIP, + NULL, 0) == EMULATE_DONE; -+ } } ret = handle_mmio_page_fault(vcpu, gpa, true); +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index aa1a0277a678..1a934bb8ed1c 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c -@@ -5408,7 +5408,8 @@ int x86_emulate_instruction(struct kvm_v +@@ -5436,7 +5436,8 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu, * handle watchpoints yet, those would be handled in * the emulate_ops. */ 
@@ -82,3 +90,6 @@ Acked-by: Takashi Iwai <tiwai@suse.de> return r; ctxt->interruptibility = 0; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-055-spi-bcm2835-Unbreak-the-build-of-esoteric-con.patch b/patches.kernel.org/4.4.170-055-spi-bcm2835-Unbreak-the-build-of-esoteric-con.patch new file mode 100644 index 0000000000..fe24f342d3 --- /dev/null +++ b/patches.kernel.org/4.4.170-055-spi-bcm2835-Unbreak-the-build-of-esoteric-con.patch 
@@ -0,0 +1,47 @@ +From: Lukas Wunner <lukas@wunner.de> +Date: Thu, 29 Nov 2018 15:14:49 +0100 +Subject: [PATCH] spi: bcm2835: Unbreak the build of esoteric configs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 29bdedfd9cf40e59456110ca417a8cb672ac9b92 + +commit 29bdedfd9cf40e59456110ca417a8cb672ac9b92 upstream. + +Commit e82b0b382845 ("spi: bcm2835: Fix race on DMA termination") broke +the build with COMPILE_TEST=y on arches whose cmpxchg() requires 32-bit +operands (xtensa, older arm ISAs). + +Fix by changing the dma_pending flag's type from bool to unsigned int. + +Fixes: e82b0b382845 ("spi: bcm2835: Fix race on DMA termination") +Signed-off-by: Lukas Wunner <lukas@wunner.de> +Signed-off-by: Mark Brown <broonie@kernel.org> +Cc: Frank Pavlic <f.pavlic@kunbus.de> +Cc: Martin Sperl <kernel@martin.sperl.org> +Cc: Noralf Trønnes <noralf@tronnes.org> +Cc: Sudip Mukherjee <sudipm.mukherjee@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/spi/spi-bcm2835.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c +index 92f45b6fd278..1a1368f5863c 100644 +--- a/drivers/spi/spi-bcm2835.c ++++ b/drivers/spi/spi-bcm2835.c +@@ -88,7 +88,7 @@ struct bcm2835_spi { + u8 *rx_buf; + int tx_len; + int rx_len; +- bool dma_pending; ++ unsigned int dma_pending; + }; + + static inline u32 bcm2835_rd(struct bcm2835_spi *bs, unsigned reg) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-056-powerpc-Fix-COFF-zImage-booting-on-old-powerm.patch b/patches.kernel.org/4.4.170-056-powerpc-Fix-COFF-zImage-booting-on-old-powerm.patch new file mode 100644 index 0000000000..60bb177616 --- /dev/null +++ b/patches.kernel.org/4.4.170-056-powerpc-Fix-COFF-zImage-booting-on-old-powerm.patch 
@@ -0,0 +1,59 @@ +From: Paul Mackerras <paulus@ozlabs.org> +Date: Tue, 27 Nov 2018 09:01:54 +1100 +Subject: [PATCH] powerpc: Fix COFF zImage booting on old powermacs +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 5564597d51c8ff5b88d95c76255e18b13b760879 + +[ Upstream commit 5564597d51c8ff5b88d95c76255e18b13b760879 ] + +Commit 6975a783d7b4 ("powerpc/boot: Allow building the zImage wrapper +as a relocatable ET_DYN", 2011-04-12) changed the procedure descriptor +at the start of crt0.S to have a hard-coded start address of 0x500000 +rather than a reference to _zimage_start, presumably because having +a reference to a symbol introduced a relocation which is awkward to +handle in a position-independent executable. Unfortunately, what is +at 0x500000 in the COFF image is not the first instruction, but the +procedure descriptor itself, that is, a word containing 0x500000, +which is not a valid instruction. Hence, booting a COFF zImage +results in a "DEFAULT CATCH!, code=FFF00700" message from Open +Firmware. + +This fixes the problem by (a) putting the procedure descriptor in the +data section and (b) adding a branch to _zimage_start as the first +instruction in the program. + +Fixes: 6975a783d7b4 ("powerpc/boot: Allow building the zImage wrapper as a relocatable ET_DYN") +Signed-off-by: Paul Mackerras <paulus@ozlabs.org> +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/powerpc/boot/crt0.S | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/boot/crt0.S b/arch/powerpc/boot/crt0.S +index 5c2199857aa8..a3550e8f1a77 100644 +--- a/arch/powerpc/boot/crt0.S ++++ b/arch/powerpc/boot/crt0.S +@@ -15,7 +15,7 @@ + RELA = 7 + RELACOUNT = 0x6ffffff9 + +- .text ++ .data + /* A procedure descriptor used when booting this as a COFF file. + * When making COFF, this comes first in the link and we're + * linked at 0x500000. 
+@@ -23,6 +23,8 @@ RELACOUNT = 0x6ffffff9 + .globl _zimage_start_opd + _zimage_start_opd: + .long 0x500000, 0, 0, 0 ++ .text ++ b _zimage_start + + #ifdef __powerpc64__ + .balign 8 +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-057-ARM-imx-update-the-cpu-power-up-timing-settin.patch b/patches.kernel.org/4.4.170-057-ARM-imx-update-the-cpu-power-up-timing-settin.patch new file mode 100644 index 0000000000..6a50bbe816 --- /dev/null +++ b/patches.kernel.org/4.4.170-057-ARM-imx-update-the-cpu-power-up-timing-settin.patch 
@@ -0,0 +1,43 @@ +From: Anson Huang <anson.huang@nxp.com> +Date: Tue, 4 Dec 2018 03:17:45 +0000 +Subject: [PATCH] ARM: imx: update the cpu power up timing setting on i.mx6sx +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 1e434b703248580b7aaaf8a115d93e682f57d29f + +[ Upstream commit 1e434b703248580b7aaaf8a115d93e682f57d29f ] + +The sw2iso count should cover ARM LDO ramp-up time, +the MAX ARM LDO ramp-up time may be up to more than +100us on some boards, this patch sets sw2iso to 0xf +(~384us) which is the reset value, and it is much +more safe to cover different boards, since we have +observed that some customer boards failed with current +setting of 0x2. + +Fixes: 05136f0897b5 ("ARM: imx: support arm power off in cpuidle for i.mx6sx") +Signed-off-by: Anson Huang <Anson.Huang@nxp.com> +Reviewed-by: Fabio Estevam <festevam@gmail.com> +Signed-off-by: Shawn Guo <shawnguo@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/arm/mach-imx/cpuidle-imx6sx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mach-imx/cpuidle-imx6sx.c b/arch/arm/mach-imx/cpuidle-imx6sx.c +index 3c6672b3796b..7f5df8992008 100644 +--- a/arch/arm/mach-imx/cpuidle-imx6sx.c ++++ b/arch/arm/mach-imx/cpuidle-imx6sx.c +@@ -97,7 +97,7 @@ int __init imx6sx_cpuidle_init(void) + * except for power up sw2iso which need to be + * larger than LDO ramp up time. + */ +- imx_gpc_set_arm_power_up_timing(2, 1); ++ imx_gpc_set_arm_power_up_timing(0xf, 1); + imx_gpc_set_arm_power_down_timing(1, 1); + + return cpuidle_register(&imx6sx_cpuidle_driver, NULL); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-058-Input-restore-EV_ABS-ABS_RESERVED.patch b/patches.kernel.org/4.4.170-058-Input-restore-EV_ABS-ABS_RESERVED.patch new file mode 100644 index 0000000000..1be1144c2d --- /dev/null +++ b/patches.kernel.org/4.4.170-058-Input-restore-EV_ABS-ABS_RESERVED.patch 
@@ -0,0 +1,46 @@ +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Thu, 6 Dec 2018 09:03:36 +1000 +Subject: [PATCH] Input: restore EV_ABS ABS_RESERVED +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: c201e3808e0e4be9b98d192802085a9f491bd80c + +[ Upstream commit c201e3808e0e4be9b98d192802085a9f491bd80c ] + +ABS_RESERVED was added in d9ca1c990a7 and accidentally removed as part of +ffe0e7cf290f5c9 when the high-resolution scrolling code was removed. + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> +Reviewed-by: Martin Kepplinger <martin.kepplinger@ginzinger.com> +Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> +Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + include/uapi/linux/input-event-codes.h | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/include/uapi/linux/input-event-codes.h b/include/uapi/linux/input-event-codes.h +index 87cf351bab03..9e07bf4259e1 100644 +--- a/include/uapi/linux/input-event-codes.h ++++ b/include/uapi/linux/input-event-codes.h +@@ -708,6 +708,15 @@ + + #define ABS_MISC 0x28 + ++/* ++ * 0x2e is reserved and should not be used in input drivers. ++ * It was used by HID as ABS_MISC+6 and userspace needs to detect if ++ * the next ABS_* event is correct or is just ABS_MISC + n. ++ * We define here ABS_RESERVED so userspace can rely on it and detect ++ * the situation described above. ++ */ ++#define ABS_RESERVED 0x2e ++ + #define ABS_MT_SLOT 0x2f /* MT slot being modified */ + #define ABS_MT_TOUCH_MAJOR 0x30 /* Major axis of touching ellipse */ + #define ABS_MT_TOUCH_MINOR 0x31 /* Minor axis (omit if circular) */ +-- +2.20.1 + 
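Review bot: In the pmd_present() hunk of 4.4.170-051 (arch/mips/include/asm/pgtable-64.h), `return pmd_val(pmd) & _PAGE_PRESENT;` passes a masked value through an int return type, while the existing return statement in the same function treats pmd_val() as unsigned long. If _PAGE_PRESENT does not lie within the low 32 bits on some configuration, the result truncates to 0. `return !!(pmd_val(pmd) & _PAGE_PRESENT);` makes the boolean intent explicit and is safe regardless of the bit position.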
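Review bot: In the main() hunk of 4.4.170-052 (arch/mips/boot/compressed/calc_vmlinuz_load_addr.c), the padding is derived from vmlinux_size rather than from the address being aligned: `vmlinuz_load_addr += (SZ_64K - vmlinux_size % SZ_64K);`. Because vmlinuz_load_addr is vmlinux_load_addr + vmlinux_size, the result is 64KB-aligned only when vmlinux_load_addr itself is, and a size that is already a multiple of 64KB still adds a full SZ_64K. Rounding the address itself up (add SZ_64K - 1, then mask) would deliver the alignment the new comment promises. The relative include of ../../../../include/linux/sizes.h into a host tool also deserves a short comment.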
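Review bot: The smb2_error_map_table hunk of 4.4.170-053 changes two entries, STATUS_FILE_LOCK_CONFLICT and STATUS_LOCK_NOT_GRANTED, from -EIO to -EACCES, but the changelog only analyses STATUS_LOCK_NOT_GRANTED. Please state why STATUS_FILE_LOCK_CONFLICT is remapped as well, and confirm that no caller relied on the old -EIO result to tell a lock conflict apart from a genuine I/O error.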
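Review bot: In the refreshed handle_ept_misconfig() hunk of 4.4.170-054, the backport replaces `} else {` ... `}` with a bare `else` on its own line after the closing brace of the if block. Kernel coding style keeps `else` on the same line as the closing brace and braces both branches when one of them is braced, as the previous version of this patch file did. The added comment also names kvm_skip_emulated_instruction() while the code below it calls skip_emulated_instruction(vcpu); the comment should match the function actually used in this tree.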
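Review bot: In the first crt0.S hunk of 4.4.170-056, the procedure descriptor moves from .text to .data, but the retained comment still reads "When making COFF, this comes first in the link and we're linked at 0x500000". With this change the first instruction in .text is `b _zimage_start`, so the comment may no longer describe the layout. Please update it to say what now sits at the entry address and why the descriptor lives in the data section.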
diff --git a/patches.kernel.org/4.4.170-059-checkstack.pl-fix-for-aarch64.patch b/patches.kernel.org/4.4.170-059-checkstack.pl-fix-for-aarch64.patch new file mode 100644 index 0000000000..cc39e4e4cc --- /dev/null +++ b/patches.kernel.org/4.4.170-059-checkstack.pl-fix-for-aarch64.patch 
@@ -0,0 +1,49 @@ +From: Qian Cai <cai@lca.pw> +Date: Fri, 14 Dec 2018 14:17:20 -0800 +Subject: [PATCH] checkstack.pl: fix for aarch64 +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: f1733a1d3cd32a9492f4cf866be37bb46e10163d + +[ Upstream commit f1733a1d3cd32a9492f4cf866be37bb46e10163d ] + +There is actually a space after "sp," like this, + + ffff2000080813c8: a9bb7bfd stp x29, x30, [sp, #-80]! + +Right now, checkstack.pl isn't able to print anything on aarch64, +because it won't be able to match the stating objdump line of a function +due to this missing space. Hence, it displays every stack as zero-size. + +After this patch, checkpatch.pl is able to match the start of a +function's objdump, and is then able to calculate each function's stack +correctly. + +Link: http://lkml.kernel.org/r/20181207195843.38528-1-cai@lca.pw +Signed-off-by: Qian Cai <cai@lca.pw> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + scripts/checkstack.pl | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/scripts/checkstack.pl b/scripts/checkstack.pl +index dd8397894d5c..12a6940741fe 100755 +--- a/scripts/checkstack.pl ++++ b/scripts/checkstack.pl +@@ -46,8 +46,8 @@ my (@stack, $re, $dre, $x, $xs, $funcre); + $xs = "[0-9a-f ]"; # hex character or space + $funcre = qr/^$x* <(.*)>:$/; + if ($arch eq 'aarch64') { +- #ffffffc0006325cc: a9bb7bfd stp x29, x30, [sp,#-80]! +- $re = qr/^.*stp.*sp,\#-([0-9]{1,8})\]\!/o; ++ #ffffffc0006325cc: a9bb7bfd stp x29, x30, [sp, #-80]! ++ $re = qr/^.*stp.*sp, \#-([0-9]{1,8})\]\!/o; + } elsif ($arch eq 'arm') { + #c0008ffc: e24dd064 sub sp, sp, #100 ; 0x64 + $re = qr/.*sub.*sp, sp, #(([0-9]{2}|[3-9])[0-9]{2})/o; +-- +2.20.1 + 
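Review bot: the replacement pattern in the aarch64 branch of scripts/checkstack.pl, `$re = qr/^.*stp.*sp, \#-([0-9]{1,8})\]\!/o;`, now requires exactly one space after "sp,", so objdump output in the form shown by the removed comment ("[sp,#-80]!") no longer matches and those functions are silently skipped. Writing the separator as `sp,\s*\#-` would accept both spellings. Separately, the paragraph of the commit message beginning "After this patch" says checkpatch.pl where it means checkstack.pl.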
diff --git a/patches.kernel.org/4.4.170-060-xfrm-Fix-bucket-count-reported-to-userspace.patch b/patches.kernel.org/4.4.170-060-xfrm-Fix-bucket-count-reported-to-userspace.patch new file mode 100644 index 0000000000..db67a06235 --- /dev/null +++ b/patches.kernel.org/4.4.170-060-xfrm-Fix-bucket-count-reported-to-userspace.patch @@ -0,0 +1,37 @@ +From: Benjamin Poirier <bpoirier@suse.com> +Date: Mon, 5 Nov 2018 17:00:53 +0900 +Subject: [PATCH] xfrm: Fix bucket count reported to userspace +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: ca92e173ab34a4f7fc4128bd372bd96f1af6f507 + +[ Upstream commit ca92e173ab34a4f7fc4128bd372bd96f1af6f507 ] + +sadhcnt is reported by `ip -s xfrm state count` as "buckets count", not the +hash mask. + +Fixes: 28d8909bc790 ("[XFRM]: Export SAD info.") +Signed-off-by: Benjamin Poirier <bpoirier@suse.com> +Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/xfrm/xfrm_state.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index 9b6e51450fc5..13f261feb75c 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -623,7 +623,7 @@ void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si) + { + spin_lock_bh(&net->xfrm.xfrm_state_lock); + si->sadcnt = net->xfrm.state_num; +- si->sadhcnt = net->xfrm.state_hmask; ++ si->sadhcnt = net->xfrm.state_hmask + 1; + si->sadhmcnt = xfrm_state_hashmax; + spin_unlock_bh(&net->xfrm.xfrm_state_lock); + } +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-061-scsi-bnx2fc-Fix-NULL-dereference-in-error-han.patch b/patches.kernel.org/4.4.170-061-scsi-bnx2fc-Fix-NULL-dereference-in-error-han.patch new file mode 100644 index 0000000000..b833e1a875 --- /dev/null +++ b/patches.kernel.org/4.4.170-061-scsi-bnx2fc-Fix-NULL-dereference-in-error-han.patch 
@@ -0,0 +1,37 @@ +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Thu, 1 Nov 2018 08:25:30 +0300 +Subject: [PATCH] scsi: bnx2fc: Fix NULL dereference in error handling +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 9ae4f8420ed7be4b13c96600e3568c144d101a23 + +[ Upstream commit 9ae4f8420ed7be4b13c96600e3568c144d101a23 ] + +If "interface" is NULL then we can't release it and trying to will only +lead to an Oops. + +Fixes: aea71a024914 ("[SCSI] bnx2fc: Introduce interface structure for each vlan interface") +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c +index d0b227ffbd5f..573aeec7a02b 100644 +--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c ++++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c +@@ -2279,7 +2279,7 @@ static int _bnx2fc_create(struct net_device *netdev, + if (!interface) { + printk(KERN_ERR PFX "bnx2fc_interface_create failed\n"); + rc = -ENOMEM; +- goto ifput_err; ++ goto netdev_err; + } + + if (netdev->priv_flags & IFF_802_1Q_VLAN) { +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-062-Input-omap-keypad-fix-idle-configuration-to-n.patch b/patches.kernel.org/4.4.170-062-Input-omap-keypad-fix-idle-configuration-to-n.patch new file mode 100644 index 0000000000..d0129cb3e1 --- /dev/null +++ b/patches.kernel.org/4.4.170-062-Input-omap-keypad-fix-idle-configuration-to-n.patch 
@@ -0,0 +1,86 @@ +From: Tony Lindgren <tony@atomide.com> +Date: Tue, 4 Dec 2018 13:52:49 -0800 +Subject: [PATCH] Input: omap-keypad - fix idle configuration to not block SoC + idle states +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: e2ca26ec4f01486661b55b03597c13e2b9c18b73 + +[ Upstream commit e2ca26ec4f01486661b55b03597c13e2b9c18b73 ] + +With PM enabled, I noticed that pressing a key on the droid4 keyboard will +block deeper idle states for the SoC. Let's fix this by using IRQF_ONESHOT +and stop constantly toggling the device OMAP4_KBD_IRQENABLE register as +suggested by Dmitry Torokhov <dmitry.torokhov@gmail.com>. + +From the hardware point of view, looks like we need to manage the registers +for OMAP4_KBD_IRQENABLE and OMAP4_KBD_WAKEUPENABLE together to avoid +blocking deeper SoC idle states. And with toggling of OMAP4_KBD_IRQENABLE +register now gone with IRQF_ONESHOT, also the SoC idle state problem is +gone during runtime. We still also need to clear OMAP4_KBD_WAKEUPENABLE in +omap4_keypad_close() though to pair it with omap4_keypad_open() to prevent +blocking deeper SoC idle states after rmmod omap4-keypad. 
+ +Reported-by: Pavel Machek <pavel@ucw.cz> +Signed-off-by: Tony Lindgren <tony@atomide.com> +Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/input/keyboard/omap4-keypad.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +diff --git a/drivers/input/keyboard/omap4-keypad.c b/drivers/input/keyboard/omap4-keypad.c +index f78c464899db..3d2c60c8de83 100644 +--- a/drivers/input/keyboard/omap4-keypad.c ++++ b/drivers/input/keyboard/omap4-keypad.c +@@ -126,12 +126,8 @@ static irqreturn_t omap4_keypad_irq_handler(int irq, void *dev_id) + { + struct omap4_keypad *keypad_data = dev_id; + +- if (kbd_read_irqreg(keypad_data, OMAP4_KBD_IRQSTATUS)) { +- /* Disable interrupts */ +- kbd_write_irqreg(keypad_data, OMAP4_KBD_IRQENABLE, +- OMAP4_VAL_IRQDISABLE); ++ if (kbd_read_irqreg(keypad_data, OMAP4_KBD_IRQSTATUS)) + return IRQ_WAKE_THREAD; +- } + + return IRQ_NONE; + } +@@ -173,11 +169,6 @@ static irqreturn_t omap4_keypad_irq_thread_fn(int irq, void *dev_id) + kbd_write_irqreg(keypad_data, OMAP4_KBD_IRQSTATUS, + kbd_read_irqreg(keypad_data, OMAP4_KBD_IRQSTATUS)); + +- /* enable interrupts */ +- kbd_write_irqreg(keypad_data, OMAP4_KBD_IRQENABLE, +- OMAP4_DEF_IRQENABLE_EVENTEN | +- OMAP4_DEF_IRQENABLE_LONGKEY); +- + return IRQ_HANDLED; + } + +@@ -214,9 +205,10 @@ static void omap4_keypad_close(struct input_dev *input) + + disable_irq(keypad_data->irq); + +- /* Disable interrupts */ ++ /* Disable interrupts and wake-up events */ + kbd_write_irqreg(keypad_data, OMAP4_KBD_IRQENABLE, + OMAP4_VAL_IRQDISABLE); ++ kbd_writel(keypad_data, OMAP4_KBD_WAKEUPENABLE, 0); + + /* clear pending interrupts */ + kbd_write_irqreg(keypad_data, OMAP4_KBD_IRQSTATUS, +@@ -364,7 +356,7 @@ static int omap4_keypad_probe(struct platform_device *pdev) + } + + error = request_threaded_irq(keypad_data->irq, omap4_keypad_irq_handler, +- omap4_keypad_irq_thread_fn, 0, ++ 
omap4_keypad_irq_thread_fn, IRQF_ONESHOT, + "omap4-keypad", keypad_data); + if (error) { + dev_err(&pdev->dev, "failed to register interrupt\n"); +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-063-scsi-zfcp-fix-posting-too-many-status-read-bu.patch b/patches.kernel.org/4.4.170-063-scsi-zfcp-fix-posting-too-many-status-read-bu.patch new file mode 100644 index 0000000000..c7154b441c --- /dev/null +++ b/patches.kernel.org/4.4.170-063-scsi-zfcp-fix-posting-too-many-status-read-bu.patch 
@@ -0,0 +1,98 @@ +From: Steffen Maier <maier@linux.ibm.com> +Date: Thu, 6 Dec 2018 17:31:20 +0100 +Subject: [PATCH] scsi: zfcp: fix posting too many status read buffers leading + to adapter shutdown +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 60a161b7e5b2a252ff0d4c622266a7d8da1120ce + +commit 60a161b7e5b2a252ff0d4c622266a7d8da1120ce upstream. + +Suppose adapter (open) recovery is between opened QDIO queues and before +(the end of) initial posting of status read buffers (SRBs). This time +window can be seconds long due to FSF_PROT_HOST_CONNECTION_INITIALIZING +causing by design looping with exponential increase sleeps in the function +performing exchange config data during recovery +[zfcp_erp_adapter_strat_fsf_xconf()]. Recovery triggered by local link up. + +Suppose an event occurs for which the FCP channel would send an unsolicited +notification to zfcp by means of a previously posted SRB. We saw it with +local cable pull (link down) in multi-initiator zoning with multiple +NPIV-enabled subchannels of the same shared FCP channel. + +As soon as zfcp_erp_adapter_strategy_open_fsf() starts posting the initial +status read buffers from within the adapter's ERP thread, the channel does +send an unsolicited notification. + +Since v2.6.27 commit d26ab06ede83 ("[SCSI] zfcp: receiving an unsolicted +status can lead to I/O stall"), zfcp_fsf_status_read_handler() schedules +adapter->stat_work to re-fill the just consumed SRB from a work item. + +Now the ERP thread and the work item post SRBs in parallel. Both contexts +call the helper function zfcp_status_read_refill(). The tracking of +missing (to be posted / re-filled) SRBs is not thread-safe due to separate +atomic_read() and atomic_dec(), in order to depend on posting +success. Hence, both contexts can see +atomic_read(&adapter->stat_miss) == 1. One of the two contexts posts +one too many SRB. 
Zfcp gets QDIO_ERROR_SLSB_STATE on the output queue +(trace tag "qdireq1") leading to zfcp_erp_adapter_shutdown() in +zfcp_qdio_handler_error(). + +An obvious and seemingly clean fix would be to schedule stat_work from the +ERP thread and wait for it to finish. This would serialize all SRB +re-fills. However, we already have another work item wait on the ERP +thread: adapter->scan_work runs zfcp_fc_scan_ports() which calls +zfcp_fc_eval_gpn_ft(). The latter calls zfcp_erp_wait() to wait for all the +open port recoveries during zfcp auto port scan, but in fact it waits for +any pending recovery including an adapter recovery. This approach leads to +a deadlock. [see also v3.19 commit 18f87a67e6d6 ("zfcp: auto port scan +resiliency"); v2.6.37 commit d3e1088d6873 +("[SCSI] zfcp: No ERP escalation on gpn_ft eval"); +v2.6.28 commit fca55b6fb587 +("[SCSI] zfcp: fix deadlock between wq triggered port scan and ERP") +fixing v2.6.27 commit c57a39a45a76 +("[SCSI] zfcp: wait until adapter is finished with ERP during auto-port"); +v2.6.27 commit cc8c282963bd +("[SCSI] zfcp: Automatically attach remote ports")] + +Instead make the accounting of missing SRBs atomic for parallel execution +in both the ERP thread and adapter->stat_work. + +Signed-off-by: Steffen Maier <maier@linux.ibm.com> +Fixes: d26ab06ede83 ("[SCSI] zfcp: receiving an unsolicted status can lead to I/O stall") +Cc: <stable@vger.kernel.org> #2.6.27+ +Reviewed-by: Jens Remus <jremus@linux.ibm.com> +Signed-off-by: Martin K. 
Petersen <martin.petersen@oracle.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/s390/scsi/zfcp_aux.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/s390/scsi/zfcp_aux.c b/drivers/s390/scsi/zfcp_aux.c +index 38c8e308d4c8..a96c98e3fc73 100644 +--- a/drivers/s390/scsi/zfcp_aux.c ++++ b/drivers/s390/scsi/zfcp_aux.c +@@ -275,16 +275,16 @@ static void zfcp_free_low_mem_buffers(struct zfcp_adapter *adapter) + */ + int zfcp_status_read_refill(struct zfcp_adapter *adapter) + { +- while (atomic_read(&adapter->stat_miss) > 0) ++ while (atomic_add_unless(&adapter->stat_miss, -1, 0)) + if (zfcp_fsf_status_read(adapter->qdio)) { ++ atomic_inc(&adapter->stat_miss); /* undo add -1 */ + if (atomic_read(&adapter->stat_miss) >= + adapter->stat_read_buf_num) { + zfcp_erp_adapter_reopen(adapter, 0, "axsref1"); + return 1; + } + break; +- } else +- atomic_dec(&adapter->stat_miss); ++ } + return 0; + } + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-064-fork-record-start_time-late.patch b/patches.kernel.org/4.4.170-064-fork-record-start_time-late.patch new file mode 100644 index 0000000000..d1a04b69b8 --- /dev/null +++ b/patches.kernel.org/4.4.170-064-fork-record-start_time-late.patch 
@@ -0,0 +1,83 @@ +From: David Herrmann <dh.herrmann@gmail.com> +Date: Tue, 8 Jan 2019 13:58:52 +0100 +Subject: [PATCH] fork: record start_time late +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 7b55851367136b1efd84d98fea81ba57a98304cf + +commit 7b55851367136b1efd84d98fea81ba57a98304cf upstream. + +This changes the fork(2) syscall to record the process start_time after +initializing the basic task structure but still before making the new +process visible to user-space. + +Technically, we could record the start_time anytime during fork(2). But +this might lead to scenarios where a start_time is recorded long before +a process becomes visible to user-space. For instance, with +userfaultfd(2) and TLS, user-space can delay the execution of fork(2) +for an indefinite amount of time (and will, if this causes network +access, or similar). + +By recording the start_time late, it much closer reflects the point in +time where the process becomes live and can be observed by other +processes. + +Lastly, this makes it much harder for user-space to predict and control +the start_time they get assigned. Previously, user-space could fork a +process and stall it in copy_thread_tls() before its pid is allocated, +but after its start_time is recorded. This can be misused to later-on +cycle through PIDs and resume the stalled fork(2) yielding a process +that has the same pid and start_time as a process that existed before. +This can be used to circumvent security systems that identify processes +by their pid+start_time combination. + +Even though user-space was always aware that start_time recording is +flaky (but several projects are known to still rely on start_time-based +identification), changing the start_time to be recorded late will help +mitigate existing attacks and make it much harder for user-space to +control the start_time a process gets assigned. 
+ +Reported-by: Jann Horn <jannh@google.com> +Signed-off-by: Tom Gundersen <teg@jklm.no> +Signed-off-by: David Herrmann <dh.herrmann@gmail.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + kernel/fork.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/kernel/fork.c b/kernel/fork.c +index dd2f79ac0771..e4b81913a998 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -1411,8 +1411,6 @@ static struct task_struct *copy_process(unsigned long clone_flags, + + posix_cpu_timers_init(p); + +- p->start_time = ktime_get_ns(); +- p->real_start_time = ktime_get_boot_ns(); + p->io_context = NULL; + p->audit_context = NULL; + cgroup_fork(p); +@@ -1572,6 +1570,17 @@ static struct task_struct *copy_process(unsigned long clone_flags, + if (retval) + goto bad_fork_free_pid; + ++ /* ++ * From this point on we must avoid any synchronous user-space ++ * communication until we take the tasklist-lock. In particular, we do ++ * not want user-space to be able to predict the process start-time by ++ * stalling fork(2) after we recorded the start_time but before it is ++ * visible to the system. ++ */ ++ ++ p->start_time = ktime_get_ns(); ++ p->real_start_time = ktime_get_boot_ns(); ++ + /* + * Make it visible to the rest of the system, but dont wake it up yet. + * Need tasklist lock for parent etc handling! +-- +2.20.1 + diff --git a/patches.fixes/0001-hwpoison-memory_hotplug-allow-hwpoisoned-pages-to-be.patch b/patches.kernel.org/4.4.170-065-hwpoison-memory_hotplug-allow-hwpoisoned-page.patch index 95eb48f8b2..158eb70bd4 100644 --- a/patches.fixes/0001-hwpoison-memory_hotplug-allow-hwpoisoned-pages-to-be.patch +++ b/patches.kernel.org/4.4.170-065-hwpoison-memory_hotplug-allow-hwpoisoned-page.patch @@ -1,52 +1,55 @@ -From 51c2cfdd270f76f068ea875fba77384e49156ac6 Mon Sep 17 00:00:00 2001 
From: Michal Hocko <mhocko@suse.com> -Date: Mon, 3 Dec 2018 10:27:18 +0100 -Subject: [RFC PATCH] hwpoison, memory_hotplug: allow hwpoisoned pages to be +Date: Fri, 28 Dec 2018 00:38:01 -0800 +Subject: [PATCH] hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined -Patch-mainline: not yet, under discussion -References: bnc#1116336 +References: bnc#1012382 bnc#1116336 +Patch-mainline: 4.4.170 +Git-commit: b15c87263a69272423771118c653e9a1d0672caa + +commit b15c87263a69272423771118c653e9a1d0672caa upstream. We have received a bug report that an injected MCE about faulty memory -prevents memory offline to succeed on 4.4 base kernel. The underlying -reason was that the HWPoison page has an elevated reference count and -the migration keeps failing. There are two problems with that. First -of all it is dubious to migrate the poisoned page because we know that -accessing that memory is possible to fail. Secondly it doesn't make any -sense to migrate a potentially broken content and preserve the memory -corruption over to a new location. +prevents memory offline to succeed on 4.4 base kernel. The underlying +reason was that the HWPoison page has an elevated reference count and the +migration keeps failing. There are two problems with that. First of all +it is dubious to migrate the poisoned page because we know that accessing +that memory is possible to fail. Secondly it doesn't make any sense to +migrate a potentially broken content and preserve the memory corruption +over to a new location. 
Oscar has found out that 4.4 and the current upstream kernels behave slightly differently with his simply testcase + === int main(void) { - int ret; - int i; - int fd; - char *array = malloc(4096); - char *array_locked = malloc(4096); + int ret; + int i; + int fd; + char *array = malloc(4096); + char *array_locked = malloc(4096); - fd = open("/tmp/data", O_RDONLY); - read(fd, array, 4095); + fd = open("/tmp/data", O_RDONLY); + read(fd, array, 4095); - for (i = 0; i < 4096; i++) - array_locked[i] = 'd'; + for (i = 0; i < 4096; i++) + array_locked[i] = 'd'; - ret = mlock((void *)PAGE_ALIGN((unsigned long)array_locked), sizeof(array_locked)); - if (ret) - perror("mlock"); + ret = mlock((void *)PAGE_ALIGN((unsigned long)array_locked), sizeof(array_locked)); + if (ret) + perror("mlock"); - sleep (20); + sleep (20); - ret = madvise((void *)PAGE_ALIGN((unsigned long)array_locked), 4096, MADV_HWPOISON); - if (ret) - perror("madvise"); + ret = madvise((void *)PAGE_ALIGN((unsigned long)array_locked), 4096, MADV_HWPOISON); + if (ret) + perror("madvise"); - for (i = 0; i < 4096; i++) - array_locked[i] = 'd'; + for (i = 0; i < 4096; i++) + array_locked[i] = 'd'; - return 0; + return 0; } === 
@@ -75,27 +78,29 @@ kernel: [<ffffffff81215f08>] do_execve+0x28/0x30 kernel: [<ffffffff81095ddb>] call_usermodehelper_exec_async+0xfb/0x130 kernel: [<ffffffff8161c045>] ret_from_fork+0x55/0x80 -And that later confuses the hotremove path because an LRU page is +And that latter confuses the hotremove path because an LRU page is attempted to be migrated and that fails due to an elevated reference -count. It is quite possible that the reuse of the HWPoisoned page is -some kind of fixed race condition but I am not really sure about that. +count. It is quite possible that the reuse of the HWPoisoned page is some +kind of fixed race condition but I am not really sure about that. -With the upstream kernel the failure is slightly different. The page -doesn't seem to have LRU bit set but isolate_movable_page simply fails -and do_migrate_range simply puts all the isolated pages back to LRU and +With the upstream kernel the failure is slightly different. The page +doesn't seem to have LRU bit set but isolate_movable_page simply fails and +do_migrate_range simply puts all the isolated pages back to LRU and therefore no progress is made and scan_movable_pages finds same set of pages over and over again. -Fix both cases by explicitly checking HWPoisoned pages before we even -try to get a reference on the page, try to unmap it if it is still -mapped. As explained by Naoya +Fix both cases by explicitly checking HWPoisoned pages before we even try +to get reference on the page, try to unmap it if it is still mapped. As +explained by Naoya: + : Hwpoison code never unmapped those for no big reason because : Ksm pages never dominate memory, so we simply didn't have strong : motivation to save the pages. Also put WARN_ON(PageLRU) in case there is a race and we can hit LRU -HWPoison pages which shouldn't happen but I couldn't convince myself -about that. Naoya has noted the following +HWPoison pages which shouldn't happen but I couldn't convince myself about +that. 
Naoya has noted the following: + : Theoretically no such gurantee, because try_to_unmap() doesn't have a : guarantee of success and then memory_failure() returns immediately : when hwpoison_user_mappings fails. @@ -115,29 +120,35 @@ about that. Naoya has noted the following : So I think it's OK to keep "if (WARN_ON(PageLRU(page)))" block in : current version of your patch. -Debugged-by: Oscar Salvador <osalvador@suse.com> -Cc: stable +Link: http://lkml.kernel.org/r/20181206120135.14079-1-mhocko@kernel.org +Signed-off-by: Michal Hocko <mhocko@suse.com> Reviewed-by: Oscar Salvador <osalvador@suse.com> +Debugged-by: Oscar Salvador <osalvador@suse.com> Tested-by: Oscar Salvador <osalvador@suse.com> Acked-by: David Hildenbrand <david@redhat.com> Acked-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com> -Signed-off-by: Michal Hocko <mhocko@suse.com> - +Cc: <stable@vger.kernel.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- - mm/memory_hotplug.c | 16 ++++++++++++++++ + mm/memory_hotplug.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) +diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c +index a18923e4359d..0addef5f8aa3 100644 --- a/mm/memory_hotplug.c +++ b/mm/memory_hotplug.c -@@ -34,6 +34,7 @@ +@@ -32,6 +32,7 @@ + #include <linux/hugetlb.h> #include <linux/memblock.h> #include <linux/bootmem.h> - #include <linux/compaction.h> +#include <linux/rmap.h> #include <asm/tlbflush.h> -@@ -1453,6 +1454,21 @@ do_migrate_range(unsigned long start_pfn +@@ -1471,6 +1472,21 @@ do_migrate_range(unsigned long start_pfn, unsigned long end_pfn) continue; } @@ -159,3 +170,6 @@ Signed-off-by: Michal Hocko <mhocko@suse.com> if (!get_page_unless_zero(page)) continue; /* +-- +2.20.1 + 
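Review bot: in zfcp_status_read_refill() (drivers/s390/scsi/zfcp_aux.c, patch 4.4.170-063), the failure path still separates the counter update from the threshold test: `atomic_inc(&adapter->stat_miss);` is followed by an independent `atomic_read(&adapter->stat_miss) >= adapter->stat_read_buf_num`, so with the ERP thread and stat_work running in parallel, as the commit message describes, the read can reflect the other context's update rather than this one's. Testing the value returned by atomic_inc_return() would tie the reopen decision to the count this context produced. The `/* undo add -1 */` comment helps; a line above the while loop saying that atomic_add_unless() reserves one missing SRB before posting it would make the pairing obvious.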
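Review bot: in copy_process() (kernel/fork.c, patch 4.4.170-064), the new comment states an invariant, no synchronous user-space communication between the start_time assignment and taking the tasklist lock, that nothing in the hunk enforces; a later change that adds a blocking call in that window would quietly bring back the controllable start_time the commit message describes. Naming the stall point from the commit message (copy_thread_tls()) in the comment would tell future reviewers what to look for, and the two assignments should stay as close to the tasklist lock acquisition as the error paths allow. The comment also writes "tasklist-lock" and "start-time" where the surrounding context lines use "tasklist lock" and start_time.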
diff --git a/patches.kernel.org/4.4.170-067-mm-devm_memremap_pages-kill-mapping-System-RA.patch b/patches.kernel.org/4.4.170-067-mm-devm_memremap_pages-kill-mapping-System-RA.patch new file mode 100644 index 0000000000..5c3dda2d35 --- /dev/null +++ b/patches.kernel.org/4.4.170-067-mm-devm_memremap_pages-kill-mapping-System-RA.patch 
@@ -0,0 +1,65 @@ +From: Dan Williams <dan.j.williams@intel.com> +Date: Fri, 28 Dec 2018 00:34:54 -0800 +Subject: [PATCH] mm, devm_memremap_pages: kill mapping "System RAM" support +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 06489cfbd915ff36c8e36df27f1c2dc60f97ca56 + +commit 06489cfbd915ff36c8e36df27f1c2dc60f97ca56 upstream. + +Given the fact that devm_memremap_pages() requires a percpu_ref that is +torn down by devm_memremap_pages_release() the current support for mapping +RAM is broken. + +Support for remapping "System RAM" has been broken since the beginning and +there is no existing user of this this code path, so just kill the support +and make it an explicit error. + +This cleanup also simplifies a follow-on patch to fix the error path when +setting a devm release action for devm_memremap_pages_release() fails. + +Link: http://lkml.kernel.org/r/154275557997.76910.14689813630968180480.stgit@dwillia2-desk3.amr.corp.intel.com +Signed-off-by: Dan Williams <dan.j.williams@intel.com> +Reviewed-by: "Jérôme Glisse" <jglisse@redhat.com> +Reviewed-by: Christoph Hellwig <hch@lst.de> +Reviewed-by: Logan Gunthorpe <logang@deltatee.com> +Cc: Balbir Singh <bsingharora@gmail.com> +Cc: Michal Hocko <mhocko@suse.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + kernel/memremap.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/kernel/memremap.c b/kernel/memremap.c +index 71d28a5dbfc2..1be42f9b3e00 100644 +--- a/kernel/memremap.c ++++ b/kernel/memremap.c +@@ -171,15 +171,12 @@ void *devm_memremap_pages(struct device *dev, struct resource *res) + struct page_map *page_map; + int error, nid; + +- if (is_ram == REGION_MIXED) 
{ +- WARN_ONCE(1, "%s attempted on mixed region %pr\n", +- __func__, res); ++ if (is_ram != REGION_DISJOINT) { ++ WARN_ONCE(1, "%s attempted on %s region %pr\n", __func__, ++ is_ram == REGION_MIXED ? "mixed" : "ram", res); + return ERR_PTR(-ENXIO); + } + +- if (is_ram == REGION_INTERSECTS) +- return __va(res->start); +- + page_map = devres_alloc_node(devm_memremap_pages_release, + sizeof(*page_map), GFP_KERNEL, dev_to_node(dev)); + if (!page_map) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-068-sunrpc-fix-cache_head-leak-due-to-queued-requ.patch b/patches.kernel.org/4.4.170-068-sunrpc-fix-cache_head-leak-due-to-queued-requ.patch new file mode 100644 index 0000000000..bcbd91e004 --- /dev/null +++ b/patches.kernel.org/4.4.170-068-sunrpc-fix-cache_head-leak-due-to-queued-requ.patch 
@@ -0,0 +1,74 @@ +From: Vasily Averin <vvs@virtuozzo.com> +Date: Wed, 28 Nov 2018 11:45:57 +0300 +Subject: [PATCH] sunrpc: fix cache_head leak due to queued request +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 4ecd55ea074217473f94cfee21bb72864d39f8d7 + +commit 4ecd55ea074217473f94cfee21bb72864d39f8d7 upstream. + +After commit d202cce8963d, an expired cache_head can be removed from the +cache_detail's hash. + +However, the expired cache_head may be waiting for a reply from a +previously submitted request. Such a cache_head has an increased +refcounter and therefore it won't be freed after cache_put(freeme). + +Because the cache_head was removed from the hash it cannot be found +during cache_clean() and can be leaked forever, together with stalled +cache_request and other taken resources. + +In our case we noticed it because an entry in the export cache was +holding a reference on a filesystem. + +Fixes d202cce8963d ("sunrpc: never return expired entries in sunrpc_cache_lookup") +Cc: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> +Cc: stable@kernel.org # 2.6.35 +Signed-off-by: Vasily Averin <vvs@virtuozzo.com> +Reviewed-by: NeilBrown <neilb@suse.com> +Signed-off-by: J. 
Bruce Fields <bfields@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/sunrpc/cache.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c +index 63fb5ee212cf..af17b00145e1 100644 +--- a/net/sunrpc/cache.c ++++ b/net/sunrpc/cache.c +@@ -54,6 +54,11 @@ static void cache_init(struct cache_head *h, struct cache_detail *detail) + h->last_refresh = now; + } + ++static void cache_fresh_locked(struct cache_head *head, time_t expiry, ++ struct cache_detail *detail); ++static void cache_fresh_unlocked(struct cache_head *head, ++ struct cache_detail *detail); ++ + struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail, + struct cache_head *key, int hash) + { +@@ -95,6 +100,7 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail, + if (cache_is_expired(detail, tmp)) { + hlist_del_init(&tmp->cache_list); + detail->entries --; ++ cache_fresh_locked(tmp, 0, detail); + freeme = tmp; + break; + } +@@ -110,8 +116,10 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail, + cache_get(new); + write_unlock(&detail->hash_lock); + +- if (freeme) ++ if (freeme) { ++ cache_fresh_unlocked(freeme, detail); + cache_put(freeme, detail); ++ } + return new; + } + EXPORT_SYMBOL_GPL(sunrpc_cache_lookup); +-- +2.20.1 + diff --git a/patches.fixes/sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch b/patches.kernel.org/4.4.170-069-sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch index ba4231c4ba..a7ac7feeb7 100644 --- a/patches.fixes/sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch +++ b/patches.kernel.org/4.4.170-069-sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch @@ -1,21 +1,26 @@ 
From: Vasily Averin <vvs@virtuozzo.com> Date: Mon, 24 Dec 2018 14:44:42 +0300 Subject: [PATCH] sunrpc: use SVC_NET() in svcauth_gss_* functions -Patch-mainline: Submitted, Mon, 24 Dec 2018 14:44:42 +0300 - linux-nfs@vger.kernel.org -References: bsc#1119946 CVE-2018-16884 +References: bnc#1012382 bsc#1119946 CVE-2018-16884 +Patch-mainline: 4.4.170 +Git-commit: b8be5674fa9a6f3677865ea93f7803c4212f3e10 +commit b8be5674fa9a6f3677865ea93f7803c4212f3e10 upstream. Signed-off-by: Vasily Averin <vvs@virtuozzo.com> -Signed-off-by: NeilBrown <neilb@suse.com> -Acked-by: NeilBrown <neilb@suse.com> - +Cc: stable@vger.kernel.org +Signed-off-by: J. Bruce Fields <bfields@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- - net/sunrpc/auth_gss/svcauth_gss.c | 8 ++++---- + net/sunrpc/auth_gss/svcauth_gss.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) +diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c +index 036bbf2b44c1..b5291ea54a3d 100644 --- a/net/sunrpc/auth_gss/svcauth_gss.c +++ b/net/sunrpc/auth_gss/svcauth_gss.c -@@ -1104,7 +1104,7 @@ static int svcauth_gss_legacy_init(struc +@@ -1105,7 +1105,7 @@ static int svcauth_gss_legacy_init(struct svc_rqst *rqstp, struct kvec *resv = &rqstp->rq_res.head[0]; struct rsi *rsip, rsikey; int ret; @@ -24,7 +29,7 @@ Acked-by: NeilBrown <neilb@suse.com> memset(&rsikey, 0, sizeof(rsikey)); ret = gss_read_verf(gc, argv, authp, -@@ -1215,7 +1215,7 @@ static int svcauth_gss_proxy_init(struct +@@ -1216,7 +1216,7 @@ static int svcauth_gss_proxy_init(struct svc_rqst *rqstp, uint64_t handle; int status; int ret; 
@@ -33,7 +38,7 @@ Acked-by: NeilBrown <neilb@suse.com> struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); memset(&ud, 0, sizeof(ud)); -@@ -1405,7 +1405,7 @@ svcauth_gss_accept(struct svc_rqst *rqst +@@ -1406,7 +1406,7 @@ svcauth_gss_accept(struct svc_rqst *rqstp, __be32 *authp) __be32 *rpcstart; __be32 *reject_stat = resv->iov_base + resv->iov_len; int ret; @@ -42,7 +47,7 @@ Acked-by: NeilBrown <neilb@suse.com> dprintk("RPC: svcauth_gss: argv->iov_len = %zd\n", argv->iov_len); -@@ -1693,7 +1693,7 @@ svcauth_gss_release(struct svc_rqst *rqs +@@ -1694,7 +1694,7 @@ svcauth_gss_release(struct svc_rqst *rqstp) struct rpc_gss_wire_cred *gc = &gsd->clcred; struct xdr_buf *resbuf = &rqstp->rq_res; int stat = -EINVAL; @@ -51,3 +56,6 @@ Acked-by: NeilBrown <neilb@suse.com> if (gc->gc_proc != RPC_GSS_PROC_DATA) goto out; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-070-crypto-x86-chacha20-avoid-sleeping-with-preem.patch b/patches.kernel.org/4.4.170-070-crypto-x86-chacha20-avoid-sleeping-with-preem.patch new file mode 100644 index 0000000000..3f95bde17f --- /dev/null +++ b/patches.kernel.org/4.4.170-070-crypto-x86-chacha20-avoid-sleeping-with-preem.patch 
@@ -0,0 +1,43 @@ +From: Eric Biggers <ebiggers@google.com> +Date: Mon, 7 Jan 2019 15:15:59 -0800 +Subject: [PATCH] crypto: x86/chacha20 - avoid sleeping with preemption + disabled +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 557f16c7fe26a2d16013c2821c5ce5a90a7da97e + +In chacha20-simd, clear the MAY_SLEEP flag in the blkcipher_desc to +prevent sleeping with preemption disabled, under kernel_fpu_begin(). + +This was fixed upstream incidentally by a large refactoring, +commit 9ae433bc79f9 ("crypto: chacha20 - convert generic and x86 +versions to skcipher"). But syzkaller easily trips over this when +running on older kernels, as it's easily reachable via AF_ALG. +Therefore, this patch makes the minimal fix for older kernels. + +Fixes: c9320b6dcb89 ("crypto: chacha20 - Add a SSSE3 SIMD variant for x86_64") +Cc: linux-crypto@vger.kernel.org +Cc: Martin Willi <martin@strongswan.org> +Signed-off-by: Eric Biggers <ebiggers@google.com> +Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + arch/x86/crypto/chacha20_glue.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/crypto/chacha20_glue.c b/arch/x86/crypto/chacha20_glue.c +index 8baaff5af0b5..75b9d43069f1 100644 +--- a/arch/x86/crypto/chacha20_glue.c ++++ b/arch/x86/crypto/chacha20_glue.c +@@ -77,6 +77,7 @@ static int chacha20_simd(struct blkcipher_desc *desc, struct scatterlist *dst, + + blkcipher_walk_init(&walk, dst, src, nbytes); + err = blkcipher_walk_virt_block(desc, &walk, CHACHA20_BLOCK_SIZE); ++ desc->flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP; + + crypto_chacha20_init(state, crypto_blkcipher_ctx(desc->tfm), walk.iv); + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-071-ALSA-cs46xx-Potential-NULL-dereference-in-pro.patch b/patches.kernel.org/4.4.170-071-ALSA-cs46xx-Potential-NULL-dereference-in-pro.patch new file mode 100644 index 0000000000..50b46a3d02 --- /dev/null 
+++ b/patches.kernel.org/4.4.170-071-ALSA-cs46xx-Potential-NULL-dereference-in-pro.patch @@ -0,0 +1,39 @@ +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Tue, 8 Jan 2019 10:43:30 +0300 +Subject: [PATCH] ALSA: cs46xx: Potential NULL dereference in probe +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 1524f4e47f90b27a3ac84efbdd94c63172246a6f + +commit 1524f4e47f90b27a3ac84efbdd94c63172246a6f upstream. + +The "chip->dsp_spos_instance" can be NULL on some of the ealier error +paths in snd_cs46xx_create(). + +Reported-by: "Yavuz, Tuba" <tuba@ece.ufl.edu> +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/pci/cs46xx/dsp_spos.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/pci/cs46xx/dsp_spos.c b/sound/pci/cs46xx/dsp_spos.c +index d2951ed4bf71..1984291ebd07 100644 +--- a/sound/pci/cs46xx/dsp_spos.c ++++ b/sound/pci/cs46xx/dsp_spos.c +@@ -899,6 +899,9 @@ int cs46xx_dsp_proc_done (struct snd_cs46xx *chip) + struct dsp_spos_instance * ins = chip->dsp_spos_instance; + int i; + ++ if (!ins) ++ return 0; ++ + snd_info_free_entry(ins->proc_sym_info_entry); + ins->proc_sym_info_entry = NULL; + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-072-ALSA-usb-audio-Avoid-access-before-bLength-ch.patch b/patches.kernel.org/4.4.170-072-ALSA-usb-audio-Avoid-access-before-bLength-ch.patch new file mode 100644 index 0000000000..0bf9c172d3 --- /dev/null +++ b/patches.kernel.org/4.4.170-072-ALSA-usb-audio-Avoid-access-before-bLength-ch.patch 
@@ -0,0 +1,54 @@ +From: Takashi Iwai <tiwai@suse.de> +Date: Wed, 19 Dec 2018 12:36:27 +0100 +Subject: [PATCH] ALSA: usb-audio: Avoid access before bLength check in + build_audio_procunit() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: f4351a199cc120ff9d59e06d02e8657d08e6cc46 + +commit f4351a199cc120ff9d59e06d02e8657d08e6cc46 upstream. + +The parser for the processing unit reads bNrInPins field before the +bLength sanity check, which may lead to an out-of-bound access when a +malformed descriptor is given. Fix it by assignment after the bLength +check. + +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/usb/mixer.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index 97d6a18e6956..f7eb0d2f797b 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1816,7 +1816,7 @@ static int build_audio_procunit(struct mixer_build *state, int unitid, + char *name) + { + struct uac_processing_unit_descriptor *desc = raw_desc; +- int num_ins = desc->bNrInPins; ++ int num_ins; + struct usb_mixer_elem_info *cval; + struct snd_kcontrol *kctl; + int i, err, nameid, type, len; +@@ -1831,7 +1831,13 @@ static int build_audio_procunit(struct mixer_build *state, int unitid, + 0, NULL, default_value_info + }; + +- if (desc->bLength < 13 || desc->bLength < 13 + num_ins || ++ if (desc->bLength < 13) { ++ usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid); ++ return -EINVAL; ++ } ++ ++ num_ins = desc->bNrInPins; ++ if (desc->bLength < 13 + num_ins || + desc->bLength < num_ins + uac_processing_unit_bControlSize(desc, state->mixer->protocol)) { + usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid); + return -EINVAL; +-- +2.20.1 + 
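Review bot: in build_audio_procunit() the new `desc->bLength < 13` branch and the combined check that follows it log the identical string "invalid %s descriptor (id %d)", so the log alone cannot tell whether a device was rejected for a short header or for the bNrInPins/bControlSize check. Consider distinct messages, or include bLength and num_ins in the text. The second condition also relies on `||` short-circuiting: uac_processing_unit_bControlSize(), which takes desc, is only evaluated once `desc->bLength < 13 + num_ins` has been found false. A one-line comment stating that ordering requirement would keep a later reshuffle of the condition from reintroducing an access before the length check.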
diff --git a/patches.kernel.org/4.4.170-073-ALSA-usb-audio-Fix-an-out-of-bound-read-in-cr.patch b/patches.kernel.org/4.4.170-073-ALSA-usb-audio-Fix-an-out-of-bound-read-in-cr.patch new file mode 100644 index 0000000000..74e0bc687a --- /dev/null +++ b/patches.kernel.org/4.4.170-073-ALSA-usb-audio-Fix-an-out-of-bound-read-in-cr.patch @@ -0,0 +1,51 @@ +From: Hui Peng <benquike@163.com> +Date: Tue, 25 Dec 2018 18:11:52 -0500 +Subject: [PATCH] ALSA: usb-audio: Fix an out-of-bound read in + create_composite_quirks +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: cbb2ebf70daf7f7d97d3811a2ff8e39655b8c184 + +commit cbb2ebf70daf7f7d97d3811a2ff8e39655b8c184 upstream. + +In `create_composite_quirk`, the terminating condition of for loops is +`quirk->ifnum < 0`. So any composite quirks should end with `struct +snd_usb_audio_quirk` object with ifnum < 0. + + for (quirk = quirk_comp->data; quirk->ifnum >= 0; ++quirk) { + + ..... + } + +the data field of Bower's & Wilkins PX headphones usb device device quirks +do not end with {.ifnum = -1}, wihch may result in out-of-bound read. + +This Patch fix the bug by adding an ending quirk object. + +Fixes: 240a8af929c7 ("ALSA: usb-audio: Add a quirck for B&W PX headphones") +Signed-off-by: Hui Peng <benquike@163.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + sound/usb/quirks-table.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h +index 15cbe2565703..d32727c74a16 100644 +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -3321,6 +3321,9 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge", "HVR-950Q"), + } + } + }, ++ { ++ .ifnum = -1 ++ }, + } + } + }, +-- +2.20.1 + 
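Review bot: the added `{ .ifnum = -1 }` entry terminates this one table, but the loop quoted in the commit message (`quirk->ifnum >= 0`) has no other bound, so any composite quirk that is added later without a terminator will read past its array in the same way. It would be worth auditing the remaining composite entries in sound/usb/quirks-table.h as part of this change and saying in the message that this was done. The hunk header shows AU0828_DEVICE as context rather than the B&W PX entry the message describes, so a short comment on the new terminator, or the device's USB ID in the message, would make the location easy to verify.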
diff --git a/patches.kernel.org/4.4.170-074-dlm-fixed-memory-leaks-after-failed-ls_remove.patch b/patches.kernel.org/4.4.170-074-dlm-fixed-memory-leaks-after-failed-ls_remove.patch new file mode 100644 index 0000000000..9e0f6342ce --- /dev/null +++ b/patches.kernel.org/4.4.170-074-dlm-fixed-memory-leaks-after-failed-ls_remove.patch @@ -0,0 +1,46 @@ +From: Vasily Averin <vvs@virtuozzo.com> +Date: Thu, 15 Nov 2018 13:15:05 +0300 +Subject: [PATCH] dlm: fixed memory leaks after failed ls_remove_names + allocation +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: b982896cdb6e6a6b89d86dfb39df489d9df51e14 + +commit b982896cdb6e6a6b89d86dfb39df489d9df51e14 upstream. + +If allocation fails on last elements of array need to free already +allocated elements. + +v2: just move existing out_rsbtbl label to right place + +Fixes 789924ba635f ("dlm: fix race between remove and lookup") +Cc: stable@kernel.org # 3.6 + +Signed-off-by: Vasily Averin <vvs@virtuozzo.com> +Signed-off-by: David Teigland <teigland@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/dlm/lockspace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c +index f3e72787e7f9..30e4e01db35a 100644 +--- a/fs/dlm/lockspace.c ++++ b/fs/dlm/lockspace.c +@@ -673,11 +673,11 @@ static int new_lockspace(const char *name, const char *cluster, + kfree(ls->ls_recover_buf); + out_lkbidr: + idr_destroy(&ls->ls_lkbidr); ++ out_rsbtbl: + for (i = 0; i < DLM_REMOVE_NAMES_MAX; i++) { + if (ls->ls_remove_names[i]) + kfree(ls->ls_remove_names[i]); + } +- out_rsbtbl: + vfree(ls->ls_rsbtbl); + out_lsfree: + if (do_unreg) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-075-dlm-possible-memory-leak-on-error-path-in-cre.patch b/patches.kernel.org/4.4.170-075-dlm-possible-memory-leak-on-error-path-in-cre.patch new file mode 100644 index 0000000000..f6a3f03dc8 --- /dev/null 
+++ b/patches.kernel.org/4.4.170-075-dlm-possible-memory-leak-on-error-path-in-cre.patch @@ -0,0 +1,35 @@ +From: Vasily Averin <vvs@virtuozzo.com> +Date: Thu, 15 Nov 2018 13:18:18 +0300 +Subject: [PATCH] dlm: possible memory leak on error path in create_lkb() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 23851e978f31eda8b2d01bd410d3026659ca06c7 + +commit 23851e978f31eda8b2d01bd410d3026659ca06c7 upstream. + +Fixes 3d6aa675fff9 ("dlm: keep lkbs in idr") +Cc: stable@kernel.org # 3.1 + +Signed-off-by: Vasily Averin <vvs@virtuozzo.com> +Signed-off-by: David Teigland <teigland@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/dlm/lock.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c +index 35502d4046f5..1d404c832e33 100644 +--- a/fs/dlm/lock.c ++++ b/fs/dlm/lock.c +@@ -1210,6 +1210,7 @@ static int create_lkb(struct dlm_ls *ls, struct dlm_lkb **lkb_ret) + + if (rv < 0) { + log_error(ls, "create_lkb idr error %d", rv); ++ dlm_free_lkb(lkb); + return rv; + } + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-076-dlm-lost-put_lkb-on-error-path-in-receive_con.patch b/patches.kernel.org/4.4.170-076-dlm-lost-put_lkb-on-error-path-in-receive_con.patch new file mode 100644 index 0000000000..587a30980e --- /dev/null +++ b/patches.kernel.org/4.4.170-076-dlm-lost-put_lkb-on-error-path-in-receive_con.patch 
@@ -0,0 +1,44 @@ +From: Vasily Averin <vvs@virtuozzo.com> +Date: Thu, 15 Nov 2018 13:18:24 +0300 +Subject: [PATCH] dlm: lost put_lkb on error path in receive_convert() and + receive_unlock() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: c0174726c3976e67da8649ac62cae43220ae173a + +commit c0174726c3976e67da8649ac62cae43220ae173a upstream. + +Fixes 6d40c4a708e0 ("dlm: improve error and debug messages") +Cc: stable@kernel.org # 3.5 + +Signed-off-by: Vasily Averin <vvs@virtuozzo.com> +Signed-off-by: David Teigland <teigland@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/dlm/lock.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c +index 1d404c832e33..1e6a3a391849 100644 +--- a/fs/dlm/lock.c ++++ b/fs/dlm/lock.c +@@ -4178,6 +4178,7 @@ static int receive_convert(struct dlm_ls *ls, struct dlm_message *ms) + (unsigned long long)lkb->lkb_recover_seq, + ms->m_header.h_nodeid, ms->m_lkid); + error = -ENOENT; ++ dlm_put_lkb(lkb); + goto fail; + } + +@@ -4231,6 +4232,7 @@ static int receive_unlock(struct dlm_ls *ls, struct dlm_message *ms) + lkb->lkb_id, lkb->lkb_remid, + ms->m_header.h_nodeid, ms->m_lkid); + error = -ENOENT; ++ dlm_put_lkb(lkb); + goto fail; + } + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-077-dlm-memory-leaks-on-error-path-in-dlm_user_re.patch b/patches.kernel.org/4.4.170-077-dlm-memory-leaks-on-error-path-in-dlm_user_re.patch new file mode 100644 index 0000000000..5ea5b940ba --- /dev/null +++ b/patches.kernel.org/4.4.170-077-dlm-memory-leaks-on-error-path-in-dlm_user_re.patch 
@@ -0,0 +1,61 @@ +From: Vasily Averin <vvs@virtuozzo.com> +Date: Thu, 15 Nov 2018 13:18:56 +0300 +Subject: [PATCH] dlm: memory leaks on error path in dlm_user_request() +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: d47b41aceeadc6b58abc9c7c6485bef7cfb75636 + +commit d47b41aceeadc6b58abc9c7c6485bef7cfb75636 upstream. + +According to comment in dlm_user_request() ua should be freed +in dlm_free_lkb() after successful attach to lkb. + +However ua is attached to lkb not in set_lock_args() but later, +inside request_lock(). + +Fixes 597d0cae0f99 ("[DLM] dlm: user locks") +Cc: stable@kernel.org # 2.6.19 + +Signed-off-by: Vasily Averin <vvs@virtuozzo.com> +Signed-off-by: David Teigland <teigland@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/dlm/lock.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c +index 1e6a3a391849..3a7f401e943c 100644 +--- a/fs/dlm/lock.c ++++ b/fs/dlm/lock.c +@@ -5795,20 +5795,20 @@ int dlm_user_request(struct dlm_ls *ls, struct dlm_user_args *ua, + goto out; + } + } +- +- /* After ua is attached to lkb it will be freed by dlm_free_lkb(). +- When DLM_IFL_USER is set, the dlm knows that this is a userspace +- lock and that lkb_astparam is the dlm_user_args structure. */ +- + error = set_lock_args(mode, &ua->lksb, flags, namelen, timeout_cs, + fake_astfn, ua, fake_bastfn, &args); +- lkb->lkb_flags |= DLM_IFL_USER; +- + if (error) { ++ kfree(ua->lksb.sb_lvbptr); ++ ua->lksb.sb_lvbptr = NULL; ++ kfree(ua); + __put_lkb(ls, lkb); + goto out; + } + ++ /* After ua is attached to lkb it will be freed by dlm_free_lkb(). ++ When DLM_IFL_USER is set, the dlm knows that this is a userspace ++ lock and that lkb_astparam is the dlm_user_args structure. */ ++ lkb->lkb_flags |= DLM_IFL_USER; + error = request_lock(ls, lkb, name, namelen, &args); + + switch (error) { +-- +2.20.1 + 
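Review bot: in the new `if (error)` branch of dlm_user_request(), `ua->lksb.sb_lvbptr = NULL;` is a dead store because `kfree(ua)` follows on the next line; drop it, or keep it only if something after `goto out` can still reach ua. More importantly, this branch now frees the caller-supplied `ua`, while the relocated comment only describes the success case ("After ua is attached to lkb it will be freed by dlm_free_lkb()"). Please extend that comment to state that ua is also consumed on this failure path, so callers know not to free or reuse it after an error return. The earlier `goto out` visible at the top of the hunk should be checked against the same ownership rule.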
diff --git a/patches.kernel.org/4.4.170-078-gfs2-Fix-loop-in-gfs2_rbm_find.patch b/patches.kernel.org/4.4.170-078-gfs2-Fix-loop-in-gfs2_rbm_find.patch new file mode 100644 index 0000000000..65175eba55 --- /dev/null +++ b/patches.kernel.org/4.4.170-078-gfs2-Fix-loop-in-gfs2_rbm_find.patch @@ -0,0 +1,42 @@ +From: Andreas Gruenbacher <agruenba@redhat.com> +Date: Tue, 4 Dec 2018 15:06:27 +0100 +Subject: [PATCH] gfs2: Fix loop in gfs2_rbm_find +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 2d29f6b96d8f80322ed2dd895bca590491c38d34 + +commit 2d29f6b96d8f80322ed2dd895bca590491c38d34 upstream. + +Fix the resource group wrap-around logic in gfs2_rbm_find that commit +e579ed4f44 broke. The bug can lead to unnecessary repeated scanning of the +same bitmaps; there is a risk that future changes will turn this into an +endless loop. + +Fixes: e579ed4f44 ("GFS2: Introduce rbm field bii") +Cc: stable@vger.kernel.org # v3.13+ +Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> +Signed-off-by: Bob Peterson <rpeterso@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + fs/gfs2/rgrp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c +index ef24894edecc..763fe7737065 100644 +--- a/fs/gfs2/rgrp.c ++++ b/fs/gfs2/rgrp.c +@@ -1720,9 +1720,9 @@ static int gfs2_rbm_find(struct gfs2_rbm *rbm, u8 state, u32 *minext, + goto next_iter; + } + if (ret == -E2BIG) { ++ n += rbm->bii - initial_bii; + rbm->bii = 0; + rbm->offset = 0; +- n += (rbm->bii - initial_bii); + goto res_covered_end_of_rgrp; + } + return ret; +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-079-b43-Fix-error-in-cordic-routine.patch b/patches.kernel.org/4.4.170-079-b43-Fix-error-in-cordic-routine.patch new file mode 100644 index 0000000000..2557b80ccf --- /dev/null +++ b/patches.kernel.org/4.4.170-079-b43-Fix-error-in-cordic-routine.patch 
@@ -0,0 +1,48 @@ +From: Larry Finger <Larry.Finger@lwfinger.net> +Date: Mon, 19 Nov 2018 20:01:24 +0200 +Subject: [PATCH] b43: Fix error in cordic routine +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 8ea3819c0bbef57a51d8abe579e211033e861677 + +commit 8ea3819c0bbef57a51d8abe579e211033e861677 upstream. + +The cordic routine for calculating sines and cosines that was added in +commit 6f98e62a9f1b ("b43: update cordic code to match current specs") +contains an error whereby a quantity declared u32 can in fact go negative. + +This problem was detected by Priit Laes who is switching b43 to use the +routine in the library functions of the kernel. + +Fixes: 986504540306 ("b43: make cordic common (LP-PHY and N-PHY need it)") +Reported-by: Priit Laes <plaes@plaes.org> +Cc: Rafał Miłecki <zajec5@gmail.com> +Cc: Stable <stable@vger.kernel.org> # 2.6.34 +Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> +Signed-off-by: Priit Laes <plaes@plaes.org> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/net/wireless/b43/phy_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/b43/phy_common.c b/drivers/net/wireless/b43/phy_common.c +index ec2b9c577b90..3644c9edaf81 100644 +--- a/drivers/net/wireless/b43/phy_common.c ++++ b/drivers/net/wireless/b43/phy_common.c +@@ -616,7 +616,7 @@ struct b43_c32 b43_cordic(int theta) + u8 i; + s32 tmp; + s8 signx = 1; +- u32 angle = 0; ++ s32 angle = 0; + struct b43_c32 ret = { .i = 39797, .q = 0, }; + + while (theta > (180 << 16)) +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-080-9p-net-put-a-lower-bound-on-msize.patch b/patches.kernel.org/4.4.170-080-9p-net-put-a-lower-bound-on-msize.patch new file mode 100644 index 0000000000..d444f6b239 --- /dev/null 
+++ b/patches.kernel.org/4.4.170-080-9p-net-put-a-lower-bound-on-msize.patch 
@@ -0,0 +1,86 @@ +From: Dominique Martinet <dominique.martinet@cea.fr> +Date: Mon, 5 Nov 2018 09:52:48 +0100 +Subject: [PATCH] 9p/net: put a lower bound on msize +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: 574d356b7a02c7e1b01a1d9cba8a26b3c2888f45 + +commit 574d356b7a02c7e1b01a1d9cba8a26b3c2888f45 upstream. + +If the requested msize is too small (either from command line argument +or from the server version reply), we won't get any work done. +If it's *really* too small, nothing will work, and this got caught by +syzbot recently (on a new kmem_cache_create_usercopy() call) + +Just set a minimum msize to 4k in both code paths, until someone +complains they have a use-case for a smaller msize. + +We need to check in both mount option and server reply individually +because the msize for the first version request would be unchecked +with just a global check on clnt->msize. + +Link: http://lkml.kernel.org/r/1541407968-31350-1-git-send-email-asmadeus@codewreck.org +Reported-by: syzbot+0c1d61e4db7db94102ca@syzkaller.appspotmail.com +Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr> +Cc: Eric Van Hensbergen <ericvh@gmail.com> +Cc: Latchesar Ionkov <lucho@ionkov.net> +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + net/9p/client.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/net/9p/client.c b/net/9p/client.c +index ed8738c4dc09..8fba9cd973c1 100644 +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -156,6 +156,12 @@ static int parse_opts(char *opts, struct p9_client *clnt) + ret = r; + continue; + } ++ if (option < 4096) { ++ p9_debug(P9_DEBUG_ERROR, ++ "msize should be at least 4k\n"); ++ ret = -EINVAL; ++ continue; ++ } + clnt->msize = option; + break; + case Opt_trans: +@@ -972,10 +978,18 @@ static int p9_client_version(struct p9_client *c) + else if (!strncmp(version, "9P2000", 6)) + c->proto_version = 
p9_proto_legacy; + else { ++ p9_debug(P9_DEBUG_ERROR, ++ "server returned an unknown version: %s\n", version); + err = -EREMOTEIO; + goto error; + } + ++ if (msize < 4096) { ++ p9_debug(P9_DEBUG_ERROR, ++ "server returned a msize < 4096: %d\n", msize); ++ err = -EREMOTEIO; ++ goto error; ++ } + if (msize < c->msize) + c->msize = msize; + +@@ -1040,6 +1054,13 @@ struct p9_client *p9_client_create(const char *dev_name, char *options) + if (clnt->msize > clnt->trans_mod->maxsize) + clnt->msize = clnt->trans_mod->maxsize; + ++ if (clnt->msize < 4096) { ++ p9_debug(P9_DEBUG_ERROR, ++ "Please specify a msize of at least 4k\n"); ++ err = -EINVAL; ++ goto free_client; ++ } ++ + err = p9_client_version(clnt); + if (err) + goto close_trans; +-- +2.20.1 + diff --git a/patches.drivers/iommu-vt-d-handle-domain-agaw-being-less-than-iommu-agaw b/patches.kernel.org/4.4.170-081-iommu-vt-d-Handle-domain-agaw-being-less-than.patch index 5ea5bb81ef..42b1e88d82 100644 --- a/patches.drivers/iommu-vt-d-handle-domain-agaw-being-less-than-iommu-agaw +++ b/patches.kernel.org/4.4.170-081-iommu-vt-d-Handle-domain-agaw-being-less-than.patch @@ -1,9 +1,11 @@ From: Sohil Mehta <sohil.mehta@intel.com> Date: Wed, 21 Nov 2018 15:29:33 -0800 -Subject: iommu/vt-d: Handle domain agaw being less than iommu agaw +Subject: [PATCH] iommu/vt-d: Handle domain agaw being less than iommu agaw +Patch-mainline: 4.4.170 +References: bnc#1012382 bsc#1106105 Git-commit: 3569dd07aaad71920c5ea4da2d5cc9a167c1ffd4 -Patch-mainline: v5.0-rc1 -References: bsc#1106105 + +commit 3569dd07aaad71920c5ea4da2d5cc9a167c1ffd4 upstream. The Intel IOMMU driver opportunistically skips a few top level page tables from the domain paging directory while programming the IOMMU @@ -29,15 +31,17 @@ Reported-by: Ramos Falcon, Ernesto R <ernesto.r.ramos.falcon@intel.com> Tested-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com> Signed-off-by: Sohil Mehta <sohil.mehta@intel.com> 
Signed-off-by: Joerg Roedel <jroedel@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- drivers/iommu/intel-iommu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c -index f3ccf025108b..fdf79baf1d79 100644 +index 7feaa82f8c7c..8b4a4d95669a 100644 --- a/drivers/iommu/intel-iommu.c +++ b/drivers/iommu/intel-iommu.c -@@ -2044,7 +2044,7 @@ static int domain_context_mapping_one(struct dmar_domain *domain, +@@ -2041,7 +2041,7 @@ static int domain_context_mapping_one(struct dmar_domain *domain, * than default. Unnecessary for PT mode. */ if (translation != CONTEXT_TT_PASS_THROUGH) { @@ -46,7 +50,7 @@ index f3ccf025108b..fdf79baf1d79 100644 ret = -ENOMEM; pgd = phys_to_virt(dma_pte_addr(pgd)); if (!dma_pte_present(pgd)) -@@ -2058,7 +2058,7 @@ static int domain_context_mapping_one(struct dmar_domain *domain, +@@ -2055,7 +2055,7 @@ static int domain_context_mapping_one(struct dmar_domain *domain, translation = CONTEXT_TT_MULTI_LEVEL; context_set_address_root(context, virt_to_phys(pgd)); @@ -55,4 +59,6 @@ index f3ccf025108b..fdf79baf1d79 100644 } else { /* * In pass through mode, AW must be programmed to +-- +2.20.1 diff --git a/patches.fixes/ceph-don-t-update-importing-cap-s-mseq-when-handing-cap-export.patch b/patches.kernel.org/4.4.170-082-ceph-don-t-update-importing-cap-s-mseq-when-h.patch index 6d6a130efa..14884e1afa 100644 --- a/patches.fixes/ceph-don-t-update-importing-cap-s-mseq-when-handing-cap-export.patch +++ b/patches.kernel.org/4.4.170-082-ceph-don-t-update-importing-cap-s-mseq-when-h.patch @@ -1,9 +1,12 @@ 
From: "Yan, Zheng" <zyan@redhat.com> Date: Thu, 29 Nov 2018 11:22:50 +0800 -Subject: ceph: don't update importing cap's mseq when handing cap export +Subject: [PATCH] ceph: don't update importing cap's mseq when handing cap + export +Patch-mainline: 4.4.170 +References: bnc#1012382 bsc#1121275 Git-commit: 3c1392d4c49962a31874af14ae9ff289cb2b3851 -Patch-mainline: v5.0-rc1 -References: bsc#1121275 + +commit 3c1392d4c49962a31874af14ae9ff289cb2b3851 upstream. Updating mseq makes client think importer mds has accepted all prior cap messages and importer mds knows what caps client wants. Actually @@ -15,16 +18,17 @@ reset by cap import message. Cc: stable@vger.kernel.org Signed-off-by: "Yan, Zheng" <zyan@redhat.com> Signed-off-by: Ilya Dryomov <idryomov@gmail.com> -Acked-by: Luis Henriques <lhenriques@suse.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> --- fs/ceph/caps.c | 1 - 1 file changed, 1 deletion(-) diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c -index f3496db4bb3e..a58666a3f8dd 100644 +index 0e3de1bb6500..e7b54514d99a 100644 --- a/fs/ceph/caps.c +++ b/fs/ceph/caps.c -@@ -3569,7 +3569,6 @@ static void handle_cap_export(struct inode *inode, struct ceph_mds_caps *ex, +@@ -3243,7 +3243,6 @@ static void handle_cap_export(struct inode *inode, struct ceph_mds_caps *ex, tcap->cap_id = t_cap_id; tcap->seq = t_seq - 1; tcap->issue_seq = t_seq - 1; @@ -32,4 +36,6 @@ index f3496db4bb3e..a58666a3f8dd 100644 tcap->issued |= issued; tcap->implemented |= issued; if (cap == ci->i_auth_cap) +-- +2.20.1 diff --git a/patches.kernel.org/4.4.170-083-genwqe-Fix-size-check.patch b/patches.kernel.org/4.4.170-083-genwqe-Fix-size-check.patch new file mode 100644 index 0000000000..653d40ca2b --- /dev/null +++ b/patches.kernel.org/4.4.170-083-genwqe-Fix-size-check.patch 
@@ -0,0 +1,70 @@ +From: Christian Borntraeger <borntraeger@de.ibm.com> +Date: Wed, 12 Dec 2018 14:45:18 +0100 +Subject: [PATCH] genwqe: Fix size check +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: fdd669684655c07dacbdb0d753fd13833de69a33 + +commit fdd669684655c07dacbdb0d753fd13833de69a33 upstream. + +Calling the test program genwqe_cksum with the default buffer size of +2MB triggers the following kernel warning on s390: + +WARNING: CPU: 30 PID: 9311 at mm/page_alloc.c:3189 __alloc_pages_nodemask+0x45c/0xbe0 +CPU: 30 PID: 9311 Comm: genwqe_cksum Kdump: loaded Not tainted 3.10.0-957.el7.s390x #1 +task: 00000005e5d13980 ti: 00000005e7c6c000 task.ti: 00000005e7c6c000 +Krnl PSW : 0704c00180000000 00000000002780ac (__alloc_pages_nodemask+0x45c/0xbe0) + R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 EA:3 +Krnl GPRS: 00000000002932b8 0000000000b73d7c 0000000000000010 0000000000000009 + 0000000000000041 00000005e7c6f9b8 0000000000000001 00000000000080d0 + 0000000000000000 0000000000b70500 0000000000000001 0000000000000000 + 0000000000b70528 00000000007682c0 0000000000277df2 00000005e7c6f9a0 +Krnl Code: 000000000027809e: de7195001000 ed 1280(114,%r9),0(%r1) + 00000000002780a4: a774fead brc 7,277dfe + #00000000002780a8: a7f40001 brc 15,2780aa + >00000000002780ac: 92011000 mvi 0(%r1),1 + 00000000002780b0: a7f4fea7 brc 15,277dfe + 00000000002780b4: 9101c6b6 tm 1718(%r12),1 + 00000000002780b8: a784ff3a brc 8,277f2c + 00000000002780bc: a7f4fe2e brc 15,277d18 +Call Trace: +([<0000000000277df2>] __alloc_pages_nodemask+0x1a2/0xbe0) + [<000000000013afae>] s390_dma_alloc+0xfe/0x310 + [<000003ff8065f362>] __genwqe_alloc_consistent+0xfa/0x148 [genwqe_card] + [<000003ff80658f7a>] genwqe_mmap+0xca/0x248 [genwqe_card] + [<00000000002b2712>] mmap_region+0x4e2/0x778 + [<00000000002b2c54>] do_mmap+0x2ac/0x3e0 + [<0000000000292d7e>] vm_mmap_pgoff+0xd6/0x118 + [<00000000002b081c>] SyS_mmap_pgoff+0xdc/0x268 + [<00000000002b0a34>] SyS_old_mmap+0x8c/0xb0 + [<000000000074e518>] 
sysc_tracego+0x14/0x1e + [<000003ffacf87dc6>] 0x3ffacf87dc6 + +turns out the check in __genwqe_alloc_consistent uses "> MAX_ORDER" +while the mm code uses ">= MAX_ORDER". Fix genwqe. + +Cc: stable@vger.kernel.org +Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> +Signed-off-by: Frank Haverkamp <haver@linux.vnet.ibm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/misc/genwqe/card_utils.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/misc/genwqe/card_utils.c b/drivers/misc/genwqe/card_utils.c +index 524660510599..0c15ba21fa54 100644 +--- a/drivers/misc/genwqe/card_utils.c ++++ b/drivers/misc/genwqe/card_utils.c +@@ -217,7 +217,7 @@ u32 genwqe_crc32(u8 *buff, size_t len, u32 init) + void *__genwqe_alloc_consistent(struct genwqe_dev *cd, size_t size, + dma_addr_t *dma_handle) + { +- if (get_order(size) > MAX_ORDER) ++ if (get_order(size) >= MAX_ORDER) + return NULL; + + return dma_alloc_coherent(&cd->pci_dev->dev, size, dma_handle, +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-084-intel_th-msu-Fix-an-off-by-one-in-attribute-s.patch b/patches.kernel.org/4.4.170-084-intel_th-msu-Fix-an-off-by-one-in-attribute-s.patch new file mode 100644 index 0000000000..5ab97df4ba --- /dev/null +++ b/patches.kernel.org/4.4.170-084-intel_th-msu-Fix-an-off-by-one-in-attribute-s.patch 
@@ -0,0 +1,57 @@ +From: Alexander Shishkin <alexander.shishkin@linux.intel.com> +Date: Wed, 19 Dec 2018 17:19:22 +0200 +Subject: [PATCH] intel_th: msu: Fix an off-by-one in attribute store +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: ec5b5ad6e272d8d6b92d1007f79574919862a2d2 + +commit ec5b5ad6e272d8d6b92d1007f79574919862a2d2 upstream. + +The 'nr_pages' attribute of the 'msc' subdevices parses a comma-separated +list of window sizes, passed from userspace. However, there is a bug in +the string parsing logic wherein it doesn't exclude the comma character +from the range of characters as it consumes them. This leads to an +out-of-bounds access given a sufficiently long list. For example: + +> # echo 8,8,8,8 > /sys/bus/intel_th/devices/0-msc0/nr_pages +> ================================================================== +> BUG: KASAN: slab-out-of-bounds in memchr+0x1e/0x40 +> Read of size 1 at addr ffff8803ffcebcd1 by task sh/825 +> +> CPU: 3 PID: 825 Comm: npktest.sh Tainted: G W 4.20.0-rc1+ +> Call Trace: +> dump_stack+0x7c/0xc0 +> print_address_description+0x6c/0x23c +> ? memchr+0x1e/0x40 +> kasan_report.cold.5+0x241/0x308 +> memchr+0x1e/0x40 +> nr_pages_store+0x203/0xd00 [intel_th_msu] + +Fix this by accounting for the comma character. 
+ +Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com> +Fixes: ba82664c134ef ("intel_th: Add Memory Storage Unit driver") +Cc: stable@vger.kernel.org # v4.4+ +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/hwtracing/intel_th/msu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwtracing/intel_th/msu.c b/drivers/hwtracing/intel_th/msu.c +index 70ca27e45602..9d9e47eb0842 100644 +--- a/drivers/hwtracing/intel_th/msu.c ++++ b/drivers/hwtracing/intel_th/msu.c +@@ -1418,7 +1418,8 @@ nr_pages_store(struct device *dev, struct device_attribute *attr, + if (!end) + break; + +- len -= end - p; ++ /* consume the number and the following comma, hence +1 */ ++ len -= end - p + 1; + p = end + 1; + } while (len); + +-- +2.20.1 + diff --git a/patches.kernel.org/4.4.170-085-power-supply-olpc_battery-correct-the-tempera.patch b/patches.kernel.org/4.4.170-085-power-supply-olpc_battery-correct-the-tempera.patch new file mode 100644 index 0000000000..bee05dee49 --- /dev/null +++ b/patches.kernel.org/4.4.170-085-power-supply-olpc_battery-correct-the-tempera.patch 
@@ -0,0 +1,56 @@ +From: Lubomir Rintel <lkundrak@v3.sk> +Date: Fri, 16 Nov 2018 17:23:47 +0100 +Subject: [PATCH] power: supply: olpc_battery: correct the temperature units +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: ed54ffbe554f0902689fd6d1712bbacbacd11376 + +commit ed54ffbe554f0902689fd6d1712bbacbacd11376 upstream. + +According to [1] and [2], the temperature values are in tenths of degree +Celsius. Exposing the Celsius value makes the battery appear on fire: + + $ upower -i /org/freedesktop/UPower/devices/battery_olpc_battery + ... + temperature: 236.9 degrees C + +Tested on OLPC XO-1 and OLPC XO-1.75 laptops. + +[1] include/linux/power_supply.h +[2] Documentation/power/power_supply_class.txt + +Fixes: fb972873a767 ("[BATTERY] One Laptop Per Child power/battery driver") +Cc: stable@vger.kernel.org +Signed-off-by: Lubomir Rintel <lkundrak@v3.sk> +Acked-by: Pavel Machek <pavel@ucw.cz> +Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + drivers/power/olpc_battery.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/olpc_battery.c b/drivers/power/olpc_battery.c +index 9e29b1321648..15783869e1a0 100644 +--- a/drivers/power/olpc_battery.c ++++ b/drivers/power/olpc_battery.c +@@ -427,14 +427,14 @@ static int olpc_bat_get_property(struct power_supply *psy, + if (ret) + return ret; + +- val->intval = (s16)be16_to_cpu(ec_word) * 100 / 256; ++ val->intval = (s16)be16_to_cpu(ec_word) * 10 / 256; + break; + case POWER_SUPPLY_PROP_TEMP_AMBIENT: + ret = olpc_ec_cmd(EC_AMB_TEMP, NULL, 0, (void *)&ec_word, 2); + if (ret) + return ret; + +- val->intval = (int)be16_to_cpu(ec_word) * 100 / 256; ++ val->intval = (int)be16_to_cpu(ec_word) * 10 / 256; + break; + case POWER_SUPPLY_PROP_CHARGE_COUNTER: + ret = olpc_ec_cmd(EC_BAT_ACR, NULL, 0, (void *)&ec_word, 2); +-- +2.20.1 + 
diff --git a/patches.kernel.org/4.4.170-086-Linux-4.4.170.patch b/patches.kernel.org/4.4.170-086-Linux-4.4.170.patch new file mode 100644 index 0000000000..5c5018f9c9 --- /dev/null +++ b/patches.kernel.org/4.4.170-086-Linux-4.4.170.patch @@ -0,0 +1,27 @@ +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Date: Sun, 13 Jan 2019 10:05:34 +0100 +Subject: [PATCH] Linux 4.4.170 +References: bnc#1012382 +Patch-mainline: 4.4.170 +Git-commit: b83b3fa78445387f351cef477a112e503d72b9f0 + +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 0d41b0626c0c..bc58f206c0da 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 169 ++SUBLEVEL = 170 + EXTRAVERSION = + NAME = Blurry Fish Butt + +-- +2.20.1 + diff --git a/patches.suse/0046-perf-tools-omit-unnecessary-cast-in-perf_pmu__parse_scale b/patches.suse/0046-perf-tools-omit-unnecessary-cast-in-perf_pmu__parse_scale index 39475866e0..78522abe34 100644 --- a/patches.suse/0046-perf-tools-omit-unnecessary-cast-in-perf_pmu__parse_scale +++ b/patches.suse/0046-perf-tools-omit-unnecessary-cast-in-perf_pmu__parse_scale @@ -19,23 +19,21 @@ Cc: Thomas Gleixner <tglx@linutronix.de> Link: http://lkml.kernel.org/r/20160308184230.GB7897@krava.redhat.com Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> --- - tools/perf/util/pmu.c | 4 ++-- + tools/perf/util/pmu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c -index d8cd038baed2..adef23b1352e 100644 --- a/tools/perf/util/pmu.c 
+++ b/tools/perf/util/pmu.c -@@ -98,7 +98,7 @@ static int perf_pmu__parse_scale(struct perf_pmu_alias *alias, char *dir, char * +@@ -98,7 +98,7 @@ static int perf_pmu__parse_scale(struct char scale[128]; int fd, ret = -1; char path[PATH_MAX]; - const char *lc; + char *lc; - snprintf(path, PATH_MAX, "%s/%s.scale", dir, name); + scnprintf(path, PATH_MAX, "%s/%s.scale", dir, name); -@@ -146,7 +146,7 @@ static int perf_pmu__parse_scale(struct perf_pmu_alias *alias, char *dir, char * +@@ -146,7 +146,7 @@ static int perf_pmu__parse_scale(struct /* restore locale */ setlocale(LC_NUMERIC, lc); @@ -44,4 +42,3 @@ index d8cd038baed2..adef23b1352e 100644 ret = 0; error: - diff --git a/patches.suse/0047-perf-pmu-factor-out-scale-conversion-code b/patches.suse/0047-perf-pmu-factor-out-scale-conversion-code index 0f72b1728e..ffbf74e477 100644 --- a/patches.suse/0047-perf-pmu-factor-out-scale-conversion-code +++ b/patches.suse/0047-perf-pmu-factor-out-scale-conversion-code @@ -17,14 +17,12 @@ Link: http://lkml.kernel.org/r/20170103150833.6694-2-andi@firstfloor.org [ Keep returning -ENOMEM when strdup() fails in perf_pmu__parse_scale()/convert_scale() ] Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> --- - tools/perf/util/pmu.c | 62 ++++++++++++++++++++++++++++----------------------- + tools/perf/util/pmu.c | 62 +++++++++++++++++++++++++++----------------------- 1 file changed, 34 insertions(+), 28 deletions(-) -diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c -index dc6ccaa4e927..78b16100567d 100644 --- a/tools/perf/util/pmu.c +++ b/tools/perf/util/pmu.c -@@ -94,32 +94,10 @@ static int pmu_format(const char *name, struct list_head *format) +@@ -94,32 +94,10 @@ static int pmu_format(const char *name, return 0; } @@ -38,7 +36,7 @@ index dc6ccaa4e927..78b16100567d 100644 - char path[PATH_MAX]; char *lc; - -- snprintf(path, PATH_MAX, "%s/%s.scale", dir, name); +- scnprintf(path, PATH_MAX, "%s/%s.scale", dir, name); - - fd = open(path, O_RDONLY); - if (fd == -1) 
@@ -59,7 +57,7 @@ index dc6ccaa4e927..78b16100567d 100644 /* * save current locale -@@ -134,7 +112,7 @@ static int perf_pmu__parse_scale(struct perf_pmu_alias *alias, char *dir, char * +@@ -134,7 +112,7 @@ static int perf_pmu__parse_scale(struct lc = strdup(lc); if (!lc) { ret = -ENOMEM; @@ -68,7 +66,7 @@ index dc6ccaa4e927..78b16100567d 100644 } /* -@@ -144,14 +122,42 @@ static int perf_pmu__parse_scale(struct perf_pmu_alias *alias, char *dir, char * +@@ -144,14 +122,42 @@ static int perf_pmu__parse_scale(struct */ setlocale(LC_NUMERIC, "C"); @@ -91,7 +89,7 @@ index dc6ccaa4e927..78b16100567d 100644 + int fd, ret = -1; + char path[PATH_MAX]; + -+ snprintf(path, PATH_MAX, "%s/%s.scale", dir, name); ++ scnprintf(path, PATH_MAX, "%s/%s.scale", dir, name); + + fd = open(path, O_RDONLY); + if (fd == -1) @@ -114,4 +112,3 @@ index dc6ccaa4e927..78b16100567d 100644 error: close(fd); return ret; - diff --git a/patches.suse/mm-compaction-introduce-kcompactd.patch b/patches.suse/mm-compaction-introduce-kcompactd.patch index 141f8fc6f7..41aab0fdeb 100644 --- a/patches.suse/mm-compaction-introduce-kcompactd.patch +++ b/patches.suse/mm-compaction-introduce-kcompactd.patch @@ -96,21 +96,19 @@ Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
Signed-off-by: Mel Gorman <mgorman@suse.de> --- - include/linux/compaction.h | 16 +++ - include/linux/mmzone.h | 6 ++ - include/linux/vm_event_item.h | 1 + - include/trace/events/compaction.h | 55 ++++++++++ - mm/compaction.c | 222 ++++++++++++++++++++++++++++++++++++++ - mm/memory_hotplug.c | 9 +- - mm/page_alloc.c | 3 + - mm/vmstat.c | 1 + + include/linux/compaction.h | 16 ++ + include/linux/mmzone.h | 6 + + include/linux/vm_event_item.h | 1 + include/trace/events/compaction.h | 55 +++++++++ + mm/compaction.c | 222 ++++++++++++++++++++++++++++++++++++++ + mm/memory_hotplug.c | 9 + + mm/page_alloc.c | 3 + mm/vmstat.c | 1 8 files changed, 311 insertions(+), 2 deletions(-) -diff --git a/include/linux/compaction.h b/include/linux/compaction.h -index 4cd4ddf64cc7..d7c8de583a23 100644 --- a/include/linux/compaction.h +++ b/include/linux/compaction.h -@@ -52,6 +52,10 @@ extern void compaction_defer_reset(struct zone *zone, int order, +@@ -52,6 +52,10 @@ extern void compaction_defer_reset(struc bool alloc_success); extern bool compaction_restarting(struct zone *zone, int order); @@ -121,7 +119,7 @@ index 4cd4ddf64cc7..d7c8de583a23 100644 #else static inline unsigned long try_to_compact_pages(gfp_t gfp_mask, unsigned int order, int alloc_flags, -@@ -84,6 +88,18 @@ static inline bool compaction_deferred(struct zone *zone, int order) +@@ -84,6 +88,18 @@ static inline bool compaction_deferred(s return true; } @@ -140,11 +138,9 @@ index 4cd4ddf64cc7..d7c8de583a23 100644 #endif /* CONFIG_COMPACTION */ #if defined(CONFIG_COMPACTION) && defined(CONFIG_SYSFS) && defined(CONFIG_NUMA) -diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h -index 5a2c3d3d824f..5b557150f83f 100644 --- a/include/linux/mmzone.h +++ b/include/linux/mmzone.h -@@ -674,6 +674,12 @@ typedef struct pglist_data { +@@ -669,6 +669,12 @@ typedef struct pglist_data { mem_hotplug_begin/end() */ int kswapd_max_order; enum zone_type classzone_idx; 
@@ -157,11 +153,9 @@ index 5a2c3d3d824f..5b557150f83f 100644 #ifdef CONFIG_NUMA_BALANCING /* Lock serializing the migrate rate limiting window */ spinlock_t numabalancing_migrate_lock; -diff --git a/include/linux/vm_event_item.h b/include/linux/vm_event_item.h -index e623d392db0c..823a629f9033 100644 --- a/include/linux/vm_event_item.h +++ b/include/linux/vm_event_item.h -@@ -52,6 +52,7 @@ enum vm_event_item { PGPGIN, PGPGOUT, PSWPIN, PSWPOUT, +@@ -53,6 +53,7 @@ enum vm_event_item { PGPGIN, PGPGOUT, PS COMPACTMIGRATE_SCANNED, COMPACTFREE_SCANNED, COMPACTISOLATED, COMPACTSTALL, COMPACTFAIL, COMPACTSUCCESS, @@ -169,11 +163,9 @@ index e623d392db0c..823a629f9033 100644 #endif #ifdef CONFIG_HUGETLB_PAGE HTLB_BUDDY_PGALLOC, HTLB_BUDDY_PGALLOC_FAIL, -diff --git a/include/trace/events/compaction.h b/include/trace/events/compaction.h -index c92d1e1cbad9..223450aeb49e 100644 --- a/include/trace/events/compaction.h +++ b/include/trace/events/compaction.h -@@ -350,6 +350,61 @@ DEFINE_EVENT(mm_compaction_defer_template, mm_compaction_defer_reset, +@@ -350,6 +350,61 @@ DEFINE_EVENT(mm_compaction_defer_templat ); #endif @@ -235,8 +227,6 @@ index c92d1e1cbad9..223450aeb49e 100644 #endif /* _TRACE_COMPACTION_H */ /* This part must be outside protection */ -diff --git a/mm/compaction.c b/mm/compaction.c -index 1ffc62a05d27..da34d4397f1f 100644 --- a/mm/compaction.c +++ b/mm/compaction.c @@ -7,6 +7,7 @@ @@ -256,7 +246,7 @@ index 1ffc62a05d27..da34d4397f1f 100644 #include "internal.h" #ifdef CONFIG_COMPACTION -@@ -1732,4 +1735,223 @@ void compaction_unregister_node(struct node *node) +@@ -1721,4 +1724,223 @@ void compaction_unregister_node(struct n } #endif /* CONFIG_SYSFS && CONFIG_NUMA */ @@ -480,19 +470,17 @@ index 1ffc62a05d27..da34d4397f1f 100644 +subsys_initcall(kcompactd_init) + #endif /* CONFIG_COMPACTION */ -diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c -index 6c3c05849484..afca0da46d6b 100644 --- a/mm/memory_hotplug.c 
+++ b/mm/memory_hotplug.c -@@ -32,6 +32,7 @@ +@@ -33,6 +33,7 @@ #include <linux/hugetlb.h> #include <linux/memblock.h> #include <linux/bootmem.h> +#include <linux/compaction.h> + #include <linux/rmap.h> #include <asm/tlbflush.h> - -@@ -1073,8 +1074,10 @@ int __ref online_pages(unsigned long pfn, unsigned long nr_pages, int online_typ +@@ -1101,8 +1102,10 @@ int __ref online_pages(unsigned long pfn init_per_zone_wmark_min(); @@ -504,7 +492,7 @@ index 6c3c05849484..afca0da46d6b 100644 vm_total_pages = nr_free_pagecache_pages(); -@@ -1838,8 +1841,10 @@ static int __ref __offline_pages(unsigned long start_pfn, +@@ -1895,8 +1898,10 @@ repeat: zone_pcp_update(zone); node_states_clear_node(node, &arg); @@ -516,11 +504,9 @@ index 6c3c05849484..afca0da46d6b 100644 vm_total_pages = nr_free_pagecache_pages(); writeback_set_ratelimit(); -diff --git a/mm/page_alloc.c b/mm/page_alloc.c -index 33974cda62de..2a1031669034 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c -@@ -5282,6 +5282,9 @@ static void __paginginit free_area_init_core(struct pglist_data *pgdat) +@@ -5737,6 +5737,9 @@ static void __paginginit free_area_init_ #endif init_waitqueue_head(&pgdat->kswapd_wait); init_waitqueue_head(&pgdat->pfmemalloc_wait); @@ -530,11 +516,9 @@ index 33974cda62de..2a1031669034 100644 pgdat_page_ext_init(pgdat); for (j = 0; j < MAX_NR_ZONES; j++) { -diff --git a/mm/vmstat.c b/mm/vmstat.c -index 88011eca5283..d267d426ce3b 100644 --- a/mm/vmstat.c +++ b/mm/vmstat.c -@@ -825,6 +825,7 @@ const char * const vmstat_text[] = { +@@ -801,6 +801,7 @@ const char * const vmstat_text[] = { "compact_stall", "compact_fail", "compact_success", diff --git a/series.conf b/series.conf index ebd8efad24..fe5f7bbdb1 100644 --- a/series.conf +++ b/series.conf 
@@ -5166,6 +5166,91 @@ patches.kernel.org/4.4.169-039-rtc-snvs-Add-timeouts-to-avoid-kernel-lockups.patch patches.kernel.org/4.4.169-040-ALSA-isa-wavefront-prevent-some-out-of-bound-.patch patches.kernel.org/4.4.169-041-Linux-4.4.169.patch + patches.kernel.org/4.4.170-001-USB-hso-Fix-OOB-memory-access-in-hso_probe-hs.patch + patches.kernel.org/4.4.170-002-xhci-Don-t-prevent-USB2-bus-suspend-in-state-.patch + patches.kernel.org/4.4.170-003-USB-serial-option-add-GosunCn-ZTE-WeLink-ME36.patch + patches.kernel.org/4.4.170-004-USB-serial-option-add-HP-lt4132.patch + patches.kernel.org/4.4.170-005-USB-serial-option-add-Simcom-SIM7500-SIM7600-.patch + patches.kernel.org/4.4.170-006-USB-serial-option-add-Fibocom-NL668-series.patch + patches.kernel.org/4.4.170-007-USB-serial-option-add-Telit-LN940-series.patch + patches.kernel.org/4.4.170-008-mmc-core-Reset-HPI-enabled-state-during-re-in.patch + patches.kernel.org/4.4.170-009-mmc-omap_hsmmc-fix-DMA-API-warning.patch + patches.kernel.org/4.4.170-010-gpio-max7301-fix-driver-for-use-with-CONFIG_V.patch + patches.kernel.org/4.4.170-011-Drivers-hv-vmbus-Return-EINVAL-for-the-sys-fi.patch + patches.kernel.org/4.4.170-012-x86-mtrr-Don-t-copy-uninitialized-gentry-fiel.patch + patches.kernel.org/4.4.170-013-drm-ioctl-Fix-Spectre-v1-vulnerabilities.patch + patches.kernel.org/4.4.170-014-ip6mr-Fix-potential-Spectre-v1-vulnerability.patch + patches.kernel.org/4.4.170-015-ipv4-Fix-potential-Spectre-v1-vulnerability.patch + patches.kernel.org/4.4.170-016-ax25-fix-a-use-after-free-in-ax25_fillin_cb.patch + patches.kernel.org/4.4.170-017-ibmveth-fix-DMA-unmap-error-in-ibmveth_xmit_s.patch + patches.kernel.org/4.4.170-018-ieee802154-lowpan_header_create-check-must-ch.patch + patches.kernel.org/4.4.170-019-ipv6-explicitly-initialize-udp6_addr-in-udp_s.patch + patches.kernel.org/4.4.170-020-isdn-fix-kernel-infoleak-in-capi_unlocked_ioc.patch + patches.kernel.org/4.4.170-021-netrom-fix-locking-in-nr_find_socket.patch + 
patches.kernel.org/4.4.170-022-packet-validate-address-length.patch + patches.kernel.org/4.4.170-023-packet-validate-address-length-if-non-zero.patch + patches.kernel.org/4.4.170-024-sctp-initialize-sin6_flowinfo-for-ipv6-addrs-.patch + patches.kernel.org/4.4.170-025-vhost-make-sure-used-idx-is-seen-before-log-i.patch + patches.kernel.org/4.4.170-026-VSOCK-Send-reset-control-packet-when-socket-i.patch + patches.kernel.org/4.4.170-027-xen-netfront-tolerate-frags-with-no-data.patch + patches.kernel.org/4.4.170-028-gro_cell-add-napi_disable-in-gro_cells_destro.patch + patches.kernel.org/4.4.170-029-sock-Make-sock-sk_stamp-thread-safe.patch + patches.kernel.org/4.4.170-030-ALSA-rme9652-Fix-potential-Spectre-v1-vulnera.patch + patches.kernel.org/4.4.170-031-ALSA-emu10k1-Fix-potential-Spectre-v1-vulnera.patch + patches.kernel.org/4.4.170-032-ALSA-pcm-Fix-potential-Spectre-v1-vulnerabili.patch + patches.kernel.org/4.4.170-033-ALSA-emux-Fix-potential-Spectre-v1-vulnerabil.patch + patches.kernel.org/4.4.170-034-ALSA-hda-add-mute-LED-support-for-HP-EliteBoo.patch + patches.kernel.org/4.4.170-035-ALSA-hda-tegra-clear-pending-irq-handlers.patch + patches.kernel.org/4.4.170-036-USB-serial-pl2303-add-ids-for-Hewlett-Packard.patch + patches.kernel.org/4.4.170-037-USB-serial-option-add-Fibocom-NL678-series.patch + patches.kernel.org/4.4.170-038-usb-r8a66597-Fix-a-possible-concurrency-use-a.patch + patches.kernel.org/4.4.170-039-Input-elan_i2c-add-ACPI-ID-for-touchpad-in-AS.patch + patches.kernel.org/4.4.170-040-KVM-x86-Use-jmp-to-invoke-kvm_spurious_fault-.patch + patches.kernel.org/4.4.170-041-perf-pmu-Suppress-potential-format-truncation.patch + patches.kernel.org/4.4.170-042-ext4-fix-possible-use-after-free-in-ext4_quot.patch + patches.kernel.org/4.4.170-043-ext4-missing-unlock-put_page-in-ext4_try_to_w.patch + patches.kernel.org/4.4.170-044-ext4-fix-EXT4_IOC_GROUP_ADD-ioctl.patch + patches.kernel.org/4.4.170-045-ext4-force-inode-writes-when-nfsd-calls-commi.patch + 
patches.kernel.org/4.4.170-046-spi-bcm2835-Fix-race-on-DMA-termination.patch + patches.kernel.org/4.4.170-047-spi-bcm2835-Fix-book-keeping-of-DMA-terminati.patch + patches.kernel.org/4.4.170-048-spi-bcm2835-Avoid-finishing-transfer-prematur.patch + patches.kernel.org/4.4.170-049-cdc-acm-fix-abnormal-DATA-RX-issue-for-Mediat.patch + patches.kernel.org/4.4.170-050-media-vivid-free-bitmap_cap-when-updating-std.patch + patches.kernel.org/4.4.170-051-MIPS-Ensure-pmd_present-returns-false-after-p.patch + patches.kernel.org/4.4.170-052-MIPS-Align-kernel-load-address-to-64KB.patch + patches.kernel.org/4.4.170-053-CIFS-Fix-error-mapping-for-SMB2_LOCK-command-.patch + patches.kernel.org/4.4.170-054-x86-kvm-vmx-do-not-use-vm-exit-instruction-le.patch + patches.kernel.org/4.4.170-055-spi-bcm2835-Unbreak-the-build-of-esoteric-con.patch + patches.kernel.org/4.4.170-056-powerpc-Fix-COFF-zImage-booting-on-old-powerm.patch + patches.kernel.org/4.4.170-057-ARM-imx-update-the-cpu-power-up-timing-settin.patch + patches.kernel.org/4.4.170-058-Input-restore-EV_ABS-ABS_RESERVED.patch + patches.kernel.org/4.4.170-059-checkstack.pl-fix-for-aarch64.patch + patches.kernel.org/4.4.170-060-xfrm-Fix-bucket-count-reported-to-userspace.patch + patches.kernel.org/4.4.170-061-scsi-bnx2fc-Fix-NULL-dereference-in-error-han.patch + patches.kernel.org/4.4.170-062-Input-omap-keypad-fix-idle-configuration-to-n.patch + patches.kernel.org/4.4.170-063-scsi-zfcp-fix-posting-too-many-status-read-bu.patch + patches.kernel.org/4.4.170-064-fork-record-start_time-late.patch + patches.kernel.org/4.4.170-065-hwpoison-memory_hotplug-allow-hwpoisoned-page.patch + patches.kernel.org/4.4.170-067-mm-devm_memremap_pages-kill-mapping-System-RA.patch + patches.kernel.org/4.4.170-068-sunrpc-fix-cache_head-leak-due-to-queued-requ.patch + patches.kernel.org/4.4.170-069-sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch + patches.kernel.org/4.4.170-070-crypto-x86-chacha20-avoid-sleeping-with-preem.patch + 
patches.kernel.org/4.4.170-071-ALSA-cs46xx-Potential-NULL-dereference-in-pro.patch + patches.kernel.org/4.4.170-072-ALSA-usb-audio-Avoid-access-before-bLength-ch.patch + patches.kernel.org/4.4.170-073-ALSA-usb-audio-Fix-an-out-of-bound-read-in-cr.patch + patches.kernel.org/4.4.170-074-dlm-fixed-memory-leaks-after-failed-ls_remove.patch + patches.kernel.org/4.4.170-075-dlm-possible-memory-leak-on-error-path-in-cre.patch + patches.kernel.org/4.4.170-076-dlm-lost-put_lkb-on-error-path-in-receive_con.patch + patches.kernel.org/4.4.170-077-dlm-memory-leaks-on-error-path-in-dlm_user_re.patch + patches.kernel.org/4.4.170-078-gfs2-Fix-loop-in-gfs2_rbm_find.patch + patches.kernel.org/4.4.170-079-b43-Fix-error-in-cordic-routine.patch + patches.kernel.org/4.4.170-080-9p-net-put-a-lower-bound-on-msize.patch + patches.kernel.org/4.4.170-081-iommu-vt-d-Handle-domain-agaw-being-less-than.patch + patches.kernel.org/4.4.170-082-ceph-don-t-update-importing-cap-s-mseq-when-h.patch + patches.kernel.org/4.4.170-083-genwqe-Fix-size-check.patch + patches.kernel.org/4.4.170-084-intel_th-msu-Fix-an-off-by-one-in-attribute-s.patch + patches.kernel.org/4.4.170-085-power-supply-olpc_battery-correct-the-tempera.patch + patches.kernel.org/4.4.170-086-Linux-4.4.170.patch ######################################################## # Build fixes that apply to the vanilla kernel too. @@ -22843,7 +22928,6 @@ patches.drivers/ibmvnic-Remove-skb-protocol-checks-in-ibmvnic_xmit.patch patches.fixes/0001-seq_file-fix-incomplete-reset-on-read-from-zero-offs.patch patches.drivers/0004-KVM-arm-arm64-Handle-CPU_PM_ENTER_FAILED.patch - patches.fixes/x86-kvm-vmx-do-not-use-vm-exit-instruction-length-fo.patch patches.arch/KVM-PPC-Book3S-PR-Fix-svcpu-copying-with-preemption-.patch patches.drivers/0040-bcache-add-journal-statistic.patch patches.drivers/0041-bcache-fix-high-CPU-occupancy-during-journal.patch 
@@ -23762,7 +23846,6 @@ patches.drivers/IB-hfi1-Fix-an-out-of-bounds-access-in-get_hw_stats.patch patches.arch/ibmvnic-Convert-reset-work-item-mutex-to-spin-lock.patch patches.arch/ibmvnic-Fix-non-atomic-memory-allocation-in-IRQ-cont.patch - patches.drivers/USB-hso-Fix-OOB-memory-access-in-hso_probe-hso_get_c.patch patches.fixes/net-ipv4-do-not-handle-duplicate-fragments-as-overla.patch patches.fixes/0001-drm-rcar-du-Fix-vblank-initialization.patch patches.fixes/0001-drm-rcar-du-Fix-external-clock-error-checks.patch @@ -23770,9 +23853,7 @@ patches.fixes/scsi-target-add-emulate_pr-backstore-attr-to-toggle-.patch patches.fixes/scsi-target-drop-unused-pi_prot_format-attribute-sto.patch patches.drivers/revert-iommu-io-pgtable-arm-check-for-v7s-incapable-systems - patches.drivers/iommu-vt-d-handle-domain-agaw-being-less-than-iommu-agaw patches.drivers/iommu-amd-fix-amd_iommu-force_isolation - patches.fixes/ceph-don-t-update-importing-cap-s-mseq-when-handing-cap-export.patch patches.fixes/0001-fbdev-fbmem-behave-better-with-small-rotated-display.patch patches.fixes/0001-fbdev-fbcon-Fix-unregister-crash-when-more-than-one-.patch @@ -24051,7 +24132,6 @@ patches.fixes/0005-mm-memory_hotplug-be-more-verbose-for-memory-offline.patch patches.fixes/mm-put_and_wait_on_page_locked-while-page-is-migrated.patch - patches.fixes/0001-hwpoison-memory_hotplug-allow-hwpoisoned-pages-to-be.patch patches.kabi/0001-hwpoison-memory_hotplug-allow-hwpoisoned-pages-to-be-kabi.patch # bsc#1119204 @@ -24402,7 +24482,6 @@ patches.fixes/nfs-direct-write-fix.patch patches.kabi/0008-pnfs-set-NFS_IOHDR_REDO-in-pnfs_read_resend_pnfs.patch patches.kabi/0001-NFS-Ensure-we-commit-after-writeback-is-complete.kabi - patches.fixes/sunrpc-use-SVC_NET-in-svcauth_gss_-functions.patch patches.fixes/sunrpc-use-after-free-in-svc_process_common.patch patches.kabi/sunrpc-use-after-free-in-svc_process_common.patch |
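Review bot: In the drivers/hwtracing/intel_th/msu.c hunk (nr_pages_store), the new `len -= end - p + 1;` is only safe if `end` always lies within the `len` bytes starting at `p`, and the call that produces `end` is outside the context lines shown. The KASAN trace in the commit message points at memchr(), so please confirm that the search is bounded by `len`, and consider saying so in the new comment. If it is not bounded, the subtraction can step past zero and `while (len)` no longer stops the loop at the end of the buffer. It would also help to mention the trailing-comma case, where `end - p + 1` equals `len` and the loop exits with `len` at exactly 0.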
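Review bot: In the drivers/power/olpc_battery.c hunk, the two temperature cases still cast the EC word differently. The first uses `(s16)be16_to_cpu(ec_word) * 10 / 256` while POWER_SUPPLY_PROP_TEMP_AMBIENT uses `(int)be16_to_cpu(ec_word) * 10 / 256`. With the `(int)` cast, a reading with the top bit set is reported as a large positive temperature instead of a negative one. If the ambient value is signed like the battery value, use `(s16)` in both places while the scale factor is being touched. If it is genuinely unsigned, a one-line comment explaining the difference would keep the next reader from treating it as an oversight.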
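Review bot: In the series.conf hunk at `@@ -5166,6 +5166,91 @@`, the added patches.kernel.org entries go from `4.4.170-065-hwpoison-memory_hotplug-allow-hwpoisoned-page.patch` straight to `4.4.170-067-mm-devm_memremap_pages-kill-mapping-System-RA.patch`, with no 4.4.170-066 entry. If patch 066 was left out on purpose, please record the reason in the changelog or as a comment next to the gap. Otherwise the series as applied does not match the upstream 4.4.170 patch set, and the final `Linux 4.4.170` version bump overstates what is included.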