Add commits cc'd to stable, up to 5.5 ...plus their obvious dependencies, and some follow-up fixes.
diff --git a/queue-3.16/6pack-mkiss-fix-possible-deadlock.patch b/queue-3.16/6pack-mkiss-fix-possible-deadlock.patch new file mode 100644 index 0000000..dd2d68d --- /dev/null +++ b/queue-3.16/6pack-mkiss-fix-possible-deadlock.patch
@@ -0,0 +1,174 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Thu, 12 Dec 2019 10:32:13 -0800 +Subject: 6pack,mkiss: fix possible deadlock + +commit 5c9934b6767b16ba60be22ec3cbd4379ad64170d upstream. + +We got another syzbot report [1] that tells us we must use +write_lock_irq()/write_unlock_irq() to avoid possible deadlock. + +[1] + +WARNING: inconsistent lock state +5.5.0-rc1-syzkaller #0 Not tainted +-------------------------------- +inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-R} usage. +syz-executor826/9605 [HC1[1]:SC0[0]:HE0:SE1] takes: +ffffffff8a128718 (disc_data_lock){+-..}, at: sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138 +{HARDIRQ-ON-W} state was registered at: + lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485 + __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline] + _raw_write_lock_bh+0x33/0x50 kernel/locking/spinlock.c:319 + sixpack_close+0x1d/0x250 drivers/net/hamradio/6pack.c:657 + tty_ldisc_close.isra.0+0x119/0x1a0 drivers/tty/tty_ldisc.c:489 + tty_set_ldisc+0x230/0x6b0 drivers/tty/tty_ldisc.c:585 + tiocsetd drivers/tty/tty_io.c:2337 [inline] + tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2597 + vfs_ioctl fs/ioctl.c:47 [inline] + file_ioctl fs/ioctl.c:545 [inline] + do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732 + ksys_ioctl+0xab/0xd0 fs/ioctl.c:749 + __do_sys_ioctl fs/ioctl.c:756 [inline] + __se_sys_ioctl fs/ioctl.c:754 [inline] + __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +irq event stamp: 3946 +hardirqs last enabled at (3945): [<ffffffff87c86e43>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline] +hardirqs last enabled at (3945): [<ffffffff87c86e43>] _raw_spin_unlock_irq+0x23/0x80 kernel/locking/spinlock.c:199 +hardirqs last disabled at (3946): [<ffffffff8100675f>] trace_hardirqs_off_thunk+0x1a/0x1c arch/x86/entry/thunk_64.S:42 +softirqs last enabled at (2658): [<ffffffff86a8b4df>] spin_unlock_bh include/linux/spinlock.h:383 [inline] +softirqs last enabled at (2658): [<ffffffff86a8b4df>] clusterip_netdev_event+0x46f/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:222 +softirqs last disabled at (2656): [<ffffffff86a8b22b>] spin_lock_bh include/linux/spinlock.h:343 [inline] +softirqs last disabled at (2656): [<ffffffff86a8b22b>] clusterip_netdev_event+0x1bb/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:196 + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(disc_data_lock); + <Interrupt> + lock(disc_data_lock); + + *** DEADLOCK *** + +5 locks held by syz-executor826/9605: + #0: ffff8880a905e198 (&tty->legacy_mutex){+.+.}, at: tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19 + #1: ffffffff899a56c0 (rcu_read_lock){....}, at: mutex_spin_on_owner+0x0/0x330 kernel/locking/mutex.c:413 + #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: spin_lock include/linux/spinlock.h:338 [inline] + #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: serial8250_interrupt+0x2d/0x1a0 drivers/tty/serial/8250/8250_core.c:116 + #3: ffffffff8c104048 (&port_lock_key){-.-.}, at: serial8250_handle_irq.part.0+0x24/0x330 drivers/tty/serial/8250/8250_port.c:1823 + #4: ffff8880a905e090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref+0x22/0x90 drivers/tty/tty_ldisc.c:288 + +stack backtrace: +CPU: 1 PID: 9605 Comm: syz-executor826 Not tainted 5.5.0-rc1-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + <IRQ> + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x197/0x210 lib/dump_stack.c:118 + print_usage_bug.cold+0x327/0x378 kernel/locking/lockdep.c:3101 + valid_state kernel/locking/lockdep.c:3112 [inline] + mark_lock_irq kernel/locking/lockdep.c:3309 [inline] + mark_lock+0xbb4/0x1220 kernel/locking/lockdep.c:3666 + mark_usage kernel/locking/lockdep.c:3554 [inline] + __lock_acquire+0x1e55/0x4a00 kernel/locking/lockdep.c:3909 + lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485 + __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline] + _raw_read_lock+0x32/0x50 kernel/locking/spinlock.c:223 + sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138 + sixpack_write_wakeup+0x25/0x340 drivers/net/hamradio/6pack.c:402 + tty_wakeup+0xe9/0x120 drivers/tty/tty_io.c:536 + tty_port_default_wakeup+0x2b/0x40 drivers/tty/tty_port.c:50 + tty_port_tty_wakeup+0x57/0x70 drivers/tty/tty_port.c:387 + uart_write_wakeup+0x46/0x70 drivers/tty/serial/serial_core.c:104 + serial8250_tx_chars+0x495/0xaf0 drivers/tty/serial/8250/8250_port.c:1761 + serial8250_handle_irq.part.0+0x2a2/0x330 drivers/tty/serial/8250/8250_port.c:1834 + serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1820 [inline] + serial8250_default_handle_irq+0xc0/0x150 drivers/tty/serial/8250/8250_port.c:1850 + serial8250_interrupt+0xf1/0x1a0 drivers/tty/serial/8250/8250_core.c:126 + __handle_irq_event_percpu+0x15d/0x970 kernel/irq/handle.c:149 + handle_irq_event_percpu+0x74/0x160 kernel/irq/handle.c:189 + handle_irq_event+0xa7/0x134 kernel/irq/handle.c:206 + handle_edge_irq+0x25e/0x8d0 kernel/irq/chip.c:830 + generic_handle_irq_desc include/linux/irqdesc.h:156 [inline] + do_IRQ+0xde/0x280 arch/x86/kernel/irq.c:250 + common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:607 + </IRQ> +RIP: 0010:cpu_relax arch/x86/include/asm/processor.h:685 [inline] +RIP: 0010:mutex_spin_on_owner+0x247/0x330 kernel/locking/mutex.c:579 +Code: c3 be 08 00 00 00 4c 89 e7 e8 e5 06 59 00 4c 89 e0 48 c1 e8 03 42 80 3c 38 00 0f 85 e1 00 00 00 49 8b 04 24 a8 01 75 96 f3 90 <e9> 2f fe ff ff 0f 0b e8 0d 19 09 00 84 c0 0f 85 ff fd ff ff 48 c7 +RSP: 0018:ffffc90001eafa20 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffd7 +RAX: 0000000000000000 RBX: ffff88809fd9e0c0 RCX: 1ffffffff13266dd +RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000000 +RBP: ffffc90001eafa60 R08: 1ffff11013d22898 R09: ffffed1013d22899 +R10: ffffed1013d22898 R11: ffff88809e9144c7 R12: ffff8880a905e138 +R13: ffff88809e9144c0 R14: 0000000000000000 R15: dffffc0000000000 + mutex_optimistic_spin kernel/locking/mutex.c:673 [inline] + __mutex_lock_common kernel/locking/mutex.c:962 [inline] + __mutex_lock+0x32b/0x13c0 kernel/locking/mutex.c:1106 + mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1121 + tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19 + tty_release+0xb5/0xe90 drivers/tty/tty_io.c:1665 + __fput+0x2ff/0x890 fs/file_table.c:280 + ____fput+0x16/0x20 fs/file_table.c:313 + task_work_run+0x145/0x1c0 kernel/task_work.c:113 + exit_task_work include/linux/task_work.h:22 [inline] + do_exit+0x8e7/0x2ef0 kernel/exit.c:797 + do_group_exit+0x135/0x360 kernel/exit.c:895 + __do_sys_exit_group kernel/exit.c:906 [inline] + __se_sys_exit_group kernel/exit.c:904 [inline] + __x64_sys_exit_group+0x44/0x50 kernel/exit.c:904 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x43fef8 +Code: Bad RIP value. +RSP: 002b:00007ffdb07d2338 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fef8 +RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 +RBP: 00000000004bf730 R08: 00000000000000e7 R09: ffffffffffffffd0 +R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001 +R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000 + +Fixes: 6e4e2f811bad ("6pack,mkiss: fix lock inconsistency") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: syzbot <syzkaller@googlegroups.com> +Cc: Arnd Bergmann <arnd@arndb.de> +Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/hamradio/6pack.c | 4 ++-- + drivers/net/hamradio/mkiss.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/hamradio/6pack.c ++++ b/drivers/net/hamradio/6pack.c +@@ -685,10 +685,10 @@ static void sixpack_close(struct tty_str + { + struct sixpack *sp; + +- write_lock_bh(&disc_data_lock); ++ write_lock_irq(&disc_data_lock); + sp = tty->disc_data; + tty->disc_data = NULL; +- write_unlock_bh(&disc_data_lock); ++ write_unlock_irq(&disc_data_lock); + if (!sp) + return; + +--- a/drivers/net/hamradio/mkiss.c ++++ b/drivers/net/hamradio/mkiss.c +@@ -811,10 +811,10 @@ static void mkiss_close(struct tty_struc + { + struct mkiss *ax; + +- write_lock_bh(&disc_data_lock); ++ write_lock_irq(&disc_data_lock); + ax = tty->disc_data; + tty->disc_data = NULL; +- write_unlock_bh(&disc_data_lock); ++ write_unlock_irq(&disc_data_lock); + + if (!ax) + return;
diff --git a/queue-3.16/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch b/queue-3.16/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch new file mode 100644 index 0000000..0acf475 --- /dev/null +++ b/queue-3.16/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch
@@ -0,0 +1,49 @@ +From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com> +Date: Wed, 4 Dec 2019 02:54:27 +0100 +Subject: ACPI: PM: Avoid attaching ACPI PM domain to certain devices + +commit b9ea0bae260f6aae546db224daa6ac1bd9d94b91 upstream. + +Certain ACPI-enumerated devices represented as platform devices in +Linux, like fans, require special low-level power management handling +implemented by their drivers that is not in agreement with the ACPI +PM domain behavior. That leads to problems with managing ACPI fans +during system-wide suspend and resume. + +For this reason, make acpi_dev_pm_attach() skip the affected devices +by adding a list of device IDs to avoid to it and putting the IDs of +the affected devices into that list. + +Fixes: e5cc8ef31267 (ACPI / PM: Provide ACPI PM callback routines for subsystems) +Reported-by: Zhang Rui <rui.zhang@intel.com> +Tested-by: Todd Brandt <todd.e.brandt@linux.intel.com> +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/acpi/device_pm.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/device_pm.c ++++ b/drivers/acpi/device_pm.c +@@ -1041,9 +1041,19 @@ static struct dev_pm_domain acpi_general + */ + int acpi_dev_pm_attach(struct device *dev, bool power_on) + { ++ /* ++ * Skip devices whose ACPI companions match the device IDs below, ++ * because they require special power management handling incompatible ++ * with the generic ACPI PM domain. ++ */ ++ static const struct acpi_device_id special_pm_ids[] = { ++ {"PNP0C0B", }, /* Generic ACPI fan */ ++ {"INT3404", }, /* Fan */ ++ {} ++ }; + struct acpi_device *adev = ACPI_COMPANION(dev); + +- if (!adev) ++ if (!adev || !acpi_match_device_ids(adev, special_pm_ids)) + return -ENODEV; + + if (dev->pm_domain)
diff --git a/queue-3.16/af_packet-set-defaule-value-for-tmo.patch b/queue-3.16/af_packet-set-defaule-value-for-tmo.patch new file mode 100644 index 0000000..334dc10 --- /dev/null +++ b/queue-3.16/af_packet-set-defaule-value-for-tmo.patch
@@ -0,0 +1,51 @@ +From: Mao Wenan <maowenan@huawei.com> +Date: Mon, 9 Dec 2019 21:31:25 +0800 +Subject: af_packet: set defaule value for tmo + +commit b43d1f9f7067c6759b1051e8ecb84e82cef569fe upstream. + +There is softlockup when using TPACKET_V3: +... +NMI watchdog: BUG: soft lockup - CPU#2 stuck for 60010ms! +(__irq_svc) from [<c0558a0c>] (_raw_spin_unlock_irqrestore+0x44/0x54) +(_raw_spin_unlock_irqrestore) from [<c027b7e8>] (mod_timer+0x210/0x25c) +(mod_timer) from [<c0549c30>] +(prb_retire_rx_blk_timer_expired+0x68/0x11c) +(prb_retire_rx_blk_timer_expired) from [<c027a7ac>] +(call_timer_fn+0x90/0x17c) +(call_timer_fn) from [<c027ab6c>] (run_timer_softirq+0x2d4/0x2fc) +(run_timer_softirq) from [<c021eaf4>] (__do_softirq+0x218/0x318) +(__do_softirq) from [<c021eea0>] (irq_exit+0x88/0xac) +(irq_exit) from [<c0240130>] (msa_irq_exit+0x11c/0x1d4) +(msa_irq_exit) from [<c0209cf0>] (handle_IPI+0x650/0x7f4) +(handle_IPI) from [<c02015bc>] (gic_handle_irq+0x108/0x118) +(gic_handle_irq) from [<c0558ee4>] (__irq_usr+0x44/0x5c) +... + +If __ethtool_get_link_ksettings() is failed in +prb_calc_retire_blk_tmo(), msec and tmo will be zero, so tov_in_jiffies +is zero and the timer expire for retire_blk_timer is turn to +mod_timer(&pkc->retire_blk_timer, jiffies + 0), +which will trigger cpu usage of softirq is 100%. + +Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.") +Tested-by: Xiao Jiangfeng <xiaojiangfeng@huawei.com> +Signed-off-by: Mao Wenan <maowenan@huawei.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/packet/af_packet.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -608,7 +608,8 @@ static int prb_calc_retire_blk_tmo(struc + msec = 1; + div = speed / 1000; + } +- } ++ } else ++ return DEFAULT_PRB_RETIRE_TOV; + + mbits = (blk_size_in_bytes * 8) / (1024 * 1024); +
diff --git a/queue-3.16/alsa-hda-ca0132-avoid-endless-loop.patch b/queue-3.16/alsa-hda-ca0132-avoid-endless-loop.patch new file mode 100644 index 0000000..f3fbded --- /dev/null +++ b/queue-3.16/alsa-hda-ca0132-avoid-endless-loop.patch
@@ -0,0 +1,37 @@ +From: Takashi Iwai <tiwai@suse.de> +Date: Fri, 13 Dec 2019 09:51:10 +0100 +Subject: ALSA: hda/ca0132 - Avoid endless loop + +commit cb04fc3b6b076f67d228a0b7d096c69ad486c09c upstream. + +Introduce a timeout to dspio_clear_response_queue() so that it won't +be caught in an endless loop even if the hardware doesn't respond +properly. + +Fixes: a73d511c4867 ("ALSA: hda/ca0132: Add unsol handler for DSP and jack detection") +Link: https://lore.kernel.org/r/20191213085111.22855-3-tiwai@suse.de +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + sound/pci/hda/patch_ca0132.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -1271,13 +1271,14 @@ struct scp_msg { + + static void dspio_clear_response_queue(struct hda_codec *codec) + { ++ unsigned long timeout = jiffies + msecs_to_jiffies(1000); + unsigned int dummy = 0; +- int status = -1; ++ int status; + + /* clear all from the response queue */ + do { + status = dspio_read(codec, &dummy); +- } while (status == 0); ++ } while (status == 0 && time_before(jiffies, timeout)); + } + + static int dspio_get_response_data(struct hda_codec *codec)
diff --git a/queue-3.16/alsa-ice1724-fix-sleep-in-atomic-in-infrasonic-quartet-support-code.patch b/queue-3.16/alsa-ice1724-fix-sleep-in-atomic-in-infrasonic-quartet-support-code.patch new file mode 100644 index 0000000..4be48aa --- /dev/null +++ b/queue-3.16/alsa-ice1724-fix-sleep-in-atomic-in-infrasonic-quartet-support-code.patch
@@ -0,0 +1,59 @@ +From: Takashi Iwai <tiwai@suse.de> +Date: Wed, 18 Dec 2019 20:26:06 +0100 +Subject: ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code + +commit 0aec96f5897ac16ad9945f531b4bef9a2edd2ebd upstream. + +Jia-Ju Bai reported a possible sleep-in-atomic scenario in the ice1724 +driver with Infrasonic Quartet support code: namely, ice->set_rate +callback gets called inside ice->reg_lock spinlock, while the callback +in quartet.c holds ice->gpio_mutex. + +This patch fixes the invalid call: it simply moves the calls of +ice->set_rate and ice->set_mclk callbacks outside the spinlock. + +Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com> +Link: https://lore.kernel.org/r/5d43135e-73b9-a46a-2155-9e91d0dcdf83@gmail.com +Link: https://lore.kernel.org/r/20191218192606.12866-1-tiwai@suse.de +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + sound/pci/ice1712/ice1724.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/sound/pci/ice1712/ice1724.c ++++ b/sound/pci/ice1712/ice1724.c +@@ -663,6 +663,7 @@ static int snd_vt1724_set_pro_rate(struc + unsigned long flags; + unsigned char mclk_change; + unsigned int i, old_rate; ++ bool call_set_rate = false; + + if (rate > ice->hw_rates->list[ice->hw_rates->count - 1]) + return -EINVAL; +@@ -686,7 +687,7 @@ static int snd_vt1724_set_pro_rate(struc + * setting clock rate for internal clock mode */ + old_rate = ice->get_rate(ice); + if (force || (old_rate != rate)) +- ice->set_rate(ice, rate); ++ call_set_rate = true; + else if (rate == ice->cur_rate) { + spin_unlock_irqrestore(&ice->reg_lock, flags); + return 0; +@@ -694,12 +695,14 @@ static int snd_vt1724_set_pro_rate(struc + } + + ice->cur_rate = rate; ++ spin_unlock_irqrestore(&ice->reg_lock, flags); ++ ++ if (call_set_rate) ++ ice->set_rate(ice, rate); + + /* setting master clock */ + mclk_change = ice->set_mclk(ice, rate); + +- spin_unlock_irqrestore(&ice->reg_lock, flags); +- + if (mclk_change && ice->gpio.i2s_mclk_changed) + ice->gpio.i2s_mclk_changed(ice); + if (ice->gpio.set_pro_rate)
diff --git a/queue-3.16/alsa-pcm-avoid-possible-info-leaks-from-pcm-stream-buffers.patch b/queue-3.16/alsa-pcm-avoid-possible-info-leaks-from-pcm-stream-buffers.patch new file mode 100644 index 0000000..5d19c99 --- /dev/null +++ b/queue-3.16/alsa-pcm-avoid-possible-info-leaks-from-pcm-stream-buffers.patch
@@ -0,0 +1,39 @@ +From: Takashi Iwai <tiwai@suse.de> +Date: Wed, 11 Dec 2019 16:57:42 +0100 +Subject: ALSA: pcm: Avoid possible info leaks from PCM stream buffers + +commit add9d56d7b3781532208afbff5509d7382fb6efe upstream. + +The current PCM code doesn't initialize explicitly the buffers +allocated for PCM streams, hence it might leak some uninitialized +kernel data or previous stream contents by mmapping or reading the +buffer before actually starting the stream. + +Since this is a common problem, this patch simply adds the clearance +of the buffer data at hw_params callback. Although this does only +zero-clear no matter which format is used, which doesn't mean the +silence for some formats, but it should be OK because the intention is +just to clear the previous data on the buffer. + +Reported-by: Lionel Koenig <lionel.koenig@gmail.com> +Link: https://lore.kernel.org/r/20191211155742.3213-1-tiwai@suse.de +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + sound/core/pcm_native.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -459,6 +459,10 @@ static int snd_pcm_hw_params(struct snd_ + while (runtime->boundary * 2 <= LONG_MAX - runtime->buffer_size) + runtime->boundary *= 2; + ++ /* clear the buffer for avoiding possible kernel info leaks */ ++ if (runtime->dma_area) ++ memset(runtime->dma_area, 0, runtime->dma_bytes); ++ + snd_pcm_timer_resolution_change(substream); + snd_pcm_set_state(substream, SNDRV_PCM_STATE_SETUP); +
diff --git a/queue-3.16/alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch b/queue-3.16/alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch new file mode 100644 index 0000000..6c74252 --- /dev/null +++ b/queue-3.16/alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch
@@ -0,0 +1,49 @@ +From: Takashi Iwai <tiwai@suse.de> +Date: Wed, 15 Jan 2020 21:37:33 +0100 +Subject: ALSA: seq: Fix racy access for queue timer in proc read + +commit 60adcfde92fa40fcb2dbf7cc52f9b096e0cd109a upstream. + +snd_seq_info_timer_read() reads the information of the timer assigned +for each queue, but it's done in a racy way which may lead to UAF as +spotted by syzkaller. + +This patch applies the missing q->timer_mutex lock while accessing the +timer object as well as a slight code change to adapt the standard +coding style. + +Reported-by: syzbot+2b2ef983f973e5c40943@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20200115203733.26530-1-tiwai@suse.de +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + sound/core/seq/seq_timer.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/sound/core/seq/seq_timer.c ++++ b/sound/core/seq/seq_timer.c +@@ -484,15 +484,19 @@ void snd_seq_info_timer_read(struct snd_ + q = queueptr(idx); + if (q == NULL) + continue; +- if ((tmr = q->timer) == NULL || +- (ti = tmr->timeri) == NULL) { +- queuefree(q); +- continue; +- } ++ mutex_lock(&q->timer_mutex); ++ tmr = q->timer; ++ if (!tmr) ++ goto unlock; ++ ti = tmr->timeri; ++ if (!ti) ++ goto unlock; + snd_iprintf(buffer, "Timer for queue %i : %s\n", q->queue, ti->timer->name); + resolution = snd_timer_resolution(ti) * tmr->ticks; + snd_iprintf(buffer, " Period time : %lu.%09lu\n", resolution / 1000000000, resolution % 1000000000); + snd_iprintf(buffer, " Skew : %u / %u\n", tmr->skew, tmr->skew_base); ++unlock: ++ mutex_unlock(&q->timer_mutex); + queuefree(q); + } + }
diff --git a/queue-3.16/alsa-usb-audio-add-implicit-fb-quirk-for-axe-fx-ii.patch b/queue-3.16/alsa-usb-audio-add-implicit-fb-quirk-for-axe-fx-ii.patch new file mode 100644 index 0000000..0829c50 --- /dev/null +++ b/queue-3.16/alsa-usb-audio-add-implicit-fb-quirk-for-axe-fx-ii.patch
@@ -0,0 +1,44 @@ +From: Alberto Aguirre <albaguirre@gmail.com> +Date: Thu, 8 Dec 2016 00:36:48 -0600 +Subject: ALSA: usb-audio: add implicit fb quirk for Axe-Fx II + +commit 17f08b0d9aafccdb10038ab6dbd9ddb6433c13e2 upstream. + +The Axe-Fx II implicit feedback end point and the data sync endpoint +are in different interface descriptors. Add quirk to ensure a sync +endpoint is properly configured. + +Signed-off-by: Alberto Aguirre <albaguirre@gmail.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + sound/usb/pcm.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -351,6 +351,15 @@ static int set_sync_ep_implicit_fb_quirk + + alts = &iface->altsetting[1]; + goto add_sync_ep; ++ case USB_ID(0x2466, 0x8003): ++ ep = 0x86; ++ iface = usb_ifnum_to_if(dev, 2); ++ ++ if (!iface || iface->num_altsetting == 0) ++ return -EINVAL; ++ ++ alts = &iface->altsetting[1]; ++ goto add_sync_ep; + case USB_ID(0x1397, 0x0002): + ep = 0x81; + iface = usb_ifnum_to_if(dev, 1); +@@ -360,6 +369,7 @@ static int set_sync_ep_implicit_fb_quirk + + alts = &iface->altsetting[1]; + goto add_sync_ep; ++ + } + if (attr == USB_ENDPOINT_SYNC_ASYNC && + altsd->bInterfaceClass == USB_CLASS_VENDOR_SPEC &&
diff --git a/queue-3.16/alsa-usb-audio-fix-sync-ep-altsetting-sanity-check.patch b/queue-3.16/alsa-usb-audio-fix-sync-ep-altsetting-sanity-check.patch new file mode 100644 index 0000000..c501961 --- /dev/null +++ b/queue-3.16/alsa-usb-audio-fix-sync-ep-altsetting-sanity-check.patch
@@ -0,0 +1,37 @@ +From: Johan Hovold <johan@kernel.org> +Date: Tue, 14 Jan 2020 09:39:53 +0100 +Subject: ALSA: usb-audio: fix sync-ep altsetting sanity check + +commit 5d1b71226dc4d44b4b65766fa9d74492f9d4587b upstream. + +The altsetting sanity check in set_sync_ep_implicit_fb_quirk() was +checking for there to be at least one altsetting but then went on to +access the second one, which may not exist. + +This could lead to random slab data being used to initialise the sync +endpoint in snd_usb_add_endpoint(). + +Fixes: c75a8a7ae565 ("ALSA: snd-usb: add support for implicit feedback") +Fixes: ca10a7ebdff1 ("ALSA: usb-audio: FT C400 sync playback EP to capture EP") +Fixes: 5e35dc0338d8 ("ALSA: usb-audio: add implicit fb quirk for Behringer UFX1204") +Fixes: 17f08b0d9aaf ("ALSA: usb-audio: add implicit fb quirk for Axe-Fx II") +Fixes: 103e9625647a ("ALSA: usb-audio: simplify set_sync_ep_implicit_fb_quirk") +Signed-off-by: Johan Hovold <johan@kernel.org> +Link: https://lore.kernel.org/r/20200114083953.1106-1-johan@kernel.org +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + sound/usb/pcm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -368,7 +368,7 @@ static int set_sync_ep_implicit_fb_quirk + add_sync_ep_from_ifnum: + iface = usb_ifnum_to_if(dev, ifnum); + +- if (!iface || iface->num_altsetting == 0) ++ if (!iface || iface->num_altsetting < 2) + return -EINVAL; + + alts = &iface->altsetting[1];
diff --git a/queue-3.16/alsa-usb-audio-simplify-set_sync_ep_implicit_fb_quirk.patch b/queue-3.16/alsa-usb-audio-simplify-set_sync_ep_implicit_fb_quirk.patch new file mode 100644 index 0000000..c68b1c1 --- /dev/null +++ b/queue-3.16/alsa-usb-audio-simplify-set_sync_ep_implicit_fb_quirk.patch
@@ -0,0 +1,94 @@ +From: Alberto Aguirre <albaguirre@gmail.com> +Date: Wed, 18 Apr 2018 09:35:34 -0500 +Subject: ALSA: usb-audio: simplify set_sync_ep_implicit_fb_quirk + +commit 103e9625647ad74d201e26fb74afcd8479142a37 upstream. + +Signed-off-by: Alberto Aguirre <albaguirre@gmail.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + sound/usb/pcm.c | 52 +++++++++++++++++++------------------------------ + 1 file changed, 20 insertions(+), 32 deletions(-) + +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -324,6 +324,7 @@ static int set_sync_ep_implicit_fb_quirk + struct usb_host_interface *alts; + struct usb_interface *iface; + unsigned int ep; ++ unsigned int ifnum; + + /* Implicit feedback sync EPs consumers are always playback EPs */ + if (subs->direction != SNDRV_PCM_STREAM_PLAYBACK) +@@ -333,44 +334,23 @@ static int set_sync_ep_implicit_fb_quirk + case USB_ID(0x0763, 0x2030): /* M-Audio Fast Track C400 */ + case USB_ID(0x0763, 0x2031): /* M-Audio Fast Track C600 */ + ep = 0x81; +- iface = usb_ifnum_to_if(dev, 3); +- +- if (!iface || iface->num_altsetting == 0) +- return -EINVAL; +- +- alts = &iface->altsetting[1]; +- goto add_sync_ep; +- break; ++ ifnum = 3; ++ goto add_sync_ep_from_ifnum; + case USB_ID(0x0763, 0x2080): /* M-Audio FastTrack Ultra */ + case USB_ID(0x0763, 0x2081): + ep = 0x81; +- iface = usb_ifnum_to_if(dev, 2); +- +- if (!iface || iface->num_altsetting == 0) +- return -EINVAL; +- +- alts = &iface->altsetting[1]; +- goto add_sync_ep; +- case USB_ID(0x2466, 0x8003): ++ ifnum = 2; ++ goto add_sync_ep_from_ifnum; ++ case USB_ID(0x2466, 0x8003): /* Fractal Audio Axe-Fx II */ + ep = 0x86; +- iface = usb_ifnum_to_if(dev, 2); +- +- if (!iface || iface->num_altsetting == 0) +- return -EINVAL; +- +- alts = &iface->altsetting[1]; +- goto add_sync_ep; +- case USB_ID(0x1397, 0x0002): ++ ifnum = 2; ++ goto add_sync_ep_from_ifnum; ++ case USB_ID(0x1397, 0x0002): /* Behringer UFX1204 */ + ep = 0x81; +- iface = usb_ifnum_to_if(dev, 1); +- +- if (!iface || iface->num_altsetting == 0) +- return -EINVAL; +- +- alts = &iface->altsetting[1]; +- goto add_sync_ep; +- ++ ifnum = 1; ++ goto add_sync_ep_from_ifnum; + } ++ + if (attr == USB_ENDPOINT_SYNC_ASYNC && + altsd->bInterfaceClass == USB_CLASS_VENDOR_SPEC && + altsd->bInterfaceProtocol == 2 && +@@ -385,6 +365,14 @@ static int set_sync_ep_implicit_fb_quirk + /* No quirk */ + return 0; + ++add_sync_ep_from_ifnum: ++ iface = usb_ifnum_to_if(dev, ifnum); ++ ++ if (!iface || iface->num_altsetting == 0) ++ return -EINVAL; ++ ++ alts = &iface->altsetting[1]; ++ + add_sync_ep: + subs->sync_endpoint = snd_usb_add_endpoint(subs->stream->chip, + alts, ep, !subs->direction,
diff --git a/queue-3.16/arm-8950-1-ftrace-recordmcount-filter-relocation-types.patch b/queue-3.16/arm-8950-1-ftrace-recordmcount-filter-relocation-types.patch new file mode 100644 index 0000000..8c9a100 --- /dev/null +++ b/queue-3.16/arm-8950-1-ftrace-recordmcount-filter-relocation-types.patch
@@ -0,0 +1,125 @@ +From: Alex Sverdlin <alexander.sverdlin@nokia.com> +Date: Wed, 8 Jan 2020 15:57:47 +0100 +Subject: ARM: 8950/1: ftrace/recordmcount: filter relocation types + +commit 927d780ee371d7e121cea4fc7812f6ef2cea461c upstream. + +Scenario 1, ARMv7 +================= + +If code in arch/arm/kernel/ftrace.c would operate on mcount() pointer +the following may be generated: + +00000230 <prealloc_fixed_plts>: + 230: b5f8 push {r3, r4, r5, r6, r7, lr} + 232: b500 push {lr} + 234: f7ff fffe bl 0 <__gnu_mcount_nc> + 234: R_ARM_THM_CALL __gnu_mcount_nc + 238: f240 0600 movw r6, #0 + 238: R_ARM_THM_MOVW_ABS_NC __gnu_mcount_nc + 23c: f8d0 1180 ldr.w r1, [r0, #384] ; 0x180 + +FTRACE currently is not able to deal with it: + +WARNING: CPU: 0 PID: 0 at .../kernel/trace/ftrace.c:1979 ftrace_bug+0x1ad/0x230() +... +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.116-... #1 +... +[<c0314e3d>] (unwind_backtrace) from [<c03115e9>] (show_stack+0x11/0x14) +[<c03115e9>] (show_stack) from [<c051a7f1>] (dump_stack+0x81/0xa8) +[<c051a7f1>] (dump_stack) from [<c0321c5d>] (warn_slowpath_common+0x69/0x90) +[<c0321c5d>] (warn_slowpath_common) from [<c0321cf3>] (warn_slowpath_null+0x17/0x1c) +[<c0321cf3>] (warn_slowpath_null) from [<c038ee9d>] (ftrace_bug+0x1ad/0x230) +[<c038ee9d>] (ftrace_bug) from [<c038f1f9>] (ftrace_process_locs+0x27d/0x444) +[<c038f1f9>] (ftrace_process_locs) from [<c08915bd>] (ftrace_init+0x91/0xe8) +[<c08915bd>] (ftrace_init) from [<c0885a67>] (start_kernel+0x34b/0x358) +[<c0885a67>] (start_kernel) from [<00308095>] (0x308095) +---[ end trace cb88537fdc8fa200 ]--- +ftrace failed to modify [<c031266c>] prealloc_fixed_plts+0x8/0x60 + actual: 44:f2:e1:36 +ftrace record flags: 0 + (0) expected tramp: c03143e9 + +Scenario 2, ARMv4T +================== + +ftrace: allocating 14435 entries in 43 pages +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:2029 ftrace_bug+0x204/0x310 +CPU: 0 PID: 0 Comm: swapper Not tainted 4.19.5 #1 +Hardware name: Cirrus Logic EDB9302 Evaluation Board +[<c0010a24>] (unwind_backtrace) from [<c000ecb0>] (show_stack+0x20/0x2c) +[<c000ecb0>] (show_stack) from [<c03c72e8>] (dump_stack+0x20/0x30) +[<c03c72e8>] (dump_stack) from [<c0021c18>] (__warn+0xdc/0x104) +[<c0021c18>] (__warn) from [<c0021d7c>] (warn_slowpath_null+0x4c/0x5c) +[<c0021d7c>] (warn_slowpath_null) from [<c0095360>] (ftrace_bug+0x204/0x310) +[<c0095360>] (ftrace_bug) from [<c04dabac>] (ftrace_init+0x3b4/0x4d4) +[<c04dabac>] (ftrace_init) from [<c04cef4c>] (start_kernel+0x20c/0x410) +[<c04cef4c>] (start_kernel) from [<00000000>] ( (null)) +---[ end trace 0506a2f5dae6b341 ]--- +ftrace failed to modify +[<c000c350>] perf_trace_sys_exit+0x5c/0xe8 + actual: 1e:ff:2f:e1 +Initializing ftrace call sites +ftrace record flags: 0 + (0) + expected tramp: c000fb24 + +The analysis for this problem has been already performed previously, +refer to the link below. + +Fix the above problems by allowing only selected reloc types in +__mcount_loc. The list itself comes from the legacy recordmcount.pl +script. + +Link: https://lore.kernel.org/lkml/56961010.6000806@pengutronix.de/ +Fixes: ed60453fa8f8 ("ARM: 6511/1: ftrace: add ARM support for C version of recordmcount") +Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com> +Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org> +Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + scripts/recordmcount.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- a/scripts/recordmcount.c ++++ b/scripts/recordmcount.c +@@ -52,6 +52,10 @@ + #define R_AARCH64_ABS64 257 + #endif + ++#define R_ARM_PC24 1 ++#define R_ARM_THM_CALL 10 ++#define R_ARM_CALL 28 ++ + static int fd_map; /* File descriptor for file being modified. */ + static int mmap_failed; /* Boolean flag. */ + static char gpfx; /* prefix for global symbol name (sometimes '_') */ +@@ -355,6 +359,18 @@ is_mcounted_section_name(char const *con + #define RECORD_MCOUNT_64 + #include "recordmcount.h" + ++static int arm_is_fake_mcount(Elf32_Rel const *rp) ++{ ++ switch (ELF32_R_TYPE(w(rp->r_info))) { ++ case R_ARM_THM_CALL: ++ case R_ARM_CALL: ++ case R_ARM_PC24: ++ return 0; ++ } ++ ++ return 1; ++} ++ + /* 64-bit EM_MIPS has weird ELF64_Rela.r_info. + * http://techpubs.sgi.com/library/manuals/4000/007-4658-001/pdf/007-4658-001.pdf + * We interpret Table 29 Relocation Operation (Elf64_Rel, Elf64_Rela) [p.40] +@@ -443,6 +459,7 @@ do_file(char const *const fname) + break; + case EM_ARM: reltype = R_ARM_ABS32; + altmcount = "__gnu_mcount_nc"; ++ is_fake_mcount32 = arm_is_fake_mcount; + break; + case EM_AARCH64: + reltype = R_AARCH64_ABS64; gpfx = '_'; break;
diff --git a/queue-3.16/arm-8955-1-virt-relax-arch-timer-version-check-during-early-boot.patch b/queue-3.16/arm-8955-1-virt-relax-arch-timer-version-check-during-early-boot.patch new file mode 100644 index 0000000..c89e54f --- /dev/null +++ b/queue-3.16/arm-8955-1-virt-relax-arch-timer-version-check-during-early-boot.patch
@@ -0,0 +1,42 @@ +From: Vladimir Murzin <vladimir.murzin@arm.com> +Date: Mon, 20 Jan 2020 15:07:46 +0100 +Subject: ARM: 8955/1: virt: Relax arch timer version check during early boot + +commit 6849b5eba1965ceb0cad3a75877ef4569dd3638e upstream. + +Updates to the Generic Timer architecture allow ID_PFR1.GenTimer to +have values other than 0 or 1 while still preserving backward +compatibility. At the moment, Linux is quite strict in the way it +handles this field at early boot and will not configure arch timer if +it doesn't find the value 1. + +Since here use ubfx for arch timer version extraction (hyb-stub build +with -march=armv7-a, so it is safe) + +To help backports (even though the code was correct at the time of writing) + +Fixes: 8ec58be9f3ff ("ARM: virt: arch_timers: enable access to physical timers") +Acked-by: Marc Zyngier <maz@kernel.org> +Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com> +Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/arm/kernel/hyp-stub.S | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/arch/arm/kernel/hyp-stub.S ++++ b/arch/arm/kernel/hyp-stub.S +@@ -144,10 +144,9 @@ ARM_BE8(orr r7, r7, #(1 << 25)) @ HS + #if !defined(ZIMAGE) && defined(CONFIG_ARM_ARCH_TIMER) + @ make CNTP_* and CNTPCT accessible from PL1 + mrc p15, 0, r7, c0, c1, 1 @ ID_PFR1 +- lsr r7, #16 +- and r7, #0xf +- cmp r7, #1 +- bne 1f ++ ubfx r7, r7, #16, #4 ++ teq r7, #0 ++ beq 1f + mrc p15, 4, r7, c14, c1, 0 @ CNTHCTL + orr r7, r7, #3 @ PL1PCEN | PL1PCTEN + mcr p15, 4, r7, c14, c1, 0 @ CNTHCTL
diff --git a/queue-3.16/asoc-wm8962-fix-lambda-value.patch b/queue-3.16/asoc-wm8962-fix-lambda-value.patch new file mode 100644 index 0000000..4081557 --- /dev/null +++ b/queue-3.16/asoc-wm8962-fix-lambda-value.patch
@@ -0,0 +1,39 @@ +From: Shengjiu Wang <shengjiu.wang@nxp.com> +Date: Wed, 11 Dec 2019 19:57:22 +0800 +Subject: ASoC: wm8962: fix lambda value + +commit 556672d75ff486e0b6786056da624131679e0576 upstream. + +According to user manual, it is required that FLL_LAMBDA > 0 +in all cases (Integer and Franctional modes). + +Fixes: 9a76f1ff6e29 ("ASoC: Add initial WM8962 CODEC driver") +Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com> +Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com> +Link: https://lore.kernel.org/r/1576065442-19763-1-git-send-email-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown <broonie@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + sound/soc/codecs/wm8962.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/soc/codecs/wm8962.c ++++ b/sound/soc/codecs/wm8962.c +@@ -2795,7 +2795,7 @@ static int fll_factors(struct _fll_div * + + if (target % Fref == 0) { + fll_div->theta = 0; +- fll_div->lambda = 0; ++ fll_div->lambda = 1; + } else { + gcd_fll = gcd(target, fratio * Fref); + +@@ -2865,7 +2865,7 @@ static int wm8962_set_fll(struct snd_soc + return -EINVAL; + } + +- if (fll_div.theta || fll_div.lambda) ++ if (fll_div.theta) + fll1 |= WM8962_FLL_FRAC; + + /* Stop the FLL while we reconfigure */
diff --git a/queue-3.16/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch b/queue-3.16/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch new file mode 100644 index 0000000..9955c49 --- /dev/null +++ b/queue-3.16/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch
@@ -0,0 +1,41 @@ +From: Sven Eckelmann <sven@narfation.org> +Date: Thu, 28 Nov 2019 12:25:45 +0100 +Subject: batman-adv: Fix DAT candidate selection on little endian systems + +commit 4cc4a1708903f404d2ca0dfde30e71e052c6cbc9 upstream. + +The distributed arp table is using a DHT to store and retrieve MAC address +information for an IP address. This is done using unicast messages to +selected peers. The potential peers are looked up using the IP address and +the VID. + +While the IP address is always stored in big endian byte order, this is not +the case of the VID. It can (depending on the host system) either be big +endian or little endian. The host must therefore always convert it to big +endian to ensure that all devices calculate the same peers for the same +lookup data. + +Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware") +Signed-off-by: Sven Eckelmann <sven@narfation.org> +Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/batman-adv/distributed-arp-table.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/batman-adv/distributed-arp-table.c ++++ b/net/batman-adv/distributed-arp-table.c +@@ -207,9 +207,11 @@ static uint32_t batadv_hash_dat(const vo + { + uint32_t hash = 0; + const struct batadv_dat_entry *dat = data; ++ __be16 vid; + + hash = batadv_hash_bytes(hash, &dat->ip, sizeof(dat->ip)); +- hash = batadv_hash_bytes(hash, &dat->vid, sizeof(dat->vid)); ++ vid = htons(dat->vid); ++ hash = batadv_hash_bytes(hash, &vid, sizeof(vid)); + + hash += (hash << 3); + hash ^= (hash >> 11);
diff --git a/queue-3.16/block-fix-an-integer-overflow-in-logical-block-size.patch b/queue-3.16/block-fix-an-integer-overflow-in-logical-block-size.patch new file mode 100644 index 0000000..c74b486 --- /dev/null +++ b/queue-3.16/block-fix-an-integer-overflow-in-logical-block-size.patch
@@ -0,0 +1,112 @@ +From: Mikulas Patocka <mpatocka@redhat.com> +Date: Wed, 15 Jan 2020 08:35:25 -0500 +Subject: block: fix an integer overflow in logical block size + +commit ad6bf88a6c19a39fb3b0045d78ea880325dfcf15 upstream. + +Logical block size has type unsigned short. That means that it can be at +most 32768. However, there are architectures that can run with 64k pages +(for example arm64) and on these architectures, it may be possible to +create block devices with 64k block size. + +For exmaple (run this on an architecture with 64k pages): + +Mount will fail with this error because it tries to read the superblock using 2-sector +access: + device-mapper: writecache: I/O is not aligned, sector 2, size 1024, block size 65536 + EXT4-fs (dm-0): unable to read superblock + +This patch changes the logical block size from unsigned short to unsigned +int to avoid the overflow. + +Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com> +Reviewed-by: Ming Lei <ming.lei@redhat.com> +Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + block/blk-settings.c | 2 +- + drivers/md/dm-snap-persistent.c | 2 +- + drivers/md/raid0.c | 2 +- + include/linux/blkdev.h | 8 ++++---- + 4 files changed, 7 insertions(+), 7 deletions(-) + +--- a/block/blk-settings.c ++++ b/block/blk-settings.c +@@ -373,7 +373,7 @@ EXPORT_SYMBOL(blk_queue_max_segment_size + * storage device can address. The default of 512 covers most + * hardware. + **/ +-void blk_queue_logical_block_size(struct request_queue *q, unsigned short size) ++void blk_queue_logical_block_size(struct request_queue *q, unsigned int size) + { + q->limits.logical_block_size = size; + +--- a/drivers/md/dm-snap-persistent.c ++++ b/drivers/md/dm-snap-persistent.c +@@ -16,7 +16,7 @@ + #include "dm-bufio.h" + + #define DM_MSG_PREFIX "persistent snapshot" +-#define DM_CHUNK_SIZE_DEFAULT_SECTORS 32 /* 16KB */ ++#define DM_CHUNK_SIZE_DEFAULT_SECTORS 32U /* 16KB */ + + #define DM_PREFETCH_CHUNKS 12 + +--- a/drivers/md/raid0.c ++++ b/drivers/md/raid0.c +@@ -88,7 +88,7 @@ static int create_strip_zones(struct mdd + char b[BDEVNAME_SIZE]; + char b2[BDEVNAME_SIZE]; + struct r0conf *conf = kzalloc(sizeof(*conf), GFP_KERNEL); +- unsigned short blksize = 512; ++ unsigned blksize = 512; + + if (!conf) + return -ENOMEM; +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -284,6 +284,7 @@ struct queue_limits { + unsigned int max_sectors; + unsigned int max_segment_size; + unsigned int physical_block_size; ++ unsigned int logical_block_size; + unsigned int alignment_offset; + unsigned int io_min; + unsigned int io_opt; +@@ -292,7 +293,6 @@ struct queue_limits { + unsigned int discard_granularity; + unsigned int discard_alignment; + +- unsigned short logical_block_size; + unsigned short max_segments; + unsigned short max_integrity_segments; + +@@ -1017,7 +1017,7 @@ extern void blk_queue_max_discard_sector + unsigned int max_discard_sectors); + extern void blk_queue_max_write_same_sectors(struct request_queue *q, + unsigned int max_write_same_sectors); +-extern void blk_queue_logical_block_size(struct request_queue *, unsigned short); ++extern void blk_queue_logical_block_size(struct request_queue *, unsigned int); + extern void blk_queue_physical_block_size(struct request_queue *, unsigned int); + extern void blk_queue_alignment_offset(struct request_queue *q, + unsigned int alignment); +@@ -1232,7 +1232,7 @@ static inline unsigned int queue_max_seg + return q->limits.max_segment_size; + } + +-static inline unsigned short queue_logical_block_size(struct request_queue *q) ++static inline unsigned queue_logical_block_size(struct request_queue *q) + { + int retval = 512; + +@@ -1242,7 +1242,7 @@ static inline unsigned short queue_logic + return retval; + } + +-static inline unsigned short bdev_logical_block_size(struct block_device *bdev) ++static inline unsigned int bdev_logical_block_size(struct block_device *bdev) + { + return queue_logical_block_size(bdev_get_queue(bdev)); + }
diff --git a/queue-3.16/bonding-fix-bond_neigh_init.patch b/queue-3.16/bonding-fix-bond_neigh_init.patch new file mode 100644 index 0000000..a7a98db --- /dev/null +++ b/queue-3.16/bonding-fix-bond_neigh_init.patch
@@ -0,0 +1,168 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Sat, 7 Dec 2019 14:10:34 -0800 +Subject: bonding: fix bond_neigh_init() + +commit 9e99bfefdbce2e23ef37487a3bcb4adf90a791d1 upstream. + +1) syzbot reported an uninit-value in bond_neigh_setup() [1] + + bond_neigh_setup() uses a temporary on-stack 'struct neigh_parms parms', + but only clears parms.neigh_setup field. + + A stacked bonding device would then enter bond_neigh_setup() + and read garbage from parms->dev. + + If we get really unlucky and garbage is matching @dev, then we + could recurse and eventually crash. + + Let's make sure the whole structure is cleared to avoid surprises. + +2) bond_neigh_setup() can be called while another cpu manipulates + the master device, removing or adding a slave. + We need at least rcu protection to prevent use-after-free. + +Note: Prior code does not support a stack of bonding devices, + this patch does not attempt to fix this, and leave a comment instead. + +[1] + +BUG: KMSAN: uninit-value in bond_neigh_setup+0xa4/0x110 drivers/net/bonding/bond_main.c:3655 +CPU: 0 PID: 11256 Comm: syz-executor.0 Not tainted 5.4.0-rc8-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + <IRQ> + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c9/0x220 lib/dump_stack.c:118 + kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108 + __msan_warning+0x57/0xa0 mm/kmsan/kmsan_instr.c:245 + bond_neigh_setup+0xa4/0x110 drivers/net/bonding/bond_main.c:3655 + bond_neigh_init+0x216/0x4b0 drivers/net/bonding/bond_main.c:3626 + ___neigh_create+0x169e/0x2c40 net/core/neighbour.c:613 + __neigh_create+0xbd/0xd0 net/core/neighbour.c:674 + ip6_finish_output2+0x149a/0x2670 net/ipv6/ip6_output.c:113 + __ip6_finish_output+0x83d/0x8f0 net/ipv6/ip6_output.c:142 + ip6_finish_output+0x2db/0x420 net/ipv6/ip6_output.c:152 + NF_HOOK_COND include/linux/netfilter.h:294 [inline] + ip6_output+0x5d3/0x720 net/ipv6/ip6_output.c:175 + dst_output include/net/dst.h:436 [inline] + NF_HOOK include/linux/netfilter.h:305 [inline] + mld_sendpack+0xebd/0x13d0 net/ipv6/mcast.c:1682 + mld_send_cr net/ipv6/mcast.c:1978 [inline] + mld_ifc_timer_expire+0x116b/0x1680 net/ipv6/mcast.c:2477 + call_timer_fn+0x232/0x530 kernel/time/timer.c:1404 + expire_timers kernel/time/timer.c:1449 [inline] + __run_timers+0xd60/0x1270 kernel/time/timer.c:1773 + run_timer_softirq+0x2d/0x50 kernel/time/timer.c:1786 + __do_softirq+0x4a1/0x83a kernel/softirq.c:293 + invoke_softirq kernel/softirq.c:375 [inline] + irq_exit+0x230/0x280 kernel/softirq.c:416 + exiting_irq+0xe/0x10 arch/x86/include/asm/apic.h:536 + smp_apic_timer_interrupt+0x48/0x70 arch/x86/kernel/apic/apic.c:1138 + apic_timer_interrupt+0x2e/0x40 arch/x86/entry/entry_64.S:835 + </IRQ> +RIP: 0010:kmsan_free_page+0x18d/0x1c0 mm/kmsan/kmsan_shadow.c:439 +Code: 4c 89 ff 44 89 f6 e8 82 0d ee ff 65 ff 0d 9f 26 3b 60 65 8b 05 98 26 3b 60 85 c0 75 24 e8 5b f6 35 ff 4c 89 6d d0 ff 75 d0 9d <48> 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 0f 0b 0f 0b 0f +RSP: 0018:ffffb328034af818 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 +RAX: 0000000000000000 RBX: ffffe2d7471f8360 RCX: 0000000000000000 +RDX: ffffffffadea7000 RSI: 0000000000000004 RDI: ffff93496fcda104 +RBP: ffffb328034af850 R08: ffff934a47e86d00 R09: ffff93496fc41900 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001 +R13: 0000000000000246 R14: 0000000000000000 R15: ffffe2d7472225c0 + free_pages_prepare mm/page_alloc.c:1138 [inline] + free_pcp_prepare mm/page_alloc.c:1230 [inline] + free_unref_page_prepare+0x1d9/0x770 mm/page_alloc.c:3025 + free_unref_page mm/page_alloc.c:3074 [inline] + free_the_page mm/page_alloc.c:4832 [inline] + __free_pages+0x154/0x230 mm/page_alloc.c:4840 + __vunmap+0xdac/0xf20 mm/vmalloc.c:2277 + __vfree mm/vmalloc.c:2325 [inline] + vfree+0x7c/0x170 mm/vmalloc.c:2355 + copy_entries_to_user net/ipv6/netfilter/ip6_tables.c:883 [inline] + get_entries net/ipv6/netfilter/ip6_tables.c:1041 [inline] + do_ip6t_get_ctl+0xfa4/0x1030 net/ipv6/netfilter/ip6_tables.c:1709 + nf_sockopt net/netfilter/nf_sockopt.c:104 [inline] + nf_getsockopt+0x481/0x4e0 net/netfilter/nf_sockopt.c:122 + ipv6_getsockopt+0x264/0x510 net/ipv6/ipv6_sockglue.c:1400 + tcp_getsockopt+0x1c6/0x1f0 net/ipv4/tcp.c:3688 + sock_common_getsockopt+0x13f/0x180 net/core/sock.c:3110 + __sys_getsockopt+0x533/0x7b0 net/socket.c:2129 + __do_sys_getsockopt net/socket.c:2144 [inline] + __se_sys_getsockopt+0xe1/0x100 net/socket.c:2141 + __x64_sys_getsockopt+0x62/0x80 net/socket.c:2141 + do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x45d20a +Code: b8 34 01 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 8d 8b fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 6a 8b fb ff c3 66 0f 1f 84 00 00 00 00 00 +RSP: 002b:0000000000a6f618 EFLAGS: 00000212 ORIG_RAX: 0000000000000037 +RAX: ffffffffffffffda RBX: 0000000000a6f640 RCX: 000000000045d20a +RDX: 0000000000000041 RSI: 0000000000000029 RDI: 0000000000000003 +RBP: 0000000000717cc0 R08: 0000000000a6f63c R09: 0000000000004000 +R10: 0000000000a6f740 R11: 0000000000000212 R12: 0000000000000003 +R13: 0000000000000000 R14: 0000000000000029 R15: 0000000000715b00 + +Local variable description: ----parms@bond_neigh_init +Variable was created at: + bond_neigh_init+0x8c/0x4b0 drivers/net/bonding/bond_main.c:3617 + bond_neigh_init+0x8c/0x4b0 drivers/net/bonding/bond_main.c:3617 + +Fixes: 9918d5bf329d ("bonding: modify only neigh_parms owned by us") +Fixes: 234bcf8a499e ("net/bonding: correctly proxy slave neigh param setup ndo function") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: syzbot <syzkaller@googlegroups.com> +Cc: Jay Vosburgh <j.vosburgh@gmail.com> +Cc: Veaceslav Falico <vfalico@gmail.com> +Cc: Andy Gospodarek <andy@greyhouse.net> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/bonding/bond_main.c | 31 +++++++++++++++++++++---------- + 1 file changed, 21 insertions(+), 10 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3421,24 +3421,35 @@ static int bond_neigh_init(struct neighb + const struct net_device_ops *slave_ops; + struct neigh_parms parms; + struct slave *slave; +- int ret; ++ int ret = 0; + +- slave = bond_first_slave(bond); ++ rcu_read_lock(); ++ slave = bond_first_slave_rcu(bond); + if (!slave) +- return 0; ++ goto out; + slave_ops = slave->dev->netdev_ops; + if (!slave_ops->ndo_neigh_setup) +- return 0; ++ goto out; + +- parms.neigh_setup = NULL; ++ /* TODO: find another way [1] to implement this. ++ * Passing a zeroed structure is fragile, ++ * but at least we do not pass garbage. ++ * ++ * [1] One way would be that ndo_neigh_setup() never touch ++ * struct neigh_parms, but propagate the new neigh_setup() ++ * back to ___neigh_create() / neigh_parms_alloc() ++ */ ++ memset(&parms, 0, sizeof(parms)); + ret = slave_ops->ndo_neigh_setup(slave->dev, &parms); +- if (ret) +- return ret; + +- if (!parms.neigh_setup) +- return 0; ++ if (ret) ++ goto out; + +- return parms.neigh_setup(n); ++ if (parms.neigh_setup) ++ ret = parms.neigh_setup(n); ++out: ++ rcu_read_unlock(); ++ return ret; + } + + /*
diff --git a/queue-3.16/btrfs-abort-transaction-after-failed-inode-updates-in-create_subvol.patch b/queue-3.16/btrfs-abort-transaction-after-failed-inode-updates-in-create_subvol.patch new file mode 100644 index 0000000..e34c4fd --- /dev/null +++ b/queue-3.16/btrfs-abort-transaction-after-failed-inode-updates-in-create_subvol.patch
@@ -0,0 +1,45 @@ +From: Josef Bacik <josef@toxicpanda.com> +Date: Fri, 6 Dec 2019 09:37:15 -0500 +Subject: btrfs: abort transaction after failed inode updates in create_subvol + +commit c7e54b5102bf3614cadb9ca32d7be73bad6cecf0 upstream. + +We can just abort the transaction here, and in fact do that for every +other failure in this function except these two cases. + +Reviewed-by: Filipe Manana <fdmanana@suse.com> +Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> +Signed-off-by: Josef Bacik <josef@toxicpanda.com> +Reviewed-by: David Sterba <dsterba@suse.com> +Signed-off-by: David Sterba <dsterba@suse.com> +[bwh: Backported to 3.16: + - Add root as second argument to btrfs_abort_transaction() + - Adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/btrfs/ioctl.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -580,12 +580,18 @@ static noinline int create_subvol(struct + + btrfs_i_size_write(dir, dir->i_size + namelen * 2); + ret = btrfs_update_inode(trans, root, dir); +- BUG_ON(ret); ++ if (ret) { ++ btrfs_abort_transaction(trans, root, ret); ++ goto fail; ++ } + + ret = btrfs_add_root_ref(trans, root->fs_info->tree_root, + objectid, root->root_key.objectid, + btrfs_ino(dir), index, name, namelen); +- BUG_ON(ret); ++ if (ret) { ++ btrfs_abort_transaction(trans, root, ret); ++ goto fail; ++ } + + ret = btrfs_uuid_tree_add(trans, root->fs_info->uuid_root, + root_item.uuid, BTRFS_UUID_KEY_SUBVOL,
diff --git a/queue-3.16/btrfs-check-rw_devices-not-num_devices-for-balance.patch b/queue-3.16/btrfs-check-rw_devices-not-num_devices-for-balance.patch new file mode 100644 index 0000000..b81017d --- /dev/null +++ b/queue-3.16/btrfs-check-rw_devices-not-num_devices-for-balance.patch
@@ -0,0 +1,88 @@ +From: Josef Bacik <josef@toxicpanda.com> +Date: Fri, 10 Jan 2020 11:11:24 -0500 +Subject: btrfs: check rw_devices, not num_devices for balance + +commit b35cf1f0bf1f2b0b193093338414b9bd63b29015 upstream. + +The fstest btrfs/154 reports + + [ 8675.381709] BTRFS: Transaction aborted (error -28) + [ 8675.383302] WARNING: CPU: 1 PID: 31900 at fs/btrfs/block-group.c:2038 btrfs_create_pending_block_groups+0x1e0/0x1f0 [btrfs] + [ 8675.390925] CPU: 1 PID: 31900 Comm: btrfs Not tainted 5.5.0-rc6-default+ #935 + [ 8675.392780] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba527-rebuilt.opensuse.org 04/01/2014 + [ 8675.395452] RIP: 0010:btrfs_create_pending_block_groups+0x1e0/0x1f0 [btrfs] + [ 8675.402672] RSP: 0018:ffffb2090888fb00 EFLAGS: 00010286 + [ 8675.404413] RAX: 0000000000000000 RBX: ffff92026dfa91c8 RCX: 0000000000000001 + [ 8675.406609] RDX: 0000000000000000 RSI: ffffffff8e100899 RDI: ffffffff8e100971 + [ 8675.408775] RBP: ffff920247c61660 R08: 0000000000000000 R09: 0000000000000000 + [ 8675.410978] R10: 0000000000000000 R11: 0000000000000000 R12: 00000000ffffffe4 + [ 8675.412647] R13: ffff92026db74000 R14: ffff920247c616b8 R15: ffff92026dfbc000 + [ 8675.413994] FS: 00007fd5e57248c0(0000) GS:ffff92027d800000(0000) knlGS:0000000000000000 + [ 8675.416146] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 8675.417833] CR2: 0000564aa51682d8 CR3: 000000006dcbc004 CR4: 0000000000160ee0 + [ 8675.419801] Call Trace: + [ 8675.420742] btrfs_start_dirty_block_groups+0x355/0x480 [btrfs] + [ 8675.422600] btrfs_commit_transaction+0xc8/0xaf0 [btrfs] + [ 8675.424335] reset_balance_state+0x14a/0x190 [btrfs] + [ 8675.425824] btrfs_balance.cold+0xe7/0x154 [btrfs] + [ 8675.427313] ? kmem_cache_alloc_trace+0x235/0x2c0 + [ 8675.428663] btrfs_ioctl_balance+0x298/0x350 [btrfs] + [ 8675.430285] btrfs_ioctl+0x466/0x2550 [btrfs] + [ 8675.431788] ? mem_cgroup_charge_statistics+0x51/0xf0 + [ 8675.433487] ? mem_cgroup_commit_charge+0x56/0x400 + [ 8675.435122] ? do_raw_spin_unlock+0x4b/0xc0 + [ 8675.436618] ? _raw_spin_unlock+0x1f/0x30 + [ 8675.438093] ? __handle_mm_fault+0x499/0x740 + [ 8675.439619] ? do_vfs_ioctl+0x56e/0x770 + [ 8675.441034] do_vfs_ioctl+0x56e/0x770 + [ 8675.442411] ksys_ioctl+0x3a/0x70 + [ 8675.443718] ? trace_hardirqs_off_thunk+0x1a/0x1c + [ 8675.445333] __x64_sys_ioctl+0x16/0x20 + [ 8675.446705] do_syscall_64+0x50/0x210 + [ 8675.448059] entry_SYSCALL_64_after_hwframe+0x49/0xbe + [ 8675.479187] BTRFS: error (device vdb) in btrfs_create_pending_block_groups:2038: errno=-28 No space left + +We now use btrfs_can_overcommit() to see if we can flip a block group +read only. Before this would fail because we weren't taking into +account the usable un-allocated space for allocating chunks. With my +patches we were allowed to do the balance, which is technically correct. + +The test is trying to start balance on degraded mount. So now we're +trying to allocate a chunk and cannot because we want to allocate a +RAID1 chunk, but there's only 1 device that's available for usage. This +results in an ENOSPC. + +But we shouldn't even be making it this far, we don't have enough +devices to restripe. The problem is we're using btrfs_num_devices(), +that also includes missing devices. That's not actually what we want, we +need to use rw_devices. + +The chunk_mutex is not needed here, rw_devices changes only in device +add, remove or replace, all are excluded by EXCL_OP mechanism. + +Fixes: e4d8ec0f65b9 ("Btrfs: implement online profile changing") +Signed-off-by: Josef Bacik <josef@toxicpanda.com> +Reviewed-by: David Sterba <dsterba@suse.com> +[ add stacktrace, update changelog, drop chunk_mutex ] +Signed-off-by: David Sterba <dsterba@suse.com> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/btrfs/volumes.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -3248,7 +3248,11 @@ int btrfs_balance(struct btrfs_balance_c + } + } + +- num_devices = fs_info->fs_devices->num_devices; ++ /* ++ * rw_devices will not change at the moment, device add/delete/replace ++ * are excluded by EXCL_OP ++ */ ++ num_devices = fs_info->fs_devices->rw_devices; + btrfs_dev_replace_lock(&fs_info->dev_replace); + if (btrfs_dev_replace_is_ongoing(&fs_info->dev_replace)) { + BUG_ON(num_devices < 1);
diff --git a/queue-3.16/btrfs-do-not-call-synchronize_srcu-in-inode_tree_del.patch b/queue-3.16/btrfs-do-not-call-synchronize_srcu-in-inode_tree_del.patch new file mode 100644 index 0000000..edd668f --- /dev/null +++ b/queue-3.16/btrfs-do-not-call-synchronize_srcu-in-inode_tree_del.patch
@@ -0,0 +1,50 @@ +From: Josef Bacik <josef@toxicpanda.com> +Date: Tue, 19 Nov 2019 13:59:35 -0500 +Subject: btrfs: do not call synchronize_srcu() in inode_tree_del + +commit f72ff01df9cf5db25c76674cac16605992d15467 upstream. + +Testing with the new fsstress uncovered a pretty nasty deadlock with +lookup and snapshot deletion. + +Process A +unlink + -> final iput + -> inode_tree_del + -> synchronize_srcu(subvol_srcu) + +Process B +btrfs_lookup <- srcu_read_lock() acquired here + -> btrfs_iget + -> find inode that has I_FREEING set + -> __wait_on_freeing_inode() + +We're holding the srcu_read_lock() while doing the iget in order to make +sure our fs root doesn't go away, and then we are waiting for the inode +to finish freeing. However because the free'ing process is doing a +synchronize_srcu() we deadlock. + +Fix this by dropping the synchronize_srcu() in inode_tree_del(). We +don't need people to stop accessing the fs root at this point, we're +only adding our empty root to the dead roots list. + +A larger much more invasive fix is forthcoming to address how we deal +with fs roots, but this fixes the immediate problem. + +Fixes: 76dda93c6ae2 ("Btrfs: add snapshot/subvolume destroy ioctl") +Signed-off-by: Josef Bacik <josef@toxicpanda.com> +Reviewed-by: David Sterba <dsterba@suse.com> +Signed-off-by: David Sterba <dsterba@suse.com> +[bwh: Backported to 3.16: No fs_info variable was used here] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -5140,7 +5140,6 @@ static void inode_tree_del(struct inode + spin_unlock(&root->inode_lock); + + if (empty && btrfs_root_refs(&root->root_item) == 0) { +- synchronize_srcu(&root->fs_info->subvol_srcu); + spin_lock(&root->inode_lock); + empty = RB_EMPTY_ROOT(&root->inode_tree); + spin_unlock(&root->inode_lock);
diff --git a/queue-3.16/btrfs-do-not-delete-mismatched-root-refs.patch b/queue-3.16/btrfs-do-not-delete-mismatched-root-refs.patch new file mode 100644 index 0000000..dbda11f --- /dev/null +++ b/queue-3.16/btrfs-do-not-delete-mismatched-root-refs.patch
@@ -0,0 +1,40 @@ +From: Josef Bacik <josef@toxicpanda.com> +Date: Wed, 18 Dec 2019 17:20:29 -0500 +Subject: btrfs: do not delete mismatched root refs + +commit 423a716cd7be16fb08690760691befe3be97d3fc upstream. + +btrfs_del_root_ref() will simply WARN_ON() if the ref doesn't match in +any way, and then continue to delete the reference. This shouldn't +happen, we have these values because there's more to the reference than +the original root and the sub root. If any of these checks fail, return +-ENOENT. + +Signed-off-by: Josef Bacik <josef@toxicpanda.com> +Reviewed-by: David Sterba <dsterba@suse.com> +Signed-off-by: David Sterba <dsterba@suse.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/btrfs/root-tree.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/fs/btrfs/root-tree.c ++++ b/fs/btrfs/root-tree.c +@@ -373,11 +373,13 @@ again: + leaf = path->nodes[0]; + ref = btrfs_item_ptr(leaf, path->slots[0], + struct btrfs_root_ref); +- +- WARN_ON(btrfs_root_ref_dirid(leaf, ref) != dirid); +- WARN_ON(btrfs_root_ref_name_len(leaf, ref) != name_len); + ptr = (unsigned long)(ref + 1); +- WARN_ON(memcmp_extent_buffer(leaf, name, ptr, name_len)); ++ if ((btrfs_root_ref_dirid(leaf, ref) != dirid) || ++ (btrfs_root_ref_name_len(leaf, ref) != name_len) || ++ memcmp_extent_buffer(leaf, name, ptr, name_len)) { ++ err = -ENOENT; ++ goto out; ++ } + *sequence = btrfs_root_ref_sequence(leaf, ref); + + ret = btrfs_del_item(trans, tree_root, path);
diff --git a/queue-3.16/btrfs-do-not-leak-reloc-root-if-we-fail-to-read-the-fs-root.patch b/queue-3.16/btrfs-do-not-leak-reloc-root-if-we-fail-to-read-the-fs-root.patch new file mode 100644 index 0000000..a31dd08 --- /dev/null +++ b/queue-3.16/btrfs-do-not-leak-reloc-root-if-we-fail-to-read-the-fs-root.patch
@@ -0,0 +1,32 @@ +From: Josef Bacik <josef@toxicpanda.com> +Date: Fri, 6 Dec 2019 09:37:18 -0500 +Subject: btrfs: do not leak reloc root if we fail to read the fs root + +commit ca1aa2818a53875cfdd175fb5e9a2984e997cce9 upstream. + +If we fail to read the fs root corresponding with a reloc root we'll +just break out and free the reloc roots. But we remove our current +reloc_root from this list higher up, which means we'll leak this +reloc_root. Fix this by adding ourselves back to the reloc_roots list +so we are properly cleaned up. + +Reviewed-by: Filipe Manana <fdmanana@suse.com> +Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> +Signed-off-by: Josef Bacik <josef@toxicpanda.com> +Reviewed-by: David Sterba <dsterba@suse.com> +Signed-off-by: David Sterba <dsterba@suse.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/btrfs/relocation.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -4449,6 +4449,7 @@ int btrfs_recover_relocation(struct btrf + reloc_root->root_key.offset); + if (IS_ERR(fs_root)) { + err = PTR_ERR(fs_root); ++ list_add_tail(&reloc_root->root_list, &reloc_roots); + goto out_free; + } +
diff --git a/queue-3.16/btrfs-fix-infinite-loop-during-nocow-writeback-due-to-race.patch b/queue-3.16/btrfs-fix-infinite-loop-during-nocow-writeback-due-to-race.patch new file mode 100644 index 0000000..9af02e0 --- /dev/null +++ b/queue-3.16/btrfs-fix-infinite-loop-during-nocow-writeback-due-to-race.patch
@@ -0,0 +1,204 @@ +From: Filipe Manana <fdmanana@suse.com> +Date: Wed, 11 Dec 2019 09:01:40 +0000 +Subject: Btrfs: fix infinite loop during nocow writeback due to race + +commit de7999afedff02c6631feab3ea726a0e8f8c3d40 upstream. + +When starting writeback for a range that covers part of a preallocated +extent, due to a race with writeback for another range that also covers +another part of the same preallocated extent, we can end up in an infinite +loop. + +Consider the following example where for inode 280 we have two dirty +ranges: + + range A, from 294912 to 303103, 8192 bytes + range B, from 348160 to 438271, 90112 bytes + +and we have the following file extent item layout for our inode: + + leaf 38895616 gen 24544 total ptrs 29 free space 13820 owner 5 + (...) + item 27 key (280 108 200704) itemoff 14598 itemsize 53 + extent data disk bytenr 0 nr 0 type 1 (regular) + extent data offset 0 nr 94208 ram 94208 + item 28 key (280 108 294912) itemoff 14545 itemsize 53 + extent data disk bytenr 10433052672 nr 81920 type 2 (prealloc) + extent data offset 0 nr 81920 ram 81920 + +Then the following happens: + +1) Writeback starts for range B (from 348160 to 438271), execution of + run_delalloc_nocow() starts; + +2) The first iteration of run_delalloc_nocow()'s whil loop leaves us at + the extent item at slot 28, pointing to the prealloc extent item + covering the range from 294912 to 376831. This extent covers part of + our range; + +3) An ordered extent is created against that extent, covering the file + range from 348160 to 376831 (28672 bytes); + +4) We adjust 'cur_offset' to 376832 and move on to the next iteration of + the while loop; + +5) The call to btrfs_lookup_file_extent() leaves us at the same leaf, + pointing to slot 29, 1 slot after the last item (the extent item + we processed in the previous iteration); + +6) Because we are a slot beyond the last item, we call btrfs_next_leaf(), + which releases the search path before doing a another search for the + last key of the leaf (280 108 294912); + +7) Right after btrfs_next_leaf() released the path, and before it did + another search for the last key of the leaf, writeback for the range + A (from 294912 to 303103) completes (it was previously started at + some point); + +8) Upon completion of the ordered extent for range A, the prealloc extent + we previously found got split into two extent items, one covering the + range from 294912 to 303103 (8192 bytes), with a type of regular extent + (and no longer prealloc) and another covering the range from 303104 to + 376831 (73728 bytes), with a type of prealloc and an offset of 8192 + bytes. So our leaf now has the following layout: + + leaf 38895616 gen 24544 total ptrs 31 free space 13664 owner 5 + (...) + item 27 key (280 108 200704) itemoff 14598 itemsize 53 + extent data disk bytenr 0 nr 0 type 1 + extent data offset 0 nr 8192 ram 94208 + item 28 key (280 108 208896) itemoff 14545 itemsize 53 + extent data disk bytenr 10433142784 nr 86016 type 1 + extent data offset 0 nr 86016 ram 86016 + item 29 key (280 108 294912) itemoff 14492 itemsize 53 + extent data disk bytenr 10433052672 nr 81920 type 1 + extent data offset 0 nr 8192 ram 81920 + item 30 key (280 108 303104) itemoff 14439 itemsize 53 + extent data disk bytenr 10433052672 nr 81920 type 2 + extent data offset 8192 nr 73728 ram 81920 + +9) After btrfs_next_leaf() returns, we have our path pointing to that same + leaf and at slot 30, since it has a key we didn't have before and it's + the first key greater then the key that was previously the last key of + the leaf (key (280 108 294912)); + +10) The extent item at slot 30 covers the range from 303104 to 376831 + which is in our target range, so we process it, despite having already + created an ordered extent against this extent for the file range from + 348160 to 376831. This is because we skip to the next extent item only + if its end is less than or equals to the start of our delalloc range, + and not less than or equals to the current offset ('cur_offset'); + +11) As a result we compute 'num_bytes' as: + + num_bytes = min(end + 1, extent_end) - cur_offset; + = min(438271 + 1, 376832) - 376832 = 0 + +12) We then call create_io_em() for a 0 bytes range starting at offset + 376832; + +13) Then create_io_em() enters an infinite loop because its calls to + btrfs_drop_extent_cache() do nothing due to the 0 length range + passed to it. So no existing extent maps that cover the offset + 376832 get removed, and therefore calls to add_extent_mapping() + return -EEXIST, resulting in an infinite loop. This loop from + create_io_em() is the following: + + do { + btrfs_drop_extent_cache(BTRFS_I(inode), em->start, + em->start + em->len - 1, 0); + write_lock(&em_tree->lock); + ret = add_extent_mapping(em_tree, em, 1); + write_unlock(&em_tree->lock); + /* + * The caller has taken lock_extent(), who could race with us + * to add em? + */ + } while (ret == -EEXIST); + +Also, each call to btrfs_drop_extent_cache() triggers a warning because +the start offset passed to it (376832) is smaller then the end offset +(376832 - 1) passed to it by -1, due to the 0 length: + + [258532.052621] ------------[ cut here ]------------ + [258532.052643] WARNING: CPU: 0 PID: 9987 at fs/btrfs/file.c:602 btrfs_drop_extent_cache+0x3f4/0x590 [btrfs] + (...) + [258532.052672] CPU: 0 PID: 9987 Comm: fsx Tainted: G W 5.4.0-rc7-btrfs-next-64 #1 + [258532.052673] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014 + [258532.052691] RIP: 0010:btrfs_drop_extent_cache+0x3f4/0x590 [btrfs] + (...) + [258532.052695] RSP: 0018:ffffb4be0153f860 EFLAGS: 00010287 + [258532.052700] RAX: ffff975b445ee360 RBX: ffff975b44eb3e08 RCX: 0000000000000000 + [258532.052700] RDX: 0000000000038fff RSI: 0000000000039000 RDI: ffff975b445ee308 + [258532.052700] RBP: 0000000000038fff R08: 0000000000000000 R09: 0000000000000001 + [258532.052701] R10: ffff975b513c5c10 R11: 00000000e3c0cfa9 R12: 0000000000039000 + [258532.052703] R13: ffff975b445ee360 R14: 00000000ffffffef R15: ffff975b445ee308 + [258532.052705] FS: 00007f86a821de80(0000) GS:ffff975b76a00000(0000) knlGS:0000000000000000 + [258532.052707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [258532.052708] CR2: 00007fdacf0f3ab4 CR3: 00000001f9d26002 CR4: 00000000003606f0 + [258532.052712] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [258532.052717] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [258532.052717] Call Trace: + [258532.052718] ? preempt_schedule_common+0x32/0x70 + [258532.052722] ? ___preempt_schedule+0x16/0x20 + [258532.052741] create_io_em+0xff/0x180 [btrfs] + [258532.052767] run_delalloc_nocow+0x942/0xb10 [btrfs] + [258532.052791] btrfs_run_delalloc_range+0x30b/0x520 [btrfs] + [258532.052812] ? find_lock_delalloc_range+0x221/0x250 [btrfs] + [258532.052834] writepage_delalloc+0xe4/0x140 [btrfs] + [258532.052855] __extent_writepage+0x110/0x4e0 [btrfs] + [258532.052876] extent_write_cache_pages+0x21c/0x480 [btrfs] + [258532.052906] extent_writepages+0x52/0xb0 [btrfs] + [258532.052911] do_writepages+0x23/0x80 + [258532.052915] __filemap_fdatawrite_range+0xd2/0x110 + [258532.052938] btrfs_fdatawrite_range+0x1b/0x50 [btrfs] + [258532.052954] start_ordered_ops+0x57/0xa0 [btrfs] + [258532.052973] ? btrfs_sync_file+0x225/0x490 [btrfs] + [258532.052988] btrfs_sync_file+0x225/0x490 [btrfs] + [258532.052997] __x64_sys_msync+0x199/0x200 + [258532.053004] do_syscall_64+0x5c/0x250 + [258532.053007] entry_SYSCALL_64_after_hwframe+0x49/0xbe + [258532.053010] RIP: 0033:0x7f86a7dfd760 + (...) + [258532.053014] RSP: 002b:00007ffd99af0368 EFLAGS: 00000246 ORIG_RAX: 000000000000001a + [258532.053016] RAX: ffffffffffffffda RBX: 0000000000000ec9 RCX: 00007f86a7dfd760 + [258532.053017] RDX: 0000000000000004 RSI: 000000000000836c RDI: 00007f86a8221000 + [258532.053019] RBP: 0000000000021ec9 R08: 0000000000000003 R09: 00007f86a812037c + [258532.053020] R10: 0000000000000001 R11: 0000000000000246 R12: 00000000000074a3 + [258532.053021] R13: 00007f86a8221000 R14: 000000000000836c R15: 0000000000000001 + [258532.053032] irq event stamp: 1653450494 + [258532.053035] hardirqs last enabled at (1653450493): [<ffffffff9dec69f9>] _raw_spin_unlock_irq+0x29/0x50 + [258532.053037] hardirqs last disabled at (1653450494): [<ffffffff9d4048ea>] trace_hardirqs_off_thunk+0x1a/0x20 + [258532.053039] softirqs last enabled at (1653449852): [<ffffffff9e200466>] __do_softirq+0x466/0x6bd + [258532.053042] softirqs last disabled at (1653449845): [<ffffffff9d4c8a0c>] irq_exit+0xec/0x120 + [258532.053043] ---[ end trace 8476fce13d9ce20a ]--- + +Which results in flooding dmesg/syslog since btrfs_drop_extent_cache() +uses WARN_ON() and not WARN_ON_ONCE(). + +So fix this issue by changing run_delalloc_nocow()'s loop to move to the +next extent item when the current extent item ends at at offset less than +or equals to the current offset instead of the start offset. + +Fixes: 80ff385665b7fc ("Btrfs: update nodatacow code v2") +Reviewed-by: Josef Bacik <josef@toxicpanda.com> +Signed-off-by: Filipe Manana <fdmanana@suse.com> +Signed-off-by: David Sterba <dsterba@suse.com> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -1283,7 +1283,11 @@ next_slot: + btrfs_file_extent_num_bytes(leaf, fi); + disk_num_bytes = + btrfs_file_extent_disk_num_bytes(leaf, fi); +- if (extent_end <= start) { ++ /* ++ * If the extent we got ends before our current offset, ++ * skip to the next extent. ++ */ ++ if (extent_end <= cur_offset) { + path->slots[0]++; + goto next_slot; + }
diff --git a/queue-3.16/btrfs-fix-removal-logic-of-the-tree-mod-log-that-leads-to.patch b/queue-3.16/btrfs-fix-removal-logic-of-the-tree-mod-log-that-leads-to.patch new file mode 100644 index 0000000..496b2b8 --- /dev/null +++ b/queue-3.16/btrfs-fix-removal-logic-of-the-tree-mod-log-that-leads-to.patch
@@ -0,0 +1,109 @@ +From: Filipe Manana <fdmanana@suse.com> +Date: Fri, 6 Dec 2019 12:27:39 +0000 +Subject: Btrfs: fix removal logic of the tree mod log that leads to + use-after-free issues + +commit 6609fee8897ac475378388238456c84298bff802 upstream. + +When a tree mod log user no longer needs to use the tree it calls +btrfs_put_tree_mod_seq() to remove itself from the list of users and +delete all no longer used elements of the tree's red black tree, which +should be all elements with a sequence number less then our equals to +the caller's sequence number. However the logic is broken because it +can delete and free elements from the red black tree that have a +sequence number greater then the caller's sequence number: + +1) At a point in time we have sequence numbers 1, 2, 3 and 4 in the + tree mod log; + +2) The task which got assigned the sequence number 1 calls + btrfs_put_tree_mod_seq(); + +3) Sequence number 1 is deleted from the list of sequence numbers; + +4) The current minimum sequence number is computed to be the sequence + number 2; + +5) A task using sequence number 2 is at tree_mod_log_rewind() and gets + a pointer to one of its elements from the red black tree through + a call to tree_mod_log_search(); + +6) The task with sequence number 1 iterates the red black tree of tree + modification elements and deletes (and frees) all elements with a + sequence number less then or equals to 2 (the computed minimum sequence + number) - it ends up only leaving elements with sequence numbers of 3 + and 4; + +7) The task with sequence number 2 now uses the pointer to its element, + already freed by the other task, at __tree_mod_log_rewind(), resulting + in a use-after-free issue. When CONFIG_DEBUG_PAGEALLOC=y it produces + a trace like the following: + + [16804.546854] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI + [16804.547451] CPU: 0 PID: 28257 Comm: pool Tainted: G W 5.4.0-rc8-btrfs-next-51 #1 + [16804.548059] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014 + [16804.548666] RIP: 0010:rb_next+0x16/0x50 + (...) + [16804.550581] RSP: 0018:ffffb948418ef9b0 EFLAGS: 00010202 + [16804.551227] RAX: 6b6b6b6b6b6b6b6b RBX: ffff90e0247f6600 RCX: 6b6b6b6b6b6b6b6b + [16804.551873] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff90e0247f6600 + [16804.552504] RBP: ffff90dffe0d4688 R08: 0000000000000001 R09: 0000000000000000 + [16804.553136] R10: ffff90dffa4a0040 R11: 0000000000000000 R12: 000000000000002e + [16804.553768] R13: ffff90e0247f6600 R14: 0000000000001663 R15: ffff90dff77862b8 + [16804.554399] FS: 00007f4b197ae700(0000) GS:ffff90e036a00000(0000) knlGS:0000000000000000 + [16804.555039] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [16804.555683] CR2: 00007f4b10022000 CR3: 00000002060e2004 CR4: 00000000003606f0 + [16804.556336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [16804.556968] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [16804.557583] Call Trace: + [16804.558207] __tree_mod_log_rewind+0xbf/0x280 [btrfs] + [16804.558835] btrfs_search_old_slot+0x105/0xd00 [btrfs] + [16804.559468] resolve_indirect_refs+0x1eb/0xc70 [btrfs] + [16804.560087] ? free_extent_buffer.part.19+0x5a/0xc0 [btrfs] + [16804.560700] find_parent_nodes+0x388/0x1120 [btrfs] + [16804.561310] btrfs_check_shared+0x115/0x1c0 [btrfs] + [16804.561916] ? extent_fiemap+0x59d/0x6d0 [btrfs] + [16804.562518] extent_fiemap+0x59d/0x6d0 [btrfs] + [16804.563112] ? __might_fault+0x11/0x90 + [16804.563706] do_vfs_ioctl+0x45a/0x700 + [16804.564299] ksys_ioctl+0x70/0x80 + [16804.564885] ? trace_hardirqs_off_thunk+0x1a/0x20 + [16804.565461] __x64_sys_ioctl+0x16/0x20 + [16804.566020] do_syscall_64+0x5c/0x250 + [16804.566580] entry_SYSCALL_64_after_hwframe+0x49/0xbe + [16804.567153] RIP: 0033:0x7f4b1ba2add7 + (...) + [16804.568907] RSP: 002b:00007f4b197adc88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + [16804.569513] RAX: ffffffffffffffda RBX: 00007f4b100210d8 RCX: 00007f4b1ba2add7 + [16804.570133] RDX: 00007f4b100210d8 RSI: 00000000c020660b RDI: 0000000000000003 + [16804.570726] RBP: 000055de05a6cfe0 R08: 0000000000000000 R09: 00007f4b197add44 + [16804.571314] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4b197add48 + [16804.571905] R13: 00007f4b197add40 R14: 00007f4b100210d0 R15: 00007f4b197add50 + (...) + [16804.575623] ---[ end trace 87317359aad4ba50 ]--- + +Fix this by making btrfs_put_tree_mod_seq() skip deletion of elements that +have a sequence number equals to the computed minimum sequence number, and +not just elements with a sequence number greater then that minimum. + +Fixes: bd989ba359f2ac ("Btrfs: add tree modification log functions") +Reviewed-by: Josef Bacik <josef@toxicpanda.com> +Signed-off-by: Filipe Manana <fdmanana@suse.com> +Signed-off-by: David Sterba <dsterba@suse.com> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/btrfs/ctree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -418,7 +418,7 @@ void btrfs_put_tree_mod_seq(struct btrfs + for (node = rb_first(tm_root); node; node = next) { + next = rb_next(node); + tm = container_of(node, struct tree_mod_elem, node); +- if (tm->seq > min_seq) ++ if (tm->seq >= min_seq) + continue; + rb_erase(node, tm_root); + kfree(tm);
diff --git a/queue-3.16/btrfs-handle-enoent-in-btrfs_uuid_tree_iterate.patch b/queue-3.16/btrfs-handle-enoent-in-btrfs_uuid_tree_iterate.patch new file mode 100644 index 0000000..57e6aa1 --- /dev/null +++ b/queue-3.16/btrfs-handle-enoent-in-btrfs_uuid_tree_iterate.patch
@@ -0,0 +1,32 @@ +From: Josef Bacik <josef@toxicpanda.com> +Date: Fri, 6 Dec 2019 11:39:00 -0500 +Subject: btrfs: handle ENOENT in btrfs_uuid_tree_iterate + +commit 714cd3e8cba6841220dce9063a7388a81de03825 upstream. + +If we get an -ENOENT back from btrfs_uuid_iter_rem when iterating the +uuid tree we'll just continue and do btrfs_next_item(). However we've +done a btrfs_release_path() at this point and no longer have a valid +path. So increment the key and go back and do a normal search. + +Reviewed-by: Filipe Manana <fdmanana@suse.com> +Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> +Signed-off-by: Josef Bacik <josef@toxicpanda.com> +Reviewed-by: David Sterba <dsterba@suse.com> +Signed-off-by: David Sterba <dsterba@suse.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/btrfs/uuid-tree.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/uuid-tree.c ++++ b/fs/btrfs/uuid-tree.c +@@ -333,6 +333,8 @@ again_search_slot: + } + if (ret < 0 && ret != -ENOENT) + goto out; ++ key.offset++; ++ goto again_search_slot; + } + item_size -= sizeof(subid_le); + offset += sizeof(subid_le);
diff --git a/queue-3.16/btrfs-remove-redundant-btrfs_release_path-from-btrfs_unlink_subvol.patch b/queue-3.16/btrfs-remove-redundant-btrfs_release_path-from-btrfs_unlink_subvol.patch new file mode 100644 index 0000000..151e57a --- /dev/null +++ b/queue-3.16/btrfs-remove-redundant-btrfs_release_path-from-btrfs_unlink_subvol.patch
@@ -0,0 +1,30 @@ +From: Lu Fengqi <lufq.fnst@cn.fujitsu.com> +Date: Wed, 1 Aug 2018 11:32:31 +0800 +Subject: btrfs: Remove redundant btrfs_release_path from btrfs_unlink_subvol + +commit 5b7d687ad5913a56b6a8788435d7a53990b4176d upstream. + +Although it is safe to call this on already released paths with no locks +held or extent buffers, removing the redundant btrfs_release_path is +reasonable. + +Signed-off-by: Lu Fengqi <lufq.fnst@cn.fujitsu.com> +Reviewed-by: David Sterba <dsterba@suse.com> +Signed-off-by: David Sterba <dsterba@suse.com> +[bwh: Backported to 3.16 as dependency of commit d49d3287e74f + "btrfs: fix invalid removal of root ref"] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/btrfs/inode.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -4031,7 +4031,6 @@ int btrfs_unlink_subvol(struct btrfs_tra + + leaf = path->nodes[0]; + btrfs_item_key_to_cpu(leaf, &key, path->slots[0]); +- btrfs_release_path(path); + index = key.offset; + } + btrfs_release_path(path);
diff --git a/queue-3.16/btrfs-skip-log-replay-on-orphaned-roots.patch b/queue-3.16/btrfs-skip-log-replay-on-orphaned-roots.patch new file mode 100644 index 0000000..80d6104 --- /dev/null +++ b/queue-3.16/btrfs-skip-log-replay-on-orphaned-roots.patch
@@ -0,0 +1,75 @@ +From: Josef Bacik <josef@toxicpanda.com> +Date: Fri, 6 Dec 2019 09:37:17 -0500 +Subject: btrfs: skip log replay on orphaned roots + +commit 9bc574de590510eff899c3ca8dbaf013566b5efe upstream. + +My fsstress modifications coupled with generic/475 uncovered a failure +to mount and replay the log if we hit a orphaned root. We do not want +to replay the log for an orphan root, but it's completely legitimate to +have an orphaned root with a log attached. Fix this by simply skipping +replaying the log. We still need to pin it's root node so that we do +not overwrite it while replaying other logs, as we re-read the log root +at every stage of the replay. + +Reviewed-by: Filipe Manana <fdmanana@suse.com> +Signed-off-by: Josef Bacik <josef@toxicpanda.com> +Signed-off-by: David Sterba <dsterba@suse.com> +[bwh: Backported to 3.16: + - Pass fs_info->extent_root, instead of fs_info, as first argument to + btrfs_pin_extent_for_log_replay() + - Adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -4583,9 +4583,29 @@ again: + wc.replay_dest = btrfs_read_fs_root_no_name(fs_info, &tmp_key); + if (IS_ERR(wc.replay_dest)) { + ret = PTR_ERR(wc.replay_dest); ++ ++ /* ++ * We didn't find the subvol, likely because it was ++ * deleted. This is ok, simply skip this log and go to ++ * the next one. ++ * ++ * We need to exclude the root because we can't have ++ * other log replays overwriting this log as we'll read ++ * it back in a few more times. This will keep our ++ * block from being modified, and we'll just bail for ++ * each subsequent pass. ++ */ ++ if (ret == -ENOENT) ++ ret = btrfs_pin_extent_for_log_replay( ++ fs_info->extent_root, ++ log->node->start, ++ log->node->len); + free_extent_buffer(log->node); + free_extent_buffer(log->commit_root); + kfree(log); ++ ++ if (!ret) ++ goto next; + btrfs_error(fs_info, ret, "Couldn't read target root " + "for tree log recovery."); + goto error; +@@ -4600,7 +4620,6 @@ again: + path); + } + +- key.offset = found_key.offset - 1; + wc.replay_dest->log_root = NULL; + free_extent_buffer(log->node); + free_extent_buffer(log->commit_root); +@@ -4608,9 +4627,10 @@ again: + + if (ret) + goto error; +- ++next: + if (found_key.offset == 0) + break; ++ key.offset = found_key.offset - 1; + } + btrfs_release_path(path); +
diff --git a/queue-3.16/can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch b/queue-3.16/can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch new file mode 100644 index 0000000..4adce78 --- /dev/null +++ b/queue-3.16/can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch
@@ -0,0 +1,38 @@ +From: Johan Hovold <johan@kernel.org> +Date: Tue, 10 Dec 2019 12:32:31 +0100 +Subject: can: gs_usb: gs_usb_probe(): use descriptors of current altsetting + +commit 2f361cd9474ab2c4ab9ac8db20faf81e66c6279b upstream. + +Make sure to always use the descriptors of the current alternate setting +to avoid future issues when accessing fields that may differ between +settings. + +Signed-off-by: Johan Hovold <johan@kernel.org> +Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/can/usb/gs_usb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -846,7 +846,7 @@ static int gs_usb_probe(struct usb_inter + GS_USB_BREQ_HOST_FORMAT, + USB_DIR_OUT|USB_TYPE_VENDOR|USB_RECIP_INTERFACE, + 1, +- intf->altsetting[0].desc.bInterfaceNumber, ++ intf->cur_altsetting->desc.bInterfaceNumber, + hconf, + sizeof(*hconf), + 1000); +@@ -869,7 +869,7 @@ static int gs_usb_probe(struct usb_inter + GS_USB_BREQ_DEVICE_CONFIG, + USB_DIR_IN|USB_TYPE_VENDOR|USB_RECIP_INTERFACE, + 1, +- intf->altsetting[0].desc.bInterfaceNumber, ++ intf->cur_altsetting->desc.bInterfaceNumber, + dconf, + sizeof(*dconf), + 1000);
diff --git a/queue-3.16/can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from.patch b/queue-3.16/can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from.patch new file mode 100644 index 0000000..9ad5bcd --- /dev/null +++ b/queue-3.16/can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from.patch
@@ -0,0 +1,71 @@ +From: Florian Faber <faber@faberman.de> +Date: Thu, 26 Dec 2019 19:51:24 +0100 +Subject: can: mscan: mscan_rx_poll(): fix rx path lockup when returning from + polling to irq mode + +commit 2d77bd61a2927be8f4e00d9478fe6996c47e8d45 upstream. + +Under load, the RX side of the mscan driver can get stuck while TX still +works. Restarting the interface locks up the system. This behaviour +could be reproduced reliably on a MPC5121e based system. + +The patch fixes the return value of the NAPI polling function (should be +the number of processed packets, not constant 1) and the condition under +which IRQs are enabled again after polling is finished. + +With this patch, no more lockups were observed over a test period of ten +days. + +Fixes: afa17a500a36 ("net/can: add driver for mscan family & mpc52xx_mscan") +Signed-off-by: Florian Faber <faber@faberman.de> +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/can/mscan/mscan.c | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +--- a/drivers/net/can/mscan/mscan.c ++++ b/drivers/net/can/mscan/mscan.c +@@ -412,13 +412,12 @@ static int mscan_rx_poll(struct napi_str + struct net_device *dev = napi->dev; + struct mscan_regs __iomem *regs = priv->reg_base; + struct net_device_stats *stats = &dev->stats; +- int npackets = 0; +- int ret = 1; ++ int work_done = 0; + struct sk_buff *skb; + struct can_frame *frame; + u8 canrflg; + +- while (npackets < quota) { ++ while (work_done < quota) { + canrflg = in_8(®s->canrflg); + if (!(canrflg & (MSCAN_RXF | MSCAN_ERR_IF))) + break; +@@ -439,18 +438,18 @@ static int mscan_rx_poll(struct napi_str + + stats->rx_packets++; + stats->rx_bytes += frame->can_dlc; +- npackets++; ++ work_done++; + netif_receive_skb(skb); + } + +- if (!(in_8(®s->canrflg) & (MSCAN_RXF | MSCAN_ERR_IF))) { +- napi_complete(&priv->napi); +- clear_bit(F_RX_PROGRESS, &priv->flags); +- if (priv->can.state < CAN_STATE_BUS_OFF) +- out_8(®s->canrier, priv->shadow_canrier); +- ret = 0; ++ if (work_done < quota) { ++ if (likely(napi_complete_done(&priv->napi, work_done))) { ++ clear_bit(F_RX_PROGRESS, &priv->flags); ++ if (priv->can.state < CAN_STATE_BUS_OFF) ++ out_8(®s->canrier, priv->shadow_canrier); ++ } + } +- return ret; ++ return work_done; + } + + static irqreturn_t mscan_isr(int irq, void *dev_id)
diff --git a/queue-3.16/can-slip-protect-tty-disc_data-in-write_wakeup-and-close-with-rcu.patch b/queue-3.16/can-slip-protect-tty-disc_data-in-write_wakeup-and-close-with-rcu.patch new file mode 100644 index 0000000..57037f8 --- /dev/null +++ b/queue-3.16/can-slip-protect-tty-disc_data-in-write_wakeup-and-close-with-rcu.patch
@@ -0,0 +1,106 @@ +From: Richard Palethorpe <rpalethorpe@suse.com> +Date: Tue, 21 Jan 2020 14:42:58 +0100 +Subject: can, slip: Protect tty->disc_data in write_wakeup and close with RCU + +commit 0ace17d56824165c7f4c68785d6b58971db954dd upstream. + +write_wakeup can happen in parallel with close/hangup where tty->disc_data +is set to NULL and the netdevice is freed thus also freeing +disc_data. write_wakeup accesses disc_data so we must prevent close from +freeing the netdev while write_wakeup has a non-NULL view of +tty->disc_data. + +We also need to make sure that accesses to disc_data are atomic. Which can +all be done with RCU. + +This problem was found by Syzkaller on SLCAN, but the same issue is +reproducible with the SLIP line discipline using an LTP test based on the +Syzkaller reproducer. + +A fix which didn't use RCU was posted by Hillf Danton. + +Fixes: 661f7fda21b1 ("slip: Fix deadlock in write_wakeup") +Fixes: a8e83b17536a ("slcan: Port write_wakeup deadlock fix from slip") +Reported-by: syzbot+017e491ae13c0068598a@syzkaller.appspotmail.com +Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com> +Cc: Wolfgang Grandegger <wg@grandegger.com> +Cc: Marc Kleine-Budde <mkl@pengutronix.de> +Cc: "David S. Miller" <davem@davemloft.net> +Cc: Tyler Hall <tylerwhall@gmail.com> +Cc: linux-can@vger.kernel.org +Cc: netdev@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: syzkaller@googlegroups.com +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/can/slcan.c | 12 ++++++++++-- + drivers/net/slip/slip.c | 12 ++++++++++-- + 2 files changed, 20 insertions(+), 4 deletions(-) + +--- a/drivers/net/can/slcan.c ++++ b/drivers/net/can/slcan.c +@@ -346,9 +346,16 @@ static void slcan_transmit(struct work_s + */ + static void slcan_write_wakeup(struct tty_struct *tty) + { +- struct slcan *sl = tty->disc_data; ++ struct slcan *sl; ++ ++ rcu_read_lock(); ++ sl = rcu_dereference(tty->disc_data); ++ if (!sl) ++ goto out; + + schedule_work(&sl->tx_work); ++out: ++ rcu_read_unlock(); + } + + /* Send a can_frame to a TTY queue. */ +@@ -640,10 +647,11 @@ static void slcan_close(struct tty_struc + return; + + spin_lock_bh(&sl->lock); +- tty->disc_data = NULL; ++ rcu_assign_pointer(tty->disc_data, NULL); + sl->tty = NULL; + spin_unlock_bh(&sl->lock); + ++ synchronize_rcu(); + flush_work(&sl->tx_work); + + /* Flush network side */ +--- a/drivers/net/slip/slip.c ++++ b/drivers/net/slip/slip.c +@@ -452,9 +452,16 @@ static void slip_transmit(struct work_st + */ + static void slip_write_wakeup(struct tty_struct *tty) + { +- struct slip *sl = tty->disc_data; ++ struct slip *sl; ++ ++ rcu_read_lock(); ++ sl = rcu_dereference(tty->disc_data); ++ if (!sl) ++ goto out; + + schedule_work(&sl->tx_work); ++out: ++ rcu_read_unlock(); + } + + static void sl_tx_timeout(struct net_device *dev) +@@ -885,10 +892,11 @@ static void slip_close(struct tty_struct + return; + + spin_lock_bh(&sl->lock); +- tty->disc_data = NULL; ++ rcu_assign_pointer(tty->disc_data, NULL); + sl->tty = NULL; + spin_unlock_bh(&sl->lock); + ++ synchronize_rcu(); + flush_work(&sl->tx_work); + + /* VSV = very important to remove timers */
diff --git a/queue-3.16/chardev-avoid-potential-use-after-free-in-chrdev_open.patch b/queue-3.16/chardev-avoid-potential-use-after-free-in-chrdev_open.patch new file mode 100644 index 0000000..4f8f9e5 --- /dev/null +++ b/queue-3.16/chardev-avoid-potential-use-after-free-in-chrdev_open.patch
@@ -0,0 +1,92 @@ +From: Will Deacon <will@kernel.org> +Date: Thu, 19 Dec 2019 12:02:03 +0000 +Subject: chardev: Avoid potential use-after-free in 'chrdev_open()' + +commit 68faa679b8be1a74e6663c21c3a9d25d32f1c079 upstream. + +'chrdev_open()' calls 'cdev_get()' to obtain a reference to the +'struct cdev *' stashed in the 'i_cdev' field of the target inode +structure. If the pointer is NULL, then it is initialised lazily by +looking up the kobject in the 'cdev_map' and so the whole procedure is +protected by the 'cdev_lock' spinlock to serialise initialisation of +the shared pointer. + +Unfortunately, it is possible for the initialising thread to fail *after* +installing the new pointer, for example if the subsequent '->open()' call +on the file fails. In this case, 'cdev_put()' is called, the reference +count on the kobject is dropped and, if nobody else has taken a reference, +the release function is called which finally clears 'inode->i_cdev' from +'cdev_purge()' before potentially freeing the object. The problem here +is that a racing thread can happily take the 'cdev_lock' and see the +non-NULL pointer in the inode, which can result in a refcount increment +from zero and a warning: + + | ------------[ cut here ]------------ + | refcount_t: addition on 0; use-after-free. + | WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0 + | Modules linked in: + | CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22 + | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 + | RIP: 0010:refcount_warn_saturate+0x6d/0xf0 + | Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08 + | RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282 + | RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000 + | RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798 + | RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039 + | R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700 + | R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700 + | FS: 00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000 + | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + | CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0 + | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + | DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + | Call Trace: + | kobject_get+0x5c/0x60 + | cdev_get+0x2b/0x60 + | chrdev_open+0x55/0x220 + | ? cdev_put.part.3+0x20/0x20 + | do_dentry_open+0x13a/0x390 + | path_openat+0x2c8/0x1470 + | do_filp_open+0x93/0x100 + | ? selinux_file_ioctl+0x17f/0x220 + | do_sys_open+0x186/0x220 + | do_syscall_64+0x48/0x150 + | entry_SYSCALL_64_after_hwframe+0x44/0xa9 + | RIP: 0033:0x7f3b87efcd0e + | Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4 + | RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 + | RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e + | RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c + | RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000 + | R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e + | R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000 + | ---[ end trace 24f53ca58db8180a ]--- + +Since 'cdev_get()' can already fail to obtain a reference, simply move +it over to use 'kobject_get_unless_zero()' instead of 'kobject_get()', +which will cause the racing thread to return -ENXIO if the initialising +thread fails unexpectedly. + +Cc: Hillf Danton <hdanton@sina.com> +Cc: Andrew Morton <akpm@linux-foundation.org> +Cc: Al Viro <viro@zeniv.linux.org.uk> +Reported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com +Signed-off-by: Will Deacon <will@kernel.org> +Link: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/char_dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/char_dev.c ++++ b/fs/char_dev.c +@@ -348,7 +348,7 @@ static struct kobject *cdev_get(struct c + + if (owner && !try_module_get(owner)) + return NULL; +- kobj = kobject_get(&p->kobj); ++ kobj = kobject_get_unless_zero(&p->kobj); + if (!kobj) + module_put(owner); + return kobj;
diff --git a/queue-3.16/dm-btree-increase-rebalance-threshold-in-__rebalance2.patch b/queue-3.16/dm-btree-increase-rebalance-threshold-in-__rebalance2.patch new file mode 100644 index 0000000..3101e5b --- /dev/null +++ b/queue-3.16/dm-btree-increase-rebalance-threshold-in-__rebalance2.patch
@@ -0,0 +1,62 @@ +From: Hou Tao <houtao1@huawei.com> +Date: Tue, 3 Dec 2019 19:42:58 +0800 +Subject: dm btree: increase rebalance threshold in __rebalance2() + +commit 474e559567fa631dea8fb8407ab1b6090c903755 upstream. + +We got the following warnings from thin_check during thin-pool setup: + + $ thin_check /dev/vdb + examining superblock + examining devices tree + missing devices: [1, 84] + too few entries in btree_node: 41, expected at least 42 (block 138, max_entries = 126) + examining mapping tree + +The phenomenon is the number of entries in one node of details_info tree is +less than (max_entries / 3). And it can be easily reproduced by the following +procedures: + + $ new a thin pool + $ presume the max entries of details_info tree is 126 + $ new 127 thin devices (e.g. 1~127) to make the root node being full + and then split + $ remove the first 43 (e.g. 1~43) thin devices to make the children + reblance repeatedly + $ stop the thin pool + $ thin_check + +The root cause is that the B-tree removal procedure in __rebalance2() +doesn't guarantee the invariance: the minimal number of entries in +non-root node should be >= (max_entries / 3). + +Simply fix the problem by increasing the rebalance threshold to +make sure the number of entries in each child will be greater +than or equal to (max_entries / 3 + 1), so no matter which +child is used for removal, the number will still be valid. + +Signed-off-by: Hou Tao <houtao1@huawei.com> +Acked-by: Joe Thornber <ejt@redhat.com> +Signed-off-by: Mike Snitzer <snitzer@redhat.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/md/persistent-data/dm-btree-remove.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/md/persistent-data/dm-btree-remove.c ++++ b/drivers/md/persistent-data/dm-btree-remove.c +@@ -203,7 +203,13 @@ static void __rebalance2(struct dm_btree + struct btree_node *right = r->n; + uint32_t nr_left = le32_to_cpu(left->header.nr_entries); + uint32_t nr_right = le32_to_cpu(right->header.nr_entries); +- unsigned threshold = 2 * merge_threshold(left) + 1; ++ /* ++ * Ensure the number of entries in each child will be greater ++ * than or equal to (max_entries / 3 + 1), so no matter which ++ * child is used for removal, the number will still be not ++ * less than (max_entries / 3). ++ */ ++ unsigned int threshold = 2 * (merge_threshold(left) + 1); + + if (nr_left + nr_right < threshold) { + /*
diff --git a/queue-3.16/dm-thin-metadata-add-support-for-a-pre-commit-callback.patch b/queue-3.16/dm-thin-metadata-add-support-for-a-pre-commit-callback.patch new file mode 100644 index 0000000..fa241ef --- /dev/null +++ b/queue-3.16/dm-thin-metadata-add-support-for-a-pre-commit-callback.patch
@@ -0,0 +1,99 @@ +From: Nikos Tsironis <ntsironis@arrikto.com> +Date: Wed, 4 Dec 2019 16:07:41 +0200 +Subject: dm thin metadata: Add support for a pre-commit callback + +commit ecda7c0280e6b3398459dc589b9a41c1adb45529 upstream. + +Add support for one pre-commit callback which is run right before the +metadata are committed. + +This allows the thin provisioning target to run a callback before the +metadata are committed and is required by the next commit. + +Signed-off-by: Nikos Tsironis <ntsironis@arrikto.com> +Acked-by: Joe Thornber <ejt@redhat.com> +Signed-off-by: Mike Snitzer <snitzer@redhat.com> +[bwh: Backported to 3.16: + - Open-code pmd_write_{lock_in_core,unlock}() + - Adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/md/dm-thin-metadata.c | 29 +++++++++++++++++++++++++++++ + drivers/md/dm-thin-metadata.h | 7 +++++++ + 2 files changed, 36 insertions(+) + +--- a/drivers/md/dm-thin-metadata.c ++++ b/drivers/md/dm-thin-metadata.c +@@ -198,6 +198,15 @@ struct dm_pool_metadata { + bool fail_io:1; + + /* ++ * Pre-commit callback. ++ * ++ * This allows the thin provisioning target to run a callback before ++ * the metadata are committed. ++ */ ++ dm_pool_pre_commit_fn pre_commit_fn; ++ void *pre_commit_context; ++ ++ /* + * Reading the space map roots can fail, so we read it into these + * buffers before the superblock is locked and updated. + */ +@@ -784,6 +793,14 @@ static int __commit_transaction(struct d + */ + BUILD_BUG_ON(sizeof(struct thin_disk_superblock) > 512); + ++ if (pmd->pre_commit_fn) { ++ r = pmd->pre_commit_fn(pmd->pre_commit_context); ++ if (r < 0) { ++ DMERR("pre-commit callback failed"); ++ return r; ++ } ++ } ++ + r = __write_changed_details(pmd); + if (r < 0) + return r; +@@ -844,6 +861,8 @@ struct dm_pool_metadata *dm_pool_metadat + pmd->fail_io = false; + pmd->bdev = bdev; + pmd->data_block_size = data_block_size; ++ pmd->pre_commit_fn = NULL; ++ pmd->pre_commit_context = NULL; + + r = __create_persistent_data_objects(pmd, format_device); + if (r) { +@@ -1789,6 +1808,16 @@ int dm_pool_register_metadata_threshold( + return r; + } + ++void dm_pool_register_pre_commit_callback(struct dm_pool_metadata *pmd, ++ dm_pool_pre_commit_fn fn, ++ void *context) ++{ ++ down_write(&pmd->root_lock); ++ pmd->pre_commit_fn = fn; ++ pmd->pre_commit_context = context; ++ up_write(&pmd->root_lock); ++} ++ + int dm_pool_metadata_set_needs_check(struct dm_pool_metadata *pmd) + { + int r; +--- a/drivers/md/dm-thin-metadata.h ++++ b/drivers/md/dm-thin-metadata.h +@@ -213,6 +213,13 @@ int dm_pool_register_metadata_threshold( + int dm_pool_metadata_set_needs_check(struct dm_pool_metadata *pmd); + bool dm_pool_metadata_needs_check(struct dm_pool_metadata *pmd); + ++/* Pre-commit callback */ ++typedef int (*dm_pool_pre_commit_fn)(void *context); ++ ++void dm_pool_register_pre_commit_callback(struct dm_pool_metadata *pmd, ++ dm_pool_pre_commit_fn fn, ++ void *context); ++ + /*----------------------------------------------------------------*/ + + #endif
diff --git a/queue-3.16/do_last-fetch-directory-i_mode-and-i_uid-before-it-s-too-late.patch b/queue-3.16/do_last-fetch-directory-i_mode-and-i_uid-before-it-s-too-late.patch new file mode 100644 index 0000000..d7b21bf --- /dev/null +++ b/queue-3.16/do_last-fetch-directory-i_mode-and-i_uid-before-it-s-too-late.patch
@@ -0,0 +1,70 @@ +From: Al Viro <viro@zeniv.linux.org.uk> +Date: Sun, 26 Jan 2020 09:29:34 -0500 +Subject: do_last(): fetch directory ->i_mode and ->i_uid before it's too late + +commit d0cb50185ae942b03c4327be322055d622dc79f6 upstream. + +may_create_in_sticky() call is done when we already have dropped the +reference to dir. + +Fixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files) +Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/namei.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -843,7 +843,8 @@ static int may_linkat(struct path *link) + * may_create_in_sticky - Check whether an O_CREAT open in a sticky directory + * should be allowed, or not, on files that already + * exist. +- * @dir: the sticky parent directory ++ * @dir_mode: mode bits of directory ++ * @dir_uid: owner of directory + * @inode: the inode of the file to open + * + * Block an O_CREAT open of a FIFO (or a regular file) when: +@@ -859,18 +860,18 @@ static int may_linkat(struct path *link) + * + * Returns 0 if the open is allowed, -ve on error. + */ +-static int may_create_in_sticky(struct dentry * const dir, ++static int may_create_in_sticky(umode_t dir_mode, kuid_t dir_uid, + struct inode * const inode) + { + if ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) || + (!sysctl_protected_regular && S_ISREG(inode->i_mode)) || +- likely(!(dir->d_inode->i_mode & S_ISVTX)) || +- uid_eq(inode->i_uid, dir->d_inode->i_uid) || ++ likely(!(dir_mode & S_ISVTX)) || ++ uid_eq(inode->i_uid, dir_uid) || + uid_eq(current_fsuid(), inode->i_uid)) + return 0; + +- if (likely(dir->d_inode->i_mode & 0002) || +- (dir->d_inode->i_mode & 0020 && ++ if (likely(dir_mode & 0002) || ++ (dir_mode & 0020 && + ((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) || + (sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) { + return -EACCES; +@@ -2944,6 +2945,8 @@ static int do_last(struct nameidata *nd, + int *opened, struct filename *name) + { + struct dentry *dir = nd->path.dentry; ++ kuid_t dir_uid = dir->d_inode->i_uid; ++ umode_t dir_mode = dir->d_inode->i_mode; + int open_flag = op->open_flag; + bool will_truncate = (open_flag & O_TRUNC) != 0; + bool got_write = false; +@@ -3102,7 +3105,7 @@ finish_open: + error = -EISDIR; + if (d_is_dir(nd->path.dentry)) + goto out; +- error = may_create_in_sticky(dir, ++ error = may_create_in_sticky(dir_mode, dir_uid, + d_backing_inode(nd->path.dentry)); + if (unlikely(error)) + goto out;
diff --git a/queue-3.16/ext4-check-for-directory-entries-too-close-to-block-end.patch b/queue-3.16/ext4-check-for-directory-entries-too-close-to-block-end.patch new file mode 100644 index 0000000..4bb7869 --- /dev/null +++ b/queue-3.16/ext4-check-for-directory-entries-too-close-to-block-end.patch
@@ -0,0 +1,34 @@ +From: Jan Kara <jack@suse.cz> +Date: Mon, 2 Dec 2019 18:02:13 +0100 +Subject: ext4: check for directory entries too close to block end + +commit 109ba779d6cca2d519c5dd624a3276d03e21948e upstream. + +ext4_check_dir_entry() currently does not catch a case when a directory +entry ends so close to the block end that the header of the next +directory entry would not fit in the remaining space. This can lead to +directory iteration code trying to access address beyond end of current +buffer head leading to oops. + +Signed-off-by: Jan Kara <jack@suse.cz> +Link: https://lore.kernel.org/r/20191202170213.4761-3-jack@suse.cz +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/ext4/dir.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/ext4/dir.c ++++ b/fs/ext4/dir.c +@@ -78,6 +78,11 @@ int __ext4_check_dir_entry(const char *f + error_msg = "rec_len is too small for name_len"; + else if (unlikely(((char *) de - buf) + rlen > size)) + error_msg = "directory entry overrun"; ++ else if (unlikely(((char *) de - buf) + rlen > ++ size - EXT4_DIR_REC_LEN(1) && ++ ((char *) de - buf) + rlen != size)) { ++ error_msg = "directory entry too close to block end"; ++ } + else if (unlikely(le32_to_cpu(de->inode) > + le32_to_cpu(EXT4_SB(dir->i_sb)->s_es->s_inodes_count))) + error_msg = "inode out of bounds";
diff --git a/queue-3.16/ext4-update-c-mtime-on-truncate-up.patch b/queue-3.16/ext4-update-c-mtime-on-truncate-up.patch new file mode 100644 index 0000000..0e5775e --- /dev/null +++ b/queue-3.16/ext4-update-c-mtime-on-truncate-up.patch
@@ -0,0 +1,39 @@ +From: Eryu Guan <guaneryu@gmail.com> +Date: Tue, 28 Jul 2015 15:08:41 -0400 +Subject: ext4: update c/mtime on truncate up + +commit 911af577de4e444622d46500c1f9a37ab4335d3a upstream. + +Commit 3da40c7b0898 ("ext4: only call ext4_truncate when size <= isize") +introduced a bug that c/mtime is not updated on truncate up. + +Fix the issue by setting c/mtime explicitly in the truncate up case. + +Note that ftruncate(2) is not affected, so you won't see this bug using +truncate(1) and xfs_io(1). + +Signed-off-by: Zirong Lang <zorro.lang@gmail.com> +Signed-off-by: Eryu Guan <guaneryu@gmail.com> +Signed-off-by: Theodore Ts'o <tytso@mit.edu> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/ext4/inode.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4843,6 +4843,14 @@ int ext4_setattr(struct dentry *dentry, + error = ext4_orphan_add(handle, inode); + orphan = 1; + } ++ /* ++ * Update c/mtime on truncate up, ext4_truncate() will ++ * update c/mtime in shrink case below ++ */ ++ if (!shrink) { ++ inode->i_mtime = ext4_current_time(inode); ++ inode->i_ctime = inode->i_mtime; ++ } + down_write(&EXT4_I(inode)->i_data_sem); + EXT4_I(inode)->i_disksize = attr->ia_size; + rc = ext4_mark_inode_dirty(handle, inode);
diff --git a/queue-3.16/fix-built-in-early-load-intel-microcode-alignment.patch b/queue-3.16/fix-built-in-early-load-intel-microcode-alignment.patch new file mode 100644 index 0000000..ce1636c --- /dev/null +++ b/queue-3.16/fix-built-in-early-load-intel-microcode-alignment.patch
@@ -0,0 +1,50 @@ +From: Jari Ruusu <jari.ruusu@gmail.com> +Date: Sun, 12 Jan 2020 15:00:53 +0200 +Subject: Fix built-in early-load Intel microcode alignment + +commit f5ae2ea6347a308cfe91f53b53682ce635497d0d upstream. + +Intel Software Developer's Manual, volume 3, chapter 9.11.6 says: + + "Note that the microcode update must be aligned on a 16-byte boundary + and the size of the microcode update must be 1-KByte granular" + +When early-load Intel microcode is loaded from initramfs, userspace tool +'iucode_tool' has already 16-byte aligned those microcode bits in that +initramfs image. Image that was created something like this: + + iucode_tool --write-earlyfw=FOO.cpio microcode-files... + +However, when early-load Intel microcode is loaded from built-in +firmware BLOB using CONFIG_EXTRA_FIRMWARE= kernel config option, that +16-byte alignment is not guaranteed. + +Fix this by forcing all built-in firmware BLOBs to 16-byte alignment. + +[ If we end up having other firmware with much bigger alignment + requirements, we might need to introduce some method for the firmware + to specify it, this is the minimal "just increase the alignment a bit + to account for this one special case" patch - Linus ] + +Signed-off-by: Jari Ruusu <jari.ruusu@gmail.com> +Cc: Borislav Petkov <bp@alien8.de> +Cc: Fenghua Yu <fenghua.yu@intel.com> +Cc: Luis Chamberlain <mcgrof@kernel.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +[bwh: Backported to 3.16: adjust filename, context, indentation] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + firmware/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/firmware/Makefile ++++ b/firmware/Makefile +@@ -156,7 +156,7 @@ quiet_cmd_fwbin = MK_FW $@ + PROGBITS=$(if $(CONFIG_ARM),%,@)progbits; \ + echo "/* Generated by firmware/Makefile */" > $@;\ + echo " .section .rodata" >>$@;\ +- echo " .p2align $${ASM_ALIGN}" >>$@;\ ++ echo " .p2align 4" >>$@;\ + echo "_fw_$${FWSTR}_bin:" >>$@;\ + echo " .incbin \"$(2)\"" >>$@;\ + echo "_fw_end:" >>$@;\
diff --git a/queue-3.16/ftrace-avoid-potential-division-by-zero-in-function-profiler.patch b/queue-3.16/ftrace-avoid-potential-division-by-zero-in-function-profiler.patch new file mode 100644 index 0000000..e9c4597 --- /dev/null +++ b/queue-3.16/ftrace-avoid-potential-division-by-zero-in-function-profiler.patch
@@ -0,0 +1,45 @@ +From: Wen Yang <wenyang@linux.alibaba.com> +Date: Fri, 3 Jan 2020 11:02:48 +0800 +Subject: ftrace: Avoid potential division by zero in function profiler + +commit e31f7939c1c27faa5d0e3f14519eaf7c89e8a69d upstream. + +The ftrace_profile->counter is unsigned long and +do_div truncates it to 32 bits, which means it can test +non-zero and be truncated to zero for division. +Fix this issue by using div64_ul() instead. + +Link: http://lkml.kernel.org/r/20200103030248.14516-1-wenyang@linux.alibaba.com + +Fixes: e330b3bcd8319 ("tracing: Show sample std dev in function profiling") +Fixes: 34886c8bc590f ("tracing: add average time in function to function profiler") +Signed-off-by: Wen Yang <wenyang@linux.alibaba.com> +Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + kernel/trace/ftrace.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -595,8 +595,7 @@ static int function_stat_show(struct seq + + #ifdef CONFIG_FUNCTION_GRAPH_TRACER + seq_printf(m, " "); +- avg = rec->time; +- do_div(avg, rec->counter); ++ avg = div64_ul(rec->time, rec->counter); + + /* Sample standard deviation (s^2) */ + if (rec->counter <= 1) +@@ -613,7 +612,8 @@ static int function_stat_show(struct seq + * Divide only 1000 for ns^2 -> us^2 conversion. + * trace_print_graph_duration will divide 1000 again. + */ +- do_div(stddev, rec->counter * (rec->counter - 1) * 1000); ++ stddev = div64_ul(stddev, ++ rec->counter * (rec->counter - 1) * 1000); + } + + trace_seq_init(&s);
diff --git a/queue-3.16/gpio-fix-error-message-on-out-of-range-gpio-in-lookup-table.patch b/queue-3.16/gpio-fix-error-message-on-out-of-range-gpio-in-lookup-table.patch new file mode 100644 index 0000000..82d45d6 --- /dev/null +++ b/queue-3.16/gpio-fix-error-message-on-out-of-range-gpio-in-lookup-table.patch
@@ -0,0 +1,42 @@ +From: Geert Uytterhoeven <geert+renesas@glider.be> +Date: Wed, 27 Nov 2019 10:59:19 +0100 +Subject: gpio: Fix error message on out-of-range GPIO in lookup table + +commit d935bd50dd14a7714cbdba9a76435dbb56edb1ae upstream. + +When a GPIO offset in a lookup table is out-of-range, the printed error +message (1) does not include the actual out-of-range value, and (2) +contains an off-by-one error in the upper bound. + +Avoid user confusion by also printing the actual GPIO offset, and +correcting the upper bound of the range. +While at it, use "%u" for unsigned int. + +Sample impact: + + -requested GPIO 0 is out of range [0..32] for chip e6052000.gpio + +requested GPIO 0 (45) is out of range [0..31] for chip e6052000.gpio + +Fixes: 2a3cf6a3599e9015 ("gpiolib: return -ENOENT if no GPIO mapping exists") +Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> +Link: https://lore.kernel.org/r/20191127095919.4214-1-geert+renesas@glider.be +Signed-off-by: Linus Walleij <linus.walleij@linaro.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/gpio/gpiolib.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -2743,8 +2743,9 @@ static struct gpio_desc *gpiod_find(stru + + if (chip->ngpio <= p->chip_hwnum) { + dev_err(dev, +- "requested GPIO %d is out of range [0..%d] for chip %s\n", +- idx, chip->ngpio, chip->label); ++ "requested GPIO %u (%u) is out of range [0..%u] for chip %s\n", ++ idx, p->chip_hwnum, chip->ngpio - 1, ++ chip->label); + return ERR_PTR(-EINVAL); + } +
diff --git a/queue-3.16/gpiolib-fix-up-emulated-open-drain-outputs.patch b/queue-3.16/gpiolib-fix-up-emulated-open-drain-outputs.patch new file mode 100644 index 0000000..5386ad7 --- /dev/null +++ b/queue-3.16/gpiolib-fix-up-emulated-open-drain-outputs.patch
@@ -0,0 +1,39 @@ +From: Russell King <rmk+kernel@armlinux.org.uk> +Date: Sat, 7 Dec 2019 16:20:18 +0000 +Subject: gpiolib: fix up emulated open drain outputs + +commit 256efaea1fdc4e38970489197409a26125ee0aaa upstream. + +gpiolib has a corner case with open drain outputs that are emulated. +When such outputs are outputting a logic 1, emulation will set the +hardware to input mode, which will cause gpiod_get_direction() to +report that it is in input mode. This is different from the behaviour +with a true open-drain output. + +Unify the semantics here. + +Suggested-by: Linus Walleij <linus.walleij@linaro.org> +Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> +Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/gpio/gpiolib.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -273,6 +273,14 @@ int gpiod_get_direction(const struct gpi + chip = gpiod_to_chip(desc); + offset = gpio_chip_hwgpio(desc); + ++ /* ++ * Open drain emulation using input mode may incorrectly report ++ * input here, fix that up. ++ */ ++ if (test_bit(FLAG_OPEN_DRAIN, &desc->flags) && ++ test_bit(FLAG_IS_OUT, &desc->flags)) ++ return 0; ++ + if (!chip->get_direction) + return status; +
diff --git a/queue-3.16/hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch b/queue-3.16/hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch new file mode 100644 index 0000000..f9e132f --- /dev/null +++ b/queue-3.16/hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch
@@ -0,0 +1,47 @@ +From: Alan Stern <stern@rowland.harvard.edu> +Date: Tue, 10 Dec 2019 16:26:11 -0500 +Subject: HID: Fix slab-out-of-bounds read in hid_field_extract + +commit 8ec321e96e056de84022c032ffea253431a83c3c upstream. + +The syzbot fuzzer found a slab-out-of-bounds bug in the HID report +handler. The bug was caused by a report descriptor which included a +field with size 12 bits and count 4899, for a total size of 7349 +bytes. + +The usbhid driver uses at most a single-page 4-KB buffer for reports. +In the test there wasn't any problem about overflowing the buffer, +since only one byte was received from the device. Rather, the bug +occurred when the HID core tried to extract the data from the report +fields, which caused it to try reading data beyond the end of the +allocated buffer. + +This patch fixes the problem by rejecting any report whose total +length exceeds the HID_MAX_BUFFER_SIZE limit (minus one byte to allow +for a possible report index). In theory a device could have a report +longer than that, but if there was such a thing we wouldn't handle it +correctly anyway. + +Reported-and-tested-by: syzbot+09ef48aa58261464b621@syzkaller.appspotmail.com +Signed-off-by: Alan Stern <stern@rowland.harvard.edu> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/hid/hid-core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -248,6 +248,12 @@ static int hid_add_field(struct hid_pars + offset = report->size; + report->size += parser->global.report_size * parser->global.report_count; + ++ /* Total size check: Allow for possible report index byte */ ++ if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) { ++ hid_err(parser->device, "report is too long\n"); ++ return -1; ++ } ++ + if (!parser->local.usage_index) /* Ignore padding fields */ + return 0; +
diff --git a/queue-3.16/hid-hid-input-clear-unmapped-usages.patch b/queue-3.16/hid-hid-input-clear-unmapped-usages.patch new file mode 100644 index 0000000..da4cacb --- /dev/null +++ b/queue-3.16/hid-hid-input-clear-unmapped-usages.patch
@@ -0,0 +1,68 @@ +From: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Date: Sat, 7 Dec 2019 13:05:18 -0800 +Subject: HID: hid-input: clear unmapped usages + +commit 4f3882177240a1f55e45a3d241d3121341bead78 upstream. + +We should not be leaving half-mapped usages with potentially invalid +keycodes, as that may confuse hidinput_find_key() when the key is located +by index, which may end up feeding way too large keycode into the VT +keyboard handler and cause OOB write there: + +BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline] +BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline] +BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495 +Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722 +... + kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline] + kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495 + input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118 + input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145 + input_pass_values drivers/input/input.c:949 [inline] + input_set_keycode+0x290/0x320 drivers/input/input.c:954 + evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882 + evdev_do_ioctl drivers/input/evdev.c:1150 [inline] + +Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com +Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Tested-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/hid/hid-input.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -947,9 +947,15 @@ static void hidinput_configure_usage(str + } + + mapped: +- if (device->driver->input_mapped && device->driver->input_mapped(device, +- hidinput, field, usage, &bit, &max) < 0) +- goto ignore; ++ if (device->driver->input_mapped && ++ device->driver->input_mapped(device, hidinput, field, usage, ++ &bit, &max) < 0) { ++ /* ++ * The driver indicated that no further generic handling ++ * of the usage is desired. ++ */ ++ return; ++ } + + set_bit(usage->type, input->evbit); + +@@ -1008,9 +1014,11 @@ mapped: + set_bit(MSC_SCAN, input->mscbit); + } + +-ignore: + return; + ++ignore: ++ usage->type = 0; ++ usage->code = 0; + } + + void hidinput_hid_event(struct hid_device *hid, struct hid_field *field, struct hid_usage *usage, __s32 value)
diff --git a/queue-3.16/hid-hidraw-fix-returning-epollout-from-hidraw_poll.patch b/queue-3.16/hid-hidraw-fix-returning-epollout-from-hidraw_poll.patch new file mode 100644 index 0000000..2e83aaa --- /dev/null +++ b/queue-3.16/hid-hidraw-fix-returning-epollout-from-hidraw_poll.patch
@@ -0,0 +1,40 @@ +From: Marcel Holtmann <marcel@holtmann.org> +Date: Wed, 4 Dec 2019 03:37:13 +0100 +Subject: HID: hidraw: Fix returning EPOLLOUT from hidraw_poll + +commit 9f3b61dc1dd7b81e99e7ed23776bb64a35f39e1a upstream. + +When polling a connected /dev/hidrawX device, it is useful to get the +EPOLLOUT when writing is possible. Since writing is possible as soon as +the device is connected, always return it. + +Right now EPOLLOUT is only returned when there are also input reports +are available. This works if devices start sending reports when +connected, but some HID devices might need an output report first before +sending any input reports. This change will allow using EPOLLOUT here as +well. + +Fixes: 378b80370aa1 ("hidraw: Return EPOLLOUT from hidraw_poll") +Signed-off-by: Marcel Holtmann <marcel@holtmann.org> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +[bwh: Backported to 3.16: s/EPOLL/POLL/g] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/hid/hidraw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/hid/hidraw.c ++++ b/drivers/hid/hidraw.c +@@ -265,10 +265,10 @@ static unsigned int hidraw_poll(struct f + + poll_wait(file, &list->hidraw->wait, wait); + if (list->head != list->tail) +- return POLLIN | POLLRDNORM | POLLOUT; ++ return POLLIN | POLLRDNORM; + if (!list->hidraw->exist) + return POLLERR | POLLHUP; +- return 0; ++ return POLLOUT | POLLWRNORM; + } + + static int hidraw_open(struct inode *inode, struct file *file)
diff --git a/queue-3.16/hid-hidraw-uhid-always-report-epollout.patch b/queue-3.16/hid-hidraw-uhid-always-report-epollout.patch new file mode 100644 index 0000000..040f0b9 --- /dev/null +++ b/queue-3.16/hid-hidraw-uhid-always-report-epollout.patch
@@ -0,0 +1,62 @@ +From: Jiri Kosina <jkosina@suse.cz> +Date: Fri, 10 Jan 2020 15:32:51 +0100 +Subject: HID: hidraw, uhid: Always report EPOLLOUT + +commit 9e635c2851df6caee651e589fbf937b637973c91 upstream. + +hidraw and uhid device nodes are always available for writing so we should +always report EPOLLOUT and EPOLLWRNORM bits, not only in the cases when +there is nothing to read. + +Reported-by: Linus Torvalds <torvalds@linux-foundation.org> +Fixes: be54e7461ffdc ("HID: uhid: Fix returning EPOLLOUT from uhid_char_poll") +Fixes: 9f3b61dc1dd7b ("HID: hidraw: Fix returning EPOLLOUT from hidraw_poll") +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +[bwh: Backported to 3.16: + - Use unsigned int type instead of __poll_t + - s/EPOLL/POLL/g] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/hid/hidraw.c | 7 ++++--- + drivers/hid/uhid.c | 5 +++-- + 2 files changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/hid/hidraw.c ++++ b/drivers/hid/hidraw.c +@@ -262,13 +262,14 @@ out: + static unsigned int hidraw_poll(struct file *file, poll_table *wait) + { + struct hidraw_list *list = file->private_data; ++ unsigned int mask = POLLOUT | POLLWRNORM; /* hidraw is always writable */ + + poll_wait(file, &list->hidraw->wait, wait); + if (list->head != list->tail) +- return POLLIN | POLLRDNORM; ++ mask |= POLLIN | POLLRDNORM; + if (!list->hidraw->exist) +- return POLLERR | POLLHUP; +- return POLLOUT | POLLWRNORM; ++ mask |= POLLERR | POLLHUP; ++ return mask; + } + + static int hidraw_open(struct inode *inode, struct file *file) +--- a/drivers/hid/uhid.c ++++ b/drivers/hid/uhid.c +@@ -720,13 +720,14 @@ unlock: + static unsigned int uhid_char_poll(struct file *file, poll_table *wait) + { + struct uhid_device *uhid = file->private_data; ++ unsigned int mask = POLLOUT | POLLWRNORM; /* uhid is always writable */ + + poll_wait(file, &uhid->waitq, wait); + + if (uhid->head != uhid->tail) +- return POLLIN | POLLRDNORM; ++ mask |= POLLIN | POLLRDNORM; + +- return POLLOUT | POLLWRNORM; ++ return mask; + } + + static const struct file_operations uhid_fops = {
diff --git a/queue-3.16/hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch b/queue-3.16/hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch new file mode 100644 index 0000000..f83862e --- /dev/null +++ b/queue-3.16/hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch
@@ -0,0 +1,29 @@ +From: Marcel Holtmann <marcel@holtmann.org> +Date: Wed, 4 Dec 2019 03:43:55 +0100 +Subject: HID: uhid: Fix returning EPOLLOUT from uhid_char_poll + +commit be54e7461ffdc5809b67d2aeefc1ddc9a91470c7 upstream. + +Always return EPOLLOUT from uhid_char_poll to allow polling /dev/uhid +for writable state. + +Fixes: 1f9dec1e0164 ("HID: uhid: allow poll()'ing on uhid devices") +Signed-off-by: Marcel Holtmann <marcel@holtmann.org> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +[bwh: Backported to 3.16: s/EPOLL/POLL/g] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/hid/uhid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hid/uhid.c ++++ b/drivers/hid/uhid.c +@@ -726,7 +726,7 @@ static unsigned int uhid_char_poll(struc + if (uhid->head != uhid->tail) + return POLLIN | POLLRDNORM; + +- return 0; ++ return POLLOUT | POLLWRNORM; + } + + static const struct file_operations uhid_fops = {
diff --git a/queue-3.16/hidraw-return-epollout-from-hidraw_poll.patch b/queue-3.16/hidraw-return-epollout-from-hidraw_poll.patch new file mode 100644 index 0000000..6a7b3f0 --- /dev/null +++ b/queue-3.16/hidraw-return-epollout-from-hidraw_poll.patch
@@ -0,0 +1,33 @@ +From: Fabian Henneke <fabian.henneke@gmail.com> +Date: Tue, 9 Jul 2019 13:03:37 +0200 +Subject: hidraw: Return EPOLLOUT from hidraw_poll + +commit 378b80370aa1fe50f9c48a3ac8af3e416e73b89f upstream. + +Always return EPOLLOUT from hidraw_poll when a device is connected. +This is safe since writes are always possible (but will always block). + +hidraw does not support non-blocking writes and instead always calls +blocking backend functions on write requests. Hence, so far, a call to +poll never returned EPOLLOUT, which confuses tools like socat. + +Signed-off-by: Fabian Henneke <fabian.henneke@gmail.com> +In-reply-to: <CA+hv5qkyis03CgYTWeWX9cr0my-d2Oe+aZo+mjmWRXgjrGqyrw@mail.gmail.com> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +[bwh: Backported to 3.16: s/EPOLL/POLL/] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/hid/hidraw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hid/hidraw.c ++++ b/drivers/hid/hidraw.c +@@ -265,7 +265,7 @@ static unsigned int hidraw_poll(struct f + + poll_wait(file, &list->hidraw->wait, wait); + if (list->head != list->tail) +- return POLLIN | POLLRDNORM; ++ return POLLIN | POLLRDNORM | POLLOUT; + if (!list->hidraw->exist) + return POLLERR | POLLHUP; + return 0;
diff --git a/queue-3.16/hwmon-adt7475-make-volt2reg-return-same-reg-as-reg2volt-input.patch b/queue-3.16/hwmon-adt7475-make-volt2reg-return-same-reg-as-reg2volt-input.patch new file mode 100644 index 0000000..f6e71c6 --- /dev/null +++ b/queue-3.16/hwmon-adt7475-make-volt2reg-return-same-reg-as-reg2volt-input.patch
@@ -0,0 +1,39 @@ +From: Luuk Paulussen <luuk.paulussen@alliedtelesis.co.nz> +Date: Fri, 6 Dec 2019 12:16:59 +1300 +Subject: hwmon: (adt7475) Make volt2reg return same reg as reg2volt input + +commit cf3ca1877574a306c0207cbf7fdf25419d9229df upstream. + +reg2volt returns the voltage that matches a given register value. +Converting this back the other way with volt2reg didn't return the same +register value because it used truncation instead of rounding. + +This meant that values read from sysfs could not be written back to sysfs +to set back the same register value. + +With this change, volt2reg will return the same value for every voltage +previously returned by reg2volt (for the set of possible input values) + +Signed-off-by: Luuk Paulussen <luuk.paulussen@alliedtelesis.co.nz> +Link: https://lore.kernel.org/r/20191205231659.1301-1-luuk.paulussen@alliedtelesis.co.nz +Signed-off-by: Guenter Roeck <linux@roeck-us.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/hwmon/adt7475.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/hwmon/adt7475.c ++++ b/drivers/hwmon/adt7475.c +@@ -268,9 +268,10 @@ static inline u16 volt2reg(int channel, + long reg; + + if (bypass_attn & (1 << channel)) +- reg = (volt * 1024) / 2250; ++ reg = DIV_ROUND_CLOSEST(volt * 1024, 2250); + else +- reg = (volt * r[1] * 1024) / ((r[0] + r[1]) * 2250); ++ reg = DIV_ROUND_CLOSEST(volt * r[1] * 1024, ++ (r[0] + r[1]) * 2250); + return clamp_val(reg, 0, 1023) & (0xff << 2); + } +
diff --git a/queue-3.16/ib-mlx4-avoid-executing-gid-task-when-device-is-being-removed.patch b/queue-3.16/ib-mlx4-avoid-executing-gid-task-when-device-is-being-removed.patch new file mode 100644 index 0000000..a0d4edd --- /dev/null +++ b/queue-3.16/ib-mlx4-avoid-executing-gid-task-when-device-is-being-removed.patch
@@ -0,0 +1,51 @@ +From: Moni Shoua <monis@mellanox.com> +Date: Thu, 21 Aug 2014 14:28:42 +0300 +Subject: IB/mlx4: Avoid executing gid task when device is being removed + +commit 4bf9715f184969dc703bde7be94919995024a6a9 upstream. + +When device is being removed (e.g during VPI port link type change +from ETH to IB), tasks for gid table changes should not be executed. + +Flush the current queue of tasks and block further tasks from entering the queue. + +Signed-off-by: Moni Shoua <monis@mellanox.com> +Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com> +Signed-off-by: Roland Dreier <roland@purestorage.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/infiniband/hw/mlx4/main.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/infiniband/hw/mlx4/main.c ++++ b/drivers/infiniband/hw/mlx4/main.c +@@ -1395,6 +1395,9 @@ static void update_gids_task(struct work + int err; + struct mlx4_dev *dev = gw->dev->dev; + ++ if (!gw->dev->ib_active) ++ return; ++ + mailbox = mlx4_alloc_cmd_mailbox(dev); + if (IS_ERR(mailbox)) { + pr_warn("update gid table failed %ld\n", PTR_ERR(mailbox)); +@@ -1425,6 +1428,9 @@ static void reset_gids_task(struct work_ + int err; + struct mlx4_dev *dev = gw->dev->dev; + ++ if (!gw->dev->ib_active) ++ return; ++ + mailbox = mlx4_alloc_cmd_mailbox(dev); + if (IS_ERR(mailbox)) { + pr_warn("reset gid table failed\n"); +@@ -2363,6 +2369,9 @@ static void mlx4_ib_remove(struct mlx4_d + struct mlx4_ib_dev *ibdev = ibdev_ptr; + int p; + ++ ibdev->ib_active = false; ++ flush_workqueue(wq); ++ + mlx4_ib_close_sriov(ibdev); + mlx4_ib_mad_cleanup(ibdev); + ib_unregister_device(&ibdev->ib_dev);
diff --git a/queue-3.16/ib-mlx4-follow-mirror-sequence-of-device-add-during-device-removal.patch b/queue-3.16/ib-mlx4-follow-mirror-sequence-of-device-add-during-device-removal.patch new file mode 100644 index 0000000..72c7727 --- /dev/null +++ b/queue-3.16/ib-mlx4-follow-mirror-sequence-of-device-add-during-device-removal.patch
@@ -0,0 +1,54 @@ +From: Parav Pandit <parav@mellanox.com> +Date: Thu, 12 Dec 2019 11:12:13 +0200 +Subject: IB/mlx4: Follow mirror sequence of device add during device removal + +commit 89f988d93c62384758b19323c886db917a80c371 upstream. + +Current code device add sequence is: + +ib_register_device() +ib_mad_init() +init_sriov_init() +register_netdev_notifier() + +Therefore, the remove sequence should be, + +unregister_netdev_notifier() +close_sriov() +mad_cleanup() +ib_unregister_device() + +However it is not above. +Hence, make do above remove sequence. + +Fixes: fa417f7b520ee ("IB/mlx4: Add support for IBoE") +Signed-off-by: Parav Pandit <parav@mellanox.com> +Reviewed-by: Maor Gottlieb <maorg@mellanox.com> +Signed-off-by: Leon Romanovsky <leonro@mellanox.com> +Link: https://lore.kernel.org/r/20191212091214.315005-3-leon@kernel.org +Signed-off-by: Doug Ledford <dledford@redhat.com> +[bwh: Backported to 3.16: No need to call mlx4_ib_diag_cleanup()] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/drivers/infiniband/hw/mlx4/main.c ++++ b/drivers/infiniband/hw/mlx4/main.c +@@ -2372,15 +2372,16 @@ static void mlx4_ib_remove(struct mlx4_d + ibdev->ib_active = false; + flush_workqueue(wq); + +- mlx4_ib_close_sriov(ibdev); +- mlx4_ib_mad_cleanup(ibdev); +- ib_unregister_device(&ibdev->ib_dev); + if (ibdev->iboe.nb.notifier_call) { + if (unregister_netdevice_notifier(&ibdev->iboe.nb)) + pr_warn("failure unregistering notifier\n"); + ibdev->iboe.nb.notifier_call = NULL; + } + ++ mlx4_ib_close_sriov(ibdev); ++ mlx4_ib_mad_cleanup(ibdev); ++ ib_unregister_device(&ibdev->ib_dev); ++ + mlx4_qp_release_range(dev, ibdev->steer_qpn_base, + ibdev->steer_qpn_count); + kfree(ibdev->ib_uc_qpns_bitmap);
diff --git a/queue-3.16/iio-buffer-align-the-size-of-scan-bytes-to-size-of-the-largest.patch b/queue-3.16/iio-buffer-align-the-size-of-scan-bytes-to-size-of-the-largest.patch new file mode 100644 index 0000000..3b1d935 --- /dev/null +++ b/queue-3.16/iio-buffer-align-the-size-of-scan-bytes-to-size-of-the-largest.patch
@@ -0,0 +1,60 @@ +From: =?UTF-8?q?Lars=20M=C3=B6llendorf?= <lars.moellendorf@plating.de> +Date: Fri, 13 Dec 2019 14:50:55 +0100 +Subject: iio: buffer: align the size of scan bytes to size of the largest + element +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 883f616530692d81cb70f8a32d85c0d2afc05f69 upstream. + +Previous versions of `iio_compute_scan_bytes` only aligned each element +to its own length (i.e. its own natural alignment). Because multiple +consecutive sets of scan elements are buffered this does not work in +case the computed scan bytes do not align with the natural alignment of +the first scan element in the set. + +This commit fixes this by aligning the scan bytes to the natural +alignment of the largest scan element in the set. + +Fixes: 959d2952d124 ("staging:iio: make iio_sw_buffer_preenable much more general.") +Signed-off-by: Lars Möllendorf <lars.moellendorf@plating.de> +Reviewed-by: Lars-Peter Clausen <lars@metafoo.de> +Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/iio/industrialio-buffer.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/iio/industrialio-buffer.c ++++ b/drivers/iio/industrialio-buffer.c +@@ -478,7 +478,7 @@ static int iio_compute_scan_bytes(struct + { + const struct iio_chan_spec *ch; + unsigned bytes = 0; +- int length, i; ++ int length, i, largest = 0; + + /* How much space will the demuxed element take? */ + for_each_set_bit(i, mask, +@@ -491,6 +491,7 @@ static int iio_compute_scan_bytes(struct + length = ch->scan_type.storagebits / 8; + bytes = ALIGN(bytes, length); + bytes += length; ++ largest = max(largest, length); + } + if (timestamp) { + ch = iio_find_channel_from_si(indio_dev, +@@ -502,7 +503,10 @@ static int iio_compute_scan_bytes(struct + length = ch->scan_type.storagebits / 8; + bytes = ALIGN(bytes, length); + bytes += length; ++ largest = max(largest, length); + } ++ ++ bytes = ALIGN(bytes, largest); + return bytes; + } +
diff --git a/queue-3.16/input-aiptek-fix-endpoint-sanity-check.patch b/queue-3.16/input-aiptek-fix-endpoint-sanity-check.patch new file mode 100644 index 0000000..c3f191a --- /dev/null +++ b/queue-3.16/input-aiptek-fix-endpoint-sanity-check.patch
@@ -0,0 +1,43 @@ +From: Johan Hovold <johan@kernel.org> +Date: Fri, 10 Jan 2020 11:59:32 -0800 +Subject: Input: aiptek - fix endpoint sanity check + +commit 3111491fca4f01764e0c158c5e0f7ced808eef51 upstream. + +The driver was checking the number of endpoints of the first alternate +setting instead of the current one, something which could lead to the +driver binding to an invalid interface. + +This in turn could cause the driver to misbehave or trigger a WARN() in +usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 8e20cf2bce12 ("Input: aiptek - fix crash on detecting device without endpoints") +Signed-off-by: Johan Hovold <johan@kernel.org> +Acked-by: Vladis Dronov <vdronov@redhat.com> +Link: https://lore.kernel.org/r/20191210113737.4016-3-johan@kernel.org +Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/input/tablet/aiptek.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/input/tablet/aiptek.c ++++ b/drivers/input/tablet/aiptek.c +@@ -1820,14 +1820,14 @@ aiptek_probe(struct usb_interface *intf, + input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0); + + /* Verify that a device really has an endpoint */ +- if (intf->altsetting[0].desc.bNumEndpoints < 1) { ++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) { + dev_err(&intf->dev, + "interface has %d endpoints, but must have minimum 1\n", +- intf->altsetting[0].desc.bNumEndpoints); ++ intf->cur_altsetting->desc.bNumEndpoints); + err = -EINVAL; + goto fail3; + } +- endpoint = &intf->altsetting[0].endpoint[0].desc; ++ endpoint = &intf->cur_altsetting->endpoint[0].desc; + + /* Go set up our URB, which is called when the tablet receives + * input.
diff --git a/queue-3.16/input-gtco-fix-endpoint-sanity-check.patch b/queue-3.16/input-gtco-fix-endpoint-sanity-check.patch new file mode 100644 index 0000000..aba5a70 --- /dev/null +++ b/queue-3.16/input-gtco-fix-endpoint-sanity-check.patch
@@ -0,0 +1,55 @@ +From: Johan Hovold <johan@kernel.org> +Date: Fri, 10 Jan 2020 12:00:18 -0800 +Subject: Input: gtco - fix endpoint sanity check + +commit a8eeb74df5a6bdb214b2b581b14782c5f5a0cf83 upstream. + +The driver was checking the number of endpoints of the first alternate +setting instead of the current one, something which could lead to the +driver binding to an invalid interface. + +This in turn could cause the driver to misbehave or trigger a WARN() in +usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 162f98dea487 ("Input: gtco - fix crash on detecting device without endpoints") +Signed-off-by: Johan Hovold <johan@kernel.org> +Acked-by: Vladis Dronov <vdronov@redhat.com> +Link: https://lore.kernel.org/r/20191210113737.4016-5-johan@kernel.org +Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/input/tablet/gtco.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +--- a/drivers/input/tablet/gtco.c ++++ b/drivers/input/tablet/gtco.c +@@ -886,18 +886,14 @@ static int gtco_probe(struct usb_interfa + } + + /* Sanity check that a device has an endpoint */ +- if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) { ++ if (usbinterface->cur_altsetting->desc.bNumEndpoints < 1) { + dev_err(&usbinterface->dev, + "Invalid number of endpoints\n"); + error = -EINVAL; + goto err_free_urb; + } + +- /* +- * The endpoint is always altsetting 0, we know this since we know +- * this device only has one interrupt endpoint +- */ +- endpoint = &usbinterface->altsetting[0].endpoint[0].desc; ++ endpoint = &usbinterface->cur_altsetting->endpoint[0].desc; + + /* Some debug */ + dev_dbg(&usbinterface->dev, "gtco # interfaces: %d\n", usbinterface->num_altsetting); +@@ -984,7 +980,7 @@ static int gtco_probe(struct usb_interfa + input_dev->dev.parent = &usbinterface->dev; + + /* Setup the URB, it will be posted later on open of input device */ +- endpoint = &usbinterface->altsetting[0].endpoint[0].desc; ++ endpoint = &usbinterface->cur_altsetting->endpoint[0].desc; + + usb_fill_int_urb(gtco->urbinfo, + gtco->usbdev,
diff --git a/queue-3.16/input-keyspan-remote-fix-control-message-timeouts.patch b/queue-3.16/input-keyspan-remote-fix-control-message-timeouts.patch new file mode 100644 index 0000000..232833d --- /dev/null +++ b/queue-3.16/input-keyspan-remote-fix-control-message-timeouts.patch
@@ -0,0 +1,58 @@ +From: Johan Hovold <johan@kernel.org> +Date: Mon, 13 Jan 2020 10:38:57 -0800 +Subject: Input: keyspan-remote - fix control-message timeouts + +commit ba9a103f40fc4a3ec7558ec9b0b97d4f92034249 upstream. + +The driver was issuing synchronous uninterruptible control requests +without using a timeout. This could lead to the driver hanging on probe +due to a malfunctioning (or malicious) device until the device is +physically disconnected. While sleeping in probe the driver prevents +other devices connected to the same hub from being added to (or removed +from) the bus. + +The USB upper limit of five seconds per request should be more than +enough. + +Fixes: 99f83c9c9ac9 ("[PATCH] USB: add driver for Keyspan Digital Remote") +Signed-off-by: Johan Hovold <johan@kernel.org> +Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Link: https://lore.kernel.org/r/20200113171715.30621-1-johan@kernel.org +Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/input/misc/keyspan_remote.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/input/misc/keyspan_remote.c ++++ b/drivers/input/misc/keyspan_remote.c +@@ -344,7 +344,8 @@ static int keyspan_setup(struct usb_devi + int retval = 0; + + retval = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), +- 0x11, 0x40, 0x5601, 0x0, NULL, 0, 0); ++ 0x11, 0x40, 0x5601, 0x0, NULL, 0, ++ USB_CTRL_SET_TIMEOUT); + if (retval) { + dev_dbg(&dev->dev, "%s - failed to set bit rate due to error: %d\n", + __func__, retval); +@@ -352,7 +353,8 @@ static int keyspan_setup(struct usb_devi + } + + retval = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), +- 0x44, 0x40, 0x0, 0x0, NULL, 0, 0); ++ 0x44, 0x40, 0x0, 0x0, NULL, 0, ++ USB_CTRL_SET_TIMEOUT); + if (retval) { + dev_dbg(&dev->dev, "%s - failed to set resume sensitivity due to error: %d\n", + __func__, retval); +@@ -360,7 +362,8 @@ static int keyspan_setup(struct usb_devi + } + + retval = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), +- 0x22, 0x40, 0x0, 0x0, NULL, 0, 0); ++ 0x22, 0x40, 0x0, 0x0, NULL, 0, ++ USB_CTRL_SET_TIMEOUT); + if (retval) { + dev_dbg(&dev->dev, "%s - failed to turn receive on due to error: %d\n", + __func__, retval);
diff --git a/queue-3.16/input-sur40-fix-interface-sanity-checks.patch b/queue-3.16/input-sur40-fix-interface-sanity-checks.patch new file mode 100644 index 0000000..34c52ff --- /dev/null +++ b/queue-3.16/input-sur40-fix-interface-sanity-checks.patch
@@ -0,0 +1,33 @@ +From: Johan Hovold <johan@kernel.org> +Date: Fri, 10 Jan 2020 12:01:27 -0800 +Subject: Input: sur40 - fix interface sanity checks + +commit 6b32391ed675827f8425a414abbc6fbd54ea54fe upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +This in turn could cause the driver to misbehave or trigger a WARN() in +usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: bdb5c57f209c ("Input: add sur40 driver for Samsung SUR40 (aka MS Surface 2.0/Pixelsense)") +Signed-off-by: Johan Hovold <johan@kernel.org> +Acked-by: Vladis Dronov <vdronov@redhat.com> +Link: https://lore.kernel.org/r/20191210113737.4016-8-johan@kernel.org +Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/input/touchscreen/sur40.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/touchscreen/sur40.c ++++ b/drivers/input/touchscreen/sur40.c +@@ -357,7 +357,7 @@ static int sur40_probe(struct usb_interf + int error; + + /* Check if we really have the right interface. */ +- iface_desc = &interface->altsetting[0]; ++ iface_desc = interface->cur_altsetting; + if (iface_desc->desc.bInterfaceClass != 0xFF) + return -ENODEV; +
diff --git a/queue-3.16/ixgbevf-remove-limit-of-10-entries-for-unicast-filter-list.patch b/queue-3.16/ixgbevf-remove-limit-of-10-entries-for-unicast-filter-list.patch new file mode 100644 index 0000000..dc19f9c --- /dev/null +++ b/queue-3.16/ixgbevf-remove-limit-of-10-entries-for-unicast-filter-list.patch
@@ -0,0 +1,34 @@ +From: Radoslaw Tyl <radoslawx.tyl@intel.com> +Date: Mon, 25 Nov 2019 15:24:52 +0100 +Subject: ixgbevf: Remove limit of 10 entries for unicast filter list + +commit aa604651d523b1493988d0bf6710339f3ee60272 upstream. + +Currently, though the FDB entry is added to VF, it does not appear in +RAR filters. VF driver only allows to add 10 entries. Attempting to add +another causes an error. This patch removes limitation and allows use of +all free RAR entries for the FDB if needed. + +Fixes: 46ec20ff7d ("ixgbevf: Add macvlan support in the set rx mode op") +Signed-off-by: Radoslaw Tyl <radoslawx.tyl@intel.com> +Acked-by: Paul Menzel <pmenzel@molgen.mpg.de> +Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c ++++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c +@@ -1465,11 +1465,6 @@ static int ixgbevf_write_uc_addr_list(st + struct ixgbe_hw *hw = &adapter->hw; + int count = 0; + +- if ((netdev_uc_count(netdev)) > 10) { +- pr_err("Too many unicast filters - No Space\n"); +- return -ENOSPC; +- } +- + if (!netdev_uc_empty(netdev)) { + struct netdev_hw_addr *ha; + netdev_for_each_uc_addr(ha, netdev) {
diff --git a/queue-3.16/kernel-trace-fix-do-not-unregister-tracepoints-when-register.patch b/queue-3.16/kernel-trace-fix-do-not-unregister-tracepoints-when-register.patch new file mode 100644 index 0000000..b70f0c8 --- /dev/null +++ b/queue-3.16/kernel-trace-fix-do-not-unregister-tracepoints-when-register.patch
@@ -0,0 +1,41 @@ +From: Kaitao Cheng <pilgrimtao@gmail.com> +Date: Tue, 31 Dec 2019 05:35:30 -0800 +Subject: kernel/trace: Fix do not unregister tracepoints when register + sched_migrate_task fail + +commit 50f9ad607ea891a9308e67b81f774c71736d1098 upstream. + +In the function, if register_trace_sched_migrate_task() returns error, +sched_switch/sched_wakeup_new/sched_wakeup won't unregister. That is +why fail_deprobe_sched_switch was added. + +Link: http://lkml.kernel.org/r/20191231133530.2794-1-pilgrimtao@gmail.com + +Fixes: 478142c39c8c2 ("tracing: do not grab lock in wakeup latency function tracing") +Signed-off-by: Kaitao Cheng <pilgrimtao@gmail.com> +Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + kernel/trace/trace_sched_wakeup.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace_sched_wakeup.c ++++ b/kernel/trace/trace_sched_wakeup.c +@@ -567,7 +567,7 @@ static void start_wakeup_tracer(struct t + if (ret) { + pr_info("wakeup trace: Couldn't activate tracepoint" + " probe to kernel_sched_migrate_task\n"); +- return; ++ goto fail_deprobe_sched_switch; + } + + wakeup_reset(tr); +@@ -585,6 +585,8 @@ static void start_wakeup_tracer(struct t + printk(KERN_ERR "failed to start wakeup tracer\n"); + + return; ++fail_deprobe_sched_switch: ++ unregister_trace_sched_switch(probe_wakeup_sched_switch, NULL); + fail_deprobe_wake_new: + unregister_trace_sched_wakeup_new(probe_wakeup, NULL); + fail_deprobe:
diff --git a/queue-3.16/kobject-export-kobject_get_unless_zero.patch b/queue-3.16/kobject-export-kobject_get_unless_zero.patch new file mode 100644 index 0000000..53fff61 --- /dev/null +++ b/queue-3.16/kobject-export-kobject_get_unless_zero.patch
@@ -0,0 +1,51 @@ +From: Jan Kara <jack@suse.cz> +Date: Thu, 23 Mar 2017 01:37:01 +0100 +Subject: kobject: Export kobject_get_unless_zero() + +commit c70c176ff8c3ff0ac6ef9a831cd591ea9a66bd1a upstream. + +Make the function available for outside use and fortify it against NULL +kobject. + +CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Reviewed-by: Bart Van Assche <bart.vanassche@sandisk.com> +Acked-by: Tejun Heo <tj@kernel.org> +Signed-off-by: Jan Kara <jack@suse.cz> +Signed-off-by: Jens Axboe <axboe@fb.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + include/linux/kobject.h | 2 ++ + lib/kobject.c | 5 ++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/include/linux/kobject.h ++++ b/include/linux/kobject.h +@@ -107,6 +107,8 @@ extern int __must_check kobject_rename(s + extern int __must_check kobject_move(struct kobject *, struct kobject *); + + extern struct kobject *kobject_get(struct kobject *kobj); ++extern struct kobject * __must_check kobject_get_unless_zero( ++ struct kobject *kobj); + extern void kobject_put(struct kobject *kobj); + + extern const void *kobject_namespace(struct kobject *kobj); +--- a/lib/kobject.c ++++ b/lib/kobject.c +@@ -581,12 +581,15 @@ struct kobject *kobject_get(struct kobje + return kobj; + } + +-static struct kobject * __must_check kobject_get_unless_zero(struct kobject *kobj) ++struct kobject * __must_check kobject_get_unless_zero(struct kobject *kobj) + { ++ if (!kobj) ++ return NULL; + if (!kref_get_unless_zero(&kobj->kref)) + kobj = NULL; + return kobj; + } ++EXPORT_SYMBOL(kobject_get_unless_zero); + + /* + * kobject_cleanup - free kobject resources.
diff --git a/queue-3.16/kvm-x86-host-feature-ssbd-doesn-t-imply-guest-feature.patch b/queue-3.16/kvm-x86-host-feature-ssbd-doesn-t-imply-guest-feature.patch new file mode 100644 index 0000000..5686f9e --- /dev/null +++ b/queue-3.16/kvm-x86-host-feature-ssbd-doesn-t-imply-guest-feature.patch
@@ -0,0 +1,44 @@ +From: Jim Mattson <jmattson@google.com> +Date: Fri, 13 Dec 2019 16:15:15 -0800 +Subject: kvm: x86: Host feature SSBD doesn't imply guest feature + SPEC_CTRL_SSBD + +commit 396d2e878f92ec108e4293f1c77ea3bc90b414ff upstream. + +The host reports support for the synthetic feature X86_FEATURE_SSBD +when any of the three following hardware features are set: + CPUID.(EAX=7,ECX=0):EDX.SSBD[bit 31] + CPUID.80000008H:EBX.AMD_SSBD[bit 24] + CPUID.80000008H:EBX.VIRT_SSBD[bit 25] + +Either of the first two hardware features implies the existence of the +IA32_SPEC_CTRL MSR, but CPUID.80000008H:EBX.VIRT_SSBD[bit 25] does +not. Therefore, CPUID.(EAX=7,ECX=0):EDX.SSBD[bit 31] should only be +set in the guest if CPUID.(EAX=7,ECX=0):EDX.SSBD[bit 31] or +CPUID.80000008H:EBX.AMD_SSBD[bit 24] is set on the host. + +Fixes: 0c54914d0c52a ("KVM: x86: use Intel speculation bugs and features as derived in generic x86 code") +Signed-off-by: Jim Mattson <jmattson@google.com> +Reviewed-by: Jacob Xu <jacobhxu@google.com> +Reviewed-by: Peter Shier <pshier@google.com> +Cc: Paolo Bonzini <pbonzini@redhat.com> +Reported-by: Eric Biggers <ebiggers@kernel.org> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +[bwh: Backported to 3.16: adjust indentation] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/x86/kvm/cpuid.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/cpuid.c ++++ b/arch/x86/kvm/cpuid.c +@@ -400,7 +400,8 @@ static inline int __do_cpuid_ent(struct + entry->edx |= F(SPEC_CTRL); + if (boot_cpu_has(X86_FEATURE_STIBP)) + entry->edx |= F(INTEL_STIBP); +- if (boot_cpu_has(X86_FEATURE_SSBD)) ++ if (boot_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) || ++ boot_cpu_has(X86_FEATURE_AMD_SSBD)) + entry->edx |= F(SPEC_CTRL_SSBD); + /* + * We emulate ARCH_CAPABILITIES in software even
diff --git a/queue-3.16/libertas-don-t-exit-from-lbs_ibss_join_existing-with-rcu-read-lock.patch b/queue-3.16/libertas-don-t-exit-from-lbs_ibss_join_existing-with-rcu-read-lock.patch new file mode 100644 index 0000000..14236a0 --- /dev/null +++ b/queue-3.16/libertas-don-t-exit-from-lbs_ibss_join_existing-with-rcu-read-lock.patch
@@ -0,0 +1,33 @@ +From: Nicolai Stange <nstange@suse.de> +Date: Tue, 14 Jan 2020 11:39:02 +0100 +Subject: libertas: don't exit from lbs_ibss_join_existing() with RCU read lock + held + +commit c7bf1fb7ddca331780b9a733ae308737b39f1ad4 upstream. + +Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss +descriptor") introduced a bounds check on the number of supplied rates to +lbs_ibss_join_existing(). + +Unfortunately, it introduced a return path from within a RCU read side +critical section without a corresponding rcu_read_unlock(). Fix this. + +Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor") +Signed-off-by: Nicolai Stange <nstange@suse.de> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +[bwh: Backported to 3.16: adjust filename] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/wireless/libertas/cfg.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/libertas/cfg.c ++++ b/drivers/net/wireless/libertas/cfg.c +@@ -1855,6 +1855,7 @@ static int lbs_ibss_join_existing(struct + rates_max = rates_eid[1]; + if (rates_max > MAX_RATES) { + lbs_deb_join("invalid rates"); ++ rcu_read_unlock(); + goto out; + } + rates = cmd.bss.rates;
diff --git a/queue-3.16/libertas-make-lbs_ibss_join_existing-return-error-code-on-rates.patch b/queue-3.16/libertas-make-lbs_ibss_join_existing-return-error-code-on-rates.patch new file mode 100644 index 0000000..0ee7b0b --- /dev/null +++ b/queue-3.16/libertas-make-lbs_ibss_join_existing-return-error-code-on-rates.patch
@@ -0,0 +1,37 @@ +From: Nicolai Stange <nstange@suse.de> +Date: Tue, 14 Jan 2020 11:39:03 +0100 +Subject: libertas: make lbs_ibss_join_existing() return error code on rates + overflow + +commit 1754c4f60aaf1e17d886afefee97e94d7f27b4cb upstream. + +Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss +descriptor") introduced a bounds check on the number of supplied rates to +lbs_ibss_join_existing() and made it to return on overflow. + +However, the aforementioned commit doesn't set the return value accordingly +and thus, lbs_ibss_join_existing() would return with zero even though it +failed. + +Make lbs_ibss_join_existing return -EINVAL in case the bounds check on the +number of supplied rates fails. + +Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor") +Signed-off-by: Nicolai Stange <nstange@suse.de> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +[bwh: Backported to 3.16: adjust filename] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/wireless/libertas/cfg.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/libertas/cfg.c ++++ b/drivers/net/wireless/libertas/cfg.c +@@ -1856,6 +1856,7 @@ static int lbs_ibss_join_existing(struct + if (rates_max > MAX_RATES) { + lbs_deb_join("invalid rates"); + rcu_read_unlock(); ++ ret = -EINVAL; + goto out; + } + rates = cmd.bss.rates;
diff --git a/queue-3.16/locks-print-unsigned-ino-in-proc-locks.patch b/queue-3.16/locks-print-unsigned-ino-in-proc-locks.patch new file mode 100644 index 0000000..b29caf5 --- /dev/null +++ b/queue-3.16/locks-print-unsigned-ino-in-proc-locks.patch
@@ -0,0 +1,27 @@ +From: Amir Goldstein <amir73il@gmail.com> +Date: Sun, 22 Dec 2019 20:45:28 +0200 +Subject: locks: print unsigned ino in /proc/locks + +commit 98ca480a8f22fdbd768e3dad07024c8d4856576c upstream. + +An ino is unsigned, so display it as such in /proc/locks. + +Signed-off-by: Amir Goldstein <amir73il@gmail.com> +Signed-off-by: Jeff Layton <jlayton@kernel.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/locks.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/locks.c ++++ b/fs/locks.c +@@ -2488,7 +2488,7 @@ static void lock_get_status(struct seq_f + inode->i_sb->s_id, inode->i_ino); + #else + /* userspace relies on this representation of dev_t ;-( */ +- seq_printf(f, "%d %02x:%02x:%ld ", fl_pid, ++ seq_printf(f, "%d %02x:%02x:%lu ", fl_pid, + MAJOR(inode->i_sb->s_dev), + MINOR(inode->i_sb->s_dev), inode->i_ino); + #endif
diff --git a/queue-3.16/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch b/queue-3.16/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch new file mode 100644 index 0000000..0800a96 --- /dev/null +++ b/queue-3.16/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch
@@ -0,0 +1,168 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Mon, 6 Jan 2020 12:30:48 -0800 +Subject: macvlan: do not assume mac_header is set in macvlan_broadcast() + +commit 96cc4b69581db68efc9749ef32e9cf8e0160c509 upstream. + +Use of eth_hdr() in tx path is error prone. + +Many drivers call skb_reset_mac_header() before using it, +but others do not. + +Commit 6d1ccff62780 ("net: reset mac header in dev_start_xmit()") +attempted to fix this generically, but commit d346a3fae3ff +("packet: introduce PACKET_QDISC_BYPASS socket option") brought +back the macvlan bug. + +Lets add a new helper, so that tx paths no longer have +to call skb_reset_mac_header() only to get a pointer +to skb->data. + +Hopefully we will be able to revert 6d1ccff62780 +("net: reset mac header in dev_start_xmit()") and save few cycles +in transmit fast path. + +BUG: KASAN: use-after-free in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] +BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:251 [inline] +BUG: KASAN: use-after-free in macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277 +Read of size 4 at addr ffff8880a4932401 by task syz-executor947/9579 + +CPU: 0 PID: 9579 Comm: syz-executor947 Not tainted 5.5.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x197/0x210 lib/dump_stack.c:118 + print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 + __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506 + kasan_report+0x12/0x20 mm/kasan/common.c:639 + __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:145 + __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] + mc_hash drivers/net/macvlan.c:251 [inline] + macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277 + macvlan_queue_xmit drivers/net/macvlan.c:520 [inline] + macvlan_start_xmit+0x402/0x77f drivers/net/macvlan.c:559 + __netdev_start_xmit include/linux/netdevice.h:4447 [inline] + netdev_start_xmit include/linux/netdevice.h:4461 [inline] + dev_direct_xmit+0x419/0x630 net/core/dev.c:4079 + packet_direct_xmit+0x1a9/0x250 net/packet/af_packet.c:240 + packet_snd net/packet/af_packet.c:2966 [inline] + packet_sendmsg+0x260d/0x6220 net/packet/af_packet.c:2991 + sock_sendmsg_nosec net/socket.c:639 [inline] + sock_sendmsg+0xd7/0x130 net/socket.c:659 + __sys_sendto+0x262/0x380 net/socket.c:1985 + __do_sys_sendto net/socket.c:1997 [inline] + __se_sys_sendto net/socket.c:1993 [inline] + __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1993 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x442639 +Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007ffc13549e08 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442639 +RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003 +RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000403bb0 R14: 0000000000000000 R15: 0000000000000000 + +Allocated by task 9389: + save_stack+0x23/0x90 mm/kasan/common.c:72 + set_track mm/kasan/common.c:80 [inline] + __kasan_kmalloc mm/kasan/common.c:513 [inline] + __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486 + kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527 + __do_kmalloc mm/slab.c:3656 [inline] + __kmalloc+0x163/0x770 mm/slab.c:3665 + kmalloc include/linux/slab.h:561 [inline] + tomoyo_realpath_from_path+0xc5/0x660 security/tomoyo/realpath.c:252 + tomoyo_get_realpath security/tomoyo/file.c:151 [inline] + tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822 + tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129 + security_inode_getattr+0xf2/0x150 security/security.c:1222 + vfs_getattr+0x25/0x70 fs/stat.c:115 + vfs_statx_fd+0x71/0xc0 fs/stat.c:145 + vfs_fstat include/linux/fs.h:3265 [inline] + __do_sys_newfstat+0x9b/0x120 fs/stat.c:378 + __se_sys_newfstat fs/stat.c:375 [inline] + __x64_sys_newfstat+0x54/0x80 fs/stat.c:375 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Freed by task 9389: + save_stack+0x23/0x90 mm/kasan/common.c:72 + set_track mm/kasan/common.c:80 [inline] + kasan_set_free_info mm/kasan/common.c:335 [inline] + __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474 + kasan_slab_free+0xe/0x10 mm/kasan/common.c:483 + __cache_free mm/slab.c:3426 [inline] + kfree+0x10a/0x2c0 mm/slab.c:3757 + tomoyo_realpath_from_path+0x1a7/0x660 security/tomoyo/realpath.c:289 + tomoyo_get_realpath security/tomoyo/file.c:151 [inline] + tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822 + tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129 + security_inode_getattr+0xf2/0x150 security/security.c:1222 + vfs_getattr+0x25/0x70 fs/stat.c:115 + vfs_statx_fd+0x71/0xc0 fs/stat.c:145 + vfs_fstat include/linux/fs.h:3265 [inline] + __do_sys_newfstat+0x9b/0x120 fs/stat.c:378 + __se_sys_newfstat fs/stat.c:375 [inline] + __x64_sys_newfstat+0x54/0x80 fs/stat.c:375 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The buggy address belongs to the object at ffff8880a4932000 + which belongs to the cache kmalloc-4k of size 4096 +The buggy address is located 1025 bytes inside of + 4096-byte region [ffff8880a4932000, ffff8880a4933000) +The buggy address belongs to the page: +page:ffffea0002924c80 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0 +raw: 00fffe0000010200 ffffea0002846208 ffffea00028f3888 ffff8880aa402000 +raw: 0000000000000000 ffff8880a4932000 0000000100000001 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8880a4932300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880a4932380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff8880a4932400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8880a4932480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880a4932500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: b863ceb7ddce ("[NET]: Add macvlan driver") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: syzbot <syzkaller@googlegroups.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/macvlan.c | 2 +- + include/linux/if_ether.h | 8 ++++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -162,7 +162,7 @@ static void macvlan_broadcast(struct sk_ + struct net_device *src, + enum macvlan_mode mode) + { +- const struct ethhdr *eth = eth_hdr(skb); ++ const struct ethhdr *eth = skb_eth_hdr(skb); + const struct macvlan_dev *vlan; + struct sk_buff *nskb; + unsigned int i; +--- a/include/linux/if_ether.h ++++ b/include/linux/if_ether.h +@@ -28,6 +28,14 @@ static inline struct ethhdr *eth_hdr(con + return (struct ethhdr *)skb_mac_header(skb); + } + ++/* Prefer this version in TX path, instead of ++ * skb_reset_mac_header() + eth_hdr() ++ */ ++static inline struct ethhdr *skb_eth_hdr(const struct sk_buff *skb) ++{ ++ return (struct ethhdr *)skb->data; ++} ++ + int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr); + + extern ssize_t sysfs_format_mac(char *buf, const unsigned char *addr, int len);
diff --git a/queue-3.16/macvlan-use-skb_reset_mac_header-in-macvlan_queue_xmit.patch b/queue-3.16/macvlan-use-skb_reset_mac_header-in-macvlan_queue_xmit.patch new file mode 100644 index 0000000..4bb4ec4 --- /dev/null +++ b/queue-3.16/macvlan-use-skb_reset_mac_header-in-macvlan_queue_xmit.patch
@@ -0,0 +1,46 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Tue, 14 Jan 2020 13:00:35 -0800 +Subject: macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() + +commit 1712b2fff8c682d145c7889d2290696647d82dab upstream. + +I missed the fact that macvlan_broadcast() can be used both +in RX and TX. + +skb_eth_hdr() makes only sense in TX paths, so we can not +use it blindly in macvlan_broadcast() + +Fixes: 96cc4b69581d ("macvlan: do not assume mac_header is set in macvlan_broadcast()") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: Jurgen Van Ham <juvanham@gmail.com> +Tested-by: Matteo Croce <mcroce@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/macvlan.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -162,7 +162,7 @@ static void macvlan_broadcast(struct sk_ + struct net_device *src, + enum macvlan_mode mode) + { +- const struct ethhdr *eth = skb_eth_hdr(skb); ++ const struct ethhdr *eth = eth_hdr(skb); + const struct macvlan_dev *vlan; + struct sk_buff *nskb; + unsigned int i; +@@ -345,10 +345,11 @@ static int macvlan_queue_xmit(struct sk_ + const struct macvlan_dev *dest; + + if (vlan->mode == MACVLAN_MODE_BRIDGE) { +- const struct ethhdr *eth = (void *)skb->data; ++ const struct ethhdr *eth = skb_eth_hdr(skb); + + /* send to other bridge ports directly */ + if (is_multicast_ether_addr(eth->h_dest)) { ++ skb_reset_mac_header(skb); + macvlan_broadcast(skb, port, dev, MACVLAN_MODE_BRIDGE); + goto xmit_world; + }
diff --git a/queue-3.16/mmc-sdhci-fix-minimum-clock-rate-for-v3-controller.patch b/queue-3.16/mmc-sdhci-fix-minimum-clock-rate-for-v3-controller.patch new file mode 100644 index 0000000..5941c52 --- /dev/null +++ b/queue-3.16/mmc-sdhci-fix-minimum-clock-rate-for-v3-controller.patch
@@ -0,0 +1,50 @@ +From: =?UTF-8?q?Micha=C5=82=20Miros=C5=82aw?= <mirq-linux@rere.qmqm.pl> +Date: Wed, 15 Jan 2020 10:54:35 +0100 +Subject: mmc: sdhci: fix minimum clock rate for v3 controller +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 2a187d03352086e300daa2044051db00044cd171 upstream. + +For SDHCIv3+ with programmable clock mode, minimal clock frequency is +still base clock / max(divider). Minimal programmable clock frequency is +always greater than minimal divided clock frequency. Without this patch, +SDHCI uses out-of-spec initial frequency when multiplier is big enough: + +mmc1: mmc_rescan_try_freq: trying to init card at 468750 Hz +[for 480 MHz source clock divided by 1024] + +The code in sdhci_calc_clk() already chooses a correct SDCLK clock mode. + +Fixes: c3ed3877625f ("mmc: sdhci: add support for programmable clock mode") +Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl> +Acked-by: Adrian Hunter <adrian.hunter@intel.com> +Link: https://lore.kernel.org/r/ffb489519a446caffe7a0a05c4b9372bd52397bb.1579082031.git.mirq-linux@rere.qmqm.pl +Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/mmc/host/sdhci.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -2945,11 +2945,13 @@ int sdhci_add_host(struct sdhci_host *ho + if (host->ops->get_min_clock) + mmc->f_min = host->ops->get_min_clock(host); + else if (host->version >= SDHCI_SPEC_300) { +- if (host->clk_mul) { +- mmc->f_min = (host->max_clk * host->clk_mul) / 1024; ++ if (host->clk_mul) + mmc->f_max = host->max_clk * host->clk_mul; +- } else +- mmc->f_min = host->max_clk / SDHCI_MAX_DIV_SPEC_300; ++ /* ++ * Divided Clock Mode minimum clock rate is always less than ++ * Programmable Clock Mode minimum clock rate. ++ */ ++ mmc->f_min = host->max_clk / SDHCI_MAX_DIV_SPEC_300; + } else + mmc->f_min = host->max_clk / SDHCI_MAX_DIV_SPEC_200; +
diff --git a/queue-3.16/mod_devicetable-fix-phy-module-format.patch b/queue-3.16/mod_devicetable-fix-phy-module-format.patch new file mode 100644 index 0000000..a77da0f --- /dev/null +++ b/queue-3.16/mod_devicetable-fix-phy-module-format.patch
@@ -0,0 +1,40 @@ +From: Russell King <rmk+kernel@armlinux.org.uk> +Date: Thu, 19 Dec 2019 23:24:47 +0000 +Subject: mod_devicetable: fix PHY module format + +commit d2ed49cf6c13e379c5819aa5ac20e1f9674ebc89 upstream. + +When a PHY is probed, if the top bit is set, we end up requesting a +module with the string "mdio:-10101110000000100101000101010001" - +the top bit is printed to a signed -1 value. This leads to the module +not being loaded. + +Fix the module format string and the macro generating the values for +it to ensure that we only print unsigned types and the top bit is +always 0/1. We correctly end up with +"mdio:10101110000000100101000101010001". + +Fixes: 8626d3b43280 ("phylib: Support phy module autoloading") +Reviewed-by: Andrew Lunn <andrew@lunn.ch> +Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> +Reviewed-by: Florian Fainelli <f.fainelli@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + include/linux/mod_devicetable.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/mod_devicetable.h ++++ b/include/linux/mod_devicetable.h +@@ -497,9 +497,9 @@ struct platform_device_id { + + #define MDIO_MODULE_PREFIX "mdio:" + +-#define MDIO_ID_FMT "%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d" ++#define MDIO_ID_FMT "%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u" + #define MDIO_ID_ARGS(_id) \ +- (_id)>>31, ((_id)>>30) & 1, ((_id)>>29) & 1, ((_id)>>28) & 1, \ ++ ((_id)>>31) & 1, ((_id)>>30) & 1, ((_id)>>29) & 1, ((_id)>>28) & 1, \ + ((_id)>>27) & 1, ((_id)>>26) & 1, ((_id)>>25) & 1, ((_id)>>24) & 1, \ + ((_id)>>23) & 1, ((_id)>>22) & 1, ((_id)>>21) & 1, ((_id)>>20) & 1, \ + ((_id)>>19) & 1, ((_id)>>18) & 1, ((_id)>>17) & 1, ((_id)>>16) & 1, \
diff --git a/queue-3.16/namei-allow-restricted-o_creat-of-fifos-and-regular-files.patch b/queue-3.16/namei-allow-restricted-o_creat-of-fifos-and-regular-files.patch new file mode 100644 index 0000000..590334f --- /dev/null +++ b/queue-3.16/namei-allow-restricted-o_creat-of-fifos-and-regular-files.patch
@@ -0,0 +1,229 @@ +From: Salvatore Mesoraca <s.mesoraca16@gmail.com> +Date: Thu, 23 Aug 2018 17:00:35 -0700 +Subject: namei: allow restricted O_CREAT of FIFOs and regular files + +commit 30aba6656f61ed44cba445a3c0d38b296fa9e8f5 upstream. + +Disallows open of FIFOs or regular files not owned by the user in world +writable sticky directories, unless the owner is the same as that of the +directory or the file is opened without the O_CREAT flag. The purpose +is to make data spoofing attacks harder. This protection can be turned +on and off separately for FIFOs and regular files via sysctl, just like +the symlinks/hardlinks protection. This patch is based on Openwall's +"HARDEN_FIFO" feature by Solar Designer. + +This is a brief list of old vulnerabilities that could have been prevented +by this feature, some of them even allow for privilege escalation: + +CVE-2000-1134 +CVE-2007-3852 +CVE-2008-0525 +CVE-2009-0416 +CVE-2011-4834 +CVE-2015-1838 +CVE-2015-7442 +CVE-2016-7489 + +This list is not meant to be complete. It's difficult to track down all +vulnerabilities of this kind because they were often reported without any +mention of this particular attack vector. In fact, before +hardlinks/symlinks restrictions, fifos/regular files weren't the favorite +vehicle to exploit them. + +[s.mesoraca16@gmail.com: fix bug reported by Dan Carpenter] + Link: https://lkml.kernel.org/r/20180426081456.GA7060@mwanda + Link: http://lkml.kernel.org/r/1524829819-11275-1-git-send-email-s.mesoraca16@gmail.com +[keescook@chromium.org: drop pr_warn_ratelimited() in favor of audit changes in the future] +[keescook@chromium.org: adjust commit subjet] +Link: http://lkml.kernel.org/r/20180416175918.GA13494@beast +Signed-off-by: Salvatore Mesoraca <s.mesoraca16@gmail.com> +Signed-off-by: Kees Cook <keescook@chromium.org> +Suggested-by: Solar Designer <solar@openwall.com> +Suggested-by: Kees Cook <keescook@chromium.org> +Cc: Al Viro <viro@zeniv.linux.org.uk> +Cc: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + Documentation/sysctl/fs.txt | 36 +++++++++++++++++++++++++ + fs/namei.c | 53 ++++++++++++++++++++++++++++++++++--- + include/linux/fs.h | 2 ++ + kernel/sysctl.c | 18 +++++++++++++ + 4 files changed, 106 insertions(+), 3 deletions(-) + +--- a/Documentation/sysctl/fs.txt ++++ b/Documentation/sysctl/fs.txt +@@ -34,7 +34,9 @@ Currently, these files are in /proc/sys/ + - overflowgid + - pipe-user-pages-hard + - pipe-user-pages-soft ++- protected_fifos + - protected_hardlinks ++- protected_regular + - protected_symlinks + - suid_dumpable + - super-max +@@ -182,6 +184,24 @@ applied. + + ============================================================== + ++protected_fifos: ++ ++The intent of this protection is to avoid unintentional writes to ++an attacker-controlled FIFO, where a program expected to create a regular ++file. ++ ++When set to "0", writing to FIFOs is unrestricted. ++ ++When set to "1" don't allow O_CREAT open on FIFOs that we don't own ++in world writable sticky directories, unless they are owned by the ++owner of the directory. ++ ++When set to "2" it also applies to group writable sticky directories. ++ ++This protection is based on the restrictions in Openwall. ++ ++============================================================== ++ + protected_hardlinks: + + A long-standing class of security issues is the hardlink-based +@@ -202,6 +222,22 @@ This protection is based on the restrict + + ============================================================== + ++protected_regular: ++ ++This protection is similar to protected_fifos, but it ++avoids writes to an attacker-controlled regular file, where a program ++expected to create one. ++ ++When set to "0", writing to regular files is unrestricted. ++ ++When set to "1" don't allow O_CREAT open on regular files that we ++don't own in world writable sticky directories, unless they are ++owned by the owner of the directory. ++ ++When set to "2" it also applies to group writable sticky directories. ++ ++============================================================== ++ + protected_symlinks: + + A long-standing class of security issues is the symlink-based +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -723,6 +723,8 @@ static inline void put_link(struct namei + + int sysctl_protected_symlinks __read_mostly = 0; + int sysctl_protected_hardlinks __read_mostly = 0; ++int sysctl_protected_fifos __read_mostly; ++int sysctl_protected_regular __read_mostly; + + /** + * may_follow_link - Check symlink following for unsafe situations +@@ -837,6 +839,45 @@ static int may_linkat(struct path *link) + return -EPERM; + } + ++/** ++ * may_create_in_sticky - Check whether an O_CREAT open in a sticky directory ++ * should be allowed, or not, on files that already ++ * exist. ++ * @dir: the sticky parent directory ++ * @inode: the inode of the file to open ++ * ++ * Block an O_CREAT open of a FIFO (or a regular file) when: ++ * - sysctl_protected_fifos (or sysctl_protected_regular) is enabled ++ * - the file already exists ++ * - we are in a sticky directory ++ * - we don't own the file ++ * - the owner of the directory doesn't own the file ++ * - the directory is world writable ++ * If the sysctl_protected_fifos (or sysctl_protected_regular) is set to 2 ++ * the directory doesn't have to be world writable: being group writable will ++ * be enough. ++ * ++ * Returns 0 if the open is allowed, -ve on error. ++ */ ++static int may_create_in_sticky(struct dentry * const dir, ++ struct inode * const inode) ++{ ++ if ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) || ++ (!sysctl_protected_regular && S_ISREG(inode->i_mode)) || ++ likely(!(dir->d_inode->i_mode & S_ISVTX)) || ++ uid_eq(inode->i_uid, dir->d_inode->i_uid) || ++ uid_eq(current_fsuid(), inode->i_uid)) ++ return 0; ++ ++ if (likely(dir->d_inode->i_mode & 0002) || ++ (dir->d_inode->i_mode & 0020 && ++ ((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) || ++ (sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) { ++ return -EACCES; ++ } ++ return 0; ++} ++ + static __always_inline int + follow_link(struct path *link, struct nameidata *nd, void **p) + { +@@ -3057,9 +3098,15 @@ finish_open: + return error; + } + audit_inode(name, nd->path.dentry, 0); +- error = -EISDIR; +- if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry)) +- goto out; ++ if (open_flag & O_CREAT) { ++ error = -EISDIR; ++ if (d_is_dir(nd->path.dentry)) ++ goto out; ++ error = may_create_in_sticky(dir, ++ d_backing_inode(nd->path.dentry)); ++ if (unlikely(error)) ++ goto out; ++ } + error = -ENOTDIR; + if ((nd->flags & LOOKUP_DIRECTORY) && !d_can_lookup(nd->path.dentry)) + goto out; +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -61,6 +61,8 @@ extern struct inodes_stat_t inodes_stat; + extern int leases_enable, lease_break_time; + extern int sysctl_protected_symlinks; + extern int sysctl_protected_hardlinks; ++extern int sysctl_protected_fifos; ++extern int sysctl_protected_regular; + + struct buffer_head; + typedef int (get_block_t)(struct inode *inode, sector_t iblock, +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -1653,6 +1653,24 @@ static struct ctl_table fs_table[] = { + .extra2 = &one, + }, + { ++ .procname = "protected_fifos", ++ .data = &sysctl_protected_fifos, ++ .maxlen = sizeof(int), ++ .mode = 0600, ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &zero, ++ .extra2 = &two, ++ }, ++ { ++ .procname = "protected_regular", ++ .data = &sysctl_protected_regular, ++ .maxlen = sizeof(int), ++ .mode = 0600, ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &zero, ++ .extra2 = &two, ++ }, ++ { + .procname = "suid_dumpable", + .data = &suid_dumpable, + .maxlen = sizeof(int),
diff --git a/queue-3.16/neighbour-remove-neigh_cleanup-method.patch b/queue-3.16/neighbour-remove-neigh_cleanup-method.patch new file mode 100644 index 0000000..e1ca97b --- /dev/null +++ b/queue-3.16/neighbour-remove-neigh_cleanup-method.patch
@@ -0,0 +1,63 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Sat, 7 Dec 2019 12:23:21 -0800 +Subject: neighbour: remove neigh_cleanup() method + +commit f394722fb0d0f701119368959d7cd0ecbc46363a upstream. + +neigh_cleanup() has not been used for seven years, and was a wrong design. + +Messing with shared pointer in bond_neigh_init() without proper +memory barriers would at least trigger syzbot complains eventually. + +It is time to remove this stuff. + +Fixes: b63b70d87741 ("IPoIB: Use a private hash table for path lookup in xmit path") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3431,19 +3431,10 @@ static int bond_neigh_init(struct neighb + return 0; + + parms.neigh_setup = NULL; +- parms.neigh_cleanup = NULL; + ret = slave_ops->ndo_neigh_setup(slave->dev, &parms); + if (ret) + return ret; + +- /* +- * Assign slave's neigh_cleanup to neighbour in case cleanup is called +- * after the last slave has been detached. Assumes that all slaves +- * utilize the same neigh_cleanup (true at this writing as only user +- * is ipoib). +- */ +- n->parms->neigh_cleanup = parms.neigh_cleanup; +- + if (!parms.neigh_setup) + return 0; + +--- a/include/net/neighbour.h ++++ b/include/net/neighbour.h +@@ -71,7 +71,6 @@ struct neigh_parms { + struct net_device *dev; + struct neigh_parms *next; + int (*neigh_setup)(struct neighbour *); +- void (*neigh_cleanup)(struct neighbour *); + struct neigh_table *tbl; + + void *sysctl_table; +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -103,9 +103,6 @@ static int neigh_blackhole(struct neighb + + static void neigh_cleanup_and_release(struct neighbour *neigh) + { +- if (neigh->parms->neigh_cleanup) +- neigh->parms->neigh_cleanup(neigh); +- + __neigh_notify(neigh, RTM_DELNEIGH, 0); + neigh_release(neigh); + }
diff --git a/queue-3.16/net-sonic-add-mutual-exclusion-for-accessing-shared-state.patch b/queue-3.16/net-sonic-add-mutual-exclusion-for-accessing-shared-state.patch new file mode 100644 index 0000000..e7612f0 --- /dev/null +++ b/queue-3.16/net-sonic-add-mutual-exclusion-for-accessing-shared-state.patch
@@ -0,0 +1,148 @@ +From: Finn Thain <fthain@telegraphics.com.au> +Date: Thu, 23 Jan 2020 09:07:26 +1100 +Subject: net/sonic: Add mutual exclusion for accessing shared state + +commit 865ad2f2201dc18685ba2686f13217f8b3a9c52c upstream. + +The netif_stop_queue() call in sonic_send_packet() races with the +netif_wake_queue() call in sonic_interrupt(). This causes issues +like "NETDEV WATCHDOG: eth0 (macsonic): transmit queue 0 timed out". +Fix this by disabling interrupts when accessing tx_skb[] and next_tx. +Update a comment to clarify the synchronization properties. + +Fixes: efcce839360f ("[PATCH] macsonic/jazzsonic network drivers update") +Tested-by: Stan Johnson <userm57@yahoo.com> +Signed-off-by: Finn Thain <fthain@telegraphics.com.au> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/ethernet/natsemi/sonic.c | 49 ++++++++++++++++++++-------- + drivers/net/ethernet/natsemi/sonic.h | 1 + + 2 files changed, 36 insertions(+), 14 deletions(-) + +--- a/drivers/net/ethernet/natsemi/sonic.c ++++ b/drivers/net/ethernet/natsemi/sonic.c +@@ -50,6 +50,8 @@ static int sonic_open(struct net_device + if (sonic_debug > 2) + printk("sonic_open: initializing sonic driver.\n"); + ++ spin_lock_init(&lp->lock); ++ + for (i = 0; i < SONIC_NUM_RRS; i++) { + struct sk_buff *skb = netdev_alloc_skb(dev, SONIC_RBSIZE + 2); + if (skb == NULL) { +@@ -194,8 +196,6 @@ static void sonic_tx_timeout(struct net_ + * wake the tx queue + * Concurrently with all of this, the SONIC is potentially writing to + * the status flags of the TDs. +- * Until some mutual exclusion is added, this code will not work with SMP. However, +- * MIPS Jazz machines and m68k Macs were all uni-processor machines. + */ + + static int sonic_send_packet(struct sk_buff *skb, struct net_device *dev) +@@ -203,7 +203,8 @@ static int sonic_send_packet(struct sk_b + struct sonic_local *lp = netdev_priv(dev); + dma_addr_t laddr; + int length; +- int entry = lp->next_tx; ++ int entry; ++ unsigned long flags; + + if (sonic_debug > 2) + printk("sonic_send_packet: skb=%p, dev=%p\n", skb, dev); +@@ -226,6 +227,10 @@ static int sonic_send_packet(struct sk_b + return NETDEV_TX_OK; + } + ++ spin_lock_irqsave(&lp->lock, flags); ++ ++ entry = lp->next_tx; ++ + sonic_tda_put(dev, entry, SONIC_TD_STATUS, 0); /* clear status */ + sonic_tda_put(dev, entry, SONIC_TD_FRAG_COUNT, 1); /* single fragment */ + sonic_tda_put(dev, entry, SONIC_TD_PKTSIZE, length); /* length of packet */ +@@ -235,10 +240,6 @@ static int sonic_send_packet(struct sk_b + sonic_tda_put(dev, entry, SONIC_TD_LINK, + sonic_tda_get(dev, entry, SONIC_TD_LINK) | SONIC_EOL); + +- /* +- * Must set tx_skb[entry] only after clearing status, and +- * before clearing EOL and before stopping queue +- */ + wmb(); + lp->tx_len[entry] = length; + lp->tx_laddr[entry] = laddr; +@@ -263,6 +264,8 @@ static int sonic_send_packet(struct sk_b + + SONIC_WRITE(SONIC_CMD, SONIC_CR_TXP); + ++ spin_unlock_irqrestore(&lp->lock, flags); ++ + return NETDEV_TX_OK; + } + +@@ -275,9 +278,21 @@ static irqreturn_t sonic_interrupt(int i + struct net_device *dev = dev_id; + struct sonic_local *lp = netdev_priv(dev); + int status; ++ unsigned long flags; ++ ++ /* The lock has two purposes. Firstly, it synchronizes sonic_interrupt() ++ * with sonic_send_packet() so that the two functions can share state. ++ * Secondly, it makes sonic_interrupt() re-entrant, as that is required ++ * by macsonic which must use two IRQs with different priority levels. ++ */ ++ spin_lock_irqsave(&lp->lock, flags); ++ ++ status = SONIC_READ(SONIC_ISR) & SONIC_IMR_DEFAULT; ++ if (!status) { ++ spin_unlock_irqrestore(&lp->lock, flags); + +- if (!(status = SONIC_READ(SONIC_ISR) & SONIC_IMR_DEFAULT)) + return IRQ_NONE; ++ } + + do { + if (status & SONIC_INT_PKTRX) { +@@ -292,11 +307,12 @@ static irqreturn_t sonic_interrupt(int i + int td_status; + int freed_some = 0; + +- /* At this point, cur_tx is the index of a TD that is one of: +- * unallocated/freed (status set & tx_skb[entry] clear) +- * allocated and sent (status set & tx_skb[entry] set ) +- * allocated and not yet sent (status clear & tx_skb[entry] set ) +- * still being allocated by sonic_send_packet (status clear & tx_skb[entry] clear) ++ /* The state of a Transmit Descriptor may be inferred ++ * from { tx_skb[entry], td_status } as follows. ++ * { clear, clear } => the TD has never been used ++ * { set, clear } => the TD was handed to SONIC ++ * { set, set } => the TD was handed back ++ * { clear, set } => the TD is available for re-use + */ + + if (sonic_debug > 2) +@@ -398,7 +414,12 @@ static irqreturn_t sonic_interrupt(int i + /* load CAM done */ + if (status & SONIC_INT_LCD) + SONIC_WRITE(SONIC_ISR, SONIC_INT_LCD); /* clear the interrupt */ +- } while((status = SONIC_READ(SONIC_ISR) & SONIC_IMR_DEFAULT)); ++ ++ status = SONIC_READ(SONIC_ISR) & SONIC_IMR_DEFAULT; ++ } while (status); ++ ++ spin_unlock_irqrestore(&lp->lock, flags); ++ + return IRQ_HANDLED; + } + +--- a/drivers/net/ethernet/natsemi/sonic.h ++++ b/drivers/net/ethernet/natsemi/sonic.h +@@ -320,6 +320,7 @@ struct sonic_local { + unsigned int next_tx; /* next free TD */ + struct device *device; /* generic device */ + struct net_device_stats stats; ++ spinlock_t lock; + }; + + #define TX_TIMEOUT (3 * HZ)
diff --git a/queue-3.16/net-sonic-fix-receive-buffer-handling.patch b/queue-3.16/net-sonic-fix-receive-buffer-handling.patch new file mode 100644 index 0000000..954c7ae --- /dev/null +++ b/queue-3.16/net-sonic-fix-receive-buffer-handling.patch
@@ -0,0 +1,106 @@ +From: Finn Thain <fthain@telegraphics.com.au> +Date: Thu, 23 Jan 2020 09:07:26 +1100 +Subject: net/sonic: Fix receive buffer handling + +commit 9e311820f67e740f4fb8dcb82b4c4b5b05bdd1a5 upstream. + +The SONIC can sometimes advance its rx buffer pointer (RRP register) +without advancing its rx descriptor pointer (CRDA register). As a result +the index of the current rx descriptor may not equal that of the current +rx buffer. The driver mistakenly assumes that they are always equal. +This assumption leads to incorrect packet lengths and possible packet +duplication. Avoid this by calling a new function to locate the buffer +corresponding to a given descriptor. + +Fixes: efcce839360f ("[PATCH] macsonic/jazzsonic network drivers update") +Tested-by: Stan Johnson <userm57@yahoo.com> +Signed-off-by: Finn Thain <fthain@telegraphics.com.au> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/ethernet/natsemi/sonic.c | 35 ++++++++++++++++++++++++---- + drivers/net/ethernet/natsemi/sonic.h | 5 ++-- + 2 files changed, 33 insertions(+), 7 deletions(-) + +--- a/drivers/net/ethernet/natsemi/sonic.c ++++ b/drivers/net/ethernet/natsemi/sonic.c +@@ -423,6 +423,21 @@ static irqreturn_t sonic_interrupt(int i + return IRQ_HANDLED; + } + ++/* Return the array index corresponding to a given Receive Buffer pointer. */ ++static int index_from_addr(struct sonic_local *lp, dma_addr_t addr, ++ unsigned int last) ++{ ++ unsigned int i = last; ++ ++ do { ++ i = (i + 1) & SONIC_RRS_MASK; ++ if (addr == lp->rx_laddr[i]) ++ return i; ++ } while (i != last); ++ ++ return -ENOENT; ++} ++ + /* + * We have a good packet(s), pass it/them up the network stack. + */ +@@ -442,6 +457,16 @@ static void sonic_rx(struct net_device * + + status = sonic_rda_get(dev, entry, SONIC_RD_STATUS); + if (status & SONIC_RCR_PRX) { ++ u32 addr = (sonic_rda_get(dev, entry, ++ SONIC_RD_PKTPTR_H) << 16) | ++ sonic_rda_get(dev, entry, SONIC_RD_PKTPTR_L); ++ int i = index_from_addr(lp, addr, entry); ++ ++ if (i < 0) { ++ WARN_ONCE(1, "failed to find buffer!\n"); ++ break; ++ } ++ + /* Malloc up new buffer. */ + new_skb = netdev_alloc_skb(dev, SONIC_RBSIZE + 2); + if (new_skb == NULL) { +@@ -463,7 +488,7 @@ static void sonic_rx(struct net_device * + + /* now we have a new skb to replace it, pass the used one up the stack */ + dma_unmap_single(lp->device, lp->rx_laddr[entry], SONIC_RBSIZE, DMA_FROM_DEVICE); +- used_skb = lp->rx_skb[entry]; ++ used_skb = lp->rx_skb[i]; + pkt_len = sonic_rda_get(dev, entry, SONIC_RD_PKTLEN); + skb_trim(used_skb, pkt_len); + used_skb->protocol = eth_type_trans(used_skb, dev); +@@ -472,13 +497,13 @@ static void sonic_rx(struct net_device * + lp->stats.rx_bytes += pkt_len; + + /* and insert the new skb */ +- lp->rx_laddr[entry] = new_laddr; +- lp->rx_skb[entry] = new_skb; ++ lp->rx_laddr[i] = new_laddr; ++ lp->rx_skb[i] = new_skb; + + bufadr_l = (unsigned long)new_laddr & 0xffff; + bufadr_h = (unsigned long)new_laddr >> 16; +- sonic_rra_put(dev, entry, SONIC_RR_BUFADR_L, bufadr_l); +- sonic_rra_put(dev, entry, SONIC_RR_BUFADR_H, bufadr_h); ++ sonic_rra_put(dev, i, SONIC_RR_BUFADR_L, bufadr_l); ++ sonic_rra_put(dev, i, SONIC_RR_BUFADR_H, bufadr_h); + } else { + /* This should only happen, if we enable accepting broken packets. */ + lp->stats.rx_errors++; +--- a/drivers/net/ethernet/natsemi/sonic.h ++++ b/drivers/net/ethernet/natsemi/sonic.h +@@ -273,8 +273,9 @@ + #define SONIC_NUM_RDS SONIC_NUM_RRS /* number of receive descriptors */ + #define SONIC_NUM_TDS 16 /* number of transmit descriptors */ + +-#define SONIC_RDS_MASK (SONIC_NUM_RDS-1) +-#define SONIC_TDS_MASK (SONIC_NUM_TDS-1) ++#define SONIC_RRS_MASK (SONIC_NUM_RRS - 1) ++#define SONIC_RDS_MASK (SONIC_NUM_RDS - 1) ++#define SONIC_TDS_MASK (SONIC_NUM_TDS - 1) + + #define SONIC_RBSIZE 1520 /* size of one resource buffer */ +
diff --git a/queue-3.16/net-sonic-quiesce-sonic-before-re-initializing-descriptor-memory.patch b/queue-3.16/net-sonic-quiesce-sonic-before-re-initializing-descriptor-memory.patch new file mode 100644 index 0000000..34e61b5 --- /dev/null +++ b/queue-3.16/net-sonic-quiesce-sonic-before-re-initializing-descriptor-memory.patch
@@ -0,0 +1,87 @@ +From: Finn Thain <fthain@telegraphics.com.au> +Date: Thu, 23 Jan 2020 09:07:26 +1100 +Subject: net/sonic: Quiesce SONIC before re-initializing descriptor memory + +commit 3f4b7e6a2be982fd8820a2b54d46dd9c351db899 upstream. + +Make sure the SONIC's DMA engine is idle before altering the transmit +and receive descriptors. Add a helper for this as it will be needed +again. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Tested-by: Stan Johnson <userm57@yahoo.com> +Signed-off-by: Finn Thain <fthain@telegraphics.com.au> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/ethernet/natsemi/sonic.c | 25 +++++++++++++++++++++++++ + drivers/net/ethernet/natsemi/sonic.h | 3 +++ + 2 files changed, 28 insertions(+) + +--- a/drivers/net/ethernet/natsemi/sonic.c ++++ b/drivers/net/ethernet/natsemi/sonic.c +@@ -103,6 +103,24 @@ static int sonic_open(struct net_device + return 0; + } + ++/* Wait for the SONIC to become idle. */ ++static void sonic_quiesce(struct net_device *dev, u16 mask) ++{ ++ struct sonic_local * __maybe_unused lp = netdev_priv(dev); ++ int i; ++ u16 bits; ++ ++ for (i = 0; i < 1000; ++i) { ++ bits = SONIC_READ(SONIC_CMD) & mask; ++ if (!bits) ++ return; ++ if (irqs_disabled() || in_interrupt()) ++ udelay(20); ++ else ++ usleep_range(100, 200); ++ } ++ WARN_ONCE(1, "command deadline expired! 0x%04x\n", bits); ++} + + /* + * Close the SONIC device +@@ -120,6 +138,9 @@ static int sonic_close(struct net_device + /* + * stop the SONIC, disable interrupts + */ ++ SONIC_WRITE(SONIC_CMD, SONIC_CR_RXDIS); ++ sonic_quiesce(dev, SONIC_CR_ALL); ++ + SONIC_WRITE(SONIC_IMR, 0); + SONIC_WRITE(SONIC_ISR, 0x7fff); + SONIC_WRITE(SONIC_CMD, SONIC_CR_RST); +@@ -159,6 +180,9 @@ static void sonic_tx_timeout(struct net_ + * put the Sonic into software-reset mode and + * disable all interrupts before releasing DMA buffers + */ ++ SONIC_WRITE(SONIC_CMD, SONIC_CR_RXDIS); ++ sonic_quiesce(dev, SONIC_CR_ALL); ++ + SONIC_WRITE(SONIC_IMR, 0); + SONIC_WRITE(SONIC_ISR, 0x7fff); + SONIC_WRITE(SONIC_CMD, SONIC_CR_RST); +@@ -638,6 +662,7 @@ static int sonic_init(struct net_device + */ + SONIC_WRITE(SONIC_CMD, 0); + SONIC_WRITE(SONIC_CMD, SONIC_CR_RXDIS); ++ sonic_quiesce(dev, SONIC_CR_ALL); + + /* + * initialize the receive resource area +--- a/drivers/net/ethernet/natsemi/sonic.h ++++ b/drivers/net/ethernet/natsemi/sonic.h +@@ -109,6 +109,9 @@ + #define SONIC_CR_TXP 0x0002 + #define SONIC_CR_HTX 0x0001 + ++#define SONIC_CR_ALL (SONIC_CR_LCAM | SONIC_CR_RRRA | \ ++ SONIC_CR_RXEN | SONIC_CR_TXP) ++ + /* + * SONIC data configuration bits + */
diff --git a/queue-3.16/net-sonic-return-netdev_tx_ok-if-failed-to-map-buffer.patch b/queue-3.16/net-sonic-return-netdev_tx_ok-if-failed-to-map-buffer.patch new file mode 100644 index 0000000..3b92630 --- /dev/null +++ b/queue-3.16/net-sonic-return-netdev_tx_ok-if-failed-to-map-buffer.patch
@@ -0,0 +1,34 @@ +From: Mao Wenan <maowenan@huawei.com> +Date: Thu, 5 Sep 2019 09:57:12 +0800 +Subject: net: sonic: return NETDEV_TX_OK if failed to map buffer + +commit 6e1cdedcf0362fed3aedfe051d46bd7ee2a85fe1 upstream. + +NETDEV_TX_BUSY really should only be used by drivers that call +netif_tx_stop_queue() at the wrong moment. If dma_map_single() is +failed to map tx DMA buffer, it might trigger an infinite loop. +This patch use NETDEV_TX_OK instead of NETDEV_TX_BUSY, and change +printk to pr_err_ratelimited. + +Fixes: d9fb9f384292 ("*sonic/natsemi/ns83829: Move the National Semi-conductor drivers") +Signed-off-by: Mao Wenan <maowenan@huawei.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/ethernet/natsemi/sonic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/natsemi/sonic.c ++++ b/drivers/net/ethernet/natsemi/sonic.c +@@ -221,9 +221,9 @@ static int sonic_send_packet(struct sk_b + + laddr = dma_map_single(lp->device, skb->data, length, DMA_TO_DEVICE); + if (!laddr) { +- printk(KERN_ERR "%s: failed to map tx DMA buffer.\n", dev->name); ++ pr_err_ratelimited("%s: failed to map tx DMA buffer.\n", dev->name); + dev_kfree_skb(skb); +- return NETDEV_TX_BUSY; ++ return NETDEV_TX_OK; + } + + sonic_tda_put(dev, entry, SONIC_TD_STATUS, 0); /* clear status */
diff --git a/queue-3.16/net-sonic-use-mmio-accessors.patch b/queue-3.16/net-sonic-use-mmio-accessors.patch new file mode 100644 index 0000000..32a4e7b --- /dev/null +++ b/queue-3.16/net-sonic-use-mmio-accessors.patch
@@ -0,0 +1,61 @@ +From: Finn Thain <fthain@telegraphics.com.au> +Date: Thu, 23 Jan 2020 09:07:26 +1100 +Subject: net/sonic: Use MMIO accessors + +commit e3885f576196ddfc670b3d53e745de96ffcb49ab upstream. + +The driver accesses descriptor memory which is simultaneously accessed by +the chip, so the compiler must not be allowed to re-order CPU accesses. +sonic_buf_get() used 'volatile' to prevent that. sonic_buf_put() should +have done so too but was overlooked. + +Fixes: efcce839360f ("[PATCH] macsonic/jazzsonic network drivers update") +Tested-by: Stan Johnson <userm57@yahoo.com> +Signed-off-by: Finn Thain <fthain@telegraphics.com.au> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/ethernet/natsemi/sonic.h | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/net/ethernet/natsemi/sonic.h ++++ b/drivers/net/ethernet/natsemi/sonic.h +@@ -342,30 +342,30 @@ static void sonic_tx_timeout(struct net_ + as far as we can tell. */ + /* OpenBSD calls this "SWO". I'd like to think that sonic_buf_put() + is a much better name. */ +-static inline void sonic_buf_put(void* base, int bitmode, ++static inline void sonic_buf_put(u16 *base, int bitmode, + int offset, __u16 val) + { + if (bitmode) + #ifdef __BIG_ENDIAN +- ((__u16 *) base + (offset*2))[1] = val; ++ __raw_writew(val, base + (offset * 2) + 1); + #else +- ((__u16 *) base + (offset*2))[0] = val; ++ __raw_writew(val, base + (offset * 2) + 0); + #endif + else +- ((__u16 *) base)[offset] = val; ++ __raw_writew(val, base + (offset * 1) + 0); + } + +-static inline __u16 sonic_buf_get(void* base, int bitmode, ++static inline __u16 sonic_buf_get(u16 *base, int bitmode, + int offset) + { + if (bitmode) + #ifdef __BIG_ENDIAN +- return ((volatile __u16 *) base + (offset*2))[1]; ++ return __raw_readw(base + (offset * 2) + 1); + #else +- return ((volatile __u16 *) base + (offset*2))[0]; ++ return __raw_readw(base + (offset * 2) + 0); + #endif + else +- return ((volatile __u16 *) base)[offset]; ++ return __raw_readw(base + (offset * 1) + 0); + } + + /* Inlines that you should actually use for reading/writing DMA buffers */
diff --git a/queue-3.16/net-stmmac-16kb-buffer-must-be-16-byte-aligned.patch b/queue-3.16/net-stmmac-16kb-buffer-must-be-16-byte-aligned.patch new file mode 100644 index 0000000..041dca9 --- /dev/null +++ b/queue-3.16/net-stmmac-16kb-buffer-must-be-16-byte-aligned.patch
@@ -0,0 +1,30 @@ +From: Jose Abreu <Jose.Abreu@synopsys.com> +Date: Wed, 18 Dec 2019 11:17:41 +0100 +Subject: net: stmmac: 16KB buffer must be 16 byte aligned + +commit 8605131747e7e1fd8f6c9f97a00287aae2b2c640 upstream. + +The 16KB RX Buffer must also be 16 byte aligned. Fix it. + +Fixes: 7ac6653a085b ("stmmac: Move the STMicroelectronics driver") +Signed-off-by: Jose Abreu <Jose.Abreu@synopsys.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/ethernet/stmicro/stmmac/common.h | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/common.h ++++ b/drivers/net/ethernet/stmicro/stmmac/common.h +@@ -270,9 +270,8 @@ struct dma_features { + unsigned int enh_desc; + }; + +-/* GMAC TX FIFO is 8K, Rx FIFO is 16K */ +-#define BUF_SIZE_16KiB 16384 +-/* RX Buffer size must be < 8191 and multiple of 4/8/16 bytes */ ++/* RX Buffer size must be multiple of 4/8/16 bytes */ ++#define BUF_SIZE_16KiB 16368 + #define BUF_SIZE_8KiB 8188 + #define BUF_SIZE_4KiB 4096 + #define BUF_SIZE_2KiB 2048
diff --git a/queue-3.16/net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch b/queue-3.16/net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch new file mode 100644 index 0000000..17ce557 --- /dev/null +++ b/queue-3.16/net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch
@@ -0,0 +1,29 @@ +From: Chen-Yu Tsai <wens@csie.org> +Date: Mon, 6 Jan 2020 11:09:22 +0800 +Subject: net: stmmac: dwmac-sunxi: Allow all RGMII modes + +commit 52cc73e5404c7ba0cbfc50cb4c265108c84b3d5a upstream. + +Allow all the RGMII modes to be used. This would allow us to represent +the hardware better in the device tree with RGMII_ID where in most +cases the PHY's internal delay for both RX and TX are used. + +Fixes: af0bd4e9ba80 ("net: stmmac: sunxi platform extensions for GMAC in Allwinner A20 SoC's") +Signed-off-by: Chen-Yu Tsai <wens@csie.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c +@@ -78,7 +78,7 @@ static int sun7i_gmac_init(struct platfo + * rate, which then uses the auto-reparenting feature of the + * clock driver, and enabling/disabling the clock. + */ +- if (gmac->interface == PHY_INTERFACE_MODE_RGMII) { ++ if (phy_interface_mode_is_rgmii(gmac->interface)) { + clk_set_rate(gmac->tx_clk, SUN7I_GMAC_GMII_RGMII_RATE); + clk_prepare_enable(gmac->tx_clk); + gmac->clk_enabled = 1;
diff --git a/queue-3.16/net-stmmac-enable-16kb-buffer-size.patch b/queue-3.16/net-stmmac-enable-16kb-buffer-size.patch new file mode 100644 index 0000000..b724c27 --- /dev/null +++ b/queue-3.16/net-stmmac-enable-16kb-buffer-size.patch
@@ -0,0 +1,30 @@ +From: Jose Abreu <Jose.Abreu@synopsys.com> +Date: Wed, 18 Dec 2019 11:17:42 +0100 +Subject: net: stmmac: Enable 16KB buffer size + +commit b2f3a481c4cd62f78391b836b64c0a6e72b503d2 upstream. + +XGMAC supports maximum MTU that can go to 16KB. Lets add this check in +the calculation of RX buffer size. + +Fixes: 7ac6653a085b ("stmmac: Move the STMicroelectronics driver") +Signed-off-by: Jose Abreu <Jose.Abreu@synopsys.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -904,7 +904,9 @@ static int stmmac_set_bfsize(int mtu, in + { + int ret = bufsize; + +- if (mtu >= BUF_SIZE_4KiB) ++ if (mtu >= BUF_SIZE_8KiB) ++ ret = BUF_SIZE_16KiB; ++ else if (mtu >= BUF_SIZE_4KiB) + ret = BUF_SIZE_8KiB; + else if (mtu >= BUF_SIZE_2KiB) + ret = BUF_SIZE_4KiB;
diff --git a/queue-3.16/net_sched-fix-datalen-for-ematch.patch b/queue-3.16/net_sched-fix-datalen-for-ematch.patch new file mode 100644 index 0000000..a9d2e13 --- /dev/null +++ b/queue-3.16/net_sched-fix-datalen-for-ematch.patch
@@ -0,0 +1,45 @@ +From: Cong Wang <xiyou.wangcong@gmail.com> +Date: Wed, 22 Jan 2020 15:42:02 -0800 +Subject: net_sched: fix datalen for ematch + +commit 61678d28d4a45ef376f5d02a839cc37509ae9281 upstream. + +syzbot reported an out-of-bound access in em_nbyte. As initially +analyzed by Eric, this is because em_nbyte sets its own em->datalen +in em_nbyte_change() other than the one specified by user, but this +value gets overwritten later by its caller tcf_em_validate(). +We should leave em->datalen untouched to respect their choices. + +I audit all the in-tree ematch users, all of those implement +->change() set em->datalen, so we can just avoid setting it twice +in this case. + +Reported-and-tested-by: syzbot+5af9a90dad568aa9f611@syzkaller.appspotmail.com +Reported-by: syzbot+2f07903a5b05e7f36410@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: Eric Dumazet <eric.dumazet@gmail.com> +Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> +Reviewed-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/sched/ematch.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/ematch.c ++++ b/net/sched/ematch.c +@@ -266,12 +266,12 @@ static int tcf_em_validate(struct tcf_pr + } + em->data = (unsigned long) v; + } ++ em->datalen = data_len; + } + } + + em->matchid = em_hdr->matchid; + em->flags = em_hdr->flags; +- em->datalen = data_len; + + err = 0; + errout:
diff --git a/queue-3.16/netfilter-arp_tables-init-netns-pointer-in-xt_tgchk_param-struct.patch b/queue-3.16/netfilter-arp_tables-init-netns-pointer-in-xt_tgchk_param-struct.patch new file mode 100644 index 0000000..5fcc661 --- /dev/null +++ b/queue-3.16/netfilter-arp_tables-init-netns-pointer-in-xt_tgchk_param-struct.patch
@@ -0,0 +1,146 @@ +From: Florian Westphal <fw@strlen.de> +Date: Fri, 27 Dec 2019 01:33:10 +0100 +Subject: netfilter: arp_tables: init netns pointer in xt_tgchk_param struct + +commit 1b789577f655060d98d20ed0c6f9fbd469d6ba63 upstream. + +We get crash when the targets checkentry function tries to make +use of the network namespace pointer for arptables. + +When the net pointer got added back in 2010, only ip/ip6/ebtables were +changed to initialize it, so arptables has this set to NULL. + +This isn't a problem for normal arptables because no existing +arptables target has a checkentry function that makes use of par->net. + +However, direct users of the setsockopt interface can provide any +target they want as long as its registered for ARP or UNPSEC protocols. + +syzkaller managed to send a semi-valid arptables rule for RATEEST target +which is enough to trigger NULL deref: + +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] PREEMPT SMP KASAN +RIP: xt_rateest_tg_checkentry+0x11d/0xb40 net/netfilter/xt_RATEEST.c:109 +[..] + xt_check_target+0x283/0x690 net/netfilter/x_tables.c:1019 + check_target net/ipv4/netfilter/arp_tables.c:399 [inline] + find_check_entry net/ipv4/netfilter/arp_tables.c:422 [inline] + translate_table+0x1005/0x1d70 net/ipv4/netfilter/arp_tables.c:572 + do_replace net/ipv4/netfilter/arp_tables.c:977 [inline] + do_arpt_set_ctl+0x310/0x640 net/ipv4/netfilter/arp_tables.c:1456 + +Fixes: add67461240c1d ("netfilter: add struct net * to target parameters") +Reported-by: syzbot+d7358a458d8a81aee898@syzkaller.appspotmail.com +Signed-off-by: Florian Westphal <fw@strlen.de> +Acked-by: Cong Wang <xiyou.wangcong@gmail.com> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/ipv4/netfilter/arp_tables.c | 27 ++++++++++++++++----------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -480,11 +480,12 @@ static int mark_source_chains(const stru + return 1; + } + +-static inline int check_target(struct arpt_entry *e, const char *name) ++static int check_target(struct arpt_entry *e, struct net *net, const char *name) + { + struct xt_entry_target *t = arpt_get_target(e); + int ret; + struct xt_tgchk_param par = { ++ .net = net, + .table = name, + .entryinfo = e, + .target = t->u.kernel.target, +@@ -502,8 +503,9 @@ static inline int check_target(struct ar + return 0; + } + +-static inline int +-find_check_entry(struct arpt_entry *e, const char *name, unsigned int size) ++static int ++find_check_entry(struct arpt_entry *e, struct net *net, const char *name, ++ unsigned int size) + { + struct xt_entry_target *t; + struct xt_target *target; +@@ -519,7 +521,7 @@ find_check_entry(struct arpt_entry *e, c + } + t->u.kernel.target = target; + +- ret = check_target(e, name); ++ ret = check_target(e, net, name); + if (ret) + goto err; + return 0; +@@ -617,7 +619,9 @@ static inline void cleanup_entry(struct + /* Checks and translates the user-supplied table segment (held in + * newinfo). + */ +-static int translate_table(struct xt_table_info *newinfo, void *entry0, ++static int translate_table(struct net *net, ++ struct xt_table_info *newinfo, ++ void *entry0, + const struct arpt_replace *repl) + { + struct arpt_entry *iter; +@@ -692,7 +696,7 @@ static int translate_table(struct xt_tab + /* Finally, each sanity check must pass */ + i = 0; + xt_entry_foreach(iter, entry0, newinfo->size) { +- ret = find_check_entry(iter, repl->name, repl->size); ++ ret = find_check_entry(iter, net, repl->name, repl->size); + if (ret != 0) + break; + ++i; +@@ -1100,7 +1104,7 @@ static int do_replace(struct net *net, c + goto free_newinfo; + } + +- ret = translate_table(newinfo, loc_cpu_entry, &tmp); ++ ret = translate_table(net, newinfo, loc_cpu_entry, &tmp); + if (ret != 0) + goto free_newinfo; + +@@ -1287,7 +1291,8 @@ compat_copy_entry_from_user(struct compa + } + } + +-static int translate_compat_table(struct xt_table_info **pinfo, ++static int translate_compat_table(struct net *net, ++ struct xt_table_info **pinfo, + void **pentry0, + const struct compat_arpt_replace *compatr) + { +@@ -1356,7 +1361,7 @@ static int translate_compat_table(struct + repl.num_counters = 0; + repl.counters = NULL; + repl.size = newinfo->size; +- ret = translate_table(newinfo, entry1, &repl); ++ ret = translate_table(net, newinfo, entry1, &repl); + if (ret) + goto free_newinfo; + +@@ -1412,7 +1417,7 @@ static int compat_do_replace(struct net + goto free_newinfo; + } + +- ret = translate_compat_table(&newinfo, &loc_cpu_entry, &tmp); ++ ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp); + if (ret != 0) + goto free_newinfo; + +@@ -1685,7 +1690,7 @@ struct xt_table *arpt_register_table(str + loc_cpu_entry = newinfo->entries[raw_smp_processor_id()]; + memcpy(loc_cpu_entry, repl->entries, repl->size); + +- ret = translate_table(newinfo, loc_cpu_entry, repl); ++ ret = translate_table(net, newinfo, loc_cpu_entry, repl); + duprintf("arpt_register_table: translate table gives %d\n", ret); + if (ret != 0) + goto out_free;
diff --git a/queue-3.16/netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch b/queue-3.16/netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch new file mode 100644 index 0000000..0b506b0 --- /dev/null +++ b/queue-3.16/netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch
@@ -0,0 +1,126 @@ +From: Florian Westphal <fw@strlen.de> +Date: Sat, 11 Jan 2020 23:19:53 +0100 +Subject: netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct + +commit 212e7f56605ef9688d0846db60c6c6ec06544095 upstream. + +An earlier commit (1b789577f655060d98d20e, +"netfilter: arp_tables: init netns pointer in xt_tgchk_param struct") +fixed missing net initialization for arptables, but turns out it was +incomplete. We can get a very similar struct net NULL deref during +error unwinding: + +general protection fault: 0000 [#1] PREEMPT SMP KASAN +RIP: 0010:xt_rateest_put+0xa1/0x440 net/netfilter/xt_RATEEST.c:77 + xt_rateest_tg_destroy+0x72/0xa0 net/netfilter/xt_RATEEST.c:175 + cleanup_entry net/ipv4/netfilter/arp_tables.c:509 [inline] + translate_table+0x11f4/0x1d80 net/ipv4/netfilter/arp_tables.c:587 + do_replace net/ipv4/netfilter/arp_tables.c:981 [inline] + do_arpt_set_ctl+0x317/0x650 net/ipv4/netfilter/arp_tables.c:1461 + +Also init the netns pointer in xt_tgdtor_param struct. + +Fixes: add67461240c1d ("netfilter: add struct net * to target parameters") +Reported-by: syzbot+91bdd8eece0f6629ec8b@syzkaller.appspotmail.com +Signed-off-by: Florian Westphal <fw@strlen.de> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +[bwh: Backported to 3.16: + - __arpt_unregister_table() has not been split out of + arpt_unregister_table() + - Add "net" parameter to arpt_unregister_table() and update its only + caller in arptable_filter.c] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/include/linux/netfilter_arp/arp_tables.h ++++ b/include/linux/netfilter_arp/arp_tables.h +@@ -51,7 +51,7 @@ extern void *arpt_alloc_initial_table(co + extern struct xt_table *arpt_register_table(struct net *net, + const struct xt_table *table, + const struct arpt_replace *repl); +-extern void arpt_unregister_table(struct xt_table *table); ++extern void arpt_unregister_table(struct net *, struct xt_table *table); + extern unsigned int arpt_do_table(struct sk_buff *skb, + unsigned int hook, + const struct net_device *in, +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -602,12 +602,13 @@ static inline int check_entry_size_and_h + return 0; + } + +-static inline void cleanup_entry(struct arpt_entry *e) ++static void cleanup_entry(struct arpt_entry *e, struct net *net) + { + struct xt_tgdtor_param par; + struct xt_entry_target *t; + + t = arpt_get_target(e); ++ par.net = net; + par.target = t->u.kernel.target; + par.targinfo = t->data; + par.family = NFPROTO_ARP; +@@ -706,7 +707,7 @@ static int translate_table(struct net *n + xt_entry_foreach(iter, entry0, newinfo->size) { + if (i-- == 0) + break; +- cleanup_entry(iter); ++ cleanup_entry(iter, net); + } + return ret; + } +@@ -1051,7 +1052,7 @@ static int __do_replace(struct net *net, + /* Decrease module usage counts and free resource */ + loc_cpu_old_entry = oldinfo->entries[raw_smp_processor_id()]; + xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size) +- cleanup_entry(iter); ++ cleanup_entry(iter, net); + + xt_free_table_info(oldinfo); + if (copy_to_user(counters_ptr, counters, +@@ -1118,7 +1119,7 @@ static int do_replace(struct net *net, c + + free_newinfo_untrans: + xt_entry_foreach(iter, loc_cpu_entry, newinfo->size) +- cleanup_entry(iter); ++ cleanup_entry(iter, net); + free_newinfo: + xt_free_table_info(newinfo); + return ret; +@@ -1431,7 +1432,7 @@ static int compat_do_replace(struct net + + free_newinfo_untrans: + xt_entry_foreach(iter, loc_cpu_entry, newinfo->size) +- cleanup_entry(iter); ++ cleanup_entry(iter, net); + free_newinfo: + xt_free_table_info(newinfo); + return ret; +@@ -1708,7 +1709,7 @@ out: + return ERR_PTR(ret); + } + +-void arpt_unregister_table(struct xt_table *table) ++void arpt_unregister_table(struct net *net, struct xt_table *table) + { + struct xt_table_info *private; + void *loc_cpu_entry; +@@ -1720,7 +1721,7 @@ void arpt_unregister_table(struct xt_tab + /* Decrease module usage counts and free resources */ + loc_cpu_entry = private->entries[raw_smp_processor_id()]; + xt_entry_foreach(iter, loc_cpu_entry, private->size) +- cleanup_entry(iter); ++ cleanup_entry(iter, net); + if (private->number > private->initial_entries) + module_put(table_owner); + xt_free_table_info(private); +--- a/net/ipv4/netfilter/arptable_filter.c ++++ b/net/ipv4/netfilter/arptable_filter.c +@@ -54,7 +54,7 @@ static int __net_init arptable_filter_ne + + static void __net_exit arptable_filter_net_exit(struct net *net) + { +- arpt_unregister_table(net->ipv4.arptable_filter); ++ arpt_unregister_table(net, net->ipv4.arptable_filter); + } + + static struct pernet_operations arptable_filter_net_ops = {
diff --git a/queue-3.16/netfilter-bridge-make-sure-to-pull-arp-header-in.patch b/queue-3.16/netfilter-bridge-make-sure-to-pull-arp-header-in.patch new file mode 100644 index 0000000..d9ad846 --- /dev/null +++ b/queue-3.16/netfilter-bridge-make-sure-to-pull-arp-header-in.patch
@@ -0,0 +1,108 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Sat, 7 Dec 2019 14:43:39 -0800 +Subject: netfilter: bridge: make sure to pull arp header in + br_nf_forward_arp() + +commit 5604285839aaedfb23ebe297799c6e558939334d upstream. + +syzbot is kind enough to remind us we need to call skb_may_pull() + +BUG: KMSAN: uninit-value in br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665 +CPU: 1 PID: 11631 Comm: syz-executor.1 Not tainted 5.4.0-rc8-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + <IRQ> + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c9/0x220 lib/dump_stack.c:118 + kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108 + __msan_warning+0x64/0xc0 mm/kmsan/kmsan_instr.c:245 + br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665 + nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline] + nf_hook_slow+0x18b/0x3f0 net/netfilter/core.c:512 + nf_hook include/linux/netfilter.h:260 [inline] + NF_HOOK include/linux/netfilter.h:303 [inline] + __br_forward+0x78f/0xe30 net/bridge/br_forward.c:109 + br_flood+0xef0/0xfe0 net/bridge/br_forward.c:234 + br_handle_frame_finish+0x1a77/0x1c20 net/bridge/br_input.c:162 + nf_hook_bridge_pre net/bridge/br_input.c:245 [inline] + br_handle_frame+0xfb6/0x1eb0 net/bridge/br_input.c:348 + __netif_receive_skb_core+0x20b9/0x51a0 net/core/dev.c:4830 + __netif_receive_skb_one_core net/core/dev.c:4927 [inline] + __netif_receive_skb net/core/dev.c:5043 [inline] + process_backlog+0x610/0x13c0 net/core/dev.c:5874 + napi_poll net/core/dev.c:6311 [inline] + net_rx_action+0x7a6/0x1aa0 net/core/dev.c:6379 + __do_softirq+0x4a1/0x83a kernel/softirq.c:293 + do_softirq_own_stack+0x49/0x80 arch/x86/entry/entry_64.S:1091 + </IRQ> + do_softirq kernel/softirq.c:338 [inline] + __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:190 + local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32 + rcu_read_unlock_bh include/linux/rcupdate.h:688 [inline] + __dev_queue_xmit+0x38e8/0x4200 net/core/dev.c:3819 + dev_queue_xmit+0x4b/0x60 net/core/dev.c:3825 + packet_snd net/packet/af_packet.c:2959 [inline] + packet_sendmsg+0x8234/0x9100 net/packet/af_packet.c:2984 + sock_sendmsg_nosec net/socket.c:637 [inline] + sock_sendmsg net/socket.c:657 [inline] + __sys_sendto+0xc44/0xc70 net/socket.c:1952 + __do_sys_sendto net/socket.c:1964 [inline] + __se_sys_sendto+0x107/0x130 net/socket.c:1960 + __x64_sys_sendto+0x6e/0x90 net/socket.c:1960 + do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x45a679 +Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f0a3c9e5c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000000045a679 +RDX: 000000000000000e RSI: 0000000020000200 RDI: 0000000000000003 +RBP: 000000000075bf20 R08: 00000000200000c0 R09: 0000000000000014 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0a3c9e66d4 +R13: 00000000004c8ec1 R14: 00000000004dfe28 R15: 00000000ffffffff + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:149 [inline] + kmsan_internal_poison_shadow+0x5c/0x110 mm/kmsan/kmsan.c:132 + kmsan_slab_alloc+0x97/0x100 mm/kmsan/kmsan_hooks.c:86 + slab_alloc_node mm/slub.c:2773 [inline] + __kmalloc_node_track_caller+0xe27/0x11a0 mm/slub.c:4381 + __kmalloc_reserve net/core/skbuff.c:141 [inline] + __alloc_skb+0x306/0xa10 net/core/skbuff.c:209 + alloc_skb include/linux/skbuff.h:1049 [inline] + alloc_skb_with_frags+0x18c/0xa80 net/core/skbuff.c:5662 + sock_alloc_send_pskb+0xafd/0x10a0 net/core/sock.c:2244 + packet_alloc_skb net/packet/af_packet.c:2807 [inline] + packet_snd net/packet/af_packet.c:2902 [inline] + packet_sendmsg+0x63a6/0x9100 net/packet/af_packet.c:2984 + sock_sendmsg_nosec net/socket.c:637 [inline] + sock_sendmsg net/socket.c:657 [inline] + __sys_sendto+0xc44/0xc70 net/socket.c:1952 + __do_sys_sendto net/socket.c:1964 [inline] + __se_sys_sendto+0x107/0x130 net/socket.c:1960 + __x64_sys_sendto+0x6e/0x90 net/socket.c:1960 + do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: c4e70a87d975 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: syzbot <syzkaller@googlegroups.com> +Reviewed-by: Florian Westphal <fw@strlen.de> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +[bwh: Backported to 3.16: adjust filename] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/bridge/br_netfilter.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/bridge/br_netfilter.c ++++ b/net/bridge/br_netfilter.c +@@ -850,6 +850,9 @@ static unsigned int br_nf_forward_arp(co + nf_bridge_pull_encap_header(skb); + } + ++ if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr)))) ++ return NF_DROP; ++ + if (arp_hdr(skb)->ar_pln != 4) { + if (IS_VLAN_ARP(skb)) + nf_bridge_push_encap_header(skb);
diff --git a/queue-3.16/netfilter-ctnetlink-netns-exit-must-wait-for-callbacks.patch b/queue-3.16/netfilter-ctnetlink-netns-exit-must-wait-for-callbacks.patch new file mode 100644 index 0000000..6b330d7 --- /dev/null +++ b/queue-3.16/netfilter-ctnetlink-netns-exit-must-wait-for-callbacks.patch
@@ -0,0 +1,71 @@ +From: Florian Westphal <fw@strlen.de> +Date: Fri, 15 Nov 2019 12:39:23 +0100 +Subject: netfilter: ctnetlink: netns exit must wait for callbacks + +commit 18a110b022a5c02e7dc9f6109d0bd93e58ac6ebb upstream. + +Curtis Taylor and Jon Maxwell reported and debugged a crash on 3.10 +based kernel. + +Crash occurs in ctnetlink_conntrack_events because net->nfnl socket is +NULL. The nfnl socket was set to NULL by netns destruction running on +another cpu. + +The exiting network namespace calls the relevant destructors in the +following order: + +1. ctnetlink_net_exit_batch + +This nulls out the event callback pointer in struct netns. + +2. nfnetlink_net_exit_batch + +This nulls net->nfnl socket and frees it. + +3. nf_conntrack_cleanup_net_list + +This removes all remaining conntrack entries. + +This is order is correct. The only explanation for the crash so ar is: + +cpu1: conntrack is dying, eviction occurs: + -> nf_ct_delete() + -> nf_conntrack_event_report \ + -> nf_conntrack_eventmask_report + -> notify->fcn() (== ctnetlink_conntrack_events). + +cpu1: a. fetches rcu protected pointer to obtain ctnetlink event callback. + b. gets interrupted. + cpu2: runs netns exit handlers: + a runs ctnetlink destructor, event cb pointer set to NULL. + b runs nfnetlink destructor, nfnl socket is closed and set to NULL. +cpu1: c. resumes and trips over NULL net->nfnl. + +Problem appears to be that ctnetlink_net_exit_batch only prevents future +callers of nf_conntrack_eventmask_report() from obtaining the callback. +It doesn't wait of other cpus that might have already obtained the +callbacks address. + +I don't see anything in upstream kernels that would prevent similar +crash: We need to wait for all cpus to have exited the event callback. + +Fixes: 9592a5c01e79dbc59eb56fa ("netfilter: ctnetlink: netns support") +Signed-off-by: Florian Westphal <fw@strlen.de> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/netfilter/nf_conntrack_netlink.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -3225,6 +3225,9 @@ static void __net_exit ctnetlink_net_exi + + list_for_each_entry(net, net_exit_list, exit_list) + ctnetlink_net_exit(net); ++ ++ /* wait for other cpus until they are done with ctnl_notifiers */ ++ synchronize_rcu(); + } + + static struct pernet_operations ctnetlink_net_ops = {
diff --git a/queue-3.16/netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch b/queue-3.16/netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch new file mode 100644 index 0000000..637676f --- /dev/null +++ b/queue-3.16/netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch
@@ -0,0 +1,134 @@ +From: Florian Westphal <fw@strlen.de> +Date: Sun, 15 Dec 2019 03:49:25 +0100 +Subject: netfilter: ebtables: compat: reject all padding in matches/watchers + +commit e608f631f0ba5f1fc5ee2e260a3a35d13107cbfe upstream. + +syzbot reported following splat: + +BUG: KASAN: vmalloc-out-of-bounds in size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline] +BUG: KASAN: vmalloc-out-of-bounds in compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155 +Read of size 4 at addr ffffc900004461f4 by task syz-executor267/7937 + +CPU: 1 PID: 7937 Comm: syz-executor267 Not tainted 5.5.0-rc1-syzkaller #0 + size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline] + compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155 + compat_do_replace+0x344/0x720 net/bridge/netfilter/ebtables.c:2249 + compat_do_ebt_set_ctl+0x22f/0x27e net/bridge/netfilter/ebtables.c:2333 + [..] + +Because padding isn't considered during computation of ->buf_user_offset, +"total" is decremented by fewer bytes than it should. + +Therefore, the first part of + +if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry)) + +will pass, -- it should not have. This causes oob access: +entry->next_offset is past the vmalloced size. + +Reject padding and check that computed user offset (sum of ebt_entry +structure plus all individual matches/watchers/targets) is same +value that userspace gave us as the offset of the next entry. + +Reported-by: syzbot+f68108fed972453a0ad4@syzkaller.appspotmail.com +Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support") +Signed-off-by: Florian Westphal <fw@strlen.de> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/bridge/netfilter/ebtables.c | 33 ++++++++++++++++----------------- + 1 file changed, 16 insertions(+), 17 deletions(-) + +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1855,7 +1855,7 @@ static int ebt_buf_count(struct ebt_entr + } + + static int ebt_buf_add(struct ebt_entries_buf_state *state, +- void *data, unsigned int sz) ++ const void *data, unsigned int sz) + { + if (state->buf_kern_start == NULL) + goto count_only; +@@ -1889,7 +1889,7 @@ enum compat_mwt { + EBT_COMPAT_TARGET, + }; + +-static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt, ++static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt, + enum compat_mwt compat_mwt, + struct ebt_entries_buf_state *state, + const unsigned char *base) +@@ -1966,22 +1966,23 @@ static int compat_mtw_from_user(struct c + * return size of all matches, watchers or target, including necessary + * alignment and padding. + */ +-static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32, ++static int ebt_size_mwt(const struct compat_ebt_entry_mwt *match32, + unsigned int size_left, enum compat_mwt type, + struct ebt_entries_buf_state *state, const void *base) + { ++ const char *buf = (const char *)match32; + int growth = 0; +- char *buf; + + if (size_left == 0) + return 0; + +- buf = (char *) match32; +- +- while (size_left >= sizeof(*match32)) { ++ do { + struct ebt_entry_match *match_kern; + int ret; + ++ if (size_left < sizeof(*match32)) ++ return -EINVAL; ++ + match_kern = (struct ebt_entry_match *) state->buf_kern_start; + if (match_kern) { + char *tmp; +@@ -2018,22 +2019,18 @@ static int ebt_size_mwt(struct compat_eb + if (match_kern) + match_kern->match_size = ret; + +- /* rule should have no remaining data after target */ +- if (type == EBT_COMPAT_TARGET && size_left) +- return -EINVAL; +- + match32 = (struct compat_ebt_entry_mwt *) buf; +- } ++ } while (size_left); + + return growth; + } + + /* called for all ebt_entry structures. */ +-static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base, ++static int size_entry_mwt(const struct ebt_entry *entry, const unsigned char *base, + unsigned int *total, + struct ebt_entries_buf_state *state) + { +- unsigned int i, j, startoff, new_offset = 0; ++ unsigned int i, j, startoff, next_expected_off, new_offset = 0; + /* stores match/watchers/targets & offset of next struct ebt_entry: */ + unsigned int offsets[4]; + unsigned int *offsets_update = NULL; +@@ -2121,11 +2118,13 @@ static int size_entry_mwt(struct ebt_ent + return ret; + } + +- startoff = state->buf_user_offset - startoff; ++ next_expected_off = state->buf_user_offset - startoff; ++ if (next_expected_off != entry->next_offset) ++ return -EINVAL; + +- if (WARN_ON(*total < startoff)) ++ if (*total < entry->next_offset) + return -EINVAL; +- *total -= startoff; ++ *total -= entry->next_offset; + return 0; + } +
diff --git a/queue-3.16/netfilter-ebtables-convert-bug_ons-to-warn_ons.patch b/queue-3.16/netfilter-ebtables-convert-bug_ons-to-warn_ons.patch new file mode 100644 index 0000000..00ca11f --- /dev/null +++ b/queue-3.16/netfilter-ebtables-convert-bug_ons-to-warn_ons.patch
@@ -0,0 +1,103 @@ +From: Florian Westphal <fw@strlen.de> +Date: Mon, 19 Feb 2018 01:24:53 +0100 +Subject: netfilter: ebtables: convert BUG_ONs to WARN_ONs + +commit fc6a5d0601c5ac1d02f283a46f60b87b2033e5ca upstream. + +All of these conditions are not fatal and should have +been WARN_ONs from the get-go. + +Convert them to WARN_ONs and bail out. + +Signed-off-by: Florian Westphal <fw@strlen.de> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/bridge/netfilter/ebtables.c | 27 ++++++++++++++++++--------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1603,7 +1603,8 @@ static int compat_match_to_user(struct e + int off = ebt_compat_match_offset(match, m->match_size); + compat_uint_t msize = m->match_size - off; + +- BUG_ON(off >= m->match_size); ++ if (WARN_ON(off >= m->match_size)) ++ return -EINVAL; + + if (copy_to_user(cm->u.name, match->name, + strlen(match->name) + 1) || put_user(msize, &cm->match_size)) +@@ -1630,7 +1631,8 @@ static int compat_target_to_user(struct + int off = xt_compat_target_offset(target); + compat_uint_t tsize = t->target_size - off; + +- BUG_ON(off >= t->target_size); ++ if (WARN_ON(off >= t->target_size)) ++ return -EINVAL; + + if (copy_to_user(cm->u.name, target->name, + strlen(target->name) + 1) || put_user(tsize, &cm->match_size)) +@@ -1858,7 +1860,8 @@ static int ebt_buf_add(struct ebt_entrie + if (state->buf_kern_start == NULL) + goto count_only; + +- BUG_ON(state->buf_kern_offset + sz > state->buf_kern_len); ++ if (WARN_ON(state->buf_kern_offset + sz > state->buf_kern_len)) ++ return -EINVAL; + + memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz); + +@@ -1871,7 +1874,8 @@ static int ebt_buf_add_pad(struct ebt_en + { + char *b = state->buf_kern_start; + +- BUG_ON(b && state->buf_kern_offset > state->buf_kern_len); ++ if (WARN_ON(b && state->buf_kern_offset > state->buf_kern_len)) ++ return -EINVAL; + + if (b != NULL && sz > 0) + memset(b + state->buf_kern_offset, 0, sz); +@@ -1949,8 +1953,10 @@ static int compat_mtw_from_user(struct c + pad = XT_ALIGN(size_kern) - size_kern; + + if (pad > 0 && dst) { +- BUG_ON(state->buf_kern_len <= pad); +- BUG_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad); ++ if (WARN_ON(state->buf_kern_len <= pad)) ++ return -EINVAL; ++ if (WARN_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad)) ++ return -EINVAL; + memset(dst + size_kern, 0, pad); + } + return off + match_size; +@@ -2001,7 +2007,8 @@ static int ebt_size_mwt(struct compat_eb + if (ret < 0) + return ret; + +- BUG_ON(ret < match32->match_size); ++ if (WARN_ON(ret < match32->match_size)) ++ return -EINVAL; + growth += ret - match32->match_size; + growth += ebt_compat_entry_padsize(); + +@@ -2116,7 +2123,8 @@ static int size_entry_mwt(struct ebt_ent + + startoff = state->buf_user_offset - startoff; + +- BUG_ON(*total < startoff); ++ if (WARN_ON(*total < startoff)) ++ return -EINVAL; + *total -= startoff; + return 0; + } +@@ -2246,7 +2254,8 @@ static int compat_do_replace(struct net + state.buf_kern_len = size64; + + ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state); +- BUG_ON(ret < 0); /* parses same data again */ ++ if (WARN_ON(ret < 0)) ++ goto out_unlock; + + vfree(entries_tmp); + tmp.entries_size = size64;
diff --git a/queue-3.16/netfilter-fix-a-use-after-free-in-mtype_destroy.patch b/queue-3.16/netfilter-fix-a-use-after-free-in-mtype_destroy.patch new file mode 100644 index 0000000..e752149 --- /dev/null +++ b/queue-3.16/netfilter-fix-a-use-after-free-in-mtype_destroy.patch
@@ -0,0 +1,36 @@ +From: Cong Wang <xiyou.wangcong@gmail.com> +Date: Fri, 10 Jan 2020 11:53:08 -0800 +Subject: netfilter: fix a use-after-free in mtype_destroy() + +commit c120959387efa51479056fd01dc90adfba7a590c upstream. + +map->members is freed by ip_set_free() right before using it in +mtype_ext_cleanup() again. So we just have to move it down. + +Reported-by: syzbot+4c3cc6dbe7259dbf9054@syzkaller.appspotmail.com +Fixes: 40cd63bf33b2 ("netfilter: ipset: Support extensions which need a per data destroy function") +Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org> +Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/netfilter/ipset/ip_set_bitmap_gen.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/ipset/ip_set_bitmap_gen.h ++++ b/net/netfilter/ipset/ip_set_bitmap_gen.h +@@ -66,12 +66,12 @@ mtype_destroy(struct ip_set *set) + if (SET_WITH_TIMEOUT(set)) + del_timer_sync(&map->gc); + +- ip_set_free(map->members); + if (set->dsize) { + if (set->extensions & IPSET_EXT_DESTROY) + mtype_ext_cleanup(set); + ip_set_free(map->extensions); + } ++ ip_set_free(map->members); + kfree(map); + + set->data = NULL;
diff --git a/queue-3.16/netfilter-ipset-avoid-null-deref-when-ipset_attr_lineno-is-present.patch b/queue-3.16/netfilter-ipset-avoid-null-deref-when-ipset_attr_lineno-is-present.patch new file mode 100644 index 0000000..982895d --- /dev/null +++ b/queue-3.16/netfilter-ipset-avoid-null-deref-when-ipset_attr_lineno-is-present.patch
@@ -0,0 +1,56 @@ +From: Florian Westphal <fw@strlen.de> +Date: Wed, 8 Jan 2020 10:59:38 +0100 +Subject: netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present + +commit 22dad713b8a5ff488e07b821195270672f486eb2 upstream. + +The set uadt functions assume lineno is never NULL, but it is in +case of ip_set_utest(). + +syzkaller managed to generate a netlink message that calls this with +LINENO attr present: + +general protection fault: 0000 [#1] PREEMPT SMP KASAN +RIP: 0010:hash_mac4_uadt+0x1bc/0x470 net/netfilter/ipset/ip_set_hash_mac.c:104 +Call Trace: + ip_set_utest+0x55b/0x890 net/netfilter/ipset/ip_set_core.c:1867 + nfnetlink_rcv_msg+0xcf2/0xfb0 net/netfilter/nfnetlink.c:229 + netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 + nfnetlink_rcv+0x1ba/0x460 net/netfilter/nfnetlink.c:563 + +pass a dummy lineno storage, its easier than patching all set +implementations. + +This seems to be a day-0 bug. + +Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> +Reported-by: syzbot+34bd2369d38707f3f4a7@syzkaller.appspotmail.com +Fixes: a7b4f989a6294 ("netfilter: ipset: IP set core support") +Signed-off-by: Florian Westphal <fw@strlen.de> +Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/netfilter/ipset/ip_set_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/netfilter/ipset/ip_set_core.c ++++ b/net/netfilter/ipset/ip_set_core.c +@@ -1549,6 +1549,7 @@ ip_set_utest(struct sock *ctnl, struct s + struct ip_set *set; + struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {}; + int ret = 0; ++ u32 lineno; + + if (unlikely(protocol_failed(attr) || + attr[IPSET_ATTR_SETNAME] == NULL || +@@ -1565,7 +1566,7 @@ ip_set_utest(struct sock *ctnl, struct s + return -IPSET_ERR_PROTOCOL; + + read_lock_bh(&set->lock); +- ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0, 0); ++ ret = set->variant->uadt(set, tb, IPSET_TEST, &lineno, 0, 0); + read_unlock_bh(&set->lock); + /* Userspace can't trigger element to be re-added */ + if (ret == -EAGAIN)
diff --git a/queue-3.16/netfilter-nf_tables-missing-sanitization-in-data-from-userspace.patch b/queue-3.16/netfilter-nf_tables-missing-sanitization-in-data-from-userspace.patch new file mode 100644 index 0000000..f3f503b --- /dev/null +++ b/queue-3.16/netfilter-nf_tables-missing-sanitization-in-data-from-userspace.patch
@@ -0,0 +1,75 @@ +From: Pablo Neira Ayuso <pablo@netfilter.org> +Date: Mon, 15 May 2017 11:17:29 +0100 +Subject: netfilter: nf_tables: missing sanitization in data from userspace + +commit 71df14b0ce094be46d105b5a3ededd83b8e779a0 upstream. + +Do not assume userspace always sends us NFT_DATA_VALUE for bitwise and +cmp expressions. Although NFT_DATA_VERDICT does not make any sense, it +is still possible to handcraft a netlink message using this incorrect +data type. + +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/netfilter/nft_bitwise.c | 19 ++++++++++++++----- + net/netfilter/nft_cmp.c | 12 ++++++++++-- + 2 files changed, 24 insertions(+), 7 deletions(-) + +--- a/net/netfilter/nft_bitwise.c ++++ b/net/netfilter/nft_bitwise.c +@@ -86,16 +86,25 @@ static int nft_bitwise_init(const struct + err = nft_data_init(NULL, &priv->mask, &d1, tb[NFTA_BITWISE_MASK]); + if (err < 0) + return err; +- if (d1.len != priv->len) +- return -EINVAL; ++ if (d1.len != priv->len) { ++ err = -EINVAL; ++ goto err1; ++ } + + err = nft_data_init(NULL, &priv->xor, &d2, tb[NFTA_BITWISE_XOR]); + if (err < 0) +- return err; +- if (d2.len != priv->len) +- return -EINVAL; ++ goto err1; ++ if (d2.len != priv->len) { ++ err = -EINVAL; ++ goto err2; ++ } + + return 0; ++err2: ++ nft_data_uninit(&priv->xor, d2.type); ++err1: ++ nft_data_uninit(&priv->mask, d1.type); ++ return err; + } + + static int nft_bitwise_dump(struct sk_buff *skb, const struct nft_expr *expr) +--- a/net/netfilter/nft_cmp.c ++++ b/net/netfilter/nft_cmp.c +@@ -201,10 +201,18 @@ nft_cmp_select_ops(const struct nft_ctx + if (err < 0) + return ERR_PTR(err); + ++ if (desc.type != NFT_DATA_VALUE) { ++ err = -EINVAL; ++ goto err1; ++ } ++ + if (desc.len <= sizeof(u32) && op == NFT_CMP_EQ) + return &nft_cmp_fast_ops; +- else +- return &nft_cmp_ops; ++ ++ return &nft_cmp_ops; ++err1: ++ nft_data_uninit(&data, desc.type); ++ return ERR_PTR(-EINVAL); + } + + static struct nft_expr_type nft_cmp_type __read_mostly = {
diff --git a/queue-3.16/netfilter-nf_tables-validate-nft_data_value-after-nft_data_init.patch b/queue-3.16/netfilter-nf_tables-validate-nft_data_value-after-nft_data_init.patch new file mode 100644 index 0000000..f95db03 --- /dev/null +++ b/queue-3.16/netfilter-nf_tables-validate-nft_data_value-after-nft_data_init.patch
@@ -0,0 +1,55 @@ +From: Pablo Neira Ayuso <pablo@netfilter.org> +Date: Fri, 6 Dec 2019 22:09:14 +0100 +Subject: netfilter: nf_tables: validate NFT_DATA_VALUE after nft_data_init() + +commit 0d2c96af797ba149e559c5875c0151384ab6dd14 upstream. + +Userspace might bogusly sent NFT_DATA_VERDICT in several netlink +attributes that assume NFT_DATA_VALUE. Moreover, make sure that error +path invokes nft_data_release() to decrement the reference count on the +chain object. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Fixes: 0f3cd9b36977 ("netfilter: nf_tables: add range expression") +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +[bwh: Backported to 3.16: + - Drop changes in nft_get_set_elem(), nft_range + - Call nft_data_uninit() instead of nft_data_release() + - Adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/net/netfilter/nft_bitwise.c ++++ b/net/netfilter/nft_bitwise.c +@@ -86,7 +86,7 @@ static int nft_bitwise_init(const struct + err = nft_data_init(NULL, &priv->mask, &d1, tb[NFTA_BITWISE_MASK]); + if (err < 0) + return err; +- if (d1.len != priv->len) { ++ if (d1.type != NFT_DATA_VALUE || d1.len != priv->len) { + err = -EINVAL; + goto err1; + } +@@ -94,7 +94,7 @@ static int nft_bitwise_init(const struct + err = nft_data_init(NULL, &priv->xor, &d2, tb[NFTA_BITWISE_XOR]); + if (err < 0) + goto err1; +- if (d2.len != priv->len) { ++ if (d2.type != NFT_DATA_VALUE || d2.len != priv->len) { + err = -EINVAL; + goto err2; + } +--- a/net/netfilter/nft_cmp.c ++++ b/net/netfilter/nft_cmp.c +@@ -84,6 +84,12 @@ static int nft_cmp_init(const struct nft + if (desc.len > U8_MAX) + return -ERANGE; + ++ if (desc.type != NFT_DATA_VALUE) { ++ err = -EINVAL; ++ nft_data_uninit(&priv->data, desc.type); ++ return err; ++ } ++ + priv->len = desc.len; + return 0; + }
diff --git a/queue-3.16/pinctrl-baytrail-clear-interrupt-triggering-from-pins-that-are-in.patch b/queue-3.16/pinctrl-baytrail-clear-interrupt-triggering-from-pins-that-are-in.patch new file mode 100644 index 0000000..022bde0 --- /dev/null +++ b/queue-3.16/pinctrl-baytrail-clear-interrupt-triggering-from-pins-that-are-in.patch
@@ -0,0 +1,90 @@ +From: Mika Westerberg <mika.westerberg@linux.intel.com> +Date: Mon, 23 Feb 2015 14:53:11 +0200 +Subject: pinctrl: baytrail: Clear interrupt triggering from pins that are in + GPIO mode + +commit 95f0972c7e4cbf3fc68160131c5ac2f033481d00 upstream. + +If the pin is already configured as GPIO and it has any of the triggering +flags set, we may get spurious interrupts depending on the state of the +pin. + +Prevent this by clearing the triggering flags on such pins. However, if the +pin is also configured as "direct IRQ" we leave the flags as is. Otherwise +it will prevent interrupts that are routed directly to IO-APIC. + +Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> +Signed-off-by: Linus Walleij <linus.walleij@linaro.org> +[bwh: Backported to 3.16: + - Add definition of BYT_DIRECT_IRQ_EN + - Adjust filename] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/drivers/pinctrl/pinctrl-baytrail.c ++++ b/drivers/pinctrl/pinctrl-baytrail.c +@@ -44,6 +44,7 @@ + + /* BYT_CONF0_REG register bits */ + #define BYT_IODEN BIT(31) ++#define BYT_DIRECT_IRQ_EN BIT(27) + #define BYT_TRIG_NEG BIT(26) + #define BYT_TRIG_POS BIT(25) + #define BYT_TRIG_LVL BIT(24) +@@ -160,6 +161,19 @@ static void __iomem *byt_gpio_reg(struct + return vg->reg_base + reg_offset + reg; + } + ++static void byt_gpio_clear_triggering(struct byt_gpio *vg, unsigned offset) ++{ ++ void __iomem *reg = byt_gpio_reg(&vg->chip, offset, BYT_CONF0_REG); ++ unsigned long flags; ++ u32 value; ++ ++ spin_lock_irqsave(&vg->lock, flags); ++ value = readl(reg); ++ value &= ~(BYT_TRIG_POS | BYT_TRIG_NEG | BYT_TRIG_LVL); ++ writel(value, reg); ++ spin_unlock_irqrestore(&vg->lock, flags); ++} ++ + static u32 byt_get_gpio_mux(struct byt_gpio *vg, unsigned offset) + { + /* SCORE pin 92-93 */ +@@ -213,14 +227,8 @@ static int byt_gpio_request(struct gpio_ + static void byt_gpio_free(struct gpio_chip *chip, unsigned offset) + { + struct byt_gpio *vg = to_byt_gpio(chip); +- void __iomem *reg = byt_gpio_reg(&vg->chip, offset, BYT_CONF0_REG); +- u32 value; +- +- /* clear interrupt triggering */ +- value = readl(reg); +- value &= ~(BYT_TRIG_POS | BYT_TRIG_NEG | BYT_TRIG_LVL); +- writel(value, reg); + ++ byt_gpio_clear_triggering(vg, offset); + pm_runtime_put(&vg->pdev->dev); + } + +@@ -496,6 +504,21 @@ static void byt_gpio_irq_init_hw(struct + { + void __iomem *reg; + u32 base, value; ++ int i; ++ ++ /* ++ * Clear interrupt triggers for all pins that are GPIOs and ++ * do not use direct IRQ mode. This will prevent spurious ++ * interrupts from misconfigured pins. ++ */ ++ for (i = 0; i < vg->chip.ngpio; i++) { ++ value = readl(byt_gpio_reg(&vg->chip, i, BYT_CONF0_REG)); ++ if ((value & BYT_PIN_MUX) == byt_get_gpio_mux(vg, i) && ++ !(value & BYT_DIRECT_IRQ_EN)) { ++ byt_gpio_clear_triggering(vg, i); ++ dev_dbg(&vg->pdev->dev, "disabling GPIO %d\n", i); ++ } ++ } + + /* clear interrupt status trigger registers */ + for (base = 0; base < vg->chip.ngpio; base += 32) {
diff --git a/queue-3.16/pinctrl-baytrail-really-serialize-all-register-accesses.patch b/queue-3.16/pinctrl-baytrail-really-serialize-all-register-accesses.patch new file mode 100644 index 0000000..580257d --- /dev/null +++ b/queue-3.16/pinctrl-baytrail-really-serialize-all-register-accesses.patch
@@ -0,0 +1,260 @@ +From: Hans de Goede <hdegoede@redhat.com> +Date: Tue, 19 Nov 2019 16:46:41 +0100 +Subject: pinctrl: baytrail: Really serialize all register accesses + +commit 40ecab551232972a39cdd8b6f17ede54a3fdb296 upstream. + +Commit 39ce8150a079 ("pinctrl: baytrail: Serialize all register access") +added a spinlock around all register accesses because: + +"There is a hardware issue in Intel Baytrail where concurrent GPIO register + access might result reads of 0xffffffff and writes might get dropped + completely." + +Testing has shown that this does not catch all cases, there are still +2 problems remaining + +1) The original fix uses a spinlock per byt_gpio device / struct, +additional testing has shown that this is not sufficient concurent +accesses to 2 different GPIO banks also suffer from the same problem. + +This commit fixes this by moving to a single global lock. + +2) The original fix did not add a lock around the register accesses in +the suspend/resume handling. + +Since pinctrl-baytrail.c is using normal suspend/resume handlers, +interrupts are still enabled during suspend/resume handling. Nothing +should be using the GPIOs when they are being taken down, _but_ the +GPIOs themselves may still cause interrupts, which are likely to +use (read) the triggering GPIO. So we need to protect against +concurrent GPIO register accesses in the suspend/resume handlers too. + +This commit fixes this by adding the missing spin_lock / unlock calls. + +The 2 fixes together fix the Acer Switch 10 SW5-012 getting completely +confused after a suspend resume. The DSDT for this device has a bug +in its _LID method which reprograms the home and power button trigger- +flags requesting both high and low _level_ interrupts so the IRQs for +these 2 GPIOs continuously fire. This combined with the saving of +registers during suspend, triggers concurrent GPIO register accesses +resulting in saving 0xffffffff as pconf0 value during suspend and then +when restoring this on resume the pinmux settings get all messed up, +resulting in various I2C busses being stuck, the wifi no longer working +and often the tablet simply not coming out of suspend at all. + +Fixes: 39ce8150a079 ("pinctrl: baytrail: Serialize all register access") +Signed-off-by: Hans de Goede <hdegoede@redhat.com> +Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com> +Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> +[bwh: Backported to 3.16: + - Drop changes in functions that don't exist here + - Delete local pointers to byt_gpio that become unused + - Adjust filename, context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/drivers/pinctrl/pinctrl-baytrail.c ++++ b/drivers/pinctrl/pinctrl-baytrail.c +@@ -140,13 +140,14 @@ struct byt_gpio { + struct gpio_chip chip; + struct irq_domain *domain; + struct platform_device *pdev; +- spinlock_t lock; + void __iomem *reg_base; + struct pinctrl_gpio_range *range; + }; + + #define to_byt_gpio(c) container_of(c, struct byt_gpio, chip) + ++static DEFINE_RAW_SPINLOCK(byt_lock); ++ + static void __iomem *byt_gpio_reg(struct gpio_chip *chip, unsigned offset, + int reg) + { +@@ -167,11 +168,11 @@ static void byt_gpio_clear_triggering(st + unsigned long flags; + u32 value; + +- spin_lock_irqsave(&vg->lock, flags); ++ raw_spin_lock_irqsave(&byt_lock, flags); + value = readl(reg); + value &= ~(BYT_TRIG_POS | BYT_TRIG_NEG | BYT_TRIG_LVL); + writel(value, reg); +- spin_unlock_irqrestore(&vg->lock, flags); ++ raw_spin_unlock_irqrestore(&byt_lock, flags); + } + + static u32 byt_get_gpio_mux(struct byt_gpio *vg, unsigned offset) +@@ -196,7 +197,7 @@ static int byt_gpio_request(struct gpio_ + u32 value, gpio_mux; + unsigned long flags; + +- spin_lock_irqsave(&vg->lock, flags); ++ raw_spin_lock_irqsave(&byt_lock, flags); + + /* + * In most cases, func pin mux 000 means GPIO function. +@@ -218,7 +219,7 @@ static int byt_gpio_request(struct gpio_ + "pin %u forcibly re-configured as GPIO\n", offset); + } + +- spin_unlock_irqrestore(&vg->lock, flags); ++ raw_spin_unlock_irqrestore(&byt_lock, flags); + + pm_runtime_get(&vg->pdev->dev); + +@@ -244,7 +245,7 @@ static int byt_irq_type(struct irq_data + if (offset >= vg->chip.ngpio) + return -EINVAL; + +- spin_lock_irqsave(&vg->lock, flags); ++ raw_spin_lock_irqsave(&byt_lock, flags); + value = readl(reg); + + /* For level trigges the BYT_TRIG_POS and BYT_TRIG_NEG bits +@@ -259,7 +260,7 @@ static int byt_irq_type(struct irq_data + else if (type & IRQ_TYPE_LEVEL_MASK) + __irq_set_handler_locked(d->irq, handle_level_irq); + +- spin_unlock_irqrestore(&vg->lock, flags); ++ raw_spin_unlock_irqrestore(&byt_lock, flags); + + return 0; + } +@@ -267,25 +268,23 @@ static int byt_irq_type(struct irq_data + static int byt_gpio_get(struct gpio_chip *chip, unsigned offset) + { + void __iomem *reg = byt_gpio_reg(chip, offset, BYT_VAL_REG); +- struct byt_gpio *vg = to_byt_gpio(chip); + unsigned long flags; + u32 val; + +- spin_lock_irqsave(&vg->lock, flags); ++ raw_spin_lock_irqsave(&byt_lock, flags); + val = readl(reg); +- spin_unlock_irqrestore(&vg->lock, flags); ++ raw_spin_unlock_irqrestore(&byt_lock, flags); + + return val & BYT_LEVEL; + } + + static void byt_gpio_set(struct gpio_chip *chip, unsigned offset, int value) + { +- struct byt_gpio *vg = to_byt_gpio(chip); + void __iomem *reg = byt_gpio_reg(chip, offset, BYT_VAL_REG); + unsigned long flags; + u32 old_val; + +- spin_lock_irqsave(&vg->lock, flags); ++ raw_spin_lock_irqsave(&byt_lock, flags); + + old_val = readl(reg); + +@@ -294,23 +293,22 @@ static void byt_gpio_set(struct gpio_chi + else + writel(old_val & ~BYT_LEVEL, reg); + +- spin_unlock_irqrestore(&vg->lock, flags); ++ raw_spin_unlock_irqrestore(&byt_lock, flags); + } + + static int byt_gpio_direction_input(struct gpio_chip *chip, unsigned offset) + { +- struct byt_gpio *vg = to_byt_gpio(chip); + void __iomem *reg = byt_gpio_reg(chip, offset, BYT_VAL_REG); + unsigned long flags; + u32 value; + +- spin_lock_irqsave(&vg->lock, flags); ++ raw_spin_lock_irqsave(&byt_lock, flags); + + value = readl(reg) | BYT_DIR_MASK; + value &= ~BYT_INPUT_EN; /* active low */ + writel(value, reg); + +- spin_unlock_irqrestore(&vg->lock, flags); ++ raw_spin_unlock_irqrestore(&byt_lock, flags); + + return 0; + } +@@ -318,12 +316,11 @@ static int byt_gpio_direction_input(stru + static int byt_gpio_direction_output(struct gpio_chip *chip, + unsigned gpio, int value) + { +- struct byt_gpio *vg = to_byt_gpio(chip); + void __iomem *reg = byt_gpio_reg(chip, gpio, BYT_VAL_REG); + unsigned long flags; + u32 reg_val; + +- spin_lock_irqsave(&vg->lock, flags); ++ raw_spin_lock_irqsave(&byt_lock, flags); + + reg_val = readl(reg) | BYT_DIR_MASK; + reg_val &= ~(BYT_OUTPUT_EN | BYT_INPUT_EN); +@@ -333,7 +330,7 @@ static int byt_gpio_direction_output(str + else + writel(reg_val & ~BYT_LEVEL, reg); + +- spin_unlock_irqrestore(&vg->lock, flags); ++ raw_spin_unlock_irqrestore(&byt_lock, flags); + + return 0; + } +@@ -345,7 +342,7 @@ static void byt_gpio_dbg_show(struct seq + unsigned long flags; + u32 conf0, val, offs; + +- spin_lock_irqsave(&vg->lock, flags); ++ raw_spin_lock_irqsave(&byt_lock, flags); + + for (i = 0; i < vg->chip.ngpio; i++) { + const char *pull_str = NULL; +@@ -406,7 +403,7 @@ static void byt_gpio_dbg_show(struct seq + + seq_puts(s, "\n"); + } +- spin_unlock_irqrestore(&vg->lock, flags); ++ raw_spin_unlock_irqrestore(&byt_lock, flags); + } + + static int byt_gpio_to_irq(struct gpio_chip *chip, unsigned offset) +@@ -444,10 +441,10 @@ static void byt_irq_ack(struct irq_data + unsigned offset = irqd_to_hwirq(d); + void __iomem *reg; + +- spin_lock(&vg->lock); ++ raw_spin_lock(&byt_lock); + reg = byt_gpio_reg(&vg->chip, offset, BYT_INT_STAT_REG); + writel(BIT(offset % 32), reg); +- spin_unlock(&vg->lock); ++ raw_spin_unlock(&byt_lock); + } + + static void byt_irq_unmask(struct irq_data *d) +@@ -459,7 +456,7 @@ static void byt_irq_unmask(struct irq_da + void __iomem *reg; + u32 value; + +- spin_lock_irqsave(&vg->lock, flags); ++ raw_spin_lock_irqsave(&byt_lock, flags); + + reg = byt_gpio_reg(&vg->chip, offset, BYT_CONF0_REG); + value = readl(reg); +@@ -482,7 +479,7 @@ static void byt_irq_unmask(struct irq_da + + writel(value, reg); + +- spin_unlock_irqrestore(&vg->lock, flags); ++ raw_spin_unlock_irqrestore(&byt_lock, flags); + } + + static void byt_irq_mask(struct irq_data *d) +@@ -613,8 +610,6 @@ static int byt_gpio_probe(struct platfor + if (IS_ERR(vg->reg_base)) + return PTR_ERR(vg->reg_base); + +- spin_lock_init(&vg->lock); +- + gc = &vg->chip; + gc->label = dev_name(&pdev->dev); + gc->owner = THIS_MODULE;
diff --git a/queue-3.16/pinctrl-baytrail-relax-gpio-request-rules.patch b/queue-3.16/pinctrl-baytrail-relax-gpio-request-rules.patch new file mode 100644 index 0000000..31dad02 --- /dev/null +++ b/queue-3.16/pinctrl-baytrail-relax-gpio-request-rules.patch
@@ -0,0 +1,96 @@ +From: Mika Westerberg <mika.westerberg@linux.intel.com> +Date: Mon, 23 Feb 2015 14:53:10 +0200 +Subject: pinctrl: baytrail: Relax GPIO request rules + +commit f8323b6bb2cc7d26941d4838dd4375952980a88a upstream. + +Zotac ZBOX PI320, a Baytrail based mini-PC, has power button connected to a +GPIO pin and it is exposed to the operating system as Windows 8 button +array. This is implemented in Linux as a driver using gpio_keys. + +However, BIOS on this particula machine forgot to mux the pin to be a GPIO +instead of native function, which results following message to be seen on +the console: + + byt_gpio INT33FC:02: pin 16 cannot be used as GPIO. + +This causes power button to not work as the driver was not able to request +the GPIO it needs. + +So instead of completely preventing this we allow turning the pin as GPIO +but issue warning that something might be wrong. + +Reported-by: Benjamin Adler <benadler@gmx.net> +Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> +Signed-off-by: Linus Walleij <linus.walleij@linaro.org> +[bwh: Backported to 3.16: adjust filename] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/pinctrl/pinctrl-baytrail.c | 35 +++++++++++++++--------- + 1 file changed, 22 insertions(+), 13 deletions(-) + +--- a/drivers/pinctrl/pinctrl-baytrail.c ++++ b/drivers/pinctrl/pinctrl-baytrail.c +@@ -160,40 +160,49 @@ static void __iomem *byt_gpio_reg(struct + return vg->reg_base + reg_offset + reg; + } + +-static bool is_special_pin(struct byt_gpio *vg, unsigned offset) ++static u32 byt_get_gpio_mux(struct byt_gpio *vg, unsigned offset) + { + /* SCORE pin 92-93 */ + if (!strcmp(vg->range->name, BYT_SCORE_ACPI_UID) && + offset >= 92 && offset <= 93) +- return true; ++ return 1; + + /* SUS pin 11-21 */ + if (!strcmp(vg->range->name, BYT_SUS_ACPI_UID) && + offset >= 11 && offset <= 21) +- return true; ++ return 1; + +- return false; ++ return 0; + } + + static int byt_gpio_request(struct gpio_chip *chip, unsigned offset) + { + struct byt_gpio *vg = to_byt_gpio(chip); + void __iomem *reg = byt_gpio_reg(chip, offset, BYT_CONF0_REG); +- u32 value; +- bool special; ++ u32 value, gpio_mux; + + /* + * In most cases, func pin mux 000 means GPIO function. + * But, some pins may have func pin mux 001 represents +- * GPIO function. Only allow user to export pin with +- * func pin mux preset as GPIO function by BIOS/FW. ++ * GPIO function. ++ * ++ * Because there are devices out there where some pins were not ++ * configured correctly we allow changing the mux value from ++ * request (but print out warning about that). + */ + value = readl(reg) & BYT_PIN_MUX; +- special = is_special_pin(vg, offset); +- if ((special && value != 1) || (!special && value)) { +- dev_err(&vg->pdev->dev, +- "pin %u cannot be used as GPIO.\n", offset); +- return -EINVAL; ++ gpio_mux = byt_get_gpio_mux(vg, offset); ++ if (WARN_ON(gpio_mux != value)) { ++ unsigned long flags; ++ ++ spin_lock_irqsave(&vg->lock, flags); ++ value = readl(reg) & ~BYT_PIN_MUX; ++ value |= gpio_mux; ++ writel(value, reg); ++ spin_unlock_irqrestore(&vg->lock, flags); ++ ++ dev_warn(&vg->pdev->dev, ++ "pin %u forcibly re-configured as GPIO\n", offset); + } + + pm_runtime_get(&vg->pdev->dev);
diff --git a/queue-3.16/pinctrl-baytrail-rework-interrupt-handling.patch b/queue-3.16/pinctrl-baytrail-rework-interrupt-handling.patch new file mode 100644 index 0000000..f05a6d1 --- /dev/null +++ b/queue-3.16/pinctrl-baytrail-rework-interrupt-handling.patch
@@ -0,0 +1,175 @@ +From: Mika Westerberg <mika.westerberg@linux.intel.com> +Date: Mon, 23 Feb 2015 14:53:12 +0200 +Subject: pinctrl: baytrail: Rework interrupt handling + +commit 31e4329f99062a06dca5a493bb4495a63b2dc6ba upstream. + +Instead of handling everything in the driver's first level interrupt +handler, we can take advantage of already existing flow handlers that are +provided by the IRQ core. + +This changes the functionality a bit also. Previously the driver looped +over pending interrupts in a single loop, restarting the loop if some +interrupt changed state. This caused problem with Lenovo Thinkpad 10 +digitizer that it was not able to deassert the interrupt before the driver +disabled the interrupt for good (looplimit was exhausted). + +Rework the interrupt handling logic a bit so that we provide proper mask, +ack and unmask operations in terms of Baytrail GPIO hardware and loop over +pending interrupts only once. If the interrupt remains asserted the first +level handler will be re-triggered automatically. + +Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> +Signed-off-by: Linus Walleij <linus.walleij@linaro.org> +[bwh: Backported to 3.16 as dependency of commit 39ce8150a079 + "pinctrl: baytrail: Serialize all register access": + - Adjust filename, context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/pinctrl/pinctrl-baytrail.c | 100 +++++++++++++---------- + 1 file changed, 56 insertions(+), 44 deletions(-) + +--- a/drivers/pinctrl/pinctrl-baytrail.c ++++ b/drivers/pinctrl/pinctrl-baytrail.c +@@ -251,23 +251,13 @@ static int byt_irq_type(struct irq_data + */ + value &= ~(BYT_TRIG_POS | BYT_TRIG_NEG | BYT_TRIG_LVL); + +- switch (type) { +- case IRQ_TYPE_LEVEL_HIGH: +- value |= BYT_TRIG_LVL; +- case IRQ_TYPE_EDGE_RISING: +- value |= BYT_TRIG_POS; +- break; +- case IRQ_TYPE_LEVEL_LOW: +- value |= BYT_TRIG_LVL; +- case IRQ_TYPE_EDGE_FALLING: +- value |= BYT_TRIG_NEG; +- break; +- case IRQ_TYPE_EDGE_BOTH: +- value |= (BYT_TRIG_NEG | BYT_TRIG_POS); +- break; +- } + writel(value, reg); + ++ if (type & IRQ_TYPE_EDGE_BOTH) ++ __irq_set_handler_locked(d->irq, handle_edge_irq); ++ else if (type & IRQ_TYPE_LEVEL_MASK) ++ __irq_set_handler_locked(d->irq, handle_level_irq); ++ + spin_unlock_irqrestore(&vg->lock, flags); + + return 0; +@@ -421,54 +411,75 @@ static void byt_gpio_irq_handler(unsigne + struct irq_data *data = irq_desc_get_irq_data(desc); + struct byt_gpio *vg = irq_data_get_irq_handler_data(data); + struct irq_chip *chip = irq_data_get_irq_chip(data); +- u32 base, pin, mask; ++ u32 base, pin; + void __iomem *reg; +- u32 pending; ++ unsigned long pending; + unsigned virq; +- int looplimit = 0; + + /* check from GPIO controller which pin triggered the interrupt */ + for (base = 0; base < vg->chip.ngpio; base += 32) { +- + reg = byt_gpio_reg(&vg->chip, base, BYT_INT_STAT_REG); +- +- while ((pending = readl(reg))) { +- pin = __ffs(pending); +- mask = BIT(pin); +- /* Clear before handling so we can't lose an edge */ +- writel(mask, reg); +- ++ pending = readl(reg); ++ for_each_set_bit(pin, &pending, 32) { + virq = irq_find_mapping(vg->domain, base + pin); + generic_handle_irq(virq); +- +- /* In case bios or user sets triggering incorretly a pin +- * might remain in "interrupt triggered" state. +- */ +- if (looplimit++ > 32) { +- dev_err(&vg->pdev->dev, +- "Gpio %d interrupt flood, disabling\n", +- base + pin); +- +- reg = byt_gpio_reg(&vg->chip, base + pin, +- BYT_CONF0_REG); +- mask = readl(reg); +- mask &= ~(BYT_TRIG_NEG | BYT_TRIG_POS | +- BYT_TRIG_LVL); +- writel(mask, reg); +- mask = readl(reg); /* flush */ +- break; +- } + } + } + chip->irq_eoi(data); + } + ++static void byt_irq_ack(struct irq_data *d) ++{ ++ struct gpio_chip *gc = irq_data_get_irq_chip_data(d); ++ struct byt_gpio *vg = to_byt_gpio(gc); ++ unsigned offset = irqd_to_hwirq(d); ++ void __iomem *reg; ++ ++ reg = byt_gpio_reg(&vg->chip, offset, BYT_INT_STAT_REG); ++ writel(BIT(offset % 32), reg); ++} ++ + static void byt_irq_unmask(struct irq_data *d) + { ++ struct gpio_chip *gc = irq_data_get_irq_chip_data(d); ++ struct byt_gpio *vg = to_byt_gpio(gc); ++ unsigned offset = irqd_to_hwirq(d); ++ unsigned long flags; ++ void __iomem *reg; ++ u32 value; ++ ++ spin_lock_irqsave(&vg->lock, flags); ++ ++ reg = byt_gpio_reg(&vg->chip, offset, BYT_CONF0_REG); ++ value = readl(reg); ++ ++ switch (irqd_get_trigger_type(d)) { ++ case IRQ_TYPE_LEVEL_HIGH: ++ value |= BYT_TRIG_LVL; ++ case IRQ_TYPE_EDGE_RISING: ++ value |= BYT_TRIG_POS; ++ break; ++ case IRQ_TYPE_LEVEL_LOW: ++ value |= BYT_TRIG_LVL; ++ case IRQ_TYPE_EDGE_FALLING: ++ value |= BYT_TRIG_NEG; ++ break; ++ case IRQ_TYPE_EDGE_BOTH: ++ value |= (BYT_TRIG_NEG | BYT_TRIG_POS); ++ break; ++ } ++ ++ writel(value, reg); ++ ++ spin_unlock_irqrestore(&vg->lock, flags); + } + + static void byt_irq_mask(struct irq_data *d) + { ++ struct gpio_chip *gc = irq_data_get_irq_chip_data(d); ++ struct byt_gpio *vg = to_byt_gpio(gc); ++ ++ byt_gpio_clear_triggering(vg, irqd_to_hwirq(d)); + } + + static int byt_irq_reqres(struct irq_data *d) +@@ -493,6 +504,7 @@ static void byt_irq_relres(struct irq_da + + static struct irq_chip byt_irqchip = { + .name = "BYT-GPIO", ++ .irq_ack = byt_irq_ack, + .irq_mask = byt_irq_mask, + .irq_unmask = byt_irq_unmask, + .irq_set_type = byt_irq_type,
diff --git a/queue-3.16/pinctrl-baytrail-serialize-all-register-access.patch b/queue-3.16/pinctrl-baytrail-serialize-all-register-access.patch new file mode 100644 index 0000000..834bfc2 --- /dev/null +++ b/queue-3.16/pinctrl-baytrail-serialize-all-register-access.patch
@@ -0,0 +1,83 @@ +From: Mika Westerberg <mika.westerberg@linux.intel.com> +Date: Tue, 4 Aug 2015 15:03:14 +0300 +Subject: pinctrl: baytrail: Serialize all register access + +commit 39ce8150a079e3ae6ed9abf26d7918a558ef7c19 upstream. + +There is a hardware issue in Intel Baytrail where concurrent GPIO register +access might result reads of 0xffffffff and writes might get dropped +completely. + +Prevent this from happening by taking the serializing lock in all places +where it is possible that more than one thread might be accessing the +hardware concurrently. + +Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> +Signed-off-by: Linus Walleij <linus.walleij@linaro.org> +[bwh: Backported to 3.16: adjust filename] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/pinctrl/pinctrl-baytrail.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +--- a/drivers/pinctrl/pinctrl-baytrail.c ++++ b/drivers/pinctrl/pinctrl-baytrail.c +@@ -194,6 +194,9 @@ static int byt_gpio_request(struct gpio_ + struct byt_gpio *vg = to_byt_gpio(chip); + void __iomem *reg = byt_gpio_reg(chip, offset, BYT_CONF0_REG); + u32 value, gpio_mux; ++ unsigned long flags; ++ ++ spin_lock_irqsave(&vg->lock, flags); + + /* + * In most cases, func pin mux 000 means GPIO function. +@@ -207,18 +210,16 @@ static int byt_gpio_request(struct gpio_ + value = readl(reg) & BYT_PIN_MUX; + gpio_mux = byt_get_gpio_mux(vg, offset); + if (WARN_ON(gpio_mux != value)) { +- unsigned long flags; +- +- spin_lock_irqsave(&vg->lock, flags); + value = readl(reg) & ~BYT_PIN_MUX; + value |= gpio_mux; + writel(value, reg); +- spin_unlock_irqrestore(&vg->lock, flags); + + dev_warn(&vg->pdev->dev, + "pin %u forcibly re-configured as GPIO\n", offset); + } + ++ spin_unlock_irqrestore(&vg->lock, flags); ++ + pm_runtime_get(&vg->pdev->dev); + + return 0; +@@ -266,7 +267,15 @@ static int byt_irq_type(struct irq_data + static int byt_gpio_get(struct gpio_chip *chip, unsigned offset) + { + void __iomem *reg = byt_gpio_reg(chip, offset, BYT_VAL_REG); +- return readl(reg) & BYT_LEVEL; ++ struct byt_gpio *vg = to_byt_gpio(chip); ++ unsigned long flags; ++ u32 val; ++ ++ spin_lock_irqsave(&vg->lock, flags); ++ val = readl(reg); ++ spin_unlock_irqrestore(&vg->lock, flags); ++ ++ return val & BYT_LEVEL; + } + + static void byt_gpio_set(struct gpio_chip *chip, unsigned offset, int value) +@@ -435,8 +444,10 @@ static void byt_irq_ack(struct irq_data + unsigned offset = irqd_to_hwirq(d); + void __iomem *reg; + ++ spin_lock(&vg->lock); + reg = byt_gpio_reg(&vg->chip, offset, BYT_INT_STAT_REG); + writel(BIT(offset % 32), reg); ++ spin_unlock(&vg->lock); + } + + static void byt_irq_unmask(struct irq_data *d)
diff --git a/queue-3.16/pkt_sched-fq-avoid-hang-when-quantum-0.patch b/queue-3.16/pkt_sched-fq-avoid-hang-when-quantum-0.patch new file mode 100644 index 0000000..f93a631 --- /dev/null +++ b/queue-3.16/pkt_sched-fq-avoid-hang-when-quantum-0.patch
@@ -0,0 +1,40 @@ +From: Kenneth Klette Jonassen <kennetkl@ifi.uio.no> +Date: Tue, 3 Feb 2015 17:49:18 +0100 +Subject: pkt_sched: fq: avoid hang when quantum 0 + +commit 3725a269815ba6dbb415feddc47da5af7d1fac58 upstream. + +Configuring fq with quantum 0 hangs the system, presumably because of a +non-interruptible infinite loop. Either way quantum 0 does not make sense. + +Reproduce with: +sudo tc qdisc add dev lo root fq quantum 0 initial_quantum 0 +ping 127.0.0.1 + +Signed-off-by: Kenneth Klette Jonassen <kennetkl@ifi.uio.no> +Acked-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/sched/sch_fq.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/net/sched/sch_fq.c ++++ b/net/sched/sch_fq.c +@@ -687,8 +687,14 @@ static int fq_change(struct Qdisc *sch, + if (tb[TCA_FQ_FLOW_PLIMIT]) + q->flow_plimit = nla_get_u32(tb[TCA_FQ_FLOW_PLIMIT]); + +- if (tb[TCA_FQ_QUANTUM]) +- q->quantum = nla_get_u32(tb[TCA_FQ_QUANTUM]); ++ if (tb[TCA_FQ_QUANTUM]) { ++ u32 quantum = nla_get_u32(tb[TCA_FQ_QUANTUM]); ++ ++ if (quantum > 0) ++ q->quantum = quantum; ++ else ++ err = -EINVAL; ++ } + + if (tb[TCA_FQ_INITIAL_QUANTUM]) + q->initial_quantum = nla_get_u32(tb[TCA_FQ_INITIAL_QUANTUM]);
diff --git a/queue-3.16/pkt_sched-fq-do-not-accept-silly-tca_fq_quantum.patch b/queue-3.16/pkt_sched-fq-do-not-accept-silly-tca_fq_quantum.patch new file mode 100644 index 0000000..d54f038 --- /dev/null +++ b/queue-3.16/pkt_sched-fq-do-not-accept-silly-tca_fq_quantum.patch
@@ -0,0 +1,42 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Mon, 6 Jan 2020 06:10:39 -0800 +Subject: pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM + +commit d9e15a2733067c9328fb56d98fe8e574fa19ec31 upstream. + +As diagnosed by Florian : + +If TCA_FQ_QUANTUM is set to 0x80000000, fq_deueue() +can loop forever in : + +if (f->credit <= 0) { + f->credit += q->quantum; + goto begin; +} + +... because f->credit is either 0 or -2147483648. + +Let's limit TCA_FQ_QUANTUM to no more than 1 << 20 : +This max value should limit risks of breaking user setups +while fixing this bug. + +Fixes: afe4fd062416 ("pkt_sched: fq: Fair Queue packet scheduler") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Diagnosed-by: Florian Westphal <fw@strlen.de> +Reported-by: syzbot+dc9071cc5a85950bdfce@syzkaller.appspotmail.com +Signed-off-by: David S. Miller <davem@davemloft.net> +[bwh: Backported to 3.16: Drop call to NL_SET_ERR_MSG_MOD() as extack is + not supported.] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/net/sched/sch_fq.c ++++ b/net/sched/sch_fq.c +@@ -690,7 +690,7 @@ static int fq_change(struct Qdisc *sch, + if (tb[TCA_FQ_QUANTUM]) { + u32 quantum = nla_get_u32(tb[TCA_FQ_QUANTUM]); + +- if (quantum > 0) ++ if (quantum > 0 && quantum <= (1 << 20)) + q->quantum = quantum; + else + err = -EINVAL;
diff --git a/queue-3.16/platform-x86-asus-wmi-fix-keyboard-brightness-cannot-be-set-to-0.patch b/queue-3.16/platform-x86-asus-wmi-fix-keyboard-brightness-cannot-be-set-to-0.patch new file mode 100644 index 0000000..71a8a9a --- /dev/null +++ b/queue-3.16/platform-x86-asus-wmi-fix-keyboard-brightness-cannot-be-set-to-0.patch
@@ -0,0 +1,36 @@ +From: Jian-Hong Pan <jian-hong@endlessm.com> +Date: Mon, 30 Dec 2019 16:30:45 +0800 +Subject: platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 + +commit 176a7fca81c5090a7240664e3002c106d296bf31 upstream. + +Some of ASUS laptops like UX431FL keyboard backlight cannot be set to +brightness 0. According to ASUS' information, the brightness should be +0x80 ~ 0x83. This patch fixes it by following the logic. + +Fixes: e9809c0b9670 ("asus-wmi: add keyboard backlight support") +Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com> +Reviewed-by: Daniel Drake <drake@endlessm.com> +Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/platform/x86/asus-wmi.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -386,13 +386,7 @@ static void kbd_led_update(struct work_s + + asus = container_of(work, struct asus_wmi, kbd_led_work); + +- /* +- * bits 0-2: level +- * bit 7: light on/off +- */ +- if (asus->kbd_led_wk > 0) +- ctrl_param = 0x80 | (asus->kbd_led_wk & 0x7F); +- ++ ctrl_param = 0x80 | (asus->kbd_led_wk & 0x7F); + asus_wmi_set_devstate(ASUS_WMI_DEVID_KBD_BACKLIGHT, ctrl_param, NULL); + } +
diff --git a/queue-3.16/platform-x86-hp-wmi-make-buffer-for-hpwmi_feature2_query-128-bytes.patch b/queue-3.16/platform-x86-hp-wmi-make-buffer-for-hpwmi_feature2_query-128-bytes.patch new file mode 100644 index 0000000..5ca4cae --- /dev/null +++ b/queue-3.16/platform-x86-hp-wmi-make-buffer-for-hpwmi_feature2_query-128-bytes.patch
@@ -0,0 +1,38 @@ +From: Hans de Goede <hdegoede@redhat.com> +Date: Tue, 17 Dec 2019 20:06:04 +0100 +Subject: platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes + +commit 133b2acee3871ae6bf123b8fe34be14464aa3d2c upstream. + +At least on the HP Envy x360 15-cp0xxx model the WMI interface +for HPWMI_FEATURE2_QUERY requires an outsize of at least 128 bytes, +otherwise it fails with an error code 5 (HPWMI_RET_INVALID_PARAMETERS): + +Dec 06 00:59:38 kernel: hp_wmi: query 0xd returned error 0x5 + +We do not care about the contents of the buffer, we just want to know +if the HPWMI_FEATURE2_QUERY command is supported. + +This commits bumps the buffer size, fixing the error. + +Fixes: 8a1513b4932 ("hp-wmi: limit hotkey enable") +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1520703 +Signed-off-by: Hans de Goede <hdegoede@redhat.com> +Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/platform/x86/hp-wmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/platform/x86/hp-wmi.c ++++ b/drivers/platform/x86/hp-wmi.c +@@ -309,7 +309,7 @@ static int __init hp_wmi_bios_2008_later + + static int __init hp_wmi_bios_2009_later(void) + { +- int state = 0; ++ u8 state[128]; + int ret = hp_wmi_perform_query(HPWMI_FEATURE2_QUERY, 0, &state, + sizeof(state), sizeof(state)); + if (!ret)
diff --git a/queue-3.16/powerpc-irq-fix-stack-overflow-verification.patch b/queue-3.16/powerpc-irq-fix-stack-overflow-verification.patch new file mode 100644 index 0000000..28d6862 --- /dev/null +++ b/queue-3.16/powerpc-irq-fix-stack-overflow-verification.patch
@@ -0,0 +1,45 @@ +From: Christophe Leroy <christophe.leroy@c-s.fr> +Date: Mon, 9 Dec 2019 06:19:08 +0000 +Subject: powerpc/irq: fix stack overflow verification + +commit 099bc4812f09155da77eeb960a983470249c9ce1 upstream. + +Before commit 0366a1c70b89 ("powerpc/irq: Run softirqs off the top of +the irq stack"), check_stack_overflow() was called by do_IRQ(), before +switching to the irq stack. +In that commit, do_IRQ() was renamed __do_irq(), and is now executing +on the irq stack, so check_stack_overflow() has just become almost +useless. + +Move check_stack_overflow() call in do_IRQ() to do the check while +still on the current stack. + +Fixes: 0366a1c70b89 ("powerpc/irq: Run softirqs off the top of the irq stack") +Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr> +Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> +Link: https://lore.kernel.org/r/e033aa8116ab12b7ca9a9c75189ad0741e3b9b5f.1575872340.git.christophe.leroy@c-s.fr +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/powerpc/kernel/irq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kernel/irq.c ++++ b/arch/powerpc/kernel/irq.c +@@ -471,8 +471,6 @@ void __do_irq(struct pt_regs *regs) + + trace_irq_entry(regs); + +- check_stack_overflow(); +- + /* + * Query the platform PIC for the interrupt & ack it. + * +@@ -504,6 +502,8 @@ void do_IRQ(struct pt_regs *regs) + irqtp = hardirq_ctx[raw_smp_processor_id()]; + sirqtp = softirq_ctx[raw_smp_processor_id()]; + ++ check_stack_overflow(); ++ + /* Already there ? */ + if (unlikely(curtp == irqtp || curtp == sirqtp)) { + __do_irq(regs);
diff --git a/queue-3.16/quota-fix-wrong-condition-in-is_quota_modification.patch b/queue-3.16/quota-fix-wrong-condition-in-is_quota_modification.patch new file mode 100644 index 0000000..3b8025a --- /dev/null +++ b/queue-3.16/quota-fix-wrong-condition-in-is_quota_modification.patch
@@ -0,0 +1,42 @@ +From: Chao Yu <yuchao0@huawei.com> +Date: Wed, 11 Sep 2019 17:36:50 +0800 +Subject: quota: fix wrong condition in is_quota_modification() + +commit 6565c182094f69e4ffdece337d395eb7ec760efc upstream. + +Quoted from +commit 3da40c7b0898 ("ext4: only call ext4_truncate when size <= isize") + +" At LSF we decided that if we truncate up from isize we shouldn't trim + fallocated blocks that were fallocated with KEEP_SIZE and are past the + new i_size. This patch fixes ext4 to do this. " + +And generic/092 of fstest have covered this case for long time, however +is_quota_modification() didn't adjust based on that rule, so that in +below condition, we will lose to quota block change: +- fallocate blocks beyond EOF +- remount +- truncate(file_path, file_size) + +Fix it. + +Link: https://lore.kernel.org/r/20190911093650.35329-1-yuchao0@huawei.com +Fixes: 3da40c7b0898 ("ext4: only call ext4_truncate when size <= isize") +Signed-off-by: Chao Yu <yuchao0@huawei.com> +Signed-off-by: Jan Kara <jack@suse.cz> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + include/linux/quotaops.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/quotaops.h ++++ b/include/linux/quotaops.h +@@ -21,7 +21,7 @@ static inline struct quota_info *sb_dqop + /* i_mutex must being held */ + static inline bool is_quota_modification(struct inode *inode, struct iattr *ia) + { +- return (ia->ia_valid & ATTR_SIZE && ia->ia_size != inode->i_size) || ++ return (ia->ia_valid & ATTR_SIZE) || + (ia->ia_valid & ATTR_UID && !uid_eq(ia->ia_uid, inode->i_uid)) || + (ia->ia_valid & ATTR_GID && !gid_eq(ia->ia_gid, inode->i_gid)); + }
diff --git a/queue-3.16/r8152-add-missing-endpoint-sanity-check.patch b/queue-3.16/r8152-add-missing-endpoint-sanity-check.patch new file mode 100644 index 0000000..ea0db1c --- /dev/null +++ b/queue-3.16/r8152-add-missing-endpoint-sanity-check.patch
@@ -0,0 +1,32 @@ +From: Johan Hovold <johan@kernel.org> +Date: Tue, 14 Jan 2020 09:27:29 +0100 +Subject: r8152: add missing endpoint sanity check + +commit 86f3f4cd53707ceeec079b83205c8d3c756eca93 upstream. + +Add missing endpoint sanity check to probe in order to prevent a +NULL-pointer dereference (or slab out-of-bounds access) when retrieving +the interrupt-endpoint bInterval on ndo_open() in case a device lacks +the expected endpoints. + +Fixes: 40a82917b1d3 ("net/usb/r8152: enable interrupt transfer") +Cc: hayeswang <hayeswang@realtek.com> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/usb/r8152.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -3425,6 +3425,9 @@ static int rtl8152_probe(struct usb_inte + return -ENODEV; + } + ++ if (intf->cur_altsetting->desc.bNumEndpoints < 3) ++ return -ENODEV; ++ + usb_reset_device(udev); + netdev = alloc_etherdev(sizeof(struct r8152)); + if (!netdev) {
diff --git a/queue-3.16/scsi-enclosure-fix-stale-device-oops-with-hot-replug.patch b/queue-3.16/scsi-enclosure-fix-stale-device-oops-with-hot-replug.patch new file mode 100644 index 0000000..0ab2bac --- /dev/null +++ b/queue-3.16/scsi-enclosure-fix-stale-device-oops-with-hot-replug.patch
@@ -0,0 +1,41 @@ +From: James Bottomley <James.Bottomley@HansenPartnership.com> +Date: Wed, 8 Jan 2020 17:21:32 -0800 +Subject: scsi: enclosure: Fix stale device oops with hot replug + +commit 529244bd1afc102ab164429d338d310d5d65e60d upstream. + +Doing an add/remove/add on a SCSI device in an enclosure leads to an oops +caused by poisoned values in the enclosure device list pointers. The +reason is because we are keeping the enclosure device across the enclosed +device add/remove/add but the current code is doing a +device_add/device_del/device_add on it. This is the wrong thing to do in +sysfs, so fix it by not doing a device_del on the enclosure device simply +because of a hot remove of the drive in the slot. + +[mkp: added missing email addresses] + +Fixes: 43d8eb9cfd0a ("[SCSI] ses: add support for enclosure component hot removal") +Link: https://lore.kernel.org/r/1578532892.3852.10.camel@HansenPartnership.com +Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> +Reported-by: Luo Jiaxing <luojiaxing@huawei.com> +Tested-by: John Garry <john.garry@huawei.com> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/misc/enclosure.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/misc/enclosure.c ++++ b/drivers/misc/enclosure.c +@@ -364,10 +364,9 @@ int enclosure_remove_device(struct enclo + cdev = &edev->component[i]; + if (cdev->dev == dev) { + enclosure_remove_links(cdev); +- device_del(&cdev->cdev); + put_device(dev); + cdev->dev = NULL; +- return device_add(&cdev->cdev); ++ return 0; + } + } + return -ENODEV;
diff --git a/queue-3.16/scsi-fnic-fix-invalid-stack-access.patch b/queue-3.16/scsi-fnic-fix-invalid-stack-access.patch new file mode 100644 index 0000000..7da0bac --- /dev/null +++ b/queue-3.16/scsi-fnic-fix-invalid-stack-access.patch
@@ -0,0 +1,119 @@ +From: Arnd Bergmann <arnd@arndb.de> +Date: Tue, 7 Jan 2020 21:15:49 +0100 +Subject: scsi: fnic: fix invalid stack access + +commit 42ec15ceaea74b5f7a621fc6686cbf69ca66c4cf upstream. + +gcc -O3 warns that some local variables are not properly initialized: + +drivers/scsi/fnic/vnic_dev.c: In function 'fnic_dev_hang_notify': +drivers/scsi/fnic/vnic_dev.c:511:16: error: 'a0' is used uninitialized in this function [-Werror=uninitialized] + vdev->args[0] = *a0; + ~~~~~~~~~~~~~~^~~~~ +drivers/scsi/fnic/vnic_dev.c:691:6: note: 'a0' was declared here + u64 a0, a1; + ^~ +drivers/scsi/fnic/vnic_dev.c:512:16: error: 'a1' is used uninitialized in this function [-Werror=uninitialized] + vdev->args[1] = *a1; + ~~~~~~~~~~~~~~^~~~~ +drivers/scsi/fnic/vnic_dev.c:691:10: note: 'a1' was declared here + u64 a0, a1; + ^~ +drivers/scsi/fnic/vnic_dev.c: In function 'fnic_dev_mac_addr': +drivers/scsi/fnic/vnic_dev.c:512:16: error: 'a1' is used uninitialized in this function [-Werror=uninitialized] + vdev->args[1] = *a1; + ~~~~~~~~~~~~~~^~~~~ +drivers/scsi/fnic/vnic_dev.c:698:10: note: 'a1' was declared here + u64 a0, a1; + ^~ + +Apparently the code relies on the local variables occupying adjacent memory +locations in the same order, but this is of course not guaranteed. + +Use an array of two u64 variables where needed to make it work correctly. + +I suspect there is also an endianness bug here, but have not digged in deep +enough to be sure. + +Fixes: 5df6d737dd4b ("[SCSI] fnic: Add new Cisco PCI-Express FCoE HBA") +Fixes: mmtom ("init/Kconfig: enable -O3 for all arches") +Link: https://lore.kernel.org/r/20200107201602.4096790-1-arnd@arndb.de +Signed-off-by: Arnd Bergmann <arnd@arndb.de> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/scsi/fnic/vnic_dev.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +--- a/drivers/scsi/fnic/vnic_dev.c ++++ b/drivers/scsi/fnic/vnic_dev.c +@@ -445,26 +445,26 @@ int vnic_dev_soft_reset_done(struct vnic + + int vnic_dev_hang_notify(struct vnic_dev *vdev) + { +- u64 a0, a1; ++ u64 a0 = 0, a1 = 0; + int wait = 1000; + return vnic_dev_cmd(vdev, CMD_HANG_NOTIFY, &a0, &a1, wait); + } + + int vnic_dev_mac_addr(struct vnic_dev *vdev, u8 *mac_addr) + { +- u64 a0, a1; ++ u64 a[2] = {}; + int wait = 1000; + int err, i; + + for (i = 0; i < ETH_ALEN; i++) + mac_addr[i] = 0; + +- err = vnic_dev_cmd(vdev, CMD_MAC_ADDR, &a0, &a1, wait); ++ err = vnic_dev_cmd(vdev, CMD_MAC_ADDR, &a[0], &a[1], wait); + if (err) + return err; + + for (i = 0; i < ETH_ALEN; i++) +- mac_addr[i] = ((u8 *)&a0)[i]; ++ mac_addr[i] = ((u8 *)&a)[i]; + + return 0; + } +@@ -489,15 +489,15 @@ void vnic_dev_packet_filter(struct vnic_ + + void vnic_dev_add_addr(struct vnic_dev *vdev, u8 *addr) + { +- u64 a0 = 0, a1 = 0; ++ u64 a[2] = {}; + int wait = 1000; + int err; + int i; + + for (i = 0; i < ETH_ALEN; i++) +- ((u8 *)&a0)[i] = addr[i]; ++ ((u8 *)&a)[i] = addr[i]; + +- err = vnic_dev_cmd(vdev, CMD_ADDR_ADD, &a0, &a1, wait); ++ err = vnic_dev_cmd(vdev, CMD_ADDR_ADD, &a[0], &a[1], wait); + if (err) + printk(KERN_ERR + "Can't add addr [%02x:%02x:%02x:%02x:%02x:%02x], %d\n", +@@ -507,15 +507,15 @@ void vnic_dev_add_addr(struct vnic_dev * + + void vnic_dev_del_addr(struct vnic_dev *vdev, u8 *addr) + { +- u64 a0 = 0, a1 = 0; ++ u64 a[2] = {}; + int wait = 1000; + int err; + int i; + + for (i = 0; i < ETH_ALEN; i++) +- ((u8 *)&a0)[i] = addr[i]; ++ ((u8 *)&a)[i] = addr[i]; + +- err = vnic_dev_cmd(vdev, CMD_ADDR_DEL, &a0, &a1, wait); ++ err = vnic_dev_cmd(vdev, CMD_ADDR_DEL, &a[0], &a[1], wait); + if (err) + printk(KERN_ERR + "Can't del addr [%02x:%02x:%02x:%02x:%02x:%02x], %d\n",
diff --git a/queue-3.16/scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch b/queue-3.16/scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch new file mode 100644 index 0000000..63608dc --- /dev/null +++ b/queue-3.16/scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch
@@ -0,0 +1,32 @@ +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Tue, 3 Dec 2019 12:45:09 +0300 +Subject: scsi: iscsi: qla4xxx: fix double free in probe + +commit fee92f25777789d73e1936b91472e9c4644457c8 upstream. + +On this error path we call qla4xxx_mem_free() and then the caller also +calls qla4xxx_free_adapter() which calls qla4xxx_mem_free(). It leads to a +couple double frees: + +drivers/scsi/qla4xxx/ql4_os.c:8856 qla4xxx_probe_adapter() warn: 'ha->chap_dma_pool' double freed +drivers/scsi/qla4xxx/ql4_os.c:8856 qla4xxx_probe_adapter() warn: 'ha->fw_ddb_dma_pool' double freed + +Fixes: afaf5a2d341d ("[SCSI] Initial Commit of qla4xxx") +Link: https://lore.kernel.org/r/20191203094421.hw7ex7qr3j2rbsmx@kili.mountain +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/scsi/qla4xxx/ql4_os.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -4269,7 +4269,6 @@ static int qla4xxx_mem_alloc(struct scsi + return QLA_SUCCESS; + + mem_alloc_error_exit: +- qla4xxx_mem_free(ha); + return QLA_ERROR; + } +
diff --git a/queue-3.16/scsi-sd-clear-sdkp-protection_type-if-disk-is-reformatted-without.patch b/queue-3.16/scsi-sd-clear-sdkp-protection_type-if-disk-is-reformatted-without.patch new file mode 100644 index 0000000..b38194d --- /dev/null +++ b/queue-3.16/scsi-sd-clear-sdkp-protection_type-if-disk-is-reformatted-without.patch
@@ -0,0 +1,39 @@ +From: Xiang Chen <chenxiang66@hisilicon.com> +Date: Thu, 9 Jan 2020 09:12:24 +0800 +Subject: scsi: sd: Clear sdkp->protection_type if disk is reformatted without + PI + +commit 465f4edaecc6c37f81349233e84d46246bcac11a upstream. + +If an attached disk with protection information enabled is reformatted +to Type 0 the revalidation code does not clear the original protection +type and subsequent accesses will keep setting RDPROTECT/WRPROTECT. + +Set the protection type to 0 if the disk reports PROT_EN=0 in READ +CAPACITY(16). + +[mkp: commit desc] + +Fixes: fe542396da73 ("[SCSI] sd: Ensure we correctly disable devices with unknown protection type") +Link: https://lore.kernel.org/r/1578532344-101668-1-git-send-email-chenxiang66@hisilicon.com +Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/scsi/sd.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -1910,8 +1910,10 @@ static int sd_read_protection_type(struc + u8 type; + int ret = 0; + +- if (scsi_device_protection(sdp) == 0 || (buffer[12] & 1) == 0) ++ if (scsi_device_protection(sdp) == 0 || (buffer[12] & 1) == 0) { ++ sdkp->protection_type = 0; + return ret; ++ } + + type = ((buffer[12] >> 1) & 7) + 1; /* P_TYPE 0 = Type 1 */ +
diff --git a/queue-3.16/sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch b/queue-3.16/sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch new file mode 100644 index 0000000..009107f --- /dev/null +++ b/queue-3.16/sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch
@@ -0,0 +1,91 @@ +From: Xin Long <lucien.xin@gmail.com> +Date: Sat, 4 Jan 2020 14:15:02 +0800 +Subject: sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY + +commit be7a7729207797476b6666f046d765bdf9630407 upstream. + +This patch is to fix a memleak caused by no place to free cmd->obj.chunk +for the unprocessed SCTP_CMD_REPLY. This issue occurs when failing to +process a cmd while there're still SCTP_CMD_REPLY cmds on the cmd seq +with an allocated chunk in cmd->obj.chunk. + +So fix it by freeing cmd->obj.chunk for each SCTP_CMD_REPLY cmd left on +the cmd seq when any cmd returns error. While at it, also remove 'nomem' +label. + +Reported-by: syzbot+107c4aff5f392bf1517f@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xin Long <lucien.xin@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/sctp/sm_sideeffect.c | 28 ++++++++++++++++++---------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +--- a/net/sctp/sm_sideeffect.c ++++ b/net/sctp/sm_sideeffect.c +@@ -1327,8 +1327,10 @@ static int sctp_cmd_interpreter(sctp_eve + /* Generate an INIT ACK chunk. */ + new_obj = sctp_make_init_ack(asoc, chunk, GFP_ATOMIC, + 0); +- if (!new_obj) +- goto nomem; ++ if (!new_obj) { ++ error = -ENOMEM; ++ break; ++ } + + sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, + SCTP_CHUNK(new_obj)); +@@ -1350,7 +1352,8 @@ static int sctp_cmd_interpreter(sctp_eve + if (!new_obj) { + if (cmd->obj.chunk) + sctp_chunk_free(cmd->obj.chunk); +- goto nomem; ++ error = -ENOMEM; ++ break; + } + sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, + SCTP_CHUNK(new_obj)); +@@ -1397,8 +1400,10 @@ static int sctp_cmd_interpreter(sctp_eve + + /* Generate a SHUTDOWN chunk. */ + new_obj = sctp_make_shutdown(asoc, chunk); +- if (!new_obj) +- goto nomem; ++ if (!new_obj) { ++ error = -ENOMEM; ++ break; ++ } + sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, + SCTP_CHUNK(new_obj)); + break; +@@ -1727,11 +1732,17 @@ static int sctp_cmd_interpreter(sctp_eve + break; + } + +- if (error) ++ if (error) { ++ cmd = sctp_next_cmd(commands); ++ while (cmd) { ++ if (cmd->verb == SCTP_CMD_REPLY) ++ sctp_chunk_free(cmd->obj.chunk); ++ cmd = sctp_next_cmd(commands); ++ } + break; ++ } + } + +-out: + /* If this is in response to a received chunk, wait until + * we are done with the packet to open the queue so that we don't + * send multiple packets in response to a single request. +@@ -1742,8 +1753,5 @@ out: + } else if (local_cork) + error = sctp_outq_uncork(&asoc->outqueue); + return error; +-nomem: +- error = -ENOMEM; +- goto out; + } +
diff --git a/queue-3.16/series b/queue-3.16/series index 04a6049..023b478 100644 --- a/queue-3.16/series +++ b/queue-3.16/series
@@ -1,5 +1,7 @@ mwifiex-fix-unbalanced-locking-in-mwifiex_process_country_ie.patch libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch +libertas-don-t-exit-from-lbs_ibss_join_existing-with-rcu-read-lock.patch +libertas-make-lbs_ibss_join_existing-return-error-code-on-rates.patch mwifiex-fix-probable-memory-corruption-while-processing-tdls-frame.patch mwifiex-fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public.patch @@ -7,6 +9,8 @@ x86-microcode-amd-add-support-for-fam17h-microcode-loading.patch ext4-wait-for-existing-dio-workers-in-ext4_alloc_file_blocks.patch ext4-only-call-ext4_truncate-when-size-isize.patch +ext4-update-c-mtime-on-truncate-up.patch +quota-fix-wrong-condition-in-is_quota_modification.patch ext4-fix-races-between-page-faults-and-hole-punching.patch ext4-move-unlocked-dio-protection-from-ext4_alloc_file_blocks.patch ext4-fix-races-between-buffered-io-and-collapse-insert-range.patch @@ -54,3 +58,154 @@ dm-flakey-fix-reads-to-be-issued-if-drop_writes-configured.patch dm-flakey-check-for-null-arg_name-in-parse_features.patch x86-pti-efi-broken-conversion-from-efi-to-kernel-page-table.patch +batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch +netfilter-ctnetlink-netns-exit-must-wait-for-callbacks.patch +taskstats-fix-data-race.patch +dm-btree-increase-rebalance-threshold-in-__rebalance2.patch +dm-thin-metadata-add-support-for-a-pre-commit-callback.patch +pinctrl-baytrail-relax-gpio-request-rules.patch +pinctrl-baytrail-clear-interrupt-triggering-from-pins-that-are-in.patch +pinctrl-baytrail-rework-interrupt-handling.patch +pinctrl-baytrail-serialize-all-register-access.patch +pinctrl-baytrail-really-serialize-all-register-accesses.patch +netfilter-nf_tables-missing-sanitization-in-data-from-userspace.patch +netfilter-nf_tables-validate-nft_data_value-after-nft_data_init.patch +netfilter-bridge-make-sure-to-pull-arp-header-in.patch +hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch +gpio-fix-error-message-on-out-of-range-gpio-in-lookup-table.patch +neighbour-remove-neigh_cleanup-method.patch +bonding-fix-bond_neigh_init.patch +af_packet-set-defaule-value-for-tmo.patch +acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch +scsi-iscsi-qla4xxx-fix-double-free-in-probe.patch +staging-gigaset-fix-general-protection-fault-on-probe.patch +staging-gigaset-fix-illegal-free-on-probe-errors.patch +staging-gigaset-add-endpoint-type-sanity-check.patch +usb-core-urb-fix-urb-structure-initialization-function.patch +usb-mon-fix-a-deadlock-in-usbmon-between-mmap-and-read.patch +usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch +usb-idmouse-fix-interface-sanity-checks.patch +usb-adutux-fix-interface-sanity-check.patch +usb-atm-ueagle-atm-add-missing-endpoint-check.patch +staging-rtl8188eu-fix-interface-sanity-check.patch +staging-rtl8712-fix-interface-sanity-check.patch +gpiolib-fix-up-emulated-open-drain-outputs.patch +virtio-balloon-fix-managed-page-counts-when-migrating-pages-between.patch +hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch +xhci-handle-some-xhci_trust_tx_length-quirks-cases-as-default.patch +xhci-make-sure-interrupts-are-restored-to-correct-state.patch +usb-dwc3-pci-add-pci-id-for-intel-braswell.patch +usb-dwc3-pci-add-support-for-intel-sunrise-point-pch.patch +usb-dwc3-pci-add-support-for-intel-broxton-soc.patch +usb-dwc3-pci-add-id-for-one-more-intel-broxton-platform.patch +usb-dwc3-pci-add-intel-kabylake-pci-id.patch +usb-dwc3-pci-add-intel-gemini-lake-pci-id.patch +usb-dwc3-pci-add-intel-cannonlake-pci-ids.patch +usb-dwc3-pci-add-support-for-intel-icelake.patch +usb-dwc3-pci-add-support-for-comet-lake-pch-id.patch +usb-dwc3-pci-add-support-for-intel-elkhart-lake-devices.patch +usb-dwc3-pci-add-support-for-tigerlake-devices.patch +usb-dwc3-pci-add-id-for-the-intel-comet-lake-h-variant.patch +tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch +ib-mlx4-avoid-executing-gid-task-when-device-is-being-removed.patch +ib-mlx4-follow-mirror-sequence-of-device-add-during-device-removal.patch +hid-hid-input-clear-unmapped-usages.patch +btrfs-do-not-call-synchronize_srcu-in-inode_tree_del.patch +btrfs-fix-removal-logic-of-the-tree-mod-log-that-leads-to.patch +btrfs-abort-transaction-after-failed-inode-updates-in-create_subvol.patch +btrfs-handle-enoent-in-btrfs_uuid_tree_iterate.patch +btrfs-skip-log-replay-on-orphaned-roots.patch +btrfs-do-not-leak-reloc-root-if-we-fail-to-read-the-fs-root.patch +btrfs-fix-infinite-loop-during-nocow-writeback-due-to-race.patch +btrfs-remove-redundant-btrfs_release_path-from-btrfs_unlink_subvol.patch +btrfs-do-not-delete-mismatched-root-refs.patch +btrfs-check-rw_devices-not-num_devices-for-balance.patch +ext4-check-for-directory-entries-too-close-to-block-end.patch +powerpc-irq-fix-stack-overflow-verification.patch +6pack-mkiss-fix-possible-deadlock.patch +tcp-do-not-send-empty-skb-from-tcp_write_xmit.patch +alsa-pcm-avoid-possible-info-leaks-from-pcm-stream-buffers.patch +alsa-hda-ca0132-avoid-endless-loop.patch +asoc-wm8962-fix-lambda-value.patch +tty-link-tty-and-port-before-configuring-it-as-console.patch +usb-ehci-do-not-return-epipe-when-hub-is-disconnected.patch +usbip-fix-error-path-of-vhci_recv_ret_submit.patch +kvm-x86-host-feature-ssbd-doesn-t-imply-guest-feature.patch +net-stmmac-16kb-buffer-must-be-16-byte-aligned.patch +net-stmmac-enable-16kb-buffer-size.patch +netfilter-ebtables-convert-bug_ons-to-warn_ons.patch +netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch +platform-x86-hp-wmi-make-buffer-for-hpwmi_feature2_query-128-bytes.patch +mod_devicetable-fix-phy-module-format.patch +x86-efistub-disable-paging-at-mixed-mode-entry.patch +alsa-ice1724-fix-sleep-in-atomic-in-infrasonic-quartet-support-code.patch +locks-print-unsigned-ino-in-proc-locks.patch +netfilter-arp_tables-init-netns-pointer-in-xt_tgchk_param-struct.patch +tty-always-relink-the-port.patch +usb-core-fix-check-for-duplicate-endpoints.patch +usb-core-add-endpoint-blacklist-quirk.patch +usb-quirks-blacklist-duplicate-ep-on-sound-devices-usbpre2.patch +usb-musb-dma-correct-parameter-passed-to-irq-handler.patch +can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch +can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from.patch +tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch +vxlan-fix-tos-value-before-xmit.patch +tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not.patch +ftrace-avoid-potential-division-by-zero-in-function-profiler.patch +staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch +kernel-trace-fix-do-not-unregister-tracepoints-when-register.patch +kobject-export-kobject_get_unless_zero.patch +chardev-avoid-potential-use-after-free-in-chrdev_open.patch +sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch +vlan-vlan_changelink-should-propagate-errors.patch +net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch +pkt_sched-fq-avoid-hang-when-quantum-0.patch +pkt_sched-fq-do-not-accept-silly-tca_fq_quantum.patch +macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch +netfilter-ipset-avoid-null-deref-when-ipset_attr_lineno-is-present.patch +ixgbevf-remove-limit-of-10-entries-for-unicast-filter-list.patch +scsi-sd-clear-sdkp-protection_type-if-disk-is-reformatted-without.patch +scsi-enclosure-fix-stale-device-oops-with-hot-replug.patch +hidraw-return-epollout-from-hidraw_poll.patch +hid-hidraw-fix-returning-epollout-from-hidraw_poll.patch +hid-hidraw-uhid-always-report-epollout.patch +input-aiptek-fix-endpoint-sanity-check.patch +input-gtco-fix-endpoint-sanity-check.patch +input-sur40-fix-interface-sanity-checks.patch +platform-x86-asus-wmi-fix-keyboard-brightness-cannot-be-set-to-0.patch +iio-buffer-align-the-size-of-scan-bytes-to-size-of-the-largest.patch +usb-serial-simple-add-motorola-solutions-tetra-mtp3xxx-and-mtp85xx.patch +netfilter-fix-a-use-after-free-in-mtype_destroy.patch +netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch +alsa-usb-audio-add-implicit-fb-quirk-for-axe-fx-ii.patch +alsa-usb-audio-simplify-set_sync_ep_implicit_fb_quirk.patch +alsa-usb-audio-fix-sync-ep-altsetting-sanity-check.patch +usb-serial-opticon-fix-control-message-timeouts.patch +r8152-add-missing-endpoint-sanity-check.patch +usb-core-hub-improved-device-recognition-on-remote-wakeup.patch +fix-built-in-early-load-intel-microcode-alignment.patch +alsa-seq-fix-racy-access-for-queue-timer-in-proc-read.patch +scsi-fnic-fix-invalid-stack-access.patch +block-fix-an-integer-overflow-in-logical-block-size.patch +macvlan-use-skb_reset_mac_header-in-macvlan_queue_xmit.patch +input-keyspan-remote-fix-control-message-timeouts.patch +usb-serial-suppress-driver-bind-attributes.patch +usb-serial-ch341-handle-unbound-port-at-reset_resume.patch +usb-serial-io_edgeport-handle-unbound-ports-on-urb-completion.patch +usb-serial-io_edgeport-add-missing-active-port-sanity-check.patch +usb-serial-keyspan-handle-unbound-ports.patch +usb-serial-quatech2-handle-unbound-ports.patch +hwmon-adt7475-make-volt2reg-return-same-reg-as-reg2volt-input.patch +arm-8950-1-ftrace-recordmcount-filter-relocation-types.patch +mmc-sdhci-fix-minimum-clock-rate-for-v3-controller.patch +arm-8955-1-virt-relax-arch-timer-version-check-during-early-boot.patch +can-slip-protect-tty-disc_data-in-write_wakeup-and-close-with-rcu.patch +net-sonic-return-netdev_tx_ok-if-failed-to-map-buffer.patch +net-sonic-add-mutual-exclusion-for-accessing-shared-state.patch +net-sonic-use-mmio-accessors.patch +net-sonic-fix-receive-buffer-handling.patch +net-sonic-quiesce-sonic-before-re-initializing-descriptor-memory.patch +net_sched-fix-datalen-for-ematch.patch +namei-allow-restricted-o_creat-of-fifos-and-regular-files.patch +do_last-fetch-directory-i_mode-and-i_uid-before-it-s-too-late.patch +vfs-fix-do_last-regression.patch
diff --git a/queue-3.16/staging-gigaset-add-endpoint-type-sanity-check.patch b/queue-3.16/staging-gigaset-add-endpoint-type-sanity-check.patch new file mode 100644 index 0000000..3a1e867 --- /dev/null +++ b/queue-3.16/staging-gigaset-add-endpoint-type-sanity-check.patch
@@ -0,0 +1,48 @@ +From: Johan Hovold <johan@kernel.org> +Date: Mon, 2 Dec 2019 09:56:10 +0100 +Subject: staging: gigaset: add endpoint-type sanity check + +commit ed9ed5a89acba51b82bdff61144d4e4a4245ec8a upstream. + +Add missing endpoint-type sanity checks to probe. + +This specifically prevents a warning in USB core on URB submission when +fuzzing USB descriptors. + +Signed-off-by: Johan Hovold <johan@kernel.org> +Link: https://lore.kernel.org/r/20191202085610.12719-4-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +[bwh: Backported to 3.16: adjust filename] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/isdn/gigaset/usb-gigaset.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/isdn/gigaset/usb-gigaset.c ++++ b/drivers/isdn/gigaset/usb-gigaset.c +@@ -713,6 +713,12 @@ static int gigaset_probe(struct usb_inte + + endpoint = &hostif->endpoint[0].desc; + ++ if (!usb_endpoint_is_bulk_out(endpoint)) { ++ dev_err(&interface->dev, "missing bulk-out endpoint\n"); ++ retval = -ENODEV; ++ goto error; ++ } ++ + buffer_size = le16_to_cpu(endpoint->wMaxPacketSize); + ucs->bulk_out_size = buffer_size; + ucs->bulk_out_endpointAddr = endpoint->bEndpointAddress; +@@ -732,6 +738,12 @@ static int gigaset_probe(struct usb_inte + + endpoint = &hostif->endpoint[1].desc; + ++ if (!usb_endpoint_is_int_in(endpoint)) { ++ dev_err(&interface->dev, "missing int-in endpoint\n"); ++ retval = -ENODEV; ++ goto error; ++ } ++ + ucs->busy = 0; + + ucs->read_urb = usb_alloc_urb(0, GFP_KERNEL);
diff --git a/queue-3.16/staging-gigaset-fix-general-protection-fault-on-probe.patch b/queue-3.16/staging-gigaset-fix-general-protection-fault-on-probe.patch new file mode 100644 index 0000000..95dce06 --- /dev/null +++ b/queue-3.16/staging-gigaset-fix-general-protection-fault-on-probe.patch
@@ -0,0 +1,37 @@ +From: Johan Hovold <johan@kernel.org> +Date: Mon, 2 Dec 2019 09:56:08 +0100 +Subject: staging: gigaset: fix general protection fault on probe + +commit 53f35a39c3860baac1e5ca80bf052751cfb24a99 upstream. + +Fix a general protection fault when accessing the endpoint descriptors +which could be triggered by a malicious device due to missing sanity +checks on the number of endpoints. + +Reported-by: syzbot+35b1c403a14f5c89eba7@syzkaller.appspotmail.com +Fixes: 07dc1f9f2f80 ("[PATCH] isdn4linux: Siemens Gigaset drivers - M105 USB DECT adapter") +Cc: Hansjoerg Lipp <hjlipp@web.de> +Cc: Tilman Schmidt <tilman@imap.cc> +Signed-off-by: Johan Hovold <johan@kernel.org> +Link: https://lore.kernel.org/r/20191202085610.12719-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +[bwh: Backported to 3.16: adjust filename] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/isdn/gigaset/usb-gigaset.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/isdn/gigaset/usb-gigaset.c ++++ b/drivers/isdn/gigaset/usb-gigaset.c +@@ -693,6 +693,11 @@ static int gigaset_probe(struct usb_inte + return -ENODEV; + } + ++ if (hostif->desc.bNumEndpoints < 2) { ++ dev_err(&interface->dev, "missing endpoints\n"); ++ return -ENODEV; ++ } ++ + dev_info(&udev->dev, "%s: Device matched ... !\n", __func__); + + /* allocate memory for our device state and initialize it */
diff --git a/queue-3.16/staging-gigaset-fix-illegal-free-on-probe-errors.patch b/queue-3.16/staging-gigaset-fix-illegal-free-on-probe-errors.patch new file mode 100644 index 0000000..46ecd3e --- /dev/null +++ b/queue-3.16/staging-gigaset-fix-illegal-free-on-probe-errors.patch
@@ -0,0 +1,44 @@ +From: Johan Hovold <johan@kernel.org> +Date: Mon, 2 Dec 2019 09:56:09 +0100 +Subject: staging: gigaset: fix illegal free on probe errors + +commit 84f60ca7b326ed8c08582417493982fe2573a9ad upstream. + +The driver failed to initialise its receive-buffer pointer, something +which could lead to an illegal free on late probe errors. + +Fix this by making sure to clear all driver data at allocation. + +Fixes: 2032e2c2309d ("usb_gigaset: code cleanup") +Cc: Tilman Schmidt <tilman@imap.cc> +Signed-off-by: Johan Hovold <johan@kernel.org> +Link: https://lore.kernel.org/r/20191202085610.12719-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +[bwh: Backported to 3.16: adjust filename] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/isdn/gigaset/usb-gigaset.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/isdn/gigaset/usb-gigaset.c ++++ b/drivers/isdn/gigaset/usb-gigaset.c +@@ -578,8 +578,7 @@ static int gigaset_initcshw(struct cards + { + struct usb_cardstate *ucs; + +- cs->hw.usb = ucs = +- kmalloc(sizeof(struct usb_cardstate), GFP_KERNEL); ++ cs->hw.usb = ucs = kzalloc(sizeof(struct usb_cardstate), GFP_KERNEL); + if (!ucs) { + pr_err("out of memory\n"); + return -ENOMEM; +@@ -591,9 +590,6 @@ static int gigaset_initcshw(struct cards + ucs->bchars[3] = 0; + ucs->bchars[4] = 0x11; + ucs->bchars[5] = 0x13; +- ucs->bulk_out_buffer = NULL; +- ucs->bulk_out_urb = NULL; +- ucs->read_urb = NULL; + tasklet_init(&cs->write_tasklet, + gigaset_modem_fill, (unsigned long) cs); +
diff --git a/queue-3.16/staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch b/queue-3.16/staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch new file mode 100644 index 0000000..a8875c6 --- /dev/null +++ b/queue-3.16/staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch
@@ -0,0 +1,28 @@ +From: Michael Straube <straube.linux@gmail.com> +Date: Sat, 28 Dec 2019 15:37:25 +0100 +Subject: staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21 + +commit 58dcc5bf4030cab548d5c98cd4cd3632a5444d5a upstream. + +This device was added to the stand-alone driver on github. +Add it to the staging driver as well. + +Link: https://github.com/lwfinger/rtl8188eu/commit/b9b537aa25a8 +Signed-off-by: Michael Straube <straube.linux@gmail.com> +Link: https://lore.kernel.org/r/20191228143725.24455-1-straube.linux@gmail.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c ++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c +@@ -61,6 +61,7 @@ static struct usb_device_id rtw_usb_id_t + {USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */ + {USB_DEVICE(0x2001, 0x331B)}, /* D-Link DWA-121 rev B1 */ + {USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */ ++ {USB_DEVICE(0x2357, 0x0111)}, /* TP-Link TL-WN727N v5.21 */ + {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */ + {USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */ + {} /* Terminating entry */
diff --git a/queue-3.16/staging-rtl8188eu-fix-interface-sanity-check.patch b/queue-3.16/staging-rtl8188eu-fix-interface-sanity-check.patch new file mode 100644 index 0000000..e3c631a --- /dev/null +++ b/queue-3.16/staging-rtl8188eu-fix-interface-sanity-check.patch
@@ -0,0 +1,32 @@ +From: Johan Hovold <johan@kernel.org> +Date: Tue, 10 Dec 2019 12:47:50 +0100 +Subject: staging: rtl8188eu: fix interface sanity check + +commit 74ca34118a0e05793935d804ccffcedd6eb56596 upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: c2478d39076b ("staging: r8188eu: Add files for new driver - part 20") +Signed-off-by: Johan Hovold <johan@kernel.org> +Link: https://lore.kernel.org/r/20191210114751.5119-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/staging/rtl8188eu/os_dep/usb_intf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c ++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c +@@ -141,7 +141,7 @@ static struct dvobj_priv *usb_dvobj_init + phost_conf = pusbd->actconfig; + pconf_desc = &phost_conf->desc; + +- phost_iface = &usb_intf->altsetting[0]; ++ phost_iface = usb_intf->cur_altsetting; + piface_desc = &phost_iface->desc; + + pdvobjpriv->NumInterfaces = pconf_desc->bNumInterfaces;
diff --git a/queue-3.16/staging-rtl8712-fix-interface-sanity-check.patch b/queue-3.16/staging-rtl8712-fix-interface-sanity-check.patch new file mode 100644 index 0000000..cf83e9a --- /dev/null +++ b/queue-3.16/staging-rtl8712-fix-interface-sanity-check.patch
@@ -0,0 +1,33 @@ +From: Johan Hovold <johan@kernel.org> +Date: Tue, 10 Dec 2019 12:47:51 +0100 +Subject: staging: rtl8712: fix interface sanity check + +commit c724f776f048538ecfdf53a52b7a522309f5c504 upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel") +Signed-off-by: Johan Hovold <johan@kernel.org> +Link: https://lore.kernel.org/r/20191210114751.5119-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/staging/rtl8712/usb_intf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rtl8712/usb_intf.c ++++ b/drivers/staging/rtl8712/usb_intf.c +@@ -269,7 +269,7 @@ static uint r8712_usb_dvobj_init(struct + pdev_desc = &pusbd->descriptor; + phost_conf = pusbd->actconfig; + pconf_desc = &phost_conf->desc; +- phost_iface = &pintf->altsetting[0]; ++ phost_iface = pintf->cur_altsetting; + piface_desc = &phost_iface->desc; + pdvobjpriv->nr_endpoint = piface_desc->bNumEndpoints; + if (pusbd->speed == USB_SPEED_HIGH) {
diff --git a/queue-3.16/taskstats-fix-data-race.patch b/queue-3.16/taskstats-fix-data-race.patch new file mode 100644 index 0000000..d0d58ab --- /dev/null +++ b/queue-3.16/taskstats-fix-data-race.patch
@@ -0,0 +1,96 @@ +From: Christian Brauner <christian.brauner@ubuntu.com> +Date: Wed, 9 Oct 2019 13:48:09 +0200 +Subject: taskstats: fix data-race + +commit 0b8d616fb5a8ffa307b1d3af37f55c15dae14f28 upstream. + +When assiging and testing taskstats in taskstats_exit() there's a race +when setting up and reading sig->stats when a thread-group with more +than one thread exits: + +write to 0xffff8881157bbe10 of 8 bytes by task 7951 on cpu 0: + taskstats_tgid_alloc kernel/taskstats.c:567 [inline] + taskstats_exit+0x6b7/0x717 kernel/taskstats.c:596 + do_exit+0x2c2/0x18e0 kernel/exit.c:864 + do_group_exit+0xb4/0x1c0 kernel/exit.c:983 + get_signal+0x2a2/0x1320 kernel/signal.c:2734 + do_signal+0x3b/0xc00 arch/x86/kernel/signal.c:815 + exit_to_usermode_loop+0x250/0x2c0 arch/x86/entry/common.c:159 + prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline] + syscall_return_slowpath arch/x86/entry/common.c:274 [inline] + do_syscall_64+0x2d7/0x2f0 arch/x86/entry/common.c:299 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +read to 0xffff8881157bbe10 of 8 bytes by task 7949 on cpu 1: + taskstats_tgid_alloc kernel/taskstats.c:559 [inline] + taskstats_exit+0xb2/0x717 kernel/taskstats.c:596 + do_exit+0x2c2/0x18e0 kernel/exit.c:864 + do_group_exit+0xb4/0x1c0 kernel/exit.c:983 + __do_sys_exit_group kernel/exit.c:994 [inline] + __se_sys_exit_group kernel/exit.c:992 [inline] + __x64_sys_exit_group+0x2e/0x30 kernel/exit.c:992 + do_syscall_64+0xcf/0x2f0 arch/x86/entry/common.c:296 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fix this by using smp_load_acquire() and smp_store_release(). + +Reported-by: syzbot+c5d03165a1bd1dead0c1@syzkaller.appspotmail.com +Fixes: 34ec12349c8a ("taskstats: cleanup ->signal->stats allocation") +Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> +Acked-by: Marco Elver <elver@google.com> +Reviewed-by: Will Deacon <will@kernel.org> +Reviewed-by: Andrea Parri <parri.andrea@gmail.com> +Reviewed-by: Dmitry Vyukov <dvyukov@google.com> +Link: https://lore.kernel.org/r/20191009114809.8643-1-christian.brauner@ubuntu.com +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + kernel/taskstats.c | 30 +++++++++++++++++++----------- + 1 file changed, 19 insertions(+), 11 deletions(-) + +--- a/kernel/taskstats.c ++++ b/kernel/taskstats.c +@@ -591,25 +591,33 @@ static int taskstats_user_cmd(struct sk_ + static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk) + { + struct signal_struct *sig = tsk->signal; +- struct taskstats *stats; ++ struct taskstats *stats_new, *stats; + +- if (sig->stats || thread_group_empty(tsk)) +- goto ret; ++ /* Pairs with smp_store_release() below. */ ++ stats = smp_load_acquire(&sig->stats); ++ if (stats || thread_group_empty(tsk)) ++ return stats; + + /* No problem if kmem_cache_zalloc() fails */ +- stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL); ++ stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL); + + spin_lock_irq(&tsk->sighand->siglock); +- if (!sig->stats) { +- sig->stats = stats; +- stats = NULL; ++ stats = sig->stats; ++ if (!stats) { ++ /* ++ * Pairs with smp_store_release() above and order the ++ * kmem_cache_zalloc(). ++ */ ++ smp_store_release(&sig->stats, stats_new); ++ stats = stats_new; ++ stats_new = NULL; + } + spin_unlock_irq(&tsk->sighand->siglock); + +- if (stats) +- kmem_cache_free(taskstats_cache, stats); +-ret: +- return sig->stats; ++ if (stats_new) ++ kmem_cache_free(taskstats_cache, stats_new); ++ ++ return stats; + } + + /* Send pid data out on exit */
diff --git a/queue-3.16/tcp-do-not-send-empty-skb-from-tcp_write_xmit.patch b/queue-3.16/tcp-do-not-send-empty-skb-from-tcp_write_xmit.patch new file mode 100644 index 0000000..5d948bf --- /dev/null +++ b/queue-3.16/tcp-do-not-send-empty-skb-from-tcp_write_xmit.patch
@@ -0,0 +1,51 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Thu, 12 Dec 2019 12:55:29 -0800 +Subject: tcp: do not send empty skb from tcp_write_xmit() + +commit 1f85e6267caca44b30c54711652b0726fadbb131 upstream. + +Backport of commit fdfc5c8594c2 ("tcp: remove empty skb from +write queue in error cases") in linux-4.14 stable triggered +various bugs. One of them has been fixed in commit ba2ddb43f270 +("tcp: Don't dequeue SYN/FIN-segments from write-queue"), but +we still have crashes in some occasions. + +Root-cause is that when tcp_sendmsg() has allocated a fresh +skb and could not append a fragment before being blocked +in sk_stream_wait_memory(), tcp_write_xmit() might be called +and decide to send this fresh and empty skb. + +Sending an empty packet is not only silly, it might have caused +many issues we had in the past with tp->packets_out being +out of sync. + +Fixes: c65f7f00c587 ("[TCP]: Simplify SKB data portion allocation with NETIF_F_SG.") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Cc: Christoph Paasch <cpaasch@apple.com> +Acked-by: Neal Cardwell <ncardwell@google.com> +Cc: Jason Baron <jbaron@akamai.com> +Acked-by: Soheil Hassas Yeganeh <soheil@google.com> +Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/ipv4/tcp_output.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -1992,6 +1992,14 @@ static bool tcp_write_xmit(struct sock * + unlikely(tso_fragment(sk, skb, limit, mss_now, gfp))) + break; + ++ /* Argh, we hit an empty skb(), presumably a thread ++ * is sleeping in sendmsg()/sk_stream_wait_memory(). ++ * We do not want to send a pure-ack packet and have ++ * a strange looking rtx queue with empty packet(s). ++ */ ++ if (TCP_SKB_CB(skb)->end_seq == TCP_SKB_CB(skb)->seq) ++ break; ++ + TCP_SKB_CB(skb)->when = tcp_time_stamp; + + if (unlikely(tcp_transmit_skb(sk, skb, 1, gfp)))
diff --git a/queue-3.16/tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch b/queue-3.16/tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch new file mode 100644 index 0000000..b4cc6a1 --- /dev/null +++ b/queue-3.16/tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch
@@ -0,0 +1,43 @@ +From: Pengcheng Yang <yangpc@wangsu.com> +Date: Mon, 30 Dec 2019 17:54:41 +0800 +Subject: tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK + +commit c9655008e7845bcfdaac10a1ed8554ec167aea88 upstream. + +When we receive a D-SACK, where the sequence number satisfies: + undo_marker <= start_seq < end_seq <= prior_snd_una +we consider this is a valid D-SACK and tcp_is_sackblock_valid() +returns true, then this D-SACK is discarded as "old stuff", +but the variable first_sack_index is not marked as negative +in tcp_sacktag_write_queue(). + +If this D-SACK also carries a SACK that needs to be processed +(for example, the previous SACK segment was lost), this SACK +will be treated as a D-SACK in the following processing of +tcp_sacktag_write_queue(), which will eventually lead to +incorrect updates of undo_retrans and reordering. + +Fixes: fd6dad616d4f ("[TCP]: Earlier SACK block verification & simplify access to them") +Signed-off-by: Pengcheng Yang <yangpc@wangsu.com> +Signed-off-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/ipv4/tcp_input.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -1713,8 +1713,11 @@ tcp_sacktag_write_queue(struct sock *sk, + } + + /* Ignore very old stuff early */ +- if (!after(sp[used_sacks].end_seq, prior_snd_una)) ++ if (!after(sp[used_sacks].end_seq, prior_snd_una)) { ++ if (i == 0) ++ first_sack_index = -1; + continue; ++ } + + used_sacks++; + }
diff --git a/queue-3.16/tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not.patch b/queue-3.16/tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not.patch new file mode 100644 index 0000000..70c5667 --- /dev/null +++ b/queue-3.16/tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not.patch
@@ -0,0 +1,35 @@ +From: "Steven Rostedt (VMware)" <rostedt@goodmis.org> +Date: Thu, 2 Jan 2020 22:02:41 -0500 +Subject: tracing: Have stack tracer compile when MCOUNT_INSN_SIZE is not + defined + +commit b8299d362d0837ae39e87e9019ebe6b736e0f035 upstream. + +On some archs with some configurations, MCOUNT_INSN_SIZE is not defined, and +this makes the stack tracer fail to compile. Just define it to zero in this +case. + +Link: https://lore.kernel.org/r/202001020219.zvE3vsty%lkp@intel.com + +Fixes: 4df297129f622 ("tracing: Remove most or all of stack tracer stack size from stack_max_size") +Reported-by: kbuild test robot <lkp@intel.com> +Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + kernel/trace/trace_stack.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/kernel/trace/trace_stack.c ++++ b/kernel/trace/trace_stack.c +@@ -182,6 +182,11 @@ check_stack(unsigned long ip, unsigned l + local_irq_restore(flags); + } + ++/* Some archs may not define MCOUNT_INSN_SIZE */ ++#ifndef MCOUNT_INSN_SIZE ++# define MCOUNT_INSN_SIZE 0 ++#endif ++ + static void + stack_trace_call(unsigned long ip, unsigned long parent_ip, + struct ftrace_ops *op, struct pt_regs *pt_regs)
diff --git a/queue-3.16/tty-always-relink-the-port.patch b/queue-3.16/tty-always-relink-the-port.patch new file mode 100644 index 0000000..b475db7 --- /dev/null +++ b/queue-3.16/tty-always-relink-the-port.patch
@@ -0,0 +1,33 @@ +From: Sudip Mukherjee <sudipm.mukherjee@gmail.com> +Date: Fri, 27 Dec 2019 17:44:34 +0000 +Subject: tty: always relink the port + +commit 273f632912f1b24b642ba5b7eb5022e43a72f3b5 upstream. + +If the serial device is disconnected and reconnected, it re-enumerates +properly but does not link it. fwiw, linking means just saving the port +index, so allow it always as there is no harm in saving the same value +again even if it tries to relink with the same port. + +Fixes: fb2b90014d78 ("tty: link tty and port before configuring it as console") +Reported-by: Kenneth R. Crudup <kenny@panix.com> +Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com> +Link: https://lore.kernel.org/r/20191227174434.12057-1-sudipm.mukherjee@gmail.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/tty/tty_port.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/tty/tty_port.c ++++ b/drivers/tty/tty_port.c +@@ -49,8 +49,7 @@ void tty_port_link_device(struct tty_por + { + if (WARN_ON(index >= driver->num)) + return; +- if (!driver->ports[index]) +- driver->ports[index] = port; ++ driver->ports[index] = port; + } + EXPORT_SYMBOL_GPL(tty_port_link_device); +
diff --git a/queue-3.16/tty-link-tty-and-port-before-configuring-it-as-console.patch b/queue-3.16/tty-link-tty-and-port-before-configuring-it-as-console.patch new file mode 100644 index 0000000..b85d792 --- /dev/null +++ b/queue-3.16/tty-link-tty-and-port-before-configuring-it-as-console.patch
@@ -0,0 +1,65 @@ +From: Sudip Mukherjee <sudipm.mukherjee@gmail.com> +Date: Thu, 12 Dec 2019 13:16:02 +0000 +Subject: tty: link tty and port before configuring it as console + +commit fb2b90014d782d80d7ebf663e50f96d8c507a73c upstream. + +There seems to be a race condition in tty drivers and I could see on +many boot cycles a NULL pointer dereference as tty_init_dev() tries to +do 'tty->port->itty = tty' even though tty->port is NULL. +'tty->port' will be set by the driver and if the driver has not yet done +it before we open the tty device we can get to this situation. By adding +some extra debug prints, I noticed that: + +6.650130: uart_add_one_port +6.663849: register_console +6.664846: tty_open +6.674391: tty_init_dev +6.675456: tty_port_link_device + +uart_add_one_port() registers the console, as soon as it registers, the +userspace tries to use it and that leads to tty_open() but +uart_add_one_port() has not yet done tty_port_link_device() and so +tty->port is not yet configured when control reaches tty_init_dev(). + +Further look into the code and tty_port_link_device() is done by +uart_add_one_port(). After registering the console uart_add_one_port() +will call tty_port_register_device_attr_serdev() and +tty_port_link_device() is called from this. + +Call add tty_port_link_device() before uart_configure_port() is done and +add a check in tty_port_link_device() so that it only links the port if +it has not been done yet. + +Suggested-by: Jiri Slaby <jslaby@suse.com> +Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com> +Link: https://lore.kernel.org/r/20191212131602.29504-1-sudipm.mukherjee@gmail.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/tty/serial/serial_core.c | 1 + + drivers/tty/tty_port.c | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -2639,6 +2639,7 @@ int uart_add_one_port(struct uart_driver + lockdep_set_class(&uport->lock, &port_lock_key); + } + ++ tty_port_link_device(port, drv->tty_driver, uport->line); + uart_configure_port(drv, state, uport); + + /* +--- a/drivers/tty/tty_port.c ++++ b/drivers/tty/tty_port.c +@@ -49,7 +49,8 @@ void tty_port_link_device(struct tty_por + { + if (WARN_ON(index >= driver->num)) + return; +- driver->ports[index] = port; ++ if (!driver->ports[index]) ++ driver->ports[index] = port; + } + EXPORT_SYMBOL_GPL(tty_port_link_device); +
diff --git a/queue-3.16/tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch b/queue-3.16/tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch new file mode 100644 index 0000000..0ab8057 --- /dev/null +++ b/queue-3.16/tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch
@@ -0,0 +1,64 @@ +From: Leo Yan <leo.yan@linaro.org> +Date: Wed, 27 Nov 2019 22:15:43 +0800 +Subject: tty: serial: msm_serial: Fix lockup for sysrq and oops + +commit 0e4f7f920a5c6bfe5e851e989f27b35a0cc7fb7e upstream. + +As the commit 677fe555cbfb ("serial: imx: Fix recursive locking bug") +has mentioned the uart driver might cause recursive locking between +normal printing and the kernel debugging facilities (e.g. sysrq and +oops). In the commit it gave out suggestion for fixing recursive +locking issue: "The solution is to avoid locking in the sysrq case +and trylock in the oops_in_progress case." + +This patch follows the suggestion (also used the exactly same code with +other serial drivers, e.g. amba-pl011.c) to fix the recursive locking +issue, this can avoid stuck caused by deadlock and print out log for +sysrq and oops. + +Fixes: 04896a77a97b ("msm_serial: serial driver for MSM7K onboard serial peripheral.") +Signed-off-by: Leo Yan <leo.yan@linaro.org> +Reviewed-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com> +Link: https://lore.kernel.org/r/20191127141544.4277-2-leo.yan@linaro.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/tty/serial/msm_serial.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/msm_serial.c ++++ b/drivers/tty/serial/msm_serial.c +@@ -857,6 +857,7 @@ static void msm_console_write(struct con + struct msm_port *msm_port; + int num_newlines = 0; + bool replaced = false; ++ int locked = 1; + + BUG_ON(co->index < 0 || co->index >= UART_NR); + +@@ -869,7 +870,13 @@ static void msm_console_write(struct con + num_newlines++; + count += num_newlines; + +- spin_lock(&port->lock); ++ if (port->sysrq) ++ locked = 0; ++ else if (oops_in_progress) ++ locked = spin_trylock(&port->lock); ++ else ++ spin_lock(&port->lock); ++ + if (msm_port->is_uartdm) + reset_dm_count(port, count); + +@@ -906,7 +913,9 @@ static void msm_console_write(struct con + msm_write(port, *bf, msm_port->is_uartdm ? UARTDM_TF : UART_TF); + i += num_chars; + } +- spin_unlock(&port->lock); ++ ++ if (locked) ++ spin_unlock(&port->lock); + } + + static int __init msm_console_setup(struct console *co, char *options)
diff --git a/queue-3.16/usb-adutux-fix-interface-sanity-check.patch b/queue-3.16/usb-adutux-fix-interface-sanity-check.patch new file mode 100644 index 0000000..402889b --- /dev/null +++ b/queue-3.16/usb-adutux-fix-interface-sanity-check.patch
@@ -0,0 +1,33 @@ +From: Johan Hovold <johan@kernel.org> +Date: Tue, 10 Dec 2019 12:25:59 +0100 +Subject: USB: adutux: fix interface sanity check + +commit 3c11c4bed02b202e278c0f5c319ae435d7fb9815 upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 03270634e242 ("USB: Add ADU support for Ontrak ADU devices") +Signed-off-by: Johan Hovold <johan@kernel.org> +Link: https://lore.kernel.org/r/20191210112601.3561-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/misc/adutux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/misc/adutux.c ++++ b/drivers/usb/misc/adutux.c +@@ -682,7 +682,7 @@ static int adu_probe(struct usb_interfac + init_waitqueue_head(&dev->read_wait); + init_waitqueue_head(&dev->write_wait); + +- iface_desc = &interface->altsetting[0]; ++ iface_desc = interface->cur_altsetting; + + /* set up the endpoint information */ + for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
diff --git a/queue-3.16/usb-atm-ueagle-atm-add-missing-endpoint-check.patch b/queue-3.16/usb-atm-ueagle-atm-add-missing-endpoint-check.patch new file mode 100644 index 0000000..654dc51 --- /dev/null +++ b/queue-3.16/usb-atm-ueagle-atm-add-missing-endpoint-check.patch
@@ -0,0 +1,86 @@ +From: Johan Hovold <johan@kernel.org> +Date: Tue, 10 Dec 2019 12:25:58 +0100 +Subject: USB: atm: ueagle-atm: add missing endpoint check + +commit 09068c1ad53fb077bdac288869dec2435420bdc4 upstream. + +Make sure that the interrupt interface has an endpoint before trying to +access its endpoint descriptors to avoid dereferencing a NULL pointer. + +The driver binds to the interrupt interface with interface number 0, but +must not assume that this interface or its current alternate setting are +the first entries in the corresponding configuration arrays. + +Fixes: b72458a80c75 ("[PATCH] USB: Eagle and ADI 930 usb adsl modem driver") +Signed-off-by: Johan Hovold <johan@kernel.org> +Link: https://lore.kernel.org/r/20191210112601.3561-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/atm/ueagle-atm.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/drivers/usb/atm/ueagle-atm.c ++++ b/drivers/usb/atm/ueagle-atm.c +@@ -2167,10 +2167,11 @@ resubmit: + /* + * Start the modem : init the data and start kernel thread + */ +-static int uea_boot(struct uea_softc *sc) ++static int uea_boot(struct uea_softc *sc, struct usb_interface *intf) + { +- int ret, size; + struct intr_pkt *intr; ++ int ret = -ENOMEM; ++ int size; + + uea_enters(INS_TO_USBDEV(sc)); + +@@ -2195,6 +2196,11 @@ static int uea_boot(struct uea_softc *sc + if (UEA_CHIP_VERSION(sc) == ADI930) + load_XILINX_firmware(sc); + ++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) { ++ ret = -ENODEV; ++ goto err0; ++ } ++ + intr = kmalloc(size, GFP_KERNEL); + if (!intr) { + uea_err(INS_TO_USBDEV(sc), +@@ -2211,8 +2217,7 @@ static int uea_boot(struct uea_softc *sc + usb_fill_int_urb(sc->urb_int, sc->usb_dev, + usb_rcvintpipe(sc->usb_dev, UEA_INTR_PIPE), + intr, size, uea_intr, sc, +- sc->usb_dev->actconfig->interface[0]->altsetting[0]. +- endpoint[0].desc.bInterval); ++ intf->cur_altsetting->endpoint[0].desc.bInterval); + + ret = usb_submit_urb(sc->urb_int, GFP_KERNEL); + if (ret < 0) { +@@ -2227,6 +2232,7 @@ static int uea_boot(struct uea_softc *sc + sc->kthread = kthread_create(uea_kthread, sc, "ueagle-atm"); + if (IS_ERR(sc->kthread)) { + uea_err(INS_TO_USBDEV(sc), "failed to create thread\n"); ++ ret = PTR_ERR(sc->kthread); + goto err2; + } + +@@ -2241,7 +2247,7 @@ err1: + kfree(intr); + err0: + uea_leaves(INS_TO_USBDEV(sc)); +- return -ENOMEM; ++ return ret; + } + + /* +@@ -2604,7 +2610,7 @@ static int uea_bind(struct usbatm_data * + if (ret < 0) + goto error; + +- ret = uea_boot(sc); ++ ret = uea_boot(sc, intf); + if (ret < 0) + goto error_rm_grp; +
diff --git a/queue-3.16/usb-core-add-endpoint-blacklist-quirk.patch b/queue-3.16/usb-core-add-endpoint-blacklist-quirk.patch new file mode 100644 index 0000000..0daeac2 --- /dev/null +++ b/queue-3.16/usb-core-add-endpoint-blacklist-quirk.patch
@@ -0,0 +1,119 @@ +From: Johan Hovold <johan@kernel.org> +Date: Mon, 3 Feb 2020 16:38:28 +0100 +Subject: USB: core: add endpoint-blacklist quirk + +commit 73f8bda9b5dc1c69df2bc55c0cbb24461a6391a9 upstream. + +Add a new device quirk that can be used to blacklist endpoints. + +Since commit 3e4f8e21c4f2 ("USB: core: fix check for duplicate +endpoints") USB core ignores any duplicate endpoints found during +descriptor parsing. + +In order to handle devices where the first interfaces with duplicate +endpoints are the ones that should have their endpoints ignored, we need +to add a blacklist. + +Tested-by: edes <edes@gmx.net> +Signed-off-by: Johan Hovold <johan@kernel.org> +Link: https://lore.kernel.org/r/20200203153830.26394-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/core/config.c | 11 +++++++++++ + drivers/usb/core/quirks.c | 32 ++++++++++++++++++++++++++++++++ + drivers/usb/core/usb.h | 3 +++ + include/linux/usb/quirks.h | 3 +++ + 4 files changed, 49 insertions(+) + +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -222,6 +222,7 @@ static int usb_parse_endpoint(struct dev + struct usb_host_interface *ifp, int num_ep, + unsigned char *buffer, int size) + { ++ struct usb_device *udev = to_usb_device(ddev); + unsigned char *buffer0 = buffer; + struct usb_endpoint_descriptor *d; + struct usb_host_endpoint *endpoint; +@@ -263,6 +264,16 @@ static int usb_parse_endpoint(struct dev + goto skip_to_next_endpoint_or_interface_descriptor; + } + ++ /* Ignore blacklisted endpoints */ ++ if (udev->quirks & USB_QUIRK_ENDPOINT_BLACKLIST) { ++ if (usb_endpoint_is_blacklisted(udev, ifp, d)) { ++ dev_warn(ddev, "config %d interface %d altsetting %d has a blacklisted endpoint with address 0x%X, skipping\n", ++ cfgno, inum, asnum, ++ d->bEndpointAddress); ++ goto skip_to_next_endpoint_or_interface_descriptor; ++ } ++ } ++ + endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints]; + ++ifp->desc.bNumEndpoints; + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -318,6 +318,38 @@ static const struct usb_device_id usb_am + { } /* terminating entry must be last */ + }; + ++/* ++ * Entries for blacklisted endpoints that should be ignored when parsing ++ * configuration descriptors. ++ * ++ * Matched for devices with USB_QUIRK_ENDPOINT_BLACKLIST. ++ */ ++static const struct usb_device_id usb_endpoint_blacklist[] = { ++ { } ++}; ++ ++bool usb_endpoint_is_blacklisted(struct usb_device *udev, ++ struct usb_host_interface *intf, ++ struct usb_endpoint_descriptor *epd) ++{ ++ const struct usb_device_id *id; ++ unsigned int address; ++ ++ for (id = usb_endpoint_blacklist; id->match_flags; ++id) { ++ if (!usb_match_device(udev, id)) ++ continue; ++ ++ if (!usb_match_one_id_intf(udev, intf, id)) ++ continue; ++ ++ address = id->driver_info; ++ if (address == epd->bEndpointAddress) ++ return true; ++ } ++ ++ return false; ++} ++ + static bool usb_match_any_interface(struct usb_device *udev, + const struct usb_device_id *id) + { +--- a/drivers/usb/core/usb.h ++++ b/drivers/usb/core/usb.h +@@ -29,6 +29,9 @@ extern int usb_deauthorize_device(struct + extern int usb_authorize_device(struct usb_device *); + extern void usb_detect_quirks(struct usb_device *udev); + extern void usb_detect_interface_quirks(struct usb_device *udev); ++extern bool usb_endpoint_is_blacklisted(struct usb_device *udev, ++ struct usb_host_interface *intf, ++ struct usb_endpoint_descriptor *epd); + extern int usb_remove_device(struct usb_device *udev); + + extern int usb_get_device_descriptor(struct usb_device *dev, +--- a/include/linux/usb/quirks.h ++++ b/include/linux/usb/quirks.h +@@ -62,4 +62,7 @@ + /* Hub needs extra delay after resetting its port. */ + #define USB_QUIRK_HUB_SLOW_RESET BIT(14) + ++/* device has blacklisted endpoints */ ++#define USB_QUIRK_ENDPOINT_BLACKLIST BIT(15) ++ + #endif /* __LINUX_USB_QUIRKS_H */
diff --git a/queue-3.16/usb-core-fix-check-for-duplicate-endpoints.patch b/queue-3.16/usb-core-fix-check-for-duplicate-endpoints.patch new file mode 100644 index 0000000..224dcab --- /dev/null +++ b/queue-3.16/usb-core-fix-check-for-duplicate-endpoints.patch
@@ -0,0 +1,124 @@ +From: Johan Hovold <johan@kernel.org> +Date: Thu, 19 Dec 2019 17:10:16 +0100 +Subject: USB: core: fix check for duplicate endpoints + +commit 3e4f8e21c4f27bcf30a48486b9dcc269512b79ff upstream. + +Amend the endpoint-descriptor sanity checks to detect all duplicate +endpoint addresses in a configuration. + +Commit 0a8fd1346254 ("USB: fix problems with duplicate endpoint +addresses") added a check for duplicate endpoint addresses within a +single alternate setting, but did not look for duplicate addresses in +other interfaces. + +The current check would also not detect all duplicate addresses when one +endpoint is as a (bi-directional) control endpoint. + +This specifically avoids overwriting the endpoint entries in struct +usb_device when enabling a duplicate endpoint, something which could +potentially lead to crashes or leaks, for example, when endpoints are +later disabled. + +Signed-off-by: Johan Hovold <johan@kernel.org> +Acked-by: Alan Stern <stern@rowland.harvard.edu> +Link: https://lore.kernel.org/r/20191219161016.6695-1-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/core/config.c | 70 ++++++++++++++++++++++++++++++++------- + 1 file changed, 58 insertions(+), 12 deletions(-) + +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -169,9 +169,58 @@ static const unsigned short super_speed_ + [USB_ENDPOINT_XFER_INT] = 1024, + }; + +-static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum, +- int asnum, struct usb_host_interface *ifp, int num_ep, +- unsigned char *buffer, int size) ++static bool endpoint_is_duplicate(struct usb_endpoint_descriptor *e1, ++ struct usb_endpoint_descriptor *e2) ++{ ++ if (e1->bEndpointAddress == e2->bEndpointAddress) ++ return true; ++ ++ if (usb_endpoint_xfer_control(e1) || usb_endpoint_xfer_control(e2)) { ++ if (usb_endpoint_num(e1) == usb_endpoint_num(e2)) ++ return true; ++ } ++ ++ return false; ++} ++ ++/* ++ * Check for duplicate endpoint addresses in other interfaces and in the ++ * altsetting currently being parsed. ++ */ ++static bool config_endpoint_is_duplicate(struct usb_host_config *config, ++ int inum, int asnum, struct usb_endpoint_descriptor *d) ++{ ++ struct usb_endpoint_descriptor *epd; ++ struct usb_interface_cache *intfc; ++ struct usb_host_interface *alt; ++ int i, j, k; ++ ++ for (i = 0; i < config->desc.bNumInterfaces; ++i) { ++ intfc = config->intf_cache[i]; ++ ++ for (j = 0; j < intfc->num_altsetting; ++j) { ++ alt = &intfc->altsetting[j]; ++ ++ if (alt->desc.bInterfaceNumber == inum && ++ alt->desc.bAlternateSetting != asnum) ++ continue; ++ ++ for (k = 0; k < alt->desc.bNumEndpoints; ++k) { ++ epd = &alt->endpoint[k].desc; ++ ++ if (endpoint_is_duplicate(epd, d)) ++ return true; ++ } ++ } ++ } ++ ++ return false; ++} ++ ++static int usb_parse_endpoint(struct device *ddev, int cfgno, ++ struct usb_host_config *config, int inum, int asnum, ++ struct usb_host_interface *ifp, int num_ep, ++ unsigned char *buffer, int size) + { + unsigned char *buffer0 = buffer; + struct usb_endpoint_descriptor *d; +@@ -208,13 +257,10 @@ static int usb_parse_endpoint(struct dev + goto skip_to_next_endpoint_or_interface_descriptor; + + /* Check for duplicate endpoint addresses */ +- for (i = 0; i < ifp->desc.bNumEndpoints; ++i) { +- if (ifp->endpoint[i].desc.bEndpointAddress == +- d->bEndpointAddress) { +- dev_warn(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n", +- cfgno, inum, asnum, d->bEndpointAddress); +- goto skip_to_next_endpoint_or_interface_descriptor; +- } ++ if (config_endpoint_is_duplicate(config, inum, asnum, d)) { ++ dev_warn(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n", ++ cfgno, inum, asnum, d->bEndpointAddress); ++ goto skip_to_next_endpoint_or_interface_descriptor; + } + + endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints]; +@@ -481,8 +527,8 @@ static int usb_parse_interface(struct de + if (((struct usb_descriptor_header *) buffer)->bDescriptorType + == USB_DT_INTERFACE) + break; +- retval = usb_parse_endpoint(ddev, cfgno, inum, asnum, alt, +- num_ep, buffer, size); ++ retval = usb_parse_endpoint(ddev, cfgno, config, inum, asnum, ++ alt, num_ep, buffer, size); + if (retval < 0) + return retval; + ++n;
diff --git a/queue-3.16/usb-core-hub-improved-device-recognition-on-remote-wakeup.patch b/queue-3.16/usb-core-hub-improved-device-recognition-on-remote-wakeup.patch new file mode 100644 index 0000000..9116a20 --- /dev/null +++ b/queue-3.16/usb-core-hub-improved-device-recognition-on-remote-wakeup.patch
@@ -0,0 +1,61 @@ +From: Keiya Nobuta <nobuta.keiya@fujitsu.com> +Date: Thu, 9 Jan 2020 14:14:48 +0900 +Subject: usb: core: hub: Improved device recognition on remote wakeup + +commit 9c06ac4c83df6d6fbdbf7488fbad822b4002ba19 upstream. + +If hub_activate() is called before D+ has stabilized after remote +wakeup, the following situation might occur: + + __ ___________________ + / \ / +D+ __/ \__/ + +Hub _______________________________ + | ^ ^ ^ + | | | | +Host _____v__|___|___________|______ + | | | | + | | | \-- Interrupt Transfer (*3) + | | \-- ClearPortFeature (*2) + | \-- GetPortStatus (*1) + \-- Host detects remote wakeup + +- D+ goes high, Host starts running by remote wakeup +- D+ is not stable, goes low +- Host requests GetPortStatus at (*1) and gets the following hub status: + - Current Connect Status bit is 0 + - Connect Status Change bit is 1 +- D+ stabilizes, goes high +- Host requests ClearPortFeature and thus Connect Status Change bit is + cleared at (*2) +- After waiting 100 ms, Host starts the Interrupt Transfer at (*3) +- Since the Connect Status Change bit is 0, Hub returns NAK. + +In this case, port_event() is not called in hub_event() and Host cannot +recognize device. To solve this issue, flag change_bits even if only +Connect Status Change bit is 1 when got in the first GetPortStatus. + +This issue occurs rarely because it only if D+ changes during a very +short time between GetPortStatus and ClearPortFeature. However, it is +fatal if it occurs in embedded system. + +Signed-off-by: Keiya Nobuta <nobuta.keiya@fujitsu.com> +Acked-by: Alan Stern <stern@rowland.harvard.edu> +Link: https://lore.kernel.org/r/20200109051448.28150-1-nobuta.keiya@fujitsu.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/core/hub.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -1125,6 +1125,7 @@ static void hub_activate(struct usb_hub + * PORT_OVER_CURRENT is not. So check for any of them. + */ + if (udev || (portstatus & USB_PORT_STAT_CONNECTION) || ++ (portchange & USB_PORT_STAT_C_CONNECTION) || + (portstatus & USB_PORT_STAT_OVERCURRENT) || + (portchange & USB_PORT_STAT_C_OVERCURRENT)) + set_bit(port1, hub->change_bits);
diff --git a/queue-3.16/usb-core-urb-fix-urb-structure-initialization-function.patch b/queue-3.16/usb-core-urb-fix-urb-structure-initialization-function.patch new file mode 100644 index 0000000..1aee8be --- /dev/null +++ b/queue-3.16/usb-core-urb-fix-urb-structure-initialization-function.patch
@@ -0,0 +1,30 @@ +From: Emiliano Ingrassia <ingrassia@epigenesys.com> +Date: Wed, 27 Nov 2019 17:03:55 +0100 +Subject: usb: core: urb: fix URB structure initialization function + +commit 1cd17f7f0def31e3695501c4f86cd3faf8489840 upstream. + +Explicitly initialize URB structure urb_list field in usb_init_urb(). +This field can be potentially accessed uninitialized and its +initialization is coherent with the usage of list_del_init() in +usb_hcd_unlink_urb_from_ep() and usb_giveback_urb_bh() and its +explicit initialization in usb_hcd_submit_urb() error path. + +Signed-off-by: Emiliano Ingrassia <ingrassia@epigenesys.com> +Link: https://lore.kernel.org/r/20191127160355.GA27196@ingrassia.epigenesys.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/core/urb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/core/urb.c ++++ b/drivers/usb/core/urb.c +@@ -40,6 +40,7 @@ void usb_init_urb(struct urb *urb) + if (urb) { + memset(urb, 0, sizeof(*urb)); + kref_init(&urb->kref); ++ INIT_LIST_HEAD(&urb->urb_list); + INIT_LIST_HEAD(&urb->anchor_list); + } + }
diff --git a/queue-3.16/usb-dwc3-pci-add-id-for-one-more-intel-broxton-platform.patch b/queue-3.16/usb-dwc3-pci-add-id-for-one-more-intel-broxton-platform.patch new file mode 100644 index 0000000..200efac --- /dev/null +++ b/queue-3.16/usb-dwc3-pci-add-id-for-one-more-intel-broxton-platform.patch
@@ -0,0 +1,34 @@ +From: Heikki Krogerus <heikki.krogerus@linux.intel.com> +Date: Fri, 1 Apr 2016 17:13:10 +0300 +Subject: usb: dwc3: pci: add ID for one more Intel Broxton platform + +commit 1ffb4d5cc78a3a99109ff0808ce6915de07a0588 upstream. + +BXT-M is a Intel Broxton SoC based platform with unique PCI ID. + +Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> +Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> +[bwh: Backported to 3.16: adjust context, indentation] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/dwc3/dwc3-pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -34,6 +34,7 @@ + #define PCI_DEVICE_ID_INTEL_SPTLP 0x9d30 + #define PCI_DEVICE_ID_INTEL_SPTH 0xa130 + #define PCI_DEVICE_ID_INTEL_BXT 0x0aaa ++#define PCI_DEVICE_ID_INTEL_BXT_M 0x1aaa + #define PCI_DEVICE_ID_INTEL_APL 0x5aaa + + struct dwc3_pci { +@@ -194,6 +195,7 @@ static const struct pci_device_id dwc3_p + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTLP), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTH), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BXT), }, ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BXT_M), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_APL), }, + { } /* Terminating Entry */ + };
diff --git a/queue-3.16/usb-dwc3-pci-add-id-for-the-intel-comet-lake-h-variant.patch b/queue-3.16/usb-dwc3-pci-add-id-for-the-intel-comet-lake-h-variant.patch new file mode 100644 index 0000000..620de07 --- /dev/null +++ b/queue-3.16/usb-dwc3-pci-add-id-for-the-intel-comet-lake-h-variant.patch
@@ -0,0 +1,42 @@ +From: Heikki Krogerus <heikki.krogerus@linux.intel.com> +Date: Thu, 12 Dec 2019 12:37:13 +0300 +Subject: usb: dwc3: pci: add ID for the Intel Comet Lake -H variant + +commit 3c3caae4cd6e122472efcf64759ff6392fb6bce2 upstream. + +The original ID that was added for Comet Lake PCH was +actually for the -LP (low power) variant even though the +constant for it said CMLH. Changing that while at it. + +Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> +Acked-by: Felipe Balbi <balbi@kernel.org> +Link: https://lore.kernel.org/r/20191212093713.60614-1-heikki.krogerus@linux.intel.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +[bwh: Backported to 3.16: + - No properties support + - Adjust context, indentation] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/dwc3/dwc3-pci.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -37,7 +37,8 @@ + #define PCI_DEVICE_ID_INTEL_BXT_M 0x1aaa + #define PCI_DEVICE_ID_INTEL_APL 0x5aaa + #define PCI_DEVICE_ID_INTEL_KBP 0xa2b0 +-#define PCI_DEVICE_ID_INTEL_CMLH 0x02ee ++#define PCI_DEVICE_ID_INTEL_CMLLP 0x02ee ++#define PCI_DEVICE_ID_INTEL_CMLH 0x06ee + #define PCI_DEVICE_ID_INTEL_GLK 0x31aa + #define PCI_DEVICE_ID_INTEL_CNPLP 0x9dee + #define PCI_DEVICE_ID_INTEL_CNPH 0xa36e +@@ -200,6 +201,7 @@ static const struct pci_device_id dwc3_p + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BSW), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BYT), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_MRFLD), }, ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CMLLP), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CMLH), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTLP), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTH), },
diff --git a/queue-3.16/usb-dwc3-pci-add-intel-cannonlake-pci-ids.patch b/queue-3.16/usb-dwc3-pci-add-intel-cannonlake-pci-ids.patch new file mode 100644 index 0000000..745dc4b --- /dev/null +++ b/queue-3.16/usb-dwc3-pci-add-intel-cannonlake-pci-ids.patch
@@ -0,0 +1,37 @@ +From: Heikki Krogerus <heikki.krogerus@linux.intel.com> +Date: Fri, 1 Apr 2016 17:13:13 +0300 +Subject: usb: dwc3: pci: add Intel Cannonlake PCI IDs + +commit 682179592e48fa66056fbad1a86604be4992f885 upstream. + +Intel Cannonlake PCH has the same DWC3 than Intel +Sunrisepoint. Add the new IDs to the supported devices. + +Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> +Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> +[bwh: Backported to 3.16: adjust context, indentation] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/dwc3/dwc3-pci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -38,6 +38,8 @@ + #define PCI_DEVICE_ID_INTEL_APL 0x5aaa + #define PCI_DEVICE_ID_INTEL_KBP 0xa2b0 + #define PCI_DEVICE_ID_INTEL_GLK 0x31aa ++#define PCI_DEVICE_ID_INTEL_CNPLP 0x9dee ++#define PCI_DEVICE_ID_INTEL_CNPH 0xa36e + + struct dwc3_pci { + struct device *dev; +@@ -201,6 +203,8 @@ static const struct pci_device_id dwc3_p + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_APL), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_KBP), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_GLK), }, ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CNPLP), }, ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CNPH), }, + { } /* Terminating Entry */ + }; + MODULE_DEVICE_TABLE(pci, dwc3_pci_id_table);
diff --git a/queue-3.16/usb-dwc3-pci-add-intel-gemini-lake-pci-id.patch b/queue-3.16/usb-dwc3-pci-add-intel-gemini-lake-pci-id.patch new file mode 100644 index 0000000..3efb5ad --- /dev/null +++ b/queue-3.16/usb-dwc3-pci-add-intel-gemini-lake-pci-id.patch
@@ -0,0 +1,35 @@ +From: Heikki Krogerus <heikki.krogerus@linux.intel.com> +Date: Fri, 1 Apr 2016 17:13:12 +0300 +Subject: usb: dwc3: pci: add Intel Gemini Lake PCI ID + +commit 8f8983a5683623b62b339d159573f95a1fce44f3 upstream. + +Intel Gemini Lake SoC has the same DWC3 than Broxton. Add +the new ID to the supported Devices. + +Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> +Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> +[bwh: Backported to 3.16: adjust context, indentation] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/dwc3/dwc3-pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -37,6 +37,7 @@ + #define PCI_DEVICE_ID_INTEL_BXT_M 0x1aaa + #define PCI_DEVICE_ID_INTEL_APL 0x5aaa + #define PCI_DEVICE_ID_INTEL_KBP 0xa2b0 ++#define PCI_DEVICE_ID_INTEL_GLK 0x31aa + + struct dwc3_pci { + struct device *dev; +@@ -199,6 +200,7 @@ static const struct pci_device_id dwc3_p + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BXT_M), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_APL), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_KBP), }, ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_GLK), }, + { } /* Terminating Entry */ + }; + MODULE_DEVICE_TABLE(pci, dwc3_pci_id_table);
diff --git a/queue-3.16/usb-dwc3-pci-add-intel-kabylake-pci-id.patch b/queue-3.16/usb-dwc3-pci-add-intel-kabylake-pci-id.patch new file mode 100644 index 0000000..53491e1 --- /dev/null +++ b/queue-3.16/usb-dwc3-pci-add-intel-kabylake-pci-id.patch
@@ -0,0 +1,35 @@ +From: Heikki Krogerus <heikki.krogerus@linux.intel.com> +Date: Fri, 1 Apr 2016 17:13:11 +0300 +Subject: usb: dwc3: pci: add Intel Kabylake PCI ID + +commit 4491ed5042f0419b22a4b08331adb54af31e2caa upstream. + +Intel Kabylake PCH has the same DWC3 than Intel +Sunrisepoint. Add the new ID to the supported devices. + +Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> +Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> +[bwh: Backported to 3.16: adjust context, indentation] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/dwc3/dwc3-pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -36,6 +36,7 @@ + #define PCI_DEVICE_ID_INTEL_BXT 0x0aaa + #define PCI_DEVICE_ID_INTEL_BXT_M 0x1aaa + #define PCI_DEVICE_ID_INTEL_APL 0x5aaa ++#define PCI_DEVICE_ID_INTEL_KBP 0xa2b0 + + struct dwc3_pci { + struct device *dev; +@@ -197,6 +198,7 @@ static const struct pci_device_id dwc3_p + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BXT), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BXT_M), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_APL), }, ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_KBP), }, + { } /* Terminating Entry */ + }; + MODULE_DEVICE_TABLE(pci, dwc3_pci_id_table);
diff --git a/queue-3.16/usb-dwc3-pci-add-pci-id-for-intel-braswell.patch b/queue-3.16/usb-dwc3-pci-add-pci-id-for-intel-braswell.patch new file mode 100644 index 0000000..c0f6170 --- /dev/null +++ b/queue-3.16/usb-dwc3-pci-add-pci-id-for-intel-braswell.patch
@@ -0,0 +1,36 @@ +From: Alan Cox <alan@linux.intel.com> +Date: Wed, 24 Sep 2014 10:40:25 +0300 +Subject: usb: dwc3: pci: Add PCI ID for Intel Braswell + +commit 7d643664ea559b36188cae264047ce3c9bfec3a2 upstream. + +The device controller is the same but it has different PCI ID. Add this new +ID to the driver's list of supported IDs. + +Signed-off-by: Alan Cox <alan@linux.intel.com> +Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> +Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> +Signed-off-by: Felipe Balbi <balbi@ti.com> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/dwc3/dwc3-pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -30,6 +30,7 @@ + #define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3 0xabcd + #define PCI_DEVICE_ID_INTEL_BYT 0x0f37 + #define PCI_DEVICE_ID_INTEL_MRFLD 0x119e ++#define PCI_DEVICE_ID_INTEL_BSW 0x22B7 + + struct dwc3_pci { + struct device *dev; +@@ -183,6 +184,7 @@ static const struct pci_device_id dwc3_p + PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS, + PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3), + }, ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BSW), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BYT), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_MRFLD), }, + { } /* Terminating Entry */
diff --git a/queue-3.16/usb-dwc3-pci-add-support-for-comet-lake-pch-id.patch b/queue-3.16/usb-dwc3-pci-add-support-for-comet-lake-pch-id.patch new file mode 100644 index 0000000..f646d56 --- /dev/null +++ b/queue-3.16/usb-dwc3-pci-add-support-for-comet-lake-pch-id.patch
@@ -0,0 +1,35 @@ +From: Felipe Balbi <felipe.balbi@linux.intel.com> +Date: Thu, 31 Jan 2019 11:04:19 +0200 +Subject: usb: dwc3: pci: add support for Comet Lake PCH ID + +commit 7ae622c978db6b2e28b4fced6ecd2a174492059d upstream. + +This patch simply adds a new PCI Device ID + +Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> +[bwh: Backported to 3.16: + - No properties support + - Adjust context, indentation] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/dwc3/dwc3-pci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -37,6 +37,7 @@ + #define PCI_DEVICE_ID_INTEL_BXT_M 0x1aaa + #define PCI_DEVICE_ID_INTEL_APL 0x5aaa + #define PCI_DEVICE_ID_INTEL_KBP 0xa2b0 ++#define PCI_DEVICE_ID_INTEL_CMLH 0x02ee + #define PCI_DEVICE_ID_INTEL_GLK 0x31aa + #define PCI_DEVICE_ID_INTEL_CNPLP 0x9dee + #define PCI_DEVICE_ID_INTEL_CNPH 0xa36e +@@ -197,6 +198,7 @@ static const struct pci_device_id dwc3_p + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BSW), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BYT), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_MRFLD), }, ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CMLH), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTLP), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTH), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BXT), },
diff --git a/queue-3.16/usb-dwc3-pci-add-support-for-intel-broxton-soc.patch b/queue-3.16/usb-dwc3-pci-add-support-for-intel-broxton-soc.patch new file mode 100644 index 0000000..12f4ee5 --- /dev/null +++ b/queue-3.16/usb-dwc3-pci-add-support-for-intel-broxton-soc.patch
@@ -0,0 +1,36 @@ +From: Heikki Krogerus <heikki.krogerus@linux.intel.com> +Date: Wed, 21 Oct 2015 14:37:04 +0300 +Subject: usb: dwc3: pci: add support for Intel Broxton SOC + +commit b4c580a43d520b7812c0fd064fbab929ce2f1da0 upstream. + +PCI IDs for Broxton based platforms. + +Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> +Signed-off-by: Felipe Balbi <balbi@ti.com> +[bwh: Backported to 3.16: adjust context, indentation] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/dwc3/dwc3-pci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -33,6 +33,8 @@ + #define PCI_DEVICE_ID_INTEL_BSW 0x22B7 + #define PCI_DEVICE_ID_INTEL_SPTLP 0x9d30 + #define PCI_DEVICE_ID_INTEL_SPTH 0xa130 ++#define PCI_DEVICE_ID_INTEL_BXT 0x0aaa ++#define PCI_DEVICE_ID_INTEL_APL 0x5aaa + + struct dwc3_pci { + struct device *dev; +@@ -191,6 +193,8 @@ static const struct pci_device_id dwc3_p + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_MRFLD), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTLP), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTH), }, ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BXT), }, ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_APL), }, + { } /* Terminating Entry */ + }; + MODULE_DEVICE_TABLE(pci, dwc3_pci_id_table);
diff --git a/queue-3.16/usb-dwc3-pci-add-support-for-intel-elkhart-lake-devices.patch b/queue-3.16/usb-dwc3-pci-add-support-for-intel-elkhart-lake-devices.patch new file mode 100644 index 0000000..1bba546 --- /dev/null +++ b/queue-3.16/usb-dwc3-pci-add-support-for-intel-elkhart-lake-devices.patch
@@ -0,0 +1,35 @@ +From: Felipe Balbi <felipe.balbi@linux.intel.com> +Date: Mon, 11 Jun 2018 11:21:12 +0300 +Subject: usb: dwc3: pci: Add Support for Intel Elkhart Lake Devices + +commit dbb0569de852fb4576d6f62078d515f989a181ca upstream. + +This patch simply adds a new PCI Device ID + +Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> +[bwh: Backported to 3.16: + - No properties support + - Adjust context, indentation] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/dwc3/dwc3-pci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -42,6 +42,7 @@ + #define PCI_DEVICE_ID_INTEL_CNPLP 0x9dee + #define PCI_DEVICE_ID_INTEL_CNPH 0xa36e + #define PCI_DEVICE_ID_INTEL_ICLLP 0x34ee ++#define PCI_DEVICE_ID_INTEL_EHLLP 0x4b7e + + struct dwc3_pci { + struct device *dev; +@@ -209,6 +210,7 @@ static const struct pci_device_id dwc3_p + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CNPLP), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CNPH), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICLLP), }, ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_EHLLP), }, + { } /* Terminating Entry */ + }; + MODULE_DEVICE_TABLE(pci, dwc3_pci_id_table);
diff --git a/queue-3.16/usb-dwc3-pci-add-support-for-intel-icelake.patch b/queue-3.16/usb-dwc3-pci-add-support-for-intel-icelake.patch new file mode 100644 index 0000000..738c242 --- /dev/null +++ b/queue-3.16/usb-dwc3-pci-add-support-for-intel-icelake.patch
@@ -0,0 +1,34 @@ +From: Heikki Krogerus <heikki.krogerus@linux.intel.com> +Date: Thu, 15 Jun 2017 12:57:30 +0300 +Subject: usb: dwc3: pci: add support for Intel IceLake + +commit 00908693c481f7298adf8cf4d2ff3dfbea8c375f upstream. + +PCI IDs for Intel IceLake. + +Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> +Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> +[bwh: Backported to 3.16: adjust context, indentation] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/dwc3/dwc3-pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -40,6 +40,7 @@ + #define PCI_DEVICE_ID_INTEL_GLK 0x31aa + #define PCI_DEVICE_ID_INTEL_CNPLP 0x9dee + #define PCI_DEVICE_ID_INTEL_CNPH 0xa36e ++#define PCI_DEVICE_ID_INTEL_ICLLP 0x34ee + + struct dwc3_pci { + struct device *dev; +@@ -205,6 +206,7 @@ static const struct pci_device_id dwc3_p + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_GLK), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CNPLP), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CNPH), }, ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICLLP), }, + { } /* Terminating Entry */ + }; + MODULE_DEVICE_TABLE(pci, dwc3_pci_id_table);
diff --git a/queue-3.16/usb-dwc3-pci-add-support-for-intel-sunrise-point-pch.patch b/queue-3.16/usb-dwc3-pci-add-support-for-intel-sunrise-point-pch.patch new file mode 100644 index 0000000..b8764e3 --- /dev/null +++ b/queue-3.16/usb-dwc3-pci-add-support-for-intel-sunrise-point-pch.patch
@@ -0,0 +1,36 @@ +From: Heikki Krogerus <heikki.krogerus@linux.intel.com> +Date: Thu, 18 Dec 2014 16:39:14 +0200 +Subject: usb: dwc3: pci: add support for Intel Sunrise Point PCH + +commit 84a2b61b6eb94036093531cdabc448dddfbae45a upstream. + +Add PCI IDs for Intel Sunrise Point PCH. + +Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> +Signed-off-by: Felipe Balbi <balbi@ti.com> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/dwc3/dwc3-pci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -31,6 +31,8 @@ + #define PCI_DEVICE_ID_INTEL_BYT 0x0f37 + #define PCI_DEVICE_ID_INTEL_MRFLD 0x119e + #define PCI_DEVICE_ID_INTEL_BSW 0x22B7 ++#define PCI_DEVICE_ID_INTEL_SPTLP 0x9d30 ++#define PCI_DEVICE_ID_INTEL_SPTH 0xa130 + + struct dwc3_pci { + struct device *dev; +@@ -187,6 +189,8 @@ static const struct pci_device_id dwc3_p + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BSW), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BYT), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_MRFLD), }, ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTLP), }, ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTH), }, + { } /* Terminating Entry */ + }; + MODULE_DEVICE_TABLE(pci, dwc3_pci_id_table);
diff --git a/queue-3.16/usb-dwc3-pci-add-support-for-tigerlake-devices.patch b/queue-3.16/usb-dwc3-pci-add-support-for-tigerlake-devices.patch new file mode 100644 index 0000000..a509bf4 --- /dev/null +++ b/queue-3.16/usb-dwc3-pci-add-support-for-tigerlake-devices.patch
@@ -0,0 +1,35 @@ +From: Felipe Balbi <felipe.balbi@linux.intel.com> +Date: Wed, 13 Dec 2017 16:03:22 +0200 +Subject: usb: dwc3: pci: add support for TigerLake Devices + +commit b3649dee5fbb0f6585010e6e9313dfcbb075b22b upstream. + +This patch adds the necessary PCI ID for TGP-LP devices. + +Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> +[bwh: Backported to 3.16: + - No properties support + - Adjust context, indentation] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/dwc3/dwc3-pci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -43,6 +43,7 @@ + #define PCI_DEVICE_ID_INTEL_CNPH 0xa36e + #define PCI_DEVICE_ID_INTEL_ICLLP 0x34ee + #define PCI_DEVICE_ID_INTEL_EHLLP 0x4b7e ++#define PCI_DEVICE_ID_INTEL_TGPLP 0xa0ee + + struct dwc3_pci { + struct device *dev; +@@ -211,6 +212,7 @@ static const struct pci_device_id dwc3_p + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CNPH), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICLLP), }, + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_EHLLP), }, ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_TGPLP), }, + { } /* Terminating Entry */ + }; + MODULE_DEVICE_TABLE(pci, dwc3_pci_id_table);
diff --git a/queue-3.16/usb-ehci-do-not-return-epipe-when-hub-is-disconnected.patch b/queue-3.16/usb-ehci-do-not-return-epipe-when-hub-is-disconnected.patch new file mode 100644 index 0000000..04737e6 --- /dev/null +++ b/queue-3.16/usb-ehci-do-not-return-epipe-when-hub-is-disconnected.patch
@@ -0,0 +1,81 @@ +From: Erkka Talvitie <erkka.talvitie@vincit.fi> +Date: Wed, 11 Dec 2019 10:08:39 +0200 +Subject: USB: EHCI: Do not return -EPIPE when hub is disconnected + +commit 64cc3f12d1c7dd054a215bc1ff9cc2abcfe35832 upstream. + +When disconnecting a USB hub that has some child device(s) connected to it +(such as a USB mouse), then the stack tries to clear halt and +reset device(s) which are _already_ physically disconnected. + +The issue has been reproduced with: + +CPU: IMX6D5EYM10AD or MCIMX6D5EYM10AE. +SW: U-Boot 2019.07 and kernel 4.19.40. + +CPU: HP Proliant Microserver Gen8. +SW: Linux version 4.2.3-300.fc23.x86_64 + +In this situation there will be error bit for MMF active yet the +CERR equals EHCI_TUNE_CERR + halt. Existing implementation +interprets this as a stall [1] (chapter 8.4.5). + +The possible conditions when the MMF will be active + halt +can be found from [2] (Table 4-13). + +Fix for the issue is to check whether MMF is active and PID Code is +IN before checking for the stall. If these conditions are true then +it is not a stall. + +What happens after the fix is that when disconnecting a hub with +attached device(s) the situation is not interpret as a stall. + +[1] [https://www.usb.org/document-library/usb-20-specification, usb_20.pdf] +[2] [https://www.intel.com/content/dam/www/public/us/en/documents/ + technical-specifications/ehci-specification-for-usb.pdf] + +Signed-off-by: Erkka Talvitie <erkka.talvitie@vincit.fi> +Reviewed-by: Alan Stern <stern@rowland.harvard.edu> +Link: https://lore.kernel.org/r/ef70941d5f349767f19c0ed26b0dd9eed8ad81bb.1576050523.git.erkka.talvitie@vincit.fi +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/host/ehci-q.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/ehci-q.c ++++ b/drivers/usb/host/ehci-q.c +@@ -40,6 +40,10 @@ + + /*-------------------------------------------------------------------------*/ + ++/* PID Codes that are used here, from EHCI specification, Table 3-16. */ ++#define PID_CODE_IN 1 ++#define PID_CODE_SETUP 2 ++ + /* fill a qtd, returning how much of the buffer we were able to queue up */ + + static int +@@ -199,7 +203,7 @@ static int qtd_copy_status ( + int status = -EINPROGRESS; + + /* count IN/OUT bytes, not SETUP (even short packets) */ +- if (likely (QTD_PID (token) != 2)) ++ if (likely(QTD_PID(token) != PID_CODE_SETUP)) + urb->actual_length += length - QTD_LENGTH (token); + + /* don't modify error codes */ +@@ -215,6 +219,13 @@ static int qtd_copy_status ( + if (token & QTD_STS_BABBLE) { + /* FIXME "must" disable babbling device's port too */ + status = -EOVERFLOW; ++ /* ++ * When MMF is active and PID Code is IN, queue is halted. ++ * EHCI Specification, Table 4-13. ++ */ ++ } else if ((token & QTD_STS_MMF) && ++ (QTD_PID(token) == PID_CODE_IN)) { ++ status = -EPROTO; + /* CERR nonzero + halt --> stall */ + } else if (QTD_CERR(token)) { + status = -EPIPE;
diff --git a/queue-3.16/usb-idmouse-fix-interface-sanity-checks.patch b/queue-3.16/usb-idmouse-fix-interface-sanity-checks.patch new file mode 100644 index 0000000..ad6e7e7 --- /dev/null +++ b/queue-3.16/usb-idmouse-fix-interface-sanity-checks.patch
@@ -0,0 +1,32 @@ +From: Johan Hovold <johan@kernel.org> +Date: Tue, 10 Dec 2019 12:26:00 +0100 +Subject: USB: idmouse: fix interface sanity checks + +commit 59920635b89d74b9207ea803d5e91498d39e8b69 upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Johan Hovold <johan@kernel.org> +Link: https://lore.kernel.org/r/20191210112601.3561-4-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/misc/idmouse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/misc/idmouse.c ++++ b/drivers/usb/misc/idmouse.c +@@ -342,7 +342,7 @@ static int idmouse_probe(struct usb_inte + int result; + + /* check if we have gotten the data or the hid interface */ +- iface_desc = &interface->altsetting[0]; ++ iface_desc = interface->cur_altsetting; + if (iface_desc->desc.bInterfaceClass != 0x0A) + return -ENODEV; +
diff --git a/queue-3.16/usb-mon-fix-a-deadlock-in-usbmon-between-mmap-and-read.patch b/queue-3.16/usb-mon-fix-a-deadlock-in-usbmon-between-mmap-and-read.patch new file mode 100644 index 0000000..71064e7 --- /dev/null +++ b/queue-3.16/usb-mon-fix-a-deadlock-in-usbmon-between-mmap-and-read.patch
@@ -0,0 +1,100 @@ +From: Pete Zaitcev <zaitcev@redhat.com> +Date: Wed, 4 Dec 2019 20:39:41 -0600 +Subject: usb: mon: Fix a deadlock in usbmon between mmap and read + +commit 19e6317d24c25ee737c65d1ffb7483bdda4bb54a upstream. + +The problem arises because our read() function grabs a lock of the +circular buffer, finds something of interest, then invokes copy_to_user() +straight from the buffer, which in turn takes mm->mmap_sem. In the same +time, the callback mon_bin_vma_fault() is invoked under mm->mmap_sem. +It attempts to take the fetch lock and deadlocks. + +This patch does away with protecting of our page list with any +semaphores, and instead relies on the kernel not close the device +while mmap is active in a process. + +In addition, we prohibit re-sizing of a buffer while mmap is active. +This way, when (now unlocked) fault is processed, it works with the +page that is intended to be mapped-in, and not some other random page. +Note that this may have an ABI impact, but hopefully no legitimate +program is this wrong. + +Signed-off-by: Pete Zaitcev <zaitcev@redhat.com> +Reported-by: syzbot+56f9673bb4cdcbeb0e92@syzkaller.appspotmail.com +Reviewed-by: Alan Stern <stern@rowland.harvard.edu> +Fixes: 46eb14a6e158 ("USB: fix usbmon BUG trigger") +Link: https://lore.kernel.org/r/20191204203941.3503452b@suzdal.zaitcev.lan +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/mon/mon_bin.c | 32 +++++++++++++++++++++----------- + 1 file changed, 21 insertions(+), 11 deletions(-) + +--- a/drivers/usb/mon/mon_bin.c ++++ b/drivers/usb/mon/mon_bin.c +@@ -1034,12 +1034,18 @@ static long mon_bin_ioctl(struct file *f + + mutex_lock(&rp->fetch_lock); + spin_lock_irqsave(&rp->b_lock, flags); +- mon_free_buff(rp->b_vec, rp->b_size/CHUNK_SIZE); +- kfree(rp->b_vec); +- rp->b_vec = vec; +- rp->b_size = size; +- rp->b_read = rp->b_in = rp->b_out = rp->b_cnt = 0; +- rp->cnt_lost = 0; ++ if (rp->mmap_active) { ++ mon_free_buff(vec, size/CHUNK_SIZE); ++ kfree(vec); ++ ret = -EBUSY; ++ } else { ++ mon_free_buff(rp->b_vec, rp->b_size/CHUNK_SIZE); ++ kfree(rp->b_vec); ++ rp->b_vec = vec; ++ rp->b_size = size; ++ rp->b_read = rp->b_in = rp->b_out = rp->b_cnt = 0; ++ rp->cnt_lost = 0; ++ } + spin_unlock_irqrestore(&rp->b_lock, flags); + mutex_unlock(&rp->fetch_lock); + } +@@ -1211,13 +1217,21 @@ mon_bin_poll(struct file *file, struct p + static void mon_bin_vma_open(struct vm_area_struct *vma) + { + struct mon_reader_bin *rp = vma->vm_private_data; ++ unsigned long flags; ++ ++ spin_lock_irqsave(&rp->b_lock, flags); + rp->mmap_active++; ++ spin_unlock_irqrestore(&rp->b_lock, flags); + } + + static void mon_bin_vma_close(struct vm_area_struct *vma) + { ++ unsigned long flags; ++ + struct mon_reader_bin *rp = vma->vm_private_data; ++ spin_lock_irqsave(&rp->b_lock, flags); + rp->mmap_active--; ++ spin_unlock_irqrestore(&rp->b_lock, flags); + } + + /* +@@ -1229,16 +1243,12 @@ static int mon_bin_vma_fault(struct vm_a + unsigned long offset, chunk_idx; + struct page *pageptr; + +- mutex_lock(&rp->fetch_lock); + offset = vmf->pgoff << PAGE_SHIFT; +- if (offset >= rp->b_size) { +- mutex_unlock(&rp->fetch_lock); ++ if (offset >= rp->b_size) + return VM_FAULT_SIGBUS; +- } + chunk_idx = offset / CHUNK_SIZE; + pageptr = rp->b_vec[chunk_idx].pg; + get_page(pageptr); +- mutex_unlock(&rp->fetch_lock); + vmf->page = pageptr; + return 0; + }
diff --git a/queue-3.16/usb-musb-dma-correct-parameter-passed-to-irq-handler.patch b/queue-3.16/usb-musb-dma-correct-parameter-passed-to-irq-handler.patch new file mode 100644 index 0000000..4505a72 --- /dev/null +++ b/queue-3.16/usb-musb-dma-correct-parameter-passed-to-irq-handler.patch
@@ -0,0 +1,31 @@ +From: Paul Cercueil <paul@crapouillou.net> +Date: Mon, 16 Dec 2019 10:18:43 -0600 +Subject: usb: musb: dma: Correct parameter passed to IRQ handler + +commit c80d0f4426c7fdc7efd6ae8d8b021dcfc89b4254 upstream. + +The IRQ handler was passed a pointer to a struct dma_controller, but the +argument was then casted to a pointer to a struct musb_dma_controller. + +Fixes: 427c4f333474 ("usb: struct device - replace bus_id with dev_name(), dev_set_name()") +Signed-off-by: Paul Cercueil <paul@crapouillou.net> +Tested-by: Artur Rojek <contact@artur-rojek.eu> +Signed-off-by: Bin Liu <b-liu@ti.com> +Link: https://lore.kernel.org/r/20191216161844.772-2-b-liu@ti.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/musb/musbhsdma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/musb/musbhsdma.c ++++ b/drivers/usb/musb/musbhsdma.c +@@ -396,7 +396,7 @@ struct dma_controller *dma_controller_cr + controller->controller.channel_abort = dma_channel_abort; + + if (request_irq(irq, dma_controller_irq, 0, +- dev_name(musb->controller), &controller->controller)) { ++ dev_name(musb->controller), controller)) { + dev_err(dev, "request_irq %d failed!\n", irq); + dma_controller_destroy(&controller->controller); +
diff --git a/queue-3.16/usb-quirks-blacklist-duplicate-ep-on-sound-devices-usbpre2.patch b/queue-3.16/usb-quirks-blacklist-duplicate-ep-on-sound-devices-usbpre2.patch new file mode 100644 index 0000000..2cd3834 --- /dev/null +++ b/queue-3.16/usb-quirks-blacklist-duplicate-ep-on-sound-devices-usbpre2.patch
@@ -0,0 +1,142 @@ +From: Johan Hovold <johan@kernel.org> +Date: Mon, 3 Feb 2020 16:38:29 +0100 +Subject: USB: quirks: blacklist duplicate ep on Sound Devices USBPre2 + +commit bdd1b147b8026df0e4260b387026b251d888ed01 upstream. + +This device has a broken vendor-specific altsetting for interface 1, +where endpoint 0x85 is declared as an isochronous endpoint despite being +used by interface 2 for audio capture. + +Device Descriptor: + bLength 18 + bDescriptorType 1 + bcdUSB 2.00 + bDeviceClass 239 Miscellaneous Device + bDeviceSubClass 2 + bDeviceProtocol 1 Interface Association + bMaxPacketSize0 64 + idVendor 0x0926 + idProduct 0x0202 + bcdDevice 1.00 + iManufacturer 1 Sound Devices + iProduct 2 USBPre2 + iSerial 3 [...] + bNumConfigurations 1 + +[...] + + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 1 + bAlternateSetting 3 + bNumEndpoints 2 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 0 + bInterfaceProtocol 0 + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x85 EP 5 IN + bmAttributes 5 + Transfer Type Isochronous + Synch Type Asynchronous + Usage Type Data + wMaxPacketSize 0x0126 1x 294 bytes + bInterval 1 + +[...] + + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 2 + bAlternateSetting 1 + bNumEndpoints 1 + bInterfaceClass 1 Audio + bInterfaceSubClass 2 Streaming + bInterfaceProtocol 0 + iInterface 0 + AudioStreaming Interface Descriptor: + bLength 7 + bDescriptorType 36 + bDescriptorSubtype 1 (AS_GENERAL) + bTerminalLink 4 + bDelay 1 frames + wFormatTag 0x0001 PCM + AudioStreaming Interface Descriptor: + bLength 26 + bDescriptorType 36 + bDescriptorSubtype 2 (FORMAT_TYPE) + bFormatType 1 (FORMAT_TYPE_I) + bNrChannels 2 + bSubframeSize 2 + bBitResolution 16 + bSamFreqType 6 Discrete + tSamFreq[ 0] 8000 + tSamFreq[ 1] 16000 + tSamFreq[ 2] 24000 + tSamFreq[ 3] 32000 + tSamFreq[ 4] 44100 + tSamFreq[ 5] 48000 + Endpoint Descriptor: + bLength 9 + bDescriptorType 5 + bEndpointAddress 0x85 EP 5 IN + bmAttributes 5 + Transfer Type Isochronous + Synch Type Asynchronous + Usage Type Data + wMaxPacketSize 0x0126 1x 294 bytes + bInterval 4 + bRefresh 0 + bSynchAddress 0 + AudioStreaming Endpoint Descriptor: + bLength 7 + bDescriptorType 37 + bDescriptorSubtype 1 (EP_GENERAL) + bmAttributes 0x01 + Sampling Frequency + bLockDelayUnits 2 Decoded PCM samples + wLockDelay 0x0000 + +Since commit 3e4f8e21c4f2 ("USB: core: fix check for duplicate +endpoints") USB core ignores any duplicate endpoints found during +descriptor parsing, but in this case we need to ignore the first +instance in order to avoid breaking the audio capture interface. + +Fixes: 3e4f8e21c4f2 ("USB: core: fix check for duplicate endpoints") +Reported-by: edes <edes@gmx.net> +Tested-by: edes <edes@gmx.net> +Link: https://lore.kernel.org/r/20200201105829.5682c887@acme7.acmenet +Signed-off-by: Johan Hovold <johan@kernel.org> +Link: https://lore.kernel.org/r/20200203153830.26394-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/core/quirks.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -206,6 +206,10 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x0904, 0x6103), .driver_info = + USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL }, + ++ /* Sound Devices USBPre2 */ ++ { USB_DEVICE(0x0926, 0x0202), .driver_info = ++ USB_QUIRK_ENDPOINT_BLACKLIST }, ++ + /* Keytouch QWERTY Panel keyboard */ + { USB_DEVICE(0x0926, 0x3333), .driver_info = + USB_QUIRK_CONFIG_INTF_STRINGS }, +@@ -325,6 +329,7 @@ static const struct usb_device_id usb_am + * Matched for devices with USB_QUIRK_ENDPOINT_BLACKLIST. + */ + static const struct usb_device_id usb_endpoint_blacklist[] = { ++ { USB_DEVICE_INTERFACE_NUMBER(0x0926, 0x0202, 1), .driver_info = 0x85 }, + { } + }; +
diff --git a/queue-3.16/usb-serial-ch341-handle-unbound-port-at-reset_resume.patch b/queue-3.16/usb-serial-ch341-handle-unbound-port-at-reset_resume.patch new file mode 100644 index 0000000..9c61836 --- /dev/null +++ b/queue-3.16/usb-serial-ch341-handle-unbound-port-at-reset_resume.patch
@@ -0,0 +1,35 @@ +From: Johan Hovold <johan@kernel.org> +Date: Fri, 17 Jan 2020 10:50:22 +0100 +Subject: USB: serial: ch341: handle unbound port at reset_resume + +commit 4d5ef53f75c22d28f490bcc5c771fcc610a9afa4 upstream. + +Check for NULL port data in reset_resume() to avoid dereferencing a NULL +pointer in case the port device isn't bound to a driver (e.g. after a +failed control request at port probe). + +Fixes: 1ded7ea47b88 ("USB: ch341 serial: fix port number changed after resume") +Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/serial/ch341.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/ch341.c ++++ b/drivers/usb/serial/ch341.c +@@ -571,9 +571,13 @@ static int ch341_tiocmget(struct tty_str + static int ch341_reset_resume(struct usb_serial *serial) + { + struct usb_serial_port *port = serial->port[0]; +- struct ch341_private *priv = usb_get_serial_port_data(port); ++ struct ch341_private *priv; + int ret; + ++ priv = usb_get_serial_port_data(port); ++ if (!priv) ++ return 0; ++ + /* reconfigure ch341 serial port after bus-reset */ + ch341_configure(serial->dev, priv); +
diff --git a/queue-3.16/usb-serial-io_edgeport-add-missing-active-port-sanity-check.patch b/queue-3.16/usb-serial-io_edgeport-add-missing-active-port-sanity-check.patch new file mode 100644 index 0000000..03f0646 --- /dev/null +++ b/queue-3.16/usb-serial-io_edgeport-add-missing-active-port-sanity-check.patch
@@ -0,0 +1,62 @@ +From: Johan Hovold <johan@kernel.org> +Date: Fri, 17 Jan 2020 10:50:24 +0100 +Subject: USB: serial: io_edgeport: add missing active-port sanity check + +commit 1568c58d11a7c851bd09341aeefd6a1c308ac40d upstream. + +The driver receives the active port number from the device, but never +made sure that the port number was valid. This could lead to a +NULL-pointer dereference or memory corruption in case a device sends +data for an invalid port. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/serial/io_edgeport.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/usb/serial/io_edgeport.c ++++ b/drivers/usb/serial/io_edgeport.c +@@ -1666,7 +1666,8 @@ static void edge_break(struct tty_struct + static void process_rcvd_data(struct edgeport_serial *edge_serial, + unsigned char *buffer, __u16 bufferLength) + { +- struct device *dev = &edge_serial->serial->dev->dev; ++ struct usb_serial *serial = edge_serial->serial; ++ struct device *dev = &serial->dev->dev; + struct usb_serial_port *port; + struct edgeport_port *edge_port; + __u16 lastBufferLength; +@@ -1771,9 +1772,8 @@ static void process_rcvd_data(struct edg + + /* spit this data back into the tty driver if this + port is open */ +- if (rxLen) { +- port = edge_serial->serial->port[ +- edge_serial->rxPort]; ++ if (rxLen && edge_serial->rxPort < serial->num_ports) { ++ port = serial->port[edge_serial->rxPort]; + edge_port = usb_get_serial_port_data(port); + if (edge_port && edge_port->open) { + dev_dbg(dev, "%s - Sending %d bytes to TTY for port %d\n", +@@ -1783,8 +1783,8 @@ static void process_rcvd_data(struct edg + rxLen); + edge_port->port->icount.rx += rxLen; + } +- buffer += rxLen; + } ++ buffer += rxLen; + break; + + case EXPECT_HDR3: /* Expect 3rd byte of status header */ +@@ -1819,6 +1819,8 @@ static void process_rcvd_status(struct e + __u8 code = edge_serial->rxStatusCode; + + /* switch the port pointer to the one being currently talked about */ ++ if (edge_serial->rxPort >= edge_serial->serial->num_ports) ++ return; + port = edge_serial->serial->port[edge_serial->rxPort]; + edge_port = usb_get_serial_port_data(port); + if (edge_port == NULL) {
diff --git a/queue-3.16/usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch b/queue-3.16/usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch new file mode 100644 index 0000000..a28dcaf --- /dev/null +++ b/queue-3.16/usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch
@@ -0,0 +1,46 @@ +From: Johan Hovold <johan@kernel.org> +Date: Tue, 10 Dec 2019 12:26:01 +0100 +Subject: USB: serial: io_edgeport: fix epic endpoint lookup + +commit 7c5a2df3367a2c4984f1300261345817d95b71f8 upstream. + +Make sure to use the current alternate setting when looking up the +endpoints on epic devices to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver") +Signed-off-by: Johan Hovold <johan@kernel.org> +Link: https://lore.kernel.org/r/20191210112601.3561-5-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/serial/io_edgeport.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/usb/serial/io_edgeport.c ++++ b/drivers/usb/serial/io_edgeport.c +@@ -2859,16 +2859,18 @@ static int edge_startup(struct usb_seria + response = 0; + + if (edge_serial->is_epic) { ++ struct usb_host_interface *alt; ++ ++ alt = serial->interface->cur_altsetting; ++ + /* EPIC thing, set up our interrupt polling now and our read + * urb, so that the device knows it really is connected. */ + interrupt_in_found = bulk_in_found = bulk_out_found = false; +- for (i = 0; i < serial->interface->altsetting[0] +- .desc.bNumEndpoints; ++i) { ++ for (i = 0; i < alt->desc.bNumEndpoints; ++i) { + struct usb_endpoint_descriptor *endpoint; + int buffer_size; + +- endpoint = &serial->interface->altsetting[0]. +- endpoint[i].desc; ++ endpoint = &alt->endpoint[i].desc; + buffer_size = usb_endpoint_maxp(endpoint); + if (!interrupt_in_found && + (usb_endpoint_is_int_in(endpoint))) {
diff --git a/queue-3.16/usb-serial-io_edgeport-handle-unbound-ports-on-urb-completion.patch b/queue-3.16/usb-serial-io_edgeport-handle-unbound-ports-on-urb-completion.patch new file mode 100644 index 0000000..0fee93d --- /dev/null +++ b/queue-3.16/usb-serial-io_edgeport-handle-unbound-ports-on-urb-completion.patch
@@ -0,0 +1,41 @@ +From: Johan Hovold <johan@kernel.org> +Date: Fri, 17 Jan 2020 10:50:23 +0100 +Subject: USB: serial: io_edgeport: handle unbound ports on URB completion + +commit e37d1aeda737a20b1846a91a3da3f8b0f00cf690 upstream. + +Check for NULL port data in the shared interrupt and bulk completion +callbacks to avoid dereferencing a NULL pointer in case a device sends +data for a port device which isn't bound to a driver (e.g. due to a +malicious device having unexpected endpoints or after an allocation +failure on port probe). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Johan Hovold <johan@kernel.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/serial/io_edgeport.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/serial/io_edgeport.c ++++ b/drivers/usb/serial/io_edgeport.c +@@ -638,7 +638,7 @@ static void edge_interrupt_callback(stru + if (txCredits) { + port = edge_serial->serial->port[portNumber]; + edge_port = usb_get_serial_port_data(port); +- if (edge_port->open) { ++ if (edge_port && edge_port->open) { + spin_lock(&edge_port->ep_lock); + edge_port->txCredits += txCredits; + spin_unlock(&edge_port->ep_lock); +@@ -1775,7 +1775,7 @@ static void process_rcvd_data(struct edg + port = edge_serial->serial->port[ + edge_serial->rxPort]; + edge_port = usb_get_serial_port_data(port); +- if (edge_port->open) { ++ if (edge_port && edge_port->open) { + dev_dbg(dev, "%s - Sending %d bytes to TTY for port %d\n", + __func__, rxLen, + edge_serial->rxPort);
diff --git a/queue-3.16/usb-serial-keyspan-handle-unbound-ports.patch b/queue-3.16/usb-serial-keyspan-handle-unbound-ports.patch new file mode 100644 index 0000000..3e810a6 --- /dev/null +++ b/queue-3.16/usb-serial-keyspan-handle-unbound-ports.patch
@@ -0,0 +1,33 @@ +From: Johan Hovold <johan@kernel.org> +Date: Fri, 17 Jan 2020 10:50:25 +0100 +Subject: USB: serial: keyspan: handle unbound ports + +commit 3018dd3fa114b13261e9599ddb5656ef97a1fa17 upstream. + +Check for NULL port data in the control URB completion handlers to avoid +dereferencing a NULL pointer in the unlikely case where a port device +isn't bound to a driver (e.g. after an allocation failure on port +probe()). + +Fixes: 0ca1268e109a ("USB Serial Keyspan: add support for USA-49WG & USA-28XG") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/serial/keyspan.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/serial/keyspan.c ++++ b/drivers/usb/serial/keyspan.c +@@ -962,6 +962,10 @@ static void usa67_glocont_callback(struc + for (i = 0; i < serial->num_ports; ++i) { + port = serial->port[i]; + p_priv = usb_get_serial_port_data(port); ++ if (!p_priv) ++ continue; ++ if (!p_priv) ++ continue; + + if (p_priv->resend_cont) { + dev_dbg(&port->dev, "%s - sending setup\n", __func__);
diff --git a/queue-3.16/usb-serial-opticon-fix-control-message-timeouts.patch b/queue-3.16/usb-serial-opticon-fix-control-message-timeouts.patch new file mode 100644 index 0000000..f6597e2 --- /dev/null +++ b/queue-3.16/usb-serial-opticon-fix-control-message-timeouts.patch
@@ -0,0 +1,34 @@ +From: Johan Hovold <johan@kernel.org> +Date: Mon, 13 Jan 2020 18:22:13 +0100 +Subject: USB: serial: opticon: fix control-message timeouts + +commit 5e28055f340275a8616eee88ef19186631b4d136 upstream. + +The driver was issuing synchronous uninterruptible control requests +without using a timeout. This could lead to the driver hanging +on open() or tiocmset() due to a malfunctioning (or malicious) device +until the device is physically disconnected. + +The USB upper limit of five seconds per request should be more than +enough. + +Fixes: 309a057932ab ("USB: opticon: add rts and cts support") +Cc: Martin Jansen <martin.jansen@opticon.com> +Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/serial/opticon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/serial/opticon.c ++++ b/drivers/usb/serial/opticon.c +@@ -116,7 +116,7 @@ static int send_control_msg(struct usb_s + retval = usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0), + requesttype, + USB_DIR_OUT|USB_TYPE_VENDOR|USB_RECIP_INTERFACE, +- 0, 0, buffer, 1, 0); ++ 0, 0, buffer, 1, USB_CTRL_SET_TIMEOUT); + kfree(buffer); + + if (retval < 0)
diff --git a/queue-3.16/usb-serial-quatech2-handle-unbound-ports.patch b/queue-3.16/usb-serial-quatech2-handle-unbound-ports.patch new file mode 100644 index 0000000..90034a0 --- /dev/null +++ b/queue-3.16/usb-serial-quatech2-handle-unbound-ports.patch
@@ -0,0 +1,47 @@ +From: Johan Hovold <johan@kernel.org> +Date: Fri, 17 Jan 2020 15:35:26 +0100 +Subject: USB: serial: quatech2: handle unbound ports + +commit 9715a43eea77e42678a1002623f2d9a78f5b81a1 upstream. + +Check for NULL port data in the modem- and line-status handlers to avoid +dereferencing a NULL pointer in the unlikely case where a port device +isn't bound to a driver (e.g. after an allocation failure on port +probe). + +Note that the other (stubbed) event handlers qt2_process_xmit_empty() +and qt2_process_flush() would need similar sanity checks in case they +are ever implemented. + +Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver") +Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/serial/quatech2.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/serial/quatech2.c ++++ b/drivers/usb/serial/quatech2.c +@@ -872,7 +872,10 @@ static void qt2_update_msr(struct usb_se + u8 newMSR = (u8) *ch; + unsigned long flags; + ++ /* May be called from qt2_process_read_urb() for an unbound port. */ + port_priv = usb_get_serial_port_data(port); ++ if (!port_priv) ++ return; + + spin_lock_irqsave(&port_priv->lock, flags); + port_priv->shadowMSR = newMSR; +@@ -900,7 +903,10 @@ static void qt2_update_lsr(struct usb_se + unsigned long flags; + u8 newLSR = (u8) *ch; + ++ /* May be called from qt2_process_read_urb() for an unbound port. */ + port_priv = usb_get_serial_port_data(port); ++ if (!port_priv) ++ return; + + if (newLSR & UART_LSR_BI) + newLSR &= (u8) (UART_LSR_OE | UART_LSR_BI);
diff --git a/queue-3.16/usb-serial-simple-add-motorola-solutions-tetra-mtp3xxx-and-mtp85xx.patch b/queue-3.16/usb-serial-simple-add-motorola-solutions-tetra-mtp3xxx-and-mtp85xx.patch new file mode 100644 index 0000000..310b5f5 --- /dev/null +++ b/queue-3.16/usb-serial-simple-add-motorola-solutions-tetra-mtp3xxx-and-mtp85xx.patch
@@ -0,0 +1,206 @@ +From: =?UTF-8?q?Jer=C3=B3nimo=20Borque?= <jeronimo@borque.com.ar> +Date: Thu, 9 Jan 2020 12:23:34 -0300 +Subject: USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 260e41ac4dd3e5acb90be624c03ba7f019615b75 upstream. + +Add device-ids for the Motorola Solutions TETRA radios MTP3xxx series +and MTP85xx series + +$ lsusb -vd 0cad: + +Bus 001 Device 009: ID 0cad:9015 Motorola CGISS TETRA PEI interface +Device Descriptor: + bLength 18 + bDescriptorType 1 + bcdUSB 2.00 + bDeviceClass 0 + bDeviceSubClass 0 + bDeviceProtocol 0 + bMaxPacketSize0 64 + idVendor 0x0cad Motorola CGISS + idProduct 0x9015 + bcdDevice 24.16 + iManufacturer 1 + iProduct 2 + iSerial 0 + bNumConfigurations 1 + Configuration Descriptor: + bLength 9 + bDescriptorType 2 + wTotalLength 0x0037 + bNumInterfaces 2 + bConfigurationValue 1 + iConfiguration 3 + bmAttributes 0x80 + (Bus Powered) + MaxPower 500mA + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 0 + bAlternateSetting 0 + bNumEndpoints 2 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 0 + bInterfaceProtocol 0 + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x81 EP 1 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0040 1x 64 bytes + bInterval 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x01 EP 1 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0040 1x 64 bytes + bInterval 0 + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 1 + bAlternateSetting 0 + bNumEndpoints 2 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 0 + bInterfaceProtocol 0 + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x82 EP 2 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0040 1x 64 bytes + bInterval 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x02 EP 2 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0040 1x 64 bytes + bInterval 0 + +Bus 001 Device 010: ID 0cad:9013 Motorola CGISS TETRA PEI interface +Device Descriptor: + bLength 18 + bDescriptorType 1 + bcdUSB 2.00 + bDeviceClass 0 + bDeviceSubClass 0 + bDeviceProtocol 0 + bMaxPacketSize0 64 + idVendor 0x0cad Motorola CGISS + idProduct 0x9013 + bcdDevice 24.16 + iManufacturer 1 + iProduct 2 + iSerial 0 + bNumConfigurations 1 + Configuration Descriptor: + bLength 9 + bDescriptorType 2 + wTotalLength 0x0037 + bNumInterfaces 2 + bConfigurationValue 1 + iConfiguration 3 + bmAttributes 0x80 + (Bus Powered) + MaxPower 500mA + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 0 + bAlternateSetting 0 + bNumEndpoints 2 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 0 + bInterfaceProtocol 0 + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x81 EP 1 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x01 EP 1 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 0 + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 1 + bAlternateSetting 0 + bNumEndpoints 2 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 0 + bInterfaceProtocol 0 + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x82 EP 2 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x02 EP 2 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 0 + +Signed-off-by: Jerónimo Borque <jeronimo@borque.com.ar> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/serial/usb-serial-simple.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/usb-serial-simple.c ++++ b/drivers/usb/serial/usb-serial-simple.c +@@ -89,6 +89,8 @@ DEVICE(moto_modem, MOTO_IDS); + #define MOTOROLA_TETRA_IDS() \ + { USB_DEVICE(0x0cad, 0x9011) }, /* Motorola Solutions TETRA PEI */ \ + { USB_DEVICE(0x0cad, 0x9012) }, /* MTP6550 */ \ ++ { USB_DEVICE(0x0cad, 0x9013) }, /* MTP3xxx */ \ ++ { USB_DEVICE(0x0cad, 0x9015) }, /* MTP85xx */ \ + { USB_DEVICE(0x0cad, 0x9016) } /* TPG2200 */ + DEVICE(motorola_tetra, MOTOROLA_TETRA_IDS); +
diff --git a/queue-3.16/usb-serial-suppress-driver-bind-attributes.patch b/queue-3.16/usb-serial-suppress-driver-bind-attributes.patch new file mode 100644 index 0000000..64778b2 --- /dev/null +++ b/queue-3.16/usb-serial-suppress-driver-bind-attributes.patch
@@ -0,0 +1,36 @@ +From: Johan Hovold <johan@kernel.org> +Date: Thu, 16 Jan 2020 17:07:05 +0100 +Subject: USB: serial: suppress driver bind attributes + +commit fdb838efa31e1ed9a13ae6ad0b64e30fdbd00570 upstream. + +USB-serial drivers must not be unbound from their ports before the +corresponding USB driver is unbound from the parent interface so +suppress the bind and unbind attributes. + +Unbinding a serial driver while it's port is open is a sure way to +trigger a crash as any driver state is released on unbind while port +hangup is handled on the parent USB interface level. Drivers for +multiport devices where ports share a resource such as an interrupt +endpoint also generally cannot handle individual ports going away. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/serial/usb-serial.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/serial/usb-serial.c ++++ b/drivers/usb/serial/usb-serial.c +@@ -1337,6 +1337,9 @@ static int usb_serial_register(struct us + return -EINVAL; + } + ++ /* Prevent individual ports from being unbound. */ ++ driver->driver.suppress_bind_attrs = true; ++ + usb_serial_operations_init(driver); + + /* Add this device to our list of devices */
diff --git a/queue-3.16/usbip-fix-error-path-of-vhci_recv_ret_submit.patch b/queue-3.16/usbip-fix-error-path-of-vhci_recv_ret_submit.patch new file mode 100644 index 0000000..a04869a --- /dev/null +++ b/queue-3.16/usbip-fix-error-path-of-vhci_recv_ret_submit.patch
@@ -0,0 +1,67 @@ +From: Suwan Kim <suwan.kim027@gmail.com> +Date: Fri, 13 Dec 2019 11:30:55 +0900 +Subject: usbip: Fix error path of vhci_recv_ret_submit() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit aabb5b833872524eaf28f52187e5987984982264 upstream. + +If a transaction error happens in vhci_recv_ret_submit(), event +handler closes connection and changes port status to kick hub_event. +Then hub tries to flush the endpoint URBs, but that causes infinite +loop between usb_hub_flush_endpoint() and vhci_urb_dequeue() because +"vhci_priv" in vhci_urb_dequeue() was already released by +vhci_recv_ret_submit() before a transmission error occurred. Thus, +vhci_urb_dequeue() terminates early and usb_hub_flush_endpoint() +continuously calls vhci_urb_dequeue(). + +The root cause of this issue is that vhci_recv_ret_submit() +terminates early without giving back URB when transaction error +occurs in vhci_recv_ret_submit(). That causes the error URB to still +be linked at endpoint list without “vhci_priv". + +So, in the case of transaction error in vhci_recv_ret_submit(), +unlink URB from the endpoint, insert proper error code in +urb->status and give back URB. + +Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> +Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> +Signed-off-by: Suwan Kim <suwan.kim027@gmail.com> +Acked-by: Shuah Khan <skhan@linuxfoundation.org> +Link: https://lore.kernel.org/r/20191213023055.19933-3-suwan.kim027@gmail.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +[bwh: Backported to 3.16: adjust filename] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/staging/usbip/vhci_rx.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/staging/usbip/vhci_rx.c ++++ b/drivers/staging/usbip/vhci_rx.c +@@ -88,16 +88,21 @@ static void vhci_recv_ret_submit(struct + usbip_pack_pdu(pdu, urb, USBIP_RET_SUBMIT, 0); + + /* recv transfer buffer */ +- if (usbip_recv_xbuff(ud, urb) < 0) +- return; ++ if (usbip_recv_xbuff(ud, urb) < 0) { ++ urb->status = -EPROTO; ++ goto error; ++ } + + /* recv iso_packet_descriptor */ +- if (usbip_recv_iso(ud, urb) < 0) +- return; ++ if (usbip_recv_iso(ud, urb) < 0) { ++ urb->status = -EPROTO; ++ goto error; ++ } + + /* restore the padding in iso packets */ + usbip_pad_iso(ud, urb); + ++error: + if (usbip_dbg_flag_vhci_rx) + usbip_dump_urb(urb); +
diff --git a/queue-3.16/vfs-fix-do_last-regression.patch b/queue-3.16/vfs-fix-do_last-regression.patch new file mode 100644 index 0000000..405b4ab --- /dev/null +++ b/queue-3.16/vfs-fix-do_last-regression.patch
@@ -0,0 +1,58 @@ +From: Al Viro <viro@zeniv.linux.org.uk> +Date: Sat, 1 Feb 2020 16:26:45 +0000 +Subject: vfs: fix do_last() regression + +commit 6404674acd596de41fd3ad5f267b4525494a891a upstream. + +Brown paperbag time: fetching ->i_uid/->i_mode really should've been +done from nd->inode. I even suggested that, but the reason for that has +slipped through the cracks and I went for dir->d_inode instead - made +for more "obvious" patch. + +Analysis: + + - at the entry into do_last() and all the way to step_into(): dir (aka + nd->path.dentry) is known not to have been freed; so's nd->inode and + it's equal to dir->d_inode unless we are already doomed to -ECHILD. + inode of the file to get opened is not known. + + - after step_into(): inode of the file to get opened is known; dir + might be pointing to freed memory/be negative/etc. + + - at the call of may_create_in_sticky(): guaranteed to be out of RCU + mode; inode of the file to get opened is known and pinned; dir might + be garbage. + +The last was the reason for the original patch. Except that at the +do_last() entry we can be in RCU mode and it is possible that +nd->path.dentry->d_inode has already changed under us. + +In that case we are going to fail with -ECHILD, but we need to be +careful; nd->inode is pointing to valid struct inode and it's the same +as nd->path.dentry->d_inode in "won't fail with -ECHILD" case, so we +should use that. + +Reported-by: "Rantala, Tommi T. (Nokia - FI/Espoo)" <tommi.t.rantala@nokia.com> +Reported-by: syzbot+190005201ced78a74ad6@syzkaller.appspotmail.com +Wearing-brown-paperbag: Al Viro <viro@zeniv.linux.org.uk> +Fixes: d0cb50185ae9 ("do_last(): fetch directory ->i_mode and ->i_uid before it's too late") +Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + fs/namei.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -2945,8 +2945,8 @@ static int do_last(struct nameidata *nd, + int *opened, struct filename *name) + { + struct dentry *dir = nd->path.dentry; +- kuid_t dir_uid = dir->d_inode->i_uid; +- umode_t dir_mode = dir->d_inode->i_mode; ++ kuid_t dir_uid = nd->inode->i_uid; ++ umode_t dir_mode = nd->inode->i_mode; + int open_flag = op->open_flag; + bool will_truncate = (open_flag & O_TRUNC) != 0; + bool got_write = false;
diff --git a/queue-3.16/virtio-balloon-fix-managed-page-counts-when-migrating-pages-between.patch b/queue-3.16/virtio-balloon-fix-managed-page-counts-when-migrating-pages-between.patch new file mode 100644 index 0000000..13a6cef --- /dev/null +++ b/queue-3.16/virtio-balloon-fix-managed-page-counts-when-migrating-pages-between.patch
@@ -0,0 +1,153 @@ +From: David Hildenbrand <david@redhat.com> +Date: Wed, 11 Dec 2019 12:11:52 +0100 +Subject: virtio-balloon: fix managed page counts when migrating pages between + zones + +commit 63341ab03706e11a31e3dd8ccc0fbc9beaf723f0 upstream. + +In case we have to migrate a ballon page to a newpage of another zone, the +managed page count of both zones is wrong. Paired with memory offlining +(which will adjust the managed page count), we can trigger kernel crashes +and all kinds of different symptoms. + +One way to reproduce: +1. Start a QEMU guest with 4GB, no NUMA +2. Hotplug a 1GB DIMM and online the memory to ZONE_NORMAL +3. Inflate the balloon to 1GB +4. Unplug the DIMM (be quick, otherwise unmovable data ends up on it) +5. Observe /proc/zoneinfo + Node 0, zone Normal + pages free 16810 + min 24848885473806 + low 18471592959183339 + high 36918337032892872 + spanned 262144 + present 262144 + managed 18446744073709533486 +6. Do anything that requires some memory (e.g., inflate the balloon some +more). The OOM goes crazy and the system crashes + [ 238.324946] Out of memory: Killed process 537 (login) total-vm:27584kB, anon-rss:860kB, file-rss:0kB, shmem-rss:00 + [ 238.338585] systemd invoked oom-killer: gfp_mask=0x100cca(GFP_HIGHUSER_MOVABLE), order=0, oom_score_adj=0 + [ 238.339420] CPU: 0 PID: 1 Comm: systemd Tainted: G D W 5.4.0-next-20191204+ #75 + [ 238.340139] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu4 + [ 238.341121] Call Trace: + [ 238.341337] dump_stack+0x8f/0xd0 + [ 238.341630] dump_header+0x61/0x5ea + [ 238.341942] oom_kill_process.cold+0xb/0x10 + [ 238.342299] out_of_memory+0x24d/0x5a0 + [ 238.342625] __alloc_pages_slowpath+0xd12/0x1020 + [ 238.343024] __alloc_pages_nodemask+0x391/0x410 + [ 238.343407] pagecache_get_page+0xc3/0x3a0 + [ 238.343757] filemap_fault+0x804/0xc30 + [ 238.344083] ? ext4_filemap_fault+0x28/0x42 + [ 238.344444] ext4_filemap_fault+0x30/0x42 + [ 238.344789] __do_fault+0x37/0x1a0 + [ 238.345087] __handle_mm_fault+0x104d/0x1ab0 + [ 238.345450] handle_mm_fault+0x169/0x360 + [ 238.345790] do_user_addr_fault+0x20d/0x490 + [ 238.346154] do_page_fault+0x31/0x210 + [ 238.346468] async_page_fault+0x43/0x50 + [ 238.346797] RIP: 0033:0x7f47eba4197e + [ 238.347110] Code: Bad RIP value. + [ 238.347387] RSP: 002b:00007ffd7c0c1890 EFLAGS: 00010293 + [ 238.347834] RAX: 0000000000000002 RBX: 000055d196a20a20 RCX: 00007f47eba4197e + [ 238.348437] RDX: 0000000000000033 RSI: 00007ffd7c0c18c0 RDI: 0000000000000004 + [ 238.349047] RBP: 00007ffd7c0c1c20 R08: 0000000000000000 R09: 0000000000000033 + [ 238.349660] R10: 00000000ffffffff R11: 0000000000000293 R12: 0000000000000001 + [ 238.350261] R13: ffffffffffffffff R14: 0000000000000000 R15: 00007ffd7c0c18c0 + [ 238.350878] Mem-Info: + [ 238.351085] active_anon:3121 inactive_anon:51 isolated_anon:0 + [ 238.351085] active_file:12 inactive_file:7 isolated_file:0 + [ 238.351085] unevictable:0 dirty:0 writeback:0 unstable:0 + [ 238.351085] slab_reclaimable:5565 slab_unreclaimable:10170 + [ 238.351085] mapped:3 shmem:111 pagetables:155 bounce:0 + [ 238.351085] free:720717 free_pcp:2 free_cma:0 + [ 238.353757] Node 0 active_anon:12484kB inactive_anon:204kB active_file:48kB inactive_file:28kB unevictable:0kB iss + [ 238.355979] Node 0 DMA free:11556kB min:36kB low:48kB high:60kB reserved_highatomic:0KB active_anon:152kB inactivB + [ 238.358345] lowmem_reserve[]: 0 2955 2884 2884 2884 + [ 238.358761] Node 0 DMA32 free:2677864kB min:7004kB low:10028kB high:13052kB reserved_highatomic:0KB active_anon:0B + [ 238.361202] lowmem_reserve[]: 0 0 72057594037927865 72057594037927865 72057594037927865 + [ 238.361888] Node 0 Normal free:193448kB min:99395541895224kB low:73886371836733356kB high:147673348131571488kB reB + [ 238.364765] lowmem_reserve[]: 0 0 0 0 0 + [ 238.365101] Node 0 DMA: 7*4kB (U) 5*8kB (UE) 6*16kB (UME) 2*32kB (UM) 1*64kB (U) 2*128kB (UE) 3*256kB (UME) 2*512B + [ 238.366379] Node 0 DMA32: 0*4kB 1*8kB (U) 2*16kB (UM) 2*32kB (UM) 2*64kB (UM) 1*128kB (U) 1*256kB (U) 1*512kB (U)B + [ 238.367654] Node 0 Normal: 1985*4kB (UME) 1321*8kB (UME) 844*16kB (UME) 524*32kB (UME) 300*64kB (UME) 138*128kB (B + [ 238.369184] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB + [ 238.369915] 130 total pagecache pages + [ 238.370241] 0 pages in swap cache + [ 238.370533] Swap cache stats: add 0, delete 0, find 0/0 + [ 238.370981] Free swap = 0kB + [ 238.371239] Total swap = 0kB + [ 238.371488] 1048445 pages RAM + [ 238.371756] 0 pages HighMem/MovableOnly + [ 238.372090] 306992 pages reserved + [ 238.372376] 0 pages cma reserved + [ 238.372661] 0 pages hwpoisoned + +In another instance (older kernel), I was able to observe this +(negative page count :/): + [ 180.896971] Offlined Pages 32768 + [ 182.667462] Offlined Pages 32768 + [ 184.408117] Offlined Pages 32768 + [ 186.026321] Offlined Pages 32768 + [ 187.684861] Offlined Pages 32768 + [ 189.227013] Offlined Pages 32768 + [ 190.830303] Offlined Pages 32768 + [ 190.833071] Built 1 zonelists, mobility grouping on. Total pages: -36920272750453009 + +In another instance (older kernel), I was no longer able to start any +process: + [root@vm ~]# [ 214.348068] Offlined Pages 32768 + [ 215.973009] Offlined Pages 32768 + cat /proc/meminfo + -bash: fork: Cannot allocate memory + [root@vm ~]# cat /proc/meminfo + -bash: fork: Cannot allocate memory + +Fix it by properly adjusting the managed page count when migrating if +the zone changed. The managed page count of the zones now looks after +unplug of the DIMM (and after deflating the balloon) just like before +inflating the balloon (and plugging+onlining the DIMM). + +We'll temporarily modify the totalram page count. If this ever becomes a +problem, we can fine tune by providing helpers that don't touch +the totalram pages (e.g., adjust_zone_managed_page_count()). + +Please note that fixing up the managed page count is only necessary when +we adjusted the managed page count when inflating - only if we +don't have VIRTIO_BALLOON_F_DEFLATE_ON_OOM. With that feature, the +managed page count is not touched when inflating/deflating. + +Reported-by: Yumei Huang <yuhuang@redhat.com> +Fixes: 3dcc0571cd64 ("mm: correctly update zone->managed_pages") +Cc: "Michael S. Tsirkin" <mst@redhat.com> +Cc: Jason Wang <jasowang@redhat.com> +Cc: Jiang Liu <liuj97@gmail.com> +Cc: Andrew Morton <akpm@linux-foundation.org> +Cc: Igor Mammedov <imammedo@redhat.com> +Cc: virtualization@lists.linux-foundation.org +Signed-off-by: David Hildenbrand <david@redhat.com> +Signed-off-by: Michael S. Tsirkin <mst@redhat.com> +[bwh: Backported to 3.16: Deflate-on-OOM is not supported at all so don't + check that flag] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/drivers/virtio/virtio_balloon.c ++++ b/drivers/virtio/virtio_balloon.c +@@ -403,6 +403,16 @@ static int virtballoon_migratepage(struc + + get_page(newpage); /* balloon reference */ + ++ /* ++ * When we migrate a page to a different zone and adjusted the ++ * managed page count when inflating, we have to fixup the count of ++ * both involved zones. ++ */ ++ if (page_zone(page) != page_zone(newpage)) { ++ adjust_managed_page_count(page, 1); ++ adjust_managed_page_count(newpage, -1); ++ } ++ + /* balloon's page migration 1st step -- inflate "newpage" */ + spin_lock_irqsave(&vb_dev_info->pages_lock, flags); + balloon_page_insert(newpage, mapping, &vb_dev_info->pages);
diff --git a/queue-3.16/vlan-vlan_changelink-should-propagate-errors.patch b/queue-3.16/vlan-vlan_changelink-should-propagate-errors.patch new file mode 100644 index 0000000..08105b0 --- /dev/null +++ b/queue-3.16/vlan-vlan_changelink-should-propagate-errors.patch
@@ -0,0 +1,46 @@ +From: Eric Dumazet <edumazet@google.com> +Date: Tue, 7 Jan 2020 01:42:25 -0800 +Subject: vlan: vlan_changelink() should propagate errors + +commit eb8ef2a3c50092bb018077c047b8dba1ce0e78e3 upstream. + +Both vlan_dev_change_flags() and vlan_dev_set_egress_priority() +can return an error. vlan_changelink() should not ignore them. + +Fixes: 07b5b17e157b ("[VLAN]: Use rtnl_link API") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/8021q/vlan_netlink.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/net/8021q/vlan_netlink.c ++++ b/net/8021q/vlan_netlink.c +@@ -92,11 +92,13 @@ static int vlan_changelink(struct net_de + struct ifla_vlan_flags *flags; + struct ifla_vlan_qos_mapping *m; + struct nlattr *attr; +- int rem; ++ int rem, err; + + if (data[IFLA_VLAN_FLAGS]) { + flags = nla_data(data[IFLA_VLAN_FLAGS]); +- vlan_dev_change_flags(dev, flags->flags, flags->mask); ++ err = vlan_dev_change_flags(dev, flags->flags, flags->mask); ++ if (err) ++ return err; + } + if (data[IFLA_VLAN_INGRESS_QOS]) { + nla_for_each_nested(attr, data[IFLA_VLAN_INGRESS_QOS], rem) { +@@ -107,7 +109,9 @@ static int vlan_changelink(struct net_de + if (data[IFLA_VLAN_EGRESS_QOS]) { + nla_for_each_nested(attr, data[IFLA_VLAN_EGRESS_QOS], rem) { + m = nla_data(attr); +- vlan_dev_set_egress_priority(dev, m->from, m->to); ++ err = vlan_dev_set_egress_priority(dev, m->from, m->to); ++ if (err) ++ return err; + } + } + return 0;
diff --git a/queue-3.16/vxlan-fix-tos-value-before-xmit.patch b/queue-3.16/vxlan-fix-tos-value-before-xmit.patch new file mode 100644 index 0000000..bfda408 --- /dev/null +++ b/queue-3.16/vxlan-fix-tos-value-before-xmit.patch
@@ -0,0 +1,34 @@ +From: Hangbin Liu <liuhangbin@gmail.com> +Date: Thu, 2 Jan 2020 17:23:45 +0800 +Subject: vxlan: fix tos value before xmit + +commit 71130f29979c7c7956b040673e6b9d5643003176 upstream. + +Before ip_tunnel_ecn_encap() and udp_tunnel_xmit_skb() we should filter +tos value by RT_TOS() instead of using config tos directly. + +vxlan_get_route() would filter the tos to fl4.flowi4_tos but we didn't +return it back, as geneve_get_v4_rt() did. So we have to use RT_TOS() +directly in function ip_tunnel_ecn_encap(). + +Fixes: 206aaafcd279 ("VXLAN: Use IP Tunnels tunnel ENC encap API") +Fixes: 1400615d64cf ("vxlan: allow setting ipv6 traffic class") +Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/net/vxlan.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -1904,7 +1904,7 @@ static void vxlan_xmit_one(struct sk_buf + return; + } + +- tos = ip_tunnel_ecn_encap(tos, old_iph, skb); ++ tos = ip_tunnel_ecn_encap(RT_TOS(tos), old_iph, skb); + ttl = ttl ? : ip4_dst_hoplimit(&rt->dst); + + err = vxlan_xmit_skb(vxlan->vn_sock, rt, skb,
diff --git a/queue-3.16/x86-efistub-disable-paging-at-mixed-mode-entry.patch b/queue-3.16/x86-efistub-disable-paging-at-mixed-mode-entry.patch new file mode 100644 index 0000000..1993674 --- /dev/null +++ b/queue-3.16/x86-efistub-disable-paging-at-mixed-mode-entry.patch
@@ -0,0 +1,41 @@ +From: Ard Biesheuvel <ardb@kernel.org> +Date: Tue, 24 Dec 2019 14:29:09 +0100 +Subject: x86/efistub: Disable paging at mixed mode entry + +commit 4911ee401b7ceff8f38e0ac597cbf503d71e690c upstream. + +The EFI mixed mode entry code goes through the ordinary startup_32() +routine before jumping into the kernel's EFI boot code in 64-bit +mode. The 32-bit startup code must be entered with paging disabled, +but this is not documented as a requirement for the EFI handover +protocol, and so we should disable paging explicitly when entering +the kernel from 32-bit EFI firmware. + +Signed-off-by: Ard Biesheuvel <ardb@kernel.org> +Cc: Arvind Sankar <nivedita@alum.mit.edu> +Cc: Hans de Goede <hdegoede@redhat.com> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Thomas Gleixner <tglx@linutronix.de> +Cc: linux-efi@vger.kernel.org +Link: https://lkml.kernel.org/r/20191224132909.102540-4-ardb@kernel.org +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + arch/x86/boot/compressed/head_64.S | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/x86/boot/compressed/head_64.S ++++ b/arch/x86/boot/compressed/head_64.S +@@ -216,6 +216,11 @@ ENTRY(efi32_stub_entry) + leal efi32_config(%ebp), %eax + movl %eax, efi_config(%ebp) + ++ /* Disable paging */ ++ movl %cr0, %eax ++ btrl $X86_CR0_PG_BIT, %eax ++ movl %eax, %cr0 ++ + jmp startup_32 + ENDPROC(efi32_stub_entry) + #endif
diff --git a/queue-3.16/xhci-handle-some-xhci_trust_tx_length-quirks-cases-as-default.patch b/queue-3.16/xhci-handle-some-xhci_trust_tx_length-quirks-cases-as-default.patch new file mode 100644 index 0000000..1377a18 --- /dev/null +++ b/queue-3.16/xhci-handle-some-xhci_trust_tx_length-quirks-cases-as-default.patch
@@ -0,0 +1,50 @@ +From: Mathias Nyman <mathias.nyman@linux.intel.com> +Date: Wed, 11 Dec 2019 16:20:06 +0200 +Subject: xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default + behaviour. + +commit 7ff11162808cc2ec66353fc012c58bb449c892c3 upstream. + +xhci driver claims it needs XHCI_TRUST_TX_LENGTH quirk for both +Broadcom/Cavium and a Renesas xHC controllers. + +The quirk was inteded for handling false "success" complete event for +transfers that had data left untransferred. +These transfers should complete with "short packet" events instead. + +In these two new cases the false "success" completion is reported +after a "short packet" if the TD consists of several TRBs. +xHCI specs 4.10.1.1.2 say remaining TRBs should report "short packet" +as well after the first short packet in a TD, but this issue seems so +common it doesn't make sense to add the quirk for all vendors. + +Turn these events into short packets automatically instead. + +This gets rid of the "The WARN Successful completion on short TX for +slot 1 ep 1: needs XHCI_TRUST_TX_LENGTH quirk" warning in many cases. + +Reported-by: Eli Billauer <eli.billauer@gmail.com> +Reported-by: Ard Biesheuvel <ardb@kernel.org> +Tested-by: Eli Billauer <eli.billauer@gmail.com> +Tested-by: Ard Biesheuvel <ardb@kernel.org> +Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> +Link: https://lore.kernel.org/r/20191211142007.8847-6-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +[bwh: Backported to 3.16: adjust context] +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/host/xhci-ring.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -2345,7 +2345,8 @@ static int handle_tx_event(struct xhci_h + case COMP_SUCCESS: + if (EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) == 0) + break; +- if (xhci->quirks & XHCI_TRUST_TX_LENGTH) ++ if (xhci->quirks & XHCI_TRUST_TX_LENGTH || ++ ep_ring->last_td_was_short) + trb_comp_code = COMP_SHORT_TX; + else + xhci_warn_ratelimited(xhci,
diff --git a/queue-3.16/xhci-make-sure-interrupts-are-restored-to-correct-state.patch b/queue-3.16/xhci-make-sure-interrupts-are-restored-to-correct-state.patch new file mode 100644 index 0000000..53ae495 --- /dev/null +++ b/queue-3.16/xhci-make-sure-interrupts-are-restored-to-correct-state.patch
@@ -0,0 +1,61 @@ +From: Mathias Nyman <mathias.nyman@linux.intel.com> +Date: Wed, 11 Dec 2019 16:20:07 +0200 +Subject: xhci: make sure interrupts are restored to correct state + +commit bd82873f23c9a6ad834348f8b83f3b6a5bca2c65 upstream. + +spin_unlock_irqrestore() might be called with stale flags after +reading port status, possibly restoring interrupts to a incorrect +state. + +If a usb2 port just finished resuming while the port status is read +the spin lock will be temporary released and re-acquired in a separate +function. The flags parameter is passed as value instead of a pointer, +not updating flags properly before the final spin_unlock_irqrestore() +is called. + +Fixes: 8b3d45705e54 ("usb: Fix xHCI host issues on remote wakeup.") +Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> +Link: https://lore.kernel.org/r/20191211142007.8847-7-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + drivers/usb/host/xhci-hub.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -580,7 +580,7 @@ static u32 xhci_get_port_status(struct u + struct xhci_bus_state *bus_state, + __le32 __iomem **port_array, + u16 wIndex, u32 raw_port_status, +- unsigned long flags) ++ unsigned long *flags) + __releases(&xhci->lock) + __acquires(&xhci->lock) + { +@@ -670,12 +670,12 @@ static u32 xhci_get_port_status(struct u + xhci_set_link_state(xhci, port_array, wIndex, + XDEV_U0); + +- spin_unlock_irqrestore(&xhci->lock, flags); ++ spin_unlock_irqrestore(&xhci->lock, *flags); + time_left = wait_for_completion_timeout( + &bus_state->rexit_done[wIndex], + msecs_to_jiffies( + XHCI_MAX_REXIT_TIMEOUT_MS)); +- spin_lock_irqsave(&xhci->lock, flags); ++ spin_lock_irqsave(&xhci->lock, *flags); + + if (time_left) { + slot_id = xhci_find_slot_id_by_port(hcd, +@@ -834,7 +834,7 @@ int xhci_hub_control(struct usb_hcd *hcd + break; + } + status = xhci_get_port_status(hcd, bus_state, port_array, +- wIndex, temp, flags); ++ wIndex, temp, &flags); + if (status == 0xffffffff) + goto error; +
diff --git a/upstream-head b/upstream-head index 65a384f..f9213df 100644 --- a/upstream-head +++ b/upstream-head
@@ -1 +1 @@ -e42617b825f8073569da76dc4510bfa019b1c35a +d5226fa6dbae0569ee43ecfc08bdcd6770fc4755