diff --git a/acpica-linuxize-restore-and-fix-intel-compiler-build.patch b/acpica-linuxize-restore-and-fix-intel-compiler-build.patch
deleted file mode 100644
index 15bd924..0000000
--- a/acpica-linuxize-restore-and-fix-intel-compiler-build.patch
+++ /dev/null
@@ -1,141 +0,0 @@
-From ffab9188e444854882dbc291500d576d6bad7b7b Mon Sep 17 00:00:00 2001
-From: Lv Zheng
-Date: Wed, 8 Feb 2017 11:00:01 +0800
-Subject: ACPICA: Linuxize: Restore and fix Intel compiler build
-
-From: Lv Zheng
-
-commit ffab9188e444854882dbc291500d576d6bad7b7b upstream.
-
-ACPICA commit b59347d0b8b676cb555fe8da5cad08fcd4eeb0d3
-
-The following commit cleans up compiler specific inclusions:
-
- Commit: 9fa1cebdbfff3db8953cebca8ee327d75edefc40
- Subject: ACPICA: OSL: Cleanup the inclusion order of the compiler-specific headers
-
-But breaks one thing due to the following old issue:
-
- Buidling Linux kernel with Intel compiler originally depends on acgcc.h
- not acintel.h.
-
-So after making Intel compiler build working in ACPICA upstream by
-correctly using acintel.h, it becomes unable to build Linux kernel using
-Intel compiler as there is no acintel.h in the kernel source tree.
-
-This patch releases acintel.h to Linux kernel and fixes its inclusion in
-acenv.h.
-
-Fixes: 9fa1cebdbfff (ACPICA: OSL: Cleanup the inclusion order of the compiler-specific headers)
-Link: https://github.com/acpica/acpica/commit/b59347d0
-Tested-by: Stepan M Mishura
-Signed-off-by: Lv Zheng
-Signed-off-by: Rafael J. Wysocki
-Signed-off-by: Greg Kroah-Hartman
-
----
- include/acpi/platform/acenv.h | 2
- include/acpi/platform/acintel.h | 87 ++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 88 insertions(+), 1 deletion(-)
-
---- a/include/acpi/platform/acenv.h
-+++ b/include/acpi/platform/acenv.h
-@@ -177,7 +177,7 @@
- #include "acmsvc.h"
-
- #elif defined(__INTEL_COMPILER)
--#include "acintel.h"
-+#include
-
- #endif
-
---- /dev/null
-+++ b/include/acpi/platform/acintel.h
-@@ -0,0 +1,87 @@
-+/******************************************************************************
-+ *
-+ * Name: acintel.h - VC specific defines, etc.
-+ *
-+ *****************************************************************************/
-+
-+/*
-+ * Copyright (C) 2000 - 2017, Intel Corp.
-+ * All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions, and the following disclaimer,
-+ * without modification.
-+ * 2. Redistributions in binary form must reproduce at minimum a disclaimer
-+ * substantially similar to the "NO WARRANTY" disclaimer below
-+ * ("Disclaimer") and any redistribution must be conditioned upon
-+ * including a substantially similar Disclaimer requirement for further
-+ * binary redistribution.
-+ * 3. Neither the names of the above-listed copyright holders nor the names
-+ * of any contributors may be used to endorse or promote products derived
-+ * from this software without specific prior written permission.
-+ *
-+ * Alternatively, this software may be distributed under the terms of the
-+ * GNU General Public License ("GPL") version 2 as published by the Free
-+ * Software Foundation.
-+ *
-+ * NO WARRANTY
-+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR
-+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-+ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
-+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-+ * POSSIBILITY OF SUCH DAMAGES.
-+ */
-+
-+#ifndef __ACINTEL_H__
-+#define __ACINTEL_H__
-+
-+/*
-+ * Use compiler specific is a good practice for even when
-+ * -nostdinc is specified (i.e., ACPI_USE_STANDARD_HEADERS undefined.
-+ */
-+#include
-+
-+/* Configuration specific to Intel 64-bit C compiler */
-+
-+#define COMPILER_DEPENDENT_INT64 __int64
-+#define COMPILER_DEPENDENT_UINT64 unsigned __int64
-+#define ACPI_INLINE __inline
-+
-+/*
-+ * Calling conventions:
-+ *
-+ * ACPI_SYSTEM_XFACE - Interfaces to host OS (handlers, threads)
-+ * ACPI_EXTERNAL_XFACE - External ACPI interfaces
-+ * ACPI_INTERNAL_XFACE - Internal ACPI interfaces
-+ * ACPI_INTERNAL_VAR_XFACE - Internal variable-parameter list interfaces
-+ */
-+#define ACPI_SYSTEM_XFACE
-+#define ACPI_EXTERNAL_XFACE
-+#define ACPI_INTERNAL_XFACE
-+#define ACPI_INTERNAL_VAR_XFACE
-+
-+/* remark 981 - operands evaluated in no particular order */
-+#pragma warning(disable:981)
-+
-+/* warn C4100: unreferenced formal parameter */
-+#pragma warning(disable:4100)
-+
-+/* warn C4127: conditional expression is constant */
-+#pragma warning(disable:4127)
-+
-+/* warn C4706: assignment within conditional expression */
-+#pragma warning(disable:4706)
-+
-+/* warn C4214: bit field types other than int */
-+#pragma warning(disable:4214)
-+
-+#endif /* __ACINTEL_H__ */
diff --git a/block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch b/block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch
deleted file mode 100644
index e23333b..0000000
--- a/block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 5f478e4ea5c5560b4e40eb136991a09f9389f331 Mon Sep 17 00:00:00 2001
-From: Tejun Heo
-Date: Wed, 8 Feb 2017 15:19:07 -0500
-Subject: block: fix double-free in the failure path of cgwb_bdi_init()
-
-From: Tejun Heo
-
-commit 5f478e4ea5c5560b4e40eb136991a09f9389f331 upstream.
-
-When !CONFIG_CGROUP_WRITEBACK, bdi has single bdi_writeback_congested
-at bdi->wb_congested. cgwb_bdi_init() allocates it with kzalloc() and
-doesn't do further initialization. This usually works fine as the
-reference count gets bumped to 1 by wb_init() and the put from
-wb_exit() releases it.
-
-However, when wb_init() fails, it puts the wb base ref automatically
-freeing the wb and the explicit kfree() in cgwb_bdi_init() error path
-ends up trying to free the same pointer the second time causing a
-double-free.
-
-Fix it by explicitly initilizing the refcnt to 1 and putting the base
-ref from cgwb_bdi_destroy().
-
-Signed-off-by: Tejun Heo
-Reported-by: Dmitry Vyukov
-Fixes: a13f35e87140 ("writeback: don't embed root bdi_writeback_congested in bdi_writeback")
-Signed-off-by: Jens Axboe
-Signed-off-by: Greg Kroah-Hartman
-
----
- mm/backing-dev.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
---- a/mm/backing-dev.c
-+++ b/mm/backing-dev.c
-@@ -757,15 +757,20 @@ static int cgwb_bdi_init(struct backing_
- if (!bdi->wb_congested)
- return -ENOMEM;
-
-+ atomic_set(&bdi->wb_congested->refcnt, 1);
-+
- err = wb_init(&bdi->wb, bdi, 1, GFP_KERNEL);
- if (err) {
-- kfree(bdi->wb_congested);
-+ wb_congested_put(bdi->wb_congested);
- return err;
- }
- return 0;
- }
-
--static void cgwb_bdi_destroy(struct backing_dev_info *bdi) { }
-+static void cgwb_bdi_destroy(struct backing_dev_info *bdi)
-+{
-+ wb_congested_put(bdi->wb_congested);
-+}
-
- #endif /* CONFIG_CGROUP_WRITEBACK */
-
diff --git a/dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch b/dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch
deleted file mode 100644
index 1845f4d..0000000
--- a/dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From foo@baz Thu Feb 23 21:13:05 CET 2017
-From: Andrey Konovalov
-Date: Thu, 16 Feb 2017 17:22:46 +0100
-Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO
-
-From: Andrey Konovalov
-
-
-[ Upstream commit 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 ]
-
-In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
-is forcibly freed via __kfree_skb in dccp_rcv_state_process if
-dccp_v6_conn_request successfully returns.
-
-However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
-is saved to ireq->pktopts and the ref count for skb is incremented in
-dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
-in dccp_rcv_state_process.
-
-Fix by calling consume_skb instead of doing goto discard and therefore
-calling __kfree_skb.
-
-Similar fixes for TCP:
-
-fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
-0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
-simply consumed
-
-Signed-off-by: Andrey Konovalov
-Acked-by: Eric Dumazet
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/dccp/input.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/net/dccp/input.c
-+++ b/net/dccp/input.c
-@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *
- if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
- skb) < 0)
- return 1;
-- goto discard;
-+ consume_skb(skb);
-+ return 0;
- }
- if (dh->dccph_type == DCCP_PKT_RESET)
- goto discard;
diff --git a/goldfish-sanitize-the-broken-interrupt-handler.patch b/goldfish-sanitize-the-broken-interrupt-handler.patch
deleted file mode 100644
index 54bd310..0000000
--- a/goldfish-sanitize-the-broken-interrupt-handler.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 6cf18e6927c0b224f972e3042fb85770d63cb9f8 Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner
-Date: Wed, 15 Feb 2017 11:11:51 +0100
-Subject: goldfish: Sanitize the broken interrupt handler
-
-From: Thomas Gleixner
-
-commit 6cf18e6927c0b224f972e3042fb85770d63cb9f8 upstream.
-
-This interrupt handler is broken in several ways:
-
- - It loops forever when the op code is not decodeable
-
- - It never returns IRQ_HANDLED because the only way to exit the loop
- returns IRQ_NONE unconditionally.
-
-The whole concept of this is broken. Creating devices in an interrupt
-handler is beyond any point of sanity.
-
-Make it at least behave halfways sane so accidental users do not have to
-deal with a hard to debug lockup.
-
-Fixes: e809c22b8fb028 ("goldfish: add the goldfish virtual bus")
-Reported-by: Gabriel C
-Signed-off-by: Thomas Gleixner
-Acked-by: Linus Torvalds
-Signed-off-by: Greg Kroah-Hartman
-
----
- drivers/platform/goldfish/pdev_bus.c | 13 ++++++++-----
- 1 file changed, 8 insertions(+), 5 deletions(-)
-
---- a/drivers/platform/goldfish/pdev_bus.c
-+++ b/drivers/platform/goldfish/pdev_bus.c
-@@ -157,23 +157,26 @@ static int goldfish_new_pdev(void)
- static irqreturn_t goldfish_pdev_bus_interrupt(int irq, void *dev_id)
- {
- irqreturn_t ret = IRQ_NONE;
-+
- while (1) {
- u32 op = readl(pdev_bus_base + PDEV_BUS_OP);
-- switch (op) {
-- case PDEV_BUS_OP_DONE:
-- return IRQ_NONE;
-
-+ switch (op) {
- case PDEV_BUS_OP_REMOVE_DEV:
- goldfish_pdev_remove();
-+ ret = IRQ_HANDLED;
- break;
-
- case PDEV_BUS_OP_ADD_DEV:
- goldfish_new_pdev();
-+ ret = IRQ_HANDLED;
- break;
-+
-+ case PDEV_BUS_OP_DONE:
-+ default:
-+ return ret;
- }
-- ret = IRQ_HANDLED;
- }
-- return ret;
- }
-
- static int goldfish_pdev_bus_probe(struct platform_device *pdev)
diff --git a/ip-fix-ip_checksum-handling.patch b/ip-fix-ip_checksum-handling.patch
deleted file mode 100644
index d9b6353..0000000
--- a/ip-fix-ip_checksum-handling.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From foo@baz Thu Feb 23 21:13:05 CET 2017
-From: Paolo Abeni
-Date: Tue, 21 Feb 2017 09:33:18 +0100
-Subject: ip: fix IP_CHECKSUM handling
-
-From: Paolo Abeni
-
-
-[ Upstream commit ca4ef4574f1ee5252e2cd365f8f5d5bafd048f32 ]
-
-The skbs processed by ip_cmsg_recv() are not guaranteed to
-be linear e.g. when sending UDP packets over loopback with
-MSGMORE.
-Using csum_partial() on [potentially] the whole skb len
-is dangerous; instead be on the safe side and use skb_checksum().
-
-Thanks to syzkaller team to detect the issue and provide the
-reproducer.
-
-v1 -> v2:
- - move the variable declaration in a tighter scope
-
-Fixes: ad6f939ab193 ("ip: Add offset parameter to ip_cmsg_recv")
-Reported-by: Andrey Konovalov
-Signed-off-by: Paolo Abeni
-Acked-by: Eric Dumazet
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/ipv4/ip_sockglue.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
---- a/net/ipv4/ip_sockglue.c
-+++ b/net/ipv4/ip_sockglue.c
-@@ -105,10 +105,10 @@ static void ip_cmsg_recv_checksum(struct
- if (skb->ip_summed != CHECKSUM_COMPLETE)
- return;
-
-- if (offset != 0)
-- csum = csum_sub(csum,
-- csum_partial(skb_transport_header(skb) + tlen,
-- offset, 0));
-+ if (offset != 0) {
-+ int tend_off = skb_transport_offset(skb) + tlen;
-+ csum = csum_sub(csum, skb_checksum(skb, tend_off, offset, 0));
-+ }
-
- put_cmsg(msg, SOL_IP, IP_CHECKSUM, sizeof(__wsum), &csum);
- }
diff --git a/irda-fix-lockdep-annotations-in-hashbin_delete.patch b/irda-fix-lockdep-annotations-in-hashbin_delete.patch
deleted file mode 100644
index f494444..0000000
--- a/irda-fix-lockdep-annotations-in-hashbin_delete.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From foo@baz Thu Feb 23 21:13:05 CET 2017
-From: "David S. Miller"
-Date: Fri, 17 Feb 2017 16:19:39 -0500
-Subject: irda: Fix lockdep annotations in hashbin_delete().
-
-From: "David S. Miller"
-
-
-[ Upstream commit 4c03b862b12f980456f9de92db6d508a4999b788 ]
-
-A nested lock depth was added to the hasbin_delete() code but it
-doesn't actually work some well and results in tons of lockdep splats.
-
-Fix the code instead to properly drop the lock around the operation
-and just keep peeking the head of the hashbin queue.
-
-Reported-by: Dmitry Vyukov
-Tested-by: Dmitry Vyukov
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/irda/irqueue.c | 34 ++++++++++++++++------------------
- 1 file changed, 16 insertions(+), 18 deletions(-)
-
---- a/net/irda/irqueue.c
-+++ b/net/irda/irqueue.c
-@@ -383,9 +383,6 @@ EXPORT_SYMBOL(hashbin_new);
- * for deallocating this structure if it's complex. If not the user can
- * just supply kfree, which should take care of the job.
- */
--#ifdef CONFIG_LOCKDEP
--static int hashbin_lock_depth = 0;
--#endif
- int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
- {
- irda_queue_t* queue;
-@@ -396,22 +393,27 @@ int hashbin_delete( hashbin_t* hashbin,
- IRDA_ASSERT(hashbin->magic == HB_MAGIC, return -1;);
-
- /* Synchronize */
-- if ( hashbin->hb_type & HB_LOCK ) {
-- spin_lock_irqsave_nested(&hashbin->hb_spinlock, flags,
-- hashbin_lock_depth++);
-- }
-+ if (hashbin->hb_type & HB_LOCK)
-+ spin_lock_irqsave(&hashbin->hb_spinlock, flags);
-
- /*
- * Free the entries in the hashbin, TODO: use hashbin_clear when
- * it has been shown to work
- */
- for (i = 0; i < HASHBIN_SIZE; i ++ ) {
-- queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
-- while (queue ) {
-- if (free_func)
-- (*free_func)(queue);
-- queue = dequeue_first(
-- (irda_queue_t**) &hashbin->hb_queue[i]);
-+ while (1) {
-+ queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
-+
-+ if (!queue)
-+ break;
-+
-+ if (free_func) {
-+ if (hashbin->hb_type & HB_LOCK)
-+ spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
-+ free_func(queue);
-+ if (hashbin->hb_type & HB_LOCK)
-+ spin_lock_irqsave(&hashbin->hb_spinlock, flags);
-+ }
- }
- }
-
-@@ -420,12 +422,8 @@ int hashbin_delete( hashbin_t* hashbin,
- hashbin->magic = ~HB_MAGIC;
-
- /* Release lock */
-- if ( hashbin->hb_type & HB_LOCK) {
-+ if (hashbin->hb_type & HB_LOCK)
- spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
--#ifdef CONFIG_LOCKDEP
-- hashbin_lock_depth--;
--#endif
-- }
-
- /*
- * Free the hashbin structure
diff --git a/kcm-fix-0-length-case-for-kcm_sendmsg.patch b/kcm-fix-0-length-case-for-kcm_sendmsg.patch
deleted file mode 100644
index 1ec7b66..0000000
--- a/kcm-fix-0-length-case-for-kcm_sendmsg.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From foo@baz Thu Feb 23 21:13:05 CET 2017
-From: WANG Cong
-Date: Tue, 7 Feb 2017 12:59:47 -0800
-Subject: kcm: fix 0-length case for kcm_sendmsg()
-
-From: WANG Cong
-
-
-[ Upstream commit 98e3862ca2b1ae595a13805dcab4c3a6d7718f4d ]
-
-Dmitry reported a kernel warning:
-
- WARNING: CPU: 3 PID: 2936 at net/kcm/kcmsock.c:627
- kcm_write_msgs+0x12e3/0x1b90 net/kcm/kcmsock.c:627
- CPU: 3 PID: 2936 Comm: a.out Not tainted 4.10.0-rc6+ #209
- Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
- Call Trace:
- __dump_stack lib/dump_stack.c:15 [inline]
- dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
- panic+0x1fb/0x412 kernel/panic.c:179
- __warn+0x1c4/0x1e0 kernel/panic.c:539
- warn_slowpath_null+0x2c/0x40 kernel/panic.c:582
- kcm_write_msgs+0x12e3/0x1b90 net/kcm/kcmsock.c:627
- kcm_sendmsg+0x163a/0x2200 net/kcm/kcmsock.c:1029
- sock_sendmsg_nosec net/socket.c:635 [inline]
- sock_sendmsg+0xca/0x110 net/socket.c:645
- sock_write_iter+0x326/0x600 net/socket.c:848
- new_sync_write fs/read_write.c:499 [inline]
- __vfs_write+0x483/0x740 fs/read_write.c:512
- vfs_write+0x187/0x530 fs/read_write.c:560
- SYSC_write fs/read_write.c:607 [inline]
- SyS_write+0xfb/0x230 fs/read_write.c:599
- entry_SYSCALL_64_fastpath+0x1f/0xc2
-
-when calling syscall(__NR_write, sock2, 0x208aaf27ul, 0x0ul) on a KCM
-seqpacket socket. It appears that kcm_sendmsg() does not handle len==0
-case correctly, which causes an empty skb is allocated and queued.
-Fix this by skipping the skb allocation for len==0 case.
-
-Reported-by: Dmitry Vyukov
-Cc: Tom Herbert
-Signed-off-by: Cong Wang
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/kcm/kcmsock.c | 40 ++++++++++++++++++++++------------------
- 1 file changed, 22 insertions(+), 18 deletions(-)
-
---- a/net/kcm/kcmsock.c
-+++ b/net/kcm/kcmsock.c
-@@ -929,23 +929,25 @@ static int kcm_sendmsg(struct socket *so
- goto out_error;
- }
-
-- /* New message, alloc head skb */
-- head = alloc_skb(0, sk->sk_allocation);
-- while (!head) {
-- kcm_push(kcm);
-- err = sk_stream_wait_memory(sk, &timeo);
-- if (err)
-- goto out_error;
--
-+ if (msg_data_left(msg)) {
-+ /* New message, alloc head skb */
- head = alloc_skb(0, sk->sk_allocation);
-- }
-+ while (!head) {
-+ kcm_push(kcm);
-+ err = sk_stream_wait_memory(sk, &timeo);
-+ if (err)
-+ goto out_error;
-
-- skb = head;
-+ head = alloc_skb(0, sk->sk_allocation);
-+ }
-
-- /* Set ip_summed to CHECKSUM_UNNECESSARY to avoid calling
-- * csum_and_copy_from_iter from skb_do_copy_data_nocache.
-- */
-- skb->ip_summed = CHECKSUM_UNNECESSARY;
-+ skb = head;
-+
-+ /* Set ip_summed to CHECKSUM_UNNECESSARY to avoid calling
-+ * csum_and_copy_from_iter from skb_do_copy_data_nocache.
-+ */
-+ skb->ip_summed = CHECKSUM_UNNECESSARY;
-+ }
-
- start:
- while (msg_data_left(msg)) {
-@@ -1018,10 +1020,12 @@ wait_for_memory:
- if (eor) {
- bool not_busy = skb_queue_empty(&sk->sk_write_queue);
-
-- /* Message complete, queue it on send buffer */
-- __skb_queue_tail(&sk->sk_write_queue, head);
-- kcm->seq_skb = NULL;
-- KCM_STATS_INCR(kcm->stats.tx_msgs);
-+ if (head) {
-+ /* Message complete, queue it on send buffer */
-+ __skb_queue_tail(&sk->sk_write_queue, head);
-+ kcm->seq_skb = NULL;
-+ KCM_STATS_INCR(kcm->stats.tx_msgs);
-+ }
-
- if (msg->msg_flags & MSG_BATCH) {
- kcm->tx_wait_more = true;
diff --git a/kcm-fix-a-null-pointer-dereference-in-kcm_sendmsg.patch b/kcm-fix-a-null-pointer-dereference-in-kcm_sendmsg.patch
deleted file mode 100644
index 6429e2c..0000000
--- a/kcm-fix-a-null-pointer-dereference-in-kcm_sendmsg.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From foo@baz Thu Feb 23 21:13:05 CET 2017
-From: WANG Cong
-Date: Mon, 13 Feb 2017 11:13:16 -0800
-Subject: kcm: fix a null pointer dereference in kcm_sendmsg()
-
-From: WANG Cong
-
-
-[ Upstream commit cd27b96bc13841ee7af25837a6ae86fee87273d6 ]
-
-In commit 98e3862ca2b1 ("kcm: fix 0-length case for kcm_sendmsg()")
-I tried to avoid skb allocation for 0-length case, but missed
-a check for NULL pointer in the non EOR case.
-
-Fixes: 98e3862ca2b1 ("kcm: fix 0-length case for kcm_sendmsg()")
-Reported-by: Dmitry Vyukov
-Cc: Tom Herbert
-Signed-off-by: Cong Wang
-Acked-by: Tom Herbert
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/kcm/kcmsock.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/net/kcm/kcmsock.c
-+++ b/net/kcm/kcmsock.c
-@@ -1044,8 +1044,10 @@ wait_for_memory:
- } else {
- /* Message not complete, save state */
- partial_message:
-- kcm->seq_skb = head;
-- kcm_tx_msg(head)->last_skb = skb;
-+ if (head) {
-+ kcm->seq_skb = head;
-+ kcm_tx_msg(head)->last_skb = skb;
-+ }
- }
-
- KCM_STATS_ADD(kcm->stats.tx_bytes, copied);
diff --git a/kernel.spec b/kernel.spec
index ae92ee9..8837a13 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -214,40 +214,6 @@ Patch114: 0004-Turn-into-BFQ-v8r7-for-4.9.0.patch
 # http://bugs.rosalinux.ru/show_bug.cgi?id=7533
 Patch200: i915_hack_bug_97822.patch
-# Stable patch queue
-Patch300: kcm-fix-0-length-case-for-kcm_sendmsg.patch
-Patch301: kcm-fix-a-null-pointer-dereference-in-kcm_sendmsg.patch
-Patch302: net-mlx5e-disable-preemption-when-doing-tc-statistics-upcall.patch
-Patch303: net-llc-avoid-bug_on-in-skb_orphan.patch
-Patch304: net-ethernet-ti-cpsw-fix-cpsw-assignment-in-resume.patch
-Patch305: packet-fix-races-in-fanout_add.patch
-Patch306: packet-do-not-call-fanout_release-from-atomic-contexts.patch
-Patch307: net-neigh-fix-netevent-netevent_delay_probe_time_update-notification.patch
-Patch308: dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch
-Patch309: vxlan-fix-oops-in-dev_fill_metadata_dst.patch
-Patch310: irda-fix-lockdep-annotations-in-hashbin_delete.patch
-Patch311: ptr_ring-fix-race-conditions-when-resizing.patch
-Patch312: ip-fix-ip_checksum-handling.patch
-Patch313: net-socket-fix-recvmmsg-not-returning-error-from-sock_error.patch
-Patch314: tty-serial-msm-fix-module-autoload.patch
-Patch315: usb-serial-mos7840-fix-another-null-deref-at-open.patch
-Patch316: usb-serial-cp210x-add-new-ids-for-ge-bx50v3-boards.patch
-Patch317: usb-serial-ftdi_sio-fix-modem-status-error-handling.patch
-Patch318: usb-serial-ftdi_sio-fix-extreme-low-latency-setting.patch
-Patch319: usb-serial-ftdi_sio-fix-line-status-over-reporting.patch
-Patch320: usb-serial-digi_acceleport-fix-oob-data-sanity-check.patch
-Patch321: usb-serial-spcp8x5-fix-modem-status-handling.patch
-Patch322: usb-serial-opticon-fix-cts-retrieval-at-open.patch
-Patch323: usb-serial-ark3116-fix-register-accessor-error-handling.patch
-Patch324: usb-serial-console-fix-uninitialised-spinlock.patch
-Patch325: x86-platform-goldfish-prevent-unconditional-loading.patch
-Patch326: goldfish-sanitize-the-broken-interrupt-handler.patch
-Patch327: netfilter-nf_ct_helper-warn-when-not-applying-default-helper-assignment.patch
-Patch328: acpica-linuxize-restore-and-fix-intel-compiler-build.patch
-Patch329: block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch
-Patch330: rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch
-Patch331: xfs-clear-delalloc-and-cache-on-buffered-write-failure.patch
-
 # Sanitizing kernel memory
 # We do not use "Patch:" here because apply_patches would always apply it
 # then, it seems, even if we place "Patch: <..>" under a conditional.
diff --git a/net-ethernet-ti-cpsw-fix-cpsw-assignment-in-resume.patch b/net-ethernet-ti-cpsw-fix-cpsw-assignment-in-resume.patch
deleted file mode 100644
index 60a8225..0000000
--- a/net-ethernet-ti-cpsw-fix-cpsw-assignment-in-resume.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From foo@baz Thu Feb 23 21:13:05 CET 2017
-From: Ivan Khoronzhuk
-Date: Tue, 14 Feb 2017 14:42:15 +0200
-Subject: net: ethernet: ti: cpsw: fix cpsw assignment in resume
-
-From: Ivan Khoronzhuk
-
-
-[ Upstream commit a60ced990e309666915d21445e95347d12406694 ]
-
-There is a copy-paste error, which hides breaking of resume
-for CPSW driver: there was replaced netdev_priv() to ndev_to_cpsw(ndev)
-in suspend, but left it unchanged in resume.
-
-Fixes: 606f39939595a4d4540406bfc11f265b2036af6d
-(ti: cpsw: move platform data and slaves info to cpsw_common)
-
-Reported-by: Alexey Starikovskiy
-Signed-off-by: Ivan Khoronzhuk
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/net/ethernet/ti/cpsw.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/net/ethernet/ti/cpsw.c
-+++ b/drivers/net/ethernet/ti/cpsw.c
-@@ -2925,7 +2925,7 @@ static int cpsw_resume(struct device *de
- {
- struct platform_device *pdev = to_platform_device(dev);
- struct net_device *ndev = platform_get_drvdata(pdev);
-- struct cpsw_common *cpsw = netdev_priv(ndev);
-+ struct cpsw_common *cpsw = ndev_to_cpsw(ndev);
-
- /* Select default pin state */
- pinctrl_pm_select_default_state(dev);
diff --git a/net-llc-avoid-bug_on-in-skb_orphan.patch b/net-llc-avoid-bug_on-in-skb_orphan.patch
deleted file mode 100644
index 3e110c9..0000000
--- a/net-llc-avoid-bug_on-in-skb_orphan.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From foo@baz Thu Feb 23 21:13:05 CET 2017
-From: Eric Dumazet
-Date: Sun, 12 Feb 2017 14:03:52 -0800
-Subject: net/llc: avoid BUG_ON() in skb_orphan()
-
-From: Eric Dumazet
-
-
-[ Upstream commit 8b74d439e1697110c5e5c600643e823eb1dd0762 ]
-
-It seems nobody used LLC since linux-3.12.
-
-Fortunately fuzzers like syzkaller still know how to run this code,
-otherwise it would be no fun.
-
-Setting skb->sk without skb->destructor leads to all kinds of
-bugs, we now prefer to be very strict about it.
-
-Ideally here we would use skb_set_owner() but this helper does not exist yet,
-only CAN seems to have a private helper for that.
-
-Fixes: 376c7311bdb6 ("net: add a temporary sanity check in skb_orphan()")
-Signed-off-by: Eric Dumazet
-Reported-by: Andrey Konovalov
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/llc/llc_conn.c | 3 +++
- net/llc/llc_sap.c | 3 +++
- 2 files changed, 6 insertions(+)
-
---- a/net/llc/llc_conn.c
-+++ b/net/llc/llc_conn.c
-@@ -821,7 +821,10 @@ void llc_conn_handler(struct llc_sap *sa
- * another trick required to cope with how the PROCOM state
- * machine works. -acme
- */
-+ skb_orphan(skb);
-+ sock_hold(sk);
- skb->sk = sk;
-+ skb->destructor = sock_efree;
- }
- if (!sock_owned_by_user(sk))
- llc_conn_rcv(sk, skb);
---- a/net/llc/llc_sap.c
-+++ b/net/llc/llc_sap.c
-@@ -290,7 +290,10 @@ static void llc_sap_rcv(struct llc_sap *
-
- ev->type = LLC_SAP_EV_TYPE_PDU;
- ev->reason = 0;
-+ skb_orphan(skb);
-+ sock_hold(sk);
- skb->sk = sk;
-+ skb->destructor = sock_efree;
- llc_sap_state_process(sap, skb);
- }
-
diff --git a/net-mlx5e-disable-preemption-when-doing-tc-statistics-upcall.patch b/net-mlx5e-disable-preemption-when-doing-tc-statistics-upcall.patch
deleted file mode 100644
index cfe2cd7..0000000
--- a/net-mlx5e-disable-preemption-when-doing-tc-statistics-upcall.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From foo@baz Thu Feb 23 21:13:05 CET 2017
-From: Or Gerlitz
-Date: Sun, 12 Feb 2017 11:21:31 +0200
-Subject: net/mlx5e: Disable preemption when doing TC statistics upcall
-
-From: Or Gerlitz
-
-
-[ Upstream commit fed06ee89b78d3af32e235e0e89ad0d946fcb95d ]
-
-When called by HW offloading drivers, the TC action (e.g
-net/sched/act_mirred.c) code uses this_cpu logic, e.g
-
- _bstats_cpu_update(this_cpu_ptr(a->cpu_bstats), bytes, packets)
-
-per the kernel documention, preemption should be disabled, add that.
-
-Before the fix, when running with CONFIG_PREEMPT set, we get a
-
-BUG: using smp_processor_id() in preemptible [00000000] code: tc/3793
-
-asserion from the TC action (mirred) stats_update callback.
-
-Fixes: aad7e08d39bd ('net/mlx5e: Hardware offloaded flower filter statistics support')
-Signed-off-by: Or Gerlitz
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
-+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
-@@ -567,10 +567,14 @@ int mlx5e_stats_flower(struct mlx5e_priv
-
- mlx5_fc_query_cached(counter, &bytes, &packets, &lastuse);
-
-+ preempt_disable();
-+
- tcf_exts_to_list(f->exts, &actions);
- list_for_each_entry(a, &actions, list)
- tcf_action_stats_update(a, bytes, packets, lastuse);
-
-+ preempt_enable();
-+
- return 0;
- }
-
diff --git a/net-neigh-fix-netevent-netevent_delay_probe_time_update-notification.patch b/net-neigh-fix-netevent-netevent_delay_probe_time_update-notification.patch
deleted file mode 100644
index 359a5ac..0000000
--- a/net-neigh-fix-netevent-netevent_delay_probe_time_update-notification.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From foo@baz Thu Feb 23 21:13:05 CET 2017
-From: Marcus Huewe
-Date: Wed, 15 Feb 2017 01:00:36 +0100
-Subject: net: neigh: Fix netevent NETEVENT_DELAY_PROBE_TIME_UPDATE notification
-
-From: Marcus Huewe
-
-
-[ Upstream commit 7627ae6030f56a9a91a5b3867b21f35d79c16e64 ]
-
-When setting a neigh related sysctl parameter, we always send a
-NETEVENT_DELAY_PROBE_TIME_UPDATE netevent. For instance, when
-executing
-
- sysctl net.ipv6.neigh.wlp3s0.retrans_time_ms=2000
-
-a NETEVENT_DELAY_PROBE_TIME_UPDATE netevent is generated.
-
-This is caused by commit 2a4501ae18b5 ("neigh: Send a
-notification when DELAY_PROBE_TIME changes"). According to the
-commit's description, it was intended to generate such an event
-when setting the "delay_first_probe_time" sysctl parameter.
-
-In order to fix this, only generate this event when actually
-setting the "delay_first_probe_time" sysctl parameter. This fix
-should not have any unintended side-effects, because all but one
-registered netevent callbacks check for other netevent event
-types (the registered callbacks were obtained by grepping for
-"register_netevent_notifier"). The only callback that uses the
-NETEVENT_DELAY_PROBE_TIME_UPDATE event is
-mlxsw_sp_router_netevent_event() (in
-drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c): in case
-of this event, it only accesses the DELAY_PROBE_TIME of the
-passed neigh_parms.
-
-Fixes: 2a4501ae18b5 ("neigh: Send a notification when DELAY_PROBE_TIME changes")
-Signed-off-by: Marcus Huewe
-Reviewed-by: Ido Schimmel
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/core/neighbour.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/net/core/neighbour.c
-+++ b/net/core/neighbour.c
-@@ -2927,7 +2927,8 @@ static void neigh_proc_update(struct ctl
- return;
-
- set_bit(index, p->data_state);
-- call_netevent_notifiers(NETEVENT_DELAY_PROBE_TIME_UPDATE, p);
-+ if (index == NEIGH_VAR_DELAY_PROBE_TIME)
-+ call_netevent_notifiers(NETEVENT_DELAY_PROBE_TIME_UPDATE, p);
- if (!dev) /* NULL dev means this is default value */
- neigh_copy_dflt_parms(net, p, index);
- }
diff --git a/net-socket-fix-recvmmsg-not-returning-error-from-sock_error.patch b/net-socket-fix-recvmmsg-not-returning-error-from-sock_error.patch
deleted file mode 100644
index 88ae276..0000000
--- a/net-socket-fix-recvmmsg-not-returning-error-from-sock_error.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From foo@baz Thu Feb 23 21:13:05 CET 2017
-From: Maxime Jayat
-Date: Tue, 21 Feb 2017 18:35:51 +0100
-Subject: net: socket: fix recvmmsg not returning error from sock_error
-
-From: Maxime Jayat
-
-
-[ Upstream commit e623a9e9dec29ae811d11f83d0074ba254aba374 ]
-
-Commit 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path"),
-changed the exit path of recvmmsg to always return the datagrams
-variable and modified the error paths to set the variable to the error
-code returned by recvmsg if necessary.
-
-However in the case sock_error returned an error, the error code was
-then ignored, and recvmmsg returned 0.
-
-Change the error path of recvmmsg to correctly return the error code
-of sock_error.
-
-The bug was triggered by using recvmmsg on a CAN interface which was
-not up. Linux 4.6 and later return 0 in this case while earlier
-releases returned -ENETDOWN.
-
-Fixes: 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path")
-Signed-off-by: Maxime Jayat
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/socket.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/net/socket.c
-+++ b/net/socket.c
-@@ -2197,8 +2197,10 @@ int __sys_recvmmsg(int fd, struct mmsghd
- return err;
-
- err = sock_error(sock->sk);
-- if (err)
-+ if (err) {
-+ datagrams = err;
- goto out_put;
-+ }
-
- entry = mmsg;
- compat_entry = (struct compat_mmsghdr __user *)mmsg;
diff --git a/netfilter-nf_ct_helper-warn-when-not-applying-default-helper-assignment.patch b/netfilter-nf_ct_helper-warn-when-not-applying-default-helper-assignment.patch
deleted file mode 100644
index 3052666..0000000
--- a/netfilter-nf_ct_helper-warn-when-not-applying-default-helper-assignment.patch
+++ /dev/null
@@ -1,95 +0,0 @@ -From dfe75ff8ca74f54b0fa5a326a1aa9afa485ed802 Mon Sep 17 00:00:00 2001 -From: Jiri Kosina -Date: Wed, 1 Feb 2017 21:01:54 +0100 -Subject: netfilter: nf_ct_helper: warn when not applying default helper assignment - -From: Jiri Kosina - -commit dfe75ff8ca74f54b0fa5a326a1aa9afa485ed802 upstream. - -Commit 3bb398d925 ("netfilter: nf_ct_helper: disable automatic helper -assignment") is causing behavior regressions in firewalls, as traffic -handled by conntrack helpers is now by default not passed through even -though it was before due to missing CT targets (which were not necessary -before this commit). - -The default had to be switched off due to security reasons [1] [2] and -therefore should stay the way it is, but let's be friendly to firewall -admins and issue a warning the first time we're in situation where packet -would be likely passed through with the old default but we're likely going -to drop it on the floor now. - -Rewrite the code a little bit as suggested by Linus, so that we avoid -spaghettiing the code even more -- namely the whole decision making -process regarding helper selection (either automatic or not) is being -separated, so that the whole logic can be simplified and code (condition) -duplication reduced. 
- -[1] https://cansecwest.com/csw12/conntrack-attack.pdf -[2] https://home.regit.org/netfilter-en/secure-use-of-helpers/ - -Signed-off-by: Jiri Kosina -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Greg Kroah-Hartman - ---- - net/netfilter/nf_conntrack_helper.c | 39 ++++++++++++++++++++++++------------ - 1 file changed, 26 insertions(+), 13 deletions(-) - ---- a/net/netfilter/nf_conntrack_helper.c -+++ b/net/netfilter/nf_conntrack_helper.c -@@ -188,6 +188,26 @@ nf_ct_helper_ext_add(struct nf_conn *ct, - } - EXPORT_SYMBOL_GPL(nf_ct_helper_ext_add); - -+static struct nf_conntrack_helper * -+nf_ct_lookup_helper(struct nf_conn *ct, struct net *net) -+{ -+ if (!net->ct.sysctl_auto_assign_helper) { -+ if (net->ct.auto_assign_helper_warned) -+ return NULL; -+ if (!__nf_ct_helper_find(&ct->tuplehash[IP_CT_DIR_REPLY].tuple)) -+ return NULL; -+ pr_info("nf_conntrack: default automatic helper assignment " -+ "has been turned off for security reasons and CT-based " -+ " firewall rule not found. Use the iptables CT target " -+ "to attach helpers instead.\n"); -+ net->ct.auto_assign_helper_warned = 1; -+ return NULL; -+ } -+ -+ return __nf_ct_helper_find(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); -+} -+ -+ - int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl, - gfp_t flags) - { -@@ -213,21 +233,14 @@ int __nf_ct_try_assign_helper(struct nf_ - } - - help = nfct_help(ct); -- if (net->ct.sysctl_auto_assign_helper && helper == NULL) { -- helper = __nf_ct_helper_find(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); -- if (unlikely(!net->ct.auto_assign_helper_warned && helper)) { -- pr_info("nf_conntrack: automatic helper " -- "assignment is deprecated and it will " -- "be removed soon. 
Use the iptables CT target " -- "to attach helpers instead.\n"); -- net->ct.auto_assign_helper_warned = true; -- } -- } - - if (helper == NULL) { -- if (help) -- RCU_INIT_POINTER(help->helper, NULL); -- return 0; -+ helper = nf_ct_lookup_helper(ct, net); -+ if (helper == NULL) { -+ if (help) -+ RCU_INIT_POINTER(help->helper, NULL); -+ return 0; -+ } - } - - if (help == NULL) { diff --git a/packet-do-not-call-fanout_release-from-atomic-contexts.patch b/packet-do-not-call-fanout_release-from-atomic-contexts.patch deleted file mode 100644 index 19a1a94..0000000 --- a/packet-do-not-call-fanout_release-from-atomic-contexts.patch +++ /dev/null 
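Review bot: In the new nf_ct_lookup_helper(), the pr_info() text is built from adjacent literals where one ends in `"... and CT-based "` and the next begins with `" firewall rule not found. ..."`, so the logged message contains a double space and no longer matches a grep for the sentence as written. Dropping the leading space gives `"firewall rule not found. Use the iptables CT target "`. The same function sets `net->ct.auto_assign_helper_warned = 1;` where the removed code used `true`; keeping `true` would match the previous style, assuming the field is still a bool. Because the flag is set on the first hit and every later call returns NULL before the lookup, the message marks only the first affected flow per netns, which is worth stating in a short comment above the function so admins do not read it as a complete list of dropped helper traffic.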
@@ -1,186 +0,0 @@ -From foo@baz Thu Feb 23 21:13:05 CET 2017 -From: Anoob Soman -Date: Wed, 15 Feb 2017 20:25:39 +0000 -Subject: packet: Do not call fanout_release from atomic contexts - -From: Anoob Soman - - -[ Upstream commit 2bd624b4611ffee36422782d16e1c944d1351e98 ] - -Commit 6664498280cf ("packet: call fanout_release, while UNREGISTERING a -netdev"), unfortunately, introduced the following issues. - -1. calling mutex_lock(&fanout_mutex) (fanout_release()) from inside -rcu_read-side critical section. rcu_read_lock disables preemption, most often, -which prohibits calling sleeping functions. - -[ ] include/linux/rcupdate.h:560 Illegal context switch in RCU read-side critical section! -[ ] -[ ] rcu_scheduler_active = 1, debug_locks = 0 -[ ] 4 locks held by ovs-vswitchd/1969: -[ ] #0: (cb_lock){++++++}, at: [] genl_rcv+0x19/0x40 -[ ] #1: (ovs_mutex){+.+.+.}, at: [] ovs_vport_cmd_del+0x4a/0x100 [openvswitch] -[ ] #2: (rtnl_mutex){+.+.+.}, at: [] rtnl_lock+0x17/0x20 -[ ] #3: (rcu_read_lock){......}, at: [] packet_notifier+0x5/0x3f0 -[ ] -[ ] Call Trace: -[ ] [] dump_stack+0x85/0xc4 -[ ] [] lockdep_rcu_suspicious+0x107/0x110 -[ ] [] ___might_sleep+0x57/0x210 -[ ] [] __might_sleep+0x70/0x90 -[ ] [] mutex_lock_nested+0x3c/0x3a0 -[ ] [] ? vprintk_default+0x1f/0x30 -[ ] [] ? printk+0x4d/0x4f -[ ] [] fanout_release+0x1d/0xe0 -[ ] [] packet_notifier+0x2f9/0x3f0 - -2. calling mutex_lock(&fanout_mutex) inside spin_lock(&po->bind_lock). -"sleeping function called from invalid context" - -[ ] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620 -[ ] in_atomic(): 1, irqs_disabled(): 0, pid: 1969, name: ovs-vswitchd -[ ] INFO: lockdep is turned off. -[ ] Call Trace: -[ ] [] dump_stack+0x85/0xc4 -[ ] [] ___might_sleep+0x202/0x210 -[ ] [] __might_sleep+0x70/0x90 -[ ] [] mutex_lock_nested+0x3c/0x3a0 -[ ] [] fanout_release+0x1d/0xe0 -[ ] [] packet_notifier+0x2f9/0x3f0 - -3. 
calling dev_remove_pack(&fanout->prot_hook), from inside -spin_lock(&po->bind_lock) or rcu_read-side critical-section. dev_remove_pack() --> synchronize_net(), which might sleep. - -[ ] BUG: scheduling while atomic: ovs-vswitchd/1969/0x00000002 -[ ] INFO: lockdep is turned off. -[ ] Call Trace: -[ ] [] dump_stack+0x85/0xc4 -[ ] [] __schedule_bug+0x64/0x73 -[ ] [] __schedule+0x6b/0xd10 -[ ] [] schedule+0x6b/0x80 -[ ] [] schedule_timeout+0x38d/0x410 -[ ] [] synchronize_sched_expedited+0x53d/0x810 -[ ] [] synchronize_rcu_expedited+0xe/0x10 -[ ] [] synchronize_net+0x35/0x50 -[ ] [] dev_remove_pack+0x13/0x20 -[ ] [] fanout_release+0xbe/0xe0 -[ ] [] packet_notifier+0x2f9/0x3f0 - -4. fanout_release() races with calls from different CPU. - -To fix the above problems, remove the call to fanout_release() under -rcu_read_lock(). Instead, call __dev_remove_pack(&fanout->prot_hook) and -netdev_run_todo will be happy that &dev->ptype_specific list is empty. In order -to achieve this, I moved dev_{add,remove}_pack() out of fanout_{add,release} to -__fanout_{link,unlink}. So, call to {,__}unregister_prot_hook() will make sure -fanout->prot_hook is removed as well. - -Fixes: 6664498280cf ("packet: call fanout_release, while UNREGISTERING a netdev") -Reported-by: Eric Dumazet -Signed-off-by: Anoob Soman -Acked-by: Eric Dumazet -Signed-off-by: David S. 
Miller -Signed-off-by: Greg Kroah-Hartman ---- - net/packet/af_packet.c | 31 ++++++++++++++++++++++--------- - 1 file changed, 22 insertions(+), 9 deletions(-) - ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -1497,6 +1497,8 @@ static void __fanout_link(struct sock *s - f->arr[f->num_members] = sk; - smp_wmb(); - f->num_members++; -+ if (f->num_members == 1) -+ dev_add_pack(&f->prot_hook); - spin_unlock(&f->lock); - } - -@@ -1513,6 +1515,8 @@ static void __fanout_unlink(struct sock - BUG_ON(i >= f->num_members); - f->arr[i] = f->arr[f->num_members - 1]; - f->num_members--; -+ if (f->num_members == 0) -+ __dev_remove_pack(&f->prot_hook); - spin_unlock(&f->lock); - } - -@@ -1693,7 +1697,6 @@ static int fanout_add(struct sock *sk, u - match->prot_hook.func = packet_rcv_fanout; - match->prot_hook.af_packet_priv = match; - match->prot_hook.id_match = match_fanout_group; -- dev_add_pack(&match->prot_hook); - list_add(&match->list, &fanout_list); - } - err = -EINVAL; -@@ -1718,7 +1721,12 @@ out: - return err; - } - --static void fanout_release(struct sock *sk) -+/* If pkt_sk(sk)->fanout->sk_ref is zero, this function removes -+ * pkt_sk(sk)->fanout from fanout_list and returns pkt_sk(sk)->fanout. 
-+ * It is the responsibility of the caller to call fanout_release_data() and -+ * free the returned packet_fanout (after synchronize_net()) -+ */ -+static struct packet_fanout *fanout_release(struct sock *sk) - { - struct packet_sock *po = pkt_sk(sk); - struct packet_fanout *f; -@@ -1728,17 +1736,17 @@ static void fanout_release(struct sock * - if (f) { - po->fanout = NULL; - -- if (atomic_dec_and_test(&f->sk_ref)) { -+ if (atomic_dec_and_test(&f->sk_ref)) - list_del(&f->list); -- dev_remove_pack(&f->prot_hook); -- fanout_release_data(f); -- kfree(f); -- } -+ else -+ f = NULL; - - if (po->rollover) - kfree_rcu(po->rollover, rcu); - } - mutex_unlock(&fanout_mutex); -+ -+ return f; - } - - static bool packet_extra_vlan_len_allowed(const struct net_device *dev, -@@ -2970,6 +2978,7 @@ static int packet_release(struct socket - { - struct sock *sk = sock->sk; - struct packet_sock *po; -+ struct packet_fanout *f; - struct net *net; - union tpacket_req_u req_u; - -@@ -3009,9 +3018,14 @@ static int packet_release(struct socket - packet_set_ring(sk, &req_u, 1, 1); - } - -- fanout_release(sk); -+ f = fanout_release(sk); - - synchronize_net(); -+ -+ if (f) { -+ fanout_release_data(f); -+ kfree(f); -+ } - /* - * Now the socket is dead. No more input will appear. - */ -@@ -3963,7 +3977,6 @@ static int packet_notifier(struct notifi - } - if (msg == NETDEV_UNREGISTER) { - packet_cached_dev_reset(po); -- fanout_release(sk); - po->ifindex = -1; - if (po->prot_hook.dev) - dev_put(po->prot_hook.dev); diff --git a/packet-fix-races-in-fanout_add.patch b/packet-fix-races-in-fanout_add.patch deleted file mode 100644 index bc770db..0000000 --- a/packet-fix-races-in-fanout_add.patch +++ /dev/null 
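Review bot: The comment added above fanout_release() reads as a precondition ("If pkt_sk(sk)->fanout->sk_ref is zero"), but the code drops this socket's reference with `atomic_dec_and_test(&f->sk_ref)` and unlinks and returns the fanout only when that decrement reaches zero. It also does not say that NULL is returned in every other case, which is what packet_release() relies on in its `if (f)` test. I would reword the first sentence to `/* Drops the socket's fanout reference; if it was the last one, removes the fanout from fanout_list and returns it, otherwise returns NULL. */` and keep the existing sentence about the caller calling fanout_release_data() and freeing the result after synchronize_net().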
@@ -1,126 +0,0 @@ -From foo@baz Thu Feb 23 21:13:05 CET 2017 -From: Eric Dumazet -Date: Tue, 14 Feb 2017 09:03:51 -0800 -Subject: packet: fix races in fanout_add() - -From: Eric Dumazet - - -[ Upstream commit d199fab63c11998a602205f7ee7ff7c05c97164b ] - -Multiple threads can call fanout_add() at the same time. - -We need to grab fanout_mutex earlier to avoid races that could -lead to one thread freeing po->rollover that was set by another thread. - -Do the same in fanout_release(), for peace of mind, and to help us -finding lockdep issues earlier. - -Fixes: dc99f600698d ("packet: Add fanout support.") -Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state") -Signed-off-by: Eric Dumazet -Cc: Willem de Bruijn -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - net/packet/af_packet.c | 53 ++++++++++++++++++++++++++----------------------- - 1 file changed, 29 insertions(+), 24 deletions(-) - ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -1619,6 +1619,7 @@ static void fanout_release_data(struct p - - static int fanout_add(struct sock *sk, u16 id, u16 type_flags) - { -+ struct packet_rollover *rollover = NULL; - struct packet_sock *po = pkt_sk(sk); - struct packet_fanout *f, *match; - u8 type = type_flags & 0xff; -@@ -1641,23 +1642,28 @@ static int fanout_add(struct sock *sk, u - return -EINVAL; - } - -+ mutex_lock(&fanout_mutex); -+ -+ err = -EINVAL; - if (!po->running) -- return -EINVAL; -+ goto out; - -+ err = -EALREADY; - if (po->fanout) -- return -EALREADY; -+ goto out; - - if (type == PACKET_FANOUT_ROLLOVER || - (type_flags & PACKET_FANOUT_FLAG_ROLLOVER)) { -- po->rollover = kzalloc(sizeof(*po->rollover), GFP_KERNEL); -- if (!po->rollover) -- return -ENOMEM; -- atomic_long_set(&po->rollover->num, 0); -- atomic_long_set(&po->rollover->num_huge, 0); -- atomic_long_set(&po->rollover->num_failed, 0); -+ err = -ENOMEM; -+ rollover = kzalloc(sizeof(*rollover), GFP_KERNEL); -+ if (!rollover) -+ goto out; -+ 
atomic_long_set(&rollover->num, 0); -+ atomic_long_set(&rollover->num_huge, 0); -+ atomic_long_set(&rollover->num_failed, 0); -+ po->rollover = rollover; - } - -- mutex_lock(&fanout_mutex); - match = NULL; - list_for_each_entry(f, &fanout_list, list) { - if (f->id == id && -@@ -1704,11 +1710,11 @@ static int fanout_add(struct sock *sk, u - } - } - out: -- mutex_unlock(&fanout_mutex); -- if (err) { -- kfree(po->rollover); -+ if (err && rollover) { -+ kfree(rollover); - po->rollover = NULL; - } -+ mutex_unlock(&fanout_mutex); - return err; - } - -@@ -1717,23 +1723,22 @@ static void fanout_release(struct sock * - struct packet_sock *po = pkt_sk(sk); - struct packet_fanout *f; - -+ mutex_lock(&fanout_mutex); - f = po->fanout; -- if (!f) -- return; -+ if (f) { -+ po->fanout = NULL; - -- mutex_lock(&fanout_mutex); -- po->fanout = NULL; -+ if (atomic_dec_and_test(&f->sk_ref)) { -+ list_del(&f->list); -+ dev_remove_pack(&f->prot_hook); -+ fanout_release_data(f); -+ kfree(f); -+ } - -- if (atomic_dec_and_test(&f->sk_ref)) { -- list_del(&f->list); -- dev_remove_pack(&f->prot_hook); -- fanout_release_data(f); -- kfree(f); -+ if (po->rollover) -+ kfree_rcu(po->rollover, rcu); - } - mutex_unlock(&fanout_mutex); -- -- if (po->rollover) -- kfree_rcu(po->rollover, rcu); - } - - static bool packet_extra_vlan_len_allowed(const struct net_device *dev, diff --git a/ptr_ring-fix-race-conditions-when-resizing.patch b/ptr_ring-fix-race-conditions-when-resizing.patch deleted file mode 100644 index 50d4f7f..0000000 --- a/ptr_ring-fix-race-conditions-when-resizing.patch +++ /dev/null 
@@ -1,135 +0,0 @@ -From foo@baz Thu Feb 23 21:13:05 CET 2017 -From: "Michael S. Tsirkin" -Date: Sun, 19 Feb 2017 07:17:17 +0200 -Subject: ptr_ring: fix race conditions when resizing - -From: "Michael S. Tsirkin" - - -[ Upstream commit e71695307114335be1ed912f4a347396c2ed0e69 ] - -Resizing currently drops consumer lock. This can cause entries to be -reordered, which isn't good in itself. More importantly, consumer can -detect a false ring empty condition and block forever. - -Further, nesting of consumer within producer lock is problematic for -tun, since it produces entries in a BH, which causes a lock order -reversal: - - CPU0 CPU1 - ---- ---- - consume: - lock(&(&r->consumer_lock)->rlock); - resize: - local_irq_disable(); - lock(&(&r->producer_lock)->rlock); - lock(&(&r->consumer_lock)->rlock); - - produce: - lock(&(&r->producer_lock)->rlock); - -To fix, nest producer lock within consumer lock during resize, -and keep consumer lock during the whole swap operation. - -Reported-by: Dmitry Vyukov -Cc: stable@vger.kernel.org -Cc: "David S. Miller" -Acked-by: Jason Wang -Signed-off-by: Michael S. Tsirkin -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/ptr_ring.h | 36 +++++++++++++++++++++++++++++++----- - 1 file changed, 31 insertions(+), 5 deletions(-) - ---- a/include/linux/ptr_ring.h -+++ b/include/linux/ptr_ring.h -@@ -111,6 +111,11 @@ static inline int __ptr_ring_produce(str - return 0; - } - -+/* -+ * Note: resize (below) nests producer lock within consumer lock, so if you -+ * consume in interrupt or BH context, you must disable interrupts/BH when -+ * calling this. -+ */ - static inline int ptr_ring_produce(struct ptr_ring *r, void *ptr) - { - int ret; -@@ -242,6 +247,11 @@ static inline void *__ptr_ring_consume(s - return ptr; - } - -+/* -+ * Note: resize (below) nests producer lock within consumer lock, so if you -+ * call this in interrupt or BH context, you must disable interrupts/BH when -+ * producing. 
-+ */ - static inline void *ptr_ring_consume(struct ptr_ring *r) - { - void *ptr; -@@ -357,7 +367,7 @@ static inline void **__ptr_ring_swap_que - void **old; - void *ptr; - -- while ((ptr = ptr_ring_consume(r))) -+ while ((ptr = __ptr_ring_consume(r))) - if (producer < size) - queue[producer++] = ptr; - else if (destroy) -@@ -372,6 +382,12 @@ static inline void **__ptr_ring_swap_que - return old; - } - -+/* -+ * Note: producer lock is nested within consumer lock, so if you -+ * resize you must make sure all uses nest correctly. -+ * In particular if you consume ring in interrupt or BH context, you must -+ * disable interrupts/BH when doing so. -+ */ - static inline int ptr_ring_resize(struct ptr_ring *r, int size, gfp_t gfp, - void (*destroy)(void *)) - { -@@ -382,17 +398,25 @@ static inline int ptr_ring_resize(struct - if (!queue) - return -ENOMEM; - -- spin_lock_irqsave(&(r)->producer_lock, flags); -+ spin_lock_irqsave(&(r)->consumer_lock, flags); -+ spin_lock(&(r)->producer_lock); - - old = __ptr_ring_swap_queue(r, queue, size, gfp, destroy); - -- spin_unlock_irqrestore(&(r)->producer_lock, flags); -+ spin_unlock(&(r)->producer_lock); -+ spin_unlock_irqrestore(&(r)->consumer_lock, flags); - - kfree(old); - - return 0; - } - -+/* -+ * Note: producer lock is nested within consumer lock, so if you -+ * resize you must make sure all uses nest correctly. -+ * In particular if you consume ring in interrupt or BH context, you must -+ * disable interrupts/BH when doing so. 
-+ */ - static inline int ptr_ring_resize_multiple(struct ptr_ring **rings, int nrings, - int size, - gfp_t gfp, void (*destroy)(void *)) -@@ -412,10 +436,12 @@ static inline int ptr_ring_resize_multip - } - - for (i = 0; i < nrings; ++i) { -- spin_lock_irqsave(&(rings[i])->producer_lock, flags); -+ spin_lock_irqsave(&(rings[i])->consumer_lock, flags); -+ spin_lock(&(rings[i])->producer_lock); - queues[i] = __ptr_ring_swap_queue(rings[i], queues[i], - size, gfp, destroy); -- spin_unlock_irqrestore(&(rings[i])->producer_lock, flags); -+ spin_unlock(&(rings[i])->producer_lock); -+ spin_unlock_irqrestore(&(rings[i])->consumer_lock, flags); - } - - for (i = 0; i < nrings; ++i) diff --git a/rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch b/rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch deleted file mode 100644 index f2b3f46..0000000 --- a/rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch +++ /dev/null 
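Review bot: `__ptr_ring_swap_queue()` now drains the old ring with `__ptr_ring_consume()` instead of `ptr_ring_consume()`, so it is correct only when the caller already holds consumer_lock, yet the new locking comments are placed on ptr_ring_resize() and ptr_ring_resize_multiple() rather than on the helper that carries the requirement. I would add `/* Caller must hold consumer_lock and producer_lock. */` above `__ptr_ring_swap_queue()` so a future caller does not reintroduce the unlocked drain. The helper's definition starts outside the hunk, so whether it already documents this cannot be seen from here.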
@@ -1,56 +0,0 @@ -From 575ddce0507789bf9830d089557d2199d2f91865 Mon Sep 17 00:00:00 2001 -From: Michael Schenk -Date: Thu, 26 Jan 2017 11:25:04 -0600 -Subject: rtlwifi: rtl_usb: Fix for URB leaking when doing ifconfig up/down - -From: Michael Schenk - -commit 575ddce0507789bf9830d089557d2199d2f91865 upstream. - -In the function rtl_usb_start we pre-allocate a certain number of urbs -for RX path but they will not be freed when calling rtl_usb_stop. This -results in leaking urbs when doing ifconfig up and down. Eventually, -the system has no available urbs. - -Signed-off-by: Michael Schenk -Signed-off-by: Larry Finger -Signed-off-by: Kalle Valo -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/net/wireless/realtek/rtlwifi/usb.c | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - ---- a/drivers/net/wireless/realtek/rtlwifi/usb.c -+++ b/drivers/net/wireless/realtek/rtlwifi/usb.c -@@ -831,12 +831,30 @@ static void rtl_usb_stop(struct ieee8021 - struct rtl_priv *rtlpriv = rtl_priv(hw); - struct rtl_hal *rtlhal = rtl_hal(rtl_priv(hw)); - struct rtl_usb *rtlusb = rtl_usbdev(rtl_usbpriv(hw)); -+ struct urb *urb; - - /* should after adapter start and interrupt enable. */ - set_hal_stop(rtlhal); - cancel_work_sync(&rtlpriv->works.fill_h2c_cmd); - /* Enable software */ - SET_USB_STOP(rtlusb); -+ -+ /* free pre-allocated URBs from rtl_usb_start() */ -+ usb_kill_anchored_urbs(&rtlusb->rx_submitted); -+ -+ tasklet_kill(&rtlusb->rx_work_tasklet); -+ cancel_work_sync(&rtlpriv->works.lps_change_work); -+ -+ flush_workqueue(rtlpriv->works.rtl_wq); -+ -+ skb_queue_purge(&rtlusb->rx_queue); -+ -+ while ((urb = usb_get_from_anchor(&rtlusb->rx_cleanup_urbs))) { -+ usb_free_coherent(urb->dev, urb->transfer_buffer_length, -+ urb->transfer_buffer, urb->transfer_dma); -+ usb_free_urb(urb); -+ } -+ - rtlpriv->cfg->ops->hw_disable(hw); - } - 
diff --git a/tty-serial-msm-fix-module-autoload.patch b/tty-serial-msm-fix-module-autoload.patch deleted file mode 100644 index 00f8334..0000000 --- a/tty-serial-msm-fix-module-autoload.patch +++ /dev/null @@ -1,48 +0,0 @@ -From abe81f3b8ed2996e1712d26d38ff6b73f582c616 Mon Sep 17 00:00:00 2001 -From: Javier Martinez Canillas -Date: Mon, 2 Jan 2017 11:57:20 -0300 -Subject: tty: serial: msm: Fix module autoload - -From: Javier Martinez Canillas - -commit abe81f3b8ed2996e1712d26d38ff6b73f582c616 upstream. - -If the driver is built as a module, autoload won't work because the module -alias information is not filled. So user-space can't match the registered -device with the corresponding module. - -Export the module alias information using the MODULE_DEVICE_TABLE() macro. - -Before this patch: - -$ modinfo drivers/tty/serial/msm_serial.ko | grep alias -$ - -After this patch: - -$ modinfo drivers/tty/serial/msm_serial.ko | grep alias -alias: of:N*T*Cqcom,msm-uartdmC* -alias: of:N*T*Cqcom,msm-uartdm -alias: of:N*T*Cqcom,msm-uartC* -alias: of:N*T*Cqcom,msm-uart - -Signed-off-by: Javier Martinez Canillas -Acked-by: Bjorn Andersson -Cc: stable -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/tty/serial/msm_serial.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/tty/serial/msm_serial.c -+++ b/drivers/tty/serial/msm_serial.c -@@ -1809,6 +1809,7 @@ static const struct of_device_id msm_mat - { .compatible = "qcom,msm-uartdm" }, - {} - }; -+MODULE_DEVICE_TABLE(of, msm_match_table); - - static struct platform_driver msm_platform_driver = { - .remove = msm_serial_remove, diff --git a/usb-serial-ark3116-fix-register-accessor-error-handling.patch b/usb-serial-ark3116-fix-register-accessor-error-handling.patch deleted file mode 100644 index ec1430a..0000000 --- a/usb-serial-ark3116-fix-register-accessor-error-handling.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 9fef37d7cf170522fb354d6d0ea6de09b9b16678 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Thu, 12 Jan 2017 14:56:09 +0100 -Subject: USB: serial: ark3116: fix register-accessor error handling - -From: Johan Hovold - -commit 9fef37d7cf170522fb354d6d0ea6de09b9b16678 upstream. - -The current implementation failed to detect short transfers, something -which could lead to bits of the uninitialised heap transfer buffer -leaking to user space. - -Fixes: 149fc791a452 ("USB: ark3116: Setup some basic infrastructure for new ark3116 driver.") -Fixes: f4c1e8d597d1 ("USB: ark3116: Make existing functions 16450-aware and add close and release functions.") -Reviewed-by: Greg Kroah-Hartman -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/usb/serial/ark3116.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - ---- a/drivers/usb/serial/ark3116.c -+++ b/drivers/usb/serial/ark3116.c -@@ -99,10 +99,17 @@ static int ark3116_read_reg(struct usb_s - usb_rcvctrlpipe(serial->dev, 0), - 0xfe, 0xc0, 0, reg, - buf, 1, ARK_TIMEOUT); -- if (result < 0) -+ if (result < 1) { -+ dev_err(&serial->interface->dev, -+ "failed to read register %u: %d\n", -+ reg, result); -+ if (result >= 0) -+ result = -EIO; -+ - return result; -- else -- return buf[0]; -+ } -+ -+ return buf[0]; - } - - static inline int calc_divisor(int bps) diff --git a/usb-serial-console-fix-uninitialised-spinlock.patch b/usb-serial-console-fix-uninitialised-spinlock.patch deleted file mode 100644 index 5f0edc3..0000000 --- a/usb-serial-console-fix-uninitialised-spinlock.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 14816b16fa0adac24f82492f18fa62c55acabbbe Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Wed, 8 Feb 2017 18:53:08 +0100 -Subject: USB: serial: console: fix uninitialised spinlock - -From: Johan Hovold - -commit 14816b16fa0adac24f82492f18fa62c55acabbbe upstream. - -Since commit 4a510969374a ("tty: Make tty_files_lock per-tty") a new -tty_struct spin lock is taken in the tty release path, but the -USB-serial-console hack was never updated hence leaving the lock of its -"fake" tty uninitialised. This was eventually detected by lockdep. - -Make sure to initialise the new lock also for the fake tty to address -this regression. - -Yes, this code is a mess, but cleaning it up is left for another day. - -Fixes: 4a510969374a ("tty: Make tty_files_lock per-tty") -Reviewed-by: Greg Kroah-Hartman -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/usb/serial/console.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/usb/serial/console.c -+++ b/drivers/usb/serial/console.c -@@ -143,6 +143,7 @@ static int usb_console_setup(struct cons - tty->driver = usb_serial_tty_driver; - tty->index = co->index; - init_ldsem(&tty->ldisc_sem); -+ spin_lock_init(&tty->files_lock); - INIT_LIST_HEAD(&tty->tty_files); - kref_get(&tty->driver->kref); - __module_get(tty->driver->owner); diff --git a/usb-serial-cp210x-add-new-ids-for-ge-bx50v3-boards.patch b/usb-serial-cp210x-add-new-ids-for-ge-bx50v3-boards.patch deleted file mode 100644 index 8bd68ad..0000000 --- a/usb-serial-cp210x-add-new-ids-for-ge-bx50v3-boards.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 9a593656def0dc2f6c227851e8e602077267a5f1 Mon Sep 17 00:00:00 2001 -From: Ken Lin -Date: Sat, 4 Feb 2017 04:00:24 +0800 -Subject: USB: serial: cp210x: add new IDs for GE Bx50v3 boards - -From: Ken Lin - -commit 9a593656def0dc2f6c227851e8e602077267a5f1 upstream. - -Add new USB IDs for cp2104/5 devices on Bx50v3 boards due to the design -change. - -Signed-off-by: Ken Lin -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/usb/serial/cp210x.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/usb/serial/cp210x.c -+++ b/drivers/usb/serial/cp210x.c -@@ -172,6 +172,8 @@ static const struct usb_device_id id_tab - { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */ - { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */ - { USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */ -+ { USB_DEVICE(0x1901, 0x0195) }, /* GE B850/B650/B450 CP2104 DP UART interface */ -+ { USB_DEVICE(0x1901, 0x0196) }, /* GE B850 CP2105 DP UART interface */ - { USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */ - { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */ - { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */ diff --git a/usb-serial-digi_acceleport-fix-oob-data-sanity-check.patch b/usb-serial-digi_acceleport-fix-oob-data-sanity-check.patch deleted file mode 100644 index 22c2761..0000000 --- a/usb-serial-digi_acceleport-fix-oob-data-sanity-check.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From 2d380889215fe20b8523345649dee0579821800c Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Tue, 31 Jan 2017 17:17:27 +0100 -Subject: USB: serial: digi_acceleport: fix OOB data sanity check - -From: Johan Hovold - -commit 2d380889215fe20b8523345649dee0579821800c upstream. - -Make sure to check for short transfers to avoid underflow in a loop -condition when parsing the receive buffer. - -Also fix an off-by-one error in the incomplete sanity check which could -lead to invalid data being parsed. - -Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32") -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Reviewed-by: Greg Kroah-Hartman -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/usb/serial/digi_acceleport.c | 14 +++++++++----- - 1 file changed, 9 insertions(+), 5 deletions(-) - ---- a/drivers/usb/serial/digi_acceleport.c -+++ b/drivers/usb/serial/digi_acceleport.c -@@ -1482,16 +1482,20 @@ static int digi_read_oob_callback(struct - struct usb_serial *serial = port->serial; - struct tty_struct *tty; - struct digi_port *priv = usb_get_serial_port_data(port); -+ unsigned char *buf = urb->transfer_buffer; - int opcode, line, status, val; - int i; - unsigned int rts; - -+ if (urb->actual_length < 4) -+ return -1; -+ - /* handle each oob command */ -- for (i = 0; i < urb->actual_length - 3;) { -- opcode = ((unsigned char *)urb->transfer_buffer)[i++]; -- line = ((unsigned char *)urb->transfer_buffer)[i++]; -- status = ((unsigned char *)urb->transfer_buffer)[i++]; -- val = ((unsigned char *)urb->transfer_buffer)[i++]; -+ for (i = 0; i < urb->actual_length - 4; i += 4) { -+ opcode = buf[i]; -+ line = buf[i + 1]; -+ status = buf[i + 2]; -+ val = buf[i + 3]; - - dev_dbg(&port->dev, "digi_read_oob_callback: opcode=%d, line=%d, status=%d, val=%d\n", - opcode, line, status, val); 
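Review bot: The new loop bound `i < urb->actual_length - 4` skips the last 4-byte OOB record: with `actual_length == 4` the bound is 0 and the body never runs, and for any longer buffer the final complete record is not parsed, so the status it carries is silently dropped. The added `if (urb->actual_length < 4) return -1;` guard already removes the unsigned underflow, so the bound can be `for (i = 0; i < urb->actual_length - 3; i += 4) {`, which still reads only complete records (`buf[i + 3]` stays below actual_length). digi_read_oob_callback's body continues outside the hunk.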
diff --git a/usb-serial-ftdi_sio-fix-extreme-low-latency-setting.patch b/usb-serial-ftdi_sio-fix-extreme-low-latency-setting.patch deleted file mode 100644 index 6770d1a..0000000 --- a/usb-serial-ftdi_sio-fix-extreme-low-latency-setting.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From c6dce2626606ef16434802989466636bc28c1419 Mon Sep 17 00:00:00 2001 -From: Johan Hovold -Date: Wed, 25 Jan 2017 15:35:20 +0100 -Subject: USB: serial: ftdi_sio: fix extreme low-latency setting - -From: Johan Hovold - -commit c6dce2626606ef16434802989466636bc28c1419 upstream. - -Since commit 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY -flag") the FTDI driver has been using a receive latency-timer value of -1 ms instead of the device default of 16 ms. - -The latency timer is used to periodically empty a non-full receive -buffer, but a status header is always sent when the timer expires -including when the buffer is empty. This means that a two-byte bulk -message is received every millisecond also for an otherwise idle port as -long as it is open. - -Let's restore the pre-2009 behaviour which reduces the rate of the -status messages to 1/16th (e.g. interrupt frequency drops from 1 kHz to -62.5 Hz) by not setting ASYNC_LOW_LATENCY by default. - -Anyone willing to pay the price for the minimum-latency behaviour should -set the flag explicitly instead using the TIOCSSERIAL ioctl or a tool -such as setserial (e.g. setserial /dev/ttyUSB0 low_latency). - -Note that since commit 0cbd81a9f6ba ("USB: ftdi_sio: remove -tty->low_latency") the ASYNC_LOW_LATENCY flag has no other effects but -to set a minimal latency timer. - -Reported-by: Antoine Aubert -Fixes: 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY flag") -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/usb/serial/ftdi_sio.c | 2 -- - 1 file changed, 2 deletions(-) - ---- a/drivers/usb/serial/ftdi_sio.c -+++ b/drivers/usb/serial/ftdi_sio.c -@@ -1807,8 +1807,6 @@ static int ftdi_sio_port_probe(struct us - - mutex_init(&priv->cfg_lock); - -- priv->flags = ASYNC_LOW_LATENCY; -- - if (quirk && quirk->port_probe) - quirk->port_probe(priv); - 
diff --git a/usb-serial-ftdi_sio-fix-line-status-over-reporting.patch b/usb-serial-ftdi_sio-fix-line-status-over-reporting.patch deleted file mode 100644 index 834c1e6..0000000 --- a/usb-serial-ftdi_sio-fix-line-status-over-reporting.patch +++ /dev/null 
@@ -1,75 +0,0 @@
-From a6bb1e17a39818b01b55d8e6238b4b5f06d55038 Mon Sep 17 00:00:00 2001
-From: Johan Hovold
-Date: Thu, 2 Feb 2017 17:38:35 +0100
-Subject: USB: serial: ftdi_sio: fix line-status over-reporting
-
-From: Johan Hovold
-
-commit a6bb1e17a39818b01b55d8e6238b4b5f06d55038 upstream.
-
-FTDI devices use a receive latency timer to periodically empty the
-receive buffer and report modem and line status (also when the buffer is
-empty).
-
-When a break or error condition is detected the corresponding status
-flags will be set on a packet with nonzero data payload and the flags
-are not updated until the break is over or further characters are
-received.
-
-In order to avoid over-reporting break and error conditions, these flags
-must therefore only be processed for packets with payload.
-
-This specifically fixes the case where after an overrun, the error
-condition is continuously reported and NULL-characters inserted until
-further data is received.
-
-Reported-by: Michael Walle
-Fixes: 72fda3ca6fc1 ("USB: serial: ftd_sio: implement sysrq handling on
-break")
-Fixes: 166ceb690750 ("USB: ftdi_sio: clean up line-status handling")
-Signed-off-by: Johan Hovold
-Signed-off-by: Greg Kroah-Hartman
-
---
- drivers/usb/serial/ftdi_sio.c | 23 ++++++++++++++---------
- 1 file changed, 14 insertions(+), 9 deletions(-)
-
---- a/drivers/usb/serial/ftdi_sio.c
-+++ b/drivers/usb/serial/ftdi_sio.c
-@@ -2070,6 +2070,20 @@ static int ftdi_process_packet(struct us
- priv->prev_status = status;
- }
-
-+ /* save if the transmitter is empty or not */
-+ if (packet[1] & FTDI_RS_TEMT)
-+ priv->transmit_empty = 1;
-+ else
-+ priv->transmit_empty = 0;
-+
-+ len -= 2;
-+ if (!len)
-+ return 0; /* status only */
-+
-+ /*
-+ * Break and error status must only be processed for packets with
-+ * data payload to avoid over-reporting.
-+ */
- flag = TTY_NORMAL;
- if (packet[1] & FTDI_RS_ERR_MASK) {
- /* Break takes precedence over parity, which takes precedence
-@@ -2092,15 +2106,6 @@ static int ftdi_process_packet(struct us
- }
- }
-
-- /* save if the transmitter is empty or not */
-- if (packet[1] & FTDI_RS_TEMT)
-- priv->transmit_empty = 1;
-- else
-- priv->transmit_empty = 0;
--
-- len -= 2;
-- if (!len)
-- return 0; /* status only */
- port->icount.rx += len;
- ch = packet + 2;
-
diff --git a/usb-serial-ftdi_sio-fix-modem-status-error-handling.patch b/usb-serial-ftdi_sio-fix-modem-status-error-handling.patch
deleted file mode 100644
index 8727941..0000000
--- a/usb-serial-ftdi_sio-fix-modem-status-error-handling.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 427c3a95e3e29e65f59d99aaf320d7506f3eed57 Mon Sep 17 00:00:00 2001
-From: Johan Hovold
-Date: Thu, 12 Jan 2017 14:56:11 +0100
-Subject: USB: serial: ftdi_sio: fix modem-status error handling
-
-From: Johan Hovold
-
-commit 427c3a95e3e29e65f59d99aaf320d7506f3eed57 upstream.
-
-Make sure to detect short responses when fetching the modem status in
-order to avoid parsing uninitialised buffer data and having bits of it
-leak to user space.
-
-Note that we still allow for short 1-byte responses.
-
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Reviewed-by: Greg Kroah-Hartman
-Signed-off-by: Johan Hovold
-Signed-off-by: Greg Kroah-Hartman
-
---
- drivers/usb/serial/ftdi_sio.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/drivers/usb/serial/ftdi_sio.c
-+++ b/drivers/usb/serial/ftdi_sio.c
-@@ -2433,8 +2433,12 @@ static int ftdi_get_modem_status(struct
- FTDI_SIO_GET_MODEM_STATUS_REQUEST_TYPE,
- 0, priv->interface,
- buf, len, WDR_TIMEOUT);
-- if (ret < 0) {
-+
-+ /* NOTE: We allow short responses and handle that below. */
-+ if (ret < 1) {
- dev_err(&port->dev, "failed to get modem status: %d\n", ret);
-+ if (ret >= 0)
-+ ret = -EIO;
- ret = usb_translate_errors(ret);
- goto out;
- }
diff --git a/usb-serial-mos7840-fix-another-null-deref-at-open.patch b/usb-serial-mos7840-fix-another-null-deref-at-open.patch
deleted file mode 100644
index 4ab4193..0000000
--- a/usb-serial-mos7840-fix-another-null-deref-at-open.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 5182c2cf2a9bfb7f066ef0bdd2bb6330b94dd74e Mon Sep 17 00:00:00 2001
-From: Johan Hovold
-Date: Thu, 9 Feb 2017 12:11:41 +0100
-Subject: USB: serial: mos7840: fix another NULL-deref at open
-
-From: Johan Hovold
-
-commit 5182c2cf2a9bfb7f066ef0bdd2bb6330b94dd74e upstream.
-
-Fix another NULL-pointer dereference at open should a malicious device
-lack an interrupt-in endpoint.
-
-Note that the driver has a broken check for an interrupt-in endpoint
-which means that an interrupt URB has never even been submitted.
-
-Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver")
-Reviewed-by: Greg Kroah-Hartman
-Signed-off-by: Johan Hovold
-Signed-off-by: Greg Kroah-Hartman
-
---
- drivers/usb/serial/mos7840.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/drivers/usb/serial/mos7840.c
-+++ b/drivers/usb/serial/mos7840.c
-@@ -1024,6 +1024,7 @@ static int mos7840_open(struct tty_struc
- * (can't set it up in mos7840_startup as the structures *
- * were not set up at that time.) */
- if (port0->open_ports == 1) {
-+ /* FIXME: Buffer never NULL, so URB is not submitted. */
- if (serial->port[0]->interrupt_in_buffer == NULL) {
- /* set up interrupt urb */
- usb_fill_int_urb(serial->port[0]->interrupt_in_urb,
-@@ -2119,7 +2120,8 @@ static int mos7840_calc_num_ports(struct
- static int mos7840_attach(struct usb_serial *serial)
- {
- if (serial->num_bulk_in < serial->num_ports ||
-- serial->num_bulk_out < serial->num_ports) {
-+ serial->num_bulk_out < serial->num_ports ||
-+ serial->num_interrupt_in < 1) {
- dev_err(&serial->interface->dev, "missing endpoints\n");
- return -ENODEV;
- }
diff --git a/usb-serial-opticon-fix-cts-retrieval-at-open.patch b/usb-serial-opticon-fix-cts-retrieval-at-open.patch
deleted file mode 100644
index 550f5bc..0000000
--- a/usb-serial-opticon-fix-cts-retrieval-at-open.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 2eee05020a0e7ee7c04422cbacdb07859e45dce6 Mon Sep 17 00:00:00 2001
-From: Johan Hovold
-Date: Fri, 13 Jan 2017 13:21:08 +0100
-Subject: USB: serial: opticon: fix CTS retrieval at open
-
-From: Johan Hovold
-
-commit 2eee05020a0e7ee7c04422cbacdb07859e45dce6 upstream.
-
-The opticon driver used a control request at open to trigger a CTS
-status notification to be sent over the bulk-in pipe. When the driver
-was converted to using the generic read implementation, an inverted test
-prevented this request from being sent, something which could lead to
-TIOCMGET reporting an incorrect CTS state.
-
-Reported-by: Dan Carpenter
-Fixes: 7a6ee2b02751 ("USB: opticon: switch to generic read implementation")
-Reviewed-by: Greg Kroah-Hartman
-Signed-off-by: Johan Hovold
-Signed-off-by: Greg Kroah-Hartman
-
---
- drivers/usb/serial/opticon.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/usb/serial/opticon.c
-+++ b/drivers/usb/serial/opticon.c
-@@ -142,7 +142,7 @@ static int opticon_open(struct tty_struc
- usb_clear_halt(port->serial->dev, port->read_urb->pipe);
-
- res = usb_serial_generic_open(tty, port);
-- if (!res)
-+ if (res)
- return res;
-
- /* Request CTS line state, sometimes during opening the current
diff --git a/usb-serial-spcp8x5-fix-modem-status-handling.patch b/usb-serial-spcp8x5-fix-modem-status-handling.patch
deleted file mode 100644
index aab93cd..0000000
--- a/usb-serial-spcp8x5-fix-modem-status-handling.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 5ed8d41023751bdd3546f2fe4118304357efe8d2 Mon Sep 17 00:00:00 2001
-From: Johan Hovold
-Date: Thu, 12 Jan 2017 14:56:21 +0100
-Subject: USB: serial: spcp8x5: fix modem-status handling
-
-From: Johan Hovold
-
-commit 5ed8d41023751bdd3546f2fe4118304357efe8d2 upstream.
-
-Make sure to detect short control transfers and return zero on success
-when retrieving the modem status.
-
-This fixes the TIOCMGET implementation which since e1ed212d8593 ("USB:
-spcp8x5: add proper modem-status support") has returned TIOCM_LE on
-successful retrieval, and avoids leaking bits from the stack on short
-transfers.
-
-This also fixes the carrier-detect implementation which since the above
-mentioned commit unconditionally has returned true.
-
-Fixes: e1ed212d8593 ("USB: spcp8x5: add proper modem-status support")
-Reviewed-by: Greg Kroah-Hartman
-Signed-off-by: Johan Hovold
-Signed-off-by: Greg Kroah-Hartman
-
---
- drivers/usb/serial/spcp8x5.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
---- a/drivers/usb/serial/spcp8x5.c
-+++ b/drivers/usb/serial/spcp8x5.c
-@@ -232,11 +232,17 @@ static int spcp8x5_get_msr(struct usb_se
- ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
- GET_UART_STATUS, GET_UART_STATUS_TYPE,
- 0, GET_UART_STATUS_MSR, buf, 1, 100);
-- if (ret < 0)
-+ if (ret < 1) {
- dev_err(&port->dev, "failed to get modem status: %d\n", ret);
-+ if (ret >= 0)
-+ ret = -EIO;
-+ goto out;
-+ }
-
- dev_dbg(&port->dev, "0xc0:0x22:0:6 %d - 0x02%x\n", ret, *buf);
- *status = *buf;
-+ ret = 0;
-+out:
- kfree(buf);
-
- return ret;
diff --git a/vxlan-fix-oops-in-dev_fill_metadata_dst.patch b/vxlan-fix-oops-in-dev_fill_metadata_dst.patch
deleted file mode 100644
index 99ce1da..0000000
--- a/vxlan-fix-oops-in-dev_fill_metadata_dst.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From foo@baz Thu Feb 23 21:13:05 CET 2017
-From: Paolo Abeni
-Date: Fri, 17 Feb 2017 19:14:27 +0100
-Subject: vxlan: fix oops in dev_fill_metadata_dst
-
-From: Paolo Abeni
-
-
-[ Upstream commit 22f0708a718daea5e79de2d29b4829de016a4ff4 ]
-
-Since the commit 0c1d70af924b ("net: use dst_cache for vxlan device")
-vxlan_fill_metadata_dst() calls vxlan_get_route() passing a NULL
-dst_cache pointer, so the latter should explicitly check for
-valid dst_cache ptr. Unfortunately the commit d71785ffc7e7 ("net: add
-dst_cache to ovs vxlan lwtunnel") removed said check.
-
-As a result is possible to trigger a null pointer access calling
-vxlan_fill_metadata_dst(), e.g. with:
-
-ovs-vsctl add-br ovs-br0
-ovs-vsctl add-port ovs-br0 vxlan0 -- set interface vxlan0 \
- type=vxlan options:remote_ip=192.168.1.1 \
- options:key=1234 options:dst_port=4789 ofport_request=10
-ip address add dev ovs-br0 172.16.1.2/24
-ovs-vsctl set Bridge ovs-br0 ipfix=@i -- --id=@i create IPFIX \
- targets=\"172.16.1.1:1234\" sampling=1
-iperf -c 172.16.1.1 -u -l 1000 -b 10M -t 1 -p 1234
-
-This commit addresses the issue passing to vxlan_get_route() the
-dst_cache already available into the lwt info processed by
-vxlan_fill_metadata_dst().
-
-Fixes: d71785ffc7e7 ("net: add dst_cache to ovs vxlan lwtunnel")
-Signed-off-by: Paolo Abeni
-Acked-by: Jiri Benc
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/net/vxlan.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/drivers/net/vxlan.c
-+++ b/drivers/net/vxlan.c
-@@ -2449,7 +2449,8 @@ static int vxlan_fill_metadata_dst(struc
- return -EINVAL;
- rt = vxlan_get_route(vxlan, skb, 0, info->key.tos,
- info->key.u.ipv4.dst,
-- &info->key.u.ipv4.src, NULL, info);
-+ &info->key.u.ipv4.src,
-+ &info->dst_cache, info);
- if (IS_ERR(rt))
- return PTR_ERR(rt);
- ip_rt_put(rt);
-@@ -2459,7 +2460,8 @@ static int vxlan_fill_metadata_dst(struc
-
- ndst = vxlan6_get_route(vxlan, skb, 0, info->key.tos,
- info->key.label, &info->key.u.ipv6.dst,
-- &info->key.u.ipv6.src, NULL, info);
-+ &info->key.u.ipv6.src,
-+ &info->dst_cache, info);
- if (IS_ERR(ndst))
- return PTR_ERR(ndst);
- dst_release(ndst);
diff --git a/x86-platform-goldfish-prevent-unconditional-loading.patch b/x86-platform-goldfish-prevent-unconditional-loading.patch
deleted file mode 100644
index 571e6a9..0000000
--- a/x86-platform-goldfish-prevent-unconditional-loading.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 47512cfd0d7a8bd6ab71d01cd89fca19eb2093eb Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner
-Date: Wed, 15 Feb 2017 11:11:50 +0100
-Subject: x86/platform/goldfish: Prevent unconditional loading
-
-From: Thomas Gleixner
-
-commit 47512cfd0d7a8bd6ab71d01cd89fca19eb2093eb upstream.
-
-The goldfish platform code registers the platform device unconditionally
-which causes havoc in several ways if the goldfish_pdev_bus driver is
-enabled:
-
- - Access to the hardcoded physical memory region, which is either not
- available or contains stuff which is completely unrelated.
-
- - Prevents that the interrupt of the serial port can be requested
-
- - In case of a spurious interrupt it goes into a infinite loop in the
- interrupt handler of the pdev_bus driver (which needs to be fixed
- seperately).
-
-Add a 'goldfish' command line option to make the registration opt-in when
-the platform is compiled in.
-
-I'm seriously grumpy about this engineering trainwreck, which has seven
-SOBs from Intel developers for 50 lines of code. And none of them figured
-out that this is broken. Impressive fail!
-
-Fixes: ddd70cf93d78 ("goldfish: platform device for x86")
-Reported-by: Gabriel C
-Signed-off-by: Thomas Gleixner
-Acked-by: Linus Torvalds
-Signed-off-by: Greg Kroah-Hartman
-
---
- Documentation/kernel-parameters.txt | 4 ++++
- arch/x86/platform/goldfish/goldfish.c | 14 +++++++++++++-
- 2 files changed, 17 insertions(+), 1 deletion(-)
-
---- a/Documentation/kernel-parameters.txt
-+++ b/Documentation/kernel-parameters.txt
-@@ -1391,6 +1391,10 @@ bytes respectively. Such letter suffixes
- When zero, profiling data is discarded and associated
- debugfs files are removed at module unload time.
-
-+ goldfish [X86] Enable the goldfish android emulator platform.
-+ Don't use this when you are not running on the
-+ android emulator
-+
- gpt [EFI] Forces disk with valid GPT signature but
- invalid Protective MBR to be treated as GPT. If the
- primary GPT is corrupted, it enables the backup/alternate
---- a/arch/x86/platform/goldfish/goldfish.c
-+++ b/arch/x86/platform/goldfish/goldfish.c
-@@ -42,10 +42,22 @@ static struct resource goldfish_pdev_bus
- }
- };
-
-+static bool goldfish_enable __initdata;
-+
-+static int __init goldfish_setup(char *str)
-+{
-+ goldfish_enable = true;
-+ return 0;
-+}
-+__setup("goldfish", goldfish_setup);
-+
- static int __init goldfish_init(void)
- {
-+ if (!goldfish_enable)
-+ return -ENODEV;
-+
- platform_device_register_simple("goldfish_pdev_bus", -1,
-- goldfish_pdev_bus_resources, 2);
-+ goldfish_pdev_bus_resources, 2);
- return 0;
- }
- device_initcall(goldfish_init);
diff --git a/xfs-clear-delalloc-and-cache-on-buffered-write-failure.patch b/xfs-clear-delalloc-and-cache-on-buffered-write-failure.patch
deleted file mode 100644
index 9f982cc..0000000
--- a/xfs-clear-delalloc-and-cache-on-buffered-write-failure.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From fa7f138ac4c70dc00519c124cf7cd4862a0a5b0e Mon Sep 17 00:00:00 2001
-From: Brian Foster
-Date: Thu, 16 Feb 2017 17:19:12 -0800
-Subject: xfs: clear delalloc and cache on buffered write failure
-
-From: Brian Foster
-
-commit fa7f138ac4c70dc00519c124cf7cd4862a0a5b0e upstream.
-
-The buffered write failure handling code in
-xfs_file_iomap_end_delalloc() has a couple minor problems. First, if
-written == 0, start_fsb is not rounded down and it fails to kill off a
-delalloc block if the start offset is block unaligned. This results in a
-lingering delalloc block and broken delalloc block accounting detected
-at unmount time. Fix this by rounding down start_fsb in the unlikely
-event that written == 0.
-
-Second, it is possible for a failed overwrite of a delalloc extent to
-leave dirty pagecache around over a hole in the file. This is because is
-possible to hit ->iomap_end() on write failure before the iomap code has
-attempted to allocate pagecache, and thus has no need to clean it up. If
-the targeted delalloc extent was successfully written by a previous
-write, however, then it does still have dirty pages when ->iomap_end()
-punches out the underlying blocks. This ultimately results in writeback
-over a hole. To fix this problem, unconditionally punch out the
-pagecache from XFS before the associated delalloc range.
-
-Signed-off-by: Brian Foster
-Reviewed-by: Christoph Hellwig
-Reviewed-by: Darrick J. Wong
-Signed-off-by: Darrick J. Wong
-Signed-off-by: Greg Kroah-Hartman
-
---
- fs/xfs/xfs_iomap.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
---- a/fs/xfs/xfs_iomap.c
-+++ b/fs/xfs/xfs_iomap.c
-@@ -1068,7 +1068,15 @@ xfs_file_iomap_end_delalloc(
- xfs_fileoff_t end_fsb;
- int error = 0;
-
-- start_fsb = XFS_B_TO_FSB(mp, offset + written);
-+ /*
-+ * start_fsb refers to the first unused block after a short write. If
-+ * nothing was written, round offset down to point at the first block in
-+ * the range.
-+ */
-+ if (unlikely(!written))
-+ start_fsb = XFS_B_TO_FSBT(mp, offset);
-+ else
-+ start_fsb = XFS_B_TO_FSB(mp, offset + written);
- end_fsb = XFS_B_TO_FSB(mp, offset + length);
-
- /*
-@@ -1080,6 +1088,9 @@ xfs_file_iomap_end_delalloc(
- * blocks in the range, they are ours.
- */
- if (start_fsb < end_fsb) {
-+ truncate_pagecache_range(VFS_I(ip), XFS_FSB_TO_B(mp, start_fsb),
-+ XFS_FSB_TO_B(mp, end_fsb) - 1);
-+
- xfs_ilock(ip, XFS_ILOCK_EXCL);
- error = xfs_bmap_punch_delalloc_range(ip, start_fsb,
- end_fsb - start_fsb);