From 3e203e9f797ed756cbd840f3490ba3e551b9ed15 Mon Sep 17 00:00:00 2001 From: Evgenii Shatokhin Date: Fri, 24 Feb 2017 22:32:57 +0300 Subject: [PATCH] Added patches from the stable queue --- ...restore-and-fix-intel-compiler-build.patch | 141 +++++++++++++ ...in-the-failure-path-of-cgwb_bdi_init.patch | 58 ++++++ ...g-skb-too-early-for-ipv6_recvpktinfo.patch | 48 +++++ ...anitize-the-broken-interrupt-handler.patch | 66 +++++++ ip-fix-ip_checksum-handling.patch | 49 +++++ ...ockdep-annotations-in-hashbin_delete.patch | 88 +++++++++ kcm-fix-0-length-case-for-kcm_sendmsg.patch | 107 ++++++++++ ...l-pointer-dereference-in-kcm_sendmsg.patch | 40 ++++ kernel.spec | 34 ++++ ...i-cpsw-fix-cpsw-assignment-in-resume.patch | 36 ++++ net-llc-avoid-bug_on-in-skb_orphan.patch | 57 ++++++ ...tion-when-doing-tc-statistics-upcall.patch | 48 +++++ ...delay_probe_time_update-notification.patch | 56 ++++++ ...-not-returning-error-from-sock_error.patch | 47 +++++ ...t-applying-default-helper-assignment.patch | 95 +++++++++ ...-fanout_release-from-atomic-contexts.patch | 186 ++++++++++++++++++ packet-fix-races-in-fanout_add.patch | 126 ++++++++++++ ...ng-fix-race-conditions-when-resizing.patch | 135 +++++++++++++ ...-leaking-when-doing-ifconfig-up-down.patch | 56 ++++++ tty-serial-msm-fix-module-autoload.patch | 48 +++++ ...fix-register-accessor-error-handling.patch | 46 +++++ ...l-console-fix-uninitialised-spinlock.patch | 38 ++++ ...10x-add-new-ids-for-ge-bx50v3-boards.patch | 31 +++ ...acceleport-fix-oob-data-sanity-check.patch | 53 +++++ ..._sio-fix-extreme-low-latency-setting.patch | 51 +++++ ...i_sio-fix-line-status-over-reporting.patch | 75 +++++++ ..._sio-fix-modem-status-error-handling.patch | 40 ++++ ...s7840-fix-another-null-deref-at-open.patch | 44 +++++ ...al-opticon-fix-cts-retrieval-at-open.patch | 36 ++++ ...al-spcp8x5-fix-modem-status-handling.patch | 50 +++++ vxlan-fix-oops-in-dev_fill_metadata_dst.patch | 63 ++++++ ...ldfish-prevent-unconditional-loading.patch | 79 ++++++++ ...-and-cache-on-buffered-write-failure.patch | 66 +++++++ 33 files changed, 2193 insertions(+) create mode 100644 acpica-linuxize-restore-and-fix-intel-compiler-build.patch create mode 100644 block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch create mode 100644 dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch create mode 100644 goldfish-sanitize-the-broken-interrupt-handler.patch create mode 100644 ip-fix-ip_checksum-handling.patch create mode 100644 irda-fix-lockdep-annotations-in-hashbin_delete.patch create mode 100644 kcm-fix-0-length-case-for-kcm_sendmsg.patch create mode 100644 kcm-fix-a-null-pointer-dereference-in-kcm_sendmsg.patch create mode 100644 net-ethernet-ti-cpsw-fix-cpsw-assignment-in-resume.patch create mode 100644 net-llc-avoid-bug_on-in-skb_orphan.patch create mode 100644 net-mlx5e-disable-preemption-when-doing-tc-statistics-upcall.patch create mode 100644 net-neigh-fix-netevent-netevent_delay_probe_time_update-notification.patch create mode 100644 net-socket-fix-recvmmsg-not-returning-error-from-sock_error.patch create mode 100644 netfilter-nf_ct_helper-warn-when-not-applying-default-helper-assignment.patch create mode 100644 packet-do-not-call-fanout_release-from-atomic-contexts.patch create mode 100644 packet-fix-races-in-fanout_add.patch create mode 100644 ptr_ring-fix-race-conditions-when-resizing.patch create mode 100644 rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch create mode 100644 tty-serial-msm-fix-module-autoload.patch create mode 100644 usb-serial-ark3116-fix-register-accessor-error-handling.patch create mode 100644 usb-serial-console-fix-uninitialised-spinlock.patch create mode 100644 usb-serial-cp210x-add-new-ids-for-ge-bx50v3-boards.patch create mode 100644 usb-serial-digi_acceleport-fix-oob-data-sanity-check.patch create mode 100644 usb-serial-ftdi_sio-fix-extreme-low-latency-setting.patch create mode 100644 usb-serial-ftdi_sio-fix-line-status-over-reporting.patch create mode 100644 usb-serial-ftdi_sio-fix-modem-status-error-handling.patch create mode 100644 usb-serial-mos7840-fix-another-null-deref-at-open.patch create mode 100644 usb-serial-opticon-fix-cts-retrieval-at-open.patch create mode 100644 usb-serial-spcp8x5-fix-modem-status-handling.patch create mode 100644 vxlan-fix-oops-in-dev_fill_metadata_dst.patch create mode 100644 x86-platform-goldfish-prevent-unconditional-loading.patch create mode 100644 xfs-clear-delalloc-and-cache-on-buffered-write-failure.patch diff --git a/acpica-linuxize-restore-and-fix-intel-compiler-build.patch b/acpica-linuxize-restore-and-fix-intel-compiler-build.patch new file mode 100644 index 0000000..15bd924 --- /dev/null +++ b/acpica-linuxize-restore-and-fix-intel-compiler-build.patch @@ -0,0 +1,141 @@ +From ffab9188e444854882dbc291500d576d6bad7b7b Mon Sep 17 00:00:00 2001 +From: Lv Zheng +Date: Wed, 8 Feb 2017 11:00:01 +0800 +Subject: ACPICA: Linuxize: Restore and fix Intel compiler build + +From: Lv Zheng + +commit ffab9188e444854882dbc291500d576d6bad7b7b upstream. + +ACPICA commit b59347d0b8b676cb555fe8da5cad08fcd4eeb0d3 + +The following commit cleans up compiler specific inclusions: + + Commit: 9fa1cebdbfff3db8953cebca8ee327d75edefc40 + Subject: ACPICA: OSL: Cleanup the inclusion order of the compiler-specific headers + +But breaks one thing due to the following old issue: + + Buidling Linux kernel with Intel compiler originally depends on acgcc.h + not acintel.h. + +So after making Intel compiler build working in ACPICA upstream by +correctly using acintel.h, it becomes unable to build Linux kernel using +Intel compiler as there is no acintel.h in the kernel source tree. + +This patch releases acintel.h to Linux kernel and fixes its inclusion in +acenv.h. + +Fixes: 9fa1cebdbfff (ACPICA: OSL: Cleanup the inclusion order of the compiler-specific headers) +Link: https://github.com/acpica/acpica/commit/b59347d0 +Tested-by: Stepan M Mishura +Signed-off-by: Lv Zheng +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + include/acpi/platform/acenv.h | 2 + include/acpi/platform/acintel.h | 87 ++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 88 insertions(+), 1 deletion(-) + +--- a/include/acpi/platform/acenv.h ++++ b/include/acpi/platform/acenv.h +@@ -177,7 +177,7 @@ + #include "acmsvc.h" + + #elif defined(__INTEL_COMPILER) +-#include "acintel.h" ++#include + + #endif + +--- /dev/null ++++ b/include/acpi/platform/acintel.h +@@ -0,0 +1,87 @@ ++/****************************************************************************** ++ * ++ * Name: acintel.h - VC specific defines, etc. ++ * ++ *****************************************************************************/ ++ ++/* ++ * Copyright (C) 2000 - 2017, Intel Corp. ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions, and the following disclaimer, ++ * without modification. ++ * 2. Redistributions in binary form must reproduce at minimum a disclaimer ++ * substantially similar to the "NO WARRANTY" disclaimer below ++ * ("Disclaimer") and any redistribution must be conditioned upon ++ * including a substantially similar Disclaimer requirement for further ++ * binary redistribution. ++ * 3. Neither the names of the above-listed copyright holders nor the names ++ * of any contributors may be used to endorse or promote products derived ++ * from this software without specific prior written permission. ++ * ++ * Alternatively, this software may be distributed under the terms of the ++ * GNU General Public License ("GPL") version 2 as published by the Free ++ * Software Foundation. ++ * ++ * NO WARRANTY ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR ++ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT ++ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING ++ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++ * POSSIBILITY OF SUCH DAMAGES. ++ */ ++ ++#ifndef __ACINTEL_H__ ++#define __ACINTEL_H__ ++ ++/* ++ * Use compiler specific is a good practice for even when ++ * -nostdinc is specified (i.e., ACPI_USE_STANDARD_HEADERS undefined. ++ */ ++#include ++ ++/* Configuration specific to Intel 64-bit C compiler */ ++ ++#define COMPILER_DEPENDENT_INT64 __int64 ++#define COMPILER_DEPENDENT_UINT64 unsigned __int64 ++#define ACPI_INLINE __inline ++ ++/* ++ * Calling conventions: ++ * ++ * ACPI_SYSTEM_XFACE - Interfaces to host OS (handlers, threads) ++ * ACPI_EXTERNAL_XFACE - External ACPI interfaces ++ * ACPI_INTERNAL_XFACE - Internal ACPI interfaces ++ * ACPI_INTERNAL_VAR_XFACE - Internal variable-parameter list interfaces ++ */ ++#define ACPI_SYSTEM_XFACE ++#define ACPI_EXTERNAL_XFACE ++#define ACPI_INTERNAL_XFACE ++#define ACPI_INTERNAL_VAR_XFACE ++ ++/* remark 981 - operands evaluated in no particular order */ ++#pragma warning(disable:981) ++ ++/* warn C4100: unreferenced formal parameter */ ++#pragma warning(disable:4100) ++ ++/* warn C4127: conditional expression is constant */ ++#pragma warning(disable:4127) ++ ++/* warn C4706: assignment within conditional expression */ ++#pragma warning(disable:4706) ++ ++/* warn C4214: bit field types other than int */ ++#pragma warning(disable:4214) ++ ++#endif /* __ACINTEL_H__ */ diff --git a/block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch b/block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch new file mode 100644 index 0000000..e23333b --- /dev/null +++ b/block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch @@ -0,0 +1,58 @@ +From 5f478e4ea5c5560b4e40eb136991a09f9389f331 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Wed, 8 Feb 2017 15:19:07 -0500 +Subject: block: fix double-free in the failure path of cgwb_bdi_init() + +From: Tejun Heo + +commit 5f478e4ea5c5560b4e40eb136991a09f9389f331 upstream. + +When !CONFIG_CGROUP_WRITEBACK, bdi has single bdi_writeback_congested +at bdi->wb_congested. cgwb_bdi_init() allocates it with kzalloc() and +doesn't do further initialization. This usually works fine as the +reference count gets bumped to 1 by wb_init() and the put from +wb_exit() releases it. + +However, when wb_init() fails, it puts the wb base ref automatically +freeing the wb and the explicit kfree() in cgwb_bdi_init() error path +ends up trying to free the same pointer the second time causing a +double-free. + +Fix it by explicitly initilizing the refcnt to 1 and putting the base +ref from cgwb_bdi_destroy(). + +Signed-off-by: Tejun Heo +Reported-by: Dmitry Vyukov +Fixes: a13f35e87140 ("writeback: don't embed root bdi_writeback_congested in bdi_writeback") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + mm/backing-dev.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/mm/backing-dev.c ++++ b/mm/backing-dev.c +@@ -757,15 +757,20 @@ static int cgwb_bdi_init(struct backing_ + if (!bdi->wb_congested) + return -ENOMEM; + ++ atomic_set(&bdi->wb_congested->refcnt, 1); ++ + err = wb_init(&bdi->wb, bdi, 1, GFP_KERNEL); + if (err) { +- kfree(bdi->wb_congested); ++ wb_congested_put(bdi->wb_congested); + return err; + } + return 0; + } + +-static void cgwb_bdi_destroy(struct backing_dev_info *bdi) { } ++static void cgwb_bdi_destroy(struct backing_dev_info *bdi) ++{ ++ wb_congested_put(bdi->wb_congested); ++} + + #endif /* CONFIG_CGROUP_WRITEBACK */ + diff --git a/dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch b/dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch new file mode 100644 index 0000000..1845f4d --- /dev/null +++ b/dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch @@ -0,0 +1,48 @@ +From foo@baz Thu Feb 23 21:13:05 CET 2017 +From: Andrey Konovalov +Date: Thu, 16 Feb 2017 17:22:46 +0100 +Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO + +From: Andrey Konovalov + + +[ Upstream commit 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 ] + +In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet +is forcibly freed via __kfree_skb in dccp_rcv_state_process if +dccp_v6_conn_request successfully returns. + +However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb +is saved to ireq->pktopts and the ref count for skb is incremented in +dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed +in dccp_rcv_state_process. + +Fix by calling consume_skb instead of doing goto discard and therefore +calling __kfree_skb. + +Similar fixes for TCP: + +fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed. +0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now +simply consumed + +Signed-off-by: Andrey Konovalov +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dccp/input.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/dccp/input.c ++++ b/net/dccp/input.c +@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock * + if (inet_csk(sk)->icsk_af_ops->conn_request(sk, + skb) < 0) + return 1; +- goto discard; ++ consume_skb(skb); ++ return 0; + } + if (dh->dccph_type == DCCP_PKT_RESET) + goto discard; diff --git a/goldfish-sanitize-the-broken-interrupt-handler.patch b/goldfish-sanitize-the-broken-interrupt-handler.patch new file mode 100644 index 0000000..54bd310 --- /dev/null +++ b/goldfish-sanitize-the-broken-interrupt-handler.patch @@ -0,0 +1,66 @@ +From 6cf18e6927c0b224f972e3042fb85770d63cb9f8 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Wed, 15 Feb 2017 11:11:51 +0100 +Subject: goldfish: Sanitize the broken interrupt handler + +From: Thomas Gleixner + +commit 6cf18e6927c0b224f972e3042fb85770d63cb9f8 upstream. + +This interrupt handler is broken in several ways: + + - It loops forever when the op code is not decodeable + + - It never returns IRQ_HANDLED because the only way to exit the loop + returns IRQ_NONE unconditionally. + +The whole concept of this is broken. Creating devices in an interrupt +handler is beyond any point of sanity. + +Make it at least behave halfways sane so accidental users do not have to +deal with a hard to debug lockup. + +Fixes: e809c22b8fb028 ("goldfish: add the goldfish virtual bus") +Reported-by: Gabriel C +Signed-off-by: Thomas Gleixner +Acked-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/platform/goldfish/pdev_bus.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/platform/goldfish/pdev_bus.c ++++ b/drivers/platform/goldfish/pdev_bus.c +@@ -157,23 +157,26 @@ static int goldfish_new_pdev(void) + static irqreturn_t goldfish_pdev_bus_interrupt(int irq, void *dev_id) + { + irqreturn_t ret = IRQ_NONE; ++ + while (1) { + u32 op = readl(pdev_bus_base + PDEV_BUS_OP); +- switch (op) { +- case PDEV_BUS_OP_DONE: +- return IRQ_NONE; + ++ switch (op) { + case PDEV_BUS_OP_REMOVE_DEV: + goldfish_pdev_remove(); ++ ret = IRQ_HANDLED; + break; + + case PDEV_BUS_OP_ADD_DEV: + goldfish_new_pdev(); ++ ret = IRQ_HANDLED; + break; ++ ++ case PDEV_BUS_OP_DONE: ++ default: ++ return ret; + } +- ret = IRQ_HANDLED; + } +- return ret; + } + + static int goldfish_pdev_bus_probe(struct platform_device *pdev) diff --git a/ip-fix-ip_checksum-handling.patch b/ip-fix-ip_checksum-handling.patch new file mode 100644 index 0000000..d9b6353 --- /dev/null +++ b/ip-fix-ip_checksum-handling.patch @@ -0,0 +1,49 @@ +From foo@baz Thu Feb 23 21:13:05 CET 2017 +From: Paolo Abeni +Date: Tue, 21 Feb 2017 09:33:18 +0100 +Subject: ip: fix IP_CHECKSUM handling + +From: Paolo Abeni + + +[ Upstream commit ca4ef4574f1ee5252e2cd365f8f5d5bafd048f32 ] + +The skbs processed by ip_cmsg_recv() are not guaranteed to +be linear e.g. when sending UDP packets over loopback with +MSGMORE. +Using csum_partial() on [potentially] the whole skb len +is dangerous; instead be on the safe side and use skb_checksum(). + +Thanks to syzkaller team to detect the issue and provide the +reproducer. + +v1 -> v2: + - move the variable declaration in a tighter scope + +Fixes: ad6f939ab193 ("ip: Add offset parameter to ip_cmsg_recv") +Reported-by: Andrey Konovalov +Signed-off-by: Paolo Abeni +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_sockglue.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -105,10 +105,10 @@ static void ip_cmsg_recv_checksum(struct + if (skb->ip_summed != CHECKSUM_COMPLETE) + return; + +- if (offset != 0) +- csum = csum_sub(csum, +- csum_partial(skb_transport_header(skb) + tlen, +- offset, 0)); ++ if (offset != 0) { ++ int tend_off = skb_transport_offset(skb) + tlen; ++ csum = csum_sub(csum, skb_checksum(skb, tend_off, offset, 0)); ++ } + + put_cmsg(msg, SOL_IP, IP_CHECKSUM, sizeof(__wsum), &csum); + } diff --git a/irda-fix-lockdep-annotations-in-hashbin_delete.patch b/irda-fix-lockdep-annotations-in-hashbin_delete.patch new file mode 100644 index 0000000..f494444 --- /dev/null +++ b/irda-fix-lockdep-annotations-in-hashbin_delete.patch @@ -0,0 +1,88 @@ +From foo@baz Thu Feb 23 21:13:05 CET 2017 +From: "David S. Miller" +Date: Fri, 17 Feb 2017 16:19:39 -0500 +Subject: irda: Fix lockdep annotations in hashbin_delete(). + +From: "David S. Miller" + + +[ Upstream commit 4c03b862b12f980456f9de92db6d508a4999b788 ] + +A nested lock depth was added to the hasbin_delete() code but it +doesn't actually work some well and results in tons of lockdep splats. + +Fix the code instead to properly drop the lock around the operation +and just keep peeking the head of the hashbin queue. + +Reported-by: Dmitry Vyukov +Tested-by: Dmitry Vyukov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/irda/irqueue.c | 34 ++++++++++++++++------------------ + 1 file changed, 16 insertions(+), 18 deletions(-) + +--- a/net/irda/irqueue.c ++++ b/net/irda/irqueue.c +@@ -383,9 +383,6 @@ EXPORT_SYMBOL(hashbin_new); + * for deallocating this structure if it's complex. If not the user can + * just supply kfree, which should take care of the job. + */ +-#ifdef CONFIG_LOCKDEP +-static int hashbin_lock_depth = 0; +-#endif + int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func) + { + irda_queue_t* queue; +@@ -396,22 +393,27 @@ int hashbin_delete( hashbin_t* hashbin, + IRDA_ASSERT(hashbin->magic == HB_MAGIC, return -1;); + + /* Synchronize */ +- if ( hashbin->hb_type & HB_LOCK ) { +- spin_lock_irqsave_nested(&hashbin->hb_spinlock, flags, +- hashbin_lock_depth++); +- } ++ if (hashbin->hb_type & HB_LOCK) ++ spin_lock_irqsave(&hashbin->hb_spinlock, flags); + + /* + * Free the entries in the hashbin, TODO: use hashbin_clear when + * it has been shown to work + */ + for (i = 0; i < HASHBIN_SIZE; i ++ ) { +- queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]); +- while (queue ) { +- if (free_func) +- (*free_func)(queue); +- queue = dequeue_first( +- (irda_queue_t**) &hashbin->hb_queue[i]); ++ while (1) { ++ queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]); ++ ++ if (!queue) ++ break; ++ ++ if (free_func) { ++ if (hashbin->hb_type & HB_LOCK) ++ spin_unlock_irqrestore(&hashbin->hb_spinlock, flags); ++ free_func(queue); ++ if (hashbin->hb_type & HB_LOCK) ++ spin_lock_irqsave(&hashbin->hb_spinlock, flags); ++ } + } + } + +@@ -420,12 +422,8 @@ int hashbin_delete( hashbin_t* hashbin, + hashbin->magic = ~HB_MAGIC; + + /* Release lock */ +- if ( hashbin->hb_type & HB_LOCK) { ++ if (hashbin->hb_type & HB_LOCK) + spin_unlock_irqrestore(&hashbin->hb_spinlock, flags); +-#ifdef CONFIG_LOCKDEP +- hashbin_lock_depth--; +-#endif +- } + + /* + * Free the hashbin structure diff --git a/kcm-fix-0-length-case-for-kcm_sendmsg.patch b/kcm-fix-0-length-case-for-kcm_sendmsg.patch new file mode 100644 index 0000000..1ec7b66 --- /dev/null +++ b/kcm-fix-0-length-case-for-kcm_sendmsg.patch @@ -0,0 +1,107 @@ +From foo@baz Thu Feb 23 21:13:05 CET 2017 +From: WANG Cong +Date: Tue, 7 Feb 2017 12:59:47 -0800 +Subject: kcm: fix 0-length case for kcm_sendmsg() + +From: WANG Cong + + +[ Upstream commit 98e3862ca2b1ae595a13805dcab4c3a6d7718f4d ] + +Dmitry reported a kernel warning: + + WARNING: CPU: 3 PID: 2936 at net/kcm/kcmsock.c:627 + kcm_write_msgs+0x12e3/0x1b90 net/kcm/kcmsock.c:627 + CPU: 3 PID: 2936 Comm: a.out Not tainted 4.10.0-rc6+ #209 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + Call Trace: + __dump_stack lib/dump_stack.c:15 [inline] + dump_stack+0x2ee/0x3ef lib/dump_stack.c:51 + panic+0x1fb/0x412 kernel/panic.c:179 + __warn+0x1c4/0x1e0 kernel/panic.c:539 + warn_slowpath_null+0x2c/0x40 kernel/panic.c:582 + kcm_write_msgs+0x12e3/0x1b90 net/kcm/kcmsock.c:627 + kcm_sendmsg+0x163a/0x2200 net/kcm/kcmsock.c:1029 + sock_sendmsg_nosec net/socket.c:635 [inline] + sock_sendmsg+0xca/0x110 net/socket.c:645 + sock_write_iter+0x326/0x600 net/socket.c:848 + new_sync_write fs/read_write.c:499 [inline] + __vfs_write+0x483/0x740 fs/read_write.c:512 + vfs_write+0x187/0x530 fs/read_write.c:560 + SYSC_write fs/read_write.c:607 [inline] + SyS_write+0xfb/0x230 fs/read_write.c:599 + entry_SYSCALL_64_fastpath+0x1f/0xc2 + +when calling syscall(__NR_write, sock2, 0x208aaf27ul, 0x0ul) on a KCM +seqpacket socket. It appears that kcm_sendmsg() does not handle len==0 +case correctly, which causes an empty skb is allocated and queued. +Fix this by skipping the skb allocation for len==0 case. + +Reported-by: Dmitry Vyukov +Cc: Tom Herbert +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/kcm/kcmsock.c | 40 ++++++++++++++++++++++------------------ + 1 file changed, 22 insertions(+), 18 deletions(-) + +--- a/net/kcm/kcmsock.c ++++ b/net/kcm/kcmsock.c +@@ -929,23 +929,25 @@ static int kcm_sendmsg(struct socket *so + goto out_error; + } + +- /* New message, alloc head skb */ +- head = alloc_skb(0, sk->sk_allocation); +- while (!head) { +- kcm_push(kcm); +- err = sk_stream_wait_memory(sk, &timeo); +- if (err) +- goto out_error; +- ++ if (msg_data_left(msg)) { ++ /* New message, alloc head skb */ + head = alloc_skb(0, sk->sk_allocation); +- } ++ while (!head) { ++ kcm_push(kcm); ++ err = sk_stream_wait_memory(sk, &timeo); ++ if (err) ++ goto out_error; + +- skb = head; ++ head = alloc_skb(0, sk->sk_allocation); ++ } + +- /* Set ip_summed to CHECKSUM_UNNECESSARY to avoid calling +- * csum_and_copy_from_iter from skb_do_copy_data_nocache. +- */ +- skb->ip_summed = CHECKSUM_UNNECESSARY; ++ skb = head; ++ ++ /* Set ip_summed to CHECKSUM_UNNECESSARY to avoid calling ++ * csum_and_copy_from_iter from skb_do_copy_data_nocache. ++ */ ++ skb->ip_summed = CHECKSUM_UNNECESSARY; ++ } + + start: + while (msg_data_left(msg)) { +@@ -1018,10 +1020,12 @@ wait_for_memory: + if (eor) { + bool not_busy = skb_queue_empty(&sk->sk_write_queue); + +- /* Message complete, queue it on send buffer */ +- __skb_queue_tail(&sk->sk_write_queue, head); +- kcm->seq_skb = NULL; +- KCM_STATS_INCR(kcm->stats.tx_msgs); ++ if (head) { ++ /* Message complete, queue it on send buffer */ ++ __skb_queue_tail(&sk->sk_write_queue, head); ++ kcm->seq_skb = NULL; ++ KCM_STATS_INCR(kcm->stats.tx_msgs); ++ } + + if (msg->msg_flags & MSG_BATCH) { + kcm->tx_wait_more = true; diff --git a/kcm-fix-a-null-pointer-dereference-in-kcm_sendmsg.patch b/kcm-fix-a-null-pointer-dereference-in-kcm_sendmsg.patch new file mode 100644 index 0000000..6429e2c --- /dev/null +++ b/kcm-fix-a-null-pointer-dereference-in-kcm_sendmsg.patch @@ -0,0 +1,40 @@ +From foo@baz Thu Feb 23 21:13:05 CET 2017 +From: WANG Cong +Date: Mon, 13 Feb 2017 11:13:16 -0800 +Subject: kcm: fix a null pointer dereference in kcm_sendmsg() + +From: WANG Cong + + +[ Upstream commit cd27b96bc13841ee7af25837a6ae86fee87273d6 ] + +In commit 98e3862ca2b1 ("kcm: fix 0-length case for kcm_sendmsg()") +I tried to avoid skb allocation for 0-length case, but missed +a check for NULL pointer in the non EOR case. + +Fixes: 98e3862ca2b1 ("kcm: fix 0-length case for kcm_sendmsg()") +Reported-by: Dmitry Vyukov +Cc: Tom Herbert +Signed-off-by: Cong Wang +Acked-by: Tom Herbert +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/kcm/kcmsock.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/kcm/kcmsock.c ++++ b/net/kcm/kcmsock.c +@@ -1044,8 +1044,10 @@ wait_for_memory: + } else { + /* Message not complete, save state */ + partial_message: +- kcm->seq_skb = head; +- kcm_tx_msg(head)->last_skb = skb; ++ if (head) { ++ kcm->seq_skb = head; ++ kcm_tx_msg(head)->last_skb = skb; ++ } + } + + KCM_STATS_ADD(kcm->stats.tx_bytes, copied); diff --git a/kernel.spec b/kernel.spec index e40519e..f0d4cf1 100644 --- a/kernel.spec +++ b/kernel.spec @@ -211,6 +211,40 @@ Patch114: 0004-Turn-into-BFQ-v8r7-for-4.9.0.patch # http://bugs.rosalinux.ru/show_bug.cgi?id=7533 Patch200: i915_hack_bug_97822.patch +# Stable patch queue +Patch300: kcm-fix-0-length-case-for-kcm_sendmsg.patch +Patch301: kcm-fix-a-null-pointer-dereference-in-kcm_sendmsg.patch +Patch302: net-mlx5e-disable-preemption-when-doing-tc-statistics-upcall.patch +Patch303: net-llc-avoid-bug_on-in-skb_orphan.patch +Patch304: net-ethernet-ti-cpsw-fix-cpsw-assignment-in-resume.patch +Patch305: packet-fix-races-in-fanout_add.patch +Patch306: packet-do-not-call-fanout_release-from-atomic-contexts.patch +Patch307: net-neigh-fix-netevent-netevent_delay_probe_time_update-notification.patch +Patch308: dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch +Patch309: vxlan-fix-oops-in-dev_fill_metadata_dst.patch +Patch310: irda-fix-lockdep-annotations-in-hashbin_delete.patch +Patch311: ptr_ring-fix-race-conditions-when-resizing.patch +Patch312: ip-fix-ip_checksum-handling.patch +Patch313: net-socket-fix-recvmmsg-not-returning-error-from-sock_error.patch +Patch314: tty-serial-msm-fix-module-autoload.patch +Patch315: usb-serial-mos7840-fix-another-null-deref-at-open.patch +Patch316: usb-serial-cp210x-add-new-ids-for-ge-bx50v3-boards.patch +Patch317: usb-serial-ftdi_sio-fix-modem-status-error-handling.patch +Patch318: usb-serial-ftdi_sio-fix-extreme-low-latency-setting.patch +Patch319: usb-serial-ftdi_sio-fix-line-status-over-reporting.patch +Patch320: usb-serial-digi_acceleport-fix-oob-data-sanity-check.patch +Patch321: usb-serial-spcp8x5-fix-modem-status-handling.patch +Patch322: usb-serial-opticon-fix-cts-retrieval-at-open.patch +Patch323: usb-serial-ark3116-fix-register-accessor-error-handling.patch +Patch324: usb-serial-console-fix-uninitialised-spinlock.patch +Patch325: x86-platform-goldfish-prevent-unconditional-loading.patch +Patch326: goldfish-sanitize-the-broken-interrupt-handler.patch +Patch327: netfilter-nf_ct_helper-warn-when-not-applying-default-helper-assignment.patch +Patch328: acpica-linuxize-restore-and-fix-intel-compiler-build.patch +Patch329: block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch +Patch330: rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch +Patch331: xfs-clear-delalloc-and-cache-on-buffered-write-failure.patch + # Sanitizing kernel memory # We do not use "Patch:" here because apply_patches would always apply it # then, it seems, even if we place "Patch: <..>" under a conditional. diff --git a/net-ethernet-ti-cpsw-fix-cpsw-assignment-in-resume.patch b/net-ethernet-ti-cpsw-fix-cpsw-assignment-in-resume.patch new file mode 100644 index 0000000..60a8225 --- /dev/null +++ b/net-ethernet-ti-cpsw-fix-cpsw-assignment-in-resume.patch @@ -0,0 +1,36 @@ +From foo@baz Thu Feb 23 21:13:05 CET 2017 +From: Ivan Khoronzhuk +Date: Tue, 14 Feb 2017 14:42:15 +0200 +Subject: net: ethernet: ti: cpsw: fix cpsw assignment in resume + +From: Ivan Khoronzhuk + + +[ Upstream commit a60ced990e309666915d21445e95347d12406694 ] + +There is a copy-paste error, which hides breaking of resume +for CPSW driver: there was replaced netdev_priv() to ndev_to_cpsw(ndev) +in suspend, but left it unchanged in resume. + +Fixes: 606f39939595a4d4540406bfc11f265b2036af6d +(ti: cpsw: move platform data and slaves info to cpsw_common) + +Reported-by: Alexey Starikovskiy +Signed-off-by: Ivan Khoronzhuk +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/cpsw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/ti/cpsw.c ++++ b/drivers/net/ethernet/ti/cpsw.c +@@ -2925,7 +2925,7 @@ static int cpsw_resume(struct device *de + { + struct platform_device *pdev = to_platform_device(dev); + struct net_device *ndev = platform_get_drvdata(pdev); +- struct cpsw_common *cpsw = netdev_priv(ndev); ++ struct cpsw_common *cpsw = ndev_to_cpsw(ndev); + + /* Select default pin state */ + pinctrl_pm_select_default_state(dev); diff --git a/net-llc-avoid-bug_on-in-skb_orphan.patch b/net-llc-avoid-bug_on-in-skb_orphan.patch new file mode 100644 index 0000000..3e110c9 --- /dev/null +++ b/net-llc-avoid-bug_on-in-skb_orphan.patch @@ -0,0 +1,57 @@ +From foo@baz Thu Feb 23 21:13:05 CET 2017 +From: Eric Dumazet +Date: Sun, 12 Feb 2017 14:03:52 -0800 +Subject: net/llc: avoid BUG_ON() in skb_orphan() + +From: Eric Dumazet + + +[ Upstream commit 8b74d439e1697110c5e5c600643e823eb1dd0762 ] + +It seems nobody used LLC since linux-3.12. + +Fortunately fuzzers like syzkaller still know how to run this code, +otherwise it would be no fun. + +Setting skb->sk without skb->destructor leads to all kinds of +bugs, we now prefer to be very strict about it. + +Ideally here we would use skb_set_owner() but this helper does not exist yet, +only CAN seems to have a private helper for that. + +Fixes: 376c7311bdb6 ("net: add a temporary sanity check in skb_orphan()") +Signed-off-by: Eric Dumazet +Reported-by: Andrey Konovalov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/llc/llc_conn.c | 3 +++ + net/llc/llc_sap.c | 3 +++ + 2 files changed, 6 insertions(+) + +--- a/net/llc/llc_conn.c ++++ b/net/llc/llc_conn.c +@@ -821,7 +821,10 @@ void llc_conn_handler(struct llc_sap *sa + * another trick required to cope with how the PROCOM state + * machine works. -acme + */ ++ skb_orphan(skb); ++ sock_hold(sk); + skb->sk = sk; ++ skb->destructor = sock_efree; + } + if (!sock_owned_by_user(sk)) + llc_conn_rcv(sk, skb); +--- a/net/llc/llc_sap.c ++++ b/net/llc/llc_sap.c +@@ -290,7 +290,10 @@ static void llc_sap_rcv(struct llc_sap * + + ev->type = LLC_SAP_EV_TYPE_PDU; + ev->reason = 0; ++ skb_orphan(skb); ++ sock_hold(sk); + skb->sk = sk; ++ skb->destructor = sock_efree; + llc_sap_state_process(sap, skb); + } + diff --git a/net-mlx5e-disable-preemption-when-doing-tc-statistics-upcall.patch b/net-mlx5e-disable-preemption-when-doing-tc-statistics-upcall.patch new file mode 100644 index 0000000..cfe2cd7 --- /dev/null +++ b/net-mlx5e-disable-preemption-when-doing-tc-statistics-upcall.patch @@ -0,0 +1,48 @@ +From foo@baz Thu Feb 23 21:13:05 CET 2017 +From: Or Gerlitz +Date: Sun, 12 Feb 2017 11:21:31 +0200 +Subject: net/mlx5e: Disable preemption when doing TC statistics upcall + +From: Or Gerlitz + + +[ Upstream commit fed06ee89b78d3af32e235e0e89ad0d946fcb95d ] + +When called by HW offloading drivers, the TC action (e.g +net/sched/act_mirred.c) code uses this_cpu logic, e.g + + _bstats_cpu_update(this_cpu_ptr(a->cpu_bstats), bytes, packets) + +per the kernel documention, preemption should be disabled, add that. + +Before the fix, when running with CONFIG_PREEMPT set, we get a + +BUG: using smp_processor_id() in preemptible [00000000] code: tc/3793 + +asserion from the TC action (mirred) stats_update callback. + +Fixes: aad7e08d39bd ('net/mlx5e: Hardware offloaded flower filter statistics support') +Signed-off-by: Or Gerlitz +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -567,10 +567,14 @@ int mlx5e_stats_flower(struct mlx5e_priv + + mlx5_fc_query_cached(counter, &bytes, &packets, &lastuse); + ++ preempt_disable(); ++ + tcf_exts_to_list(f->exts, &actions); + list_for_each_entry(a, &actions, list) + tcf_action_stats_update(a, bytes, packets, lastuse); + ++ preempt_enable(); ++ + return 0; + } + diff --git a/net-neigh-fix-netevent-netevent_delay_probe_time_update-notification.patch b/net-neigh-fix-netevent-netevent_delay_probe_time_update-notification.patch new file mode 100644 index 0000000..359a5ac --- /dev/null +++ b/net-neigh-fix-netevent-netevent_delay_probe_time_update-notification.patch @@ -0,0 +1,56 @@ +From foo@baz Thu Feb 23 21:13:05 CET 2017 +From: Marcus Huewe +Date: Wed, 15 Feb 2017 01:00:36 +0100 +Subject: net: neigh: Fix netevent NETEVENT_DELAY_PROBE_TIME_UPDATE notification + +From: Marcus Huewe + + +[ Upstream commit 7627ae6030f56a9a91a5b3867b21f35d79c16e64 ] + +When setting a neigh related sysctl parameter, we always send a +NETEVENT_DELAY_PROBE_TIME_UPDATE netevent. For instance, when +executing + + sysctl net.ipv6.neigh.wlp3s0.retrans_time_ms=2000 + +a NETEVENT_DELAY_PROBE_TIME_UPDATE netevent is generated. + +This is caused by commit 2a4501ae18b5 ("neigh: Send a +notification when DELAY_PROBE_TIME changes"). According to the +commit's description, it was intended to generate such an event +when setting the "delay_first_probe_time" sysctl parameter. + +In order to fix this, only generate this event when actually +setting the "delay_first_probe_time" sysctl parameter. This fix +should not have any unintended side-effects, because all but one +registered netevent callbacks check for other netevent event +types (the registered callbacks were obtained by grepping for +"register_netevent_notifier"). The only callback that uses the +NETEVENT_DELAY_PROBE_TIME_UPDATE event is +mlxsw_sp_router_netevent_event() (in +drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c): in case +of this event, it only accesses the DELAY_PROBE_TIME of the +passed neigh_parms. + +Fixes: 2a4501ae18b5 ("neigh: Send a notification when DELAY_PROBE_TIME changes") +Signed-off-by: Marcus Huewe +Reviewed-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/neighbour.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -2927,7 +2927,8 @@ static void neigh_proc_update(struct ctl + return; + + set_bit(index, p->data_state); +- call_netevent_notifiers(NETEVENT_DELAY_PROBE_TIME_UPDATE, p); ++ if (index == NEIGH_VAR_DELAY_PROBE_TIME) ++ call_netevent_notifiers(NETEVENT_DELAY_PROBE_TIME_UPDATE, p); + if (!dev) /* NULL dev means this is default value */ + neigh_copy_dflt_parms(net, p, index); + } diff --git a/net-socket-fix-recvmmsg-not-returning-error-from-sock_error.patch b/net-socket-fix-recvmmsg-not-returning-error-from-sock_error.patch new file mode 100644 index 0000000..88ae276 --- /dev/null +++ b/net-socket-fix-recvmmsg-not-returning-error-from-sock_error.patch @@ -0,0 +1,47 @@ +From foo@baz Thu Feb 23 21:13:05 CET 2017 +From: Maxime Jayat +Date: Tue, 21 Feb 2017 18:35:51 +0100 +Subject: net: socket: fix recvmmsg not returning error from sock_error + +From: Maxime Jayat + + +[ Upstream commit e623a9e9dec29ae811d11f83d0074ba254aba374 ] + +Commit 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path"), +changed the exit path of recvmmsg to always return the datagrams +variable and modified the error paths to set the variable to the error +code returned by recvmsg if necessary. + +However in the case sock_error returned an error, the error code was +then ignored, and recvmmsg returned 0. + +Change the error path of recvmmsg to correctly return the error code +of sock_error. + +The bug was triggered by using recvmmsg on a CAN interface which was +not up. Linux 4.6 and later return 0 in this case while earlier +releases returned -ENETDOWN. + +Fixes: 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path") +Signed-off-by: Maxime Jayat +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/socket.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/socket.c ++++ b/net/socket.c +@@ -2197,8 +2197,10 @@ int __sys_recvmmsg(int fd, struct mmsghd + return err; + + err = sock_error(sock->sk); +- if (err) ++ if (err) { ++ datagrams = err; + goto out_put; ++ } + + entry = mmsg; + compat_entry = (struct compat_mmsghdr __user *)mmsg; diff --git a/netfilter-nf_ct_helper-warn-when-not-applying-default-helper-assignment.patch b/netfilter-nf_ct_helper-warn-when-not-applying-default-helper-assignment.patch new file mode 100644 index 0000000..3052666 --- /dev/null +++ b/netfilter-nf_ct_helper-warn-when-not-applying-default-helper-assignment.patch @@ -0,0 +1,95 @@ +From dfe75ff8ca74f54b0fa5a326a1aa9afa485ed802 Mon Sep 17 00:00:00 2001 +From: Jiri Kosina +Date: Wed, 1 Feb 2017 21:01:54 +0100 +Subject: netfilter: nf_ct_helper: warn when not applying default helper assignment + +From: Jiri Kosina + +commit dfe75ff8ca74f54b0fa5a326a1aa9afa485ed802 upstream. + +Commit 3bb398d925 ("netfilter: nf_ct_helper: disable automatic helper +assignment") is causing behavior regressions in firewalls, as traffic +handled by conntrack helpers is now by default not passed through even +though it was before due to missing CT targets (which were not necessary +before this commit). + +The default had to be switched off due to security reasons [1] [2] and +therefore should stay the way it is, but let's be friendly to firewall +admins and issue a warning the first time we're in situation where packet +would be likely passed through with the old default but we're likely going +to drop it on the floor now. + +Rewrite the code a little bit as suggested by Linus, so that we avoid +spaghettiing the code even more -- namely the whole decision making +process regarding helper selection (either automatic or not) is being +separated, so that the whole logic can be simplified and code (condition) +duplication reduced. + +[1] https://cansecwest.com/csw12/conntrack-attack.pdf +[2] https://home.regit.org/netfilter-en/secure-use-of-helpers/ + +Signed-off-by: Jiri Kosina +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_conntrack_helper.c | 39 ++++++++++++++++++++++++------------ + 1 file changed, 26 insertions(+), 13 deletions(-) + +--- a/net/netfilter/nf_conntrack_helper.c ++++ b/net/netfilter/nf_conntrack_helper.c +@@ -188,6 +188,26 @@ nf_ct_helper_ext_add(struct nf_conn *ct, + } + EXPORT_SYMBOL_GPL(nf_ct_helper_ext_add); + ++static struct nf_conntrack_helper * ++nf_ct_lookup_helper(struct nf_conn *ct, struct net *net) ++{ ++ if (!net->ct.sysctl_auto_assign_helper) { ++ if (net->ct.auto_assign_helper_warned) ++ return NULL; ++ if (!__nf_ct_helper_find(&ct->tuplehash[IP_CT_DIR_REPLY].tuple)) ++ return NULL; ++ pr_info("nf_conntrack: default automatic helper assignment " ++ "has been turned off for security reasons and CT-based " ++ " firewall rule not found. Use the iptables CT target " ++ "to attach helpers instead.\n"); ++ net->ct.auto_assign_helper_warned = 1; ++ return NULL; ++ } ++ ++ return __nf_ct_helper_find(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); ++} ++ ++ + int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl, + gfp_t flags) + { +@@ -213,21 +233,14 @@ int __nf_ct_try_assign_helper(struct nf_ + } + + help = nfct_help(ct); +- if (net->ct.sysctl_auto_assign_helper && helper == NULL) { +- helper = __nf_ct_helper_find(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); +- if (unlikely(!net->ct.auto_assign_helper_warned && helper)) { +- pr_info("nf_conntrack: automatic helper " +- "assignment is deprecated and it will " +- "be removed soon. Use the iptables CT target " +- "to attach helpers instead.\n"); +- net->ct.auto_assign_helper_warned = true; +- } +- } + + if (helper == NULL) { +- if (help) +- RCU_INIT_POINTER(help->helper, NULL); +- return 0; ++ helper = nf_ct_lookup_helper(ct, net); ++ if (helper == NULL) { ++ if (help) ++ RCU_INIT_POINTER(help->helper, NULL); ++ return 0; ++ } + } + + if (help == NULL) { diff --git a/packet-do-not-call-fanout_release-from-atomic-contexts.patch b/packet-do-not-call-fanout_release-from-atomic-contexts.patch new file mode 100644 index 0000000..19a1a94 --- /dev/null +++ b/packet-do-not-call-fanout_release-from-atomic-contexts.patch @@ -0,0 +1,186 @@ +From foo@baz Thu Feb 23 21:13:05 CET 2017 +From: Anoob Soman +Date: Wed, 15 Feb 2017 20:25:39 +0000 +Subject: packet: Do not call fanout_release from atomic contexts + +From: Anoob Soman + + +[ Upstream commit 2bd624b4611ffee36422782d16e1c944d1351e98 ] + +Commit 6664498280cf ("packet: call fanout_release, while UNREGISTERING a +netdev"), unfortunately, introduced the following issues. + +1. calling mutex_lock(&fanout_mutex) (fanout_release()) from inside +rcu_read-side critical section. rcu_read_lock disables preemption, most often, +which prohibits calling sleeping functions. + +[ ] include/linux/rcupdate.h:560 Illegal context switch in RCU read-side critical section! +[ ] +[ ] rcu_scheduler_active = 1, debug_locks = 0 +[ ] 4 locks held by ovs-vswitchd/1969: +[ ] #0: (cb_lock){++++++}, at: [] genl_rcv+0x19/0x40 +[ ] #1: (ovs_mutex){+.+.+.}, at: [] ovs_vport_cmd_del+0x4a/0x100 [openvswitch] +[ ] #2: (rtnl_mutex){+.+.+.}, at: [] rtnl_lock+0x17/0x20 +[ ] #3: (rcu_read_lock){......}, at: [] packet_notifier+0x5/0x3f0 +[ ] +[ ] Call Trace: +[ ] [] dump_stack+0x85/0xc4 +[ ] [] lockdep_rcu_suspicious+0x107/0x110 +[ ] [] ___might_sleep+0x57/0x210 +[ ] [] __might_sleep+0x70/0x90 +[ ] [] mutex_lock_nested+0x3c/0x3a0 +[ ] [] ? vprintk_default+0x1f/0x30 +[ ] [] ? printk+0x4d/0x4f +[ ] [] fanout_release+0x1d/0xe0 +[ ] [] packet_notifier+0x2f9/0x3f0 + +2. calling mutex_lock(&fanout_mutex) inside spin_lock(&po->bind_lock). +"sleeping function called from invalid context" + +[ ] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620 +[ ] in_atomic(): 1, irqs_disabled(): 0, pid: 1969, name: ovs-vswitchd +[ ] INFO: lockdep is turned off. +[ ] Call Trace: +[ ] [] dump_stack+0x85/0xc4 +[ ] [] ___might_sleep+0x202/0x210 +[ ] [] __might_sleep+0x70/0x90 +[ ] [] mutex_lock_nested+0x3c/0x3a0 +[ ] [] fanout_release+0x1d/0xe0 +[ ] [] packet_notifier+0x2f9/0x3f0 + +3. calling dev_remove_pack(&fanout->prot_hook), from inside +spin_lock(&po->bind_lock) or rcu_read-side critical-section. dev_remove_pack() +-> synchronize_net(), which might sleep. + +[ ] BUG: scheduling while atomic: ovs-vswitchd/1969/0x00000002 +[ ] INFO: lockdep is turned off. +[ ] Call Trace: +[ ] [] dump_stack+0x85/0xc4 +[ ] [] __schedule_bug+0x64/0x73 +[ ] [] __schedule+0x6b/0xd10 +[ ] [] schedule+0x6b/0x80 +[ ] [] schedule_timeout+0x38d/0x410 +[ ] [] synchronize_sched_expedited+0x53d/0x810 +[ ] [] synchronize_rcu_expedited+0xe/0x10 +[ ] [] synchronize_net+0x35/0x50 +[ ] [] dev_remove_pack+0x13/0x20 +[ ] [] fanout_release+0xbe/0xe0 +[ ] [] packet_notifier+0x2f9/0x3f0 + +4. fanout_release() races with calls from different CPU. + +To fix the above problems, remove the call to fanout_release() under +rcu_read_lock(). Instead, call __dev_remove_pack(&fanout->prot_hook) and +netdev_run_todo will be happy that &dev->ptype_specific list is empty. In order +to achieve this, I moved dev_{add,remove}_pack() out of fanout_{add,release} to +__fanout_{link,unlink}. So, call to {,__}unregister_prot_hook() will make sure +fanout->prot_hook is removed as well. + +Fixes: 6664498280cf ("packet: call fanout_release, while UNREGISTERING a netdev") +Reported-by: Eric Dumazet +Signed-off-by: Anoob Soman +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 31 ++++++++++++++++++++++--------- + 1 file changed, 22 insertions(+), 9 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -1497,6 +1497,8 @@ static void __fanout_link(struct sock *s + f->arr[f->num_members] = sk; + smp_wmb(); + f->num_members++; ++ if (f->num_members == 1) ++ dev_add_pack(&f->prot_hook); + spin_unlock(&f->lock); + } + +@@ -1513,6 +1515,8 @@ static void __fanout_unlink(struct sock + BUG_ON(i >= f->num_members); + f->arr[i] = f->arr[f->num_members - 1]; + f->num_members--; ++ if (f->num_members == 0) ++ __dev_remove_pack(&f->prot_hook); + spin_unlock(&f->lock); + } + +@@ -1693,7 +1697,6 @@ static int fanout_add(struct sock *sk, u + match->prot_hook.func = packet_rcv_fanout; + match->prot_hook.af_packet_priv = match; + match->prot_hook.id_match = match_fanout_group; +- dev_add_pack(&match->prot_hook); + list_add(&match->list, &fanout_list); + } + err = -EINVAL; +@@ -1718,7 +1721,12 @@ out: + return err; + } + +-static void fanout_release(struct sock *sk) ++/* If pkt_sk(sk)->fanout->sk_ref is zero, this function removes ++ * pkt_sk(sk)->fanout from fanout_list and returns pkt_sk(sk)->fanout. ++ * It is the responsibility of the caller to call fanout_release_data() and ++ * free the returned packet_fanout (after synchronize_net()) ++ */ ++static struct packet_fanout *fanout_release(struct sock *sk) + { + struct packet_sock *po = pkt_sk(sk); + struct packet_fanout *f; +@@ -1728,17 +1736,17 @@ static void fanout_release(struct sock * + if (f) { + po->fanout = NULL; + +- if (atomic_dec_and_test(&f->sk_ref)) { ++ if (atomic_dec_and_test(&f->sk_ref)) + list_del(&f->list); +- dev_remove_pack(&f->prot_hook); +- fanout_release_data(f); +- kfree(f); +- } ++ else ++ f = NULL; + + if (po->rollover) + kfree_rcu(po->rollover, rcu); + } + mutex_unlock(&fanout_mutex); ++ ++ return f; + } + + static bool packet_extra_vlan_len_allowed(const struct net_device *dev, +@@ -2970,6 +2978,7 @@ static int packet_release(struct socket + { + struct sock *sk = sock->sk; + struct packet_sock *po; ++ struct packet_fanout *f; + struct net *net; + union tpacket_req_u req_u; + +@@ -3009,9 +3018,14 @@ static int packet_release(struct socket + packet_set_ring(sk, &req_u, 1, 1); + } + +- fanout_release(sk); ++ f = fanout_release(sk); + + synchronize_net(); ++ ++ if (f) { ++ fanout_release_data(f); ++ kfree(f); ++ } + /* + * Now the socket is dead. No more input will appear. + */ +@@ -3963,7 +3977,6 @@ static int packet_notifier(struct notifi + } + if (msg == NETDEV_UNREGISTER) { + packet_cached_dev_reset(po); +- fanout_release(sk); + po->ifindex = -1; + if (po->prot_hook.dev) + dev_put(po->prot_hook.dev); diff --git a/packet-fix-races-in-fanout_add.patch b/packet-fix-races-in-fanout_add.patch new file mode 100644 index 0000000..bc770db --- /dev/null +++ b/packet-fix-races-in-fanout_add.patch @@ -0,0 +1,126 @@ +From foo@baz Thu Feb 23 21:13:05 CET 2017 +From: Eric Dumazet +Date: Tue, 14 Feb 2017 09:03:51 -0800 +Subject: packet: fix races in fanout_add() + +From: Eric Dumazet + + +[ Upstream commit d199fab63c11998a602205f7ee7ff7c05c97164b ] + +Multiple threads can call fanout_add() at the same time. + +We need to grab fanout_mutex earlier to avoid races that could +lead to one thread freeing po->rollover that was set by another thread. + +Do the same in fanout_release(), for peace of mind, and to help us +finding lockdep issues earlier. + +Fixes: dc99f600698d ("packet: Add fanout support.") +Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state") +Signed-off-by: Eric Dumazet +Cc: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 53 ++++++++++++++++++++++++++----------------------- + 1 file changed, 29 insertions(+), 24 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -1619,6 +1619,7 @@ static void fanout_release_data(struct p + + static int fanout_add(struct sock *sk, u16 id, u16 type_flags) + { ++ struct packet_rollover *rollover = NULL; + struct packet_sock *po = pkt_sk(sk); + struct packet_fanout *f, *match; + u8 type = type_flags & 0xff; +@@ -1641,23 +1642,28 @@ static int fanout_add(struct sock *sk, u + return -EINVAL; + } + ++ mutex_lock(&fanout_mutex); ++ ++ err = -EINVAL; + if (!po->running) +- return -EINVAL; ++ goto out; + ++ err = -EALREADY; + if (po->fanout) +- return -EALREADY; ++ goto out; + + if (type == PACKET_FANOUT_ROLLOVER || + (type_flags & PACKET_FANOUT_FLAG_ROLLOVER)) { +- po->rollover = kzalloc(sizeof(*po->rollover), GFP_KERNEL); +- if (!po->rollover) +- return -ENOMEM; +- atomic_long_set(&po->rollover->num, 0); +- atomic_long_set(&po->rollover->num_huge, 0); +- atomic_long_set(&po->rollover->num_failed, 0); ++ err = -ENOMEM; ++ rollover = kzalloc(sizeof(*rollover), GFP_KERNEL); ++ if (!rollover) ++ goto out; ++ atomic_long_set(&rollover->num, 0); ++ atomic_long_set(&rollover->num_huge, 0); ++ atomic_long_set(&rollover->num_failed, 0); ++ po->rollover = rollover; + } + +- mutex_lock(&fanout_mutex); + match = NULL; + list_for_each_entry(f, &fanout_list, list) { + if (f->id == id && +@@ -1704,11 +1710,11 @@ static int fanout_add(struct sock *sk, u + } + } + out: +- mutex_unlock(&fanout_mutex); +- if (err) { +- kfree(po->rollover); ++ if (err && rollover) { ++ kfree(rollover); + po->rollover = NULL; + } ++ mutex_unlock(&fanout_mutex); + return err; + } + +@@ -1717,23 +1723,22 @@ static void fanout_release(struct sock * + struct packet_sock *po = pkt_sk(sk); + struct packet_fanout *f; + ++ mutex_lock(&fanout_mutex); + f = po->fanout; +- if (!f) +- return; ++ if (f) { ++ po->fanout = NULL; + +- mutex_lock(&fanout_mutex); +- po->fanout = NULL; ++ if (atomic_dec_and_test(&f->sk_ref)) { ++ list_del(&f->list); ++ dev_remove_pack(&f->prot_hook); ++ fanout_release_data(f); ++ kfree(f); ++ } + +- if (atomic_dec_and_test(&f->sk_ref)) { +- list_del(&f->list); +- dev_remove_pack(&f->prot_hook); +- fanout_release_data(f); +- kfree(f); ++ if (po->rollover) ++ kfree_rcu(po->rollover, rcu); + } + mutex_unlock(&fanout_mutex); +- +- if (po->rollover) +- kfree_rcu(po->rollover, rcu); + } + + static bool packet_extra_vlan_len_allowed(const struct net_device *dev, diff --git a/ptr_ring-fix-race-conditions-when-resizing.patch b/ptr_ring-fix-race-conditions-when-resizing.patch new file mode 100644 index 0000000..50d4f7f --- /dev/null +++ b/ptr_ring-fix-race-conditions-when-resizing.patch @@ -0,0 +1,135 @@ +From foo@baz Thu Feb 23 21:13:05 CET 2017 +From: "Michael S. Tsirkin" +Date: Sun, 19 Feb 2017 07:17:17 +0200 +Subject: ptr_ring: fix race conditions when resizing + +From: "Michael S. Tsirkin" + + +[ Upstream commit e71695307114335be1ed912f4a347396c2ed0e69 ] + +Resizing currently drops consumer lock. This can cause entries to be +reordered, which isn't good in itself. More importantly, consumer can +detect a false ring empty condition and block forever. + +Further, nesting of consumer within producer lock is problematic for +tun, since it produces entries in a BH, which causes a lock order +reversal: + + CPU0 CPU1 + ---- ---- + consume: + lock(&(&r->consumer_lock)->rlock); + resize: + local_irq_disable(); + lock(&(&r->producer_lock)->rlock); + lock(&(&r->consumer_lock)->rlock); + + produce: + lock(&(&r->producer_lock)->rlock); + +To fix, nest producer lock within consumer lock during resize, +and keep consumer lock during the whole swap operation. + +Reported-by: Dmitry Vyukov +Cc: stable@vger.kernel.org +Cc: "David S. Miller" +Acked-by: Jason Wang +Signed-off-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/ptr_ring.h | 36 +++++++++++++++++++++++++++++++----- + 1 file changed, 31 insertions(+), 5 deletions(-) + +--- a/include/linux/ptr_ring.h ++++ b/include/linux/ptr_ring.h +@@ -111,6 +111,11 @@ static inline int __ptr_ring_produce(str + return 0; + } + ++/* ++ * Note: resize (below) nests producer lock within consumer lock, so if you ++ * consume in interrupt or BH context, you must disable interrupts/BH when ++ * calling this. ++ */ + static inline int ptr_ring_produce(struct ptr_ring *r, void *ptr) + { + int ret; +@@ -242,6 +247,11 @@ static inline void *__ptr_ring_consume(s + return ptr; + } + ++/* ++ * Note: resize (below) nests producer lock within consumer lock, so if you ++ * call this in interrupt or BH context, you must disable interrupts/BH when ++ * producing. ++ */ + static inline void *ptr_ring_consume(struct ptr_ring *r) + { + void *ptr; +@@ -357,7 +367,7 @@ static inline void **__ptr_ring_swap_que + void **old; + void *ptr; + +- while ((ptr = ptr_ring_consume(r))) ++ while ((ptr = __ptr_ring_consume(r))) + if (producer < size) + queue[producer++] = ptr; + else if (destroy) +@@ -372,6 +382,12 @@ static inline void **__ptr_ring_swap_que + return old; + } + ++/* ++ * Note: producer lock is nested within consumer lock, so if you ++ * resize you must make sure all uses nest correctly. ++ * In particular if you consume ring in interrupt or BH context, you must ++ * disable interrupts/BH when doing so. ++ */ + static inline int ptr_ring_resize(struct ptr_ring *r, int size, gfp_t gfp, + void (*destroy)(void *)) + { +@@ -382,17 +398,25 @@ static inline int ptr_ring_resize(struct + if (!queue) + return -ENOMEM; + +- spin_lock_irqsave(&(r)->producer_lock, flags); ++ spin_lock_irqsave(&(r)->consumer_lock, flags); ++ spin_lock(&(r)->producer_lock); + + old = __ptr_ring_swap_queue(r, queue, size, gfp, destroy); + +- spin_unlock_irqrestore(&(r)->producer_lock, flags); ++ spin_unlock(&(r)->producer_lock); ++ spin_unlock_irqrestore(&(r)->consumer_lock, flags); + + kfree(old); + + return 0; + } + ++/* ++ * Note: producer lock is nested within consumer lock, so if you ++ * resize you must make sure all uses nest correctly. ++ * In particular if you consume ring in interrupt or BH context, you must ++ * disable interrupts/BH when doing so. ++ */ + static inline int ptr_ring_resize_multiple(struct ptr_ring **rings, int nrings, + int size, + gfp_t gfp, void (*destroy)(void *)) +@@ -412,10 +436,12 @@ static inline int ptr_ring_resize_multip + } + + for (i = 0; i < nrings; ++i) { +- spin_lock_irqsave(&(rings[i])->producer_lock, flags); ++ spin_lock_irqsave(&(rings[i])->consumer_lock, flags); ++ spin_lock(&(rings[i])->producer_lock); + queues[i] = __ptr_ring_swap_queue(rings[i], queues[i], + size, gfp, destroy); +- spin_unlock_irqrestore(&(rings[i])->producer_lock, flags); ++ spin_unlock(&(rings[i])->producer_lock); ++ spin_unlock_irqrestore(&(rings[i])->consumer_lock, flags); + } + + for (i = 0; i < nrings; ++i) diff --git a/rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch b/rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch new file mode 100644 index 0000000..f2b3f46 --- /dev/null +++ b/rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch @@ -0,0 +1,56 @@ +From 575ddce0507789bf9830d089557d2199d2f91865 Mon Sep 17 00:00:00 2001 +From: Michael Schenk +Date: Thu, 26 Jan 2017 11:25:04 -0600 +Subject: rtlwifi: rtl_usb: Fix for URB leaking when doing ifconfig up/down + +From: Michael Schenk + +commit 575ddce0507789bf9830d089557d2199d2f91865 upstream. + +In the function rtl_usb_start we pre-allocate a certain number of urbs +for RX path but they will not be freed when calling rtl_usb_stop. This +results in leaking urbs when doing ifconfig up and down. Eventually, +the system has no available urbs. + +Signed-off-by: Michael Schenk +Signed-off-by: Larry Finger +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/usb.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/drivers/net/wireless/realtek/rtlwifi/usb.c ++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c +@@ -831,12 +831,30 @@ static void rtl_usb_stop(struct ieee8021 + struct rtl_priv *rtlpriv = rtl_priv(hw); + struct rtl_hal *rtlhal = rtl_hal(rtl_priv(hw)); + struct rtl_usb *rtlusb = rtl_usbdev(rtl_usbpriv(hw)); ++ struct urb *urb; + + /* should after adapter start and interrupt enable. */ + set_hal_stop(rtlhal); + cancel_work_sync(&rtlpriv->works.fill_h2c_cmd); + /* Enable software */ + SET_USB_STOP(rtlusb); ++ ++ /* free pre-allocated URBs from rtl_usb_start() */ ++ usb_kill_anchored_urbs(&rtlusb->rx_submitted); ++ ++ tasklet_kill(&rtlusb->rx_work_tasklet); ++ cancel_work_sync(&rtlpriv->works.lps_change_work); ++ ++ flush_workqueue(rtlpriv->works.rtl_wq); ++ ++ skb_queue_purge(&rtlusb->rx_queue); ++ ++ while ((urb = usb_get_from_anchor(&rtlusb->rx_cleanup_urbs))) { ++ usb_free_coherent(urb->dev, urb->transfer_buffer_length, ++ urb->transfer_buffer, urb->transfer_dma); ++ usb_free_urb(urb); ++ } ++ + rtlpriv->cfg->ops->hw_disable(hw); + } + diff --git a/tty-serial-msm-fix-module-autoload.patch b/tty-serial-msm-fix-module-autoload.patch new file mode 100644 index 0000000..00f8334 --- /dev/null +++ b/tty-serial-msm-fix-module-autoload.patch @@ -0,0 +1,48 @@ +From abe81f3b8ed2996e1712d26d38ff6b73f582c616 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Mon, 2 Jan 2017 11:57:20 -0300 +Subject: tty: serial: msm: Fix module autoload + +From: Javier Martinez Canillas + +commit abe81f3b8ed2996e1712d26d38ff6b73f582c616 upstream. + +If the driver is built as a module, autoload won't work because the module +alias information is not filled. So user-space can't match the registered +device with the corresponding module. + +Export the module alias information using the MODULE_DEVICE_TABLE() macro. + +Before this patch: + +$ modinfo drivers/tty/serial/msm_serial.ko | grep alias +$ + +After this patch: + +$ modinfo drivers/tty/serial/msm_serial.ko | grep alias +alias: of:N*T*Cqcom,msm-uartdmC* +alias: of:N*T*Cqcom,msm-uartdm +alias: of:N*T*Cqcom,msm-uartC* +alias: of:N*T*Cqcom,msm-uart + +Signed-off-by: Javier Martinez Canillas +Acked-by: Bjorn Andersson +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/msm_serial.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/tty/serial/msm_serial.c ++++ b/drivers/tty/serial/msm_serial.c +@@ -1809,6 +1809,7 @@ static const struct of_device_id msm_mat + { .compatible = "qcom,msm-uartdm" }, + {} + }; ++MODULE_DEVICE_TABLE(of, msm_match_table); + + static struct platform_driver msm_platform_driver = { + .remove = msm_serial_remove, diff --git a/usb-serial-ark3116-fix-register-accessor-error-handling.patch b/usb-serial-ark3116-fix-register-accessor-error-handling.patch new file mode 100644 index 0000000..ec1430a --- /dev/null +++ b/usb-serial-ark3116-fix-register-accessor-error-handling.patch @@ -0,0 +1,46 @@ +From 9fef37d7cf170522fb354d6d0ea6de09b9b16678 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Jan 2017 14:56:09 +0100 +Subject: USB: serial: ark3116: fix register-accessor error handling + +From: Johan Hovold + +commit 9fef37d7cf170522fb354d6d0ea6de09b9b16678 upstream. + +The current implementation failed to detect short transfers, something +which could lead to bits of the uninitialised heap transfer buffer +leaking to user space. + +Fixes: 149fc791a452 ("USB: ark3116: Setup some basic infrastructure for new ark3116 driver.") +Fixes: f4c1e8d597d1 ("USB: ark3116: Make existing functions 16450-aware and add close and release functions.") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ark3116.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/usb/serial/ark3116.c ++++ b/drivers/usb/serial/ark3116.c +@@ -99,10 +99,17 @@ static int ark3116_read_reg(struct usb_s + usb_rcvctrlpipe(serial->dev, 0), + 0xfe, 0xc0, 0, reg, + buf, 1, ARK_TIMEOUT); +- if (result < 0) ++ if (result < 1) { ++ dev_err(&serial->interface->dev, ++ "failed to read register %u: %d\n", ++ reg, result); ++ if (result >= 0) ++ result = -EIO; ++ + return result; +- else +- return buf[0]; ++ } ++ ++ return buf[0]; + } + + static inline int calc_divisor(int bps) diff --git a/usb-serial-console-fix-uninitialised-spinlock.patch b/usb-serial-console-fix-uninitialised-spinlock.patch new file mode 100644 index 0000000..5f0edc3 --- /dev/null +++ b/usb-serial-console-fix-uninitialised-spinlock.patch @@ -0,0 +1,38 @@ +From 14816b16fa0adac24f82492f18fa62c55acabbbe Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 8 Feb 2017 18:53:08 +0100 +Subject: USB: serial: console: fix uninitialised spinlock + +From: Johan Hovold + +commit 14816b16fa0adac24f82492f18fa62c55acabbbe upstream. + +Since commit 4a510969374a ("tty: Make tty_files_lock per-tty") a new +tty_struct spin lock is taken in the tty release path, but the +USB-serial-console hack was never updated hence leaving the lock of its +"fake" tty uninitialised. This was eventually detected by lockdep. + +Make sure to initialise the new lock also for the fake tty to address +this regression. + +Yes, this code is a mess, but cleaning it up is left for another day. + +Fixes: 4a510969374a ("tty: Make tty_files_lock per-tty") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/console.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/console.c ++++ b/drivers/usb/serial/console.c +@@ -143,6 +143,7 @@ static int usb_console_setup(struct cons + tty->driver = usb_serial_tty_driver; + tty->index = co->index; + init_ldsem(&tty->ldisc_sem); ++ spin_lock_init(&tty->files_lock); + INIT_LIST_HEAD(&tty->tty_files); + kref_get(&tty->driver->kref); + __module_get(tty->driver->owner); diff --git a/usb-serial-cp210x-add-new-ids-for-ge-bx50v3-boards.patch b/usb-serial-cp210x-add-new-ids-for-ge-bx50v3-boards.patch new file mode 100644 index 0000000..8bd68ad --- /dev/null +++ b/usb-serial-cp210x-add-new-ids-for-ge-bx50v3-boards.patch @@ -0,0 +1,31 @@ +From 9a593656def0dc2f6c227851e8e602077267a5f1 Mon Sep 17 00:00:00 2001 +From: Ken Lin +Date: Sat, 4 Feb 2017 04:00:24 +0800 +Subject: USB: serial: cp210x: add new IDs for GE Bx50v3 boards + +From: Ken Lin + +commit 9a593656def0dc2f6c227851e8e602077267a5f1 upstream. + +Add new USB IDs for cp2104/5 devices on Bx50v3 boards due to the design +change. + +Signed-off-by: Ken Lin +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/cp210x.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -172,6 +172,8 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */ + { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */ + { USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */ ++ { USB_DEVICE(0x1901, 0x0195) }, /* GE B850/B650/B450 CP2104 DP UART interface */ ++ { USB_DEVICE(0x1901, 0x0196) }, /* GE B850 CP2105 DP UART interface */ + { USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */ + { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */ + { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */ diff --git a/usb-serial-digi_acceleport-fix-oob-data-sanity-check.patch b/usb-serial-digi_acceleport-fix-oob-data-sanity-check.patch new file mode 100644 index 0000000..22c2761 --- /dev/null +++ b/usb-serial-digi_acceleport-fix-oob-data-sanity-check.patch @@ -0,0 +1,53 @@ +From 2d380889215fe20b8523345649dee0579821800c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 31 Jan 2017 17:17:27 +0100 +Subject: USB: serial: digi_acceleport: fix OOB data sanity check + +From: Johan Hovold + +commit 2d380889215fe20b8523345649dee0579821800c upstream. + +Make sure to check for short transfers to avoid underflow in a loop +condition when parsing the receive buffer. + +Also fix an off-by-one error in the incomplete sanity check which could +lead to invalid data being parsed. + +Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/digi_acceleport.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/drivers/usb/serial/digi_acceleport.c ++++ b/drivers/usb/serial/digi_acceleport.c +@@ -1482,16 +1482,20 @@ static int digi_read_oob_callback(struct + struct usb_serial *serial = port->serial; + struct tty_struct *tty; + struct digi_port *priv = usb_get_serial_port_data(port); ++ unsigned char *buf = urb->transfer_buffer; + int opcode, line, status, val; + int i; + unsigned int rts; + ++ if (urb->actual_length < 4) ++ return -1; ++ + /* handle each oob command */ +- for (i = 0; i < urb->actual_length - 3;) { +- opcode = ((unsigned char *)urb->transfer_buffer)[i++]; +- line = ((unsigned char *)urb->transfer_buffer)[i++]; +- status = ((unsigned char *)urb->transfer_buffer)[i++]; +- val = ((unsigned char *)urb->transfer_buffer)[i++]; ++ for (i = 0; i < urb->actual_length - 4; i += 4) { ++ opcode = buf[i]; ++ line = buf[i + 1]; ++ status = buf[i + 2]; ++ val = buf[i + 3]; + + dev_dbg(&port->dev, "digi_read_oob_callback: opcode=%d, line=%d, status=%d, val=%d\n", + opcode, line, status, val); diff --git a/usb-serial-ftdi_sio-fix-extreme-low-latency-setting.patch b/usb-serial-ftdi_sio-fix-extreme-low-latency-setting.patch new file mode 100644 index 0000000..6770d1a --- /dev/null +++ b/usb-serial-ftdi_sio-fix-extreme-low-latency-setting.patch @@ -0,0 +1,51 @@ +From c6dce2626606ef16434802989466636bc28c1419 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 25 Jan 2017 15:35:20 +0100 +Subject: USB: serial: ftdi_sio: fix extreme low-latency setting + +From: Johan Hovold + +commit c6dce2626606ef16434802989466636bc28c1419 upstream. + +Since commit 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY +flag") the FTDI driver has been using a receive latency-timer value of +1 ms instead of the device default of 16 ms. + +The latency timer is used to periodically empty a non-full receive +buffer, but a status header is always sent when the timer expires +including when the buffer is empty. This means that a two-byte bulk +message is received every millisecond also for an otherwise idle port as +long as it is open. + +Let's restore the pre-2009 behaviour which reduces the rate of the +status messages to 1/16th (e.g. interrupt frequency drops from 1 kHz to +62.5 Hz) by not setting ASYNC_LOW_LATENCY by default. + +Anyone willing to pay the price for the minimum-latency behaviour should +set the flag explicitly instead using the TIOCSSERIAL ioctl or a tool +such as setserial (e.g. setserial /dev/ttyUSB0 low_latency). + +Note that since commit 0cbd81a9f6ba ("USB: ftdi_sio: remove +tty->low_latency") the ASYNC_LOW_LATENCY flag has no other effects but +to set a minimal latency timer. + +Reported-by: Antoine Aubert +Fixes: 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY flag") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ftdi_sio.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1807,8 +1807,6 @@ static int ftdi_sio_port_probe(struct us + + mutex_init(&priv->cfg_lock); + +- priv->flags = ASYNC_LOW_LATENCY; +- + if (quirk && quirk->port_probe) + quirk->port_probe(priv); + diff --git a/usb-serial-ftdi_sio-fix-line-status-over-reporting.patch b/usb-serial-ftdi_sio-fix-line-status-over-reporting.patch new file mode 100644 index 0000000..834c1e6 --- /dev/null +++ b/usb-serial-ftdi_sio-fix-line-status-over-reporting.patch @@ -0,0 +1,75 @@ +From a6bb1e17a39818b01b55d8e6238b4b5f06d55038 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 2 Feb 2017 17:38:35 +0100 +Subject: USB: serial: ftdi_sio: fix line-status over-reporting + +From: Johan Hovold + +commit a6bb1e17a39818b01b55d8e6238b4b5f06d55038 upstream. + +FTDI devices use a receive latency timer to periodically empty the +receive buffer and report modem and line status (also when the buffer is +empty). + +When a break or error condition is detected the corresponding status +flags will be set on a packet with nonzero data payload and the flags +are not updated until the break is over or further characters are +received. + +In order to avoid over-reporting break and error conditions, these flags +must therefore only be processed for packets with payload. + +This specifically fixes the case where after an overrun, the error +condition is continuously reported and NULL-characters inserted until +further data is received. + +Reported-by: Michael Walle +Fixes: 72fda3ca6fc1 ("USB: serial: ftd_sio: implement sysrq handling on +break") +Fixes: 166ceb690750 ("USB: ftdi_sio: clean up line-status handling") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ftdi_sio.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -2070,6 +2070,20 @@ static int ftdi_process_packet(struct us + priv->prev_status = status; + } + ++ /* save if the transmitter is empty or not */ ++ if (packet[1] & FTDI_RS_TEMT) ++ priv->transmit_empty = 1; ++ else ++ priv->transmit_empty = 0; ++ ++ len -= 2; ++ if (!len) ++ return 0; /* status only */ ++ ++ /* ++ * Break and error status must only be processed for packets with ++ * data payload to avoid over-reporting. ++ */ + flag = TTY_NORMAL; + if (packet[1] & FTDI_RS_ERR_MASK) { + /* Break takes precedence over parity, which takes precedence +@@ -2092,15 +2106,6 @@ static int ftdi_process_packet(struct us + } + } + +- /* save if the transmitter is empty or not */ +- if (packet[1] & FTDI_RS_TEMT) +- priv->transmit_empty = 1; +- else +- priv->transmit_empty = 0; +- +- len -= 2; +- if (!len) +- return 0; /* status only */ + port->icount.rx += len; + ch = packet + 2; + diff --git a/usb-serial-ftdi_sio-fix-modem-status-error-handling.patch b/usb-serial-ftdi_sio-fix-modem-status-error-handling.patch new file mode 100644 index 0000000..8727941 --- /dev/null +++ b/usb-serial-ftdi_sio-fix-modem-status-error-handling.patch @@ -0,0 +1,40 @@ +From 427c3a95e3e29e65f59d99aaf320d7506f3eed57 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Jan 2017 14:56:11 +0100 +Subject: USB: serial: ftdi_sio: fix modem-status error handling + +From: Johan Hovold + +commit 427c3a95e3e29e65f59d99aaf320d7506f3eed57 upstream. + +Make sure to detect short responses when fetching the modem status in +order to avoid parsing uninitialised buffer data and having bits of it +leak to user space. + +Note that we still allow for short 1-byte responses. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ftdi_sio.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -2433,8 +2433,12 @@ static int ftdi_get_modem_status(struct + FTDI_SIO_GET_MODEM_STATUS_REQUEST_TYPE, + 0, priv->interface, + buf, len, WDR_TIMEOUT); +- if (ret < 0) { ++ ++ /* NOTE: We allow short responses and handle that below. */ ++ if (ret < 1) { + dev_err(&port->dev, "failed to get modem status: %d\n", ret); ++ if (ret >= 0) ++ ret = -EIO; + ret = usb_translate_errors(ret); + goto out; + } diff --git a/usb-serial-mos7840-fix-another-null-deref-at-open.patch b/usb-serial-mos7840-fix-another-null-deref-at-open.patch new file mode 100644 index 0000000..4ab4193 --- /dev/null +++ b/usb-serial-mos7840-fix-another-null-deref-at-open.patch @@ -0,0 +1,44 @@ +From 5182c2cf2a9bfb7f066ef0bdd2bb6330b94dd74e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 9 Feb 2017 12:11:41 +0100 +Subject: USB: serial: mos7840: fix another NULL-deref at open + +From: Johan Hovold + +commit 5182c2cf2a9bfb7f066ef0bdd2bb6330b94dd74e upstream. + +Fix another NULL-pointer dereference at open should a malicious device +lack an interrupt-in endpoint. + +Note that the driver has a broken check for an interrupt-in endpoint +which means that an interrupt URB has never even been submitted. + +Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/mos7840.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/mos7840.c ++++ b/drivers/usb/serial/mos7840.c +@@ -1024,6 +1024,7 @@ static int mos7840_open(struct tty_struc + * (can't set it up in mos7840_startup as the structures * + * were not set up at that time.) */ + if (port0->open_ports == 1) { ++ /* FIXME: Buffer never NULL, so URB is not submitted. */ + if (serial->port[0]->interrupt_in_buffer == NULL) { + /* set up interrupt urb */ + usb_fill_int_urb(serial->port[0]->interrupt_in_urb, +@@ -2119,7 +2120,8 @@ static int mos7840_calc_num_ports(struct + static int mos7840_attach(struct usb_serial *serial) + { + if (serial->num_bulk_in < serial->num_ports || +- serial->num_bulk_out < serial->num_ports) { ++ serial->num_bulk_out < serial->num_ports || ++ serial->num_interrupt_in < 1) { + dev_err(&serial->interface->dev, "missing endpoints\n"); + return -ENODEV; + } diff --git a/usb-serial-opticon-fix-cts-retrieval-at-open.patch b/usb-serial-opticon-fix-cts-retrieval-at-open.patch new file mode 100644 index 0000000..550f5bc --- /dev/null +++ b/usb-serial-opticon-fix-cts-retrieval-at-open.patch @@ -0,0 +1,36 @@ +From 2eee05020a0e7ee7c04422cbacdb07859e45dce6 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 13 Jan 2017 13:21:08 +0100 +Subject: USB: serial: opticon: fix CTS retrieval at open + +From: Johan Hovold + +commit 2eee05020a0e7ee7c04422cbacdb07859e45dce6 upstream. + +The opticon driver used a control request at open to trigger a CTS +status notification to be sent over the bulk-in pipe. When the driver +was converted to using the generic read implementation, an inverted test +prevented this request from being sent, something which could lead to +TIOCMGET reporting an incorrect CTS state. + +Reported-by: Dan Carpenter +Fixes: 7a6ee2b02751 ("USB: opticon: switch to generic read implementation") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/opticon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/serial/opticon.c ++++ b/drivers/usb/serial/opticon.c +@@ -142,7 +142,7 @@ static int opticon_open(struct tty_struc + usb_clear_halt(port->serial->dev, port->read_urb->pipe); + + res = usb_serial_generic_open(tty, port); +- if (!res) ++ if (res) + return res; + + /* Request CTS line state, sometimes during opening the current diff --git a/usb-serial-spcp8x5-fix-modem-status-handling.patch b/usb-serial-spcp8x5-fix-modem-status-handling.patch new file mode 100644 index 0000000..aab93cd --- /dev/null +++ b/usb-serial-spcp8x5-fix-modem-status-handling.patch @@ -0,0 +1,50 @@ +From 5ed8d41023751bdd3546f2fe4118304357efe8d2 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Jan 2017 14:56:21 +0100 +Subject: USB: serial: spcp8x5: fix modem-status handling + +From: Johan Hovold + +commit 5ed8d41023751bdd3546f2fe4118304357efe8d2 upstream. + +Make sure to detect short control transfers and return zero on success +when retrieving the modem status. + +This fixes the TIOCMGET implementation which since e1ed212d8593 ("USB: +spcp8x5: add proper modem-status support") has returned TIOCM_LE on +successful retrieval, and avoids leaking bits from the stack on short +transfers. + +This also fixes the carrier-detect implementation which since the above +mentioned commit unconditionally has returned true. + +Fixes: e1ed212d8593 ("USB: spcp8x5: add proper modem-status support") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/spcp8x5.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/spcp8x5.c ++++ b/drivers/usb/serial/spcp8x5.c +@@ -232,11 +232,17 @@ static int spcp8x5_get_msr(struct usb_se + ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), + GET_UART_STATUS, GET_UART_STATUS_TYPE, + 0, GET_UART_STATUS_MSR, buf, 1, 100); +- if (ret < 0) ++ if (ret < 1) { + dev_err(&port->dev, "failed to get modem status: %d\n", ret); ++ if (ret >= 0) ++ ret = -EIO; ++ goto out; ++ } + + dev_dbg(&port->dev, "0xc0:0x22:0:6 %d - 0x02%x\n", ret, *buf); + *status = *buf; ++ ret = 0; ++out: + kfree(buf); + + return ret; diff --git a/vxlan-fix-oops-in-dev_fill_metadata_dst.patch b/vxlan-fix-oops-in-dev_fill_metadata_dst.patch new file mode 100644 index 0000000..99ce1da --- /dev/null +++ b/vxlan-fix-oops-in-dev_fill_metadata_dst.patch @@ -0,0 +1,63 @@ +From foo@baz Thu Feb 23 21:13:05 CET 2017 +From: Paolo Abeni +Date: Fri, 17 Feb 2017 19:14:27 +0100 +Subject: vxlan: fix oops in dev_fill_metadata_dst + +From: Paolo Abeni + + +[ Upstream commit 22f0708a718daea5e79de2d29b4829de016a4ff4 ] + +Since the commit 0c1d70af924b ("net: use dst_cache for vxlan device") +vxlan_fill_metadata_dst() calls vxlan_get_route() passing a NULL +dst_cache pointer, so the latter should explicitly check for +valid dst_cache ptr. Unfortunately the commit d71785ffc7e7 ("net: add +dst_cache to ovs vxlan lwtunnel") removed said check. + +As a result is possible to trigger a null pointer access calling +vxlan_fill_metadata_dst(), e.g. with: + +ovs-vsctl add-br ovs-br0 +ovs-vsctl add-port ovs-br0 vxlan0 -- set interface vxlan0 \ + type=vxlan options:remote_ip=192.168.1.1 \ + options:key=1234 options:dst_port=4789 ofport_request=10 +ip address add dev ovs-br0 172.16.1.2/24 +ovs-vsctl set Bridge ovs-br0 ipfix=@i -- --id=@i create IPFIX \ + targets=\"172.16.1.1:1234\" sampling=1 +iperf -c 172.16.1.1 -u -l 1000 -b 10M -t 1 -p 1234 + +This commit addresses the issue passing to vxlan_get_route() the +dst_cache already available into the lwt info processed by +vxlan_fill_metadata_dst(). + +Fixes: d71785ffc7e7 ("net: add dst_cache to ovs vxlan lwtunnel") +Signed-off-by: Paolo Abeni +Acked-by: Jiri Benc +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/vxlan.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -2449,7 +2449,8 @@ static int vxlan_fill_metadata_dst(struc + return -EINVAL; + rt = vxlan_get_route(vxlan, skb, 0, info->key.tos, + info->key.u.ipv4.dst, +- &info->key.u.ipv4.src, NULL, info); ++ &info->key.u.ipv4.src, ++ &info->dst_cache, info); + if (IS_ERR(rt)) + return PTR_ERR(rt); + ip_rt_put(rt); +@@ -2459,7 +2460,8 @@ static int vxlan_fill_metadata_dst(struc + + ndst = vxlan6_get_route(vxlan, skb, 0, info->key.tos, + info->key.label, &info->key.u.ipv6.dst, +- &info->key.u.ipv6.src, NULL, info); ++ &info->key.u.ipv6.src, ++ &info->dst_cache, info); + if (IS_ERR(ndst)) + return PTR_ERR(ndst); + dst_release(ndst); diff --git a/x86-platform-goldfish-prevent-unconditional-loading.patch b/x86-platform-goldfish-prevent-unconditional-loading.patch new file mode 100644 index 0000000..571e6a9 --- /dev/null +++ b/x86-platform-goldfish-prevent-unconditional-loading.patch @@ -0,0 +1,79 @@ +From 47512cfd0d7a8bd6ab71d01cd89fca19eb2093eb Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Wed, 15 Feb 2017 11:11:50 +0100 +Subject: x86/platform/goldfish: Prevent unconditional loading + +From: Thomas Gleixner + +commit 47512cfd0d7a8bd6ab71d01cd89fca19eb2093eb upstream. + +The goldfish platform code registers the platform device unconditionally +which causes havoc in several ways if the goldfish_pdev_bus driver is +enabled: + + - Access to the hardcoded physical memory region, which is either not + available or contains stuff which is completely unrelated. + + - Prevents that the interrupt of the serial port can be requested + + - In case of a spurious interrupt it goes into a infinite loop in the + interrupt handler of the pdev_bus driver (which needs to be fixed + seperately). + +Add a 'goldfish' command line option to make the registration opt-in when +the platform is compiled in. + +I'm seriously grumpy about this engineering trainwreck, which has seven +SOBs from Intel developers for 50 lines of code. And none of them figured +out that this is broken. Impressive fail! + +Fixes: ddd70cf93d78 ("goldfish: platform device for x86") +Reported-by: Gabriel C +Signed-off-by: Thomas Gleixner +Acked-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/kernel-parameters.txt | 4 ++++ + arch/x86/platform/goldfish/goldfish.c | 14 +++++++++++++- + 2 files changed, 17 insertions(+), 1 deletion(-) + +--- a/Documentation/kernel-parameters.txt ++++ b/Documentation/kernel-parameters.txt +@@ -1391,6 +1391,10 @@ bytes respectively. Such letter suffixes + When zero, profiling data is discarded and associated + debugfs files are removed at module unload time. + ++ goldfish [X86] Enable the goldfish android emulator platform. ++ Don't use this when you are not running on the ++ android emulator ++ + gpt [EFI] Forces disk with valid GPT signature but + invalid Protective MBR to be treated as GPT. If the + primary GPT is corrupted, it enables the backup/alternate +--- a/arch/x86/platform/goldfish/goldfish.c ++++ b/arch/x86/platform/goldfish/goldfish.c +@@ -42,10 +42,22 @@ static struct resource goldfish_pdev_bus + } + }; + ++static bool goldfish_enable __initdata; ++ ++static int __init goldfish_setup(char *str) ++{ ++ goldfish_enable = true; ++ return 0; ++} ++__setup("goldfish", goldfish_setup); ++ + static int __init goldfish_init(void) + { ++ if (!goldfish_enable) ++ return -ENODEV; ++ + platform_device_register_simple("goldfish_pdev_bus", -1, +- goldfish_pdev_bus_resources, 2); ++ goldfish_pdev_bus_resources, 2); + return 0; + } + device_initcall(goldfish_init); diff --git a/xfs-clear-delalloc-and-cache-on-buffered-write-failure.patch b/xfs-clear-delalloc-and-cache-on-buffered-write-failure.patch new file mode 100644 index 0000000..9f982cc --- /dev/null +++ b/xfs-clear-delalloc-and-cache-on-buffered-write-failure.patch @@ -0,0 +1,66 @@ +From fa7f138ac4c70dc00519c124cf7cd4862a0a5b0e Mon Sep 17 00:00:00 2001 +From: Brian Foster +Date: Thu, 16 Feb 2017 17:19:12 -0800 +Subject: xfs: clear delalloc and cache on buffered write failure + +From: Brian Foster + +commit fa7f138ac4c70dc00519c124cf7cd4862a0a5b0e upstream. + +The buffered write failure handling code in +xfs_file_iomap_end_delalloc() has a couple minor problems. First, if +written == 0, start_fsb is not rounded down and it fails to kill off a +delalloc block if the start offset is block unaligned. This results in a +lingering delalloc block and broken delalloc block accounting detected +at unmount time. Fix this by rounding down start_fsb in the unlikely +event that written == 0. + +Second, it is possible for a failed overwrite of a delalloc extent to +leave dirty pagecache around over a hole in the file. This is because is +possible to hit ->iomap_end() on write failure before the iomap code has +attempted to allocate pagecache, and thus has no need to clean it up. If +the targeted delalloc extent was successfully written by a previous +write, however, then it does still have dirty pages when ->iomap_end() +punches out the underlying blocks. This ultimately results in writeback +over a hole. To fix this problem, unconditionally punch out the +pagecache from XFS before the associated delalloc range. + +Signed-off-by: Brian Foster +Reviewed-by: Christoph Hellwig +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Greg Kroah-Hartman + +--- + fs/xfs/xfs_iomap.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/fs/xfs/xfs_iomap.c ++++ b/fs/xfs/xfs_iomap.c +@@ -1068,7 +1068,15 @@ xfs_file_iomap_end_delalloc( + xfs_fileoff_t end_fsb; + int error = 0; + +- start_fsb = XFS_B_TO_FSB(mp, offset + written); ++ /* ++ * start_fsb refers to the first unused block after a short write. If ++ * nothing was written, round offset down to point at the first block in ++ * the range. ++ */ ++ if (unlikely(!written)) ++ start_fsb = XFS_B_TO_FSBT(mp, offset); ++ else ++ start_fsb = XFS_B_TO_FSB(mp, offset + written); + end_fsb = XFS_B_TO_FSB(mp, offset + length); + + /* +@@ -1080,6 +1088,9 @@ xfs_file_iomap_end_delalloc( + * blocks in the range, they are ours. + */ + if (start_fsb < end_fsb) { ++ truncate_pagecache_range(VFS_I(ip), XFS_FSB_TO_B(mp, start_fsb), ++ XFS_FSB_TO_B(mp, end_fsb) - 1); ++ + xfs_ilock(ip, XFS_ILOCK_EXCL); + error = xfs_bmap_punch_delalloc_range(ip, start_fsb, + end_fsb - start_fsb);