4.12.8-200.fc25.gnu

9 files changed, 168 insertions, 246 deletions

diff --git a/freed-ora/current/f25/bz1471302.patch b/freed-ora/current/f25/bz1471302.patch
deleted file mode 100644
index 0a1325e78..000000000
--- a/freed-ora/current/f25/bz1471302.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From: Johannes Thumshirn <jthumshirn@suse.de>
-Subject: Re: [REGRESSION] 28676d869bbb (scsi: sg: check for valid direction
- before starting the request) breaks mtx tape library control
-To: Jason L Tibbitts III <tibbs@math.uh.edu>
-Cc: Doug Gilbert <dgilbert@interlog.com>, linux-scsi@vger.kernel.org,
-	linux-kernel@vger.kernel.org, dvyukov@google.com, hare@suse.com,
-	hch@lst.de, martin.petersen@oracle.com
-Date: Wed, 26 Jul 2017 09:39:34 +0200 (6 hours, 57 minutes ago)
-
-On Tue, Jul 25, 2017 at 01:25:07PM -0500, Jason L Tibbitts III wrote:
-> >>>>> "JT" == Johannes Thumshirn <jthumshirn@suse.de> writes:
-> ioctl(3, SG_IO, {interface_id='S', dxfer_direction=SG_DXFER_TO_DEV, cmd_len=12, cmdp="\xa5\x00\x00\x00\x00\x01\x03\xe9\x00\x00\x00\x00", mx_sb_len=20, iovec_count=0, dxfer_len=0, timeout=300000, flags=0, dxferp=NULL, status=0, masked_status=0, msg_status=0, sb_len_wr=0, sbp="", host_status=0, driver_status=0, resid=0, duration=0, info=0}) = -1 EINVAL (Invalid argument)
-
-[...]
- 	case SG_DXFER_TO_DEV:
-  	case SG_DXFER_TO_FROM_DEV:
- 		if (!hp->dxferp)
-  			return false;
-  		return true;
-
-So here we go, dxfer_direction is SG_DXFER_TO_DEV, dxfer_len is 0 and dxferp
-is NULL. We bail out because dxferp is NULL here.
-
-I only looked at sg_write() and not sg_new_write() which is called by the
-SG_IO path not the fops->write() path.
-
-It's probably best to just check for dxfer_len <= 2^28 to be valid as Doug
-suggested:
-
-diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
-index 4fe606b000b4..d7ff71e0c85c 100644
---- a/drivers/scsi/sg.c
-+++ b/drivers/scsi/sg.c
-@@ -751,29 +751,6 @@ sg_new_write(Sg_fd *sfp, struct file *file, const char __user *buf,
- 	return count;
- }
- 
--static bool sg_is_valid_dxfer(sg_io_hdr_t *hp)
--{
--	switch (hp->dxfer_direction) {
--	case SG_DXFER_NONE:
--		if (hp->dxferp || hp->dxfer_len > 0)
--			return false;
--		return true;
--	case SG_DXFER_TO_DEV:
--	case SG_DXFER_FROM_DEV:
--	case SG_DXFER_TO_FROM_DEV:
--		if (!hp->dxferp || hp->dxfer_len == 0)
--			return false;
--		return true;
--	case SG_DXFER_UNKNOWN:
--		if ((!hp->dxferp && hp->dxfer_len) ||
--		    (hp->dxferp && hp->dxfer_len == 0))
--			return false;
--		return true;
--	default:
--		return false;
--	}
--}
--
- static int
- sg_common_write(Sg_fd * sfp, Sg_request * srp,
- 		unsigned char *cmnd, int timeout, int blocking)
-@@ -800,7 +771,7 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp,
- 			"sg_common_write:  scsi opcode=0x%02x, cmd_size=%d\n",
- 			(int) cmnd[0], (int) hp->cmd_len));
- 
--	if (!sg_is_valid_dxfer(hp))
-+	if (hp->dxfer_len >= SZ_256M)
- 		return -EINVAL;
- 
- 	k = sg_start_req(srp, cmnd);
-
--- 
-Johannes Thumshirn                                          Storage
-jthumshirn@suse.de                                +49 911 74053 689
-SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
-GF: Felix Imendörffer, Jane Smithard, Graham Norton
-HRB 21284 (AG Nürnberg)
-Key fingerprint = EC38 9CAB C2C4 F25D 8600 D0D0 0393 969D 2D76 0850
-
diff --git a/freed-ora/current/f25/iio-race-fix.patch b/freed-ora/current/f25/iio-race-fix.patch
new file mode 100644
index 000000000..2661fa535
--- /dev/null
+++ b/freed-ora/current/f25/iio-race-fix.patch
@@ -0,0 +1,83 @@
+From eafad73ed3851707fa6e3124a255fc049ff9545d Mon Sep 17 00:00:00 2001
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Date: Sat, 12 Aug 2017 09:09:21 -0700
+Subject: iio: hid-sensor-trigger: Fix the race with user space powering up
+ sensors
+
+It has been reported for a while that with iio-sensor-proxy service the
+rotation only works after one suspend/resume cycle. This required a wait
+in the systemd unit file to avoid race. I found a Yoga 900 where I could
+reproduce this.
+
+The problem scenerio is:
+- During sensor driver init, enable run time PM and also set a
+  auto-suspend for 3 seconds.
+	This result in one runtime resume. But there is a check to avoid
+a powerup in this sequence, but rpm is active
+- User space iio-sensor-proxy tries to power up the sensor. Since rpm is
+  active it will simply return. But sensors were not actually
+powered up in the prior sequence, so actaully the sensors will not work
+- After 3 seconds the auto suspend kicks
+
+If we add a wait in systemd service file to fire iio-sensor-proxy after
+3 seconds, then now everything will work as the runtime resume will
+actually powerup the sensor as this is a user request.
+
+To avoid this:
+- Remove the check to match user requested state, this will cause a
+  brief powerup, but if the iio-sensor-proxy starts immediately it will
+still work as the sensors are ON.
+- Also move the autosuspend delay to place when user requested turn off
+  of sensors, like after user finished raw read or buffer disable
+
+Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Tested-by: Bastien Nocera <hadess@hadess.net>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+---
+ drivers/iio/common/hid-sensors/hid-sensor-trigger.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iio/common/hid-sensors/hid-sensor-trigger.c b/drivers/iio/common/hid-sensors/hid-sensor-trigger.c
+index 16ade0a..0e4b379 100644
+--- a/drivers/iio/common/hid-sensors/hid-sensor-trigger.c
++++ b/drivers/iio/common/hid-sensors/hid-sensor-trigger.c
+@@ -111,8 +111,6 @@ static int _hid_sensor_power_state(struct hid_sensor_common *st, bool state)
+ 	s32 poll_value = 0;
+ 
+ 	if (state) {
+-		if (!atomic_read(&st->user_requested_state))
+-			return 0;
+ 		if (sensor_hub_device_open(st->hsdev))
+ 			return -EIO;
+ 
+@@ -161,6 +159,9 @@ static int _hid_sensor_power_state(struct hid_sensor_common *st, bool state)
+ 				       &report_val);
+ 	}
+ 
++	pr_debug("HID_SENSOR %s set power_state %d report_state %d\n",
++		 st->pdev->name, state_val, report_val);
++
+ 	sensor_hub_get_feature(st->hsdev, st->power_state.report_id,
+ 			       st->power_state.index,
+ 			       sizeof(state_val), &state_val);
+@@ -182,6 +183,7 @@ int hid_sensor_power_state(struct hid_sensor_common *st, bool state)
+ 		ret = pm_runtime_get_sync(&st->pdev->dev);
+ 	else {
+ 		pm_runtime_mark_last_busy(&st->pdev->dev);
++		pm_runtime_use_autosuspend(&st->pdev->dev);
+ 		ret = pm_runtime_put_autosuspend(&st->pdev->dev);
+ 	}
+ 	if (ret < 0) {
+@@ -285,8 +287,6 @@ int hid_sensor_setup_trigger(struct iio_dev *indio_dev, const char *name,
+ 	/* Default to 3 seconds, but can be changed from sysfs */
+ 	pm_runtime_set_autosuspend_delay(&attrb->pdev->dev,
+ 					 3000);
+-	pm_runtime_use_autosuspend(&attrb->pdev->dev);
+-
+ 	return ret;
+ error_unreg_trigger:
+ 	iio_trigger_unregister(trig);
+-- 
+cgit v1.1
+
diff --git a/freed-ora/current/f25/kernel.spec b/freed-ora/current/f25/kernel.spec
index e193842e4..ac3dde35b 100644
--- a/freed-ora/current/f25/kernel.spec
+++ b/freed-ora/current/f25/kernel.spec
@@ -92,7 +92,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 6
+%define stable_update 8
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -717,20 +717,18 @@ Patch616: 0016-Input-silead-Do-not-try-to-directly-access-the-GPIO-.patch
 Patch703: HID-rmi-Make-sure-the-HID-device-is-opened-on-resume.patch
 Patch704: input-rmi4-remove-the-need-for-artifical-IRQ.patch
 
-# rhbz 1471302
-Patch705: bz1471302.patch 
-
 # rhbz 1476467
 Patch706: Fix-for-module-sig-verification.patch
 
 # rhbz 1462381
 Patch707: Back-out-qxl-atomic-delay.patch
 
-# CVE-2017-1000111 rhbz 1479304 1480464
-Patch708: net-packet-fix-tp_reserve-race-in-packet_set_ring.patch
+# CVE-2017-12134 rhbz 1477656 1481786
+Patch708: xsa229.patch
+
+# request for bug fix
+Patch709: iio-race-fix.patch
 
-# CVE-2017-1000112 rhbz 1479307 1480465
-Patch709: udp-consistently-apply-ufo-or-fragmentation.patch
 
 # END OF PATCH DEFINITIONS
 
@@ -2401,6 +2399,19 @@ fi
 #
 #
 %changelog
+* Thu Aug 17 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 4.12.8-gnu.
+
+* Thu Aug 17 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.12.8-200
+- Linux v4.12.8
+- Fix for iio race
+
+* Wed Aug 16 2017 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix xen CVE-2017-12134 (rhbz 1477656 1481786)
+
+* Mon Aug 14 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.12.7-200
+- Linux v4.12.7
+
 * Sat Aug 12 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre
 - GNU Linux-libre 4.12.6-gnu.
 
diff --git a/freed-ora/current/f25/net-packet-fix-tp_reserve-race-in-packet_set_ring.patch b/freed-ora/current/f25/net-packet-fix-tp_reserve-race-in-packet_set_ring.patch
deleted file mode 100644
index da7103dbe..000000000
--- a/freed-ora/current/f25/net-packet-fix-tp_reserve-race-in-packet_set_ring.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From patchwork Thu Aug 10 16:41:58 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [net] packet: fix tp_reserve race in packet_set_ring
-From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
-X-Patchwork-Id: 800274
-X-Patchwork-Delegate: davem@davemloft.net
-Message-Id: <20170810164158.52213-1-willemdebruijn.kernel@gmail.com>
-To: netdev@vger.kernel.org
-Cc: davem@davemloft.net, andreyknvl@gmail.com,
- Willem de Bruijn <willemb@google.com>
-Date: Thu, 10 Aug 2017 12:41:58 -0400
-
-From: Willem de Bruijn <willemb@google.com>
-
-Updates to tp_reserve can race with reads of the field in
-packet_set_ring. Avoid this by holding the socket lock during
-updates in setsockopt PACKET_RESERVE.
-
-This bug was discovered by syzkaller.
-
-Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
-Reported-by: Andrey Konovalov <andreyknvl@google.com>
-Signed-off-by: Willem de Bruijn <willemb@google.com>
----
- net/packet/af_packet.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
-index 0615c2a950fa..008a45ca3112 100644
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -3700,14 +3700,19 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
- 
- 		if (optlen != sizeof(val))
- 			return -EINVAL;
--		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
--			return -EBUSY;
- 		if (copy_from_user(&val, optval, sizeof(val)))
- 			return -EFAULT;
- 		if (val > INT_MAX)
- 			return -EINVAL;
--		po->tp_reserve = val;
--		return 0;
-+		lock_sock(sk);
-+		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
-+			ret = -EBUSY;
-+		} else {
-+			po->tp_reserve = val;
-+			ret = 0;
-+		}
-+		release_sock(sk);
-+		return ret;
- 	}
- 	case PACKET_LOSS:
- 	{
diff --git a/freed-ora/current/f25/patch-4.12-gnu-4.12.6-gnu.xz.sign b/freed-ora/current/f25/patch-4.12-gnu-4.12.6-gnu.xz.sign
deleted file mode 100644
index 6f1811184..000000000
--- a/freed-ora/current/f25/patch-4.12-gnu-4.12.6-gnu.xz.sign
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWY7hhgAKCRC8t8+Hfn1H
-p0GmAJ9o/73gXwXKrPASgfh0jfTF48YxkACeIwEuR8u4nzWooo7TLGmJSeb3Q4Y=
-=Kaqs
------END PGP SIGNATURE-----
diff --git a/freed-ora/current/f25/patch-4.12-gnu-4.12.8-gnu.xz.sign b/freed-ora/current/f25/patch-4.12-gnu-4.12.8-gnu.xz.sign
new file mode 100644
index 000000000..ca850d4de
--- /dev/null
+++ b/freed-ora/current/f25/patch-4.12-gnu-4.12.8-gnu.xz.sign
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWZVetAAKCRC8t8+Hfn1H
+pzGFAKCKcuYEGAPUP7niyg14btWWzZkfxwCcDTK0vpOiVcLA6OkwEOixNyHiWe8=
+=yiYh
+-----END PGP SIGNATURE-----
diff --git a/freed-ora/current/f25/sources b/freed-ora/current/f25/sources
index 067976939..9161c099a 100644
--- a/freed-ora/current/f25/sources
+++ b/freed-ora/current/f25/sources
@@ -1,3 +1,3 @@
 SHA512 (linux-libre-4.12-gnu.tar.xz) = d5586dba2e4deeb42ffe98c9305111da56e0741bb4508642d103367a0ef712c837e160366c3656d18f0d636fcd5b60c27593cb9216e10025d6abc74e6cdb05e4
 SHA512 (perf-man-4.12.tar.gz) = 4d3bbda1f520dba0007c351af46f45085fe4842074eb2e01aee736fd369df595f8f72ed6c1192715f1120bf3353279777f9dca1178fe93bffe5be2de700d409c
-SHA512 (patch-4.12-gnu-4.12.6-gnu.xz) = a6d4c3aa7dd23bde069aaf0e3ef75fc9d4510615403b3ed807a186a4cf587e9851a134e00d009f7f68848b893f6f2832a169b61d9a8fa2df3d1d9e68614742f1
+SHA512 (patch-4.12-gnu-4.12.8-gnu.xz) = a2352b667dde19560fabf5253f68be6d7551ea1a842c60582633dd9e07669e260394806ccaf38dff68a2980abf73bd4a18ca4714d842b5b287e7e187f2af5211
diff --git a/freed-ora/current/f25/udp-consistently-apply-ufo-or-fragmentation.patch b/freed-ora/current/f25/udp-consistently-apply-ufo-or-fragmentation.patch
deleted file mode 100644
index 63e089b6e..000000000
--- a/freed-ora/current/f25/udp-consistently-apply-ufo-or-fragmentation.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa Mon Sep 17 00:00:00 2001
-From: Willem de Bruijn <willemb@google.com>
-Date: Thu, 10 Aug 2017 12:29:19 -0400
-Subject: udp: consistently apply ufo or fragmentation
-
-When iteratively building a UDP datagram with MSG_MORE and that
-datagram exceeds MTU, consistently choose UFO or fragmentation.
-
-Once skb_is_gso, always apply ufo. Conversely, once a datagram is
-split across multiple skbs, do not consider ufo.
-
-Sendpage already maintains the first invariant, only add the second.
-IPv6 does not have a sendpage implementation to modify.
-
-A gso skb must have a partial checksum, do not follow sk_no_check_tx
-in udp_send_skb.
-
-Found by syzkaller.
-
-Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach")
-Reported-by: Andrey Konovalov <andreyknvl@google.com>
-Signed-off-by: Willem de Bruijn <willemb@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/ipv4/ip_output.c  | 8 +++++---
- net/ipv4/udp.c        | 2 +-
- net/ipv6/ip6_output.c | 7 ++++---
- 3 files changed, 10 insertions(+), 7 deletions(-)
-
-diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
-index 50c74cd..e153c40 100644
---- a/net/ipv4/ip_output.c
-+++ b/net/ipv4/ip_output.c
-@@ -965,11 +965,12 @@ static int __ip_append_data(struct sock *sk,
- 		csummode = CHECKSUM_PARTIAL;
- 
- 	cork->length += length;
--	if ((((length + (skb ? skb->len : fragheaderlen)) > mtu) ||
--	     (skb && skb_is_gso(skb))) &&
-+	if ((skb && skb_is_gso(skb)) ||
-+	    (((length + (skb ? skb->len : fragheaderlen)) > mtu) &&
-+	    (skb_queue_len(queue) <= 1) &&
- 	    (sk->sk_protocol == IPPROTO_UDP) &&
- 	    (rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) &&
--	    (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) {
-+	    (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx)) {
- 		err = ip_ufo_append_data(sk, queue, getfrag, from, length,
- 					 hh_len, fragheaderlen, transhdrlen,
- 					 maxfraglen, flags);
-@@ -1288,6 +1289,7 @@ ssize_t	ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
- 		return -EINVAL;
- 
- 	if ((size + skb->len > mtu) &&
-+	    (skb_queue_len(&sk->sk_write_queue) == 1) &&
- 	    (sk->sk_protocol == IPPROTO_UDP) &&
- 	    (rt->dst.dev->features & NETIF_F_UFO)) {
- 		if (skb->ip_summed != CHECKSUM_PARTIAL)
-diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
-index e6276fa..a7c804f 100644
---- a/net/ipv4/udp.c
-+++ b/net/ipv4/udp.c
-@@ -802,7 +802,7 @@ static int udp_send_skb(struct sk_buff *skb, struct flowi4 *fl4)
- 	if (is_udplite)  				 /*     UDP-Lite      */
- 		csum = udplite_csum(skb);
- 
--	else if (sk->sk_no_check_tx) {   /* UDP csum disabled */
-+	else if (sk->sk_no_check_tx && !skb_is_gso(skb)) {   /* UDP csum off */
- 
- 		skb->ip_summed = CHECKSUM_NONE;
- 		goto send;
-diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
-index 162efba..2dfe50d 100644
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -1381,11 +1381,12 @@ emsgsize:
- 	 */
- 
- 	cork->length += length;
--	if ((((length + (skb ? skb->len : headersize)) > mtu) ||
--	     (skb && skb_is_gso(skb))) &&
-+	if ((skb && skb_is_gso(skb)) ||
-+	    (((length + (skb ? skb->len : headersize)) > mtu) &&
-+	    (skb_queue_len(queue) <= 1) &&
- 	    (sk->sk_protocol == IPPROTO_UDP) &&
- 	    (rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) &&
--	    (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk)) {
-+	    (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk))) {
- 		err = ip6_ufo_append_data(sk, queue, getfrag, from, length,
- 					  hh_len, fragheaderlen, exthdrlen,
- 					  transhdrlen, mtu, flags, fl6);
--- 
-cgit v1.1
-
diff --git a/freed-ora/current/f25/xsa229.patch b/freed-ora/current/f25/xsa229.patch
new file mode 100644
index 000000000..47e953843
--- /dev/null
+++ b/freed-ora/current/f25/xsa229.patch
@@ -0,0 +1,59 @@
+From 84882133e793299f685991e20a9631acfd0a5608 Mon Sep 17 00:00:00 2001
+From: Roger Pau Monne <roger.pau@citrix.com>
+Date: Tue, 18 Jul 2017 15:01:00 +0100
+Subject: xen: fix bio vec merging
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The current test for bio vec merging is not fully accurate and can be
+tricked into merging bios when certain grant combinations are used.
+The result of these malicious bio merges is a bio that extends past
+the memory page used by any of the originating bios.
+
+Take into account the following scenario, where a guest creates two
+grant references that point to the same mfn, ie: grant 1 -> mfn A,
+grant 2 -> mfn A.
+
+These references are then used in a PV block request, and mapped by
+the backend domain, thus obtaining two different pfns that point to
+the same mfn, pfn B -> mfn A, pfn C -> mfn A.
+
+If those grants happen to be used in two consecutive sectors of a disk
+IO operation becoming two different bios in the backend domain, the
+checks in xen_biovec_phys_mergeable will succeed, because bfn1 == bfn2
+(they both point to the same mfn). However due to the bio merging,
+the backend domain will end up with a bio that expands past mfn A into
+mfn A + 1.
+
+Fix this by making sure the check in xen_biovec_phys_mergeable takes
+into account the offset and the length of the bio, this basically
+replicates whats done in __BIOVEC_PHYS_MERGEABLE using mfns (bus
+addresses). While there also remove the usage of
+__BIOVEC_PHYS_MERGEABLE, since that's already checked by the callers
+of xen_biovec_phys_mergeable.
+
+Reported-by: "Jan H. Schönherr" <jschoenh@amazon.de>
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+---
+ drivers/xen/biomerge.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/xen/biomerge.c b/drivers/xen/biomerge.c
+index 4da69dbf7dca..1bdd02a6d6ac 100644
+--- a/drivers/xen/biomerge.c
++++ b/drivers/xen/biomerge.c
+@@ -10,8 +10,7 @@ bool xen_biovec_phys_mergeable(const struct bio_vec *vec1,
+ 	unsigned long bfn1 = pfn_to_bfn(page_to_pfn(vec1->bv_page));
+ 	unsigned long bfn2 = pfn_to_bfn(page_to_pfn(vec2->bv_page));
+ 
+-	return __BIOVEC_PHYS_MERGEABLE(vec1, vec2) &&
+-		((bfn1 == bfn2) || ((bfn1+1) == bfn2));
++	return bfn1 + PFN_DOWN(vec1->bv_offset + vec1->bv_len) == bfn2;
+ #else
+ 	/*
+ 	 * XXX: Add support for merging bio_vec when using different page
+-- 
+2.11.0 (Apple Git-81)
+