4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 19 Nov 2017 14:26:37 +0000 (15:26 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 19 Nov 2017 14:26:37 +0000 (15:26 +0100)
added patches:
rpmsg-glink-add-missing-module_license.patch
spi-fix-use-after-free-at-controller-deregistration.patch
staging-ccree-fix-64-bit-scatter-gather-dma-ops.patch
staging-greybus-spilib-fix-use-after-free-after-deregistration.patch
staging-rtl8188eu-revert-4-commits-breaking-arp.patch
staging-sm750fb-fix-parameter-mistake-in-poke32.patch
staging-vboxvideo-fix-reporting-invalid-suggested-offset-properties.patch
staging-wilc1000-fix-bssid-buffer-offset-in-txq.patch

queue-4.14/rpmsg-glink-add-missing-module_license.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/spi-fix-use-after-free-at-controller-deregistration.patch [new file with mode: 0644]
queue-4.14/staging-ccree-fix-64-bit-scatter-gather-dma-ops.patch [new file with mode: 0644]
queue-4.14/staging-greybus-spilib-fix-use-after-free-after-deregistration.patch [new file with mode: 0644]
queue-4.14/staging-rtl8188eu-revert-4-commits-breaking-arp.patch [new file with mode: 0644]
queue-4.14/staging-sm750fb-fix-parameter-mistake-in-poke32.patch [new file with mode: 0644]
queue-4.14/staging-vboxvideo-fix-reporting-invalid-suggested-offset-properties.patch [new file with mode: 0644]
queue-4.14/staging-wilc1000-fix-bssid-buffer-offset-in-txq.patch [new file with mode: 0644]

diff --git a/queue-4.14/rpmsg-glink-add-missing-module_license.patch b/queue-4.14/rpmsg-glink-add-missing-module_license.patch
new file mode 100644 (file)
index 0000000..a90bb26
--- /dev/null
@@ -0,0 +1,30 @@
+From 1e0d5615bbc37deb7732491798abccf8d3c3d244 Mon Sep 17 00:00:00 2001
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+Date: Tue, 14 Nov 2017 21:45:34 -0800
+Subject: rpmsg: glink: Add missing MODULE_LICENSE
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+commit 1e0d5615bbc37deb7732491798abccf8d3c3d244 upstream.
+
+The qcom_glink_native driver is missing a MODULE_LICENSE(), correct
+this.
+
+Fixes: 835764ddd9af ("rpmsg: glink: Move the common glink protocol implementation to glink_native.c")
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/rpmsg/qcom_glink_native.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/rpmsg/qcom_glink_native.c
++++ b/drivers/rpmsg/qcom_glink_native.c
+@@ -1616,3 +1616,6 @@ void qcom_glink_native_unregister(struct
+       device_unregister(glink->dev);
+ }
+ EXPORT_SYMBOL_GPL(qcom_glink_native_unregister);
++
++MODULE_DESCRIPTION("Qualcomm GLINK driver");
++MODULE_LICENSE("GPL v2");
index b6db2cd9283688336849827eedf0be22e0248c08..7385813f04120182e56601809d8108c95bca912d 100644 (file)
@@ -21,3 +21,11 @@ platform-x86-peaq-wmi-add-dmi-check-before-binding-to-the-wmi-interface.patch
 platform-x86-peaq_wmi-fix-missing-terminating-entry-for-peaq_dmi_table.patch
 hid-cp2112-add-hidraw-dependency.patch
 hid-wacom-generic-recognize-wacom_hid_wd_pen-as-a-type-of-pen-collection.patch
+rpmsg-glink-add-missing-module_license.patch
+staging-wilc1000-fix-bssid-buffer-offset-in-txq.patch
+staging-sm750fb-fix-parameter-mistake-in-poke32.patch
+staging-ccree-fix-64-bit-scatter-gather-dma-ops.patch
+staging-greybus-spilib-fix-use-after-free-after-deregistration.patch
+staging-vboxvideo-fix-reporting-invalid-suggested-offset-properties.patch
+staging-rtl8188eu-revert-4-commits-breaking-arp.patch
+spi-fix-use-after-free-at-controller-deregistration.patch
diff --git a/queue-4.14/spi-fix-use-after-free-at-controller-deregistration.patch b/queue-4.14/spi-fix-use-after-free-at-controller-deregistration.patch
new file mode 100644 (file)
index 0000000..8e33834
--- /dev/null
@@ -0,0 +1,47 @@
+From 67f7b2781fafcc0f52464880154b320fea1ae982 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 30 Oct 2017 11:35:25 +0100
+Subject: spi: fix use-after-free at controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 67f7b2781fafcc0f52464880154b320fea1ae982 upstream.
+
+The controller is typically freed as part of device_unregister() so
+store the bus id before deregistration to avoid use-after-free when the
+id is later released.
+
+Fixes: 9b61e302210e ("spi: Pick spi bus number from Linux idr or spi alias")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -2245,11 +2245,12 @@ static int __unregister(struct device *d
+ void spi_unregister_controller(struct spi_controller *ctlr)
+ {
+       struct spi_controller *found;
++      int id = ctlr->bus_num;
+       int dummy;
+       /* First make sure that this controller was ever added */
+       mutex_lock(&board_lock);
+-      found = idr_find(&spi_master_idr, ctlr->bus_num);
++      found = idr_find(&spi_master_idr, id);
+       mutex_unlock(&board_lock);
+       if (found != ctlr) {
+               dev_dbg(&ctlr->dev,
+@@ -2269,7 +2270,7 @@ void spi_unregister_controller(struct sp
+       device_unregister(&ctlr->dev);
+       /* free bus id */
+       mutex_lock(&board_lock);
+-      idr_remove(&spi_master_idr, ctlr->bus_num);
++      idr_remove(&spi_master_idr, id);
+       mutex_unlock(&board_lock);
+ }
+ EXPORT_SYMBOL_GPL(spi_unregister_controller);
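Review bot: The new `int id = ctlr->bus_num;` in spi_unregister_controller() carries the whole fix, but nothing at the declaration says why the id is copied, so a later cleanup could fold it back into `ctlr->bus_num` and reintroduce the use-after-free. I would add a comment at the declaration, e.g. `/* ctlr may be freed by device_unregister(); keep the bus id for idr_remove() */`. Any other read of ctlr after device_unregister() in the part of the function between the two inner hunks would have the same problem; those lines are not visible here.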
diff --git a/queue-4.14/staging-ccree-fix-64-bit-scatter-gather-dma-ops.patch b/queue-4.14/staging-ccree-fix-64-bit-scatter-gather-dma-ops.patch
new file mode 100644 (file)
index 0000000..3c72418
--- /dev/null
@@ -0,0 +1,33 @@
+From e0b3f39092a1cff5548cbaf40096ec25e7721de6 Mon Sep 17 00:00:00 2001
+From: Gilad Ben-Yossef <gilad@benyossef.com>
+Date: Mon, 30 Oct 2017 13:38:03 +0000
+Subject: staging: ccree: fix 64 bit scatter/gather DMA ops
+
+From: Gilad Ben-Yossef <gilad@benyossef.com>
+
+commit e0b3f39092a1cff5548cbaf40096ec25e7721de6 upstream.
+
+Fix a wrong offset used in splitting a 64 DMA address to MSB/LSB
+parts needed for scatter/gather HW descriptors causing operations
+relying on them to fail on 64 bit platforms.
+
+Fixes: c6f7f2f4591f ("staging: ccree: refactor LLI access macros")
+Reported-by: Stuart Yoder <stuart.yoder@arm.com>
+Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/ccree/cc_lli_defs.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/ccree/cc_lli_defs.h
++++ b/drivers/staging/ccree/cc_lli_defs.h
+@@ -59,7 +59,7 @@ static inline void cc_lli_set_addr(u32 *
+       lli_p[LLI_WORD0_OFFSET] = (addr & U32_MAX);
+ #ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT
+       lli_p[LLI_WORD1_OFFSET] &= ~LLI_HADDR_MASK;
+-      lli_p[LLI_WORD1_OFFSET] |= FIELD_PREP(LLI_HADDR_MASK, (addr >> 16));
++      lli_p[LLI_WORD1_OFFSET] |= FIELD_PREP(LLI_HADDR_MASK, (addr >> 32));
+ #endif /* CONFIG_ARCH_DMA_ADDR_T_64BIT */
+ }
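Review bot: The corrected shift in cc_lli_set_addr() is still a bare literal, `(addr >> 32)`, the same kind of constant that was wrong before; the kernel helper `upper_32_bits(addr)` (and `lower_32_bits(addr)` for the `addr & U32_MAX` line) states the intent directly. Suggested line: `lli_p[LLI_WORD1_OFFSET] |= FIELD_PREP(LLI_HADDR_MASK, upper_32_bits(addr));`. The width of LLI_HADDR_MASK is not visible in the hunk; if it is narrower than 32 bits, address bits above it are presumably dropped silently, which would deserve a comment or a check. The function starts outside the hunk.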
diff --git a/queue-4.14/staging-greybus-spilib-fix-use-after-free-after-deregistration.patch b/queue-4.14/staging-greybus-spilib-fix-use-after-free-after-deregistration.patch
new file mode 100644 (file)
index 0000000..1ee5e7d
--- /dev/null
@@ -0,0 +1,52 @@
+From 770b03c2ca4aa44d226cf248f86aa23e546147d0 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Sun, 29 Oct 2017 13:01:33 +0100
+Subject: staging: greybus: spilib: fix use-after-free after deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 770b03c2ca4aa44d226cf248f86aa23e546147d0 upstream.
+
+Remove erroneous spi_master_put() after controller deregistration which
+would access the already freed spi controller.
+
+Note that spi_unregister_master() drops our only controller reference.
+
+Fixes: ba3e67001b42 ("greybus: SPI: convert to a gpbridge driver")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Rui Miguel Silva <rmfrfs@gmail.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/greybus/spilib.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/greybus/spilib.c
++++ b/drivers/staging/greybus/spilib.c
+@@ -544,12 +544,15 @@ int gb_spilib_master_init(struct gb_conn
+       return 0;
+-exit_spi_unregister:
+-      spi_unregister_master(master);
+ exit_spi_put:
+       spi_master_put(master);
+       return ret;
++
++exit_spi_unregister:
++      spi_unregister_master(master);
++
++      return ret;
+ }
+ EXPORT_SYMBOL_GPL(gb_spilib_master_init);
+@@ -558,7 +561,6 @@ void gb_spilib_master_exit(struct gb_con
+       struct spi_master *master = gb_connection_get_data(connection);
+       spi_unregister_master(master);
+-      spi_master_put(master);
+ }
+ EXPORT_SYMBOL_GPL(gb_spilib_master_exit);
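Review bot: The reordered error labels in gb_spilib_master_init() now depend on an unwritten rule, that `exit_spi_unregister` must not reach `spi_master_put()`, and the only place that rule is stated is the commit message. A comment at the label, e.g. `/* spi_unregister_master() drops our only reference; no spi_master_put() here */`, and the same line above the call in gb_spilib_master_exit(), would stop a later cleanup from restoring the put. Both functions begin outside the hunks.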
diff --git a/queue-4.14/staging-rtl8188eu-revert-4-commits-breaking-arp.patch b/queue-4.14/staging-rtl8188eu-revert-4-commits-breaking-arp.patch
new file mode 100644 (file)
index 0000000..9cf3a2b
--- /dev/null
@@ -0,0 +1,309 @@
+From 66d32fdcbf03851724a8b551d490ae1ddfe6eef2 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Thu, 2 Nov 2017 10:30:13 +0100
+Subject: staging: rtl8188eu: Revert 4 commits breaking ARP
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 66d32fdcbf03851724a8b551d490ae1ddfe6eef2 upstream.
+
+Commit 2ba8444c97b1 ("staging:r8188eu: move IV/ICV trimming into
+decrypt() and also place it after rtl88eu_mon_recv_hook()") breaks ARP.
+
+After this commit ssh-ing to a laptop with r8188eu wifi no longer works
+if the machine connecting has never communicated with the laptop before.
+This is 100% reproducable using "arp -d <ipv4> && ssh <ipv4>" to ssh to
+a laptop with r8188eu wifi.
+
+This commit reverts 4 commits in total:
+
+1. Commit 79650ffde38e ("staging:r8188eu: trim IV/ICV fields in
+   validate_recv_data_frame()")
+This commit depends on 2 of the other commits being reverted.
+
+2. Commit 02b19b4c4920 ("staging:r8188eu: inline unprotect_frame() in
+   mon_recv_decrypted_recv()")
+The inline code is wrong the un-inlined version contains:
+       if (skb->len < hdr_len + iv_len + icv_len)
+               return;
+       ...
+Where as the inline-ed code introduced by this commit does:
+       if (skb->len < hdr_len + iv_len + icv_len) {
+               ...
+Note the same check, but now to actually continue doing ... instead
+of to not do it, so this commit is no good.
+
+3. Commit d86e16da6a5d ("staging:r8188eu: use different mon_recv_decrypted()
+   inside rtl88eu_mon_recv_hook() and rtl88eu_mon_xmit_hook().")
+This commit introduced a 1:1 copy of a function so that one of the
+2 copies can be modified in the 2 commits we're already reverting.
+
+4. Commit 2ba8444c97b1 ("staging:r8188eu: move IV/ICV trimming into
+   decrypt() and also place it after rtl88eu_mon_recv_hook()")
+This is the commit actually breaking ARP.
+
+Note this commit is a straight-forward squash of the revert of these
+4 commits, without any changes.
+
+Cc: Ivan Safonov <insafonov@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8188eu/core/rtw_recv.c |   83 ++++++++++++++++++------------
+ drivers/staging/rtl8188eu/os_dep/mon.c    |   34 +-----------
+ 2 files changed, 55 insertions(+), 62 deletions(-)
+
+--- a/drivers/staging/rtl8188eu/core/rtw_recv.c
++++ b/drivers/staging/rtl8188eu/core/rtw_recv.c
+@@ -259,10 +259,12 @@ static int recvframe_chkmic(struct adapt
+                       }
+                       /* icv_len included the mic code */
+-                      datalen = precvframe->pkt->len-prxattrib->hdrlen - 8;
++                      datalen = precvframe->pkt->len-prxattrib->hdrlen -
++                                prxattrib->iv_len-prxattrib->icv_len-8;
+                       pframe = precvframe->pkt->data;
+-                      payload = pframe+prxattrib->hdrlen;
++                      payload = pframe+prxattrib->hdrlen+prxattrib->iv_len;
++                      RT_TRACE(_module_rtl871x_recv_c_, _drv_info_, ("\n prxattrib->iv_len=%d prxattrib->icv_len=%d\n", prxattrib->iv_len, prxattrib->icv_len));
+                       rtw_seccalctkipmic(mickey, pframe, payload, datalen, &miccode[0],
+                                          (unsigned char)prxattrib->priority); /* care the length of the data */
+@@ -407,15 +409,9 @@ static struct recv_frame *decryptor(stru
+               default:
+                       break;
+               }
+-              if (res != _FAIL) {
+-                      memmove(precv_frame->pkt->data + precv_frame->attrib.iv_len, precv_frame->pkt->data, precv_frame->attrib.hdrlen);
+-                      skb_pull(precv_frame->pkt, precv_frame->attrib.iv_len);
+-                      skb_trim(precv_frame->pkt, precv_frame->pkt->len - precv_frame->attrib.icv_len);
+-              }
+       } else if (prxattrib->bdecrypted == 1 && prxattrib->encrypt > 0 &&
+-                 (psecuritypriv->busetkipkey == 1 || prxattrib->encrypt != _TKIP_)) {
+-              psecuritypriv->hw_decrypted = true;
+-      }
++                 (psecuritypriv->busetkipkey == 1 || prxattrib->encrypt != _TKIP_))
++                      psecuritypriv->hw_decrypted = true;
+       if (res == _FAIL) {
+               rtw_free_recvframe(return_packet, &padapter->recvpriv.free_recv_queue);
+@@ -456,7 +452,7 @@ static struct recv_frame *portctrl(struc
+       if (auth_alg == 2) {
+               /* get ether_type */
+-              ptr = ptr + pfhdr->attrib.hdrlen + LLC_HEADER_SIZE;
++              ptr = ptr + pfhdr->attrib.hdrlen + LLC_HEADER_SIZE + pfhdr->attrib.iv_len;
+               memcpy(&be_tmp, ptr, 2);
+               ether_type = ntohs(be_tmp);
+@@ -1138,8 +1134,6 @@ static int validate_recv_data_frame(stru
+       }
+       if (pattrib->privacy) {
+-              struct sk_buff *skb = precv_frame->pkt;
+-
+               RT_TRACE(_module_rtl871x_recv_c_, _drv_info_, ("validate_recv_data_frame:pattrib->privacy=%x\n", pattrib->privacy));
+               RT_TRACE(_module_rtl871x_recv_c_, _drv_info_, ("\n ^^^^^^^^^^^IS_MCAST(pattrib->ra(0x%02x))=%d^^^^^^^^^^^^^^^6\n", pattrib->ra[0], IS_MCAST(pattrib->ra)));
+@@ -1148,13 +1142,6 @@ static int validate_recv_data_frame(stru
+               RT_TRACE(_module_rtl871x_recv_c_, _drv_info_, ("\n pattrib->encrypt=%d\n", pattrib->encrypt));
+               SET_ICE_IV_LEN(pattrib->iv_len, pattrib->icv_len, pattrib->encrypt);
+-
+-              if (pattrib->bdecrypted == 1 && pattrib->encrypt > 0) {
+-                      memmove(skb->data + pattrib->iv_len,
+-                              skb->data, pattrib->hdrlen);
+-                      skb_pull(skb, pattrib->iv_len);
+-                      skb_trim(skb, skb->len - pattrib->icv_len);
+-              }
+       } else {
+               pattrib->encrypt = 0;
+               pattrib->iv_len = 0;
+@@ -1274,7 +1261,6 @@ static int validate_recv_frame(struct ad
+        * Hence forward the frame to the monitor anyway to preserve the order
+        * in which frames were received.
+        */
+-
+       rtl88eu_mon_recv_hook(adapter->pmondev, precv_frame);
+ exit:
+@@ -1296,8 +1282,11 @@ static int wlanhdr_to_ethhdr(struct recv
+       u8 *ptr = precvframe->pkt->data;
+       struct rx_pkt_attrib *pattrib = &precvframe->attrib;
+-      psnap = (struct ieee80211_snap_hdr *)(ptr+pattrib->hdrlen);
+-      psnap_type = ptr+pattrib->hdrlen + SNAP_SIZE;
++      if (pattrib->encrypt)
++              skb_trim(precvframe->pkt, precvframe->pkt->len - pattrib->icv_len);
++
++      psnap = (struct ieee80211_snap_hdr *)(ptr+pattrib->hdrlen + pattrib->iv_len);
++      psnap_type = ptr+pattrib->hdrlen + pattrib->iv_len+SNAP_SIZE;
+       /* convert hdr + possible LLC headers into Ethernet header */
+       if ((!memcmp(psnap, rtw_rfc1042_header, SNAP_SIZE) &&
+            (!memcmp(psnap_type, SNAP_ETH_TYPE_IPX, 2) == false) &&
+@@ -1310,9 +1299,12 @@ static int wlanhdr_to_ethhdr(struct recv
+               bsnaphdr = false;
+       }
+-      rmv_len = pattrib->hdrlen + (bsnaphdr ? SNAP_SIZE : 0);
++      rmv_len = pattrib->hdrlen + pattrib->iv_len + (bsnaphdr ? SNAP_SIZE : 0);
+       len = precvframe->pkt->len - rmv_len;
++      RT_TRACE(_module_rtl871x_recv_c_, _drv_info_,
++               ("\n===pattrib->hdrlen: %x,  pattrib->iv_len:%x===\n\n", pattrib->hdrlen,  pattrib->iv_len));
++
+       memcpy(&be_tmp, ptr+rmv_len, 2);
+       eth_type = ntohs(be_tmp); /* pattrib->ether_type */
+       pattrib->eth_type = eth_type;
+@@ -1337,6 +1329,7 @@ static struct recv_frame *recvframe_defr
+                                          struct __queue *defrag_q)
+ {
+       struct list_head *plist, *phead;
++      u8 wlanhdr_offset;
+       u8      curfragnum;
+       struct recv_frame *pfhdr, *pnfhdr;
+       struct recv_frame *prframe, *pnextrframe;
+@@ -1385,7 +1378,12 @@ static struct recv_frame *recvframe_defr
+               /* copy the 2nd~n fragment frame's payload to the first fragment */
+               /* get the 2nd~last fragment frame's payload */
+-              skb_pull(pnextrframe->pkt, pnfhdr->attrib.hdrlen);
++              wlanhdr_offset = pnfhdr->attrib.hdrlen + pnfhdr->attrib.iv_len;
++
++              skb_pull(pnextrframe->pkt, wlanhdr_offset);
++
++              /* append  to first fragment frame's tail (if privacy frame, pull the ICV) */
++              skb_trim(prframe->pkt, prframe->pkt->len - pfhdr->attrib.icv_len);
+               /* memcpy */
+               memcpy(skb_tail_pointer(pfhdr->pkt), pnfhdr->pkt->data,
+@@ -1393,7 +1391,7 @@ static struct recv_frame *recvframe_defr
+               skb_put(prframe->pkt, pnfhdr->pkt->len);
+-              pfhdr->attrib.icv_len = 0;
++              pfhdr->attrib.icv_len = pnfhdr->attrib.icv_len;
+               plist = plist->next;
+       }
+@@ -1519,6 +1517,11 @@ static int amsdu_to_msdu(struct adapter
+       nr_subframes = 0;
+       pattrib = &prframe->attrib;
++      skb_pull(prframe->pkt, prframe->attrib.hdrlen);
++
++      if (prframe->attrib.iv_len > 0)
++              skb_pull(prframe->pkt, prframe->attrib.iv_len);
++
+       a_len = prframe->pkt->len;
+       pdata = prframe->pkt->data;
+@@ -1887,6 +1890,24 @@ static int process_recv_indicatepkts(str
+       return retval;
+ }
++static int recv_func_prehandle(struct adapter *padapter,
++                             struct recv_frame *rframe)
++{
++      int ret = _SUCCESS;
++      struct __queue *pfree_recv_queue = &padapter->recvpriv.free_recv_queue;
++
++      /* check the frame crtl field and decache */
++      ret = validate_recv_frame(padapter, rframe);
++      if (ret != _SUCCESS) {
++              RT_TRACE(_module_rtl871x_recv_c_, _drv_info_, ("recv_func: validate_recv_frame fail! drop pkt\n"));
++              rtw_free_recvframe(rframe, pfree_recv_queue);/* free this recv_frame */
++              goto exit;
++      }
++
++exit:
++      return ret;
++}
++
+ static int recv_func_posthandle(struct adapter *padapter,
+                               struct recv_frame *prframe)
+ {
+@@ -1939,7 +1960,6 @@ static int recv_func(struct adapter *pad
+       struct rx_pkt_attrib *prxattrib = &rframe->attrib;
+       struct security_priv *psecuritypriv = &padapter->securitypriv;
+       struct mlme_priv *mlmepriv = &padapter->mlmepriv;
+-      struct __queue *pfree_recv_queue = &padapter->recvpriv.free_recv_queue;
+       /* check if need to handle uc_swdec_pending_queue*/
+       if (check_fwstate(mlmepriv, WIFI_STATION_STATE) && psecuritypriv->busetkipkey) {
+@@ -1951,12 +1971,9 @@ static int recv_func(struct adapter *pad
+               }
+       }
+-      /* check the frame crtl field and decache */
+-      ret = validate_recv_frame(padapter, rframe);
+-      if (ret != _SUCCESS) {
+-              RT_TRACE(_module_rtl871x_recv_c_, _drv_info_, ("recv_func: validate_recv_frame fail! drop pkt\n"));
+-              rtw_free_recvframe(rframe, pfree_recv_queue);/* free this recv_frame */
+-      } else {
++      ret = recv_func_prehandle(padapter, rframe);
++
++      if (ret == _SUCCESS) {
+               /* check if need to enqueue into uc_swdec_pending_queue*/
+               if (check_fwstate(mlmepriv, WIFI_STATION_STATE) &&
+                   !IS_MCAST(prxattrib->ra) && prxattrib->encrypt > 0 &&
+--- a/drivers/staging/rtl8188eu/os_dep/mon.c
++++ b/drivers/staging/rtl8188eu/os_dep/mon.c
+@@ -66,34 +66,6 @@ static void mon_recv_decrypted(struct ne
+       netif_rx(skb);
+ }
+-static void mon_recv_decrypted_recv(struct net_device *dev, const u8 *data,
+-                                  int data_len)
+-{
+-      struct sk_buff *skb;
+-      struct ieee80211_hdr *hdr;
+-      int hdr_len;
+-
+-      skb = netdev_alloc_skb(dev, data_len);
+-      if (!skb)
+-              return;
+-      memcpy(skb_put(skb, data_len), data, data_len);
+-
+-      /*
+-       * Frame data is not encrypted. Strip off protection so
+-       * userspace doesn't think that it is.
+-       */
+-
+-      hdr = (struct ieee80211_hdr *)skb->data;
+-      hdr_len = ieee80211_hdrlen(hdr->frame_control);
+-
+-      if (ieee80211_has_protected(hdr->frame_control))
+-              hdr->frame_control &= ~cpu_to_le16(IEEE80211_FCTL_PROTECTED);
+-
+-      skb->ip_summed = CHECKSUM_UNNECESSARY;
+-      skb->protocol = eth_type_trans(skb, dev);
+-      netif_rx(skb);
+-}
+-
+ static void mon_recv_encrypted(struct net_device *dev, const u8 *data,
+                              int data_len)
+ {
+@@ -110,6 +82,7 @@ static void mon_recv_encrypted(struct ne
+ void rtl88eu_mon_recv_hook(struct net_device *dev, struct recv_frame *frame)
+ {
+       struct rx_pkt_attrib *attr;
++      int iv_len, icv_len;
+       int data_len;
+       u8 *data;
+@@ -122,8 +95,11 @@ void rtl88eu_mon_recv_hook(struct net_de
+       data = frame->pkt->data;
+       data_len = frame->pkt->len;
++      /* Broadcast and multicast frames don't have attr->{iv,icv}_len set */
++      SET_ICE_IV_LEN(iv_len, icv_len, attr->encrypt);
++
+       if (attr->bdecrypted)
+-              mon_recv_decrypted_recv(dev, data, data_len);
++              mon_recv_decrypted(dev, data, data_len, iv_len, icv_len);
+       else
+               mon_recv_encrypted(dev, data, data_len);
+ }
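Review bot: In recvframe_chkmic() the restored `datalen = precvframe->pkt->len-prxattrib->hdrlen - prxattrib->iv_len-prxattrib->icv_len-8;` subtracts four lengths from the received frame length with no lower bound visible in the hunk, so a frame shorter than header + IV + ICV + MIC would hand rtw_seccalctkipmic() a negative or wrapped length. Unless a check outside the hunk already guarantees the minimum size, I would guard it with `if (precvframe->pkt->len < prxattrib->hdrlen + prxattrib->iv_len + prxattrib->icv_len + 8)` and take the function's existing failure path. amsdu_to_msdu() likewise ignores the return value of the two added `skb_pull()` calls, which leave the buffer untouched when the frame is too short, so `a_len` and `pdata` would then still cover the 802.11 header. The declaration of datalen and the rest of these functions are outside the hunks, so the exact types are not confirmed here.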
diff --git a/queue-4.14/staging-sm750fb-fix-parameter-mistake-in-poke32.patch b/queue-4.14/staging-sm750fb-fix-parameter-mistake-in-poke32.patch
new file mode 100644 (file)
index 0000000..dd5e02f
--- /dev/null
@@ -0,0 +1,34 @@
+From 16808dcf605e6302319a8c3266789b76d4c0983b Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Mon, 6 Nov 2017 08:43:03 +0800
+Subject: staging: sm750fb: Fix parameter mistake in poke32
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit 16808dcf605e6302319a8c3266789b76d4c0983b upstream.
+
+In commit c075b6f2d357ea9 ("staging: sm750fb: Replace POKE32 and PEEK32
+by inline functions"), POKE32 has been replaced by the inline function
+poke32. But it exchange the "addr" and "data" parameters by mistake, so
+fix it.
+
+Fixes: c075b6f2d357ea9 ("staging: sm750fb: Replace POKE32 and PEEK32 by inline functions"),
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: Liangliang Huang <huangll@lemote.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/sm750fb/ddk750_chip.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/sm750fb/ddk750_chip.h
++++ b/drivers/staging/sm750fb/ddk750_chip.h
+@@ -18,7 +18,7 @@ static inline u32 peek32(u32 addr)
+       return readl(addr + mmio750);
+ }
+-static inline void poke32(u32 data, u32 addr)
++static inline void poke32(u32 addr, u32 data)
+ {
+       writel(data, addr + mmio750);
+ }
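Review bot: Both parameters of poke32() are plain `u32`, so the compiler cannot catch the swapped-argument mistake this patch fixes, and the new `(addr, data)` order is the reverse of the `writel(data, addr + mmio750)` call directly below it. A one-line comment above the function, e.g. `/* poke32(addr, data): register offset first, value second (opposite of writel()) */`, would make the convention explicit for callers. The same comment style on peek32() would keep the pair consistent.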
diff --git a/queue-4.14/staging-vboxvideo-fix-reporting-invalid-suggested-offset-properties.patch b/queue-4.14/staging-vboxvideo-fix-reporting-invalid-suggested-offset-properties.patch
new file mode 100644 (file)
index 0000000..2fba778
--- /dev/null
@@ -0,0 +1,113 @@
+From ce10d7b4e8e3574b9616e54a09d64521b9aeb8b6 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Thu, 12 Oct 2017 20:10:25 +0200
+Subject: staging: vboxvideo: Fix reporting invalid suggested-offset-properties
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit ce10d7b4e8e3574b9616e54a09d64521b9aeb8b6 upstream.
+
+The x and y hints receives from the host are unsigned 32 bit integers and
+they get set to -1 (0xffffffff) when invalid. Before this commit the
+vboxvideo driver was storing them in an u16 causing the -1 to be truncated
+to 65535 which, once reported to userspace, was breaking gnome 3.26+
+in Wayland mode.
+
+This commit stores the host values in 32 bit variables, removing the
+truncation and checks for -1, replacing it with 0 as -1 is not a valid
+suggested-offset-property value. Likewise the properties are now
+initialized to 0 instead of -1, since -1 is not a valid value.
+This fixes gnome 3.26+ in Wayland mode not working with the vboxvideo
+driver.
+
+Reported-by: Gianfranco Costamagna <locutusofborg@debian.org>
+Cc: Michael Thayer <michael.thayer@oracle.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/vboxvideo/vbox_drv.h  |    8 ++++----
+ drivers/staging/vboxvideo/vbox_irq.c  |    4 ++--
+ drivers/staging/vboxvideo/vbox_mode.c |   26 ++++++++++++++++++--------
+ 3 files changed, 24 insertions(+), 14 deletions(-)
+
+--- a/drivers/staging/vboxvideo/vbox_drv.h
++++ b/drivers/staging/vboxvideo/vbox_drv.h
+@@ -137,8 +137,8 @@ struct vbox_connector {
+       char name[32];
+       struct vbox_crtc *vbox_crtc;
+       struct {
+-              u16 width;
+-              u16 height;
++              u32 width;
++              u32 height;
+               bool disconnected;
+       } mode_hint;
+ };
+@@ -150,8 +150,8 @@ struct vbox_crtc {
+       unsigned int crtc_id;
+       u32 fb_offset;
+       bool cursor_enabled;
+-      u16 x_hint;
+-      u16 y_hint;
++      u32 x_hint;
++      u32 y_hint;
+ };
+ struct vbox_encoder {
+--- a/drivers/staging/vboxvideo/vbox_irq.c
++++ b/drivers/staging/vboxvideo/vbox_irq.c
+@@ -150,8 +150,8 @@ static void vbox_update_mode_hints(struc
+               disconnected = !(hints->enabled);
+               crtc_id = vbox_conn->vbox_crtc->crtc_id;
+-              vbox_conn->mode_hint.width = hints->cx & 0x8fff;
+-              vbox_conn->mode_hint.height = hints->cy & 0x8fff;
++              vbox_conn->mode_hint.width = hints->cx;
++              vbox_conn->mode_hint.height = hints->cy;
+               vbox_conn->vbox_crtc->x_hint = hints->dx;
+               vbox_conn->vbox_crtc->y_hint = hints->dy;
+               vbox_conn->mode_hint.disconnected = disconnected;
+--- a/drivers/staging/vboxvideo/vbox_mode.c
++++ b/drivers/staging/vboxvideo/vbox_mode.c
+@@ -553,12 +553,22 @@ static int vbox_get_modes(struct drm_con
+               ++num_modes;
+       }
+       vbox_set_edid(connector, preferred_width, preferred_height);
+-      drm_object_property_set_value(
+-              &connector->base, vbox->dev->mode_config.suggested_x_property,
+-              vbox_connector->vbox_crtc->x_hint);
+-      drm_object_property_set_value(
+-              &connector->base, vbox->dev->mode_config.suggested_y_property,
+-              vbox_connector->vbox_crtc->y_hint);
++
++      if (vbox_connector->vbox_crtc->x_hint != -1)
++              drm_object_property_set_value(&connector->base,
++                      vbox->dev->mode_config.suggested_x_property,
++                      vbox_connector->vbox_crtc->x_hint);
++      else
++              drm_object_property_set_value(&connector->base,
++                      vbox->dev->mode_config.suggested_x_property, 0);
++
++      if (vbox_connector->vbox_crtc->y_hint != -1)
++              drm_object_property_set_value(&connector->base,
++                      vbox->dev->mode_config.suggested_y_property,
++                      vbox_connector->vbox_crtc->y_hint);
++      else
++              drm_object_property_set_value(&connector->base,
++                      vbox->dev->mode_config.suggested_y_property, 0);
+       return num_modes;
+ }
+@@ -640,9 +650,9 @@ static int vbox_connector_init(struct dr
+       drm_mode_create_suggested_offset_properties(dev);
+       drm_object_attach_property(&connector->base,
+-                                 dev->mode_config.suggested_x_property, -1);
++                                 dev->mode_config.suggested_x_property, 0);
+       drm_object_attach_property(&connector->base,
+-                                 dev->mode_config.suggested_y_property, -1);
++                                 dev->mode_config.suggested_y_property, 0);
+       drm_connector_register(connector);
+       drm_mode_connector_attach_encoder(connector, encoder);
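Review bot: In vbox_update_mode_hints() the `& 0x8fff` mask on `hints->cx` and `hints->cy` is dropped while the fields widen to u32, so the host-supplied width and height are now stored unbounded; the commit message only discusses the x/y offset hints. How vbox_get_modes() consumes mode_hint.width and mode_hint.height is outside the hunks, so I would either confirm they are range-checked there or clamp them where they are stored. Separately, `x_hint != -1` compares a u32 against a signed literal and works only through implicit conversion; `x_hint != U32_MAX` (and the same for y_hint) says what is meant.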
diff --git a/queue-4.14/staging-wilc1000-fix-bssid-buffer-offset-in-txq.patch b/queue-4.14/staging-wilc1000-fix-bssid-buffer-offset-in-txq.patch
new file mode 100644 (file)
index 0000000..36b3f4f
--- /dev/null
@@ -0,0 +1,38 @@
+From 1bbf6a6d4091affb27ec0a19d7aa7887ce72f610 Mon Sep 17 00:00:00 2001
+From: Aditya Shankar <aditya.shankar@microchip.com>
+Date: Fri, 3 Nov 2017 14:26:27 +0530
+Subject: staging: wilc1000: Fix bssid buffer offset in Txq
+
+From: Aditya Shankar <aditya.shankar@microchip.com>
+
+commit 1bbf6a6d4091affb27ec0a19d7aa7887ce72f610 upstream.
+
+Commit 46949b48568b ("staging: wilc1000: New cfg packet
+format in handle_set_wfi_drv_handler") updated the frame
+format sent from host to the firmware. The code to update
+the bssid offset in the new frame was part of a second
+patch in the series which did not make it in and thus
+causes connection problems after associating to an AP.
+
+This fix adds the proper offset of the bssid value in the
+Tx queue buffer to fix the connection issues.
+
+Fixes: 46949b48568b ("staging: wilc1000: New cfg packet format in handle_set_wfi_drv_handler")
+Signed-off-by: Aditya Shankar <Aditya.Shankar@microchip.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/wilc1000/wilc_wlan.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/wilc1000/wilc_wlan.c
++++ b/drivers/staging/wilc1000/wilc_wlan.c
+@@ -714,7 +714,7 @@ int wilc_wlan_handle_txq(struct net_devi
+                                       char *bssid = ((struct tx_complete_data *)(tqe->priv))->bssid;
+                                       buffer_offset = ETH_ETHERNET_HDR_OFFSET;
+-                                      memcpy(&txb[offset + 4], bssid, 6);
++                                      memcpy(&txb[offset + 8], bssid, 6);
+                               } else {
+                                       buffer_offset = HOST_HDR_OFFSET;
+                               }
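Review bot: The fixed `memcpy(&txb[offset + 8], bssid, 6);` in wilc_wlan_handle_txq() still hard-codes both the header offset and the address length, and a wrong literal here is what broke association in the first place. I would write the length as `ETH_ALEN` and give the BSSID position a named constant, with a comment tying it to the config-packet format the firmware expects. Whether `offset + 8 + 6` is bounded against the size of txb is not visible in the hunk and is worth confirming; the function starts and ends outside it.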