4.4-stable patches
authorSasha Levin <sashal@kernel.org>
Tue, 30 Oct 2018 13:15:53 +0000 (09:15 -0400)
committerSasha Levin <sashal@kernel.org>
Tue, 30 Oct 2018 13:15:53 +0000 (09:15 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
87 files changed:
queue-4.4/aacraid-start-adapter-after-updating-number-of-msix-.patch [new file with mode: 0644]
queue-4.4/af_iucv-move-sockaddr-length-checks-to-before-access.patch [new file with mode: 0644]
queue-4.4/alsa-timer-fix-zero-division-by-continue-of-uninitia.patch [new file with mode: 0644]
queue-4.4/arm-8799-1-mm-fix-pci_ioremap_io-offset-check.patch [new file with mode: 0644]
queue-4.4/arm-dts-apq8064-add-ahci-ports-implemented-mask.patch [new file with mode: 0644]
queue-4.4/arm-dts-imx53-qsb-disable-1.2ghz-opp.patch [new file with mode: 0644]
queue-4.4/arm64-fix-potential-race-with-hardware-dbm-in-ptep_s.patch [new file with mode: 0644]
queue-4.4/asix-check-for-supported-wake-on-lan-modes.patch [new file with mode: 0644]
queue-4.4/asoc-ak4613-enable-cache-usage-to-fix-crashes-on-res.patch [new file with mode: 0644]
queue-4.4/asoc-spear-fix-error-return-code-in-spdif_in_probe.patch [new file with mode: 0644]
queue-4.4/asoc-wm8940-enable-cache-usage-to-fix-crashes-on-res.patch [new file with mode: 0644]
queue-4.4/ax88179_178a-check-for-supported-wake-on-lan-modes.patch [new file with mode: 0644]
queue-4.4/bluetooth-smp-fix-crash-in-unpairing.patch [new file with mode: 0644]
queue-4.4/bonding-avoid-defaulting-hard_header_len-to-eth_hlen.patch [new file with mode: 0644]
queue-4.4/bpf-generally-move-prog-destruction-to-rcu-deferral.patch [new file with mode: 0644]
queue-4.4/brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch [new file with mode: 0644]
queue-4.4/btrfs-cleaner_kthread-doesn-t-need-explicit-freeze.patch [new file with mode: 0644]
queue-4.4/btrfs-don-t-create-or-leak-aliased-root-while-cleani.patch [new file with mode: 0644]
queue-4.4/cfg80211-address-some-corner-cases-in-scan-result-ch.patch [new file with mode: 0644]
queue-4.4/cfg80211-reg-init-wiphy_idx-in-regulatory_hint_core.patch [new file with mode: 0644]
queue-4.4/cifs-handle-guest-access-errors-to-windows-shares.patch [new file with mode: 0644]
queue-4.4/drm-nouveau-fbcon-fix-oops-without-fbdev-emulation.patch [new file with mode: 0644]
queue-4.4/fs-fat-fatent.c-add-cond_resched-to-fat_count_free_c.patch [new file with mode: 0644]
queue-4.4/fuse-dont-call-set_page_dirty_lock-for-iter_bvec-pag.patch [new file with mode: 0644]
queue-4.4/gpio-msic-fix-error-return-code-in-platform_msic_gpi.patch [new file with mode: 0644]
queue-4.4/gpu-host1x-fix-error-return-code-in-host1x_probe.patch [new file with mode: 0644]
queue-4.4/gro-allow-tunnel-stacking-in-the-case-of-fou-gue.patch [new file with mode: 0644]
queue-4.4/igb-remove-superfluous-reset-to-phy-and-page-0-selec.patch [new file with mode: 0644]
queue-4.4/ipv6-orphan-skbs-in-reassembly-unit.patch [new file with mode: 0644]
queue-4.4/ipv6-suppress-sparse-warnings-in-ip6_ecn_set_ce.patch [new file with mode: 0644]
queue-4.4/ixgbe-correct-x550em_x-revision-check.patch [new file with mode: 0644]
queue-4.4/ixgbe-fix-rss-limit-for-x550.patch [new file with mode: 0644]
queue-4.4/ixgbevf-fix-handling-of-napi-budget-when-multiple-qu.patch [new file with mode: 0644]
queue-4.4/keys-put-keyring-if-install_session_keyring_to_cred-.patch [new file with mode: 0644]
queue-4.4/l2tp-hold-socket-before-dropping-lock-in-l2tp_ip-6-_.patch [new file with mode: 0644]
queue-4.4/lan78xx-check-for-supported-wake-on-lan-modes.patch [new file with mode: 0644]
queue-4.4/mac80211-always-report-tx-status.patch [new file with mode: 0644]
queue-4.4/mac80211_hwsim-do-not-omit-multicast-announce-of-fir.patch [new file with mode: 0644]
queue-4.4/media-usbvision-revert-commit-588afcc1.patch [new file with mode: 0644]
queue-4.4/mips-dec-fix-an-int-handler.s-cpu_daddi_workarounds-.patch [new file with mode: 0644]
queue-4.4/mips-fix-fcsr-cause-bit-handling-for-correct-sigfpe-.patch [new file with mode: 0644]
queue-4.4/mips-handle-non-word-sized-instructions-when-examini.patch [new file with mode: 0644]
queue-4.4/mips-micromips-fix-decoding-of-swsp16-instruction.patch [new file with mode: 0644]
queue-4.4/net-cxgb3_main-fix-a-missing-check-bug.patch [new file with mode: 0644]
queue-4.4/net-drop-write-only-stack-variable.patch [new file with mode: 0644]
queue-4.4/net-mlx4_en-resolve-dividing-by-zero-in-32-bit-syste.patch [new file with mode: 0644]
queue-4.4/net-mlx5e-correctly-handle-rss-indirection-table-whe.patch [new file with mode: 0644]
queue-4.4/net-mlx5e-fix-lro-modify.patch [new file with mode: 0644]
queue-4.4/perf-core-don-t-leak-event-in-the-syscall-error-path.patch [new file with mode: 0644]
queue-4.4/perf-ring_buffer-prevent-concurent-ring-buffer-acces.patch [new file with mode: 0644]
queue-4.4/pm-devfreq-tegra-fix-error-return-code-in-tegra_devf.patch [new file with mode: 0644]
queue-4.4/pxa168fb-prepare-the-clock.patch [new file with mode: 0644]
queue-4.4/r8152-check-for-supported-wake-on-lan-modes.patch [new file with mode: 0644]
queue-4.4/radix-tree-fix-radix_tree_iter_retry-for-tagged-iter.patch [new file with mode: 0644]
queue-4.4/sch_red-update-backlog-as-well.patch [new file with mode: 0644]
queue-4.4/sched-cgroup-fix-cgroup-entity-load-tracking-tear-do.patch [new file with mode: 0644]
queue-4.4/scsi-aacraid-fix-typo-in-blink-status.patch [new file with mode: 0644]
queue-4.4/scsi-add-starget_created_remove-state-to-scsi_target.patch [new file with mode: 0644]
queue-4.4/ser_gigaset-use-container_of-instead-of-detour.patch [new file with mode: 0644]
queue-4.4/series [new file with mode: 0644]
queue-4.4/smsc75xx-check-for-wake-on-lan-modes.patch [new file with mode: 0644]
queue-4.4/smsc95xx-check-for-wake-on-lan-modes.patch [new file with mode: 0644]
queue-4.4/sparc-pci-refactor-dev_archdata-initialization-into-.patch [new file with mode: 0644]
queue-4.4/sparc64-fix-exception-handling-in-ultrasparc-iii-mem.patch [new file with mode: 0644]
queue-4.4/sparc64-mm-fix-more-tsb-sizing-issues.patch [new file with mode: 0644]
queue-4.4/spi-bcm63xx-fix-error-return-code-in-bcm63xx_spi_pro.patch [new file with mode: 0644]
queue-4.4/spi-bcm63xx-hspi-fix-error-return-code-in-bcm63xx_hs.patch [new file with mode: 0644]
queue-4.4/spi-xlp-fix-error-return-code-in-xlp_spi_probe.patch [new file with mode: 0644]
queue-4.4/sr9800-check-for-supported-wake-on-lan-modes.patch [new file with mode: 0644]
queue-4.4/thermal-allow-spear-thermal-driver-to-be-a-module.patch [new file with mode: 0644]
queue-4.4/thermal-allow-u8500-thermal-driver-to-be-a-module.patch [new file with mode: 0644]
queue-4.4/tpm-fix-return-rc-when-devm_add_action-fails.patch [new file with mode: 0644]
queue-4.4/tracing-skip-more-functions-when-doing-stack-tracing.patch [new file with mode: 0644]
queue-4.4/tty-serial-sprd-fix-error-return-code-in-sprd_probe.patch [new file with mode: 0644]
queue-4.4/um-avoid-longjmp-setjmp-symbol-clashes-with-libpthre.patch [new file with mode: 0644]
queue-4.4/usb-dwc3-omap-fix-error-return-code-in-dwc3_omap_pro.patch [new file with mode: 0644]
queue-4.4/usb-ehci-omap-fix-error-return-code-in-ehci_hcd_omap.patch [new file with mode: 0644]
queue-4.4/usb-imx21-hcd-fix-error-return-code-in-imx21_probe.patch [new file with mode: 0644]
queue-4.4/usb-storage-fix-bogus-hardware-error-messages-for-at.patch [new file with mode: 0644]
queue-4.4/video-fbdev-pxa3xx_gcu-fix-error-return-code-in-pxa3.patch [new file with mode: 0644]
queue-4.4/vti6-flush-x-netns-xfrm-cache-when-vti-interface-is-.patch [new file with mode: 0644]
queue-4.4/x86-mm-pat-prevent-hang-during-boot-when-mapping-pag.patch [new file with mode: 0644]
queue-4.4/x86-pci-mark-broadwell-ep-home-agent-1-as-having-non.patch [new file with mode: 0644]
queue-4.4/xfrm-clear-sk_dst_cache-when-applying-per-socket-pol.patch [new file with mode: 0644]
queue-4.4/xfrm-validate-address-prefix-lengths-in-the-xfrm-sel.patch [new file with mode: 0644]
queue-4.4/xfrm-validate-template-mode.patch [new file with mode: 0644]
queue-4.4/xfrm6-call-kfree_skb-when-skb-is-toobig.patch [new file with mode: 0644]

diff --git a/queue-4.4/aacraid-start-adapter-after-updating-number-of-msix-.patch b/queue-4.4/aacraid-start-adapter-after-updating-number-of-msix-.patch
new file mode 100644 (file)
index 0000000..3288ac0
--- /dev/null
@@ -0,0 +1,36 @@
+From 32fc41a2a2ad57626a67dba214b2fb16c980c3b7 Mon Sep 17 00:00:00 2001
+From: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
+Date: Mon, 25 Apr 2016 23:31:12 -0700
+Subject: aacraid: Start adapter after updating number of MSIX vectors
+
+[ Upstream commit 116d77fea02e2a5aded7d29ba4c692774cb339f1 ]
+
+The adapter has to be started after updating the number of MSIX Vectors
+
+Fixes: ecc479e00db8 (aacraid: Set correct MSIX count for EEH recovery)
+Cc: stable@vger.kernel.org
+Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/aacraid/linit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c
+index 8da8b46da722..1c447405ebbf 100644
+--- a/drivers/scsi/aacraid/linit.c
++++ b/drivers/scsi/aacraid/linit.c
+@@ -1416,8 +1416,8 @@ static int aac_acquire_resources(struct aac_dev *dev)
+               /* After EEH recovery or suspend resume, max_msix count
+                * may change, therfore updating in init as well.
+                */
+-              aac_adapter_start(dev);
+               dev->init->Sa_MSIXVectors = cpu_to_le32(dev->max_msix);
++              aac_adapter_start(dev);
+       }
+       return 0;
+-- 
+2.17.1
+
diff --git a/queue-4.4/af_iucv-move-sockaddr-length-checks-to-before-access.patch b/queue-4.4/af_iucv-move-sockaddr-length-checks-to-before-access.patch
new file mode 100644 (file)
index 0000000..c6d2f1b
--- /dev/null
@@ -0,0 +1,54 @@
+From eb276dba21e1b88443a7b105190a39f026725eb6 Mon Sep 17 00:00:00 2001
+From: Mateusz Jurczyk <mjurczyk@google.com>
+Date: Fri, 23 Jun 2017 19:32:28 +0200
+Subject: af_iucv: Move sockaddr length checks to before accessing sa_family in
+ bind and connect handlers
+
+[ Upstream commit e3c42b61ff813921ba58cfc0019e3fd63f651190 ]
+
+Verify that the caller-provided sockaddr structure is large enough to
+contain the sa_family field, before accessing it in bind() and connect()
+handlers of the AF_IUCV socket. Since neither syscall enforces a minimum
+size of the corresponding memory region, very short sockaddrs (zero or
+one byte long) result in operating on uninitialized memory while
+referencing .sa_family.
+
+Fixes: 52a82e23b9f2 ("af_iucv: Validate socket address length in iucv_sock_bind()")
+Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
+[jwi: removed unneeded null-check for addr]
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/iucv/af_iucv.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
+index aeffb65181f5..5984cc35d508 100644
+--- a/net/iucv/af_iucv.c
++++ b/net/iucv/af_iucv.c
+@@ -705,10 +705,8 @@ static int iucv_sock_bind(struct socket *sock, struct sockaddr *addr,
+       char uid[9];
+       /* Verify the input sockaddr */
+-      if (!addr || addr->sa_family != AF_IUCV)
+-              return -EINVAL;
+-
+-      if (addr_len < sizeof(struct sockaddr_iucv))
++      if (addr_len < sizeof(struct sockaddr_iucv) ||
++          addr->sa_family != AF_IUCV)
+               return -EINVAL;
+       lock_sock(sk);
+@@ -852,7 +850,7 @@ static int iucv_sock_connect(struct socket *sock, struct sockaddr *addr,
+       struct iucv_sock *iucv = iucv_sk(sk);
+       int err;
+-      if (addr->sa_family != AF_IUCV || alen < sizeof(struct sockaddr_iucv))
++      if (alen < sizeof(struct sockaddr_iucv) || addr->sa_family != AF_IUCV)
+               return -EINVAL;
+       if (sk->sk_state != IUCV_OPEN && sk->sk_state != IUCV_BOUND)
+-- 
+2.17.1
+
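Review bot: The reordered checks in iucv_sock_bind() and iucv_sock_connect() compare what appears to be a signed length (`addr_len`, `alen`) against `sizeof(struct sockaddr_iucv)`, so the comparison is unsigned and a negative length would not be rejected here. This presumably relies on the socket syscall layer never passing a negative length down, which is worth stating next to the check. The order of the two tests is now the security-relevant part and is easy to undo in a later cleanup, so I would add above both conditions a comment such as `/* length first: sa_family must not be read from a short sockaddr */`. Both function bodies continue outside the hunks.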
diff --git a/queue-4.4/alsa-timer-fix-zero-division-by-continue-of-uninitia.patch b/queue-4.4/alsa-timer-fix-zero-division-by-continue-of-uninitia.patch
new file mode 100644 (file)
index 0000000..1099428
--- /dev/null
@@ -0,0 +1,95 @@
+From f8cb3a797c3d230b27f2a7f282f211357d03fd8c Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 7 Sep 2016 15:45:31 +0200
+Subject: ALSA: timer: Fix zero-division by continue of uninitialized instance
+
+[ Upstream commit 9f8a7658bcafb2a7853f7a2eae8a94e87e6e695b ]
+
+When a user timer instance is continued without the explicit start
+beforehand, the system gets eventually zero-division error like:
+
+  divide error: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
+  CPU: 1 PID: 27320 Comm: syz-executor Not tainted 4.8.0-rc3-next-20160825+ #8
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+   task: ffff88003c9b2280 task.stack: ffff880027280000
+   RIP: 0010:[<ffffffff858e1a6c>]  [<     inline     >] ktime_divns include/linux/ktime.h:195
+   RIP: 0010:[<ffffffff858e1a6c>]  [<ffffffff858e1a6c>] snd_hrtimer_callback+0x1bc/0x3c0 sound/core/hrtimer.c:62
+  Call Trace:
+   <IRQ>
+   [<     inline     >] __run_hrtimer kernel/time/hrtimer.c:1238
+   [<ffffffff81504335>] __hrtimer_run_queues+0x325/0xe70 kernel/time/hrtimer.c:1302
+   [<ffffffff81506ceb>] hrtimer_interrupt+0x18b/0x420 kernel/time/hrtimer.c:1336
+   [<ffffffff8126d8df>] local_apic_timer_interrupt+0x6f/0xe0 arch/x86/kernel/apic/apic.c:933
+   [<ffffffff86e13056>] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:957
+   [<ffffffff86e1210c>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:487
+   <EOI>
+   .....
+
+Although a similar issue was spotted and a fix patch was merged in
+commit [6b760bb2c63a: ALSA: timer: fix division by zero after
+SNDRV_TIMER_IOCTL_CONTINUE], it seems covering only a part of
+iceberg.
+
+In this patch, we fix the issue a bit more drastically.  Basically the
+continue of an uninitialized timer is supposed to be a fresh start, so
+we do it for user timers.  For the direct snd_timer_continue() call,
+there is no way to pass the initial tick value, so we kick out for the
+uninitialized case.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/timer.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+index ef850a99d64a..f989adb98a22 100644
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -35,6 +35,9 @@
+ #include <sound/initval.h>
+ #include <linux/kmod.h>
++/* internal flags */
++#define SNDRV_TIMER_IFLG_PAUSED               0x00010000
++
+ #if IS_ENABLED(CONFIG_SND_HRTIMER)
+ #define DEFAULT_TIMER_LIMIT 4
+ #elif IS_ENABLED(CONFIG_SND_RTCTIMER)
+@@ -547,6 +550,10 @@ static int snd_timer_stop1(struct snd_timer_instance *timeri, bool stop)
+               }
+       }
+       timeri->flags &= ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START);
++      if (stop)
++              timeri->flags &= ~SNDRV_TIMER_IFLG_PAUSED;
++      else
++              timeri->flags |= SNDRV_TIMER_IFLG_PAUSED;
+       snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
+                         SNDRV_TIMER_EVENT_PAUSE);
+  unlock:
+@@ -608,6 +615,10 @@ int snd_timer_stop(struct snd_timer_instance *timeri)
+  */
+ int snd_timer_continue(struct snd_timer_instance *timeri)
+ {
++      /* timer can continue only after pause */
++      if (!(timeri->flags & SNDRV_TIMER_IFLG_PAUSED))
++              return -EINVAL;
++
+       if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
+               return snd_timer_start_slave(timeri, false);
+       else
+@@ -1837,6 +1848,9 @@ static int snd_timer_user_continue(struct file *file)
+       tu = file->private_data;
+       if (!tu->timeri)
+               return -EBADFD;
++      /* start timer instead of continue if it's not used before */
++      if (!(tu->timeri->flags & SNDRV_TIMER_IFLG_PAUSED))
++              return snd_timer_user_start(file);
+       tu->timeri->lost = 0;
+       return (err = snd_timer_continue(tu->timeri)) < 0 ? err : 0;
+ }
+-- 
+2.17.1
+
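Review bot: The new `SNDRV_TIMER_IFLG_PAUSED` tests in snd_timer_continue() and snd_timer_user_continue() read `timeri->flags` with no lock visible in these hunks, while snd_timer_stop1() updates the same bit just before its `unlock:` label, apparently under a lock. If continue and stop/pause can run concurrently on one instance, the test can act on a stale value; whether the callers already serialise these paths cannot be told from the hunks. I would either take the same lock around the test or record the assumption, e.g. `/* flags is read unlocked here; caller must serialise against snd_timer_stop1() */`. All three functions start or end outside the hunks shown.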
diff --git a/queue-4.4/arm-8799-1-mm-fix-pci_ioremap_io-offset-check.patch b/queue-4.4/arm-8799-1-mm-fix-pci_ioremap_io-offset-check.patch
new file mode 100644 (file)
index 0000000..8486242
--- /dev/null
@@ -0,0 +1,45 @@
+From 49459d40b57de001f56bc58246857b69226d9888 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Date: Thu, 13 Sep 2018 16:48:08 +0100
+Subject: ARM: 8799/1: mm: fix pci_ioremap_io() offset check
+
+[ Upstream commit 3a58ac65e2d7969bcdf1b6acb70fa4d12a88e53e ]
+
+IO_SPACE_LIMIT is the ending address of the PCI IO space, i.e
+something like 0xfffff (and not 0x100000).
+
+Therefore, when offset = 0xf0000 is passed as argument, this function
+fails even though the offset + SZ_64K fits below the
+IO_SPACE_LIMIT. This makes the last chunk of 64 KB of the I/O space
+not usable as it cannot be mapped.
+
+This patch fixes that by substracing 1 to offset + SZ_64K, so that we
+compare the addrss of the last byte of the I/O space against
+IO_SPACE_LIMIT instead of the address of the first byte of what is
+after the I/O space.
+
+Fixes: c2794437091a4 ("ARM: Add fixed PCI i/o mapping")
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Acked-by: Nicolas Pitre <nico@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/ioremap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mm/ioremap.c b/arch/arm/mm/ioremap.c
+index 0c81056c1dd7..2a3feb73de0b 100644
+--- a/arch/arm/mm/ioremap.c
++++ b/arch/arm/mm/ioremap.c
+@@ -460,7 +460,7 @@ void pci_ioremap_set_mem_type(int mem_type)
+ int pci_ioremap_io(unsigned int offset, phys_addr_t phys_addr)
+ {
+-      BUG_ON(offset + SZ_64K > IO_SPACE_LIMIT);
++      BUG_ON(offset + SZ_64K - 1 > IO_SPACE_LIMIT);
+       return ioremap_page_range(PCI_IO_VIRT_BASE + offset,
+                                 PCI_IO_VIRT_BASE + offset + SZ_64K,
+-- 
+2.17.1
+
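Review bot: `offset + SZ_64K - 1` in the new BUG_ON is computed in the width of `unsigned int offset`, so an offset near the top of that range wraps and passes the check, after which ioremap_page_range() would be called with an address outside the PCI I/O window. Writing the bound without the addition avoids the wrap: `BUG_ON(offset > IO_SPACE_LIMIT - (SZ_64K - 1));`, assuming IO_SPACE_LIMIT is at least SZ_64K - 1 as the 0xfffff in the description suggests. Callers are presumably platform init code passing fixed offsets, so this is hardening rather than a known reachable fault. The function body continues outside the hunk.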
diff --git a/queue-4.4/arm-dts-apq8064-add-ahci-ports-implemented-mask.patch b/queue-4.4/arm-dts-apq8064-add-ahci-ports-implemented-mask.patch
new file mode 100644 (file)
index 0000000..4837547
--- /dev/null
@@ -0,0 +1,46 @@
+From 08a5045596be1a65b1b5ba2cd34f71d8e7bb6c15 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Fri, 1 Apr 2016 08:52:58 +0100
+Subject: ARM: dts: apq8064: add ahci ports-implemented mask
+
+[ Upstream commit bb4add2ce991e4ec891b5a0287fd1ab77b631979 ]
+
+This patch adds new ports-implemented mask, which is required to get
+achi working on the mainline. Without this patch value read from
+PORTS_IMPL register which is zero would not enable any ports for
+software to use.
+
+Fixes: 566d1827df2e ("libata: disable forced PORTS_IMPL for >= AHCI 1.3")
+Cc: stable@vger.kernel.org # v4.5+
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Reviewed-by: Andy Gross <andy.gross@linaro.org>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/qcom-apq8064.dtsi | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom-apq8064.dtsi
+index e00d50ef678f..3ff5ea16ebb3 100644
+--- a/arch/arm/boot/dts/qcom-apq8064.dtsi
++++ b/arch/arm/boot/dts/qcom-apq8064.dtsi
+@@ -577,7 +577,7 @@
+               };
+               sata0: sata@29000000 {
+-                      compatible              = "generic-ahci";
++                      compatible              = "qcom,apq8064-ahci", "generic-ahci";
+                       status                  = "disabled";
+                       reg                     = <0x29000000 0x180>;
+                       interrupts              = <GIC_SPI 209 IRQ_TYPE_NONE>;
+@@ -599,6 +599,7 @@
+                       phys                    = <&sata_phy0>;
+                       phy-names               = "sata-phy";
++                      ports-implemented       = <0x1>;
+               };
+               /* Temporary fixed regulator */
+-- 
+2.17.1
+
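Review bot: The trailer reads `Cc: stable@vger.kernel.org # v4.5+`, yet this patch is queued under queue-4.4, so it is worth confirming that the commit named in Fixes: (566d1827df2e) is present in the 4.4 tree. If it is not, the reason the description gives for needing `ports-implemented` may not apply to this branch. Separately, a comment beside `ports-implemented = <0x1>;` such as `/* PORTS_IMPL reads as zero here; expose port 0 explicitly */` would record why the override exists. The added `"qcom,apq8064-ahci"` string keeps `"generic-ahci"` as a fallback, so binding should be unaffected.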
diff --git a/queue-4.4/arm-dts-imx53-qsb-disable-1.2ghz-opp.patch b/queue-4.4/arm-dts-imx53-qsb-disable-1.2ghz-opp.patch
new file mode 100644 (file)
index 0000000..262c8a5
--- /dev/null
@@ -0,0 +1,46 @@
+From b81dea33984d21ff82f2156e81519e60da605d2a Mon Sep 17 00:00:00 2001
+From: Sascha Hauer <s.hauer@pengutronix.de>
+Date: Wed, 12 Sep 2018 08:23:01 +0200
+Subject: ARM: dts: imx53-qsb: disable 1.2GHz OPP
+
+[ Upstream commit eea96566c189c77e5272585984eb2729881a2f1d ]
+
+The maximum CPU frequency for the i.MX53 QSB is 1GHz, so disable the
+1.2GHz OPP. This makes the board work again with configs that have
+cpufreq enabled like imx_v6_v7_defconfig on which the board stopped
+working with the addition of cpufreq-dt support.
+
+Fixes: 791f416608 ("ARM: dts: imx53: add cpufreq-dt support")
+
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx53-qsb-common.dtsi | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx53-qsb-common.dtsi b/arch/arm/boot/dts/imx53-qsb-common.dtsi
+index 53fd75c8ffcf..47894b41e4e2 100644
+--- a/arch/arm/boot/dts/imx53-qsb-common.dtsi
++++ b/arch/arm/boot/dts/imx53-qsb-common.dtsi
+@@ -130,6 +130,17 @@
+       };
+ };
++&cpu0 {
++      /* CPU rated to 1GHz, not 1.2GHz as per the default settings */
++      operating-points = <
++              /* kHz   uV */
++              166666  850000
++              400000  900000
++              800000  1050000
++              1000000 1200000
++      >;
++};
++
+ &esdhc1 {
+       pinctrl-names = "default";
+       pinctrl-0 = <&pinctrl_esdhc1>;
+-- 
+2.17.1
+
diff --git a/queue-4.4/arm64-fix-potential-race-with-hardware-dbm-in-ptep_s.patch b/queue-4.4/arm64-fix-potential-race-with-hardware-dbm-in-ptep_s.patch
new file mode 100644 (file)
index 0000000..ec30210
--- /dev/null
@@ -0,0 +1,81 @@
+From 0c13f045866185fd711a70da53f0bd7c184245f4 Mon Sep 17 00:00:00 2001
+From: Catalin Marinas <catalin.marinas@arm.com>
+Date: Tue, 25 Jul 2017 14:53:03 +0100
+Subject: arm64: Fix potential race with hardware DBM in
+ ptep_set_access_flags()
+
+[ Upstream commit 6d332747fa5f0a6843b56b5b129168ba909336d1 ]
+
+In a system with DBM (dirty bit management) capable agents there is a
+possible race between a CPU executing ptep_set_access_flags() (maybe
+non-DBM capable) and a hardware update of the dirty state (clearing of
+PTE_RDONLY). The scenario:
+
+a) the pte is writable (PTE_WRITE set), clean (PTE_RDONLY set) and old
+   (PTE_AF clear)
+b) ptep_set_access_flags() is called as a result of a read access and it
+   needs to set the pte to writable, clean and young (PTE_AF set)
+c) a DBM-capable agent, as a result of a different write access, is
+   marking the entry as young (setting PTE_AF) and dirty (clearing
+   PTE_RDONLY)
+
+The current ptep_set_access_flags() implementation would set the
+PTE_RDONLY bit in the resulting value overriding the DBM update and
+losing the dirty state.
+
+This patch fixes such race by setting PTE_RDONLY to the most permissive
+(lowest value) of the current entry and the new one.
+
+Fixes: 66dbd6e61a52 ("arm64: Implement ptep_set_access_flags() for hardware AF/DBM")
+Cc: Will Deacon <will.deacon@arm.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Acked-by: Steve Capper <steve.capper@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/mm/fault.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
+index 86485415c5f0..be7f8416809f 100644
+--- a/arch/arm64/mm/fault.c
++++ b/arch/arm64/mm/fault.c
+@@ -107,26 +107,27 @@ int ptep_set_access_flags(struct vm_area_struct *vma,
+       /* only preserve the access flags and write permission */
+       pte_val(entry) &= PTE_AF | PTE_WRITE | PTE_DIRTY;
+-      /*
+-       * PTE_RDONLY is cleared by default in the asm below, so set it in
+-       * back if necessary (read-only or clean PTE).
+-       */
++      /* set PTE_RDONLY if actual read-only or clean PTE */
+       if (!pte_write(entry) || !pte_sw_dirty(entry))
+               pte_val(entry) |= PTE_RDONLY;
+       /*
+        * Setting the flags must be done atomically to avoid racing with the
+-       * hardware update of the access/dirty state.
++       * hardware update of the access/dirty state. The PTE_RDONLY bit must
++       * be set to the most permissive (lowest value) of *ptep and entry
++       * (calculated as: a & b == ~(~a | ~b)).
+        */
++      pte_val(entry) ^= PTE_RDONLY;
+       asm volatile("//        ptep_set_access_flags\n"
+       "       prfm    pstl1strm, %2\n"
+       "1:     ldxr    %0, %2\n"
+-      "       and     %0, %0, %3              // clear PTE_RDONLY\n"
++      "       eor     %0, %0, %3              // negate PTE_RDONLY in *ptep\n"
+       "       orr     %0, %0, %4              // set flags\n"
++      "       eor     %0, %0, %3              // negate final PTE_RDONLY\n"
+       "       stxr    %w1, %0, %2\n"
+       "       cbnz    %w1, 1b\n"
+       : "=&r" (old_pteval), "=&r" (tmp), "+Q" (pte_val(*ptep))
+-      : "L" (~PTE_RDONLY), "r" (pte_val(entry)));
++      : "L" (PTE_RDONLY), "r" (pte_val(entry)));
+       flush_tlb_fix_spurious_fault(vma, address);
+       return 1;
+-- 
+2.17.1
+
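Review bot: The line `pte_val(entry) ^= PTE_RDONLY;` ahead of the asm carries no comment of its own, although the loop is only correct because entry arrives with that bit pre-inverted. The block comment's `a & b == ~(~a | ~b)` does not say which operand is inverted where. I would add on that line `/* pre-invert PTE_RDONLY in entry: the eor/orr/eor sequence below then ANDs it with the bit in *ptep */`. It would also help to state that only PTE_RDONLY is inverted, while the remaining flags in entry are ORed into *ptep unchanged. The function starts and ends outside the hunk.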
diff --git a/queue-4.4/asix-check-for-supported-wake-on-lan-modes.patch b/queue-4.4/asix-check-for-supported-wake-on-lan-modes.patch
new file mode 100644 (file)
index 0000000..ba5eb6a
--- /dev/null
@@ -0,0 +1,36 @@
+From 244b9e8bfa667598ce986a21f73199958d631c4c Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:50 -0700
+Subject: asix: Check for supported Wake-on-LAN modes
+
+[ Upstream commit c4ce446e33d7a0e978256ac6fea4c80e59d9de5f ]
+
+The driver currently silently accepts unsupported Wake-on-LAN modes
+(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user,
+which is confusing.
+
+Fixes: 2e55cc7210fe ("[PATCH] USB: usbnet (3/9) module for ASIX Ethernet adapters")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/asix_common.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
+index 7fbd8f044207..2092ef6431f2 100644
+--- a/drivers/net/usb/asix_common.c
++++ b/drivers/net/usb/asix_common.c
+@@ -449,6 +449,9 @@ int asix_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo)
+       struct usbnet *dev = netdev_priv(net);
+       u8 opt = 0;
++      if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC))
++              return -EINVAL;
++
+       if (wolinfo->wolopts & WAKE_PHY)
+               opt |= AX_MONITOR_LINK;
+       if (wolinfo->wolopts & WAKE_MAGIC)
+-- 
+2.17.1
+
diff --git a/queue-4.4/asoc-ak4613-enable-cache-usage-to-fix-crashes-on-res.patch b/queue-4.4/asoc-ak4613-enable-cache-usage-to-fix-crashes-on-res.patch
new file mode 100644 (file)
index 0000000..ce5a3de
--- /dev/null
@@ -0,0 +1,44 @@
+From 3e5b79aad979a7a026e9a0de8353e0aaabf56bc8 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Thu, 16 Jun 2016 14:34:30 +0200
+Subject: ASoC: ak4613: Enable cache usage to fix crashes on resume
+
+[ Upstream commit dcd2d1f78664fdc75eadaaf65257834e24383d01 ]
+
+During system resume:
+
+    kernel BUG at drivers/base/regmap/regcache.c:347!
+    ...
+    PC is at regcache_sync+0x1c/0x128
+    LR is at ak4613_resume+0x28/0x34
+
+The ak4613 driver is using a regmap cache sync to restore the
+configuration of the chip on resume but does not actually define a
+register cache which means that the resume is never going to work and we
+trigger asserts in regmap.  Fix this by enabling caching.
+
+Based on commit d3030d11961a8c10 ("ASoC: ak4642: Enable cache usage to
+fix crashes on resume") by Mark Brown <broonie@kernel.org>.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/ak4613.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/codecs/ak4613.c b/sound/soc/codecs/ak4613.c
+index 07a266460ec3..b4b36cc92ffe 100644
+--- a/sound/soc/codecs/ak4613.c
++++ b/sound/soc/codecs/ak4613.c
+@@ -143,6 +143,7 @@ static const struct regmap_config ak4613_regmap_cfg = {
+       .max_register           = 0x16,
+       .reg_defaults           = ak4613_reg,
+       .num_reg_defaults       = ARRAY_SIZE(ak4613_reg),
++      .cache_type             = REGCACHE_RBTREE,
+ };
+ static const struct of_device_id ak4613_of_match[] = {
+-- 
+2.17.1
+
diff --git a/queue-4.4/asoc-spear-fix-error-return-code-in-spdif_in_probe.patch b/queue-4.4/asoc-spear-fix-error-return-code-in-spdif_in_probe.patch
new file mode 100644 (file)
index 0000000..28a12d7
--- /dev/null
@@ -0,0 +1,44 @@
+From 74e636af2f762d1f4b62cb2fcfa1ab18fbd17db1 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+Date: Fri, 30 Jun 2017 15:43:50 -0500
+Subject: ASoC: spear: fix error return code in spdif_in_probe()
+
+[ Upstream commit 27d30400c448264c1ac9434cb836de0c230af213 ]
+
+platform_get_irq() returns an error code, but the spdif_in driver
+ignores it and always returns -EINVAL. This is not correct, and
+prevents -EPROBE_DEFER from being propagated properly.
+
+Notice that platform_get_irq() no longer returns 0 on error:
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af
+
+Print error message and propagate the return value of platform_get_irq
+on failure.
+
+Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/spear/spdif_in.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/spear/spdif_in.c b/sound/soc/spear/spdif_in.c
+index 977a078eb92f..7f32527fc3c8 100644
+--- a/sound/soc/spear/spdif_in.c
++++ b/sound/soc/spear/spdif_in.c
+@@ -223,8 +223,10 @@ static int spdif_in_probe(struct platform_device *pdev)
+       host->io_base = io_base;
+       host->irq = platform_get_irq(pdev, 0);
+-      if (host->irq < 0)
+-              return -EINVAL;
++      if (host->irq < 0) {
++              dev_warn(&pdev->dev, "failed to get IRQ: %d\n", host->irq);
++              return host->irq;
++      }
+       host->clk = devm_clk_get(&pdev->dev, NULL);
+       if (IS_ERR(host->clk))
+-- 
+2.17.1
+
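Review bot: The added `dev_warn()` also fires when platform_get_irq() returns -EPROBE_DEFER, which the description names as the case this change is meant to propagate, so each deferred probe logs a failure that is not one. I would guard the message and raise its level since probe is aborted: `if (host->irq != -EPROBE_DEFER) dev_err(&pdev->dev, "failed to get IRQ: %d\n", host->irq);`. spdif_in_probe() continues outside the hunk.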
diff --git a/queue-4.4/asoc-wm8940-enable-cache-usage-to-fix-crashes-on-res.patch b/queue-4.4/asoc-wm8940-enable-cache-usage-to-fix-crashes-on-res.patch
new file mode 100644 (file)
index 0000000..4c68afd
--- /dev/null
@@ -0,0 +1,39 @@
+From 9d3e49967c1cedde2f55d7774547edb5ed7cebac Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Thu, 16 Jun 2016 14:34:32 +0200
+Subject: ASoC: wm8940: Enable cache usage to fix crashes on resume
+
+[ Upstream commit 50c7a0ef2d97e56c7ce2f1ea5fe1d8e25aadc1bb ]
+
+The wm8940 driver is using a regmap cache sync to restore the
+configuration of the chip when switching from OFF to STANDBY, but does
+not actually define a register cache which means that the restore is
+never going to work and we trigger asserts in regmap.  Fix this by
+enabling caching.
+
+Based on commit d3030d11961a8c10 ("ASoC: ak4642: Enable cache usage to
+fix crashes on resume") by Mark Brown <broonie@kernel.org>.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Acked-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wm8940.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/codecs/wm8940.c b/sound/soc/codecs/wm8940.c
+index f6f9395ea38e..1c600819f768 100644
+--- a/sound/soc/codecs/wm8940.c
++++ b/sound/soc/codecs/wm8940.c
+@@ -743,6 +743,7 @@ static const struct regmap_config wm8940_regmap = {
+       .max_register = WM8940_MONOMIX,
+       .reg_defaults = wm8940_reg_defaults,
+       .num_reg_defaults = ARRAY_SIZE(wm8940_reg_defaults),
++      .cache_type = REGCACHE_RBTREE,
+       .readable_reg = wm8940_readable_register,
+       .volatile_reg = wm8940_volatile_register,
+-- 
+2.17.1
+
diff --git a/queue-4.4/ax88179_178a-check-for-supported-wake-on-lan-modes.patch b/queue-4.4/ax88179_178a-check-for-supported-wake-on-lan-modes.patch
new file mode 100644 (file)
index 0000000..f973fde
--- /dev/null
@@ -0,0 +1,36 @@
+From bdd4d94f40c1f058c6796ce631c37d601e5c0b7c Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:51 -0700
+Subject: ax88179_178a: Check for supported Wake-on-LAN modes
+
+[ Upstream commit 5ba6b4aa9a410c5e2c6417df52b5e2118ea9b467 ]
+
+The driver currently silently accepts unsupported Wake-on-LAN modes
+(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user,
+which is confusing.
+
+Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/ax88179_178a.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c
+index e6338c16081a..e3f2e6098db4 100644
+--- a/drivers/net/usb/ax88179_178a.c
++++ b/drivers/net/usb/ax88179_178a.c
+@@ -566,6 +566,9 @@ ax88179_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo)
+       struct usbnet *dev = netdev_priv(net);
+       u8 opt = 0;
++      if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC))
++              return -EINVAL;
++
+       if (wolinfo->wolopts & WAKE_PHY)
+               opt |= AX_MONITOR_MODE_RWLC;
+       if (wolinfo->wolopts & WAKE_MAGIC)
+-- 
+2.17.1
+
diff --git a/queue-4.4/bluetooth-smp-fix-crash-in-unpairing.patch b/queue-4.4/bluetooth-smp-fix-crash-in-unpairing.patch
new file mode 100644 (file)
index 0000000..6a288ce
--- /dev/null
@@ -0,0 +1,194 @@
+From 1cd042b1a5e95ca2f0fd6e4787ad007206b74f7c Mon Sep 17 00:00:00 2001
+From: Matias Karhumaa <matias.karhumaa@gmail.com>
+Date: Wed, 26 Sep 2018 09:13:46 +0300
+Subject: Bluetooth: SMP: fix crash in unpairing
+
+[ Upstream commit cb28c306b93b71f2741ce1a5a66289db26715f4d ]
+
+In case unpair_device() was called through mgmt interface at the same time
+when pairing was in progress, Bluetooth kernel module crash was seen.
+
+[  600.351225] general protection fault: 0000 [#1] SMP PTI
+[  600.351235] CPU: 1 PID: 11096 Comm: btmgmt Tainted: G           OE     4.19.0-rc1+ #1
+[  600.351238] Hardware name: Dell Inc. Latitude E5440/08RCYC, BIOS A18 05/14/2017
+[  600.351272] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth]
+[  600.351276] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 <48> 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01
+[  600.351279] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246
+[  600.351282] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60
+[  600.351285] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500
+[  600.351287] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00
+[  600.351290] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800
+[  600.351292] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00
+[  600.351295] FS:  00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000
+[  600.351298] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  600.351300] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0
+[  600.351302] Call Trace:
+[  600.351325]  smp_failure+0x4f/0x70 [bluetooth]
+[  600.351345]  smp_cancel_pairing+0x74/0x80 [bluetooth]
+[  600.351370]  unpair_device+0x1c1/0x330 [bluetooth]
+[  600.351399]  hci_sock_sendmsg+0x960/0x9f0 [bluetooth]
+[  600.351409]  ? apparmor_socket_sendmsg+0x1e/0x20
+[  600.351417]  sock_sendmsg+0x3e/0x50
+[  600.351422]  sock_write_iter+0x85/0xf0
+[  600.351429]  do_iter_readv_writev+0x12b/0x1b0
+[  600.351434]  do_iter_write+0x87/0x1a0
+[  600.351439]  vfs_writev+0x98/0x110
+[  600.351443]  ? ep_poll+0x16d/0x3d0
+[  600.351447]  ? ep_modify+0x73/0x170
+[  600.351451]  do_writev+0x61/0xf0
+[  600.351455]  ? do_writev+0x61/0xf0
+[  600.351460]  __x64_sys_writev+0x1c/0x20
+[  600.351465]  do_syscall_64+0x5a/0x110
+[  600.351471]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[  600.351474] RIP: 0033:0x7fb2bdb62fe0
+[  600.351477] Code: 73 01 c3 48 8b 0d b8 6e 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 69 c7 2c 00 00 75 10 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 de 80 01 00 48 89 04 24
+[  600.351479] RSP: 002b:00007ffe062cb8f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
+[  600.351484] RAX: ffffffffffffffda RBX: 000000000255b3d0 RCX: 00007fb2bdb62fe0
+[  600.351487] RDX: 0000000000000001 RSI: 00007ffe062cb920 RDI: 0000000000000004
+[  600.351490] RBP: 00007ffe062cb920 R08: 000000000255bd80 R09: 0000000000000000
+[  600.351494] R10: 0000000000000353 R11: 0000000000000246 R12: 0000000000000001
+[  600.351497] R13: 00007ffe062cbbe0 R14: 0000000000000000 R15: 0000000000000000
+[  600.351501] Modules linked in: algif_hash algif_skcipher af_alg cmac ipt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat_ipv4 xt_addrtype iptable_filter ip_tables xt_conntrack x_tables nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c br_netfilter bridge stp llc overlay arc4 nls_iso8859_1 dm_crypt intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp dell_laptop kvm_intel crct10dif_pclmul dell_smm_hwmon crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper intel_cstate intel_rapl_perf uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev media hid_multitouch input_leds joydev serio_raw dell_wmi snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic dell_smbios dcdbas sparse_keymap
+[  600.351569]  snd_hda_intel btusb snd_hda_codec btrtl btbcm btintel snd_hda_core bluetooth(OE) snd_hwdep snd_pcm iwlmvm ecdh_generic wmi_bmof dell_wmi_descriptor snd_seq_midi mac80211 snd_seq_midi_event lpc_ich iwlwifi snd_rawmidi snd_seq snd_seq_device snd_timer cfg80211 snd soundcore mei_me mei dell_rbtn dell_smo8800 mac_hid parport_pc ppdev lp parport autofs4 hid_generic usbhid hid i915 nouveau kvmgt vfio_mdev mdev vfio_iommu_type1 vfio kvm irqbypass i2c_algo_bit ttm drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi psmouse ahci sdhci_pci cqhci libahci fb_sys_fops sdhci drm e1000e video wmi
+[  600.351637] ---[ end trace e49e9f1df09c94fb ]---
+[  600.351664] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth]
+[  600.351666] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 <48> 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01
+[  600.351669] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246
+[  600.351672] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60
+[  600.351674] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500
+[  600.351676] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00
+[  600.351679] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800
+[  600.351681] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00
+[  600.351684] FS:  00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000
+[  600.351686] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  600.351689] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0
+
+Crash happened because list_del_rcu() was called twice for smp->ltk. This
+was possible if unpair_device was called right after ltk was generated
+but before keys were distributed.
+
+In this commit smp_cancel_pairing was refactored to cancel pairing if it
+is in progress and otherwise just removes keys. Once keys are removed from
+rcu list, pointers to smp context's keys are set to NULL to make sure
+removed list items are not accessed later.
+
+This commit also adjusts the functionality of mgmt unpair_device() little
+bit. Previously pairing was canceled only if pairing was in state that
+keys were already generated. With this commit unpair_device() cancels
+pairing already in earlier states.
+
+Bug was found by fuzzing kernel SMP implementation using Synopsys
+Defensics.
+
+Reported-by: Pekka Oikarainen <pekka.oikarainen@synopsys.com>
+Signed-off-by: Matias Karhumaa <matias.karhumaa@gmail.com>
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c |  7 ++-----
+ net/bluetooth/smp.c  | 29 +++++++++++++++++++++++++----
+ net/bluetooth/smp.h  |  3 ++-
+ 3 files changed, 29 insertions(+), 10 deletions(-)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index b1b0a1c0bd8d..ecc3da6a14a1 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -3083,9 +3083,8 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
+       /* LE address type */
+       addr_type = le_addr_type(cp->addr.type);
+-      hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type);
+-
+-      err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type);
++      /* Abort any ongoing SMP pairing. Removes ltk and irk if they exist. */
++      err = smp_cancel_and_remove_pairing(hdev, &cp->addr.bdaddr, addr_type);
+       if (err < 0) {
+               err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE,
+                                       MGMT_STATUS_NOT_PAIRED, &rp,
+@@ -3099,8 +3098,6 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data,
+               goto done;
+       }
+-      /* Abort any ongoing SMP pairing */
+-      smp_cancel_pairing(conn);
+       /* Defer clearing up the connection parameters until closing to
+        * give a chance of keeping them if a repairing happens.
+diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
+index 0dc27d2e8f18..bedfaef2c59e 100644
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2371,30 +2371,51 @@ unlock:
+       return ret;
+ }
+-void smp_cancel_pairing(struct hci_conn *hcon)
++int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
++                                u8 addr_type)
+ {
+-      struct l2cap_conn *conn = hcon->l2cap_data;
++      struct hci_conn *hcon;
++      struct l2cap_conn *conn;
+       struct l2cap_chan *chan;
+       struct smp_chan *smp;
++      int err;
++
++      err = hci_remove_ltk(hdev, bdaddr, addr_type);
++      hci_remove_irk(hdev, bdaddr, addr_type);
++
++      hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
++      if (!hcon)
++              goto done;
++      conn = hcon->l2cap_data;
+       if (!conn)
+-              return;
++              goto done;
+       chan = conn->smp;
+       if (!chan)
+-              return;
++              goto done;
+       l2cap_chan_lock(chan);
+       smp = chan->data;
+       if (smp) {
++              /* Set keys to NULL to make sure smp_failure() does not try to
++               * remove and free already invalidated rcu list entries. */
++              smp->ltk = NULL;
++              smp->slave_ltk = NULL;
++              smp->remote_irk = NULL;
++
+               if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
+                       smp_failure(conn, 0);
+               else
+                       smp_failure(conn, SMP_UNSPECIFIED);
++              err = 0;
+       }
+       l2cap_chan_unlock(chan);
++
++done:
++      return err;
+ }
+ static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
+diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h
+index ffcc70b6b199..993cbd7bcfe7 100644
+--- a/net/bluetooth/smp.h
++++ b/net/bluetooth/smp.h
+@@ -180,7 +180,8 @@ enum smp_key_pref {
+ };
+ /* SMP Commands */
+-void smp_cancel_pairing(struct hci_conn *hcon);
++int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
++                                u8 addr_type);
+ bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
+                            enum smp_key_pref key_pref);
+ int smp_conn_security(struct hci_conn *hcon, __u8 sec_level);
+-- 
+2.17.1
+
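Review bot: In smp_cancel_and_remove_pairing() the keys are removed by `hci_remove_ltk()`/`hci_remove_irk()` before `l2cap_chan_lock(chan)` is taken, and `smp->ltk`, `smp->slave_ltk` and `smp->remote_irk` are then cleared unconditionally under that lock. That is only safe if no new key can be attached to the SMP context in between, and the hunk does not show which lock guarantees it. A comment above the function naming the lock the caller must hold (presumably the hdev lock taken in unpair_device(), to be confirmed) would make the invariant checkable. The same comment should state the return contract: the result of `hci_remove_ltk()` is returned unless an SMP context was found, in which case `err = 0` overrides it. The return value of `hci_remove_irk()` is dropped, which looks intentional but is worth a word too.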
diff --git a/queue-4.4/bonding-avoid-defaulting-hard_header_len-to-eth_hlen.patch b/queue-4.4/bonding-avoid-defaulting-hard_header_len-to-eth_hlen.patch
new file mode 100644 (file)
index 0000000..d3e31dd
--- /dev/null
@@ -0,0 +1,91 @@
+From caa113e6ec6d3b03d67215aa4fa01346fc6f6f60 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Thu, 27 Apr 2017 19:29:34 +0200
+Subject: bonding: avoid defaulting hard_header_len to ETH_HLEN on slave
+ removal
+
+[ Upstream commit 19cdead3e2ef8ed765c5d1ce48057ca9d97b5094 ]
+
+On slave list updates, the bonding driver computes its hard_header_len
+as the maximum of all enslaved devices's hard_header_len.
+If the slave list is empty, e.g. on last enslaved device removal,
+ETH_HLEN is used.
+
+Since the bonding header_ops are set only when the first enslaved
+device is attached, the above can lead to header_ops->create()
+being called with the wrong skb headroom in place.
+
+If bond0 is configured on top of ipoib devices, with the
+following commands:
+
+ifup bond0
+for slave in $BOND_SLAVES_LIST; do
+       ip link set dev $slave nomaster
+done
+ping -c 1 <ip on bond0 subnet>
+
+we will obtain a skb_under_panic() with a similar call trace:
+       skb_push+0x3d/0x40
+       push_pseudo_header+0x17/0x30 [ib_ipoib]
+       ipoib_hard_header+0x4e/0x80 [ib_ipoib]
+       arp_create+0x12f/0x220
+       arp_send_dst.part.19+0x28/0x50
+       arp_solicit+0x115/0x290
+       neigh_probe+0x4d/0x70
+       __neigh_event_send+0xa7/0x230
+       neigh_resolve_output+0x12e/0x1c0
+       ip_finish_output2+0x14b/0x390
+       ip_finish_output+0x136/0x1e0
+       ip_output+0x76/0xe0
+       ip_local_out+0x35/0x40
+       ip_send_skb+0x19/0x40
+       ip_push_pending_frames+0x33/0x40
+       raw_sendmsg+0x7d3/0xb50
+       inet_sendmsg+0x31/0xb0
+       sock_sendmsg+0x38/0x50
+       SYSC_sendto+0x102/0x190
+       SyS_sendto+0xe/0x10
+       do_syscall_64+0x67/0x180
+       entry_SYSCALL64_slow_path+0x25/0x25
+
+This change addresses the issue avoiding updating the bonding device
+hard_header_len when the slaves list become empty, forbidding to
+shrink it below the value used by header_ops->create().
+
+The bug is there since commit 54ef31371407 ("[PATCH] bonding: Handle large
+hard_header_len") but the panic can be triggered only since
+commit fc791b633515 ("IB/ipoib: move back IB LL address into the hard
+header").
+
+Reported-by: Norbert P <noe@physik.uzh.ch>
+Fixes: 54ef31371407 ("[PATCH] bonding: Handle large hard_header_len")
+Fixes: fc791b633515 ("IB/ipoib: move back IB LL address into the hard header")
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 339118f3c718..9e6159271c26 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1106,11 +1106,11 @@ static void bond_compute_features(struct bonding *bond)
+               gso_max_size = min(gso_max_size, slave->dev->gso_max_size);
+               gso_max_segs = min(gso_max_segs, slave->dev->gso_max_segs);
+       }
++      bond_dev->hard_header_len = max_hard_header_len;
+ done:
+       bond_dev->vlan_features = vlan_features;
+       bond_dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL;
+-      bond_dev->hard_header_len = max_hard_header_len;
+       bond_dev->gso_max_segs = gso_max_segs;
+       netif_set_gso_max_size(bond_dev, gso_max_size);
+-- 
+2.17.1
+
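Review bot: The assignment `bond_dev->hard_header_len = max_hard_header_len;` now sits above the `done:` label in bond_compute_features() with nothing in the code saying why it differs from the other fields set below the label. Without a comment, a later cleanup could move it back and reintroduce the skb_under_panic() described in the commit message. I would add `/* Deliberately skipped when no slaves remain: header_ops->create() may still rely on the previous headroom. */` directly above the moved line. The start of the function is outside the hunk, so the path that jumps to `done:` with an empty slave list is inferred from the commit message.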
diff --git a/queue-4.4/bpf-generally-move-prog-destruction-to-rcu-deferral.patch b/queue-4.4/bpf-generally-move-prog-destruction-to-rcu-deferral.patch
new file mode 100644 (file)
index 0000000..170f43c
--- /dev/null
@@ -0,0 +1,164 @@
+From 7b32bb49843fbed0707cc519311186a2b2ec7a7f Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Thu, 30 Jun 2016 17:24:43 +0200
+Subject: bpf: generally move prog destruction to RCU deferral
+
+[ Upstream commit 1aacde3d22c42281236155c1ef6d7a5aa32a826b ]
+
+Jann Horn reported following analysis that could potentially result
+in a very hard to trigger (if not impossible) UAF race, to quote his
+event timeline:
+
+ - Set up a process with threads T1, T2 and T3
+ - Let T1 set up a socket filter F1 that invokes another filter F2
+   through a BPF map [tail call]
+ - Let T1 trigger the socket filter via a unix domain socket write,
+   don't wait for completion
+ - Let T2 call PERF_EVENT_IOC_SET_BPF with F2, don't wait for completion
+ - Now T2 should be behind bpf_prog_get(), but before bpf_prog_put()
+ - Let T3 close the file descriptor for F2, dropping the reference
+   count of F2 to 2
+ - At this point, T1 should have looked up F2 from the map, but not
+   finished executing it
+ - Let T3 remove F2 from the BPF map, dropping the reference count of
+   F2 to 1
+ - Now T2 should call bpf_prog_put() (wrong BPF program type), dropping
+   the reference count of F2 to 0 and scheduling bpf_prog_free_deferred()
+   via schedule_work()
+ - At this point, the BPF program could be freed
+ - BPF execution is still running in a freed BPF program
+
+While at PERF_EVENT_IOC_SET_BPF time it's only guaranteed that the perf
+event fd we're doing the syscall on doesn't disappear from underneath us
+for whole syscall time, it may not be the case for the bpf fd used as
+an argument only after we did the put. It needs to be a valid fd pointing
+to a BPF program at the time of the call to make the bpf_prog_get() and
+while T2 gets preempted, F2 must have dropped reference to 1 on the other
+CPU. The fput() from the close() in T3 should also add additionally delay
+to the reference drop via exit_task_work() when bpf_prog_release() gets
+called as well as scheduling bpf_prog_free_deferred().
+
+That said, it makes nevertheless sense to move the BPF prog destruction
+generally after RCU grace period to guarantee that such scenario above,
+but also others as recently fixed in ceb56070359b ("bpf, perf: delay release
+of BPF prog after grace period") with regards to tail calls won't happen.
+Integrating bpf_prog_free_deferred() directly into the RCU callback is
+not allowed since the invocation might happen from either softirq or
+process context, so we're not permitted to block. Reviewing all bpf_prog_put()
+invocations from eBPF side (note, cBPF -> eBPF progs don't use this for
+their destruction) with call_rcu() look good to me.
+
+Since we don't know whether at the time of attaching the program, we're
+already part of a tail call map, we need to use RCU variant. However, due
+to this, there won't be severely more stress on the RCU callback queue:
+situations with above bpf_prog_get() and bpf_prog_put() combo in practice
+normally won't lead to releases, but even if they would, enough effort/
+cycles have to be put into loading a BPF program into the kernel already.
+
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf.h   |  5 -----
+ kernel/bpf/arraymap.c |  4 +---
+ kernel/bpf/syscall.c  | 13 +++----------
+ kernel/events/core.c  |  2 +-
+ 4 files changed, 5 insertions(+), 19 deletions(-)
+
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index 132585a7fbd8..bae3da5bcda0 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -177,7 +177,6 @@ void bpf_register_map_type(struct bpf_map_type_list *tl);
+ struct bpf_prog *bpf_prog_get(u32 ufd);
+ struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog);
+ void bpf_prog_put(struct bpf_prog *prog);
+-void bpf_prog_put_rcu(struct bpf_prog *prog);
+ struct bpf_map *bpf_map_get_with_uref(u32 ufd);
+ struct bpf_map *__bpf_map_get(struct fd f);
+@@ -208,10 +207,6 @@ static inline struct bpf_prog *bpf_prog_get(u32 ufd)
+ static inline void bpf_prog_put(struct bpf_prog *prog)
+ {
+ }
+-
+-static inline void bpf_prog_put_rcu(struct bpf_prog *prog)
+-{
+-}
+ #endif /* CONFIG_BPF_SYSCALL */
+ /* verifier prototypes for helper functions called from eBPF programs */
+diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
+index 0eb11b4ac4c7..daa4e0782cf7 100644
+--- a/kernel/bpf/arraymap.c
++++ b/kernel/bpf/arraymap.c
+@@ -270,9 +270,7 @@ static void *prog_fd_array_get_ptr(struct bpf_map *map, int fd)
+ static void prog_fd_array_put_ptr(void *ptr)
+ {
+-      struct bpf_prog *prog = ptr;
+-
+-      bpf_prog_put_rcu(prog);
++      bpf_prog_put(ptr);
+ }
+ /* decrement refcnt of all bpf_progs that are stored in this map */
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 4b9bbfe764e8..04fc1022ad9f 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -487,7 +487,7 @@ static void bpf_prog_uncharge_memlock(struct bpf_prog *prog)
+       free_uid(user);
+ }
+-static void __prog_put_common(struct rcu_head *rcu)
++static void __bpf_prog_put_rcu(struct rcu_head *rcu)
+ {
+       struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu);
+@@ -496,17 +496,10 @@ static void __prog_put_common(struct rcu_head *rcu)
+       bpf_prog_free(aux->prog);
+ }
+-/* version of bpf_prog_put() that is called after a grace period */
+-void bpf_prog_put_rcu(struct bpf_prog *prog)
+-{
+-      if (atomic_dec_and_test(&prog->aux->refcnt))
+-              call_rcu(&prog->aux->rcu, __prog_put_common);
+-}
+-
+ void bpf_prog_put(struct bpf_prog *prog)
+ {
+       if (atomic_dec_and_test(&prog->aux->refcnt))
+-              __prog_put_common(&prog->aux->rcu);
++              call_rcu(&prog->aux->rcu, __bpf_prog_put_rcu);
+ }
+ EXPORT_SYMBOL_GPL(bpf_prog_put);
+@@ -514,7 +507,7 @@ static int bpf_prog_release(struct inode *inode, struct file *filp)
+ {
+       struct bpf_prog *prog = filp->private_data;
+-      bpf_prog_put_rcu(prog);
++      bpf_prog_put(prog);
+       return 0;
+ }
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 68b75dfceb0c..21e825250402 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -7139,7 +7139,7 @@ static void perf_event_free_bpf_prog(struct perf_event *event)
+       prog = event->tp_event->prog;
+       if (prog && event->tp_event->bpf_prog_owner == event) {
+               event->tp_event->prog = NULL;
+-              bpf_prog_put_rcu(prog);
++              bpf_prog_put(prog);
+       }
+ }
+-- 
+2.17.1
+
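Review bot: bpf_prog_put() in kernel/bpf/syscall.c loses the only comment that mentioned the grace period (it went away with bpf_prog_put_rcu()), so nothing in the code now says that the final put defers destruction through `call_rcu()`. The renamed callback `__bpf_prog_put_rcu()` likewise carries no note on its calling context, although the commit message says it may run from softirq context and must not block. I would add `/* Final put frees the program after an RCU grace period. */` above bpf_prog_put() and `/* RCU callback: may run in softirq context, must not block. */` above `__bpf_prog_put_rcu()`. The callback's body is only partly visible across the two hunks.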
diff --git a/queue-4.4/brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch b/queue-4.4/brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch
new file mode 100644 (file)
index 0000000..9909086
--- /dev/null
@@ -0,0 +1,61 @@
+From e8506da61f40f35af74820cab778a1d851e899e0 Mon Sep 17 00:00:00 2001
+From: "Peter S. Housel" <housel@acm.org>
+Date: Mon, 12 Jun 2017 11:46:22 +0100
+Subject: brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain
+
+[ Upstream commit 5ea59db8a375216e6c915c5586f556766673b5a7 ]
+
+An earlier change to this function (3bdae810721b) fixed a leak in the
+case of an unsuccessful call to brcmf_sdiod_buffrw(). However, the
+glom_skb buffer, used for emulating a scattering read, is never used
+or referenced after its contents are copied into the destination
+buffers, and therefore always needs to be freed by the end of the
+function.
+
+Fixes: 3bdae810721b ("brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain")
+Fixes: a413e39a38573 ("brcmfmac: fix brcmf_sdcard_recv_chain() for host without sg support")
+Cc: stable@vger.kernel.org # 4.9.x-
+Signed-off-by: Peter S. Housel <housel@acm.org>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c b/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c
+index 91da67657f81..72e1796c8167 100644
+--- a/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c
+@@ -705,7 +705,7 @@ done:
+ int brcmf_sdiod_recv_chain(struct brcmf_sdio_dev *sdiodev,
+                          struct sk_buff_head *pktq, uint totlen)
+ {
+-      struct sk_buff *glom_skb;
++      struct sk_buff *glom_skb = NULL;
+       struct sk_buff *skb;
+       u32 addr = sdiodev->sbwad;
+       int err = 0;
+@@ -726,10 +726,8 @@ int brcmf_sdiod_recv_chain(struct brcmf_sdio_dev *sdiodev,
+                       return -ENOMEM;
+               err = brcmf_sdiod_buffrw(sdiodev, SDIO_FUNC_2, false, addr,
+                                        glom_skb);
+-              if (err) {
+-                      brcmu_pkt_buf_free_skb(glom_skb);
++              if (err)
+                       goto done;
+-              }
+               skb_queue_walk(pktq, skb) {
+                       memcpy(skb->data, glom_skb->data, skb->len);
+@@ -740,6 +738,7 @@ int brcmf_sdiod_recv_chain(struct brcmf_sdio_dev *sdiodev,
+                                           pktq);
+ done:
++      brcmu_pkt_buf_free_skb(glom_skb);
+       return err;
+ }
+-- 
+2.17.1
+
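Review bot: The unconditional `brcmu_pkt_buf_free_skb(glom_skb);` under `done:` in brcmf_sdiod_recv_chain() is now reached on paths where glom_skb was never allocated, which is why the patch adds the `= NULL` initialiser. The fix is therefore only correct if brcmu_pkt_buf_free_skb() accepts a NULL pointer, and its definition is not part of this patch. That should be confirmed for the 4.4 tree this is queued for, given that the `Cc: stable` line names 4.9.x and later. If the helper does not tolerate NULL there, the call needs a guard: `if (glom_skb) brcmu_pkt_buf_free_skb(glom_skb);`. The function body between the hunks is not visible.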
diff --git a/queue-4.4/btrfs-cleaner_kthread-doesn-t-need-explicit-freeze.patch b/queue-4.4/btrfs-cleaner_kthread-doesn-t-need-explicit-freeze.patch
new file mode 100644 (file)
index 0000000..f16d827
--- /dev/null
@@ -0,0 +1,42 @@
+From 7213b724ecae4594c59a1d3ea38375897834ab6d Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Tue, 15 Mar 2016 11:28:54 +0100
+Subject: btrfs: cleaner_kthread() doesn't need explicit freeze
+
+[ Upstream commit 838fe1887765f4cc679febea60d87d2a06bd300e ]
+
+cleaner_kthread() is not marked freezable, and therefore calling
+try_to_freeze() in its context is a pointless no-op.
+
+In addition to that, as has been clearly demonstrated by 80ad623edd2d
+("Revert "btrfs: clear PF_NOFREEZE in cleaner_kthread()"), it's perfectly
+valid / legal for cleaner_kthread() to stay scheduled out in an arbitrary
+place during suspend (in that particular example that was waiting for
+reading of extent pages), so there is no need to leave any traces of
+freezer in this kthread.
+
+Fixes: 80ad623edd2d ("Revert "btrfs: clear PF_NOFREEZE in cleaner_kthread()")
+Fixes: 696249132158 ("btrfs: clear PF_NOFREEZE in cleaner_kthread()")
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/disk-io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index ae6e3a30e61e..a2001abbe379 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -1820,7 +1820,7 @@ static int cleaner_kthread(void *arg)
+                */
+               btrfs_delete_unused_bgs(root->fs_info);
+ sleep:
+-              if (!try_to_freeze() && !again) {
++              if (!again) {
+                       set_current_state(TASK_INTERRUPTIBLE);
+                       if (!kthread_should_stop())
+                               schedule();
+-- 
+2.17.1
+
diff --git a/queue-4.4/btrfs-don-t-create-or-leak-aliased-root-while-cleani.patch b/queue-4.4/btrfs-don-t-create-or-leak-aliased-root-while-cleani.patch
new file mode 100644 (file)
index 0000000..6f6b1c1
--- /dev/null
@@ -0,0 +1,103 @@
+From a41bfdd412a2c3a016cdfa65114cae07b794fd1c Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Wed, 17 Aug 2016 21:58:33 -0400
+Subject: btrfs: don't create or leak aliased root while cleaning up orphans
+
+[ Upstream commit 35bbb97fc898aeb874cb7c8b746f091caa359994 ]
+
+commit 909c3a22da3 (Btrfs: fix loading of orphan roots leading to BUG_ON)
+avoids the BUG_ON but can add an aliased root to the dead_roots list or
+leak the root.
+
+Since we've already been loading roots into the radix tree, we should
+use it before looking the root up on disk.
+
+Cc: <stable@vger.kernel.org> # 4.5
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/disk-io.c   |  4 ++--
+ fs/btrfs/disk-io.h   |  2 ++
+ fs/btrfs/root-tree.c | 27 ++++++++++++++++++---------
+ 3 files changed, 22 insertions(+), 11 deletions(-)
+
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index a2001abbe379..120363d0f981 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -1608,8 +1608,8 @@ fail:
+       return ret;
+ }
+-static struct btrfs_root *btrfs_lookup_fs_root(struct btrfs_fs_info *fs_info,
+-                                             u64 root_id)
++struct btrfs_root *btrfs_lookup_fs_root(struct btrfs_fs_info *fs_info,
++                                      u64 root_id)
+ {
+       struct btrfs_root *root;
+diff --git a/fs/btrfs/disk-io.h b/fs/btrfs/disk-io.h
+index adeb31830b9c..3c9819403487 100644
+--- a/fs/btrfs/disk-io.h
++++ b/fs/btrfs/disk-io.h
+@@ -68,6 +68,8 @@ struct extent_buffer *btrfs_find_tree_block(struct btrfs_fs_info *fs_info,
+ struct btrfs_root *btrfs_read_fs_root(struct btrfs_root *tree_root,
+                                     struct btrfs_key *location);
+ int btrfs_init_fs_root(struct btrfs_root *root);
++struct btrfs_root *btrfs_lookup_fs_root(struct btrfs_fs_info *fs_info,
++                                      u64 root_id);
+ int btrfs_insert_fs_root(struct btrfs_fs_info *fs_info,
+                        struct btrfs_root *root);
+ void btrfs_free_fs_roots(struct btrfs_fs_info *fs_info);
+diff --git a/fs/btrfs/root-tree.c b/fs/btrfs/root-tree.c
+index 2c849b08a91b..6a6efb26d52f 100644
+--- a/fs/btrfs/root-tree.c
++++ b/fs/btrfs/root-tree.c
+@@ -272,6 +272,23 @@ int btrfs_find_orphan_roots(struct btrfs_root *tree_root)
+               root_key.objectid = key.offset;
+               key.offset++;
++              /*
++               * The root might have been inserted already, as before we look
++               * for orphan roots, log replay might have happened, which
++               * triggers a transaction commit and qgroup accounting, which
++               * in turn reads and inserts fs roots while doing backref
++               * walking.
++               */
++              root = btrfs_lookup_fs_root(tree_root->fs_info,
++                                          root_key.objectid);
++              if (root) {
++                      WARN_ON(!test_bit(BTRFS_ROOT_ORPHAN_ITEM_INSERTED,
++                                        &root->state));
++                      if (btrfs_root_refs(&root->root_item) == 0)
++                              btrfs_add_dead_root(root);
++                      continue;
++              }
++
+               root = btrfs_read_fs_root(tree_root, &root_key);
+               err = PTR_ERR_OR_ZERO(root);
+               if (err && err != -ENOENT) {
+@@ -310,16 +327,8 @@ int btrfs_find_orphan_roots(struct btrfs_root *tree_root)
+               set_bit(BTRFS_ROOT_ORPHAN_ITEM_INSERTED, &root->state);
+               err = btrfs_insert_fs_root(root->fs_info, root);
+-              /*
+-               * The root might have been inserted already, as before we look
+-               * for orphan roots, log replay might have happened, which
+-               * triggers a transaction commit and qgroup accounting, which
+-               * in turn reads and inserts fs roots while doing backref
+-               * walking.
+-               */
+-              if (err == -EEXIST)
+-                      err = 0;
+               if (err) {
++                      BUG_ON(err == -EEXIST);
+                       btrfs_free_fs_root(root);
+                       break;
+               }
+-- 
+2.17.1
+
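Review bot: The new `BUG_ON(err == -EEXIST);` in btrfs_find_orphan_roots() turns a condition the previous code tolerated into a kernel panic on the orphan-cleanup path. The added btrfs_lookup_fs_root() check is meant to make -EEXIST unreachable, but whether anything can insert the same root between that lookup and btrfs_insert_fs_root() is not visible in this hunk. The error branch directly below already frees the root and breaks out of the loop, so `WARN_ON(err == -EEXIST);` would keep the diagnostic while letting the error propagate to the caller instead of halting the machine. The loop's start and the function's return are outside the hunk.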
diff --git a/queue-4.4/cfg80211-address-some-corner-cases-in-scan-result-ch.patch b/queue-4.4/cfg80211-address-some-corner-cases-in-scan-result-ch.patch
new file mode 100644 (file)
index 0000000..3b703eb
--- /dev/null
@@ -0,0 +1,140 @@
+From 42f417212a8d02cacbd4ee288e9aa542d9283ff8 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 5 Sep 2018 18:52:22 +0300
+Subject: cfg80211: Address some corner cases in scan result channel updating
+
+[ Upstream commit 119f94a6fefcc76d47075b83d2b73d04c895df78 ]
+
+cfg80211_get_bss_channel() is used to update the RX channel based on the
+available frame payload information (channel number from DSSS Parameter
+Set element or HT Operation element). This is needed on 2.4 GHz channels
+where frames may be received on neighboring channels due to overlapping
+frequency range.
+
+This might of some use on the 5 GHz band in some corner cases, but
+things are more complex there since there is no n:1 or 1:n mapping
+between channel numbers and frequencies due to multiple different
+starting frequencies in different operating classes. This could result
+in ieee80211_channel_to_frequency() returning incorrect frequency and
+ieee80211_get_channel() returning incorrect channel information (or
+indication of no match). In the previous implementation, this could
+result in some scan results being dropped completely, e.g., for the 4.9
+GHz channels. That prevented connection to such BSSs.
+
+Fix this by using the driver-provided channel pointer if
+ieee80211_get_channel() does not find matching channel data for the
+channel number in the frame payload and if the scan is done with 5 MHz
+or 10 MHz channel bandwidth. While doing this, also add comments
+describing what the function is trying to achieve to make it easier to
+understand what happens here and why.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 58 ++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 49 insertions(+), 9 deletions(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 8dde12a11725..00219f386283 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -974,13 +974,23 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev,
+       return NULL;
+ }
++/*
++ * Update RX channel information based on the available frame payload
++ * information. This is mainly for the 2.4 GHz band where frames can be received
++ * from neighboring channels and the Beacon frames use the DSSS Parameter Set
++ * element to indicate the current (transmitting) channel, but this might also
++ * be needed on other bands if RX frequency does not match with the actual
++ * operating channel of a BSS.
++ */
+ static struct ieee80211_channel *
+ cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen,
+-                       struct ieee80211_channel *channel)
++                       struct ieee80211_channel *channel,
++                       enum nl80211_bss_scan_width scan_width)
+ {
+       const u8 *tmp;
+       u32 freq;
+       int channel_number = -1;
++      struct ieee80211_channel *alt_channel;
+       tmp = cfg80211_find_ie(WLAN_EID_DS_PARAMS, ie, ielen);
+       if (tmp && tmp[1] == 1) {
+@@ -994,16 +1004,45 @@ cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen,
+               }
+       }
+-      if (channel_number < 0)
++      if (channel_number < 0) {
++              /* No channel information in frame payload */
+               return channel;
++      }
+       freq = ieee80211_channel_to_frequency(channel_number, channel->band);
+-      channel = ieee80211_get_channel(wiphy, freq);
+-      if (!channel)
+-              return NULL;
+-      if (channel->flags & IEEE80211_CHAN_DISABLED)
++      alt_channel = ieee80211_get_channel(wiphy, freq);
++      if (!alt_channel) {
++              if (channel->band == NL80211_BAND_2GHZ) {
++                      /*
++                       * Better not allow unexpected channels when that could
++                       * be going beyond the 1-11 range (e.g., discovering
++                       * BSS on channel 12 when radio is configured for
++                       * channel 11.
++                       */
++                      return NULL;
++              }
++
++              /* No match for the payload channel number - ignore it */
++              return channel;
++      }
++
++      if (scan_width == NL80211_BSS_CHAN_WIDTH_10 ||
++          scan_width == NL80211_BSS_CHAN_WIDTH_5) {
++              /*
++               * Ignore channel number in 5 and 10 MHz channels where there
++               * may not be an n:1 or 1:n mapping between frequencies and
++               * channel numbers.
++               */
++              return channel;
++      }
++
++      /*
++       * Use the channel determined through the payload channel number
++       * instead of the RX channel reported by the driver.
++       */
++      if (alt_channel->flags & IEEE80211_CHAN_DISABLED)
+               return NULL;
+-      return channel;
++      return alt_channel;
+ }
+ /* Returned bss is reference counted and must be cleaned up appropriately. */
+@@ -1028,7 +1067,8 @@ cfg80211_inform_bss_data(struct wiphy *wiphy,
+                   (data->signal < 0 || data->signal > 100)))
+               return NULL;
+-      channel = cfg80211_get_bss_channel(wiphy, ie, ielen, data->chan);
++      channel = cfg80211_get_bss_channel(wiphy, ie, ielen, data->chan,
++                                         data->scan_width);
+       if (!channel)
+               return NULL;
+@@ -1126,7 +1166,7 @@ cfg80211_inform_bss_frame_data(struct wiphy *wiphy,
+               return NULL;
+       channel = cfg80211_get_bss_channel(wiphy, mgmt->u.beacon.variable,
+-                                         ielen, data->chan);
++                                         ielen, data->chan, data->scan_width);
+       if (!channel)
+               return NULL;
+-- 
+2.17.1
+
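Review bot: In cfg80211_get_bss_channel() the two new fallbacks that return the driver-provided `channel` (no match outside 2.4 GHz, and 5/10 MHz scan width) skip the `IEEE80211_CHAN_DISABLED` test that is still applied to `alt_channel`. The channel number is taken from the received frame's payload, so the content of a beacon decides which of these paths runs. If trusting the RX channel there is intended, a comment such as `/* RX channel is used as reported by the driver */` on those returns would make it explicit; otherwise the flag check should cover them too. The comment in the 2.4 GHz branch is also missing its closing parenthesis after `channel 11`. Part of the function body lies between the two hunks and is not visible here.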
diff --git a/queue-4.4/cfg80211-reg-init-wiphy_idx-in-regulatory_hint_core.patch b/queue-4.4/cfg80211-reg-init-wiphy_idx-in-regulatory_hint_core.patch
new file mode 100644 (file)
index 0000000..123fea9
--- /dev/null
@@ -0,0 +1,37 @@
+From ad508508c048914bf0ce9be7c77f18963f02ebf1 Mon Sep 17 00:00:00 2001
+From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Date: Wed, 5 Sep 2018 08:06:12 +0300
+Subject: cfg80211: reg: Init wiphy_idx in regulatory_hint_core()
+
+[ Upstream commit 24f33e64fcd0d50a4b1a8e5b41bd0257aa66b0e8 ]
+
+Core regulatory hints didn't set wiphy_idx to WIPHY_IDX_INVALID. Since
+the regulatory request is zeroed, wiphy_idx was always implicitly set to
+0. This resulted in updating only phy #0.
+Fix that.
+
+Fixes: 806a9e39670b ("cfg80211: make regulatory_request use wiphy_idx instead of wiphy")
+Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+[add fixes tag]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/reg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/wireless/reg.c b/net/wireless/reg.c
+index 06d050da0d94..50dffd183cc6 100644
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2367,6 +2367,7 @@ static int regulatory_hint_core(const char *alpha2)
+       request->alpha2[0] = alpha2[0];
+       request->alpha2[1] = alpha2[1];
+       request->initiator = NL80211_REGDOM_SET_BY_CORE;
++      request->wiphy_idx = WIPHY_IDX_INVALID;
+       queue_regulatory_request(request);
+-- 
+2.17.1
+
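Review bot: The added `request->wiphy_idx = WIPHY_IDX_INVALID;` in regulatory_hint_core() carries no comment, and the reason is not obvious from the line itself. According to the description the request is zeroed, so leaving the field alone implicitly selected index 0 and only phy #0 was updated. A short comment, e.g. `/* core hints are not tied to a wiphy; 0 would select phy #0 */`, would keep a later cleanup from dropping the assignment. The function starts and ends outside the hunk.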
diff --git a/queue-4.4/cifs-handle-guest-access-errors-to-windows-shares.patch b/queue-4.4/cifs-handle-guest-access-errors-to-windows-shares.patch
new file mode 100644 (file)
index 0000000..021443e
--- /dev/null
@@ -0,0 +1,85 @@
+From fee92cc97e3abcb287d8ce6b82aedf9532514bf2 Mon Sep 17 00:00:00 2001
+From: Mark Syms <mark.syms@citrix.com>
+Date: Tue, 29 Nov 2016 11:36:46 +0000
+Subject: CIFS: handle guest access errors to Windows shares
+
+[ Upstream commit 40920c2bb119fd49ba03e2f97a172171781be442 ]
+
+Commit 1a967d6c9b39c226be1b45f13acd4d8a5ab3dc44 ("correctly to
+anonymous authentication for the NTLM(v2) authentication") introduces
+a regression in handling errors related to attempting a guest
+connection to a Windows share which requires authentication. This
+should result in a permission denied error but actually causes the
+kernel module to enter a never-ending loop trying to follow a DFS
+referal which doesn't exist.
+
+The base cause of this is the failure now occurs later in the process
+during tree connect and not at the session setup setup and all errors
+in tree connect are interpreted as needing to follow the DFS paths
+which isn't in this case correct. So, check the returned error against
+EACCES and fail if this is returned error.
+
+Feedback from Aurelien:
+
+  PS> net user guest /activate:no
+    PS> mkdir C:\guestshare
+      PS> icacls C:\guestshare /grant 'Everyone:(OI)(CI)F'
+        PS> new-smbshare -name guestshare -path C:\guestshare -fullaccess Everyone
+
+        I've tested v3.10, v4.4, master, master+your patch using default options
+        (empty or no user "NU") and user=abc (U).
+
+        NT_LOGON_FAILURE in session setup: LF
+        This is what you seem to have in 3.10.
+
+        NT_ACCESS_DENIED in tree connect to the share: AD
+        This is what you get before your infinite loop.
+
+                     |   NU       U
+                     --------------------------------
+                     3.10         |   LF       LF
+                     4.4          |   LF       LF
+                     master       |   AD       LF
+                     master+patch |   AD       LF
+
+                     No infinite DFS loop :(
+                     All these issues result in mount failing very fast with permission denied.
+
+                     I guess it could be from either the Windows version or the share/folder
+                     ACL. A deeper analysis of the packets might reveal more.
+
+                     In any case I did not notice any issues for on a basic DFS setup with
+                     the patch so I don't think it introduced any regressions, which is
+                     probably all that matters. It still bothers me a little I couldn't hit
+                     the bug.
+
+                     I've included kernel output w/ debugging output and network capture of
+                     my tests if anyone want to have a look at it. (master+patch = ml-guestfix).
+
+Signed-off-by: Mark Syms <mark.syms@citrix.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Tested-by: Aurelien Aptel <aaptel@suse.com>
+Acked-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/connect.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index 077ad3a06c9a..1eeb4780c3ed 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -3674,6 +3674,9 @@ try_mount_again:
+       if (IS_ERR(tcon)) {
+               rc = PTR_ERR(tcon);
+               tcon = NULL;
++              if (rc == -EACCES)
++                      goto mount_fail_check;
++
+               goto remote_path_check;
+       }
+-- 
+2.17.1
+
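Review bot: Only `-EACCES` is diverted to `mount_fail_check`; every other tree-connect error still falls through to `remote_path_check`, which the description identifies as the place where all tree-connect errors are treated as a reason to follow DFS paths. Whether other permanent errors can reach the same retry loop cannot be told from this hunk, so it is worth confirming which codes are retried on purpose. The new branch would also read better with the reason attached, e.g. `/* access denied is final: do not chase a DFS referral */`. The enclosing function starts and ends outside the hunk.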
diff --git a/queue-4.4/drm-nouveau-fbcon-fix-oops-without-fbdev-emulation.patch b/queue-4.4/drm-nouveau-fbcon-fix-oops-without-fbdev-emulation.patch
new file mode 100644 (file)
index 0000000..d6f2208
--- /dev/null
@@ -0,0 +1,58 @@
+From 8fd2c738d50a34bc3dc8388f4dee7aa664aad57d Mon Sep 17 00:00:00 2001
+From: Pavel Roskin <plroskin@gmail.com>
+Date: Sat, 23 Sep 2017 13:10:33 -0700
+Subject: drm/nouveau/fbcon: fix oops without fbdev emulation
+
+[ Upstream commit 4813766325374af6ed0b66879ba6a0bbb05c83b6 ]
+
+This is similar to an earlier commit 52dfcc5ccfbb ("drm/nouveau: fix for
+disabled fbdev emulation"), but protects all occurrences of helper.fbdev
+in the source.
+
+I see oops in nouveau_fbcon_accel_save_disable() called from
+nouveau_fbcon_set_suspend_work() on Linux 3.13 when
+CONFIG_DRM_FBDEV_EMULATION option is disabled.
+
+Signed-off-by: Pavel Roskin <plroskin@gmail.com>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_fbcon.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c
+index e40a1b07a014..343476d15726 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c
++++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c
+@@ -235,7 +235,7 @@ void
+ nouveau_fbcon_accel_save_disable(struct drm_device *dev)
+ {
+       struct nouveau_drm *drm = nouveau_drm(dev);
+-      if (drm->fbcon) {
++      if (drm->fbcon && drm->fbcon->helper.fbdev) {
+               drm->fbcon->saved_flags = drm->fbcon->helper.fbdev->flags;
+               drm->fbcon->helper.fbdev->flags |= FBINFO_HWACCEL_DISABLED;
+       }
+@@ -245,7 +245,7 @@ void
+ nouveau_fbcon_accel_restore(struct drm_device *dev)
+ {
+       struct nouveau_drm *drm = nouveau_drm(dev);
+-      if (drm->fbcon) {
++      if (drm->fbcon && drm->fbcon->helper.fbdev) {
+               drm->fbcon->helper.fbdev->flags = drm->fbcon->saved_flags;
+       }
+ }
+@@ -257,7 +257,8 @@ nouveau_fbcon_accel_fini(struct drm_device *dev)
+       struct nouveau_fbdev *fbcon = drm->fbcon;
+       if (fbcon && drm->channel) {
+               console_lock();
+-              fbcon->helper.fbdev->flags |= FBINFO_HWACCEL_DISABLED;
++              if (fbcon->helper.fbdev)
++                      fbcon->helper.fbdev->flags |= FBINFO_HWACCEL_DISABLED;
+               console_unlock();
+               nouveau_channel_idle(drm->channel);
+               nvif_object_fini(&fbcon->twod);
+-- 
+2.17.1
+
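Review bot: The `helper.fbdev` NULL test is now written three times with no hint in the code of when the pointer is NULL. The description ties it to `CONFIG_DRM_FBDEV_EMULATION` being disabled; a one-line comment at the first check, e.g. `/* helper.fbdev is NULL without fbdev emulation */`, would record that. In nouveau_fbcon_accel_fini() only the flags write is guarded, and the teardown calls after it (`nouveau_channel_idle`, `nvif_object_fini`) still run. That looks intended, but the function continues outside the hunk and should be checked there.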
diff --git a/queue-4.4/fs-fat-fatent.c-add-cond_resched-to-fat_count_free_c.patch b/queue-4.4/fs-fat-fatent.c-add-cond_resched-to-fat_count_free_c.patch
new file mode 100644 (file)
index 0000000..f681b6b
--- /dev/null
@@ -0,0 +1,36 @@
+From 9ef6b93f6846514c15a2a042bfbffe32f8630a58 Mon Sep 17 00:00:00 2001
+From: Khazhismel Kumykov <khazhy@google.com>
+Date: Fri, 12 Oct 2018 21:34:40 -0700
+Subject: fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters()
+
+[ Upstream commit ac081c3be3fae6d0cc3e1862507fca3862d30b67 ]
+
+On non-preempt kernels this loop can take a long time (more than 50 ticks)
+processing through entries.
+
+Link: http://lkml.kernel.org/r/20181010172623.57033-1-khazhy@google.com
+Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
+Acked-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fat/fatent.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/fat/fatent.c b/fs/fat/fatent.c
+index a70e37c47a78..e3fc477728b3 100644
+--- a/fs/fat/fatent.c
++++ b/fs/fat/fatent.c
+@@ -681,6 +681,7 @@ int fat_count_free_clusters(struct super_block *sb)
+                       if (ops->ent_get(&fatent) == FAT_ENT_FREE)
+                               free++;
+               } while (fat_ent_next(sbi, &fatent));
++              cond_resched();
+       }
+       sbi->free_clusters = free;
+       sbi->free_clus_valid = 1;
+-- 
+2.17.1
+
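Review bot: `cond_resched()` is added at the end of the outer loop body in fat_count_free_clusters() without a comment, and its safety depends on context the hunk does not show: the call may sleep, so no spinlock may be held at that point. The loop header and any locking are outside the hunk and should be checked. A comment such as `/* long scan on large volumes; yield on non-preempt kernels */` would record why the call sits there.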
diff --git a/queue-4.4/fuse-dont-call-set_page_dirty_lock-for-iter_bvec-pag.patch b/queue-4.4/fuse-dont-call-set_page_dirty_lock-for-iter_bvec-pag.patch
new file mode 100644 (file)
index 0000000..ddb7403
--- /dev/null
@@ -0,0 +1,127 @@
+From 8ad8962051ad64732388a7dfa13e42e3b9597033 Mon Sep 17 00:00:00 2001
+From: Ashish Samant <ashish.samant@oracle.com>
+Date: Wed, 12 Jul 2017 19:26:58 -0700
+Subject: fuse: Dont call set_page_dirty_lock() for ITER_BVEC pages for
+ async_dio
+
+[ Upstream commit 61c12b49e1c9c77d7a1bcc161de540d0fd21cf0c ]
+
+Commit 8fba54aebbdf ("fuse: direct-io: don't dirty ITER_BVEC pages") fixes
+the ITER_BVEC page deadlock for direct io in fuse by checking in
+fuse_direct_io(), whether the page is a bvec page or not, before locking
+it.  However, this check is missed when the "async_dio" mount option is
+enabled.  In this case, set_page_dirty_lock() is called from the req->end
+callback in request_end(), when the fuse thread is returning from userspace
+to respond to the read request.  This will cause the same deadlock because
+the bvec condition is not checked in this path.
+
+Here is the stack of the deadlocked thread, while returning from userspace:
+
+[13706.656686] INFO: task glusterfs:3006 blocked for more than 120 seconds.
+[13706.657808] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables
+this message.
+[13706.658788] glusterfs       D ffffffff816c80f0     0  3006      1
+0x00000080
+[13706.658797]  ffff8800d6713a58 0000000000000086 ffff8800d9ad7000
+ffff8800d9ad5400
+[13706.658799]  ffff88011ffd5cc0 ffff8800d6710008 ffff88011fd176c0
+7fffffffffffffff
+[13706.658801]  0000000000000002 ffffffff816c80f0 ffff8800d6713a78
+ffffffff816c790e
+[13706.658803] Call Trace:
+[13706.658809]  [<ffffffff816c80f0>] ? bit_wait_io_timeout+0x80/0x80
+[13706.658811]  [<ffffffff816c790e>] schedule+0x3e/0x90
+[13706.658813]  [<ffffffff816ca7e5>] schedule_timeout+0x1b5/0x210
+[13706.658816]  [<ffffffff81073ffb>] ? gup_pud_range+0x1db/0x1f0
+[13706.658817]  [<ffffffff810668fe>] ? kvm_clock_read+0x1e/0x20
+[13706.658819]  [<ffffffff81066909>] ? kvm_clock_get_cycles+0x9/0x10
+[13706.658822]  [<ffffffff810f5792>] ? ktime_get+0x52/0xc0
+[13706.658824]  [<ffffffff816c6f04>] io_schedule_timeout+0xa4/0x110
+[13706.658826]  [<ffffffff816c8126>] bit_wait_io+0x36/0x50
+[13706.658828]  [<ffffffff816c7d06>] __wait_on_bit_lock+0x76/0xb0
+[13706.658831]  [<ffffffffa0545636>] ? lock_request+0x46/0x70 [fuse]
+[13706.658834]  [<ffffffff8118800a>] __lock_page+0xaa/0xb0
+[13706.658836]  [<ffffffff810c8500>] ? wake_atomic_t_function+0x40/0x40
+[13706.658838]  [<ffffffff81194d08>] set_page_dirty_lock+0x58/0x60
+[13706.658841]  [<ffffffffa054d968>] fuse_release_user_pages+0x58/0x70 [fuse]
+[13706.658844]  [<ffffffffa0551430>] ? fuse_aio_complete+0x190/0x190 [fuse]
+[13706.658847]  [<ffffffffa0551459>] fuse_aio_complete_req+0x29/0x90 [fuse]
+[13706.658849]  [<ffffffffa05471e9>] request_end+0xd9/0x190 [fuse]
+[13706.658852]  [<ffffffffa0549126>] fuse_dev_do_write+0x336/0x490 [fuse]
+[13706.658854]  [<ffffffffa054963e>] fuse_dev_write+0x6e/0xa0 [fuse]
+[13706.658857]  [<ffffffff812a9ef3>] ? security_file_permission+0x23/0x90
+[13706.658859]  [<ffffffff81205300>] do_iter_readv_writev+0x60/0x90
+[13706.658862]  [<ffffffffa05495d0>] ? fuse_dev_splice_write+0x350/0x350
+[fuse]
+[13706.658863]  [<ffffffff812062a1>] do_readv_writev+0x171/0x1f0
+[13706.658866]  [<ffffffff810b3d00>] ? try_to_wake_up+0x210/0x210
+[13706.658868]  [<ffffffff81206361>] vfs_writev+0x41/0x50
+[13706.658870]  [<ffffffff81206496>] SyS_writev+0x56/0xf0
+[13706.658872]  [<ffffffff810257a1>] ? syscall_trace_leave+0xf1/0x160
+[13706.658874]  [<ffffffff816cbb2e>] system_call_fastpath+0x12/0x71
+
+Fix this by making should_dirty a fuse_io_priv parameter that can be
+checked in fuse_aio_complete_req().
+
+Reported-by: Tiger Yang <tiger.yang@oracle.com>
+Signed-off-by: Ashish Samant <ashish.samant@oracle.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fuse/file.c   | 6 +++---
+ fs/fuse/fuse_i.h | 1 +
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/fs/fuse/file.c b/fs/fuse/file.c
+index 8577f3ba6dc6..7014318f6d18 100644
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -625,7 +625,7 @@ static void fuse_aio_complete_req(struct fuse_conn *fc, struct fuse_req *req)
+       struct fuse_io_priv *io = req->io;
+       ssize_t pos = -1;
+-      fuse_release_user_pages(req, !io->write);
++      fuse_release_user_pages(req, io->should_dirty);
+       if (io->write) {
+               if (req->misc.write.in.size != req->misc.write.out.size)
+@@ -1333,7 +1333,6 @@ ssize_t fuse_direct_io(struct fuse_io_priv *io, struct iov_iter *iter,
+                      loff_t *ppos, int flags)
+ {
+       int write = flags & FUSE_DIO_WRITE;
+-      bool should_dirty = !write && iter_is_iovec(iter);
+       int cuse = flags & FUSE_DIO_CUSE;
+       struct file *file = io->file;
+       struct inode *inode = file->f_mapping->host;
+@@ -1362,6 +1361,7 @@ ssize_t fuse_direct_io(struct fuse_io_priv *io, struct iov_iter *iter,
+                       mutex_unlock(&inode->i_mutex);
+       }
++      io->should_dirty = !write && iter_is_iovec(iter);
+       while (count) {
+               size_t nres;
+               fl_owner_t owner = current->files;
+@@ -1378,7 +1378,7 @@ ssize_t fuse_direct_io(struct fuse_io_priv *io, struct iov_iter *iter,
+                       nres = fuse_send_read(req, io, pos, nbytes, owner);
+               if (!io->async)
+-                      fuse_release_user_pages(req, should_dirty);
++                      fuse_release_user_pages(req, io->should_dirty);
+               if (req->out.h.error) {
+                       if (!res)
+                               res = req->out.h.error;
+diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
+index 7aafe9acc6c0..c6eb35a95fcc 100644
+--- a/fs/fuse/fuse_i.h
++++ b/fs/fuse/fuse_i.h
+@@ -252,6 +252,7 @@ struct fuse_io_priv {
+       size_t size;
+       __u64 offset;
+       bool write;
++      bool should_dirty;
+       int err;
+       struct kiocb *iocb;
+       struct file *file;
+-- 
+2.17.1
+
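Review bot: `io->should_dirty` is assigned only inside fuse_direct_io(), while fuse_aio_complete_req() reads it from whatever `req->io` points to. If any `struct fuse_io_priv` is allocated without zeroing and reaches the completion callback before that assignment, the flag is read uninitialised. The allocation sites are outside these hunks, so this needs checking against the 4.4 tree rather than against upstream. The new field in fuse_i.h would also benefit from a comment, e.g. `/* dirty user pages on release: reads into an iovec only, never ITER_BVEC */`.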
diff --git a/queue-4.4/gpio-msic-fix-error-return-code-in-platform_msic_gpi.patch b/queue-4.4/gpio-msic-fix-error-return-code-in-platform_msic_gpi.patch
new file mode 100644 (file)
index 0000000..10bd22b
--- /dev/null
@@ -0,0 +1,41 @@
+From 2f05eb2ec718ed2e3e19ec0575ef000abbc2a47c Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Thu, 3 Aug 2017 17:00:01 -0500
+Subject: gpio: msic: fix error return code in platform_msic_gpio_probe()
+
+[ Upstream commit ca1f3ae3154ad6d08caa740c99be0d86644a4e44 ]
+
+platform_get_irq() returns an error code, but the gpio-msic driver
+ignores it and always returns -EINVAL. This is not correct, and
+prevents -EPROBE_DEFER from being propagated properly.
+
+Notice that platform_get_irq() no longer returns 0 on error:
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af
+
+Print and propagate the return value of platform_get_irq on failure.
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-msic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpio/gpio-msic.c b/drivers/gpio/gpio-msic.c
+index 22523aae8abe..3abf066f93d3 100644
+--- a/drivers/gpio/gpio-msic.c
++++ b/drivers/gpio/gpio-msic.c
+@@ -266,8 +266,8 @@ static int platform_msic_gpio_probe(struct platform_device *pdev)
+       int i;
+       if (irq < 0) {
+-              dev_err(dev, "no IRQ line\n");
+-              return -EINVAL;
++              dev_err(dev, "no IRQ line: %d\n", irq);
++              return irq;
+       }
+       if (!pdata || !pdata->gpio_base) {
+-- 
+2.17.1
+
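Review bot: With the error code now propagated, `dev_err()` in platform_msic_gpio_probe() also fires for `-EPROBE_DEFER`, so a deferred probe logs an error on every retry. The same applies to host1x_probe() in gpu-host1x-fix-error-return-code-in-host1x_probe.patch. Guarding the message, `if (irq != -EPROBE_DEFER) dev_err(dev, "no IRQ line: %d\n", irq);`, keeps the log quiet for the very case the commit is meant to enable. The assignment of `irq` is above the hunk and not visible here.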
diff --git a/queue-4.4/gpu-host1x-fix-error-return-code-in-host1x_probe.patch b/queue-4.4/gpu-host1x-fix-error-return-code-in-host1x_probe.patch
new file mode 100644 (file)
index 0000000..c248dd0
--- /dev/null
@@ -0,0 +1,43 @@
+From 855795c6b9ef7528d403e4d0762dcab13d311d03 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 8 Aug 2017 00:08:06 -0500
+Subject: gpu: host1x: fix error return code in host1x_probe()
+
+[ Upstream commit 7b2c63de20080c18d0de35b292ad61fc9bc8328e ]
+
+platform_get_irq() returns an error code, but the host1x driver
+ignores it and always returns -ENXIO. This is not correct and,
+prevents -EPROBE_DEFER from being propagated properly.
+
+Notice that platform_get_irq() no longer returns 0 on error:
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af
+
+Print and propagate the return value of platform_get_irq on failure.
+
+This issue was detected with the help of Coccinelle.
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/host1x/dev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/host1x/dev.c b/drivers/gpu/host1x/dev.c
+index 53d3d1d45b48..ce1b10a2ae85 100644
+--- a/drivers/gpu/host1x/dev.c
++++ b/drivers/gpu/host1x/dev.c
+@@ -116,8 +116,8 @@ static int host1x_probe(struct platform_device *pdev)
+       syncpt_irq = platform_get_irq(pdev, 0);
+       if (syncpt_irq < 0) {
+-              dev_err(&pdev->dev, "failed to get IRQ\n");
+-              return -ENXIO;
++              dev_err(&pdev->dev, "failed to get IRQ: %d\n", syncpt_irq);
++              return syncpt_irq;
+       }
+       host = devm_kzalloc(&pdev->dev, sizeof(*host), GFP_KERNEL);
+-- 
+2.17.1
+
diff --git a/queue-4.4/gro-allow-tunnel-stacking-in-the-case-of-fou-gue.patch b/queue-4.4/gro-allow-tunnel-stacking-in-the-case-of-fou-gue.patch
new file mode 100644 (file)
index 0000000..67783c4
--- /dev/null
@@ -0,0 +1,59 @@
+From a169a6fce0ca1ffad16080568d71125f164955de Mon Sep 17 00:00:00 2001
+From: Alexander Duyck <aduyck@mirantis.com>
+Date: Tue, 29 Mar 2016 14:55:22 -0700
+Subject: gro: Allow tunnel stacking in the case of FOU/GUE
+
+[ Upstream commit c3483384ee511ee2af40b4076366cd82a6a47b86 ]
+
+This patch should fix the issues seen with a recent fix to prevent
+tunnel-in-tunnel frames from being generated with GRO.  The fix itself is
+correct for now as long as we do not add any devices that support
+NETIF_F_GSO_GRE_CSUM.  When such a device is added it could have the
+potential to mess things up due to the fact that the outer transport header
+points to the outer UDP header and not the GRE header as would be expected.
+
+Fixes: fac8e0f579695 ("tunnels: Don't apply GRO to multiple layers of encapsulation.")
+Signed-off-by: Alexander Duyck <aduyck@mirantis.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fou.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
+index 08d8ee124538..d83888bc33d3 100644
+--- a/net/ipv4/fou.c
++++ b/net/ipv4/fou.c
+@@ -195,6 +195,14 @@ static struct sk_buff **fou_gro_receive(struct sk_buff **head,
+       u8 proto = NAPI_GRO_CB(skb)->proto;
+       const struct net_offload **offloads;
++      /* We can clear the encap_mark for FOU as we are essentially doing
++       * one of two possible things.  We are either adding an L4 tunnel
++       * header to the outer L3 tunnel header, or we are are simply
++       * treating the GRE tunnel header as though it is a UDP protocol
++       * specific header such as VXLAN or GENEVE.
++       */
++      NAPI_GRO_CB(skb)->encap_mark = 0;
++
+       rcu_read_lock();
+       offloads = NAPI_GRO_CB(skb)->is_ipv6 ? inet6_offloads : inet_offloads;
+       ops = rcu_dereference(offloads[proto]);
+@@ -354,6 +362,14 @@ static struct sk_buff **gue_gro_receive(struct sk_buff **head,
+               }
+       }
++      /* We can clear the encap_mark for GUE as we are essentially doing
++       * one of two possible things.  We are either adding an L4 tunnel
++       * header to the outer L3 tunnel header, or we are are simply
++       * treating the GRE tunnel header as though it is a UDP protocol
++       * specific header such as VXLAN or GENEVE.
++       */
++      NAPI_GRO_CB(skb)->encap_mark = 0;
++
+       rcu_read_lock();
+       offloads = NAPI_GRO_CB(skb)->is_ipv6 ? inet6_offloads : inet_offloads;
+       ops = rcu_dereference(offloads[guehdr->proto_ctype]);
+-- 
+2.17.1
+
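Review bot: The comment added in fou_gro_receive() and repeated in gue_gro_receive() explains why `encap_mark` can be cleared but leaves out the condition the description attaches to the fix: it holds only as long as no device supports `NETIF_F_GSO_GRE_CSUM`. Clearing the mark re-enables the tunnel stacking that the referenced commit had blocked, so that caveat belongs next to the assignment, e.g. a closing comment line `* Revisit if a device gains NETIF_F_GSO_GRE_CSUM.`. Both copies also contain the typo `we are are simply`. Both functions continue outside their hunks.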
diff --git a/queue-4.4/igb-remove-superfluous-reset-to-phy-and-page-0-selec.patch b/queue-4.4/igb-remove-superfluous-reset-to-phy-and-page-0-selec.patch
new file mode 100644 (file)
index 0000000..93462c2
--- /dev/null
@@ -0,0 +1,87 @@
+From 32a6c58a59a0a2a0b4d2c8d0730622ebffb0e6c4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20Gr=C3=B6nke?= <c.groenke@infodas.de>
+Date: Tue, 26 Jun 2018 10:12:18 +0000
+Subject: igb: Remove superfluous reset to PHY and page 0 selection
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 2a83fba6cae89dd9c0625e68ff8ffff791c67ac0 ]
+
+This patch reverts two previous applied patches to fix an issue
+that appeared when using SGMII based SFP modules. In the current
+state the driver will try to reset the PHY before obtaining the
+phy_addr of the SGMII attached PHY. That leads to an error in
+e1000_write_phy_reg_sgmii_82575. Causing the initialization to
+fail:
+
+    igb: Intel(R) Gigabit Ethernet Network Driver - version 5.4.0-k
+    igb: Copyright (c) 2007-2014 Intel Corporation.
+    igb: probe of ????:??:??.? failed with error -3
+
+The patches being reverted are:
+
+    commit 182785335447957409282ca745aa5bc3968facee
+    Author: Aaron Sierra <asierra@xes-inc.com>
+    Date:   Tue Nov 29 10:03:56 2016 -0600
+
+        igb: reset the PHY before reading the PHY ID
+
+    commit 440aeca4b9858248d8f16d724d9fa87a4f65fa33
+    Author: Matwey V Kornilov <matwey@sai.msu.ru>
+    Date:   Thu Nov 24 13:32:48 2016 +0300
+
+         igb: Explicitly select page 0 at initialization
+
+The first reverted patch directly causes the problem mentioned above.
+In case of SGMII the phy_addr is not known at this point and will
+only be obtained by 'igb_get_phy_id_82575' further down in the code.
+The second removed patch selects forces selection of page 0 in the
+PHY. Something that the reset tries to address as well.
+
+As pointed out by Alexander Duzck, the patch below fixes the same
+issue but in the proper location:
+
+    commit 4e684f59d760a2c7c716bb60190783546e2d08a1
+    Author: Chris J Arges <christopherarges@gmail.com>
+    Date:   Wed Nov 2 09:13:42 2016 -0500
+
+        igb: Workaround for igb i210 firmware issue
+
+Reverts: 440aeca4b9858248d8f16d724d9fa87a4f65fa33.
+Reverts: 182785335447957409282ca745aa5bc3968facee.
+
+Signed-off-by: Christian Grönke <c.groenke@infodas.de>
+Reviewed-by: Alexander Duyck <alexander.h.duyck@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/e1000_82575.c | 11 -----------
+ 1 file changed, 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/e1000_82575.c b/drivers/net/ethernet/intel/igb/e1000_82575.c
+index f3f3b95d5512..97bf0c3d5c69 100644
+--- a/drivers/net/ethernet/intel/igb/e1000_82575.c
++++ b/drivers/net/ethernet/intel/igb/e1000_82575.c
+@@ -223,17 +223,6 @@ static s32 igb_init_phy_params_82575(struct e1000_hw *hw)
+       hw->bus.func = (rd32(E1000_STATUS) & E1000_STATUS_FUNC_MASK) >>
+                       E1000_STATUS_FUNC_SHIFT;
+-      /* Make sure the PHY is in a good state. Several people have reported
+-       * firmware leaving the PHY's page select register set to something
+-       * other than the default of zero, which causes the PHY ID read to
+-       * access something other than the intended register.
+-       */
+-      ret_val = hw->phy.ops.reset(hw);
+-      if (ret_val) {
+-              hw_dbg("Error resetting the PHY.\n");
+-              goto out;
+-      }
+-
+       /* Set phy->phy_addr and phy->id. */
+       ret_val = igb_get_phy_id_82575(hw);
+       if (ret_val)
+-- 
+2.17.1
+
diff --git a/queue-4.4/ipv6-orphan-skbs-in-reassembly-unit.patch b/queue-4.4/ipv6-orphan-skbs-in-reassembly-unit.patch
new file mode 100644 (file)
index 0000000..9f85f13
--- /dev/null
@@ -0,0 +1,163 @@
+From 8abe36bcea94fd33c1f64646f614f41651ccc661 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 1 Mar 2017 14:45:06 -0800
+Subject: ipv6: orphan skbs in reassembly unit
+
+[ Upstream commit 48cac18ecf1de82f76259a54402c3adb7839ad01 ]
+
+Andrey reported a use-after-free in IPv6 stack.
+
+Issue here is that we free the socket while it still has skb
+in TX path and in some queues.
+
+It happens here because IPv6 reassembly unit messes skb->truesize,
+breaking skb_set_owner_w() badly.
+
+We fixed a similar issue for IPV4 in commit 8282f27449bf ("inet: frag:
+Always orphan skbs inside ip_defrag()")
+Acked-by: Joe Stringer <joe@ovn.org>
+
+==================================================================
+BUG: KASAN: use-after-free in sock_wfree+0x118/0x120
+Read of size 8 at addr ffff880062da0060 by task a.out/4140
+
+page:ffffea00018b6800 count:1 mapcount:0 mapping:          (null)
+index:0x0 compound_mapcount: 0
+flags: 0x100000000008100(slab|head)
+raw: 0100000000008100 0000000000000000 0000000000000000 0000000180130013
+raw: dead000000000100 dead000000000200 ffff88006741f140 0000000000000000
+page dumped because: kasan: bad access detected
+
+CPU: 0 PID: 4140 Comm: a.out Not tainted 4.10.0-rc3+ #59
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:15
+ dump_stack+0x292/0x398 lib/dump_stack.c:51
+ describe_address mm/kasan/report.c:262
+ kasan_report_error+0x121/0x560 mm/kasan/report.c:370
+ kasan_report mm/kasan/report.c:392
+ __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:413
+ sock_flag ./arch/x86/include/asm/bitops.h:324
+ sock_wfree+0x118/0x120 net/core/sock.c:1631
+ skb_release_head_state+0xfc/0x250 net/core/skbuff.c:655
+ skb_release_all+0x15/0x60 net/core/skbuff.c:668
+ __kfree_skb+0x15/0x20 net/core/skbuff.c:684
+ kfree_skb+0x16e/0x4e0 net/core/skbuff.c:705
+ inet_frag_destroy+0x121/0x290 net/ipv4/inet_fragment.c:304
+ inet_frag_put ./include/net/inet_frag.h:133
+ nf_ct_frag6_gather+0x1125/0x38b0 net/ipv6/netfilter/nf_conntrack_reasm.c:617
+ ipv6_defrag+0x21b/0x350 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68
+ nf_hook_entry_hookfn ./include/linux/netfilter.h:102
+ nf_hook_slow+0xc3/0x290 net/netfilter/core.c:310
+ nf_hook ./include/linux/netfilter.h:212
+ __ip6_local_out+0x52c/0xaf0 net/ipv6/output_core.c:160
+ ip6_local_out+0x2d/0x170 net/ipv6/output_core.c:170
+ ip6_send_skb+0xa1/0x340 net/ipv6/ip6_output.c:1722
+ ip6_push_pending_frames+0xb3/0xe0 net/ipv6/ip6_output.c:1742
+ rawv6_push_pending_frames net/ipv6/raw.c:613
+ rawv6_sendmsg+0x2cff/0x4130 net/ipv6/raw.c:927
+ inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
+ sock_sendmsg_nosec net/socket.c:635
+ sock_sendmsg+0xca/0x110 net/socket.c:645
+ sock_write_iter+0x326/0x620 net/socket.c:848
+ new_sync_write fs/read_write.c:499
+ __vfs_write+0x483/0x760 fs/read_write.c:512
+ vfs_write+0x187/0x530 fs/read_write.c:560
+ SYSC_write fs/read_write.c:607
+ SyS_write+0xfb/0x230 fs/read_write.c:599
+ entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:203
+RIP: 0033:0x7ff26e6f5b79
+RSP: 002b:00007ff268e0ed98 EFLAGS: 00000206 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00007ff268e0f9c0 RCX: 00007ff26e6f5b79
+RDX: 0000000000000010 RSI: 0000000020f50fe1 RDI: 0000000000000003
+RBP: 00007ff26ebc1220 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
+R13: 00007ff268e0f9c0 R14: 00007ff26efec040 R15: 0000000000000003
+
+The buggy address belongs to the object at ffff880062da0000
+ which belongs to the cache RAWv6 of size 1504
+The buggy address ffff880062da0060 is located 96 bytes inside
+ of 1504-byte region [ffff880062da0000, ffff880062da05e0)
+
+Freed by task 4113:
+ save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:502
+ set_track mm/kasan/kasan.c:514
+ kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:578
+ slab_free_hook mm/slub.c:1352
+ slab_free_freelist_hook mm/slub.c:1374
+ slab_free mm/slub.c:2951
+ kmem_cache_free+0xb2/0x2c0 mm/slub.c:2973
+ sk_prot_free net/core/sock.c:1377
+ __sk_destruct+0x49c/0x6e0 net/core/sock.c:1452
+ sk_destruct+0x47/0x80 net/core/sock.c:1460
+ __sk_free+0x57/0x230 net/core/sock.c:1468
+ sk_free+0x23/0x30 net/core/sock.c:1479
+ sock_put ./include/net/sock.h:1638
+ sk_common_release+0x31e/0x4e0 net/core/sock.c:2782
+ rawv6_close+0x54/0x80 net/ipv6/raw.c:1214
+ inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425
+ inet6_release+0x50/0x70 net/ipv6/af_inet6.c:431
+ sock_release+0x8d/0x1e0 net/socket.c:599
+ sock_close+0x16/0x20 net/socket.c:1063
+ __fput+0x332/0x7f0 fs/file_table.c:208
+ ____fput+0x15/0x20 fs/file_table.c:244
+ task_work_run+0x19b/0x270 kernel/task_work.c:116
+ exit_task_work ./include/linux/task_work.h:21
+ do_exit+0x186b/0x2800 kernel/exit.c:839
+ do_group_exit+0x149/0x420 kernel/exit.c:943
+ SYSC_exit_group kernel/exit.c:954
+ SyS_exit_group+0x1d/0x20 kernel/exit.c:952
+ entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:203
+
+Allocated by task 4115:
+ save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:502
+ set_track mm/kasan/kasan.c:514
+ kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:605
+ kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:544
+ slab_post_alloc_hook mm/slab.h:432
+ slab_alloc_node mm/slub.c:2708
+ slab_alloc mm/slub.c:2716
+ kmem_cache_alloc+0x1af/0x250 mm/slub.c:2721
+ sk_prot_alloc+0x65/0x2a0 net/core/sock.c:1334
+ sk_alloc+0x105/0x1010 net/core/sock.c:1396
+ inet6_create+0x44d/0x1150 net/ipv6/af_inet6.c:183
+ __sock_create+0x4f6/0x880 net/socket.c:1199
+ sock_create net/socket.c:1239
+ SYSC_socket net/socket.c:1269
+ SyS_socket+0xf9/0x230 net/socket.c:1249
+ entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:203
+
+Memory state around the buggy address:
+ ffff880062d9ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff880062d9ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff880062da0000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                                                       ^
+ ffff880062da0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff880062da0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
+index 838b65a59a73..5a9ae56e7868 100644
+--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
+@@ -601,6 +601,7 @@ struct sk_buff *nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 use
+       hdr = ipv6_hdr(clone);
+       fhdr = (struct frag_hdr *)skb_transport_header(clone);
++      skb_orphan(skb);
+       fq = fq_find(net, fhdr->identification, user, &hdr->saddr, &hdr->daddr,
+                    skb->dev ? skb->dev->ifindex : 0, ip6_frag_ecn(hdr));
+       if (fq == NULL) {
+-- 
+2.17.1
+
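Review bot: The added `skb_orphan(skb)` in `nf_ct_frag6_gather()` drops the socket ownership of `skb`, while the two context lines directly above it take the IPv6 and fragment headers from `clone`, so it should be confirmed which buffer this 4.4 code keeps on the fragment queue. The KASAN report in the description shows `sock_wfree()` being reached from `inet_frag_destroy()`, meaning a buffer held by the queue still carried a socket destructor after the socket was freed. If both `skb` and `clone` stay referenced by the queue, a comment on the new line such as `/* buffers kept for reassembly must not hold a socket reference */` would record why `skb` is the one orphaned. The function starts before the hunk and continues past it, so the queueing call is not visible here.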
diff --git a/queue-4.4/ipv6-suppress-sparse-warnings-in-ip6_ecn_set_ce.patch b/queue-4.4/ipv6-suppress-sparse-warnings-in-ip6_ecn_set_ce.patch
new file mode 100644 (file)
index 0000000..b529cb1
--- /dev/null
@@ -0,0 +1,38 @@
+From 545adfedcf2f591da5ebdb504e08ac2bb301ee8c Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 12 Aug 2016 07:48:21 +0200
+Subject: ipv6: suppress sparse warnings in IP6_ECN_set_ce()
+
+[ Upstream commit c15c0ab12fd62f2b19181d05c62d24bc9fa55a42 ]
+
+Pass the correct type __wsum to csum_sub() and csum_add(). This doesn't
+really change anything since __wsum really *is* __be32, but removes the
+address space warnings from sparse.
+
+Cc: Eric Dumazet <edumazet@google.com>
+Fixes: 34ae6a1aa054 ("ipv6: update skb->csum when CE mark is propagated")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/inet_ecn.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/inet_ecn.h b/include/net/inet_ecn.h
+index 0dc0a51da38f..dce2d586d9ce 100644
+--- a/include/net/inet_ecn.h
++++ b/include/net/inet_ecn.h
+@@ -128,7 +128,8 @@ static inline int IP6_ECN_set_ce(struct sk_buff *skb, struct ipv6hdr *iph)
+       to = from | htonl(INET_ECN_CE << 20);
+       *(__be32 *)iph = to;
+       if (skb->ip_summed == CHECKSUM_COMPLETE)
+-              skb->csum = csum_add(csum_sub(skb->csum, from), to);
++              skb->csum = csum_add(csum_sub(skb->csum, (__force __wsum)from),
++                                   (__force __wsum)to);
+       return 1;
+ }
+-- 
+2.17.1
+
diff --git a/queue-4.4/ixgbe-correct-x550em_x-revision-check.patch b/queue-4.4/ixgbe-correct-x550em_x-revision-check.patch
new file mode 100644 (file)
index 0000000..fee47ba
--- /dev/null
@@ -0,0 +1,64 @@
+From 24d5aa3a204e1f7902be5ae6cfa3491984f87d28 Mon Sep 17 00:00:00 2001
+From: Mark Rustad <mark.d.rustad@intel.com>
+Date: Fri, 20 Nov 2015 13:12:17 -0800
+Subject: ixgbe: Correct X550EM_x revision check
+
+[ Upstream commit 3ca2b2506ec9a3b1615930a6810d30ec9aba10a1 ]
+
+The X550EM_x revision check needs to check a value, not just a bit.
+Use a mask and check the value. Also remove the redundant check
+inside the ixgbe_enter_lplu_t_x550em, because it can only be called
+when both the mac type and revision check pass.
+
+Signed-off-by: Mark Rustad <mark.d.rustad@intel.com>
+Tested-by: Phil Schmitt <phillip.j.schmitt@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_type.h | 2 +-
+ drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 9 +++------
+ 2 files changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
+index 995f03107eac..04bc4df82fa7 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
+@@ -3508,7 +3508,7 @@ struct ixgbe_info {
+ #define IXGBE_FUSES0_GROUP(_i)                (0x11158 + ((_i) * 4))
+ #define IXGBE_FUSES0_300MHZ           BIT(5)
+-#define IXGBE_FUSES0_REV1             BIT(6)
++#define IXGBE_FUSES0_REV_MASK         (3 << 6)
+ #define IXGBE_KRM_PORT_CAR_GEN_CTRL(P)        ((P) ? 0x8010 : 0x4010)
+ #define IXGBE_KRM_LINK_CTRL_1(P)      ((P) ? 0x820C : 0x420C)
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
+index a75f2e3ce86f..ffd2e74e5638 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
+@@ -1873,10 +1873,6 @@ static s32 ixgbe_enter_lplu_t_x550em(struct ixgbe_hw *hw)
+       u32 save_autoneg;
+       bool link_up;
+-      /* SW LPLU not required on later HW revisions. */
+-      if (IXGBE_FUSES0_REV1 & IXGBE_READ_REG(hw, IXGBE_FUSES0_GROUP(0)))
+-              return 0;
+-
+       /* If blocked by MNG FW, then don't restart AN */
+       if (ixgbe_check_reset_blocked(hw))
+               return 0;
+@@ -2030,8 +2026,9 @@ static s32 ixgbe_init_phy_ops_X550em(struct ixgbe_hw *hw)
+               }
+               /* setup SW LPLU only for first revision */
+-              if (!(IXGBE_FUSES0_REV1 & IXGBE_READ_REG(hw,
+-                                                      IXGBE_FUSES0_GROUP(0))))
++              if (hw->mac.type == ixgbe_mac_X550EM_x &&
++                  !(IXGBE_READ_REG(hw, IXGBE_FUSES0_GROUP(0)) &
++                    IXGBE_FUSES0_REV_MASK))
+                       phy->ops.enter_lplu = ixgbe_enter_lplu_t_x550em;
+               phy->ops.handle_lasi = ixgbe_handle_lasi_ext_t_x550em;
+-- 
+2.17.1
+
diff --git a/queue-4.4/ixgbe-fix-rss-limit-for-x550.patch b/queue-4.4/ixgbe-fix-rss-limit-for-x550.patch
new file mode 100644 (file)
index 0000000..65b2a53
--- /dev/null
@@ -0,0 +1,37 @@
+From 23e0c6ad80a3af6e1d965a5a3d8637dad312fc9d Mon Sep 17 00:00:00 2001
+From: Emil Tantilov <emil.s.tantilov@intel.com>
+Date: Fri, 20 Nov 2015 13:02:16 -0800
+Subject: ixgbe: fix RSS limit for X550
+
+[ Upstream commit e9ee3238f8a480bbca58e51d02a93628d7c1f265 ]
+
+X550 allows for up to 64 RSS queues, but the driver can have max
+of 63 (-1 MSIX vector for link).
+
+On systems with >= 64 CPUs the driver will set the redirection table
+for all 64 queues which will result in packets being dropped.
+
+Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
+Tested-by: Phil Schmitt <phillip.j.schmitt@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe.h b/drivers/net/ethernet/intel/ixgbe/ixgbe.h
+index 1d2174526a4c..18e4e4a69262 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe.h
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe.h
+@@ -312,7 +312,7 @@ enum ixgbe_ring_f_enum {
+ };
+ #define IXGBE_MAX_RSS_INDICES         16
+-#define IXGBE_MAX_RSS_INDICES_X550    64
++#define IXGBE_MAX_RSS_INDICES_X550    63
+ #define IXGBE_MAX_VMDQ_INDICES                64
+ #define IXGBE_MAX_FDIR_INDICES                63      /* based on q_vector limit */
+ #define IXGBE_MAX_FCOE_INDICES                8
+-- 
+2.17.1
+
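Review bot: `IXGBE_MAX_RSS_INDICES_X550` now holds a value one below the hardware limit given in the description, and nothing beside the define says why, unlike `IXGBE_MAX_FDIR_INDICES` two lines further down with its `/* based on q_vector limit */`. A trailing comment such as `/* 64 in HW, one MSI-X vector is kept for link */` would keep a later cleanup from restoring 64 and reintroducing the dropped packets. The list of defines continues outside the hunk.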
diff --git a/queue-4.4/ixgbevf-fix-handling-of-napi-budget-when-multiple-qu.patch b/queue-4.4/ixgbevf-fix-handling-of-napi-budget-when-multiple-qu.patch
new file mode 100644 (file)
index 0000000..5fdcbae
--- /dev/null
@@ -0,0 +1,36 @@
+From d89a7ec2dd4f560582ea0ba02a3dcb85ae981193 Mon Sep 17 00:00:00 2001
+From: William Dauchy <william@gandi.net>
+Date: Fri, 30 Oct 2015 18:16:30 +0100
+Subject: ixgbevf: Fix handling of NAPI budget when multiple queues are enabled
+ per vector
+
+[ Upstream commit d0f71afffa1c3d5a36a4a278f1dbbd2643176dc3 ]
+
+This is the same patch as for ixgbe but applied differently according to
+busy polling.  See commit 5d6002b7b822c74 ("ixgbe: Fix handling of NAPI
+budget when multiple queues are enabled per vector")
+
+Signed-off-by: William Dauchy <william@gandi.net>
+Tested-by: Phil Schmitt <phillip.j.schmitt@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
+index 50bbad37d640..723bda33472a 100644
+--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
++++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
+@@ -1014,6 +1014,8 @@ static int ixgbevf_poll(struct napi_struct *napi, int budget)
+       ixgbevf_for_each_ring(ring, q_vector->tx)
+               clean_complete &= ixgbevf_clean_tx_irq(q_vector, ring);
++      if (budget <= 0)
++              return budget;
+ #ifdef CONFIG_NET_RX_BUSY_POLL
+       if (!ixgbevf_qv_lock_napi(q_vector))
+               return budget;
+-- 
+2.17.1
+
diff --git a/queue-4.4/keys-put-keyring-if-install_session_keyring_to_cred-.patch b/queue-4.4/keys-put-keyring-if-install_session_keyring_to_cred-.patch
new file mode 100644 (file)
index 0000000..b7ed23b
--- /dev/null
@@ -0,0 +1,56 @@
+From cdae7eb80f1cc3d7e310b3e0c4f26d5e21ba7638 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 8 Jun 2017 14:48:03 +0100
+Subject: KEYS: put keyring if install_session_keyring_to_cred() fails
+
+[ Upstream commit d636bd9f12a66ea3775c9fabbf3f8e118253467a ]
+
+In join_session_keyring(), if install_session_keyring_to_cred() were to
+fail, we would leak the keyring reference, just like in the bug fixed by
+commit 23567fd052a9 ("KEYS: Fix keyring ref leak in
+join_session_keyring()").  Fortunately this cannot happen currently, but
+we really should be more careful.  Do this by adding and using a new
+error label at which the keyring reference is dropped.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/keys/process_keys.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
+index ac1d5b2b1626..a7095372701e 100644
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -808,15 +808,14 @@ long join_session_keyring(const char *name)
+               ret = PTR_ERR(keyring);
+               goto error2;
+       } else if (keyring == new->session_keyring) {
+-              key_put(keyring);
+               ret = 0;
+-              goto error2;
++              goto error3;
+       }
+       /* we've got a keyring - now to install it */
+       ret = install_session_keyring_to_cred(new, keyring);
+       if (ret < 0)
+-              goto error2;
++              goto error3;
+       commit_creds(new);
+       mutex_unlock(&key_session_mutex);
+@@ -826,6 +825,8 @@ long join_session_keyring(const char *name)
+ okay:
+       return ret;
++error3:
++      key_put(keyring);
+ error2:
+       mutex_unlock(&key_session_mutex);
+ error:
+-- 
+2.17.1
+
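Review bot: The new `error3` label in `join_session_keyring()` is also the exit for the `keyring == new->session_keyring` case, which sets `ret = 0` and is not a failure, so the numbered name hides both what the label releases and that a successful no-op passes through it. A one-line comment at the label, `/* drop the keyring reference obtained above */`, or a descriptive label name would make the unwind order (`key_put()`, then `mutex_unlock()`) readable without following every `goto`. The function begins before the first hunk and the `error:` tail runs past the second, so what the remaining labels undo cannot be checked from here.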
diff --git a/queue-4.4/l2tp-hold-socket-before-dropping-lock-in-l2tp_ip-6-_.patch b/queue-4.4/l2tp-hold-socket-before-dropping-lock-in-l2tp_ip-6-_.patch
new file mode 100644 (file)
index 0000000..5b54de1
--- /dev/null
@@ -0,0 +1,73 @@
+From 51391306806049b373ff0b7252a05bec2402e805 Mon Sep 17 00:00:00 2001
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Tue, 29 Nov 2016 13:09:45 +0100
+Subject: l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()
+
+[ Upstream commit a3c18422a4b4e108bcf6a2328f48867e1003fd95 ]
+
+Socket must be held while under the protection of the l2tp lock; there
+is no guarantee that sk remains valid after the read_unlock_bh() call.
+
+Same issue for l2tp_ip and l2tp_ip6.
+
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_ip.c  | 11 ++++++-----
+ net/l2tp/l2tp_ip6.c | 11 ++++++-----
+ 2 files changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
+index 48ab93842322..c7e6098c924e 100644
+--- a/net/l2tp/l2tp_ip.c
++++ b/net/l2tp/l2tp_ip.c
+@@ -184,14 +184,15 @@ pass_up:
+               read_lock_bh(&l2tp_ip_lock);
+               sk = __l2tp_ip_bind_lookup(net, iph->daddr, 0, tunnel_id);
++              if (!sk) {
++                      read_unlock_bh(&l2tp_ip_lock);
++                      goto discard;
++              }
++
++              sock_hold(sk);
+               read_unlock_bh(&l2tp_ip_lock);
+       }
+-      if (sk == NULL)
+-              goto discard;
+-
+-      sock_hold(sk);
+-
+       if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
+               goto discard_put;
+diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
+index bcdab1cba773..5fe0a6f6af3d 100644
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -196,14 +196,15 @@ pass_up:
+               read_lock_bh(&l2tp_ip6_lock);
+               sk = __l2tp_ip6_bind_lookup(&init_net, &iph->daddr,
+                                           0, tunnel_id);
++              if (!sk) {
++                      read_unlock_bh(&l2tp_ip6_lock);
++                      goto discard;
++              }
++
++              sock_hold(sk);
+               read_unlock_bh(&l2tp_ip6_lock);
+       }
+-      if (sk == NULL)
+-              goto discard;
+-
+-      sock_hold(sk);
+-
+       if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
+               goto discard_put;
+-- 
+2.17.1
+
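Review bot: The `sock_hold(sk)` removed after the closing brace used to run for every path that reached `xfrm4_policy_check()`, whereas its replacement sits only inside the block that performs `__l2tp_ip_bind_lookup()`. The conditional that opens this block starts before the hunk, so if another arm assigns `sk` without going through the lookup, that arm now arrives at `discard_put` (presumably a `sock_put()`) without having taken a reference, and the socket's count would be dropped once too often. That arm would then need its own `sock_hold(sk);` immediately after it assigns `sk`. The `l2tp_ip6.c` hunk has the same shape and needs the same check around `xfrm6_policy_check()`.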
diff --git a/queue-4.4/lan78xx-check-for-supported-wake-on-lan-modes.patch b/queue-4.4/lan78xx-check-for-supported-wake-on-lan-modes.patch
new file mode 100644 (file)
index 0000000..df008ca
--- /dev/null
@@ -0,0 +1,50 @@
+From 528ac725c8a7099c4a2887004c5023fe23d9bc55 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:52 -0700
+Subject: lan78xx: Check for supported Wake-on-LAN modes
+
+[ Upstream commit eb9ad088f96653a26b340f7c447c44cf023d5cdc ]
+
+The driver supports a fair amount of Wake-on-LAN modes, but is not
+checking that the user specified one that is supported.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Woojung Huh <Woojung.Huh@Microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 17 ++++-------------
+ 1 file changed, 4 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index 1aede726052c..45a6a7cae4bf 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -1051,19 +1051,10 @@ static int lan78xx_set_wol(struct net_device *netdev,
+       if (ret < 0)
+               return ret;
+-      pdata->wol = 0;
+-      if (wol->wolopts & WAKE_UCAST)
+-              pdata->wol |= WAKE_UCAST;
+-      if (wol->wolopts & WAKE_MCAST)
+-              pdata->wol |= WAKE_MCAST;
+-      if (wol->wolopts & WAKE_BCAST)
+-              pdata->wol |= WAKE_BCAST;
+-      if (wol->wolopts & WAKE_MAGIC)
+-              pdata->wol |= WAKE_MAGIC;
+-      if (wol->wolopts & WAKE_PHY)
+-              pdata->wol |= WAKE_PHY;
+-      if (wol->wolopts & WAKE_ARP)
+-              pdata->wol |= WAKE_ARP;
++      if (wol->wolopts & ~WAKE_ALL)
++              return -EINVAL;
++
++      pdata->wol = wol->wolopts;
+       device_set_wakeup_enable(&dev->udev->dev, (bool)wol->wolopts);
+-- 
+2.17.1
+
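Review bot: The new `return -EINVAL` in `lan78xx_set_wol()` comes after the earlier `if (ret < 0) return ret;`, so anything acquired by the call that precedes that check is not released on the rejection path. That call is outside the hunk; if it is a runtime-PM get such as `usb_autopm_get_interface()`, every request with an unsupported mode would leave the usage count raised. Validating before acquiring avoids this: move `if (wol->wolopts & ~WAKE_ALL) return -EINVAL;` ahead of that call and leave `pdata->wol = wol->wolopts;` where it is.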
diff --git a/queue-4.4/mac80211-always-report-tx-status.patch b/queue-4.4/mac80211-always-report-tx-status.patch
new file mode 100644 (file)
index 0000000..14c22c0
--- /dev/null
@@ -0,0 +1,50 @@
+From 74528f7f857a4c9d03c4549cad4ad8de0494fc4d Mon Sep 17 00:00:00 2001
+From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Date: Wed, 5 Sep 2018 08:06:13 +0300
+Subject: mac80211: Always report TX status
+
+[ Upstream commit 8682250b3c1b75a45feb7452bc413d004cfe3778 ]
+
+If a frame is dropped for any reason, mac80211 wouldn't report the TX
+status back to user space.
+
+As the user space may rely on the TX_STATUS to kick its state
+machines, resends etc, it's better to just report this frame as not
+acked instead.
+
+Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/status.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/net/mac80211/status.c b/net/mac80211/status.c
+index 45fb1abdb265..2731cf5bf052 100644
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -466,11 +466,6 @@ static void ieee80211_report_ack_skb(struct ieee80211_local *local,
+       if (!skb)
+               return;
+-      if (dropped) {
+-              dev_kfree_skb_any(skb);
+-              return;
+-      }
+-
+       if (info->flags & IEEE80211_TX_INTFL_NL80211_FRAME_TX) {
+               u64 cookie = IEEE80211_SKB_CB(skb)->ack.cookie;
+               struct ieee80211_sub_if_data *sdata;
+@@ -491,6 +486,8 @@ static void ieee80211_report_ack_skb(struct ieee80211_local *local,
+               }
+               rcu_read_unlock();
++              dev_kfree_skb_any(skb);
++      } else if (dropped) {
+               dev_kfree_skb_any(skb);
+       } else {
+               /* consumes skb */
+-- 
+2.17.1
+
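Review bot: With the early `if (dropped)` exit removed from `ieee80211_report_ack_skb()`, a dropped frame carrying `IEEE80211_TX_INTFL_NL80211_FRAME_TX` is now reported to user space with whatever `acked` holds, and nothing in these two hunks shows `acked` being cleared for the dropped case. The description promises that such a frame is reported as not acked, so either the caller guarantees it (not visible here) or the status calls in this branch should pass `acked && !dropped`. A comment on the new branch, `/* dropped frames without an nl80211 cookie have no status to report */`, would also explain why `else if (dropped)` only frees. The body between the two hunks is not shown.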
diff --git a/queue-4.4/mac80211_hwsim-do-not-omit-multicast-announce-of-fir.patch b/queue-4.4/mac80211_hwsim-do-not-omit-multicast-announce-of-fir.patch
new file mode 100644 (file)
index 0000000..1859555
--- /dev/null
@@ -0,0 +1,38 @@
+From b6371c90ebdf27f39f83dd88bc1add52fe647f01 Mon Sep 17 00:00:00 2001
+From: Martin Willi <martin@strongswan.org>
+Date: Tue, 25 Sep 2018 09:51:02 +0200
+Subject: mac80211_hwsim: do not omit multicast announce of first added radio
+
+[ Upstream commit 28ef8b49a338dc1844e86b7954cfffc7dfa2660a ]
+
+The allocation of hwsim radio identifiers uses a post-increment from 0,
+so the first radio has idx 0. This idx is explicitly excluded from
+multicast announcements ever since, but it is unclear why.
+
+Drop that idx check and announce the first radio as well. This makes
+userspace happy if it relies on these events.
+
+Signed-off-by: Martin Willi <martin@strongswan.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
+index c98cb962b454..05413176a5d6 100644
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -2547,8 +2547,7 @@ static int mac80211_hwsim_new_radio(struct genl_info *info,
+       list_add_tail(&data->list, &hwsim_radios);
+       spin_unlock_bh(&hwsim_radio_lock);
+-      if (idx > 0)
+-              hwsim_mcast_new_radio(idx, info, param);
++      hwsim_mcast_new_radio(idx, info, param);
+       return idx;
+-- 
+2.17.1
+
diff --git a/queue-4.4/media-usbvision-revert-commit-588afcc1.patch b/queue-4.4/media-usbvision-revert-commit-588afcc1.patch
new file mode 100644 (file)
index 0000000..95ded5e
--- /dev/null
@@ -0,0 +1,64 @@
+From 8c8cd1d97afa99aba344aa286ea8a3cd1f6d6ffe Mon Sep 17 00:00:00 2001
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Sun, 31 Jan 2016 14:14:52 -0200
+Subject: [media] usbvision: revert commit 588afcc1
+
+[ Upstream commit d5468d7afaa9c9e961e150f0455a14a9f4872a98 ]
+
+Commit 588afcc1c0e4 ("[media] usbvision fix overflow of interfaces
+array")' should be reverted, because:
+
+* "!dev->actconfig->interface[ifnum]" won't catch a case where the value
+is not NULL but some garbage. This way the system may crash later with
+GPF.
+
+* "(ifnum >= USB_MAXINTERFACES)" does not cover all the error
+conditions. "ifnum" should be compared to "dev->actconfig->
+desc.bNumInterfaces", i.e. compared to the number of "struct
+usb_interface" kzalloc()-ed, not to USB_MAXINTERFACES.
+
+* There is a "struct usb_device" leak in this error path, as there is
+usb_get_dev(), but no usb_put_dev() on this path.
+
+* There is a bug of the same type several lines below with number of
+endpoints. The code is accessing hard-coded second endpoint
+("interface->endpoint[1].desc") which may not exist. It would be great
+to handle this in the same patch too.
+
+* All the concerns above are resolved by already-accepted commit fa52bd50
+("[media] usbvision: fix crash on detecting device with invalid
+configuration")
+
+* Mailing list message:
+http://www.spinics.net/lists/linux-media/msg94832.html
+
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Cc: <stable@vger.kernel.org>      # for v4.5
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/usbvision/usbvision-video.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/drivers/media/usb/usbvision/usbvision-video.c b/drivers/media/usb/usbvision/usbvision-video.c
+index cafc34938a79..91d709efef7a 100644
+--- a/drivers/media/usb/usbvision/usbvision-video.c
++++ b/drivers/media/usb/usbvision/usbvision-video.c
+@@ -1461,13 +1461,6 @@ static int usbvision_probe(struct usb_interface *intf,
+       printk(KERN_INFO "%s: %s found\n", __func__,
+                               usbvision_device_data[model].model_string);
+-      /*
+-       * this is a security check.
+-       * an exploit using an incorrect bInterfaceNumber is known
+-       */
+-      if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
+-              return -ENODEV;
+-
+       if (usbvision_device_data[model].interface >= 0)
+               interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
+       else if (ifnum < dev->actconfig->desc.bNumInterfaces)
+-- 
+2.17.1
+
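Review bot: After the revert, the first branch below the removed check, `usbvision_device_data[model].interface >= 0`, still indexes `dev->actconfig->interface[]` with the value from the model table without comparing it to `dev->actconfig->desc.bNumInterfaces`; only the `ifnum` branch that follows has that bound. A device that reports fewer interfaces than the table expects would have `->altsetting[0]` read through an entry that was never populated. A guard of the same shape, `usbvision_device_data[model].interface < dev->actconfig->desc.bNumInterfaces`, ahead of that dereference would close it, with the failure going through the probe's existing error path so that the `usb_device` reference the description mentions is released. The rest of `usbvision_probe()` is outside the hunk, so an earlier bound on the table value cannot be ruled out from here.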
diff --git a/queue-4.4/mips-dec-fix-an-int-handler.s-cpu_daddi_workarounds-.patch b/queue-4.4/mips-dec-fix-an-int-handler.s-cpu_daddi_workarounds-.patch
new file mode 100644 (file)
index 0000000..9e1514a
--- /dev/null
@@ -0,0 +1,98 @@
+From 3e7089c9afbb6281210fda9c29625df0c7831e51 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@linux-mips.org>
+Date: Sun, 30 Jul 2017 21:28:15 +0100
+Subject: MIPS: DEC: Fix an int-handler.S CPU_DADDI_WORKAROUNDS regression
+
+[ Upstream commit 68fe55680d0f3342969f49412fceabb90bdfadba ]
+
+Fix a commit 3021773c7c3e ("MIPS: DEC: Avoid la pseudo-instruction in
+delay slots") regression and remove assembly errors:
+
+arch/mips/dec/int-handler.S: Assembler messages:
+arch/mips/dec/int-handler.S:162: Error: Macro used $at after ".set noat"
+arch/mips/dec/int-handler.S:163: Error: Macro used $at after ".set noat"
+arch/mips/dec/int-handler.S:229: Error: Macro used $at after ".set noat"
+arch/mips/dec/int-handler.S:230: Error: Macro used $at after ".set noat"
+
+triggering with with the CPU_DADDI_WORKAROUNDS option set and the DADDIU
+instruction.  This is because with that option in place the instruction
+becomes a macro, which expands to an LI/DADDU (or actually ADDIU/DADDU)
+sequence that uses $at as a temporary register.
+
+With CPU_DADDI_WORKAROUNDS we only support `-msym32' compilation though,
+and this is already enforced in arch/mips/Makefile, so choose the 32-bit
+expansion variant for the supported configurations and then replace the
+64-bit variant with #error just in case.
+
+Fixes: 3021773c7c3e ("MIPS: DEC: Avoid la pseudo-instruction in delay slots")
+Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org # 4.8+
+Patchwork: https://patchwork.linux-mips.org/patch/16893/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/dec/int-handler.S | 34 ++++++----------------------------
+ 1 file changed, 6 insertions(+), 28 deletions(-)
+
+diff --git a/arch/mips/dec/int-handler.S b/arch/mips/dec/int-handler.S
+index 554d1da97743..21f4a9fe82fa 100644
+--- a/arch/mips/dec/int-handler.S
++++ b/arch/mips/dec/int-handler.S
+@@ -147,23 +147,12 @@
+                * Find irq with highest priority
+                */
+               # open coded PTR_LA t1, cpu_mask_nr_tbl
+-#if (_MIPS_SZPTR == 32)
++#if defined(CONFIG_32BIT) || defined(KBUILD_64BIT_SYM32)
+               # open coded la t1, cpu_mask_nr_tbl
+               lui     t1, %hi(cpu_mask_nr_tbl)
+               addiu   t1, %lo(cpu_mask_nr_tbl)
+-
+-#endif
+-#if (_MIPS_SZPTR == 64)
+-              # open coded dla t1, cpu_mask_nr_tbl
+-              .set    push
+-              .set    noat
+-              lui     t1, %highest(cpu_mask_nr_tbl)
+-              lui     AT, %hi(cpu_mask_nr_tbl)
+-              daddiu  t1, t1, %higher(cpu_mask_nr_tbl)
+-              daddiu  AT, AT, %lo(cpu_mask_nr_tbl)
+-              dsll    t1, 32
+-              daddu   t1, t1, AT
+-              .set    pop
++#else
++#error GCC `-msym32' option required for 64-bit DECstation builds
+ #endif
+ 1:            lw      t2,(t1)
+               nop
+@@ -214,23 +203,12 @@
+                * Find irq with highest priority
+                */
+               # open coded PTR_LA t1,asic_mask_nr_tbl
+-#if (_MIPS_SZPTR == 32)
++#if defined(CONFIG_32BIT) || defined(KBUILD_64BIT_SYM32)
+               # open coded la t1, asic_mask_nr_tbl
+               lui     t1, %hi(asic_mask_nr_tbl)
+               addiu   t1, %lo(asic_mask_nr_tbl)
+-
+-#endif
+-#if (_MIPS_SZPTR == 64)
+-              # open coded dla t1, asic_mask_nr_tbl
+-              .set    push
+-              .set    noat
+-              lui     t1, %highest(asic_mask_nr_tbl)
+-              lui     AT, %hi(asic_mask_nr_tbl)
+-              daddiu  t1, t1, %higher(asic_mask_nr_tbl)
+-              daddiu  AT, AT, %lo(asic_mask_nr_tbl)
+-              dsll    t1, 32
+-              daddu   t1, t1, AT
+-              .set    pop
++#else
++#error GCC `-msym32' option required for 64-bit DECstation builds
+ #endif
+ 2:            lw      t2,(t1)
+               nop
+-- 
+2.17.1
+
diff --git a/queue-4.4/mips-fix-fcsr-cause-bit-handling-for-correct-sigfpe-.patch b/queue-4.4/mips-fix-fcsr-cause-bit-handling-for-correct-sigfpe-.patch
new file mode 100644 (file)
index 0000000..f5924d0
--- /dev/null
@@ -0,0 +1,302 @@
+From 848a093f91e2ecac974a4d84415ab3ba4f050316 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@imgtec.com>
+Date: Fri, 28 Oct 2016 08:21:03 +0100
+Subject: MIPS: Fix FCSR Cause bit handling for correct SIGFPE issue
+
+[ Upstream commit 5a1aca4469fdccd5b74ba0b4e490173b2b447895 ]
+
+Sanitize FCSR Cause bit handling, following a trail of past attempts:
+
+* commit 4249548454f7 ("MIPS: ptrace: Fix FP context restoration FCSR
+regression"),
+
+* commit 443c44032a54 ("MIPS: Always clear FCSR cause bits after
+emulation"),
+
+* commit 64bedffe4968 ("MIPS: Clear [MSA]FPE CSR.Cause after
+notify_die()"),
+
+* commit b1442d39fac2 ("MIPS: Prevent user from setting FCSR cause
+bits"),
+
+* commit b54d2901517d ("Properly handle branch delay slots in connection
+with signals.").
+
+Specifically do not mask these bits out in ptrace(2) processing and send
+a SIGFPE signal instead whenever a matching pair of an FCSR Cause and
+Enable bit is seen as execution of an affected context is about to
+resume.  Only then clear Cause bits, and even then do not clear any bits
+that are set but masked with the respective Enable bits.  Adjust Cause
+bit clearing throughout code likewise, except within the FPU emulator
+proper where they are set according to IEEE 754 exceptions raised as the
+operation emulated executed.  Do so so that any IEEE 754 exceptions
+subject to their default handling are recorded like with operations
+executed by FPU hardware.
+
+Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
+Cc: Paul Burton <paul.burton@imgtec.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/14460/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/fpu_emulator.h  | 13 +++++
+ arch/mips/include/asm/switch_to.h     | 18 +++++++
+ arch/mips/kernel/mips-r2-to-r6-emul.c | 10 ++--
+ arch/mips/kernel/ptrace.c             |  7 ++-
+ arch/mips/kernel/traps.c              | 72 +++++++++++++++------------
+ 5 files changed, 78 insertions(+), 42 deletions(-)
+
+diff --git a/arch/mips/include/asm/fpu_emulator.h b/arch/mips/include/asm/fpu_emulator.h
+index 2f021cdfba4f..742223716fc8 100644
+--- a/arch/mips/include/asm/fpu_emulator.h
++++ b/arch/mips/include/asm/fpu_emulator.h
+@@ -66,6 +66,8 @@ extern int do_dsemulret(struct pt_regs *xcp);
+ extern int fpu_emulator_cop1Handler(struct pt_regs *xcp,
+                                   struct mips_fpu_struct *ctx, int has_fpu,
+                                   void *__user *fault_addr);
++void force_fcr31_sig(unsigned long fcr31, void __user *fault_addr,
++                   struct task_struct *tsk);
+ int process_fpemu_return(int sig, void __user *fault_addr,
+                        unsigned long fcr31);
+ int mm_isBranchInstr(struct pt_regs *regs, struct mm_decoded_insn dec_insn,
+@@ -92,4 +94,15 @@ static inline void fpu_emulator_init_fpu(void)
+               set_fpr64(&t->thread.fpu.fpr[i], 0, SIGNALLING_NAN);
+ }
++/*
++ * Mask the FCSR Cause bits according to the Enable bits, observing
++ * that Unimplemented is always enabled.
++ */
++static inline unsigned long mask_fcr31_x(unsigned long fcr31)
++{
++      return fcr31 & (FPU_CSR_UNI_X |
++                      ((fcr31 & FPU_CSR_ALL_E) <<
++                       (ffs(FPU_CSR_ALL_X) - ffs(FPU_CSR_ALL_E))));
++}
++
+ #endif /* _ASM_FPU_EMULATOR_H */
+diff --git a/arch/mips/include/asm/switch_to.h b/arch/mips/include/asm/switch_to.h
+index ebb5c0f2f90d..c0ae27971e31 100644
+--- a/arch/mips/include/asm/switch_to.h
++++ b/arch/mips/include/asm/switch_to.h
+@@ -75,6 +75,22 @@ do {        if (cpu_has_rw_llb) {                                           \
+       }                                                               \
+ } while (0)
++/*
++ * Check FCSR for any unmasked exceptions pending set with `ptrace',
++ * clear them and send a signal.
++ */
++#define __sanitize_fcr31(next)                                                \
++do {                                                                  \
++      unsigned long fcr31 = mask_fcr31_x(next->thread.fpu.fcr31);     \
++      void __user *pc;                                                \
++                                                                      \
++      if (unlikely(fcr31)) {                                          \
++              pc = (void __user *)task_pt_regs(next)->cp0_epc;        \
++              next->thread.fpu.fcr31 &= ~fcr31;                       \
++              force_fcr31_sig(fcr31, pc, next);                       \
++      }                                                               \
++} while (0)
++
+ /*
+  * For newly created kernel threads switch_to() will return to
+  * ret_from_kernel_thread, newly created user threads to ret_from_fork.
+@@ -85,6 +101,8 @@ do {        if (cpu_has_rw_llb) {                                           \
+ do {                                                                  \
+       __mips_mt_fpaff_switch_to(prev);                                \
+       lose_fpu_inatomic(1, prev);                                     \
++      if (tsk_used_math(next))                                        \
++              __sanitize_fcr31(next);                                 \
+       if (cpu_has_dsp) {                                              \
+               __save_dsp(prev);                                       \
+               __restore_dsp(next);                                    \
+diff --git a/arch/mips/kernel/mips-r2-to-r6-emul.c b/arch/mips/kernel/mips-r2-to-r6-emul.c
+index cbe0f025856d..7b887027dca2 100644
+--- a/arch/mips/kernel/mips-r2-to-r6-emul.c
++++ b/arch/mips/kernel/mips-r2-to-r6-emul.c
+@@ -900,7 +900,7 @@ static inline int mipsr2_find_op_func(struct pt_regs *regs, u32 inst,
+  * mipsr2_decoder: Decode and emulate a MIPS R2 instruction
+  * @regs: Process register set
+  * @inst: Instruction to decode and emulate
+- * @fcr31: Floating Point Control and Status Register returned
++ * @fcr31: Floating Point Control and Status Register Cause bits returned
+  */
+ int mipsr2_decoder(struct pt_regs *regs, u32 inst, unsigned long *fcr31)
+ {
+@@ -1183,13 +1183,13 @@ fpu_emul:
+               err = fpu_emulator_cop1Handler(regs, &current->thread.fpu, 0,
+                                              &fault_addr);
+-              *fcr31 = current->thread.fpu.fcr31;
+               /*
+-               * We can't allow the emulated instruction to leave any of
+-               * the cause bits set in $fcr31.
++               * We can't allow the emulated instruction to leave any
++               * enabled Cause bits set in $fcr31.
+                */
+-              current->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X;
++              *fcr31 = res = mask_fcr31_x(current->thread.fpu.fcr31);
++              current->thread.fpu.fcr31 &= ~res;
+               /*
+                * this is a tricky issue - lose_fpu() uses LL/SC atomics
+diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
+index 5a869515b393..9d04392f7ef0 100644
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -79,16 +79,15 @@ void ptrace_disable(struct task_struct *child)
+ }
+ /*
+- * Poke at FCSR according to its mask.  Don't set the cause bits as
+- * this is currently not handled correctly in FP context restoration
+- * and will cause an oops if a corresponding enable bit is set.
++ * Poke at FCSR according to its mask.  Set the Cause bits even
++ * if a corresponding Enable bit is set.  This will be noticed at
++ * the time the thread is switched to and SIGFPE thrown accordingly.
+  */
+ static void ptrace_setfcr31(struct task_struct *child, u32 value)
+ {
+       u32 fcr31;
+       u32 mask;
+-      value &= ~FPU_CSR_ALL_X;
+       fcr31 = child->thread.fpu.fcr31;
+       mask = boot_cpu_data.fpu_msk31;
+       child->thread.fpu.fcr31 = (value & ~mask) | (fcr31 & mask);
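Review bot: The rewritten comment above `ptrace_setfcr31()` says an enabled Cause bit "will be noticed at the time the thread is switched to" but does not name the code that notices it. With `value &= ~FPU_CSR_ALL_X;` removed, that code is the only check between a tracer-supplied FCSR value and an FP context restore. I would name it in the comment, e.g. `See __sanitize_fcr31() in <asm/switch_to.h>; it must run before this context is restored.` The removed comment gave an oops during FP context restoration as the reason for masking, so it is worth confirming that no other path restores `thread.fpu.fcr31` without the sanitize step; this patch only shows it in `switch_to()`. The function body continues outside the hunk.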
+diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c
+index 1b901218e3ae..6abd6b41c13d 100644
+--- a/arch/mips/kernel/traps.c
++++ b/arch/mips/kernel/traps.c
+@@ -706,6 +706,32 @@ asmlinkage void do_ov(struct pt_regs *regs)
+       exception_exit(prev_state);
+ }
++/*
++ * Send SIGFPE according to FCSR Cause bits, which must have already
++ * been masked against Enable bits.  This is impotant as Inexact can
++ * happen together with Overflow or Underflow, and `ptrace' can set
++ * any bits.
++ */
++void force_fcr31_sig(unsigned long fcr31, void __user *fault_addr,
++                   struct task_struct *tsk)
++{
++      struct siginfo si = { .si_addr = fault_addr, .si_signo = SIGFPE };
++
++      if (fcr31 & FPU_CSR_INV_X)
++              si.si_code = FPE_FLTINV;
++      else if (fcr31 & FPU_CSR_DIV_X)
++              si.si_code = FPE_FLTDIV;
++      else if (fcr31 & FPU_CSR_OVF_X)
++              si.si_code = FPE_FLTOVF;
++      else if (fcr31 & FPU_CSR_UDF_X)
++              si.si_code = FPE_FLTUND;
++      else if (fcr31 & FPU_CSR_INE_X)
++              si.si_code = FPE_FLTRES;
++      else
++              si.si_code = __SI_FAULT;
++      force_sig_info(SIGFPE, &si, tsk);
++}
++
+ int process_fpemu_return(int sig, void __user *fault_addr, unsigned long fcr31)
+ {
+       struct siginfo si = { 0 };
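Review bot: The final `else` in `force_fcr31_sig()` is reachable with the Unimplemented cause bit, and nothing in the code says so. `mask_fcr31_x()` always keeps `FPU_CSR_UNI_X`, but the `if`/`else if` chain has no branch for it, so that value is delivered as SIGFPE with `si_code = __SI_FAULT`. Because `__sanitize_fcr31()` feeds ptrace-written FCSR values into this function, the branch can now be reached from a tracer's write as well as from emulation. A comment on the branch would document the intent, e.g. `/* Unimplemented, or no recognised Cause bit: no specific FPE_* code applies */`. `process_fpemu_return()` continues outside the hunk.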
+@@ -715,27 +741,7 @@ int process_fpemu_return(int sig, void __user *fault_addr, unsigned long fcr31)
+               return 0;
+       case SIGFPE:
+-              si.si_addr = fault_addr;
+-              si.si_signo = sig;
+-              /*
+-               * Inexact can happen together with Overflow or Underflow.
+-               * Respect the mask to deliver the correct exception.
+-               */
+-              fcr31 &= (fcr31 & FPU_CSR_ALL_E) <<
+-                       (ffs(FPU_CSR_ALL_X) - ffs(FPU_CSR_ALL_E));
+-              if (fcr31 & FPU_CSR_INV_X)
+-                      si.si_code = FPE_FLTINV;
+-              else if (fcr31 & FPU_CSR_DIV_X)
+-                      si.si_code = FPE_FLTDIV;
+-              else if (fcr31 & FPU_CSR_OVF_X)
+-                      si.si_code = FPE_FLTOVF;
+-              else if (fcr31 & FPU_CSR_UDF_X)
+-                      si.si_code = FPE_FLTUND;
+-              else if (fcr31 & FPU_CSR_INE_X)
+-                      si.si_code = FPE_FLTRES;
+-              else
+-                      si.si_code = __SI_FAULT;
+-              force_sig_info(sig, &si, current);
++              force_fcr31_sig(fcr31, fault_addr, current);
+               return 1;
+       case SIGBUS:
+@@ -798,13 +804,13 @@ static int simulate_fp(struct pt_regs *regs, unsigned int opcode,
+       /* Run the emulator */
+       sig = fpu_emulator_cop1Handler(regs, &current->thread.fpu, 1,
+                                      &fault_addr);
+-      fcr31 = current->thread.fpu.fcr31;
+       /*
+-       * We can't allow the emulated instruction to leave any of
+-       * the cause bits set in $fcr31.
++       * We can't allow the emulated instruction to leave any
++       * enabled Cause bits set in $fcr31.
+        */
+-      current->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X;
++      fcr31 = mask_fcr31_x(current->thread.fpu.fcr31);
++      current->thread.fpu.fcr31 &= ~fcr31;
+       /* Restore the hardware register state */
+       own_fpu(1);
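Review bot: The two-statement sequence "mask the Cause bits, then clear exactly those bits in `current->thread.fpu.fcr31`" is open-coded here in `simulate_fp()`, again in the second `do_fpe()` hunk, in `do_cpu()`, and in `mipsr2_decoder()` (where it reuses the unrelated local `res`), and once more inside `__sanitize_fcr31()`. The safety of the ptrace change depends on every one of these sites clearing the same set of bits, so a single inline helper next to `mask_fcr31_x()` would make a missed or divergent site much harder to introduce. Each call site then becomes one line, `fcr31 = take_fcr31_x(current);` (the helper name is only a suggestion). `simulate_fp()` starts and ends outside the hunk.

```c
/* next to mask_fcr31_x() in asm/fpu_emulator.h */
static inline unsigned long take_fcr31_x(struct task_struct *tsk)
{
	unsigned long fcr31 = mask_fcr31_x(tsk->thread.fpu.fcr31);

	/* Clear only the Cause bits whose Enable bit is set (plus Unimplemented). */
	tsk->thread.fpu.fcr31 &= ~fcr31;
	return fcr31;
}
```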
+@@ -830,7 +836,7 @@ asmlinkage void do_fpe(struct pt_regs *regs, unsigned long fcr31)
+               goto out;
+       /* Clear FCSR.Cause before enabling interrupts */
+-      write_32bit_cp1_register(CP1_STATUS, fcr31 & ~FPU_CSR_ALL_X);
++      write_32bit_cp1_register(CP1_STATUS, fcr31 & ~mask_fcr31_x(fcr31));
+       local_irq_enable();
+       die_if_kernel("FP exception in kernel code", regs);
+@@ -852,13 +858,13 @@ asmlinkage void do_fpe(struct pt_regs *regs, unsigned long fcr31)
+               /* Run the emulator */
+               sig = fpu_emulator_cop1Handler(regs, &current->thread.fpu, 1,
+                                              &fault_addr);
+-              fcr31 = current->thread.fpu.fcr31;
+               /*
+-               * We can't allow the emulated instruction to leave any of
+-               * the cause bits set in $fcr31.
++               * We can't allow the emulated instruction to leave any
++               * enabled Cause bits set in $fcr31.
+                */
+-              current->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X;
++              fcr31 = mask_fcr31_x(current->thread.fpu.fcr31);
++              current->thread.fpu.fcr31 &= ~fcr31;
+               /* Restore the hardware register state */
+               own_fpu(1);     /* Using the FPU again.  */
+@@ -1431,13 +1437,13 @@ asmlinkage void do_cpu(struct pt_regs *regs)
+               sig = fpu_emulator_cop1Handler(regs, &current->thread.fpu, 0,
+                                              &fault_addr);
+-              fcr31 = current->thread.fpu.fcr31;
+               /*
+                * We can't allow the emulated instruction to leave
+-               * any of the cause bits set in $fcr31.
++               * any enabled Cause bits set in $fcr31.
+                */
+-              current->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X;
++              fcr31 = mask_fcr31_x(current->thread.fpu.fcr31);
++              current->thread.fpu.fcr31 &= ~fcr31;
+               /* Send a signal if required.  */
+               if (!process_fpemu_return(sig, fault_addr, fcr31) && !err)
+-- 
+2.17.1
+
diff --git a/queue-4.4/mips-handle-non-word-sized-instructions-when-examini.patch b/queue-4.4/mips-handle-non-word-sized-instructions-when-examini.patch
new file mode 100644 (file)
index 0000000..5518cdc
--- /dev/null
@@ -0,0 +1,95 @@
+From e2ff8e881b430537e27ea9ede4579849e9b73361 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn <matt.redfearn@imgtec.com>
+Date: Tue, 8 Aug 2017 13:22:30 +0100
+Subject: MIPS: Handle non word sized instructions when examining frame
+
+[ Upstream commit 11887ed172a6960673f130dad8f8fb42778f64d7 ]
+
+Commit 34c2f668d0f6b ("MIPS: microMIPS: Add unaligned access support.")
+added fairly broken support for handling 16bit microMIPS instructions in
+get_frame_info(). It adjusts the instruction pointer by 16bits in the
+case of a 16bit sp move instruction, but not any other 16bit
+instruction.
+
+Commit b6c7a324df37 ("MIPS: Fix get_frame_info() handling of microMIPS
+function size") goes some way to fixing get_frame_info() to iterate over
+microMIPS instuctions, but the instruction pointer is still manipulated
+using a postincrement, and is of union mips_instruction type. Since the
+union is sized to the largest member (a word), but microMIPS
+instructions are a mix of halfword and word sizes, the function does not
+always iterate correctly, ending up misaligned with the instruction
+stream and interpreting it incorrectly.
+
+Since the instruction modifying the stack pointer is usually the first
+in the function, that one is usually handled correctly. But the
+instruction which saves the return address to the sp is some variable
+number of instructions into the frame and is frequently missed due to
+not being on a word boundary, leading to incomplete walking of the
+stack.
+
+Fix this by incrementing the instruction pointer based on the size of
+the previously decoded instruction (& remove the hack introduced by
+commit 34c2f668d0f6b ("MIPS: microMIPS: Add unaligned access support.")
+which adjusts the instruction pointer in the case of a 16bit sp move
+instruction, but not any other).
+
+Fixes: 34c2f668d0f6b ("MIPS: microMIPS: Add unaligned access support.")
+Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
+Cc: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Paul Burton <paul.burton@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/16953/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/process.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
+index ed6cac4a4df0..a9cc74354df8 100644
+--- a/arch/mips/kernel/process.c
++++ b/arch/mips/kernel/process.c
+@@ -341,6 +341,7 @@ static int get_frame_info(struct mips_frame_info *info)
+       bool is_mmips = IS_ENABLED(CONFIG_CPU_MICROMIPS);
+       union mips_instruction insn, *ip, *ip_end;
+       const unsigned int max_insns = 128;
++      unsigned int last_insn_size = 0;
+       unsigned int i;
+       info->pc_offset = -1;
+@@ -352,15 +353,19 @@ static int get_frame_info(struct mips_frame_info *info)
+       ip_end = (void *)ip + info->func_size;
+-      for (i = 0; i < max_insns && ip < ip_end; i++, ip++) {
++      for (i = 0; i < max_insns && ip < ip_end; i++) {
++              ip = (void *)ip + last_insn_size;
+               if (is_mmips && mm_insn_16bit(ip->halfword[0])) {
+                       insn.halfword[0] = 0;
+                       insn.halfword[1] = ip->halfword[0];
++                      last_insn_size = 2;
+               } else if (is_mmips) {
+                       insn.halfword[0] = ip->halfword[1];
+                       insn.halfword[1] = ip->halfword[0];
++                      last_insn_size = 4;
+               } else {
+                       insn.word = ip->word;
++                      last_insn_size = 4;
+               }
+               if (is_jump_ins(&insn))
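Review bot: The `ip < ip_end` test in the loop header now runs before `ip = (void *)ip + last_insn_size;`, so the pointer that is actually dereferenced has not been compared with `ip_end`. That affects `ip->halfword[0]`, and also `ip->halfword[1]` for a 32-bit microMIPS encoding, so on the last iteration the read can land at or beyond the end of the function being examined. Advancing in the increment expression keeps the bound check ahead of the access: `for (i = 0; i < max_insns && ip < ip_end; i++, ip = (void *)ip + last_insn_size) {`, with the first statement of the body dropped. The loop body continues outside the hunk, so any `continue` in it should be checked against whichever form is used.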
+@@ -382,8 +387,6 @@ static int get_frame_info(struct mips_frame_info *info)
+                                               tmp = (ip->halfword[0] >> 1);
+                                               info->frame_size = -(signed short)(tmp & 0xf);
+                                       }
+-                                      ip = (void *) &ip->halfword[1];
+-                                      ip--;
+                               } else
+ #endif
+                               info->frame_size = - ip->i_format.simmediate;
+-- 
+2.17.1
+
diff --git a/queue-4.4/mips-micromips-fix-decoding-of-swsp16-instruction.patch b/queue-4.4/mips-micromips-fix-decoding-of-swsp16-instruction.patch
new file mode 100644 (file)
index 0000000..26e45e9
--- /dev/null
@@ -0,0 +1,67 @@
+From d8659092796f2468af923e4dbc8f7806a53b55a8 Mon Sep 17 00:00:00 2001
+From: Matt Redfearn <matt.redfearn@imgtec.com>
+Date: Tue, 8 Aug 2017 13:22:33 +0100
+Subject: MIPS: microMIPS: Fix decoding of swsp16 instruction
+
+[ Upstream commit cea8cd498f4f1c30ea27e3664b3c671e495c4fce ]
+
+When the immediate encoded in the instruction is accessed, it is sign
+extended due to being a signed value being assigned to a signed integer.
+The ISA specifies that this operation is an unsigned operation.
+The sign extension leads us to incorrectly decode:
+
+801e9c8e:       cbf1            sw      ra,68(sp)
+
+As having an immediate of 1073741809.
+
+Since the instruction format does not specify signed/unsigned, and this
+is currently the only location to use this instuction format, change it
+to an unsigned immediate.
+
+Fixes: bb9bc4689b9c ("MIPS: Calculate microMIPS ra properly when unwinding the stack")
+Suggested-by: Paul Burton <paul.burton@imgtec.com>
+Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
+Reviewed-by: James Hogan <james.hogan@imgtec.com>
+Cc: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+Cc: Miodrag Dinic <miodrag.dinic@imgtec.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: David Daney <david.daney@cavium.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/16957/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/uapi/asm/inst.h | 2 +-
+ arch/mips/kernel/process.c        | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/include/uapi/asm/inst.h b/arch/mips/include/uapi/asm/inst.h
+index 9b44d5a816fa..1b6f2f219298 100644
+--- a/arch/mips/include/uapi/asm/inst.h
++++ b/arch/mips/include/uapi/asm/inst.h
+@@ -846,7 +846,7 @@ struct mm16_r3_format {            /* Load from global pointer format */
+ struct mm16_r5_format {               /* Load/store from stack pointer format */
+       __BITFIELD_FIELD(unsigned int opcode : 6,
+       __BITFIELD_FIELD(unsigned int rt : 5,
+-      __BITFIELD_FIELD(signed int simmediate : 5,
++      __BITFIELD_FIELD(unsigned int imm : 5,
+       __BITFIELD_FIELD(unsigned int : 16, /* Ignored */
+       ;))))
+ };
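Review bot: Renaming the bitfield from `simmediate` to `imm` changes a structure in `arch/mips/include/uapi/asm/inst.h`, which is an exported header. Any user-space code that names `mm16_r5_format.simmediate` would stop compiling, and the commit message only establishes that the kernel has a single user of this format. If the rename stays, a comment on the field would record why it is unsigned, e.g. `/* unsigned: the ISA zero-extends the swsp16 offset */`, so that it is not later "fixed" back to a signed field.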
+diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
+index a9cc74354df8..ebd8a715fe38 100644
+--- a/arch/mips/kernel/process.c
++++ b/arch/mips/kernel/process.c
+@@ -207,7 +207,7 @@ static inline int is_ra_save_ins(union mips_instruction *ip, int *poff)
+                       if (ip->mm16_r5_format.rt != 31)
+                               return 0;
+-                      *poff = ip->mm16_r5_format.simmediate;
++                      *poff = ip->mm16_r5_format.imm;
+                       *poff = (*poff << 2) / sizeof(ulong);
+                       return 1;
+-- 
+2.17.1
+
diff --git a/queue-4.4/net-cxgb3_main-fix-a-missing-check-bug.patch b/queue-4.4/net-cxgb3_main-fix-a-missing-check-bug.patch
new file mode 100644 (file)
index 0000000..86c27cc
--- /dev/null
@@ -0,0 +1,111 @@
+From 14a794db141468d480f3a0dccce512119d1df2d3 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wang6495@umn.edu>
+Date: Fri, 5 Oct 2018 08:48:27 -0500
+Subject: net: cxgb3_main: fix a missing-check bug
+
+[ Upstream commit 2c05d88818ab6571816b93edce4d53703870d7ae ]
+
+In cxgb_extension_ioctl(), the command of the ioctl is firstly copied from
+the user-space buffer 'useraddr' to 'cmd' and checked through the
+switch statement. If the command is not as expected, an error code
+EOPNOTSUPP is returned. In the following execution, i.e., the cases of the
+switch statement, the whole buffer of 'useraddr' is copied again to a
+specific data structure, according to what kind of command is requested.
+However, after the second copy, there is no re-check on the newly-copied
+command. Given that the buffer 'useraddr' is in the user space, a malicious
+user can race to change the command between the two copies. By doing so,
+the attacker can supply malicious data to the kernel and cause undefined
+behavior.
+
+This patch adds a re-check in each case of the switch statement if there is
+a second copy in that case, to re-check whether the command obtained in the
+second copy is the same as the one in the first copy. If not, an error code
+EINVAL is returned.
+
+Signed-off-by: Wenwen Wang <wang6495@umn.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+index 7ae8374bff13..3dd4c39640dc 100644
+--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+@@ -2147,6 +2147,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+                       return -EPERM;
+               if (copy_from_user(&t, useraddr, sizeof(t)))
+                       return -EFAULT;
++              if (t.cmd != CHELSIO_SET_QSET_PARAMS)
++                      return -EINVAL;
+               if (t.qset_idx >= SGE_QSETS)
+                       return -EINVAL;
+               if (!in_range(t.intr_lat, 0, M_NEWTIMER) ||
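Review bot: The added `if (t.cmd != CHELSIO_SET_QSET_PARAMS) return -EINVAL;` looks like dead code to anyone who reads only the `switch`. The reason for it is recorded only in the commit message: `copy_from_user()` fetches the command word from `useraddr` a second time, and user space can change it between the two reads. A one-line comment such as `/* useraddr was re-read; cmd must still match the case we dispatched on */` would keep a later cleanup from removing the check. The same applies to the seven other re-checks this patch adds (`CHELSIO_GET_QSET_PARAMS`, `CHELSIO_SET_QSET_NUM`, `CHELSIO_LOAD_FW`, `CHELSIO_SETMTUTAB`, `CHELSIO_SET_PM`, `CHELSIO_GET_MEM`, `CHELSIO_SET_TRACE_FILTER`). `cxgb_extension_ioctl()` starts and ends outside the hunk.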
+@@ -2246,6 +2248,9 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+               if (copy_from_user(&t, useraddr, sizeof(t)))
+                       return -EFAULT;
++              if (t.cmd != CHELSIO_GET_QSET_PARAMS)
++                      return -EINVAL;
++
+               /* Display qsets for all ports when offload enabled */
+               if (test_bit(OFFLOAD_DEVMAP_BIT, &adapter->open_device_map)) {
+                       q1 = 0;
+@@ -2291,6 +2296,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+                       return -EBUSY;
+               if (copy_from_user(&edata, useraddr, sizeof(edata)))
+                       return -EFAULT;
++              if (edata.cmd != CHELSIO_SET_QSET_NUM)
++                      return -EINVAL;
+               if (edata.val < 1 ||
+                       (edata.val > 1 && !(adapter->flags & USING_MSIX)))
+                       return -EINVAL;
+@@ -2331,6 +2338,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+                       return -EPERM;
+               if (copy_from_user(&t, useraddr, sizeof(t)))
+                       return -EFAULT;
++              if (t.cmd != CHELSIO_LOAD_FW)
++                      return -EINVAL;
+               /* Check t.len sanity ? */
+               fw_data = memdup_user(useraddr + sizeof(t), t.len);
+               if (IS_ERR(fw_data))
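Review bot: The length passed to `memdup_user(useraddr + sizeof(t), t.len)` still comes straight from the user-supplied structure with no upper bound, as the context line `/* Check t.len sanity ? */` admits. The new `t.cmd` re-check does not cover it. The visible `return -EPERM;` suggests this case is privileged (its condition is outside the hunk), but a limit before the allocation is still the right guard, e.g. `if (t.len > <MAX_FW_IMAGE_SIZE>) return -EINVAL;`, where `<MAX_FW_IMAGE_SIZE>` is a placeholder for whatever the driver's firmware format allows. The case body continues outside the hunk.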
+@@ -2354,6 +2363,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+                       return -EBUSY;
+               if (copy_from_user(&m, useraddr, sizeof(m)))
+                       return -EFAULT;
++              if (m.cmd != CHELSIO_SETMTUTAB)
++                      return -EINVAL;
+               if (m.nmtus != NMTUS)
+                       return -EINVAL;
+               if (m.mtus[0] < 81)     /* accommodate SACK */
+@@ -2395,6 +2406,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+                       return -EBUSY;
+               if (copy_from_user(&m, useraddr, sizeof(m)))
+                       return -EFAULT;
++              if (m.cmd != CHELSIO_SET_PM)
++                      return -EINVAL;
+               if (!is_power_of_2(m.rx_pg_sz) ||
+                       !is_power_of_2(m.tx_pg_sz))
+                       return -EINVAL; /* not power of 2 */
+@@ -2428,6 +2441,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+                       return -EIO;    /* need the memory controllers */
+               if (copy_from_user(&t, useraddr, sizeof(t)))
+                       return -EFAULT;
++              if (t.cmd != CHELSIO_GET_MEM)
++                      return -EINVAL;
+               if ((t.addr & 7) || (t.len & 7))
+                       return -EINVAL;
+               if (t.mem_id == MEM_CM)
+@@ -2480,6 +2495,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
+                       return -EAGAIN;
+               if (copy_from_user(&t, useraddr, sizeof(t)))
+                       return -EFAULT;
++              if (t.cmd != CHELSIO_SET_TRACE_FILTER)
++                      return -EINVAL;
+               tp = (const struct trace_params *)&t.sip;
+               if (t.config_tx)
+-- 
+2.17.1
+
diff --git a/queue-4.4/net-drop-write-only-stack-variable.patch b/queue-4.4/net-drop-write-only-stack-variable.patch
new file mode 100644 (file)
index 0000000..7383590
--- /dev/null
@@ -0,0 +1,52 @@
+From bde697786ee248d917716ad61fdc81739590cd6a Mon Sep 17 00:00:00 2001
+From: David Herrmann <dh.herrmann@gmail.com>
+Date: Tue, 2 Feb 2016 18:17:54 +0100
+Subject: net: drop write-only stack variable
+
+[ Upstream commit 3575dbf2cbbc8e598f17ec441aed526dbea0e1bd ]
+
+Remove a write-only stack variable from unix_attach_fds(). This is a
+left-over from the security fix in:
+
+    commit 712f4aad406bb1ed67f3f98d04c044191f0ff593
+    Author: willy tarreau <w@1wt.eu>
+    Date:   Sun Jan 10 07:54:56 2016 +0100
+
+        unix: properly account for FDs passed over unix sockets
+
+Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index e05ec54ac53f..c6b1eec94911 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1531,7 +1531,6 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
+ {
+       int i;
+       unsigned char max_level = 0;
+-      int unix_sock_count = 0;
+       if (too_many_unix_fds(current))
+               return -ETOOMANYREFS;
+@@ -1539,11 +1538,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
+       for (i = scm->fp->count - 1; i >= 0; i--) {
+               struct sock *sk = unix_get_socket(scm->fp->fp[i]);
+-              if (sk) {
+-                      unix_sock_count++;
++              if (sk)
+                       max_level = max(max_level,
+                                       unix_sk(sk)->recursion_level);
+-              }
+       }
+       if (unlikely(max_level > MAX_RECURSION_LEVEL))
+               return -ETOOMANYREFS;
+-- 
+2.17.1
+
diff --git a/queue-4.4/net-mlx4_en-resolve-dividing-by-zero-in-32-bit-syste.patch b/queue-4.4/net-mlx4_en-resolve-dividing-by-zero-in-32-bit-syste.patch
new file mode 100644 (file)
index 0000000..8d48635
--- /dev/null
@@ -0,0 +1,41 @@
+From 1eba23415a8fe71f99eb7c5d36efa90e107873bc Mon Sep 17 00:00:00 2001
+From: Eugenia Emantayev <eugenia@mellanox.com>
+Date: Thu, 27 Oct 2016 16:27:16 +0300
+Subject: net/mlx4_en: Resolve dividing by zero in 32-bit system
+
+[ Upstream commit 4850cf4581578216468b7b3c3d06cc5abb0a697d ]
+
+When doing roundup_pow_of_two for large enough number with
+bit 31, an overflow will occur and a value equal to 1 will
+be returned. In this case 1 will be subtracted from the return
+value and division by zero will be reached.
+
+Fixes: 31c128b66e5b ("net/mlx4_en: Choose time-stamping shift value according to HW frequency")
+Signed-off-by: Eugenia Emantayev <eugenia@mellanox.com>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_clock.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/en_clock.c b/drivers/net/ethernet/mellanox/mlx4/en_clock.c
+index 4dccf7287f0f..52e4ed2f639d 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/en_clock.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_clock.c
+@@ -251,8 +251,11 @@ static u32 freq_to_shift(u16 freq)
+ {
+       u32 freq_khz = freq * 1000;
+       u64 max_val_cycles = freq_khz * 1000 * MLX4_EN_WRAP_AROUND_SEC;
++      u64 tmp_rounded =
++              roundup_pow_of_two(max_val_cycles) > max_val_cycles ?
++              roundup_pow_of_two(max_val_cycles) - 1 : UINT_MAX;
+       u64 max_val_cycles_rounded = is_power_of_2(max_val_cycles + 1) ?
+-              max_val_cycles : roundup_pow_of_two(max_val_cycles) - 1;
++              max_val_cycles : tmp_rounded;
+       /* calculate max possible multiplier in order to fit in 64bit */
+       u64 max_mul = div_u64(0xffffffffffffffffULL, max_val_cycles_rounded);
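Review bot: The new `tmp_rounded` guard detects the wrap in `roundup_pow_of_two()` only after it has happened, and the context line `u64 max_val_cycles = freq_khz * 1000 * MLX4_EN_WRAP_AROUND_SEC;` can wrap earlier. That product is evaluated in the operands' type before being widened to `u64`, and the constant's type is not visible in the hunk. Widening first, `u64 max_val_cycles = (u64)freq_khz * 1000 * MLX4_EN_WRAP_AROUND_SEC;`, makes the stored value exact. It then needs to be checked that `roundup_pow_of_two()`, which as far as I know works on `unsigned long`, is not handed a value wider than 32 bits on a 32-bit build. The fallback `UINT_MAX` assigned to a `u64` also deserves a comment saying it is the intended 32-bit ceiling. `freq_to_shift()` continues outside the hunk.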
+-- 
+2.17.1
+
diff --git a/queue-4.4/net-mlx5e-correctly-handle-rss-indirection-table-whe.patch b/queue-4.4/net-mlx5e-correctly-handle-rss-indirection-table-whe.patch
new file mode 100644 (file)
index 0000000..e9fc391
--- /dev/null
@@ -0,0 +1,96 @@
+From c4286b801d6f1d459c6999725b48b66b46c45427 Mon Sep 17 00:00:00 2001
+From: Tariq Toukan <tariqt@mellanox.com>
+Date: Mon, 29 Feb 2016 21:17:13 +0200
+Subject: net/mlx5e: Correctly handle RSS indirection table when changing
+ number of channels
+
+[ Upstream commit 85082dba0a5059c538cfa786d07f5ec5370d22fe ]
+
+Upon changing num_channels, reset the RSS indirection table to
+match the new value.
+
+Fixes: 2d75b2bc8a8c ('net/mlx5e: Add ethtool RSS configuration options')
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en.h      |  2 ++
+ .../net/ethernet/mellanox/mlx5/core/en_ethtool.c  |  2 ++
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 15 +++++++++++----
+ 3 files changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h
+index 22e72bf1ae48..7a716733d9ca 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h
+@@ -586,6 +586,8 @@ int mlx5e_redirect_rqt(struct mlx5e_priv *priv, enum mlx5e_rqt_ix rqt_ix);
+ int mlx5e_open_locked(struct net_device *netdev);
+ int mlx5e_close_locked(struct net_device *netdev);
++void mlx5e_build_default_indir_rqt(u32 *indirection_rqt, int len,
++                                 int num_channels);
+ static inline void mlx5e_tx_notify_hw(struct mlx5e_sq *sq,
+                                     struct mlx5e_tx_wqe *wqe, int bf_sz)
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+index 7cc9df717323..7ee301310817 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -385,6 +385,8 @@ static int mlx5e_set_channels(struct net_device *dev,
+               mlx5e_close_locked(dev);
+       priv->params.num_channels = count;
++      mlx5e_build_default_indir_rqt(priv->params.indirection_rqt,
++                                    MLX5E_INDIR_RQT_SIZE, count);
+       if (was_opened)
+               err = mlx5e_open_locked(dev);
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 765b069d6a90..26d25ecdca7e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -1186,7 +1186,6 @@ static void mlx5e_fill_indir_rqt_rqns(struct mlx5e_priv *priv, void *rqtc)
+                       ix = mlx5e_bits_invert(i, MLX5E_LOG_INDIR_RQT_SIZE);
+               ix = priv->params.indirection_rqt[ix];
+-              ix = ix % priv->params.num_channels;
+               MLX5_SET(rqtc, rqtc, rq_num[i],
+                        test_bit(MLX5E_STATE_OPENED, &priv->state) ?
+                        priv->channel[ix]->rq.rqn :
+@@ -1983,12 +1982,20 @@ u16 mlx5e_get_max_inline_cap(struct mlx5_core_dev *mdev)
+              2 /*sizeof(mlx5e_tx_wqe.inline_hdr_start)*/;
+ }
++void mlx5e_build_default_indir_rqt(u32 *indirection_rqt, int len,
++                                 int num_channels)
++{
++      int i;
++
++      for (i = 0; i < len; i++)
++              indirection_rqt[i] = i % num_channels;
++}
++
+ static void mlx5e_build_netdev_priv(struct mlx5_core_dev *mdev,
+                                   struct net_device *netdev,
+                                   int num_channels)
+ {
+       struct mlx5e_priv *priv = netdev_priv(netdev);
+-      int i;
+       priv->params.log_sq_size           =
+               MLX5E_PARAMS_DEFAULT_LOG_SQ_SIZE;
+@@ -2012,8 +2019,8 @@ static void mlx5e_build_netdev_priv(struct mlx5_core_dev *mdev,
+       netdev_rss_key_fill(priv->params.toeplitz_hash_key,
+                           sizeof(priv->params.toeplitz_hash_key));
+-      for (i = 0; i < MLX5E_INDIR_RQT_SIZE; i++)
+-              priv->params.indirection_rqt[i] = i % num_channels;
++      mlx5e_build_default_indir_rqt(priv->params.indirection_rqt,
++                                    MLX5E_INDIR_RQT_SIZE, num_channels);
+       priv->params.lro_wqe_sz            =
+               MLX5E_PARAMS_DEFAULT_LRO_WQE_SZ;
+-- 
+2.17.1
+
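Review bot: With `ix = ix % priv->params.num_channels;` removed from mlx5e_fill_indir_rqt_rqns(), `priv->channel[ix]` is indexed by whatever value is stored in `priv->params.indirection_rqt[]`, so every writer of that table must now keep its entries below num_channels. The reset added in mlx5e_set_channels() covers a channel-count change, but the ethtool path that stores a user-supplied indirection table is outside these hunks and should be confirmed to reject entries `>= priv->params.num_channels`. Separately, mlx5e_build_default_indir_rqt() computes `i % num_channels` with no guard, so it should state in a comment, or assert with `WARN_ON(num_channels <= 0)`, that callers pass a positive count. The bodies of mlx5e_fill_indir_rqt_rqns() and mlx5e_set_channels() continue outside the hunks.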
diff --git a/queue-4.4/net-mlx5e-fix-lro-modify.patch b/queue-4.4/net-mlx5e-fix-lro-modify.patch
new file mode 100644 (file)
index 0000000..0f75369
--- /dev/null
@@ -0,0 +1,73 @@
+From 1b3b9fa723f61536909a37de1df9977a3bc2ce59 Mon Sep 17 00:00:00 2001
+From: Tariq Toukan <tariqt@mellanox.com>
+Date: Mon, 29 Feb 2016 21:17:10 +0200
+Subject: net/mlx5e: Fix LRO modify
+
+[ Upstream commit ab0394fe2c258fdb5086c51a251b28f8ee7ab35c ]
+
+Ethtool LRO enable/disable is broken, as of today we only modify TCP
+TIRs in order to apply the requested configuration.
+
+Hardware requires that all TIRs pointing to the same RQ should share the
+same LRO configuration. For that all other TIRs' LRO fields must be
+modified as well.
+
+Fixes: 5c50368f3831 ('net/mlx5e: Light-weight netdev open/stop')
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 90e876ecc720..765b069d6a90 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -1304,7 +1304,7 @@ static void mlx5e_build_tir_ctx_lro(void *tirc, struct mlx5e_priv *priv)
+                             lro_timer_supported_periods[2]));
+ }
+-static int mlx5e_modify_tir_lro(struct mlx5e_priv *priv, int tt)
++static int mlx5e_modify_tirs_lro(struct mlx5e_priv *priv)
+ {
+       struct mlx5_core_dev *mdev = priv->mdev;
+@@ -1312,6 +1312,7 @@ static int mlx5e_modify_tir_lro(struct mlx5e_priv *priv, int tt)
+       void *tirc;
+       int inlen;
+       int err;
++      int tt;
+       inlen = MLX5_ST_SZ_BYTES(modify_tir_in);
+       in = mlx5_vzalloc(inlen);
+@@ -1323,7 +1324,11 @@ static int mlx5e_modify_tir_lro(struct mlx5e_priv *priv, int tt)
+       mlx5e_build_tir_ctx_lro(tirc, priv);
+-      err = mlx5_core_modify_tir(mdev, priv->tirn[tt], in, inlen);
++      for (tt = 0; tt < MLX5E_NUM_TT; tt++) {
++              err = mlx5_core_modify_tir(mdev, priv->tirn[tt], in, inlen);
++              if (err)
++                      break;
++      }
+       kvfree(in);
+@@ -1870,8 +1875,10 @@ static int mlx5e_set_features(struct net_device *netdev,
+                       mlx5e_close_locked(priv->netdev);
+               priv->params.lro_en = !!(features & NETIF_F_LRO);
+-              mlx5e_modify_tir_lro(priv, MLX5E_TT_IPV4_TCP);
+-              mlx5e_modify_tir_lro(priv, MLX5E_TT_IPV6_TCP);
++              err = mlx5e_modify_tirs_lro(priv);
++              if (err)
++                      mlx5_core_warn(priv->mdev, "lro modify failed, %d\n",
++                                     err);
+               if (was_opened)
+                       err = mlx5e_open_locked(priv->netdev);
+-- 
+2.17.1
+
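Review bot: In mlx5e_set_features() the result of `mlx5e_modify_tirs_lro(priv)` is only logged and is then overwritten by `err = mlx5e_open_locked(priv->netdev);` when the device was open, so a failed LRO change can be reported as success while `priv->params.lro_en` already holds the new value. The loop in mlx5e_modify_tirs_lro() also breaks at the first failing TIR, leaving earlier TIRs modified and later ones untouched, which is the mixed state the commit message says the hardware does not allow. Consider keeping the first error, e.g. `int open_err = mlx5e_open_locked(priv->netdev); if (!err) err = open_err;`, and restoring `lro_en` when the modify fails. How err is finally returned is outside the hunk.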
diff --git a/queue-4.4/perf-core-don-t-leak-event-in-the-syscall-error-path.patch b/queue-4.4/perf-core-don-t-leak-event-in-the-syscall-error-path.patch
new file mode 100644 (file)
index 0000000..abb0a3c
--- /dev/null
@@ -0,0 +1,45 @@
+From 17c091d6ca477571d0d46e6bbe8f5c04f112567a Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Mon, 21 Mar 2016 10:02:42 +0200
+Subject: perf/core: Don't leak event in the syscall error path
+
+[ Upstream commit 201c2f85bd0bc13b712d9c0b3d11251b182e06ae ]
+
+In the error path, event_file not being NULL is used to determine
+whether the event itself still needs to be free'd, so fix it up to
+avoid leaking.
+
+Reported-by: Leon Yu <chianglungyu@gmail.com>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Fixes: 130056275ade ("perf: Do not double free")
+Link: http://lkml.kernel.org/r/87twk06yxp.fsf@ashishki-desk.ger.corp.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 990ac41d8a5f..68b75dfceb0c 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -8530,6 +8530,7 @@ SYSCALL_DEFINE5(perf_event_open,
+                                       f_flags);
+       if (IS_ERR(event_file)) {
+               err = PTR_ERR(event_file);
++              event_file = NULL;
+               goto err_context;
+       }
+-- 
+2.17.1
+
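Review bot: The added `event_file = NULL;` carries no comment, and it looks redundant unless the reader knows that an ERR_PTR value is non-NULL and that, per the commit message, the error path uses a NULL event_file to decide whether the event itself still has to be freed. A comment above the assignment would keep it from being dropped in a later cleanup, e.g. `/* ERR_PTR is non-NULL; clear it so the error path still frees the event */`. The unwinding code after err_context is outside the hunk, so where the free happens cannot be checked here.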
diff --git a/queue-4.4/perf-ring_buffer-prevent-concurent-ring-buffer-acces.patch b/queue-4.4/perf-ring_buffer-prevent-concurent-ring-buffer-acces.patch
new file mode 100644 (file)
index 0000000..db05cce
--- /dev/null
@@ -0,0 +1,107 @@
+From ed4801ffdefb39fc33b6ff09af3b9c14daee8c65 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@redhat.com>
+Date: Sun, 23 Sep 2018 18:13:43 +0200
+Subject: perf/ring_buffer: Prevent concurent ring buffer access
+
+[ Upstream commit cd6fb677ce7e460c25bdd66f689734102ec7d642 ]
+
+Some of the scheduling tracepoints allow the perf_tp_event
+code to write to ring buffer under different cpu than the
+code is running on.
+
+This results in corrupted ring buffer data demonstrated in
+following perf commands:
+
+  # perf record -e 'sched:sched_switch,sched:sched_wakeup' perf bench sched messaging
+  # Running 'sched/messaging' benchmark:
+  # 20 sender and receiver processes per group
+  # 10 groups == 400 processes run
+
+       Total time: 0.383 [sec]
+  [ perf record: Woken up 8 times to write data ]
+  0x42b890 [0]: failed to process type: -1765585640
+  [ perf record: Captured and wrote 4.825 MB perf.data (29669 samples) ]
+
+  # perf report --stdio
+  0x42b890 [0]: failed to process type: -1765585640
+
+The reason for the corruption are some of the scheduling tracepoints,
+that have __perf_task dfined and thus allow to store data to another
+cpu ring buffer:
+
+  sched_waking
+  sched_wakeup
+  sched_wakeup_new
+  sched_stat_wait
+  sched_stat_sleep
+  sched_stat_iowait
+  sched_stat_blocked
+
+The perf_tp_event function first store samples for current cpu
+related events defined for tracepoint:
+
+    hlist_for_each_entry_rcu(event, head, hlist_entry)
+      perf_swevent_event(event, count, &data, regs);
+
+And then iterates events of the 'task' and store the sample
+for any task's event that passes tracepoint checks:
+
+  ctx = rcu_dereference(task->perf_event_ctxp[perf_sw_context]);
+
+  list_for_each_entry_rcu(event, &ctx->event_list, event_entry) {
+    if (event->attr.type != PERF_TYPE_TRACEPOINT)
+      continue;
+    if (event->attr.config != entry->type)
+      continue;
+
+    perf_swevent_event(event, count, &data, regs);
+  }
+
+Above code can race with same code running on another cpu,
+ending up with 2 cpus trying to store under the same ring
+buffer, which is specifically not allowed.
+
+This patch prevents the problem, by allowing only events with the same
+current cpu to receive the event.
+
+NOTE: this requires the use of (per-task-)per-cpu buffers for this
+feature to work; perf-record does this.
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+[peterz: small edits to Changelog]
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andrew Vagin <avagin@openvz.org>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Fixes: e6dab5ffab59 ("perf/trace: Add ability to set a target task for events")
+Link: http://lkml.kernel.org/r/20180923161343.GB15054@krava
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 990ac41d8a5f..330fcd1b1822 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -7018,6 +7018,8 @@ void perf_tp_event(u64 addr, u64 count, void *record, int entry_size,
+                       goto unlock;
+               list_for_each_entry_rcu(event, &ctx->event_list, event_entry) {
++                      if (event->cpu != smp_processor_id())
++                              continue;
+                       if (event->attr.type != PERF_TYPE_TRACEPOINT)
+                               continue;
+                       if (event->attr.config != entry->type)
+-- 
+2.17.1
+
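Review bot: The new `event->cpu != smp_processor_id()` filter in perf_tp_event() has no comment, although it changes which events are visible: task events opened without a CPU binding (event->cpu of -1, as I understand the perf convention) no longer receive samples from the `__perf_task` tracepoints. The commit message states the per-cpu buffer requirement, but a maintainer reading the loop will not see it. Suggest adding above the check `/* deliver only to events bound to this CPU; cross-CPU delivery lets two CPUs write one ring buffer */`. The function body starts and ends outside the hunk.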
diff --git a/queue-4.4/pm-devfreq-tegra-fix-error-return-code-in-tegra_devf.patch b/queue-4.4/pm-devfreq-tegra-fix-error-return-code-in-tegra_devf.patch
new file mode 100644 (file)
index 0000000..1388623
--- /dev/null
@@ -0,0 +1,44 @@
+From bfe418fc973ae0227fbd32689ab7dec455add0b6 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+Date: Mon, 3 Jul 2017 07:47:38 -0500
+Subject: PM / devfreq: tegra: fix error return code in tegra_devfreq_probe()
+
+[ Upstream commit 9e578b37505018622dfafc40eed7cd78ff2af221 ]
+
+platform_get_irq() returns an error code, but the tegra-devfreq
+driver ignores it and always returns -ENODEV. This is not correct,
+and prevents -EPROBE_DEFER from being propagated properly.
+
+Notice that platform_get_irq() no longer returns 0 on error:
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af
+
+Print and propagate the return value of platform_get_irq on failure.
+
+Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
+Signed-off-by: MyungJoo Ham <myungjoo.ham@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/devfreq/tegra-devfreq.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/devfreq/tegra-devfreq.c b/drivers/devfreq/tegra-devfreq.c
+index 848b93ee930f..64a2e02b87d7 100644
+--- a/drivers/devfreq/tegra-devfreq.c
++++ b/drivers/devfreq/tegra-devfreq.c
+@@ -688,9 +688,9 @@ static int tegra_devfreq_probe(struct platform_device *pdev)
+       }
+       irq = platform_get_irq(pdev, 0);
+-      if (irq <= 0) {
+-              dev_err(&pdev->dev, "Failed to get IRQ\n");
+-              return -ENODEV;
++      if (irq < 0) {
++              dev_err(&pdev->dev, "Failed to get IRQ: %d\n", irq);
++              return irq;
+       }
+       platform_set_drvdata(pdev, tegra);
+-- 
+2.17.1
+
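Review bot: Relaxing the test from `irq <= 0` to `irq < 0` in tegra_devfreq_probe() is only safe if platform_get_irq() in this 4.4 tree already contains the change the commit message links to (e330b9a6bb35), and nothing in this queue shows that it does. Without that prerequisite a 0 returned on error would pass the check and be used as an IRQ number by the code that follows outside the hunk. A form that is correct in both cases keeps `if (irq <= 0) {` and returns `irq < 0 ? irq : -ENODEV;`, which still propagates -EPROBE_DEFER.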
diff --git a/queue-4.4/pxa168fb-prepare-the-clock.patch b/queue-4.4/pxa168fb-prepare-the-clock.patch
new file mode 100644 (file)
index 0000000..f7cf39e
--- /dev/null
@@ -0,0 +1,80 @@
+From 2625a62692256519f46a6075c4cf9a06d5c7ca8e Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Wed, 26 Sep 2018 18:11:22 +0200
+Subject: pxa168fb: prepare the clock
+
+[ Upstream commit d85536cde91fcfed6fb8d983783bd2b92c843939 ]
+
+Add missing prepare/unprepare operations for fbi->clk,
+this fixes following kernel warning:
+
+  ------------[ cut here ]------------
+  WARNING: CPU: 0 PID: 1 at drivers/clk/clk.c:874 clk_core_enable+0x2c/0x1b0
+  Enabling unprepared disp0_clk
+  Modules linked in:
+  CPU: 0 PID: 1 Comm: swapper Not tainted 4.18.0-rc8-00032-g02b43ddd4f21-dirty #25
+  Hardware name: Marvell MMP2 (Device Tree Support)
+  [<c010f7cc>] (unwind_backtrace) from [<c010cc6c>] (show_stack+0x10/0x14)
+  [<c010cc6c>] (show_stack) from [<c011dab4>] (__warn+0xd8/0xf0)
+  [<c011dab4>] (__warn) from [<c011db10>] (warn_slowpath_fmt+0x44/0x6c)
+  [<c011db10>] (warn_slowpath_fmt) from [<c043898c>] (clk_core_enable+0x2c/0x1b0)
+  [<c043898c>] (clk_core_enable) from [<c0439ec8>] (clk_core_enable_lock+0x18/0x2c)
+  [<c0439ec8>] (clk_core_enable_lock) from [<c0436698>] (pxa168fb_probe+0x464/0x6ac)
+  [<c0436698>] (pxa168fb_probe) from [<c04779a0>] (platform_drv_probe+0x48/0x94)
+  [<c04779a0>] (platform_drv_probe) from [<c0475bec>] (driver_probe_device+0x328/0x470)
+  [<c0475bec>] (driver_probe_device) from [<c0475de4>] (__driver_attach+0xb0/0x124)
+  [<c0475de4>] (__driver_attach) from [<c0473c38>] (bus_for_each_dev+0x64/0xa0)
+  [<c0473c38>] (bus_for_each_dev) from [<c0474ee0>] (bus_add_driver+0x1b8/0x230)
+  [<c0474ee0>] (bus_add_driver) from [<c0476a20>] (driver_register+0xac/0xf0)
+  [<c0476a20>] (driver_register) from [<c0102dd4>] (do_one_initcall+0xb8/0x1f0)
+  [<c0102dd4>] (do_one_initcall) from [<c0b010a0>] (kernel_init_freeable+0x294/0x2e0)
+  [<c0b010a0>] (kernel_init_freeable) from [<c07e9eb8>] (kernel_init+0x8/0x10c)
+  [<c07e9eb8>] (kernel_init) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
+  Exception stack(0xd008bfb0 to 0xd008bff8)
+  bfa0:                                     00000000 00000000 00000000 00000000
+  bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+  bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
+  ---[ end trace c0af40f9e2ed7cb4 ]---
+
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+[b.zolnierkie: enhance patch description a bit]
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/pxa168fb.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/video/fbdev/pxa168fb.c b/drivers/video/fbdev/pxa168fb.c
+index efb57c059997..5190b1749e2a 100644
+--- a/drivers/video/fbdev/pxa168fb.c
++++ b/drivers/video/fbdev/pxa168fb.c
+@@ -712,7 +712,7 @@ static int pxa168fb_probe(struct platform_device *pdev)
+       /*
+        * enable controller clock
+        */
+-      clk_enable(fbi->clk);
++      clk_prepare_enable(fbi->clk);
+       pxa168fb_set_par(info);
+@@ -767,7 +767,7 @@ static int pxa168fb_probe(struct platform_device *pdev)
+ failed_free_cmap:
+       fb_dealloc_cmap(&info->cmap);
+ failed_free_clk:
+-      clk_disable(fbi->clk);
++      clk_disable_unprepare(fbi->clk);
+ failed_free_fbmem:
+       dma_free_coherent(fbi->dev, info->fix.smem_len,
+                       info->screen_base, fbi->fb_start_dma);
+@@ -807,7 +807,7 @@ static int pxa168fb_remove(struct platform_device *pdev)
+       dma_free_writecombine(fbi->dev, PAGE_ALIGN(info->fix.smem_len),
+                               info->screen_base, info->fix.smem_start);
+-      clk_disable(fbi->clk);
++      clk_disable_unprepare(fbi->clk);
+       framebuffer_release(info);
+-- 
+2.17.1
+
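Review bot: `clk_prepare_enable(fbi->clk);` in pxa168fb_probe() discards the return value, so if preparing or enabling the clock fails the probe carries on to `pxa168fb_set_par(info)`, which presumably touches controller registers, and the later `clk_disable_unprepare()` calls would then unbalance the clock's counts. Suggest `ret = clk_prepare_enable(fbi->clk);` followed by `if (ret) goto failed_free_fbmem;`, which skips the failed_free_clk label. Whether a `ret` variable is already declared is not visible, since the function begins outside the hunk.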
diff --git a/queue-4.4/r8152-check-for-supported-wake-on-lan-modes.patch b/queue-4.4/r8152-check-for-supported-wake-on-lan-modes.patch
new file mode 100644 (file)
index 0000000..8e92804
--- /dev/null
@@ -0,0 +1,36 @@
+From 5460e37d5dda27670eccd6d4649315b2ba6e2c9d Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:54 -0700
+Subject: r8152: Check for supported Wake-on-LAN Modes
+
+[ Upstream commit f2750df1548bd8a2b060eb609fc43ca82811af4c ]
+
+The driver does not check for Wake-on-LAN modes specified by an user,
+but will conditionally set the device as wake-up enabled or not based on
+that, which could be a very confusing user experience.
+
+Fixes: 21ff2e8976b1 ("r8152: support WOL")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index 2bb336cb13ee..2d83689374bb 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -3663,6 +3663,9 @@ static int rtl8152_set_wol(struct net_device *dev, struct ethtool_wolinfo *wol)
+       if (!rtl_can_wakeup(tp))
+               return -EOPNOTSUPP;
++      if (wol->wolopts & ~WAKE_ANY)
++              return -EINVAL;
++
+       ret = usb_autopm_get_interface(tp->intf);
+       if (ret < 0)
+               goto out_set_wol;
+-- 
+2.17.1
+
diff --git a/queue-4.4/radix-tree-fix-radix_tree_iter_retry-for-tagged-iter.patch b/queue-4.4/radix-tree-fix-radix_tree_iter_retry-for-tagged-iter.patch
new file mode 100644 (file)
index 0000000..b21b7a5
--- /dev/null
@@ -0,0 +1,63 @@
+From 373e2d361f49acd352ad60425580142292d522d7 Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Wed, 20 Jul 2016 15:45:00 -0700
+Subject: radix-tree: fix radix_tree_iter_retry() for tagged iterators.
+
+[ Upstream commit 3cb9185c67304b2a7ea9be73e7d13df6fb2793a1 ]
+
+radix_tree_iter_retry() resets slot to NULL, but it doesn't reset tags.
+Then NULL slot and non-zero iter.tags passed to radix_tree_next_slot()
+leading to crash:
+
+  RIP: radix_tree_next_slot include/linux/radix-tree.h:473
+    find_get_pages_tag+0x334/0x930 mm/filemap.c:1452
+  ....
+  Call Trace:
+    pagevec_lookup_tag+0x3a/0x80 mm/swap.c:960
+    mpage_prepare_extent_to_map+0x321/0xa90 fs/ext4/inode.c:2516
+    ext4_writepages+0x10be/0x2b20 fs/ext4/inode.c:2736
+    do_writepages+0x97/0x100 mm/page-writeback.c:2364
+    __filemap_fdatawrite_range+0x248/0x2e0 mm/filemap.c:300
+    filemap_write_and_wait_range+0x121/0x1b0 mm/filemap.c:490
+    ext4_sync_file+0x34d/0xdb0 fs/ext4/fsync.c:115
+    vfs_fsync_range+0x10a/0x250 fs/sync.c:195
+    vfs_fsync fs/sync.c:209
+    do_fsync+0x42/0x70 fs/sync.c:219
+    SYSC_fdatasync fs/sync.c:232
+    SyS_fdatasync+0x19/0x20 fs/sync.c:230
+    entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207
+
+We must reset iterator's tags to bail out from radix_tree_next_slot()
+and go to the slow-path in radix_tree_next_chunk().
+
+Fixes: 46437f9a554f ("radix-tree: fix race in gang lookup")
+Link: http://lkml.kernel.org/r/1468495196-10604-1-git-send-email-aryabinin@virtuozzo.com
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Acked-by: Konstantin Khlebnikov <koct9i@gmail.com>
+Cc: Matthew Wilcox <willy@linux.intel.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/radix-tree.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/radix-tree.h b/include/linux/radix-tree.h
+index 5d5174b59802..673dee29a9b9 100644
+--- a/include/linux/radix-tree.h
++++ b/include/linux/radix-tree.h
+@@ -382,6 +382,7 @@ static inline __must_check
+ void **radix_tree_iter_retry(struct radix_tree_iter *iter)
+ {
+       iter->next_index = iter->index;
++      iter->tags = 0;
+       return NULL;
+ }
+-- 
+2.17.1
+
diff --git a/queue-4.4/sch_red-update-backlog-as-well.patch b/queue-4.4/sch_red-update-backlog-as-well.patch
new file mode 100644 (file)
index 0000000..89696df
--- /dev/null
@@ -0,0 +1,55 @@
+From 225638b64131007386cad06352e76de821e2d48a Mon Sep 17 00:00:00 2001
+From: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Wed, 1 Jun 2016 16:15:18 -0700
+Subject: sch_red: update backlog as well
+
+[ Upstream commit d7f4f332f082c4d4ba53582f902ed6b44fd6f45e ]
+
+Fixes: 2ccccf5fb43f ("net_sched: update hierarchical backlog too")
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_red.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c
+index 0505b8408c8b..4bf2b599ef98 100644
+--- a/net/sched/sch_red.c
++++ b/net/sched/sch_red.c
+@@ -97,6 +97,7 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch)
+       ret = qdisc_enqueue(skb, child);
+       if (likely(ret == NET_XMIT_SUCCESS)) {
++              qdisc_qstats_backlog_inc(sch, skb);
+               sch->q.qlen++;
+       } else if (net_xmit_drop_count(ret)) {
+               q->stats.pdrop++;
+@@ -118,6 +119,7 @@ static struct sk_buff *red_dequeue(struct Qdisc *sch)
+       skb = child->dequeue(child);
+       if (skb) {
+               qdisc_bstats_update(sch, skb);
++              qdisc_qstats_backlog_dec(sch, skb);
+               sch->q.qlen--;
+       } else {
+               if (!red_is_idling(&q->vars))
+@@ -143,6 +145,7 @@ static unsigned int red_drop(struct Qdisc *sch)
+       if (child->ops->drop && (len = child->ops->drop(child)) > 0) {
+               q->stats.other++;
+               qdisc_qstats_drop(sch);
++              sch->qstats.backlog -= len;
+               sch->q.qlen--;
+               return len;
+       }
+@@ -158,6 +161,7 @@ static void red_reset(struct Qdisc *sch)
+       struct red_sched_data *q = qdisc_priv(sch);
+       qdisc_reset(q->qdisc);
++      sch->qstats.backlog = 0;
+       sch->q.qlen = 0;
+       red_restart(&q->vars);
+ }
+-- 
+2.17.1
+
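Review bot: In red_enqueue() the added `qdisc_qstats_backlog_inc(sch, skb);` reads the packet length from skb after `qdisc_enqueue(skb, child)` has handed ownership to the child qdisc, which may already have freed or replaced the buffer, so this is a potential use-after-free. It is safer to capture the length first with `unsigned int len = qdisc_pkt_len(skb);` before the enqueue and then use `sch->qstats.backlog += len;` in the success branch. That form also matches the direct `sch->qstats.backlog -= len;` this patch adds in red_drop(). red_enqueue() starts outside the hunk.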
diff --git a/queue-4.4/sched-cgroup-fix-cgroup-entity-load-tracking-tear-do.patch b/queue-4.4/sched-cgroup-fix-cgroup-entity-load-tracking-tear-do.patch
new file mode 100644 (file)
index 0000000..2d91258
--- /dev/null
@@ -0,0 +1,140 @@
+From eaee22c5f29a8e5e65ba1dbbd9ce20fc5c2fec8e Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 21 Jan 2016 22:24:16 +0100
+Subject: sched/cgroup: Fix cgroup entity load tracking tear-down
+
+[ Upstream commit 6fe1f348b3dd1f700f9630562b7d38afd6949568 ]
+
+When a cgroup's CPU runqueue is destroyed, it should remove its
+remaining load accounting from its parent cgroup.
+
+The current site for doing so it unsuited because its far too late and
+unordered against other cgroup removal (->css_free() will be, but we're also
+in an RCU callback).
+
+Put it in the ->css_offline() callback, which is the start of cgroup
+destruction, right after the group has been made unavailable to
+userspace. The ->css_offline() callbacks are called in hierarchical order
+after the following v4.4 commit:
+
+  aa226ff4a1ce ("cgroup: make sure a parent css isn't offlined before its children")
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Li Zefan <lizefan@huawei.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20160121212416.GL6357@twins.programming.kicks-ass.net
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c  |  4 +---
+ kernel/sched/fair.c  | 37 +++++++++++++++++++++----------------
+ kernel/sched/sched.h |  2 +-
+ 3 files changed, 23 insertions(+), 20 deletions(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 65ed3501c2ca..4743e1f2a3d1 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -7817,11 +7817,9 @@ void sched_destroy_group(struct task_group *tg)
+ void sched_offline_group(struct task_group *tg)
+ {
+       unsigned long flags;
+-      int i;
+       /* end participation in shares distribution */
+-      for_each_possible_cpu(i)
+-              unregister_fair_sched_group(tg, i);
++      unregister_fair_sched_group(tg);
+       spin_lock_irqsave(&task_group_lock, flags);
+       list_del_rcu(&tg->list);
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 3b136fb4422c..a0c5bb93a3ab 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -8154,11 +8154,8 @@ void free_fair_sched_group(struct task_group *tg)
+       for_each_possible_cpu(i) {
+               if (tg->cfs_rq)
+                       kfree(tg->cfs_rq[i]);
+-              if (tg->se) {
+-                      if (tg->se[i])
+-                              remove_entity_load_avg(tg->se[i]);
++              if (tg->se)
+                       kfree(tg->se[i]);
+-              }
+       }
+       kfree(tg->cfs_rq);
+@@ -8206,21 +8203,29 @@ err:
+       return 0;
+ }
+-void unregister_fair_sched_group(struct task_group *tg, int cpu)
++void unregister_fair_sched_group(struct task_group *tg)
+ {
+-      struct rq *rq = cpu_rq(cpu);
+       unsigned long flags;
++      struct rq *rq;
++      int cpu;
+-      /*
+-      * Only empty task groups can be destroyed; so we can speculatively
+-      * check on_list without danger of it being re-added.
+-      */
+-      if (!tg->cfs_rq[cpu]->on_list)
+-              return;
++      for_each_possible_cpu(cpu) {
++              if (tg->se[cpu])
++                      remove_entity_load_avg(tg->se[cpu]);
+-      raw_spin_lock_irqsave(&rq->lock, flags);
+-      list_del_leaf_cfs_rq(tg->cfs_rq[cpu]);
+-      raw_spin_unlock_irqrestore(&rq->lock, flags);
++              /*
++               * Only empty task groups can be destroyed; so we can speculatively
++               * check on_list without danger of it being re-added.
++               */
++              if (!tg->cfs_rq[cpu]->on_list)
++                      continue;
++
++              rq = cpu_rq(cpu);
++
++              raw_spin_lock_irqsave(&rq->lock, flags);
++              list_del_leaf_cfs_rq(tg->cfs_rq[cpu]);
++              raw_spin_unlock_irqrestore(&rq->lock, flags);
++      }
+ }
+ void init_tg_cfs_entry(struct task_group *tg, struct cfs_rq *cfs_rq,
+@@ -8302,7 +8307,7 @@ int alloc_fair_sched_group(struct task_group *tg, struct task_group *parent)
+       return 1;
+ }
+-void unregister_fair_sched_group(struct task_group *tg, int cpu) { }
++void unregister_fair_sched_group(struct task_group *tg) { }
+ #endif /* CONFIG_FAIR_GROUP_SCHED */
+diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
+index 0c9ebd82a684..af8d8c3eb8ab 100644
+--- a/kernel/sched/sched.h
++++ b/kernel/sched/sched.h
+@@ -308,7 +308,7 @@ extern int tg_nop(struct task_group *tg, void *data);
+ extern void free_fair_sched_group(struct task_group *tg);
+ extern int alloc_fair_sched_group(struct task_group *tg, struct task_group *parent);
+-extern void unregister_fair_sched_group(struct task_group *tg, int cpu);
++extern void unregister_fair_sched_group(struct task_group *tg);
+ extern void init_tg_cfs_entry(struct task_group *tg, struct cfs_rq *cfs_rq,
+                       struct sched_entity *se, int cpu,
+                       struct sched_entity *parent);
+-- 
+2.17.1
+
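Review bot: unregister_fair_sched_group() now dereferences `tg->se[cpu]` and `tg->cfs_rq[cpu]` for every possible CPU without the `if (tg->se)` and `if (tg->cfs_rq)` guards that free_fair_sched_group() keeps in the same file. That is safe only if sched_offline_group() can never run for a task group whose alloc_fair_sched_group() failed part-way. The callers are outside these hunks, so this should be confirmed or guarded with `if (!tg->se || !tg->cfs_rq) return;`. A short comment saying that load removal has to happen here at offline time rather than in the RCU free path would also record the ordering the commit message depends on.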
diff --git a/queue-4.4/scsi-aacraid-fix-typo-in-blink-status.patch b/queue-4.4/scsi-aacraid-fix-typo-in-blink-status.patch
new file mode 100644 (file)
index 0000000..f03256e
--- /dev/null
@@ -0,0 +1,36 @@
+From 8671bf69454889f2fcb5d8f6b307300cbddd678a Mon Sep 17 00:00:00 2001
+From: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
+Date: Thu, 2 Mar 2017 09:21:33 -0800
+Subject: scsi: aacraid: Fix typo in blink status
+
+[ Upstream commit 934767c56b0d9dbb95a40e9e6e4d9dcdc3a165ad ]
+
+The return status of the adapter check on KERNEL_PANIC is supposed to be
+the upper 16 bits of the OMR status register.
+
+Fixes: c421530bf848604e (scsi: aacraid: Reorder Adpater status check)
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
+Reviewed-by: Dave Carroll <david.carroll@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/aacraid/src.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/aacraid/src.c b/drivers/scsi/aacraid/src.c
+index e415e1c58eb5..cf3ac0654a3a 100644
+--- a/drivers/scsi/aacraid/src.c
++++ b/drivers/scsi/aacraid/src.c
+@@ -444,7 +444,7 @@ err_out:
+       return -1;
+ err_blink:
+-      return (status > 16) & 0xFF;
++      return (status >> 16) & 0xFF;
+ }
+ /**
+-- 
+2.17.1
+
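Review bot: The corrected return at `err_blink` keeps only bits 23:16 of `status` because of the `& 0xFF` mask, while the patch description calls the value "the upper 16 bits of the OMR status register". One of the two is imprecise, and the hunk alone does not show which. A short comment on the return would settle it, for example `/* blink code: bits 23:16 of the OMR status */`, assuming the 8-bit mask is the intended width. The same function returns -1 at `err_out`, so callers must tell an error from a blink code by sign; that contract belongs in the function's header comment, which is outside the hunk.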
diff --git a/queue-4.4/scsi-add-starget_created_remove-state-to-scsi_target.patch b/queue-4.4/scsi-add-starget_created_remove-state-to-scsi_target.patch
new file mode 100644 (file)
index 0000000..405701b
--- /dev/null
@@ -0,0 +1,140 @@
+From d064c68203fb2dfdae0b6eabd3721d2f04a36bd9 Mon Sep 17 00:00:00 2001
+From: "Ewan D. Milne" <emilne@redhat.com>
+Date: Tue, 27 Jun 2017 14:55:58 -0400
+Subject: scsi: Add STARGET_CREATED_REMOVE state to scsi_target_state
+
+[ Upstream commit f9279c968c257ee39b0d7bd2571a4d231a67bcc1 ]
+
+The addition of the STARGET_REMOVE state had the side effect of
+introducing a race condition that can cause a crash.
+
+scsi_target_reap_ref_release() checks the starget->state to
+see if it still in STARGET_CREATED, and if so, skips calling
+transport_remove_device() and device_del(), because the starget->state
+is only set to STARGET_RUNNING after scsi_target_add() has called
+device_add() and transport_add_device().
+
+However, if an rport loss occurs while a target is being scanned,
+it can happen that scsi_remove_target() will be called while the
+starget is still in the STARGET_CREATED state.  In this case, the
+starget->state will be set to STARGET_REMOVE, and as a result,
+scsi_target_reap_ref_release() will take the wrong path.  The end
+result is a panic:
+
+[ 1255.356653] Oops: 0000 [#1] SMP
+[ 1255.360154] Modules linked in: x86_pkg_temp_thermal kvm_intel kvm irqbypass crc32c_intel ghash_clmulni_i
+[ 1255.393234] CPU: 5 PID: 149 Comm: kworker/u96:4 Tainted: G        W       4.11.0+ #8
+[ 1255.401879] Hardware name: Dell Inc. PowerEdge R320/08VT7V, BIOS 2.0.22 11/19/2013
+[ 1255.410327] Workqueue: scsi_wq_6 fc_scsi_scan_rport [scsi_transport_fc]
+[ 1255.417720] task: ffff88060ca8c8c0 task.stack: ffffc900048a8000
+[ 1255.424331] RIP: 0010:kernfs_find_ns+0x13/0xc0
+[ 1255.429287] RSP: 0018:ffffc900048abbf0 EFLAGS: 00010246
+[ 1255.435123] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+[ 1255.443083] RDX: 0000000000000000 RSI: ffffffff8188d659 RDI: 0000000000000000
+[ 1255.451043] RBP: ffffc900048abc10 R08: 0000000000000000 R09: 0000012433fe0025
+[ 1255.459005] R10: 0000000025e5a4b5 R11: 0000000025e5a4b5 R12: ffffffff8188d659
+[ 1255.466972] R13: 0000000000000000 R14: ffff8805f55e5088 R15: 0000000000000000
+[ 1255.474931] FS:  0000000000000000(0000) GS:ffff880616b40000(0000) knlGS:0000000000000000
+[ 1255.483959] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1255.490370] CR2: 0000000000000068 CR3: 0000000001c09000 CR4: 00000000000406e0
+[ 1255.498332] Call Trace:
+[ 1255.501058]  kernfs_find_and_get_ns+0x31/0x60
+[ 1255.505916]  sysfs_unmerge_group+0x1d/0x60
+[ 1255.510498]  dpm_sysfs_remove+0x22/0x60
+[ 1255.514783]  device_del+0xf4/0x2e0
+[ 1255.518577]  ? device_remove_file+0x19/0x20
+[ 1255.523241]  attribute_container_class_device_del+0x1a/0x20
+[ 1255.529457]  transport_remove_classdev+0x4e/0x60
+[ 1255.534607]  ? transport_add_class_device+0x40/0x40
+[ 1255.540046]  attribute_container_device_trigger+0xb0/0xc0
+[ 1255.546069]  transport_remove_device+0x15/0x20
+[ 1255.551025]  scsi_target_reap_ref_release+0x25/0x40
+[ 1255.556467]  scsi_target_reap+0x2e/0x40
+[ 1255.560744]  __scsi_scan_target+0xaa/0x5b0
+[ 1255.565312]  scsi_scan_target+0xec/0x100
+[ 1255.569689]  fc_scsi_scan_rport+0xb1/0xc0 [scsi_transport_fc]
+[ 1255.576099]  process_one_work+0x14b/0x390
+[ 1255.580569]  worker_thread+0x4b/0x390
+[ 1255.584651]  kthread+0x109/0x140
+[ 1255.588251]  ? rescuer_thread+0x330/0x330
+[ 1255.592730]  ? kthread_park+0x60/0x60
+[ 1255.596815]  ret_from_fork+0x29/0x40
+[ 1255.600801] Code: 24 08 48 83 42 40 01 5b 41 5c 5d c3 66 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90
+[ 1255.621876] RIP: kernfs_find_ns+0x13/0xc0 RSP: ffffc900048abbf0
+[ 1255.628479] CR2: 0000000000000068
+[ 1255.632756] ---[ end trace 34a69ba0477d036f ]---
+
+Fix this by adding another scsi_target state STARGET_CREATED_REMOVE
+to distinguish this case.
+
+Fixes: f05795d3d771 ("scsi: Add intermediate STARGET_REMOVE state to scsi_target_state")
+Reported-by: David Jeffery <djeffery@redhat.com>
+Signed-off-by: Ewan D. Milne <emilne@redhat.com>
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Laurence Oberman <loberman@redhat.com>
+Tested-by: Laurence Oberman <loberman@redhat.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_scan.c   | 5 +++--
+ drivers/scsi/scsi_sysfs.c  | 8 ++++++--
+ include/scsi/scsi_device.h | 1 +
+ 3 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
+index 692445bcca6f..850ddc5fac04 100644
+--- a/drivers/scsi/scsi_scan.c
++++ b/drivers/scsi/scsi_scan.c
+@@ -381,11 +381,12 @@ static void scsi_target_reap_ref_release(struct kref *kref)
+               = container_of(kref, struct scsi_target, reap_ref);
+       /*
+-       * if we get here and the target is still in the CREATED state that
++       * if we get here and the target is still in a CREATED state that
+        * means it was allocated but never made visible (because a scan
+        * turned up no LUNs), so don't call device_del() on it.
+        */
+-      if (starget->state != STARGET_CREATED) {
++      if ((starget->state != STARGET_CREATED) &&
++          (starget->state != STARGET_CREATED_REMOVE)) {
+               transport_remove_device(&starget->dev);
+               device_del(&starget->dev);
+       }
+diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
+index 8db0c48943d6..085e470d1c49 100644
+--- a/drivers/scsi/scsi_sysfs.c
++++ b/drivers/scsi/scsi_sysfs.c
+@@ -1212,11 +1212,15 @@ restart:
+       spin_lock_irqsave(shost->host_lock, flags);
+       list_for_each_entry(starget, &shost->__targets, siblings) {
+               if (starget->state == STARGET_DEL ||
+-                  starget->state == STARGET_REMOVE)
++                  starget->state == STARGET_REMOVE ||
++                  starget->state == STARGET_CREATED_REMOVE)
+                       continue;
+               if (starget->dev.parent == dev || &starget->dev == dev) {
+                       kref_get(&starget->reap_ref);
+-                      starget->state = STARGET_REMOVE;
++                      if (starget->state == STARGET_CREATED)
++                              starget->state = STARGET_CREATED_REMOVE;
++                      else
++                              starget->state = STARGET_REMOVE;
+                       spin_unlock_irqrestore(shost->host_lock, flags);
+                       __scsi_remove_target(starget);
+                       scsi_target_reap(starget);
+diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
+index 293b9a7f53bc..fb53a94a5e8b 100644
+--- a/include/scsi/scsi_device.h
++++ b/include/scsi/scsi_device.h
+@@ -240,6 +240,7 @@ enum scsi_target_state {
+       STARGET_CREATED = 1,
+       STARGET_RUNNING,
+       STARGET_REMOVE,
++      STARGET_CREATED_REMOVE,
+       STARGET_DEL,
+ };
+-- 
+2.17.1
+
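Review bot: The new `STARGET_CREATED_REMOVE` enumerator in include/scsi/scsi_device.h is added without a comment, and the comment kept in `scsi_target_reap_ref_release()` still explains the skipped `device_del()` only by "a scan turned up no LUNs". That wording does not cover the remove-during-scan case this state exists for. I would document the state where it is declared, e.g. `STARGET_CREATED_REMOVE, /* removal requested before device_add(); reap must not call device_del() */`, and extend the reap comment in the same sense. The enumerator is also inserted before `STARGET_DEL`, so that constant's numeric value changes; for a stable backport it is worth confirming that nothing built outside the tree depends on the old value. Both functions continue outside their hunks.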
diff --git a/queue-4.4/ser_gigaset-use-container_of-instead-of-detour.patch b/queue-4.4/ser_gigaset-use-container_of-instead-of-detour.patch
new file mode 100644 (file)
index 0000000..954e014
--- /dev/null
@@ -0,0 +1,73 @@
+From 636e2b9a81b1bd7a59b64c6c2b5d1482c7783b4a Mon Sep 17 00:00:00 2001
+From: Paul Bolle <pebolle@tiscali.nl>
+Date: Thu, 18 Feb 2016 21:29:08 +0100
+Subject: ser_gigaset: use container_of() instead of detour
+
+[ Upstream commit 8d2c3ab4445640957d136caa3629857d63544a2a ]
+
+The purpose of gigaset_device_release() is to kfree() the struct
+ser_cardstate that contains our struct device. This is done via a bit of
+a detour. First we make our struct device's driver_data point to the
+container of our struct ser_cardstate (which is a struct cardstate). In
+gigaset_device_release() we then retrieve that driver_data again. And
+after that we finally kfree() the struct ser_cardstate that was saved in
+the struct cardstate.
+
+All of this can be achieved much easier by using container_of() to get
+from our struct device to its container, struct ser_cardstate. Do so.
+
+Note that at the time the detour was implemented commit b8b2c7d845d5
+("base/platform: assert that dev_pm_domain callbacks are called
+unconditionally") had just entered the tree. That commit disconnected
+our platform_device and our platform_driver. These were reconnected
+again in v4.5-rc2 through commit 25cad69f21f5 ("base/platform: Fix
+platform drivers with no probe callback"). And one of the consequences
+of that fix was that it broke the detour via driver_data. That's because
+it made __device_release_driver() stop being a NOP for our struct device
+and actually do stuff again. One of the things it now does, is setting
+our driver_data to NULL. That, in turn, makes it impossible for
+gigaset_device_release() to get to our struct cardstate. Which has the
+net effect of leaking a struct ser_cardstate at every call of this
+driver's tty close() operation. So using container_of() has the
+additional benefit of actually working.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Tested-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
+Acked-by: Tilman Schmidt <tilman@imap.cc>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/gigaset/ser-gigaset.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/drivers/isdn/gigaset/ser-gigaset.c b/drivers/isdn/gigaset/ser-gigaset.c
+index 74bf1a17ae7c..b90776ef56ec 100644
+--- a/drivers/isdn/gigaset/ser-gigaset.c
++++ b/drivers/isdn/gigaset/ser-gigaset.c
+@@ -373,13 +373,7 @@ static void gigaset_freecshw(struct cardstate *cs)
+ static void gigaset_device_release(struct device *dev)
+ {
+-      struct cardstate *cs = dev_get_drvdata(dev);
+-
+-      if (!cs)
+-              return;
+-      dev_set_drvdata(dev, NULL);
+-      kfree(cs->hw.ser);
+-      cs->hw.ser = NULL;
++      kfree(container_of(dev, struct ser_cardstate, dev.dev));
+ }
+ /*
+@@ -408,7 +402,6 @@ static int gigaset_initcshw(struct cardstate *cs)
+               cs->hw.ser = NULL;
+               return rc;
+       }
+-      dev_set_drvdata(&cs->hw.ser->dev.dev, cs);
+       tasklet_init(&cs->write_tasklet,
+                    gigaset_modem_fill, (unsigned long) cs);
+-- 
+2.17.1
+
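Review bot: `gigaset_device_release()` now frees the `struct ser_cardstate` but no longer clears `cs->hw.ser`, which the removed lines did right after `kfree()`, so the pointer held in the cardstate is left dangling once the release callback has run. Whether anything reads `cs->hw.ser` afterwards cannot be seen from here, since `gigaset_freecshw()` appears only in the hunk header. If the device is unregistered there, adding `cs->hw.ser = NULL;` after the unregister call would turn a possible use-after-free into a plain NULL test. It would also match the error path of `gigaset_initcshw()` in the second hunk, which sets `cs->hw.ser = NULL` before returning.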
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644 (file)
index 0000000..d3d09fd
--- /dev/null
@@ -0,0 +1,86 @@
+xfrm-validate-address-prefix-lengths-in-the-xfrm-sel.patch
+xfrm6-call-kfree_skb-when-skb-is-toobig.patch
+mac80211-always-report-tx-status.patch
+cfg80211-reg-init-wiphy_idx-in-regulatory_hint_core.patch
+cfg80211-address-some-corner-cases-in-scan-result-ch.patch
+arm-8799-1-mm-fix-pci_ioremap_io-offset-check.patch
+xfrm-validate-template-mode.patch
+mac80211_hwsim-do-not-omit-multicast-announce-of-fir.patch
+bluetooth-smp-fix-crash-in-unpairing.patch
+pxa168fb-prepare-the-clock.patch
+asix-check-for-supported-wake-on-lan-modes.patch
+ax88179_178a-check-for-supported-wake-on-lan-modes.patch
+lan78xx-check-for-supported-wake-on-lan-modes.patch
+sr9800-check-for-supported-wake-on-lan-modes.patch
+r8152-check-for-supported-wake-on-lan-modes.patch
+smsc75xx-check-for-wake-on-lan-modes.patch
+smsc95xx-check-for-wake-on-lan-modes.patch
+perf-ring_buffer-prevent-concurent-ring-buffer-acces.patch
+net-cxgb3_main-fix-a-missing-check-bug.patch
+keys-put-keyring-if-install_session_keyring_to_cred-.patch
+ipv6-suppress-sparse-warnings-in-ip6_ecn_set_ce.patch
+net-drop-write-only-stack-variable.patch
+ser_gigaset-use-container_of-instead-of-detour.patch
+tracing-skip-more-functions-when-doing-stack-tracing.patch
+arm-dts-apq8064-add-ahci-ports-implemented-mask.patch
+x86-mm-pat-prevent-hang-during-boot-when-mapping-pag.patch
+btrfs-cleaner_kthread-doesn-t-need-explicit-freeze.patch
+radix-tree-fix-radix_tree_iter_retry-for-tagged-iter.patch
+af_iucv-move-sockaddr-length-checks-to-before-access.patch
+net-mlx4_en-resolve-dividing-by-zero-in-32-bit-syste.patch
+ipv6-orphan-skbs-in-reassembly-unit.patch
+um-avoid-longjmp-setjmp-symbol-clashes-with-libpthre.patch
+sched-cgroup-fix-cgroup-entity-load-tracking-tear-do.patch
+btrfs-don-t-create-or-leak-aliased-root-while-cleani.patch
+thermal-allow-spear-thermal-driver-to-be-a-module.patch
+thermal-allow-u8500-thermal-driver-to-be-a-module.patch
+tpm-fix-return-rc-when-devm_add_action-fails.patch
+x86-pci-mark-broadwell-ep-home-agent-1-as-having-non.patch
+aacraid-start-adapter-after-updating-number-of-msix-.patch
+perf-core-don-t-leak-event-in-the-syscall-error-path.patch
+media-usbvision-revert-commit-588afcc1.patch
+mips-fix-fcsr-cause-bit-handling-for-correct-sigfpe-.patch
+asoc-ak4613-enable-cache-usage-to-fix-crashes-on-res.patch
+asoc-wm8940-enable-cache-usage-to-fix-crashes-on-res.patch
+cifs-handle-guest-access-errors-to-windows-shares.patch
+arm64-fix-potential-race-with-hardware-dbm-in-ptep_s.patch
+xfrm-clear-sk_dst_cache-when-applying-per-socket-pol.patch
+scsi-add-starget_created_remove-state-to-scsi_target.patch
+sparc-pci-refactor-dev_archdata-initialization-into-.patch
+sch_red-update-backlog-as-well.patch
+usb-storage-fix-bogus-hardware-error-messages-for-at.patch
+bpf-generally-move-prog-destruction-to-rcu-deferral.patch
+drm-nouveau-fbcon-fix-oops-without-fbdev-emulation.patch
+fuse-dont-call-set_page_dirty_lock-for-iter_bvec-pag.patch
+ixgbevf-fix-handling-of-napi-budget-when-multiple-qu.patch
+net-mlx5e-fix-lro-modify.patch
+net-mlx5e-correctly-handle-rss-indirection-table-whe.patch
+ixgbe-fix-rss-limit-for-x550.patch
+ixgbe-correct-x550em_x-revision-check.patch
+alsa-timer-fix-zero-division-by-continue-of-uninitia.patch
+vti6-flush-x-netns-xfrm-cache-when-vti-interface-is-.patch
+gro-allow-tunnel-stacking-in-the-case-of-fou-gue.patch
+brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch
+l2tp-hold-socket-before-dropping-lock-in-l2tp_ip-6-_.patch
+tty-serial-sprd-fix-error-return-code-in-sprd_probe.patch
+video-fbdev-pxa3xx_gcu-fix-error-return-code-in-pxa3.patch
+sparc64-mm-fix-more-tsb-sizing-issues.patch
+gpu-host1x-fix-error-return-code-in-host1x_probe.patch
+sparc64-fix-exception-handling-in-ultrasparc-iii-mem.patch
+gpio-msic-fix-error-return-code-in-platform_msic_gpi.patch
+usb-imx21-hcd-fix-error-return-code-in-imx21_probe.patch
+usb-ehci-omap-fix-error-return-code-in-ehci_hcd_omap.patch
+usb-dwc3-omap-fix-error-return-code-in-dwc3_omap_pro.patch
+spi-bcm63xx-hspi-fix-error-return-code-in-bcm63xx_hs.patch
+mips-handle-non-word-sized-instructions-when-examini.patch
+spi-bcm63xx-fix-error-return-code-in-bcm63xx_spi_pro.patch
+spi-xlp-fix-error-return-code-in-xlp_spi_probe.patch
+asoc-spear-fix-error-return-code-in-spdif_in_probe.patch
+pm-devfreq-tegra-fix-error-return-code-in-tegra_devf.patch
+bonding-avoid-defaulting-hard_header_len-to-eth_hlen.patch
+scsi-aacraid-fix-typo-in-blink-status.patch
+mips-micromips-fix-decoding-of-swsp16-instruction.patch
+igb-remove-superfluous-reset-to-phy-and-page-0-selec.patch
+mips-dec-fix-an-int-handler.s-cpu_daddi_workarounds-.patch
+arm-dts-imx53-qsb-disable-1.2ghz-opp.patch
+fs-fat-fatent.c-add-cond_resched-to-fat_count_free_c.patch
diff --git a/queue-4.4/smsc75xx-check-for-wake-on-lan-modes.patch b/queue-4.4/smsc75xx-check-for-wake-on-lan-modes.patch
new file mode 100644 (file)
index 0000000..f5745eb
--- /dev/null
@@ -0,0 +1,36 @@
+From d859e2aefb438d6c7af58fc77863776d9ab94709 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:55 -0700
+Subject: smsc75xx: Check for Wake-on-LAN modes
+
+[ Upstream commit 9c734b2769a73eea2e9e9767c0e0bf839ff23679 ]
+
+The driver does not check for Wake-on-LAN modes specified by an user,
+but will conditionally set the device as wake-up enabled or not based on
+that, which could be a very confusing user experience.
+
+Fixes: 6c636503260d ("smsc75xx: add wol magic packet support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc75xx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
+index 8dbe086e0a96..234febc6e1d9 100644
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -728,6 +728,9 @@ static int smsc75xx_ethtool_set_wol(struct net_device *net,
+       struct smsc75xx_priv *pdata = (struct smsc75xx_priv *)(dev->data[0]);
+       int ret;
++      if (wolinfo->wolopts & ~SUPPORTED_WAKE)
++              return -EINVAL;
++
+       pdata->wolopts = wolinfo->wolopts & SUPPORTED_WAKE;
+       ret = device_set_wakeup_enable(&dev->udev->dev, pdata->wolopts);
+-- 
+2.17.1
+
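Review bot: After the added `if (wolinfo->wolopts & ~SUPPORTED_WAKE) return -EINVAL;`, the mask on the following line, `pdata->wolopts = wolinfo->wolopts & SUPPORTED_WAKE;`, can no longer change the value. Either drop the mask (`pdata->wolopts = wolinfo->wolopts;`) or keep it with a comment saying it is a deliberate second check, so the next reader does not assume unsupported bits can still reach that line. The same applies to the identical hunk in the smsc95xx patch. The rest of `smsc75xx_ethtool_set_wol()`, including what is done with `ret`, is outside the hunk.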
diff --git a/queue-4.4/smsc95xx-check-for-wake-on-lan-modes.patch b/queue-4.4/smsc95xx-check-for-wake-on-lan-modes.patch
new file mode 100644 (file)
index 0000000..ebfcfb9
--- /dev/null
@@ -0,0 +1,36 @@
+From f42c5855ecff9fdb7ba19896bac24a841ea36393 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:56 -0700
+Subject: smsc95xx: Check for Wake-on-LAN modes
+
+[ Upstream commit c530c471ba37bdd9fe1c7185b01455c00ae606fb ]
+
+The driver does not check for Wake-on-LAN modes specified by an user,
+but will conditionally set the device as wake-up enabled or not based on
+that, which could be a very confusing user experience.
+
+Fixes: e0e474a83c18 ("smsc95xx: add wol magic packet support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc95xx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
+index 66b3ab9f614e..7cee7777d13f 100644
+--- a/drivers/net/usb/smsc95xx.c
++++ b/drivers/net/usb/smsc95xx.c
+@@ -727,6 +727,9 @@ static int smsc95xx_ethtool_set_wol(struct net_device *net,
+       struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]);
+       int ret;
++      if (wolinfo->wolopts & ~SUPPORTED_WAKE)
++              return -EINVAL;
++
+       pdata->wolopts = wolinfo->wolopts & SUPPORTED_WAKE;
+       ret = device_set_wakeup_enable(&dev->udev->dev, pdata->wolopts);
+-- 
+2.17.1
+
diff --git a/queue-4.4/sparc-pci-refactor-dev_archdata-initialization-into-.patch b/queue-4.4/sparc-pci-refactor-dev_archdata-initialization-into-.patch
new file mode 100644 (file)
index 0000000..4184905
--- /dev/null
@@ -0,0 +1,91 @@
+From afb97c8752984ad39f266680bebb499a94ed0e8a Mon Sep 17 00:00:00 2001
+From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Date: Mon, 11 Apr 2016 17:57:05 -0700
+Subject: sparc/pci: Refactor dev_archdata initialization into
+ pci_init_dev_archdata
+
+[ Upstream commit 9a78d4fc28904785ffe4c2d361e25b251b479704 ]
+
+The function pcibios_add_device() added by commit d0c31e020057
+("sparc/PCI: Fix for panic while enabling SR-IOV") initializes
+the dev_archdata by doing a memcpy from the PF. This has the
+problem that it erroneously copies the OF device without
+explicitly refcounting it.
+
+As David Miller pointed out: "Generally speaking we don't
+really support hot-plug for OF probed devices, but if we did
+all of the device tree pointers have to be refcounted properly."
+
+To fix this error, and also avoid code duplication, this patch
+creates a new helper function, pci_init_dev_archdata(), that
+initializes the fields in dev_archdata, and can be invoked
+by callers after they have taken the needed refcounts
+
+Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Tested-by: Babu Moger <babu.moger@oracle.com>
+Reviewed-by: Khalid Aziz <khalid.aziz@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sparc/kernel/pci.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/arch/sparc/kernel/pci.c b/arch/sparc/kernel/pci.c
+index 9f9614df9e1e..c2b202d763a1 100644
+--- a/arch/sparc/kernel/pci.c
++++ b/arch/sparc/kernel/pci.c
+@@ -245,6 +245,18 @@ static void pci_parse_of_addrs(struct platform_device *op,
+       }
+ }
++static void pci_init_dev_archdata(struct dev_archdata *sd, void *iommu,
++                                void *stc, void *host_controller,
++                                struct platform_device  *op,
++                                int numa_node)
++{
++      sd->iommu = iommu;
++      sd->stc = stc;
++      sd->host_controller = host_controller;
++      sd->op = op;
++      sd->numa_node = numa_node;
++}
++
+ static struct pci_dev *of_create_pci_dev(struct pci_pbm_info *pbm,
+                                        struct device_node *node,
+                                        struct pci_bus *bus, int devfn)
+@@ -259,13 +271,10 @@ static struct pci_dev *of_create_pci_dev(struct pci_pbm_info *pbm,
+       if (!dev)
+               return NULL;
++      op = of_find_device_by_node(node);
+       sd = &dev->dev.archdata;
+-      sd->iommu = pbm->iommu;
+-      sd->stc = &pbm->stc;
+-      sd->host_controller = pbm;
+-      sd->op = op = of_find_device_by_node(node);
+-      sd->numa_node = pbm->numa_node;
+-
++      pci_init_dev_archdata(sd, pbm->iommu, &pbm->stc, pbm, op,
++                            pbm->numa_node);
+       sd = &op->dev.archdata;
+       sd->iommu = pbm->iommu;
+       sd->stc = &pbm->stc;
+@@ -1003,9 +1012,13 @@ int pcibios_add_device(struct pci_dev *dev)
+        * Copy dev_archdata from PF to VF
+        */
+       if (dev->is_virtfn) {
++              struct dev_archdata *psd;
++
+               pdev = dev->physfn;
+-              memcpy(&dev->dev.archdata, &pdev->dev.archdata,
+-                     sizeof(struct dev_archdata));
++              psd = &pdev->dev.archdata;
++              pci_init_dev_archdata(&dev->dev.archdata, psd->iommu,
++                                    psd->stc, psd->host_controller, NULL,
++                                    psd->numa_node);
+       }
+       return 0;
+ }
+-- 
+2.17.1
+
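Review bot: In `of_create_pci_dev()` the result of `of_find_device_by_node(node)` is now assigned to `op` on its own line but is still used unchecked a few lines later in `sd = &op->dev.archdata;`, followed by stores through `sd`. If the lookup returns NULL, those stores land at a near-NULL address. A guard right after the lookup, `if (!op)` with an early exit, would close this. The exit path has to release `dev`, whose allocation is outside the hunk, so I am describing the check rather than spelling it out. This dereference predates the patch, but the refactor touches exactly these lines and is the natural place to add it.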
diff --git a/queue-4.4/sparc64-fix-exception-handling-in-ultrasparc-iii-mem.patch b/queue-4.4/sparc64-fix-exception-handling-in-ultrasparc-iii-mem.patch
new file mode 100644 (file)
index 0000000..39b6bcb
--- /dev/null
@@ -0,0 +1,50 @@
+From ddd191a297aaa0b9f7390f9176d3b2793750c01b Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Fri, 4 Aug 2017 09:47:52 -0700
+Subject: sparc64: Fix exception handling in UltraSPARC-III memcpy.
+
+[ Upstream commit 0ede1c401332173ab0693121dc6cde04a4dbf131 ]
+
+Mikael Pettersson reported that some test programs in the strace-4.18
+testsuite cause an OOPS.
+
+After some debugging it turns out that garbage values are returned
+when an exception occurs, causing the fixup memset() to be run with
+bogus arguments.
+
+The problem is that two of the exception handler stubs write the
+successfully copied length into the wrong register.
+
+Fixes: ee841d0aff64 ("sparc64: Convert U3copy_{from,to}_user to accurate exception reporting.")
+Reported-by: Mikael Pettersson <mikpelinux@gmail.com>
+Tested-by: Mikael Pettersson <mikpelinux@gmail.com>
+Reviewed-by: Sam Ravnborg <sam@ravnborg.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sparc/lib/U3memcpy.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/sparc/lib/U3memcpy.S b/arch/sparc/lib/U3memcpy.S
+index 54f98706b03b..5a8cb37f0a3b 100644
+--- a/arch/sparc/lib/U3memcpy.S
++++ b/arch/sparc/lib/U3memcpy.S
+@@ -145,13 +145,13 @@ ENDPROC(U3_retl_o2_plus_GS_plus_0x08)
+ ENTRY(U3_retl_o2_and_7_plus_GS)
+       and     %o2, 7, %o2
+       retl
+-       add    %o2, GLOBAL_SPARE, %o2
++       add    %o2, GLOBAL_SPARE, %o0
+ ENDPROC(U3_retl_o2_and_7_plus_GS)
+ ENTRY(U3_retl_o2_and_7_plus_GS_plus_8)
+       add     GLOBAL_SPARE, 8, GLOBAL_SPARE
+       and     %o2, 7, %o2
+       retl
+-       add    %o2, GLOBAL_SPARE, %o2
++       add    %o2, GLOBAL_SPARE, %o0
+ ENDPROC(U3_retl_o2_and_7_plus_GS_plus_8)
+ #endif
+-- 
+2.17.1
+
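Review bot: Neither fixed stub says which register carries its result, which is how `add %o2, GLOBAL_SPARE, %o2` could sit in the `retl` delay slot unnoticed. The stub names describe the value computed but not where it goes. A one-line comment above each `ENTRY`, e.g. `/* returns (%o2 & 7) + GLOBAL_SPARE in %o0 */` for the first, would make the contract checkable at a glance. The other `U3_retl_*` stubs are outside the hunk, so I cannot tell whether they already write `%o0` consistently.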
diff --git a/queue-4.4/sparc64-mm-fix-more-tsb-sizing-issues.patch b/queue-4.4/sparc64-mm-fix-more-tsb-sizing-issues.patch
new file mode 100644 (file)
index 0000000..e09c935
--- /dev/null
@@ -0,0 +1,180 @@
+From d8808c345867f8c3c05cfe79f2426d869835c7bc Mon Sep 17 00:00:00 2001
+From: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Wed, 31 Aug 2016 13:48:19 -0700
+Subject: sparc64 mm: Fix more TSB sizing issues
+
+[ Upstream commit 1e953d846ac015fbfcf09c857e8f893924cb629c ]
+
+Commit af1b1a9b36b8 ("sparc64 mm: Fix base TSB sizing when hugetlb
+pages are used") addressed the difference between hugetlb and THP
+pages when computing TSB sizes.  The following additional issues
+were also discovered while working with the code.
+
+In order to save memory, THP makes use of a huge zero page.  This huge
+zero page does not count against a task's RSS, but it does consume TSB
+entries.  This is similar to hugetlb pages.  Therefore, count huge
+zero page entries in hugetlb_pte_count.
+
+Accounting of THP pages is done in the routine set_pmd_at().
+Unfortunately, this does not catch the case where a THP page is split.
+To handle this case, decrement the count in pmdp_invalidate().
+pmdp_invalidate is only called when splitting a THP.  However, 'sanity
+checks' are added in case it is ever called for other purposes.
+
+A more general issue exists with HPAGE_SIZE accounting.
+hugetlb_pte_count tracks the number of HPAGE_SIZE (8M) pages.  This
+value is used to size the TSB for HPAGE_SIZE pages.  However,
+each HPAGE_SIZE page consists of two REAL_HPAGE_SIZE (4M) pages.
+The TSB contains an entry for each REAL_HPAGE_SIZE page.  Therefore,
+the number of REAL_HPAGE_SIZE pages should be used to size the huge
+page TSB.  A new compile time constant REAL_HPAGE_PER_HPAGE is used
+to multiply hugetlb_pte_count before sizing the TSB.
+
+Changes from V1
+- Fixed build issue if hugetlb or THP not configured
+
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sparc/include/asm/page_64.h |  1 +
+ arch/sparc/mm/fault_64.c         |  1 +
+ arch/sparc/mm/tlb.c              | 35 ++++++++++++++++++++++++++++----
+ arch/sparc/mm/tsb.c              | 18 ++++++++++------
+ 4 files changed, 45 insertions(+), 10 deletions(-)
+
+diff --git a/arch/sparc/include/asm/page_64.h b/arch/sparc/include/asm/page_64.h
+index 8c2a8c937540..c1263fc390db 100644
+--- a/arch/sparc/include/asm/page_64.h
++++ b/arch/sparc/include/asm/page_64.h
+@@ -25,6 +25,7 @@
+ #define HPAGE_MASK            (~(HPAGE_SIZE - 1UL))
+ #define HUGETLB_PAGE_ORDER    (HPAGE_SHIFT - PAGE_SHIFT)
+ #define HAVE_ARCH_HUGETLB_UNMAPPED_AREA
++#define REAL_HPAGE_PER_HPAGE  (_AC(1,UL) << (HPAGE_SHIFT - REAL_HPAGE_SHIFT))
+ #endif
+ #ifndef __ASSEMBLY__
+diff --git a/arch/sparc/mm/fault_64.c b/arch/sparc/mm/fault_64.c
+index e15f33715103..b01ec72522cb 100644
+--- a/arch/sparc/mm/fault_64.c
++++ b/arch/sparc/mm/fault_64.c
+@@ -487,6 +487,7 @@ good_area:
+               tsb_grow(mm, MM_TSB_BASE, mm_rss);
+ #if defined(CONFIG_HUGETLB_PAGE) || defined(CONFIG_TRANSPARENT_HUGEPAGE)
+       mm_rss = mm->context.hugetlb_pte_count + mm->context.thp_pte_count;
++      mm_rss *= REAL_HPAGE_PER_HPAGE;
+       if (unlikely(mm_rss >
+                    mm->context.tsb_block[MM_TSB_HUGE].tsb_rss_limit)) {
+               if (mm->context.tsb_block[MM_TSB_HUGE].tsb)
+diff --git a/arch/sparc/mm/tlb.c b/arch/sparc/mm/tlb.c
+index 3659d37b4d81..c56a195c9071 100644
+--- a/arch/sparc/mm/tlb.c
++++ b/arch/sparc/mm/tlb.c
+@@ -174,10 +174,25 @@ void set_pmd_at(struct mm_struct *mm, unsigned long addr,
+               return;
+       if ((pmd_val(pmd) ^ pmd_val(orig)) & _PAGE_PMD_HUGE) {
+-              if (pmd_val(pmd) & _PAGE_PMD_HUGE)
+-                      mm->context.thp_pte_count++;
+-              else
+-                      mm->context.thp_pte_count--;
++              /*
++               * Note that this routine only sets pmds for THP pages.
++               * Hugetlb pages are handled elsewhere.  We need to check
++               * for huge zero page.  Huge zero pages are like hugetlb
++               * pages in that there is no RSS, but there is the need
++               * for TSB entries.  So, huge zero page counts go into
++               * hugetlb_pte_count.
++               */
++              if (pmd_val(pmd) & _PAGE_PMD_HUGE) {
++                      if (is_huge_zero_page(pmd_page(pmd)))
++                              mm->context.hugetlb_pte_count++;
++                      else
++                              mm->context.thp_pte_count++;
++              } else {
++                      if (is_huge_zero_page(pmd_page(orig)))
++                              mm->context.hugetlb_pte_count--;
++                      else
++                              mm->context.thp_pte_count--;
++              }
+               /* Do not try to allocate the TSB hash table if we
+                * don't have one already.  We have various locks held
+@@ -204,6 +219,9 @@ void set_pmd_at(struct mm_struct *mm, unsigned long addr,
+       }
+ }
++/*
++ * This routine is only called when splitting a THP
++ */
+ void pmdp_invalidate(struct vm_area_struct *vma, unsigned long address,
+                    pmd_t *pmdp)
+ {
+@@ -213,6 +231,15 @@ void pmdp_invalidate(struct vm_area_struct *vma, unsigned long address,
+       set_pmd_at(vma->vm_mm, address, pmdp, entry);
+       flush_tlb_range(vma, address, address + HPAGE_PMD_SIZE);
++
++      /*
++       * set_pmd_at() will not be called in a way to decrement
++       * thp_pte_count when splitting a THP, so do it now.
++       * Sanity check pmd before doing the actual decrement.
++       */
++      if ((pmd_val(entry) & _PAGE_PMD_HUGE) &&
++          !is_huge_zero_page(pmd_page(entry)))
++              (vma->vm_mm)->context.thp_pte_count--;
+ }
+ void pgtable_trans_huge_deposit(struct mm_struct *mm, pmd_t *pmdp,
+diff --git a/arch/sparc/mm/tsb.c b/arch/sparc/mm/tsb.c
+index 266411291634..84cd593117a6 100644
+--- a/arch/sparc/mm/tsb.c
++++ b/arch/sparc/mm/tsb.c
+@@ -489,8 +489,10 @@ retry_tsb_alloc:
+ int init_new_context(struct task_struct *tsk, struct mm_struct *mm)
+ {
++      unsigned long mm_rss = get_mm_rss(mm);
+ #if defined(CONFIG_HUGETLB_PAGE) || defined(CONFIG_TRANSPARENT_HUGEPAGE)
+-      unsigned long total_huge_pte_count;
++      unsigned long saved_hugetlb_pte_count;
++      unsigned long saved_thp_pte_count;
+ #endif
+       unsigned int i;
+@@ -503,10 +505,12 @@ int init_new_context(struct task_struct *tsk, struct mm_struct *mm)
+        * will re-increment the counters as the parent PTEs are
+        * copied into the child address space.
+        */
+-      total_huge_pte_count = mm->context.hugetlb_pte_count +
+-                       mm->context.thp_pte_count;
++      saved_hugetlb_pte_count = mm->context.hugetlb_pte_count;
++      saved_thp_pte_count = mm->context.thp_pte_count;
+       mm->context.hugetlb_pte_count = 0;
+       mm->context.thp_pte_count = 0;
++
++      mm_rss -= saved_thp_pte_count * (HPAGE_SIZE / PAGE_SIZE);
+ #endif
+       /* copy_mm() copies over the parent's mm_struct before calling
+@@ -519,11 +523,13 @@ int init_new_context(struct task_struct *tsk, struct mm_struct *mm)
+       /* If this is fork, inherit the parent's TSB size.  We would
+        * grow it to that size on the first page fault anyways.
+        */
+-      tsb_grow(mm, MM_TSB_BASE, get_mm_rss(mm));
++      tsb_grow(mm, MM_TSB_BASE, mm_rss);
+ #if defined(CONFIG_HUGETLB_PAGE) || defined(CONFIG_TRANSPARENT_HUGEPAGE)
+-      if (unlikely(total_huge_pte_count))
+-              tsb_grow(mm, MM_TSB_HUGE, total_huge_pte_count);
++      if (unlikely(saved_hugetlb_pte_count + saved_thp_pte_count))
++              tsb_grow(mm, MM_TSB_HUGE,
++                       (saved_hugetlb_pte_count + saved_thp_pte_count) *
++                       REAL_HPAGE_PER_HPAGE);
+ #endif
+       if (unlikely(!mm->context.tsb_block[MM_TSB_BASE].tsb))
+-- 
+2.17.1
+
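Review bot: In `init_new_context()` the new `mm_rss -= saved_thp_pte_count * (HPAGE_SIZE / PAGE_SIZE);` subtracts on an `unsigned long`. If the THP counter ever exceeds what `get_mm_rss()` reports, the result wraps and `tsb_grow(mm, MM_TSB_BASE, mm_rss)` is asked for an enormous size. The patch description itself lists cases where the huge-page counters drifted from reality (a split THP was not decremented), so a clamp is cheap insurance. With `thp_pages` declared beside the saved counters: `thp_pages = saved_thp_pte_count * (HPAGE_SIZE / PAGE_SIZE);` then `mm_rss = mm_rss > thp_pages ? mm_rss - thp_pages : 0;`. The `thp_pte_count--` added to `pmdp_invalidate()` has the same shape and relies on the preceding sanity check alone. Both functions extend beyond the hunks shown.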
diff --git a/queue-4.4/spi-bcm63xx-fix-error-return-code-in-bcm63xx_spi_pro.patch b/queue-4.4/spi-bcm63xx-fix-error-return-code-in-bcm63xx_spi_pro.patch
new file mode 100644 (file)
index 0000000..4758347
--- /dev/null
@@ -0,0 +1,43 @@
+From 0d1567fe4d4a59a1cc021cb6f8e1e59001ea2338 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 7 Aug 2017 23:52:34 -0500
+Subject: spi/bcm63xx: fix error return code in bcm63xx_spi_probe()
+
+[ Upstream commit ba8afe94723e9ba665aee9cca649fb2c80f7304c ]
+
+platform_get_irq() returns an error code, but the spi-bcm63xx driver
+ignores it and always returns -ENXIO. This is not correct and,
+prevents -EPROBE_DEFER from being propagated properly.
+
+Notice that platform_get_irq() no longer returns 0 on error:
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af
+
+Print and propagate the return value of platform_get_irq on failure.
+
+This issue was detected with the help of Coccinelle.
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-bcm63xx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c
+index bf9a610e5b89..f14500910bc2 100644
+--- a/drivers/spi/spi-bcm63xx.c
++++ b/drivers/spi/spi-bcm63xx.c
+@@ -496,8 +496,8 @@ static int bcm63xx_spi_probe(struct platform_device *pdev)
+       irq = platform_get_irq(pdev, 0);
+       if (irq < 0) {
+-              dev_err(dev, "no irq\n");
+-              return -ENXIO;
++              dev_err(dev, "no irq: %d\n", irq);
++              return irq;
+       }
+       clk = devm_clk_get(dev, "spi");
+-- 
+2.17.1
+
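Review bot: The new `dev_err()` in bcm63xx_spi_probe() fires for every negative return, including the -EPROBE_DEFER that this patch sets out to propagate, so a deferred probe is logged as an error each time it is retried. Guarding the message, `if (irq != -EPROBE_DEFER) dev_err(dev, "no irq: %d\n", irq);`, keeps the log clean while still returning `irq`. The same applies to the matching hunks for spi-bcm63xx-hsspi, spi-xlp, sprd_serial, dwc3-omap, ehci-omap and imx21-hcd further down this page. The commit message relies on platform_get_irq() no longer returning 0 on error, and this page does not show whether the 4.4 tree carries that change, so the `irq < 0` test is worth confirming for the backport. The probe function starts and ends outside the hunk.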
diff --git a/queue-4.4/spi-bcm63xx-hspi-fix-error-return-code-in-bcm63xx_hs.patch b/queue-4.4/spi-bcm63xx-hspi-fix-error-return-code-in-bcm63xx_hs.patch
new file mode 100644 (file)
index 0000000..8d4149b
--- /dev/null
@@ -0,0 +1,43 @@
+From 6b331bfb64fa06d9a0c31fc23bc642edf844fb0f Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 7 Aug 2017 23:59:44 -0500
+Subject: spi/bcm63xx-hspi: fix error return code in bcm63xx_hsspi_probe()
+
+[ Upstream commit 378da4a65f3a0390837b38145bb5d8c2d20c2cf7 ]
+
+platform_get_irq() returns an error code, but the spi-bcm63xx-hsspi
+driver ignores it and always returns -ENXIO. This is not correct and,
+prevents -EPROBE_DEFER from being propagated properly.
+
+Notice that platform_get_irq() no longer returns 0 on error:
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af
+
+Print and propagate the return value of platform_get_irq on failure.
+
+This issue was detected with the help of Coccinelle.
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-bcm63xx-hsspi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-bcm63xx-hsspi.c b/drivers/spi/spi-bcm63xx-hsspi.c
+index 55789f7cda92..645f428ad0a2 100644
+--- a/drivers/spi/spi-bcm63xx-hsspi.c
++++ b/drivers/spi/spi-bcm63xx-hsspi.c
+@@ -336,8 +336,8 @@ static int bcm63xx_hsspi_probe(struct platform_device *pdev)
+       irq = platform_get_irq(pdev, 0);
+       if (irq < 0) {
+-              dev_err(dev, "no irq\n");
+-              return -ENXIO;
++              dev_err(dev, "no irq: %d\n", irq);
++              return irq;
+       }
+       res_mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+-- 
+2.17.1
+
diff --git a/queue-4.4/spi-xlp-fix-error-return-code-in-xlp_spi_probe.patch b/queue-4.4/spi-xlp-fix-error-return-code-in-xlp_spi_probe.patch
new file mode 100644 (file)
index 0000000..0b12a42
--- /dev/null
@@ -0,0 +1,43 @@
+From 3a4891a2e92f66703e13b7aefa0c6e5c1cb56aea Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 7 Aug 2017 23:45:02 -0500
+Subject: spi: xlp: fix error return code in xlp_spi_probe()
+
+[ Upstream commit 9a6b94796ae6feaf275ec6200e9b2964db208182 ]
+
+platform_get_irq() returns an error code, but the spi-xlp driver ignores
+it and always returns -EINVAL. This is not correct and, prevents
+-EPROBE_DEFER from being propagated properly.
+
+Notice that platform_get_irq() no longer returns 0 on error:
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af
+
+Print and propagate the return value of platform_get_irq on failure.
+
+This issue was detected with the help of Coccinelle.
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-xlp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-xlp.c b/drivers/spi/spi-xlp.c
+index 8f04feca6ee3..0ddb0adaa8aa 100644
+--- a/drivers/spi/spi-xlp.c
++++ b/drivers/spi/spi-xlp.c
+@@ -392,8 +392,8 @@ static int xlp_spi_probe(struct platform_device *pdev)
+       irq = platform_get_irq(pdev, 0);
+       if (irq < 0) {
+-              dev_err(&pdev->dev, "no IRQ resource found\n");
+-              return -EINVAL;
++              dev_err(&pdev->dev, "no IRQ resource found: %d\n", irq);
++              return irq;
+       }
+       err = devm_request_irq(&pdev->dev, irq, xlp_spi_interrupt, 0,
+                       pdev->name, xspi);
+-- 
+2.17.1
+
diff --git a/queue-4.4/sr9800-check-for-supported-wake-on-lan-modes.patch b/queue-4.4/sr9800-check-for-supported-wake-on-lan-modes.patch
new file mode 100644 (file)
index 0000000..e3e2608
--- /dev/null
@@ -0,0 +1,36 @@
+From bc616046d461daac1dd6e44fc3608433f437b537 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 28 Sep 2018 16:18:53 -0700
+Subject: sr9800: Check for supported Wake-on-LAN modes
+
+[ Upstream commit c5cb93e994ffb43b7b3b1ff10b9f928f54574a36 ]
+
+The driver currently silently accepts unsupported Wake-on-LAN modes
+(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user,
+which is confusing.
+
+Fixes: 19a38d8e0aa3 ("USB2NET : SR9800 : One chip USB2.0 USB2NET SR9800 Device Driver Support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/sr9800.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/sr9800.c b/drivers/net/usb/sr9800.c
+index a50df0d8fb9a..004c955c1fd1 100644
+--- a/drivers/net/usb/sr9800.c
++++ b/drivers/net/usb/sr9800.c
+@@ -421,6 +421,9 @@ sr_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo)
+       struct usbnet *dev = netdev_priv(net);
+       u8 opt = 0;
++      if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC))
++              return -EINVAL;
++
+       if (wolinfo->wolopts & WAKE_PHY)
+               opt |= SR_MONITOR_LINK;
+       if (wolinfo->wolopts & WAKE_MAGIC)
+-- 
+2.17.1
+
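Review bot: The new guard in sr_set_wol() spells the supported set as the literal `WAKE_PHY | WAKE_MAGIC`, while the two tests directly below encode the same set again one flag at a time, so a mode added later has to be remembered in both places. A short comment above the guard would make that coupling explicit, e.g. `/* reject WoL modes the chip cannot honour; keep in sync with the flags handled below */`. sr_set_wol() begins and ends outside the hunk, so whether the get_wol side advertises the same mask to user space cannot be checked from here.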
diff --git a/queue-4.4/thermal-allow-spear-thermal-driver-to-be-a-module.patch b/queue-4.4/thermal-allow-spear-thermal-driver-to-be-a-module.patch
new file mode 100644 (file)
index 0000000..438cdac
--- /dev/null
@@ -0,0 +1,41 @@
+From 6a0e98669184a4a3ab2ecf8ce0c869b35271b140 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 25 Jan 2016 17:44:11 +0100
+Subject: thermal: allow spear-thermal driver to be a module
+
+[ Upstream commit 4d2f1794c07aae55b8f25f4d8aebcafc0d3e501d ]
+
+When the thermal subsystem is a loadable module, the spear driver
+fails to build:
+
+drivers/thermal/built-in.o: In function `spear_thermal_exit':
+spear_thermal.c:(.text+0xf8): undefined reference to `thermal_zone_device_unregister'
+drivers/thermal/built-in.o: In function `spear_thermal_probe':
+spear_thermal.c:(.text+0x230): undefined reference to `thermal_zone_device_register'
+
+This changes the symbol to a tristate, so Kconfig can track the
+dependency correctly.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/Kconfig b/drivers/thermal/Kconfig
+index 4b660b5beb98..b556fa8250fc 100644
+--- a/drivers/thermal/Kconfig
++++ b/drivers/thermal/Kconfig
+@@ -195,7 +195,7 @@ config IMX_THERMAL
+         passive trip is crossed.
+ config SPEAR_THERMAL
+-      bool "SPEAr thermal sensor driver"
++      tristate "SPEAr thermal sensor driver"
+       depends on PLAT_SPEAR || COMPILE_TEST
+       depends on OF
+       help
+-- 
+2.17.1
+
diff --git a/queue-4.4/thermal-allow-u8500-thermal-driver-to-be-a-module.patch b/queue-4.4/thermal-allow-u8500-thermal-driver-to-be-a-module.patch
new file mode 100644 (file)
index 0000000..4619f7f
--- /dev/null
@@ -0,0 +1,70 @@
+From 56c66efa8ca51fc4ed9c0c05d4958c9ab7b3c9c2 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 25 Jan 2016 17:44:12 +0100
+Subject: thermal: allow u8500-thermal driver to be a module
+
+[ Upstream commit 26716ce124fce88f288f07738ef685d5dfe5c13f ]
+
+When the thermal subsystem is a loadable module, the u8500 driver
+fails to build:
+
+drivers/thermal/built-in.o: In function `db8500_thermal_probe':
+db8500_thermal.c:(.text+0x96c): undefined reference to `thermal_zone_device_register'
+drivers/thermal/built-in.o: In function `db8500_thermal_work':
+db8500_thermal.c:(.text+0xab4): undefined reference to `thermal_zone_device_update'
+
+This changes the symbol to a tristate, so Kconfig can track the
+dependency correctly.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/db8500-prcmu.c | 3 +++
+ drivers/thermal/Kconfig    | 4 ++--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mfd/db8500-prcmu.c b/drivers/mfd/db8500-prcmu.c
+index e6e4bacb09ee..12099b09a9a7 100644
+--- a/drivers/mfd/db8500-prcmu.c
++++ b/drivers/mfd/db8500-prcmu.c
+@@ -2048,6 +2048,7 @@ int db8500_prcmu_config_hotmon(u8 low, u8 high)
+       return 0;
+ }
++EXPORT_SYMBOL_GPL(db8500_prcmu_config_hotmon);
+ static int config_hot_period(u16 val)
+ {
+@@ -2074,11 +2075,13 @@ int db8500_prcmu_start_temp_sense(u16 cycles32k)
+       return config_hot_period(cycles32k);
+ }
++EXPORT_SYMBOL_GPL(db8500_prcmu_start_temp_sense);
+ int db8500_prcmu_stop_temp_sense(void)
+ {
+       return config_hot_period(0xFFFF);
+ }
++EXPORT_SYMBOL_GPL(db8500_prcmu_stop_temp_sense);
+ static int prcmu_a9wdog(u8 cmd, u8 d0, u8 d1, u8 d2, u8 d3)
+ {
+diff --git a/drivers/thermal/Kconfig b/drivers/thermal/Kconfig
+index b556fa8250fc..1def65d2f0b5 100644
+--- a/drivers/thermal/Kconfig
++++ b/drivers/thermal/Kconfig
+@@ -237,8 +237,8 @@ config DOVE_THERMAL
+         framework.
+ config DB8500_THERMAL
+-      bool "DB8500 thermal management"
+-      depends on ARCH_U8500
++      tristate "DB8500 thermal management"
++      depends on MFD_DB8500_PRCMU
+       default y
+       help
+         Adds DB8500 thermal management implementation according to the thermal
+-- 
+2.17.1
+
diff --git a/queue-4.4/tpm-fix-return-rc-when-devm_add_action-fails.patch b/queue-4.4/tpm-fix-return-rc-when-devm_add_action-fails.patch
new file mode 100644 (file)
index 0000000..2308c7e
--- /dev/null
@@ -0,0 +1,37 @@
+From cb6bb33d013990435386880e95fe9a620f6ccfea Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Date: Sat, 13 Feb 2016 11:58:16 +0200
+Subject: tpm: fix: return rc when devm_add_action() fails
+
+[ Upstream commit 4f3b193dee4423d8c89c9a3e8e05f9197ea459a4 ]
+
+Call put_device() and return error code if devm_add_action() fails.
+
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Reported-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
+Fixes: 8e0ee3c9faed ("tpm: fix the cleanup of struct tpm_chip")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/tpm/tpm-chip.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
+index e759100e41a7..28894878dcd5 100644
+--- a/drivers/char/tpm/tpm-chip.c
++++ b/drivers/char/tpm/tpm-chip.c
+@@ -230,7 +230,11 @@ struct tpm_chip *tpmm_chip_alloc(struct device *dev,
+       chip->cdev.owner = dev->driver->owner;
+       chip->cdev.kobj.parent = &chip->dev.kobj;
+-      devm_add_action(dev, (void (*)(void *)) put_device, &chip->dev);
++      rc = devm_add_action(dev, (void (*)(void *)) put_device, &chip->dev);
++      if (rc) {
++              put_device(&chip->dev);
++              return ERR_PTR(rc);
++      }
+       return chip;
+ }
+-- 
+2.17.1
+
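Review bot: The new `rc = devm_add_action(...)` line still passes `put_device` through a cast to `void (*)(void *)`. Calling a function through a pointer of a different type is undefined behaviour in C, and it is the kind of indirect call that control-flow-integrity checking rejects. A small static wrapper registered without a cast avoids this, e.g. `static void tpm_put_device(void *dev) { put_device(dev); }` (name illustrative). `rc` is assigned here but its declaration is not in the hunk, which covers only the tail of tpmm_chip_alloc(), so that needs checking against the 4.4 file.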
diff --git a/queue-4.4/tracing-skip-more-functions-when-doing-stack-tracing.patch b/queue-4.4/tracing-skip-more-functions-when-doing-stack-tracing.patch
new file mode 100644 (file)
index 0000000..30852da
--- /dev/null
@@ -0,0 +1,120 @@
+From 419e533634a2706954d37186dce961d8adf78388 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+Date: Thu, 23 Jun 2016 14:03:47 -0400
+Subject: tracing: Skip more functions when doing stack tracing of events
+
+[ Upstream commit be54f69c26193de31053190761e521903b89d098 ]
+
+ # echo 1 > options/stacktrace
+ # echo 1 > events/sched/sched_switch/enable
+ # cat trace
+          <idle>-0     [002] d..2  1982.525169: <stack trace>
+ => save_stack_trace
+ => __ftrace_trace_stack
+ => trace_buffer_unlock_commit_regs
+ => event_trigger_unlock_commit
+ => trace_event_buffer_commit
+ => trace_event_raw_event_sched_switch
+ => __schedule
+ => schedule
+ => schedule_preempt_disabled
+ => cpu_startup_entry
+ => start_secondary
+
+The above shows that we are seeing 6 functions before ever making it to the
+caller of the sched_switch event.
+
+ # echo stacktrace > events/sched/sched_switch/trigger
+ # cat trace
+          <idle>-0     [002] d..3  2146.335208: <stack trace>
+ => trace_event_buffer_commit
+ => trace_event_raw_event_sched_switch
+ => __schedule
+ => schedule
+ => schedule_preempt_disabled
+ => cpu_startup_entry
+ => start_secondary
+
+The stacktrace trigger isn't as bad, because it adds its own skip to the
+stacktracing, but still has two events extra.
+
+One issue is that if the stacktrace passes its own "regs" then there should
+be no addition to the skip, as the regs will not include the functions being
+called. This was an issue that was fixed by commit 7717c6be6999 ("tracing:
+Fix stacktrace skip depth in trace_buffer_unlock_commit_regs()" as adding
+the skip number for kprobes made the probes not have any stack at all.
+
+But since this is only an issue when regs is being used, a skip should be
+added if regs is NULL. Now we have:
+
+ # echo 1 > options/stacktrace
+ # echo 1 > events/sched/sched_switch/enable
+ # cat trace
+          <idle>-0     [000] d..2  1297.676333: <stack trace>
+ => __schedule
+ => schedule
+ => schedule_preempt_disabled
+ => cpu_startup_entry
+ => rest_init
+ => start_kernel
+ => x86_64_start_reservations
+ => x86_64_start_kernel
+
+ # echo stacktrace > events/sched/sched_switch/trigger
+ # cat trace
+          <idle>-0     [002] d..3  1370.759745: <stack trace>
+ => __schedule
+ => schedule
+ => schedule_preempt_disabled
+ => cpu_startup_entry
+ => start_secondary
+
+And kprobes are not touched.
+
+Reported-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
+index e409ddce8754..1a47a64d623f 100644
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -1757,7 +1757,17 @@ void trace_buffer_unlock_commit_regs(struct trace_array *tr,
+ {
+       __buffer_unlock_commit(buffer, event);
+-      ftrace_trace_stack(tr, buffer, flags, 0, pc, regs);
++      /*
++       * If regs is not set, then skip the following callers:
++       *   trace_buffer_unlock_commit_regs
++       *   event_trigger_unlock_commit
++       *   trace_event_buffer_commit
++       *   trace_event_raw_event_sched_switch
++       * Note, we can still get here via blktrace, wakeup tracer
++       * and mmiotrace, but that's ok if they lose a function or
++       * two. They are that meaningful.
++       */
++      ftrace_trace_stack(tr, buffer, flags, regs ? 0 : 4, pc, regs);
+       ftrace_trace_userstack(buffer, flags, pc);
+ }
+ EXPORT_SYMBOL_GPL(trace_buffer_unlock_commit_regs);
+@@ -1815,6 +1825,13 @@ static void __ftrace_trace_stack(struct ring_buffer *buffer,
+       trace.nr_entries        = 0;
+       trace.skip              = skip;
++      /*
++       * Add two, for this function and the call to save_stack_trace()
++       * If regs is set, then these functions will not be in the way.
++       */
++      if (!regs)
++              trace.skip += 2;
++
+       /*
+        * Since events can happen in NMIs there's no safe way to
+        * use the per cpu ftrace_stacks. We reserve it and if an interrupt
+-- 
+2.17.1
+
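Review bot: The skip counts `regs ? 0 : 4` in trace_buffer_unlock_commit_regs() and `trace.skip += 2` in __ftrace_trace_stack() are bare numbers tied to the exact call chain listed in the comment. One entry in that chain (`trace_event_raw_event_sched_switch`) belongs to a single event, and the counts go wrong without warning if the compiler inlines one of those frames or the chain changes. Named constants next to the comment would at least keep the assumption in one place. The comment's last sentence, `They are that meaningful.`, reads as the opposite of what is meant; presumably it should be `They are not that meaningful.` Both functions extend beyond the hunks shown.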
diff --git a/queue-4.4/tty-serial-sprd-fix-error-return-code-in-sprd_probe.patch b/queue-4.4/tty-serial-sprd-fix-error-return-code-in-sprd_probe.patch
new file mode 100644 (file)
index 0000000..9835f28
--- /dev/null
@@ -0,0 +1,43 @@
+From 45eae3da7fd08cacbb58fd9020fc245eee9beab2 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 8 Aug 2017 17:42:46 -0500
+Subject: tty: serial: sprd: fix error return code in sprd_probe()
+
+[ Upstream commit ec085c5a51b768947ca481f90b66653e36b3c566 ]
+
+platform_get_irq() returns an error code, but the sprd_serial driver
+ignores it and always returns -ENODEV. This is not correct and,
+prevents -EPROBE_DEFER from being propagated properly.
+
+Also, notice that platform_get_irq() no longer returns 0 on error:
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af
+
+Print and propagate the return value of platform_get_irq on failure.
+
+This issue was detected with the help of Coccinelle.
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/sprd_serial.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/serial/sprd_serial.c b/drivers/tty/serial/sprd_serial.c
+index 9dbae01d41ce..1e302caaa450 100644
+--- a/drivers/tty/serial/sprd_serial.c
++++ b/drivers/tty/serial/sprd_serial.c
+@@ -731,8 +731,8 @@ static int sprd_probe(struct platform_device *pdev)
+       irq = platform_get_irq(pdev, 0);
+       if (irq < 0) {
+-              dev_err(&pdev->dev, "not provide irq resource\n");
+-              return -ENODEV;
++              dev_err(&pdev->dev, "not provide irq resource: %d\n", irq);
++              return irq;
+       }
+       up->irq = irq;
+-- 
+2.17.1
+
diff --git a/queue-4.4/um-avoid-longjmp-setjmp-symbol-clashes-with-libpthre.patch b/queue-4.4/um-avoid-longjmp-setjmp-symbol-clashes-with-libpthre.patch
new file mode 100644 (file)
index 0000000..061cc23
--- /dev/null
@@ -0,0 +1,140 @@
+From c0f92385b25f409d719ac6c2e957e98e1ac3ea9a Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Tue, 23 May 2017 17:32:31 -0700
+Subject: um: Avoid longjmp/setjmp symbol clashes with libpthread.a
+
+[ Upstream commit f44f1e7da7c8e3f4575d5d61c4df978496903fcc ]
+
+Building a statically linked UML kernel on a Centos 6.9 host resulted in
+the following linking failure (GCC 4.4, glibc-2.12):
+
+/usr/lib/gcc/x86_64-redhat-linux/4.4.7/../../../../lib64/libpthread.a(libpthread.o):
+In function `siglongjmp':
+(.text+0x8490): multiple definition of `longjmp'
+arch/x86/um/built-in.o:/local/users/fainelli/openwrt/trunk/build_dir/target-x86_64_musl/linux-uml/linux-4.4.69/arch/x86/um/setjmp_64.S:44:
+first defined here
+/usr/lib/gcc/x86_64-redhat-linux/4.4.7/../../../../lib64/libpthread.a(libpthread.o):
+In function `sem_open':
+(.text+0x77cd): warning: the use of `mktemp' is dangerous, better use
+`mkstemp'
+collect2: ld returned 1 exit status
+make[4]: *** [vmlinux] Error 1
+
+Adopt a solution similar to the one done for vmap where we define
+longjmp/setjmp to be kernel_longjmp/setjmp. In the process, make sure we
+do rename the functions in arch/x86/um/setjmp_*.S accordingly.
+
+Fixes: a7df4716d195 ("um: link with -lpthread")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/Makefile        |  4 ++++
+ arch/x86/um/setjmp_32.S | 16 ++++++++--------
+ arch/x86/um/setjmp_64.S | 16 ++++++++--------
+ 3 files changed, 20 insertions(+), 16 deletions(-)
+
+diff --git a/arch/um/Makefile b/arch/um/Makefile
+index 9ccf462131c4..d9cd7ed27834 100644
+--- a/arch/um/Makefile
++++ b/arch/um/Makefile
+@@ -59,10 +59,14 @@ KBUILD_CPPFLAGS += -I$(srctree)/$(HOST_DIR)/um
+ # Same things for in6addr_loopback and mktime - found in libc. For these two we
+ # only get link-time error, luckily.
+ #
++# -Dlongjmp=kernel_longjmp prevents anything from referencing the libpthread.a
++# embedded copy of longjmp, same thing for setjmp.
++#
+ # These apply to USER_CFLAGS to.
+ KBUILD_CFLAGS += $(CFLAGS) $(CFLAGS-y) -D__arch_um__ \
+       $(ARCH_INCLUDE) $(MODE_INCLUDE) -Dvmap=kernel_vmap      \
++      -Dlongjmp=kernel_longjmp -Dsetjmp=kernel_setjmp \
+       -Din6addr_loopback=kernel_in6addr_loopback \
+       -Din6addr_any=kernel_in6addr_any -Dstrrchr=kernel_strrchr
+diff --git a/arch/x86/um/setjmp_32.S b/arch/x86/um/setjmp_32.S
+index b766792c9933..39053192918d 100644
+--- a/arch/x86/um/setjmp_32.S
++++ b/arch/x86/um/setjmp_32.S
+@@ -16,9 +16,9 @@
+       .text
+       .align 4
+-      .globl setjmp
+-      .type setjmp, @function
+-setjmp:
++      .globl kernel_setjmp
++      .type kernel_setjmp, @function
++kernel_setjmp:
+ #ifdef _REGPARM
+       movl %eax,%edx
+ #else
+@@ -35,13 +35,13 @@ setjmp:
+       movl %ecx,20(%edx)              # Return address
+       ret
+-      .size setjmp,.-setjmp
++      .size kernel_setjmp,.-kernel_setjmp
+       .text
+       .align 4
+-      .globl longjmp
+-      .type longjmp, @function
+-longjmp:
++      .globl kernel_longjmp
++      .type kernel_longjmp, @function
++kernel_longjmp:
+ #ifdef _REGPARM
+       xchgl %eax,%edx
+ #else
+@@ -55,4 +55,4 @@ longjmp:
+       movl 16(%edx),%edi
+       jmp *20(%edx)
+-      .size longjmp,.-longjmp
++      .size kernel_longjmp,.-kernel_longjmp
+diff --git a/arch/x86/um/setjmp_64.S b/arch/x86/um/setjmp_64.S
+index 45f547b4043e..c56942e1a38c 100644
+--- a/arch/x86/um/setjmp_64.S
++++ b/arch/x86/um/setjmp_64.S
+@@ -18,9 +18,9 @@
+       .text
+       .align 4
+-      .globl setjmp
+-      .type setjmp, @function
+-setjmp:
++      .globl kernel_setjmp
++      .type kernel_setjmp, @function
++kernel_setjmp:
+       pop  %rsi                       # Return address, and adjust the stack
+       xorl %eax,%eax                  # Return value
+       movq %rbx,(%rdi)
+@@ -34,13 +34,13 @@ setjmp:
+       movq %rsi,56(%rdi)              # Return address
+       ret
+-      .size setjmp,.-setjmp
++      .size kernel_setjmp,.-kernel_setjmp
+       .text
+       .align 4
+-      .globl longjmp
+-      .type longjmp, @function
+-longjmp:
++      .globl kernel_longjmp
++      .type kernel_longjmp, @function
++kernel_longjmp:
+       movl %esi,%eax                  # Return value (int)
+       movq (%rdi),%rbx
+       movq 8(%rdi),%rsp
+@@ -51,4 +51,4 @@ longjmp:
+       movq 48(%rdi),%r15
+       jmp *56(%rdi)
+-      .size longjmp,.-longjmp
++      .size kernel_longjmp,.-kernel_longjmp
+-- 
+2.17.1
+
diff --git a/queue-4.4/usb-dwc3-omap-fix-error-return-code-in-dwc3_omap_pro.patch b/queue-4.4/usb-dwc3-omap-fix-error-return-code-in-dwc3_omap_pro.patch
new file mode 100644 (file)
index 0000000..84cfcee
--- /dev/null
@@ -0,0 +1,43 @@
+From dbc66d459b932baeebf791d8cde7d9f5fa40bb26 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 7 Aug 2017 23:25:34 -0500
+Subject: usb: dwc3: omap: fix error return code in dwc3_omap_probe()
+
+[ Upstream commit 0ae99ecba7928c7bc66cf14d8a88f0b6ec9fc78e ]
+
+platform_get_irq() returns an error code, but the dwc3-omap driver
+ignores it and always returns -EINVAL. This is not correct and,
+prevents -EPROBE_DEFER from being propagated properly.
+
+Notice that platform_get_irq() no longer returns 0 on error:
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af
+
+Print and propagate the return value of platform_get_irq on failure.
+
+This issue was detected with the help of Coccinelle.
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/dwc3-omap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/dwc3/dwc3-omap.c b/drivers/usb/dwc3/dwc3-omap.c
+index 22e9606d8e08..9078af0ce06c 100644
+--- a/drivers/usb/dwc3/dwc3-omap.c
++++ b/drivers/usb/dwc3/dwc3-omap.c
+@@ -469,8 +469,8 @@ static int dwc3_omap_probe(struct platform_device *pdev)
+       irq = platform_get_irq(pdev, 0);
+       if (irq < 0) {
+-              dev_err(dev, "missing IRQ resource\n");
+-              return -EINVAL;
++              dev_err(dev, "missing IRQ resource: %d\n", irq);
++              return irq;
+       }
+       res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+-- 
+2.17.1
+
diff --git a/queue-4.4/usb-ehci-omap-fix-error-return-code-in-ehci_hcd_omap.patch b/queue-4.4/usb-ehci-omap-fix-error-return-code-in-ehci_hcd_omap.patch
new file mode 100644 (file)
index 0000000..a840301
--- /dev/null
@@ -0,0 +1,44 @@
+From 7ee6098b6360867566b556fd51c622edb7e0f563 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 8 Aug 2017 17:26:13 -0500
+Subject: usb: ehci-omap: fix error return code in ehci_hcd_omap_probe()
+
+[ Upstream commit 99dbff202e28ad1dadf55b058bcae7908678e963 ]
+
+platform_get_irq() returns an error code, but the ehci-omap driver
+ignores it and always returns -ENODEV. This is not correct and,
+prevents -EPROBE_DEFER from being propagated properly.
+
+Also, notice that platform_get_irq() no longer returns 0 on error:
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af
+
+Print and propagate the return value of platform_get_irq on failure.
+
+This issue was detected with the help of Coccinelle.
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/ehci-omap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/host/ehci-omap.c b/drivers/usb/host/ehci-omap.c
+index a24720beb39d..cccde8217f28 100644
+--- a/drivers/usb/host/ehci-omap.c
++++ b/drivers/usb/host/ehci-omap.c
+@@ -130,8 +130,8 @@ static int ehci_hcd_omap_probe(struct platform_device *pdev)
+       irq = platform_get_irq(pdev, 0);
+       if (irq < 0) {
+-              dev_err(dev, "EHCI irq failed\n");
+-              return -ENODEV;
++              dev_err(dev, "EHCI irq failed: %d\n", irq);
++              return irq;
+       }
+       res =  platform_get_resource(pdev, IORESOURCE_MEM, 0);
+-- 
+2.17.1
+
diff --git a/queue-4.4/usb-imx21-hcd-fix-error-return-code-in-imx21_probe.patch b/queue-4.4/usb-imx21-hcd-fix-error-return-code-in-imx21_probe.patch
new file mode 100644 (file)
index 0000000..3b9ff93
--- /dev/null
@@ -0,0 +1,46 @@
+From baaadd49906a656dc8ab6eaeb6139c2b95a74849 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 7 Aug 2017 23:14:23 -0500
+Subject: usb: imx21-hcd: fix error return code in imx21_probe()
+
+[ Upstream commit 46edf52d08342b3dc1f9a61c5200ab8b1c0f5a37 ]
+
+platform_get_irq() returns an error code, but the imx21-hcd driver
+ignores it and always returns -ENXIO. This is not correct, and
+prevents -EPROBE_DEFER from being propagated properly.
+
+Notice that platform_get_irq() no longer returns 0 on error:
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af
+
+Print error message and propagate the return value of platform_get_irq
+on failure.
+
+This issue was detected with the help of Coccinelle.
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/imx21-hcd.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/host/imx21-hcd.c b/drivers/usb/host/imx21-hcd.c
+index f542045dc2a6..e25d72e0527f 100644
+--- a/drivers/usb/host/imx21-hcd.c
++++ b/drivers/usb/host/imx21-hcd.c
+@@ -1849,8 +1849,10 @@ static int imx21_probe(struct platform_device *pdev)
+       if (!res)
+               return -ENODEV;
+       irq = platform_get_irq(pdev, 0);
+-      if (irq < 0)
+-              return -ENXIO;
++      if (irq < 0) {
++              dev_err(&pdev->dev, "Failed to get IRQ: %d\n", irq);
++              return irq;
++      }
+       hcd = usb_create_hcd(&imx21_hc_driver,
+               &pdev->dev, dev_name(&pdev->dev));
+-- 
+2.17.1
+
diff --git a/queue-4.4/usb-storage-fix-bogus-hardware-error-messages-for-at.patch b/queue-4.4/usb-storage-fix-bogus-hardware-error-messages-for-at.patch
new file mode 100644 (file)
index 0000000..08641cf
--- /dev/null
@@ -0,0 +1,92 @@
+From f25c4745ad087ec7c821854d17eec0014b8e8483 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Thu, 21 Sep 2017 16:02:05 -0400
+Subject: usb-storage: fix bogus hardware error messages for ATA pass-thru
+ devices
+
+[ Upstream commit a4fd4a724d6c30ad671046d83be2e9be2f11d275 ]
+
+Ever since commit a621bac3044e ("scsi_lib: correctly retry failed zero
+length REQ_TYPE_FS commands"), people have been getting bogus error
+messages for USB disk drives using ATA pass-thru.  For example:
+
+[ 1344.880193] sd 6:0:0:0: [sdb] Attached SCSI disk
+[ 1345.069152] sd 6:0:0:0: [sdb] tag#0 FAILED Result: hostbyte=DID_ERROR driverbyte=DRIVER_SENSE
+[ 1345.069159] sd 6:0:0:0: [sdb] tag#0 Sense Key : Hardware Error [current] [descriptor]
+[ 1345.069162] sd 6:0:0:0: [sdb] tag#0 Add. Sense: No additional sense information
+[ 1345.069168] sd 6:0:0:0: [sdb] tag#0 CDB: ATA command pass through(16) 85 06 20 00 00 00 00 00 00 00 00 00 00 00 e5 00
+[ 1345.172252] sd 6:0:0:0: [sdb] tag#0 FAILED Result: hostbyte=DID_ERROR driverbyte=DRIVER_SENSE
+[ 1345.172258] sd 6:0:0:0: [sdb] tag#0 Sense Key : Hardware Error [current] [descriptor]
+[ 1345.172261] sd 6:0:0:0: [sdb] tag#0 Add. Sense: No additional sense information
+[ 1345.172266] sd 6:0:0:0: [sdb] tag#0 CDB: ATA command pass through(12)/Blank a1 06 20 da 00 00 4f c2 00 b0 00 00
+
+These messages can be quite annoying, because programs like udisks2
+provoke them every 10 minutes or so.  Other programs can also have
+this effect, such as those in smartmontools.
+
+I don't fully understand how that commit induced the SCSI core to log
+these error messages, but the underlying cause for them is code added
+to usb-storage by commit f1a0743bc0e7 ("USB: storage: When a device
+returns no sense data, call it a Hardware Error").  At the time it was
+necessary to do this, in order to prevent an infinite retry loop with
+some not-so-great mass storage devices.
+
+However, the ATA pass-thru protocol uses SCSI sense data to return
+command status values, and some devices always report Check Condition
+status for ATA pass-thru commands to ensure that the host retrieves
+the sense data, even if the command succeeded.  This violates the USB
+mass-storage protocol (Check Condition status is supposed to mean the
+command failed), but we can't help that.
+
+This patch attempts to mitigate the problem of these bogus error
+reports by changing usb-storage.  The HARDWARE ERROR sense key will be
+inserted only for commands that aren't ATA pass-thru.
+
+Thanks to Ewan Milne for pointing out that this mechanism was present
+in usb-storage.  8 years after writing it, I had completely forgotten
+its existence.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Tested-by: Kris Lindgren <kris.lindgren@gmail.com>
+Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1351305
+CC: Ewan D. Milne <emilne@redhat.com>
+CC: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/storage/transport.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/storage/transport.c b/drivers/usb/storage/transport.c
+index 02f86dd1a340..90a7bffe3484 100644
+--- a/drivers/usb/storage/transport.c
++++ b/drivers/usb/storage/transport.c
+@@ -808,12 +808,24 @@ Retry_Sense:
+                       if (result == USB_STOR_TRANSPORT_GOOD) {
+                               srb->result = SAM_STAT_GOOD;
+                               srb->sense_buffer[0] = 0x0;
++                      }
++
++                      /*
++                       * ATA-passthru commands use sense data to report
++                       * the command completion status, and often devices
++                       * return Check Condition status when nothing is
++                       * wrong.
++                       */
++                      else if (srb->cmnd[0] == ATA_16 ||
++                                      srb->cmnd[0] == ATA_12) {
++                              /* leave the data alone */
++                      }
+                       /* If there was a problem, report an unspecified
+                        * hardware error to prevent the higher layers from
+                        * entering an infinite retry loop.
+                        */
+-                      } else {
++                      else {
+                               srb->result = DID_ERROR << 16;
+                               if ((sshdr.response_code & 0x72) == 0x72)
+                                       srb->sense_buffer[1] = HARDWARE_ERROR;
+-- 
+2.17.1
+
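Review bot: The new `else if (srb->cmnd[0] == ATA_16 || srb->cmnd[0] == ATA_12)` branch in drivers/usb/storage/transport.c skips the HARDWARE_ERROR fallback on the opcode alone, while the retained comment says that fallback exists to keep higher layers out of an infinite retry loop. The hunk does not show whether a pass-thru command that really failed is still bounded in retries once `srb->result` and the sense buffer are left untouched, so that should be confirmed against the callers. I would replace the placeholder `/* leave the data alone */` with a comment that records the assumption, e.g. `/* leave the data alone: the pass-thru issuer decodes the sense data itself */`. The enclosing function starts and ends outside the hunk.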
diff --git a/queue-4.4/video-fbdev-pxa3xx_gcu-fix-error-return-code-in-pxa3.patch b/queue-4.4/video-fbdev-pxa3xx_gcu-fix-error-return-code-in-pxa3.patch
new file mode 100644 (file)
index 0000000..5f11745
--- /dev/null
@@ -0,0 +1,43 @@
+From 6eae0fa084c422d40c080687d781bf928ce3d6df Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 21 Aug 2017 16:49:58 +0200
+Subject: video: fbdev: pxa3xx_gcu: fix error return code in pxa3xx_gcu_probe()
+
+[ Upstream commit 7588f1ecc5f0c914e669d8afb6525f47cd1c4355 ]
+
+platform_get_irq() returns an error code, but the pxa3xx_gcu driver
+ignores it and always returns -ENODEV. This is not correct and,
+prevents -EPROBE_DEFER from being propagated properly.
+
+Also, notice that platform_get_irq() no longer returns 0 on error:
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af
+
+Print and propagate the return value of platform_get_irq on failure.
+
+This issue was detected with the help of Coccinelle.
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/pxa3xx-gcu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c
+index 50bce45e7f3d..933619da1a94 100644
+--- a/drivers/video/fbdev/pxa3xx-gcu.c
++++ b/drivers/video/fbdev/pxa3xx-gcu.c
+@@ -626,8 +626,8 @@ static int pxa3xx_gcu_probe(struct platform_device *pdev)
+       /* request the IRQ */
+       irq = platform_get_irq(pdev, 0);
+       if (irq < 0) {
+-              dev_err(dev, "no IRQ defined\n");
+-              return -ENODEV;
++              dev_err(dev, "no IRQ defined: %d\n", irq);
++              return irq;
+       }
+       ret = devm_request_irq(dev, irq, pxa3xx_gcu_handle_irq,
+-- 
+2.17.1
+
diff --git a/queue-4.4/vti6-flush-x-netns-xfrm-cache-when-vti-interface-is-.patch b/queue-4.4/vti6-flush-x-netns-xfrm-cache-when-vti-interface-is-.patch
new file mode 100644 (file)
index 0000000..345510a
--- /dev/null
@@ -0,0 +1,109 @@
+From 8ca30b392ac6df1b2086fe663fec558b6e2a66eb Mon Sep 17 00:00:00 2001
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Fri, 30 Sep 2016 11:11:07 +0200
+Subject: vti6: flush x-netns xfrm cache when vti interface is removed
+
+[ Upstream commit 7f92083eb58f85ea114d97f65fcbe22be5b0468d ]
+
+This is the same fix than commit a5d0dc810abf ("vti: flush x-netns xfrm
+cache when vti interface is removed")
+
+This patch fixes a refcnt problem when a x-netns vti6 interface is removed:
+unregister_netdevice: waiting for vti6_test to become free. Usage count = 1
+
+Here is a script to reproduce the problem:
+
+ip link set dev ntfp2 up
+ip addr add dev ntfp2 2001::1/64
+ip link add vti6_test type vti6 local 2001::1 remote 2001::2 key 1
+ip netns add secure
+ip link set vti6_test netns secure
+ip netns exec secure ip link set vti6_test up
+ip netns exec secure ip link s lo up
+ip netns exec secure ip addr add dev vti6_test 2003::1/64
+ip -6 xfrm policy add dir out tmpl src 2001::1 dst 2001::2 proto esp \
+          mode tunnel mark 1
+ip -6 xfrm policy add dir in tmpl src 2001::2 dst 2001::1 proto esp \
+          mode tunnel mark 1
+ip xfrm state add src 2001::1 dst 2001::2 proto esp spi 1 mode tunnel \
+          enc des3_ede 0x112233445566778811223344556677881122334455667788 mark 1
+ip xfrm state add src 2001::2 dst 2001::1 proto esp spi 1 mode tunnel \
+          enc des3_ede 0x112233445566778811223344556677881122334455667788 mark 1
+ip netns exec secure  ping6 -c 4 2003::2
+ip netns del secure
+
+CC: Lance Richardson <lrichard@redhat.com>
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Acked-by: Lance Richardson <lrichard@redhat.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_vti.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
+index 60d4052d97a6..51da5987952c 100644
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -1140,6 +1140,33 @@ static struct xfrm6_protocol vti_ipcomp6_protocol __read_mostly = {
+       .priority       =       100,
+ };
++static bool is_vti6_tunnel(const struct net_device *dev)
++{
++      return dev->netdev_ops == &vti6_netdev_ops;
++}
++
++static int vti6_device_event(struct notifier_block *unused,
++                           unsigned long event, void *ptr)
++{
++      struct net_device *dev = netdev_notifier_info_to_dev(ptr);
++      struct ip6_tnl *t = netdev_priv(dev);
++
++      if (!is_vti6_tunnel(dev))
++              return NOTIFY_DONE;
++
++      switch (event) {
++      case NETDEV_DOWN:
++              if (!net_eq(t->net, dev_net(dev)))
++                      xfrm_garbage_collect(t->net);
++              break;
++      }
++      return NOTIFY_DONE;
++}
++
++static struct notifier_block vti6_notifier_block __read_mostly = {
++      .notifier_call = vti6_device_event,
++};
++
+ /**
+  * vti6_tunnel_init - register protocol and reserve needed resources
+  *
+@@ -1150,6 +1177,8 @@ static int __init vti6_tunnel_init(void)
+       const char *msg;
+       int err;
++      register_netdevice_notifier(&vti6_notifier_block);
++
+       msg = "tunnel device";
+       err = register_pernet_device(&vti6_net_ops);
+       if (err < 0)
+@@ -1182,6 +1211,7 @@ xfrm_proto_ah_failed:
+ xfrm_proto_esp_failed:
+       unregister_pernet_device(&vti6_net_ops);
+ pernet_dev_failed:
++      unregister_netdevice_notifier(&vti6_notifier_block);
+       pr_err("vti6 init: failed to register %s\n", msg);
+       return err;
+ }
+@@ -1196,6 +1226,7 @@ static void __exit vti6_tunnel_cleanup(void)
+       xfrm6_protocol_deregister(&vti_ah6_protocol, IPPROTO_AH);
+       xfrm6_protocol_deregister(&vti_esp6_protocol, IPPROTO_ESP);
+       unregister_pernet_device(&vti6_net_ops);
++      unregister_netdevice_notifier(&vti6_notifier_block);
+ }
+ module_init(vti6_tunnel_init);
+-- 
+2.17.1
+
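Review bot: `register_netdevice_notifier(&vti6_notifier_block);` in vti6_tunnel_init() discards its return value, so a failed registration leaves the module loaded without the NETDEV_DOWN handler that this patch relies on to flush the cross-netns xfrm cache. The registration that follows it in the same function checks `err < 0`, and this call should do the same, e.g. `err = register_netdevice_notifier(&vti6_notifier_block);` followed by `if (err < 0) return err;`. Nothing else has been registered at that point, so an early return needs no unwinding. vti6_tunnel_init() and vti6_tunnel_cleanup() both continue outside the hunks shown.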
diff --git a/queue-4.4/x86-mm-pat-prevent-hang-during-boot-when-mapping-pag.patch b/queue-4.4/x86-mm-pat-prevent-hang-during-boot-when-mapping-pag.patch
new file mode 100644 (file)
index 0000000..bad95a0
--- /dev/null
@@ -0,0 +1,109 @@
+From fb477ee90324828bb5aea3cdba59a8851af49eb2 Mon Sep 17 00:00:00 2001
+From: Matt Fleming <matt@codeblueprint.co.uk>
+Date: Tue, 20 Sep 2016 14:26:21 +0100
+Subject: x86/mm/pat: Prevent hang during boot when mapping pages
+
+[ Upstream commit e535ec0899d1fe52ec3a84c9bc03457ac67ad6f7 ]
+
+There's a mixture of signed 32-bit and unsigned 32-bit and 64-bit data
+types used for keeping track of how many pages have been mapped.
+
+This leads to hangs during boot when mapping large numbers of pages
+(multiple terabytes, as reported by Waiman) because those values are
+interpreted as being negative.
+
+commit 742563777e8d ("x86/mm/pat: Avoid truncation when converting
+cpa->numpages to address") fixed one of those bugs, but there is
+another lurking in __change_page_attr_set_clr().
+
+Additionally, the return value type for the populate_*() functions can
+return negative values when a large number of pages have been mapped,
+triggering the error paths even though no error occurred.
+
+Consistently use 64-bit types on 64-bit platforms when counting pages.
+Even in the signed case this gives us room for regions 8PiB
+(pebibytes) in size whilst still allowing the usual negative value
+error checking idiom.
+
+Reported-by: Waiman Long <waiman.long@hpe.com>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+CC: Theodore Ts'o <tytso@mit.edu>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Scott J Norton <scott.norton@hpe.com>
+Cc: Douglas Hatch <doug.hatch@hpe.com>
+Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/mm/pageattr.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
+index 0e1dd7d47f05..26598e08666c 100644
+--- a/arch/x86/mm/pageattr.c
++++ b/arch/x86/mm/pageattr.c
+@@ -955,11 +955,11 @@ static void populate_pte(struct cpa_data *cpa,
+       }
+ }
+-static int populate_pmd(struct cpa_data *cpa,
+-                      unsigned long start, unsigned long end,
+-                      unsigned num_pages, pud_t *pud, pgprot_t pgprot)
++static long populate_pmd(struct cpa_data *cpa,
++                       unsigned long start, unsigned long end,
++                       unsigned num_pages, pud_t *pud, pgprot_t pgprot)
+ {
+-      unsigned int cur_pages = 0;
++      long cur_pages = 0;
+       pmd_t *pmd;
+       pgprot_t pmd_pgprot;
+@@ -1029,12 +1029,12 @@ static int populate_pmd(struct cpa_data *cpa,
+       return num_pages;
+ }
+-static int populate_pud(struct cpa_data *cpa, unsigned long start, pgd_t *pgd,
+-                      pgprot_t pgprot)
++static long populate_pud(struct cpa_data *cpa, unsigned long start, pgd_t *pgd,
++                       pgprot_t pgprot)
+ {
+       pud_t *pud;
+       unsigned long end;
+-      int cur_pages = 0;
++      long cur_pages = 0;
+       pgprot_t pud_pgprot;
+       end = start + (cpa->numpages << PAGE_SHIFT);
+@@ -1090,7 +1090,7 @@ static int populate_pud(struct cpa_data *cpa, unsigned long start, pgd_t *pgd,
+       /* Map trailing leftover */
+       if (start < end) {
+-              int tmp;
++              long tmp;
+               pud = pud_offset(pgd, start);
+               if (pud_none(*pud))
+@@ -1116,7 +1116,7 @@ static int populate_pgd(struct cpa_data *cpa, unsigned long addr)
+       pgprot_t pgprot = __pgprot(_KERNPG_TABLE);
+       pud_t *pud = NULL;      /* shut up gcc */
+       pgd_t *pgd_entry;
+-      int ret;
++      long ret;
+       pgd_entry = cpa->pgd + pgd_index(addr);
+@@ -1351,7 +1351,8 @@ static int cpa_process_alias(struct cpa_data *cpa)
+ static int __change_page_attr_set_clr(struct cpa_data *cpa, int checkalias)
+ {
+-      int ret, numpages = cpa->numpages;
++      unsigned long numpages = cpa->numpages;
++      int ret;
+       while (numpages) {
+               /*
+-- 
+2.17.1
+
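Review bot: populate_pmd() now returns `long` and counts in `long cur_pages`, but its `num_pages` parameter stays `unsigned` and the function still ends in `return num_pages;`, so the count entering this level remains 32-bit. That is presumably safe because the caller only passes ranges smaller than one PUD, but nothing in the hunk says so. Either widen the parameter to `unsigned long num_pages` to match the rest of the patch, or add a comment on the signature such as `/* num_pages is always below one PUD worth of pages, so unsigned is enough */`. Likewise populate_pgd() keeps an `int` return type while its local `ret` becomes `long`; whether that narrows on return depends on code outside the hunk.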
diff --git a/queue-4.4/x86-pci-mark-broadwell-ep-home-agent-1-as-having-non.patch b/queue-4.4/x86-pci-mark-broadwell-ep-home-agent-1-as-having-non.patch
new file mode 100644 (file)
index 0000000..3ac94be
--- /dev/null
@@ -0,0 +1,66 @@
+From 56845b437b6eece18a11d3ff3dcbf65a64cba52d Mon Sep 17 00:00:00 2001
+From: Prarit Bhargava <prarit@redhat.com>
+Date: Wed, 11 May 2016 12:27:15 -0400
+Subject: x86/PCI: Mark Broadwell-EP Home Agent 1 as having non-compliant BARs
+
+[ Upstream commit da77b67195de1c65bef4908fa29967c4d0af2da2 ]
+
+Commit b894157145e4 ("x86/PCI: Mark Broadwell-EP Home Agent & PCU as having
+non-compliant BARs") marked Home Agent 0 & PCU has having non-compliant
+BARs.  Home Agent 1 also has non-compliant BARs.
+
+Mark Home Agent 1 as having non-compliant BARs so the PCI core doesn't
+touch them.
+
+The problem with these devices is documented in the Xeon v4 specification
+update:
+
+  BDF2          PCI BARs in the Home Agent Will Return Non-Zero Values
+                During Enumeration
+
+  Problem:      During system initialization the Operating System may access
+                the standard PCI BARs (Base Address Registers).  Due to
+                this erratum, accesses to the Home Agent BAR registers (Bus
+                1; Device 18; Function 0,4; Offsets (0x14-0x24) will return
+                non-zero values.
+
+  Implication:  The operating system may issue a warning.  Intel has not
+                observed any functional failures due to this erratum.
+
+Link: http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v4-spec-update.html
+Fixes: b894157145e4 ("x86/PCI: Mark Broadwell-EP Home Agent & PCU as having non-compliant BARs")
+Signed-off-by: Prarit Bhargava <prarit@redhat.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+CC: Thomas Gleixner <tglx@linutronix.de>
+CC: Ingo Molnar <mingo@redhat.com>
+CC: "H. Peter Anvin" <hpa@zytor.com>
+CC: Andi Kleen <ak@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/pci/fixup.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/arch/x86/pci/fixup.c b/arch/x86/pci/fixup.c
+index 0ae7e9fa348d..89f90549c6a8 100644
+--- a/arch/x86/pci/fixup.c
++++ b/arch/x86/pci/fixup.c
+@@ -541,9 +541,16 @@ static void twinhead_reserve_killing_zone(struct pci_dev *dev)
+ }
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x27B9, twinhead_reserve_killing_zone);
++/*
++ * Broadwell EP Home Agent BARs erroneously return non-zero values when read.
++ *
++ * See http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v4-spec-update.html
++ * entry BDF2.
++ */
+ static void pci_bdwep_bar(struct pci_dev *dev)
+ {
+       dev->non_compliant_bars = 1;
+ }
++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6f60, pci_bdwep_bar);
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fa0, pci_bdwep_bar);
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fc0, pci_bdwep_bar);
+-- 
+2.17.1
+
diff --git a/queue-4.4/xfrm-clear-sk_dst_cache-when-applying-per-socket-pol.patch b/queue-4.4/xfrm-clear-sk_dst_cache-when-applying-per-socket-pol.patch
new file mode 100644 (file)
index 0000000..7cc3f9e
--- /dev/null
@@ -0,0 +1,56 @@
+From b16d33706e06771fe1fea6b77f4e48efa73162e1 Mon Sep 17 00:00:00 2001
+From: Jonathan Basseri <misterikkit@google.com>
+Date: Wed, 25 Oct 2017 09:52:27 -0700
+Subject: xfrm: Clear sk_dst_cache when applying per-socket policy.
+
+[ Upstream commit 2b06cdf3e688b98fcc9945873b5d42792bd4eee0 ]
+
+If a socket has a valid dst cache, then xfrm_lookup_route will get
+skipped. However, the cache is not invalidated when applying policy to a
+socket (i.e. IPV6_XFRM_POLICY). The result is that new policies are
+sometimes ignored on those sockets. (Note: This was broken for IPv4 and
+IPv6 at different times.)
+
+This can be demonstrated like so,
+1. Create UDP socket.
+2. connect() the socket.
+3. Apply an outbound XFRM policy to the socket. (setsockopt)
+4. send() data on the socket.
+
+Packets will continue to be sent in the clear instead of matching an
+xfrm or returning a no-match error (EAGAIN). This affects calls to
+send() and not sendto().
+
+Invalidating the sk_dst_cache is necessary to correctly apply xfrm
+policies. Since we do this in xfrm_user_policy(), the sk_lock was
+already acquired in either do_ip_setsockopt() or do_ipv6_setsockopt(),
+and we may call __sk_dst_reset().
+
+Performance impact should be negligible, since this code is only called
+when changing xfrm policy, and only affects the socket in question.
+
+Fixes: 00bc0ef5880d ("ipv6: Skip XFRM lookup if dst_entry in socket cache is valid")
+Tested: https://android-review.googlesource.com/517555
+Tested: https://android-review.googlesource.com/418659
+Signed-off-by: Jonathan Basseri <misterikkit@google.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_state.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index d6a11af0bab1..9b6e51450fc5 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -1884,6 +1884,7 @@ int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen
+       if (err >= 0) {
+               xfrm_sk_policy_insert(sk, err, pol);
+               xfrm_pol_put(pol);
++              __sk_dst_reset(sk);
+               err = 0;
+       }
+-- 
+2.17.1
+
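Review bot: `__sk_dst_reset(sk);` in xfrm_user_policy() is the variant that relies on the caller already holding the socket lock, and that precondition is recorded only in the commit message, not at the call site. A one-line comment above the call would keep a later caller from reaching this path unlocked: `/* socket lock is held by the setsockopt caller, so the unlocked dst reset is safe */`. The function body starts and ends outside the hunk.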
diff --git a/queue-4.4/xfrm-validate-address-prefix-lengths-in-the-xfrm-sel.patch b/queue-4.4/xfrm-validate-address-prefix-lengths-in-the-xfrm-sel.patch
new file mode 100644 (file)
index 0000000..23edd66
--- /dev/null
@@ -0,0 +1,63 @@
+From caf179fe1a0b5b6d2b0546d892f6b7fd12bd2358 Mon Sep 17 00:00:00 2001
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Wed, 1 Aug 2018 13:45:11 +0200
+Subject: xfrm: Validate address prefix lengths in the xfrm selector.
+
+[ Upstream commit 07bf7908950a8b14e81aa1807e3c667eab39287a ]
+
+We don't validate the address prefix lengths in the xfrm
+selector we got from userspace. This can lead to undefined
+behaviour in the address matching functions if the prefix
+is too big for the given address family. Fix this by checking
+the prefixes and refuse SA/policy insertation when a prefix
+is invalid.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Air Icy <icytxw@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index a9b4491a3cc4..c2e98dcba9fe 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -151,10 +151,16 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
+       err = -EINVAL;
+       switch (p->family) {
+       case AF_INET:
++              if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
++                      goto out;
++
+               break;
+       case AF_INET6:
+ #if IS_ENABLED(CONFIG_IPV6)
++              if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128)
++                      goto out;
++
+               break;
+ #else
+               err = -EAFNOSUPPORT;
+@@ -1312,10 +1318,16 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p)
+       switch (p->sel.family) {
+       case AF_INET:
++              if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
++                      return -EINVAL;
++
+               break;
+       case AF_INET6:
+ #if IS_ENABLED(CONFIG_IPV6)
++              if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128)
++                      return -EINVAL;
++
+               break;
+ #else
+               return  -EAFNOSUPPORT;
+-- 
+2.17.1
+
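Review bot: In verify_newsa_info() the new prefix checks sit under `switch (p->family)`, but the values they test belong to the selector (`p->sel.prefixlen_d`, `p->sel.prefixlen_s`); verify_newpolicy_info() in the second hunk switches on `p->sel.family` instead. If the SA family and the selector family can differ, an IPv4 selector is bounded by 128 rather than 32 whenever `p->family` is AF_INET6. That still permits the out-of-range prefix the patch is meant to reject. The SA path should bound the prefixes in a separate switch on the selector's own family, as sketched below; treating AF_UNSPEC as acceptable there is an assumption to confirm. Both functions continue outside the hunks.

```c
	/* … unchanged: switch (p->family) without the prefix-length tests … */

	switch (p->sel.family) {
	case AF_UNSPEC:
		break;

	case AF_INET:
		if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
			goto out;
		break;

	case AF_INET6:
#if IS_ENABLED(CONFIG_IPV6)
		if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128)
			goto out;
		break;
#else
		err = -EAFNOSUPPORT;
		goto out;
#endif

	default:
		goto out;
	}
```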
diff --git a/queue-4.4/xfrm-validate-template-mode.patch b/queue-4.4/xfrm-validate-template-mode.patch
new file mode 100644 (file)
index 0000000..2fc5bf4
--- /dev/null
@@ -0,0 +1,64 @@
+From 895b1ce57577b529f1c9a9d12b31515ef5aa76ae Mon Sep 17 00:00:00 2001
+From: Sean Tranchetti <stranche@codeaurora.org>
+Date: Wed, 19 Sep 2018 13:54:56 -0600
+Subject: xfrm: validate template mode
+
+[ Upstream commit 32bf94fb5c2ec4ec842152d0e5937cd4bb6738fa ]
+
+XFRM mode parameters passed as part of the user templates
+in the IP_XFRM_POLICY are never properly validated. Passing
+values other than valid XFRM modes can cause stack-out-of-bounds
+reads to occur later in the XFRM processing:
+
+[  140.535608] ================================================================
+[  140.543058] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x17e4/0x1cc4
+[  140.550306] Read of size 4 at addr ffffffc0238a7a58 by task repro/5148
+[  140.557369]
+[  140.558927] Call trace:
+[  140.558936] dump_backtrace+0x0/0x388
+[  140.558940] show_stack+0x24/0x30
+[  140.558946] __dump_stack+0x24/0x2c
+[  140.558949] dump_stack+0x8c/0xd0
+[  140.558956] print_address_description+0x74/0x234
+[  140.558960] kasan_report+0x240/0x264
+[  140.558963] __asan_report_load4_noabort+0x2c/0x38
+[  140.558967] xfrm_state_find+0x17e4/0x1cc4
+[  140.558971] xfrm_resolve_and_create_bundle+0x40c/0x1fb8
+[  140.558975] xfrm_lookup+0x238/0x1444
+[  140.558977] xfrm_lookup_route+0x48/0x11c
+[  140.558984] ip_route_output_flow+0x88/0xc4
+[  140.558991] raw_sendmsg+0xa74/0x266c
+[  140.558996] inet_sendmsg+0x258/0x3b0
+[  140.559002] sock_sendmsg+0xbc/0xec
+[  140.559005] SyS_sendto+0x3a8/0x5a8
+[  140.559008] el0_svc_naked+0x34/0x38
+[  140.559009]
+[  140.592245] page dumped because: kasan: bad access detected
+[  140.597981] page_owner info is not active (free page?)
+[  140.603267]
+[  140.653503] ================================================================
+
+Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index c2e98dcba9fe..476f1fc6d655 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1408,6 +1408,9 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family)
+                   (ut[i].family != prev_family))
+                       return -EINVAL;
++              if (ut[i].mode >= XFRM_MODE_MAX)
++                      return -EINVAL;
++
+               prev_family = ut[i].family;
+               switch (ut[i].family) {
+-- 
+2.17.1
+
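Review bot: The added `if (ut[i].mode >= XFRM_MODE_MAX)` check in validate_tmpl() has no comment, so the reason it matters is easy to lose when the loop is next edited. Per the commit message, an out-of-range mode in a userspace template leads to out-of-bounds reads later in xfrm processing. I would add `/* mode is user-supplied; out-of-range values cause out-of-bounds reads later in xfrm processing */` directly above it. The loop and the function continue outside the hunk.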
diff --git a/queue-4.4/xfrm6-call-kfree_skb-when-skb-is-toobig.patch b/queue-4.4/xfrm6-call-kfree_skb-when-skb-is-toobig.patch
new file mode 100644 (file)
index 0000000..7fd3866
--- /dev/null
@@ -0,0 +1,46 @@
+From 84c77fedd485e48ee5a167f6d50e84bcfd387e36 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Fri, 31 Aug 2018 08:38:49 -0300
+Subject: xfrm6: call kfree_skb when skb is toobig
+
+[ Upstream commit 215ab0f021c9fea3c18b75e7d522400ee6a49990 ]
+
+After commit d6990976af7c5d8f55903bfb4289b6fb030bf754 ("vti6: fix PMTU caching
+and reporting on xmit"), some too big skbs might be potentially passed down to
+__xfrm6_output, causing it to fail to transmit but not free the skb, causing a
+leak of skb, and consequentially a leak of dst references.
+
+After running pmtu.sh, that shows as failure to unregister devices in a namespace:
+
+[  311.397671] unregister_netdevice: waiting for veth_b to become free. Usage count = 1
+
+The fix is to call kfree_skb in case of transmit failures.
+
+Fixes: dd767856a36e ("xfrm6: Don't call icmpv6_send on local error")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/xfrm6_output.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
+index 4d09ce6fa90e..64862c5084ee 100644
+--- a/net/ipv6/xfrm6_output.c
++++ b/net/ipv6/xfrm6_output.c
+@@ -165,9 +165,11 @@ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
+       if (toobig && xfrm6_local_dontfrag(skb)) {
+               xfrm6_local_rxpmtu(skb, mtu);
++              kfree_skb(skb);
+               return -EMSGSIZE;
+       } else if (!skb->ignore_df && toobig && skb->sk) {
+               xfrm_local_error(skb, mtu);
++              kfree_skb(skb);
+               return -EMSGSIZE;
+       }
+-- 
+2.17.1
+