--- /dev/null
+From 48a491967cbc08bc3c1d174afae3d120160a3858 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 5 May 2017 15:30:23 -0700
+Subject: bna: ethtool: Avoid reading past end of buffer
+
+[ Upstream commit 4dc69c1c1fff2f587f8e737e70b4a4e7565a5c94 ]
+
+Using memcpy() from a string that is shorter than the length copied means
+the destination buffer is being filled with arbitrary data from the kernel
+rodata segment. Instead, use strncpy() which will fill the trailing bytes
+with zeros.
+
+This was found with the future CONFIG_FORTIFY_SOURCE feature.
+
+Cc: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/brocade/bna/bnad_ethtool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/brocade/bna/bnad_ethtool.c b/drivers/net/ethernet/brocade/bna/bnad_ethtool.c
+index 0e4fdc3dd729..18672ad773fb 100644
+--- a/drivers/net/ethernet/brocade/bna/bnad_ethtool.c
++++ b/drivers/net/ethernet/brocade/bna/bnad_ethtool.c
+@@ -556,8 +556,8 @@ bnad_get_strings(struct net_device *netdev, u32 stringset, u8 *string)
+ for (i = 0; i < BNAD_ETHTOOL_STATS_NUM; i++) {
+ BUG_ON(!(strlen(bnad_net_stats_strings[i]) <
+ ETH_GSTRING_LEN));
+- memcpy(string, bnad_net_stats_strings[i],
+- ETH_GSTRING_LEN);
++ strncpy(string, bnad_net_stats_strings[i],
++ ETH_GSTRING_LEN);
+ string += ETH_GSTRING_LEN;
+ }
+ bmap = bna_tx_rid_mask(&bnad->bna);
+--
+2.17.1
+
--- /dev/null
+From eabf431ebfde07482f2060b2c1292df9baa65aae Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 22 Sep 2017 18:13:48 +0100
+Subject: e1000: avoid null pointer dereference on invalid stat type
+
+[ Upstream commit 5983587c8c5ef00d6886477544ad67d495bc5479 ]
+
+Currently if the stat type is invalid then data[i] is being set
+either by dereferencing a null pointer p, or it is reading from
+an incorrect previous location if we had a valid stat type
+previously. Fix this by skipping over the read of p on an invalid
+stat type.
+
+Detected by CoverityScan, CID#113385 ("Explicit null dereferenced")
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Alexander Duyck <alexander.h.duyck@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+index 5ae8874bbf72..d70b2e5d5222 100644
+--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+@@ -1826,11 +1826,12 @@ static void e1000_get_ethtool_stats(struct net_device *netdev,
+ {
+ struct e1000_adapter *adapter = netdev_priv(netdev);
+ int i;
+- char *p = NULL;
+ const struct e1000_stats *stat = e1000_gstrings_stats;
+
+ e1000_update_stats(adapter);
+- for (i = 0; i < E1000_GLOBAL_STATS_LEN; i++) {
++ for (i = 0; i < E1000_GLOBAL_STATS_LEN; i++, stat++) {
++ char *p;
++
+ switch (stat->type) {
+ case NETDEV_STATS:
+ p = (char *)netdev + stat->stat_offset;
+@@ -1841,15 +1842,13 @@ static void e1000_get_ethtool_stats(struct net_device *netdev,
+ default:
+ WARN_ONCE(1, "Invalid E1000 stat type: %u index %d\n",
+ stat->type, i);
+- break;
++ continue;
+ }
+
+ if (stat->sizeof_stat == sizeof(u64))
+ data[i] = *(u64 *)p;
+ else
+ data[i] = *(u32 *)p;
+-
+- stat++;
+ }
+ /* BUG_ON(i != E1000_STATS_LEN); */
+ }
+--
+2.17.1
+
--- /dev/null
+From 8d593a92993f91a1671693b1f6f61fbbb70f2e65 Mon Sep 17 00:00:00 2001
+From: Vincenzo Maffione <v.maffione@gmail.com>
+Date: Sat, 16 Sep 2017 18:00:00 +0200
+Subject: e1000: fix race condition between e1000_down() and e1000_watchdog
+
+[ Upstream commit 44c445c3d1b4eacff23141fa7977c3b2ec3a45c9 ]
+
+This patch fixes a race condition that can result into the interface being
+up and carrier on, but with transmits disabled in the hardware.
+The bug may show up by repeatedly IFF_DOWN+IFF_UP the interface, which
+allows e1000_watchdog() interleave with e1000_down().
+
+ CPU x CPU y
+ --------------------------------------------------------------------
+ e1000_down():
+ netif_carrier_off()
+ e1000_watchdog():
+ if (carrier == off) {
+ netif_carrier_on();
+ enable_hw_transmit();
+ }
+ disable_hw_transmit();
+ e1000_watchdog():
+ /* carrier on, do nothing */
+
+Signed-off-by: Vincenzo Maffione <v.maffione@gmail.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000/e1000_main.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c
+index 2a1d4a9d3c19..1f84f2fa459f 100644
+--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
+@@ -521,8 +521,6 @@ void e1000_down(struct e1000_adapter *adapter)
+ struct net_device *netdev = adapter->netdev;
+ u32 rctl, tctl;
+
+- netif_carrier_off(netdev);
+-
+ /* disable receives in the hardware */
+ rctl = er32(RCTL);
+ ew32(RCTL, rctl & ~E1000_RCTL_EN);
+@@ -538,6 +536,15 @@ void e1000_down(struct e1000_adapter *adapter)
+ E1000_WRITE_FLUSH();
+ msleep(10);
+
++ /* Set the carrier off after transmits have been disabled in the
++ * hardware, to avoid race conditions with e1000_watchdog() (which
++ * may be running concurrently to us, checking for the carrier
++ * bit to decide whether it should enable transmits again). Such
++ * a race condition would result into transmission being disabled
++ * in the hardware until the next IFF_DOWN+IFF_UP cycle.
++ */
++ netif_carrier_off(netdev);
++
+ napi_disable(&adapter->napi);
+
+ e1000_irq_disable(adapter);
+--
+2.17.1
+
--- /dev/null
+From a7045874f2c8b37d0494ec1c4ff76d3aebe29a23 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Wed, 5 Sep 2018 17:33:09 +0800
+Subject: MIPS: Loongson-3: Fix BRIDGE irq delivery problem
+
+[ Upstream commit 360fe725f8849aaddc53475fef5d4a0c439b05ae ]
+
+After commit e509bd7da149dc349160 ("genirq: Allow migration of chained
+interrupts by installing default action") Loongson-3 fails at here:
+
+setup_irq(LOONGSON_HT1_IRQ, &cascade_irqaction);
+
+This is because both chained_action and cascade_irqaction don't have
+IRQF_SHARED flag. This will cause Loongson-3 resume fails because HPET
+timer interrupt can't be delivered during S3. So we set the irqchip of
+the chained irq to loongson_irq_chip which doesn't disable the chained
+irq in CP0.Status.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/20434/
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Cc: Huacai Chen <chenhuacai@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/mach-loongson64/irq.h | 2 +-
+ arch/mips/loongson64/loongson-3/irq.c | 13 +++----------
+ 2 files changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/arch/mips/include/asm/mach-loongson64/irq.h b/arch/mips/include/asm/mach-loongson64/irq.h
+index d18c45c7c394..19ff9ce46c02 100644
+--- a/arch/mips/include/asm/mach-loongson64/irq.h
++++ b/arch/mips/include/asm/mach-loongson64/irq.h
+@@ -9,7 +9,7 @@
+ #define MIPS_CPU_IRQ_BASE 56
+
+ #define LOONGSON_UART_IRQ (MIPS_CPU_IRQ_BASE + 2) /* UART */
+-#define LOONGSON_HT1_IRQ (MIPS_CPU_IRQ_BASE + 3) /* HT1 */
++#define LOONGSON_BRIDGE_IRQ (MIPS_CPU_IRQ_BASE + 3) /* CASCADE */
+ #define LOONGSON_TIMER_IRQ (MIPS_CPU_IRQ_BASE + 7) /* CPU Timer */
+
+ #define LOONGSON_HT1_CFG_BASE loongson_sysconf.ht_control_base
+diff --git a/arch/mips/loongson64/loongson-3/irq.c b/arch/mips/loongson64/loongson-3/irq.c
+index 53424f2a53f3..241cb88f9c03 100644
+--- a/arch/mips/loongson64/loongson-3/irq.c
++++ b/arch/mips/loongson64/loongson-3/irq.c
+@@ -42,12 +42,6 @@ void mach_irq_dispatch(unsigned int pending)
+ }
+ }
+
+-static struct irqaction cascade_irqaction = {
+- .handler = no_action,
+- .flags = IRQF_NO_SUSPEND,
+- .name = "cascade",
+-};
+-
+ static inline void mask_loongson_irq(struct irq_data *d) { }
+ static inline void unmask_loongson_irq(struct irq_data *d) { }
+
+@@ -88,11 +82,10 @@ void __init mach_init_irq(void)
+ init_i8259_irqs();
+ irq_set_chip_and_handler(LOONGSON_UART_IRQ,
+ &loongson_irq_chip, handle_percpu_irq);
++ irq_set_chip_and_handler(LOONGSON_BRIDGE_IRQ,
++ &loongson_irq_chip, handle_percpu_irq);
+
+- /* setup HT1 irq */
+- setup_irq(LOONGSON_HT1_IRQ, &cascade_irqaction);
+-
+- set_c0_status(STATUSF_IP2 | STATUSF_IP6);
++ set_c0_status(STATUSF_IP2 | STATUSF_IP3 | STATUSF_IP6);
+ }
+
+ #ifdef CONFIG_HOTPLUG_CPU
+--
+2.17.1
+
--- /dev/null
+From ec15040b5a48f36fc26a7c8fe01c8e9c3920c38a Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Wed, 5 Sep 2018 17:33:08 +0800
+Subject: MIPS: Loongson-3: Fix CPU UART irq delivery problem
+
+[ Upstream commit d06f8a2f1befb5a3d0aa660ab1c05e9b744456ea ]
+
+Masking/unmasking the CPU UART irq in CP0_Status (and redirecting it to
+other CPUs) may cause interrupts be lost, especially in multi-package
+machines (Package-0's UART irq cannot be delivered to others). So make
+mask_loongson_irq() and unmask_loongson_irq() be no-ops.
+
+The original problem (UART IRQ may deliver to any core) is also because
+of masking/unmasking the CPU UART irq in CP0_Status. So it is safe to
+remove all of the stuff.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/20433/
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Cc: Huacai Chen <chenhuacai@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/loongson64/loongson-3/irq.c | 43 ++-------------------------
+ 1 file changed, 3 insertions(+), 40 deletions(-)
+
+diff --git a/arch/mips/loongson64/loongson-3/irq.c b/arch/mips/loongson64/loongson-3/irq.c
+index 0f75b6b3d218..53424f2a53f3 100644
+--- a/arch/mips/loongson64/loongson-3/irq.c
++++ b/arch/mips/loongson64/loongson-3/irq.c
+@@ -48,45 +48,8 @@ static struct irqaction cascade_irqaction = {
+ .name = "cascade",
+ };
+
+-static inline void mask_loongson_irq(struct irq_data *d)
+-{
+- clear_c0_status(0x100 << (d->irq - MIPS_CPU_IRQ_BASE));
+- irq_disable_hazard();
+-
+- /* Workaround: UART IRQ may deliver to any core */
+- if (d->irq == LOONGSON_UART_IRQ) {
+- int cpu = smp_processor_id();
+- int node_id = cpu_logical_map(cpu) / loongson_sysconf.cores_per_node;
+- int core_id = cpu_logical_map(cpu) % loongson_sysconf.cores_per_node;
+- u64 intenclr_addr = smp_group[node_id] |
+- (u64)(&LOONGSON_INT_ROUTER_INTENCLR);
+- u64 introuter_lpc_addr = smp_group[node_id] |
+- (u64)(&LOONGSON_INT_ROUTER_LPC);
+-
+- *(volatile u32 *)intenclr_addr = 1 << 10;
+- *(volatile u8 *)introuter_lpc_addr = 0x10 + (1<<core_id);
+- }
+-}
+-
+-static inline void unmask_loongson_irq(struct irq_data *d)
+-{
+- /* Workaround: UART IRQ may deliver to any core */
+- if (d->irq == LOONGSON_UART_IRQ) {
+- int cpu = smp_processor_id();
+- int node_id = cpu_logical_map(cpu) / loongson_sysconf.cores_per_node;
+- int core_id = cpu_logical_map(cpu) % loongson_sysconf.cores_per_node;
+- u64 intenset_addr = smp_group[node_id] |
+- (u64)(&LOONGSON_INT_ROUTER_INTENSET);
+- u64 introuter_lpc_addr = smp_group[node_id] |
+- (u64)(&LOONGSON_INT_ROUTER_LPC);
+-
+- *(volatile u32 *)intenset_addr = 1 << 10;
+- *(volatile u8 *)introuter_lpc_addr = 0x10 + (1<<core_id);
+- }
+-
+- set_c0_status(0x100 << (d->irq - MIPS_CPU_IRQ_BASE));
+- irq_enable_hazard();
+-}
++static inline void mask_loongson_irq(struct irq_data *d) { }
++static inline void unmask_loongson_irq(struct irq_data *d) { }
+
+ /* For MIPS IRQs which shared by all cores */
+ static struct irq_chip loongson_irq_chip = {
+@@ -124,7 +87,7 @@ void __init mach_init_irq(void)
+ mips_cpu_irq_init();
+ init_i8259_irqs();
+ irq_set_chip_and_handler(LOONGSON_UART_IRQ,
+- &loongson_irq_chip, handle_level_irq);
++ &loongson_irq_chip, handle_percpu_irq);
+
+ /* setup HT1 irq */
+ setup_irq(LOONGSON_HT1_IRQ, &cascade_irqaction);
+--
+2.17.1
+
mm-refuse-wrapped-vm_brk-requests.patch
fs-elf-make-sure-to-page-align-bss-in-load_elf_libra.patch
mm-do-not-bug_on-on-incorrect-length-in-__mm_populat.patch
+e1000-avoid-null-pointer-dereference-on-invalid-stat.patch
+e1000-fix-race-condition-between-e1000_down-and-e100.patch
+bna-ethtool-avoid-reading-past-end-of-buffer.patch
+mips-loongson-3-fix-cpu-uart-irq-delivery-problem.patch
+mips-loongson-3-fix-bridge-irq-delivery-problem.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
