--- /dev/null
+From c988de29ca161823db6a7125e803d597ef75b49c Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <palcantara@suse.com>
+Date: Thu, 15 Nov 2018 15:20:52 +0100
+Subject: cifs: Fix separator when building path from dentry
+
+From: Paulo Alcantara <palcantara@suse.com>
+
+commit c988de29ca161823db6a7125e803d597ef75b49c upstream.
+
+Make sure to use the CIFS_DIR_SEP(cifs_sb) as path separator for
+prefixpath too. Fixes a bug with smb1 UNIX extensions.
+
+Fixes: a6b5058fafdf ("fs/cifs: make share unaccessible at root level mountable")
+Signed-off-by: Paulo Alcantara <palcantara@suse.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -163,7 +163,7 @@ cifs_bp_rename_retry:
+
+ cifs_dbg(FYI, "using cifs_sb prepath <%s>\n", cifs_sb->prepath);
+ memcpy(full_path+dfsplen+1, cifs_sb->prepath, pplen-1);
+- full_path[dfsplen] = '\\';
++ full_path[dfsplen] = dirsep;
+ for (i = 0; i < pplen-1; i++)
+ if (full_path[dfsplen+1+i] == '/')
+ full_path[dfsplen+1+i] = CIFS_DIR_SEP(cifs_sb);
--- /dev/null
+From dada6a43b0402eba438a17ac86fdc64ac56a4607 Mon Sep 17 00:00:00 2001
+From: Macpaul Lin <macpaul@gmail.com>
+Date: Wed, 17 Oct 2018 23:08:38 +0800
+Subject: kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()
+
+From: Macpaul Lin <macpaul@gmail.com>
+
+commit dada6a43b0402eba438a17ac86fdc64ac56a4607 upstream.
+
+This patch is trying to fix KE issue due to
+"BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198"
+reported by Syzkaller scan."
+
+[26364:syz-executor0][name:report8t]BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198
+[26364:syz-executor0][name:report&]Read of size 1 at addr ffffff900e44f95f by task syz-executor0/26364
+[26364:syz-executor0][name:report&]
+[26364:syz-executor0]CPU: 7 PID: 26364 Comm: syz-executor0 Tainted: G W 0
+[26364:syz-executor0]Call trace:
+[26364:syz-executor0][<ffffff9008095cf8>] dump_bacIctrace+Ox0/0x470
+[26364:syz-executor0][<ffffff9008096de0>] show_stack+0x20/0x30
+[26364:syz-executor0][<ffffff90089cc9c8>] dump_stack+Oxd8/0x128
+[26364:syz-executor0][<ffffff90084edb38>] print_address_description +0x80/0x4a8
+[26364:syz-executor0][<ffffff90084ee270>] kasan_report+Ox178/0x390
+[26364:syz-executor0][<ffffff90084ee4a0>] _asan_report_loadi_noabort+Ox18/0x20
+[26364:syz-executor0][<ffffff9008b092ac>] param_set_kgdboc_var+Ox194/0x198
+[26364:syz-executor0][<ffffff900813af64>] param_attr_store+Ox14c/0x270
+[26364:syz-executor0][<ffffff90081394c8>] module_attr_store+0x60/0x90
+[26364:syz-executor0][<ffffff90086690c0>] sysfs_kl_write+Ox100/0x158
+[26364:syz-executor0][<ffffff9008666d84>] kernfs_fop_write+0x27c/0x3a8
+[26364:syz-executor0][<ffffff9008508264>] do_loop_readv_writev+0x114/0x1b0
+[26364:syz-executor0][<ffffff9008509ac8>] do_readv_writev+0x4f8/0x5e0
+[26364:syz-executor0][<ffffff9008509ce4>] vfs_writev+0x7c/Oxb8
+[26364:syz-executor0][<ffffff900850ba64>] SyS_writev+Oxcc/0x208
+[26364:syz-executor0][<ffffff90080883f0>] elO_svc_naked +0x24/0x28
+[26364:syz-executor0][name:report&]
+[26364:syz-executor0][name:report&]The buggy address belongs to the variable:
+[26364:syz-executor0][name:report&] kgdb_tty_line+Ox3f/0x40
+[26364:syz-executor0][name:report&]
+[26364:syz-executor0][name:report&]Memory state around the buggy address:
+[26364:syz-executor0] ffffff900e44f800: 00 00 00 00 00 04 fa fa fa fa fa fa 00 fa fa fa
+[26364:syz-executor0] ffffff900e44f880: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
+[26364:syz-executor0]> ffffff900e44f900: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
+[26364:syz-executor0][name:report&] ^
+[26364:syz-executor0] ffffff900e44f980: 00 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
+[26364:syz-executor0] ffffff900e44fa00: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
+[26364:syz-executor0][name:report&]
+[26364:syz-executor0][name:panic&]Disabling lock debugging due to kernel taint
+[26364:syz-executor0]------------[cut here]------------
+
+After checking the source code, we've found there might be an out-of-bounds
+access to "config[len - 1]" array when the variable "len" is zero.
+
+Signed-off-by: Macpaul Lin <macpaul@gmail.com>
+Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/kgdboc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/kgdboc.c
++++ b/drivers/tty/serial/kgdboc.c
+@@ -232,7 +232,7 @@ static void kgdboc_put_char(u8 chr)
+
+ static int param_set_kgdboc_var(const char *kmessage, struct kernel_param *kp)
+ {
+- int len = strlen(kmessage);
++ size_t len = strlen(kmessage);
+
+ if (len >= MAX_CONFIG_LEN) {
+ printk(KERN_ERR "kgdboc: config string too long\n");
+@@ -254,7 +254,7 @@ static int param_set_kgdboc_var(const ch
+
+ strcpy(config, kmessage);
+ /* Chop out \n char as a result of echo */
+- if (config[len - 1] == '\n')
++ if (len && config[len - 1] == '\n')
+ config[len - 1] = '\0';
+
+ if (configured == 1)
--- /dev/null
+From 5c21e8100dfd57c806e833ae905e26efbb87840f Mon Sep 17 00:00:00 2001
+From: Ben Greear <greearb@candelatech.com>
+Date: Tue, 23 Oct 2018 13:36:52 -0700
+Subject: mac80211: Clear beacon_int in ieee80211_do_stop
+
+From: Ben Greear <greearb@candelatech.com>
+
+commit 5c21e8100dfd57c806e833ae905e26efbb87840f upstream.
+
+This fixes stale beacon-int values that would keep a netdev
+from going up.
+
+To reproduce:
+
+Create two VAP on one radio.
+vap1 has beacon-int 100, start it.
+vap2 has beacon-int 240, start it (and it will fail
+ because beacon-int mismatch).
+reconfigure vap2 to have beacon-int 100 and start it.
+ It will fail because the stale beacon-int 240 will be used
+ in the ifup path and hostapd never gets a chance to set the
+ new beacon interval.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ben Greear <greearb@candelatech.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/iface.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -987,6 +987,8 @@ static void ieee80211_do_stop(struct iee
+ if (local->open_count == 0)
+ ieee80211_clear_tx_pending(local);
+
++ sdata->vif.bss_conf.beacon_int = 0;
++
+ /*
+ * If the interface goes down while suspended, presumably because
+ * the device was unplugged and that happens before our resume,
--- /dev/null
+From 9ec1190d065998650fd9260dea8cf3e1f56c0e8c Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Wed, 28 Nov 2018 22:39:16 +0100
+Subject: mac80211: fix reordering of buffered broadcast packets
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 9ec1190d065998650fd9260dea8cf3e1f56c0e8c upstream.
+
+If the buffered broadcast queue contains packets, letting new packets bypass
+that queue can lead to heavy reordering, since the driver is probably throttling
+transmission of buffered multicast packets after beacons.
+
+Keep buffering packets until the buffer has been cleared (and no client
+is in powersave mode).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/tx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -431,8 +431,8 @@ ieee80211_tx_h_multicast_ps_buf(struct i
+ if (ieee80211_hw_check(&tx->local->hw, QUEUE_CONTROL))
+ info->hw_queue = tx->sdata->vif.cab_queue;
+
+- /* no stations in PS mode */
+- if (!atomic_read(&ps->num_sta_ps))
++ /* no stations in PS mode and no buffered packets */
++ if (!atomic_read(&ps->num_sta_ps) && skb_queue_empty(&ps->bc_buf))
+ return TX_CONTINUE;
+
+ info->flags |= IEEE80211_TX_CTL_SEND_AFTER_DTIM;
--- /dev/null
+From 990d71846a0b7281bd933c34d734e6afc7408e7e Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Mon, 3 Dec 2018 21:16:07 +0200
+Subject: mac80211: ignore NullFunc frames in the duplicate detection
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 990d71846a0b7281bd933c34d734e6afc7408e7e upstream.
+
+NullFunc packets should never be duplicate just like
+QoS-NullFunc packets.
+
+We saw a client that enters / exits power save with
+NullFunc frames (and not with QoS-NullFunc) despite the
+fact that the association supports HT.
+This specific client also re-uses a non-zero sequence number
+for different NullFunc frames.
+At some point, the client had to send a retransmission of
+the NullFunc frame and we dropped it, leading to a
+misalignment in the power save state.
+Fix this by never consider a NullFunc frame as duplicate,
+just like we do for QoS NullFunc frames.
+
+This fixes https://bugzilla.kernel.org/show_bug.cgi?id=201449
+
+CC: <stable@vger.kernel.org>
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1109,6 +1109,7 @@ ieee80211_rx_h_check_dup(struct ieee8021
+ return RX_CONTINUE;
+
+ if (ieee80211_is_ctl(hdr->frame_control) ||
++ ieee80211_is_nullfunc(hdr->frame_control) ||
+ ieee80211_is_qos_nullfunc(hdr->frame_control) ||
+ is_multicast_ether_addr(hdr->addr1))
+ return RX_CONTINUE;
--- /dev/null
+From a317e65face482371de30246b6494feb093ff7f9 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Tue, 13 Nov 2018 20:32:13 +0100
+Subject: mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit a317e65face482371de30246b6494feb093ff7f9 upstream.
+
+Make it behave like regular ieee80211_tx_status calls, except for the lack of
+filtered frame processing.
+This fixes spurious low-ack triggered disconnections with powersave clients
+connected to an AP.
+
+Fixes: f027c2aca0cf4 ("mac80211: add ieee80211_tx_status_noskb")
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/status.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -648,6 +648,8 @@ void ieee80211_tx_status_noskb(struct ie
+ /* Track when last TDLS packet was ACKed */
+ if (test_sta_flag(sta, WLAN_STA_TDLS_PEER_AUTH))
+ sta->status_stats.last_tdls_pkt_time = jiffies;
++ } else if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
++ return;
+ } else {
+ ieee80211_lost_packet(sta, info);
+ }
--- /dev/null
+From a1881c9b8a1edef0a5ae1d5c1b61406fe3402114 Mon Sep 17 00:00:00 2001
+From: Vasyl Vavrychuk <vasyl.vavrychuk@globallogic.com>
+Date: Thu, 18 Oct 2018 01:02:12 +0300
+Subject: mac80211_hwsim: Timer should be initialized before device registered
+
+From: Vasyl Vavrychuk <vasyl.vavrychuk@globallogic.com>
+
+commit a1881c9b8a1edef0a5ae1d5c1b61406fe3402114 upstream.
+
+Otherwise if network manager starts configuring Wi-Fi interface
+immidiatelly after getting notification of its creation, we will get
+NULL pointer dereference:
+
+ BUG: unable to handle kernel NULL pointer dereference at (null)
+ IP: [<ffffffff95ae94c8>] hrtimer_active+0x28/0x50
+ ...
+ Call Trace:
+ [<ffffffff95ae9997>] ? hrtimer_try_to_cancel+0x27/0x110
+ [<ffffffff95ae9a95>] ? hrtimer_cancel+0x15/0x20
+ [<ffffffffc0803bf0>] ? mac80211_hwsim_config+0x140/0x1c0 [mac80211_hwsim]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Vasyl Vavrychuk <vasyl.vavrychuk@globallogic.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mac80211_hwsim.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -2515,6 +2515,10 @@ static int mac80211_hwsim_new_radio(stru
+ if (param->no_vif)
+ ieee80211_hw_set(hw, NO_AUTO_VIF);
+
++ tasklet_hrtimer_init(&data->beacon_timer,
++ mac80211_hwsim_beacon,
++ CLOCK_MONOTONIC, HRTIMER_MODE_ABS);
++
+ err = ieee80211_register_hw(hw);
+ if (err < 0) {
+ printk(KERN_DEBUG "mac80211_hwsim: ieee80211_register_hw failed (%d)\n",
+@@ -2539,10 +2543,6 @@ static int mac80211_hwsim_new_radio(stru
+ data->debugfs,
+ data, &hwsim_simulate_radar);
+
+- tasklet_hrtimer_init(&data->beacon_timer,
+- mac80211_hwsim_beacon,
+- CLOCK_MONOTONIC, HRTIMER_MODE_ABS);
+-
+ spin_lock_bh(&hwsim_radio_lock);
+ list_add_tail(&data->list, &hwsim_radios);
+ spin_unlock_bh(&hwsim_radio_lock);
dmaengine-cppi41-delete-channel-from-pending-list-when-stop-channel.patch
xhci-prevent-u1-u2-link-pm-states-if-exit-latency-is-too-long.patch
staging-lustre-remove-two-build-warnings.patch
+cifs-fix-separator-when-building-path-from-dentry.patch
+tty-serial-8250_mtk-always-resume-the-device-in-probe.patch
+kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch
+mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch
+mac80211-clear-beacon_int-in-ieee80211_do_stop.patch
+mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch
+mac80211-fix-reordering-of-buffered-broadcast-packets.patch
+mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch
--- /dev/null
+From 100bc3e2bebf95506da57cbdf5f26b25f6da4c81 Mon Sep 17 00:00:00 2001
+From: Peter Shih <pihsun@chromium.org>
+Date: Tue, 27 Nov 2018 12:49:50 +0800
+Subject: tty: serial: 8250_mtk: always resume the device in probe.
+
+From: Peter Shih <pihsun@chromium.org>
+
+commit 100bc3e2bebf95506da57cbdf5f26b25f6da4c81 upstream.
+
+serial8250_register_8250_port calls uart_config_port, which calls
+config_port on the port before it tries to power on the port. So we need
+the port to be on before calling serial8250_register_8250_port. Change
+the code to always do a runtime resume in probe before registering port,
+and always do a runtime suspend in remove.
+
+This basically reverts the change in commit 68e5fc4a255a ("tty: serial:
+8250_mtk: use pm_runtime callbacks for enabling"), but still use
+pm_runtime callbacks.
+
+Fixes: 68e5fc4a255a ("tty: serial: 8250_mtk: use pm_runtime callbacks for enabling")
+Signed-off-by: Peter Shih <pihsun@chromium.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_mtk.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_mtk.c
++++ b/drivers/tty/serial/8250/8250_mtk.c
+@@ -231,17 +231,17 @@ static int mtk8250_probe(struct platform
+
+ platform_set_drvdata(pdev, data);
+
+- pm_runtime_enable(&pdev->dev);
+- if (!pm_runtime_enabled(&pdev->dev)) {
+- err = mtk8250_runtime_resume(&pdev->dev);
+- if (err)
+- return err;
+- }
++ err = mtk8250_runtime_resume(&pdev->dev);
++ if (err)
++ return err;
+
+ data->line = serial8250_register_8250_port(&uart);
+ if (data->line < 0)
+ return data->line;
+
++ pm_runtime_set_active(&pdev->dev);
++ pm_runtime_enable(&pdev->dev);
++
+ return 0;
+ }
+
+@@ -252,13 +252,11 @@ static int mtk8250_remove(struct platfor
+ pm_runtime_get_sync(&pdev->dev);
+
+ serial8250_unregister_port(data->line);
++ mtk8250_runtime_suspend(&pdev->dev);
+
+ pm_runtime_disable(&pdev->dev);
+ pm_runtime_put_noidle(&pdev->dev);
+
+- if (!pm_runtime_status_suspended(&pdev->dev))
+- mtk8250_runtime_suspend(&pdev->dev);
+-
+ return 0;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
