From: Sasha Levin Date: Thu, 11 Jul 2019 00:53:49 +0000 (-0400) Subject: fixes for 4.19 X-Git-Tag: v5.2.1~47 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=04fb06fa3232b4023eec4fcc7a22e7ff788567f5;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/arm-davinci-da850-evm-call-regulator_has_full_constr.patch b/queue-4.19/arm-davinci-da850-evm-call-regulator_has_full_constr.patch new file mode 100644 index 00000000000..8fceb8887e3 --- /dev/null +++ b/queue-4.19/arm-davinci-da850-evm-call-regulator_has_full_constr.patch @@ -0,0 +1,38 @@ +From d335ef6d06c139a194609e2bcd2cfcf86e33cff2 Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Fri, 7 Jun 2019 11:02:01 +0200 +Subject: ARM: davinci: da850-evm: call regulator_has_full_constraints() + +[ Upstream commit 0c0c9b5753cd04601b17de09da1ed2885a3b42fe ] + +The BB expander at 0x21 i2c bus 1 fails to probe on da850-evm because +the board doesn't set has_full_constraints to true in the regulator +API. + +Call regulator_has_full_constraints() at the end of board registration +just like we do in da850-lcdk and da830-evm. + +Reviewed-by: Linus Walleij +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +--- + arch/arm/mach-davinci/board-da850-evm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm/mach-davinci/board-da850-evm.c b/arch/arm/mach-davinci/board-da850-evm.c +index e1a949b47306..774a3e535ad0 100644 +--- a/arch/arm/mach-davinci/board-da850-evm.c ++++ b/arch/arm/mach-davinci/board-da850-evm.c +@@ -1472,6 +1472,8 @@ static __init void da850_evm_init(void) + if (ret) + pr_warn("%s: dsp/rproc registration failed: %d\n", + __func__, ret); ++ ++ regulator_has_full_constraints(); + } + + #ifdef CONFIG_SERIAL_8250_CONSOLE +-- +2.20.1 + diff --git a/queue-4.19/arm-davinci-da8xx-specify-dma_coherent_mask-for-lcdc.patch b/queue-4.19/arm-davinci-da8xx-specify-dma_coherent_mask-for-lcdc.patch new file mode 100644 index 00000000000..4d0cc90b48c --- /dev/null +++ b/queue-4.19/arm-davinci-da8xx-specify-dma_coherent_mask-for-lcdc.patch @@ -0,0 +1,66 @@ +From 82ddd1910d0cf7d2ae06c26859d24acc92396b67 Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Fri, 7 Jun 2019 16:33:50 +0200 +Subject: ARM: davinci: da8xx: specify dma_coherent_mask for lcdc + +[ Upstream commit 68f2515bb31a664ba3e2bc1eb78dd9f529b10067 ] + +The lcdc device is missing the dma_coherent_mask definition causing the +following warning on da850-evm: + +da8xx_lcdc da8xx_lcdc.0: found Sharp_LK043T1DG01 panel +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 1 at kernel/dma/mapping.c:247 dma_alloc_attrs+0xc8/0x110 +Modules linked in: +CPU: 0 PID: 1 Comm: swapper Not tainted 5.2.0-rc3-00077-g16d72dd4891f #18 +Hardware name: DaVinci DA850/OMAP-L138/AM18x EVM +[] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[] (show_stack) from [] (__warn+0xec/0x114) +[] (__warn) from [] (warn_slowpath_null+0x3c/0x48) +[] (warn_slowpath_null) from [] (dma_alloc_attrs+0xc8/0x110) +[] (dma_alloc_attrs) from [] (fb_probe+0x228/0x5a8) +[] (fb_probe) from [] (platform_drv_probe+0x48/0x9c) +[] (platform_drv_probe) from [] (really_probe+0x1d8/0x2d4) +[] (really_probe) from [] (driver_probe_device+0x5c/0x168) +[] (driver_probe_device) from [] (device_driver_attach+0x58/0x60) +[] (device_driver_attach) from [] (__driver_attach+0x80/0xbc) +[] (__driver_attach) from [] (bus_for_each_dev+0x64/0xb4) +[] (bus_for_each_dev) from [] (bus_add_driver+0xe4/0x1d8) +[] (bus_add_driver) from [] (driver_register+0x78/0x10c) +[] (driver_register) from [] (do_one_initcall+0x48/0x1bc) +[] (do_one_initcall) from [] (kernel_init_freeable+0x10c/0x1d8) +[] (kernel_init_freeable) from [] (kernel_init+0x8/0xf4) +[] (kernel_init) from [] (ret_from_fork+0x14/0x34) +Exception stack(0xc6837fb0 to 0xc6837ff8) +7fa0: 00000000 00000000 00000000 00000000 +7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +7fe0: 00000000 00000000 00000000 00000000 00000013 00000000 +---[ end trace 8a8073511be81dd2 ]--- + +Add a 32-bit mask to the platform device's definition. + +Signed-off-by: Bartosz Golaszewski + +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +--- + arch/arm/mach-davinci/devices-da8xx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm/mach-davinci/devices-da8xx.c b/arch/arm/mach-davinci/devices-da8xx.c +index 1fd3619f6a09..3c42bf9fa061 100644 +--- a/arch/arm/mach-davinci/devices-da8xx.c ++++ b/arch/arm/mach-davinci/devices-da8xx.c +@@ -685,6 +685,9 @@ static struct platform_device da8xx_lcdc_device = { + .id = 0, + .num_resources = ARRAY_SIZE(da8xx_lcdc_resources), + .resource = da8xx_lcdc_resources, ++ .dev = { ++ .coherent_dma_mask = DMA_BIT_MASK(32), ++ } + }; + + int __init da8xx_register_lcdc(struct da8xx_lcdc_platform_data *pdata) +-- +2.20.1 + diff --git a/queue-4.19/arm-dts-am335x-phytec-boards-fix-cd-gpios-active-lev.patch b/queue-4.19/arm-dts-am335x-phytec-boards-fix-cd-gpios-active-lev.patch new file mode 100644 index 00000000000..354765bedb8 --- /dev/null +++ b/queue-4.19/arm-dts-am335x-phytec-boards-fix-cd-gpios-active-lev.patch @@ -0,0 +1,47 @@ +From daf861a4885ca496427c0e14aa998d2c8dec1879 Mon Sep 17 00:00:00 2001 +From: Teresa Remmet +Date: Fri, 24 May 2019 15:19:57 +0200 +Subject: ARM: dts: am335x phytec boards: Fix cd-gpios active level + +[ Upstream commit 8a0098c05a272c9a68f6885e09755755b612459c ] + +Active level of the mmc1 cd gpio needs to be low instead of high. +Fix PCM-953 and phyBOARD-WEGA. + +Signed-off-by: Teresa Remmet +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/am335x-pcm-953.dtsi | 2 +- + arch/arm/boot/dts/am335x-wega.dtsi | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/am335x-pcm-953.dtsi b/arch/arm/boot/dts/am335x-pcm-953.dtsi +index 1ec8e0d80191..572fbd254690 100644 +--- a/arch/arm/boot/dts/am335x-pcm-953.dtsi ++++ b/arch/arm/boot/dts/am335x-pcm-953.dtsi +@@ -197,7 +197,7 @@ + bus-width = <4>; + pinctrl-names = "default"; + pinctrl-0 = <&mmc1_pins>; +- cd-gpios = <&gpio0 6 GPIO_ACTIVE_HIGH>; ++ cd-gpios = <&gpio0 6 GPIO_ACTIVE_LOW>; + status = "okay"; + }; + +diff --git a/arch/arm/boot/dts/am335x-wega.dtsi b/arch/arm/boot/dts/am335x-wega.dtsi +index 8ce541739b24..83e4fe595e37 100644 +--- a/arch/arm/boot/dts/am335x-wega.dtsi ++++ b/arch/arm/boot/dts/am335x-wega.dtsi +@@ -157,7 +157,7 @@ + bus-width = <4>; + pinctrl-names = "default"; + pinctrl-0 = <&mmc1_pins>; +- cd-gpios = <&gpio0 6 GPIO_ACTIVE_HIGH>; ++ cd-gpios = <&gpio0 6 GPIO_ACTIVE_LOW>; + status = "okay"; + }; + +-- +2.20.1 + diff --git a/queue-4.19/bnx2x-check-if-transceiver-implements-ddm-before-acc.patch b/queue-4.19/bnx2x-check-if-transceiver-implements-ddm-before-acc.patch new file mode 100644 index 00000000000..24df7ec9a1c --- /dev/null +++ b/queue-4.19/bnx2x-check-if-transceiver-implements-ddm-before-acc.patch @@ -0,0 +1,63 @@ +From 198880370fb9da695b1fa571ba13b295471aec52 Mon Sep 17 00:00:00 2001 +From: "Mauro S. M. Rodrigues" +Date: Thu, 13 Jun 2019 16:25:40 -0300 +Subject: bnx2x: Check if transceiver implements DDM before access + +[ Upstream commit cf18cecca911c0db96b868072665347efe6df46f ] + +Some transceivers may comply with SFF-8472 even though they do not +implement the Digital Diagnostic Monitoring (DDM) interface described in +the spec. The existence of such area is specified by the 6th bit of byte +92, set to 1 if implemented. + +Currently, without checking this bit, bnx2x fails trying to read sfp +module's EEPROM with the follow message: + +ethtool -m enP5p1s0f1 +Cannot get Module EEPROM data: Input/output error + +Because it fails to read the additional 256 bytes in which it is assumed +to exist the DDM data. + +This issue was noticed using a Mellanox Passive DAC PN 01FT738. The EEPROM +data was confirmed by Mellanox as correct and similar to other Passive +DACs from other manufacturers. + +Signed-off-by: Mauro S. M. Rodrigues +Acked-by: Sudarsana Reddy Kalluru +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 ++- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c +index a4a90b6cdb46..c428b0655c26 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c +@@ -1581,7 +1581,8 @@ static int bnx2x_get_module_info(struct net_device *dev, + } + + if (!sff8472_comp || +- (diag_type & SFP_EEPROM_DIAG_ADDR_CHANGE_REQ)) { ++ (diag_type & SFP_EEPROM_DIAG_ADDR_CHANGE_REQ) || ++ !(diag_type & SFP_EEPROM_DDM_IMPLEMENTED)) { + modinfo->type = ETH_MODULE_SFF_8079; + modinfo->eeprom_len = ETH_MODULE_SFF_8079_LEN; + } else { +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h +index b7d251108c19..7115f5025664 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h +@@ -62,6 +62,7 @@ + #define SFP_EEPROM_DIAG_TYPE_ADDR 0x5c + #define SFP_EEPROM_DIAG_TYPE_SIZE 1 + #define SFP_EEPROM_DIAG_ADDR_CHANGE_REQ (1<<2) ++#define SFP_EEPROM_DDM_IMPLEMENTED (1<<6) + #define SFP_EEPROM_SFF_8472_COMP_ADDR 0x5e + #define SFP_EEPROM_SFF_8472_COMP_SIZE 1 + +-- +2.20.1 + diff --git a/queue-4.19/bpf-devmap-add-missing-bulk-queue-free.patch b/queue-4.19/bpf-devmap-add-missing-bulk-queue-free.patch new file mode 100644 index 00000000000..8355824496a --- /dev/null +++ b/queue-4.19/bpf-devmap-add-missing-bulk-queue-free.patch @@ -0,0 +1,33 @@ +From fac515849327e2835a1c0ec743f4b196d550c2aa Mon Sep 17 00:00:00 2001 +From: Toshiaki Makita +Date: Fri, 14 Jun 2019 17:20:14 +0900 +Subject: bpf, devmap: Add missing bulk queue free + +[ Upstream commit edabf4d9dd905acd60048ea1579943801e3a4876 ] + +dev_map_free() forgot to free bulk queue when freeing its entries. + +Fixes: 5d053f9da431 ("bpf: devmap prepare xdp frames for bulking") +Signed-off-by: Toshiaki Makita +Acked-by: Jesper Dangaard Brouer +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + kernel/bpf/devmap.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c +index 99353ac28cd4..357d456d57b9 100644 +--- a/kernel/bpf/devmap.c ++++ b/kernel/bpf/devmap.c +@@ -186,6 +186,7 @@ static void dev_map_free(struct bpf_map *map) + if (!dev) + continue; + ++ free_percpu(dev->bulkq); + dev_put(dev->dev); + kfree(dev); + } +-- +2.20.1 + diff --git a/queue-4.19/bpf-devmap-add-missing-rcu-read-lock-on-flush.patch b/queue-4.19/bpf-devmap-add-missing-rcu-read-lock-on-flush.patch new file mode 100644 index 00000000000..ba3914c6077 --- /dev/null +++ b/queue-4.19/bpf-devmap-add-missing-rcu-read-lock-on-flush.patch @@ -0,0 +1,59 @@ +From f478226284e2ab2f0cec6c344ebc1be8518a9679 Mon Sep 17 00:00:00 2001 +From: Toshiaki Makita +Date: Fri, 14 Jun 2019 17:20:15 +0900 +Subject: bpf, devmap: Add missing RCU read lock on flush + +[ Upstream commit 86723c8640633bee4b4588d3c7784ee7a0032f65 ] + +.ndo_xdp_xmit() assumes it is called under RCU. For example virtio_net +uses RCU to detect it has setup the resources for tx. The assumption +accidentally broke when introducing bulk queue in devmap. + +Fixes: 5d053f9da431 ("bpf: devmap prepare xdp frames for bulking") +Reported-by: David Ahern +Signed-off-by: Toshiaki Makita +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + kernel/bpf/devmap.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c +index 357d456d57b9..fc500ca464d0 100644 +--- a/kernel/bpf/devmap.c ++++ b/kernel/bpf/devmap.c +@@ -282,6 +282,7 @@ void __dev_map_flush(struct bpf_map *map) + unsigned long *bitmap = this_cpu_ptr(dtab->flush_needed); + u32 bit; + ++ rcu_read_lock(); + for_each_set_bit(bit, bitmap, map->max_entries) { + struct bpf_dtab_netdev *dev = READ_ONCE(dtab->netdev_map[bit]); + struct xdp_bulk_queue *bq; +@@ -297,6 +298,7 @@ void __dev_map_flush(struct bpf_map *map) + + __clear_bit(bit, bitmap); + } ++ rcu_read_unlock(); + } + + /* rcu_read_lock (from syscall and BPF contexts) ensures that if a delete and/or +@@ -389,6 +391,7 @@ static void dev_map_flush_old(struct bpf_dtab_netdev *dev) + + int cpu; + ++ rcu_read_lock(); + for_each_online_cpu(cpu) { + bitmap = per_cpu_ptr(dev->dtab->flush_needed, cpu); + __clear_bit(dev->bit, bitmap); +@@ -396,6 +399,7 @@ static void dev_map_flush_old(struct bpf_dtab_netdev *dev) + bq = per_cpu_ptr(dev->bulkq, cpu); + bq_xmit_all(dev, bq, XDP_XMIT_FLUSH, false); + } ++ rcu_read_unlock(); + } + } + +-- +2.20.1 + diff --git a/queue-4.19/bpf-devmap-fix-premature-entry-free-on-destroying-ma.patch b/queue-4.19/bpf-devmap-fix-premature-entry-free-on-destroying-ma.patch new file mode 100644 index 00000000000..cb6efc377a4 --- /dev/null +++ b/queue-4.19/bpf-devmap-fix-premature-entry-free-on-destroying-ma.patch @@ -0,0 +1,50 @@ +From 6acf99e0e8e7e21782aab7b6979697fb76fdda70 Mon Sep 17 00:00:00 2001 +From: Toshiaki Makita +Date: Fri, 14 Jun 2019 17:20:13 +0900 +Subject: bpf, devmap: Fix premature entry free on destroying map + +[ Upstream commit d4dd153d551634683fccf8881f606fa9f3dfa1ef ] + +dev_map_free() waits for flush_needed bitmap to be empty in order to +ensure all flush operations have completed before freeing its entries. +However the corresponding clear_bit() was called before using the +entries, so the entries could be used after free. + +All access to the entries needs to be done before clearing the bit. +It seems commit a5e2da6e9787 ("bpf: netdev is never null in +__dev_map_flush") accidentally changed the clear_bit() and memory access +order. + +Note that the problem happens only in __dev_map_flush(), not in +dev_map_flush_old(). dev_map_flush_old() is called only after nulling +out the corresponding netdev_map entry, so dev_map_free() never frees +the entry thus no such race happens there. + +Fixes: a5e2da6e9787 ("bpf: netdev is never null in __dev_map_flush") +Signed-off-by: Toshiaki Makita +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + kernel/bpf/devmap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c +index 2faad033715f..99353ac28cd4 100644 +--- a/kernel/bpf/devmap.c ++++ b/kernel/bpf/devmap.c +@@ -291,10 +291,10 @@ void __dev_map_flush(struct bpf_map *map) + if (unlikely(!dev)) + continue; + +- __clear_bit(bit, bitmap); +- + bq = this_cpu_ptr(dev->bulkq); + bq_xmit_all(dev, bq, XDP_XMIT_FLUSH, true); ++ ++ __clear_bit(bit, bitmap); + } + } + +-- +2.20.1 + diff --git a/queue-4.19/bpf-sockmap-fix-use-after-free-from-sleep-in-psock-b.patch b/queue-4.19/bpf-sockmap-fix-use-after-free-from-sleep-in-psock-b.patch new file mode 100644 index 00000000000..75161ff2b0f --- /dev/null +++ b/queue-4.19/bpf-sockmap-fix-use-after-free-from-sleep-in-psock-b.patch @@ -0,0 +1,89 @@ +From 2360ea2f1287002792ebbeeec787306e596debb3 Mon Sep 17 00:00:00 2001 +From: John Fastabend +Date: Fri, 24 May 2019 08:01:00 -0700 +Subject: bpf: sockmap, fix use after free from sleep in psock backlog + workqueue + +[ Upstream commit bd95e678e0f6e18351ecdc147ca819145db9ed7b ] + +Backlog work for psock (sk_psock_backlog) might sleep while waiting +for memory to free up when sending packets. However, while sleeping +the socket may be closed and removed from the map by the user space +side. + +This breaks an assumption in sk_stream_wait_memory, which expects the +wait queue to be still there when it wakes up resulting in a +use-after-free shown below. To fix his mark sendmsg as MSG_DONTWAIT +to avoid the sleep altogether. We already set the flag for the +sendpage case but we missed the case were sendmsg is used. +Sockmap is currently the only user of skb_send_sock_locked() so only +the sockmap paths should be impacted. + +================================================================== +BUG: KASAN: use-after-free in remove_wait_queue+0x31/0x70 +Write of size 8 at addr ffff888069a0c4e8 by task kworker/0:2/110 + +CPU: 0 PID: 110 Comm: kworker/0:2 Not tainted 5.0.0-rc2-00335-g28f9d1a3d4fe-dirty #14 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014 +Workqueue: events sk_psock_backlog +Call Trace: + print_address_description+0x6e/0x2b0 + ? remove_wait_queue+0x31/0x70 + kasan_report+0xfd/0x177 + ? remove_wait_queue+0x31/0x70 + ? remove_wait_queue+0x31/0x70 + remove_wait_queue+0x31/0x70 + sk_stream_wait_memory+0x4dd/0x5f0 + ? sk_stream_wait_close+0x1b0/0x1b0 + ? wait_woken+0xc0/0xc0 + ? tcp_current_mss+0xc5/0x110 + tcp_sendmsg_locked+0x634/0x15d0 + ? tcp_set_state+0x2e0/0x2e0 + ? __kasan_slab_free+0x1d1/0x230 + ? kmem_cache_free+0x70/0x140 + ? sk_psock_backlog+0x40c/0x4b0 + ? process_one_work+0x40b/0x660 + ? worker_thread+0x82/0x680 + ? kthread+0x1b9/0x1e0 + ? ret_from_fork+0x1f/0x30 + ? check_preempt_curr+0xaf/0x130 + ? iov_iter_kvec+0x5f/0x70 + ? kernel_sendmsg_locked+0xa0/0xe0 + skb_send_sock_locked+0x273/0x3c0 + ? skb_splice_bits+0x180/0x180 + ? start_thread+0xe0/0xe0 + ? update_min_vruntime.constprop.27+0x88/0xc0 + sk_psock_backlog+0xb3/0x4b0 + ? strscpy+0xbf/0x1e0 + process_one_work+0x40b/0x660 + worker_thread+0x82/0x680 + ? process_one_work+0x660/0x660 + kthread+0x1b9/0x1e0 + ? __kthread_create_on_node+0x250/0x250 + ret_from_fork+0x1f/0x30 + +Fixes: 20bf50de3028c ("skbuff: Function to send an skbuf on a socket") +Reported-by: Jakub Sitnicki +Tested-by: Jakub Sitnicki +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + net/core/skbuff.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 8b5768113acd..9b9f696281a9 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -2302,6 +2302,7 @@ int skb_send_sock_locked(struct sock *sk, struct sk_buff *skb, int offset, + kv.iov_base = skb->data + offset; + kv.iov_len = slen; + memset(&msg, 0, sizeof(msg)); ++ msg.msg_flags = MSG_DONTWAIT; + + ret = kernel_sendmsg_locked(sk, &msg, &kv, 1, slen); + if (ret <= 0) +-- +2.20.1 + diff --git a/queue-4.19/bpf-x64-fix-stack-layout-of-jited-bpf-code.patch b/queue-4.19/bpf-x64-fix-stack-layout-of-jited-bpf-code.patch new file mode 100644 index 00000000000..a862ce9f5bb --- /dev/null +++ b/queue-4.19/bpf-x64-fix-stack-layout-of-jited-bpf-code.patch @@ -0,0 +1,137 @@ +From a1106ec542051c3bad2c35f69ef04ff5b3a97bec Mon Sep 17 00:00:00 2001 +From: Alexei Starovoitov +Date: Fri, 14 Jun 2019 15:43:28 -0700 +Subject: bpf, x64: fix stack layout of JITed bpf code + +[ Upstream commit fe8d9571dc50232b569242fac7ea6332a654f186 ] + +Since commit 177366bf7ceb the %rbp stopped pointing to %rbp of the +previous stack frame. That broke frame pointer based stack unwinding. +This commit is a partial revert of it. +Note that the location of tail_call_cnt is fixed, since the verifier +enforces MAX_BPF_STACK stack size for programs with tail calls. + +Fixes: 177366bf7ceb ("bpf: change x86 JITed program stack layout") +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/x86/net/bpf_jit_comp.c | 74 +++++++++++-------------------------- + 1 file changed, 21 insertions(+), 53 deletions(-) + +diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c +index 2580cd2e98b1..a32fc3d99407 100644 +--- a/arch/x86/net/bpf_jit_comp.c ++++ b/arch/x86/net/bpf_jit_comp.c +@@ -190,9 +190,7 @@ struct jit_context { + #define BPF_MAX_INSN_SIZE 128 + #define BPF_INSN_SAFETY 64 + +-#define AUX_STACK_SPACE 40 /* Space for RBX, R13, R14, R15, tailcnt */ +- +-#define PROLOGUE_SIZE 37 ++#define PROLOGUE_SIZE 20 + + /* + * Emit x86-64 prologue code for BPF program and check its size. +@@ -203,44 +201,19 @@ static void emit_prologue(u8 **pprog, u32 stack_depth, bool ebpf_from_cbpf) + u8 *prog = *pprog; + int cnt = 0; + +- /* push rbp */ +- EMIT1(0x55); +- +- /* mov rbp,rsp */ +- EMIT3(0x48, 0x89, 0xE5); +- +- /* sub rsp, rounded_stack_depth + AUX_STACK_SPACE */ +- EMIT3_off32(0x48, 0x81, 0xEC, +- round_up(stack_depth, 8) + AUX_STACK_SPACE); +- +- /* sub rbp, AUX_STACK_SPACE */ +- EMIT4(0x48, 0x83, 0xED, AUX_STACK_SPACE); +- +- /* mov qword ptr [rbp+0],rbx */ +- EMIT4(0x48, 0x89, 0x5D, 0); +- /* mov qword ptr [rbp+8],r13 */ +- EMIT4(0x4C, 0x89, 0x6D, 8); +- /* mov qword ptr [rbp+16],r14 */ +- EMIT4(0x4C, 0x89, 0x75, 16); +- /* mov qword ptr [rbp+24],r15 */ +- EMIT4(0x4C, 0x89, 0x7D, 24); +- ++ EMIT1(0x55); /* push rbp */ ++ EMIT3(0x48, 0x89, 0xE5); /* mov rbp, rsp */ ++ /* sub rsp, rounded_stack_depth */ ++ EMIT3_off32(0x48, 0x81, 0xEC, round_up(stack_depth, 8)); ++ EMIT1(0x53); /* push rbx */ ++ EMIT2(0x41, 0x55); /* push r13 */ ++ EMIT2(0x41, 0x56); /* push r14 */ ++ EMIT2(0x41, 0x57); /* push r15 */ + if (!ebpf_from_cbpf) { +- /* +- * Clear the tail call counter (tail_call_cnt): for eBPF tail +- * calls we need to reset the counter to 0. It's done in two +- * instructions, resetting RAX register to 0, and moving it +- * to the counter location. +- */ +- +- /* xor eax, eax */ +- EMIT2(0x31, 0xc0); +- /* mov qword ptr [rbp+32], rax */ +- EMIT4(0x48, 0x89, 0x45, 32); +- ++ /* zero init tail_call_cnt */ ++ EMIT2(0x6a, 0x00); + BUILD_BUG_ON(cnt != PROLOGUE_SIZE); + } +- + *pprog = prog; + } + +@@ -285,13 +258,13 @@ static void emit_bpf_tail_call(u8 **pprog) + * if (tail_call_cnt > MAX_TAIL_CALL_CNT) + * goto out; + */ +- EMIT2_off32(0x8B, 0x85, 36); /* mov eax, dword ptr [rbp + 36] */ ++ EMIT2_off32(0x8B, 0x85, -36 - MAX_BPF_STACK); /* mov eax, dword ptr [rbp - 548] */ + EMIT3(0x83, 0xF8, MAX_TAIL_CALL_CNT); /* cmp eax, MAX_TAIL_CALL_CNT */ + #define OFFSET2 (30 + RETPOLINE_RAX_BPF_JIT_SIZE) + EMIT2(X86_JA, OFFSET2); /* ja out */ + label2 = cnt; + EMIT3(0x83, 0xC0, 0x01); /* add eax, 1 */ +- EMIT2_off32(0x89, 0x85, 36); /* mov dword ptr [rbp + 36], eax */ ++ EMIT2_off32(0x89, 0x85, -36 - MAX_BPF_STACK); /* mov dword ptr [rbp -548], eax */ + + /* prog = array->ptrs[index]; */ + EMIT4_off32(0x48, 0x8B, 0x84, 0xD6, /* mov rax, [rsi + rdx * 8 + offsetof(...)] */ +@@ -1006,19 +979,14 @@ xadd: if (is_imm8(insn->off)) + seen_exit = true; + /* Update cleanup_addr */ + ctx->cleanup_addr = proglen; +- /* mov rbx, qword ptr [rbp+0] */ +- EMIT4(0x48, 0x8B, 0x5D, 0); +- /* mov r13, qword ptr [rbp+8] */ +- EMIT4(0x4C, 0x8B, 0x6D, 8); +- /* mov r14, qword ptr [rbp+16] */ +- EMIT4(0x4C, 0x8B, 0x75, 16); +- /* mov r15, qword ptr [rbp+24] */ +- EMIT4(0x4C, 0x8B, 0x7D, 24); +- +- /* add rbp, AUX_STACK_SPACE */ +- EMIT4(0x48, 0x83, 0xC5, AUX_STACK_SPACE); +- EMIT1(0xC9); /* leave */ +- EMIT1(0xC3); /* ret */ ++ if (!bpf_prog_was_classic(bpf_prog)) ++ EMIT1(0x5B); /* get rid of tail_call_cnt */ ++ EMIT2(0x41, 0x5F); /* pop r15 */ ++ EMIT2(0x41, 0x5E); /* pop r14 */ ++ EMIT2(0x41, 0x5D); /* pop r13 */ ++ EMIT1(0x5B); /* pop rbx */ ++ EMIT1(0xC9); /* leave */ ++ EMIT1(0xC3); /* ret */ + break; + + default: +-- +2.20.1 + diff --git a/queue-4.19/can-af_can-fix-error-path-of-can_init.patch b/queue-4.19/can-af_can-fix-error-path-of-can_init.patch new file mode 100644 index 00000000000..81472832e7a --- /dev/null +++ b/queue-4.19/can-af_can-fix-error-path-of-can_init.patch @@ -0,0 +1,70 @@ +From 2be29579b34902f688be281f0555d24bf734863d Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Thu, 16 May 2019 22:36:26 +0800 +Subject: can: af_can: Fix error path of can_init() + +[ Upstream commit c5a3aed1cd3152429348ee1fe5cdcca65fe901ce ] + +This patch add error path for can_init() to avoid possible crash if some +error occurs. + +Fixes: 0d66548a10cb ("[CAN]: Add PF_CAN core module") +Signed-off-by: YueHaibing +Acked-by: Oliver Hartkopp +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/af_can.c | 24 +++++++++++++++++++++--- + 1 file changed, 21 insertions(+), 3 deletions(-) + +diff --git a/net/can/af_can.c b/net/can/af_can.c +index e386d654116d..04132b0b5d36 100644 +--- a/net/can/af_can.c ++++ b/net/can/af_can.c +@@ -959,6 +959,8 @@ static struct pernet_operations can_pernet_ops __read_mostly = { + + static __init int can_init(void) + { ++ int err; ++ + /* check for correct padding to be able to use the structs similarly */ + BUILD_BUG_ON(offsetof(struct can_frame, can_dlc) != + offsetof(struct canfd_frame, len) || +@@ -972,15 +974,31 @@ static __init int can_init(void) + if (!rcv_cache) + return -ENOMEM; + +- register_pernet_subsys(&can_pernet_ops); ++ err = register_pernet_subsys(&can_pernet_ops); ++ if (err) ++ goto out_pernet; + + /* protocol register */ +- sock_register(&can_family_ops); +- register_netdevice_notifier(&can_netdev_notifier); ++ err = sock_register(&can_family_ops); ++ if (err) ++ goto out_sock; ++ err = register_netdevice_notifier(&can_netdev_notifier); ++ if (err) ++ goto out_notifier; ++ + dev_add_pack(&can_packet); + dev_add_pack(&canfd_packet); + + return 0; ++ ++out_notifier: ++ sock_unregister(PF_CAN); ++out_sock: ++ unregister_pernet_subsys(&can_pernet_ops); ++out_pernet: ++ kmem_cache_destroy(rcv_cache); ++ ++ return err; + } + + static __exit void can_exit(void) +-- +2.20.1 + diff --git a/queue-4.19/can-m_can-implement-errata-needless-activation-of-mr.patch b/queue-4.19/can-m_can-implement-errata-needless-activation-of-mr.patch new file mode 100644 index 00000000000..dc42f857cfd --- /dev/null +++ b/queue-4.19/can-m_can-implement-errata-needless-activation-of-mr.patch @@ -0,0 +1,76 @@ +From fdb615a681395a05111d10bb2c2b3e1082625f34 Mon Sep 17 00:00:00 2001 +From: Eugen Hristev +Date: Mon, 4 Mar 2019 14:44:13 +0000 +Subject: can: m_can: implement errata "Needless activation of MRAF irq" + +[ Upstream commit 3e82f2f34c930a2a0a9e69fdc2de2f2f1388b442 ] + +During frame reception while the MCAN is in Error Passive state and the +Receive Error Counter has thevalue MCAN_ECR.REC = 127, it may happen +that MCAN_IR.MRAF is set although there was no Message RAM access +failure. If MCAN_IR.MRAF is enabled, an interrupt to the Host CPU is +generated. + +Work around: +The Message RAM Access Failure interrupt routine needs to check whether + + MCAN_ECR.RP = '1' and MCAN_ECR.REC = '127'. + +In this case, reset MCAN_IR.MRAF. No further action is required. +This affects versions older than 3.2.0 + +Errata explained on Sama5d2 SoC which includes this hardware block: +http://ww1.microchip.com/downloads/en/DeviceDoc/SAMA5D2-Family-Silicon-Errata-and-Data-Sheet-Clarification-DS80000803B.pdf +chapter 6.2 + +Reproducibility: If 2 devices with m_can are connected back to back, +configuring different bitrate on them will lead to interrupt storm on +the receiving side, with error "Message RAM access failure occurred". +Another way is to have a bad hardware connection. Bad wire connection +can lead to this issue as well. + +This patch fixes the issue according to provided workaround. + +Signed-off-by: Eugen Hristev +Reviewed-by: Ludovic Desroches +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/m_can/m_can.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c +index 9b449400376b..deb274a19ba0 100644 +--- a/drivers/net/can/m_can/m_can.c ++++ b/drivers/net/can/m_can/m_can.c +@@ -822,6 +822,27 @@ static int m_can_poll(struct napi_struct *napi, int quota) + if (!irqstatus) + goto end; + ++ /* Errata workaround for issue "Needless activation of MRAF irq" ++ * During frame reception while the MCAN is in Error Passive state ++ * and the Receive Error Counter has the value MCAN_ECR.REC = 127, ++ * it may happen that MCAN_IR.MRAF is set although there was no ++ * Message RAM access failure. ++ * If MCAN_IR.MRAF is enabled, an interrupt to the Host CPU is generated ++ * The Message RAM Access Failure interrupt routine needs to check ++ * whether MCAN_ECR.RP = ’1’ and MCAN_ECR.REC = 127. ++ * In this case, reset MCAN_IR.MRAF. No further action is required. ++ */ ++ if ((priv->version <= 31) && (irqstatus & IR_MRAF) && ++ (m_can_read(priv, M_CAN_ECR) & ECR_RP)) { ++ struct can_berr_counter bec; ++ ++ __m_can_get_berr_counter(dev, &bec); ++ if (bec.rxerr == 127) { ++ m_can_write(priv, M_CAN_IR, IR_MRAF); ++ irqstatus &= ~IR_MRAF; ++ } ++ } ++ + psr = m_can_read(priv, M_CAN_PSR); + if (irqstatus & IR_ERR_STATE) + work_done += m_can_handle_state_errors(dev, psr); +-- +2.20.1 + diff --git a/queue-4.19/can-mcp251x-add-support-for-mcp25625.patch b/queue-4.19/can-mcp251x-add-support-for-mcp25625.patch new file mode 100644 index 00000000000..8ebadbd14d8 --- /dev/null +++ b/queue-4.19/can-mcp251x-add-support-for-mcp25625.patch @@ -0,0 +1,134 @@ +From 0f5ba92fa078a9426dc83b206e98fe764b9b27ff Mon Sep 17 00:00:00 2001 +From: Sean Nyekjaer +Date: Tue, 7 May 2019 11:34:36 +0200 +Subject: can: mcp251x: add support for mcp25625 + +[ Upstream commit 35b7fa4d07c43ad79b88e6462119e7140eae955c ] + +Fully compatible with mcp2515, the mcp25625 have integrated transceiver. + +This patch adds support for the mcp25625 to the existing mcp251x driver. + +Signed-off-by: Sean Nyekjaer +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/Kconfig | 5 +++-- + drivers/net/can/spi/mcp251x.c | 25 ++++++++++++++++--------- + 2 files changed, 19 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/can/spi/Kconfig b/drivers/net/can/spi/Kconfig +index 8f2e0dd7b756..792e9c6c4a2f 100644 +--- a/drivers/net/can/spi/Kconfig ++++ b/drivers/net/can/spi/Kconfig +@@ -8,9 +8,10 @@ config CAN_HI311X + Driver for the Holt HI311x SPI CAN controllers. + + config CAN_MCP251X +- tristate "Microchip MCP251x SPI CAN controllers" ++ tristate "Microchip MCP251x and MCP25625 SPI CAN controllers" + depends on HAS_DMA + ---help--- +- Driver for the Microchip MCP251x SPI CAN controllers. ++ Driver for the Microchip MCP251x and MCP25625 SPI CAN ++ controllers. + + endmenu +diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c +index e90817608645..da64e71a62ee 100644 +--- a/drivers/net/can/spi/mcp251x.c ++++ b/drivers/net/can/spi/mcp251x.c +@@ -1,5 +1,5 @@ + /* +- * CAN bus driver for Microchip 251x CAN Controller with SPI Interface ++ * CAN bus driver for Microchip 251x/25625 CAN Controller with SPI Interface + * + * MCP2510 support and bug fixes by Christian Pellegrin + * +@@ -41,7 +41,7 @@ + * static struct spi_board_info spi_board_info[] = { + * { + * .modalias = "mcp2510", +- * // or "mcp2515" depending on your controller ++ * // "mcp2515" or "mcp25625" depending on your controller + * .platform_data = &mcp251x_info, + * .irq = IRQ_EINT13, + * .max_speed_hz = 2*1000*1000, +@@ -238,6 +238,7 @@ static const struct can_bittiming_const mcp251x_bittiming_const = { + enum mcp251x_model { + CAN_MCP251X_MCP2510 = 0x2510, + CAN_MCP251X_MCP2515 = 0x2515, ++ CAN_MCP251X_MCP25625 = 0x25625, + }; + + struct mcp251x_priv { +@@ -280,7 +281,6 @@ static inline int mcp251x_is_##_model(struct spi_device *spi) \ + } + + MCP251X_IS(2510); +-MCP251X_IS(2515); + + static void mcp251x_clean(struct net_device *net) + { +@@ -639,7 +639,7 @@ static int mcp251x_hw_reset(struct spi_device *spi) + + /* Wait for oscillator startup timer after reset */ + mdelay(MCP251X_OST_DELAY_MS); +- ++ + reg = mcp251x_read_reg(spi, CANSTAT); + if ((reg & CANCTRL_REQOP_MASK) != CANCTRL_REQOP_CONF) + return -ENODEV; +@@ -820,9 +820,8 @@ static irqreturn_t mcp251x_can_ist(int irq, void *dev_id) + /* receive buffer 0 */ + if (intf & CANINTF_RX0IF) { + mcp251x_hw_rx(spi, 0); +- /* +- * Free one buffer ASAP +- * (The MCP2515 does this automatically.) ++ /* Free one buffer ASAP ++ * (The MCP2515/25625 does this automatically.) + */ + if (mcp251x_is_2510(spi)) + mcp251x_write_bits(spi, CANINTF, CANINTF_RX0IF, 0x00); +@@ -831,7 +830,7 @@ static irqreturn_t mcp251x_can_ist(int irq, void *dev_id) + /* receive buffer 1 */ + if (intf & CANINTF_RX1IF) { + mcp251x_hw_rx(spi, 1); +- /* the MCP2515 does this automatically */ ++ /* The MCP2515/25625 does this automatically. */ + if (mcp251x_is_2510(spi)) + clear_intf |= CANINTF_RX1IF; + } +@@ -1006,6 +1005,10 @@ static const struct of_device_id mcp251x_of_match[] = { + .compatible = "microchip,mcp2515", + .data = (void *)CAN_MCP251X_MCP2515, + }, ++ { ++ .compatible = "microchip,mcp25625", ++ .data = (void *)CAN_MCP251X_MCP25625, ++ }, + { } + }; + MODULE_DEVICE_TABLE(of, mcp251x_of_match); +@@ -1019,6 +1022,10 @@ static const struct spi_device_id mcp251x_id_table[] = { + .name = "mcp2515", + .driver_data = (kernel_ulong_t)CAN_MCP251X_MCP2515, + }, ++ { ++ .name = "mcp25625", ++ .driver_data = (kernel_ulong_t)CAN_MCP251X_MCP25625, ++ }, + { } + }; + MODULE_DEVICE_TABLE(spi, mcp251x_id_table); +@@ -1259,5 +1266,5 @@ module_spi_driver(mcp251x_can_driver); + + MODULE_AUTHOR("Chris Elston , " + "Christian Pellegrin "); +-MODULE_DESCRIPTION("Microchip 251x CAN driver"); ++MODULE_DESCRIPTION("Microchip 251x/25625 CAN driver"); + MODULE_LICENSE("GPL v2"); +-- +2.20.1 + diff --git a/queue-4.19/drm-return-efault-if-copy_to_user-fails.patch b/queue-4.19/drm-return-efault-if-copy_to_user-fails.patch new file mode 100644 index 00000000000..5866c39371d --- /dev/null +++ b/queue-4.19/drm-return-efault-if-copy_to_user-fails.patch @@ -0,0 +1,55 @@ +From e1452714f65695ddfb40b3048739441464f3de1b Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 18 Jun 2019 16:18:43 +0300 +Subject: drm: return -EFAULT if copy_to_user() fails + +[ Upstream commit 74b67efa8d7b4f90137f0ab9a80dd319da050350 ] + +The copy_from_user() function returns the number of bytes remaining +to be copied but we want to return a negative error code. Otherwise +the callers treat it as a successful copy. + +Signed-off-by: Dan Carpenter +Signed-off-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20190618131843.GA29463@mwanda +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_bufs.c | 5 ++++- + drivers/gpu/drm/drm_ioc32.c | 5 ++++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c +index e2f775d1c112..21bec4548092 100644 +--- a/drivers/gpu/drm/drm_bufs.c ++++ b/drivers/gpu/drm/drm_bufs.c +@@ -1321,7 +1321,10 @@ static int copy_one_buf(void *data, int count, struct drm_buf_entry *from) + .size = from->buf_size, + .low_mark = from->low_mark, + .high_mark = from->high_mark}; +- return copy_to_user(to, &v, offsetof(struct drm_buf_desc, flags)); ++ ++ if (copy_to_user(to, &v, offsetof(struct drm_buf_desc, flags))) ++ return -EFAULT; ++ return 0; + } + + int drm_legacy_infobufs(struct drm_device *dev, void *data, +diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c +index 67b1fca39aa6..138680b37c70 100644 +--- a/drivers/gpu/drm/drm_ioc32.c ++++ b/drivers/gpu/drm/drm_ioc32.c +@@ -372,7 +372,10 @@ static int copy_one_buf32(void *data, int count, struct drm_buf_entry *from) + .size = from->buf_size, + .low_mark = from->low_mark, + .high_mark = from->high_mark}; +- return copy_to_user(to + count, &v, offsetof(drm_buf_desc32_t, flags)); ++ ++ if (copy_to_user(to + count, &v, offsetof(drm_buf_desc32_t, flags))) ++ return -EFAULT; ++ return 0; + } + + static int drm_legacy_infobufs32(struct drm_device *dev, void *data, +-- +2.20.1 + diff --git a/queue-4.19/drm-vmwgfx-fix-a-warning-due-to-missing-dma_parms.patch b/queue-4.19/drm-vmwgfx-fix-a-warning-due-to-missing-dma_parms.patch new file mode 100644 index 00000000000..6922a36dcb2 --- /dev/null +++ b/queue-4.19/drm-vmwgfx-fix-a-warning-due-to-missing-dma_parms.patch @@ -0,0 +1,74 @@ +From 95e4941610c7102013c23d763cc1e17ab7d287f4 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Mon, 3 Jun 2019 16:44:15 -0400 +Subject: drm/vmwgfx: fix a warning due to missing dma_parms + +[ Upstream commit 39916897cd815a0ee07ba1f6820cf88a63e459fc ] + +Booting up with DMA_API_DEBUG_SG=y generates a warning due to the driver +forgot to set dma_parms appropriately. Set it just after vmw_dma_masks() +in vmw_driver_load(). + +DMA-API: vmwgfx 0000:00:0f.0: mapping sg segment longer than device +claims to support [len=2097152] [max=65536] +WARNING: CPU: 2 PID: 261 at kernel/dma/debug.c:1232 +debug_dma_map_sg+0x360/0x480 +Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop +Reference Platform, BIOS 6.00 04/13/2018 +RIP: 0010:debug_dma_map_sg+0x360/0x480 +Call Trace: + vmw_ttm_map_dma+0x3b1/0x5b0 [vmwgfx] + vmw_bo_map_dma+0x25/0x30 [vmwgfx] + vmw_otables_setup+0x2a8/0x750 [vmwgfx] + vmw_request_device_late+0x78/0xc0 [vmwgfx] + vmw_request_device+0xee/0x4e0 [vmwgfx] + vmw_driver_load.cold+0x757/0xd84 [vmwgfx] + drm_dev_register+0x1ff/0x340 [drm] + drm_get_pci_dev+0x110/0x290 [drm] + vmw_probe+0x15/0x20 [vmwgfx] + local_pci_probe+0x7a/0xc0 + pci_device_probe+0x1b9/0x290 + really_probe+0x1b5/0x630 + driver_probe_device+0xa3/0x1a0 + device_driver_attach+0x94/0xa0 + __driver_attach+0xdd/0x1c0 + bus_for_each_dev+0xfe/0x150 + driver_attach+0x2d/0x40 + bus_add_driver+0x290/0x350 + driver_register+0xdc/0x1d0 + __pci_register_driver+0xda/0xf0 + vmwgfx_init+0x34/0x1000 [vmwgfx] + do_one_initcall+0xe5/0x40a + do_init_module+0x10f/0x3a0 + load_module+0x16a5/0x1a40 + __se_sys_finit_module+0x183/0x1c0 + __x64_sys_finit_module+0x43/0x50 + do_syscall_64+0xc8/0x606 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: fb1d9738ca05 ("drm/vmwgfx: Add DRM driver for VMware Virtual GPU") +Co-developed-by: Thomas Hellstrom +Signed-off-by: Qian Cai +Signed-off-by: Thomas Hellstrom +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +index 82ae68716696..05a800807c26 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +@@ -789,6 +789,9 @@ static int vmw_driver_load(struct drm_device *dev, unsigned long chipset) + if (unlikely(ret != 0)) + goto out_err0; + ++ dma_set_max_seg_size(dev->dev, min_t(unsigned int, U32_MAX & PAGE_MASK, ++ SCATTERLIST_MAX_SEGMENT)); ++ + if (dev_priv->capabilities & SVGA_CAP_GMR2) { + DRM_INFO("Max GMR ids is %u\n", + (unsigned)dev_priv->max_gmr_ids); +-- +2.20.1 + diff --git a/queue-4.19/drm-vmwgfx-honor-the-sg-list-segment-size-limitation.patch b/queue-4.19/drm-vmwgfx-honor-the-sg-list-segment-size-limitation.patch new file mode 100644 index 00000000000..021ba3c4d61 --- /dev/null +++ b/queue-4.19/drm-vmwgfx-honor-the-sg-list-segment-size-limitation.patch @@ -0,0 +1,40 @@ +From 94bb4128851d49ff0fab6e8b9d2ae51ce8f0a088 Mon Sep 17 00:00:00 2001 +From: Thomas Hellstrom +Date: Tue, 4 Jun 2019 13:54:26 +0200 +Subject: drm/vmwgfx: Honor the sg list segment size limitation + +[ Upstream commit bde15555ba61c7f664f40fd3c6fdbdb63f784c9b ] + +When building sg tables, honor the device sg list segment size limitation. + +Signed-off-by: Thomas Hellstrom +Reviewed-by: Deepak Rawat +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c +index 31786b200afc..f388ad51e72b 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c +@@ -448,11 +448,11 @@ static int vmw_ttm_map_dma(struct vmw_ttm_tt *vmw_tt) + if (unlikely(ret != 0)) + return ret; + +- ret = sg_alloc_table_from_pages(&vmw_tt->sgt, vsgt->pages, +- vsgt->num_pages, 0, +- (unsigned long) +- vsgt->num_pages << PAGE_SHIFT, +- GFP_KERNEL); ++ ret = __sg_alloc_table_from_pages ++ (&vmw_tt->sgt, vsgt->pages, vsgt->num_pages, 0, ++ (unsigned long) vsgt->num_pages << PAGE_SHIFT, ++ dma_get_max_seg_size(dev_priv->dev->dev), ++ GFP_KERNEL); + if (unlikely(ret != 0)) + goto out_sg_alloc_fail; + +-- +2.20.1 + diff --git a/queue-4.19/dt-bindings-can-mcp251x-add-mcp25625-support.patch b/queue-4.19/dt-bindings-can-mcp251x-add-mcp25625-support.patch new file mode 100644 index 00000000000..cdb1d6fd60d --- /dev/null +++ b/queue-4.19/dt-bindings-can-mcp251x-add-mcp25625-support.patch @@ -0,0 +1,33 @@ +From 4e761f923b519906bf1fa1d199c514a0b61c9bb7 Mon Sep 17 00:00:00 2001 +From: Sean Nyekjaer +Date: Tue, 7 May 2019 11:34:37 +0200 +Subject: dt-bindings: can: mcp251x: add mcp25625 support + +[ Upstream commit 0df82dcd55832a99363ab7f9fab954fcacdac3ae ] + +Fully compatible with mcp2515, the mcp25625 have integrated transceiver. + +This patch add the mcp25625 to the device tree bindings documentation. + +Signed-off-by: Sean Nyekjaer +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt b/Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt +index 188c8bd4eb67..5a0111d4de58 100644 +--- a/Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt ++++ b/Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt +@@ -4,6 +4,7 @@ Required properties: + - compatible: Should be one of the following: + - "microchip,mcp2510" for MCP2510. + - "microchip,mcp2515" for MCP2515. ++ - "microchip,mcp25625" for MCP25625. + - reg: SPI chip select. + - clocks: The clock feeding the CAN controller. + - interrupts: Should contain IRQ line for the CAN controller. +-- +2.20.1 + diff --git a/queue-4.19/ibmvnic-do-not-close-unopened-driver-during-reset.patch b/queue-4.19/ibmvnic-do-not-close-unopened-driver-during-reset.patch new file mode 100644 index 00000000000..7302a6bd524 --- /dev/null +++ b/queue-4.19/ibmvnic-do-not-close-unopened-driver-during-reset.patch @@ -0,0 +1,35 @@ +From 9f874c899be29ccc56177f0d1673026b42a734f2 Mon Sep 17 00:00:00 2001 +From: Thomas Falcon +Date: Fri, 7 Jun 2019 16:03:53 -0500 +Subject: ibmvnic: Do not close unopened driver during reset + +[ Upstream commit 1f94608b0ce141be5286dde31270590bdf35b86a ] + +Check driver state before halting it during a reset. If the driver is +not running, do nothing. Otherwise, a request to deactivate a down link +can cause an error and the reset will fail. + +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmvnic.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index 426789e2c23d..bf0a5fe0da17 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -1754,7 +1754,8 @@ static int do_reset(struct ibmvnic_adapter *adapter, + + ibmvnic_cleanup(netdev); + +- if (adapter->reset_reason != VNIC_RESET_MOBILITY && ++ if (reset_state == VNIC_OPEN && ++ adapter->reset_reason != VNIC_RESET_MOBILITY && + adapter->reset_reason != VNIC_RESET_FAILOVER) { + rc = __ibmvnic_close(netdev); + if (rc) +-- +2.20.1 + diff --git a/queue-4.19/ibmvnic-fix-unchecked-return-codes-of-memory-allocat.patch b/queue-4.19/ibmvnic-fix-unchecked-return-codes-of-memory-allocat.patch new file mode 100644 index 00000000000..8099a63379b --- /dev/null +++ b/queue-4.19/ibmvnic-fix-unchecked-return-codes-of-memory-allocat.patch @@ -0,0 +1,52 @@ +From a8db44b1d7d861a104b2e9e559be487633c87038 Mon Sep 17 00:00:00 2001 +From: Thomas Falcon +Date: Fri, 7 Jun 2019 16:03:55 -0500 +Subject: ibmvnic: Fix unchecked return codes of memory allocations + +[ Upstream commit 7c940b1a5291e5069d561f5b8f0e51db6b7a259a ] + +The return values for these memory allocations are unchecked, +which may cause an oops if the driver does not handle them after +a failure. Fix by checking the function's return code. + +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmvnic.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index b88af81499e8..0ae43d27cdcf 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -438,9 +438,10 @@ static int reset_rx_pools(struct ibmvnic_adapter *adapter) + if (rx_pool->buff_size != be64_to_cpu(size_array[i])) { + free_long_term_buff(adapter, &rx_pool->long_term_buff); + rx_pool->buff_size = be64_to_cpu(size_array[i]); +- alloc_long_term_buff(adapter, &rx_pool->long_term_buff, +- rx_pool->size * +- rx_pool->buff_size); ++ rc = alloc_long_term_buff(adapter, ++ &rx_pool->long_term_buff, ++ rx_pool->size * ++ rx_pool->buff_size); + } else { + rc = reset_long_term_buff(adapter, + &rx_pool->long_term_buff); +@@ -706,9 +707,9 @@ static int init_tx_pools(struct net_device *netdev) + return rc; + } + +- init_one_tx_pool(netdev, &adapter->tso_pool[i], +- IBMVNIC_TSO_BUFS, +- IBMVNIC_TSO_BUF_SZ); ++ rc = init_one_tx_pool(netdev, &adapter->tso_pool[i], ++ IBMVNIC_TSO_BUFS, ++ IBMVNIC_TSO_BUF_SZ); + if (rc) { + release_tx_pools(adapter); + return rc; +-- +2.20.1 + diff --git a/queue-4.19/ibmvnic-refresh-device-multicast-list-after-reset.patch b/queue-4.19/ibmvnic-refresh-device-multicast-list-after-reset.patch new file mode 100644 index 00000000000..dfadec4493f --- /dev/null +++ b/queue-4.19/ibmvnic-refresh-device-multicast-list-after-reset.patch @@ -0,0 +1,35 @@ +From c8e98a4e42316177bf06523597f3920b46adae11 Mon Sep 17 00:00:00 2001 +From: Thomas Falcon +Date: Fri, 7 Jun 2019 16:03:54 -0500 +Subject: ibmvnic: Refresh device multicast list after reset + +[ Upstream commit be32a24372cf162e825332da1a7ccef058d4f20b ] + +It was observed that multicast packets were no longer received after +a device reset. The fix is to resend the current multicast list to +the backing device after recovery. + +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmvnic.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index bf0a5fe0da17..b88af81499e8 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -1854,6 +1854,9 @@ static int do_reset(struct ibmvnic_adapter *adapter, + return 0; + } + ++ /* refresh device's multicast list */ ++ ibmvnic_set_multi(netdev); ++ + /* kick napi */ + for (i = 0; i < adapter->req_rx_queues; i++) + napi_schedule(&adapter->napi[i]); +-- +2.20.1 + diff --git a/queue-4.19/input-elantech-enable-middle-button-support-on-2-thi.patch b/queue-4.19/input-elantech-enable-middle-button-support-on-2-thi.patch new file mode 100644 index 00000000000..0f4807ff9de --- /dev/null +++ b/queue-4.19/input-elantech-enable-middle-button-support-on-2-thi.patch @@ -0,0 +1,32 @@ +From 6e1ee532e5018ee5f1c4245de7b0874466188afd Mon Sep 17 00:00:00 2001 +From: Aaron Ma +Date: Mon, 20 May 2019 22:09:10 -0700 +Subject: Input: elantech - enable middle button support on 2 ThinkPads + +[ Upstream commit aa440de3058a3ef530851f9ef373fbb5f694dbc3 ] + +Adding 2 new touchpad PNPIDs to enable middle button support. + +Signed-off-by: Aaron Ma +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/mouse/elantech.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c +index a7f8b1614559..530142b5a115 100644 +--- a/drivers/input/mouse/elantech.c ++++ b/drivers/input/mouse/elantech.c +@@ -1189,6 +1189,8 @@ static const char * const middle_button_pnp_ids[] = { + "LEN2132", /* ThinkPad P52 */ + "LEN2133", /* ThinkPad P72 w/ NFC */ + "LEN2134", /* ThinkPad P72 */ ++ "LEN0407", ++ "LEN0408", + NULL + }; + +-- +2.20.1 + diff --git a/queue-4.19/input-imx_keypad-make-sure-keyboard-can-always-wake-.patch b/queue-4.19/input-imx_keypad-make-sure-keyboard-can-always-wake-.patch new file mode 100644 index 00000000000..0a2cc102e68 --- /dev/null +++ b/queue-4.19/input-imx_keypad-make-sure-keyboard-can-always-wake-.patch @@ -0,0 +1,86 @@ +From eb5256ce119daa5329b58ba67b0ac7b8e9fb6c71 Mon Sep 17 00:00:00 2001 +From: Anson Huang +Date: Tue, 11 Jun 2019 17:50:44 -0700 +Subject: Input: imx_keypad - make sure keyboard can always wake up system + +[ Upstream commit ce9a53eb3dbca89e7ad86673d94ab886e9bea704 ] + +There are several scenarios that keyboard can NOT wake up system +from suspend, e.g., if a keyboard is depressed between system +device suspend phase and device noirq suspend phase, the keyboard +ISR will be called and both keyboard depress and release interrupts +will be disabled, then keyboard will no longer be able to wake up +system. Another scenario would be, if a keyboard is kept depressed, +and then system goes into suspend, the expected behavior would be +when keyboard is released, system will be waked up, but current +implementation can NOT achieve that, because both depress and release +interrupts are disabled in ISR, and the event check is still in +progress. + +To fix these issues, need to make sure keyboard's depress or release +interrupt is enabled after noirq device suspend phase, this patch +moves the suspend/resume callback to noirq suspend/resume phase, and +enable the corresponding interrupt according to current keyboard status. + +Signed-off-by: Anson Huang +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/imx_keypad.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/input/keyboard/imx_keypad.c b/drivers/input/keyboard/imx_keypad.c +index 539cb670de41..ae9c51cc85f9 100644 +--- a/drivers/input/keyboard/imx_keypad.c ++++ b/drivers/input/keyboard/imx_keypad.c +@@ -526,11 +526,12 @@ static int imx_keypad_probe(struct platform_device *pdev) + return 0; + } + +-static int __maybe_unused imx_kbd_suspend(struct device *dev) ++static int __maybe_unused imx_kbd_noirq_suspend(struct device *dev) + { + struct platform_device *pdev = to_platform_device(dev); + struct imx_keypad *kbd = platform_get_drvdata(pdev); + struct input_dev *input_dev = kbd->input_dev; ++ unsigned short reg_val = readw(kbd->mmio_base + KPSR); + + /* imx kbd can wake up system even clock is disabled */ + mutex_lock(&input_dev->mutex); +@@ -540,13 +541,20 @@ static int __maybe_unused imx_kbd_suspend(struct device *dev) + + mutex_unlock(&input_dev->mutex); + +- if (device_may_wakeup(&pdev->dev)) ++ if (device_may_wakeup(&pdev->dev)) { ++ if (reg_val & KBD_STAT_KPKD) ++ reg_val |= KBD_STAT_KRIE; ++ if (reg_val & KBD_STAT_KPKR) ++ reg_val |= KBD_STAT_KDIE; ++ writew(reg_val, kbd->mmio_base + KPSR); ++ + enable_irq_wake(kbd->irq); ++ } + + return 0; + } + +-static int __maybe_unused imx_kbd_resume(struct device *dev) ++static int __maybe_unused imx_kbd_noirq_resume(struct device *dev) + { + struct platform_device *pdev = to_platform_device(dev); + struct imx_keypad *kbd = platform_get_drvdata(pdev); +@@ -570,7 +578,9 @@ static int __maybe_unused imx_kbd_resume(struct device *dev) + return ret; + } + +-static SIMPLE_DEV_PM_OPS(imx_kbd_pm_ops, imx_kbd_suspend, imx_kbd_resume); ++static const struct dev_pm_ops imx_kbd_pm_ops = { ++ SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(imx_kbd_noirq_suspend, imx_kbd_noirq_resume) ++}; + + static struct platform_driver imx_keypad_driver = { + .driver = { +-- +2.20.1 + diff --git a/queue-4.19/ip6_tunnel-allow-not-to-count-pkts-on-tstats-by-pass.patch b/queue-4.19/ip6_tunnel-allow-not-to-count-pkts-on-tstats-by-pass.patch new file mode 100644 index 00000000000..76b9f06fc1c --- /dev/null +++ b/queue-4.19/ip6_tunnel-allow-not-to-count-pkts-on-tstats-by-pass.patch @@ -0,0 +1,40 @@ +From 1709678509cda1df611e0470819ce7428b726f8b Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Mon, 17 Jun 2019 21:34:14 +0800 +Subject: ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL + +[ Upstream commit 6f6a8622057c92408930c31698394fae1557b188 ] + +A similar fix to Patch "ip_tunnel: allow not to count pkts on tstats by +setting skb's dev to NULL" is also needed by ip6_tunnel. + +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/ip6_tunnel.h | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h +index 236e40ba06bf..f594eb71c274 100644 +--- a/include/net/ip6_tunnel.h ++++ b/include/net/ip6_tunnel.h +@@ -156,9 +156,12 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb, + memset(skb->cb, 0, sizeof(struct inet6_skb_parm)); + pkt_len = skb->len - skb_inner_network_offset(skb); + err = ip6_local_out(dev_net(skb_dst(skb)->dev), sk, skb); +- if (unlikely(net_xmit_eval(err))) +- pkt_len = -1; +- iptunnel_xmit_stats(dev, pkt_len); ++ ++ if (dev) { ++ if (unlikely(net_xmit_eval(err))) ++ pkt_len = -1; ++ iptunnel_xmit_stats(dev, pkt_len); ++ } + } + #endif + #endif +-- +2.20.1 + diff --git a/queue-4.19/iwlwifi-fix-double-free-problems-in-iwl_req_fw_callb.patch b/queue-4.19/iwlwifi-fix-double-free-problems-in-iwl_req_fw_callb.patch new file mode 100644 index 00000000000..44edda8393a --- /dev/null +++ b/queue-4.19/iwlwifi-fix-double-free-problems-in-iwl_req_fw_callb.patch @@ -0,0 +1,39 @@ +From 7a4c696875fbac40b571983233fa7e4c40f284f3 Mon Sep 17 00:00:00 2001 +From: Jia-Ju Bai +Date: Wed, 29 May 2019 16:39:54 +0300 +Subject: iwlwifi: Fix double-free problems in iwl_req_fw_callback() + +[ Upstream commit a8627176b0de7ba3f4524f641ddff4abf23ae4e4 ] + +In the error handling code of iwl_req_fw_callback(), iwl_dealloc_ucode() +is called to free data. In iwl_drv_stop(), iwl_dealloc_ucode() is called +again, which can cause double-free problems. + +To fix this bug, the call to iwl_dealloc_ucode() in +iwl_req_fw_callback() is deleted. + +This bug is found by a runtime fuzzing tool named FIZZER written by us. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c +index c0631255aee7..db6628d390a2 100644 +--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c +@@ -1547,7 +1547,6 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context) + goto free; + + out_free_fw: +- iwl_dealloc_ucode(drv); + release_firmware(ucode_raw); + out_unbind: + complete(&drv->request_firmware_complete); +-- +2.20.1 + diff --git a/queue-4.19/kvm-arm-arm64-vgic-fix-kvm_device-leak-in-vgic_its_d.patch b/queue-4.19/kvm-arm-arm64-vgic-fix-kvm_device-leak-in-vgic_its_d.patch new file mode 100644 index 00000000000..2942e3cb148 --- /dev/null +++ b/queue-4.19/kvm-arm-arm64-vgic-fix-kvm_device-leak-in-vgic_its_d.patch @@ -0,0 +1,45 @@ +From 8f6a34f4d7e601386fdf736340c8de93908e240c Mon Sep 17 00:00:00 2001 +From: Dave Martin +Date: Thu, 6 Jun 2019 11:58:07 +0100 +Subject: KVM: arm/arm64: vgic: Fix kvm_device leak in vgic_its_destroy + +[ Upstream commit 4729ec8c1e1145234aeeebad5d96d77f4ccbb00a ] + +kvm_device->destroy() seems to be supposed to free its kvm_device +struct, but vgic_its_destroy() is not currently doing this, +resulting in a memory leak, resulting in kmemleak reports such as +the following: + +unreferenced object 0xffff800aeddfe280 (size 128): + comm "qemu-system-aar", pid 13799, jiffies 4299827317 (age 1569.844s) + [...] + backtrace: + [<00000000a08b80e2>] kmem_cache_alloc+0x178/0x208 + [<00000000dcad2bd3>] kvm_vm_ioctl+0x350/0xbc0 + +Fix it. + +Cc: Andre Przywara +Fixes: 1085fdc68c60 ("KVM: arm64: vgic-its: Introduce new KVM ITS device") +Signed-off-by: Dave Martin +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + virt/kvm/arm/vgic/vgic-its.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c +index 621bb004067e..0dbe332eb343 100644 +--- a/virt/kvm/arm/vgic/vgic-its.c ++++ b/virt/kvm/arm/vgic/vgic-its.c +@@ -1750,6 +1750,7 @@ static void vgic_its_destroy(struct kvm_device *kvm_dev) + + mutex_unlock(&its->its_lock); + kfree(its); ++ kfree(kvm_dev);/* alloc by kvm_ioctl_create_device, free by .destroy */ + } + + int vgic_its_has_attr_regs(struct kvm_device *dev, +-- +2.20.1 + diff --git a/queue-4.19/mac80211-do-not-start-any-work-during-reconfigure-fl.patch b/queue-4.19/mac80211-do-not-start-any-work-during-reconfigure-fl.patch new file mode 100644 index 00000000000..c1740699d7b --- /dev/null +++ b/queue-4.19/mac80211-do-not-start-any-work-during-reconfigure-fl.patch @@ -0,0 +1,58 @@ +From 22d57a18c8689533b4ac0efd233ed73533a1f70a Mon Sep 17 00:00:00 2001 +From: Naftali Goldstein +Date: Wed, 29 May 2019 15:25:30 +0300 +Subject: mac80211: do not start any work during reconfigure flow + +[ Upstream commit f8891461a277ec0afc493fd30cd975a38048a038 ] + +It is not a good idea to try to perform any work (e.g. send an auth +frame) during reconfigure flow. + +Prevent this from happening, and at the end of the reconfigure flow +requeue all the works. + +Signed-off-by: Naftali Goldstein +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/ieee80211_i.h | 7 +++++++ + net/mac80211/util.c | 4 ++++ + 2 files changed, 11 insertions(+) + +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index 24f5ced630f5..cfd30671ccdf 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -1998,6 +1998,13 @@ void __ieee80211_flush_queues(struct ieee80211_local *local, + + static inline bool ieee80211_can_run_worker(struct ieee80211_local *local) + { ++ /* ++ * It's unsafe to try to do any work during reconfigure flow. ++ * When the flow ends the work will be requeued. ++ */ ++ if (local->in_reconfig) ++ return false; ++ + /* + * If quiescing is set, we are racing with __ieee80211_suspend. + * __ieee80211_suspend flushes the workers after setting quiescing, +diff --git a/net/mac80211/util.c b/net/mac80211/util.c +index 2558a34c9df1..c59638574cf8 100644 +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -2224,6 +2224,10 @@ int ieee80211_reconfig(struct ieee80211_local *local) + mutex_lock(&local->mtx); + ieee80211_start_next_roc(local); + mutex_unlock(&local->mtx); ++ ++ /* Requeue all works */ ++ list_for_each_entry(sdata, &local->interfaces, list) ++ ieee80211_queue_work(&local->hw, &sdata->work); + } + + ieee80211_wake_queues_by_reason(hw, IEEE80211_MAX_QUEUE_MAP, +-- +2.20.1 + diff --git a/queue-4.19/mac80211-fix-rate-reporting-inside-cfg80211_calculat.patch b/queue-4.19/mac80211-fix-rate-reporting-inside-cfg80211_calculat.patch new file mode 100644 index 00000000000..c6b41d4d72e --- /dev/null +++ b/queue-4.19/mac80211-fix-rate-reporting-inside-cfg80211_calculat.patch @@ -0,0 +1,34 @@ +From cd964d6a909f09f35ac3f21b927b3720364e5ada Mon Sep 17 00:00:00 2001 +From: John Crispin +Date: Thu, 23 May 2019 10:27:24 +0200 +Subject: mac80211: fix rate reporting inside cfg80211_calculate_bitrate_he() + +[ Upstream commit 25d16d124a5e249e947c0487678b61dcff25cf8b ] + +The reported rate is not scaled down correctly. After applying this patch, +the function will behave just like the v/ht equivalents. + +Signed-off-by: Shashidhar Lakkavalli +Signed-off-by: John Crispin +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/wireless/util.c b/net/wireless/util.c +index aad1c8e858e5..d57e2f679a3e 100644 +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -1219,7 +1219,7 @@ static u32 cfg80211_calculate_bitrate_he(struct rate_info *rate) + if (rate->he_dcm) + result /= 2; + +- return result; ++ return result / 10000; + } + + u32 cfg80211_calculate_bitrate(struct rate_info *rate) +-- +2.20.1 + diff --git a/queue-4.19/mac80211-free-peer-keys-before-vif-down-in-mesh.patch b/queue-4.19/mac80211-free-peer-keys-before-vif-down-in-mesh.patch new file mode 100644 index 00000000000..74cb9b8dd4c --- /dev/null +++ b/queue-4.19/mac80211-free-peer-keys-before-vif-down-in-mesh.patch @@ -0,0 +1,32 @@ +From ec989de7f38734ae14078d8ccf41d06609b41e6c Mon Sep 17 00:00:00 2001 +From: Pradeep Kumar Chitrapu +Date: Tue, 28 May 2019 16:36:16 -0700 +Subject: mac80211: free peer keys before vif down in mesh + +[ Upstream commit 0112fa557c3bb3a002bc85760dc3761d737264d3 ] + +freeing peer keys after vif down is resulting in peer key uninstall +to fail due to interface lookup failure. so fix that. + +Signed-off-by: Pradeep Kumar Chitrapu +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c +index 0f9446ab7e4f..3162f955f3ae 100644 +--- a/net/mac80211/mesh.c ++++ b/net/mac80211/mesh.c +@@ -923,6 +923,7 @@ void ieee80211_stop_mesh(struct ieee80211_sub_if_data *sdata) + + /* flush STAs and mpaths on this iface */ + sta_info_flush(sdata); ++ ieee80211_free_keys(sdata, true); + mesh_path_flush_by_iface(sdata); + + /* stop the beacon */ +-- +2.20.1 + diff --git a/queue-4.19/mac80211-mesh-fix-rcu-warning.patch b/queue-4.19/mac80211-mesh-fix-rcu-warning.patch new file mode 100644 index 00000000000..eeb55570474 --- /dev/null +++ b/queue-4.19/mac80211-mesh-fix-rcu-warning.patch @@ -0,0 +1,62 @@ +From 73bba68e3a491d95f802668cb47a19909a92c93b Mon Sep 17 00:00:00 2001 +From: Thomas Pedersen +Date: Fri, 24 May 2019 21:16:24 -0700 +Subject: mac80211: mesh: fix RCU warning + +[ Upstream commit 551842446ed695641a00782cd118cbb064a416a1 ] + +ifmsh->csa is an RCU-protected pointer. The writer context +in ieee80211_mesh_finish_csa() is already mutually +exclusive with wdev->sdata.mtx, but the RCU checker did +not know this. Use rcu_dereference_protected() to avoid a +warning. + +fixes the following warning: + +[ 12.519089] ============================= +[ 12.520042] WARNING: suspicious RCU usage +[ 12.520652] 5.1.0-rc7-wt+ #16 Tainted: G W +[ 12.521409] ----------------------------- +[ 12.521972] net/mac80211/mesh.c:1223 suspicious rcu_dereference_check() usage! +[ 12.522928] other info that might help us debug this: +[ 12.523984] rcu_scheduler_active = 2, debug_locks = 1 +[ 12.524855] 5 locks held by kworker/u8:2/152: +[ 12.525438] #0: 00000000057be08c ((wq_completion)phy0){+.+.}, at: process_one_work+0x1a2/0x620 +[ 12.526607] #1: 0000000059c6b07a ((work_completion)(&sdata->csa_finalize_work)){+.+.}, at: process_one_work+0x1a2/0x620 +[ 12.528001] #2: 00000000f184ba7d (&wdev->mtx){+.+.}, at: ieee80211_csa_finalize_work+0x2f/0x90 +[ 12.529116] #3: 00000000831a1f54 (&local->mtx){+.+.}, at: ieee80211_csa_finalize_work+0x47/0x90 +[ 12.530233] #4: 00000000fd06f988 (&local->chanctx_mtx){+.+.}, at: ieee80211_csa_finalize_work+0x51/0x90 + +Signed-off-by: Thomas Pedersen +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c +index d51da26e9c18..0f9446ab7e4f 100644 +--- a/net/mac80211/mesh.c ++++ b/net/mac80211/mesh.c +@@ -1212,7 +1212,8 @@ int ieee80211_mesh_finish_csa(struct ieee80211_sub_if_data *sdata) + ifmsh->chsw_ttl = 0; + + /* Remove the CSA and MCSP elements from the beacon */ +- tmp_csa_settings = rcu_dereference(ifmsh->csa); ++ tmp_csa_settings = rcu_dereference_protected(ifmsh->csa, ++ lockdep_is_held(&sdata->wdev.mtx)); + RCU_INIT_POINTER(ifmsh->csa, NULL); + if (tmp_csa_settings) + kfree_rcu(tmp_csa_settings, rcu_head); +@@ -1234,6 +1235,8 @@ int ieee80211_mesh_csa_beacon(struct ieee80211_sub_if_data *sdata, + struct mesh_csa_settings *tmp_csa_settings; + int ret = 0; + ++ lockdep_assert_held(&sdata->wdev.mtx); ++ + tmp_csa_settings = kmalloc(sizeof(*tmp_csa_settings), + GFP_ATOMIC); + if (!tmp_csa_settings) +-- +2.20.1 + diff --git a/queue-4.19/mac80211-only-warn-once-on-chanctx_conf-being-null.patch b/queue-4.19/mac80211-only-warn-once-on-chanctx_conf-being-null.patch new file mode 100644 index 00000000000..d467c12a26a --- /dev/null +++ b/queue-4.19/mac80211-only-warn-once-on-chanctx_conf-being-null.patch @@ -0,0 +1,49 @@ +From f20277a9c286326276708615c9f6a90bd46c1028 Mon Sep 17 00:00:00 2001 +From: Yibo Zhao +Date: Fri, 14 Jun 2019 19:01:52 +0800 +Subject: mac80211: only warn once on chanctx_conf being NULL + +[ Upstream commit 563572340173865a9a356e6bb02579e6998a876d ] + +In multiple SSID cases, it takes time to prepare every AP interface +to be ready in initializing phase. If a sta already knows everything it +needs to join one of the APs and sends authentication to the AP which +is not fully prepared at this point of time, AP's channel context +could be NULL. As a result, warning message occurs. + +Even worse, if the AP is under attack via tools such as MDK3 and massive +authentication requests are received in a very short time, console will +be hung due to kernel warning messages. + +WARN_ON_ONCE() could be a better way for indicating warning messages +without duplicate messages to flood the console. + +Johannes: We still need to address the underlying problem, but we + don't really have a good handle on it yet. Suppress the + worst side-effects for now. + +Signed-off-by: Zhi Chen +Signed-off-by: Yibo Zhao +[johannes: add note, change subject] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/ieee80211_i.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index 35c6dfa13fa8..24f5ced630f5 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -1410,7 +1410,7 @@ ieee80211_get_sband(struct ieee80211_sub_if_data *sdata) + rcu_read_lock(); + chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf); + +- if (WARN_ON(!chanctx_conf)) { ++ if (WARN_ON_ONCE(!chanctx_conf)) { + rcu_read_unlock(); + return NULL; + } +-- +2.20.1 + diff --git a/queue-4.19/md-fix-for-divide-error-in-status_resync.patch b/queue-4.19/md-fix-for-divide-error-in-status_resync.patch new file mode 100644 index 00000000000..ad5ca01ac64 --- /dev/null +++ b/queue-4.19/md-fix-for-divide-error-in-status_resync.patch @@ -0,0 +1,91 @@ +From 5640021247357c2ae1481285e225d402e6fd6a4c Mon Sep 17 00:00:00 2001 +From: Mariusz Tkaczyk +Date: Thu, 13 Jun 2019 16:11:41 +0200 +Subject: md: fix for divide error in status_resync + +[ Upstream commit 9642fa73d073527b0cbc337cc17a47d545d82cd2 ] + +Stopping external metadata arrays during resync/recovery causes +retries, loop of interrupting and starting reconstruction, until it +hit at good moment to stop completely. While these retries +curr_mark_cnt can be small- especially on HDD drives, so subtraction +result can be smaller than 0. However it is casted to uint without +checking. As a result of it the status bar in /proc/mdstat while stopping +is strange (it jumps between 0% and 99%). + +The real problem occurs here after commit 72deb455b5ec ("block: remove +CONFIG_LBDAF"). Sector_div() macro has been changed, now the +divisor is casted to uint32. For db = -8 the divisior(db/32-1) becomes 0. + +Check if db value can be really counted and replace these macro by +div64_u64() inline. + +Signed-off-by: Mariusz Tkaczyk +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 36 ++++++++++++++++++++++-------------- + 1 file changed, 22 insertions(+), 14 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index b924f62e2cd5..fb5d702e43b5 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -7625,9 +7625,9 @@ static void status_unused(struct seq_file *seq) + static int status_resync(struct seq_file *seq, struct mddev *mddev) + { + sector_t max_sectors, resync, res; +- unsigned long dt, db; +- sector_t rt; +- int scale; ++ unsigned long dt, db = 0; ++ sector_t rt, curr_mark_cnt, resync_mark_cnt; ++ int scale, recovery_active; + unsigned int per_milli; + + if (test_bit(MD_RECOVERY_SYNC, &mddev->recovery) || +@@ -7716,22 +7716,30 @@ static int status_resync(struct seq_file *seq, struct mddev *mddev) + * db: blocks written from mark until now + * rt: remaining time + * +- * rt is a sector_t, so could be 32bit or 64bit. +- * So we divide before multiply in case it is 32bit and close +- * to the limit. +- * We scale the divisor (db) by 32 to avoid losing precision +- * near the end of resync when the number of remaining sectors +- * is close to 'db'. +- * We then divide rt by 32 after multiplying by db to compensate. +- * The '+1' avoids division by zero if db is very small. ++ * rt is a sector_t, which is always 64bit now. We are keeping ++ * the original algorithm, but it is not really necessary. ++ * ++ * Original algorithm: ++ * So we divide before multiply in case it is 32bit and close ++ * to the limit. ++ * We scale the divisor (db) by 32 to avoid losing precision ++ * near the end of resync when the number of remaining sectors ++ * is close to 'db'. ++ * We then divide rt by 32 after multiplying by db to compensate. ++ * The '+1' avoids division by zero if db is very small. + */ + dt = ((jiffies - mddev->resync_mark) / HZ); + if (!dt) dt++; +- db = (mddev->curr_mark_cnt - atomic_read(&mddev->recovery_active)) +- - mddev->resync_mark_cnt; ++ ++ curr_mark_cnt = mddev->curr_mark_cnt; ++ recovery_active = atomic_read(&mddev->recovery_active); ++ resync_mark_cnt = mddev->resync_mark_cnt; ++ ++ if (curr_mark_cnt >= (recovery_active + resync_mark_cnt)) ++ db = curr_mark_cnt - (recovery_active + resync_mark_cnt); + + rt = max_sectors - resync; /* number of remaining sectors */ +- sector_div(rt, db/32+1); ++ rt = div64_u64(rt, db/32+1); + rt *= dt; + rt >>= 5; + +-- +2.20.1 + diff --git a/queue-4.19/mlxsw-spectrum-disallow-prio-tagged-packets-when-pvi.patch b/queue-4.19/mlxsw-spectrum-disallow-prio-tagged-packets-when-pvi.patch new file mode 100644 index 00000000000..73647265718 --- /dev/null +++ b/queue-4.19/mlxsw-spectrum-disallow-prio-tagged-packets-when-pvi.patch @@ -0,0 +1,35 @@ +From 25b0d37008a34b632268afb9e2331a9914ca2d5d Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Tue, 11 Jun 2019 10:19:46 +0300 +Subject: mlxsw: spectrum: Disallow prio-tagged packets when PVID is removed + +[ Upstream commit 4b14cc313f076c37b646cee06a85f0db59cf216c ] + +When PVID is removed from a bridge port, the Linux bridge drops both +untagged and prio-tagged packets. Align mlxsw with this behavior. + +Fixes: 148f472da5db ("mlxsw: reg: Add the Switch Port Acceptable Frame Types register") +Acked-by: Jiri Pirko +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/reg.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/reg.h b/drivers/net/ethernet/mellanox/mlxsw/reg.h +index 6e8b619b769b..aee58b3892f2 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/reg.h ++++ b/drivers/net/ethernet/mellanox/mlxsw/reg.h +@@ -877,7 +877,7 @@ static inline void mlxsw_reg_spaft_pack(char *payload, u8 local_port, + MLXSW_REG_ZERO(spaft, payload); + mlxsw_reg_spaft_local_port_set(payload, local_port); + mlxsw_reg_spaft_allow_untagged_set(payload, allow_untagged); +- mlxsw_reg_spaft_allow_prio_tagged_set(payload, true); ++ mlxsw_reg_spaft_allow_prio_tagged_set(payload, allow_untagged); + mlxsw_reg_spaft_allow_tagged_set(payload, true); + } + +-- +2.20.1 + diff --git a/queue-4.19/mmc-core-complete-hs400-before-checking-status.patch b/queue-4.19/mmc-core-complete-hs400-before-checking-status.patch new file mode 100644 index 00000000000..823697e99ea --- /dev/null +++ b/queue-4.19/mmc-core-complete-hs400-before-checking-status.patch @@ -0,0 +1,46 @@ +From b9168fe9910d43258799a21f80f57b9e198bd075 Mon Sep 17 00:00:00 2001 +From: Wolfram Sang +Date: Tue, 11 Jun 2019 22:03:43 +0200 +Subject: mmc: core: complete HS400 before checking status + +[ Upstream commit b0e370b95a3b231d0fb5d1958cce85ef57196fe6 ] + +We don't have a reproducible error case, yet our BSP team suggested that +the mmc_switch_status() command in mmc_select_hs400() should come after +the callback into the driver completing HS400 setup. It makes sense to +me because we want the status of a fully setup HS400, so it will +increase the reliability of the mmc_switch_status() command. + +Reported-by: Yoshihiro Shimoda +Signed-off-by: Wolfram Sang +Fixes: ba6c7ac3a2f4 ("mmc: core: more fine-grained hooks for HS400 tuning") +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/core/mmc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c +index 55997cf84b39..f1fe446eee66 100644 +--- a/drivers/mmc/core/mmc.c ++++ b/drivers/mmc/core/mmc.c +@@ -1209,13 +1209,13 @@ static int mmc_select_hs400(struct mmc_card *card) + mmc_set_timing(host, MMC_TIMING_MMC_HS400); + mmc_set_bus_speed(card); + ++ if (host->ops->hs400_complete) ++ host->ops->hs400_complete(host); ++ + err = mmc_switch_status(card); + if (err) + goto out_err; + +- if (host->ops->hs400_complete) +- host->ops->hs400_complete(host); +- + return 0; + + out_err: +-- +2.20.1 + diff --git a/queue-4.19/mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_.patch b/queue-4.19/mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_.patch new file mode 100644 index 00000000000..67ebd2751c7 --- /dev/null +++ b/queue-4.19/mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_.patch @@ -0,0 +1,124 @@ +From 76c4caa60c1f5df8e6f2431cf3a071f97f2d375d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 31 May 2019 15:18:41 +0200 +Subject: mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() + +[ Upstream commit 69ae4f6aac1578575126319d3f55550e7e440449 ] + +A few places in mwifiex_uap_parse_tail_ies() perform memcpy() +unconditionally, which may lead to either buffer overflow or read over +boundary. + +This patch addresses the issues by checking the read size and the +destination size at each place more properly. Along with the fixes, +the patch cleans up the code slightly by introducing a temporary +variable for the token size, and unifies the error path with the +standard goto statement. + +Reported-by: huangwen +Signed-off-by: Takashi Iwai +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/ie.c | 47 +++++++++++++++-------- + 1 file changed, 31 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/ie.c b/drivers/net/wireless/marvell/mwifiex/ie.c +index 75cbd609d606..801a2d7b020a 100644 +--- a/drivers/net/wireless/marvell/mwifiex/ie.c ++++ b/drivers/net/wireless/marvell/mwifiex/ie.c +@@ -329,6 +329,8 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv, + struct ieee80211_vendor_ie *vendorhdr; + u16 gen_idx = MWIFIEX_AUTO_IDX_MASK, ie_len = 0; + int left_len, parsed_len = 0; ++ unsigned int token_len; ++ int err = 0; + + if (!info->tail || !info->tail_len) + return 0; +@@ -344,6 +346,12 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv, + */ + while (left_len > sizeof(struct ieee_types_header)) { + hdr = (void *)(info->tail + parsed_len); ++ token_len = hdr->len + sizeof(struct ieee_types_header); ++ if (token_len > left_len) { ++ err = -EINVAL; ++ goto out; ++ } ++ + switch (hdr->element_id) { + case WLAN_EID_SSID: + case WLAN_EID_SUPP_RATES: +@@ -361,16 +369,19 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv, + if (cfg80211_find_vendor_ie(WLAN_OUI_MICROSOFT, + WLAN_OUI_TYPE_MICROSOFT_WMM, + (const u8 *)hdr, +- hdr->len + sizeof(struct ieee_types_header))) ++ token_len)) + break; + default: +- memcpy(gen_ie->ie_buffer + ie_len, hdr, +- hdr->len + sizeof(struct ieee_types_header)); +- ie_len += hdr->len + sizeof(struct ieee_types_header); ++ if (ie_len + token_len > IEEE_MAX_IE_SIZE) { ++ err = -EINVAL; ++ goto out; ++ } ++ memcpy(gen_ie->ie_buffer + ie_len, hdr, token_len); ++ ie_len += token_len; + break; + } +- left_len -= hdr->len + sizeof(struct ieee_types_header); +- parsed_len += hdr->len + sizeof(struct ieee_types_header); ++ left_len -= token_len; ++ parsed_len += token_len; + } + + /* parse only WPA vendor IE from tail, WMM IE is configured by +@@ -380,15 +391,17 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv, + WLAN_OUI_TYPE_MICROSOFT_WPA, + info->tail, info->tail_len); + if (vendorhdr) { +- memcpy(gen_ie->ie_buffer + ie_len, vendorhdr, +- vendorhdr->len + sizeof(struct ieee_types_header)); +- ie_len += vendorhdr->len + sizeof(struct ieee_types_header); ++ token_len = vendorhdr->len + sizeof(struct ieee_types_header); ++ if (ie_len + token_len > IEEE_MAX_IE_SIZE) { ++ err = -EINVAL; ++ goto out; ++ } ++ memcpy(gen_ie->ie_buffer + ie_len, vendorhdr, token_len); ++ ie_len += token_len; + } + +- if (!ie_len) { +- kfree(gen_ie); +- return 0; +- } ++ if (!ie_len) ++ goto out; + + gen_ie->ie_index = cpu_to_le16(gen_idx); + gen_ie->mgmt_subtype_mask = cpu_to_le16(MGMT_MASK_BEACON | +@@ -398,13 +411,15 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv, + + if (mwifiex_update_uap_custom_ie(priv, gen_ie, &gen_idx, NULL, NULL, + NULL, NULL)) { +- kfree(gen_ie); +- return -1; ++ err = -EINVAL; ++ goto out; + } + + priv->gen_idx = gen_idx; ++ ++ out: + kfree(gen_ie); +- return 0; ++ return err; + } + + /* This function parses different IEs-head & tail IEs, beacon IEs, +-- +2.20.1 + diff --git a/queue-4.19/mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch b/queue-4.19/mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch new file mode 100644 index 00000000000..499d2a24dff --- /dev/null +++ b/queue-4.19/mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch @@ -0,0 +1,49 @@ +From d2faf1410428e37bf5a1de25ad253eb6dc418682 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 29 May 2019 14:52:19 +0200 +Subject: mwifiex: Fix possible buffer overflows at parsing bss descriptor + +[ Upstream commit 13ec7f10b87f5fc04c4ccbd491c94c7980236a74 ] + +mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in +a couple places without checking the destination size. Since the +source is given from user-space, this may trigger a heap buffer +overflow. + +Fix it by putting the length check before performing memcpy(). + +This fix addresses CVE-2019-3846. + +Reported-by: huangwen +Signed-off-by: Takashi Iwai +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/scan.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c +index 8e483b0bc3b1..ddf985fb93ab 100644 +--- a/drivers/net/wireless/marvell/mwifiex/scan.c ++++ b/drivers/net/wireless/marvell/mwifiex/scan.c +@@ -1247,6 +1247,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, + } + switch (element_id) { + case WLAN_EID_SSID: ++ if (element_len > IEEE80211_MAX_SSID_LEN) ++ return -EINVAL; + bss_entry->ssid.ssid_len = element_len; + memcpy(bss_entry->ssid.ssid, (current_ptr + 2), + element_len); +@@ -1256,6 +1258,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, + break; + + case WLAN_EID_SUPP_RATES: ++ if (element_len > MWIFIEX_SUPPORTED_RATES) ++ return -EINVAL; + memcpy(bss_entry->data_rates, current_ptr + 2, + element_len); + memcpy(bss_entry->supported_rates, current_ptr + 2, +-- +2.20.1 + diff --git a/queue-4.19/net-dsa-mv88e6xxx-fix-shift-of-fid-bits-in-mv88e6185.patch b/queue-4.19/net-dsa-mv88e6xxx-fix-shift-of-fid-bits-in-mv88e6185.patch new file mode 100644 index 00000000000..76320780f8d --- /dev/null +++ b/queue-4.19/net-dsa-mv88e6xxx-fix-shift-of-fid-bits-in-mv88e6185.patch @@ -0,0 +1,35 @@ +From d6e8dfebb2512216a46094f8c5e9a877f7965c66 Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes +Date: Wed, 19 Jun 2019 10:02:13 +0000 +Subject: net: dsa: mv88e6xxx: fix shift of FID bits in + mv88e6185_g1_vtu_loadpurge() + +[ Upstream commit 48620e341659f6e4b978ec229f6944dabe6df709 ] + +The comment is correct, but the code ends up moving the bits four +places too far, into the VTUOp field. + +Fixes: 11ea809f1a74 (net: dsa: mv88e6xxx: support 256 databases) +Signed-off-by: Rasmus Villemoes +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/global1_vtu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/global1_vtu.c b/drivers/net/dsa/mv88e6xxx/global1_vtu.c +index 058326924f3e..7a6667e0b9f9 100644 +--- a/drivers/net/dsa/mv88e6xxx/global1_vtu.c ++++ b/drivers/net/dsa/mv88e6xxx/global1_vtu.c +@@ -419,7 +419,7 @@ int mv88e6185_g1_vtu_loadpurge(struct mv88e6xxx_chip *chip, + * VTU DBNum[7:4] are located in VTU Operation 11:8 + */ + op |= entry->fid & 0x000f; +- op |= (entry->fid & 0x00f0) << 8; ++ op |= (entry->fid & 0x00f0) << 4; + } + + return mv88e6xxx_g1_vtu_op(chip, op); +-- +2.20.1 + diff --git a/queue-4.19/net-lio_core-fix-potential-sign-extension-overflow-o.patch b/queue-4.19/net-lio_core-fix-potential-sign-extension-overflow-o.patch new file mode 100644 index 00000000000..03956d5b69e --- /dev/null +++ b/queue-4.19/net-lio_core-fix-potential-sign-extension-overflow-o.patch @@ -0,0 +1,37 @@ +From 067a3ef242c6e501c50aceb21fa893272b65282c Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Mon, 17 Jun 2019 17:12:49 +0100 +Subject: net: lio_core: fix potential sign-extension overflow on large shift + +[ Upstream commit 9476274093a0e79b905f4cd6cf6d149f65e02c17 ] + +Left shifting the signed int value 1 by 31 bits has undefined behaviour +and the shift amount oq_no can be as much as 63. Fix this by using +BIT_ULL(oq_no) instead. + +Addresses-Coverity: ("Bad shift operation") +Fixes: f21fb3ed364b ("Add support of Cavium Liquidio ethernet adapters") +Signed-off-by: Colin Ian King +Reviewed-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/lio_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_core.c b/drivers/net/ethernet/cavium/liquidio/lio_core.c +index 8093c5eafea2..781814835a4f 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_core.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_core.c +@@ -985,7 +985,7 @@ static void liquidio_schedule_droq_pkt_handlers(struct octeon_device *oct) + + if (droq->ops.poll_mode) { + droq->ops.napi_fn(droq); +- oct_priv->napi_mask |= (1 << oq_no); ++ oct_priv->napi_mask |= BIT_ULL(oq_no); + } else { + tasklet_schedule(&oct_priv->droq_tasklet); + } +-- +2.20.1 + diff --git a/queue-4.19/net-phy-rename-asix-electronics-phy-driver.patch b/queue-4.19/net-phy-rename-asix-electronics-phy-driver.patch new file mode 100644 index 00000000000..adac0521703 --- /dev/null +++ b/queue-4.19/net-phy-rename-asix-electronics-phy-driver.patch @@ -0,0 +1,79 @@ +From d19471b66aec107788f0ea218e677f9d6246d35c Mon Sep 17 00:00:00 2001 +From: Michael Schmitz +Date: Fri, 7 Jun 2019 17:37:34 +1200 +Subject: net: phy: rename Asix Electronics PHY driver + +[ Upstream commit a9520543b123bbd7275a0ab8d0375a5412683b41 ] + +[Resent to net instead of net-next - may clash with Anders Roxell's patch +series addressing duplicate module names] + +Commit 31dd83b96641 ("net-next: phy: new Asix Electronics PHY driver") +introduced a new PHY driver drivers/net/phy/asix.c that causes a module +name conflict with a pre-existiting driver (drivers/net/usb/asix.c). + +The PHY driver is used by the X-Surf 100 ethernet card driver, and loaded +by that driver via its PHY ID. A rename of the driver looks unproblematic. + +Rename PHY driver to ax88796b.c in order to resolve name conflict. + +Signed-off-by: Michael Schmitz +Tested-by: Michael Schmitz +Fixes: 31dd83b96641 ("net-next: phy: new Asix Electronics PHY driver") +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/8390/Kconfig | 2 +- + drivers/net/phy/Kconfig | 2 +- + drivers/net/phy/Makefile | 2 +- + drivers/net/phy/{asix.c => ax88796b.c} | 0 + 4 files changed, 3 insertions(+), 3 deletions(-) + rename drivers/net/phy/{asix.c => ax88796b.c} (100%) + +diff --git a/drivers/net/ethernet/8390/Kconfig b/drivers/net/ethernet/8390/Kconfig +index f2f0264c58ba..443b34e2725f 100644 +--- a/drivers/net/ethernet/8390/Kconfig ++++ b/drivers/net/ethernet/8390/Kconfig +@@ -49,7 +49,7 @@ config XSURF100 + tristate "Amiga XSurf 100 AX88796/NE2000 clone support" + depends on ZORRO + select AX88796 +- select ASIX_PHY ++ select AX88796B_PHY + help + This driver is for the Individual Computers X-Surf 100 Ethernet + card (based on the Asix AX88796 chip). If you have such a card, +diff --git a/drivers/net/phy/Kconfig b/drivers/net/phy/Kconfig +index 82070792edbb..1f5fd24cd749 100644 +--- a/drivers/net/phy/Kconfig ++++ b/drivers/net/phy/Kconfig +@@ -227,7 +227,7 @@ config AQUANTIA_PHY + ---help--- + Currently supports the Aquantia AQ1202, AQ2104, AQR105, AQR405 + +-config ASIX_PHY ++config AX88796B_PHY + tristate "Asix PHYs" + help + Currently supports the Asix Electronics PHY found in the X-Surf 100 +diff --git a/drivers/net/phy/Makefile b/drivers/net/phy/Makefile +index 5805c0b7d60e..f21cda9d865e 100644 +--- a/drivers/net/phy/Makefile ++++ b/drivers/net/phy/Makefile +@@ -46,7 +46,7 @@ obj-y += $(sfp-obj-y) $(sfp-obj-m) + + obj-$(CONFIG_AMD_PHY) += amd.o + obj-$(CONFIG_AQUANTIA_PHY) += aquantia.o +-obj-$(CONFIG_ASIX_PHY) += asix.o ++obj-$(CONFIG_AX88796B_PHY) += ax88796b.o + obj-$(CONFIG_AT803X_PHY) += at803x.o + obj-$(CONFIG_BCM63XX_PHY) += bcm63xx.o + obj-$(CONFIG_BCM7XXX_PHY) += bcm7xxx.o +diff --git a/drivers/net/phy/asix.c b/drivers/net/phy/ax88796b.c +similarity index 100% +rename from drivers/net/phy/asix.c +rename to drivers/net/phy/ax88796b.c +-- +2.20.1 + diff --git a/queue-4.19/net-sunrpc-clnt-fix-xps-refcount-imbalance-on-the-er.patch b/queue-4.19/net-sunrpc-clnt-fix-xps-refcount-imbalance-on-the-er.patch new file mode 100644 index 00000000000..1809b37483f --- /dev/null +++ b/queue-4.19/net-sunrpc-clnt-fix-xps-refcount-imbalance-on-the-er.patch @@ -0,0 +1,32 @@ +From 2455872940d371e65261fa6af400fd036e441aa1 Mon Sep 17 00:00:00 2001 +From: Lin Yi +Date: Mon, 10 Jun 2019 10:16:56 +0800 +Subject: net :sunrpc :clnt :Fix xps refcount imbalance on the error path + +[ Upstream commit b96226148491505318228ac52624956bd98f9e0c ] + +rpc_clnt_add_xprt take a reference to struct rpc_xprt_switch, but forget +to release it before return, may lead to a memory leak. + +Signed-off-by: Lin Yi +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + net/sunrpc/clnt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index 7e4553dbc3c7..0d7d149b1b1b 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -2713,6 +2713,7 @@ int rpc_clnt_add_xprt(struct rpc_clnt *clnt, + xprt = xprt_iter_xprt(&clnt->cl_xpi); + if (xps == NULL || xprt == NULL) { + rcu_read_unlock(); ++ xprt_switch_put(xps); + return -EAGAIN; + } + resvport = xprt->resvport; +-- +2.20.1 + diff --git a/queue-4.19/nfs4-only-set-creation-opendata-if-o_creat.patch b/queue-4.19/nfs4-only-set-creation-opendata-if-o_creat.patch new file mode 100644 index 00000000000..29188ee176b --- /dev/null +++ b/queue-4.19/nfs4-only-set-creation-opendata-if-o_creat.patch @@ -0,0 +1,74 @@ +From 1cc07aef7fc4fd749d3f38ebb1a714cdb2015e64 Mon Sep 17 00:00:00 2001 +From: Benjamin Coddington +Date: Fri, 7 Jun 2019 06:37:30 -0400 +Subject: NFS4: Only set creation opendata if O_CREAT + +[ Upstream commit 909105199a682cb09c500acd443d34b182846c9c ] + +We can end up in nfs4_opendata_alloc during task exit, in which case +current->fs has already been cleaned up. This leads to a crash in +current_umask(). + +Fix this by only setting creation opendata if we are actually doing an open +with O_CREAT. We can drop the check for NULL nfs4_open_createattrs, since +O_CREAT will never be set for the recovery path. + +Suggested-by: Trond Myklebust +Signed-off-by: Benjamin Coddington +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 53cf8599a46e..1de855e0ae61 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1243,10 +1243,20 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry, + atomic_inc(&sp->so_count); + p->o_arg.open_flags = flags; + p->o_arg.fmode = fmode & (FMODE_READ|FMODE_WRITE); +- p->o_arg.umask = current_umask(); + p->o_arg.claim = nfs4_map_atomic_open_claim(server, claim); + p->o_arg.share_access = nfs4_map_atomic_open_share(server, + fmode, flags); ++ if (flags & O_CREAT) { ++ p->o_arg.umask = current_umask(); ++ p->o_arg.label = nfs4_label_copy(p->a_label, label); ++ if (c->sattr != NULL && c->sattr->ia_valid != 0) { ++ p->o_arg.u.attrs = &p->attrs; ++ memcpy(&p->attrs, c->sattr, sizeof(p->attrs)); ++ ++ memcpy(p->o_arg.u.verifier.data, c->verf, ++ sizeof(p->o_arg.u.verifier.data)); ++ } ++ } + /* don't put an ACCESS op in OPEN compound if O_EXCL, because ACCESS + * will return permission denied for all bits until close */ + if (!(flags & O_EXCL)) { +@@ -1270,7 +1280,6 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry, + p->o_arg.server = server; + p->o_arg.bitmask = nfs4_bitmask(server, label); + p->o_arg.open_bitmap = &nfs4_fattr_bitmap[0]; +- p->o_arg.label = nfs4_label_copy(p->a_label, label); + switch (p->o_arg.claim) { + case NFS4_OPEN_CLAIM_NULL: + case NFS4_OPEN_CLAIM_DELEGATE_CUR: +@@ -1283,13 +1292,6 @@ static struct nfs4_opendata *nfs4_opendata_alloc(struct dentry *dentry, + case NFS4_OPEN_CLAIM_DELEG_PREV_FH: + p->o_arg.fh = NFS_FH(d_inode(dentry)); + } +- if (c != NULL && c->sattr != NULL && c->sattr->ia_valid != 0) { +- p->o_arg.u.attrs = &p->attrs; +- memcpy(&p->attrs, c->sattr, sizeof(p->attrs)); +- +- memcpy(p->o_arg.u.verifier.data, c->verf, +- sizeof(p->o_arg.u.verifier.data)); +- } + p->c_arg.fh = &p->o_res.fh; + p->c_arg.stateid = &p->o_res.stateid; + p->c_arg.seqid = p->o_arg.seqid; +-- +2.20.1 + diff --git a/queue-4.19/qmi_wwan-add-support-for-qmap-padding-in-the-rx-path.patch b/queue-4.19/qmi_wwan-add-support-for-qmap-padding-in-the-rx-path.patch new file mode 100644 index 00000000000..7ef6a9f6252 --- /dev/null +++ b/queue-4.19/qmi_wwan-add-support-for-qmap-padding-in-the-rx-path.patch @@ -0,0 +1,64 @@ +From 580180db1c6f47166e000d96630b3021cc803864 Mon Sep 17 00:00:00 2001 +From: Reinhard Speyerer +Date: Wed, 12 Jun 2019 19:02:13 +0200 +Subject: qmi_wwan: add support for QMAP padding in the RX path + +[ Upstream commit 61356088ace1866a847a727d4d40da7bf00b67fc ] + +The QMAP code in the qmi_wwan driver is based on the CodeAurora GobiNet +driver which does not process QMAP padding in the RX path correctly. +Add support for QMAP padding to qmimux_rx_fixup() according to the +description of the rmnet driver. + +Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support") +Cc: Daniele Palmas +Signed-off-by: Reinhard Speyerer +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index e657d8947125..090227118d3d 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -153,7 +153,7 @@ static bool qmimux_has_slaves(struct usbnet *dev) + + static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + { +- unsigned int len, offset = 0; ++ unsigned int len, offset = 0, pad_len, pkt_len; + struct qmimux_hdr *hdr; + struct net_device *net; + struct sk_buff *skbn; +@@ -171,10 +171,16 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + if (hdr->pad & 0x80) + goto skip; + ++ /* extract padding length and check for valid length info */ ++ pad_len = hdr->pad & 0x3f; ++ if (len == 0 || pad_len >= len) ++ goto skip; ++ pkt_len = len - pad_len; ++ + net = qmimux_find_dev(dev, hdr->mux_id); + if (!net) + goto skip; +- skbn = netdev_alloc_skb(net, len); ++ skbn = netdev_alloc_skb(net, pkt_len); + if (!skbn) + return 0; + skbn->dev = net; +@@ -191,7 +197,7 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + goto skip; + } + +- skb_put_data(skbn, skb->data + offset + qmimux_hdr_sz, len); ++ skb_put_data(skbn, skb->data + offset + qmimux_hdr_sz, pkt_len); + if (netif_rx(skbn) != NET_RX_SUCCESS) + return 0; + +-- +2.20.1 + diff --git a/queue-4.19/qmi_wwan-avoid-rcu-stalls-on-device-disconnect-when-.patch b/queue-4.19/qmi_wwan-avoid-rcu-stalls-on-device-disconnect-when-.patch new file mode 100644 index 00000000000..d8f020c2f87 --- /dev/null +++ b/queue-4.19/qmi_wwan-avoid-rcu-stalls-on-device-disconnect-when-.patch @@ -0,0 +1,73 @@ +From 989975d6f2d3f2b5a1983133dbdbd9718c412d87 Mon Sep 17 00:00:00 2001 +From: Reinhard Speyerer +Date: Wed, 12 Jun 2019 19:03:15 +0200 +Subject: qmi_wwan: avoid RCU stalls on device disconnect when in QMAP mode + +[ Upstream commit a8fdde1cb830e560208af42b6c10750137f53eb3 ] + +Switch qmimux_unregister_device() and qmi_wwan_disconnect() to +use unregister_netdevice_queue() and unregister_netdevice_many() +instead of unregister_netdevice(). This avoids RCU stalls which +have been observed on device disconnect in certain setups otherwise. + +Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support") +Cc: Daniele Palmas +Signed-off-by: Reinhard Speyerer +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 090227118d3d..44ada5c38756 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -247,13 +247,14 @@ static int qmimux_register_device(struct net_device *real_dev, u8 mux_id) + return err; + } + +-static void qmimux_unregister_device(struct net_device *dev) ++static void qmimux_unregister_device(struct net_device *dev, ++ struct list_head *head) + { + struct qmimux_priv *priv = netdev_priv(dev); + struct net_device *real_dev = priv->real_dev; + + netdev_upper_dev_unlink(real_dev, dev); +- unregister_netdevice(dev); ++ unregister_netdevice_queue(dev, head); + + /* Get rid of the reference to real_dev */ + dev_put(real_dev); +@@ -424,7 +425,7 @@ static ssize_t del_mux_store(struct device *d, struct device_attribute *attr, c + ret = -EINVAL; + goto err; + } +- qmimux_unregister_device(del_dev); ++ qmimux_unregister_device(del_dev, NULL); + + if (!qmimux_has_slaves(dev)) + info->flags &= ~QMI_WWAN_FLAG_MUX; +@@ -1434,6 +1435,7 @@ static void qmi_wwan_disconnect(struct usb_interface *intf) + struct qmi_wwan_state *info; + struct list_head *iter; + struct net_device *ldev; ++ LIST_HEAD(list); + + /* called twice if separate control and data intf */ + if (!dev) +@@ -1446,8 +1448,9 @@ static void qmi_wwan_disconnect(struct usb_interface *intf) + } + rcu_read_lock(); + netdev_for_each_upper_dev_rcu(dev->net, ldev, iter) +- qmimux_unregister_device(ldev); ++ qmimux_unregister_device(ldev, &list); + rcu_read_unlock(); ++ unregister_netdevice_many(&list); + rtnl_unlock(); + info->flags &= ~QMI_WWAN_FLAG_MUX; + } +-- +2.20.1 + diff --git a/queue-4.19/qmi_wwan-extend-permitted-qmap-mux_id-value-range.patch b/queue-4.19/qmi_wwan-extend-permitted-qmap-mux_id-value-range.patch new file mode 100644 index 00000000000..ac40ff68a1e --- /dev/null +++ b/queue-4.19/qmi_wwan-extend-permitted-qmap-mux_id-value-range.patch @@ -0,0 +1,58 @@ +From 85f41566ed1535a0c9e0cd1932d42c8b7541be15 Mon Sep 17 00:00:00 2001 +From: Reinhard Speyerer +Date: Wed, 12 Jun 2019 19:03:50 +0200 +Subject: qmi_wwan: extend permitted QMAP mux_id value range + +[ Upstream commit 36815b416fa48766ac5a98e4b2dc3ebc5887222e ] + +Permit mux_id values up to 254 to be used in qmimux_register_device() +for compatibility with ip(8) and the rmnet driver. + +Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support") +Cc: Daniele Palmas +Signed-off-by: Reinhard Speyerer +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + Documentation/ABI/testing/sysfs-class-net-qmi | 4 ++-- + drivers/net/usb/qmi_wwan.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/Documentation/ABI/testing/sysfs-class-net-qmi b/Documentation/ABI/testing/sysfs-class-net-qmi +index 7122d6264c49..c310db4ccbc2 100644 +--- a/Documentation/ABI/testing/sysfs-class-net-qmi ++++ b/Documentation/ABI/testing/sysfs-class-net-qmi +@@ -29,7 +29,7 @@ Contact: Bjørn Mork + Description: + Unsigned integer. + +- Write a number ranging from 1 to 127 to add a qmap mux ++ Write a number ranging from 1 to 254 to add a qmap mux + based network device, supported by recent Qualcomm based + modems. + +@@ -46,5 +46,5 @@ Contact: Bjørn Mork + Description: + Unsigned integer. + +- Write a number ranging from 1 to 127 to delete a previously ++ Write a number ranging from 1 to 254 to delete a previously + created qmap mux based network device. +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 44ada5c38756..128c8a327d8e 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -363,8 +363,8 @@ static ssize_t add_mux_store(struct device *d, struct device_attribute *attr, c + if (kstrtou8(buf, 0, &mux_id)) + return -EINVAL; + +- /* mux_id [1 - 0x7f] range empirically found */ +- if (mux_id < 1 || mux_id > 0x7f) ++ /* mux_id [1 - 254] for compatibility with ip(8) and the rmnet driver */ ++ if (mux_id < 1 || mux_id > 254) + return -EINVAL; + + if (!rtnl_trylock()) +-- +2.20.1 + diff --git a/queue-4.19/quota-fix-a-problem-about-transfer-quota.patch b/queue-4.19/quota-fix-a-problem-about-transfer-quota.patch new file mode 100644 index 00000000000..2502d6910bf --- /dev/null +++ b/queue-4.19/quota-fix-a-problem-about-transfer-quota.patch @@ -0,0 +1,43 @@ +From aff7ac1683eb7d2a6b4fa985efb479ba5546998f Mon Sep 17 00:00:00 2001 +From: yangerkun +Date: Tue, 26 Mar 2019 22:00:02 +0800 +Subject: quota: fix a problem about transfer quota + +[ Upstream commit c6d9c35d16f1bafd3fec64b865e569e48cbcb514 ] + +Run below script as root, dquot_add_space will return -EDQUOT since +__dquot_transfer call dquot_add_space with flags=0, and dquot_add_space +think it's a preallocation. Fix it by set flags as DQUOT_SPACE_WARN. + +mkfs.ext4 -O quota,project /dev/vdb +mount -o prjquota /dev/vdb /mnt +setquota -P 23 1 1 0 0 /dev/vdb +dd if=/dev/zero of=/mnt/test-file bs=4K count=1 +chattr -p 23 test-file + +Fixes: 7b9ca4c61bc2 ("quota: Reduce contention on dq_data_lock") +Signed-off-by: yangerkun +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index fc20e06c56ba..dd1783ea7003 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -1993,8 +1993,8 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to) + &warn_to[cnt]); + if (ret) + goto over_quota; +- ret = dquot_add_space(transfer_to[cnt], cur_space, rsv_space, 0, +- &warn_to[cnt]); ++ ret = dquot_add_space(transfer_to[cnt], cur_space, rsv_space, ++ DQUOT_SPACE_WARN, &warn_to[cnt]); + if (ret) { + spin_lock(&transfer_to[cnt]->dq_dqb_lock); + dquot_decr_inodes(transfer_to[cnt], inode_usage); +-- +2.20.1 + diff --git a/queue-4.19/riscv-fix-udelay-in-rv32.patch b/queue-4.19/riscv-fix-udelay-in-rv32.patch new file mode 100644 index 00000000000..f8646079047 --- /dev/null +++ b/queue-4.19/riscv-fix-udelay-in-rv32.patch @@ -0,0 +1,37 @@ +From 8823473deaacdf68a7b08d13bd443bb7ebc5e231 Mon Sep 17 00:00:00 2001 +From: Nick Hu +Date: Thu, 30 May 2019 15:01:17 +0800 +Subject: riscv: Fix udelay in RV32. + +[ Upstream commit d0e1f2110a5eeb6e410b2dd37d98bc5b30da7bc7 ] + +In RV32, udelay would delay the wrong cycle. When it shifts right +"UDELAY_SHIFT" bits, it either delays 0 cycle or 1 cycle. It only works +correctly in RV64. Because the 'ucycles' always needs to be 64 bits +variable. + +Signed-off-by: Nick Hu +Reviewed-by: Palmer Dabbelt +[paul.walmsley@sifive.com: fixed minor spelling error] +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + arch/riscv/lib/delay.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/lib/delay.c b/arch/riscv/lib/delay.c +index dce8ae24c6d3..ee6853c1e341 100644 +--- a/arch/riscv/lib/delay.c ++++ b/arch/riscv/lib/delay.c +@@ -88,7 +88,7 @@ EXPORT_SYMBOL(__delay); + + void udelay(unsigned long usecs) + { +- unsigned long ucycles = usecs * lpj_fine * UDELAY_MULT; ++ u64 ucycles = (u64)usecs * lpj_fine * UDELAY_MULT; + + if (unlikely(usecs > MAX_UDELAY_US)) { + __delay((u64)usecs * riscv_timebase / 1000000ULL); +-- +2.20.1 + diff --git a/queue-4.19/s390-boot-disable-address-of-packed-member-warning.patch b/queue-4.19/s390-boot-disable-address-of-packed-member-warning.patch new file mode 100644 index 00000000000..c867e22dc86 --- /dev/null +++ b/queue-4.19/s390-boot-disable-address-of-packed-member-warning.patch @@ -0,0 +1,39 @@ +From 8d0bfc4c17c27f1d1ab1003e88d5907aa02c6925 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Tue, 4 Jun 2019 13:10:51 +0200 +Subject: s390/boot: disable address-of-packed-member warning + +[ Upstream commit f9364df30420987e77599c4789ec0065c609a507 ] + +Get rid of gcc9 warnings like this: + +arch/s390/boot/ipl_report.c: In function 'find_bootdata_space': +arch/s390/boot/ipl_report.c:42:26: warning: taking address of packed member of 'struct ipl_rb_components' may result in an unaligned pointer value [-Waddress-of-packed-member] + 42 | for_each_rb_entry(comp, comps) + | ^~~~~ + +This is effectively the s390 variant of commit 20c6c1890455 +("x86/boot: Disable the address-of-packed-member compiler warning"). + +Reviewed-by: Vasily Gorbik +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/s390/Makefile b/arch/s390/Makefile +index ee65185bbc80..e6c2e8925fef 100644 +--- a/arch/s390/Makefile ++++ b/arch/s390/Makefile +@@ -24,6 +24,7 @@ KBUILD_CFLAGS_DECOMPRESSOR += -DDISABLE_BRANCH_PROFILING -D__NO_FORTIFY + KBUILD_CFLAGS_DECOMPRESSOR += -fno-delete-null-pointer-checks -msoft-float + KBUILD_CFLAGS_DECOMPRESSOR += -fno-asynchronous-unwind-tables + KBUILD_CFLAGS_DECOMPRESSOR += $(call cc-option,-ffreestanding) ++KBUILD_CFLAGS_DECOMPRESSOR += $(call cc-disable-warning, address-of-packed-member) + KBUILD_CFLAGS_DECOMPRESSOR += $(if $(CONFIG_DEBUG_INFO),-g) + KBUILD_CFLAGS_DECOMPRESSOR += $(if $(CONFIG_DEBUG_INFO_DWARF4), $(call cc-option, -gdwarf-4,)) + UTS_MACHINE := s390x +-- +2.20.1 + diff --git a/queue-4.19/samples-bpf-fix-to-change-the-buffer-size-for-read.patch b/queue-4.19/samples-bpf-fix-to-change-the-buffer-size-for-read.patch new file mode 100644 index 00000000000..70b5d00b3b3 --- /dev/null +++ b/queue-4.19/samples-bpf-fix-to-change-the-buffer-size-for-read.patch @@ -0,0 +1,43 @@ +From 3fe9c35c942cda6999ecbe388e573a8f0b829931 Mon Sep 17 00:00:00 2001 +From: Chang-Hsien Tsai +Date: Sun, 19 May 2019 09:05:44 +0000 +Subject: samples, bpf: fix to change the buffer size for read() + +[ Upstream commit f7c2d64bac1be2ff32f8e4f500c6e5429c1003e0 ] + +If the trace for read is larger than 4096, the return +value sz will be 4096. This results in off-by-one error +on buf: + + static char buf[4096]; + ssize_t sz; + + sz = read(trace_fd, buf, sizeof(buf)); + if (sz > 0) { + buf[sz] = 0; + puts(buf); + } + +Signed-off-by: Chang-Hsien Tsai +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + samples/bpf/bpf_load.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/samples/bpf/bpf_load.c b/samples/bpf/bpf_load.c +index cf40a8284a38..5061a2ec4564 100644 +--- a/samples/bpf/bpf_load.c ++++ b/samples/bpf/bpf_load.c +@@ -677,7 +677,7 @@ void read_trace_pipe(void) + static char buf[4096]; + ssize_t sz; + +- sz = read(trace_fd, buf, sizeof(buf)); ++ sz = read(trace_fd, buf, sizeof(buf) - 1); + if (sz > 0) { + buf[sz] = 0; + puts(buf); +-- +2.20.1 + diff --git a/queue-4.19/samples-bpf-suppress-compiler-warning.patch b/queue-4.19/samples-bpf-suppress-compiler-warning.patch new file mode 100644 index 00000000000..e9e7a2f4310 --- /dev/null +++ b/queue-4.19/samples-bpf-suppress-compiler-warning.patch @@ -0,0 +1,51 @@ +From 762ae16136401748832c571eb853345bc48dc01c Mon Sep 17 00:00:00 2001 +From: Matteo Croce +Date: Mon, 20 May 2019 23:49:38 +0200 +Subject: samples, bpf: suppress compiler warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit a195cefff49f60054998333e81ee95170ce8bf92 ] + +GCC 9 fails to calculate the size of local constant strings and produces a +false positive: + +samples/bpf/task_fd_query_user.c: In function ‘test_debug_fs_uprobe’: +samples/bpf/task_fd_query_user.c:242:67: warning: ‘%s’ directive output may be truncated writing up to 255 bytes into a region of size 215 [-Wformat-truncation=] + 242 | snprintf(buf, sizeof(buf), "/sys/kernel/debug/tracing/events/%ss/%s/id", + | ^~ + 243 | event_type, event_alias); + | ~~~~~~~~~~~ +samples/bpf/task_fd_query_user.c:242:2: note: ‘snprintf’ output between 45 and 300 bytes into a destination of size 256 + 242 | snprintf(buf, sizeof(buf), "/sys/kernel/debug/tracing/events/%ss/%s/id", + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 243 | event_type, event_alias); + | ~~~~~~~~~~~~~~~~~~~~~~~~ + +Workaround this by lowering the buffer size to a reasonable value. +Related GCC Bugzilla: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83431 + +Signed-off-by: Matteo Croce +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + samples/bpf/task_fd_query_user.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/samples/bpf/task_fd_query_user.c b/samples/bpf/task_fd_query_user.c +index 8381d792f138..06957f0fbe83 100644 +--- a/samples/bpf/task_fd_query_user.c ++++ b/samples/bpf/task_fd_query_user.c +@@ -216,7 +216,7 @@ static int test_debug_fs_uprobe(char *binary_path, long offset, bool is_return) + { + const char *event_type = "uprobe"; + struct perf_event_attr attr = {}; +- char buf[256], event_alias[256]; ++ char buf[256], event_alias[sizeof("test_1234567890")]; + __u64 probe_offset, probe_addr; + __u32 len, prog_id, fd_type; + int err, res, kfd, efd; +-- +2.20.1 + diff --git a/queue-4.19/scsi-qedi-check-targetname-while-finding-boot-target.patch b/queue-4.19/scsi-qedi-check-targetname-while-finding-boot-target.patch new file mode 100644 index 00000000000..3cec9225fc3 --- /dev/null +++ b/queue-4.19/scsi-qedi-check-targetname-while-finding-boot-target.patch @@ -0,0 +1,70 @@ +From daf73ec517b40ec1ff01bd9815d45d13c53cb288 Mon Sep 17 00:00:00 2001 +From: Nilesh Javali +Date: Wed, 12 Jun 2019 01:05:41 -0700 +Subject: scsi: qedi: Check targetname while finding boot target information + +[ Upstream commit 1ac3549ed58cdfdaf43bbf31ac260e2381cc0dae ] + +The kernel panic was observed during iSCSI discovery via offload with below +call trace, + +[ 2115.646901] BUG: unable to handle kernel NULL pointer dereference at (null) +[ 2115.646909] IP: [] strncmp+0xc/0x60 +[ 2115.646927] PGD 0 +[ 2115.646932] Oops: 0000 [#1] SMP +[ 2115.647107] CPU: 24 PID: 264 Comm: kworker/24:1 Kdump: loaded Tainted: G + OE ------------ 3.10.0-957.el7.x86_64 #1 +[ 2115.647133] Workqueue: slowpath-13:00. qed_slowpath_task [qed] +[ 2115.647135] task: ffff8d66af80b0c0 ti: ffff8d66afb80000 task.ti: ffff8d66afb80000 +[ 2115.647136] RIP: 0010:[] [] strncmp+0xc/0x60 +[ 2115.647141] RSP: 0018:ffff8d66afb83c68 EFLAGS: 00010206 +[ 2115.647143] RAX: 0000000000000001 RBX: 0000000000000007 RCX: 000000000000000a +[ 2115.647144] RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffff8d632b3ba040 +[ 2115.647145] RBP: ffff8d66afb83c68 R08: 0000000000000000 R09: 000000000000ffff +[ 2115.647147] R10: 0000000000000007 R11: 0000000000000800 R12: ffff8d66a30007a0 +[ 2115.647148] R13: ffff8d66747a3c10 R14: ffff8d632b3ba000 R15: ffff8d66747a32f8 +[ 2115.647149] FS: 0000000000000000(0000) GS:ffff8d66aff00000(0000) knlGS:0000000000000000 +[ 2115.647151] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 2115.647152] CR2: 0000000000000000 CR3: 0000000509610000 CR4: 00000000007607e0 +[ 2115.647153] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 2115.647154] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 2115.647155] PKRU: 00000000 +[ 2115.647157] Call Trace: +[ 2115.647165] [] qedi_get_protocol_tlv_data+0x2c5/0x510 [qedi] +[ 2115.647184] [] ? qed_mfw_process_tlv_req+0x245/0xbe0 [qed] +[ 2115.647195] [] qed_mfw_fill_tlv_data+0x4b/0xb0 [qed] +[ 2115.647206] [] qed_mfw_process_tlv_req+0x261/0xbe0 [qed] +[ 2115.647215] [] ? dequeue_task_fair+0x41e/0x660 +[ 2115.647221] [] ? __switch_to+0xce/0x580 +[ 2115.647230] [] qed_slowpath_task+0xa3/0x160 [qed] +[ 2115.647278] RIP [] strncmp+0xc/0x60 + +Fix kernel panic by validating the session targetname before providing TLV +data and confirming the presence of boot targets. + +Signed-off-by: Nilesh Javali +Reviewed-by: Lee Duncan +Reviewed-by: Chris Leech +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedi/qedi_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/qedi/qedi_main.c b/drivers/scsi/qedi/qedi_main.c +index 4de740da547b..763c7628356b 100644 +--- a/drivers/scsi/qedi/qedi_main.c ++++ b/drivers/scsi/qedi/qedi_main.c +@@ -955,6 +955,9 @@ static int qedi_find_boot_info(struct qedi_ctx *qedi, + if (!iscsi_is_session_online(cls_sess)) + continue; + ++ if (!sess->targetname) ++ continue; ++ + if (pri_ctrl_flags) { + if (!strcmp(pri_tgt->iscsi_name, sess->targetname) && + !strcmp(pri_tgt->ip_addr, ep_ip_addr)) { +-- +2.20.1 + diff --git a/queue-4.19/series b/queue-4.19/series index b2f09e23041..349a49ce208 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -1,2 +1,55 @@ crypto-talitos-fix-hash-on-sec1.patch crypto-talitos-rename-alternative-aead-algos.patch +soc-brcmstb-fix-error-path-for-unsupported-cpus.patch +soc-bcm-brcmstb-biuctrl-register-writes-require-a-ba.patch +input-elantech-enable-middle-button-support-on-2-thi.patch +samples-bpf-fix-to-change-the-buffer-size-for-read.patch +samples-bpf-suppress-compiler-warning.patch +mac80211-fix-rate-reporting-inside-cfg80211_calculat.patch +bpf-sockmap-fix-use-after-free-from-sleep-in-psock-b.patch +soundwire-stream-fix-out-of-boundary-access-on-port-.patch +staging-iio-ad7150-fix-threshold-mode-config-bit.patch +mac80211-mesh-fix-rcu-warning.patch +mac80211-free-peer-keys-before-vif-down-in-mesh.patch +mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch +iwlwifi-fix-double-free-problems-in-iwl_req_fw_callb.patch +mwifiex-fix-heap-overflow-in-mwifiex_uap_parse_tail_.patch +soundwire-intel-set-dai-min-and-max-channels-correct.patch +dt-bindings-can-mcp251x-add-mcp25625-support.patch +can-mcp251x-add-support-for-mcp25625.patch +can-m_can-implement-errata-needless-activation-of-mr.patch +can-af_can-fix-error-path-of-can_init.patch +net-phy-rename-asix-electronics-phy-driver.patch +ibmvnic-do-not-close-unopened-driver-during-reset.patch +ibmvnic-refresh-device-multicast-list-after-reset.patch +ibmvnic-fix-unchecked-return-codes-of-memory-allocat.patch +arm-dts-am335x-phytec-boards-fix-cd-gpios-active-lev.patch +s390-boot-disable-address-of-packed-member-warning.patch +drm-vmwgfx-honor-the-sg-list-segment-size-limitation.patch +drm-vmwgfx-fix-a-warning-due-to-missing-dma_parms.patch +riscv-fix-udelay-in-rv32.patch +input-imx_keypad-make-sure-keyboard-can-always-wake-.patch +kvm-arm-arm64-vgic-fix-kvm_device-leak-in-vgic_its_d.patch +mlxsw-spectrum-disallow-prio-tagged-packets-when-pvi.patch +arm-davinci-da850-evm-call-regulator_has_full_constr.patch +arm-davinci-da8xx-specify-dma_coherent_mask-for-lcdc.patch +mac80211-only-warn-once-on-chanctx_conf-being-null.patch +mac80211-do-not-start-any-work-during-reconfigure-fl.patch +bpf-devmap-fix-premature-entry-free-on-destroying-ma.patch +bpf-devmap-add-missing-bulk-queue-free.patch +bpf-devmap-add-missing-rcu-read-lock-on-flush.patch +bpf-x64-fix-stack-layout-of-jited-bpf-code.patch +qmi_wwan-add-support-for-qmap-padding-in-the-rx-path.patch +qmi_wwan-avoid-rcu-stalls-on-device-disconnect-when-.patch +qmi_wwan-extend-permitted-qmap-mux_id-value-range.patch +mmc-core-complete-hs400-before-checking-status.patch +md-fix-for-divide-error-in-status_resync.patch +bnx2x-check-if-transceiver-implements-ddm-before-acc.patch +drm-return-efault-if-copy_to_user-fails.patch +ip6_tunnel-allow-not-to-count-pkts-on-tstats-by-pass.patch +net-lio_core-fix-potential-sign-extension-overflow-o.patch +scsi-qedi-check-targetname-while-finding-boot-target.patch +quota-fix-a-problem-about-transfer-quota.patch +net-dsa-mv88e6xxx-fix-shift-of-fid-bits-in-mv88e6185.patch +nfs4-only-set-creation-opendata-if-o_creat.patch +net-sunrpc-clnt-fix-xps-refcount-imbalance-on-the-er.patch diff --git a/queue-4.19/soc-bcm-brcmstb-biuctrl-register-writes-require-a-ba.patch b/queue-4.19/soc-bcm-brcmstb-biuctrl-register-writes-require-a-ba.patch new file mode 100644 index 00000000000..39a072d8420 --- /dev/null +++ b/queue-4.19/soc-bcm-brcmstb-biuctrl-register-writes-require-a-ba.patch @@ -0,0 +1,35 @@ +From b5bdd5dee7ecca1e39375c3fb6793215c8a0786c Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 12 Apr 2019 10:15:26 -0700 +Subject: soc: bcm: brcmstb: biuctrl: Register writes require a barrier + +[ Upstream commit 6b23af0783a54efb348f0bd781b7850636023dbb ] + +The BIUCTRL register writes require that a data barrier be inserted +after comitting the write to the register for the block to latch in the +recently written values. Reads have no such requirement and are not +changed. + +Fixes: 34642650e5bc ("soc: Move brcmstb to bcm/brcmstb") +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + drivers/soc/bcm/brcmstb/biuctrl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/bcm/brcmstb/biuctrl.c b/drivers/soc/bcm/brcmstb/biuctrl.c +index c16273b31b94..20b63bee5b09 100644 +--- a/drivers/soc/bcm/brcmstb/biuctrl.c ++++ b/drivers/soc/bcm/brcmstb/biuctrl.c +@@ -56,7 +56,7 @@ static inline void cbc_writel(u32 val, int reg) + if (offset == -1) + return; + +- writel_relaxed(val, cpubiuctrl_base + offset); ++ writel(val, cpubiuctrl_base + offset); + } + + enum cpubiuctrl_regs { +-- +2.20.1 + diff --git a/queue-4.19/soc-brcmstb-fix-error-path-for-unsupported-cpus.patch b/queue-4.19/soc-brcmstb-fix-error-path-for-unsupported-cpus.patch new file mode 100644 index 00000000000..b725d908fb4 --- /dev/null +++ b/queue-4.19/soc-brcmstb-fix-error-path-for-unsupported-cpus.patch @@ -0,0 +1,38 @@ +From 582cc7699c02f56d520a262193160ac2c29f9148 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Sun, 7 Apr 2019 14:19:07 -0700 +Subject: soc: brcmstb: Fix error path for unsupported CPUs + +[ Upstream commit 490cad5a3ad6ef0bfd3168a5063140b982f3b22a ] + +In case setup_hifcpubiuctrl_regs() returns an error, because of e.g: +an unsupported CPU type, just catch that error and return instead of +blindly continuing with the initialization. This fixes a NULL pointer +de-reference with the code continuing without having a proper array of +registers to use. + +Fixes: 22f7a9116eba ("soc: brcmstb: Correct CPU_CREDIT_REG offset for Brahma-B53 CPUs") +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + drivers/soc/bcm/brcmstb/biuctrl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/soc/bcm/brcmstb/biuctrl.c b/drivers/soc/bcm/brcmstb/biuctrl.c +index 6d89ebf13b8a..c16273b31b94 100644 +--- a/drivers/soc/bcm/brcmstb/biuctrl.c ++++ b/drivers/soc/bcm/brcmstb/biuctrl.c +@@ -246,7 +246,9 @@ static int __init brcmstb_biuctrl_init(void) + if (!np) + return 0; + +- setup_hifcpubiuctrl_regs(np); ++ ret = setup_hifcpubiuctrl_regs(np); ++ if (ret) ++ return ret; + + ret = mcp_write_pairing_set(); + if (ret) { +-- +2.20.1 + diff --git a/queue-4.19/soundwire-intel-set-dai-min-and-max-channels-correct.patch b/queue-4.19/soundwire-intel-set-dai-min-and-max-channels-correct.patch new file mode 100644 index 00000000000..ab25f6f7dae --- /dev/null +++ b/queue-4.19/soundwire-intel-set-dai-min-and-max-channels-correct.patch @@ -0,0 +1,35 @@ +From 091a7f36591e7de33cccaa7b1dda067337150e65 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Thu, 6 Jun 2019 12:23:04 +0100 +Subject: soundwire: intel: set dai min and max channels correctly + +[ Upstream commit 39194128701bf2af9bbc420ffe6e3cb5d2c16061 ] + +Looks like there is a copy paste error. +This patch fixes it! + +Signed-off-by: Srinivas Kandagatla +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/intel.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/soundwire/intel.c b/drivers/soundwire/intel.c +index 0a8990e758f9..a6e2581ada70 100644 +--- a/drivers/soundwire/intel.c ++++ b/drivers/soundwire/intel.c +@@ -651,8 +651,8 @@ static int intel_create_dai(struct sdw_cdns *cdns, + return -ENOMEM; + } + +- dais[i].playback.channels_min = 1; +- dais[i].playback.channels_max = max_ch; ++ dais[i].capture.channels_min = 1; ++ dais[i].capture.channels_max = max_ch; + dais[i].capture.rates = SNDRV_PCM_RATE_48000; + dais[i].capture.formats = SNDRV_PCM_FMTBIT_S16_LE; + } +-- +2.20.1 + diff --git a/queue-4.19/soundwire-stream-fix-out-of-boundary-access-on-port-.patch b/queue-4.19/soundwire-stream-fix-out-of-boundary-access-on-port-.patch new file mode 100644 index 00000000000..b31f224afb6 --- /dev/null +++ b/queue-4.19/soundwire-stream-fix-out-of-boundary-access-on-port-.patch @@ -0,0 +1,38 @@ +From 9f9b69b6d75c0a8dcdc3ffe98b99bbaf3e21b853 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Wed, 22 May 2019 17:24:43 +0100 +Subject: soundwire: stream: fix out of boundary access on port properties + +[ Upstream commit 03ecad90d3798be11b033248bbd4bbff4425a1c7 ] + +Assigning local iterator to array element and using it again for +indexing would cross the array boundary. +Fix this by directly referring array element without using the local +variable. + +Signed-off-by: Srinivas Kandagatla +Acked-by: Pierre-Louis Bossart +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/stream.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c +index e5c7e1ef6318..907a548645b7 100644 +--- a/drivers/soundwire/stream.c ++++ b/drivers/soundwire/stream.c +@@ -1236,9 +1236,7 @@ struct sdw_dpn_prop *sdw_get_slave_dpn_prop(struct sdw_slave *slave, + } + + for (i = 0; i < num_ports; i++) { +- dpn_prop = &dpn_prop[i]; +- +- if (dpn_prop->num == port_num) ++ if (dpn_prop[i].num == port_num) + return &dpn_prop[i]; + } + +-- +2.20.1 + diff --git a/queue-4.19/staging-iio-ad7150-fix-threshold-mode-config-bit.patch b/queue-4.19/staging-iio-ad7150-fix-threshold-mode-config-bit.patch new file mode 100644 index 00000000000..0f071b8f72f --- /dev/null +++ b/queue-4.19/staging-iio-ad7150-fix-threshold-mode-config-bit.patch @@ -0,0 +1,78 @@ +From 57ade05fab7ed70c60db105db6be5c6a3edf82aa Mon Sep 17 00:00:00 2001 +From: Melissa Wen +Date: Sat, 18 May 2019 22:04:56 -0300 +Subject: staging:iio:ad7150: fix threshold mode config bit + +[ Upstream commit df4d737ee4d7205aaa6275158aeebff87fd14488 ] + +According to the AD7150 configuration register description, bit 7 assumes +value 1 when the threshold mode is fixed and 0 when it is adaptive, +however, the operation that identifies this mode was considering the +opposite values. + +This patch renames the boolean variable to describe it correctly and +properly replaces it in the places where it is used. + +Fixes: 531efd6aa0991 ("staging:iio:adc:ad7150: chan_spec conv + i2c_smbus commands + drop unused poweroff timeout control.") +Signed-off-by: Melissa Wen +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/staging/iio/cdc/ad7150.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/drivers/staging/iio/cdc/ad7150.c b/drivers/staging/iio/cdc/ad7150.c +index d16084d7068c..a354ce6b2b7b 100644 +--- a/drivers/staging/iio/cdc/ad7150.c ++++ b/drivers/staging/iio/cdc/ad7150.c +@@ -6,6 +6,7 @@ + * Licensed under the GPL-2 or later. + */ + ++#include + #include + #include + #include +@@ -130,7 +131,7 @@ static int ad7150_read_event_config(struct iio_dev *indio_dev, + { + int ret; + u8 threshtype; +- bool adaptive; ++ bool thrfixed; + struct ad7150_chip_info *chip = iio_priv(indio_dev); + + ret = i2c_smbus_read_byte_data(chip->client, AD7150_CFG); +@@ -138,21 +139,23 @@ static int ad7150_read_event_config(struct iio_dev *indio_dev, + return ret; + + threshtype = (ret >> 5) & 0x03; +- adaptive = !!(ret & 0x80); ++ ++ /*check if threshold mode is fixed or adaptive*/ ++ thrfixed = FIELD_GET(AD7150_CFG_FIX, ret); + + switch (type) { + case IIO_EV_TYPE_MAG_ADAPTIVE: + if (dir == IIO_EV_DIR_RISING) +- return adaptive && (threshtype == 0x1); +- return adaptive && (threshtype == 0x0); ++ return !thrfixed && (threshtype == 0x1); ++ return !thrfixed && (threshtype == 0x0); + case IIO_EV_TYPE_THRESH_ADAPTIVE: + if (dir == IIO_EV_DIR_RISING) +- return adaptive && (threshtype == 0x3); +- return adaptive && (threshtype == 0x2); ++ return !thrfixed && (threshtype == 0x3); ++ return !thrfixed && (threshtype == 0x2); + case IIO_EV_TYPE_THRESH: + if (dir == IIO_EV_DIR_RISING) +- return !adaptive && (threshtype == 0x1); +- return !adaptive && (threshtype == 0x0); ++ return thrfixed && (threshtype == 0x1); ++ return thrfixed && (threshtype == 0x0); + default: + break; + } +-- +2.20.1 +