From: Greg Kroah-Hartman
Date: Sun, 10 Feb 2019 12:38:40 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v4.9.156~31
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0c3b0b28c4b04756582b83595463044ff73cd5ea;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
alsa-compress-fix-stop-handling-on-compressed-capture-streams.patch
alsa-hda-serialize-codec-registrations.patch
dccp-fool-proof-ccid_hc_x_parse_options.patch
enic-fix-checksum-validation-for-ipv6.patch
fuse-call-pipe_buf_release-under-pipe-lock.patch
fuse-decrement-nr_writeback_temp-on-the-right-page.patch
fuse-handle-zero-sized-retrieve-correctly.patch
net-dp83640-expire-old-tx-skb.patch
net-dsa-slave-don-t-propagate-flag-changes-on-down-slave-interfaces.patch
net-systemport-fix-wol-with-password-after-deep-sleep.patch
skge-potential-memory-corruption-in-skge_get_regs.patch
---
diff --git a/queue-4.4/alsa-compress-fix-stop-handling-on-compressed-capture-streams.patch b/queue-4.4/alsa-compress-fix-stop-handling-on-compressed-capture-streams.patch
new file mode 100644
index 00000000000..036d2070d14
--- /dev/null
+++ b/queue-4.4/alsa-compress-fix-stop-handling-on-compressed-capture-streams.patch
@@ -0,0 +1,51 @@
+From 4f2ab5e1d13d6aa77c55f4914659784efd776eb4 Mon Sep 17 00:00:00 2001
+From: Charles Keepax
+Date: Tue, 5 Feb 2019 16:29:40 +0000
+Subject: ALSA: compress: Fix stop handling on compressed capture streams
+
+From: Charles Keepax
+
+commit 4f2ab5e1d13d6aa77c55f4914659784efd776eb4 upstream.
+
+It is normal user behaviour to start, stop, then start a stream
+again without closing it. Currently this works for compressed
+playback streams but not capture ones.
+
+The states on a compressed capture stream go directly from OPEN to
+PREPARED, unlike a playback stream which moves to SETUP and waits
+for a write of data before moving to PREPARED. Currently however,
+when a stop is sent the state is set to SETUP for both types of
+streams. This leaves a capture stream in the situation where a new
+start can't be sent as that requires the state to be PREPARED and
+a new set_params can't be sent as that requires the state to be
+OPEN. The only option being to close the stream, and then reopen.
+
+Correct this issues by allowing snd_compr_drain_notify to set the
+state depending on the stream direction, as we already do in
+set_params.
+
+Fixes: 49bb6402f1aa ("ALSA: compress_core: Add support for capture streams")
+Signed-off-by: Charles Keepax
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/sound/compress_driver.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/include/sound/compress_driver.h
++++ b/include/sound/compress_driver.h
+@@ -178,7 +178,11 @@ static inline void snd_compr_drain_notif
+ if (snd_BUG_ON(!stream))
+ return;
+
+- stream->runtime->state = SNDRV_PCM_STATE_SETUP;
++ if (stream->direction == SND_COMPRESS_PLAYBACK)
++ stream->runtime->state = SNDRV_PCM_STATE_SETUP;
++ else
++ stream->runtime->state = SNDRV_PCM_STATE_PREPARED;
++
+ wake_up(&stream->runtime->sleep);
+ }
+
diff --git a/queue-4.4/alsa-hda-serialize-codec-registrations.patch b/queue-4.4/alsa-hda-serialize-codec-registrations.patch
new file mode 100644
index 00000000000..f1632253cf3
--- /dev/null
+++ b/queue-4.4/alsa-hda-serialize-codec-registrations.patch
@@ -0,0 +1,70 @@
+From 305a0ade180981686eec1f92aa6252a7c6ebb1cf Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 30 Jan 2019 17:46:03 +0100
+Subject: ALSA: hda - Serialize codec registrations
+
+From: Takashi Iwai
+
+commit 305a0ade180981686eec1f92aa6252a7c6ebb1cf upstream.
+
+In the current code, the codec registration may happen both at the
+codec bind time and the end of the controller probe time. In a rare
+occasion, they race with each other, leading to Oops due to the still
+uninitialized card device.
+
+This patch introduces a simple flag to prevent the codec registration
+at the codec bind time as long as the controller probe is going on.
+The controller probe invokes snd_card_register() that does the whole
+registration task, and we don't need to register each piece
+beforehand.
+
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/hda_bind.c | 3 ++-
+ sound/pci/hda/hda_codec.h | 1 +
+ sound/pci/hda/hda_intel.c | 2 ++
+ 3 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_bind.c
++++ b/sound/pci/hda/hda_bind.c
+@@ -109,7 +109,8 @@ static int hda_codec_driver_probe(struct
+ err = snd_hda_codec_build_controls(codec);
+ if (err < 0)
+ goto error_module;
+- if (codec->card->registered) {
++ /* only register after the bus probe finished; otherwise it's racy */
++ if (!codec->bus->bus_probing && codec->card->registered) {
+ err = snd_card_register(codec->card);
+ if (err < 0)
+ goto error_module;
+--- a/sound/pci/hda/hda_codec.h
++++ b/sound/pci/hda/hda_codec.h
+@@ -68,6 +68,7 @@ struct hda_bus {
+ unsigned int response_reset:1; /* controller was reset */
+ unsigned int in_reset:1; /* during reset operation */
+ unsigned int no_response_fallback:1; /* don't fallback at RIRB error */
++ unsigned int bus_probing :1; /* during probing process */
+
+ int primary_dig_out_type; /* primary digital out PCM type */
+ unsigned int mixer_assigned; /* codec addr for mixer name */
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2100,6 +2100,7 @@ static int azx_probe_continue(struct azx
+ int val;
+ int err;
+
++ to_hda_bus(bus)->bus_probing = 1;
+ hda->probe_continued = 1;
+
+ /* Request display power well for the HDA controller or codec. For
+@@ -2200,6 +2201,7 @@ i915_power_fail:
+ if (err < 0)
+ hda->init_failed = 1;
+ complete_all(&hda->probe_wait);
++ to_hda_bus(bus)->bus_probing = 0;
+ return err;
+ }
+
diff --git a/queue-4.4/dccp-fool-proof-ccid_hc_x_parse_options.patch b/queue-4.4/dccp-fool-proof-ccid_hc_x_parse_options.patch
new file mode 100644
index 00000000000..fdb3681bc2b
--- /dev/null
+++ b/queue-4.4/dccp-fool-proof-ccid_hc_x_parse_options.patch
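Review bot: In alsa-hda-serialize-codec-registrations.patch, the new `bus_probing` flag in struct hda_bus is a one-bit field declared directly after `response_reset`, `in_reset` and `no_response_fallback`, so it presumably shares a storage word with them, and azx_probe_continue() sets and clears it with plain stores with no lock visible in the hunks. If any neighbouring bit can be written from another context while the probe runs, the read-modify-write updates can overwrite each other. Consider a separate member such as `bool bus_probing;`, or a comment naming what serialises writes to these bitfields. `bus_probing :1` also carries a space before the colon that the neighbouring fields do not have. The bodies of hda_codec_driver_probe() and azx_probe_continue() extend beyond the hunks.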
@@ -0,0 +1,106 @@
+From foo@baz Sun Feb 10 13:03:23 CET 2019
+From: Eric Dumazet
+Date: Wed, 30 Jan 2019 11:39:41 -0800
+Subject: dccp: fool proof ccid_hc_[rt]x_parse_options()
+
+From: Eric Dumazet
+
+[ Upstream commit 9b1f19d810e92d6cdc68455fbc22d9f961a58ce1 ]
+
+Similarly to commit 276bdb82dedb ("dccp: check ccid before dereferencing")
+it is wise to test for a NULL ccid.
+
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.0.0-rc3+ #37
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:ccid_hc_tx_parse_options net/dccp/ccid.h:205 [inline]
+RIP: 0010:dccp_parse_options+0x8d9/0x12b0 net/dccp/options.c:233
+Code: c5 0f b6 75 b3 80 38 00 0f 85 d6 08 00 00 48 b9 00 00 00 00 00 fc ff df 48 8b 45 b8 4c 8b b8 f8 07 00 00 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 95 08 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b
+kobject: 'loop5' (0000000080f78fc1): kobject_uevent_env
+RSP: 0018:ffff8880a94df0b8 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: ffff8880858ac723 RCX: dffffc0000000000
+RDX: 0000000000000100 RSI: 0000000000000007 RDI: 0000000000000001
+RBP: ffff8880a94df140 R08: 0000000000000001 R09: ffff888061b83a80
+R10: ffffed100c370752 R11: ffff888061b83a97 R12: 0000000000000026
+R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
+FS: 0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f0defa33518 CR3: 000000008db5e000 CR4: 00000000001406e0
+kobject: 'loop5' (0000000080f78fc1): fill_kobj_path: path = '/devices/virtual/block/loop5'
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ dccp_rcv_state_process+0x2b6/0x1af6 net/dccp/input.c:654
+ dccp_v4_do_rcv+0x100/0x190 net/dccp/ipv4.c:688
+ sk_backlog_rcv include/net/sock.h:936 [inline]
+ __sk_receive_skb+0x3a9/0xea0 net/core/sock.c:473
+ dccp_v4_rcv+0x10cb/0x1f80 net/dccp/ipv4.c:880
+ ip_protocol_deliver_rcu+0xb6/0xa20 net/ipv4/ip_input.c:208
+ ip_local_deliver_finish+0x23b/0x390 net/ipv4/ip_input.c:234
+ NF_HOOK include/linux/netfilter.h:289 [inline]
+ NF_HOOK include/linux/netfilter.h:283 [inline]
+ ip_local_deliver+0x1f0/0x740 net/ipv4/ip_input.c:255
+ dst_input include/net/dst.h:450 [inline]
+ ip_rcv_finish+0x1f4/0x2f0 net/ipv4/ip_input.c:414
+ NF_HOOK include/linux/netfilter.h:289 [inline]
+ NF_HOOK include/linux/netfilter.h:283 [inline]
+ ip_rcv+0xed/0x620 net/ipv4/ip_input.c:524
+ __netif_receive_skb_one_core+0x160/0x210 net/core/dev.c:4973
+ __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083
+ process_backlog+0x206/0x750 net/core/dev.c:5923
+ napi_poll net/core/dev.c:6346 [inline]
+ net_rx_action+0x76d/0x1930 net/core/dev.c:6412
+ __do_softirq+0x30b/0xb11 kernel/softirq.c:292
+ run_ksoftirqd kernel/softirq.c:654 [inline]
+ run_ksoftirqd+0x8e/0x110 kernel/softirq.c:646
+ smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164
+ kthread+0x357/0x430 kernel/kthread.c:246
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
+Modules linked in:
+---[ end trace 58a0ba03bea2c376 ]---
+RIP: 0010:ccid_hc_tx_parse_options net/dccp/ccid.h:205 [inline]
+RIP: 0010:dccp_parse_options+0x8d9/0x12b0 net/dccp/options.c:233
+Code: c5 0f b6 75 b3 80 38 00 0f 85 d6 08 00 00 48 b9 00 00 00 00 00 fc ff df 48 8b 45 b8 4c 8b b8 f8 07 00 00 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 95 08 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b
+RSP: 0018:ffff8880a94df0b8 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: ffff8880858ac723 RCX: dffffc0000000000
+RDX: 0000000000000100 RSI: 0000000000000007 RDI: 0000000000000001
+RBP: ffff8880a94df140 R08: 0000000000000001 R09: ffff888061b83a80
+R10: ffffed100c370752 R11: ffff888061b83a97 R12: 0000000000000026
+R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
+FS: 0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f0defa33518 CR3: 0000000009871000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Cc: Gerrit Renker
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/dccp/ccid.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/dccp/ccid.h
++++ b/net/dccp/ccid.h
+@@ -202,7 +202,7 @@ static inline void ccid_hc_tx_packet_rec
+ static inline int ccid_hc_tx_parse_options(struct ccid *ccid, struct sock *sk,
+ u8 pkt, u8 opt, u8 *val, u8 len)
+ {
+- if (ccid->ccid_ops->ccid_hc_tx_parse_options == NULL)
++ if (!ccid || !ccid->ccid_ops->ccid_hc_tx_parse_options)
+ return 0;
+ return ccid->ccid_ops->ccid_hc_tx_parse_options(sk, pkt, opt, val, len);
+ }
+@@ -214,7 +214,7 @@ static inline int ccid_hc_tx_parse_optio
+ static inline int ccid_hc_rx_parse_options(struct ccid *ccid, struct sock *sk,
+ u8 pkt, u8 opt, u8 *val, u8 len)
+ {
+- if (ccid->ccid_ops->ccid_hc_rx_parse_options == NULL)
++ if (!ccid || !ccid->ccid_ops->ccid_hc_rx_parse_options)
+ return 0;
+ return ccid->ccid_ops->ccid_hc_rx_parse_options(sk, pkt, opt, val, len);
+ }
diff --git a/queue-4.4/enic-fix-checksum-validation-for-ipv6.patch b/queue-4.4/enic-fix-checksum-validation-for-ipv6.patch
new file mode 100644
index 00000000000..707e177d792
--- /dev/null
+++ b/queue-4.4/enic-fix-checksum-validation-for-ipv6.patch
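Review bot: In dccp-fool-proof-ccid_hc_x_parse_options.patch, both helpers in net/dccp/ccid.h now return 0 for a NULL `ccid`, the same value they return for a CCID without a parse_options callback, so callers presumably treat the option as accepted; nothing in the code records that this is intended. The call trace in the description shows the path is reached from packet receive (dccp_v4_rcv down to dccp_parse_options), so the input is controlled by the remote peer. A short comment above each check would help, e.g. `/* ccid may be NULL here; CCID-specific options are then ignored */`. `ccid->ccid_ops` is still dereferenced without a check, presumably because it is always set for a live ccid, though the hunks do not show that.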
@@ -0,0 +1,30 @@
+From foo@baz Sun Feb 10 12:58:17 CET 2019
+From: Govindarajulu Varadarajan
+Date: Wed, 30 Jan 2019 06:59:00 -0800
+Subject: enic: fix checksum validation for IPv6
+
+From: Govindarajulu Varadarajan
+
+[ Upstream commit 7596175e99b3d4bce28022193efd954c201a782a ]
+
+In case of IPv6 pkts, ipv4_csum_ok is 0. Because of this, driver does
+not set skb->ip_summed. So IPv6 rx checksum is not offloaded.
+
+Signed-off-by: Govindarajulu Varadarajan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/cisco/enic/enic_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -1180,7 +1180,7 @@ static void enic_rq_indicate_buf(struct
+ * CHECSUM_UNNECESSARY.
+ */
+ if ((netdev->features & NETIF_F_RXCSUM) && tcp_udp_csum_ok &&
+- ipv4_csum_ok)
++ (ipv4_csum_ok || ipv6))
+ skb->ip_summed = CHECKSUM_UNNECESSARY;
+
+ if (vlan_stripped)
diff --git a/queue-4.4/fuse-call-pipe_buf_release-under-pipe-lock.patch b/queue-4.4/fuse-call-pipe_buf_release-under-pipe-lock.patch
new file mode 100644
index 00000000000..ccd3b59885f
--- /dev/null
+++ b/queue-4.4/fuse-call-pipe_buf_release-under-pipe-lock.patch
@@ -0,0 +1,43 @@
+From 9509941e9c534920ccc4771ae70bd6cbbe79df1c Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Sat, 12 Jan 2019 02:39:05 +0100
+Subject: fuse: call pipe_buf_release() under pipe lock
+
+From: Jann Horn
+
+commit 9509941e9c534920ccc4771ae70bd6cbbe79df1c upstream.
+
+Some of the pipe_buf_release() handlers seem to assume that the pipe is
+locked - in particular, anon_pipe_buf_release() accesses pipe->tmp_page
+without taking any extra locks. From a glance through the callers of
+pipe_buf_release(), it looks like FUSE is the only one that calls
+pipe_buf_release() without having the pipe locked.
+
+This bug should only lead to a memory leak, nothing terrible.
+
+Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fuse/dev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -2074,10 +2074,13 @@ static ssize_t fuse_dev_splice_write(str
+
+ ret = fuse_dev_do_write(fud, &cs, len);
+
++ pipe_lock(pipe);
+ for (idx = 0; idx < nbuf; idx++) {
+ struct pipe_buffer *buf = &bufs[idx];
+ buf->ops->release(pipe, buf);
+ }
++ pipe_unlock(pipe);
++
+ out:
+ kfree(bufs);
+ return ret;
diff --git a/queue-4.4/fuse-decrement-nr_writeback_temp-on-the-right-page.patch b/queue-4.4/fuse-decrement-nr_writeback_temp-on-the-right-page.patch
new file mode 100644
index 00000000000..f2699b87695
--- /dev/null
+++ b/queue-4.4/fuse-decrement-nr_writeback_temp-on-the-right-page.patch
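Review bot: In fuse-call-pipe_buf_release-under-pipe-lock.patch, the reason for taking `pipe_lock()` around the release loop in fuse_dev_splice_write() exists only in the commit message, so a later cleanup could drop the lock without noticing. A comment at the lock would prevent that, e.g. `/* ->release() handlers such as anon_pipe_buf_release() touch pipe->tmp_page and expect the pipe lock */`. The loop sits before the `out:` label, so any path that jumps to `out:` skips the releases; whether such a path can already hold filled-in `bufs` entries is decided outside the hunk and is worth checking. The function body starts and ends outside the hunk.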
@@ -0,0 +1,32 @@
+From a2ebba824106dabe79937a9f29a875f837e1b6d4 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Wed, 16 Jan 2019 10:27:59 +0100
+Subject: fuse: decrement NR_WRITEBACK_TEMP on the right page
+
+From: Miklos Szeredi
+
+commit a2ebba824106dabe79937a9f29a875f837e1b6d4 upstream.
+
+NR_WRITEBACK_TEMP is accounted on the temporary page in the request, not
+the page cache page.
+
+Fixes: 8b284dc47291 ("fuse: writepages: handle same page rewrites")
+Cc: # v3.13
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fuse/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1784,7 +1784,7 @@ static bool fuse_writepage_in_flight(str
+ spin_unlock(&fc->lock);
+
+ dec_wb_stat(&bdi->wb, WB_WRITEBACK);
+- dec_zone_page_state(page, NR_WRITEBACK_TEMP);
++ dec_zone_page_state(new_req->pages[0], NR_WRITEBACK_TEMP);
+ wb_writeout_inc(&bdi->wb);
+ fuse_writepage_free(fc, new_req);
+ fuse_request_free(new_req);
diff --git a/queue-4.4/fuse-handle-zero-sized-retrieve-correctly.patch b/queue-4.4/fuse-handle-zero-sized-retrieve-correctly.patch
new file mode 100644
index 00000000000..c9ea6d69708
--- /dev/null
+++ b/queue-4.4/fuse-handle-zero-sized-retrieve-correctly.patch
@@ -0,0 +1,40 @@
+From 97e1532ef81acb31c30f9e75bf00306c33a77812 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Wed, 16 Jan 2019 10:27:59 +0100
+Subject: fuse: handle zero sized retrieve correctly
+
+From: Miklos Szeredi
+
+commit 97e1532ef81acb31c30f9e75bf00306c33a77812 upstream.
+
+Dereferencing req->page_descs[0] will Oops if req->max_pages is zero.
+
+Reported-by: syzbot+c1e36d30ee3416289cc0@syzkaller.appspotmail.com
+Tested-by: syzbot+c1e36d30ee3416289cc0@syzkaller.appspotmail.com
+Fixes: b2430d7567a3 ("fuse: add per-page descriptor to fuse_req")
+Cc: # v3.9
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fuse/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -1741,7 +1741,6 @@ static int fuse_retrieve(struct fuse_con
+ req->in.h.nodeid = outarg->nodeid;
+ req->in.numargs = 2;
+ req->in.argpages = 1;
+- req->page_descs[0].offset = offset;
+ req->end = fuse_retrieve_end;
+
+ index = outarg->offset >> PAGE_CACHE_SHIFT;
+@@ -1756,6 +1755,7 @@ static int fuse_retrieve(struct fuse_con
+
+ this_num = min_t(unsigned, num, PAGE_CACHE_SIZE - offset);
+ req->pages[req->num_pages] = page;
++ req->page_descs[req->num_pages].offset = offset;
+ req->page_descs[req->num_pages].length = this_num;
+ req->num_pages++;
+
diff --git a/queue-4.4/net-dp83640-expire-old-tx-skb.patch b/queue-4.4/net-dp83640-expire-old-tx-skb.patch
new file mode 100644
index 00000000000..879608a4fde
--- /dev/null
+++ b/queue-4.4/net-dp83640-expire-old-tx-skb.patch
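Review bot: In fuse-handle-zero-sized-retrieve-correctly.patch, the offset store in fuse_retrieve() now runs once per page, so each descriptor receives whatever `offset` holds at that iteration; that is only correct if `offset` is reset to 0 after the first page, which is not visible in this hunk. A one-line comment at the new store would make the dependency explicit, e.g. `/* only the first page starts at a non-zero offset */`. The loop condition that bounds `req->num_pages` is also outside the hunk and is presumably what keeps both `page_descs[]` stores in range, which matters because `outarg->offset` comes from the FUSE daemon.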
@@ -0,0 +1,83 @@
+From foo@baz Sun Feb 10 13:03:23 CET 2019
+From: Sebastian Andrzej Siewior
+Date: Mon, 4 Feb 2019 11:20:29 +0100
+Subject: net: dp83640: expire old TX-skb
+
+From: Sebastian Andrzej Siewior
+
+[ Upstream commit 53bc8d2af08654659abfadfd3e98eb9922ff787c ]
+
+During sendmsg() a cloned skb is saved via dp83640_txtstamp() in
+->tx_queue. After the NIC sends this packet, the PHY will reply with a
+timestamp for that TX packet. If the cable is pulled at the right time I
+don't see that packet. It might gets flushed as part of queue shutdown
+on NIC's side.
+Once the link is up again then after the next sendmsg() we enqueue
+another skb in dp83640_txtstamp() and have two on the list. Then the PHY
+will send a reply and decode_txts() attaches it to the first skb on the
+list.
+No crash occurs since refcounting works but we are one packet behind.
+linuxptp/ptp4l usually closes the socket and opens a new one (in such a
+timeout case) so those "stale" replies never get there. However it does
+not resume normal operation anymore.
+
+Purge old skbs in decode_txts().
+
+Fixes: cb646e2b02b2 ("ptp: Added a clock driver for the National Semiconductor PHYTER.")
+Signed-off-by: Sebastian Andrzej Siewior
+Reviewed-by: Kurt Kanzenbach
+Acked-by: Richard Cochran
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/dp83640.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/phy/dp83640.c
++++ b/drivers/net/phy/dp83640.c
+@@ -890,14 +890,14 @@ static void decode_txts(struct dp83640_p
+ struct phy_txts *phy_txts)
+ {
+ struct skb_shared_hwtstamps shhwtstamps;
++ struct dp83640_skb_info *skb_info;
+ struct sk_buff *skb;
+- u64 ns;
+ u8 overflow;
++ u64 ns;
+
+ /* We must already have the skb that triggered this. */
+-
++again:
+ skb = skb_dequeue(&dp83640->tx_queue);
+-
+ if (!skb) {
+ pr_debug("have timestamp but tx_queue empty\n");
+ return;
+@@ -912,6 +912,11 @@ static void decode_txts(struct dp83640_p
+ }
+ return;
+ }
++ skb_info = (struct dp83640_skb_info *)skb->cb;
++ if (time_after(jiffies, skb_info->tmo)) {
++ kfree_skb(skb);
++ goto again;
++ }
+
+ ns = phy2txts(phy_txts);
+ memset(&shhwtstamps, 0, sizeof(shhwtstamps));
+@@ -1461,6 +1466,7 @@ static bool dp83640_rxtstamp(struct phy_
+ static void dp83640_txtstamp(struct phy_device *phydev,
+ struct sk_buff *skb, int type)
+ {
++ struct dp83640_skb_info *skb_info = (struct dp83640_skb_info *)skb->cb;
+ struct dp83640_private *dp83640 = phydev->priv;
+
+ switch (dp83640->hwts_tx_en) {
+@@ -1473,6 +1479,7 @@ static void dp83640_txtstamp(struct phy_
+ /* fall through */
+ case HWTSTAMP_TX_ON:
+ skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS;
++ skb_info->tmo = jiffies + SKB_TIMESTAMP_TIMEOUT;
+ skb_queue_tail(&dp83640->tx_queue, skb);
+ break;
+
diff --git a/queue-4.4/net-dsa-slave-don-t-propagate-flag-changes-on-down-slave-interfaces.patch b/queue-4.4/net-dsa-slave-don-t-propagate-flag-changes-on-down-slave-interfaces.patch
new file mode 100644
index 00000000000..953beae2971
--- /dev/null
+++ b/queue-4.4/net-dsa-slave-don-t-propagate-flag-changes-on-down-slave-interfaces.patch
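Review bot: In net-dp83640-expire-old-tx-skb.patch, the retained comment `/* We must already have the skb that triggered this. */` in decode_txts() no longer matches the code under it, because the new `again:` path can discard several queued skbs before reaching the one the timestamp belongs to. Suggest rewording it, e.g. `/* Find the skb this timestamp belongs to, dropping ones whose reply never came. */`. The expiry test trusts `skb_info->tmo` stored in `skb->cb`, which dp83640_txtstamp() writes on the HWTSTAMP_TX_ON path just before queueing; a note there that `cb` must stay untouched while the skb sits on `tx_queue` would document that assumption. Both function bodies extend beyond the hunks.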
@@ -0,0 +1,53 @@
+From foo@baz Sun Feb 10 12:47:17 CET 2019
+From: Rundong Ge
+Date: Sat, 2 Feb 2019 14:29:35 +0000
+Subject: net: dsa: slave: Don't propagate flag changes on down slave interfaces
+
+From: Rundong Ge
+
+[ Upstream commit 17ab4f61b8cd6f9c38e9d0b935d86d73b5d0d2b5 ]
+
+The unbalance of master's promiscuity or allmulti will happen after ifdown
+and ifup a slave interface which is in a bridge.
+
+When we ifdown a slave interface , both the 'dsa_slave_close' and
+'dsa_slave_change_rx_flags' will clear the master's flags. The flags
+of master will be decrease twice.
+In the other hand, if we ifup the slave interface again, since the
+slave's flags were cleared the 'dsa_slave_open' won't set the master's
+flag, only 'dsa_slave_change_rx_flags' that triggered by 'br_add_if'
+will set the master's flags. The flags of master is increase once.
+
+Only propagating flag changes when a slave interface is up makes
+sure this does not happen. The 'vlan_dev_change_rx_flags' had the
+same problem and was fixed, and changes here follows that fix.
+
+Fixes: 91da11f870f0 ("net: Distributed Switch Architecture protocol support")
+Signed-off-by: Rundong Ge
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/dsa/slave.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/dsa/slave.c
++++ b/net/dsa/slave.c
+@@ -157,10 +157,14 @@ static void dsa_slave_change_rx_flags(st
+ struct dsa_slave_priv *p = netdev_priv(dev);
+ struct net_device *master = p->parent->dst->master_netdev;
+
+- if (change & IFF_ALLMULTI)
+- dev_set_allmulti(master, dev->flags & IFF_ALLMULTI ? 1 : -1);
+- if (change & IFF_PROMISC)
+- dev_set_promiscuity(master, dev->flags & IFF_PROMISC ? 1 : -1);
++ if (dev->flags & IFF_UP) {
++ if (change & IFF_ALLMULTI)
++ dev_set_allmulti(master,
++ dev->flags & IFF_ALLMULTI ? 1 : -1);
++ if (change & IFF_PROMISC)
++ dev_set_promiscuity(master,
++ dev->flags & IFF_PROMISC ? 1 : -1);
++ }
+ }
+
+ static void dsa_slave_set_rx_mode(struct net_device *dev)
diff --git a/queue-4.4/net-systemport-fix-wol-with-password-after-deep-sleep.patch b/queue-4.4/net-systemport-fix-wol-with-password-after-deep-sleep.patch
new file mode 100644
index 00000000000..4eda88fc804
--- /dev/null
+++ b/queue-4.4/net-systemport-fix-wol-with-password-after-deep-sleep.patch
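Review bot: In net-dsa-slave-don-t-propagate-flag-changes-on-down-slave-interfaces.patch, the new `if (dev->flags & IFF_UP)` guard in dsa_slave_change_rx_flags() carries no comment, so the reason for it is only in the commit message. Going by that description, the open and close handlers adjust the master's allmulti and promiscuity counts themselves, and a change propagated while the slave is down unbalances those counts, which can leave the master in the wrong promiscuous state. Suggest a comment above the guard such as `/* open/close sync the master's counts; only propagate changes while the slave is up */`.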
@@ -0,0 +1,104 @@
+From foo@baz Sun Feb 10 12:47:17 CET 2019
+From: Florian Fainelli
+Date: Fri, 1 Feb 2019 13:23:38 -0800
+Subject: net: systemport: Fix WoL with password after deep sleep
+
+From: Florian Fainelli
+
+[ Upstream commit 8dfb8d2cceb76b74ad5b58cc65c75994329b4d5e ]
+
+Broadcom STB chips support a deep sleep mode where all register
+contents are lost. Because we were stashing the MagicPacket password
+into some of these registers a suspend into that deep sleep then a
+resumption would not lead to being able to wake-up from MagicPacket with
+password again.
+
+Fix this by keeping a software copy of the password and program it
+during suspend.
+
+Fixes: 83e82f4c706b ("net: systemport: add Wake-on-LAN support")
+Signed-off-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 25 ++++++++++---------------
+ drivers/net/ethernet/broadcom/bcmsysport.h | 2 ++
+ 2 files changed, 12 insertions(+), 15 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -400,7 +400,6 @@ static void bcm_sysport_get_wol(struct n
+ struct ethtool_wolinfo *wol)
+ {
+ struct bcm_sysport_priv *priv = netdev_priv(dev);
+- u32 reg;
+
+ wol->supported = WAKE_MAGIC | WAKE_MAGICSECURE;
+ wol->wolopts = priv->wolopts;
+@@ -408,11 +407,7 @@ static void bcm_sysport_get_wol(struct n
+ if (!(priv->wolopts & WAKE_MAGICSECURE))
+ return;
+
+- /* Return the programmed SecureOn password */
+- reg = umac_readl(priv, UMAC_PSW_MS);
+- put_unaligned_be16(reg, &wol->sopass[0]);
+- reg = umac_readl(priv, UMAC_PSW_LS);
+- put_unaligned_be32(reg, &wol->sopass[2]);
++ memcpy(wol->sopass, priv->sopass, sizeof(priv->sopass));
+ }
+
+ static int bcm_sysport_set_wol(struct net_device *dev,
+@@ -428,13 +423,8 @@ static int bcm_sysport_set_wol(struct ne
+ if (wol->wolopts & ~supported)
+ return -EINVAL;
+
+- /* Program the SecureOn password */
+- if (wol->wolopts & WAKE_MAGICSECURE) {
+- umac_writel(priv, get_unaligned_be16(&wol->sopass[0]),
+- UMAC_PSW_MS);
+- umac_writel(priv, get_unaligned_be32(&wol->sopass[2]),
+- UMAC_PSW_LS);
+- }
++ if (wol->wolopts & WAKE_MAGICSECURE)
++ memcpy(priv->sopass, wol->sopass, sizeof(priv->sopass));
+
+ /* Flag the device and relevant IRQ as wakeup capable */
+ if (wol->wolopts) {
+@@ -1889,12 +1879,17 @@ static int bcm_sysport_suspend_to_wol(st
+ unsigned int timeout = 1000;
+ u32 reg;
+
+- /* Password has already been programmed */
+ reg = umac_readl(priv, UMAC_MPD_CTRL);
+ reg |= MPD_EN;
+ reg &= ~PSW_EN;
+- if (priv->wolopts & WAKE_MAGICSECURE)
++ if (priv->wolopts & WAKE_MAGICSECURE) {
++ /* Program the SecureOn password */
++ umac_writel(priv, get_unaligned_be16(&priv->sopass[0]),
++ UMAC_PSW_MS);
++ umac_writel(priv, get_unaligned_be32(&priv->sopass[2]),
++ UMAC_PSW_LS);
+ reg |= PSW_EN;
++ }
+ umac_writel(priv, reg, UMAC_MPD_CTRL);
+
+ /* Make sure RBUF entered WoL mode as result */
+--- a/drivers/net/ethernet/broadcom/bcmsysport.h
++++ b/drivers/net/ethernet/broadcom/bcmsysport.h
+@@ -11,6 +11,7 @@
+ #ifndef __BCM_SYSPORT_H
+ #define __BCM_SYSPORT_H
+
++#include
+ #include
+
+ /* Receive/transmit descriptor format */
+@@ -682,6 +683,7 @@ struct bcm_sysport_priv {
+ unsigned int crc_fwd:1;
+ u16 rev;
+ u32 wolopts;
++ u8 sopass[SOPASS_MAX];
+ unsigned int wol_irq_disabled:1;
+
+ /* MIB related fields */
diff --git a/queue-4.4/series b/queue-4.4/series
index 4a2a423a1da..63a681d4278 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
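Review bot: In net-systemport-fix-wol-with-password-after-deep-sleep.patch, bcm_sysport_set_wol() copies `wol->sopass` into `priv->sopass` only when WAKE_MAGICSECURE is requested and never clears it, so once the option is switched off the previous SecureOn password stays in driver memory. bcm_sysport_get_wol() returns early without WAKE_MAGICSECURE, so the stale value is not handed back, but wiping it is cheap: `else memset(priv->sopass, 0, sizeof(priv->sopass));`. In bcm_sysport_get_wol() the copy length is `sizeof(priv->sopass)` while the destination is `wol->sopass`; the two match only as long as both are SOPASS_MAX bytes, so `sizeof(wol->sopass)` or a `BUILD_BUG_ON()` on the two sizes would tie the bound to the destination. All three function bodies extend beyond the hunks.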
@@ -79,3 +79,14 @@ thermal-hwmon-inline-helpers-when-config_thermal_hwmon-is-not-set.patch
 test_hexdump-use-memcpy-instead-of-strncpy.patch
 tipc-use-destination-length-for-copy-string.patch
 string-drop-__must_check-from-strscpy-and-restore-strscpy-usages-in-cgroup.patch
+dccp-fool-proof-ccid_hc_x_parse_options.patch
+enic-fix-checksum-validation-for-ipv6.patch
+net-dp83640-expire-old-tx-skb.patch
+skge-potential-memory-corruption-in-skge_get_regs.patch
+net-systemport-fix-wol-with-password-after-deep-sleep.patch
+net-dsa-slave-don-t-propagate-flag-changes-on-down-slave-interfaces.patch
+alsa-compress-fix-stop-handling-on-compressed-capture-streams.patch
+alsa-hda-serialize-codec-registrations.patch
+fuse-call-pipe_buf_release-under-pipe-lock.patch
+fuse-decrement-nr_writeback_temp-on-the-right-page.patch
+fuse-handle-zero-sized-retrieve-correctly.patch
diff --git a/queue-4.4/skge-potential-memory-corruption-in-skge_get_regs.patch b/queue-4.4/skge-potential-memory-corruption-in-skge_get_regs.patch
new file mode 100644
index 00000000000..d8faa003353
--- /dev/null
+++ b/queue-4.4/skge-potential-memory-corruption-in-skge_get_regs.patch
@@ -0,0 +1,37 @@
+From foo@baz Sun Feb 10 13:03:23 CET 2019
+From: Dan Carpenter
+Date: Fri, 1 Feb 2019 11:28:16 +0300
+Subject: skge: potential memory corruption in skge_get_regs()
+
+From: Dan Carpenter
+
+[ Upstream commit 294c149a209c6196c2de85f512b52ef50f519949 ]
+
+The "p" buffer is 0x4000 bytes long. B3_RI_WTO_R1 is 0x190. The value
+of "regs->len" is in the 1-0x4000 range. The bug here is that
+"regs->len - B3_RI_WTO_R1" can be a negative value which would lead to
+memory corruption and an abrupt crash.
+
+Fixes: c3f8be961808 ("[PATCH] skge: expand ethtool debug register dump")
+Signed-off-by: Dan Carpenter
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/marvell/skge.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/skge.c
++++ b/drivers/net/ethernet/marvell/skge.c
+@@ -152,8 +152,10 @@ static void skge_get_regs(struct net_dev
+ memset(p, 0, regs->len);
+ memcpy_fromio(p, io, B3_RAM_ADDR);
+
+- memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1,
+- regs->len - B3_RI_WTO_R1);
++ if (regs->len > B3_RI_WTO_R1) {
++ memcpy_fromio(p + B3_RI_WTO_R1, io + B3_RI_WTO_R1,
++ regs->len - B3_RI_WTO_R1);
++ }
+ }
+
+ /* Wake on Lan only supported on Yukon chips with rev 1 or above */
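Review bot: In skge-potential-memory-corruption-in-skge_get_regs.patch, the new guard covers only the second copy; `memcpy_fromio(p, io, B3_RAM_ADDR)` just above still copies a fixed B3_RAM_ADDR bytes whatever `regs->len` is, which is safe only because, per the description, `p` is always 0x4000 bytes long. That assumption deserves a comment at the guard, e.g. `/* p is the full-size dump buffer; regs->len may be shorter than B3_RI_WTO_R1 */`. If `regs->len` is an unsigned type, the old `regs->len - B3_RI_WTO_R1` wrapped to a very large length rather than going negative, which explains the crash better than the wording in the description. The start of skge_get_regs() is outside the hunk.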