From: Greg Kroah-Hartman
Date: Wed, 14 Aug 2019 16:41:12 +0000 (+0200)
Subject: 4.14-stable patches
X-Git-Tag: v5.2.9~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=12033fd841df50d77574cedd2b9daa2e07b2e723;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	alsa-firewire-fix-a-memory-leak-bug.patch
	alsa-hda-don-t-override-global-pcm-hw-info-flag.patch
	alsa-hda-workaround-for-crackled-sound-on-amd-controller-1022-1457.patch
	can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch
	can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch
	drm-i915-fix-wrong-escape-clock-divisor-init-for-glk.patch
	hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch
	iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch
	iwlwifi-mvm-don-t-send-geo_tx_power_limit-on-version-41.patch
	iwlwifi-mvm-fix-an-out-of-bound-access.patch
	iwlwifi-mvm-fix-version-check-for-geo_tx_power_limit-support.patch
	kvm-fix-leak-vcpu-s-vmcs-value-into-other-pcpu.patch
	mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch
	mwifiex-fix-802.11n-wpa-detection.patch
	nfsv4-fix-an-oops-in-nfs4_do_setattr.patch
	nfsv4-only-pass-the-delegation-to-setattr-if-we-re-sending-a-truncate.patch
	smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch
	smb3-send-cap_dfs-capability-during-session-setup.patch
---

diff --git a/queue-4.14/alsa-firewire-fix-a-memory-leak-bug.patch b/queue-4.14/alsa-firewire-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..05ca846644c --- /dev/null +++ b/queue-4.14/alsa-firewire-fix-a-memory-leak-bug.patch 
@@ -0,0 +1,39 @@ +From 1be3c1fae6c1e1f5bb982b255d2034034454527a Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Thu, 8 Aug 2019 00:50:58 -0500 +Subject: ALSA: firewire: fix a memory leak bug + +From: Wenwen Wang + +commit 1be3c1fae6c1e1f5bb982b255d2034034454527a upstream. + +In iso_packets_buffer_init(), 'b->packets' is allocated through +kmalloc_array(). Then, the aligned packet size is checked. If it is +larger than PAGE_SIZE, -EINVAL will be returned to indicate the error. +However, the allocated 'b->packets' is not deallocated on this path, +leading to a memory leak. + +To fix the above issue, free 'b->packets' before returning the error code. + +Fixes: 31ef9134eb52 ("ALSA: add LaCie FireWire Speakers/Griffin FireWave Surround driver") +Signed-off-by: Wenwen Wang +Reviewed-by: Takashi Sakamoto +Cc: # v2.6.39+ +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/packets-buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/firewire/packets-buffer.c ++++ b/sound/firewire/packets-buffer.c +@@ -37,7 +37,7 @@ int iso_packets_buffer_init(struct iso_p + packets_per_page = PAGE_SIZE / packet_size; + if (WARN_ON(!packets_per_page)) { + err = -EINVAL; +- goto error; ++ goto err_packets; + } + pages = DIV_ROUND_UP(count, packets_per_page); + diff --git a/queue-4.14/alsa-hda-don-t-override-global-pcm-hw-info-flag.patch b/queue-4.14/alsa-hda-don-t-override-global-pcm-hw-info-flag.patch new file mode 100644 index 00000000000..f99af04e7bd --- /dev/null +++ b/queue-4.14/alsa-hda-don-t-override-global-pcm-hw-info-flag.patch 
@@ -0,0 +1,42 @@ +From c1c6c877b0c79fd7e05c931435aa42211eaeebaf Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 6 Aug 2019 14:03:56 +0200 +Subject: ALSA: hda - Don't override global PCM hw info flag + +From: Takashi Iwai + +commit c1c6c877b0c79fd7e05c931435aa42211eaeebaf upstream. + +The commit bfcba288b97f ("ALSA - hda: Add support for link audio time +reporting") introduced the conditional PCM hw info setup, but it +overwrites the global azx_pcm_hw object. This will cause a problem if +any other HD-audio controller, as it'll inherit the same bit flag +although another controller doesn't support that feature. + +Fix the bug by setting the PCM hw info flag locally. + +Fixes: bfcba288b97f ("ALSA - hda: Add support for link audio time reporting") +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_controller.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/sound/pci/hda/hda_controller.c ++++ b/sound/pci/hda/hda_controller.c +@@ -609,11 +609,9 @@ static int azx_pcm_open(struct snd_pcm_s + } + runtime->private_data = azx_dev; + +- if (chip->gts_present) +- azx_pcm_hw.info = azx_pcm_hw.info | +- SNDRV_PCM_INFO_HAS_LINK_SYNCHRONIZED_ATIME; +- + runtime->hw = azx_pcm_hw; ++ if (chip->gts_present) ++ runtime->hw.info |= SNDRV_PCM_INFO_HAS_LINK_SYNCHRONIZED_ATIME; + runtime->hw.channels_min = hinfo->channels_min; + runtime->hw.channels_max = hinfo->channels_max; + runtime->hw.formats = hinfo->formats; diff --git a/queue-4.14/alsa-hda-workaround-for-crackled-sound-on-amd-controller-1022-1457.patch b/queue-4.14/alsa-hda-workaround-for-crackled-sound-on-amd-controller-1022-1457.patch new file mode 100644 index 00000000000..bb4ed2efe48 --- /dev/null +++ b/queue-4.14/alsa-hda-workaround-for-crackled-sound-on-amd-controller-1022-1457.patch 
@@ -0,0 +1,202 @@ +From c02f77d32d2c45cfb1b2bb99eabd8a78f5ecc7db Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 6 Aug 2019 17:31:48 +0200 +Subject: ALSA: hda - Workaround for crackled sound on AMD controller (1022:1457) + +From: Takashi Iwai + +commit c02f77d32d2c45cfb1b2bb99eabd8a78f5ecc7db upstream. + +A long-time problem on the recent AMD chip (X370, X470, B450, etc with +PCI ID 1022:1457) with Realtek codecs is the crackled or distorted +sound for capture streams, as well as occasional playback hiccups. +After lengthy debugging sessions, the workarounds we've found are like +the following: + +- Set up the proper driver caps for this controller, similar as the + other AMD controller. + +- Correct the DMA position reporting with the fixed FIFO size, which + is similar like as workaround used for VIA chip set. + +- Even after the position correction, PulseAudio still shows + mysterious stalls of playback streams when a capture is triggered in + timer-scheduled mode. Since we have no clear way to eliminate the + stall, pass the BATCH PCM flag for PA to suppress the tsched mode as + a temporary workaround. + +This patch implements the workarounds. For the driver caps, it +defines a new preset, AXZ_DCAPS_PRESET_AMD_SB. It enables the FIFO- +corrected position reporting (corresponding to the new position_fix=6) +and enforces the SNDRV_PCM_INFO_BATCH flag. + +Note that the current implementation is merely a workaround. +Hopefully we'll find a better alternative in future, especially about +removing the BATCH flag hack again. 
+ +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=195303 +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_controller.c | 7 ++++ + sound/pci/hda/hda_controller.h | 2 - + sound/pci/hda/hda_intel.c | 63 ++++++++++++++++++++++++++++++++++++++++- + 3 files changed, 70 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/hda_controller.c ++++ b/sound/pci/hda/hda_controller.c +@@ -624,6 +624,13 @@ static int azx_pcm_open(struct snd_pcm_s + 20, + 178000000); + ++ /* by some reason, the playback stream stalls on PulseAudio with ++ * tsched=1 when a capture stream triggers. Until we figure out the ++ * real cause, disable tsched mode by telling the PCM info flag. ++ */ ++ if (chip->driver_caps & AZX_DCAPS_AMD_WORKAROUND) ++ runtime->hw.info |= SNDRV_PCM_INFO_BATCH; ++ + if (chip->align_buffer_size) + /* constrain buffer sizes to be multiple of 128 + bytes. This is more efficient in terms of memory +--- a/sound/pci/hda/hda_controller.h ++++ b/sound/pci/hda/hda_controller.h +@@ -40,7 +40,7 @@ + /* 14 unused */ + #define AZX_DCAPS_CTX_WORKAROUND (1 << 15) /* X-Fi workaround */ + #define AZX_DCAPS_POSFIX_LPIB (1 << 16) /* Use LPIB as default */ +-/* 17 unused */ ++#define AZX_DCAPS_AMD_WORKAROUND (1 << 17) /* AMD-specific workaround */ + #define AZX_DCAPS_NO_64BIT (1 << 18) /* No 64bit address */ + #define AZX_DCAPS_SYNC_WRITE (1 << 19) /* sync each cmd write */ + #define AZX_DCAPS_OLD_SSYNC (1 << 20) /* Old SSYNC reg for ICH */ +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -78,6 +78,7 @@ enum { + POS_FIX_VIACOMBO, + POS_FIX_COMBO, + POS_FIX_SKL, ++ POS_FIX_FIFO, + }; + + /* Defines for ATI HD Audio support in SB450 south bridge */ +@@ -149,7 +150,7 @@ module_param_array(model, charp, NULL, 0 + MODULE_PARM_DESC(model, "Use the given board model."); + module_param_array(position_fix, int, NULL, 0444); + MODULE_PARM_DESC(position_fix, "DMA pointer read method." 
+- "(-1 = system default, 0 = auto, 1 = LPIB, 2 = POSBUF, 3 = VIACOMBO, 4 = COMBO, 5 = SKL+)."); ++ "(-1 = system default, 0 = auto, 1 = LPIB, 2 = POSBUF, 3 = VIACOMBO, 4 = COMBO, 5 = SKL+, 6 = FIFO)."); + module_param_array(bdl_pos_adj, int, NULL, 0644); + MODULE_PARM_DESC(bdl_pos_adj, "BDL position adjustment offset."); + module_param_array(probe_mask, int, NULL, 0444); +@@ -350,6 +351,11 @@ enum { + #define AZX_DCAPS_PRESET_ATI_HDMI_NS \ + (AZX_DCAPS_PRESET_ATI_HDMI | AZX_DCAPS_SNOOP_OFF) + ++/* quirks for AMD SB */ ++#define AZX_DCAPS_PRESET_AMD_SB \ ++ (AZX_DCAPS_NO_TCSEL | AZX_DCAPS_SYNC_WRITE | AZX_DCAPS_AMD_WORKAROUND |\ ++ AZX_DCAPS_SNOOP_TYPE(ATI) | AZX_DCAPS_PM_RUNTIME) ++ + /* quirks for Nvidia */ + #define AZX_DCAPS_PRESET_NVIDIA \ + (AZX_DCAPS_NO_MSI | AZX_DCAPS_CORBRP_SELF_CLEAR |\ +@@ -917,6 +923,49 @@ static unsigned int azx_via_get_position + return bound_pos + mod_dma_pos; + } + ++#define AMD_FIFO_SIZE 32 ++ ++/* get the current DMA position with FIFO size correction */ ++static unsigned int azx_get_pos_fifo(struct azx *chip, struct azx_dev *azx_dev) ++{ ++ struct snd_pcm_substream *substream = azx_dev->core.substream; ++ struct snd_pcm_runtime *runtime = substream->runtime; ++ unsigned int pos, delay; ++ ++ pos = snd_hdac_stream_get_pos_lpib(azx_stream(azx_dev)); ++ if (!runtime) ++ return pos; ++ ++ runtime->delay = AMD_FIFO_SIZE; ++ delay = frames_to_bytes(runtime, AMD_FIFO_SIZE); ++ if (azx_dev->insufficient) { ++ if (pos < delay) { ++ delay = pos; ++ runtime->delay = bytes_to_frames(runtime, pos); ++ } else { ++ azx_dev->insufficient = 0; ++ } ++ } ++ ++ /* correct the DMA position for capture stream */ ++ if (substream->stream == SNDRV_PCM_STREAM_CAPTURE) { ++ if (pos < delay) ++ pos += azx_dev->core.bufsize; ++ pos -= delay; ++ } ++ ++ return pos; ++} ++ ++static int azx_get_delay_from_fifo(struct azx *chip, struct azx_dev *azx_dev, ++ unsigned int pos) ++{ ++ struct snd_pcm_substream *substream = azx_dev->core.substream; ++ ++ /* just 
read back the calculated value in the above */ ++ return substream->runtime->delay; ++} ++ + static unsigned int azx_skl_get_dpib_pos(struct azx *chip, + struct azx_dev *azx_dev) + { +@@ -1484,6 +1533,7 @@ static int check_position_fix(struct azx + case POS_FIX_VIACOMBO: + case POS_FIX_COMBO: + case POS_FIX_SKL: ++ case POS_FIX_FIFO: + return fix; + } + +@@ -1500,6 +1550,10 @@ static int check_position_fix(struct azx + dev_dbg(chip->card->dev, "Using VIACOMBO position fix\n"); + return POS_FIX_VIACOMBO; + } ++ if (chip->driver_caps & AZX_DCAPS_AMD_WORKAROUND) { ++ dev_dbg(chip->card->dev, "Using FIFO position fix\n"); ++ return POS_FIX_FIFO; ++ } + if (chip->driver_caps & AZX_DCAPS_POSFIX_LPIB) { + dev_dbg(chip->card->dev, "Using LPIB position fix\n"); + return POS_FIX_LPIB; +@@ -1520,6 +1574,7 @@ static void assign_position_fix(struct a + [POS_FIX_VIACOMBO] = azx_via_get_position, + [POS_FIX_COMBO] = azx_get_pos_lpib, + [POS_FIX_SKL] = azx_get_pos_skl, ++ [POS_FIX_FIFO] = azx_get_pos_fifo, + }; + + chip->get_position[0] = chip->get_position[1] = callbacks[fix]; +@@ -1534,6 +1589,9 @@ static void assign_position_fix(struct a + azx_get_delay_from_lpib; + } + ++ if (fix == POS_FIX_FIFO) ++ chip->get_delay[0] = chip->get_delay[1] = ++ azx_get_delay_from_fifo; + } + + /* +@@ -2516,6 +2574,9 @@ static const struct pci_device_id azx_id + /* AMD Hudson */ + { PCI_DEVICE(0x1022, 0x780d), + .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB }, ++ /* AMD, X370 & co */ ++ { PCI_DEVICE(0x1022, 0x1457), ++ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_AMD_SB }, + /* AMD Stoney */ + { PCI_DEVICE(0x1022, 0x157a), + .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB | diff --git a/queue-4.14/can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch b/queue-4.14/can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch new file mode 100644 index 00000000000..850fb5a47a5 --- /dev/null 
+++ b/queue-4.14/can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch @@ -0,0 +1,35 @@ +From 30a8beeb3042f49d0537b7050fd21b490166a3d9 Mon Sep 17 00:00:00 2001 +From: Tomas Bortoli +Date: Wed, 31 Jul 2019 10:54:47 -0400 +Subject: can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices + +From: Tomas Bortoli + +commit 30a8beeb3042f49d0537b7050fd21b490166a3d9 upstream. + +Uninitialized Kernel memory can leak to USB devices. + +Fix by using kzalloc() instead of kmalloc() on the affected buffers. + +Signed-off-by: Tomas Bortoli +Reported-by: syzbot+513e4d0985298538bf9b@syzkaller.appspotmail.com +Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters") +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c +@@ -852,7 +852,7 @@ static int pcan_usb_fd_init(struct peak_ + goto err_out; + + /* allocate command buffer once for all for the interface */ +- pdev->cmd_buffer_addr = kmalloc(PCAN_UFD_CMD_BUFFER_SIZE, ++ pdev->cmd_buffer_addr = kzalloc(PCAN_UFD_CMD_BUFFER_SIZE, + GFP_KERNEL); + if (!pdev->cmd_buffer_addr) + goto err_out_1; diff --git a/queue-4.14/can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch b/queue-4.14/can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch new file mode 100644 index 00000000000..0de45982150 --- /dev/null +++ b/queue-4.14/can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch 
@@ -0,0 +1,35 @@ +From ead16e53c2f0ed946d82d4037c630e2f60f4ab69 Mon Sep 17 00:00:00 2001 +From: Tomas Bortoli +Date: Wed, 31 Jul 2019 10:54:47 -0400 +Subject: can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices + +From: Tomas Bortoli + +commit ead16e53c2f0ed946d82d4037c630e2f60f4ab69 upstream. + +Uninitialized Kernel memory can leak to USB devices. + +Fix by using kzalloc() instead of kmalloc() on the affected buffers. + +Signed-off-by: Tomas Bortoli +Reported-by: syzbot+d6a5a1a3657b596ef132@syzkaller.appspotmail.com +Fixes: f14e22435a27 ("net: can: peak_usb: Do not do dma on the stack") +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/peak_usb/pcan_usb_pro.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/can/usb/peak_usb/pcan_usb_pro.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_pro.c +@@ -500,7 +500,7 @@ static int pcan_usb_pro_drv_loaded(struc + u8 *buffer; + int err; + +- buffer = kmalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL); ++ buffer = kzalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL); + if (!buffer) + return -ENOMEM; + diff --git a/queue-4.14/drm-i915-fix-wrong-escape-clock-divisor-init-for-glk.patch b/queue-4.14/drm-i915-fix-wrong-escape-clock-divisor-init-for-glk.patch new file mode 100644 index 00000000000..ac254afb256 --- /dev/null +++ b/queue-4.14/drm-i915-fix-wrong-escape-clock-divisor-init-for-glk.patch 
@@ -0,0 +1,54 @@ +From 73a0ff0b30af79bf0303d557eb82f1d1945bb6ee Mon Sep 17 00:00:00 2001 +From: Stanislav Lisovskiy +Date: Fri, 12 Jul 2019 11:19:38 +0300 +Subject: drm/i915: Fix wrong escape clock divisor init for GLK + +From: Stanislav Lisovskiy + +commit 73a0ff0b30af79bf0303d557eb82f1d1945bb6ee upstream. + +According to Bspec clock divisor registers in GeminiLake +should be initialized by shifting 1(<<) to amount of correspondent +divisor. While i915 was writing all this time that value as is. + +Surprisingly that it by accident worked, until we met some issues +with Microtech Etab. + +v2: Added Fixes tag and cc +v3: Added stable to cc as well. + +Signed-off-by: Stanislav Lisovskiy +Reviewed-by: Vandita Kulkarni +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108826 +Fixes: bcc657004841 ("drm/i915/glk: Program txesc clock divider for GLK") +Cc: Deepak M +Cc: Madhav Chauhan +Cc: Jani Nikula +Cc: Jani Nikula +Cc: Joonas Lahtinen +Cc: Rodrigo Vivi +Cc: intel-gfx@lists.freedesktop.org +Cc: stable@vger.kernel.org +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20190712081938.14185-1-stanislav.lisovskiy@intel.com +(cherry picked from commit ce52ad5dd52cfaf3398058384e0ff94134bbd89c) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_dsi_pll.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_dsi_pll.c ++++ b/drivers/gpu/drm/i915/intel_dsi_pll.c +@@ -422,8 +422,8 @@ static void glk_dsi_program_esc_clock(st + else + txesc2_div = 10; + +- I915_WRITE(MIPIO_TXESC_CLK_DIV1, txesc1_div & GLK_TX_ESC_CLK_DIV1_MASK); +- I915_WRITE(MIPIO_TXESC_CLK_DIV2, txesc2_div & GLK_TX_ESC_CLK_DIV2_MASK); ++ I915_WRITE(MIPIO_TXESC_CLK_DIV1, (1 << (txesc1_div - 1)) & GLK_TX_ESC_CLK_DIV1_MASK); ++ I915_WRITE(MIPIO_TXESC_CLK_DIV2, (1 << (txesc2_div - 1)) & GLK_TX_ESC_CLK_DIV2_MASK); + } + + /* Program BXT Mipi clocks and dividers */ 
diff --git a/queue-4.14/hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch b/queue-4.14/hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch new file mode 100644 index 00000000000..b46483cfbd3 --- /dev/null +++ b/queue-4.14/hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch 
@@ -0,0 +1,56 @@ +From 38ada2f406a9b81fb1249c5c9227fa657e7d5671 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Fri, 26 Jul 2019 08:00:49 -0700 +Subject: hwmon: (nct7802) Fix wrong detection of in4 presence + +From: Guenter Roeck + +commit 38ada2f406a9b81fb1249c5c9227fa657e7d5671 upstream. + +The code to detect if in4 is present is wrong; if in4 is not present, +the in4_input sysfs attribute is still present. + +In detail: + +- Ihen RTD3_MD=11 (VSEN3 present), everything is as expected (no bug). +- If we have RTD3_MD!=11 (no VSEN3), we unexpectedly have a in4_input + file under /sys and the "sensors" command displays in4_input. + But as expected, we have no in4_min, in4_max, in4_alarm, in4_beep. + +Fix is_visible function to detect and report in4_input visibility +as expected. + +Reported-by: Gilles Buloz +Cc: Gilles Buloz +Cc: stable@vger.kernel.org +Fixes: 3434f37835804 ("hwmon: Driver for Nuvoton NCT7802Y") +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/nct7802.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/hwmon/nct7802.c ++++ b/drivers/hwmon/nct7802.c +@@ -768,7 +768,7 @@ static struct attribute *nct7802_in_attr + &sensor_dev_attr_in3_alarm.dev_attr.attr, + &sensor_dev_attr_in3_beep.dev_attr.attr, + +- &sensor_dev_attr_in4_input.dev_attr.attr, /* 17 */ ++ &sensor_dev_attr_in4_input.dev_attr.attr, /* 16 */ + &sensor_dev_attr_in4_min.dev_attr.attr, + &sensor_dev_attr_in4_max.dev_attr.attr, + &sensor_dev_attr_in4_alarm.dev_attr.attr, +@@ -794,9 +794,9 @@ static umode_t nct7802_in_is_visible(str + + if (index >= 6 && index < 11 && (reg & 0x03) != 0x03) /* VSEN1 */ + return 0; +- if (index >= 11 && index < 17 && (reg & 0x0c) != 0x0c) /* VSEN2 */ ++ if (index >= 11 && index < 16 && (reg & 0x0c) != 0x0c) /* VSEN2 */ + return 0; +- if (index >= 17 && (reg & 0x30) != 0x30) /* VSEN3 */ ++ if (index >= 16 && (reg & 0x30) != 0x30) /* VSEN3 */ + return 0; + + return attr->mode; 
diff --git a/queue-4.14/iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch b/queue-4.14/iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch new file mode 100644 index 00000000000..dfa69b69b95 --- /dev/null +++ b/queue-4.14/iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch @@ -0,0 +1,37 @@ +From 87e7e25aee6b59fef740856f4e86d4b60496c9e1 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Sun, 21 Jul 2019 14:02:27 +0300 +Subject: iwlwifi: don't unmap as page memory that was mapped as single + +From: Emmanuel Grumbach + +commit 87e7e25aee6b59fef740856f4e86d4b60496c9e1 upstream. + +In order to remember how to unmap a memory (as single or +as page), we maintain a bit per Transmit Buffer (TBs) in +the meta data (structure iwl_cmd_meta). +We maintain a bitmap: 1 bit per TB. +If the TB is set, we will free the memory as a page. +This bitmap was never cleared. Fix this. + +Cc: stable@vger.kernel.org +Fixes: 3cd1980b0cdf ("iwlwifi: pcie: introduce new tfd and tb formats") +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c +@@ -401,6 +401,8 @@ static void iwl_pcie_tfd_unmap(struct iw + DMA_TO_DEVICE); + } + ++ meta->tbs = 0; ++ + if (trans->cfg->use_tfh) { + struct iwl_tfh_tfd *tfd_fh = (void *)tfd; + diff --git a/queue-4.14/iwlwifi-mvm-don-t-send-geo_tx_power_limit-on-version-41.patch b/queue-4.14/iwlwifi-mvm-don-t-send-geo_tx_power_limit-on-version-41.patch new file mode 100644 index 00000000000..33bd5c9bae6 --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-don-t-send-geo_tx_power_limit-on-version-41.patch 
@@ -0,0 +1,73 @@ +From 39bd984c203e86f3109b49c2a2e20677c4d3ab65 Mon Sep 17 00:00:00 2001 +From: Luca Coelho +Date: Mon, 24 Jun 2019 22:29:33 +0300 +Subject: iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT on version < 41 + +From: Luca Coelho + +commit 39bd984c203e86f3109b49c2a2e20677c4d3ab65 upstream. + +Firmware versions before 41 don't support the GEO_TX_POWER_LIMIT +command, and sending it to the firmware will cause a firmware crash. +We allow this via debugfs, so we need to return an error value in case +it's not supported. + +This had already been fixed during init, when we send the command if +the ACPI WGDS table is present. Fix it also for the other, +userspace-triggered case. + +Cc: stable@vger.kernel.org +Fixes: 7fe90e0e3d60 ("iwlwifi: mvm: refactor geo init") +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +@@ -912,6 +912,17 @@ int iwl_mvm_sar_select_profile(struct iw + return iwl_mvm_send_cmd_pdu(mvm, REDUCE_TX_POWER_CMD, 0, len, &cmd); + } + ++static bool iwl_mvm_sar_geo_support(struct iwl_mvm *mvm) ++{ ++ /* ++ * The GEO_TX_POWER_LIMIT command is not supported on earlier ++ * firmware versions. Unfortunately, we don't have a TLV API ++ * flag to rely on, so rely on the major version which is in ++ * the first byte of ucode_ver. 
++ */ ++ return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 41; ++} ++ + int iwl_mvm_get_sar_geo_profile(struct iwl_mvm *mvm) + { + struct iwl_geo_tx_power_profiles_resp *resp; +@@ -927,6 +938,9 @@ int iwl_mvm_get_sar_geo_profile(struct i + .data = { &geo_cmd }, + }; + ++ if (!iwl_mvm_sar_geo_support(mvm)) ++ return -EOPNOTSUPP; ++ + ret = iwl_mvm_send_cmd(mvm, &cmd); + if (ret) { + IWL_ERR(mvm, "Failed to get geographic profile info %d\n", ret); +@@ -952,13 +966,7 @@ static int iwl_mvm_sar_geo_init(struct i + int ret, i, j; + u16 cmd_wide_id = WIDE_ID(PHY_OPS_GROUP, GEO_TX_POWER_LIMIT); + +- /* +- * This command is not supported on earlier firmware versions. +- * Unfortunately, we don't have a TLV API flag to rely on, so +- * rely on the major version which is in the first byte of +- * ucode_ver. +- */ +- if (IWL_UCODE_SERIAL(mvm->fw->ucode_ver) < 41) ++ if (!iwl_mvm_sar_geo_support(mvm)) + return 0; + + ret = iwl_mvm_sar_get_wgds_table(mvm); diff --git a/queue-4.14/iwlwifi-mvm-fix-an-out-of-bound-access.patch b/queue-4.14/iwlwifi-mvm-fix-an-out-of-bound-access.patch new file mode 100644 index 00000000000..55561b4af84 --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-fix-an-out-of-bound-access.patch 
@@ -0,0 +1,38 @@ +From ba3224db78034435e9ff0247277cce7c7bb1756c Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Mon, 22 Jul 2019 12:47:27 +0300 +Subject: iwlwifi: mvm: fix an out-of-bound access + +From: Emmanuel Grumbach + +commit ba3224db78034435e9ff0247277cce7c7bb1756c upstream. + +The index for the elements of the ACPI object we dereference +was static. This means that if we called the function twice +we wouldn't start from 3 again, but rather from the latest +index we reached in the previous call. +This was dutifully reported by KASAN. + +Fix this. + +Cc: stable@vger.kernel.org +Fixes: 6996490501ed ("iwlwifi: mvm: add support for EWRD (Dynamic SAR) ACPI table") +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +@@ -778,7 +778,7 @@ static int iwl_mvm_sar_get_ewrd_table(st + + for (i = 0; i < n_profiles; i++) { + /* the tables start at element 3 */ +- static int pos = 3; ++ int pos = 3; + + /* The EWRD profiles officially go from 2 to 4, but we + * save them in sar_profiles[1-3] (because we don't diff --git a/queue-4.14/iwlwifi-mvm-fix-version-check-for-geo_tx_power_limit-support.patch b/queue-4.14/iwlwifi-mvm-fix-version-check-for-geo_tx_power_limit-support.patch new file mode 100644 index 00000000000..5ff9ceffb2a --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-fix-version-check-for-geo_tx_power_limit-support.patch 
@@ -0,0 +1,43 @@ +From f5a47fae6aa3eb06f100e701d2342ee56b857bee Mon Sep 17 00:00:00 2001 +From: Luca Coelho +Date: Fri, 19 Jul 2019 12:21:59 +0300 +Subject: iwlwifi: mvm: fix version check for GEO_TX_POWER_LIMIT support + +From: Luca Coelho + +commit f5a47fae6aa3eb06f100e701d2342ee56b857bee upstream. + +We erroneously added a check for FW API version 41 before sending +GEO_TX_POWER_LIMIT, but this was already implemented in version 38. +Additionally, it was cherry-picked to older versions, namely 17, 26 +and 29, so check for those as well. + +Cc: stable@vger.kernel.org +Fixes: eca1e56ceedd ("iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT to old firmwares") +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +@@ -918,9 +918,14 @@ static bool iwl_mvm_sar_geo_support(stru + * The GEO_TX_POWER_LIMIT command is not supported on earlier + * firmware versions. Unfortunately, we don't have a TLV API + * flag to rely on, so rely on the major version which is in +- * the first byte of ucode_ver. ++ * the first byte of ucode_ver. This was implemented ++ * initially on version 38 and then backported to 36, 29 and ++ * 17. + */ +- return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 41; ++ return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 38 || ++ IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 36 || ++ IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 29 || ++ IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 17; + } + + int iwl_mvm_get_sar_geo_profile(struct iwl_mvm *mvm) diff --git a/queue-4.14/kvm-fix-leak-vcpu-s-vmcs-value-into-other-pcpu.patch b/queue-4.14/kvm-fix-leak-vcpu-s-vmcs-value-into-other-pcpu.patch new file mode 100644 index 00000000000..0dcbd065e6e --- /dev/null +++ b/queue-4.14/kvm-fix-leak-vcpu-s-vmcs-value-into-other-pcpu.patch 
@@ -0,0 +1,200 @@ +From 17e433b54393a6269acbcb792da97791fe1592d8 Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Mon, 5 Aug 2019 10:03:19 +0800 +Subject: KVM: Fix leak vCPU's VMCS value into other pCPU +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wanpeng Li + +commit 17e433b54393a6269acbcb792da97791fe1592d8 upstream. + +After commit d73eb57b80b (KVM: Boost vCPUs that are delivering interrupts), a +five years old bug is exposed. Running ebizzy benchmark in three 80 vCPUs VMs +on one 80 pCPUs Skylake server, a lot of rcu_sched stall warning splatting +in the VMs after stress testing: + + INFO: rcu_sched detected stalls on CPUs/tasks: { 4 41 57 62 77} (detected by 15, t=60004 jiffies, g=899, c=898, q=15073) + Call Trace: + flush_tlb_mm_range+0x68/0x140 + tlb_flush_mmu.part.75+0x37/0xe0 + tlb_finish_mmu+0x55/0x60 + zap_page_range+0x142/0x190 + SyS_madvise+0x3cd/0x9c0 + system_call_fastpath+0x1c/0x21 + +swait_active() sustains to be true before finish_swait() is called in +kvm_vcpu_block(), voluntarily preempted vCPUs are taken into account +by kvm_vcpu_on_spin() loop greatly increases the probability condition +kvm_arch_vcpu_runnable(vcpu) is checked and can be true, when APICv +is enabled the yield-candidate vCPU's VMCS RVI field leaks(by +vmx_sync_pir_to_irr()) into spinning-on-a-taken-lock vCPU's current +VMCS. + +This patch fixes it by checking conservatively a subset of events. 
+ +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: Christian Borntraeger +Cc: Marc Zyngier +Cc: stable@vger.kernel.org +Fixes: 98f4a1467 (KVM: add kvm_arch_vcpu_runnable() test to kvm_vcpu_on_spin() loop) +Signed-off-by: Wanpeng Li +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/powerpc.c | 5 +++++ + arch/x86/include/asm/kvm_host.h | 1 + + arch/x86/kvm/svm.c | 6 ++++++ + arch/x86/kvm/vmx.c | 6 ++++++ + arch/x86/kvm/x86.c | 16 ++++++++++++++++ + include/linux/kvm_host.h | 1 + + virt/kvm/kvm_main.c | 25 ++++++++++++++++++++++++- + 7 files changed, 59 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/kvm/powerpc.c ++++ b/arch/powerpc/kvm/powerpc.c +@@ -58,6 +58,11 @@ int kvm_arch_vcpu_runnable(struct kvm_vc + return !!(v->arch.pending_exceptions) || kvm_request_pending(v); + } + ++bool kvm_arch_dy_runnable(struct kvm_vcpu *vcpu) ++{ ++ return kvm_arch_vcpu_runnable(vcpu); ++} ++ + bool kvm_arch_vcpu_in_kernel(struct kvm_vcpu *vcpu) + { + return false; +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1077,6 +1077,7 @@ struct kvm_x86_ops { + int (*update_pi_irte)(struct kvm *kvm, unsigned int host_irq, + uint32_t guest_irq, bool set); + void (*apicv_post_state_restore)(struct kvm_vcpu *vcpu); ++ bool (*dy_apicv_has_pending_interrupt)(struct kvm_vcpu *vcpu); + + int (*set_hv_timer)(struct kvm_vcpu *vcpu, u64 guest_deadline_tsc); + void (*cancel_hv_timer)(struct kvm_vcpu *vcpu); +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -4637,6 +4637,11 @@ static void svm_deliver_avic_intr(struct + kvm_vcpu_wake_up(vcpu); + } + ++static bool svm_dy_apicv_has_pending_interrupt(struct kvm_vcpu *vcpu) ++{ ++ return false; ++} ++ + static void svm_ir_list_del(struct vcpu_svm *svm, struct amd_iommu_pi_data *pi) + { + unsigned long flags; +@@ -5746,6 +5751,7 @@ static struct kvm_x86_ops svm_x86_ops __ + + .pmu_ops = &amd_pmu_ops, + .deliver_posted_interrupt = svm_deliver_avic_intr, ++ 
.dy_apicv_has_pending_interrupt = svm_dy_apicv_has_pending_interrupt, + .update_pi_irte = svm_update_pi_irte, + .setup_mce = svm_setup_mce, + }; +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -9431,6 +9431,11 @@ static int vmx_sync_pir_to_irr(struct kv + return max_irr; + } + ++static bool vmx_dy_apicv_has_pending_interrupt(struct kvm_vcpu *vcpu) ++{ ++ return pi_test_on(vcpu_to_pi_desc(vcpu)); ++} ++ + static void vmx_load_eoi_exitmap(struct kvm_vcpu *vcpu, u64 *eoi_exit_bitmap) + { + if (!kvm_vcpu_apicv_active(vcpu)) +@@ -12756,6 +12761,7 @@ static struct kvm_x86_ops vmx_x86_ops __ + .hwapic_isr_update = vmx_hwapic_isr_update, + .sync_pir_to_irr = vmx_sync_pir_to_irr, + .deliver_posted_interrupt = vmx_deliver_posted_interrupt, ++ .dy_apicv_has_pending_interrupt = vmx_dy_apicv_has_pending_interrupt, + + .set_tss_addr = vmx_set_tss_addr, + .get_tdp_level = get_ept_level, +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -8711,6 +8711,22 @@ int kvm_arch_vcpu_runnable(struct kvm_vc + return kvm_vcpu_running(vcpu) || kvm_vcpu_has_events(vcpu); + } + ++bool kvm_arch_dy_runnable(struct kvm_vcpu *vcpu) ++{ ++ if (READ_ONCE(vcpu->arch.pv.pv_unhalted)) ++ return true; ++ ++ if (kvm_test_request(KVM_REQ_NMI, vcpu) || ++ kvm_test_request(KVM_REQ_SMI, vcpu) || ++ kvm_test_request(KVM_REQ_EVENT, vcpu)) ++ return true; ++ ++ if (vcpu->arch.apicv_active && kvm_x86_ops->dy_apicv_has_pending_interrupt(vcpu)) ++ return true; ++ ++ return false; ++} ++ + bool kvm_arch_vcpu_in_kernel(struct kvm_vcpu *vcpu) + { + return vcpu->arch.preempted_in_kernel; +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -808,6 +808,7 @@ void kvm_arch_check_processor_compat(voi + int kvm_arch_vcpu_runnable(struct kvm_vcpu *vcpu); + bool kvm_arch_vcpu_in_kernel(struct kvm_vcpu *vcpu); + int kvm_arch_vcpu_should_kick(struct kvm_vcpu *vcpu); ++bool kvm_arch_dy_runnable(struct kvm_vcpu *vcpu); + + #ifndef __KVM_HAVE_ARCH_VM_ALLOC + static inline struct kvm 
*kvm_arch_alloc_vm(void) +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -2314,6 +2314,29 @@ static bool kvm_vcpu_eligible_for_direct + #endif + } + ++/* ++ * Unlike kvm_arch_vcpu_runnable, this function is called outside ++ * a vcpu_load/vcpu_put pair. However, for most architectures ++ * kvm_arch_vcpu_runnable does not require vcpu_load. ++ */ ++bool __weak kvm_arch_dy_runnable(struct kvm_vcpu *vcpu) ++{ ++ return kvm_arch_vcpu_runnable(vcpu); ++} ++ ++static bool vcpu_dy_runnable(struct kvm_vcpu *vcpu) ++{ ++ if (kvm_arch_dy_runnable(vcpu)) ++ return true; ++ ++#ifdef CONFIG_KVM_ASYNC_PF ++ if (!list_empty_careful(&vcpu->async_pf.done)) ++ return true; ++#endif ++ ++ return false; ++} ++ + void kvm_vcpu_on_spin(struct kvm_vcpu *me, bool yield_to_kernel_mode) + { + struct kvm *kvm = me->kvm; +@@ -2343,7 +2366,7 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *m + continue; + if (vcpu == me) + continue; +- if (swait_active(&vcpu->wq) && !kvm_arch_vcpu_runnable(vcpu)) ++ if (swait_active(&vcpu->wq) && !vcpu_dy_runnable(vcpu)) + continue; + if (yield_to_kernel_mode && !kvm_arch_vcpu_in_kernel(vcpu)) + continue; diff --git a/queue-4.14/mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch b/queue-4.14/mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch new file mode 100644 index 00000000000..c5cfc298463 --- /dev/null +++ b/queue-4.14/mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch 
@@ -0,0 +1,53 @@ +From 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Fri, 26 Jul 2019 15:47:58 -0700 +Subject: mac80211: don't WARN on short WMM parameters from AP + +From: Brian Norris + +commit 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced upstream. + +In a very similar spirit to commit c470bdc1aaf3 ("mac80211: don't WARN +on bad WMM parameters from buggy APs"), an AP may not transmit a +fully-formed WMM IE. For example, it may miss or repeat an Access +Category. The above loop won't catch that and will instead leave one of +the four ACs zeroed out. This triggers the following warning in +drv_conf_tx() + + wlan0: invalid CW_min/CW_max: 0/0 + +and it may leave one of the hardware queues unconfigured. If we detect +such a case, let's just print a warning and fall back to the defaults. + +Tested with a hacked version of hostapd, intentionally corrupting the +IEs in hostapd_eid_wmm(). + +Cc: stable@vger.kernel.org +Signed-off-by: Brian Norris +Link: https://lore.kernel.org/r/20190726224758.210953-1-briannorris@chromium.org +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/mlme.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -1867,6 +1867,16 @@ static bool ieee80211_sta_wmm_params(str + } + } + ++ /* WMM specification requires all 4 ACIs. */ ++ for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) { ++ if (params[ac].cw_min == 0) { ++ sdata_info(sdata, ++ "AP has invalid WMM params (missing AC %d), using defaults\n", ++ ac); ++ return false; ++ } ++ } ++ + for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) { + mlme_dbg(sdata, + "WMM AC=%d acm=%d aifs=%d cWmin=%d cWmax=%d txop=%d uapsd=%d, downgraded=%d\n", diff --git a/queue-4.14/mwifiex-fix-802.11n-wpa-detection.patch b/queue-4.14/mwifiex-fix-802.11n-wpa-detection.patch new file mode 100644 index 00000000000..7b4b322a406 --- /dev/null +++ b/queue-4.14/mwifiex-fix-802.11n-wpa-detection.patch 
@@ -0,0 +1,52 @@ +From df612421fe2566654047769c6852ffae1a31df16 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Wed, 24 Jul 2019 12:46:34 -0700 +Subject: mwifiex: fix 802.11n/WPA detection + +From: Brian Norris + +commit df612421fe2566654047769c6852ffae1a31df16 upstream. + +Commit 63d7ef36103d ("mwifiex: Don't abort on small, spec-compliant +vendor IEs") adjusted the ieee_types_vendor_header struct, which +inadvertently messed up the offsets used in +mwifiex_is_wpa_oui_present(). Add that offset back in, mirroring +mwifiex_is_rsn_oui_present(). + +As it stands, commit 63d7ef36103d breaks compatibility with WPA (not +WPA2) 802.11n networks, since we hit the "info: Disable 11n if AES is +not supported by AP" case in mwifiex_is_network_compatible(). + +Fixes: 63d7ef36103d ("mwifiex: Don't abort on small, spec-compliant vendor IEs") +Cc: +Signed-off-by: Brian Norris +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/marvell/mwifiex/main.h | 1 + + drivers/net/wireless/marvell/mwifiex/scan.c | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/marvell/mwifiex/main.h ++++ b/drivers/net/wireless/marvell/mwifiex/main.h +@@ -122,6 +122,7 @@ enum { + + #define MWIFIEX_MAX_TOTAL_SCAN_TIME (MWIFIEX_TIMER_10S - MWIFIEX_TIMER_1S) + ++#define WPA_GTK_OUI_OFFSET 2 + #define RSN_GTK_OUI_OFFSET 2 + + #define MWIFIEX_OUI_NOT_PRESENT 0 +--- a/drivers/net/wireless/marvell/mwifiex/scan.c ++++ b/drivers/net/wireless/marvell/mwifiex/scan.c +@@ -181,7 +181,8 @@ mwifiex_is_wpa_oui_present(struct mwifie + u8 ret = MWIFIEX_OUI_NOT_PRESENT; + + if (has_vendor_hdr(bss_desc->bcn_wpa_ie, WLAN_EID_VENDOR_SPECIFIC)) { +- iebody = (struct ie_body *) bss_desc->bcn_wpa_ie->data; ++ iebody = (struct ie_body *)((u8 *)bss_desc->bcn_wpa_ie->data + ++ WPA_GTK_OUI_OFFSET); + oui = &mwifiex_wpa_oui[cipher][0]; + ret = mwifiex_search_oui_in_ie(iebody, oui); + if (ret) 
diff --git a/queue-4.14/nfsv4-fix-an-oops-in-nfs4_do_setattr.patch b/queue-4.14/nfsv4-fix-an-oops-in-nfs4_do_setattr.patch new file mode 100644 index 00000000000..7bb8e28e987 --- /dev/null +++ b/queue-4.14/nfsv4-fix-an-oops-in-nfs4_do_setattr.patch @@ -0,0 +1,34 @@ +From 09a54f0ebfe263bc27c90bbd80187b9a93283887 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sat, 3 Aug 2019 10:28:18 -0400 +Subject: NFSv4: Fix an Oops in nfs4_do_setattr + +From: Trond Myklebust + +commit 09a54f0ebfe263bc27c90bbd80187b9a93283887 upstream. + +If the user specifies an open mode of 3, then we don't have a NFSv4 state +attached to the context, and so we Oops when we try to dereference it. + +Reported-by: Olga Kornievskaia +Fixes: 29b59f9416937 ("NFSv4: change nfs4_do_setattr to take...") +Signed-off-by: Trond Myklebust +Cc: stable@vger.kernel.org # v4.10: 991eedb1371dc: NFSv4: Only pass the... +Cc: stable@vger.kernel.org # v4.10+ +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -2966,7 +2966,7 @@ static int _nfs4_do_setattr(struct inode + + if (nfs4_copy_delegation_stateid(inode, FMODE_WRITE, &arg->stateid, &delegation_cred)) { + /* Use that stateid */ +- } else if (ctx != NULL) { ++ } else if (ctx != NULL && ctx->state) { + struct nfs_lock_context *l_ctx; + if (!nfs4_valid_open_stateid(ctx->state)) + return -EBADF; diff --git a/queue-4.14/nfsv4-only-pass-the-delegation-to-setattr-if-we-re-sending-a-truncate.patch b/queue-4.14/nfsv4-only-pass-the-delegation-to-setattr-if-we-re-sending-a-truncate.patch new file mode 100644 index 00000000000..d13c62a3e8c --- /dev/null +++ b/queue-4.14/nfsv4-only-pass-the-delegation-to-setattr-if-we-re-sending-a-truncate.patch 
@@ -0,0 +1,58 @@ +From 991eedb1371dc09b0f9848f59c8898fe63d198c0 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Mon, 9 Apr 2018 11:15:30 -0400 +Subject: NFSv4: Only pass the delegation to setattr if we're sending a truncate + +From: Trond Myklebust + +commit 991eedb1371dc09b0f9848f59c8898fe63d198c0 upstream. + +Even then it isn't really necessary. The reason why we may not want to +pass in a stateid in other cases is that we cannot use the delegation +credential. + +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -2954,7 +2954,6 @@ static int _nfs4_do_setattr(struct inode + }; + struct rpc_cred *delegation_cred = NULL; + unsigned long timestamp = jiffies; +- fmode_t fmode; + bool truncate; + int status; + +@@ -2962,11 +2961,12 @@ static int _nfs4_do_setattr(struct inode + + /* Servers should only apply open mode checks for file size changes */ + truncate = (arg->iap->ia_valid & ATTR_SIZE) ? true : false; +- fmode = truncate ? FMODE_WRITE : FMODE_READ; ++ if (!truncate) ++ goto zero_stateid; + +- if (nfs4_copy_delegation_stateid(inode, fmode, &arg->stateid, &delegation_cred)) { ++ if (nfs4_copy_delegation_stateid(inode, FMODE_WRITE, &arg->stateid, &delegation_cred)) { + /* Use that stateid */ +- } else if (truncate && ctx != NULL) { ++ } else if (ctx != NULL) { + struct nfs_lock_context *l_ctx; + if (!nfs4_valid_open_stateid(ctx->state)) + return -EBADF; +@@ -2978,8 +2978,10 @@ static int _nfs4_do_setattr(struct inode + nfs_put_lock_context(l_ctx); + if (status == -EIO) + return -EBADF; +- } else ++ } else { ++zero_stateid: + nfs4_stateid_copy(&arg->stateid, &zero_stateid); ++ } + if (delegation_cred) + msg.rpc_cred = delegation_cred; + diff --git a/queue-4.14/series b/queue-4.14/series index 1548714f634..1f52709ed8e 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
@@ -49,3 +49,21 @@ test_firmware-fix-a-memory-leak-bug.patch tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch perf-core-fix-creating-kernel-counters-for-pmus-that.patch hid-sony-fix-race-condition-between-rumble-and-device-remove.patch +can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch +can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch +hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch +drm-i915-fix-wrong-escape-clock-divisor-init-for-glk.patch +alsa-firewire-fix-a-memory-leak-bug.patch +alsa-hda-don-t-override-global-pcm-hw-info-flag.patch +alsa-hda-workaround-for-crackled-sound-on-amd-controller-1022-1457.patch +mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch +smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch +smb3-send-cap_dfs-capability-during-session-setup.patch +nfsv4-only-pass-the-delegation-to-setattr-if-we-re-sending-a-truncate.patch +nfsv4-fix-an-oops-in-nfs4_do_setattr.patch +kvm-fix-leak-vcpu-s-vmcs-value-into-other-pcpu.patch +mwifiex-fix-802.11n-wpa-detection.patch +iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch +iwlwifi-mvm-fix-an-out-of-bound-access.patch +iwlwifi-mvm-don-t-send-geo_tx_power_limit-on-version-41.patch +iwlwifi-mvm-fix-version-check-for-geo_tx_power_limit-support.patch diff --git a/queue-4.14/smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch b/queue-4.14/smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch new file mode 100644 index 00000000000..119f9ec6b69 --- /dev/null +++ b/queue-4.14/smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch 
@@ -0,0 +1,38 @@ +From e99c63e4d86d3a94818693147b469fa70de6f945 Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Mon, 22 Jul 2019 11:34:59 -0700 +Subject: SMB3: Fix deadlock in validate negotiate hits reconnect + +From: Pavel Shilovsky + +commit e99c63e4d86d3a94818693147b469fa70de6f945 upstream. + +Currently we skip SMB2_TREE_CONNECT command when checking during +reconnect because Tree Connect happens when establishing +an SMB session. For SMB 3.0 protocol version the code also calls +validate negotiate which results in SMB2_IOCL command being sent +over the wire. This may deadlock on trying to acquire a mutex when +checking for reconnect. Fix this by skipping SMB2_IOCL command +when doing the reconnect check. + +Signed-off-by: Pavel Shilovsky +Signed-off-by: Steve French +Reviewed-by: Ronnie Sahlberg +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2pdu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -166,7 +166,7 @@ smb2_reconnect(__le16 smb2_command, stru + if (tcon == NULL) + return 0; + +- if (smb2_command == SMB2_TREE_CONNECT) ++ if (smb2_command == SMB2_TREE_CONNECT || smb2_command == SMB2_IOCTL) + return 0; + + if (tcon->tidStatus == CifsExiting) { diff --git a/queue-4.14/smb3-send-cap_dfs-capability-during-session-setup.patch b/queue-4.14/smb3-send-cap_dfs-capability-during-session-setup.patch new file mode 100644 index 00000000000..12538cbbb7c --- /dev/null +++ b/queue-4.14/smb3-send-cap_dfs-capability-during-session-setup.patch 
@@ -0,0 +1,40 @@ +From 8d33096a460d5b9bd13300f01615df5bb454db10 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Thu, 25 Jul 2019 18:13:10 -0500 +Subject: smb3: send CAP_DFS capability during session setup + +From: Steve French + +commit 8d33096a460d5b9bd13300f01615df5bb454db10 upstream. + +We had a report of a server which did not do a DFS referral +because the session setup Capabilities field was set to 0 +(unlike negotiate protocol where we set CAP_DFS). Better to +send it session setup in the capabilities as well (this also +more closely matches Windows client behavior). + +Signed-off-by: Steve French +Reviewed-off-by: Ronnie Sahlberg +Reviewed-by: Pavel Shilovsky +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2pdu.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -834,7 +834,12 @@ SMB2_sess_alloc_buffer(struct SMB2_sess_ + else + req->SecurityMode = 0; + ++#ifdef CONFIG_CIFS_DFS_UPCALL ++ req->Capabilities = cpu_to_le32(SMB2_GLOBAL_CAP_DFS); ++#else + req->Capabilities = 0; ++#endif /* DFS_UPCALL */ ++ + req->Channel = 0; /* MBZ */ + + sess_data->iov[0].iov_base = (char *)req;
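Review bot: in the arch/powerpc/kvm/powerpc.c hunk of the KVM patch, the new kvm_arch_dy_runnable() has the same body as the __weak default added in virt/kvm/kvm_main.c; both just return kvm_arch_vcpu_runnable(vcpu). The powerpc copy can be dropped so the weak definition is used, or, if it is kept on purpose as a per-arch hook, it should carry a comment saying why.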
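Review bot: in the arch/x86/kvm/svm.c hunk, svm_dy_apicv_has_pending_interrupt() returns false unconditionally, so when vcpu->arch.apicv_active is set on SVM the third test in the x86 kvm_arch_dy_runnable() can never succeed and a pending AVIC interrupt does not make a vCPU a yield candidate. If that is intended for now, a one-line comment in the stub should say so; otherwise it needs a real check, as the VMX side has with pi_test_on(vcpu_to_pi_desc(vcpu)).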
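Review bot: in the net/mac80211/mlme.c hunk, the new loop infers a missing Access Category from params[ac].cw_min == 0, but the message always says "missing AC %d". An AC that was present and carried a zero cw_min would be reported the same way, so the text should read "missing or invalid AC %d", or the parsing loop above should track which ACs it actually saw. The commit message also says "print a warning" while the code logs through sdata_info(); one of the two should be adjusted.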
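Review bot: in mwifiex_is_wpa_oui_present() (drivers/net/wireless/marvell/mwifiex/scan.c hunk), the data pointer is now advanced by WPA_GTK_OUI_OFFSET before the cast to struct ie_body, and the only guard visible in the hunk is has_vendor_hdr(). Since bcn_wpa_ie comes from the AP, please confirm that the IE length is known to cover the offset plus everything mwifiex_search_oui_in_ie() reads, or add that length check here. The new WPA_GTK_OUI_OFFSET define in main.h also has no comment saying which two bytes it skips.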
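Review bot: the added ctx->state test in _nfs4_do_setattr() (nfsv4-fix-an-oops-in-nfs4_do_setattr.patch) has no comment saying when an open context can exist without state. The commit message names the case (open mode of 3) but the code does not, so a later cleanup could remove the check as redundant. Suggest a short comment above the else-if, and writing the condition consistently as ctx != NULL && ctx->state != NULL or ctx && ctx->state.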
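Review bot: in the second fs/nfs/nfs4proc.c hunk of nfsv4-only-pass-the-delegation-to-setattr-if-we-re-sending-a-truncate.patch, goto zero_stateid jumps to a label placed inside the final else block, and the label has the same name as the zero_stateid object copied on the very next line. It compiles because labels have their own namespace, but the non-truncate path is hard to follow. Consider a differently named label outside the if/else chain, or handling the !truncate case by copying the zero stateid directly before the chain.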
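Review bot: in the smb2_reconnect() hunk, the early return now covers every SMB2_IOCTL, while the commit message only describes the validate negotiate request sent during session establishment. With this change any other ioctl issued on a tcon that needs reconnecting also returns 0 here without the reconnect check. Either narrow the test to the validate negotiate case or add a comment explaining why skipping the check for all ioctls is acceptable. The commit message also spells the command "SMB2_IOCL", which does not match the SMB2_IOCTL constant in the code.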
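Review bot: in the SMB2_sess_alloc_buffer() hunk, the closing comment #endif /* DFS_UPCALL */ does not match the symbol tested by #ifdef CONFIG_CIFS_DFS_UPCALL; it should name CONFIG_CIFS_DFS_UPCALL so a search for the config symbol finds both ends of the block. The trailer "Reviewed-off-by:" in the commit message is also not a recognised tag and looks like a typo for Reviewed-by.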