From: Greg Kroah-Hartman Date: Thu, 4 Oct 2018 19:38:56 +0000 (-0700) Subject: 4.9-stable patches X-Git-Tag: v4.4.160~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=12eb78993858ddee5dd5f02e4d3bdc9ff0968af2;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: arc-atomics-unbork-atomic_fetch_-op.patch cfg80211-fix-a-type-issue-in-ieee80211_chandef_to_operating_class.patch cfg80211-nl80211_update_ft_ies-to-validate-nl80211_attr_ie.patch fs-cifs-don-t-translate-sfm_slash-u-f026-to-backslash.patch gpio-adp5588-fix-sleep-in-atomic-context-bug.patch gpio-fix-crash-due-to-registration-race.patch i2c-uniphier-f-issue-stop-only-for-last-message-or-i2c_m_stop.patch i2c-uniphier-issue-stop-only-for-last-message-or-i2c_m_stop.patch kvm-ppc-book3s-hv-don-t-truncate-hpte-index-in-xlate-function.patch mac80211-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch mac80211-don-t-tx-a-deauth-frame-if-the-ap-forbade-tx.patch mac80211-fix-a-race-between-restart-and-csa-flows.patch mac80211-fix-station-bandwidth-setting-after-channel-switch.patch mac80211-mesh-fix-hwmp-sequence-numbering-to-follow-standard.patch mac80211-run-txq-teardown-code-before-de-registering-interfaces.patch mac80211-shorten-the-ibss-debug-messages.patch mac80211_hwsim-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch net-cadence-fix-a-sleep-in-atomic-context-bug-in-macb_halt_tx.patch net-ethernet-cpsw-phy-sel-prefer-phandle-for-phy-sel.patch net-hns-add-netif_carrier_off-before-change-speed-and-duplex.patch raid10-bug_on-in-raise_barrier-when-force-is-true-and-conf-barrier-is-0.patch tools-vm-page-types.c-fix-defined-but-not-used-warning.patch tools-vm-slabinfo.c-fix-sign-compare-warning.patch --- diff --git a/queue-4.9/arc-atomics-unbork-atomic_fetch_-op.patch b/queue-4.9/arc-atomics-unbork-atomic_fetch_-op.patch new file mode 100644 index 00000000000..5952bc51c72 --- /dev/null +++ b/queue-4.9/arc-atomics-unbork-atomic_fetch_-op.patch 
@@ -0,0 +1,62 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: Will Deacon +Date: Thu, 30 Aug 2018 13:52:38 -0700 +Subject: ARC: atomics: unbork atomic_fetch_##op() + +From: Will Deacon + +[ Upstream commit 3fcbb8260a87efb691d837e8cd24e81f65b3eb70 ] + +In 4.19-rc1, Eugeniy reported weird boot and IO errors on ARC HSDK + +| INFO: task syslogd:77 blocked for more than 10 seconds. +| Not tainted 4.19.0-rc1-00007-gf213acea4e88 #40 +| "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this +| message. +| syslogd D 0 77 76 0x00000000 +| +| Stack Trace: +| __switch_to+0x0/0xac +| __schedule+0x1b2/0x730 +| io_schedule+0x5c/0xc0 +| __lock_page+0x98/0xdc +| find_lock_entry+0x38/0x100 +| shmem_getpage_gfp.isra.3+0x82/0xbfc +| shmem_fault+0x46/0x138 +| handle_mm_fault+0x5bc/0x924 +| do_page_fault+0x100/0x2b8 +| ret_from_exception+0x0/0x8 + +He bisected to 84c6591103db ("locking/atomics, +asm-generic/bitops/lock.h: Rewrite using atomic_fetch_*()") + +This commit however only unmasked the real issue introduced by commit +4aef66c8ae9 ("locking/atomic, arch/arc: Fix build") which missed the +retry-if-scond-failed branch in atomic_fetch_##op() macros. + +The bisected commit started using atomic_fetch_##op() macros for building +the rest of atomics. + +Fixes: 4aef66c8ae9 ("locking/atomic, arch/arc: Fix build") +Reported-by: Eugeniy Paltsev +Acked-by: Peter Zijlstra (Intel) +Signed-off-by: Will Deacon +Signed-off-by: Vineet Gupta +[vgupta: wrote changelog] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arc/include/asm/atomic.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arc/include/asm/atomic.h ++++ b/arch/arc/include/asm/atomic.h +@@ -84,7 +84,7 @@ static inline int atomic_fetch_##op(int + "1: llock %[orig], [%[ctr]] \n" \ + " " #asm_op " %[val], %[orig], %[i] \n" \ + " scond %[val], [%[ctr]] \n" \ +- " \n" \ ++ " bnz 1b \n" \ + : [val] "=&r" (val), \ + [orig] "=&r" (orig) \ + : [ctr] "r" (&v->counter), \ 
diff --git a/queue-4.9/cfg80211-fix-a-type-issue-in-ieee80211_chandef_to_operating_class.patch b/queue-4.9/cfg80211-fix-a-type-issue-in-ieee80211_chandef_to_operating_class.patch new file mode 100644 index 00000000000..5480a4aaf56 --- /dev/null +++ b/queue-4.9/cfg80211-fix-a-type-issue-in-ieee80211_chandef_to_operating_class.patch @@ -0,0 +1,41 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: Dan Carpenter +Date: Fri, 31 Aug 2018 11:10:55 +0300 +Subject: cfg80211: fix a type issue in ieee80211_chandef_to_operating_class() + +From: Dan Carpenter + +[ Upstream commit 8442938c3a2177ba16043b3a935f2c78266ad399 ] + +The "chandef->center_freq1" variable is a u32 but "freq" is a u16 so we +are truncating away the high bits. I noticed this bug because in commit +9cf0a0b4b64a ("cfg80211: Add support for 60GHz band channels 5 and 6") +we made "freq <= 56160 + 2160 * 6" a valid requency when before it was +only "freq <= 56160 + 2160 * 4" that was valid. It introduces a static +checker warning: + + net/wireless/util.c:1571 ieee80211_chandef_to_operating_class() + warn: always true condition '(freq <= 56160 + 2160 * 6) => (0-u16max <= 69120)' + +But really we probably shouldn't have been truncating the high bits +away to begin with. + +Signed-off-by: Dan Carpenter +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -1432,7 +1432,7 @@ bool ieee80211_chandef_to_operating_clas + u8 *op_class) + { + u8 vht_opclass; +- u16 freq = chandef->center_freq1; ++ u32 freq = chandef->center_freq1; + + if (freq >= 2412 && freq <= 2472) { + if (chandef->width > NL80211_CHAN_WIDTH_40) diff --git a/queue-4.9/cfg80211-nl80211_update_ft_ies-to-validate-nl80211_attr_ie.patch b/queue-4.9/cfg80211-nl80211_update_ft_ies-to-validate-nl80211_attr_ie.patch new file mode 100644 index 00000000000..b8c4bbfcdc8 --- /dev/null 
+++ b/queue-4.9/cfg80211-nl80211_update_ft_ies-to-validate-nl80211_attr_ie.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: Arunk Khandavalli +Date: Thu, 30 Aug 2018 00:40:16 +0300 +Subject: cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE + +From: Arunk Khandavalli + +[ Upstream commit 4f0223bfe9c3e62d8f45a85f1ef1b18a8a263ef9 ] + +nl80211_update_ft_ies() tried to validate NL80211_ATTR_IE with +is_valid_ie_attr() before dereferencing it, but that helper function +returns true in case of NULL pointer (i.e., attribute not included). +This can result to dereferencing a NULL pointer. Fix that by explicitly +checking that NL80211_ATTR_IE is included. + +Fixes: 355199e02b83 ("cfg80211: Extend support for IEEE 802.11r Fast BSS Transition") +Signed-off-by: Arunk Khandavalli +Signed-off-by: Jouni Malinen +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/nl80211.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -11148,6 +11148,7 @@ static int nl80211_update_ft_ies(struct + return -EOPNOTSUPP; + + if (!info->attrs[NL80211_ATTR_MDID] || ++ !info->attrs[NL80211_ATTR_IE] || + !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE])) + return -EINVAL; + diff --git a/queue-4.9/fs-cifs-don-t-translate-sfm_slash-u-f026-to-backslash.patch b/queue-4.9/fs-cifs-don-t-translate-sfm_slash-u-f026-to-backslash.patch new file mode 100644 index 00000000000..bb7b2fedf47 --- /dev/null +++ b/queue-4.9/fs-cifs-don-t-translate-sfm_slash-u-f026-to-backslash.patch 
@@ -0,0 +1,44 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: Jon Kuhn +Date: Mon, 9 Jul 2018 14:33:14 +0000 +Subject: fs/cifs: don't translate SFM_SLASH (U+F026) to backslash + +From: Jon Kuhn + +[ Upstream commit c15e3f19a6d5c89b1209dc94b40e568177cb0921 ] + +When a Mac client saves an item containing a backslash to a file server +the backslash is represented in the CIFS/SMB protocol as as U+F026. +Before this change, listing a directory containing an item with a +backslash in its name will return that item with the backslash +represented with a true backslash character (U+005C) because +convert_sfm_character mapped U+F026 to U+005C when interpretting the +CIFS/SMB protocol response. However, attempting to open or stat the +path using a true backslash will result in an error because +convert_to_sfm_char does not map U+005C back to U+F026 causing the +CIFS/SMB request to be made with the backslash represented as U+005C. + +This change simply prevents the U+F026 to U+005C conversion from +happenning. This is analogous to how the code does not do any +translation of UNI_SLASH (U+F000). + +Signed-off-by: Jon Kuhn +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifs_unicode.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/fs/cifs/cifs_unicode.c ++++ b/fs/cifs/cifs_unicode.c +@@ -101,9 +101,6 @@ convert_sfm_char(const __u16 src_char, c + case SFM_LESSTHAN: + *target = '<'; + break; +- case SFM_SLASH: +- *target = '\\'; +- break; + case SFM_SPACE: + *target = ' '; + break; diff --git a/queue-4.9/gpio-adp5588-fix-sleep-in-atomic-context-bug.patch b/queue-4.9/gpio-adp5588-fix-sleep-in-atomic-context-bug.patch new file mode 100644 index 00000000000..27456b1a4a4 --- /dev/null +++ b/queue-4.9/gpio-adp5588-fix-sleep-in-atomic-context-bug.patch 
@@ -0,0 +1,76 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: Michael Hennerich +Date: Mon, 13 Aug 2018 15:57:44 +0200 +Subject: gpio: adp5588: Fix sleep-in-atomic-context bug + +From: Michael Hennerich + +[ Upstream commit 6537886cdc9a637711fd6da980dbb87c2c87c9aa ] + +This fixes: +[BUG] gpio: gpio-adp5588: A possible sleep-in-atomic-context bug + in adp5588_gpio_write() +[BUG] gpio: gpio-adp5588: A possible sleep-in-atomic-context bug + in adp5588_gpio_direction_input() + +Reported-by: Jia-Ju Bai +Signed-off-by: Michael Hennerich +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-adp5588.c | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +--- a/drivers/gpio/gpio-adp5588.c ++++ b/drivers/gpio/gpio-adp5588.c +@@ -41,6 +41,8 @@ struct adp5588_gpio { + uint8_t int_en[3]; + uint8_t irq_mask[3]; + uint8_t irq_stat[3]; ++ uint8_t int_input_en[3]; ++ uint8_t int_lvl_cached[3]; + }; + + static int adp5588_gpio_read(struct i2c_client *client, u8 reg) +@@ -173,12 +175,28 @@ static void adp5588_irq_bus_sync_unlock( + struct adp5588_gpio *dev = irq_data_get_irq_chip_data(d); + int i; + +- for (i = 0; i <= ADP5588_BANK(ADP5588_MAXGPIO); i++) ++ for (i = 0; i <= ADP5588_BANK(ADP5588_MAXGPIO); i++) { ++ if (dev->int_input_en[i]) { ++ mutex_lock(&dev->lock); ++ dev->dir[i] &= ~dev->int_input_en[i]; ++ dev->int_input_en[i] = 0; ++ adp5588_gpio_write(dev->client, GPIO_DIR1 + i, ++ dev->dir[i]); ++ mutex_unlock(&dev->lock); ++ } ++ ++ if (dev->int_lvl_cached[i] != dev->int_lvl[i]) { ++ dev->int_lvl_cached[i] = dev->int_lvl[i]; ++ adp5588_gpio_write(dev->client, GPIO_INT_LVL1 + i, ++ dev->int_lvl[i]); ++ } ++ + if (dev->int_en[i] ^ dev->irq_mask[i]) { + dev->int_en[i] = dev->irq_mask[i]; + adp5588_gpio_write(dev->client, GPIO_INT_EN1 + i, + dev->int_en[i]); + } ++ } + + mutex_unlock(&dev->irq_lock); + } +@@ -221,9 +239,7 @@ static int adp5588_irq_set_type(struct i + else + return 
-EINVAL; + +- adp5588_gpio_direction_input(&dev->gpio_chip, gpio); +- adp5588_gpio_write(dev->client, GPIO_INT_LVL1 + bank, +- dev->int_lvl[bank]); ++ dev->int_input_en[bank] |= bit; + + return 0; + } diff --git a/queue-4.9/gpio-fix-crash-due-to-registration-race.patch b/queue-4.9/gpio-fix-crash-due-to-registration-race.patch new file mode 100644 index 00000000000..1c7f4572eda --- /dev/null +++ b/queue-4.9/gpio-fix-crash-due-to-registration-race.patch 
@@ -0,0 +1,68 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: Vincent Whitchurch +Date: Fri, 31 Aug 2018 09:04:18 +0200 +Subject: gpio: Fix crash due to registration race + +From: Vincent Whitchurch + +[ Upstream commit d49b48f088c323dbacae44dfbe56d9c985c8a2a1 ] + +gpiochip_add_data_with_key() adds the gpiochip to the gpio_devices list +before of_gpiochip_add() is called, but it's only the latter which sets +the ->of_xlate function pointer. gpiochip_find() can be called by +someone else between these two actions, and it can find the chip and +call of_gpiochip_match_node_and_xlate() which leads to the following +crash due to a NULL ->of_xlate(). + + Unhandled prefetch abort: page domain fault (0x01b) at 0x00000000 + Modules linked in: leds_gpio(+) gpio_generic(+) + CPU: 0 PID: 830 Comm: insmod Not tainted 4.18.0+ #43 + Hardware name: ARM-Versatile Express + PC is at (null) + LR is at of_gpiochip_match_node_and_xlate+0x2c/0x38 + Process insmod (pid: 830, stack limit = 0x(ptrval)) + (of_gpiochip_match_node_and_xlate) from (gpiochip_find+0x48/0x84) + (gpiochip_find) from (of_get_named_gpiod_flags+0xa8/0x238) + (of_get_named_gpiod_flags) from (gpiod_get_from_of_node+0x2c/0xc8) + (gpiod_get_from_of_node) from (devm_fwnode_get_index_gpiod_from_child+0xb8/0x144) + (devm_fwnode_get_index_gpiod_from_child) from (gpio_led_probe+0x208/0x3c4 [leds_gpio]) + (gpio_led_probe [leds_gpio]) from (platform_drv_probe+0x48/0x9c) + (platform_drv_probe) from (really_probe+0x1d0/0x3d4) + (really_probe) from (driver_probe_device+0x78/0x1c0) + (driver_probe_device) from (__driver_attach+0x120/0x13c) + (__driver_attach) from (bus_for_each_dev+0x68/0xb4) + (bus_for_each_dev) from (bus_add_driver+0x1a8/0x268) + (bus_add_driver) from (driver_register+0x78/0x10c) + (driver_register) from (do_one_initcall+0x54/0x1fc) + (do_one_initcall) from (do_init_module+0x64/0x1f4) + (do_init_module) from (load_module+0x2198/0x26ac) + (load_module) from (sys_finit_module+0xe0/0x110) + (sys_finit_module) 
from (ret_fast_syscall+0x0/0x54) + +One way to fix this would be to rework the hairy registration sequence +in gpiochip_add_data_with_key(), but since I'd probably introduce a +couple of new bugs if I attempted that, simply add a check for a +non-NULL of_xlate function pointer in +of_gpiochip_match_node_and_xlate(). This works since the driver looking +for the gpio will simply fail to find the gpio and defer its probe and +be reprobed when the driver which is registering the gpiochip has fully +completed its probe. + +Signed-off-by: Vincent Whitchurch +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpiolib-of.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -31,6 +31,7 @@ static int of_gpiochip_match_node_and_xl + struct of_phandle_args *gpiospec = data; + + return chip->gpiodev->dev.of_node == gpiospec->np && ++ chip->of_xlate && + chip->of_xlate(chip, gpiospec, NULL) >= 0; + } + diff --git a/queue-4.9/i2c-uniphier-f-issue-stop-only-for-last-message-or-i2c_m_stop.patch b/queue-4.9/i2c-uniphier-f-issue-stop-only-for-last-message-or-i2c_m_stop.patch new file mode 100644 index 00000000000..1393f916a82 --- /dev/null +++ b/queue-4.9/i2c-uniphier-f-issue-stop-only-for-last-message-or-i2c_m_stop.patch 
@@ -0,0 +1,42 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: Masahiro Yamada +Date: Fri, 31 Aug 2018 23:30:48 +0900 +Subject: i2c: uniphier-f: issue STOP only for last message or I2C_M_STOP + +From: Masahiro Yamada + +[ Upstream commit 4c85609b08c4761eca0a40fd7beb06bc650f252d ] + +This driver currently emits a STOP if the next message is not +I2C_MD_RD. It should not do it because it disturbs the I2C_RDWR +ioctl, where read/write transactions are combined without STOP +between. + +Issue STOP only when the message is the last one _or_ flagged with +I2C_M_STOP. + +Fixes: 6a62974b667f ("i2c: uniphier_f: add UniPhier FIFO-builtin I2C driver") +Signed-off-by: Masahiro Yamada +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-uniphier-f.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/drivers/i2c/busses/i2c-uniphier-f.c ++++ b/drivers/i2c/busses/i2c-uniphier-f.c +@@ -400,11 +400,8 @@ static int uniphier_fi2c_master_xfer(str + return ret; + + for (msg = msgs; msg < emsg; msg++) { +- /* If next message is read, skip the stop condition */ +- bool stop = !(msg + 1 < emsg && msg[1].flags & I2C_M_RD); +- /* but, force it if I2C_M_STOP is set */ +- if (msg->flags & I2C_M_STOP) +- stop = true; ++ /* Emit STOP if it is the last message or I2C_M_STOP is set. */ ++ bool stop = (msg + 1 == emsg) || (msg->flags & I2C_M_STOP); + + ret = uniphier_fi2c_master_xfer_one(adap, msg, stop); + if (ret) diff --git a/queue-4.9/i2c-uniphier-issue-stop-only-for-last-message-or-i2c_m_stop.patch b/queue-4.9/i2c-uniphier-issue-stop-only-for-last-message-or-i2c_m_stop.patch new file mode 100644 index 00000000000..13164c2498c --- /dev/null +++ b/queue-4.9/i2c-uniphier-issue-stop-only-for-last-message-or-i2c_m_stop.patch 
@@ -0,0 +1,42 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: Masahiro Yamada +Date: Fri, 31 Aug 2018 23:30:47 +0900 +Subject: i2c: uniphier: issue STOP only for last message or I2C_M_STOP + +From: Masahiro Yamada + +[ Upstream commit 38f5d8d8cbb2ffa2b54315118185332329ec891c ] + +This driver currently emits a STOP if the next message is not +I2C_MD_RD. It should not do it because it disturbs the I2C_RDWR +ioctl, where read/write transactions are combined without STOP +between. + +Issue STOP only when the message is the last one _or_ flagged with +I2C_M_STOP. + +Fixes: dd6fd4a32793 ("i2c: uniphier: add UniPhier FIFO-less I2C driver") +Signed-off-by: Masahiro Yamada +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-uniphier.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/drivers/i2c/busses/i2c-uniphier.c ++++ b/drivers/i2c/busses/i2c-uniphier.c +@@ -247,11 +247,8 @@ static int uniphier_i2c_master_xfer(stru + return ret; + + for (msg = msgs; msg < emsg; msg++) { +- /* If next message is read, skip the stop condition */ +- bool stop = !(msg + 1 < emsg && msg[1].flags & I2C_M_RD); +- /* but, force it if I2C_M_STOP is set */ +- if (msg->flags & I2C_M_STOP) +- stop = true; ++ /* Emit STOP if it is the last message or I2C_M_STOP is set. */ ++ bool stop = (msg + 1 == emsg) || (msg->flags & I2C_M_STOP); + + ret = uniphier_i2c_master_xfer_one(adap, msg, stop); + if (ret) diff --git a/queue-4.9/kvm-ppc-book3s-hv-don-t-truncate-hpte-index-in-xlate-function.patch b/queue-4.9/kvm-ppc-book3s-hv-don-t-truncate-hpte-index-in-xlate-function.patch new file mode 100644 index 00000000000..fdd87fa396a --- /dev/null +++ b/queue-4.9/kvm-ppc-book3s-hv-don-t-truncate-hpte-index-in-xlate-function.patch 
@@ -0,0 +1,42 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: Paul Mackerras +Date: Mon, 20 Aug 2018 16:05:45 +1000 +Subject: KVM: PPC: Book3S HV: Don't truncate HPTE index in xlate function + +From: Paul Mackerras + +[ Upstream commit 46dec40fb741f00f1864580130779aeeaf24fb3d ] + +This fixes a bug which causes guest virtual addresses to get translated +to guest real addresses incorrectly when the guest is using the HPT MMU +and has more than 256GB of RAM, or more specifically has a HPT larger +than 2GB. This has showed up in testing as a failure of the host to +emulate doorbell instructions correctly on POWER9 for HPT guests with +more than 256GB of RAM. + +The bug is that the HPTE index in kvmppc_mmu_book3s_64_hv_xlate() +is stored as an int, and in forming the HPTE address, the index gets +shifted left 4 bits as an int before being signed-extended to 64 bits. +The simple fix is to make the variable a long int, matching the +return type of kvmppc_hv_find_lock_hpte(), which is what calculates +the index. + +Fixes: 697d3899dcb4 ("KVM: PPC: Implement MMIO emulation support for Book3S HV guests") +Signed-off-by: Paul Mackerras +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kvm/book3s_64_mmu_hv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/kvm/book3s_64_mmu_hv.c ++++ b/arch/powerpc/kvm/book3s_64_mmu_hv.c +@@ -314,7 +314,7 @@ static int kvmppc_mmu_book3s_64_hv_xlate + unsigned long pp, key; + unsigned long v, gr; + __be64 *hptep; +- int index; ++ long int index; + int virtmode = vcpu->arch.shregs.msr & (data ? MSR_DR : MSR_IR); + + /* Get SLB entry */ diff --git a/queue-4.9/mac80211-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch b/queue-4.9/mac80211-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch new file mode 100644 index 00000000000..c55f98d9da6 --- /dev/null +++ b/queue-4.9/mac80211-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch 
@@ -0,0 +1,37 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: Danek Duvall +Date: Wed, 22 Aug 2018 16:01:04 -0700 +Subject: mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X + +From: Danek Duvall + +[ Upstream commit 67d1ba8a6dc83d90cd58b89fa6cbf9ae35a0cf7f ] + +The mod mask for VHT capabilities intends to say that you can override +the number of STBC receive streams, and it does, but only by accident. +The IEEE80211_VHT_CAP_RXSTBC_X aren't bits to be set, but values (albeit +left-shifted). ORing the bits together gets the right answer, but we +should use the _MASK macro here instead. + +Signed-off-by: Danek Duvall +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/main.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -466,10 +466,7 @@ static const struct ieee80211_vht_cap ma + cpu_to_le32(IEEE80211_VHT_CAP_RXLDPC | + IEEE80211_VHT_CAP_SHORT_GI_80 | + IEEE80211_VHT_CAP_SHORT_GI_160 | +- IEEE80211_VHT_CAP_RXSTBC_1 | +- IEEE80211_VHT_CAP_RXSTBC_2 | +- IEEE80211_VHT_CAP_RXSTBC_3 | +- IEEE80211_VHT_CAP_RXSTBC_4 | ++ IEEE80211_VHT_CAP_RXSTBC_MASK | + IEEE80211_VHT_CAP_TXSTBC | + IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE | + IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE | diff --git a/queue-4.9/mac80211-don-t-tx-a-deauth-frame-if-the-ap-forbade-tx.patch b/queue-4.9/mac80211-don-t-tx-a-deauth-frame-if-the-ap-forbade-tx.patch new file mode 100644 index 00000000000..d1d4ac20807 --- /dev/null +++ b/queue-4.9/mac80211-don-t-tx-a-deauth-frame-if-the-ap-forbade-tx.patch 
@@ -0,0 +1,87 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: Emmanuel Grumbach +Date: Fri, 31 Aug 2018 11:31:12 +0300 +Subject: mac80211: don't Tx a deauth frame if the AP forbade Tx + +From: Emmanuel Grumbach + +[ Upstream commit 6c18b27d6e5c6a7206364eae2b47bc8d8b2fa68f ] + +If the driver fails to properly prepare for the channel +switch, mac80211 will disconnect. If the CSA IE had mode +set to 1, it means that the clients are not allowed to send +any Tx on the current channel, and that includes the +deauthentication frame. + +Make sure that we don't send the deauthentication frame in +this case. + +In iwlwifi, this caused a failure to flush queues since the +firmware already closed the queues after having parsed the +CSA IE. Then mac80211 would wait until the deauthentication +frame would go out (drv_flush(drop=false)) and that would +never happen. + +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mlme.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -1282,6 +1282,16 @@ ieee80211_sta_process_chanswitch(struct + cbss->beacon_interval)); + return; + drop_connection: ++ /* ++ * This is just so that the disconnect flow will know that ++ * we were trying to switch channel and failed. In case the ++ * mode is 1 (we are not allowed to Tx), we will know not to ++ * send a deauthentication frame. Those two fields will be ++ * reset when the disconnection worker runs. 
++ */ ++ sdata->vif.csa_active = true; ++ sdata->csa_block_tx = csa_ie.mode; ++ + ieee80211_queue_work(&local->hw, &ifmgd->csa_connection_drop_work); + mutex_unlock(&local->chanctx_mtx); + mutex_unlock(&local->mtx); +@@ -2454,6 +2464,7 @@ static void __ieee80211_disconnect(struc + struct ieee80211_local *local = sdata->local; + struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; + u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN]; ++ bool tx; + + sdata_lock(sdata); + if (!ifmgd->associated) { +@@ -2461,6 +2472,8 @@ static void __ieee80211_disconnect(struc + return; + } + ++ tx = !sdata->csa_block_tx; ++ + /* AP is probably out of range (or not reachable for another reason) so + * remove the bss struct for that AP. + */ +@@ -2468,7 +2481,7 @@ static void __ieee80211_disconnect(struc + + ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH, + WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY, +- true, frame_buf); ++ tx, frame_buf); + mutex_lock(&local->mtx); + sdata->vif.csa_active = false; + ifmgd->csa_waiting_bcn = false; +@@ -2479,7 +2492,7 @@ static void __ieee80211_disconnect(struc + } + mutex_unlock(&local->mtx); + +- ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), true, ++ ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), tx, + WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY); + + sdata_unlock(sdata); diff --git a/queue-4.9/mac80211-fix-a-race-between-restart-and-csa-flows.patch b/queue-4.9/mac80211-fix-a-race-between-restart-and-csa-flows.patch new file mode 100644 index 00000000000..2861f017fc9 --- /dev/null +++ b/queue-4.9/mac80211-fix-a-race-between-restart-and-csa-flows.patch 
@@ -0,0 +1,95 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: Emmanuel Grumbach +Date: Fri, 31 Aug 2018 11:31:06 +0300 +Subject: mac80211: fix a race between restart and CSA flows + +From: Emmanuel Grumbach + +[ Upstream commit f3ffb6c3a28963657eb8b02a795d75f2ebbd5ef4 ] + +We hit a problem with iwlwifi that was caused by a bug in +mac80211. A bug in iwlwifi caused the firwmare to crash in +certain cases in channel switch. Because of that bug, +drv_pre_channel_switch would fail and trigger the restart +flow. +Now we had the hw restart worker which runs on the system's +workqueue and the csa_connection_drop_work worker that runs +on mac80211's workqueue that can run together. This is +obviously problematic since the restart work wants to +reconfigure the connection, while the csa_connection_drop_work +worker does the exact opposite: it tries to disconnect. + +Fix this by cancelling the csa_connection_drop_work worker +in the restart worker. + +Note that this can sound racy: we could have: + +driver iface_work CSA_work restart_work ++++++++++++++++++++++++++++++++++++++++++++++ + | + <--drv_cs ---| + +-CS FAILED--> + | | + | cancel_work(CSA) + schedule | + CSA work | + | | + Race between those 2 + +But this is not possible because we flush the workqueue +in the restart worker before we cancel the CSA worker. +That would be bullet proof if we could guarantee that +we schedule the CSA worker only from the iface_work +which runs on the workqueue (and not on the system's +workqueue), but unfortunately we do have an instance +in which we schedule the CSA work outside the context +of the workqueue (ieee80211_chswitch_done). + +Note also that we should probably cancel other workers +like beacon_connection_loss_work and possibly others +for different types of interfaces, at the very least, +IBSS should suffer from the exact same problem, but for +now, do the minimum to fix the actual bug that was actually +experienced and reproduced. 
+ +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/main.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -254,8 +254,27 @@ static void ieee80211_restart_work(struc + "%s called with hardware scan in progress\n", __func__); + + rtnl_lock(); +- list_for_each_entry(sdata, &local->interfaces, list) ++ list_for_each_entry(sdata, &local->interfaces, list) { ++ /* ++ * XXX: there may be more work for other vif types and even ++ * for station mode: a good thing would be to run most of ++ * the iface type's dependent _stop (ieee80211_mg_stop, ++ * ieee80211_ibss_stop) etc... ++ * For now, fix only the specific bug that was seen: race ++ * between csa_connection_drop_work and us. ++ */ ++ if (sdata->vif.type == NL80211_IFTYPE_STATION) { ++ /* ++ * This worker is scheduled from the iface worker that ++ * runs on mac80211's workqueue, so we can't be ++ * scheduling this worker after the cancel right here. ++ * The exception is ieee80211_chswitch_done. ++ * Then we can have a race... ++ */ ++ cancel_work_sync(&sdata->u.mgd.csa_connection_drop_work); ++ } + flush_delayed_work(&sdata->dec_tailroom_needed_wk); ++ } + ieee80211_scan_cancel(local); + + /* make sure any new ROC will consider local->in_reconfig */ diff --git a/queue-4.9/mac80211-fix-station-bandwidth-setting-after-channel-switch.patch b/queue-4.9/mac80211-fix-station-bandwidth-setting-after-channel-switch.patch new file mode 100644 index 00000000000..ba1583b657a --- /dev/null +++ b/queue-4.9/mac80211-fix-station-bandwidth-setting-after-channel-switch.patch 
@@ -0,0 +1,104 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: Ilan Peer +Date: Fri, 31 Aug 2018 11:31:10 +0300 +Subject: mac80211: Fix station bandwidth setting after channel switch + +From: Ilan Peer + +[ Upstream commit 0007e94355fdb71a1cf5dba0754155cba08f0666 ] + +When performing a channel switch flow for a managed interface, the +flow did not update the bandwidth of the AP station and the rate +scale algorithm. In case of a channel width downgrade, this would +result with the rate scale algorithm using a bandwidth that does not +match the interface channel configuration. + +Fix this by updating the AP station bandwidth and rate scaling algorithm +before the actual channel change in case of a bandwidth downgrade, or +after the actual channel change in case of a bandwidth upgrade. + +Signed-off-by: Ilan Peer +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mlme.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 53 insertions(+) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -989,6 +989,10 @@ static void ieee80211_chswitch_work(stru + */ + + if (sdata->reserved_chanctx) { ++ struct ieee80211_supported_band *sband = NULL; ++ struct sta_info *mgd_sta = NULL; ++ enum ieee80211_sta_rx_bandwidth bw = IEEE80211_STA_RX_BW_20; ++ + /* + * with multi-vif csa driver may call ieee80211_csa_finish() + * many times while waiting for other interfaces to use their +@@ -997,6 +1001,48 @@ static void ieee80211_chswitch_work(stru + if (sdata->reserved_ready) + goto out; + ++ if (sdata->vif.bss_conf.chandef.width != ++ sdata->csa_chandef.width) { ++ /* ++ * For managed interface, we need to also update the AP ++ * station bandwidth and align the rate scale algorithm ++ * on the bandwidth change. 
Here we only consider the ++ * bandwidth of the new channel definition (as channel ++ * switch flow does not have the full HT/VHT/HE ++ * information), assuming that if additional changes are ++ * required they would be done as part of the processing ++ * of the next beacon from the AP. ++ */ ++ switch (sdata->csa_chandef.width) { ++ case NL80211_CHAN_WIDTH_20_NOHT: ++ case NL80211_CHAN_WIDTH_20: ++ default: ++ bw = IEEE80211_STA_RX_BW_20; ++ break; ++ case NL80211_CHAN_WIDTH_40: ++ bw = IEEE80211_STA_RX_BW_40; ++ break; ++ case NL80211_CHAN_WIDTH_80: ++ bw = IEEE80211_STA_RX_BW_80; ++ break; ++ case NL80211_CHAN_WIDTH_80P80: ++ case NL80211_CHAN_WIDTH_160: ++ bw = IEEE80211_STA_RX_BW_160; ++ break; ++ } ++ ++ mgd_sta = sta_info_get(sdata, ifmgd->bssid); ++ sband = ++ local->hw.wiphy->bands[sdata->csa_chandef.chan->band]; ++ } ++ ++ if (sdata->vif.bss_conf.chandef.width > ++ sdata->csa_chandef.width) { ++ mgd_sta->sta.bandwidth = bw; ++ rate_control_rate_update(local, sband, mgd_sta, ++ IEEE80211_RC_BW_CHANGED); ++ } ++ + ret = ieee80211_vif_use_reserved_context(sdata); + if (ret) { + sdata_info(sdata, +@@ -1007,6 +1053,13 @@ static void ieee80211_chswitch_work(stru + goto out; + } + ++ if (sdata->vif.bss_conf.chandef.width < ++ sdata->csa_chandef.width) { ++ mgd_sta->sta.bandwidth = bw; ++ rate_control_rate_update(local, sband, mgd_sta, ++ IEEE80211_RC_BW_CHANGED); ++ } ++ + goto out; + } + diff --git a/queue-4.9/mac80211-mesh-fix-hwmp-sequence-numbering-to-follow-standard.patch b/queue-4.9/mac80211-mesh-fix-hwmp-sequence-numbering-to-follow-standard.patch new file mode 100644 index 00000000000..748de1c850f --- /dev/null +++ b/queue-4.9/mac80211-mesh-fix-hwmp-sequence-numbering-to-follow-standard.patch 
@@ -0,0 +1,36 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: Yuan-Chi Pang +Date: Wed, 29 Aug 2018 09:30:08 +0800 +Subject: mac80211: mesh: fix HWMP sequence numbering to follow standard + +From: Yuan-Chi Pang + +[ Upstream commit 1f631c3201fe5491808df143d8fcba81b3197ffd ] + +IEEE 802.11-2016 14.10.8.3 HWMP sequence numbering says: +If it is a target mesh STA, it shall update its own HWMP SN to +maximum (current HWMP SN, target HWMP SN in the PREQ element) + 1 +immediately before it generates a PREP element in response to a +PREQ element. + +Signed-off-by: Yuan-Chi Pang +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mesh_hwmp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/mac80211/mesh_hwmp.c ++++ b/net/mac80211/mesh_hwmp.c +@@ -563,6 +563,10 @@ static void hwmp_preq_frame_process(stru + forward = false; + reply = true; + target_metric = 0; ++ ++ if (SN_GT(target_sn, ifmsh->sn)) ++ ifmsh->sn = target_sn; ++ + if (time_after(jiffies, ifmsh->last_sn_update + + net_traversal_jiffies(sdata)) || + time_before(jiffies, ifmsh->last_sn_update)) { diff --git a/queue-4.9/mac80211-run-txq-teardown-code-before-de-registering-interfaces.patch b/queue-4.9/mac80211-run-txq-teardown-code-before-de-registering-interfaces.patch new file mode 100644 index 00000000000..89d0b3c935a --- /dev/null +++ b/queue-4.9/mac80211-run-txq-teardown-code-before-de-registering-interfaces.patch 
@@ -0,0 +1,43 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: "Toke Høiland-Jørgensen" +Date: Mon, 13 Aug 2018 14:16:25 +0200 +Subject: mac80211: Run TXQ teardown code before de-registering interfaces + +From: "Toke Høiland-Jørgensen" + +[ Upstream commit 77cfaf52eca5cac30ed029507e0cab065f888995 ] + +The TXQ teardown code can reference the vif data structures that are +stored in the netdev private memory area if there are still packets on +the queue when it is being freed. Since the TXQ teardown code is run +after the netdevs are freed, this can lead to a use-after-free. Fix this +by moving the TXQ teardown code to earlier in ieee80211_unregister_hw(). + +Reported-by: Ben Greear +Tested-by: Ben Greear +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -1164,6 +1164,7 @@ void ieee80211_unregister_hw(struct ieee + #if IS_ENABLED(CONFIG_IPV6) + unregister_inet6addr_notifier(&local->ifa6_notifier); + #endif ++ ieee80211_txq_teardown_flows(local); + + rtnl_lock(); + +@@ -1191,7 +1192,6 @@ void ieee80211_unregister_hw(struct ieee + skb_queue_purge(&local->skb_queue); + skb_queue_purge(&local->skb_queue_unreliable); + skb_queue_purge(&local->skb_queue_tdls_chsw); +- ieee80211_txq_teardown_flows(local); + + destroy_workqueue(local->workqueue); + wiphy_unregister(local->hw.wiphy); diff --git a/queue-4.9/mac80211-shorten-the-ibss-debug-messages.patch b/queue-4.9/mac80211-shorten-the-ibss-debug-messages.patch new file mode 100644 index 00000000000..9399aee5525 --- /dev/null +++ b/queue-4.9/mac80211-shorten-the-ibss-debug-messages.patch 
@@ -0,0 +1,83 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: Emmanuel Grumbach +Date: Fri, 31 Aug 2018 11:31:13 +0300 +Subject: mac80211: shorten the IBSS debug messages + +From: Emmanuel Grumbach + +[ Upstream commit c6e57b3896fc76299913b8cfd82d853bee8a2c84 ] + +When tracing is enabled, all the debug messages are recorded and must +not exceed MAX_MSG_LEN (100) columns. Longer debug messages grant the +user with: + +WARNING: CPU: 3 PID: 32642 at /tmp/wifi-core-20180806094828/src/iwlwifi-stack-dev/net/mac80211/./trace_msg.h:32 trace_event_raw_event_mac80211_msg_event+0xab/0xc0 [mac80211] +Workqueue: phy1 ieee80211_iface_work [mac80211] + RIP: 0010:trace_event_raw_event_mac80211_msg_event+0xab/0xc0 [mac80211] + Call Trace: + __sdata_dbg+0xbd/0x120 [mac80211] + ieee80211_ibss_rx_queued_mgmt+0x15f/0x510 [mac80211] + ieee80211_iface_work+0x21d/0x320 [mac80211] + +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/ibss.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- a/net/mac80211/ibss.c ++++ b/net/mac80211/ibss.c +@@ -948,8 +948,8 @@ static void ieee80211_rx_mgmt_deauth_ibs + if (len < IEEE80211_DEAUTH_FRAME_LEN) + return; + +- ibss_dbg(sdata, "RX DeAuth SA=%pM DA=%pM BSSID=%pM (reason: %d)\n", +- mgmt->sa, mgmt->da, mgmt->bssid, reason); ++ ibss_dbg(sdata, "RX DeAuth SA=%pM DA=%pM\n", mgmt->sa, mgmt->da); ++ ibss_dbg(sdata, "\tBSSID=%pM (reason: %d)\n", mgmt->bssid, reason); + sta_info_destroy_addr(sdata, mgmt->sa); + } + +@@ -967,9 +967,9 @@ static void ieee80211_rx_mgmt_auth_ibss( + auth_alg = le16_to_cpu(mgmt->u.auth.auth_alg); + auth_transaction = le16_to_cpu(mgmt->u.auth.auth_transaction); + +- ibss_dbg(sdata, +- "RX Auth SA=%pM DA=%pM BSSID=%pM (auth_transaction=%d)\n", +- mgmt->sa, mgmt->da, mgmt->bssid, auth_transaction); ++ ibss_dbg(sdata, "RX Auth SA=%pM DA=%pM\n", mgmt->sa, mgmt->da); ++ 
ibss_dbg(sdata, "\tBSSID=%pM (auth_transaction=%d)\n", ++ mgmt->bssid, auth_transaction); + + if (auth_alg != WLAN_AUTH_OPEN || auth_transaction != 1) + return; +@@ -1176,10 +1176,10 @@ static void ieee80211_rx_bss_info(struct + rx_timestamp = drv_get_tsf(local, sdata); + } + +- ibss_dbg(sdata, +- "RX beacon SA=%pM BSSID=%pM TSF=0x%llx BCN=0x%llx diff=%lld @%lu\n", ++ ibss_dbg(sdata, "RX beacon SA=%pM BSSID=%pM TSF=0x%llx\n", + mgmt->sa, mgmt->bssid, +- (unsigned long long)rx_timestamp, ++ (unsigned long long)rx_timestamp); ++ ibss_dbg(sdata, "\tBCN=0x%llx diff=%lld @%lu\n", + (unsigned long long)beacon_timestamp, + (unsigned long long)(rx_timestamp - beacon_timestamp), + jiffies); +@@ -1538,9 +1538,9 @@ static void ieee80211_rx_mgmt_probe_req( + + tx_last_beacon = drv_tx_last_beacon(local); + +- ibss_dbg(sdata, +- "RX ProbeReq SA=%pM DA=%pM BSSID=%pM (tx_last_beacon=%d)\n", +- mgmt->sa, mgmt->da, mgmt->bssid, tx_last_beacon); ++ ibss_dbg(sdata, "RX ProbeReq SA=%pM DA=%pM\n", mgmt->sa, mgmt->da); ++ ibss_dbg(sdata, "\tBSSID=%pM (tx_last_beacon=%d)\n", ++ mgmt->bssid, tx_last_beacon); + + if (!tx_last_beacon && is_multicast_ether_addr(mgmt->da)) + return; diff --git a/queue-4.9/mac80211_hwsim-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch b/queue-4.9/mac80211_hwsim-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch new file mode 100644 index 00000000000..0948cd9eb7c --- /dev/null +++ b/queue-4.9/mac80211_hwsim-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch 
@@ -0,0 +1,35 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: Danek Duvall +Date: Wed, 22 Aug 2018 16:01:05 -0700 +Subject: mac80211_hwsim: correct use of IEEE80211_VHT_CAP_RXSTBC_X + +From: Danek Duvall + +[ Upstream commit d7c863a2f65e48f442379f4ee1846d52e0c5d24d ] + +The mac80211_hwsim driver intends to say that it supports up to four +STBC receive streams, but instead it ends up saying something undefined. +The IEEE80211_VHT_CAP_RXSTBC_X macros aren't independent bits that can +be ORed together, but values. In this case, _4 is the appropriate one +to use. + +Signed-off-by: Danek Duvall +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mac80211_hwsim.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -2569,9 +2569,6 @@ static int mac80211_hwsim_new_radio(stru + IEEE80211_VHT_CAP_SHORT_GI_80 | + IEEE80211_VHT_CAP_SHORT_GI_160 | + IEEE80211_VHT_CAP_TXSTBC | +- IEEE80211_VHT_CAP_RXSTBC_1 | +- IEEE80211_VHT_CAP_RXSTBC_2 | +- IEEE80211_VHT_CAP_RXSTBC_3 | + IEEE80211_VHT_CAP_RXSTBC_4 | + IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_MASK; + sband->vht_cap.vht_mcs.rx_mcs_map = diff --git a/queue-4.9/net-cadence-fix-a-sleep-in-atomic-context-bug-in-macb_halt_tx.patch b/queue-4.9/net-cadence-fix-a-sleep-in-atomic-context-bug-in-macb_halt_tx.patch new file mode 100644 index 00000000000..7db4d259996 --- /dev/null +++ b/queue-4.9/net-cadence-fix-a-sleep-in-atomic-context-bug-in-macb_halt_tx.patch 
@@ -0,0 +1,44 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: Jia-Ju Bai +Date: Sat, 1 Sep 2018 20:11:05 +0800 +Subject: net: cadence: Fix a sleep-in-atomic-context bug in macb_halt_tx() + +From: Jia-Ju Bai + +[ Upstream commit 16fe10cf92783ed9ceb182d6ea2b8adf5e8ec1b8 ] + +The kernel module may sleep with holding a spinlock. + +The function call paths (from bottom to top) in Linux-4.16 are: + +[FUNC] usleep_range +drivers/net/ethernet/cadence/macb_main.c, 648: + usleep_range in macb_halt_tx +drivers/net/ethernet/cadence/macb_main.c, 730: + macb_halt_tx in macb_tx_error_task +drivers/net/ethernet/cadence/macb_main.c, 721: + _raw_spin_lock_irqsave in macb_tx_error_task + +To fix this bug, usleep_range() is replaced with udelay(). + +This bug is found by my static analysis tool DSAC. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cadence/macb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/cadence/macb.c ++++ b/drivers/net/ethernet/cadence/macb.c +@@ -517,7 +517,7 @@ static int macb_halt_tx(struct macb *bp) + if (!(status & MACB_BIT(TGO))) + return 0; + +- usleep_range(10, 250); ++ udelay(250); + } while (time_before(halt_time, timeout)); + + return -ETIMEDOUT; diff --git a/queue-4.9/net-ethernet-cpsw-phy-sel-prefer-phandle-for-phy-sel.patch b/queue-4.9/net-ethernet-cpsw-phy-sel-prefer-phandle-for-phy-sel.patch new file mode 100644 index 00000000000..c9f4a8d4ed0 --- /dev/null +++ b/queue-4.9/net-ethernet-cpsw-phy-sel-prefer-phandle-for-phy-sel.patch 
@@ -0,0 +1,63 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: Tony Lindgren +Date: Wed, 29 Aug 2018 08:00:24 -0700 +Subject: net: ethernet: cpsw-phy-sel: prefer phandle for phy sel + +From: Tony Lindgren + +[ Upstream commit 18eb8aea7fb2fb4490e578b1b8a1096c34b2fc48 ] + +The cpsw-phy-sel device is not a child of the cpsw interconnect target +module. It lives in the system control module. + +Let's fix this issue by trying to use cpsw-phy-sel phandle first if it +exists and if not fall back to current usage of trying to find the +cpsw-phy-sel child. That way the phy sel driver can be a child of the +system control module where it belongs in the device tree. + +Without this fix, we cannot have a proper interconnect target module +hierarchy in device tree for things like genpd. + +Note that deferred probe is mostly not supported by cpsw and this patch +does not attempt to fix that. In case deferred probe support is needed, +this could be added to cpsw_slave_open() and phy_connect() so they start +handling and returning errors. + +For documenting it, looks like the cpsw-phy-sel is used for all cpsw device +tree nodes. It's missing the related binding documentation, so let's also +update the binding documentation accordingly. + +Cc: devicetree@vger.kernel.org +Cc: Andrew Lunn +Cc: Grygorii Strashko +Cc: Ivan Khoronzhuk +Cc: Mark Rutland +Cc: Murali Karicheri +Cc: Rob Herring +Signed-off-by: Tony Lindgren +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/cpsw-phy-sel.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/ti/cpsw-phy-sel.c ++++ b/drivers/net/ethernet/ti/cpsw-phy-sel.c +@@ -170,10 +170,13 @@ void cpsw_phy_sel(struct device *dev, ph + struct device_node *node; + struct cpsw_phy_sel_priv *priv; + +- node = of_get_child_by_name(dev->of_node, "cpsw-phy-sel"); ++ node = of_parse_phandle(dev->of_node, "cpsw-phy-sel", 0); + if (!node) { +- dev_err(dev, "Phy mode driver DT not found\n"); +- return; ++ node = of_get_child_by_name(dev->of_node, "cpsw-phy-sel"); ++ if (!node) { ++ dev_err(dev, "Phy mode driver DT not found\n"); ++ return; ++ } + } + + dev = bus_find_device(&platform_bus_type, NULL, node, match); diff --git a/queue-4.9/net-hns-add-netif_carrier_off-before-change-speed-and-duplex.patch b/queue-4.9/net-hns-add-netif_carrier_off-before-change-speed-and-duplex.patch new file mode 100644 index 00000000000..07f1a848ddd --- /dev/null +++ b/queue-4.9/net-hns-add-netif_carrier_off-before-change-speed-and-duplex.patch 
@@ -0,0 +1,36 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: Peng Li +Date: Mon, 27 Aug 2018 09:59:30 +0800 +Subject: net: hns: add netif_carrier_off before change speed and duplex + +From: Peng Li + +[ Upstream commit 455c4401fe7a538facaffb35b906ce19f1ece474 ] + +If there are packets in hardware when changing the speed +or duplex, it may cause hardware hang up. + +This patch adds netif_carrier_off before change speed and +duplex in ethtool_ops.set_link_ksettings, and adds +netif_carrier_on after complete the change. + +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns/hns_ethtool.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c +@@ -243,7 +243,9 @@ static int hns_nic_set_link_ksettings(st + } + + if (h->dev->ops->adjust_link) { ++ netif_carrier_off(net_dev); + h->dev->ops->adjust_link(h, (int)speed, cmd->base.duplex); ++ netif_carrier_on(net_dev); + return 0; + } + diff --git a/queue-4.9/raid10-bug_on-in-raise_barrier-when-force-is-true-and-conf-barrier-is-0.patch b/queue-4.9/raid10-bug_on-in-raise_barrier-when-force-is-true-and-conf-barrier-is-0.patch new file mode 100644 index 00000000000..d0cb1d71c16 --- /dev/null +++ b/queue-4.9/raid10-bug_on-in-raise_barrier-when-force-is-true-and-conf-barrier-is-0.patch 
@@ -0,0 +1,56 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: Xiao Ni +Date: Thu, 30 Aug 2018 15:57:09 +0800 +Subject: RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0 + +From: Xiao Ni + +[ Upstream commit 1d0ffd264204eba1861865560f1f7f7a92919384 ] + +In raid10 reshape_request it gets max_sectors in read_balance. If the underlayer disks +have bad blocks, the max_sectors is less than last. It will call goto read_more many +times. It calls raise_barrier(conf, sectors_done != 0) every time. In this condition +sectors_done is not 0. So the value passed to the argument force of raise_barrier is +true. + +In raise_barrier it checks conf->barrier when force is true. If force is true and +conf->barrier is 0, it panic. In this case reshape_request submits bio to under layer +disks. And in the callback function of the bio it calls lower_barrier. If the bio +finishes before calling raise_barrier again, it can trigger the BUG_ON. + +Add one pair of raise_barrier/lower_barrier to fix this bug. + +Signed-off-by: Xiao Ni +Suggested-by: Neil Brown +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid10.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -4381,11 +4381,12 @@ static sector_t reshape_request(struct m + allow_barrier(conf); + } + ++ raise_barrier(conf, 0); + read_more: + /* Now schedule reads for blocks from sector_nr to last */ + r10_bio = mempool_alloc(conf->r10buf_pool, GFP_NOIO); + r10_bio->state = 0; +- raise_barrier(conf, sectors_done != 0); ++ raise_barrier(conf, 1); + atomic_set(&r10_bio->remaining, 0); + r10_bio->mddev = mddev; + r10_bio->sector = sector_nr; +@@ -4492,6 +4493,8 @@ bio_full: + if (sector_nr <= last) + goto read_more; + ++ lower_barrier(conf); ++ + /* Now that we have done the whole section we can + * update reshape_progress + */ 
diff --git a/queue-4.9/series b/queue-4.9/series index cc2e0b03a5d..e78b7b1a95f 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -1,2 +1,25 @@ serial-mvebu-uart-fix-reporting-of-effective-csize-to-userspace.patch time-introduce-jiffies64_to_nsecs.patch +mac80211-run-txq-teardown-code-before-de-registering-interfaces.patch +kvm-ppc-book3s-hv-don-t-truncate-hpte-index-in-xlate-function.patch +mac80211-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch +mac80211_hwsim-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch +gpio-adp5588-fix-sleep-in-atomic-context-bug.patch +mac80211-mesh-fix-hwmp-sequence-numbering-to-follow-standard.patch +net-hns-add-netif_carrier_off-before-change-speed-and-duplex.patch +cfg80211-nl80211_update_ft_ies-to-validate-nl80211_attr_ie.patch +gpio-fix-crash-due-to-registration-race.patch +arc-atomics-unbork-atomic_fetch_-op.patch +raid10-bug_on-in-raise_barrier-when-force-is-true-and-conf-barrier-is-0.patch +net-ethernet-cpsw-phy-sel-prefer-phandle-for-phy-sel.patch +i2c-uniphier-issue-stop-only-for-last-message-or-i2c_m_stop.patch +i2c-uniphier-f-issue-stop-only-for-last-message-or-i2c_m_stop.patch +net-cadence-fix-a-sleep-in-atomic-context-bug-in-macb_halt_tx.patch +fs-cifs-don-t-translate-sfm_slash-u-f026-to-backslash.patch +cfg80211-fix-a-type-issue-in-ieee80211_chandef_to_operating_class.patch +mac80211-fix-a-race-between-restart-and-csa-flows.patch +mac80211-fix-station-bandwidth-setting-after-channel-switch.patch +mac80211-don-t-tx-a-deauth-frame-if-the-ap-forbade-tx.patch +mac80211-shorten-the-ibss-debug-messages.patch +tools-vm-slabinfo.c-fix-sign-compare-warning.patch +tools-vm-page-types.c-fix-defined-but-not-used-warning.patch diff --git a/queue-4.9/tools-vm-page-types.c-fix-defined-but-not-used-warning.patch b/queue-4.9/tools-vm-page-types.c-fix-defined-but-not-used-warning.patch new file mode 100644 index 00000000000..6cb98a3b2b1 --- /dev/null +++ b/queue-4.9/tools-vm-page-types.c-fix-defined-but-not-used-warning.patch 
@@ -0,0 +1,38 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: Naoya Horiguchi +Date: Tue, 4 Sep 2018 15:45:51 -0700 +Subject: tools/vm/page-types.c: fix "defined but not used" warning + +From: Naoya Horiguchi + +[ Upstream commit 7ab660f8baecfe26c1c267fa8e64d2073feae2bb ] + +debugfs_known_mountpoints[] is not used any more, so let's remove it. + +Link: http://lkml.kernel.org/r/1535102651-19418-1-git-send-email-n-horiguchi@ah.jp.nec.com +Signed-off-by: Naoya Horiguchi +Reviewed-by: Andrew Morton +Cc: Matthew Wilcox +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/vm/page-types.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/tools/vm/page-types.c ++++ b/tools/vm/page-types.c +@@ -155,12 +155,6 @@ static const char * const page_flag_name + }; + + +-static const char * const debugfs_known_mountpoints[] = { +- "/sys/kernel/debug", +- "/debug", +- 0, +-}; +- + /* + * data structures + */ diff --git a/queue-4.9/tools-vm-slabinfo.c-fix-sign-compare-warning.patch b/queue-4.9/tools-vm-slabinfo.c-fix-sign-compare-warning.patch new file mode 100644 index 00000000000..67f836a68f4 --- /dev/null +++ b/queue-4.9/tools-vm-slabinfo.c-fix-sign-compare-warning.patch 
@@ -0,0 +1,46 @@ +From foo@baz Thu Oct 4 12:38:43 PDT 2018 +From: Naoya Horiguchi +Date: Tue, 4 Sep 2018 15:45:48 -0700 +Subject: tools/vm/slabinfo.c: fix sign-compare warning + +From: Naoya Horiguchi + +[ Upstream commit 904506562e0856f2535d876407d087c9459d345b ] + +Currently we get the following compiler warning: + + slabinfo.c:854:22: warning: comparison between signed and unsigned integer expressions [-Wsign-compare] + if (s->object_size < min_objsize) + ^ + +due to the mismatch of signed/unsigned comparison. ->object_size and +->slab_size are never expected to be negative, so let's define them as +unsigned int. + +[n-horiguchi@ah.jp.nec.com: convert everything - none of these can be negative] + Link: http://lkml.kernel.org/r/20180826234947.GA9787@hori1.linux.bs1.fc.nec.co.jp +Link: http://lkml.kernel.org/r/1535103134-20239-1-git-send-email-n-horiguchi@ah.jp.nec.com +Signed-off-by: Naoya Horiguchi +Reviewed-by: Andrew Morton +Cc: Matthew Wilcox +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/vm/slabinfo.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/vm/slabinfo.c ++++ b/tools/vm/slabinfo.c +@@ -29,8 +29,8 @@ struct slabinfo { + int alias; + int refs; + int aliases, align, cache_dma, cpu_slabs, destroy_by_rcu; +- int hwcache_align, object_size, objs_per_slab; +- int sanity_checks, slab_size, store_user, trace; ++ unsigned int hwcache_align, object_size, objs_per_slab; ++ unsigned int sanity_checks, slab_size, store_user, trace; + int order, poison, reclaim_account, red_zone; + unsigned long partial, objects, slabs, objects_partial, objects_total; + unsigned long alloc_fastpath, alloc_slowpath;
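Review bot: in the net/mac80211/mlme.c change to ieee80211_chswitch_work(), mgd_sta comes from sta_info_get(sdata, ifmgd->bssid) and is then dereferenced in both the downgrade and the upgrade branch (mgd_sta->sta.bandwidth = bw) with no NULL check. If the AP station entry is not found at that point, the work item dereferences a NULL pointer; suggest skipping the rate-control update, or bailing out, when mgd_sta is NULL. The downgrade/upgrade decision also compares enum nl80211_chan_width values with < and >, which is only meaningful for widths whose enum order matches their bandwidth, while the switch's default case maps every other width to IEEE80211_STA_RX_BW_20. A short comment on which widths are expected here would help.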
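Review bot: in hwmp_preq_frame_process() (net/mac80211/mesh_hwmp.c), the added lines implement only the maximum(current HWMP SN, target HWMP SN) part of the rule quoted in the commit message; the "+ 1" is not in the added code. If the increment is meant to come from the block that follows, that block is guarded by time_after()/time_before() on ifmsh->last_sn_update, so the changelog or a comment should say whether the SN is incremented for every PREP or only when that guard passes.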
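Review bot: in ieee80211_unregister_hw() (net/mac80211/main.c), the fix depends entirely on call order and nothing at the new call site says so. Suggest a one-line comment above ieee80211_txq_teardown_flows(local) stating that it must run before the interfaces are removed, because the teardown can still reference vif data held in netdev private memory. Otherwise a later cleanup could move it back next to the skb_queue_purge() calls and reintroduce the use-after-free.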
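Review bot: in net/mac80211/ibss.c, each event is now logged by two separate ibss_dbg() calls, so the continuation line ("\tBSSID=%pM ...") carries no source address and can be separated from its first half by other messages in the log or trace buffer. Consider repeating a short key such as the SA on the second line so the two halves can be matched up again. The 100-column limit is also still enforced only by the runtime WARNING shown in the changelog, and the changelog does not say whether the remaining ibss_dbg() callers were checked against MAX_MSG_LEN.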
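Review bot: in macb_halt_tx() (drivers/net/ethernet/cadence/macb.c), usleep_range(10, 250) becomes udelay(250), which busy-waits for the upper bound of the old range on every loop iteration. Per the changelog this path runs under _raw_spin_lock_irqsave in macb_tx_error_task, so interrupts stay disabled for the whole wait. A delay closer to the old lower bound, for example udelay(10), would poll the TGO bit more often and shorten the IRQ-off time per iteration. The changelog also cites line numbers in macb_main.c from Linux-4.16 while this backport patches macb.c; a one-line note on that would save the next reader a search.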
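Review bot: in cpsw_phy_sel() (drivers/net/ethernet/ti/cpsw-phy-sel.c), both of_parse_phandle() and of_get_child_by_name() return a node with its reference count raised, and the hunk shows no of_node_put(). Check that node is released on both lookup paths once bus_find_device() has used it. Separately, the changelog says the binding documentation is updated, but the diffstat lists only cpsw-phy-sel.c; the changelog should say that the documentation part was dropped for this backport.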
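Review bot: in hns_nic_set_link_ksettings() (drivers/net/ethernet/hisilicon/hns/hns_ethtool.c), netif_carrier_on(net_dev) is called unconditionally right after adjust_link(), so the carrier is reported up even if the link was down before the call or has not yet come back at the new speed and duplex. Suggest restoring the carrier from the actual link state, or leaving it to the link status update path, rather than forcing it on.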
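Review bot: in reshape_request() (drivers/md/raid10.c), the new outer raise_barrier(conf, 0) before read_more is balanced only by the lower_barrier(conf) added after "if (sector_nr <= last) goto read_more;", so any return taken between those two points leaves the barrier raised. Check every early exit inside the read_more loop and add a matching lower_barrier() there. A short comment at the outer raise_barrier() saying that it exists to keep conf->barrier non-zero for the forced raise_barrier(conf, 1) inside the loop would also make the pairing clear.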