From: Greg Kroah-Hartman Date: Tue, 28 Nov 2017 09:57:16 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v3.18.85~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=18a2513c915f83ad17648ff59075b4d0e1d2593c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: alsa-hda-apply-alc269_fixup_no_shutup-on-hda_fixup_act_probe.patch asoc-rsnd-don-t-double-free-kctrl.patch asoc-wm_adsp-don-t-overrun-firmware-file-buffer-when-reading-region-data.patch ath10k-fix-incorrect-txpower-set-by-p2p_device-interface.patch ath10k-fix-potential-memory-leak-in-ath10k_wmi_tlv_op_pull_fw_stats.patch ath10k-ignore-configuring-the-incorrect-board_id.patch ath10k-set-cts-protection-vdev-param-only-if-vdev-is-up.patch btrfs-return-the-actual-error-value-from-from-btrfs_uuid_tree_iterate.patch dmaengine-zx-set-dma_cyclic-cap_mask-bit.patch drm-apply-range-restriction-after-color-adjustment-when-allocation.patch drm-armada-fix-compile-fail.patch iio-light-fix-improper-return-value.patch mac80211-remove-invalid-flag-operations-in-mesh-tsf-synchronization.patch mac80211-suppress-new_peer_candidate-event-if-no-room.patch net-3com-typhoon-typhoon_init_one-fix-incorrect-return-values.patch net-3com-typhoon-typhoon_init_one-make-return-values-more-specific.patch net-allow-ip_multicast_if-to-set-index-to-l3-slave.patch netfilter-nf_tables-fix-oob-access.patch netfilter-nft_queue-use-raw_smp_processor_id.patch pci-apply-_hpx-settings-only-to-relevant-devices.patch rds-rdma-return-appropriate-error-on-rdma-map-failures.patch s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch spi-spi_fsl_dspi-should-depend-on-has_dma.patch staging-iio-cdc-fix-improper-return-value.patch xen-xenbus-driver-must-not-accept-invalid-transaction-ids.patch --- diff --git a/queue-4.4/alsa-hda-apply-alc269_fixup_no_shutup-on-hda_fixup_act_probe.patch b/queue-4.4/alsa-hda-apply-alc269_fixup_no_shutup-on-hda_fixup_act_probe.patch new file mode 100644 index 00000000000..9d1e66832f6 --- /dev/null +++ b/queue-4.4/alsa-hda-apply-alc269_fixup_no_shutup-on-hda_fixup_act_probe.patch @@ -0,0 +1,34 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Gabriele Mazzotta +Date: Sat, 24 Dec 2016 19:50:00 +0100 +Subject: ALSA: hda - Apply ALC269_FIXUP_NO_SHUTUP on HDA_FIXUP_ACT_PROBE + +From: Gabriele Mazzotta + + +[ Upstream commit 972aa2c708703c21f14eb958b37e82aae2530e44 ] + +Setting shutup when the action is HDA_FIXUP_ACT_PRE_PROBE might +not have the desired effect since it could be overridden by +another more generic shutup function. Prevent this by setting +the more specific shutup function on HDA_FIXUP_ACT_PROBE. + +Signed-off-by: Gabriele Mazzotta +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4404,7 +4404,7 @@ static void alc_no_shutup(struct hda_cod + static void alc_fixup_no_shutup(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { +- if (action == HDA_FIXUP_ACT_PRE_PROBE) { ++ if (action == HDA_FIXUP_ACT_PROBE) { + struct alc_spec *spec = codec->spec; + spec->shutup = alc_no_shutup; + } diff --git a/queue-4.4/asoc-rsnd-don-t-double-free-kctrl.patch b/queue-4.4/asoc-rsnd-don-t-double-free-kctrl.patch new file mode 100644 index 00000000000..41e582eaf12 --- /dev/null +++ b/queue-4.4/asoc-rsnd-don-t-double-free-kctrl.patch @@ -0,0 +1,39 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Colin Ian King +Date: Thu, 8 Dec 2016 13:05:43 +0000 +Subject: ASoC: rsnd: don't double free kctrl + +From: Colin Ian King + + +[ Upstream commit 0ea617a298dcdc2251b4e10f83ac3f3e627b66e3 ] + +On an error, snd_ctl_add already free's kctrl, so calling snd_ctl_free_one +to free it again leads to a double free error. Fix this by removing +the extraneous snd_ctl_free_one call. + +Issue found using static analysis with CoverityScan, CID 1372908 + +Signed-off-by: Colin Ian King +Acked-by: Kuninori Morimoto +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/sh/rcar/core.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/sound/soc/sh/rcar/core.c ++++ b/sound/soc/sh/rcar/core.c +@@ -1049,10 +1049,8 @@ static int __rsnd_kctrl_new(struct rsnd_ + return -ENOMEM; + + ret = snd_ctl_add(card, kctrl); +- if (ret < 0) { +- snd_ctl_free_one(kctrl); ++ if (ret < 0) + return ret; +- } + + cfg->update = update; + cfg->card = card; diff --git a/queue-4.4/asoc-wm_adsp-don-t-overrun-firmware-file-buffer-when-reading-region-data.patch b/queue-4.4/asoc-wm_adsp-don-t-overrun-firmware-file-buffer-when-reading-region-data.patch new file mode 100644 index 00000000000..ef6efd8bcd2 --- /dev/null +++ b/queue-4.4/asoc-wm_adsp-don-t-overrun-firmware-file-buffer-when-reading-region-data.patch @@ -0,0 +1,81 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Richard Fitzgerald +Date: Tue, 20 Dec 2016 10:29:12 +0000 +Subject: ASoC: wm_adsp: Don't overrun firmware file buffer when reading region data + +From: Richard Fitzgerald + + +[ Upstream commit 1cab2a84f470e15ecc8e5143bfe9398c6e888032 ] + +Protect against corrupt firmware files by ensuring that the length we +get for the data in a region actually lies within the available firmware +file data buffer. + +Signed-off-by: Richard Fitzgerald +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wm_adsp.c | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +--- a/sound/soc/codecs/wm_adsp.c ++++ b/sound/soc/codecs/wm_adsp.c +@@ -1060,7 +1060,7 @@ static int wm_adsp_load(struct wm_adsp * + const struct wmfw_region *region; + const struct wm_adsp_region *mem; + const char *region_name; +- char *file, *text; ++ char *file, *text = NULL; + struct wm_adsp_buf *buf; + unsigned int reg; + int regions = 0; +@@ -1221,10 +1221,21 @@ static int wm_adsp_load(struct wm_adsp * + regions, le32_to_cpu(region->len), offset, + region_name); + ++ if ((pos + le32_to_cpu(region->len) + sizeof(*region)) > ++ firmware->size) { ++ adsp_err(dsp, ++ "%s.%d: %s region len %d bytes exceeds file length %zu\n", ++ file, regions, region_name, ++ le32_to_cpu(region->len), firmware->size); ++ ret = -EINVAL; ++ goto out_fw; ++ } ++ + if (text) { + memcpy(text, region->data, le32_to_cpu(region->len)); + adsp_info(dsp, "%s: %s\n", file, text); + kfree(text); ++ text = NULL; + } + + if (reg) { +@@ -1269,6 +1280,7 @@ out_fw: + regmap_async_complete(regmap); + wm_adsp_buf_free(&buf_list); + release_firmware(firmware); ++ kfree(text); + out: + kfree(file); + +@@ -1730,6 +1742,17 @@ static int wm_adsp_load_coeff(struct wm_ + } + + if (reg) { ++ if ((pos + le32_to_cpu(blk->len) + sizeof(*blk)) > ++ firmware->size) { ++ adsp_err(dsp, ++ "%s.%d: %s region len %d bytes exceeds file length %zu\n", ++ file, blocks, region_name, ++ le32_to_cpu(blk->len), ++ firmware->size); ++ ret = -EINVAL; ++ goto out_fw; ++ } ++ + buf = wm_adsp_buf_alloc(blk->data, + le32_to_cpu(blk->len), + &buf_list); diff --git a/queue-4.4/ath10k-fix-incorrect-txpower-set-by-p2p_device-interface.patch b/queue-4.4/ath10k-fix-incorrect-txpower-set-by-p2p_device-interface.patch new file mode 100644 index 00000000000..145cafc7b40 --- /dev/null +++ b/queue-4.4/ath10k-fix-incorrect-txpower-set-by-p2p_device-interface.patch @@ -0,0 +1,74 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Ryan Hsu +Date: Tue, 13 Dec 2016 14:55:19 -0800 +Subject: ath10k: fix incorrect txpower set by P2P_DEVICE interface + +From: Ryan Hsu + + +[ Upstream commit 88407beb1b1462f706a1950a355fd086e1c450b6 ] + +Ath10k reports the phy capability that supports P2P_DEVICE interface. + +When we use the P2P supported wpa_supplicant to start connection, it'll +create two interfaces, one is wlan0 (vdev_id=0) and one is P2P_DEVICE +p2p-dev-wlan0 which is for p2p control channel (vdev_id=1). + + ath10k_pci mac vdev create 0 (add interface) type 2 subtype 0 + ath10k_add_interface: vdev_id: 0, txpower: 0, bss_power: 0 + ... + ath10k_pci mac vdev create 1 (add interface) type 2 subtype 1 + ath10k_add_interface: vdev_id: 1, txpower: 0, bss_power: 0 + +And the txpower in per vif bss_conf will only be set to valid tx power when +the interface is assigned with channel_ctx. + +But this P2P_DEVICE interface will never be used for any connection, so +that the uninitialized bss_conf.txpower=0 is assinged to the +arvif->txpower when interface created. + +Since the txpower configuration is firmware per physical interface. +So the smallest txpower of all vifs will be the one limit the tx power +of the physical device, that causing the low txpower issue on other +active interfaces. + + wlan0: Limiting TX power to 21 (24 - 3) dBm + ath10k_pci mac vdev_id 0 txpower 21 + ath10k_mac_txpower_recalc: vdev_id: 1, txpower: 0 + ath10k_mac_txpower_recalc: vdev_id: 0, txpower: 21 + ath10k_pci mac txpower 0 + +This issue only happens when we use the wpa_supplicant that supports +P2P or if we use the iw tool to create the control P2P_DEVICE interface. + +Signed-off-by: Ryan Hsu +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/mac.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -4180,7 +4180,8 @@ static int ath10k_mac_txpower_recalc(str + lockdep_assert_held(&ar->conf_mutex); + + list_for_each_entry(arvif, &ar->arvifs, list) { +- WARN_ON(arvif->txpower < 0); ++ if (arvif->txpower <= 0) ++ continue; + + if (txpower == -1) + txpower = arvif->txpower; +@@ -4188,8 +4189,8 @@ static int ath10k_mac_txpower_recalc(str + txpower = min(txpower, arvif->txpower); + } + +- if (WARN_ON(txpower == -1)) +- return -EINVAL; ++ if (txpower == -1) ++ return 0; + + ret = ath10k_mac_txpower_setup(ar, txpower); + if (ret) { diff --git a/queue-4.4/ath10k-fix-potential-memory-leak-in-ath10k_wmi_tlv_op_pull_fw_stats.patch b/queue-4.4/ath10k-fix-potential-memory-leak-in-ath10k_wmi_tlv_op_pull_fw_stats.patch new file mode 100644 index 00000000000..543910d2972 --- /dev/null +++ b/queue-4.4/ath10k-fix-potential-memory-leak-in-ath10k_wmi_tlv_op_pull_fw_stats.patch @@ -0,0 +1,60 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Christian Lamparter +Date: Thu, 29 Dec 2016 16:12:09 +0200 +Subject: ath10k: fix potential memory leak in ath10k_wmi_tlv_op_pull_fw_stats() + +From: Christian Lamparter + + +[ Upstream commit 097e46d2ae90265d1afe141ba6208ba598b79e01 ] + +ath10k_wmi_tlv_op_pull_fw_stats() uses tb = ath10k_wmi_tlv_parse_alloc(...) +function, which allocates memory. If any of the three error-paths are +taken, this tb needs to be freed. + +Signed-off-by: Christian Lamparter +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/wmi-tlv.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c ++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c +@@ -1105,8 +1105,10 @@ static int ath10k_wmi_tlv_op_pull_fw_sta + struct ath10k_fw_stats_pdev *dst; + + src = data; +- if (data_len < sizeof(*src)) ++ if (data_len < sizeof(*src)) { ++ kfree(tb); + return -EPROTO; ++ } + + data += sizeof(*src); + data_len -= sizeof(*src); +@@ -1126,8 +1128,10 @@ static int ath10k_wmi_tlv_op_pull_fw_sta + struct ath10k_fw_stats_vdev *dst; + + src = data; +- if (data_len < sizeof(*src)) ++ if (data_len < sizeof(*src)) { ++ kfree(tb); + return -EPROTO; ++ } + + data += sizeof(*src); + data_len -= sizeof(*src); +@@ -1145,8 +1149,10 @@ static int ath10k_wmi_tlv_op_pull_fw_sta + struct ath10k_fw_stats_peer *dst; + + src = data; +- if (data_len < sizeof(*src)) ++ if (data_len < sizeof(*src)) { ++ kfree(tb); + return -EPROTO; ++ } + + data += sizeof(*src); + data_len -= sizeof(*src); diff --git a/queue-4.4/ath10k-ignore-configuring-the-incorrect-board_id.patch b/queue-4.4/ath10k-ignore-configuring-the-incorrect-board_id.patch new file mode 100644 index 00000000000..c3022421dbc --- /dev/null +++ b/queue-4.4/ath10k-ignore-configuring-the-incorrect-board_id.patch @@ -0,0 +1,46 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Ryan Hsu +Date: Thu, 22 Dec 2016 15:02:37 -0800 +Subject: ath10k: ignore configuring the incorrect board_id + +From: Ryan Hsu + + +[ Upstream commit d2e202c06ca42d353d95df12437740921a6d05b5 ] + +With command to get board_id from otp, in the case of following + + boot get otp board id result 0x00000000 board_id 0 chip_id 0 + boot using board name 'bus=pci,bmi-chip-id=0,bmi-board-id=0" + ... + failed to fetch board data for bus=pci,bmi-chip-id=0,bmi-board-id=0 from + ath10k/QCA6174/hw3.0/board-2.bin + +The invalid board_id=0 will be used as index to search in the board-2.bin. + +Ignore the case with board_id=0, as it means the otp is not carrying +the board id information. + +Signed-off-by: Ryan Hsu +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath10k/core.c ++++ b/drivers/net/wireless/ath/ath10k/core.c +@@ -548,8 +548,11 @@ static int ath10k_core_get_board_id_from + "boot get otp board id result 0x%08x board_id %d chip_id %d\n", + result, board_id, chip_id); + +- if ((result & ATH10K_BMI_BOARD_ID_STATUS_MASK) != 0) ++ if ((result & ATH10K_BMI_BOARD_ID_STATUS_MASK) != 0 || ++ (board_id == 0)) { ++ ath10k_warn(ar, "board id is not exist in otp, ignore it\n"); + return -EOPNOTSUPP; ++ } + + ar->id.bmi_ids_valid = true; + ar->id.bmi_board_id = board_id; diff --git a/queue-4.4/ath10k-set-cts-protection-vdev-param-only-if-vdev-is-up.patch b/queue-4.4/ath10k-set-cts-protection-vdev-param-only-if-vdev-is-up.patch new file mode 100644 index 00000000000..23da50d8f89 --- /dev/null +++ b/queue-4.4/ath10k-set-cts-protection-vdev-param-only-if-vdev-is-up.patch @@ -0,0 +1,121 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Bartosz Markowski +Date: Thu, 15 Dec 2016 11:23:24 +0200 +Subject: ath10k: set CTS protection VDEV param only if VDEV is up + +From: Bartosz Markowski + + +[ Upstream commit 7cfe0455ee1218add152e986b89b4bb8dbeafcdd ] + +The cts protection vdev parameter, in new QCA9377 TF2.0 firmware, +requires bss peer to be created for the STATION vdev type. +bss peer is being allocated by the firmware after vdev_start/_up commands. +mac80211 may call the cts protection setup at any time, so the +we needs to track the situation and defer the cts configuration +to prevent firmware asserts, like below: + +[00]: 0x05020001 0x000015B3 0x0099ACE2 0x00955B31 +[04]: 0x0099ACE2 0x00060730 0x00000004 0x00000000 +[08]: 0x0044C754 0x00412C10 0x00000000 0x00409C54 +[12]: 0x00000009 0x00000000 0x00952F6C 0x00952F77 +[16]: 0x00952CC4 0x00910712 0x00000000 0x00000000 +[20]: 0x4099ACE2 0x0040E858 0x00421254 0x004127F4 +[24]: 0x8099B9B2 0x0040E8B8 0x00000000 0xC099ACE2 +[28]: 0x800B75CB 0x0040E8F8 0x00000007 0x00005008 +[32]: 0x809B048A 0x0040E958 0x00000010 0x00433B10 +[36]: 0x809AFBBC 0x0040E9A8 0x0042BB74 0x0042BBBC +[40]: 0x8091D252 0x0040E9C8 0x0042BBBC 0x00000001 +[44]: 0x809FFA45 0x0040EA78 0x0043D3E4 0x0042C2C8 +[48]: 0x809FCEF4 0x0040EA98 0x0043D3E4 0x00000001 +[52]: 0x80911210 0x0040EAE8 0x00000010 0x004041D0 +[56]: 0x80911154 0x0040EB28 0x00400000 0x00000000 + +Signed-off-by: Bartosz Markowski +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/mac.c | 51 ++++++++++++++++++++++++++++------ + 1 file changed, 43 insertions(+), 8 deletions(-) + +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -1127,6 +1127,36 @@ static int ath10k_monitor_recalc(struct + return ath10k_monitor_stop(ar); + } + ++static bool ath10k_mac_can_set_cts_prot(struct ath10k_vif *arvif) ++{ ++ struct ath10k *ar = arvif->ar; ++ ++ lockdep_assert_held(&ar->conf_mutex); ++ ++ if (!arvif->is_started) { ++ ath10k_dbg(ar, ATH10K_DBG_MAC, "defer cts setup, vdev is not ready yet\n"); ++ return false; ++ } ++ ++ return true; ++} ++ ++static int ath10k_mac_set_cts_prot(struct ath10k_vif *arvif) ++{ ++ struct ath10k *ar = arvif->ar; ++ u32 vdev_param; ++ ++ lockdep_assert_held(&ar->conf_mutex); ++ ++ vdev_param = ar->wmi.vdev_param->protection_mode; ++ ++ ath10k_dbg(ar, ATH10K_DBG_MAC, "mac vdev %d cts_protection %d\n", ++ arvif->vdev_id, arvif->use_cts_prot); ++ ++ return ath10k_wmi_vdev_set_param(ar, arvif->vdev_id, vdev_param, ++ arvif->use_cts_prot ? 1 : 0); ++} ++ + static int ath10k_recalc_rtscts_prot(struct ath10k_vif *arvif) + { + struct ath10k *ar = arvif->ar; +@@ -4788,20 +4818,18 @@ static void ath10k_bss_info_changed(stru + + if (changed & BSS_CHANGED_ERP_CTS_PROT) { + arvif->use_cts_prot = info->use_cts_prot; +- ath10k_dbg(ar, ATH10K_DBG_MAC, "mac vdev %d cts_prot %d\n", +- arvif->vdev_id, info->use_cts_prot); + + ret = ath10k_recalc_rtscts_prot(arvif); + if (ret) + ath10k_warn(ar, "failed to recalculate rts/cts prot for vdev %d: %d\n", + arvif->vdev_id, ret); + +- vdev_param = ar->wmi.vdev_param->protection_mode; +- ret = ath10k_wmi_vdev_set_param(ar, arvif->vdev_id, vdev_param, +- info->use_cts_prot ? 1 : 0); +- if (ret) +- ath10k_warn(ar, "failed to set protection mode %d on vdev %i: %d\n", +- info->use_cts_prot, arvif->vdev_id, ret); ++ if (ath10k_mac_can_set_cts_prot(arvif)) { ++ ret = ath10k_mac_set_cts_prot(arvif); ++ if (ret) ++ ath10k_warn(ar, "failed to set cts protection for vdev %d: %d\n", ++ arvif->vdev_id, ret); ++ } + } + + if (changed & BSS_CHANGED_ERP_SLOT) { +@@ -6713,6 +6741,13 @@ ath10k_mac_op_assign_vif_chanctx(struct + arvif->is_up = true; + } + ++ if (ath10k_mac_can_set_cts_prot(arvif)) { ++ ret = ath10k_mac_set_cts_prot(arvif); ++ if (ret) ++ ath10k_warn(ar, "failed to set cts protection for vdev %d: %d\n", ++ arvif->vdev_id, ret); ++ } ++ + mutex_unlock(&ar->conf_mutex); + return 0; + diff --git a/queue-4.4/btrfs-return-the-actual-error-value-from-from-btrfs_uuid_tree_iterate.patch b/queue-4.4/btrfs-return-the-actual-error-value-from-from-btrfs_uuid_tree_iterate.patch new file mode 100644 index 00000000000..f1925a00ac4 --- /dev/null +++ b/queue-4.4/btrfs-return-the-actual-error-value-from-from-btrfs_uuid_tree_iterate.patch @@ -0,0 +1,38 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Pan Bian +Date: Sun, 4 Dec 2016 12:51:53 +0800 +Subject: btrfs: return the actual error value from from btrfs_uuid_tree_iterate + +From: Pan Bian + + +[ Upstream commit 73ba39ab9307340dc98ec3622891314bbc09cc2e ] + +In function btrfs_uuid_tree_iterate(), errno is assigned to variable ret +on errors. However, it directly returns 0. It may be better to return +ret. This patch also removes the warning, because the caller already +prints a warning. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188731 +Signed-off-by: Pan Bian +Reviewed-by: Omar Sandoval +[ edited subject ] +Signed-off-by: David Sterba + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/uuid-tree.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/fs/btrfs/uuid-tree.c ++++ b/fs/btrfs/uuid-tree.c +@@ -348,7 +348,5 @@ skip: + + out: + btrfs_free_path(path); +- if (ret) +- btrfs_warn(fs_info, "btrfs_uuid_tree_iterate failed %d", ret); +- return 0; ++ return ret; + } diff --git a/queue-4.4/dmaengine-zx-set-dma_cyclic-cap_mask-bit.patch b/queue-4.4/dmaengine-zx-set-dma_cyclic-cap_mask-bit.patch new file mode 100644 index 00000000000..12bfd4cc2ec --- /dev/null +++ b/queue-4.4/dmaengine-zx-set-dma_cyclic-cap_mask-bit.patch @@ -0,0 +1,34 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Shawn Guo +Date: Thu, 15 Dec 2016 22:03:36 +0800 +Subject: dmaengine: zx: set DMA_CYCLIC cap_mask bit + +From: Shawn Guo + + +[ Upstream commit fc318d64f3d91e15babac00e08354b1beb650b57 ] + +The zx_dma driver supports cyclic transfer mode. Let's set DMA_CYCLIC +cap_mask bit to make that clear, and avoid unnecessary failure when +clients request channel via dma_request_chan_by_mask() with DMA_CYCLIC +bit set in mask. + +Signed-off-by: Shawn Guo +Reviewed-by: Jun Nie +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/zx296702_dma.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/dma/zx296702_dma.c ++++ b/drivers/dma/zx296702_dma.c +@@ -813,6 +813,7 @@ static int zx_dma_probe(struct platform_ + INIT_LIST_HEAD(&d->slave.channels); + dma_cap_set(DMA_SLAVE, d->slave.cap_mask); + dma_cap_set(DMA_MEMCPY, d->slave.cap_mask); ++ dma_cap_set(DMA_CYCLIC, d->slave.cap_mask); + dma_cap_set(DMA_PRIVATE, d->slave.cap_mask); + d->slave.dev = &op->dev; + d->slave.device_free_chan_resources = zx_dma_free_chan_resources; diff --git a/queue-4.4/drm-apply-range-restriction-after-color-adjustment-when-allocation.patch b/queue-4.4/drm-apply-range-restriction-after-color-adjustment-when-allocation.patch new file mode 100644 index 00000000000..b46413fe235 --- /dev/null +++ b/queue-4.4/drm-apply-range-restriction-after-color-adjustment-when-allocation.patch @@ -0,0 +1,65 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Chris Wilson +Date: Thu, 22 Dec 2016 08:36:38 +0000 +Subject: drm: Apply range restriction after color adjustment when allocation + +From: Chris Wilson + + +[ Upstream commit 3db93756b501e5f0a3951c79cfa9ed43c26d3455 ] + +mm->color_adjust() compares the hole with its neighbouring nodes. They +only abutt before we restrict the hole, so we have to apply color_adjust +before we apply the range restriction. + +Signed-off-by: Chris Wilson +Reviewed-by: Joonas Lahtinen +Signed-off-by: Daniel Vetter +Link: http://patchwork.freedesktop.org/patch/msgid/20161222083641.2691-36-chris@chris-wilson.co.uk +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_mm.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +--- a/drivers/gpu/drm/drm_mm.c ++++ b/drivers/gpu/drm/drm_mm.c +@@ -262,14 +262,12 @@ static void drm_mm_insert_helper_range(s + + BUG_ON(!hole_node->hole_follows || node->allocated); + +- if (adj_start < start) +- adj_start = start; +- if (adj_end > end) +- adj_end = end; +- + if (mm->color_adjust) + mm->color_adjust(hole_node, color, &adj_start, &adj_end); + ++ adj_start = max(adj_start, start); ++ adj_end = min(adj_end, end); ++ + if (flags & DRM_MM_CREATE_TOP) + adj_start = adj_end - size; + +@@ -475,17 +473,15 @@ static struct drm_mm_node *drm_mm_search + flags & DRM_MM_SEARCH_BELOW) { + u64 hole_size = adj_end - adj_start; + +- if (adj_start < start) +- adj_start = start; +- if (adj_end > end) +- adj_end = end; +- + if (mm->color_adjust) { + mm->color_adjust(entry, color, &adj_start, &adj_end); + if (adj_end <= adj_start) + continue; + } + ++ adj_start = max(adj_start, start); ++ adj_end = min(adj_end, end); ++ + if (!check_free_hole(adj_start, adj_end, size, alignment)) + continue; + diff --git a/queue-4.4/drm-armada-fix-compile-fail.patch b/queue-4.4/drm-armada-fix-compile-fail.patch new file mode 100644 index 00000000000..702905db597 --- /dev/null +++ b/queue-4.4/drm-armada-fix-compile-fail.patch @@ -0,0 +1,36 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Daniel Vetter +Date: Fri, 30 Dec 2016 17:38:52 +0100 +Subject: drm/armada: Fix compile fail + +From: Daniel Vetter + + +[ Upstream commit 7357f89954b6d005df6ab8929759e78d7d9a80f9 ] + +I reported the include issue for tracepoints a while ago, but nothing +seems to have happened. Now it bit us, since the drm_mm_print +conversion was broken for armada. Fix it, so I can re-enable armada +in the drm-misc build configs. + +v2: Rebase just the compile fix on top of Chris' build fix. + +Cc: Russell King +Cc: Chris Wilson +Acked: Chris Wilson +Signed-off-by: Daniel Vetter +Link: http://patchwork.freedesktop.org/patch/msgid/1483115932-19584-1-git-send-email-daniel.vetter@ffwll.ch +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/armada/Makefile | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/armada/Makefile ++++ b/drivers/gpu/drm/armada/Makefile +@@ -4,3 +4,5 @@ armada-y += armada_510.o + armada-$(CONFIG_DEBUG_FS) += armada_debugfs.o + + obj-$(CONFIG_DRM_ARMADA) := armada.o ++ ++CFLAGS_armada_trace.o := -I$(src) diff --git a/queue-4.4/iio-light-fix-improper-return-value.patch b/queue-4.4/iio-light-fix-improper-return-value.patch new file mode 100644 index 00000000000..db61b230674 --- /dev/null +++ b/queue-4.4/iio-light-fix-improper-return-value.patch @@ -0,0 +1,37 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Pan Bian +Date: Sat, 3 Dec 2016 17:24:17 +0800 +Subject: iio: light: fix improper return value + +From: Pan Bian + + +[ Upstream commit db4e5376d058af8924fafd0520a0942d92538d0e ] + +In function cm3232_reg_init(), it returns 0 even if the last call to +i2c_smbus_write_byte_data() returns a negative value (indicates error). +As a result, the return value may be inconsistent with the execution +status, and the caller of cm3232_reg_init() will not be able to detect +the error. This patch fixes the bug. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188641 + +Signed-off-by: Pan Bian +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/cm3232.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/light/cm3232.c ++++ b/drivers/iio/light/cm3232.c +@@ -119,7 +119,7 @@ static int cm3232_reg_init(struct cm3232 + if (ret < 0) + dev_err(&chip->client->dev, "Error writing reg_cmd\n"); + +- return 0; ++ return ret; + } + + /** diff --git a/queue-4.4/mac80211-remove-invalid-flag-operations-in-mesh-tsf-synchronization.patch b/queue-4.4/mac80211-remove-invalid-flag-operations-in-mesh-tsf-synchronization.patch new file mode 100644 index 00000000000..a2f94b7eed4 --- /dev/null +++ b/queue-4.4/mac80211-remove-invalid-flag-operations-in-mesh-tsf-synchronization.patch @@ -0,0 +1,104 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Masashi Honma +Date: Thu, 8 Dec 2016 10:15:50 +0900 +Subject: mac80211: Remove invalid flag operations in mesh TSF synchronization + +From: Masashi Honma + + +[ Upstream commit 76f43b4c0a9337af22827d78de4f2b8fd5328489 ] + +mesh_sync_offset_adjust_tbtt() implements Extensible synchronization +framework ([1] 13.13.2 Extensible synchronization framework). It shall +not operate the flag "TBTT Adjusting subfield" ([1] 8.4.2.100.8 Mesh +Capability), since it is used only for MBCA ([1] 13.13.4 Mesh beacon +collision avoidance, see 13.13.4.4.3 TBTT scanning and adjustment +procedures for detail). So this patch remove the flag operations. + +[1] IEEE Std 802.11 2012 + +Signed-off-by: Masashi Honma +[remove adjusting_tbtt entirely, since it's now unused] +Signed-off-by: Johannes Berg + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/ieee80211_i.h | 1 - + net/mac80211/mesh.c | 3 --- + net/mac80211/mesh_sync.c | 11 ----------- + 3 files changed, 15 deletions(-) + +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -682,7 +682,6 @@ struct ieee80211_if_mesh { + const struct ieee80211_mesh_sync_ops *sync_ops; + s64 sync_offset_clockdrift_max; + spinlock_t sync_offset_lock; +- bool adjusting_tbtt; + /* mesh power save */ + enum nl80211_mesh_power_mode nonpeer_pm; + int ps_peers_light_sleep; +--- a/net/mac80211/mesh.c ++++ b/net/mac80211/mesh.c +@@ -295,8 +295,6 @@ int mesh_add_meshconf_ie(struct ieee8021 + /* Mesh PS mode. See IEEE802.11-2012 8.4.2.100.8 */ + *pos |= ifmsh->ps_peers_deep_sleep ? + IEEE80211_MESHCONF_CAPAB_POWER_SAVE_LEVEL : 0x00; +- *pos++ |= ifmsh->adjusting_tbtt ? +- IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING : 0x00; + *pos++ = 0x00; + + return 0; +@@ -866,7 +864,6 @@ int ieee80211_start_mesh(struct ieee8021 + ifmsh->mesh_cc_id = 0; /* Disabled */ + /* register sync ops from extensible synchronization framework */ + ifmsh->sync_ops = ieee80211_mesh_sync_ops_get(ifmsh->mesh_sp_id); +- ifmsh->adjusting_tbtt = false; + ifmsh->sync_offset_clockdrift_max = 0; + set_bit(MESH_WORK_HOUSEKEEPING, &ifmsh->wrkq_flags); + ieee80211_mesh_root_setup(ifmsh); +--- a/net/mac80211/mesh_sync.c ++++ b/net/mac80211/mesh_sync.c +@@ -119,7 +119,6 @@ static void mesh_sync_offset_rx_bcn_pres + */ + + if (elems->mesh_config && mesh_peer_tbtt_adjusting(elems)) { +- clear_sta_flag(sta, WLAN_STA_TOFFSET_KNOWN); + msync_dbg(sdata, "STA %pM : is adjusting TBTT\n", + sta->sta.addr); + goto no_sync; +@@ -168,11 +167,9 @@ static void mesh_sync_offset_adjust_tbtt + struct beacon_data *beacon) + { + struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh; +- u8 cap; + + WARN_ON(ifmsh->mesh_sp_id != IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET); + WARN_ON(!rcu_read_lock_held()); +- cap = beacon->meshconf->meshconf_cap; + + spin_lock_bh(&ifmsh->sync_offset_lock); + +@@ -186,21 +183,13 @@ static void mesh_sync_offset_adjust_tbtt + "TBTT : kicking off TBTT adjustment with clockdrift_max=%lld\n", + ifmsh->sync_offset_clockdrift_max); + set_bit(MESH_WORK_DRIFT_ADJUST, &ifmsh->wrkq_flags); +- +- ifmsh->adjusting_tbtt = true; + } else { + msync_dbg(sdata, + "TBTT : max clockdrift=%lld; too small to adjust\n", + (long long)ifmsh->sync_offset_clockdrift_max); + ifmsh->sync_offset_clockdrift_max = 0; +- +- ifmsh->adjusting_tbtt = false; + } + spin_unlock_bh(&ifmsh->sync_offset_lock); +- +- beacon->meshconf->meshconf_cap = ifmsh->adjusting_tbtt ? +- IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING | cap : +- ~IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING & cap; + } + + static const struct sync_method sync_methods[] = { diff --git a/queue-4.4/mac80211-suppress-new_peer_candidate-event-if-no-room.patch b/queue-4.4/mac80211-suppress-new_peer_candidate-event-if-no-room.patch new file mode 100644 index 00000000000..a4f2e9def17 --- /dev/null +++ b/queue-4.4/mac80211-suppress-new_peer_candidate-event-if-no-room.patch @@ -0,0 +1,45 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Masashi Honma +Date: Wed, 30 Nov 2016 09:06:04 +0900 +Subject: mac80211: Suppress NEW_PEER_CANDIDATE event if no room + +From: Masashi Honma + + +[ Upstream commit 11197d006bcfabf0173a7820a163fcaac420d10e ] + +Previously, kernel sends NEW_PEER_CANDIDATE event to user land even if +the found peer does not have any room to accept other peer. This causes +continuous connection trials. + +Signed-off-by: Masashi Honma +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mesh_plink.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/net/mac80211/mesh_plink.c ++++ b/net/mac80211/mesh_plink.c +@@ -495,12 +495,14 @@ mesh_sta_info_alloc(struct ieee80211_sub + + /* Userspace handles station allocation */ + if (sdata->u.mesh.user_mpm || +- sdata->u.mesh.security & IEEE80211_MESH_SEC_AUTHED) +- cfg80211_notify_new_peer_candidate(sdata->dev, addr, +- elems->ie_start, +- elems->total_len, +- GFP_KERNEL); +- else ++ sdata->u.mesh.security & IEEE80211_MESH_SEC_AUTHED) { ++ if (mesh_peer_accepts_plinks(elems) && ++ mesh_plink_availables(sdata)) ++ cfg80211_notify_new_peer_candidate(sdata->dev, addr, ++ elems->ie_start, ++ elems->total_len, ++ GFP_KERNEL); ++ } else + sta = __mesh_sta_info_alloc(sdata, addr); + + return sta; diff --git a/queue-4.4/net-3com-typhoon-typhoon_init_one-fix-incorrect-return-values.patch b/queue-4.4/net-3com-typhoon-typhoon_init_one-fix-incorrect-return-values.patch new file mode 100644 index 00000000000..4ebd3d60cb2 --- /dev/null +++ b/queue-4.4/net-3com-typhoon-typhoon_init_one-fix-incorrect-return-values.patch @@ -0,0 +1,61 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Thomas Preisner +Date: Fri, 30 Dec 2016 03:37:53 +0100 +Subject: net: 3com: typhoon: typhoon_init_one: fix incorrect return values + +From: Thomas Preisner + + +[ Upstream commit 107fded7bf616ad6f46823d98b8ed6405d7adf2d ] + +In a few cases the err-variable is not set to a negative error code if a +function call in typhoon_init_one() fails and thus 0 is returned +instead. +It may be better to set err to the appropriate negative error +code before returning. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188841 + +Reported-by: Pan Bian +Signed-off-by: Thomas Preisner +Signed-off-by: Milan Stephan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/3com/typhoon.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/3com/typhoon.c ++++ b/drivers/net/ethernet/3com/typhoon.c +@@ -2398,8 +2398,9 @@ typhoon_init_one(struct pci_dev *pdev, c + *(__be16 *)&dev->dev_addr[0] = htons(le16_to_cpu(xp_resp[0].parm1)); + *(__be32 *)&dev->dev_addr[2] = htonl(le32_to_cpu(xp_resp[0].parm2)); + +- if(!is_valid_ether_addr(dev->dev_addr)) { ++ if (!is_valid_ether_addr(dev->dev_addr)) { + err_msg = "Could not obtain valid ethernet address, aborting"; ++ err = -EIO; + goto error_out_reset; + } + +@@ -2407,7 +2408,8 @@ typhoon_init_one(struct pci_dev *pdev, c + * later when we print out the version reported. + */ + INIT_COMMAND_WITH_RESPONSE(&xp_cmd, TYPHOON_CMD_READ_VERSIONS); +- if(typhoon_issue_command(tp, 1, &xp_cmd, 3, xp_resp) < 0) { ++ err = typhoon_issue_command(tp, 1, &xp_cmd, 3, xp_resp); ++ if (err < 0) { + err_msg = "Could not get Sleep Image version"; + goto error_out_reset; + } +@@ -2449,7 +2451,8 @@ typhoon_init_one(struct pci_dev *pdev, c + dev->features = dev->hw_features | + NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_RXCSUM; + +- if(register_netdev(dev) < 0) { ++ err = register_netdev(dev); ++ if (err < 0) { + err_msg = "unable to register netdev"; + goto error_out_reset; + } diff --git a/queue-4.4/net-3com-typhoon-typhoon_init_one-make-return-values-more-specific.patch b/queue-4.4/net-3com-typhoon-typhoon_init_one-make-return-values-more-specific.patch new file mode 100644 index 00000000000..d38c8e40501 --- /dev/null +++ b/queue-4.4/net-3com-typhoon-typhoon_init_one-make-return-values-more-specific.patch @@ -0,0 +1,70 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Thomas Preisner +Date: Fri, 30 Dec 2016 03:37:54 +0100 +Subject: net: 3com: typhoon: typhoon_init_one: make return values more specific + +From: Thomas Preisner + + +[ Upstream commit 6b6bbb5922a4b1d4b58125a572da91010295fba3 ] + +In some cases the return value of a failing function is not being used +and the function typhoon_init_one() returns another negative error code +instead. + +Signed-off-by: Thomas Preisner +Signed-off-by: Milan Stephan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/3com/typhoon.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/net/ethernet/3com/typhoon.c ++++ b/drivers/net/ethernet/3com/typhoon.c +@@ -2366,9 +2366,9 @@ typhoon_init_one(struct pci_dev *pdev, c + * 4) Get the hardware address. + * 5) Put the card to sleep. + */ +- if (typhoon_reset(ioaddr, WaitSleep) < 0) { ++ err = typhoon_reset(ioaddr, WaitSleep); ++ if (err < 0) { + err_msg = "could not reset 3XP"; +- err = -EIO; + goto error_out_dma; + } + +@@ -2382,16 +2382,16 @@ typhoon_init_one(struct pci_dev *pdev, c + typhoon_init_interface(tp); + typhoon_init_rings(tp); + +- if(typhoon_boot_3XP(tp, TYPHOON_STATUS_WAITING_FOR_HOST) < 0) { ++ err = typhoon_boot_3XP(tp, TYPHOON_STATUS_WAITING_FOR_HOST); ++ if (err < 0) { + err_msg = "cannot boot 3XP sleep image"; +- err = -EIO; + goto error_out_reset; + } + + INIT_COMMAND_WITH_RESPONSE(&xp_cmd, TYPHOON_CMD_READ_MAC_ADDRESS); +- if(typhoon_issue_command(tp, 1, &xp_cmd, 1, xp_resp) < 0) { ++ err = typhoon_issue_command(tp, 1, &xp_cmd, 1, xp_resp); ++ if (err < 0) { + err_msg = "cannot read MAC address"; +- err = -EIO; + goto error_out_reset; + } + +@@ -2424,9 +2424,9 @@ typhoon_init_one(struct pci_dev *pdev, c + if(xp_resp[0].numDesc != 0) + tp->capabilities |= TYPHOON_WAKEUP_NEEDS_RESET; + +- if(typhoon_sleep(tp, PCI_D3hot, 0) < 0) { ++ err = typhoon_sleep(tp, PCI_D3hot, 0); ++ if (err < 0) { + err_msg = "cannot put adapter to sleep"; +- err = -EIO; + goto error_out_reset; + } + diff --git a/queue-4.4/net-allow-ip_multicast_if-to-set-index-to-l3-slave.patch b/queue-4.4/net-allow-ip_multicast_if-to-set-index-to-l3-slave.patch new file mode 100644 index 00000000000..fbc69d6d6ff --- /dev/null +++ b/queue-4.4/net-allow-ip_multicast_if-to-set-index-to-l3-slave.patch @@ -0,0 +1,98 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: David Ahern +Date: Thu, 29 Dec 2016 15:39:37 -0800 +Subject: net: Allow IP_MULTICAST_IF to set index to L3 slave + +From: David Ahern + + +[ Upstream commit 7bb387c5ab12aeac3d5eea28686489ff46b53ca9 ] + +IP_MULTICAST_IF fails if sk_bound_dev_if is already set and the new index +does not match it. e.g., + + ntpd[15381]: setsockopt IP_MULTICAST_IF 192.168.1.23 fails: Invalid argument + +Relax the check in setsockopt to allow setting mc_index to an L3 slave if +sk_bound_dev_if points to an L3 master. + +Make a similar change for IPv6. In this case change the device lookup to +take the rcu_read_lock avoiding a refcnt. The rcu lock is also needed for +the lookup of a potential L3 master device. + +This really only silences a setsockopt failure since uses of mc_index are +secondary to sk_bound_dev_if if it is set. In both cases, if either index +is an L3 slave or master, lookups are directed to the same FIB table so +relaxing the check at setsockopt time causes no harm. + +Patch is based on a suggested change by Darwin for a problem noted in +their code base. + +Suggested-by: Darwin Dingel +Signed-off-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_sockglue.c | 7 ++++++- + net/ipv6/ipv6_sockglue.c | 16 ++++++++++++---- + 2 files changed, 18 insertions(+), 5 deletions(-) + +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -808,6 +808,7 @@ static int do_ip_setsockopt(struct sock + { + struct ip_mreqn mreq; + struct net_device *dev = NULL; ++ int midx; + + if (sk->sk_type == SOCK_STREAM) + goto e_inval; +@@ -852,11 +853,15 @@ static int do_ip_setsockopt(struct sock + err = -EADDRNOTAVAIL; + if (!dev) + break; ++ ++ midx = l3mdev_master_ifindex(dev); ++ + dev_put(dev); + + err = -EINVAL; + if (sk->sk_bound_dev_if && +- mreq.imr_ifindex != sk->sk_bound_dev_if) ++ mreq.imr_ifindex != sk->sk_bound_dev_if && ++ (!midx || midx != sk->sk_bound_dev_if)) + break; + + inet->mc_index = mreq.imr_ifindex; +--- a/net/ipv6/ipv6_sockglue.c ++++ b/net/ipv6/ipv6_sockglue.c +@@ -583,16 +583,24 @@ done: + + if (val) { + struct net_device *dev; ++ int midx; + +- if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != val) +- goto e_inval; ++ rcu_read_lock(); + +- dev = dev_get_by_index(net, val); ++ dev = dev_get_by_index_rcu(net, val); + if (!dev) { ++ rcu_read_unlock(); + retv = -ENODEV; + break; + } +- dev_put(dev); ++ midx = l3mdev_master_ifindex_rcu(dev); ++ ++ rcu_read_unlock(); ++ ++ if (sk->sk_bound_dev_if && ++ sk->sk_bound_dev_if != val && ++ (!midx || midx != sk->sk_bound_dev_if)) ++ goto e_inval; + } + np->mcast_oif = val; + retv = 0; diff --git a/queue-4.4/netfilter-nf_tables-fix-oob-access.patch b/queue-4.4/netfilter-nf_tables-fix-oob-access.patch new file mode 100644 index 00000000000..96be234a2bd --- /dev/null +++ b/queue-4.4/netfilter-nf_tables-fix-oob-access.patch @@ -0,0 +1,35 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Florian Westphal +Date: Tue, 13 Dec 2016 13:59:33 +0100 +Subject: netfilter: nf_tables: fix oob access + +From: Florian Westphal + + +[ Upstream commit 3e38df136e453aa69eb4472108ebce2fb00b1ba6 ] + +BUG: KASAN: slab-out-of-bounds in nf_tables_rule_destroy+0xf1/0x130 at addr ffff88006a4c35c8 +Read of size 8 by task nft/1607 + +When we've destroyed last valid expr, nft_expr_next() returns an invalid expr. +We must not dereference it unless it passes != nft_expr_last() check. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -1996,7 +1996,7 @@ static void nf_tables_rule_destroy(const + * is called on error from nf_tables_newrule(). + */ + expr = nft_expr_first(rule); +- while (expr->ops && expr != nft_expr_last(rule)) { ++ while (expr != nft_expr_last(rule) && expr->ops) { + nf_tables_expr_destroy(ctx, expr); + expr = nft_expr_next(expr); + } diff --git a/queue-4.4/netfilter-nft_queue-use-raw_smp_processor_id.patch b/queue-4.4/netfilter-nft_queue-use-raw_smp_processor_id.patch new file mode 100644 index 00000000000..09c3600634a --- /dev/null +++ b/queue-4.4/netfilter-nft_queue-use-raw_smp_processor_id.patch @@ -0,0 +1,42 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Pablo Neira Ayuso +Date: Sun, 11 Dec 2016 20:46:51 +0100 +Subject: netfilter: nft_queue: use raw_smp_processor_id() + +From: Pablo Neira Ayuso + + +[ Upstream commit c2e756ff9e699865d294cdc112acfc36419cf5cc ] + +Using smp_processor_id() causes splats with PREEMPT_RCU: + +[19379.552780] BUG: using smp_processor_id() in preemptible [00000000] code: ping/32389 +[19379.552793] caller is debug_smp_processor_id+0x17/0x19 +[...] +[19379.552823] Call Trace: +[19379.552832] [] dump_stack+0x67/0x90 +[19379.552837] [] check_preemption_disabled+0xe5/0xf5 +[19379.552842] [] debug_smp_processor_id+0x17/0x19 +[19379.552849] [] nft_queue_eval+0x35/0x20c [nft_queue] + +No need to disable preemption since we only fetch the numeric value, so +let's use raw_smp_processor_id() instead. + +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_queue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nft_queue.c ++++ b/net/netfilter/nft_queue.c +@@ -37,7 +37,7 @@ static void nft_queue_eval(const struct + + if (priv->queues_total > 1) { + if (priv->flags & NFT_QUEUE_FLAG_CPU_FANOUT) { +- int cpu = smp_processor_id(); ++ int cpu = raw_smp_processor_id(); + + queue = priv->queuenum + cpu % priv->queues_total; + } else { diff --git a/queue-4.4/pci-apply-_hpx-settings-only-to-relevant-devices.patch b/queue-4.4/pci-apply-_hpx-settings-only-to-relevant-devices.patch new file mode 100644 index 00000000000..cb46bc884c2 --- /dev/null +++ b/queue-4.4/pci-apply-_hpx-settings-only-to-relevant-devices.patch @@ -0,0 +1,73 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Bjorn Helgaas +Date: Mon, 2 Jan 2017 14:04:24 -0600 +Subject: PCI: Apply _HPX settings only to relevant devices + +From: Bjorn Helgaas + + +[ Upstream commit 977509f7c5c6fb992ffcdf4291051af343b91645 ] + +Previously we didn't check the type of device before trying to apply Type 1 +(PCI-X) or Type 2 (PCIe) Setting Records from _HPX. + +We don't support PCI-X Setting Records, so this was harmless, but the +warning was useless. + +We do support PCIe Setting Records, and we didn't check whether a device +was PCIe before applying settings. I don't think anything bad happened on +non-PCIe devices because pcie_capability_clear_and_set_word(), +pcie_cap_has_lnkctl(), etc., would fail before doing any harm. But it's +ugly to depend on those internals. + +Check the device type before attempting to apply Type 1 and Type 2 Setting +Records (Type 0 records are applicable to PCI, PCI-X, and PCIe devices). + +A side benefit is that this prevents useless "not supported" warnings when +a BIOS supplies a Type 1 (PCI-X) Setting Record and we try to apply it to +every single device: + + pci 0000:00:00.0: PCI-X settings not supported + +After this patch, we'll get the warning only when a BIOS supplies a Type 1 +record and we have a PCI-X device to which it should be applied. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=187731 +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/probe.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -1414,8 +1414,16 @@ static void program_hpp_type0(struct pci + + static void program_hpp_type1(struct pci_dev *dev, struct hpp_type1 *hpp) + { +- if (hpp) +- dev_warn(&dev->dev, "PCI-X settings not supported\n"); ++ int pos; ++ ++ if (!hpp) ++ return; ++ ++ pos = pci_find_capability(dev, PCI_CAP_ID_PCIX); ++ if (!pos) ++ return; ++ ++ dev_warn(&dev->dev, "PCI-X settings not supported\n"); + } + + static bool pcie_root_rcb_set(struct pci_dev *dev) +@@ -1441,6 +1449,9 @@ static void program_hpp_type2(struct pci + if (!hpp) + return; + ++ if (!pci_is_pcie(dev)) ++ return; ++ + if (hpp->revision > 1) { + dev_warn(&dev->dev, "PCIe settings rev %d not supported\n", + hpp->revision); diff --git a/queue-4.4/rds-rdma-return-appropriate-error-on-rdma-map-failures.patch b/queue-4.4/rds-rdma-return-appropriate-error-on-rdma-map-failures.patch new file mode 100644 index 00000000000..e08c2ef14fb --- /dev/null +++ b/queue-4.4/rds-rdma-return-appropriate-error-on-rdma-map-failures.patch @@ -0,0 +1,55 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Santosh Shilimkar +Date: Mon, 4 Jul 2016 17:04:37 -0700 +Subject: RDS: RDMA: return appropriate error on rdma map failures + +From: Santosh Shilimkar + + +[ Upstream commit 584a8279a44a800dea5a5c1e9d53a002e03016b4 ] + +The first message to a remote node should prompt a new +connection even if it is RDMA operation. For RDMA operation +the MR mapping can fail because connections is not yet up. + +Since the connection establishment is asynchronous, +we make sure the map failure because of unavailable +connection reach to the user by appropriate error code. +Before returning to the user, lets trigger the connection +so that its ready for the next retry. + +Signed-off-by: Santosh Shilimkar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/send.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/net/rds/send.c ++++ b/net/rds/send.c +@@ -959,6 +959,11 @@ static int rds_cmsg_send(struct rds_sock + ret = rds_cmsg_rdma_map(rs, rm, cmsg); + if (!ret) + *allocated_mr = 1; ++ else if (ret == -ENODEV) ++ /* Accommodate the get_mr() case which can fail ++ * if connection isn't established yet. ++ */ ++ ret = -EAGAIN; + break; + case RDS_CMSG_ATOMIC_CSWP: + case RDS_CMSG_ATOMIC_FADD: +@@ -1072,8 +1077,12 @@ int rds_sendmsg(struct socket *sock, str + + /* Parse any control messages the user may have included. */ + ret = rds_cmsg_send(rs, rm, msg, &allocated_mr); +- if (ret) ++ if (ret) { ++ /* Trigger connection so that its ready for the next retry */ ++ if (ret == -EAGAIN) ++ rds_conn_connect_if_down(conn); + goto out; ++ } + + if (rm->rdma.op_active && !conn->c_trans->xmit_rdma) { + printk_ratelimited(KERN_NOTICE "rdma_op %p conn xmit_rdma %p\n", diff --git a/queue-4.4/s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch b/queue-4.4/s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch new file mode 100644 index 00000000000..d1462cf69db --- /dev/null +++ b/queue-4.4/s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch @@ -0,0 +1,42 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Heiko Carstens +Date: Tue, 20 Dec 2016 12:58:10 +0100 +Subject: s390/kbuild: enable modversions for symbols exported from asm + +From: Heiko Carstens + + +[ Upstream commit cabab3f9f5ca077535080b3252e6168935b914af ] + +s390 version of commit 334bb7738764 ("x86/kbuild: enable modversions +for symbols exported from asm") so we get also rid of all these +warnings: + +WARNING: EXPORT symbol "_mcount" [vmlinux] version generation failed, symbol will not be versioned. +WARNING: EXPORT symbol "memcpy" [vmlinux] version generation failed, symbol will not be versioned. +WARNING: EXPORT symbol "memmove" [vmlinux] version generation failed, symbol will not be versioned. +WARNING: EXPORT symbol "memset" [vmlinux] version generation failed, symbol will not be versioned. +WARNING: EXPORT symbol "save_fpu_regs" [vmlinux] version generation failed, symbol will not be versioned. +WARNING: EXPORT symbol "sie64a" [vmlinux] version generation failed, symbol will not be versioned. +WARNING: EXPORT symbol "sie_exit" [vmlinux] version generation failed, symbol will not be versioned. + +Signed-off-by: Heiko Carstens +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/include/asm/asm-prototypes.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + create mode 100644 arch/s390/include/asm/asm-prototypes.h + +--- /dev/null ++++ b/arch/s390/include/asm/asm-prototypes.h +@@ -0,0 +1,8 @@ ++#ifndef _ASM_S390_PROTOTYPES_H ++ ++#include ++#include ++#include ++#include ++ ++#endif /* _ASM_S390_PROTOTYPES_H */ diff --git a/queue-4.4/series b/queue-4.4/series index 3eca2ae455f..b329cb338ab 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -69,3 +69,28 @@ pm-opp-add-missing-of_node_put-np.patch e1000e-fix-error-path-in-link-detection.patch e1000e-fix-return-value-test.patch e1000e-separate-signaling-for-link-check-link-up.patch +rds-rdma-return-appropriate-error-on-rdma-map-failures.patch +pci-apply-_hpx-settings-only-to-relevant-devices.patch +dmaengine-zx-set-dma_cyclic-cap_mask-bit.patch +net-allow-ip_multicast_if-to-set-index-to-l3-slave.patch +net-3com-typhoon-typhoon_init_one-make-return-values-more-specific.patch +net-3com-typhoon-typhoon_init_one-fix-incorrect-return-values.patch +drm-armada-fix-compile-fail.patch +ath10k-fix-incorrect-txpower-set-by-p2p_device-interface.patch +ath10k-ignore-configuring-the-incorrect-board_id.patch +ath10k-fix-potential-memory-leak-in-ath10k_wmi_tlv_op_pull_fw_stats.patch +ath10k-set-cts-protection-vdev-param-only-if-vdev-is-up.patch +alsa-hda-apply-alc269_fixup_no_shutup-on-hda_fixup_act_probe.patch +drm-apply-range-restriction-after-color-adjustment-when-allocation.patch +mac80211-remove-invalid-flag-operations-in-mesh-tsf-synchronization.patch +mac80211-suppress-new_peer_candidate-event-if-no-room.patch +iio-light-fix-improper-return-value.patch +staging-iio-cdc-fix-improper-return-value.patch +spi-spi_fsl_dspi-should-depend-on-has_dma.patch +netfilter-nft_queue-use-raw_smp_processor_id.patch +netfilter-nf_tables-fix-oob-access.patch +asoc-rsnd-don-t-double-free-kctrl.patch +btrfs-return-the-actual-error-value-from-from-btrfs_uuid_tree_iterate.patch +asoc-wm_adsp-don-t-overrun-firmware-file-buffer-when-reading-region-data.patch +s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch +xen-xenbus-driver-must-not-accept-invalid-transaction-ids.patch diff --git a/queue-4.4/spi-spi_fsl_dspi-should-depend-on-has_dma.patch b/queue-4.4/spi-spi_fsl_dspi-should-depend-on-has_dma.patch new file mode 100644 index 00000000000..85e5aa31963 --- /dev/null +++ b/queue-4.4/spi-spi_fsl_dspi-should-depend-on-has_dma.patch @@ -0,0 +1,34 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Geert Uytterhoeven +Date: Wed, 14 Dec 2016 13:28:05 +0100 +Subject: spi: SPI_FSL_DSPI should depend on HAS_DMA + +From: Geert Uytterhoeven + + +[ Upstream commit dadab2d4e3cf708ceba22ecddd94aedfecb39199 ] + +If NO_DMA=y: + + ERROR: "bad_dma_ops" [drivers/spi/spi-fsl-dspi.ko] undefined! + +Add a dependency on HAS_DMA to fix this. + +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/spi/Kconfig ++++ b/drivers/spi/Kconfig +@@ -315,6 +315,7 @@ config SPI_FSL_SPI + config SPI_FSL_DSPI + tristate "Freescale DSPI controller" + select REGMAP_MMIO ++ depends on HAS_DMA + depends on SOC_VF610 || SOC_LS1021A || ARCH_LAYERSCAPE || COMPILE_TEST + help + This enables support for the Freescale DSPI controller in master diff --git a/queue-4.4/staging-iio-cdc-fix-improper-return-value.patch b/queue-4.4/staging-iio-cdc-fix-improper-return-value.patch new file mode 100644 index 00000000000..9d93f8d875c --- /dev/null +++ b/queue-4.4/staging-iio-cdc-fix-improper-return-value.patch @@ -0,0 +1,33 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Pan Bian +Date: Sat, 3 Dec 2016 21:44:30 +0800 +Subject: staging: iio: cdc: fix improper return value + +From: Pan Bian + + +[ Upstream commit 91ca1a8c584f55857b1f6ab20a1d3a1ce7a559bb ] + +At the end of function ad7150_write_event_config(), directly returns 0. +As a result, the errors will be ignored by the callers. It may be better +to return variable "ret". + +Signed-off-by: Pan Bian +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/iio/cdc/ad7150.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/iio/cdc/ad7150.c ++++ b/drivers/staging/iio/cdc/ad7150.c +@@ -272,7 +272,7 @@ static int ad7150_write_event_config(str + error_ret: + mutex_unlock(&chip->state_lock); + +- return 0; ++ return ret; + } + + static int ad7150_read_event_value(struct iio_dev *indio_dev, diff --git a/queue-4.4/xen-xenbus-driver-must-not-accept-invalid-transaction-ids.patch b/queue-4.4/xen-xenbus-driver-must-not-accept-invalid-transaction-ids.patch new file mode 100644 index 00000000000..80bc46203b5 --- /dev/null +++ b/queue-4.4/xen-xenbus-driver-must-not-accept-invalid-transaction-ids.patch @@ -0,0 +1,45 @@ +From foo@baz Tue Nov 28 10:56:34 CET 2017 +From: Juergen Gross +Date: Thu, 22 Dec 2016 08:19:46 +0100 +Subject: xen: xenbus driver must not accept invalid transaction ids + +From: Juergen Gross + + +[ Upstream commit 639b08810d6ad74ded2c5f6e233c4fcb9d147168 ] + +When accessing Xenstore in a transaction the user is specifying a +transaction id which he normally obtained from Xenstore when starting +the transaction. Xenstore is validating a transaction id against all +known transaction ids of the connection the request came in. As all +requests of a domain not being the one where Xenstore lives share +one connection, validation of transaction ids of different users of +Xenstore in that domain should be done by the kernel of that domain +being the multiplexer between the Xenstore users in that domain and +Xenstore. + +In order to prohibit one Xenstore user "hijacking" a transaction from +another user the xenbus driver has to verify a given transaction id +against all known transaction ids of the user before forwarding it to +Xenstore. + +Signed-off-by: Juergen Gross +Reviewed-by: Boris Ostrovsky +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/xen/xenbus/xenbus_dev_frontend.c ++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c +@@ -316,7 +316,7 @@ static int xenbus_write_transaction(unsi + rc = -ENOMEM; + goto out; + } +- } else if (msg_type == XS_TRANSACTION_END) { ++ } else if (u->u.msg.tx_id != 0) { + list_for_each_entry(trans, &u->transactions, list) + if (trans->handle.id == u->u.msg.tx_id) + break;