From: Greg Kroah-Hartman Date: Tue, 11 Dec 2018 14:15:26 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.19.9~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1976ca32cad432006fb13377d61be01d4f28875d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: cfg80211-fix-busy-loop-regression-in-ieee80211_ie_split_ric.patch cifs-fix-separator-when-building-path-from-dentry.patch crypto-do-not-free-algorithm-before-using.patch drivers-hv-vmbus-offload-the-handling-of-channels-to-two-workqueues.patch drm-amdgpu-gmc8-always-load-mc-firmware-in-the-driver.patch drm-amdgpu-gmc8-update-mc-firmware-for-polaris.patch drm-amdgpu-update-mc-firmware-image-for-polaris12-variants.patch drm-i915-downgrade-gen9-plane-wm-latency-error.patch drm-lease-send-a-distinct-uevent.patch drm-msm-move-fence-put-to-where-failure-occurs.patch gnss-sirf-fix-activation-retry-handling.patch kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch kprobes-x86-fix-instruction-patching-corruption-when-copying-more-than-one-rip-relative-instruction.patch libnvdimm-pfn-pad-pfn-namespaces-relative-to-other-regions.patch mac80211-clear-beacon_int-in-ieee80211_do_stop.patch mac80211-fix-gfp_kernel-under-tasklet-context.patch mac80211-fix-reordering-of-buffered-broadcast-packets.patch mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch revert-commit-ef9209b642f-staging-rtl8723bs-fix-indenting-errors-and-an-off-by-one-mistake-in-core-rtw_mlme_ext.c.patch staging-rtl8712-fix-possible-buffer-overrun.patch tty-do-not-set-tty_io_error-flag-if-console-port.patch tty-serial-8250_mtk-always-resume-the-device-in-probe.patch x86-efi-allocate-e820-buffer-before-calling-efi_exit_boot_service.patch --- 
diff --git a/queue-4.19/cfg80211-fix-busy-loop-regression-in-ieee80211_ie_split_ric.patch b/queue-4.19/cfg80211-fix-busy-loop-regression-in-ieee80211_ie_split_ric.patch
new file mode 100644
index 00000000000..99c0a6ec718
--- /dev/null
+++ b/queue-4.19/cfg80211-fix-busy-loop-regression-in-ieee80211_ie_split_ric.patch
@@ -0,0 +1,47 @@ +From 312ca38ddda64bac6513ec68e0ac3789b4eb44dc Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Wed, 5 Dec 2018 12:55:54 +0200 +Subject: cfg80211: Fix busy loop regression in ieee80211_ie_split_ric() + +From: Jouni Malinen + +commit 312ca38ddda64bac6513ec68e0ac3789b4eb44dc upstream. + +This function was modified to support the information element extension +case (WLAN_EID_EXTENSION) in a manner that would result in an infinite +loop when going through set of IEs that include WLAN_EID_RIC_DATA and +contain an IE that is in the after_ric array. The only place where this +can currently happen is in mac80211 ieee80211_send_assoc() where +ieee80211_ie_split_ric() is called with after_ric[]. + +This can be triggered by valid data from user space nl80211 +association/connect request (i.e., requiring GENL_UNS_ADMIN_PERM). The +only known application having an option to include WLAN_EID_RIC_DATA in +these requests is wpa_supplicant and it had a bug that prevented this +specific contents from being used (and because of that, not triggering +this kernel bug in an automated test case ap_ft_ric) and now that this +bug is fixed, it has a workaround to avoid this kernel issue. +WLAN_EID_RIC_DATA is currently used only for testing purposes, so this +does not cause significant harm for production use cases. + +Fixes: 2512b1b18d07 ("mac80211: extend ieee80211_ie_split to support EXTENSION") +Cc: stable@vger.kernel.org +Signed-off-by: Jouni Malinen +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/util.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -1418,6 +1418,8 @@ size_t ieee80211_ie_split_ric(const u8 * + ies[pos + ext], + ext == 2)) + pos = skip_ie(ies, ielen, pos); ++ else ++ break; + } + } else { + pos = skip_ie(ies, ielen, pos); 
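Review bot: The added `else break;` at the end of the hunk is the entire fix for the busy loop, yet nothing in the code records why leaving the inner loop there is correct, and the loop structure around it (the `}` and `} else {` lines) is only partly visible. A short comment would stop a later cleanup from folding it away: `/* first IE not in after_ric: stop here, the outer loop resumes at pos (without this break the loop never advanced) */`. Since the commit message says the old loop was reachable from an nl80211 request, the stable backport is a good place to add a regression test that hands the function a RIC block followed by an after_ric IE and checks that it returns. ieee80211_ie_split_ric() begins and ends outside the hunk.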
diff --git a/queue-4.19/cifs-fix-separator-when-building-path-from-dentry.patch b/queue-4.19/cifs-fix-separator-when-building-path-from-dentry.patch new file mode 100644 index 00000000000..2791a539f2f --- /dev/null +++ b/queue-4.19/cifs-fix-separator-when-building-path-from-dentry.patch @@ -0,0 +1,34 @@ +From c988de29ca161823db6a7125e803d597ef75b49c Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Thu, 15 Nov 2018 15:20:52 +0100 +Subject: cifs: Fix separator when building path from dentry + +From: Paulo Alcantara + +commit c988de29ca161823db6a7125e803d597ef75b49c upstream. + +Make sure to use the CIFS_DIR_SEP(cifs_sb) as path separator for +prefixpath too. Fixes a bug with smb1 UNIX extensions. + +Fixes: a6b5058fafdf ("fs/cifs: make share unaccessible at root level mountable") +Signed-off-by: Paulo Alcantara +Reviewed-by: Aurelien Aptel +Signed-off-by: Steve French +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/dir.c ++++ b/fs/cifs/dir.c +@@ -174,7 +174,7 @@ cifs_bp_rename_retry: + + cifs_dbg(FYI, "using cifs_sb prepath <%s>\n", cifs_sb->prepath); + memcpy(full_path+dfsplen+1, cifs_sb->prepath, pplen-1); +- full_path[dfsplen] = '\\'; ++ full_path[dfsplen] = dirsep; + for (i = 0; i < pplen-1; i++) + if (full_path[dfsplen+1+i] == '/') + full_path[dfsplen+1+i] = CIFS_DIR_SEP(cifs_sb); diff --git a/queue-4.19/crypto-do-not-free-algorithm-before-using.patch b/queue-4.19/crypto-do-not-free-algorithm-before-using.patch new file mode 100644 index 00000000000..3b145b3d8e5 --- /dev/null +++ b/queue-4.19/crypto-do-not-free-algorithm-before-using.patch 
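Review bot: The new `full_path[dfsplen] = dirsep;` uses `dirsep`, while the loop three lines below still writes `CIFS_DIR_SEP(cifs_sb)` for the very same separator; if `dirsep` is just a cached `CIFS_DIR_SEP(cifs_sb)` (its definition is outside the hunk), the loop should use the same variable, `full_path[dfsplen+1+i] = dirsep;`, so the two cannot diverge again the way the fixed line did. A one-line comment above the `memcpy`, e.g. `/* prepath is joined with the same separator the share uses */`, would make the intent explicit. The enclosing function starts and ends outside the hunk.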
@@ -0,0 +1,115 @@ +From e5bde04ccce64d808f8b00a489a1fe5825d285cb Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Thu, 22 Nov 2018 18:00:16 +0800 +Subject: crypto: do not free algorithm before using + +From: Pan Bian + +commit e5bde04ccce64d808f8b00a489a1fe5825d285cb upstream. + +In multiple functions, the algorithm fields are read after its reference +is dropped through crypto_mod_put. In this case, the algorithm memory +may be freed, resulting in use-after-free bugs. This patch delays the +put operation until the algorithm is never used. + +Fixes: 79c65d179a40 ("crypto: cbc - Convert to skcipher") +Fixes: a7d85e06ed80 ("crypto: cfb - add support for Cipher FeedBack mode") +Fixes: 043a44001b9e ("crypto: pcbc - Convert to skcipher") +Cc: +Signed-off-by: Pan Bian +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/cbc.c | 6 ++++-- + crypto/cfb.c | 6 ++++-- + crypto/pcbc.c | 6 ++++-- + 3 files changed, 12 insertions(+), 6 deletions(-) + +--- a/crypto/cbc.c ++++ b/crypto/cbc.c +@@ -140,9 +140,8 @@ static int crypto_cbc_create(struct cryp + spawn = skcipher_instance_ctx(inst); + err = crypto_init_spawn(spawn, alg, skcipher_crypto_instance(inst), + CRYPTO_ALG_TYPE_MASK); +- crypto_mod_put(alg); + if (err) +- goto err_free_inst; ++ goto err_put_alg; + + err = crypto_inst_setname(skcipher_crypto_instance(inst), "cbc", alg); + if (err) +@@ -174,12 +173,15 @@ static int crypto_cbc_create(struct cryp + err = skcipher_register_instance(tmpl, inst); + if (err) + goto err_drop_spawn; ++ crypto_mod_put(alg); + + out: + return err; + + err_drop_spawn: + crypto_drop_spawn(spawn); ++err_put_alg: ++ crypto_mod_put(alg); + err_free_inst: + kfree(inst); + goto out; +--- a/crypto/cfb.c ++++ b/crypto/cfb.c +@@ -286,9 +286,8 @@ static int crypto_cfb_create(struct cryp + spawn = skcipher_instance_ctx(inst); + err = crypto_init_spawn(spawn, alg, skcipher_crypto_instance(inst), + CRYPTO_ALG_TYPE_MASK); +- crypto_mod_put(alg); + if (err) +- goto err_free_inst; ++ 
goto err_put_alg; + + err = crypto_inst_setname(skcipher_crypto_instance(inst), "cfb", alg); + if (err) +@@ -317,12 +316,15 @@ static int crypto_cfb_create(struct cryp + err = skcipher_register_instance(tmpl, inst); + if (err) + goto err_drop_spawn; ++ crypto_mod_put(alg); + + out: + return err; + + err_drop_spawn: + crypto_drop_spawn(spawn); ++err_put_alg: ++ crypto_mod_put(alg); + err_free_inst: + kfree(inst); + goto out; +--- a/crypto/pcbc.c ++++ b/crypto/pcbc.c +@@ -244,9 +244,8 @@ static int crypto_pcbc_create(struct cry + spawn = skcipher_instance_ctx(inst); + err = crypto_init_spawn(spawn, alg, skcipher_crypto_instance(inst), + CRYPTO_ALG_TYPE_MASK); +- crypto_mod_put(alg); + if (err) +- goto err_free_inst; ++ goto err_put_alg; + + err = crypto_inst_setname(skcipher_crypto_instance(inst), "pcbc", alg); + if (err) +@@ -275,12 +274,15 @@ static int crypto_pcbc_create(struct cry + err = skcipher_register_instance(tmpl, inst); + if (err) + goto err_drop_spawn; ++ crypto_mod_put(alg); + + out: + return err; + + err_drop_spawn: + crypto_drop_spawn(spawn); ++err_put_alg: ++ crypto_mod_put(alg); + err_free_inst: + kfree(inst); + goto out; diff --git a/queue-4.19/drivers-hv-vmbus-offload-the-handling-of-channels-to-two-workqueues.patch b/queue-4.19/drivers-hv-vmbus-offload-the-handling-of-channels-to-two-workqueues.patch new file mode 100644 index 00000000000..303215b8c97 --- /dev/null +++ b/queue-4.19/drivers-hv-vmbus-offload-the-handling-of-channels-to-two-workqueues.patch 
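Review bot: With the new label order `err_drop_spawn` → `err_put_alg` → `err_free_inst` in all three files (cbc.c, cfb.c, pcbc.c), `err_free_inst` no longer drops the `alg` reference, so every `goto err_free_inst` that remains above the hunk must be one taken before `alg` was obtained, which this hunk cannot show and a backport reviewer should confirm in each file. The success-path `crypto_mod_put(alg);` added just before `out:` deserves a one-line comment such as `/* the spawn now holds its own reference on alg; drop ours */` so nobody moves it back above `crypto_inst_setname()`, which reads `alg` — hedged, since the spawn refcount semantics are not visible here. The three create functions start and end outside the hunk.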
@@ -0,0 +1,390 @@ +From 37c2578c0c40e286bc0d30bdc05290b2058cf66e Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Mon, 3 Dec 2018 00:54:35 +0000 +Subject: Drivers: hv: vmbus: Offload the handling of channels to two workqueues + +From: Dexuan Cui + +commit 37c2578c0c40e286bc0d30bdc05290b2058cf66e upstream. + +vmbus_process_offer() mustn't call channel->sc_creation_callback() +directly for sub-channels, because sc_creation_callback() -> +vmbus_open() may never get the host's response to the +OPEN_CHANNEL message (the host may rescind a channel at any time, +e.g. in the case of hot removing a NIC), and vmbus_onoffer_rescind() +may not wake up the vmbus_open() as it's blocked due to a non-zero +vmbus_connection.offer_in_progress, and finally we have a deadlock. + +The above is also true for primary channels, if the related device +drivers use sync probing mode by default. + +And, usually the handling of primary channels and sub-channels can +depend on each other, so we should offload them to different +workqueues to avoid possible deadlock, e.g. in sync-probing mode, +NIC1's netvsc_subchan_work() can race with NIC2's netvsc_probe() -> +rtnl_lock(), and causes deadlock: the former gets the rtnl_lock +and waits for all the sub-channels to appear, but the latter +can't get the rtnl_lock and this blocks the handling of sub-channels. + +The patch can fix the multiple-NIC deadlock described above for +v3.x kernels (e.g. RHEL 7.x) which don't support async-probing +of devices, and v4.4, v4.9, v4.14 and v4.18 which support async-probing +but don't enable async-probing for Hyper-V drivers (yet). + +The patch can also fix the hang issue in sub-channel's handling described +above for all versions of kernels, including v4.19 and v4.20-rc4. + +So actually the patch should be applied to all the existing kernels, +not only the kernels that have 8195b1396ec8. + +Fixes: 8195b1396ec8 ("hv_netvsc: fix deadlock on hotplug") +Cc: stable@vger.kernel.org +Cc: Stephen Hemminger +Cc: K. Y. 
Srinivasan +Cc: Haiyang Zhang +Signed-off-by: Dexuan Cui +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/channel_mgmt.c | 189 ++++++++++++++++++++++++++++++---------------- + drivers/hv/connection.c | 24 +++++ + drivers/hv/hyperv_vmbus.h | 7 + + include/linux/hyperv.h | 7 + + 4 files changed, 161 insertions(+), 66 deletions(-) + +--- a/drivers/hv/channel_mgmt.c ++++ b/drivers/hv/channel_mgmt.c +@@ -447,61 +447,16 @@ void vmbus_free_channels(void) + } + } + +-/* +- * vmbus_process_offer - Process the offer by creating a channel/device +- * associated with this offer +- */ +-static void vmbus_process_offer(struct vmbus_channel *newchannel) ++/* Note: the function can run concurrently for primary/sub channels. */ ++static void vmbus_add_channel_work(struct work_struct *work) + { +- struct vmbus_channel *channel; +- bool fnew = true; ++ struct vmbus_channel *newchannel = ++ container_of(work, struct vmbus_channel, add_channel_work); ++ struct vmbus_channel *primary_channel = newchannel->primary_channel; + unsigned long flags; + u16 dev_type; + int ret; + +- /* Make sure this is a new offer */ +- mutex_lock(&vmbus_connection.channel_mutex); +- +- /* +- * Now that we have acquired the channel_mutex, +- * we can release the potentially racing rescind thread. +- */ +- atomic_dec(&vmbus_connection.offer_in_progress); +- +- list_for_each_entry(channel, &vmbus_connection.chn_list, listentry) { +- if (!uuid_le_cmp(channel->offermsg.offer.if_type, +- newchannel->offermsg.offer.if_type) && +- !uuid_le_cmp(channel->offermsg.offer.if_instance, +- newchannel->offermsg.offer.if_instance)) { +- fnew = false; +- break; +- } +- } +- +- if (fnew) +- list_add_tail(&newchannel->listentry, +- &vmbus_connection.chn_list); +- +- mutex_unlock(&vmbus_connection.channel_mutex); +- +- if (!fnew) { +- /* +- * Check to see if this is a sub-channel. +- */ +- if (newchannel->offermsg.offer.sub_channel_index != 0) { +- /* +- * Process the sub-channel. 
+- */ +- newchannel->primary_channel = channel; +- spin_lock_irqsave(&channel->lock, flags); +- list_add_tail(&newchannel->sc_list, &channel->sc_list); +- channel->num_sc++; +- spin_unlock_irqrestore(&channel->lock, flags); +- } else { +- goto err_free_chan; +- } +- } +- + dev_type = hv_get_dev_type(newchannel); + + init_vp_index(newchannel, dev_type); +@@ -519,27 +474,26 @@ static void vmbus_process_offer(struct v + /* + * This state is used to indicate a successful open + * so that when we do close the channel normally, we +- * can cleanup properly ++ * can cleanup properly. + */ + newchannel->state = CHANNEL_OPEN_STATE; + +- if (!fnew) { +- struct hv_device *dev +- = newchannel->primary_channel->device_obj; ++ if (primary_channel != NULL) { ++ /* newchannel is a sub-channel. */ ++ struct hv_device *dev = primary_channel->device_obj; + + if (vmbus_add_channel_kobj(dev, newchannel)) +- goto err_free_chan; ++ goto err_deq_chan; ++ ++ if (primary_channel->sc_creation_callback != NULL) ++ primary_channel->sc_creation_callback(newchannel); + +- if (channel->sc_creation_callback != NULL) +- channel->sc_creation_callback(newchannel); + newchannel->probe_done = true; + return; + } + + /* +- * Start the process of binding this offer to the driver +- * We need to set the DeviceObject field before calling +- * vmbus_child_dev_add() ++ * Start the process of binding the primary channel to the driver + */ + newchannel->device_obj = vmbus_device_create( + &newchannel->offermsg.offer.if_type, +@@ -568,13 +522,28 @@ static void vmbus_process_offer(struct v + + err_deq_chan: + mutex_lock(&vmbus_connection.channel_mutex); +- list_del(&newchannel->listentry); ++ ++ /* ++ * We need to set the flag, otherwise ++ * vmbus_onoffer_rescind() can be blocked. 
++ */ ++ newchannel->probe_done = true; ++ ++ if (primary_channel == NULL) { ++ list_del(&newchannel->listentry); ++ } else { ++ spin_lock_irqsave(&primary_channel->lock, flags); ++ list_del(&newchannel->sc_list); ++ spin_unlock_irqrestore(&primary_channel->lock, flags); ++ } ++ + mutex_unlock(&vmbus_connection.channel_mutex); + + if (newchannel->target_cpu != get_cpu()) { + put_cpu(); + smp_call_function_single(newchannel->target_cpu, +- percpu_channel_deq, newchannel, true); ++ percpu_channel_deq, ++ newchannel, true); + } else { + percpu_channel_deq(newchannel); + put_cpu(); +@@ -582,14 +551,104 @@ err_deq_chan: + + vmbus_release_relid(newchannel->offermsg.child_relid); + +-err_free_chan: + free_channel(newchannel); + } + + /* ++ * vmbus_process_offer - Process the offer by creating a channel/device ++ * associated with this offer ++ */ ++static void vmbus_process_offer(struct vmbus_channel *newchannel) ++{ ++ struct vmbus_channel *channel; ++ struct workqueue_struct *wq; ++ unsigned long flags; ++ bool fnew = true; ++ ++ mutex_lock(&vmbus_connection.channel_mutex); ++ ++ /* ++ * Now that we have acquired the channel_mutex, ++ * we can release the potentially racing rescind thread. ++ */ ++ atomic_dec(&vmbus_connection.offer_in_progress); ++ ++ list_for_each_entry(channel, &vmbus_connection.chn_list, listentry) { ++ if (!uuid_le_cmp(channel->offermsg.offer.if_type, ++ newchannel->offermsg.offer.if_type) && ++ !uuid_le_cmp(channel->offermsg.offer.if_instance, ++ newchannel->offermsg.offer.if_instance)) { ++ fnew = false; ++ break; ++ } ++ } ++ ++ if (fnew) ++ list_add_tail(&newchannel->listentry, ++ &vmbus_connection.chn_list); ++ else { ++ /* ++ * Check to see if this is a valid sub-channel. ++ */ ++ if (newchannel->offermsg.offer.sub_channel_index == 0) { ++ mutex_unlock(&vmbus_connection.channel_mutex); ++ /* ++ * Don't call free_channel(), because newchannel->kobj ++ * is not initialized yet. 
++ */ ++ kfree(newchannel); ++ WARN_ON_ONCE(1); ++ return; ++ } ++ /* ++ * Process the sub-channel. ++ */ ++ newchannel->primary_channel = channel; ++ spin_lock_irqsave(&channel->lock, flags); ++ list_add_tail(&newchannel->sc_list, &channel->sc_list); ++ spin_unlock_irqrestore(&channel->lock, flags); ++ } ++ ++ mutex_unlock(&vmbus_connection.channel_mutex); ++ ++ /* ++ * vmbus_process_offer() mustn't call channel->sc_creation_callback() ++ * directly for sub-channels, because sc_creation_callback() -> ++ * vmbus_open() may never get the host's response to the ++ * OPEN_CHANNEL message (the host may rescind a channel at any time, ++ * e.g. in the case of hot removing a NIC), and vmbus_onoffer_rescind() ++ * may not wake up the vmbus_open() as it's blocked due to a non-zero ++ * vmbus_connection.offer_in_progress, and finally we have a deadlock. ++ * ++ * The above is also true for primary channels, if the related device ++ * drivers use sync probing mode by default. ++ * ++ * And, usually the handling of primary channels and sub-channels can ++ * depend on each other, so we should offload them to different ++ * workqueues to avoid possible deadlock, e.g. in sync-probing mode, ++ * NIC1's netvsc_subchan_work() can race with NIC2's netvsc_probe() -> ++ * rtnl_lock(), and causes deadlock: the former gets the rtnl_lock ++ * and waits for all the sub-channels to appear, but the latter ++ * can't get the rtnl_lock and this blocks the handling of ++ * sub-channels. ++ */ ++ INIT_WORK(&newchannel->add_channel_work, vmbus_add_channel_work); ++ wq = fnew ? vmbus_connection.handle_primary_chan_wq : ++ vmbus_connection.handle_sub_chan_wq; ++ queue_work(wq, &newchannel->add_channel_work); ++} ++ ++/* + * We use this state to statically distribute the channel interrupt load. 
+ */ + static int next_numa_node_id; ++/* ++ * init_vp_index() accesses global variables like next_numa_node_id, and ++ * it can run concurrently for primary channels and sub-channels: see ++ * vmbus_process_offer(), so we need the lock to protect the global ++ * variables. ++ */ ++static DEFINE_SPINLOCK(bind_channel_to_cpu_lock); + + /* + * Starting with Win8, we can statically distribute the incoming +@@ -625,6 +684,8 @@ static void init_vp_index(struct vmbus_c + return; + } + ++ spin_lock(&bind_channel_to_cpu_lock); ++ + /* + * Based on the channel affinity policy, we will assign the NUMA + * nodes. +@@ -707,6 +768,8 @@ static void init_vp_index(struct vmbus_c + channel->target_cpu = cur_cpu; + channel->target_vp = hv_cpu_number_to_vp_number(cur_cpu); + ++ spin_unlock(&bind_channel_to_cpu_lock); ++ + free_cpumask_var(available_mask); + } + +--- a/drivers/hv/connection.c ++++ b/drivers/hv/connection.c +@@ -190,6 +190,20 @@ int vmbus_connect(void) + goto cleanup; + } + ++ vmbus_connection.handle_primary_chan_wq = ++ create_workqueue("hv_pri_chan"); ++ if (!vmbus_connection.handle_primary_chan_wq) { ++ ret = -ENOMEM; ++ goto cleanup; ++ } ++ ++ vmbus_connection.handle_sub_chan_wq = ++ create_workqueue("hv_sub_chan"); ++ if (!vmbus_connection.handle_sub_chan_wq) { ++ ret = -ENOMEM; ++ goto cleanup; ++ } ++ + INIT_LIST_HEAD(&vmbus_connection.chn_msg_list); + spin_lock_init(&vmbus_connection.channelmsg_lock); + +@@ -280,10 +294,14 @@ void vmbus_disconnect(void) + */ + vmbus_initiate_unload(false); + +- if (vmbus_connection.work_queue) { +- drain_workqueue(vmbus_connection.work_queue); ++ if (vmbus_connection.handle_sub_chan_wq) ++ destroy_workqueue(vmbus_connection.handle_sub_chan_wq); ++ ++ if (vmbus_connection.handle_primary_chan_wq) ++ destroy_workqueue(vmbus_connection.handle_primary_chan_wq); ++ ++ if (vmbus_connection.work_queue) + destroy_workqueue(vmbus_connection.work_queue); +- } + + if (vmbus_connection.int_page) { + free_pages((unsigned 
long)vmbus_connection.int_page, 0); +--- a/drivers/hv/hyperv_vmbus.h ++++ b/drivers/hv/hyperv_vmbus.h +@@ -335,7 +335,14 @@ struct vmbus_connection { + struct list_head chn_list; + struct mutex channel_mutex; + ++ /* ++ * An offer message is handled first on the work_queue, and then ++ * is further handled on handle_primary_chan_wq or ++ * handle_sub_chan_wq. ++ */ + struct workqueue_struct *work_queue; ++ struct workqueue_struct *handle_primary_chan_wq; ++ struct workqueue_struct *handle_sub_chan_wq; + }; + + +--- a/include/linux/hyperv.h ++++ b/include/linux/hyperv.h +@@ -904,6 +904,13 @@ struct vmbus_channel { + + bool probe_done; + ++ /* ++ * We must offload the handling of the primary/sub channels ++ * from the single-threaded vmbus_connection.work_queue to ++ * two different workqueue, otherwise we can block ++ * vmbus_connection.work_queue and hang: see vmbus_process_offer(). ++ */ ++ struct work_struct add_channel_work; + }; + + static inline bool is_hvsock_channel(const struct vmbus_channel *c) diff --git a/queue-4.19/drm-amdgpu-gmc8-always-load-mc-firmware-in-the-driver.patch b/queue-4.19/drm-amdgpu-gmc8-always-load-mc-firmware-in-the-driver.patch new file mode 100644 index 00000000000..78617d25957 --- /dev/null +++ b/queue-4.19/drm-amdgpu-gmc8-always-load-mc-firmware-in-the-driver.patch 
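Review bot: The removed `vmbus_process_offer` incremented `channel->num_sc` when linking a sub-channel into `sc_list`, but the re-added sub-channel branch in the new `vmbus_process_offer` (`list_add_tail(&newchannel->sc_list, &channel->sc_list);` under `channel->lock`) has no increment. If `num_sc` still has a matching decrement or any reader elsewhere in the 4.19 tree (outside this patch), the counter now drifts; if it has none, the field should be dropped in the same backport so the missing accounting does not look accidental. A comment next to that `list_add_tail` saying which of the two holds would save the next reader the search. The error path in `vmbus_add_channel_work` does unlink the sub-channel from `sc_list` again, so the list itself stays balanced.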
@@ -0,0 +1,51 @@ +From b52b6738cc2d50d2a8f4d0095bcb5a86716008a5 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 28 Nov 2018 23:28:17 -0500 +Subject: drm/amdgpu/gmc8: always load MC firmware in the driver +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit b52b6738cc2d50d2a8f4d0095bcb5a86716008a5 upstream. + +Some power features rely on the driver loaded version so always +load the MC firmware from the driver even if the vbios loaded +a version already. + +Acked-by: Christian König +Reviewed-by: Junwei Zhang +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c +@@ -365,7 +365,7 @@ static int gmc_v8_0_polaris_mc_load_micr + const struct mc_firmware_header_v1_0 *hdr; + const __le32 *fw_data = NULL; + const __le32 *io_mc_regs = NULL; +- u32 data, vbios_version; ++ u32 data; + int i, ucode_size, regs_size; + + /* Skip MC ucode loading on SR-IOV capable boards. +@@ -376,13 +376,6 @@ static int gmc_v8_0_polaris_mc_load_micr + if (amdgpu_sriov_bios(adev)) + return 0; + +- WREG32(mmMC_SEQ_IO_DEBUG_INDEX, 0x9F); +- data = RREG32(mmMC_SEQ_IO_DEBUG_DATA); +- vbios_version = data & 0xf; +- +- if (vbios_version == 0) +- return 0; +- + if (!adev->gmc.fw) + return -EINVAL; + diff --git a/queue-4.19/drm-amdgpu-gmc8-update-mc-firmware-for-polaris.patch b/queue-4.19/drm-amdgpu-gmc8-update-mc-firmware-for-polaris.patch new file mode 100644 index 00000000000..9a3b2eac725 --- /dev/null +++ b/queue-4.19/drm-amdgpu-gmc8-update-mc-firmware-for-polaris.patch 
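Review bot: The hunk removes the only visible use of `data` (`data = RREG32(mmMC_SEQ_IO_DEBUG_DATA);`) but keeps the declaration `u32 data;`; unless `data` is still assigned later in `gmc_v8_0_polaris_mc_load_microcode()` (the rest of the function is outside the hunk), it is now an unused local that `-Wunused-variable` will flag and should go with the rest. Dropping the `vbios_version == 0` early return also changes the missing-firmware case from a silent `return 0` into `return -EINVAL`; a comment above `if (!adev->gmc.fw)` such as `/* driver-loaded MC firmware is mandatory here: power features depend on it */` would record why that is intended.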
@@ -0,0 +1,80 @@ +From a81a7c9c9ea3042ab02d66ac35def74abf091c15 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 28 Nov 2018 23:25:41 -0500 +Subject: drm/amdgpu/gmc8: update MC firmware for polaris +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit a81a7c9c9ea3042ab02d66ac35def74abf091c15 upstream. + +Some variants require different MC firmware images. + +Acked-by: Christian König +Reviewed-by: Junwei Zhang +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c | 29 ++++++++++++++++++++++++----- + 1 file changed, 24 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c +@@ -55,6 +55,8 @@ MODULE_FIRMWARE("amdgpu/tonga_mc.bin"); + MODULE_FIRMWARE("amdgpu/polaris11_mc.bin"); + MODULE_FIRMWARE("amdgpu/polaris10_mc.bin"); + MODULE_FIRMWARE("amdgpu/polaris12_mc.bin"); ++MODULE_FIRMWARE("amdgpu/polaris11_k_mc.bin"); ++MODULE_FIRMWARE("amdgpu/polaris10_k_mc.bin"); + MODULE_FIRMWARE("amdgpu/polaris12_k_mc.bin"); + + static const u32 golden_settings_tonga_a11[] = +@@ -224,22 +226,39 @@ static int gmc_v8_0_init_microcode(struc + chip_name = "tonga"; + break; + case CHIP_POLARIS11: +- chip_name = "polaris11"; ++ if (((adev->pdev->device == 0x67ef) && ++ ((adev->pdev->revision == 0xe0) || ++ (adev->pdev->revision == 0xe5))) || ++ ((adev->pdev->device == 0x67ff) && ++ ((adev->pdev->revision == 0xcf) || ++ (adev->pdev->revision == 0xef) || ++ (adev->pdev->revision == 0xff)))) ++ chip_name = "polaris11_k"; ++ else if ((adev->pdev->device == 0x67ef) && ++ (adev->pdev->revision == 0xe2)) ++ chip_name = "polaris11_k"; ++ else ++ chip_name = "polaris11"; + break; + case CHIP_POLARIS10: +- chip_name = "polaris10"; ++ if ((adev->pdev->device == 0x67df) && ++ ((adev->pdev->revision == 0xe1) || ++ (adev->pdev->revision == 0xf7))) ++ chip_name = "polaris10_k"; 
++ else ++ chip_name = "polaris10"; + break; + case CHIP_POLARIS12: +- chip_name = "polaris12"; + if (((adev->pdev->device == 0x6987) && + ((adev->pdev->revision == 0xc0) || + (adev->pdev->revision == 0xc3))) || + ((adev->pdev->device == 0x6981) && + ((adev->pdev->revision == 0x00) || + (adev->pdev->revision == 0x01) || +- (adev->pdev->revision == 0x10)))) { ++ (adev->pdev->revision == 0x10)))) + chip_name = "polaris12_k"; +- } ++ else ++ chip_name = "polaris12"; + break; + case CHIP_FIJI: + case CHIP_CARRIZO: diff --git a/queue-4.19/drm-amdgpu-update-mc-firmware-image-for-polaris12-variants.patch b/queue-4.19/drm-amdgpu-update-mc-firmware-image-for-polaris12-variants.patch new file mode 100644 index 00000000000..9a48ef99b85 --- /dev/null +++ b/queue-4.19/drm-amdgpu-update-mc-firmware-image-for-polaris12-variants.patch 
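Review bot: In the `CHIP_POLARIS11` case the new `else if ((adev->pdev->device == 0x67ef) && (adev->pdev->revision == 0xe2))` branch assigns the same `"polaris11_k"` as the branch right before it, so it can be folded into that condition (add `(adev->pdev->revision == 0xe2)` to the 0x67ef revision list) and the duplicate assignment removed. The device/revision constants here, in the `CHIP_POLARIS10` and `CHIP_POLARIS12` cases, and in the polaris12-variants patch that follows (`drm-amdgpu-update-mc-firmware-image-for-polaris12-variants.patch`) are bare magic numbers; a one-line comment per branch naming the board variant it selects, or a small static table of {device, revision, firmware name}, would make the next addition reviewable. `gmc_v8_0_init_microcode()` starts and ends outside the hunk.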
@@ -0,0 +1,47 @@ +From d7fd67653f847327e545bdb198b901ee124afd7c Mon Sep 17 00:00:00 2001 +From: Junwei Zhang +Date: Thu, 22 Nov 2018 17:53:00 +0800 +Subject: drm/amdgpu: update mc firmware image for polaris12 variants + +From: Junwei Zhang + +commit d7fd67653f847327e545bdb198b901ee124afd7c upstream. + +Some new variants require updated firmware. + +Signed-off-by: Junwei Zhang +Reviewed-by: Evan Quan +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c +@@ -55,6 +55,7 @@ MODULE_FIRMWARE("amdgpu/tonga_mc.bin"); + MODULE_FIRMWARE("amdgpu/polaris11_mc.bin"); + MODULE_FIRMWARE("amdgpu/polaris10_mc.bin"); + MODULE_FIRMWARE("amdgpu/polaris12_mc.bin"); ++MODULE_FIRMWARE("amdgpu/polaris12_k_mc.bin"); + + static const u32 golden_settings_tonga_a11[] = + { +@@ -230,6 +231,15 @@ static int gmc_v8_0_init_microcode(struc + break; + case CHIP_POLARIS12: + chip_name = "polaris12"; ++ if (((adev->pdev->device == 0x6987) && ++ ((adev->pdev->revision == 0xc0) || ++ (adev->pdev->revision == 0xc3))) || ++ ((adev->pdev->device == 0x6981) && ++ ((adev->pdev->revision == 0x00) || ++ (adev->pdev->revision == 0x01) || ++ (adev->pdev->revision == 0x10)))) { ++ chip_name = "polaris12_k"; ++ } + break; + case CHIP_FIJI: + case CHIP_CARRIZO: diff --git a/queue-4.19/drm-i915-downgrade-gen9-plane-wm-latency-error.patch b/queue-4.19/drm-i915-downgrade-gen9-plane-wm-latency-error.patch new file mode 100644 index 00000000000..c40f12ed7ee --- /dev/null +++ b/queue-4.19/drm-i915-downgrade-gen9-plane-wm-latency-error.patch 
@@ -0,0 +1,37 @@ +From 86c1c87d0e6241cbe35bd52badfc84b154e1b959 Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Thu, 26 Jul 2018 17:15:27 +0100 +Subject: drm/i915: Downgrade Gen9 Plane WM latency error + +From: Chris Wilson + +commit 86c1c87d0e6241cbe35bd52badfc84b154e1b959 upstream. + +According to intel_read_wm_latency() it is perfectly legal for one WM +and all subsequent levels to be 0 (and the deeper powersaving states +disabled), so don't shout *ERROR*, over and over again. + +Signed-off-by: Chris Wilson +Cc: Maarten Lankhorst +Cc: Ville Syrjala +Acked-by: Maarten Lankhorst +Link: https://patchwork.freedesktop.org/patch/msgid/20180726161527.10516-1-chris@chris-wilson.co.uk +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_pm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_pm.c ++++ b/drivers/gpu/drm/i915/intel_pm.c +@@ -2951,8 +2951,8 @@ static void intel_print_wm_latency(struc + unsigned int latency = wm[level]; + + if (latency == 0) { +- DRM_ERROR("%s WM%d latency not provided\n", +- name, level); ++ DRM_DEBUG_KMS("%s WM%d latency not provided\n", ++ name, level); + continue; + } + diff --git a/queue-4.19/drm-lease-send-a-distinct-uevent.patch b/queue-4.19/drm-lease-send-a-distinct-uevent.patch new file mode 100644 index 00000000000..3800153058e --- /dev/null +++ b/queue-4.19/drm-lease-send-a-distinct-uevent.patch 
@@ -0,0 +1,83 @@ +From ce85882860f0e756f7066cbda1c43e8b50b73ab6 Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Thu, 29 Nov 2018 10:42:26 +0100 +Subject: drm/lease: Send a distinct uevent +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Vetter + +commit ce85882860f0e756f7066cbda1c43e8b50b73ab6 upstream. + +Sending the exact same hotplug event is not great uapi. Luckily the +only already merged implementation of leases (in the -modesetting +driver) doesn't care about what kind of uevent it gets, and +unconditionally processes both hotplug and lease changes. So we can +still adjust the uapi here. + +But e.g. weston tries to filter stuff, and I guess others might want +to do that too. Try to make that possible. Cc: stable since it's uapi +adjustement that we want to roll out everywhere. + +Michel Dänzer mentioned on irc that -amdgpu also has lease support. It +has the same code flow as -modesetting though, so we can still go +ahead. 
+ +v2: Mention -amdgpu (Michel) + +Cc: Keith Packard +Cc: Dave Airlie +Cc: stable@vger.kernel.org +Reviewed-by: Keith Packard +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20181129094226.30591-1-daniel.vetter@ffwll.ch +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_internal.h | 2 ++ + drivers/gpu/drm/drm_lease.c | 2 +- + drivers/gpu/drm/drm_sysfs.c | 10 ++++++++++ + 3 files changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_internal.h ++++ b/drivers/gpu/drm/drm_internal.h +@@ -99,6 +99,8 @@ struct device *drm_sysfs_minor_alloc(str + int drm_sysfs_connector_add(struct drm_connector *connector); + void drm_sysfs_connector_remove(struct drm_connector *connector); + ++void drm_sysfs_lease_event(struct drm_device *dev); ++ + /* drm_gem.c */ + int drm_gem_init(struct drm_device *dev); + void drm_gem_destroy(struct drm_device *dev); +--- a/drivers/gpu/drm/drm_lease.c ++++ b/drivers/gpu/drm/drm_lease.c +@@ -296,7 +296,7 @@ void drm_lease_destroy(struct drm_master + + if (master->lessor) { + /* Tell the master to check the lessee list */ +- drm_sysfs_hotplug_event(dev); ++ drm_sysfs_lease_event(dev); + drm_master_put(&master->lessor); + } + +--- a/drivers/gpu/drm/drm_sysfs.c ++++ b/drivers/gpu/drm/drm_sysfs.c +@@ -301,6 +301,16 @@ void drm_sysfs_connector_remove(struct d + connector->kdev = NULL; + } + ++void drm_sysfs_lease_event(struct drm_device *dev) ++{ ++ char *event_string = "LEASE=1"; ++ char *envp[] = { event_string, NULL }; ++ ++ DRM_DEBUG("generating lease event\n"); ++ ++ kobject_uevent_env(&dev->primary->kdev->kobj, KOBJ_CHANGE, envp); ++} ++ + /** + * drm_sysfs_hotplug_event - generate a DRM uevent + * @dev: DRM device diff --git a/queue-4.19/drm-msm-move-fence-put-to-where-failure-occurs.patch b/queue-4.19/drm-msm-move-fence-put-to-where-failure-occurs.patch new file mode 100644 index 00000000000..1cc1ffeb0b6 --- /dev/null 
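Review bot: The new `drm_sysfs_lease_event()` in drm_sysfs.c has no kernel-doc, although its neighbour `drm_sysfs_hotplug_event` (whose `/** ... */` header is visible right below the insertion) has one, and the prototype added to drm_internal.h is equally bare. Add a block in the same style, `/** drm_sysfs_lease_event - generate a DRM lease-change uevent` with `@dev: DRM device`, stating that it sends `LEASE=1` via `KOBJ_CHANGE` on the primary minor so user space can tell lease changes from hotplug events, which is the whole point of the commit. The return value of `kobject_uevent_env()` is ignored; that is consistent only if `drm_sysfs_hotplug_event` does the same, and its body is outside the hunk.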
+++ b/queue-4.19/drm-msm-move-fence-put-to-where-failure-occurs.patch 
@@ -0,0 +1,71 @@ +From 2189463dba3eac10d7264a40ede12fc1a3c06fb1 Mon Sep 17 00:00:00 2001 +From: Robert Foss +Date: Mon, 5 Nov 2018 11:13:12 +0100 +Subject: drm/msm: Move fence put to where failure occurs + +From: Robert Foss + +commit 2189463dba3eac10d7264a40ede12fc1a3c06fb1 upstream. + +If dma_fence_wait fails to wait for a supplied in-fence in +msm_ioctl_gem_submit, make sure we release that in-fence. + +Also remove this dma_fence_put() from the 'out' label. + +Signed-off-by: Robert Foss +Reviewed-by: Chris Wilson +Cc: stable@vger.kernel.org +Signed-off-by: Rob Clark +Signed-off-by: Sean Paul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/msm/msm_gem_submit.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/drivers/gpu/drm/msm/msm_gem_submit.c ++++ b/drivers/gpu/drm/msm/msm_gem_submit.c +@@ -410,7 +410,6 @@ int msm_ioctl_gem_submit(struct drm_devi + struct msm_file_private *ctx = file->driver_priv; + struct msm_gem_submit *submit; + struct msm_gpu *gpu = priv->gpu; +- struct dma_fence *in_fence = NULL; + struct sync_file *sync_file = NULL; + struct msm_gpu_submitqueue *queue; + struct msm_ringbuffer *ring; +@@ -443,6 +442,8 @@ int msm_ioctl_gem_submit(struct drm_devi + ring = gpu->rb[queue->prio]; + + if (args->flags & MSM_SUBMIT_FENCE_FD_IN) { ++ struct dma_fence *in_fence; ++ + in_fence = sync_file_get_fence(args->fence_fd); + + if (!in_fence) +@@ -452,11 +453,13 @@ int msm_ioctl_gem_submit(struct drm_devi + * Wait if the fence is from a foreign context, or if the fence + * array contains any fence from a foreign context. 
+ */ +- if (!dma_fence_match_context(in_fence, ring->fctx->context)) { ++ ret = 0; ++ if (!dma_fence_match_context(in_fence, ring->fctx->context)) + ret = dma_fence_wait(in_fence, true); +- if (ret) +- return ret; +- } ++ ++ dma_fence_put(in_fence); ++ if (ret) ++ return ret; + } + + ret = mutex_lock_interruptible(&dev->struct_mutex); +@@ -582,8 +585,6 @@ int msm_ioctl_gem_submit(struct drm_devi + } + + out: +- if (in_fence) +- dma_fence_put(in_fence); + submit_cleanup(submit); + if (ret) + msm_gem_submit_free(submit); diff --git a/queue-4.19/gnss-sirf-fix-activation-retry-handling.patch b/queue-4.19/gnss-sirf-fix-activation-retry-handling.patch new file mode 100644 index 00000000000..652ac8e13d1 --- /dev/null +++ b/queue-4.19/gnss-sirf-fix-activation-retry-handling.patch 
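Review bot: The new `ret = 0;` in front of the context check is load-bearing but unexplained: when the fence comes from the local context `dma_fence_wait()` is skipped, so `ret` would otherwise carry whatever an earlier call (not visible here) left in it and `if (ret) return ret;` could bail out after the fence was already dropped. A one-line comment such as `/* ret may hold an earlier status; only the wait below counts here */` keeps a later cleanup from removing the reset. As a style point, the added declaration and the assignment two lines below can be merged into `struct dma_fence *in_fence = sync_file_get_fence(args->fence_fd);`. msm_ioctl_gem_submit begins before the first hunk and its `out:` path continues past the last one.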
@@ -0,0 +1,47 @@ +From 06fd9ab12b804451b14d538adbf98a57c2d6846b Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 5 Dec 2018 11:21:49 +0100 +Subject: gnss: sirf: fix activation retry handling + +From: Johan Hovold + +commit 06fd9ab12b804451b14d538adbf98a57c2d6846b upstream. + +Fix activation helper which would return -ETIMEDOUT even if the last +retry attempt was successful. + +Also change the semantics of the retries variable so that it actually +holds the number of retries (rather than tries). + +Fixes: d2efbbd18b1e ("gnss: add driver for sirfstar-based receivers") +Cc: stable # 4.19 +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gnss/sirf.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/gnss/sirf.c ++++ b/drivers/gnss/sirf.c +@@ -168,7 +168,7 @@ static int sirf_set_active(struct sirf_d + else + timeout = SIRF_HIBERNATE_TIMEOUT; + +- while (retries-- > 0) { ++ do { + sirf_pulse_on_off(data); + ret = sirf_wait_for_power_state(data, active, timeout); + if (ret < 0) { +@@ -179,9 +179,9 @@ static int sirf_set_active(struct sirf_d + } + + break; +- } ++ } while (retries--); + +- if (retries == 0) ++ if (retries < 0) + return -ETIMEDOUT; + + return 0; diff --git a/queue-4.19/kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch b/queue-4.19/kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch new file mode 100644 index 00000000000..6f0aaf16536 --- /dev/null +++ b/queue-4.19/kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch 
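Review bot: The new termination test `if (retries < 0)` only works if `retries` is a signed type; its declaration is outside the hunk, so confirm it is an `int`, because an unsigned count would wrap on the final `retries--` and the loop would never report -ETIMEDOUT. The post-decrement semantics deserve a comment on the loop, e.g. `/* retries counts extra attempts after the first; it ends at -1 only when every attempt timed out */`, since the distinction between "tries" and "retries" is exactly what the commit message says was wrong before. The body of the `if (ret < 0)` branch is not shown, so whether a non-timeout error still returns early cannot be judged here; sirf_set_active starts before this hunk.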
@@ -0,0 +1,82 @@ +From dada6a43b0402eba438a17ac86fdc64ac56a4607 Mon Sep 17 00:00:00 2001 +From: Macpaul Lin +Date: Wed, 17 Oct 2018 23:08:38 +0800 +Subject: kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var() + +From: Macpaul Lin + +commit dada6a43b0402eba438a17ac86fdc64ac56a4607 upstream. + +This patch is trying to fix KE issue due to +"BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198" +reported by Syzkaller scan." + +[26364:syz-executor0][name:report8t]BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198 +[26364:syz-executor0][name:report&]Read of size 1 at addr ffffff900e44f95f by task syz-executor0/26364 +[26364:syz-executor0][name:report&] +[26364:syz-executor0]CPU: 7 PID: 26364 Comm: syz-executor0 Tainted: G W 0 +[26364:syz-executor0]Call trace: +[26364:syz-executor0][] dump_bacIctrace+Ox0/0x470 +[26364:syz-executor0][] show_stack+0x20/0x30 +[26364:syz-executor0][] dump_stack+Oxd8/0x128 +[26364:syz-executor0][] print_address_description +0x80/0x4a8 +[26364:syz-executor0][] kasan_report+Ox178/0x390 +[26364:syz-executor0][] _asan_report_loadi_noabort+Ox18/0x20 +[26364:syz-executor0][] param_set_kgdboc_var+Ox194/0x198 +[26364:syz-executor0][] param_attr_store+Ox14c/0x270 +[26364:syz-executor0][] module_attr_store+0x60/0x90 +[26364:syz-executor0][] sysfs_kl_write+Ox100/0x158 +[26364:syz-executor0][] kernfs_fop_write+0x27c/0x3a8 +[26364:syz-executor0][] do_loop_readv_writev+0x114/0x1b0 +[26364:syz-executor0][] do_readv_writev+0x4f8/0x5e0 +[26364:syz-executor0][] vfs_writev+0x7c/Oxb8 +[26364:syz-executor0][] SyS_writev+Oxcc/0x208 +[26364:syz-executor0][] elO_svc_naked +0x24/0x28 +[26364:syz-executor0][name:report&] +[26364:syz-executor0][name:report&]The buggy address belongs to the variable: +[26364:syz-executor0][name:report&] kgdb_tty_line+Ox3f/0x40 +[26364:syz-executor0][name:report&] +[26364:syz-executor0][name:report&]Memory state around the buggy address: +[26364:syz-executor0] ffffff900e44f800: 00 00 00 
00 00 04 fa fa fa fa fa fa 00 fa fa fa +[26364:syz-executor0] ffffff900e44f880: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa +[26364:syz-executor0]> ffffff900e44f900: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00 +[26364:syz-executor0][name:report&] ^ +[26364:syz-executor0] ffffff900e44f980: 00 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa +[26364:syz-executor0] ffffff900e44fa00: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa +[26364:syz-executor0][name:report&] +[26364:syz-executor0][name:panic&]Disabling lock debugging due to kernel taint +[26364:syz-executor0]------------[cut here]------------ + +After checking the source code, we've found there might be an out-of-bounds +access to "config[len - 1]" array when the variable "len" is zero. + +Signed-off-by: Macpaul Lin +Acked-by: Daniel Thompson +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/kgdboc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/kgdboc.c ++++ b/drivers/tty/serial/kgdboc.c +@@ -230,7 +230,7 @@ static void kgdboc_put_char(u8 chr) + static int param_set_kgdboc_var(const char *kmessage, + const struct kernel_param *kp) + { +- int len = strlen(kmessage); ++ size_t len = strlen(kmessage); + + if (len >= MAX_CONFIG_LEN) { + printk(KERN_ERR "kgdboc: config string too long\n"); +@@ -252,7 +252,7 @@ static int param_set_kgdboc_var(const ch + + strcpy(config, kmessage); + /* Chop out \n char as a result of echo */ +- if (config[len - 1] == '\n') ++ if (len && config[len - 1] == '\n') + config[len - 1] = '\0'; + + if (configured == 1) diff --git a/queue-4.19/kprobes-x86-fix-instruction-patching-corruption-when-copying-more-than-one-rip-relative-instruction.patch b/queue-4.19/kprobes-x86-fix-instruction-patching-corruption-when-copying-more-than-one-rip-relative-instruction.patch new file mode 100644 index 00000000000..bcab942fc3b --- /dev/null 
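Review bot: The added `len &&` guard makes the trailing-newline strip safe for an empty string, but the reason is not recorded at the site; the commit message says a zero-length write reached `config[len - 1]` (KASAN global-out-of-bounds), so a comment such as `/* kmessage may be empty; never index config[-1] */` would preserve that. Changing `len` to `size_t` also turns `len >= MAX_CONFIG_LEN` into an unsigned comparison, and that check is what keeps the unchanged `strcpy(config, kmessage)` in bounds, which is worth noting next to it because the two sites are in separate hunks with the lines between them not shown. param_set_kgdboc_var continues past the second hunk.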
+++ b/queue-4.19/kprobes-x86-fix-instruction-patching-corruption-when-copying-more-than-one-rip-relative-instruction.patch 
@@ -0,0 +1,92 @@ +From 43a1b0cb4cd6dbfd3cd9c10da663368394d299d8 Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Fri, 24 Aug 2018 02:16:12 +0900 +Subject: kprobes/x86: Fix instruction patching corruption when copying more than one RIP-relative instruction + +From: Masami Hiramatsu + +commit 43a1b0cb4cd6dbfd3cd9c10da663368394d299d8 upstream. + +After copy_optimized_instructions() copies several instructions +to the working buffer it tries to fix up the real RIP address, but it +adjusts the RIP-relative instruction with an incorrect RIP address +for the 2nd and subsequent instructions due to a bug in the logic. + +This will break the kernel pretty badly (with likely outcomes such as +a kernel freeze, a crash, or worse) because probed instructions can refer +to the wrong data. + +For example putting kprobes on cpumask_next() typically hits this bug. + +cpumask_next() is normally like below if CONFIG_CPUMASK_OFFSTACK=y +(in this case nr_cpumask_bits is an alias of nr_cpu_ids): + + : + 48 89 f0 mov %rsi,%rax + 8b 35 7b fb e2 00 mov 0xe2fb7b(%rip),%esi # ffffffff82db9e64 + 55 push %rbp +... + +If we put a kprobe on it and it gets jump-optimized, it gets +patched by the kprobes code like this: + + : + e9 95 7d 07 1e jmpq 0xffffffffa000207a + 7b fb jnp 0xffffffff81f8a2e2 + e2 00 loop 0xffffffff81f8a2e9 + 55 push %rbp + +This shows that the first two MOV instructions were copied to a +trampoline buffer at 0xffffffffa000207a. + +Here is the disassembled result of the trampoline, skipping +the optprobe template instructions: + + # Dump of assembly code from 0xffffffffa000207a to 0xffffffffa00020ea: + + 54 push %rsp + ... + 48 83 c4 08 add $0x8,%rsp + 9d popfq + 48 89 f0 mov %rsi,%rax + 8b 35 82 7d db e2 mov -0x1d24827e(%rip),%esi # 0xffffffff82db9e67 + +This dump shows that the second MOV accesses *(nr_cpu_ids+3) instead of +the original *nr_cpu_ids. This leads to a kernel freeze because +cpumask_next() always returns 0 and for_each_cpu() never ends. 
+ +Fix this by adding 'len' correctly to the real RIP address while +copying. + +[ mingo: Improved the changelog. ] + +Reported-by: Michael Rodin +Signed-off-by: Masami Hiramatsu +Reviewed-by: Steven Rostedt (VMware) +Cc: Arnaldo Carvalho de Melo +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Ravi Bangoria +Cc: Steven Rostedt +Cc: Thomas Gleixner +Cc: stable@vger.kernel.org # v4.15+ +Fixes: 63fef14fc98a ("kprobes/x86: Make insn buffer always ROX and use text_poke()") +Link: http://lkml.kernel.org/r/153504457253.22602.1314289671019919596.stgit@devbox +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/kprobes/opt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/kprobes/opt.c ++++ b/arch/x86/kernel/kprobes/opt.c +@@ -189,7 +189,7 @@ static int copy_optimized_instructions(u + int len = 0, ret; + + while (len < RELATIVEJUMP_SIZE) { +- ret = __copy_instruction(dest + len, src + len, real, &insn); ++ ret = __copy_instruction(dest + len, src + len, real + len, &insn); + if (!ret || !can_boost(&insn, src + len)) + return -EINVAL; + len += ret; diff --git a/queue-4.19/libnvdimm-pfn-pad-pfn-namespaces-relative-to-other-regions.patch b/queue-4.19/libnvdimm-pfn-pad-pfn-namespaces-relative-to-other-regions.patch new file mode 100644 index 00000000000..6d7548f321a --- /dev/null +++ b/queue-4.19/libnvdimm-pfn-pad-pfn-namespaces-relative-to-other-regions.patch 
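Review bot: The fix is correct but silent: `real` now advances together with `src`, so each RIP-relative displacement is recomputed against the address the copied instruction will actually occupy, and nothing at the call site says so. A comment on the call, e.g. `/* keep 'real' in step with 'src': RIP-relative operands are fixed up against the instruction's final address */`, would stop a future refactor from reintroducing the bug the commit message describes. copy_optimized_instructions starts before this hunk and the remainder of its loop body is not shown.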
@@ -0,0 +1,194 @@ +From ae86cbfef3818300f1972e52f67a93211acb0e24 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Sat, 24 Nov 2018 10:47:04 -0800 +Subject: libnvdimm, pfn: Pad pfn namespaces relative to other regions + +From: Dan Williams + +commit ae86cbfef3818300f1972e52f67a93211acb0e24 upstream. + +Commit cfe30b872058 "libnvdimm, pmem: adjust for section collisions with +'System RAM'" enabled Linux to workaround occasions where platform +firmware arranges for "System RAM" and "Persistent Memory" to collide +within a single section boundary. Unfortunately, as reported in this +issue [1], platform firmware can inflict the same collision between +persistent memory regions. + +The approach of interrogating iomem_resource does not work in this +case because platform firmware may merge multiple regions into a single +iomem_resource range. Instead provide a method to interrogate regions +that share the same parent bus. + +This is a stop-gap until the core-MM can grow support for hotplug on +sub-section boundaries. 
+ +[1]: https://github.com/pmem/ndctl/issues/76 + +Fixes: cfe30b872058 ("libnvdimm, pmem: adjust for section collisions with...") +Cc: +Reported-by: Patrick Geary +Tested-by: Patrick Geary +Reviewed-by: Vishal Verma +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvdimm/nd-core.h | 2 + + drivers/nvdimm/pfn_devs.c | 64 ++++++++++++++++++++++++------------------- + drivers/nvdimm/region_devs.c | 41 +++++++++++++++++++++++++++ + 3 files changed, 80 insertions(+), 27 deletions(-) + +--- a/drivers/nvdimm/nd-core.h ++++ b/drivers/nvdimm/nd-core.h +@@ -112,6 +112,8 @@ resource_size_t nd_pmem_available_dpa(st + struct nd_mapping *nd_mapping, resource_size_t *overlap); + resource_size_t nd_blk_available_dpa(struct nd_region *nd_region); + resource_size_t nd_region_available_dpa(struct nd_region *nd_region); ++int nd_region_conflict(struct nd_region *nd_region, resource_size_t start, ++ resource_size_t size); + resource_size_t nvdimm_allocated_dpa(struct nvdimm_drvdata *ndd, + struct nd_label_id *label_id); + int alias_dpa_busy(struct device *dev, void *data); +--- a/drivers/nvdimm/pfn_devs.c ++++ b/drivers/nvdimm/pfn_devs.c +@@ -590,14 +590,47 @@ static u64 phys_pmem_align_down(struct n + ALIGN_DOWN(phys, nd_pfn->align)); + } + ++/* ++ * Check if pmem collides with 'System RAM', or other regions when ++ * section aligned. Trim it accordingly. 
++ */ ++static void trim_pfn_device(struct nd_pfn *nd_pfn, u32 *start_pad, u32 *end_trunc) ++{ ++ struct nd_namespace_common *ndns = nd_pfn->ndns; ++ struct nd_namespace_io *nsio = to_nd_namespace_io(&ndns->dev); ++ struct nd_region *nd_region = to_nd_region(nd_pfn->dev.parent); ++ const resource_size_t start = nsio->res.start; ++ const resource_size_t end = start + resource_size(&nsio->res); ++ resource_size_t adjust, size; ++ ++ *start_pad = 0; ++ *end_trunc = 0; ++ ++ adjust = start - PHYS_SECTION_ALIGN_DOWN(start); ++ size = resource_size(&nsio->res) + adjust; ++ if (region_intersects(start - adjust, size, IORESOURCE_SYSTEM_RAM, ++ IORES_DESC_NONE) == REGION_MIXED ++ || nd_region_conflict(nd_region, start - adjust, size)) ++ *start_pad = PHYS_SECTION_ALIGN_UP(start) - start; ++ ++ /* Now check that end of the range does not collide. */ ++ adjust = PHYS_SECTION_ALIGN_UP(end) - end; ++ size = resource_size(&nsio->res) + adjust; ++ if (region_intersects(start, size, IORESOURCE_SYSTEM_RAM, ++ IORES_DESC_NONE) == REGION_MIXED ++ || !IS_ALIGNED(end, nd_pfn->align) ++ || nd_region_conflict(nd_region, start, size + adjust)) ++ *end_trunc = end - phys_pmem_align_down(nd_pfn, end); ++} ++ + static int nd_pfn_init(struct nd_pfn *nd_pfn) + { + u32 dax_label_reserve = is_nd_dax(&nd_pfn->dev) ? 
SZ_128K : 0; + struct nd_namespace_common *ndns = nd_pfn->ndns; +- u32 start_pad = 0, end_trunc = 0; ++ struct nd_namespace_io *nsio = to_nd_namespace_io(&ndns->dev); + resource_size_t start, size; +- struct nd_namespace_io *nsio; + struct nd_region *nd_region; ++ u32 start_pad, end_trunc; + struct nd_pfn_sb *pfn_sb; + unsigned long npfns; + phys_addr_t offset; +@@ -629,30 +662,7 @@ static int nd_pfn_init(struct nd_pfn *nd + + memset(pfn_sb, 0, sizeof(*pfn_sb)); + +- /* +- * Check if pmem collides with 'System RAM' when section aligned and +- * trim it accordingly +- */ +- nsio = to_nd_namespace_io(&ndns->dev); +- start = PHYS_SECTION_ALIGN_DOWN(nsio->res.start); +- size = resource_size(&nsio->res); +- if (region_intersects(start, size, IORESOURCE_SYSTEM_RAM, +- IORES_DESC_NONE) == REGION_MIXED) { +- start = nsio->res.start; +- start_pad = PHYS_SECTION_ALIGN_UP(start) - start; +- } +- +- start = nsio->res.start; +- size = PHYS_SECTION_ALIGN_UP(start + size) - start; +- if (region_intersects(start, size, IORESOURCE_SYSTEM_RAM, +- IORES_DESC_NONE) == REGION_MIXED +- || !IS_ALIGNED(start + resource_size(&nsio->res), +- nd_pfn->align)) { +- size = resource_size(&nsio->res); +- end_trunc = start + size - phys_pmem_align_down(nd_pfn, +- start + size); +- } +- ++ trim_pfn_device(nd_pfn, &start_pad, &end_trunc); + if (start_pad + end_trunc) + dev_info(&nd_pfn->dev, "%s alignment collision, truncate %d bytes\n", + dev_name(&ndns->dev), start_pad + end_trunc); +@@ -663,7 +673,7 @@ static int nd_pfn_init(struct nd_pfn *nd + * implementation will limit the pfns advertised through + * ->direct_access() to those that are included in the memmap. 
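Review bot: In trim_pfn_device's end-of-range check `adjust` is counted twice: `size` is already `resource_size(&nsio->res) + adjust`, yet the region-conflict test passes `size + adjust`, so it probes one further `adjust` beyond the section-aligned end and can report a collision that the `region_intersects()` call on the same range does not. The intended argument appears to be the `size` computed two lines above, i.e. `|| nd_region_conflict(nd_region, start, size))`, which is also how the start-of-range check a few lines earlier passes it. The function's header comment should state that it computes section-aligned padding at both ends and that `*start_pad`/`*end_trunc` are always written, since callers (nd_pfn_init below) now rely on that instead of initialising them.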
+ */ +- start += start_pad; ++ start = nsio->res.start + start_pad; + size = resource_size(&nsio->res); + npfns = PFN_SECTION_ALIGN_UP((size - start_pad - end_trunc - SZ_8K) + / PAGE_SIZE); +--- a/drivers/nvdimm/region_devs.c ++++ b/drivers/nvdimm/region_devs.c +@@ -1184,6 +1184,47 @@ int nvdimm_has_cache(struct nd_region *n + } + EXPORT_SYMBOL_GPL(nvdimm_has_cache); + ++struct conflict_context { ++ struct nd_region *nd_region; ++ resource_size_t start, size; ++}; ++ ++static int region_conflict(struct device *dev, void *data) ++{ ++ struct nd_region *nd_region; ++ struct conflict_context *ctx = data; ++ resource_size_t res_end, region_end, region_start; ++ ++ if (!is_memory(dev)) ++ return 0; ++ ++ nd_region = to_nd_region(dev); ++ if (nd_region == ctx->nd_region) ++ return 0; ++ ++ res_end = ctx->start + ctx->size; ++ region_start = nd_region->ndr_start; ++ region_end = region_start + nd_region->ndr_size; ++ if (ctx->start >= region_start && ctx->start < region_end) ++ return -EBUSY; ++ if (res_end > region_start && res_end <= region_end) ++ return -EBUSY; ++ return 0; ++} ++ ++int nd_region_conflict(struct nd_region *nd_region, resource_size_t start, ++ resource_size_t size) ++{ ++ struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(&nd_region->dev); ++ struct conflict_context ctx = { ++ .nd_region = nd_region, ++ .start = start, ++ .size = size, ++ }; ++ ++ return device_for_each_child(&nvdimm_bus->dev, &ctx, region_conflict); ++} ++ + void __exit nd_region_devs_exit(void) + { + ida_destroy(®ion_ida); diff --git a/queue-4.19/mac80211-clear-beacon_int-in-ieee80211_do_stop.patch b/queue-4.19/mac80211-clear-beacon_int-in-ieee80211_do_stop.patch new file mode 100644 index 00000000000..e2d6bb00dbd --- /dev/null +++ b/queue-4.19/mac80211-clear-beacon_int-in-ieee80211_do_stop.patch 
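Review bot: region_conflict in the region_devs.c hunk only tests whether `ctx->start` or `res_end` falls inside the other region, so a candidate range that completely encloses a smaller region (start below `region_start` and end above `region_end`) is not reported. With the section-sized padding the caller passes this may be unreachable in practice, but the usual half-open interval test is both shorter and complete: `if (ctx->start < region_end && res_end > region_start) return -EBUSY;`. nd_region_conflict gains no documentation in nd-core.h either; a short comment that `start`/`size` describe the padded range being probed, that the region's own device is skipped, and that a non-zero return means a collision would help readers of the `||` chain in trim_pfn_device.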
@@ -0,0 +1,43 @@ +From 5c21e8100dfd57c806e833ae905e26efbb87840f Mon Sep 17 00:00:00 2001 +From: Ben Greear +Date: Tue, 23 Oct 2018 13:36:52 -0700 +Subject: mac80211: Clear beacon_int in ieee80211_do_stop + +From: Ben Greear + +commit 5c21e8100dfd57c806e833ae905e26efbb87840f upstream. + +This fixes stale beacon-int values that would keep a netdev +from going up. + +To reproduce: + +Create two VAP on one radio. +vap1 has beacon-int 100, start it. +vap2 has beacon-int 240, start it (and it will fail + because beacon-int mismatch). +reconfigure vap2 to have beacon-int 100 and start it. + It will fail because the stale beacon-int 240 will be used + in the ifup path and hostapd never gets a chance to set the + new beacon interval. + +Cc: stable@vger.kernel.org +Signed-off-by: Ben Greear +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/iface.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -1015,6 +1015,8 @@ static void ieee80211_do_stop(struct iee + if (local->open_count == 0) + ieee80211_clear_tx_pending(local); + ++ sdata->vif.bss_conf.beacon_int = 0; ++ + /* + * If the interface goes down while suspended, presumably because + * the device was unplugged and that happens before our resume, diff --git a/queue-4.19/mac80211-fix-gfp_kernel-under-tasklet-context.patch b/queue-4.19/mac80211-fix-gfp_kernel-under-tasklet-context.patch new file mode 100644 index 00000000000..0c209a200f9 --- /dev/null +++ b/queue-4.19/mac80211-fix-gfp_kernel-under-tasklet-context.patch 
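Review bot: The new `sdata->vif.bss_conf.beacon_int = 0;` carries no explanation at the site, and the commit message is the only place that says why a stale value blocks a later ifup. Suggest `/* clear the stale interval so a later start does not fail the beacon_int mismatch check */`. ieee80211_do_stop starts and ends outside this hunk, so whether other bss_conf fields need the same reset cannot be judged from here.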
@@ -0,0 +1,44 @@ +From c752cac9db1b0c469db7ba9d17af4ba708984db5 Mon Sep 17 00:00:00 2001 +From: Yan-Hsuan Chuang +Date: Tue, 23 Oct 2018 11:24:44 +0800 +Subject: mac80211: fix GFP_KERNEL under tasklet context + +From: Yan-Hsuan Chuang + +commit c752cac9db1b0c469db7ba9d17af4ba708984db5 upstream. + +cfg80211_sta_opmode_change_notify needs a gfp_t flag to hint the nl80211 +stack when allocating new skb, but it is called under tasklet context +here with GFP_KERNEL and kernel will yield a warning about it. + +Cc: stable@vger.kernel.org +Fixes: ff84e7bfe176 ("mac80211: Add support to notify ht/vht opmode modification.") +Signed-off-by: Yan-Hsuan Chuang +ACKed-by: Larry Finger +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/rx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -3029,7 +3029,7 @@ ieee80211_rx_h_action(struct ieee80211_r + cfg80211_sta_opmode_change_notify(sdata->dev, + rx->sta->addr, + &sta_opmode, +- GFP_KERNEL); ++ GFP_ATOMIC); + goto handled; + } + case WLAN_HT_ACTION_NOTIFY_CHANWIDTH: { +@@ -3066,7 +3066,7 @@ ieee80211_rx_h_action(struct ieee80211_r + cfg80211_sta_opmode_change_notify(sdata->dev, + rx->sta->addr, + &sta_opmode, +- GFP_KERNEL); ++ GFP_ATOMIC); + goto handled; + } + default: diff --git a/queue-4.19/mac80211-fix-reordering-of-buffered-broadcast-packets.patch b/queue-4.19/mac80211-fix-reordering-of-buffered-broadcast-packets.patch new file mode 100644 index 00000000000..6b41ae9cd65 --- /dev/null +++ b/queue-4.19/mac80211-fix-reordering-of-buffered-broadcast-packets.patch 
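Review bot: Both GFP_ATOMIC call sites in ieee80211_rx_h_action now silently depend on the rx path running in tasklet context; a comment at the first one, e.g. `/* rx runs in tasklet (softirq) context: no sleeping allocations */`, records why GFP_KERNEL was wrong. The two calls pass the same four arguments, so a small static helper would keep the flag in one place if a third site is added. The function starts before the first hunk and continues past the second.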
@@ -0,0 +1,38 @@ +From 9ec1190d065998650fd9260dea8cf3e1f56c0e8c Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Wed, 28 Nov 2018 22:39:16 +0100 +Subject: mac80211: fix reordering of buffered broadcast packets + +From: Felix Fietkau + +commit 9ec1190d065998650fd9260dea8cf3e1f56c0e8c upstream. + +If the buffered broadcast queue contains packets, letting new packets bypass +that queue can lead to heavy reordering, since the driver is probably throttling +transmission of buffered multicast packets after beacons. + +Keep buffering packets until the buffer has been cleared (and no client +is in powersave mode). + +Cc: stable@vger.kernel.org +Signed-off-by: Felix Fietkau +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/tx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -439,8 +439,8 @@ ieee80211_tx_h_multicast_ps_buf(struct i + if (ieee80211_hw_check(&tx->local->hw, QUEUE_CONTROL)) + info->hw_queue = tx->sdata->vif.cab_queue; + +- /* no stations in PS mode */ +- if (!atomic_read(&ps->num_sta_ps)) ++ /* no stations in PS mode and no buffered packets */ ++ if (!atomic_read(&ps->num_sta_ps) && skb_queue_empty(&ps->bc_buf)) + return TX_CONTINUE; + + info->flags |= IEEE80211_TX_CTL_SEND_AFTER_DTIM; diff --git a/queue-4.19/mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch b/queue-4.19/mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch new file mode 100644 index 00000000000..ccd8a0445ba --- /dev/null +++ b/queue-4.19/mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch 
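Review bot: The extended condition relies on `skb_queue_empty(&ps->bc_buf)`, which does not take the queue lock, so it is a best-effort snapshot; that is acceptable here because a stale answer only sends one more frame through the buffered path, but the comment should say so: `/* no stations in PS mode and no buffered packets (unlocked check; a stale answer only delays this frame) */`. ieee80211_tx_h_multicast_ps_buf starts and ends outside this hunk.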
@@ -0,0 +1,44 @@ +From 990d71846a0b7281bd933c34d734e6afc7408e7e Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Mon, 3 Dec 2018 21:16:07 +0200 +Subject: mac80211: ignore NullFunc frames in the duplicate detection + +From: Emmanuel Grumbach + +commit 990d71846a0b7281bd933c34d734e6afc7408e7e upstream. + +NullFunc packets should never be duplicate just like +QoS-NullFunc packets. + +We saw a client that enters / exits power save with +NullFunc frames (and not with QoS-NullFunc) despite the +fact that the association supports HT. +This specific client also re-uses a non-zero sequence number +for different NullFunc frames. +At some point, the client had to send a retransmission of +the NullFunc frame and we dropped it, leading to a +misalignment in the power save state. +Fix this by never consider a NullFunc frame as duplicate, +just like we do for QoS NullFunc frames. + +This fixes https://bugzilla.kernel.org/show_bug.cgi?id=201449 + +CC: +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/rx.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -1372,6 +1372,7 @@ ieee80211_rx_h_check_dup(struct ieee8021 + return RX_CONTINUE; + + if (ieee80211_is_ctl(hdr->frame_control) || ++ ieee80211_is_nullfunc(hdr->frame_control) || + ieee80211_is_qos_nullfunc(hdr->frame_control) || + is_multicast_ether_addr(hdr->addr1)) + return RX_CONTINUE; diff --git a/queue-4.19/mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch b/queue-4.19/mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch new file mode 100644 index 00000000000..043564e8daa --- /dev/null +++ b/queue-4.19/mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch 
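Review bot: The added `ieee80211_is_nullfunc()` exclusion has no rationale at the site, while the condition now lists two NullFunc variants that share one justification (per the commit message, a client reusing non-zero sequence numbers across NullFunc retransmissions used for PS transitions). Suggest a comment above the `if`: `/* NullFunc and QoS-NullFunc frames signal PS state; dropping a retransmission as a duplicate would desynchronise it */`. ieee80211_rx_h_check_dup starts before this hunk.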
@@ -0,0 +1,35 @@ +From a317e65face482371de30246b6494feb093ff7f9 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Tue, 13 Nov 2018 20:32:13 +0100 +Subject: mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext + +From: Felix Fietkau + +commit a317e65face482371de30246b6494feb093ff7f9 upstream. + +Make it behave like regular ieee80211_tx_status calls, except for the lack of +filtered frame processing. +This fixes spurious low-ack triggered disconnections with powersave clients +connected to an AP. + +Fixes: f027c2aca0cf4 ("mac80211: add ieee80211_tx_status_noskb") +Cc: stable@vger.kernel.org +Signed-off-by: Felix Fietkau +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/status.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/mac80211/status.c ++++ b/net/mac80211/status.c +@@ -964,6 +964,8 @@ void ieee80211_tx_status_ext(struct ieee + /* Track when last TDLS packet was ACKed */ + if (test_sta_flag(sta, WLAN_STA_TDLS_PEER_AUTH)) + sta->status_stats.last_tdls_pkt_time = jiffies; ++ } else if (test_sta_flag(sta, WLAN_STA_PS_STA)) { ++ return; + } else { + ieee80211_lost_packet(sta, info); + } diff --git a/queue-4.19/mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch b/queue-4.19/mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch new file mode 100644 index 00000000000..427779ca3c2 --- /dev/null +++ b/queue-4.19/mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch 
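Review bot: The new `else if` returns from the middle of ieee80211_tx_status_ext, so everything after this if/else chain is skipped for PS stations, not only `ieee80211_lost_packet()`; the function continues outside the hunk, so confirm that nothing below (rate or statistics bookkeeping) still needs to run for these frames. A comment such as `/* frames to a dozing station are expected to fail: do not count them as lost */` would document the early return.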
@@ -0,0 +1,54 @@ +From a1881c9b8a1edef0a5ae1d5c1b61406fe3402114 Mon Sep 17 00:00:00 2001 +From: Vasyl Vavrychuk +Date: Thu, 18 Oct 2018 01:02:12 +0300 +Subject: mac80211_hwsim: Timer should be initialized before device registered + +From: Vasyl Vavrychuk + +commit a1881c9b8a1edef0a5ae1d5c1b61406fe3402114 upstream. + +Otherwise if network manager starts configuring Wi-Fi interface +immidiatelly after getting notification of its creation, we will get +NULL pointer dereference: + + BUG: unable to handle kernel NULL pointer dereference at (null) + IP: [] hrtimer_active+0x28/0x50 + ... + Call Trace: + [] ? hrtimer_try_to_cancel+0x27/0x110 + [] ? hrtimer_cancel+0x15/0x20 + [] ? mac80211_hwsim_config+0x140/0x1c0 [mac80211_hwsim] + +Cc: stable@vger.kernel.org +Signed-off-by: Vasyl Vavrychuk +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mac80211_hwsim.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -2889,6 +2889,10 @@ static int mac80211_hwsim_new_radio(stru + + wiphy_ext_feature_set(hw->wiphy, NL80211_EXT_FEATURE_CQM_RSSI_LIST); + ++ tasklet_hrtimer_init(&data->beacon_timer, ++ mac80211_hwsim_beacon, ++ CLOCK_MONOTONIC, HRTIMER_MODE_ABS); ++ + err = ieee80211_register_hw(hw); + if (err < 0) { + pr_debug("mac80211_hwsim: ieee80211_register_hw failed (%d)\n", +@@ -2913,10 +2917,6 @@ static int mac80211_hwsim_new_radio(stru + data->debugfs, + data, &hwsim_simulate_radar); + +- tasklet_hrtimer_init(&data->beacon_timer, +- mac80211_hwsim_beacon, +- CLOCK_MONOTONIC, HRTIMER_MODE_ABS); +- + spin_lock_bh(&hwsim_radio_lock); + err = rhashtable_insert_fast(&hwsim_radios_rht, &data->rht, + hwsim_rht_params); 
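Review bot: Moving `tasklet_hrtimer_init()` ahead of `ieee80211_register_hw()` means the timer is now initialised on every failure path that follows; that is harmless as long as nothing arms it, but the `failed_*` cleanup labels are outside this hunk, so any cancel there must be safe for a radio that was never registered. A comment at the new location, `/* must be initialised before register_hw(): mac80211 may call ->config, which cancels this timer, as soon as the device is visible */`, records the ordering constraint the oops in the commit message exposed. mac80211_hwsim_new_radio starts before the first hunk and continues past the second.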
diff --git a/queue-4.19/revert-commit-ef9209b642f-staging-rtl8723bs-fix-indenting-errors-and-an-off-by-one-mistake-in-core-rtw_mlme_ext.c.patch b/queue-4.19/revert-commit-ef9209b642f-staging-rtl8723bs-fix-indenting-errors-and-an-off-by-one-mistake-in-core-rtw_mlme_ext.c.patch new file mode 100644 index 00000000000..49ddec8d5c0 --- /dev/null +++ b/queue-4.19/revert-commit-ef9209b642f-staging-rtl8723bs-fix-indenting-errors-and-an-off-by-one-mistake-in-core-rtw_mlme_ext.c.patch @@ -0,0 +1,33 @@ +From 87e4a5405f087427fbf8b437d2796283dce2b38f Mon Sep 17 00:00:00 2001 +From: Young Xiao +Date: Tue, 27 Nov 2018 09:12:20 +0000 +Subject: Revert commit ef9209b642f "staging: rtl8723bs: Fix indenting errors and an off-by-one mistake in core/rtw_mlme_ext.c" + +From: Young Xiao + +commit 87e4a5405f087427fbf8b437d2796283dce2b38f upstream. + +pstapriv->max_num_sta is always <= NUM_STA, since max_num_sta is either +set in _rtw_init_sta_priv() or rtw_set_beacon(). + +Fixes: ef9209b642f1 ("staging: rtl8723bs: Fix indenting errors and an off-by-one mistake in core/rtw_mlme_ext.c") +Signed-off-by: Young Xiao +Reviewed-by: Dan Carpenter +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c ++++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c +@@ -1566,7 +1566,7 @@ unsigned int OnAssocReq(struct adapter * + if (pstat->aid > 0) { + DBG_871X(" old AID %d\n", pstat->aid); + } else { +- for (pstat->aid = 1; pstat->aid < NUM_STA; pstat->aid++) ++ for (pstat->aid = 1; pstat->aid <= NUM_STA; pstat->aid++) + if (pstapriv->sta_aid[pstat->aid - 1] == NULL) + break; + diff --git a/queue-4.19/series b/queue-4.19/series index 1ea94c5a256..c01e56effaa 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
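Review bot: The restored bound `pstat->aid <= NUM_STA` indexes `sta_aid[pstat->aid - 1]` from 0 to NUM_STA - 1, which is in bounds only if `sta_aid` has NUM_STA entries; its declaration is not in the hunk. When no slot is free the loop exits with `pstat->aid == NUM_STA + 1`, and the code that handles that is outside the hunk, so confirm it rejects the value (the commit message says `max_num_sta` is always <= NUM_STA, so a `pstat->aid > pstapriv->max_num_sta` style check would cover it). A comment `/* aid is 1-based; sta_aid[] is indexed by aid - 1 */` would make the off-by-one reasoning visible. OnAssocReq starts before this hunk.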
@@ -90,3 +90,28 @@ xhci-workaround-css-timeout-on-amd-snps-3.0-xhc.patch
 xhci-prevent-u1-u2-link-pm-states-if-exit-latency-is-too-long.patch
 arm64-dts-rockchip-remove-vdd_log-from-rock960-to-fi.patch
 revert-x86-e820-put-e820_type_ram-regions-into-membl.patch
+cifs-fix-separator-when-building-path-from-dentry.patch
+staging-rtl8712-fix-possible-buffer-overrun.patch
+revert-commit-ef9209b642f-staging-rtl8723bs-fix-indenting-errors-and-an-off-by-one-mistake-in-core-rtw_mlme_ext.c.patch
+crypto-do-not-free-algorithm-before-using.patch
+drm-amdgpu-update-mc-firmware-image-for-polaris12-variants.patch
+drm-lease-send-a-distinct-uevent.patch
+drm-msm-move-fence-put-to-where-failure-occurs.patch
+drm-amdgpu-gmc8-update-mc-firmware-for-polaris.patch
+drm-amdgpu-gmc8-always-load-mc-firmware-in-the-driver.patch
+drm-i915-downgrade-gen9-plane-wm-latency-error.patch
+kprobes-x86-fix-instruction-patching-corruption-when-copying-more-than-one-rip-relative-instruction.patch
+x86-efi-allocate-e820-buffer-before-calling-efi_exit_boot_service.patch
+drivers-hv-vmbus-offload-the-handling-of-channels-to-two-workqueues.patch
+tty-serial-8250_mtk-always-resume-the-device-in-probe.patch
+tty-do-not-set-tty_io_error-flag-if-console-port.patch
+gnss-sirf-fix-activation-retry-handling.patch
+kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch
+libnvdimm-pfn-pad-pfn-namespaces-relative-to-other-regions.patch
+cfg80211-fix-busy-loop-regression-in-ieee80211_ie_split_ric.patch
+mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch
+mac80211-fix-gfp_kernel-under-tasklet-context.patch
+mac80211-clear-beacon_int-in-ieee80211_do_stop.patch
+mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch
+mac80211-fix-reordering-of-buffered-broadcast-packets.patch
+mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch
diff --git a/queue-4.19/staging-rtl8712-fix-possible-buffer-overrun.patch b/queue-4.19/staging-rtl8712-fix-possible-buffer-overrun.patch
new file mode 100644
index 00000000000..3333bb2af63
--- /dev/null
+++ b/queue-4.19/staging-rtl8712-fix-possible-buffer-overrun.patch
@@ -0,0 +1,47 @@
+From 300cd664865bed5d50ae0a42fb4e3a6f415e8a10 Mon Sep 17 00:00:00 2001
+From: Young Xiao
+Date: Wed, 28 Nov 2018 08:06:53 +0000
+Subject: staging: rtl8712: Fix possible buffer overrun
+
+From: Young Xiao
+
+commit 300cd664865bed5d50ae0a42fb4e3a6f415e8a10 upstream.
+
+In commit 8b7a13c3f404 ("staging: r8712u: Fix possible buffer
+overrun") we fix a potential off by one by making the limit smaller.
+The better fix is to make the buffer larger. This makes it match up
+with the similar code in other drivers.
+
+Fixes: 8b7a13c3f404 ("staging: r8712u: Fix possible buffer overrun")
+Signed-off-by: Young Xiao
+Cc: stable
+Reviewed-by: Dan Carpenter
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/rtl8712/mlme_linux.c | 2 +-
+ drivers/staging/rtl8712/rtl871x_mlme.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/rtl8712/mlme_linux.c
++++ b/drivers/staging/rtl8712/mlme_linux.c
+@@ -158,7 +158,7 @@ void r8712_report_sec_ie(struct _adapter
+ p = buff;
+ p += sprintf(p, "ASSOCINFO(ReqIEs=");
+ len = sec_ie[1] + 2;
+- len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX - 1;
++ len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX;
+ for (i = 0; i < len; i++)
+ p += sprintf(p, "%02x", sec_ie[i]);
+ p += sprintf(p, ")");
+--- a/drivers/staging/rtl8712/rtl871x_mlme.c
++++ b/drivers/staging/rtl8712/rtl871x_mlme.c
+@@ -1358,7 +1358,7 @@ sint r8712_restruct_sec_ie(struct _adapt
+ u8 *out_ie, uint in_len)
+ {
+ u8 authmode = 0, match;
+- u8 sec_ie[255], uncst_oui[4], bkup_ie[255];
++ u8 sec_ie[IW_CUSTOM_MAX], uncst_oui[4], bkup_ie[255];
+ u8 wpa_oui[4] = {0x0, 0x50, 0xf2, 0x01};
+ uint ielength, cnt, remove_cnt;
+ int iEntry;
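Review bot: Raising the clamp in `r8712_report_sec_ie()` to `IW_CUSTOM_MAX` lets `len` reach 256, and the loop that follows writes two hex characters per byte into `buff` through unbounded `sprintf`; the hunk shows neither the size of `buff` nor the type of `i`, so this is only safe if `buff` holds at least `2 * IW_CUSTOM_MAX + sizeof("ASSOCINFO(ReqIEs=)")` bytes and `i` can count up to 256 (a `u8` counter would never satisfy `i < 256`). Both points should be checked against the declarations earlier in the function, which are outside the hunk, and the `sprintf` would be safer as a `scnprintf` bounded by the space remaining in `buff`. The second hunk enlarges `sec_ie` to `IW_CUSTOM_MAX` but leaves `bkup_ie[255]`; if `r8712_restruct_sec_ie()` copies between the two, their sizes should be kept equal.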
diff --git a/queue-4.19/tty-do-not-set-tty_io_error-flag-if-console-port.patch b/queue-4.19/tty-do-not-set-tty_io_error-flag-if-console-port.patch
new file mode 100644
index 00000000000..6d9654ce134
--- /dev/null
+++ b/queue-4.19/tty-do-not-set-tty_io_error-flag-if-console-port.patch
@@ -0,0 +1,55 @@
+From 2a48602615e0a2f563549c7d5c8d507f904cf96e Mon Sep 17 00:00:00 2001
+From: Chanho Park
+Date: Thu, 22 Nov 2018 18:23:47 +0900
+Subject: tty: do not set TTY_IO_ERROR flag if console port
+
+From: Chanho Park
+
+commit 2a48602615e0a2f563549c7d5c8d507f904cf96e upstream.
+
+Since Commit 761ed4a94582 ('tty: serial_core: convert uart_close to use
+tty_port_close') and Commit 4dda864d7307 ('tty: serial_core: Fix serial
+console crash on port shutdown), a serial port which is used as
+console can be stuck when logging out if there is a remained process.
+After logged out, agetty will try to grab the serial port but it will
+be failed because the previous process did not release the port
+correctly. To fix this, TTY_IO_ERROR bit should not be enabled of
+tty_port_close if the port is console port.
+
+Reproduce step:
+- Run background processes from serial console
+$ while true; do sleep 10; done &
+
+- Log out
+$ logout
+-> Stuck
+
+- Read journal log by journalctl | tail
+Jan 28 16:07:01 ubuntu systemd[1]: Stopped Serial Getty on ttyAMA0.
+Jan 28 16:07:01 ubuntu systemd[1]: Started Serial Getty on ttyAMA0.
+Jan 28 16:07:02 ubuntu agetty[1643]: /dev/ttyAMA0: not a tty
+
+Fixes: 761ed4a94582 ("tty: serial_core: convert uart_close to use tty_port_close")
+Cc: Geert Uytterhoeven
+Cc: Rob Herring
+Cc: Jiri Slaby
+Signed-off-by: Chanho Park
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/tty_port.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/tty_port.c
++++ b/drivers/tty/tty_port.c
+@@ -640,7 +640,8 @@ void tty_port_close(struct tty_port *por
+ if (tty_port_close_start(port, tty, filp) == 0)
+ return;
+ tty_port_shutdown(port, tty);
+- set_bit(TTY_IO_ERROR, &tty->flags);
++ if (!port->console)
++ set_bit(TTY_IO_ERROR, &tty->flags);
+ tty_port_close_end(port, tty);
+ tty_port_tty_set(port, NULL);
+ }
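Review bot: The new `if (!port->console)` guard in `tty_port_close()` encodes a rule that is not obvious from the code (console ports are never flagged TTY_IO_ERROR on close) and the only explanation lives in the commit log. I would add `/* Console ports stay usable after close; TTY_IO_ERROR would make the next open (e.g. by agetty) fail. */` above the `if`. The start of tty_port_close() is outside the hunk.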
diff --git a/queue-4.19/tty-serial-8250_mtk-always-resume-the-device-in-probe.patch b/queue-4.19/tty-serial-8250_mtk-always-resume-the-device-in-probe.patch
new file mode 100644
index 00000000000..a2b3d1efea7
--- /dev/null
+++ b/queue-4.19/tty-serial-8250_mtk-always-resume-the-device-in-probe.patch
@@ -0,0 +1,69 @@
+From 100bc3e2bebf95506da57cbdf5f26b25f6da4c81 Mon Sep 17 00:00:00 2001
+From: Peter Shih
+Date: Tue, 27 Nov 2018 12:49:50 +0800
+Subject: tty: serial: 8250_mtk: always resume the device in probe.
+
+From: Peter Shih
+
+commit 100bc3e2bebf95506da57cbdf5f26b25f6da4c81 upstream.
+
+serial8250_register_8250_port calls uart_config_port, which calls
+config_port on the port before it tries to power on the port. So we need
+the port to be on before calling serial8250_register_8250_port. Change
+the code to always do a runtime resume in probe before registering port,
+and always do a runtime suspend in remove.
+
+This basically reverts the change in commit 68e5fc4a255a ("tty: serial:
+8250_mtk: use pm_runtime callbacks for enabling"), but still use
+pm_runtime callbacks.
+
+Fixes: 68e5fc4a255a ("tty: serial: 8250_mtk: use pm_runtime callbacks for enabling")
+Signed-off-by: Peter Shih
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/8250/8250_mtk.c | 16 +++++++--------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_mtk.c
++++ b/drivers/tty/serial/8250/8250_mtk.c
+@@ -213,17 +213,17 @@ static int mtk8250_probe(struct platform
+
+ platform_set_drvdata(pdev, data);
+
+- pm_runtime_enable(&pdev->dev);
+- if (!pm_runtime_enabled(&pdev->dev)) {
+- err = mtk8250_runtime_resume(&pdev->dev);
+- if (err)
+- return err;
+- }
++ err = mtk8250_runtime_resume(&pdev->dev);
++ if (err)
++ return err;
+
+ data->line = serial8250_register_8250_port(&uart);
+ if (data->line < 0)
+ return data->line;
+
++ pm_runtime_set_active(&pdev->dev);
++ pm_runtime_enable(&pdev->dev);
++
+ return 0;
+ }
+
+@@ -234,13 +234,11 @@ static int mtk8250_remove(struct platfor
+ pm_runtime_get_sync(&pdev->dev);
+
+ serial8250_unregister_port(data->line);
++ mtk8250_runtime_suspend(&pdev->dev);
+
+ pm_runtime_disable(&pdev->dev);
+ pm_runtime_put_noidle(&pdev->dev);
+
+- if (!pm_runtime_status_suspended(&pdev->dev))
+-
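Review bot: In `mtk8250_probe()` the port is now resumed unconditionally, but the `if (data->line < 0) return data->line;` path returns without undoing that resume, so whatever `mtk8250_runtime_resume()` enabled (presumably clocks; its body is not in the hunk) stays on when registration fails; the previous code had the same gap only when runtime PM was disabled. I would add `mtk8250_runtime_suspend(&pdev->dev);` before `return data->line;`. mtk8250_probe() begins outside the hunk, so earlier error returns are not reviewed here.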
mtk8250_runtime_suspend(&pdev->dev);
+-
+ return 0;
+ }
+
diff --git a/queue-4.19/x86-efi-allocate-e820-buffer-before-calling-efi_exit_boot_service.patch b/queue-4.19/x86-efi-allocate-e820-buffer-before-calling-efi_exit_boot_service.patch
new file mode 100644
index 00000000000..d36e1514858
--- /dev/null
+++ b/queue-4.19/x86-efi-allocate-e820-buffer-before-calling-efi_exit_boot_service.patch
@@ -0,0 +1,179 @@
+From b84a64fad40637b1c9fa4f4dbf847a23e29e672b Mon Sep 17 00:00:00 2001
+From: Eric Snowberg
+Date: Thu, 29 Nov 2018 18:12:20 +0100
+Subject: x86/efi: Allocate e820 buffer before calling efi_exit_boot_service
+
+From: Eric Snowberg
+
+commit b84a64fad40637b1c9fa4f4dbf847a23e29e672b upstream.
+
+The following commit:
+
+ d64934019f6c ("x86/efi: Use efi_exit_boot_services()")
+
+introduced a regression on systems with large memory maps causing them
+to hang on boot. The first "goto get_map" that was removed from
+exit_boot() ensured there was enough room for the memory map when
+efi_call_early(exit_boot_services) was called. This happens when
+(nr_desc > ARRAY_SIZE(params->e820_table).
+
+Chain of events:
+
+ exit_boot()
+ efi_exit_boot_services()
+ efi_get_memory_map <- at this point the mm can't grow over 8 desc
+ priv_func()
+ exit_boot_func()
+ allocate_e820ext() <- new mm grows over 8 desc from e820 alloc
+ efi_call_early(exit_boot_services) <- mm key doesn't match so retry
+ efi_call_early(get_memory_map) <- not enough room for new mm
+ system hangs
+
+This patch allocates the e820 buffer before calling efi_exit_boot_services()
+and fixes the regression.
+
+ [ mingo: minor cleanliness edits.
]
+
+Signed-off-by: Eric Snowberg
+Signed-off-by: Ard Biesheuvel
+Cc:
+Cc: Andy Lutomirski
+Cc: Arend van Spriel
+Cc: Bhupesh Sharma
+Cc: Borislav Petkov
+Cc: Dave Hansen
+Cc: Hans de Goede
+Cc: Joe Perches
+Cc: Jon Hunter
+Cc: Julien Thierry
+Cc: Linus Torvalds
+Cc: Marc Zyngier
+Cc: Matt Fleming
+Cc: Nathan Chancellor
+Cc: Peter Zijlstra
+Cc: Sai Praneeth Prakhya
+Cc: Sedat Dilek
+Cc: Thomas Gleixner
+Cc: YiFei Zhu
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20181129171230.18699-2-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/boot/compressed/eboot.c | 65 ++++++++++++++++++++++++---------------
+ 1 file changed, 41 insertions(+), 24 deletions(-)
+
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -1,3 +1,4 @@
++
+ /* -----------------------------------------------------------------------
+ *
+ * Copyright 2011 Intel Corporation; author Matt Fleming
+@@ -634,37 +635,54 @@ static efi_status_t alloc_e820ext(u32 nr
+ return status;
+ }
+
++static efi_status_t allocate_e820(struct boot_params *params,
++ struct setup_data **e820ext,
++ u32 *e820ext_size)
++{
++ unsigned long map_size, desc_size, buff_size;
++ struct efi_boot_memmap boot_map;
++ efi_memory_desc_t *map;
++ efi_status_t status;
++ __u32 nr_desc;
++
++ boot_map.map = ↦
++ boot_map.map_size = &map_size;
++ boot_map.desc_size = &desc_size;
++ boot_map.desc_ver = NULL;
++ boot_map.key_ptr = NULL;
++ boot_map.buff_size = &buff_size;
++
++ status = efi_get_memory_map(sys_table, &boot_map);
++ if (status != EFI_SUCCESS)
++ return status;
++
++ nr_desc = buff_size / desc_size;
++
++ if (nr_desc > ARRAY_SIZE(params->e820_table)) {
++ u32 nr_e820ext = nr_desc - ARRAY_SIZE(params->e820_table);
++
++ status = alloc_e820ext(nr_e820ext, e820ext, e820ext_size);
++ if (status != EFI_SUCCESS)
++ return status;
++ }
++
++ return EFI_SUCCESS;
++}
++
+ struct exit_boot_struct {
+ struct boot_params *boot_params;
+ struct efi_info *efi;
+- struct setup_data *e820ext;
+- __u32 e820ext_size;
+ };
+
+ static efi_status_t exit_boot_func(efi_system_table_t *sys_table_arg,
+ struct efi_boot_memmap *map,
+ void *priv)
+ {
+- static bool first = true;
+ const char *signature;
+ __u32 nr_desc;
+ efi_status_t status;
+ struct exit_boot_struct *p = priv;
+
+- if (first) {
+- nr_desc = *map->buff_size / *map->desc_size;
+- if (nr_desc > ARRAY_SIZE(p->boot_params->e820_table)) {
+- u32 nr_e820ext = nr_desc -
+- ARRAY_SIZE(p->boot_params->e820_table);
+-
+- status = alloc_e820ext(nr_e820ext, &p->e820ext,
+- &p->e820ext_size);
+- if (status != EFI_SUCCESS)
+- return status;
+- }
+- first = false;
+- }
+-
+ signature = efi_is_64bit() ? EFI64_LOADER_SIGNATURE
+ : EFI32_LOADER_SIGNATURE;
+ memcpy(&p->efi->efi_loader_signature, signature, sizeof(__u32));
+@@ -687,8 +705,8 @@ static efi_status_t exit_boot(struct boo
+ {
+ unsigned long map_sz, key, desc_size, buff_size;
+ efi_memory_desc_t *mem_map;
+- struct setup_data *e820ext;
+- __u32 e820ext_size;
++ struct setup_data *e820ext = NULL;
++ __u32 e820ext_size = 0;
+ efi_status_t status;
+ __u32 desc_version;
+ struct efi_boot_memmap map;
+@@ -702,8 +720,10 @@ static efi_status_t exit_boot(struct boo
+ map.buff_size = &buff_size;
+ priv.boot_params = boot_params;
+ priv.efi = &boot_params->efi_info;
+- priv.e820ext = NULL;
+- priv.e820ext_size = 0;
++
++ status = allocate_e820(boot_params, &e820ext, &e820ext_size);
++ if (status != EFI_SUCCESS)
++ return status;
+
+ /* Might as well exit boot services now */
+ status = efi_exit_boot_services(sys_table, handle, &map, &priv,
+@@ -711,9 +731,6 @@ static efi_status_t exit_boot(struct boo
+ if (status != EFI_SUCCESS)
+ return status;
+
+- e820ext = priv.e820ext;
+- e820ext_size = priv.e820ext_size;
+-
+ /* Historic? */
+ boot_params->alt_mem_k = 32 * 1024;
+
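Review bot: `allocate_e820()` obtains a memory map through `efi_get_memory_map()` and never releases `map`; that helper hands back a pool allocation, so both early returns and the success path leak it. I would add `efi_call_early(free_pool, map);` before each `return`, or route every exit through one that frees it. Because `nr_desc` is counted before `alloc_e820ext()` itself allocates, the real map can still grow slightly by the time boot services exit, so a few slack entries above `ARRAY_SIZE(params->e820_table)` would make this more robust — an inference, not something the hunk shows. (`boot_map.map = ↦` in this rendering is presumably `&map;` mangled by HTML-entity decoding, not a code change to check.) The `@@ -1,3 +1,4 @@` hunk also adds a stray blank line at the top of eboot.c that looks unintentional.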