From: Greg Kroah-Hartman Date: Wed, 14 Aug 2019 16:51:42 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v5.2.9~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1ec68447b18a5bcdc53aeb7eca66e79a6d953555;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: alsa-firewire-fix-a-memory-leak-bug.patch alsa-hda-don-t-override-global-pcm-hw-info-flag.patch alsa-hda-workaround-for-crackled-sound-on-amd-controller-1022-1457.patch alsa-hiface-fix-multiple-memory-leak-bugs.patch can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch dax-dax_layout_busy_page-should-not-unmap-cow-pages.patch drm-i915-fix-wrong-escape-clock-divisor-init-for-glk.patch hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch iwlwifi-mvm-don-t-send-geo_tx_power_limit-on-version-41.patch iwlwifi-mvm-fix-an-out-of-bound-access.patch iwlwifi-mvm-fix-version-check-for-geo_tx_power_limit-support.patch kvm-fix-leak-vcpu-s-vmcs-value-into-other-pcpu.patch mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch mwifiex-fix-802.11n-wpa-detection.patch nfsv4-fix-an-oops-in-nfs4_do_setattr.patch smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch smb3-send-cap_dfs-capability-during-session-setup.patch --- diff --git a/queue-4.19/alsa-firewire-fix-a-memory-leak-bug.patch b/queue-4.19/alsa-firewire-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..05ca846644c --- /dev/null +++ b/queue-4.19/alsa-firewire-fix-a-memory-leak-bug.patch 
@@ -0,0 +1,39 @@ +From 1be3c1fae6c1e1f5bb982b255d2034034454527a Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Thu, 8 Aug 2019 00:50:58 -0500 +Subject: ALSA: firewire: fix a memory leak bug + +From: Wenwen Wang + +commit 1be3c1fae6c1e1f5bb982b255d2034034454527a upstream. + +In iso_packets_buffer_init(), 'b->packets' is allocated through +kmalloc_array(). Then, the aligned packet size is checked. If it is +larger than PAGE_SIZE, -EINVAL will be returned to indicate the error. +However, the allocated 'b->packets' is not deallocated on this path, +leading to a memory leak. + +To fix the above issue, free 'b->packets' before returning the error code. + +Fixes: 31ef9134eb52 ("ALSA: add LaCie FireWire Speakers/Griffin FireWave Surround driver") +Signed-off-by: Wenwen Wang +Reviewed-by: Takashi Sakamoto +Cc: # v2.6.39+ +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/packets-buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/firewire/packets-buffer.c ++++ b/sound/firewire/packets-buffer.c +@@ -37,7 +37,7 @@ int iso_packets_buffer_init(struct iso_p + packets_per_page = PAGE_SIZE / packet_size; + if (WARN_ON(!packets_per_page)) { + err = -EINVAL; +- goto error; ++ goto err_packets; + } + pages = DIV_ROUND_UP(count, packets_per_page); + diff --git a/queue-4.19/alsa-hda-don-t-override-global-pcm-hw-info-flag.patch b/queue-4.19/alsa-hda-don-t-override-global-pcm-hw-info-flag.patch new file mode 100644 index 00000000000..f99af04e7bd --- /dev/null +++ b/queue-4.19/alsa-hda-don-t-override-global-pcm-hw-info-flag.patch 
@@ -0,0 +1,42 @@ +From c1c6c877b0c79fd7e05c931435aa42211eaeebaf Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 6 Aug 2019 14:03:56 +0200 +Subject: ALSA: hda - Don't override global PCM hw info flag + +From: Takashi Iwai + +commit c1c6c877b0c79fd7e05c931435aa42211eaeebaf upstream. + +The commit bfcba288b97f ("ALSA - hda: Add support for link audio time +reporting") introduced the conditional PCM hw info setup, but it +overwrites the global azx_pcm_hw object. This will cause a problem if +any other HD-audio controller, as it'll inherit the same bit flag +although another controller doesn't support that feature. + +Fix the bug by setting the PCM hw info flag locally. + +Fixes: bfcba288b97f ("ALSA - hda: Add support for link audio time reporting") +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_controller.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/sound/pci/hda/hda_controller.c ++++ b/sound/pci/hda/hda_controller.c +@@ -609,11 +609,9 @@ static int azx_pcm_open(struct snd_pcm_s + } + runtime->private_data = azx_dev; + +- if (chip->gts_present) +- azx_pcm_hw.info = azx_pcm_hw.info | +- SNDRV_PCM_INFO_HAS_LINK_SYNCHRONIZED_ATIME; +- + runtime->hw = azx_pcm_hw; ++ if (chip->gts_present) ++ runtime->hw.info |= SNDRV_PCM_INFO_HAS_LINK_SYNCHRONIZED_ATIME; + runtime->hw.channels_min = hinfo->channels_min; + runtime->hw.channels_max = hinfo->channels_max; + runtime->hw.formats = hinfo->formats; diff --git a/queue-4.19/alsa-hda-workaround-for-crackled-sound-on-amd-controller-1022-1457.patch b/queue-4.19/alsa-hda-workaround-for-crackled-sound-on-amd-controller-1022-1457.patch new file mode 100644 index 00000000000..006601e1255 --- /dev/null +++ b/queue-4.19/alsa-hda-workaround-for-crackled-sound-on-amd-controller-1022-1457.patch 
@@ -0,0 +1,202 @@ +From c02f77d32d2c45cfb1b2bb99eabd8a78f5ecc7db Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 6 Aug 2019 17:31:48 +0200 +Subject: ALSA: hda - Workaround for crackled sound on AMD controller (1022:1457) + +From: Takashi Iwai + +commit c02f77d32d2c45cfb1b2bb99eabd8a78f5ecc7db upstream. + +A long-time problem on the recent AMD chip (X370, X470, B450, etc with +PCI ID 1022:1457) with Realtek codecs is the crackled or distorted +sound for capture streams, as well as occasional playback hiccups. +After lengthy debugging sessions, the workarounds we've found are like +the following: + +- Set up the proper driver caps for this controller, similar as the + other AMD controller. + +- Correct the DMA position reporting with the fixed FIFO size, which + is similar like as workaround used for VIA chip set. + +- Even after the position correction, PulseAudio still shows + mysterious stalls of playback streams when a capture is triggered in + timer-scheduled mode. Since we have no clear way to eliminate the + stall, pass the BATCH PCM flag for PA to suppress the tsched mode as + a temporary workaround. + +This patch implements the workarounds. For the driver caps, it +defines a new preset, AXZ_DCAPS_PRESET_AMD_SB. It enables the FIFO- +corrected position reporting (corresponding to the new position_fix=6) +and enforces the SNDRV_PCM_INFO_BATCH flag. + +Note that the current implementation is merely a workaround. +Hopefully we'll find a better alternative in future, especially about +removing the BATCH flag hack again. 
+ +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=195303 +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_controller.c | 7 ++++ + sound/pci/hda/hda_controller.h | 2 - + sound/pci/hda/hda_intel.c | 63 ++++++++++++++++++++++++++++++++++++++++- + 3 files changed, 70 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/hda_controller.c ++++ b/sound/pci/hda/hda_controller.c +@@ -624,6 +624,13 @@ static int azx_pcm_open(struct snd_pcm_s + 20, + 178000000); + ++ /* by some reason, the playback stream stalls on PulseAudio with ++ * tsched=1 when a capture stream triggers. Until we figure out the ++ * real cause, disable tsched mode by telling the PCM info flag. ++ */ ++ if (chip->driver_caps & AZX_DCAPS_AMD_WORKAROUND) ++ runtime->hw.info |= SNDRV_PCM_INFO_BATCH; ++ + if (chip->align_buffer_size) + /* constrain buffer sizes to be multiple of 128 + bytes. This is more efficient in terms of memory +--- a/sound/pci/hda/hda_controller.h ++++ b/sound/pci/hda/hda_controller.h +@@ -40,7 +40,7 @@ + /* 14 unused */ + #define AZX_DCAPS_CTX_WORKAROUND (1 << 15) /* X-Fi workaround */ + #define AZX_DCAPS_POSFIX_LPIB (1 << 16) /* Use LPIB as default */ +-/* 17 unused */ ++#define AZX_DCAPS_AMD_WORKAROUND (1 << 17) /* AMD-specific workaround */ + #define AZX_DCAPS_NO_64BIT (1 << 18) /* No 64bit address */ + #define AZX_DCAPS_SYNC_WRITE (1 << 19) /* sync each cmd write */ + #define AZX_DCAPS_OLD_SSYNC (1 << 20) /* Old SSYNC reg for ICH */ +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -78,6 +78,7 @@ enum { + POS_FIX_VIACOMBO, + POS_FIX_COMBO, + POS_FIX_SKL, ++ POS_FIX_FIFO, + }; + + /* Defines for ATI HD Audio support in SB450 south bridge */ +@@ -149,7 +150,7 @@ module_param_array(model, charp, NULL, 0 + MODULE_PARM_DESC(model, "Use the given board model."); + module_param_array(position_fix, int, NULL, 0444); + MODULE_PARM_DESC(position_fix, "DMA pointer read method." 
+- "(-1 = system default, 0 = auto, 1 = LPIB, 2 = POSBUF, 3 = VIACOMBO, 4 = COMBO, 5 = SKL+)."); ++ "(-1 = system default, 0 = auto, 1 = LPIB, 2 = POSBUF, 3 = VIACOMBO, 4 = COMBO, 5 = SKL+, 6 = FIFO)."); + module_param_array(bdl_pos_adj, int, NULL, 0644); + MODULE_PARM_DESC(bdl_pos_adj, "BDL position adjustment offset."); + module_param_array(probe_mask, int, NULL, 0444); +@@ -350,6 +351,11 @@ enum { + #define AZX_DCAPS_PRESET_ATI_HDMI_NS \ + (AZX_DCAPS_PRESET_ATI_HDMI | AZX_DCAPS_SNOOP_OFF) + ++/* quirks for AMD SB */ ++#define AZX_DCAPS_PRESET_AMD_SB \ ++ (AZX_DCAPS_NO_TCSEL | AZX_DCAPS_SYNC_WRITE | AZX_DCAPS_AMD_WORKAROUND |\ ++ AZX_DCAPS_SNOOP_TYPE(ATI) | AZX_DCAPS_PM_RUNTIME) ++ + /* quirks for Nvidia */ + #define AZX_DCAPS_PRESET_NVIDIA \ + (AZX_DCAPS_NO_MSI | AZX_DCAPS_CORBRP_SELF_CLEAR |\ +@@ -920,6 +926,49 @@ static unsigned int azx_via_get_position + return bound_pos + mod_dma_pos; + } + ++#define AMD_FIFO_SIZE 32 ++ ++/* get the current DMA position with FIFO size correction */ ++static unsigned int azx_get_pos_fifo(struct azx *chip, struct azx_dev *azx_dev) ++{ ++ struct snd_pcm_substream *substream = azx_dev->core.substream; ++ struct snd_pcm_runtime *runtime = substream->runtime; ++ unsigned int pos, delay; ++ ++ pos = snd_hdac_stream_get_pos_lpib(azx_stream(azx_dev)); ++ if (!runtime) ++ return pos; ++ ++ runtime->delay = AMD_FIFO_SIZE; ++ delay = frames_to_bytes(runtime, AMD_FIFO_SIZE); ++ if (azx_dev->insufficient) { ++ if (pos < delay) { ++ delay = pos; ++ runtime->delay = bytes_to_frames(runtime, pos); ++ } else { ++ azx_dev->insufficient = 0; ++ } ++ } ++ ++ /* correct the DMA position for capture stream */ ++ if (substream->stream == SNDRV_PCM_STREAM_CAPTURE) { ++ if (pos < delay) ++ pos += azx_dev->core.bufsize; ++ pos -= delay; ++ } ++ ++ return pos; ++} ++ ++static int azx_get_delay_from_fifo(struct azx *chip, struct azx_dev *azx_dev, ++ unsigned int pos) ++{ ++ struct snd_pcm_substream *substream = azx_dev->core.substream; ++ ++ /* just 
read back the calculated value in the above */ ++ return substream->runtime->delay; ++} ++ + static unsigned int azx_skl_get_dpib_pos(struct azx *chip, + struct azx_dev *azx_dev) + { +@@ -1528,6 +1577,7 @@ static int check_position_fix(struct azx + case POS_FIX_VIACOMBO: + case POS_FIX_COMBO: + case POS_FIX_SKL: ++ case POS_FIX_FIFO: + return fix; + } + +@@ -1544,6 +1594,10 @@ static int check_position_fix(struct azx + dev_dbg(chip->card->dev, "Using VIACOMBO position fix\n"); + return POS_FIX_VIACOMBO; + } ++ if (chip->driver_caps & AZX_DCAPS_AMD_WORKAROUND) { ++ dev_dbg(chip->card->dev, "Using FIFO position fix\n"); ++ return POS_FIX_FIFO; ++ } + if (chip->driver_caps & AZX_DCAPS_POSFIX_LPIB) { + dev_dbg(chip->card->dev, "Using LPIB position fix\n"); + return POS_FIX_LPIB; +@@ -1564,6 +1618,7 @@ static void assign_position_fix(struct a + [POS_FIX_VIACOMBO] = azx_via_get_position, + [POS_FIX_COMBO] = azx_get_pos_lpib, + [POS_FIX_SKL] = azx_get_pos_skl, ++ [POS_FIX_FIFO] = azx_get_pos_fifo, + }; + + chip->get_position[0] = chip->get_position[1] = callbacks[fix]; +@@ -1578,6 +1633,9 @@ static void assign_position_fix(struct a + azx_get_delay_from_lpib; + } + ++ if (fix == POS_FIX_FIFO) ++ chip->get_delay[0] = chip->get_delay[1] = ++ azx_get_delay_from_fifo; + } + + /* +@@ -2594,6 +2652,9 @@ static const struct pci_device_id azx_id + /* AMD Hudson */ + { PCI_DEVICE(0x1022, 0x780d), + .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB }, ++ /* AMD, X370 & co */ ++ { PCI_DEVICE(0x1022, 0x1457), ++ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_AMD_SB }, + /* AMD Stoney */ + { PCI_DEVICE(0x1022, 0x157a), + .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB | diff --git a/queue-4.19/alsa-hiface-fix-multiple-memory-leak-bugs.patch b/queue-4.19/alsa-hiface-fix-multiple-memory-leak-bugs.patch new file mode 100644 index 00000000000..47c302ae759 --- /dev/null +++ b/queue-4.19/alsa-hiface-fix-multiple-memory-leak-bugs.patch 
@@ -0,0 +1,58 @@ +From 3d92aa45fbfd7319e3a19f4ec59fd32b3862b723 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Wed, 7 Aug 2019 04:08:51 -0500 +Subject: ALSA: hiface: fix multiple memory leak bugs + +From: Wenwen Wang + +commit 3d92aa45fbfd7319e3a19f4ec59fd32b3862b723 upstream. + +In hiface_pcm_init(), 'rt' is firstly allocated through kzalloc(). Later +on, hiface_pcm_init_urb() is invoked to initialize 'rt->out_urbs[i]'. In +hiface_pcm_init_urb(), 'rt->out_urbs[i].buffer' is allocated through +kzalloc(). However, if hiface_pcm_init_urb() fails, both 'rt' and +'rt->out_urbs[i].buffer' are not deallocated, leading to memory leak bugs. +Also, 'rt->out_urbs[i].buffer' is not deallocated if snd_pcm_new() fails. + +To fix the above issues, free 'rt' and 'rt->out_urbs[i].buffer'. + +Fixes: a91c3fb2f842 ("Add M2Tech hiFace USB-SPDIF driver") +Signed-off-by: Wenwen Wang +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/hiface/pcm.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/sound/usb/hiface/pcm.c ++++ b/sound/usb/hiface/pcm.c +@@ -604,14 +604,13 @@ int hiface_pcm_init(struct hiface_chip * + ret = hiface_pcm_init_urb(&rt->out_urbs[i], chip, OUT_EP, + hiface_pcm_out_urb_handler); + if (ret < 0) +- return ret; ++ goto error; + } + + ret = snd_pcm_new(chip->card, "USB-SPDIF Audio", 0, 1, 0, &pcm); + if (ret < 0) { +- kfree(rt); + dev_err(&chip->dev->dev, "Cannot create pcm instance\n"); +- return ret; ++ goto error; + } + + pcm->private_data = rt; +@@ -624,4 +623,10 @@ int hiface_pcm_init(struct hiface_chip * + + chip->pcm = rt; + return 0; ++ ++error: ++ for (i = 0; i < PCM_N_URBS; i++) ++ kfree(rt->out_urbs[i].buffer); ++ kfree(rt); ++ return ret; + } diff --git a/queue-4.19/can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch b/queue-4.19/can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch new file mode 100644 index 00000000000..28c96d3b0a1 --- /dev/null 
+++ b/queue-4.19/can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch @@ -0,0 +1,35 @@ +From 30a8beeb3042f49d0537b7050fd21b490166a3d9 Mon Sep 17 00:00:00 2001 +From: Tomas Bortoli +Date: Wed, 31 Jul 2019 10:54:47 -0400 +Subject: can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices + +From: Tomas Bortoli + +commit 30a8beeb3042f49d0537b7050fd21b490166a3d9 upstream. + +Uninitialized Kernel memory can leak to USB devices. + +Fix by using kzalloc() instead of kmalloc() on the affected buffers. + +Signed-off-by: Tomas Bortoli +Reported-by: syzbot+513e4d0985298538bf9b@syzkaller.appspotmail.com +Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters") +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c +@@ -849,7 +849,7 @@ static int pcan_usb_fd_init(struct peak_ + goto err_out; + + /* allocate command buffer once for all for the interface */ +- pdev->cmd_buffer_addr = kmalloc(PCAN_UFD_CMD_BUFFER_SIZE, ++ pdev->cmd_buffer_addr = kzalloc(PCAN_UFD_CMD_BUFFER_SIZE, + GFP_KERNEL); + if (!pdev->cmd_buffer_addr) + goto err_out_1; diff --git a/queue-4.19/can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch b/queue-4.19/can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch new file mode 100644 index 00000000000..4532553025f --- /dev/null +++ b/queue-4.19/can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch 
@@ -0,0 +1,35 @@ +From ead16e53c2f0ed946d82d4037c630e2f60f4ab69 Mon Sep 17 00:00:00 2001 +From: Tomas Bortoli +Date: Wed, 31 Jul 2019 10:54:47 -0400 +Subject: can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices + +From: Tomas Bortoli + +commit ead16e53c2f0ed946d82d4037c630e2f60f4ab69 upstream. + +Uninitialized Kernel memory can leak to USB devices. + +Fix by using kzalloc() instead of kmalloc() on the affected buffers. + +Signed-off-by: Tomas Bortoli +Reported-by: syzbot+d6a5a1a3657b596ef132@syzkaller.appspotmail.com +Fixes: f14e22435a27 ("net: can: peak_usb: Do not do dma on the stack") +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/peak_usb/pcan_usb_pro.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/can/usb/peak_usb/pcan_usb_pro.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_pro.c +@@ -502,7 +502,7 @@ static int pcan_usb_pro_drv_loaded(struc + u8 *buffer; + int err; + +- buffer = kmalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL); ++ buffer = kzalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL); + if (!buffer) + return -ENOMEM; + diff --git a/queue-4.19/dax-dax_layout_busy_page-should-not-unmap-cow-pages.patch b/queue-4.19/dax-dax_layout_busy_page-should-not-unmap-cow-pages.patch new file mode 100644 index 00000000000..404c94ecefc --- /dev/null +++ b/queue-4.19/dax-dax_layout_busy_page-should-not-unmap-cow-pages.patch 
@@ -0,0 +1,60 @@ +From d75996dd022b6d83bd14af59b2775b1aa639e4b9 Mon Sep 17 00:00:00 2001 +From: Vivek Goyal +Date: Fri, 2 Aug 2019 15:29:56 -0400 +Subject: dax: dax_layout_busy_page() should not unmap cow pages + +From: Vivek Goyal + +commit d75996dd022b6d83bd14af59b2775b1aa639e4b9 upstream. + +Vivek: + + "As of now dax_layout_busy_page() calls unmap_mapping_range() with last + argument as 1, which says even unmap cow pages. I am wondering who needs + to get rid of cow pages as well. + + I noticed one interesting side affect of this. I mount xfs with -o dax and + mmaped a file with MAP_PRIVATE and wrote some data to a page which created + cow page. Then I called fallocate() on that file to zero a page of file. + fallocate() called dax_layout_busy_page() which unmapped cow pages as well + and then I tried to read back the data I wrote and what I get is old + data from persistent memory. I lost the data I had written. This + read basically resulted in new fault and read back the data from + persistent memory. + + This sounds wrong. Are there any users which need to unmap cow pages + as well? If not, I am proposing changing it to not unmap cow pages. + + I noticed this while while writing virtio_fs code where when I tried + to reclaim a memory range and that corrupted the executable and I + was running from virtio-fs and program got segment violation." + +Dan: + + "In fact the unmap_mapping_range() in this path is only to synchronize + against get_user_pages_fast() and force it to call back into the + filesystem to re-establish the mapping. COW pages should be left + untouched by dax_layout_busy_page()." 
+ +Cc: +Fixes: 5fac7408d828 ("mm, fs, dax: handle layout changes to pinned dax mappings") +Signed-off-by: Vivek Goyal +Link: https://lore.kernel.org/r/20190802192956.GA3032@redhat.com +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + fs/dax.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/dax.c ++++ b/fs/dax.c +@@ -659,7 +659,7 @@ struct page *dax_layout_busy_page(struct + * guaranteed to either see new references or prevent new + * references from being established. + */ +- unmap_mapping_range(mapping, 0, 0, 1); ++ unmap_mapping_range(mapping, 0, 0, 0); + + while (index < end && pagevec_lookup_entries(&pvec, mapping, index, + min(end - index, (pgoff_t)PAGEVEC_SIZE), diff --git a/queue-4.19/drm-i915-fix-wrong-escape-clock-divisor-init-for-glk.patch b/queue-4.19/drm-i915-fix-wrong-escape-clock-divisor-init-for-glk.patch new file mode 100644 index 00000000000..f48f85daac8 --- /dev/null +++ b/queue-4.19/drm-i915-fix-wrong-escape-clock-divisor-init-for-glk.patch 
@@ -0,0 +1,54 @@ +From 73a0ff0b30af79bf0303d557eb82f1d1945bb6ee Mon Sep 17 00:00:00 2001 +From: Stanislav Lisovskiy +Date: Fri, 12 Jul 2019 11:19:38 +0300 +Subject: drm/i915: Fix wrong escape clock divisor init for GLK + +From: Stanislav Lisovskiy + +commit 73a0ff0b30af79bf0303d557eb82f1d1945bb6ee upstream. + +According to Bspec clock divisor registers in GeminiLake +should be initialized by shifting 1(<<) to amount of correspondent +divisor. While i915 was writing all this time that value as is. + +Surprisingly that it by accident worked, until we met some issues +with Microtech Etab. + +v2: Added Fixes tag and cc +v3: Added stable to cc as well. + +Signed-off-by: Stanislav Lisovskiy +Reviewed-by: Vandita Kulkarni +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108826 +Fixes: bcc657004841 ("drm/i915/glk: Program txesc clock divider for GLK") +Cc: Deepak M +Cc: Madhav Chauhan +Cc: Jani Nikula +Cc: Jani Nikula +Cc: Joonas Lahtinen +Cc: Rodrigo Vivi +Cc: intel-gfx@lists.freedesktop.org +Cc: stable@vger.kernel.org +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20190712081938.14185-1-stanislav.lisovskiy@intel.com +(cherry picked from commit ce52ad5dd52cfaf3398058384e0ff94134bbd89c) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/vlv_dsi_pll.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/vlv_dsi_pll.c ++++ b/drivers/gpu/drm/i915/vlv_dsi_pll.c +@@ -413,8 +413,8 @@ static void glk_dsi_program_esc_clock(st + else + txesc2_div = 10; + +- I915_WRITE(MIPIO_TXESC_CLK_DIV1, txesc1_div & GLK_TX_ESC_CLK_DIV1_MASK); +- I915_WRITE(MIPIO_TXESC_CLK_DIV2, txesc2_div & GLK_TX_ESC_CLK_DIV2_MASK); ++ I915_WRITE(MIPIO_TXESC_CLK_DIV1, (1 << (txesc1_div - 1)) & GLK_TX_ESC_CLK_DIV1_MASK); ++ I915_WRITE(MIPIO_TXESC_CLK_DIV2, (1 << (txesc2_div - 1)) & GLK_TX_ESC_CLK_DIV2_MASK); + } + + /* Program BXT Mipi clocks and dividers */ 
diff --git a/queue-4.19/hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch b/queue-4.19/hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch new file mode 100644 index 00000000000..b46483cfbd3 --- /dev/null +++ b/queue-4.19/hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch 
@@ -0,0 +1,56 @@ +From 38ada2f406a9b81fb1249c5c9227fa657e7d5671 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Fri, 26 Jul 2019 08:00:49 -0700 +Subject: hwmon: (nct7802) Fix wrong detection of in4 presence + +From: Guenter Roeck + +commit 38ada2f406a9b81fb1249c5c9227fa657e7d5671 upstream. + +The code to detect if in4 is present is wrong; if in4 is not present, +the in4_input sysfs attribute is still present. + +In detail: + +- Ihen RTD3_MD=11 (VSEN3 present), everything is as expected (no bug). +- If we have RTD3_MD!=11 (no VSEN3), we unexpectedly have a in4_input + file under /sys and the "sensors" command displays in4_input. + But as expected, we have no in4_min, in4_max, in4_alarm, in4_beep. + +Fix is_visible function to detect and report in4_input visibility +as expected. + +Reported-by: Gilles Buloz +Cc: Gilles Buloz +Cc: stable@vger.kernel.org +Fixes: 3434f37835804 ("hwmon: Driver for Nuvoton NCT7802Y") +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/nct7802.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/hwmon/nct7802.c ++++ b/drivers/hwmon/nct7802.c +@@ -768,7 +768,7 @@ static struct attribute *nct7802_in_attr + &sensor_dev_attr_in3_alarm.dev_attr.attr, + &sensor_dev_attr_in3_beep.dev_attr.attr, + +- &sensor_dev_attr_in4_input.dev_attr.attr, /* 17 */ ++ &sensor_dev_attr_in4_input.dev_attr.attr, /* 16 */ + &sensor_dev_attr_in4_min.dev_attr.attr, + &sensor_dev_attr_in4_max.dev_attr.attr, + &sensor_dev_attr_in4_alarm.dev_attr.attr, +@@ -794,9 +794,9 @@ static umode_t nct7802_in_is_visible(str + + if (index >= 6 && index < 11 && (reg & 0x03) != 0x03) /* VSEN1 */ + return 0; +- if (index >= 11 && index < 17 && (reg & 0x0c) != 0x0c) /* VSEN2 */ ++ if (index >= 11 && index < 16 && (reg & 0x0c) != 0x0c) /* VSEN2 */ + return 0; +- if (index >= 17 && (reg & 0x30) != 0x30) /* VSEN3 */ ++ if (index >= 16 && (reg & 0x30) != 0x30) /* VSEN3 */ + return 0; + + return attr->mode; 
diff --git a/queue-4.19/iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch b/queue-4.19/iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch new file mode 100644 index 00000000000..37c422b279e --- /dev/null +++ b/queue-4.19/iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch @@ -0,0 +1,37 @@ +From 87e7e25aee6b59fef740856f4e86d4b60496c9e1 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Sun, 21 Jul 2019 14:02:27 +0300 +Subject: iwlwifi: don't unmap as page memory that was mapped as single + +From: Emmanuel Grumbach + +commit 87e7e25aee6b59fef740856f4e86d4b60496c9e1 upstream. + +In order to remember how to unmap a memory (as single or +as page), we maintain a bit per Transmit Buffer (TBs) in +the meta data (structure iwl_cmd_meta). +We maintain a bitmap: 1 bit per TB. +If the TB is set, we will free the memory as a page. +This bitmap was never cleared. Fix this. + +Cc: stable@vger.kernel.org +Fixes: 3cd1980b0cdf ("iwlwifi: pcie: introduce new tfd and tb formats") +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c +@@ -403,6 +403,8 @@ static void iwl_pcie_tfd_unmap(struct iw + DMA_TO_DEVICE); + } + ++ meta->tbs = 0; ++ + if (trans->cfg->use_tfh) { + struct iwl_tfh_tfd *tfd_fh = (void *)tfd; + diff --git a/queue-4.19/iwlwifi-mvm-don-t-send-geo_tx_power_limit-on-version-41.patch b/queue-4.19/iwlwifi-mvm-don-t-send-geo_tx_power_limit-on-version-41.patch new file mode 100644 index 00000000000..de665c2e2ab --- /dev/null +++ b/queue-4.19/iwlwifi-mvm-don-t-send-geo_tx_power_limit-on-version-41.patch 
@@ -0,0 +1,73 @@ +From 39bd984c203e86f3109b49c2a2e20677c4d3ab65 Mon Sep 17 00:00:00 2001 +From: Luca Coelho +Date: Mon, 24 Jun 2019 22:29:33 +0300 +Subject: iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT on version < 41 + +From: Luca Coelho + +commit 39bd984c203e86f3109b49c2a2e20677c4d3ab65 upstream. + +Firmware versions before 41 don't support the GEO_TX_POWER_LIMIT +command, and sending it to the firmware will cause a firmware crash. +We allow this via debugfs, so we need to return an error value in case +it's not supported. + +This had already been fixed during init, when we send the command if +the ACPI WGDS table is present. Fix it also for the other, +userspace-triggered case. + +Cc: stable@vger.kernel.org +Fixes: 7fe90e0e3d60 ("iwlwifi: mvm: refactor geo init") +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +@@ -836,6 +836,17 @@ int iwl_mvm_sar_select_profile(struct iw + return iwl_mvm_send_cmd_pdu(mvm, REDUCE_TX_POWER_CMD, 0, len, &cmd); + } + ++static bool iwl_mvm_sar_geo_support(struct iwl_mvm *mvm) ++{ ++ /* ++ * The GEO_TX_POWER_LIMIT command is not supported on earlier ++ * firmware versions. Unfortunately, we don't have a TLV API ++ * flag to rely on, so rely on the major version which is in ++ * the first byte of ucode_ver. 
++ */ ++ return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 41; ++} ++ + int iwl_mvm_get_sar_geo_profile(struct iwl_mvm *mvm) + { + struct iwl_geo_tx_power_profiles_resp *resp; +@@ -851,6 +862,9 @@ int iwl_mvm_get_sar_geo_profile(struct i + .data = { &geo_cmd }, + }; + ++ if (!iwl_mvm_sar_geo_support(mvm)) ++ return -EOPNOTSUPP; ++ + ret = iwl_mvm_send_cmd(mvm, &cmd); + if (ret) { + IWL_ERR(mvm, "Failed to get geographic profile info %d\n", ret); +@@ -876,13 +890,7 @@ static int iwl_mvm_sar_geo_init(struct i + int ret, i, j; + u16 cmd_wide_id = WIDE_ID(PHY_OPS_GROUP, GEO_TX_POWER_LIMIT); + +- /* +- * This command is not supported on earlier firmware versions. +- * Unfortunately, we don't have a TLV API flag to rely on, so +- * rely on the major version which is in the first byte of +- * ucode_ver. +- */ +- if (IWL_UCODE_SERIAL(mvm->fw->ucode_ver) < 41) ++ if (!iwl_mvm_sar_geo_support(mvm)) + return 0; + + ret = iwl_mvm_sar_get_wgds_table(mvm); diff --git a/queue-4.19/iwlwifi-mvm-fix-an-out-of-bound-access.patch b/queue-4.19/iwlwifi-mvm-fix-an-out-of-bound-access.patch new file mode 100644 index 00000000000..6b0e113fc81 --- /dev/null +++ b/queue-4.19/iwlwifi-mvm-fix-an-out-of-bound-access.patch 
@@ -0,0 +1,38 @@ +From ba3224db78034435e9ff0247277cce7c7bb1756c Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Mon, 22 Jul 2019 12:47:27 +0300 +Subject: iwlwifi: mvm: fix an out-of-bound access + +From: Emmanuel Grumbach + +commit ba3224db78034435e9ff0247277cce7c7bb1756c upstream. + +The index for the elements of the ACPI object we dereference +was static. This means that if we called the function twice +we wouldn't start from 3 again, but rather from the latest +index we reached in the previous call. +This was dutifully reported by KASAN. + +Fix this. + +Cc: stable@vger.kernel.org +Fixes: 6996490501ed ("iwlwifi: mvm: add support for EWRD (Dynamic SAR) ACPI table") +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +@@ -724,7 +724,7 @@ static int iwl_mvm_sar_get_ewrd_table(st + + for (i = 0; i < n_profiles; i++) { + /* the tables start at element 3 */ +- static int pos = 3; ++ int pos = 3; + + /* The EWRD profiles officially go from 2 to 4, but we + * save them in sar_profiles[1-3] (because we don't diff --git a/queue-4.19/iwlwifi-mvm-fix-version-check-for-geo_tx_power_limit-support.patch b/queue-4.19/iwlwifi-mvm-fix-version-check-for-geo_tx_power_limit-support.patch new file mode 100644 index 00000000000..e39913c3e44 --- /dev/null +++ b/queue-4.19/iwlwifi-mvm-fix-version-check-for-geo_tx_power_limit-support.patch 
@@ -0,0 +1,43 @@ +From f5a47fae6aa3eb06f100e701d2342ee56b857bee Mon Sep 17 00:00:00 2001 +From: Luca Coelho +Date: Fri, 19 Jul 2019 12:21:59 +0300 +Subject: iwlwifi: mvm: fix version check for GEO_TX_POWER_LIMIT support + +From: Luca Coelho + +commit f5a47fae6aa3eb06f100e701d2342ee56b857bee upstream. + +We erroneously added a check for FW API version 41 before sending +GEO_TX_POWER_LIMIT, but this was already implemented in version 38. +Additionally, it was cherry-picked to older versions, namely 17, 26 +and 29, so check for those as well. + +Cc: stable@vger.kernel.org +Fixes: eca1e56ceedd ("iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT to old firmwares") +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +@@ -842,9 +842,14 @@ static bool iwl_mvm_sar_geo_support(stru + * The GEO_TX_POWER_LIMIT command is not supported on earlier + * firmware versions. Unfortunately, we don't have a TLV API + * flag to rely on, so rely on the major version which is in +- * the first byte of ucode_ver. ++ * the first byte of ucode_ver. This was implemented ++ * initially on version 38 and then backported to 36, 29 and ++ * 17. + */ +- return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 41; ++ return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 38 || ++ IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 36 || ++ IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 29 || ++ IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 17; + } + + int iwl_mvm_get_sar_geo_profile(struct iwl_mvm *mvm) diff --git a/queue-4.19/kvm-fix-leak-vcpu-s-vmcs-value-into-other-pcpu.patch b/queue-4.19/kvm-fix-leak-vcpu-s-vmcs-value-into-other-pcpu.patch new file mode 100644 index 00000000000..7f942a71e66 --- /dev/null +++ b/queue-4.19/kvm-fix-leak-vcpu-s-vmcs-value-into-other-pcpu.patch 
@@ -0,0 +1,200 @@ +From 17e433b54393a6269acbcb792da97791fe1592d8 Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Mon, 5 Aug 2019 10:03:19 +0800 +Subject: KVM: Fix leak vCPU's VMCS value into other pCPU +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wanpeng Li + +commit 17e433b54393a6269acbcb792da97791fe1592d8 upstream. + +After commit d73eb57b80b (KVM: Boost vCPUs that are delivering interrupts), a +five years old bug is exposed. Running ebizzy benchmark in three 80 vCPUs VMs +on one 80 pCPUs Skylake server, a lot of rcu_sched stall warning splatting +in the VMs after stress testing: + + INFO: rcu_sched detected stalls on CPUs/tasks: { 4 41 57 62 77} (detected by 15, t=60004 jiffies, g=899, c=898, q=15073) + Call Trace: + flush_tlb_mm_range+0x68/0x140 + tlb_flush_mmu.part.75+0x37/0xe0 + tlb_finish_mmu+0x55/0x60 + zap_page_range+0x142/0x190 + SyS_madvise+0x3cd/0x9c0 + system_call_fastpath+0x1c/0x21 + +swait_active() sustains to be true before finish_swait() is called in +kvm_vcpu_block(), voluntarily preempted vCPUs are taken into account +by kvm_vcpu_on_spin() loop greatly increases the probability condition +kvm_arch_vcpu_runnable(vcpu) is checked and can be true, when APICv +is enabled the yield-candidate vCPU's VMCS RVI field leaks(by +vmx_sync_pir_to_irr()) into spinning-on-a-taken-lock vCPU's current +VMCS. + +This patch fixes it by checking conservatively a subset of events. 
+ +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: Christian Borntraeger +Cc: Marc Zyngier +Cc: stable@vger.kernel.org +Fixes: 98f4a1467 (KVM: add kvm_arch_vcpu_runnable() test to kvm_vcpu_on_spin() loop) +Signed-off-by: Wanpeng Li +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/powerpc.c | 5 +++++ + arch/x86/include/asm/kvm_host.h | 1 + + arch/x86/kvm/svm.c | 6 ++++++ + arch/x86/kvm/vmx.c | 6 ++++++ + arch/x86/kvm/x86.c | 16 ++++++++++++++++ + include/linux/kvm_host.h | 1 + + virt/kvm/kvm_main.c | 25 ++++++++++++++++++++++++- + 7 files changed, 59 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/kvm/powerpc.c ++++ b/arch/powerpc/kvm/powerpc.c +@@ -61,6 +61,11 @@ int kvm_arch_vcpu_runnable(struct kvm_vc + return !!(v->arch.pending_exceptions) || kvm_request_pending(v); + } + ++bool kvm_arch_dy_runnable(struct kvm_vcpu *vcpu) ++{ ++ return kvm_arch_vcpu_runnable(vcpu); ++} ++ + bool kvm_arch_vcpu_in_kernel(struct kvm_vcpu *vcpu) + { + return false; +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1113,6 +1113,7 @@ struct kvm_x86_ops { + int (*update_pi_irte)(struct kvm *kvm, unsigned int host_irq, + uint32_t guest_irq, bool set); + void (*apicv_post_state_restore)(struct kvm_vcpu *vcpu); ++ bool (*dy_apicv_has_pending_interrupt)(struct kvm_vcpu *vcpu); + + int (*set_hv_timer)(struct kvm_vcpu *vcpu, u64 guest_deadline_tsc); + void (*cancel_hv_timer)(struct kvm_vcpu *vcpu); +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -5146,6 +5146,11 @@ static void svm_deliver_avic_intr(struct + kvm_vcpu_wake_up(vcpu); + } + ++static bool svm_dy_apicv_has_pending_interrupt(struct kvm_vcpu *vcpu) ++{ ++ return false; ++} ++ + static void svm_ir_list_del(struct vcpu_svm *svm, struct amd_iommu_pi_data *pi) + { + unsigned long flags; +@@ -7203,6 +7208,7 @@ static struct kvm_x86_ops svm_x86_ops __ + + .pmu_ops = &amd_pmu_ops, + .deliver_posted_interrupt = svm_deliver_avic_intr, ++ 
.dy_apicv_has_pending_interrupt = svm_dy_apicv_has_pending_interrupt, + .update_pi_irte = svm_update_pi_irte, + .setup_mce = svm_setup_mce, + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -10411,6 +10411,11 @@ static u8 vmx_has_apicv_interrupt(struct + return ((rvi & 0xf0) > (vppr & 0xf0)); + } + ++static bool vmx_dy_apicv_has_pending_interrupt(struct kvm_vcpu *vcpu) ++{ ++ return pi_test_on(vcpu_to_pi_desc(vcpu)); ++} ++ + static void vmx_load_eoi_exitmap(struct kvm_vcpu *vcpu, u64 *eoi_exit_bitmap) + { + if (!kvm_vcpu_apicv_active(vcpu)) +@@ -14387,6 +14392,7 @@ static struct kvm_x86_ops vmx_x86_ops __ + .guest_apic_has_interrupt = vmx_guest_apic_has_interrupt, + .sync_pir_to_irr = vmx_sync_pir_to_irr, + .deliver_posted_interrupt = vmx_deliver_posted_interrupt, ++ .dy_apicv_has_pending_interrupt = vmx_dy_apicv_has_pending_interrupt, + + .set_tss_addr = vmx_set_tss_addr, + .set_identity_map_addr = vmx_set_identity_map_addr, +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -9336,6 +9336,22 @@ int kvm_arch_vcpu_runnable(struct kvm_vc + return kvm_vcpu_running(vcpu) || kvm_vcpu_has_events(vcpu); + } + ++bool kvm_arch_dy_runnable(struct kvm_vcpu *vcpu) ++{ ++ if (READ_ONCE(vcpu->arch.pv.pv_unhalted)) ++ return true; ++ ++ if (kvm_test_request(KVM_REQ_NMI, vcpu) || ++ kvm_test_request(KVM_REQ_SMI, vcpu) || ++ kvm_test_request(KVM_REQ_EVENT, vcpu)) ++ return true; ++ ++ if (vcpu->arch.apicv_active && kvm_x86_ops->dy_apicv_has_pending_interrupt(vcpu)) ++ return true; ++ ++ return false; ++} ++ + bool kvm_arch_vcpu_in_kernel(struct kvm_vcpu *vcpu) + { + return vcpu->arch.preempted_in_kernel; +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -818,6 +818,7 @@ void kvm_arch_check_processor_compat(voi + int kvm_arch_vcpu_runnable(struct kvm_vcpu *vcpu); + bool kvm_arch_vcpu_in_kernel(struct kvm_vcpu *vcpu); + int kvm_arch_vcpu_should_kick(struct kvm_vcpu *vcpu); ++bool kvm_arch_dy_runnable(struct kvm_vcpu *vcpu); + + #ifndef 
__KVM_HAVE_ARCH_VM_ALLOC + /* +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -2317,6 +2317,29 @@ static bool kvm_vcpu_eligible_for_direct + #endif + } + ++/* ++ * Unlike kvm_arch_vcpu_runnable, this function is called outside ++ * a vcpu_load/vcpu_put pair. However, for most architectures ++ * kvm_arch_vcpu_runnable does not require vcpu_load. ++ */ ++bool __weak kvm_arch_dy_runnable(struct kvm_vcpu *vcpu) ++{ ++ return kvm_arch_vcpu_runnable(vcpu); ++} ++ ++static bool vcpu_dy_runnable(struct kvm_vcpu *vcpu) ++{ ++ if (kvm_arch_dy_runnable(vcpu)) ++ return true; ++ ++#ifdef CONFIG_KVM_ASYNC_PF ++ if (!list_empty_careful(&vcpu->async_pf.done)) ++ return true; ++#endif ++ ++ return false; ++} ++ + void kvm_vcpu_on_spin(struct kvm_vcpu *me, bool yield_to_kernel_mode) + { + struct kvm *kvm = me->kvm; +@@ -2346,7 +2369,7 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *m + continue; + if (vcpu == me) + continue; +- if (swait_active(&vcpu->wq) && !kvm_arch_vcpu_runnable(vcpu)) ++ if (swait_active(&vcpu->wq) && !vcpu_dy_runnable(vcpu)) + continue; + if (yield_to_kernel_mode && !kvm_arch_vcpu_in_kernel(vcpu)) + continue; diff --git a/queue-4.19/mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch b/queue-4.19/mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch new file mode 100644 index 00000000000..4cd480635b0 --- /dev/null +++ b/queue-4.19/mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch 
@@ -0,0 +1,53 @@ +From 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Fri, 26 Jul 2019 15:47:58 -0700 +Subject: mac80211: don't WARN on short WMM parameters from AP + +From: Brian Norris + +commit 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced upstream. + +In a very similar spirit to commit c470bdc1aaf3 ("mac80211: don't WARN +on bad WMM parameters from buggy APs"), an AP may not transmit a +fully-formed WMM IE. For example, it may miss or repeat an Access +Category. The above loop won't catch that and will instead leave one of +the four ACs zeroed out. This triggers the following warning in +drv_conf_tx() + + wlan0: invalid CW_min/CW_max: 0/0 + +and it may leave one of the hardware queues unconfigured. If we detect +such a case, let's just print a warning and fall back to the defaults. + +Tested with a hacked version of hostapd, intentionally corrupting the +IEs in hostapd_eid_wmm(). + +Cc: stable@vger.kernel.org +Signed-off-by: Brian Norris +Link: https://lore.kernel.org/r/20190726224758.210953-1-briannorris@chromium.org +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/mlme.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -1967,6 +1967,16 @@ ieee80211_sta_wmm_params(struct ieee8021 + ieee80211_regulatory_limit_wmm_params(sdata, ¶ms[ac], ac); + } + ++ /* WMM specification requires all 4 ACIs. */ ++ for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) { ++ if (params[ac].cw_min == 0) { ++ sdata_info(sdata, ++ "AP has invalid WMM params (missing AC %d), using defaults\n", ++ ac); ++ return false; ++ } ++ } ++ + for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) { + mlme_dbg(sdata, + "WMM AC=%d acm=%d aifs=%d cWmin=%d cWmax=%d txop=%d uapsd=%d, downgraded=%d\n", diff --git a/queue-4.19/mwifiex-fix-802.11n-wpa-detection.patch b/queue-4.19/mwifiex-fix-802.11n-wpa-detection.patch new file mode 100644 index 00000000000..a7340937120 --- /dev/null 
+++ b/queue-4.19/mwifiex-fix-802.11n-wpa-detection.patch @@ -0,0 +1,52 @@ +From df612421fe2566654047769c6852ffae1a31df16 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Wed, 24 Jul 2019 12:46:34 -0700 +Subject: mwifiex: fix 802.11n/WPA detection + +From: Brian Norris + +commit df612421fe2566654047769c6852ffae1a31df16 upstream. + +Commit 63d7ef36103d ("mwifiex: Don't abort on small, spec-compliant +vendor IEs") adjusted the ieee_types_vendor_header struct, which +inadvertently messed up the offsets used in +mwifiex_is_wpa_oui_present(). Add that offset back in, mirroring +mwifiex_is_rsn_oui_present(). + +As it stands, commit 63d7ef36103d breaks compatibility with WPA (not +WPA2) 802.11n networks, since we hit the "info: Disable 11n if AES is +not supported by AP" case in mwifiex_is_network_compatible(). + +Fixes: 63d7ef36103d ("mwifiex: Don't abort on small, spec-compliant vendor IEs") +Cc: +Signed-off-by: Brian Norris +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/marvell/mwifiex/main.h | 1 + + drivers/net/wireless/marvell/mwifiex/scan.c | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/marvell/mwifiex/main.h ++++ b/drivers/net/wireless/marvell/mwifiex/main.h +@@ -124,6 +124,7 @@ enum { + + #define MWIFIEX_MAX_TOTAL_SCAN_TIME (MWIFIEX_TIMER_10S - MWIFIEX_TIMER_1S) + ++#define WPA_GTK_OUI_OFFSET 2 + #define RSN_GTK_OUI_OFFSET 2 + + #define MWIFIEX_OUI_NOT_PRESENT 0 +--- a/drivers/net/wireless/marvell/mwifiex/scan.c ++++ b/drivers/net/wireless/marvell/mwifiex/scan.c +@@ -181,7 +181,8 @@ mwifiex_is_wpa_oui_present(struct mwifie + u8 ret = MWIFIEX_OUI_NOT_PRESENT; + + if (has_vendor_hdr(bss_desc->bcn_wpa_ie, WLAN_EID_VENDOR_SPECIFIC)) { +- iebody = (struct ie_body *) bss_desc->bcn_wpa_ie->data; ++ iebody = (struct ie_body *)((u8 *)bss_desc->bcn_wpa_ie->data + ++ WPA_GTK_OUI_OFFSET); + oui = &mwifiex_wpa_oui[cipher][0]; + ret = mwifiex_search_oui_in_ie(iebody, oui); + if (ret) 
diff --git a/queue-4.19/nfsv4-fix-an-oops-in-nfs4_do_setattr.patch b/queue-4.19/nfsv4-fix-an-oops-in-nfs4_do_setattr.patch new file mode 100644 index 00000000000..3572d65df51 --- /dev/null +++ b/queue-4.19/nfsv4-fix-an-oops-in-nfs4_do_setattr.patch @@ -0,0 +1,34 @@ +From 09a54f0ebfe263bc27c90bbd80187b9a93283887 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sat, 3 Aug 2019 10:28:18 -0400 +Subject: NFSv4: Fix an Oops in nfs4_do_setattr + +From: Trond Myklebust + +commit 09a54f0ebfe263bc27c90bbd80187b9a93283887 upstream. + +If the user specifies an open mode of 3, then we don't have a NFSv4 state +attached to the context, and so we Oops when we try to dereference it. + +Reported-by: Olga Kornievskaia +Fixes: 29b59f9416937 ("NFSv4: change nfs4_do_setattr to take...") +Signed-off-by: Trond Myklebust +Cc: stable@vger.kernel.org # v4.10: 991eedb1371dc: NFSv4: Only pass the... +Cc: stable@vger.kernel.org # v4.10+ +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -3133,7 +3133,7 @@ static int _nfs4_do_setattr(struct inode + + if (nfs4_copy_delegation_stateid(inode, FMODE_WRITE, &arg->stateid, &delegation_cred)) { + /* Use that stateid */ +- } else if (ctx != NULL) { ++ } else if (ctx != NULL && ctx->state) { + struct nfs_lock_context *l_ctx; + if (!nfs4_valid_open_stateid(ctx->state)) + return -EBADF; diff --git a/queue-4.19/series b/queue-4.19/series index 736cda83075..5715449b25e 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
@@ -70,3 +70,22 @@ s390-dma-provide-proper-arch_zone_dma_bits-value.patch hid-sony-fix-race-condition-between-rumble-and-device-remove.patch x86-purgatory-do-not-use-__builtin_memcpy-and-__builtin_memset.patch alsa-usb-audio-fix-a-memory-leak-bug.patch +can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch +can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch +hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch +drm-i915-fix-wrong-escape-clock-divisor-init-for-glk.patch +alsa-firewire-fix-a-memory-leak-bug.patch +alsa-hiface-fix-multiple-memory-leak-bugs.patch +alsa-hda-don-t-override-global-pcm-hw-info-flag.patch +alsa-hda-workaround-for-crackled-sound-on-amd-controller-1022-1457.patch +mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch +dax-dax_layout_busy_page-should-not-unmap-cow-pages.patch +smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch +smb3-send-cap_dfs-capability-during-session-setup.patch +nfsv4-fix-an-oops-in-nfs4_do_setattr.patch +kvm-fix-leak-vcpu-s-vmcs-value-into-other-pcpu.patch +mwifiex-fix-802.11n-wpa-detection.patch +iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch +iwlwifi-mvm-fix-an-out-of-bound-access.patch +iwlwifi-mvm-don-t-send-geo_tx_power_limit-on-version-41.patch +iwlwifi-mvm-fix-version-check-for-geo_tx_power_limit-support.patch diff --git a/queue-4.19/smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch b/queue-4.19/smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch new file mode 100644 index 00000000000..567c2a1406c --- /dev/null +++ b/queue-4.19/smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch 
@@ -0,0 +1,38 @@ +From e99c63e4d86d3a94818693147b469fa70de6f945 Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Mon, 22 Jul 2019 11:34:59 -0700 +Subject: SMB3: Fix deadlock in validate negotiate hits reconnect + +From: Pavel Shilovsky + +commit e99c63e4d86d3a94818693147b469fa70de6f945 upstream. + +Currently we skip SMB2_TREE_CONNECT command when checking during +reconnect because Tree Connect happens when establishing +an SMB session. For SMB 3.0 protocol version the code also calls +validate negotiate which results in SMB2_IOCL command being sent +over the wire. This may deadlock on trying to acquire a mutex when +checking for reconnect. Fix this by skipping SMB2_IOCL command +when doing the reconnect check. + +Signed-off-by: Pavel Shilovsky +Signed-off-by: Steve French +Reviewed-by: Ronnie Sahlberg +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2pdu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -168,7 +168,7 @@ smb2_reconnect(__le16 smb2_command, stru + if (tcon == NULL) + return 0; + +- if (smb2_command == SMB2_TREE_CONNECT) ++ if (smb2_command == SMB2_TREE_CONNECT || smb2_command == SMB2_IOCTL) + return 0; + + if (tcon->tidStatus == CifsExiting) { diff --git a/queue-4.19/smb3-send-cap_dfs-capability-during-session-setup.patch b/queue-4.19/smb3-send-cap_dfs-capability-during-session-setup.patch new file mode 100644 index 00000000000..de9267dcbf6 --- /dev/null +++ b/queue-4.19/smb3-send-cap_dfs-capability-during-session-setup.patch 
@@ -0,0 +1,40 @@ +From 8d33096a460d5b9bd13300f01615df5bb454db10 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Thu, 25 Jul 2019 18:13:10 -0500 +Subject: smb3: send CAP_DFS capability during session setup + +From: Steve French + +commit 8d33096a460d5b9bd13300f01615df5bb454db10 upstream. + +We had a report of a server which did not do a DFS referral +because the session setup Capabilities field was set to 0 +(unlike negotiate protocol where we set CAP_DFS). Better to +send it session setup in the capabilities as well (this also +more closely matches Windows client behavior). + +Signed-off-by: Steve French +Reviewed-off-by: Ronnie Sahlberg +Reviewed-by: Pavel Shilovsky +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2pdu.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -1006,7 +1006,12 @@ SMB2_sess_alloc_buffer(struct SMB2_sess_ + else + req->SecurityMode = 0; + ++#ifdef CONFIG_CIFS_DFS_UPCALL ++ req->Capabilities = cpu_to_le32(SMB2_GLOBAL_CAP_DFS); ++#else + req->Capabilities = 0; ++#endif /* DFS_UPCALL */ ++ + req->Channel = 0; /* MBZ */ + + sess_data->iov[0].iov_base = (char *)req;
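Review bot: in iwl_mvm_sar_get_ewrd_table() (iwlwifi-mvm-fix-an-out-of-bound-access.patch, fw.c hunk at -724), `int pos = 3;` is still declared inside the body of `for (i = 0; i < n_profiles; i++)`, so once it is no longer static it is re-initialised to 3 on every iteration. If the loop body advances pos to step to the next table (that part is outside the visible context), the advance is lost and each profile is read starting at element 3. Declaring `int pos = 3;` before the loop keeps the per-call reset and lets the index carry across iterations.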
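Review bot: in iwl_mvm_sar_geo_support() (iwlwifi-mvm-fix-version-check-for-geo_tx_power_limit-support.patch, fw.c hunk at -842), the commit message lists the backport targets as 17, 26 and 29, while the new comment and the return expression use 36, 29 and 17. One of the two is wrong, and the value should be confirmed before this goes to stable, because the function decides whether GEO_TX_POWER_LIMIT is treated as supported. Reading IWL_UCODE_SERIAL(mvm->fw->ucode_ver) once into a local would also make the four comparisons easier to check.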
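Review bot: the kvm_arch_dy_runnable() added to arch/powerpc/kvm/powerpc.c (hunk at -61) has the same body as the __weak default this patch adds in virt/kvm/kvm_main.c; both return kvm_arch_vcpu_runnable(vcpu). The powerpc copy can be dropped, or it needs a comment saying why powerpc overrides the default with identical behaviour.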
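Review bot: svm_dy_apicv_has_pending_interrupt() in arch/x86/kvm/svm.c (hunk at -5146) returns false unconditionally and has no comment. Since kvm_arch_dy_runnable() calls it whenever apicv_active is set, say whether a pending AVIC interrupt is deliberately ignored for directed yield or simply not implemented here.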
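Review bot: kvm_arch_dy_runnable() in arch/x86/kvm/x86.c (hunk at -9336) carries no comment saying that it runs outside a vcpu_load/vcpu_put pair and therefore checks only a subset of events; that explanation sits only on the weak default in virt/kvm/kvm_main.c. A short comment on the x86 version would guard against a later change adding a check that touches the current VMCS again, which is the leak the commit message describes. The line `if (vcpu->arch.apicv_active && kvm_x86_ops->dy_apicv_has_pending_interrupt(vcpu))` is also over 80 columns.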
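Review bot: the new loop in ieee80211_sta_wmm_params() (net/mac80211/mlme.c hunk at -1967) treats `params[ac].cw_min == 0` as "this AC was never filled in", which only holds if params[] is zeroed before the IE is parsed; that initialisation is outside the visible context, so the comment should state the assumption. The log text says "missing AC %d" although the commit message also names a repeated Access Category as a cause, so "missing or duplicated" would describe the condition more accurately.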
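Review bot: in mwifiex_is_wpa_oui_present() (scan.c hunk at -181), the pointer is advanced by WPA_GTK_OUI_OFFSET after only has_vendor_hdr() has been checked; confirm that the IE length is validated for those extra bytes before mwifiex_search_oui_in_ie() reads from iebody. The new `#define WPA_GTK_OUI_OFFSET 2` in main.h is also a bare constant with no comment on which two bytes of the WPA IE body it skips, and it repeats the value of RSN_GTK_OUI_OFFSET without saying why the two are kept separate.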
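Review bot: in _nfs4_do_setattr() (fs/nfs/nfs4proc.c hunk at -3133), the new condition mixes an explicit `ctx != NULL` with a bare `ctx->state`; pick one style. More useful would be a one-line comment that an open context can exist without NFSv4 state (open mode 3, per the commit message), because the `nfs4_valid_open_stateid(ctx->state)` call just below reads as if state were always set.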
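Review bot: in smb2_reconnect() (smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch, fs/cifs/smb2pdu.c hunk at -168), `smb2_command == SMB2_IOCTL` makes every ioctl skip the reconnect check, while the commit message only motivates the validate negotiate request. If other ioctls are meant to keep reconnecting, the test needs to be narrower; if not, say so in a comment above the condition. The commit message also spells the command SMB2_IOCL where the code uses SMB2_IOCTL.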
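Review bot: in SMB2_sess_alloc_buffer() (smb3-send-cap_dfs-capability-during-session-setup.patch, hunk at -1006), the closing `#endif /* DFS_UPCALL */` does not name the macro it closes; use `/* CONFIG_CIFS_DFS_UPCALL */` so a search for the symbol finds both ends. The trailer `Reviewed-off-by:` in the commit message is presumably meant to be `Reviewed-by:`.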