From: Greg Kroah-Hartman Date: Mon, 22 May 2017 16:07:48 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.55~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=223fc25e6793d83de72addd4e4c00c9c2faa2e28;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: dm-btree-fix-for-dm_btree_find_lowest_key.patch dm-bufio-avoid-a-possible-abba-deadlock.patch dm-bufio-check-new-buffer-allocation-watermark-every-30-seconds.patch dm-bufio-make-the-parameter-retain_bytes-unsigned-long.patch dm-cache-metadata-fail-operations-if-fail_io-mode-has-been-established.patch dm-raid-select-the-kconfig-option-config_md_raid0.patch dm-space-map-disk-fix-some-book-keeping-in-the-disk-space-map.patch dm-thin-metadata-call-precommit-before-saving-the-roots.patch infiniband-call-ipv6-route-lookup-via-the-stub-interface.patch md-update-slab_cache-before-releasing-new-stripes-when-stripes-resizing.patch mwifiex-pcie-fix-cmd_buf-use-after-free-in-remove-reset.patch rtlwifi-rtl8821ae-setup-8812ae-rfe-according-to-device-type.patch tpm_crb-check-for-bad-response-size.patch --- diff --git a/queue-4.4/dm-btree-fix-for-dm_btree_find_lowest_key.patch b/queue-4.4/dm-btree-fix-for-dm_btree_find_lowest_key.patch new file mode 100644 index 00000000000..602057d4a1c --- /dev/null +++ b/queue-4.4/dm-btree-fix-for-dm_btree_find_lowest_key.patch @@ -0,0 +1,46 @@ +From 7d1fedb6e96a960aa91e4ff70714c3fb09195a5a Mon Sep 17 00:00:00 2001 +From: Vinothkumar Raja +Date: Thu, 6 Apr 2017 22:09:38 -0400 +Subject: dm btree: fix for dm_btree_find_lowest_key() + +From: Vinothkumar Raja + +commit 7d1fedb6e96a960aa91e4ff70714c3fb09195a5a upstream. + +dm_btree_find_lowest_key() is giving incorrect results. find_key() +traverses the btree correctly for finding the highest key, but there is +an error in the way it traverses the btree for retrieving the lowest +key. dm_btree_find_lowest_key() fetches the first key of the rightmost +block of the btree instead of fetching the first key from the leftmost +block. + +Fix this by conditionally passing the correct parameter to value64() +based on the @find_highest flag. + +Signed-off-by: Erez Zadok +Signed-off-by: Vinothkumar Raja +Signed-off-by: Nidhi Panpalia +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/persistent-data/dm-btree.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/md/persistent-data/dm-btree.c ++++ b/drivers/md/persistent-data/dm-btree.c +@@ -887,8 +887,12 @@ static int find_key(struct ro_spine *s, + else + *result_key = le64_to_cpu(ro_node(s)->keys[0]); + +- if (next_block || flags & INTERNAL_NODE) +- block = value64(ro_node(s), i); ++ if (next_block || flags & INTERNAL_NODE) { ++ if (find_highest) ++ block = value64(ro_node(s), i); ++ else ++ block = value64(ro_node(s), 0); ++ } + + } while (flags & INTERNAL_NODE); + diff --git a/queue-4.4/dm-bufio-avoid-a-possible-abba-deadlock.patch b/queue-4.4/dm-bufio-avoid-a-possible-abba-deadlock.patch new file mode 100644 index 00000000000..8a53f738182 --- /dev/null +++ b/queue-4.4/dm-bufio-avoid-a-possible-abba-deadlock.patch @@ -0,0 +1,50 @@ +From 1b0fb5a5b2dc0dddcfa575060441a7176ba7ac37 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 30 Apr 2017 17:33:26 -0400 +Subject: dm bufio: avoid a possible ABBA deadlock + +From: Mikulas Patocka + +commit 1b0fb5a5b2dc0dddcfa575060441a7176ba7ac37 upstream. + +__get_memory_limit() tests if dm_bufio_cache_size changed and calls +__cache_size_refresh() if it did. It takes dm_bufio_clients_lock while +it already holds the client lock. However, lock ordering is violated +because in cleanup_old_buffers() dm_bufio_clients_lock is taken before +the client lock. + +This results in a possible deadlock and lockdep engine warning. + +Fix this deadlock by changing mutex_lock() to mutex_trylock(). If the +lock can't be taken, it will be re-checked next time when a new buffer +is allocated. + +Also add "unlikely" to the if condition, so that the optimizer assumes +that the condition is false. + +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-bufio.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/md/dm-bufio.c ++++ b/drivers/md/dm-bufio.c +@@ -914,10 +914,11 @@ static void __get_memory_limit(struct dm + { + unsigned long buffers; + +- if (ACCESS_ONCE(dm_bufio_cache_size) != dm_bufio_cache_size_latch) { +- mutex_lock(&dm_bufio_clients_lock); +- __cache_size_refresh(); +- mutex_unlock(&dm_bufio_clients_lock); ++ if (unlikely(ACCESS_ONCE(dm_bufio_cache_size) != dm_bufio_cache_size_latch)) { ++ if (mutex_trylock(&dm_bufio_clients_lock)) { ++ __cache_size_refresh(); ++ mutex_unlock(&dm_bufio_clients_lock); ++ } + } + + buffers = dm_bufio_cache_size_per_client >> diff --git a/queue-4.4/dm-bufio-check-new-buffer-allocation-watermark-every-30-seconds.patch b/queue-4.4/dm-bufio-check-new-buffer-allocation-watermark-every-30-seconds.patch new file mode 100644 index 00000000000..1a75143d0cd --- /dev/null +++ b/queue-4.4/dm-bufio-check-new-buffer-allocation-watermark-every-30-seconds.patch @@ -0,0 +1,61 @@ +From 390020ad2af9ca04844c4f3b1f299ad8746d84c8 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 30 Apr 2017 17:34:53 -0400 +Subject: dm bufio: check new buffer allocation watermark every 30 seconds + +From: Mikulas Patocka + +commit 390020ad2af9ca04844c4f3b1f299ad8746d84c8 upstream. + +dm-bufio checks a watermark when it allocates a new buffer in +__bufio_new(). However, it doesn't check the watermark when the user +changes /sys/module/dm_bufio/parameters/max_cache_size_bytes. + +This may result in a problem - if the watermark is high enough so that +all possible buffers are allocated and if the user lowers the value of +"max_cache_size_bytes", the watermark will never be checked against the +new value because no new buffer would be allocated. + +To fix this, change __evict_old_buffers() so that it checks the +watermark. __evict_old_buffers() is called every 30 seconds, so if the +user reduces "max_cache_size_bytes", dm-bufio will react to this change +within 30 seconds and decrease memory consumption. + +Depends-on: 1b0fb5a5b2 ("dm bufio: avoid a possible ABBA deadlock") +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-bufio.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/md/dm-bufio.c ++++ b/drivers/md/dm-bufio.c +@@ -1755,9 +1755,17 @@ static void __evict_old_buffers(struct d + struct dm_buffer *b, *tmp; + unsigned retain_target = get_retain_buffers(c); + unsigned count; ++ LIST_HEAD(write_list); + + dm_bufio_lock(c); + ++ __check_watermark(c, &write_list); ++ if (unlikely(!list_empty(&write_list))) { ++ dm_bufio_unlock(c); ++ __flush_write_list(&write_list); ++ dm_bufio_lock(c); ++ } ++ + count = c->n_buffers[LIST_CLEAN] + c->n_buffers[LIST_DIRTY]; + list_for_each_entry_safe_reverse(b, tmp, &c->lru[LIST_CLEAN], lru_list) { + if (count <= retain_target) +@@ -1782,6 +1790,8 @@ static void cleanup_old_buffers(void) + + mutex_lock(&dm_bufio_clients_lock); + ++ __cache_size_refresh(); ++ + list_for_each_entry(c, &dm_bufio_all_clients, client_list) + __evict_old_buffers(c, max_age_hz); + diff --git a/queue-4.4/dm-bufio-make-the-parameter-retain_bytes-unsigned-long.patch b/queue-4.4/dm-bufio-make-the-parameter-retain_bytes-unsigned-long.patch new file mode 100644 index 00000000000..3a3cafe0556 --- /dev/null +++ b/queue-4.4/dm-bufio-make-the-parameter-retain_bytes-unsigned-long.patch @@ -0,0 +1,85 @@ +From 13840d38016203f0095cd547b90352812d24b787 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 30 Apr 2017 17:32:28 -0400 +Subject: dm bufio: make the parameter "retain_bytes" unsigned long + +From: Mikulas Patocka + +commit 13840d38016203f0095cd547b90352812d24b787 upstream. + +Change the type of the parameter "retain_bytes" from unsigned to +unsigned long, so that on 64-bit machines the user can set more than +4GiB of data to be retained. + +Also, change the type of the variable "count" in the function +"__evict_old_buffers" to unsigned long. The assignment +"count = c->n_buffers[LIST_CLEAN] + c->n_buffers[LIST_DIRTY];" +could result in unsigned long to unsigned overflow and that could result +in buffers not being freed when they should. + +While at it, avoid division in get_retain_buffers(). Division is slow, +we can change it to shift because we have precalculated the log2 of +block size. + +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-bufio.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/md/dm-bufio.c ++++ b/drivers/md/dm-bufio.c +@@ -222,7 +222,7 @@ static DEFINE_SPINLOCK(param_spinlock); + * Buffers are freed after this timeout + */ + static unsigned dm_bufio_max_age = DM_BUFIO_DEFAULT_AGE_SECS; +-static unsigned dm_bufio_retain_bytes = DM_BUFIO_DEFAULT_RETAIN_BYTES; ++static unsigned long dm_bufio_retain_bytes = DM_BUFIO_DEFAULT_RETAIN_BYTES; + + static unsigned long dm_bufio_peak_allocated; + static unsigned long dm_bufio_allocated_kmem_cache; +@@ -1514,10 +1514,10 @@ static bool __try_evict_buffer(struct dm + return true; + } + +-static unsigned get_retain_buffers(struct dm_bufio_client *c) ++static unsigned long get_retain_buffers(struct dm_bufio_client *c) + { +- unsigned retain_bytes = ACCESS_ONCE(dm_bufio_retain_bytes); +- return retain_bytes / c->block_size; ++ unsigned long retain_bytes = ACCESS_ONCE(dm_bufio_retain_bytes); ++ return retain_bytes >> (c->sectors_per_block_bits + SECTOR_SHIFT); + } + + static unsigned long __scan(struct dm_bufio_client *c, unsigned long nr_to_scan, +@@ -1527,7 +1527,7 @@ static unsigned long __scan(struct dm_bu + struct dm_buffer *b, *tmp; + unsigned long freed = 0; + unsigned long count = nr_to_scan; +- unsigned retain_target = get_retain_buffers(c); ++ unsigned long retain_target = get_retain_buffers(c); + + for (l = 0; l < LIST_SIZE; l++) { + list_for_each_entry_safe_reverse(b, tmp, &c->lru[l], lru_list) { +@@ -1753,8 +1753,8 @@ static bool older_than(struct dm_buffer + static void __evict_old_buffers(struct dm_bufio_client *c, unsigned long age_hz) + { + struct dm_buffer *b, *tmp; +- unsigned retain_target = get_retain_buffers(c); +- unsigned count; ++ unsigned long retain_target = get_retain_buffers(c); ++ unsigned long count; + LIST_HEAD(write_list); + + dm_bufio_lock(c); +@@ -1915,7 +1915,7 @@ MODULE_PARM_DESC(max_cache_size_bytes, " + module_param_named(max_age_seconds, dm_bufio_max_age, uint, S_IRUGO | S_IWUSR); + MODULE_PARM_DESC(max_age_seconds, "Max age of a buffer in seconds"); + +-module_param_named(retain_bytes, dm_bufio_retain_bytes, uint, S_IRUGO | S_IWUSR); ++module_param_named(retain_bytes, dm_bufio_retain_bytes, ulong, S_IRUGO | S_IWUSR); + MODULE_PARM_DESC(retain_bytes, "Try to keep at least this many bytes cached in memory"); + + module_param_named(peak_allocated_bytes, dm_bufio_peak_allocated, ulong, S_IRUGO | S_IWUSR); diff --git a/queue-4.4/dm-cache-metadata-fail-operations-if-fail_io-mode-has-been-established.patch b/queue-4.4/dm-cache-metadata-fail-operations-if-fail_io-mode-has-been-established.patch new file mode 100644 index 00000000000..6bd61403ecd --- /dev/null +++ b/queue-4.4/dm-cache-metadata-fail-operations-if-fail_io-mode-has-been-established.patch @@ -0,0 +1,65 @@ +From 10add84e276432d9dd8044679a1028dd4084117e Mon Sep 17 00:00:00 2001 +From: Mike Snitzer +Date: Fri, 5 May 2017 14:40:13 -0400 +Subject: dm cache metadata: fail operations if fail_io mode has been established + +From: Mike Snitzer + +commit 10add84e276432d9dd8044679a1028dd4084117e upstream. + +Otherwise it is possible to trigger crashes due to the metadata being +inaccessible yet these methods don't safely account for that possibility +without these checks. + +Reported-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-cache-metadata.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/md/dm-cache-metadata.c ++++ b/drivers/md/dm-cache-metadata.c +@@ -1326,17 +1326,19 @@ void dm_cache_metadata_set_stats(struct + + int dm_cache_commit(struct dm_cache_metadata *cmd, bool clean_shutdown) + { +- int r; ++ int r = -EINVAL; + flags_mutator mutator = (clean_shutdown ? set_clean_shutdown : + clear_clean_shutdown); + + WRITE_LOCK(cmd); ++ if (cmd->fail_io) ++ goto out; ++ + r = __commit_transaction(cmd, mutator); + if (r) + goto out; + + r = __begin_transaction(cmd); +- + out: + WRITE_UNLOCK(cmd); + return r; +@@ -1348,7 +1350,8 @@ int dm_cache_get_free_metadata_block_cou + int r = -EINVAL; + + READ_LOCK(cmd); +- r = dm_sm_get_nr_free(cmd->metadata_sm, result); ++ if (!cmd->fail_io) ++ r = dm_sm_get_nr_free(cmd->metadata_sm, result); + READ_UNLOCK(cmd); + + return r; +@@ -1360,7 +1363,8 @@ int dm_cache_get_metadata_dev_size(struc + int r = -EINVAL; + + READ_LOCK(cmd); +- r = dm_sm_get_nr_blocks(cmd->metadata_sm, result); ++ if (!cmd->fail_io) ++ r = dm_sm_get_nr_blocks(cmd->metadata_sm, result); + READ_UNLOCK(cmd); + + return r; diff --git a/queue-4.4/dm-raid-select-the-kconfig-option-config_md_raid0.patch b/queue-4.4/dm-raid-select-the-kconfig-option-config_md_raid0.patch new file mode 100644 index 00000000000..ee8f2dd61aa --- /dev/null +++ b/queue-4.4/dm-raid-select-the-kconfig-option-config_md_raid0.patch @@ -0,0 +1,33 @@ +From 7b81ef8b14f80033e4a4168d199a0f5fd79b9426 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 28 Mar 2017 12:53:39 -0400 +Subject: dm raid: select the Kconfig option CONFIG_MD_RAID0 + +From: Mikulas Patocka + +commit 7b81ef8b14f80033e4a4168d199a0f5fd79b9426 upstream. + +Since the commit 0cf4503174c1 ("dm raid: add support for the MD RAID0 +personality"), the dm-raid subsystem can activate a RAID-0 array. +Therefore, add MD_RAID0 to the dependencies of DM_RAID, so that MD_RAID0 +will be selected when DM_RAID is selected. + +Fixes: 0cf4503174c1 ("dm raid: add support for the MD RAID0 personality") +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/md/Kconfig ++++ b/drivers/md/Kconfig +@@ -357,6 +357,7 @@ config DM_LOG_USERSPACE + config DM_RAID + tristate "RAID 1/4/5/6/10 target" + depends on BLK_DEV_DM ++ select MD_RAID0 + select MD_RAID1 + select MD_RAID10 + select MD_RAID456 diff --git a/queue-4.4/dm-space-map-disk-fix-some-book-keeping-in-the-disk-space-map.patch b/queue-4.4/dm-space-map-disk-fix-some-book-keeping-in-the-disk-space-map.patch new file mode 100644 index 00000000000..529c992e673 --- /dev/null +++ b/queue-4.4/dm-space-map-disk-fix-some-book-keeping-in-the-disk-space-map.patch @@ -0,0 +1,47 @@ +From 0377a07c7a035e0d033cd8b29f0cb15244c0916a Mon Sep 17 00:00:00 2001 +From: Joe Thornber +Date: Mon, 15 May 2017 09:45:40 -0400 +Subject: dm space map disk: fix some book keeping in the disk space map + +From: Joe Thornber + +commit 0377a07c7a035e0d033cd8b29f0cb15244c0916a upstream. + +When decrementing the reference count for a block, the free count wasn't +being updated if the reference count went to zero. + +Signed-off-by: Joe Thornber +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/persistent-data/dm-space-map-disk.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/drivers/md/persistent-data/dm-space-map-disk.c ++++ b/drivers/md/persistent-data/dm-space-map-disk.c +@@ -142,10 +142,23 @@ static int sm_disk_inc_block(struct dm_s + + static int sm_disk_dec_block(struct dm_space_map *sm, dm_block_t b) + { ++ int r; ++ uint32_t old_count; + enum allocation_event ev; + struct sm_disk *smd = container_of(sm, struct sm_disk, sm); + +- return sm_ll_dec(&smd->ll, b, &ev); ++ r = sm_ll_dec(&smd->ll, b, &ev); ++ if (!r && (ev == SM_FREE)) { ++ /* ++ * It's only free if it's also free in the last ++ * transaction. ++ */ ++ r = sm_ll_lookup(&smd->old_ll, b, &old_count); ++ if (!r && !old_count) ++ smd->nr_allocated_this_transaction--; ++ } ++ ++ return r; + } + + static int sm_disk_new_block(struct dm_space_map *sm, dm_block_t *b) diff --git a/queue-4.4/dm-thin-metadata-call-precommit-before-saving-the-roots.patch b/queue-4.4/dm-thin-metadata-call-precommit-before-saving-the-roots.patch new file mode 100644 index 00000000000..5a082714ee0 --- /dev/null +++ b/queue-4.4/dm-thin-metadata-call-precommit-before-saving-the-roots.patch @@ -0,0 +1,35 @@ +From 91bcdb92d39711d1adb40c26b653b7978d93eb98 Mon Sep 17 00:00:00 2001 +From: Joe Thornber +Date: Mon, 15 May 2017 09:43:05 -0400 +Subject: dm thin metadata: call precommit before saving the roots + +From: Joe Thornber + +commit 91bcdb92d39711d1adb40c26b653b7978d93eb98 upstream. + +These calls were the wrong way round in __write_initial_superblock. + +Signed-off-by: Joe Thornber +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-thin-metadata.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-thin-metadata.c ++++ b/drivers/md/dm-thin-metadata.c +@@ -485,11 +485,11 @@ static int __write_initial_superblock(st + if (r < 0) + return r; + +- r = save_sm_roots(pmd); ++ r = dm_tm_pre_commit(pmd->tm); + if (r < 0) + return r; + +- r = dm_tm_pre_commit(pmd->tm); ++ r = save_sm_roots(pmd); + if (r < 0) + return r; + diff --git a/queue-4.4/infiniband-call-ipv6-route-lookup-via-the-stub-interface.patch b/queue-4.4/infiniband-call-ipv6-route-lookup-via-the-stub-interface.patch new file mode 100644 index 00000000000..7d9eb8c1d37 --- /dev/null +++ b/queue-4.4/infiniband-call-ipv6-route-lookup-via-the-stub-interface.patch @@ -0,0 +1,42 @@ +From eea40b8f624f25cbc02d55f2d93203f60cee9341 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Fri, 28 Apr 2017 11:20:01 +0200 +Subject: infiniband: call ipv6 route lookup via the stub interface + +From: Paolo Abeni + +commit eea40b8f624f25cbc02d55f2d93203f60cee9341 upstream. + +The infiniband address handle can be triggered to resolve an ipv6 +address in response to MAD packets, regardless of the ipv6 +module being disabled via the kernel command line argument. + +That will cause a call into the ipv6 routing code, which is not +initialized, and a conseguent oops. + +This commit addresses the above issue replacing the direct lookup +call with an indirect one via the ipv6 stub, which is properly +initialized according to the ipv6 status (e.g. if ipv6 is +disabled, the routing lookup fails gracefully) + +Signed-off-by: Paolo Abeni +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/addr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/core/addr.c ++++ b/drivers/infiniband/core/addr.c +@@ -277,8 +277,8 @@ static int addr6_resolve(struct sockaddr + fl6.saddr = src_in->sin6_addr; + fl6.flowi6_oif = addr->bound_dev_if; + +- dst = ip6_route_output(addr->net, NULL, &fl6); +- if ((ret = dst->error)) ++ ret = ipv6_stub->ipv6_dst_lookup(addr->net, NULL, &dst, &fl6); ++ if (ret < 0) + goto put; + + if (ipv6_addr_any(&fl6.saddr)) { diff --git a/queue-4.4/md-update-slab_cache-before-releasing-new-stripes-when-stripes-resizing.patch b/queue-4.4/md-update-slab_cache-before-releasing-new-stripes-when-stripes-resizing.patch new file mode 100644 index 00000000000..62900ed2190 --- /dev/null +++ b/queue-4.4/md-update-slab_cache-before-releasing-new-stripes-when-stripes-resizing.patch @@ -0,0 +1,99 @@ +From 583da48e388f472e8818d9bb60ef6a1d40ee9f9d Mon Sep 17 00:00:00 2001 +From: Dennis Yang +Date: Wed, 29 Mar 2017 15:46:13 +0800 +Subject: md: update slab_cache before releasing new stripes when stripes resizing + +From: Dennis Yang + +commit 583da48e388f472e8818d9bb60ef6a1d40ee9f9d upstream. + +When growing raid5 device on machine with small memory, there is chance that +mdadm will be killed and the following bug report can be observed. The same +bug could also be reproduced in linux-4.10.6. + +[57600.075774] BUG: unable to handle kernel NULL pointer dereference at (null) +[57600.083796] IP: [] _raw_spin_lock+0x7/0x20 +[57600.110378] PGD 421cf067 PUD 4442d067 PMD 0 +[57600.114678] Oops: 0002 [#1] SMP +[57600.180799] CPU: 1 PID: 25990 Comm: mdadm Tainted: P O 4.2.8 #1 +[57600.187849] Hardware name: To be filled by O.E.M. To be filled by O.E.M./MAHOBAY, BIOS QV05AR66 03/06/2013 +[57600.197490] task: ffff880044e47240 ti: ffff880043070000 task.ti: ffff880043070000 +[57600.204963] RIP: 0010:[] [] _raw_spin_lock+0x7/0x20 +[57600.213057] RSP: 0018:ffff880043073810 EFLAGS: 00010046 +[57600.218359] RAX: 0000000000000000 RBX: 000000000000000c RCX: ffff88011e296dd0 +[57600.225486] RDX: 0000000000000001 RSI: ffffe8ffffcb46c0 RDI: 0000000000000000 +[57600.232613] RBP: ffff880043073878 R08: ffff88011e5f8170 R09: 0000000000000282 +[57600.239739] R10: 0000000000000005 R11: 28f5c28f5c28f5c3 R12: ffff880043073838 +[57600.246872] R13: ffffe8ffffcb46c0 R14: 0000000000000000 R15: ffff8800b9706a00 +[57600.253999] FS: 00007f576106c700(0000) GS:ffff88011e280000(0000) knlGS:0000000000000000 +[57600.262078] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[57600.267817] CR2: 0000000000000000 CR3: 00000000428fe000 CR4: 00000000001406e0 +[57600.274942] Stack: +[57600.276949] ffffffff8114ee35 ffff880043073868 0000000000000282 000000000000eb3f +[57600.284383] ffffffff81119043 ffff880043073838 ffff880043073838 ffff88003e197b98 +[57600.291820] ffffe8ffffcb46c0 ffff88003e197360 0000000000000286 ffff880043073968 +[57600.299254] Call Trace: +[57600.301698] [] ? cache_flusharray+0x35/0xe0 +[57600.307523] [] ? __page_cache_release+0x23/0x110 +[57600.313779] [] kmem_cache_free+0x63/0xc0 +[57600.319344] [] drop_one_stripe+0x62/0x90 +[57600.324915] [] raid5_cache_scan+0x8b/0xb0 +[57600.330563] [] shrink_slab.part.36+0x19a/0x250 +[57600.336650] [] shrink_zone+0x23c/0x250 +[57600.342039] [] do_try_to_free_pages+0x153/0x420 +[57600.348210] [] try_to_free_pages+0x91/0xa0 +[57600.353959] [] __alloc_pages_nodemask+0x4d1/0x8b0 +[57600.360303] [] check_reshape+0x62b/0x770 +[57600.365866] [] raid5_check_reshape+0x55/0xa0 +[57600.371778] [] update_raid_disks+0xc7/0x110 +[57600.377604] [] md_ioctl+0xd83/0x1b10 +[57600.382827] [] blkdev_ioctl+0x170/0x690 +[57600.388307] [] block_ioctl+0x38/0x40 +[57600.393525] [] do_vfs_ioctl+0x2b5/0x480 +[57600.399010] [] ? vfs_write+0x14b/0x1f0 +[57600.404400] [] SyS_ioctl+0x3c/0x70 +[57600.409447] [] entry_SYSCALL_64_fastpath+0x12/0x6a +[57600.415875] Code: 00 00 00 00 55 48 89 e5 8b 07 85 c0 74 04 31 c0 5d c3 ba 01 00 00 00 f0 0f b1 17 85 c0 75 ef b0 01 5d c3 90 31 c0 ba 01 00 00 00 0f b1 17 85 c0 75 01 c3 55 89 c6 48 89 e5 e8 85 d1 63 ff 5d +[57600.435460] RIP [] _raw_spin_lock+0x7/0x20 +[57600.441208] RSP +[57600.444690] CR2: 0000000000000000 +[57600.448000] ---[ end trace cbc6b5cc4bf9831d ]--- + +The problem is that resize_stripes() releases new stripe_heads before assigning new +slab cache to conf->slab_cache. If the shrinker function raid5_cache_scan() gets called +after resize_stripes() starting releasing new stripes but right before new slab cache +being assigned, it is possible that these new stripe_heads will be freed with the old +slab_cache which was already been destoryed and that triggers this bug. + +Signed-off-by: Dennis Yang +Fixes: edbe83ab4c27 ("md/raid5: allow the stripe_cache to grow and shrink.") +Reviewed-by: NeilBrown +Signed-off-by: Shaohua Li +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid5.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -2232,6 +2232,10 @@ static int resize_stripes(struct r5conf + err = -ENOMEM; + + mutex_unlock(&conf->cache_size_mutex); ++ ++ conf->slab_cache = sc; ++ conf->active_name = 1-conf->active_name; ++ + /* Step 4, return new stripes to service */ + while(!list_empty(&newstripes)) { + nsh = list_entry(newstripes.next, struct stripe_head, lru); +@@ -2249,8 +2253,6 @@ static int resize_stripes(struct r5conf + } + /* critical section pass, GFP_NOIO no longer needed */ + +- conf->slab_cache = sc; +- conf->active_name = 1-conf->active_name; + if (!err) + conf->pool_size = newsize; + return err; diff --git a/queue-4.4/mwifiex-pcie-fix-cmd_buf-use-after-free-in-remove-reset.patch b/queue-4.4/mwifiex-pcie-fix-cmd_buf-use-after-free-in-remove-reset.patch new file mode 100644 index 00000000000..f50f58f4f83 --- /dev/null +++ b/queue-4.4/mwifiex-pcie-fix-cmd_buf-use-after-free-in-remove-reset.patch @@ -0,0 +1,144 @@ +From 3c8cb9ad032d737b874e402c59eb51e3c991a144 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Fri, 14 Apr 2017 14:51:17 -0700 +Subject: mwifiex: pcie: fix cmd_buf use-after-free in remove/reset + +From: Brian Norris + +commit 3c8cb9ad032d737b874e402c59eb51e3c991a144 upstream. + +Command buffers (skb's) are allocated by the main driver, and freed upon +the last use. That last use is often in mwifiex_free_cmd_buffer(). In +the meantime, if the command buffer gets used by the PCI driver, we map +it as DMA-able, and store the mapping information in the 'cb' memory. + +However, if a command was in-flight when resetting the device (and +therefore was still mapped), we don't get a chance to unmap this memory +until after the core has cleaned up its command handling. + +Let's keep a refcount within the PCI driver, so we ensure the memory +only gets freed after we've finished unmapping it. + +Noticed by KASAN when forcing a reset via: + + echo 1 > /sys/bus/pci/.../reset + +The same code path can presumably be exercised in remove() and +shutdown(). + +[ 205.390377] mwifiex_pcie 0000:01:00.0: info: shutdown mwifiex... +[ 205.400393] ================================================================== +[ 205.407719] BUG: KASAN: use-after-free in mwifiex_unmap_pci_memory.isra.14+0x4c/0x100 [mwifiex_pcie] at addr ffffffc0ad471b28 +[ 205.419040] Read of size 16 by task bash/1913 +[ 205.423421] ============================================================================= +[ 205.431625] BUG skbuff_head_cache (Tainted: G B ): kasan: bad access detected +[ 205.439815] ----------------------------------------------------------------------------- +[ 205.439815] +[ 205.449534] INFO: Allocated in __build_skb+0x48/0x114 age=1311 cpu=4 pid=1913 +[ 205.456709] alloc_debug_processing+0x124/0x178 +[ 205.461282] ___slab_alloc.constprop.58+0x528/0x608 +[ 205.466196] __slab_alloc.isra.54.constprop.57+0x44/0x54 +[ 205.471542] kmem_cache_alloc+0xcc/0x278 +[ 205.475497] __build_skb+0x48/0x114 +[ 205.479019] __netdev_alloc_skb+0xe0/0x170 +[ 205.483244] mwifiex_alloc_cmd_buffer+0x68/0xdc [mwifiex] +[ 205.488759] mwifiex_init_fw+0x40/0x6cc [mwifiex] +[ 205.493584] _mwifiex_fw_dpc+0x158/0x520 [mwifiex] +[ 205.498491] mwifiex_reinit_sw+0x2c4/0x398 [mwifiex] +[ 205.503510] mwifiex_pcie_reset_notify+0x114/0x15c [mwifiex_pcie] +[ 205.509643] pci_reset_notify+0x5c/0x6c +[ 205.513519] pci_reset_function+0x6c/0x7c +[ 205.517567] reset_store+0x68/0x98 +[ 205.521003] dev_attr_store+0x54/0x60 +[ 205.524705] sysfs_kf_write+0x9c/0xb0 +[ 205.528413] INFO: Freed in __kfree_skb+0xb0/0xbc age=131 cpu=4 pid=1913 +[ 205.535064] free_debug_processing+0x264/0x370 +[ 205.539550] __slab_free+0x84/0x40c +[ 205.543075] kmem_cache_free+0x1c8/0x2a0 +[ 205.547030] __kfree_skb+0xb0/0xbc +[ 205.550465] consume_skb+0x164/0x178 +[ 205.554079] __dev_kfree_skb_any+0x58/0x64 +[ 205.558304] mwifiex_free_cmd_buffer+0xa0/0x158 [mwifiex] +[ 205.563817] mwifiex_shutdown_drv+0x578/0x5c4 [mwifiex] +[ 205.569164] mwifiex_shutdown_sw+0x178/0x310 [mwifiex] +[ 205.574353] mwifiex_pcie_reset_notify+0xd4/0x15c [mwifiex_pcie] +[ 205.580398] pci_reset_notify+0x5c/0x6c +[ 205.584274] pci_dev_save_and_disable+0x24/0x6c +[ 205.588837] pci_reset_function+0x30/0x7c +[ 205.592885] reset_store+0x68/0x98 +[ 205.596324] dev_attr_store+0x54/0x60 +[ 205.600017] sysfs_kf_write+0x9c/0xb0 +... +[ 205.800488] Call trace: +[ 205.802980] [] dump_backtrace+0x0/0x190 +[ 205.808415] [] show_stack+0x20/0x28 +[ 205.813506] [] dump_stack+0xa4/0xcc +[ 205.818598] [] print_trailer+0x158/0x168 +[ 205.824120] [] object_err+0x4c/0x5c +[ 205.829210] [] kasan_report+0x334/0x500 +[ 205.834641] [] check_memory_region+0x20/0x14c +[ 205.840593] [] __asan_loadN+0x14/0x1c +[ 205.845879] [] mwifiex_unmap_pci_memory.isra.14+0x4c/0x100 [mwifiex_pcie] +[ 205.854282] [] mwifiex_pcie_delete_cmdrsp_buf+0x94/0xa8 [mwifiex_pcie] +[ 205.862421] [] mwifiex_pcie_free_buffers+0x11c/0x158 [mwifiex_pcie] +[ 205.870302] [] mwifiex_pcie_down_dev+0x70/0x80 [mwifiex_pcie] +[ 205.877736] [] mwifiex_shutdown_sw+0x190/0x310 [mwifiex] +[ 205.884658] [] mwifiex_pcie_reset_notify+0xd4/0x15c [mwifiex_pcie] +[ 205.892446] [] pci_reset_notify+0x5c/0x6c +[ 205.898048] [] pci_dev_save_and_disable+0x24/0x6c +[ 205.904350] [] pci_reset_function+0x30/0x7c +[ 205.910134] [] reset_store+0x68/0x98 +[ 205.915312] [] dev_attr_store+0x54/0x60 +[ 205.920750] [] sysfs_kf_write+0x9c/0xb0 +[ 205.926182] [] kernfs_fop_write+0x184/0x1f8 +[ 205.931963] [] __vfs_write+0x6c/0x17c +[ 205.937221] [] vfs_write+0xf0/0x1c4 +[ 205.942310] [] SyS_write+0x78/0xd8 +[ 205.947312] [] el0_svc_naked+0x24/0x28 +... +[ 205.998268] ================================================================== + +This bug has been around in different forms for a while. It was sort of +noticed in commit 955ab095c51a ("mwifiex: Do not kfree cmd buf while +unregistering PCIe"), but it just fixed the double-free, without +acknowledging the potential for use-after-free. + +Fixes: fc3314609047 ("mwifiex: use pci_alloc/free_consistent APIs for PCIe") +Signed-off-by: Brian Norris +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mwifiex/pcie.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/net/wireless/mwifiex/pcie.c ++++ b/drivers/net/wireless/mwifiex/pcie.c +@@ -947,6 +947,7 @@ static int mwifiex_pcie_delete_cmdrsp_bu + if (card && card->cmd_buf) { + mwifiex_unmap_pci_memory(adapter, card->cmd_buf, + PCI_DMA_TODEVICE); ++ dev_kfree_skb_any(card->cmd_buf); + } + return 0; + } +@@ -1513,6 +1514,11 @@ mwifiex_pcie_send_cmd(struct mwifiex_ada + return -1; + + card->cmd_buf = skb; ++ /* ++ * Need to keep a reference, since core driver might free up this ++ * buffer before we've unmapped it. ++ */ ++ skb_get(skb); + + /* To send a command, the driver will: + 1. Write the 64bit physical address of the data buffer to +@@ -1610,6 +1616,7 @@ static int mwifiex_pcie_process_cmd_comp + if (card->cmd_buf) { + mwifiex_unmap_pci_memory(adapter, card->cmd_buf, + PCI_DMA_TODEVICE); ++ dev_kfree_skb_any(card->cmd_buf); + card->cmd_buf = NULL; + } + diff --git a/queue-4.4/rtlwifi-rtl8821ae-setup-8812ae-rfe-according-to-device-type.patch b/queue-4.4/rtlwifi-rtl8821ae-setup-8812ae-rfe-according-to-device-type.patch new file mode 100644 index 00000000000..dea6ccd4e75 --- /dev/null +++ b/queue-4.4/rtlwifi-rtl8821ae-setup-8812ae-rfe-according-to-device-type.patch @@ -0,0 +1,187 @@ +From 46cfa2148e7371c537efff1a1c693e58f523089d Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Sun, 16 Apr 2017 19:32:07 -0500 +Subject: rtlwifi: rtl8821ae: setup 8812ae RFE according to device type + +From: Larry Finger + +commit 46cfa2148e7371c537efff1a1c693e58f523089d upstream. + +Current channel switch implementation sets 8812ae RFE reg value assuming +that device always has type 2. + +Extend possible RFE types set and write corresponding reg values. + +Source for new code is +http://dlcdnet.asus.com/pub/ASUS/wireless/PCE-AC51/DR_PCE_AC51_20232801152016.zip + +Signed-off-by: Maxim Samoylov +Signed-off-by: Larry Finger +Cc: Yan-Hsuan Chuang +Cc: Pkshih +Cc: Birming Chiu +Cc: Shaofu +Cc: Steven Ting +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c | 122 ++++++++++++++++--- + drivers/net/wireless/realtek/rtlwifi/rtl8821ae/reg.h | 1 + 2 files changed, 107 insertions(+), 16 deletions(-) + +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c +@@ -359,6 +359,107 @@ bool rtl8821ae_phy_rf_config(struct ieee + return rtl8821ae_phy_rf6052_config(hw); + } + ++static void _rtl8812ae_phy_set_rfe_reg_24g(struct ieee80211_hw *hw) ++{ ++ struct rtl_priv *rtlpriv = rtl_priv(hw); ++ struct rtl_hal *rtlhal = rtl_hal(rtl_priv(hw)); ++ u8 tmp; ++ ++ switch (rtlhal->rfe_type) { ++ case 3: ++ rtl_set_bbreg(hw, RA_RFE_PINMUX, BMASKDWORD, 0x54337770); ++ rtl_set_bbreg(hw, RB_RFE_PINMUX, BMASKDWORD, 0x54337770); ++ rtl_set_bbreg(hw, RA_RFE_INV, BMASKRFEINV, 0x010); ++ rtl_set_bbreg(hw, RB_RFE_INV, BMASKRFEINV, 0x010); ++ rtl_set_bbreg(hw, 0x900, 0x00000303, 0x1); ++ break; ++ case 4: ++ rtl_set_bbreg(hw, RA_RFE_PINMUX, BMASKDWORD, 0x77777777); ++ rtl_set_bbreg(hw, RB_RFE_PINMUX, BMASKDWORD, 0x77777777); ++ rtl_set_bbreg(hw, RA_RFE_INV, BMASKRFEINV, 0x001); ++ rtl_set_bbreg(hw, RB_RFE_INV, BMASKRFEINV, 0x001); ++ break; ++ case 5: ++ rtl_write_byte(rtlpriv, RA_RFE_PINMUX + 2, 0x77); ++ rtl_set_bbreg(hw, RB_RFE_PINMUX, BMASKDWORD, 0x77777777); ++ tmp = rtl_read_byte(rtlpriv, RA_RFE_INV + 3); ++ rtl_write_byte(rtlpriv, RA_RFE_INV + 3, tmp & ~0x1); ++ rtl_set_bbreg(hw, RB_RFE_INV, BMASKRFEINV, 0x000); ++ break; ++ case 1: ++ if (rtlpriv->btcoexist.bt_coexistence) { ++ rtl_set_bbreg(hw, RA_RFE_PINMUX, 0xffffff, 0x777777); ++ rtl_set_bbreg(hw, RB_RFE_PINMUX, BMASKDWORD, ++ 0x77777777); ++ rtl_set_bbreg(hw, RA_RFE_INV, 0x33f00000, 0x000); ++ rtl_set_bbreg(hw, RB_RFE_INV, BMASKRFEINV, 0x000); ++ break; ++ } ++ case 0: ++ case 2: ++ default: ++ rtl_set_bbreg(hw, RA_RFE_PINMUX, BMASKDWORD, 0x77777777); ++ rtl_set_bbreg(hw, RB_RFE_PINMUX, BMASKDWORD, 0x77777777); ++ rtl_set_bbreg(hw, RA_RFE_INV, BMASKRFEINV, 0x000); ++ rtl_set_bbreg(hw, RB_RFE_INV, BMASKRFEINV, 0x000); ++ break; ++ } ++} ++ ++static void _rtl8812ae_phy_set_rfe_reg_5g(struct ieee80211_hw *hw) ++{ ++ struct rtl_priv *rtlpriv = rtl_priv(hw); ++ struct rtl_hal *rtlhal = rtl_hal(rtl_priv(hw)); ++ u8 tmp; ++ ++ switch (rtlhal->rfe_type) { ++ case 0: ++ rtl_set_bbreg(hw, RA_RFE_PINMUX, BMASKDWORD, 0x77337717); ++ rtl_set_bbreg(hw, RB_RFE_PINMUX, BMASKDWORD, 0x77337717); ++ rtl_set_bbreg(hw, RA_RFE_INV, BMASKRFEINV, 0x010); ++ rtl_set_bbreg(hw, RB_RFE_INV, BMASKRFEINV, 0x010); ++ break; ++ case 1: ++ if (rtlpriv->btcoexist.bt_coexistence) { ++ rtl_set_bbreg(hw, RA_RFE_PINMUX, 0xffffff, 0x337717); ++ rtl_set_bbreg(hw, RB_RFE_PINMUX, BMASKDWORD, ++ 0x77337717); ++ rtl_set_bbreg(hw, RA_RFE_INV, 0x33f00000, 0x000); ++ rtl_set_bbreg(hw, RB_RFE_INV, BMASKRFEINV, 0x000); ++ } else { ++ rtl_set_bbreg(hw, RA_RFE_PINMUX, BMASKDWORD, ++ 0x77337717); ++ rtl_set_bbreg(hw, RB_RFE_PINMUX, BMASKDWORD, ++ 0x77337717); ++ rtl_set_bbreg(hw, RA_RFE_INV, BMASKRFEINV, 0x000); ++ rtl_set_bbreg(hw, RB_RFE_INV, BMASKRFEINV, 0x000); ++ } ++ break; ++ case 3: ++ rtl_set_bbreg(hw, RA_RFE_PINMUX, BMASKDWORD, 0x54337717); ++ rtl_set_bbreg(hw, RB_RFE_PINMUX, BMASKDWORD, 0x54337717); ++ rtl_set_bbreg(hw, RA_RFE_INV, BMASKRFEINV, 0x010); ++ rtl_set_bbreg(hw, RB_RFE_INV, BMASKRFEINV, 0x010); ++ rtl_set_bbreg(hw, 0x900, 0x00000303, 0x1); ++ break; ++ case 5: ++ rtl_write_byte(rtlpriv, RA_RFE_PINMUX + 2, 0x33); ++ rtl_set_bbreg(hw, RB_RFE_PINMUX, BMASKDWORD, 0x77337777); ++ tmp = rtl_read_byte(rtlpriv, RA_RFE_INV + 3); ++ rtl_write_byte(rtlpriv, RA_RFE_INV + 3, tmp | 0x1); ++ rtl_set_bbreg(hw, RB_RFE_INV, BMASKRFEINV, 0x010); ++ break; ++ case 2: ++ case 4: ++ default: ++ rtl_set_bbreg(hw, RA_RFE_PINMUX, BMASKDWORD, 0x77337777); ++ rtl_set_bbreg(hw, RB_RFE_PINMUX, BMASKDWORD, 0x77337777); ++ rtl_set_bbreg(hw, RA_RFE_INV, BMASKRFEINV, 0x010); ++ rtl_set_bbreg(hw, RB_RFE_INV, BMASKRFEINV, 0x010); ++ break; ++ } ++} ++ + u32 phy_get_tx_swing_8812A(struct ieee80211_hw *hw, u8 band, + u8 rf_path) + { +@@ -553,14 +654,9 @@ void rtl8821ae_phy_switch_wirelessband(s + /* 0x82C[1:0] = 2b'00 */ + rtl_set_bbreg(hw, 0x82c, 0x3, 0); + } +- if (rtlhal->hw_type == HARDWARE_TYPE_RTL8812AE) { +- rtl_set_bbreg(hw, RA_RFE_PINMUX, BMASKDWORD, +- 0x77777777); +- rtl_set_bbreg(hw, RB_RFE_PINMUX, BMASKDWORD, +- 0x77777777); +- rtl_set_bbreg(hw, RA_RFE_INV, 0x3ff00000, 0x000); +- rtl_set_bbreg(hw, RB_RFE_INV, 0x3ff00000, 0x000); +- } ++ ++ if (rtlhal->hw_type == HARDWARE_TYPE_RTL8812AE) ++ _rtl8812ae_phy_set_rfe_reg_24g(hw); + + rtl_set_bbreg(hw, RTXPATH, 0xf0, 0x1); + rtl_set_bbreg(hw, RCCK_RX, 0x0f000000, 0x1); +@@ -615,14 +711,8 @@ void rtl8821ae_phy_switch_wirelessband(s + /* 0x82C[1:0] = 2'b00 */ + rtl_set_bbreg(hw, 0x82c, 0x3, 1); + +- if (rtlhal->hw_type == HARDWARE_TYPE_RTL8812AE) { +- rtl_set_bbreg(hw, RA_RFE_PINMUX, BMASKDWORD, +- 0x77337777); +- rtl_set_bbreg(hw, RB_RFE_PINMUX, BMASKDWORD, +- 0x77337777); +- rtl_set_bbreg(hw, RA_RFE_INV, 0x3ff00000, 0x010); +- rtl_set_bbreg(hw, RB_RFE_INV, 0x3ff00000, 0x010); +- } ++ if (rtlhal->hw_type == HARDWARE_TYPE_RTL8812AE) ++ _rtl8812ae_phy_set_rfe_reg_5g(hw); + + rtl_set_bbreg(hw, RTXPATH, 0xf0, 0); + rtl_set_bbreg(hw, RCCK_RX, 0x0f000000, 0xf); +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/reg.h ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/reg.h +@@ -2424,6 +2424,7 @@ + #define BMASKH4BITS 0xf0000000 + #define BMASKOFDM_D 0xffc00000 + #define BMASKCCK 0x3f3f3f3f ++#define BMASKRFEINV 0x3ff00000 + + #define BRFREGOFFSETMASK 0xfffff + diff --git a/queue-4.4/series b/queue-4.4/series index 50b7d22823b..474876adcda 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -5,3 +5,16 @@ watchdog-pcwd_usb-fix-null-deref-at-probe.patch char-lp-fix-possible-integer-overflow-in-lp_setup.patch usb-core-replace-p-with-pk.patch arm-tegra-paz00-mark-panel-regulator-as-enabled-on-boot.patch +tpm_crb-check-for-bad-response-size.patch +infiniband-call-ipv6-route-lookup-via-the-stub-interface.patch +dm-btree-fix-for-dm_btree_find_lowest_key.patch +dm-raid-select-the-kconfig-option-config_md_raid0.patch +dm-bufio-avoid-a-possible-abba-deadlock.patch +dm-bufio-check-new-buffer-allocation-watermark-every-30-seconds.patch +dm-cache-metadata-fail-operations-if-fail_io-mode-has-been-established.patch +dm-bufio-make-the-parameter-retain_bytes-unsigned-long.patch +dm-thin-metadata-call-precommit-before-saving-the-roots.patch +dm-space-map-disk-fix-some-book-keeping-in-the-disk-space-map.patch +md-update-slab_cache-before-releasing-new-stripes-when-stripes-resizing.patch +rtlwifi-rtl8821ae-setup-8812ae-rfe-according-to-device-type.patch +mwifiex-pcie-fix-cmd_buf-use-after-free-in-remove-reset.patch diff --git a/queue-4.4/tpm_crb-check-for-bad-response-size.patch b/queue-4.4/tpm_crb-check-for-bad-response-size.patch new file mode 100644 index 00000000000..4d6d7805503 --- /dev/null +++ b/queue-4.4/tpm_crb-check-for-bad-response-size.patch @@ -0,0 +1,36 @@ +From 8569defde8057258835c51ce01a33de82e14b148 Mon Sep 17 00:00:00 2001 +From: Jerry Snitselaar +Date: Fri, 10 Mar 2017 17:46:04 -0700 +Subject: tpm_crb: check for bad response size + +From: Jerry Snitselaar + +commit 8569defde8057258835c51ce01a33de82e14b148 upstream. + +Make sure size of response buffer is at least 6 bytes, or +we will underflow and pass large size_t to memcpy_fromio(). +This was encountered while testing earlier version of +locality patchset. + +Fixes: 30fc8d138e912 ("tpm: TPM 2.0 CRB Interface") +Signed-off-by: Jerry Snitselaar +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tpm/tpm_crb.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/char/tpm/tpm_crb.c ++++ b/drivers/char/tpm/tpm_crb.c +@@ -118,8 +118,7 @@ static int crb_recv(struct tpm_chip *chi + + memcpy_fromio(buf, priv->rsp, 6); + expected = be32_to_cpup((__be32 *) &buf[2]); +- +- if (expected > count) ++ if (expected > count || expected < 6) + return -EIO; + + memcpy_fromio(&buf[6], &priv->rsp[6], expected - 6);