From: Greg Kroah-Hartman Date: Sun, 19 Nov 2017 14:26:37 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v3.18.83~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=26ef1f3a7be764d66fb85a70f1474da47aaf4631;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: rpmsg-glink-add-missing-module_license.patch spi-fix-use-after-free-at-controller-deregistration.patch staging-ccree-fix-64-bit-scatter-gather-dma-ops.patch staging-greybus-spilib-fix-use-after-free-after-deregistration.patch staging-rtl8188eu-revert-4-commits-breaking-arp.patch staging-sm750fb-fix-parameter-mistake-in-poke32.patch staging-vboxvideo-fix-reporting-invalid-suggested-offset-properties.patch staging-wilc1000-fix-bssid-buffer-offset-in-txq.patch --- diff --git a/queue-4.14/rpmsg-glink-add-missing-module_license.patch b/queue-4.14/rpmsg-glink-add-missing-module_license.patch new file mode 100644 index 00000000000..a90bb26500b --- /dev/null +++ b/queue-4.14/rpmsg-glink-add-missing-module_license.patch @@ -0,0 +1,30 @@ +From 1e0d5615bbc37deb7732491798abccf8d3c3d244 Mon Sep 17 00:00:00 2001 +From: Bjorn Andersson +Date: Tue, 14 Nov 2017 21:45:34 -0800 +Subject: rpmsg: glink: Add missing MODULE_LICENSE + +From: Bjorn Andersson + +commit 1e0d5615bbc37deb7732491798abccf8d3c3d244 upstream. + +The qcom_glink_native driver is missing a MODULE_LICENSE(), correct +this. + +Fixes: 835764ddd9af ("rpmsg: glink: Move the common glink protocol implementation to glink_native.c") +Reported-by: Randy Dunlap +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rpmsg/qcom_glink_native.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/rpmsg/qcom_glink_native.c ++++ b/drivers/rpmsg/qcom_glink_native.c +@@ -1616,3 +1616,6 @@ void qcom_glink_native_unregister(struct + device_unregister(glink->dev); + } + EXPORT_SYMBOL_GPL(qcom_glink_native_unregister); ++ ++MODULE_DESCRIPTION("Qualcomm GLINK driver"); ++MODULE_LICENSE("GPL v2"); diff --git a/queue-4.14/series b/queue-4.14/series index b6db2cd9283..7385813f041 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -21,3 +21,11 @@ platform-x86-peaq-wmi-add-dmi-check-before-binding-to-the-wmi-interface.patch platform-x86-peaq_wmi-fix-missing-terminating-entry-for-peaq_dmi_table.patch hid-cp2112-add-hidraw-dependency.patch hid-wacom-generic-recognize-wacom_hid_wd_pen-as-a-type-of-pen-collection.patch +rpmsg-glink-add-missing-module_license.patch +staging-wilc1000-fix-bssid-buffer-offset-in-txq.patch +staging-sm750fb-fix-parameter-mistake-in-poke32.patch +staging-ccree-fix-64-bit-scatter-gather-dma-ops.patch +staging-greybus-spilib-fix-use-after-free-after-deregistration.patch +staging-vboxvideo-fix-reporting-invalid-suggested-offset-properties.patch +staging-rtl8188eu-revert-4-commits-breaking-arp.patch +spi-fix-use-after-free-at-controller-deregistration.patch diff --git a/queue-4.14/spi-fix-use-after-free-at-controller-deregistration.patch b/queue-4.14/spi-fix-use-after-free-at-controller-deregistration.patch new file mode 100644 index 00000000000..8e338349339 --- /dev/null +++ b/queue-4.14/spi-fix-use-after-free-at-controller-deregistration.patch @@ -0,0 +1,47 @@ +From 67f7b2781fafcc0f52464880154b320fea1ae982 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 30 Oct 2017 11:35:25 +0100 +Subject: spi: fix use-after-free at controller deregistration + +From: Johan Hovold + +commit 67f7b2781fafcc0f52464880154b320fea1ae982 upstream. + +The controller is typically freed as part of device_unregister() so +store the bus id before deregistration to avoid use-after-free when the +id is later released. + +Fixes: 9b61e302210e ("spi: Pick spi bus number from Linux idr or spi alias") +Signed-off-by: Johan Hovold +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -2245,11 +2245,12 @@ static int __unregister(struct device *d + void spi_unregister_controller(struct spi_controller *ctlr) + { + struct spi_controller *found; ++ int id = ctlr->bus_num; + int dummy; + + /* First make sure that this controller was ever added */ + mutex_lock(&board_lock); +- found = idr_find(&spi_master_idr, ctlr->bus_num); ++ found = idr_find(&spi_master_idr, id); + mutex_unlock(&board_lock); + if (found != ctlr) { + dev_dbg(&ctlr->dev, +@@ -2269,7 +2270,7 @@ void spi_unregister_controller(struct sp + device_unregister(&ctlr->dev); + /* free bus id */ + mutex_lock(&board_lock); +- idr_remove(&spi_master_idr, ctlr->bus_num); ++ idr_remove(&spi_master_idr, id); + mutex_unlock(&board_lock); + } + EXPORT_SYMBOL_GPL(spi_unregister_controller); diff --git a/queue-4.14/staging-ccree-fix-64-bit-scatter-gather-dma-ops.patch b/queue-4.14/staging-ccree-fix-64-bit-scatter-gather-dma-ops.patch new file mode 100644 index 00000000000..3c724185296 --- /dev/null +++ b/queue-4.14/staging-ccree-fix-64-bit-scatter-gather-dma-ops.patch @@ -0,0 +1,33 @@ +From e0b3f39092a1cff5548cbaf40096ec25e7721de6 Mon Sep 17 00:00:00 2001 +From: Gilad Ben-Yossef +Date: Mon, 30 Oct 2017 13:38:03 +0000 +Subject: staging: ccree: fix 64 bit scatter/gather DMA ops + +From: Gilad Ben-Yossef + +commit e0b3f39092a1cff5548cbaf40096ec25e7721de6 upstream. + +Fix a wrong offset used in splitting a 64 DMA address to MSB/LSB +parts needed for scatter/gather HW descriptors causing operations +relying on them to fail on 64 bit platforms. + +Fixes: c6f7f2f4591f ("staging: ccree: refactor LLI access macros") +Reported-by: Stuart Yoder +Signed-off-by: Gilad Ben-Yossef +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/ccree/cc_lli_defs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/ccree/cc_lli_defs.h ++++ b/drivers/staging/ccree/cc_lli_defs.h +@@ -59,7 +59,7 @@ static inline void cc_lli_set_addr(u32 * + lli_p[LLI_WORD0_OFFSET] = (addr & U32_MAX); + #ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT + lli_p[LLI_WORD1_OFFSET] &= ~LLI_HADDR_MASK; +- lli_p[LLI_WORD1_OFFSET] |= FIELD_PREP(LLI_HADDR_MASK, (addr >> 16)); ++ lli_p[LLI_WORD1_OFFSET] |= FIELD_PREP(LLI_HADDR_MASK, (addr >> 32)); + #endif /* CONFIG_ARCH_DMA_ADDR_T_64BIT */ + } + diff --git a/queue-4.14/staging-greybus-spilib-fix-use-after-free-after-deregistration.patch b/queue-4.14/staging-greybus-spilib-fix-use-after-free-after-deregistration.patch new file mode 100644 index 00000000000..1ee5e7d40f5 --- /dev/null +++ b/queue-4.14/staging-greybus-spilib-fix-use-after-free-after-deregistration.patch @@ -0,0 +1,52 @@ +From 770b03c2ca4aa44d226cf248f86aa23e546147d0 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Sun, 29 Oct 2017 13:01:33 +0100 +Subject: staging: greybus: spilib: fix use-after-free after deregistration + +From: Johan Hovold + +commit 770b03c2ca4aa44d226cf248f86aa23e546147d0 upstream. + +Remove erroneous spi_master_put() after controller deregistration which +would access the already freed spi controller. + +Note that spi_unregister_master() drops our only controller reference. + +Fixes: ba3e67001b42 ("greybus: SPI: convert to a gpbridge driver") +Signed-off-by: Johan Hovold +Reviewed-by: Rui Miguel Silva +Acked-by: Viresh Kumar +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/greybus/spilib.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/staging/greybus/spilib.c ++++ b/drivers/staging/greybus/spilib.c +@@ -544,12 +544,15 @@ int gb_spilib_master_init(struct gb_conn + + return 0; + +-exit_spi_unregister: +- spi_unregister_master(master); + exit_spi_put: + spi_master_put(master); + + return ret; ++ ++exit_spi_unregister: ++ spi_unregister_master(master); ++ ++ return ret; + } + EXPORT_SYMBOL_GPL(gb_spilib_master_init); + +@@ -558,7 +561,6 @@ void gb_spilib_master_exit(struct gb_con + struct spi_master *master = gb_connection_get_data(connection); + + spi_unregister_master(master); +- spi_master_put(master); + } + EXPORT_SYMBOL_GPL(gb_spilib_master_exit); + diff --git a/queue-4.14/staging-rtl8188eu-revert-4-commits-breaking-arp.patch b/queue-4.14/staging-rtl8188eu-revert-4-commits-breaking-arp.patch new file mode 100644 index 00000000000..9cf3a2bec3b --- /dev/null +++ b/queue-4.14/staging-rtl8188eu-revert-4-commits-breaking-arp.patch @@ -0,0 +1,309 @@ +From 66d32fdcbf03851724a8b551d490ae1ddfe6eef2 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Thu, 2 Nov 2017 10:30:13 +0100 +Subject: staging: rtl8188eu: Revert 4 commits breaking ARP + +From: Hans de Goede + +commit 66d32fdcbf03851724a8b551d490ae1ddfe6eef2 upstream. + +Commit 2ba8444c97b1 ("staging:r8188eu: move IV/ICV trimming into +decrypt() and also place it after rtl88eu_mon_recv_hook()") breaks ARP. + +After this commit ssh-ing to a laptop with r8188eu wifi no longer works +if the machine connecting has never communicated with the laptop before. +This is 100% reproducable using "arp -d && ssh " to ssh to +a laptop with r8188eu wifi. + +This commit reverts 4 commits in total: + +1. Commit 79650ffde38e ("staging:r8188eu: trim IV/ICV fields in + validate_recv_data_frame()") +This commit depends on 2 of the other commits being reverted. + +2. Commit 02b19b4c4920 ("staging:r8188eu: inline unprotect_frame() in + mon_recv_decrypted_recv()") +The inline code is wrong the un-inlined version contains: + if (skb->len < hdr_len + iv_len + icv_len) + return; + ... +Where as the inline-ed code introduced by this commit does: + if (skb->len < hdr_len + iv_len + icv_len) { + ... +Note the same check, but now to actually continue doing ... instead +of to not do it, so this commit is no good. + +3. Commit d86e16da6a5d ("staging:r8188eu: use different mon_recv_decrypted() + inside rtl88eu_mon_recv_hook() and rtl88eu_mon_xmit_hook().") +This commit introduced a 1:1 copy of a function so that one of the +2 copies can be modified in the 2 commits we're already reverting. + +4. Commit 2ba8444c97b1 ("staging:r8188eu: move IV/ICV trimming into + decrypt() and also place it after rtl88eu_mon_recv_hook()") +This is the commit actually breaking ARP. + +Note this commit is a straight-forward squash of the revert of these +4 commits, without any changes. + +Cc: Ivan Safonov +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8188eu/core/rtw_recv.c | 83 ++++++++++++++++++------------ + drivers/staging/rtl8188eu/os_dep/mon.c | 34 +----------- + 2 files changed, 55 insertions(+), 62 deletions(-) + +--- a/drivers/staging/rtl8188eu/core/rtw_recv.c ++++ b/drivers/staging/rtl8188eu/core/rtw_recv.c +@@ -259,10 +259,12 @@ static int recvframe_chkmic(struct adapt + } + + /* icv_len included the mic code */ +- datalen = precvframe->pkt->len-prxattrib->hdrlen - 8; ++ datalen = precvframe->pkt->len-prxattrib->hdrlen - ++ prxattrib->iv_len-prxattrib->icv_len-8; + pframe = precvframe->pkt->data; +- payload = pframe+prxattrib->hdrlen; ++ payload = pframe+prxattrib->hdrlen+prxattrib->iv_len; + ++ RT_TRACE(_module_rtl871x_recv_c_, _drv_info_, ("\n prxattrib->iv_len=%d prxattrib->icv_len=%d\n", prxattrib->iv_len, prxattrib->icv_len)); + rtw_seccalctkipmic(mickey, pframe, payload, datalen, &miccode[0], + (unsigned char)prxattrib->priority); /* care the length of the data */ + +@@ -407,15 +409,9 @@ static struct recv_frame *decryptor(stru + default: + break; + } +- if (res != _FAIL) { +- memmove(precv_frame->pkt->data + precv_frame->attrib.iv_len, precv_frame->pkt->data, precv_frame->attrib.hdrlen); +- skb_pull(precv_frame->pkt, precv_frame->attrib.iv_len); +- skb_trim(precv_frame->pkt, precv_frame->pkt->len - precv_frame->attrib.icv_len); +- } + } else if (prxattrib->bdecrypted == 1 && prxattrib->encrypt > 0 && +- (psecuritypriv->busetkipkey == 1 || prxattrib->encrypt != _TKIP_)) { +- psecuritypriv->hw_decrypted = true; +- } ++ (psecuritypriv->busetkipkey == 1 || prxattrib->encrypt != _TKIP_)) ++ psecuritypriv->hw_decrypted = true; + + if (res == _FAIL) { + rtw_free_recvframe(return_packet, &padapter->recvpriv.free_recv_queue); +@@ -456,7 +452,7 @@ static struct recv_frame *portctrl(struc + + if (auth_alg == 2) { + /* get ether_type */ +- ptr = ptr + pfhdr->attrib.hdrlen + LLC_HEADER_SIZE; ++ ptr = ptr + pfhdr->attrib.hdrlen + LLC_HEADER_SIZE + pfhdr->attrib.iv_len; + memcpy(&be_tmp, ptr, 2); + ether_type = ntohs(be_tmp); + +@@ -1138,8 +1134,6 @@ static int validate_recv_data_frame(stru + } + + if (pattrib->privacy) { +- struct sk_buff *skb = precv_frame->pkt; +- + RT_TRACE(_module_rtl871x_recv_c_, _drv_info_, ("validate_recv_data_frame:pattrib->privacy=%x\n", pattrib->privacy)); + RT_TRACE(_module_rtl871x_recv_c_, _drv_info_, ("\n ^^^^^^^^^^^IS_MCAST(pattrib->ra(0x%02x))=%d^^^^^^^^^^^^^^^6\n", pattrib->ra[0], IS_MCAST(pattrib->ra))); + +@@ -1148,13 +1142,6 @@ static int validate_recv_data_frame(stru + RT_TRACE(_module_rtl871x_recv_c_, _drv_info_, ("\n pattrib->encrypt=%d\n", pattrib->encrypt)); + + SET_ICE_IV_LEN(pattrib->iv_len, pattrib->icv_len, pattrib->encrypt); +- +- if (pattrib->bdecrypted == 1 && pattrib->encrypt > 0) { +- memmove(skb->data + pattrib->iv_len, +- skb->data, pattrib->hdrlen); +- skb_pull(skb, pattrib->iv_len); +- skb_trim(skb, skb->len - pattrib->icv_len); +- } + } else { + pattrib->encrypt = 0; + pattrib->iv_len = 0; +@@ -1274,7 +1261,6 @@ static int validate_recv_frame(struct ad + * Hence forward the frame to the monitor anyway to preserve the order + * in which frames were received. + */ +- + rtl88eu_mon_recv_hook(adapter->pmondev, precv_frame); + + exit: +@@ -1296,8 +1282,11 @@ static int wlanhdr_to_ethhdr(struct recv + u8 *ptr = precvframe->pkt->data; + struct rx_pkt_attrib *pattrib = &precvframe->attrib; + +- psnap = (struct ieee80211_snap_hdr *)(ptr+pattrib->hdrlen); +- psnap_type = ptr+pattrib->hdrlen + SNAP_SIZE; ++ if (pattrib->encrypt) ++ skb_trim(precvframe->pkt, precvframe->pkt->len - pattrib->icv_len); ++ ++ psnap = (struct ieee80211_snap_hdr *)(ptr+pattrib->hdrlen + pattrib->iv_len); ++ psnap_type = ptr+pattrib->hdrlen + pattrib->iv_len+SNAP_SIZE; + /* convert hdr + possible LLC headers into Ethernet header */ + if ((!memcmp(psnap, rtw_rfc1042_header, SNAP_SIZE) && + (!memcmp(psnap_type, SNAP_ETH_TYPE_IPX, 2) == false) && +@@ -1310,9 +1299,12 @@ static int wlanhdr_to_ethhdr(struct recv + bsnaphdr = false; + } + +- rmv_len = pattrib->hdrlen + (bsnaphdr ? SNAP_SIZE : 0); ++ rmv_len = pattrib->hdrlen + pattrib->iv_len + (bsnaphdr ? SNAP_SIZE : 0); + len = precvframe->pkt->len - rmv_len; + ++ RT_TRACE(_module_rtl871x_recv_c_, _drv_info_, ++ ("\n===pattrib->hdrlen: %x, pattrib->iv_len:%x===\n\n", pattrib->hdrlen, pattrib->iv_len)); ++ + memcpy(&be_tmp, ptr+rmv_len, 2); + eth_type = ntohs(be_tmp); /* pattrib->ether_type */ + pattrib->eth_type = eth_type; +@@ -1337,6 +1329,7 @@ static struct recv_frame *recvframe_defr + struct __queue *defrag_q) + { + struct list_head *plist, *phead; ++ u8 wlanhdr_offset; + u8 curfragnum; + struct recv_frame *pfhdr, *pnfhdr; + struct recv_frame *prframe, *pnextrframe; +@@ -1385,7 +1378,12 @@ static struct recv_frame *recvframe_defr + /* copy the 2nd~n fragment frame's payload to the first fragment */ + /* get the 2nd~last fragment frame's payload */ + +- skb_pull(pnextrframe->pkt, pnfhdr->attrib.hdrlen); ++ wlanhdr_offset = pnfhdr->attrib.hdrlen + pnfhdr->attrib.iv_len; ++ ++ skb_pull(pnextrframe->pkt, wlanhdr_offset); ++ ++ /* append to first fragment frame's tail (if privacy frame, pull the ICV) */ ++ skb_trim(prframe->pkt, prframe->pkt->len - pfhdr->attrib.icv_len); + + /* memcpy */ + memcpy(skb_tail_pointer(pfhdr->pkt), pnfhdr->pkt->data, +@@ -1393,7 +1391,7 @@ static struct recv_frame *recvframe_defr + + skb_put(prframe->pkt, pnfhdr->pkt->len); + +- pfhdr->attrib.icv_len = 0; ++ pfhdr->attrib.icv_len = pnfhdr->attrib.icv_len; + plist = plist->next; + } + +@@ -1519,6 +1517,11 @@ static int amsdu_to_msdu(struct adapter + nr_subframes = 0; + pattrib = &prframe->attrib; + ++ skb_pull(prframe->pkt, prframe->attrib.hdrlen); ++ ++ if (prframe->attrib.iv_len > 0) ++ skb_pull(prframe->pkt, prframe->attrib.iv_len); ++ + a_len = prframe->pkt->len; + + pdata = prframe->pkt->data; +@@ -1887,6 +1890,24 @@ static int process_recv_indicatepkts(str + return retval; + } + ++static int recv_func_prehandle(struct adapter *padapter, ++ struct recv_frame *rframe) ++{ ++ int ret = _SUCCESS; ++ struct __queue *pfree_recv_queue = &padapter->recvpriv.free_recv_queue; ++ ++ /* check the frame crtl field and decache */ ++ ret = validate_recv_frame(padapter, rframe); ++ if (ret != _SUCCESS) { ++ RT_TRACE(_module_rtl871x_recv_c_, _drv_info_, ("recv_func: validate_recv_frame fail! drop pkt\n")); ++ rtw_free_recvframe(rframe, pfree_recv_queue);/* free this recv_frame */ ++ goto exit; ++ } ++ ++exit: ++ return ret; ++} ++ + static int recv_func_posthandle(struct adapter *padapter, + struct recv_frame *prframe) + { +@@ -1939,7 +1960,6 @@ static int recv_func(struct adapter *pad + struct rx_pkt_attrib *prxattrib = &rframe->attrib; + struct security_priv *psecuritypriv = &padapter->securitypriv; + struct mlme_priv *mlmepriv = &padapter->mlmepriv; +- struct __queue *pfree_recv_queue = &padapter->recvpriv.free_recv_queue; + + /* check if need to handle uc_swdec_pending_queue*/ + if (check_fwstate(mlmepriv, WIFI_STATION_STATE) && psecuritypriv->busetkipkey) { +@@ -1951,12 +1971,9 @@ static int recv_func(struct adapter *pad + } + } + +- /* check the frame crtl field and decache */ +- ret = validate_recv_frame(padapter, rframe); +- if (ret != _SUCCESS) { +- RT_TRACE(_module_rtl871x_recv_c_, _drv_info_, ("recv_func: validate_recv_frame fail! drop pkt\n")); +- rtw_free_recvframe(rframe, pfree_recv_queue);/* free this recv_frame */ +- } else { ++ ret = recv_func_prehandle(padapter, rframe); ++ ++ if (ret == _SUCCESS) { + /* check if need to enqueue into uc_swdec_pending_queue*/ + if (check_fwstate(mlmepriv, WIFI_STATION_STATE) && + !IS_MCAST(prxattrib->ra) && prxattrib->encrypt > 0 && +--- a/drivers/staging/rtl8188eu/os_dep/mon.c ++++ b/drivers/staging/rtl8188eu/os_dep/mon.c +@@ -66,34 +66,6 @@ static void mon_recv_decrypted(struct ne + netif_rx(skb); + } + +-static void mon_recv_decrypted_recv(struct net_device *dev, const u8 *data, +- int data_len) +-{ +- struct sk_buff *skb; +- struct ieee80211_hdr *hdr; +- int hdr_len; +- +- skb = netdev_alloc_skb(dev, data_len); +- if (!skb) +- return; +- memcpy(skb_put(skb, data_len), data, data_len); +- +- /* +- * Frame data is not encrypted. Strip off protection so +- * userspace doesn't think that it is. +- */ +- +- hdr = (struct ieee80211_hdr *)skb->data; +- hdr_len = ieee80211_hdrlen(hdr->frame_control); +- +- if (ieee80211_has_protected(hdr->frame_control)) +- hdr->frame_control &= ~cpu_to_le16(IEEE80211_FCTL_PROTECTED); +- +- skb->ip_summed = CHECKSUM_UNNECESSARY; +- skb->protocol = eth_type_trans(skb, dev); +- netif_rx(skb); +-} +- + static void mon_recv_encrypted(struct net_device *dev, const u8 *data, + int data_len) + { +@@ -110,6 +82,7 @@ static void mon_recv_encrypted(struct ne + void rtl88eu_mon_recv_hook(struct net_device *dev, struct recv_frame *frame) + { + struct rx_pkt_attrib *attr; ++ int iv_len, icv_len; + int data_len; + u8 *data; + +@@ -122,8 +95,11 @@ void rtl88eu_mon_recv_hook(struct net_de + data = frame->pkt->data; + data_len = frame->pkt->len; + ++ /* Broadcast and multicast frames don't have attr->{iv,icv}_len set */ ++ SET_ICE_IV_LEN(iv_len, icv_len, attr->encrypt); ++ + if (attr->bdecrypted) +- mon_recv_decrypted_recv(dev, data, data_len); ++ mon_recv_decrypted(dev, data, data_len, iv_len, icv_len); + else + mon_recv_encrypted(dev, data, data_len); + } diff --git a/queue-4.14/staging-sm750fb-fix-parameter-mistake-in-poke32.patch b/queue-4.14/staging-sm750fb-fix-parameter-mistake-in-poke32.patch new file mode 100644 index 00000000000..dd5e02fcaab --- /dev/null +++ b/queue-4.14/staging-sm750fb-fix-parameter-mistake-in-poke32.patch @@ -0,0 +1,34 @@ +From 16808dcf605e6302319a8c3266789b76d4c0983b Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Mon, 6 Nov 2017 08:43:03 +0800 +Subject: staging: sm750fb: Fix parameter mistake in poke32 + +From: Huacai Chen + +commit 16808dcf605e6302319a8c3266789b76d4c0983b upstream. + +In commit c075b6f2d357ea9 ("staging: sm750fb: Replace POKE32 and PEEK32 +by inline functions"), POKE32 has been replaced by the inline function +poke32. But it exchange the "addr" and "data" parameters by mistake, so +fix it. + +Fixes: c075b6f2d357ea9 ("staging: sm750fb: Replace POKE32 and PEEK32 by inline functions"), +Signed-off-by: Huacai Chen +Signed-off-by: Liangliang Huang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/sm750fb/ddk750_chip.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/sm750fb/ddk750_chip.h ++++ b/drivers/staging/sm750fb/ddk750_chip.h +@@ -18,7 +18,7 @@ static inline u32 peek32(u32 addr) + return readl(addr + mmio750); + } + +-static inline void poke32(u32 data, u32 addr) ++static inline void poke32(u32 addr, u32 data) + { + writel(data, addr + mmio750); + } diff --git a/queue-4.14/staging-vboxvideo-fix-reporting-invalid-suggested-offset-properties.patch b/queue-4.14/staging-vboxvideo-fix-reporting-invalid-suggested-offset-properties.patch new file mode 100644 index 00000000000..2fba77876f8 --- /dev/null +++ b/queue-4.14/staging-vboxvideo-fix-reporting-invalid-suggested-offset-properties.patch @@ -0,0 +1,113 @@ +From ce10d7b4e8e3574b9616e54a09d64521b9aeb8b6 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Thu, 12 Oct 2017 20:10:25 +0200 +Subject: staging: vboxvideo: Fix reporting invalid suggested-offset-properties + +From: Hans de Goede + +commit ce10d7b4e8e3574b9616e54a09d64521b9aeb8b6 upstream. + +The x and y hints receives from the host are unsigned 32 bit integers and +they get set to -1 (0xffffffff) when invalid. Before this commit the +vboxvideo driver was storing them in an u16 causing the -1 to be truncated +to 65535 which, once reported to userspace, was breaking gnome 3.26+ +in Wayland mode. + +This commit stores the host values in 32 bit variables, removing the +truncation and checks for -1, replacing it with 0 as -1 is not a valid +suggested-offset-property value. Likewise the properties are now +initialized to 0 instead of -1, since -1 is not a valid value. +This fixes gnome 3.26+ in Wayland mode not working with the vboxvideo +driver. + +Reported-by: Gianfranco Costamagna +Cc: Michael Thayer +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/vboxvideo/vbox_drv.h | 8 ++++---- + drivers/staging/vboxvideo/vbox_irq.c | 4 ++-- + drivers/staging/vboxvideo/vbox_mode.c | 26 ++++++++++++++++++-------- + 3 files changed, 24 insertions(+), 14 deletions(-) + +--- a/drivers/staging/vboxvideo/vbox_drv.h ++++ b/drivers/staging/vboxvideo/vbox_drv.h +@@ -137,8 +137,8 @@ struct vbox_connector { + char name[32]; + struct vbox_crtc *vbox_crtc; + struct { +- u16 width; +- u16 height; ++ u32 width; ++ u32 height; + bool disconnected; + } mode_hint; + }; +@@ -150,8 +150,8 @@ struct vbox_crtc { + unsigned int crtc_id; + u32 fb_offset; + bool cursor_enabled; +- u16 x_hint; +- u16 y_hint; ++ u32 x_hint; ++ u32 y_hint; + }; + + struct vbox_encoder { +--- a/drivers/staging/vboxvideo/vbox_irq.c ++++ b/drivers/staging/vboxvideo/vbox_irq.c +@@ -150,8 +150,8 @@ static void vbox_update_mode_hints(struc + + disconnected = !(hints->enabled); + crtc_id = vbox_conn->vbox_crtc->crtc_id; +- vbox_conn->mode_hint.width = hints->cx & 0x8fff; +- vbox_conn->mode_hint.height = hints->cy & 0x8fff; ++ vbox_conn->mode_hint.width = hints->cx; ++ vbox_conn->mode_hint.height = hints->cy; + vbox_conn->vbox_crtc->x_hint = hints->dx; + vbox_conn->vbox_crtc->y_hint = hints->dy; + vbox_conn->mode_hint.disconnected = disconnected; +--- a/drivers/staging/vboxvideo/vbox_mode.c ++++ b/drivers/staging/vboxvideo/vbox_mode.c +@@ -553,12 +553,22 @@ static int vbox_get_modes(struct drm_con + ++num_modes; + } + vbox_set_edid(connector, preferred_width, preferred_height); +- drm_object_property_set_value( +- &connector->base, vbox->dev->mode_config.suggested_x_property, +- vbox_connector->vbox_crtc->x_hint); +- drm_object_property_set_value( +- &connector->base, vbox->dev->mode_config.suggested_y_property, +- vbox_connector->vbox_crtc->y_hint); ++ ++ if (vbox_connector->vbox_crtc->x_hint != -1) ++ drm_object_property_set_value(&connector->base, ++ vbox->dev->mode_config.suggested_x_property, ++ vbox_connector->vbox_crtc->x_hint); ++ else ++ drm_object_property_set_value(&connector->base, ++ vbox->dev->mode_config.suggested_x_property, 0); ++ ++ if (vbox_connector->vbox_crtc->y_hint != -1) ++ drm_object_property_set_value(&connector->base, ++ vbox->dev->mode_config.suggested_y_property, ++ vbox_connector->vbox_crtc->y_hint); ++ else ++ drm_object_property_set_value(&connector->base, ++ vbox->dev->mode_config.suggested_y_property, 0); + + return num_modes; + } +@@ -640,9 +650,9 @@ static int vbox_connector_init(struct dr + + drm_mode_create_suggested_offset_properties(dev); + drm_object_attach_property(&connector->base, +- dev->mode_config.suggested_x_property, -1); ++ dev->mode_config.suggested_x_property, 0); + drm_object_attach_property(&connector->base, +- dev->mode_config.suggested_y_property, -1); ++ dev->mode_config.suggested_y_property, 0); + drm_connector_register(connector); + + drm_mode_connector_attach_encoder(connector, encoder); diff --git a/queue-4.14/staging-wilc1000-fix-bssid-buffer-offset-in-txq.patch b/queue-4.14/staging-wilc1000-fix-bssid-buffer-offset-in-txq.patch new file mode 100644 index 00000000000..36b3f4f4b00 --- /dev/null +++ b/queue-4.14/staging-wilc1000-fix-bssid-buffer-offset-in-txq.patch @@ -0,0 +1,38 @@ +From 1bbf6a6d4091affb27ec0a19d7aa7887ce72f610 Mon Sep 17 00:00:00 2001 +From: Aditya Shankar +Date: Fri, 3 Nov 2017 14:26:27 +0530 +Subject: staging: wilc1000: Fix bssid buffer offset in Txq + +From: Aditya Shankar + +commit 1bbf6a6d4091affb27ec0a19d7aa7887ce72f610 upstream. + +Commit 46949b48568b ("staging: wilc1000: New cfg packet +format in handle_set_wfi_drv_handler") updated the frame +format sent from host to the firmware. The code to update +the bssid offset in the new frame was part of a second +patch in the series which did not make it in and thus +causes connection problems after associating to an AP. + +This fix adds the proper offset of the bssid value in the +Tx queue buffer to fix the connection issues. + +Fixes: 46949b48568b ("staging: wilc1000: New cfg packet format in handle_set_wfi_drv_handler") +Signed-off-by: Aditya Shankar +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/wilc1000/wilc_wlan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/wilc1000/wilc_wlan.c ++++ b/drivers/staging/wilc1000/wilc_wlan.c +@@ -714,7 +714,7 @@ int wilc_wlan_handle_txq(struct net_devi + char *bssid = ((struct tx_complete_data *)(tqe->priv))->bssid; + + buffer_offset = ETH_ETHERNET_HDR_OFFSET; +- memcpy(&txb[offset + 4], bssid, 6); ++ memcpy(&txb[offset + 8], bssid, 6); + } else { + buffer_offset = HOST_HDR_OFFSET; + }