From: Greg Kroah-Hartman Date: Thu, 4 Oct 2018 19:32:39 +0000 (-0700) Subject: 4.18-stable patches X-Git-Tag: v4.4.160~34 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=29ee93108a617ce9d22df467573b2c586a4a8c91;p=thirdparty%2Fkernel%2Fstable-queue.git 4.18-stable patches added patches: afs-fix-cell-specification-to-permit-an-empty-address-list.patch arc-atomics-unbork-atomic_fetch_-op.patch bpf-avoid-misuse-of-psock-when-tcp_ulp_bpf-collides-with-another-ulp.patch bpf-fix-bpf_msg_pull_data.patch bpf-fix-msg-data-data_end-after-sg-shift-repair-in-bpf_msg_pull_data.patch bpf-fix-several-offset-tests-in-bpf_msg_pull_data.patch bpf-fix-sg-shift-repair-start-offset-in-bpf_msg_pull_data.patch bpf-fix-shift-upon-scatterlist-ring-wrap-around-in-bpf_msg_pull_data.patch bpf-sockmap-decrement-copied-count-correctly-in-redirect-error-case.patch bpf-sockmap-fix-potential-use-after-free-in-bpf_tcp_close.patch bpf-sockmap-fix-psock-refcount-leak-in-bpf_tcp_recvmsg.patch btrfs-btrfs_shrink_device-should-call-commit-transaction-at-the-end.patch btrfs-fix-unexpected-failure-of-nocow-buffered-writes-after-snapshotting-when-low-on-space.patch ceph-avoid-a-use-after-free-in-ceph_destroy_options.patch cfg80211-fix-a-type-issue-in-ieee80211_chandef_to_operating_class.patch cfg80211-make-wmm_rule-part-of-the-reg_rule-structure.patch cfg80211-nl80211_update_ft_ies-to-validate-nl80211_attr_ie.patch cfg80211-remove-division-by-size-of-sizeof-struct-ieee80211_wmm_rule.patch firmware-arm_scmi-fix-divide-by-zero-when-sustained_perf_level-is-zero.patch fs-cifs-don-t-translate-sfm_slash-u-f026-to-backslash.patch fsnotify-fix-ignore-mask-logic-in-fsnotify.patch gpio-adp5588-fix-sleep-in-atomic-context-bug.patch gpio-dwapb-fix-error-handling-in-dwapb_gpio_probe.patch gpio-fix-crash-due-to-registration-race.patch gpiolib-acpi-register-gpioint-acpi-event-handlers-from-a-late_initcall.patch gpiolib-acpi-switch-to-cansleep-version-of-gpio-library-call.patch i2c-uniphier-f-issue-stop-only-for-last-message-or-i2c_m_stop.patch i2c-uniphier-issue-stop-only-for-last-message-or-i2c_m_stop.patch ibmvnic-include-missing-return-code-checks-in-reset-function.patch kvm-ppc-book3s-hv-don-t-truncate-hpte-index-in-xlate-function.patch mac80211-always-account-for-a-msdu-header-changes.patch mac80211-avoid-kernel-panic-when-building-amsdu-from-non-linear-skb.patch mac80211-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch mac80211-do-not-convert-to-a-msdu-if-frag-subframe-limited.patch mac80211-don-t-tx-a-deauth-frame-if-the-ap-forbade-tx.patch mac80211-fix-a-race-between-restart-and-csa-flows.patch mac80211-fix-an-off-by-one-issue-in-a-msdu-max_subframe-computation.patch mac80211-fix-station-bandwidth-setting-after-channel-switch.patch mac80211-fix-wmm-txop-calculation.patch mac80211-mesh-fix-hwmp-sequence-numbering-to-follow-standard.patch mac80211-run-txq-teardown-code-before-de-registering-interfaces.patch mac80211-shorten-the-ibss-debug-messages.patch mac80211_hwsim-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch mac80211_hwsim-fix-possible-spectre-v1-for-hwsim_world_regdom_custom.patch mac80211_hwsim-require-at-least-one-channel.patch md-raid5-cache-disable-reshape-completely.patch nds32-add-null-entry-to-the-end-of_device_id-array.patch nds32-fix-build-error-because-of-wrong-semicolon.patch nds32-fix-empty-call-trace.patch nds32-fix-get_user-put_user-macro-expand-pointer-problem.patch nds32-fix-logic-for-module.patch nds32-linker-script-gcov-kernel-may-refers-data-in-__exit.patch net-cadence-fix-a-sleep-in-atomic-context-bug-in-macb_halt_tx.patch net-ethernet-cpsw-phy-sel-prefer-phandle-for-phy-sel.patch net-hns-add-netif_carrier_off-before-change-speed-and-duplex.patch net-hns-add-the-code-for-cleaning-pkt-in-chip.patch net-ibm-emac-wrong-emac_calc_base-call-was-used-by-typo.patch net-mvpp2-initialize-port-of_node-pointer.patch nl80211-fix-nla_put_u8-to-u16-for-nl80211_wmmr_txop.patch nl80211-pass-center-frequency-in-khz-instead-of-mhz.patch raid10-bug_on-in-raise_barrier-when-force-is-true-and-conf-barrier-is-0.patch revert-blk-throttle-fix-race-between-blkcg_bio_issue_check-and-cgroup_rmdir.patch rseq-selftests-fix-parametrized-test-with-fpie.patch scsi-aacraid-fix-a-signedness-bug.patch scsi-csiostor-add-a-check-for-null-pointer-after-kmalloc.patch scsi-csiostor-fix-incorrect-port-capabilities.patch scsi-libata-add-missing-newline-at-end-of-file.patch selftests-pmtu-detect-correct-binary-to-ping-ipv6-addresses.patch selftests-pmtu-maximum-mtu-for-vti4-is-2-16-1-20.patch sh_eth-add-r7s9210-support.patch tc-testing-add-test-cases-for-numeric-and-invalid-control-action.patch tipc-switch-to-rhashtable-iterator.patch tools-kvm_stat-fix-handling-of-invalid-paths-in-debugfs-provider.patch tools-kvm_stat-fix-python3-issues.patch tools-kvm_stat-fix-updates-for-dead-guests.patch tools-vm-page-types.c-fix-defined-but-not-used-warning.patch tools-vm-slabinfo.c-fix-sign-compare-warning.patch --- diff --git a/queue-4.18/afs-fix-cell-specification-to-permit-an-empty-address-list.patch b/queue-4.18/afs-fix-cell-specification-to-permit-an-empty-address-list.patch new file mode 100644 index 00000000000..823c122975b --- /dev/null +++ b/queue-4.18/afs-fix-cell-specification-to-permit-an-empty-address-list.patch @@ -0,0 +1,67 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: David Howells +Date: Fri, 7 Sep 2018 23:55:17 +0100 +Subject: afs: Fix cell specification to permit an empty address list + +From: David Howells + +[ Upstream commit ecfe951f0c1b169ea4b7dd6f3a404dfedd795bc2 ] + +Fix the cell specification mechanism to allow cells to be pre-created +without having to specify at least one address (the addresses will be +upcalled for). + +This allows the cell information preload service to avoid the need to issue +loads of DNS lookups during boot to get the addresses for each cell (500+ +lookups for the 'standard' cell list[*]). The lookups can be done later as +each cell is accessed through the filesystem. + +Also remove the print statement that prints a line every time a new cell is +added. + +[*] There are 144 cells in the list. Each cell is first looked up for an + SRV record, and if that fails, for an AFSDB record. These get a list + of server names, each of which then has to be looked up to get the + addresses for that server. E.g.: + + dig srv _afs3-vlserver._udp.grand.central.org + +Signed-off-by: David Howells +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/proc.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/fs/afs/proc.c ++++ b/fs/afs/proc.c +@@ -98,13 +98,13 @@ static int afs_proc_cells_write(struct f + goto inval; + + args = strchr(name, ' '); +- if (!args) +- goto inval; +- do { +- *args++ = 0; +- } while(*args == ' '); +- if (!*args) +- goto inval; ++ if (args) { ++ do { ++ *args++ = 0; ++ } while(*args == ' '); ++ if (!*args) ++ goto inval; ++ } + + /* determine command to perform */ + _debug("cmd=%s name=%s args=%s", buf, name, args); +@@ -120,7 +120,6 @@ static int afs_proc_cells_write(struct f + + if (test_and_set_bit(AFS_CELL_FL_NO_GC, &cell->flags)) + afs_put_cell(net, cell); +- printk("kAFS: Added new cell '%s'\n", name); + } else { + goto inval; + } diff --git a/queue-4.18/arc-atomics-unbork-atomic_fetch_-op.patch b/queue-4.18/arc-atomics-unbork-atomic_fetch_-op.patch new file mode 100644 index 00000000000..62a29c61f28 --- /dev/null +++ b/queue-4.18/arc-atomics-unbork-atomic_fetch_-op.patch @@ -0,0 +1,62 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Will Deacon +Date: Thu, 30 Aug 2018 13:52:38 -0700 +Subject: ARC: atomics: unbork atomic_fetch_##op() + +From: Will Deacon + +[ Upstream commit 3fcbb8260a87efb691d837e8cd24e81f65b3eb70 ] + +In 4.19-rc1, Eugeniy reported weird boot and IO errors on ARC HSDK + +| INFO: task syslogd:77 blocked for more than 10 seconds. +| Not tainted 4.19.0-rc1-00007-gf213acea4e88 #40 +| "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this +| message. +| syslogd D 0 77 76 0x00000000 +| +| Stack Trace: +| __switch_to+0x0/0xac +| __schedule+0x1b2/0x730 +| io_schedule+0x5c/0xc0 +| __lock_page+0x98/0xdc +| find_lock_entry+0x38/0x100 +| shmem_getpage_gfp.isra.3+0x82/0xbfc +| shmem_fault+0x46/0x138 +| handle_mm_fault+0x5bc/0x924 +| do_page_fault+0x100/0x2b8 +| ret_from_exception+0x0/0x8 + +He bisected to 84c6591103db ("locking/atomics, +asm-generic/bitops/lock.h: Rewrite using atomic_fetch_*()") + +This commit however only unmasked the real issue introduced by commit +4aef66c8ae9 ("locking/atomic, arch/arc: Fix build") which missed the +retry-if-scond-failed branch in atomic_fetch_##op() macros. + +The bisected commit started using atomic_fetch_##op() macros for building +the rest of atomics. + +Fixes: 4aef66c8ae9 ("locking/atomic, arch/arc: Fix build") +Reported-by: Eugeniy Paltsev +Acked-by: Peter Zijlstra (Intel) +Signed-off-by: Will Deacon +Signed-off-by: Vineet Gupta +[vgupta: wrote changelog] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arc/include/asm/atomic.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arc/include/asm/atomic.h ++++ b/arch/arc/include/asm/atomic.h +@@ -84,7 +84,7 @@ static inline int atomic_fetch_##op(int + "1: llock %[orig], [%[ctr]] \n" \ + " " #asm_op " %[val], %[orig], %[i] \n" \ + " scond %[val], [%[ctr]] \n" \ +- " \n" \ ++ " bnz 1b \n" \ + : [val] "=&r" (val), \ + [orig] "=&r" (orig) \ + : [ctr] "r" (&v->counter), \ diff --git a/queue-4.18/bpf-avoid-misuse-of-psock-when-tcp_ulp_bpf-collides-with-another-ulp.patch b/queue-4.18/bpf-avoid-misuse-of-psock-when-tcp_ulp_bpf-collides-with-another-ulp.patch new file mode 100644 index 00000000000..8fbc379164a --- /dev/null +++ b/queue-4.18/bpf-avoid-misuse-of-psock-when-tcp_ulp_bpf-collides-with-another-ulp.patch @@ -0,0 +1,70 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: John Fastabend +Date: Thu, 30 Aug 2018 21:25:02 -0700 +Subject: bpf: avoid misuse of psock when TCP_ULP_BPF collides with another ULP + +From: John Fastabend + +[ Upstream commit 597222f72a94118f593e4f32bf58ae7e049a0df1 ] + +Currently we check sk_user_data is non NULL to determine if the sk +exists in a map. However, this is not sufficient to ensure the psock +or the ULP ops are not in use by another user, such as kcm or TLS. To +avoid this when adding a sock to a map also verify it is of the +correct ULP type. Additionally, when releasing a psock verify that +it is the TCP_ULP_BPF type before releasing the ULP. The error case +where we abort an update due to ULP collision can cause this error +path. + +For example, + + __sock_map_ctx_update_elem() + [...] + err = tcp_set_ulp_id(sock, TCP_ULP_BPF) <- collides with TLS + if (err) <- so err out here + goto out_free + [...] + out_free: + smap_release_sock() <- calling tcp_cleanup_ulp releases the + TLS ULP incorrectly. + +Fixes: 2f857d04601a ("bpf: sockmap, remove STRPARSER map_flags and add multi-map support") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/sockmap.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/kernel/bpf/sockmap.c ++++ b/kernel/bpf/sockmap.c +@@ -1465,10 +1465,16 @@ static void smap_destroy_psock(struct rc + schedule_work(&psock->gc_work); + } + ++static bool psock_is_smap_sk(struct sock *sk) ++{ ++ return inet_csk(sk)->icsk_ulp_ops == &bpf_tcp_ulp_ops; ++} ++ + static void smap_release_sock(struct smap_psock *psock, struct sock *sock) + { + if (refcount_dec_and_test(&psock->refcnt)) { +- tcp_cleanup_ulp(sock); ++ if (psock_is_smap_sk(sock)) ++ tcp_cleanup_ulp(sock); + write_lock_bh(&sock->sk_callback_lock); + smap_stop_sock(psock, sock); + write_unlock_bh(&sock->sk_callback_lock); +@@ -1895,6 +1901,10 @@ static int __sock_map_ctx_update_elem(st + * doesn't update user data. + */ + if (psock) { ++ if (!psock_is_smap_sk(sock)) { ++ err = -EBUSY; ++ goto out_progs; ++ } + if (READ_ONCE(psock->bpf_parse) && parse) { + err = -EBUSY; + goto out_progs; diff --git a/queue-4.18/bpf-fix-bpf_msg_pull_data.patch b/queue-4.18/bpf-fix-bpf_msg_pull_data.patch new file mode 100644 index 00000000000..6bb7cf0cdce --- /dev/null +++ b/queue-4.18/bpf-fix-bpf_msg_pull_data.patch @@ -0,0 +1,57 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Tushar Dave +Date: Fri, 31 Aug 2018 23:45:16 +0200 +Subject: bpf: Fix bpf_msg_pull_data() + +From: Tushar Dave + +[ Upstream commit 9db39f4d4f94b61e4b64b077f6ddb2bdfb533a88 ] + +Helper bpf_msg_pull_data() mistakenly reuses variable 'offset' while +linearizing multiple scatterlist elements. Variable 'offset' is used +to find first starting scatterlist element + i.e. msg->data = sg_virt(&sg[first_sg]) + start - offset" + +Use different variable name while linearizing multiple scatterlist +elements so that value contained in variable 'offset' won't get +overwritten. + +Fixes: 015632bb30da ("bpf: sk_msg program helper bpf_sk_msg_pull_data") +Signed-off-by: Tushar Dave +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/core/filter.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2282,7 +2282,7 @@ static const struct bpf_func_proto bpf_m + BPF_CALL_4(bpf_msg_pull_data, + struct sk_msg_buff *, msg, u32, start, u32, end, u64, flags) + { +- unsigned int len = 0, offset = 0, copy = 0; ++ unsigned int len = 0, offset = 0, copy = 0, poffset = 0; + int bytes = end - start, bytes_sg_total; + struct scatterlist *sg = msg->sg_data; + int first_sg, last_sg, i, shift; +@@ -2338,16 +2338,15 @@ BPF_CALL_4(bpf_msg_pull_data, + if (unlikely(!page)) + return -ENOMEM; + p = page_address(page); +- offset = 0; + + i = first_sg; + do { + from = sg_virt(&sg[i]); + len = sg[i].length; +- to = p + offset; ++ to = p + poffset; + + memcpy(to, from, len); +- offset += len; ++ poffset += len; + sg[i].length = 0; + put_page(sg_page(&sg[i])); + diff --git a/queue-4.18/bpf-fix-msg-data-data_end-after-sg-shift-repair-in-bpf_msg_pull_data.patch b/queue-4.18/bpf-fix-msg-data-data_end-after-sg-shift-repair-in-bpf_msg_pull_data.patch new file mode 100644 index 00000000000..686a515af83 --- /dev/null +++ b/queue-4.18/bpf-fix-msg-data-data_end-after-sg-shift-repair-in-bpf_msg_pull_data.patch @@ -0,0 +1,74 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Daniel Borkmann +Date: Wed, 29 Aug 2018 16:50:34 +0200 +Subject: bpf: fix msg->data/data_end after sg shift repair in bpf_msg_pull_data + +From: Daniel Borkmann + +[ Upstream commit 0e06b227c5221dd51b5569de93f3b9f532be4a32 ] + +In the current code, msg->data is set as sg_virt(&sg[i]) + start - offset +and msg->data_end relative to it as msg->data + bytes. Using iterator i +to point to the updated starting scatterlist element holds true for some +cases, however not for all where we'd end up pointing out of bounds. It +is /correct/ for these ones: + +1) When first finding the starting scatterlist element (sge) where we + find that the page is already privately owned by the msg and where + the requested bytes and headroom fit into the sge's length. + +However, it's /incorrect/ for the following ones: + +2) After we made the requested area private and updated the newly allocated + page into first_sg slot of the scatterlist ring; when we find that no + shift repair of the ring is needed where we bail out updating msg->data + and msg->data_end. At that point i will point to last_sg, which in this + case is the next elem of first_sg in the ring. The sge at that point + might as well be invalid (e.g. i == msg->sg_end), which we use for + setting the range of sg_virt(&sg[i]). The correct one would have been + first_sg. + +3) Similar as in 2) but when we find that a shift repair of the ring is + needed. In this case we fix up all sges and stop once we've reached the + end. In this case i will point to will point to the new msg->sg_end, + and the sge at that point will be invalid. Again here the requested + range sits in first_sg. + +Fixes: 015632bb30da ("bpf: sk_msg program helper bpf_sk_msg_pull_data") +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/core/filter.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2300,6 +2300,7 @@ BPF_CALL_4(bpf_msg_pull_data, + if (unlikely(start >= offset + len)) + return -EINVAL; + ++ first_sg = i; + /* The start may point into the sg element so we need to also + * account for the headroom. + */ +@@ -2307,8 +2308,6 @@ BPF_CALL_4(bpf_msg_pull_data, + if (!msg->sg_copy[i] && bytes_sg_total <= len) + goto out; + +- first_sg = i; +- + /* At this point we need to linearize multiple scatterlist + * elements or a single shared page. Either way we need to + * copy into a linear buffer exclusively owned by BPF. Then +@@ -2390,7 +2389,7 @@ BPF_CALL_4(bpf_msg_pull_data, + if (msg->sg_end < 0) + msg->sg_end += MAX_SKB_FRAGS; + out: +- msg->data = sg_virt(&sg[i]) + start - offset; ++ msg->data = sg_virt(&sg[first_sg]) + start - offset; + msg->data_end = msg->data + bytes; + + return 0; diff --git a/queue-4.18/bpf-fix-several-offset-tests-in-bpf_msg_pull_data.patch b/queue-4.18/bpf-fix-several-offset-tests-in-bpf_msg_pull_data.patch new file mode 100644 index 00000000000..6442d31662b --- /dev/null +++ b/queue-4.18/bpf-fix-several-offset-tests-in-bpf_msg_pull_data.patch @@ -0,0 +1,108 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Daniel Borkmann +Date: Tue, 28 Aug 2018 16:15:35 +0200 +Subject: bpf: fix several offset tests in bpf_msg_pull_data + +From: Daniel Borkmann + +[ Upstream commit 5b24109b0563d45094c470684c1f8cea1af269f8 ] + +While recently going over bpf_msg_pull_data(), I noticed three +issues which are fixed in here: + +1) When we attempt to find the first scatterlist element (sge) + for the start offset, we add len to the offset before we check + for start < offset + len, whereas it should come after when + we iterate to the next sge to accumulate the offsets. For + example, given a start offset of 12 with a sge length of 8 + for the first sge in the list would lead us to determine this + sge as the first sge thinking it covers first 16 bytes where + start is located, whereas start sits in subsequent sges so + we would end up pulling in the wrong data. + +2) After figuring out the starting sge, we have a short-cut test + in !msg->sg_copy[i] && bytes <= len. This checks whether it's + not needed to make the page at the sge private where we can + just exit by updating msg->data and msg->data_end. However, + the length test is not fully correct. bytes <= len checks + whether the requested bytes (end - start offsets) fit into the + sge's length. The part that is missing is that start must not + be sge length aligned. Meaning, the start offset into the sge + needs to be accounted as well on top of the requested bytes + as otherwise we can access the sge out of bounds. For example + the sge could have length of 8, our requested bytes could have + length of 8, but at a start offset of 4, so we also would need + to pull in 4 bytes of the next sge, when we jump to the out + label we do set msg->data to sg_virt(&sg[i]) + start - offset + and msg->data_end to msg->data + bytes which would be oob. + +3) The subsequent bytes < copy test for finding the last sge has + the same issue as in point 2) but also it tests for less than + rather than less or equal to. Meaning if the sge length is of + 8 and requested bytes of 8 while having the start aligned with + the sge, we would unnecessarily go and pull in the next sge as + well to make it private. + +Fixes: 015632bb30da ("bpf: sk_msg program helper bpf_sk_msg_pull_data") +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/core/filter.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2276,10 +2276,10 @@ BPF_CALL_4(bpf_msg_pull_data, + struct sk_msg_buff *, msg, u32, start, u32, end, u64, flags) + { + unsigned int len = 0, offset = 0, copy = 0; ++ int bytes = end - start, bytes_sg_total; + struct scatterlist *sg = msg->sg_data; + int first_sg, last_sg, i, shift; + unsigned char *p, *to, *from; +- int bytes = end - start; + struct page *page; + + if (unlikely(flags || end <= start)) +@@ -2289,9 +2289,9 @@ BPF_CALL_4(bpf_msg_pull_data, + i = msg->sg_start; + do { + len = sg[i].length; +- offset += len; + if (start < offset + len) + break; ++ offset += len; + i++; + if (i == MAX_SKB_FRAGS) + i = 0; +@@ -2300,7 +2300,11 @@ BPF_CALL_4(bpf_msg_pull_data, + if (unlikely(start >= offset + len)) + return -EINVAL; + +- if (!msg->sg_copy[i] && bytes <= len) ++ /* The start may point into the sg element so we need to also ++ * account for the headroom. ++ */ ++ bytes_sg_total = start - offset + bytes; ++ if (!msg->sg_copy[i] && bytes_sg_total <= len) + goto out; + + first_sg = i; +@@ -2320,12 +2324,12 @@ BPF_CALL_4(bpf_msg_pull_data, + i++; + if (i == MAX_SKB_FRAGS) + i = 0; +- if (bytes < copy) ++ if (bytes_sg_total <= copy) + break; + } while (i != msg->sg_end); + last_sg = i; + +- if (unlikely(copy < end - start)) ++ if (unlikely(bytes_sg_total > copy)) + return -EINVAL; + + page = alloc_pages(__GFP_NOWARN | GFP_ATOMIC, get_order(copy)); diff --git a/queue-4.18/bpf-fix-sg-shift-repair-start-offset-in-bpf_msg_pull_data.patch b/queue-4.18/bpf-fix-sg-shift-repair-start-offset-in-bpf_msg_pull_data.patch new file mode 100644 index 00000000000..375f8a7feb1 --- /dev/null +++ b/queue-4.18/bpf-fix-sg-shift-repair-start-offset-in-bpf_msg_pull_data.patch @@ -0,0 +1,98 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Daniel Borkmann +Date: Wed, 29 Aug 2018 16:50:36 +0200 +Subject: bpf: fix sg shift repair start offset in bpf_msg_pull_data + +From: Daniel Borkmann + +[ Upstream commit a8cf76a9023bc6709b1361d06bb2fae5227b9d68 ] + +When we perform the sg shift repair for the scatterlist ring, we +currently start out at i = first_sg + 1. However, this is not +correct since the first_sg could point to the sge sitting at slot +MAX_SKB_FRAGS - 1, and a subsequent i = MAX_SKB_FRAGS will access +the scatterlist ring (sg) out of bounds. Add the sk_msg_iter_var() +helper for iterating through the ring, and apply the same rule +for advancing to the next ring element as we do elsewhere. Later +work will use this helper also in other places. + +Fixes: 015632bb30da ("bpf: sk_msg program helper bpf_sk_msg_pull_data") +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/core/filter.c | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2272,6 +2272,13 @@ static const struct bpf_func_proto bpf_m + .arg2_type = ARG_ANYTHING, + }; + ++#define sk_msg_iter_var(var) \ ++ do { \ ++ var++; \ ++ if (var == MAX_SKB_FRAGS) \ ++ var = 0; \ ++ } while (0) ++ + BPF_CALL_4(bpf_msg_pull_data, + struct sk_msg_buff *, msg, u32, start, u32, end, u64, flags) + { +@@ -2292,9 +2299,7 @@ BPF_CALL_4(bpf_msg_pull_data, + if (start < offset + len) + break; + offset += len; +- i++; +- if (i == MAX_SKB_FRAGS) +- i = 0; ++ sk_msg_iter_var(i); + } while (i != msg->sg_end); + + if (unlikely(start >= offset + len)) +@@ -2320,9 +2325,7 @@ BPF_CALL_4(bpf_msg_pull_data, + */ + do { + copy += sg[i].length; +- i++; +- if (i == MAX_SKB_FRAGS) +- i = 0; ++ sk_msg_iter_var(i); + if (bytes_sg_total <= copy) + break; + } while (i != msg->sg_end); +@@ -2348,9 +2351,7 @@ BPF_CALL_4(bpf_msg_pull_data, + sg[i].length = 0; + put_page(sg_page(&sg[i])); + +- i++; +- if (i == MAX_SKB_FRAGS) +- i = 0; ++ sk_msg_iter_var(i); + } while (i != last_sg); + + sg[first_sg].length = copy; +@@ -2367,7 +2368,8 @@ BPF_CALL_4(bpf_msg_pull_data, + if (!shift) + goto out; + +- i = first_sg + 1; ++ i = first_sg; ++ sk_msg_iter_var(i); + do { + int move_from; + +@@ -2384,9 +2386,7 @@ BPF_CALL_4(bpf_msg_pull_data, + sg[move_from].page_link = 0; + sg[move_from].offset = 0; + +- i++; +- if (i == MAX_SKB_FRAGS) +- i = 0; ++ sk_msg_iter_var(i); + } while (1); + msg->sg_end -= shift; + if (msg->sg_end < 0) diff --git a/queue-4.18/bpf-fix-shift-upon-scatterlist-ring-wrap-around-in-bpf_msg_pull_data.patch b/queue-4.18/bpf-fix-shift-upon-scatterlist-ring-wrap-around-in-bpf_msg_pull_data.patch new file mode 100644 index 00000000000..7d06c5a22b9 --- /dev/null +++ b/queue-4.18/bpf-fix-shift-upon-scatterlist-ring-wrap-around-in-bpf_msg_pull_data.patch @@ -0,0 +1,59 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Daniel Borkmann +Date: Wed, 29 Aug 2018 16:50:35 +0200 +Subject: bpf: fix shift upon scatterlist ring wrap-around in bpf_msg_pull_data + +From: Daniel Borkmann + +[ Upstream commit 2e43f95dd8ee62bc8bf57f2afac37fbd70c8d565 ] + +If first_sg and last_sg wraps around in the scatterlist ring, then we +need to account for that in the shift as well. E.g. crafting such msgs +where this is the case leads to a hang as shift becomes negative. E.g. +consider the following scenario: + + first_sg := 14 |=> shift := -12 msg->sg_start := 10 + last_sg := 3 | msg->sg_end := 5 + +round 1: i := 15, move_from := 3, sg[15] := sg[ 3] +round 2: i := 0, move_from := -12, sg[ 0] := sg[-12] +round 3: i := 1, move_from := -11, sg[ 1] := sg[-11] +round 4: i := 2, move_from := -10, sg[ 2] := sg[-10] +[...] +round 13: i := 11, move_from := -1, sg[ 2] := sg[ -1] +round 14: i := 12, move_from := 0, sg[ 2] := sg[ 0] +round 15: i := 13, move_from := 1, sg[ 2] := sg[ 1] +round 16: i := 14, move_from := 2, sg[ 2] := sg[ 2] +round 17: i := 15, move_from := 3, sg[ 2] := sg[ 3] +[...] + +This means we will loop forever and never hit the msg->sg_end condition +to break out of the loop. When we see that the ring wraps around, then +the shift should be MAX_SKB_FRAGS - first_sg + last_sg - 1. Meaning, +the remainder slots from the tail of the ring and the head until last_sg +combined. + +Fixes: 015632bb30da ("bpf: sk_msg program helper bpf_sk_msg_pull_data") +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/core/filter.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2360,7 +2360,10 @@ BPF_CALL_4(bpf_msg_pull_data, + * had a single entry though we can just replace it and + * be done. Otherwise walk the ring and shift the entries. + */ +- shift = last_sg - first_sg - 1; ++ WARN_ON_ONCE(last_sg == first_sg); ++ shift = last_sg > first_sg ? ++ last_sg - first_sg - 1 : ++ MAX_SKB_FRAGS - first_sg + last_sg - 1; + if (!shift) + goto out; + diff --git a/queue-4.18/bpf-sockmap-decrement-copied-count-correctly-in-redirect-error-case.patch b/queue-4.18/bpf-sockmap-decrement-copied-count-correctly-in-redirect-error-case.patch new file mode 100644 index 00000000000..e2527ded693 --- /dev/null +++ b/queue-4.18/bpf-sockmap-decrement-copied-count-correctly-in-redirect-error-case.patch @@ -0,0 +1,197 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: John Fastabend +Date: Fri, 24 Aug 2018 17:37:00 -0700 +Subject: bpf: sockmap, decrement copied count correctly in redirect error case + +From: John Fastabend + +[ Upstream commit 501ca81760c204ec59b73e4a00bee5971fc0f1b1 ] + +Currently, when a redirect occurs in sockmap and an error occurs in +the redirect call we unwind the scatterlist once in the error path +of bpf_tcp_sendmsg_do_redirect() and then again in sendmsg(). Then +in the error path of sendmsg we decrement the copied count by the +send size. + +However, its possible we partially sent data before the error was +generated. This can happen if do_tcp_sendpages() partially sends the +scatterlist before encountering a memory pressure error. If this +happens we need to decrement the copied value (the value tracking +how many bytes were actually sent to TCP stack) by the number of +remaining bytes _not_ the entire send size. Otherwise we risk +confusing userspace. + +Also we don't need two calls to free the scatterlist one is +good enough. So remove the one in bpf_tcp_sendmsg_do_redirect() and +then properly reduce copied by the number of remaining bytes which +may in fact be the entire send size if no bytes were sent. + +To do this use bool to indicate if free_start_sg() should do mem +accounting or not. + +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/sockmap.c | 45 ++++++++++++++++++++++----------------------- + 1 file changed, 22 insertions(+), 23 deletions(-) + +--- a/kernel/bpf/sockmap.c ++++ b/kernel/bpf/sockmap.c +@@ -236,7 +236,7 @@ static int bpf_tcp_init(struct sock *sk) + } + + static void smap_release_sock(struct smap_psock *psock, struct sock *sock); +-static int free_start_sg(struct sock *sk, struct sk_msg_buff *md); ++static int free_start_sg(struct sock *sk, struct sk_msg_buff *md, bool charge); + + static void bpf_tcp_release(struct sock *sk) + { +@@ -248,7 +248,7 @@ static void bpf_tcp_release(struct sock + goto out; + + if (psock->cork) { +- free_start_sg(psock->sock, psock->cork); ++ free_start_sg(psock->sock, psock->cork, true); + kfree(psock->cork); + psock->cork = NULL; + } +@@ -330,14 +330,14 @@ static void bpf_tcp_close(struct sock *s + close_fun = psock->save_close; + + if (psock->cork) { +- free_start_sg(psock->sock, psock->cork); ++ free_start_sg(psock->sock, psock->cork, true); + kfree(psock->cork); + psock->cork = NULL; + } + + list_for_each_entry_safe(md, mtmp, &psock->ingress, list) { + list_del(&md->list); +- free_start_sg(psock->sock, md); ++ free_start_sg(psock->sock, md, true); + kfree(md); + } + +@@ -570,14 +570,16 @@ static void free_bytes_sg(struct sock *s + md->sg_start = i; + } + +-static int free_sg(struct sock *sk, int start, struct sk_msg_buff *md) ++static int free_sg(struct sock *sk, int start, ++ struct sk_msg_buff *md, bool charge) + { + struct scatterlist *sg = md->sg_data; + int i = start, free = 0; + + while (sg[i].length) { + free += sg[i].length; +- sk_mem_uncharge(sk, sg[i].length); ++ if (charge) ++ sk_mem_uncharge(sk, sg[i].length); + if (!md->skb) + put_page(sg_page(&sg[i])); + sg[i].length = 0; +@@ -594,9 +596,9 @@ static int free_sg(struct sock *sk, int + return free; + } + +-static int free_start_sg(struct sock *sk, struct sk_msg_buff *md) ++static int free_start_sg(struct sock *sk, struct sk_msg_buff *md, bool charge) + { +- int free = free_sg(sk, md->sg_start, md); ++ int free = free_sg(sk, md->sg_start, md, charge); + + md->sg_start = md->sg_end; + return free; +@@ -604,7 +606,7 @@ static int free_start_sg(struct sock *sk + + static int free_curr_sg(struct sock *sk, struct sk_msg_buff *md) + { +- return free_sg(sk, md->sg_curr, md); ++ return free_sg(sk, md->sg_curr, md, true); + } + + static int bpf_map_msg_verdict(int _rc, struct sk_msg_buff *md) +@@ -718,7 +720,7 @@ static int bpf_tcp_ingress(struct sock * + list_add_tail(&r->list, &psock->ingress); + sk->sk_data_ready(sk); + } else { +- free_start_sg(sk, r); ++ free_start_sg(sk, r, true); + kfree(r); + } + +@@ -755,14 +757,10 @@ static int bpf_tcp_sendmsg_do_redirect(s + release_sock(sk); + } + smap_release_sock(psock, sk); +- if (unlikely(err)) +- goto out; +- return 0; ++ return err; + out_rcu: + rcu_read_unlock(); +-out: +- free_bytes_sg(NULL, send, md, false); +- return err; ++ return 0; + } + + static inline void bpf_md_init(struct smap_psock *psock) +@@ -825,7 +823,7 @@ more_data: + case __SK_PASS: + err = bpf_tcp_push(sk, send, m, flags, true); + if (unlikely(err)) { +- *copied -= free_start_sg(sk, m); ++ *copied -= free_start_sg(sk, m, true); + break; + } + +@@ -848,16 +846,17 @@ more_data: + lock_sock(sk); + + if (unlikely(err < 0)) { +- free_start_sg(sk, m); ++ int free = free_start_sg(sk, m, false); ++ + psock->sg_size = 0; + if (!cork) +- *copied -= send; ++ *copied -= free; + } else { + psock->sg_size -= send; + } + + if (cork) { +- free_start_sg(sk, m); ++ free_start_sg(sk, m, true); + psock->sg_size = 0; + kfree(m); + m = NULL; +@@ -1124,7 +1123,7 @@ wait_for_memory: + err = sk_stream_wait_memory(sk, &timeo); + if (err) { + if (m && m != psock->cork) +- free_start_sg(sk, m); ++ free_start_sg(sk, m, true); + goto out_err; + } + } +@@ -1583,13 +1582,13 @@ static void smap_gc_work(struct work_str + bpf_prog_put(psock->bpf_tx_msg); + + if (psock->cork) { +- free_start_sg(psock->sock, psock->cork); ++ free_start_sg(psock->sock, psock->cork, true); + kfree(psock->cork); + } + + list_for_each_entry_safe(md, mtmp, &psock->ingress, list) { + list_del(&md->list); +- free_start_sg(psock->sock, md); ++ free_start_sg(psock->sock, md, true); + kfree(md); + } + diff --git a/queue-4.18/bpf-sockmap-fix-potential-use-after-free-in-bpf_tcp_close.patch b/queue-4.18/bpf-sockmap-fix-potential-use-after-free-in-bpf_tcp_close.patch new file mode 100644 index 00000000000..97cd028ad58 --- /dev/null +++ b/queue-4.18/bpf-sockmap-fix-potential-use-after-free-in-bpf_tcp_close.patch @@ -0,0 +1,50 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Daniel Borkmann +Date: Fri, 24 Aug 2018 22:08:50 +0200 +Subject: bpf, sockmap: fix potential use after free in bpf_tcp_close + +From: Daniel Borkmann + +[ Upstream commit e06fa9c16ce4b740996189fa5610eabcee734e6c ] + +bpf_tcp_close() we pop the psock linkage to a map via psock_map_pop(). +A parallel update on the sock hash map can happen between psock_map_pop() +and lookup_elem_raw() where we override the element under link->hash / +link->key. In bpf_tcp_close()'s lookup_elem_raw() we subsequently only +test whether an element is present, but we do not test whether the +element is infact the element we were looking for. + +We lock the sock in bpf_tcp_close() during that time, so do we hold +the lock in sock_hash_update_elem(). However, the latter locks the +sock which is newly updated, not the one we're purging from the hash +table. This means that while one CPU is doing the lookup from bpf_tcp_close(), +another CPU is doing the map update in parallel, dropped our sock from +the hlist and released the psock. + +Subsequently the first CPU will find the new sock and attempts to drop +and release the old sock yet another time. Fix is that we need to check +the elements for a match after lookup, similar as we do in the sock map. +Note that the hash tab elems are freed via RCU, so access to their +link->hash / link->key is fine since we're under RCU read side there. + +Fixes: e9db4ef6bf4c ("bpf: sockhash fix omitted bucket lock in sock_close") +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/sockmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/bpf/sockmap.c ++++ b/kernel/bpf/sockmap.c +@@ -369,7 +369,7 @@ static void bpf_tcp_close(struct sock *s + /* If another thread deleted this object skip deletion. + * The refcnt on psock may or may not be zero. + */ +- if (l) { ++ if (l && l == link) { + hlist_del_rcu(&link->hash_node); + smap_release_sock(psock, link->sk); + free_htab_elem(htab, link); diff --git a/queue-4.18/bpf-sockmap-fix-psock-refcount-leak-in-bpf_tcp_recvmsg.patch b/queue-4.18/bpf-sockmap-fix-psock-refcount-leak-in-bpf_tcp_recvmsg.patch new file mode 100644 index 00000000000..24ac7334125 --- /dev/null +++ b/queue-4.18/bpf-sockmap-fix-psock-refcount-leak-in-bpf_tcp_recvmsg.patch @@ -0,0 +1,47 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Daniel Borkmann +Date: Fri, 24 Aug 2018 22:08:51 +0200 +Subject: bpf, sockmap: fix psock refcount leak in bpf_tcp_recvmsg + +From: Daniel Borkmann + +[ Upstream commit 15c480efab01197c965ce0562a43ffedd852b8f9 ] + +In bpf_tcp_recvmsg() we first took a reference on the psock, however +once we find that there are skbs in the normal socket's receive queue +we return with processing them through tcp_recvmsg(). Problem is that +we leak the taken reference on the psock in that path. Given we don't +really do anything with the psock at this point, move the skb_queue_empty() +test before we fetch the psock to fix this case. + +Fixes: 8934ce2fd081 ("bpf: sockmap redirect ingress support") +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/sockmap.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/kernel/bpf/sockmap.c ++++ b/kernel/bpf/sockmap.c +@@ -915,6 +915,8 @@ static int bpf_tcp_recvmsg(struct sock * + + if (unlikely(flags & MSG_ERRQUEUE)) + return inet_recv_error(sk, msg, len, addr_len); ++ if (!skb_queue_empty(&sk->sk_receive_queue)) ++ return tcp_recvmsg(sk, msg, len, nonblock, flags, addr_len); + + rcu_read_lock(); + psock = smap_psock_sk(sk); +@@ -925,9 +927,6 @@ static int bpf_tcp_recvmsg(struct sock * + goto out; + rcu_read_unlock(); + +- if (!skb_queue_empty(&sk->sk_receive_queue)) +- return tcp_recvmsg(sk, msg, len, nonblock, flags, addr_len); +- + lock_sock(sk); + bytes_ready: + while (copied != len) { diff --git a/queue-4.18/btrfs-btrfs_shrink_device-should-call-commit-transaction-at-the-end.patch b/queue-4.18/btrfs-btrfs_shrink_device-should-call-commit-transaction-at-the-end.patch new file mode 100644 index 00000000000..547911780fa --- /dev/null +++ b/queue-4.18/btrfs-btrfs_shrink_device-should-call-commit-transaction-at-the-end.patch @@ -0,0 +1,66 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Anand Jain +Date: Mon, 6 Aug 2018 18:12:37 +0800 +Subject: btrfs: btrfs_shrink_device should call commit transaction at the end + +From: Anand Jain + +[ Upstream commit 801660b040d132f67fac6a95910ad307c5929b49 ] + +Test case btrfs/164 reports use-after-free: + +[ 6712.084324] general protection fault: 0000 [#1] PREEMPT SMP +.. +[ 6712.195423] btrfs_update_commit_device_size+0x75/0xf0 [btrfs] +[ 6712.201424] btrfs_commit_transaction+0x57d/0xa90 [btrfs] +[ 6712.206999] btrfs_rm_device+0x627/0x850 [btrfs] +[ 6712.211800] btrfs_ioctl+0x2b03/0x3120 [btrfs] + +Reason for this is that btrfs_shrink_device adds the resized device to +the fs_devices::resized_devices after it has called the last commit +transaction. + +So the list fs_devices::resized_devices is not empty when +btrfs_shrink_device returns. Now the parent function +btrfs_rm_device calls: + + btrfs_close_bdev(device); + call_rcu(&device->rcu, free_device_rcu); + +and then does the transactio ncommit. It goes through the +fs_devices::resized_devices in btrfs_update_commit_device_size and +leads to use-after-free. + +Fix this by making sure btrfs_shrink_device calls the last needed +btrfs_commit_transaction before the return. This is consistent with what +the grow counterpart does and this makes sure the on-disk state is +persistent when the function returns. + +Reported-by: Lu Fengqi +Tested-by: Lu Fengqi +Signed-off-by: Anand Jain +Reviewed-by: David Sterba +[ update changelog ] +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -4584,7 +4584,12 @@ again: + + /* Now btrfs_update_device() will change the on-disk size. */ + ret = btrfs_update_device(trans, device); +- btrfs_end_transaction(trans); ++ if (ret < 0) { ++ btrfs_abort_transaction(trans, ret); ++ btrfs_end_transaction(trans); ++ } else { ++ ret = btrfs_commit_transaction(trans); ++ } + done: + btrfs_free_path(path); + if (ret) { diff --git a/queue-4.18/btrfs-fix-unexpected-failure-of-nocow-buffered-writes-after-snapshotting-when-low-on-space.patch b/queue-4.18/btrfs-fix-unexpected-failure-of-nocow-buffered-writes-after-snapshotting-when-low-on-space.patch new file mode 100644 index 00000000000..b883ad85e0b --- /dev/null +++ b/queue-4.18/btrfs-fix-unexpected-failure-of-nocow-buffered-writes-after-snapshotting-when-low-on-space.patch @@ -0,0 +1,219 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Robbie Ko +Date: Mon, 6 Aug 2018 10:30:30 +0800 +Subject: Btrfs: fix unexpected failure of nocow buffered writes after snapshotting when low on space + +From: Robbie Ko + +[ Upstream commit 8ecebf4d767e2307a946c8905278d6358eda35c3 ] + +Commit e9894fd3e3b3 ("Btrfs: fix snapshot vs nocow writting") forced +nocow writes to fallback to COW, during writeback, when a snapshot is +created. This resulted in writes made before creating the snapshot to +unexpectedly fail with ENOSPC during writeback when success (0) was +returned to user space through the write system call. + +The steps leading to this problem are: + +1. When it's not possible to allocate data space for a write, the + buffered write path checks if a NOCOW write is possible. If it is, + it will not reserve space and success (0) is returned to user space. + +2. Then when a snapshot is created, the root's will_be_snapshotted + atomic is incremented and writeback is triggered for all inode's that + belong to the root being snapshotted. Incrementing that atomic forces + all previous writes to fallback to COW during writeback (running + delalloc). + +3. This results in the writeback for the inodes to fail and therefore + setting the ENOSPC error in their mappings, so that a subsequent + fsync on them will report the error to user space. So it's not a + completely silent data loss (since fsync will report ENOSPC) but it's + a very unexpected and undesirable behaviour, because if a clean + shutdown/unmount of the filesystem happens without previous calls to + fsync, it is expected to have the data present in the files after + mounting the filesystem again. + +So fix this by adding a new atomic named snapshot_force_cow to the +root structure which prevents this behaviour and works the following way: + +1. It is incremented when we start to create a snapshot after triggering + writeback and before waiting for writeback to finish. + +2. This new atomic is now what is used by writeback (running delalloc) + to decide whether we need to fallback to COW or not. Because we + incremented this new atomic after triggering writeback in the + snapshot creation ioctl, we ensure that all buffered writes that + happened before snapshot creation will succeed and not fallback to + COW (which would make them fail with ENOSPC). + +3. The existing atomic, will_be_snapshotted, is kept because it is used + to force new buffered writes, that start after we started + snapshotting, to reserve data space even when NOCOW is possible. + This makes these writes fail early with ENOSPC when there's no + available space to allocate, preventing the unexpected behaviour of + writeback later failing with ENOSPC due to a fallback to COW mode. + +Fixes: e9894fd3e3b3 ("Btrfs: fix snapshot vs nocow writting") +Signed-off-by: Robbie Ko +Reviewed-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ctree.h | 1 + + fs/btrfs/disk-io.c | 1 + + fs/btrfs/inode.c | 25 ++++--------------------- + fs/btrfs/ioctl.c | 16 ++++++++++++++++ + 4 files changed, 22 insertions(+), 21 deletions(-) + +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -1277,6 +1277,7 @@ struct btrfs_root { + int send_in_progress; + struct btrfs_subvolume_writers *subv_writers; + atomic_t will_be_snapshotted; ++ atomic_t snapshot_force_cow; + + /* For qgroup metadata reserved space */ + spinlock_t qgroup_meta_rsv_lock; +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -1217,6 +1217,7 @@ static void __setup_root(struct btrfs_ro + atomic_set(&root->log_batch, 0); + refcount_set(&root->refs, 1); + atomic_set(&root->will_be_snapshotted, 0); ++ atomic_set(&root->snapshot_force_cow, 0); + root->log_transid = 0; + root->log_transid_committed = -1; + root->last_log_commit = 0; +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -1275,7 +1275,7 @@ static noinline int run_delalloc_nocow(s + u64 disk_num_bytes; + u64 ram_bytes; + int extent_type; +- int ret, err; ++ int ret; + int type; + int nocow; + int check_prev = 1; +@@ -1407,11 +1407,8 @@ next_slot: + * if there are pending snapshots for this root, + * we fall into common COW way. + */ +- if (!nolock) { +- err = btrfs_start_write_no_snapshotting(root); +- if (!err) +- goto out_check; +- } ++ if (!nolock && atomic_read(&root->snapshot_force_cow)) ++ goto out_check; + /* + * force cow if csum exists in the range. + * this ensure that csum for a given extent are +@@ -1420,9 +1417,6 @@ next_slot: + ret = csum_exist_in_range(fs_info, disk_bytenr, + num_bytes); + if (ret) { +- if (!nolock) +- btrfs_end_write_no_snapshotting(root); +- + /* + * ret could be -EIO if the above fails to read + * metadata. +@@ -1435,11 +1429,8 @@ next_slot: + WARN_ON_ONCE(nolock); + goto out_check; + } +- if (!btrfs_inc_nocow_writers(fs_info, disk_bytenr)) { +- if (!nolock) +- btrfs_end_write_no_snapshotting(root); ++ if (!btrfs_inc_nocow_writers(fs_info, disk_bytenr)) + goto out_check; +- } + nocow = 1; + } else if (extent_type == BTRFS_FILE_EXTENT_INLINE) { + extent_end = found_key.offset + +@@ -1453,8 +1444,6 @@ next_slot: + out_check: + if (extent_end <= start) { + path->slots[0]++; +- if (!nolock && nocow) +- btrfs_end_write_no_snapshotting(root); + if (nocow) + btrfs_dec_nocow_writers(fs_info, disk_bytenr); + goto next_slot; +@@ -1476,8 +1465,6 @@ out_check: + end, page_started, nr_written, 1, + NULL); + if (ret) { +- if (!nolock && nocow) +- btrfs_end_write_no_snapshotting(root); + if (nocow) + btrfs_dec_nocow_writers(fs_info, + disk_bytenr); +@@ -1497,8 +1484,6 @@ out_check: + ram_bytes, BTRFS_COMPRESS_NONE, + BTRFS_ORDERED_PREALLOC); + if (IS_ERR(em)) { +- if (!nolock && nocow) +- btrfs_end_write_no_snapshotting(root); + if (nocow) + btrfs_dec_nocow_writers(fs_info, + disk_bytenr); +@@ -1537,8 +1522,6 @@ out_check: + EXTENT_CLEAR_DATA_RESV, + PAGE_UNLOCK | PAGE_SET_PRIVATE2); + +- if (!nolock && nocow) +- btrfs_end_write_no_snapshotting(root); + cur_offset = extent_end; + + /* +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -761,6 +761,7 @@ static int create_snapshot(struct btrfs_ + struct btrfs_pending_snapshot *pending_snapshot; + struct btrfs_trans_handle *trans; + int ret; ++ bool snapshot_force_cow = false; + + if (!test_bit(BTRFS_ROOT_REF_COWS, &root->state)) + return -EINVAL; +@@ -777,6 +778,11 @@ static int create_snapshot(struct btrfs_ + goto free_pending; + } + ++ /* ++ * Force new buffered writes to reserve space even when NOCOW is ++ * possible. This is to avoid later writeback (running dealloc) to ++ * fallback to COW mode and unexpectedly fail with ENOSPC. ++ */ + atomic_inc(&root->will_be_snapshotted); + smp_mb__after_atomic(); + /* wait for no snapshot writes */ +@@ -787,6 +793,14 @@ static int create_snapshot(struct btrfs_ + if (ret) + goto dec_and_free; + ++ /* ++ * All previous writes have started writeback in NOCOW mode, so now ++ * we force future writes to fallback to COW mode during snapshot ++ * creation. ++ */ ++ atomic_inc(&root->snapshot_force_cow); ++ snapshot_force_cow = true; ++ + btrfs_wait_ordered_extents(root, U64_MAX, 0, (u64)-1); + + btrfs_init_block_rsv(&pending_snapshot->block_rsv, +@@ -851,6 +865,8 @@ static int create_snapshot(struct btrfs_ + fail: + btrfs_subvolume_release_metadata(fs_info, &pending_snapshot->block_rsv); + dec_and_free: ++ if (snapshot_force_cow) ++ atomic_dec(&root->snapshot_force_cow); + if (atomic_dec_and_test(&root->will_be_snapshotted)) + wake_up_var(&root->will_be_snapshotted); + free_pending: diff --git a/queue-4.18/ceph-avoid-a-use-after-free-in-ceph_destroy_options.patch b/queue-4.18/ceph-avoid-a-use-after-free-in-ceph_destroy_options.patch new file mode 100644 index 00000000000..78f2d81e3fe --- /dev/null +++ b/queue-4.18/ceph-avoid-a-use-after-free-in-ceph_destroy_options.patch @@ -0,0 +1,77 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Ilya Dryomov +Date: Fri, 24 Aug 2018 15:32:43 +0200 +Subject: ceph: avoid a use-after-free in ceph_destroy_options() + +From: Ilya Dryomov + +[ Upstream commit 8aaff15168cfbc7c8980fdb0e8a585f1afe56ec0 ] + +syzbot reported a use-after-free in ceph_destroy_options(), called from +ceph_mount(). The problem was that create_fs_client() consumed the opt +pointer on some errors, but not on all of them. Make sure it always +consumes both libceph and ceph options. + +Reported-by: syzbot+8ab6f1042021b4eed062@syzkaller.appspotmail.com +Signed-off-by: Ilya Dryomov +Reviewed-by: "Yan, Zheng" +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/super.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +--- a/fs/ceph/super.c ++++ b/fs/ceph/super.c +@@ -603,6 +603,8 @@ static int extra_mon_dispatch(struct cep + + /* + * create a new fs client ++ * ++ * Success or not, this function consumes @fsopt and @opt. + */ + static struct ceph_fs_client *create_fs_client(struct ceph_mount_options *fsopt, + struct ceph_options *opt) +@@ -610,17 +612,20 @@ static struct ceph_fs_client *create_fs_ + struct ceph_fs_client *fsc; + int page_count; + size_t size; +- int err = -ENOMEM; ++ int err; + + fsc = kzalloc(sizeof(*fsc), GFP_KERNEL); +- if (!fsc) +- return ERR_PTR(-ENOMEM); ++ if (!fsc) { ++ err = -ENOMEM; ++ goto fail; ++ } + + fsc->client = ceph_create_client(opt, fsc); + if (IS_ERR(fsc->client)) { + err = PTR_ERR(fsc->client); + goto fail; + } ++ opt = NULL; /* fsc->client now owns this */ + + fsc->client->extra_mon_dispatch = extra_mon_dispatch; + fsc->client->osdc.abort_on_full = true; +@@ -678,6 +683,9 @@ fail_client: + ceph_destroy_client(fsc->client); + fail: + kfree(fsc); ++ if (opt) ++ ceph_destroy_options(opt); ++ destroy_mount_options(fsopt); + return ERR_PTR(err); + } + +@@ -1042,8 +1050,6 @@ static struct dentry *ceph_mount(struct + fsc = create_fs_client(fsopt, opt); + if (IS_ERR(fsc)) { + res = ERR_CAST(fsc); +- destroy_mount_options(fsopt); +- ceph_destroy_options(opt); + goto out_final; + } + diff --git a/queue-4.18/cfg80211-fix-a-type-issue-in-ieee80211_chandef_to_operating_class.patch b/queue-4.18/cfg80211-fix-a-type-issue-in-ieee80211_chandef_to_operating_class.patch new file mode 100644 index 00000000000..d5b23c0d56b --- /dev/null +++ b/queue-4.18/cfg80211-fix-a-type-issue-in-ieee80211_chandef_to_operating_class.patch @@ -0,0 +1,41 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Dan Carpenter +Date: Fri, 31 Aug 2018 11:10:55 +0300 +Subject: cfg80211: fix a type issue in ieee80211_chandef_to_operating_class() + +From: Dan Carpenter + +[ Upstream commit 8442938c3a2177ba16043b3a935f2c78266ad399 ] + +The "chandef->center_freq1" variable is a u32 but "freq" is a u16 so we +are truncating away the high bits. I noticed this bug because in commit +9cf0a0b4b64a ("cfg80211: Add support for 60GHz band channels 5 and 6") +we made "freq <= 56160 + 2160 * 6" a valid requency when before it was +only "freq <= 56160 + 2160 * 4" that was valid. It introduces a static +checker warning: + + net/wireless/util.c:1571 ieee80211_chandef_to_operating_class() + warn: always true condition '(freq <= 56160 + 2160 * 6) => (0-u16max <= 69120)' + +But really we probably shouldn't have been truncating the high bits +away to begin with. + +Signed-off-by: Dan Carpenter +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -1374,7 +1374,7 @@ bool ieee80211_chandef_to_operating_clas + u8 *op_class) + { + u8 vht_opclass; +- u16 freq = chandef->center_freq1; ++ u32 freq = chandef->center_freq1; + + if (freq >= 2412 && freq <= 2472) { + if (chandef->width > NL80211_CHAN_WIDTH_40) diff --git a/queue-4.18/cfg80211-make-wmm_rule-part-of-the-reg_rule-structure.patch b/queue-4.18/cfg80211-make-wmm_rule-part-of-the-reg_rule-structure.patch new file mode 100644 index 00000000000..e723b39922a --- /dev/null +++ b/queue-4.18/cfg80211-make-wmm_rule-part-of-the-reg_rule-structure.patch @@ -0,0 +1,410 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Stanislaw Gruszka +Date: Wed, 22 Aug 2018 13:52:21 +0200 +Subject: cfg80211: make wmm_rule part of the reg_rule structure + +From: Stanislaw Gruszka + +[ Upstream commit 38cb87ee47fb825f6c9d645c019f75b3905c0ab2 ] + +Make wmm_rule be part of the reg_rule structure. This simplifies the +code a lot at the cost of having bigger memory usage. However in most +cases we have only few reg_rule's and when we do have many like in +iwlwifi we do not save memory as it allocates a separate wmm_rule for +each channel anyway. + +This also fixes a bug reported in various places where somewhere the +pointers were corrupted and we ended up doing a null-dereference. + +Fixes: 230ebaa189af ("cfg80211: read wmm rules from regulatory database") +Signed-off-by: Stanislaw Gruszka +[rephrase commit message slightly] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/iwl-nvm-parse.c | 50 +---------- + include/net/cfg80211.h | 4 + include/net/regulatory.h | 4 + net/mac80211/util.c | 8 - + net/wireless/nl80211.c | 10 +- + net/wireless/reg.c | 92 +++------------------ + 6 files changed, 32 insertions(+), 136 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/iwl-nvm-parse.c ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-nvm-parse.c +@@ -877,15 +877,12 @@ iwl_parse_nvm_mcc_info(struct device *de + const u8 *nvm_chan = cfg->nvm_type == IWL_NVM_EXT ? + iwl_ext_nvm_channels : iwl_nvm_channels; + struct ieee80211_regdomain *regd, *copy_rd; +- int size_of_regd, regd_to_copy, wmms_to_copy; +- int size_of_wmms = 0; ++ int size_of_regd, regd_to_copy; + struct ieee80211_reg_rule *rule; +- struct ieee80211_wmm_rule *wmm_rule, *d_wmm, *s_wmm; + struct regdb_ptrs *regdb_ptrs; + enum nl80211_band band; + int center_freq, prev_center_freq = 0; +- int valid_rules = 0, n_wmms = 0; +- int i; ++ int valid_rules = 0; + bool new_rule; + int max_num_ch = cfg->nvm_type == IWL_NVM_EXT ? + IWL_NVM_NUM_CHANNELS_EXT : IWL_NVM_NUM_CHANNELS; +@@ -904,11 +901,7 @@ iwl_parse_nvm_mcc_info(struct device *de + sizeof(struct ieee80211_regdomain) + + num_of_ch * sizeof(struct ieee80211_reg_rule); + +- if (geo_info & GEO_WMM_ETSI_5GHZ_INFO) +- size_of_wmms = +- num_of_ch * sizeof(struct ieee80211_wmm_rule); +- +- regd = kzalloc(size_of_regd + size_of_wmms, GFP_KERNEL); ++ regd = kzalloc(size_of_regd, GFP_KERNEL); + if (!regd) + return ERR_PTR(-ENOMEM); + +@@ -922,8 +915,6 @@ iwl_parse_nvm_mcc_info(struct device *de + regd->alpha2[0] = fw_mcc >> 8; + regd->alpha2[1] = fw_mcc & 0xff; + +- wmm_rule = (struct ieee80211_wmm_rule *)((u8 *)regd + size_of_regd); +- + for (ch_idx = 0; ch_idx < num_of_ch; ch_idx++) { + ch_flags = (u16)__le32_to_cpup(channels + ch_idx); + band = (ch_idx < NUM_2GHZ_CHANNELS) ? +@@ -977,26 +968,10 @@ iwl_parse_nvm_mcc_info(struct device *de + band == NL80211_BAND_2GHZ) + continue; + +- if (!reg_query_regdb_wmm(regd->alpha2, center_freq, +- ®db_ptrs[n_wmms].token, wmm_rule)) { +- /* Add only new rules */ +- for (i = 0; i < n_wmms; i++) { +- if (regdb_ptrs[i].token == +- regdb_ptrs[n_wmms].token) { +- rule->wmm_rule = regdb_ptrs[i].rule; +- break; +- } +- } +- if (i == n_wmms) { +- rule->wmm_rule = wmm_rule; +- regdb_ptrs[n_wmms++].rule = wmm_rule; +- wmm_rule++; +- } +- } ++ reg_query_regdb_wmm(regd->alpha2, center_freq, rule); + } + + regd->n_reg_rules = valid_rules; +- regd->n_wmm_rules = n_wmms; + + /* + * Narrow down regdom for unused regulatory rules to prevent hole +@@ -1005,28 +980,13 @@ iwl_parse_nvm_mcc_info(struct device *de + regd_to_copy = sizeof(struct ieee80211_regdomain) + + valid_rules * sizeof(struct ieee80211_reg_rule); + +- wmms_to_copy = sizeof(struct ieee80211_wmm_rule) * n_wmms; +- +- copy_rd = kzalloc(regd_to_copy + wmms_to_copy, GFP_KERNEL); ++ copy_rd = kzalloc(regd_to_copy, GFP_KERNEL); + if (!copy_rd) { + copy_rd = ERR_PTR(-ENOMEM); + goto out; + } + + memcpy(copy_rd, regd, regd_to_copy); +- memcpy((u8 *)copy_rd + regd_to_copy, (u8 *)regd + size_of_regd, +- wmms_to_copy); +- +- d_wmm = (struct ieee80211_wmm_rule *)((u8 *)copy_rd + regd_to_copy); +- s_wmm = (struct ieee80211_wmm_rule *)((u8 *)regd + size_of_regd); +- +- for (i = 0; i < regd->n_reg_rules; i++) { +- if (!regd->reg_rules[i].wmm_rule) +- continue; +- +- copy_rd->reg_rules[i].wmm_rule = d_wmm + +- (regd->reg_rules[i].wmm_rule - s_wmm); +- } + + out: + kfree(regdb_ptrs); +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -4763,8 +4763,8 @@ const char *reg_initiator_name(enum nl80 + * + * Return: 0 on success. -ENODATA. + */ +-int reg_query_regdb_wmm(char *alpha2, int freq, u32 *ptr, +- struct ieee80211_wmm_rule *rule); ++int reg_query_regdb_wmm(char *alpha2, int freq, ++ struct ieee80211_reg_rule *rule); + + /* + * callbacks for asynchronous cfg80211 methods, notification +--- a/include/net/regulatory.h ++++ b/include/net/regulatory.h +@@ -217,15 +217,15 @@ struct ieee80211_wmm_rule { + struct ieee80211_reg_rule { + struct ieee80211_freq_range freq_range; + struct ieee80211_power_rule power_rule; +- struct ieee80211_wmm_rule *wmm_rule; ++ struct ieee80211_wmm_rule wmm_rule; + u32 flags; + u32 dfs_cac_ms; ++ bool has_wmm; + }; + + struct ieee80211_regdomain { + struct rcu_head rcu_head; + u32 n_reg_rules; +- u32 n_wmm_rules; + char alpha2[3]; + enum nl80211_dfs_regions dfs_region; + struct ieee80211_reg_rule reg_rules[]; +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -1120,7 +1120,7 @@ void ieee80211_regulatory_limit_wmm_para + { + struct ieee80211_chanctx_conf *chanctx_conf; + const struct ieee80211_reg_rule *rrule; +- struct ieee80211_wmm_ac *wmm_ac; ++ const struct ieee80211_wmm_ac *wmm_ac; + u16 center_freq = 0; + + if (sdata->vif.type != NL80211_IFTYPE_AP && +@@ -1139,15 +1139,15 @@ void ieee80211_regulatory_limit_wmm_para + + rrule = freq_reg_info(sdata->wdev.wiphy, MHZ_TO_KHZ(center_freq)); + +- if (IS_ERR_OR_NULL(rrule) || !rrule->wmm_rule) { ++ if (IS_ERR_OR_NULL(rrule) || !rrule->has_wmm) { + rcu_read_unlock(); + return; + } + + if (sdata->vif.type == NL80211_IFTYPE_AP) +- wmm_ac = &rrule->wmm_rule->ap[ac]; ++ wmm_ac = &rrule->wmm_rule.ap[ac]; + else +- wmm_ac = &rrule->wmm_rule->client[ac]; ++ wmm_ac = &rrule->wmm_rule.client[ac]; + qparam->cw_min = max_t(u16, qparam->cw_min, wmm_ac->cw_min); + qparam->cw_max = max_t(u16, qparam->cw_max, wmm_ac->cw_max); + qparam->aifs = max_t(u8, qparam->aifs, wmm_ac->aifsn); +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -667,13 +667,13 @@ static int nl80211_msg_put_wmm_rules(str + goto nla_put_failure; + + if (nla_put_u16(msg, NL80211_WMMR_CW_MIN, +- rule->wmm_rule->client[j].cw_min) || ++ rule->wmm_rule.client[j].cw_min) || + nla_put_u16(msg, NL80211_WMMR_CW_MAX, +- rule->wmm_rule->client[j].cw_max) || ++ rule->wmm_rule.client[j].cw_max) || + nla_put_u8(msg, NL80211_WMMR_AIFSN, +- rule->wmm_rule->client[j].aifsn) || ++ rule->wmm_rule.client[j].aifsn) || + nla_put_u8(msg, NL80211_WMMR_TXOP, +- rule->wmm_rule->client[j].cot)) ++ rule->wmm_rule.client[j].cot)) + goto nla_put_failure; + + nla_nest_end(msg, nl_wmm_rule); +@@ -766,7 +766,7 @@ static int nl80211_msg_put_channel(struc + const struct ieee80211_reg_rule *rule = + freq_reg_info(wiphy, chan->center_freq); + +- if (!IS_ERR(rule) && rule->wmm_rule) { ++ if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) { + if (nl80211_msg_put_wmm_rules(msg, rule)) + goto nla_put_failure; + } +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -425,35 +425,23 @@ static const struct ieee80211_regdomain + reg_copy_regd(const struct ieee80211_regdomain *src_regd) + { + struct ieee80211_regdomain *regd; +- int size_of_regd, size_of_wmms; ++ int size_of_regd; + unsigned int i; +- struct ieee80211_wmm_rule *d_wmm, *s_wmm; + + size_of_regd = + sizeof(struct ieee80211_regdomain) + + src_regd->n_reg_rules * sizeof(struct ieee80211_reg_rule); +- size_of_wmms = src_regd->n_wmm_rules * +- sizeof(struct ieee80211_wmm_rule); + +- regd = kzalloc(size_of_regd + size_of_wmms, GFP_KERNEL); ++ regd = kzalloc(size_of_regd, GFP_KERNEL); + if (!regd) + return ERR_PTR(-ENOMEM); + + memcpy(regd, src_regd, sizeof(struct ieee80211_regdomain)); + +- d_wmm = (struct ieee80211_wmm_rule *)((u8 *)regd + size_of_regd); +- s_wmm = (struct ieee80211_wmm_rule *)((u8 *)src_regd + size_of_regd); +- memcpy(d_wmm, s_wmm, size_of_wmms); +- +- for (i = 0; i < src_regd->n_reg_rules; i++) { ++ for (i = 0; i < src_regd->n_reg_rules; i++) + memcpy(®d->reg_rules[i], &src_regd->reg_rules[i], + sizeof(struct ieee80211_reg_rule)); +- if (!src_regd->reg_rules[i].wmm_rule) +- continue; + +- regd->reg_rules[i].wmm_rule = d_wmm + +- (src_regd->reg_rules[i].wmm_rule - s_wmm); +- } + return regd; + } + +@@ -859,9 +847,10 @@ static bool valid_regdb(const u8 *data, + return true; + } + +-static void set_wmm_rule(struct ieee80211_wmm_rule *rule, ++static void set_wmm_rule(struct ieee80211_reg_rule *rrule, + struct fwdb_wmm_rule *wmm) + { ++ struct ieee80211_wmm_rule *rule = &rrule->wmm_rule; + unsigned int i; + + for (i = 0; i < IEEE80211_NUM_ACS; i++) { +@@ -875,11 +864,13 @@ static void set_wmm_rule(struct ieee8021 + rule->ap[i].aifsn = wmm->ap[i].aifsn; + rule->ap[i].cot = 1000 * be16_to_cpu(wmm->ap[i].cot); + } ++ ++ rrule->has_wmm = true; + } + + static int __regdb_query_wmm(const struct fwdb_header *db, + const struct fwdb_country *country, int freq, +- u32 *dbptr, struct ieee80211_wmm_rule *rule) ++ struct ieee80211_reg_rule *rule) + { + unsigned int ptr = be16_to_cpu(country->coll_ptr) << 2; + struct fwdb_collection *coll = (void *)((u8 *)db + ptr); +@@ -900,8 +891,6 @@ static int __regdb_query_wmm(const struc + wmm_ptr = be16_to_cpu(rrule->wmm_ptr) << 2; + wmm = (void *)((u8 *)db + wmm_ptr); + set_wmm_rule(rule, wmm); +- if (dbptr) +- *dbptr = wmm_ptr; + return 0; + } + } +@@ -909,8 +898,7 @@ static int __regdb_query_wmm(const struc + return -ENODATA; + } + +-int reg_query_regdb_wmm(char *alpha2, int freq, u32 *dbptr, +- struct ieee80211_wmm_rule *rule) ++int reg_query_regdb_wmm(char *alpha2, int freq, struct ieee80211_reg_rule *rule) + { + const struct fwdb_header *hdr = regdb; + const struct fwdb_country *country; +@@ -924,8 +912,7 @@ int reg_query_regdb_wmm(char *alpha2, in + country = &hdr->country[0]; + while (country->coll_ptr) { + if (alpha2_equal(alpha2, country->alpha2)) +- return __regdb_query_wmm(regdb, country, freq, dbptr, +- rule); ++ return __regdb_query_wmm(regdb, country, freq, rule); + + country++; + } +@@ -934,32 +921,13 @@ int reg_query_regdb_wmm(char *alpha2, in + } + EXPORT_SYMBOL(reg_query_regdb_wmm); + +-struct wmm_ptrs { +- struct ieee80211_wmm_rule *rule; +- u32 ptr; +-}; +- +-static struct ieee80211_wmm_rule *find_wmm_ptr(struct wmm_ptrs *wmm_ptrs, +- u32 wmm_ptr, int n_wmms) +-{ +- int i; +- +- for (i = 0; i < n_wmms; i++) { +- if (wmm_ptrs[i].ptr == wmm_ptr) +- return wmm_ptrs[i].rule; +- } +- return NULL; +-} +- + static int regdb_query_country(const struct fwdb_header *db, + const struct fwdb_country *country) + { + unsigned int ptr = be16_to_cpu(country->coll_ptr) << 2; + struct fwdb_collection *coll = (void *)((u8 *)db + ptr); + struct ieee80211_regdomain *regdom; +- struct ieee80211_regdomain *tmp_rd; +- unsigned int size_of_regd, i, n_wmms = 0; +- struct wmm_ptrs *wmm_ptrs; ++ unsigned int size_of_regd, i; + + size_of_regd = sizeof(struct ieee80211_regdomain) + + coll->n_rules * sizeof(struct ieee80211_reg_rule); +@@ -968,12 +936,6 @@ static int regdb_query_country(const str + if (!regdom) + return -ENOMEM; + +- wmm_ptrs = kcalloc(coll->n_rules, sizeof(*wmm_ptrs), GFP_KERNEL); +- if (!wmm_ptrs) { +- kfree(regdom); +- return -ENOMEM; +- } +- + regdom->n_reg_rules = coll->n_rules; + regdom->alpha2[0] = country->alpha2[0]; + regdom->alpha2[1] = country->alpha2[1]; +@@ -1012,37 +974,11 @@ static int regdb_query_country(const str + 1000 * be16_to_cpu(rule->cac_timeout); + if (rule->len >= offsetofend(struct fwdb_rule, wmm_ptr)) { + u32 wmm_ptr = be16_to_cpu(rule->wmm_ptr) << 2; +- struct ieee80211_wmm_rule *wmm_pos = +- find_wmm_ptr(wmm_ptrs, wmm_ptr, n_wmms); +- struct fwdb_wmm_rule *wmm; +- struct ieee80211_wmm_rule *wmm_rule; +- +- if (wmm_pos) { +- rrule->wmm_rule = wmm_pos; +- continue; +- } +- wmm = (void *)((u8 *)db + wmm_ptr); +- tmp_rd = krealloc(regdom, size_of_regd + (n_wmms + 1) * +- sizeof(struct ieee80211_wmm_rule), +- GFP_KERNEL); +- +- if (!tmp_rd) { +- kfree(regdom); +- kfree(wmm_ptrs); +- return -ENOMEM; +- } +- regdom = tmp_rd; +- +- wmm_rule = (struct ieee80211_wmm_rule *) +- ((u8 *)regdom + size_of_regd + n_wmms * +- sizeof(struct ieee80211_wmm_rule)); +- +- set_wmm_rule(wmm_rule, wmm); +- wmm_ptrs[n_wmms].ptr = wmm_ptr; +- wmm_ptrs[n_wmms++].rule = wmm_rule; ++ struct fwdb_wmm_rule *wmm = (void *)((u8 *)db + wmm_ptr); ++ ++ set_wmm_rule(rrule, wmm); + } + } +- kfree(wmm_ptrs); + + return reg_schedule_apply(regdom); + } diff --git a/queue-4.18/cfg80211-nl80211_update_ft_ies-to-validate-nl80211_attr_ie.patch b/queue-4.18/cfg80211-nl80211_update_ft_ies-to-validate-nl80211_attr_ie.patch new file mode 100644 index 00000000000..ec9e6aa3604 --- /dev/null +++ b/queue-4.18/cfg80211-nl80211_update_ft_ies-to-validate-nl80211_attr_ie.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Arunk Khandavalli +Date: Thu, 30 Aug 2018 00:40:16 +0300 +Subject: cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE + +From: Arunk Khandavalli + +[ Upstream commit 4f0223bfe9c3e62d8f45a85f1ef1b18a8a263ef9 ] + +nl80211_update_ft_ies() tried to validate NL80211_ATTR_IE with +is_valid_ie_attr() before dereferencing it, but that helper function +returns true in case of NULL pointer (i.e., attribute not included). +This can result to dereferencing a NULL pointer. Fix that by explicitly +checking that NL80211_ATTR_IE is included. + +Fixes: 355199e02b83 ("cfg80211: Extend support for IEEE 802.11r Fast BSS Transition") +Signed-off-by: Arunk Khandavalli +Signed-off-by: Jouni Malinen +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/nl80211.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -12099,6 +12099,7 @@ static int nl80211_update_ft_ies(struct + return -EOPNOTSUPP; + + if (!info->attrs[NL80211_ATTR_MDID] || ++ !info->attrs[NL80211_ATTR_IE] || + !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE])) + return -EINVAL; + diff --git a/queue-4.18/cfg80211-remove-division-by-size-of-sizeof-struct-ieee80211_wmm_rule.patch b/queue-4.18/cfg80211-remove-division-by-size-of-sizeof-struct-ieee80211_wmm_rule.patch new file mode 100644 index 00000000000..295676e1128 --- /dev/null +++ b/queue-4.18/cfg80211-remove-division-by-size-of-sizeof-struct-ieee80211_wmm_rule.patch @@ -0,0 +1,34 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Johannes Berg +Date: Mon, 18 Jun 2018 09:29:57 +0200 +Subject: cfg80211: remove division by size of sizeof(struct ieee80211_wmm_rule) + +From: Johannes Berg + +[ Upstream commit 8a54d8fc160e67ad485d95a0322ce1221f80770a ] + +Pointer arithmetic already adjusts by the size of the struct, +so the sizeof() calculation is wrong. This is basically the +same as Colin King's patch for similar code in the iwlwifi +driver. + +Fixes: 230ebaa189af ("cfg80211: read wmm rules from regulatory database") +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/reg.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -452,8 +452,7 @@ reg_copy_regd(const struct ieee80211_reg + continue; + + regd->reg_rules[i].wmm_rule = d_wmm + +- (src_regd->reg_rules[i].wmm_rule - s_wmm) / +- sizeof(struct ieee80211_wmm_rule); ++ (src_regd->reg_rules[i].wmm_rule - s_wmm); + } + return regd; + } diff --git a/queue-4.18/firmware-arm_scmi-fix-divide-by-zero-when-sustained_perf_level-is-zero.patch b/queue-4.18/firmware-arm_scmi-fix-divide-by-zero-when-sustained_perf_level-is-zero.patch new file mode 100644 index 00000000000..20ce28968be --- /dev/null +++ b/queue-4.18/firmware-arm_scmi-fix-divide-by-zero-when-sustained_perf_level-is-zero.patch @@ -0,0 +1,44 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Sudeep Holla +Date: Thu, 6 Sep 2018 16:10:39 +0100 +Subject: firmware: arm_scmi: fix divide by zero when sustained_perf_level is zero + +From: Sudeep Holla + +[ Upstream commit 96d529bac562574600eda85726fcfa3eef6dde8e ] + +Firmware can provide zero as values for sustained performance level and +corresponding sustained frequency in kHz in order to hide the actual +frequencies and provide only abstract values. It may endup with divide +by zero scenario resulting in kernel panic. + +Let's set the multiplication factor to one if either one or both of them +(sustained_perf_level and sustained_freq) are set to zero. + +Fixes: a9e3fbfaa0ff ("firmware: arm_scmi: add initial support for performance protocol") +Reported-by: Ionela Voinescu +Signed-off-by: Sudeep Holla +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/arm_scmi/perf.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/firmware/arm_scmi/perf.c ++++ b/drivers/firmware/arm_scmi/perf.c +@@ -166,7 +166,13 @@ scmi_perf_domain_attributes_get(const st + le32_to_cpu(attr->sustained_freq_khz); + dom_info->sustained_perf_level = + le32_to_cpu(attr->sustained_perf_level); +- dom_info->mult_factor = (dom_info->sustained_freq_khz * 1000) / ++ if (!dom_info->sustained_freq_khz || ++ !dom_info->sustained_perf_level) ++ /* CPUFreq converts to kHz, hence default 1000 */ ++ dom_info->mult_factor = 1000; ++ else ++ dom_info->mult_factor = ++ (dom_info->sustained_freq_khz * 1000) / + dom_info->sustained_perf_level; + memcpy(dom_info->name, attr->name, SCMI_MAX_STR_SIZE); + } diff --git a/queue-4.18/fs-cifs-don-t-translate-sfm_slash-u-f026-to-backslash.patch b/queue-4.18/fs-cifs-don-t-translate-sfm_slash-u-f026-to-backslash.patch new file mode 100644 index 00000000000..87a475465df --- /dev/null +++ b/queue-4.18/fs-cifs-don-t-translate-sfm_slash-u-f026-to-backslash.patch @@ -0,0 +1,44 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Jon Kuhn +Date: Mon, 9 Jul 2018 14:33:14 +0000 +Subject: fs/cifs: don't translate SFM_SLASH (U+F026) to backslash + +From: Jon Kuhn + +[ Upstream commit c15e3f19a6d5c89b1209dc94b40e568177cb0921 ] + +When a Mac client saves an item containing a backslash to a file server +the backslash is represented in the CIFS/SMB protocol as as U+F026. +Before this change, listing a directory containing an item with a +backslash in its name will return that item with the backslash +represented with a true backslash character (U+005C) because +convert_sfm_character mapped U+F026 to U+005C when interpretting the +CIFS/SMB protocol response. However, attempting to open or stat the +path using a true backslash will result in an error because +convert_to_sfm_char does not map U+005C back to U+F026 causing the +CIFS/SMB request to be made with the backslash represented as U+005C. + +This change simply prevents the U+F026 to U+005C conversion from +happenning. This is analogous to how the code does not do any +translation of UNI_SLASH (U+F000). + +Signed-off-by: Jon Kuhn +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifs_unicode.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/fs/cifs/cifs_unicode.c ++++ b/fs/cifs/cifs_unicode.c +@@ -105,9 +105,6 @@ convert_sfm_char(const __u16 src_char, c + case SFM_LESSTHAN: + *target = '<'; + break; +- case SFM_SLASH: +- *target = '\\'; +- break; + case SFM_SPACE: + *target = ' '; + break; diff --git a/queue-4.18/fsnotify-fix-ignore-mask-logic-in-fsnotify.patch b/queue-4.18/fsnotify-fix-ignore-mask-logic-in-fsnotify.patch new file mode 100644 index 00000000000..91ccdffc741 --- /dev/null +++ b/queue-4.18/fsnotify-fix-ignore-mask-logic-in-fsnotify.patch @@ -0,0 +1,55 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Amir Goldstein +Date: Sat, 1 Sep 2018 09:40:01 +0300 +Subject: fsnotify: fix ignore mask logic in fsnotify() + +From: Amir Goldstein + +[ Upstream commit 9bdda4e9cf2dcecb60a0683b10ffb8cd7e5f2f45 ] + +Commit 92183a42898d ("fsnotify: fix ignore mask logic in +send_to_group()") acknoledges the use case of ignoring an event on +an inode mark, because of an ignore mask on a mount mark of the same +group (i.e. I want to get all events on this file, except for the events +that came from that mount). + +This change depends on correctly merging the inode marks and mount marks +group lists, so that the mount mark ignore mask would be tested in +send_to_group(). Alas, the merging of the lists did not take into +account the case where event in question is not in the mask of any of +the mount marks. + +To fix this, completely remove the tests for inode and mount event masks +from the lists merging code. + +Fixes: 92183a42898d ("fsnotify: fix ignore mask logic in send_to_group") +Signed-off-by: Amir Goldstein +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/notify/fsnotify.c | 13 +++---------- + 1 file changed, 3 insertions(+), 10 deletions(-) + +--- a/fs/notify/fsnotify.c ++++ b/fs/notify/fsnotify.c +@@ -351,16 +351,9 @@ int fsnotify(struct inode *to_tell, __u3 + + iter_info.srcu_idx = srcu_read_lock(&fsnotify_mark_srcu); + +- if ((mask & FS_MODIFY) || +- (test_mask & to_tell->i_fsnotify_mask)) { +- iter_info.marks[FSNOTIFY_OBJ_TYPE_INODE] = +- fsnotify_first_mark(&to_tell->i_fsnotify_marks); +- } +- +- if (mnt && ((mask & FS_MODIFY) || +- (test_mask & mnt->mnt_fsnotify_mask))) { +- iter_info.marks[FSNOTIFY_OBJ_TYPE_INODE] = +- fsnotify_first_mark(&to_tell->i_fsnotify_marks); ++ iter_info.marks[FSNOTIFY_OBJ_TYPE_INODE] = ++ fsnotify_first_mark(&to_tell->i_fsnotify_marks); ++ if (mnt) { + iter_info.marks[FSNOTIFY_OBJ_TYPE_VFSMOUNT] = + fsnotify_first_mark(&mnt->mnt_fsnotify_marks); + } diff --git a/queue-4.18/gpio-adp5588-fix-sleep-in-atomic-context-bug.patch b/queue-4.18/gpio-adp5588-fix-sleep-in-atomic-context-bug.patch new file mode 100644 index 00000000000..97b2642e0fd --- /dev/null +++ b/queue-4.18/gpio-adp5588-fix-sleep-in-atomic-context-bug.patch @@ -0,0 +1,76 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Michael Hennerich +Date: Mon, 13 Aug 2018 15:57:44 +0200 +Subject: gpio: adp5588: Fix sleep-in-atomic-context bug + +From: Michael Hennerich + +[ Upstream commit 6537886cdc9a637711fd6da980dbb87c2c87c9aa ] + +This fixes: +[BUG] gpio: gpio-adp5588: A possible sleep-in-atomic-context bug + in adp5588_gpio_write() +[BUG] gpio: gpio-adp5588: A possible sleep-in-atomic-context bug + in adp5588_gpio_direction_input() + +Reported-by: Jia-Ju Bai +Signed-off-by: Michael Hennerich +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-adp5588.c | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +--- a/drivers/gpio/gpio-adp5588.c ++++ b/drivers/gpio/gpio-adp5588.c +@@ -41,6 +41,8 @@ struct adp5588_gpio { + uint8_t int_en[3]; + uint8_t irq_mask[3]; + uint8_t irq_stat[3]; ++ uint8_t int_input_en[3]; ++ uint8_t int_lvl_cached[3]; + }; + + static int adp5588_gpio_read(struct i2c_client *client, u8 reg) +@@ -173,12 +175,28 @@ static void adp5588_irq_bus_sync_unlock( + struct adp5588_gpio *dev = irq_data_get_irq_chip_data(d); + int i; + +- for (i = 0; i <= ADP5588_BANK(ADP5588_MAXGPIO); i++) ++ for (i = 0; i <= ADP5588_BANK(ADP5588_MAXGPIO); i++) { ++ if (dev->int_input_en[i]) { ++ mutex_lock(&dev->lock); ++ dev->dir[i] &= ~dev->int_input_en[i]; ++ dev->int_input_en[i] = 0; ++ adp5588_gpio_write(dev->client, GPIO_DIR1 + i, ++ dev->dir[i]); ++ mutex_unlock(&dev->lock); ++ } ++ ++ if (dev->int_lvl_cached[i] != dev->int_lvl[i]) { ++ dev->int_lvl_cached[i] = dev->int_lvl[i]; ++ adp5588_gpio_write(dev->client, GPIO_INT_LVL1 + i, ++ dev->int_lvl[i]); ++ } ++ + if (dev->int_en[i] ^ dev->irq_mask[i]) { + dev->int_en[i] = dev->irq_mask[i]; + adp5588_gpio_write(dev->client, GPIO_INT_EN1 + i, + dev->int_en[i]); + } ++ } + + mutex_unlock(&dev->irq_lock); + } +@@ -221,9 +239,7 @@ static int adp5588_irq_set_type(struct i + else + return -EINVAL; + +- adp5588_gpio_direction_input(&dev->gpio_chip, gpio); +- adp5588_gpio_write(dev->client, GPIO_INT_LVL1 + bank, +- dev->int_lvl[bank]); ++ dev->int_input_en[bank] |= bit; + + return 0; + } diff --git a/queue-4.18/gpio-dwapb-fix-error-handling-in-dwapb_gpio_probe.patch b/queue-4.18/gpio-dwapb-fix-error-handling-in-dwapb_gpio_probe.patch new file mode 100644 index 00000000000..53418e2b3f6 --- /dev/null +++ b/queue-4.18/gpio-dwapb-fix-error-handling-in-dwapb_gpio_probe.patch @@ -0,0 +1,32 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Alexey Khoroshilov +Date: Tue, 28 Aug 2018 23:40:26 +0300 +Subject: gpio: dwapb: Fix error handling in dwapb_gpio_probe() + +From: Alexey Khoroshilov + +[ Upstream commit a618cf4800970d260871c159b7eec014a1da2e81 ] + +If dwapb_gpio_add_port() fails in dwapb_gpio_probe(), +gpio->clk is left undisabled. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-dwapb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpio/gpio-dwapb.c ++++ b/drivers/gpio/gpio-dwapb.c +@@ -726,6 +726,7 @@ static int dwapb_gpio_probe(struct platf + out_unregister: + dwapb_gpio_unregister(gpio); + dwapb_irq_teardown(gpio); ++ clk_disable_unprepare(gpio->clk); + + return err; + } diff --git a/queue-4.18/gpio-fix-crash-due-to-registration-race.patch b/queue-4.18/gpio-fix-crash-due-to-registration-race.patch new file mode 100644 index 00000000000..4e404d1c900 --- /dev/null +++ b/queue-4.18/gpio-fix-crash-due-to-registration-race.patch @@ -0,0 +1,68 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Vincent Whitchurch +Date: Fri, 31 Aug 2018 09:04:18 +0200 +Subject: gpio: Fix crash due to registration race + +From: Vincent Whitchurch + +[ Upstream commit d49b48f088c323dbacae44dfbe56d9c985c8a2a1 ] + +gpiochip_add_data_with_key() adds the gpiochip to the gpio_devices list +before of_gpiochip_add() is called, but it's only the latter which sets +the ->of_xlate function pointer. gpiochip_find() can be called by +someone else between these two actions, and it can find the chip and +call of_gpiochip_match_node_and_xlate() which leads to the following +crash due to a NULL ->of_xlate(). + + Unhandled prefetch abort: page domain fault (0x01b) at 0x00000000 + Modules linked in: leds_gpio(+) gpio_generic(+) + CPU: 0 PID: 830 Comm: insmod Not tainted 4.18.0+ #43 + Hardware name: ARM-Versatile Express + PC is at (null) + LR is at of_gpiochip_match_node_and_xlate+0x2c/0x38 + Process insmod (pid: 830, stack limit = 0x(ptrval)) + (of_gpiochip_match_node_and_xlate) from (gpiochip_find+0x48/0x84) + (gpiochip_find) from (of_get_named_gpiod_flags+0xa8/0x238) + (of_get_named_gpiod_flags) from (gpiod_get_from_of_node+0x2c/0xc8) + (gpiod_get_from_of_node) from (devm_fwnode_get_index_gpiod_from_child+0xb8/0x144) + (devm_fwnode_get_index_gpiod_from_child) from (gpio_led_probe+0x208/0x3c4 [leds_gpio]) + (gpio_led_probe [leds_gpio]) from (platform_drv_probe+0x48/0x9c) + (platform_drv_probe) from (really_probe+0x1d0/0x3d4) + (really_probe) from (driver_probe_device+0x78/0x1c0) + (driver_probe_device) from (__driver_attach+0x120/0x13c) + (__driver_attach) from (bus_for_each_dev+0x68/0xb4) + (bus_for_each_dev) from (bus_add_driver+0x1a8/0x268) + (bus_add_driver) from (driver_register+0x78/0x10c) + (driver_register) from (do_one_initcall+0x54/0x1fc) + (do_one_initcall) from (do_init_module+0x64/0x1f4) + (do_init_module) from (load_module+0x2198/0x26ac) + (load_module) from (sys_finit_module+0xe0/0x110) + (sys_finit_module) from (ret_fast_syscall+0x0/0x54) + +One way to fix this would be to rework the hairy registration sequence +in gpiochip_add_data_with_key(), but since I'd probably introduce a +couple of new bugs if I attempted that, simply add a check for a +non-NULL of_xlate function pointer in +of_gpiochip_match_node_and_xlate(). This works since the driver looking +for the gpio will simply fail to find the gpio and defer its probe and +be reprobed when the driver which is registering the gpiochip has fully +completed its probe. + +Signed-off-by: Vincent Whitchurch +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpiolib-of.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -31,6 +31,7 @@ static int of_gpiochip_match_node_and_xl + struct of_phandle_args *gpiospec = data; + + return chip->gpiodev->dev.of_node == gpiospec->np && ++ chip->of_xlate && + chip->of_xlate(chip, gpiospec, NULL) >= 0; + } + diff --git a/queue-4.18/gpiolib-acpi-register-gpioint-acpi-event-handlers-from-a-late_initcall.patch b/queue-4.18/gpiolib-acpi-register-gpioint-acpi-event-handlers-from-a-late_initcall.patch new file mode 100644 index 00000000000..f35ec0c85bf --- /dev/null +++ b/queue-4.18/gpiolib-acpi-register-gpioint-acpi-event-handlers-from-a-late_initcall.patch @@ -0,0 +1,202 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Hans de Goede +Date: Tue, 14 Aug 2018 16:07:03 +0200 +Subject: gpiolib-acpi: Register GpioInt ACPI event handlers from a late_initcall + +From: Hans de Goede + +[ Upstream commit 78d3a92edbfb02e8cb83173cad84c3f2d5e1f070 ] + +GpioInt ACPI event handlers may see there IRQ triggered immediately +after requesting the IRQ (esp. level triggered ones). This means that they +may run before any other (builtin) drivers have had a chance to register +their OpRegion handlers, leading to errors like this: + +[ 1.133274] ACPI Error: No handler for Region [PMOP] ((____ptrval____)) [UserDefinedRegion] (20180531/evregion-132) +[ 1.133286] ACPI Error: Region UserDefinedRegion (ID=141) has no handler (20180531/exfldio-265) +[ 1.133297] ACPI Error: Method parse/execution failed \_SB.GPO2._L01, AE_NOT_EXIST (20180531/psparse-516) + +We already defer the manual initial trigger of edge triggered interrupts +by running it from a late_initcall handler, this commit replaces this with +deferring the entire acpi_gpiochip_request_interrupts() call till then, +fixing the problem of some OpRegions not being registered yet. + +Note that this removes the need to have a list of edge triggered handlers +which need to run, since the entire acpi_gpiochip_request_interrupts() call +is now delayed, acpi_gpiochip_request_interrupt() can call these directly +now. + +Acked-by: Mika Westerberg +Signed-off-by: Hans de Goede +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpiolib-acpi.c | 84 +++++++++++++++++++++++++------------------- + 1 file changed, 49 insertions(+), 35 deletions(-) + +--- a/drivers/gpio/gpiolib-acpi.c ++++ b/drivers/gpio/gpiolib-acpi.c +@@ -25,7 +25,6 @@ + + struct acpi_gpio_event { + struct list_head node; +- struct list_head initial_sync_list; + acpi_handle handle; + unsigned int pin; + unsigned int irq; +@@ -49,10 +48,19 @@ struct acpi_gpio_chip { + struct mutex conn_lock; + struct gpio_chip *chip; + struct list_head events; ++ struct list_head deferred_req_irqs_list_entry; + }; + +-static LIST_HEAD(acpi_gpio_initial_sync_list); +-static DEFINE_MUTEX(acpi_gpio_initial_sync_list_lock); ++/* ++ * For gpiochips which call acpi_gpiochip_request_interrupts() before late_init ++ * (so builtin drivers) we register the ACPI GpioInt event handlers from a ++ * late_initcall_sync handler, so that other builtin drivers can register their ++ * OpRegions before the event handlers can run. This list contains gpiochips ++ * for which the acpi_gpiochip_request_interrupts() has been deferred. ++ */ ++static DEFINE_MUTEX(acpi_gpio_deferred_req_irqs_lock); ++static LIST_HEAD(acpi_gpio_deferred_req_irqs_list); ++static bool acpi_gpio_deferred_req_irqs_done; + + static int acpi_gpiochip_find(struct gpio_chip *gc, void *data) + { +@@ -89,21 +97,6 @@ static struct gpio_desc *acpi_get_gpiod( + return gpiochip_get_desc(chip, pin); + } + +-static void acpi_gpio_add_to_initial_sync_list(struct acpi_gpio_event *event) +-{ +- mutex_lock(&acpi_gpio_initial_sync_list_lock); +- list_add(&event->initial_sync_list, &acpi_gpio_initial_sync_list); +- mutex_unlock(&acpi_gpio_initial_sync_list_lock); +-} +- +-static void acpi_gpio_del_from_initial_sync_list(struct acpi_gpio_event *event) +-{ +- mutex_lock(&acpi_gpio_initial_sync_list_lock); +- if (!list_empty(&event->initial_sync_list)) +- list_del_init(&event->initial_sync_list); +- mutex_unlock(&acpi_gpio_initial_sync_list_lock); +-} +- + static irqreturn_t acpi_gpio_irq_handler(int irq, void *data) + { + struct acpi_gpio_event *event = data; +@@ -229,7 +222,6 @@ static acpi_status acpi_gpiochip_request + event->irq = irq; + event->pin = pin; + event->desc = desc; +- INIT_LIST_HEAD(&event->initial_sync_list); + + ret = request_threaded_irq(event->irq, NULL, handler, irqflags, + "ACPI:Event", event); +@@ -251,10 +243,9 @@ static acpi_status acpi_gpiochip_request + * may refer to OperationRegions from other (builtin) drivers which + * may be probed after us. + */ +- if (handler == acpi_gpio_irq_handler && +- (((irqflags & IRQF_TRIGGER_RISING) && value == 1) || +- ((irqflags & IRQF_TRIGGER_FALLING) && value == 0))) +- acpi_gpio_add_to_initial_sync_list(event); ++ if (((irqflags & IRQF_TRIGGER_RISING) && value == 1) || ++ ((irqflags & IRQF_TRIGGER_FALLING) && value == 0)) ++ handler(event->irq, event); + + return AE_OK; + +@@ -283,6 +274,7 @@ void acpi_gpiochip_request_interrupts(st + struct acpi_gpio_chip *acpi_gpio; + acpi_handle handle; + acpi_status status; ++ bool defer; + + if (!chip->parent || !chip->to_irq) + return; +@@ -295,6 +287,16 @@ void acpi_gpiochip_request_interrupts(st + if (ACPI_FAILURE(status)) + return; + ++ mutex_lock(&acpi_gpio_deferred_req_irqs_lock); ++ defer = !acpi_gpio_deferred_req_irqs_done; ++ if (defer) ++ list_add(&acpi_gpio->deferred_req_irqs_list_entry, ++ &acpi_gpio_deferred_req_irqs_list); ++ mutex_unlock(&acpi_gpio_deferred_req_irqs_lock); ++ ++ if (defer) ++ return; ++ + acpi_walk_resources(handle, "_AEI", + acpi_gpiochip_request_interrupt, acpi_gpio); + } +@@ -325,11 +327,14 @@ void acpi_gpiochip_free_interrupts(struc + if (ACPI_FAILURE(status)) + return; + ++ mutex_lock(&acpi_gpio_deferred_req_irqs_lock); ++ if (!list_empty(&acpi_gpio->deferred_req_irqs_list_entry)) ++ list_del_init(&acpi_gpio->deferred_req_irqs_list_entry); ++ mutex_unlock(&acpi_gpio_deferred_req_irqs_lock); ++ + list_for_each_entry_safe_reverse(event, ep, &acpi_gpio->events, node) { + struct gpio_desc *desc; + +- acpi_gpio_del_from_initial_sync_list(event); +- + if (irqd_is_wakeup_set(irq_get_irq_data(event->irq))) + disable_irq_wake(event->irq); + +@@ -1049,6 +1054,7 @@ void acpi_gpiochip_add(struct gpio_chip + + acpi_gpio->chip = chip; + INIT_LIST_HEAD(&acpi_gpio->events); ++ INIT_LIST_HEAD(&acpi_gpio->deferred_req_irqs_list_entry); + + status = acpi_attach_data(handle, acpi_gpio_chip_dh, acpi_gpio); + if (ACPI_FAILURE(status)) { +@@ -1195,20 +1201,28 @@ bool acpi_can_fallback_to_crs(struct acp + return con_id == NULL; + } + +-/* Sync the initial state of handlers after all builtin drivers have probed */ +-static int acpi_gpio_initial_sync(void) ++/* Run deferred acpi_gpiochip_request_interrupts() */ ++static int acpi_gpio_handle_deferred_request_interrupts(void) + { +- struct acpi_gpio_event *event, *ep; ++ struct acpi_gpio_chip *acpi_gpio, *tmp; ++ ++ mutex_lock(&acpi_gpio_deferred_req_irqs_lock); ++ list_for_each_entry_safe(acpi_gpio, tmp, ++ &acpi_gpio_deferred_req_irqs_list, ++ deferred_req_irqs_list_entry) { ++ acpi_handle handle; + +- mutex_lock(&acpi_gpio_initial_sync_list_lock); +- list_for_each_entry_safe(event, ep, &acpi_gpio_initial_sync_list, +- initial_sync_list) { +- acpi_evaluate_object(event->handle, NULL, NULL, NULL); +- list_del_init(&event->initial_sync_list); ++ handle = ACPI_HANDLE(acpi_gpio->chip->parent); ++ acpi_walk_resources(handle, "_AEI", ++ acpi_gpiochip_request_interrupt, acpi_gpio); ++ ++ list_del_init(&acpi_gpio->deferred_req_irqs_list_entry); + } +- mutex_unlock(&acpi_gpio_initial_sync_list_lock); ++ ++ acpi_gpio_deferred_req_irqs_done = true; ++ mutex_unlock(&acpi_gpio_deferred_req_irqs_lock); + + return 0; + } + /* We must use _sync so that this runs after the first deferred_probe run */ +-late_initcall_sync(acpi_gpio_initial_sync); ++late_initcall_sync(acpi_gpio_handle_deferred_request_interrupts); diff --git a/queue-4.18/gpiolib-acpi-switch-to-cansleep-version-of-gpio-library-call.patch b/queue-4.18/gpiolib-acpi-switch-to-cansleep-version-of-gpio-library-call.patch new file mode 100644 index 00000000000..bc211a5129b --- /dev/null +++ b/queue-4.18/gpiolib-acpi-switch-to-cansleep-version-of-gpio-library-call.patch @@ -0,0 +1,48 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Andy Shevchenko +Date: Mon, 13 Aug 2018 19:00:27 +0300 +Subject: gpiolib: acpi: Switch to cansleep version of GPIO library call + +From: Andy Shevchenko + +[ Upstream commit 993b9bc5c47fda86f8ab4e53d68c6fea5ff2764a ] + +The commit ca876c7483b6 + + ("gpiolib-acpi: make sure we trigger edge events at least once on boot") + +added a initial value check for pin which is about to be locked as IRQ. +Unfortunately, not all GPIO drivers can do that atomically. Thus, +switch to cansleep version of the call. Otherwise we have a warning: + +... + WARNING: CPU: 2 PID: 1408 at drivers/gpio/gpiolib.c:2883 gpiod_get_value+0x46/0x50 +... + RIP: 0010:gpiod_get_value+0x46/0x50 +... + +The change tested on Intel Broxton with Whiskey Cove PMIC GPIO controller. + +Fixes: ca876c7483b6 ("gpiolib-acpi: make sure we trigger edge events at least once on boot") +Signed-off-by: Andy Shevchenko +Cc: Hans de Goede +Cc: Benjamin Tissoires +Acked-by: Mika Westerberg +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpiolib-acpi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpiolib-acpi.c ++++ b/drivers/gpio/gpiolib-acpi.c +@@ -186,7 +186,7 @@ static acpi_status acpi_gpiochip_request + + gpiod_direction_input(desc); + +- value = gpiod_get_value(desc); ++ value = gpiod_get_value_cansleep(desc); + + ret = gpiochip_lock_as_irq(chip, pin); + if (ret) { diff --git a/queue-4.18/i2c-uniphier-f-issue-stop-only-for-last-message-or-i2c_m_stop.patch b/queue-4.18/i2c-uniphier-f-issue-stop-only-for-last-message-or-i2c_m_stop.patch new file mode 100644 index 00000000000..0d84b8f26f3 --- /dev/null +++ b/queue-4.18/i2c-uniphier-f-issue-stop-only-for-last-message-or-i2c_m_stop.patch @@ -0,0 +1,42 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Masahiro Yamada +Date: Fri, 31 Aug 2018 23:30:48 +0900 +Subject: i2c: uniphier-f: issue STOP only for last message or I2C_M_STOP + +From: Masahiro Yamada + +[ Upstream commit 4c85609b08c4761eca0a40fd7beb06bc650f252d ] + +This driver currently emits a STOP if the next message is not +I2C_MD_RD. It should not do it because it disturbs the I2C_RDWR +ioctl, where read/write transactions are combined without STOP +between. + +Issue STOP only when the message is the last one _or_ flagged with +I2C_M_STOP. + +Fixes: 6a62974b667f ("i2c: uniphier_f: add UniPhier FIFO-builtin I2C driver") +Signed-off-by: Masahiro Yamada +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-uniphier-f.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/drivers/i2c/busses/i2c-uniphier-f.c ++++ b/drivers/i2c/busses/i2c-uniphier-f.c +@@ -401,11 +401,8 @@ static int uniphier_fi2c_master_xfer(str + return ret; + + for (msg = msgs; msg < emsg; msg++) { +- /* If next message is read, skip the stop condition */ +- bool stop = !(msg + 1 < emsg && msg[1].flags & I2C_M_RD); +- /* but, force it if I2C_M_STOP is set */ +- if (msg->flags & I2C_M_STOP) +- stop = true; ++ /* Emit STOP if it is the last message or I2C_M_STOP is set. */ ++ bool stop = (msg + 1 == emsg) || (msg->flags & I2C_M_STOP); + + ret = uniphier_fi2c_master_xfer_one(adap, msg, stop); + if (ret) diff --git a/queue-4.18/i2c-uniphier-issue-stop-only-for-last-message-or-i2c_m_stop.patch b/queue-4.18/i2c-uniphier-issue-stop-only-for-last-message-or-i2c_m_stop.patch new file mode 100644 index 00000000000..07da5cc37d0 --- /dev/null +++ b/queue-4.18/i2c-uniphier-issue-stop-only-for-last-message-or-i2c_m_stop.patch @@ -0,0 +1,42 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Masahiro Yamada +Date: Fri, 31 Aug 2018 23:30:47 +0900 +Subject: i2c: uniphier: issue STOP only for last message or I2C_M_STOP + +From: Masahiro Yamada + +[ Upstream commit 38f5d8d8cbb2ffa2b54315118185332329ec891c ] + +This driver currently emits a STOP if the next message is not +I2C_MD_RD. It should not do it because it disturbs the I2C_RDWR +ioctl, where read/write transactions are combined without STOP +between. + +Issue STOP only when the message is the last one _or_ flagged with +I2C_M_STOP. + +Fixes: dd6fd4a32793 ("i2c: uniphier: add UniPhier FIFO-less I2C driver") +Signed-off-by: Masahiro Yamada +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-uniphier.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/drivers/i2c/busses/i2c-uniphier.c ++++ b/drivers/i2c/busses/i2c-uniphier.c +@@ -248,11 +248,8 @@ static int uniphier_i2c_master_xfer(stru + return ret; + + for (msg = msgs; msg < emsg; msg++) { +- /* If next message is read, skip the stop condition */ +- bool stop = !(msg + 1 < emsg && msg[1].flags & I2C_M_RD); +- /* but, force it if I2C_M_STOP is set */ +- if (msg->flags & I2C_M_STOP) +- stop = true; ++ /* Emit STOP if it is the last message or I2C_M_STOP is set. */ ++ bool stop = (msg + 1 == emsg) || (msg->flags & I2C_M_STOP); + + ret = uniphier_i2c_master_xfer_one(adap, msg, stop); + if (ret) diff --git a/queue-4.18/ibmvnic-include-missing-return-code-checks-in-reset-function.patch b/queue-4.18/ibmvnic-include-missing-return-code-checks-in-reset-function.patch new file mode 100644 index 00000000000..67011e4d248 --- /dev/null +++ b/queue-4.18/ibmvnic-include-missing-return-code-checks-in-reset-function.patch @@ -0,0 +1,45 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Thomas Falcon +Date: Thu, 30 Aug 2018 13:19:53 -0500 +Subject: ibmvnic: Include missing return code checks in reset function + +From: Thomas Falcon + +[ Upstream commit f611a5b4a51fa36a0aa792be474f5d6aacaef7e3 ] + +Check the return codes of these functions and halt reset +in case of failure. The driver will remain in a dormant state +until the next reset event, when device initialization will be +re-attempted. + +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -1841,11 +1841,17 @@ static int do_reset(struct ibmvnic_adapt + adapter->map_id = 1; + release_rx_pools(adapter); + release_tx_pools(adapter); +- init_rx_pools(netdev); +- init_tx_pools(netdev); ++ rc = init_rx_pools(netdev); ++ if (rc) ++ return rc; ++ rc = init_tx_pools(netdev); ++ if (rc) ++ return rc; + + release_napi(adapter); +- init_napi(adapter); ++ rc = init_napi(adapter); ++ if (rc) ++ return rc; + } else { + rc = reset_tx_pools(adapter); + if (rc) diff --git a/queue-4.18/kvm-ppc-book3s-hv-don-t-truncate-hpte-index-in-xlate-function.patch b/queue-4.18/kvm-ppc-book3s-hv-don-t-truncate-hpte-index-in-xlate-function.patch new file mode 100644 index 00000000000..9550013a513 --- /dev/null +++ b/queue-4.18/kvm-ppc-book3s-hv-don-t-truncate-hpte-index-in-xlate-function.patch @@ -0,0 +1,42 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Paul Mackerras +Date: Mon, 20 Aug 2018 16:05:45 +1000 +Subject: KVM: PPC: Book3S HV: Don't truncate HPTE index in xlate function + +From: Paul Mackerras + +[ Upstream commit 46dec40fb741f00f1864580130779aeeaf24fb3d ] + +This fixes a bug which causes guest virtual addresses to get translated +to guest real addresses incorrectly when the guest is using the HPT MMU +and has more than 256GB of RAM, or more specifically has a HPT larger +than 2GB. This has showed up in testing as a failure of the host to +emulate doorbell instructions correctly on POWER9 for HPT guests with +more than 256GB of RAM. + +The bug is that the HPTE index in kvmppc_mmu_book3s_64_hv_xlate() +is stored as an int, and in forming the HPTE address, the index gets +shifted left 4 bits as an int before being signed-extended to 64 bits. +The simple fix is to make the variable a long int, matching the +return type of kvmppc_hv_find_lock_hpte(), which is what calculates +the index. + +Fixes: 697d3899dcb4 ("KVM: PPC: Implement MMIO emulation support for Book3S HV guests") +Signed-off-by: Paul Mackerras +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kvm/book3s_64_mmu_hv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/kvm/book3s_64_mmu_hv.c ++++ b/arch/powerpc/kvm/book3s_64_mmu_hv.c +@@ -359,7 +359,7 @@ static int kvmppc_mmu_book3s_64_hv_xlate + unsigned long pp, key; + unsigned long v, orig_v, gr; + __be64 *hptep; +- int index; ++ long int index; + int virtmode = vcpu->arch.shregs.msr & (data ? MSR_DR : MSR_IR); + + if (kvm_is_radix(vcpu->kvm)) diff --git a/queue-4.18/mac80211-always-account-for-a-msdu-header-changes.patch b/queue-4.18/mac80211-always-account-for-a-msdu-header-changes.patch new file mode 100644 index 00000000000..8ba1dc8ca64 --- /dev/null +++ b/queue-4.18/mac80211-always-account-for-a-msdu-header-changes.patch @@ -0,0 +1,60 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Johannes Berg +Date: Thu, 30 Aug 2018 10:55:49 +0200 +Subject: mac80211: always account for A-MSDU header changes + +From: Johannes Berg + +[ Upstream commit aa58acf325b4aadeecae2bfc90658273b47dbace ] + +In the error path of changing the SKB headroom of the second +A-MSDU subframe, we would not account for the already-changed +length of the first frame that just got converted to be in +A-MSDU format and thus is a bit longer now. + +Fix this by doing the necessary accounting. + +It would be possible to reorder the operations, but that would +make the code more complex (to calculate the necessary pad), +and the headroom expansion should not fail frequently enough +to make that worthwhile. + +Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support") +Signed-off-by: Johannes Berg +Acked-by: Lorenzo Bianconi +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/tx.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3239,7 +3239,7 @@ static bool ieee80211_amsdu_aggregate(st + + if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(rfc1042_header) + + 2 + pad)) +- goto out; ++ goto out_recalc; + + ret = true; + data = skb_push(skb, ETH_ALEN + 2); +@@ -3256,11 +3256,13 @@ static bool ieee80211_amsdu_aggregate(st + head->data_len += skb->len; + *frag_tail = skb; + +- flow->backlog += head->len - orig_len; +- tin->backlog_bytes += head->len - orig_len; +- +- fq_recalc_backlog(fq, tin, flow); ++out_recalc: ++ if (head->len != orig_len) { ++ flow->backlog += head->len - orig_len; ++ tin->backlog_bytes += head->len - orig_len; + ++ fq_recalc_backlog(fq, tin, flow); ++ } + out: + spin_unlock_bh(&fq->lock); + diff --git a/queue-4.18/mac80211-avoid-kernel-panic-when-building-amsdu-from-non-linear-skb.patch b/queue-4.18/mac80211-avoid-kernel-panic-when-building-amsdu-from-non-linear-skb.patch new file mode 100644 index 00000000000..d44b474e4cb --- /dev/null +++ b/queue-4.18/mac80211-avoid-kernel-panic-when-building-amsdu-from-non-linear-skb.patch @@ -0,0 +1,110 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Sara Sharon +Date: Wed, 29 Aug 2018 08:57:02 +0200 +Subject: mac80211: avoid kernel panic when building AMSDU from non-linear SKB + +From: Sara Sharon + +[ Upstream commit 166ac9d55b0ab70b644e429be1f217fe8393cbd7 ] + +When building building AMSDU from non-linear SKB, we hit a +kernel panic when trying to push the padding to the tail. +Instead, put the padding at the head of the next subframe. +This also fixes the A-MSDU subframes to not have the padding +accounted in the length field and not have pad at all for +the last subframe, both required by the spec. + +Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support") +Signed-off-by: Sara Sharon +Reviewed-by: Lorenzo Bianconi +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/tx.c | 38 +++++++++++++++++++++----------------- + 1 file changed, 21 insertions(+), 17 deletions(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3073,27 +3073,18 @@ void ieee80211_clear_fast_xmit(struct st + } + + static bool ieee80211_amsdu_realloc_pad(struct ieee80211_local *local, +- struct sk_buff *skb, int headroom, +- int *subframe_len) ++ struct sk_buff *skb, int headroom) + { +- int amsdu_len = *subframe_len + sizeof(struct ethhdr); +- int padding = (4 - amsdu_len) & 3; +- +- if (skb_headroom(skb) < headroom || skb_tailroom(skb) < padding) { ++ if (skb_headroom(skb) < headroom) { + I802_DEBUG_INC(local->tx_expand_skb_head); + +- if (pskb_expand_head(skb, headroom, padding, GFP_ATOMIC)) { ++ if (pskb_expand_head(skb, headroom, 0, GFP_ATOMIC)) { + wiphy_debug(local->hw.wiphy, + "failed to reallocate TX buffer\n"); + return false; + } + } + +- if (padding) { +- *subframe_len += padding; +- skb_put_zero(skb, padding); +- } +- + return true; + } + +@@ -3117,8 +3108,7 @@ static bool ieee80211_amsdu_prepare_head + if (info->control.flags & IEEE80211_TX_CTRL_AMSDU) + return true; + +- if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(*amsdu_hdr), +- &subframe_len)) ++ if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(*amsdu_hdr))) + return false; + + data = skb_push(skb, sizeof(*amsdu_hdr)); +@@ -3184,7 +3174,8 @@ static bool ieee80211_amsdu_aggregate(st + void *data; + bool ret = false; + unsigned int orig_len; +- int n = 1, nfrags; ++ int n = 1, nfrags, pad = 0; ++ u16 hdrlen; + + if (!ieee80211_hw_check(&local->hw, TX_AMSDU)) + return false; +@@ -3235,8 +3226,19 @@ static bool ieee80211_amsdu_aggregate(st + if (max_frags && nfrags > max_frags) + goto out; + +- if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(rfc1042_header) + 2, +- &subframe_len)) ++ /* ++ * Pad out the previous subframe to a multiple of 4 by adding the ++ * padding to the next one, that's being added. Note that head->len ++ * is the length of the full A-MSDU, but that works since each time ++ * we add a new subframe we pad out the previous one to a multiple ++ * of 4 and thus it no longer matters in the next round. ++ */ ++ hdrlen = fast_tx->hdr_len - sizeof(rfc1042_header); ++ if ((head->len - hdrlen) & 3) ++ pad = 4 - ((head->len - hdrlen) & 3); ++ ++ if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(rfc1042_header) + ++ 2 + pad)) + goto out; + + ret = true; +@@ -3248,6 +3250,8 @@ static bool ieee80211_amsdu_aggregate(st + memcpy(data, &len, 2); + memcpy(data + 2, rfc1042_header, sizeof(rfc1042_header)); + ++ memset(skb_push(skb, pad), 0, pad); ++ + head->len += skb->len; + head->data_len += skb->len; + *frag_tail = skb; diff --git a/queue-4.18/mac80211-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch b/queue-4.18/mac80211-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch new file mode 100644 index 00000000000..36278501960 --- /dev/null +++ b/queue-4.18/mac80211-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch @@ -0,0 +1,37 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Danek Duvall +Date: Wed, 22 Aug 2018 16:01:04 -0700 +Subject: mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X + +From: Danek Duvall + +[ Upstream commit 67d1ba8a6dc83d90cd58b89fa6cbf9ae35a0cf7f ] + +The mod mask for VHT capabilities intends to say that you can override +the number of STBC receive streams, and it does, but only by accident. +The IEEE80211_VHT_CAP_RXSTBC_X aren't bits to be set, but values (albeit +left-shifted). ORing the bits together gets the right answer, but we +should use the _MASK macro here instead. + +Signed-off-by: Danek Duvall +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/main.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -470,10 +470,7 @@ static const struct ieee80211_vht_cap ma + cpu_to_le32(IEEE80211_VHT_CAP_RXLDPC | + IEEE80211_VHT_CAP_SHORT_GI_80 | + IEEE80211_VHT_CAP_SHORT_GI_160 | +- IEEE80211_VHT_CAP_RXSTBC_1 | +- IEEE80211_VHT_CAP_RXSTBC_2 | +- IEEE80211_VHT_CAP_RXSTBC_3 | +- IEEE80211_VHT_CAP_RXSTBC_4 | ++ IEEE80211_VHT_CAP_RXSTBC_MASK | + IEEE80211_VHT_CAP_TXSTBC | + IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE | + IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE | diff --git a/queue-4.18/mac80211-do-not-convert-to-a-msdu-if-frag-subframe-limited.patch b/queue-4.18/mac80211-do-not-convert-to-a-msdu-if-frag-subframe-limited.patch new file mode 100644 index 00000000000..4d9e4e1f028 --- /dev/null +++ b/queue-4.18/mac80211-do-not-convert-to-a-msdu-if-frag-subframe-limited.patch @@ -0,0 +1,45 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Lorenzo Bianconi +Date: Wed, 29 Aug 2018 21:03:25 +0200 +Subject: mac80211: do not convert to A-MSDU if frag/subframe limited + +From: Lorenzo Bianconi + +[ Upstream commit 1eb507903665442360a959136dfa3234c43db085 ] + +Do not start to aggregate packets in a A-MSDU frame (converting the +first subframe to A-MSDU, adding the header) if max_tx_fragments or +max_amsdu_subframes limits are already exceeded by it. In particular, +this happens when drivers set the limit to 1 to avoid A-MSDUs at all. + +Signed-off-by: Lorenzo Bianconi +[reword commit message to be more precise] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/tx.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3208,9 +3208,6 @@ static bool ieee80211_amsdu_aggregate(st + if (skb->len + head->len > max_amsdu_len) + goto out; + +- if (!ieee80211_amsdu_prepare_head(sdata, fast_tx, head)) +- goto out; +- + nfrags = 1 + skb_shinfo(skb)->nr_frags; + nfrags += 1 + skb_shinfo(head)->nr_frags; + frag_tail = &skb_shinfo(head)->frag_list; +@@ -3226,6 +3223,9 @@ static bool ieee80211_amsdu_aggregate(st + if (max_frags && nfrags > max_frags) + goto out; + ++ if (!ieee80211_amsdu_prepare_head(sdata, fast_tx, head)) ++ goto out; ++ + /* + * Pad out the previous subframe to a multiple of 4 by adding the + * padding to the next one, that's being added. Note that head->len diff --git a/queue-4.18/mac80211-don-t-tx-a-deauth-frame-if-the-ap-forbade-tx.patch b/queue-4.18/mac80211-don-t-tx-a-deauth-frame-if-the-ap-forbade-tx.patch new file mode 100644 index 00000000000..175eccd46a9 --- /dev/null +++ b/queue-4.18/mac80211-don-t-tx-a-deauth-frame-if-the-ap-forbade-tx.patch @@ -0,0 +1,87 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Emmanuel Grumbach +Date: Fri, 31 Aug 2018 11:31:12 +0300 +Subject: mac80211: don't Tx a deauth frame if the AP forbade Tx + +From: Emmanuel Grumbach + +[ Upstream commit 6c18b27d6e5c6a7206364eae2b47bc8d8b2fa68f ] + +If the driver fails to properly prepare for the channel +switch, mac80211 will disconnect. If the CSA IE had mode +set to 1, it means that the clients are not allowed to send +any Tx on the current channel, and that includes the +deauthentication frame. + +Make sure that we don't send the deauthentication frame in +this case. + +In iwlwifi, this caused a failure to flush queues since the +firmware already closed the queues after having parsed the +CSA IE. Then mac80211 would wait until the deauthentication +frame would go out (drv_flush(drop=false)) and that would +never happen. + +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mlme.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -1270,6 +1270,16 @@ ieee80211_sta_process_chanswitch(struct + cbss->beacon_interval)); + return; + drop_connection: ++ /* ++ * This is just so that the disconnect flow will know that ++ * we were trying to switch channel and failed. In case the ++ * mode is 1 (we are not allowed to Tx), we will know not to ++ * send a deauthentication frame. Those two fields will be ++ * reset when the disconnection worker runs. ++ */ ++ sdata->vif.csa_active = true; ++ sdata->csa_block_tx = csa_ie.mode; ++ + ieee80211_queue_work(&local->hw, &ifmgd->csa_connection_drop_work); + mutex_unlock(&local->chanctx_mtx); + mutex_unlock(&local->mtx); +@@ -2453,6 +2463,7 @@ static void __ieee80211_disconnect(struc + struct ieee80211_local *local = sdata->local; + struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; + u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN]; ++ bool tx; + + sdata_lock(sdata); + if (!ifmgd->associated) { +@@ -2460,6 +2471,8 @@ static void __ieee80211_disconnect(struc + return; + } + ++ tx = !sdata->csa_block_tx; ++ + /* AP is probably out of range (or not reachable for another reason) so + * remove the bss struct for that AP. + */ +@@ -2467,7 +2480,7 @@ static void __ieee80211_disconnect(struc + + ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH, + WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY, +- true, frame_buf); ++ tx, frame_buf); + mutex_lock(&local->mtx); + sdata->vif.csa_active = false; + ifmgd->csa_waiting_bcn = false; +@@ -2478,7 +2491,7 @@ static void __ieee80211_disconnect(struc + } + mutex_unlock(&local->mtx); + +- ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), true, ++ ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), tx, + WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY); + + sdata_unlock(sdata); diff --git a/queue-4.18/mac80211-fix-a-race-between-restart-and-csa-flows.patch b/queue-4.18/mac80211-fix-a-race-between-restart-and-csa-flows.patch new file mode 100644 index 00000000000..384de4ff804 --- /dev/null +++ b/queue-4.18/mac80211-fix-a-race-between-restart-and-csa-flows.patch @@ -0,0 +1,95 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Emmanuel Grumbach +Date: Fri, 31 Aug 2018 11:31:06 +0300 +Subject: mac80211: fix a race between restart and CSA flows + +From: Emmanuel Grumbach + +[ Upstream commit f3ffb6c3a28963657eb8b02a795d75f2ebbd5ef4 ] + +We hit a problem with iwlwifi that was caused by a bug in +mac80211. A bug in iwlwifi caused the firwmare to crash in +certain cases in channel switch. Because of that bug, +drv_pre_channel_switch would fail and trigger the restart +flow. +Now we had the hw restart worker which runs on the system's +workqueue and the csa_connection_drop_work worker that runs +on mac80211's workqueue that can run together. This is +obviously problematic since the restart work wants to +reconfigure the connection, while the csa_connection_drop_work +worker does the exact opposite: it tries to disconnect. + +Fix this by cancelling the csa_connection_drop_work worker +in the restart worker. + +Note that this can sound racy: we could have: + +driver iface_work CSA_work restart_work ++++++++++++++++++++++++++++++++++++++++++++++ + | + <--drv_cs ---| + +-CS FAILED--> + | | + | cancel_work(CSA) + schedule | + CSA work | + | | + Race between those 2 + +But this is not possible because we flush the workqueue +in the restart worker before we cancel the CSA worker. +That would be bullet proof if we could guarantee that +we schedule the CSA worker only from the iface_work +which runs on the workqueue (and not on the system's +workqueue), but unfortunately we do have an instance +in which we schedule the CSA work outside the context +of the workqueue (ieee80211_chswitch_done). + +Note also that we should probably cancel other workers +like beacon_connection_loss_work and possibly others +for different types of interfaces, at the very least, +IBSS should suffer from the exact same problem, but for +now, do the minimum to fix the actual bug that was actually +experienced and reproduced. + +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/main.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -255,8 +255,27 @@ static void ieee80211_restart_work(struc + + flush_work(&local->radar_detected_work); + rtnl_lock(); +- list_for_each_entry(sdata, &local->interfaces, list) ++ list_for_each_entry(sdata, &local->interfaces, list) { ++ /* ++ * XXX: there may be more work for other vif types and even ++ * for station mode: a good thing would be to run most of ++ * the iface type's dependent _stop (ieee80211_mg_stop, ++ * ieee80211_ibss_stop) etc... ++ * For now, fix only the specific bug that was seen: race ++ * between csa_connection_drop_work and us. ++ */ ++ if (sdata->vif.type == NL80211_IFTYPE_STATION) { ++ /* ++ * This worker is scheduled from the iface worker that ++ * runs on mac80211's workqueue, so we can't be ++ * scheduling this worker after the cancel right here. ++ * The exception is ieee80211_chswitch_done. ++ * Then we can have a race... ++ */ ++ cancel_work_sync(&sdata->u.mgd.csa_connection_drop_work); ++ } + flush_delayed_work(&sdata->dec_tailroom_needed_wk); ++ } + ieee80211_scan_cancel(local); + + /* make sure any new ROC will consider local->in_reconfig */ diff --git a/queue-4.18/mac80211-fix-an-off-by-one-issue-in-a-msdu-max_subframe-computation.patch b/queue-4.18/mac80211-fix-an-off-by-one-issue-in-a-msdu-max_subframe-computation.patch new file mode 100644 index 00000000000..f904baf7fe9 --- /dev/null +++ b/queue-4.18/mac80211-fix-an-off-by-one-issue-in-a-msdu-max_subframe-computation.patch @@ -0,0 +1,34 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Lorenzo Bianconi +Date: Fri, 31 Aug 2018 01:04:13 +0200 +Subject: mac80211: fix an off-by-one issue in A-MSDU max_subframe computation + +From: Lorenzo Bianconi + +[ Upstream commit 66eb02d839e8495ae6b612e2d09ff599374b80e2 ] + +Initialize 'n' to 2 in order to take into account also the first +packet in the estimation of max_subframe limit for a given A-MSDU +since frag_tail pointer is NULL when ieee80211_amsdu_aggregate +routine analyzes the second frame. + +Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/tx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3174,7 +3174,7 @@ static bool ieee80211_amsdu_aggregate(st + void *data; + bool ret = false; + unsigned int orig_len; +- int n = 1, nfrags, pad = 0; ++ int n = 2, nfrags, pad = 0; + u16 hdrlen; + + if (!ieee80211_hw_check(&local->hw, TX_AMSDU)) diff --git a/queue-4.18/mac80211-fix-station-bandwidth-setting-after-channel-switch.patch b/queue-4.18/mac80211-fix-station-bandwidth-setting-after-channel-switch.patch new file mode 100644 index 00000000000..a9f56d959c3 --- /dev/null +++ b/queue-4.18/mac80211-fix-station-bandwidth-setting-after-channel-switch.patch @@ -0,0 +1,104 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Ilan Peer +Date: Fri, 31 Aug 2018 11:31:10 +0300 +Subject: mac80211: Fix station bandwidth setting after channel switch + +From: Ilan Peer + +[ Upstream commit 0007e94355fdb71a1cf5dba0754155cba08f0666 ] + +When performing a channel switch flow for a managed interface, the +flow did not update the bandwidth of the AP station and the rate +scale algorithm. In case of a channel width downgrade, this would +result with the rate scale algorithm using a bandwidth that does not +match the interface channel configuration. + +Fix this by updating the AP station bandwidth and rate scaling algorithm +before the actual channel change in case of a bandwidth downgrade, or +after the actual channel change in case of a bandwidth upgrade. + +Signed-off-by: Ilan Peer +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mlme.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 53 insertions(+) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -978,6 +978,10 @@ static void ieee80211_chswitch_work(stru + */ + + if (sdata->reserved_chanctx) { ++ struct ieee80211_supported_band *sband = NULL; ++ struct sta_info *mgd_sta = NULL; ++ enum ieee80211_sta_rx_bandwidth bw = IEEE80211_STA_RX_BW_20; ++ + /* + * with multi-vif csa driver may call ieee80211_csa_finish() + * many times while waiting for other interfaces to use their +@@ -986,6 +990,48 @@ static void ieee80211_chswitch_work(stru + if (sdata->reserved_ready) + goto out; + ++ if (sdata->vif.bss_conf.chandef.width != ++ sdata->csa_chandef.width) { ++ /* ++ * For managed interface, we need to also update the AP ++ * station bandwidth and align the rate scale algorithm ++ * on the bandwidth change. Here we only consider the ++ * bandwidth of the new channel definition (as channel ++ * switch flow does not have the full HT/VHT/HE ++ * information), assuming that if additional changes are ++ * required they would be done as part of the processing ++ * of the next beacon from the AP. ++ */ ++ switch (sdata->csa_chandef.width) { ++ case NL80211_CHAN_WIDTH_20_NOHT: ++ case NL80211_CHAN_WIDTH_20: ++ default: ++ bw = IEEE80211_STA_RX_BW_20; ++ break; ++ case NL80211_CHAN_WIDTH_40: ++ bw = IEEE80211_STA_RX_BW_40; ++ break; ++ case NL80211_CHAN_WIDTH_80: ++ bw = IEEE80211_STA_RX_BW_80; ++ break; ++ case NL80211_CHAN_WIDTH_80P80: ++ case NL80211_CHAN_WIDTH_160: ++ bw = IEEE80211_STA_RX_BW_160; ++ break; ++ } ++ ++ mgd_sta = sta_info_get(sdata, ifmgd->bssid); ++ sband = ++ local->hw.wiphy->bands[sdata->csa_chandef.chan->band]; ++ } ++ ++ if (sdata->vif.bss_conf.chandef.width > ++ sdata->csa_chandef.width) { ++ mgd_sta->sta.bandwidth = bw; ++ rate_control_rate_update(local, sband, mgd_sta, ++ IEEE80211_RC_BW_CHANGED); ++ } ++ + ret = ieee80211_vif_use_reserved_context(sdata); + if (ret) { + sdata_info(sdata, +@@ -996,6 +1042,13 @@ static void ieee80211_chswitch_work(stru + goto out; + } + ++ if (sdata->vif.bss_conf.chandef.width < ++ sdata->csa_chandef.width) { ++ mgd_sta->sta.bandwidth = bw; ++ rate_control_rate_update(local, sband, mgd_sta, ++ IEEE80211_RC_BW_CHANGED); ++ } ++ + goto out; + } + diff --git a/queue-4.18/mac80211-fix-wmm-txop-calculation.patch b/queue-4.18/mac80211-fix-wmm-txop-calculation.patch new file mode 100644 index 00000000000..f3b389bfea5 --- /dev/null +++ b/queue-4.18/mac80211-fix-wmm-txop-calculation.patch @@ -0,0 +1,37 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: "Dreyfuss, Haim" +Date: Fri, 31 Aug 2018 11:31:04 +0300 +Subject: mac80211: fix WMM TXOP calculation + +From: "Dreyfuss, Haim" + +[ Upstream commit abd76d255d69d70206c01b9cb19ba36a9c1df6a1 ] + +In commit 9236c4523e5b ("mac80211: limit wmm params to comply +with ETSI requirements"), we have limited the WMM parameters to +comply with 802.11 and ETSI standard. Mistakenly the TXOP value +was caluclated wrong. Fix it by taking the minimum between +802.11 to ETSI to make sure we are not violating both. + +Fixes: e552af058148 ("mac80211: limit wmm params to comply with ETSI requirements") +Signed-off-by: Haim Dreyfuss +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/util.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -1151,8 +1151,7 @@ void ieee80211_regulatory_limit_wmm_para + qparam->cw_min = max_t(u16, qparam->cw_min, wmm_ac->cw_min); + qparam->cw_max = max_t(u16, qparam->cw_max, wmm_ac->cw_max); + qparam->aifs = max_t(u8, qparam->aifs, wmm_ac->aifsn); +- qparam->txop = !qparam->txop ? wmm_ac->cot / 32 : +- min_t(u16, qparam->txop, wmm_ac->cot / 32); ++ qparam->txop = min_t(u16, qparam->txop, wmm_ac->cot / 32); + rcu_read_unlock(); + } + diff --git a/queue-4.18/mac80211-mesh-fix-hwmp-sequence-numbering-to-follow-standard.patch b/queue-4.18/mac80211-mesh-fix-hwmp-sequence-numbering-to-follow-standard.patch new file mode 100644 index 00000000000..cf169e2f158 --- /dev/null +++ b/queue-4.18/mac80211-mesh-fix-hwmp-sequence-numbering-to-follow-standard.patch @@ -0,0 +1,36 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Yuan-Chi Pang +Date: Wed, 29 Aug 2018 09:30:08 +0800 +Subject: mac80211: mesh: fix HWMP sequence numbering to follow standard + +From: Yuan-Chi Pang + +[ Upstream commit 1f631c3201fe5491808df143d8fcba81b3197ffd ] + +IEEE 802.11-2016 14.10.8.3 HWMP sequence numbering says: +If it is a target mesh STA, it shall update its own HWMP SN to +maximum (current HWMP SN, target HWMP SN in the PREQ element) + 1 +immediately before it generates a PREP element in response to a +PREQ element. + +Signed-off-by: Yuan-Chi Pang +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mesh_hwmp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/mac80211/mesh_hwmp.c ++++ b/net/mac80211/mesh_hwmp.c +@@ -572,6 +572,10 @@ static void hwmp_preq_frame_process(stru + forward = false; + reply = true; + target_metric = 0; ++ ++ if (SN_GT(target_sn, ifmsh->sn)) ++ ifmsh->sn = target_sn; ++ + if (time_after(jiffies, ifmsh->last_sn_update + + net_traversal_jiffies(sdata)) || + time_before(jiffies, ifmsh->last_sn_update)) { diff --git a/queue-4.18/mac80211-run-txq-teardown-code-before-de-registering-interfaces.patch b/queue-4.18/mac80211-run-txq-teardown-code-before-de-registering-interfaces.patch new file mode 100644 index 00000000000..43d03ddb96f --- /dev/null +++ b/queue-4.18/mac80211-run-txq-teardown-code-before-de-registering-interfaces.patch @@ -0,0 +1,43 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: "Toke Høiland-Jørgensen" +Date: Mon, 13 Aug 2018 14:16:25 +0200 +Subject: mac80211: Run TXQ teardown code before de-registering interfaces + +From: "Toke Høiland-Jørgensen" + +[ Upstream commit 77cfaf52eca5cac30ed029507e0cab065f888995 ] + +The TXQ teardown code can reference the vif data structures that are +stored in the netdev private memory area if there are still packets on +the queue when it is being freed. Since the TXQ teardown code is run +after the netdevs are freed, this can lead to a use-after-free. Fix this +by moving the TXQ teardown code to earlier in ieee80211_unregister_hw(). + +Reported-by: Ben Greear +Tested-by: Ben Greear +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -1182,6 +1182,7 @@ void ieee80211_unregister_hw(struct ieee + #if IS_ENABLED(CONFIG_IPV6) + unregister_inet6addr_notifier(&local->ifa6_notifier); + #endif ++ ieee80211_txq_teardown_flows(local); + + rtnl_lock(); + +@@ -1210,7 +1211,6 @@ void ieee80211_unregister_hw(struct ieee + skb_queue_purge(&local->skb_queue); + skb_queue_purge(&local->skb_queue_unreliable); + skb_queue_purge(&local->skb_queue_tdls_chsw); +- ieee80211_txq_teardown_flows(local); + + destroy_workqueue(local->workqueue); + wiphy_unregister(local->hw.wiphy); diff --git a/queue-4.18/mac80211-shorten-the-ibss-debug-messages.patch b/queue-4.18/mac80211-shorten-the-ibss-debug-messages.patch new file mode 100644 index 00000000000..618170de554 --- /dev/null +++ b/queue-4.18/mac80211-shorten-the-ibss-debug-messages.patch @@ -0,0 +1,83 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Emmanuel Grumbach +Date: Fri, 31 Aug 2018 11:31:13 +0300 +Subject: mac80211: shorten the IBSS debug messages + +From: Emmanuel Grumbach + +[ Upstream commit c6e57b3896fc76299913b8cfd82d853bee8a2c84 ] + +When tracing is enabled, all the debug messages are recorded and must +not exceed MAX_MSG_LEN (100) columns. Longer debug messages grant the +user with: + +WARNING: CPU: 3 PID: 32642 at /tmp/wifi-core-20180806094828/src/iwlwifi-stack-dev/net/mac80211/./trace_msg.h:32 trace_event_raw_event_mac80211_msg_event+0xab/0xc0 [mac80211] +Workqueue: phy1 ieee80211_iface_work [mac80211] + RIP: 0010:trace_event_raw_event_mac80211_msg_event+0xab/0xc0 [mac80211] + Call Trace: + __sdata_dbg+0xbd/0x120 [mac80211] + ieee80211_ibss_rx_queued_mgmt+0x15f/0x510 [mac80211] + ieee80211_iface_work+0x21d/0x320 [mac80211] + +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/ibss.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- a/net/mac80211/ibss.c ++++ b/net/mac80211/ibss.c +@@ -947,8 +947,8 @@ static void ieee80211_rx_mgmt_deauth_ibs + if (len < IEEE80211_DEAUTH_FRAME_LEN) + return; + +- ibss_dbg(sdata, "RX DeAuth SA=%pM DA=%pM BSSID=%pM (reason: %d)\n", +- mgmt->sa, mgmt->da, mgmt->bssid, reason); ++ ibss_dbg(sdata, "RX DeAuth SA=%pM DA=%pM\n", mgmt->sa, mgmt->da); ++ ibss_dbg(sdata, "\tBSSID=%pM (reason: %d)\n", mgmt->bssid, reason); + sta_info_destroy_addr(sdata, mgmt->sa); + } + +@@ -966,9 +966,9 @@ static void ieee80211_rx_mgmt_auth_ibss( + auth_alg = le16_to_cpu(mgmt->u.auth.auth_alg); + auth_transaction = le16_to_cpu(mgmt->u.auth.auth_transaction); + +- ibss_dbg(sdata, +- "RX Auth SA=%pM DA=%pM BSSID=%pM (auth_transaction=%d)\n", +- mgmt->sa, mgmt->da, mgmt->bssid, auth_transaction); ++ ibss_dbg(sdata, "RX Auth SA=%pM DA=%pM\n", mgmt->sa, mgmt->da); ++ ibss_dbg(sdata, "\tBSSID=%pM (auth_transaction=%d)\n", ++ mgmt->bssid, auth_transaction); + + if (auth_alg != WLAN_AUTH_OPEN || auth_transaction != 1) + return; +@@ -1175,10 +1175,10 @@ static void ieee80211_rx_bss_info(struct + rx_timestamp = drv_get_tsf(local, sdata); + } + +- ibss_dbg(sdata, +- "RX beacon SA=%pM BSSID=%pM TSF=0x%llx BCN=0x%llx diff=%lld @%lu\n", ++ ibss_dbg(sdata, "RX beacon SA=%pM BSSID=%pM TSF=0x%llx\n", + mgmt->sa, mgmt->bssid, +- (unsigned long long)rx_timestamp, ++ (unsigned long long)rx_timestamp); ++ ibss_dbg(sdata, "\tBCN=0x%llx diff=%lld @%lu\n", + (unsigned long long)beacon_timestamp, + (unsigned long long)(rx_timestamp - beacon_timestamp), + jiffies); +@@ -1537,9 +1537,9 @@ static void ieee80211_rx_mgmt_probe_req( + + tx_last_beacon = drv_tx_last_beacon(local); + +- ibss_dbg(sdata, +- "RX ProbeReq SA=%pM DA=%pM BSSID=%pM (tx_last_beacon=%d)\n", +- mgmt->sa, mgmt->da, mgmt->bssid, tx_last_beacon); ++ ibss_dbg(sdata, "RX ProbeReq SA=%pM DA=%pM\n", mgmt->sa, mgmt->da); ++ ibss_dbg(sdata, "\tBSSID=%pM (tx_last_beacon=%d)\n", ++ mgmt->bssid, tx_last_beacon); + + if (!tx_last_beacon && is_multicast_ether_addr(mgmt->da)) + return; diff --git a/queue-4.18/mac80211_hwsim-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch b/queue-4.18/mac80211_hwsim-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch new file mode 100644 index 00000000000..729fa42d1fa --- /dev/null +++ b/queue-4.18/mac80211_hwsim-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Danek Duvall +Date: Wed, 22 Aug 2018 16:01:05 -0700 +Subject: mac80211_hwsim: correct use of IEEE80211_VHT_CAP_RXSTBC_X + +From: Danek Duvall + +[ Upstream commit d7c863a2f65e48f442379f4ee1846d52e0c5d24d ] + +The mac80211_hwsim driver intends to say that it supports up to four +STBC receive streams, but instead it ends up saying something undefined. +The IEEE80211_VHT_CAP_RXSTBC_X macros aren't independent bits that can +be ORed together, but values. In this case, _4 is the appropriate one +to use. + +Signed-off-by: Danek Duvall +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mac80211_hwsim.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -2699,9 +2699,6 @@ static int mac80211_hwsim_new_radio(stru + IEEE80211_VHT_CAP_SHORT_GI_80 | + IEEE80211_VHT_CAP_SHORT_GI_160 | + IEEE80211_VHT_CAP_TXSTBC | +- IEEE80211_VHT_CAP_RXSTBC_1 | +- IEEE80211_VHT_CAP_RXSTBC_2 | +- IEEE80211_VHT_CAP_RXSTBC_3 | + IEEE80211_VHT_CAP_RXSTBC_4 | + IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_MASK; + sband->vht_cap.vht_mcs.rx_mcs_map = diff --git a/queue-4.18/mac80211_hwsim-fix-possible-spectre-v1-for-hwsim_world_regdom_custom.patch b/queue-4.18/mac80211_hwsim-fix-possible-spectre-v1-for-hwsim_world_regdom_custom.patch new file mode 100644 index 00000000000..922c157ee91 --- /dev/null +++ b/queue-4.18/mac80211_hwsim-fix-possible-spectre-v1-for-hwsim_world_regdom_custom.patch @@ -0,0 +1,50 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Jinbum Park +Date: Tue, 31 Jul 2018 23:10:40 +0900 +Subject: mac80211_hwsim: Fix possible Spectre-v1 for hwsim_world_regdom_custom + +From: Jinbum Park + +[ Upstream commit 3a2af7cccbbaf2362db9053a946a6084e12bfa73 ] + +User controls @idx which to be used as index of hwsim_world_regdom_custom. +So, It can be exploited via Spectre-like attack. (speculative execution) + +This kind of attack leaks address of hwsim_world_regdom_custom, +It leads an attacker to bypass security mechanism such as KASLR. + +So sanitize @idx before using it to prevent attack. + +I leveraged strategy [1] to find and exploit this gadget. + +[1] https://github.com/jinb-park/linux-exploit/tree/master/exploit-remaining-spectre-gadget/ + +Signed-off-by: Jinbum Park +[johannes: unwrap URL] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mac80211_hwsim.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -33,6 +33,7 @@ + #include + #include + #include ++#include + #include "mac80211_hwsim.h" + + #define WARN_QUEUE 100 +@@ -3229,6 +3230,9 @@ static int hwsim_new_radio_nl(struct sk_ + kfree(hwname); + return -EINVAL; + } ++ ++ idx = array_index_nospec(idx, ++ ARRAY_SIZE(hwsim_world_regdom_custom)); + param.regd = hwsim_world_regdom_custom[idx]; + } + diff --git a/queue-4.18/mac80211_hwsim-require-at-least-one-channel.patch b/queue-4.18/mac80211_hwsim-require-at-least-one-channel.patch new file mode 100644 index 00000000000..1bfb436d818 --- /dev/null +++ b/queue-4.18/mac80211_hwsim-require-at-least-one-channel.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Johannes Berg +Date: Wed, 15 Aug 2018 18:17:03 +0200 +Subject: mac80211_hwsim: require at least one channel + +From: Johannes Berg + +[ Upstream commit 484004339d4514fde425f6e8a9f6a6cc979bb0c3 ] + +Syzbot continues to try to create mac80211_hwsim radios, and +manages to pass parameters that are later checked with WARN_ON +in cfg80211 - catch another one in hwsim directly. + +Reported-by: syzbot+2a12f11c306afe871c1f@syzkaller.appspotmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mac80211_hwsim.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -3194,6 +3194,11 @@ static int hwsim_new_radio_nl(struct sk_ + if (info->attrs[HWSIM_ATTR_CHANNELS]) + param.channels = nla_get_u32(info->attrs[HWSIM_ATTR_CHANNELS]); + ++ if (param.channels < 1) { ++ GENL_SET_ERR_MSG(info, "must have at least one channel"); ++ return -EINVAL; ++ } ++ + if (param.channels > CFG80211_MAX_NUM_DIFFERENT_CHANNELS) { + GENL_SET_ERR_MSG(info, "too many channels specified"); + return -EINVAL; diff --git a/queue-4.18/md-raid5-cache-disable-reshape-completely.patch b/queue-4.18/md-raid5-cache-disable-reshape-completely.patch new file mode 100644 index 00000000000..7743db782c5 --- /dev/null +++ b/queue-4.18/md-raid5-cache-disable-reshape-completely.patch @@ -0,0 +1,68 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Shaohua Li +Date: Wed, 29 Aug 2018 11:05:42 -0700 +Subject: md/raid5-cache: disable reshape completely + +From: Shaohua Li + +[ Upstream commit e254de6bcf3f5b6e78a92ac95fb91acef8adfe1a ] + +We don't support reshape yet if an array supports log device. Previously we +determine the fact by checking ->log. However, ->log could be NULL after a log +device is removed, but the array is still marked to support log device. Don't +allow reshape in this case too. User can disable log device support by setting +'consistency_policy' to 'resync' then do reshape. + +Reported-by: Xiao Ni +Tested-by: Xiao Ni +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid5-log.h | 5 +++++ + drivers/md/raid5.c | 6 +++--- + 2 files changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/md/raid5-log.h ++++ b/drivers/md/raid5-log.h +@@ -46,6 +46,11 @@ extern int ppl_modify_log(struct r5conf + extern void ppl_quiesce(struct r5conf *conf, int quiesce); + extern int ppl_handle_flush_request(struct r5l_log *log, struct bio *bio); + ++static inline bool raid5_has_log(struct r5conf *conf) ++{ ++ return test_bit(MD_HAS_JOURNAL, &conf->mddev->flags); ++} ++ + static inline bool raid5_has_ppl(struct r5conf *conf) + { + return test_bit(MD_HAS_PPL, &conf->mddev->flags); +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -735,7 +735,7 @@ static bool stripe_can_batch(struct stri + { + struct r5conf *conf = sh->raid_conf; + +- if (conf->log || raid5_has_ppl(conf)) ++ if (raid5_has_log(conf) || raid5_has_ppl(conf)) + return false; + return test_bit(STRIPE_BATCH_READY, &sh->state) && + !test_bit(STRIPE_BITMAP_PENDING, &sh->state) && +@@ -7739,7 +7739,7 @@ static int raid5_resize(struct mddev *md + sector_t newsize; + struct r5conf *conf = mddev->private; + +- if (conf->log || raid5_has_ppl(conf)) ++ if (raid5_has_log(conf) || raid5_has_ppl(conf)) + return -EINVAL; + sectors &= ~((sector_t)conf->chunk_sectors - 1); + newsize = raid5_size(mddev, sectors, mddev->raid_disks); +@@ -7790,7 +7790,7 @@ static int check_reshape(struct mddev *m + { + struct r5conf *conf = mddev->private; + +- if (conf->log || raid5_has_ppl(conf)) ++ if (raid5_has_log(conf) || raid5_has_ppl(conf)) + return -EINVAL; + if (mddev->delta_disks == 0 && + mddev->new_layout == mddev->layout && diff --git a/queue-4.18/nds32-add-null-entry-to-the-end-of_device_id-array.patch b/queue-4.18/nds32-add-null-entry-to-the-end-of_device_id-array.patch new file mode 100644 index 00000000000..5bef053e1f7 --- /dev/null +++ b/queue-4.18/nds32-add-null-entry-to-the-end-of_device_id-array.patch @@ -0,0 +1,33 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: YueHaibing +Date: Tue, 7 Aug 2018 12:03:13 +0800 +Subject: nds32: add NULL entry to the end of_device_id array + +From: YueHaibing + +[ Upstream commit 1944a50859ec2b570b42b459ac25d607fc7c31f0 ] + +Make sure of_device_id tables are NULL terminated. +Found by coccinelle spatch "misc/of_table.cocci" + +Signed-off-by: YueHaibing +Acked-by: Greentime Hu +Signed-off-by: Greentime Hu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/nds32/kernel/atl2c.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/nds32/kernel/atl2c.c ++++ b/arch/nds32/kernel/atl2c.c +@@ -9,7 +9,8 @@ + + void __iomem *atl2c_base; + static const struct of_device_id atl2c_ids[] __initconst = { +- {.compatible = "andestech,atl2c",} ++ {.compatible = "andestech,atl2c",}, ++ {} + }; + + static int __init atl2c_of_init(void) diff --git a/queue-4.18/nds32-fix-build-error-because-of-wrong-semicolon.patch b/queue-4.18/nds32-fix-build-error-because-of-wrong-semicolon.patch new file mode 100644 index 00000000000..4e0afc9e23a --- /dev/null +++ b/queue-4.18/nds32-fix-build-error-because-of-wrong-semicolon.patch @@ -0,0 +1,43 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Greentime Hu +Date: Tue, 28 Aug 2018 16:07:39 +0800 +Subject: nds32: fix build error because of wrong semicolon + +From: Greentime Hu + +[ Upstream commit ec865393292f5ad8d52da20788b3685ebce44c48 ] + +It shall be removed in the define usage. We shall not put a semicolon there. + +/kisskb/src/arch/nds32/include/asm/elf.h:126:29: error: expected '}' before ';' token + #define ELF_DATA ELFDATA2LSB; + ^ +/kisskb/src/fs/proc/kcore.c:318:17: note: in expansion of macro 'ELF_DATA' + [EI_DATA] = ELF_DATA, + ^~~~~~~~ +/kisskb/src/fs/proc/kcore.c:312:15: note: to match this '{' + .e_ident = { + ^ +/kisskb/src/scripts/Makefile.build:307: recipe for target 'fs/proc/kcore.o' failed + +Signed-off-by: Greentime Hu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/nds32/include/asm/elf.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/nds32/include/asm/elf.h ++++ b/arch/nds32/include/asm/elf.h +@@ -121,9 +121,9 @@ struct elf32_hdr; + */ + #define ELF_CLASS ELFCLASS32 + #ifdef __NDS32_EB__ +-#define ELF_DATA ELFDATA2MSB; ++#define ELF_DATA ELFDATA2MSB + #else +-#define ELF_DATA ELFDATA2LSB; ++#define ELF_DATA ELFDATA2LSB + #endif + #define ELF_ARCH EM_NDS32 + #define USE_ELF_CORE_DUMP diff --git a/queue-4.18/nds32-fix-empty-call-trace.patch b/queue-4.18/nds32-fix-empty-call-trace.patch new file mode 100644 index 00000000000..4b020e75c35 --- /dev/null +++ b/queue-4.18/nds32-fix-empty-call-trace.patch @@ -0,0 +1,32 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Zong Li +Date: Mon, 13 Aug 2018 13:28:23 +0800 +Subject: nds32: Fix empty call trace + +From: Zong Li + +[ Upstream commit c17df7960534357fb74074c2f514c831d4a9cf5a ] + +The compiler predefined macro 'NDS32_ABI_2' had been removed, it should +use the '__NDS32_ABI_2' here. + +Signed-off-by: Zong Li +Acked-by: Greentime Hu +Signed-off-by: Greentime Hu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/nds32/kernel/traps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/nds32/kernel/traps.c ++++ b/arch/nds32/kernel/traps.c +@@ -137,7 +137,7 @@ static void __dump(struct task_struct *t + !((unsigned long)base_reg & 0x3) && + ((unsigned long)base_reg >= TASK_SIZE)) { + unsigned long next_fp; +-#if !defined(NDS32_ABI_2) ++#if !defined(__NDS32_ABI_2) + ret_addr = base_reg[0]; + next_fp = base_reg[1]; + #else diff --git a/queue-4.18/nds32-fix-get_user-put_user-macro-expand-pointer-problem.patch b/queue-4.18/nds32-fix-get_user-put_user-macro-expand-pointer-problem.patch new file mode 100644 index 00000000000..9eaf1b707ae --- /dev/null +++ b/queue-4.18/nds32-fix-get_user-put_user-macro-expand-pointer-problem.patch @@ -0,0 +1,88 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Zong Li +Date: Mon, 13 Aug 2018 14:48:49 +0800 +Subject: nds32: Fix get_user/put_user macro expand pointer problem + +From: Zong Li + +[ Upstream commit 6cce95a6c7d288ac2126eee4b95df448b9015b84 ] + +The pointer argument of macro need to be taken out once first, and then +use the new pointer in the macro body. + +In kernel/trace/trace.c, get_user(ch, ubuf++) causes the unexpected +increment after expand the macro. + +Signed-off-by: Zong Li +Acked-by: Greentime Hu +Signed-off-by: Greentime Hu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/nds32/include/asm/uaccess.h | 26 ++++++++++++++------------ + 1 file changed, 14 insertions(+), 12 deletions(-) + +--- a/arch/nds32/include/asm/uaccess.h ++++ b/arch/nds32/include/asm/uaccess.h +@@ -78,8 +78,9 @@ static inline void set_fs(mm_segment_t f + #define get_user(x,p) \ + ({ \ + long __e = -EFAULT; \ +- if(likely(access_ok(VERIFY_READ, p, sizeof(*p)))) { \ +- __e = __get_user(x,p); \ ++ const __typeof__(*(p)) __user *__p = (p); \ ++ if(likely(access_ok(VERIFY_READ, __p, sizeof(*__p)))) { \ ++ __e = __get_user(x, __p); \ + } else \ + x = 0; \ + __e; \ +@@ -99,10 +100,10 @@ static inline void set_fs(mm_segment_t f + + #define __get_user_err(x,ptr,err) \ + do { \ +- unsigned long __gu_addr = (unsigned long)(ptr); \ ++ const __typeof__(*(ptr)) __user *__gu_addr = (ptr); \ + unsigned long __gu_val; \ +- __chk_user_ptr(ptr); \ +- switch (sizeof(*(ptr))) { \ ++ __chk_user_ptr(__gu_addr); \ ++ switch (sizeof(*(__gu_addr))) { \ + case 1: \ + __get_user_asm("lbi",__gu_val,__gu_addr,err); \ + break; \ +@@ -119,7 +120,7 @@ do { \ + BUILD_BUG(); \ + break; \ + } \ +- (x) = (__typeof__(*(ptr)))__gu_val; \ ++ (x) = (__typeof__(*(__gu_addr)))__gu_val; \ + } while (0) + + #define __get_user_asm(inst,x,addr,err) \ +@@ -169,8 +170,9 @@ do { \ + #define put_user(x,p) \ + ({ \ + long __e = -EFAULT; \ +- if(likely(access_ok(VERIFY_WRITE, p, sizeof(*p)))) { \ +- __e = __put_user(x,p); \ ++ __typeof__(*(p)) __user *__p = (p); \ ++ if(likely(access_ok(VERIFY_WRITE, __p, sizeof(*__p)))) { \ ++ __e = __put_user(x, __p); \ + } \ + __e; \ + }) +@@ -189,10 +191,10 @@ do { \ + + #define __put_user_err(x,ptr,err) \ + do { \ +- unsigned long __pu_addr = (unsigned long)(ptr); \ +- __typeof__(*(ptr)) __pu_val = (x); \ +- __chk_user_ptr(ptr); \ +- switch (sizeof(*(ptr))) { \ ++ __typeof__(*(ptr)) __user *__pu_addr = (ptr); \ ++ __typeof__(*(__pu_addr)) __pu_val = (x); \ ++ __chk_user_ptr(__pu_addr); \ ++ switch (sizeof(*(__pu_addr))) { \ + case 1: \ + __put_user_asm("sbi",__pu_val,__pu_addr,err); \ + break; \ diff --git a/queue-4.18/nds32-fix-logic-for-module.patch b/queue-4.18/nds32-fix-logic-for-module.patch new file mode 100644 index 00000000000..6983e192997 --- /dev/null +++ b/queue-4.18/nds32-fix-logic-for-module.patch @@ -0,0 +1,41 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Greentime Hu +Date: Wed, 18 Jul 2018 09:54:55 +0800 +Subject: nds32: fix logic for module + +From: Greentime Hu + +[ Upstream commit 1dfdf99106668679b0de5a62fd4f42c1a11c9445 ] + +This bug is report by Dan Carpenter. We shall use ~loc_mask instead of +!loc_mask because we need to and(&) the bits of ~loc_mask. + +Reported-by: Dan Carpenter +Fixes: c9a4a8da6baa ("nds32: Loadable modules") +Signed-off-by: Greentime Hu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/nds32/kernel/module.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/nds32/kernel/module.c ++++ b/arch/nds32/kernel/module.c +@@ -40,7 +40,7 @@ void do_reloc16(unsigned int val, unsign + + tmp2 = tmp & loc_mask; + if (partial_in_place) { +- tmp &= (!loc_mask); ++ tmp &= (~loc_mask); + tmp = + tmp2 | ((tmp + ((val & val_mask) >> val_shift)) & val_mask); + } else { +@@ -70,7 +70,7 @@ void do_reloc32(unsigned int val, unsign + + tmp2 = tmp & loc_mask; + if (partial_in_place) { +- tmp &= (!loc_mask); ++ tmp &= (~loc_mask); + tmp = + tmp2 | ((tmp + ((val & val_mask) >> val_shift)) & val_mask); + } else { diff --git a/queue-4.18/nds32-linker-script-gcov-kernel-may-refers-data-in-__exit.patch b/queue-4.18/nds32-linker-script-gcov-kernel-may-refers-data-in-__exit.patch new file mode 100644 index 00000000000..073a5973d7a --- /dev/null +++ b/queue-4.18/nds32-linker-script-gcov-kernel-may-refers-data-in-__exit.patch @@ -0,0 +1,52 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Greentime Hu +Date: Tue, 4 Sep 2018 14:25:57 +0800 +Subject: nds32: linker script: GCOV kernel may refers data in __exit + +From: Greentime Hu + +[ Upstream commit 3350139c0ff3c95724b784f7109987d533cb3ecd ] + +This patch is used to fix nds32 allmodconfig/allyesconfig build error +because GCOV kernel embeds counters in the kernel for each line +and a part of that embed in __exit text. So we need to keep the +EXIT_TEXT and EXIT_DATA if CONFIG_GCOV_KERNEL=y. + +Link: https://lkml.org/lkml/2018/9/1/125 +Signed-off-by: Greentime Hu +Reviewed-by: Masami Hiramatsu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/nds32/kernel/vmlinux.lds.S | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/arch/nds32/kernel/vmlinux.lds.S ++++ b/arch/nds32/kernel/vmlinux.lds.S +@@ -13,14 +13,26 @@ OUTPUT_ARCH(nds32) + ENTRY(_stext_lma) + jiffies = jiffies_64; + ++#if defined(CONFIG_GCOV_KERNEL) ++#define NDS32_EXIT_KEEP(x) x ++#else ++#define NDS32_EXIT_KEEP(x) ++#endif ++ + SECTIONS + { + _stext_lma = TEXTADDR - LOAD_OFFSET; + . = TEXTADDR; + __init_begin = .; + HEAD_TEXT_SECTION ++ .exit.text : { ++ NDS32_EXIT_KEEP(EXIT_TEXT) ++ } + INIT_TEXT_SECTION(PAGE_SIZE) + INIT_DATA_SECTION(16) ++ .exit.data : { ++ NDS32_EXIT_KEEP(EXIT_DATA) ++ } + PERCPU_SECTION(L1_CACHE_BYTES) + __init_end = .; + diff --git a/queue-4.18/net-cadence-fix-a-sleep-in-atomic-context-bug-in-macb_halt_tx.patch b/queue-4.18/net-cadence-fix-a-sleep-in-atomic-context-bug-in-macb_halt_tx.patch new file mode 100644 index 00000000000..11053ef9336 --- /dev/null +++ b/queue-4.18/net-cadence-fix-a-sleep-in-atomic-context-bug-in-macb_halt_tx.patch @@ -0,0 +1,44 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Jia-Ju Bai +Date: Sat, 1 Sep 2018 20:11:05 +0800 +Subject: net: cadence: Fix a sleep-in-atomic-context bug in macb_halt_tx() + +From: Jia-Ju Bai + +[ Upstream commit 16fe10cf92783ed9ceb182d6ea2b8adf5e8ec1b8 ] + +The kernel module may sleep with holding a spinlock. + +The function call paths (from bottom to top) in Linux-4.16 are: + +[FUNC] usleep_range +drivers/net/ethernet/cadence/macb_main.c, 648: + usleep_range in macb_halt_tx +drivers/net/ethernet/cadence/macb_main.c, 730: + macb_halt_tx in macb_tx_error_task +drivers/net/ethernet/cadence/macb_main.c, 721: + _raw_spin_lock_irqsave in macb_tx_error_task + +To fix this bug, usleep_range() is replaced with udelay(). + +This bug is found by my static analysis tool DSAC. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cadence/macb_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -648,7 +648,7 @@ static int macb_halt_tx(struct macb *bp) + if (!(status & MACB_BIT(TGO))) + return 0; + +- usleep_range(10, 250); ++ udelay(250); + } while (time_before(halt_time, timeout)); + + return -ETIMEDOUT; diff --git a/queue-4.18/net-ethernet-cpsw-phy-sel-prefer-phandle-for-phy-sel.patch b/queue-4.18/net-ethernet-cpsw-phy-sel-prefer-phandle-for-phy-sel.patch new file mode 100644 index 00000000000..66cc1745d3f --- /dev/null +++ b/queue-4.18/net-ethernet-cpsw-phy-sel-prefer-phandle-for-phy-sel.patch @@ -0,0 +1,63 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Tony Lindgren +Date: Wed, 29 Aug 2018 08:00:24 -0700 +Subject: net: ethernet: cpsw-phy-sel: prefer phandle for phy sel + +From: Tony Lindgren + +[ Upstream commit 18eb8aea7fb2fb4490e578b1b8a1096c34b2fc48 ] + +The cpsw-phy-sel device is not a child of the cpsw interconnect target +module. It lives in the system control module. + +Let's fix this issue by trying to use cpsw-phy-sel phandle first if it +exists and if not fall back to current usage of trying to find the +cpsw-phy-sel child. That way the phy sel driver can be a child of the +system control module where it belongs in the device tree. + +Without this fix, we cannot have a proper interconnect target module +hierarchy in device tree for things like genpd. + +Note that deferred probe is mostly not supported by cpsw and this patch +does not attempt to fix that. In case deferred probe support is needed, +this could be added to cpsw_slave_open() and phy_connect() so they start +handling and returning errors. + +For documenting it, looks like the cpsw-phy-sel is used for all cpsw device +tree nodes. It's missing the related binding documentation, so let's also +update the binding documentation accordingly. + +Cc: devicetree@vger.kernel.org +Cc: Andrew Lunn +Cc: Grygorii Strashko +Cc: Ivan Khoronzhuk +Cc: Mark Rutland +Cc: Murali Karicheri +Cc: Rob Herring +Signed-off-by: Tony Lindgren +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/cpsw-phy-sel.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/ti/cpsw-phy-sel.c ++++ b/drivers/net/ethernet/ti/cpsw-phy-sel.c +@@ -170,10 +170,13 @@ void cpsw_phy_sel(struct device *dev, ph + struct device_node *node; + struct cpsw_phy_sel_priv *priv; + +- node = of_get_child_by_name(dev->of_node, "cpsw-phy-sel"); ++ node = of_parse_phandle(dev->of_node, "cpsw-phy-sel", 0); + if (!node) { +- dev_err(dev, "Phy mode driver DT not found\n"); +- return; ++ node = of_get_child_by_name(dev->of_node, "cpsw-phy-sel"); ++ if (!node) { ++ dev_err(dev, "Phy mode driver DT not found\n"); ++ return; ++ } + } + + dev = bus_find_device(&platform_bus_type, NULL, node, match); diff --git a/queue-4.18/net-hns-add-netif_carrier_off-before-change-speed-and-duplex.patch b/queue-4.18/net-hns-add-netif_carrier_off-before-change-speed-and-duplex.patch new file mode 100644 index 00000000000..381a5e6d690 --- /dev/null +++ b/queue-4.18/net-hns-add-netif_carrier_off-before-change-speed-and-duplex.patch @@ -0,0 +1,36 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Peng Li +Date: Mon, 27 Aug 2018 09:59:30 +0800 +Subject: net: hns: add netif_carrier_off before change speed and duplex + +From: Peng Li + +[ Upstream commit 455c4401fe7a538facaffb35b906ce19f1ece474 ] + +If there are packets in hardware when changing the speed +or duplex, it may cause hardware hang up. + +This patch adds netif_carrier_off before change speed and +duplex in ethtool_ops.set_link_ksettings, and adds +netif_carrier_on after complete the change. + +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns/hns_ethtool.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c +@@ -243,7 +243,9 @@ static int hns_nic_set_link_ksettings(st + } + + if (h->dev->ops->adjust_link) { ++ netif_carrier_off(net_dev); + h->dev->ops->adjust_link(h, (int)speed, cmd->base.duplex); ++ netif_carrier_on(net_dev); + return 0; + } + diff --git a/queue-4.18/net-hns-add-the-code-for-cleaning-pkt-in-chip.patch b/queue-4.18/net-hns-add-the-code-for-cleaning-pkt-in-chip.patch new file mode 100644 index 00000000000..62600d60f76 --- /dev/null +++ b/queue-4.18/net-hns-add-the-code-for-cleaning-pkt-in-chip.patch @@ -0,0 +1,500 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Peng Li +Date: Mon, 27 Aug 2018 09:59:29 +0800 +Subject: net: hns: add the code for cleaning pkt in chip + +From: Peng Li + +[ Upstream commit 31fabbee8f5c658c3fa1603c66e9e4f51ea8c2c6 ] + +If there are packets in hardware when changing the speed +or duplex, it may cause hardware hang up. + +This patch adds the code for waiting chip to clean the all +pkts(TX & RX) in chip when the driver uses the function named +"adjust link". + +This patch cleans the pkts as follows: +1) close rx of chip, close tx of protocol stack. +2) wait rcb, ppe, mac to clean. +3) adjust link +4) open rx of chip, open tx of protocol stack. + +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns/hnae.h | 2 + drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c | 67 ++++++++++++++++++++- + drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c | 36 +++++++++++ + drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c | 44 +++++++++++++ + drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.h | 8 ++ + drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c | 29 +++++++++ + drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.h | 3 + drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c | 23 +++++++ + drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.h | 1 + drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c | 23 +++++++ + drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.h | 1 + drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h | 1 + drivers/net/ethernet/hisilicon/hns/hns_enet.c | 21 +++++- + 13 files changed, 255 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/hisilicon/hns/hnae.h ++++ b/drivers/net/ethernet/hisilicon/hns/hnae.h +@@ -486,6 +486,8 @@ struct hnae_ae_ops { + u8 *auto_neg, u16 *speed, u8 *duplex); + void (*toggle_ring_irq)(struct hnae_ring *ring, u32 val); + void (*adjust_link)(struct hnae_handle *handle, int speed, int duplex); ++ bool (*need_adjust_link)(struct hnae_handle *handle, ++ int speed, int duplex); + int (*set_loopback)(struct hnae_handle *handle, + enum hnae_loop loop_mode, int en); + void (*get_ring_bdnum_limit)(struct hnae_queue *queue, +--- a/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c +@@ -155,6 +155,41 @@ static void hns_ae_put_handle(struct hna + hns_ae_get_ring_pair(handle->qs[i])->used_by_vf = 0; + } + ++static int hns_ae_wait_flow_down(struct hnae_handle *handle) ++{ ++ struct dsaf_device *dsaf_dev; ++ struct hns_ppe_cb *ppe_cb; ++ struct hnae_vf_cb *vf_cb; ++ int ret; ++ int i; ++ ++ for (i = 0; i < handle->q_num; i++) { ++ ret = hns_rcb_wait_tx_ring_clean(handle->qs[i]); ++ if (ret) ++ return ret; ++ } ++ ++ ppe_cb = hns_get_ppe_cb(handle); ++ ret = hns_ppe_wait_tx_fifo_clean(ppe_cb); ++ if (ret) ++ return ret; ++ ++ dsaf_dev = hns_ae_get_dsaf_dev(handle->dev); ++ if (!dsaf_dev) ++ return -EINVAL; ++ ret = hns_dsaf_wait_pkt_clean(dsaf_dev, handle->dport_id); ++ if (ret) ++ return ret; ++ ++ vf_cb = hns_ae_get_vf_cb(handle); ++ ret = hns_mac_wait_fifo_clean(vf_cb->mac_cb); ++ if (ret) ++ return ret; ++ ++ mdelay(10); ++ return 0; ++} ++ + static void hns_ae_ring_enable_all(struct hnae_handle *handle, int val) + { + int q_num = handle->q_num; +@@ -399,12 +434,41 @@ static int hns_ae_get_mac_info(struct hn + return hns_mac_get_port_info(mac_cb, auto_neg, speed, duplex); + } + ++static bool hns_ae_need_adjust_link(struct hnae_handle *handle, int speed, ++ int duplex) ++{ ++ struct hns_mac_cb *mac_cb = hns_get_mac_cb(handle); ++ ++ return hns_mac_need_adjust_link(mac_cb, speed, duplex); ++} ++ + static void hns_ae_adjust_link(struct hnae_handle *handle, int speed, + int duplex) + { + struct hns_mac_cb *mac_cb = hns_get_mac_cb(handle); + +- hns_mac_adjust_link(mac_cb, speed, duplex); ++ switch (mac_cb->dsaf_dev->dsaf_ver) { ++ case AE_VERSION_1: ++ hns_mac_adjust_link(mac_cb, speed, duplex); ++ break; ++ ++ case AE_VERSION_2: ++ /* chip need to clear all pkt inside */ ++ hns_mac_disable(mac_cb, MAC_COMM_MODE_RX); ++ if (hns_ae_wait_flow_down(handle)) { ++ hns_mac_enable(mac_cb, MAC_COMM_MODE_RX); ++ break; ++ } ++ ++ hns_mac_adjust_link(mac_cb, speed, duplex); ++ hns_mac_enable(mac_cb, MAC_COMM_MODE_RX); ++ break; ++ ++ default: ++ break; ++ } ++ ++ return; + } + + static void hns_ae_get_ring_bdnum_limit(struct hnae_queue *queue, +@@ -902,6 +966,7 @@ static struct hnae_ae_ops hns_dsaf_ops = + .get_status = hns_ae_get_link_status, + .get_info = hns_ae_get_mac_info, + .adjust_link = hns_ae_adjust_link, ++ .need_adjust_link = hns_ae_need_adjust_link, + .set_loopback = hns_ae_config_loopback, + .get_ring_bdnum_limit = hns_ae_get_ring_bdnum_limit, + .get_pauseparam = hns_ae_get_pauseparam, +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c +@@ -257,6 +257,16 @@ static void hns_gmac_get_pausefrm_cfg(vo + *tx_pause_en = dsaf_get_bit(pause_en, GMAC_PAUSE_EN_TX_FDFC_B); + } + ++static bool hns_gmac_need_adjust_link(void *mac_drv, enum mac_speed speed, ++ int duplex) ++{ ++ struct mac_driver *drv = (struct mac_driver *)mac_drv; ++ struct hns_mac_cb *mac_cb = drv->mac_cb; ++ ++ return (mac_cb->speed != speed) || ++ (mac_cb->half_duplex == duplex); ++} ++ + static int hns_gmac_adjust_link(void *mac_drv, enum mac_speed speed, + u32 full_duplex) + { +@@ -309,6 +319,30 @@ static void hns_gmac_set_promisc(void *m + hns_gmac_set_uc_match(mac_drv, en); + } + ++int hns_gmac_wait_fifo_clean(void *mac_drv) ++{ ++ struct mac_driver *drv = (struct mac_driver *)mac_drv; ++ int wait_cnt; ++ u32 val; ++ ++ wait_cnt = 0; ++ while (wait_cnt++ < HNS_MAX_WAIT_CNT) { ++ val = dsaf_read_dev(drv, GMAC_FIFO_STATE_REG); ++ /* bit5~bit0 is not send complete pkts */ ++ if ((val & 0x3f) == 0) ++ break; ++ usleep_range(100, 200); ++ } ++ ++ if (wait_cnt >= HNS_MAX_WAIT_CNT) { ++ dev_err(drv->dev, ++ "hns ge %d fifo was not idle.\n", drv->mac_id); ++ return -EBUSY; ++ } ++ ++ return 0; ++} ++ + static void hns_gmac_init(void *mac_drv) + { + u32 port; +@@ -690,6 +724,7 @@ void *hns_gmac_config(struct hns_mac_cb + mac_drv->mac_disable = hns_gmac_disable; + mac_drv->mac_free = hns_gmac_free; + mac_drv->adjust_link = hns_gmac_adjust_link; ++ mac_drv->need_adjust_link = hns_gmac_need_adjust_link; + mac_drv->set_tx_auto_pause_frames = hns_gmac_set_tx_auto_pause_frames; + mac_drv->config_max_frame_length = hns_gmac_config_max_frame_length; + mac_drv->mac_pausefrm_cfg = hns_gmac_pause_frm_cfg; +@@ -717,6 +752,7 @@ void *hns_gmac_config(struct hns_mac_cb + mac_drv->get_strings = hns_gmac_get_strings; + mac_drv->update_stats = hns_gmac_update_stats; + mac_drv->set_promiscuous = hns_gmac_set_promisc; ++ mac_drv->wait_fifo_clean = hns_gmac_wait_fifo_clean; + + return (void *)mac_drv; + } +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c +@@ -114,6 +114,26 @@ int hns_mac_get_port_info(struct hns_mac + return 0; + } + ++/** ++ *hns_mac_is_adjust_link - check is need change mac speed and duplex register ++ *@mac_cb: mac device ++ *@speed: phy device speed ++ *@duplex:phy device duplex ++ * ++ */ ++bool hns_mac_need_adjust_link(struct hns_mac_cb *mac_cb, int speed, int duplex) ++{ ++ struct mac_driver *mac_ctrl_drv; ++ ++ mac_ctrl_drv = (struct mac_driver *)(mac_cb->priv.mac); ++ ++ if (mac_ctrl_drv->need_adjust_link) ++ return mac_ctrl_drv->need_adjust_link(mac_ctrl_drv, ++ (enum mac_speed)speed, duplex); ++ else ++ return true; ++} ++ + void hns_mac_adjust_link(struct hns_mac_cb *mac_cb, int speed, int duplex) + { + int ret; +@@ -430,6 +450,16 @@ int hns_mac_vm_config_bc_en(struct hns_m + return 0; + } + ++int hns_mac_wait_fifo_clean(struct hns_mac_cb *mac_cb) ++{ ++ struct mac_driver *drv = hns_mac_get_drv(mac_cb); ++ ++ if (drv->wait_fifo_clean) ++ return drv->wait_fifo_clean(drv); ++ ++ return 0; ++} ++ + void hns_mac_reset(struct hns_mac_cb *mac_cb) + { + struct mac_driver *drv = hns_mac_get_drv(mac_cb); +@@ -999,6 +1029,20 @@ static int hns_mac_get_max_port_num(stru + return DSAF_MAX_PORT_NUM; + } + ++void hns_mac_enable(struct hns_mac_cb *mac_cb, enum mac_commom_mode mode) ++{ ++ struct mac_driver *mac_ctrl_drv = hns_mac_get_drv(mac_cb); ++ ++ mac_ctrl_drv->mac_enable(mac_cb->priv.mac, mode); ++} ++ ++void hns_mac_disable(struct hns_mac_cb *mac_cb, enum mac_commom_mode mode) ++{ ++ struct mac_driver *mac_ctrl_drv = hns_mac_get_drv(mac_cb); ++ ++ mac_ctrl_drv->mac_disable(mac_cb->priv.mac, mode); ++} ++ + /** + * hns_mac_init - init mac + * @dsaf_dev: dsa fabric device struct pointer +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.h ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.h +@@ -356,6 +356,9 @@ struct mac_driver { + /*adjust mac mode of port,include speed and duplex*/ + int (*adjust_link)(void *mac_drv, enum mac_speed speed, + u32 full_duplex); ++ /* need adjust link */ ++ bool (*need_adjust_link)(void *mac_drv, enum mac_speed speed, ++ int duplex); + /* config autoegotaite mode of port*/ + void (*set_an_mode)(void *mac_drv, u8 enable); + /* config loopbank mode */ +@@ -394,6 +397,7 @@ struct mac_driver { + void (*get_info)(void *mac_drv, struct mac_info *mac_info); + + void (*update_stats)(void *mac_drv); ++ int (*wait_fifo_clean)(void *mac_drv); + + enum mac_mode mac_mode; + u8 mac_id; +@@ -427,6 +431,7 @@ void *hns_xgmac_config(struct hns_mac_cb + + int hns_mac_init(struct dsaf_device *dsaf_dev); + void mac_adjust_link(struct net_device *net_dev); ++bool hns_mac_need_adjust_link(struct hns_mac_cb *mac_cb, int speed, int duplex); + void hns_mac_get_link_status(struct hns_mac_cb *mac_cb, u32 *link_status); + int hns_mac_change_vf_addr(struct hns_mac_cb *mac_cb, u32 vmid, char *addr); + int hns_mac_set_multi(struct hns_mac_cb *mac_cb, +@@ -463,5 +468,8 @@ int hns_mac_add_uc_addr(struct hns_mac_c + int hns_mac_rm_uc_addr(struct hns_mac_cb *mac_cb, u8 vf_id, + const unsigned char *addr); + int hns_mac_clr_multicast(struct hns_mac_cb *mac_cb, int vfn); ++void hns_mac_enable(struct hns_mac_cb *mac_cb, enum mac_commom_mode mode); ++void hns_mac_disable(struct hns_mac_cb *mac_cb, enum mac_commom_mode mode); ++int hns_mac_wait_fifo_clean(struct hns_mac_cb *mac_cb); + + #endif /* _HNS_DSAF_MAC_H */ +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c +@@ -2733,6 +2733,35 @@ void hns_dsaf_set_promisc_tcam(struct ds + soft_mac_entry->index = enable ? entry_index : DSAF_INVALID_ENTRY_IDX; + } + ++int hns_dsaf_wait_pkt_clean(struct dsaf_device *dsaf_dev, int port) ++{ ++ u32 val, val_tmp; ++ int wait_cnt; ++ ++ if (port >= DSAF_SERVICE_NW_NUM) ++ return 0; ++ ++ wait_cnt = 0; ++ while (wait_cnt++ < HNS_MAX_WAIT_CNT) { ++ val = dsaf_read_dev(dsaf_dev, DSAF_VOQ_IN_PKT_NUM_0_REG + ++ (port + DSAF_XGE_NUM) * 0x40); ++ val_tmp = dsaf_read_dev(dsaf_dev, DSAF_VOQ_OUT_PKT_NUM_0_REG + ++ (port + DSAF_XGE_NUM) * 0x40); ++ if (val == val_tmp) ++ break; ++ ++ usleep_range(100, 200); ++ } ++ ++ if (wait_cnt >= HNS_MAX_WAIT_CNT) { ++ dev_err(dsaf_dev->dev, "hns dsaf clean wait timeout(%u - %u).\n", ++ val, val_tmp); ++ return -EBUSY; ++ } ++ ++ return 0; ++} ++ + /** + * dsaf_probe - probo dsaf dev + * @pdev: dasf platform device +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.h ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.h +@@ -44,6 +44,8 @@ struct hns_mac_cb; + #define DSAF_ROCE_CREDIT_CHN 8 + #define DSAF_ROCE_CHAN_MODE 3 + ++#define HNS_MAX_WAIT_CNT 10000 ++ + enum dsaf_roce_port_mode { + DSAF_ROCE_6PORT_MODE, + DSAF_ROCE_4PORT_MODE, +@@ -463,5 +465,6 @@ int hns_dsaf_rm_mac_addr( + + int hns_dsaf_clr_mac_mc_port(struct dsaf_device *dsaf_dev, + u8 mac_id, u8 port_num); ++int hns_dsaf_wait_pkt_clean(struct dsaf_device *dsaf_dev, int port); + + #endif /* __HNS_DSAF_MAIN_H__ */ +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c +@@ -274,6 +274,29 @@ static void hns_ppe_exc_irq_en(struct hn + dsaf_write_dev(ppe_cb, PPE_INTEN_REG, msk_vlue & vld_msk); + } + ++int hns_ppe_wait_tx_fifo_clean(struct hns_ppe_cb *ppe_cb) ++{ ++ int wait_cnt; ++ u32 val; ++ ++ wait_cnt = 0; ++ while (wait_cnt++ < HNS_MAX_WAIT_CNT) { ++ val = dsaf_read_dev(ppe_cb, PPE_CURR_TX_FIFO0_REG) & 0x3ffU; ++ if (!val) ++ break; ++ ++ usleep_range(100, 200); ++ } ++ ++ if (wait_cnt >= HNS_MAX_WAIT_CNT) { ++ dev_err(ppe_cb->dev, "hns ppe tx fifo clean wait timeout, still has %u pkt.\n", ++ val); ++ return -EBUSY; ++ } ++ ++ return 0; ++} ++ + /** + * ppe_init_hw - init ppe + * @ppe_cb: ppe device +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.h ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.h +@@ -100,6 +100,7 @@ struct ppe_common_cb { + + }; + ++int hns_ppe_wait_tx_fifo_clean(struct hns_ppe_cb *ppe_cb); + int hns_ppe_init(struct dsaf_device *dsaf_dev); + + void hns_ppe_uninit(struct dsaf_device *dsaf_dev); +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c +@@ -66,6 +66,29 @@ void hns_rcb_wait_fbd_clean(struct hnae_ + "queue(%d) wait fbd(%d) clean fail!!\n", i, fbd_num); + } + ++int hns_rcb_wait_tx_ring_clean(struct hnae_queue *qs) ++{ ++ u32 head, tail; ++ int wait_cnt; ++ ++ tail = dsaf_read_dev(&qs->tx_ring, RCB_REG_TAIL); ++ wait_cnt = 0; ++ while (wait_cnt++ < HNS_MAX_WAIT_CNT) { ++ head = dsaf_read_dev(&qs->tx_ring, RCB_REG_HEAD); ++ if (tail == head) ++ break; ++ ++ usleep_range(100, 200); ++ } ++ ++ if (wait_cnt >= HNS_MAX_WAIT_CNT) { ++ dev_err(qs->dev->dev, "rcb wait timeout, head not equal to tail.\n"); ++ return -EBUSY; ++ } ++ ++ return 0; ++} ++ + /** + *hns_rcb_reset_ring_hw - ring reset + *@q: ring struct pointer +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.h ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.h +@@ -136,6 +136,7 @@ void hns_rcbv2_int_clr_hw(struct hnae_qu + void hns_rcb_init_hw(struct ring_pair_cb *ring); + void hns_rcb_reset_ring_hw(struct hnae_queue *q); + void hns_rcb_wait_fbd_clean(struct hnae_queue **qs, int q_num, u32 flag); ++int hns_rcb_wait_tx_ring_clean(struct hnae_queue *qs); + u32 hns_rcb_get_rx_coalesced_frames( + struct rcb_common_cb *rcb_common, u32 port_idx); + u32 hns_rcb_get_tx_coalesced_frames( +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h +@@ -464,6 +464,7 @@ + #define RCB_RING_INTMSK_TX_OVERTIME_REG 0x000C4 + #define RCB_RING_INTSTS_TX_OVERTIME_REG 0x000C8 + ++#define GMAC_FIFO_STATE_REG 0x0000UL + #define GMAC_DUPLEX_TYPE_REG 0x0008UL + #define GMAC_FD_FC_TYPE_REG 0x000CUL + #define GMAC_TX_WATER_LINE_REG 0x0010UL +--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +@@ -1212,11 +1212,26 @@ static void hns_nic_adjust_link(struct n + struct hnae_handle *h = priv->ae_handle; + int state = 1; + ++ /* If there is no phy, do not need adjust link */ + if (ndev->phydev) { +- h->dev->ops->adjust_link(h, ndev->phydev->speed, +- ndev->phydev->duplex); +- state = ndev->phydev->link; ++ /* When phy link down, do nothing */ ++ if (ndev->phydev->link == 0) ++ return; ++ ++ if (h->dev->ops->need_adjust_link(h, ndev->phydev->speed, ++ ndev->phydev->duplex)) { ++ /* because Hi161X chip don't support to change gmac ++ * speed and duplex with traffic. Delay 200ms to ++ * make sure there is no more data in chip FIFO. ++ */ ++ netif_carrier_off(ndev); ++ msleep(200); ++ h->dev->ops->adjust_link(h, ndev->phydev->speed, ++ ndev->phydev->duplex); ++ netif_carrier_on(ndev); ++ } + } ++ + state = state && h->dev->ops->get_status(h); + + if (state != priv->link) { diff --git a/queue-4.18/net-ibm-emac-wrong-emac_calc_base-call-was-used-by-typo.patch b/queue-4.18/net-ibm-emac-wrong-emac_calc_base-call-was-used-by-typo.patch new file mode 100644 index 00000000000..26bbde2e0b9 --- /dev/null +++ b/queue-4.18/net-ibm-emac-wrong-emac_calc_base-call-was-used-by-typo.patch @@ -0,0 +1,43 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Ivan Mikhaylov +Date: Mon, 3 Sep 2018 10:26:28 +0300 +Subject: net/ibm/emac: wrong emac_calc_base call was used by typo + +From: Ivan Mikhaylov + +[ Upstream commit bf68066fccb10fce6bbffdda24ee2ae314c9c5b2 ] + +__emac_calc_base_mr1 was used instead of __emac4_calc_base_mr1 +by copy-paste mistake for emac4syn. + +Fixes: 45d6e545505fd32edb812f085be7de45b6a5c0af ("net/ibm/emac: add 8192 rx/tx fifo size") +Signed-off-by: Ivan Mikhaylov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/emac/core.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/ibm/emac/core.c ++++ b/drivers/net/ethernet/ibm/emac/core.c +@@ -494,9 +494,6 @@ static u32 __emac_calc_base_mr1(struct e + case 16384: + ret |= EMAC_MR1_RFS_16K; + break; +- case 8192: +- ret |= EMAC4_MR1_RFS_8K; +- break; + case 4096: + ret |= EMAC_MR1_RFS_4K; + break; +@@ -537,6 +534,9 @@ static u32 __emac4_calc_base_mr1(struct + case 16384: + ret |= EMAC4_MR1_RFS_16K; + break; ++ case 8192: ++ ret |= EMAC4_MR1_RFS_8K; ++ break; + case 4096: + ret |= EMAC4_MR1_RFS_4K; + break; diff --git a/queue-4.18/net-mvpp2-initialize-port-of_node-pointer.patch b/queue-4.18/net-mvpp2-initialize-port-of_node-pointer.patch new file mode 100644 index 00000000000..13bc05da66e --- /dev/null +++ b/queue-4.18/net-mvpp2-initialize-port-of_node-pointer.patch @@ -0,0 +1,58 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Baruch Siach +Date: Wed, 29 Aug 2018 09:44:39 +0300 +Subject: net: mvpp2: initialize port of_node pointer + +From: Baruch Siach + +[ Upstream commit c4053ef322081554765e1b708d6cdd8855e1d72d ] + +Without a valid of_node in struct device we can't find the mvpp2 port +device by its DT node. Specifically, this breaks +of_find_net_device_by_node(). + +For example, the Armada 8040 based Clearfog GT-8K uses Marvell 88E6141 +switch connected to the &cp1_eth2 port: + +&cp1_mdio { + ... + + switch0: switch0@4 { + compatible = "marvell,mv88e6085"; + ... + + ports { + ... + + port@5 { + reg = <5>; + label = "cpu"; + ethernet = <&cp1_eth2>; + }; + }; + }; +}; + +Without this patch, dsa_register_switch() returns -EPROBE_DEFER because +of_find_net_device_by_node() can't find the device_node of the &cp1_eth2 +device. + +Reviewed-by: Andrew Lunn +Signed-off-by: Baruch Siach +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -4685,6 +4685,7 @@ static int mvpp2_port_probe(struct platf + dev->min_mtu = ETH_MIN_MTU; + /* 9704 == 9728 - 20 and rounding to 8 */ + dev->max_mtu = MVPP2_BM_JUMBO_PKT_SIZE; ++ dev->dev.of_node = port_node; + + /* Phylink isn't used w/ ACPI as of now */ + if (port_node) { diff --git a/queue-4.18/nl80211-fix-nla_put_u8-to-u16-for-nl80211_wmmr_txop.patch b/queue-4.18/nl80211-fix-nla_put_u8-to-u16-for-nl80211_wmmr_txop.patch new file mode 100644 index 00000000000..9413302cbb8 --- /dev/null +++ b/queue-4.18/nl80211-fix-nla_put_u8-to-u16-for-nl80211_wmmr_txop.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Haim Dreyfuss +Date: Tue, 21 Aug 2018 09:22:19 +0300 +Subject: nl80211: Fix nla_put_u8 to u16 for NL80211_WMMR_TXOP + +From: Haim Dreyfuss + +[ Upstream commit d3c89bbc7491d5e288ca2993e999d24ba9ff52ad ] + +TXOP (also known as Channel Occupancy Time) is u16 and should be +added using nla_put_u16 instead of u8, fix that. + +Fixes: 50f32718e125 ("nl80211: Add wmm rule attribute to NL80211_CMD_GET_WIPHY dump command") +Signed-off-by: Haim Dreyfuss +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/nl80211.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -672,8 +672,8 @@ static int nl80211_msg_put_wmm_rules(str + rule->wmm_rule.client[j].cw_max) || + nla_put_u8(msg, NL80211_WMMR_AIFSN, + rule->wmm_rule.client[j].aifsn) || +- nla_put_u8(msg, NL80211_WMMR_TXOP, +- rule->wmm_rule.client[j].cot)) ++ nla_put_u16(msg, NL80211_WMMR_TXOP, ++ rule->wmm_rule.client[j].cot)) + goto nla_put_failure; + + nla_nest_end(msg, nl_wmm_rule); diff --git a/queue-4.18/nl80211-pass-center-frequency-in-khz-instead-of-mhz.patch b/queue-4.18/nl80211-pass-center-frequency-in-khz-instead-of-mhz.patch new file mode 100644 index 00000000000..ac04b4a793e --- /dev/null +++ b/queue-4.18/nl80211-pass-center-frequency-in-khz-instead-of-mhz.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Haim Dreyfuss +Date: Tue, 21 Aug 2018 09:22:20 +0300 +Subject: nl80211: Pass center frequency in kHz instead of MHz + +From: Haim Dreyfuss + +[ Upstream commit b88d26d97c41680f7327e5fb8061ad0037877f40 ] + +freq_reg_info expects to get the frequency in kHz. Instead we +accidently pass it in MHz. Thus, currently the function always +return ERR rule. Fix that. + +Fixes: 50f32718e125 ("nl80211: Add wmm rule attribute to NL80211_CMD_GET_WIPHY dump command") +Signed-off-by: Haim Dreyfuss +Signed-off-by: Luca Coelho +[fix kHz/MHz in commit message] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/nl80211.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -764,7 +764,7 @@ static int nl80211_msg_put_channel(struc + + if (large) { + const struct ieee80211_reg_rule *rule = +- freq_reg_info(wiphy, chan->center_freq); ++ freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq)); + + if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) { + if (nl80211_msg_put_wmm_rules(msg, rule)) diff --git a/queue-4.18/raid10-bug_on-in-raise_barrier-when-force-is-true-and-conf-barrier-is-0.patch b/queue-4.18/raid10-bug_on-in-raise_barrier-when-force-is-true-and-conf-barrier-is-0.patch new file mode 100644 index 00000000000..36354b21a63 --- /dev/null +++ b/queue-4.18/raid10-bug_on-in-raise_barrier-when-force-is-true-and-conf-barrier-is-0.patch @@ -0,0 +1,56 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Xiao Ni +Date: Thu, 30 Aug 2018 15:57:09 +0800 +Subject: RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0 + +From: Xiao Ni + +[ Upstream commit 1d0ffd264204eba1861865560f1f7f7a92919384 ] + +In raid10 reshape_request it gets max_sectors in read_balance. If the underlayer disks +have bad blocks, the max_sectors is less than last. It will call goto read_more many +times. It calls raise_barrier(conf, sectors_done != 0) every time. In this condition +sectors_done is not 0. So the value passed to the argument force of raise_barrier is +true. + +In raise_barrier it checks conf->barrier when force is true. If force is true and +conf->barrier is 0, it panic. In this case reshape_request submits bio to under layer +disks. And in the callback function of the bio it calls lower_barrier. If the bio +finishes before calling raise_barrier again, it can trigger the BUG_ON. + +Add one pair of raise_barrier/lower_barrier to fix this bug. + +Signed-off-by: Xiao Ni +Suggested-by: Neil Brown +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid10.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -4531,11 +4531,12 @@ static sector_t reshape_request(struct m + allow_barrier(conf); + } + ++ raise_barrier(conf, 0); + read_more: + /* Now schedule reads for blocks from sector_nr to last */ + r10_bio = raid10_alloc_init_r10buf(conf); + r10_bio->state = 0; +- raise_barrier(conf, sectors_done != 0); ++ raise_barrier(conf, 1); + atomic_set(&r10_bio->remaining, 0); + r10_bio->mddev = mddev; + r10_bio->sector = sector_nr; +@@ -4631,6 +4632,8 @@ read_more: + if (sector_nr <= last) + goto read_more; + ++ lower_barrier(conf); ++ + /* Now that we have done the whole section we can + * update reshape_progress + */ diff --git a/queue-4.18/revert-blk-throttle-fix-race-between-blkcg_bio_issue_check-and-cgroup_rmdir.patch b/queue-4.18/revert-blk-throttle-fix-race-between-blkcg_bio_issue_check-and-cgroup_rmdir.patch new file mode 100644 index 00000000000..55b0589707c --- /dev/null +++ b/queue-4.18/revert-blk-throttle-fix-race-between-blkcg_bio_issue_check-and-cgroup_rmdir.patch @@ -0,0 +1,196 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: "Dennis Zhou (Facebook)" +Date: Fri, 31 Aug 2018 16:22:42 -0400 +Subject: Revert "blk-throttle: fix race between blkcg_bio_issue_check() and cgroup_rmdir()" + +From: "Dennis Zhou (Facebook)" + +[ Upstream commit 6b06546206868f723f2061d703a3c3c378dcbf4c ] + +This reverts commit 4c6994806f708559c2812b73501406e21ae5dcd0. + +Destroying blkgs is tricky because of the nature of the relationship. A +blkg should go away when either a blkcg or a request_queue goes away. +However, blkg's pin the blkcg to ensure they remain valid. To break this +cycle, when a blkcg is offlined, blkgs put back their css ref. This +eventually lets css_free() get called which frees the blkcg. + +The above commit (4c6994806f70) breaks this order of events by trying to +destroy blkgs in css_free(). As the blkgs still hold references to the +blkcg, css_free() is never called. + +The race between blkcg_bio_issue_check() and cgroup_rmdir() will be +addressed in the following patch by delaying destruction of a blkg until +all writeback associated with the blkcg has been finished. + +Fixes: 4c6994806f70 ("blk-throttle: fix race between blkcg_bio_issue_check() and cgroup_rmdir()") +Reviewed-by: Josef Bacik +Signed-off-by: Dennis Zhou +Cc: Jiufei Xue +Cc: Joseph Qi +Cc: Tejun Heo +Cc: Jens Axboe +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-cgroup.c | 78 +++++++++------------------------------------ + include/linux/blk-cgroup.h | 1 + 2 files changed, 16 insertions(+), 63 deletions(-) + +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -307,28 +307,11 @@ struct blkcg_gq *blkg_lookup_create(stru + } + } + +-static void blkg_pd_offline(struct blkcg_gq *blkg) +-{ +- int i; +- +- lockdep_assert_held(blkg->q->queue_lock); +- lockdep_assert_held(&blkg->blkcg->lock); +- +- for (i = 0; i < BLKCG_MAX_POLS; i++) { +- struct blkcg_policy *pol = blkcg_policy[i]; +- +- if (blkg->pd[i] && !blkg->pd[i]->offline && +- pol->pd_offline_fn) { +- pol->pd_offline_fn(blkg->pd[i]); +- blkg->pd[i]->offline = true; +- } +- } +-} +- + static void blkg_destroy(struct blkcg_gq *blkg) + { + struct blkcg *blkcg = blkg->blkcg; + struct blkcg_gq *parent = blkg->parent; ++ int i; + + lockdep_assert_held(blkg->q->queue_lock); + lockdep_assert_held(&blkcg->lock); +@@ -337,6 +320,13 @@ static void blkg_destroy(struct blkcg_gq + WARN_ON_ONCE(list_empty(&blkg->q_node)); + WARN_ON_ONCE(hlist_unhashed(&blkg->blkcg_node)); + ++ for (i = 0; i < BLKCG_MAX_POLS; i++) { ++ struct blkcg_policy *pol = blkcg_policy[i]; ++ ++ if (blkg->pd[i] && pol->pd_offline_fn) ++ pol->pd_offline_fn(blkg->pd[i]); ++ } ++ + if (parent) { + blkg_rwstat_add_aux(&parent->stat_bytes, &blkg->stat_bytes); + blkg_rwstat_add_aux(&parent->stat_ios, &blkg->stat_ios); +@@ -379,7 +369,6 @@ static void blkg_destroy_all(struct requ + struct blkcg *blkcg = blkg->blkcg; + + spin_lock(&blkcg->lock); +- blkg_pd_offline(blkg); + blkg_destroy(blkg); + spin_unlock(&blkcg->lock); + } +@@ -1006,54 +995,21 @@ static struct cftype blkcg_legacy_files[ + * @css: css of interest + * + * This function is called when @css is about to go away and responsible +- * for offlining all blkgs pd and killing all wbs associated with @css. +- * blkgs pd offline should be done while holding both q and blkcg locks. +- * As blkcg lock is nested inside q lock, this function performs reverse +- * double lock dancing. ++ * for shooting down all blkgs associated with @css. blkgs should be ++ * removed while holding both q and blkcg locks. As blkcg lock is nested ++ * inside q lock, this function performs reverse double lock dancing. + * + * This is the blkcg counterpart of ioc_release_fn(). + */ + static void blkcg_css_offline(struct cgroup_subsys_state *css) + { + struct blkcg *blkcg = css_to_blkcg(css); +- struct blkcg_gq *blkg; + + spin_lock_irq(&blkcg->lock); + +- hlist_for_each_entry(blkg, &blkcg->blkg_list, blkcg_node) { +- struct request_queue *q = blkg->q; +- +- if (spin_trylock(q->queue_lock)) { +- blkg_pd_offline(blkg); +- spin_unlock(q->queue_lock); +- } else { +- spin_unlock_irq(&blkcg->lock); +- cpu_relax(); +- spin_lock_irq(&blkcg->lock); +- } +- } +- +- spin_unlock_irq(&blkcg->lock); +- +- wb_blkcg_offline(blkcg); +-} +- +-/** +- * blkcg_destroy_all_blkgs - destroy all blkgs associated with a blkcg +- * @blkcg: blkcg of interest +- * +- * This function is called when blkcg css is about to free and responsible for +- * destroying all blkgs associated with @blkcg. +- * blkgs should be removed while holding both q and blkcg locks. As blkcg lock +- * is nested inside q lock, this function performs reverse double lock dancing. +- */ +-static void blkcg_destroy_all_blkgs(struct blkcg *blkcg) +-{ +- spin_lock_irq(&blkcg->lock); + while (!hlist_empty(&blkcg->blkg_list)) { + struct blkcg_gq *blkg = hlist_entry(blkcg->blkg_list.first, +- struct blkcg_gq, +- blkcg_node); ++ struct blkcg_gq, blkcg_node); + struct request_queue *q = blkg->q; + + if (spin_trylock(q->queue_lock)) { +@@ -1065,7 +1021,10 @@ static void blkcg_destroy_all_blkgs(stru + spin_lock_irq(&blkcg->lock); + } + } ++ + spin_unlock_irq(&blkcg->lock); ++ ++ wb_blkcg_offline(blkcg); + } + + static void blkcg_css_free(struct cgroup_subsys_state *css) +@@ -1073,8 +1032,6 @@ static void blkcg_css_free(struct cgroup + struct blkcg *blkcg = css_to_blkcg(css); + int i; + +- blkcg_destroy_all_blkgs(blkcg); +- + mutex_lock(&blkcg_pol_mutex); + + list_del(&blkcg->all_blkcgs_node); +@@ -1412,11 +1369,8 @@ void blkcg_deactivate_policy(struct requ + + list_for_each_entry(blkg, &q->blkg_list, q_node) { + if (blkg->pd[pol->plid]) { +- if (!blkg->pd[pol->plid]->offline && +- pol->pd_offline_fn) { ++ if (pol->pd_offline_fn) + pol->pd_offline_fn(blkg->pd[pol->plid]); +- blkg->pd[pol->plid]->offline = true; +- } + pol->pd_free_fn(blkg->pd[pol->plid]); + blkg->pd[pol->plid] = NULL; + } +--- a/include/linux/blk-cgroup.h ++++ b/include/linux/blk-cgroup.h +@@ -88,7 +88,6 @@ struct blkg_policy_data { + /* the blkg and policy id this per-policy data belongs to */ + struct blkcg_gq *blkg; + int plid; +- bool offline; + }; + + /* diff --git a/queue-4.18/rseq-selftests-fix-parametrized-test-with-fpie.patch b/queue-4.18/rseq-selftests-fix-parametrized-test-with-fpie.patch new file mode 100644 index 00000000000..d84519e2f6f --- /dev/null +++ b/queue-4.18/rseq-selftests-fix-parametrized-test-with-fpie.patch @@ -0,0 +1,101 @@ +From ce01a1575f45bf319e374592656441021a7f5823 Mon Sep 17 00:00:00 2001 +From: Mathieu Desnoyers +Date: Thu, 27 Sep 2018 14:39:19 -0400 +Subject: rseq/selftests: fix parametrized test with -fpie + +From: Mathieu Desnoyers + +commit ce01a1575f45bf319e374592656441021a7f5823 upstream. + +On x86-64, the parametrized selftest code for rseq crashes with a +segmentation fault when compiled with -fpie. This happens when the +param_test binary is loaded at an address beyond 32-bit on x86-64. + +The issue is caused by use of a 32-bit register to hold the address +of the loop counter variable. + +Fix this by using a 64-bit register to calculate the address of the +loop counter variables as an offset from rip. + +Signed-off-by: Mathieu Desnoyers +Acked-by: "Paul E . McKenney" +Cc: # v4.18 +Cc: Shuah Khan +Cc: Thomas Gleixner +Cc: Joel Fernandes +Cc: Peter Zijlstra +Cc: Catalin Marinas +Cc: Dave Watson +Cc: Will Deacon +Cc: Andi Kleen +Cc: linux-kselftest@vger.kernel.org +Cc: "H . Peter Anvin" +Cc: Chris Lameter +Cc: Russell King +Cc: Michael Kerrisk +Cc: "Paul E . McKenney" +Cc: Paul Turner +Cc: Boqun Feng +Cc: Josh Triplett +Cc: Steven Rostedt +Cc: Ben Maurer +Cc: Andy Lutomirski +Cc: Andrew Morton +Cc: Linus Torvalds +Signed-off-by: Shuah Khan (Samsung OSG) +Signed-off-by: Greg Kroah-Hartman + + +--- + tools/testing/selftests/rseq/param_test.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +--- a/tools/testing/selftests/rseq/param_test.c ++++ b/tools/testing/selftests/rseq/param_test.c +@@ -56,15 +56,13 @@ unsigned int yield_mod_cnt, nr_abort; + printf(fmt, ## __VA_ARGS__); \ + } while (0) + +-#if defined(__x86_64__) || defined(__i386__) ++#ifdef __i386__ + + #define INJECT_ASM_REG "eax" + + #define RSEQ_INJECT_CLOBBER \ + , INJECT_ASM_REG + +-#ifdef __i386__ +- + #define RSEQ_INJECT_ASM(n) \ + "mov asm_loop_cnt_" #n ", %%" INJECT_ASM_REG "\n\t" \ + "test %%" INJECT_ASM_REG ",%%" INJECT_ASM_REG "\n\t" \ +@@ -76,9 +74,16 @@ unsigned int yield_mod_cnt, nr_abort; + + #elif defined(__x86_64__) + ++#define INJECT_ASM_REG_P "rax" ++#define INJECT_ASM_REG "eax" ++ ++#define RSEQ_INJECT_CLOBBER \ ++ , INJECT_ASM_REG_P \ ++ , INJECT_ASM_REG ++ + #define RSEQ_INJECT_ASM(n) \ +- "lea asm_loop_cnt_" #n "(%%rip), %%" INJECT_ASM_REG "\n\t" \ +- "mov (%%" INJECT_ASM_REG "), %%" INJECT_ASM_REG "\n\t" \ ++ "lea asm_loop_cnt_" #n "(%%rip), %%" INJECT_ASM_REG_P "\n\t" \ ++ "mov (%%" INJECT_ASM_REG_P "), %%" INJECT_ASM_REG "\n\t" \ + "test %%" INJECT_ASM_REG ",%%" INJECT_ASM_REG "\n\t" \ + "jz 333f\n\t" \ + "222:\n\t" \ +@@ -86,10 +91,6 @@ unsigned int yield_mod_cnt, nr_abort; + "jnz 222b\n\t" \ + "333:\n\t" + +-#else +-#error "Unsupported architecture" +-#endif +- + #elif defined(__ARMEL__) + + #define RSEQ_INJECT_INPUT \ diff --git a/queue-4.18/scsi-aacraid-fix-a-signedness-bug.patch b/queue-4.18/scsi-aacraid-fix-a-signedness-bug.patch new file mode 100644 index 00000000000..87a1638f65f --- /dev/null +++ b/queue-4.18/scsi-aacraid-fix-a-signedness-bug.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Dan Carpenter +Date: Mon, 27 Aug 2018 12:23:01 +0300 +Subject: scsi: aacraid: fix a signedness bug + +From: Dan Carpenter + +[ Upstream commit b9eb3b14f1dbf16bf27b6c1ffe6b8c00ec945c9b ] + +The problem is that ->reset_state is a u8 but it can be set to -1 or -2 in +aac_tmf_callback() and the error handling in aac_eh_target_reset() relies +on it to be signed. + +[mkp: fixed typo] + +Fixes: 0d643ff3c353 ("scsi: aacraid: use aac_tmf_callback for reset fib") +Signed-off-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/aacraid/aacraid.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/aacraid/aacraid.h ++++ b/drivers/scsi/aacraid/aacraid.h +@@ -1346,7 +1346,7 @@ struct fib { + struct aac_hba_map_info { + __le32 rmw_nexus; /* nexus for native HBA devices */ + u8 devtype; /* device type */ +- u8 reset_state; /* 0 - no reset, 1..x - */ ++ s8 reset_state; /* 0 - no reset, 1..x - */ + /* after xth TM LUN reset */ + u16 qd_limit; + u32 scan_counter; diff --git a/queue-4.18/scsi-csiostor-add-a-check-for-null-pointer-after-kmalloc.patch b/queue-4.18/scsi-csiostor-add-a-check-for-null-pointer-after-kmalloc.patch new file mode 100644 index 00000000000..b8326acc604 --- /dev/null +++ b/queue-4.18/scsi-csiostor-add-a-check-for-null-pointer-after-kmalloc.patch @@ -0,0 +1,57 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Varun Prakash +Date: Sat, 11 Aug 2018 21:03:58 +0530 +Subject: scsi: csiostor: add a check for NULL pointer after kmalloc() + +From: Varun Prakash + +[ Upstream commit 89809b028b6f54187b7d81a0c69b35d394c52e62 ] + +Reported-by: Colin Ian King +Signed-off-by: Varun Prakash +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/csiostor/csio_hw.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/drivers/scsi/csiostor/csio_hw.c ++++ b/drivers/scsi/csiostor/csio_hw.c +@@ -2275,8 +2275,8 @@ bye: + } + + /* +- * Returns -EINVAL if attempts to flash the firmware failed +- * else returns 0, ++ * Returns -EINVAL if attempts to flash the firmware failed, ++ * -ENOMEM if memory allocation failed else returns 0, + * if flashing was not attempted because the card had the + * latest firmware ECANCELED is returned + */ +@@ -2304,6 +2304,13 @@ csio_hw_flash_fw(struct csio_hw *hw, int + return -EINVAL; + } + ++ /* allocate memory to read the header of the firmware on the ++ * card ++ */ ++ card_fw = kmalloc(sizeof(*card_fw), GFP_KERNEL); ++ if (!card_fw) ++ return -ENOMEM; ++ + if (csio_is_t5(pci_dev->device & CSIO_HW_CHIP_MASK)) + fw_bin_file = FW_FNAME_T5; + else +@@ -2317,11 +2324,6 @@ csio_hw_flash_fw(struct csio_hw *hw, int + fw_size = fw->size; + } + +- /* allocate memory to read the header of the firmware on the +- * card +- */ +- card_fw = kmalloc(sizeof(*card_fw), GFP_KERNEL); +- + /* upgrade FW logic */ + ret = csio_hw_prep_fw(hw, fw_info, fw_data, fw_size, card_fw, + hw->fw_state, reset); diff --git a/queue-4.18/scsi-csiostor-fix-incorrect-port-capabilities.patch b/queue-4.18/scsi-csiostor-fix-incorrect-port-capabilities.patch new file mode 100644 index 00000000000..0ee5900c849 --- /dev/null +++ b/queue-4.18/scsi-csiostor-fix-incorrect-port-capabilities.patch @@ -0,0 +1,134 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Varun Prakash +Date: Sat, 11 Aug 2018 21:14:08 +0530 +Subject: scsi: csiostor: fix incorrect port capabilities + +From: Varun Prakash + +[ Upstream commit 68bdc630721c40e908d22cffe07b5ca225a69f6e ] + + - use be32_to_cpu() instead of ntohs() for 32 bit port capabilities. + + - add a new function fwcaps32_to_caps16() to convert 32 bit port + capabilities to 16 bit port capabilities. + +Signed-off-by: Varun Prakash +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/csiostor/csio_hw.c | 55 ++++++++++++++++++++++++++++++++-------- + drivers/scsi/csiostor/csio_hw.h | 1 + drivers/scsi/csiostor/csio_mb.c | 6 ++-- + 3 files changed, 48 insertions(+), 14 deletions(-) + +--- a/drivers/scsi/csiostor/csio_hw.c ++++ b/drivers/scsi/csiostor/csio_hw.c +@@ -1513,6 +1513,46 @@ fw_port_cap32_t fwcaps16_to_caps32(fw_po + } + + /** ++ * fwcaps32_to_caps16 - convert 32-bit Port Capabilities to 16-bits ++ * @caps32: a 32-bit Port Capabilities value ++ * ++ * Returns the equivalent 16-bit Port Capabilities value. Note that ++ * not all 32-bit Port Capabilities can be represented in the 16-bit ++ * Port Capabilities and some fields/values may not make it. ++ */ ++fw_port_cap16_t fwcaps32_to_caps16(fw_port_cap32_t caps32) ++{ ++ fw_port_cap16_t caps16 = 0; ++ ++ #define CAP32_TO_CAP16(__cap) \ ++ do { \ ++ if (caps32 & FW_PORT_CAP32_##__cap) \ ++ caps16 |= FW_PORT_CAP_##__cap; \ ++ } while (0) ++ ++ CAP32_TO_CAP16(SPEED_100M); ++ CAP32_TO_CAP16(SPEED_1G); ++ CAP32_TO_CAP16(SPEED_10G); ++ CAP32_TO_CAP16(SPEED_25G); ++ CAP32_TO_CAP16(SPEED_40G); ++ CAP32_TO_CAP16(SPEED_100G); ++ CAP32_TO_CAP16(FC_RX); ++ CAP32_TO_CAP16(FC_TX); ++ CAP32_TO_CAP16(802_3_PAUSE); ++ CAP32_TO_CAP16(802_3_ASM_DIR); ++ CAP32_TO_CAP16(ANEG); ++ CAP32_TO_CAP16(FORCE_PAUSE); ++ CAP32_TO_CAP16(MDIAUTO); ++ CAP32_TO_CAP16(MDISTRAIGHT); ++ CAP32_TO_CAP16(FEC_RS); ++ CAP32_TO_CAP16(FEC_BASER_RS); ++ ++ #undef CAP32_TO_CAP16 ++ ++ return caps16; ++} ++ ++/** + * lstatus_to_fwcap - translate old lstatus to 32-bit Port Capabilities + * @lstatus: old FW_PORT_ACTION_GET_PORT_INFO lstatus value + * +@@ -1670,7 +1710,7 @@ csio_enable_ports(struct csio_hw *hw) + val = 1; + + csio_mb_params(hw, mbp, CSIO_MB_DEFAULT_TMO, +- hw->pfn, 0, 1, ¶m, &val, false, ++ hw->pfn, 0, 1, ¶m, &val, true, + NULL); + + if (csio_mb_issue(hw, mbp)) { +@@ -1680,16 +1720,9 @@ csio_enable_ports(struct csio_hw *hw) + return -EINVAL; + } + +- csio_mb_process_read_params_rsp(hw, mbp, &retval, 1, +- &val); +- if (retval != FW_SUCCESS) { +- csio_err(hw, "FW_PARAMS_CMD(r) port:%d failed: 0x%x\n", +- portid, retval); +- mempool_free(mbp, hw->mb_mempool); +- return -EINVAL; +- } +- +- fw_caps = val; ++ csio_mb_process_read_params_rsp(hw, mbp, &retval, ++ 0, NULL); ++ fw_caps = retval ? FW_CAPS16 : FW_CAPS32; + } + + /* Read PORT information */ +--- a/drivers/scsi/csiostor/csio_hw.h ++++ b/drivers/scsi/csiostor/csio_hw.h +@@ -639,6 +639,7 @@ int csio_handle_intr_status(struct csio_ + + fw_port_cap32_t fwcap_to_fwspeed(fw_port_cap32_t acaps); + fw_port_cap32_t fwcaps16_to_caps32(fw_port_cap16_t caps16); ++fw_port_cap16_t fwcaps32_to_caps16(fw_port_cap32_t caps32); + fw_port_cap32_t lstatus_to_fwcap(u32 lstatus); + + int csio_hw_start(struct csio_hw *); +--- a/drivers/scsi/csiostor/csio_mb.c ++++ b/drivers/scsi/csiostor/csio_mb.c +@@ -368,7 +368,7 @@ csio_mb_port(struct csio_hw *hw, struct + FW_CMD_LEN16_V(sizeof(*cmdp) / 16)); + + if (fw_caps == FW_CAPS16) +- cmdp->u.l1cfg.rcap = cpu_to_be32(fc); ++ cmdp->u.l1cfg.rcap = cpu_to_be32(fwcaps32_to_caps16(fc)); + else + cmdp->u.l1cfg32.rcap32 = cpu_to_be32(fc); + } +@@ -395,8 +395,8 @@ csio_mb_process_read_port_rsp(struct csi + *pcaps = fwcaps16_to_caps32(ntohs(rsp->u.info.pcap)); + *acaps = fwcaps16_to_caps32(ntohs(rsp->u.info.acap)); + } else { +- *pcaps = ntohs(rsp->u.info32.pcaps32); +- *acaps = ntohs(rsp->u.info32.acaps32); ++ *pcaps = be32_to_cpu(rsp->u.info32.pcaps32); ++ *acaps = be32_to_cpu(rsp->u.info32.acaps32); + } + } + } diff --git a/queue-4.18/scsi-libata-add-missing-newline-at-end-of-file.patch b/queue-4.18/scsi-libata-add-missing-newline-at-end-of-file.patch new file mode 100644 index 00000000000..1f9e25222b7 --- /dev/null +++ b/queue-4.18/scsi-libata-add-missing-newline-at-end-of-file.patch @@ -0,0 +1,31 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Geert Uytterhoeven +Date: Thu, 23 Aug 2018 23:23:06 +0200 +Subject: scsi: libata: Add missing newline at end of file + +From: Geert Uytterhoeven + +[ Upstream commit 4e8065aa6c6f50765290be27ab8a64a4e44cb009 ] + +With gcc 4.1.2: + + drivers/ata/libata-core.c:7396:33: warning: no newline at end of file + +Fixes: 2fa4a32613c9182b ("scsi: libsas: dynamically allocate and free ata host") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -7403,4 +7403,4 @@ EXPORT_SYMBOL_GPL(ata_cable_unknown); + EXPORT_SYMBOL_GPL(ata_cable_ignore); + EXPORT_SYMBOL_GPL(ata_cable_sata); + EXPORT_SYMBOL_GPL(ata_host_get); +-EXPORT_SYMBOL_GPL(ata_host_put); +\ No newline at end of file ++EXPORT_SYMBOL_GPL(ata_host_put); diff --git a/queue-4.18/selftests-pmtu-detect-correct-binary-to-ping-ipv6-addresses.patch b/queue-4.18/selftests-pmtu-detect-correct-binary-to-ping-ipv6-addresses.patch new file mode 100644 index 00000000000..44a26d342f5 --- /dev/null +++ b/queue-4.18/selftests-pmtu-detect-correct-binary-to-ping-ipv6-addresses.patch @@ -0,0 +1,43 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Sabrina Dubroca +Date: Thu, 30 Aug 2018 16:01:18 +0200 +Subject: selftests: pmtu: detect correct binary to ping ipv6 addresses + +From: Sabrina Dubroca + +[ Upstream commit c81c7012e0c769b5704c2b07bd5224965e76fb70 ] + +Some systems don't have the ping6 binary anymore, and use ping for +everything. Detect the absence of ping6 and try to use ping instead. + +Fixes: d1f1b9cbf34c ("selftests: net: Introduce first PMTU test") +Signed-off-by: Sabrina Dubroca +Acked-by: Stefano Brivio +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/pmtu.sh | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/pmtu.sh ++++ b/tools/testing/selftests/net/pmtu.sh +@@ -46,6 +46,9 @@ + # Kselftest framework requirement - SKIP code is 4. + ksft_skip=4 + ++# Some systems don't have a ping6 binary anymore ++which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping) ++ + tests=" + pmtu_vti6_exception vti6: PMTU exceptions + pmtu_vti4_exception vti4: PMTU exceptions +@@ -274,7 +277,7 @@ test_pmtu_vti6_exception() { + mtu "${ns_b}" veth_b 4000 + mtu "${ns_a}" vti6_a 5000 + mtu "${ns_b}" vti6_b 5000 +- ${ns_a} ping6 -q -i 0.1 -w 2 -s 60000 ${vti6_b_addr} > /dev/null ++ ${ns_a} ${ping6} -q -i 0.1 -w 2 -s 60000 ${vti6_b_addr} > /dev/null + + # Check that exception was created + if [ "$(route_get_dst_pmtu_from_exception "${ns_a}" ${vti6_b_addr})" = "" ]; then diff --git a/queue-4.18/selftests-pmtu-maximum-mtu-for-vti4-is-2-16-1-20.patch b/queue-4.18/selftests-pmtu-maximum-mtu-for-vti4-is-2-16-1-20.patch new file mode 100644 index 00000000000..1d2e1ecc2e5 --- /dev/null +++ b/queue-4.18/selftests-pmtu-maximum-mtu-for-vti4-is-2-16-1-20.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Sabrina Dubroca +Date: Thu, 30 Aug 2018 16:01:17 +0200 +Subject: selftests: pmtu: maximum MTU for vti4 is 2^16-1-20 + +From: Sabrina Dubroca + +[ Upstream commit 902b5417f28d955cdb4898df6ffaab15f56c5cff ] + +Since commit 82612de1c98e ("ip_tunnel: restore binding to ifaces with a +large mtu"), the maximum MTU for vti4 is based on IP_MAX_MTU instead of +the mysterious constant 0xFFF8. This makes this selftest fail. + +Fixes: 82612de1c98e ("ip_tunnel: restore binding to ifaces with a large mtu") +Signed-off-by: Sabrina Dubroca +Acked-by: Stefano Brivio +Acked-by: Nicolas Dichtel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/pmtu.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/pmtu.sh ++++ b/tools/testing/selftests/net/pmtu.sh +@@ -334,7 +334,7 @@ test_pmtu_vti4_link_add_mtu() { + fail=0 + + min=68 +- max=$((65528 - 20)) ++ max=$((65535 - 20)) + # Check invalid values first + for v in $((min - 1)) $((max + 1)); do + ${ns_a} ip link add vti4_a mtu ${v} type vti local ${veth4_a_addr} remote ${veth4_b_addr} key 10 2>/dev/null diff --git a/queue-4.18/series b/queue-4.18/series index e69de29bb2d..af4578d41e5 100644 --- a/queue-4.18/series +++ b/queue-4.18/series @@ -0,0 +1,77 @@ +rseq-selftests-fix-parametrized-test-with-fpie.patch +mac80211-run-txq-teardown-code-before-de-registering-interfaces.patch +mac80211_hwsim-require-at-least-one-channel.patch +btrfs-fix-unexpected-failure-of-nocow-buffered-writes-after-snapshotting-when-low-on-space.patch +kvm-ppc-book3s-hv-don-t-truncate-hpte-index-in-xlate-function.patch +cfg80211-remove-division-by-size-of-sizeof-struct-ieee80211_wmm_rule.patch +btrfs-btrfs_shrink_device-should-call-commit-transaction-at-the-end.patch +scsi-csiostor-add-a-check-for-null-pointer-after-kmalloc.patch +scsi-csiostor-fix-incorrect-port-capabilities.patch +scsi-libata-add-missing-newline-at-end-of-file.patch +scsi-aacraid-fix-a-signedness-bug.patch +bpf-sockmap-fix-potential-use-after-free-in-bpf_tcp_close.patch +bpf-sockmap-fix-psock-refcount-leak-in-bpf_tcp_recvmsg.patch +bpf-sockmap-decrement-copied-count-correctly-in-redirect-error-case.patch +mac80211-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch +mac80211_hwsim-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch +cfg80211-make-wmm_rule-part-of-the-reg_rule-structure.patch +mac80211_hwsim-fix-possible-spectre-v1-for-hwsim_world_regdom_custom.patch +nl80211-fix-nla_put_u8-to-u16-for-nl80211_wmmr_txop.patch +nl80211-pass-center-frequency-in-khz-instead-of-mhz.patch +bpf-fix-several-offset-tests-in-bpf_msg_pull_data.patch +gpio-adp5588-fix-sleep-in-atomic-context-bug.patch +mac80211-mesh-fix-hwmp-sequence-numbering-to-follow-standard.patch +mac80211-avoid-kernel-panic-when-building-amsdu-from-non-linear-skb.patch +gpiolib-acpi-switch-to-cansleep-version-of-gpio-library-call.patch +gpiolib-acpi-register-gpioint-acpi-event-handlers-from-a-late_initcall.patch +gpio-dwapb-fix-error-handling-in-dwapb_gpio_probe.patch +bpf-fix-msg-data-data_end-after-sg-shift-repair-in-bpf_msg_pull_data.patch +bpf-fix-shift-upon-scatterlist-ring-wrap-around-in-bpf_msg_pull_data.patch +bpf-fix-sg-shift-repair-start-offset-in-bpf_msg_pull_data.patch +tipc-switch-to-rhashtable-iterator.patch +net-hns-add-the-code-for-cleaning-pkt-in-chip.patch +net-hns-add-netif_carrier_off-before-change-speed-and-duplex.patch +sh_eth-add-r7s9210-support.patch +net-mvpp2-initialize-port-of_node-pointer.patch +tc-testing-add-test-cases-for-numeric-and-invalid-control-action.patch +cfg80211-nl80211_update_ft_ies-to-validate-nl80211_attr_ie.patch +mac80211-do-not-convert-to-a-msdu-if-frag-subframe-limited.patch +mac80211-always-account-for-a-msdu-header-changes.patch +tools-kvm_stat-fix-python3-issues.patch +tools-kvm_stat-fix-handling-of-invalid-paths-in-debugfs-provider.patch +tools-kvm_stat-fix-updates-for-dead-guests.patch +gpio-fix-crash-due-to-registration-race.patch +arc-atomics-unbork-atomic_fetch_-op.patch +revert-blk-throttle-fix-race-between-blkcg_bio_issue_check-and-cgroup_rmdir.patch +md-raid5-cache-disable-reshape-completely.patch +raid10-bug_on-in-raise_barrier-when-force-is-true-and-conf-barrier-is-0.patch +selftests-pmtu-maximum-mtu-for-vti4-is-2-16-1-20.patch +selftests-pmtu-detect-correct-binary-to-ping-ipv6-addresses.patch +ibmvnic-include-missing-return-code-checks-in-reset-function.patch +bpf-fix-bpf_msg_pull_data.patch +bpf-avoid-misuse-of-psock-when-tcp_ulp_bpf-collides-with-another-ulp.patch +net-ethernet-cpsw-phy-sel-prefer-phandle-for-phy-sel.patch +i2c-uniphier-issue-stop-only-for-last-message-or-i2c_m_stop.patch +i2c-uniphier-f-issue-stop-only-for-last-message-or-i2c_m_stop.patch +net-cadence-fix-a-sleep-in-atomic-context-bug-in-macb_halt_tx.patch +fs-cifs-don-t-translate-sfm_slash-u-f026-to-backslash.patch +mac80211-fix-an-off-by-one-issue-in-a-msdu-max_subframe-computation.patch +cfg80211-fix-a-type-issue-in-ieee80211_chandef_to_operating_class.patch +mac80211-fix-wmm-txop-calculation.patch +mac80211-fix-a-race-between-restart-and-csa-flows.patch +mac80211-fix-station-bandwidth-setting-after-channel-switch.patch +mac80211-don-t-tx-a-deauth-frame-if-the-ap-forbade-tx.patch +mac80211-shorten-the-ibss-debug-messages.patch +fsnotify-fix-ignore-mask-logic-in-fsnotify.patch +net-ibm-emac-wrong-emac_calc_base-call-was-used-by-typo.patch +nds32-fix-logic-for-module.patch +nds32-add-null-entry-to-the-end-of_device_id-array.patch +nds32-fix-empty-call-trace.patch +nds32-fix-get_user-put_user-macro-expand-pointer-problem.patch +nds32-fix-build-error-because-of-wrong-semicolon.patch +tools-vm-slabinfo.c-fix-sign-compare-warning.patch +tools-vm-page-types.c-fix-defined-but-not-used-warning.patch +nds32-linker-script-gcov-kernel-may-refers-data-in-__exit.patch +ceph-avoid-a-use-after-free-in-ceph_destroy_options.patch +firmware-arm_scmi-fix-divide-by-zero-when-sustained_perf_level-is-zero.patch +afs-fix-cell-specification-to-permit-an-empty-address-list.patch diff --git a/queue-4.18/sh_eth-add-r7s9210-support.patch b/queue-4.18/sh_eth-add-r7s9210-support.patch new file mode 100644 index 00000000000..aee371a6cbb --- /dev/null +++ b/queue-4.18/sh_eth-add-r7s9210-support.patch @@ -0,0 +1,83 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Chris Brandt +Date: Mon, 27 Aug 2018 12:42:02 -0500 +Subject: sh_eth: Add R7S9210 support + +From: Chris Brandt + +[ Upstream commit 6e0bb04d0e4f597d8d8f4f21401a9636f2809fd1 ] + +Add support for the R7S9210 which is part of the RZ/A2 series. + +Signed-off-by: Chris Brandt +Acked-by: Rob Herring +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/net/sh_eth.txt | 1 + drivers/net/ethernet/renesas/sh_eth.c | 36 +++++++++++++++++++++++ + 2 files changed, 37 insertions(+) + +--- a/Documentation/devicetree/bindings/net/sh_eth.txt ++++ b/Documentation/devicetree/bindings/net/sh_eth.txt +@@ -16,6 +16,7 @@ Required properties: + "renesas,ether-r8a7794" if the device is a part of R8A7794 SoC. + "renesas,gether-r8a77980" if the device is a part of R8A77980 SoC. + "renesas,ether-r7s72100" if the device is a part of R7S72100 SoC. ++ "renesas,ether-r7s9210" if the device is a part of R7S9210 SoC. + "renesas,rcar-gen1-ether" for a generic R-Car Gen1 device. + "renesas,rcar-gen2-ether" for a generic R-Car Gen2 or RZ/G1 + device. +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -807,6 +807,41 @@ static struct sh_eth_cpu_data r8a77980_d + .magic = 1, + .cexcr = 1, + }; ++ ++/* R7S9210 */ ++static struct sh_eth_cpu_data r7s9210_data = { ++ .soft_reset = sh_eth_soft_reset, ++ ++ .set_duplex = sh_eth_set_duplex, ++ .set_rate = sh_eth_set_rate_rcar, ++ ++ .register_type = SH_ETH_REG_FAST_SH4, ++ ++ .edtrr_trns = EDTRR_TRNS_ETHER, ++ .ecsr_value = ECSR_ICD, ++ .ecsipr_value = ECSIPR_ICDIP, ++ .eesipr_value = EESIPR_TWBIP | EESIPR_TABTIP | EESIPR_RABTIP | ++ EESIPR_RFCOFIP | EESIPR_ECIIP | EESIPR_FTCIP | ++ EESIPR_TDEIP | EESIPR_TFUFIP | EESIPR_FRIP | ++ EESIPR_RDEIP | EESIPR_RFOFIP | EESIPR_CNDIP | ++ EESIPR_DLCIP | EESIPR_CDIP | EESIPR_TROIP | ++ EESIPR_RMAFIP | EESIPR_RRFIP | EESIPR_RTLFIP | ++ EESIPR_RTSFIP | EESIPR_PREIP | EESIPR_CERFIP, ++ ++ .tx_check = EESR_FTC | EESR_CND | EESR_DLC | EESR_CD | EESR_TRO, ++ .eesr_err_check = EESR_TWB | EESR_TABT | EESR_RABT | EESR_RFE | ++ EESR_RDE | EESR_RFRMER | EESR_TFE | EESR_TDE, ++ ++ .fdr_value = 0x0000070f, ++ ++ .apr = 1, ++ .mpr = 1, ++ .tpauser = 1, ++ .hw_swap = 1, ++ .rpadir = 1, ++ .no_ade = 1, ++ .xdfar_rw = 1, ++}; + #endif /* CONFIG_OF */ + + static void sh_eth_set_rate_sh7724(struct net_device *ndev) +@@ -3131,6 +3166,7 @@ static const struct of_device_id sh_eth_ + { .compatible = "renesas,ether-r8a7794", .data = &rcar_gen2_data }, + { .compatible = "renesas,gether-r8a77980", .data = &r8a77980_data }, + { .compatible = "renesas,ether-r7s72100", .data = &r7s72100_data }, ++ { .compatible = "renesas,ether-r7s9210", .data = &r7s9210_data }, + { .compatible = "renesas,rcar-gen1-ether", .data = &rcar_gen1_data }, + { .compatible = "renesas,rcar-gen2-ether", .data = &rcar_gen2_data }, + { } diff --git a/queue-4.18/tc-testing-add-test-cases-for-numeric-and-invalid-control-action.patch b/queue-4.18/tc-testing-add-test-cases-for-numeric-and-invalid-control-action.patch new file mode 100644 index 00000000000..f557d933235 --- /dev/null +++ b/queue-4.18/tc-testing-add-test-cases-for-numeric-and-invalid-control-action.patch @@ -0,0 +1,79 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Paolo Abeni +Date: Wed, 29 Aug 2018 10:22:34 +0200 +Subject: tc-testing: add test-cases for numeric and invalid control action + +From: Paolo Abeni + +[ Upstream commit 25a8238f4cc8425d4aade4f9041be468d0e8aa2e ] + +Only the police action allows us to specify an arbitrary numeric value +for the control action. This change introduces an explicit test case +for the above feature and then leverage it for testing the kernel behavior +for invalid control actions (reject). + +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/tc-testing/tc-tests/actions/police.json | 48 ++++++++++ + 1 file changed, 48 insertions(+) + +--- a/tools/testing/selftests/tc-testing/tc-tests/actions/police.json ++++ b/tools/testing/selftests/tc-testing/tc-tests/actions/police.json +@@ -313,6 +313,54 @@ + ] + }, + { ++ "id": "6aaf", ++ "name": "Add police actions with conform-exceed control pass/pipe [with numeric values]", ++ "category": [ ++ "actions", ++ "police" ++ ], ++ "setup": [ ++ [ ++ "$TC actions flush action police", ++ 0, ++ 1, ++ 255 ++ ] ++ ], ++ "cmdUnderTest": "$TC actions add action police rate 3mbit burst 250k conform-exceed 0/3 index 1", ++ "expExitCode": "0", ++ "verifyCmd": "$TC actions get action police index 1", ++ "matchPattern": "action order [0-9]*: police 0x1 rate 3Mbit burst 250Kb mtu 2Kb action pass/pipe", ++ "matchCount": "1", ++ "teardown": [ ++ "$TC actions flush action police" ++ ] ++ }, ++ { ++ "id": "29b1", ++ "name": "Add police actions with conform-exceed control /drop", ++ "category": [ ++ "actions", ++ "police" ++ ], ++ "setup": [ ++ [ ++ "$TC actions flush action police", ++ 0, ++ 1, ++ 255 ++ ] ++ ], ++ "cmdUnderTest": "$TC actions add action police rate 3mbit burst 250k conform-exceed 10/drop index 1", ++ "expExitCode": "255", ++ "verifyCmd": "$TC actions ls action police", ++ "matchPattern": "action order [0-9]*: police 0x1 rate 3Mbit burst 250Kb mtu 2Kb action ", ++ "matchCount": "0", ++ "teardown": [ ++ "$TC actions flush action police" ++ ] ++ }, ++ { + "id": "c26f", + "name": "Add police action with invalid peakrate value", + "category": [ diff --git a/queue-4.18/tipc-switch-to-rhashtable-iterator.patch b/queue-4.18/tipc-switch-to-rhashtable-iterator.patch new file mode 100644 index 00000000000..7ce6847da32 --- /dev/null +++ b/queue-4.18/tipc-switch-to-rhashtable-iterator.patch @@ -0,0 +1,175 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Cong Wang +Date: Fri, 24 Aug 2018 12:28:06 -0700 +Subject: tipc: switch to rhashtable iterator + +From: Cong Wang + +[ Upstream commit 9a07efa9aea2f4a59f35da0785a4e6a6b5a96192 ] + +syzbot reported a use-after-free in tipc_group_fill_sock_diag(), +where tipc_group_fill_sock_diag() still reads tsk->group meanwhile +tipc_group_delete() just deletes it in tipc_release(). + +tipc_nl_sk_walk() aims to lock this sock when walking each sock +in the hash table to close race conditions with sock changes like +this one, by acquiring tsk->sk.sk_lock.slock spinlock, unfortunately +this doesn't work at all. All non-BH call path should take +lock_sock() instead to make it work. + +tipc_nl_sk_walk() brutally iterates with raw rht_for_each_entry_rcu() +where RCU read lock is required, this is the reason why lock_sock() +can't be taken on this path. This could be resolved by switching to +rhashtable iterator API's, where taking a sleepable lock is possible. +Also, the iterator API's are friendly for restartable calls like +diag dump, the last position is remembered behind the scence, +all we need to do here is saving the iterator into cb->args[]. + +I tested this with parallel tipc diag dump and thousands of tipc +socket creation and release, no crash or memory leak. + +Reported-by: syzbot+b9c8f3ab2994b7cd1625@syzkaller.appspotmail.com +Cc: Jon Maloy +Cc: Ying Xue +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/diag.c | 2 + + net/tipc/netlink.c | 2 + + net/tipc/socket.c | 76 ++++++++++++++++++++++++++++++++++------------------- + net/tipc/socket.h | 2 + + 4 files changed, 56 insertions(+), 26 deletions(-) + +--- a/net/tipc/diag.c ++++ b/net/tipc/diag.c +@@ -84,7 +84,9 @@ static int tipc_sock_diag_handler_dump(s + + if (h->nlmsg_flags & NLM_F_DUMP) { + struct netlink_dump_control c = { ++ .start = tipc_dump_start, + .dump = tipc_diag_dump, ++ .done = tipc_dump_done, + }; + netlink_dump_start(net->diag_nlsk, skb, h, &c); + return 0; +--- a/net/tipc/netlink.c ++++ b/net/tipc/netlink.c +@@ -167,7 +167,9 @@ static const struct genl_ops tipc_genl_v + }, + { + .cmd = TIPC_NL_SOCK_GET, ++ .start = tipc_dump_start, + .dumpit = tipc_nl_sk_dump, ++ .done = tipc_dump_done, + .policy = tipc_nl_policy, + }, + { +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -3233,45 +3233,69 @@ int tipc_nl_sk_walk(struct sk_buff *skb, + struct netlink_callback *cb, + struct tipc_sock *tsk)) + { +- struct net *net = sock_net(skb->sk); +- struct tipc_net *tn = tipc_net(net); +- const struct bucket_table *tbl; +- u32 prev_portid = cb->args[1]; +- u32 tbl_id = cb->args[0]; +- struct rhash_head *pos; ++ struct rhashtable_iter *iter = (void *)cb->args[0]; + struct tipc_sock *tsk; + int err; + +- rcu_read_lock(); +- tbl = rht_dereference_rcu((&tn->sk_rht)->tbl, &tn->sk_rht); +- for (; tbl_id < tbl->size; tbl_id++) { +- rht_for_each_entry_rcu(tsk, pos, tbl, tbl_id, node) { +- spin_lock_bh(&tsk->sk.sk_lock.slock); +- if (prev_portid && prev_portid != tsk->portid) { +- spin_unlock_bh(&tsk->sk.sk_lock.slock); ++ rhashtable_walk_start(iter); ++ while ((tsk = rhashtable_walk_next(iter)) != NULL) { ++ if (IS_ERR(tsk)) { ++ err = PTR_ERR(tsk); ++ if (err == -EAGAIN) { ++ err = 0; + continue; + } ++ break; ++ } + +- err = skb_handler(skb, cb, tsk); +- if (err) { +- prev_portid = tsk->portid; +- spin_unlock_bh(&tsk->sk.sk_lock.slock); +- goto out; +- } +- +- prev_portid = 0; +- spin_unlock_bh(&tsk->sk.sk_lock.slock); ++ sock_hold(&tsk->sk); ++ rhashtable_walk_stop(iter); ++ lock_sock(&tsk->sk); ++ err = skb_handler(skb, cb, tsk); ++ if (err) { ++ release_sock(&tsk->sk); ++ sock_put(&tsk->sk); ++ goto out; + } ++ release_sock(&tsk->sk); ++ rhashtable_walk_start(iter); ++ sock_put(&tsk->sk); + } ++ rhashtable_walk_stop(iter); + out: +- rcu_read_unlock(); +- cb->args[0] = tbl_id; +- cb->args[1] = prev_portid; +- + return skb->len; + } + EXPORT_SYMBOL(tipc_nl_sk_walk); + ++int tipc_dump_start(struct netlink_callback *cb) ++{ ++ struct rhashtable_iter *iter = (void *)cb->args[0]; ++ struct net *net = sock_net(cb->skb->sk); ++ struct tipc_net *tn = tipc_net(net); ++ ++ if (!iter) { ++ iter = kmalloc(sizeof(*iter), GFP_KERNEL); ++ if (!iter) ++ return -ENOMEM; ++ ++ cb->args[0] = (long)iter; ++ } ++ ++ rhashtable_walk_enter(&tn->sk_rht, iter); ++ return 0; ++} ++EXPORT_SYMBOL(tipc_dump_start); ++ ++int tipc_dump_done(struct netlink_callback *cb) ++{ ++ struct rhashtable_iter *hti = (void *)cb->args[0]; ++ ++ rhashtable_walk_exit(hti); ++ kfree(hti); ++ return 0; ++} ++EXPORT_SYMBOL(tipc_dump_done); ++ + int tipc_sk_fill_sock_diag(struct sk_buff *skb, struct netlink_callback *cb, + struct tipc_sock *tsk, u32 sk_filter_state, + u64 (*tipc_diag_gen_cookie)(struct sock *sk)) +--- a/net/tipc/socket.h ++++ b/net/tipc/socket.h +@@ -68,4 +68,6 @@ int tipc_nl_sk_walk(struct sk_buff *skb, + int (*skb_handler)(struct sk_buff *skb, + struct netlink_callback *cb, + struct tipc_sock *tsk)); ++int tipc_dump_start(struct netlink_callback *cb); ++int tipc_dump_done(struct netlink_callback *cb); + #endif diff --git a/queue-4.18/tools-kvm_stat-fix-handling-of-invalid-paths-in-debugfs-provider.patch b/queue-4.18/tools-kvm_stat-fix-handling-of-invalid-paths-in-debugfs-provider.patch new file mode 100644 index 00000000000..693c628d762 --- /dev/null +++ b/queue-4.18/tools-kvm_stat-fix-handling-of-invalid-paths-in-debugfs-provider.patch @@ -0,0 +1,70 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Stefan Raspl +Date: Fri, 24 Aug 2018 14:03:56 +0200 +Subject: tools/kvm_stat: fix handling of invalid paths in debugfs provider + +From: Stefan Raspl + +[ Upstream commit 617c66b9f236d20f11cecbb3f45e6d5675b2fae1 ] + +When filtering by guest, kvm_stat displays garbage when the guest is +destroyed - see sample output below. +We add code to remove the invalid paths from the providers, so at least +no more garbage is displayed. +Here's a sample output to illustrate: + + kvm statistics - pid 13986 (foo) + + Event Total %Total CurAvg/s + diagnose_258 -2 0.0 0 + deliver_program_interruption -3 0.0 0 + diagnose_308 -4 0.0 0 + halt_poll_invalid -91 0.0 -6 + deliver_service_signal -244 0.0 -16 + halt_successful_poll -250 0.1 -17 + exit_pei -285 0.1 -19 + exit_external_request -312 0.1 -21 + diagnose_9c -328 0.1 -22 + userspace_handled -713 0.1 -47 + halt_attempted_poll -939 0.2 -62 + deliver_emergency_signal -3126 0.6 -208 + halt_wakeup -7199 1.5 -481 + exit_wait_state -7379 1.5 -493 + diagnose_500 -56499 11.5 -3757 + exit_null -85491 17.4 -5685 + diagnose_44 -133300 27.1 -8874 + exit_instruction -195898 39.8 -13037 + Total -492063 + +Signed-off-by: Stefan Raspl +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/kvm/kvm_stat/kvm_stat | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/tools/kvm/kvm_stat/kvm_stat ++++ b/tools/kvm/kvm_stat/kvm_stat +@@ -766,6 +766,13 @@ class DebugfsProvider(Provider): + self.do_read = True + self.reset() + ++ def _verify_paths(self): ++ """Remove invalid paths""" ++ for path in self.paths: ++ if not os.path.exists(os.path.join(PATH_DEBUGFS_KVM, path)): ++ self.paths.remove(path) ++ continue ++ + def read(self, reset=0, by_guest=0): + """Returns a dict with format:'file name / field -> current value'. + +@@ -780,6 +787,7 @@ class DebugfsProvider(Provider): + # If no debugfs filtering support is available, then don't read. + if not self.do_read: + return results ++ self._verify_paths() + + paths = self.paths + if self._pid == 0: diff --git a/queue-4.18/tools-kvm_stat-fix-python3-issues.patch b/queue-4.18/tools-kvm_stat-fix-python3-issues.patch new file mode 100644 index 00000000000..7f8491a54a3 --- /dev/null +++ b/queue-4.18/tools-kvm_stat-fix-python3-issues.patch @@ -0,0 +1,47 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Stefan Raspl +Date: Fri, 24 Aug 2018 14:03:55 +0200 +Subject: tools/kvm_stat: fix python3 issues + +From: Stefan Raspl + +[ Upstream commit 58f33cfe73076b6497bada4f7b5bda961ed68083 ] + +Python3 returns a float for a regular division - switch to a division +operator that returns an integer. +Furthermore, filters return a generator object instead of the actual +list - wrap result in yet another list, which makes it still work in +both, Python2 and 3. + +Signed-off-by: Stefan Raspl +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/kvm/kvm_stat/kvm_stat | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/tools/kvm/kvm_stat/kvm_stat ++++ b/tools/kvm/kvm_stat/kvm_stat +@@ -759,7 +759,7 @@ class DebugfsProvider(Provider): + if len(vms) == 0: + self.do_read = False + +- self.paths = filter(lambda x: "{}-".format(pid) in x, vms) ++ self.paths = list(filter(lambda x: "{}-".format(pid) in x, vms)) + + else: + self.paths = [] +@@ -1219,10 +1219,10 @@ class Tui(object): + (x, term_width) = self.screen.getmaxyx() + row = 2 + for line in text: +- start = (term_width - len(line)) / 2 ++ start = (term_width - len(line)) // 2 + self.screen.addstr(row, start, line) + row += 1 +- self.screen.addstr(row + 1, (term_width - len(hint)) / 2, hint, ++ self.screen.addstr(row + 1, (term_width - len(hint)) // 2, hint, + curses.A_STANDOUT) + self.screen.getkey() + diff --git a/queue-4.18/tools-kvm_stat-fix-updates-for-dead-guests.patch b/queue-4.18/tools-kvm_stat-fix-updates-for-dead-guests.patch new file mode 100644 index 00000000000..2b0c01b3db5 --- /dev/null +++ b/queue-4.18/tools-kvm_stat-fix-updates-for-dead-guests.patch @@ -0,0 +1,57 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Stefan Raspl +Date: Fri, 24 Aug 2018 14:03:57 +0200 +Subject: tools/kvm_stat: fix updates for dead guests + +From: Stefan Raspl + +[ Upstream commit 710ab11ad9329d2d4b044405e328c994b19a2aa9 ] + +With pid filtering active, when a guest is removed e.g. via virsh shutdown, +successive updates produce garbage. +Therefore, we add code to detect this case and prevent further body updates. +Note that when displaying the help dialog via 'h' in this case, once we exit +we're stuck with the 'Collecting data...' message till we remove the filter. + +Signed-off-by: Stefan Raspl +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/kvm/kvm_stat/kvm_stat | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/tools/kvm/kvm_stat/kvm_stat ++++ b/tools/kvm/kvm_stat/kvm_stat +@@ -1170,6 +1170,9 @@ class Tui(object): + + return sorted_items + ++ if not self._is_running_guest(self.stats.pid_filter): ++ # leave final data on screen ++ return + row = 3 + self.screen.move(row, 0) + self.screen.clrtobot() +@@ -1327,6 +1330,12 @@ class Tui(object): + msg = '"' + str(val) + '": Invalid value' + self._refresh_header() + ++ def _is_running_guest(self, pid): ++ """Check if pid is still a running process.""" ++ if not pid: ++ return True ++ return os.path.isdir(os.path.join('/proc/', str(pid))) ++ + def _show_vm_selection_by_guest(self): + """Draws guest selection mask. + +@@ -1354,7 +1363,7 @@ class Tui(object): + if not guest or guest == '0': + break + if guest.isdigit(): +- if not os.path.isdir(os.path.join('/proc/', guest)): ++ if not self._is_running_guest(guest): + msg = '"' + guest + '": Not a running process' + continue + pid = int(guest) diff --git a/queue-4.18/tools-vm-page-types.c-fix-defined-but-not-used-warning.patch b/queue-4.18/tools-vm-page-types.c-fix-defined-but-not-used-warning.patch new file mode 100644 index 00000000000..12085683960 --- /dev/null +++ b/queue-4.18/tools-vm-page-types.c-fix-defined-but-not-used-warning.patch @@ -0,0 +1,38 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Naoya Horiguchi +Date: Tue, 4 Sep 2018 15:45:51 -0700 +Subject: tools/vm/page-types.c: fix "defined but not used" warning + +From: Naoya Horiguchi + +[ Upstream commit 7ab660f8baecfe26c1c267fa8e64d2073feae2bb ] + +debugfs_known_mountpoints[] is not used any more, so let's remove it. + +Link: http://lkml.kernel.org/r/1535102651-19418-1-git-send-email-n-horiguchi@ah.jp.nec.com +Signed-off-by: Naoya Horiguchi +Reviewed-by: Andrew Morton +Cc: Matthew Wilcox +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/vm/page-types.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/tools/vm/page-types.c ++++ b/tools/vm/page-types.c +@@ -156,12 +156,6 @@ static const char * const page_flag_name + }; + + +-static const char * const debugfs_known_mountpoints[] = { +- "/sys/kernel/debug", +- "/debug", +- 0, +-}; +- + /* + * data structures + */ diff --git a/queue-4.18/tools-vm-slabinfo.c-fix-sign-compare-warning.patch b/queue-4.18/tools-vm-slabinfo.c-fix-sign-compare-warning.patch new file mode 100644 index 00000000000..fb5c565e5c3 --- /dev/null +++ b/queue-4.18/tools-vm-slabinfo.c-fix-sign-compare-warning.patch @@ -0,0 +1,46 @@ +From foo@baz Thu Oct 4 12:32:08 PDT 2018 +From: Naoya Horiguchi +Date: Tue, 4 Sep 2018 15:45:48 -0700 +Subject: tools/vm/slabinfo.c: fix sign-compare warning + +From: Naoya Horiguchi + +[ Upstream commit 904506562e0856f2535d876407d087c9459d345b ] + +Currently we get the following compiler warning: + + slabinfo.c:854:22: warning: comparison between signed and unsigned integer expressions [-Wsign-compare] + if (s->object_size < min_objsize) + ^ + +due to the mismatch of signed/unsigned comparison. ->object_size and +->slab_size are never expected to be negative, so let's define them as +unsigned int. + +[n-horiguchi@ah.jp.nec.com: convert everything - none of these can be negative] + Link: http://lkml.kernel.org/r/20180826234947.GA9787@hori1.linux.bs1.fc.nec.co.jp +Link: http://lkml.kernel.org/r/1535103134-20239-1-git-send-email-n-horiguchi@ah.jp.nec.com +Signed-off-by: Naoya Horiguchi +Reviewed-by: Andrew Morton +Cc: Matthew Wilcox +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/vm/slabinfo.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/vm/slabinfo.c ++++ b/tools/vm/slabinfo.c +@@ -30,8 +30,8 @@ struct slabinfo { + int alias; + int refs; + int aliases, align, cache_dma, cpu_slabs, destroy_by_rcu; +- int hwcache_align, object_size, objs_per_slab; +- int sanity_checks, slab_size, store_user, trace; ++ unsigned int hwcache_align, object_size, objs_per_slab; ++ unsigned int sanity_checks, slab_size, store_user, trace; + int order, poison, reclaim_account, red_zone; + unsigned long partial, objects, slabs, objects_partial, objects_total; + unsigned long alloc_fastpath, alloc_slowpath;