From: Sasha Levin Date: Tue, 30 Oct 2018 13:15:53 +0000 (-0400) Subject: 4.4-stable patches X-Git-Tag: v4.19.1~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3b87cf1e6fd760a9371a038c61946e783867ca44;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/aacraid-start-adapter-after-updating-number-of-msix-.patch b/queue-4.4/aacraid-start-adapter-after-updating-number-of-msix-.patch new file mode 100644 index 00000000000..3288ac0eae0 --- /dev/null +++ b/queue-4.4/aacraid-start-adapter-after-updating-number-of-msix-.patch @@ -0,0 +1,36 @@ +From 32fc41a2a2ad57626a67dba214b2fb16c980c3b7 Mon Sep 17 00:00:00 2001 +From: Raghava Aditya Renukunta +Date: Mon, 25 Apr 2016 23:31:12 -0700 +Subject: aacraid: Start adapter after updating number of MSIX vectors + +[ Upstream commit 116d77fea02e2a5aded7d29ba4c692774cb339f1 ] + +The adapter has to be started after updating the number of MSIX Vectors + +Fixes: ecc479e00db8 (aacraid: Set correct MSIX count for EEH recovery) +Cc: stable@vger.kernel.org +Signed-off-by: Raghava Aditya Renukunta +Reviewed-by: Johannes Thumshirn +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/aacraid/linit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c +index 8da8b46da722..1c447405ebbf 100644 +--- a/drivers/scsi/aacraid/linit.c ++++ b/drivers/scsi/aacraid/linit.c +@@ -1416,8 +1416,8 @@ static int aac_acquire_resources(struct aac_dev *dev) + /* After EEH recovery or suspend resume, max_msix count + * may change, therfore updating in init as well. + */ +- aac_adapter_start(dev); + dev->init->Sa_MSIXVectors = cpu_to_le32(dev->max_msix); ++ aac_adapter_start(dev); + } + return 0; + +-- +2.17.1 + diff --git a/queue-4.4/af_iucv-move-sockaddr-length-checks-to-before-access.patch b/queue-4.4/af_iucv-move-sockaddr-length-checks-to-before-access.patch new file mode 100644 index 00000000000..c6d2f1b2708 --- /dev/null +++ b/queue-4.4/af_iucv-move-sockaddr-length-checks-to-before-access.patch @@ -0,0 +1,54 @@ +From eb276dba21e1b88443a7b105190a39f026725eb6 Mon Sep 17 00:00:00 2001 +From: Mateusz Jurczyk +Date: Fri, 23 Jun 2017 19:32:28 +0200 +Subject: af_iucv: Move sockaddr length checks to before accessing sa_family in + bind and connect handlers + +[ Upstream commit e3c42b61ff813921ba58cfc0019e3fd63f651190 ] + +Verify that the caller-provided sockaddr structure is large enough to +contain the sa_family field, before accessing it in bind() and connect() +handlers of the AF_IUCV socket. Since neither syscall enforces a minimum +size of the corresponding memory region, very short sockaddrs (zero or +one byte long) result in operating on uninitialized memory while +referencing .sa_family. + +Fixes: 52a82e23b9f2 ("af_iucv: Validate socket address length in iucv_sock_bind()") +Signed-off-by: Mateusz Jurczyk +[jwi: removed unneeded null-check for addr] +Signed-off-by: Julian Wiedmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/iucv/af_iucv.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c +index aeffb65181f5..5984cc35d508 100644 +--- a/net/iucv/af_iucv.c ++++ b/net/iucv/af_iucv.c +@@ -705,10 +705,8 @@ static int iucv_sock_bind(struct socket *sock, struct sockaddr *addr, + char uid[9]; + + /* Verify the input sockaddr */ +- if (!addr || addr->sa_family != AF_IUCV) +- return -EINVAL; +- +- if (addr_len < sizeof(struct sockaddr_iucv)) ++ if (addr_len < sizeof(struct sockaddr_iucv) || ++ addr->sa_family != AF_IUCV) + return -EINVAL; + + lock_sock(sk); +@@ -852,7 +850,7 @@ static int iucv_sock_connect(struct socket *sock, struct sockaddr *addr, + struct iucv_sock *iucv = iucv_sk(sk); + int err; + +- if (addr->sa_family != AF_IUCV || alen < sizeof(struct sockaddr_iucv)) ++ if (alen < sizeof(struct sockaddr_iucv) || addr->sa_family != AF_IUCV) + return -EINVAL; + + if (sk->sk_state != IUCV_OPEN && sk->sk_state != IUCV_BOUND) +-- +2.17.1 + diff --git a/queue-4.4/alsa-timer-fix-zero-division-by-continue-of-uninitia.patch b/queue-4.4/alsa-timer-fix-zero-division-by-continue-of-uninitia.patch new file mode 100644 index 00000000000..10994286977 --- /dev/null +++ b/queue-4.4/alsa-timer-fix-zero-division-by-continue-of-uninitia.patch @@ -0,0 +1,95 @@ +From f8cb3a797c3d230b27f2a7f282f211357d03fd8c Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 7 Sep 2016 15:45:31 +0200 +Subject: ALSA: timer: Fix zero-division by continue of uninitialized instance + +[ Upstream commit 9f8a7658bcafb2a7853f7a2eae8a94e87e6e695b ] + +When a user timer instance is continued without the explicit start +beforehand, the system gets eventually zero-division error like: + + divide error: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN + CPU: 1 PID: 27320 Comm: syz-executor Not tainted 4.8.0-rc3-next-20160825+ #8 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + task: ffff88003c9b2280 task.stack: ffff880027280000 + RIP: 0010:[] [< inline >] ktime_divns include/linux/ktime.h:195 + RIP: 0010:[] [] snd_hrtimer_callback+0x1bc/0x3c0 sound/core/hrtimer.c:62 + Call Trace: + + [< inline >] __run_hrtimer kernel/time/hrtimer.c:1238 + [] __hrtimer_run_queues+0x325/0xe70 kernel/time/hrtimer.c:1302 + [] hrtimer_interrupt+0x18b/0x420 kernel/time/hrtimer.c:1336 + [] local_apic_timer_interrupt+0x6f/0xe0 arch/x86/kernel/apic/apic.c:933 + [] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:957 + [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:487 + + ..... + +Although a similar issue was spotted and a fix patch was merged in +commit [6b760bb2c63a: ALSA: timer: fix division by zero after +SNDRV_TIMER_IOCTL_CONTINUE], it seems covering only a part of +iceberg. + +In this patch, we fix the issue a bit more drastically. Basically the +continue of an uninitialized timer is supposed to be a fresh start, so +we do it for user timers. For the direct snd_timer_continue() call, +there is no way to pass the initial tick value, so we kick out for the +uninitialized case. + +Reported-by: Dmitry Vyukov +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/timer.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/sound/core/timer.c b/sound/core/timer.c +index ef850a99d64a..f989adb98a22 100644 +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -35,6 +35,9 @@ + #include + #include + ++/* internal flags */ ++#define SNDRV_TIMER_IFLG_PAUSED 0x00010000 ++ + #if IS_ENABLED(CONFIG_SND_HRTIMER) + #define DEFAULT_TIMER_LIMIT 4 + #elif IS_ENABLED(CONFIG_SND_RTCTIMER) +@@ -547,6 +550,10 @@ static int snd_timer_stop1(struct snd_timer_instance *timeri, bool stop) + } + } + timeri->flags &= ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START); ++ if (stop) ++ timeri->flags &= ~SNDRV_TIMER_IFLG_PAUSED; ++ else ++ timeri->flags |= SNDRV_TIMER_IFLG_PAUSED; + snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP : + SNDRV_TIMER_EVENT_PAUSE); + unlock: +@@ -608,6 +615,10 @@ int snd_timer_stop(struct snd_timer_instance *timeri) + */ + int snd_timer_continue(struct snd_timer_instance *timeri) + { ++ /* timer can continue only after pause */ ++ if (!(timeri->flags & SNDRV_TIMER_IFLG_PAUSED)) ++ return -EINVAL; ++ + if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) + return snd_timer_start_slave(timeri, false); + else +@@ -1837,6 +1848,9 @@ static int snd_timer_user_continue(struct file *file) + tu = file->private_data; + if (!tu->timeri) + return -EBADFD; ++ /* start timer instead of continue if it's not used before */ ++ if (!(tu->timeri->flags & SNDRV_TIMER_IFLG_PAUSED)) ++ return snd_timer_user_start(file); + tu->timeri->lost = 0; + return (err = snd_timer_continue(tu->timeri)) < 0 ? err : 0; + } +-- +2.17.1 + diff --git a/queue-4.4/arm-8799-1-mm-fix-pci_ioremap_io-offset-check.patch b/queue-4.4/arm-8799-1-mm-fix-pci_ioremap_io-offset-check.patch new file mode 100644 index 00000000000..84862422277 --- /dev/null +++ b/queue-4.4/arm-8799-1-mm-fix-pci_ioremap_io-offset-check.patch @@ -0,0 +1,45 @@ +From 49459d40b57de001f56bc58246857b69226d9888 Mon Sep 17 00:00:00 2001 +From: Thomas Petazzoni +Date: Thu, 13 Sep 2018 16:48:08 +0100 +Subject: ARM: 8799/1: mm: fix pci_ioremap_io() offset check + +[ Upstream commit 3a58ac65e2d7969bcdf1b6acb70fa4d12a88e53e ] + +IO_SPACE_LIMIT is the ending address of the PCI IO space, i.e +something like 0xfffff (and not 0x100000). + +Therefore, when offset = 0xf0000 is passed as argument, this function +fails even though the offset + SZ_64K fits below the +IO_SPACE_LIMIT. This makes the last chunk of 64 KB of the I/O space +not usable as it cannot be mapped. + +This patch fixes that by substracing 1 to offset + SZ_64K, so that we +compare the addrss of the last byte of the I/O space against +IO_SPACE_LIMIT instead of the address of the first byte of what is +after the I/O space. + +Fixes: c2794437091a4 ("ARM: Add fixed PCI i/o mapping") +Signed-off-by: Thomas Petazzoni +Acked-by: Nicolas Pitre +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/mm/ioremap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mm/ioremap.c b/arch/arm/mm/ioremap.c +index 0c81056c1dd7..2a3feb73de0b 100644 +--- a/arch/arm/mm/ioremap.c ++++ b/arch/arm/mm/ioremap.c +@@ -460,7 +460,7 @@ void pci_ioremap_set_mem_type(int mem_type) + + int pci_ioremap_io(unsigned int offset, phys_addr_t phys_addr) + { +- BUG_ON(offset + SZ_64K > IO_SPACE_LIMIT); ++ BUG_ON(offset + SZ_64K - 1 > IO_SPACE_LIMIT); + + return ioremap_page_range(PCI_IO_VIRT_BASE + offset, + PCI_IO_VIRT_BASE + offset + SZ_64K, +-- +2.17.1 + diff --git a/queue-4.4/arm-dts-apq8064-add-ahci-ports-implemented-mask.patch b/queue-4.4/arm-dts-apq8064-add-ahci-ports-implemented-mask.patch new file mode 100644 index 00000000000..4837547aca7 --- /dev/null +++ b/queue-4.4/arm-dts-apq8064-add-ahci-ports-implemented-mask.patch @@ -0,0 +1,46 @@ +From 08a5045596be1a65b1b5ba2cd34f71d8e7bb6c15 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Fri, 1 Apr 2016 08:52:58 +0100 +Subject: ARM: dts: apq8064: add ahci ports-implemented mask + +[ Upstream commit bb4add2ce991e4ec891b5a0287fd1ab77b631979 ] + +This patch adds new ports-implemented mask, which is required to get +achi working on the mainline. Without this patch value read from +PORTS_IMPL register which is zero would not enable any ports for +software to use. + +Fixes: 566d1827df2e ("libata: disable forced PORTS_IMPL for >= AHCI 1.3") +Cc: stable@vger.kernel.org # v4.5+ +Signed-off-by: Srinivas Kandagatla +Reviewed-by: Andy Gross +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/qcom-apq8064.dtsi | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom-apq8064.dtsi +index e00d50ef678f..3ff5ea16ebb3 100644 +--- a/arch/arm/boot/dts/qcom-apq8064.dtsi ++++ b/arch/arm/boot/dts/qcom-apq8064.dtsi +@@ -577,7 +577,7 @@ + }; + + sata0: sata@29000000 { +- compatible = "generic-ahci"; ++ compatible = "qcom,apq8064-ahci", "generic-ahci"; + status = "disabled"; + reg = <0x29000000 0x180>; + interrupts = ; +@@ -599,6 +599,7 @@ + + phys = <&sata_phy0>; + phy-names = "sata-phy"; ++ ports-implemented = <0x1>; + }; + + /* Temporary fixed regulator */ +-- +2.17.1 + diff --git a/queue-4.4/arm-dts-imx53-qsb-disable-1.2ghz-opp.patch b/queue-4.4/arm-dts-imx53-qsb-disable-1.2ghz-opp.patch new file mode 100644 index 00000000000..262c8a5bc90 --- /dev/null +++ b/queue-4.4/arm-dts-imx53-qsb-disable-1.2ghz-opp.patch @@ -0,0 +1,46 @@ +From b81dea33984d21ff82f2156e81519e60da605d2a Mon Sep 17 00:00:00 2001 +From: Sascha Hauer +Date: Wed, 12 Sep 2018 08:23:01 +0200 +Subject: ARM: dts: imx53-qsb: disable 1.2GHz OPP + +[ Upstream commit eea96566c189c77e5272585984eb2729881a2f1d ] + +The maximum CPU frequency for the i.MX53 QSB is 1GHz, so disable the +1.2GHz OPP. This makes the board work again with configs that have +cpufreq enabled like imx_v6_v7_defconfig on which the board stopped +working with the addition of cpufreq-dt support. + +Fixes: 791f416608 ("ARM: dts: imx53: add cpufreq-dt support") + +Signed-off-by: Sascha Hauer +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx53-qsb-common.dtsi | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/arch/arm/boot/dts/imx53-qsb-common.dtsi b/arch/arm/boot/dts/imx53-qsb-common.dtsi +index 53fd75c8ffcf..47894b41e4e2 100644 +--- a/arch/arm/boot/dts/imx53-qsb-common.dtsi ++++ b/arch/arm/boot/dts/imx53-qsb-common.dtsi +@@ -130,6 +130,17 @@ + }; + }; + ++&cpu0 { ++ /* CPU rated to 1GHz, not 1.2GHz as per the default settings */ ++ operating-points = < ++ /* kHz uV */ ++ 166666 850000 ++ 400000 900000 ++ 800000 1050000 ++ 1000000 1200000 ++ >; ++}; ++ + &esdhc1 { + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_esdhc1>; +-- +2.17.1 + diff --git a/queue-4.4/arm64-fix-potential-race-with-hardware-dbm-in-ptep_s.patch b/queue-4.4/arm64-fix-potential-race-with-hardware-dbm-in-ptep_s.patch new file mode 100644 index 00000000000..ec302106822 --- /dev/null +++ b/queue-4.4/arm64-fix-potential-race-with-hardware-dbm-in-ptep_s.patch @@ -0,0 +1,81 @@ +From 0c13f045866185fd711a70da53f0bd7c184245f4 Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Tue, 25 Jul 2017 14:53:03 +0100 +Subject: arm64: Fix potential race with hardware DBM in + ptep_set_access_flags() + +[ Upstream commit 6d332747fa5f0a6843b56b5b129168ba909336d1 ] + +In a system with DBM (dirty bit management) capable agents there is a +possible race between a CPU executing ptep_set_access_flags() (maybe +non-DBM capable) and a hardware update of the dirty state (clearing of +PTE_RDONLY). The scenario: + +a) the pte is writable (PTE_WRITE set), clean (PTE_RDONLY set) and old + (PTE_AF clear) +b) ptep_set_access_flags() is called as a result of a read access and it + needs to set the pte to writable, clean and young (PTE_AF set) +c) a DBM-capable agent, as a result of a different write access, is + marking the entry as young (setting PTE_AF) and dirty (clearing + PTE_RDONLY) + +The current ptep_set_access_flags() implementation would set the +PTE_RDONLY bit in the resulting value overriding the DBM update and +losing the dirty state. + +This patch fixes such race by setting PTE_RDONLY to the most permissive +(lowest value) of the current entry and the new one. + +Fixes: 66dbd6e61a52 ("arm64: Implement ptep_set_access_flags() for hardware AF/DBM") +Cc: Will Deacon +Acked-by: Mark Rutland +Acked-by: Steve Capper +Signed-off-by: Catalin Marinas +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/mm/fault.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c +index 86485415c5f0..be7f8416809f 100644 +--- a/arch/arm64/mm/fault.c ++++ b/arch/arm64/mm/fault.c +@@ -107,26 +107,27 @@ int ptep_set_access_flags(struct vm_area_struct *vma, + /* only preserve the access flags and write permission */ + pte_val(entry) &= PTE_AF | PTE_WRITE | PTE_DIRTY; + +- /* +- * PTE_RDONLY is cleared by default in the asm below, so set it in +- * back if necessary (read-only or clean PTE). +- */ ++ /* set PTE_RDONLY if actual read-only or clean PTE */ + if (!pte_write(entry) || !pte_sw_dirty(entry)) + pte_val(entry) |= PTE_RDONLY; + + /* + * Setting the flags must be done atomically to avoid racing with the +- * hardware update of the access/dirty state. ++ * hardware update of the access/dirty state. The PTE_RDONLY bit must ++ * be set to the most permissive (lowest value) of *ptep and entry ++ * (calculated as: a & b == ~(~a | ~b)). + */ ++ pte_val(entry) ^= PTE_RDONLY; + asm volatile("// ptep_set_access_flags\n" + " prfm pstl1strm, %2\n" + "1: ldxr %0, %2\n" +- " and %0, %0, %3 // clear PTE_RDONLY\n" ++ " eor %0, %0, %3 // negate PTE_RDONLY in *ptep\n" + " orr %0, %0, %4 // set flags\n" ++ " eor %0, %0, %3 // negate final PTE_RDONLY\n" + " stxr %w1, %0, %2\n" + " cbnz %w1, 1b\n" + : "=&r" (old_pteval), "=&r" (tmp), "+Q" (pte_val(*ptep)) +- : "L" (~PTE_RDONLY), "r" (pte_val(entry))); ++ : "L" (PTE_RDONLY), "r" (pte_val(entry))); + + flush_tlb_fix_spurious_fault(vma, address); + return 1; +-- +2.17.1 + diff --git a/queue-4.4/asix-check-for-supported-wake-on-lan-modes.patch b/queue-4.4/asix-check-for-supported-wake-on-lan-modes.patch new file mode 100644 index 00000000000..ba5eb6a9a7b --- /dev/null +++ b/queue-4.4/asix-check-for-supported-wake-on-lan-modes.patch @@ -0,0 +1,36 @@ +From 244b9e8bfa667598ce986a21f73199958d631c4c Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 28 Sep 2018 16:18:50 -0700 +Subject: asix: Check for supported Wake-on-LAN modes + +[ Upstream commit c4ce446e33d7a0e978256ac6fea4c80e59d9de5f ] + +The driver currently silently accepts unsupported Wake-on-LAN modes +(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user, +which is confusing. + +Fixes: 2e55cc7210fe ("[PATCH] USB: usbnet (3/9) module for ASIX Ethernet adapters") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/asix_common.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c +index 7fbd8f044207..2092ef6431f2 100644 +--- a/drivers/net/usb/asix_common.c ++++ b/drivers/net/usb/asix_common.c +@@ -449,6 +449,9 @@ int asix_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo) + struct usbnet *dev = netdev_priv(net); + u8 opt = 0; + ++ if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC)) ++ return -EINVAL; ++ + if (wolinfo->wolopts & WAKE_PHY) + opt |= AX_MONITOR_LINK; + if (wolinfo->wolopts & WAKE_MAGIC) +-- +2.17.1 + diff --git a/queue-4.4/asoc-ak4613-enable-cache-usage-to-fix-crashes-on-res.patch b/queue-4.4/asoc-ak4613-enable-cache-usage-to-fix-crashes-on-res.patch new file mode 100644 index 00000000000..ce5a3de7267 --- /dev/null +++ b/queue-4.4/asoc-ak4613-enable-cache-usage-to-fix-crashes-on-res.patch @@ -0,0 +1,44 @@ +From 3e5b79aad979a7a026e9a0de8353e0aaabf56bc8 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Thu, 16 Jun 2016 14:34:30 +0200 +Subject: ASoC: ak4613: Enable cache usage to fix crashes on resume + +[ Upstream commit dcd2d1f78664fdc75eadaaf65257834e24383d01 ] + +During system resume: + + kernel BUG at drivers/base/regmap/regcache.c:347! + ... + PC is at regcache_sync+0x1c/0x128 + LR is at ak4613_resume+0x28/0x34 + +The ak4613 driver is using a regmap cache sync to restore the +configuration of the chip on resume but does not actually define a +register cache which means that the resume is never going to work and we +trigger asserts in regmap. Fix this by enabling caching. + +Based on commit d3030d11961a8c10 ("ASoC: ak4642: Enable cache usage to +fix crashes on resume") by Mark Brown . + +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/ak4613.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/codecs/ak4613.c b/sound/soc/codecs/ak4613.c +index 07a266460ec3..b4b36cc92ffe 100644 +--- a/sound/soc/codecs/ak4613.c ++++ b/sound/soc/codecs/ak4613.c +@@ -143,6 +143,7 @@ static const struct regmap_config ak4613_regmap_cfg = { + .max_register = 0x16, + .reg_defaults = ak4613_reg, + .num_reg_defaults = ARRAY_SIZE(ak4613_reg), ++ .cache_type = REGCACHE_RBTREE, + }; + + static const struct of_device_id ak4613_of_match[] = { +-- +2.17.1 + diff --git a/queue-4.4/asoc-spear-fix-error-return-code-in-spdif_in_probe.patch b/queue-4.4/asoc-spear-fix-error-return-code-in-spdif_in_probe.patch new file mode 100644 index 00000000000..28a12d7f091 --- /dev/null +++ b/queue-4.4/asoc-spear-fix-error-return-code-in-spdif_in_probe.patch @@ -0,0 +1,44 @@ +From 74e636af2f762d1f4b62cb2fcfa1ab18fbd17db1 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Fri, 30 Jun 2017 15:43:50 -0500 +Subject: ASoC: spear: fix error return code in spdif_in_probe() + +[ Upstream commit 27d30400c448264c1ac9434cb836de0c230af213 ] + +platform_get_irq() returns an error code, but the spdif_in driver +ignores it and always returns -EINVAL. This is not correct, and +prevents -EPROBE_DEFER from being propagated properly. + +Notice that platform_get_irq() no longer returns 0 on error: +https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af + +Print error message and propagate the return value of platform_get_irq +on failure. + +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/spear/spdif_in.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/spear/spdif_in.c b/sound/soc/spear/spdif_in.c +index 977a078eb92f..7f32527fc3c8 100644 +--- a/sound/soc/spear/spdif_in.c ++++ b/sound/soc/spear/spdif_in.c +@@ -223,8 +223,10 @@ static int spdif_in_probe(struct platform_device *pdev) + + host->io_base = io_base; + host->irq = platform_get_irq(pdev, 0); +- if (host->irq < 0) +- return -EINVAL; ++ if (host->irq < 0) { ++ dev_warn(&pdev->dev, "failed to get IRQ: %d\n", host->irq); ++ return host->irq; ++ } + + host->clk = devm_clk_get(&pdev->dev, NULL); + if (IS_ERR(host->clk)) +-- +2.17.1 + diff --git a/queue-4.4/asoc-wm8940-enable-cache-usage-to-fix-crashes-on-res.patch b/queue-4.4/asoc-wm8940-enable-cache-usage-to-fix-crashes-on-res.patch new file mode 100644 index 00000000000..4c68afdb8af --- /dev/null +++ b/queue-4.4/asoc-wm8940-enable-cache-usage-to-fix-crashes-on-res.patch @@ -0,0 +1,39 @@ +From 9d3e49967c1cedde2f55d7774547edb5ed7cebac Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Thu, 16 Jun 2016 14:34:32 +0200 +Subject: ASoC: wm8940: Enable cache usage to fix crashes on resume + +[ Upstream commit 50c7a0ef2d97e56c7ce2f1ea5fe1d8e25aadc1bb ] + +The wm8940 driver is using a regmap cache sync to restore the +configuration of the chip when switching from OFF to STANDBY, but does +not actually define a register cache which means that the restore is +never going to work and we trigger asserts in regmap. Fix this by +enabling caching. + +Based on commit d3030d11961a8c10 ("ASoC: ak4642: Enable cache usage to +fix crashes on resume") by Mark Brown . + +Signed-off-by: Geert Uytterhoeven +Acked-by: Charles Keepax +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm8940.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/codecs/wm8940.c b/sound/soc/codecs/wm8940.c +index f6f9395ea38e..1c600819f768 100644 +--- a/sound/soc/codecs/wm8940.c ++++ b/sound/soc/codecs/wm8940.c +@@ -743,6 +743,7 @@ static const struct regmap_config wm8940_regmap = { + .max_register = WM8940_MONOMIX, + .reg_defaults = wm8940_reg_defaults, + .num_reg_defaults = ARRAY_SIZE(wm8940_reg_defaults), ++ .cache_type = REGCACHE_RBTREE, + + .readable_reg = wm8940_readable_register, + .volatile_reg = wm8940_volatile_register, +-- +2.17.1 + diff --git a/queue-4.4/ax88179_178a-check-for-supported-wake-on-lan-modes.patch b/queue-4.4/ax88179_178a-check-for-supported-wake-on-lan-modes.patch new file mode 100644 index 00000000000..f973fde5288 --- /dev/null +++ b/queue-4.4/ax88179_178a-check-for-supported-wake-on-lan-modes.patch @@ -0,0 +1,36 @@ +From bdd4d94f40c1f058c6796ce631c37d601e5c0b7c Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 28 Sep 2018 16:18:51 -0700 +Subject: ax88179_178a: Check for supported Wake-on-LAN modes + +[ Upstream commit 5ba6b4aa9a410c5e2c6417df52b5e2118ea9b467 ] + +The driver currently silently accepts unsupported Wake-on-LAN modes +(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user, +which is confusing. + +Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/ax88179_178a.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c +index e6338c16081a..e3f2e6098db4 100644 +--- a/drivers/net/usb/ax88179_178a.c ++++ b/drivers/net/usb/ax88179_178a.c +@@ -566,6 +566,9 @@ ax88179_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo) + struct usbnet *dev = netdev_priv(net); + u8 opt = 0; + ++ if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC)) ++ return -EINVAL; ++ + if (wolinfo->wolopts & WAKE_PHY) + opt |= AX_MONITOR_MODE_RWLC; + if (wolinfo->wolopts & WAKE_MAGIC) +-- +2.17.1 + diff --git a/queue-4.4/bluetooth-smp-fix-crash-in-unpairing.patch b/queue-4.4/bluetooth-smp-fix-crash-in-unpairing.patch new file mode 100644 index 00000000000..6a288ce6c2f --- /dev/null +++ b/queue-4.4/bluetooth-smp-fix-crash-in-unpairing.patch @@ -0,0 +1,194 @@ +From 1cd042b1a5e95ca2f0fd6e4787ad007206b74f7c Mon Sep 17 00:00:00 2001 +From: Matias Karhumaa +Date: Wed, 26 Sep 2018 09:13:46 +0300 +Subject: Bluetooth: SMP: fix crash in unpairing + +[ Upstream commit cb28c306b93b71f2741ce1a5a66289db26715f4d ] + +In case unpair_device() was called through mgmt interface at the same time +when pairing was in progress, Bluetooth kernel module crash was seen. + +[ 600.351225] general protection fault: 0000 [#1] SMP PTI +[ 600.351235] CPU: 1 PID: 11096 Comm: btmgmt Tainted: G OE 4.19.0-rc1+ #1 +[ 600.351238] Hardware name: Dell Inc. Latitude E5440/08RCYC, BIOS A18 05/14/2017 +[ 600.351272] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth] +[ 600.351276] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 <48> 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01 +[ 600.351279] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246 +[ 600.351282] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60 +[ 600.351285] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500 +[ 600.351287] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00 +[ 600.351290] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800 +[ 600.351292] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00 +[ 600.351295] FS: 00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000 +[ 600.351298] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 600.351300] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0 +[ 600.351302] Call Trace: +[ 600.351325] smp_failure+0x4f/0x70 [bluetooth] +[ 600.351345] smp_cancel_pairing+0x74/0x80 [bluetooth] +[ 600.351370] unpair_device+0x1c1/0x330 [bluetooth] +[ 600.351399] hci_sock_sendmsg+0x960/0x9f0 [bluetooth] +[ 600.351409] ? apparmor_socket_sendmsg+0x1e/0x20 +[ 600.351417] sock_sendmsg+0x3e/0x50 +[ 600.351422] sock_write_iter+0x85/0xf0 +[ 600.351429] do_iter_readv_writev+0x12b/0x1b0 +[ 600.351434] do_iter_write+0x87/0x1a0 +[ 600.351439] vfs_writev+0x98/0x110 +[ 600.351443] ? ep_poll+0x16d/0x3d0 +[ 600.351447] ? ep_modify+0x73/0x170 +[ 600.351451] do_writev+0x61/0xf0 +[ 600.351455] ? do_writev+0x61/0xf0 +[ 600.351460] __x64_sys_writev+0x1c/0x20 +[ 600.351465] do_syscall_64+0x5a/0x110 +[ 600.351471] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 600.351474] RIP: 0033:0x7fb2bdb62fe0 +[ 600.351477] Code: 73 01 c3 48 8b 0d b8 6e 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 69 c7 2c 00 00 75 10 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 de 80 01 00 48 89 04 24 +[ 600.351479] RSP: 002b:00007ffe062cb8f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 +[ 600.351484] RAX: ffffffffffffffda RBX: 000000000255b3d0 RCX: 00007fb2bdb62fe0 +[ 600.351487] RDX: 0000000000000001 RSI: 00007ffe062cb920 RDI: 0000000000000004 +[ 600.351490] RBP: 00007ffe062cb920 R08: 000000000255bd80 R09: 0000000000000000 +[ 600.351494] R10: 0000000000000353 R11: 0000000000000246 R12: 0000000000000001 +[ 600.351497] R13: 00007ffe062cbbe0 R14: 0000000000000000 R15: 0000000000000000 +[ 600.351501] Modules linked in: algif_hash algif_skcipher af_alg cmac ipt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat_ipv4 xt_addrtype iptable_filter ip_tables xt_conntrack x_tables nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c br_netfilter bridge stp llc overlay arc4 nls_iso8859_1 dm_crypt intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp dell_laptop kvm_intel crct10dif_pclmul dell_smm_hwmon crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper intel_cstate intel_rapl_perf uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev media hid_multitouch input_leds joydev serio_raw dell_wmi snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic dell_smbios dcdbas sparse_keymap +[ 600.351569] snd_hda_intel btusb snd_hda_codec btrtl btbcm btintel snd_hda_core bluetooth(OE) snd_hwdep snd_pcm iwlmvm ecdh_generic wmi_bmof dell_wmi_descriptor snd_seq_midi mac80211 snd_seq_midi_event lpc_ich iwlwifi snd_rawmidi snd_seq snd_seq_device snd_timer cfg80211 snd soundcore mei_me mei dell_rbtn dell_smo8800 mac_hid parport_pc ppdev lp parport autofs4 hid_generic usbhid hid i915 nouveau kvmgt vfio_mdev mdev vfio_iommu_type1 vfio kvm irqbypass i2c_algo_bit ttm drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi psmouse ahci sdhci_pci cqhci libahci fb_sys_fops sdhci drm e1000e video wmi +[ 600.351637] ---[ end trace e49e9f1df09c94fb ]--- +[ 600.351664] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth] +[ 600.351666] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 <48> 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01 +[ 600.351669] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246 +[ 600.351672] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60 +[ 600.351674] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500 +[ 600.351676] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00 +[ 600.351679] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800 +[ 600.351681] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00 +[ 600.351684] FS: 00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000 +[ 600.351686] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 600.351689] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0 + +Crash happened because list_del_rcu() was called twice for smp->ltk. This +was possible if unpair_device was called right after ltk was generated +but before keys were distributed. + +In this commit smp_cancel_pairing was refactored to cancel pairing if it +is in progress and otherwise just removes keys. Once keys are removed from +rcu list, pointers to smp context's keys are set to NULL to make sure +removed list items are not accessed later. + +This commit also adjusts the functionality of mgmt unpair_device() little +bit. Previously pairing was canceled only if pairing was in state that +keys were already generated. With this commit unpair_device() cancels +pairing already in earlier states. + +Bug was found by fuzzing kernel SMP implementation using Synopsys +Defensics. + +Reported-by: Pekka Oikarainen +Signed-off-by: Matias Karhumaa +Signed-off-by: Johan Hedberg +Signed-off-by: Sasha Levin +--- + net/bluetooth/mgmt.c | 7 ++----- + net/bluetooth/smp.c | 29 +++++++++++++++++++++++++---- + net/bluetooth/smp.h | 3 ++- + 3 files changed, 29 insertions(+), 10 deletions(-) + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index b1b0a1c0bd8d..ecc3da6a14a1 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -3083,9 +3083,8 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data, + /* LE address type */ + addr_type = le_addr_type(cp->addr.type); + +- hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type); +- +- err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type); ++ /* Abort any ongoing SMP pairing. Removes ltk and irk if they exist. */ ++ err = smp_cancel_and_remove_pairing(hdev, &cp->addr.bdaddr, addr_type); + if (err < 0) { + err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE, + MGMT_STATUS_NOT_PAIRED, &rp, +@@ -3099,8 +3098,6 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data, + goto done; + } + +- /* Abort any ongoing SMP pairing */ +- smp_cancel_pairing(conn); + + /* Defer clearing up the connection parameters until closing to + * give a chance of keeping them if a repairing happens. +diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c +index 0dc27d2e8f18..bedfaef2c59e 100644 +--- a/net/bluetooth/smp.c ++++ b/net/bluetooth/smp.c +@@ -2371,30 +2371,51 @@ unlock: + return ret; + } + +-void smp_cancel_pairing(struct hci_conn *hcon) ++int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr, ++ u8 addr_type) + { +- struct l2cap_conn *conn = hcon->l2cap_data; ++ struct hci_conn *hcon; ++ struct l2cap_conn *conn; + struct l2cap_chan *chan; + struct smp_chan *smp; ++ int err; ++ ++ err = hci_remove_ltk(hdev, bdaddr, addr_type); ++ hci_remove_irk(hdev, bdaddr, addr_type); ++ ++ hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type); ++ if (!hcon) ++ goto done; + ++ conn = hcon->l2cap_data; + if (!conn) +- return; ++ goto done; + + chan = conn->smp; + if (!chan) +- return; ++ goto done; + + l2cap_chan_lock(chan); + + smp = chan->data; + if (smp) { ++ /* Set keys to NULL to make sure smp_failure() does not try to ++ * remove and free already invalidated rcu list entries. */ ++ smp->ltk = NULL; ++ smp->slave_ltk = NULL; ++ smp->remote_irk = NULL; ++ + if (test_bit(SMP_FLAG_COMPLETE, &smp->flags)) + smp_failure(conn, 0); + else + smp_failure(conn, SMP_UNSPECIFIED); ++ err = 0; + } + + l2cap_chan_unlock(chan); ++ ++done: ++ return err; + } + + static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb) +diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h +index ffcc70b6b199..993cbd7bcfe7 100644 +--- a/net/bluetooth/smp.h ++++ b/net/bluetooth/smp.h +@@ -180,7 +180,8 @@ enum smp_key_pref { + }; + + /* SMP Commands */ +-void smp_cancel_pairing(struct hci_conn *hcon); ++int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr, ++ u8 addr_type); + bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level, + enum smp_key_pref key_pref); + int smp_conn_security(struct hci_conn *hcon, __u8 sec_level); +-- +2.17.1 + diff --git a/queue-4.4/bonding-avoid-defaulting-hard_header_len-to-eth_hlen.patch b/queue-4.4/bonding-avoid-defaulting-hard_header_len-to-eth_hlen.patch new file mode 100644 index 00000000000..d3e31dda1f2 --- /dev/null +++ b/queue-4.4/bonding-avoid-defaulting-hard_header_len-to-eth_hlen.patch @@ -0,0 +1,91 @@ +From caa113e6ec6d3b03d67215aa4fa01346fc6f6f60 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Thu, 27 Apr 2017 19:29:34 +0200 +Subject: bonding: avoid defaulting hard_header_len to ETH_HLEN on slave + removal + +[ Upstream commit 19cdead3e2ef8ed765c5d1ce48057ca9d97b5094 ] + +On slave list updates, the bonding driver computes its hard_header_len +as the maximum of all enslaved devices's hard_header_len. +If the slave list is empty, e.g. on last enslaved device removal, +ETH_HLEN is used. + +Since the bonding header_ops are set only when the first enslaved +device is attached, the above can lead to header_ops->create() +being called with the wrong skb headroom in place. + +If bond0 is configured on top of ipoib devices, with the +following commands: + +ifup bond0 +for slave in $BOND_SLAVES_LIST; do + ip link set dev $slave nomaster +done +ping -c 1 + +we will obtain a skb_under_panic() with a similar call trace: + skb_push+0x3d/0x40 + push_pseudo_header+0x17/0x30 [ib_ipoib] + ipoib_hard_header+0x4e/0x80 [ib_ipoib] + arp_create+0x12f/0x220 + arp_send_dst.part.19+0x28/0x50 + arp_solicit+0x115/0x290 + neigh_probe+0x4d/0x70 + __neigh_event_send+0xa7/0x230 + neigh_resolve_output+0x12e/0x1c0 + ip_finish_output2+0x14b/0x390 + ip_finish_output+0x136/0x1e0 + ip_output+0x76/0xe0 + ip_local_out+0x35/0x40 + ip_send_skb+0x19/0x40 + ip_push_pending_frames+0x33/0x40 + raw_sendmsg+0x7d3/0xb50 + inet_sendmsg+0x31/0xb0 + sock_sendmsg+0x38/0x50 + SYSC_sendto+0x102/0x190 + SyS_sendto+0xe/0x10 + do_syscall_64+0x67/0x180 + entry_SYSCALL64_slow_path+0x25/0x25 + +This change addresses the issue avoiding updating the bonding device +hard_header_len when the slaves list become empty, forbidding to +shrink it below the value used by header_ops->create(). + +The bug is there since commit 54ef31371407 ("[PATCH] bonding: Handle large +hard_header_len") but the panic can be triggered only since +commit fc791b633515 ("IB/ipoib: move back IB LL address into the hard +header"). + +Reported-by: Norbert P +Fixes: 54ef31371407 ("[PATCH] bonding: Handle large hard_header_len") +Fixes: fc791b633515 ("IB/ipoib: move back IB LL address into the hard header") +Signed-off-by: Marcelo Ricardo Leitner +Signed-off-by: Paolo Abeni +Signed-off-by: Jay Vosburgh +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 339118f3c718..9e6159271c26 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1106,11 +1106,11 @@ static void bond_compute_features(struct bonding *bond) + gso_max_size = min(gso_max_size, slave->dev->gso_max_size); + gso_max_segs = min(gso_max_segs, slave->dev->gso_max_segs); + } ++ bond_dev->hard_header_len = max_hard_header_len; + + done: + bond_dev->vlan_features = vlan_features; + bond_dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL; +- bond_dev->hard_header_len = max_hard_header_len; + bond_dev->gso_max_segs = gso_max_segs; + netif_set_gso_max_size(bond_dev, gso_max_size); + +-- +2.17.1 + diff --git a/queue-4.4/bpf-generally-move-prog-destruction-to-rcu-deferral.patch b/queue-4.4/bpf-generally-move-prog-destruction-to-rcu-deferral.patch new file mode 100644 index 00000000000..170f43cc4ad --- /dev/null +++ b/queue-4.4/bpf-generally-move-prog-destruction-to-rcu-deferral.patch @@ -0,0 +1,164 @@ +From 7b32bb49843fbed0707cc519311186a2b2ec7a7f Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Thu, 30 Jun 2016 17:24:43 +0200 +Subject: bpf: generally move prog destruction to RCU deferral + +[ Upstream commit 1aacde3d22c42281236155c1ef6d7a5aa32a826b ] + +Jann Horn reported following analysis that could potentially result +in a very hard to trigger (if not impossible) UAF race, to quote his +event timeline: + + - Set up a process with threads T1, T2 and T3 + - Let T1 set up a socket filter F1 that invokes another filter F2 + through a BPF map [tail call] + - Let T1 trigger the socket filter via a unix domain socket write, + don't wait for completion + - Let T2 call PERF_EVENT_IOC_SET_BPF with F2, don't wait for completion + - Now T2 should be behind bpf_prog_get(), but before bpf_prog_put() + - Let T3 close the file descriptor for F2, dropping the reference + count of F2 to 2 + - At this point, T1 should have looked up F2 from the map, but not + finished executing it + - Let T3 remove F2 from the BPF map, dropping the reference count of + F2 to 1 + - Now T2 should call bpf_prog_put() (wrong BPF program type), dropping + the reference count of F2 to 0 and scheduling bpf_prog_free_deferred() + via schedule_work() + - At this point, the BPF program could be freed + - BPF execution is still running in a freed BPF program + +While at PERF_EVENT_IOC_SET_BPF time it's only guaranteed that the perf +event fd we're doing the syscall on doesn't disappear from underneath us +for whole syscall time, it may not be the case for the bpf fd used as +an argument only after we did the put. It needs to be a valid fd pointing +to a BPF program at the time of the call to make the bpf_prog_get() and +while T2 gets preempted, F2 must have dropped reference to 1 on the other +CPU. The fput() from the close() in T3 should also add additionally delay +to the reference drop via exit_task_work() when bpf_prog_release() gets +called as well as scheduling bpf_prog_free_deferred(). + +That said, it makes nevertheless sense to move the BPF prog destruction +generally after RCU grace period to guarantee that such scenario above, +but also others as recently fixed in ceb56070359b ("bpf, perf: delay release +of BPF prog after grace period") with regards to tail calls won't happen. +Integrating bpf_prog_free_deferred() directly into the RCU callback is +not allowed since the invocation might happen from either softirq or +process context, so we're not permitted to block. Reviewing all bpf_prog_put() +invocations from eBPF side (note, cBPF -> eBPF progs don't use this for +their destruction) with call_rcu() look good to me. + +Since we don't know whether at the time of attaching the program, we're +already part of a tail call map, we need to use RCU variant. However, due +to this, there won't be severely more stress on the RCU callback queue: +situations with above bpf_prog_get() and bpf_prog_put() combo in practice +normally won't lead to releases, but even if they would, enough effort/ +cycles have to be put into loading a BPF program into the kernel already. + +Reported-by: Jann Horn +Signed-off-by: Daniel Borkmann +Acked-by: Alexei Starovoitov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/bpf.h | 5 ----- + kernel/bpf/arraymap.c | 4 +--- + kernel/bpf/syscall.c | 13 +++---------- + kernel/events/core.c | 2 +- + 4 files changed, 5 insertions(+), 19 deletions(-) + +diff --git a/include/linux/bpf.h b/include/linux/bpf.h +index 132585a7fbd8..bae3da5bcda0 100644 +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -177,7 +177,6 @@ void bpf_register_map_type(struct bpf_map_type_list *tl); + struct bpf_prog *bpf_prog_get(u32 ufd); + struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog); + void bpf_prog_put(struct bpf_prog *prog); +-void bpf_prog_put_rcu(struct bpf_prog *prog); + + struct bpf_map *bpf_map_get_with_uref(u32 ufd); + struct bpf_map *__bpf_map_get(struct fd f); +@@ -208,10 +207,6 @@ static inline struct bpf_prog *bpf_prog_get(u32 ufd) + static inline void bpf_prog_put(struct bpf_prog *prog) + { + } +- +-static inline void bpf_prog_put_rcu(struct bpf_prog *prog) +-{ +-} + #endif /* CONFIG_BPF_SYSCALL */ + + /* verifier prototypes for helper functions called from eBPF programs */ +diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c +index 0eb11b4ac4c7..daa4e0782cf7 100644 +--- a/kernel/bpf/arraymap.c ++++ b/kernel/bpf/arraymap.c +@@ -270,9 +270,7 @@ static void *prog_fd_array_get_ptr(struct bpf_map *map, int fd) + + static void prog_fd_array_put_ptr(void *ptr) + { +- struct bpf_prog *prog = ptr; +- +- bpf_prog_put_rcu(prog); ++ bpf_prog_put(ptr); + } + + /* decrement refcnt of all bpf_progs that are stored in this map */ +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index 4b9bbfe764e8..04fc1022ad9f 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -487,7 +487,7 @@ static void bpf_prog_uncharge_memlock(struct bpf_prog *prog) + free_uid(user); + } + +-static void __prog_put_common(struct rcu_head *rcu) ++static void __bpf_prog_put_rcu(struct rcu_head *rcu) + { + struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu); + +@@ -496,17 +496,10 @@ static void __prog_put_common(struct rcu_head *rcu) + bpf_prog_free(aux->prog); + } + +-/* version of bpf_prog_put() that is called after a grace period */ +-void bpf_prog_put_rcu(struct bpf_prog *prog) +-{ +- if (atomic_dec_and_test(&prog->aux->refcnt)) +- call_rcu(&prog->aux->rcu, __prog_put_common); +-} +- + void bpf_prog_put(struct bpf_prog *prog) + { + if (atomic_dec_and_test(&prog->aux->refcnt)) +- __prog_put_common(&prog->aux->rcu); ++ call_rcu(&prog->aux->rcu, __bpf_prog_put_rcu); + } + EXPORT_SYMBOL_GPL(bpf_prog_put); + +@@ -514,7 +507,7 @@ static int bpf_prog_release(struct inode *inode, struct file *filp) + { + struct bpf_prog *prog = filp->private_data; + +- bpf_prog_put_rcu(prog); ++ bpf_prog_put(prog); + return 0; + } + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 68b75dfceb0c..21e825250402 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -7139,7 +7139,7 @@ static void perf_event_free_bpf_prog(struct perf_event *event) + prog = event->tp_event->prog; + if (prog && event->tp_event->bpf_prog_owner == event) { + event->tp_event->prog = NULL; +- bpf_prog_put_rcu(prog); ++ bpf_prog_put(prog); + } + } + +-- +2.17.1 + diff --git a/queue-4.4/brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch b/queue-4.4/brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch new file mode 100644 index 00000000000..9909086049b --- /dev/null +++ b/queue-4.4/brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch @@ -0,0 +1,61 @@ +From e8506da61f40f35af74820cab778a1d851e899e0 Mon Sep 17 00:00:00 2001 +From: "Peter S. Housel" +Date: Mon, 12 Jun 2017 11:46:22 +0100 +Subject: brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain + +[ Upstream commit 5ea59db8a375216e6c915c5586f556766673b5a7 ] + +An earlier change to this function (3bdae810721b) fixed a leak in the +case of an unsuccessful call to brcmf_sdiod_buffrw(). However, the +glom_skb buffer, used for emulating a scattering read, is never used +or referenced after its contents are copied into the destination +buffers, and therefore always needs to be freed by the end of the +function. + +Fixes: 3bdae810721b ("brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain") +Fixes: a413e39a38573 ("brcmfmac: fix brcmf_sdcard_recv_chain() for host without sg support") +Cc: stable@vger.kernel.org # 4.9.x- +Signed-off-by: Peter S. Housel +Signed-off-by: Arend van Spriel +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c b/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c +index 91da67657f81..72e1796c8167 100644 +--- a/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c +@@ -705,7 +705,7 @@ done: + int brcmf_sdiod_recv_chain(struct brcmf_sdio_dev *sdiodev, + struct sk_buff_head *pktq, uint totlen) + { +- struct sk_buff *glom_skb; ++ struct sk_buff *glom_skb = NULL; + struct sk_buff *skb; + u32 addr = sdiodev->sbwad; + int err = 0; +@@ -726,10 +726,8 @@ int brcmf_sdiod_recv_chain(struct brcmf_sdio_dev *sdiodev, + return -ENOMEM; + err = brcmf_sdiod_buffrw(sdiodev, SDIO_FUNC_2, false, addr, + glom_skb); +- if (err) { +- brcmu_pkt_buf_free_skb(glom_skb); ++ if (err) + goto done; +- } + + skb_queue_walk(pktq, skb) { + memcpy(skb->data, glom_skb->data, skb->len); +@@ -740,6 +738,7 @@ int brcmf_sdiod_recv_chain(struct brcmf_sdio_dev *sdiodev, + pktq); + + done: ++ brcmu_pkt_buf_free_skb(glom_skb); + return err; + } + +-- +2.17.1 + diff --git a/queue-4.4/btrfs-cleaner_kthread-doesn-t-need-explicit-freeze.patch b/queue-4.4/btrfs-cleaner_kthread-doesn-t-need-explicit-freeze.patch new file mode 100644 index 00000000000..f16d8275001 --- /dev/null +++ b/queue-4.4/btrfs-cleaner_kthread-doesn-t-need-explicit-freeze.patch @@ -0,0 +1,42 @@ +From 7213b724ecae4594c59a1d3ea38375897834ab6d Mon Sep 17 00:00:00 2001 +From: Jiri Kosina +Date: Tue, 15 Mar 2016 11:28:54 +0100 +Subject: btrfs: cleaner_kthread() doesn't need explicit freeze + +[ Upstream commit 838fe1887765f4cc679febea60d87d2a06bd300e ] + +cleaner_kthread() is not marked freezable, and therefore calling +try_to_freeze() in its context is a pointless no-op. + +In addition to that, as has been clearly demonstrated by 80ad623edd2d +("Revert "btrfs: clear PF_NOFREEZE in cleaner_kthread()"), it's perfectly +valid / legal for cleaner_kthread() to stay scheduled out in an arbitrary +place during suspend (in that particular example that was waiting for +reading of extent pages), so there is no need to leave any traces of +freezer in this kthread. + +Fixes: 80ad623edd2d ("Revert "btrfs: clear PF_NOFREEZE in cleaner_kthread()") +Fixes: 696249132158 ("btrfs: clear PF_NOFREEZE in cleaner_kthread()") +Signed-off-by: Jiri Kosina +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/disk-io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index ae6e3a30e61e..a2001abbe379 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -1820,7 +1820,7 @@ static int cleaner_kthread(void *arg) + */ + btrfs_delete_unused_bgs(root->fs_info); + sleep: +- if (!try_to_freeze() && !again) { ++ if (!again) { + set_current_state(TASK_INTERRUPTIBLE); + if (!kthread_should_stop()) + schedule(); +-- +2.17.1 + diff --git a/queue-4.4/btrfs-don-t-create-or-leak-aliased-root-while-cleani.patch b/queue-4.4/btrfs-don-t-create-or-leak-aliased-root-while-cleani.patch new file mode 100644 index 00000000000..6f6b1c18fb6 --- /dev/null +++ b/queue-4.4/btrfs-don-t-create-or-leak-aliased-root-while-cleani.patch @@ -0,0 +1,103 @@ +From a41bfdd412a2c3a016cdfa65114cae07b794fd1c Mon Sep 17 00:00:00 2001 +From: Jeff Mahoney +Date: Wed, 17 Aug 2016 21:58:33 -0400 +Subject: btrfs: don't create or leak aliased root while cleaning up orphans + +[ Upstream commit 35bbb97fc898aeb874cb7c8b746f091caa359994 ] + +commit 909c3a22da3 (Btrfs: fix loading of orphan roots leading to BUG_ON) +avoids the BUG_ON but can add an aliased root to the dead_roots list or +leak the root. + +Since we've already been loading roots into the radix tree, we should +use it before looking the root up on disk. + +Cc: # 4.5 +Signed-off-by: Jeff Mahoney +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Chris Mason +Signed-off-by: Sasha Levin +--- + fs/btrfs/disk-io.c | 4 ++-- + fs/btrfs/disk-io.h | 2 ++ + fs/btrfs/root-tree.c | 27 ++++++++++++++++++--------- + 3 files changed, 22 insertions(+), 11 deletions(-) + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index a2001abbe379..120363d0f981 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -1608,8 +1608,8 @@ fail: + return ret; + } + +-static struct btrfs_root *btrfs_lookup_fs_root(struct btrfs_fs_info *fs_info, +- u64 root_id) ++struct btrfs_root *btrfs_lookup_fs_root(struct btrfs_fs_info *fs_info, ++ u64 root_id) + { + struct btrfs_root *root; + +diff --git a/fs/btrfs/disk-io.h b/fs/btrfs/disk-io.h +index adeb31830b9c..3c9819403487 100644 +--- a/fs/btrfs/disk-io.h ++++ b/fs/btrfs/disk-io.h +@@ -68,6 +68,8 @@ struct extent_buffer *btrfs_find_tree_block(struct btrfs_fs_info *fs_info, + struct btrfs_root *btrfs_read_fs_root(struct btrfs_root *tree_root, + struct btrfs_key *location); + int btrfs_init_fs_root(struct btrfs_root *root); ++struct btrfs_root *btrfs_lookup_fs_root(struct btrfs_fs_info *fs_info, ++ u64 root_id); + int btrfs_insert_fs_root(struct btrfs_fs_info *fs_info, + struct btrfs_root *root); + void btrfs_free_fs_roots(struct btrfs_fs_info *fs_info); +diff --git a/fs/btrfs/root-tree.c b/fs/btrfs/root-tree.c +index 2c849b08a91b..6a6efb26d52f 100644 +--- a/fs/btrfs/root-tree.c ++++ b/fs/btrfs/root-tree.c +@@ -272,6 +272,23 @@ int btrfs_find_orphan_roots(struct btrfs_root *tree_root) + root_key.objectid = key.offset; + key.offset++; + ++ /* ++ * The root might have been inserted already, as before we look ++ * for orphan roots, log replay might have happened, which ++ * triggers a transaction commit and qgroup accounting, which ++ * in turn reads and inserts fs roots while doing backref ++ * walking. ++ */ ++ root = btrfs_lookup_fs_root(tree_root->fs_info, ++ root_key.objectid); ++ if (root) { ++ WARN_ON(!test_bit(BTRFS_ROOT_ORPHAN_ITEM_INSERTED, ++ &root->state)); ++ if (btrfs_root_refs(&root->root_item) == 0) ++ btrfs_add_dead_root(root); ++ continue; ++ } ++ + root = btrfs_read_fs_root(tree_root, &root_key); + err = PTR_ERR_OR_ZERO(root); + if (err && err != -ENOENT) { +@@ -310,16 +327,8 @@ int btrfs_find_orphan_roots(struct btrfs_root *tree_root) + set_bit(BTRFS_ROOT_ORPHAN_ITEM_INSERTED, &root->state); + + err = btrfs_insert_fs_root(root->fs_info, root); +- /* +- * The root might have been inserted already, as before we look +- * for orphan roots, log replay might have happened, which +- * triggers a transaction commit and qgroup accounting, which +- * in turn reads and inserts fs roots while doing backref +- * walking. +- */ +- if (err == -EEXIST) +- err = 0; + if (err) { ++ BUG_ON(err == -EEXIST); + btrfs_free_fs_root(root); + break; + } +-- +2.17.1 + diff --git a/queue-4.4/cfg80211-address-some-corner-cases-in-scan-result-ch.patch b/queue-4.4/cfg80211-address-some-corner-cases-in-scan-result-ch.patch new file mode 100644 index 00000000000..3b703eb530b --- /dev/null +++ b/queue-4.4/cfg80211-address-some-corner-cases-in-scan-result-ch.patch @@ -0,0 +1,140 @@ +From 42f417212a8d02cacbd4ee288e9aa542d9283ff8 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Wed, 5 Sep 2018 18:52:22 +0300 +Subject: cfg80211: Address some corner cases in scan result channel updating + +[ Upstream commit 119f94a6fefcc76d47075b83d2b73d04c895df78 ] + +cfg80211_get_bss_channel() is used to update the RX channel based on the +available frame payload information (channel number from DSSS Parameter +Set element or HT Operation element). This is needed on 2.4 GHz channels +where frames may be received on neighboring channels due to overlapping +frequency range. + +This might of some use on the 5 GHz band in some corner cases, but +things are more complex there since there is no n:1 or 1:n mapping +between channel numbers and frequencies due to multiple different +starting frequencies in different operating classes. This could result +in ieee80211_channel_to_frequency() returning incorrect frequency and +ieee80211_get_channel() returning incorrect channel information (or +indication of no match). In the previous implementation, this could +result in some scan results being dropped completely, e.g., for the 4.9 +GHz channels. That prevented connection to such BSSs. + +Fix this by using the driver-provided channel pointer if +ieee80211_get_channel() does not find matching channel data for the +channel number in the frame payload and if the scan is done with 5 MHz +or 10 MHz channel bandwidth. While doing this, also add comments +describing what the function is trying to achieve to make it easier to +understand what happens here and why. + +Signed-off-by: Jouni Malinen +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 58 ++++++++++++++++++++++++++++++++++++++------- + 1 file changed, 49 insertions(+), 9 deletions(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 8dde12a11725..00219f386283 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -974,13 +974,23 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev, + return NULL; + } + ++/* ++ * Update RX channel information based on the available frame payload ++ * information. This is mainly for the 2.4 GHz band where frames can be received ++ * from neighboring channels and the Beacon frames use the DSSS Parameter Set ++ * element to indicate the current (transmitting) channel, but this might also ++ * be needed on other bands if RX frequency does not match with the actual ++ * operating channel of a BSS. ++ */ + static struct ieee80211_channel * + cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen, +- struct ieee80211_channel *channel) ++ struct ieee80211_channel *channel, ++ enum nl80211_bss_scan_width scan_width) + { + const u8 *tmp; + u32 freq; + int channel_number = -1; ++ struct ieee80211_channel *alt_channel; + + tmp = cfg80211_find_ie(WLAN_EID_DS_PARAMS, ie, ielen); + if (tmp && tmp[1] == 1) { +@@ -994,16 +1004,45 @@ cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen, + } + } + +- if (channel_number < 0) ++ if (channel_number < 0) { ++ /* No channel information in frame payload */ + return channel; ++ } + + freq = ieee80211_channel_to_frequency(channel_number, channel->band); +- channel = ieee80211_get_channel(wiphy, freq); +- if (!channel) +- return NULL; +- if (channel->flags & IEEE80211_CHAN_DISABLED) ++ alt_channel = ieee80211_get_channel(wiphy, freq); ++ if (!alt_channel) { ++ if (channel->band == NL80211_BAND_2GHZ) { ++ /* ++ * Better not allow unexpected channels when that could ++ * be going beyond the 1-11 range (e.g., discovering ++ * BSS on channel 12 when radio is configured for ++ * channel 11. ++ */ ++ return NULL; ++ } ++ ++ /* No match for the payload channel number - ignore it */ ++ return channel; ++ } ++ ++ if (scan_width == NL80211_BSS_CHAN_WIDTH_10 || ++ scan_width == NL80211_BSS_CHAN_WIDTH_5) { ++ /* ++ * Ignore channel number in 5 and 10 MHz channels where there ++ * may not be an n:1 or 1:n mapping between frequencies and ++ * channel numbers. ++ */ ++ return channel; ++ } ++ ++ /* ++ * Use the channel determined through the payload channel number ++ * instead of the RX channel reported by the driver. ++ */ ++ if (alt_channel->flags & IEEE80211_CHAN_DISABLED) + return NULL; +- return channel; ++ return alt_channel; + } + + /* Returned bss is reference counted and must be cleaned up appropriately. */ +@@ -1028,7 +1067,8 @@ cfg80211_inform_bss_data(struct wiphy *wiphy, + (data->signal < 0 || data->signal > 100))) + return NULL; + +- channel = cfg80211_get_bss_channel(wiphy, ie, ielen, data->chan); ++ channel = cfg80211_get_bss_channel(wiphy, ie, ielen, data->chan, ++ data->scan_width); + if (!channel) + return NULL; + +@@ -1126,7 +1166,7 @@ cfg80211_inform_bss_frame_data(struct wiphy *wiphy, + return NULL; + + channel = cfg80211_get_bss_channel(wiphy, mgmt->u.beacon.variable, +- ielen, data->chan); ++ ielen, data->chan, data->scan_width); + if (!channel) + return NULL; + +-- +2.17.1 + diff --git a/queue-4.4/cfg80211-reg-init-wiphy_idx-in-regulatory_hint_core.patch b/queue-4.4/cfg80211-reg-init-wiphy_idx-in-regulatory_hint_core.patch new file mode 100644 index 00000000000..123fea9bb96 --- /dev/null +++ b/queue-4.4/cfg80211-reg-init-wiphy_idx-in-regulatory_hint_core.patch @@ -0,0 +1,37 @@ +From ad508508c048914bf0ce9be7c77f18963f02ebf1 Mon Sep 17 00:00:00 2001 +From: Andrei Otcheretianski +Date: Wed, 5 Sep 2018 08:06:12 +0300 +Subject: cfg80211: reg: Init wiphy_idx in regulatory_hint_core() + +[ Upstream commit 24f33e64fcd0d50a4b1a8e5b41bd0257aa66b0e8 ] + +Core regulatory hints didn't set wiphy_idx to WIPHY_IDX_INVALID. Since +the regulatory request is zeroed, wiphy_idx was always implicitly set to +0. This resulted in updating only phy #0. +Fix that. + +Fixes: 806a9e39670b ("cfg80211: make regulatory_request use wiphy_idx instead of wiphy") +Signed-off-by: Andrei Otcheretianski +Signed-off-by: Luca Coelho +[add fixes tag] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/reg.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/wireless/reg.c b/net/wireless/reg.c +index 06d050da0d94..50dffd183cc6 100644 +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -2367,6 +2367,7 @@ static int regulatory_hint_core(const char *alpha2) + request->alpha2[0] = alpha2[0]; + request->alpha2[1] = alpha2[1]; + request->initiator = NL80211_REGDOM_SET_BY_CORE; ++ request->wiphy_idx = WIPHY_IDX_INVALID; + + queue_regulatory_request(request); + +-- +2.17.1 + diff --git a/queue-4.4/cifs-handle-guest-access-errors-to-windows-shares.patch b/queue-4.4/cifs-handle-guest-access-errors-to-windows-shares.patch new file mode 100644 index 00000000000..021443e158c --- /dev/null +++ b/queue-4.4/cifs-handle-guest-access-errors-to-windows-shares.patch @@ -0,0 +1,85 @@ +From fee92cc97e3abcb287d8ce6b82aedf9532514bf2 Mon Sep 17 00:00:00 2001 +From: Mark Syms +Date: Tue, 29 Nov 2016 11:36:46 +0000 +Subject: CIFS: handle guest access errors to Windows shares + +[ Upstream commit 40920c2bb119fd49ba03e2f97a172171781be442 ] + +Commit 1a967d6c9b39c226be1b45f13acd4d8a5ab3dc44 ("correctly to +anonymous authentication for the NTLM(v2) authentication") introduces +a regression in handling errors related to attempting a guest +connection to a Windows share which requires authentication. This +should result in a permission denied error but actually causes the +kernel module to enter a never-ending loop trying to follow a DFS +referal which doesn't exist. + +The base cause of this is the failure now occurs later in the process +during tree connect and not at the session setup setup and all errors +in tree connect are interpreted as needing to follow the DFS paths +which isn't in this case correct. So, check the returned error against +EACCES and fail if this is returned error. + +Feedback from Aurelien: + + PS> net user guest /activate:no + PS> mkdir C:\guestshare + PS> icacls C:\guestshare /grant 'Everyone:(OI)(CI)F' + PS> new-smbshare -name guestshare -path C:\guestshare -fullaccess Everyone + + I've tested v3.10, v4.4, master, master+your patch using default options + (empty or no user "NU") and user=abc (U). + + NT_LOGON_FAILURE in session setup: LF + This is what you seem to have in 3.10. + + NT_ACCESS_DENIED in tree connect to the share: AD + This is what you get before your infinite loop. + + | NU U + -------------------------------- + 3.10 | LF LF + 4.4 | LF LF + master | AD LF + master+patch | AD LF + + No infinite DFS loop :( + All these issues result in mount failing very fast with permission denied. + + I guess it could be from either the Windows version or the share/folder + ACL. A deeper analysis of the packets might reveal more. + + In any case I did not notice any issues for on a basic DFS setup with + the patch so I don't think it introduced any regressions, which is + probably all that matters. It still bothers me a little I couldn't hit + the bug. + + I've included kernel output w/ debugging output and network capture of + my tests if anyone want to have a look at it. (master+patch = ml-guestfix). + +Signed-off-by: Mark Syms +Reviewed-by: Aurelien Aptel +Tested-by: Aurelien Aptel +Acked-by: Pavel Shilovsky +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/connect.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 077ad3a06c9a..1eeb4780c3ed 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -3674,6 +3674,9 @@ try_mount_again: + if (IS_ERR(tcon)) { + rc = PTR_ERR(tcon); + tcon = NULL; ++ if (rc == -EACCES) ++ goto mount_fail_check; ++ + goto remote_path_check; + } + +-- +2.17.1 + diff --git a/queue-4.4/drm-nouveau-fbcon-fix-oops-without-fbdev-emulation.patch b/queue-4.4/drm-nouveau-fbcon-fix-oops-without-fbdev-emulation.patch new file mode 100644 index 00000000000..d6f2208b096 --- /dev/null +++ b/queue-4.4/drm-nouveau-fbcon-fix-oops-without-fbdev-emulation.patch @@ -0,0 +1,58 @@ +From 8fd2c738d50a34bc3dc8388f4dee7aa664aad57d Mon Sep 17 00:00:00 2001 +From: Pavel Roskin +Date: Sat, 23 Sep 2017 13:10:33 -0700 +Subject: drm/nouveau/fbcon: fix oops without fbdev emulation + +[ Upstream commit 4813766325374af6ed0b66879ba6a0bbb05c83b6 ] + +This is similar to an earlier commit 52dfcc5ccfbb ("drm/nouveau: fix for +disabled fbdev emulation"), but protects all occurrences of helper.fbdev +in the source. + +I see oops in nouveau_fbcon_accel_save_disable() called from +nouveau_fbcon_set_suspend_work() on Linux 3.13 when +CONFIG_DRM_FBDEV_EMULATION option is disabled. + +Signed-off-by: Pavel Roskin +Reviewed-by: Daniel Vetter +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_fbcon.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c +index e40a1b07a014..343476d15726 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c ++++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c +@@ -235,7 +235,7 @@ void + nouveau_fbcon_accel_save_disable(struct drm_device *dev) + { + struct nouveau_drm *drm = nouveau_drm(dev); +- if (drm->fbcon) { ++ if (drm->fbcon && drm->fbcon->helper.fbdev) { + drm->fbcon->saved_flags = drm->fbcon->helper.fbdev->flags; + drm->fbcon->helper.fbdev->flags |= FBINFO_HWACCEL_DISABLED; + } +@@ -245,7 +245,7 @@ void + nouveau_fbcon_accel_restore(struct drm_device *dev) + { + struct nouveau_drm *drm = nouveau_drm(dev); +- if (drm->fbcon) { ++ if (drm->fbcon && drm->fbcon->helper.fbdev) { + drm->fbcon->helper.fbdev->flags = drm->fbcon->saved_flags; + } + } +@@ -257,7 +257,8 @@ nouveau_fbcon_accel_fini(struct drm_device *dev) + struct nouveau_fbdev *fbcon = drm->fbcon; + if (fbcon && drm->channel) { + console_lock(); +- fbcon->helper.fbdev->flags |= FBINFO_HWACCEL_DISABLED; ++ if (fbcon->helper.fbdev) ++ fbcon->helper.fbdev->flags |= FBINFO_HWACCEL_DISABLED; + console_unlock(); + nouveau_channel_idle(drm->channel); + nvif_object_fini(&fbcon->twod); +-- +2.17.1 + diff --git a/queue-4.4/fs-fat-fatent.c-add-cond_resched-to-fat_count_free_c.patch b/queue-4.4/fs-fat-fatent.c-add-cond_resched-to-fat_count_free_c.patch new file mode 100644 index 00000000000..f681b6b225b --- /dev/null +++ b/queue-4.4/fs-fat-fatent.c-add-cond_resched-to-fat_count_free_c.patch @@ -0,0 +1,36 @@ +From 9ef6b93f6846514c15a2a042bfbffe32f8630a58 Mon Sep 17 00:00:00 2001 +From: Khazhismel Kumykov +Date: Fri, 12 Oct 2018 21:34:40 -0700 +Subject: fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters() + +[ Upstream commit ac081c3be3fae6d0cc3e1862507fca3862d30b67 ] + +On non-preempt kernels this loop can take a long time (more than 50 ticks) +processing through entries. + +Link: http://lkml.kernel.org/r/20181010172623.57033-1-khazhy@google.com +Signed-off-by: Khazhismel Kumykov +Acked-by: OGAWA Hirofumi +Reviewed-by: Andrew Morton +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + fs/fat/fatent.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/fat/fatent.c b/fs/fat/fatent.c +index a70e37c47a78..e3fc477728b3 100644 +--- a/fs/fat/fatent.c ++++ b/fs/fat/fatent.c +@@ -681,6 +681,7 @@ int fat_count_free_clusters(struct super_block *sb) + if (ops->ent_get(&fatent) == FAT_ENT_FREE) + free++; + } while (fat_ent_next(sbi, &fatent)); ++ cond_resched(); + } + sbi->free_clusters = free; + sbi->free_clus_valid = 1; +-- +2.17.1 + diff --git a/queue-4.4/fuse-dont-call-set_page_dirty_lock-for-iter_bvec-pag.patch b/queue-4.4/fuse-dont-call-set_page_dirty_lock-for-iter_bvec-pag.patch new file mode 100644 index 00000000000..ddb7403f34b --- /dev/null +++ b/queue-4.4/fuse-dont-call-set_page_dirty_lock-for-iter_bvec-pag.patch @@ -0,0 +1,127 @@ +From 8ad8962051ad64732388a7dfa13e42e3b9597033 Mon Sep 17 00:00:00 2001 +From: Ashish Samant +Date: Wed, 12 Jul 2017 19:26:58 -0700 +Subject: fuse: Dont call set_page_dirty_lock() for ITER_BVEC pages for + async_dio + +[ Upstream commit 61c12b49e1c9c77d7a1bcc161de540d0fd21cf0c ] + +Commit 8fba54aebbdf ("fuse: direct-io: don't dirty ITER_BVEC pages") fixes +the ITER_BVEC page deadlock for direct io in fuse by checking in +fuse_direct_io(), whether the page is a bvec page or not, before locking +it. However, this check is missed when the "async_dio" mount option is +enabled. In this case, set_page_dirty_lock() is called from the req->end +callback in request_end(), when the fuse thread is returning from userspace +to respond to the read request. This will cause the same deadlock because +the bvec condition is not checked in this path. + +Here is the stack of the deadlocked thread, while returning from userspace: + +[13706.656686] INFO: task glusterfs:3006 blocked for more than 120 seconds. +[13706.657808] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables +this message. +[13706.658788] glusterfs D ffffffff816c80f0 0 3006 1 +0x00000080 +[13706.658797] ffff8800d6713a58 0000000000000086 ffff8800d9ad7000 +ffff8800d9ad5400 +[13706.658799] ffff88011ffd5cc0 ffff8800d6710008 ffff88011fd176c0 +7fffffffffffffff +[13706.658801] 0000000000000002 ffffffff816c80f0 ffff8800d6713a78 +ffffffff816c790e +[13706.658803] Call Trace: +[13706.658809] [] ? bit_wait_io_timeout+0x80/0x80 +[13706.658811] [] schedule+0x3e/0x90 +[13706.658813] [] schedule_timeout+0x1b5/0x210 +[13706.658816] [] ? gup_pud_range+0x1db/0x1f0 +[13706.658817] [] ? kvm_clock_read+0x1e/0x20 +[13706.658819] [] ? kvm_clock_get_cycles+0x9/0x10 +[13706.658822] [] ? ktime_get+0x52/0xc0 +[13706.658824] [] io_schedule_timeout+0xa4/0x110 +[13706.658826] [] bit_wait_io+0x36/0x50 +[13706.658828] [] __wait_on_bit_lock+0x76/0xb0 +[13706.658831] [] ? lock_request+0x46/0x70 [fuse] +[13706.658834] [] __lock_page+0xaa/0xb0 +[13706.658836] [] ? wake_atomic_t_function+0x40/0x40 +[13706.658838] [] set_page_dirty_lock+0x58/0x60 +[13706.658841] [] fuse_release_user_pages+0x58/0x70 [fuse] +[13706.658844] [] ? fuse_aio_complete+0x190/0x190 [fuse] +[13706.658847] [] fuse_aio_complete_req+0x29/0x90 [fuse] +[13706.658849] [] request_end+0xd9/0x190 [fuse] +[13706.658852] [] fuse_dev_do_write+0x336/0x490 [fuse] +[13706.658854] [] fuse_dev_write+0x6e/0xa0 [fuse] +[13706.658857] [] ? security_file_permission+0x23/0x90 +[13706.658859] [] do_iter_readv_writev+0x60/0x90 +[13706.658862] [] ? fuse_dev_splice_write+0x350/0x350 +[fuse] +[13706.658863] [] do_readv_writev+0x171/0x1f0 +[13706.658866] [] ? try_to_wake_up+0x210/0x210 +[13706.658868] [] vfs_writev+0x41/0x50 +[13706.658870] [] SyS_writev+0x56/0xf0 +[13706.658872] [] ? syscall_trace_leave+0xf1/0x160 +[13706.658874] [] system_call_fastpath+0x12/0x71 + +Fix this by making should_dirty a fuse_io_priv parameter that can be +checked in fuse_aio_complete_req(). + +Reported-by: Tiger Yang +Signed-off-by: Ashish Samant +Signed-off-by: Miklos Szeredi +Signed-off-by: Sasha Levin +--- + fs/fuse/file.c | 6 +++--- + fs/fuse/fuse_i.h | 1 + + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/fs/fuse/file.c b/fs/fuse/file.c +index 8577f3ba6dc6..7014318f6d18 100644 +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -625,7 +625,7 @@ static void fuse_aio_complete_req(struct fuse_conn *fc, struct fuse_req *req) + struct fuse_io_priv *io = req->io; + ssize_t pos = -1; + +- fuse_release_user_pages(req, !io->write); ++ fuse_release_user_pages(req, io->should_dirty); + + if (io->write) { + if (req->misc.write.in.size != req->misc.write.out.size) +@@ -1333,7 +1333,6 @@ ssize_t fuse_direct_io(struct fuse_io_priv *io, struct iov_iter *iter, + loff_t *ppos, int flags) + { + int write = flags & FUSE_DIO_WRITE; +- bool should_dirty = !write && iter_is_iovec(iter); + int cuse = flags & FUSE_DIO_CUSE; + struct file *file = io->file; + struct inode *inode = file->f_mapping->host; +@@ -1362,6 +1361,7 @@ ssize_t fuse_direct_io(struct fuse_io_priv *io, struct iov_iter *iter, + mutex_unlock(&inode->i_mutex); + } + ++ io->should_dirty = !write && iter_is_iovec(iter); + while (count) { + size_t nres; + fl_owner_t owner = current->files; +@@ -1378,7 +1378,7 @@ ssize_t fuse_direct_io(struct fuse_io_priv *io, struct iov_iter *iter, + nres = fuse_send_read(req, io, pos, nbytes, owner); + + if (!io->async) +- fuse_release_user_pages(req, should_dirty); ++ fuse_release_user_pages(req, io->should_dirty); + if (req->out.h.error) { + if (!res) + res = req->out.h.error; +diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h +index 7aafe9acc6c0..c6eb35a95fcc 100644 +--- a/fs/fuse/fuse_i.h ++++ b/fs/fuse/fuse_i.h +@@ -252,6 +252,7 @@ struct fuse_io_priv { + size_t size; + __u64 offset; + bool write; ++ bool should_dirty; + int err; + struct kiocb *iocb; + struct file *file; +-- +2.17.1 + diff --git a/queue-4.4/gpio-msic-fix-error-return-code-in-platform_msic_gpi.patch b/queue-4.4/gpio-msic-fix-error-return-code-in-platform_msic_gpi.patch new file mode 100644 index 00000000000..10bd22b6f4b --- /dev/null +++ b/queue-4.4/gpio-msic-fix-error-return-code-in-platform_msic_gpi.patch @@ -0,0 +1,41 @@ +From 2f05eb2ec718ed2e3e19ec0575ef000abbc2a47c Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Thu, 3 Aug 2017 17:00:01 -0500 +Subject: gpio: msic: fix error return code in platform_msic_gpio_probe() + +[ Upstream commit ca1f3ae3154ad6d08caa740c99be0d86644a4e44 ] + +platform_get_irq() returns an error code, but the gpio-msic driver +ignores it and always returns -EINVAL. This is not correct, and +prevents -EPROBE_DEFER from being propagated properly. + +Notice that platform_get_irq() no longer returns 0 on error: +https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af + +Print and propagate the return value of platform_get_irq on failure. + +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-msic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpio-msic.c b/drivers/gpio/gpio-msic.c +index 22523aae8abe..3abf066f93d3 100644 +--- a/drivers/gpio/gpio-msic.c ++++ b/drivers/gpio/gpio-msic.c +@@ -266,8 +266,8 @@ static int platform_msic_gpio_probe(struct platform_device *pdev) + int i; + + if (irq < 0) { +- dev_err(dev, "no IRQ line\n"); +- return -EINVAL; ++ dev_err(dev, "no IRQ line: %d\n", irq); ++ return irq; + } + + if (!pdata || !pdata->gpio_base) { +-- +2.17.1 + diff --git a/queue-4.4/gpu-host1x-fix-error-return-code-in-host1x_probe.patch b/queue-4.4/gpu-host1x-fix-error-return-code-in-host1x_probe.patch new file mode 100644 index 00000000000..c248dd0be52 --- /dev/null +++ b/queue-4.4/gpu-host1x-fix-error-return-code-in-host1x_probe.patch @@ -0,0 +1,43 @@ +From 855795c6b9ef7528d403e4d0762dcab13d311d03 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Tue, 8 Aug 2017 00:08:06 -0500 +Subject: gpu: host1x: fix error return code in host1x_probe() + +[ Upstream commit 7b2c63de20080c18d0de35b292ad61fc9bc8328e ] + +platform_get_irq() returns an error code, but the host1x driver +ignores it and always returns -ENXIO. This is not correct and, +prevents -EPROBE_DEFER from being propagated properly. + +Notice that platform_get_irq() no longer returns 0 on error: +https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af + +Print and propagate the return value of platform_get_irq on failure. + +This issue was detected with the help of Coccinelle. + +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/gpu/host1x/dev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/host1x/dev.c b/drivers/gpu/host1x/dev.c +index 53d3d1d45b48..ce1b10a2ae85 100644 +--- a/drivers/gpu/host1x/dev.c ++++ b/drivers/gpu/host1x/dev.c +@@ -116,8 +116,8 @@ static int host1x_probe(struct platform_device *pdev) + + syncpt_irq = platform_get_irq(pdev, 0); + if (syncpt_irq < 0) { +- dev_err(&pdev->dev, "failed to get IRQ\n"); +- return -ENXIO; ++ dev_err(&pdev->dev, "failed to get IRQ: %d\n", syncpt_irq); ++ return syncpt_irq; + } + + host = devm_kzalloc(&pdev->dev, sizeof(*host), GFP_KERNEL); +-- +2.17.1 + diff --git a/queue-4.4/gro-allow-tunnel-stacking-in-the-case-of-fou-gue.patch b/queue-4.4/gro-allow-tunnel-stacking-in-the-case-of-fou-gue.patch new file mode 100644 index 00000000000..67783c4b633 --- /dev/null +++ b/queue-4.4/gro-allow-tunnel-stacking-in-the-case-of-fou-gue.patch @@ -0,0 +1,59 @@ +From a169a6fce0ca1ffad16080568d71125f164955de Mon Sep 17 00:00:00 2001 +From: Alexander Duyck +Date: Tue, 29 Mar 2016 14:55:22 -0700 +Subject: gro: Allow tunnel stacking in the case of FOU/GUE + +[ Upstream commit c3483384ee511ee2af40b4076366cd82a6a47b86 ] + +This patch should fix the issues seen with a recent fix to prevent +tunnel-in-tunnel frames from being generated with GRO. The fix itself is +correct for now as long as we do not add any devices that support +NETIF_F_GSO_GRE_CSUM. When such a device is added it could have the +potential to mess things up due to the fact that the outer transport header +points to the outer UDP header and not the GRE header as would be expected. + +Fixes: fac8e0f579695 ("tunnels: Don't apply GRO to multiple layers of encapsulation.") +Signed-off-by: Alexander Duyck +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/fou.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c +index 08d8ee124538..d83888bc33d3 100644 +--- a/net/ipv4/fou.c ++++ b/net/ipv4/fou.c +@@ -195,6 +195,14 @@ static struct sk_buff **fou_gro_receive(struct sk_buff **head, + u8 proto = NAPI_GRO_CB(skb)->proto; + const struct net_offload **offloads; + ++ /* We can clear the encap_mark for FOU as we are essentially doing ++ * one of two possible things. We are either adding an L4 tunnel ++ * header to the outer L3 tunnel header, or we are are simply ++ * treating the GRE tunnel header as though it is a UDP protocol ++ * specific header such as VXLAN or GENEVE. ++ */ ++ NAPI_GRO_CB(skb)->encap_mark = 0; ++ + rcu_read_lock(); + offloads = NAPI_GRO_CB(skb)->is_ipv6 ? inet6_offloads : inet_offloads; + ops = rcu_dereference(offloads[proto]); +@@ -354,6 +362,14 @@ static struct sk_buff **gue_gro_receive(struct sk_buff **head, + } + } + ++ /* We can clear the encap_mark for GUE as we are essentially doing ++ * one of two possible things. We are either adding an L4 tunnel ++ * header to the outer L3 tunnel header, or we are are simply ++ * treating the GRE tunnel header as though it is a UDP protocol ++ * specific header such as VXLAN or GENEVE. ++ */ ++ NAPI_GRO_CB(skb)->encap_mark = 0; ++ + rcu_read_lock(); + offloads = NAPI_GRO_CB(skb)->is_ipv6 ? inet6_offloads : inet_offloads; + ops = rcu_dereference(offloads[guehdr->proto_ctype]); +-- +2.17.1 + diff --git a/queue-4.4/igb-remove-superfluous-reset-to-phy-and-page-0-selec.patch b/queue-4.4/igb-remove-superfluous-reset-to-phy-and-page-0-selec.patch new file mode 100644 index 00000000000..93462c20220 --- /dev/null +++ b/queue-4.4/igb-remove-superfluous-reset-to-phy-and-page-0-selec.patch @@ -0,0 +1,87 @@ +From 32a6c58a59a0a2a0b4d2c8d0730622ebffb0e6c4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20Gr=C3=B6nke?= +Date: Tue, 26 Jun 2018 10:12:18 +0000 +Subject: igb: Remove superfluous reset to PHY and page 0 selection +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 2a83fba6cae89dd9c0625e68ff8ffff791c67ac0 ] + +This patch reverts two previous applied patches to fix an issue +that appeared when using SGMII based SFP modules. In the current +state the driver will try to reset the PHY before obtaining the +phy_addr of the SGMII attached PHY. That leads to an error in +e1000_write_phy_reg_sgmii_82575. Causing the initialization to +fail: + + igb: Intel(R) Gigabit Ethernet Network Driver - version 5.4.0-k + igb: Copyright (c) 2007-2014 Intel Corporation. + igb: probe of ????:??:??.? failed with error -3 + +The patches being reverted are: + + commit 182785335447957409282ca745aa5bc3968facee + Author: Aaron Sierra + Date: Tue Nov 29 10:03:56 2016 -0600 + + igb: reset the PHY before reading the PHY ID + + commit 440aeca4b9858248d8f16d724d9fa87a4f65fa33 + Author: Matwey V Kornilov + Date: Thu Nov 24 13:32:48 2016 +0300 + + igb: Explicitly select page 0 at initialization + +The first reverted patch directly causes the problem mentioned above. +In case of SGMII the phy_addr is not known at this point and will +only be obtained by 'igb_get_phy_id_82575' further down in the code. +The second removed patch selects forces selection of page 0 in the +PHY. Something that the reset tries to address as well. + +As pointed out by Alexander Duzck, the patch below fixes the same +issue but in the proper location: + + commit 4e684f59d760a2c7c716bb60190783546e2d08a1 + Author: Chris J Arges + Date: Wed Nov 2 09:13:42 2016 -0500 + + igb: Workaround for igb i210 firmware issue + +Reverts: 440aeca4b9858248d8f16d724d9fa87a4f65fa33. +Reverts: 182785335447957409282ca745aa5bc3968facee. + +Signed-off-by: Christian Grönke +Reviewed-by: Alexander Duyck +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/e1000_82575.c | 11 ----------- + 1 file changed, 11 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/e1000_82575.c b/drivers/net/ethernet/intel/igb/e1000_82575.c +index f3f3b95d5512..97bf0c3d5c69 100644 +--- a/drivers/net/ethernet/intel/igb/e1000_82575.c ++++ b/drivers/net/ethernet/intel/igb/e1000_82575.c +@@ -223,17 +223,6 @@ static s32 igb_init_phy_params_82575(struct e1000_hw *hw) + hw->bus.func = (rd32(E1000_STATUS) & E1000_STATUS_FUNC_MASK) >> + E1000_STATUS_FUNC_SHIFT; + +- /* Make sure the PHY is in a good state. Several people have reported +- * firmware leaving the PHY's page select register set to something +- * other than the default of zero, which causes the PHY ID read to +- * access something other than the intended register. +- */ +- ret_val = hw->phy.ops.reset(hw); +- if (ret_val) { +- hw_dbg("Error resetting the PHY.\n"); +- goto out; +- } +- + /* Set phy->phy_addr and phy->id. */ + ret_val = igb_get_phy_id_82575(hw); + if (ret_val) +-- +2.17.1 + diff --git a/queue-4.4/ipv6-orphan-skbs-in-reassembly-unit.patch b/queue-4.4/ipv6-orphan-skbs-in-reassembly-unit.patch new file mode 100644 index 00000000000..9f85f131889 --- /dev/null +++ b/queue-4.4/ipv6-orphan-skbs-in-reassembly-unit.patch @@ -0,0 +1,163 @@ +From 8abe36bcea94fd33c1f64646f614f41651ccc661 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 1 Mar 2017 14:45:06 -0800 +Subject: ipv6: orphan skbs in reassembly unit + +[ Upstream commit 48cac18ecf1de82f76259a54402c3adb7839ad01 ] + +Andrey reported a use-after-free in IPv6 stack. + +Issue here is that we free the socket while it still has skb +in TX path and in some queues. + +It happens here because IPv6 reassembly unit messes skb->truesize, +breaking skb_set_owner_w() badly. + +We fixed a similar issue for IPV4 in commit 8282f27449bf ("inet: frag: +Always orphan skbs inside ip_defrag()") +Acked-by: Joe Stringer + +================================================================== +BUG: KASAN: use-after-free in sock_wfree+0x118/0x120 +Read of size 8 at addr ffff880062da0060 by task a.out/4140 + +page:ffffea00018b6800 count:1 mapcount:0 mapping: (null) +index:0x0 compound_mapcount: 0 +flags: 0x100000000008100(slab|head) +raw: 0100000000008100 0000000000000000 0000000000000000 0000000180130013 +raw: dead000000000100 dead000000000200 ffff88006741f140 0000000000000000 +page dumped because: kasan: bad access detected + +CPU: 0 PID: 4140 Comm: a.out Not tainted 4.10.0-rc3+ #59 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:15 + dump_stack+0x292/0x398 lib/dump_stack.c:51 + describe_address mm/kasan/report.c:262 + kasan_report_error+0x121/0x560 mm/kasan/report.c:370 + kasan_report mm/kasan/report.c:392 + __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:413 + sock_flag ./arch/x86/include/asm/bitops.h:324 + sock_wfree+0x118/0x120 net/core/sock.c:1631 + skb_release_head_state+0xfc/0x250 net/core/skbuff.c:655 + skb_release_all+0x15/0x60 net/core/skbuff.c:668 + __kfree_skb+0x15/0x20 net/core/skbuff.c:684 + kfree_skb+0x16e/0x4e0 net/core/skbuff.c:705 + inet_frag_destroy+0x121/0x290 net/ipv4/inet_fragment.c:304 + inet_frag_put ./include/net/inet_frag.h:133 + nf_ct_frag6_gather+0x1125/0x38b0 net/ipv6/netfilter/nf_conntrack_reasm.c:617 + ipv6_defrag+0x21b/0x350 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68 + nf_hook_entry_hookfn ./include/linux/netfilter.h:102 + nf_hook_slow+0xc3/0x290 net/netfilter/core.c:310 + nf_hook ./include/linux/netfilter.h:212 + __ip6_local_out+0x52c/0xaf0 net/ipv6/output_core.c:160 + ip6_local_out+0x2d/0x170 net/ipv6/output_core.c:170 + ip6_send_skb+0xa1/0x340 net/ipv6/ip6_output.c:1722 + ip6_push_pending_frames+0xb3/0xe0 net/ipv6/ip6_output.c:1742 + rawv6_push_pending_frames net/ipv6/raw.c:613 + rawv6_sendmsg+0x2cff/0x4130 net/ipv6/raw.c:927 + inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744 + sock_sendmsg_nosec net/socket.c:635 + sock_sendmsg+0xca/0x110 net/socket.c:645 + sock_write_iter+0x326/0x620 net/socket.c:848 + new_sync_write fs/read_write.c:499 + __vfs_write+0x483/0x760 fs/read_write.c:512 + vfs_write+0x187/0x530 fs/read_write.c:560 + SYSC_write fs/read_write.c:607 + SyS_write+0xfb/0x230 fs/read_write.c:599 + entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:203 +RIP: 0033:0x7ff26e6f5b79 +RSP: 002b:00007ff268e0ed98 EFLAGS: 00000206 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 00007ff268e0f9c0 RCX: 00007ff26e6f5b79 +RDX: 0000000000000010 RSI: 0000000020f50fe1 RDI: 0000000000000003 +RBP: 00007ff26ebc1220 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000 +R13: 00007ff268e0f9c0 R14: 00007ff26efec040 R15: 0000000000000003 + +The buggy address belongs to the object at ffff880062da0000 + which belongs to the cache RAWv6 of size 1504 +The buggy address ffff880062da0060 is located 96 bytes inside + of 1504-byte region [ffff880062da0000, ffff880062da05e0) + +Freed by task 4113: + save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 + save_stack+0x43/0xd0 mm/kasan/kasan.c:502 + set_track mm/kasan/kasan.c:514 + kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:578 + slab_free_hook mm/slub.c:1352 + slab_free_freelist_hook mm/slub.c:1374 + slab_free mm/slub.c:2951 + kmem_cache_free+0xb2/0x2c0 mm/slub.c:2973 + sk_prot_free net/core/sock.c:1377 + __sk_destruct+0x49c/0x6e0 net/core/sock.c:1452 + sk_destruct+0x47/0x80 net/core/sock.c:1460 + __sk_free+0x57/0x230 net/core/sock.c:1468 + sk_free+0x23/0x30 net/core/sock.c:1479 + sock_put ./include/net/sock.h:1638 + sk_common_release+0x31e/0x4e0 net/core/sock.c:2782 + rawv6_close+0x54/0x80 net/ipv6/raw.c:1214 + inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425 + inet6_release+0x50/0x70 net/ipv6/af_inet6.c:431 + sock_release+0x8d/0x1e0 net/socket.c:599 + sock_close+0x16/0x20 net/socket.c:1063 + __fput+0x332/0x7f0 fs/file_table.c:208 + ____fput+0x15/0x20 fs/file_table.c:244 + task_work_run+0x19b/0x270 kernel/task_work.c:116 + exit_task_work ./include/linux/task_work.h:21 + do_exit+0x186b/0x2800 kernel/exit.c:839 + do_group_exit+0x149/0x420 kernel/exit.c:943 + SYSC_exit_group kernel/exit.c:954 + SyS_exit_group+0x1d/0x20 kernel/exit.c:952 + entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:203 + +Allocated by task 4115: + save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 + save_stack+0x43/0xd0 mm/kasan/kasan.c:502 + set_track mm/kasan/kasan.c:514 + kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:605 + kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:544 + slab_post_alloc_hook mm/slab.h:432 + slab_alloc_node mm/slub.c:2708 + slab_alloc mm/slub.c:2716 + kmem_cache_alloc+0x1af/0x250 mm/slub.c:2721 + sk_prot_alloc+0x65/0x2a0 net/core/sock.c:1334 + sk_alloc+0x105/0x1010 net/core/sock.c:1396 + inet6_create+0x44d/0x1150 net/ipv6/af_inet6.c:183 + __sock_create+0x4f6/0x880 net/socket.c:1199 + sock_create net/socket.c:1239 + SYSC_socket net/socket.c:1269 + SyS_socket+0xf9/0x230 net/socket.c:1249 + entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:203 + +Memory state around the buggy address: + ffff880062d9ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff880062d9ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff880062da0000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff880062da0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff880062da0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +Reported-by: Andrey Konovalov +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/netfilter/nf_conntrack_reasm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c +index 838b65a59a73..5a9ae56e7868 100644 +--- a/net/ipv6/netfilter/nf_conntrack_reasm.c ++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c +@@ -601,6 +601,7 @@ struct sk_buff *nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 use + hdr = ipv6_hdr(clone); + fhdr = (struct frag_hdr *)skb_transport_header(clone); + ++ skb_orphan(skb); + fq = fq_find(net, fhdr->identification, user, &hdr->saddr, &hdr->daddr, + skb->dev ? skb->dev->ifindex : 0, ip6_frag_ecn(hdr)); + if (fq == NULL) { +-- +2.17.1 + diff --git a/queue-4.4/ipv6-suppress-sparse-warnings-in-ip6_ecn_set_ce.patch b/queue-4.4/ipv6-suppress-sparse-warnings-in-ip6_ecn_set_ce.patch new file mode 100644 index 00000000000..b529cb13d89 --- /dev/null +++ b/queue-4.4/ipv6-suppress-sparse-warnings-in-ip6_ecn_set_ce.patch @@ -0,0 +1,38 @@ +From 545adfedcf2f591da5ebdb504e08ac2bb301ee8c Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 12 Aug 2016 07:48:21 +0200 +Subject: ipv6: suppress sparse warnings in IP6_ECN_set_ce() + +[ Upstream commit c15c0ab12fd62f2b19181d05c62d24bc9fa55a42 ] + +Pass the correct type __wsum to csum_sub() and csum_add(). This doesn't +really change anything since __wsum really *is* __be32, but removes the +address space warnings from sparse. + +Cc: Eric Dumazet +Fixes: 34ae6a1aa054 ("ipv6: update skb->csum when CE mark is propagated") +Signed-off-by: Johannes Berg +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/inet_ecn.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/include/net/inet_ecn.h b/include/net/inet_ecn.h +index 0dc0a51da38f..dce2d586d9ce 100644 +--- a/include/net/inet_ecn.h ++++ b/include/net/inet_ecn.h +@@ -128,7 +128,8 @@ static inline int IP6_ECN_set_ce(struct sk_buff *skb, struct ipv6hdr *iph) + to = from | htonl(INET_ECN_CE << 20); + *(__be32 *)iph = to; + if (skb->ip_summed == CHECKSUM_COMPLETE) +- skb->csum = csum_add(csum_sub(skb->csum, from), to); ++ skb->csum = csum_add(csum_sub(skb->csum, (__force __wsum)from), ++ (__force __wsum)to); + return 1; + } + +-- +2.17.1 + diff --git a/queue-4.4/ixgbe-correct-x550em_x-revision-check.patch b/queue-4.4/ixgbe-correct-x550em_x-revision-check.patch new file mode 100644 index 00000000000..fee47ba2264 --- /dev/null +++ b/queue-4.4/ixgbe-correct-x550em_x-revision-check.patch @@ -0,0 +1,64 @@ +From 24d5aa3a204e1f7902be5ae6cfa3491984f87d28 Mon Sep 17 00:00:00 2001 +From: Mark Rustad +Date: Fri, 20 Nov 2015 13:12:17 -0800 +Subject: ixgbe: Correct X550EM_x revision check + +[ Upstream commit 3ca2b2506ec9a3b1615930a6810d30ec9aba10a1 ] + +The X550EM_x revision check needs to check a value, not just a bit. +Use a mask and check the value. Also remove the redundant check +inside the ixgbe_enter_lplu_t_x550em, because it can only be called +when both the mac type and revision check pass. + +Signed-off-by: Mark Rustad +Tested-by: Phil Schmitt +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_type.h | 2 +- + drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 9 +++------ + 2 files changed, 4 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h +index 995f03107eac..04bc4df82fa7 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h +@@ -3508,7 +3508,7 @@ struct ixgbe_info { + + #define IXGBE_FUSES0_GROUP(_i) (0x11158 + ((_i) * 4)) + #define IXGBE_FUSES0_300MHZ BIT(5) +-#define IXGBE_FUSES0_REV1 BIT(6) ++#define IXGBE_FUSES0_REV_MASK (3 << 6) + + #define IXGBE_KRM_PORT_CAR_GEN_CTRL(P) ((P) ? 0x8010 : 0x4010) + #define IXGBE_KRM_LINK_CTRL_1(P) ((P) ? 0x820C : 0x420C) +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c +index a75f2e3ce86f..ffd2e74e5638 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c +@@ -1873,10 +1873,6 @@ static s32 ixgbe_enter_lplu_t_x550em(struct ixgbe_hw *hw) + u32 save_autoneg; + bool link_up; + +- /* SW LPLU not required on later HW revisions. */ +- if (IXGBE_FUSES0_REV1 & IXGBE_READ_REG(hw, IXGBE_FUSES0_GROUP(0))) +- return 0; +- + /* If blocked by MNG FW, then don't restart AN */ + if (ixgbe_check_reset_blocked(hw)) + return 0; +@@ -2030,8 +2026,9 @@ static s32 ixgbe_init_phy_ops_X550em(struct ixgbe_hw *hw) + } + + /* setup SW LPLU only for first revision */ +- if (!(IXGBE_FUSES0_REV1 & IXGBE_READ_REG(hw, +- IXGBE_FUSES0_GROUP(0)))) ++ if (hw->mac.type == ixgbe_mac_X550EM_x && ++ !(IXGBE_READ_REG(hw, IXGBE_FUSES0_GROUP(0)) & ++ IXGBE_FUSES0_REV_MASK)) + phy->ops.enter_lplu = ixgbe_enter_lplu_t_x550em; + + phy->ops.handle_lasi = ixgbe_handle_lasi_ext_t_x550em; +-- +2.17.1 + diff --git a/queue-4.4/ixgbe-fix-rss-limit-for-x550.patch b/queue-4.4/ixgbe-fix-rss-limit-for-x550.patch new file mode 100644 index 00000000000..65b2a5308a4 --- /dev/null +++ b/queue-4.4/ixgbe-fix-rss-limit-for-x550.patch @@ -0,0 +1,37 @@ +From 23e0c6ad80a3af6e1d965a5a3d8637dad312fc9d Mon Sep 17 00:00:00 2001 +From: Emil Tantilov +Date: Fri, 20 Nov 2015 13:02:16 -0800 +Subject: ixgbe: fix RSS limit for X550 + +[ Upstream commit e9ee3238f8a480bbca58e51d02a93628d7c1f265 ] + +X550 allows for up to 64 RSS queues, but the driver can have max +of 63 (-1 MSIX vector for link). + +On systems with >= 64 CPUs the driver will set the redirection table +for all 64 queues which will result in packets being dropped. + +Signed-off-by: Emil Tantilov +Tested-by: Phil Schmitt +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe.h b/drivers/net/ethernet/intel/ixgbe/ixgbe.h +index 1d2174526a4c..18e4e4a69262 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe.h ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe.h +@@ -312,7 +312,7 @@ enum ixgbe_ring_f_enum { + }; + + #define IXGBE_MAX_RSS_INDICES 16 +-#define IXGBE_MAX_RSS_INDICES_X550 64 ++#define IXGBE_MAX_RSS_INDICES_X550 63 + #define IXGBE_MAX_VMDQ_INDICES 64 + #define IXGBE_MAX_FDIR_INDICES 63 /* based on q_vector limit */ + #define IXGBE_MAX_FCOE_INDICES 8 +-- +2.17.1 + diff --git a/queue-4.4/ixgbevf-fix-handling-of-napi-budget-when-multiple-qu.patch b/queue-4.4/ixgbevf-fix-handling-of-napi-budget-when-multiple-qu.patch new file mode 100644 index 00000000000..5fdcbae7b71 --- /dev/null +++ b/queue-4.4/ixgbevf-fix-handling-of-napi-budget-when-multiple-qu.patch @@ -0,0 +1,36 @@ +From d89a7ec2dd4f560582ea0ba02a3dcb85ae981193 Mon Sep 17 00:00:00 2001 +From: William Dauchy +Date: Fri, 30 Oct 2015 18:16:30 +0100 +Subject: ixgbevf: Fix handling of NAPI budget when multiple queues are enabled + per vector + +[ Upstream commit d0f71afffa1c3d5a36a4a278f1dbbd2643176dc3 ] + +This is the same patch as for ixgbe but applied differently according to +busy polling. See commit 5d6002b7b822c74 ("ixgbe: Fix handling of NAPI +budget when multiple queues are enabled per vector") + +Signed-off-by: William Dauchy +Tested-by: Phil Schmitt +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c +index 50bbad37d640..723bda33472a 100644 +--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c ++++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c +@@ -1014,6 +1014,8 @@ static int ixgbevf_poll(struct napi_struct *napi, int budget) + ixgbevf_for_each_ring(ring, q_vector->tx) + clean_complete &= ixgbevf_clean_tx_irq(q_vector, ring); + ++ if (budget <= 0) ++ return budget; + #ifdef CONFIG_NET_RX_BUSY_POLL + if (!ixgbevf_qv_lock_napi(q_vector)) + return budget; +-- +2.17.1 + diff --git a/queue-4.4/keys-put-keyring-if-install_session_keyring_to_cred-.patch b/queue-4.4/keys-put-keyring-if-install_session_keyring_to_cred-.patch new file mode 100644 index 00000000000..b7ed23b5f14 --- /dev/null +++ b/queue-4.4/keys-put-keyring-if-install_session_keyring_to_cred-.patch @@ -0,0 +1,56 @@ +From cdae7eb80f1cc3d7e310b3e0c4f26d5e21ba7638 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Thu, 8 Jun 2017 14:48:03 +0100 +Subject: KEYS: put keyring if install_session_keyring_to_cred() fails + +[ Upstream commit d636bd9f12a66ea3775c9fabbf3f8e118253467a ] + +In join_session_keyring(), if install_session_keyring_to_cred() were to +fail, we would leak the keyring reference, just like in the bug fixed by +commit 23567fd052a9 ("KEYS: Fix keyring ref leak in +join_session_keyring()"). Fortunately this cannot happen currently, but +we really should be more careful. Do this by adding and using a new +error label at which the keyring reference is dropped. + +Signed-off-by: Eric Biggers +Signed-off-by: David Howells +Signed-off-by: James Morris +Signed-off-by: Sasha Levin +--- + security/keys/process_keys.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c +index ac1d5b2b1626..a7095372701e 100644 +--- a/security/keys/process_keys.c ++++ b/security/keys/process_keys.c +@@ -808,15 +808,14 @@ long join_session_keyring(const char *name) + ret = PTR_ERR(keyring); + goto error2; + } else if (keyring == new->session_keyring) { +- key_put(keyring); + ret = 0; +- goto error2; ++ goto error3; + } + + /* we've got a keyring - now to install it */ + ret = install_session_keyring_to_cred(new, keyring); + if (ret < 0) +- goto error2; ++ goto error3; + + commit_creds(new); + mutex_unlock(&key_session_mutex); +@@ -826,6 +825,8 @@ long join_session_keyring(const char *name) + okay: + return ret; + ++error3: ++ key_put(keyring); + error2: + mutex_unlock(&key_session_mutex); + error: +-- +2.17.1 + diff --git a/queue-4.4/l2tp-hold-socket-before-dropping-lock-in-l2tp_ip-6-_.patch b/queue-4.4/l2tp-hold-socket-before-dropping-lock-in-l2tp_ip-6-_.patch new file mode 100644 index 00000000000..5b54de1a1f4 --- /dev/null +++ b/queue-4.4/l2tp-hold-socket-before-dropping-lock-in-l2tp_ip-6-_.patch @@ -0,0 +1,73 @@ +From 51391306806049b373ff0b7252a05bec2402e805 Mon Sep 17 00:00:00 2001 +From: Guillaume Nault +Date: Tue, 29 Nov 2016 13:09:45 +0100 +Subject: l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv() + +[ Upstream commit a3c18422a4b4e108bcf6a2328f48867e1003fd95 ] + +Socket must be held while under the protection of the l2tp lock; there +is no guarantee that sk remains valid after the read_unlock_bh() call. + +Same issue for l2tp_ip and l2tp_ip6. + +Signed-off-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_ip.c | 11 ++++++----- + net/l2tp/l2tp_ip6.c | 11 ++++++----- + 2 files changed, 12 insertions(+), 10 deletions(-) + +diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c +index 48ab93842322..c7e6098c924e 100644 +--- a/net/l2tp/l2tp_ip.c ++++ b/net/l2tp/l2tp_ip.c +@@ -184,14 +184,15 @@ pass_up: + + read_lock_bh(&l2tp_ip_lock); + sk = __l2tp_ip_bind_lookup(net, iph->daddr, 0, tunnel_id); ++ if (!sk) { ++ read_unlock_bh(&l2tp_ip_lock); ++ goto discard; ++ } ++ ++ sock_hold(sk); + read_unlock_bh(&l2tp_ip_lock); + } + +- if (sk == NULL) +- goto discard; +- +- sock_hold(sk); +- + if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) + goto discard_put; + +diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c +index bcdab1cba773..5fe0a6f6af3d 100644 +--- a/net/l2tp/l2tp_ip6.c ++++ b/net/l2tp/l2tp_ip6.c +@@ -196,14 +196,15 @@ pass_up: + read_lock_bh(&l2tp_ip6_lock); + sk = __l2tp_ip6_bind_lookup(&init_net, &iph->daddr, + 0, tunnel_id); ++ if (!sk) { ++ read_unlock_bh(&l2tp_ip6_lock); ++ goto discard; ++ } ++ ++ sock_hold(sk); + read_unlock_bh(&l2tp_ip6_lock); + } + +- if (sk == NULL) +- goto discard; +- +- sock_hold(sk); +- + if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) + goto discard_put; + +-- +2.17.1 + diff --git a/queue-4.4/lan78xx-check-for-supported-wake-on-lan-modes.patch b/queue-4.4/lan78xx-check-for-supported-wake-on-lan-modes.patch new file mode 100644 index 00000000000..df008ca3cd7 --- /dev/null +++ b/queue-4.4/lan78xx-check-for-supported-wake-on-lan-modes.patch @@ -0,0 +1,50 @@ +From 528ac725c8a7099c4a2887004c5023fe23d9bc55 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 28 Sep 2018 16:18:52 -0700 +Subject: lan78xx: Check for supported Wake-on-LAN modes + +[ Upstream commit eb9ad088f96653a26b340f7c447c44cf023d5cdc ] + +The driver supports a fair amount of Wake-on-LAN modes, but is not +checking that the user specified one that is supported. + +Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver") +Signed-off-by: Florian Fainelli +Reviewed-by: Woojung Huh +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/lan78xx.c | 17 ++++------------- + 1 file changed, 4 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c +index 1aede726052c..45a6a7cae4bf 100644 +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -1051,19 +1051,10 @@ static int lan78xx_set_wol(struct net_device *netdev, + if (ret < 0) + return ret; + +- pdata->wol = 0; +- if (wol->wolopts & WAKE_UCAST) +- pdata->wol |= WAKE_UCAST; +- if (wol->wolopts & WAKE_MCAST) +- pdata->wol |= WAKE_MCAST; +- if (wol->wolopts & WAKE_BCAST) +- pdata->wol |= WAKE_BCAST; +- if (wol->wolopts & WAKE_MAGIC) +- pdata->wol |= WAKE_MAGIC; +- if (wol->wolopts & WAKE_PHY) +- pdata->wol |= WAKE_PHY; +- if (wol->wolopts & WAKE_ARP) +- pdata->wol |= WAKE_ARP; ++ if (wol->wolopts & ~WAKE_ALL) ++ return -EINVAL; ++ ++ pdata->wol = wol->wolopts; + + device_set_wakeup_enable(&dev->udev->dev, (bool)wol->wolopts); + +-- +2.17.1 + diff --git a/queue-4.4/mac80211-always-report-tx-status.patch b/queue-4.4/mac80211-always-report-tx-status.patch new file mode 100644 index 00000000000..14c22c04c26 --- /dev/null +++ b/queue-4.4/mac80211-always-report-tx-status.patch @@ -0,0 +1,50 @@ +From 74528f7f857a4c9d03c4549cad4ad8de0494fc4d Mon Sep 17 00:00:00 2001 +From: Andrei Otcheretianski +Date: Wed, 5 Sep 2018 08:06:13 +0300 +Subject: mac80211: Always report TX status + +[ Upstream commit 8682250b3c1b75a45feb7452bc413d004cfe3778 ] + +If a frame is dropped for any reason, mac80211 wouldn't report the TX +status back to user space. + +As the user space may rely on the TX_STATUS to kick its state +machines, resends etc, it's better to just report this frame as not +acked instead. + +Signed-off-by: Andrei Otcheretianski +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/status.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/net/mac80211/status.c b/net/mac80211/status.c +index 45fb1abdb265..2731cf5bf052 100644 +--- a/net/mac80211/status.c ++++ b/net/mac80211/status.c +@@ -466,11 +466,6 @@ static void ieee80211_report_ack_skb(struct ieee80211_local *local, + if (!skb) + return; + +- if (dropped) { +- dev_kfree_skb_any(skb); +- return; +- } +- + if (info->flags & IEEE80211_TX_INTFL_NL80211_FRAME_TX) { + u64 cookie = IEEE80211_SKB_CB(skb)->ack.cookie; + struct ieee80211_sub_if_data *sdata; +@@ -491,6 +486,8 @@ static void ieee80211_report_ack_skb(struct ieee80211_local *local, + } + rcu_read_unlock(); + ++ dev_kfree_skb_any(skb); ++ } else if (dropped) { + dev_kfree_skb_any(skb); + } else { + /* consumes skb */ +-- +2.17.1 + diff --git a/queue-4.4/mac80211_hwsim-do-not-omit-multicast-announce-of-fir.patch b/queue-4.4/mac80211_hwsim-do-not-omit-multicast-announce-of-fir.patch new file mode 100644 index 00000000000..1859555cb6d --- /dev/null +++ b/queue-4.4/mac80211_hwsim-do-not-omit-multicast-announce-of-fir.patch @@ -0,0 +1,38 @@ +From b6371c90ebdf27f39f83dd88bc1add52fe647f01 Mon Sep 17 00:00:00 2001 +From: Martin Willi +Date: Tue, 25 Sep 2018 09:51:02 +0200 +Subject: mac80211_hwsim: do not omit multicast announce of first added radio + +[ Upstream commit 28ef8b49a338dc1844e86b7954cfffc7dfa2660a ] + +The allocation of hwsim radio identifiers uses a post-increment from 0, +so the first radio has idx 0. This idx is explicitly excluded from +multicast announcements ever since, but it is unclear why. + +Drop that idx check and announce the first radio as well. This makes +userspace happy if it relies on these events. + +Signed-off-by: Martin Willi +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mac80211_hwsim.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index c98cb962b454..05413176a5d6 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -2547,8 +2547,7 @@ static int mac80211_hwsim_new_radio(struct genl_info *info, + list_add_tail(&data->list, &hwsim_radios); + spin_unlock_bh(&hwsim_radio_lock); + +- if (idx > 0) +- hwsim_mcast_new_radio(idx, info, param); ++ hwsim_mcast_new_radio(idx, info, param); + + return idx; + +-- +2.17.1 + diff --git a/queue-4.4/media-usbvision-revert-commit-588afcc1.patch b/queue-4.4/media-usbvision-revert-commit-588afcc1.patch new file mode 100644 index 00000000000..95ded5e033d --- /dev/null +++ b/queue-4.4/media-usbvision-revert-commit-588afcc1.patch @@ -0,0 +1,64 @@ +From 8c8cd1d97afa99aba344aa286ea8a3cd1f6d6ffe Mon Sep 17 00:00:00 2001 +From: Vladis Dronov +Date: Sun, 31 Jan 2016 14:14:52 -0200 +Subject: [media] usbvision: revert commit 588afcc1 + +[ Upstream commit d5468d7afaa9c9e961e150f0455a14a9f4872a98 ] + +Commit 588afcc1c0e4 ("[media] usbvision fix overflow of interfaces +array")' should be reverted, because: + +* "!dev->actconfig->interface[ifnum]" won't catch a case where the value +is not NULL but some garbage. This way the system may crash later with +GPF. + +* "(ifnum >= USB_MAXINTERFACES)" does not cover all the error +conditions. "ifnum" should be compared to "dev->actconfig-> +desc.bNumInterfaces", i.e. compared to the number of "struct +usb_interface" kzalloc()-ed, not to USB_MAXINTERFACES. + +* There is a "struct usb_device" leak in this error path, as there is +usb_get_dev(), but no usb_put_dev() on this path. + +* There is a bug of the same type several lines below with number of +endpoints. The code is accessing hard-coded second endpoint +("interface->endpoint[1].desc") which may not exist. It would be great +to handle this in the same patch too. + +* All the concerns above are resolved by already-accepted commit fa52bd50 +("[media] usbvision: fix crash on detecting device with invalid +configuration") + +* Mailing list message: +http://www.spinics.net/lists/linux-media/msg94832.html + +Signed-off-by: Vladis Dronov +Signed-off-by: Hans Verkuil +Cc: # for v4.5 +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/usbvision/usbvision-video.c | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/drivers/media/usb/usbvision/usbvision-video.c b/drivers/media/usb/usbvision/usbvision-video.c +index cafc34938a79..91d709efef7a 100644 +--- a/drivers/media/usb/usbvision/usbvision-video.c ++++ b/drivers/media/usb/usbvision/usbvision-video.c +@@ -1461,13 +1461,6 @@ static int usbvision_probe(struct usb_interface *intf, + printk(KERN_INFO "%s: %s found\n", __func__, + usbvision_device_data[model].model_string); + +- /* +- * this is a security check. +- * an exploit using an incorrect bInterfaceNumber is known +- */ +- if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum]) +- return -ENODEV; +- + if (usbvision_device_data[model].interface >= 0) + interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0]; + else if (ifnum < dev->actconfig->desc.bNumInterfaces) +-- +2.17.1 + diff --git a/queue-4.4/mips-dec-fix-an-int-handler.s-cpu_daddi_workarounds-.patch b/queue-4.4/mips-dec-fix-an-int-handler.s-cpu_daddi_workarounds-.patch new file mode 100644 index 00000000000..9e1514a160b --- /dev/null +++ b/queue-4.4/mips-dec-fix-an-int-handler.s-cpu_daddi_workarounds-.patch @@ -0,0 +1,98 @@ +From 3e7089c9afbb6281210fda9c29625df0c7831e51 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Sun, 30 Jul 2017 21:28:15 +0100 +Subject: MIPS: DEC: Fix an int-handler.S CPU_DADDI_WORKAROUNDS regression + +[ Upstream commit 68fe55680d0f3342969f49412fceabb90bdfadba ] + +Fix a commit 3021773c7c3e ("MIPS: DEC: Avoid la pseudo-instruction in +delay slots") regression and remove assembly errors: + +arch/mips/dec/int-handler.S: Assembler messages: +arch/mips/dec/int-handler.S:162: Error: Macro used $at after ".set noat" +arch/mips/dec/int-handler.S:163: Error: Macro used $at after ".set noat" +arch/mips/dec/int-handler.S:229: Error: Macro used $at after ".set noat" +arch/mips/dec/int-handler.S:230: Error: Macro used $at after ".set noat" + +triggering with with the CPU_DADDI_WORKAROUNDS option set and the DADDIU +instruction. This is because with that option in place the instruction +becomes a macro, which expands to an LI/DADDU (or actually ADDIU/DADDU) +sequence that uses $at as a temporary register. + +With CPU_DADDI_WORKAROUNDS we only support `-msym32' compilation though, +and this is already enforced in arch/mips/Makefile, so choose the 32-bit +expansion variant for the supported configurations and then replace the +64-bit variant with #error just in case. + +Fixes: 3021773c7c3e ("MIPS: DEC: Avoid la pseudo-instruction in delay slots") +Signed-off-by: Maciej W. Rozycki +Cc: linux-mips@linux-mips.org +Cc: stable@vger.kernel.org # 4.8+ +Patchwork: https://patchwork.linux-mips.org/patch/16893/ +Signed-off-by: Ralf Baechle +Signed-off-by: Sasha Levin +--- + arch/mips/dec/int-handler.S | 34 ++++++---------------------------- + 1 file changed, 6 insertions(+), 28 deletions(-) + +diff --git a/arch/mips/dec/int-handler.S b/arch/mips/dec/int-handler.S +index 554d1da97743..21f4a9fe82fa 100644 +--- a/arch/mips/dec/int-handler.S ++++ b/arch/mips/dec/int-handler.S +@@ -147,23 +147,12 @@ + * Find irq with highest priority + */ + # open coded PTR_LA t1, cpu_mask_nr_tbl +-#if (_MIPS_SZPTR == 32) ++#if defined(CONFIG_32BIT) || defined(KBUILD_64BIT_SYM32) + # open coded la t1, cpu_mask_nr_tbl + lui t1, %hi(cpu_mask_nr_tbl) + addiu t1, %lo(cpu_mask_nr_tbl) +- +-#endif +-#if (_MIPS_SZPTR == 64) +- # open coded dla t1, cpu_mask_nr_tbl +- .set push +- .set noat +- lui t1, %highest(cpu_mask_nr_tbl) +- lui AT, %hi(cpu_mask_nr_tbl) +- daddiu t1, t1, %higher(cpu_mask_nr_tbl) +- daddiu AT, AT, %lo(cpu_mask_nr_tbl) +- dsll t1, 32 +- daddu t1, t1, AT +- .set pop ++#else ++#error GCC `-msym32' option required for 64-bit DECstation builds + #endif + 1: lw t2,(t1) + nop +@@ -214,23 +203,12 @@ + * Find irq with highest priority + */ + # open coded PTR_LA t1,asic_mask_nr_tbl +-#if (_MIPS_SZPTR == 32) ++#if defined(CONFIG_32BIT) || defined(KBUILD_64BIT_SYM32) + # open coded la t1, asic_mask_nr_tbl + lui t1, %hi(asic_mask_nr_tbl) + addiu t1, %lo(asic_mask_nr_tbl) +- +-#endif +-#if (_MIPS_SZPTR == 64) +- # open coded dla t1, asic_mask_nr_tbl +- .set push +- .set noat +- lui t1, %highest(asic_mask_nr_tbl) +- lui AT, %hi(asic_mask_nr_tbl) +- daddiu t1, t1, %higher(asic_mask_nr_tbl) +- daddiu AT, AT, %lo(asic_mask_nr_tbl) +- dsll t1, 32 +- daddu t1, t1, AT +- .set pop ++#else ++#error GCC `-msym32' option required for 64-bit DECstation builds + #endif + 2: lw t2,(t1) + nop +-- +2.17.1 + diff --git a/queue-4.4/mips-fix-fcsr-cause-bit-handling-for-correct-sigfpe-.patch b/queue-4.4/mips-fix-fcsr-cause-bit-handling-for-correct-sigfpe-.patch new file mode 100644 index 00000000000..f5924d08106 --- /dev/null +++ b/queue-4.4/mips-fix-fcsr-cause-bit-handling-for-correct-sigfpe-.patch @@ -0,0 +1,302 @@ +From 848a093f91e2ecac974a4d84415ab3ba4f050316 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Fri, 28 Oct 2016 08:21:03 +0100 +Subject: MIPS: Fix FCSR Cause bit handling for correct SIGFPE issue + +[ Upstream commit 5a1aca4469fdccd5b74ba0b4e490173b2b447895 ] + +Sanitize FCSR Cause bit handling, following a trail of past attempts: + +* commit 4249548454f7 ("MIPS: ptrace: Fix FP context restoration FCSR +regression"), + +* commit 443c44032a54 ("MIPS: Always clear FCSR cause bits after +emulation"), + +* commit 64bedffe4968 ("MIPS: Clear [MSA]FPE CSR.Cause after +notify_die()"), + +* commit b1442d39fac2 ("MIPS: Prevent user from setting FCSR cause +bits"), + +* commit b54d2901517d ("Properly handle branch delay slots in connection +with signals."). + +Specifically do not mask these bits out in ptrace(2) processing and send +a SIGFPE signal instead whenever a matching pair of an FCSR Cause and +Enable bit is seen as execution of an affected context is about to +resume. Only then clear Cause bits, and even then do not clear any bits +that are set but masked with the respective Enable bits. Adjust Cause +bit clearing throughout code likewise, except within the FPU emulator +proper where they are set according to IEEE 754 exceptions raised as the +operation emulated executed. Do so so that any IEEE 754 exceptions +subject to their default handling are recorded like with operations +executed by FPU hardware. + +Signed-off-by: Maciej W. Rozycki +Cc: Paul Burton +Cc: James Hogan +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/14460/ +Signed-off-by: Ralf Baechle +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/fpu_emulator.h | 13 +++++ + arch/mips/include/asm/switch_to.h | 18 +++++++ + arch/mips/kernel/mips-r2-to-r6-emul.c | 10 ++-- + arch/mips/kernel/ptrace.c | 7 ++- + arch/mips/kernel/traps.c | 72 +++++++++++++++------------ + 5 files changed, 78 insertions(+), 42 deletions(-) + +diff --git a/arch/mips/include/asm/fpu_emulator.h b/arch/mips/include/asm/fpu_emulator.h +index 2f021cdfba4f..742223716fc8 100644 +--- a/arch/mips/include/asm/fpu_emulator.h ++++ b/arch/mips/include/asm/fpu_emulator.h +@@ -66,6 +66,8 @@ extern int do_dsemulret(struct pt_regs *xcp); + extern int fpu_emulator_cop1Handler(struct pt_regs *xcp, + struct mips_fpu_struct *ctx, int has_fpu, + void *__user *fault_addr); ++void force_fcr31_sig(unsigned long fcr31, void __user *fault_addr, ++ struct task_struct *tsk); + int process_fpemu_return(int sig, void __user *fault_addr, + unsigned long fcr31); + int mm_isBranchInstr(struct pt_regs *regs, struct mm_decoded_insn dec_insn, +@@ -92,4 +94,15 @@ static inline void fpu_emulator_init_fpu(void) + set_fpr64(&t->thread.fpu.fpr[i], 0, SIGNALLING_NAN); + } + ++/* ++ * Mask the FCSR Cause bits according to the Enable bits, observing ++ * that Unimplemented is always enabled. ++ */ ++static inline unsigned long mask_fcr31_x(unsigned long fcr31) ++{ ++ return fcr31 & (FPU_CSR_UNI_X | ++ ((fcr31 & FPU_CSR_ALL_E) << ++ (ffs(FPU_CSR_ALL_X) - ffs(FPU_CSR_ALL_E)))); ++} ++ + #endif /* _ASM_FPU_EMULATOR_H */ +diff --git a/arch/mips/include/asm/switch_to.h b/arch/mips/include/asm/switch_to.h +index ebb5c0f2f90d..c0ae27971e31 100644 +--- a/arch/mips/include/asm/switch_to.h ++++ b/arch/mips/include/asm/switch_to.h +@@ -75,6 +75,22 @@ do { if (cpu_has_rw_llb) { \ + } \ + } while (0) + ++/* ++ * Check FCSR for any unmasked exceptions pending set with `ptrace', ++ * clear them and send a signal. ++ */ ++#define __sanitize_fcr31(next) \ ++do { \ ++ unsigned long fcr31 = mask_fcr31_x(next->thread.fpu.fcr31); \ ++ void __user *pc; \ ++ \ ++ if (unlikely(fcr31)) { \ ++ pc = (void __user *)task_pt_regs(next)->cp0_epc; \ ++ next->thread.fpu.fcr31 &= ~fcr31; \ ++ force_fcr31_sig(fcr31, pc, next); \ ++ } \ ++} while (0) ++ + /* + * For newly created kernel threads switch_to() will return to + * ret_from_kernel_thread, newly created user threads to ret_from_fork. +@@ -85,6 +101,8 @@ do { if (cpu_has_rw_llb) { \ + do { \ + __mips_mt_fpaff_switch_to(prev); \ + lose_fpu_inatomic(1, prev); \ ++ if (tsk_used_math(next)) \ ++ __sanitize_fcr31(next); \ + if (cpu_has_dsp) { \ + __save_dsp(prev); \ + __restore_dsp(next); \ +diff --git a/arch/mips/kernel/mips-r2-to-r6-emul.c b/arch/mips/kernel/mips-r2-to-r6-emul.c +index cbe0f025856d..7b887027dca2 100644 +--- a/arch/mips/kernel/mips-r2-to-r6-emul.c ++++ b/arch/mips/kernel/mips-r2-to-r6-emul.c +@@ -900,7 +900,7 @@ static inline int mipsr2_find_op_func(struct pt_regs *regs, u32 inst, + * mipsr2_decoder: Decode and emulate a MIPS R2 instruction + * @regs: Process register set + * @inst: Instruction to decode and emulate +- * @fcr31: Floating Point Control and Status Register returned ++ * @fcr31: Floating Point Control and Status Register Cause bits returned + */ + int mipsr2_decoder(struct pt_regs *regs, u32 inst, unsigned long *fcr31) + { +@@ -1183,13 +1183,13 @@ fpu_emul: + + err = fpu_emulator_cop1Handler(regs, ¤t->thread.fpu, 0, + &fault_addr); +- *fcr31 = current->thread.fpu.fcr31; + + /* +- * We can't allow the emulated instruction to leave any of +- * the cause bits set in $fcr31. ++ * We can't allow the emulated instruction to leave any ++ * enabled Cause bits set in $fcr31. + */ +- current->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X; ++ *fcr31 = res = mask_fcr31_x(current->thread.fpu.fcr31); ++ current->thread.fpu.fcr31 &= ~res; + + /* + * this is a tricky issue - lose_fpu() uses LL/SC atomics +diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c +index 5a869515b393..9d04392f7ef0 100644 +--- a/arch/mips/kernel/ptrace.c ++++ b/arch/mips/kernel/ptrace.c +@@ -79,16 +79,15 @@ void ptrace_disable(struct task_struct *child) + } + + /* +- * Poke at FCSR according to its mask. Don't set the cause bits as +- * this is currently not handled correctly in FP context restoration +- * and will cause an oops if a corresponding enable bit is set. ++ * Poke at FCSR according to its mask. Set the Cause bits even ++ * if a corresponding Enable bit is set. This will be noticed at ++ * the time the thread is switched to and SIGFPE thrown accordingly. + */ + static void ptrace_setfcr31(struct task_struct *child, u32 value) + { + u32 fcr31; + u32 mask; + +- value &= ~FPU_CSR_ALL_X; + fcr31 = child->thread.fpu.fcr31; + mask = boot_cpu_data.fpu_msk31; + child->thread.fpu.fcr31 = (value & ~mask) | (fcr31 & mask); +diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c +index 1b901218e3ae..6abd6b41c13d 100644 +--- a/arch/mips/kernel/traps.c ++++ b/arch/mips/kernel/traps.c +@@ -706,6 +706,32 @@ asmlinkage void do_ov(struct pt_regs *regs) + exception_exit(prev_state); + } + ++/* ++ * Send SIGFPE according to FCSR Cause bits, which must have already ++ * been masked against Enable bits. This is impotant as Inexact can ++ * happen together with Overflow or Underflow, and `ptrace' can set ++ * any bits. ++ */ ++void force_fcr31_sig(unsigned long fcr31, void __user *fault_addr, ++ struct task_struct *tsk) ++{ ++ struct siginfo si = { .si_addr = fault_addr, .si_signo = SIGFPE }; ++ ++ if (fcr31 & FPU_CSR_INV_X) ++ si.si_code = FPE_FLTINV; ++ else if (fcr31 & FPU_CSR_DIV_X) ++ si.si_code = FPE_FLTDIV; ++ else if (fcr31 & FPU_CSR_OVF_X) ++ si.si_code = FPE_FLTOVF; ++ else if (fcr31 & FPU_CSR_UDF_X) ++ si.si_code = FPE_FLTUND; ++ else if (fcr31 & FPU_CSR_INE_X) ++ si.si_code = FPE_FLTRES; ++ else ++ si.si_code = __SI_FAULT; ++ force_sig_info(SIGFPE, &si, tsk); ++} ++ + int process_fpemu_return(int sig, void __user *fault_addr, unsigned long fcr31) + { + struct siginfo si = { 0 }; +@@ -715,27 +741,7 @@ int process_fpemu_return(int sig, void __user *fault_addr, unsigned long fcr31) + return 0; + + case SIGFPE: +- si.si_addr = fault_addr; +- si.si_signo = sig; +- /* +- * Inexact can happen together with Overflow or Underflow. +- * Respect the mask to deliver the correct exception. +- */ +- fcr31 &= (fcr31 & FPU_CSR_ALL_E) << +- (ffs(FPU_CSR_ALL_X) - ffs(FPU_CSR_ALL_E)); +- if (fcr31 & FPU_CSR_INV_X) +- si.si_code = FPE_FLTINV; +- else if (fcr31 & FPU_CSR_DIV_X) +- si.si_code = FPE_FLTDIV; +- else if (fcr31 & FPU_CSR_OVF_X) +- si.si_code = FPE_FLTOVF; +- else if (fcr31 & FPU_CSR_UDF_X) +- si.si_code = FPE_FLTUND; +- else if (fcr31 & FPU_CSR_INE_X) +- si.si_code = FPE_FLTRES; +- else +- si.si_code = __SI_FAULT; +- force_sig_info(sig, &si, current); ++ force_fcr31_sig(fcr31, fault_addr, current); + return 1; + + case SIGBUS: +@@ -798,13 +804,13 @@ static int simulate_fp(struct pt_regs *regs, unsigned int opcode, + /* Run the emulator */ + sig = fpu_emulator_cop1Handler(regs, ¤t->thread.fpu, 1, + &fault_addr); +- fcr31 = current->thread.fpu.fcr31; + + /* +- * We can't allow the emulated instruction to leave any of +- * the cause bits set in $fcr31. ++ * We can't allow the emulated instruction to leave any ++ * enabled Cause bits set in $fcr31. + */ +- current->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X; ++ fcr31 = mask_fcr31_x(current->thread.fpu.fcr31); ++ current->thread.fpu.fcr31 &= ~fcr31; + + /* Restore the hardware register state */ + own_fpu(1); +@@ -830,7 +836,7 @@ asmlinkage void do_fpe(struct pt_regs *regs, unsigned long fcr31) + goto out; + + /* Clear FCSR.Cause before enabling interrupts */ +- write_32bit_cp1_register(CP1_STATUS, fcr31 & ~FPU_CSR_ALL_X); ++ write_32bit_cp1_register(CP1_STATUS, fcr31 & ~mask_fcr31_x(fcr31)); + local_irq_enable(); + + die_if_kernel("FP exception in kernel code", regs); +@@ -852,13 +858,13 @@ asmlinkage void do_fpe(struct pt_regs *regs, unsigned long fcr31) + /* Run the emulator */ + sig = fpu_emulator_cop1Handler(regs, ¤t->thread.fpu, 1, + &fault_addr); +- fcr31 = current->thread.fpu.fcr31; + + /* +- * We can't allow the emulated instruction to leave any of +- * the cause bits set in $fcr31. ++ * We can't allow the emulated instruction to leave any ++ * enabled Cause bits set in $fcr31. + */ +- current->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X; ++ fcr31 = mask_fcr31_x(current->thread.fpu.fcr31); ++ current->thread.fpu.fcr31 &= ~fcr31; + + /* Restore the hardware register state */ + own_fpu(1); /* Using the FPU again. */ +@@ -1431,13 +1437,13 @@ asmlinkage void do_cpu(struct pt_regs *regs) + + sig = fpu_emulator_cop1Handler(regs, ¤t->thread.fpu, 0, + &fault_addr); +- fcr31 = current->thread.fpu.fcr31; + + /* + * We can't allow the emulated instruction to leave +- * any of the cause bits set in $fcr31. ++ * any enabled Cause bits set in $fcr31. + */ +- current->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X; ++ fcr31 = mask_fcr31_x(current->thread.fpu.fcr31); ++ current->thread.fpu.fcr31 &= ~fcr31; + + /* Send a signal if required. */ + if (!process_fpemu_return(sig, fault_addr, fcr31) && !err) +-- +2.17.1 + diff --git a/queue-4.4/mips-handle-non-word-sized-instructions-when-examini.patch b/queue-4.4/mips-handle-non-word-sized-instructions-when-examini.patch new file mode 100644 index 00000000000..5518cdc90e2 --- /dev/null +++ b/queue-4.4/mips-handle-non-word-sized-instructions-when-examini.patch @@ -0,0 +1,95 @@ +From e2ff8e881b430537e27ea9ede4579849e9b73361 Mon Sep 17 00:00:00 2001 +From: Matt Redfearn +Date: Tue, 8 Aug 2017 13:22:30 +0100 +Subject: MIPS: Handle non word sized instructions when examining frame + +[ Upstream commit 11887ed172a6960673f130dad8f8fb42778f64d7 ] + +Commit 34c2f668d0f6b ("MIPS: microMIPS: Add unaligned access support.") +added fairly broken support for handling 16bit microMIPS instructions in +get_frame_info(). It adjusts the instruction pointer by 16bits in the +case of a 16bit sp move instruction, but not any other 16bit +instruction. + +Commit b6c7a324df37 ("MIPS: Fix get_frame_info() handling of microMIPS +function size") goes some way to fixing get_frame_info() to iterate over +microMIPS instuctions, but the instruction pointer is still manipulated +using a postincrement, and is of union mips_instruction type. Since the +union is sized to the largest member (a word), but microMIPS +instructions are a mix of halfword and word sizes, the function does not +always iterate correctly, ending up misaligned with the instruction +stream and interpreting it incorrectly. + +Since the instruction modifying the stack pointer is usually the first +in the function, that one is usually handled correctly. But the +instruction which saves the return address to the sp is some variable +number of instructions into the frame and is frequently missed due to +not being on a word boundary, leading to incomplete walking of the +stack. + +Fix this by incrementing the instruction pointer based on the size of +the previously decoded instruction (& remove the hack introduced by +commit 34c2f668d0f6b ("MIPS: microMIPS: Add unaligned access support.") +which adjusts the instruction pointer in the case of a 16bit sp move +instruction, but not any other). + +Fixes: 34c2f668d0f6b ("MIPS: microMIPS: Add unaligned access support.") +Signed-off-by: Matt Redfearn +Cc: Marcin Nowakowski +Cc: James Hogan +Cc: Ingo Molnar +Cc: Paul Burton +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/16953/ +Signed-off-by: Ralf Baechle +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/process.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c +index ed6cac4a4df0..a9cc74354df8 100644 +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -341,6 +341,7 @@ static int get_frame_info(struct mips_frame_info *info) + bool is_mmips = IS_ENABLED(CONFIG_CPU_MICROMIPS); + union mips_instruction insn, *ip, *ip_end; + const unsigned int max_insns = 128; ++ unsigned int last_insn_size = 0; + unsigned int i; + + info->pc_offset = -1; +@@ -352,15 +353,19 @@ static int get_frame_info(struct mips_frame_info *info) + + ip_end = (void *)ip + info->func_size; + +- for (i = 0; i < max_insns && ip < ip_end; i++, ip++) { ++ for (i = 0; i < max_insns && ip < ip_end; i++) { ++ ip = (void *)ip + last_insn_size; + if (is_mmips && mm_insn_16bit(ip->halfword[0])) { + insn.halfword[0] = 0; + insn.halfword[1] = ip->halfword[0]; ++ last_insn_size = 2; + } else if (is_mmips) { + insn.halfword[0] = ip->halfword[1]; + insn.halfword[1] = ip->halfword[0]; ++ last_insn_size = 4; + } else { + insn.word = ip->word; ++ last_insn_size = 4; + } + + if (is_jump_ins(&insn)) +@@ -382,8 +387,6 @@ static int get_frame_info(struct mips_frame_info *info) + tmp = (ip->halfword[0] >> 1); + info->frame_size = -(signed short)(tmp & 0xf); + } +- ip = (void *) &ip->halfword[1]; +- ip--; + } else + #endif + info->frame_size = - ip->i_format.simmediate; +-- +2.17.1 + diff --git a/queue-4.4/mips-micromips-fix-decoding-of-swsp16-instruction.patch b/queue-4.4/mips-micromips-fix-decoding-of-swsp16-instruction.patch new file mode 100644 index 00000000000..26e45e99bc0 --- /dev/null +++ b/queue-4.4/mips-micromips-fix-decoding-of-swsp16-instruction.patch @@ -0,0 +1,67 @@ +From d8659092796f2468af923e4dbc8f7806a53b55a8 Mon Sep 17 00:00:00 2001 +From: Matt Redfearn +Date: Tue, 8 Aug 2017 13:22:33 +0100 +Subject: MIPS: microMIPS: Fix decoding of swsp16 instruction + +[ Upstream commit cea8cd498f4f1c30ea27e3664b3c671e495c4fce ] + +When the immediate encoded in the instruction is accessed, it is sign +extended due to being a signed value being assigned to a signed integer. +The ISA specifies that this operation is an unsigned operation. +The sign extension leads us to incorrectly decode: + +801e9c8e: cbf1 sw ra,68(sp) + +As having an immediate of 1073741809. + +Since the instruction format does not specify signed/unsigned, and this +is currently the only location to use this instuction format, change it +to an unsigned immediate. + +Fixes: bb9bc4689b9c ("MIPS: Calculate microMIPS ra properly when unwinding the stack") +Suggested-by: Paul Burton +Signed-off-by: Matt Redfearn +Reviewed-by: James Hogan +Cc: Marcin Nowakowski +Cc: Miodrag Dinic +Cc: Ingo Molnar +Cc: David Daney +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/16957/ +Signed-off-by: Ralf Baechle +Signed-off-by: Sasha Levin +--- + arch/mips/include/uapi/asm/inst.h | 2 +- + arch/mips/kernel/process.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/include/uapi/asm/inst.h b/arch/mips/include/uapi/asm/inst.h +index 9b44d5a816fa..1b6f2f219298 100644 +--- a/arch/mips/include/uapi/asm/inst.h ++++ b/arch/mips/include/uapi/asm/inst.h +@@ -846,7 +846,7 @@ struct mm16_r3_format { /* Load from global pointer format */ + struct mm16_r5_format { /* Load/store from stack pointer format */ + __BITFIELD_FIELD(unsigned int opcode : 6, + __BITFIELD_FIELD(unsigned int rt : 5, +- __BITFIELD_FIELD(signed int simmediate : 5, ++ __BITFIELD_FIELD(unsigned int imm : 5, + __BITFIELD_FIELD(unsigned int : 16, /* Ignored */ + ;)))) + }; +diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c +index a9cc74354df8..ebd8a715fe38 100644 +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -207,7 +207,7 @@ static inline int is_ra_save_ins(union mips_instruction *ip, int *poff) + if (ip->mm16_r5_format.rt != 31) + return 0; + +- *poff = ip->mm16_r5_format.simmediate; ++ *poff = ip->mm16_r5_format.imm; + *poff = (*poff << 2) / sizeof(ulong); + return 1; + +-- +2.17.1 + diff --git a/queue-4.4/net-cxgb3_main-fix-a-missing-check-bug.patch b/queue-4.4/net-cxgb3_main-fix-a-missing-check-bug.patch new file mode 100644 index 00000000000..86c27ccf46d --- /dev/null +++ b/queue-4.4/net-cxgb3_main-fix-a-missing-check-bug.patch @@ -0,0 +1,111 @@ +From 14a794db141468d480f3a0dccce512119d1df2d3 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Fri, 5 Oct 2018 08:48:27 -0500 +Subject: net: cxgb3_main: fix a missing-check bug + +[ Upstream commit 2c05d88818ab6571816b93edce4d53703870d7ae ] + +In cxgb_extension_ioctl(), the command of the ioctl is firstly copied from +the user-space buffer 'useraddr' to 'cmd' and checked through the +switch statement. If the command is not as expected, an error code +EOPNOTSUPP is returned. In the following execution, i.e., the cases of the +switch statement, the whole buffer of 'useraddr' is copied again to a +specific data structure, according to what kind of command is requested. +However, after the second copy, there is no re-check on the newly-copied +command. Given that the buffer 'useraddr' is in the user space, a malicious +user can race to change the command between the two copies. By doing so, +the attacker can supply malicious data to the kernel and cause undefined +behavior. + +This patch adds a re-check in each case of the switch statement if there is +a second copy in that case, to re-check whether the command obtained in the +second copy is the same as the one in the first copy. If not, an error code +EINVAL is returned. + +Signed-off-by: Wenwen Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +index 7ae8374bff13..3dd4c39640dc 100644 +--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +@@ -2147,6 +2147,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + return -EPERM; + if (copy_from_user(&t, useraddr, sizeof(t))) + return -EFAULT; ++ if (t.cmd != CHELSIO_SET_QSET_PARAMS) ++ return -EINVAL; + if (t.qset_idx >= SGE_QSETS) + return -EINVAL; + if (!in_range(t.intr_lat, 0, M_NEWTIMER) || +@@ -2246,6 +2248,9 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + if (copy_from_user(&t, useraddr, sizeof(t))) + return -EFAULT; + ++ if (t.cmd != CHELSIO_GET_QSET_PARAMS) ++ return -EINVAL; ++ + /* Display qsets for all ports when offload enabled */ + if (test_bit(OFFLOAD_DEVMAP_BIT, &adapter->open_device_map)) { + q1 = 0; +@@ -2291,6 +2296,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + return -EBUSY; + if (copy_from_user(&edata, useraddr, sizeof(edata))) + return -EFAULT; ++ if (edata.cmd != CHELSIO_SET_QSET_NUM) ++ return -EINVAL; + if (edata.val < 1 || + (edata.val > 1 && !(adapter->flags & USING_MSIX))) + return -EINVAL; +@@ -2331,6 +2338,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + return -EPERM; + if (copy_from_user(&t, useraddr, sizeof(t))) + return -EFAULT; ++ if (t.cmd != CHELSIO_LOAD_FW) ++ return -EINVAL; + /* Check t.len sanity ? */ + fw_data = memdup_user(useraddr + sizeof(t), t.len); + if (IS_ERR(fw_data)) +@@ -2354,6 +2363,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + return -EBUSY; + if (copy_from_user(&m, useraddr, sizeof(m))) + return -EFAULT; ++ if (m.cmd != CHELSIO_SETMTUTAB) ++ return -EINVAL; + if (m.nmtus != NMTUS) + return -EINVAL; + if (m.mtus[0] < 81) /* accommodate SACK */ +@@ -2395,6 +2406,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + return -EBUSY; + if (copy_from_user(&m, useraddr, sizeof(m))) + return -EFAULT; ++ if (m.cmd != CHELSIO_SET_PM) ++ return -EINVAL; + if (!is_power_of_2(m.rx_pg_sz) || + !is_power_of_2(m.tx_pg_sz)) + return -EINVAL; /* not power of 2 */ +@@ -2428,6 +2441,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + return -EIO; /* need the memory controllers */ + if (copy_from_user(&t, useraddr, sizeof(t))) + return -EFAULT; ++ if (t.cmd != CHELSIO_GET_MEM) ++ return -EINVAL; + if ((t.addr & 7) || (t.len & 7)) + return -EINVAL; + if (t.mem_id == MEM_CM) +@@ -2480,6 +2495,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + return -EAGAIN; + if (copy_from_user(&t, useraddr, sizeof(t))) + return -EFAULT; ++ if (t.cmd != CHELSIO_SET_TRACE_FILTER) ++ return -EINVAL; + + tp = (const struct trace_params *)&t.sip; + if (t.config_tx) +-- +2.17.1 + diff --git a/queue-4.4/net-drop-write-only-stack-variable.patch b/queue-4.4/net-drop-write-only-stack-variable.patch new file mode 100644 index 00000000000..73835907d1b --- /dev/null +++ b/queue-4.4/net-drop-write-only-stack-variable.patch @@ -0,0 +1,52 @@ +From bde697786ee248d917716ad61fdc81739590cd6a Mon Sep 17 00:00:00 2001 +From: David Herrmann +Date: Tue, 2 Feb 2016 18:17:54 +0100 +Subject: net: drop write-only stack variable + +[ Upstream commit 3575dbf2cbbc8e598f17ec441aed526dbea0e1bd ] + +Remove a write-only stack variable from unix_attach_fds(). This is a +left-over from the security fix in: + + commit 712f4aad406bb1ed67f3f98d04c044191f0ff593 + Author: willy tarreau + Date: Sun Jan 10 07:54:56 2016 +0100 + + unix: properly account for FDs passed over unix sockets + +Signed-off-by: David Herrmann +Acked-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index e05ec54ac53f..c6b1eec94911 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -1531,7 +1531,6 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) + { + int i; + unsigned char max_level = 0; +- int unix_sock_count = 0; + + if (too_many_unix_fds(current)) + return -ETOOMANYREFS; +@@ -1539,11 +1538,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) + for (i = scm->fp->count - 1; i >= 0; i--) { + struct sock *sk = unix_get_socket(scm->fp->fp[i]); + +- if (sk) { +- unix_sock_count++; ++ if (sk) + max_level = max(max_level, + unix_sk(sk)->recursion_level); +- } + } + if (unlikely(max_level > MAX_RECURSION_LEVEL)) + return -ETOOMANYREFS; +-- +2.17.1 + diff --git a/queue-4.4/net-mlx4_en-resolve-dividing-by-zero-in-32-bit-syste.patch b/queue-4.4/net-mlx4_en-resolve-dividing-by-zero-in-32-bit-syste.patch new file mode 100644 index 00000000000..8d4863582d3 --- /dev/null +++ b/queue-4.4/net-mlx4_en-resolve-dividing-by-zero-in-32-bit-syste.patch @@ -0,0 +1,41 @@ +From 1eba23415a8fe71f99eb7c5d36efa90e107873bc Mon Sep 17 00:00:00 2001 +From: Eugenia Emantayev +Date: Thu, 27 Oct 2016 16:27:16 +0300 +Subject: net/mlx4_en: Resolve dividing by zero in 32-bit system + +[ Upstream commit 4850cf4581578216468b7b3c3d06cc5abb0a697d ] + +When doing roundup_pow_of_two for large enough number with +bit 31, an overflow will occur and a value equal to 1 will +be returned. In this case 1 will be subtracted from the return +value and division by zero will be reached. + +Fixes: 31c128b66e5b ("net/mlx4_en: Choose time-stamping shift value according to HW frequency") +Signed-off-by: Eugenia Emantayev +Signed-off-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/en_clock.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_clock.c b/drivers/net/ethernet/mellanox/mlx4/en_clock.c +index 4dccf7287f0f..52e4ed2f639d 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_clock.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_clock.c +@@ -251,8 +251,11 @@ static u32 freq_to_shift(u16 freq) + { + u32 freq_khz = freq * 1000; + u64 max_val_cycles = freq_khz * 1000 * MLX4_EN_WRAP_AROUND_SEC; ++ u64 tmp_rounded = ++ roundup_pow_of_two(max_val_cycles) > max_val_cycles ? ++ roundup_pow_of_two(max_val_cycles) - 1 : UINT_MAX; + u64 max_val_cycles_rounded = is_power_of_2(max_val_cycles + 1) ? +- max_val_cycles : roundup_pow_of_two(max_val_cycles) - 1; ++ max_val_cycles : tmp_rounded; + /* calculate max possible multiplier in order to fit in 64bit */ + u64 max_mul = div_u64(0xffffffffffffffffULL, max_val_cycles_rounded); + +-- +2.17.1 + diff --git a/queue-4.4/net-mlx5e-correctly-handle-rss-indirection-table-whe.patch b/queue-4.4/net-mlx5e-correctly-handle-rss-indirection-table-whe.patch new file mode 100644 index 00000000000..e9fc391fcf3 --- /dev/null +++ b/queue-4.4/net-mlx5e-correctly-handle-rss-indirection-table-whe.patch @@ -0,0 +1,96 @@ +From c4286b801d6f1d459c6999725b48b66b46c45427 Mon Sep 17 00:00:00 2001 +From: Tariq Toukan +Date: Mon, 29 Feb 2016 21:17:13 +0200 +Subject: net/mlx5e: Correctly handle RSS indirection table when changing + number of channels + +[ Upstream commit 85082dba0a5059c538cfa786d07f5ec5370d22fe ] + +Upon changing num_channels, reset the RSS indirection table to +match the new value. + +Fixes: 2d75b2bc8a8c ('net/mlx5e: Add ethtool RSS configuration options') +Signed-off-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en.h | 2 ++ + .../net/ethernet/mellanox/mlx5/core/en_ethtool.c | 2 ++ + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 15 +++++++++++---- + 3 files changed, 15 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h +index 22e72bf1ae48..7a716733d9ca 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h +@@ -586,6 +586,8 @@ int mlx5e_redirect_rqt(struct mlx5e_priv *priv, enum mlx5e_rqt_ix rqt_ix); + + int mlx5e_open_locked(struct net_device *netdev); + int mlx5e_close_locked(struct net_device *netdev); ++void mlx5e_build_default_indir_rqt(u32 *indirection_rqt, int len, ++ int num_channels); + + static inline void mlx5e_tx_notify_hw(struct mlx5e_sq *sq, + struct mlx5e_tx_wqe *wqe, int bf_sz) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +index 7cc9df717323..7ee301310817 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -385,6 +385,8 @@ static int mlx5e_set_channels(struct net_device *dev, + mlx5e_close_locked(dev); + + priv->params.num_channels = count; ++ mlx5e_build_default_indir_rqt(priv->params.indirection_rqt, ++ MLX5E_INDIR_RQT_SIZE, count); + + if (was_opened) + err = mlx5e_open_locked(dev); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 765b069d6a90..26d25ecdca7e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -1186,7 +1186,6 @@ static void mlx5e_fill_indir_rqt_rqns(struct mlx5e_priv *priv, void *rqtc) + ix = mlx5e_bits_invert(i, MLX5E_LOG_INDIR_RQT_SIZE); + + ix = priv->params.indirection_rqt[ix]; +- ix = ix % priv->params.num_channels; + MLX5_SET(rqtc, rqtc, rq_num[i], + test_bit(MLX5E_STATE_OPENED, &priv->state) ? + priv->channel[ix]->rq.rqn : +@@ -1983,12 +1982,20 @@ u16 mlx5e_get_max_inline_cap(struct mlx5_core_dev *mdev) + 2 /*sizeof(mlx5e_tx_wqe.inline_hdr_start)*/; + } + ++void mlx5e_build_default_indir_rqt(u32 *indirection_rqt, int len, ++ int num_channels) ++{ ++ int i; ++ ++ for (i = 0; i < len; i++) ++ indirection_rqt[i] = i % num_channels; ++} ++ + static void mlx5e_build_netdev_priv(struct mlx5_core_dev *mdev, + struct net_device *netdev, + int num_channels) + { + struct mlx5e_priv *priv = netdev_priv(netdev); +- int i; + + priv->params.log_sq_size = + MLX5E_PARAMS_DEFAULT_LOG_SQ_SIZE; +@@ -2012,8 +2019,8 @@ static void mlx5e_build_netdev_priv(struct mlx5_core_dev *mdev, + netdev_rss_key_fill(priv->params.toeplitz_hash_key, + sizeof(priv->params.toeplitz_hash_key)); + +- for (i = 0; i < MLX5E_INDIR_RQT_SIZE; i++) +- priv->params.indirection_rqt[i] = i % num_channels; ++ mlx5e_build_default_indir_rqt(priv->params.indirection_rqt, ++ MLX5E_INDIR_RQT_SIZE, num_channels); + + priv->params.lro_wqe_sz = + MLX5E_PARAMS_DEFAULT_LRO_WQE_SZ; +-- +2.17.1 + diff --git a/queue-4.4/net-mlx5e-fix-lro-modify.patch b/queue-4.4/net-mlx5e-fix-lro-modify.patch new file mode 100644 index 00000000000..0f753693b89 --- /dev/null +++ b/queue-4.4/net-mlx5e-fix-lro-modify.patch @@ -0,0 +1,73 @@ +From 1b3b9fa723f61536909a37de1df9977a3bc2ce59 Mon Sep 17 00:00:00 2001 +From: Tariq Toukan +Date: Mon, 29 Feb 2016 21:17:10 +0200 +Subject: net/mlx5e: Fix LRO modify + +[ Upstream commit ab0394fe2c258fdb5086c51a251b28f8ee7ab35c ] + +Ethtool LRO enable/disable is broken, as of today we only modify TCP +TIRs in order to apply the requested configuration. + +Hardware requires that all TIRs pointing to the same RQ should share the +same LRO configuration. For that all other TIRs' LRO fields must be +modified as well. + +Fixes: 5c50368f3831 ('net/mlx5e: Light-weight netdev open/stop') +Signed-off-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 90e876ecc720..765b069d6a90 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -1304,7 +1304,7 @@ static void mlx5e_build_tir_ctx_lro(void *tirc, struct mlx5e_priv *priv) + lro_timer_supported_periods[2])); + } + +-static int mlx5e_modify_tir_lro(struct mlx5e_priv *priv, int tt) ++static int mlx5e_modify_tirs_lro(struct mlx5e_priv *priv) + { + struct mlx5_core_dev *mdev = priv->mdev; + +@@ -1312,6 +1312,7 @@ static int mlx5e_modify_tir_lro(struct mlx5e_priv *priv, int tt) + void *tirc; + int inlen; + int err; ++ int tt; + + inlen = MLX5_ST_SZ_BYTES(modify_tir_in); + in = mlx5_vzalloc(inlen); +@@ -1323,7 +1324,11 @@ static int mlx5e_modify_tir_lro(struct mlx5e_priv *priv, int tt) + + mlx5e_build_tir_ctx_lro(tirc, priv); + +- err = mlx5_core_modify_tir(mdev, priv->tirn[tt], in, inlen); ++ for (tt = 0; tt < MLX5E_NUM_TT; tt++) { ++ err = mlx5_core_modify_tir(mdev, priv->tirn[tt], in, inlen); ++ if (err) ++ break; ++ } + + kvfree(in); + +@@ -1870,8 +1875,10 @@ static int mlx5e_set_features(struct net_device *netdev, + mlx5e_close_locked(priv->netdev); + + priv->params.lro_en = !!(features & NETIF_F_LRO); +- mlx5e_modify_tir_lro(priv, MLX5E_TT_IPV4_TCP); +- mlx5e_modify_tir_lro(priv, MLX5E_TT_IPV6_TCP); ++ err = mlx5e_modify_tirs_lro(priv); ++ if (err) ++ mlx5_core_warn(priv->mdev, "lro modify failed, %d\n", ++ err); + + if (was_opened) + err = mlx5e_open_locked(priv->netdev); +-- +2.17.1 + diff --git a/queue-4.4/perf-core-don-t-leak-event-in-the-syscall-error-path.patch b/queue-4.4/perf-core-don-t-leak-event-in-the-syscall-error-path.patch new file mode 100644 index 00000000000..abb0a3cc248 --- /dev/null +++ b/queue-4.4/perf-core-don-t-leak-event-in-the-syscall-error-path.patch @@ -0,0 +1,45 @@ +From 17c091d6ca477571d0d46e6bbe8f5c04f112567a Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Mon, 21 Mar 2016 10:02:42 +0200 +Subject: perf/core: Don't leak event in the syscall error path + +[ Upstream commit 201c2f85bd0bc13b712d9c0b3d11251b182e06ae ] + +In the error path, event_file not being NULL is used to determine +whether the event itself still needs to be free'd, so fix it up to +avoid leaking. + +Reported-by: Leon Yu +Signed-off-by: Alexander Shishkin +Signed-off-by: Peter Zijlstra (Intel) +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Fixes: 130056275ade ("perf: Do not double free") +Link: http://lkml.kernel.org/r/87twk06yxp.fsf@ashishki-desk.ger.corp.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 990ac41d8a5f..68b75dfceb0c 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -8530,6 +8530,7 @@ SYSCALL_DEFINE5(perf_event_open, + f_flags); + if (IS_ERR(event_file)) { + err = PTR_ERR(event_file); ++ event_file = NULL; + goto err_context; + } + +-- +2.17.1 + diff --git a/queue-4.4/perf-ring_buffer-prevent-concurent-ring-buffer-acces.patch b/queue-4.4/perf-ring_buffer-prevent-concurent-ring-buffer-acces.patch new file mode 100644 index 00000000000..db05ccef186 --- /dev/null +++ b/queue-4.4/perf-ring_buffer-prevent-concurent-ring-buffer-acces.patch @@ -0,0 +1,107 @@ +From ed4801ffdefb39fc33b6ff09af3b9c14daee8c65 Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Sun, 23 Sep 2018 18:13:43 +0200 +Subject: perf/ring_buffer: Prevent concurent ring buffer access + +[ Upstream commit cd6fb677ce7e460c25bdd66f689734102ec7d642 ] + +Some of the scheduling tracepoints allow the perf_tp_event +code to write to ring buffer under different cpu than the +code is running on. + +This results in corrupted ring buffer data demonstrated in +following perf commands: + + # perf record -e 'sched:sched_switch,sched:sched_wakeup' perf bench sched messaging + # Running 'sched/messaging' benchmark: + # 20 sender and receiver processes per group + # 10 groups == 400 processes run + + Total time: 0.383 [sec] + [ perf record: Woken up 8 times to write data ] + 0x42b890 [0]: failed to process type: -1765585640 + [ perf record: Captured and wrote 4.825 MB perf.data (29669 samples) ] + + # perf report --stdio + 0x42b890 [0]: failed to process type: -1765585640 + +The reason for the corruption are some of the scheduling tracepoints, +that have __perf_task dfined and thus allow to store data to another +cpu ring buffer: + + sched_waking + sched_wakeup + sched_wakeup_new + sched_stat_wait + sched_stat_sleep + sched_stat_iowait + sched_stat_blocked + +The perf_tp_event function first store samples for current cpu +related events defined for tracepoint: + + hlist_for_each_entry_rcu(event, head, hlist_entry) + perf_swevent_event(event, count, &data, regs); + +And then iterates events of the 'task' and store the sample +for any task's event that passes tracepoint checks: + + ctx = rcu_dereference(task->perf_event_ctxp[perf_sw_context]); + + list_for_each_entry_rcu(event, &ctx->event_list, event_entry) { + if (event->attr.type != PERF_TYPE_TRACEPOINT) + continue; + if (event->attr.config != entry->type) + continue; + + perf_swevent_event(event, count, &data, regs); + } + +Above code can race with same code running on another cpu, +ending up with 2 cpus trying to store under the same ring +buffer, which is specifically not allowed. + +This patch prevents the problem, by allowing only events with the same +current cpu to receive the event. + +NOTE: this requires the use of (per-task-)per-cpu buffers for this +feature to work; perf-record does this. + +Signed-off-by: Jiri Olsa +[peterz: small edits to Changelog] +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Andrew Vagin +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Fixes: e6dab5ffab59 ("perf/trace: Add ability to set a target task for events") +Link: http://lkml.kernel.org/r/20180923161343.GB15054@krava +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 990ac41d8a5f..330fcd1b1822 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -7018,6 +7018,8 @@ void perf_tp_event(u64 addr, u64 count, void *record, int entry_size, + goto unlock; + + list_for_each_entry_rcu(event, &ctx->event_list, event_entry) { ++ if (event->cpu != smp_processor_id()) ++ continue; + if (event->attr.type != PERF_TYPE_TRACEPOINT) + continue; + if (event->attr.config != entry->type) +-- +2.17.1 + diff --git a/queue-4.4/pm-devfreq-tegra-fix-error-return-code-in-tegra_devf.patch b/queue-4.4/pm-devfreq-tegra-fix-error-return-code-in-tegra_devf.patch new file mode 100644 index 00000000000..13886238ee0 --- /dev/null +++ b/queue-4.4/pm-devfreq-tegra-fix-error-return-code-in-tegra_devf.patch @@ -0,0 +1,44 @@ +From bfe418fc973ae0227fbd32689ab7dec455add0b6 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Mon, 3 Jul 2017 07:47:38 -0500 +Subject: PM / devfreq: tegra: fix error return code in tegra_devfreq_probe() + +[ Upstream commit 9e578b37505018622dfafc40eed7cd78ff2af221 ] + +platform_get_irq() returns an error code, but the tegra-devfreq +driver ignores it and always returns -ENODEV. This is not correct, +and prevents -EPROBE_DEFER from being propagated properly. + +Notice that platform_get_irq() no longer returns 0 on error: +https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af + +Print and propagate the return value of platform_get_irq on failure. + +Reviewed-by: Chanwoo Choi +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: MyungJoo Ham +Signed-off-by: Sasha Levin +--- + drivers/devfreq/tegra-devfreq.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/devfreq/tegra-devfreq.c b/drivers/devfreq/tegra-devfreq.c +index 848b93ee930f..64a2e02b87d7 100644 +--- a/drivers/devfreq/tegra-devfreq.c ++++ b/drivers/devfreq/tegra-devfreq.c +@@ -688,9 +688,9 @@ static int tegra_devfreq_probe(struct platform_device *pdev) + } + + irq = platform_get_irq(pdev, 0); +- if (irq <= 0) { +- dev_err(&pdev->dev, "Failed to get IRQ\n"); +- return -ENODEV; ++ if (irq < 0) { ++ dev_err(&pdev->dev, "Failed to get IRQ: %d\n", irq); ++ return irq; + } + + platform_set_drvdata(pdev, tegra); +-- +2.17.1 + diff --git a/queue-4.4/pxa168fb-prepare-the-clock.patch b/queue-4.4/pxa168fb-prepare-the-clock.patch new file mode 100644 index 00000000000..f7cf39ef158 --- /dev/null +++ b/queue-4.4/pxa168fb-prepare-the-clock.patch @@ -0,0 +1,80 @@ +From 2625a62692256519f46a6075c4cf9a06d5c7ca8e Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Wed, 26 Sep 2018 18:11:22 +0200 +Subject: pxa168fb: prepare the clock + +[ Upstream commit d85536cde91fcfed6fb8d983783bd2b92c843939 ] + +Add missing prepare/unprepare operations for fbi->clk, +this fixes following kernel warning: + + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 1 at drivers/clk/clk.c:874 clk_core_enable+0x2c/0x1b0 + Enabling unprepared disp0_clk + Modules linked in: + CPU: 0 PID: 1 Comm: swapper Not tainted 4.18.0-rc8-00032-g02b43ddd4f21-dirty #25 + Hardware name: Marvell MMP2 (Device Tree Support) + [] (unwind_backtrace) from [] (show_stack+0x10/0x14) + [] (show_stack) from [] (__warn+0xd8/0xf0) + [] (__warn) from [] (warn_slowpath_fmt+0x44/0x6c) + [] (warn_slowpath_fmt) from [] (clk_core_enable+0x2c/0x1b0) + [] (clk_core_enable) from [] (clk_core_enable_lock+0x18/0x2c) + [] (clk_core_enable_lock) from [] (pxa168fb_probe+0x464/0x6ac) + [] (pxa168fb_probe) from [] (platform_drv_probe+0x48/0x94) + [] (platform_drv_probe) from [] (driver_probe_device+0x328/0x470) + [] (driver_probe_device) from [] (__driver_attach+0xb0/0x124) + [] (__driver_attach) from [] (bus_for_each_dev+0x64/0xa0) + [] (bus_for_each_dev) from [] (bus_add_driver+0x1b8/0x230) + [] (bus_add_driver) from [] (driver_register+0xac/0xf0) + [] (driver_register) from [] (do_one_initcall+0xb8/0x1f0) + [] (do_one_initcall) from [] (kernel_init_freeable+0x294/0x2e0) + [] (kernel_init_freeable) from [] (kernel_init+0x8/0x10c) + [] (kernel_init) from [] (ret_from_fork+0x14/0x2c) + Exception stack(0xd008bfb0 to 0xd008bff8) + bfa0: 00000000 00000000 00000000 00000000 + bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 + bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 + ---[ end trace c0af40f9e2ed7cb4 ]--- + +Signed-off-by: Lubomir Rintel +[b.zolnierkie: enhance patch description a bit] +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/pxa168fb.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/video/fbdev/pxa168fb.c b/drivers/video/fbdev/pxa168fb.c +index efb57c059997..5190b1749e2a 100644 +--- a/drivers/video/fbdev/pxa168fb.c ++++ b/drivers/video/fbdev/pxa168fb.c +@@ -712,7 +712,7 @@ static int pxa168fb_probe(struct platform_device *pdev) + /* + * enable controller clock + */ +- clk_enable(fbi->clk); ++ clk_prepare_enable(fbi->clk); + + pxa168fb_set_par(info); + +@@ -767,7 +767,7 @@ static int pxa168fb_probe(struct platform_device *pdev) + failed_free_cmap: + fb_dealloc_cmap(&info->cmap); + failed_free_clk: +- clk_disable(fbi->clk); ++ clk_disable_unprepare(fbi->clk); + failed_free_fbmem: + dma_free_coherent(fbi->dev, info->fix.smem_len, + info->screen_base, fbi->fb_start_dma); +@@ -807,7 +807,7 @@ static int pxa168fb_remove(struct platform_device *pdev) + dma_free_writecombine(fbi->dev, PAGE_ALIGN(info->fix.smem_len), + info->screen_base, info->fix.smem_start); + +- clk_disable(fbi->clk); ++ clk_disable_unprepare(fbi->clk); + + framebuffer_release(info); + +-- +2.17.1 + diff --git a/queue-4.4/r8152-check-for-supported-wake-on-lan-modes.patch b/queue-4.4/r8152-check-for-supported-wake-on-lan-modes.patch new file mode 100644 index 00000000000..8e92804da93 --- /dev/null +++ b/queue-4.4/r8152-check-for-supported-wake-on-lan-modes.patch @@ -0,0 +1,36 @@ +From 5460e37d5dda27670eccd6d4649315b2ba6e2c9d Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 28 Sep 2018 16:18:54 -0700 +Subject: r8152: Check for supported Wake-on-LAN Modes + +[ Upstream commit f2750df1548bd8a2b060eb609fc43ca82811af4c ] + +The driver does not check for Wake-on-LAN modes specified by an user, +but will conditionally set the device as wake-up enabled or not based on +that, which could be a very confusing user experience. + +Fixes: 21ff2e8976b1 ("r8152: support WOL") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 2bb336cb13ee..2d83689374bb 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -3663,6 +3663,9 @@ static int rtl8152_set_wol(struct net_device *dev, struct ethtool_wolinfo *wol) + if (!rtl_can_wakeup(tp)) + return -EOPNOTSUPP; + ++ if (wol->wolopts & ~WAKE_ANY) ++ return -EINVAL; ++ + ret = usb_autopm_get_interface(tp->intf); + if (ret < 0) + goto out_set_wol; +-- +2.17.1 + diff --git a/queue-4.4/radix-tree-fix-radix_tree_iter_retry-for-tagged-iter.patch b/queue-4.4/radix-tree-fix-radix_tree_iter_retry-for-tagged-iter.patch new file mode 100644 index 00000000000..b21b7a5ce3a --- /dev/null +++ b/queue-4.4/radix-tree-fix-radix_tree_iter_retry-for-tagged-iter.patch @@ -0,0 +1,63 @@ +From 373e2d361f49acd352ad60425580142292d522d7 Mon Sep 17 00:00:00 2001 +From: Andrey Ryabinin +Date: Wed, 20 Jul 2016 15:45:00 -0700 +Subject: radix-tree: fix radix_tree_iter_retry() for tagged iterators. + +[ Upstream commit 3cb9185c67304b2a7ea9be73e7d13df6fb2793a1 ] + +radix_tree_iter_retry() resets slot to NULL, but it doesn't reset tags. +Then NULL slot and non-zero iter.tags passed to radix_tree_next_slot() +leading to crash: + + RIP: radix_tree_next_slot include/linux/radix-tree.h:473 + find_get_pages_tag+0x334/0x930 mm/filemap.c:1452 + .... + Call Trace: + pagevec_lookup_tag+0x3a/0x80 mm/swap.c:960 + mpage_prepare_extent_to_map+0x321/0xa90 fs/ext4/inode.c:2516 + ext4_writepages+0x10be/0x2b20 fs/ext4/inode.c:2736 + do_writepages+0x97/0x100 mm/page-writeback.c:2364 + __filemap_fdatawrite_range+0x248/0x2e0 mm/filemap.c:300 + filemap_write_and_wait_range+0x121/0x1b0 mm/filemap.c:490 + ext4_sync_file+0x34d/0xdb0 fs/ext4/fsync.c:115 + vfs_fsync_range+0x10a/0x250 fs/sync.c:195 + vfs_fsync fs/sync.c:209 + do_fsync+0x42/0x70 fs/sync.c:219 + SYSC_fdatasync fs/sync.c:232 + SyS_fdatasync+0x19/0x20 fs/sync.c:230 + entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207 + +We must reset iterator's tags to bail out from radix_tree_next_slot() +and go to the slow-path in radix_tree_next_chunk(). + +Fixes: 46437f9a554f ("radix-tree: fix race in gang lookup") +Link: http://lkml.kernel.org/r/1468495196-10604-1-git-send-email-aryabinin@virtuozzo.com +Signed-off-by: Andrey Ryabinin +Reported-by: Dmitry Vyukov +Acked-by: Konstantin Khlebnikov +Cc: Matthew Wilcox +Cc: Hugh Dickins +Cc: Ross Zwisler +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/radix-tree.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/radix-tree.h b/include/linux/radix-tree.h +index 5d5174b59802..673dee29a9b9 100644 +--- a/include/linux/radix-tree.h ++++ b/include/linux/radix-tree.h +@@ -382,6 +382,7 @@ static inline __must_check + void **radix_tree_iter_retry(struct radix_tree_iter *iter) + { + iter->next_index = iter->index; ++ iter->tags = 0; + return NULL; + } + +-- +2.17.1 + diff --git a/queue-4.4/sch_red-update-backlog-as-well.patch b/queue-4.4/sch_red-update-backlog-as-well.patch new file mode 100644 index 00000000000..89696dfccec --- /dev/null +++ b/queue-4.4/sch_red-update-backlog-as-well.patch @@ -0,0 +1,55 @@ +From 225638b64131007386cad06352e76de821e2d48a Mon Sep 17 00:00:00 2001 +From: WANG Cong +Date: Wed, 1 Jun 2016 16:15:18 -0700 +Subject: sch_red: update backlog as well + +[ Upstream commit d7f4f332f082c4d4ba53582f902ed6b44fd6f45e ] + +Fixes: 2ccccf5fb43f ("net_sched: update hierarchical backlog too") +Cc: Jamal Hadi Salim +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/sch_red.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c +index 0505b8408c8b..4bf2b599ef98 100644 +--- a/net/sched/sch_red.c ++++ b/net/sched/sch_red.c +@@ -97,6 +97,7 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch) + + ret = qdisc_enqueue(skb, child); + if (likely(ret == NET_XMIT_SUCCESS)) { ++ qdisc_qstats_backlog_inc(sch, skb); + sch->q.qlen++; + } else if (net_xmit_drop_count(ret)) { + q->stats.pdrop++; +@@ -118,6 +119,7 @@ static struct sk_buff *red_dequeue(struct Qdisc *sch) + skb = child->dequeue(child); + if (skb) { + qdisc_bstats_update(sch, skb); ++ qdisc_qstats_backlog_dec(sch, skb); + sch->q.qlen--; + } else { + if (!red_is_idling(&q->vars)) +@@ -143,6 +145,7 @@ static unsigned int red_drop(struct Qdisc *sch) + if (child->ops->drop && (len = child->ops->drop(child)) > 0) { + q->stats.other++; + qdisc_qstats_drop(sch); ++ sch->qstats.backlog -= len; + sch->q.qlen--; + return len; + } +@@ -158,6 +161,7 @@ static void red_reset(struct Qdisc *sch) + struct red_sched_data *q = qdisc_priv(sch); + + qdisc_reset(q->qdisc); ++ sch->qstats.backlog = 0; + sch->q.qlen = 0; + red_restart(&q->vars); + } +-- +2.17.1 + diff --git a/queue-4.4/sched-cgroup-fix-cgroup-entity-load-tracking-tear-do.patch b/queue-4.4/sched-cgroup-fix-cgroup-entity-load-tracking-tear-do.patch new file mode 100644 index 00000000000..2d912585282 --- /dev/null +++ b/queue-4.4/sched-cgroup-fix-cgroup-entity-load-tracking-tear-do.patch @@ -0,0 +1,140 @@ +From eaee22c5f29a8e5e65ba1dbbd9ce20fc5c2fec8e Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Thu, 21 Jan 2016 22:24:16 +0100 +Subject: sched/cgroup: Fix cgroup entity load tracking tear-down + +[ Upstream commit 6fe1f348b3dd1f700f9630562b7d38afd6949568 ] + +When a cgroup's CPU runqueue is destroyed, it should remove its +remaining load accounting from its parent cgroup. + +The current site for doing so it unsuited because its far too late and +unordered against other cgroup removal (->css_free() will be, but we're also +in an RCU callback). + +Put it in the ->css_offline() callback, which is the start of cgroup +destruction, right after the group has been made unavailable to +userspace. The ->css_offline() callbacks are called in hierarchical order +after the following v4.4 commit: + + aa226ff4a1ce ("cgroup: make sure a parent css isn't offlined before its children") + +Signed-off-by: Peter Zijlstra (Intel) +Cc: Christian Borntraeger +Cc: Johannes Weiner +Cc: Li Zefan +Cc: Linus Torvalds +Cc: Oleg Nesterov +Cc: Paul E. McKenney +Cc: Peter Zijlstra +Cc: Tejun Heo +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20160121212416.GL6357@twins.programming.kicks-ass.net +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/sched/core.c | 4 +--- + kernel/sched/fair.c | 37 +++++++++++++++++++++---------------- + kernel/sched/sched.h | 2 +- + 3 files changed, 23 insertions(+), 20 deletions(-) + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 65ed3501c2ca..4743e1f2a3d1 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -7817,11 +7817,9 @@ void sched_destroy_group(struct task_group *tg) + void sched_offline_group(struct task_group *tg) + { + unsigned long flags; +- int i; + + /* end participation in shares distribution */ +- for_each_possible_cpu(i) +- unregister_fair_sched_group(tg, i); ++ unregister_fair_sched_group(tg); + + spin_lock_irqsave(&task_group_lock, flags); + list_del_rcu(&tg->list); +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 3b136fb4422c..a0c5bb93a3ab 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -8154,11 +8154,8 @@ void free_fair_sched_group(struct task_group *tg) + for_each_possible_cpu(i) { + if (tg->cfs_rq) + kfree(tg->cfs_rq[i]); +- if (tg->se) { +- if (tg->se[i]) +- remove_entity_load_avg(tg->se[i]); ++ if (tg->se) + kfree(tg->se[i]); +- } + } + + kfree(tg->cfs_rq); +@@ -8206,21 +8203,29 @@ err: + return 0; + } + +-void unregister_fair_sched_group(struct task_group *tg, int cpu) ++void unregister_fair_sched_group(struct task_group *tg) + { +- struct rq *rq = cpu_rq(cpu); + unsigned long flags; ++ struct rq *rq; ++ int cpu; + +- /* +- * Only empty task groups can be destroyed; so we can speculatively +- * check on_list without danger of it being re-added. +- */ +- if (!tg->cfs_rq[cpu]->on_list) +- return; ++ for_each_possible_cpu(cpu) { ++ if (tg->se[cpu]) ++ remove_entity_load_avg(tg->se[cpu]); + +- raw_spin_lock_irqsave(&rq->lock, flags); +- list_del_leaf_cfs_rq(tg->cfs_rq[cpu]); +- raw_spin_unlock_irqrestore(&rq->lock, flags); ++ /* ++ * Only empty task groups can be destroyed; so we can speculatively ++ * check on_list without danger of it being re-added. ++ */ ++ if (!tg->cfs_rq[cpu]->on_list) ++ continue; ++ ++ rq = cpu_rq(cpu); ++ ++ raw_spin_lock_irqsave(&rq->lock, flags); ++ list_del_leaf_cfs_rq(tg->cfs_rq[cpu]); ++ raw_spin_unlock_irqrestore(&rq->lock, flags); ++ } + } + + void init_tg_cfs_entry(struct task_group *tg, struct cfs_rq *cfs_rq, +@@ -8302,7 +8307,7 @@ int alloc_fair_sched_group(struct task_group *tg, struct task_group *parent) + return 1; + } + +-void unregister_fair_sched_group(struct task_group *tg, int cpu) { } ++void unregister_fair_sched_group(struct task_group *tg) { } + + #endif /* CONFIG_FAIR_GROUP_SCHED */ + +diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h +index 0c9ebd82a684..af8d8c3eb8ab 100644 +--- a/kernel/sched/sched.h ++++ b/kernel/sched/sched.h +@@ -308,7 +308,7 @@ extern int tg_nop(struct task_group *tg, void *data); + + extern void free_fair_sched_group(struct task_group *tg); + extern int alloc_fair_sched_group(struct task_group *tg, struct task_group *parent); +-extern void unregister_fair_sched_group(struct task_group *tg, int cpu); ++extern void unregister_fair_sched_group(struct task_group *tg); + extern void init_tg_cfs_entry(struct task_group *tg, struct cfs_rq *cfs_rq, + struct sched_entity *se, int cpu, + struct sched_entity *parent); +-- +2.17.1 + diff --git a/queue-4.4/scsi-aacraid-fix-typo-in-blink-status.patch b/queue-4.4/scsi-aacraid-fix-typo-in-blink-status.patch new file mode 100644 index 00000000000..f03256e811a --- /dev/null +++ b/queue-4.4/scsi-aacraid-fix-typo-in-blink-status.patch @@ -0,0 +1,36 @@ +From 8671bf69454889f2fcb5d8f6b307300cbddd678a Mon Sep 17 00:00:00 2001 +From: Raghava Aditya Renukunta +Date: Thu, 2 Mar 2017 09:21:33 -0800 +Subject: scsi: aacraid: Fix typo in blink status + +[ Upstream commit 934767c56b0d9dbb95a40e9e6e4d9dcdc3a165ad ] + +The return status of the adapter check on KERNEL_PANIC is supposed to be +the upper 16 bits of the OMR status register. + +Fixes: c421530bf848604e (scsi: aacraid: Reorder Adpater status check) +Reported-by: Dan Carpenter +Signed-off-by: Raghava Aditya Renukunta +Reviewed-by: Dave Carroll +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/aacraid/src.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/aacraid/src.c b/drivers/scsi/aacraid/src.c +index e415e1c58eb5..cf3ac0654a3a 100644 +--- a/drivers/scsi/aacraid/src.c ++++ b/drivers/scsi/aacraid/src.c +@@ -444,7 +444,7 @@ err_out: + return -1; + + err_blink: +- return (status > 16) & 0xFF; ++ return (status >> 16) & 0xFF; + } + + /** +-- +2.17.1 + diff --git a/queue-4.4/scsi-add-starget_created_remove-state-to-scsi_target.patch b/queue-4.4/scsi-add-starget_created_remove-state-to-scsi_target.patch new file mode 100644 index 00000000000..405701b9b1b --- /dev/null +++ b/queue-4.4/scsi-add-starget_created_remove-state-to-scsi_target.patch @@ -0,0 +1,140 @@ +From d064c68203fb2dfdae0b6eabd3721d2f04a36bd9 Mon Sep 17 00:00:00 2001 +From: "Ewan D. Milne" +Date: Tue, 27 Jun 2017 14:55:58 -0400 +Subject: scsi: Add STARGET_CREATED_REMOVE state to scsi_target_state + +[ Upstream commit f9279c968c257ee39b0d7bd2571a4d231a67bcc1 ] + +The addition of the STARGET_REMOVE state had the side effect of +introducing a race condition that can cause a crash. + +scsi_target_reap_ref_release() checks the starget->state to +see if it still in STARGET_CREATED, and if so, skips calling +transport_remove_device() and device_del(), because the starget->state +is only set to STARGET_RUNNING after scsi_target_add() has called +device_add() and transport_add_device(). + +However, if an rport loss occurs while a target is being scanned, +it can happen that scsi_remove_target() will be called while the +starget is still in the STARGET_CREATED state. In this case, the +starget->state will be set to STARGET_REMOVE, and as a result, +scsi_target_reap_ref_release() will take the wrong path. The end +result is a panic: + +[ 1255.356653] Oops: 0000 [#1] SMP +[ 1255.360154] Modules linked in: x86_pkg_temp_thermal kvm_intel kvm irqbypass crc32c_intel ghash_clmulni_i +[ 1255.393234] CPU: 5 PID: 149 Comm: kworker/u96:4 Tainted: G W 4.11.0+ #8 +[ 1255.401879] Hardware name: Dell Inc. PowerEdge R320/08VT7V, BIOS 2.0.22 11/19/2013 +[ 1255.410327] Workqueue: scsi_wq_6 fc_scsi_scan_rport [scsi_transport_fc] +[ 1255.417720] task: ffff88060ca8c8c0 task.stack: ffffc900048a8000 +[ 1255.424331] RIP: 0010:kernfs_find_ns+0x13/0xc0 +[ 1255.429287] RSP: 0018:ffffc900048abbf0 EFLAGS: 00010246 +[ 1255.435123] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +[ 1255.443083] RDX: 0000000000000000 RSI: ffffffff8188d659 RDI: 0000000000000000 +[ 1255.451043] RBP: ffffc900048abc10 R08: 0000000000000000 R09: 0000012433fe0025 +[ 1255.459005] R10: 0000000025e5a4b5 R11: 0000000025e5a4b5 R12: ffffffff8188d659 +[ 1255.466972] R13: 0000000000000000 R14: ffff8805f55e5088 R15: 0000000000000000 +[ 1255.474931] FS: 0000000000000000(0000) GS:ffff880616b40000(0000) knlGS:0000000000000000 +[ 1255.483959] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1255.490370] CR2: 0000000000000068 CR3: 0000000001c09000 CR4: 00000000000406e0 +[ 1255.498332] Call Trace: +[ 1255.501058] kernfs_find_and_get_ns+0x31/0x60 +[ 1255.505916] sysfs_unmerge_group+0x1d/0x60 +[ 1255.510498] dpm_sysfs_remove+0x22/0x60 +[ 1255.514783] device_del+0xf4/0x2e0 +[ 1255.518577] ? device_remove_file+0x19/0x20 +[ 1255.523241] attribute_container_class_device_del+0x1a/0x20 +[ 1255.529457] transport_remove_classdev+0x4e/0x60 +[ 1255.534607] ? transport_add_class_device+0x40/0x40 +[ 1255.540046] attribute_container_device_trigger+0xb0/0xc0 +[ 1255.546069] transport_remove_device+0x15/0x20 +[ 1255.551025] scsi_target_reap_ref_release+0x25/0x40 +[ 1255.556467] scsi_target_reap+0x2e/0x40 +[ 1255.560744] __scsi_scan_target+0xaa/0x5b0 +[ 1255.565312] scsi_scan_target+0xec/0x100 +[ 1255.569689] fc_scsi_scan_rport+0xb1/0xc0 [scsi_transport_fc] +[ 1255.576099] process_one_work+0x14b/0x390 +[ 1255.580569] worker_thread+0x4b/0x390 +[ 1255.584651] kthread+0x109/0x140 +[ 1255.588251] ? rescuer_thread+0x330/0x330 +[ 1255.592730] ? kthread_park+0x60/0x60 +[ 1255.596815] ret_from_fork+0x29/0x40 +[ 1255.600801] Code: 24 08 48 83 42 40 01 5b 41 5c 5d c3 66 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 +[ 1255.621876] RIP: kernfs_find_ns+0x13/0xc0 RSP: ffffc900048abbf0 +[ 1255.628479] CR2: 0000000000000068 +[ 1255.632756] ---[ end trace 34a69ba0477d036f ]--- + +Fix this by adding another scsi_target state STARGET_CREATED_REMOVE +to distinguish this case. + +Fixes: f05795d3d771 ("scsi: Add intermediate STARGET_REMOVE state to scsi_target_state") +Reported-by: David Jeffery +Signed-off-by: Ewan D. Milne +Cc: +Reviewed-by: Laurence Oberman +Tested-by: Laurence Oberman +Reviewed-by: Johannes Thumshirn +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_scan.c | 5 +++-- + drivers/scsi/scsi_sysfs.c | 8 ++++++-- + include/scsi/scsi_device.h | 1 + + 3 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c +index 692445bcca6f..850ddc5fac04 100644 +--- a/drivers/scsi/scsi_scan.c ++++ b/drivers/scsi/scsi_scan.c +@@ -381,11 +381,12 @@ static void scsi_target_reap_ref_release(struct kref *kref) + = container_of(kref, struct scsi_target, reap_ref); + + /* +- * if we get here and the target is still in the CREATED state that ++ * if we get here and the target is still in a CREATED state that + * means it was allocated but never made visible (because a scan + * turned up no LUNs), so don't call device_del() on it. + */ +- if (starget->state != STARGET_CREATED) { ++ if ((starget->state != STARGET_CREATED) && ++ (starget->state != STARGET_CREATED_REMOVE)) { + transport_remove_device(&starget->dev); + device_del(&starget->dev); + } +diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c +index 8db0c48943d6..085e470d1c49 100644 +--- a/drivers/scsi/scsi_sysfs.c ++++ b/drivers/scsi/scsi_sysfs.c +@@ -1212,11 +1212,15 @@ restart: + spin_lock_irqsave(shost->host_lock, flags); + list_for_each_entry(starget, &shost->__targets, siblings) { + if (starget->state == STARGET_DEL || +- starget->state == STARGET_REMOVE) ++ starget->state == STARGET_REMOVE || ++ starget->state == STARGET_CREATED_REMOVE) + continue; + if (starget->dev.parent == dev || &starget->dev == dev) { + kref_get(&starget->reap_ref); +- starget->state = STARGET_REMOVE; ++ if (starget->state == STARGET_CREATED) ++ starget->state = STARGET_CREATED_REMOVE; ++ else ++ starget->state = STARGET_REMOVE; + spin_unlock_irqrestore(shost->host_lock, flags); + __scsi_remove_target(starget); + scsi_target_reap(starget); +diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h +index 293b9a7f53bc..fb53a94a5e8b 100644 +--- a/include/scsi/scsi_device.h ++++ b/include/scsi/scsi_device.h +@@ -240,6 +240,7 @@ enum scsi_target_state { + STARGET_CREATED = 1, + STARGET_RUNNING, + STARGET_REMOVE, ++ STARGET_CREATED_REMOVE, + STARGET_DEL, + }; + +-- +2.17.1 + diff --git a/queue-4.4/ser_gigaset-use-container_of-instead-of-detour.patch b/queue-4.4/ser_gigaset-use-container_of-instead-of-detour.patch new file mode 100644 index 00000000000..954e014fcee --- /dev/null +++ b/queue-4.4/ser_gigaset-use-container_of-instead-of-detour.patch @@ -0,0 +1,73 @@ +From 636e2b9a81b1bd7a59b64c6c2b5d1482c7783b4a Mon Sep 17 00:00:00 2001 +From: Paul Bolle +Date: Thu, 18 Feb 2016 21:29:08 +0100 +Subject: ser_gigaset: use container_of() instead of detour + +[ Upstream commit 8d2c3ab4445640957d136caa3629857d63544a2a ] + +The purpose of gigaset_device_release() is to kfree() the struct +ser_cardstate that contains our struct device. This is done via a bit of +a detour. First we make our struct device's driver_data point to the +container of our struct ser_cardstate (which is a struct cardstate). In +gigaset_device_release() we then retrieve that driver_data again. And +after that we finally kfree() the struct ser_cardstate that was saved in +the struct cardstate. + +All of this can be achieved much easier by using container_of() to get +from our struct device to its container, struct ser_cardstate. Do so. + +Note that at the time the detour was implemented commit b8b2c7d845d5 +("base/platform: assert that dev_pm_domain callbacks are called +unconditionally") had just entered the tree. That commit disconnected +our platform_device and our platform_driver. These were reconnected +again in v4.5-rc2 through commit 25cad69f21f5 ("base/platform: Fix +platform drivers with no probe callback"). And one of the consequences +of that fix was that it broke the detour via driver_data. That's because +it made __device_release_driver() stop being a NOP for our struct device +and actually do stuff again. One of the things it now does, is setting +our driver_data to NULL. That, in turn, makes it impossible for +gigaset_device_release() to get to our struct cardstate. Which has the +net effect of leaking a struct ser_cardstate at every call of this +driver's tty close() operation. So using container_of() has the +additional benefit of actually working. + +Reported-by: Dmitry Vyukov +Tested-by: Dmitry Vyukov +Signed-off-by: Paul Bolle +Acked-by: Tilman Schmidt +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/gigaset/ser-gigaset.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/drivers/isdn/gigaset/ser-gigaset.c b/drivers/isdn/gigaset/ser-gigaset.c +index 74bf1a17ae7c..b90776ef56ec 100644 +--- a/drivers/isdn/gigaset/ser-gigaset.c ++++ b/drivers/isdn/gigaset/ser-gigaset.c +@@ -373,13 +373,7 @@ static void gigaset_freecshw(struct cardstate *cs) + + static void gigaset_device_release(struct device *dev) + { +- struct cardstate *cs = dev_get_drvdata(dev); +- +- if (!cs) +- return; +- dev_set_drvdata(dev, NULL); +- kfree(cs->hw.ser); +- cs->hw.ser = NULL; ++ kfree(container_of(dev, struct ser_cardstate, dev.dev)); + } + + /* +@@ -408,7 +402,6 @@ static int gigaset_initcshw(struct cardstate *cs) + cs->hw.ser = NULL; + return rc; + } +- dev_set_drvdata(&cs->hw.ser->dev.dev, cs); + + tasklet_init(&cs->write_tasklet, + gigaset_modem_fill, (unsigned long) cs); +-- +2.17.1 + diff --git a/queue-4.4/series b/queue-4.4/series new file mode 100644 index 00000000000..d3d09fd309a --- /dev/null +++ b/queue-4.4/series @@ -0,0 +1,86 @@ +xfrm-validate-address-prefix-lengths-in-the-xfrm-sel.patch +xfrm6-call-kfree_skb-when-skb-is-toobig.patch +mac80211-always-report-tx-status.patch +cfg80211-reg-init-wiphy_idx-in-regulatory_hint_core.patch +cfg80211-address-some-corner-cases-in-scan-result-ch.patch +arm-8799-1-mm-fix-pci_ioremap_io-offset-check.patch +xfrm-validate-template-mode.patch +mac80211_hwsim-do-not-omit-multicast-announce-of-fir.patch +bluetooth-smp-fix-crash-in-unpairing.patch +pxa168fb-prepare-the-clock.patch +asix-check-for-supported-wake-on-lan-modes.patch +ax88179_178a-check-for-supported-wake-on-lan-modes.patch +lan78xx-check-for-supported-wake-on-lan-modes.patch +sr9800-check-for-supported-wake-on-lan-modes.patch +r8152-check-for-supported-wake-on-lan-modes.patch +smsc75xx-check-for-wake-on-lan-modes.patch +smsc95xx-check-for-wake-on-lan-modes.patch +perf-ring_buffer-prevent-concurent-ring-buffer-acces.patch +net-cxgb3_main-fix-a-missing-check-bug.patch +keys-put-keyring-if-install_session_keyring_to_cred-.patch +ipv6-suppress-sparse-warnings-in-ip6_ecn_set_ce.patch +net-drop-write-only-stack-variable.patch +ser_gigaset-use-container_of-instead-of-detour.patch +tracing-skip-more-functions-when-doing-stack-tracing.patch +arm-dts-apq8064-add-ahci-ports-implemented-mask.patch +x86-mm-pat-prevent-hang-during-boot-when-mapping-pag.patch +btrfs-cleaner_kthread-doesn-t-need-explicit-freeze.patch +radix-tree-fix-radix_tree_iter_retry-for-tagged-iter.patch +af_iucv-move-sockaddr-length-checks-to-before-access.patch +net-mlx4_en-resolve-dividing-by-zero-in-32-bit-syste.patch +ipv6-orphan-skbs-in-reassembly-unit.patch +um-avoid-longjmp-setjmp-symbol-clashes-with-libpthre.patch +sched-cgroup-fix-cgroup-entity-load-tracking-tear-do.patch +btrfs-don-t-create-or-leak-aliased-root-while-cleani.patch +thermal-allow-spear-thermal-driver-to-be-a-module.patch +thermal-allow-u8500-thermal-driver-to-be-a-module.patch +tpm-fix-return-rc-when-devm_add_action-fails.patch +x86-pci-mark-broadwell-ep-home-agent-1-as-having-non.patch +aacraid-start-adapter-after-updating-number-of-msix-.patch +perf-core-don-t-leak-event-in-the-syscall-error-path.patch +media-usbvision-revert-commit-588afcc1.patch +mips-fix-fcsr-cause-bit-handling-for-correct-sigfpe-.patch +asoc-ak4613-enable-cache-usage-to-fix-crashes-on-res.patch +asoc-wm8940-enable-cache-usage-to-fix-crashes-on-res.patch +cifs-handle-guest-access-errors-to-windows-shares.patch +arm64-fix-potential-race-with-hardware-dbm-in-ptep_s.patch +xfrm-clear-sk_dst_cache-when-applying-per-socket-pol.patch +scsi-add-starget_created_remove-state-to-scsi_target.patch +sparc-pci-refactor-dev_archdata-initialization-into-.patch +sch_red-update-backlog-as-well.patch +usb-storage-fix-bogus-hardware-error-messages-for-at.patch +bpf-generally-move-prog-destruction-to-rcu-deferral.patch +drm-nouveau-fbcon-fix-oops-without-fbdev-emulation.patch +fuse-dont-call-set_page_dirty_lock-for-iter_bvec-pag.patch +ixgbevf-fix-handling-of-napi-budget-when-multiple-qu.patch +net-mlx5e-fix-lro-modify.patch +net-mlx5e-correctly-handle-rss-indirection-table-whe.patch +ixgbe-fix-rss-limit-for-x550.patch +ixgbe-correct-x550em_x-revision-check.patch +alsa-timer-fix-zero-division-by-continue-of-uninitia.patch +vti6-flush-x-netns-xfrm-cache-when-vti-interface-is-.patch +gro-allow-tunnel-stacking-in-the-case-of-fou-gue.patch +brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch +l2tp-hold-socket-before-dropping-lock-in-l2tp_ip-6-_.patch +tty-serial-sprd-fix-error-return-code-in-sprd_probe.patch +video-fbdev-pxa3xx_gcu-fix-error-return-code-in-pxa3.patch +sparc64-mm-fix-more-tsb-sizing-issues.patch +gpu-host1x-fix-error-return-code-in-host1x_probe.patch +sparc64-fix-exception-handling-in-ultrasparc-iii-mem.patch +gpio-msic-fix-error-return-code-in-platform_msic_gpi.patch +usb-imx21-hcd-fix-error-return-code-in-imx21_probe.patch +usb-ehci-omap-fix-error-return-code-in-ehci_hcd_omap.patch +usb-dwc3-omap-fix-error-return-code-in-dwc3_omap_pro.patch +spi-bcm63xx-hspi-fix-error-return-code-in-bcm63xx_hs.patch +mips-handle-non-word-sized-instructions-when-examini.patch +spi-bcm63xx-fix-error-return-code-in-bcm63xx_spi_pro.patch +spi-xlp-fix-error-return-code-in-xlp_spi_probe.patch +asoc-spear-fix-error-return-code-in-spdif_in_probe.patch +pm-devfreq-tegra-fix-error-return-code-in-tegra_devf.patch +bonding-avoid-defaulting-hard_header_len-to-eth_hlen.patch +scsi-aacraid-fix-typo-in-blink-status.patch +mips-micromips-fix-decoding-of-swsp16-instruction.patch +igb-remove-superfluous-reset-to-phy-and-page-0-selec.patch +mips-dec-fix-an-int-handler.s-cpu_daddi_workarounds-.patch +arm-dts-imx53-qsb-disable-1.2ghz-opp.patch +fs-fat-fatent.c-add-cond_resched-to-fat_count_free_c.patch diff --git a/queue-4.4/smsc75xx-check-for-wake-on-lan-modes.patch b/queue-4.4/smsc75xx-check-for-wake-on-lan-modes.patch new file mode 100644 index 00000000000..f5745ebb47c --- /dev/null +++ b/queue-4.4/smsc75xx-check-for-wake-on-lan-modes.patch @@ -0,0 +1,36 @@ +From d859e2aefb438d6c7af58fc77863776d9ab94709 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 28 Sep 2018 16:18:55 -0700 +Subject: smsc75xx: Check for Wake-on-LAN modes + +[ Upstream commit 9c734b2769a73eea2e9e9767c0e0bf839ff23679 ] + +The driver does not check for Wake-on-LAN modes specified by an user, +but will conditionally set the device as wake-up enabled or not based on +that, which could be a very confusing user experience. + +Fixes: 6c636503260d ("smsc75xx: add wol magic packet support") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc75xx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c +index 8dbe086e0a96..234febc6e1d9 100644 +--- a/drivers/net/usb/smsc75xx.c ++++ b/drivers/net/usb/smsc75xx.c +@@ -728,6 +728,9 @@ static int smsc75xx_ethtool_set_wol(struct net_device *net, + struct smsc75xx_priv *pdata = (struct smsc75xx_priv *)(dev->data[0]); + int ret; + ++ if (wolinfo->wolopts & ~SUPPORTED_WAKE) ++ return -EINVAL; ++ + pdata->wolopts = wolinfo->wolopts & SUPPORTED_WAKE; + + ret = device_set_wakeup_enable(&dev->udev->dev, pdata->wolopts); +-- +2.17.1 + diff --git a/queue-4.4/smsc95xx-check-for-wake-on-lan-modes.patch b/queue-4.4/smsc95xx-check-for-wake-on-lan-modes.patch new file mode 100644 index 00000000000..ebfcfb9f18d --- /dev/null +++ b/queue-4.4/smsc95xx-check-for-wake-on-lan-modes.patch @@ -0,0 +1,36 @@ +From f42c5855ecff9fdb7ba19896bac24a841ea36393 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 28 Sep 2018 16:18:56 -0700 +Subject: smsc95xx: Check for Wake-on-LAN modes + +[ Upstream commit c530c471ba37bdd9fe1c7185b01455c00ae606fb ] + +The driver does not check for Wake-on-LAN modes specified by an user, +but will conditionally set the device as wake-up enabled or not based on +that, which could be a very confusing user experience. + +Fixes: e0e474a83c18 ("smsc95xx: add wol magic packet support") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc95xx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c +index 66b3ab9f614e..7cee7777d13f 100644 +--- a/drivers/net/usb/smsc95xx.c ++++ b/drivers/net/usb/smsc95xx.c +@@ -727,6 +727,9 @@ static int smsc95xx_ethtool_set_wol(struct net_device *net, + struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); + int ret; + ++ if (wolinfo->wolopts & ~SUPPORTED_WAKE) ++ return -EINVAL; ++ + pdata->wolopts = wolinfo->wolopts & SUPPORTED_WAKE; + + ret = device_set_wakeup_enable(&dev->udev->dev, pdata->wolopts); +-- +2.17.1 + diff --git a/queue-4.4/sparc-pci-refactor-dev_archdata-initialization-into-.patch b/queue-4.4/sparc-pci-refactor-dev_archdata-initialization-into-.patch new file mode 100644 index 00000000000..41849052cb3 --- /dev/null +++ b/queue-4.4/sparc-pci-refactor-dev_archdata-initialization-into-.patch @@ -0,0 +1,91 @@ +From afb97c8752984ad39f266680bebb499a94ed0e8a Mon Sep 17 00:00:00 2001 +From: Sowmini Varadhan +Date: Mon, 11 Apr 2016 17:57:05 -0700 +Subject: sparc/pci: Refactor dev_archdata initialization into + pci_init_dev_archdata + +[ Upstream commit 9a78d4fc28904785ffe4c2d361e25b251b479704 ] + +The function pcibios_add_device() added by commit d0c31e020057 +("sparc/PCI: Fix for panic while enabling SR-IOV") initializes +the dev_archdata by doing a memcpy from the PF. This has the +problem that it erroneously copies the OF device without +explicitly refcounting it. + +As David Miller pointed out: "Generally speaking we don't +really support hot-plug for OF probed devices, but if we did +all of the device tree pointers have to be refcounted properly." + +To fix this error, and also avoid code duplication, this patch +creates a new helper function, pci_init_dev_archdata(), that +initializes the fields in dev_archdata, and can be invoked +by callers after they have taken the needed refcounts + +Signed-off-by: Sowmini Varadhan +Tested-by: Babu Moger +Reviewed-by: Khalid Aziz +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + arch/sparc/kernel/pci.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +diff --git a/arch/sparc/kernel/pci.c b/arch/sparc/kernel/pci.c +index 9f9614df9e1e..c2b202d763a1 100644 +--- a/arch/sparc/kernel/pci.c ++++ b/arch/sparc/kernel/pci.c +@@ -245,6 +245,18 @@ static void pci_parse_of_addrs(struct platform_device *op, + } + } + ++static void pci_init_dev_archdata(struct dev_archdata *sd, void *iommu, ++ void *stc, void *host_controller, ++ struct platform_device *op, ++ int numa_node) ++{ ++ sd->iommu = iommu; ++ sd->stc = stc; ++ sd->host_controller = host_controller; ++ sd->op = op; ++ sd->numa_node = numa_node; ++} ++ + static struct pci_dev *of_create_pci_dev(struct pci_pbm_info *pbm, + struct device_node *node, + struct pci_bus *bus, int devfn) +@@ -259,13 +271,10 @@ static struct pci_dev *of_create_pci_dev(struct pci_pbm_info *pbm, + if (!dev) + return NULL; + ++ op = of_find_device_by_node(node); + sd = &dev->dev.archdata; +- sd->iommu = pbm->iommu; +- sd->stc = &pbm->stc; +- sd->host_controller = pbm; +- sd->op = op = of_find_device_by_node(node); +- sd->numa_node = pbm->numa_node; +- ++ pci_init_dev_archdata(sd, pbm->iommu, &pbm->stc, pbm, op, ++ pbm->numa_node); + sd = &op->dev.archdata; + sd->iommu = pbm->iommu; + sd->stc = &pbm->stc; +@@ -1003,9 +1012,13 @@ int pcibios_add_device(struct pci_dev *dev) + * Copy dev_archdata from PF to VF + */ + if (dev->is_virtfn) { ++ struct dev_archdata *psd; ++ + pdev = dev->physfn; +- memcpy(&dev->dev.archdata, &pdev->dev.archdata, +- sizeof(struct dev_archdata)); ++ psd = &pdev->dev.archdata; ++ pci_init_dev_archdata(&dev->dev.archdata, psd->iommu, ++ psd->stc, psd->host_controller, NULL, ++ psd->numa_node); + } + return 0; + } +-- +2.17.1 + diff --git a/queue-4.4/sparc64-fix-exception-handling-in-ultrasparc-iii-mem.patch b/queue-4.4/sparc64-fix-exception-handling-in-ultrasparc-iii-mem.patch new file mode 100644 index 00000000000..39b6bcba288 --- /dev/null +++ b/queue-4.4/sparc64-fix-exception-handling-in-ultrasparc-iii-mem.patch @@ -0,0 +1,50 @@ +From ddd191a297aaa0b9f7390f9176d3b2793750c01b Mon Sep 17 00:00:00 2001 +From: "David S. Miller" +Date: Fri, 4 Aug 2017 09:47:52 -0700 +Subject: sparc64: Fix exception handling in UltraSPARC-III memcpy. + +[ Upstream commit 0ede1c401332173ab0693121dc6cde04a4dbf131 ] + +Mikael Pettersson reported that some test programs in the strace-4.18 +testsuite cause an OOPS. + +After some debugging it turns out that garbage values are returned +when an exception occurs, causing the fixup memset() to be run with +bogus arguments. + +The problem is that two of the exception handler stubs write the +successfully copied length into the wrong register. + +Fixes: ee841d0aff64 ("sparc64: Convert U3copy_{from,to}_user to accurate exception reporting.") +Reported-by: Mikael Pettersson +Tested-by: Mikael Pettersson +Reviewed-by: Sam Ravnborg +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + arch/sparc/lib/U3memcpy.S | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/sparc/lib/U3memcpy.S b/arch/sparc/lib/U3memcpy.S +index 54f98706b03b..5a8cb37f0a3b 100644 +--- a/arch/sparc/lib/U3memcpy.S ++++ b/arch/sparc/lib/U3memcpy.S +@@ -145,13 +145,13 @@ ENDPROC(U3_retl_o2_plus_GS_plus_0x08) + ENTRY(U3_retl_o2_and_7_plus_GS) + and %o2, 7, %o2 + retl +- add %o2, GLOBAL_SPARE, %o2 ++ add %o2, GLOBAL_SPARE, %o0 + ENDPROC(U3_retl_o2_and_7_plus_GS) + ENTRY(U3_retl_o2_and_7_plus_GS_plus_8) + add GLOBAL_SPARE, 8, GLOBAL_SPARE + and %o2, 7, %o2 + retl +- add %o2, GLOBAL_SPARE, %o2 ++ add %o2, GLOBAL_SPARE, %o0 + ENDPROC(U3_retl_o2_and_7_plus_GS_plus_8) + #endif + +-- +2.17.1 + diff --git a/queue-4.4/sparc64-mm-fix-more-tsb-sizing-issues.patch b/queue-4.4/sparc64-mm-fix-more-tsb-sizing-issues.patch new file mode 100644 index 00000000000..e09c935c8ff --- /dev/null +++ b/queue-4.4/sparc64-mm-fix-more-tsb-sizing-issues.patch @@ -0,0 +1,180 @@ +From d8808c345867f8c3c05cfe79f2426d869835c7bc Mon Sep 17 00:00:00 2001 +From: Mike Kravetz +Date: Wed, 31 Aug 2016 13:48:19 -0700 +Subject: sparc64 mm: Fix more TSB sizing issues + +[ Upstream commit 1e953d846ac015fbfcf09c857e8f893924cb629c ] + +Commit af1b1a9b36b8 ("sparc64 mm: Fix base TSB sizing when hugetlb +pages are used") addressed the difference between hugetlb and THP +pages when computing TSB sizes. The following additional issues +were also discovered while working with the code. + +In order to save memory, THP makes use of a huge zero page. This huge +zero page does not count against a task's RSS, but it does consume TSB +entries. This is similar to hugetlb pages. Therefore, count huge +zero page entries in hugetlb_pte_count. + +Accounting of THP pages is done in the routine set_pmd_at(). +Unfortunately, this does not catch the case where a THP page is split. +To handle this case, decrement the count in pmdp_invalidate(). +pmdp_invalidate is only called when splitting a THP. However, 'sanity +checks' are added in case it is ever called for other purposes. + +A more general issue exists with HPAGE_SIZE accounting. +hugetlb_pte_count tracks the number of HPAGE_SIZE (8M) pages. This +value is used to size the TSB for HPAGE_SIZE pages. However, +each HPAGE_SIZE page consists of two REAL_HPAGE_SIZE (4M) pages. +The TSB contains an entry for each REAL_HPAGE_SIZE page. Therefore, +the number of REAL_HPAGE_SIZE pages should be used to size the huge +page TSB. A new compile time constant REAL_HPAGE_PER_HPAGE is used +to multiply hugetlb_pte_count before sizing the TSB. + +Changes from V1 +- Fixed build issue if hugetlb or THP not configured + +Signed-off-by: Mike Kravetz +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + arch/sparc/include/asm/page_64.h | 1 + + arch/sparc/mm/fault_64.c | 1 + + arch/sparc/mm/tlb.c | 35 ++++++++++++++++++++++++++++---- + arch/sparc/mm/tsb.c | 18 ++++++++++------ + 4 files changed, 45 insertions(+), 10 deletions(-) + +diff --git a/arch/sparc/include/asm/page_64.h b/arch/sparc/include/asm/page_64.h +index 8c2a8c937540..c1263fc390db 100644 +--- a/arch/sparc/include/asm/page_64.h ++++ b/arch/sparc/include/asm/page_64.h +@@ -25,6 +25,7 @@ + #define HPAGE_MASK (~(HPAGE_SIZE - 1UL)) + #define HUGETLB_PAGE_ORDER (HPAGE_SHIFT - PAGE_SHIFT) + #define HAVE_ARCH_HUGETLB_UNMAPPED_AREA ++#define REAL_HPAGE_PER_HPAGE (_AC(1,UL) << (HPAGE_SHIFT - REAL_HPAGE_SHIFT)) + #endif + + #ifndef __ASSEMBLY__ +diff --git a/arch/sparc/mm/fault_64.c b/arch/sparc/mm/fault_64.c +index e15f33715103..b01ec72522cb 100644 +--- a/arch/sparc/mm/fault_64.c ++++ b/arch/sparc/mm/fault_64.c +@@ -487,6 +487,7 @@ good_area: + tsb_grow(mm, MM_TSB_BASE, mm_rss); + #if defined(CONFIG_HUGETLB_PAGE) || defined(CONFIG_TRANSPARENT_HUGEPAGE) + mm_rss = mm->context.hugetlb_pte_count + mm->context.thp_pte_count; ++ mm_rss *= REAL_HPAGE_PER_HPAGE; + if (unlikely(mm_rss > + mm->context.tsb_block[MM_TSB_HUGE].tsb_rss_limit)) { + if (mm->context.tsb_block[MM_TSB_HUGE].tsb) +diff --git a/arch/sparc/mm/tlb.c b/arch/sparc/mm/tlb.c +index 3659d37b4d81..c56a195c9071 100644 +--- a/arch/sparc/mm/tlb.c ++++ b/arch/sparc/mm/tlb.c +@@ -174,10 +174,25 @@ void set_pmd_at(struct mm_struct *mm, unsigned long addr, + return; + + if ((pmd_val(pmd) ^ pmd_val(orig)) & _PAGE_PMD_HUGE) { +- if (pmd_val(pmd) & _PAGE_PMD_HUGE) +- mm->context.thp_pte_count++; +- else +- mm->context.thp_pte_count--; ++ /* ++ * Note that this routine only sets pmds for THP pages. ++ * Hugetlb pages are handled elsewhere. We need to check ++ * for huge zero page. Huge zero pages are like hugetlb ++ * pages in that there is no RSS, but there is the need ++ * for TSB entries. So, huge zero page counts go into ++ * hugetlb_pte_count. ++ */ ++ if (pmd_val(pmd) & _PAGE_PMD_HUGE) { ++ if (is_huge_zero_page(pmd_page(pmd))) ++ mm->context.hugetlb_pte_count++; ++ else ++ mm->context.thp_pte_count++; ++ } else { ++ if (is_huge_zero_page(pmd_page(orig))) ++ mm->context.hugetlb_pte_count--; ++ else ++ mm->context.thp_pte_count--; ++ } + + /* Do not try to allocate the TSB hash table if we + * don't have one already. We have various locks held +@@ -204,6 +219,9 @@ void set_pmd_at(struct mm_struct *mm, unsigned long addr, + } + } + ++/* ++ * This routine is only called when splitting a THP ++ */ + void pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, + pmd_t *pmdp) + { +@@ -213,6 +231,15 @@ void pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, + + set_pmd_at(vma->vm_mm, address, pmdp, entry); + flush_tlb_range(vma, address, address + HPAGE_PMD_SIZE); ++ ++ /* ++ * set_pmd_at() will not be called in a way to decrement ++ * thp_pte_count when splitting a THP, so do it now. ++ * Sanity check pmd before doing the actual decrement. ++ */ ++ if ((pmd_val(entry) & _PAGE_PMD_HUGE) && ++ !is_huge_zero_page(pmd_page(entry))) ++ (vma->vm_mm)->context.thp_pte_count--; + } + + void pgtable_trans_huge_deposit(struct mm_struct *mm, pmd_t *pmdp, +diff --git a/arch/sparc/mm/tsb.c b/arch/sparc/mm/tsb.c +index 266411291634..84cd593117a6 100644 +--- a/arch/sparc/mm/tsb.c ++++ b/arch/sparc/mm/tsb.c +@@ -489,8 +489,10 @@ retry_tsb_alloc: + + int init_new_context(struct task_struct *tsk, struct mm_struct *mm) + { ++ unsigned long mm_rss = get_mm_rss(mm); + #if defined(CONFIG_HUGETLB_PAGE) || defined(CONFIG_TRANSPARENT_HUGEPAGE) +- unsigned long total_huge_pte_count; ++ unsigned long saved_hugetlb_pte_count; ++ unsigned long saved_thp_pte_count; + #endif + unsigned int i; + +@@ -503,10 +505,12 @@ int init_new_context(struct task_struct *tsk, struct mm_struct *mm) + * will re-increment the counters as the parent PTEs are + * copied into the child address space. + */ +- total_huge_pte_count = mm->context.hugetlb_pte_count + +- mm->context.thp_pte_count; ++ saved_hugetlb_pte_count = mm->context.hugetlb_pte_count; ++ saved_thp_pte_count = mm->context.thp_pte_count; + mm->context.hugetlb_pte_count = 0; + mm->context.thp_pte_count = 0; ++ ++ mm_rss -= saved_thp_pte_count * (HPAGE_SIZE / PAGE_SIZE); + #endif + + /* copy_mm() copies over the parent's mm_struct before calling +@@ -519,11 +523,13 @@ int init_new_context(struct task_struct *tsk, struct mm_struct *mm) + /* If this is fork, inherit the parent's TSB size. We would + * grow it to that size on the first page fault anyways. + */ +- tsb_grow(mm, MM_TSB_BASE, get_mm_rss(mm)); ++ tsb_grow(mm, MM_TSB_BASE, mm_rss); + + #if defined(CONFIG_HUGETLB_PAGE) || defined(CONFIG_TRANSPARENT_HUGEPAGE) +- if (unlikely(total_huge_pte_count)) +- tsb_grow(mm, MM_TSB_HUGE, total_huge_pte_count); ++ if (unlikely(saved_hugetlb_pte_count + saved_thp_pte_count)) ++ tsb_grow(mm, MM_TSB_HUGE, ++ (saved_hugetlb_pte_count + saved_thp_pte_count) * ++ REAL_HPAGE_PER_HPAGE); + #endif + + if (unlikely(!mm->context.tsb_block[MM_TSB_BASE].tsb)) +-- +2.17.1 + diff --git a/queue-4.4/spi-bcm63xx-fix-error-return-code-in-bcm63xx_spi_pro.patch b/queue-4.4/spi-bcm63xx-fix-error-return-code-in-bcm63xx_spi_pro.patch new file mode 100644 index 00000000000..475834799a6 --- /dev/null +++ b/queue-4.4/spi-bcm63xx-fix-error-return-code-in-bcm63xx_spi_pro.patch @@ -0,0 +1,43 @@ +From 0d1567fe4d4a59a1cc021cb6f8e1e59001ea2338 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Mon, 7 Aug 2017 23:52:34 -0500 +Subject: spi/bcm63xx: fix error return code in bcm63xx_spi_probe() + +[ Upstream commit ba8afe94723e9ba665aee9cca649fb2c80f7304c ] + +platform_get_irq() returns an error code, but the spi-bcm63xx driver +ignores it and always returns -ENXIO. This is not correct and, +prevents -EPROBE_DEFER from being propagated properly. + +Notice that platform_get_irq() no longer returns 0 on error: +https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af + +Print and propagate the return value of platform_get_irq on failure. + +This issue was detected with the help of Coccinelle. + +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm63xx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c +index bf9a610e5b89..f14500910bc2 100644 +--- a/drivers/spi/spi-bcm63xx.c ++++ b/drivers/spi/spi-bcm63xx.c +@@ -496,8 +496,8 @@ static int bcm63xx_spi_probe(struct platform_device *pdev) + + irq = platform_get_irq(pdev, 0); + if (irq < 0) { +- dev_err(dev, "no irq\n"); +- return -ENXIO; ++ dev_err(dev, "no irq: %d\n", irq); ++ return irq; + } + + clk = devm_clk_get(dev, "spi"); +-- +2.17.1 + diff --git a/queue-4.4/spi-bcm63xx-hspi-fix-error-return-code-in-bcm63xx_hs.patch b/queue-4.4/spi-bcm63xx-hspi-fix-error-return-code-in-bcm63xx_hs.patch new file mode 100644 index 00000000000..8d4149b0340 --- /dev/null +++ b/queue-4.4/spi-bcm63xx-hspi-fix-error-return-code-in-bcm63xx_hs.patch @@ -0,0 +1,43 @@ +From 6b331bfb64fa06d9a0c31fc23bc642edf844fb0f Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Mon, 7 Aug 2017 23:59:44 -0500 +Subject: spi/bcm63xx-hspi: fix error return code in bcm63xx_hsspi_probe() + +[ Upstream commit 378da4a65f3a0390837b38145bb5d8c2d20c2cf7 ] + +platform_get_irq() returns an error code, but the spi-bcm63xx-hsspi +driver ignores it and always returns -ENXIO. This is not correct and, +prevents -EPROBE_DEFER from being propagated properly. + +Notice that platform_get_irq() no longer returns 0 on error: +https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af + +Print and propagate the return value of platform_get_irq on failure. + +This issue was detected with the help of Coccinelle. + +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm63xx-hsspi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-bcm63xx-hsspi.c b/drivers/spi/spi-bcm63xx-hsspi.c +index 55789f7cda92..645f428ad0a2 100644 +--- a/drivers/spi/spi-bcm63xx-hsspi.c ++++ b/drivers/spi/spi-bcm63xx-hsspi.c +@@ -336,8 +336,8 @@ static int bcm63xx_hsspi_probe(struct platform_device *pdev) + + irq = platform_get_irq(pdev, 0); + if (irq < 0) { +- dev_err(dev, "no irq\n"); +- return -ENXIO; ++ dev_err(dev, "no irq: %d\n", irq); ++ return irq; + } + + res_mem = platform_get_resource(pdev, IORESOURCE_MEM, 0); +-- +2.17.1 + diff --git a/queue-4.4/spi-xlp-fix-error-return-code-in-xlp_spi_probe.patch b/queue-4.4/spi-xlp-fix-error-return-code-in-xlp_spi_probe.patch new file mode 100644 index 00000000000..0b12a42aba5 --- /dev/null +++ b/queue-4.4/spi-xlp-fix-error-return-code-in-xlp_spi_probe.patch @@ -0,0 +1,43 @@ +From 3a4891a2e92f66703e13b7aefa0c6e5c1cb56aea Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Mon, 7 Aug 2017 23:45:02 -0500 +Subject: spi: xlp: fix error return code in xlp_spi_probe() + +[ Upstream commit 9a6b94796ae6feaf275ec6200e9b2964db208182 ] + +platform_get_irq() returns an error code, but the spi-xlp driver ignores +it and always returns -EINVAL. This is not correct and, prevents +-EPROBE_DEFER from being propagated properly. + +Notice that platform_get_irq() no longer returns 0 on error: +https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af + +Print and propagate the return value of platform_get_irq on failure. + +This issue was detected with the help of Coccinelle. + +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-xlp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-xlp.c b/drivers/spi/spi-xlp.c +index 8f04feca6ee3..0ddb0adaa8aa 100644 +--- a/drivers/spi/spi-xlp.c ++++ b/drivers/spi/spi-xlp.c +@@ -392,8 +392,8 @@ static int xlp_spi_probe(struct platform_device *pdev) + + irq = platform_get_irq(pdev, 0); + if (irq < 0) { +- dev_err(&pdev->dev, "no IRQ resource found\n"); +- return -EINVAL; ++ dev_err(&pdev->dev, "no IRQ resource found: %d\n", irq); ++ return irq; + } + err = devm_request_irq(&pdev->dev, irq, xlp_spi_interrupt, 0, + pdev->name, xspi); +-- +2.17.1 + diff --git a/queue-4.4/sr9800-check-for-supported-wake-on-lan-modes.patch b/queue-4.4/sr9800-check-for-supported-wake-on-lan-modes.patch new file mode 100644 index 00000000000..e3e26088ee6 --- /dev/null +++ b/queue-4.4/sr9800-check-for-supported-wake-on-lan-modes.patch @@ -0,0 +1,36 @@ +From bc616046d461daac1dd6e44fc3608433f437b537 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 28 Sep 2018 16:18:53 -0700 +Subject: sr9800: Check for supported Wake-on-LAN modes + +[ Upstream commit c5cb93e994ffb43b7b3b1ff10b9f928f54574a36 ] + +The driver currently silently accepts unsupported Wake-on-LAN modes +(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user, +which is confusing. + +Fixes: 19a38d8e0aa3 ("USB2NET : SR9800 : One chip USB2.0 USB2NET SR9800 Device Driver Support") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/sr9800.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/sr9800.c b/drivers/net/usb/sr9800.c +index a50df0d8fb9a..004c955c1fd1 100644 +--- a/drivers/net/usb/sr9800.c ++++ b/drivers/net/usb/sr9800.c +@@ -421,6 +421,9 @@ sr_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo) + struct usbnet *dev = netdev_priv(net); + u8 opt = 0; + ++ if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC)) ++ return -EINVAL; ++ + if (wolinfo->wolopts & WAKE_PHY) + opt |= SR_MONITOR_LINK; + if (wolinfo->wolopts & WAKE_MAGIC) +-- +2.17.1 + diff --git a/queue-4.4/thermal-allow-spear-thermal-driver-to-be-a-module.patch b/queue-4.4/thermal-allow-spear-thermal-driver-to-be-a-module.patch new file mode 100644 index 00000000000..438cdacdabc --- /dev/null +++ b/queue-4.4/thermal-allow-spear-thermal-driver-to-be-a-module.patch @@ -0,0 +1,41 @@ +From 6a0e98669184a4a3ab2ecf8ce0c869b35271b140 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 25 Jan 2016 17:44:11 +0100 +Subject: thermal: allow spear-thermal driver to be a module + +[ Upstream commit 4d2f1794c07aae55b8f25f4d8aebcafc0d3e501d ] + +When the thermal subsystem is a loadable module, the spear driver +fails to build: + +drivers/thermal/built-in.o: In function `spear_thermal_exit': +spear_thermal.c:(.text+0xf8): undefined reference to `thermal_zone_device_unregister' +drivers/thermal/built-in.o: In function `spear_thermal_probe': +spear_thermal.c:(.text+0x230): undefined reference to `thermal_zone_device_register' + +This changes the symbol to a tristate, so Kconfig can track the +dependency correctly. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Eduardo Valentin +Signed-off-by: Sasha Levin +--- + drivers/thermal/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/thermal/Kconfig b/drivers/thermal/Kconfig +index 4b660b5beb98..b556fa8250fc 100644 +--- a/drivers/thermal/Kconfig ++++ b/drivers/thermal/Kconfig +@@ -195,7 +195,7 @@ config IMX_THERMAL + passive trip is crossed. + + config SPEAR_THERMAL +- bool "SPEAr thermal sensor driver" ++ tristate "SPEAr thermal sensor driver" + depends on PLAT_SPEAR || COMPILE_TEST + depends on OF + help +-- +2.17.1 + diff --git a/queue-4.4/thermal-allow-u8500-thermal-driver-to-be-a-module.patch b/queue-4.4/thermal-allow-u8500-thermal-driver-to-be-a-module.patch new file mode 100644 index 00000000000..4619f7f5180 --- /dev/null +++ b/queue-4.4/thermal-allow-u8500-thermal-driver-to-be-a-module.patch @@ -0,0 +1,70 @@ +From 56c66efa8ca51fc4ed9c0c05d4958c9ab7b3c9c2 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 25 Jan 2016 17:44:12 +0100 +Subject: thermal: allow u8500-thermal driver to be a module + +[ Upstream commit 26716ce124fce88f288f07738ef685d5dfe5c13f ] + +When the thermal subsystem is a loadable module, the u8500 driver +fails to build: + +drivers/thermal/built-in.o: In function `db8500_thermal_probe': +db8500_thermal.c:(.text+0x96c): undefined reference to `thermal_zone_device_register' +drivers/thermal/built-in.o: In function `db8500_thermal_work': +db8500_thermal.c:(.text+0xab4): undefined reference to `thermal_zone_device_update' + +This changes the symbol to a tristate, so Kconfig can track the +dependency correctly. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Eduardo Valentin +Signed-off-by: Sasha Levin +--- + drivers/mfd/db8500-prcmu.c | 3 +++ + drivers/thermal/Kconfig | 4 ++-- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/mfd/db8500-prcmu.c b/drivers/mfd/db8500-prcmu.c +index e6e4bacb09ee..12099b09a9a7 100644 +--- a/drivers/mfd/db8500-prcmu.c ++++ b/drivers/mfd/db8500-prcmu.c +@@ -2048,6 +2048,7 @@ int db8500_prcmu_config_hotmon(u8 low, u8 high) + + return 0; + } ++EXPORT_SYMBOL_GPL(db8500_prcmu_config_hotmon); + + static int config_hot_period(u16 val) + { +@@ -2074,11 +2075,13 @@ int db8500_prcmu_start_temp_sense(u16 cycles32k) + + return config_hot_period(cycles32k); + } ++EXPORT_SYMBOL_GPL(db8500_prcmu_start_temp_sense); + + int db8500_prcmu_stop_temp_sense(void) + { + return config_hot_period(0xFFFF); + } ++EXPORT_SYMBOL_GPL(db8500_prcmu_stop_temp_sense); + + static int prcmu_a9wdog(u8 cmd, u8 d0, u8 d1, u8 d2, u8 d3) + { +diff --git a/drivers/thermal/Kconfig b/drivers/thermal/Kconfig +index b556fa8250fc..1def65d2f0b5 100644 +--- a/drivers/thermal/Kconfig ++++ b/drivers/thermal/Kconfig +@@ -237,8 +237,8 @@ config DOVE_THERMAL + framework. + + config DB8500_THERMAL +- bool "DB8500 thermal management" +- depends on ARCH_U8500 ++ tristate "DB8500 thermal management" ++ depends on MFD_DB8500_PRCMU + default y + help + Adds DB8500 thermal management implementation according to the thermal +-- +2.17.1 + diff --git a/queue-4.4/tpm-fix-return-rc-when-devm_add_action-fails.patch b/queue-4.4/tpm-fix-return-rc-when-devm_add_action-fails.patch new file mode 100644 index 00000000000..2308c7eab4f --- /dev/null +++ b/queue-4.4/tpm-fix-return-rc-when-devm_add_action-fails.patch @@ -0,0 +1,37 @@ +From cb6bb33d013990435386880e95fe9a620f6ccfea Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen +Date: Sat, 13 Feb 2016 11:58:16 +0200 +Subject: tpm: fix: return rc when devm_add_action() fails + +[ Upstream commit 4f3b193dee4423d8c89c9a3e8e05f9197ea459a4 ] + +Call put_device() and return error code if devm_add_action() fails. + +Signed-off-by: Jarkko Sakkinen +Reported-by: Jason Gunthorpe +Fixes: 8e0ee3c9faed ("tpm: fix the cleanup of struct tpm_chip") +Signed-off-by: Sasha Levin +--- + drivers/char/tpm/tpm-chip.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c +index e759100e41a7..28894878dcd5 100644 +--- a/drivers/char/tpm/tpm-chip.c ++++ b/drivers/char/tpm/tpm-chip.c +@@ -230,7 +230,11 @@ struct tpm_chip *tpmm_chip_alloc(struct device *dev, + chip->cdev.owner = dev->driver->owner; + chip->cdev.kobj.parent = &chip->dev.kobj; + +- devm_add_action(dev, (void (*)(void *)) put_device, &chip->dev); ++ rc = devm_add_action(dev, (void (*)(void *)) put_device, &chip->dev); ++ if (rc) { ++ put_device(&chip->dev); ++ return ERR_PTR(rc); ++ } + + return chip; + } +-- +2.17.1 + diff --git a/queue-4.4/tracing-skip-more-functions-when-doing-stack-tracing.patch b/queue-4.4/tracing-skip-more-functions-when-doing-stack-tracing.patch new file mode 100644 index 00000000000..30852dace06 --- /dev/null +++ b/queue-4.4/tracing-skip-more-functions-when-doing-stack-tracing.patch @@ -0,0 +1,120 @@ +From 419e533634a2706954d37186dce961d8adf78388 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Red Hat)" +Date: Thu, 23 Jun 2016 14:03:47 -0400 +Subject: tracing: Skip more functions when doing stack tracing of events + +[ Upstream commit be54f69c26193de31053190761e521903b89d098 ] + + # echo 1 > options/stacktrace + # echo 1 > events/sched/sched_switch/enable + # cat trace + -0 [002] d..2 1982.525169: + => save_stack_trace + => __ftrace_trace_stack + => trace_buffer_unlock_commit_regs + => event_trigger_unlock_commit + => trace_event_buffer_commit + => trace_event_raw_event_sched_switch + => __schedule + => schedule + => schedule_preempt_disabled + => cpu_startup_entry + => start_secondary + +The above shows that we are seeing 6 functions before ever making it to the +caller of the sched_switch event. + + # echo stacktrace > events/sched/sched_switch/trigger + # cat trace + -0 [002] d..3 2146.335208: + => trace_event_buffer_commit + => trace_event_raw_event_sched_switch + => __schedule + => schedule + => schedule_preempt_disabled + => cpu_startup_entry + => start_secondary + +The stacktrace trigger isn't as bad, because it adds its own skip to the +stacktracing, but still has two events extra. + +One issue is that if the stacktrace passes its own "regs" then there should +be no addition to the skip, as the regs will not include the functions being +called. This was an issue that was fixed by commit 7717c6be6999 ("tracing: +Fix stacktrace skip depth in trace_buffer_unlock_commit_regs()" as adding +the skip number for kprobes made the probes not have any stack at all. + +But since this is only an issue when regs is being used, a skip should be +added if regs is NULL. Now we have: + + # echo 1 > options/stacktrace + # echo 1 > events/sched/sched_switch/enable + # cat trace + -0 [000] d..2 1297.676333: + => __schedule + => schedule + => schedule_preempt_disabled + => cpu_startup_entry + => rest_init + => start_kernel + => x86_64_start_reservations + => x86_64_start_kernel + + # echo stacktrace > events/sched/sched_switch/trigger + # cat trace + -0 [002] d..3 1370.759745: + => __schedule + => schedule + => schedule_preempt_disabled + => cpu_startup_entry + => start_secondary + +And kprobes are not touched. + +Reported-by: Peter Zijlstra +Signed-off-by: Steven Rostedt +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index e409ddce8754..1a47a64d623f 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -1757,7 +1757,17 @@ void trace_buffer_unlock_commit_regs(struct trace_array *tr, + { + __buffer_unlock_commit(buffer, event); + +- ftrace_trace_stack(tr, buffer, flags, 0, pc, regs); ++ /* ++ * If regs is not set, then skip the following callers: ++ * trace_buffer_unlock_commit_regs ++ * event_trigger_unlock_commit ++ * trace_event_buffer_commit ++ * trace_event_raw_event_sched_switch ++ * Note, we can still get here via blktrace, wakeup tracer ++ * and mmiotrace, but that's ok if they lose a function or ++ * two. They are that meaningful. ++ */ ++ ftrace_trace_stack(tr, buffer, flags, regs ? 0 : 4, pc, regs); + ftrace_trace_userstack(buffer, flags, pc); + } + EXPORT_SYMBOL_GPL(trace_buffer_unlock_commit_regs); +@@ -1815,6 +1825,13 @@ static void __ftrace_trace_stack(struct ring_buffer *buffer, + trace.nr_entries = 0; + trace.skip = skip; + ++ /* ++ * Add two, for this function and the call to save_stack_trace() ++ * If regs is set, then these functions will not be in the way. ++ */ ++ if (!regs) ++ trace.skip += 2; ++ + /* + * Since events can happen in NMIs there's no safe way to + * use the per cpu ftrace_stacks. We reserve it and if an interrupt +-- +2.17.1 + diff --git a/queue-4.4/tty-serial-sprd-fix-error-return-code-in-sprd_probe.patch b/queue-4.4/tty-serial-sprd-fix-error-return-code-in-sprd_probe.patch new file mode 100644 index 00000000000..9835f283471 --- /dev/null +++ b/queue-4.4/tty-serial-sprd-fix-error-return-code-in-sprd_probe.patch @@ -0,0 +1,43 @@ +From 45eae3da7fd08cacbb58fd9020fc245eee9beab2 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Tue, 8 Aug 2017 17:42:46 -0500 +Subject: tty: serial: sprd: fix error return code in sprd_probe() + +[ Upstream commit ec085c5a51b768947ca481f90b66653e36b3c566 ] + +platform_get_irq() returns an error code, but the sprd_serial driver +ignores it and always returns -ENODEV. This is not correct and, +prevents -EPROBE_DEFER from being propagated properly. + +Also, notice that platform_get_irq() no longer returns 0 on error: +https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af + +Print and propagate the return value of platform_get_irq on failure. + +This issue was detected with the help of Coccinelle. + +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/sprd_serial.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/serial/sprd_serial.c b/drivers/tty/serial/sprd_serial.c +index 9dbae01d41ce..1e302caaa450 100644 +--- a/drivers/tty/serial/sprd_serial.c ++++ b/drivers/tty/serial/sprd_serial.c +@@ -731,8 +731,8 @@ static int sprd_probe(struct platform_device *pdev) + + irq = platform_get_irq(pdev, 0); + if (irq < 0) { +- dev_err(&pdev->dev, "not provide irq resource\n"); +- return -ENODEV; ++ dev_err(&pdev->dev, "not provide irq resource: %d\n", irq); ++ return irq; + } + up->irq = irq; + +-- +2.17.1 + diff --git a/queue-4.4/um-avoid-longjmp-setjmp-symbol-clashes-with-libpthre.patch b/queue-4.4/um-avoid-longjmp-setjmp-symbol-clashes-with-libpthre.patch new file mode 100644 index 00000000000..061cc23bb99 --- /dev/null +++ b/queue-4.4/um-avoid-longjmp-setjmp-symbol-clashes-with-libpthre.patch @@ -0,0 +1,140 @@ +From c0f92385b25f409d719ac6c2e957e98e1ac3ea9a Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Tue, 23 May 2017 17:32:31 -0700 +Subject: um: Avoid longjmp/setjmp symbol clashes with libpthread.a + +[ Upstream commit f44f1e7da7c8e3f4575d5d61c4df978496903fcc ] + +Building a statically linked UML kernel on a Centos 6.9 host resulted in +the following linking failure (GCC 4.4, glibc-2.12): + +/usr/lib/gcc/x86_64-redhat-linux/4.4.7/../../../../lib64/libpthread.a(libpthread.o): +In function `siglongjmp': +(.text+0x8490): multiple definition of `longjmp' +arch/x86/um/built-in.o:/local/users/fainelli/openwrt/trunk/build_dir/target-x86_64_musl/linux-uml/linux-4.4.69/arch/x86/um/setjmp_64.S:44: +first defined here +/usr/lib/gcc/x86_64-redhat-linux/4.4.7/../../../../lib64/libpthread.a(libpthread.o): +In function `sem_open': +(.text+0x77cd): warning: the use of `mktemp' is dangerous, better use +`mkstemp' +collect2: ld returned 1 exit status +make[4]: *** [vmlinux] Error 1 + +Adopt a solution similar to the one done for vmap where we define +longjmp/setjmp to be kernel_longjmp/setjmp. In the process, make sure we +do rename the functions in arch/x86/um/setjmp_*.S accordingly. + +Fixes: a7df4716d195 ("um: link with -lpthread") +Signed-off-by: Florian Fainelli +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/Makefile | 4 ++++ + arch/x86/um/setjmp_32.S | 16 ++++++++-------- + arch/x86/um/setjmp_64.S | 16 ++++++++-------- + 3 files changed, 20 insertions(+), 16 deletions(-) + +diff --git a/arch/um/Makefile b/arch/um/Makefile +index 9ccf462131c4..d9cd7ed27834 100644 +--- a/arch/um/Makefile ++++ b/arch/um/Makefile +@@ -59,10 +59,14 @@ KBUILD_CPPFLAGS += -I$(srctree)/$(HOST_DIR)/um + # Same things for in6addr_loopback and mktime - found in libc. For these two we + # only get link-time error, luckily. + # ++# -Dlongjmp=kernel_longjmp prevents anything from referencing the libpthread.a ++# embedded copy of longjmp, same thing for setjmp. ++# + # These apply to USER_CFLAGS to. + + KBUILD_CFLAGS += $(CFLAGS) $(CFLAGS-y) -D__arch_um__ \ + $(ARCH_INCLUDE) $(MODE_INCLUDE) -Dvmap=kernel_vmap \ ++ -Dlongjmp=kernel_longjmp -Dsetjmp=kernel_setjmp \ + -Din6addr_loopback=kernel_in6addr_loopback \ + -Din6addr_any=kernel_in6addr_any -Dstrrchr=kernel_strrchr + +diff --git a/arch/x86/um/setjmp_32.S b/arch/x86/um/setjmp_32.S +index b766792c9933..39053192918d 100644 +--- a/arch/x86/um/setjmp_32.S ++++ b/arch/x86/um/setjmp_32.S +@@ -16,9 +16,9 @@ + + .text + .align 4 +- .globl setjmp +- .type setjmp, @function +-setjmp: ++ .globl kernel_setjmp ++ .type kernel_setjmp, @function ++kernel_setjmp: + #ifdef _REGPARM + movl %eax,%edx + #else +@@ -35,13 +35,13 @@ setjmp: + movl %ecx,20(%edx) # Return address + ret + +- .size setjmp,.-setjmp ++ .size kernel_setjmp,.-kernel_setjmp + + .text + .align 4 +- .globl longjmp +- .type longjmp, @function +-longjmp: ++ .globl kernel_longjmp ++ .type kernel_longjmp, @function ++kernel_longjmp: + #ifdef _REGPARM + xchgl %eax,%edx + #else +@@ -55,4 +55,4 @@ longjmp: + movl 16(%edx),%edi + jmp *20(%edx) + +- .size longjmp,.-longjmp ++ .size kernel_longjmp,.-kernel_longjmp +diff --git a/arch/x86/um/setjmp_64.S b/arch/x86/um/setjmp_64.S +index 45f547b4043e..c56942e1a38c 100644 +--- a/arch/x86/um/setjmp_64.S ++++ b/arch/x86/um/setjmp_64.S +@@ -18,9 +18,9 @@ + + .text + .align 4 +- .globl setjmp +- .type setjmp, @function +-setjmp: ++ .globl kernel_setjmp ++ .type kernel_setjmp, @function ++kernel_setjmp: + pop %rsi # Return address, and adjust the stack + xorl %eax,%eax # Return value + movq %rbx,(%rdi) +@@ -34,13 +34,13 @@ setjmp: + movq %rsi,56(%rdi) # Return address + ret + +- .size setjmp,.-setjmp ++ .size kernel_setjmp,.-kernel_setjmp + + .text + .align 4 +- .globl longjmp +- .type longjmp, @function +-longjmp: ++ .globl kernel_longjmp ++ .type kernel_longjmp, @function ++kernel_longjmp: + movl %esi,%eax # Return value (int) + movq (%rdi),%rbx + movq 8(%rdi),%rsp +@@ -51,4 +51,4 @@ longjmp: + movq 48(%rdi),%r15 + jmp *56(%rdi) + +- .size longjmp,.-longjmp ++ .size kernel_longjmp,.-kernel_longjmp +-- +2.17.1 + diff --git a/queue-4.4/usb-dwc3-omap-fix-error-return-code-in-dwc3_omap_pro.patch b/queue-4.4/usb-dwc3-omap-fix-error-return-code-in-dwc3_omap_pro.patch new file mode 100644 index 00000000000..84cfceee7d9 --- /dev/null +++ b/queue-4.4/usb-dwc3-omap-fix-error-return-code-in-dwc3_omap_pro.patch @@ -0,0 +1,43 @@ +From dbc66d459b932baeebf791d8cde7d9f5fa40bb26 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Mon, 7 Aug 2017 23:25:34 -0500 +Subject: usb: dwc3: omap: fix error return code in dwc3_omap_probe() + +[ Upstream commit 0ae99ecba7928c7bc66cf14d8a88f0b6ec9fc78e ] + +platform_get_irq() returns an error code, but the dwc3-omap driver +ignores it and always returns -EINVAL. This is not correct and, +prevents -EPROBE_DEFER from being propagated properly. + +Notice that platform_get_irq() no longer returns 0 on error: +https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af + +Print and propagate the return value of platform_get_irq on failure. + +This issue was detected with the help of Coccinelle. + +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-omap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/dwc3/dwc3-omap.c b/drivers/usb/dwc3/dwc3-omap.c +index 22e9606d8e08..9078af0ce06c 100644 +--- a/drivers/usb/dwc3/dwc3-omap.c ++++ b/drivers/usb/dwc3/dwc3-omap.c +@@ -469,8 +469,8 @@ static int dwc3_omap_probe(struct platform_device *pdev) + + irq = platform_get_irq(pdev, 0); + if (irq < 0) { +- dev_err(dev, "missing IRQ resource\n"); +- return -EINVAL; ++ dev_err(dev, "missing IRQ resource: %d\n", irq); ++ return irq; + } + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +-- +2.17.1 + diff --git a/queue-4.4/usb-ehci-omap-fix-error-return-code-in-ehci_hcd_omap.patch b/queue-4.4/usb-ehci-omap-fix-error-return-code-in-ehci_hcd_omap.patch new file mode 100644 index 00000000000..a8403013266 --- /dev/null +++ b/queue-4.4/usb-ehci-omap-fix-error-return-code-in-ehci_hcd_omap.patch @@ -0,0 +1,44 @@ +From 7ee6098b6360867566b556fd51c622edb7e0f563 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Tue, 8 Aug 2017 17:26:13 -0500 +Subject: usb: ehci-omap: fix error return code in ehci_hcd_omap_probe() + +[ Upstream commit 99dbff202e28ad1dadf55b058bcae7908678e963 ] + +platform_get_irq() returns an error code, but the ehci-omap driver +ignores it and always returns -ENODEV. This is not correct and, +prevents -EPROBE_DEFER from being propagated properly. + +Also, notice that platform_get_irq() no longer returns 0 on error: +https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af + +Print and propagate the return value of platform_get_irq on failure. + +This issue was detected with the help of Coccinelle. + +Signed-off-by: Gustavo A. R. Silva +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ehci-omap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/host/ehci-omap.c b/drivers/usb/host/ehci-omap.c +index a24720beb39d..cccde8217f28 100644 +--- a/drivers/usb/host/ehci-omap.c ++++ b/drivers/usb/host/ehci-omap.c +@@ -130,8 +130,8 @@ static int ehci_hcd_omap_probe(struct platform_device *pdev) + + irq = platform_get_irq(pdev, 0); + if (irq < 0) { +- dev_err(dev, "EHCI irq failed\n"); +- return -ENODEV; ++ dev_err(dev, "EHCI irq failed: %d\n", irq); ++ return irq; + } + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +-- +2.17.1 + diff --git a/queue-4.4/usb-imx21-hcd-fix-error-return-code-in-imx21_probe.patch b/queue-4.4/usb-imx21-hcd-fix-error-return-code-in-imx21_probe.patch new file mode 100644 index 00000000000..3b9ff932a32 --- /dev/null +++ b/queue-4.4/usb-imx21-hcd-fix-error-return-code-in-imx21_probe.patch @@ -0,0 +1,46 @@ +From baaadd49906a656dc8ab6eaeb6139c2b95a74849 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Mon, 7 Aug 2017 23:14:23 -0500 +Subject: usb: imx21-hcd: fix error return code in imx21_probe() + +[ Upstream commit 46edf52d08342b3dc1f9a61c5200ab8b1c0f5a37 ] + +platform_get_irq() returns an error code, but the imx21-hcd driver +ignores it and always returns -ENXIO. This is not correct, and +prevents -EPROBE_DEFER from being propagated properly. + +Notice that platform_get_irq() no longer returns 0 on error: +https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af + +Print error message and propagate the return value of platform_get_irq +on failure. + +This issue was detected with the help of Coccinelle. + +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/imx21-hcd.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/host/imx21-hcd.c b/drivers/usb/host/imx21-hcd.c +index f542045dc2a6..e25d72e0527f 100644 +--- a/drivers/usb/host/imx21-hcd.c ++++ b/drivers/usb/host/imx21-hcd.c +@@ -1849,8 +1849,10 @@ static int imx21_probe(struct platform_device *pdev) + if (!res) + return -ENODEV; + irq = platform_get_irq(pdev, 0); +- if (irq < 0) +- return -ENXIO; ++ if (irq < 0) { ++ dev_err(&pdev->dev, "Failed to get IRQ: %d\n", irq); ++ return irq; ++ } + + hcd = usb_create_hcd(&imx21_hc_driver, + &pdev->dev, dev_name(&pdev->dev)); +-- +2.17.1 + diff --git a/queue-4.4/usb-storage-fix-bogus-hardware-error-messages-for-at.patch b/queue-4.4/usb-storage-fix-bogus-hardware-error-messages-for-at.patch new file mode 100644 index 00000000000..08641cf09c3 --- /dev/null +++ b/queue-4.4/usb-storage-fix-bogus-hardware-error-messages-for-at.patch @@ -0,0 +1,92 @@ +From f25c4745ad087ec7c821854d17eec0014b8e8483 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Thu, 21 Sep 2017 16:02:05 -0400 +Subject: usb-storage: fix bogus hardware error messages for ATA pass-thru + devices + +[ Upstream commit a4fd4a724d6c30ad671046d83be2e9be2f11d275 ] + +Ever since commit a621bac3044e ("scsi_lib: correctly retry failed zero +length REQ_TYPE_FS commands"), people have been getting bogus error +messages for USB disk drives using ATA pass-thru. For example: + +[ 1344.880193] sd 6:0:0:0: [sdb] Attached SCSI disk +[ 1345.069152] sd 6:0:0:0: [sdb] tag#0 FAILED Result: hostbyte=DID_ERROR driverbyte=DRIVER_SENSE +[ 1345.069159] sd 6:0:0:0: [sdb] tag#0 Sense Key : Hardware Error [current] [descriptor] +[ 1345.069162] sd 6:0:0:0: [sdb] tag#0 Add. Sense: No additional sense information +[ 1345.069168] sd 6:0:0:0: [sdb] tag#0 CDB: ATA command pass through(16) 85 06 20 00 00 00 00 00 00 00 00 00 00 00 e5 00 +[ 1345.172252] sd 6:0:0:0: [sdb] tag#0 FAILED Result: hostbyte=DID_ERROR driverbyte=DRIVER_SENSE +[ 1345.172258] sd 6:0:0:0: [sdb] tag#0 Sense Key : Hardware Error [current] [descriptor] +[ 1345.172261] sd 6:0:0:0: [sdb] tag#0 Add. Sense: No additional sense information +[ 1345.172266] sd 6:0:0:0: [sdb] tag#0 CDB: ATA command pass through(12)/Blank a1 06 20 da 00 00 4f c2 00 b0 00 00 + +These messages can be quite annoying, because programs like udisks2 +provoke them every 10 minutes or so. Other programs can also have +this effect, such as those in smartmontools. + +I don't fully understand how that commit induced the SCSI core to log +these error messages, but the underlying cause for them is code added +to usb-storage by commit f1a0743bc0e7 ("USB: storage: When a device +returns no sense data, call it a Hardware Error"). At the time it was +necessary to do this, in order to prevent an infinite retry loop with +some not-so-great mass storage devices. + +However, the ATA pass-thru protocol uses SCSI sense data to return +command status values, and some devices always report Check Condition +status for ATA pass-thru commands to ensure that the host retrieves +the sense data, even if the command succeeded. This violates the USB +mass-storage protocol (Check Condition status is supposed to mean the +command failed), but we can't help that. + +This patch attempts to mitigate the problem of these bogus error +reports by changing usb-storage. The HARDWARE ERROR sense key will be +inserted only for commands that aren't ATA pass-thru. + +Thanks to Ewan Milne for pointing out that this mechanism was present +in usb-storage. 8 years after writing it, I had completely forgotten +its existence. + +Signed-off-by: Alan Stern +Tested-by: Kris Lindgren +Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1351305 +CC: Ewan D. Milne +CC: +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/storage/transport.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/storage/transport.c b/drivers/usb/storage/transport.c +index 02f86dd1a340..90a7bffe3484 100644 +--- a/drivers/usb/storage/transport.c ++++ b/drivers/usb/storage/transport.c +@@ -808,12 +808,24 @@ Retry_Sense: + if (result == USB_STOR_TRANSPORT_GOOD) { + srb->result = SAM_STAT_GOOD; + srb->sense_buffer[0] = 0x0; ++ } ++ ++ /* ++ * ATA-passthru commands use sense data to report ++ * the command completion status, and often devices ++ * return Check Condition status when nothing is ++ * wrong. ++ */ ++ else if (srb->cmnd[0] == ATA_16 || ++ srb->cmnd[0] == ATA_12) { ++ /* leave the data alone */ ++ } + + /* If there was a problem, report an unspecified + * hardware error to prevent the higher layers from + * entering an infinite retry loop. + */ +- } else { ++ else { + srb->result = DID_ERROR << 16; + if ((sshdr.response_code & 0x72) == 0x72) + srb->sense_buffer[1] = HARDWARE_ERROR; +-- +2.17.1 + diff --git a/queue-4.4/video-fbdev-pxa3xx_gcu-fix-error-return-code-in-pxa3.patch b/queue-4.4/video-fbdev-pxa3xx_gcu-fix-error-return-code-in-pxa3.patch new file mode 100644 index 00000000000..5f117454feb --- /dev/null +++ b/queue-4.4/video-fbdev-pxa3xx_gcu-fix-error-return-code-in-pxa3.patch @@ -0,0 +1,43 @@ +From 6eae0fa084c422d40c080687d781bf928ce3d6df Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Mon, 21 Aug 2017 16:49:58 +0200 +Subject: video: fbdev: pxa3xx_gcu: fix error return code in pxa3xx_gcu_probe() + +[ Upstream commit 7588f1ecc5f0c914e669d8afb6525f47cd1c4355 ] + +platform_get_irq() returns an error code, but the pxa3xx_gcu driver +ignores it and always returns -ENODEV. This is not correct and, +prevents -EPROBE_DEFER from being propagated properly. + +Also, notice that platform_get_irq() no longer returns 0 on error: +https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e330b9a6bb35dc7097a4f02cb1ae7b6f96df92af + +Print and propagate the return value of platform_get_irq on failure. + +This issue was detected with the help of Coccinelle. + +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/pxa3xx-gcu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c +index 50bce45e7f3d..933619da1a94 100644 +--- a/drivers/video/fbdev/pxa3xx-gcu.c ++++ b/drivers/video/fbdev/pxa3xx-gcu.c +@@ -626,8 +626,8 @@ static int pxa3xx_gcu_probe(struct platform_device *pdev) + /* request the IRQ */ + irq = platform_get_irq(pdev, 0); + if (irq < 0) { +- dev_err(dev, "no IRQ defined\n"); +- return -ENODEV; ++ dev_err(dev, "no IRQ defined: %d\n", irq); ++ return irq; + } + + ret = devm_request_irq(dev, irq, pxa3xx_gcu_handle_irq, +-- +2.17.1 + diff --git a/queue-4.4/vti6-flush-x-netns-xfrm-cache-when-vti-interface-is-.patch b/queue-4.4/vti6-flush-x-netns-xfrm-cache-when-vti-interface-is-.patch new file mode 100644 index 00000000000..345510a3c3f --- /dev/null +++ b/queue-4.4/vti6-flush-x-netns-xfrm-cache-when-vti-interface-is-.patch @@ -0,0 +1,109 @@ +From 8ca30b392ac6df1b2086fe663fec558b6e2a66eb Mon Sep 17 00:00:00 2001 +From: Nicolas Dichtel +Date: Fri, 30 Sep 2016 11:11:07 +0200 +Subject: vti6: flush x-netns xfrm cache when vti interface is removed + +[ Upstream commit 7f92083eb58f85ea114d97f65fcbe22be5b0468d ] + +This is the same fix than commit a5d0dc810abf ("vti: flush x-netns xfrm +cache when vti interface is removed") + +This patch fixes a refcnt problem when a x-netns vti6 interface is removed: +unregister_netdevice: waiting for vti6_test to become free. Usage count = 1 + +Here is a script to reproduce the problem: + +ip link set dev ntfp2 up +ip addr add dev ntfp2 2001::1/64 +ip link add vti6_test type vti6 local 2001::1 remote 2001::2 key 1 +ip netns add secure +ip link set vti6_test netns secure +ip netns exec secure ip link set vti6_test up +ip netns exec secure ip link s lo up +ip netns exec secure ip addr add dev vti6_test 2003::1/64 +ip -6 xfrm policy add dir out tmpl src 2001::1 dst 2001::2 proto esp \ + mode tunnel mark 1 +ip -6 xfrm policy add dir in tmpl src 2001::2 dst 2001::1 proto esp \ + mode tunnel mark 1 +ip xfrm state add src 2001::1 dst 2001::2 proto esp spi 1 mode tunnel \ + enc des3_ede 0x112233445566778811223344556677881122334455667788 mark 1 +ip xfrm state add src 2001::2 dst 2001::1 proto esp spi 1 mode tunnel \ + enc des3_ede 0x112233445566778811223344556677881122334455667788 mark 1 +ip netns exec secure ping6 -c 4 2003::2 +ip netns del secure + +CC: Lance Richardson +Signed-off-by: Nicolas Dichtel +Acked-by: Lance Richardson +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_vti.c | 31 +++++++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c +index 60d4052d97a6..51da5987952c 100644 +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -1140,6 +1140,33 @@ static struct xfrm6_protocol vti_ipcomp6_protocol __read_mostly = { + .priority = 100, + }; + ++static bool is_vti6_tunnel(const struct net_device *dev) ++{ ++ return dev->netdev_ops == &vti6_netdev_ops; ++} ++ ++static int vti6_device_event(struct notifier_block *unused, ++ unsigned long event, void *ptr) ++{ ++ struct net_device *dev = netdev_notifier_info_to_dev(ptr); ++ struct ip6_tnl *t = netdev_priv(dev); ++ ++ if (!is_vti6_tunnel(dev)) ++ return NOTIFY_DONE; ++ ++ switch (event) { ++ case NETDEV_DOWN: ++ if (!net_eq(t->net, dev_net(dev))) ++ xfrm_garbage_collect(t->net); ++ break; ++ } ++ return NOTIFY_DONE; ++} ++ ++static struct notifier_block vti6_notifier_block __read_mostly = { ++ .notifier_call = vti6_device_event, ++}; ++ + /** + * vti6_tunnel_init - register protocol and reserve needed resources + * +@@ -1150,6 +1177,8 @@ static int __init vti6_tunnel_init(void) + const char *msg; + int err; + ++ register_netdevice_notifier(&vti6_notifier_block); ++ + msg = "tunnel device"; + err = register_pernet_device(&vti6_net_ops); + if (err < 0) +@@ -1182,6 +1211,7 @@ xfrm_proto_ah_failed: + xfrm_proto_esp_failed: + unregister_pernet_device(&vti6_net_ops); + pernet_dev_failed: ++ unregister_netdevice_notifier(&vti6_notifier_block); + pr_err("vti6 init: failed to register %s\n", msg); + return err; + } +@@ -1196,6 +1226,7 @@ static void __exit vti6_tunnel_cleanup(void) + xfrm6_protocol_deregister(&vti_ah6_protocol, IPPROTO_AH); + xfrm6_protocol_deregister(&vti_esp6_protocol, IPPROTO_ESP); + unregister_pernet_device(&vti6_net_ops); ++ unregister_netdevice_notifier(&vti6_notifier_block); + } + + module_init(vti6_tunnel_init); +-- +2.17.1 + diff --git a/queue-4.4/x86-mm-pat-prevent-hang-during-boot-when-mapping-pag.patch b/queue-4.4/x86-mm-pat-prevent-hang-during-boot-when-mapping-pag.patch new file mode 100644 index 00000000000..bad95a04695 --- /dev/null +++ b/queue-4.4/x86-mm-pat-prevent-hang-during-boot-when-mapping-pag.patch @@ -0,0 +1,109 @@ +From fb477ee90324828bb5aea3cdba59a8851af49eb2 Mon Sep 17 00:00:00 2001 +From: Matt Fleming +Date: Tue, 20 Sep 2016 14:26:21 +0100 +Subject: x86/mm/pat: Prevent hang during boot when mapping pages + +[ Upstream commit e535ec0899d1fe52ec3a84c9bc03457ac67ad6f7 ] + +There's a mixture of signed 32-bit and unsigned 32-bit and 64-bit data +types used for keeping track of how many pages have been mapped. + +This leads to hangs during boot when mapping large numbers of pages +(multiple terabytes, as reported by Waiman) because those values are +interpreted as being negative. + +commit 742563777e8d ("x86/mm/pat: Avoid truncation when converting +cpa->numpages to address") fixed one of those bugs, but there is +another lurking in __change_page_attr_set_clr(). + +Additionally, the return value type for the populate_*() functions can +return negative values when a large number of pages have been mapped, +triggering the error paths even though no error occurred. + +Consistently use 64-bit types on 64-bit platforms when counting pages. +Even in the signed case this gives us room for regions 8PiB +(pebibytes) in size whilst still allowing the usual negative value +error checking idiom. + +Reported-by: Waiman Long +Cc: Ard Biesheuvel +Cc: Borislav Petkov +Cc: Linus Torvalds +CC: Theodore Ts'o +Cc: Arnd Bergmann +Cc: Greg Kroah-Hartman +Cc: Scott J Norton +Cc: Douglas Hatch +Signed-off-by: Matt Fleming +Signed-off-by: Sasha Levin +--- + arch/x86/mm/pageattr.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c +index 0e1dd7d47f05..26598e08666c 100644 +--- a/arch/x86/mm/pageattr.c ++++ b/arch/x86/mm/pageattr.c +@@ -955,11 +955,11 @@ static void populate_pte(struct cpa_data *cpa, + } + } + +-static int populate_pmd(struct cpa_data *cpa, +- unsigned long start, unsigned long end, +- unsigned num_pages, pud_t *pud, pgprot_t pgprot) ++static long populate_pmd(struct cpa_data *cpa, ++ unsigned long start, unsigned long end, ++ unsigned num_pages, pud_t *pud, pgprot_t pgprot) + { +- unsigned int cur_pages = 0; ++ long cur_pages = 0; + pmd_t *pmd; + pgprot_t pmd_pgprot; + +@@ -1029,12 +1029,12 @@ static int populate_pmd(struct cpa_data *cpa, + return num_pages; + } + +-static int populate_pud(struct cpa_data *cpa, unsigned long start, pgd_t *pgd, +- pgprot_t pgprot) ++static long populate_pud(struct cpa_data *cpa, unsigned long start, pgd_t *pgd, ++ pgprot_t pgprot) + { + pud_t *pud; + unsigned long end; +- int cur_pages = 0; ++ long cur_pages = 0; + pgprot_t pud_pgprot; + + end = start + (cpa->numpages << PAGE_SHIFT); +@@ -1090,7 +1090,7 @@ static int populate_pud(struct cpa_data *cpa, unsigned long start, pgd_t *pgd, + + /* Map trailing leftover */ + if (start < end) { +- int tmp; ++ long tmp; + + pud = pud_offset(pgd, start); + if (pud_none(*pud)) +@@ -1116,7 +1116,7 @@ static int populate_pgd(struct cpa_data *cpa, unsigned long addr) + pgprot_t pgprot = __pgprot(_KERNPG_TABLE); + pud_t *pud = NULL; /* shut up gcc */ + pgd_t *pgd_entry; +- int ret; ++ long ret; + + pgd_entry = cpa->pgd + pgd_index(addr); + +@@ -1351,7 +1351,8 @@ static int cpa_process_alias(struct cpa_data *cpa) + + static int __change_page_attr_set_clr(struct cpa_data *cpa, int checkalias) + { +- int ret, numpages = cpa->numpages; ++ unsigned long numpages = cpa->numpages; ++ int ret; + + while (numpages) { + /* +-- +2.17.1 + diff --git a/queue-4.4/x86-pci-mark-broadwell-ep-home-agent-1-as-having-non.patch b/queue-4.4/x86-pci-mark-broadwell-ep-home-agent-1-as-having-non.patch new file mode 100644 index 00000000000..3ac94beeafe --- /dev/null +++ b/queue-4.4/x86-pci-mark-broadwell-ep-home-agent-1-as-having-non.patch @@ -0,0 +1,66 @@ +From 56845b437b6eece18a11d3ff3dcbf65a64cba52d Mon Sep 17 00:00:00 2001 +From: Prarit Bhargava +Date: Wed, 11 May 2016 12:27:15 -0400 +Subject: x86/PCI: Mark Broadwell-EP Home Agent 1 as having non-compliant BARs + +[ Upstream commit da77b67195de1c65bef4908fa29967c4d0af2da2 ] + +Commit b894157145e4 ("x86/PCI: Mark Broadwell-EP Home Agent & PCU as having +non-compliant BARs") marked Home Agent 0 & PCU has having non-compliant +BARs. Home Agent 1 also has non-compliant BARs. + +Mark Home Agent 1 as having non-compliant BARs so the PCI core doesn't +touch them. + +The problem with these devices is documented in the Xeon v4 specification +update: + + BDF2 PCI BARs in the Home Agent Will Return Non-Zero Values + During Enumeration + + Problem: During system initialization the Operating System may access + the standard PCI BARs (Base Address Registers). Due to + this erratum, accesses to the Home Agent BAR registers (Bus + 1; Device 18; Function 0,4; Offsets (0x14-0x24) will return + non-zero values. + + Implication: The operating system may issue a warning. Intel has not + observed any functional failures due to this erratum. + +Link: http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v4-spec-update.html +Fixes: b894157145e4 ("x86/PCI: Mark Broadwell-EP Home Agent & PCU as having non-compliant BARs") +Signed-off-by: Prarit Bhargava +Signed-off-by: Bjorn Helgaas +CC: Thomas Gleixner +CC: Ingo Molnar +CC: "H. Peter Anvin" +CC: Andi Kleen +Signed-off-by: Sasha Levin +--- + arch/x86/pci/fixup.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/arch/x86/pci/fixup.c b/arch/x86/pci/fixup.c +index 0ae7e9fa348d..89f90549c6a8 100644 +--- a/arch/x86/pci/fixup.c ++++ b/arch/x86/pci/fixup.c +@@ -541,9 +541,16 @@ static void twinhead_reserve_killing_zone(struct pci_dev *dev) + } + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x27B9, twinhead_reserve_killing_zone); + ++/* ++ * Broadwell EP Home Agent BARs erroneously return non-zero values when read. ++ * ++ * See http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v4-spec-update.html ++ * entry BDF2. ++ */ + static void pci_bdwep_bar(struct pci_dev *dev) + { + dev->non_compliant_bars = 1; + } ++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6f60, pci_bdwep_bar); + DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fa0, pci_bdwep_bar); + DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fc0, pci_bdwep_bar); +-- +2.17.1 + diff --git a/queue-4.4/xfrm-clear-sk_dst_cache-when-applying-per-socket-pol.patch b/queue-4.4/xfrm-clear-sk_dst_cache-when-applying-per-socket-pol.patch new file mode 100644 index 00000000000..7cc3f9e522d --- /dev/null +++ b/queue-4.4/xfrm-clear-sk_dst_cache-when-applying-per-socket-pol.patch @@ -0,0 +1,56 @@ +From b16d33706e06771fe1fea6b77f4e48efa73162e1 Mon Sep 17 00:00:00 2001 +From: Jonathan Basseri +Date: Wed, 25 Oct 2017 09:52:27 -0700 +Subject: xfrm: Clear sk_dst_cache when applying per-socket policy. + +[ Upstream commit 2b06cdf3e688b98fcc9945873b5d42792bd4eee0 ] + +If a socket has a valid dst cache, then xfrm_lookup_route will get +skipped. However, the cache is not invalidated when applying policy to a +socket (i.e. IPV6_XFRM_POLICY). The result is that new policies are +sometimes ignored on those sockets. (Note: This was broken for IPv4 and +IPv6 at different times.) + +This can be demonstrated like so, +1. Create UDP socket. +2. connect() the socket. +3. Apply an outbound XFRM policy to the socket. (setsockopt) +4. send() data on the socket. + +Packets will continue to be sent in the clear instead of matching an +xfrm or returning a no-match error (EAGAIN). This affects calls to +send() and not sendto(). + +Invalidating the sk_dst_cache is necessary to correctly apply xfrm +policies. Since we do this in xfrm_user_policy(), the sk_lock was +already acquired in either do_ip_setsockopt() or do_ipv6_setsockopt(), +and we may call __sk_dst_reset(). + +Performance impact should be negligible, since this code is only called +when changing xfrm policy, and only affects the socket in question. + +Fixes: 00bc0ef5880d ("ipv6: Skip XFRM lookup if dst_entry in socket cache is valid") +Tested: https://android-review.googlesource.com/517555 +Tested: https://android-review.googlesource.com/418659 +Signed-off-by: Jonathan Basseri +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_state.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index d6a11af0bab1..9b6e51450fc5 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -1884,6 +1884,7 @@ int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen + if (err >= 0) { + xfrm_sk_policy_insert(sk, err, pol); + xfrm_pol_put(pol); ++ __sk_dst_reset(sk); + err = 0; + } + +-- +2.17.1 + diff --git a/queue-4.4/xfrm-validate-address-prefix-lengths-in-the-xfrm-sel.patch b/queue-4.4/xfrm-validate-address-prefix-lengths-in-the-xfrm-sel.patch new file mode 100644 index 00000000000..23edd6681ea --- /dev/null +++ b/queue-4.4/xfrm-validate-address-prefix-lengths-in-the-xfrm-sel.patch @@ -0,0 +1,63 @@ +From caf179fe1a0b5b6d2b0546d892f6b7fd12bd2358 Mon Sep 17 00:00:00 2001 +From: Steffen Klassert +Date: Wed, 1 Aug 2018 13:45:11 +0200 +Subject: xfrm: Validate address prefix lengths in the xfrm selector. + +[ Upstream commit 07bf7908950a8b14e81aa1807e3c667eab39287a ] + +We don't validate the address prefix lengths in the xfrm +selector we got from userspace. This can lead to undefined +behaviour in the address matching functions if the prefix +is too big for the given address family. Fix this by checking +the prefixes and refuse SA/policy insertation when a prefix +is invalid. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Air Icy +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index a9b4491a3cc4..c2e98dcba9fe 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -151,10 +151,16 @@ static int verify_newsa_info(struct xfrm_usersa_info *p, + err = -EINVAL; + switch (p->family) { + case AF_INET: ++ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) ++ goto out; ++ + break; + + case AF_INET6: + #if IS_ENABLED(CONFIG_IPV6) ++ if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128) ++ goto out; ++ + break; + #else + err = -EAFNOSUPPORT; +@@ -1312,10 +1318,16 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p) + + switch (p->sel.family) { + case AF_INET: ++ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) ++ return -EINVAL; ++ + break; + + case AF_INET6: + #if IS_ENABLED(CONFIG_IPV6) ++ if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128) ++ return -EINVAL; ++ + break; + #else + return -EAFNOSUPPORT; +-- +2.17.1 + diff --git a/queue-4.4/xfrm-validate-template-mode.patch b/queue-4.4/xfrm-validate-template-mode.patch new file mode 100644 index 00000000000..2fc5bf4ab7d --- /dev/null +++ b/queue-4.4/xfrm-validate-template-mode.patch @@ -0,0 +1,64 @@ +From 895b1ce57577b529f1c9a9d12b31515ef5aa76ae Mon Sep 17 00:00:00 2001 +From: Sean Tranchetti +Date: Wed, 19 Sep 2018 13:54:56 -0600 +Subject: xfrm: validate template mode + +[ Upstream commit 32bf94fb5c2ec4ec842152d0e5937cd4bb6738fa ] + +XFRM mode parameters passed as part of the user templates +in the IP_XFRM_POLICY are never properly validated. Passing +values other than valid XFRM modes can cause stack-out-of-bounds +reads to occur later in the XFRM processing: + +[ 140.535608] ================================================================ +[ 140.543058] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x17e4/0x1cc4 +[ 140.550306] Read of size 4 at addr ffffffc0238a7a58 by task repro/5148 +[ 140.557369] +[ 140.558927] Call trace: +[ 140.558936] dump_backtrace+0x0/0x388 +[ 140.558940] show_stack+0x24/0x30 +[ 140.558946] __dump_stack+0x24/0x2c +[ 140.558949] dump_stack+0x8c/0xd0 +[ 140.558956] print_address_description+0x74/0x234 +[ 140.558960] kasan_report+0x240/0x264 +[ 140.558963] __asan_report_load4_noabort+0x2c/0x38 +[ 140.558967] xfrm_state_find+0x17e4/0x1cc4 +[ 140.558971] xfrm_resolve_and_create_bundle+0x40c/0x1fb8 +[ 140.558975] xfrm_lookup+0x238/0x1444 +[ 140.558977] xfrm_lookup_route+0x48/0x11c +[ 140.558984] ip_route_output_flow+0x88/0xc4 +[ 140.558991] raw_sendmsg+0xa74/0x266c +[ 140.558996] inet_sendmsg+0x258/0x3b0 +[ 140.559002] sock_sendmsg+0xbc/0xec +[ 140.559005] SyS_sendto+0x3a8/0x5a8 +[ 140.559008] el0_svc_naked+0x34/0x38 +[ 140.559009] +[ 140.592245] page dumped because: kasan: bad access detected +[ 140.597981] page_owner info is not active (free page?) +[ 140.603267] +[ 140.653503] ================================================================ + +Signed-off-by: Sean Tranchetti +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index c2e98dcba9fe..476f1fc6d655 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -1408,6 +1408,9 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) + (ut[i].family != prev_family)) + return -EINVAL; + ++ if (ut[i].mode >= XFRM_MODE_MAX) ++ return -EINVAL; ++ + prev_family = ut[i].family; + + switch (ut[i].family) { +-- +2.17.1 + diff --git a/queue-4.4/xfrm6-call-kfree_skb-when-skb-is-toobig.patch b/queue-4.4/xfrm6-call-kfree_skb-when-skb-is-toobig.patch new file mode 100644 index 00000000000..7fd3866721c --- /dev/null +++ b/queue-4.4/xfrm6-call-kfree_skb-when-skb-is-toobig.patch @@ -0,0 +1,46 @@ +From 84c77fedd485e48ee5a167f6d50e84bcfd387e36 Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Fri, 31 Aug 2018 08:38:49 -0300 +Subject: xfrm6: call kfree_skb when skb is toobig + +[ Upstream commit 215ab0f021c9fea3c18b75e7d522400ee6a49990 ] + +After commit d6990976af7c5d8f55903bfb4289b6fb030bf754 ("vti6: fix PMTU caching +and reporting on xmit"), some too big skbs might be potentially passed down to +__xfrm6_output, causing it to fail to transmit but not free the skb, causing a +leak of skb, and consequentially a leak of dst references. + +After running pmtu.sh, that shows as failure to unregister devices in a namespace: + +[ 311.397671] unregister_netdevice: waiting for veth_b to become free. Usage count = 1 + +The fix is to call kfree_skb in case of transmit failures. + +Fixes: dd767856a36e ("xfrm6: Don't call icmpv6_send on local error") +Signed-off-by: Thadeu Lima de Souza Cascardo +Reviewed-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv6/xfrm6_output.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c +index 4d09ce6fa90e..64862c5084ee 100644 +--- a/net/ipv6/xfrm6_output.c ++++ b/net/ipv6/xfrm6_output.c +@@ -165,9 +165,11 @@ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb) + + if (toobig && xfrm6_local_dontfrag(skb)) { + xfrm6_local_rxpmtu(skb, mtu); ++ kfree_skb(skb); + return -EMSGSIZE; + } else if (!skb->ignore_df && toobig && skb->sk) { + xfrm_local_error(skb, mtu); ++ kfree_skb(skb); + return -EMSGSIZE; + } + +-- +2.17.1 +