From: Greg Kroah-Hartman Date: Sat, 12 Mar 2016 07:04:06 +0000 (-0800) Subject: 3.14-stable patches X-Git-Tag: v4.4.6~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4382fcd13a918e0aee6de733fa35f10111c493fe;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: asoc-wm8958-fix-enum-ctl-accesses-in-a-wrong-type.patch asoc-wm8994-fix-enum-ctl-accesses-in-a-wrong-type.patch iwlwifi-mvm-inc-pending-frames-counter-also-when-txing-non-sta.patch kvm-ppc-book3s-hv-sanitize-special-purpose-register-values-on-guest-exit.patch kvm-vmx-disable-pebs-before-a-guest-entry.patch mac80211-fix-use-of-uninitialised-values-in-rx-aggregation.patch mac80211-minstrel_ht-set-default-tx-aggregation-timeout-to-0.patch powerpc-fix-dedotify-for-binutils-2.26.patch tracing-fix-check-for-cpu-online-when-event-is-disabled.patch wext-fix-message-delay-ordering.patch
---
diff --git a/queue-3.14/asoc-wm8958-fix-enum-ctl-accesses-in-a-wrong-type.patch b/queue-3.14/asoc-wm8958-fix-enum-ctl-accesses-in-a-wrong-type.patch
new file mode 100644
index 00000000000..83fb7787139
--- /dev/null
+++ b/queue-3.14/asoc-wm8958-fix-enum-ctl-accesses-in-a-wrong-type.patch
@@ -0,0 +1,60 @@
+From d0784829ae3b0beeb69b476f017d5c8a2eb95198 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 29 Feb 2016 18:01:12 +0100
+Subject: ASoC: wm8958: Fix enum ctl accesses in a wrong type
+
+From: Takashi Iwai
+
+commit d0784829ae3b0beeb69b476f017d5c8a2eb95198 upstream.
+
+"MBC Mode", "VSS Mode", "VSS HPF Mode" and "Enhanced EQ Mode" ctls in
+wm8958 codec driver are enum, while the current driver accesses
+wrongly via value.integer.value[]. They have to be via
+value.enumerated.item[] instead.
+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/codecs/wm8958-dsp2.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/sound/soc/codecs/wm8958-dsp2.c
++++ b/sound/soc/codecs/wm8958-dsp2.c
+@@ -459,7 +459,7 @@ static int wm8958_put_mbc_enum(struct sn
+ struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
+ struct wm8994 *control = wm8994->wm8994;
+- int value = ucontrol->value.integer.value[0];
++ int value = ucontrol->value.enumerated.item[0];
+ int reg;
+
+ /* Don't allow on the fly reconfiguration */
+@@ -549,7 +549,7 @@ static int wm8958_put_vss_enum(struct sn
+ struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
+ struct wm8994 *control = wm8994->wm8994;
+- int value = ucontrol->value.integer.value[0];
++ int value = ucontrol->value.enumerated.item[0];
+ int reg;
+
+ /* Don't allow on the fly reconfiguration */
+@@ -582,7 +582,7 @@ static int wm8958_put_vss_hpf_enum(struc
+ struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
+ struct wm8994 *control = wm8994->wm8994;
+- int value = ucontrol->value.integer.value[0];
++ int value = ucontrol->value.enumerated.item[0];
+ int reg;
+
+ /* Don't allow on the fly reconfiguration */
+@@ -749,7 +749,7 @@ static int
wm8958_put_enh_eq_enum(struct
+ struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
+ struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec);
+ struct wm8994 *control = wm8994->wm8994;
+- int value = ucontrol->value.integer.value[0];
++ int value = ucontrol->value.enumerated.item[0];
+ int reg;
+
+ /* Don't allow on the fly reconfiguration */
diff --git a/queue-3.14/asoc-wm8994-fix-enum-ctl-accesses-in-a-wrong-type.patch b/queue-3.14/asoc-wm8994-fix-enum-ctl-accesses-in-a-wrong-type.patch
new file mode 100644
index 00000000000..2fdc7626183
--- /dev/null
+++ b/queue-3.14/asoc-wm8994-fix-enum-ctl-accesses-in-a-wrong-type.patch
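Review bot: In all four wm8958 put handlers (`wm8958_put_mbc_enum`, `wm8958_put_vss_enum`, `wm8958_put_vss_hpf_enum`, `wm8958_put_enh_eq_enum`) the userspace-supplied `enumerated.item[0]` is an unsigned int but is still stored in `int value`, so an item above INT_MAX becomes negative. The range check sits below the "Don't allow on the fly reconfiguration" test, outside these hunks; if it only compares against an upper bound, a negative value would pass it and presumably go on to select a configuration entry. Declaring `unsigned int value = ucontrol->value.enumerated.item[0];` closes that path however the later check is written. The same applies to `wm8994_put_drc_enum` and `wm8994_put_retune_mobile_enum` in the wm8994 patch that follows.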
@@ -0,0 +1,42 @@
+From 8019c0b37cd5a87107808300a496388b777225bf Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 29 Feb 2016 18:01:15 +0100
+Subject: ASoC: wm8994: Fix enum ctl accesses in a wrong type
+
+From: Takashi Iwai
+
+commit 8019c0b37cd5a87107808300a496388b777225bf upstream.
+
+The DRC Mode like "AIF1DRC1 Mode" and EQ Mode like "AIF1.1 EQ Mode" in
+wm8994 codec driver are enum ctls, while the current driver accesses
+wrongly via value.integer.value[]. They have to be via
+value.enumerated.item[] instead.
+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/codecs/wm8994.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/codecs/wm8994.c
++++ b/sound/soc/codecs/wm8994.c
+@@ -360,7 +360,7 @@ static int wm8994_put_drc_enum(struct sn
+ struct wm8994 *control = wm8994->wm8994;
+ struct wm8994_pdata *pdata = &control->pdata;
+ int drc = wm8994_get_drc(kcontrol->id.name);
+- int value = ucontrol->value.integer.value[0];
++ int value = ucontrol->value.enumerated.item[0];
+
+ if (drc < 0)
+ return drc;
+@@ -467,7 +467,7 @@ static int wm8994_put_retune_mobile_enum
+ struct wm8994 *control = wm8994->wm8994;
+ struct wm8994_pdata *pdata = &control->pdata;
+ int block = wm8994_get_retune_mobile_block(kcontrol->id.name);
+- int value = ucontrol->value.integer.value[0];
++ int value = ucontrol->value.enumerated.item[0];
+
+ if (block < 0)
+ return block;
diff --git a/queue-3.14/iwlwifi-mvm-inc-pending-frames-counter-also-when-txing-non-sta.patch b/queue-3.14/iwlwifi-mvm-inc-pending-frames-counter-also-when-txing-non-sta.patch
new file mode 100644
index 00000000000..c57a0dcc730
--- /dev/null
+++ b/queue-3.14/iwlwifi-mvm-inc-pending-frames-counter-also-when-txing-non-sta.patch
@@ -0,0 +1,47 @@
+From fb896c44f88a75843a072cd6961b1615732f7811 Mon Sep 17 00:00:00 2001
+From: Liad Kaufman
+Date: Sun, 14 Feb 2016 15:32:58 +0200
+Subject: iwlwifi: mvm: inc pending frames counter also when txing non-sta
+
+From: Liad Kaufman
+
+commit fb896c44f88a75843a072cd6961b1615732f7811 upstream.
+
+Until this patch, when TXing non-sta the pending_frames counter
+wasn't increased, but it WAS decreased in
+iwl_mvm_rx_tx_cmd_single(), what makes it negative in certain
+conditions. This in turn caused much trouble when we need to
+remove the station since we won't be waiting forever until
+pending_frames gets 0. In certain cases, we were exhausting
+the station table even in BSS mode, because we had a lot of
+stale stations.
+
+Increase the counter also in iwl_mvm_tx_skb_non_sta() after a
+successful TX to avoid this outcome.
+
+Signed-off-by: Liad Kaufman
+Signed-off-by: Emmanuel Grumbach
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/iwlwifi/mvm/tx.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/net/wireless/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/iwlwifi/mvm/tx.c
+@@ -341,6 +341,15 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mv
+ return -1;
+ }
+
++ /*
++ * Increase the pending frames counter, so that later when a reply comes
++ * in and the counter is decreased - we don't start getting negative
++ * values.
++ * Note that we don't need to make sure it isn't agg'd, since we're
++ * TXing non-sta
++ */
++ atomic_inc(&mvm->pending_frames[sta_id]);
++
+ return 0;
+ }
+
diff --git a/queue-3.14/kvm-ppc-book3s-hv-sanitize-special-purpose-register-values-on-guest-exit.patch b/queue-3.14/kvm-ppc-book3s-hv-sanitize-special-purpose-register-values-on-guest-exit.patch
new file mode 100644
index 00000000000..b430660a1b4
--- /dev/null
+++ b/queue-3.14/kvm-ppc-book3s-hv-sanitize-special-purpose-register-values-on-guest-exit.patch
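Review bot: `atomic_inc(&mvm->pending_frames[sta_id])` indexes the counter array with `sta_id` just before `return 0`, and nothing visible in the hunk bounds that index. iwl_mvm_tx_skb_non_sta() begins outside the hunk, so how `sta_id` is assigned cannot be checked here; if it can still hold an invalid-station sentinel on this path, the increment writes outside the array. Either validate it early in the function, for example `if (WARN_ON_ONCE(sta_id >= ARRAY_SIZE(mvm->pending_frames))) return -1;` (assuming pending_frames is a fixed-size array member), or extend the new comment to say why the index is always in range at this point.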
@@ -0,0 +1,53 @@
+From ccec44563b18a0ce90e2d4f332784b3cb25c8e9c Mon Sep 17 00:00:00 2001
+From: Paul Mackerras
+Date: Sat, 5 Mar 2016 19:34:39 +1100
+Subject: KVM: PPC: Book3S HV: Sanitize special-purpose register values on guest exit
+
+From: Paul Mackerras
+
+commit ccec44563b18a0ce90e2d4f332784b3cb25c8e9c upstream.
+
+Thomas Huth discovered that a guest could cause a hard hang of a
+host CPU by setting the Instruction Authority Mask Register (IAMR)
+to a suitable value. It turns out that this is because when the
+code was added to context-switch the new special-purpose registers
+(SPRs) that were added in POWER8, we forgot to add code to ensure
+that they were restored to a sane value on guest exit.
+
+This adds code to set those registers where a bad value could
+compromise the execution of the host kernel to a suitable neutral
+value on guest exit.
+
+Fixes: b005255e12a3
+Reported-by: Thomas Huth
+Reviewed-by: David Gibson
+Signed-off-by: Paul Mackerras
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kvm/book3s_hv_rmhandlers.S | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+@@ -1148,6 +1148,20 @@ END_FTR_SECTION_IFCLR(CPU_FTR_ARCH_207S)
+ std r6, VCPU_ACOP(r9)
+ stw r7, VCPU_GUEST_PID(r9)
+ std r8, VCPU_WORT(r9)
++ /*
++ * Restore various registers to 0, where non-zero values
++ * set by the guest could disrupt the host.
++ */
++ li r0, 0
++ mtspr SPRN_IAMR, r0
++ mtspr SPRN_CIABR, r0
++ mtspr SPRN_DAWRX, r0
++ mtspr SPRN_TCSCR, r0
++ mtspr SPRN_WORT, r0
++ /* Set MMCRS to 1<<31 to freeze and disable the SPMC counters */
++ li r0, 1
++ sldi r0, r0, 31
++ mtspr SPRN_MMCRS, r0
+ 8:
+
+ /* Save and reset AMR and UAMOR before turning on the MMU */
diff --git a/queue-3.14/kvm-vmx-disable-pebs-before-a-guest-entry.patch b/queue-3.14/kvm-vmx-disable-pebs-before-a-guest-entry.patch
new file mode 100644
index 00000000000..914fdc9044b
--- /dev/null
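Review bot: The new comment above `li r0, 0` says only that guest values "could disrupt the host", without recording which effect was observed or what keeps the register list complete. The commit message names IAMR as the register that let a guest hard-hang a host CPU; carrying that into the code, together with a reminder that any SPR added to the guest save sequence above needs a matching reset here, would make the invariant visible to whoever next extends the context switch. Suggested wording: `/* A guest-set IAMR can hard-hang the host CPU. Every SPR saved above that can affect host execution must be reset here. */`. The surrounding exit path starts and ends outside the hunk, so whether other saved SPRs need the same treatment cannot be judged from here.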
+++ b/queue-3.14/kvm-vmx-disable-pebs-before-a-guest-entry.patch 
@@ -0,0 +1,76 @@
+From 7099e2e1f4d9051f31bbfa5803adf954bb5d76ef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?=
+Date: Fri, 4 Mar 2016 15:08:42 +0100
+Subject: KVM: VMX: disable PEBS before a guest entry
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Radim Krčmář
+
+commit 7099e2e1f4d9051f31bbfa5803adf954bb5d76ef upstream.
+
+Linux guests on Haswell (and also SandyBridge and Broadwell, at least)
+would crash if you decided to run a host command that uses PEBS, like
+ perf record -e 'cpu/mem-stores/pp' -a
+
+This happens because KVM is using VMX MSR switching to disable PEBS, but
+SDM [2015-12] 18.4.4.4 Re-configuring PEBS Facilities explains why it
+isn't safe:
+ When software needs to reconfigure PEBS facilities, it should allow a
+ quiescent period between stopping the prior event counting and setting
+ up a new PEBS event. The quiescent period is to allow any latent
+ residual PEBS records to complete its capture at their previously
+ specified buffer address (provided by IA32_DS_AREA).
+
+There might not be a quiescent period after the MSR switch, so a CPU
+ends up using host's MSR_IA32_DS_AREA to access an area in guest's
+memory. (Or MSR switching is just buggy on some models.)
+
+The guest can learn something about the host this way:
+If the guest doesn't map address pointed by MSR_IA32_DS_AREA, it results
+in #PF where we leak host's MSR_IA32_DS_AREA through CR2.
+
+After that, a malicious guest can map and configure memory where
+MSR_IA32_DS_AREA is pointing and can therefore get an output from
+host's tracing.
+
+This is not a critical leak as the host must initiate with PEBS tracing
+and I have not been able to get a record from more than one instruction
+before vmentry in vmx_vcpu_run() (that place has most registers already
+overwritten with guest's).
+
+We could disable PEBS just few instructions before vmentry, but
+disabling it earlier shouldn't affect host tracing too much.
+We also don't need to switch MSR_IA32_PEBS_ENABLE on VMENTRY, but that
+optimization isn't worth its code, IMO.
+
+(If you are implementing PEBS for guests, be sure to handle the case
+ where both host and guest enable PEBS, because this patch doesn't.)
+
+Fixes: 26a4f3c08de4 ("perf/x86: disable PEBS on a guest entry.")
+Reported-by: Jiří Olša
+Signed-off-by: Radim Krčmář
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/vmx.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -1555,6 +1555,13 @@ static void add_atomic_switch_msr(struct
+ return;
+ }
+ break;
++ case MSR_IA32_PEBS_ENABLE:
++ /* PEBS needs a quiescent period after being disabled (to write
++ * a record). Disabling PEBS through VMX MSR swapping doesn't
++ * provide that period, so a CPU could write host's record into
++ * guest's memory.
++ */
++ wrmsrl(MSR_IA32_PEBS_ENABLE, 0);
+ }
+
+ for (i = 0; i < m->nr; ++i)
diff --git a/queue-3.14/mac80211-fix-use-of-uninitialised-values-in-rx-aggregation.patch b/queue-3.14/mac80211-fix-use-of-uninitialised-values-in-rx-aggregation.patch
new file mode 100644
index 00000000000..bfa160244be
--- /dev/null
+++ b/queue-3.14/mac80211-fix-use-of-uninitialised-values-in-rx-aggregation.patch
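Review bot: The new `case MSR_IA32_PEBS_ENABLE:` is the last label in the switch and ends without `break;`, unlike the case above it; adding `break;` after the `wrmsrl()` keeps a later case from silently falling into or out of it. The comment explains why VMX MSR swapping is unsafe but not what the explicit write relies on: the quiescent period now comes only from the code that runs between this call and VM entry, which the commit message treats as sufficient without measuring it. Saying so in the comment, e.g. `Clear it here, well before VM entry, so latent records drain into the host's DS area first`, makes that timing dependency visible to anyone who later moves the call closer to vmentry. add_atomic_switch_msr() begins and ends outside the hunk.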
@@ -0,0 +1,52 @@
+From f39ea2690bd61efec97622c48323f40ed6e16317 Mon Sep 17 00:00:00 2001
+From: Chris Bainbridge
+Date: Wed, 27 Jan 2016 15:46:18 +0000
+Subject: mac80211: fix use of uninitialised values in RX aggregation
+
+From: Chris Bainbridge
+
+commit f39ea2690bd61efec97622c48323f40ed6e16317 upstream.
+
+Use kzalloc instead of kmalloc for struct tid_ampdu_rx to
+initialize the "removed" field (all others are initialized
+manually). That fixes:
+
+UBSAN: Undefined behaviour in net/mac80211/rx.c:932:29
+load of value 2 is not a valid value for type '_Bool'
+CPU: 3 PID: 1134 Comm: kworker/u16:7 Not tainted 4.5.0-rc1+ #265
+Workqueue: phy0 rt2x00usb_work_rxdone
+ 0000000000000004 ffff880254a7ba50 ffffffff8181d866 0000000000000007
+ ffff880254a7ba78 ffff880254a7ba68 ffffffff8188422d ffffffff8379b500
+ ffff880254a7bab8 ffffffff81884747 0000000000000202 0000000348620032
+Call Trace:
+ [] dump_stack+0x45/0x5f
+ [] ubsan_epilogue+0xd/0x40
+ [] __ubsan_handle_load_invalid_value+0x67/0x70
+ [] ieee80211_sta_reorder_release.isra.16+0x5ed/0x730
+ [] ieee80211_prepare_and_rx_handle+0xd04/0x1c00
+ [] __ieee80211_rx_handle_packet+0x1f3/0x750
+ [] ieee80211_rx_napi+0x447/0x990
+
+While at it, convert to use sizeof(*tid_agg_rx) instead.
+
+Fixes: 788211d81bfdf ("mac80211: fix RX A-MPDU session reorder timer deletion")
+Signed-off-by: Chris Bainbridge
+[reword commit message, use sizeof(*tid_agg_rx)]
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/agg-rx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/agg-rx.c
++++ b/net/mac80211/agg-rx.c
+@@ -290,7 +290,7 @@ void ieee80211_process_addba_request(str
+ }
+
+ /* prepare A-MPDU MLME for Rx aggregation */
+- tid_agg_rx = kmalloc(sizeof(struct tid_ampdu_rx), GFP_KERNEL);
++ tid_agg_rx = kzalloc(sizeof(*tid_agg_rx), GFP_KERNEL);
+ if (!tid_agg_rx)
+ goto end;
+
diff --git a/queue-3.14/mac80211-minstrel_ht-set-default-tx-aggregation-timeout-to-0.patch b/queue-3.14/mac80211-minstrel_ht-set-default-tx-aggregation-timeout-to-0.patch
new file mode 100644
index 00000000000..432bb51651a
--- /dev/null
+++ b/queue-3.14/mac80211-minstrel_ht-set-default-tx-aggregation-timeout-to-0.patch
@@ -0,0 +1,40 @@
+From 7a36b930e6ed4702c866dc74a5ad07318a57c688 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau
+Date: Thu, 18 Feb 2016 19:49:18 +0100
+Subject: mac80211: minstrel_ht: set default tx aggregation timeout to 0
+
+From: Felix Fietkau
+
+commit 7a36b930e6ed4702c866dc74a5ad07318a57c688 upstream.
+
+The value 5000 was put here with the addition of the timeout field to
+ieee80211_start_tx_ba_session. It was originally added in mac80211 to
+save resources for drivers like iwlwifi, which only supports a limited
+number of concurrent aggregation sessions.
+
+Since iwlwifi does not use minstrel_ht and other drivers don't need
+this, 0 is a better default - especially since there have been
+recent reports of aggregation setup related issues reproduced with
+ath9k. This should improve stability without causing any adverse
+effects.
+
+Acked-by: Avery Pennarun
+Signed-off-by: Felix Fietkau
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/rc80211_minstrel_ht.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/rc80211_minstrel_ht.c
++++ b/net/mac80211/rc80211_minstrel_ht.c
+@@ -463,7 +463,7 @@ minstrel_aggr_check(struct ieee80211_sta
+ if (skb_get_queue_mapping(skb) == IEEE80211_AC_VO)
+ return;
+
+- ieee80211_start_tx_ba_session(pubsta, tid, 5000);
++ ieee80211_start_tx_ba_session(pubsta, tid, 0);
+ }
+
+ static void
diff --git a/queue-3.14/powerpc-fix-dedotify-for-binutils-2.26.patch b/queue-3.14/powerpc-fix-dedotify-for-binutils-2.26.patch
new file mode 100644
index 00000000000..709c129dcee
--- /dev/null
+++ b/queue-3.14/powerpc-fix-dedotify-for-binutils-2.26.patch
@@ -0,0 +1,37 @@
+From f15838e9cac8f78f0cc506529bb9d3b9fa589c1f Mon Sep 17 00:00:00 2001
+From: Andreas Schwab
+Date: Fri, 5 Feb 2016 19:50:03 +0100
+Subject: powerpc: Fix dedotify for binutils >= 2.26
+
+From: Andreas Schwab
+
+commit f15838e9cac8f78f0cc506529bb9d3b9fa589c1f upstream.
+
+Since binutils 2.26 BFD is doing suffix merging on STRTAB sections. But
+dedotify modifies the symbol names in place, which can also modify
+unrelated symbols with a name that matches a suffix of a dotted name. To
+remove the leading dot of a symbol name we can just increment the pointer
+into the STRTAB section instead.
+
+Backport to all stables to avoid breakage when people update their
+binutils - mpe.
+
+Signed-off-by: Andreas Schwab
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/module_64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/module_64.c
++++ b/arch/powerpc/kernel/module_64.c
+@@ -202,7 +202,7 @@ static void dedotify(Elf64_Sym *syms, un
+ if (syms[i].st_shndx == SHN_UNDEF) {
+ char *name = strtab + syms[i].st_name;
+ if (name[0] == '.')
+- memmove(name, name+1, strlen(name));
++ syms[i].st_name++;
+ }
+ }
+ }
diff --git a/queue-3.14/tracing-fix-check-for-cpu-online-when-event-is-disabled.patch b/queue-3.14/tracing-fix-check-for-cpu-online-when-event-is-disabled.patch
new file mode 100644
index 00000000000..e3df672030f
--- /dev/null
+++ b/queue-3.14/tracing-fix-check-for-cpu-online-when-event-is-disabled.patch
@@ -0,0 +1,72 @@
+From dc17147de328a74bbdee67c1bf37d2f1992de756 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)"
+Date: Wed, 9 Mar 2016 11:58:41 -0500
+Subject: tracing: Fix check for cpu online when event is disabled
+
+From: Steven Rostedt (Red Hat)
+
+commit dc17147de328a74bbdee67c1bf37d2f1992de756 upstream.
+
+Commit f37755490fe9b ("tracepoints: Do not trace when cpu is offline") added
+a check to make sure that tracepoints only get called when the cpu is
+online, as it uses rcu_read_lock_sched() for protection.
+
+Commit 3a630178fd5f3 ("tracing: generate RCU warnings even when tracepoints
+are disabled") added lockdep checks (including rcu checks) for events that
+are not enabled to catch possible RCU issues that would only be triggered if
+a trace event was enabled. Commit f37755490fe9b only stopped the warnings
+when the trace event was enabled but did not prevent warnings if the trace
+event was called when disabled.
+
+To fix this, the cpu online check is moved to where the condition is added
+to the trace event. This will place the cpu online check in all places that
+it may be used now and in the future.
+
+Fixes: f37755490fe9b ("tracepoints: Do not trace when cpu is offline")
+Fixes: 3a630178fd5f3 ("tracing: generate RCU warnings even when tracepoints are disabled")
+Reported-by: Sudeep Holla
+Tested-by: Sudeep Holla
+Signed-off-by: Steven Rostedt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/tracepoint.h | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/include/linux/tracepoint.h
++++ b/include/linux/tracepoint.h
+@@ -129,9 +129,6 @@ static inline void tracepoint_synchroniz
+ void *it_func; \
+ void *__data; \
+ \
+- if (!cpu_online(raw_smp_processor_id())) \
+- return; \
+- \
+ if (!(cond)) \
+ return; \
+ prercu; \
+@@ -265,15 +262,19 @@ static inline void tracepoint_synchroniz
+ * "void *__data, proto" as the callback prototype.
+ */
+ #define DECLARE_TRACE_NOARGS(name) \
+- __DECLARE_TRACE(name, void, , 1, void *__data, __data)
++ __DECLARE_TRACE(name, void, , \
++ cpu_online(raw_smp_processor_id()), \
++ void *__data, __data)
+
+ #define DECLARE_TRACE(name, proto, args) \
+- __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), 1, \
+- PARAMS(void *__data, proto), \
+- PARAMS(__data, args))
++ __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), \
++ cpu_online(raw_smp_processor_id()), \
++ PARAMS(void *__data, proto), \
++ PARAMS(__data, args))
+
+ #define DECLARE_TRACE_CONDITION(name, proto, args, cond) \
+- __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), PARAMS(cond), \
++ __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), \
++ cpu_online(raw_smp_processor_id()) && (PARAMS(cond)), \
+ PARAMS(void *__data, proto), \
+ PARAMS(__data, args))
+
diff --git a/queue-3.14/wext-fix-message-delay-ordering.patch b/queue-3.14/wext-fix-message-delay-ordering.patch
new file mode 100644
index 00000000000..a683e9919f7
--- /dev/null
+++ b/queue-3.14/wext-fix-message-delay-ordering.patch
@@ -0,0 +1,122 @@
+From 8bf862739a7786ae72409220914df960a0aa80d8 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Wed, 27 Jan 2016 12:37:52 +0100
+Subject: wext: fix message delay/ordering
+
+From: Johannes Berg
+
+commit 8bf862739a7786ae72409220914df960a0aa80d8 upstream.
+
+Beniamino reported that he was getting an RTM_NEWLINK message for a
+given interface, after the RTM_DELLINK for it. It turns out that the
+message is a wireless extensions message, which was sent because the
+interface had been connected and disconnection while it was deleted
+caused a wext message.
+
+For its netlink messages, wext uses RTM_NEWLINK, but the message is
+without all the regular rtnetlink attributes, so "ip monitor link"
+prints just rudimentary information:
+
+5: wlan1: mtu 1500 qdisc mq state DOWN group default
+ link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
+Deleted 5: wlan1: mtu 1500 qdisc noop state DOWN group default
+ link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
+5: wlan1:
+ link/ether
+(from my hwsim reproduction)
+
+This can cause userspace to get confused since it doesn't expect an
+RTM_NEWLINK message after RTM_DELLINK.
+
+The reason for this is that wext schedules a worker to send out the
+messages, and the scheduling delay can cause the messages to get out
+to userspace in different order.
+
+To fix this, have wext register a netdevice notifier and flush out
+any pending messages when netdevice state changes. This fixes any
+ordering whenever the original message wasn't sent by a notifier
+itself.
+
+Reported-by: Beniamino Galvani
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/wext-core.c | 51 ++++++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 40 insertions(+), 11 deletions(-)
+
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -342,6 +342,39 @@ static const int compat_event_type_size[
+
+ /* IW event code */
+
++static void wireless_nlevent_flush(void)
++{
++ struct sk_buff *skb;
++ struct net *net;
++
++ ASSERT_RTNL();
++
++ for_each_net(net) {
++ while ((skb = skb_dequeue(&net->wext_nlevents)))
++ rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL,
++ GFP_KERNEL);
++ }
++}
++
++static int wext_netdev_notifier_call(struct notifier_block *nb,
++ unsigned long state, void *ptr)
++{
++ /*
++ * When a netdev changes state in any way, flush all pending messages
++ * to avoid them going out in a strange order, e.g. RTM_NEWLINK after
++ * RTM_DELLINK, or with IFF_UP after without IFF_UP during dev_close()
++ * or similar - all of which could otherwise happen due to delays from
++ * schedule_work().
++ */
++ wireless_nlevent_flush();
++
++ return NOTIFY_OK;
++}
++
++static struct notifier_block wext_netdev_notifier = {
++ .notifier_call = wext_netdev_notifier_call,
++};
++
+ static int __net_init wext_pernet_init(struct net *net)
+ {
+ skb_queue_head_init(&net->wext_nlevents);
+@@ -360,7 +393,12 @@ static struct pernet_operations wext_per
+
+ static int __init wireless_nlevent_init(void)
+ {
+- return register_pernet_subsys(&wext_pernet_ops);
++ int err = register_pernet_subsys(&wext_pernet_ops);
++
++ if (err)
++ return err;
++
++ return register_netdevice_notifier(&wext_netdev_notifier);
+ }
+
+ subsys_initcall(wireless_nlevent_init);
+@@ -368,17 +406,8 @@ subsys_initcall(wireless_nlevent_init);
+ /* Process events generated by the wireless layer or the driver.
*/
+ static void wireless_nlevent_process(struct work_struct *work)
+ {
+- struct sk_buff *skb;
+- struct net *net;
+-
+ rtnl_lock();
+-
+- for_each_net(net) {
+- while ((skb = skb_dequeue(&net->wext_nlevents)))
+- rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL,
+- GFP_KERNEL);
+- }
+-
++ wireless_nlevent_flush();
+ rtnl_unlock();
+ }
+
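Review bot: wireless_nlevent_init() now performs two registrations but has no unwind: if `register_netdevice_notifier()` fails, the function returns the error with `wext_pernet_ops` still registered. Keep the result and undo the first step: `err = register_netdevice_notifier(&wext_netdev_notifier);`, `if (err) unregister_pernet_subsys(&wext_pernet_ops);`, `return err;`. Separately, wireless_nlevent_flush() asserts RTNL, while wext_netdev_notifier_call() calls it without taking the lock; a one-line comment on the notifier stating that it is expected to run with RTNL held would document the assumption that the `ASSERT_RTNL()` enforces.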