From: Sasha Levin Date: Tue, 30 Oct 2018 13:15:53 +0000 (-0400) Subject: 4.9-stable patches X-Git-Tag: v4.19.1~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=466d3e49990ae65e3bb242142598dd395c328be1;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/acpi-sysfs-make-acpi-gpe-mask-kernel-parameter-cover.patch b/queue-4.9/acpi-sysfs-make-acpi-gpe-mask-kernel-parameter-cover.patch new file mode 100644 index 00000000000..bc0c2023deb --- /dev/null +++ b/queue-4.9/acpi-sysfs-make-acpi-gpe-mask-kernel-parameter-cover.patch 
@@ -0,0 +1,89 @@ +From 90995ef1e7d34edc68c76d9db7b91f68ea272b6b Mon Sep 17 00:00:00 2001 +From: Prarit Bhargava +Date: Thu, 30 Nov 2017 15:05:59 -0500 +Subject: ACPI: sysfs: Make ACPI GPE mask kernel parameter cover all GPEs + +[ Upstream commit 0f27cff8597d86f881ea8274b49b63b678c14a3c ] + +The acpi_mask_gpe= kernel parameter documentation states that the range +of mask is 128 GPEs (0x00 to 0x7F). The acpi_masked_gpes mask is a u64 so +only 64 GPEs (0x00 to 0x3F) can really be masked. + +Use a bitmap of size 0xFF instead of a u64 for the GPE mask so 256 +GPEs can be masked. + +Fixes: 9c4aa1eecb48 (ACPI / sysfs: Provide quirk mechanism to prevent GPE flooding) +Signed-off-by: Prarit Bharava +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + Documentation/kernel-parameters.txt | 1 - + drivers/acpi/sysfs.c | 26 ++++++++------------------ + 2 files changed, 8 insertions(+), 19 deletions(-) + +diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt +index f9f67be8d3c3..c708a50b060e 100644 +--- a/Documentation/kernel-parameters.txt ++++ b/Documentation/kernel-parameters.txt +@@ -313,7 +313,6 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + This facility can be used to prevent such uncontrolled + GPE floodings. + Format: +- Support masking of GPEs numbered from 0x00 to 0x7f. + + acpi_no_auto_serialize [HW,ACPI] + Disable auto-serialization of AML methods +diff --git a/drivers/acpi/sysfs.c b/drivers/acpi/sysfs.c +index cf05ae973381..a36d0739dbfe 100644 +--- a/drivers/acpi/sysfs.c ++++ b/drivers/acpi/sysfs.c +@@ -724,14 +724,8 @@ end: + * interface: + * echo unmask > /sys/firmware/acpi/interrupts/gpe00 + */ +- +-/* +- * Currently, the GPE flooding prevention only supports to mask the GPEs +- * numbered from 00 to 7f. 
+- */ +-#define ACPI_MASKABLE_GPE_MAX 0x80 +- +-static u64 __initdata acpi_masked_gpes; ++#define ACPI_MASKABLE_GPE_MAX 0xFF ++static DECLARE_BITMAP(acpi_masked_gpes_map, ACPI_MASKABLE_GPE_MAX) __initdata; + + static int __init acpi_gpe_set_masked_gpes(char *val) + { +@@ -739,7 +733,7 @@ static int __init acpi_gpe_set_masked_gpes(char *val) + + if (kstrtou8(val, 0, &gpe) || gpe > ACPI_MASKABLE_GPE_MAX) + return -EINVAL; +- acpi_masked_gpes |= ((u64)1< +Date: Fri, 27 Apr 2018 17:17:35 +0200 +Subject: ALSA: hda - Fix incorrect usage of IS_REACHABLE() + +[ Upstream commit 6a30abaa40b62aed46ef12ea4c16c48565bdb376 ] + +The commit c469652bb5e8 ("ALSA: hda - Use IS_REACHABLE() for +dependency on input") simplified the dependencies with IS_REACHABLE() +macro, but it broke due to its incorrect usage: it should have been +IS_REACHABLE(CONFIG_INPUT) instead of IS_REACHABLE(INPUT). + +Fixes: c469652bb5e8 ("ALSA: hda - Use IS_REACHABLE() for dependency on input") +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 0eee308365c4..cc48800f95e0 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -3499,7 +3499,7 @@ static void alc280_fixup_hp_gpio4(struct hda_codec *codec, + } + } + +-#if IS_REACHABLE(INPUT) ++#if IS_REACHABLE(CONFIG_INPUT) + static void gpio2_mic_hotkey_event(struct hda_codec *codec, + struct hda_jack_callback *event) + { +-- +2.17.1 + diff --git a/queue-4.9/alsa-hda-no-loopback-on-alc299-codec.patch b/queue-4.9/alsa-hda-no-loopback-on-alc299-codec.patch new file mode 100644 index 00000000000..3369cdebcae --- /dev/null +++ b/queue-4.9/alsa-hda-no-loopback-on-alc299-codec.patch 
@@ -0,0 +1,39 @@ +From d5d47d49156d31ebcf21b3521cd595f04eced5d0 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 16 May 2017 09:11:33 +0200 +Subject: ALSA: hda - No loopback on ALC299 codec + +[ Upstream commit fa16b69f1299004b60b625f181143500a246e5cb ] + +ALC299 has no loopback mixer, but the driver still tries to add a beep +control over the mixer NID which leads to the error at accessing it. +This patch fixes it by properly declaring mixer_nid=0 for this codec. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195775 +Fixes: 28f1f9b26cee ("ALSA: hda/realtek - Add new codec ID ALC299") +Cc: stable@vger.kernel.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index ca2945711dbe..0eee308365c4 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6392,8 +6392,11 @@ static int patch_alc269(struct hda_codec *codec) + break; + case 0x10ec0225: + case 0x10ec0295: ++ spec->codec_variant = ALC269_TYPE_ALC225; ++ break; + case 0x10ec0299: + spec->codec_variant = ALC269_TYPE_ALC225; ++ spec->gen.mixer_nid = 0; /* no loopback on ALC299 */ + break; + case 0x10ec0234: + case 0x10ec0274: +-- +2.17.1 + diff --git a/queue-4.9/arch-sparc-increase-config_nodes_shift-on-sparc64-to.patch b/queue-4.9/arch-sparc-increase-config_nodes_shift-on-sparc64-to.patch new file mode 100644 index 00000000000..88caf8b2111 --- /dev/null +++ b/queue-4.9/arch-sparc-increase-config_nodes_shift-on-sparc64-to.patch 
@@ -0,0 +1,44 @@ +From dd121e00d6890eb359ce0e865b331accf3cfd75c Mon Sep 17 00:00:00 2001 +From: Jane Chu +Date: Thu, 25 May 2017 13:51:20 -0600 +Subject: arch/sparc: increase CONFIG_NODES_SHIFT on SPARC64 to 5 + +[ Upstream commit 7485af89a6fd48f7e6fab2505d2364d1817723e6 ] + +SPARC M6-32 platform has (2^5) NUMA nodes, so need to bump up the +CONFIG_NODES_SHIFT to 5. + +Orabug: 25577754 + +Signed-off-by: Jane Chu +Reviewed-by: Bob Picco +Reviewed-by: Atish Patra +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + arch/sparc/Kconfig | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig +index 8b4152f3a764..cef42d4be292 100644 +--- a/arch/sparc/Kconfig ++++ b/arch/sparc/Kconfig +@@ -290,9 +290,13 @@ config NUMA + depends on SPARC64 && SMP + + config NODES_SHIFT +- int +- default "4" ++ int "Maximum NUMA Nodes (as a power of 2)" ++ range 4 5 if SPARC64 ++ default "5" + depends on NEED_MULTIPLE_NODES ++ help ++ Specify the maximum number of NUMA Nodes available on the target ++ system. Increases memory reserved to accommodate various tables. + + # Some NUMA nodes have memory ranges that span + # other nodes. Even though a pfn is valid and +-- +2.17.1 + diff --git a/queue-4.9/arm-8677-1-boot-compressed-fix-decompressor-header-l.patch b/queue-4.9/arm-8677-1-boot-compressed-fix-decompressor-header-l.patch new file mode 100644 index 00000000000..672048df2ef --- /dev/null +++ b/queue-4.9/arm-8677-1-boot-compressed-fix-decompressor-header-l.patch 
@@ -0,0 +1,92 @@ +From 755d00cf687af9b34167e6a65987b250bcbfd818 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 24 May 2017 15:31:57 +0100 +Subject: ARM: 8677/1: boot/compressed: fix decompressor header layout for v7-M + +[ Upstream commit 06a4b6d009a1b74a6ec46c5418b46cc53a79fcb8 ] + +As reported by Patrice, the header layout of the decompressor is +incorrect when building for v7-M. In this case, the __nop macro +resolves to 'mov r0, r0', which is emitted as a narrow encoding, +resulting in the header data fields to end up at lower offsets than +required. + +Given the variety of targets we need to support with the same code, +the startup sequence is a bit of a jumble, and uses instructions +and macros whose encoding widths cannot be specified (badr), or only +exist in a narrow encoding (bx) + +So force the use of a wide encoding in __nop, and replace the start +sequence with a simple jump to the label marking the start of code, +preceded by a Thumb2 mode switch if required (using explicit wide +encodings where appropriate). The label itself can be moved to the +start of code [where it belongs] due to the larger range of branch +instructions as compared to adr instructions. + +Reported-by: Patrice CHOTARD +Acked-by: Nicolas Pitre +Signed-off-by: Ard Biesheuvel +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/boot/compressed/efi-header.S | 4 +--- + arch/arm/boot/compressed/head.S | 17 ++++++++++------- + 2 files changed, 11 insertions(+), 10 deletions(-) + +diff --git a/arch/arm/boot/compressed/efi-header.S b/arch/arm/boot/compressed/efi-header.S +index 9d5dc4fda3c1..3f7d1b74c5e0 100644 +--- a/arch/arm/boot/compressed/efi-header.S ++++ b/arch/arm/boot/compressed/efi-header.S +@@ -17,14 +17,12 @@ + @ there. 
+ .inst 'M' | ('Z' << 8) | (0x1310 << 16) @ tstne r0, #0x4d000 + #else +- mov r0, r0 ++ W(mov) r0, r0 + #endif + .endm + + .macro __EFI_HEADER + #ifdef CONFIG_EFI_STUB +- b __efi_start +- + .set start_offset, __efi_start - start + .org start + 0x3c + @ +diff --git a/arch/arm/boot/compressed/head.S b/arch/arm/boot/compressed/head.S +index fc6d541549a2..2d7f2bb0d66a 100644 +--- a/arch/arm/boot/compressed/head.S ++++ b/arch/arm/boot/compressed/head.S +@@ -130,19 +130,22 @@ start: + .rept 7 + __nop + .endr +- ARM( mov r0, r0 ) +- ARM( b 1f ) +- THUMB( badr r12, 1f ) +- THUMB( bx r12 ) ++#ifndef CONFIG_THUMB2_KERNEL ++ mov r0, r0 ++#else ++ AR_CLASS( sub pc, pc, #3 ) @ A/R: switch to Thumb2 mode ++ M_CLASS( nop.w ) @ M: already in Thumb2 mode ++ .thumb ++#endif ++ W(b) 1f + + .word _magic_sig @ Magic numbers to help the loader + .word _magic_start @ absolute load/run zImage address + .word _magic_end @ zImage end address + .word 0x04030201 @ endianness flag + +- THUMB( .thumb ) +-1: __EFI_HEADER +- ++ __EFI_HEADER ++1: + ARM_BE8( setend be ) @ go BE8 if compiled for BE8 + AR_CLASS( mrs r9, cpsr ) + #ifdef CONFIG_ARM_VIRT_EXT +-- +2.17.1 + diff --git a/queue-4.9/arm-8799-1-mm-fix-pci_ioremap_io-offset-check.patch b/queue-4.9/arm-8799-1-mm-fix-pci_ioremap_io-offset-check.patch new file mode 100644 index 00000000000..6ce895bf265 --- /dev/null +++ b/queue-4.9/arm-8799-1-mm-fix-pci_ioremap_io-offset-check.patch 
@@ -0,0 +1,45 @@ +From b64083661b598e4165df9615069198b9d5e9d75c Mon Sep 17 00:00:00 2001 +From: Thomas Petazzoni +Date: Thu, 13 Sep 2018 16:48:08 +0100 +Subject: ARM: 8799/1: mm: fix pci_ioremap_io() offset check + +[ Upstream commit 3a58ac65e2d7969bcdf1b6acb70fa4d12a88e53e ] + +IO_SPACE_LIMIT is the ending address of the PCI IO space, i.e +something like 0xfffff (and not 0x100000). + +Therefore, when offset = 0xf0000 is passed as argument, this function +fails even though the offset + SZ_64K fits below the +IO_SPACE_LIMIT. This makes the last chunk of 64 KB of the I/O space +not usable as it cannot be mapped. + +This patch fixes that by substracing 1 to offset + SZ_64K, so that we +compare the addrss of the last byte of the I/O space against +IO_SPACE_LIMIT instead of the address of the first byte of what is +after the I/O space. + +Fixes: c2794437091a4 ("ARM: Add fixed PCI i/o mapping") +Signed-off-by: Thomas Petazzoni +Acked-by: Nicolas Pitre +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/mm/ioremap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mm/ioremap.c b/arch/arm/mm/ioremap.c +index ff0eed23ddf1..66e5d8765601 100644 +--- a/arch/arm/mm/ioremap.c ++++ b/arch/arm/mm/ioremap.c +@@ -473,7 +473,7 @@ void pci_ioremap_set_mem_type(int mem_type) + + int pci_ioremap_io(unsigned int offset, phys_addr_t phys_addr) + { +- BUG_ON(offset + SZ_64K > IO_SPACE_LIMIT); ++ BUG_ON(offset + SZ_64K - 1 > IO_SPACE_LIMIT); + + return ioremap_page_range(PCI_IO_VIRT_BASE + offset, + PCI_IO_VIRT_BASE + offset + SZ_64K, +-- +2.17.1 + diff --git a/queue-4.9/arm-dts-bcm283x-reserve-first-page-for-firmware.patch b/queue-4.9/arm-dts-bcm283x-reserve-first-page-for-firmware.patch new file mode 100644 index 00000000000..44fd4274f60 --- /dev/null +++ b/queue-4.9/arm-dts-bcm283x-reserve-first-page-for-firmware.patch 
@@ -0,0 +1,44 @@ +From 8b58c06a27bdc37edb7c0c927e573a6c7039b3f0 Mon Sep 17 00:00:00 2001 +From: Phil Elwell +Date: Tue, 9 May 2017 10:04:30 +0100 +Subject: ARM: dts: bcm283x: Reserve first page for firmware + +[ Upstream commit b0804ed0cadd7e38d94d2f15cdcc0d9695818856 ] + +The Raspberry Pi startup stub files for multi-core BCM283X processors +make the secondary CPUs spin until the corresponding mailbox is +written. These stubs are loaded at physical address 0x00000xxx (as seen +by the ARMs), but this page will be reused by the kernel unless it is +explicitly reserved, causing the waiting cores to execute random code. + +Use the /memreserve/ Device Tree directive to mark the first page as +off-limits to the kernel. + +See: https://github.com/raspberrypi/linux/issues/1989 +Signed-off-by: Phil Elwell +Signed-off-by: Eric Anholt +Reviewed-by: Eric Anholt +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm283x.dtsi | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm/boot/dts/bcm283x.dtsi b/arch/arm/boot/dts/bcm283x.dtsi +index c51b88ee3cec..31563007772c 100644 +--- a/arch/arm/boot/dts/bcm283x.dtsi ++++ b/arch/arm/boot/dts/bcm283x.dtsi +@@ -3,6 +3,11 @@ + #include + #include + ++/* firmware-provided startup stubs live here, where the secondary CPUs are ++ * spinning. ++ */ ++/memreserve/ 0x00000000 0x00001000; ++ + /* This include file covers the common peripherals and configuration between + * bcm2835 and bcm2836 implementations, leaving the CPU configuration to + * bcm2835.dtsi and bcm2836.dtsi. +-- +2.17.1 + diff --git a/queue-4.9/arm-dts-bcm63xx-fix-incorrect-interrupt-specifiers.patch b/queue-4.9/arm-dts-bcm63xx-fix-incorrect-interrupt-specifiers.patch new file mode 100644 index 00000000000..2e96c5eedde --- /dev/null +++ b/queue-4.9/arm-dts-bcm63xx-fix-incorrect-interrupt-specifiers.patch 
@@ -0,0 +1,79 @@ +From 554fad7e15c743391d845357d52561c8eb53b654 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Wed, 19 Sep 2018 17:14:01 -0700 +Subject: ARM: dts: BCM63xx: Fix incorrect interrupt specifiers + +[ Upstream commit 3ab97942d0213b6583a5408630a8cbbfbf54730f ] + +A number of our interrupts were incorrectly specified, fix both the PPI +and SPI interrupts to be correct. + +Fixes: b5762cacc411 ("ARM: bcm63138: add NAND DT support") +Fixes: 46d4bca0445a ("ARM: BCM63XX: add BCM63138 minimal Device Tree") +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm63138.dtsi | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/arch/arm/boot/dts/bcm63138.dtsi b/arch/arm/boot/dts/bcm63138.dtsi +index d0560e8cd6de..547369c69e96 100644 +--- a/arch/arm/boot/dts/bcm63138.dtsi ++++ b/arch/arm/boot/dts/bcm63138.dtsi +@@ -105,21 +105,23 @@ + global_timer: timer@1e200 { + compatible = "arm,cortex-a9-global-timer"; + reg = <0x1e200 0x20>; +- interrupts = ; ++ interrupts = ; + clocks = <&axi_clk>; + }; + + local_timer: local-timer@1e600 { + compatible = "arm,cortex-a9-twd-timer"; + reg = <0x1e600 0x20>; +- interrupts = ; ++ interrupts = ; + clocks = <&axi_clk>; + }; + + twd_watchdog: watchdog@1e620 { + compatible = "arm,cortex-a9-twd-wdt"; + reg = <0x1e620 0x20>; +- interrupts = ; ++ interrupts = ; + }; + + armpll: armpll { +@@ -157,7 +159,7 @@ + serial0: serial@600 { + compatible = "brcm,bcm6345-uart"; + reg = <0x600 0x1b>; +- interrupts = ; ++ interrupts = ; + clocks = <&periph_clk>; + clock-names = "periph"; + status = "disabled"; +@@ -166,7 +168,7 @@ + serial1: serial@620 { + compatible = "brcm,bcm6345-uart"; + reg = <0x620 0x1b>; +- interrupts = ; ++ interrupts = ; + clocks = <&periph_clk>; + clock-names = "periph"; + status = "disabled"; +@@ -179,7 +181,7 @@ + reg = <0x2000 0x600>, <0xf0 0x10>; + reg-names = "nand", "nand-int-base"; + status = "disabled"; +- interrupts = ; ++ interrupts = ; + 
interrupt-names = "nand"; + }; + +-- +2.17.1 + diff --git a/queue-4.9/arm-dts-imx53-qsb-disable-1.2ghz-opp.patch b/queue-4.9/arm-dts-imx53-qsb-disable-1.2ghz-opp.patch new file mode 100644 index 00000000000..d63ca0bc892 --- /dev/null +++ b/queue-4.9/arm-dts-imx53-qsb-disable-1.2ghz-opp.patch @@ -0,0 +1,46 @@ +From b8febbd6d0a92500ecd7e360ae1fb08aaf5f459b Mon Sep 17 00:00:00 2001 +From: Sascha Hauer +Date: Wed, 12 Sep 2018 08:23:01 +0200 +Subject: ARM: dts: imx53-qsb: disable 1.2GHz OPP + +[ Upstream commit eea96566c189c77e5272585984eb2729881a2f1d ] + +The maximum CPU frequency for the i.MX53 QSB is 1GHz, so disable the +1.2GHz OPP. This makes the board work again with configs that have +cpufreq enabled like imx_v6_v7_defconfig on which the board stopped +working with the addition of cpufreq-dt support. + +Fixes: 791f416608 ("ARM: dts: imx53: add cpufreq-dt support") + +Signed-off-by: Sascha Hauer +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx53-qsb-common.dtsi | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/arch/arm/boot/dts/imx53-qsb-common.dtsi b/arch/arm/boot/dts/imx53-qsb-common.dtsi +index c05e7cfd0cbc..c8a6a6868c46 100644 +--- a/arch/arm/boot/dts/imx53-qsb-common.dtsi ++++ b/arch/arm/boot/dts/imx53-qsb-common.dtsi +@@ -130,6 +130,17 @@ + }; + }; + ++&cpu0 { ++ /* CPU rated to 1GHz, not 1.2GHz as per the default settings */ ++ operating-points = < ++ /* kHz uV */ ++ 166666 850000 ++ 400000 900000 ++ 800000 1050000 ++ 1000000 1200000 ++ >; ++}; ++ + &esdhc1 { + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_esdhc1>; +-- +2.17.1 + diff --git a/queue-4.9/arm-tegra-fix-ulpi-regression-on-tegra20.patch b/queue-4.9/arm-tegra-fix-ulpi-regression-on-tegra20.patch new file mode 100644 index 00000000000..e960dc33b3c --- /dev/null +++ b/queue-4.9/arm-tegra-fix-ulpi-regression-on-tegra20.patch 
@@ -0,0 +1,48 @@ +From 0bc3a6d4f0e519111965325703f4889555413d28 Mon Sep 17 00:00:00 2001 +From: Marcel Ziswiler +Date: Thu, 22 Feb 2018 15:38:25 +0100 +Subject: ARM: tegra: Fix ULPI regression on Tegra20 + +[ Upstream commit 4c9a27a6c66d4427f3cba4019d4ba738fe99fa87 ] + +Since commit f8f8f1d04494 ("clk: Don't touch hardware when reparenting +during registration") ULPI has been broken on Tegra20 leading to the +following error message during boot: + +[ 1.974698] ulpi_phy_power_on: ulpi write failed +[ 1.979384] tegra-ehci c5004000.usb: Failed to power on the phy +[ 1.985434] tegra-ehci: probe of c5004000.usb failed with error -110 + +Debugging through the changes and finally also consulting the TRM +revealed that rather than the CDEV2 clock off OSC requiring such pin +muxing actually the PLL_P_OUT4 clock is in use. It looks like so far it +just worked by chance of that one having been enabled which Stephen's +commit now changed when reparenting sclk away from pll_p_out4 leaving +that one disabled. Fix this by properly assigning the PLL_P_OUT4 clock +as the ULPI PHY clock. + +Signed-off-by: Marcel Ziswiler +Reviewed-by: Dmitry Osipenko +Reviewed-by: Rob Herring +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/tegra20.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/tegra20.dtsi b/arch/arm/boot/dts/tegra20.dtsi +index 2207c08e3fa3..d771f24f6a26 100644 +--- a/arch/arm/boot/dts/tegra20.dtsi ++++ b/arch/arm/boot/dts/tegra20.dtsi +@@ -690,7 +690,7 @@ + phy_type = "ulpi"; + clocks = <&tegra_car TEGRA20_CLK_USB2>, + <&tegra_car TEGRA20_CLK_PLL_U>, +- <&tegra_car TEGRA20_CLK_CDEV2>; ++ <&tegra_car TEGRA20_CLK_PLL_P_OUT4>; + clock-names = "reg", "pll_u", "ulpi-link"; + resets = <&tegra_car 58>, <&tegra_car 22>; + reset-names = "usb", "utmi-pads"; +-- +2.17.1 + 
diff --git a/queue-4.9/asix-check-for-supported-wake-on-lan-modes.patch b/queue-4.9/asix-check-for-supported-wake-on-lan-modes.patch new file mode 100644 index 00000000000..7b0a68226a8 --- /dev/null +++ b/queue-4.9/asix-check-for-supported-wake-on-lan-modes.patch @@ -0,0 +1,36 @@ +From 34ade51e53278ce2916010bdab5acd5477cbcad1 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 28 Sep 2018 16:18:50 -0700 +Subject: asix: Check for supported Wake-on-LAN modes + +[ Upstream commit c4ce446e33d7a0e978256ac6fea4c80e59d9de5f ] + +The driver currently silently accepts unsupported Wake-on-LAN modes +(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user, +which is confusing. + +Fixes: 2e55cc7210fe ("[PATCH] USB: usbnet (3/9) module for ASIX Ethernet adapters") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/asix_common.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c +index 125cff57c759..3dbb0646b024 100644 +--- a/drivers/net/usb/asix_common.c ++++ b/drivers/net/usb/asix_common.c +@@ -575,6 +575,9 @@ int asix_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo) + struct usbnet *dev = netdev_priv(net); + u8 opt = 0; + ++ if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC)) ++ return -EINVAL; ++ + if (wolinfo->wolopts & WAKE_PHY) + opt |= AX_MONITOR_LINK; + if (wolinfo->wolopts & WAKE_MAGIC) +-- +2.17.1 + diff --git a/queue-4.9/asoc-intel-skylake-fix-to-parse-consecutive-string-t.patch b/queue-4.9/asoc-intel-skylake-fix-to-parse-consecutive-string-t.patch new file mode 100644 index 00000000000..33423e70e48 --- /dev/null +++ b/queue-4.9/asoc-intel-skylake-fix-to-parse-consecutive-string-t.patch 
@@ -0,0 +1,38 @@ +From d12ccb5e1b808a6fbf12a7e15e80579399086497 Mon Sep 17 00:00:00 2001 +From: Shreyas NC +Date: Mon, 15 May 2017 19:44:30 +0530 +Subject: ASoC: Intel: Skylake: Fix to parse consecutive string tkns in + manifest + +[ Upstream commit 0a716776914ed9d7ca90b48041e6767693bfb672 ] + +Element size in the manifest should be updated for each token, so that the +loop can parse all the string elements in the manifest. This was not +happening when more than two string elements appear consecutively, as it is +not updated with correct string element size. Fixed with this patch. + +Signed-off-by: Shreyas NC +Signed-off-by: Subhransu S. Prusty +Acked-by: Vinod Koul +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/skylake/skl-topology.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/intel/skylake/skl-topology.c b/sound/soc/intel/skylake/skl-topology.c +index bef8a4546c12..b0c154d5924b 100644 +--- a/sound/soc/intel/skylake/skl-topology.c ++++ b/sound/soc/intel/skylake/skl-topology.c +@@ -2325,7 +2325,7 @@ static int skl_tplg_get_manifest_tkn(struct device *dev, + + if (ret < 0) + return ret; +- tkn_count += ret; ++ tkn_count = ret; + + tuple_size += tkn_count * + sizeof(struct snd_soc_tplg_vendor_string_elem); +-- +2.17.1 + diff --git a/queue-4.9/ata-sata_rcar-handle-return-value-of-clk_prepare_ena.patch b/queue-4.9/ata-sata_rcar-handle-return-value-of-clk_prepare_ena.patch new file mode 100644 index 00000000000..c1ab5d7c334 --- /dev/null +++ b/queue-4.9/ata-sata_rcar-handle-return-value-of-clk_prepare_ena.patch 
@@ -0,0 +1,64 @@ +From f5e65131075d80be7b0aa6dedf6d7f16b0a935c6 Mon Sep 17 00:00:00 2001 +From: Arvind Yadav +Date: Tue, 9 May 2017 16:00:28 +0530 +Subject: ata: sata_rcar: Handle return value of clk_prepare_enable + +[ Upstream commit 5dc63fdcc09f47fb226b8bc7d83a61feb787d817 ] + +Here, Clock enable can failed. So adding an error check for +clk_prepare_enable. + +tj: minor style updates + +Signed-off-by: Arvind Yadav +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + drivers/ata/sata_rcar.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/ata/sata_rcar.c b/drivers/ata/sata_rcar.c +index f72d601e300a..e83a3d3421b9 100644 +--- a/drivers/ata/sata_rcar.c ++++ b/drivers/ata/sata_rcar.c +@@ -890,7 +890,10 @@ static int sata_rcar_probe(struct platform_device *pdev) + dev_err(&pdev->dev, "failed to get access to sata clock\n"); + return PTR_ERR(priv->clk); + } +- clk_prepare_enable(priv->clk); ++ ++ ret = clk_prepare_enable(priv->clk); ++ if (ret) ++ return ret; + + host = ata_host_alloc(&pdev->dev, 1); + if (!host) { +@@ -970,8 +973,11 @@ static int sata_rcar_resume(struct device *dev) + struct ata_host *host = dev_get_drvdata(dev); + struct sata_rcar_priv *priv = host->private_data; + void __iomem *base = priv->base; ++ int ret; + +- clk_prepare_enable(priv->clk); ++ ret = clk_prepare_enable(priv->clk); ++ if (ret) ++ return ret; + + /* ack and mask */ + iowrite32(0, base + SATAINTSTAT_REG); +@@ -988,8 +994,11 @@ static int sata_rcar_restore(struct device *dev) + { + struct ata_host *host = dev_get_drvdata(dev); + struct sata_rcar_priv *priv = host->private_data; ++ int ret; + +- clk_prepare_enable(priv->clk); ++ ret = clk_prepare_enable(priv->clk); ++ if (ret) ++ return ret; + + sata_rcar_setup_port(host); + +-- +2.17.1 + 
diff --git a/queue-4.9/ath10k-convert-warning-about-non-existent-otp-board-.patch b/queue-4.9/ath10k-convert-warning-about-non-existent-otp-board-.patch new file mode 100644 index 00000000000..a3aa1435d3c --- /dev/null +++ b/queue-4.9/ath10k-convert-warning-about-non-existent-otp-board-.patch 
@@ -0,0 +1,48 @@ +From 91d3c35edc8c72d1294904f2352400cbc348d7fb Mon Sep 17 00:00:00 2001 +From: Kalle Valo +Date: Mon, 13 Feb 2017 12:38:43 +0200 +Subject: ath10k: convert warning about non-existent OTP board id to debug + message + +[ Upstream commit 7be52c03bbf7c8f53211ed13810d64dcb2bc7168 ] + +Currently ath10k unncessarily warns about board id not available from OTP: + +ath10k_pci 0000:02:00.0: pci irq msi oper_irq_mode 2 irq_mode 0 reset_mode 0 +ath10k_pci 0000:02:00.0: qca988x hw2.0 target 0x4100016c chip_id 0x043202ff sub 0000:0000 +ath10k_pci 0000:02:00.0: kconfig debug 1 debugfs 1 tracing 1 dfs 1 testmode 1 +ath10k_pci 0000:02:00.0: firmware ver 10.2.4.70.9-2 api 5 features no-p2p,raw-mode crc32 b8d50af5 +ath10k_pci 0000:02:00.0: board id is not exist in otp, ignore it +ath10k_pci 0000:02:00.0: board_file api 1 bmi_id N/A crc32 bebc7c08 +ath10k_pci 0000:02:00.0: htt-ver 2.1 wmi-op 5 htt-op 2 cal otp max-sta 128 raw 0 hwcrypto 1 + +But not all boards have the board id in OTP so this is not a problem and no +need to confuse the user with that info. So this can be safely changed to a +debug message. + +Also fix grammar in the debug message. + +Fixes: d2e202c06ca4 ("ath10k: ignore configuring the incorrect board_id") +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c +index 65ad7a130ca1..1e41d6c6de36 100644 +--- a/drivers/net/wireless/ath/ath10k/core.c ++++ b/drivers/net/wireless/ath/ath10k/core.c +@@ -698,7 +698,8 @@ static int ath10k_core_get_board_id_from_otp(struct ath10k *ar) + + if ((result & ATH10K_BMI_BOARD_ID_STATUS_MASK) != 0 || + (board_id == 0)) { +- ath10k_warn(ar, "board id is not exist in otp, ignore it\n"); ++ ath10k_dbg(ar, ATH10K_DBG_BOOT, ++ "board id does not exist in otp, ignore it\n"); + return -EOPNOTSUPP; + } + +-- +2.17.1 + 
diff --git a/queue-4.9/ath10k-fix-napi-enable-disable-symmetry-for-ahb-inte.patch b/queue-4.9/ath10k-fix-napi-enable-disable-symmetry-for-ahb-inte.patch new file mode 100644 index 00000000000..083c4b4f9e5 --- /dev/null +++ b/queue-4.9/ath10k-fix-napi-enable-disable-symmetry-for-ahb-inte.patch @@ -0,0 +1,46 @@ +From 38668c67ce8675f823e8d3203ed43c9e16574a07 Mon Sep 17 00:00:00 2001 +From: Mohammed Shafi Shajakhan +Date: Mon, 20 Mar 2017 20:52:46 +0530 +Subject: ath10k: fix NAPI enable/disable symmetry for AHB interface + +[ Upstream commit a7595a820b07db9ac0d8f479ff62002bdd32a05a ] + +Move NAPI enable to 'ath10k_ahb_hif_start' from +'ath10k_ahb_hif_power_up'. This is to maintain the symmetry +of calling napi_enable() from ath10k_ahb_hif_start() so that it +matches with napi_disable() being called from ath10k_pci_hif_stop(). + +This change is based on the crash fix from Kalle for PCI interface in +commit 1427228d5869 ("ath10k: fix napi crash during rmmod when probe +firmware fails"). + +Signed-off-by: Mohammed Shafi Shajakhan +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/ahb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath10k/ahb.c b/drivers/net/wireless/ath/ath10k/ahb.c +index 45226dbee5ce..da770af83036 100644 +--- a/drivers/net/wireless/ath/ath10k/ahb.c ++++ b/drivers/net/wireless/ath/ath10k/ahb.c +@@ -640,6 +640,7 @@ static int ath10k_ahb_hif_start(struct ath10k *ar) + { + ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot ahb hif start\n"); + ++ napi_enable(&ar->napi); + ath10k_ce_enable_interrupts(ar); + ath10k_pci_enable_legacy_irq(ar); + +@@ -692,7 +693,6 @@ static int ath10k_ahb_hif_power_up(struct ath10k *ar) + ath10k_err(ar, "could not wake up target CPU: %d\n", ret); + goto err_ce_deinit; + } +- napi_enable(&ar->napi); + + return 0; + +-- +2.17.1 + 
diff --git a/queue-4.9/ax88179_178a-check-for-supported-wake-on-lan-modes.patch b/queue-4.9/ax88179_178a-check-for-supported-wake-on-lan-modes.patch new file mode 100644 index 00000000000..543b8fbd6ff --- /dev/null +++ b/queue-4.9/ax88179_178a-check-for-supported-wake-on-lan-modes.patch @@ -0,0 +1,36 @@ +From d90f1f21e63bffb8c77fa9c4cf6d2b1a233e9231 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 28 Sep 2018 16:18:51 -0700 +Subject: ax88179_178a: Check for supported Wake-on-LAN modes + +[ Upstream commit 5ba6b4aa9a410c5e2c6417df52b5e2118ea9b467 ] + +The driver currently silently accepts unsupported Wake-on-LAN modes +(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user, +which is confusing. + +Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/ax88179_178a.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c +index 8a6675d92b98..559af8e6ad90 100644 +--- a/drivers/net/usb/ax88179_178a.c ++++ b/drivers/net/usb/ax88179_178a.c +@@ -566,6 +566,9 @@ ax88179_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo) + struct usbnet *dev = netdev_priv(net); + u8 opt = 0; + ++ if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC)) ++ return -EINVAL; ++ + if (wolinfo->wolopts & WAKE_PHY) + opt |= AX_MONITOR_MODE_RWLC; + if (wolinfo->wolopts & WAKE_MAGIC) +-- +2.17.1 + diff --git a/queue-4.9/bluetooth-smp-fix-crash-in-unpairing.patch b/queue-4.9/bluetooth-smp-fix-crash-in-unpairing.patch new file mode 100644 index 00000000000..31cc041991a --- /dev/null +++ b/queue-4.9/bluetooth-smp-fix-crash-in-unpairing.patch 
@@ -0,0 +1,194 @@ +From d804261f9f31ef6ebd26b5a77cabe92c0d00750f Mon Sep 17 00:00:00 2001 +From: Matias Karhumaa +Date: Wed, 26 Sep 2018 09:13:46 +0300 +Subject: Bluetooth: SMP: fix crash in unpairing + +[ Upstream commit cb28c306b93b71f2741ce1a5a66289db26715f4d ] + +In case unpair_device() was called through mgmt interface at the same time +when pairing was in progress, Bluetooth kernel module crash was seen. + +[ 600.351225] general protection fault: 0000 [#1] SMP PTI +[ 600.351235] CPU: 1 PID: 11096 Comm: btmgmt Tainted: G OE 4.19.0-rc1+ #1 +[ 600.351238] Hardware name: Dell Inc. Latitude E5440/08RCYC, BIOS A18 05/14/2017 +[ 600.351272] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth] +[ 600.351276] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 <48> 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01 +[ 600.351279] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246 +[ 600.351282] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60 +[ 600.351285] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500 +[ 600.351287] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00 +[ 600.351290] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800 +[ 600.351292] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00 +[ 600.351295] FS: 00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000 +[ 600.351298] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 600.351300] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0 +[ 600.351302] Call Trace: +[ 600.351325] smp_failure+0x4f/0x70 [bluetooth] +[ 600.351345] smp_cancel_pairing+0x74/0x80 [bluetooth] +[ 600.351370] unpair_device+0x1c1/0x330 [bluetooth] +[ 600.351399] hci_sock_sendmsg+0x960/0x9f0 [bluetooth] +[ 600.351409] ? 
apparmor_socket_sendmsg+0x1e/0x20 +[ 600.351417] sock_sendmsg+0x3e/0x50 +[ 600.351422] sock_write_iter+0x85/0xf0 +[ 600.351429] do_iter_readv_writev+0x12b/0x1b0 +[ 600.351434] do_iter_write+0x87/0x1a0 +[ 600.351439] vfs_writev+0x98/0x110 +[ 600.351443] ? ep_poll+0x16d/0x3d0 +[ 600.351447] ? ep_modify+0x73/0x170 +[ 600.351451] do_writev+0x61/0xf0 +[ 600.351455] ? do_writev+0x61/0xf0 +[ 600.351460] __x64_sys_writev+0x1c/0x20 +[ 600.351465] do_syscall_64+0x5a/0x110 +[ 600.351471] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 600.351474] RIP: 0033:0x7fb2bdb62fe0 +[ 600.351477] Code: 73 01 c3 48 8b 0d b8 6e 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 69 c7 2c 00 00 75 10 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 de 80 01 00 48 89 04 24 +[ 600.351479] RSP: 002b:00007ffe062cb8f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 +[ 600.351484] RAX: ffffffffffffffda RBX: 000000000255b3d0 RCX: 00007fb2bdb62fe0 +[ 600.351487] RDX: 0000000000000001 RSI: 00007ffe062cb920 RDI: 0000000000000004 +[ 600.351490] RBP: 00007ffe062cb920 R08: 000000000255bd80 R09: 0000000000000000 +[ 600.351494] R10: 0000000000000353 R11: 0000000000000246 R12: 0000000000000001 +[ 600.351497] R13: 00007ffe062cbbe0 R14: 0000000000000000 R15: 0000000000000000 +[ 600.351501] Modules linked in: algif_hash algif_skcipher af_alg cmac ipt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat_ipv4 xt_addrtype iptable_filter ip_tables xt_conntrack x_tables nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c br_netfilter bridge stp llc overlay arc4 nls_iso8859_1 dm_crypt intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp dell_laptop kvm_intel crct10dif_pclmul dell_smm_hwmon crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper intel_cstate intel_rapl_perf uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev media hid_multitouch input_leds joydev serio_raw dell_wmi 
snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic dell_smbios dcdbas sparse_keymap +[ 600.351569] snd_hda_intel btusb snd_hda_codec btrtl btbcm btintel snd_hda_core bluetooth(OE) snd_hwdep snd_pcm iwlmvm ecdh_generic wmi_bmof dell_wmi_descriptor snd_seq_midi mac80211 snd_seq_midi_event lpc_ich iwlwifi snd_rawmidi snd_seq snd_seq_device snd_timer cfg80211 snd soundcore mei_me mei dell_rbtn dell_smo8800 mac_hid parport_pc ppdev lp parport autofs4 hid_generic usbhid hid i915 nouveau kvmgt vfio_mdev mdev vfio_iommu_type1 vfio kvm irqbypass i2c_algo_bit ttm drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi psmouse ahci sdhci_pci cqhci libahci fb_sys_fops sdhci drm e1000e video wmi +[ 600.351637] ---[ end trace e49e9f1df09c94fb ]--- +[ 600.351664] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth] +[ 600.351666] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 <48> 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01 +[ 600.351669] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246 +[ 600.351672] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60 +[ 600.351674] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500 +[ 600.351676] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00 +[ 600.351679] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800 +[ 600.351681] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00 +[ 600.351684] FS: 00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000 +[ 600.351686] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 600.351689] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0 + +Crash happened because list_del_rcu() was called twice for smp->ltk. This +was possible if unpair_device was called right after ltk was generated +but before keys were distributed. 
+ +In this commit smp_cancel_pairing was refactored to cancel pairing if it +is in progress and otherwise just removes keys. Once keys are removed from +rcu list, pointers to smp context's keys are set to NULL to make sure +removed list items are not accessed later. + +This commit also adjusts the functionality of mgmt unpair_device() little +bit. Previously pairing was canceled only if pairing was in state that +keys were already generated. With this commit unpair_device() cancels +pairing already in earlier states. + +Bug was found by fuzzing kernel SMP implementation using Synopsys +Defensics. + +Reported-by: Pekka Oikarainen +Signed-off-by: Matias Karhumaa +Signed-off-by: Johan Hedberg +Signed-off-by: Sasha Levin +--- + net/bluetooth/mgmt.c | 7 ++----- + net/bluetooth/smp.c | 29 +++++++++++++++++++++++++---- + net/bluetooth/smp.h | 3 ++- + 3 files changed, 29 insertions(+), 10 deletions(-) + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 1fba2a03f8ae..ba24f613c0fc 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -2298,9 +2298,8 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data, + /* LE address type */ + addr_type = le_addr_type(cp->addr.type); + +- hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type); +- +- err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type); ++ /* Abort any ongoing SMP pairing. Removes ltk and irk if they exist. */ ++ err = smp_cancel_and_remove_pairing(hdev, &cp->addr.bdaddr, addr_type); + if (err < 0) { + err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE, + MGMT_STATUS_NOT_PAIRED, &rp, +@@ -2314,8 +2313,6 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data, + goto done; + } + +- /* Abort any ongoing SMP pairing */ +- smp_cancel_pairing(conn); + + /* Defer clearing up the connection parameters until closing to + * give a chance of keeping them if a repairing happens. 
+diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c +index ead4d1baeaa6..1abfbcd8090a 100644 +--- a/net/bluetooth/smp.c ++++ b/net/bluetooth/smp.c +@@ -2353,30 +2353,51 @@ unlock: + return ret; + } + +-void smp_cancel_pairing(struct hci_conn *hcon) ++int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr, ++ u8 addr_type) + { +- struct l2cap_conn *conn = hcon->l2cap_data; ++ struct hci_conn *hcon; ++ struct l2cap_conn *conn; + struct l2cap_chan *chan; + struct smp_chan *smp; ++ int err; ++ ++ err = hci_remove_ltk(hdev, bdaddr, addr_type); ++ hci_remove_irk(hdev, bdaddr, addr_type); ++ ++ hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type); ++ if (!hcon) ++ goto done; + ++ conn = hcon->l2cap_data; + if (!conn) +- return; ++ goto done; + + chan = conn->smp; + if (!chan) +- return; ++ goto done; + + l2cap_chan_lock(chan); + + smp = chan->data; + if (smp) { ++ /* Set keys to NULL to make sure smp_failure() does not try to ++ * remove and free already invalidated rcu list entries. */ ++ smp->ltk = NULL; ++ smp->slave_ltk = NULL; ++ smp->remote_irk = NULL; ++ + if (test_bit(SMP_FLAG_COMPLETE, &smp->flags)) + smp_failure(conn, 0); + else + smp_failure(conn, SMP_UNSPECIFIED); ++ err = 0; + } + + l2cap_chan_unlock(chan); ++ ++done: ++ return err; + } + + static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb) +diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h +index ffcc70b6b199..993cbd7bcfe7 100644 +--- a/net/bluetooth/smp.h ++++ b/net/bluetooth/smp.h +@@ -180,7 +180,8 @@ enum smp_key_pref { + }; + + /* SMP Commands */ +-void smp_cancel_pairing(struct hci_conn *hcon); ++int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr, ++ u8 addr_type); + bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level, + enum smp_key_pref key_pref); + int smp_conn_security(struct hci_conn *hcon, __u8 sec_level); +-- +2.17.1 + 
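Review bot: in smp_cancel_and_remove_pairing(), hci_remove_ltk() and hci_remove_irk() run before l2cap_chan_lock(chan), while smp->ltk, smp->slave_ltk and smp->remote_irk are only set to NULL after the lock is taken, so for a short window the SMP context still points at entries that have already left the list. Add a comment naming the lock the caller must hold that keeps smp_failure() from running in that window, or reorder so the pointers are cleared under the channel lock before the keys are removed. The return value of hci_remove_irk() is dropped and err is forced to 0 whenever an smp context exists, which deserves a line in a function comment. Style: the mgmt.c hunk leaves two consecutive blank lines where smp_cancel_pairing(conn) was removed, and the new multi-line comment closes with "*/" on the text line.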
diff --git a/queue-4.9/bnxt_en-don-t-use-rtnl-lock-to-protect-link-change-l.patch b/queue-4.9/bnxt_en-don-t-use-rtnl-lock-to-protect-link-change-l.patch new file mode 100644 index 00000000000..fda8163b3af --- /dev/null +++ b/queue-4.9/bnxt_en-don-t-use-rtnl-lock-to-protect-link-change-l.patch 
@@ -0,0 +1,143 @@ +From 8c27e1e8372aad078b6c09e243a71e541896df38 Mon Sep 17 00:00:00 2001 +From: Michael Chan +Date: Fri, 13 Oct 2017 21:09:30 -0400 +Subject: bnxt_en: Don't use rtnl lock to protect link change logic in + workqueue. + +[ Upstream commit e2dc9b6e38fa3919e63d6d7905da70ca41cbf908 ] + +As a further improvement to the PF/VF link change logic, use a private +mutex instead of the rtnl lock to protect link change logic. With the +new mutex, we don't have to take the rtnl lock in the workqueue when +we have to handle link related functions. If the VF and PF drivers +are running on the same host and both take the rtnl lock and one is +waiting for the other, it will cause timeout. This patch fixes these +timeouts. + +Fixes: 90c694bb7181 ("bnxt_en: Fix RTNL lock usage on bnxt_update_link().") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 25 ++++++++++--------- + drivers/net/ethernet/broadcom/bnxt/bnxt.h | 4 +++ + .../net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 4 +++ + 3 files changed, 21 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 208e9dacfd34..a036f7039d76 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -5580,7 +5580,9 @@ static int __bnxt_open_nic(struct bnxt *bp, bool irq_re_init, bool link_re_init) + } + + if (link_re_init) { ++ mutex_lock(&bp->link_lock); + rc = bnxt_update_phy_setting(bp); ++ mutex_unlock(&bp->link_lock); + if (rc) + netdev_warn(bp->dev, "failed to update phy settings\n"); + } +@@ -6230,30 +6232,28 @@ static void bnxt_sp_task(struct work_struct *work) + if (test_and_clear_bit(BNXT_PERIODIC_STATS_SP_EVENT, &bp->sp_event)) + bnxt_hwrm_port_qstats(bp); + +- /* These functions below will clear BNXT_STATE_IN_SP_TASK. They +- * must be the last functions to be called before exiting. 
+- */ + if (test_and_clear_bit(BNXT_LINK_CHNG_SP_EVENT, &bp->sp_event)) { +- int rc = 0; ++ int rc; + ++ mutex_lock(&bp->link_lock); + if (test_and_clear_bit(BNXT_LINK_SPEED_CHNG_SP_EVENT, + &bp->sp_event)) + bnxt_hwrm_phy_qcaps(bp); + +- bnxt_rtnl_lock_sp(bp); +- if (test_bit(BNXT_STATE_OPEN, &bp->state)) +- rc = bnxt_update_link(bp, true); +- bnxt_rtnl_unlock_sp(bp); ++ rc = bnxt_update_link(bp, true); ++ mutex_unlock(&bp->link_lock); + if (rc) + netdev_err(bp->dev, "SP task can't update link (rc: %x)\n", + rc); + } + if (test_and_clear_bit(BNXT_HWRM_PORT_MODULE_SP_EVENT, &bp->sp_event)) { +- bnxt_rtnl_lock_sp(bp); +- if (test_bit(BNXT_STATE_OPEN, &bp->state)) +- bnxt_get_port_module_status(bp); +- bnxt_rtnl_unlock_sp(bp); ++ mutex_lock(&bp->link_lock); ++ bnxt_get_port_module_status(bp); ++ mutex_unlock(&bp->link_lock); + } ++ /* These functions below will clear BNXT_STATE_IN_SP_TASK. They ++ * must be the last functions to be called before exiting. ++ */ + if (test_and_clear_bit(BNXT_RESET_TASK_SP_EVENT, &bp->sp_event)) + bnxt_reset(bp, false); + +@@ -6788,6 +6788,7 @@ static int bnxt_probe_phy(struct bnxt *bp) + rc); + return rc; + } ++ mutex_init(&bp->link_lock); + + rc = bnxt_update_link(bp, false); + if (rc) { +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +index 666bc0608ed7..017c10c53715 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +@@ -1109,6 +1109,10 @@ struct bnxt { + unsigned long *ntp_fltr_bmap; + int ntp_fltr_count; + ++ /* To protect link related settings during link changes and ++ * ethtool settings changes. 
++ */ ++ struct mutex link_lock; + struct bnxt_link_info link_info; + struct ethtool_eee eee; + u32 lpi_tmr_lo; +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +index cde4b96f3153..3a352f76e633 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +@@ -793,6 +793,7 @@ static int bnxt_get_link_ksettings(struct net_device *dev, + u32 ethtool_speed; + + ethtool_link_ksettings_zero_link_mode(lk_ksettings, supported); ++ mutex_lock(&bp->link_lock); + bnxt_fw_to_ethtool_support_spds(link_info, lk_ksettings); + + ethtool_link_ksettings_zero_link_mode(lk_ksettings, advertising); +@@ -840,6 +841,7 @@ static int bnxt_get_link_ksettings(struct net_device *dev, + base->port = PORT_FIBRE; + } + base->phy_address = link_info->phy_addr; ++ mutex_unlock(&bp->link_lock); + + return 0; + } +@@ -926,6 +928,7 @@ static int bnxt_set_link_ksettings(struct net_device *dev, + if (!BNXT_SINGLE_PF(bp)) + return -EOPNOTSUPP; + ++ mutex_lock(&bp->link_lock); + if (base->autoneg == AUTONEG_ENABLE) { + BNXT_ETHTOOL_TO_FW_SPDS(fw_advertising, lk_ksettings, + advertising); +@@ -970,6 +973,7 @@ static int bnxt_set_link_ksettings(struct net_device *dev, + rc = bnxt_hwrm_set_link_setting(bp, set_pause, false); + + set_setting_exit: ++ mutex_unlock(&bp->link_lock); + return rc; + } + +-- +2.17.1 + diff --git a/queue-4.9/bonding-ratelimit-failed-speed-duplex-update-warning.patch b/queue-4.9/bonding-ratelimit-failed-speed-duplex-update-warning.patch new file mode 100644 index 00000000000..0116f2ba9a2 --- /dev/null +++ b/queue-4.9/bonding-ratelimit-failed-speed-duplex-update-warning.patch 
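Review bot: in the bnxt_sp_task() hunk of the bnxt_en patch, both test_bit(BNXT_STATE_OPEN, &bp->state) guards are removed together with the rtnl locking, so bnxt_update_link(bp, true) and bnxt_get_port_module_status(bp) are now called without re-checking the open state under the new lock, and the changelog does not say why that is safe. Keep the BNXT_STATE_OPEN test inside the link_lock section or explain what makes it unnecessary. Separately, mutex_init(&bp->link_lock) is placed in bnxt_probe_phy() after an earlier "return rc", so the mutex stays uninitialized on that error path; initializing it with the other one-time setup would be more robust.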
@@ -0,0 +1,50 @@ +From 294d1947f79e885e666879d997f5b30803997c94 Mon Sep 17 00:00:00 2001 +From: Andreas Born +Date: Sat, 12 Aug 2017 00:36:55 +0200 +Subject: bonding: ratelimit failed speed/duplex update warning + +[ Upstream commit 11e9d7829dd08dbafb24517fe922f11c3a8a9dc2 ] + +bond_miimon_commit() handles the UP transition for each slave of a bond +in the case of MII. It is triggered 10 times per second for the default +MII Polling interval of 100ms. For device drivers that do not implement +__ethtool_get_link_ksettings() the call to bond_update_speed_duplex() +fails persistently while the MII status could remain UP. That is, in +this and other cases where the speed/duplex update keeps failing over a +longer period of time while the MII state is UP, a warning is printed +every MII polling interval. + +To address these excessive warnings net_ratelimit() should be used. +Printing a warning once would not be sufficient since the call to +bond_update_speed_duplex() could recover to succeed and fail again +later. In that case there would be no new indication what went wrong. + +Fixes: b5bf0f5b16b9c (bonding: correctly update link status during mii-commit phase) +Signed-off-by: Andreas Born +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index b1ea29d8ad1a..389d1db69a32 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2132,9 +2132,10 @@ static void bond_miimon_commit(struct bonding *bond) + if (bond_update_speed_duplex(slave) && + bond_needs_speed_duplex(bond)) { + slave->link = BOND_LINK_DOWN; +- netdev_warn(bond->dev, +- "failed to get link speed/duplex for %s\n", +- slave->dev->name); ++ if (net_ratelimit()) ++ netdev_warn(bond->dev, ++ "failed to get link speed/duplex for %s\n", ++ slave->dev->name); + continue; + } + bond_set_slave_link_state(slave, BOND_LINK_UP, +-- +2.17.1 + diff --git a/queue-4.9/btrfs-clear-extent_defrag-bits-in-finish_ordered_io.patch b/queue-4.9/btrfs-clear-extent_defrag-bits-in-finish_ordered_io.patch new file mode 100644 index 00000000000..9a046956e83 --- /dev/null +++ b/queue-4.9/btrfs-clear-extent_defrag-bits-in-finish_ordered_io.patch 
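Review bot: in the bonding patch, the net_ratelimit() gate added in bond_miimon_commit() uses the limiter shared by every net_ratelimit() caller, so unrelated network warnings can use up the budget and suppress this message for a slave that has only just started failing, which is the case the changelog wants to keep visible. A rate limit state local to this call site would bound the output without that coupling. Note that slave->link = BOND_LINK_DOWN is still assigned on every polling interval; only the log line is limited.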
@@ -0,0 +1,40 @@ +From 3d8ef16ce0e1fb9aaec31aef403950302a854532 Mon Sep 17 00:00:00 2001 +From: Liu Bo +Date: Fri, 26 May 2017 17:44:23 -0600 +Subject: Btrfs: clear EXTENT_DEFRAG bits in finish_ordered_io + +[ Upstream commit 452e62b71fbbefe2646fad3a968371a026936c6d ] + +Before this, we use 'filled' mode here, ie. if all range has been +filled with EXTENT_DEFRAG bits, get to clear it, but if the defrag +range joins the adjacent delalloc range, then we'll have EXTENT_DEFRAG +bits in extent_state until releasing this inode's pages, and that +prevents extent_data from being freed. + +This clears the bit if any was found within the ordered extent. + +Signed-off-by: Liu Bo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Chris Mason +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index bd036557c6bc..5ebdb58079e1 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -2966,7 +2966,7 @@ static int btrfs_finish_ordered_io(struct btrfs_ordered_extent *ordered_extent) + + ret = test_range_bit(io_tree, ordered_extent->file_offset, + ordered_extent->file_offset + ordered_extent->len - 1, +- EXTENT_DEFRAG, 1, cached_state); ++ EXTENT_DEFRAG, 0, cached_state); + if (ret) { + u64 last_snapshot = btrfs_root_last_snapshot(&root->root_item); + if (0 && last_snapshot >= BTRFS_I(inode)->generation) +-- +2.17.1 + diff --git a/queue-4.9/btrfs-fiemap-cache-and-merge-fiemap-extent-before-su.patch b/queue-4.9/btrfs-fiemap-cache-and-merge-fiemap-extent-before-su.patch new file mode 100644 index 00000000000..d34a48d7b41 --- /dev/null +++ b/queue-4.9/btrfs-fiemap-cache-and-merge-fiemap-extent-before-su.patch 
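Review bot: in the btrfs_finish_ordered_io() hunk of the EXTENT_DEFRAG patch, the whole behaviour change is carried by flipping the bare literal fifth argument of test_range_bit() from 1 to 0, which is easy to misread or to revert by accident. A short comment at the call saying that any EXTENT_DEFRAG bit inside the ordered extent's range should take the clear path, as the changelog describes, would document the intent where the code is read.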
@@ -0,0 +1,246 @@ +From 513ff014a8c73f860539d9f9cbee5c027a06cbc9 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Fri, 7 Apr 2017 10:43:15 +0800 +Subject: btrfs: fiemap: Cache and merge fiemap extent before submit it to user + +[ Upstream commit 4751832da990a927c37526ae67b9226ea01eb99e ] + +[BUG] +Cycle mount btrfs can cause fiemap to return different result. +Like: + # mount /dev/vdb5 /mnt/btrfs + # dd if=/dev/zero bs=16K count=4 oflag=dsync of=/mnt/btrfs/file + # xfs_io -c "fiemap -v" /mnt/btrfs/file + /mnt/test/file: + EXT: FILE-OFFSET BLOCK-RANGE TOTAL FLAGS + 0: [0..127]: 25088..25215 128 0x1 + # umount /mnt/btrfs + # mount /dev/vdb5 /mnt/btrfs + # xfs_io -c "fiemap -v" /mnt/btrfs/file + /mnt/test/file: + EXT: FILE-OFFSET BLOCK-RANGE TOTAL FLAGS + 0: [0..31]: 25088..25119 32 0x0 + 1: [32..63]: 25120..25151 32 0x0 + 2: [64..95]: 25152..25183 32 0x0 + 3: [96..127]: 25184..25215 32 0x1 +But after above fiemap, we get correct merged result if we call fiemap +again. + # xfs_io -c "fiemap -v" /mnt/btrfs/file + /mnt/test/file: + EXT: FILE-OFFSET BLOCK-RANGE TOTAL FLAGS + 0: [0..127]: 25088..25215 128 0x1 + +[REASON] +Btrfs will try to merge extent map when inserting new extent map. 
+ +btrfs_fiemap(start=0 len=(u64)-1) +|- extent_fiemap(start=0 len=(u64)-1) + |- get_extent_skip_holes(start=0 len=64k) + | |- btrfs_get_extent_fiemap(start=0 len=64k) + | |- btrfs_get_extent(start=0 len=64k) + | | Found on-disk (ino, EXTENT_DATA, 0) + | |- add_extent_mapping() + | |- Return (em->start=0, len=16k) + | + |- fiemap_fill_next_extent(logic=0 phys=X len=16k) + | + |- get_extent_skip_holes(start=0 len=64k) + | |- btrfs_get_extent_fiemap(start=0 len=64k) + | |- btrfs_get_extent(start=16k len=48k) + | | Found on-disk (ino, EXTENT_DATA, 16k) + | |- add_extent_mapping() + | | |- try_merge_map() + | | Merge with previous em start=0 len=16k + | | resulting em start=0 len=32k + | |- Return (em->start=0, len=32K) << Merged result + |- Stripe off the unrelated range (0~16K) of return em + |- fiemap_fill_next_extent(logic=16K phys=X+16K len=16K) + ^^^ Causing split fiemap extent. + +And since in add_extent_mapping(), em is already merged, in next +fiemap() call, we will get merged result. + +[FIX] +Here we introduce a new structure, fiemap_cache, which records previous +fiemap extent. + +And will always try to merge current fiemap_cache result before calling +fiemap_fill_next_extent(). +Only when we failed to merge current fiemap extent with cached one, we +will call fiemap_fill_next_extent() to submit cached one. + +So by this method, we can merge all fiemap extents. + +It can also be done in fs/ioctl.c, however the problem is if +fieinfo->fi_extents_max == 0, we have no space to cache previous fiemap +extent. +So I choose to merge it in btrfs. 
+ +Signed-off-by: Qu Wenruo +Reviewed-by: Liu Bo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent_io.c | 124 ++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 122 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c +index 2b96ca68dc10..5feaef9bcbda 100644 +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -4377,6 +4377,123 @@ static struct extent_map *get_extent_skip_holes(struct inode *inode, + return NULL; + } + ++/* ++ * To cache previous fiemap extent ++ * ++ * Will be used for merging fiemap extent ++ */ ++struct fiemap_cache { ++ u64 offset; ++ u64 phys; ++ u64 len; ++ u32 flags; ++ bool cached; ++}; ++ ++/* ++ * Helper to submit fiemap extent. ++ * ++ * Will try to merge current fiemap extent specified by @offset, @phys, ++ * @len and @flags with cached one. ++ * And only when we fails to merge, cached one will be submitted as ++ * fiemap extent. ++ * ++ * Return value is the same as fiemap_fill_next_extent(). ++ */ ++static int emit_fiemap_extent(struct fiemap_extent_info *fieinfo, ++ struct fiemap_cache *cache, ++ u64 offset, u64 phys, u64 len, u32 flags) ++{ ++ int ret = 0; ++ ++ if (!cache->cached) ++ goto assign; ++ ++ /* ++ * Sanity check, extent_fiemap() should have ensured that new ++ * fiemap extent won't overlap with cahced one. ++ * Not recoverable. 
++ * ++ * NOTE: Physical address can overlap, due to compression ++ */ ++ if (cache->offset + cache->len > offset) { ++ WARN_ON(1); ++ return -EINVAL; ++ } ++ ++ /* ++ * Only merges fiemap extents if ++ * 1) Their logical addresses are continuous ++ * ++ * 2) Their physical addresses are continuous ++ * So truly compressed (physical size smaller than logical size) ++ * extents won't get merged with each other ++ * ++ * 3) Share same flags except FIEMAP_EXTENT_LAST ++ * So regular extent won't get merged with prealloc extent ++ */ ++ if (cache->offset + cache->len == offset && ++ cache->phys + cache->len == phys && ++ (cache->flags & ~FIEMAP_EXTENT_LAST) == ++ (flags & ~FIEMAP_EXTENT_LAST)) { ++ cache->len += len; ++ cache->flags |= flags; ++ goto try_submit_last; ++ } ++ ++ /* Not mergeable, need to submit cached one */ ++ ret = fiemap_fill_next_extent(fieinfo, cache->offset, cache->phys, ++ cache->len, cache->flags); ++ cache->cached = false; ++ if (ret) ++ return ret; ++assign: ++ cache->cached = true; ++ cache->offset = offset; ++ cache->phys = phys; ++ cache->len = len; ++ cache->flags = flags; ++try_submit_last: ++ if (cache->flags & FIEMAP_EXTENT_LAST) { ++ ret = fiemap_fill_next_extent(fieinfo, cache->offset, ++ cache->phys, cache->len, cache->flags); ++ cache->cached = false; ++ } ++ return ret; ++} ++ ++/* ++ * Sanity check for fiemap cache ++ * ++ * All fiemap cache should be submitted by emit_fiemap_extent() ++ * Iteration should be terminated either by last fiemap extent or ++ * fieinfo->fi_extents_max. ++ * So no cached fiemap should exist. 
++ */ ++static int check_fiemap_cache(struct btrfs_fs_info *fs_info, ++ struct fiemap_extent_info *fieinfo, ++ struct fiemap_cache *cache) ++{ ++ int ret; ++ ++ if (!cache->cached) ++ return 0; ++ ++ /* Small and recoverbale problem, only to info developer */ ++#ifdef CONFIG_BTRFS_DEBUG ++ WARN_ON(1); ++#endif ++ btrfs_warn(fs_info, ++ "unhandled fiemap cache detected: offset=%llu phys=%llu len=%llu flags=0x%x", ++ cache->offset, cache->phys, cache->len, cache->flags); ++ ret = fiemap_fill_next_extent(fieinfo, cache->offset, cache->phys, ++ cache->len, cache->flags); ++ cache->cached = false; ++ if (ret > 0) ++ ret = 0; ++ return ret; ++} ++ + int extent_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo, + __u64 start, __u64 len, get_extent_t *get_extent) + { +@@ -4394,6 +4511,7 @@ int extent_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo, + struct extent_state *cached_state = NULL; + struct btrfs_path *path; + struct btrfs_root *root = BTRFS_I(inode)->root; ++ struct fiemap_cache cache = { 0 }; + int end = 0; + u64 em_start = 0; + u64 em_len = 0; +@@ -4573,8 +4691,8 @@ int extent_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo, + flags |= FIEMAP_EXTENT_LAST; + end = 1; + } +- ret = fiemap_fill_next_extent(fieinfo, em_start, disko, +- em_len, flags); ++ ret = emit_fiemap_extent(fieinfo, &cache, em_start, disko, ++ em_len, flags); + if (ret) { + if (ret == 1) + ret = 0; +@@ -4582,6 +4700,8 @@ int extent_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo, + } + } + out_free: ++ if (!ret) ++ ret = check_fiemap_cache(root->fs_info, fieinfo, &cache); + free_extent_map(em); + out: + btrfs_free_path(path); +-- +2.17.1 + diff --git a/queue-4.9/btrfs-incremental-send-fix-invalid-memory-access.patch b/queue-4.9/btrfs-incremental-send-fix-invalid-memory-access.patch new file mode 100644 index 00000000000..b3daff2aaff --- /dev/null +++ b/queue-4.9/btrfs-incremental-send-fix-invalid-memory-access.patch 
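Review bot: in the fiemap patch, emit_fiemap_extent() flushes the cached entry only when the next extent is not mergeable or when FIEMAP_EXTENT_LAST is set, so if extent_fiemap() stops for any other reason (for example the requested start/len range ends inside the file) a valid merged extent is still cached and check_fiemap_cache() reports it through btrfs_warn() as "unhandled fiemap cache detected", with WARN_ON(1) under CONFIG_BTRFS_DEBUG. Either flush the cache quietly at out_free or confirm that the loop cannot exit that way and say so in the comment above check_fiemap_cache(). Minor: the new comments contain the typos "cahced" and "recoverbale".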
@@ -0,0 +1,157 @@ +From 9cd0b90dd3c91e15cb5df841f12cfbfb70364b53 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Thu, 6 Jul 2017 15:31:46 +0100 +Subject: Btrfs: incremental send, fix invalid memory access + +[ Upstream commit 24e52b11e0ca788513b945a87b57cc0522a92933 ] + +When doing an incremental send, while processing an extent that changed +between the parent and send snapshots and that extent was an inline extent +in the parent snapshot, it's possible to access a memory region beyond +the end of leaf if the inline extent is very small and it is the first +item in a leaf. + +An example scenario is described below. + +The send snapshot has the following leaf: + + leaf 33865728 items 33 free space 773 generation 46 owner 5 + fs uuid ab7090d8-dafd-4fb9-9246-723b6d2e2fb7 + chunk uuid 2d16478c-c704-4ab9-b574-68bff2281b1f + (...) + item 14 key (335 EXTENT_DATA 0) itemoff 3052 itemsize 53 + generation 36 type 1 (regular) + extent data disk byte 12791808 nr 4096 + extent data offset 0 nr 4096 ram 4096 + extent compression 0 (none) + item 15 key (335 EXTENT_DATA 8192) itemoff 2999 itemsize 53 + generation 36 type 1 (regular) + extent data disk byte 138170368 nr 225280 + extent data offset 0 nr 225280 ram 225280 + extent compression 0 (none) + (...) + +And the parent snapshot has the following leaf: + + leaf 31272960 items 17 free space 17 generation 31 owner 5 + fs uuid ab7090d8-dafd-4fb9-9246-723b6d2e2fb7 + chunk uuid 2d16478c-c704-4ab9-b574-68bff2281b1f + item 0 key (335 EXTENT_DATA 0) itemoff 3951 itemsize 44 + generation 31 type 0 (inline) + inline extent data size 23 ram_bytes 613 compression 1 (zlib) + (...) + +When computing the send stream, it is detected that the extent of inode +335, at file offset 0, and at fs/btrfs/send.c:is_extent_unchanged() we +grab the leaf from the parent snapshot and access the inline extent item. 
+However, before jumping to the 'out' label, we access the 'offset' and +'disk_bytenr' fields of the extent item, which should not be done for +inline extents since the inlined data starts at the offset of the +'disk_bytenr' field and can be very small. For example accessing the +'offset' field of the file extent item results in the following trace: + +[ 599.705368] general protection fault: 0000 [#1] PREEMPT SMP +[ 599.706296] Modules linked in: btrfs psmouse i2c_piix4 ppdev acpi_cpufreq serio_raw parport_pc i2c_core evdev tpm_tis tpm_tis_core sg pcspkr parport tpm button su$ +[ 599.709340] CPU: 7 PID: 5283 Comm: btrfs Not tainted 4.10.0-rc8-btrfs-next-46+ #1 +[ 599.709340] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org 04/01/2014 +[ 599.709340] task: ffff88023eedd040 task.stack: ffffc90006658000 +[ 599.709340] RIP: 0010:read_extent_buffer+0xdb/0xf4 [btrfs] +[ 599.709340] RSP: 0018:ffffc9000665ba00 EFLAGS: 00010286 +[ 599.709340] RAX: db73880000000000 RBX: 0000000000000000 RCX: 0000000000000001 +[ 599.709340] RDX: ffffc9000665ba60 RSI: db73880000000000 RDI: ffffc9000665ba5f +[ 599.709340] RBP: ffffc9000665ba30 R08: 0000000000000001 R09: ffff88020dc5e098 +[ 599.709340] R10: 0000000000001000 R11: 0000160000000000 R12: 6db6db6db6db6db7 +[ 599.709340] R13: ffff880000000000 R14: 0000000000000000 R15: ffff88020dc5e088 +[ 599.709340] FS: 00007f519555a8c0(0000) GS:ffff88023f3c0000(0000) knlGS:0000000000000000 +[ 599.709340] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 599.709340] CR2: 00007f1411afd000 CR3: 0000000235f8e000 CR4: 00000000000006e0 +[ 599.709340] Call Trace: +[ 599.709340] btrfs_get_token_64+0x93/0xce [btrfs] +[ 599.709340] ? printk+0x48/0x50 +[ 599.709340] btrfs_get_64+0xb/0xd [btrfs] +[ 599.709340] process_extent+0x3a1/0x1106 [btrfs] +[ 599.709340] ? btree_read_extent_buffer_pages+0x5/0xef [btrfs] +[ 599.709340] changed_cb+0xb03/0xb3d [btrfs] +[ 599.709340] ? 
btrfs_get_token_32+0x7a/0xcc [btrfs] +[ 599.709340] btrfs_compare_trees+0x432/0x53d [btrfs] +[ 599.709340] ? process_extent+0x1106/0x1106 [btrfs] +[ 599.709340] btrfs_ioctl_send+0x960/0xe26 [btrfs] +[ 599.709340] btrfs_ioctl+0x181b/0x1fed [btrfs] +[ 599.709340] ? trace_hardirqs_on_caller+0x150/0x1ac +[ 599.709340] vfs_ioctl+0x21/0x38 +[ 599.709340] ? vfs_ioctl+0x21/0x38 +[ 599.709340] do_vfs_ioctl+0x611/0x645 +[ 599.709340] ? rcu_read_unlock+0x5b/0x5d +[ 599.709340] ? __fget+0x6d/0x79 +[ 599.709340] SyS_ioctl+0x57/0x7b +[ 599.709340] entry_SYSCALL_64_fastpath+0x18/0xad +[ 599.709340] RIP: 0033:0x7f51945eec47 +[ 599.709340] RSP: 002b:00007ffc21c13e98 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 +[ 599.709340] RAX: ffffffffffffffda RBX: ffffffff81096459 RCX: 00007f51945eec47 +[ 599.709340] RDX: 00007ffc21c13f20 RSI: 0000000040489426 RDI: 0000000000000004 +[ 599.709340] RBP: ffffc9000665bf98 R08: 00007f519450d700 R09: 00007f519450d700 +[ 599.709340] R10: 00007f519450d9d0 R11: 0000000000000202 R12: 0000000000000046 +[ 599.709340] R13: ffffc9000665bf78 R14: 0000000000000000 R15: 00007f5195574040 +[ 599.709340] ? trace_hardirqs_off_caller+0x43/0xb1 +[ 599.709340] Code: 29 f0 49 39 d8 4c 0f 47 c3 49 03 81 58 01 00 00 44 89 c1 4c 01 c2 4c 29 c3 48 c1 f8 03 49 0f af c4 48 c1 e0 0c 4c 01 e8 48 01 c6 a4 31 f6 4$ +[ 599.709340] RIP: read_extent_buffer+0xdb/0xf4 [btrfs] RSP: ffffc9000665ba00 +[ 599.762057] ---[ end trace fe00d7af61b9f49e ]--- + +This is because the 'offset' field starts at an offset of 37 bytes +(offsetof(struct btrfs_file_extent_item, offset)), has a length of 8 +bytes and therefore attemping to read it causes a 1 byte access beyond +the end of the leaf, as the first item's content in a leaf is located +at the tail of the leaf, the item size is 44 bytes and the offset of +that field plus its length (37 + 8 = 45) goes beyond the item's size +by 1 byte. 
+ +So fix this by accessing the 'offset' and 'disk_bytenr' fields after +jumping to the 'out' label if we are processing an inline extent. We +move the reading operation of the 'disk_bytenr' field too because we +have the same problem as for the 'offset' field explained above when +the inline data is less then 8 bytes. The access to the 'generation' +field is also moved but just for the sake of grouping access to all +the fields. + +Fixes: e1cbfd7bf6da ("Btrfs: send, fix file hole not being preserved due to inline extent") +Cc: # v4.12+ +Signed-off-by: Filipe Manana +Signed-off-by: Sasha Levin +--- + fs/btrfs/send.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c +index c8d2eec6596b..79dc3ee1de58 100644 +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -5165,15 +5165,12 @@ static int is_extent_unchanged(struct send_ctx *sctx, + goto out; + } + +- right_disknr = btrfs_file_extent_disk_bytenr(eb, ei); + if (right_type == BTRFS_FILE_EXTENT_INLINE) { + right_len = btrfs_file_extent_inline_len(eb, slot, ei); + right_len = PAGE_ALIGN(right_len); + } else { + right_len = btrfs_file_extent_num_bytes(eb, ei); + } +- right_offset = btrfs_file_extent_offset(eb, ei); +- right_gen = btrfs_file_extent_generation(eb, ei); + + /* + * Are we at extent 8? If yes, we know the extent is changed. +@@ -5198,6 +5195,10 @@ static int is_extent_unchanged(struct send_ctx *sctx, + goto out; + } + ++ right_disknr = btrfs_file_extent_disk_bytenr(eb, ei); ++ right_offset = btrfs_file_extent_offset(eb, ei); ++ right_gen = btrfs_file_extent_generation(eb, ei); ++ + left_offset_fixed = left_offset; + if (key.offset < ekey->offset) { + /* Fix the right offset for 2a and 7. */ +-- +2.17.1 + diff --git a/queue-4.9/cfg80211-address-some-corner-cases-in-scan-result-ch.patch b/queue-4.9/cfg80211-address-some-corner-cases-in-scan-result-ch.patch new file mode 100644 index 00000000000..4890573a7f0 --- /dev/null 
+++ b/queue-4.9/cfg80211-address-some-corner-cases-in-scan-result-ch.patch 
@@ -0,0 +1,140 @@ +From 5461693523ace092f6f91944e303ec1e988bfce5 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Wed, 5 Sep 2018 18:52:22 +0300 +Subject: cfg80211: Address some corner cases in scan result channel updating + +[ Upstream commit 119f94a6fefcc76d47075b83d2b73d04c895df78 ] + +cfg80211_get_bss_channel() is used to update the RX channel based on the +available frame payload information (channel number from DSSS Parameter +Set element or HT Operation element). This is needed on 2.4 GHz channels +where frames may be received on neighboring channels due to overlapping +frequency range. + +This might of some use on the 5 GHz band in some corner cases, but +things are more complex there since there is no n:1 or 1:n mapping +between channel numbers and frequencies due to multiple different +starting frequencies in different operating classes. This could result +in ieee80211_channel_to_frequency() returning incorrect frequency and +ieee80211_get_channel() returning incorrect channel information (or +indication of no match). In the previous implementation, this could +result in some scan results being dropped completely, e.g., for the 4.9 +GHz channels. That prevented connection to such BSSs. + +Fix this by using the driver-provided channel pointer if +ieee80211_get_channel() does not find matching channel data for the +channel number in the frame payload and if the scan is done with 5 MHz +or 10 MHz channel bandwidth. While doing this, also add comments +describing what the function is trying to achieve to make it easier to +understand what happens here and why. 
+ +Signed-off-by: Jouni Malinen +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 58 ++++++++++++++++++++++++++++++++++++++------- + 1 file changed, 49 insertions(+), 9 deletions(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 35ad69fd0838..435f904c1be5 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -978,13 +978,23 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev, + return NULL; + } + ++/* ++ * Update RX channel information based on the available frame payload ++ * information. This is mainly for the 2.4 GHz band where frames can be received ++ * from neighboring channels and the Beacon frames use the DSSS Parameter Set ++ * element to indicate the current (transmitting) channel, but this might also ++ * be needed on other bands if RX frequency does not match with the actual ++ * operating channel of a BSS. ++ */ + static struct ieee80211_channel * + cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen, +- struct ieee80211_channel *channel) ++ struct ieee80211_channel *channel, ++ enum nl80211_bss_scan_width scan_width) + { + const u8 *tmp; + u32 freq; + int channel_number = -1; ++ struct ieee80211_channel *alt_channel; + + tmp = cfg80211_find_ie(WLAN_EID_DS_PARAMS, ie, ielen); + if (tmp && tmp[1] == 1) { +@@ -998,16 +1008,45 @@ cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen, + } + } + +- if (channel_number < 0) ++ if (channel_number < 0) { ++ /* No channel information in frame payload */ + return channel; ++ } + + freq = ieee80211_channel_to_frequency(channel_number, channel->band); +- channel = ieee80211_get_channel(wiphy, freq); +- if (!channel) +- return NULL; +- if (channel->flags & IEEE80211_CHAN_DISABLED) ++ alt_channel = ieee80211_get_channel(wiphy, freq); ++ if (!alt_channel) { ++ if (channel->band == NL80211_BAND_2GHZ) { ++ /* ++ * Better not allow unexpected channels when that could ++ * be going beyond the 1-11 range 
(e.g., discovering ++ * BSS on channel 12 when radio is configured for ++ * channel 11. ++ */ ++ return NULL; ++ } ++ ++ /* No match for the payload channel number - ignore it */ ++ return channel; ++ } ++ ++ if (scan_width == NL80211_BSS_CHAN_WIDTH_10 || ++ scan_width == NL80211_BSS_CHAN_WIDTH_5) { ++ /* ++ * Ignore channel number in 5 and 10 MHz channels where there ++ * may not be an n:1 or 1:n mapping between frequencies and ++ * channel numbers. ++ */ ++ return channel; ++ } ++ ++ /* ++ * Use the channel determined through the payload channel number ++ * instead of the RX channel reported by the driver. ++ */ ++ if (alt_channel->flags & IEEE80211_CHAN_DISABLED) + return NULL; +- return channel; ++ return alt_channel; + } + + /* Returned bss is reference counted and must be cleaned up appropriately. */ +@@ -1032,7 +1071,8 @@ cfg80211_inform_bss_data(struct wiphy *wiphy, + (data->signal < 0 || data->signal > 100))) + return NULL; + +- channel = cfg80211_get_bss_channel(wiphy, ie, ielen, data->chan); ++ channel = cfg80211_get_bss_channel(wiphy, ie, ielen, data->chan, ++ data->scan_width); + if (!channel) + return NULL; + +@@ -1130,7 +1170,7 @@ cfg80211_inform_bss_frame_data(struct wiphy *wiphy, + return NULL; + + channel = cfg80211_get_bss_channel(wiphy, mgmt->u.beacon.variable, +- ielen, data->chan); ++ ielen, data->chan, data->scan_width); + if (!channel) + return NULL; + +-- +2.17.1 + diff --git a/queue-4.9/cfg80211-reg-init-wiphy_idx-in-regulatory_hint_core.patch b/queue-4.9/cfg80211-reg-init-wiphy_idx-in-regulatory_hint_core.patch new file mode 100644 index 00000000000..ee6908aa3f8 --- /dev/null +++ b/queue-4.9/cfg80211-reg-init-wiphy_idx-in-regulatory_hint_core.patch 
@@ -0,0 +1,37 @@ +From 8cbb8b51b6ed792f66ed835e80b1de0f64b89202 Mon Sep 17 00:00:00 2001 +From: Andrei Otcheretianski +Date: Wed, 5 Sep 2018 08:06:12 +0300 +Subject: cfg80211: reg: Init wiphy_idx in regulatory_hint_core() + +[ Upstream commit 24f33e64fcd0d50a4b1a8e5b41bd0257aa66b0e8 ] + +Core regulatory hints didn't set wiphy_idx to WIPHY_IDX_INVALID. Since +the regulatory request is zeroed, wiphy_idx was always implicitly set to +0. This resulted in updating only phy #0. +Fix that. + +Fixes: 806a9e39670b ("cfg80211: make regulatory_request use wiphy_idx instead of wiphy") +Signed-off-by: Andrei Otcheretianski +Signed-off-by: Luca Coelho +[add fixes tag] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/reg.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/wireless/reg.c b/net/wireless/reg.c +index 5dbac3749738..36d1d25082e3 100644 +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -2298,6 +2298,7 @@ static int regulatory_hint_core(const char *alpha2) + request->alpha2[0] = alpha2[0]; + request->alpha2[1] = alpha2[1]; + request->initiator = NL80211_REGDOM_SET_BY_CORE; ++ request->wiphy_idx = WIPHY_IDX_INVALID; + + queue_regulatory_request(request); + +-- +2.17.1 + diff --git a/queue-4.9/cifs-use-ull-suffix-for-64-bit-constant.patch b/queue-4.9/cifs-use-ull-suffix-for-64-bit-constant.patch new file mode 100644 index 00000000000..5371fe1c948 --- /dev/null +++ b/queue-4.9/cifs-use-ull-suffix-for-64-bit-constant.patch 
@@ -0,0 +1,40 @@ +From 8d2b2e686f182656e4eddf254a05831365a8436e Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Thu, 5 Apr 2018 14:57:11 +0200 +Subject: cifs: Use ULL suffix for 64-bit constant +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 3995bbf53bd2047f2720c6fdd4bf38f6d942a0c0 ] + +On 32-bit (e.g. with m68k-linux-gnu-gcc-4.1): + + fs/cifs/inode.c: In function ‘simple_hashstr’: + fs/cifs/inode.c:713: warning: integer constant is too large for ‘long’ type + +Fixes: 7ea884c77e5c97f1 ("smb3: Fix root directory when server returns inode number of zero") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Steve French +Reviewed-by: Aurelien Aptel +Signed-off-by: Sasha Levin +--- + fs/cifs/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c +index a012f70bba5c..77a18fe10805 100644 +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -704,7 +704,7 @@ cgfi_exit: + /* Simple function to return a 64 bit hash of string. Rarely called */ + static __u64 simple_hashstr(const char *str) + { +- const __u64 hash_mult = 1125899906842597L; /* a big enough prime */ ++ const __u64 hash_mult = 1125899906842597ULL; /* a big enough prime */ + __u64 hash = 0; + + while (*str) +-- +2.17.1 + diff --git a/queue-4.9/clk-samsung-fix-m2m-scaler-clock-on-exynos542x.patch b/queue-4.9/clk-samsung-fix-m2m-scaler-clock-on-exynos542x.patch new file mode 100644 index 00000000000..31781ed28e2 --- /dev/null +++ b/queue-4.9/clk-samsung-fix-m2m-scaler-clock-on-exynos542x.patch 
@@ -0,0 +1,37 @@ +From 4c5c240d9003591261525828172905ed9939434a Mon Sep 17 00:00:00 2001 +From: Andrzej Pietrasiewicz +Date: Fri, 29 Sep 2017 09:32:53 +0200 +Subject: clk: samsung: Fix m2m scaler clock on Exynos542x + +[ Upstream commit c07c1a0f68d0f2f7ca9aff924e2772526027b019 ] + +The TOP "aclk400_mscl" clock should be kept enabled all the time +to allow proper access to power management control for MSC power +domain and devices that are a part of it. This change is required +for the scaler to work properly after domain power on/off sequence. + +Fixes: 318fa46cc60d ("clk/samsung: exynos542x: mark some clocks as critical") +Signed-off-by: Andrzej Pietrasiewicz +Signed-off-by: Marek Szyprowski +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Sasha Levin +--- + drivers/clk/samsung/clk-exynos5420.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/samsung/clk-exynos5420.c b/drivers/clk/samsung/clk-exynos5420.c +index cdc092a1d9ef..07fb667e258f 100644 +--- a/drivers/clk/samsung/clk-exynos5420.c ++++ b/drivers/clk/samsung/clk-exynos5420.c +@@ -987,7 +987,7 @@ static const struct samsung_gate_clock exynos5x_gate_clks[] __initconst = { + GATE(0, "aclk400_isp", "mout_user_aclk400_isp", + GATE_BUS_TOP, 16, 0, 0), + GATE(0, "aclk400_mscl", "mout_user_aclk400_mscl", +- GATE_BUS_TOP, 17, 0, 0), ++ GATE_BUS_TOP, 17, CLK_IS_CRITICAL, 0), + GATE(0, "aclk200_disp1", "mout_user_aclk200_disp1", + GATE_BUS_TOP, 18, CLK_IS_CRITICAL, 0), + GATE(CLK_SCLK_MPHY_IXTAL24, "sclk_mphy_ixtal24", "mphy_refclk_ixtal24", +-- +2.17.1 + diff --git a/queue-4.9/declance-fix-continuation-with-the-adapter-identific.patch b/queue-4.9/declance-fix-continuation-with-the-adapter-identific.patch new file mode 100644 index 00000000000..b925b1945be --- /dev/null +++ b/queue-4.9/declance-fix-continuation-with-the-adapter-identific.patch 
@@ -0,0 +1,71 @@ +From 42d7caa697c8efe9df22abc4bed1a875498042bd Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Tue, 2 Oct 2018 14:23:45 +0100 +Subject: declance: Fix continuation with the adapter identification message + +[ Upstream commit fe3a83af6a50199bf250fa331e94216912f79395 ] + +Fix a commit 4bcc595ccd80 ("printk: reinstate KERN_CONT for printing +continuation lines") regression with the `declance' driver, which caused +the adapter identification message to be split between two lines, e.g.: + +declance.c: v0.011 by Linux MIPS DECstation task force +tc6: PMAD-AA +, addr = 08:00:2b:1b:2a:6a, irq = 14 +tc6: registered as eth0. + +Address that properly, by printing identification with a single call, +making the messages now look like: + +declance.c: v0.011 by Linux MIPS DECstation task force +tc6: PMAD-AA, addr = 08:00:2b:1b:2a:6a, irq = 14 +tc6: registered as eth0. + +Signed-off-by: Maciej W. Rozycki +Fixes: 4bcc595ccd80 ("printk: reinstate KERN_CONT for printing continuation lines") +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/declance.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/amd/declance.c b/drivers/net/ethernet/amd/declance.c +index b799c7ac899b..9e80a76c3dfe 100644 +--- a/drivers/net/ethernet/amd/declance.c ++++ b/drivers/net/ethernet/amd/declance.c +@@ -1030,6 +1030,7 @@ static int dec_lance_probe(struct device *bdev, const int type) + int i, ret; + unsigned long esar_base; + unsigned char *esar; ++ const char *desc; + + if (dec_lance_debug && version_printed++ == 0) + printk(version); +@@ -1215,19 +1216,20 @@ static int dec_lance_probe(struct device *bdev, const int type) + */ + switch (type) { + case ASIC_LANCE: +- printk("%s: IOASIC onboard LANCE", name); ++ desc = "IOASIC onboard LANCE"; + break; + case PMAD_LANCE: +- printk("%s: PMAD-AA", name); ++ desc = "PMAD-AA"; + break; + case PMAX_LANCE: +- printk("%s: PMAX onboard LANCE", name); ++ desc = "PMAX onboard LANCE"; + break; + } + for (i = 0; i < 6; i++) + dev->dev_addr[i] = esar[i * 4]; + +- printk(", addr = %pM, irq = %d\n", dev->dev_addr, dev->irq); ++ printk("%s: %s, addr = %pM, irq = %d\n", ++ name, desc, dev->dev_addr, dev->irq); + + dev->netdev_ops = &lance_netdev_ops; + dev->watchdog_timeo = 5*HZ; +-- +2.17.1 + diff --git a/queue-4.9/drm-bochs-don-t-remove-uninitialized-fbdev-framebuff.patch b/queue-4.9/drm-bochs-don-t-remove-uninitialized-fbdev-framebuff.patch new file mode 100644 index 00000000000..cd18d73d164 --- /dev/null +++ b/queue-4.9/drm-bochs-don-t-remove-uninitialized-fbdev-framebuff.patch 
@@ -0,0 +1,111 @@ +From 5618572826552e6f81befc6e723c840046373fe9 Mon Sep 17 00:00:00 2001 +From: Gabriel Krisman Bertazi +Date: Fri, 17 Mar 2017 15:14:09 -0300 +Subject: drm: bochs: Don't remove uninitialized fbdev framebuffer + +[ Upstream commit 4fa13dbe8c86382a846584e65c47bce09297f75b ] + +In the same spirit of the fix for QXL in commit 861078381ba5 ("drm: qxl: +Don't alloc fbdev if emulation is not supported"), prevent the Oops in +the unbind path of Bochs if fbdev emulation is disabled. + +[ 112.176009] Oops: 0002 [#1] SMP +[ 112.176009] Modules linked in: bochs_drm +[ 112.176009] CPU: 0 PID: 3002 Comm: bash Not tainted 4.11.0-rc1+ #111 +[ 112.176009] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-20161025_171302-gandalf 04/01/2014 +[ 112.176009] task: ffff8800743bbac0 task.stack: ffffc90000b5c000 +[ 112.176009] RIP: 0010:mutex_lock+0x18/0x30 +[ 112.176009] RSP: 0018:ffffc90000b5fc78 EFLAGS: 00010246 +[ 112.176009] RAX: 0000000000000000 RBX: 0000000000000260 RCX: 0000000000000000 +[ 112.176009] RDX: ffff8800743bbac0 RSI: ffff8800787176e0 RDI: 0000000000000260 +[ 112.176009] RBP: ffffc90000b5fc80 R08: ffffffff00000000 R09: 00000000ffffffff +[ 112.176009] R10: ffff88007b463650 R11: 0000000000000000 R12: 0000000000000260 +[ 112.176009] R13: ffff8800787176e0 R14: ffffffffa0003068 R15: 0000000000000060 +[ 112.176009] FS: 00007f20564c7b40(0000) GS:ffff88007ce00000(0000) knlGS:0000000000000000 +[ 112.176009] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 112.176009] CR2: 0000000000000260 CR3: 000000006b89c000 CR4: 00000000000006f0 +[ 112.176009] Call Trace: +[ 112.176009] drm_mode_object_unregister+0x1e/0x50 +[ 112.176009] drm_framebuffer_unregister_private+0x15/0x20 +[ 112.176009] bochs_fbdev_fini+0x57/0x70 [bochs_drm] +[ 112.176009] bochs_unload+0x16/0x50 [bochs_drm] +[ 112.176009] drm_dev_unregister+0x37/0xd0 +[ 112.176009] drm_put_dev+0x31/0x60 +[ 112.176009] bochs_pci_remove+0x10/0x20 [bochs_drm] +[ 112.176009] pci_device_remove+0x34/0xb0 
+[ 112.176009] device_release_driver_internal+0x150/0x200 +[ 112.176009] device_release_driver+0xd/0x10 +[ 112.176009] unbind_store+0x108/0x150 +[ 112.176009] drv_attr_store+0x20/0x30 +[ 112.176009] sysfs_kf_write+0x32/0x40 +[ 112.176009] kernfs_fop_write+0x10b/0x190 +[ 112.176009] __vfs_write+0x23/0x120 +[ 112.176009] ? security_file_permission+0x36/0xb0 +[ 112.176009] ? rw_verify_area+0x49/0xb0 +[ 112.176009] vfs_write+0xb0/0x190 +[ 112.176009] SyS_write+0x41/0xa0 +[ 112.176009] entry_SYSCALL_64_fastpath+0x1a/0xa9 +[ 112.176009] RIP: 0033:0x7f2055bd5620 +[ 112.176009] RSP: 002b:00007ffed2f487d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 112.176009] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2055bd5620 +[ 112.176009] RDX: 000000000000000d RSI: 0000000000ee0008 RDI: 0000000000000001 +[ 112.176009] RBP: 0000000000000001 R08: 00007f2055e94760 R09: 00007f20564c7b40 +[ 112.176009] R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000000 +[ 112.176009] R13: 00007ffed2f48d70 R14: 0000000000000000 R15: 0000000000000000 +[ 112.176009] Code: 00 00 00 55 be 02 00 00 00 48 89 e5 e8 62 fb ff ff 5d c3 55 48 89 e5 53 48 89 fb e8 53 e9 ff ff 65 48 8b 14 25 40 c4 00 00 31 c0 48 0f b1 13 48 85 c0 74 08 48 89 df e8c6 ff ff ff 5b 5d c3 +[ 112.176009] RIP: mutex_lock+0x18/0x30 RSP: ffffc90000b5fc78 +[ 112.176009] CR2: 0000000000000260 +[ 112.205622] ---[ end trace 76189cd7a9bdd155 ]--- + +Signed-off-by: Gabriel Krisman Bertazi +Link: http://patchwork.freedesktop.org/patch/msgid/20170317181409.4183-1-krisman@collabora.co.uk +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bochs/bochs_fbdev.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/bochs/bochs_fbdev.c b/drivers/gpu/drm/bochs/bochs_fbdev.c +index e1ec498a6b6e..35f40255644d 100644 +--- a/drivers/gpu/drm/bochs/bochs_fbdev.c ++++ b/drivers/gpu/drm/bochs/bochs_fbdev.c +@@ -138,6 +138,7 @@ static int bochsfb_create(struct 
drm_fb_helper *helper, + info->fix.smem_start = 0; + info->fix.smem_len = size; + ++ bochs->fb.initialized = true; + return 0; + } + +@@ -155,7 +156,6 @@ static int bochs_fbdev_destroy(struct bochs_device *bochs) + gfb->obj = NULL; + } + +- drm_fb_helper_fini(&bochs->fb.helper); + drm_framebuffer_unregister_private(&gfb->base); + drm_framebuffer_cleanup(&gfb->base); + +@@ -188,7 +188,6 @@ int bochs_fbdev_init(struct bochs_device *bochs) + if (ret) + goto fini; + +- bochs->fb.initialized = true; + return 0; + + fini: +@@ -198,9 +197,9 @@ fini: + + void bochs_fbdev_fini(struct bochs_device *bochs) + { +- if (!bochs->fb.initialized) +- return; ++ if (bochs->fb.initialized) ++ bochs_fbdev_destroy(bochs); + +- bochs_fbdev_destroy(bochs); ++ drm_fb_helper_fini(&bochs->fb.helper); + bochs->fb.initialized = false; + } +-- +2.17.1 + diff --git a/queue-4.9/drm-msm-fix-possible-null-dereference-on-failure-of-.patch b/queue-4.9/drm-msm-fix-possible-null-dereference-on-failure-of-.patch new file mode 100644 index 00000000000..605d5beed08 --- /dev/null +++ b/queue-4.9/drm-msm-fix-possible-null-dereference-on-failure-of-.patch 
@@ -0,0 +1,64 @@ +From 278060dee20205d52ac72ebbddb3456520c24840 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Tue, 3 Apr 2018 23:38:45 +0100 +Subject: drm/msm: Fix possible null dereference on failure of get_pages() + +[ Upstream commit 3976626ea3d2011f8fd3f3a47070a8b792018253 ] + +Commit 62e3a3e342af changed get_pages() to initialise +msm_gem_object::pages before trying to initialise msm_gem_object::sgt, +so that put_pages() would properly clean up pages in the failure +case. + +However, this means that put_pages() now needs to check that +msm_gem_object::sgt is not null before trying to clean it up, and +this check was only applied to part of the cleanup code. Move +it all into the conditional block. (Strictly speaking we don't +need to make the kfree() conditional, but since we can't avoid +checking for null ourselves we may as well do so.) + +Fixes: 62e3a3e342af ("drm/msm: fix leak in failed get_pages") +Signed-off-by: Ben Hutchings +Reviewed-by: Jordan Crouse +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_gem.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c +index 7145127513c4..795660e29b2c 100644 +--- a/drivers/gpu/drm/msm/msm_gem.c ++++ b/drivers/gpu/drm/msm/msm_gem.c +@@ -118,17 +118,19 @@ static void put_pages(struct drm_gem_object *obj) + struct msm_gem_object *msm_obj = to_msm_bo(obj); + + if (msm_obj->pages) { +- /* For non-cached buffers, ensure the new pages are clean +- * because display controller, GPU, etc. are not coherent: +- */ +- if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED)) +- dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl, +- msm_obj->sgt->nents, DMA_BIDIRECTIONAL); ++ if (msm_obj->sgt) { ++ /* For non-cached buffers, ensure the new ++ * pages are clean because display controller, ++ * GPU, etc. 
are not coherent: ++ */ ++ if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED)) ++ dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl, ++ msm_obj->sgt->nents, ++ DMA_BIDIRECTIONAL); + +- if (msm_obj->sgt) + sg_free_table(msm_obj->sgt); +- +- kfree(msm_obj->sgt); ++ kfree(msm_obj->sgt); ++ } + + if (use_pages(obj)) + drm_gem_put_pages(obj, msm_obj->pages, true, false); +-- +2.17.1 + diff --git a/queue-4.9/efi-fb-correct-pci_std_resource_end-usage.patch b/queue-4.9/efi-fb-correct-pci_std_resource_end-usage.patch new file mode 100644 index 00000000000..2bf0c10dc8c --- /dev/null +++ b/queue-4.9/efi-fb-correct-pci_std_resource_end-usage.patch @@ -0,0 +1,34 @@ +From aa288c63f74327a14ab0188c4def1a44b82faf36 Mon Sep 17 00:00:00 2001 +From: Bjorn Helgaas +Date: Fri, 19 May 2017 14:37:53 -0500 +Subject: efi/fb: Correct PCI_STD_RESOURCE_END usage + +[ Upstream commit 92a16c86299c64f58f320e491977408ba31b8c3c ] + +PCI_STD_RESOURCE_END is (confusingly) the index of the last valid BAR, not +the *number* of BARs. To iterate through all possible BARs, we need to +include PCI_STD_RESOURCE_END. + +Fixes: 55d728a40d36 ("efi/fb: Avoid reconfiguration of BAR that covers the framebuffer") +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/efifb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c +index 6f2e729a308f..f4b6d063a4b7 100644 +--- a/drivers/video/fbdev/efifb.c ++++ b/drivers/video/fbdev/efifb.c +@@ -375,7 +375,7 @@ static void efifb_fixup_resources(struct pci_dev *dev) + if (!base) + return; + +- for (i = 0; i < PCI_STD_RESOURCE_END; i++) { ++ for (i = 0; i <= PCI_STD_RESOURCE_END; i++) { + struct resource *res = &dev->resource[i]; + + if (!(res->flags & IORESOURCE_MEM)) +-- +2.17.1 + diff --git a/queue-4.9/elevator-fix-truncation-of-icq_cache_name.patch b/queue-4.9/elevator-fix-truncation-of-icq_cache_name.patch new file mode 100644 index 00000000000..70611e8df8b 
--- /dev/null +++ b/queue-4.9/elevator-fix-truncation-of-icq_cache_name.patch @@ -0,0 +1,52 @@ +From 132910e094a2bd544b6d36a09078df8081479c7d Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Fri, 2 Jun 2017 20:35:51 -0700 +Subject: elevator: fix truncation of icq_cache_name +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 9bd2bbc01d17ddd567cc0f81f77fe1163e497462 ] + +gcc 7.1 reports the following warning: + + block/elevator.c: In function ‘elv_register’: + block/elevator.c:898:5: warning: ‘snprintf’ output may be truncated before the last format character [-Wformat-truncation=] + "%s_io_cq", e->elevator_name); + ^~~~~~~~~~ + block/elevator.c:897:3: note: ‘snprintf’ output between 7 and 22 bytes into a destination of size 21 + snprintf(e->icq_cache_name, sizeof(e->icq_cache_name), + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + "%s_io_cq", e->elevator_name); + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The bug is that the name of the icq_cache is 6 characters longer than +the elevator name, but only ELV_NAME_MAX + 5 characters were reserved +for it --- so in the case of a maximum-length elevator name, the 'q' +character in "_io_cq" would be truncated by snprintf(). Fix it by +reserving ELV_NAME_MAX + 6 characters instead. + +Signed-off-by: Eric Biggers +Reviewed-by: Bart Van Assche +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + include/linux/elevator.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/elevator.h b/include/linux/elevator.h +index e7f358d2e5fc..eaa58c0f894b 100644 +--- a/include/linux/elevator.h ++++ b/include/linux/elevator.h +@@ -102,7 +102,7 @@ struct elevator_type + struct module *elevator_owner; + + /* managed by elevator core */ +- char icq_cache_name[ELV_NAME_MAX + 5]; /* elvname + "_io_cq" */ ++ char icq_cache_name[ELV_NAME_MAX + 6]; /* elvname + "_io_cq" */ + struct list_head list; + }; + +-- +2.17.1 + 
diff --git a/queue-4.9/enic-do-not-overwrite-error-code.patch b/queue-4.9/enic-do-not-overwrite-error-code.patch new file mode 100644 index 00000000000..746067b288f --- /dev/null +++ b/queue-4.9/enic-do-not-overwrite-error-code.patch @@ -0,0 +1,49 @@ +From 0939accd696eb0743b507c33c5e96263f936f9f1 Mon Sep 17 00:00:00 2001 +From: Govindarajulu Varadarajan +Date: Mon, 18 Jun 2018 10:01:05 -0700 +Subject: enic: do not overwrite error code + +[ Upstream commit 56f772279a762984f6e9ebbf24a7c829faba5712 ] + +In failure path, we overwrite err to what vnic_rq_disable() returns. In +case it returns 0, enic_open() returns success in case of error. + +Reported-by: Ben Hutchings +Fixes: e8588e268509 ("enic: enable rq before updating rq descriptors") +Signed-off-by: Govindarajulu Varadarajan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cisco/enic/enic_main.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c +index f314be07ec58..07282eb76867 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -1708,7 +1708,7 @@ static int enic_open(struct net_device *netdev) + { + struct enic *enic = netdev_priv(netdev); + unsigned int i; +- int err; ++ int err, ret; + + err = enic_request_intr(enic); + if (err) { +@@ -1766,10 +1766,9 @@ static int enic_open(struct net_device *netdev) + + err_out_free_rq: + for (i = 0; i < enic->rq_count; i++) { +- err = vnic_rq_disable(&enic->rq[i]); +- if (err) +- return err; +- vnic_rq_clean(&enic->rq[i], enic_free_rq_buf); ++ ret = vnic_rq_disable(&enic->rq[i]); ++ if (!ret) ++ vnic_rq_clean(&enic->rq[i], enic_free_rq_buf); + } + enic_dev_notify_unset(enic); + err_out_free_intr: +-- +2.17.1 + 
diff --git a/queue-4.9/f2fs-fix-multiple-f2fs_add_link-having-same-name-for.patch b/queue-4.9/f2fs-fix-multiple-f2fs_add_link-having-same-name-for.patch new file mode 100644 index 00000000000..477baceec41 --- /dev/null +++ b/queue-4.9/f2fs-fix-multiple-f2fs_add_link-having-same-name-for.patch 
@@ -0,0 +1,59 @@ +From 7b8e94c5df7a107d742f8267c2d2510e534af7a0 Mon Sep 17 00:00:00 2001 +From: Sheng Yong +Date: Sat, 22 Apr 2017 10:39:20 +0800 +Subject: f2fs: fix multiple f2fs_add_link() having same name for inline dentry + +[ Upstream commit d3bb910c15d75ee3340311c64a1c05985bb663a3 ] + +Commit 88c5c13a5027 (f2fs: fix multiple f2fs_add_link() calls having +same name) does not cover the scenario where inline dentry is enabled. +In that case, F2FS_I(dir)->task will be NULL, and __f2fs_add_link will +lookup dentries one more time. + +This patch fixes it by moving the assigment of current task to a upper +level to cover both normal and inline dentry. + +Cc: +Fixes: 88c5c13a5027 (f2fs: fix multiple f2fs_add_link() calls having same name) +Signed-off-by: Sheng Yong +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/dir.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c +index 8add4e8bab99..af719d93507e 100644 +--- a/fs/f2fs/dir.c ++++ b/fs/f2fs/dir.c +@@ -212,13 +212,9 @@ static struct f2fs_dir_entry *find_in_level(struct inode *dir, + f2fs_put_page(dentry_page, 0); + } + +- /* This is to increase the speed of f2fs_create */ +- if (!de && room) { +- F2FS_I(dir)->task = current; +- if (F2FS_I(dir)->chash != namehash) { +- F2FS_I(dir)->chash = namehash; +- F2FS_I(dir)->clevel = level; +- } ++ if (!de && room && F2FS_I(dir)->chash != namehash) { ++ F2FS_I(dir)->chash = namehash; ++ F2FS_I(dir)->clevel = level; + } + + return de; +@@ -259,6 +255,9 @@ struct f2fs_dir_entry *__f2fs_find_entry(struct inode *dir, + break; + } + out: ++ /* This is to increase the speed of f2fs_create */ ++ if (!de) ++ F2FS_I(dir)->task = current; + return de; + } + +-- +2.17.1 + diff --git a/queue-4.9/fs-fat-fatent.c-add-cond_resched-to-fat_count_free_c.patch b/queue-4.9/fs-fat-fatent.c-add-cond_resched-to-fat_count_free_c.patch new file mode 100644 index 00000000000..8beef33c651 
--- /dev/null +++ b/queue-4.9/fs-fat-fatent.c-add-cond_resched-to-fat_count_free_c.patch @@ -0,0 +1,36 @@ +From 7e617e9fb4cfbee429602df20c86c862e41eed32 Mon Sep 17 00:00:00 2001 +From: Khazhismel Kumykov +Date: Fri, 12 Oct 2018 21:34:40 -0700 +Subject: fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters() + +[ Upstream commit ac081c3be3fae6d0cc3e1862507fca3862d30b67 ] + +On non-preempt kernels this loop can take a long time (more than 50 ticks) +processing through entries. + +Link: http://lkml.kernel.org/r/20181010172623.57033-1-khazhy@google.com +Signed-off-by: Khazhismel Kumykov +Acked-by: OGAWA Hirofumi +Reviewed-by: Andrew Morton +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + fs/fat/fatent.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/fat/fatent.c b/fs/fat/fatent.c +index 3b7644e43796..a9cad9b60790 100644 +--- a/fs/fat/fatent.c ++++ b/fs/fat/fatent.c +@@ -681,6 +681,7 @@ int fat_count_free_clusters(struct super_block *sb) + if (ops->ent_get(&fatent) == FAT_ENT_FREE) + free++; + } while (fat_ent_next(sbi, &fatent)); ++ cond_resched(); + } + sbi->free_clusters = free; + sbi->free_clus_valid = 1; +-- +2.17.1 + diff --git a/queue-4.9/futex-futex_wake_op-do-not-fail-on-invalid-op.patch b/queue-4.9/futex-futex_wake_op-do-not-fail-on-invalid-op.patch new file mode 100644 index 00000000000..a96ac039a42 --- /dev/null +++ b/queue-4.9/futex-futex_wake_op-do-not-fail-on-invalid-op.patch 
@@ -0,0 +1,88 @@ +From 8112703f5ecc572a5632333fc3640a88eaff144b Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Mon, 23 Oct 2017 13:41:51 +0200 +Subject: futex: futex_wake_op, do not fail on invalid op + +[ Upstream commit e78c38f6bdd900b2ad9ac9df8eff58b745dc5b3c ] + +In commit 30d6e0a4190d ("futex: Remove duplicated code and fix undefined +behaviour"), I let FUTEX_WAKE_OP to fail on invalid op. Namely when op +should be considered as shift and the shift is out of range (< 0 or > 31). + +But strace's test suite does this madness: + + futex(0x7fabd78bcffc, 0x5, 0xfacefeed, 0xb, 0x7fabd78bcffc, 0xa0caffee); + futex(0x7fabd78bcffc, 0x5, 0xfacefeed, 0xb, 0x7fabd78bcffc, 0xbadfaced); + futex(0x7fabd78bcffc, 0x5, 0xfacefeed, 0xb, 0x7fabd78bcffc, 0xffffffff); + +When I pick the first 0xa0caffee, it decodes as: + + 0x80000000 & 0xa0caffee: oparg is shift + 0x70000000 & 0xa0caffee: op is FUTEX_OP_OR + 0x0f000000 & 0xa0caffee: cmp is FUTEX_OP_CMP_EQ + 0x00fff000 & 0xa0caffee: oparg is sign-extended 0xcaf = -849 + 0x00000fff & 0xa0caffee: cmparg is sign-extended 0xfee = -18 + +That means the op tries to do this: + + (futex |= (1 << (-849))) == -18 + +which is completely bogus. The new check of op in the code is: + + if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) { + if (oparg < 0 || oparg > 31) + return -EINVAL; + oparg = 1 << oparg; + } + +which results obviously in the "Invalid argument" errno: + + FAIL: futex + =========== + + futex(0x7fabd78bcffc, 0x5, 0xfacefeed, 0xb, 0x7fabd78bcffc, 0xa0caffee) = -1: Invalid argument + futex.test: failed test: ../futex failed with code 1 + +So let us soften the failure to print only a (ratelimited) message, crop +the value and continue as if it were right. When userspace keeps up, we +can switch this to return -EINVAL again. + +[v2] Do not return 0 immediatelly, proceed with the cropped value. 
+ +Fixes: 30d6e0a4190d ("futex: Remove duplicated code and fix undefined behaviour") +Signed-off-by: Jiri Slaby +Cc: Ingo Molnar +Cc: Peter Zijlstra +Cc: Darren Hart +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/futex.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/kernel/futex.c b/kernel/futex.c +index c3ea6f2a6997..053d7be08be5 100644 +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -1467,8 +1467,16 @@ static int futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr) + int oldval, ret; + + if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) { +- if (oparg < 0 || oparg > 31) +- return -EINVAL; ++ if (oparg < 0 || oparg > 31) { ++ char comm[sizeof(current->comm)]; ++ /* ++ * kill this print and return -EINVAL when userspace ++ * is sane again ++ */ ++ pr_info_ratelimited("futex_wake_op: %s tries to shift op by %d; fix this program\n", ++ get_task_comm(comm, current), oparg); ++ oparg &= 31; ++ } + oparg = 1 << oparg; + } + +-- +2.17.1 + diff --git a/queue-4.9/gpu-ipu-v3-fix-csi-selection-for-vdic.patch b/queue-4.9/gpu-ipu-v3-fix-csi-selection-for-vdic.patch new file mode 100644 index 00000000000..9fd2ef840ac --- /dev/null +++ b/queue-4.9/gpu-ipu-v3-fix-csi-selection-for-vdic.patch 
@@ -0,0 +1,56 @@ +From eda51c701e42f2395914c9494ef3bdb0aac21460 Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Sat, 3 Jun 2017 11:57:21 -0700 +Subject: gpu: ipu-v3: Fix CSI selection for VDIC + +[ Upstream commit b7dfee2433576f1f030cb84cdb04b70f36554992 ] + +The description of the CSI_SEL bit in the i.MX6 reference manual is +incorrect. It states "This bit defines which CSI is the input to the +IC. This bit is effective only if IC_INPUT is bit cleared". + +From experiment it was found this is in fact not correct. The CSI_SEL +bit selects which CSI is input to _both_ the VDIC _and_ the IC. If the +IC_INPUT bit is set so that the IC is receiving from the VDIC, the IC +ignores the CSI_SEL bit, but CSI_SEL still selects which CSI the VDIC +receives from in that case. + +Signed-off-by: Marek Vasut +Signed-off-by: Steve Longerbeam +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/gpu/ipu-v3/ipu-common.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c +index b9539f7c5e9a..99c813a4ec1f 100644 +--- a/drivers/gpu/ipu-v3/ipu-common.c ++++ b/drivers/gpu/ipu-v3/ipu-common.c +@@ -715,15 +715,16 @@ void ipu_set_ic_src_mux(struct ipu_soc *ipu, int csi_id, bool vdi) + spin_lock_irqsave(&ipu->lock, flags); + + val = ipu_cm_read(ipu, IPU_CONF); +- if (vdi) { ++ if (vdi) + val |= IPU_CONF_IC_INPUT; +- } else { ++ else + val &= ~IPU_CONF_IC_INPUT; +- if (csi_id == 1) +- val |= IPU_CONF_CSI_SEL; +- else +- val &= ~IPU_CONF_CSI_SEL; +- } ++ ++ if (csi_id == 1) ++ val |= IPU_CONF_CSI_SEL; ++ else ++ val &= ~IPU_CONF_CSI_SEL; ++ + ipu_cm_write(ipu, val, IPU_CONF); + + spin_unlock_irqrestore(&ipu->lock, flags); +-- +2.17.1 + diff --git a/queue-4.9/i2c-bcm2835-avoid-possible-null-ptr-dereference.patch b/queue-4.9/i2c-bcm2835-avoid-possible-null-ptr-dereference.patch new file mode 100644 index 00000000000..c0f0984bce7 --- /dev/null 
+++ b/queue-4.9/i2c-bcm2835-avoid-possible-null-ptr-dereference.patch @@ -0,0 +1,45 @@ +From 7263cf2f55935fb90e6cc5fe6c4dc3868c3cc8ae Mon Sep 17 00:00:00 2001 +From: Stefan Wahren +Date: Thu, 16 Feb 2017 21:20:45 +0000 +Subject: i2c: bcm2835: Avoid possible NULL ptr dereference +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit ababb08938df7ac245d30a58b95b94ecf8dc04fc ] + +Since commit e2474541032d ("bcm2835: Fix hang for writing messages +larger than 16 bytes") the interrupt handler is prone to a possible +NULL pointer dereference. This could happen if an interrupt fires +before curr_msg is set by bcm2835_i2c_xfer_msg() and randomly occurs +on the RPi 3. Even this is an unexpected behavior the driver must +handle that with an error instead of a crash. + +Reported-by: Peter Robinson +Fixes: e2474541032d ("bcm2835: Fix hang for writing messages larger than 16 bytes") +Signed-off-by: Stefan Wahren +Acked-by: Noralf Trønnes +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-bcm2835.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-bcm2835.c b/drivers/i2c/busses/i2c-bcm2835.c +index f283b714aa79..7ed09865cb4b 100644 +--- a/drivers/i2c/busses/i2c-bcm2835.c ++++ b/drivers/i2c/busses/i2c-bcm2835.c +@@ -128,7 +128,9 @@ static irqreturn_t bcm2835_i2c_isr(int this_irq, void *data) + } + + if (val & BCM2835_I2C_S_DONE) { +- if (i2c_dev->curr_msg->flags & I2C_M_RD) { ++ if (!i2c_dev->curr_msg) { ++ dev_err(i2c_dev->dev, "Got unexpected interrupt (from firmware?)\n"); ++ } else if (i2c_dev->curr_msg->flags & I2C_M_RD) { + bcm2835_drain_rxfifo(i2c_dev); + val = bcm2835_i2c_readl(i2c_dev, BCM2835_I2C_S); + } +-- +2.17.1 + diff --git a/queue-4.9/i40e-avoid-nvm-acquire-deadlock-during-nvm-update.patch b/queue-4.9/i40e-avoid-nvm-acquire-deadlock-during-nvm-update.patch new file mode 100644 index 00000000000..0a0d371a5fb --- /dev/null 
+++ b/queue-4.9/i40e-avoid-nvm-acquire-deadlock-during-nvm-update.patch 
@@ -0,0 +1,262 @@ +From 4b49f448567d42ab59c970883b1e59bc8d4b4b00 Mon Sep 17 00:00:00 2001 +From: Anjali Singhai Jain +Date: Fri, 1 Sep 2017 13:42:49 -0700 +Subject: i40e: avoid NVM acquire deadlock during NVM update + +[ Upstream commit 09f79fd49d94cda5837e9bfd0cb222232b3b6d9f ] + +X722 devices use the AdminQ to access the NVM, and this requires taking +the AdminQ lock. Because of this, we lock the AdminQ during +i40e_read_nvm(), which is also called in places where the lock is +already held, such as the firmware update path which wants to lock once +and then unlock when finished after performing several tasks. + +Although this should have only affected X722 devices, commit +96a39aed25e6 ("i40e: Acquire NVM lock before reads on all devices", +2016-12-02) added locking for all NVM reads, regardless of device +family. + +This resulted in us accidentally causing NVM acquire timeouts on all +devices, causing failed firmware updates which left the eeprom in +a corrupt state. + +Create unsafe non-locked variants of i40e_read_nvm_word and +i40e_read_nvm_buffer, __i40e_read_nvm_word and __i40e_read_nvm_buffer +respectively. These variants will not take the NVM lock and are expected +to only be called in places where the NVM lock is already held if +needed. + +Since the only caller of i40e_read_nvm_buffer() was in such a path, +remove it entirely in favor of the unsafe version. If necessary we can +always add it back in the future. + +Additionally, we now need to hold the NVM lock in i40e_validate_checksum +because the call to i40e_calc_nvm_checksum now assumes that the NVM lock +is held. We can further move the call to read I40E_SR_SW_CHECKSUM_WORD +up a bit so that we do not need to acquire the NVM lock twice. + +This should resolve firmware updates and also fix potential raise that +could have caused the driver to report an invalid NVM checksum upon +driver load. 
+ +Reported-by: Stefan Assmann +Fixes: 96a39aed25e6 ("i40e: Acquire NVM lock before reads on all devices", 2016-12-02) +Signed-off-by: Anjali Singhai Jain +Signed-off-by: Jacob Keller +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_nvm.c | 98 ++++++++++++------- + .../net/ethernet/intel/i40e/i40e_prototype.h | 2 - + 2 files changed, 60 insertions(+), 40 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_nvm.c b/drivers/net/ethernet/intel/i40e/i40e_nvm.c +index abe290bfc638..8408682efd86 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_nvm.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_nvm.c +@@ -266,7 +266,7 @@ static i40e_status i40e_read_nvm_aq(struct i40e_hw *hw, u8 module_pointer, + * @offset: offset of the Shadow RAM word to read (0x000000 - 0x001FFF) + * @data: word read from the Shadow RAM + * +- * Reads one 16 bit word from the Shadow RAM using the GLNVM_SRCTL register. ++ * Reads one 16 bit word from the Shadow RAM using the AdminQ + **/ + static i40e_status i40e_read_nvm_word_aq(struct i40e_hw *hw, u16 offset, + u16 *data) +@@ -280,27 +280,49 @@ static i40e_status i40e_read_nvm_word_aq(struct i40e_hw *hw, u16 offset, + } + + /** +- * i40e_read_nvm_word - Reads Shadow RAM ++ * __i40e_read_nvm_word - Reads nvm word, assumes called does the locking + * @hw: pointer to the HW structure + * @offset: offset of the Shadow RAM word to read (0x000000 - 0x001FFF) + * @data: word read from the Shadow RAM + * +- * Reads one 16 bit word from the Shadow RAM using the GLNVM_SRCTL register. ++ * Reads one 16 bit word from the Shadow RAM. ++ * ++ * Do not use this function except in cases where the nvm lock is already ++ * taken via i40e_acquire_nvm(). 
++ **/ ++static i40e_status __i40e_read_nvm_word(struct i40e_hw *hw, ++ u16 offset, u16 *data) ++{ ++ i40e_status ret_code = 0; ++ ++ if (hw->flags & I40E_HW_FLAG_AQ_SRCTL_ACCESS_ENABLE) ++ ret_code = i40e_read_nvm_word_aq(hw, offset, data); ++ else ++ ret_code = i40e_read_nvm_word_srctl(hw, offset, data); ++ return ret_code; ++} ++ ++/** ++ * i40e_read_nvm_word - Reads nvm word and acquire lock if necessary ++ * @hw: pointer to the HW structure ++ * @offset: offset of the Shadow RAM word to read (0x000000 - 0x001FFF) ++ * @data: word read from the Shadow RAM ++ * ++ * Reads one 16 bit word from the Shadow RAM. + **/ + i40e_status i40e_read_nvm_word(struct i40e_hw *hw, u16 offset, + u16 *data) + { +- enum i40e_status_code ret_code = 0; ++ i40e_status ret_code = 0; + + ret_code = i40e_acquire_nvm(hw, I40E_RESOURCE_READ); +- if (!ret_code) { +- if (hw->flags & I40E_HW_FLAG_AQ_SRCTL_ACCESS_ENABLE) { +- ret_code = i40e_read_nvm_word_aq(hw, offset, data); +- } else { +- ret_code = i40e_read_nvm_word_srctl(hw, offset, data); +- } +- i40e_release_nvm(hw); +- } ++ if (ret_code) ++ return ret_code; ++ ++ ret_code = __i40e_read_nvm_word(hw, offset, data); ++ ++ i40e_release_nvm(hw); ++ + return ret_code; + } + +@@ -393,31 +415,25 @@ read_nvm_buffer_aq_exit: + } + + /** +- * i40e_read_nvm_buffer - Reads Shadow RAM buffer ++ * __i40e_read_nvm_buffer - Reads nvm buffer, caller must acquire lock + * @hw: pointer to the HW structure + * @offset: offset of the Shadow RAM word to read (0x000000 - 0x001FFF). + * @words: (in) number of words to read; (out) number of words actually read + * @data: words read from the Shadow RAM + * + * Reads 16 bit words (data buffer) from the SR using the i40e_read_nvm_srrd() +- * method. The buffer read is preceded by the NVM ownership take +- * and followed by the release. ++ * method. 
+ **/ +-i40e_status i40e_read_nvm_buffer(struct i40e_hw *hw, u16 offset, +- u16 *words, u16 *data) ++static i40e_status __i40e_read_nvm_buffer(struct i40e_hw *hw, ++ u16 offset, u16 *words, ++ u16 *data) + { +- enum i40e_status_code ret_code = 0; ++ i40e_status ret_code = 0; + +- if (hw->flags & I40E_HW_FLAG_AQ_SRCTL_ACCESS_ENABLE) { +- ret_code = i40e_acquire_nvm(hw, I40E_RESOURCE_READ); +- if (!ret_code) { +- ret_code = i40e_read_nvm_buffer_aq(hw, offset, words, +- data); +- i40e_release_nvm(hw); +- } +- } else { ++ if (hw->flags & I40E_HW_FLAG_AQ_SRCTL_ACCESS_ENABLE) ++ ret_code = i40e_read_nvm_buffer_aq(hw, offset, words, data); ++ else + ret_code = i40e_read_nvm_buffer_srctl(hw, offset, words, data); +- } + return ret_code; + } + +@@ -499,15 +515,15 @@ static i40e_status i40e_calc_nvm_checksum(struct i40e_hw *hw, + data = (u16 *)vmem.va; + + /* read pointer to VPD area */ +- ret_code = i40e_read_nvm_word(hw, I40E_SR_VPD_PTR, &vpd_module); ++ ret_code = __i40e_read_nvm_word(hw, I40E_SR_VPD_PTR, &vpd_module); + if (ret_code) { + ret_code = I40E_ERR_NVM_CHECKSUM; + goto i40e_calc_nvm_checksum_exit; + } + + /* read pointer to PCIe Alt Auto-load module */ +- ret_code = i40e_read_nvm_word(hw, I40E_SR_PCIE_ALT_AUTO_LOAD_PTR, +- &pcie_alt_module); ++ ret_code = __i40e_read_nvm_word(hw, I40E_SR_PCIE_ALT_AUTO_LOAD_PTR, ++ &pcie_alt_module); + if (ret_code) { + ret_code = I40E_ERR_NVM_CHECKSUM; + goto i40e_calc_nvm_checksum_exit; +@@ -521,7 +537,7 @@ static i40e_status i40e_calc_nvm_checksum(struct i40e_hw *hw, + if ((i % I40E_SR_SECTOR_SIZE_IN_WORDS) == 0) { + u16 words = I40E_SR_SECTOR_SIZE_IN_WORDS; + +- ret_code = i40e_read_nvm_buffer(hw, i, &words, data); ++ ret_code = __i40e_read_nvm_buffer(hw, i, &words, data); + if (ret_code) { + ret_code = I40E_ERR_NVM_CHECKSUM; + goto i40e_calc_nvm_checksum_exit; +@@ -593,14 +609,19 @@ i40e_status i40e_validate_nvm_checksum(struct i40e_hw *hw, + u16 checksum_sr = 0; + u16 checksum_local = 0; + ++ /* We must acquire the NVM lock 
in order to correctly synchronize the ++ * NVM accesses across multiple PFs. Without doing so it is possible ++ * for one of the PFs to read invalid data potentially indicating that ++ * the checksum is invalid. ++ */ ++ ret_code = i40e_acquire_nvm(hw, I40E_RESOURCE_READ); ++ if (ret_code) ++ return ret_code; + ret_code = i40e_calc_nvm_checksum(hw, &checksum_local); ++ __i40e_read_nvm_word(hw, I40E_SR_SW_CHECKSUM_WORD, &checksum_sr); ++ i40e_release_nvm(hw); + if (ret_code) +- goto i40e_validate_nvm_checksum_exit; +- +- /* Do not use i40e_read_nvm_word() because we do not want to take +- * the synchronization semaphores twice here. +- */ +- i40e_read_nvm_word(hw, I40E_SR_SW_CHECKSUM_WORD, &checksum_sr); ++ return ret_code; + + /* Verify read checksum from EEPROM is the same as + * calculated checksum +@@ -612,7 +633,6 @@ i40e_status i40e_validate_nvm_checksum(struct i40e_hw *hw, + if (checksum) + *checksum = checksum_local; + +-i40e_validate_nvm_checksum_exit: + return ret_code; + } + +@@ -986,6 +1006,7 @@ retry: + break; + + case I40E_NVMUPD_CSUM_CON: ++ /* Assumes the caller has acquired the nvm */ + status = i40e_update_nvm_checksum(hw); + if (status) { + *perrno = hw->aq.asq_last_status ? +@@ -1000,6 +1021,7 @@ retry: + break; + + case I40E_NVMUPD_CSUM_LCB: ++ /* Assumes the caller has acquired the nvm */ + status = i40e_update_nvm_checksum(hw); + if (status) { + *perrno = hw->aq.asq_last_status ? 
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_prototype.h b/drivers/net/ethernet/intel/i40e/i40e_prototype.h +index 4660c5abc855..6b364118badd 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_prototype.h ++++ b/drivers/net/ethernet/intel/i40e/i40e_prototype.h +@@ -311,8 +311,6 @@ i40e_status i40e_acquire_nvm(struct i40e_hw *hw, + void i40e_release_nvm(struct i40e_hw *hw); + i40e_status i40e_read_nvm_word(struct i40e_hw *hw, u16 offset, + u16 *data); +-i40e_status i40e_read_nvm_buffer(struct i40e_hw *hw, u16 offset, +- u16 *words, u16 *data); + i40e_status i40e_update_nvm_checksum(struct i40e_hw *hw); + i40e_status i40e_validate_nvm_checksum(struct i40e_hw *hw, + u16 *checksum); +-- +2.17.1 + diff --git a/queue-4.9/ib-core-fix-the-validations-of-a-multicast-lid-in-at.patch b/queue-4.9/ib-core-fix-the-validations-of-a-multicast-lid-in-at.patch new file mode 100644 index 00000000000..035c40ac60a --- /dev/null +++ b/queue-4.9/ib-core-fix-the-validations-of-a-multicast-lid-in-at.patch 
@@ -0,0 +1,99 @@ +From 1160b186c7b541636ef75e26b80a8abf7fde1dfb Mon Sep 17 00:00:00 2001 +From: Noa Osherovich +Date: Mon, 12 Jun 2017 11:14:02 +0300 +Subject: IB/core: Fix the validations of a multicast LID in attach or detach + operations + +[ Upstream commit 5236333592244557a19694a51337df6ac018f0a7 ] + +RoCE Annex (A16.9.10/11) declares that during attach (detach) QP to a +multicast group, if the QP is associated with a RoCE port, the +multicast group MLID is unused and is ignored. + +During attach or detach multicast, when the QP is associated with a +port, it is enough to check the port's link layer and validate the +LID only if it is Infiniband. Otherwise, avoid validating the +multicast LID. + +Fixes: 8561eae60ff9 ("IB/core: For multicast functions, verify that LIDs are multicast LIDs") +Signed-off-by: Noa Osherovich +Reviewed-by: Moni Shoua +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/verbs.c | 44 ++++++++++++++++++++++++++++++--- + 1 file changed, 40 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c +index 0e64b52af5b2..d28c4cf7c1ee 100644 +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -1510,6 +1510,44 @@ EXPORT_SYMBOL(ib_dealloc_fmr); + + /* Multicast groups */ + ++static bool is_valid_mcast_lid(struct ib_qp *qp, u16 lid) ++{ ++ struct ib_qp_init_attr init_attr = {}; ++ struct ib_qp_attr attr = {}; ++ int num_eth_ports = 0; ++ int port; ++ ++ /* If QP state >= init, it is assigned to a port and we can check this ++ * port only. 
++ */ ++ if (!ib_query_qp(qp, &attr, IB_QP_STATE | IB_QP_PORT, &init_attr)) { ++ if (attr.qp_state >= IB_QPS_INIT) { ++ if (qp->device->get_link_layer(qp->device, attr.port_num) != ++ IB_LINK_LAYER_INFINIBAND) ++ return true; ++ goto lid_check; ++ } ++ } ++ ++ /* Can't get a quick answer, iterate over all ports */ ++ for (port = 0; port < qp->device->phys_port_cnt; port++) ++ if (qp->device->get_link_layer(qp->device, port) != ++ IB_LINK_LAYER_INFINIBAND) ++ num_eth_ports++; ++ ++ /* If we have at lease one Ethernet port, RoCE annex declares that ++ * multicast LID should be ignored. We can't tell at this step if the ++ * QP belongs to an IB or Ethernet port. ++ */ ++ if (num_eth_ports) ++ return true; ++ ++ /* If all the ports are IB, we can check according to IB spec. */ ++lid_check: ++ return !(lid < be16_to_cpu(IB_MULTICAST_LID_BASE) || ++ lid == be16_to_cpu(IB_LID_PERMISSIVE)); ++} ++ + int ib_attach_mcast(struct ib_qp *qp, union ib_gid *gid, u16 lid) + { + int ret; +@@ -1517,8 +1555,7 @@ int ib_attach_mcast(struct ib_qp *qp, union ib_gid *gid, u16 lid) + if (!qp->device->attach_mcast) + return -ENOSYS; + if (gid->raw[0] != 0xff || qp->qp_type != IB_QPT_UD || +- lid < be16_to_cpu(IB_MULTICAST_LID_BASE) || +- lid == be16_to_cpu(IB_LID_PERMISSIVE)) ++ !is_valid_mcast_lid(qp, lid)) + return -EINVAL; + + ret = qp->device->attach_mcast(qp, gid, lid); +@@ -1535,8 +1572,7 @@ int ib_detach_mcast(struct ib_qp *qp, union ib_gid *gid, u16 lid) + if (!qp->device->detach_mcast) + return -ENOSYS; + if (gid->raw[0] != 0xff || qp->qp_type != IB_QPT_UD || +- lid < be16_to_cpu(IB_MULTICAST_LID_BASE) || +- lid == be16_to_cpu(IB_LID_PERMISSIVE)) ++ !is_valid_mcast_lid(qp, lid)) + return -EINVAL; + + ret = qp->device->detach_mcast(qp, gid, lid); +-- +2.17.1 + diff --git a/queue-4.9/ib-ipoib-do-not-warn-if-ipoib-debugfs-doesn-t-exist.patch b/queue-4.9/ib-ipoib-do-not-warn-if-ipoib-debugfs-doesn-t-exist.patch new file mode 100644 index 00000000000..af6e5272084 --- /dev/null 
+++ b/queue-4.9/ib-ipoib-do-not-warn-if-ipoib-debugfs-doesn-t-exist.patch @@ -0,0 +1,40 @@ +From 9236edc16bee49b0dfea6270e5464104c516d144 Mon Sep 17 00:00:00 2001 +From: Alaa Hleihel +Date: Tue, 13 Feb 2018 12:18:27 +0200 +Subject: IB/ipoib: Do not warn if IPoIB debugfs doesn't exist + +[ Upstream commit 14fa91e0fef8e4d6feb8b1fa2a807828e0abe815 ] + +netdev_wait_allrefs() could rebroadcast NETDEV_UNREGISTER event +multiple times until all refs are gone, which will result in calling +ipoib_delete_debug_files multiple times and printing a warning. + +Remove the WARN_ONCE since checks of NULL pointers before calling +debugfs_remove are not needed. + +Fixes: 771a52584096 ("IB/IPoIB: ibX: failed to create mcg debug file") +Signed-off-by: Alaa Hleihel +Signed-off-by: Leon Romanovsky +Reviewed-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/ipoib/ipoib_fs.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_fs.c b/drivers/infiniband/ulp/ipoib/ipoib_fs.c +index 09396bd7b02d..63be3bcdc0e3 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_fs.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_fs.c +@@ -281,8 +281,6 @@ void ipoib_delete_debug_files(struct net_device *dev) + { + struct ipoib_dev_priv *priv = netdev_priv(dev); + +- WARN_ONCE(!priv->mcg_dentry, "null mcg debug file\n"); +- WARN_ONCE(!priv->path_dentry, "null path debug file\n"); + debugfs_remove(priv->mcg_dentry); + debugfs_remove(priv->path_dentry); + priv->mcg_dentry = priv->path_dentry = NULL; +-- +2.17.1 + diff --git a/queue-4.9/ib-ipoib-fix-lockdep-issue-found-on-ipoib_ib_dev_hea.patch b/queue-4.9/ib-ipoib-fix-lockdep-issue-found-on-ipoib_ib_dev_hea.patch new file mode 100644 index 00000000000..e02e51733db --- /dev/null +++ b/queue-4.9/ib-ipoib-fix-lockdep-issue-found-on-ipoib_ib_dev_hea.patch 
@@ -0,0 +1,103 @@ +From 8201a4ca437e67c641cca727e9fe750c91787da0 Mon Sep 17 00:00:00 2001 +From: Alex Vesker +Date: Thu, 21 Dec 2017 17:38:27 +0200 +Subject: IB/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush + +[ Upstream commit 1f80bd6a6cc8358b81194e1f5fc16449947396ec ] + +The locking order of vlan_rwsem (LOCK A) and then rtnl (LOCK B), +contradicts other flows such as ipoib_open possibly causing a deadlock. +To prevent this deadlock heavy flush is called with RTNL locked and +only then tries to acquire vlan_rwsem. +This deadlock is possible only when there are child interfaces. + +[ 140.941758] ====================================================== +[ 140.946276] WARNING: possible circular locking dependency detected +[ 140.950950] 4.15.0-rc1+ #9 Tainted: G O +[ 140.954797] ------------------------------------------------------ +[ 140.959424] kworker/u32:1/146 is trying to acquire lock: +[ 140.963450] (rtnl_mutex){+.+.}, at: [] __ipoib_ib_dev_flush+0x2da/0x4e0 [ib_ipoib] +[ 140.970006] +but task is already holding lock: +[ 140.975141] (&priv->vlan_rwsem){++++}, at: [] __ipoib_ib_dev_flush+0x51/0x4e0 [ib_ipoib] +[ 140.982105] +which lock already depends on the new lock. 
+[ 140.990023] +the existing dependency chain (in reverse order) is: +[ 140.998650] +-> #1 (&priv->vlan_rwsem){++++}: +[ 141.005276] down_read+0x4d/0xb0 +[ 141.009560] ipoib_open+0xad/0x120 [ib_ipoib] +[ 141.014400] __dev_open+0xcb/0x140 +[ 141.017919] __dev_change_flags+0x1a4/0x1e0 +[ 141.022133] dev_change_flags+0x23/0x60 +[ 141.025695] devinet_ioctl+0x704/0x7d0 +[ 141.029156] sock_do_ioctl+0x20/0x50 +[ 141.032526] sock_ioctl+0x221/0x300 +[ 141.036079] do_vfs_ioctl+0xa6/0x6d0 +[ 141.039656] SyS_ioctl+0x74/0x80 +[ 141.042811] entry_SYSCALL_64_fastpath+0x1f/0x96 +[ 141.046891] +-> #0 (rtnl_mutex){+.+.}: +[ 141.051701] lock_acquire+0xd4/0x220 +[ 141.055212] __mutex_lock+0x88/0x970 +[ 141.058631] __ipoib_ib_dev_flush+0x2da/0x4e0 [ib_ipoib] +[ 141.063160] __ipoib_ib_dev_flush+0x71/0x4e0 [ib_ipoib] +[ 141.067648] process_one_work+0x1f5/0x610 +[ 141.071429] worker_thread+0x4a/0x3f0 +[ 141.074890] kthread+0x141/0x180 +[ 141.078085] ret_from_fork+0x24/0x30 +[ 141.081559] + +other info that might help us debug this: +[ 141.088967] Possible unsafe locking scenario: +[ 141.094280] CPU0 CPU1 +[ 141.097953] ---- ---- +[ 141.101640] lock(&priv->vlan_rwsem); +[ 141.104771] lock(rtnl_mutex); +[ 141.109207] lock(&priv->vlan_rwsem); +[ 141.114032] lock(rtnl_mutex); +[ 141.116800] + *** DEADLOCK *** + +Fixes: b4b678b06f6e ("IB/ipoib: Grab rtnl lock on heavy flush when calling ndo_open/stop") +Signed-off-by: Alex Vesker +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/ipoib/ipoib_ib.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_ib.c b/drivers/infiniband/ulp/ipoib/ipoib_ib.c +index 34122c96522b..3dd5bf6c6c7a 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c +@@ -1190,13 +1190,10 @@ static void __ipoib_ib_dev_flush(struct ipoib_dev_priv *priv, + ipoib_ib_dev_down(dev); + + if (level == 
IPOIB_FLUSH_HEAVY) { +- rtnl_lock(); + if (test_bit(IPOIB_FLAG_INITIALIZED, &priv->flags)) + ipoib_ib_dev_stop(dev); + +- result = ipoib_ib_dev_open(dev); +- rtnl_unlock(); +- if (result) ++ if (ipoib_ib_dev_open(dev)) + return; + + if (netif_queue_stopped(dev)) +@@ -1236,7 +1233,9 @@ void ipoib_ib_dev_flush_heavy(struct work_struct *work) + struct ipoib_dev_priv *priv = + container_of(work, struct ipoib_dev_priv, flush_heavy); + ++ rtnl_lock(); + __ipoib_ib_dev_flush(priv, IPOIB_FLUSH_HEAVY, 0); ++ rtnl_unlock(); + } + + void ipoib_ib_dev_cleanup(struct net_device *dev) +-- +2.17.1 + diff --git a/queue-4.9/ib-mlx4-fix-an-error-handling-path-in-mlx4_ib_rereg_.patch b/queue-4.9/ib-mlx4-fix-an-error-handling-path-in-mlx4_ib_rereg_.patch new file mode 100644 index 00000000000..8470737251a --- /dev/null +++ b/queue-4.9/ib-mlx4-fix-an-error-handling-path-in-mlx4_ib_rereg_.patch 
@@ -0,0 +1,39 @@ +From caedcc8038e8c5ffd2685d5a15beacafb5652b73 Mon Sep 17 00:00:00 2001 +From: Christophe Jaillet +Date: Mon, 11 Jun 2018 20:15:11 +0200 +Subject: IB/mlx4: Fix an error handling path in 'mlx4_ib_rereg_user_mr()' + +[ Upstream commit 3dc7c7badb7502ec3e3aa817a8bdd9e53aa54c52 ] + +Before returning -EPERM we should release some resources, as already done +in the other error handling path of the function. + +Fixes: d8f9cc328c88 ("IB/mlx4: Mark user MR as writable if actual virtual memory is writable") +Signed-off-by: Christophe JAILLET +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/mr.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx4/mr.c b/drivers/infiniband/hw/mlx4/mr.c +index 0d4878efd643..ddd3182138ac 100644 +--- a/drivers/infiniband/hw/mlx4/mr.c ++++ b/drivers/infiniband/hw/mlx4/mr.c +@@ -247,8 +247,11 @@ int mlx4_ib_rereg_user_mr(struct ib_mr *mr, int flags, + } + + if (flags & IB_MR_REREG_ACCESS) { +- if (ib_access_writable(mr_access_flags) && !mmr->umem->writable) +- return -EPERM; ++ if (ib_access_writable(mr_access_flags) && ++ !mmr->umem->writable) { ++ err = -EPERM; ++ goto release_mpt_entry; ++ } + + err = mlx4_mr_hw_change_access(dev->dev, *pmpt_entry, + convert_access(mr_access_flags)); +-- +2.17.1 + diff --git a/queue-4.9/ib-mlx5-avoid-passing-an-invalid-qp-type-to-firmware.patch b/queue-4.9/ib-mlx5-avoid-passing-an-invalid-qp-type-to-firmware.patch new file mode 100644 index 00000000000..2e9ccad3271 --- /dev/null +++ b/queue-4.9/ib-mlx5-avoid-passing-an-invalid-qp-type-to-firmware.patch 
@@ -0,0 +1,60 @@ +From c47b9eb6973dc055abec524095dbee90a0873657 Mon Sep 17 00:00:00 2001 +From: Noa Osherovich +Date: Sun, 25 Feb 2018 13:39:51 +0200 +Subject: IB/mlx5: Avoid passing an invalid QP type to firmware + +[ Upstream commit e7b169f34403becd3c9fd3b6e46614ab788f2187 ] + +During QP creation, the mlx5 driver translates the QP type to an +internal value which is passed on to FW. There was no check to make +sure that the translated value is valid, and -EINVAL was coerced into +the mailbox command. + +Current firmware refuses this as an invalid QP type, but future/past +firmware may do something else. + +Fixes: 09a7d9eca1a6c ('{net,IB}/mlx5: QP/XRCD commands via mlx5 ifc') +Reviewed-by: Ilya Lesokhin +Signed-off-by: Noa Osherovich +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/qp.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c +index abb47e780070..f8f7a2191b98 100644 +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ b/drivers/infiniband/hw/mlx5/qp.c +@@ -1523,6 +1523,7 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd, + u32 uidx = MLX5_IB_DEFAULT_UIDX; + struct mlx5_ib_create_qp ucmd; + struct mlx5_ib_qp_base *base; ++ int mlx5_st; + void *qpc; + u32 *in; + int err; +@@ -1538,6 +1539,10 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd, + spin_lock_init(&qp->sq.lock); + spin_lock_init(&qp->rq.lock); + ++ mlx5_st = to_mlx5_st(init_attr->qp_type); ++ if (mlx5_st < 0) ++ return -EINVAL; ++ + if (init_attr->rwq_ind_tbl) { + if (!udata) + return -ENOSYS; +@@ -1665,7 +1670,7 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd, + + qpc = MLX5_ADDR_OF(create_qp_in, in, qpc); + +- MLX5_SET(qpc, qpc, st, to_mlx5_st(init_attr->qp_type)); ++ MLX5_SET(qpc, qpc, st, mlx5_st); + MLX5_SET(qpc, qpc, pm_state, MLX5_QP_PM_MIGRATED); + + if 
(init_attr->qp_type != MLX5_IB_QPT_REG_UMR) +-- +2.17.1 + diff --git a/queue-4.9/ib-rxe-put-the-pool-on-allocation-failure.patch b/queue-4.9/ib-rxe-put-the-pool-on-allocation-failure.patch new file mode 100644 index 00000000000..62f1c5a309e --- /dev/null +++ b/queue-4.9/ib-rxe-put-the-pool-on-allocation-failure.patch 
@@ -0,0 +1,60 @@ +From 027918605e719867a162666a40c529d85d7e7c78 Mon Sep 17 00:00:00 2001 +From: Doug Ledford +Date: Mon, 9 Oct 2017 09:11:32 -0400 +Subject: IB/rxe: put the pool on allocation failure + +[ Upstream commit 6b9f8970cd30929cb6b372fa44fa66da9e59c650 ] + +If the allocation of elem fails, it is not sufficient to simply check +for NULL and return. We need to also put our reference on the pool or +else we will leave the pool with a permanent ref count and we will never +be able to free it. + +Fixes: 4831ca9e4a8e ("IB/rxe: check for allocation failure on elem") +Suggested-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_pool.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_pool.c b/drivers/infiniband/sw/rxe/rxe_pool.c +index 1c4e5b2e6835..527ca662da69 100644 +--- a/drivers/infiniband/sw/rxe/rxe_pool.c ++++ b/drivers/infiniband/sw/rxe/rxe_pool.c +@@ -402,23 +402,25 @@ void *rxe_alloc(struct rxe_pool *pool) + + kref_get(&pool->rxe->ref_cnt); + +- if (atomic_inc_return(&pool->num_elem) > pool->max_elem) { +- atomic_dec(&pool->num_elem); +- rxe_dev_put(pool->rxe); +- rxe_pool_put(pool); +- return NULL; +- } ++ if (atomic_inc_return(&pool->num_elem) > pool->max_elem) ++ goto out_put_pool; + + elem = kmem_cache_zalloc(pool_cache(pool), + (pool->flags & RXE_POOL_ATOMIC) ? + GFP_ATOMIC : GFP_KERNEL); + if (!elem) +- return NULL; ++ goto out_put_pool; + + elem->pool = pool; + kref_init(&elem->ref_cnt); + + return elem; ++ ++out_put_pool: ++ atomic_dec(&pool->num_elem); ++ rxe_dev_put(pool->rxe); ++ rxe_pool_put(pool); ++ return NULL; + } + + void rxe_elem_release(struct kref *kref) +-- +2.17.1 + diff --git a/queue-4.9/igb-remove-superfluous-reset-to-phy-and-page-0-selec.patch b/queue-4.9/igb-remove-superfluous-reset-to-phy-and-page-0-selec.patch new file mode 100644 index 00000000000..27a06360d90 --- /dev/null 
+++ b/queue-4.9/igb-remove-superfluous-reset-to-phy-and-page-0-selec.patch 
@@ -0,0 +1,89 @@ +From cbd4db989af0a1d4b85c047efd5bdb4b133da291 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20Gr=C3=B6nke?= +Date: Tue, 26 Jun 2018 10:12:18 +0000 +Subject: igb: Remove superfluous reset to PHY and page 0 selection +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 2a83fba6cae89dd9c0625e68ff8ffff791c67ac0 ] + +This patch reverts two previous applied patches to fix an issue +that appeared when using SGMII based SFP modules. In the current +state the driver will try to reset the PHY before obtaining the +phy_addr of the SGMII attached PHY. That leads to an error in +e1000_write_phy_reg_sgmii_82575. Causing the initialization to +fail: + + igb: Intel(R) Gigabit Ethernet Network Driver - version 5.4.0-k + igb: Copyright (c) 2007-2014 Intel Corporation. + igb: probe of ????:??:??.? failed with error -3 + +The patches being reverted are: + + commit 182785335447957409282ca745aa5bc3968facee + Author: Aaron Sierra + Date: Tue Nov 29 10:03:56 2016 -0600 + + igb: reset the PHY before reading the PHY ID + + commit 440aeca4b9858248d8f16d724d9fa87a4f65fa33 + Author: Matwey V Kornilov + Date: Thu Nov 24 13:32:48 2016 +0300 + + igb: Explicitly select page 0 at initialization + +The first reverted patch directly causes the problem mentioned above. +In case of SGMII the phy_addr is not known at this point and will +only be obtained by 'igb_get_phy_id_82575' further down in the code. +The second removed patch selects forces selection of page 0 in the +PHY. Something that the reset tries to address as well. + +As pointed out by Alexander Duzck, the patch below fixes the same +issue but in the proper location: + + commit 4e684f59d760a2c7c716bb60190783546e2d08a1 + Author: Chris J Arges + Date: Wed Nov 2 09:13:42 2016 -0500 + + igb: Workaround for igb i210 firmware issue + +Reverts: 440aeca4b9858248d8f16d724d9fa87a4f65fa33. +Reverts: 182785335447957409282ca745aa5bc3968facee. 
+ +Signed-off-by: Christian Grönke +Reviewed-by: Alexander Duyck +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/e1000_82575.c | 12 ------------ + 1 file changed, 12 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/e1000_82575.c b/drivers/net/ethernet/intel/igb/e1000_82575.c +index 4a50870e0fa7..a61447fd778e 100644 +--- a/drivers/net/ethernet/intel/igb/e1000_82575.c ++++ b/drivers/net/ethernet/intel/igb/e1000_82575.c +@@ -245,19 +245,7 @@ static s32 igb_init_phy_params_82575(struct e1000_hw *hw) + hw->bus.func = (rd32(E1000_STATUS) & E1000_STATUS_FUNC_MASK) >> + E1000_STATUS_FUNC_SHIFT; + +- /* Make sure the PHY is in a good state. Several people have reported +- * firmware leaving the PHY's page select register set to something +- * other than the default of zero, which causes the PHY ID read to +- * access something other than the intended register. +- */ +- ret_val = hw->phy.ops.reset(hw); +- if (ret_val) { +- hw_dbg("Error resetting the PHY.\n"); +- goto out; +- } +- + /* Set phy->phy_addr and phy->id. */ +- igb_write_phy_reg_82580(hw, I347AT4_PAGE_SELECT, 0); + ret_val = igb_get_phy_id_82575(hw); + if (ret_val) + return ret_val; +-- +2.17.1 + diff --git a/queue-4.9/iio-adc-revert-axp288-drop-bogus-axp288_adc_ts_pin_c.patch b/queue-4.9/iio-adc-revert-axp288-drop-bogus-axp288_adc_ts_pin_c.patch new file mode 100644 index 00000000000..2a54b5477d5 --- /dev/null +++ b/queue-4.9/iio-adc-revert-axp288-drop-bogus-axp288_adc_ts_pin_c.patch 
@@ -0,0 +1,104 @@ +From 0d82809fed23b7466c96c8460247c7f6b41805f7 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Fri, 30 Jun 2017 19:42:54 +0200 +Subject: iio: adc: Revert "axp288: Drop bogus AXP288_ADC_TS_PIN_CTRL register + modifications" + +[ Upstream commit 631b010abc5b57009c6a8328f51492665f6ef310 ] + +Inheriting the ADC BIAS current settings from the BIOS instead of +hardcoding then causes the AXP288 to disable charging (I think it +mis-detects an overheated battery) on at least one model tablet. + +So lets go back to hard coding the values, this reverts +commit fa2849e9649b ("iio: adc: axp288: Drop bogus +AXP288_ADC_TS_PIN_CTRL register modifications"), fixing charging not +working on the model tablet in question. + +The exact cause is not fully understood, hence the revert to a known working +state. + +Cc: stable@vger.kernel.org +Reported-by: Umberto Ixxo +Signed-off-by: Hans de Goede +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/axp288_adc.c | 32 +++++++++++++++++++++++++++++++- + 1 file changed, 31 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/adc/axp288_adc.c b/drivers/iio/adc/axp288_adc.c +index 64799ad7ebad..7fd24949c0c1 100644 +--- a/drivers/iio/adc/axp288_adc.c ++++ b/drivers/iio/adc/axp288_adc.c +@@ -28,6 +28,8 @@ + #include + + #define AXP288_ADC_EN_MASK 0xF1 ++#define AXP288_ADC_TS_PIN_GPADC 0xF2 ++#define AXP288_ADC_TS_PIN_ON 0xF3 + + enum axp288_adc_id { + AXP288_ADC_TS, +@@ -121,6 +123,16 @@ static int axp288_adc_read_channel(int *val, unsigned long address, + return IIO_VAL_INT; + } + ++static int axp288_adc_set_ts(struct regmap *regmap, unsigned int mode, ++ unsigned long address) ++{ ++ /* channels other than GPADC do not need to switch TS pin */ ++ if (address != AXP288_GP_ADC_H) ++ return 0; ++ ++ return regmap_write(regmap, AXP288_ADC_TS_PIN_CTRL, mode); ++} ++ + static int axp288_adc_read_raw(struct iio_dev *indio_dev, + struct iio_chan_spec const *chan, + int *val, int *val2, long 
mask) +@@ -131,7 +143,16 @@ static int axp288_adc_read_raw(struct iio_dev *indio_dev, + mutex_lock(&indio_dev->mlock); + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ if (axp288_adc_set_ts(info->regmap, AXP288_ADC_TS_PIN_GPADC, ++ chan->address)) { ++ dev_err(&indio_dev->dev, "GPADC mode\n"); ++ ret = -EINVAL; ++ break; ++ } + ret = axp288_adc_read_channel(val, chan->address, info->regmap); ++ if (axp288_adc_set_ts(info->regmap, AXP288_ADC_TS_PIN_ON, ++ chan->address)) ++ dev_err(&indio_dev->dev, "TS pin restore\n"); + break; + default: + ret = -EINVAL; +@@ -141,6 +162,15 @@ static int axp288_adc_read_raw(struct iio_dev *indio_dev, + return ret; + } + ++static int axp288_adc_set_state(struct regmap *regmap) ++{ ++ /* ADC should be always enabled for internal FG to function */ ++ if (regmap_write(regmap, AXP288_ADC_TS_PIN_CTRL, AXP288_ADC_TS_PIN_ON)) ++ return -EIO; ++ ++ return regmap_write(regmap, AXP20X_ADC_EN1, AXP288_ADC_EN_MASK); ++} ++ + static const struct iio_info axp288_adc_iio_info = { + .read_raw = &axp288_adc_read_raw, + .driver_module = THIS_MODULE, +@@ -169,7 +199,7 @@ static int axp288_adc_probe(struct platform_device *pdev) + * Set ADC to enabled state at all time, including system suspend. + * otherwise internal fuel gauge functionality may be affected. + */ +- ret = regmap_write(info->regmap, AXP20X_ADC_EN1, AXP288_ADC_EN_MASK); ++ ret = axp288_adc_set_state(axp20x->regmap); + if (ret) { + dev_err(&pdev->dev, "unable to enable ADC device\n"); + return ret; +-- +2.17.1 + diff --git a/queue-4.9/iio-buffer-fix-the-function-signature-to-match-imple.patch b/queue-4.9/iio-buffer-fix-the-function-signature-to-match-imple.patch new file mode 100644 index 00000000000..d4a457853e7 --- /dev/null +++ b/queue-4.9/iio-buffer-fix-the-function-signature-to-match-imple.patch 
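Review bot: In the axp288 patch, the new error paths discard the underlying regmap error: axp288_adc_read_raw() turns a failed axp288_adc_set_ts() into -EINVAL, and axp288_adc_set_state() turns a failed regmap_write() into -EIO. Propagating the returned value would keep the real bus error visible to callers. In the IIO_CHAN_INFO_RAW case a failed TS pin restore is only logged, so the read can report success while the TS pin may be left in GPADC mode; since the commit message ties this register to charging being disabled, consider returning the error there as well. The probe hunk passes axp20x->regmap while read_raw uses info->regmap; using one of the two throughout would be clearer.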
@@ -0,0 +1,34 @@ +From 73a550b0ed5f4ef59ad3d58482fcf94f0614236a Mon Sep 17 00:00:00 2001 +From: Phil Reid +Date: Tue, 5 Jun 2018 14:15:10 +0800 +Subject: iio: buffer: fix the function signature to match implementation + +[ Upstream commit 92397a6c38d139d50fabbe9e2dc09b61d53b2377 ] + +linux/iio/buffer-dma.h was not updated to when length was changed to +unsigned int. + +Fixes: c043ec1ca5ba ("iio:buffer: make length types match kfifo types") +Signed-off-by: Phil Reid +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + include/linux/iio/buffer-dma.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/iio/buffer-dma.h b/include/linux/iio/buffer-dma.h +index 767467d886de..67c75372b691 100644 +--- a/include/linux/iio/buffer-dma.h ++++ b/include/linux/iio/buffer-dma.h +@@ -141,7 +141,7 @@ int iio_dma_buffer_read(struct iio_buffer *buffer, size_t n, + char __user *user_buffer); + size_t iio_dma_buffer_data_available(struct iio_buffer *buffer); + int iio_dma_buffer_set_bytes_per_datum(struct iio_buffer *buffer, size_t bpd); +-int iio_dma_buffer_set_length(struct iio_buffer *buffer, int length); ++int iio_dma_buffer_set_length(struct iio_buffer *buffer, unsigned int length); + int iio_dma_buffer_request_update(struct iio_buffer *buffer); + + int iio_dma_buffer_init(struct iio_dma_buffer_queue *queue, +-- +2.17.1 + diff --git a/queue-4.9/iio-pressure-zpa2326-remove-always-true-check-which-.patch b/queue-4.9/iio-pressure-zpa2326-remove-always-true-check-which-.patch new file mode 100644 index 00000000000..44c7bf4dc8d --- /dev/null +++ b/queue-4.9/iio-pressure-zpa2326-remove-always-true-check-which-.patch 
@@ -0,0 +1,66 @@ +From 0d08d761e17b5aa39f57c6dcc205ef9c46081e4d Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Wed, 5 Jul 2017 10:14:59 +0200 +Subject: iio: pressure: zpa2326: Remove always-true check which confuses gcc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit f61dfff2f5b9fcb087bf5c444bc44b444709588f ] + +With gcc 4.1.2: + + drivers/iio/pressure/zpa2326.c: In function ‘zpa2326_wait_oneshot_completion’: + drivers/iio/pressure/zpa2326.c:868: warning: ‘ret’ may be used uninitialized in this function + +When testing for "timeout < 0", timeout is already guaranteed to be +strict negative, so the branch is always taken, and ret is thus always +initialized. But (some version of) gcc is not smart enough to notice. + +Remove the check to fix this. +As there is no other code in between assigning the error codes and +returning them, the error codes can be returned immediately, and the +intermediate variable can be dropped. +Drop the "else" to please checkpatch. + +Fixes: e7215fe4d51e69c9 ("iio: pressure: zpa2326: report interrupted case as failure") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/pressure/zpa2326.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/drivers/iio/pressure/zpa2326.c b/drivers/iio/pressure/zpa2326.c +index 2a4a62ebfd8d..cc002b958f7e 100644 +--- a/drivers/iio/pressure/zpa2326.c ++++ b/drivers/iio/pressure/zpa2326.c +@@ -869,7 +869,6 @@ complete: + static int zpa2326_wait_oneshot_completion(const struct iio_dev *indio_dev, + struct zpa2326_private *private) + { +- int ret; + unsigned int val; + long timeout; + +@@ -891,14 +890,11 @@ static int zpa2326_wait_oneshot_completion(const struct iio_dev *indio_dev, + /* Timed out. 
*/ + zpa2326_warn(indio_dev, "no one shot interrupt occurred (%ld)", + timeout); +- ret = -ETIME; +- } else if (timeout < 0) { +- zpa2326_warn(indio_dev, +- "wait for one shot interrupt cancelled"); +- ret = -ERESTARTSYS; ++ return -ETIME; + } + +- return ret; ++ zpa2326_warn(indio_dev, "wait for one shot interrupt cancelled"); ++ return -ERESTARTSYS; + } + + static int zpa2326_init_managed_irq(struct device *parent, +-- +2.17.1 + diff --git a/queue-4.9/ip6_tunnel-correct-tos-value-in-collect_md-mode.patch b/queue-4.9/ip6_tunnel-correct-tos-value-in-collect_md-mode.patch new file mode 100644 index 00000000000..0d1efa69a4a --- /dev/null +++ b/queue-4.9/ip6_tunnel-correct-tos-value-in-collect_md-mode.patch 
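Review bot: In the zpa2326 patch, the tail of zpa2326_wait_oneshot_completion() now returns -ERESTARTSYS unconditionally after the timed-out branch, so correctness depends on every earlier path for a non-negative timeout having returned already. The commit message argues that this holds, but nothing in the code says so any more. A one-line comment above the final zpa2326_warn() stating that timeout < 0 at that point would keep a later edit from falling through into the "cancelled" path by accident.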
@@ -0,0 +1,48 @@ +From 382f656e11584252dcd8aff2a2f723e29f0eafe7 Mon Sep 17 00:00:00 2001 +From: Haishuang Yan +Date: Sat, 17 Jun 2017 11:38:05 +0800 +Subject: ip6_tunnel: Correct tos value in collect_md mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 46f8cd9d2fc1e4e8b82b53a0007f6c92e80c930b ] + +Same as ip_gre, geneve and vxlan, use key->tos as traffic class value. + +CC: Peter Dawson +Fixes: 0e9a709560db ("ip6_tunnel, ip6_gre: fix setting of DSCP on +encapsulated packets”) +Signed-off-by: Haishuang Yan +Acked-by: Peter Dawson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_tunnel.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c +index fd081a14064e..a499e585d018 100644 +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -1258,7 +1258,7 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) + fl6.flowi6_proto = IPPROTO_IPIP; + fl6.daddr = key->u.ipv6.dst; + fl6.flowlabel = key->label; +- dsfield = ip6_tclass(key->label); ++ dsfield = key->tos; + } else { + if (!(t->parms.flags & IP6_TNL_F_IGN_ENCAP_LIMIT)) + encap_limit = t->parms.encap_limit; +@@ -1329,7 +1329,7 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) + fl6.flowi6_proto = IPPROTO_IPV6; + fl6.daddr = key->u.ipv6.dst; + fl6.flowlabel = key->label; +- dsfield = ip6_tclass(key->label); ++ dsfield = key->tos; + } else { + offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb)); + /* ip6_tnl_parse_tlv_enc_lim() might have reallocated skb->head */ +-- +2.17.1 + diff --git a/queue-4.9/ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch b/queue-4.9/ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch new file mode 100644 index 00000000000..24009f785c6 --- /dev/null +++ b/queue-4.9/ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch 
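Review bot: In the ip6_tunnel patch, the Fixes: tag is wrapped across two lines and closes its subject with a typographic quote (”) instead of an ASCII ", so tools that expect the tag on a single line will not match it. Please put it on one line with ASCII quotes. The two code changes (dsfield = key->tos in ip4ip6_tnl_xmit() and in ip6ip6_tnl_xmit()) are identical and match the one-line description.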
@@ -0,0 +1,65 @@ +From bfbbd2e27cb41185142edad97e4c058e75136a37 Mon Sep 17 00:00:00 2001 +From: Sabrina Dubroca +Date: Tue, 28 Aug 2018 13:40:51 +0200 +Subject: ipv6: fix cleanup ordering for ip6_mr failure + +[ Upstream commit afe49de44c27a89e8e9631c44b5ffadf6ace65e2 ] + +Commit 15e668070a64 ("ipv6: reorder icmpv6_init() and ip6_mr_init()") +moved the cleanup label for ipmr_fail, but should have changed the +contents of the cleanup labels as well. Now we can end up cleaning up +icmpv6 even though it hasn't been initialized (jump to icmp_fail or +ipmr_fail). + +Simply undo things in the reverse order of their initialization. + +Example of panic (triggered by faking a failure of icmpv6_init): + + kasan: GPF could be caused by NULL-ptr deref or user memory access + general protection fault: 0000 [#1] PREEMPT SMP KASAN PTI + [...] + RIP: 0010:__list_del_entry_valid+0x79/0x160 + [...] + Call Trace: + ? lock_release+0x8a0/0x8a0 + unregister_pernet_operations+0xd4/0x560 + ? ops_free_list+0x480/0x480 + ? down_write+0x91/0x130 + ? unregister_pernet_subsys+0x15/0x30 + ? down_read+0x1b0/0x1b0 + ? up_read+0x110/0x110 + ? kmem_cache_create_usercopy+0x1b4/0x240 + unregister_pernet_subsys+0x1d/0x30 + icmpv6_cleanup+0x1d/0x30 + inet6_init+0x1b5/0x23f + +Fixes: 15e668070a64 ("ipv6: reorder icmpv6_init() and ip6_mr_init()") +Signed-off-by: Sabrina Dubroca +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/af_inet6.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c +index 421379014995..f7b425615c12 100644 +--- a/net/ipv6/af_inet6.c ++++ b/net/ipv6/af_inet6.c +@@ -1045,11 +1045,11 @@ netfilter_fail: + igmp_fail: + ndisc_cleanup(); + ndisc_fail: +- ip6_mr_cleanup(); ++ icmpv6_cleanup(); + icmp_fail: +- unregister_pernet_subsys(&inet6_net_ops); ++ ip6_mr_cleanup(); + ipmr_fail: +- icmpv6_cleanup(); ++ unregister_pernet_subsys(&inet6_net_ops); + register_pernet_fail: + sock_unregister(PF_INET6); + rtnl_unregister_all(PF_INET6); +-- +2.17.1 + diff --git a/queue-4.9/ipv6-set-rt6i_protocol-properly-in-the-route-when-it.patch b/queue-4.9/ipv6-set-rt6i_protocol-properly-in-the-route-when-it.patch new file mode 100644 index 00000000000..5c405651348 --- /dev/null +++ b/queue-4.9/ipv6-set-rt6i_protocol-properly-in-the-route-when-it.patch 
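Review bot: In the ipv6 cleanup-ordering patch, the new label bodies (ndisc_fail calling icmpv6_cleanup(), icmp_fail calling ip6_mr_cleanup(), ipmr_fail calling unregister_pernet_subsys(&inet6_net_ops)) are only correct if inet6_init() in this tree initialises in the order pernet ops, ip6_mr, icmpv6, ndisc, that is, if 15e668070a64 is already in 4.9. Please confirm that dependency for the backport: applied on top of the pre-reorder init sequence, the same hunk would unwind in the wrong order and reproduce the kind of cleanup-before-init crash shown in the trace.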
@@ -0,0 +1,86 @@ +From 31138a59535a20e005623b4e4096632159dfbe5a Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Thu, 3 Aug 2017 14:13:46 +0800 +Subject: ipv6: set rt6i_protocol properly in the route when it is installed + +[ Upstream commit b91d532928dff2141ea9c107c3e73104d9843767 ] + +After commit c2ed1880fd61 ("net: ipv6: check route protocol when +deleting routes"), ipv6 route checks rt protocol when trying to +remove a rt entry. + +It introduced a side effect causing 'ip -6 route flush cache' not +to work well. When flushing caches with iproute, all route caches +get dumped from kernel then removed one by one by sending DELROUTE +requests to kernel for each cache. + +The thing is iproute sends the request with the cache whose proto +is set with RTPROT_REDIRECT by rt6_fill_node() when kernel dumps +it. But in kernel the rt_cache protocol is still 0, which causes +the cache not to be matched and removed. + +So the real reason is rt6i_protocol in the route is not set when +it is allocated. As David Ahern's suggestion, this patch is to +set rt6i_protocol properly in the route when it is installed and +remove the codes setting rtm_protocol according to rt6i_flags in +rt6_fill_node. + +This is also an improvement to keep rt6i_protocol consistent with +rtm_protocol. + +Fixes: c2ed1880fd61 ("net: ipv6: check route protocol when deleting routes") +Reported-by: Jianlin Shi +Suggested-by: David Ahern +Signed-off-by: Xin Long +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/route.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 70fa31e37360..4cc12eeca7ab 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -2289,6 +2289,7 @@ static void rt6_do_redirect(struct dst_entry *dst, struct sock *sk, struct sk_bu + if (on_link) + nrt->rt6i_flags &= ~RTF_GATEWAY; + ++ nrt->rt6i_protocol = RTPROT_REDIRECT; + nrt->rt6i_gateway = *(struct in6_addr *)neigh->primary_key; + + if (ip6_ins_rt(nrt)) +@@ -2393,6 +2394,7 @@ static struct rt6_info *rt6_add_route_info(struct net *net, + .fc_dst_len = prefixlen, + .fc_flags = RTF_GATEWAY | RTF_ADDRCONF | RTF_ROUTEINFO | + RTF_UP | RTF_PREF(pref), ++ .fc_protocol = RTPROT_RA, + .fc_nlinfo.portid = 0, + .fc_nlinfo.nlh = NULL, + .fc_nlinfo.nl_net = net, +@@ -2445,6 +2447,7 @@ struct rt6_info *rt6_add_dflt_router(const struct in6_addr *gwaddr, + .fc_ifindex = dev->ifindex, + .fc_flags = RTF_GATEWAY | RTF_ADDRCONF | RTF_DEFAULT | + RTF_UP | RTF_EXPIRES | RTF_PREF(pref), ++ .fc_protocol = RTPROT_RA, + .fc_nlinfo.portid = 0, + .fc_nlinfo.nlh = NULL, + .fc_nlinfo.nl_net = dev_net(dev), +@@ -3241,14 +3244,6 @@ static int rt6_fill_node(struct net *net, + } + rtm->rtm_scope = RT_SCOPE_UNIVERSE; + rtm->rtm_protocol = rt->rt6i_protocol; +- if (rt->rt6i_flags & RTF_DYNAMIC) +- rtm->rtm_protocol = RTPROT_REDIRECT; +- else if (rt->rt6i_flags & RTF_ADDRCONF) { +- if (rt->rt6i_flags & (RTF_DEFAULT | RTF_ROUTEINFO)) +- rtm->rtm_protocol = RTPROT_RA; +- else +- rtm->rtm_protocol = RTPROT_KERNEL; +- } + + if (rt->rt6i_flags & RTF_CACHE) + rtm->rtm_flags |= RTM_F_CLONED; +-- +2.17.1 + diff --git a/queue-4.9/l2tp-remove-configurable-payload-offset.patch b/queue-4.9/l2tp-remove-configurable-payload-offset.patch new file mode 100644 index 00000000000..506dda1e291 --- /dev/null +++ b/queue-4.9/l2tp-remove-configurable-payload-offset.patch 
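Review bot: In the rt6i_protocol patch, the block removed from rt6_fill_node() had three outcomes (RTPROT_REDIRECT, RTPROT_RA, and RTPROT_KERNEL for the remaining RTF_ADDRCONF routes), but the added lines only set the protocol for the first two: RTPROT_REDIRECT in rt6_do_redirect() and .fc_protocol = RTPROT_RA in rt6_add_route_info() and rt6_add_dflt_router(). Please show where RTF_ADDRCONF routes without RTF_DEFAULT or RTF_ROUTEINFO get RTPROT_KERNEL at install time, or say in the message that their reported protocol changes. Userspace that matches on rtm_protocol, which is the mechanism behind the flush failure described in the message, would otherwise see a different value for those routes.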
@@ -0,0 +1,154 @@ +From 4834d0e413ac39e9f8702eed50a893d0fdc031de Mon Sep 17 00:00:00 2001 +From: James Chapman +Date: Wed, 3 Jan 2018 22:48:06 +0000 +Subject: l2tp: remove configurable payload offset + +[ Upstream commit 900631ee6a2651dc4fbaecb8ef9fa5f1e3378853 ] + +If L2TP_ATTR_OFFSET is set to a non-zero value in L2TPv3 tunnels, it +results in L2TPv3 packets being transmitted which might not be +compliant with the L2TPv3 RFC. This patch has l2tp ignore the offset +setting and send all packets with no offset. + +In more detail: + +L2TPv2 supports a variable offset from the L2TPv2 header to the +payload. The offset value is indicated by an optional field in the +L2TP header. Our L2TP implementation already detects the presence of +the optional offset and skips that many bytes when handling data +received packets. All transmitted packets are always transmitted with +no offset. + +L2TPv3 has no optional offset field in the L2TPv3 packet +header. Instead, L2TPv3 defines optional fields in a "Layer-2 Specific +Sublayer". At the time when the original L2TP code was written, there +was talk at IETF of offset being implemented in a new Layer-2 Specific +Sublayer. A L2TP_ATTR_OFFSET netlink attribute was added so that this +offset could be configured and the intention was to allow it to be +also used to set the tx offset for L2TPv2. However, no L2TPv3 offset +was ever specified and the L2TP_ATTR_OFFSET parameter was forgotten +about. + +Setting L2TP_ATTR_OFFSET results in L2TPv3 packets being transmitted +with the specified number of bytes padding between L2TPv3 header and +payload. This is not compliant with L2TPv3 RFC3931. This change +removes the configurable offset altogether while retaining +L2TP_ATTR_OFFSET for backwards compatibility. Any L2TP_ATTR_OFFSET +value is ignored. + +Signed-off-by: James Chapman +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 14 ++++---------- + net/l2tp/l2tp_core.h | 3 --- + net/l2tp/l2tp_debugfs.c | 4 ++-- + net/l2tp/l2tp_netlink.c | 3 --- + 4 files changed, 6 insertions(+), 18 deletions(-) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index a5333f6cb65a..b96dbe38ecad 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -845,10 +845,8 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb, + } + } + +- /* Session data offset is handled differently for L2TPv2 and +- * L2TPv3. For L2TPv2, there is an optional 16-bit value in +- * the header. For L2TPv3, the offset is negotiated using AVPs +- * in the session setup control protocol. ++ /* Session data offset is defined only for L2TPv2 and is ++ * indicated by an optional 16-bit value in the header. + */ + if (tunnel->version == L2TP_HDR_VER_2) { + /* If offset bit set, skip it. */ +@@ -856,8 +854,7 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb, + offset = ntohs(*(__be16 *)ptr); + ptr += 2 + offset; + } +- } else +- ptr += session->offset; ++ } + + offset = ptr - optr; + if (!pskb_may_pull(skb, offset)) +@@ -1141,8 +1138,6 @@ static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf) + } + bufp += session->l2specific_len; + } +- if (session->offset) +- bufp += session->offset; + + return bufp - optr; + } +@@ -1827,7 +1822,7 @@ void l2tp_session_set_header_len(struct l2tp_session *session, int version) + if (session->send_seq) + session->hdr_len += 4; + } else { +- session->hdr_len = 4 + session->cookie_len + session->l2specific_len + session->offset; ++ session->hdr_len = 4 + session->cookie_len + session->l2specific_len; + if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP) + session->hdr_len += 4; + } +@@ -1878,7 +1873,6 @@ struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunn + session->recv_seq = cfg->recv_seq; + session->lns_mode = cfg->lns_mode; + 
session->reorder_timeout = cfg->reorder_timeout; +- session->offset = cfg->offset; + session->l2specific_type = cfg->l2specific_type; + session->l2specific_len = cfg->l2specific_len; + session->cookie_len = cfg->cookie_len; +diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h +index 42419f1c24cf..86356a23a0a7 100644 +--- a/net/l2tp/l2tp_core.h ++++ b/net/l2tp/l2tp_core.h +@@ -68,7 +68,6 @@ struct l2tp_session_cfg { + int debug; /* bitmask of debug message + * categories */ + u16 vlan_id; /* VLAN pseudowire only */ +- u16 offset; /* offset to payload */ + u16 l2specific_len; /* Layer 2 specific length */ + u16 l2specific_type; /* Layer 2 specific type */ + u8 cookie[8]; /* optional cookie */ +@@ -94,8 +93,6 @@ struct l2tp_session { + int cookie_len; + u8 peer_cookie[8]; + int peer_cookie_len; +- u16 offset; /* offset from end of L2TP header +- to beginning of data */ + u16 l2specific_len; + u16 l2specific_type; + u16 hdr_len; +diff --git a/net/l2tp/l2tp_debugfs.c b/net/l2tp/l2tp_debugfs.c +index d100aed3d06f..2d2a73280ec2 100644 +--- a/net/l2tp/l2tp_debugfs.c ++++ b/net/l2tp/l2tp_debugfs.c +@@ -181,8 +181,8 @@ static void l2tp_dfs_seq_session_show(struct seq_file *m, void *v) + session->lns_mode ? 
"LNS" : "LAC", + session->debug, + jiffies_to_msecs(session->reorder_timeout)); +- seq_printf(m, " offset %hu l2specific %hu/%hu\n", +- session->offset, session->l2specific_type, session->l2specific_len); ++ seq_printf(m, " offset 0 l2specific %hu/%hu\n", ++ session->l2specific_type, session->l2specific_len); + if (session->cookie_len) { + seq_printf(m, " cookie %02x%02x%02x%02x", + session->cookie[0], session->cookie[1], +diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c +index ee03bc866d1b..d6fccfdca201 100644 +--- a/net/l2tp/l2tp_netlink.c ++++ b/net/l2tp/l2tp_netlink.c +@@ -536,9 +536,6 @@ static int l2tp_nl_cmd_session_create(struct sk_buff *skb, struct genl_info *inf + } + + if (tunnel->version > 2) { +- if (info->attrs[L2TP_ATTR_OFFSET]) +- cfg.offset = nla_get_u16(info->attrs[L2TP_ATTR_OFFSET]); +- + if (info->attrs[L2TP_ATTR_DATA_SEQ]) + cfg.data_seq = nla_get_u8(info->attrs[L2TP_ATTR_DATA_SEQ]); + +-- +2.17.1 + diff --git a/queue-4.9/lan78xx-check-for-supported-wake-on-lan-modes.patch b/queue-4.9/lan78xx-check-for-supported-wake-on-lan-modes.patch new file mode 100644 index 00000000000..1b9ff75f0e0 --- /dev/null +++ b/queue-4.9/lan78xx-check-for-supported-wake-on-lan-modes.patch 
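Review bot: In the l2tp patch, l2tp_recv_common() loses the "ptr += session->offset" branch along with the transmit side, so an L2TPv3 peer that still pads by a configured offset will have its padding parsed as payload. The commit message makes the compliance argument for transmitted packets only; please say explicitly that receive interoperability with such peers is given up. In l2tp_nl_cmd_session_create() a supplied L2TP_ATTR_OFFSET is now ignored without any feedback, and l2tp_dfs_seq_session_show() prints a hard-coded "offset 0"; a comment at both places that the value is accepted for compatibility and ignored would save the next reader from hunting for the field.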
@@ -0,0 +1,50 @@ +From 013128f1786db34e2c513def1e3b12b35dde24da Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 28 Sep 2018 16:18:52 -0700 +Subject: lan78xx: Check for supported Wake-on-LAN modes + +[ Upstream commit eb9ad088f96653a26b340f7c447c44cf023d5cdc ] + +The driver supports a fair amount of Wake-on-LAN modes, but is not +checking that the user specified one that is supported. + +Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver") +Signed-off-by: Florian Fainelli +Reviewed-by: Woojung Huh +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/lan78xx.c | 17 ++++------------- + 1 file changed, 4 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c +index c5e04d1ad73a..0cbcd3f77341 100644 +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -1311,19 +1311,10 @@ static int lan78xx_set_wol(struct net_device *netdev, + if (ret < 0) + return ret; + +- pdata->wol = 0; +- if (wol->wolopts & WAKE_UCAST) +- pdata->wol |= WAKE_UCAST; +- if (wol->wolopts & WAKE_MCAST) +- pdata->wol |= WAKE_MCAST; +- if (wol->wolopts & WAKE_BCAST) +- pdata->wol |= WAKE_BCAST; +- if (wol->wolopts & WAKE_MAGIC) +- pdata->wol |= WAKE_MAGIC; +- if (wol->wolopts & WAKE_PHY) +- pdata->wol |= WAKE_PHY; +- if (wol->wolopts & WAKE_ARP) +- pdata->wol |= WAKE_ARP; ++ if (wol->wolopts & ~WAKE_ALL) ++ return -EINVAL; ++ ++ pdata->wol = wol->wolopts; + + device_set_wakeup_enable(&dev->udev->dev, (bool)wol->wolopts); + +-- +2.17.1 + diff --git a/queue-4.9/libata-fix-error-checking-in-in-ata_parse_force_one.patch b/queue-4.9/libata-fix-error-checking-in-in-ata_parse_force_one.patch new file mode 100644 index 00000000000..1f973f96a88 --- /dev/null +++ b/queue-4.9/libata-fix-error-checking-in-in-ata_parse_force_one.patch 
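Review bot: In the lan78xx patch, the new "if (wol->wolopts & ~WAKE_ALL) return -EINVAL;" sits after the "if (ret < 0) return ret;" check, so it returns past whatever the preceding call set up and skips any release that the end of lan78xx_set_wol() performs. The hunk does not show that call, so please check it, and consider validating wolopts at the top of the function before anything is acquired. The removed code accepted exactly WAKE_UCAST, WAKE_MCAST, WAKE_BCAST, WAKE_MAGIC, WAKE_PHY and WAKE_ARP; it is worth confirming that WAKE_ALL is that same set, since "pdata->wol = wol->wolopts" now stores every bit the mask lets through.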
@@ -0,0 +1,36 @@ +From e5d6aeefe900898e774fcf20cce7f370f9b0821a Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Wed, 31 May 2017 14:26:26 -0400 +Subject: libata: fix error checking in in ata_parse_force_one() + +[ Upstream commit f7cf69ae171592d133c69b9adaa5de7cfb6038ea ] + +ata_parse_force_one() was incorrectly comparing @p to @endp when it +should have been comparing @id. The only consequence is that it may +end up using an invalid port number in "libata.force" module param +instead of rejecting it. + +Signed-off-by: Tejun Heo +Reported-by: Petru-Florin Mihancea +Link: https://bugzilla.kernel.org/show_bug.cgi?id=195785 +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 73d636d35961..a166359ad5d4 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -6781,7 +6781,7 @@ static int __init ata_parse_force_one(char **cur, + } + + force_ent->port = simple_strtoul(id, &endp, 10); +- if (p == endp || *endp != '\0') { ++ if (id == endp || *endp != '\0') { + *reason = "invalid port/link"; + return -EINVAL; + } +-- +2.17.1 + diff --git a/queue-4.9/libertas-call-into-generic-suspend-code-before-turni.patch b/queue-4.9/libertas-call-into-generic-suspend-code-before-turni.patch new file mode 100644 index 00000000000..2366f171f02 --- /dev/null +++ b/queue-4.9/libertas-call-into-generic-suspend-code-before-turni.patch 
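Review bot: In the libata patch, changing "p == endp" to "id == endp" makes the empty-number case fail as intended, but simple_strtoul() does not report overflow, so an over-long digit string in libata.force still yields a wrapped value that is stored in force_ent->port without a range check. If rejecting invalid port numbers is the goal stated in the message, a bound check after the conversion would close that remaining case. The subject line also has a doubled word ("in in").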
@@ -0,0 +1,40 @@ +From 145d0f02b5d4b9611545d80897fdc8ddc6d2a609 Mon Sep 17 00:00:00 2001 +From: Daniel Mack +Date: Mon, 8 Oct 2018 22:03:57 +0200 +Subject: libertas: call into generic suspend code before turning off power + +[ Upstream commit 4f666675cdff0b986195413215eb062b7da6586f ] + +When powering down a SDIO connected card during suspend, make sure to call +into the generic lbs_suspend() function before pulling the plug. This will +make sure the card is successfully deregistered from the system to avoid +communication to the card starving out. + +Fixes: 7444a8092906 ("libertas: fix suspend and resume for SDIO connected cards") +Signed-off-by: Daniel Mack +Reviewed-by: Ulf Hansson +Acked-by: Kalle Valo +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/if_sdio.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/marvell/libertas/if_sdio.c b/drivers/net/wireless/marvell/libertas/if_sdio.c +index a0ae8d8763bb..06a57c708992 100644 +--- a/drivers/net/wireless/marvell/libertas/if_sdio.c ++++ b/drivers/net/wireless/marvell/libertas/if_sdio.c +@@ -1368,6 +1368,10 @@ static int if_sdio_suspend(struct device *dev) + if (priv->wol_criteria == EHS_REMOVE_WAKEUP) { + dev_info(dev, "Suspend without wake params -- powering down card\n"); + if (priv->fw_ready) { ++ ret = lbs_suspend(priv); ++ if (ret) ++ return ret; ++ + priv->power_up_on_resume = true; + if_sdio_power_off(card); + } +-- +2.17.1 + diff --git a/queue-4.9/mac80211-always-report-tx-status.patch b/queue-4.9/mac80211-always-report-tx-status.patch new file mode 100644 index 00000000000..8da28f5c951 --- /dev/null +++ b/queue-4.9/mac80211-always-report-tx-status.patch 
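Review bot: In the libertas patch, the added "ret = lbs_suspend(priv); if (ret) return ret;" in if_sdio_suspend() makes a failure to deregister the card abort the whole system suspend, and it returns before priv->power_up_on_resume is set or if_sdio_power_off(card) runs. Since this branch is the one that powers the card down anyway, please say in the message whether failing the suspend is intended, or log the error and continue to power off. The hunk does not show the resume side; please confirm that it undoes lbs_suspend() when power_up_on_resume is set.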
@@ -0,0 +1,50 @@ +From 9012841fbe50f464a65b0108fdff19f77028dabf Mon Sep 17 00:00:00 2001 +From: Andrei Otcheretianski +Date: Wed, 5 Sep 2018 08:06:13 +0300 +Subject: mac80211: Always report TX status + +[ Upstream commit 8682250b3c1b75a45feb7452bc413d004cfe3778 ] + +If a frame is dropped for any reason, mac80211 wouldn't report the TX +status back to user space. + +As the user space may rely on the TX_STATUS to kick its state +machines, resends etc, it's better to just report this frame as not +acked instead. + +Signed-off-by: Andrei Otcheretianski +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/status.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/net/mac80211/status.c b/net/mac80211/status.c +index 72fe9bc7a1f9..7892bac21eac 100644 +--- a/net/mac80211/status.c ++++ b/net/mac80211/status.c +@@ -472,11 +472,6 @@ static void ieee80211_report_ack_skb(struct ieee80211_local *local, + if (!skb) + return; + +- if (dropped) { +- dev_kfree_skb_any(skb); +- return; +- } +- + if (info->flags & IEEE80211_TX_INTFL_NL80211_FRAME_TX) { + u64 cookie = IEEE80211_SKB_CB(skb)->ack.cookie; + struct ieee80211_sub_if_data *sdata; +@@ -497,6 +492,8 @@ static void ieee80211_report_ack_skb(struct ieee80211_local *local, + } + rcu_read_unlock(); + ++ dev_kfree_skb_any(skb); ++ } else if (dropped) { + dev_kfree_skb_any(skb); + } else { + /* consumes skb */ +-- +2.17.1 + diff --git a/queue-4.9/mac80211-fix-pending-queue-hang-due-to-tx_drop.patch b/queue-4.9/mac80211-fix-pending-queue-hang-due-to-tx_drop.patch new file mode 100644 index 00000000000..9893f50fdee --- /dev/null +++ b/queue-4.9/mac80211-fix-pending-queue-hang-due-to-tx_drop.patch 
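Review bot: In the mac80211 TX status patch, deleting the early "if (dropped)" return means the IEEE80211_TX_INTFL_NL80211_FRAME_TX branch of ieee80211_report_ack_skb() now runs for dropped frames, but the hunk does not show which ack value that branch reports. The commit message promises "not acked", so please make sure the status report there cannot carry a true ack when dropped is set, and mention in the message how that is guaranteed. The skb is now freed in two separate branches (after the nl80211 report and in the new "else if (dropped)"); a single free after the if/else chain for the non-consuming cases would be harder to get wrong later.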
@@ -0,0 +1,54 @@ +From 5aeddcd6b2c0cab577b5c38d46e4be6f0032a025 Mon Sep 17 00:00:00 2001 +From: Bob Copeland +Date: Wed, 5 Sep 2018 06:22:59 -0400 +Subject: mac80211: fix pending queue hang due to TX_DROP +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 6eae4a6c2be387fec41b0d2782c4fffb57159498 ] + +In our environment running lots of mesh nodes, we are seeing the +pending queue hang periodically, with the debugfs queues file showing +lines such as: + + 00: 0x00000000/348 + +i.e. there are a large number of frames but no stop reason set. + +One way this could happen is if queue processing from the pending +tasklet exited early without processing all frames, and without having +some future event (incoming frame, stop reason flag, ...) to reschedule +it. + +Exactly this can occur today if ieee80211_tx() returns false due to +packet drops or power-save buffering in the tx handlers. In the +past, this function would return true in such cases, and the change +to false doesn't seem to be intentional. Fix this case by reverting +to the previous behavior. + +Fixes: bb42f2d13ffc ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue") +Signed-off-by: Bob Copeland +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 84582998f65f..58fba4e569e6 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -1833,7 +1833,7 @@ static bool ieee80211_tx(struct ieee80211_sub_if_data *sdata, + sdata->vif.hw_queue[skb_get_queue_mapping(skb)]; + + if (invoke_tx_handlers_early(&tx)) +- return false; ++ return true; + + if (ieee80211_queue_skb(local, sdata, tx.sta, tx.skb)) + return true; +-- +2.17.1 + 
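Review bot: In the mac80211 pending-queue patch, the whole fix is "return false" becoming "return true" after invoke_tx_handlers_early(&tx) in ieee80211_tx(), and nothing at that line says what the boolean means. Because the message describes the earlier flip to false as apparently unintentional, a short comment there (the frame was dropped or buffered by the tx handlers, so pending-queue processing should continue) would keep it from regressing the same way again.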
diff --git a/queue-4.9/mac80211-fix-tx-aggregation-start-stop-callback-race.patch b/queue-4.9/mac80211-fix-tx-aggregation-start-stop-callback-race.patch new file mode 100644 index 00000000000..eae2bade600 --- /dev/null +++ b/queue-4.9/mac80211-fix-tx-aggregation-start-stop-callback-race.patch 
@@ -0,0 +1,380 @@ +From 2dea1d8f98a2d0d3e98020c34b14134c8df481e2 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Sat, 27 May 2017 00:27:25 +0200 +Subject: mac80211: fix TX aggregation start/stop callback race + +[ Upstream commit 7a7c0a6438b8e7636d5a22e572892cc234f68297 ] + +When starting or stopping an aggregation session, one of the steps +is that the driver calls back to mac80211 that the start/stop can +proceed. This is handled by queueing up a fake SKB and processing +it from the normal iface/sdata work. Since this isn't flushed when +disassociating, the following race is possible: + + * associate + * start aggregation session + * driver callback + * disassociate + * associate again to the same AP + * callback processing runs, leading to a WARN_ON() that + the TID hadn't requested aggregation + +If the second association isn't to the same AP, there would only +be a message printed ("Could not find station: "), but the +same race could happen. + +Fix this by not going the whole detour with a fake SKB etc. but +simply looking up the aggregation session in the driver callback, +marking it with a START_CB/STOP_CB bit and then scheduling the +regular aggregation work that will now process these bits as well. +This also simplifies the code and gets rid of the whole problem +with allocation failures of said skb, which could have left the +session in limbo. 
+ +Reported-by: Jouni Malinen +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/agg-tx.c | 128 +++++++++++++++---------------------- + net/mac80211/ht.c | 16 +++-- + net/mac80211/ieee80211_i.h | 14 ++-- + net/mac80211/iface.c | 11 +--- + net/mac80211/sta_info.h | 2 + + 5 files changed, 71 insertions(+), 100 deletions(-) + +diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c +index 45319cc01121..80c45567ee3a 100644 +--- a/net/mac80211/agg-tx.c ++++ b/net/mac80211/agg-tx.c +@@ -7,7 +7,7 @@ + * Copyright 2006-2007 Jiri Benc + * Copyright 2007, Michael Wu + * Copyright 2007-2010, Intel Corporation +- * Copyright(c) 2015 Intel Deutschland GmbH ++ * Copyright(c) 2015-2017 Intel Deutschland GmbH + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -741,46 +741,43 @@ static void ieee80211_agg_tx_operational(struct ieee80211_local *local, + ieee80211_agg_start_txq(sta, tid, true); + } + +-void ieee80211_start_tx_ba_cb(struct ieee80211_vif *vif, u8 *ra, u16 tid) ++void ieee80211_start_tx_ba_cb(struct sta_info *sta, int tid, ++ struct tid_ampdu_tx *tid_tx) + { +- struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif); ++ struct ieee80211_sub_if_data *sdata = sta->sdata; + struct ieee80211_local *local = sdata->local; +- struct sta_info *sta; +- struct tid_ampdu_tx *tid_tx; + +- trace_api_start_tx_ba_cb(sdata, ra, tid); ++ if (WARN_ON(test_and_set_bit(HT_AGG_STATE_DRV_READY, &tid_tx->state))) ++ return; ++ ++ if (test_bit(HT_AGG_STATE_RESPONSE_RECEIVED, &tid_tx->state)) ++ ieee80211_agg_tx_operational(local, sta, tid); ++} ++ ++static struct tid_ampdu_tx * ++ieee80211_lookup_tid_tx(struct ieee80211_sub_if_data *sdata, ++ const u8 *ra, u16 tid, struct sta_info **sta) ++{ ++ struct tid_ampdu_tx *tid_tx; + + if (tid >= IEEE80211_NUM_TIDS) { + ht_dbg(sdata, "Bad TID value: tid = %d (>= %d)\n", + tid, IEEE80211_NUM_TIDS); +- return; ++ return NULL; + 
} + +- mutex_lock(&local->sta_mtx); +- sta = sta_info_get_bss(sdata, ra); +- if (!sta) { +- mutex_unlock(&local->sta_mtx); ++ *sta = sta_info_get_bss(sdata, ra); ++ if (!*sta) { + ht_dbg(sdata, "Could not find station: %pM\n", ra); +- return; ++ return NULL; + } + +- mutex_lock(&sta->ampdu_mlme.mtx); +- tid_tx = rcu_dereference_protected_tid_tx(sta, tid); ++ tid_tx = rcu_dereference((*sta)->ampdu_mlme.tid_tx[tid]); + +- if (WARN_ON(!tid_tx)) { ++ if (WARN_ON(!tid_tx)) + ht_dbg(sdata, "addBA was not requested!\n"); +- goto unlock; +- } + +- if (WARN_ON(test_and_set_bit(HT_AGG_STATE_DRV_READY, &tid_tx->state))) +- goto unlock; +- +- if (test_bit(HT_AGG_STATE_RESPONSE_RECEIVED, &tid_tx->state)) +- ieee80211_agg_tx_operational(local, sta, tid); +- +- unlock: +- mutex_unlock(&sta->ampdu_mlme.mtx); +- mutex_unlock(&local->sta_mtx); ++ return tid_tx; + } + + void ieee80211_start_tx_ba_cb_irqsafe(struct ieee80211_vif *vif, +@@ -788,19 +785,20 @@ void ieee80211_start_tx_ba_cb_irqsafe(struct ieee80211_vif *vif, + { + struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif); + struct ieee80211_local *local = sdata->local; +- struct ieee80211_ra_tid *ra_tid; +- struct sk_buff *skb = dev_alloc_skb(0); ++ struct sta_info *sta; ++ struct tid_ampdu_tx *tid_tx; + +- if (unlikely(!skb)) +- return; ++ trace_api_start_tx_ba_cb(sdata, ra, tid); + +- ra_tid = (struct ieee80211_ra_tid *) &skb->cb; +- memcpy(&ra_tid->ra, ra, ETH_ALEN); +- ra_tid->tid = tid; ++ rcu_read_lock(); ++ tid_tx = ieee80211_lookup_tid_tx(sdata, ra, tid, &sta); ++ if (!tid_tx) ++ goto out; + +- skb->pkt_type = IEEE80211_SDATA_QUEUE_AGG_START; +- skb_queue_tail(&sdata->skb_queue, skb); +- ieee80211_queue_work(&local->hw, &sdata->work); ++ set_bit(HT_AGG_STATE_START_CB, &tid_tx->state); ++ ieee80211_queue_work(&local->hw, &sta->ampdu_mlme.work); ++ out: ++ rcu_read_unlock(); + } + EXPORT_SYMBOL(ieee80211_start_tx_ba_cb_irqsafe); + +@@ -860,37 +858,18 @@ int ieee80211_stop_tx_ba_session(struct ieee80211_sta *pubsta, 
u16 tid) + } + EXPORT_SYMBOL(ieee80211_stop_tx_ba_session); + +-void ieee80211_stop_tx_ba_cb(struct ieee80211_vif *vif, u8 *ra, u8 tid) ++void ieee80211_stop_tx_ba_cb(struct sta_info *sta, int tid, ++ struct tid_ampdu_tx *tid_tx) + { +- struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif); +- struct ieee80211_local *local = sdata->local; +- struct sta_info *sta; +- struct tid_ampdu_tx *tid_tx; ++ struct ieee80211_sub_if_data *sdata = sta->sdata; + bool send_delba = false; + +- trace_api_stop_tx_ba_cb(sdata, ra, tid); +- +- if (tid >= IEEE80211_NUM_TIDS) { +- ht_dbg(sdata, "Bad TID value: tid = %d (>= %d)\n", +- tid, IEEE80211_NUM_TIDS); +- return; +- } +- +- ht_dbg(sdata, "Stopping Tx BA session for %pM tid %d\n", ra, tid); +- +- mutex_lock(&local->sta_mtx); +- +- sta = sta_info_get_bss(sdata, ra); +- if (!sta) { +- ht_dbg(sdata, "Could not find station: %pM\n", ra); +- goto unlock; +- } ++ ht_dbg(sdata, "Stopping Tx BA session for %pM tid %d\n", ++ sta->sta.addr, tid); + +- mutex_lock(&sta->ampdu_mlme.mtx); + spin_lock_bh(&sta->lock); +- tid_tx = rcu_dereference_protected_tid_tx(sta, tid); + +- if (!tid_tx || !test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) { ++ if (!test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) { + ht_dbg(sdata, + "unexpected callback to A-MPDU stop for %pM tid %d\n", + sta->sta.addr, tid); +@@ -906,12 +885,8 @@ void ieee80211_stop_tx_ba_cb(struct ieee80211_vif *vif, u8 *ra, u8 tid) + spin_unlock_bh(&sta->lock); + + if (send_delba) +- ieee80211_send_delba(sdata, ra, tid, ++ ieee80211_send_delba(sdata, sta->sta.addr, tid, + WLAN_BACK_INITIATOR, WLAN_REASON_QSTA_NOT_USE); +- +- mutex_unlock(&sta->ampdu_mlme.mtx); +- unlock: +- mutex_unlock(&local->sta_mtx); + } + + void ieee80211_stop_tx_ba_cb_irqsafe(struct ieee80211_vif *vif, +@@ -919,19 +894,20 @@ void ieee80211_stop_tx_ba_cb_irqsafe(struct ieee80211_vif *vif, + { + struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif); + struct ieee80211_local *local = sdata->local; +- struct 
ieee80211_ra_tid *ra_tid; +- struct sk_buff *skb = dev_alloc_skb(0); ++ struct sta_info *sta; ++ struct tid_ampdu_tx *tid_tx; + +- if (unlikely(!skb)) +- return; ++ trace_api_stop_tx_ba_cb(sdata, ra, tid); + +- ra_tid = (struct ieee80211_ra_tid *) &skb->cb; +- memcpy(&ra_tid->ra, ra, ETH_ALEN); +- ra_tid->tid = tid; ++ rcu_read_lock(); ++ tid_tx = ieee80211_lookup_tid_tx(sdata, ra, tid, &sta); ++ if (!tid_tx) ++ goto out; + +- skb->pkt_type = IEEE80211_SDATA_QUEUE_AGG_STOP; +- skb_queue_tail(&sdata->skb_queue, skb); +- ieee80211_queue_work(&local->hw, &sdata->work); ++ set_bit(HT_AGG_STATE_STOP_CB, &tid_tx->state); ++ ieee80211_queue_work(&local->hw, &sta->ampdu_mlme.work); ++ out: ++ rcu_read_unlock(); + } + EXPORT_SYMBOL(ieee80211_stop_tx_ba_cb_irqsafe); + +diff --git a/net/mac80211/ht.c b/net/mac80211/ht.c +index f4a528773563..6ca5442b1e03 100644 +--- a/net/mac80211/ht.c ++++ b/net/mac80211/ht.c +@@ -7,6 +7,7 @@ + * Copyright 2006-2007 Jiri Benc + * Copyright 2007, Michael Wu + * Copyright 2007-2010, Intel Corporation ++ * Copyright 2017 Intel Deutschland GmbH + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -289,8 +290,6 @@ void ieee80211_sta_tear_down_BA_sessions(struct sta_info *sta, + { + int i; + +- cancel_work_sync(&sta->ampdu_mlme.work); +- + for (i = 0; i < IEEE80211_NUM_TIDS; i++) { + __ieee80211_stop_tx_ba_session(sta, i, reason); + __ieee80211_stop_rx_ba_session(sta, i, WLAN_BACK_RECIPIENT, +@@ -298,6 +297,9 @@ void ieee80211_sta_tear_down_BA_sessions(struct sta_info *sta, + reason != AGG_STOP_DESTROY_STA && + reason != AGG_STOP_PEER_REQUEST); + } ++ ++ /* stopping might queue the work again - so cancel only afterwards */ ++ cancel_work_sync(&sta->ampdu_mlme.work); + } + + void ieee80211_ba_session_work(struct work_struct *work) +@@ -352,10 +354,16 @@ void ieee80211_ba_session_work(struct work_struct *work) + spin_unlock_bh(&sta->lock); + + tid_tx = 
rcu_dereference_protected_tid_tx(sta, tid); +- if (tid_tx && test_and_clear_bit(HT_AGG_STATE_WANT_STOP, +- &tid_tx->state)) ++ if (!tid_tx) ++ continue; ++ ++ if (test_and_clear_bit(HT_AGG_STATE_START_CB, &tid_tx->state)) ++ ieee80211_start_tx_ba_cb(sta, tid, tid_tx); ++ if (test_and_clear_bit(HT_AGG_STATE_WANT_STOP, &tid_tx->state)) + ___ieee80211_stop_tx_ba_session(sta, tid, + AGG_STOP_LOCAL_REQUEST); ++ if (test_and_clear_bit(HT_AGG_STATE_STOP_CB, &tid_tx->state)) ++ ieee80211_stop_tx_ba_cb(sta, tid, tid_tx); + } + mutex_unlock(&sta->ampdu_mlme.mtx); + } +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index 7fd544d970d9..8a690ebd7374 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -1026,8 +1026,6 @@ struct ieee80211_rx_agg { + + enum sdata_queue_type { + IEEE80211_SDATA_QUEUE_TYPE_FRAME = 0, +- IEEE80211_SDATA_QUEUE_AGG_START = 1, +- IEEE80211_SDATA_QUEUE_AGG_STOP = 2, + IEEE80211_SDATA_QUEUE_RX_AGG_START = 3, + IEEE80211_SDATA_QUEUE_RX_AGG_STOP = 4, + }; +@@ -1416,12 +1414,6 @@ ieee80211_get_sband(struct ieee80211_sub_if_data *sdata) + return local->hw.wiphy->bands[band]; + } + +-/* this struct represents 802.11n's RA/TID combination */ +-struct ieee80211_ra_tid { +- u8 ra[ETH_ALEN]; +- u16 tid; +-}; +- + /* this struct holds the value parsing from channel switch IE */ + struct ieee80211_csa_ie { + struct cfg80211_chan_def chandef; +@@ -1765,8 +1757,10 @@ int __ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid, + enum ieee80211_agg_stop_reason reason); + int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid, + enum ieee80211_agg_stop_reason reason); +-void ieee80211_start_tx_ba_cb(struct ieee80211_vif *vif, u8 *ra, u16 tid); +-void ieee80211_stop_tx_ba_cb(struct ieee80211_vif *vif, u8 *ra, u8 tid); ++void ieee80211_start_tx_ba_cb(struct sta_info *sta, int tid, ++ struct tid_ampdu_tx *tid_tx); ++void ieee80211_stop_tx_ba_cb(struct sta_info *sta, int tid, ++ struct tid_ampdu_tx *tid_tx); + 
void ieee80211_ba_session_work(struct work_struct *work); + void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid); + void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid); +diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c +index fa7d757fef95..760ba8ec2944 100644 +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -1248,7 +1248,6 @@ static void ieee80211_iface_work(struct work_struct *work) + struct ieee80211_local *local = sdata->local; + struct sk_buff *skb; + struct sta_info *sta; +- struct ieee80211_ra_tid *ra_tid; + struct ieee80211_rx_agg *rx_agg; + + if (!ieee80211_sdata_running(sdata)) +@@ -1264,15 +1263,7 @@ static void ieee80211_iface_work(struct work_struct *work) + while ((skb = skb_dequeue(&sdata->skb_queue))) { + struct ieee80211_mgmt *mgmt = (void *)skb->data; + +- if (skb->pkt_type == IEEE80211_SDATA_QUEUE_AGG_START) { +- ra_tid = (void *)&skb->cb; +- ieee80211_start_tx_ba_cb(&sdata->vif, ra_tid->ra, +- ra_tid->tid); +- } else if (skb->pkt_type == IEEE80211_SDATA_QUEUE_AGG_STOP) { +- ra_tid = (void *)&skb->cb; +- ieee80211_stop_tx_ba_cb(&sdata->vif, ra_tid->ra, +- ra_tid->tid); +- } else if (skb->pkt_type == IEEE80211_SDATA_QUEUE_RX_AGG_START) { ++ if (skb->pkt_type == IEEE80211_SDATA_QUEUE_RX_AGG_START) { + rx_agg = (void *)&skb->cb; + mutex_lock(&local->sta_mtx); + sta = sta_info_get_bss(sdata, rx_agg->addr); +diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h +index 15599c70a38f..cc808ac783e5 100644 +--- a/net/mac80211/sta_info.h ++++ b/net/mac80211/sta_info.h +@@ -115,6 +115,8 @@ enum ieee80211_sta_info_flags { + #define HT_AGG_STATE_STOPPING 3 + #define HT_AGG_STATE_WANT_START 4 + #define HT_AGG_STATE_WANT_STOP 5 ++#define HT_AGG_STATE_START_CB 6 ++#define HT_AGG_STATE_STOP_CB 7 + + enum ieee80211_agg_stop_reason { + AGG_STOP_DECLINED, +-- +2.17.1 + 
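Review bot: ieee80211_lookup_tid_tx() in net/mac80211/agg-tx.c uses rcu_dereference() and hands back both `*sta` and `tid_tx`, so it is only valid inside an RCU read-side section, but nothing in the helper states or asserts that. Both callers in this patch take rcu_read_lock() first; a later caller may not. Suggest a comment above the helper, or an RCU lockdep assertion inside it, stating the requirement. Separately, in ieee80211_ba_session_work() the same `tid_tx` pointer is tested for HT_AGG_STATE_STOP_CB after ___ieee80211_stop_tx_ba_session() has already run for that TID in the same iteration, and ieee80211_stop_tx_ba_cb() no longer checks `!tid_tx` itself; the commit message or a comment should say why the session cannot be released between those two steps.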
diff --git a/queue-4.9/mac80211-tdls-fix-skb-queue-priority-assignment.patch b/queue-4.9/mac80211-tdls-fix-skb-queue-priority-assignment.patch new file mode 100644 index 00000000000..d9e74a920ec --- /dev/null +++ b/queue-4.9/mac80211-tdls-fix-skb-queue-priority-assignment.patch 
@@ -0,0 +1,55 @@ +From 487e8e42b5bb2a39617a7a2b92c957f7ecef5b79 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 5 Sep 2018 13:34:02 +0200 +Subject: mac80211: TDLS: fix skb queue/priority assignment + +[ Upstream commit cb59bc14e830028d2244861216df038165d7625d ] + +If the TDLS setup happens over a connection to an AP that +doesn't have QoS, we nevertheless assign a non-zero TID +(skb->priority) and queue mapping, which may confuse us or +drivers later. + +Fix it by just assigning the special skb->priority and then +using ieee80211_select_queue() just like other data frames +would go through. + +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tdls.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c +index f20dcf1b1830..c64ae68ae4f8 100644 +--- a/net/mac80211/tdls.c ++++ b/net/mac80211/tdls.c +@@ -16,6 +16,7 @@ + #include "ieee80211_i.h" + #include "driver-ops.h" + #include "rate.h" ++#include "wme.h" + + /* give usermode some time for retries in setting up the TDLS session */ + #define TDLS_PEER_SETUP_TIMEOUT (15 * HZ) +@@ -1019,14 +1020,13 @@ ieee80211_tdls_prep_mgmt_packet(struct wiphy *wiphy, struct net_device *dev, + switch (action_code) { + case WLAN_TDLS_SETUP_REQUEST: + case WLAN_TDLS_SETUP_RESPONSE: +- skb_set_queue_mapping(skb, IEEE80211_AC_BK); +- skb->priority = 2; ++ skb->priority = 256 + 2; + break; + default: +- skb_set_queue_mapping(skb, IEEE80211_AC_VI); +- skb->priority = 5; ++ skb->priority = 256 + 5; + break; + } ++ skb_set_queue_mapping(skb, ieee80211_select_queue(sdata, skb)); + + /* + * Set the WLAN_TDLS_TEARDOWN flag to indicate a teardown in progress. +-- +2.17.1 + diff --git a/queue-4.9/mac80211_hwsim-do-not-omit-multicast-announce-of-fir.patch b/queue-4.9/mac80211_hwsim-do-not-omit-multicast-announce-of-fir.patch new file mode 100644 index 00000000000..d077ff913fd --- /dev/null 
+++ b/queue-4.9/mac80211_hwsim-do-not-omit-multicast-announce-of-fir.patch @@ -0,0 +1,38 @@ +From 3a26e0dfbc25ed8ac001afc781aa155d07cd42eb Mon Sep 17 00:00:00 2001 +From: Martin Willi +Date: Tue, 25 Sep 2018 09:51:02 +0200 +Subject: mac80211_hwsim: do not omit multicast announce of first added radio + +[ Upstream commit 28ef8b49a338dc1844e86b7954cfffc7dfa2660a ] + +The allocation of hwsim radio identifiers uses a post-increment from 0, +so the first radio has idx 0. This idx is explicitly excluded from +multicast announcements ever since, but it is unclear why. + +Drop that idx check and announce the first radio as well. This makes +userspace happy if it relies on these events. + +Signed-off-by: Martin Willi +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mac80211_hwsim.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index 4bb36dc73433..cbb3e902e347 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -2665,8 +2665,7 @@ static int mac80211_hwsim_new_radio(struct genl_info *info, + list_add_tail(&data->list, &hwsim_radios); + spin_unlock_bh(&hwsim_radio_lock); + +- if (idx > 0) +- hwsim_mcast_new_radio(idx, info, param); ++ hwsim_mcast_new_radio(idx, info, param); + + return idx; + +-- +2.17.1 + diff --git a/queue-4.9/macsec-fix-memory-leaks-when-skb_to_sgvec-fails.patch b/queue-4.9/macsec-fix-memory-leaks-when-skb_to_sgvec-fails.patch new file mode 100644 index 00000000000..7391d7d3b83 --- /dev/null +++ b/queue-4.9/macsec-fix-memory-leaks-when-skb_to_sgvec-fails.patch 
@@ -0,0 +1,38 @@ +From 02673f18ad1d162eec032c9543d74d0ec73fc683 Mon Sep 17 00:00:00 2001 +From: Sabrina Dubroca +Date: Tue, 10 Oct 2017 17:07:12 +0200 +Subject: macsec: fix memory leaks when skb_to_sgvec fails + +[ Upstream commit 5aba2ba5030b66a6f8c93049b718556f9aacd7c6 ] + +Fixes: cda7ea690350 ("macsec: check return value of skb_to_sgvec always") +Signed-off-by: Sabrina Dubroca +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index 365a48cfcbbf..653f0b185a68 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -744,6 +744,7 @@ static struct sk_buff *macsec_encrypt(struct sk_buff *skb, + sg_init_table(sg, ret); + ret = skb_to_sgvec(skb, sg, 0, skb->len); + if (unlikely(ret < 0)) { ++ aead_request_free(req); + macsec_txsa_put(tx_sa); + kfree_skb(skb); + return ERR_PTR(ret); +@@ -956,6 +957,7 @@ static struct sk_buff *macsec_decrypt(struct sk_buff *skb, + sg_init_table(sg, ret); + ret = skb_to_sgvec(skb, sg, 0, skb->len); + if (unlikely(ret < 0)) { ++ aead_request_free(req); + kfree_skb(skb); + return ERR_PTR(ret); + } +-- +2.17.1 + diff --git a/queue-4.9/mips-handle-non-word-sized-instructions-when-examini.patch b/queue-4.9/mips-handle-non-word-sized-instructions-when-examini.patch new file mode 100644 index 00000000000..317d23b20a1 --- /dev/null +++ b/queue-4.9/mips-handle-non-word-sized-instructions-when-examini.patch 
@@ -0,0 +1,95 @@ +From 477b55e9136344ec5dd8c7cf2ab64fc089fbfe6b Mon Sep 17 00:00:00 2001 +From: Matt Redfearn +Date: Tue, 8 Aug 2017 13:22:30 +0100 +Subject: MIPS: Handle non word sized instructions when examining frame + +[ Upstream commit 11887ed172a6960673f130dad8f8fb42778f64d7 ] + +Commit 34c2f668d0f6b ("MIPS: microMIPS: Add unaligned access support.") +added fairly broken support for handling 16bit microMIPS instructions in +get_frame_info(). It adjusts the instruction pointer by 16bits in the +case of a 16bit sp move instruction, but not any other 16bit +instruction. + +Commit b6c7a324df37 ("MIPS: Fix get_frame_info() handling of microMIPS +function size") goes some way to fixing get_frame_info() to iterate over +microMIPS instuctions, but the instruction pointer is still manipulated +using a postincrement, and is of union mips_instruction type. Since the +union is sized to the largest member (a word), but microMIPS +instructions are a mix of halfword and word sizes, the function does not +always iterate correctly, ending up misaligned with the instruction +stream and interpreting it incorrectly. + +Since the instruction modifying the stack pointer is usually the first +in the function, that one is usually handled correctly. But the +instruction which saves the return address to the sp is some variable +number of instructions into the frame and is frequently missed due to +not being on a word boundary, leading to incomplete walking of the +stack. + +Fix this by incrementing the instruction pointer based on the size of +the previously decoded instruction (& remove the hack introduced by +commit 34c2f668d0f6b ("MIPS: microMIPS: Add unaligned access support.") +which adjusts the instruction pointer in the case of a 16bit sp move +instruction, but not any other). 
+ +Fixes: 34c2f668d0f6b ("MIPS: microMIPS: Add unaligned access support.") +Signed-off-by: Matt Redfearn +Cc: Marcin Nowakowski +Cc: James Hogan +Cc: Ingo Molnar +Cc: Paul Burton +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/16953/ +Signed-off-by: Ralf Baechle +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/process.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c +index 0211dc737a21..1cc133e7026f 100644 +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -346,6 +346,7 @@ static int get_frame_info(struct mips_frame_info *info) + bool is_mmips = IS_ENABLED(CONFIG_CPU_MICROMIPS); + union mips_instruction insn, *ip, *ip_end; + const unsigned int max_insns = 128; ++ unsigned int last_insn_size = 0; + unsigned int i; + + info->pc_offset = -1; +@@ -357,15 +358,19 @@ static int get_frame_info(struct mips_frame_info *info) + + ip_end = (void *)ip + info->func_size; + +- for (i = 0; i < max_insns && ip < ip_end; i++, ip++) { ++ for (i = 0; i < max_insns && ip < ip_end; i++) { ++ ip = (void *)ip + last_insn_size; + if (is_mmips && mm_insn_16bit(ip->halfword[0])) { + insn.halfword[0] = 0; + insn.halfword[1] = ip->halfword[0]; ++ last_insn_size = 2; + } else if (is_mmips) { + insn.halfword[0] = ip->halfword[1]; + insn.halfword[1] = ip->halfword[0]; ++ last_insn_size = 4; + } else { + insn.word = ip->word; ++ last_insn_size = 4; + } + + if (is_jump_ins(&insn)) +@@ -387,8 +392,6 @@ static int get_frame_info(struct mips_frame_info *info) + tmp = (ip->halfword[0] >> 1); + info->frame_size = -(signed short)(tmp & 0xf); + } +- ip = (void *) &ip->halfword[1]; +- ip--; + } else + #endif + info->frame_size = - ip->i_format.simmediate; +-- +2.17.1 + 
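Review bot: in get_frame_info() the loop condition `ip < ip_end` is evaluated before `ip = (void *)ip + last_insn_size;`, so on the pass after the last instruction the pointer is advanced to or past ip_end and `ip->halfword[0]` (or `ip->word`) is then read from outside the function body. Suggest applying the bound to the pointer that is actually dereferenced: either break out when `ip >= ip_end` right after the advance, or move the advance into the for statement's increment expression so the existing condition is re-checked before the body runs. The second form also keeps the advance correct if a `continue` is ever added to the loop body.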
diff --git a/queue-4.9/mips-micromips-fix-decoding-of-swsp16-instruction.patch b/queue-4.9/mips-micromips-fix-decoding-of-swsp16-instruction.patch new file mode 100644 index 00000000000..94e7e01ef59 --- /dev/null +++ b/queue-4.9/mips-micromips-fix-decoding-of-swsp16-instruction.patch 
@@ -0,0 +1,67 @@ +From 928990c84f3dade70d7e8067d7cb38cb7e0e5bc0 Mon Sep 17 00:00:00 2001 +From: Matt Redfearn +Date: Tue, 8 Aug 2017 13:22:33 +0100 +Subject: MIPS: microMIPS: Fix decoding of swsp16 instruction + +[ Upstream commit cea8cd498f4f1c30ea27e3664b3c671e495c4fce ] + +When the immediate encoded in the instruction is accessed, it is sign +extended due to being a signed value being assigned to a signed integer. +The ISA specifies that this operation is an unsigned operation. +The sign extension leads us to incorrectly decode: + +801e9c8e: cbf1 sw ra,68(sp) + +As having an immediate of 1073741809. + +Since the instruction format does not specify signed/unsigned, and this +is currently the only location to use this instuction format, change it +to an unsigned immediate. + +Fixes: bb9bc4689b9c ("MIPS: Calculate microMIPS ra properly when unwinding the stack") +Suggested-by: Paul Burton +Signed-off-by: Matt Redfearn +Reviewed-by: James Hogan +Cc: Marcin Nowakowski +Cc: Miodrag Dinic +Cc: Ingo Molnar +Cc: David Daney +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/16957/ +Signed-off-by: Ralf Baechle +Signed-off-by: Sasha Levin +--- + arch/mips/include/uapi/asm/inst.h | 2 +- + arch/mips/kernel/process.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/include/uapi/asm/inst.h b/arch/mips/include/uapi/asm/inst.h +index 77429d1622b3..711d9b8465b8 100644 +--- a/arch/mips/include/uapi/asm/inst.h ++++ b/arch/mips/include/uapi/asm/inst.h +@@ -964,7 +964,7 @@ struct mm16_r3_format { /* Load from global pointer format */ + struct mm16_r5_format { /* Load/store from stack pointer format */ + __BITFIELD_FIELD(unsigned int opcode : 6, + __BITFIELD_FIELD(unsigned int rt : 5, +- __BITFIELD_FIELD(signed int simmediate : 5, ++ __BITFIELD_FIELD(unsigned int imm : 5, + __BITFIELD_FIELD(unsigned int : 16, /* Ignored */ + ;)))) + }; +diff --git a/arch/mips/kernel/process.c 
b/arch/mips/kernel/process.c +index ba315e523b33..0211dc737a21 100644 +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -212,7 +212,7 @@ static inline int is_ra_save_ins(union mips_instruction *ip, int *poff) + if (ip->mm16_r5_format.rt != 31) + return 0; + +- *poff = ip->mm16_r5_format.simmediate; ++ *poff = ip->mm16_r5_format.imm; + *poff = (*poff << 2) / sizeof(ulong); + return 1; + +-- +2.17.1 + diff --git a/queue-4.9/mm-frame_vector.c-release-a-semaphore-in-get_vaddr_f.patch b/queue-4.9/mm-frame_vector.c-release-a-semaphore-in-get_vaddr_f.patch new file mode 100644 index 00000000000..27ba5fbffd4 --- /dev/null +++ b/queue-4.9/mm-frame_vector.c-release-a-semaphore-in-get_vaddr_f.patch 
@@ -0,0 +1,45 @@ +From cea217a565dce92591af7df35041d016cc76bb78 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Thu, 14 Dec 2017 15:33:08 -0800 +Subject: mm/frame_vector.c: release a semaphore in 'get_vaddr_frames()' + +[ Upstream commit 1f704fd0d14043e76e80f6b8b2251b9b2cedcca6 ] + +A semaphore is acquired before this check, so we must release it before +leaving. + +Link: http://lkml.kernel.org/r/20171211211009.4971-1-christophe.jaillet@wanadoo.fr +Fixes: b7f0554a56f2 ("mm: fail get_vaddr_frames() for filesystem-dax mappings") +Signed-off-by: Christophe JAILLET +Acked-by: Michal Hocko +Cc: Dan Williams +Cc: Christian Borntraeger +Cc: David Sterba +Cc: Greg Kroah-Hartman +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/frame_vector.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/mm/frame_vector.c b/mm/frame_vector.c +index 375a103d7a56..d73eed0443f6 100644 +--- a/mm/frame_vector.c ++++ b/mm/frame_vector.c +@@ -61,8 +61,10 @@ int get_vaddr_frames(unsigned long start, unsigned int nr_frames, + * get_user_pages_longterm() and disallow it for filesystem-dax + * mappings. + */ +- if (vma_is_fsdax(vma)) +- return -EOPNOTSUPP; ++ if (vma_is_fsdax(vma)) { ++ ret = -EOPNOTSUPP; ++ goto out; ++ } + + if (!(vma->vm_flags & (VM_IO | VM_PFNMAP))) { + vec->got_ref = true; +-- +2.17.1 + diff --git a/queue-4.9/mm-memory_hotplug.c-fix-overflow-in-test_pages_in_a_.patch b/queue-4.9/mm-memory_hotplug.c-fix-overflow-in-test_pages_in_a_.patch new file mode 100644 index 00000000000..40cf5b11469 --- /dev/null +++ b/queue-4.9/mm-memory_hotplug.c-fix-overflow-in-test_pages_in_a_.patch 
@@ -0,0 +1,55 @@ +From fd74c86ceb73d8c100796c25a2ce0a6ce8a00bf4 Mon Sep 17 00:00:00 2001 +From: zhong jiang +Date: Fri, 24 Feb 2017 14:59:30 -0800 +Subject: mm/memory_hotplug.c: fix overflow in test_pages_in_a_zone() + +[ Upstream commit d6d8c8a48291b929b2e039f220f0b62958cccfea ] + +When mainline introduced commit a96dfddbcc04 ("base/memory, hotplug: fix +a kernel oops in show_valid_zones()"), it obtained the valid start and +end pfn from the given pfn range. The valid start pfn can fix the +actual issue, but it introduced another issue. The valid end pfn will +may exceed the given end_pfn. + +Although the incorrect overflow will not result in actual problem at +present, but I think it need to be fixed. + +[toshi.kani@hpe.com: remove assumption that end_pfn is aligned by MAX_ORDER_NR_PAGES] +Fixes: a96dfddbcc04 ("base/memory, hotplug: fix a kernel oops in show_valid_zones()") +Link: http://lkml.kernel.org/r/1486467299-22648-1-git-send-email-zhongjiang@huawei.com +Signed-off-by: zhong jiang +Signed-off-by: Toshi Kani +Cc: Vlastimil Babka +Cc: Mel Gorman +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/memory_hotplug.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c +index c9f715b2917f..0f962cc3f1bf 100644 +--- a/mm/memory_hotplug.c ++++ b/mm/memory_hotplug.c +@@ -1508,7 +1508,7 @@ int test_pages_in_a_zone(unsigned long start_pfn, unsigned long end_pfn, + while ((i < MAX_ORDER_NR_PAGES) && + !pfn_valid_within(pfn + i)) + i++; +- if (i == MAX_ORDER_NR_PAGES) ++ if (i == MAX_ORDER_NR_PAGES || pfn + i >= end_pfn) + continue; + page = pfn_to_page(pfn + i); + if (zone && page_zone(page) != zone) +@@ -1522,7 +1522,7 @@ int test_pages_in_a_zone(unsigned long start_pfn, unsigned long end_pfn, + + if (zone) { + *valid_start = start; +- *valid_end = end; ++ *valid_end = min(end, end_pfn); + return 1; + } else { + return 0; +-- +2.17.1 + 
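Review bot: in test_pages_in_a_zone() the new `pfn + i >= end_pfn` test runs only after the `while ((i < MAX_ORDER_NR_PAGES) && !pfn_valid_within(pfn + i))` scan has finished, so the scan itself still probes page frames at or beyond end_pfn when the range is not aligned to MAX_ORDER_NR_PAGES. Suggest bounding the scan as well by adding `pfn + i < end_pfn` to the while condition, which keeps the probing inside the range the caller asked about; the check added here can then stay as the skip condition. The `min(end, end_pfn)` clamp on `*valid_end` addresses the same unaligned case on the output side.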
diff --git a/queue-4.9/module-fix-debug_set_module_ronx-typo.patch b/queue-4.9/module-fix-debug_set_module_ronx-typo.patch new file mode 100644 index 00000000000..d40591cb59c --- /dev/null +++ b/queue-4.9/module-fix-debug_set_module_ronx-typo.patch @@ -0,0 +1,44 @@ +From d5ba8a4ed5c30be4acf1b568a69108fc55debcad Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 28 Nov 2016 15:59:13 +0100 +Subject: module: fix DEBUG_SET_MODULE_RONX typo + +[ Upstream commit 4d217a5adccf5e806790c37c61cc374a08bd7381 ] + +The newly added 'rodata_enabled' global variable is protected by +the wrong #ifdef, leading to a link error when CONFIG_DEBUG_SET_MODULE_RONX +is turned on: + +kernel/module.o: In function `disable_ro_nx': +module.c:(.text.unlikely.disable_ro_nx+0x88): undefined reference to `rodata_enabled' +kernel/module.o: In function `module_disable_ro': +module.c:(.text.module_disable_ro+0x8c): undefined reference to `rodata_enabled' +kernel/module.o: In function `module_enable_ro': +module.c:(.text.module_enable_ro+0xb0): undefined reference to `rodata_enabled' + +CONFIG_SET_MODULE_RONX does not exist, so use the correct one instead. + +Fixes: 39290b389ea2 ("module: extend 'rodata=off' boot cmdline parameter to module mappings") +Signed-off-by: Arnd Bergmann +Signed-off-by: Jessica Yu +Signed-off-by: Sasha Levin +--- + init/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/init/main.c b/init/main.c +index 4313772d634a..3c7f71d8e704 100644 +--- a/init/main.c ++++ b/init/main.c +@@ -915,7 +915,7 @@ static int try_to_run_init_process(const char *init_filename) + + static noinline void __init kernel_init_freeable(void); + +-#if defined(CONFIG_DEBUG_RODATA) || defined(CONFIG_SET_MODULE_RONX) ++#if defined(CONFIG_DEBUG_RODATA) || defined(CONFIG_DEBUG_SET_MODULE_RONX) + bool rodata_enabled __ro_after_init = true; + static int __init set_debug_rodata(char *str) + { +-- +2.17.1 + 
diff --git a/queue-4.9/nbd-only-set-msg_more-when-we-have-more-to-send.patch b/queue-4.9/nbd-only-set-msg_more-when-we-have-more-to-send.patch new file mode 100644 index 00000000000..1dae01284b6 --- /dev/null +++ b/queue-4.9/nbd-only-set-msg_more-when-we-have-more-to-send.patch 
@@ -0,0 +1,55 @@ +From d5039b9b4833a5e7d8cabb87ba6c54f9ade9b022 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Thu, 19 Jan 2017 16:08:49 -0500 +Subject: nbd: only set MSG_MORE when we have more to send + +[ Upstream commit d61b7f972dab2a7d187c38254845546dfc8eed85 ] + +A user noticed that write performance was horrible over loopback and we +traced it to an inversion of when we need to set MSG_MORE. It should be +set when we have more bvec's to send, not when we are on the last bvec. +This patch made the test go from 20 iops to 78k iops. + +Signed-off-by: Josef Bacik +Fixes: 429a787be679 ("nbd: fix use-after-free of rq/bio in the xmit path") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 4d30da269060..42a53956aefe 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -269,7 +269,7 @@ static inline int sock_send_bvec(struct nbd_device *nbd, struct bio_vec *bvec, + static int nbd_send_cmd(struct nbd_device *nbd, struct nbd_cmd *cmd) + { + struct request *req = blk_mq_rq_from_pdu(cmd); +- int result, flags; ++ int result; + struct nbd_request request; + unsigned long size = blk_rq_bytes(req); + struct bio *bio; +@@ -309,7 +309,6 @@ static int nbd_send_cmd(struct nbd_device *nbd, struct nbd_cmd *cmd) + if (type != NBD_CMD_WRITE) + return 0; + +- flags = 0; + bio = req->bio; + while (bio) { + struct bio *next = bio->bi_next; +@@ -318,9 +317,8 @@ static int nbd_send_cmd(struct nbd_device *nbd, struct nbd_cmd *cmd) + + bio_for_each_segment(bvec, bio, iter) { + bool is_last = !next && bio_iter_last(bvec, iter); ++ int flags = is_last ? 0 : MSG_MORE; + +- if (is_last) +- flags = MSG_MORE; + dev_dbg(nbd_to_dev(nbd), "request %p: sending %d bytes data\n", + cmd, bvec.bv_len); + result = sock_send_bvec(nbd, &bvec, flags); +-- +2.17.1 + 
diff --git a/queue-4.9/net-cdc_ncm-getntbformat-endian-fix.patch b/queue-4.9/net-cdc_ncm-getntbformat-endian-fix.patch new file mode 100644 index 00000000000..7acec4a8d16 --- /dev/null +++ b/queue-4.9/net-cdc_ncm-getntbformat-endian-fix.patch 
@@ -0,0 +1,55 @@ +From 56314bef3a6756dbcfa44078b37a214d3b1eedd9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Wed, 15 Nov 2017 09:35:02 +0100 +Subject: net: cdc_ncm: GetNtbFormat endian fix +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 6314dab4b8fb8493d810e175cb340376052c69b6 ] + +The GetNtbFormat and SetNtbFormat requests operate on 16 bit little +endian values. We get away with ignoring this most of the time, because +we only care about USB_CDC_NCM_NTB16_FORMAT which is 0x0000. This +fails for USB_CDC_NCM_NTB32_FORMAT. + +Fix comparison between LE value from device and constant by converting +the constant to LE. + +Reported-by: Ben Hutchings +Fixes: 2b02c20ce0c2 ("cdc_ncm: Set NTB format again after altsetting switch for Huawei devices") +Cc: Enrico Mioso +Cc: Christian Panton +Signed-off-by: Bjørn Mork +Acked-By: Enrico Mioso +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_ncm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index 3086cae62fdc..7b158674ceed 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -772,7 +772,7 @@ int cdc_ncm_bind_common(struct usbnet *dev, struct usb_interface *intf, u8 data_ + int err; + u8 iface_no; + struct usb_cdc_parsed_header hdr; +- u16 curr_ntb_format; ++ __le16 curr_ntb_format; + + ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); + if (!ctx) +@@ -890,7 +890,7 @@ int cdc_ncm_bind_common(struct usbnet *dev, struct usb_interface *intf, u8 data_ + goto error2; + } + +- if (curr_ntb_format == USB_CDC_NCM_NTB32_FORMAT) { ++ if (curr_ntb_format == cpu_to_le16(USB_CDC_NCM_NTB32_FORMAT)) { + dev_info(&intf->dev, "resetting NTB format to 16-bit"); + err = usbnet_write_cmd(dev, USB_CDC_SET_NTB_FORMAT, + USB_TYPE_CLASS | USB_DIR_OUT +-- +2.17.1 + 
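Review bot: in cdc_ncm_bind_common() the fix relies on `curr_ntb_format` being treated as wire-order data at every use, and only the one comparison is visible in this hunk. With the variable now typed `__le16`, please confirm the file is clean under sparse endian checking so that any remaining use of it as a CPU-order value is flagged at build time rather than found on a big-endian host. Minor style point on the context line: `dev_info(&intf->dev, "resetting NTB format to 16-bit");` has no trailing newline in the format string.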
diff --git a/queue-4.9/net-cxgb3_main-fix-a-missing-check-bug.patch b/queue-4.9/net-cxgb3_main-fix-a-missing-check-bug.patch new file mode 100644 index 00000000000..12ded37e4b6 --- /dev/null +++ b/queue-4.9/net-cxgb3_main-fix-a-missing-check-bug.patch 
@@ -0,0 +1,111 @@ +From adb99f7e0d4ff306713c969a8c6d062a9680b2ce Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Fri, 5 Oct 2018 08:48:27 -0500 +Subject: net: cxgb3_main: fix a missing-check bug + +[ Upstream commit 2c05d88818ab6571816b93edce4d53703870d7ae ] + +In cxgb_extension_ioctl(), the command of the ioctl is firstly copied from +the user-space buffer 'useraddr' to 'cmd' and checked through the +switch statement. If the command is not as expected, an error code +EOPNOTSUPP is returned. In the following execution, i.e., the cases of the +switch statement, the whole buffer of 'useraddr' is copied again to a +specific data structure, according to what kind of command is requested. +However, after the second copy, there is no re-check on the newly-copied +command. Given that the buffer 'useraddr' is in the user space, a malicious +user can race to change the command between the two copies. By doing so, +the attacker can supply malicious data to the kernel and cause undefined +behavior. + +This patch adds a re-check in each case of the switch statement if there is +a second copy in that case, to re-check whether the command obtained in the +second copy is the same as the one in the first copy. If not, an error code +EINVAL is returned. + +Signed-off-by: Wenwen Wang +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +index dc0efbd91c32..ddd1ec8f7bd0 100644 +--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +@@ -2150,6 +2150,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + return -EPERM; + if (copy_from_user(&t, useraddr, sizeof(t))) + return -EFAULT; ++ if (t.cmd != CHELSIO_SET_QSET_PARAMS) ++ return -EINVAL; + if (t.qset_idx >= SGE_QSETS) + return -EINVAL; + if (!in_range(t.intr_lat, 0, M_NEWTIMER) || +@@ -2249,6 +2251,9 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + if (copy_from_user(&t, useraddr, sizeof(t))) + return -EFAULT; + ++ if (t.cmd != CHELSIO_GET_QSET_PARAMS) ++ return -EINVAL; ++ + /* Display qsets for all ports when offload enabled */ + if (test_bit(OFFLOAD_DEVMAP_BIT, &adapter->open_device_map)) { + q1 = 0; +@@ -2294,6 +2299,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + return -EBUSY; + if (copy_from_user(&edata, useraddr, sizeof(edata))) + return -EFAULT; ++ if (edata.cmd != CHELSIO_SET_QSET_NUM) ++ return -EINVAL; + if (edata.val < 1 || + (edata.val > 1 && !(adapter->flags & USING_MSIX))) + return -EINVAL; +@@ -2334,6 +2341,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + return -EPERM; + if (copy_from_user(&t, useraddr, sizeof(t))) + return -EFAULT; ++ if (t.cmd != CHELSIO_LOAD_FW) ++ return -EINVAL; + /* Check t.len sanity ? 
*/ + fw_data = memdup_user(useraddr + sizeof(t), t.len); + if (IS_ERR(fw_data)) +@@ -2357,6 +2366,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + return -EBUSY; + if (copy_from_user(&m, useraddr, sizeof(m))) + return -EFAULT; ++ if (m.cmd != CHELSIO_SETMTUTAB) ++ return -EINVAL; + if (m.nmtus != NMTUS) + return -EINVAL; + if (m.mtus[0] < 81) /* accommodate SACK */ +@@ -2398,6 +2409,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + return -EBUSY; + if (copy_from_user(&m, useraddr, sizeof(m))) + return -EFAULT; ++ if (m.cmd != CHELSIO_SET_PM) ++ return -EINVAL; + if (!is_power_of_2(m.rx_pg_sz) || + !is_power_of_2(m.tx_pg_sz)) + return -EINVAL; /* not power of 2 */ +@@ -2431,6 +2444,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + return -EIO; /* need the memory controllers */ + if (copy_from_user(&t, useraddr, sizeof(t))) + return -EFAULT; ++ if (t.cmd != CHELSIO_GET_MEM) ++ return -EINVAL; + if ((t.addr & 7) || (t.len & 7)) + return -EINVAL; + if (t.mem_id == MEM_CM) +@@ -2483,6 +2498,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + return -EAGAIN; + if (copy_from_user(&t, useraddr, sizeof(t))) + return -EFAULT; ++ if (t.cmd != CHELSIO_SET_TRACE_FILTER) ++ return -EINVAL; + + tp = (const struct trace_params *)&t.sip; + if (t.config_tx) +-- +2.17.1 + diff --git a/queue-4.9/net-ena-fix-null-dereference-due-to-untimely-napi-in.patch b/queue-4.9/net-ena-fix-null-dereference-due-to-untimely-napi-in.patch new file mode 100644 index 00000000000..fc6f3d92c60 --- /dev/null +++ b/queue-4.9/net-ena-fix-null-dereference-due-to-untimely-napi-in.patch 
@@ -0,0 +1,50 @@ +From 19abf6728e9618986b7f8efd6595330cb77b575d Mon Sep 17 00:00:00 2001 +From: Arthur Kiyanovski +Date: Tue, 9 Oct 2018 11:21:29 +0300 +Subject: net: ena: fix NULL dereference due to untimely napi initialization + +[ Upstream commit 78a55d05def95144ca5fa9a64c49b2a0636a9866 ] + +napi poll functions should be initialized before running request_irq(), +to handle a rare condition where there is a pending interrupt, causing +the ISR to fire immediately while the poll function wasn't set yet, +causing a NULL dereference. + +Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)") +Signed-off-by: Arthur Kiyanovski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c +index 1d92e034febc..0c298878bf46 100644 +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -1482,8 +1482,6 @@ static int ena_up_complete(struct ena_adapter *adapter) + if (rc) + return rc; + +- ena_init_napi(adapter); +- + ena_change_mtu(adapter->netdev, adapter->netdev->mtu); + + ena_refill_all_rx_bufs(adapter); +@@ -1643,6 +1641,13 @@ static int ena_up(struct ena_adapter *adapter) + + ena_setup_io_intr(adapter); + ++ /* napi poll functions should be initialized before running ++ * request_irq(), to handle a rare condition where there is a pending ++ * interrupt, causing the ISR to fire immediately while the poll ++ * function wasn't set yet, causing a null dereference ++ */ ++ ena_init_napi(adapter); ++ + rc = ena_request_io_irq(adapter); + if (rc) + goto err_req_irq; +-- +2.17.1 + 
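Review bot: In the CHELSIO_LOAD_FW case of cxgb_extension_ioctl() (drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c), the added "t.cmd != CHELSIO_LOAD_FW" re-check sits directly above the existing "/* Check t.len sanity ? */" comment, and t.len from that same user copy still goes unbounded into memdup_user(useraddr + sizeof(t), t.len). The re-check covers only the command field of the second copy. The length wants an upper bound before the allocation, or the commit message should say that the open question in that comment is deliberately left for a separate patch.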
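Review bot: With ena_init_napi(adapter) moved ahead of ena_request_io_irq(adapter) in ena_up() (drivers/net/ethernet/amazon/ena/ena_netdev.c), a failure that takes "goto err_req_irq" now leaves the napi contexts initialized, where before the move they did not exist yet at that point. The hunk does not show the err_req_irq label, so please confirm that this path and the later error labels remove them, or add the teardown. The added comment block also repeats the commit message almost word for word; one line saying the poll function must be set before the IRQ can fire would be enough.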
diff --git a/queue-4.9/net-ethernet-stmmac-fix-altr_tse_pcs-sgmii-initializ.patch b/queue-4.9/net-ethernet-stmmac-fix-altr_tse_pcs-sgmii-initializ.patch new file mode 100644 index 00000000000..17a99db2138 --- /dev/null +++ b/queue-4.9/net-ethernet-stmmac-fix-altr_tse_pcs-sgmii-initializ.patch 
@@ -0,0 +1,52 @@ +From bc905d73e734588d2e8108d23c664fc5fe56dfe4 Mon Sep 17 00:00:00 2001 +From: Thor Thayer +Date: Wed, 31 May 2017 14:28:47 -0500 +Subject: net: ethernet: stmmac: Fix altr_tse_pcs SGMII Initialization + +[ Upstream commit 77032732d0e89b83c3bca75b857a1f63e9efb44b ] + +Fix NETDEV WATCHDOG timeout on startup by adding missing register +writes that properly setup SGMII. + +Signed-off-by: Thor Thayer +Acked-by: Giuseppe Cavallaro +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.c b/drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.c +index 489ef146201e..6a9c954492f2 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.c ++++ b/drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.c +@@ -37,6 +37,7 @@ + #define TSE_PCS_CONTROL_AN_EN_MASK BIT(12) + #define TSE_PCS_CONTROL_REG 0x00 + #define TSE_PCS_CONTROL_RESTART_AN_MASK BIT(9) ++#define TSE_PCS_CTRL_AUTONEG_SGMII 0x1140 + #define TSE_PCS_IF_MODE_REG 0x28 + #define TSE_PCS_LINK_TIMER_0_REG 0x24 + #define TSE_PCS_LINK_TIMER_1_REG 0x26 +@@ -65,6 +66,7 @@ + #define TSE_PCS_SW_RESET_TIMEOUT 100 + #define TSE_PCS_USE_SGMII_AN_MASK BIT(1) + #define TSE_PCS_USE_SGMII_ENA BIT(0) ++#define TSE_PCS_IF_USE_SGMII 0x03 + + #define SGMII_ADAPTER_CTRL_REG 0x00 + #define SGMII_ADAPTER_DISABLE 0x0001 +@@ -101,7 +103,9 @@ int tse_pcs_init(void __iomem *base, struct tse_pcs *pcs) + { + int ret = 0; + +- writew(TSE_PCS_USE_SGMII_ENA, base + TSE_PCS_IF_MODE_REG); ++ writew(TSE_PCS_IF_USE_SGMII, base + TSE_PCS_IF_MODE_REG); ++ ++ writew(TSE_PCS_CTRL_AUTONEG_SGMII, base + TSE_PCS_CONTROL_REG); + + writew(TSE_PCS_SGMII_LINK_TIMER_0, base + TSE_PCS_LINK_TIMER_0_REG); + writew(TSE_PCS_SGMII_LINK_TIMER_1, base + TSE_PCS_LINK_TIMER_1_REG); +-- +2.17.1 + 
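Review bot: The two new defines in altr_tse_pcs.c are raw magic numbers placed next to bit definitions that already describe them. TSE_PCS_IF_USE_SGMII (0x03) is TSE_PCS_USE_SGMII_AN_MASK | TSE_PCS_USE_SGMII_ENA, that is BIT(1) | BIT(0), and TSE_PCS_CTRL_AUTONEG_SGMII (0x1140) includes TSE_PCS_CONTROL_AN_EN_MASK, BIT(12), plus two bits (0x0100 and 0x0040) that have no name in the visible defines. Building both values from named bits, and naming the two missing ones, would document what tse_pcs_init() now writes to TSE_PCS_IF_MODE_REG and TSE_PCS_CONTROL_REG; the commit message only says "missing register writes".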
diff --git a/queue-4.9/net-fec-fix-rare-tx-timeout.patch b/queue-4.9/net-fec-fix-rare-tx-timeout.patch new file mode 100644 index 00000000000..427fb73fd0f --- /dev/null +++ b/queue-4.9/net-fec-fix-rare-tx-timeout.patch 
@@ -0,0 +1,66 @@ +From 01a066921f495d77c6a3d3f27d8db2a648a893bd Mon Sep 17 00:00:00 2001 +From: Rickard x Andersson +Date: Tue, 2 Oct 2018 14:49:32 +0200 +Subject: net: fec: fix rare tx timeout + +[ Upstream commit 657ade07df72847f591ccdb36bd9b91ed0edbac3 ] + +During certain heavy network loads TX could time out +with TX ring dump. +TX is sometimes never restarted after reaching +"tx_stop_threshold" because function "fec_enet_tx_queue" +only tests the first queue. + +In addition the TX timeout callback function failed to +recover because it also operated only on the first queue. + +Signed-off-by: Rickard x Andersson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index fe00f71bc6b4..051ecc76a7ef 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -1152,7 +1152,7 @@ static void fec_enet_timeout_work(struct work_struct *work) + napi_disable(&fep->napi); + netif_tx_lock_bh(ndev); + fec_restart(ndev); +- netif_wake_queue(ndev); ++ netif_tx_wake_all_queues(ndev); + netif_tx_unlock_bh(ndev); + napi_enable(&fep->napi); + } +@@ -1267,7 +1267,7 @@ skb_done: + + /* Since we have freed up a buffer, the ring is no longer full + */ +- if (netif_queue_stopped(ndev)) { ++ if (netif_tx_queue_stopped(nq)) { + entries_free = fec_enet_get_free_txdesc_num(txq); + if (entries_free >= txq->tx_wake_threshold) + netif_tx_wake_queue(nq); +@@ -1744,7 +1744,7 @@ static void fec_enet_adjust_link(struct net_device *ndev) + napi_disable(&fep->napi); + netif_tx_lock_bh(ndev); + fec_restart(ndev); +- netif_wake_queue(ndev); ++ netif_tx_wake_all_queues(ndev); + netif_tx_unlock_bh(ndev); + napi_enable(&fep->napi); + } +@@ -2247,7 +2247,7 @@ static int fec_enet_set_pauseparam(struct net_device *ndev, + 
napi_disable(&fep->napi); + netif_tx_lock_bh(ndev); + fec_restart(ndev); +- netif_wake_queue(ndev); ++ netif_tx_wake_all_queues(ndev); + netif_tx_unlock_bh(ndev); + napi_enable(&fep->napi); + } +-- +2.17.1 + diff --git a/queue-4.9/net-macb-clean-64b-dma-addresses-if-they-are-not-det.patch b/queue-4.9/net-macb-clean-64b-dma-addresses-if-they-are-not-det.patch new file mode 100644 index 00000000000..15ac9ffe0b7 --- /dev/null +++ b/queue-4.9/net-macb-clean-64b-dma-addresses-if-they-are-not-det.patch @@ -0,0 +1,37 @@ +From 15114ba0d155d4e84d176aad4b6d76c866bce289 Mon Sep 17 00:00:00 2001 +From: Michal Simek +Date: Tue, 25 Sep 2018 08:32:50 +0200 +Subject: net: macb: Clean 64b dma addresses if they are not detected + +[ Upstream commit e1e5d8a9fe737d94ccc0ccbaf0c97f69a8f3e000 ] + +Clear ADDR64 dma bit in DMACFG register in case that HW_DMA_CAP_64B is +not detected on 64bit system. +The issue was observed when bootloader(u-boot) does not check macb +feature at DCFG6 register (DAW64_OFFSET) and enabling 64bit dma support +by default. Then macb driver is reading DMACFG register back and only +adding 64bit dma configuration but not cleaning it out. + +Signed-off-by: Michal Simek +Acked-by: Nicolas Ferre +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/cadence/macb.c b/drivers/net/ethernet/cadence/macb.c +index 8f55c23e9821..a0d640243df2 100644 +--- a/drivers/net/ethernet/cadence/macb.c ++++ b/drivers/net/ethernet/cadence/macb.c +@@ -1737,6 +1737,7 @@ static void macb_configure_dma(struct macb *bp) + else + dmacfg &= ~GEM_BIT(TXCOEN); + ++ dmacfg &= ~GEM_BIT(ADDR64); + #ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT + dmacfg |= GEM_BIT(ADDR64); + #endif +-- +2.17.1 + 
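Review bot: The same restart sequence (napi_disable, netif_tx_lock_bh, fec_restart, wake, netif_tx_unlock_bh, napi_enable) is patched identically in fec_enet_timeout_work(), fec_enet_adjust_link() and fec_enet_set_pauseparam() in drivers/net/ethernet/freescale/fec_main.c, which is how the single-queue netif_wake_queue(ndev) call survived in three places. Factoring the sequence into one helper would keep the next multi-queue fix to a single line. The commit message also carries no Fixes: tag, so the patch does not show which kernels have the first-queue-only test at skb_done.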
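Review bot: In macb_configure_dma() (drivers/net/ethernet/cadence/macb.c) the added "dmacfg &= ~GEM_BIT(ADDR64);" is followed immediately by an unconditional "dmacfg |= GEM_BIT(ADDR64);" under #ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT, so on any build with that option the clear has no effect. The commit message describes the case where HW_DMA_CAP_64B is not detected on a 64-bit system, but no hardware capability test is visible in this hunk. As queued for 4.9, either the set needs to be made conditional on the detected capability, or the message should say that the fix only helps builds without a 64-bit dma_addr_t.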
diff --git a/queue-4.9/net-mlx5-fix-command-completion-after-timeout-access.patch b/queue-4.9/net-mlx5-fix-command-completion-after-timeout-access.patch new file mode 100644 index 00000000000..639b739d168 --- /dev/null +++ b/queue-4.9/net-mlx5-fix-command-completion-after-timeout-access.patch 
@@ -0,0 +1,55 @@ +From 9568c3b802edd008b90bff80e097b4883b0b79c8 Mon Sep 17 00:00:00 2001 +From: Moshe Shemesh +Date: Thu, 6 Jul 2017 15:48:40 +0300 +Subject: net/mlx5: Fix command completion after timeout access invalid + structure + +[ Upstream commit 061870800efb4e3d1ad4082a2569363629bdfcfc ] + +Completion on timeout should not free the driver command entry structure +as it will need to access it again once real completion event from FW +will occur. + +Fixes: 73dd3a4839c1 ('net/mlx5: Avoid using pending command interface slots') +Signed-off-by: Moshe Shemesh +Cc: kernel-team@fb.com +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index 9680c8805178..1d5263c46eee 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -965,7 +965,7 @@ static int mlx5_cmd_invoke(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *in, + + err = wait_func(dev, ent); + if (err == -ETIMEDOUT) +- goto out_free; ++ goto out; + + ds = ent->ts2 - ent->ts1; + op = MLX5_GET(mbox_in, in->first.data, opcode); +@@ -1428,6 +1428,7 @@ void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool forced) + mlx5_core_err(dev, "Command completion arrived after timeout (entry idx = %d).\n", + ent->idx); + free_ent(cmd, ent->idx); ++ free_cmd(ent); + } + continue; + } +@@ -1486,7 +1487,8 @@ void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool forced) + free_msg(dev, ent->in); + + err = err ? err : ent->status; +- free_cmd(ent); ++ if (!forced) ++ free_cmd(ent); + callback(err, context); + } else { + complete(&ent->done); +-- +2.17.1 + 
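Review bot: After the change in mlx5_cmd_invoke() (goto out instead of goto out_free on -ETIMEDOUT), the command entry is released only if the firmware completion eventually arrives and mlx5_cmd_comp_handler() reaches the added free_cmd(ent) in the "Command completion arrived after timeout" branch. If that completion never comes, nothing visible in these hunks frees the entry. The "if (!forced) free_cmd(ent);" guard in the callback path raises the same ownership question and has no comment saying who frees the entry on a forced completion. A short comment at each of the three sites stating which path owns ent would make the lifetime reviewable and would show whether the never-completed case is an accepted leak.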
diff --git a/queue-4.9/net-mlx5-fix-driver-load-error-flow-when-firmware-is.patch b/queue-4.9/net-mlx5-fix-driver-load-error-flow-when-firmware-is.patch new file mode 100644 index 00000000000..0df71869c68 --- /dev/null +++ b/queue-4.9/net-mlx5-fix-driver-load-error-flow-when-firmware-is.patch @@ -0,0 +1,34 @@ +From c378e6f55b462eea331bceae5e996e5e386babc4 Mon Sep 17 00:00:00 2001 +From: Gal Pressman +Date: Mon, 19 Jun 2017 18:25:59 +0300 +Subject: net/mlx5: Fix driver load error flow when firmware is stuck + +[ Upstream commit 8ce59b16b4b6eacedaec1f7b652b4781cdbfe15f ] + +When wait for firmware init fails, previous code would mistakenly +return success and cause inconsistency in the driver state. + +Fixes: 6c780a0267b8 ("net/mlx5: Wait for FW readiness before initializing command interface") +Signed-off-by: Gal Pressman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index 6698a3a07406..d676088512cf 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -957,7 +957,7 @@ static int mlx5_load_one(struct mlx5_core_dev *dev, struct mlx5_priv *priv, + if (err) { + dev_err(&dev->pdev->dev, "Firmware over %d MS in pre-initializing state, aborting\n", + FW_PRE_INIT_TIMEOUT_MILI); +- goto out; ++ goto out_err; + } + + err = mlx5_cmd_init(dev); +-- +2.17.1 + diff --git a/queue-4.9/net-mlx5-fix-health-work-queue-spin-lock-to-irq-safe.patch b/queue-4.9/net-mlx5-fix-health-work-queue-spin-lock-to-irq-safe.patch new file mode 100644 index 00000000000..a50d8e6449c --- /dev/null +++ b/queue-4.9/net-mlx5-fix-health-work-queue-spin-lock-to-irq-safe.patch 
@@ -0,0 +1,52 @@ +From 770fed98b3be8bd97cceff3ccc08464dbcd21e7b Mon Sep 17 00:00:00 2001 +From: Moshe Shemesh +Date: Thu, 19 Oct 2017 14:14:29 +0300 +Subject: net/mlx5: Fix health work queue spin lock to IRQ safe + +[ Upstream commit 6377ed0bbae6fa28853e1679d068a9106c8a8908 ] + +spin_lock/unlock of health->wq_lock should be IRQ safe. +It was changed to spin_lock_irqsave since adding commit 0179720d6be2 +("net/mlx5: Introduce trigger_health_work function") which uses +spin_lock from asynchronous event (IRQ) context. +Thus, all spin_lock/unlock of health->wq_lock should have been moved +to IRQ safe mode. +However, one occurrence on new code using this lock missed that +change, resulting in possible deadlock: + kernel: Possible unsafe locking scenario: + kernel: CPU0 + kernel: ---- + kernel: lock(&(&health->wq_lock)->rlock); + kernel: + kernel: lock(&(&health->wq_lock)->rlock); + kernel: #012 *** DEADLOCK *** + +Fixes: 2a0165a034ac ("net/mlx5: Cancel delayed recovery work when unloading the driver") +Signed-off-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/health.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/health.c b/drivers/net/ethernet/mellanox/mlx5/core/health.c +index 448e71e07668..264f51b3409d 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/health.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/health.c +@@ -369,10 +369,11 @@ void mlx5_drain_health_wq(struct mlx5_core_dev *dev) + void mlx5_drain_health_recovery(struct mlx5_core_dev *dev) + { + struct mlx5_core_health *health = &dev->priv.health; ++ unsigned long flags; + +- spin_lock(&health->wq_lock); ++ spin_lock_irqsave(&health->wq_lock, flags); + set_bit(MLX5_DROP_NEW_RECOVERY_WORK, &health->flags); +- spin_unlock(&health->wq_lock); ++ spin_unlock_irqrestore(&health->wq_lock, flags); + cancel_delayed_work_sync(&dev->priv.health.recover_work); + } + +-- 
+2.17.1 + diff --git a/queue-4.9/net-mlx5e-fix-fixpoint-divide-exception-in-mlx5e_am_.patch b/queue-4.9/net-mlx5e-fix-fixpoint-divide-exception-in-mlx5e_am_.patch new file mode 100644 index 00000000000..504743dfd5b --- /dev/null +++ b/queue-4.9/net-mlx5e-fix-fixpoint-divide-exception-in-mlx5e_am_.patch 
@@ -0,0 +1,49 @@ +From 7701389304957cf25e1fcb2adf10bc6eb49de690 Mon Sep 17 00:00:00 2001 +From: Talat Batheesh +Date: Sun, 21 Jan 2018 05:30:42 +0200 +Subject: net/mlx5e: Fix fixpoint divide exception in mlx5e_am_stats_compare + +[ Upstream commit e58edaa4863583b54409444f11b4f80dff0af1cd ] + +Helmut reported a bug about division by zero while +running traffic and doing physical cable pull test. + +When the cable unplugged the ppms become zero, so when +dividing the current ppms by the previous ppms in the +next dim iteration there is division by zero. + +This patch prevent this division for both ppms and epms. + +Fixes: c3164d2fc48f ("net/mlx5e: Added BW check for DIM decision mechanism") +Reported-by: Helmut Grauer +Signed-off-by: Talat Batheesh +Signed-off-by: Saeed Mahameed +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rx_am.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx_am.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx_am.c +index 23ccec4cb7f5..a1f3556307c7 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx_am.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx_am.c +@@ -197,9 +197,15 @@ static int mlx5e_am_stats_compare(struct mlx5e_rx_am_stats *curr, + return (curr->bpms > prev->bpms) ? MLX5E_AM_STATS_BETTER : + MLX5E_AM_STATS_WORSE; + ++ if (!prev->ppms) ++ return curr->ppms ? MLX5E_AM_STATS_BETTER : ++ MLX5E_AM_STATS_SAME; ++ + if (IS_SIGNIFICANT_DIFF(curr->ppms, prev->ppms)) + return (curr->ppms > prev->ppms) ? MLX5E_AM_STATS_BETTER : + MLX5E_AM_STATS_WORSE; ++ if (!prev->epms) ++ return MLX5E_AM_STATS_SAME; + + if (IS_SIGNIFICANT_DIFF(curr->epms, prev->epms)) + return (curr->epms < prev->epms) ? MLX5E_AM_STATS_BETTER : +-- +2.17.1 + 
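Review bot: The two added guards in mlx5e_am_stats_compare() (drivers/net/ethernet/mellanox/mlx5/core/en_rx_am.c) treat a zero previous sample differently without saying why: "if (!prev->ppms)" returns MLX5E_AM_STATS_BETTER when curr->ppms is non-zero, while "if (!prev->epms)" always returns MLX5E_AM_STATS_SAME. If the asymmetry is intended, because a rise in events from zero should not count as better or worse, it deserves a one-line comment at the epms check; the commit message only says the division is prevented for both. The epms guard is also missing the blank line that separates every other comparison block in the function.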
diff --git a/queue-4.9/net-phy-marvell-limit-88m1101-autoneg-errata-to-88e1.patch b/queue-4.9/net-phy-marvell-limit-88m1101-autoneg-errata-to-88e1.patch new file mode 100644 index 00000000000..c3328f75d42 --- /dev/null +++ b/queue-4.9/net-phy-marvell-limit-88m1101-autoneg-errata-to-88e1.patch @@ -0,0 +1,33 @@ +From 4385b787af4bdeb253fed5d7f59e6b91eb7b66ba Mon Sep 17 00:00:00 2001 +From: Zhao Qiang +Date: Mon, 18 Dec 2017 10:26:43 +0800 +Subject: net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as well. + +[ Upstream commit c505873eaece2b4aefd07d339dc7e1400e0235ac ] + +88E1145 also need this autoneg errata. + +Fixes: f2899788353c ("net: phy: marvell: Limit errata to 88m1101") +Signed-off-by: Zhao Qiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/marvell.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/phy/marvell.c b/drivers/net/phy/marvell.c +index c60c147708c4..520352327104 100644 +--- a/drivers/net/phy/marvell.c ++++ b/drivers/net/phy/marvell.c +@@ -1610,7 +1610,7 @@ static struct phy_driver marvell_drivers[] = { + .flags = PHY_HAS_INTERRUPT, + .probe = marvell_probe, + .config_init = &m88e1145_config_init, +- .config_aneg = &marvell_config_aneg, ++ .config_aneg = &m88e1101_config_aneg, + .read_status = &genphy_read_status, + .ack_interrupt = &marvell_ack_interrupt, + .config_intr = &marvell_config_intr, +-- +2.17.1 + diff --git a/queue-4.9/net-stmmac-ensure-jumbo_frm-error-return-is-correctl.patch b/queue-4.9/net-stmmac-ensure-jumbo_frm-error-return-is-correctl.patch new file mode 100644 index 00000000000..0706e994878 --- /dev/null +++ b/queue-4.9/net-stmmac-ensure-jumbo_frm-error-return-is-correctl.patch 
@@ -0,0 +1,38 @@ +From 60f95b86dc5ea8a30f8a5738bfdef9d22456f5e1 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Mon, 5 Jun 2017 10:04:52 +0100 +Subject: net: stmmac: ensure jumbo_frm error return is correctly checked for + -ve value + +[ Upstream commit 594238158bf748c285f0a73222cd9b7ccf3c525d ] + +The current comparison of entry < 0 will never be true since entry is an +unsigned integer. Make entry an int to ensure -ve error return values +from the call to jumbo_frm are correctly being caught. + +Detected by CoverityScan, CID#1238760 ("Macro compares unsigned to 0") + +Signed-off-by: Colin Ian King +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 0df71865fab1..65ed02bc3ea3 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -2199,7 +2199,8 @@ static netdev_tx_t stmmac_xmit(struct sk_buff *skb, struct net_device *dev) + unsigned int nopaged_len = skb_headlen(skb); + int i, csum_insertion = 0, is_jumbo = 0; + int nfrags = skb_shinfo(skb)->nr_frags; +- unsigned int entry, first_entry; ++ int entry; ++ unsigned int first_entry; + struct dma_desc *desc, *first; + unsigned int enh_desc; + unsigned int des; +-- +2.17.1 + diff --git a/queue-4.9/nl80211-fix-possible-spectre-v1-for-nl80211_txrate_h.patch b/queue-4.9/nl80211-fix-possible-spectre-v1-for-nl80211_txrate_h.patch new file mode 100644 index 00000000000..2ef63327ccb --- /dev/null +++ b/queue-4.9/nl80211-fix-possible-spectre-v1-for-nl80211_txrate_h.patch 
@@ -0,0 +1,31 @@ +From 0e13cd3fcc708c464bb514d2c5cfd50d85bea9ad Mon Sep 17 00:00:00 2001 +From: Masashi Honma +Date: Tue, 25 Sep 2018 11:15:00 +0900 +Subject: nl80211: Fix possible Spectre-v1 for NL80211_TXRATE_HT + +[ Upstream commit 30fe6d50eb088783c8729c7d930f65296b2b3fa7 ] + +Use array_index_nospec() to sanitize ridx with respect to speculation. + +Signed-off-by: Masashi Honma +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 0e91ec49d3da..549d0a4083b3 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -3422,6 +3422,7 @@ static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband, + return false; + + /* check availability */ ++ ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN); + if (sband->ht_cap.mcs.rx_mask[ridx] & rbit) + mcs[ridx] |= rbit; + else +-- +2.17.1 + diff --git a/queue-4.9/nvme-pci-fix-cmb-sysfs-file-removal-in-reset-path.patch b/queue-4.9/nvme-pci-fix-cmb-sysfs-file-removal-in-reset-path.patch new file mode 100644 index 00000000000..8adce6a0172 --- /dev/null +++ b/queue-4.9/nvme-pci-fix-cmb-sysfs-file-removal-in-reset-path.patch 
@@ -0,0 +1,64 @@ +From c214cd976c1c55011a712567e41486ba210b07c3 Mon Sep 17 00:00:00 2001 +From: Max Gurtovoy +Date: Sun, 30 Jul 2017 01:45:08 +0300 +Subject: nvme-pci: fix CMB sysfs file removal in reset path + +[ Upstream commit 1c78f7735b2bdd0afbe5d14c5c8b6d8d381b6f13 ] + +Currently we create the sysfs entry even if we fail mapping +it. In that case, the unmapping will not remove the sysfs created +file. There is no good reason to create a sysfs entry for a non +working CMB and show his characteristics. + +Fixes: f63572dff ("nvme: unmap CMB and remove sysfs file in reset path") +Signed-off-by: Max Gurtovoy +Reviewed-by: Stephen Bates +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 18 +++++++----------- + 1 file changed, 7 insertions(+), 11 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index fadf151ce830..1ac4cec5f4f7 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1393,11 +1393,9 @@ static inline void nvme_release_cmb(struct nvme_dev *dev) + if (dev->cmb) { + iounmap(dev->cmb); + dev->cmb = NULL; +- if (dev->cmbsz) { +- sysfs_remove_file_from_group(&dev->ctrl.device->kobj, +- &dev_attr_cmb.attr, NULL); +- dev->cmbsz = 0; +- } ++ sysfs_remove_file_from_group(&dev->ctrl.device->kobj, ++ &dev_attr_cmb.attr, NULL); ++ dev->cmbsz = 0; + } + } + +@@ -1632,16 +1630,14 @@ static int nvme_pci_enable(struct nvme_dev *dev) + + /* + * CMBs can currently only exist on >=1.2 PCIe devices. We only +- * populate sysfs if a CMB is implemented. Note that we add the +- * CMB attribute to the nvme_ctrl kobj which removes the need to remove +- * it on exit. Since nvme_dev_attrs_group has no name we can pass +- * NULL as final argument to sysfs_add_file_to_group. ++ * populate sysfs if a CMB is implemented. Since nvme_dev_attrs_group ++ * has no name we can pass NULL as final argument to ++ * sysfs_add_file_to_group. 
+ */ + + if (readl(dev->bar + NVME_REG_VS) >= NVME_VS(1, 2, 0)) { + dev->cmb = nvme_map_cmb(dev); +- +- if (dev->cmbsz) { ++ if (dev->cmb) { + if (sysfs_add_file_to_group(&dev->ctrl.device->kobj, + &dev_attr_cmb.attr, NULL)) + dev_warn(dev->dev, +-- +2.17.1 + diff --git a/queue-4.9/nvmet-fix-space-padding-in-serial-number.patch b/queue-4.9/nvmet-fix-space-padding-in-serial-number.patch new file mode 100644 index 00000000000..57ae80e2aa9 --- /dev/null +++ b/queue-4.9/nvmet-fix-space-padding-in-serial-number.patch 
@@ -0,0 +1,39 @@ +From 4eb12277cfae0de4b6c436f58bbebb264803b19e Mon Sep 17 00:00:00 2001 +From: Daniel Verkamp +Date: Thu, 12 Apr 2018 09:16:13 -0600 +Subject: nvmet: fix space padding in serial number + +[ Upstream commit c73996984902516745bc587d5e8a0b2e034aea05 ] + +Commit 42de82a8b544 previously attempted to fix this, and it did +correctly pad the MN and FR fields with spaces, but the SN field still +contains 0 bytes. The current code fills out the first 16 bytes with +hex2bin, leaving the last 4 bytes zeroed. Rather than adding a lot of +error-prone math to avoid overwriting SN twice, just set the whole thing +to spaces up front (it's only 20 bytes). + +Fixes: 42de82a8b544 ("nvmet: don't report 0-bytes in serial number") +Signed-off-by: Daniel Verkamp +Reviewed-by: Martin Wilck +Signed-off-by: Keith Busch +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/admin-cmd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nvme/target/admin-cmd.c b/drivers/nvme/target/admin-cmd.c +index 2caed285fd7b..cdb7752dcbb7 100644 +--- a/drivers/nvme/target/admin-cmd.c ++++ b/drivers/nvme/target/admin-cmd.c +@@ -192,6 +192,7 @@ static void nvmet_execute_identify_ctrl(struct nvmet_req *req) + id->vid = 0; + id->ssvid = 0; + ++ memset(id->sn, ' ', sizeof(id->sn)); + bin2hex(id->sn, &ctrl->subsys->serial, + min(sizeof(ctrl->subsys->serial), sizeof(id->sn) / 2)); + copy_and_pad(id->mn, sizeof(id->mn), model, sizeof(model) - 1); +-- +2.17.1 + diff --git a/queue-4.9/ocfs2-fix-deadlock-caused-by-recursive-locking-in-xa.patch b/queue-4.9/ocfs2-fix-deadlock-caused-by-recursive-locking-in-xa.patch new file mode 100644 index 00000000000..1c62a36f166 --- /dev/null +++ b/queue-4.9/ocfs2-fix-deadlock-caused-by-recursive-locking-in-xa.patch 
@@ -0,0 +1,151 @@ +From 5acb141b262f64a5538597fd4af51b91ee52530a Mon Sep 17 00:00:00 2001 +From: Eric Ren +Date: Fri, 23 Jun 2017 15:08:55 -0700 +Subject: ocfs2: fix deadlock caused by recursive locking in xattr + +[ Upstream commit 8818efaaacb78c60a9d90c5705b6c99b75d7d442 ] + +Another deadlock path caused by recursive locking is reported. This +kind of issue was introduced since commit 743b5f1434f5 ("ocfs2: take +inode lock in ocfs2_iop_set/get_acl()"). Two deadlock paths have been +fixed by commit b891fa5024a9 ("ocfs2: fix deadlock issue when taking +inode lock at vfs entry points"). Yes, we intend to fix this kind of +case in incremental way, because it's hard to find out all possible +paths at once. + +This one can be reproduced like this. On node1, cp a large file from +home directory to ocfs2 mountpoint. While on node2, run +setfacl/getfacl. Both nodes will hang up there. The backtraces: + +On node1: + __ocfs2_cluster_lock.isra.39+0x357/0x740 [ocfs2] + ocfs2_inode_lock_full_nested+0x17d/0x840 [ocfs2] + ocfs2_write_begin+0x43/0x1a0 [ocfs2] + generic_perform_write+0xa9/0x180 + __generic_file_write_iter+0x1aa/0x1d0 + ocfs2_file_write_iter+0x4f4/0xb40 [ocfs2] + __vfs_write+0xc3/0x130 + vfs_write+0xb1/0x1a0 + SyS_write+0x46/0xa0 + +On node2: + __ocfs2_cluster_lock.isra.39+0x357/0x740 [ocfs2] + ocfs2_inode_lock_full_nested+0x17d/0x840 [ocfs2] + ocfs2_xattr_set+0x12e/0xe80 [ocfs2] + ocfs2_set_acl+0x22d/0x260 [ocfs2] + ocfs2_iop_set_acl+0x65/0xb0 [ocfs2] + set_posix_acl+0x75/0xb0 + posix_acl_xattr_set+0x49/0xa0 + __vfs_setxattr+0x69/0x80 + __vfs_setxattr_noperm+0x72/0x1a0 + vfs_setxattr+0xa7/0xb0 + setxattr+0x12d/0x190 + path_setxattr+0x9f/0xb0 + SyS_setxattr+0x14/0x20 + +Fix this one by using ocfs2_inode_{lock|unlock}_tracker, which is +exported by commit 439a36b8ef38 ("ocfs2/dlmglue: prepare tracking logic +to avoid recursive cluster lock"). 
+ +Link: http://lkml.kernel.org/r/20170622014746.5815-1-zren@suse.com +Fixes: 743b5f1434f5 ("ocfs2: take inode lock in ocfs2_iop_set/get_acl()") +Signed-off-by: Eric Ren +Reported-by: Thomas Voegtle +Tested-by: Thomas Voegtle +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/dlmglue.c | 4 ++++ + fs/ocfs2/xattr.c | 23 +++++++++++++---------- + 2 files changed, 17 insertions(+), 10 deletions(-) + +diff --git a/fs/ocfs2/dlmglue.c b/fs/ocfs2/dlmglue.c +index 785fcc29d85d..5729d55da67d 100644 +--- a/fs/ocfs2/dlmglue.c ++++ b/fs/ocfs2/dlmglue.c +@@ -2599,6 +2599,10 @@ void ocfs2_inode_unlock_tracker(struct inode *inode, + struct ocfs2_lock_res *lockres; + + lockres = &OCFS2_I(inode)->ip_inode_lockres; ++ /* had_lock means that the currect process already takes the cluster ++ * lock previously. If had_lock is 1, we have nothing to do here, and ++ * it will get unlocked where we got the lock. 
++ */ + if (!had_lock) { + ocfs2_remove_holder(lockres, oh); + ocfs2_inode_unlock(inode, ex); +diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c +index 03f6ff249edb..01932763b4d1 100644 +--- a/fs/ocfs2/xattr.c ++++ b/fs/ocfs2/xattr.c +@@ -1330,20 +1330,21 @@ static int ocfs2_xattr_get(struct inode *inode, + void *buffer, + size_t buffer_size) + { +- int ret; ++ int ret, had_lock; + struct buffer_head *di_bh = NULL; ++ struct ocfs2_lock_holder oh; + +- ret = ocfs2_inode_lock(inode, &di_bh, 0); +- if (ret < 0) { +- mlog_errno(ret); +- return ret; ++ had_lock = ocfs2_inode_lock_tracker(inode, &di_bh, 0, &oh); ++ if (had_lock < 0) { ++ mlog_errno(had_lock); ++ return had_lock; + } + down_read(&OCFS2_I(inode)->ip_xattr_sem); + ret = ocfs2_xattr_get_nolock(inode, di_bh, name_index, + name, buffer, buffer_size); + up_read(&OCFS2_I(inode)->ip_xattr_sem); + +- ocfs2_inode_unlock(inode, 0); ++ ocfs2_inode_unlock_tracker(inode, 0, &oh, had_lock); + + brelse(di_bh); + +@@ -3539,11 +3540,12 @@ int ocfs2_xattr_set(struct inode *inode, + { + struct buffer_head *di_bh = NULL; + struct ocfs2_dinode *di; +- int ret, credits, ref_meta = 0, ref_credits = 0; ++ int ret, credits, had_lock, ref_meta = 0, ref_credits = 0; + struct ocfs2_super *osb = OCFS2_SB(inode->i_sb); + struct inode *tl_inode = osb->osb_tl_inode; + struct ocfs2_xattr_set_ctxt ctxt = { NULL, NULL, NULL, }; + struct ocfs2_refcount_tree *ref_tree = NULL; ++ struct ocfs2_lock_holder oh; + + struct ocfs2_xattr_info xi = { + .xi_name_index = name_index, +@@ -3574,8 +3576,9 @@ int ocfs2_xattr_set(struct inode *inode, + return -ENOMEM; + } + +- ret = ocfs2_inode_lock(inode, &di_bh, 1); +- if (ret < 0) { ++ had_lock = ocfs2_inode_lock_tracker(inode, &di_bh, 1, &oh); ++ if (had_lock < 0) { ++ ret = had_lock; + mlog_errno(ret); + goto cleanup_nolock; + } +@@ -3672,7 +3675,7 @@ cleanup: + if (ret) + mlog_errno(ret); + } +- ocfs2_inode_unlock(inode, 1); ++ ocfs2_inode_unlock_tracker(inode, 1, &oh, had_lock); + cleanup_nolock: + 
brelse(di_bh); + brelse(xbs.xattr_bh); +-- +2.17.1 + diff --git a/queue-4.9/orangefs-off-by-ones-in-xattr-size-checks.patch b/queue-4.9/orangefs-off-by-ones-in-xattr-size-checks.patch new file mode 100644 index 00000000000..19e40fa46ba --- /dev/null +++ b/queue-4.9/orangefs-off-by-ones-in-xattr-size-checks.patch 
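Review bot: in ocfs2_xattr_get() and ocfs2_xattr_set() (fs/ocfs2/xattr.c), had_lock now carries two meanings, an error code (the had_lock < 0 branch) and the already-held flag handed to ocfs2_inode_unlock_tracker(), and nothing at either call site says so. A one-line comment at each ocfs2_inode_lock_tracker() call stating the return contract would keep a later edit from treating had_lock as a plain boolean or from switching the unlock back to ocfs2_inode_unlock(). In the comment added to ocfs2_inode_unlock_tracker() in fs/ocfs2/dlmglue.c, "currect" should read "current".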
@@ -0,0 +1,58 @@ +From 431f5b6339904bbdee2be52cc8a2c8c6f84decdf Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 22 May 2017 15:08:31 +0300 +Subject: orangefs: off by ones in xattr size checks + +[ Upstream commit 5f13e58767a53ebb54265e03c0c4a67650286263 ] + +A previous patch which claimed to remove off by ones actually introduced +them. + +strlen() returns the length of the string not including the NUL +character. We are using strcpy() to copy "name" into a buffer which is +ORANGEFS_MAX_XATTR_NAMELEN characters long. We should make sure to +leave space for the NUL, otherwise we're writing one character beyond +the end of the buffer. + +Fixes: e675c5ec51fe ("orangefs: clean up oversize xattr validation") +Signed-off-by: Dan Carpenter +Signed-off-by: Mike Marshall +Signed-off-by: Sasha Levin +--- + fs/orangefs/xattr.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/orangefs/xattr.c b/fs/orangefs/xattr.c +index 237c9c04dc3b..a34b25be39c5 100644 +--- a/fs/orangefs/xattr.c ++++ b/fs/orangefs/xattr.c +@@ -76,7 +76,7 @@ ssize_t orangefs_inode_getxattr(struct inode *inode, const char *name, + if (S_ISLNK(inode->i_mode)) + return -EOPNOTSUPP; + +- if (strlen(name) > ORANGEFS_MAX_XATTR_NAMELEN) ++ if (strlen(name) >= ORANGEFS_MAX_XATTR_NAMELEN) + return -EINVAL; + + fsuid = from_kuid(&init_user_ns, current_fsuid()); +@@ -169,7 +169,7 @@ static int orangefs_inode_removexattr(struct inode *inode, const char *name, + struct orangefs_kernel_op_s *new_op = NULL; + int ret = -ENOMEM; + +- if (strlen(name) > ORANGEFS_MAX_XATTR_NAMELEN) ++ if (strlen(name) >= ORANGEFS_MAX_XATTR_NAMELEN) + return -EINVAL; + + down_write(&orangefs_inode->xattr_sem); +@@ -233,7 +233,7 @@ int orangefs_inode_setxattr(struct inode *inode, const char *name, + + if (size > ORANGEFS_MAX_XATTR_VALUELEN) + return -EINVAL; +- if (strlen(name) > ORANGEFS_MAX_XATTR_NAMELEN) ++ if (strlen(name) >= ORANGEFS_MAX_XATTR_NAMELEN) + return -EINVAL; + + internal_flag = 
convert_to_internal_xattr_flags(flags); +-- +2.17.1 + diff --git a/queue-4.9/pci-disable-msi-for-hisilicon-hip06-hip07-only-in-ro.patch b/queue-4.9/pci-disable-msi-for-hisilicon-hip06-hip07-only-in-ro.patch new file mode 100644 index 00000000000..6f422ab6055 --- /dev/null +++ b/queue-4.9/pci-disable-msi-for-hisilicon-hip06-hip07-only-in-ro.patch 
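Review bot: the three corrected checks in orangefs_inode_getxattr(), orangefs_inode_removexattr() and orangefs_inode_setxattr() are identical and none carries a comment saying why the comparison is >= rather than >, which is the very confusion the changelog attributes to the earlier cleanup. Suggest a short comment at each check (or one shared helper) stating that name is later copied with strcpy() into an ORANGEFS_MAX_XATTR_NAMELEN-byte buffer and needs room for the NUL. The neighbouring size > ORANGEFS_MAX_XATTR_VALUELEN test in orangefs_inode_setxattr() keeps the strict comparison; the hunk does not show how the value is copied, so please confirm that path needs no terminator byte.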
@@ -0,0 +1,42 @@ +From d668f35bb8d2f2c9aaaacf2f87e45d5726957a1f Mon Sep 17 00:00:00 2001 +From: Dongdong Liu +Date: Thu, 28 Dec 2017 17:53:32 +0800 +Subject: PCI: Disable MSI for HiSilicon Hip06/Hip07 only in Root Port mode + +[ Upstream commit deb86999323661c019ef2740eb9d479d1e526b5c ] + +HiSilicon Hip06/Hip07 can operate as either a Root Port or an Endpoint. It +always advertises an MSI capability, but it can only generate MSIs when in +Endpoint mode. + +The device has the same Vendor and Device IDs in both modes, so check the +Class Code and disable MSI only when operating as a Root Port. + +[bhelgaas: changelog] +Fixes: 72f2ff0deb87 ("PCI: Disable MSI for HiSilicon Hip06/Hip07 Root Ports") +Signed-off-by: Dongdong Liu +Signed-off-by: Bjorn Helgaas +Reviewed-by: Zhou Wang +Cc: stable@vger.kernel.org # v4.11+ +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index c7a695c2303a..2250f0d33481 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -1634,8 +1634,8 @@ static void quirk_pcie_mch(struct pci_dev *pdev) + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_E7520_MCH, quirk_pcie_mch); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_E7320_MCH, quirk_pcie_mch); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_E7525_MCH, quirk_pcie_mch); +-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_HUAWEI, 0x1610, quirk_pcie_mch); + ++DECLARE_PCI_FIXUP_CLASS_FINAL(PCI_VENDOR_ID_HUAWEI, 0x1610, PCI_CLASS_BRIDGE_PCI, 8, quirk_pcie_mch); + + /* + * It's possible for the MSI to get corrupted if shpc and acpi +-- +2.17.1 + diff --git a/queue-4.9/perf-core-fix-locking-for-children-siblings-group-re.patch b/queue-4.9/perf-core-fix-locking-for-children-siblings-group-re.patch new file mode 100644 index 00000000000..5fcb3c8c68b --- /dev/null 
+++ b/queue-4.9/perf-core-fix-locking-for-children-siblings-group-re.patch 
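Review bot: the new DECLARE_PCI_FIXUP_CLASS_FINAL(PCI_VENDOR_ID_HUAWEI, 0x1610, PCI_CLASS_BRIDGE_PCI, 8, quirk_pcie_mch) line in drivers/pci/quirks.c has no comment, so the reason for matching on class lives only in the changelog. A short comment above it saying that Hip06/Hip07 has the same Vendor and Device IDs in Root Port and Endpoint mode, and that MSI must stay enabled in Endpoint mode, would keep the class match from being simplified away later; a named constant for 0x1610 would help as well. Separately, the trailer reads "Cc: stable@vger.kernel.org # v4.11+" while this copy sits in queue-4.9; the removed DECLARE_PCI_FIXUP_FINAL line shows the original quirk is present in this tree, so a sentence in the changelog on why the backport applies below v4.11 would be useful.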
@@ -0,0 +1,105 @@ +From 2746521fd5e39800ea2081e2e34e568f1442aeee Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Thu, 20 Jul 2017 16:14:55 +0200 +Subject: perf/core: Fix locking for children siblings group read + +[ Upstream commit 2aeb1883547626d82c597cce2c99f0b9c62e2425 ] + +We're missing ctx lock when iterating children siblings +within the perf_read path for group reading. Following +race and crash can happen: + +User space doing read syscall on event group leader: + +T1: + perf_read + lock event->ctx->mutex + perf_read_group + lock leader->child_mutex + __perf_read_group_add(child) + list_for_each_entry(sub, &leader->sibling_list, group_entry) + +----> sub might be invalid at this point, because it could + get removed via perf_event_exit_task_context in T2 + +Child exiting and cleaning up its events: + +T2: + perf_event_exit_task_context + lock ctx->mutex + list_for_each_entry_safe(child_event, next, &child_ctx->event_list,... + perf_event_exit_event(child) + lock ctx->lock + perf_group_detach(child) + unlock ctx->lock + +----> child is removed from sibling_list without any sync + with T1 path above + + ... + free_event(child) + +Before the child is removed from the leader's child_list, +(and thus is omitted from perf_read_group processing), we +need to ensure that perf_read_group touches child's +siblings under its ctx->lock. + +Peter further notes: + +| One additional note; this bug got exposed by commit: +| +| ba5213ae6b88 ("perf/core: Correct event creation with PERF_FORMAT_GROUP") +| +| which made it possible to actually trigger this code-path. 
+ +Tested-by: Andi Kleen +Signed-off-by: Jiri Olsa +Acked-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: ba5213ae6b88 ("perf/core: Correct event creation with PERF_FORMAT_GROUP") +Link: http://lkml.kernel.org/r/20170720141455.2106-1-jolsa@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 95bd00d9f2c3..06b359af4322 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -4331,7 +4331,9 @@ EXPORT_SYMBOL_GPL(perf_event_read_value); + static int __perf_read_group_add(struct perf_event *leader, + u64 read_format, u64 *values) + { ++ struct perf_event_context *ctx = leader->ctx; + struct perf_event *sub; ++ unsigned long flags; + int n = 1; /* skip @nr */ + int ret; + +@@ -4361,12 +4363,15 @@ static int __perf_read_group_add(struct perf_event *leader, + if (read_format & PERF_FORMAT_ID) + values[n++] = primary_event_id(leader); + ++ raw_spin_lock_irqsave(&ctx->lock, flags); ++ + list_for_each_entry(sub, &leader->sibling_list, group_entry) { + values[n++] += perf_event_count(sub); + if (read_format & PERF_FORMAT_ID) + values[n++] = primary_event_id(sub); + } + ++ raw_spin_unlock_irqrestore(&ctx->lock, flags); + return 0; + } + +-- +2.17.1 + diff --git a/queue-4.9/perf-evsel-fix-probing-of-precise_ip-level-for-defau.patch b/queue-4.9/perf-evsel-fix-probing-of-precise_ip-level-for-defau.patch new file mode 100644 index 00000000000..568cfc80e0c --- /dev/null +++ b/queue-4.9/perf-evsel-fix-probing-of-precise_ip-level-for-defau.patch 
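Review bot: the raw_spin_lock_irqsave(&ctx->lock, flags) added before the list_for_each_entry() over leader->sibling_list in __perf_read_group_add() has no comment saying what it pairs with. The changelog names the other side as perf_group_detach() running under ctx->lock from perf_event_exit_task_context(); a one-line comment at the lock site stating that would document why the ctx->mutex and child_mutex taken in the T1 path are not enough. The sibling walk now runs with interrupts disabled, so the same comment should warn that the loop body has to stay short and non-sleeping.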
@@ -0,0 +1,272 @@ +From c1659e6f2609c44b241f0ba373bc2e066c45711a Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Fri, 9 Jun 2017 16:54:28 -0300 +Subject: perf evsel: Fix probing of precise_ip level for default cycles event + +[ Upstream commit 7a1ac110c22eb726684c837544a2d42c33e07be7 ] + +Since commit 18e7a45af91a ("perf/x86: Reject non sampling events with +precise_ip") returns -EINVAL for sys_perf_event_open() with an attribute +with (attr.precise_ip > 0 && attr.sample_period == 0), just like is done +in the routine used to probe the max precise level when no events were +passed to 'perf record' or 'perf top', i.e.: + + perf_evsel__new_cycles() + perf_event_attr__set_max_precise_ip() + +The x86 code, in x86_pmu_hw_config(), which is called all the way from +sys_perf_event_open() did, starting with the aforementioned commit: + + /* There's no sense in having PEBS for non sampling events: */ + if (!is_sampling_event(event)) + return -EINVAL; + +Which makes it fail for cycles:ppp, cycles:pp and cycles:p, always using +just the non precise cycles variant. + +To make sure that this is the case, I tested it, before this patch, +with: + + # perf probe -L x86_pmu_hw_config + + 0 int x86_pmu_hw_config(struct perf_event *event) + 1 { + 2 if (event->attr.precise_ip) { + + 17 if (event->attr.precise_ip > precise) + 18 return -EOPNOTSUPP; + + /* There's no sense in having PEBS for non sampling events: */ + 21 if (!is_sampling_event(event)) + 22 return -EINVAL; + } + + # perf probe x86_pmu_hw_config:22 + Added new events: + probe:x86_pmu_hw_config (on x86_pmu_hw_config:22) + probe:x86_pmu_hw_config_1 (on x86_pmu_hw_config:22) + + You can now use it in all perf tools, such as: + + perf record -e probe:x86_pmu_hw_config_1 -aR sleep 1 + + # perf trace -e perf_event_open,probe:x86_pmu_hwconfig*/max-stack=16/ perf record usleep 1 + 0.000 ( 0.015 ms): perf/4150 perf_event_open(attr_uptr: 0x7ffebc8ba110, cpu: -1, group_fd: -1 ) ... 
+ 0.015 ( ): probe:x86_pmu_hw_config:(ffffffff9c0065e1)) + x86_pmu_hw_config ([kernel.kallsyms]) + hsw_hw_config ([kernel.kallsyms]) + x86_pmu_event_init ([kernel.kallsyms]) + perf_try_init_event ([kernel.kallsyms]) + perf_event_alloc ([kernel.kallsyms]) + SYSC_perf_event_open ([kernel.kallsyms]) + sys_perf_event_open ([kernel.kallsyms]) + do_syscall_64 ([kernel.kallsyms]) + return_from_SYSCALL_64 ([kernel.kallsyms]) + syscall (/usr/lib64/libc-2.24.so) + perf_event_attr__set_max_precise_ip (/home/acme/bin/perf) + perf_evsel__new_cycles (/home/acme/bin/perf) + perf_evlist__add_default (/home/acme/bin/perf) + cmd_record (/home/acme/bin/perf) + run_builtin (/home/acme/bin/perf) + handle_internal_command (/home/acme/bin/perf) + 0.000 ( 0.021 ms): perf/4150 ... [continued]: perf_event_open()) = -1 EINVAL Invalid argument + 0.023 ( 0.002 ms): perf/4150 perf_event_open(attr_uptr: 0x7ffebc8ba110, cpu: -1, group_fd: -1 ) ... + 0.025 ( ): probe:x86_pmu_hw_config:(ffffffff9c0065e1)) + x86_pmu_hw_config ([kernel.kallsyms]) + hsw_hw_config ([kernel.kallsyms]) + x86_pmu_event_init ([kernel.kallsyms]) + perf_try_init_event ([kernel.kallsyms]) + perf_event_alloc ([kernel.kallsyms]) + SYSC_perf_event_open ([kernel.kallsyms]) + sys_perf_event_open ([kernel.kallsyms]) + do_syscall_64 ([kernel.kallsyms]) + return_from_SYSCALL_64 ([kernel.kallsyms]) + syscall (/usr/lib64/libc-2.24.so) + perf_event_attr__set_max_precise_ip (/home/acme/bin/perf) + perf_evsel__new_cycles (/home/acme/bin/perf) + perf_evlist__add_default (/home/acme/bin/perf) + cmd_record (/home/acme/bin/perf) + run_builtin (/home/acme/bin/perf) + handle_internal_command (/home/acme/bin/perf) + 0.023 ( 0.004 ms): perf/4150 ... [continued]: perf_event_open()) = -1 EINVAL Invalid argument + 0.028 ( 0.002 ms): perf/4150 perf_event_open(attr_uptr: 0x7ffebc8ba110, cpu: -1, group_fd: -1 ) ... 
+ 0.030 ( ): probe:x86_pmu_hw_config:(ffffffff9c0065e1)) + x86_pmu_hw_config ([kernel.kallsyms]) + hsw_hw_config ([kernel.kallsyms]) + x86_pmu_event_init ([kernel.kallsyms]) + perf_try_init_event ([kernel.kallsyms]) + perf_event_alloc ([kernel.kallsyms]) + SYSC_perf_event_open ([kernel.kallsyms]) + sys_perf_event_open ([kernel.kallsyms]) + do_syscall_64 ([kernel.kallsyms]) + return_from_SYSCALL_64 ([kernel.kallsyms]) + syscall (/usr/lib64/libc-2.24.so) + perf_event_attr__set_max_precise_ip (/home/acme/bin/perf) + perf_evsel__new_cycles (/home/acme/bin/perf) + perf_evlist__add_default (/home/acme/bin/perf) + cmd_record (/home/acme/bin/perf) + run_builtin (/home/acme/bin/perf) + handle_internal_command (/home/acme/bin/perf) + 0.028 ( 0.004 ms): perf/4150 ... [continued]: perf_event_open()) = -1 EINVAL Invalid argument + 41.018 ( 0.012 ms): perf/4150 perf_event_open(attr_uptr: 0x7ffebc8b5dd0, pid: -1, group_fd: -1, flags: FD_CLOEXEC) = 4 + 41.065 ( 0.011 ms): perf/4150 perf_event_open(attr_uptr: 0x3c7db78, pid: -1, group_fd: -1, flags: FD_CLOEXEC) = 4 + 41.080 ( 0.006 ms): perf/4150 perf_event_open(attr_uptr: 0x3c7db78, pid: -1, group_fd: -1, flags: FD_CLOEXEC) = 4 + 41.103 ( 0.010 ms): perf/4150 perf_event_open(attr_uptr: 0x3c4e748, pid: 4151 (perf), group_fd: -1, flags: FD_CLOEXEC) = 4 + 41.115 ( 0.006 ms): perf/4150 perf_event_open(attr_uptr: 0x3c4e748, pid: 4151 (perf), cpu: 1, group_fd: -1, flags: FD_CLOEXEC) = 5 + 41.122 ( 0.004 ms): perf/4150 perf_event_open(attr_uptr: 0x3c4e748, pid: 4151 (perf), cpu: 2, group_fd: -1, flags: FD_CLOEXEC) = 6 + 41.128 ( 0.008 ms): perf/4150 perf_event_open(attr_uptr: 0x3c4e748, pid: 4151 (perf), cpu: 3, group_fd: -1, flags: FD_CLOEXEC) = 8 + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.017 MB perf.data (2 samples) ] + # + +I.e. that return -EINVAL in x86_pmu_hw_config() is hit three times. 
+ +So fix it by just setting attr.sample_period + +Now, after this patch: + + # perf trace --max-stack=2 -e perf_event_open,probe:x86_pmu_hw_config* perf record usleep 1 + [ perf record: Woken up 1 times to write data ] + 0.000 ( 0.017 ms): perf/8469 perf_event_open(attr_uptr: 0x7ffe36c27d10, pid: -1, cpu: 3, group_fd: -1, flags: FD_CLOEXEC) = 4 + syscall (/usr/lib64/libc-2.24.so) + perf_event_open_cloexec_flag (/home/acme/bin/perf) + 0.050 ( 0.031 ms): perf/8469 perf_event_open(attr_uptr: 0x24ebb78, pid: -1, group_fd: -1, flags: FD_CLOEXEC) = 4 + syscall (/usr/lib64/libc-2.24.so) + perf_evlist__config (/home/acme/bin/perf) + 0.092 ( 0.040 ms): perf/8469 perf_event_open(attr_uptr: 0x24ebb78, pid: -1, group_fd: -1, flags: FD_CLOEXEC) = 4 + syscall (/usr/lib64/libc-2.24.so) + perf_evlist__config (/home/acme/bin/perf) + 0.143 ( 0.007 ms): perf/8469 perf_event_open(attr_uptr: 0x24bc748, cpu: -1, group_fd: -1 ) = 4 + syscall (/usr/lib64/libc-2.24.so) + perf_event_attr__set_max_precise_ip (/home/acme/bin/perf) + 0.161 ( 0.007 ms): perf/8469 perf_event_open(attr_uptr: 0x24bc748, pid: 8470 (perf), group_fd: -1, flags: FD_CLOEXEC) = 4 + syscall (/usr/lib64/libc-2.24.so) + perf_evsel__open (/home/acme/bin/perf) + 0.171 ( 0.005 ms): perf/8469 perf_event_open(attr_uptr: 0x24bc748, pid: 8470 (perf), cpu: 1, group_fd: -1, flags: FD_CLOEXEC) = 5 + syscall (/usr/lib64/libc-2.24.so) + perf_evsel__open (/home/acme/bin/perf) + 0.180 ( 0.007 ms): perf/8469 perf_event_open(attr_uptr: 0x24bc748, pid: 8470 (perf), cpu: 2, group_fd: -1, flags: FD_CLOEXEC) = 6 + syscall (/usr/lib64/libc-2.24.so) + perf_evsel__open (/home/acme/bin/perf) + 0.190 ( 0.005 ms): perf/8469 perf_event_open(attr_uptr: 0x24bc748, pid: 8470 (perf), cpu: 3, group_fd: -1, flags: FD_CLOEXEC) = 8 + syscall (/usr/lib64/libc-2.24.so) + perf_evsel__open (/home/acme/bin/perf) + [ perf record: Captured and wrote 0.017 MB perf.data (7 samples) ] + # + +The probe one called from perf_event_attr__set_max_precise_ip() works +the 
first time, with attr.precise_ip = 3, wit hthe next ones being the +per cpu ones for the cycles:ppp event. + +And here is the text from a report and alternative proposed patch by +Thomas-Mich Richter: + + --- + +On s390 the counter and sampling facility do not support a precise IP +skid level and sometimes returns EOPNOTSUPP when structure member +precise_ip in struct perf_event_attr is not set to zero. + +On s390 commnd 'perf record -- true' fails with error EOPNOTSUPP. This +happens only when no events are specified on command line. + +The functions called are +... + --> perf_evlist__add_default + --> perf_evsel__new_cycles + --> perf_event_attr__set_max_precise_ip + +The last function determines the value of structure member precise_ip by +invoking the perf_event_open() system call and checking the return code. +The first successful open is the value for precise_ip. + +However the value is determined without setting member sample_period and +indicates no sampling. + +On s390 the counter facility and sampling facility are different. The +above procedure determines a precise_ip value of 3 using the counter +facility. Later it uses the sampling facility with a value of 3 and +fails with EOPNOTSUPP. + + --- + +v2: Older compilers (e.g. gcc 4.4.7) don't support referencing members + of unnamed union members in the container struct initialization, so + move from: + + struct perf_event_attr attr = { + ... + .sample_period = 1, + }; + +to right after it as: + + struct perf_event_attr attr = { + ... + }; + + attr.sample_period = 1; + +v3: We need to reset .sample_period to 0 to let the users of +perf_evsel__new_cycles() to properly setup attr.sample_period or +attr.sample_freq. Reported by Ingo Molnar. 
+ +Reported-and-Acked-by: Thomas-Mich Richter +Acked-by: Hendrik Brueckner +Acked-by: Jiri Olsa +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: David Ahern +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Wang Nan +Fixes: 18e7a45af91a ("perf/x86: Reject non sampling events with precise_ip") +Link: http://lkml.kernel.org/n/tip-yv6nnkl7tzqocrm0hl3x7vf1@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/task-exit.c | 2 +- + tools/perf/util/evsel.c | 12 ++++++++++++ + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/tests/task-exit.c b/tools/perf/tests/task-exit.c +index 01a5ba2788c6..b0d005d295a9 100644 +--- a/tools/perf/tests/task-exit.c ++++ b/tools/perf/tests/task-exit.c +@@ -82,7 +82,7 @@ int test__task_exit(int subtest __maybe_unused) + + evsel = perf_evlist__first(evlist); + evsel->attr.task = 1; +- evsel->attr.sample_freq = 0; ++ evsel->attr.sample_freq = 1; + evsel->attr.inherit = 0; + evsel->attr.watermark = 0; + evsel->attr.wakeup_events = 1; +diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c +index 3be8c489884e..f7128c2a6386 100644 +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -263,8 +263,20 @@ struct perf_evsel *perf_evsel__new_cycles(void) + struct perf_evsel *evsel; + + event_attr_init(&attr); ++ /* ++ * Unnamed union member, not supported as struct member named ++ * initializer in older compilers such as gcc 4.4.7 ++ * ++ * Just for probing the precise_ip: ++ */ ++ attr.sample_period = 1; + + perf_event_attr__set_max_precise_ip(&attr); ++ /* ++ * Now let the usual logic to set up the perf_event_attr defaults ++ * to kick in when we return and before perf_evsel__open() is called. ++ */ ++ attr.sample_period = 0; + + evsel = perf_evsel__new(&attr); + if (evsel == NULL) +-- +2.17.1 + 
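Review bot: the tools/perf/tests/task-exit.c hunk changes evsel->attr.sample_freq from 0 to 1, but the changelog discusses only perf_evsel__new_cycles() and never says why the test needs a non-zero value; please add a sentence to the changelog or a comment at that assignment. In tools/perf/util/evsel.c, setting attr.sample_period = 1 before perf_event_attr__set_max_precise_ip() and back to 0 after it leaves the requirement on the caller; doing the set and reset inside the probing routine, or probing on a copy of attr, would keep another caller from reintroducing the EINVAL and EOPNOTSUPP failures described in the changelog.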
diff --git a/queue-4.9/perf-probe-fix-probe-definition-for-inlined-function.patch b/queue-4.9/perf-probe-fix-probe-definition-for-inlined-function.patch new file mode 100644 index 00000000000..742b2076162 --- /dev/null +++ b/queue-4.9/perf-probe-fix-probe-definition-for-inlined-function.patch 
@@ -0,0 +1,168 @@ +From fbba66b4548a9c943d57d802394077d7a327d9b2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20T=C3=B6pel?= +Date: Wed, 21 Jun 2017 18:41:34 +0200 +Subject: perf probe: Fix probe definition for inlined functions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 7598f8bc1383ffd77686cb4e92e749bef3c75937 ] + +In commit 613f050d68a8 ("perf probe: Fix to probe on gcc generated +functions in modules"), the offset from symbol is, incorrectly, added +to the trace point address. This leads to incorrect probe trace points +for inlined functions and when using relative line number on symbols. + +Prior this patch: + $ perf probe -m nf_nat -D in_range + p:probe/in_range nf_nat:in_range.isra.9+0 + $ perf probe -m i40e -D i40e_clean_rx_irq + p:probe/i40e_clean_rx_irq i40e:i40e_napi_poll+2212 + $ perf probe -m i40e -D i40e_clean_rx_irq:16 + p:probe/i40e_clean_rx_irq i40e:i40e_lan_xmit_frame+626 + +After: + $ perf probe -m nf_nat -D in_range + p:probe/in_range nf_nat:in_range.isra.9+0 + $ perf probe -m i40e -D i40e_clean_rx_irq + p:probe/i40e_clean_rx_irq i40e:i40e_napi_poll+1106 + $ perf probe -m i40e -D i40e_clean_rx_irq:16 + p:probe/i40e_clean_rx_irq i40e:i40e_napi_poll+2665 + +Committer testing: + +Using 'pfunct', a tool found in the 'dwarves' package [1], one can ask what are +the functions that while not being explicitely marked as inline, were inlined +by the compiler: + + # pfunct --cc_inlined /lib/modules/4.12.0-rc4+/kernel/drivers/net/ethernet/intel/e1000e/e1000e.ko | head + __ew32 + e1000_regdump + e1000e_dump_ps_pages + e1000_desc_unused + e1000e_systim_to_hwtstamp + e1000e_rx_hwtstamp + e1000e_update_rdt_wa + e1000e_update_tdt_wa + e1000_put_txbuf + e1000_consume_page + +Then ask 'perf probe' to produce the kprobe_tracer probe definitions for two of +them: + + # perf probe -m e1000e -D e1000e_rx_hwtstamp + p:probe/e1000e_rx_hwtstamp e1000e:e1000_receive_skb+74 + + # perf probe -m 
e1000e -D e1000_consume_page + p:probe/e1000_consume_page e1000e:e1000_clean_jumbo_rx_irq+876 + p:probe/e1000_consume_page_1 e1000e:e1000_clean_jumbo_rx_irq+1506 + p:probe/e1000_consume_page_2 e1000e:e1000_clean_rx_irq_ps+1074 + +Now lets concentrate on the 'e1000_consume_page' one, that was inlined twice in +e1000_clean_jumbo_rx_irq(), lets see what readelf says about the DWARF tags for +that function: + + $ readelf -wi /lib/modules/4.12.0-rc4+/kernel/drivers/net/ethernet/intel/e1000e/e1000e.ko + + <1><13e27b>: Abbrev Number: 121 (DW_TAG_subprogram) + <13e27c> DW_AT_name : (indirect string, offset: 0xa8945): e1000_clean_jumbo_rx_irq + <13e287> DW_AT_low_pc : 0x17a30 + <3><13e6ef>: Abbrev Number: 119 (DW_TAG_inlined_subroutine) + <13e6f0> DW_AT_abstract_origin: <0x13ed2c> + <13e6f4> DW_AT_low_pc : 0x17be6 + + <1><13ed2c>: Abbrev Number: 142 (DW_TAG_subprogram) + <13ed2e> DW_AT_name : (indirect string, offset: 0xa54c3): e1000_consume_page + +So, the first time in e1000_clean_jumbo_rx_irq() where e1000_consume_page() is +inlined is at PC 0x17be6, which subtracted from e1000_clean_jumbo_rx_irq()'s +address, gives us the offset we should use in the probe definition: + + 0x17be6 - 0x17a30 = 438 + +but above we have 876, which is twice as much. + +Lets see the second inline expansion of e1000_consume_page() in +e1000_clean_jumbo_rx_irq(): + + <3><13e86e>: Abbrev Number: 119 (DW_TAG_inlined_subroutine) + <13e86f> DW_AT_abstract_origin: <0x13ed2c> + <13e873> DW_AT_low_pc : 0x17d21 + + 0x17d21 - 0x17a30 = 753 + +So we where adding it at twice the offset from the containing function as we +should. 
+ +And then after this patch: + + # perf probe -m e1000e -D e1000e_rx_hwtstamp + p:probe/e1000e_rx_hwtstamp e1000e:e1000_receive_skb+37 + + # perf probe -m e1000e -D e1000_consume_page + p:probe/e1000_consume_page e1000e:e1000_clean_jumbo_rx_irq+438 + p:probe/e1000_consume_page_1 e1000e:e1000_clean_jumbo_rx_irq+753 + p:probe/e1000_consume_page_2 e1000e:e1000_clean_jumbo_rx_irq+1353 + # + +Which matches the two first expansions and shows that because we were +doubling the offset it would spill over the next function: + + readelf -sw /lib/modules/4.12.0-rc4+/kernel/drivers/net/ethernet/intel/e1000e/e1000e.ko + 673: 0000000000017a30 1626 FUNC LOCAL DEFAULT 2 e1000_clean_jumbo_rx_irq + 674: 0000000000018090 2013 FUNC LOCAL DEFAULT 2 e1000_clean_rx_irq_ps + +This is the 3rd inline expansion of e1000_consume_page() in +e1000_clean_jumbo_rx_irq(): + + <3><13ec77>: Abbrev Number: 119 (DW_TAG_inlined_subroutine) + <13ec78> DW_AT_abstract_origin: <0x13ed2c> + <13ec7c> DW_AT_low_pc : 0x17f79 + + 0x17f79 - 0x17a30 = 1353 + + So: + + 0x17a30 + 2 * 1353 = 0x184c2 + + And: + + 0x184c2 - 0x18090 = 1074 + +Which explains the bogus third expansion for e1000_consume_page() to end up at: + + p:probe/e1000_consume_page_2 e1000e:e1000_clean_rx_irq_ps+1074 + +All fixed now :-) + +[1] https://git.kernel.org/pub/scm/devel/pahole/pahole.git/ + +Signed-off-by: Björn Töpel +Tested-by: Arnaldo Carvalho de Melo +Acked-by: Magnus Karlsson +Acked-by: Masami Hiramatsu +Cc: stable@vger.kernel.org +Fixes: 613f050d68a8 ("perf probe: Fix to probe on gcc generated functions in modules") +Link: http://lkml.kernel.org/r/20170621164134.5701-1-bjorn.topel@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/probe-event.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/probe-event.c b/tools/perf/util/probe-event.c +index c93daccec755..a7452fd3b6ee 100644 +--- a/tools/perf/util/probe-event.c ++++ 
b/tools/perf/util/probe-event.c +@@ -615,7 +615,7 @@ static int post_process_probe_trace_point(struct probe_trace_point *tp, + struct map *map, unsigned long offs) + { + struct symbol *sym; +- u64 addr = tp->address + tp->offset - offs; ++ u64 addr = tp->address - offs; + + sym = map__find_symbol(map, addr); + if (!sym) +-- +2.17.1 + diff --git a/queue-4.9/perf-ring_buffer-prevent-concurent-ring-buffer-acces.patch b/queue-4.9/perf-ring_buffer-prevent-concurent-ring-buffer-acces.patch new file mode 100644 index 00000000000..46d69b7e459 --- /dev/null +++ b/queue-4.9/perf-ring_buffer-prevent-concurent-ring-buffer-acces.patch 
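Review bot: the corrected line in post_process_probe_trace_point(), u64 addr = tp->address - offs;, has no comment recording that tp->address must not have tp->offset added to it again, which is the assumption the Fixes: commit got wrong. Suggest a one-line comment there, and a 'perf test' case built on the -D outputs worked through in the changelog (for example checking that a definition's offset stays within the size of the containing function), since the doubled offset produced well-formed but wrong probe definitions that nothing flagged.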
@@ -0,0 +1,107 @@ +From 6c16f5a7abd6dc840351abc8d5d48b9c04eeb80c Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Sun, 23 Sep 2018 18:13:43 +0200 +Subject: perf/ring_buffer: Prevent concurent ring buffer access + +[ Upstream commit cd6fb677ce7e460c25bdd66f689734102ec7d642 ] + +Some of the scheduling tracepoints allow the perf_tp_event +code to write to ring buffer under different cpu than the +code is running on. + +This results in corrupted ring buffer data demonstrated in +following perf commands: + + # perf record -e 'sched:sched_switch,sched:sched_wakeup' perf bench sched messaging + # Running 'sched/messaging' benchmark: + # 20 sender and receiver processes per group + # 10 groups == 400 processes run + + Total time: 0.383 [sec] + [ perf record: Woken up 8 times to write data ] + 0x42b890 [0]: failed to process type: -1765585640 + [ perf record: Captured and wrote 4.825 MB perf.data (29669 samples) ] + + # perf report --stdio + 0x42b890 [0]: failed to process type: -1765585640 + +The reason for the corruption are some of the scheduling tracepoints, +that have __perf_task dfined and thus allow to store data to another +cpu ring buffer: + + sched_waking + sched_wakeup + sched_wakeup_new + sched_stat_wait + sched_stat_sleep + sched_stat_iowait + sched_stat_blocked + +The perf_tp_event function first store samples for current cpu +related events defined for tracepoint: + + hlist_for_each_entry_rcu(event, head, hlist_entry) + perf_swevent_event(event, count, &data, regs); + +And then iterates events of the 'task' and store the sample +for any task's event that passes tracepoint checks: + + ctx = rcu_dereference(task->perf_event_ctxp[perf_sw_context]); + + list_for_each_entry_rcu(event, &ctx->event_list, event_entry) { + if (event->attr.type != PERF_TYPE_TRACEPOINT) + continue; + if (event->attr.config != entry->type) + continue; + + perf_swevent_event(event, count, &data, regs); + } + +Above code can race with same code running on another cpu, +ending up with 2 
cpus trying to store under the same ring +buffer, which is specifically not allowed. + +This patch prevents the problem, by allowing only events with the same +current cpu to receive the event. + +NOTE: this requires the use of (per-task-)per-cpu buffers for this +feature to work; perf-record does this. + +Signed-off-by: Jiri Olsa +[peterz: small edits to Changelog] +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Andrew Vagin +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Fixes: e6dab5ffab59 ("perf/trace: Add ability to set a target task for events") +Link: http://lkml.kernel.org/r/20180923161343.GB15054@krava +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 95bd00d9f2c3..3caf1a863a0b 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -7737,6 +7737,8 @@ void perf_tp_event(u16 event_type, u64 count, void *record, int entry_size, + goto unlock; + + list_for_each_entry_rcu(event, &ctx->event_list, event_entry) { ++ if (event->cpu != smp_processor_id()) ++ continue; + if (event->attr.type != PERF_TYPE_TRACEPOINT) + continue; + if (event->attr.config != entry->type) +-- +2.17.1 + diff --git a/queue-4.9/perf-symbols-fix-memory-corruption-because-of-zero-l.patch b/queue-4.9/perf-symbols-fix-memory-corruption-because-of-zero-l.patch new file mode 100644 index 00000000000..9c8bbf70de7 --- /dev/null +++ b/queue-4.9/perf-symbols-fix-memory-corruption-because-of-zero-l.patch 
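Review bot: the check added to perf_tp_event(), if (event->cpu != smp_processor_id()) continue;, carries no comment, and the constraint it introduces is stated only in the changelog's NOTE: task-targeted tracepoint events now receive samples only when the event is bound to the CPU the tracepoint fires on. An event whose cpu field does not name the current CPU is skipped with no indication to the user. Suggest a comment at the check explaining that it keeps two CPUs from writing to the same ring buffer, plus a line in the user-facing documentation for tools other than perf-record that rely on this feature.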
@@ -0,0 +1,92 @@ +From 572193552d718ea007cda05e3ad08e506524d191 Mon Sep 17 00:00:00 2001 +From: Ravi Bangoria +Date: Tue, 24 Oct 2017 19:50:06 +0530 +Subject: perf symbols: Fix memory corruption because of zero length symbols + +[ Upstream commit 331c7cb307971eac38e9470340e10c87855bf4bc ] + +Perf top is often crashing at very random locations on powerpc. After +investigating, I found the crash only happens when sample is of zero +length symbol. Powerpc kernel has many such symbols which does not +contain length details in vmlinux binary and thus start and end +addresses of such symbols are same. + +Structure + + struct sym_hist { + u64 nr_samples; + u64 period; + struct sym_hist_entry addr[0]; + }; + +has last member 'addr[]' of size zero. 'addr[]' is an array of addresses +that belongs to one symbol (function). If function consist of 100 +instructions, 'addr' points to an array of 100 'struct sym_hist_entry' +elements. For zero length symbol, it points to the *empty* array, i.e. +no members in the array and thus offset 0 is also invalid for such +array. + + static int __symbol__inc_addr_samples(...) + { + ... + offset = addr - sym->start; + h = annotation__histogram(notes, evidx); + h->nr_samples++; + h->addr[offset].nr_samples++; + h->period += sample->period; + h->addr[offset].period += sample->period; + ... + } + +Here, when 'addr' is same as 'sym->start', 'offset' becomes 0, which is +valid for normal symbols but *invalid* for zero length symbols and thus +updating h->addr[offset] causes memory corruption. + +Fix this by adding one dummy element for zero length symbols. + +Link: https://lkml.org/lkml/2016/10/10/148 +Fixes: edee44be5919 ("perf annotate: Don't throw error for zero length symbols") +Signed-off-by: Ravi Bangoria +Acked-by: Jiri Olsa +Acked-by: Namhyung Kim +Cc: Alexander Shishkin +Cc: Jin Yao +Cc: Kim Phillips +Cc: Naveen N. 
Rao +Cc: Peter Zijlstra +Cc: Taeung Song +Link: http://lkml.kernel.org/r/1508854806-10542-1-git-send-email-ravi.bangoria@linux.vnet.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/annotate.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c +index a38227eb5450..3336cbc6ec48 100644 +--- a/tools/perf/util/annotate.c ++++ b/tools/perf/util/annotate.c +@@ -495,9 +495,19 @@ static struct ins *ins__find(const char *name) + int symbol__alloc_hist(struct symbol *sym) + { + struct annotation *notes = symbol__annotation(sym); +- const size_t size = symbol__size(sym); ++ size_t size = symbol__size(sym); + size_t sizeof_sym_hist; + ++ /* ++ * Add buffer of one element for zero length symbol. ++ * When sample is taken from first instruction of ++ * zero length symbol, perf still resolves it and ++ * shows symbol name in perf report and allows to ++ * annotate it. ++ */ ++ if (size == 0) ++ size = 1; ++ + /* Check for overflow when calculating sizeof_sym_hist */ + if (size > (SIZE_MAX - sizeof(struct sym_hist)) / sizeof(u64)) + return -1; +-- +2.17.1 + diff --git a/queue-4.9/perf-tests-fix-indexing-when-invoking-subtests.patch b/queue-4.9/perf-tests-fix-indexing-when-invoking-subtests.patch new file mode 100644 index 00000000000..da25e4ad533 --- /dev/null +++ b/queue-4.9/perf-tests-fix-indexing-when-invoking-subtests.patch 
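Review bot: in symbol__alloc_hist() (tools/perf/util/annotate.c, the perf symbols patch that ends above), the unchanged overflow check still sizes elements as `sizeof(u64)`, while the changelog describes `addr[]` as an array of `struct sym_hist_entry` updated through `h->addr[offset].nr_samples++`. Please confirm which element type the 4.9 tree has. If it is the struct, the one-element buffer added for `size == 0` and the overflow bound are both computed with the wrong element size; if it is a plain u64, say so in the backport note so the quoted structure does not mislead.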
@@ -0,0 +1,107 @@ +From a4a4385ab34314d8dd667f4a65190d83e51a5f6a Mon Sep 17 00:00:00 2001 +From: Sandipan Das +Date: Thu, 26 Jul 2018 22:47:33 +0530 +Subject: perf tests: Fix indexing when invoking subtests + +[ Upstream commit aa90f9f9554616d5738f7bedb4a8f0e5e14d1bc6 ] + +Recently, the subtest numbering was changed to start from 1. While it +is fine for displaying results, this should not be the case when the +subtests are actually invoked. + +Typically, the subtests are stored in zero-indexed arrays and invoked +based on the index passed to the main test function. Since the index +now starts from 1, the second subtest in the array (index 1) gets +invoked instead of the first (index 0). This applies to all of the +following subtests but for the last one, the subtest always fails +because it does not meet the boundary condition of the subtest index +being lesser than the number of subtests. + +This can be observed on powerpc64 and x86_64 systems running Fedora 28 +as shown below. + +Before: + + # perf test "builtin clang support" + 55: builtin clang support : + 55.1: builtin clang compile C source to IR : Ok + 55.2: builtin clang compile C source to ELF object : FAILED! + + # perf test "LLVM search and compile" + 38: LLVM search and compile : + 38.1: Basic BPF llvm compile : Ok + 38.2: kbuild searching : Ok + 38.3: Compile source for BPF prologue generation : Ok + 38.4: Compile source for BPF relocation : FAILED! + + # perf test "BPF filter" + 40: BPF filter : + 40.1: Basic BPF filtering : Ok + 40.2: BPF pinning : Ok + 40.3: BPF prologue generation : Ok + 40.4: BPF relocation checker : FAILED! 
+ +After: + + # perf test "builtin clang support" + 55: builtin clang support : + 55.1: builtin clang compile C source to IR : Ok + 55.2: builtin clang compile C source to ELF object : Ok + + # perf test "LLVM search and compile" + 38: LLVM search and compile : + 38.1: Basic BPF llvm compile : Ok + 38.2: kbuild searching : Ok + 38.3: Compile source for BPF prologue generation : Ok + 38.4: Compile source for BPF relocation : Ok + + # perf test "BPF filter" + 40: BPF filter : + 40.1: Basic BPF filtering : Ok + 40.2: BPF pinning : Ok + 40.3: BPF prologue generation : Ok + 40.4: BPF relocation checker : Ok + +Signed-off-by: Sandipan Das +Reported-by: Arnaldo Carvalho de Melo +Tested-by: Arnaldo Carvalho de Melo +Cc: Heiko Carstens +Cc: Hendrik Brueckner +Cc: Jiri Olsa +Cc: Martin Schwidefsky +Cc: Naveen N. Rao +Cc: Ravi Bangoria +Cc: Thomas Richter +Fixes: 9ef0112442bd ("perf test: Fix subtest number when showing results") +Link: http://lkml.kernel.org/r/20180726171733.33208-1-sandipan@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/builtin-test.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/tests/builtin-test.c b/tools/perf/tests/builtin-test.c +index ade7213943ad..03239956987f 100644 +--- a/tools/perf/tests/builtin-test.c ++++ b/tools/perf/tests/builtin-test.c +@@ -335,7 +335,7 @@ static int test_and_print(struct test *t, bool force_skip, int subtest) + if (!t->subtest.get_nr) + pr_debug("%s:", t->desc); + else +- pr_debug("%s subtest %d:", t->desc, subtest); ++ pr_debug("%s subtest %d:", t->desc, subtest + 1); + + switch (err) { + case TEST_OK: +@@ -413,7 +413,7 @@ static int __cmd_test(int argc, const char *argv[], struct intlist *skiplist) + for (subi = 0; subi < subn; subi++) { + pr_info("%2d.%1d: %-*s:", i, subi + 1, subw, + t->subtest.get_desc(subi)); +- err = test_and_print(t, skip, subi + 1); ++ err = test_and_print(t, skip, subi); + if (err != TEST_OK && 
t->subtest.skip_if_fail) + skip = true; + } +-- +2.17.1 + diff --git a/queue-4.9/perf-x86-intel-uncore-fix-pci-bdf-address-of-m3upi-o.patch b/queue-4.9/perf-x86-intel-uncore-fix-pci-bdf-address-of-m3upi-o.patch new file mode 100644 index 00000000000..6de99422f0f --- /dev/null +++ b/queue-4.9/perf-x86-intel-uncore-fix-pci-bdf-address-of-m3upi-o.patch 
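Review bot: in test_and_print() (tools/perf/tests/builtin-test.c, the perf tests patch that ends above), `subtest` is now a zero-based index that is converted to one-based only for display, but the parameter carries no comment and the `+ 1` conversion lives in both this `pr_debug()` and the `pr_info()` in __cmd_test(). A one-line comment on the parameter (zero-based index into the subtest array) would keep the next caller from reintroducing the off-by-one that made the last subtest fail its bounds check.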
@@ -0,0 +1,66 @@ +From 901b233c9a99656755141a5a2de5ad9a7de69970 Mon Sep 17 00:00:00 2001 +From: Kan Liang +Date: Fri, 21 Sep 2018 07:07:06 -0700 +Subject: perf/x86/intel/uncore: Fix PCI BDF address of M3UPI on SKX + +[ Upstream commit 9d92cfeaf5215158d26d2991be7f7ff865cb98f3 ] + +The counters on M3UPI Link 0 and Link 3 don't count properly, and writing +0 to these counters may causes system crash on some machines. + +The PCI BDF addresses of the M3UPI in the current code are incorrect. + +The correct addresses should be: + + D18:F1 0x204D + D18:F2 0x204E + D18:F5 0x204D + +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Fixes: cd34cd97b7b4 ("perf/x86/intel/uncore: Add Skylake server uncore support") +Link: http://lkml.kernel.org/r/1537538826-55489-1-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore_snbep.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c +index 6bc36944a8c1..8c2a9fa0caf3 100644 +--- a/arch/x86/events/intel/uncore_snbep.c ++++ b/arch/x86/events/intel/uncore_snbep.c +@@ -3767,16 +3767,16 @@ static const struct pci_device_id skx_uncore_pci_ids[] = { + .driver_data = UNCORE_PCI_DEV_FULL_DATA(21, 5, SKX_PCI_UNCORE_M2PCIE, 3), + }, + { /* M3UPI0 Link 0 */ +- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204C), +- .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 0, SKX_PCI_UNCORE_M3UPI, 0), ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204D), ++ .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 1, SKX_PCI_UNCORE_M3UPI, 0), + }, + { /* M3UPI0 Link 1 */ +- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204D), +- .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 1, SKX_PCI_UNCORE_M3UPI, 1), ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204E), 
++ .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 2, SKX_PCI_UNCORE_M3UPI, 1), + }, + { /* M3UPI1 Link 2 */ +- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204C), +- .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 4, SKX_PCI_UNCORE_M3UPI, 2), ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204D), ++ .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 5, SKX_PCI_UNCORE_M3UPI, 2), + }, + { /* end: all zeroes */ } + }; +-- +2.17.1 + diff --git a/queue-4.9/platform-x86-acer-wmi-setup-accelerometer-when-acpi-.patch b/queue-4.9/platform-x86-acer-wmi-setup-accelerometer-when-acpi-.patch new file mode 100644 index 00000000000..731a43e6bc3 --- /dev/null +++ b/queue-4.9/platform-x86-acer-wmi-setup-accelerometer-when-acpi-.patch 
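Review bot: in skx_uncore_pci_ids[] (arch/x86/events/intel/uncore_snbep.c, the uncore patch that ends above), the entries are commented `M3UPI0 Link 0`, `M3UPI0 Link 1` and `M3UPI1 Link 2`, but the changelog says the broken counters are on M3UPI Link 0 and Link 3, and all three entries change. Reconcile the link numbering between the changelog and the table comments, and consider recording the D18:F1/F2/F5 mapping next to the entries, since device ID 0x204D is now matched for two different functions.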
@@ -0,0 +1,68 @@ +From fd30a5819b96e3efba0b6c93c80e3abd7e372a67 Mon Sep 17 00:00:00 2001 +From: "Lee, Chun-Yi" +Date: Fri, 28 Apr 2017 16:23:59 +0800 +Subject: platform/x86: acer-wmi: setup accelerometer when ACPI device was + found + +[ Upstream commit f9ac89f5ad613b462339e845aeb8494646fd9be2 ] + +The 98d610c3739a patch was introduced since v4.11-rc1 that it causes +that the accelerometer input device will not be created on workable +machines because the HID string comparing logic is wrong. + +And, the patch doesn't prevent that the accelerometer input device +be created on the machines that have no BST0001. That's because +the acpi_get_devices() returns success even it didn't find any +match device. + +This patch fixed the HID string comparing logic of BST0001 device. +And, it also makes sure that the acpi_get_devices() returns +acpi_handle for BST0001. + +Fixes: 98d610c3739a ("acer-wmi: setup accelerometer when machine has appropriate notify event") +Reference: https://bugzilla.kernel.org/show_bug.cgi?id=193761 +Reported-by: Samuel Sieb +Signed-off-by: "Lee, Chun-Yi" +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/acer-wmi.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/platform/x86/acer-wmi.c b/drivers/platform/x86/acer-wmi.c +index c29b9b611ab2..1515c9480f89 100644 +--- a/drivers/platform/x86/acer-wmi.c ++++ b/drivers/platform/x86/acer-wmi.c +@@ -1856,7 +1856,7 @@ static acpi_status __init acer_wmi_get_handle_cb(acpi_handle ah, u32 level, + if (!strcmp(ctx, "SENR")) { + if (acpi_bus_get_device(ah, &dev)) + return AE_OK; +- if (!strcmp(ACER_WMID_ACCEL_HID, acpi_device_hid(dev))) ++ if (strcmp(ACER_WMID_ACCEL_HID, acpi_device_hid(dev))) + return AE_OK; + } else + return AE_OK; +@@ -1877,8 +1877,7 @@ static int __init acer_wmi_get_handle(const char *name, const char *prop, + handle = NULL; + status = acpi_get_devices(prop, acer_wmi_get_handle_cb, + (void *)name, &handle); +- +- if 
(ACPI_SUCCESS(status)) { ++ if (ACPI_SUCCESS(status) && handle) { + *ah = handle; + return 0; + } else { +@@ -2247,8 +2246,8 @@ static int __init acer_wmi_init(void) + if (err) + return err; + err = acer_wmi_accel_setup(); +- if (err) +- return err; ++ if (err && err != -ENODEV) ++ pr_warn("Cannot enable accelerometer\n"); + } + + err = platform_driver_register(&acer_platform_driver); +-- +2.17.1 + diff --git a/queue-4.9/ptr_ring-fix-up-after-recent-ptr_ring-changes.patch b/queue-4.9/ptr_ring-fix-up-after-recent-ptr_ring-changes.patch new file mode 100644 index 00000000000..884de6d4082 --- /dev/null +++ b/queue-4.9/ptr_ring-fix-up-after-recent-ptr_ring-changes.patch 
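Review bot: in the acer_wmi_init() hunk of drivers/platform/x86/acer-wmi.c (the acer-wmi patch that ends above), a failing acer_wmi_accel_setup() no longer aborts initialisation, which the changelog does not mention, and the new `pr_warn("Cannot enable accelerometer\n")` drops the error code. Print `err` in the warning and add a sentence to the changelog saying that accelerometer setup failure is now non-fatal, so a reader can tell the relaxed error handling is intended.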
@@ -0,0 +1,71 @@ +From 819097fd57e6821b65617e7d8d0258e0e1fd93ec Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Fri, 8 Dec 2017 17:31:37 +0200 +Subject: ptr_ring: fix up after recent ptr_ring changes + +[ Upstream commit 5790eabc6e7c3ce2d6ca2e3bbf4de467ce2b64b3 ] + +Add more stubs to make it build. + +Fixes: 81fbfe8a ("ptr_ring: use kmalloc_array()") +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + tools/virtio/ringtest/ptr_ring.c | 29 +++++++++++++++++++++++------ + 1 file changed, 23 insertions(+), 6 deletions(-) + +diff --git a/tools/virtio/ringtest/ptr_ring.c b/tools/virtio/ringtest/ptr_ring.c +index 635b07b4fdd3..b4a2e6af515f 100644 +--- a/tools/virtio/ringtest/ptr_ring.c ++++ b/tools/virtio/ringtest/ptr_ring.c +@@ -15,24 +15,41 @@ + #define unlikely(x) (__builtin_expect(!!(x), 0)) + #define likely(x) (__builtin_expect(!!(x), 1)) + #define ALIGN(x, a) (((x) + (a) - 1) / (a) * (a)) ++#define SIZE_MAX (~(size_t)0) ++ + typedef pthread_spinlock_t spinlock_t; + + typedef int gfp_t; +-static void *kmalloc(unsigned size, gfp_t gfp) +-{ +- return memalign(64, size); +-} ++#define __GFP_ZERO 0x1 + +-static void *kzalloc(unsigned size, gfp_t gfp) ++static void *kmalloc(unsigned size, gfp_t gfp) + { + void *p = memalign(64, size); + if (!p) + return p; +- memset(p, 0, size); + ++ if (gfp & __GFP_ZERO) ++ memset(p, 0, size); + return p; + } + ++static inline void *kzalloc(unsigned size, gfp_t flags) ++{ ++ return kmalloc(size, flags | __GFP_ZERO); ++} ++ ++static inline void *kmalloc_array(size_t n, size_t size, gfp_t flags) ++{ ++ if (size != 0 && n > SIZE_MAX / size) ++ return NULL; ++ return kmalloc(n * size, flags); ++} ++ ++static inline void *kcalloc(size_t n, size_t size, gfp_t flags) ++{ ++ return kmalloc_array(n, size, flags | __GFP_ZERO); ++} ++ + static void kfree(void *p) + { + if (p) +-- +2.17.1 + 
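Review bot: in tools/virtio/ringtest/ptr_ring.c, kmalloc_array() checks `n > SIZE_MAX / size` in size_t but then passes `n * size` to `kmalloc(unsigned size, gfp_t gfp)`, so on a build where size_t is wider than unsigned a product above UINT_MAX passes the overflow check and is truncated into a smaller allocation. Change the `size` parameter of the kmalloc() and kzalloc() stubs to size_t so the guard and the allocation agree. Separately, wrap the new `#define SIZE_MAX (~(size_t)0)` in `#ifndef SIZE_MAX` in case <stdint.h> is already pulled in.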
diff --git a/queue-4.9/pxa168fb-prepare-the-clock.patch b/queue-4.9/pxa168fb-prepare-the-clock.patch new file mode 100644 index 00000000000..dfb1d275849 --- /dev/null +++ b/queue-4.9/pxa168fb-prepare-the-clock.patch 
@@ -0,0 +1,80 @@ +From 552752caa05920eb234a866dbe4532311dd2fdf1 Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Wed, 26 Sep 2018 18:11:22 +0200 +Subject: pxa168fb: prepare the clock + +[ Upstream commit d85536cde91fcfed6fb8d983783bd2b92c843939 ] + +Add missing prepare/unprepare operations for fbi->clk, +this fixes following kernel warning: + + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 1 at drivers/clk/clk.c:874 clk_core_enable+0x2c/0x1b0 + Enabling unprepared disp0_clk + Modules linked in: + CPU: 0 PID: 1 Comm: swapper Not tainted 4.18.0-rc8-00032-g02b43ddd4f21-dirty #25 + Hardware name: Marvell MMP2 (Device Tree Support) + [] (unwind_backtrace) from [] (show_stack+0x10/0x14) + [] (show_stack) from [] (__warn+0xd8/0xf0) + [] (__warn) from [] (warn_slowpath_fmt+0x44/0x6c) + [] (warn_slowpath_fmt) from [] (clk_core_enable+0x2c/0x1b0) + [] (clk_core_enable) from [] (clk_core_enable_lock+0x18/0x2c) + [] (clk_core_enable_lock) from [] (pxa168fb_probe+0x464/0x6ac) + [] (pxa168fb_probe) from [] (platform_drv_probe+0x48/0x94) + [] (platform_drv_probe) from [] (driver_probe_device+0x328/0x470) + [] (driver_probe_device) from [] (__driver_attach+0xb0/0x124) + [] (__driver_attach) from [] (bus_for_each_dev+0x64/0xa0) + [] (bus_for_each_dev) from [] (bus_add_driver+0x1b8/0x230) + [] (bus_add_driver) from [] (driver_register+0xac/0xf0) + [] (driver_register) from [] (do_one_initcall+0xb8/0x1f0) + [] (do_one_initcall) from [] (kernel_init_freeable+0x294/0x2e0) + [] (kernel_init_freeable) from [] (kernel_init+0x8/0x10c) + [] (kernel_init) from [] (ret_from_fork+0x14/0x2c) + Exception stack(0xd008bfb0 to 0xd008bff8) + bfa0: 00000000 00000000 00000000 00000000 + bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 + bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 + ---[ end trace c0af40f9e2ed7cb4 ]--- + +Signed-off-by: Lubomir Rintel +[b.zolnierkie: enhance patch description a bit] +Signed-off-by: Bartlomiej 
Zolnierkiewicz +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/pxa168fb.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/video/fbdev/pxa168fb.c b/drivers/video/fbdev/pxa168fb.c +index def3a501acd6..d059d04c63ac 100644 +--- a/drivers/video/fbdev/pxa168fb.c ++++ b/drivers/video/fbdev/pxa168fb.c +@@ -712,7 +712,7 @@ static int pxa168fb_probe(struct platform_device *pdev) + /* + * enable controller clock + */ +- clk_enable(fbi->clk); ++ clk_prepare_enable(fbi->clk); + + pxa168fb_set_par(info); + +@@ -767,7 +767,7 @@ static int pxa168fb_probe(struct platform_device *pdev) + failed_free_cmap: + fb_dealloc_cmap(&info->cmap); + failed_free_clk: +- clk_disable(fbi->clk); ++ clk_disable_unprepare(fbi->clk); + failed_free_fbmem: + dma_free_coherent(fbi->dev, info->fix.smem_len, + info->screen_base, fbi->fb_start_dma); +@@ -807,7 +807,7 @@ static int pxa168fb_remove(struct platform_device *pdev) + dma_free_wc(fbi->dev, PAGE_ALIGN(info->fix.smem_len), + info->screen_base, info->fix.smem_start); + +- clk_disable(fbi->clk); ++ clk_disable_unprepare(fbi->clk); + + framebuffer_release(info); + +-- +2.17.1 + diff --git a/queue-4.9/qed-avoid-constant-logical-operation-warning-in-qed_.patch b/queue-4.9/qed-avoid-constant-logical-operation-warning-in-qed_.patch new file mode 100644 index 00000000000..bb0a8efed5e --- /dev/null +++ b/queue-4.9/qed-avoid-constant-logical-operation-warning-in-qed_.patch 
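Review bot: in pxa168fb_probe() (drivers/video/fbdev/pxa168fb.c, the pxa168fb patch that ends above), the return value of the new `clk_prepare_enable(fbi->clk)` is ignored, so a prepare or enable failure goes on to pxa168fb_set_par() with the clock off. Check the result and bail out through `failed_free_fbmem` rather than `failed_free_clk`, since the latter would call clk_disable_unprepare() on a clock that was never enabled.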
@@ -0,0 +1,53 @@ +From b663ba9588c3c98ed81a119687b7aabc4515a710 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 24 Sep 2018 15:17:03 -0700 +Subject: qed: Avoid constant logical operation warning in qed_vf_pf_acquire + +[ Upstream commit 1c492a9d55ba99079210ed901dd8a5423f980487 ] + +Clang warns when a constant is used in a boolean context as it thinks a +bitwise operation may have been intended. + +drivers/net/ethernet/qlogic/qed/qed_vf.c:415:27: warning: use of logical +'&&' with constant operand [-Wconstant-logical-operand] + if (!p_iov->b_pre_fp_hsi && + ^ +drivers/net/ethernet/qlogic/qed/qed_vf.c:415:27: note: use '&' for a +bitwise operation + if (!p_iov->b_pre_fp_hsi && + ^~ + & +drivers/net/ethernet/qlogic/qed/qed_vf.c:415:27: note: remove constant +to silence this warning + if (!p_iov->b_pre_fp_hsi && + ~^~ +1 warning generated. + +This has been here since commit 1fe614d10f45 ("qed: Relax VF firmware +requirements") and I am not entirely sure why since 0 isn't a special +case. Just remove the statement causing Clang to warn since it isn't +required. + +Link: https://github.com/ClangBuiltLinux/linux/issues/126 +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_vf.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_vf.c b/drivers/net/ethernet/qlogic/qed/qed_vf.c +index faf8215872de..9cc02b94328a 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c +@@ -295,7 +295,6 @@ static int qed_vf_pf_acquire(struct qed_hwfn *p_hwfn) + } + + if (!p_iov->b_pre_fp_hsi && +- ETH_HSI_VER_MINOR && + (resp->pfdev_info.minor_fp_hsi < ETH_HSI_VER_MINOR)) { + DP_INFO(p_hwfn, + "PF is using older fastpath HSI; %02x.%02x is configured\n", +-- +2.17.1 + 
diff --git a/queue-4.9/qed-avoid-implicit-enum-conversion-in-qed_roce_mode_.patch b/queue-4.9/qed-avoid-implicit-enum-conversion-in-qed_roce_mode_.patch new file mode 100644 index 00000000000..4689caf9f11 --- /dev/null +++ b/queue-4.9/qed-avoid-implicit-enum-conversion-in-qed_roce_mode_.patch 
@@ -0,0 +1,72 @@ +From 9248cf95df2d96816ca1ae3cd4c94fdf1f38bcae Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 24 Sep 2018 14:34:53 -0700 +Subject: qed: Avoid implicit enum conversion in qed_roce_mode_to_flavor + +[ Upstream commit d3a315795b4ce8b105a64a90699103121bde04a8 ] + +Clang warns when one enumerated type is implicitly converted to another. + +drivers/net/ethernet/qlogic/qed/qed_roce.c:153:12: warning: implicit +conversion from enumeration type 'enum roce_mode' to different +enumeration type 'enum roce_flavor' [-Wenum-conversion] + flavor = ROCE_V2_IPV6; + ~ ^~~~~~~~~~~~ +drivers/net/ethernet/qlogic/qed/qed_roce.c:156:12: warning: implicit +conversion from enumeration type 'enum roce_mode' to different +enumeration type 'enum roce_flavor' [-Wenum-conversion] + flavor = MAX_ROCE_MODE; + ~ ^~~~~~~~~~~~~ +2 warnings generated. + +Use the appropriate values from the expected type, roce_flavor: + +ROCE_V2_IPV6 = RROCE_IPV6 = 2 +MAX_ROCE_MODE = MAX_ROCE_FLAVOR = 3 + +While we're add it, ditch the local variable flavor, we can just return +the value directly from the switch statement. + +Link: https://github.com/ClangBuiltLinux/linux/issues/125 +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_roce.c | 15 ++++----------- + 1 file changed, 4 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_roce.c b/drivers/net/ethernet/qlogic/qed/qed_roce.c +index d9dcb0d1714c..07783d13df71 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_roce.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_roce.c +@@ -1059,23 +1059,16 @@ static void qed_rdma_copy_gids(struct qed_rdma_qp *qp, __le32 *src_gid, + + static enum roce_flavor qed_roce_mode_to_flavor(enum roce_mode roce_mode) + { +- enum roce_flavor flavor; +- + switch (roce_mode) { + case ROCE_V1: +- flavor = PLAIN_ROCE; +- break; ++ return PLAIN_ROCE; + case ROCE_V2_IPV4: +- flavor = RROCE_IPV4; +- break; ++ return RROCE_IPV4; + case ROCE_V2_IPV6: +- flavor = ROCE_V2_IPV6; +- break; ++ return RROCE_IPV6; + default: +- flavor = MAX_ROCE_MODE; +- break; ++ return MAX_ROCE_FLAVOR; + } +- return flavor; + } + + static int qed_roce_alloc_cid(struct qed_hwfn *p_hwfn, u16 *cid) +-- +2.17.1 + diff --git a/queue-4.9/qed-warn-ptt-usage-by-wrong-hw-function.patch b/queue-4.9/qed-warn-ptt-usage-by-wrong-hw-function.patch new file mode 100644 index 00000000000..734e6fbba07 --- /dev/null +++ b/queue-4.9/qed-warn-ptt-usage-by-wrong-hw-function.patch 
@@ -0,0 +1,54 @@ +From 35289d532f32f3f479ee268a27f7fd778742a438 Mon Sep 17 00:00:00 2001 +From: "Mintz, Yuval" +Date: Thu, 6 Apr 2017 15:58:28 +0300 +Subject: qed: Warn PTT usage by wrong hw-function + +[ Upstream commit 3a50d3518dcba44f8a0f9356b7140fe1499984ea ] + +PTT entries are per-hwfn; If some errneous flow is trying +to use a PTT belonging to a differnet hwfn warn user, as this +can break every register accessing flow later and is very hard +to root-cause. + +Signed-off-by: Yuval Mintz +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_hw.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_hw.c b/drivers/net/ethernet/qlogic/qed/qed_hw.c +index 6e4fae9b1430..944749cfe092 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_hw.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_hw.c +@@ -34,6 +34,7 @@ struct qed_ptt { + struct list_head list_entry; + unsigned int idx; + struct pxp_ptt_entry pxp; ++ u8 hwfn_id; + }; + + struct qed_ptt_pool { +@@ -55,6 +56,7 @@ int qed_ptt_pool_alloc(struct qed_hwfn *p_hwfn) + p_pool->ptts[i].idx = i; + p_pool->ptts[i].pxp.offset = QED_BAR_INVALID_OFFSET; + p_pool->ptts[i].pxp.pretend.control = 0; ++ p_pool->ptts[i].hwfn_id = p_hwfn->my_id; + if (i >= RESERVED_PTT_MAX) + list_add(&p_pool->ptts[i].list_entry, + &p_pool->free_list); +@@ -169,6 +171,11 @@ static u32 qed_set_ptt(struct qed_hwfn *p_hwfn, + + offset = hw_addr - win_hw_addr; + ++ if (p_ptt->hwfn_id != p_hwfn->my_id) ++ DP_NOTICE(p_hwfn, ++ "ptt[%d] of hwfn[%02x] is used by hwfn[%02x]!\n", ++ p_ptt->idx, p_ptt->hwfn_id, p_hwfn->my_id); ++ + /* Verify the address is within the window */ + if (hw_addr < win_hw_addr || + offset >= PXP_EXTERNAL_BAR_PF_WINDOW_SINGLE_SIZE) { +-- +2.17.1 + diff --git a/queue-4.9/qlcnic-fix-tunnel-offload-for-82xx-adapters.patch b/queue-4.9/qlcnic-fix-tunnel-offload-for-82xx-adapters.patch new file mode 100644 index 00000000000..7da3e78e28f --- /dev/null 
+++ b/queue-4.9/qlcnic-fix-tunnel-offload-for-82xx-adapters.patch 
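Review bot: in qed_set_ptt() (drivers/net/ethernet/qlogic/qed/qed_hw.c, the qed PTT patch that ends just above this file header), the hwfn mismatch is only reported with DP_NOTICE() and the function then carries on to the window check with the foreign PTT, although the changelog says this can break every later register access. Consider whether the mismatch path should stop instead of continuing, and make the message one-shot or rate-limited because it sits on the register access path. Minor: `p_ptt->idx` is `unsigned int`, so `ptt[%d]` should be `ptt[%u]`.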
@@ -0,0 +1,117 @@ +From 5b9aedcd0afc7c0d94875c9708a77b9deac5cea4 Mon Sep 17 00:00:00 2001 +From: "Chopra, Manish" +Date: Fri, 2 Jun 2017 06:52:54 -0700 +Subject: qlcnic: Fix tunnel offload for 82xx adapters + +[ Upstream commit 4bd7ef0b033721b659b9357057e76d1ced95c1da ] + +Qlogic's 82xx series adapter doesn't support +tunnel offloads, driver incorrectly assumes that it is +supported and causes firmware hang while running tunnel IO. + +This patch fixes this by not advertising tunnel offloads +for 82xx adapters. + +Signed-off-by: Manish Chopra +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic.h | 26 +++++++++++++++++-- + .../ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 2 ++ + .../net/ethernet/qlogic/qlcnic/qlcnic_main.c | 2 ++ + .../qlogic/qlcnic/qlcnic_sriov_common.c | 2 ++ + 4 files changed, 30 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h b/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h +index 5ddadcd0c8db..f1242ab32ca6 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h +@@ -1825,22 +1825,44 @@ struct qlcnic_hardware_ops { + u32 (*get_cap_size)(void *, int); + void (*set_sys_info)(void *, int, u32); + void (*store_cap_mask)(void *, u32); ++ bool (*encap_rx_offload) (struct qlcnic_adapter *adapter); ++ bool (*encap_tx_offload) (struct qlcnic_adapter *adapter); + }; + + extern struct qlcnic_nic_template qlcnic_vf_ops; + +-static inline bool qlcnic_encap_tx_offload(struct qlcnic_adapter *adapter) ++static inline bool qlcnic_83xx_encap_tx_offload(struct qlcnic_adapter *adapter) + { + return adapter->ahw->extra_capability[0] & + QLCNIC_83XX_FW_CAPAB_ENCAP_TX_OFFLOAD; + } + +-static inline bool qlcnic_encap_rx_offload(struct qlcnic_adapter *adapter) ++static inline bool qlcnic_83xx_encap_rx_offload(struct qlcnic_adapter *adapter) + { + return adapter->ahw->extra_capability[0] & + QLCNIC_83XX_FW_CAPAB_ENCAP_RX_OFFLOAD; 
+ } + ++static inline bool qlcnic_82xx_encap_tx_offload(struct qlcnic_adapter *adapter) ++{ ++ return false; ++} ++ ++static inline bool qlcnic_82xx_encap_rx_offload(struct qlcnic_adapter *adapter) ++{ ++ return false; ++} ++ ++static inline bool qlcnic_encap_rx_offload(struct qlcnic_adapter *adapter) ++{ ++ return adapter->ahw->hw_ops->encap_rx_offload(adapter); ++} ++ ++static inline bool qlcnic_encap_tx_offload(struct qlcnic_adapter *adapter) ++{ ++ return adapter->ahw->hw_ops->encap_tx_offload(adapter); ++} ++ + static inline int qlcnic_start_firmware(struct qlcnic_adapter *adapter) + { + return adapter->nic_ops->start_firmware(adapter); +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c +index 05d32e86bcf7..35c5ac41c0a1 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c +@@ -242,6 +242,8 @@ static struct qlcnic_hardware_ops qlcnic_83xx_hw_ops = { + .get_cap_size = qlcnic_83xx_get_cap_size, + .set_sys_info = qlcnic_83xx_set_sys_info, + .store_cap_mask = qlcnic_83xx_store_cap_mask, ++ .encap_rx_offload = qlcnic_83xx_encap_rx_offload, ++ .encap_tx_offload = qlcnic_83xx_encap_tx_offload, + }; + + static struct qlcnic_nic_template qlcnic_83xx_ops = { +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c +index 3ae3968b0edf..ebf5ead16939 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c +@@ -632,6 +632,8 @@ static struct qlcnic_hardware_ops qlcnic_hw_ops = { + .get_cap_size = qlcnic_82xx_get_cap_size, + .set_sys_info = qlcnic_82xx_set_sys_info, + .store_cap_mask = qlcnic_82xx_store_cap_mask, ++ .encap_rx_offload = qlcnic_82xx_encap_rx_offload, ++ .encap_tx_offload = qlcnic_82xx_encap_tx_offload, + }; + + static int qlcnic_check_multi_tx_capability(struct qlcnic_adapter *adapter) +diff --git 
a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c +index 2f656f395f39..c58180f40844 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c +@@ -77,6 +77,8 @@ static struct qlcnic_hardware_ops qlcnic_sriov_vf_hw_ops = { + .free_mac_list = qlcnic_sriov_vf_free_mac_list, + .enable_sds_intr = qlcnic_83xx_enable_sds_intr, + .disable_sds_intr = qlcnic_83xx_disable_sds_intr, ++ .encap_rx_offload = qlcnic_83xx_encap_rx_offload, ++ .encap_tx_offload = qlcnic_83xx_encap_tx_offload, + }; + + static struct qlcnic_nic_template qlcnic_sriov_vf_ops = { +-- +2.17.1 + diff --git a/queue-4.9/r8152-check-for-supported-wake-on-lan-modes.patch b/queue-4.9/r8152-check-for-supported-wake-on-lan-modes.patch new file mode 100644 index 00000000000..2052f3807ed --- /dev/null +++ b/queue-4.9/r8152-check-for-supported-wake-on-lan-modes.patch 
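Review bot: in drivers/net/ethernet/qlogic/qlcnic/qlcnic.h (the qlcnic patch that ends above), qlcnic_encap_rx_offload() and qlcnic_encap_tx_offload() now call through `adapter->ahw->hw_ops->encap_rx_offload` and `->encap_tx_offload` with no NULL check, so any `struct qlcnic_hardware_ops` table that does not set the two new members turns into a NULL function-pointer call. The patch fills in qlcnic_83xx_hw_ops, qlcnic_hw_ops and qlcnic_sriov_vf_hw_ops; please confirm these are the only instances in the 4.9 tree, or guard the wrappers. Style: the new declarations have a space in `(*encap_rx_offload) (struct qlcnic_adapter *adapter)`, unlike the neighbouring `(*get_cap_size)(void *, int)`.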
@@ -0,0 +1,36 @@ +From dfe366f3283a63b5ce66bb7efaa00a692372518c Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 28 Sep 2018 16:18:54 -0700 +Subject: r8152: Check for supported Wake-on-LAN Modes + +[ Upstream commit f2750df1548bd8a2b060eb609fc43ca82811af4c ] + +The driver does not check for Wake-on-LAN modes specified by an user, +but will conditionally set the device as wake-up enabled or not based on +that, which could be a very confusing user experience. + +Fixes: 21ff2e8976b1 ("r8152: support WOL") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 5988674818ed..02e29562d254 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -3776,6 +3776,9 @@ static int rtl8152_set_wol(struct net_device *dev, struct ethtool_wolinfo *wol) + if (!rtl_can_wakeup(tp)) + return -EOPNOTSUPP; + ++ if (wol->wolopts & ~WAKE_ANY) ++ return -EINVAL; ++ + ret = usb_autopm_get_interface(tp->intf); + if (ret < 0) + goto out_set_wol; +-- +2.17.1 + diff --git a/queue-4.9/rds-ib-fix-missing-call-to-rds_ib_dev_put-in-rds_ib_.patch b/queue-4.9/rds-ib-fix-missing-call-to-rds_ib_dev_put-in-rds_ib_.patch new file mode 100644 index 00000000000..77dd4ddac32 --- /dev/null +++ b/queue-4.9/rds-ib-fix-missing-call-to-rds_ib_dev_put-in-rds_ib_.patch 
@@ -0,0 +1,48 @@ +From 9cd00dcdc4cc54cb6b3eb1b2bb8636ecc6cd5f71 Mon Sep 17 00:00:00 2001 +From: Dag Moxnes +Date: Wed, 25 Apr 2018 13:22:01 +0200 +Subject: rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 91a825290ca4eae88603bc811bf74a45f94a3f46 ] + +The function rds_ib_setup_qp is calling rds_ib_get_client_data and +should correspondingly call rds_ib_dev_put. This call was lost in +the non-error path with the introduction of error handling done in +commit 3b12f73a5c29 ("rds: ib: add error handle") + +Signed-off-by: Dag Moxnes +Reviewed-by: Håkon Bugge +Acked-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rds/ib_cm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/rds/ib_cm.c b/net/rds/ib_cm.c +index 169156cfd4c8..96e61eab19bc 100644 +--- a/net/rds/ib_cm.c ++++ b/net/rds/ib_cm.c +@@ -505,7 +505,7 @@ static int rds_ib_setup_qp(struct rds_connection *conn) + rdsdebug("conn %p pd %p cq %p %p\n", conn, ic->i_pd, + ic->i_send_cq, ic->i_recv_cq); + +- return ret; ++ goto out; + + sends_out: + vfree(ic->i_sends); +@@ -530,6 +530,7 @@ send_cq_out: + ic->i_send_cq = NULL; + rds_ibdev_out: + rds_ib_remove_conn(rds_ibdev, conn); ++out: + rds_ib_dev_put(rds_ibdev); + + return ret; +-- +2.17.1 + diff --git a/queue-4.9/reset-hi6220-set-module-license-so-that-it-can-be-lo.patch b/queue-4.9/reset-hi6220-set-module-license-so-that-it-can-be-lo.patch new file mode 100644 index 00000000000..faf1f4ef666 --- /dev/null +++ b/queue-4.9/reset-hi6220-set-module-license-so-that-it-can-be-lo.patch 
@@ -0,0 +1,34 @@ +From 650f9c207a40d6e64629fdbc441623613987cc12 Mon Sep 17 00:00:00 2001 +From: Jeremy Linton +Date: Sat, 8 Apr 2017 02:18:40 -0500 +Subject: reset: hi6220: Set module license so that it can be loaded + +[ Upstream commit 4497a224f759cd8350e07382307b55f870ef0df2 ] + +The hi6220_reset driver can be built as a standalone module +yet it cannot be loaded because it depends on GPL exported symbols. + +Lets set the module license so that the module loads, and things like +the on-board kirin drm starts working. + +Signed-off-by: Jeremy Linton +Reviewed-by: Xinliang Liu +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/reset/hisilicon/hi6220_reset.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/reset/hisilicon/hi6220_reset.c b/drivers/reset/hisilicon/hi6220_reset.c +index 35ce53edabf9..d5e5229308f2 100644 +--- a/drivers/reset/hisilicon/hi6220_reset.c ++++ b/drivers/reset/hisilicon/hi6220_reset.c +@@ -155,3 +155,5 @@ static int __init hi6220_reset_init(void) + } + + postcore_initcall(hi6220_reset_init); ++ ++MODULE_LICENSE("GPL v2"); +-- +2.17.1 + diff --git a/queue-4.9/revert-ib-ipoib-update-broadcast-object-if-pkey-valu.patch b/queue-4.9/revert-ib-ipoib-update-broadcast-object-if-pkey-valu.patch new file mode 100644 index 00000000000..e7531cad484 --- /dev/null +++ b/queue-4.9/revert-ib-ipoib-update-broadcast-object-if-pkey-valu.patch 
@@ -0,0 +1,78 @@ +From 238345c78c64846c24daa9aca738cc618f64ea72 Mon Sep 17 00:00:00 2001 +From: Alex Estrin +Date: Tue, 26 Sep 2017 06:06:22 -0700 +Subject: Revert "IB/ipoib: Update broadcast object if PKey value was changed + in index 0" + +[ Upstream commit 612601d0013f03de9dc134809f242ba6da9ca252 ] + +commit 9a9b8112699d will cause core to fail UD QP from being destroyed +on ipoib unload, therefore cause resources leakage. +On pkey change event above patch modifies mgid before calling underlying +driver to detach it from QP. Drivers' detach_mcast() will fail to find +modified mgid it was never given to attach in a first place. +Core qp->usecnt will never go down, so ib_destroy_qp() will fail. + +IPoIB driver actually does take care of new broadcast mgid based on new +pkey by destroying an old mcast object in ipoib_mcast_dev_flush()) +.... + if (priv->broadcast) { + rb_erase(&priv->broadcast->rb_node, &priv->multicast_tree); + list_add_tail(&priv->broadcast->list, &remove_list); + priv->broadcast = NULL; + } +... + +then in restarted ipoib_macst_join_task() creating a new broadcast mcast +object, sending join request and on completion tells the driver to attach +to reinitialized QP: +... +if (!priv->broadcast) { +... + broadcast = ipoib_mcast_alloc(dev, 0); +... + memcpy(broadcast->mcmember.mgid.raw, priv->dev->broadcast + 4, + sizeof (union ib_gid)); + priv->broadcast = broadcast; +... 
+ +Fixes: 9a9b8112699d ("IB/ipoib: Update broadcast object if PKey value was changed in index 0") +Cc: stable@vger.kernel.org +Reviewed-by: Mike Marciniszyn +Reviewed-by: Dennis Dalessandro +Signed-off-by: Alex Estrin +Signed-off-by: Dennis Dalessandro +Reviewed-by: Feras Daoud +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/ipoib/ipoib_ib.c | 13 ------------- + 1 file changed, 13 deletions(-) + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_ib.c b/drivers/infiniband/ulp/ipoib/ipoib_ib.c +index 3dd5bf6c6c7a..ad3089c23e18 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c +@@ -974,19 +974,6 @@ static inline int update_parent_pkey(struct ipoib_dev_priv *priv) + */ + priv->dev->broadcast[8] = priv->pkey >> 8; + priv->dev->broadcast[9] = priv->pkey & 0xff; +- +- /* +- * Update the broadcast address in the priv->broadcast object, +- * in case it already exists, otherwise no one will do that. +- */ +- if (priv->broadcast) { +- spin_lock_irq(&priv->lock); +- memcpy(priv->broadcast->mcmember.mgid.raw, +- priv->dev->broadcast + 4, +- sizeof(union ib_gid)); +- spin_unlock_irq(&priv->lock); +- } +- + return 0; + } + +-- +2.17.1 + diff --git a/queue-4.9/rxe-fix-a-sleep-in-atomic-bug-in-post_one_send.patch b/queue-4.9/rxe-fix-a-sleep-in-atomic-bug-in-post_one_send.patch new file mode 100644 index 00000000000..e107f63d17c --- /dev/null +++ b/queue-4.9/rxe-fix-a-sleep-in-atomic-bug-in-post_one_send.patch 
@@ -0,0 +1,48 @@ +From f090ca3367a7f98550990b912d4d7f6d59f51d0d Mon Sep 17 00:00:00 2001 +From: Jia-Ju Bai +Date: Mon, 5 Jun 2017 20:23:40 +0800 +Subject: rxe: Fix a sleep-in-atomic bug in post_one_send + +[ Upstream commit 07d432bb97f19dd5e784175152f9fce3b2646133 ] + +The driver may sleep under a spin lock, and the function call path is: +post_one_send (acquire the lock by spin_lock_irqsave) + init_send_wqe + copy_from_user --> may sleep + +There is no flow that makes "qp->is_user" true, and copy_from_user may +cause bug when a non-user pointer is used. So the lines of copy_from_user +and check of "qp->is_user" are removed. + +Signed-off-by: Jia-Ju Bai +Reviewed-by: Leon Romanovsky +Acked-by: Moni Shoua +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_verbs.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c +index ced416f5dffb..ef13082d6ca1 100644 +--- a/drivers/infiniband/sw/rxe/rxe_verbs.c ++++ b/drivers/infiniband/sw/rxe/rxe_verbs.c +@@ -729,13 +729,8 @@ static int init_send_wqe(struct rxe_qp *qp, struct ib_send_wr *ibwr, + + sge = ibwr->sg_list; + for (i = 0; i < num_sge; i++, sge++) { +- if (qp->is_user && copy_from_user(p, (__user void *) +- (uintptr_t)sge->addr, sge->length)) +- return -EFAULT; +- +- else if (!qp->is_user) +- memcpy(p, (void *)(uintptr_t)sge->addr, +- sge->length); ++ memcpy(p, (void *)(uintptr_t)sge->addr, ++ sge->length); + + p += sge->length; + } +-- +2.17.1 + diff --git a/queue-4.9/rxrpc-don-t-check-rxrpc_call_tx_last-after-calling-r.patch b/queue-4.9/rxrpc-don-t-check-rxrpc_call_tx_last-after-calling-r.patch new file mode 100644 index 00000000000..121e8a7132c --- /dev/null +++ b/queue-4.9/rxrpc-don-t-check-rxrpc_call_tx_last-after-calling-r.patch 
@@ -0,0 +1,126 @@ +From 3dd24de51ce4acd13355a59d3feb0e76cb436bdf Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Mon, 8 Oct 2018 15:46:01 +0100 +Subject: rxrpc: Don't check RXRPC_CALL_TX_LAST after calling + rxrpc_rotate_tx_window() + +[ Upstream commit c479d5f2c2e1ce609da08c075054440d97ddff52 ] + +We should only call the function to end a call's Tx phase if we rotated the +marked-last packet out of the transmission buffer. + +Make rxrpc_rotate_tx_window() return an indication of whether it just +rotated the packet marked as the last out of the transmit buffer, carrying +the information out of the locked section in that function. + +We can then check the return value instead of examining RXRPC_CALL_TX_LAST. + +Fixes: 70790dbe3f66 ("rxrpc: Pass the last Tx packet marker in the annotation buffer") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/input.c | 35 +++++++++++++++++++---------------- + 1 file changed, 19 insertions(+), 16 deletions(-) + +diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c +index f3ac85a285a2..7bfde4737cb3 100644 +--- a/net/rxrpc/input.c ++++ b/net/rxrpc/input.c +@@ -216,10 +216,11 @@ static void rxrpc_send_ping(struct rxrpc_call *call, struct sk_buff *skb, + /* + * Apply a hard ACK by advancing the Tx window. 
+ */ +-static void rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to, ++static bool rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to, + struct rxrpc_ack_summary *summary) + { + struct sk_buff *skb, *list = NULL; ++ bool rot_last = false; + int ix; + u8 annotation; + +@@ -243,15 +244,17 @@ static void rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to, + skb->next = list; + list = skb; + +- if (annotation & RXRPC_TX_ANNO_LAST) ++ if (annotation & RXRPC_TX_ANNO_LAST) { + set_bit(RXRPC_CALL_TX_LAST, &call->flags); ++ rot_last = true; ++ } + if ((annotation & RXRPC_TX_ANNO_MASK) != RXRPC_TX_ANNO_ACK) + summary->nr_rot_new_acks++; + } + + spin_unlock(&call->lock); + +- trace_rxrpc_transmit(call, (test_bit(RXRPC_CALL_TX_LAST, &call->flags) ? ++ trace_rxrpc_transmit(call, (rot_last ? + rxrpc_transmit_rotate_last : + rxrpc_transmit_rotate)); + wake_up(&call->waitq); +@@ -262,6 +265,8 @@ static void rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to, + skb->next = NULL; + rxrpc_free_skb(skb, rxrpc_skb_tx_freed); + } ++ ++ return rot_last; + } + + /* +@@ -332,11 +337,11 @@ static bool rxrpc_receiving_reply(struct rxrpc_call *call) + ktime_get_real()); + } + +- if (!test_bit(RXRPC_CALL_TX_LAST, &call->flags)) +- rxrpc_rotate_tx_window(call, top, &summary); + if (!test_bit(RXRPC_CALL_TX_LAST, &call->flags)) { +- rxrpc_proto_abort("TXL", call, top); +- return false; ++ if (!rxrpc_rotate_tx_window(call, top, &summary)) { ++ rxrpc_proto_abort("TXL", call, top); ++ return false; ++ } + } + if (!rxrpc_end_tx_phase(call, true, "ETD")) + return false; +@@ -839,8 +844,12 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb, + if (nr_acks > call->tx_top - hard_ack) + return rxrpc_proto_abort("AKN", call, 0); + +- if (after(hard_ack, call->tx_hard_ack)) +- rxrpc_rotate_tx_window(call, hard_ack, &summary); ++ if (after(hard_ack, call->tx_hard_ack)) { ++ if (rxrpc_rotate_tx_window(call, hard_ack, &summary)) { ++ 
rxrpc_end_tx_phase(call, false, "ETA"); ++ return; ++ } ++ } + + if (nr_acks > 0) { + if (skb_copy_bits(skb, offset, buf.acks, nr_acks) < 0) +@@ -849,11 +858,6 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb, + &summary); + } + +- if (test_bit(RXRPC_CALL_TX_LAST, &call->flags)) { +- rxrpc_end_tx_phase(call, false, "ETA"); +- return; +- } +- + if (call->rxtx_annotations[call->tx_top & RXRPC_RXTX_BUFF_MASK] & + RXRPC_TX_ANNO_LAST && + summary.nr_acks == call->tx_top - hard_ack && +@@ -875,8 +879,7 @@ static void rxrpc_input_ackall(struct rxrpc_call *call, struct sk_buff *skb) + + _proto("Rx ACKALL %%%u", sp->hdr.serial); + +- rxrpc_rotate_tx_window(call, call->tx_top, &summary); +- if (test_bit(RXRPC_CALL_TX_LAST, &call->flags)) ++ if (rxrpc_rotate_tx_window(call, call->tx_top, &summary)) + rxrpc_end_tx_phase(call, false, "ETL"); + } + +-- +2.17.1 + diff --git a/queue-4.9/rxrpc-only-take-the-rwind-and-mtu-values-from-latest.patch b/queue-4.9/rxrpc-only-take-the-rwind-and-mtu-values-from-latest.patch new file mode 100644 index 00000000000..9d175e71c7b --- /dev/null +++ b/queue-4.9/rxrpc-only-take-the-rwind-and-mtu-values-from-latest.patch 
@@ -0,0 +1,58 @@ +From f8c62cf32961acca7553bca98548fde02248721b Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Mon, 8 Oct 2018 15:46:11 +0100 +Subject: rxrpc: Only take the rwind and mtu values from latest ACK + +[ Upstream commit 298bc15b2079c324e82d0a6fda39c3d762af7282 ] + +Move the out-of-order and duplicate ACK packet check to before the call to +rxrpc_input_ackinfo() so that the receive window size and MTU size are only +checked in the latest ACK packet and don't regress. + +Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/input.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c +index 7bfde4737cb3..a4380e182e6c 100644 +--- a/net/rxrpc/input.c ++++ b/net/rxrpc/input.c +@@ -808,6 +808,16 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb, + rxrpc_propose_ack_respond_to_ack); + } + ++ /* Discard any out-of-order or duplicate ACKs. */ ++ if (before_eq(sp->hdr.serial, call->acks_latest)) { ++ _debug("discard ACK %d <= %d", ++ sp->hdr.serial, call->acks_latest); ++ return; ++ } ++ call->acks_latest_ts = skb->tstamp; ++ call->acks_latest = sp->hdr.serial; ++ ++ /* Parse rwind and mtu sizes if provided. */ + ioffset = offset + nr_acks + 3; + if (skb->len >= ioffset + sizeof(buf.info)) { + if (skb_copy_bits(skb, ioffset, &buf.info, sizeof(buf.info)) < 0) +@@ -829,15 +839,6 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb, + return; + } + +- /* Discard any out-of-order or duplicate ACKs. 
*/ +- if (before_eq(sp->hdr.serial, call->acks_latest)) { +- _debug("discard ACK %d <= %d", +- sp->hdr.serial, call->acks_latest); +- return; +- } +- call->acks_latest_ts = skb->tstamp; +- call->acks_latest = sp->hdr.serial; +- + if (before(hard_ack, call->tx_hard_ack) || + after(hard_ack, call->tx_top)) + return rxrpc_proto_abort("AKW", call, 0); +-- +2.17.1 + diff --git a/queue-4.9/scsi-aacraid-fix-typo-in-blink-status.patch b/queue-4.9/scsi-aacraid-fix-typo-in-blink-status.patch new file mode 100644 index 00000000000..945bcdc8ab1 --- /dev/null +++ b/queue-4.9/scsi-aacraid-fix-typo-in-blink-status.patch @@ -0,0 +1,36 @@ +From 301c415a23d87f1f50cc8733820d37bf8c7a1e4b Mon Sep 17 00:00:00 2001 +From: Raghava Aditya Renukunta +Date: Thu, 2 Mar 2017 09:21:33 -0800 +Subject: scsi: aacraid: Fix typo in blink status + +[ Upstream commit 934767c56b0d9dbb95a40e9e6e4d9dcdc3a165ad ] + +The return status of the adapter check on KERNEL_PANIC is supposed to be +the upper 16 bits of the OMR status register. + +Fixes: c421530bf848604e (scsi: aacraid: Reorder Adpater status check) +Reported-by: Dan Carpenter +Signed-off-by: Raghava Aditya Renukunta +Reviewed-by: Dave Carroll +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/aacraid/src.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/aacraid/src.c b/drivers/scsi/aacraid/src.c +index 7b178d765726..c0592fda409e 100644 +--- a/drivers/scsi/aacraid/src.c ++++ b/drivers/scsi/aacraid/src.c +@@ -445,7 +445,7 @@ err_out: + return -1; + + err_blink: +- return (status > 16) & 0xFF; ++ return (status >> 16) & 0xFF; + } + + /** +-- +2.17.1 + diff --git a/queue-4.9/scsi-qla2xxx-avoid-double-completion-of-abort-comman.patch b/queue-4.9/scsi-qla2xxx-avoid-double-completion-of-abort-comman.patch new file mode 100644 index 00000000000..9e2bbbe85e5 --- /dev/null +++ b/queue-4.9/scsi-qla2xxx-avoid-double-completion-of-abort-comman.patch 
@@ -0,0 +1,40 @@ +From 90c0a48c5ad7f229cb87bf1c9942e55f1e230163 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Tue, 20 Mar 2018 21:05:48 +0000 +Subject: scsi: qla2xxx: Avoid double completion of abort command + +[ Upstream commit 3a9910d7b686546dcc9986e790af17e148f1c888 ] + +qla2x00_tmf_sp_done() now deletes the timer that will run +qla2x00_tmf_iocb_timeout(), but doesn't check whether the timer already +expired. Check the return value from del_timer() to avoid calling +complete() a second time. + +Fixes: 4440e46d5db7 ("[SCSI] qla2xxx: Add IOCB Abort command asynchronous ...") +Fixes: 1514839b3664 ("scsi: qla2xxx: Fix NULL pointer crash due to active ...") +Signed-off-by: Ben Hutchings +Acked-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_init.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index 5f66b6da65f2..b6d9e3104b89 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -368,8 +368,8 @@ qla24xx_abort_sp_done(void *data, void *ptr, int res) + srb_t *sp = (srb_t *)ptr; + struct srb_iocb *abt = &sp->u.iocb_cmd; + +- del_timer(&sp->u.iocb_cmd.timer); +- complete(&abt->u.abt.comp); ++ if (del_timer(&sp->u.iocb_cmd.timer)) ++ complete(&abt->u.abt.comp); + } + + static int +-- +2.17.1 + diff --git a/queue-4.9/sctp-use-right-member-as-the-param-of-list_for_each_.patch b/queue-4.9/sctp-use-right-member-as-the-param-of-list_for_each_.patch new file mode 100644 index 00000000000..52f6b5a69c7 --- /dev/null +++ b/queue-4.9/sctp-use-right-member-as-the-param-of-list_for_each_.patch 
@@ -0,0 +1,52 @@ +From d3defbed265453adbedb11d0b801d94114ca109a Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Sun, 26 Nov 2017 20:56:07 +0800 +Subject: sctp: use right member as the param of list_for_each_entry + +[ Upstream commit a8dd397903a6e57157f6265911f7d35681364427 ] + +Commit d04adf1b3551 ("sctp: reset owner sk for data chunks on out queues +when migrating a sock") made a mistake that using 'list' as the param of +list_for_each_entry to traverse the retransmit, sacked and abandoned +queues, while chunks are using 'transmitted_list' to link into these +queues. + +It could cause NULL dereference panic if there are chunks in any of these +queues when peeling off one asoc. + +So use the chunk member 'transmitted_list' instead in this patch. + +Fixes: d04adf1b3551 ("sctp: reset owner sk for data chunks on out queues when migrating a sock") +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Acked-by: Neil Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/socket.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 64d2d9ea2f8c..16aa8673f918 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -185,13 +185,13 @@ static void sctp_for_each_tx_datachunk(struct sctp_association *asoc, + list_for_each_entry(chunk, &t->transmitted, transmitted_list) + cb(chunk); + +- list_for_each_entry(chunk, &q->retransmit, list) ++ list_for_each_entry(chunk, &q->retransmit, transmitted_list) + cb(chunk); + +- list_for_each_entry(chunk, &q->sacked, list) ++ list_for_each_entry(chunk, &q->sacked, transmitted_list) + cb(chunk); + +- list_for_each_entry(chunk, &q->abandoned, list) ++ list_for_each_entry(chunk, &q->abandoned, transmitted_list) + cb(chunk); + + list_for_each_entry(chunk, &q->out_chunk_list, list) +-- +2.17.1 + diff --git a/queue-4.9/series b/queue-4.9/series new file mode 100644 index 00000000000..a44cb168215 --- /dev/null +++ b/queue-4.9/series 
@@ -0,0 +1,132 @@ +xfrm-validate-address-prefix-lengths-in-the-xfrm-sel.patch +xfrm6-call-kfree_skb-when-skb-is-toobig.patch +mac80211-always-report-tx-status.patch +cfg80211-reg-init-wiphy_idx-in-regulatory_hint_core.patch +mac80211-fix-pending-queue-hang-due-to-tx_drop.patch +cfg80211-address-some-corner-cases-in-scan-result-ch.patch +mac80211-tdls-fix-skb-queue-priority-assignment.patch +arm-8799-1-mm-fix-pci_ioremap_io-offset-check.patch +xfrm-validate-template-mode.patch +arm-dts-bcm63xx-fix-incorrect-interrupt-specifiers.patch +net-macb-clean-64b-dma-addresses-if-they-are-not-det.patch +soc-fsl-qbman-qman-avoid-allocating-from-non-existin.patch +soc-fsl-qe-fix-copy-paste-bug-in-ucc_get_tdm_sync_sh.patch +nl80211-fix-possible-spectre-v1-for-nl80211_txrate_h.patch +mac80211_hwsim-do-not-omit-multicast-announce-of-fir.patch +bluetooth-smp-fix-crash-in-unpairing.patch +pxa168fb-prepare-the-clock.patch +qed-avoid-implicit-enum-conversion-in-qed_roce_mode_.patch +qed-avoid-constant-logical-operation-warning-in-qed_.patch +asix-check-for-supported-wake-on-lan-modes.patch +ax88179_178a-check-for-supported-wake-on-lan-modes.patch +lan78xx-check-for-supported-wake-on-lan-modes.patch +sr9800-check-for-supported-wake-on-lan-modes.patch +r8152-check-for-supported-wake-on-lan-modes.patch +smsc75xx-check-for-wake-on-lan-modes.patch +smsc95xx-check-for-wake-on-lan-modes.patch +perf-ring_buffer-prevent-concurent-ring-buffer-acces.patch +perf-x86-intel-uncore-fix-pci-bdf-address-of-m3upi-o.patch +net-fec-fix-rare-tx-timeout.patch +declance-fix-continuation-with-the-adapter-identific.patch +net-cxgb3_main-fix-a-missing-check-bug.patch +perf-symbols-fix-memory-corruption-because-of-zero-l.patch +mm-memory_hotplug.c-fix-overflow-in-test_pages_in_a_.patch +mips-micromips-fix-decoding-of-swsp16-instruction.patch +mips-handle-non-word-sized-instructions-when-examini.patch +scsi-aacraid-fix-typo-in-blink-status.patch +f2fs-fix-multiple-f2fs_add_link-having-same-name-for.patch 
+igb-remove-superfluous-reset-to-phy-and-page-0-selec.patch +acpi-sysfs-make-acpi-gpe-mask-kernel-parameter-cover.patch +pci-disable-msi-for-hisilicon-hip06-hip07-only-in-ro.patch +i2c-bcm2835-avoid-possible-null-ptr-dereference.patch +efi-fb-correct-pci_std_resource_end-usage.patch +ipv6-set-rt6i_protocol-properly-in-the-route-when-it.patch +platform-x86-acer-wmi-setup-accelerometer-when-acpi-.patch +ib-ipoib-do-not-warn-if-ipoib-debugfs-doesn-t-exist.patch +ib-core-fix-the-validations-of-a-multicast-lid-in-at.patch +orangefs-off-by-ones-in-xattr-size-checks.patch +rxe-fix-a-sleep-in-atomic-bug-in-post_one_send.patch +nvme-pci-fix-cmb-sysfs-file-removal-in-reset-path.patch +net-phy-marvell-limit-88m1101-autoneg-errata-to-88e1.patch +net-mlx5-fix-command-completion-after-timeout-access.patch +tipc-fix-tipc_sk_reinit-handling-of-eagain.patch +tipc-fix-a-race-condition-of-releasing-subscriber-ob.patch +bnxt_en-don-t-use-rtnl-lock-to-protect-link-change-l.patch +ath10k-fix-napi-enable-disable-symmetry-for-ahb-inte.patch +arm-dts-bcm283x-reserve-first-page-for-firmware.patch +btrfs-fiemap-cache-and-merge-fiemap-extent-before-su.patch +ata-sata_rcar-handle-return-value-of-clk_prepare_ena.patch +reset-hi6220-set-module-license-so-that-it-can-be-lo.patch +asoc-intel-skylake-fix-to-parse-consecutive-string-t.patch +arch-sparc-increase-config_nodes_shift-on-sparc64-to.patch +mac80211-fix-tx-aggregation-start-stop-callback-race.patch +libata-fix-error-checking-in-in-ata_parse_force_one.patch +net-ethernet-stmmac-fix-altr_tse_pcs-sgmii-initializ.patch +qlcnic-fix-tunnel-offload-for-82xx-adapters.patch +x86-cpu-cyrix-add-alternative-device-id-of-geode-gx1.patch +arm-8677-1-boot-compressed-fix-decompressor-header-l.patch +gpu-ipu-v3-fix-csi-selection-for-vdic.patch +elevator-fix-truncation-of-icq_cache_name.patch +net-stmmac-ensure-jumbo_frm-error-return-is-correctl.patch +btrfs-clear-extent_defrag-bits-in-finish_ordered_io.patch 
+ufs-we-need-to-sync-inode-before-freeing-it.patch +net-mlx5e-fix-fixpoint-divide-exception-in-mlx5e_am_.patch +ip6_tunnel-correct-tos-value-in-collect_md-mode.patch +net-mlx5-fix-driver-load-error-flow-when-firmware-is.patch +perf-evsel-fix-probing-of-precise_ip-level-for-defau.patch +perf-probe-fix-probe-definition-for-inlined-function.patch +net-mlx5-fix-health-work-queue-spin-lock-to-irq-safe.patch +usb-renesas_usbhs-gadget-fix-spin_lock_init-for-uep-.patch +usb-renesas_usbhs-gadget-fix-unused-but-set-variable.patch +usb-dwc3-omap-remove-irq_noautoen-used-with-shared-i.patch +clk-samsung-fix-m2m-scaler-clock-on-exynos542x.patch +ptr_ring-fix-up-after-recent-ptr_ring-changes.patch +staging-wilc1000-fix-problem-with-wrong-vif-index.patch +rds-ib-fix-missing-call-to-rds_ib_dev_put-in-rds_ib_.patch +iio-adc-revert-axp288-drop-bogus-axp288_adc_ts_pin_c.patch +qed-warn-ptt-usage-by-wrong-hw-function.patch +ocfs2-fix-deadlock-caused-by-recursive-locking-in-xa.patch +net-cdc_ncm-getntbformat-endian-fix.patch +sctp-use-right-member-as-the-param-of-list_for_each_.patch +alsa-hda-no-loopback-on-alc299-codec.patch +x86-power-fix-some-ordering-bugs-in-__restore_proces.patch +ath10k-convert-warning-about-non-existent-otp-board-.patch +ipv6-fix-cleanup-ordering-for-ip6_mr-failure.patch +ib-ipoib-fix-lockdep-issue-found-on-ipoib_ib_dev_hea.patch +ib-rxe-put-the-pool-on-allocation-failure.patch +nbd-only-set-msg_more-when-we-have-more-to-send.patch +mm-frame_vector.c-release-a-semaphore-in-get_vaddr_f.patch +ib-mlx5-avoid-passing-an-invalid-qp-type-to-firmware.patch +scsi-qla2xxx-avoid-double-completion-of-abort-comman.patch +drm-bochs-don-t-remove-uninitialized-fbdev-framebuff.patch +i40e-avoid-nvm-acquire-deadlock-during-nvm-update.patch +revert-ib-ipoib-update-broadcast-object-if-pkey-valu.patch +btrfs-incremental-send-fix-invalid-memory-access.patch +drm-msm-fix-possible-null-dereference-on-failure-of-.patch +arm-tegra-fix-ulpi-regression-on-tegra20.patch 
+module-fix-debug_set_module_ronx-typo.patch +iio-pressure-zpa2326-remove-always-true-check-which-.patch +l2tp-remove-configurable-payload-offset.patch +macsec-fix-memory-leaks-when-skb_to_sgvec-fails.patch +perf-core-fix-locking-for-children-siblings-group-re.patch +cifs-use-ull-suffix-for-64-bit-constant.patch +futex-futex_wake_op-do-not-fail-on-invalid-op.patch +alsa-hda-fix-incorrect-usage-of-is_reachable.patch +test_bpf-fix-testing-with-config_bpf_jit_always_on-y.patch +xen-netfront-update-features-after-registering-netde.patch +sparc64-fix-regression-in-pmdp_invalidate.patch +xen-netfront-fix-mismatched-rtnl_unlock.patch +enic-do-not-overwrite-error-code.patch +bonding-ratelimit-failed-speed-duplex-update-warning.patch +nvmet-fix-space-padding-in-serial-number.patch +iio-buffer-fix-the-function-signature-to-match-imple.patch +x86-paravirt-fix-some-warning-messages.patch +ib-mlx4-fix-an-error-handling-path-in-mlx4_ib_rereg_.patch +libertas-call-into-generic-suspend-code-before-turni.patch +xhci-fix-usb3-null-pointer-dereference-at-logical-di.patch +perf-tests-fix-indexing-when-invoking-subtests.patch +arm-dts-imx53-qsb-disable-1.2ghz-opp.patch +rxrpc-don-t-check-rxrpc_call_tx_last-after-calling-r.patch +rxrpc-only-take-the-rwind-and-mtu-values-from-latest.patch +net-ena-fix-null-dereference-due-to-untimely-napi-in.patch +fs-fat-fatent.c-add-cond_resched-to-fat_count_free_c.patch diff --git a/queue-4.9/smsc75xx-check-for-wake-on-lan-modes.patch b/queue-4.9/smsc75xx-check-for-wake-on-lan-modes.patch new file mode 100644 index 00000000000..b32d17aedab --- /dev/null +++ b/queue-4.9/smsc75xx-check-for-wake-on-lan-modes.patch 
@@ -0,0 +1,36 @@ +From 470b7eb7fdfaf7d4a3b7639aeb4a44f8a3dbc092 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 28 Sep 2018 16:18:55 -0700 +Subject: smsc75xx: Check for Wake-on-LAN modes + +[ Upstream commit 9c734b2769a73eea2e9e9767c0e0bf839ff23679 ] + +The driver does not check for Wake-on-LAN modes specified by an user, +but will conditionally set the device as wake-up enabled or not based on +that, which could be a very confusing user experience. + +Fixes: 6c636503260d ("smsc75xx: add wol magic packet support") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc75xx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c +index 8d3f938c6a51..977d9c772554 100644 +--- a/drivers/net/usb/smsc75xx.c ++++ b/drivers/net/usb/smsc75xx.c +@@ -731,6 +731,9 @@ static int smsc75xx_ethtool_set_wol(struct net_device *net, + struct smsc75xx_priv *pdata = (struct smsc75xx_priv *)(dev->data[0]); + int ret; + ++ if (wolinfo->wolopts & ~SUPPORTED_WAKE) ++ return -EINVAL; ++ + pdata->wolopts = wolinfo->wolopts & SUPPORTED_WAKE; + + ret = device_set_wakeup_enable(&dev->udev->dev, pdata->wolopts); +-- +2.17.1 + diff --git a/queue-4.9/smsc95xx-check-for-wake-on-lan-modes.patch b/queue-4.9/smsc95xx-check-for-wake-on-lan-modes.patch new file mode 100644 index 00000000000..67a6d03fbe7 --- /dev/null +++ b/queue-4.9/smsc95xx-check-for-wake-on-lan-modes.patch 
@@ -0,0 +1,36 @@ +From a8845cfa6f488f4b8346795e5647b781806fcdba Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 28 Sep 2018 16:18:56 -0700 +Subject: smsc95xx: Check for Wake-on-LAN modes + +[ Upstream commit c530c471ba37bdd9fe1c7185b01455c00ae606fb ] + +The driver does not check for Wake-on-LAN modes specified by an user, +but will conditionally set the device as wake-up enabled or not based on +that, which could be a very confusing user experience. + +Fixes: e0e474a83c18 ("smsc95xx: add wol magic packet support") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc95xx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c +index 831aa33d078a..a167116ceeee 100644 +--- a/drivers/net/usb/smsc95xx.c ++++ b/drivers/net/usb/smsc95xx.c +@@ -775,6 +775,9 @@ static int smsc95xx_ethtool_set_wol(struct net_device *net, + struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); + int ret; + ++ if (wolinfo->wolopts & ~SUPPORTED_WAKE) ++ return -EINVAL; ++ + pdata->wolopts = wolinfo->wolopts & SUPPORTED_WAKE; + + ret = device_set_wakeup_enable(&dev->udev->dev, pdata->wolopts); +-- +2.17.1 + diff --git a/queue-4.9/soc-fsl-qbman-qman-avoid-allocating-from-non-existin.patch b/queue-4.9/soc-fsl-qbman-qman-avoid-allocating-from-non-existin.patch new file mode 100644 index 00000000000..bd607881119 --- /dev/null +++ b/queue-4.9/soc-fsl-qbman-qman-avoid-allocating-from-non-existin.patch 
@@ -0,0 +1,39 @@ +From e7b53b5630d7bfbbd3becb928e4df7f5d1d14594 Mon Sep 17 00:00:00 2001 +From: Alexandre Belloni +Date: Thu, 23 Aug 2018 23:36:00 +0200 +Subject: soc: fsl: qbman: qman: avoid allocating from non existing gen_pool + +[ Upstream commit 64e9e22e68512da8df3c9a7430f07621e48db3c2 ] + +If the qman driver didn't probe, calling qman_alloc_fqid_range, +qman_alloc_pool_range or qman_alloc_cgrid_range (as done in dpaa_eth) will +pass a NULL pointer to gen_pool_alloc, leading to a NULL pointer +dereference. + +Signed-off-by: Alexandre Belloni +Reviewed-by: Roy Pledge +Signed-off-by: Li Yang +(cherry picked from commit f72487a2788aa70c3aee1d0ebd5470de9bac953a) +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + drivers/soc/fsl/qbman/qman.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c +index 2caacd9d2526..2cc82ed6433a 100644 +--- a/drivers/soc/fsl/qbman/qman.c ++++ b/drivers/soc/fsl/qbman/qman.c +@@ -2713,6 +2713,9 @@ static int qman_alloc_range(struct gen_pool *p, u32 *result, u32 cnt) + { + unsigned long addr; + ++ if (!p) ++ return -ENODEV; ++ + addr = gen_pool_alloc(p, cnt); + if (!addr) + return -ENOMEM; +-- +2.17.1 + diff --git a/queue-4.9/soc-fsl-qe-fix-copy-paste-bug-in-ucc_get_tdm_sync_sh.patch b/queue-4.9/soc-fsl-qe-fix-copy-paste-bug-in-ucc_get_tdm_sync_sh.patch new file mode 100644 index 00000000000..8edc0a23f42 --- /dev/null +++ b/queue-4.9/soc-fsl-qe-fix-copy-paste-bug-in-ucc_get_tdm_sync_sh.patch 
@@ -0,0 +1,37 @@ +From 05b7e9871237ade8980acfbecf24f07b6a5aabd1 Mon Sep 17 00:00:00 2001 +From: Zhao Qiang +Date: Thu, 1 Feb 2018 14:54:32 +0800 +Subject: soc: fsl: qe: Fix copy/paste bug in ucc_get_tdm_sync_shift() + +[ Upstream commit 96fc74333f84cfdf8d434c6c07254e215e2aad00 ] + +There is a copy and paste bug so we accidentally use the RX_ shift when +we're in TX_ mode. + +Fixes: bb8b2062aff3 ("fsl/qe: setup clock source for TDM mode") +Signed-off-by: Dan Carpenter +Signed-off-by: Zhao Qiang +Signed-off-by: Li Yang +(cherry picked from commit 3cb31b634052ed458922e0c8e2b4b093d7fb60b9) +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + drivers/soc/fsl/qe/ucc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/fsl/qe/ucc.c b/drivers/soc/fsl/qe/ucc.c +index c646d8713861..681f7d4b7724 100644 +--- a/drivers/soc/fsl/qe/ucc.c ++++ b/drivers/soc/fsl/qe/ucc.c +@@ -626,7 +626,7 @@ static u32 ucc_get_tdm_sync_shift(enum comm_dir mode, u32 tdm_num) + { + u32 shift; + +- shift = (mode == COMM_DIR_RX) ? RX_SYNC_SHIFT_BASE : RX_SYNC_SHIFT_BASE; ++ shift = (mode == COMM_DIR_RX) ? RX_SYNC_SHIFT_BASE : TX_SYNC_SHIFT_BASE; + shift -= tdm_num * 2; + + return shift; +-- +2.17.1 + diff --git a/queue-4.9/sparc64-fix-regression-in-pmdp_invalidate.patch b/queue-4.9/sparc64-fix-regression-in-pmdp_invalidate.patch new file mode 100644 index 00000000000..3d957e63e98 --- /dev/null +++ b/queue-4.9/sparc64-fix-regression-in-pmdp_invalidate.patch 
@@ -0,0 +1,76 @@ +From 8e5600fb392b50affc0c5e8a9450374070fc2996 Mon Sep 17 00:00:00 2001 +From: "David S. Miller" +Date: Thu, 15 Mar 2018 14:18:00 -0700 +Subject: sparc64: Fix regression in pmdp_invalidate(). + +[ Upstream commit cfb61b5e3e09f8b49bc4d685429df75f45127adc ] + +pmdp_invalidate() was changed to update the pmd atomically +(to not lose dirty/access bits) and return the original pmd +value. + +However, in doing so, we lost a lot of the essential work that +set_pmd_at() does, namely to update hugepage mapping counts and +queuing up the batched TLB flush entry. + +Thus we were not flushing entries out of the TLB when making +such PMD changes. + +Fix this by abstracting the accounting work of set_pmd_at() out into a +separate function, and call it from pmdp_establish(). + +Fixes: a8e654f01cb7 ("sparc64: update pmdp_invalidate() to return old pmd value") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + arch/sparc/mm/tlb.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/arch/sparc/mm/tlb.c b/arch/sparc/mm/tlb.c +index b2722ed31053..349cb83f7b5f 100644 +--- a/arch/sparc/mm/tlb.c ++++ b/arch/sparc/mm/tlb.c +@@ -163,13 +163,10 @@ static void tlb_batch_pmd_scan(struct mm_struct *mm, unsigned long vaddr, + pte_unmap(pte); + } + +-void set_pmd_at(struct mm_struct *mm, unsigned long addr, +- pmd_t *pmdp, pmd_t pmd) +-{ +- pmd_t orig = *pmdp; +- +- *pmdp = pmd; + ++static void __set_pmd_acct(struct mm_struct *mm, unsigned long addr, ++ pmd_t orig, pmd_t pmd) ++{ + if (mm == &init_mm) + return; + +@@ -219,6 +216,15 @@ void set_pmd_at(struct mm_struct *mm, unsigned long addr, + } + } + ++void set_pmd_at(struct mm_struct *mm, unsigned long addr, ++ pmd_t *pmdp, pmd_t pmd) ++{ ++ pmd_t orig = *pmdp; ++ ++ *pmdp = pmd; ++ __set_pmd_acct(mm, addr, orig, pmd); ++} ++ + static inline pmd_t pmdp_establish(struct vm_area_struct *vma, + unsigned long address, pmd_t *pmdp, pmd_t pmd) + { +@@ -227,6 +233,7 @@ static 
inline pmd_t pmdp_establish(struct vm_area_struct *vma, + do { + old = *pmdp; + } while (cmpxchg64(&pmdp->pmd, old.pmd, pmd.pmd) != old.pmd); ++ __set_pmd_acct(vma->vm_mm, address, old, pmd); + + return old; + } +-- +2.17.1 + diff --git a/queue-4.9/sr9800-check-for-supported-wake-on-lan-modes.patch b/queue-4.9/sr9800-check-for-supported-wake-on-lan-modes.patch new file mode 100644 index 00000000000..fb1afd3ce39 --- /dev/null +++ b/queue-4.9/sr9800-check-for-supported-wake-on-lan-modes.patch @@ -0,0 +1,36 @@ +From 2726931738369b05354178fca21aedf378cc8554 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 28 Sep 2018 16:18:53 -0700 +Subject: sr9800: Check for supported Wake-on-LAN modes + +[ Upstream commit c5cb93e994ffb43b7b3b1ff10b9f928f54574a36 ] + +The driver currently silently accepts unsupported Wake-on-LAN modes +(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user, +which is confusing. + +Fixes: 19a38d8e0aa3 ("USB2NET : SR9800 : One chip USB2.0 USB2NET SR9800 Device Driver Support") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/sr9800.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/sr9800.c b/drivers/net/usb/sr9800.c +index a50df0d8fb9a..004c955c1fd1 100644 +--- a/drivers/net/usb/sr9800.c ++++ b/drivers/net/usb/sr9800.c +@@ -421,6 +421,9 @@ sr_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo) + struct usbnet *dev = netdev_priv(net); + u8 opt = 0; + ++ if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC)) ++ return -EINVAL; ++ + if (wolinfo->wolopts & WAKE_PHY) + opt |= SR_MONITOR_LINK; + if (wolinfo->wolopts & WAKE_MAGIC) +-- +2.17.1 + diff --git a/queue-4.9/staging-wilc1000-fix-problem-with-wrong-vif-index.patch b/queue-4.9/staging-wilc1000-fix-problem-with-wrong-vif-index.patch new file mode 100644 index 00000000000..de87a342a9a --- /dev/null +++ b/queue-4.9/staging-wilc1000-fix-problem-with-wrong-vif-index.patch 
@@ -0,0 +1,63 @@ +From 66b41b94504973225fbcfdd35c040d090512af94 Mon Sep 17 00:00:00 2001 +From: Aditya Shankar +Date: Fri, 7 Apr 2017 17:24:58 +0530 +Subject: staging: wilc1000: Fix problem with wrong vif index + +[ Upstream commit 0e490657c7214cce33fbca3d88227298c5c968ae ] + +The vif->idx value is always 0 for two interfaces. + +wl->vif_num = 0; + +loop { + ... + + vif->idx = wl->vif_num; + ... + wl->vif_num = i; + .... + i++; + ... +} + +At present, vif->idx is assigned the value of wl->vif_num +at the beginning of this block and device is initialized +based on this index value. +In the next iteration, wl->vif_num is still 0 as it is only updated +later but gets assigned to vif->idx in the beginning. This causes problems +later when we try to reference a particular interface and also while +configuring the firmware. + +This patch moves the assignment to vif->idx from the beginning +of the block to after wl->vif_num is updated with latest value of i. + +Fixes: commit 735bb39ca3be ("staging: wilc1000: simplify vif[i]->ndev accesses") +Cc: +Signed-off-by: Aditya Shankar +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/wilc1000/linux_wlan.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/wilc1000/linux_wlan.c b/drivers/staging/wilc1000/linux_wlan.c +index 07d6e4824a9d..2e5e3b368532 100644 +--- a/drivers/staging/wilc1000/linux_wlan.c ++++ b/drivers/staging/wilc1000/linux_wlan.c +@@ -1260,11 +1260,12 @@ int wilc_netdev_init(struct wilc **wilc, struct device *dev, int io_type, + else + strcpy(ndev->name, "p2p%d"); + +- vif->idx = wl->vif_num; + vif->wilc = *wilc; + vif->ndev = ndev; + wl->vif[i] = vif; + wl->vif_num = i; ++ vif->idx = wl->vif_num; ++ + ndev->netdev_ops = &wilc_netdev_ops; + + { +-- +2.17.1 + 
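Review bot: in the wilc_netdev_init() hunk, the new `vif->idx = wl->vif_num;` is only correct because it sits directly after `wl->vif_num = i;`, which is the same ordering dependency the commit message describes as the cause of the bug. Assigning `vif->idx = i;` would give the same value without relying on statement order, so a later reshuffle of these lines could not bring back the stale index. The extra blank line added after the assignment is unrelated whitespace and could be dropped.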
diff --git a/queue-4.9/test_bpf-fix-testing-with-config_bpf_jit_always_on-y.patch b/queue-4.9/test_bpf-fix-testing-with-config_bpf_jit_always_on-y.patch new file mode 100644 index 00000000000..0da350f8c8d --- /dev/null +++ b/queue-4.9/test_bpf-fix-testing-with-config_bpf_jit_always_on-y.patch @@ -0,0 +1,43 @@ +From 9a51ff5096ba5138d7e6bb9f8e6f98fc45ee4040 Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Tue, 20 Mar 2018 09:58:51 -0300 +Subject: test_bpf: Fix testing with CONFIG_BPF_JIT_ALWAYS_ON=y on other arches + +[ Upstream commit 52fda36d63bfc8c8e8ae5eda8eb5ac6f52cd67ed ] + +Function bpf_fill_maxinsns11 is designed to not be able to be JITed on +x86_64. So, it fails when CONFIG_BPF_JIT_ALWAYS_ON=y, and +commit 09584b406742 ("bpf: fix selftests/bpf test_kmod.sh failure when +CONFIG_BPF_JIT_ALWAYS_ON=y") makes sure that failure is detected on that +case. + +However, it does not fail on other architectures, which have a different +JIT compiler design. So, test_bpf has started to fail to load on those. + +After this fix, test_bpf loads fine on both x86_64 and ppc64el. + +Fixes: 09584b406742 ("bpf: fix selftests/bpf test_kmod.sh failure when CONFIG_BPF_JIT_ALWAYS_ON=y") +Signed-off-by: Thadeu Lima de Souza Cascardo +Reviewed-by: Yonghong Song +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + lib/test_bpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/test_bpf.c b/lib/test_bpf.c +index 1586dfdea809..960d4d627361 100644 +--- a/lib/test_bpf.c ++++ b/lib/test_bpf.c +@@ -4874,7 +4874,7 @@ static struct bpf_test tests[] = { + { + "BPF_MAXINSNS: Jump, gap, jump, ...", + { }, +-#ifdef CONFIG_BPF_JIT_ALWAYS_ON ++#if defined(CONFIG_BPF_JIT_ALWAYS_ON) && defined(CONFIG_X86) + CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, + #else + CLASSIC | FLAG_NO_DATA, +-- +2.17.1 + 
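Review bot: the new guard in the tests[] entry for "BPF_MAXINSNS: Jump, gap, jump, ..." tests `defined(CONFIG_X86)`, while the commit message describes the expected failure as specific to x86_64. Either use `defined(CONFIG_X86_64)` so the condition matches the description, or add a short comment next to the `#if` saying why the broader symbol is intended, so the next architecture that hits this does not have to rediscover the reasoning from the changelog.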
diff --git a/queue-4.9/tipc-fix-a-race-condition-of-releasing-subscriber-ob.patch b/queue-4.9/tipc-fix-a-race-condition-of-releasing-subscriber-ob.patch new file mode 100644 index 00000000000..33bd697b2ce --- /dev/null +++ b/queue-4.9/tipc-fix-a-race-condition-of-releasing-subscriber-ob.patch 
@@ -0,0 +1,90 @@ +From 87a5780982aa1974965a64f45ed7aadc71f9d45f Mon Sep 17 00:00:00 2001 +From: Ying Xue +Date: Tue, 22 Aug 2017 12:28:41 +0200 +Subject: tipc: fix a race condition of releasing subscriber object + +[ Upstream commit fd849b7c41f0fabfe783d0691a63c5518e8ebc99 ] + +No matter whether a request is inserted into workqueue as a work item +to cancel a subscription or to delete a subscription's subscriber +asynchronously, the work items may be executed in different workers. +As a result, it doesn't mean that one request which is raised prior to +another request is definitely handled before the latter. By contrast, +if the latter request is executed before the former request, below +error may happen: + +[ 656.183644] BUG: spinlock bad magic on CPU#0, kworker/u8:0/12117 +[ 656.184487] general protection fault: 0000 [#1] SMP +[ 656.185160] Modules linked in: tipc ip6_udp_tunnel udp_tunnel 9pnet_virtio 9p 9pnet virtio_net virtio_pci virtio_ring virtio [last unloaded: ip6_udp_tunnel] +[ 656.187003] CPU: 0 PID: 12117 Comm: kworker/u8:0 Not tainted 4.11.0-rc7+ #6 +[ 656.187920] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 +[ 656.188690] Workqueue: tipc_rcv tipc_recv_work [tipc] +[ 656.189371] task: ffff88003f5cec40 task.stack: ffffc90004448000 +[ 656.190157] RIP: 0010:spin_bug+0xdd/0xf0 +[ 656.190678] RSP: 0018:ffffc9000444bcb8 EFLAGS: 00010202 +[ 656.191375] RAX: 0000000000000034 RBX: ffff88003f8d1388 RCX: 0000000000000000 +[ 656.192321] RDX: ffff88003ba13708 RSI: ffff88003ba0cd08 RDI: ffff88003ba0cd08 +[ 656.193265] RBP: ffffc9000444bcd0 R08: 0000000000000030 R09: 000000006b6b6b6b +[ 656.194208] R10: ffff8800bde3e000 R11: 00000000000001b4 R12: 6b6b6b6b6b6b6b6b +[ 656.195157] R13: ffffffff81a3ca64 R14: ffff88003f8d1388 R15: ffff88003f8d13a0 +[ 656.196101] FS: 0000000000000000(0000) GS:ffff88003ba00000(0000) knlGS:0000000000000000 +[ 656.197172] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 656.197935] CR2: 00007f0b3d2e6000 CR3: 000000003ef9e000 CR4: 
00000000000006f0 +[ 656.198873] Call Trace: +[ 656.199210] do_raw_spin_lock+0x66/0xa0 +[ 656.199735] _raw_spin_lock_bh+0x19/0x20 +[ 656.200258] tipc_subscrb_subscrp_delete+0x28/0xf0 [tipc] +[ 656.200990] tipc_subscrb_rcv_cb+0x45/0x260 [tipc] +[ 656.201632] tipc_receive_from_sock+0xaf/0x100 [tipc] +[ 656.202299] tipc_recv_work+0x2b/0x60 [tipc] +[ 656.202872] process_one_work+0x157/0x420 +[ 656.203404] worker_thread+0x69/0x4c0 +[ 656.203898] kthread+0x138/0x170 +[ 656.204328] ? process_one_work+0x420/0x420 +[ 656.204889] ? kthread_create_on_node+0x40/0x40 +[ 656.205527] ret_from_fork+0x29/0x40 +[ 656.206012] Code: 48 8b 0c 25 00 c5 00 00 48 c7 c7 f0 24 a3 81 48 81 c1 f0 05 00 00 65 8b 15 61 ef f5 7e e8 9a 4c 09 00 4d 85 e4 44 8b 4b 08 74 92 <45> 8b 84 24 40 04 00 00 49 8d 8c 24 f0 05 00 00 eb 8d 90 0f 1f +[ 656.208504] RIP: spin_bug+0xdd/0xf0 RSP: ffffc9000444bcb8 +[ 656.209798] ---[ end trace e2a800e6eb0770be ]--- + +In above scenario, the request of deleting subscriber was performed +earlier than the request of canceling a subscription although the +latter was issued before the former, which means tipc_subscrb_delete() +was called before tipc_subscrp_cancel(). As a result, when +tipc_subscrb_subscrp_delete() called by tipc_subscrp_cancel() was +executed to cancel a subscription, the subscription's subscriber +refcnt had been decreased to 1. After tipc_subscrp_delete() where +the subscriber was freed because its refcnt was decremented to zero, +but the subscriber's lock had to be released, as a consequence, panic +happened. + +By contrast, if we increase subscriber's refcnt before +tipc_subscrb_subscrp_delete() is called in tipc_subscrp_cancel(), +the panic issue can be avoided. + +Fixes: d094c4d5f5c7 ("tipc: add subscription refcount to avoid invalid delete") +Reported-by: Parthasarathy Bhuvaragan +Signed-off-by: Ying Xue +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/tipc/subscr.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/tipc/subscr.c b/net/tipc/subscr.c +index 271cd66e4b3b..c2646446e157 100644 +--- a/net/tipc/subscr.c ++++ b/net/tipc/subscr.c +@@ -256,7 +256,9 @@ static void tipc_subscrp_delete(struct tipc_subscription *sub) + static void tipc_subscrp_cancel(struct tipc_subscr *s, + struct tipc_subscriber *subscriber) + { ++ tipc_subscrb_get(subscriber); + tipc_subscrb_subscrp_delete(subscriber, s); ++ tipc_subscrb_put(subscriber); + } + + static struct tipc_subscription *tipc_subscrp_create(struct net *net, +-- +2.17.1 + diff --git a/queue-4.9/tipc-fix-tipc_sk_reinit-handling-of-eagain.patch b/queue-4.9/tipc-fix-tipc_sk_reinit-handling-of-eagain.patch new file mode 100644 index 00000000000..cb28b6acbe1 --- /dev/null +++ b/queue-4.9/tipc-fix-tipc_sk_reinit-handling-of-eagain.patch 
@@ -0,0 +1,60 @@ +From a59f2d5ea964bf68b8942379cb0a04dfb5e4d66a Mon Sep 17 00:00:00 2001 +From: Bob Peterson +Date: Wed, 23 Aug 2017 10:43:02 -0400 +Subject: tipc: Fix tipc_sk_reinit handling of -EAGAIN + +[ Upstream commit 6c7e983b220f89e03286dc70a41c7ef3a8b409df ] + +In 9dbbfb0ab6680c6a85609041011484e6658e7d3c function tipc_sk_reinit +had additional logic added to loop in the event that function +rhashtable_walk_next() returned -EAGAIN. No worries. + +However, if rhashtable_walk_start returns -EAGAIN, it does "continue", +and therefore skips the call to rhashtable_walk_stop(). That has +the effect of calling rcu_read_lock() without its paired call to +rcu_read_unlock(). Since rcu_read_lock() may be nested, the problem +may not be apparent for a while, especially since resize events may +be rare. But the comments to rhashtable_walk_start() state: + + * ...Note that we take the RCU lock in all + * cases including when we return an error. So you must always call + * rhashtable_walk_stop to clean up. + +This patch replaces the continue with a goto and label to ensure a +matching call to rhashtable_walk_stop(). + +Signed-off-by: Bob Peterson +Acked-by: Herbert Xu +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/tipc/socket.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/tipc/socket.c b/net/tipc/socket.c +index 25bc5c30d7fb..9d3f047305ce 100644 +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -2277,8 +2277,8 @@ void tipc_sk_reinit(struct net *net) + + do { + tsk = ERR_PTR(rhashtable_walk_start(&iter)); +- if (tsk) +- continue; ++ if (IS_ERR(tsk)) ++ goto walk_stop; + + while ((tsk = rhashtable_walk_next(&iter)) && !IS_ERR(tsk)) { + spin_lock_bh(&tsk->sk.sk_lock.slock); +@@ -2287,7 +2287,7 @@ void tipc_sk_reinit(struct net *net) + msg_set_orignode(msg, tn->own_addr); + spin_unlock_bh(&tsk->sk.sk_lock.slock); + } +- ++walk_stop: + rhashtable_walk_stop(&iter); + } while (tsk == ERR_PTR(-EAGAIN)); + } +-- +2.17.1 + diff --git a/queue-4.9/ufs-we-need-to-sync-inode-before-freeing-it.patch b/queue-4.9/ufs-we-need-to-sync-inode-before-freeing-it.patch new file mode 100644 index 00000000000..e9708b2feee --- /dev/null +++ b/queue-4.9/ufs-we-need-to-sync-inode-before-freeing-it.patch @@ -0,0 +1,28 @@ +From a0578b054ef6a9db7e26464599a728e75b73fd96 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 10 Jun 2017 12:01:50 -0400 +Subject: ufs: we need to sync inode before freeing it + +[ Upstream commit 67a70017fa0a152657bc7e337e69bb9c9f5549bf ] + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/ufs/inode.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ufs/inode.c b/fs/ufs/inode.c +index a2760a2869f4..0f22c036699a 100644 +--- a/fs/ufs/inode.c ++++ b/fs/ufs/inode.c +@@ -846,6 +846,7 @@ void ufs_evict_inode(struct inode * inode) + inode->i_size = 0; + if (inode->i_blocks) + ufs_truncate_blocks(inode); ++ ufs_update_inode(inode, inode_needs_sync(inode)); + } + + invalidate_inode_buffers(inode); +-- +2.17.1 + 
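Review bot: in the tipc_sk_reinit() hunks, nothing in the code says why `goto walk_stop` has to be a jump into the loop body rather than the `continue` it replaces. The commit message quotes the rhashtable_walk_start() comment that the RCU lock is taken even on error, but that reasoning is not carried into the source; a one-line comment at the `if (IS_ERR(tsk))` branch stating that rhashtable_walk_stop() must run on the error path too would keep a later cleanup from restoring the unbalanced rcu_read_lock(). It is also worth noting there that the retry relies on `tsk` still holding the ERR_PTR value when the `while (tsk == ERR_PTR(-EAGAIN))` condition is evaluated.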
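Review bot: the ufs_evict_inode() hunk adds `ufs_update_inode(inode, inode_needs_sync(inode));` with no explanation anywhere: the commit message has a subject line and no body, and the call has no comment. Please say, in the changelog or above the call, what goes wrong when the inode is freed without this write-back after `ufs_truncate_blocks(inode)`. If the call can report an error, the hunk discards it, so the comment should also state why that is acceptable on the eviction path.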
diff --git a/queue-4.9/usb-dwc3-omap-remove-irq_noautoen-used-with-shared-i.patch b/queue-4.9/usb-dwc3-omap-remove-irq_noautoen-used-with-shared-i.patch new file mode 100644 index 00000000000..36c95a2a382 --- /dev/null +++ b/queue-4.9/usb-dwc3-omap-remove-irq_noautoen-used-with-shared-i.patch 
@@ -0,0 +1,69 @@ +From 23a2bb27a354ac0f8b9d716a4d0f1e50211e1ebc Mon Sep 17 00:00:00 2001 +From: Vignesh R +Date: Fri, 7 Jul 2017 11:52:52 +0530 +Subject: usb: dwc3: omap: remove IRQ_NOAUTOEN used with shared irq + +[ Upstream commit ee249b4554947de3be77be4e9e6077b20c0fe055 ] + +IRQ_NOAUTOEN cannot be used with shared IRQs, since commit 04c848d39879 +("genirq: Warn when IRQ_NOAUTOEN is used with shared interrupts") and +kernel now throws a warn dump. But OMAP DWC3 driver uses this flag. As +per commit 12a7f17fac5b ("usb: dwc3: omap: fix race of pm runtime with +irq handler in probe") that introduced this flag, PM runtime can race +with IRQ handler when deferred probing happens due to extcon, +therefore IRQ_NOAUTOEN needs to be set so that irq is not enabled until +extcon is registered. + +Remove setting of IRQ_NOAUTOEN and move the registration of +shared irq to a point after dwc3_omap_extcon_register() and +of_platform_populate(). This avoids possibility of probe deferring and +above said race condition. 
+ +Reviewed-by: Grygorii Strashko +Signed-off-by: Vignesh R +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-omap.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/drivers/usb/dwc3/dwc3-omap.c b/drivers/usb/dwc3/dwc3-omap.c +index f221cb479e14..8e69150776f5 100644 +--- a/drivers/usb/dwc3/dwc3-omap.c ++++ b/drivers/usb/dwc3/dwc3-omap.c +@@ -512,15 +512,6 @@ static int dwc3_omap_probe(struct platform_device *pdev) + + /* check the DMA Status */ + reg = dwc3_omap_readl(omap->base, USBOTGSS_SYSCONFIG); +- irq_set_status_flags(omap->irq, IRQ_NOAUTOEN); +- ret = devm_request_threaded_irq(dev, omap->irq, dwc3_omap_interrupt, +- dwc3_omap_interrupt_thread, IRQF_SHARED, +- "dwc3-omap", omap); +- if (ret) { +- dev_err(dev, "failed to request IRQ #%d --> %d\n", +- omap->irq, ret); +- goto err1; +- } + + ret = dwc3_omap_extcon_register(omap); + if (ret < 0) +@@ -532,8 +523,15 @@ static int dwc3_omap_probe(struct platform_device *pdev) + goto err2; + } + ++ ret = devm_request_threaded_irq(dev, omap->irq, dwc3_omap_interrupt, ++ dwc3_omap_interrupt_thread, IRQF_SHARED, ++ "dwc3-omap", omap); ++ if (ret) { ++ dev_err(dev, "failed to request IRQ #%d --> %d\n", ++ omap->irq, ret); ++ goto err1; ++ } + dwc3_omap_enable_irqs(omap); +- enable_irq(omap->irq); + return 0; + + err2: +-- +2.17.1 + diff --git a/queue-4.9/usb-renesas_usbhs-gadget-fix-spin_lock_init-for-uep-.patch b/queue-4.9/usb-renesas_usbhs-gadget-fix-spin_lock_init-for-uep-.patch new file mode 100644 index 00000000000..069d1caa557 --- /dev/null +++ b/queue-4.9/usb-renesas_usbhs-gadget-fix-spin_lock_init-for-uep-.patch 
@@ -0,0 +1,48 @@ +From 5c668dd496376a1331c9d4c5396a3921c09568c1 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Wed, 9 Aug 2017 19:55:24 +0900 +Subject: usb: renesas_usbhs: gadget: fix spin_lock_init() for &uep->lock + +[ Upstream commit 14a8d4bfc2102f85ce097563d151370c91c1898a ] + +This patch fixes an issue that the spin_lock_init() is not called +for almost all pipes. Otherwise, the lockdep output the following +message when we connect a usb cable using g_ncm: + + INFO: trying to register non-static key. + the code is fine but needs lockdep annotation. + turning off the locking correctness validator. + +Reported-by: Kazuya Mizuguchi +Fixes: b8b9c974afee ("usb: renesas_usbhs: gadget: disable all eps when the driver stops") +Signed-off-by: Yoshihiro Shimoda +Tested-by: Kazuya Mizuguchi +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/renesas_usbhs/mod_gadget.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c b/drivers/usb/renesas_usbhs/mod_gadget.c +index 93fba9033b00..54a3237aac08 100644 +--- a/drivers/usb/renesas_usbhs/mod_gadget.c ++++ b/drivers/usb/renesas_usbhs/mod_gadget.c +@@ -1085,7 +1085,6 @@ int usbhs_mod_gadget_probe(struct usbhs_priv *priv) + ret = -ENOMEM; + goto usbhs_mod_gadget_probe_err_gpriv; + } +- spin_lock_init(&uep->lock); + + gpriv->transceiver = usb_get_phy(USB_PHY_TYPE_UNDEFINED); + dev_info(dev, "%stransceiver found\n", +@@ -1135,6 +1134,7 @@ int usbhs_mod_gadget_probe(struct usbhs_priv *priv) + uep->ep.name = uep->ep_name; + uep->ep.ops = &usbhsg_ep_ops; + INIT_LIST_HEAD(&uep->ep.ep_list); ++ spin_lock_init(&uep->lock); + + /* init DCP */ + if (usbhsg_is_dcp(uep)) { +-- +2.17.1 + diff --git a/queue-4.9/usb-renesas_usbhs-gadget-fix-unused-but-set-variable.patch b/queue-4.9/usb-renesas_usbhs-gadget-fix-unused-but-set-variable.patch new file mode 100644 index 00000000000..067b84439e3 --- /dev/null 
+++ b/queue-4.9/usb-renesas_usbhs-gadget-fix-unused-but-set-variable.patch @@ -0,0 +1,47 @@ +From 74cc8300e77d05433c7a7fb3d0e70532ac90fc5c Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Fri, 28 Jul 2017 19:28:57 +0900 +Subject: usb: renesas_usbhs: gadget: fix unused-but-set-variable warning + +[ Upstream commit b7d44c36a6f6d956e1539e0dd42f98b26e5a4684 ] + +The commit b8b9c974afee ("usb: renesas_usbhs: gadget: disable all eps +when the driver stops") causes the unused-but-set-variable warning. +But, if the usbhsg_ep_disable() will return non-zero value, udc/core.c +doesn't clear the ep->enabled flag. So, this driver should not return +non-zero value, if the pipe is zero because this means the pipe is +already disabled. Otherwise, the ep->enabled flag is never cleared +when the usbhsg_ep_disable() is called by the renesas_usbhs driver first. + +Fixes: b8b9c974afee ("usb: renesas_usbhs: gadget: disable all eps when the driver stops") +Fixes: 11432050f070 ("usb: renesas_usbhs: gadget: fix NULL pointer dereference in ep_disable()") +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/renesas_usbhs/mod_gadget.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c b/drivers/usb/renesas_usbhs/mod_gadget.c +index 54a3237aac08..5984fb134cf4 100644 +--- a/drivers/usb/renesas_usbhs/mod_gadget.c ++++ b/drivers/usb/renesas_usbhs/mod_gadget.c +@@ -639,14 +639,11 @@ static int usbhsg_ep_disable(struct usb_ep *ep) + struct usbhsg_uep *uep = usbhsg_ep_to_uep(ep); + struct usbhs_pipe *pipe; + unsigned long flags; +- int ret = 0; + + spin_lock_irqsave(&uep->lock, flags); + pipe = usbhsg_uep_to_pipe(uep); +- if (!pipe) { +- ret = -EINVAL; ++ if (!pipe) + goto out; +- } + + usbhsg_pipe_disable(uep); + usbhs_pipe_free(pipe); +-- +2.17.1 + 
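Review bot: in the usbhsg_ep_disable() hunk, the `if (!pipe) goto out;` path now reports success without any comment explaining that this is deliberate. The commit message gives the reason (a zero pipe means the endpoint is already disabled, and a non-zero return would stop udc/core.c from clearing ep->enabled), but a reader of the function alone will see a missing error code and may put `-EINVAL` back. A one-line comment on the branch stating that an absent pipe is treated as already disabled would preserve the intent.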
diff --git a/queue-4.9/x86-cpu-cyrix-add-alternative-device-id-of-geode-gx1.patch b/queue-4.9/x86-cpu-cyrix-add-alternative-device-id-of-geode-gx1.patch new file mode 100644 index 00000000000..58d1f2e3c92 --- /dev/null +++ b/queue-4.9/x86-cpu-cyrix-add-alternative-device-id-of-geode-gx1.patch 
@@ -0,0 +1,57 @@ +From a6bfe1f8ed4e76699f9b18ebf04e4c6eb13388a9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20S=C3=BCnkenberg?= + +Date: Sun, 4 Jun 2017 19:18:39 +0200 +Subject: x86/cpu/cyrix: Add alternative Device ID of Geode GX1 SoC +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit ae1d557d8f30cb097b4d1f2ab04fa294588ee1cf ] + +A SoC variant of Geode GX1, notably NSC branded SC1100, seems to +report an inverted Device ID in its DIR0 configuration register, +specifically 0xb instead of the expected 0x4. + +Catch this presumably quirky version so it's properly recognized +as GX1 and has its cache switched to write-back mode, which provides +a significant performance boost in most workloads. + +SC1100's datasheet "Geode™ SC1100 Information Appliance On a Chip", +states in section 1.1.7.1 "Device ID" that device identification +values are specified in SC1100's device errata. These, however, +seem to not have been publicly released. + +Wading through a number of boot logs and /proc/cpuinfo dumps found on +pastebin and blogs, this patch should mostly be relevant for a number +of now admittedly aging Soekris NET4801 and PC Engines WRAP devices, +the latter being the platform this issue was discovered on. +Performance impact was verified using "openssl speed", with +write-back caching scaling throughput between -3% and +41%. 
+ +Signed-off-by: Christian Sünkenberg +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/1496596719.26725.14.camel@student.kit.edu +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/cyrix.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/kernel/cpu/cyrix.c b/arch/x86/kernel/cpu/cyrix.c +index 455d8ada9b9a..d39cfb2c6b63 100644 +--- a/arch/x86/kernel/cpu/cyrix.c ++++ b/arch/x86/kernel/cpu/cyrix.c +@@ -253,6 +253,7 @@ static void init_cyrix(struct cpuinfo_x86 *c) + break; + + case 4: /* MediaGX/GXm or Geode GXM/GXLV/GX1 */ ++ case 11: /* GX1 with inverted Device ID */ + #ifdef CONFIG_PCI + { + u32 vendor, device; +-- +2.17.1 + diff --git a/queue-4.9/x86-paravirt-fix-some-warning-messages.patch b/queue-4.9/x86-paravirt-fix-some-warning-messages.patch new file mode 100644 index 00000000000..80648c60003 --- /dev/null +++ b/queue-4.9/x86-paravirt-fix-some-warning-messages.patch 
@@ -0,0 +1,49 @@ +From 0e6c5e84213222cce65d6983af36132dce0f84a3 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 19 Sep 2018 13:35:53 +0300 +Subject: x86/paravirt: Fix some warning messages + +[ Upstream commit 571d0563c8881595f4ab027aef9ed1c55e3e7b7c ] + +The first argument to WARN_ONCE() is a condition. + +Fixes: 5800dc5c19f3 ("x86/paravirt: Fix spectre-v2 mitigations for paravirt guests") +Signed-off-by: Dan Carpenter +Signed-off-by: Thomas Gleixner +Reviewed-by: Juergen Gross +Cc: Peter Zijlstra +Cc: Alok Kataria +Cc: "H. Peter Anvin" +Cc: virtualization@lists.linux-foundation.org +Cc: kernel-janitors@vger.kernel.org +Link: https://lkml.kernel.org/r/20180919103553.GD9238@mwanda +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/paravirt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/paravirt.c b/arch/x86/kernel/paravirt.c +index 29d465627919..bf9552bebb3c 100644 +--- a/arch/x86/kernel/paravirt.c ++++ b/arch/x86/kernel/paravirt.c +@@ -90,7 +90,7 @@ unsigned paravirt_patch_call(void *insnbuf, + + if (len < 5) { + #ifdef CONFIG_RETPOLINE +- WARN_ONCE("Failing to patch indirect CALL in %ps\n", (void *)addr); ++ WARN_ONCE(1, "Failing to patch indirect CALL in %ps\n", (void *)addr); + #endif + return len; /* call too long for patch site */ + } +@@ -110,7 +110,7 @@ unsigned paravirt_patch_jmp(void *insnbuf, const void *target, + + if (len < 5) { + #ifdef CONFIG_RETPOLINE +- WARN_ONCE("Failing to patch indirect JMP in %ps\n", (void *)addr); ++ WARN_ONCE(1, "Failing to patch indirect JMP in %ps\n", (void *)addr); + #endif + return len; /* call too long for patch site */ + } +-- +2.17.1 + diff --git a/queue-4.9/x86-power-fix-some-ordering-bugs-in-__restore_proces.patch b/queue-4.9/x86-power-fix-some-ordering-bugs-in-__restore_proces.patch new file mode 100644 index 00000000000..27fe1dcc768 --- /dev/null +++ b/queue-4.9/x86-power-fix-some-ordering-bugs-in-__restore_proces.patch 
@@ -0,0 +1,128 @@ +From 160052e7ad155125fa8a3993db49c5286957b11e Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Thu, 30 Nov 2017 07:57:57 -0800 +Subject: x86/power: Fix some ordering bugs in __restore_processor_context() + +[ Upstream commit 5b06bbcfc2c621da3009da8decb7511500c293ed ] + +__restore_processor_context() had a couple of ordering bugs. It +restored GSBASE after calling load_gs_index(), and the latter can +call into tracing code. It also tried to restore segment registers +before restoring the LDT, which is straight-up wrong. + +Reorder the code so that we restore GSBASE, then the descriptor +tables, then the segments. + +This fixes two bugs. First, it fixes a regression that broke resume +under certain configurations due to irqflag tracing in +native_load_gs_index(). Second, it fixes resume when the userspace +process that initiated suspect had funny segments. The latter can be +reproduced by compiling this: + +// SPDX-License-Identifier: GPL-2.0 +/* + * ldt_echo.c - Echo argv[1] while using an LDT segment + */ + +int main(int argc, char **argv) +{ + int ret; + size_t len; + char *buf; + + const struct user_desc desc = { + .entry_number = 0, + .base_addr = 0, + .limit = 0xfffff, + .seg_32bit = 1, + .contents = 0, /* Data, grow-up */ + .read_exec_only = 0, + .limit_in_pages = 1, + .seg_not_present = 0, + .useable = 0 + }; + + if (argc != 2) + errx(1, "Usage: %s STRING", argv[0]); + + len = asprintf(&buf, "%s\n", argv[1]); + if (len < 0) + errx(1, "Out of memory"); + + ret = syscall(SYS_modify_ldt, 1, &desc, sizeof(desc)); + if (ret < -1) + errno = -ret; + if (ret) + err(1, "modify_ldt"); + + asm volatile ("movw %0, %%es" :: "rm" ((unsigned short)7)); + write(1, buf, len); + return 0; +} + +and running ldt_echo >/sys/power/mem + +Without the fix, the latter causes a triple fault on resume. 
+ +Fixes: ca37e57bbe0c ("x86/entry/64: Add missing irqflags tracing to native_load_gs_index()") +Reported-by: Jarkko Nikula +Signed-off-by: Andy Lutomirski +Signed-off-by: Thomas Gleixner +Tested-by: Jarkko Nikula +Cc: Peter Zijlstra +Cc: Borislav Petkov +Cc: Linus Torvalds +Link: https://lkml.kernel.org/r/6b31721ea92f51ea839e79bd97ade4a75b1eeea2.1512057304.git.luto@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/power/cpu.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c +index 53cace2ec0e2..73063dfed476 100644 +--- a/arch/x86/power/cpu.c ++++ b/arch/x86/power/cpu.c +@@ -222,8 +222,20 @@ static void notrace __restore_processor_state(struct saved_context *ctxt) + load_idt((const struct desc_ptr *)&ctxt->idt_limit); + #endif + ++#ifdef CONFIG_X86_64 + /* +- * segment registers ++ * We need GSBASE restored before percpu access can work. ++ * percpu access can happen in exception handlers or in complicated ++ * helpers like load_gs_index(). ++ */ ++ wrmsrl(MSR_GS_BASE, ctxt->gs_base); ++#endif ++ ++ fix_processor_context(); ++ ++ /* ++ * Restore segment registers. This happens after restoring the GDT ++ * and LDT, which happen in fix_processor_context(). + */ + #ifdef CONFIG_X86_32 + loadsegment(es, ctxt->es); +@@ -244,13 +256,14 @@ static void notrace __restore_processor_state(struct saved_context *ctxt) + load_gs_index(ctxt->gs); + asm volatile ("movw %0, %%ss" :: "r" (ctxt->ss)); + ++ /* ++ * Restore FSBASE and user GSBASE after reloading the respective ++ * segment selectors. ++ */ + wrmsrl(MSR_FS_BASE, ctxt->fs_base); +- wrmsrl(MSR_GS_BASE, ctxt->gs_base); + wrmsrl(MSR_KERNEL_GS_BASE, ctxt->gs_kernel_base); + #endif + +- fix_processor_context(); +- + do_fpu_end(); + x86_platform.restore_sched_clock_state(); + mtrr_bp_restore(); +-- +2.17.1 + 
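Review bot: in the second __restore_processor_state() hunk, the new comment says "Restore FSBASE and user GSBASE" but the two lines under it write `MSR_FS_BASE` and `MSR_KERNEL_GS_BASE`; the comment should name MSR_KERNEL_GS_BASE explicitly so it is clear which write it calls the user GSBASE, given that the `MSR_GS_BASE` write was just moved to the top of the function by the first hunk. Separately, the subject line and changelog refer to __restore_processor_context(), while both hunk headers show the function as __restore_processor_state(); the changelog should use the name that is in the tree being patched.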
diff --git a/queue-4.9/xen-netfront-fix-mismatched-rtnl_unlock.patch b/queue-4.9/xen-netfront-fix-mismatched-rtnl_unlock.patch new file mode 100644 index 00000000000..f964d69b117 --- /dev/null +++ b/queue-4.9/xen-netfront-fix-mismatched-rtnl_unlock.patch @@ -0,0 +1,41 @@ +From dde2de20820ca0f2074f59b03c560259f3bd4437 Mon Sep 17 00:00:00 2001 +From: Ross Lagerwall +Date: Thu, 21 Jun 2018 14:00:20 +0100 +Subject: xen-netfront: Fix mismatched rtnl_unlock + +[ Upstream commit cb257783c2927b73614b20f915a91ff78aa6f3e8 ] + +Fixes: f599c64fdf7d ("xen-netfront: Fix race between device setup and open") +Reported-by: Ben Hutchings +Signed-off-by: Ross Lagerwall +Reviewed-by: Juergen Gross +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netfront.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index c85edd161a6c..aceae791baf3 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -1848,7 +1848,7 @@ static int talk_to_netback(struct xenbus_device *dev, + err = xen_net_read_mac(dev, info->netdev->dev_addr); + if (err) { + xenbus_dev_fatal(dev, err, "parsing %s/mac", dev->nodename); +- goto out; ++ goto out_unlocked; + } + + rtnl_lock(); +@@ -1963,6 +1963,7 @@ abort_transaction_no_dev_fatal: + xennet_destroy_queues(info); + out: + rtnl_unlock(); ++out_unlocked: + device_unregister(&dev->dev); + return err; + } +-- +2.17.1 + diff --git a/queue-4.9/xen-netfront-update-features-after-registering-netde.patch b/queue-4.9/xen-netfront-update-features-after-registering-netde.patch new file mode 100644 index 00000000000..1e853889d77 --- /dev/null +++ b/queue-4.9/xen-netfront-update-features-after-registering-netde.patch 
@@ -0,0 +1,52 @@ +From d112f28f573e2d543cd1d52bdc8120f502a0d759 Mon Sep 17 00:00:00 2001 +From: Ross Lagerwall +Date: Thu, 21 Jun 2018 14:00:21 +0100 +Subject: xen-netfront: Update features after registering netdev + +[ Upstream commit 45c8184c1bed1ca8a7f02918552063a00b909bf5 ] + +Update the features after calling register_netdev() otherwise the +device features are not set up correctly and it not possible to change +the MTU of the device. After this change, the features reported by +ethtool match the device's features before the commit which introduced +the issue and it is possible to change the device's MTU. + +Fixes: f599c64fdf7d ("xen-netfront: Fix race between device setup and open") +Reported-by: Liam Shepherd +Signed-off-by: Ross Lagerwall +Reviewed-by: Juergen Gross +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netfront.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index 3c1adb38412b..c85edd161a6c 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -1994,10 +1994,6 @@ static int xennet_connect(struct net_device *dev) + /* talk_to_netback() sets the correct number of queues */ + num_queues = dev->real_num_tx_queues; + +- rtnl_lock(); +- netdev_update_features(dev); +- rtnl_unlock(); +- + if (dev->reg_state == NETREG_UNINITIALIZED) { + err = register_netdev(dev); + if (err) { +@@ -2007,6 +2003,10 @@ static int xennet_connect(struct net_device *dev) + } + } + ++ rtnl_lock(); ++ netdev_update_features(dev); ++ rtnl_unlock(); ++ + /* + * All public and private state should now be sane. Get + * ready to start sending and receiving packets and give the driver +-- +2.17.1 + diff --git a/queue-4.9/xfrm-validate-address-prefix-lengths-in-the-xfrm-sel.patch b/queue-4.9/xfrm-validate-address-prefix-lengths-in-the-xfrm-sel.patch new file mode 100644 index 00000000000..094362165a5 --- /dev/null 
+++ b/queue-4.9/xfrm-validate-address-prefix-lengths-in-the-xfrm-sel.patch @@ -0,0 +1,63 @@ +From ca3c37e1f304a3a40f0b409608088d3683d30eb0 Mon Sep 17 00:00:00 2001 +From: Steffen Klassert +Date: Wed, 1 Aug 2018 13:45:11 +0200 +Subject: xfrm: Validate address prefix lengths in the xfrm selector. + +[ Upstream commit 07bf7908950a8b14e81aa1807e3c667eab39287a ] + +We don't validate the address prefix lengths in the xfrm +selector we got from userspace. This can lead to undefined +behaviour in the address matching functions if the prefix +is too big for the given address family. Fix this by checking +the prefixes and refuse SA/policy insertation when a prefix +is invalid. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Air Icy +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 6e768093d7c8..b7ac834a6091 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -151,10 +151,16 @@ static int verify_newsa_info(struct xfrm_usersa_info *p, + err = -EINVAL; + switch (p->family) { + case AF_INET: ++ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) ++ goto out; ++ + break; + + case AF_INET6: + #if IS_ENABLED(CONFIG_IPV6) ++ if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128) ++ goto out; ++ + break; + #else + err = -EAFNOSUPPORT; +@@ -1316,10 +1322,16 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p) + + switch (p->sel.family) { + case AF_INET: ++ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) ++ return -EINVAL; ++ + break; + + case AF_INET6: + #if IS_ENABLED(CONFIG_IPV6) ++ if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128) ++ return -EINVAL; ++ + break; + #else + return -EAFNOSUPPORT; +-- +2.17.1 + diff --git a/queue-4.9/xfrm-validate-template-mode.patch b/queue-4.9/xfrm-validate-template-mode.patch new file mode 100644 index 00000000000..dad752ad497 
--- /dev/null +++ b/queue-4.9/xfrm-validate-template-mode.patch 
@@ -0,0 +1,64 @@ +From 88629fdeab9704e2a0278ae639261aa6eba450dc Mon Sep 17 00:00:00 2001 +From: Sean Tranchetti +Date: Wed, 19 Sep 2018 13:54:56 -0600 +Subject: xfrm: validate template mode + +[ Upstream commit 32bf94fb5c2ec4ec842152d0e5937cd4bb6738fa ] + +XFRM mode parameters passed as part of the user templates +in the IP_XFRM_POLICY are never properly validated. Passing +values other than valid XFRM modes can cause stack-out-of-bounds +reads to occur later in the XFRM processing: + +[ 140.535608] ================================================================ +[ 140.543058] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x17e4/0x1cc4 +[ 140.550306] Read of size 4 at addr ffffffc0238a7a58 by task repro/5148 +[ 140.557369] +[ 140.558927] Call trace: +[ 140.558936] dump_backtrace+0x0/0x388 +[ 140.558940] show_stack+0x24/0x30 +[ 140.558946] __dump_stack+0x24/0x2c +[ 140.558949] dump_stack+0x8c/0xd0 +[ 140.558956] print_address_description+0x74/0x234 +[ 140.558960] kasan_report+0x240/0x264 +[ 140.558963] __asan_report_load4_noabort+0x2c/0x38 +[ 140.558967] xfrm_state_find+0x17e4/0x1cc4 +[ 140.558971] xfrm_resolve_and_create_bundle+0x40c/0x1fb8 +[ 140.558975] xfrm_lookup+0x238/0x1444 +[ 140.558977] xfrm_lookup_route+0x48/0x11c +[ 140.558984] ip_route_output_flow+0x88/0xc4 +[ 140.558991] raw_sendmsg+0xa74/0x266c +[ 140.558996] inet_sendmsg+0x258/0x3b0 +[ 140.559002] sock_sendmsg+0xbc/0xec +[ 140.559005] SyS_sendto+0x3a8/0x5a8 +[ 140.559008] el0_svc_naked+0x34/0x38 +[ 140.559009] +[ 140.592245] page dumped because: kasan: bad access detected +[ 140.597981] page_owner info is not active (free page?) 
+[ 140.603267] +[ 140.653503] ================================================================ + +Signed-off-by: Sean Tranchetti +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index b7ac834a6091..026770884d46 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -1412,6 +1412,9 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) + (ut[i].family != prev_family)) + return -EINVAL; + ++ if (ut[i].mode >= XFRM_MODE_MAX) ++ return -EINVAL; ++ + prev_family = ut[i].family; + + switch (ut[i].family) { +-- +2.17.1 + diff --git a/queue-4.9/xfrm6-call-kfree_skb-when-skb-is-toobig.patch b/queue-4.9/xfrm6-call-kfree_skb-when-skb-is-toobig.patch new file mode 100644 index 00000000000..94ae691d5ab --- /dev/null +++ b/queue-4.9/xfrm6-call-kfree_skb-when-skb-is-toobig.patch 
@@ -0,0 +1,46 @@ +From c7033052d4a9752366664650bdce1959a54bc58a Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Fri, 31 Aug 2018 08:38:49 -0300 +Subject: xfrm6: call kfree_skb when skb is toobig + +[ Upstream commit 215ab0f021c9fea3c18b75e7d522400ee6a49990 ] + +After commit d6990976af7c5d8f55903bfb4289b6fb030bf754 ("vti6: fix PMTU caching +and reporting on xmit"), some too big skbs might be potentially passed down to +__xfrm6_output, causing it to fail to transmit but not free the skb, causing a +leak of skb, and consequentially a leak of dst references. + +After running pmtu.sh, that shows as failure to unregister devices in a namespace: + +[ 311.397671] unregister_netdevice: waiting for veth_b to become free. Usage count = 1 + +The fix is to call kfree_skb in case of transmit failures. + +Fixes: dd767856a36e ("xfrm6: Don't call icmpv6_send on local error") +Signed-off-by: Thadeu Lima de Souza Cascardo +Reviewed-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv6/xfrm6_output.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c +index 4d09ce6fa90e..64862c5084ee 100644 +--- a/net/ipv6/xfrm6_output.c ++++ b/net/ipv6/xfrm6_output.c +@@ -165,9 +165,11 @@ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb) + + if (toobig && xfrm6_local_dontfrag(skb)) { + xfrm6_local_rxpmtu(skb, mtu); ++ kfree_skb(skb); + return -EMSGSIZE; + } else if (!skb->ignore_df && toobig && skb->sk) { + xfrm_local_error(skb, mtu); ++ kfree_skb(skb); + return -EMSGSIZE; + } + +-- +2.17.1 + diff --git a/queue-4.9/xhci-fix-usb3-null-pointer-dereference-at-logical-di.patch b/queue-4.9/xhci-fix-usb3-null-pointer-dereference-at-logical-di.patch new file mode 100644 index 00000000000..c7a618fca09 --- /dev/null +++ b/queue-4.9/xhci-fix-usb3-null-pointer-dereference-at-logical-di.patch 
@@ -0,0 +1,63 @@ +From 75b041b95528e5093f0645b6d117426a9b069cc4 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Mon, 14 May 2018 11:57:23 +0300 +Subject: xhci: Fix USB3 NULL pointer dereference at logical disconnect. + +[ Upstream commit 2278446e2b7cd33ad894b32e7eb63afc7db6c86e ] + +Hub driver will try to disable a USB3 device twice at logical disconnect, +racing with xhci_free_dev() callback from the first port disable. + +This can be triggered with "udisksctl power-off --block-device " +or by writing "1" to the "remove" sysfs file for a USB3 device +in 4.17-rc4. + +USB3 devices don't have a similar disabled link state as USB2 devices, +and use a U3 suspended link state instead. In this state the port +is still enabled and connected. + +hub_port_connect() first disconnects the device, then later it notices +that device is still enabled (due to U3 states) it will try to disable +the port again (set to U3). + +The xhci_free_dev() called during device disable is async, so checking +for existing xhci->devs[i] when setting link state to U3 the second time +was successful, even if device was being freed. + +The regression was caused by, and whole thing revealed by, +Commit 44a182b9d177 ("xhci: Fix use-after-free in xhci_free_virt_device") +which sets xhci->devs[i]->udev to NULL before xhci_virt_dev() returned. +and causes a NULL pointer dereference the second time we try to set U3. + +Fix this by checking xhci->devs[i]->udev exists before setting link state. + +The original patch went to stable so this fix needs to be applied there as +well. 
+ +Fixes: 44a182b9d177 ("xhci: Fix use-after-free in xhci_free_virt_device") +Cc: +Reported-by: Jordan Glover +Tested-by: Jordan Glover +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-hub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c +index 45a03eff4db1..0f09ab5399f4 100644 +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -366,7 +366,7 @@ int xhci_find_slot_id_by_port(struct usb_hcd *hcd, struct xhci_hcd *xhci, + + slot_id = 0; + for (i = 0; i < MAX_HC_SLOTS; i++) { +- if (!xhci->devs[i]) ++ if (!xhci->devs[i] || !xhci->devs[i]->udev) + continue; + speed = xhci->devs[i]->udev->speed; + if (((speed >= USB_SPEED_SUPER) == (hcd->speed >= HCD_USB3)) +-- +2.17.1 +
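Review bot: queue-4.9/xen-netfront-fix-mismatched-rtnl_unlock.patch has no commit body, so the reason for the new `out_unlocked` label in talk_to_netback() has to be reconstructed from the two hunks: the xen_net_read_mac() failure path runs before rtnl_lock(), and `goto out` sent it through rtnl_unlock() without the lock held. One sentence saying that in the message would help anyone scoping the backport. It is also worth confirming that no other `goto out` sits above rtnl_lock() in the part of the function the context lines do not show.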
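Review bot: in xennet_connect(), the moved rtnl_lock() / netdev_update_features() / rtnl_unlock() block now depends on running after register_netdev(), but nothing at its new location says so. A short comment above it stating that the features must be updated after registration (the commit message gives the symptom: wrong ethtool features and an MTU that cannot be changed) would keep a later cleanup from moving it back. On a first connect the device is also registered before its features are updated, so it is briefly visible with the stale feature set; the message should say whether that window matters.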
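Review bot: in the verify_newsa_info() hunk of the xfrm prefix-length patch, the bound is selected by `switch (p->family)`, but the values tested are `p->sel.prefixlen_d` and `p->sel.prefixlen_s`, which belong to the selector; the verify_newpolicy_info() hunk keys the same test off `p->sel.family`. If the selector family can differ from the SA family, an AF_INET selector under an AF_INET6 SA would be held to 128 rather than 32. Suggest choosing the limit from `p->sel.family` here as well (with whatever fallback applies when it is unset), or stating in the commit message why the SA family is the right one.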
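Review bot: the verify_newpolicy_info() hunk repeats the two-comparison test that the verify_newsa_info() hunk adds, with the literals 32 and 128, so the patch ends up with four copies of it. A small helper that takes the family and the selector and reports whether both prefix lengths fit would keep the SA and policy paths from drifting apart.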
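Review bot: the new `ut[i].mode >= XFRM_MODE_MAX` test in validate_tmpl() is an upper bound only, which is sufficient only when `mode` is an unsigned field; the hunk does not show its declaration, so that is worth checking or stating. The commit message also carries no Fixes: tag, unlike the other xfrm patches in this queue, which leaves it unclear how far back the missing validation goes.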
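Review bot: with `kfree_skb(skb)` added to both -EMSGSIZE branches of __xfrm6_output(), the function now consumes the skb on these error returns, so any caller that frees the skb itself on a non-zero return would turn the leak into a double free. The callers are not in the hunk; the commit message should say that they treat the skb as consumed on error. The two branches now end in the same two statements, which a shared exit label would express once.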
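Review bot: in xhci_find_slot_id_by_port(), the added `!xhci->devs[i]->udev` test and the following `speed = xhci->devs[i]->udev->speed;` read the pointer separately, and the commit message says xhci_free_dev() runs asynchronously, so the check narrows the window rather than closing it unless the caller holds a lock that excludes the free. Suggest naming that lock in a comment above the loop, or at least loading `xhci->devs[i]` and its `udev` into locals once and testing those, which removes the re-read that can still see NULL (it does not by itself protect against the device being freed).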