From: Sasha Levin Date: Thu, 2 May 2019 13:51:58 +0000 (-0400) Subject: autosel fixes for 3.18 X-Git-Tag: v4.9.173~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5b2f3529cfa071b52f3d3f2dde7301a4665e9ecd;p=thirdparty%2Fkernel%2Fstable-queue.git autosel fixes for 3.18 Signed-off-by: Sasha Levin --- diff --git a/queue-3.18/ceph-fix-use-after-free-on-symlink-traversal.patch b/queue-3.18/ceph-fix-use-after-free-on-symlink-traversal.patch new file mode 100644 index 00000000000..4c4ec32cf64 --- /dev/null +++ b/queue-3.18/ceph-fix-use-after-free-on-symlink-traversal.patch @@ -0,0 +1,42 @@ +From 76256eacb55f5fe6f970f58229fd209d3f69be12 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Tue, 26 Mar 2019 01:38:58 +0000 +Subject: ceph: fix use-after-free on symlink traversal + +[ Upstream commit daf5cc27eed99afdea8d96e71b89ba41f5406ef6 ] + +free the symlink body after the same RCU delay we have for freeing the +struct inode itself, so that traversal during RCU pathwalk wouldn't step +into freed memory. + +Signed-off-by: Al Viro +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin (Microsoft) +--- + fs/ceph/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c +index 7a1df90c7771..7641fcf83ac8 100644 +--- a/fs/ceph/inode.c ++++ b/fs/ceph/inode.c +@@ -472,6 +472,7 @@ static void ceph_i_callback(struct rcu_head *head) + struct inode *inode = container_of(head, struct inode, i_rcu); + struct ceph_inode_info *ci = ceph_inode(inode); + ++ kfree(ci->i_symlink); + kmem_cache_free(ceph_inode_cachep, ci); + } + +@@ -503,7 +504,6 @@ void ceph_destroy_inode(struct inode *inode) + ceph_put_snap_realm(mdsc, realm); + } + +- kfree(ci->i_symlink); + while ((n = rb_first(&ci->i_fragtree)) != NULL) { + frag = rb_entry(n, struct ceph_inode_frag, node); + rb_erase(n, &ci->i_fragtree); +-- +2.19.1 + diff --git a/queue-3.18/kconfig-mn-conf-handle-backspace-h-key.patch b/queue-3.18/kconfig-mn-conf-handle-backspace-h-key.patch new file mode 100644 index 00000000000..14588b940a9 --- /dev/null +++ b/queue-3.18/kconfig-mn-conf-handle-backspace-h-key.patch @@ -0,0 +1,65 @@ +From e0dbebd6ce259b7b0b6e0c572e2a20e0956b46e1 Mon Sep 17 00:00:00 2001 +From: Changbin Du +Date: Mon, 25 Mar 2019 15:16:47 +0000 +Subject: kconfig/[mn]conf: handle backspace (^H) key + +[ Upstream commit 9c38f1f044080392603c497ecca4d7d09876ff99 ] + +Backspace is not working on some terminal emulators which do not send the +key code defined by terminfo. Terminals either send '^H' (8) or '^?' (127). +But currently only '^?' is handled. Let's also handle '^H' for those +terminals. + +Signed-off-by: Changbin Du +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin (Microsoft) +--- + scripts/kconfig/lxdialog/inputbox.c | 3 ++- + scripts/kconfig/nconf.c | 2 +- + scripts/kconfig/nconf.gui.c | 3 ++- + 3 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c +index d58de1dc5360..510049a7bd1d 100644 +--- a/scripts/kconfig/lxdialog/inputbox.c ++++ b/scripts/kconfig/lxdialog/inputbox.c +@@ -126,7 +126,8 @@ int dialog_inputbox(const char *title, const char *prompt, int height, int width + case KEY_DOWN: + break; + case KEY_BACKSPACE: +- case 127: ++ case 8: /* ^H */ ++ case 127: /* ^? */ + if (pos) { + wattrset(dialog, dlg.inputbox.atr); + if (input_x == 0) { +diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c +index 984489ef2b46..e570f6c9b3ad 100644 +--- a/scripts/kconfig/nconf.c ++++ b/scripts/kconfig/nconf.c +@@ -1046,7 +1046,7 @@ static int do_match(int key, struct match_state *state, int *ans) + state->match_direction = FIND_NEXT_MATCH_UP; + *ans = get_mext_match(state->pattern, + state->match_direction); +- } else if (key == KEY_BACKSPACE || key == 127) { ++ } else if (key == KEY_BACKSPACE || key == 8 || key == 127) { + state->pattern[strlen(state->pattern)-1] = '\0'; + adj_match_dir(&state->match_direction); + } else +diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c +index 4b2f44c20caf..9a65035cf787 100644 +--- a/scripts/kconfig/nconf.gui.c ++++ b/scripts/kconfig/nconf.gui.c +@@ -439,7 +439,8 @@ int dialog_inputbox(WINDOW *main_window, + case KEY_F(F_EXIT): + case KEY_F(F_BACK): + break; +- case 127: ++ case 8: /* ^H */ ++ case 127: /* ^? */ + case KEY_BACKSPACE: + if (cursor_position > 0) { + memmove(&result[cursor_position-1], +-- +2.19.1 + diff --git a/queue-3.18/libata-fix-using-dma-buffers-on-stack.patch b/queue-3.18/libata-fix-using-dma-buffers-on-stack.patch new file mode 100644 index 00000000000..6fe1c46803e --- /dev/null +++ b/queue-3.18/libata-fix-using-dma-buffers-on-stack.patch @@ -0,0 +1,87 @@ +From 35aeae47f2b407a6492cb5149b4bbd2ad6fa5822 Mon Sep 17 00:00:00 2001 +From: raymond pang +Date: Thu, 28 Mar 2019 12:19:25 +0000 +Subject: libata: fix using DMA buffers on stack + +[ Upstream commit dd08a8d9a66de4b54575c294a92630299f7e0fe7 ] + +When CONFIG_VMAP_STACK=y, __pa() returns incorrect physical address for +a stack virtual address. Stack DMA buffers must be avoided. + +Signed-off-by: raymond pang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/ata/libata-zpodd.c | 34 ++++++++++++++++++++++++---------- + 1 file changed, 24 insertions(+), 10 deletions(-) + +diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c +index 0ad96c647541..7017a81d53cf 100644 +--- a/drivers/ata/libata-zpodd.c ++++ b/drivers/ata/libata-zpodd.c +@@ -51,38 +51,52 @@ static int eject_tray(struct ata_device *dev) + /* Per the spec, only slot type and drawer type ODD can be supported */ + static enum odd_mech_type zpodd_get_mech_type(struct ata_device *dev) + { +- char buf[16]; ++ char *buf; + unsigned int ret; +- struct rm_feature_desc *desc = (void *)(buf + 8); ++ struct rm_feature_desc *desc; + struct ata_taskfile tf; + static const char cdb[] = { GPCMD_GET_CONFIGURATION, + 2, /* only 1 feature descriptor requested */ + 0, 3, /* 3, removable medium feature */ + 0, 0, 0,/* reserved */ +- 0, sizeof(buf), ++ 0, 16, + 0, 0, 0, + }; + ++ buf = kzalloc(16, GFP_KERNEL); ++ if (!buf) ++ return ODD_MECH_TYPE_UNSUPPORTED; ++ desc = (void *)(buf + 8); ++ + ata_tf_init(dev, &tf); + tf.flags = ATA_TFLAG_ISADDR | ATA_TFLAG_DEVICE; + tf.command = ATA_CMD_PACKET; + tf.protocol = ATAPI_PROT_PIO; +- tf.lbam = sizeof(buf); ++ tf.lbam = 16; + + ret = ata_exec_internal(dev, &tf, cdb, DMA_FROM_DEVICE, +- buf, sizeof(buf), 0); +- if (ret) ++ buf, 16, 0); ++ if (ret) { ++ kfree(buf); + return ODD_MECH_TYPE_UNSUPPORTED; ++ } + +- if (be16_to_cpu(desc->feature_code) != 3) ++ if (be16_to_cpu(desc->feature_code) != 3) { ++ kfree(buf); + return ODD_MECH_TYPE_UNSUPPORTED; ++ } + +- if (desc->mech_type == 0 && desc->load == 0 && desc->eject == 1) ++ if (desc->mech_type == 0 && desc->load == 0 && desc->eject == 1) { ++ kfree(buf); + return ODD_MECH_TYPE_SLOT; +- else if (desc->mech_type == 1 && desc->load == 0 && desc->eject == 1) ++ } else if (desc->mech_type == 1 && desc->load == 0 && ++ desc->eject == 1) { ++ kfree(buf); + return ODD_MECH_TYPE_DRAWER; +- else ++ } else { ++ kfree(buf); + return ODD_MECH_TYPE_UNSUPPORTED; ++ } + } + + /* Test if ODD is zero power ready by sense code */ +-- +2.19.1 + diff --git a/queue-3.18/net-ibm-fix-possible-object-reference-leak.patch b/queue-3.18/net-ibm-fix-possible-object-reference-leak.patch new file mode 100644 index 00000000000..9662654a096 --- /dev/null +++ b/queue-3.18/net-ibm-fix-possible-object-reference-leak.patch @@ -0,0 +1,40 @@ +From f32e8b1f2d51402bed35c4a8833fd4aa62054eb8 Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Fri, 22 Mar 2019 11:04:08 +0800 +Subject: net: ibm: fix possible object reference leak + +[ Upstream commit be693df3cf9dd113ff1d2c0d8150199efdba37f6 ] + +The call to ehea_get_eth_dn returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +./drivers/net/ethernet/ibm/ehea/ehea_main.c:3163:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 3154, but without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Cc: Douglas Miller +Cc: "David S. Miller" +Cc: netdev@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/ibm/ehea/ehea_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/ibm/ehea/ehea_main.c b/drivers/net/ethernet/ibm/ehea/ehea_main.c +index 566b17db135a..a718066bb99f 100644 +--- a/drivers/net/ethernet/ibm/ehea/ehea_main.c ++++ b/drivers/net/ethernet/ibm/ehea/ehea_main.c +@@ -3183,6 +3183,7 @@ static ssize_t ehea_probe_port(struct device *dev, + + if (ehea_add_adapter_mr(adapter)) { + pr_err("creating MR failed\n"); ++ of_node_put(eth_dn); + return -EIO; + } + +-- +2.19.1 + diff --git a/queue-3.18/net-ks8851-delay-requesting-irq-until-opened.patch b/queue-3.18/net-ks8851-delay-requesting-irq-until-opened.patch new file mode 100644 index 00000000000..a2f89f7930d --- /dev/null +++ b/queue-3.18/net-ks8851-delay-requesting-irq-until-opened.patch @@ -0,0 +1,94 @@ +From c8fd2241b41efaa127d5f467cbfdb9eab70cde14 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Wed, 20 Mar 2019 15:02:00 +0100 +Subject: net: ks8851: Delay requesting IRQ until opened + +[ Upstream commit d268f31552794abf5b6aa5af31021643411f25f5 ] + +The ks8851 driver currently requests the IRQ before registering the +net_device. Because the net_device name is used as IRQ name and is +still "eth%d" when the IRQ is requested, it's impossibe to tell IRQs +apart if multiple ks8851 chips are present. Most other drivers delay +requesting the IRQ until the net_device is opened. Do the same. + +The driver doesn't enable interrupts on the chip before opening the +net_device and disables them when closing it, so there doesn't seem to +be a need to request the IRQ already on probe. + +Signed-off-by: Lukas Wunner +Cc: Frank Pavlic +Cc: Ben Dooks +Cc: Tristram Ha +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/micrel/ks8851.c | 24 +++++++++++------------- + 1 file changed, 11 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c +index e218e45dcf35..f90a1396535a 100644 +--- a/drivers/net/ethernet/micrel/ks8851.c ++++ b/drivers/net/ethernet/micrel/ks8851.c +@@ -797,6 +797,15 @@ static void ks8851_tx_work(struct work_struct *work) + static int ks8851_net_open(struct net_device *dev) + { + struct ks8851_net *ks = netdev_priv(dev); ++ int ret; ++ ++ ret = request_threaded_irq(dev->irq, NULL, ks8851_irq, ++ IRQF_TRIGGER_LOW | IRQF_ONESHOT, ++ dev->name, ks); ++ if (ret < 0) { ++ netdev_err(dev, "failed to get irq\n"); ++ return ret; ++ } + + /* lock the card, even if we may not actually be doing anything + * else at the moment */ +@@ -911,6 +920,8 @@ static int ks8851_net_stop(struct net_device *dev) + dev_kfree_skb(txb); + } + ++ free_irq(dev->irq, ks); ++ + return 0; + } + +@@ -1542,14 +1553,6 @@ static int ks8851_probe(struct spi_device *spi) + ks8851_read_selftest(ks); + ks8851_init_mac(ks); + +- ret = request_threaded_irq(spi->irq, NULL, ks8851_irq, +- IRQF_TRIGGER_LOW | IRQF_ONESHOT, +- ndev->name, ks); +- if (ret < 0) { +- dev_err(&spi->dev, "failed to get irq\n"); +- goto err_irq; +- } +- + ret = register_netdev(ndev); + if (ret) { + dev_err(&spi->dev, "failed to register network device\n"); +@@ -1562,11 +1565,7 @@ static int ks8851_probe(struct spi_device *spi) + + return 0; + +- + err_netdev: +- free_irq(ndev->irq, ks); +- +-err_irq: + err_id: + if (gpio_is_valid(gpio)) + gpio_set_value(gpio, 0); +@@ -1587,7 +1586,6 @@ static int ks8851_remove(struct spi_device *spi) + dev_info(&spi->dev, "remove\n"); + + unregister_netdev(priv->netdev); +- free_irq(spi->irq, priv); + if (gpio_is_valid(priv->gpio)) + gpio_set_value(priv->gpio, 0); + regulator_disable(priv->vdd_reg); +-- +2.19.1 + diff --git a/queue-3.18/net-ks8851-dequeue-rx-packets-explicitly.patch b/queue-3.18/net-ks8851-dequeue-rx-packets-explicitly.patch new file mode 100644 index 00000000000..2357d7c7a47 --- /dev/null +++ b/queue-3.18/net-ks8851-dequeue-rx-packets-explicitly.patch @@ -0,0 +1,76 @@ +From d7ad39b32d99e7a2d80317ea4a735b71ef489dcc Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Wed, 20 Mar 2019 15:02:00 +0100 +Subject: net: ks8851: Dequeue RX packets explicitly + +[ Upstream commit 536d3680fd2dab5c39857d62a3e084198fc74ff9 ] + +The ks8851 driver lets the chip auto-dequeue received packets once they +have been read in full. It achieves that by setting the ADRFE flag in +the RXQCR register ("Auto-Dequeue RXQ Frame Enable"). + +However if allocation of a packet's socket buffer or retrieval of the +packet over the SPI bus fails, the packet will not have been read in +full and is not auto-dequeued. Such partial retrieval of a packet +confuses the chip's RX queue management: On the next RX interrupt, +the first packet read from the queue will be the one left there +previously and this one can be retrieved without issues. But for any +newly received packets, the frame header status and byte count registers +(RXFHSR and RXFHBCR) contain bogus values, preventing their retrieval. + +The chip allows explicitly dequeueing a packet from the RX queue by +setting the RRXEF flag in the RXQCR register ("Release RX Error Frame"). +This could be used to dequeue the packet in case of an error, but if +that error is a failed SPI transfer, it is unknown if the packet was +transferred in full and was auto-dequeued or if it was only transferred +in part and requires an explicit dequeue. The safest approach is thus +to always dequeue packets explicitly and forgo auto-dequeueing. + +Without this change, I've witnessed packet retrieval break completely +when an SPI DMA transfer fails, requiring a chip reset. Explicit +dequeueing magically fixes this and makes packet retrieval absolutely +robust for me. + +The chip's documentation suggests auto-dequeuing and uses the RRXEF +flag only to dequeue error frames which the driver doesn't want to +retrieve. But that seems to be a fair-weather approach. + +Signed-off-by: Lukas Wunner +Cc: Frank Pavlic +Cc: Ben Dooks +Cc: Tristram Ha +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/micrel/ks8851.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c +index 66d4ab703f45..4a29e191819f 100644 +--- a/drivers/net/ethernet/micrel/ks8851.c ++++ b/drivers/net/ethernet/micrel/ks8851.c +@@ -547,9 +547,8 @@ static void ks8851_rx_pkts(struct ks8851_net *ks) + /* set dma read address */ + ks8851_wrreg16(ks, KS_RXFDPR, RXFDPR_RXFPAI | 0x00); + +- /* start the packet dma process, and set auto-dequeue rx */ +- ks8851_wrreg16(ks, KS_RXQCR, +- ks->rc_rxqcr | RXQCR_SDA | RXQCR_ADRFE); ++ /* start DMA access */ ++ ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_SDA); + + if (rxlen > 4) { + unsigned int rxalign; +@@ -580,7 +579,8 @@ static void ks8851_rx_pkts(struct ks8851_net *ks) + } + } + +- ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr); ++ /* end DMA access and dequeue packet */ ++ ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_RRXEF); + } + } + +-- +2.19.1 + diff --git a/queue-3.18/net-ks8851-reassert-reset-pin-if-chip-id-check-fails.patch b/queue-3.18/net-ks8851-reassert-reset-pin-if-chip-id-check-fails.patch new file mode 100644 index 00000000000..b1507c7e895 --- /dev/null +++ b/queue-3.18/net-ks8851-reassert-reset-pin-if-chip-id-check-fails.patch @@ -0,0 +1,45 @@ +From 3ef78a5399eefc2f5f44b31cc0fb86eeab0b89ce Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Wed, 20 Mar 2019 15:02:00 +0100 +Subject: net: ks8851: Reassert reset pin if chip ID check fails + +[ Upstream commit 761cfa979a0c177d6c2d93ef5585cd79ae49a7d5 ] + +Commit 73fdeb82e963 ("net: ks8851: Add optional vdd_io regulator and +reset gpio") amended the ks8851 driver to briefly assert the chip's +reset pin on probe. It also amended the probe routine's error path to +reassert the reset pin if a subsequent initialization step fails. + +However the commit misplaced reassertion of the reset pin in the error +path such that it is not performed if the check of the Chip ID and +Enable Register (CIDER) fails. The error path is therefore slightly +asymmetrical to the probe routine's body. Fix it. + +Signed-off-by: Lukas Wunner +Cc: Frank Pavlic +Cc: Stephen Boyd +Cc: Nishanth Menon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/micrel/ks8851.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c +index 4a29e191819f..e218e45dcf35 100644 +--- a/drivers/net/ethernet/micrel/ks8851.c ++++ b/drivers/net/ethernet/micrel/ks8851.c +@@ -1567,9 +1567,9 @@ static int ks8851_probe(struct spi_device *spi) + free_irq(ndev->irq, ks); + + err_irq: ++err_id: + if (gpio_is_valid(gpio)) + gpio_set_value(gpio, 0); +-err_id: + regulator_disable(ks->vdd_reg); + err_reg: + regulator_disable(ks->vdd_io); +-- +2.19.1 + diff --git a/queue-3.18/net-ks8851-set-initial-carrier-state-to-down.patch b/queue-3.18/net-ks8851-set-initial-carrier-state-to-down.patch new file mode 100644 index 00000000000..180c5221dc5 --- /dev/null +++ b/queue-3.18/net-ks8851-set-initial-carrier-state-to-down.patch @@ -0,0 +1,54 @@ +From 5874c56fb67880111df3e42dee56eaf122ef8e85 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Wed, 20 Mar 2019 15:02:00 +0100 +Subject: net: ks8851: Set initial carrier state to down + +[ Upstream commit 9624bafa5f6418b9ca5b3f66d1f6a6a2e8bf6d4c ] + +The ks8851 chip's initial carrier state is down. A Link Change Interrupt +is signaled once interrupts are enabled if the carrier is up. + +The ks8851 driver has it backwards by assuming that the initial carrier +state is up. The state is therefore misrepresented if the interface is +opened with no cable attached. Fix it. + +The Link Change interrupt is sometimes not signaled unless the P1MBSR +register (which contains the Link Status bit) is read on ->ndo_open(). +This might be a hardware erratum. Read the register by calling +mii_check_link(), which has the desirable side effect of setting the +carrier state to down if the cable was detached while the interface was +closed. + +Signed-off-by: Lukas Wunner +Cc: Frank Pavlic +Cc: Ben Dooks +Cc: Tristram Ha +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/micrel/ks8851.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c +index f90a1396535a..8a94add287de 100644 +--- a/drivers/net/ethernet/micrel/ks8851.c ++++ b/drivers/net/ethernet/micrel/ks8851.c +@@ -870,6 +870,7 @@ static int ks8851_net_open(struct net_device *dev) + netif_dbg(ks, ifup, ks->netdev, "network device up\n"); + + mutex_unlock(&ks->lock); ++ mii_check_link(&ks->mii); + return 0; + } + +@@ -1527,6 +1528,7 @@ static int ks8851_probe(struct spi_device *spi) + + spi_set_drvdata(spi, ks); + ++ netif_carrier_off(ks->netdev); + ndev->if_port = IF_PORT_100BASET; + ndev->netdev_ops = &ks8851_netdev_ops; + ndev->irq = spi->irq; +-- +2.19.1 + diff --git a/queue-3.18/qlcnic-avoid-potential-null-pointer-dereference.patch b/queue-3.18/qlcnic-avoid-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..1d39e2118db --- /dev/null +++ b/queue-3.18/qlcnic-avoid-potential-null-pointer-dereference.patch @@ -0,0 +1,33 @@ +From efa1485657d52df58f596b2b50830a4b47ce6f5a Mon Sep 17 00:00:00 2001 +From: Aditya Pakki +Date: Thu, 14 Mar 2019 15:31:40 -0500 +Subject: qlcnic: Avoid potential NULL pointer dereference + +[ Upstream commit 5bf7295fe34a5251b1d241b9736af4697b590670 ] + +netdev_alloc_skb can fail and return a NULL pointer which is +dereferenced without a check. The patch avoids such a scenario. + +Signed-off-by: Aditya Pakki +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c +index 0a2318cad34d..63ebc491057b 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c +@@ -1038,6 +1038,8 @@ int qlcnic_do_lb_test(struct qlcnic_adapter *adapter, u8 mode) + + for (i = 0; i < QLCNIC_NUM_ILB_PKT; i++) { + skb = netdev_alloc_skb(adapter->netdev, QLCNIC_ILB_PKT_SIZE); ++ if (!skb) ++ break; + qlcnic_create_loopback_buff(skb->data, adapter->mac_addr); + skb_put(skb, QLCNIC_ILB_PKT_SIZE); + adapter->ahw->diag_cnt = 0; +-- +2.19.1 + diff --git a/queue-3.18/scsi-qla4xxx-fix-a-potential-null-pointer-dereferenc.patch b/queue-3.18/scsi-qla4xxx-fix-a-potential-null-pointer-dereferenc.patch new file mode 100644 index 00000000000..180a529be30 --- /dev/null +++ b/queue-3.18/scsi-qla4xxx-fix-a-potential-null-pointer-dereferenc.patch @@ -0,0 +1,35 @@ +From 60eb85c9e5de239f52be27ed562484002e7dd19d Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Thu, 14 Mar 2019 01:30:59 -0500 +Subject: scsi: qla4xxx: fix a potential NULL pointer dereference + +[ Upstream commit fba1bdd2a9a93f3e2181ec1936a3c2f6b37e7ed6 ] + +In case iscsi_lookup_endpoint fails, the fix returns -EINVAL to avoid NULL +pointer dereference. + +Signed-off-by: Kangjie Lu +Acked-by: Manish Rangankar +Reviewed-by: Mukesh Ojha +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/scsi/qla4xxx/ql4_os.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c +index a9fac1eb8306..28f6d5ef04e0 100644 +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -3213,6 +3213,8 @@ static int qla4xxx_conn_bind(struct iscsi_cls_session *cls_session, + if (iscsi_conn_bind(cls_session, cls_conn, is_leading)) + return -EINVAL; + ep = iscsi_lookup_endpoint(transport_fd); ++ if (!ep) ++ return -EINVAL; + conn = cls_conn->dd_data; + qla_conn = conn->dd_data; + qla_conn->qla_ep = ep->dd_data; +-- +2.19.1 + diff --git a/queue-3.18/scsi-zfcp-reduce-flood-of-fcrscn1-trace-records-on-m.patch b/queue-3.18/scsi-zfcp-reduce-flood-of-fcrscn1-trace-records-on-m.patch new file mode 100644 index 00000000000..db6f016ee38 --- /dev/null +++ b/queue-3.18/scsi-zfcp-reduce-flood-of-fcrscn1-trace-records-on-m.patch @@ -0,0 +1,112 @@ +From f0ded278a184906eda2e2adf9cce2f1c3201715c Mon Sep 17 00:00:00 2001 +From: Steffen Maier +Date: Tue, 26 Mar 2019 14:37:00 +0100 +Subject: scsi: zfcp: reduce flood of fcrscn1 trace records on multi-element + RSCN + +[ Upstream commit c8206579175c34a2546de8a74262456278a7795a ] + +If an incoming ELS of type RSCN contains more than one element, zfcp +suboptimally causes repeated erp trigger NOP trace records for each +previously failed port. These could be ports that went away. It loops over +each RSCN element, and for each of those in an inner loop over all +zfcp_ports. + +The trigger to recover failed ports should be just the reception of some +RSCN, no matter how many elements it has. So we can loop over failed ports +separately, and only then loop over each RSCN element to handle the +non-failed ports. + +The call chain was: + + zfcp_fc_incoming_rscn + for (i = 1; i < no_entries; i++) + _zfcp_fc_incoming_rscn + list_for_each_entry(port, &adapter->port_list, list) + if (masked port->d_id match) zfcp_fc_test_link + if (!port->d_id) zfcp_erp_port_reopen "fcrscn1" <=== + +In order the reduce the "flooding" of the REC trace area in such cases, we +factor out handling the failed ports to be outside of the entries loop: + + zfcp_fc_incoming_rscn + if (no_entries > 1) <=== + list_for_each_entry(port, &adapter->port_list, list) <=== + if (!port->d_id) zfcp_erp_port_reopen "fcrscn1" <=== + for (i = 1; i < no_entries; i++) + _zfcp_fc_incoming_rscn + list_for_each_entry(port, &adapter->port_list, list) + if (masked port->d_id match) zfcp_fc_test_link + +Abbreviated example trace records before this code change: + +Tag : fcrscn1 +WWPN : 0x500507630310d327 +ERP want : 0x02 +ERP need : 0x02 + +Tag : fcrscn1 +WWPN : 0x500507630310d327 +ERP want : 0x02 +ERP need : 0x00 NOP => superfluous trace record + +The last trace entry repeats if there are more than 2 RSCN elements. + +Signed-off-by: Steffen Maier +Reviewed-by: Benjamin Block +Reviewed-by: Jens Remus +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/s390/scsi/zfcp_fc.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/drivers/s390/scsi/zfcp_fc.c b/drivers/s390/scsi/zfcp_fc.c +index ca28e1c66115..f9d59262da88 100644 +--- a/drivers/s390/scsi/zfcp_fc.c ++++ b/drivers/s390/scsi/zfcp_fc.c +@@ -195,10 +195,6 @@ static void _zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req, u32 range, + list_for_each_entry(port, &adapter->port_list, list) { + if ((port->d_id & range) == (ntoh24(page->rscn_fid) & range)) + zfcp_fc_test_link(port); +- if (!port->d_id) +- zfcp_erp_port_reopen(port, +- ZFCP_STATUS_COMMON_ERP_FAILED, +- "fcrscn1"); + } + read_unlock_irqrestore(&adapter->port_list_lock, flags); + } +@@ -206,6 +202,7 @@ static void _zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req, u32 range, + static void zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req) + { + struct fsf_status_read_buffer *status_buffer = (void *)fsf_req->data; ++ struct zfcp_adapter *adapter = fsf_req->adapter; + struct fc_els_rscn *head; + struct fc_els_rscn_page *page; + u16 i; +@@ -218,6 +215,22 @@ static void zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req) + /* see FC-FS */ + no_entries = head->rscn_plen / sizeof(struct fc_els_rscn_page); + ++ if (no_entries > 1) { ++ /* handle failed ports */ ++ unsigned long flags; ++ struct zfcp_port *port; ++ ++ read_lock_irqsave(&adapter->port_list_lock, flags); ++ list_for_each_entry(port, &adapter->port_list, list) { ++ if (port->d_id) ++ continue; ++ zfcp_erp_port_reopen(port, ++ ZFCP_STATUS_COMMON_ERP_FAILED, ++ "fcrscn1"); ++ } ++ read_unlock_irqrestore(&adapter->port_list_lock, flags); ++ } ++ + for (i = 1; i < no_entries; i++) { + /* skip head and start with 1st element */ + page++; +-- +2.19.1 + diff --git a/queue-3.18/series b/queue-3.18/series index 147ff7c3f62..bc7ffdf2f83 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -11,3 +11,17 @@ revert-block-loop-use-global-lock-for-ioctl-operation.patch ipv4-add-sanity-checks-in-ipv4_link_failure.patch team-fix-possible-recursive-locking-when-add-slaves.patch net-stmmac-move-stmmac_check_ether_addr-to-driver-probe.patch +qlcnic-avoid-potential-null-pointer-dereference.patch +usb-gadget-net2280-fix-overrun-of-out-messages.patch +usb-gadget-net2272-fix-net2272_dequeue.patch +net-ks8851-dequeue-rx-packets-explicitly.patch +net-ks8851-reassert-reset-pin-if-chip-id-check-fails.patch +net-ks8851-delay-requesting-irq-until-opened.patch +net-ks8851-set-initial-carrier-state-to-down.patch +net-ibm-fix-possible-object-reference-leak.patch +scsi-qla4xxx-fix-a-potential-null-pointer-dereferenc.patch +usb-u132-hcd-fix-resource-leak.patch +ceph-fix-use-after-free-on-symlink-traversal.patch +scsi-zfcp-reduce-flood-of-fcrscn1-trace-records-on-m.patch +libata-fix-using-dma-buffers-on-stack.patch +kconfig-mn-conf-handle-backspace-h-key.patch diff --git a/queue-3.18/usb-gadget-net2272-fix-net2272_dequeue.patch b/queue-3.18/usb-gadget-net2272-fix-net2272_dequeue.patch new file mode 100644 index 00000000000..9c6461aa487 --- /dev/null +++ b/queue-3.18/usb-gadget-net2272-fix-net2272_dequeue.patch @@ -0,0 +1,41 @@ +From 651b886420bf3afca1cf203a454d1a1266f4e6d2 Mon Sep 17 00:00:00 2001 +From: Guido Kiener +Date: Mon, 18 Mar 2019 09:18:34 +0100 +Subject: usb: gadget: net2272: Fix net2272_dequeue() + +[ Upstream commit 091dacc3cc10979ab0422f0a9f7fcc27eee97e69 ] + +Restore the status of ep->stopped in function net2272_dequeue(). + +When the given request is not found in the endpoint queue +the function returns -EINVAL without restoring the state of +ep->stopped. Thus the endpoint keeps blocked and does not transfer +any data anymore. + +This fix is only compile-tested, since we do not have a +corresponding hardware. An analogous fix was tested in the sibling +driver. See "usb: gadget: net2280: Fix net2280_dequeue()" + +Acked-by: Alan Stern +Signed-off-by: Guido Kiener +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/usb/gadget/udc/net2272.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/gadget/udc/net2272.c b/drivers/usb/gadget/udc/net2272.c +index 4b2444e75840..83d0544338ca 100644 +--- a/drivers/usb/gadget/udc/net2272.c ++++ b/drivers/usb/gadget/udc/net2272.c +@@ -962,6 +962,7 @@ net2272_dequeue(struct usb_ep *_ep, struct usb_request *_req) + break; + } + if (&req->req != _req) { ++ ep->stopped = stopped; + spin_unlock_irqrestore(&ep->dev->lock, flags); + return -EINVAL; + } +-- +2.19.1 + diff --git a/queue-3.18/usb-gadget-net2280-fix-overrun-of-out-messages.patch b/queue-3.18/usb-gadget-net2280-fix-overrun-of-out-messages.patch new file mode 100644 index 00000000000..447f0ce4565 --- /dev/null +++ b/queue-3.18/usb-gadget-net2280-fix-overrun-of-out-messages.patch @@ -0,0 +1,62 @@ +From 83dedb7a0e14f19cba66b93d2543d253eb1da47c Mon Sep 17 00:00:00 2001 +From: Guido Kiener +Date: Tue, 19 Mar 2019 19:12:03 +0100 +Subject: usb: gadget: net2280: Fix overrun of OUT messages + +[ Upstream commit 9d6a54c1430647355a5e23434881b2ca3d192b48 ] + +The OUT endpoint normally blocks (NAK) subsequent packets when a +short packet was received and returns an incomplete queue entry to +the gadget driver. Thereby the gadget driver can detect a short packet +when reading queue entries with a length that is not equal to a +multiple of packet size. + +The start_queue() function enables receiving OUT packets regardless of +the content of the OUT FIFO. This results in a race: With the current +code, it's possible that the "!ep->is_in && (readl(&ep->regs->ep_stat) +& BIT(NAK_OUT_PACKETS))" test in start_dma() will fail, then a short +packet will be received, and then start_queue() will call +stop_out_naking(). That's what we don't want (OUT naking gets turned +off while there is data in the FIFO) because then the next driver +request might receive a mixture of old and new packets. + +With the patch, this race can't occur because the FIFO's state is +tested after we know that OUT naking is already turned on, and OUT +naking is stopped only when both of the conditions are met. This +ensures that all received data is delivered to the gadget driver, +which can detect a short packet now before new packets are appended +to the last short packet. + +Acked-by: Alan Stern +Signed-off-by: Guido Kiener +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/usb/gadget/udc/net2280.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c +index 8d13337e2dde..931765208286 100644 +--- a/drivers/usb/gadget/udc/net2280.c ++++ b/drivers/usb/gadget/udc/net2280.c +@@ -800,9 +800,6 @@ static void start_queue(struct net2280_ep *ep, u32 dmactl, u32 td_dma) + (void) readl(&ep->dev->pci->pcimstctl); + + writel(BIT(DMA_START), &dma->dmastat); +- +- if (!ep->is_in) +- stop_out_naking(ep); + } + + static void start_dma(struct net2280_ep *ep, struct net2280_request *req) +@@ -841,6 +838,7 @@ static void start_dma(struct net2280_ep *ep, struct net2280_request *req) + writel(BIT(DMA_START), &dma->dmastat); + return; + } ++ stop_out_naking(ep); + } + + tmp = dmactl_default; +-- +2.19.1 + diff --git a/queue-3.18/usb-u132-hcd-fix-resource-leak.patch b/queue-3.18/usb-u132-hcd-fix-resource-leak.patch new file mode 100644 index 00000000000..7f8cdddc1be --- /dev/null +++ b/queue-3.18/usb-u132-hcd-fix-resource-leak.patch @@ -0,0 +1,34 @@ +From 8779df829037dc55ec17fc4730127ce09cea300f Mon Sep 17 00:00:00 2001 +From: Mukesh Ojha +Date: Tue, 26 Mar 2019 13:42:22 +0530 +Subject: usb: u132-hcd: fix resource leak + +[ Upstream commit f276e002793cdb820862e8ea8f76769d56bba575 ] + +if platform_driver_register fails, cleanup the allocated resource +gracefully. + +Signed-off-by: Mukesh Ojha +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/usb/host/u132-hcd.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/host/u132-hcd.c b/drivers/usb/host/u132-hcd.c +index ab5128755672..3d9ce725d1df 100644 +--- a/drivers/usb/host/u132-hcd.c ++++ b/drivers/usb/host/u132-hcd.c +@@ -3234,6 +3234,9 @@ static int __init u132_hcd_init(void) + printk(KERN_INFO "driver %s\n", hcd_name); + workqueue = create_singlethread_workqueue("u132"); + retval = platform_driver_register(&u132_platform_driver); ++ if (retval) ++ destroy_workqueue(workqueue); ++ + return retval; + } + +-- +2.19.1 +