From: Sasha Levin
Date: Mon, 22 Jul 2019 00:55:28 +0000 (-0400)
Subject: fixes for 4.9
X-Git-Tag: v5.2.3~74
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=68d5d72d2c3df6caa5c0477f456a4805ba3fdbf2;p=thirdparty%2Fkernel%2Fstable-queue.git
fixes for 4.9
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.9/acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch b/queue-4.9/acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch
new file mode 100644
index 00000000000..b713888d5fc
--- /dev/null
+++ b/queue-4.9/acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch
@@ -0,0 +1,52 @@
+From f29a510f5e59e5d256236f3f731d8587bdbcf8c3 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel
+Date: Wed, 19 Jun 2019 14:18:31 +0200
+Subject: acpi/arm64: ignore 5.1 FADTs that are reported as 5.0
+
+[ Upstream commit 2af22f3ec3ca452f1e79b967f634708ff01ced8a ]
+
+Some Qualcomm Snapdragon based laptops built to run Microsoft Windows
+are clearly ACPI 5.1 based, given that that is the first ACPI revision
+that supports ARM, and introduced the FADT 'arm_boot_flags' field,
+which has a non-zero field on those systems.
+
+So in these cases, infer from the ARM boot flags that the FADT must be
+5.1 or later, and treat it as 5.1.
+
+Acked-by: Sudeep Holla
+Tested-by: Lee Jones
+Reviewed-by: Graeme Gregory
+Acked-by: Lorenzo Pieralisi
+Acked-by: Hanjun Guo
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Catalin Marinas
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/kernel/acpi.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/kernel/acpi.c b/arch/arm64/kernel/acpi.c
+index 252a6d9c1da5..1a95d135def2 100644
+--- a/arch/arm64/kernel/acpi.c
++++ b/arch/arm64/kernel/acpi.c
+@@ -157,10 +157,14 @@ static int __init acpi_fadt_sanity_check(void)
+ */
+ if (table->revision < 5 ||
+ (table->revision == 5 && fadt->minor_revision < 1)) {
+- pr_err("Unsupported FADT revision %d.%d, should be 5.1+\n",
++ pr_err(FW_BUG "Unsupported FADT revision %d.%d, should be 5.1+\n",
+ table->revision, fadt->minor_revision);
+- ret = -EINVAL;
+- goto out;
++
++ if (!fadt->arm_boot_flags) {
++ ret = -EINVAL;
++ goto out;
++ }
++ pr_err("FADT has ARM boot flags set, assuming 5.1\n");
+ }
+
+ if (!(fadt->flags & ACPI_FADT_HW_REDUCED)) {
+--
+2.20.1
+
diff --git a/queue-4.9/af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch b/queue-4.9/af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch
new file mode 100644
index 00000000000..52a30f01aaa
--- /dev/null
+++ b/queue-4.9/af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch
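Review bot: In `acpi_fadt_sanity_check()` the new `if (!fadt->arm_boot_flags)` test is reached for every FADT whose reported revision is below 5.1, including revisions that predate the `arm_boot_flags` field, and nothing in the visible lines confirms that the firmware-supplied table is long enough to contain that field. Unless the part of the function outside this hunk already validates the length, the fallback should be gated on it, for example `if (table->length < offsetof(struct acpi_table_fadt, minor_revision) || !fadt->arm_boot_flags) {`, so that bytes lying past a short table cannot turn a rejected FADT into an accepted one. The follow-up message reports a tolerated firmware defect rather than a failure, so `pr_warn(FW_BUG "FADT has ARM boot flags set, assuming 5.1\n");` would match the tag added on the line above.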
@@ -0,0 +1,50 @@
+From f66803b2b6fdb21a723892d2da68b3532babacc5 Mon Sep 17 00:00:00 2001
+From: Jeremy Sowden
+Date: Sat, 25 May 2019 19:09:35 +0100
+Subject: af_key: fix leaks in key_pol_get_resp and dump_sp.
+
+[ Upstream commit 7c80eb1c7e2b8420477fbc998971d62a648035d9 ]
+
+In both functions, if pfkey_xfrm_policy2msg failed we leaked the newly
+allocated sk_buff. Free it on error.
+
+Fixes: 55569ce256ce ("Fix conversion between IPSEC_MODE_xxx and XFRM_MODE_xxx.")
+Reported-by: syzbot+4f0529365f7f2208d9f0@syzkaller.appspotmail.com
+Signed-off-by: Jeremy Sowden
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/key/af_key.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index 3ba903ff2bb0..36db179d848e 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -2463,8 +2463,10 @@ static int key_pol_get_resp(struct sock *sk, struct xfrm_policy *xp, const struc
+ goto out;
+ }
+ err = pfkey_xfrm_policy2msg(out_skb, xp, dir);
+- if (err < 0)
++ if (err < 0) {
++ kfree_skb(out_skb);
+ goto out;
++ }
+
+ out_hdr = (struct sadb_msg *) out_skb->data;
+ out_hdr->sadb_msg_version = hdr->sadb_msg_version;
+@@ -2717,8 +2719,10 @@ static int dump_sp(struct xfrm_policy *xp, int dir, int count, void *ptr)
+ return PTR_ERR(out_skb);
+
+ err = pfkey_xfrm_policy2msg(out_skb, xp, dir);
+- if (err < 0)
++ if (err < 0) {
++ kfree_skb(out_skb);
+ return err;
++ }
+
+ out_hdr = (struct sadb_msg *) out_skb->data;
+ out_hdr->sadb_msg_version = pfk->dump.msg_version;
+--
+2.20.1
+
diff --git a/queue-4.9/arm64-efi-mark-__efistub_stext_offset-as-an-absolute.patch b/queue-4.9/arm64-efi-mark-__efistub_stext_offset-as-an-absolute.patch
new file mode 100644
index 00000000000..0c2adee517c
--- /dev/null
+++ b/queue-4.9/arm64-efi-mark-__efistub_stext_offset-as-an-absolute.patch
@@ -0,0 +1,61 @@
+From b85e8bb976f7227e127f342de935136c8ee6bcfc Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor
+Date: Tue, 25 Jun 2019 21:20:17 -0700
+Subject: arm64/efi: Mark __efistub_stext_offset as an absolute symbol
+ explicitly
+
+[ Upstream commit aa69fb62bea15126e744af2e02acc0d6cf3ed4da ]
+
+After r363059 and r363928 in LLVM, a build using ld.lld as the linker
+with CONFIG_RANDOMIZE_BASE enabled fails like so:
+
+ld.lld: error: relocation R_AARCH64_ABS32 cannot be used against symbol
+__efistub_stext_offset; recompile with -fPIC
+
+Fangrui and Peter figured out that ld.lld is incorrectly considering
+__efistub_stext_offset as a relative symbol because of the order in
+which symbols are evaluated. _text is treated as an absolute symbol
+and stext is a relative symbol, making __efistub_stext_offset a
+relative symbol.
+
+Adding ABSOLUTE will force ld.lld to evalute this expression in the
+right context and does not change ld.bfd's behavior. ld.lld will
+need to be fixed but the developers do not see a quick or simple fix
+without some research (see the linked issue for further explanation).
+Add this simple workaround so that ld.lld can continue to link kernels.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/561
+Link: https://github.com/llvm/llvm-project/commit/025a815d75d2356f2944136269aa5874721ec236
+Link: https://github.com/llvm/llvm-project/commit/249fde85832c33f8b06c6b4ac65d1c4b96d23b83
+Acked-by: Ard Biesheuvel
+Debugged-by: Fangrui Song
+Debugged-by: Peter Smith
+Suggested-by: Fangrui Song
+Signed-off-by: Nathan Chancellor
+[will: add comment]
+Signed-off-by: Will Deacon
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/kernel/image.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/image.h b/arch/arm64/kernel/image.h
+index c7fcb232fe47..d3e8c901274d 100644
+--- a/arch/arm64/kernel/image.h
++++ b/arch/arm64/kernel/image.h
+@@ -73,7 +73,11 @@
+
+ #ifdef CONFIG_EFI
+
+-__efistub_stext_offset = stext - _text;
++/*
++ * Use ABSOLUTE() to avoid ld.lld treating this as a relative symbol:
++ * https://github.com/ClangBuiltLinux/linux/issues/561
++ */
++__efistub_stext_offset = ABSOLUTE(stext - _text);
+
+ /*
+ * Prevent the symbol aliases below from being emitted into the kallsyms
+--
+2.20.1
+
diff --git a/queue-4.9/ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch b/queue-4.9/ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch
new file mode 100644
index 00000000000..1af03a976e5
--- /dev/null
+++ b/queue-4.9/ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch
@@ -0,0 +1,44 @@
+From f48893853c520d0d695b4d861152788b442f4358 Mon Sep 17 00:00:00 2001
+From: Anilkumar Kolli
+Date: Wed, 6 Mar 2019 23:06:11 +0530
+Subject: ath: DFS JP domain W56 fixed pulse type 3 RADAR detection
+
+[ Upstream commit d8792393a783158cbb2c39939cb897dc5e5299b6 ]
+
+Increase pulse width range from 1-2usec to 0-4usec.
+During data traffic HW occasionally fails detecting radar pulses,
+so that SW cannot get enough radar reports to achieve the success rate.
+
+Tested ath10k hw and fw:
+ * QCA9888(10.4-3.5.1-00052)
+ * QCA4019(10.4-3.2.1.1-00017)
+ * QCA9984(10.4-3.6-00104)
+ * QCA988X(10.2.4-1.0-00041)
+
+Tested ath9k hw: AR9300
+
+Tested-by: Tamizh chelvam
+Signed-off-by: Tamizh chelvam
+Signed-off-by: Anilkumar Kolli
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/dfs_pattern_detector.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/dfs_pattern_detector.c b/drivers/net/wireless/ath/dfs_pattern_detector.c
+index 4100ffd42a43..78146607f16e 100644
+--- a/drivers/net/wireless/ath/dfs_pattern_detector.c
++++ b/drivers/net/wireless/ath/dfs_pattern_detector.c
+@@ -111,7 +111,7 @@ static const struct radar_detector_specs jp_radar_ref_types[] = {
+ JP_PATTERN(0, 0, 1, 1428, 1428, 1, 18, 29, false),
+ JP_PATTERN(1, 2, 3, 3846, 3846, 1, 18, 29, false),
+ JP_PATTERN(2, 0, 1, 1388, 1388, 1, 18, 50, false),
+- JP_PATTERN(3, 1, 2, 4000, 4000, 1, 18, 50, false),
++ JP_PATTERN(3, 0, 4, 4000, 4000, 1, 18, 50, false),
+ JP_PATTERN(4, 0, 5, 150, 230, 1, 23, 50, false),
+ JP_PATTERN(5, 6, 10, 200, 500, 1, 16, 50, false),
+ JP_PATTERN(6, 11, 20, 200, 500, 1, 12, 50, false),
+--
+2.20.1
+
diff --git a/queue-4.9/ath10k-do-not-send-probe-response-template-for-mesh.patch b/queue-4.9/ath10k-do-not-send-probe-response-template-for-mesh.patch
new file mode 100644
index 00000000000..970c951775d
--- /dev/null
+++ b/queue-4.9/ath10k-do-not-send-probe-response-template-for-mesh.patch
@@ -0,0 +1,43 @@
+From 90ab189db2116019849098e46878262ceaba5960 Mon Sep 17 00:00:00 2001
+From: Surabhi Vishnoi
+Date: Wed, 17 Apr 2019 14:01:46 +0530
+Subject: ath10k: Do not send probe response template for mesh
+
+[ Upstream commit 97354f2c432788e3163134df6bb144f4b6289d87 ]
+
+Currently mac80211 do not support probe response template for
+mesh point. When WMI_SERVICE_BEACON_OFFLOAD is enabled, host
+driver tries to configure probe response template for mesh, but
+it fails because the interface type is not NL80211_IFTYPE_AP but
+NL80211_IFTYPE_MESH_POINT.
+
+To avoid this failure, skip sending probe response template to
+firmware for mesh point.
+
+Tested HW: WCN3990/QCA6174/QCA9984
+
+Signed-off-by: Surabhi Vishnoi
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index fb632a454fc2..1588fe8110d0 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -1596,6 +1596,10 @@ static int ath10k_mac_setup_prb_tmpl(struct ath10k_vif *arvif)
+ if (arvif->vdev_type != WMI_VDEV_TYPE_AP)
+ return 0;
+
++ /* For mesh, probe response and beacon share the same template */
++ if (ieee80211_vif_is_mesh(vif))
++ return 0;
++
+ prb = ieee80211_proberesp_get(hw, vif);
+ if (!prb) {
+ ath10k_warn(ar, "failed to get probe resp template from mac80211\n");
+--
+2.20.1
+
diff --git a/queue-4.9/ath10k-fix-pcie-device-wake-up-failed.patch b/queue-4.9/ath10k-fix-pcie-device-wake-up-failed.patch
new file mode 100644
index 00000000000..27207bd1d60
--- /dev/null
+++ b/queue-4.9/ath10k-fix-pcie-device-wake-up-failed.patch
@@ -0,0 +1,49 @@
+From 56a043000e32953bcc0eae04874d4031d9b78e38 Mon Sep 17 00:00:00 2001
+From: Miaoqing Pan
+Date: Thu, 30 May 2019 09:49:20 +0800
+Subject: ath10k: fix PCIE device wake up failed
+
+[ Upstream commit 011d4111c8c602ea829fa4917af1818eb0500a90 ]
+
+Observed PCIE device wake up failed after ~120 iterations of
+soft-reboot test. The error message is
+"ath10k_pci 0000:01:00.0: failed to wake up device : -110"
+
+The call trace as below:
+ath10k_pci_probe -> ath10k_pci_force_wake -> ath10k_pci_wake_wait ->
+ath10k_pci_is_awake
+
+Once trigger the device to wake up, we will continuously check the RTC
+state until it returns RTC_STATE_V_ON or timeout.
+
+But for QCA99x0 chips, we use wrong value for RTC_STATE_V_ON.
+Occasionally, we get 0x7 on the fist read, we thought as a failure
+case, but actually is the right value, also verified with the spec.
+So fix the issue by changing RTC_STATE_V_ON from 0x5 to 0x7, passed
+~2000 iterations.
+
+Tested HW: QCA9984
+
+Signed-off-by: Miaoqing Pan
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath10k/hw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/hw.c b/drivers/net/wireless/ath/ath10k/hw.c
+index 675e75d66db2..14dc6548701c 100644
+--- a/drivers/net/wireless/ath/ath10k/hw.c
++++ b/drivers/net/wireless/ath/ath10k/hw.c
+@@ -157,7 +157,7 @@ const struct ath10k_hw_values qca6174_values = {
+ };
+
+ const struct ath10k_hw_values qca99x0_values = {
+- .rtc_state_val_on = 5,
++ .rtc_state_val_on = 7,
+ .ce_count = 12,
+ .msi_assign_ce_max = 12,
+ .num_target_ce_config_wlan = 10,
+--
+2.20.1
+
diff --git a/queue-4.9/ath6kl-add-some-bounds-checking.patch b/queue-4.9/ath6kl-add-some-bounds-checking.patch
new file mode 100644
index 00000000000..809d7aae8c9
--- /dev/null
+++ b/queue-4.9/ath6kl-add-some-bounds-checking.patch
@@ -0,0 +1,62 @@
+From bf71c00d1591b08f2737ec00a7b0bbbde04707af Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Thu, 4 Apr 2019 11:56:51 +0300
+Subject: ath6kl: add some bounds checking
+
+[ Upstream commit 5d6751eaff672ea77642e74e92e6c0ac7f9709ab ]
+
+The "ev->traffic_class" and "reply->ac" variables come from the network
+and they're used as an offset into the wmi->stream_exist_for_ac[] array.
+Those variables are u8 so they can be 0-255 but the stream_exist_for_ac[]
+array only has WMM_NUM_AC (4) elements. We need to add a couple bounds
+checks to prevent array overflows.
+
+I also modified one existing check from "if (traffic_class > 3) {" to
+"if (traffic_class >= WMM_NUM_AC) {" just to make them all consistent.
+
+Fixes: bdcd81707973 (" Add ath6kl cleaned up driver")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath6kl/wmi.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
+index 3fd1cc98fd2f..55609fc4e50e 100644
+--- a/drivers/net/wireless/ath/ath6kl/wmi.c
++++ b/drivers/net/wireless/ath/ath6kl/wmi.c
+@@ -1178,6 +1178,10 @@ static int ath6kl_wmi_pstream_timeout_event_rx(struct wmi *wmi, u8 *datap,
+ return -EINVAL;
+
+ ev = (struct wmi_pstream_timeout_event *) datap;
++ if (ev->traffic_class >= WMM_NUM_AC) {
++ ath6kl_err("invalid traffic class: %d\n", ev->traffic_class);
++ return -EINVAL;
++ }
+
+ /*
+ * When the pstream (fat pipe == AC) timesout, it means there were
+@@ -1519,6 +1523,10 @@ static int ath6kl_wmi_cac_event_rx(struct wmi *wmi, u8 *datap, int len,
+ return -EINVAL;
+
+ reply = (struct wmi_cac_event *) datap;
++ if (reply->ac >= WMM_NUM_AC) {
++ ath6kl_err("invalid AC: %d\n", reply->ac);
++ return -EINVAL;
++ }
+
+ if ((reply->cac_indication == CAC_INDICATION_ADMISSION_RESP) &&
+ (reply->status_code != IEEE80211_TSPEC_STATUS_ADMISS_ACCEPTED)) {
+@@ -2635,7 +2643,7 @@ int ath6kl_wmi_delete_pstream_cmd(struct wmi *wmi, u8 if_idx, u8 traffic_class,
+ u16 active_tsids = 0;
+ int ret;
+
+- if (traffic_class > 3) {
++ if (traffic_class >= WMM_NUM_AC) {
+ ath6kl_err("invalid traffic class: %d\n", traffic_class);
+ return -EINVAL;
+ }
+--
+2.20.1
+
diff --git a/queue-4.9/ath9k-check-for-errors-when-reading-srev-register.patch b/queue-4.9/ath9k-check-for-errors-when-reading-srev-register.patch
new file mode 100644
index 00000000000..78a519b0a76
--- /dev/null
+++ b/queue-4.9/ath9k-check-for-errors-when-reading-srev-register.patch
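Review bot: The two new `ath6kl_err()` calls in `ath6kl_wmi_pstream_timeout_event_rx()` and `ath6kl_wmi_cac_event_rx()` log at error level on a path that, according to the commit message, is driven by values arriving from the network, so a sender that keeps supplying out-of-range values can fill the kernel log. The bounds checks themselves are the right fix; only the reporting should be quieter, for example `ath6kl_dbg(ATH6KL_DBG_WMI, "invalid traffic class: %d\n", ev->traffic_class);` or a rate-limited print. The third hunk, in `ath6kl_wmi_delete_pstream_cmd()`, validates a caller-supplied argument and can keep its `ath6kl_err()`. All three functions begin and end outside the hunks shown.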
@@ -0,0 +1,121 @@ +From 85e1524cb392cf9c9fb674e4c85d1e024f4d5cb0 Mon Sep 17 00:00:00 2001 +From: Tim Schumacher +Date: Mon, 18 Mar 2019 20:05:57 +0100 +Subject: ath9k: Check for errors when reading SREV register + +[ Upstream commit 2f90c7e5d09437a4d8d5546feaae9f1cf48cfbe1 ] + +Right now, if an error is encountered during the SREV register +read (i.e. an EIO in ath9k_regread()), that error code gets +passed all the way to __ath9k_hw_init(), where it is visible +during the "Chip rev not supported" message. + + ath9k_htc 1-1.4:1.0: ath9k_htc: HTC initialized with 33 credits + ath: phy2: Mac Chip Rev 0x0f.3 is not supported by this driver + ath: phy2: Unable to initialize hardware; initialization status: -95 + ath: phy2: Unable to initialize hardware; initialization status: -95 + ath9k_htc: Failed to initialize the device + +Check for -EIO explicitly in ath9k_hw_read_revisions() and return +a boolean based on the success of the operation. Check for that in +__ath9k_hw_init() and abort with a more debugging-friendly message +if reading the revisions wasn't successful. + + ath9k_htc 1-1.4:1.0: ath9k_htc: HTC initialized with 33 credits + ath: phy2: Failed to read SREV register + ath: phy2: Could not read hardware revision + ath: phy2: Unable to initialize hardware; initialization status: -95 + ath: phy2: Unable to initialize hardware; initialization status: -95 + ath9k_htc: Failed to initialize the device + +This helps when debugging by directly showing the first point of +failure and it could prevent possible errors if a 0x0f.3 revision +is ever supported. 
+ +Signed-off-by: Tim Schumacher +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hw.c | 32 +++++++++++++++++++++-------- + 1 file changed, 23 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c +index 951bac2caf12..e7fca78cdd96 100644 +--- a/drivers/net/wireless/ath/ath9k/hw.c ++++ b/drivers/net/wireless/ath/ath9k/hw.c +@@ -250,8 +250,9 @@ void ath9k_hw_get_channel_centers(struct ath_hw *ah, + /* Chip Revisions */ + /******************/ + +-static void ath9k_hw_read_revisions(struct ath_hw *ah) ++static bool ath9k_hw_read_revisions(struct ath_hw *ah) + { ++ u32 srev; + u32 val; + + if (ah->get_mac_revision) +@@ -267,25 +268,33 @@ static void ath9k_hw_read_revisions(struct ath_hw *ah) + val = REG_READ(ah, AR_SREV); + ah->hw_version.macRev = MS(val, AR_SREV_REVISION2); + } +- return; ++ return true; + case AR9300_DEVID_AR9340: + ah->hw_version.macVersion = AR_SREV_VERSION_9340; +- return; ++ return true; + case AR9300_DEVID_QCA955X: + ah->hw_version.macVersion = AR_SREV_VERSION_9550; +- return; ++ return true; + case AR9300_DEVID_AR953X: + ah->hw_version.macVersion = AR_SREV_VERSION_9531; +- return; ++ return true; + case AR9300_DEVID_QCA956X: + ah->hw_version.macVersion = AR_SREV_VERSION_9561; +- return; ++ return true; + } + +- val = REG_READ(ah, AR_SREV) & AR_SREV_ID; ++ srev = REG_READ(ah, AR_SREV); ++ ++ if (srev == -EIO) { ++ ath_err(ath9k_hw_common(ah), ++ "Failed to read SREV register"); ++ return false; ++ } ++ ++ val = srev & AR_SREV_ID; + + if (val == 0xFF) { +- val = REG_READ(ah, AR_SREV); ++ val = srev; + ah->hw_version.macVersion = + (val & AR_SREV_VERSION2) >> AR_SREV_TYPE2_S; + ah->hw_version.macRev = MS(val, AR_SREV_REVISION2); +@@ -304,6 +313,8 @@ static void ath9k_hw_read_revisions(struct ath_hw *ah) + if (ah->hw_version.macVersion == AR_SREV_VERSION_5416_PCIE) + ah->is_pciexpress = true; + } ++ ++ return true; + } + + 
/************************************/ +@@ -557,7 +568,10 @@ static int __ath9k_hw_init(struct ath_hw *ah) + struct ath_common *common = ath9k_hw_common(ah); + int r = 0; + +- ath9k_hw_read_revisions(ah); ++ if (!ath9k_hw_read_revisions(ah)) { ++ ath_err(common, "Could not read hardware revisions"); ++ return -EOPNOTSUPP; ++ } + + switch (ah->hw_version.macVersion) { + case AR_SREV_VERSION_5416_PCI: +-- +2.20.1 + diff --git a/queue-4.9/batman-adv-fix-for-leaked-tvlv-handler.patch b/queue-4.9/batman-adv-fix-for-leaked-tvlv-handler.patch new file mode 100644 index 00000000000..af47fdb2621 --- /dev/null +++ b/queue-4.9/batman-adv-fix-for-leaked-tvlv-handler.patch 
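Review bot: Both new `ath_err()` strings lack a trailing newline, so each message can run into whatever is logged next; they should read `"Failed to read SREV register\n"` in `ath9k_hw_read_revisions()` and `"Could not read hardware revisions\n"` in `__ath9k_hw_init()`. Separately, `srev` is declared `u32`, so `srev == -EIO` matches only because `-EIO` is converted to a large unsigned value: the failure is signalled in-band, any other error code returned by the register read would still be parsed as a revision, and writing the test as `if (srev == (u32)-EIO)` with a short comment would at least make that explicit. `__ath9k_hw_init()` continues outside the last hunk.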
@@ -0,0 +1,37 @@ +From 58b77c9796edfb1163987ca64285c1b520414c5c Mon Sep 17 00:00:00 2001 +From: Jeremy Sowden +Date: Tue, 21 May 2019 20:58:57 +0100 +Subject: batman-adv: fix for leaked TVLV handler. + +[ Upstream commit 17f78dd1bd624a4dd78ed5db3284a63ee807fcc3 ] + +A handler for BATADV_TVLV_ROAM was being registered when the +translation-table was initialized, but not unregistered when the +translation-table was freed. Unregister it. + +Fixes: 122edaa05940 ("batman-adv: tvlv - convert roaming adv packet to use tvlv unicast packets") +Reported-by: syzbot+d454a826e670502484b8@syzkaller.appspotmail.com +Signed-off-by: Jeremy Sowden +Signed-off-by: Sven Eckelmann +Signed-off-by: Sasha Levin +--- + net/batman-adv/translation-table.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c +index af4a02ad8503..1fab9bcf535d 100644 +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -3700,6 +3700,8 @@ static void batadv_tt_purge(struct work_struct *work) + + void batadv_tt_free(struct batadv_priv *bat_priv) + { ++ batadv_tvlv_handler_unregister(bat_priv, BATADV_TVLV_ROAM, 1); ++ + batadv_tvlv_container_unregister(bat_priv, BATADV_TVLV_TT, 1); + batadv_tvlv_handler_unregister(bat_priv, BATADV_TVLV_TT, 1); + +-- +2.20.1 + diff --git a/queue-4.9/bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch b/queue-4.9/bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch new file mode 100644 index 00000000000..b566ff3ed33 --- /dev/null +++ b/queue-4.9/bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch 
@@ -0,0 +1,128 @@
+From e513a614f45a4979e6fa51c4b17256e3bac4574f Mon Sep 17 00:00:00 2001
+From: Coly Li
+Date: Fri, 28 Jun 2019 19:59:25 +0800
+Subject: bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush()
+
+[ Upstream commit b387e9b58679c60f5b1e4313939bd4878204fc37 ]
+
+When system memory is in heavy pressure, bch_gc_thread_start() from
+run_cache_set() may fail due to out of memory. In such condition,
+c->gc_thread is assigned to -ENOMEM, not NULL pointer. Then in following
+failure code path bch_cache_set_error(), when cache_set_flush() gets
+called, the code piece to stop c->gc_thread is broken,
+ if (!IS_ERR_OR_NULL(c->gc_thread))
+ kthread_stop(c->gc_thread);
+
+And KASAN catches such NULL pointer deference problem, with the warning
+information:
+
+[ 561.207881] ==================================================================
+[ 561.207900] BUG: KASAN: null-ptr-deref in kthread_stop+0x3b/0x440
+[ 561.207904] Write of size 4 at addr 000000000000001c by task kworker/15:1/313
+
+[ 561.207913] CPU: 15 PID: 313 Comm: kworker/15:1 Tainted: G W 5.0.0-vanilla+ #3
+[ 561.207916] Hardware name: Lenovo ThinkSystem SR650 -[7X05CTO1WW]-/-[7X05CTO1WW]-, BIOS -[IVE136T-2.10]- 03/22/2019
+[ 561.207935] Workqueue: events cache_set_flush [bcache]
+[ 561.207940] Call Trace:
+[ 561.207948] dump_stack+0x9a/0xeb
+[ 561.207955] ? kthread_stop+0x3b/0x440
+[ 561.207960] ? kthread_stop+0x3b/0x440
+[ 561.207965] kasan_report+0x176/0x192
+[ 561.207973] ? kthread_stop+0x3b/0x440
+[ 561.207981] kthread_stop+0x3b/0x440
+[ 561.207995] cache_set_flush+0xd4/0x6d0 [bcache]
+[ 561.208008] process_one_work+0x856/0x1620
+[ 561.208015] ? find_held_lock+0x39/0x1d0
+[ 561.208028] ? drain_workqueue+0x380/0x380
+[ 561.208048] worker_thread+0x87/0xb80
+[ 561.208058] ? __kthread_parkme+0xb6/0x180
+[ 561.208067] ? process_one_work+0x1620/0x1620
+[ 561.208072] kthread+0x326/0x3e0
+[ 561.208079] ? kthread_create_worker_on_cpu+0xc0/0xc0
+[ 561.208090] ret_from_fork+0x3a/0x50
+[ 561.208110] ==================================================================
+[ 561.208113] Disabling lock debugging due to kernel taint
+[ 561.208115] irq event stamp: 11800231
+[ 561.208126] hardirqs last enabled at (11800231): [] do_syscall_64+0x18/0x410
+[ 561.208127] BUG: unable to handle kernel NULL pointer dereference at 000000000000001c
+[ 561.208129] #PF error: [WRITE]
+[ 561.312253] hardirqs last disabled at (11800230): [] trace_hardirqs_off_thunk+0x1a/0x1c
+[ 561.312259] softirqs last enabled at (11799832): [] __do_softirq+0x5c7/0x8c3
+[ 561.405975] PGD 0 P4D 0
+[ 561.442494] softirqs last disabled at (11799821): [] irq_exit+0x1ac/0x1e0
+[ 561.791359] Oops: 0002 [#1] SMP KASAN NOPTI
+[ 561.791362] CPU: 15 PID: 313 Comm: kworker/15:1 Tainted: G B W 5.0.0-vanilla+ #3
+[ 561.791363] Hardware name: Lenovo ThinkSystem SR650 -[7X05CTO1WW]-/-[7X05CTO1WW]-, BIOS -[IVE136T-2.10]- 03/22/2019
+[ 561.791371] Workqueue: events cache_set_flush [bcache]
+[ 561.791374] RIP: 0010:kthread_stop+0x3b/0x440
+[ 561.791376] Code: 00 00 65 8b 05 26 d5 e0 7c 89 c0 48 0f a3 05 ec aa df 02 0f 82 dc 02 00 00 4c 8d 63 20 be 04 00 00 00 4c 89 e7 e8 65 c5 53 00 ff 43 20 48 8d 7b 24 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48
+[ 561.791377] RSP: 0018:ffff88872fc8fd10 EFLAGS: 00010286
+[ 561.838895] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838916] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838934] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838948] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838966] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838979] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 561.838996] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 563.067028] RAX: 0000000000000000 RBX: fffffffffffffffc RCX: ffffffff832dd314
+[ 563.067030] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000297
+[ 563.067032] RBP: ffff88872fc8fe88 R08: fffffbfff0b8213d R09: fffffbfff0b8213d
+[ 563.067034] R10: 0000000000000001 R11: fffffbfff0b8213c R12: 000000000000001c
+[ 563.408618] R13: ffff88dc61cc0f68 R14: ffff888102b94900 R15: ffff88dc61cc0f68
+[ 563.408620] FS: 0000000000000000(0000) GS:ffff888f7dc00000(0000) knlGS:0000000000000000
+[ 563.408622] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 563.408623] CR2: 000000000000001c CR3: 0000000f48a1a004 CR4: 00000000007606e0
+[ 563.408625] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 563.408627] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 563.904795] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 563.915796] PKRU: 55555554
+[ 563.915797] Call Trace:
+[ 563.915807] cache_set_flush+0xd4/0x6d0 [bcache]
+[ 563.915812] process_one_work+0x856/0x1620
+[ 564.001226] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 564.033563] ? find_held_lock+0x39/0x1d0
+[ 564.033567] ? drain_workqueue+0x380/0x380
+[ 564.033574] worker_thread+0x87/0xb80
+[ 564.062823] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 564.118042] ? __kthread_parkme+0xb6/0x180
+[ 564.118046] ? process_one_work+0x1620/0x1620
+[ 564.118048] kthread+0x326/0x3e0
+[ 564.118050] ? kthread_create_worker_on_cpu+0xc0/0xc0
+[ 564.167066] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 564.252441] ret_from_fork+0x3a/0x50
+[ 564.252447] Modules linked in: msr rpcrdma sunrpc rdma_ucm ib_iser ib_umad rdma_cm ib_ipoib i40iw configfs iw_cm ib_cm libiscsi scsi_transport_iscsi mlx4_ib ib_uverbs mlx4_en ib_core nls_iso8859_1 nls_cp437 vfat fat intel_rapl skx_edac x86_pkg_temp_thermal coretemp iTCO_wdt iTCO_vendor_support crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel ses raid0 aesni_intel cdc_ether enclosure usbnet ipmi_ssif joydev aes_x86_64 i40e scsi_transport_sas mii bcache md_mod crypto_simd mei_me ioatdma crc64 ptp cryptd pcspkr i2c_i801 mlx4_core glue_helper pps_core mei lpc_ich dca wmi ipmi_si ipmi_devintf nd_pmem dax_pmem nd_btt ipmi_msghandler device_dax pcc_cpufreq button hid_generic usbhid mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect xhci_pci sysimgblt fb_sys_fops xhci_hcd ttm megaraid_sas drm usbcore nfit libnvdimm sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua efivarfs
+[ 564.299390] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree.
+[ 564.348360] CR2: 000000000000001c
+[ 564.348362] ---[ end trace b7f0e5cc7b2103b0 ]---
+
+Therefore, it is not enough to only check whether c->gc_thread is NULL,
+we should use IS_ERR_OR_NULL() to check both NULL pointer and error
+value.
+
+This patch changes the above buggy code piece in this way,
+ if (!IS_ERR_OR_NULL(c->gc_thread))
+ kthread_stop(c->gc_thread);
+
+Signed-off-by: Coly Li
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/md/bcache/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index 9f2588eaaf5f..c5bc3e5e921e 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1405,7 +1405,7 @@ static void cache_set_flush(struct closure *cl)
+ kobject_put(&c->internal);
+ kobject_del(&c->kobj);
+
+- if (c->gc_thread)
++ if (!IS_ERR_OR_NULL(c->gc_thread))
+ kthread_stop(c->gc_thread);
+
+ if (!IS_ERR_OR_NULL(c->root))
+--
+2.20.1
+
diff --git a/queue-4.9/blkcg-writeback-dead-memcgs-shouldn-t-contribute-to-.patch b/queue-4.9/blkcg-writeback-dead-memcgs-shouldn-t-contribute-to-.patch
new file mode 100644
index 00000000000..78873cdf7ae
--- /dev/null
+++ b/queue-4.9/blkcg-writeback-dead-memcgs-shouldn-t-contribute-to-.patch
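Review bot: `cache_set_flush()` now tolerates an error pointer in `c->gc_thread`, but the error value is still left stored in the structure, so every other reader of `c->gc_thread` (none is visible in this hunk) has to remember the same `IS_ERR_OR_NULL()` test. It would be more robust to normalise the field where the thread start fails, e.g. `c->gc_thread = NULL;` on that error path, or at minimum to add a comment above the check such as `/* gc_thread holds an ERR_PTR if bch_gc_thread_start() failed */`. The embedded commit message also quotes the fixed `if (!IS_ERR_OR_NULL(c->gc_thread))` snippet as the broken code, whereas the removed line is `if (c->gc_thread)`. The function body continues outside the hunk.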
@@ -0,0 +1,55 @@
+From b122c041ed1b65c8db9eb19cdb62b3c58476c8c4 Mon Sep 17 00:00:00 2001
+From: Tejun Heo
+Date: Thu, 13 Jun 2019 15:30:41 -0700
+Subject: blkcg, writeback: dead memcgs shouldn't contribute to writeback
+ ownership arbitration
+
+[ Upstream commit 6631142229005e1b1c311a09efe9fb3cfdac8559 ]
+
+wbc_account_io() collects information on cgroup ownership of writeback
+pages to determine which cgroup should own the inode. Pages can stay
+associated with dead memcgs but we want to avoid attributing IOs to
+dead blkcgs as much as possible as the association is likely to be
+stale. However, currently, pages associated with dead memcgs
+contribute to the accounting delaying and/or confusing the
+arbitration.
+
+Fix it by ignoring pages associated with dead memcgs.
+
+Signed-off-by: Tejun Heo
+Cc: Jan Kara
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ fs/fs-writeback.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
+index 8b93d4b98428..baaed9369ab4 100644
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -721,6 +721,7 @@ void wbc_detach_inode(struct writeback_control *wbc)
+ void wbc_account_io(struct writeback_control *wbc, struct page *page,
+ size_t bytes)
+ {
++ struct cgroup_subsys_state *css;
+ int id;
+
+ /*
+@@ -732,7 +733,12 @@ void wbc_account_io(struct writeback_control *wbc, struct page *page,
+ if (!wbc->wb)
+ return;
+
+- id = mem_cgroup_css_from_page(page)->id;
++ css = mem_cgroup_css_from_page(page);
++ /* dead cgroups shouldn't contribute to inode ownership arbitration */
++ if (!(css->flags & CSS_ONLINE))
++ return;
++
++ id = css->id;
+
+ if (id == wbc->wb_id) {
+ wbc->wb_bytes += bytes;
+--
+2.20.1
+
diff --git a/queue-4.9/bluetooth-6lowpan-search-for-destination-address-in-.patch b/queue-4.9/bluetooth-6lowpan-search-for-destination-address-in-.patch
new file mode 100644
index 00000000000..3a5ce662ab9
--- /dev/null
+++ b/queue-4.9/bluetooth-6lowpan-search-for-destination-address-in-.patch
@@ -0,0 +1,57 @@
+From df3edb037a2eb888b7f0dd04511e9b5ebb406277 Mon Sep 17 00:00:00 2001
+From: Josua Mayer
+Date: Sat, 6 Jul 2019 17:54:46 +0200
+Subject: Bluetooth: 6lowpan: search for destination address in all peers
+
+[ Upstream commit b188b03270b7f8568fc714101ce82fbf5e811c5a ]
+
+Handle overlooked case where the target address is assigned to a peer
+and neither route nor gateway exist.
+
+For one peer, no checks are performed to see if it is meant to receive
+packets for a given address.
+
+As soon as there is a second peer however, checks are performed
+to deal with routes and gateways for handling complex setups with
+multiple hops to a target address.
+This logic assumed that no route and no gateway imply that the
+destination address can not be reached, which is false in case of a
+direct peer.
+
+Acked-by: Jukka Rissanen
+Tested-by: Michael Scott
+Signed-off-by: Josua Mayer
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/6lowpan.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
+index de7b82ece499..21096c882223 100644
+--- a/net/bluetooth/6lowpan.c
++++ b/net/bluetooth/6lowpan.c
+@@ -187,10 +187,16 @@ static inline struct lowpan_peer *peer_lookup_dst(struct lowpan_btle_dev *dev,
+ }
+
+ if (!rt) {
+- nexthop = &lowpan_cb(skb)->gw;
+-
+- if (ipv6_addr_any(nexthop))
+- return NULL;
++ if (ipv6_addr_any(&lowpan_cb(skb)->gw)) {
++ /* There is neither route nor gateway,
++ * probably the destination is a direct peer.
++ */
++ nexthop = daddr;
++ } else {
++ /* There is a known gateway
++ */
++ nexthop = &lowpan_cb(skb)->gw;
++ }
+ } else {
+ nexthop = rt6_nexthop(rt, daddr);
+
+--
+2.20.1
+
diff --git a/queue-4.9/bluetooth-check-state-in-l2cap_disconnect_rsp.patch b/queue-4.9/bluetooth-check-state-in-l2cap_disconnect_rsp.patch new file mode 100644 index 00000000000..9ae83391010 --- /dev/null +++ b/queue-4.9/bluetooth-check-state-in-l2cap_disconnect_rsp.patch 
@@ -0,0 +1,220 @@ +From 28b07247620421438d48a63276f9615419d689f2 Mon Sep 17 00:00:00 2001 +From: Matias Karhumaa +Date: Tue, 21 May 2019 13:07:22 +0300 +Subject: Bluetooth: Check state in l2cap_disconnect_rsp + +[ Upstream commit 28261da8a26f4915aa257d12d506c6ba179d961f ] + +Because of both sides doing L2CAP disconnection at the same time, it +was possible to receive L2CAP Disconnection Response with CID that was +already freed. That caused problems if CID was already reused and L2CAP +Connection Request with same CID was sent out. Before this patch kernel +deleted channel context regardless of the state of the channel. + +Example where leftover Disconnection Response (frame #402) causes local +device to delete L2CAP channel which was not yet connected. This in +turn confuses remote device's stack because same CID is re-used without +properly disconnecting. + +Btmon capture before patch: +** snip ** +> ACL Data RX: Handle 43 flags 0x02 dlen 8 #394 [hci1] 10.748949 + Channel: 65 len 4 [PSM 3 mode 0] {chan 2} + RFCOMM: Disconnect (DISC) (0x43) + Address: 0x03 cr 1 dlci 0x00 + Control: 0x53 poll/final 1 + Length: 0 + FCS: 0xfd +< ACL Data TX: Handle 43 flags 0x00 dlen 8 #395 [hci1] 10.749062 + Channel: 65 len 4 [PSM 3 mode 0] {chan 2} + RFCOMM: Unnumbered Ack (UA) (0x63) + Address: 0x03 cr 1 dlci 0x00 + Control: 0x73 poll/final 1 + Length: 0 + FCS: 0xd7 +< ACL Data TX: Handle 43 flags 0x00 dlen 12 #396 [hci1] 10.749073 + L2CAP: Disconnection Request (0x06) ident 17 len 4 + Destination CID: 65 + Source CID: 65 +> HCI Event: Number of Completed Packets (0x13) plen 5 #397 [hci1] 10.752391 + Num handles: 1 + Handle: 43 + Count: 1 +> HCI Event: Number of Completed Packets (0x13) plen 5 #398 [hci1] 10.753394 + Num handles: 1 + Handle: 43 + Count: 1 +> ACL Data RX: Handle 43 flags 0x02 dlen 12 #399 [hci1] 10.756499 + L2CAP: Disconnection Request (0x06) ident 26 len 4 + Destination CID: 65 + Source CID: 65 +< ACL Data TX: Handle 43 flags 0x00 dlen 12 #400 [hci1] 10.756548 + 
L2CAP: Disconnection Response (0x07) ident 26 len 4 + Destination CID: 65 + Source CID: 65 +< ACL Data TX: Handle 43 flags 0x00 dlen 12 #401 [hci1] 10.757459 + L2CAP: Connection Request (0x02) ident 18 len 4 + PSM: 1 (0x0001) + Source CID: 65 +> ACL Data RX: Handle 43 flags 0x02 dlen 12 #402 [hci1] 10.759148 + L2CAP: Disconnection Response (0x07) ident 17 len 4 + Destination CID: 65 + Source CID: 65 += bluetoothd: 00:1E:AB:4C:56:54: error updating services: Input/o.. 10.759447 +> HCI Event: Number of Completed Packets (0x13) plen 5 #403 [hci1] 10.759386 + Num handles: 1 + Handle: 43 + Count: 1 +> ACL Data RX: Handle 43 flags 0x02 dlen 12 #404 [hci1] 10.760397 + L2CAP: Connection Request (0x02) ident 27 len 4 + PSM: 3 (0x0003) + Source CID: 65 +< ACL Data TX: Handle 43 flags 0x00 dlen 16 #405 [hci1] 10.760441 + L2CAP: Connection Response (0x03) ident 27 len 8 + Destination CID: 65 + Source CID: 65 + Result: Connection successful (0x0000) + Status: No further information available (0x0000) +< ACL Data TX: Handle 43 flags 0x00 dlen 27 #406 [hci1] 10.760449 + L2CAP: Configure Request (0x04) ident 19 len 19 + Destination CID: 65 + Flags: 0x0000 + Option: Maximum Transmission Unit (0x01) [mandatory] + MTU: 1013 + Option: Retransmission and Flow Control (0x04) [mandatory] + Mode: Basic (0x00) + TX window size: 0 + Max transmit: 0 + Retransmission timeout: 0 + Monitor timeout: 0 + Maximum PDU size: 0 +> HCI Event: Number of Completed Packets (0x13) plen 5 #407 [hci1] 10.761399 + Num handles: 1 + Handle: 43 + Count: 1 +> ACL Data RX: Handle 43 flags 0x02 dlen 16 #408 [hci1] 10.762942 + L2CAP: Connection Response (0x03) ident 18 len 8 + Destination CID: 66 + Source CID: 65 + Result: Connection successful (0x0000) + Status: No further information available (0x0000) +*snip* + +Similar case after the patch: +*snip* +> ACL Data RX: Handle 43 flags 0x02 dlen 8 #22702 [hci0] 1664.411056 + Channel: 65 len 4 [PSM 3 mode 0] {chan 3} + RFCOMM: Disconnect (DISC) (0x43) + Address: 0x03 
cr 1 dlci 0x00 + Control: 0x53 poll/final 1 + Length: 0 + FCS: 0xfd +< ACL Data TX: Handle 43 flags 0x00 dlen 8 #22703 [hci0] 1664.411136 + Channel: 65 len 4 [PSM 3 mode 0] {chan 3} + RFCOMM: Unnumbered Ack (UA) (0x63) + Address: 0x03 cr 1 dlci 0x00 + Control: 0x73 poll/final 1 + Length: 0 + FCS: 0xd7 +< ACL Data TX: Handle 43 flags 0x00 dlen 12 #22704 [hci0] 1664.411143 + L2CAP: Disconnection Request (0x06) ident 11 len 4 + Destination CID: 65 + Source CID: 65 +> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22705 [hci0] 1664.414009 + Num handles: 1 + Handle: 43 + Count: 1 +> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22706 [hci0] 1664.415007 + Num handles: 1 + Handle: 43 + Count: 1 +> ACL Data RX: Handle 43 flags 0x02 dlen 12 #22707 [hci0] 1664.418674 + L2CAP: Disconnection Request (0x06) ident 17 len 4 + Destination CID: 65 + Source CID: 65 +< ACL Data TX: Handle 43 flags 0x00 dlen 12 #22708 [hci0] 1664.418762 + L2CAP: Disconnection Response (0x07) ident 17 len 4 + Destination CID: 65 + Source CID: 65 +< ACL Data TX: Handle 43 flags 0x00 dlen 12 #22709 [hci0] 1664.421073 + L2CAP: Connection Request (0x02) ident 12 len 4 + PSM: 1 (0x0001) + Source CID: 65 +> ACL Data RX: Handle 43 flags 0x02 dlen 12 #22710 [hci0] 1664.421371 + L2CAP: Disconnection Response (0x07) ident 11 len 4 + Destination CID: 65 + Source CID: 65 +> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22711 [hci0] 1664.424082 + Num handles: 1 + Handle: 43 + Count: 1 +> HCI Event: Number of Completed Pac.. 
(0x13) plen 5 #22712 [hci0] 1664.425040 + Num handles: 1 + Handle: 43 + Count: 1 +> ACL Data RX: Handle 43 flags 0x02 dlen 12 #22713 [hci0] 1664.426103 + L2CAP: Connection Request (0x02) ident 18 len 4 + PSM: 3 (0x0003) + Source CID: 65 +< ACL Data TX: Handle 43 flags 0x00 dlen 16 #22714 [hci0] 1664.426186 + L2CAP: Connection Response (0x03) ident 18 len 8 + Destination CID: 66 + Source CID: 65 + Result: Connection successful (0x0000) + Status: No further information available (0x0000) +< ACL Data TX: Handle 43 flags 0x00 dlen 27 #22715 [hci0] 1664.426196 + L2CAP: Configure Request (0x04) ident 13 len 19 + Destination CID: 65 + Flags: 0x0000 + Option: Maximum Transmission Unit (0x01) [mandatory] + MTU: 1013 + Option: Retransmission and Flow Control (0x04) [mandatory] + Mode: Basic (0x00) + TX window size: 0 + Max transmit: 0 + Retransmission timeout: 0 + Monitor timeout: 0 + Maximum PDU size: 0 +> ACL Data RX: Handle 43 flags 0x02 dlen 16 #22716 [hci0] 1664.428804 + L2CAP: Connection Response (0x03) ident 12 len 8 + Destination CID: 66 + Source CID: 65 + Result: Connection successful (0x0000) + Status: No further information available (0x0000) +*snip* + +Fix is to check that channel is in state BT_DISCONN before deleting the +channel. + +This bug was found while fuzzing Bluez's OBEX implementation using +Synopsys Defensics. 
+ +Reported-by: Matti Kamunen +Reported-by: Ari Timonen +Signed-off-by: Matias Karhumaa +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index ec9b5d159591..48d23abfe799 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -4374,6 +4374,12 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, + + l2cap_chan_lock(chan); + ++ if (chan->state != BT_DISCONN) { ++ l2cap_chan_unlock(chan); ++ mutex_unlock(&conn->chan_lock); ++ return 0; ++ } ++ + l2cap_chan_hold(chan); + l2cap_chan_del(chan, 0); + +-- +2.20.1 + diff --git a/queue-4.9/bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch b/queue-4.9/bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch new file mode 100644 index 00000000000..e33fc7b8997 --- /dev/null +++ b/queue-4.9/bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch 
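Review bot: The new `chan->state != BT_DISCONN` branch in l2cap_disconnect_rsp() returns 0 without leaving any trace, so a peer that sends stale or unsolicited Disconnection Responses cannot be seen when debugging. A line such as `BT_DBG("chan %p state %d, ignoring disconnect rsp", chan, chan->state);` before the two unlock calls would record it. A comment such as `/* Only a channel we asked to disconnect may be deleted by a response; the CID may have been reused */` would keep the reason next to the check. The function starts and ends outside the hunk, so whether an existing exit label could take over the duplicated unlock sequence cannot be judged from here.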
@@ -0,0 +1,39 @@ +From b4e7a4cec7a4d81b448807c7daa8c6988b475410 Mon Sep 17 00:00:00 2001 +From: Tomas Bortoli +Date: Tue, 28 May 2019 15:42:58 +0200 +Subject: Bluetooth: hci_bcsp: Fix memory leak in rx_skb + +[ Upstream commit 4ce9146e0370fcd573f0372d9b4e5a211112567c ] + +Syzkaller found that it is possible to provoke a memory leak by +never freeing rx_skb in struct bcsp_struct. + +Fix by freeing in bcsp_close() + +Signed-off-by: Tomas Bortoli +Reported-by: syzbot+98162c885993b72f19c4@syzkaller.appspotmail.com +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_bcsp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c +index a2c921faaa12..34e04bf87a62 100644 +--- a/drivers/bluetooth/hci_bcsp.c ++++ b/drivers/bluetooth/hci_bcsp.c +@@ -759,6 +759,11 @@ static int bcsp_close(struct hci_uart *hu) + skb_queue_purge(&bcsp->rel); + skb_queue_purge(&bcsp->unrel); + ++ if (bcsp->rx_skb) { ++ kfree_skb(bcsp->rx_skb); ++ bcsp->rx_skb = NULL; ++ } ++ + kfree(bcsp); + return 0; + } +-- +2.20.1 + diff --git a/queue-4.9/bluetooth-validate-ble-connection-interval-updates.patch b/queue-4.9/bluetooth-validate-ble-connection-interval-updates.patch new file mode 100644 index 00000000000..43b57f7d0f7 --- /dev/null +++ b/queue-4.9/bluetooth-validate-ble-connection-interval-updates.patch 
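Review bot: The `if (bcsp->rx_skb)` guard and the `bcsp->rx_skb = NULL;` store added to bcsp_close() are both redundant. kfree_skb() accepts a NULL pointer, and `bcsp` is freed on the next line, so the cleared field is never read again. A single `kfree_skb(bcsp->rx_skb);` has the same effect. Whether a timer or the receive path can still reach `bcsp` at this point is decided before the hunk and is worth confirming, because the NULL store gives no protection against that.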
@@ -0,0 +1,92 @@ +From 8cf5c53ca631ae36bfa2680d9c1fcb1991b5d133 Mon Sep 17 00:00:00 2001 +From: csonsino +Date: Wed, 12 Jun 2019 15:00:52 -0600 +Subject: Bluetooth: validate BLE connection interval updates + +[ Upstream commit c49a8682fc5d298d44e8d911f4fa14690ea9485e ] + +Problem: The Linux Bluetooth stack yields complete control over the BLE +connection interval to the remote device. + +The Linux Bluetooth stack provides access to the BLE connection interval +min and max values through /sys/kernel/debug/bluetooth/hci0/ +conn_min_interval and /sys/kernel/debug/bluetooth/hci0/conn_max_interval. +These values are used for initial BLE connections, but the remote device +has the ability to request a connection parameter update. In the event +that the remote side requests to change the connection interval, the Linux +kernel currently only validates that the desired value is within the +acceptable range in the Bluetooth specification (6 - 3200, corresponding to +7.5ms - 4000ms). There is currently no validation that the desired value +requested by the remote device is within the min/max limits specified in +the conn_min_interval/conn_max_interval configurations. This essentially +leads to Linux yielding complete control over the connection interval to +the remote device. + +The proposed patch adds a verification step to the connection parameter +update mechanism, ensuring that the desired value is within the min/max +bounds of the current connection. If the desired value is outside of the +current connection min/max values, then the connection parameter update +request is rejected and the negative response is returned to the remote +device. Recall that the initial connection is established using the local +conn_min_interval/conn_max_interval values, so this allows the Linux +administrator to retain control over the BLE connection interval. 
+ +The one downside that I see is that the current default Linux values for +conn_min_interval and conn_max_interval typically correspond to 30ms and +50ms respectively. If this change were accepted, then it is feasible that +some devices would no longer be able to negotiate to their desired +connection interval values. This might be remedied by setting the default +Linux conn_min_interval and conn_max_interval values to the widest +supported range (6 - 3200 / 7.5ms - 4000ms). This could lead to the same +behavior as the current implementation, where the remote device could +request to change the connection interval value to any value that is +permitted by the Bluetooth specification, and Linux would accept the +desired value. + +Signed-off-by: Carey Sonsino +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 5 +++++ + net/bluetooth/l2cap_core.c | 9 ++++++++- + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 6f78489fdb13..163a239bda91 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -5089,6 +5089,11 @@ static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, + return send_conn_param_neg_reply(hdev, handle, + HCI_ERROR_UNKNOWN_CONN_ID); + ++ if (min < hcon->le_conn_min_interval || ++ max > hcon->le_conn_max_interval) ++ return send_conn_param_neg_reply(hdev, handle, ++ HCI_ERROR_INVALID_LL_PARAMS); ++ + if (hci_check_conn_params(min, max, latency, timeout)) + return send_conn_param_neg_reply(hdev, handle, + HCI_ERROR_INVALID_LL_PARAMS); +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 48d23abfe799..4912e80dacef 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -5277,7 +5277,14 @@ static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn, + + memset(&rsp, 0, sizeof(rsp)); + +- err = hci_check_conn_params(min, max, latency, to_multiplier); ++ 
if (min < hcon->le_conn_min_interval || ++ max > hcon->le_conn_max_interval) { ++ BT_DBG("requested connection interval exceeds current bounds."); ++ err = -EINVAL; ++ } else { ++ err = hci_check_conn_params(min, max, latency, to_multiplier); ++ } ++ + if (err) + rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED); + else +-- +2.20.1 + diff --git a/queue-4.9/bpf-silence-warning-messages-in-core.patch b/queue-4.9/bpf-silence-warning-messages-in-core.patch new file mode 100644 index 00000000000..b6b5dab5cf7 --- /dev/null +++ b/queue-4.9/bpf-silence-warning-messages-in-core.patch 
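Review bot: The bound test `min < hcon->le_conn_min_interval || max > hcon->le_conn_max_interval` is open-coded twice, in hci_le_remote_conn_param_req_evt() and in l2cap_conn_param_update_req(), and only the L2CAP copy logs the rejection. A small shared helper taking `hcon`, `min` and `max` would keep the two paths from drifting apart. The debug text would be more useful with the values, for example `BT_DBG("interval %u-%u outside %u-%u", min, max, hcon->le_conn_min_interval, hcon->le_conn_max_interval);`. The description itself says that peers needing an interval outside the local bounds will now be refused, so the refusal should be easy to find in a trace. Both functions start and end outside the hunks.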
@@ -0,0 +1,55 @@ +From 08c0944a213a9233fcb55f099b5666d5c93b7711 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Valdis=20Kl=C4=93tnieks?= +Date: Thu, 6 Jun 2019 22:39:27 -0400 +Subject: bpf: silence warning messages in core + +[ Upstream commit aee450cbe482a8c2f6fa5b05b178ef8b8ff107ca ] + +Compiling kernel/bpf/core.c with W=1 causes a flood of warnings: + +kernel/bpf/core.c:1198:65: warning: initialized field overwritten [-Woverride-init] + 1198 | #define BPF_INSN_3_TBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = true + | ^~~~ +kernel/bpf/core.c:1087:2: note: in expansion of macro 'BPF_INSN_3_TBL' + 1087 | INSN_3(ALU, ADD, X), \ + | ^~~~~~ +kernel/bpf/core.c:1202:3: note: in expansion of macro 'BPF_INSN_MAP' + 1202 | BPF_INSN_MAP(BPF_INSN_2_TBL, BPF_INSN_3_TBL), + | ^~~~~~~~~~~~ +kernel/bpf/core.c:1198:65: note: (near initialization for 'public_insntable[12]') + 1198 | #define BPF_INSN_3_TBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = true + | ^~~~ +kernel/bpf/core.c:1087:2: note: in expansion of macro 'BPF_INSN_3_TBL' + 1087 | INSN_3(ALU, ADD, X), \ + | ^~~~~~ +kernel/bpf/core.c:1202:3: note: in expansion of macro 'BPF_INSN_MAP' + 1202 | BPF_INSN_MAP(BPF_INSN_2_TBL, BPF_INSN_3_TBL), + | ^~~~~~~~~~~~ + +98 copies of the above. + +The attached patch silences the warnings, because we *know* we're overwriting +the default initializer. That leaves bpf/core.c with only 6 other warnings, +which become more visible in comparison. 
+ +Signed-off-by: Valdis Kletnieks +Acked-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + kernel/bpf/Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/bpf/Makefile b/kernel/bpf/Makefile +index eed911d091da..5a590f22b4d4 100644 +--- a/kernel/bpf/Makefile ++++ b/kernel/bpf/Makefile +@@ -1,4 +1,5 @@ + obj-y := core.o ++CFLAGS_core.o += $(call cc-disable-warning, override-init) + + obj-$(CONFIG_BPF_SYSCALL) += syscall.o verifier.o inode.o helpers.o + obj-$(CONFIG_BPF_SYSCALL) += hashtab.o arraymap.o percpu_freelist.o +-- +2.20.1 + diff --git a/queue-4.9/clocksource-drivers-exynos_mct-increase-priority-ove.patch b/queue-4.9/clocksource-drivers-exynos_mct-increase-priority-ove.patch new file mode 100644 index 00000000000..9e7c08dd303 --- /dev/null +++ b/queue-4.9/clocksource-drivers-exynos_mct-increase-priority-ove.patch 
@@ -0,0 +1,76 @@ +From fa00c8ee32b357153fcc01a4b49ffb646286511e Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Thu, 30 May 2019 12:50:43 +0200 +Subject: clocksource/drivers/exynos_mct: Increase priority over ARM arch timer + +[ Upstream commit 6282edb72bed5324352522d732080d4c1b9dfed6 ] + +Exynos SoCs based on CA7/CA15 have 2 timer interfaces: custom Exynos MCT +(Multi Core Timer) and standard ARM Architected Timers. + +There are use cases, where both timer interfaces are used simultanously. +One of such examples is using Exynos MCT for the main system timer and +ARM Architected Timers for the KVM and virtualized guests (KVM requires +arch timers). + +Exynos Multi-Core Timer driver (exynos_mct) must be however started +before ARM Architected Timers (arch_timer), because they both share some +common hardware blocks (global system counter) and turning on MCT is +needed to get ARM Architected Timer working properly. + +To ensure selecting Exynos MCT as the main system timer, increase MCT +timer rating. To ensure proper starting order of both timers during +suspend/resume cycle, increase MCT hotplug priority over ARM Archictected +Timers. 
+ +Signed-off-by: Marek Szyprowski +Reviewed-by: Krzysztof Kozlowski +Reviewed-by: Chanwoo Choi +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/clocksource/exynos_mct.c | 4 ++-- + include/linux/cpuhotplug.h | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/clocksource/exynos_mct.c b/drivers/clocksource/exynos_mct.c +index fb0cf8b74516..d32248e2ceab 100644 +--- a/drivers/clocksource/exynos_mct.c ++++ b/drivers/clocksource/exynos_mct.c +@@ -211,7 +211,7 @@ static void exynos4_frc_resume(struct clocksource *cs) + + static struct clocksource mct_frc = { + .name = "mct-frc", +- .rating = 400, ++ .rating = 450, /* use value higher than ARM arch timer */ + .read = exynos4_frc_read, + .mask = CLOCKSOURCE_MASK(32), + .flags = CLOCK_SOURCE_IS_CONTINUOUS, +@@ -466,7 +466,7 @@ static int exynos4_mct_starting_cpu(unsigned int cpu) + evt->set_state_oneshot_stopped = set_state_shutdown; + evt->tick_resume = set_state_shutdown; + evt->features = CLOCK_EVT_FEAT_PERIODIC | CLOCK_EVT_FEAT_ONESHOT; +- evt->rating = 450; ++ evt->rating = 500; /* use value higher than ARM arch timer */ + + exynos4_mct_write(TICK_BASE_CNT, mevt->base + MCT_L_TCNTB_OFFSET); + +diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h +index c9447a689522..1ab0273560ae 100644 +--- a/include/linux/cpuhotplug.h ++++ b/include/linux/cpuhotplug.h +@@ -77,10 +77,10 @@ enum cpuhp_state { + CPUHP_AP_PERF_ARM_HW_BREAKPOINT_STARTING, + CPUHP_AP_PERF_ARM_STARTING, + CPUHP_AP_ARM_L2X0_STARTING, ++ CPUHP_AP_EXYNOS4_MCT_TIMER_STARTING, + CPUHP_AP_ARM_ARCH_TIMER_STARTING, + CPUHP_AP_ARM_GLOBAL_TIMER_STARTING, + CPUHP_AP_JCORE_TIMER_STARTING, +- CPUHP_AP_EXYNOS4_MCT_TIMER_STARTING, + CPUHP_AP_ARM_TWD_STARTING, + CPUHP_AP_METAG_TIMER_STARTING, + CPUHP_AP_QCOM_TIMER_STARTING, +-- +2.20.1 + 
diff --git a/queue-4.9/cpupower-frequency-set-r-option-misses-the-last-cpu-.patch b/queue-4.9/cpupower-frequency-set-r-option-misses-the-last-cpu-.patch new file mode 100644 index 00000000000..8aa1b058c37 --- /dev/null +++ b/queue-4.9/cpupower-frequency-set-r-option-misses-the-last-cpu-.patch @@ -0,0 +1,41 @@ +From 5a971b1e230e6d194b7305d358fe9da7118e9724 Mon Sep 17 00:00:00 2001 +From: Abhishek Goel +Date: Wed, 29 May 2019 04:30:33 -0500 +Subject: cpupower : frequency-set -r option misses the last cpu in related cpu + list + +[ Upstream commit 04507c0a9385cc8280f794a36bfff567c8cc1042 ] + +To set frequency on specific cpus using cpupower, following syntax can +be used : +cpupower -c #i frequency-set -f #f -r + +While setting frequency using cpupower frequency-set command, if we use +'-r' option, it is expected to set frequency for all cpus related to +cpu #i. But it is observed to be missing the last cpu in related cpu +list. This patch fixes the problem. + +Signed-off-by: Abhishek Goel +Reviewed-by: Thomas Renninger +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/power/cpupower/utils/cpufreq-set.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/power/cpupower/utils/cpufreq-set.c b/tools/power/cpupower/utils/cpufreq-set.c +index 1eef0aed6423..08a405593a79 100644 +--- a/tools/power/cpupower/utils/cpufreq-set.c ++++ b/tools/power/cpupower/utils/cpufreq-set.c +@@ -306,6 +306,8 @@ int cmd_freq_set(int argc, char **argv) + bitmask_setbit(cpus_chosen, cpus->cpu); + cpus = cpus->next; + } ++ /* Set the last cpu in related cpus list */ ++ bitmask_setbit(cpus_chosen, cpus->cpu); + cpufreq_put_related_cpus(cpus); + } + } +-- +2.20.1 + diff --git a/queue-4.9/crypto-asymmetric_keys-select-crypto_hash-where-need.patch b/queue-4.9/crypto-asymmetric_keys-select-crypto_hash-where-need.patch new file mode 100644 index 00000000000..16dd115b846 --- /dev/null +++ b/queue-4.9/crypto-asymmetric_keys-select-crypto_hash-where-need.patch 
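Review bot: In cmd_freq_set() the fix repeats `bitmask_setbit(cpus_chosen, cpus->cpu);` after the loop, and by then `cpus` has been advanced to the last node. `cpufreq_put_related_cpus(cpus)` is therefore handed a different node from the one the lookup returned (the lookup is outside the hunk). Walking the list with a separate cursor, `for (c = cpus; c; c = c->next) bitmask_setbit(cpus_chosen, c->cpu);`, covers the last entry without the duplicated call and leaves `cpus` at the head for the put. Whether the put routine copes with a non-head node is not visible here.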
@@ -0,0 +1,60 @@ +From 0165cfcdd5f4cb820f41530eecf1c2216a33b406 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 18 Jun 2019 14:13:47 +0200 +Subject: crypto: asymmetric_keys - select CRYPTO_HASH where needed + +[ Upstream commit 90acc0653d2bee203174e66d519fbaaa513502de ] + +Build testing with some core crypto options disabled revealed +a few modules that are missing CRYPTO_HASH: + +crypto/asymmetric_keys/x509_public_key.o: In function `x509_get_sig_params': +x509_public_key.c:(.text+0x4c7): undefined reference to `crypto_alloc_shash' +x509_public_key.c:(.text+0x5e5): undefined reference to `crypto_shash_digest' +crypto/asymmetric_keys/pkcs7_verify.o: In function `pkcs7_digest.isra.0': +pkcs7_verify.c:(.text+0xab): undefined reference to `crypto_alloc_shash' +pkcs7_verify.c:(.text+0x1b2): undefined reference to `crypto_shash_digest' +pkcs7_verify.c:(.text+0x3c1): undefined reference to `crypto_shash_update' +pkcs7_verify.c:(.text+0x411): undefined reference to `crypto_shash_finup' + +This normally doesn't show up in randconfig tests because there is +a large number of other options that select CRYPTO_HASH. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/asymmetric_keys/Kconfig | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig +index 331f6baf2df8..13f3de68b479 100644 +--- a/crypto/asymmetric_keys/Kconfig ++++ b/crypto/asymmetric_keys/Kconfig +@@ -14,6 +14,7 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select MPILIB + select CRYPTO_HASH_INFO + select CRYPTO_AKCIPHER ++ select CRYPTO_HASH + help + This option provides support for asymmetric public key type handling. 
+ If signature generation and/or verification are to be used, +@@ -33,6 +34,7 @@ config X509_CERTIFICATE_PARSER + config PKCS7_MESSAGE_PARSER + tristate "PKCS#7 message parser" + depends on X509_CERTIFICATE_PARSER ++ select CRYPTO_HASH + select ASN1 + select OID_REGISTRY + help +@@ -55,6 +57,7 @@ config SIGNED_PE_FILE_VERIFICATION + bool "Support for PE file signature verification" + depends on PKCS7_MESSAGE_PARSER=y + depends on SYSTEM_DATA_VERIFICATION ++ select CRYPTO_HASH + select ASN1 + select OID_REGISTRY + help +-- +2.20.1 + diff --git a/queue-4.9/crypto-talitos-align-sec1-accesses-to-32-bits-bounda.patch b/queue-4.9/crypto-talitos-align-sec1-accesses-to-32-bits-bounda.patch new file mode 100644 index 00000000000..63a4ecc00d8 --- /dev/null +++ b/queue-4.9/crypto-talitos-align-sec1-accesses-to-32-bits-bounda.patch 
@@ -0,0 +1,42 @@ +From 0d26cbf048d047ee567381fe1296f9d70b2cd4c0 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Tue, 21 May 2019 13:34:18 +0000 +Subject: crypto: talitos - Align SEC1 accesses to 32 bits boundaries. + +[ Upstream commit c9cca7034b34a2d82e9a03b757de2485c294851c ] + +The MPC885 reference manual states: + +SEC Lite-initiated 8xx writes can occur only on 32-bit-word boundaries, but +reads can occur on any byte boundary. Writing back a header read from a +non-32-bit-word boundary will yield unpredictable results. + +In order to ensure that, cra_alignmask is set to 3 for SEC1. + +Signed-off-by: Christophe Leroy +Fixes: 9c4a79653b35 ("crypto: talitos - Freescale integrated security engine (SEC) driver") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/talitos.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c +index e7864aa494a1..ea8595d2c3d8 100644 +--- a/drivers/crypto/talitos.c ++++ b/drivers/crypto/talitos.c +@@ -3119,7 +3119,10 @@ static struct talitos_crypto_alg *talitos_alg_alloc(struct device *dev, + alg->cra_priority = t_alg->algt.priority; + else + alg->cra_priority = TALITOS_CRA_PRIORITY; +- alg->cra_alignmask = 0; ++ if (has_ftr_sec1(priv)) ++ alg->cra_alignmask = 3; ++ else ++ alg->cra_alignmask = 0; + alg->cra_ctxsize = sizeof(struct talitos_ctx); + alg->cra_flags |= CRYPTO_ALG_KERN_DRIVER_ONLY; + +-- +2.20.1 + diff --git a/queue-4.9/crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch b/queue-4.9/crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch new file mode 100644 index 00000000000..12f8de2d671 --- /dev/null +++ b/queue-4.9/crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch 
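Review bot: The literal `3` assigned to `alg->cra_alignmask` in talitos_alg_alloc() carries the whole reason for the change, yet the code gives no hint of it. A comment above the `has_ftr_sec1(priv)` test, such as `/* SEC1 can only write on 32-bit word boundaries */`, would keep the hardware constraint quoted in the commit message next to the value. The function continues outside the hunk.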
@@ -0,0 +1,55 @@ +From ab06d860b2a6e497c1bbe72c2198dc368a34d967 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Wed, 15 May 2019 12:29:03 +0000 +Subject: crypto: talitos - fix skcipher failure due to wrong output IV +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 3e03e792865ae48b8cfc69a0b4d65f02f467389f ] + +Selftests report the following: + +[ 2.984845] alg: skcipher: cbc-aes-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place" +[ 2.995377] 00000000: 3d af ba 42 9d 9e b4 30 b4 22 da 80 2c 9f ac 41 +[ 3.032673] alg: skcipher: cbc-des-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place" +[ 3.043185] 00000000: fe dc ba 98 76 54 32 10 +[ 3.063238] alg: skcipher: cbc-3des-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place" +[ 3.073818] 00000000: 7d 33 88 93 0f 93 b2 42 + +This above dumps show that the actual output IV is indeed the input IV. +This is due to the IV not being copied back into the request. + +This patch fixes that. + +Signed-off-by: Christophe Leroy +Reviewed-by: Horia Geantă +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/talitos.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c +index 5a24a484ecc7..0b12772c7919 100644 +--- a/drivers/crypto/talitos.c ++++ b/drivers/crypto/talitos.c +@@ -1544,11 +1544,15 @@ static void ablkcipher_done(struct device *dev, + int err) + { + struct ablkcipher_request *areq = context; ++ struct crypto_ablkcipher *cipher = crypto_ablkcipher_reqtfm(areq); ++ struct talitos_ctx *ctx = crypto_ablkcipher_ctx(cipher); ++ unsigned int ivsize = crypto_ablkcipher_ivsize(cipher); + struct talitos_edesc *edesc; + + edesc = container_of(desc, struct talitos_edesc, desc); + + common_nonsnoop_unmap(dev, edesc, areq); ++ memcpy(areq->info, ctx->iv, ivsize); + + kfree(edesc); + +-- +2.20.1 + 
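Review bot: `memcpy(areq->info, ctx->iv, ivsize);` in ablkcipher_done() takes the IV from `ctx`, which comes from the transform via crypto_ablkcipher_ctx() and is therefore shared by every request on that tfm. With two requests in flight on one tfm, the bytes copied back may belong to the other request. How `ctx->iv` is filled is outside the hunk, so this needs confirming against the submit path. The copy also runs when `err` is non-zero, where the buffer may not hold a valid output IV; `if (!err) memcpy(areq->info, ctx->iv, ivsize);` would limit it to successful completions.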
diff --git a/queue-4.9/crypto-talitos-properly-handle-split-icv.patch b/queue-4.9/crypto-talitos-properly-handle-split-icv.patch
new file mode 100644
index 00000000000..68564d1d78f
--- /dev/null
+++ b/queue-4.9/crypto-talitos-properly-handle-split-icv.patch
@@ -0,0 +1,97 @@ +From e108b2898a88ac654e978f0ec40f426e6aefe2f5 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Tue, 21 May 2019 13:34:17 +0000 +Subject: crypto: talitos - properly handle split ICV. + +[ Upstream commit eae55a586c3c8b50982bad3c3426e9c9dd7a0075 ] + +The driver assumes that the ICV is as a single piece in the last +element of the scatterlist. This assumption is wrong. + +This patch ensures that the ICV is properly handled regardless of +the scatterlist layout. + +Fixes: 9c4a79653b35 ("crypto: talitos - Freescale integrated security engine (SEC) driver") +Signed-off-by: Christophe Leroy +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/talitos.c | 26 +++++++++++++++----------- + 1 file changed, 15 insertions(+), 11 deletions(-) + +diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c +index 0b12772c7919..e7864aa494a1 100644 +--- a/drivers/crypto/talitos.c ++++ b/drivers/crypto/talitos.c +@@ -984,7 +984,6 @@ static void ipsec_esp_encrypt_done(struct device *dev, + struct crypto_aead *authenc = crypto_aead_reqtfm(areq); + unsigned int authsize = crypto_aead_authsize(authenc); + struct talitos_edesc *edesc; +- struct scatterlist *sg; + void *icvdata; + + edesc = container_of(desc, struct talitos_edesc, desc); +@@ -998,9 +997,8 @@ static void ipsec_esp_encrypt_done(struct device *dev, + else + icvdata = &edesc->link_tbl[edesc->src_nents + + edesc->dst_nents + 2]; +- sg = sg_last(areq->dst, edesc->dst_nents); +- memcpy((char *)sg_virt(sg) + sg->length - authsize, +- icvdata, authsize); ++ sg_pcopy_from_buffer(areq->dst, edesc->dst_nents ? 
: 1, icvdata, ++ authsize, areq->assoclen + areq->cryptlen); + } + + kfree(edesc); +@@ -1016,7 +1014,6 @@ static void ipsec_esp_decrypt_swauth_done(struct device *dev, + struct crypto_aead *authenc = crypto_aead_reqtfm(req); + unsigned int authsize = crypto_aead_authsize(authenc); + struct talitos_edesc *edesc; +- struct scatterlist *sg; + char *oicv, *icv; + struct talitos_private *priv = dev_get_drvdata(dev); + bool is_sec1 = has_ftr_sec1(priv); +@@ -1026,9 +1023,18 @@ static void ipsec_esp_decrypt_swauth_done(struct device *dev, + ipsec_esp_unmap(dev, edesc, req); + + if (!err) { ++ char icvdata[SHA512_DIGEST_SIZE]; ++ int nents = edesc->dst_nents ? : 1; ++ unsigned int len = req->assoclen + req->cryptlen; ++ + /* auth check */ +- sg = sg_last(req->dst, edesc->dst_nents ? : 1); +- icv = (char *)sg_virt(sg) + sg->length - authsize; ++ if (nents > 1) { ++ sg_pcopy_to_buffer(req->dst, nents, icvdata, authsize, ++ len - authsize); ++ icv = icvdata; ++ } else { ++ icv = (char *)sg_virt(req->dst) + len - authsize; ++ } + + if (edesc->dma_len) { + if (is_sec1) +@@ -1458,7 +1464,6 @@ static int aead_decrypt(struct aead_request *req) + struct talitos_ctx *ctx = crypto_aead_ctx(authenc); + struct talitos_private *priv = dev_get_drvdata(ctx->dev); + struct talitos_edesc *edesc; +- struct scatterlist *sg; + void *icvdata; + + req->cryptlen -= authsize; +@@ -1493,9 +1498,8 @@ static int aead_decrypt(struct aead_request *req) + else + icvdata = &edesc->link_tbl[0]; + +- sg = sg_last(req->src, edesc->src_nents ? : 1); +- +- memcpy(icvdata, (char *)sg_virt(sg) + sg->length - authsize, authsize); ++ sg_pcopy_to_buffer(req->src, edesc->src_nents ? : 1, icvdata, authsize, ++ req->assoclen + req->cryptlen - authsize); + + return ipsec_esp(edesc, req, ipsec_esp_decrypt_swauth_done); + } +-- +2.20.1 + 
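Review bot: In ipsec_esp_decrypt_swauth_done() the new on-stack `char icvdata[SHA512_DIGEST_SIZE]` receives `authsize` bytes, but nothing in the hunk bounds `authsize` by the array size or checks how many bytes sg_pcopy_to_buffer() actually copied. If the limit is enforced where the authsize is configured (not visible here), a comment saying so would be enough, e.g. `/* authsize <= SHA512_DIGEST_SIZE, enforced at setauthsize */`. The return value should still be compared with `authsize` and a short copy treated as an authentication failure, so the later ICV comparison never reads uninitialised stack bytes. The same unchecked return applies to the sg_pcopy_to_buffer() call added in aead_decrypt(). The single-entry branch `sg_virt(req->dst) + len - authsize` also assumes the whole payload is in that one entry. All three functions extend beyond their hunks.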
diff --git a/queue-4.9/dmaengine-imx-sdma-fix-use-after-free-on-probe-error.patch b/queue-4.9/dmaengine-imx-sdma-fix-use-after-free-on-probe-error.patch
new file mode 100644
index 00000000000..149c952ef9e
--- /dev/null
+++ b/queue-4.9/dmaengine-imx-sdma-fix-use-after-free-on-probe-error.patch
@@ -0,0 +1,107 @@ +From 1956945fda1fd9f0c9f20388e81321baa0981dcf Mon Sep 17 00:00:00 2001 +From: Sven Van Asbroeck +Date: Mon, 24 Jun 2019 10:07:31 -0400 +Subject: dmaengine: imx-sdma: fix use-after-free on probe error path + +[ Upstream commit 2b8066c3deb9140fdf258417a51479b2aeaa7622 ] + +If probe() fails anywhere beyond the point where +sdma_get_firmware() is called, then a kernel oops may occur. + +Problematic sequence of events: +1. probe() calls sdma_get_firmware(), which schedules the + firmware callback to run when firmware becomes available, + using the sdma instance structure as the context +2. probe() encounters an error, which deallocates the + sdma instance structure +3. firmware becomes available, firmware callback is + called with deallocated sdma instance structure +4. use after free - kernel oops ! + +Solution: only attempt to load firmware when we're certain +that probe() will succeed. This guarantees that the firmware +callback's context will remain valid. + +Note that the remove() path is unaffected by this issue: the +firmware loader will increment the driver module's use count, +ensuring that the module cannot be unloaded while the +firmware callback is pending or running. 
+ +Signed-off-by: Sven Van Asbroeck +Reviewed-by: Robin Gong +[vkoul: fixed braces for if condition] +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/imx-sdma.c | 48 ++++++++++++++++++++++++------------------ + 1 file changed, 27 insertions(+), 21 deletions(-) + +diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c +index 84856ac75a09..9f240b2d85a5 100644 +--- a/drivers/dma/imx-sdma.c ++++ b/drivers/dma/imx-sdma.c +@@ -1821,27 +1821,6 @@ static int sdma_probe(struct platform_device *pdev) + if (pdata && pdata->script_addrs) + sdma_add_scripts(sdma, pdata->script_addrs); + +- if (pdata) { +- ret = sdma_get_firmware(sdma, pdata->fw_name); +- if (ret) +- dev_warn(&pdev->dev, "failed to get firmware from platform data\n"); +- } else { +- /* +- * Because that device tree does not encode ROM script address, +- * the RAM script in firmware is mandatory for device tree +- * probe, otherwise it fails. +- */ +- ret = of_property_read_string(np, "fsl,sdma-ram-script-name", +- &fw_name); +- if (ret) +- dev_warn(&pdev->dev, "failed to get firmware name\n"); +- else { +- ret = sdma_get_firmware(sdma, fw_name); +- if (ret) +- dev_warn(&pdev->dev, "failed to get firmware from device tree\n"); +- } +- } +- + sdma->dma_device.dev = &pdev->dev; + + sdma->dma_device.device_alloc_chan_resources = sdma_alloc_chan_resources; +@@ -1883,6 +1862,33 @@ static int sdma_probe(struct platform_device *pdev) + of_node_put(spba_bus); + } + ++ /* ++ * Kick off firmware loading as the very last step: ++ * attempt to load firmware only if we're not on the error path, because ++ * the firmware callback requires a fully functional and allocated sdma ++ * instance. 
++ */ ++ if (pdata) { ++ ret = sdma_get_firmware(sdma, pdata->fw_name); ++ if (ret) ++ dev_warn(&pdev->dev, "failed to get firmware from platform data\n"); ++ } else { ++ /* ++ * Because that device tree does not encode ROM script address, ++ * the RAM script in firmware is mandatory for device tree ++ * probe, otherwise it fails. ++ */ ++ ret = of_property_read_string(np, "fsl,sdma-ram-script-name", ++ &fw_name); ++ if (ret) { ++ dev_warn(&pdev->dev, "failed to get firmware name\n"); ++ } else { ++ ret = sdma_get_firmware(sdma, fw_name); ++ if (ret) ++ dev_warn(&pdev->dev, "failed to get firmware from device tree\n"); ++ } ++ } ++ + return 0; + + err_register: +-- +2.20.1 + diff --git a/queue-4.9/edac-fix-global-out-of-bounds-write-when-setting-eda.patch b/queue-4.9/edac-fix-global-out-of-bounds-write-when-setting-eda.patch new file mode 100644 index 00000000000..d0a5ab8586b --- /dev/null +++ b/queue-4.9/edac-fix-global-out-of-bounds-write-when-setting-eda.patch 
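Review bot: The comment carried along on the device-tree branch of the moved block in sdma_probe() says the RAM script is mandatory and that probe fails without it, but every failure in this block only reaches dev_warn() and then falls through to `return 0;`. Now that the block is the last step of probe, the mismatch is easy to misread as an error path. I would reword the comment to match the code, e.g. `/* DT does not encode ROM script addresses, so the RAM script is needed; a failure here is only logged and probe still succeeds */`. sdma_probe() begins outside the hunk, so the steps before the moved block cannot be checked from here.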
@@ -0,0 +1,159 @@ +From faf155632d9ec88ea93d605af144913f58792dd4 Mon Sep 17 00:00:00 2001 +From: Eiichi Tsukata +Date: Wed, 26 Jun 2019 14:40:11 +0900 +Subject: EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec + +[ Upstream commit d8655e7630dafa88bc37f101640e39c736399771 ] + +Commit 9da21b1509d8 ("EDAC: Poll timeout cannot be zero, p2") assumes +edac_mc_poll_msec to be unsigned long, but the type of the variable still +remained as int. Setting edac_mc_poll_msec can trigger out-of-bounds +write. + +Reproducer: + + # echo 1001 > /sys/module/edac_core/parameters/edac_mc_poll_msec + +KASAN report: + + BUG: KASAN: global-out-of-bounds in edac_set_poll_msec+0x140/0x150 + Write of size 8 at addr ffffffffb91b2d00 by task bash/1996 + + CPU: 1 PID: 1996 Comm: bash Not tainted 5.2.0-rc6+ #23 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014 + Call Trace: + dump_stack+0xca/0x13e + print_address_description.cold+0x5/0x246 + __kasan_report.cold+0x75/0x9a + ? edac_set_poll_msec+0x140/0x150 + kasan_report+0xe/0x20 + edac_set_poll_msec+0x140/0x150 + ? dimmdev_location_show+0x30/0x30 + ? vfs_lock_file+0xe0/0xe0 + ? _raw_spin_lock+0x87/0xe0 + param_attr_store+0x1b5/0x310 + ? param_array_set+0x4f0/0x4f0 + module_attr_store+0x58/0x80 + ? module_attr_show+0x80/0x80 + sysfs_kf_write+0x13d/0x1a0 + kernfs_fop_write+0x2bc/0x460 + ? sysfs_kf_bin_read+0x270/0x270 + ? kernfs_notify+0x1f0/0x1f0 + __vfs_write+0x81/0x100 + vfs_write+0x1e1/0x560 + ksys_write+0x126/0x250 + ? __ia32_sys_read+0xb0/0xb0 + ? 
do_syscall_64+0x1f/0x390 + do_syscall_64+0xc1/0x390 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + RIP: 0033:0x7fa7caa5e970 + Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 04 + RSP: 002b:00007fff6acfdfe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 + RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa7caa5e970 + RDX: 0000000000000005 RSI: 0000000000e95c08 RDI: 0000000000000001 + RBP: 0000000000e95c08 R08: 00007fa7cad1e760 R09: 00007fa7cb36a700 + R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000005 + R13: 0000000000000001 R14: 00007fa7cad1d600 R15: 0000000000000005 + + The buggy address belongs to the variable: + edac_mc_poll_msec+0x0/0x40 + + Memory state around the buggy address: + ffffffffb91b2c00: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa + ffffffffb91b2c80: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa + >ffffffffb91b2d00: 04 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa + ^ + ffffffffb91b2d80: 04 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 + ffffffffb91b2e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + +Fix it by changing the type of edac_mc_poll_msec to unsigned int. +The reason why this patch adopts unsigned int rather than unsigned long +is msecs_to_jiffies() assumes arg to be unsigned int. We can avoid +integer conversion bugs and unsigned int will be large enough for +edac_mc_poll_msec. 
+ +Reviewed-by: James Morse +Fixes: 9da21b1509d8 ("EDAC: Poll timeout cannot be zero, p2") +Signed-off-by: Eiichi Tsukata +Signed-off-by: Tony Luck +Signed-off-by: Sasha Levin +--- + drivers/edac/edac_mc_sysfs.c | 16 ++++++++-------- + drivers/edac/edac_module.h | 2 +- + 2 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c +index 203ebe348b77..d59641194860 100644 +--- a/drivers/edac/edac_mc_sysfs.c ++++ b/drivers/edac/edac_mc_sysfs.c +@@ -26,7 +26,7 @@ + static int edac_mc_log_ue = 1; + static int edac_mc_log_ce = 1; + static int edac_mc_panic_on_ue; +-static int edac_mc_poll_msec = 1000; ++static unsigned int edac_mc_poll_msec = 1000; + + /* Getter functions for above */ + int edac_mc_get_log_ue(void) +@@ -45,30 +45,30 @@ int edac_mc_get_panic_on_ue(void) + } + + /* this is temporary */ +-int edac_mc_get_poll_msec(void) ++unsigned int edac_mc_get_poll_msec(void) + { + return edac_mc_poll_msec; + } + + static int edac_set_poll_msec(const char *val, struct kernel_param *kp) + { +- unsigned long l; ++ unsigned int i; + int ret; + + if (!val) + return -EINVAL; + +- ret = kstrtoul(val, 0, &l); ++ ret = kstrtouint(val, 0, &i); + if (ret) + return ret; + +- if (l < 1000) ++ if (i < 1000) + return -EINVAL; + +- *((unsigned long *)kp->arg) = l; ++ *((unsigned int *)kp->arg) = i; + + /* notify edac_mc engine to reset the poll period */ +- edac_mc_reset_delay_period(l); ++ edac_mc_reset_delay_period(i); + + return 0; + } +@@ -82,7 +82,7 @@ MODULE_PARM_DESC(edac_mc_log_ue, + module_param(edac_mc_log_ce, int, 0644); + MODULE_PARM_DESC(edac_mc_log_ce, + "Log correctable error to console: 0=off 1=on"); +-module_param_call(edac_mc_poll_msec, edac_set_poll_msec, param_get_int, ++module_param_call(edac_mc_poll_msec, edac_set_poll_msec, param_get_uint, + &edac_mc_poll_msec, 0644); + MODULE_PARM_DESC(edac_mc_poll_msec, "Polling period in milliseconds"); + +diff --git a/drivers/edac/edac_module.h 
b/drivers/edac/edac_module.h +index cfaacb99c973..c36f9f721fb2 100644 +--- a/drivers/edac/edac_module.h ++++ b/drivers/edac/edac_module.h +@@ -33,7 +33,7 @@ extern int edac_mc_get_log_ue(void); + extern int edac_mc_get_log_ce(void); + extern int edac_mc_get_panic_on_ue(void); + extern int edac_get_poll_msec(void); +-extern int edac_mc_get_poll_msec(void); ++extern unsigned int edac_mc_get_poll_msec(void); + + unsigned edac_dimm_info_location(struct dimm_info *dimm, char *buf, + unsigned len); +-- +2.20.1 + diff --git a/queue-4.9/edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch b/queue-4.9/edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch new file mode 100644 index 00000000000..1fbf3712cd0 --- /dev/null +++ b/queue-4.9/edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch 
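Review bot: In edac_set_poll_msec() the store `*((unsigned int *)kp->arg) = i;` still spells the variable's type by hand, which is the pattern that let the declaration and the setter drift apart in the first place. The declaration, the kstrtouint() call, the cast and param_get_uint now all have to agree, and nothing in the code says so. I would add a comment above the store, `/* kp->arg is &edac_mc_poll_msec; keep this cast in step with its declared type */`, or assign to `edac_mc_poll_msec` directly. The prototype of edac_mc_reset_delay_period() is not in the hunk, so it is worth confirming that its parameter type suits the new unsigned int argument.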
@@ -0,0 +1,52 @@ +From c2ede1fc7b5626950c870b229fa8e100134ae3cd Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Thu, 18 Apr 2019 10:27:18 +0800 +Subject: EDAC/sysfs: Fix memory leak when creating a csrow object + +[ Upstream commit 585fb3d93d32dbe89e718b85009f9c322cc554cd ] + +In edac_create_csrow_object(), the reference to the object is not +released when adding the device to the device hierarchy fails +(device_add()). This may result in a memory leak. + +Signed-off-by: Pan Bian +Signed-off-by: Borislav Petkov +Reviewed-by: Greg Kroah-Hartman +Cc: James Morse +Cc: Mauro Carvalho Chehab +Cc: linux-edac +Link: https://lkml.kernel.org/r/1555554438-103953-1-git-send-email-bianpan2016@163.com +Signed-off-by: Sasha Levin +--- + drivers/edac/edac_mc_sysfs.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c +index 40d792e96b75..203ebe348b77 100644 +--- a/drivers/edac/edac_mc_sysfs.c ++++ b/drivers/edac/edac_mc_sysfs.c +@@ -426,6 +426,8 @@ static inline int nr_pages_per_csrow(struct csrow_info *csrow) + static int edac_create_csrow_object(struct mem_ctl_info *mci, + struct csrow_info *csrow, int index) + { ++ int err; ++ + csrow->dev.type = &csrow_attr_type; + csrow->dev.bus = mci->bus; + csrow->dev.groups = csrow_dev_groups; +@@ -438,7 +440,11 @@ static int edac_create_csrow_object(struct mem_ctl_info *mci, + edac_dbg(0, "creating (virtual) csrow node %s\n", + dev_name(&csrow->dev)); + +- return device_add(&csrow->dev); ++ err = device_add(&csrow->dev); ++ if (err) ++ put_device(&csrow->dev); ++ ++ return err; + } + + /* Create a CSROW object under specifed edac_mc_device */ +-- +2.20.1 + diff --git a/queue-4.9/floppy-fix-div-by-zero-in-setup_format_params.patch b/queue-4.9/floppy-fix-div-by-zero-in-setup_format_params.patch new file mode 100644 index 00000000000..cb62084a60d --- /dev/null +++ b/queue-4.9/floppy-fix-div-by-zero-in-setup_format_params.patch 
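Review bot: After the added `put_device(&csrow->dev);` in edac_create_csrow_object() the device's release callback may already have run, so the caller has to treat this csrow's device as gone whenever the function returns an error. The caller's unwind code is outside the hunk; it should be checked that it only tears down the csrows that were added successfully and does not unregister or put this one a second time. A comment on the function would make that contract explicit, e.g. `/* on failure the reference on csrow->dev has already been dropped; the caller must not release it again */`.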
@@ -0,0 +1,61 @@ +From 77163150bdc22c8ec7a3564d95b02bbbe0392bda Mon Sep 17 00:00:00 2001 +From: Denis Efremov +Date: Fri, 12 Jul 2019 21:55:20 +0300 +Subject: floppy: fix div-by-zero in setup_format_params + +[ Upstream commit f3554aeb991214cbfafd17d55e2bfddb50282e32 ] + +This fixes a divide by zero error in the setup_format_params function of +the floppy driver. + +Two consecutive ioctls can trigger the bug: The first one should set the +drive geometry with such .sect and .rate values for the F_SECT_PER_TRACK +to become zero. Next, the floppy format operation should be called. + +A floppy disk is not required to be inserted. An unprivileged user +could trigger the bug if the device is accessible. + +The patch checks F_SECT_PER_TRACK for a non-zero value in the +set_geometry function. The proper check should involve a reasonable +upper limit for the .sect and .rate fields, but it could change the +UAPI. + +The patch also checks F_SECT_PER_TRACK in the setup_format_params, and +cancels the formatting operation in case of zero. + +The bug was found by syzkaller. + +Signed-off-by: Denis Efremov +Tested-by: Willy Tarreau +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/block/floppy.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index 6914c6e1e1a8..bb9b50d1d828 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -2113,6 +2113,9 @@ static void setup_format_params(int track) + raw_cmd->kernel_data = floppy_track_buffer; + raw_cmd->length = 4 * F_SECT_PER_TRACK; + ++ if (!F_SECT_PER_TRACK) ++ return; ++ + /* allow for about 30ms for data transport per track */ + head_shift = (F_SECT_PER_TRACK + 5) / 6; + +@@ -3235,6 +3238,8 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g, + /* sanity checking for parameters. 
*/ + if (g->sect <= 0 || + g->head <= 0 || ++ /* check for zero in F_SECT_PER_TRACK */ ++ (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 || + g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) || + /* check if reserved bits are set */ + (g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0) +-- +2.20.1 + diff --git a/queue-4.9/floppy-fix-out-of-bounds-read-in-copy_buffer.patch b/queue-4.9/floppy-fix-out-of-bounds-read-in-copy_buffer.patch new file mode 100644 index 00000000000..c1012467498 --- /dev/null +++ b/queue-4.9/floppy-fix-out-of-bounds-read-in-copy_buffer.patch 
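Review bot: The guard added to setup_format_params() comes after `raw_cmd->kernel_data` and `raw_cmd->length = 4 * F_SECT_PER_TRACK;` have been assigned, and the function is void, so the early `return` leaves raw_cmd partly set up and gives the caller no signal. The commit message says the format operation is cancelled, but the caller is outside the hunk and whether it still starts the command cannot be confirmed from here. At minimum the guard deserves a comment such as `/* set_geometry() should already reject this; bail out before the divisions below */`. The set_geometry() test also repeats the F_SECT_PER_TRACK formula by hand, so the two need to be kept in step if the macro ever changes.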
@@ -0,0 +1,52 @@ +From f08ab6458e0c83d14ac4e9856018fbb79b583feb Mon Sep 17 00:00:00 2001 +From: Denis Efremov +Date: Fri, 12 Jul 2019 21:55:23 +0300 +Subject: floppy: fix out-of-bounds read in copy_buffer + +[ Upstream commit da99466ac243f15fbba65bd261bfc75ffa1532b6 ] + +This fixes a global out-of-bounds read access in the copy_buffer +function of the floppy driver. + +The FDDEFPRM ioctl allows one to set the geometry of a disk. The sect +and head fields (unsigned int) of the floppy_drive structure are used to +compute the max_sector (int) in the make_raw_rw_request function. It is +possible to overflow the max_sector. Next, max_sector is passed to the +copy_buffer function and used in one of the memcpy calls. + +An unprivileged user could trigger the bug if the device is accessible, +but requires a floppy disk to be inserted. + +The patch adds the check for the .sect * .head multiplication for not +overflowing in the set_geometry function. + +The bug was found by syzkaller. + +Signed-off-by: Denis Efremov +Tested-by: Willy Tarreau +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/block/floppy.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index bb9b50d1d828..de76b66893aa 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -3236,8 +3236,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g, + int cnt; + + /* sanity checking for parameters. */ +- if (g->sect <= 0 || +- g->head <= 0 || ++ if ((int)g->sect <= 0 || ++ (int)g->head <= 0 || ++ /* check for overflow in max_sector */ ++ (int)(g->sect * g->head) <= 0 || + /* check for zero in F_SECT_PER_TRACK */ + (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 || + g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) || +-- +2.20.1 + 
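Review bot: The added test `(int)(g->sect * g->head) <= 0` in set_geometry() only rejects products whose wrapped 32-bit value is zero or has the top bit set; a product that wraps further round to a small positive value still passes the check. Both factors are already known to be positive when this operand is evaluated, so a division-based bound states the intent exactly and cannot wrap: `g->sect > INT_MAX / g->head ||`. The field types are taken from the commit message (unsigned int), and set_geometry() continues outside the hunk.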
diff --git a/queue-4.9/gpio-omap-ensure-irq-is-enabled-before-wakeup.patch b/queue-4.9/gpio-omap-ensure-irq-is-enabled-before-wakeup.patch
new file mode 100644
index 00000000000..afe11f5c3dc
--- /dev/null
+++ b/queue-4.9/gpio-omap-ensure-irq-is-enabled-before-wakeup.patch
@@ -0,0 +1,85 @@ +From e5fec4fa296287b8ce718dbafd4fde7a60719079 Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Mon, 10 Jun 2019 20:10:44 +0300 +Subject: gpio: omap: ensure irq is enabled before wakeup + +[ Upstream commit c859e0d479b3b4f6132fc12637c51e01492f31f6 ] + +Documentation states: + + NOTE: There must be a correlation between the wake-up enable and + interrupt-enable registers. If a GPIO pin has a wake-up configured + on it, it must also have the corresponding interrupt enabled (on + one of the two interrupt lines). + +Ensure that this condition is always satisfied by enabling the detection +events after enabling the interrupt, and disabling the detection before +disabling the interrupt. This ensures interrupt/wakeup events can not +happen until both the wakeup and interrupt enables correlate. + +If we do any clearing, clear between the interrupt enable/disable and +trigger setting. + +Signed-off-by: Russell King +Signed-off-by: Grygorii Strashko +Tested-by: Tony Lindgren +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-omap.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c +index bd12b433f964..fc841ce24db7 100644 +--- a/drivers/gpio/gpio-omap.c ++++ b/drivers/gpio/gpio-omap.c +@@ -786,9 +786,9 @@ static void omap_gpio_irq_shutdown(struct irq_data *d) + + raw_spin_lock_irqsave(&bank->lock, flags); + bank->irq_usage &= ~(BIT(offset)); +- omap_set_gpio_irqenable(bank, offset, 0); +- omap_clear_gpio_irqstatus(bank, offset); + omap_set_gpio_triggering(bank, offset, IRQ_TYPE_NONE); ++ omap_clear_gpio_irqstatus(bank, offset); ++ omap_set_gpio_irqenable(bank, offset, 0); + if (!LINE_USED(bank->mod_usage, offset)) + omap_clear_gpio_debounce(bank, offset); + omap_disable_gpio_module(bank, offset); +@@ -830,8 +830,8 @@ static void omap_gpio_mask_irq(struct irq_data *d) + unsigned long flags; + + raw_spin_lock_irqsave(&bank->lock, flags); 
+- omap_set_gpio_irqenable(bank, offset, 0); + omap_set_gpio_triggering(bank, offset, IRQ_TYPE_NONE); ++ omap_set_gpio_irqenable(bank, offset, 0); + raw_spin_unlock_irqrestore(&bank->lock, flags); + } + +@@ -843,9 +843,6 @@ static void omap_gpio_unmask_irq(struct irq_data *d) + unsigned long flags; + + raw_spin_lock_irqsave(&bank->lock, flags); +- if (trigger) +- omap_set_gpio_triggering(bank, offset, trigger); +- + omap_set_gpio_irqenable(bank, offset, 1); + + /* +@@ -853,9 +850,13 @@ static void omap_gpio_unmask_irq(struct irq_data *d) + * is cleared, thus after the handler has run. OMAP4 needs this done + * after enabing the interrupt to clear the wakeup status. + */ +- if (bank->level_mask & BIT(offset)) ++ if (bank->regs->leveldetect0 && bank->regs->wkup_en && ++ trigger & (IRQ_TYPE_LEVEL_HIGH | IRQ_TYPE_LEVEL_LOW)) + omap_clear_gpio_irqstatus(bank, offset); + ++ if (trigger) ++ omap_set_gpio_triggering(bank, offset, trigger); ++ + raw_spin_unlock_irqrestore(&bank->lock, flags); + } + +-- +2.20.1 + diff --git a/queue-4.9/gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch b/queue-4.9/gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch new file mode 100644 index 00000000000..ffd499b24b5 --- /dev/null +++ b/queue-4.9/gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch 
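Review bot: In omap_gpio_unmask_irq() the new condition mixes `&&` with an unparenthesised bitwise test, `bank->regs->wkup_en && trigger & (IRQ_TYPE_LEVEL_HIGH | IRQ_TYPE_LEVEL_LOW)`. It evaluates as intended because `&` binds tighter than `&&`, but it reads ambiguously; I would write the last operand as `(trigger & (IRQ_TYPE_LEVEL_HIGH | IRQ_TYPE_LEVEL_LOW))`. The comment above it still only mentions clearing the OMAP4 wakeup status and does not say why `leveldetect0` and `wkup_en` are now tested, nor that the trigger must be programmed after the interrupt enable. The declaration of `trigger` is outside the hunk.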
@@ -0,0 +1,43 @@ +From 7bd355f43aca1e89c29544fb7039be3cfdbf9437 Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Mon, 10 Jun 2019 20:10:45 +0300 +Subject: gpio: omap: fix lack of irqstatus_raw0 for OMAP4 + +[ Upstream commit 64ea3e9094a1f13b96c33244a3fb3a0f45690bd2 ] + +Commit 384ebe1c2849 ("gpio/omap: Add DT support to GPIO driver") added +the register definition tables to the gpio-omap driver. Subsequently to +that commit, commit 4e962e8998cc ("gpio/omap: remove cpu_is_omapxxxx() +checks from *_runtime_resume()") added definitions for irqstatus_raw* +registers to the legacy OMAP4 definitions, but missed the DT +definitions. + +This causes an unintentional change of behaviour for the 1.101 errata +workaround on OMAP4 platforms. Fix this oversight. + +Fixes: 4e962e8998cc ("gpio/omap: remove cpu_is_omapxxxx() checks from *_runtime_resume()") +Signed-off-by: Russell King +Signed-off-by: Grygorii Strashko +Tested-by: Tony Lindgren +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-omap.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c +index 038882183bdf..bd12b433f964 100644 +--- a/drivers/gpio/gpio-omap.c ++++ b/drivers/gpio/gpio-omap.c +@@ -1585,6 +1585,8 @@ static struct omap_gpio_reg_offs omap4_gpio_regs = { + .clr_dataout = OMAP4_GPIO_CLEARDATAOUT, + .irqstatus = OMAP4_GPIO_IRQSTATUS0, + .irqstatus2 = OMAP4_GPIO_IRQSTATUS1, ++ .irqstatus_raw0 = OMAP4_GPIO_IRQSTATUSRAW0, ++ .irqstatus_raw1 = OMAP4_GPIO_IRQSTATUSRAW1, + .irqenable = OMAP4_GPIO_IRQSTATUSSET0, + .irqenable2 = OMAP4_GPIO_IRQSTATUSSET1, + .set_irqenable = OMAP4_GPIO_IRQSTATUSSET0, +-- +2.20.1 + diff --git a/queue-4.9/gpiolib-fix-references-to-gpiod_-gs-et_-value_cansle.patch b/queue-4.9/gpiolib-fix-references-to-gpiod_-gs-et_-value_cansle.patch new file mode 100644 index 00000000000..12eb88b888b --- /dev/null +++ b/queue-4.9/gpiolib-fix-references-to-gpiod_-gs-et_-value_cansle.patch 
@@ -0,0 +1,58 @@ +From 9d21e11ff1639db87d8a87c89a603d09b46856c3 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Mon, 1 Jul 2019 16:27:38 +0200 +Subject: gpiolib: Fix references to gpiod_[gs]et_*value_cansleep() variants + +[ Upstream commit 3285170f28a850638794cdfe712eb6d93e51e706 ] + +Commit 372e722ea4dd4ca1 ("gpiolib: use descriptors internally") renamed +the functions to use a "gpiod" prefix, and commit 79a9becda8940deb +("gpiolib: export descriptor-based GPIO interface") introduced the "raw" +variants, but both changes forgot to update the comments. + +Readd a similar reference to gpiod_set_value(), which was accidentally +removed by commit 1e77fc82110ac36f ("gpio: Add missing open drain/source +handling to gpiod_set_value_cansleep()"). + +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20190701142738.25219-1-geert+renesas@glider.be +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index 9e2fe12c2858..a3251faa3ed8 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -2411,7 +2411,7 @@ static int _gpiod_get_raw_value(const struct gpio_desc *desc) + int gpiod_get_raw_value(const struct gpio_desc *desc) + { + VALIDATE_DESC(desc); +- /* Should be using gpio_get_value_cansleep() */ ++ /* Should be using gpiod_get_raw_value_cansleep() */ + WARN_ON(desc->gdev->chip->can_sleep); + return _gpiod_get_raw_value(desc); + } +@@ -2432,7 +2432,7 @@ int gpiod_get_value(const struct gpio_desc *desc) + int value; + + VALIDATE_DESC(desc); +- /* Should be using gpio_get_value_cansleep() */ ++ /* Should be using gpiod_get_value_cansleep() */ + WARN_ON(desc->gdev->chip->can_sleep); + + value = _gpiod_get_raw_value(desc); +@@ -2608,7 +2608,7 @@ void gpiod_set_array_value_complex(bool raw, bool can_sleep, + void gpiod_set_raw_value(struct gpio_desc *desc, int value) + { + 
VALIDATE_DESC_VOID(desc); +- /* Should be using gpiod_set_value_cansleep() */ ++ /* Should be using gpiod_set_raw_value_cansleep() */ + WARN_ON(desc->gdev->chip->can_sleep); + _gpiod_set_raw_value(desc, value); + } +-- +2.20.1 + diff --git a/queue-4.9/gtp-fix-illegal-context-switch-in-rcu-read-side-crit.patch b/queue-4.9/gtp-fix-illegal-context-switch-in-rcu-read-side-crit.patch new file mode 100644 index 00000000000..bc24e0b4781 --- /dev/null +++ b/queue-4.9/gtp-fix-illegal-context-switch-in-rcu-read-side-crit.patch 
@@ -0,0 +1,71 @@ +From dda131c02f2fd7d62e410b9446a38ef5f4a5752b Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Wed, 3 Jul 2019 00:23:13 +0900 +Subject: gtp: fix Illegal context switch in RCU read-side critical section. + +[ Upstream commit 3f167e1921865b379a9becf03828e7202c7b4917 ] + +ipv4_pdp_add() is called in RCU read-side critical section. +So GFP_KERNEL should not be used in the function. +This patch make ipv4_pdp_add() to use GFP_ATOMIC instead of GFP_KERNEL. + +Test commands: +gtp-link add gtp1 & +gtp-tunnel add gtp1 v1 100 200 1.1.1.1 2.2.2.2 + +Splat looks like: +[ 130.618881] ============================= +[ 130.626382] WARNING: suspicious RCU usage +[ 130.626994] 5.2.0-rc6+ #50 Not tainted +[ 130.627622] ----------------------------- +[ 130.628223] ./include/linux/rcupdate.h:266 Illegal context switch in RCU read-side critical section! +[ 130.629684] +[ 130.629684] other info that might help us debug this: +[ 130.629684] +[ 130.631022] +[ 130.631022] rcu_scheduler_active = 2, debug_locks = 1 +[ 130.632136] 4 locks held by gtp-tunnel/1025: +[ 130.632925] #0: 000000002b93c8b7 (cb_lock){++++}, at: genl_rcv+0x15/0x40 +[ 130.634159] #1: 00000000f17bc999 (genl_mutex){+.+.}, at: genl_rcv_msg+0xfb/0x130 +[ 130.635487] #2: 00000000c644ed8e (rtnl_mutex){+.+.}, at: gtp_genl_new_pdp+0x18c/0x1150 [gtp] +[ 130.636936] #3: 0000000007a1cde7 (rcu_read_lock){....}, at: gtp_genl_new_pdp+0x187/0x1150 [gtp] +[ 130.638348] +[ 130.638348] stack backtrace: +[ 130.639062] CPU: 1 PID: 1025 Comm: gtp-tunnel Not tainted 5.2.0-rc6+ #50 +[ 130.641318] Call Trace: +[ 130.641707] dump_stack+0x7c/0xbb +[ 130.642252] ___might_sleep+0x2c0/0x3b0 +[ 130.642862] kmem_cache_alloc_trace+0x1cd/0x2b0 +[ 130.643591] gtp_genl_new_pdp+0x6c5/0x1150 [gtp] +[ 130.644371] genl_family_rcv_msg+0x63a/0x1030 +[ 130.645074] ? mutex_lock_io_nested+0x1090/0x1090 +[ 130.645845] ? genl_unregister_family+0x630/0x630 +[ 130.646592] ? debug_show_all_locks+0x2d0/0x2d0 +[ 130.647293] ? 
check_flags.part.40+0x440/0x440 +[ 130.648099] genl_rcv_msg+0xa3/0x130 +[ ... ] + +Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index cb206e5526c4..60df6e391ad2 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -952,7 +952,7 @@ static int ipv4_pdp_add(struct net_device *dev, struct genl_info *info) + + } + +- pctx = kmalloc(sizeof(struct pdp_ctx), GFP_KERNEL); ++ pctx = kmalloc(sizeof(*pctx), GFP_ATOMIC); + if (pctx == NULL) + return -ENOMEM; + +-- +2.20.1 + diff --git a/queue-4.9/gtp-fix-use-after-free-in-gtp_newlink.patch b/queue-4.9/gtp-fix-use-after-free-in-gtp_newlink.patch new file mode 100644 index 00000000000..7ceb96ace9d --- /dev/null +++ b/queue-4.9/gtp-fix-use-after-free-in-gtp_newlink.patch 
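Review bot: Nothing at the allocation in ipv4_pdp_add() records why GFP_ATOMIC is needed, so a later cleanup could turn it back into GFP_KERNEL. The constraint comes from the caller, which per the lock trace in the commit message holds rcu_read_lock() in gtp_genl_new_pdp(). I would add `/* called under rcu_read_lock() from gtp_genl_new_pdp(): must not sleep */` above the kmalloc() line. Atomic allocations fail more readily than sleeping ones; the existing `-ENOMEM` return covers that, but callers further up should expect it. The function starts outside the hunk.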
@@ -0,0 +1,109 @@ +From 6eeb1144a826d3ff192bbf9404c87639586f6347 Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Wed, 3 Jul 2019 00:23:42 +0900 +Subject: gtp: fix use-after-free in gtp_newlink() + +[ Upstream commit a2bed90704c68d3763bf24decb1b781a45395de8 ] + +Current gtp_newlink() could be called after unregister_pernet_subsys(). +gtp_newlink() uses gtp_net but it can be destroyed by +unregister_pernet_subsys(). +So unregister_pernet_subsys() should be called after +rtnl_link_unregister(). + +Test commands: + #SHELL 1 + while : + do + for i in {1..5} + do + ./gtp-link add gtp$i & + done + killall gtp-link + done + + #SHELL 2 + while : + do + modprobe -rv gtp + done + +Splat looks like: +[ 753.176631] BUG: KASAN: use-after-free in gtp_newlink+0x9b4/0xa5c [gtp] +[ 753.177722] Read of size 8 at addr ffff8880d48f2458 by task gtp-link/7126 +[ 753.179082] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G W 5.2.0-rc6+ #50 +[ 753.185801] Call Trace: +[ 753.186264] dump_stack+0x7c/0xbb +[ 753.186863] ? gtp_newlink+0x9b4/0xa5c [gtp] +[ 753.187583] print_address_description+0xc7/0x240 +[ 753.188382] ? gtp_newlink+0x9b4/0xa5c [gtp] +[ 753.189097] ? gtp_newlink+0x9b4/0xa5c [gtp] +[ 753.189846] __kasan_report+0x12a/0x16f +[ 753.190542] ? gtp_newlink+0x9b4/0xa5c [gtp] +[ 753.191298] kasan_report+0xe/0x20 +[ 753.191893] gtp_newlink+0x9b4/0xa5c [gtp] +[ 753.192580] ? __netlink_ns_capable+0xc3/0xf0 +[ 753.193370] __rtnl_newlink+0xb9f/0x11b0 +[ ... ] +[ 753.241201] Allocated by task 7186: +[ 753.241844] save_stack+0x19/0x80 +[ 753.242399] __kasan_kmalloc.constprop.3+0xa0/0xd0 +[ 753.243192] __kmalloc+0x13e/0x300 +[ 753.243764] ops_init+0xd6/0x350 +[ 753.244314] register_pernet_operations+0x249/0x6f0 +[ ... ] +[ 753.251770] Freed by task 7178: +[ 753.252288] save_stack+0x19/0x80 +[ 753.252833] __kasan_slab_free+0x111/0x150 +[ 753.253962] kfree+0xc7/0x280 +[ 753.254509] ops_free_list.part.11+0x1c4/0x2d0 +[ 753.255241] unregister_pernet_operations+0x262/0x390 +[ ... 
] +[ 753.285883] list_add corruption. next->prev should be prev (ffff8880d48f2458), but was ffff8880d497d878. (next. +[ 753.287241] ------------[ cut here ]------------ +[ 753.287794] kernel BUG at lib/list_debug.c:25! +[ 753.288364] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI +[ 753.289099] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G B W 5.2.0-rc6+ #50 +[ 753.291036] RIP: 0010:__list_add_valid+0x74/0xd0 +[ 753.291589] Code: 48 39 da 75 27 48 39 f5 74 36 48 39 dd 74 31 48 83 c4 08 b8 01 00 00 00 5b 5d c3 48 89 d9 48b +[ 753.293779] RSP: 0018:ffff8880cae8f398 EFLAGS: 00010286 +[ 753.294401] RAX: 0000000000000075 RBX: ffff8880d497d878 RCX: 0000000000000000 +[ 753.296260] RDX: 0000000000000075 RSI: 0000000000000008 RDI: ffffed10195d1e69 +[ 753.297070] RBP: ffff8880cd250ae0 R08: ffffed101b4bff21 R09: ffffed101b4bff21 +[ 753.297899] R10: 0000000000000001 R11: ffffed101b4bff20 R12: ffff8880d497d878 +[ 753.298703] R13: 0000000000000000 R14: ffff8880cd250ae0 R15: ffff8880d48f2458 +[ 753.299564] FS: 00007f5f79805740(0000) GS:ffff8880da400000(0000) knlGS:0000000000000000 +[ 753.300533] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 753.301231] CR2: 00007fe8c7ef4f10 CR3: 00000000b71a6006 CR4: 00000000000606f0 +[ 753.302183] Call Trace: +[ 753.302530] gtp_newlink+0x5f6/0xa5c [gtp] +[ 753.303037] ? __netlink_ns_capable+0xc3/0xf0 +[ 753.303576] __rtnl_newlink+0xb9f/0x11b0 +[ 753.304092] ? rtnl_link_unregister+0x230/0x230 + +Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index 60df6e391ad2..7e1df403a37d 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -1358,9 +1358,9 @@ late_initcall(gtp_init); + + static void __exit gtp_fini(void) + { +- unregister_pernet_subsys(>p_net_ops); + genl_unregister_family(>p_genl_family); + rtnl_link_unregister(>p_link_ops); ++ unregister_pernet_subsys(>p_net_ops); + + pr_info("GTP module unloaded\n"); + } +-- +2.20.1 + diff --git a/queue-4.9/ipoib-correcly-show-a-vf-hardware-address.patch b/queue-4.9/ipoib-correcly-show-a-vf-hardware-address.patch new file mode 100644 index 00000000000..35a6b305926 --- /dev/null +++ b/queue-4.9/ipoib-correcly-show-a-vf-hardware-address.patch 
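Review bot: The new teardown order in gtp_fini() is correct only because of a dependency the code does not state: gtp_newlink() uses the per-netns data that unregister_pernet_subsys() frees. Without a comment the three calls look interchangeable and could be reordered again. I would add above them `/* unregister the genl family and rtnl link ops first: gtp_newlink() uses the pernet data freed by unregister_pernet_subsys() */`. gtp_init() is not in the hunk; it is worth confirming that its registration order and its error unwinding mirror this sequence.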
@@ -0,0 +1,57 @@
+From d3f9974330bf3390b3f71700e8195eee11c76e7d Mon Sep 17 00:00:00 2001
+From: Denis Kirjanov
+Date: Mon, 17 Jun 2019 10:53:40 +0200
+Subject: ipoib: correcly show a VF hardware address
+
+[ Upstream commit 64d701c608fea362881e823b666327f5d28d7ffd ]
+
+in the case of IPoIB with SRIOV enabled hardware
+ip link show command incorrecly prints
+0 instead of a VF hardware address.
+
+Before:
+11: ib1: mtu 2044 qdisc pfifo_fast
+state UP mode DEFAULT group default qlen 256
+ link/infiniband
+80:00:00:66:fe:80:00:00:00:00:00:00:24:8a:07:03:00:a4:3e:7c brd
+00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff
+ vf 0 MAC 00:00:00:00:00:00, spoof checking off, link-state disable,
+trust off, query_rss off
+...
+After:
+11: ib1: mtu 2044 qdisc pfifo_fast
+state UP mode DEFAULT group default qlen 256
+ link/infiniband
+80:00:00:66:fe:80:00:00:00:00:00:00:24:8a:07:03:00:a4:3e:7c brd
+00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff
+ vf 0 link/infiniband
+80:00:00:66:fe:80:00:00:00:00:00:00:24:8a:07:03:00:a4:3e:7c brd
+00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff, spoof
+checking off, link-state disable, trust off, query_rss off
+
+v1->v2: just copy an address without modifing ifla_vf_mac
+v2->v3: update the changelog
+
+Signed-off-by: Denis Kirjanov
+Acked-by: Doug Ledford
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/ulp/ipoib/ipoib_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+index 17c5bc7e8957..45504febbc2a 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+@@ -1751,6 +1751,7 @@ static int ipoib_get_vf_config(struct net_device *dev, int vf,
+ return err;
+
+ ivf->vf = vf;
++ memcpy(ivf->mac, dev->dev_addr, dev->addr_len);
+
+ return 0;
+ }
+--
+2.20.1
+
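Review bot: The added `memcpy(ivf->mac, dev->dev_addr, dev->addr_len)` in ipoib_get_vf_config() takes its length from the source device and never compares it with the size of the destination `ivf->mac`. For IPoIB the address length is presumably fixed and small enough to fit, but nothing in the hunk enforces that. I would bound the copy, `memcpy(ivf->mac, dev->dev_addr, min_t(size_t, dev->addr_len, sizeof(ivf->mac)));`, or put a build-time assertion next to it. The function starts outside the hunk, so the declaration of `ivf` is not visible here.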
diff --git a/queue-4.9/ipsec-select-crypto-ciphers-for-xfrm_algo.patch b/queue-4.9/ipsec-select-crypto-ciphers-for-xfrm_algo.patch new file mode 100644 index 00000000000..a5a3f28ce9c --- /dev/null +++ b/queue-4.9/ipsec-select-crypto-ciphers-for-xfrm_algo.patch @@ -0,0 +1,43 @@ +From 641f1aa21a33fd867df6c51a9027ec7a43567caf Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 18 Jun 2019 13:22:13 +0200 +Subject: ipsec: select crypto ciphers for xfrm_algo + +[ Upstream commit 597179b0ba550bd83fab1a9d57c42a9343c58514 ] + +kernelci.org reports failed builds on arc because of what looks +like an old missed 'select' statement: + +net/xfrm/xfrm_algo.o: In function `xfrm_probe_algs': +xfrm_algo.c:(.text+0x1e8): undefined reference to `crypto_has_ahash' + +I don't see this in randconfig builds on other architectures, but +it's fairly clear we want to select the hash code for it, like we +do for all its other users. As Herbert points out, CRYPTO_BLKCIPHER +is also required even though it has not popped up in build tests. + +Fixes: 17bc19702221 ("ipsec: Use skcipher and ahash when probing algorithms") +Signed-off-by: Arnd Bergmann +Acked-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/xfrm/Kconfig b/net/xfrm/Kconfig +index bda1a13628a8..c09336b5a028 100644 +--- a/net/xfrm/Kconfig ++++ b/net/xfrm/Kconfig +@@ -9,6 +9,8 @@ config XFRM_ALGO + tristate + select XFRM + select CRYPTO ++ select CRYPTO_HASH ++ select CRYPTO_BLKCIPHER + + config XFRM_USER + tristate "Transformation user configuration interface" +-- +2.20.1 + diff --git a/queue-4.9/iwlwifi-mvm-drop-large-non-sta-frames.patch b/queue-4.9/iwlwifi-mvm-drop-large-non-sta-frames.patch new file mode 100644 index 00000000000..d22cc4eac98 --- /dev/null +++ b/queue-4.9/iwlwifi-mvm-drop-large-non-sta-frames.patch 
@@ -0,0 +1,39 @@ +From 117ab742e733425e833912a6e02b5c8a4d9070c0 Mon Sep 17 00:00:00 2001 +From: Andrei Otcheretianski +Date: Mon, 15 Apr 2019 16:45:04 +0300 +Subject: iwlwifi: mvm: Drop large non sta frames + +[ Upstream commit ac70499ee97231a418dc1a4d6c9dc102e8f64631 ] + +In some buggy scenarios we could possible attempt to transmit frames larger +than maximum MSDU size. Since our devices don't know how to handle this, +it may result in asserts, hangs etc. +This can happen, for example, when we receive a large multicast frame +and try to transmit it back to the air in AP mode. +Since in a legal scenario this should never happen, drop such frames and +warn about it. + +Signed-off-by: Andrei Otcheretianski +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +index bd7ff562d82d..1aa74b87599f 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +@@ -551,6 +551,9 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mvm *mvm, struct sk_buff *skb) + + memcpy(&info, skb->cb, sizeof(info)); + ++ if (WARN_ON_ONCE(skb->len > IEEE80211_MAX_DATA_LEN + hdrlen)) ++ return -1; ++ + if (WARN_ON_ONCE(info.flags & IEEE80211_TX_CTL_AMPDU)) + return -1; + +-- +2.20.1 + diff --git a/queue-4.9/ixgbe-check-ddm-existence-in-transceiver-before-acce.patch b/queue-4.9/ixgbe-check-ddm-existence-in-transceiver-before-acce.patch new file mode 100644 index 00000000000..b1a5e4ef981 --- /dev/null +++ b/queue-4.9/ixgbe-check-ddm-existence-in-transceiver-before-acce.patch 
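Review bot: The new length check in iwl_mvm_tx_skb_non_sta() uses WARN_ON_ONCE for a condition that, according to the commit message, can be reached by a large multicast frame received in AP mode. That puts a stack trace, and a panic on systems configured to panic on warnings, behind something traffic from a peer may be able to trigger; after the first hit every later drop is silent. Dropping with a rate-limited message would be safer, for example `if (skb->len > IEEE80211_MAX_DATA_LEN + hdrlen) { net_warn_ratelimited("iwlwifi: dropping oversized non-STA frame\n"); return -1; }`. `hdrlen` is assigned outside the hunk, so its value at this point cannot be confirmed from here.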
@@ -0,0 +1,63 @@ +From 14c082b1507b19e1f8de4d28a50e01669e1c2471 Mon Sep 17 00:00:00 2001 +From: "Mauro S. M. Rodrigues" +Date: Thu, 23 May 2019 16:11:12 -0300 +Subject: ixgbe: Check DDM existence in transceiver before access + +[ Upstream commit 655c91414579d7bb115a4f7898ee726fc18e0984 ] + +Some transceivers may comply with SFF-8472 but not implement the Digital +Diagnostic Monitoring (DDM) interface described in it. The existence of +such area is specified by bit 6 of byte 92, set to 1 if implemented. + +Currently, due to not checking this bit ixgbe fails trying to read SFP +module's eeprom with the follow message: + +ethtool -m enP51p1s0f0 +Cannot get Module EEPROM data: Input/output error + +Because it fails to read the additional 256 bytes in which it was assumed +to exist the DDM data. + +This issue was noticed using a Mellanox Passive DAC PN 01FT738. The eeprom +data was confirmed by Mellanox as correct and present in other Passive +DACs in from other manufacturers. + +Signed-off-by: "Mauro S. M. 
Rodrigues" +Reviewed-by: Jesse Brandeburg +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 3 ++- + drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c +index a137e060c185..bbc23e88de89 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c +@@ -3192,7 +3192,8 @@ static int ixgbe_get_module_info(struct net_device *dev, + page_swap = true; + } + +- if (sff8472_rev == IXGBE_SFF_SFF_8472_UNSUP || page_swap) { ++ if (sff8472_rev == IXGBE_SFF_SFF_8472_UNSUP || page_swap || ++ !(addr_mode & IXGBE_SFF_DDM_IMPLEMENTED)) { + /* We have a SFP, but it does not support SFF-8472 */ + modinfo->type = ETH_MODULE_SFF_8079; + modinfo->eeprom_len = ETH_MODULE_SFF_8079_LEN; +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h +index cc735ec3e045..25090b4880b3 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h +@@ -70,6 +70,7 @@ + #define IXGBE_SFF_SOFT_RS_SELECT_10G 0x8 + #define IXGBE_SFF_SOFT_RS_SELECT_1G 0x0 + #define IXGBE_SFF_ADDRESSING_MODE 0x4 ++#define IXGBE_SFF_DDM_IMPLEMENTED 0x40 + #define IXGBE_SFF_QSFP_DA_ACTIVE_CABLE 0x1 + #define IXGBE_SFF_QSFP_DA_PASSIVE_CABLE 0x8 + #define IXGBE_SFF_QSFP_CONNECTOR_NOT_SEPARABLE 0x23 +-- +2.20.1 + diff --git a/queue-4.9/libata-don-t-request-sense-data-on-zac-ata-devices.patch b/queue-4.9/libata-don-t-request-sense-data-on-zac-ata-devices.patch new file mode 100644 index 00000000000..aa1dbe64759 --- /dev/null +++ b/queue-4.9/libata-don-t-request-sense-data-on-zac-ata-devices.patch 
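Review bot: The comment inside the widened condition in ixgbe_get_module_info() still reads "We have a SFP, but it does not support SFF-8472", which no longer describes the branch: it is now also taken for modules that report SFF-8472 but leave the DDM bit clear. I would reword it to `/* SFP without SFF-8472 support, with page swap, or without the DDM area */`. The new `IXGBE_SFF_DDM_IMPLEMENTED 0x40` define in ixgbe_phy.h would also benefit from a short comment saying it is bit 6 of byte 92, as the commit message explains. How `addr_mode` is read lies outside the hunk.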
@@ -0,0 +1,68 @@ +From 1e912765b2e675a26fcea3b23eb0844070492f8d Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Mon, 24 Jun 2019 09:32:50 -0700 +Subject: libata: don't request sense data on !ZAC ATA devices + +[ Upstream commit ca156e006add67e4beea7896be395160735e09b0 ] + +ZAC support added sense data requesting on error for both ZAC and ATA +devices. This seems to cause erratic error handling behaviors on some +SSDs where the device reports sense data availability and then +delivers the wrong content making EH take the wrong actions. The +failure mode was sporadic on a LITE-ON ssd and couldn't be reliably +reproduced. + +There is no value in requesting sense data from non-ZAC ATA devices +while there's a significant risk of introducing EH misbehaviors which +are difficult to reproduce and fix. Let's do the sense data dancing +only for ZAC devices. + +Reviewed-by: Hannes Reinecke +Tested-by: Masato Suzuki +Reviewed-by: Damien Le Moal +Signed-off-by: Tejun Heo +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-eh.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c +index 90c38778bc1f..16f8fda89981 100644 +--- a/drivers/ata/libata-eh.c ++++ b/drivers/ata/libata-eh.c +@@ -1600,7 +1600,7 @@ static int ata_eh_read_log_10h(struct ata_device *dev, + tf->hob_lbah = buf[10]; + tf->nsect = buf[12]; + tf->hob_nsect = buf[13]; +- if (ata_id_has_ncq_autosense(dev->id)) ++ if (dev->class == ATA_DEV_ZAC && ata_id_has_ncq_autosense(dev->id)) + tf->auxiliary = buf[14] << 16 | buf[15] << 8 | buf[16]; + + return 0; +@@ -1849,7 +1849,8 @@ void ata_eh_analyze_ncq_error(struct ata_link *link) + memcpy(&qc->result_tf, &tf, sizeof(tf)); + qc->result_tf.flags = ATA_TFLAG_ISADDR | ATA_TFLAG_LBA | ATA_TFLAG_LBA48; + qc->err_mask |= AC_ERR_DEV | AC_ERR_NCQ; +- if ((qc->result_tf.command & ATA_SENSE) || qc->result_tf.auxiliary) { ++ if (dev->class == ATA_DEV_ZAC && ++ 
((qc->result_tf.command & ATA_SENSE) || qc->result_tf.auxiliary)) { + char sense_key, asc, ascq; + + sense_key = (qc->result_tf.auxiliary >> 16) & 0xff; +@@ -1903,10 +1904,11 @@ static unsigned int ata_eh_analyze_tf(struct ata_queued_cmd *qc, + } + + switch (qc->dev->class) { +- case ATA_DEV_ATA: + case ATA_DEV_ZAC: + if (stat & ATA_SENSE) + ata_eh_request_sense(qc, qc->scsicmd); ++ /* fall through */ ++ case ATA_DEV_ATA: + if (err & ATA_ICRC) + qc->err_mask |= AC_ERR_ATA_BUS; + if (err & (ATA_UNC | ATA_AMNF)) +-- +2.20.1 + diff --git a/queue-4.9/locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch b/queue-4.9/locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch new file mode 100644 index 00000000000..8ffe27c7c9d --- /dev/null +++ b/queue-4.9/locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch 
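Review bot: In ata_eh_analyze_tf() the ZAC-only policy is now expressed purely through case ordering and a `/* fall through */`, with nothing in the code saying why ATA_DEV_ATA skips the sense request. A later reorder of the labels would silently re-enable it, so I would add a comment above `case ATA_DEV_ZAC:` such as `/* only ZAC devices are asked for sense data; some ATA SSDs report it but return wrong content */`. The same `dev->class == ATA_DEV_ZAC` test is repeated in ata_eh_read_log_10h() and ata_eh_analyze_ncq_error(); a small shared predicate would keep the three sites from drifting apart. All three functions extend beyond their hunks.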
@@ -0,0 +1,102 @@ +From 93f47047ba86ea180b6492b231e0582d0b2c3b8f Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Fri, 24 May 2019 23:15:09 +0300 +Subject: locking/lockdep: Fix merging of hlocks with non-zero references + +[ Upstream commit d9349850e188b8b59e5322fda17ff389a1c0cd7d ] + +The sequence + + static DEFINE_WW_CLASS(test_ww_class); + + struct ww_acquire_ctx ww_ctx; + struct ww_mutex ww_lock_a; + struct ww_mutex ww_lock_b; + struct ww_mutex ww_lock_c; + struct mutex lock_c; + + ww_acquire_init(&ww_ctx, &test_ww_class); + + ww_mutex_init(&ww_lock_a, &test_ww_class); + ww_mutex_init(&ww_lock_b, &test_ww_class); + ww_mutex_init(&ww_lock_c, &test_ww_class); + + mutex_init(&lock_c); + + ww_mutex_lock(&ww_lock_a, &ww_ctx); + + mutex_lock(&lock_c); + + ww_mutex_lock(&ww_lock_b, &ww_ctx); + ww_mutex_lock(&ww_lock_c, &ww_ctx); + + mutex_unlock(&lock_c); (*) + + ww_mutex_unlock(&ww_lock_c); + ww_mutex_unlock(&ww_lock_b); + ww_mutex_unlock(&ww_lock_a); + + ww_acquire_fini(&ww_ctx); (**) + +will trigger the following error in __lock_release() when calling +mutex_release() at **: + + DEBUG_LOCKS_WARN_ON(depth <= 0) + +The problem is that the hlock merging happening at * updates the +references for test_ww_class incorrectly to 3 whereas it should've +updated it to 4 (representing all the instances for ww_ctx and +ww_lock_[abc]). + +Fix this by updating the references during merging correctly taking into +account that we can have non-zero references (both for the hlock that we +merge into another hlock or for the hlock we are merging into). 
+ +Signed-off-by: Imre Deak +Signed-off-by: Peter Zijlstra (Intel) +Cc: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Will Deacon +Link: https://lkml.kernel.org/r/20190524201509.9199-2-imre.deak@intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/locking/lockdep.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c +index 26fc428476b9..4b27aaffdf35 100644 +--- a/kernel/locking/lockdep.c ++++ b/kernel/locking/lockdep.c +@@ -3260,17 +3260,17 @@ static int __lock_acquire(struct lockdep_map *lock, unsigned int subclass, + if (depth) { + hlock = curr->held_locks + depth - 1; + if (hlock->class_idx == class_idx && nest_lock) { +- if (hlock->references) { +- /* +- * Check: unsigned int references:12, overflow. +- */ +- if (DEBUG_LOCKS_WARN_ON(hlock->references == (1 << 12)-1)) +- return 0; ++ if (!references) ++ references++; + ++ if (!hlock->references) + hlock->references++; +- } else { +- hlock->references = 2; +- } ++ ++ hlock->references += references; ++ ++ /* Overflow */ ++ if (DEBUG_LOCKS_WARN_ON(hlock->references < references)) ++ return 0; + + return 1; + } +-- +2.20.1 + diff --git a/queue-4.9/media-coda-fix-mpeg2-sequence-number-handling.patch b/queue-4.9/media-coda-fix-mpeg2-sequence-number-handling.patch new file mode 100644 index 00000000000..d95509cd9e5 --- /dev/null +++ b/queue-4.9/media-coda-fix-mpeg2-sequence-number-handling.patch 
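Review bot: The rewritten overflow check in __lock_acquire() runs after `hlock->references += references`, so when it fires the wrapped count has already been stored and stays in the held-lock entry on the `return 0` path. The removed comment also recorded that `references` is a 12-bit field, which is what makes `hlock->references < references` a wrap test; the new `/* Overflow */` drops that detail. I would either test before adding or at least restore the explanation, e.g. `/* references is a 12-bit bitfield: a sum smaller than the addend means it wrapped */`. The function starts and ends outside the hunk, so the type of the local `references` is not visible.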
@@ -0,0 +1,46 @@ +From 0690ce2ea087e0eaeecb2bf57fdb6ab0b02bfc19 Mon Sep 17 00:00:00 2001 +From: Philipp Zabel +Date: Tue, 18 Jun 2019 12:45:10 -0400 +Subject: media: coda: fix mpeg2 sequence number handling + +[ Upstream commit 56d159a4ec6d8da7313aac6fcbb95d8fffe689ba ] + +Sequence number handling assumed that the BIT processor frame number +starts counting at 1, but this is not true for the MPEG-2 decoder, +which starts at 0. Fix the sequence counter offset detection to handle +this. + +Signed-off-by: Philipp Zabel +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/coda/coda-bit.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c +index 717ee9a6a80e..1b8024f86b0f 100644 +--- a/drivers/media/platform/coda/coda-bit.c ++++ b/drivers/media/platform/coda/coda-bit.c +@@ -1581,6 +1581,7 @@ static int __coda_start_decoding(struct coda_ctx *ctx) + coda_write(dev, 0, CODA_REG_BIT_BIT_STREAM_PARAM); + return -ETIMEDOUT; + } ++ ctx->sequence_offset = ~0U; + ctx->initialized = 1; + + /* Update kfifo out pointer from coda bitstream read pointer */ +@@ -1971,7 +1972,9 @@ static void coda_finish_decode(struct coda_ctx *ctx) + v4l2_err(&dev->v4l2_dev, + "decoded frame index out of range: %d\n", decoded_idx); + } else { +- val = coda_read(dev, CODA_RET_DEC_PIC_FRAME_NUM) - 1; ++ val = coda_read(dev, CODA_RET_DEC_PIC_FRAME_NUM); ++ if (ctx->sequence_offset == -1) ++ ctx->sequence_offset = val; + val -= ctx->sequence_offset; + spin_lock_irqsave(&ctx->buffer_meta_lock, flags); + if (!list_empty(&ctx->buffer_meta_list)) { +-- +2.20.1 + diff --git a/queue-4.9/media-coda-increment-sequence-offset-for-the-last-re.patch b/queue-4.9/media-coda-increment-sequence-offset-for-the-last-re.patch new file mode 100644 index 00000000000..e9f0367ebc4 --- /dev/null 
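Review bot: The "not yet known" sentinel for `ctx->sequence_offset` is written as `~0U` in __coda_start_decoding() and tested as `-1` in coda_finish_decode(). The two agree only through implicit conversion and depend on the field's type, which is declared outside this diff. Spelling both the same way, or naming the value, would make the intent explicit: `if (ctx->sequence_offset == ~0U)`. A one-line comment at the assignment saying the offset is latched from the first decoded frame number would help as well.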
+++ b/queue-4.9/media-coda-increment-sequence-offset-for-the-last-re.patch @@ -0,0 +1,37 @@ +From 3c185bf583e55988b3461aaea1c474702d184ccf Mon Sep 17 00:00:00 2001 +From: Philipp Zabel +Date: Tue, 18 Jun 2019 12:45:22 -0400 +Subject: media: coda: increment sequence offset for the last returned frame + +[ Upstream commit b3b7d96817cdb8b6fc353867705275dce8f41ccc ] + +If no more frames are decoded in bitstream end mode, and a previously +decoded frame has been returned, the firmware still increments the frame +number. To avoid a sequence number mismatch after decoder restart, +increment the sequence_offset correction parameter. + +Signed-off-by: Philipp Zabel +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/coda/coda-bit.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c +index 1b8024f86b0f..df4643956c96 100644 +--- a/drivers/media/platform/coda/coda-bit.c ++++ b/drivers/media/platform/coda/coda-bit.c +@@ -1967,6 +1967,9 @@ static void coda_finish_decode(struct coda_ctx *ctx) + else if (ctx->display_idx < 0) + ctx->hold = true; + } else if (decoded_idx == -2) { ++ if (ctx->display_idx >= 0 && ++ ctx->display_idx < ctx->num_internal_frames) ++ ctx->sequence_offset++; + /* no frame was decoded, we still return remaining buffers */ + } else if (decoded_idx < 0 || decoded_idx >= ctx->num_internal_frames) { + v4l2_err(&dev->v4l2_dev, +-- +2.20.1 + diff --git a/queue-4.9/media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch b/queue-4.9/media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch new file mode 100644 index 00000000000..a24f7e4328f --- /dev/null +++ b/queue-4.9/media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch 
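Review bot: The added `ctx->sequence_offset++` in the `decoded_idx == -2` branch of coda_finish_decode() sits above the existing comment "no frame was decoded, we still return remaining buffers" and has no explanation of its own. The reason is given only in the commit message: the firmware still advances its frame number when a previously decoded frame is returned in bitstream end mode. I would put that next to the code, for example `/* firmware bumps the frame number even though nothing was decoded */` directly above the new `if`. The function extends beyond the hunk.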
@@ -0,0 +1,44 @@
+From 5200ee1d6b05ddd6cb34c2adf70becc26a39e0b4 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Tue, 30 Apr 2019 09:07:36 -0400
+Subject: media: dvb: usb: fix use after free in dvb_usb_device_exit
+
+[ Upstream commit 6cf97230cd5f36b7665099083272595c55d72be7 ]
+
+dvb_usb_device_exit() frees and uses the device name in that order.
+Fix by storing the name in a buffer before freeing it.
+
+Signed-off-by: Oliver Neukum
+Reported-by: syzbot+26ec41e9f788b3eba396@syzkaller.appspotmail.com
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/dvb-usb/dvb-usb-init.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+index 84308569e7dc..b3413404f91a 100644
+--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
++++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+@@ -287,12 +287,15 @@ EXPORT_SYMBOL(dvb_usb_device_init);
+ void dvb_usb_device_exit(struct usb_interface *intf)
+ {
+ struct dvb_usb_device *d = usb_get_intfdata(intf);
+- const char *name = "generic DVB-USB module";
++ const char *default_name = "generic DVB-USB module";
++ char name[40];
+
+ usb_set_intfdata(intf, NULL);
+ if (d != NULL && d->desc != NULL) {
+- name = d->desc->name;
++ strscpy(name, d->desc->name, sizeof(name));
+ dvb_usb_exit(d);
++ } else {
++ strscpy(name, default_name, sizeof(name));
+ }
+ info("%s successfully deinitialized and disconnected.", name);
+
+--
+2.20.1
+
diff --git a/queue-4.9/media-i2c-fix-warning-same-module-names.patch b/queue-4.9/media-i2c-fix-warning-same-module-names.patch
new file mode 100644
index 00000000000..539ef76f4c0
--- /dev/null
+++ b/queue-4.9/media-i2c-fix-warning-same-module-names.patch
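Review bot: The use-after-free fix in dvb_usb_device_exit() copies the name into `char name[40]`, an unexplained size, and ignores the result of strscpy(), so a descriptor name of 40 or more characters would be cut short in the log line without notice. Whether any descriptor name is that long cannot be seen from here. A named constant plus a short comment such as `/* copy first: the name may be freed by dvb_usb_exit() */` would document both the size and the reason for the copy. The `default_name` pointer is also unnecessary; `strscpy(name, "generic DVB-USB module", sizeof(name));` in the else branch is enough.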
@@ -0,0 +1,60 @@ +From e209e96630bcaa4dc91733b7306d89eb4379b4f8 Mon Sep 17 00:00:00 2001 +From: Anders Roxell +Date: Wed, 12 Jun 2019 12:19:35 -0400 +Subject: media: i2c: fix warning same module names + +[ Upstream commit b2ce5617dad254230551feda3599f2cc68e53ad8 ] + +When building with CONFIG_VIDEO_ADV7511 and CONFIG_DRM_I2C_ADV7511 +enabled as loadable modules, we see the following warning: + + drivers/gpu/drm/bridge/adv7511/adv7511.ko + drivers/media/i2c/adv7511.ko + +Rework so that the file is named adv7511-v4l2.c. + +Signed-off-by: Anders Roxell +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/Makefile | 2 +- + drivers/media/i2c/{adv7511.c => adv7511-v4l2.c} | 5 +++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + rename drivers/media/i2c/{adv7511.c => adv7511-v4l2.c} (99%) + +diff --git a/drivers/media/i2c/Makefile b/drivers/media/i2c/Makefile +index 92773b2e6225..bfe0afc209b8 100644 +--- a/drivers/media/i2c/Makefile ++++ b/drivers/media/i2c/Makefile +@@ -29,7 +29,7 @@ obj-$(CONFIG_VIDEO_ADV7393) += adv7393.o + obj-$(CONFIG_VIDEO_ADV7604) += adv7604.o + obj-$(CONFIG_VIDEO_ADV7842) += adv7842.o + obj-$(CONFIG_VIDEO_AD9389B) += ad9389b.o +-obj-$(CONFIG_VIDEO_ADV7511) += adv7511.o ++obj-$(CONFIG_VIDEO_ADV7511) += adv7511-v4l2.o + obj-$(CONFIG_VIDEO_VPX3220) += vpx3220.o + obj-$(CONFIG_VIDEO_VS6624) += vs6624.o + obj-$(CONFIG_VIDEO_BT819) += bt819.o +diff --git a/drivers/media/i2c/adv7511.c b/drivers/media/i2c/adv7511-v4l2.c +similarity index 99% +rename from drivers/media/i2c/adv7511.c +rename to drivers/media/i2c/adv7511-v4l2.c +index 5f1c8ee8a50e..b87c9e7ff146 100644 +--- a/drivers/media/i2c/adv7511.c ++++ b/drivers/media/i2c/adv7511-v4l2.c +@@ -17,6 +17,11 @@ + * SOFTWARE. + */ + ++/* ++ * This file is named adv7511-v4l2.c so it doesn't conflict with the Analog ++ * Device ADV7511 (config fragment CONFIG_DRM_I2C_ADV7511). ++ */ ++ + + #include + #include +-- +2.20.1 + 
diff --git a/queue-4.9/media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch b/queue-4.9/media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch new file mode 100644 index 00000000000..7b8956ef198 --- /dev/null +++ b/queue-4.9/media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch 
@@ -0,0 +1,64 @@ +From 543fc973a7dfda220387813455f9cce4fa1a791d Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Sun, 5 May 2019 10:00:23 -0400 +Subject: media: marvell-ccic: fix DMA s/g desc number calculation + +[ Upstream commit 0c7aa32966dab0b8a7424e1b34c7f206817953ec ] + +The commit d790b7eda953 ("[media] vb2-dma-sg: move dma_(un)map_sg here") +left dma_desc_nent unset. It previously contained the number of DMA +descriptors as returned from dma_map_sg(). + +We can now (since the commit referred to above) obtain the same value from +the sg_table and drop dma_desc_nent altogether. + +Tested on OLPC XO-1.75 machine. Doesn't affect the OLPC XO-1's Cafe +driver, since that one doesn't do DMA. + +[mchehab+samsung@kernel.org: fix a checkpatch warning] + +Fixes: d790b7eda953 ("[media] vb2-dma-sg: move dma_(un)map_sg here") +Signed-off-by: Lubomir Rintel +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/marvell-ccic/mcam-core.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/marvell-ccic/mcam-core.c b/drivers/media/platform/marvell-ccic/mcam-core.c +index af59bf4dca2d..a74bfb9afc8d 100644 +--- a/drivers/media/platform/marvell-ccic/mcam-core.c ++++ b/drivers/media/platform/marvell-ccic/mcam-core.c +@@ -209,7 +209,6 @@ struct mcam_vb_buffer { + struct list_head queue; + struct mcam_dma_desc *dma_desc; /* Descriptor virtual address */ + dma_addr_t dma_desc_pa; /* Descriptor physical address */ +- int dma_desc_nent; /* Number of mapped descriptors */ + }; + + static inline struct mcam_vb_buffer *vb_to_mvb(struct vb2_v4l2_buffer *vb) +@@ -616,9 +615,11 @@ static void mcam_dma_contig_done(struct mcam_camera *cam, int frame) + static void mcam_sg_next_buffer(struct mcam_camera *cam) + { + struct mcam_vb_buffer *buf; ++ struct sg_table *sg_table; + + buf = list_first_entry(&cam->buffers, struct mcam_vb_buffer, queue); + list_del_init(&buf->queue); 
++ sg_table = vb2_dma_sg_plane_desc(&buf->vb_buf.vb2_buf, 0); + /* + * Very Bad Not Good Things happen if you don't clear + * C1_DESC_ENA before making any descriptor changes. +@@ -626,7 +627,7 @@ static void mcam_sg_next_buffer(struct mcam_camera *cam) + mcam_reg_clear_bit(cam, REG_CTRL1, C1_DESC_ENA); + mcam_reg_write(cam, REG_DMA_DESC_Y, buf->dma_desc_pa); + mcam_reg_write(cam, REG_DESC_LEN_Y, +- buf->dma_desc_nent*sizeof(struct mcam_dma_desc)); ++ sg_table->nents * sizeof(struct mcam_dma_desc)); + mcam_reg_write(cam, REG_DESC_LEN_U, 0); + mcam_reg_write(cam, REG_DESC_LEN_V, 0); + mcam_reg_set_bit(cam, REG_CTRL1, C1_DESC_ENA); +-- +2.20.1 + diff --git a/queue-4.9/media-mc-device.c-don-t-memset-__user-pointer-conten.patch b/queue-4.9/media-mc-device.c-don-t-memset-__user-pointer-conten.patch new file mode 100644 index 00000000000..7f79e7bbd9e --- /dev/null +++ b/queue-4.9/media-mc-device.c-don-t-memset-__user-pointer-conten.patch 
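Review bot: In mcam_sg_next_buffer() the result of `vb2_dma_sg_plane_desc()` is dereferenced without a check, and `sg_table->nents` then determines the length written to REG_DESC_LEN_Y. The hunk does not show how many entries were allocated behind `buf->dma_desc`, so it cannot be confirmed here that `nents` never exceeds that count; if it did, the device would be told to fetch descriptors past the end of the array. I would state the invariant where the length is programmed, e.g. `/* nents comes from the mapped sg_table; dma_desc must hold at least that many entries */`, and enforce it where the descriptor array is filled, which is outside this hunk. The struct change in the first hunk has no such concern.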
@@ -0,0 +1,43 @@
+From c65dae5db76add95727edd7431afe767b5019720 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Mon, 27 May 2019 05:31:13 -0400
+Subject: media: mc-device.c: don't memset __user pointer contents
+
+[ Upstream commit 518fa4e0e0da97ea2e17c95ab57647ce748a96e2 ]
+
+You can't memset the contents of a __user pointer. Instead, call copy_to_user to
+copy links.reserved (which is zeroed) to the user memory.
+
+This fixes this sparse warning:
+
+SPARSE:drivers/media/mc/mc-device.c drivers/media/mc/mc-device.c:521:16: warning: incorrect type in argument 1 (different address spaces)
+
+Fixes: f49308878d720 ("media: media_device_enum_links32: clean a reserved field")
+
+Signed-off-by: Hans Verkuil
+Reviewed-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/media-device.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c
+index 6062c0cfa632..73a2dba475d0 100644
+--- a/drivers/media/media-device.c
++++ b/drivers/media/media-device.c
+@@ -490,8 +490,9 @@ static long media_device_enum_links32(struct media_device *mdev,
+ if (ret)
+ return ret;
+
+- memset(ulinks->reserved, 0, sizeof(ulinks->reserved));
+-
++ if (copy_to_user(ulinks->reserved, links.reserved,
++ sizeof(ulinks->reserved)))
++ return -EFAULT;
+ return 0;
+ }
+
+--
+2.20.1
+
diff --git a/queue-4.9/media-media_device_enum_links32-clean-a-reserved-fie.patch b/queue-4.9/media-media_device_enum_links32-clean-a-reserved-fie.patch
new file mode 100644
index 00000000000..7d4e9ee01f4
--- /dev/null
+++ b/queue-4.9/media-media_device_enum_links32-clean-a-reserved-fie.patch
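Review bot: The replacement `copy_to_user(ulinks->reserved, links.reserved, sizeof(ulinks->reserved))` in media_device_enum_links32() takes its length from the destination while reading from a kernel-side struct, and it relies on `links.reserved` still being zero after media_device_enum_links() returns. If the two arrays ever differ in size, or the callee starts writing to that field, kernel memory contents would be copied out to user space. Since the intent is only to zero the user field, `if (clear_user(ulinks->reserved, sizeof(ulinks->reserved))) return -EFAULT;` says that directly and has neither dependency. The function body starts outside the hunk.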
@@ -0,0 +1,55 @@
+From ce80728bd28416d912fbde5bf92ccbbbc2c1ee54 Mon Sep 17 00:00:00 2001
+From: Jungo Lin
+Date: Tue, 2 Apr 2019 21:44:27 -0400
+Subject: media: media_device_enum_links32: clean a reserved field
+
+[ Upstream commit f49308878d7202e07d8761238e01bd0e5fce2750 ]
+
+In v4l2-compliance utility, test MEDIA_IOC_ENUM_ENTITIES
+will check whether reserved field of media_links_enum filled
+with zero.
+
+However, for 32 bit program, the reserved field is missing
+copy from kernel space to user space in media_device_enum_links32
+function.
+
+This patch adds the cleaning a reserved field logic in
+media_device_enum_links32 function.
+
+Signed-off-by: Jungo Lin
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/media-device.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c
+index 6f46c59415fe..6062c0cfa632 100644
+--- a/drivers/media/media-device.c
++++ b/drivers/media/media-device.c
+@@ -474,6 +474,7 @@ static long media_device_enum_links32(struct media_device *mdev,
+ {
+ struct media_links_enum links;
+ compat_uptr_t pads_ptr, links_ptr;
++ int ret;
+
+ memset(&links, 0, sizeof(links));
+
+@@ -485,7 +486,13 @@ static long media_device_enum_links32(struct media_device *mdev,
+ links.pads = compat_ptr(pads_ptr);
+ links.links = compat_ptr(links_ptr);
+
+- return media_device_enum_links(mdev, &links);
++ ret = media_device_enum_links(mdev, &links);
++ if (ret)
++ return ret;
++
++ memset(ulinks->reserved, 0, sizeof(ulinks->reserved));
++
++ return 0;
+ }
+
+ #define MEDIA_IOC_ENUM_LINKS32 _IOWR('|', 0x02, struct media_links_enum32)
+--
+2.20.1
+
diff --git a/queue-4.9/media-staging-media-davinci_vpfe-fix-for-memory-leak.patch b/queue-4.9/media-staging-media-davinci_vpfe-fix-for-memory-leak.patch
new file mode 100644
index 00000000000..870214b62c4
--- /dev/null
+++ b/queue-4.9/media-staging-media-davinci_vpfe-fix-for-memory-leak.patch
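Review bot: The added `memset(ulinks->reserved, 0, sizeof(ulinks->reserved))` writes through `ulinks`, which the follow-up patch in this same queue describes as a __user pointer, so the kernel would store to user memory without the user-access helpers. That follow-up (media-mc-device.c-don-t-memset-__user-pointer-conten.patch, whose index line starts from this patch's result 6062c0cfa632) replaces the memset. The two entries therefore have to stay together and in this order in the series; dropping or reordering either one would leave the direct write in the 4.9 tree.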
@@ -0,0 +1,36 @@
+From 1a836bc3c5aa7ab2101f2677d236c36c6bce88ab Mon Sep 17 00:00:00 2001
+From: Shailendra Verma
+Date: Thu, 24 Nov 2016 23:57:34 -0500
+Subject: media: staging: media: davinci_vpfe: - Fix for memory leak if decoder
+ initialization fails.
+
+[ Upstream commit 6995a659101bd4effa41cebb067f9dc18d77520d ]
+
+Fix to avoid possible memory leak if the decoder initialization
+got failed.Free the allocated memory for file handle object
+before return in case decoder initialization fails.
+
+Signed-off-by: Shailendra Verma
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/staging/media/davinci_vpfe/vpfe_video.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/staging/media/davinci_vpfe/vpfe_video.c b/drivers/staging/media/davinci_vpfe/vpfe_video.c
+index 89dd6b989254..e0440807b4ed 100644
+--- a/drivers/staging/media/davinci_vpfe/vpfe_video.c
++++ b/drivers/staging/media/davinci_vpfe/vpfe_video.c
+@@ -423,6 +423,9 @@ static int vpfe_open(struct file *file)
+ /* If decoder is not initialized. initialize it */
+ if (!video->initialized && vpfe_update_pipe_state(video)) {
+ mutex_unlock(&video->lock);
++ v4l2_fh_del(&handle->vfh);
++ v4l2_fh_exit(&handle->vfh);
++ kfree(handle);
+ return -ENODEV;
+ }
+ /* Increment device users counter */
+--
+2.20.1
+
diff --git a/queue-4.9/media-vpss-fix-a-potential-null-pointer-dereference.patch b/queue-4.9/media-vpss-fix-a-potential-null-pointer-dereference.patch
new file mode 100644
index 00000000000..6b1589af8b6
--- /dev/null
+++ b/queue-4.9/media-vpss-fix-a-potential-null-pointer-dereference.patch
@@ -0,0 +1,38 @@
+From ca89d32dead158559c6cff666ada52062d9aed1a Mon Sep 17 00:00:00 2001
+From: Kangjie Lu
+Date: Fri, 22 Mar 2019 22:51:06 -0400
+Subject: media: vpss: fix a potential NULL pointer dereference
+
+[ Upstream commit e08f0761234def47961d3252eac09ccedfe4c6a0 ]
+
+In case ioremap fails, the fix returns -ENOMEM to avoid NULL
+pointer dereference.
+
+Signed-off-by: Kangjie Lu
+Acked-by: Lad, Prabhakar
+Reviewed-by: Mukesh Ojha
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/davinci/vpss.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/media/platform/davinci/vpss.c b/drivers/media/platform/davinci/vpss.c
+index fce86f17dffc..c2c68988e38a 100644
+--- a/drivers/media/platform/davinci/vpss.c
++++ b/drivers/media/platform/davinci/vpss.c
+@@ -523,6 +523,11 @@ static int __init vpss_init(void)
+ return -EBUSY;
+
+ oper_cfg.vpss_regs_base2 = ioremap(VPSS_CLK_CTRL, 4);
++ if (unlikely(!oper_cfg.vpss_regs_base2)) {
++ release_mem_region(VPSS_CLK_CTRL, 4);
++ return -ENOMEM;
++ }
++
+ writel(VPSS_CLK_CTRL_VENCCLKEN |
+ VPSS_CLK_CTRL_DACCLKEN, oper_cfg.vpss_regs_base2);
+
+--
+2.20.1
+
diff --git a/queue-4.9/media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch b/queue-4.9/media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch
new file mode 100644
index 00000000000..1f5887c3ca8
--- /dev/null
+++ b/queue-4.9/media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch
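Review bot: The new error path in vpss_init() repeats the literal `4` already used for the ioremap() length and wraps the check in `unlikely()`, which adds nothing in a one-shot __init function. A named size (for example `#define VPSS_CLK_CTRL_SIZE 4`, a name proposed here) used for the ioremap and release calls would keep them in step, and the test can simply be `if (!oper_cfg.vpss_regs_base2) {`. The code after the writel() is outside the hunk, so whether later failures unmap `vpss_regs_base2` cannot be judged from here.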
@@ -0,0 +1,100 @@
+From 7c86c20c2404a6a3be6e03e8373d8318b3f89d86 Mon Sep 17 00:00:00 2001
+From: Kefeng Wang
+Date: Thu, 30 May 2019 03:25:49 -0400
+Subject: media: wl128x: Fix some error handling in fm_v4l2_init_video_device()
+
+[ Upstream commit 69fbb3f47327d959830c94bf31893972b8c8f700 ]
+
+X-Originating-IP: [10.175.113.25]
+X-CFilter-Loop: Reflected
+The fm_v4l2_init_video_device() forget to unregister v4l2/video device
+in the error path, it could lead to UAF issue, eg,
+
+ BUG: KASAN: use-after-free in atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline]
+ BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:28 [inline]
+ BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206
+ Read of size 8 at addr ffff8881e84a7c70 by task v4l_id/3659
+
+ CPU: 1 PID: 3659 Comm: v4l_id Not tainted 5.1.0 #8
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+ Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xa9/0x10e lib/dump_stack.c:113
+ print_address_description+0x65/0x270 mm/kasan/report.c:187
+ kasan_report+0x149/0x18d mm/kasan/report.c:317
+ atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline]
+ atomic_long_read include/asm-generic/atomic-long.h:28 [inline]
+ __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206
+ fm_v4l2_fops_open+0xac/0x120 [fm_drv]
+ v4l2_open+0x191/0x390 [videodev]
+ chrdev_open+0x20d/0x570 fs/char_dev.c:417
+ do_dentry_open+0x700/0xf30 fs/open.c:777
+ do_last fs/namei.c:3416 [inline]
+ path_openat+0x7c4/0x2a90 fs/namei.c:3532
+ do_filp_open+0x1a5/0x2b0 fs/namei.c:3563
+ do_sys_open+0x302/0x490 fs/open.c:1069
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ RIP: 0033:0x7f8180c17c8e
+ ...
+ Allocated by task 3642:
+ set_track mm/kasan/common.c:87 [inline]
+ __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:497
+ fm_drv_init+0x13/0x1000 [fm_drv]
+ do_one_initcall+0xbc/0x47d init/main.c:901
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+ Freed by task 3642:
+ set_track mm/kasan/common.c:87 [inline]
+ __kasan_slab_free+0x130/0x180 mm/kasan/common.c:459
+ slab_free_hook mm/slub.c:1429 [inline]
+ slab_free_freelist_hook mm/slub.c:1456 [inline]
+ slab_free mm/slub.c:3003 [inline]
+ kfree+0xe1/0x270 mm/slub.c:3958
+ fm_drv_init+0x1e6/0x1000 [fm_drv]
+ do_one_initcall+0xbc/0x47d init/main.c:901
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Add relevant unregister functions to fix it.
+
+Cc: Hans Verkuil
+Reported-by: Hulk Robot
+Signed-off-by: Kefeng Wang
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/radio/wl128x/fmdrv_v4l2.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/radio/wl128x/fmdrv_v4l2.c b/drivers/media/radio/wl128x/fmdrv_v4l2.c
+index fb42f0fd0c1f..add26eac1677 100644
+--- a/drivers/media/radio/wl128x/fmdrv_v4l2.c
++++ b/drivers/media/radio/wl128x/fmdrv_v4l2.c
+@@ -553,6 +553,7 @@ int fm_v4l2_init_video_device(struct fmdev *fmdev, int radio_nr)
+
+ /* Register with V4L2 subsystem as RADIO device */
+ if (video_register_device(&gradio_dev, VFL_TYPE_RADIO, radio_nr)) {
++ v4l2_device_unregister(&fmdev->v4l2_dev);
+ fmerr("Could not register video device\n");
+ return -ENOMEM;
+ }
+@@ -566,6 +567,8 @@ int fm_v4l2_init_video_device(struct fmdev *fmdev, int radio_nr)
+ if (ret < 0) {
+ fmerr("(fmdev): Can't init ctrl handler\n");
+ v4l2_ctrl_handler_free(&fmdev->ctrl_handler);
++ video_unregister_device(fmdev->radio_dev);
++ v4l2_device_unregister(&fmdev->v4l2_dev);
+ return -EBUSY;
+ }
+
+--
+2.20.1
+
diff --git a/queue-4.9/mips-ath79-fix-ar933x-uart-parity-mode.patch b/queue-4.9/mips-ath79-fix-ar933x-uart-parity-mode.patch
new file mode 100644
index 00000000000..c2f3796a6b5
--- /dev/null
+++ b/queue-4.9/mips-ath79-fix-ar933x-uart-parity-mode.patch
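Review bot: In the second inner hunk of fm_v4l2_init_video_device(), the control handler is still set up after `video_register_device()` has already exposed the node, so user space can open the device before initialisation has finished; the KASAN trace in the description shows an open reaching memory that fm_drv_init had freed. The added `video_unregister_device(fmdev->radio_dev);` and `v4l2_device_unregister(&fmdev->v4l2_dev);` repair the error path, but making the video-device registration the last step, after `v4l2_ctrl_handler_init()` has succeeded, would avoid exposing a half-initialised device at all. The lines between the two hunks are not shown, so the assignment of `fmdev->radio_dev` before this path is assumed rather than verified. The description also carries stray mail headers (`X-Originating-IP`, `X-CFilter-Loop`) that disclose an internal address and add nothing to the changelog.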
@@ -0,0 +1,40 @@
+From 2a671f1e24b767468319c516d5fe83a690f5f647 Mon Sep 17 00:00:00 2001
+From: Stefan Hellermann
+Date: Mon, 17 Jun 2019 15:43:59 +0200
+Subject: MIPS: ath79: fix ar933x uart parity mode
+
+[ Upstream commit db13a5ba2732755cf13320f3987b77cf2a71e790 ]
+
+While trying to get the uart with parity working I found setting even
+parity enabled odd parity insted. Fix the register settings to match
+the datasheet of AR9331.
+
+A similar patch was created by 8devices, but not sent upstream.
+https://github.com/8devices/openwrt-8devices/commit/77c5586ade3bb72cda010afad3f209ed0c98ea7c
+
+Signed-off-by: Stefan Hellermann
+Signed-off-by: Paul Burton
+Cc: linux-mips@vger.kernel.org
+Signed-off-by: Sasha Levin
+---
+ arch/mips/include/asm/mach-ath79/ar933x_uart.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/include/asm/mach-ath79/ar933x_uart.h b/arch/mips/include/asm/mach-ath79/ar933x_uart.h
+index c2917b39966b..bba2c8837951 100644
+--- a/arch/mips/include/asm/mach-ath79/ar933x_uart.h
++++ b/arch/mips/include/asm/mach-ath79/ar933x_uart.h
+@@ -27,8 +27,8 @@
+ #define AR933X_UART_CS_PARITY_S 0
+ #define AR933X_UART_CS_PARITY_M 0x3
+ #define AR933X_UART_CS_PARITY_NONE 0
+-#define AR933X_UART_CS_PARITY_ODD 1
+-#define AR933X_UART_CS_PARITY_EVEN 2
++#define AR933X_UART_CS_PARITY_ODD 2
++#define AR933X_UART_CS_PARITY_EVEN 3
+ #define AR933X_UART_CS_IF_MODE_S 2
+ #define AR933X_UART_CS_IF_MODE_M 0x3
+ #define AR933X_UART_CS_IF_MODE_NONE 0
+--
+2.20.1
+
diff --git a/queue-4.9/mips-fix-build-on-non-linux-hosts.patch b/queue-4.9/mips-fix-build-on-non-linux-hosts.patch
new file mode 100644
index 00000000000..0834906970b
--- /dev/null
+++ b/queue-4.9/mips-fix-build-on-non-linux-hosts.patch
@@ -0,0 +1,67 @@
+From ca0703c714b3bcef5a0cfb66f57e083f1c1d2c56 Mon Sep 17 00:00:00 2001
+From: Kevin Darbyshire-Bryant
+Date: Wed, 19 Jun 2019 15:08:18 +0100
+Subject: MIPS: fix build on non-linux hosts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 1196364f21ffe5d1e6d83cafd6a2edb89404a3ae ]
+
+calc_vmlinuz_load_addr.c requires SZ_64K to be defined for alignment
+purposes. It included "../../../../include/linux/sizes.h" to define
+that size, however "sizes.h" tries to include which
+assumes linux system headers. These may not exist eg. the following
+error was encountered when building Linux for OpenWrt under macOS:
+
+In file included from arch/mips/boot/compressed/calc_vmlinuz_load_addr.c:16:
+arch/mips/boot/compressed/../../../../include/linux/sizes.h:11:10: fatal error: 'linux/const.h' file not found
+ ^~~~~~~~~~
+
+Change makefile to force building on local linux headers instead of
+system headers. Also change eye-watering relative reference in include
+file spec.
+
+Thanks to Jo-Philip Wich & Petr Štetiar for assistance in tracking this
+down & fixing.
+
+Suggested-by: Jo-Philipp Wich
+Signed-off-by: Petr Štetiar
+Signed-off-by: Kevin Darbyshire-Bryant
+Signed-off-by: Paul Burton
+Cc: linux-mips@vger.kernel.org
+Signed-off-by: Sasha Levin
+---
+ arch/mips/boot/compressed/Makefile | 2 ++
+ arch/mips/boot/compressed/calc_vmlinuz_load_addr.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/boot/compressed/Makefile b/arch/mips/boot/compressed/Makefile
+index 90aca95fe314..ad31c76c7a29 100644
+--- a/arch/mips/boot/compressed/Makefile
++++ b/arch/mips/boot/compressed/Makefile
+@@ -75,6 +75,8 @@ OBJCOPYFLAGS_piggy.o := --add-section=.image=$(obj)/vmlinux.bin.z \
+ $(obj)/piggy.o: $(obj)/dummy.o $(obj)/vmlinux.bin.z FORCE
+ $(call if_changed,objcopy)
+
++HOSTCFLAGS_calc_vmlinuz_load_addr.o += $(LINUXINCLUDE)
++
+ # Calculate the load address of the compressed kernel image
+ hostprogs-y := calc_vmlinuz_load_addr
+
+diff --git a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
+index 542c3ede9722..d14f75ec8273 100644
+--- a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
++++ b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
+@@ -13,7 +13,7 @@
+ #include
+ #include
+ #include
+-#include "../../../../include/linux/sizes.h"
++#include
+
+ int main(int argc, char *argv[])
+ {
+--
+2.20.1
+
diff --git a/queue-4.9/mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch b/queue-4.9/mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch
new file mode 100644
index 00000000000..920ccfa40d5
--- /dev/null
+++ b/queue-4.9/mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch
@@ -0,0 +1,114 @@ +From 3b891e11a93f2b3b1cf12966c86e0b0fba5088c7 Mon Sep 17 00:00:00 2001 +From: Lorenzo Bianconi +Date: Fri, 7 Jun 2019 13:48:09 +0200 +Subject: mt7601u: do not schedule rx_tasklet when the device has been + disconnected + +[ Upstream commit 4079e8ccabc3b6d1b503f2376123cb515d14921f ] + +Do not schedule rx_tasklet when the usb dongle is disconnected. +Moreover do not grub rx_lock in mt7601u_kill_rx since usb_poison_urb +can run concurrently with urb completion and we can unlink urbs from rx +ring in any order. +This patch fixes the common kernel warning reported when +the device is removed. + +[ 24.921354] usb 3-14: USB disconnect, device number 7 +[ 24.921593] ------------[ cut here ]------------ +[ 24.921594] RX urb mismatch +[ 24.921675] WARNING: CPU: 4 PID: 163 at drivers/net/wireless/mediatek/mt7601u/dma.c:200 mt7601u_complete_rx+0xcb/0xd0 [mt7601u] +[ 24.921769] CPU: 4 PID: 163 Comm: kworker/4:2 Tainted: G OE 4.19.31-041931-generic #201903231635 +[ 24.921770] Hardware name: To Be Filled By O.E.M. 
To Be Filled By O.E.M./Z97 Extreme4, BIOS P1.30 05/23/2014 +[ 24.921782] Workqueue: usb_hub_wq hub_event +[ 24.921797] RIP: 0010:mt7601u_complete_rx+0xcb/0xd0 [mt7601u] +[ 24.921800] RSP: 0018:ffff9bd9cfd03d08 EFLAGS: 00010086 +[ 24.921802] RAX: 0000000000000000 RBX: ffff9bd9bf043540 RCX: 0000000000000006 +[ 24.921803] RDX: 0000000000000007 RSI: 0000000000000096 RDI: ffff9bd9cfd16420 +[ 24.921804] RBP: ffff9bd9cfd03d28 R08: 0000000000000002 R09: 00000000000003a8 +[ 24.921805] R10: 0000002f485fca34 R11: 0000000000000000 R12: ffff9bd9bf043c1c +[ 24.921806] R13: ffff9bd9c62fa3c0 R14: 0000000000000082 R15: 0000000000000000 +[ 24.921807] FS: 0000000000000000(0000) GS:ffff9bd9cfd00000(0000) knlGS:0000000000000000 +[ 24.921808] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 24.921808] CR2: 00007fb2648b0000 CR3: 0000000142c0a004 CR4: 00000000001606e0 +[ 24.921809] Call Trace: +[ 24.921812] +[ 24.921819] __usb_hcd_giveback_urb+0x8b/0x140 +[ 24.921821] usb_hcd_giveback_urb+0xca/0xe0 +[ 24.921828] xhci_giveback_urb_in_irq.isra.42+0x82/0xf0 +[ 24.921834] handle_cmd_completion+0xe02/0x10d0 +[ 24.921837] xhci_irq+0x274/0x4a0 +[ 24.921838] xhci_msi_irq+0x11/0x20 +[ 24.921851] __handle_irq_event_percpu+0x44/0x190 +[ 24.921856] handle_irq_event_percpu+0x32/0x80 +[ 24.921861] handle_irq_event+0x3b/0x5a +[ 24.921867] handle_edge_irq+0x80/0x190 +[ 24.921874] handle_irq+0x20/0x30 +[ 24.921889] do_IRQ+0x4e/0xe0 +[ 24.921891] common_interrupt+0xf/0xf +[ 24.921892] +[ 24.921900] RIP: 0010:usb_hcd_flush_endpoint+0x78/0x180 +[ 24.921354] usb 3-14: USB disconnect, device number 7 + +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt7601u/dma.c | 33 +++++++++++---------- + 1 file changed, 18 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt7601u/dma.c b/drivers/net/wireless/mediatek/mt7601u/dma.c +index a8bc064bc14f..838ad9a4be51 100644 +--- 
a/drivers/net/wireless/mediatek/mt7601u/dma.c ++++ b/drivers/net/wireless/mediatek/mt7601u/dma.c +@@ -193,10 +193,23 @@ static void mt7601u_complete_rx(struct urb *urb) + struct mt7601u_rx_queue *q = &dev->rx_q; + unsigned long flags; + +- spin_lock_irqsave(&dev->rx_lock, flags); ++ /* do no schedule rx tasklet if urb has been unlinked ++ * or the device has been removed ++ */ ++ switch (urb->status) { ++ case -ECONNRESET: ++ case -ESHUTDOWN: ++ case -ENOENT: ++ return; ++ default: ++ dev_err_ratelimited(dev->dev, "rx urb failed: %d\n", ++ urb->status); ++ /* fall through */ ++ case 0: ++ break; ++ } + +- if (mt7601u_urb_has_error(urb)) +- dev_err(dev->dev, "Error: RX urb failed:%d\n", urb->status); ++ spin_lock_irqsave(&dev->rx_lock, flags); + if (WARN_ONCE(q->e[q->end].urb != urb, "RX urb mismatch")) + goto out; + +@@ -363,19 +376,9 @@ int mt7601u_dma_enqueue_tx(struct mt7601u_dev *dev, struct sk_buff *skb, + static void mt7601u_kill_rx(struct mt7601u_dev *dev) + { + int i; +- unsigned long flags; + +- spin_lock_irqsave(&dev->rx_lock, flags); +- +- for (i = 0; i < dev->rx_q.entries; i++) { +- int next = dev->rx_q.end; +- +- spin_unlock_irqrestore(&dev->rx_lock, flags); +- usb_poison_urb(dev->rx_q.e[next].urb); +- spin_lock_irqsave(&dev->rx_lock, flags); +- } +- +- spin_unlock_irqrestore(&dev->rx_lock, flags); ++ for (i = 0; i < dev->rx_q.entries; i++) ++ usb_poison_urb(dev->rx_q.e[i].urb); + } + + static int mt7601u_submit_rx_buf(struct mt7601u_dev *dev, +-- +2.20.1 + diff --git a/queue-4.9/mt7601u-fix-possible-memory-leak-when-the-device-is-.patch b/queue-4.9/mt7601u-fix-possible-memory-leak-when-the-device-is-.patch new file mode 100644 index 00000000000..5b7ab37b696 --- /dev/null +++ b/queue-4.9/mt7601u-fix-possible-memory-leak-when-the-device-is-.patch 
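Review bot: The new switch in mt7601u_complete_rx() places `default:` ahead of `case 0:` and depends on a fall-through, which is easy to misread; listing `case 0: break;` first and ending `default:` with its own `break;` expresses the same control flow directly. The comment above it should read `/* do not schedule rx tasklet if urb has been unlinked or the device has been removed */`. A URB that completes with any other error status is still passed on after the ratelimited message, and whether the code after the hunk skips such buffers is not visible here. The tx patch queued next repeats the same switch shape in mt7601u_complete_tx().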
@@ -0,0 +1,125 @@ +From 68683528b535ffd704ef122e7efb5e648d3f367c Mon Sep 17 00:00:00 2001 +From: Lorenzo Bianconi +Date: Fri, 7 Jun 2019 13:48:10 +0200 +Subject: mt7601u: fix possible memory leak when the device is disconnected + +[ Upstream commit 23377c200b2eb48a60d0f228b2a2e75ed6ee6060 ] + +When the device is disconnected while passing traffic it is possible +to receive out of order urbs causing a memory leak since the skb linked +to the current tx urb is not removed. Fix the issue deallocating the skb +cleaning up the tx ring. Moreover this patch fixes the following kernel +warning + +[ 57.480771] usb 1-1: USB disconnect, device number 2 +[ 57.483451] ------------[ cut here ]------------ +[ 57.483462] TX urb mismatch +[ 57.483481] WARNING: CPU: 1 PID: 32 at drivers/net/wireless/mediatek/mt7601u/dma.c:245 mt7601u_complete_tx+0x165/00 +[ 57.483483] Modules linked in: +[ 57.483496] CPU: 1 PID: 32 Comm: kworker/1:1 Not tainted 5.2.0-rc1+ #72 +[ 57.483498] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-2.fc30 04/01/2014 +[ 57.483502] Workqueue: usb_hub_wq hub_event +[ 57.483507] RIP: 0010:mt7601u_complete_tx+0x165/0x1e0 +[ 57.483510] Code: 8b b5 10 04 00 00 8b 8d 14 04 00 00 eb 8b 80 3d b1 cb e1 00 00 75 9e 48 c7 c7 a4 ea 05 82 c6 05 f +[ 57.483513] RSP: 0000:ffffc900000a0d28 EFLAGS: 00010092 +[ 57.483516] RAX: 000000000000000f RBX: ffff88802c0a62c0 RCX: ffffc900000a0c2c +[ 57.483518] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff810a8371 +[ 57.483520] RBP: ffff88803ced6858 R08: 0000000000000000 R09: 0000000000000001 +[ 57.483540] R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000046 +[ 57.483542] R13: ffff88802c0a6c88 R14: ffff88803baab540 R15: ffff88803a0cc078 +[ 57.483548] FS: 0000000000000000(0000) GS:ffff88803eb00000(0000) knlGS:0000000000000000 +[ 57.483550] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 57.483552] CR2: 000055e7f6780100 CR3: 0000000028c86000 CR4: 00000000000006a0 +[ 57.483554] DR0: 0000000000000000 
DR1: 0000000000000000 DR2: 0000000000000000 +[ 57.483556] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 57.483559] Call Trace: +[ 57.483561] +[ 57.483565] __usb_hcd_giveback_urb+0x77/0xe0 +[ 57.483570] xhci_giveback_urb_in_irq.isra.0+0x8b/0x140 +[ 57.483574] handle_cmd_completion+0xf5b/0x12c0 +[ 57.483577] xhci_irq+0x1f6/0x1810 +[ 57.483581] ? lockdep_hardirqs_on+0x9e/0x180 +[ 57.483584] ? _raw_spin_unlock_irq+0x24/0x30 +[ 57.483588] __handle_irq_event_percpu+0x3a/0x260 +[ 57.483592] handle_irq_event_percpu+0x1c/0x60 +[ 57.483595] handle_irq_event+0x2f/0x4c +[ 57.483599] handle_edge_irq+0x7e/0x1a0 +[ 57.483603] handle_irq+0x17/0x20 +[ 57.483607] do_IRQ+0x54/0x110 +[ 57.483610] common_interrupt+0xf/0xf +[ 57.483612] + +Acked-by: Jakub Kicinski +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt7601u/dma.c | 21 ++++++++++++++++----- + drivers/net/wireless/mediatek/mt7601u/tx.c | 4 ++-- + 2 files changed, 18 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt7601u/dma.c b/drivers/net/wireless/mediatek/mt7601u/dma.c +index 838ad9a4be51..56cad16e70ca 100644 +--- a/drivers/net/wireless/mediatek/mt7601u/dma.c ++++ b/drivers/net/wireless/mediatek/mt7601u/dma.c +@@ -241,14 +241,25 @@ static void mt7601u_complete_tx(struct urb *urb) + struct sk_buff *skb; + unsigned long flags; + +- spin_lock_irqsave(&dev->tx_lock, flags); ++ switch (urb->status) { ++ case -ECONNRESET: ++ case -ESHUTDOWN: ++ case -ENOENT: ++ return; ++ default: ++ dev_err_ratelimited(dev->dev, "tx urb failed: %d\n", ++ urb->status); ++ /* fall through */ ++ case 0: ++ break; ++ } + +- if (mt7601u_urb_has_error(urb)) +- dev_err(dev->dev, "Error: TX urb failed:%d\n", urb->status); ++ spin_lock_irqsave(&dev->tx_lock, flags); + if (WARN_ONCE(q->e[q->start].urb != urb, "TX urb mismatch")) + goto out; + + skb = q->e[q->start].skb; ++ q->e[q->start].skb = NULL; + trace_mt_tx_dma_done(dev, 
skb); + + __skb_queue_tail(&dev->tx_skb_done, skb); +@@ -448,10 +459,10 @@ static void mt7601u_free_tx_queue(struct mt7601u_tx_queue *q) + { + int i; + +- WARN_ON(q->used); +- + for (i = 0; i < q->entries; i++) { + usb_poison_urb(q->e[i].urb); ++ if (q->e[i].skb) ++ mt7601u_tx_status(q->dev, q->e[i].skb); + usb_free_urb(q->e[i].urb); + } + } +diff --git a/drivers/net/wireless/mediatek/mt7601u/tx.c b/drivers/net/wireless/mediatek/mt7601u/tx.c +index ad77bec1ba0f..2cb1883c0d33 100644 +--- a/drivers/net/wireless/mediatek/mt7601u/tx.c ++++ b/drivers/net/wireless/mediatek/mt7601u/tx.c +@@ -117,9 +117,9 @@ void mt7601u_tx_status(struct mt7601u_dev *dev, struct sk_buff *skb) + info->status.rates[0].idx = -1; + info->flags |= IEEE80211_TX_STAT_ACK; + +- spin_lock(&dev->mac_lock); ++ spin_lock_bh(&dev->mac_lock); + ieee80211_tx_status(dev->hw, skb); +- spin_unlock(&dev->mac_lock); ++ spin_unlock_bh(&dev->mac_lock); + } + + static int mt7601u_skb_rooms(struct mt7601u_dev *dev, struct sk_buff *skb) +-- +2.20.1 + diff --git a/queue-4.9/net-axienet-fix-race-condition-causing-tx-hang.patch b/queue-4.9/net-axienet-fix-race-condition-causing-tx-hang.patch new file mode 100644 index 00000000000..e6626bea244 --- /dev/null +++ b/queue-4.9/net-axienet-fix-race-condition-causing-tx-hang.patch 
@@ -0,0 +1,64 @@ +From e32c5e1e833e8d6636f1de62545013b555bfafe7 Mon Sep 17 00:00:00 2001 +From: Robert Hancock +Date: Thu, 6 Jun 2019 16:28:17 -0600 +Subject: net: axienet: Fix race condition causing TX hang + +[ Upstream commit 7de44285c1f69ccfbe8be1d6a16fcd956681fee6 ] + +It is possible that the interrupt handler fires and frees up space in +the TX ring in between checking for sufficient TX ring space and +stopping the TX queue in axienet_start_xmit. If this happens, the +queue wake from the interrupt handler will occur before the queue is +stopped, causing a lost wakeup and the adapter's transmit hanging. + +To avoid this, after stopping the queue, check again whether there is +sufficient space in the TX ring. If so, wake up the queue again. + +Signed-off-by: Robert Hancock +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/xilinx/xilinx_axienet_main.c | 20 ++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index a8afc92cbfca..5f21ddff9e0f 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -612,6 +612,10 @@ static void axienet_start_xmit_done(struct net_device *ndev) + + ndev->stats.tx_packets += packets; + ndev->stats.tx_bytes += size; ++ ++ /* Matches barrier in axienet_start_xmit */ ++ smp_mb(); ++ + netif_wake_queue(ndev); + } + +@@ -666,9 +670,19 @@ static int axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev) + cur_p = &lp->tx_bd_v[lp->tx_bd_tail]; + + if (axienet_check_tx_bd_space(lp, num_frag)) { +- if (!netif_queue_stopped(ndev)) +- netif_stop_queue(ndev); +- return NETDEV_TX_BUSY; ++ if (netif_queue_stopped(ndev)) ++ return NETDEV_TX_BUSY; ++ ++ netif_stop_queue(ndev); ++ ++ /* Matches barrier in axienet_start_xmit_done */ ++ smp_mb(); ++ ++ /* Space might have just been freed - check again */ ++ 
if (axienet_check_tx_bd_space(lp, num_frag)) ++ return NETDEV_TX_BUSY; ++ ++ netif_wake_queue(ndev); + } + + if (skb->ip_summed == CHECKSUM_PARTIAL) { +-- +2.20.1 + diff --git a/queue-4.9/net-fec-do-not-use-netdev-messages-too-early.patch b/queue-4.9/net-fec-do-not-use-netdev-messages-too-early.patch new file mode 100644 index 00000000000..464049c36f6 --- /dev/null +++ b/queue-4.9/net-fec-do-not-use-netdev-messages-too-early.patch 
@@ -0,0 +1,50 @@
+From ea832507b790593fe24141548245dbaec49c4f2e Mon Sep 17 00:00:00 2001
+From: Fabio Estevam
+Date: Thu, 6 Jun 2019 09:40:33 -0300
+Subject: net: fec: Do not use netdev messages too early
+
+[ Upstream commit a19a0582363b9a5f8ba812f34f1b8df394898780 ]
+
+When a valid MAC address is not found the current messages
+are shown:
+
+fec 2188000.ethernet (unnamed net_device) (uninitialized): Invalid MAC address: 00:00:00:00:00:00
+fec 2188000.ethernet (unnamed net_device) (uninitialized): Using random MAC address: aa:9f:25:eb:7e:aa
+
+Since the network device has not been registered at this point, it is better
+to use dev_err()/dev_info() instead, which will provide cleaner log
+messages like these:
+
+fec 2188000.ethernet: Invalid MAC address: 00:00:00:00:00:00
+fec 2188000.ethernet: Using random MAC address: aa:9f:25:eb:7e:aa
+
+Tested on a imx6dl-pico-pi board.
+
+Signed-off-by: Fabio Estevam
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/freescale/fec_main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index 1eb34109b207..92ea760c4822 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -1685,10 +1685,10 @@ static void fec_get_mac(struct net_device *ndev)
+ */
+ if (!is_valid_ether_addr(iap)) {
+ /* Report it and use a random ethernet address instead */
+- netdev_err(ndev, "Invalid MAC address: %pM\n", iap);
++ dev_err(&fep->pdev->dev, "Invalid MAC address: %pM\n", iap);
+ eth_hw_addr_random(ndev);
+- netdev_info(ndev, "Using random MAC address: %pM\n",
+- ndev->dev_addr);
++ dev_info(&fep->pdev->dev, "Using random MAC address: %pM\n",
++ ndev->dev_addr);
+ return;
+ }
+
+--
+2.20.1
+
diff --git a/queue-4.9/net-phy-check-against-net_device-being-null.patch b/queue-4.9/net-phy-check-against-net_device-being-null.patch
new file mode 100644
index 00000000000..77225aee6bd
--- /dev/null
+++ b/queue-4.9/net-phy-check-against-net_device-being-null.patch
@@ -0,0 +1,48 @@
+From 6523c93351cd8c6e00bf4b4f2ae96b83d6d41f04 Mon Sep 17 00:00:00 2001
+From: Ioana Ciornei
+Date: Tue, 28 May 2019 20:38:09 +0300
+Subject: net: phy: Check against net_device being NULL
+
+[ Upstream commit 82c76aca81187b3d28a6fb3062f6916450ce955e ]
+
+In general, we don't want MAC drivers calling phy_attach_direct with the
+net_device being NULL. Add checks against this in all the functions
+calling it: phy_attach() and phy_connect_direct().
+
+Signed-off-by: Ioana Ciornei
+Suggested-by: Andrew Lunn
+Reviewed-by: Andrew Lunn
+Reviewed-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/phy/phy_device.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index 5048a6df6a8e..5c2c72b1ef8b 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -673,6 +673,9 @@ int phy_connect_direct(struct net_device *dev, struct phy_device *phydev,
+ {
+ int rc;
+
++ if (!dev)
++ return -EINVAL;
++
+ rc = phy_attach_direct(dev, phydev, phydev->dev_flags, interface);
+ if (rc)
+ return rc;
+@@ -965,6 +968,9 @@ struct phy_device *phy_attach(struct net_device *dev, const char *bus_id,
+ struct device *d;
+ int rc;
+
++ if (!dev)
++ return ERR_PTR(-EINVAL);
++
+ /* Search the list of PHY devices on the mdio bus for the
+ * PHY with the requested name
+ */
+--
+2.20.1
+
diff --git a/queue-4.9/net-stmmac-dwmac1000-clear-unused-address-entries.patch b/queue-4.9/net-stmmac-dwmac1000-clear-unused-address-entries.patch
new file mode 100644
index 00000000000..c3592280104
--- /dev/null
+++ b/queue-4.9/net-stmmac-dwmac1000-clear-unused-address-entries.patch
@@ -0,0 +1,43 @@
+From de2cd0f8552261cce910d10cc41177bed19d25e3 Mon Sep 17 00:00:00 2001
+From: Jose Abreu
+Date: Fri, 24 May 2019 10:20:21 +0200
+Subject: net: stmmac: dwmac1000: Clear unused address entries
+
+[ Upstream commit 9463c445590091202659cdfdd44b236acadfbd84 ]
+
+In case we don't use a given address entry we need to clear it because
+it could contain previous values that are no longer valid.
+
+Found out while running stmmac selftests.
+
+Signed-off-by: Jose Abreu
+Cc: Joao Pinto
+Cc: David S. Miller
+Cc: Giuseppe Cavallaro
+Cc: Alexandre Torgue
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
+index 7d19029e2564..093e58e94075 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
+@@ -213,6 +213,12 @@ static void dwmac1000_set_filter(struct mac_device_info *hw,
+ GMAC_ADDR_LOW(reg));
+ reg++;
+ }
++
++ while (reg <= perfect_addr_number) {
++ writel(0, ioaddr + GMAC_ADDR_HIGH(reg));
++ writel(0, ioaddr + GMAC_ADDR_LOW(reg));
++ reg++;
++ }
+ }
+
+ #ifdef FRAME_FILTER_DEBUG
+--
+2.20.1
+
diff --git a/queue-4.9/net-stmmac-dwmac4-5-clear-unused-address-entries.patch b/queue-4.9/net-stmmac-dwmac4-5-clear-unused-address-entries.patch
new file mode 100644
index 00000000000..af23f9265b7
--- /dev/null
+++ b/queue-4.9/net-stmmac-dwmac4-5-clear-unused-address-entries.patch
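Review bot: The clearing loop `while (reg <= perfect_addr_number)` has an inclusive upper bound, so it also writes the HIGH/LOW pair for index `perfect_addr_number` itself; that is only safe if the core implements that many entries on top of entry 0, and the definition of `perfect_addr_number` lies outside the hunk. The dwmac4 patch queued next has the same loop with the compile-time constant `GMAC_MAX_PERFECT_ADDRESSES`, where the bound does not follow what a given core actually implements, so the last writes may land outside the address-filter bank. Both bounds are worth checking against the register map of the 4.9 tree; if the top index is not a filter register, `reg < ...` or the per-device entry count would be the safer limit. dwmac1000_set_filter() continues outside the hunk.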
@@ -0,0 +1,53 @@
+From cba98fbcb6f0ae764b5e99ac842c595acb3edf8f Mon Sep 17 00:00:00 2001
+From: Jose Abreu
+Date: Fri, 24 May 2019 10:20:25 +0200
+Subject: net: stmmac: dwmac4/5: Clear unused address entries
+
+[ Upstream commit 0620ec6c62a5a07625b65f699adc5d1b90394ee6 ]
+
+In case we don't use a given address entry we need to clear it because
+it could contain previous values that are no longer valid.
+
+Found out while running stmmac selftests.
+
+Signed-off-by: Jose Abreu
+Cc: Joao Pinto
+Cc: David S. Miller
+Cc: Giuseppe Cavallaro
+Cc: Alexandre Torgue
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+index 51019b794be5..f46f2bfc2cc0 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+@@ -173,14 +173,20 @@ static void dwmac4_set_filter(struct mac_device_info *hw,
+ * are required
+ */
+ value |= GMAC_PACKET_FILTER_PR;
+- } else if (!netdev_uc_empty(dev)) {
+- int reg = 1;
++ } else {
+ struct netdev_hw_addr *ha;
++ int reg = 1;
+
+ netdev_for_each_uc_addr(ha, dev) {
+ dwmac4_set_umac_addr(hw, ha->addr, reg);
+ reg++;
+ }
++
++ while (reg <= GMAC_MAX_PERFECT_ADDRESSES) {
++ writel(0, ioaddr + GMAC_ADDR_HIGH(reg));
++ writel(0, ioaddr + GMAC_ADDR_LOW(reg));
++ reg++;
++ }
+ }
+
+ writel(value, ioaddr + GMAC_PACKET_FILTER);
+--
+2.20.1
+
diff --git a/queue-4.9/net-usb-asix-init-mac-address-buffers.patch b/queue-4.9/net-usb-asix-init-mac-address-buffers.patch
new file mode 100644
index 00000000000..f36a722594e
--- /dev/null
+++ b/queue-4.9/net-usb-asix-init-mac-address-buffers.patch
@@ -0,0 +1,121 @@ +From 3c7e7c6abc33f8f374fff8462c81b77f776d7e5c Mon Sep 17 00:00:00 2001 +From: Phong Tran +Date: Tue, 2 Jul 2019 07:10:08 +0700 +Subject: net: usb: asix: init MAC address buffers + +[ Upstream commit 78226f6eaac80bf30256a33a4926c194ceefdf36 ] + +This is for fixing bug KMSAN: uninit-value in ax88772_bind + +Tested by +https://groups.google.com/d/msg/syzkaller-bugs/aFQurGotng4/eB_HlNhhCwAJ + +Reported-by: syzbot+8a3fc6674bbc3978ed4e@syzkaller.appspotmail.com + +syzbot found the following crash on: + +HEAD commit: f75e4cfe kmsan: use kmsan_handle_urb() in urb.c +git tree: kmsan +console output: https://syzkaller.appspot.com/x/log.txt?x=136d720ea00000 +kernel config: +https://syzkaller.appspot.com/x/.config?x=602468164ccdc30a +dashboard link: +https://syzkaller.appspot.com/bug?extid=8a3fc6674bbc3978ed4e +compiler: clang version 9.0.0 (/home/glider/llvm/clang +06d00afa61eef8f7f501ebdb4e8612ea43ec2d78) +syz repro: +https://syzkaller.appspot.com/x/repro.syz?x=12788316a00000 +C reproducer: https://syzkaller.appspot.com/x/repro.c?x=120359aaa00000 + +================================================================== +BUG: KMSAN: uninit-value in is_valid_ether_addr +include/linux/etherdevice.h:200 [inline] +BUG: KMSAN: uninit-value in asix_set_netdev_dev_addr +drivers/net/usb/asix_devices.c:73 [inline] +BUG: KMSAN: uninit-value in ax88772_bind+0x93d/0x11e0 +drivers/net/usb/asix_devices.c:724 +CPU: 0 PID: 3348 Comm: kworker/0:2 Not tainted 5.1.0+ #1 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +Workqueue: usb_hub_wq hub_event +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x191/0x1f0 lib/dump_stack.c:113 + kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622 + __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310 + is_valid_ether_addr include/linux/etherdevice.h:200 [inline] + asix_set_netdev_dev_addr drivers/net/usb/asix_devices.c:73 [inline] + ax88772_bind+0x93d/0x11e0 
drivers/net/usb/asix_devices.c:724 + usbnet_probe+0x10f5/0x3940 drivers/net/usb/usbnet.c:1728 + usb_probe_interface+0xd66/0x1320 drivers/usb/core/driver.c:361 + really_probe+0xdae/0x1d80 drivers/base/dd.c:513 + driver_probe_device+0x1b3/0x4f0 drivers/base/dd.c:671 + __device_attach_driver+0x5b8/0x790 drivers/base/dd.c:778 + bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:454 + __device_attach+0x454/0x730 drivers/base/dd.c:844 + device_initial_probe+0x4a/0x60 drivers/base/dd.c:891 + bus_probe_device+0x137/0x390 drivers/base/bus.c:514 + device_add+0x288d/0x30e0 drivers/base/core.c:2106 + usb_set_configuration+0x30dc/0x3750 drivers/usb/core/message.c:2027 + generic_probe+0xe7/0x280 drivers/usb/core/generic.c:210 + usb_probe_device+0x14c/0x200 drivers/usb/core/driver.c:266 + really_probe+0xdae/0x1d80 drivers/base/dd.c:513 + driver_probe_device+0x1b3/0x4f0 drivers/base/dd.c:671 + __device_attach_driver+0x5b8/0x790 drivers/base/dd.c:778 + bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:454 + __device_attach+0x454/0x730 drivers/base/dd.c:844 + device_initial_probe+0x4a/0x60 drivers/base/dd.c:891 + bus_probe_device+0x137/0x390 drivers/base/bus.c:514 + device_add+0x288d/0x30e0 drivers/base/core.c:2106 + usb_new_device+0x23e5/0x2ff0 drivers/usb/core/hub.c:2534 + hub_port_connect drivers/usb/core/hub.c:5089 [inline] + hub_port_connect_change drivers/usb/core/hub.c:5204 [inline] + port_event drivers/usb/core/hub.c:5350 [inline] + hub_event+0x48d1/0x7290 drivers/usb/core/hub.c:5432 + process_one_work+0x1572/0x1f00 kernel/workqueue.c:2269 + process_scheduled_works kernel/workqueue.c:2331 [inline] + worker_thread+0x189c/0x2460 kernel/workqueue.c:2417 + kthread+0x4b5/0x4f0 kernel/kthread.c:254 + ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355 + +Signed-off-by: Phong Tran +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/asix_devices.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c +index 393fd3ed6b94..4b12b6da3fab 100644 +--- a/drivers/net/usb/asix_devices.c ++++ b/drivers/net/usb/asix_devices.c +@@ -237,7 +237,7 @@ static void asix_phy_reset(struct usbnet *dev, unsigned int reset_bits) + static int ax88172_bind(struct usbnet *dev, struct usb_interface *intf) + { + int ret = 0; +- u8 buf[ETH_ALEN]; ++ u8 buf[ETH_ALEN] = {0}; + int i; + unsigned long gpio_bits = dev->driver_info->data; + +@@ -687,7 +687,7 @@ static int asix_resume(struct usb_interface *intf) + static int ax88772_bind(struct usbnet *dev, struct usb_interface *intf) + { + int ret, i; +- u8 buf[ETH_ALEN], chipcode = 0; ++ u8 buf[ETH_ALEN] = {0}, chipcode = 0; + u32 phyid; + struct asix_common_private *priv; + +@@ -1064,7 +1064,7 @@ static const struct net_device_ops ax88178_netdev_ops = { + static int ax88178_bind(struct usbnet *dev, struct usb_interface *intf) + { + int ret; +- u8 buf[ETH_ALEN]; ++ u8 buf[ETH_ALEN] = {0}; + + usbnet_get_endpoints(dev,intf); + +-- +2.20.1 + diff --git a/queue-4.9/ntp-limit-tai-utc-offset.patch b/queue-4.9/ntp-limit-tai-utc-offset.patch new file mode 100644 index 00000000000..74eb5b8dd5e --- /dev/null +++ b/queue-4.9/ntp-limit-tai-utc-offset.patch 
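Review bot: Zero-initialising `buf` in ax88172_bind(), ax88772_bind() and ax88178_bind() silences the KMSAN report but leaves its cause in place: the MAC address comes from the USB device, and a failed or short read now produces an all-zero buffer instead of an error. The read call is outside these hunks, so this is inferred from the trace (`asix_set_netdev_dev_addr` reaching `is_valid_ether_addr`). If its return value is not compared with `ETH_ALEN`, the bind should stop there, for example `if (ret < ETH_ALEN) return ret < 0 ? ret : -EIO;`. That keeps incomplete device-supplied data from being treated as a full address.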
@@ -0,0 +1,55 @@
+From 915f0b7a80b70622f29183dc087ad53137cf388e Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar
+Date: Tue, 18 Jun 2019 17:47:13 +0200
+Subject: ntp: Limit TAI-UTC offset
+
+[ Upstream commit d897a4ab11dc8a9fda50d2eccc081a96a6385998 ]
+
+Don't allow the TAI-UTC offset of the system clock to be set by adjtimex()
+to a value larger than 100000 seconds.
+
+This prevents an overflow in the conversion to int, prevents the CLOCK_TAI
+clock from getting too far ahead of the CLOCK_REALTIME clock, and it is
+still large enough to allow leap seconds to be inserted at the maximum rate
+currently supported by the kernel (once per day) for the next ~270 years,
+however unlikely it is that someone can survive a catastrophic event which
+slowed down the rotation of the Earth so much.
+
+Reported-by: Weikang shi
+Signed-off-by: Miroslav Lichvar
+Signed-off-by: Thomas Gleixner
+Cc: John Stultz
+Cc: Prarit Bhargava
+Cc: Richard Cochran
+Cc: Stephen Boyd
+Link: https://lkml.kernel.org/r/20190618154713.20929-1-mlichvar@redhat.com
+Signed-off-by: Sasha Levin
+---
+ kernel/time/ntp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
+index 0a16419006f3..4bdb59604526 100644
+--- a/kernel/time/ntp.c
++++ b/kernel/time/ntp.c
+@@ -42,6 +42,7 @@ static u64 tick_length_base;
+ #define MAX_TICKADJ 500LL /* usecs */
+ #define MAX_TICKADJ_SCALED \
+ (((MAX_TICKADJ * NSEC_PER_USEC) << NTP_SCALE_SHIFT) / NTP_INTERVAL_FREQ)
++#define MAX_TAI_OFFSET 100000
+
+ /*
+ * phase-lock loop variables
+@@ -639,7 +640,8 @@ static inline void process_adjtimex_modes(struct timex *txc,
+ time_constant = max(time_constant, 0l);
+ }
+
+- if (txc->modes & ADJ_TAI && txc->constant >= 0)
++ if (txc->modes & ADJ_TAI &&
++ txc->constant >= 0 && txc->constant <= MAX_TAI_OFFSET)
+ *time_tai = txc->constant;
+
+ if (txc->modes & ADJ_OFFSET)
+--
+2.20.1
+
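Review bot: The new bound in `process_adjtimex_modes()` handles an out-of-range `txc->constant` by silently skipping the assignment, so as far as this hunk shows, a caller that sets ADJ_TAI with a value above MAX_TAI_OFFSET gets no error and `*time_tai` simply keeps its old value. If that is the intended contract it deserves a comment at the check, e.g. `/* out-of-range TAI offsets are ignored, not rejected */`; whether an earlier validation step returns an error is not visible here, because the function continues outside the hunk. The new constant also lacks the unit annotation its neighbour carries; `#define MAX_TAI_OFFSET 100000 /* seconds */` would match `MAX_TICKADJ 500LL /* usecs */`.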
diff --git a/queue-4.9/perf-cs-etm-properly-set-the-value-of-old-and-head-i.patch b/queue-4.9/perf-cs-etm-properly-set-the-value-of-old-and-head-i.patch
new file mode 100644
index 00000000000..79b564d34b8
--- /dev/null
+++ b/queue-4.9/perf-cs-etm-properly-set-the-value-of-old-and-head-i.patch
@@ -0,0 +1,206 @@
+From 22d045cac6bfd3654556fc979d271c862847a3b3 Mon Sep 17 00:00:00 2001
+From: Mathieu Poirier
+Date: Wed, 5 Jun 2019 10:16:33 -0600
+Subject: perf cs-etm: Properly set the value of 'old' and 'head' in snapshot
+ mode
+
+[ Upstream commit e45c48a9a4d20ebc7b639a62c3ef8f4b08007027 ]
+
+This patch adds the necessary intelligence to properly compute the value
+of 'old' and 'head' when operating in snapshot mode. That way we can
+get the latest information in the AUX buffer and be compatible with the
+generic AUX ring buffer mechanic.
+
+Tester notes:
+
+> Leo, have you had the chance to test/review this one? Suzuki?
+
+Sure. I applied this patch on the perf/core branch (with latest
+commit 3e4fbf36c1e3 'perf augmented_raw_syscalls: Move reading
+filename to the loop') and passed testing with below steps:
+
+ # perf record -e cs_etm/@tmc_etr0/ -S -m,64 --per-thread ./sort &
+ [1] 19097
+ Bubble sorting array of 30000 elements
+
+ # kill -USR2 19097
+ # kill -USR2 19097
+ # kill -USR2 19097
+ [ perf record: Woken up 4 times to write data ]
+ [ perf record: Captured and wrote 0.753 MB perf.data ]
+
+Signed-off-by: Mathieu Poirier
+Tested-by: Leo Yan
+Cc: Alexander Shishkin
+Cc: Jiri Olsa
+Cc: Peter Zijlstra
+Cc: Suzuki Poulouse
+Cc: linux-arm-kernel@lists.infradead.org
+Link: http://lkml.kernel.org/r/20190605161633.12245-1-mathieu.poirier@linaro.org
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/arch/arm/util/cs-etm.c | 127 +++++++++++++++++++++++++++++-
+ 1 file changed, 123 insertions(+), 4 deletions(-)
+
+diff --git a/tools/perf/arch/arm/util/cs-etm.c b/tools/perf/arch/arm/util/cs-etm.c
+index 47d584da5819..f6cff278aa5d 100644
+--- a/tools/perf/arch/arm/util/cs-etm.c
++++ b/tools/perf/arch/arm/util/cs-etm.c
+@@ -41,6 +41,8 @@ struct cs_etm_recording {
+ struct auxtrace_record itr;
+ struct perf_pmu *cs_etm_pmu;
+ struct perf_evlist *evlist;
++ int wrapped_cnt;
++ bool *wrapped;
+ bool snapshot_mode;
+ size_t
snapshot_size;
+ };
+@@ -458,16 +460,131 @@ static int cs_etm_info_fill(struct auxtrace_record *itr,
+ return 0;
+ }
+
+-static int cs_etm_find_snapshot(struct auxtrace_record *itr __maybe_unused,
++static int cs_etm_alloc_wrapped_array(struct cs_etm_recording *ptr, int idx)
++{
++ bool *wrapped;
++ int cnt = ptr->wrapped_cnt;
++
++ /* Make @ptr->wrapped as big as @idx */
++ while (cnt <= idx)
++ cnt++;
++
++ /*
++ * Free'ed in cs_etm_recording_free(). Using realloc() to avoid
++ * cross compilation problems where the host's system supports
++ * reallocarray() but not the target.
++ */
++ wrapped = realloc(ptr->wrapped, cnt * sizeof(bool));
++ if (!wrapped)
++ return -ENOMEM;
++
++ wrapped[cnt - 1] = false;
++ ptr->wrapped_cnt = cnt;
++ ptr->wrapped = wrapped;
++
++ return 0;
++}
++
++static bool cs_etm_buffer_has_wrapped(unsigned char *buffer,
++ size_t buffer_size, u64 head)
++{
++ u64 i, watermark;
++ u64 *buf = (u64 *)buffer;
++ size_t buf_size = buffer_size;
++
++ /*
++ * We want to look the very last 512 byte (chosen arbitrarily) in
++ * the ring buffer.
++ */
++ watermark = buf_size - 512;
++
++ /*
++ * @head is continuously increasing - if its value is equal or greater
++ * than the size of the ring buffer, it has wrapped around.
++ */
++ if (head >= buffer_size)
++ return true;
++
++ /*
++ * The value of @head is somewhere within the size of the ring buffer.
++ * This can be that there hasn't been enough data to fill the ring
++ * buffer yet or the trace time was so long that @head has numerically
++ * wrapped around. To find we need to check if we have data at the very
++ * end of the ring buffer. We can reliably do this because mmap'ed
++ * pages are zeroed out and there is a fresh mapping with every new
++ * session.
++ */
++
++ /* @head is less than 512 byte from the end of the ring buffer */
++ if (head > watermark)
++ watermark = head;
++
++ /*
++ * Speed things up by using 64 bit transactions (see "u64 *buf" above)
++ */
++ watermark >>= 3;
++ buf_size >>= 3;
++
++ /*
++ * If we find trace data at the end of the ring buffer, @head has
++ * been there and has numerically wrapped around at least once.
++ */
++ for (i = watermark; i < buf_size; i++)
++ if (buf[i])
++ return true;
++
++ return false;
++}
++
++static int cs_etm_find_snapshot(struct auxtrace_record *itr,
+ int idx, struct auxtrace_mmap *mm,
+- unsigned char *data __maybe_unused,
++ unsigned char *data,
+ u64 *head, u64 *old)
+ {
++ int err;
++ bool wrapped;
++ struct cs_etm_recording *ptr =
++ container_of(itr, struct cs_etm_recording, itr);
++
++ /*
++ * Allocate memory to keep track of wrapping if this is the first
++ * time we deal with this *mm.
++ */
++ if (idx >= ptr->wrapped_cnt) {
++ err = cs_etm_alloc_wrapped_array(ptr, idx);
++ if (err)
++ return err;
++ }
++
++ /*
++ * Check to see if *head has wrapped around. If it hasn't only the
++ * amount of data between *head and *old is snapshot'ed to avoid
++ * bloating the perf.data file with zeros. But as soon as *head has
++ * wrapped around the entire size of the AUX ring buffer it taken.
++ */
++ wrapped = ptr->wrapped[idx];
++ if (!wrapped && cs_etm_buffer_has_wrapped(data, mm->len, *head)) {
++ wrapped = true;
++ ptr->wrapped[idx] = true;
++ }
++
+ pr_debug3("%s: mmap index %d old head %zu new head %zu size %zu\n",
+ __func__, idx, (size_t)*old, (size_t)*head, mm->len);
+
+- *old = *head;
+- *head += mm->len;
++ /* No wrap has occurred, we can just use *head and *old. */
++ if (!wrapped)
++ return 0;
++
++ /*
++ * *head has wrapped around - adjust *head and *old to pickup the
++ * entire content of the AUX buffer.
++ */
++ if (*head >= mm->len) {
++ *old = *head - mm->len;
++ } else {
++ *head += mm->len;
++ *old = *head - mm->len;
++ }
+
+ return 0;
+ }
+@@ -508,6 +625,8 @@ static void cs_etm_recording_free(struct auxtrace_record *itr)
+ {
+ struct cs_etm_recording *ptr =
+ container_of(itr, struct cs_etm_recording, itr);
++
++ zfree(&ptr->wrapped);
+ free(ptr);
+ }
+
+--
+2.20.1
+
diff --git a/queue-4.9/perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch b/queue-4.9/perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch
new file mode 100644
index 00000000000..14db911d262
--- /dev/null
+++ b/queue-4.9/perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch
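Review bot: `cs_etm_alloc_wrapped_array()` grows the array to `idx + 1` entries but initialises only `wrapped[cnt - 1]`, so when `idx` is more than one past the old `wrapped_cnt` the entries in between hold whatever realloc() returned. `cs_etm_find_snapshot()` then reads `ptr->wrapped[idx]` for any `idx < wrapped_cnt` without going back through the allocator, which would consume those uninitialised flags and could wrongly take the wrapped path. Clearing the whole new tail closes this: replace the single store with `for (i = ptr->wrapped_cnt; i < cnt; i++) wrapped[i] = false;` (plus an `int i;` declaration). Whether callers always present indexes in strictly increasing order is not visible in this patch. Separately, `watermark = buf_size - 512` in `cs_etm_buffer_has_wrapped()` assumes a buffer of at least 512 bytes, and a comment stating that precondition would help.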
@@ -0,0 +1,54 @@
+From cea895233682111c3a4ef8e8e55ab567d7a32f13 Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo
+Date: Mon, 17 Jun 2019 14:32:53 -0300
+Subject: perf evsel: Make perf_evsel__name() accept a NULL argument
+
+[ Upstream commit fdbdd7e8580eac9bdafa532746c865644d125e34 ]
+
+In which case it simply returns "unknown", like when it can't figure out
+the evsel->name value.
+
+This makes this code more robust and fixes a problem in 'perf trace'
+where a NULL evsel was being passed to a routine that only used the
+evsel for printing its name when a invalid syscall id was passed.
+
+Reported-by: Leo Yan
+Cc: Adrian Hunter
+Cc: Jiri Olsa
+Cc: Namhyung Kim
+Link: https://lkml.kernel.org/n/tip-f30ztaasku3z935cn3ak3h53@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/evsel.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
+index a62f79558146..758d0108c5a5 100644
+--- a/tools/perf/util/evsel.c
++++ b/tools/perf/util/evsel.c
+@@ -558,6 +558,9 @@ const char *perf_evsel__name(struct perf_evsel *evsel)
+ {
+ char bf[128];
+
++ if (!evsel)
++ goto out_unknown;
++
+ if (evsel->name)
+ return evsel->name;
+
+@@ -594,7 +597,10 @@ const char *perf_evsel__name(struct perf_evsel *evsel)
+
+ evsel->name = strdup(bf);
+
+- return evsel->name ?: "unknown";
++ if (evsel->name)
++ return evsel->name;
++out_unknown:
++ return "unknown";
+ }
+
+ const char *perf_evsel__group_name(struct perf_evsel *evsel)
+--
+2.20.1
+
diff --git a/queue-4.9/perf-test-6-fix-missing-kvm-module-load-for-s390.patch b/queue-4.9/perf-test-6-fix-missing-kvm-module-load-for-s390.patch
new file mode 100644
index 00000000000..1005832ed79
--- /dev/null
+++ b/queue-4.9/perf-test-6-fix-missing-kvm-module-load-for-s390.patch
@@ -0,0 +1,87 @@
+From 5108c199524e93ed31b82f2fa0aa27f59079a277 Mon Sep 17 00:00:00 2001
+From: Thomas Richter
+Date: Tue, 4 Jun 2019 07:35:04 +0200
+Subject: perf test 6: Fix missing kvm module load for s390
+
+[ Upstream commit 53fe307dfd309e425b171f6272d64296a54f4dff ]
+
+Command
+
+ # perf test -Fv 6
+
+fails with error
+
+ running test 100 'kvm-s390:kvm_s390_create_vm' failed to parse
+ event 'kvm-s390:kvm_s390_create_vm', err -1, str 'unknown tracepoint'
+ event syntax error: 'kvm-s390:kvm_s390_create_vm'
+ \___ unknown tracepoint
+
+when the kvm module is not loaded or not built in.
+
+Fix this by adding a valid function which tests if the module
+is loaded. Loaded modules (or builtin KVM support) have a
+directory named
+ /sys/kernel/debug/tracing/events/kvm-s390
+for this tracepoint.
+
+Check for existence of this directory.
+
+Signed-off-by: Thomas Richter
+Reviewed-by: Christian Borntraeger
+Cc: Heiko Carstens
+Cc: Hendrik Brueckner
+Link: http://lkml.kernel.org/r/20190604053504.43073-1-tmricht@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/tests/parse-events.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/tools/perf/tests/parse-events.c b/tools/perf/tests/parse-events.c
+index aa9276bfe3e9..9134a0c3e99d 100644
+--- a/tools/perf/tests/parse-events.c
++++ b/tools/perf/tests/parse-events.c
+@@ -12,6 +12,32 @@
+ #define PERF_TP_SAMPLE_TYPE (PERF_SAMPLE_RAW | PERF_SAMPLE_TIME | \
+ PERF_SAMPLE_CPU | PERF_SAMPLE_PERIOD)
+
++#if defined(__s390x__)
++/* Return true if kvm module is available and loaded. Test this
++ * and retun success when trace point kvm_s390_create_vm
++ * exists. Otherwise this test always fails.
++ */
++static bool kvm_s390_create_vm_valid(void)
++{
++ char *eventfile;
++ bool rc = false;
++
++ eventfile = get_events_file("kvm-s390");
++
++ if (eventfile) {
++ DIR *mydir = opendir(eventfile);
++
++ if (mydir) {
++ rc = true;
++ closedir(mydir);
++ }
++ put_events_file(eventfile);
++ }
++
++ return rc;
++}
++#endif
++
+ static int test__checkevent_tracepoint(struct perf_evlist *evlist)
+ {
+ struct perf_evsel *evsel = perf_evlist__first(evlist);
+@@ -1593,6 +1619,7 @@ static struct evlist_test test__events[] = {
+ {
+ .name = "kvm-s390:kvm_s390_create_vm",
+ .check = test__checkevent_tracepoint,
++ .valid = kvm_s390_create_vm_valid,
+ .id = 100,
+ },
+ #endif
+--
+2.20.1
+
diff --git a/queue-4.9/perf-tools-increase-max_nr_cpus-and-max_caches.patch b/queue-4.9/perf-tools-increase-max_nr_cpus-and-max_caches.patch
new file mode 100644
index 00000000000..04bc67418f5
--- /dev/null
+++ b/queue-4.9/perf-tools-increase-max_nr_cpus-and-max_caches.patch
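Review bot: `kvm_s390_create_vm_valid()` depends on `DIR`/`opendir()`/`closedir()`, on `get_events_file()`/`put_events_file()`, and on a `.valid` member of `struct evlist_test`, and this patch adds no include or declaration for any of them. Because both the function and the table entry sit under s390-only preprocessor guards, a missing header, helper or struct member in the 4.9 tree would not show up in builds for other architectures, so this backport should be build-tested on s390 or the dependencies confirmed at this base. If parse-events.c does not already pull in the directory API, it needs `#include <dirent.h>` among its includes, which are outside the hunk. The header comment also carries a typo (`retun`).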
@@ -0,0 +1,70 @@
+From 9fb7d08d8a1ecff76c56419828ddfbd53fe6694e Mon Sep 17 00:00:00 2001
+From: Kyle Meyer
+Date: Thu, 20 Jun 2019 14:36:30 -0500
+Subject: perf tools: Increase MAX_NR_CPUS and MAX_CACHES
+
+[ Upstream commit 9f94c7f947e919c343b30f080285af53d0fa9902 ]
+
+Attempting to profile 1024 or more CPUs with perf causes two errors:
+
+ perf record -a
+ [ perf record: Woken up X times to write data ]
+ way too many cpu caches..
+ [ perf record: Captured and wrote X MB perf.data (X samples) ]
+
+ perf report -C 1024
+ Error: failed to set cpu bitmap
+ Requested CPU 1024 too large. Consider raising MAX_NR_CPUS
+
+ Increasing MAX_NR_CPUS from 1024 to 2048 and redefining MAX_CACHES as
+ MAX_NR_CPUS * 4 returns normal functionality to perf:
+
+ perf record -a
+ [ perf record: Woken up X times to write data ]
+ [ perf record: Captured and wrote X MB perf.data (X samples) ]
+
+ perf report -C 1024
+ ...
+
+Signed-off-by: Kyle Meyer
+Cc: Alexander Shishkin
+Cc: Jiri Olsa
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Link: http://lkml.kernel.org/r/20190620193630.154025-1-meyerk@stormcage.eag.rdlabs.hpecorp.net
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/perf.h | 2 +-
+ tools/perf/util/header.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/perf.h b/tools/perf/perf.h
+index 8f8d895d5b74..3b9d56125ee2 100644
+--- a/tools/perf/perf.h
++++ b/tools/perf/perf.h
+@@ -23,7 +23,7 @@ static inline unsigned long long rdclock(void)
+ }
+
+ #ifndef MAX_NR_CPUS
+-#define MAX_NR_CPUS 1024
++#define MAX_NR_CPUS 2048
+ #endif
+
+ extern const char *input_name;
+diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
+index de9b369d2d2e..283148104ffb 100644
+--- a/tools/perf/util/header.c
++++ b/tools/perf/util/header.c
+@@ -1008,7 +1008,7 @@ static int build_caches(struct cpu_cache_level caches[], u32 size, u32 *cntp)
+ return 0;
+ }
+
+-#define MAX_CACHES 2000
++#define MAX_CACHES (MAX_NR_CPUS * 4)
+
+
static int write_cache(int fd, struct perf_header *h __maybe_unused,
+ struct perf_evlist *evlist __maybe_unused)
+--
+2.20.1
+
diff --git a/queue-4.9/rcu-force-inlining-of-rcu_read_lock.patch b/queue-4.9/rcu-force-inlining-of-rcu_read_lock.patch
new file mode 100644
index 00000000000..5d0e2034244
--- /dev/null
+++ b/queue-4.9/rcu-force-inlining-of-rcu_read_lock.patch
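Review bot: `MAX_CACHES` now scales with `MAX_NR_CPUS`, which perf.h lets a builder override through the `#ifndef` guard, so any array dimensioned by `MAX_CACHES` grows from 2000 to 8192 elements by default and further with a larger override. The context line after the define is `write_cache()`, whose body is outside the hunk; if it declares a local `struct cpu_cache_level` array of `MAX_CACHES` elements, that becomes a much larger stack frame and would be better heap-allocated or guarded by a build-time size check. A short comment on the define, e.g. `/* allow up to 4 cache entries per possible CPU */`, would record where the factor comes from, assuming that is the intent.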
@@ -0,0 +1,55 @@
+From a894d2b2836cea02130e3c7c4d12955101b3509f Mon Sep 17 00:00:00 2001
+From: Waiman Long
+Date: Tue, 21 May 2019 16:48:43 -0400
+Subject: rcu: Force inlining of rcu_read_lock()
+
+[ Upstream commit 6da9f775175e516fc7229ceaa9b54f8f56aa7924 ]
+
+When debugging options are turned on, the rcu_read_lock() function
+might not be inlined. This results in lockdep's print_lock() function
+printing "rcu_read_lock+0x0/0x70" instead of rcu_read_lock()'s caller.
+For example:
+
+[ 10.579995] =============================
+[ 10.584033] WARNING: suspicious RCU usage
+[ 10.588074] 4.18.0.memcg_v2+ #1 Not tainted
+[ 10.593162] -----------------------------
+[ 10.597203] include/linux/rcupdate.h:281 Illegal context switch in
+RCU read-side critical section!
+[ 10.606220]
+[ 10.606220] other info that might help us debug this:
+[ 10.606220]
+[ 10.614280]
+[ 10.614280] rcu_scheduler_active = 2, debug_locks = 1
+[ 10.620853] 3 locks held by systemd/1:
+[ 10.624632] #0: (____ptrval____) (&type->i_mutex_dir_key#5){.+.+}, at: lookup_slow+0x42/0x70
+[ 10.633232] #1: (____ptrval____) (rcu_read_lock){....}, at: rcu_read_lock+0x0/0x70
+[ 10.640954] #2: (____ptrval____) (rcu_read_lock){....}, at: rcu_read_lock+0x0/0x70
+
+These "rcu_read_lock+0x0/0x70" strings are not providing any useful
+information. This commit therefore forces inlining of the rcu_read_lock()
+function so that rcu_read_lock()'s caller is instead shown.
+
+Signed-off-by: Waiman Long
+Signed-off-by: Paul E.
McKenney
+Signed-off-by: Sasha Levin
+---
+ include/linux/rcupdate.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h
+index aa2935779e43..96037ba940ee 100644
+--- a/include/linux/rcupdate.h
++++ b/include/linux/rcupdate.h
+@@ -866,7 +866,7 @@ static inline void rcu_preempt_sleep_check(void)
+ * read-side critical sections may be preempted and they may also block, but
+ * only when acquiring spinlocks that are subject to priority inheritance.
+ */
+-static inline void rcu_read_lock(void)
++static __always_inline void rcu_read_lock(void)
+ {
+ __rcu_read_lock();
+ __acquire(RCU);
+--
+2.20.1
+
diff --git a/queue-4.9/regmap-fix-bulk-writes-on-paged-registers.patch b/queue-4.9/regmap-fix-bulk-writes-on-paged-registers.patch
new file mode 100644
index 00000000000..f7df4d96f12
--- /dev/null
+++ b/queue-4.9/regmap-fix-bulk-writes-on-paged-registers.patch
@@ -0,0 +1,42 @@
+From fe0eac36443916d353f74b833e54e72c7a74c9d0 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla
+Date: Wed, 12 Jun 2019 12:03:43 +0100
+Subject: regmap: fix bulk writes on paged registers
+
+[ Upstream commit db057679de3e9e6a03c1bcd5aee09b0d25fd9f5b ]
+
+On buses like SlimBus and SoundWire which does not support
+gather_writes yet in regmap, A bulk write on paged register
+would be silently ignored after programming page.
+This is because local variable 'ret' value in regmap_raw_write_impl()
+gets reset to 0 once page register is written successfully and the
+code below checks for 'ret' value to be -ENOTSUPP before linearising
+the write buffer to send to bus->write().
+
+Fix this by resetting the 'ret' value to -ENOTSUPP in cases where
+gather_writes() is not supported or single register write is
+not possible.
+
+Signed-off-by: Srinivas Kandagatla
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/base/regmap/regmap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
+index 69c84fddfe8a..1799a1dfa46e 100644
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -1506,6 +1506,8 @@ int _regmap_raw_write(struct regmap *map, unsigned int reg,
+ map->format.reg_bytes +
+ map->format.pad_bytes,
+ val, val_len);
++ else
++ ret = -ENOTSUPP;
+
+ /* If that didn't work fall back on linearising by hand. */
+ if (ret == -ENOTSUPP) {
+--
+2.20.1
+
diff --git a/queue-4.9/rslib-fix-decoding-of-shortened-codes.patch b/queue-4.9/rslib-fix-decoding-of-shortened-codes.patch
new file mode 100644
index 00000000000..04f9ff9b1af
--- /dev/null
+++ b/queue-4.9/rslib-fix-decoding-of-shortened-codes.patch
@@ -0,0 +1,44 @@
+From 7b1d90f01973ec924c075fd9a471d154727383fe Mon Sep 17 00:00:00 2001
+From: Ferdinand Blomqvist
+Date: Thu, 20 Jun 2019 17:10:34 +0300
+Subject: rslib: Fix decoding of shortened codes
+
+[ Upstream commit 2034a42d1747fc1e1eeef2c6f1789c4d0762cb9c ]
+
+The decoding of shortenend codes is broken. It only works as expected if
+there are no erasures.
+
+When decoding with erasures, Lambda (the error and erasure locator
+polynomial) is initialized from the given erasure positions. The pad
+parameter is not accounted for by the initialisation code, and hence
+Lambda is initialized from incorrect erasure positions.
+
+The fix is to adjust the erasure positions by the supplied pad.
+
+Signed-off-by: Ferdinand Blomqvist
+Signed-off-by: Thomas Gleixner
+Link: https://lkml.kernel.org/r/20190620141039.9874-3-ferdinand.blomqvist@gmail.com
+Signed-off-by: Sasha Levin
+---
+ lib/reed_solomon/decode_rs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/reed_solomon/decode_rs.c b/lib/reed_solomon/decode_rs.c
+index 0ec3f257ffdf..8eed0f9ac495 100644
+--- a/lib/reed_solomon/decode_rs.c
++++ b/lib/reed_solomon/decode_rs.c
+@@ -99,9 +99,9 @@
+ if (no_eras > 0) {
+ /* Init lambda to be the erasure locator polynomial */
+ lambda[1] = alpha_to[rs_modnn(rs,
+- prim * (nn - 1 - eras_pos[0]))];
++ prim * (nn - 1 - (eras_pos[0] + pad)))];
+ for (i = 1; i < no_eras; i++) {
+- u = rs_modnn(rs, prim * (nn - 1 - eras_pos[i]));
++ u = rs_modnn(rs, prim * (nn - 1 - (eras_pos[i] + pad)));
+ for (j = i + 1; j > 0; j--) {
+ tmp = index_of[lambda[j - 1]];
+ if (tmp != nn) {
+--
+2.20.1
+
diff --git a/queue-4.9/rslib-fix-handling-of-of-caller-provided-syndrome.patch b/queue-4.9/rslib-fix-handling-of-of-caller-provided-syndrome.patch
new file mode 100644
index 00000000000..891b051f125
--- /dev/null
+++ b/queue-4.9/rslib-fix-handling-of-of-caller-provided-syndrome.patch
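Review bot: Nothing in this hunk bounds `eras_pos[i]` now that it is shifted by `pad`, so a caller-supplied position of `nn - pad` or more makes `nn - 1 - (eras_pos[i] + pad)` negative before it is scaled by `prim` and handed to `rs_modnn()`; if that helper does not normalise negative arguments, the result is then used to index `alpha_to[]`. The implicit precondition was `eras_pos[i] < nn` before the change and is `eras_pos[i] < nn - pad` after it, and that tighter contract is not stated anywhere visible. A range check ahead of the `if (no_eras > 0)` block that rejects `eras_pos[i] < 0 || eras_pos[i] >= nn - pad`, or at minimum a comment documenting the range, would keep a malformed erasure list from becoming an out-of-range table lookup. The enclosing code starts and ends outside the hunk, so an existing check elsewhere cannot be ruled out.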
@@ -0,0 +1,46 @@
+From 06dc46b3b17dffa8a5f41da237125e2d850b9f28 Mon Sep 17 00:00:00 2001
+From: Ferdinand Blomqvist
+Date: Thu, 20 Jun 2019 17:10:37 +0300
+Subject: rslib: Fix handling of of caller provided syndrome
+
+[ Upstream commit ef4d6a8556b637ad27c8c2a2cff1dda3da38e9a9 ]
+
+Check if the syndrome provided by the caller is zero, and act
+accordingly.
+
+Signed-off-by: Ferdinand Blomqvist
+Signed-off-by: Thomas Gleixner
+Link: https://lkml.kernel.org/r/20190620141039.9874-6-ferdinand.blomqvist@gmail.com
+Signed-off-by: Sasha Levin
+---
+ lib/reed_solomon/decode_rs.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/lib/reed_solomon/decode_rs.c b/lib/reed_solomon/decode_rs.c
+index 8eed0f9ac495..a5d313381539 100644
+--- a/lib/reed_solomon/decode_rs.c
++++ b/lib/reed_solomon/decode_rs.c
+@@ -42,8 +42,18 @@
+ BUG_ON(pad < 0 || pad >= nn);
+
+ /* Does the caller provide the syndrome ? */
+- if (s != NULL)
+- goto decode;
++ if (s != NULL) {
++ for (i = 0; i < nroots; i++) {
++ /* The syndrome is in index form,
++ * so nn represents zero
++ */
++ if (s[i] != nn)
++ goto decode;
++ }
++
++ /* syndrome is zero, no errors to correct */
++ return 0;
++ }
+
+ /* form the syndromes; i.e., evaluate data(x) at roots of
+ * g(x) */
+--
+2.20.1
+
diff --git a/queue-4.9/s390-qdio-handle-pending-state-for-qebsm-devices.patch b/queue-4.9/s390-qdio-handle-pending-state-for-qebsm-devices.patch
new file mode 100644
index 00000000000..80f592d0091
--- /dev/null
+++ b/queue-4.9/s390-qdio-handle-pending-state-for-qebsm-devices.patch
@@ -0,0 +1,39 @@
+From 77d400548c8398f2195d86d8da3da53d9efdd0af Mon Sep 17 00:00:00 2001
+From: Julian Wiedmann
+Date: Mon, 3 Jun 2019 07:47:04 +0200
+Subject: s390/qdio: handle PENDING state for QEBSM devices
+
+[ Upstream commit 04310324c6f482921c071444833e70fe861b73d9 ]
+
+When a CQ-enabled device uses QEBSM for SBAL state inspection,
+get_buf_states() can return the PENDING state for an Output Queue.
+get_outbound_buffer_frontier() isn't prepared for this, and any PENDING
+buffer will permanently stall all further completion processing on this
+Queue.
+
+This isn't a concern for non-QEBSM devices, as get_buf_states() for such
+devices will manually turn PENDING buffers into EMPTY ones.
+
+Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks")
+Signed-off-by: Julian Wiedmann
+Signed-off-by: Heiko Carstens
+Signed-off-by: Sasha Levin
+---
+ drivers/s390/cio/qdio_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/s390/cio/qdio_main.c b/drivers/s390/cio/qdio_main.c
+index 18ab84e9c6b2..58cd0e0c9680 100644
+--- a/drivers/s390/cio/qdio_main.c
++++ b/drivers/s390/cio/qdio_main.c
+@@ -758,6 +758,7 @@ static int get_outbound_buffer_frontier(struct qdio_q *q)
+
+ switch (state) {
+ case SLSB_P_OUTPUT_EMPTY:
++ case SLSB_P_OUTPUT_PENDING:
+ /* the adapter got it */
+ DBF_DEV_EVENT(DBF_INFO, q->irq_ptr,
+ "out empty:%1d %02x", q->nr, count);
+--
+2.20.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644
index 00000000000..3ae21c91c33
--- /dev/null
+++ b/queue-4.9/series
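Review bot: The debug text and comment in the shared branch no longer match the state being handled: with `SLSB_P_OUTPUT_PENDING` falling into the `SLSB_P_OUTPUT_EMPTY` case, the `DBF_DEV_EVENT` string `"out empty:%1d %02x"` and the `/* the adapter got it */` comment are now used for PENDING buffers as well, which makes the debug trace ambiguous for anyone diagnosing a stalled queue. A comment on the new label would make the sharing explicit, e.g. `case SLSB_P_OUTPUT_PENDING: /* QEBSM with CQ: completed, handled like EMPTY */`. Whether the remainder of the branch, which lies outside the hunk, needs to distinguish the two states is not visible here.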
@@ -0,0 +1,76 @@
+mips-ath79-fix-ar933x-uart-parity-mode.patch
+mips-fix-build-on-non-linux-hosts.patch
+arm64-efi-mark-__efistub_stext_offset-as-an-absolute.patch
+dmaengine-imx-sdma-fix-use-after-free-on-probe-error.patch
+ath10k-do-not-send-probe-response-template-for-mesh.patch
+ath9k-check-for-errors-when-reading-srev-register.patch
+ath6kl-add-some-bounds-checking.patch
+ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch
+batman-adv-fix-for-leaked-tvlv-handler.patch
+media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch
+crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch
+media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch
+media-vpss-fix-a-potential-null-pointer-dereference.patch
+media-media_device_enum_links32-clean-a-reserved-fie.patch
+net-stmmac-dwmac1000-clear-unused-address-entries.patch
+net-stmmac-dwmac4-5-clear-unused-address-entries.patch
+signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch
+signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch
+af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch
+xfrm-fix-xfrm-sel-prefix-length-validation.patch
+media-mc-device.c-don-t-memset-__user-pointer-conten.patch
+media-staging-media-davinci_vpfe-fix-for-memory-leak.patch
+net-phy-check-against-net_device-being-null.patch
+crypto-talitos-properly-handle-split-icv.patch
+crypto-talitos-align-sec1-accesses-to-32-bits-bounda.patch
+tua6100-avoid-build-warnings.patch
+locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch
+media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch
+cpupower-frequency-set-r-option-misses-the-last-cpu-.patch
+net-fec-do-not-use-netdev-messages-too-early.patch
+net-axienet-fix-race-condition-causing-tx-hang.patch
+s390-qdio-handle-pending-state-for-qebsm-devices.patch
+perf-cs-etm-properly-set-the-value-of-old-and-head-i.patch
+perf-test-6-fix-missing-kvm-module-load-for-s390.patch
+gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch
+gpio-omap-ensure-irq-is-enabled-before-wakeup.patch
+regmap-fix-bulk-writes-on-paged-registers.patch
+bpf-silence-warning-messages-in-core.patch
+rcu-force-inlining-of-rcu_read_lock.patch
+blkcg-writeback-dead-memcgs-shouldn-t-contribute-to-.patch
+xfrm-fix-sa-selector-validation.patch
+perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch
+vhost_net-disable-zerocopy-by-default.patch
+ipoib-correcly-show-a-vf-hardware-address.patch
+edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch
+ipsec-select-crypto-ciphers-for-xfrm_algo.patch
+media-i2c-fix-warning-same-module-names.patch
+ntp-limit-tai-utc-offset.patch
+timer_list-guard-procfs-specific-code.patch
+acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch
+media-coda-fix-mpeg2-sequence-number-handling.patch
+media-coda-increment-sequence-offset-for-the-last-re.patch
+mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch
+x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch
+mt7601u-fix-possible-memory-leak-when-the-device-is-.patch
+ath10k-fix-pcie-device-wake-up-failed.patch
+perf-tools-increase-max_nr_cpus-and-max_caches.patch
+libata-don-t-request-sense-data-on-zac-ata-devices.patch
+clocksource-drivers-exynos_mct-increase-priority-ove.patch
+rslib-fix-decoding-of-shortened-codes.patch
+rslib-fix-handling-of-of-caller-provided-syndrome.patch
+ixgbe-check-ddm-existence-in-transceiver-before-acce.patch
+crypto-asymmetric_keys-select-crypto_hash-where-need.patch
+edac-fix-global-out-of-bounds-write-when-setting-eda.patch
+bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch
+iwlwifi-mvm-drop-large-non-sta-frames.patch
+net-usb-asix-init-mac-address-buffers.patch
+gpiolib-fix-references-to-gpiod_-gs-et_-value_cansle.patch
+bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch
+bluetooth-6lowpan-search-for-destination-address-in-.patch
+bluetooth-check-state-in-l2cap_disconnect_rsp.patch
+bluetooth-validate-ble-connection-interval-updates.patch
+gtp-fix-illegal-context-switch-in-rcu-read-side-crit.patch
+gtp-fix-use-after-free-in-gtp_newlink.patch
+floppy-fix-div-by-zero-in-setup_format_params.patch
+floppy-fix-out-of-bounds-read-in-copy_buffer.patch
diff --git a/queue-4.9/signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch b/queue-4.9/signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch
new file mode 100644
index 00000000000..0cc252a6171
--- /dev/null
+++ b/queue-4.9/signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch
@@ -0,0 +1,52 @@
+From 6b774dc4e8d1e50db4a4c639b79c6f337f244728 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman"
+Date: Wed, 15 May 2019 12:33:50 -0500
+Subject: signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of
+ force_sig
+
+[ Upstream commit 72abe3bcf0911d69b46c1e8bdb5612675e0ac42c ]
+
+The locking in force_sig_info is not prepared to deal with a task that
+exits or execs (as sighand may change). The is not a locking problem
+in force_sig as force_sig is only built to handle synchronous
+exceptions.
+
+Further the function force_sig_info changes the signal state if the
+signal is ignored, or blocked or if SIGNAL_UNKILLABLE will prevent the
+delivery of the signal. The signal SIGKILL can not be ignored and can
+not be blocked and SIGNAL_UNKILLABLE won't prevent it from being
+delivered.
+
+So using force_sig rather than send_sig for SIGKILL is confusing
+and pointless.
+
+Because it won't impact the sending of the signal and and because
+using force_sig is wrong, replace force_sig with send_sig.
+
+Cc: Namjae Jeon
+Cc: Jeff Layton
+Cc: Steve French
+Fixes: a5c3e1c725af ("Revert "cifs: No need to send SIGKILL to demux_thread during umount"")
+Fixes: e7ddee9037e7 ("cifs: disable sharing session and tcon and add new TCP sharing code")
+Signed-off-by: "Eric W. Biederman"
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/connect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index f291ed0c155d..d1019cbf7a52 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -2221,7 +2221,7 @@ cifs_put_tcp_session(struct TCP_Server_Info *server, int from_reconnect)
+
+ task = xchg(&server->tsk, NULL);
+ if (task)
+- force_sig(SIGKILL, task);
++ send_sig(SIGKILL, task, 1);
+ }
+
+ static struct TCP_Server_Info *
+--
+2.20.1
+
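Review bot: The third argument of `send_sig(SIGKILL, task, 1)` is an unexplained literal; it is the `priv` flag, and a non-zero value marks the signal as originating from the kernel rather than being sent on behalf of the current task. A brief comment such as `/* priv=1: sent by the kernel, not by current */` would make that choice reviewable, and the same applies to `send_sig(SIGKILL, pid_ns->child_reaper, 1)` in the reboot_pid_ns() hunk of the pid_namespace patch. In `cifs_put_tcp_session()` the hunk also does not show what keeps `task` valid between the `xchg()` and the `send_sig()` call, so it is worth confirming that the target thread cannot exit and be freed in that window; the function body starts outside the hunk.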
diff --git a/queue-4.9/signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch b/queue-4.9/signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch
new file mode 100644
index 00000000000..0534ec5b8bb
--- /dev/null
+++ b/queue-4.9/signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch
@@ -0,0 +1,50 @@
+From b0d35ff72292bf037353af3975656cc93063f0b1 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman"
+Date: Wed, 15 May 2019 12:29:52 -0500
+Subject: signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig
+
+[ Upstream commit f9070dc94542093fd516ae4ccea17ef46a4362c5 ]
+
+The locking in force_sig_info is not prepared to deal with a task that
+exits or execs (as sighand may change). The is not a locking problem
+in force_sig as force_sig is only built to handle synchronous
+exceptions.
+
+Further the function force_sig_info changes the signal state if the
+signal is ignored, or blocked or if SIGNAL_UNKILLABLE will prevent the
+delivery of the signal. The signal SIGKILL can not be ignored and can
+not be blocked and SIGNAL_UNKILLABLE won't prevent it from being
+delivered.
+
+So using force_sig rather than send_sig for SIGKILL is confusing
+and pointless.
+
+Because it won't impact the sending of the signal and and because
+using force_sig is wrong, replace force_sig with send_sig.
+
+Cc: Daniel Lezcano
+Cc: Serge Hallyn
+Cc: Oleg Nesterov
+Fixes: cf3f89214ef6 ("pidns: add reboot_pid_ns() to handle the reboot syscall")
+Signed-off-by: "Eric W. Biederman"
+Signed-off-by: Sasha Levin
+---
+ kernel/pid_namespace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
+index 3976dd57db78..0eab538841fd 100644
+--- a/kernel/pid_namespace.c
++++ b/kernel/pid_namespace.c
+@@ -344,7 +344,7 @@ int reboot_pid_ns(struct pid_namespace *pid_ns, int cmd)
+ }
+
+ read_lock(&tasklist_lock);
+- force_sig(SIGKILL, pid_ns->child_reaper);
++ send_sig(SIGKILL, pid_ns->child_reaper, 1);
+ read_unlock(&tasklist_lock);
+
+ do_exit(0);
+--
+2.20.1
+
diff --git a/queue-4.9/timer_list-guard-procfs-specific-code.patch b/queue-4.9/timer_list-guard-procfs-specific-code.patch
new file mode 100644
index 00000000000..34dd5c10988
--- /dev/null
+++ b/queue-4.9/timer_list-guard-procfs-specific-code.patch
@@ -0,0 +1,89 @@
+From b9f4629be5e6c00acf9b5f04655fb9886bcbadf1 Mon Sep 17 00:00:00 2001
+From: Nathan Huckleberry
+Date: Fri, 14 Jun 2019 11:16:04 -0700
+Subject: timer_list: Guard procfs specific code
+
+[ Upstream commit a9314773a91a1d3b36270085246a6715a326ff00 ]
+
+With CONFIG_PROC_FS=n the following warning is emitted:
+
+kernel/time/timer_list.c:361:36: warning: unused variable
+'timer_list_sops' [-Wunused-const-variable]
+ static const struct seq_operations timer_list_sops = {
+
+Add #ifdef guard around procfs specific code.
+
+Signed-off-by: Nathan Huckleberry
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Nick Desaulniers
+Cc: john.stultz@linaro.org
+Cc: sboyd@kernel.org
+Cc: clang-built-linux@googlegroups.com
+Link: https://github.com/ClangBuiltLinux/linux/issues/534
+Link: https://lkml.kernel.org/r/20190614181604.112297-1-nhuck@google.com
+Signed-off-by: Sasha Levin
+---
+ kernel/time/timer_list.c | 36 +++++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+diff --git a/kernel/time/timer_list.c b/kernel/time/timer_list.c
+index 1407ed20ea93..b7c5d230b4b2 100644
+--- a/kernel/time/timer_list.c
++++ b/kernel/time/timer_list.c
+@@ -299,23 +299,6 @@ static inline void timer_list_header(struct seq_file *m, u64 now)
+ SEQ_printf(m, "\n");
+ }
+
+-static int timer_list_show(struct seq_file *m, void *v)
+-{
+- struct timer_list_iter *iter = v;
+-
+- if (iter->cpu == -1 && !iter->second_pass)
+- timer_list_header(m, iter->now);
+- else if (!iter->second_pass)
+- print_cpu(m, iter->cpu, iter->now);
+-#ifdef CONFIG_GENERIC_CLOCKEVENTS
+- else if (iter->cpu == -1 && iter->second_pass)
+- timer_list_show_tickdevices_header(m);
+- else
+- print_tickdevice(m, tick_get_device(iter->cpu), iter->cpu);
+-#endif
+- return 0;
+-}
+-
+ void sysrq_timer_list_show(void)
+ {
+ u64 now = ktime_to_ns(ktime_get());
+@@ -334,6 +317,24 @@ void sysrq_timer_list_show(void)
+ return;
+ }
+
++#ifdef CONFIG_PROC_FS
++static int timer_list_show(struct 
seq_file *m, void *v)
++{
++ struct timer_list_iter *iter = v;
++
++ if (iter->cpu == -1 && !iter->second_pass)
++ timer_list_header(m, iter->now);
++ else if (!iter->second_pass)
++ print_cpu(m, iter->cpu, iter->now);
++#ifdef CONFIG_GENERIC_CLOCKEVENTS
++ else if (iter->cpu == -1 && iter->second_pass)
++ timer_list_show_tickdevices_header(m);
++ else
++ print_tickdevice(m, tick_get_device(iter->cpu), iter->cpu);
++#endif
++ return 0;
++}
++
+ static void *move_iter(struct timer_list_iter *iter, loff_t offset)
+ {
+ for (; offset; offset--) {
+@@ -405,3 +406,4 @@ static int __init init_timer_list_procfs(void)
+ return 0;
+ }
+ __initcall(init_timer_list_procfs);
++#endif
+--
+2.20.1
+
diff --git a/queue-4.9/tua6100-avoid-build-warnings.patch b/queue-4.9/tua6100-avoid-build-warnings.patch
new file mode 100644
index 00000000000..e97e789520b
--- /dev/null
+++ b/queue-4.9/tua6100-avoid-build-warnings.patch
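Review bot: The `#endif` added after `__initcall(init_timer_list_procfs);` carries no label, although it closes an `#ifdef CONFIG_PROC_FS` opened some ninety lines earlier with a nested `#ifdef CONFIG_GENERIC_CLOCKEVENTS` pair in between. Writing it as `#endif /* CONFIG_PROC_FS */` makes the pairing readable at the end of the file. Most of the guarded region lies outside the hunks shown.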
@@ -0,0 +1,94 @@
+From f90e3f94dc5a620355cabf4729c7e0c7919827fa Mon Sep 17 00:00:00 2001
+From: "David S. Miller"
+Date: Thu, 30 May 2019 11:36:15 -0700
+Subject: tua6100: Avoid build warnings.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 621ccc6cc5f8d6730b740d31d4818227866c93c9 ]
+
+Rename _P to _P_VAL and _R to _R_VAL to avoid global
+namespace conflicts:
+
+drivers/media/dvb-frontends/tua6100.c: In function ‘tua6100_set_params’:
+drivers/media/dvb-frontends/tua6100.c:79: warning: "_P" redefined
+ #define _P 32
+
+In file included from ./include/acpi/platform/aclinux.h:54,
+ from ./include/acpi/platform/acenv.h:152,
+ from ./include/acpi/acpi.h:22,
+ from ./include/linux/acpi.h:34,
+ from ./include/linux/i2c.h:17,
+ from drivers/media/dvb-frontends/tua6100.h:30,
+ from drivers/media/dvb-frontends/tua6100.c:32:
+./include/linux/ctype.h:14: note: this is the location of the previous definition
+ #define _P 0x10 /* punct */
+
+Signed-off-by: David S. 
Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/media/dvb-frontends/tua6100.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/media/dvb-frontends/tua6100.c b/drivers/media/dvb-frontends/tua6100.c
+index 6da12b9e55eb..02c734b8718b 100644
+--- a/drivers/media/dvb-frontends/tua6100.c
++++ b/drivers/media/dvb-frontends/tua6100.c
+@@ -80,8 +80,8 @@ static int tua6100_set_params(struct dvb_frontend *fe)
+ struct i2c_msg msg1 = { .addr = priv->i2c_address, .flags = 0, .buf = reg1, .len = 4 };
+ struct i2c_msg msg2 = { .addr = priv->i2c_address, .flags = 0, .buf = reg2, .len = 3 };
+
+-#define _R 4
+-#define _P 32
++#define _R_VAL 4
++#define _P_VAL 32
+ #define _ri 4000000
+
+ // setup register 0
+@@ -96,14 +96,14 @@ static int tua6100_set_params(struct dvb_frontend *fe)
+ else
+ reg1[1] = 0x0c;
+
+- if (_P == 64)
++ if (_P_VAL == 64)
+ reg1[1] |= 0x40;
+ if (c->frequency >= 1525000)
+ reg1[1] |= 0x80;
+
+ // register 2
+- reg2[1] = (_R >> 8) & 0x03;
+- reg2[2] = _R;
++ reg2[1] = (_R_VAL >> 8) & 0x03;
++ reg2[2] = _R_VAL;
+ if (c->frequency < 1455000)
+ reg2[1] |= 0x1c;
+ else if (c->frequency < 1630000)
+@@ -115,18 +115,18 @@ static int tua6100_set_params(struct dvb_frontend *fe)
+ * The N divisor ratio (note: c->frequency is in kHz, but we
+ * need it in Hz)
+ */
+- prediv = (c->frequency * _R) / (_ri / 1000);
+- div = prediv / _P;
++ prediv = (c->frequency * _R_VAL) / (_ri / 1000);
++ div = prediv / _P_VAL;
+ reg1[1] |= (div >> 9) & 0x03;
+ reg1[2] = div >> 1;
+ reg1[3] = (div << 7);
+- priv->frequency = ((div * _P) * (_ri / 1000)) / _R;
++ priv->frequency = ((div * _P_VAL) * (_ri / 1000)) / _R_VAL;
+
+ // Finally, calculate and store the value for A
+- reg1[3] |= (prediv - (div*_P)) & 0x7f;
++ reg1[3] |= (prediv - (div*_P_VAL)) & 0x7f;
+
+-#undef _R
+-#undef _P
++#undef _R_VAL
++#undef _P_VAL
+ #undef _ri
+
+ if (fe->ops.i2c_gate_ctrl)
+--
+2.20.1
+
diff --git a/queue-4.9/vhost_net-disable-zerocopy-by-default.patch b/queue-4.9/vhost_net-disable-zerocopy-by-default.patch
new file mode 100644
index 00000000000..73d8f3d8bc2
--- /dev/null
+++ b/queue-4.9/vhost_net-disable-zerocopy-by-default.patch
@@ -0,0 +1,43 @@
+From 5896265d12bbd8195e1335f50caa0c7e5929c4d7 Mon Sep 17 00:00:00 2001
+From: Jason Wang
+Date: Mon, 17 Jun 2019 05:20:54 -0400
+Subject: vhost_net: disable zerocopy by default
+
+[ Upstream commit 098eadce3c622c07b328d0a43dda379b38cf7c5e ]
+
+Vhost_net was known to suffer from HOL[1] issues which is not easy to
+fix. Several downstream disable the feature by default. What's more,
+the datapath was split and datacopy path got the support of batching
+and XDP support recently which makes it faster than zerocopy part for
+small packets transmission.
+
+It looks to me that disable zerocopy by default is more
+appropriate. It cold be enabled by default again in the future if we
+fix the above issues.
+
+[1] https://patchwork.kernel.org/patch/3787671/
+
+Signed-off-by: Jason Wang
+Acked-by: Michael S. Tsirkin
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/vhost/net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
+index 681d0eade82f..75e1089dfb01 100644
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -30,7 +30,7 @@
+
+ #include "vhost.h"
+
+-static int experimental_zcopytx = 1;
++static int experimental_zcopytx = 0;
+ module_param(experimental_zcopytx, int, 0444);
+ MODULE_PARM_DESC(experimental_zcopytx, "Enable Zero Copy TX;"
+ " 1 -Enable; 0 - Disable");
+--
+2.20.1
+
diff --git a/queue-4.9/x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch b/queue-4.9/x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch
new file mode 100644
index 00000000000..1582ff25ae6
--- /dev/null
+++ b/queue-4.9/x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch
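Review bot: The parameter description still ends with `" 1 -Enable; 0 - Disable"` and never says which value is the default, so after this change nothing in the module's parameter help tells an operator that zerocopy TX is now off unless requested. The parameter is registered with mode 0444, so the value is chosen at module load, and a host that already passes experimental_zcopytx=1 keeps the head-of-line blocking behaviour the commit message describes. Ending the description with `" 1 -Enable; 0 - Disable (default)"` would make the new default visible to whoever audits the host configuration.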
@@ -0,0 +1,52 @@
+From 42d1a05466fd938486b5f94acdaed7d7fe761416 Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada
+Date: Tue, 25 Jun 2019 16:26:22 +0900
+Subject: x86/build: Add 'set -e' to mkcapflags.sh to delete broken capflags.c
+
+[ Upstream commit bc53d3d777f81385c1bb08b07bd1c06450ecc2c1 ]
+
+Without 'set -e', shell scripts continue running even after any
+error occurs. The missed 'set -e' is a typical bug in shell scripting.
+
+For example, when a disk space shortage occurs while this script is
+running, it actually ends up with generating a truncated capflags.c.
+
+Yet, mkcapflags.sh continues running and exits with 0. So, the build
+system assumes it has succeeded.
+
+It will not be re-generated in the next invocation of Make since its
+timestamp is newer than that of any of the source files.
+
+Add 'set -e' so that any error in this script is caught and propagated
+to the build system.
+
+Since 9c2af1c7377a ("kbuild: add .DELETE_ON_ERROR special target"),
+make automatically deletes the target on any failure. So, the broken
+capflags.c will be deleted automatically.
+
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Thomas Gleixner
+Cc: "H. Peter Anvin"
+Cc: Borislav Petkov
+Link: https://lkml.kernel.org/r/20190625072622.17679-1-yamada.masahiro@socionext.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/cpu/mkcapflags.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/mkcapflags.sh b/arch/x86/kernel/cpu/mkcapflags.sh
+index 6988c74409a8..711b74e0e623 100644
+--- a/arch/x86/kernel/cpu/mkcapflags.sh
++++ b/arch/x86/kernel/cpu/mkcapflags.sh
+@@ -3,6 +3,8 @@
+ # Generate the x86_cap/bug_flags[] arrays from include/asm/cpufeatures.h
+ #
+
++set -e
++
+ IN=$1
+ OUT=$2
+
+--
+2.20.1
+
diff --git a/queue-4.9/xfrm-fix-sa-selector-validation.patch b/queue-4.9/xfrm-fix-sa-selector-validation.patch
new file mode 100644
index 00000000000..4ca03eb11d8
--- /dev/null
+++ b/queue-4.9/xfrm-fix-sa-selector-validation.patch
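Review bot: `set -e` acts only on the exit status of a simple command or of the last command in a pipeline, so a failure on the left-hand side of a pipe that feeds `$OUT` would still go unnoticed. The body of mkcapflags.sh is outside this hunk, so whether it builds its output through pipelines cannot be confirmed here; if it does, the truncated capflags.c case from the commit message is only partly covered. A comment above the new line, for example `# Stop at the first failing command so a partial $OUT never counts as success`, would also record why the line is there.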
@@ -0,0 +1,42 @@
+From 8be486167fbaa6d61bd5b3a7d2348f08edda6e98 Mon Sep 17 00:00:00 2001
+From: Nicolas Dichtel
+Date: Fri, 14 Jun 2019 11:13:55 +0200
+Subject: xfrm: fix sa selector validation
+
+[ Upstream commit b8d6d0079757cbd1b69724cfd1c08e2171c68cee ]
+
+After commit b38ff4075a80, the following command does not work anymore:
+$ ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 34 reqid 1 \
+ mode tunnel enc 'cbc(aes)' 0xb0abdba8b782ad9d364ec81e3a7d82a1 auth-trunc \
+ 'hmac(sha1)' 0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6 96 flag align4
+
+In fact, the selector is not mandatory, allow the user to provide an empty
+selector.
+
+Fixes: b38ff4075a80 ("xfrm: Fix xfrm sel prefix length validation")
+CC: Anirudh Gupta
+Signed-off-by: Nicolas Dichtel
+Acked-by: Herbert Xu
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index df4b7fc721f6..f3e9d500fa5a 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -166,6 +166,9 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
+ }
+
+ switch (p->sel.family) {
++ case AF_UNSPEC:
++ break;
++
+ case AF_INET:
+ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
+ goto out;
+--
+2.20.1
+
diff --git a/queue-4.9/xfrm-fix-xfrm-sel-prefix-length-validation.patch b/queue-4.9/xfrm-fix-xfrm-sel-prefix-length-validation.patch
new file mode 100644
index 00000000000..592cb1e01a4
--- /dev/null
+++ b/queue-4.9/xfrm-fix-xfrm-sel-prefix-length-validation.patch
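Review bot: The new `case AF_UNSPEC:` arm leaves `p->sel.prefixlen_d` and `p->sel.prefixlen_s` entirely unchecked, while the `AF_INET` arm directly below rejects anything above 32. The structure being verified comes from userspace (the xfrm-fix-xfrm-sel-prefix-length-validation patch later in this queue, which introduces this switch, says so), so a selector with no family can now carry arbitrary prefix lengths past validation. If code outside this hunk later fills an unspecified selector family in from `p->family`, those lengths would be used with a family they were never checked against. Switching on `p->sel.family ? p->sel.family : p->family`, or rejecting non-zero lengths in the `AF_UNSPEC` arm, would close that gap. verify_newsa_info() starts and ends outside the hunk.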
@@ -0,0 +1,56 @@
+From 56124b2e920b7037001b2c36b67d66f82607f8e4 Mon Sep 17 00:00:00 2001
+From: Anirudh Gupta
+Date: Tue, 21 May 2019 20:59:47 +0530
+Subject: xfrm: Fix xfrm sel prefix length validation
+
+[ Upstream commit b38ff4075a80b4da5cb2202d7965332ca0efb213 ]
+
+Family of src/dst can be different from family of selector src/dst.
+Use xfrm selector family to validate address prefix length,
+while verifying new sa from userspace.
+
+Validated patch with this command:
+ip xfrm state add src 1.1.6.1 dst 1.1.6.2 proto esp spi 4260196 \
+reqid 20004 mode tunnel aead "rfc4106(gcm(aes))" \
+0x1111016400000000000000000000000044440001 128 \
+sel src 1011:1:4::2/128 sel dst 1021:1:4::2/128 dev Port5
+
+Fixes: 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.")
+Signed-off-by: Anirudh Gupta
+Acked-by: Herbert Xu
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_user.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index ca5c79bfd9a5..df4b7fc721f6 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -150,6 +150,22 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
+
+ err = -EINVAL;
+ switch (p->family) {
++ case AF_INET:
++ break;
++
++ case AF_INET6:
++#if IS_ENABLED(CONFIG_IPV6)
++ break;
++#else
++ err = -EAFNOSUPPORT;
++ goto out;
++#endif
++
++ default:
++ goto out;
++ }
++
++ switch (p->sel.family) {
+ case AF_INET:
+ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32)
+ goto out;
+--
+2.20.1
+
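Review bot: The two consecutive switches on `p->family` and `p->sel.family` read almost identically, and nothing in the code says why both are needed. A one-line comment above the second, such as `/* the selector may use a different address family than the SA itself */`, would carry the reasoning from the commit message into the source. The new `default: goto out;` arm also depends on `err = -EINVAL` being assigned just above the first switch, which deserves a mention in that comment in case the assignment is ever moved. verify_newsa_info() continues outside the hunk.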