From: Sasha Levin Date: Sat, 17 Nov 2018 15:17:49 +0000 (-0500) Subject: commits for 4.4 X-Git-Tag: v4.19.3~34 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=695db26ad9af9c62f260971d8b941e2d362531d9;p=thirdparty%2Fkernel%2Fstable-queue.git commits for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/bna-ethtool-avoid-reading-past-end-of-buffer.patch b/queue-4.4/bna-ethtool-avoid-reading-past-end-of-buffer.patch new file mode 100644 index 00000000000..97c762bb233 --- /dev/null +++ b/queue-4.4/bna-ethtool-avoid-reading-past-end-of-buffer.patch @@ -0,0 +1,40 @@ +From 48a491967cbc08bc3c1d174afae3d120160a3858 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Fri, 5 May 2017 15:30:23 -0700 +Subject: bna: ethtool: Avoid reading past end of buffer + +[ Upstream commit 4dc69c1c1fff2f587f8e737e70b4a4e7565a5c94 ] + +Using memcpy() from a string that is shorter than the length copied means +the destination buffer is being filled with arbitrary data from the kernel +rodata segment. Instead, use strncpy() which will fill the trailing bytes +with zeros. + +This was found with the future CONFIG_FORTIFY_SOURCE feature. + +Cc: Daniel Micay +Signed-off-by: Kees Cook +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/brocade/bna/bnad_ethtool.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/brocade/bna/bnad_ethtool.c b/drivers/net/ethernet/brocade/bna/bnad_ethtool.c +index 0e4fdc3dd729..18672ad773fb 100644 +--- a/drivers/net/ethernet/brocade/bna/bnad_ethtool.c ++++ b/drivers/net/ethernet/brocade/bna/bnad_ethtool.c +@@ -556,8 +556,8 @@ bnad_get_strings(struct net_device *netdev, u32 stringset, u8 *string) + for (i = 0; i < BNAD_ETHTOOL_STATS_NUM; i++) { + BUG_ON(!(strlen(bnad_net_stats_strings[i]) < + ETH_GSTRING_LEN)); +- memcpy(string, bnad_net_stats_strings[i], +- ETH_GSTRING_LEN); ++ strncpy(string, bnad_net_stats_strings[i], ++ ETH_GSTRING_LEN); + string += ETH_GSTRING_LEN; + } + bmap = bna_tx_rid_mask(&bnad->bna); +-- +2.17.1 + diff --git a/queue-4.4/e1000-avoid-null-pointer-dereference-on-invalid-stat.patch b/queue-4.4/e1000-avoid-null-pointer-dereference-on-invalid-stat.patch new file mode 100644 index 00000000000..78ff41afd0e --- /dev/null +++ b/queue-4.4/e1000-avoid-null-pointer-dereference-on-invalid-stat.patch @@ -0,0 +1,63 @@ +From eabf431ebfde07482f2060b2c1292df9baa65aae Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Fri, 22 Sep 2017 18:13:48 +0100 +Subject: e1000: avoid null pointer dereference on invalid stat type + +[ Upstream commit 5983587c8c5ef00d6886477544ad67d495bc5479 ] + +Currently if the stat type is invalid then data[i] is being set +either by dereferencing a null pointer p, or it is reading from +an incorrect previous location if we had a valid stat type +previously. Fix this by skipping over the read of p on an invalid +stat type. + +Detected by CoverityScan, CID#113385 ("Explicit null dereferenced") + +Signed-off-by: Colin Ian King +Reviewed-by: Alexander Duyck +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +index 5ae8874bbf72..d70b2e5d5222 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +@@ -1826,11 +1826,12 @@ static void e1000_get_ethtool_stats(struct net_device *netdev, + { + struct e1000_adapter *adapter = netdev_priv(netdev); + int i; +- char *p = NULL; + const struct e1000_stats *stat = e1000_gstrings_stats; + + e1000_update_stats(adapter); +- for (i = 0; i < E1000_GLOBAL_STATS_LEN; i++) { ++ for (i = 0; i < E1000_GLOBAL_STATS_LEN; i++, stat++) { ++ char *p; ++ + switch (stat->type) { + case NETDEV_STATS: + p = (char *)netdev + stat->stat_offset; +@@ -1841,15 +1842,13 @@ static void e1000_get_ethtool_stats(struct net_device *netdev, + default: + WARN_ONCE(1, "Invalid E1000 stat type: %u index %d\n", + stat->type, i); +- break; ++ continue; + } + + if (stat->sizeof_stat == sizeof(u64)) + data[i] = *(u64 *)p; + else + data[i] = *(u32 *)p; +- +- stat++; + } + /* BUG_ON(i != E1000_STATS_LEN); */ + } +-- +2.17.1 + diff --git a/queue-4.4/e1000-fix-race-condition-between-e1000_down-and-e100.patch b/queue-4.4/e1000-fix-race-condition-between-e1000_down-and-e100.patch new file mode 100644 index 00000000000..abdec5582f6 --- /dev/null +++ b/queue-4.4/e1000-fix-race-condition-between-e1000_down-and-e100.patch @@ -0,0 +1,65 @@ +From 8d593a92993f91a1671693b1f6f61fbbb70f2e65 Mon Sep 17 00:00:00 2001 +From: Vincenzo Maffione +Date: Sat, 16 Sep 2017 18:00:00 +0200 +Subject: e1000: fix race condition between e1000_down() and e1000_watchdog + +[ Upstream commit 44c445c3d1b4eacff23141fa7977c3b2ec3a45c9 ] + +This patch fixes a race condition that can result into the interface being +up and carrier on, but with transmits disabled in the hardware. +The bug may show up by repeatedly IFF_DOWN+IFF_UP the interface, which +allows e1000_watchdog() interleave with e1000_down(). + + CPU x CPU y + -------------------------------------------------------------------- + e1000_down(): + netif_carrier_off() + e1000_watchdog(): + if (carrier == off) { + netif_carrier_on(); + enable_hw_transmit(); + } + disable_hw_transmit(); + e1000_watchdog(): + /* carrier on, do nothing */ + +Signed-off-by: Vincenzo Maffione +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000/e1000_main.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c +index 2a1d4a9d3c19..1f84f2fa459f 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c +@@ -521,8 +521,6 @@ void e1000_down(struct e1000_adapter *adapter) + struct net_device *netdev = adapter->netdev; + u32 rctl, tctl; + +- netif_carrier_off(netdev); +- + /* disable receives in the hardware */ + rctl = er32(RCTL); + ew32(RCTL, rctl & ~E1000_RCTL_EN); +@@ -538,6 +536,15 @@ void e1000_down(struct e1000_adapter *adapter) + E1000_WRITE_FLUSH(); + msleep(10); + ++ /* Set the carrier off after transmits have been disabled in the ++ * hardware, to avoid race conditions with e1000_watchdog() (which ++ * may be running concurrently to us, checking for the carrier ++ * bit to decide whether it should enable transmits again). Such ++ * a race condition would result into transmission being disabled ++ * in the hardware until the next IFF_DOWN+IFF_UP cycle. ++ */ ++ netif_carrier_off(netdev); ++ + napi_disable(&adapter->napi); + + e1000_irq_disable(adapter); +-- +2.17.1 + diff --git a/queue-4.4/mips-loongson-3-fix-bridge-irq-delivery-problem.patch b/queue-4.4/mips-loongson-3-fix-bridge-irq-delivery-problem.patch new file mode 100644 index 00000000000..a475127fb76 --- /dev/null +++ b/queue-4.4/mips-loongson-3-fix-bridge-irq-delivery-problem.patch @@ -0,0 +1,82 @@ +From a7045874f2c8b37d0494ec1c4ff76d3aebe29a23 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Wed, 5 Sep 2018 17:33:09 +0800 +Subject: MIPS: Loongson-3: Fix BRIDGE irq delivery problem + +[ Upstream commit 360fe725f8849aaddc53475fef5d4a0c439b05ae ] + +After commit e509bd7da149dc349160 ("genirq: Allow migration of chained +interrupts by installing default action") Loongson-3 fails at here: + +setup_irq(LOONGSON_HT1_IRQ, &cascade_irqaction); + +This is because both chained_action and cascade_irqaction don't have +IRQF_SHARED flag. This will cause Loongson-3 resume fails because HPET +timer interrupt can't be delivered during S3. So we set the irqchip of +the chained irq to loongson_irq_chip which doesn't disable the chained +irq in CP0.Status. + +Cc: stable@vger.kernel.org +Signed-off-by: Huacai Chen +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/20434/ +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-mips@linux-mips.org +Cc: Fuxin Zhang +Cc: Zhangjin Wu +Cc: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/mach-loongson64/irq.h | 2 +- + arch/mips/loongson64/loongson-3/irq.c | 13 +++---------- + 2 files changed, 4 insertions(+), 11 deletions(-) + +diff --git a/arch/mips/include/asm/mach-loongson64/irq.h b/arch/mips/include/asm/mach-loongson64/irq.h +index d18c45c7c394..19ff9ce46c02 100644 +--- a/arch/mips/include/asm/mach-loongson64/irq.h ++++ b/arch/mips/include/asm/mach-loongson64/irq.h +@@ -9,7 +9,7 @@ + #define MIPS_CPU_IRQ_BASE 56 + + #define LOONGSON_UART_IRQ (MIPS_CPU_IRQ_BASE + 2) /* UART */ +-#define LOONGSON_HT1_IRQ (MIPS_CPU_IRQ_BASE + 3) /* HT1 */ ++#define LOONGSON_BRIDGE_IRQ (MIPS_CPU_IRQ_BASE + 3) /* CASCADE */ + #define LOONGSON_TIMER_IRQ (MIPS_CPU_IRQ_BASE + 7) /* CPU Timer */ + + #define LOONGSON_HT1_CFG_BASE loongson_sysconf.ht_control_base +diff --git a/arch/mips/loongson64/loongson-3/irq.c b/arch/mips/loongson64/loongson-3/irq.c +index 53424f2a53f3..241cb88f9c03 100644 +--- a/arch/mips/loongson64/loongson-3/irq.c ++++ b/arch/mips/loongson64/loongson-3/irq.c +@@ -42,12 +42,6 @@ void mach_irq_dispatch(unsigned int pending) + } + } + +-static struct irqaction cascade_irqaction = { +- .handler = no_action, +- .flags = IRQF_NO_SUSPEND, +- .name = "cascade", +-}; +- + static inline void mask_loongson_irq(struct irq_data *d) { } + static inline void unmask_loongson_irq(struct irq_data *d) { } + +@@ -88,11 +82,10 @@ void __init mach_init_irq(void) + init_i8259_irqs(); + irq_set_chip_and_handler(LOONGSON_UART_IRQ, + &loongson_irq_chip, handle_percpu_irq); ++ irq_set_chip_and_handler(LOONGSON_BRIDGE_IRQ, ++ &loongson_irq_chip, handle_percpu_irq); + +- /* setup HT1 irq */ +- setup_irq(LOONGSON_HT1_IRQ, &cascade_irqaction); +- +- set_c0_status(STATUSF_IP2 | STATUSF_IP6); ++ set_c0_status(STATUSF_IP2 | STATUSF_IP3 | STATUSF_IP6); + } + + #ifdef CONFIG_HOTPLUG_CPU +-- +2.17.1 + diff --git a/queue-4.4/mips-loongson-3-fix-cpu-uart-irq-delivery-problem.patch b/queue-4.4/mips-loongson-3-fix-cpu-uart-irq-delivery-problem.patch new file mode 100644 index 00000000000..c9739e810fa --- /dev/null +++ b/queue-4.4/mips-loongson-3-fix-cpu-uart-irq-delivery-problem.patch @@ -0,0 +1,94 @@ +From ec15040b5a48f36fc26a7c8fe01c8e9c3920c38a Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Wed, 5 Sep 2018 17:33:08 +0800 +Subject: MIPS: Loongson-3: Fix CPU UART irq delivery problem + +[ Upstream commit d06f8a2f1befb5a3d0aa660ab1c05e9b744456ea ] + +Masking/unmasking the CPU UART irq in CP0_Status (and redirecting it to +other CPUs) may cause interrupts be lost, especially in multi-package +machines (Package-0's UART irq cannot be delivered to others). So make +mask_loongson_irq() and unmask_loongson_irq() be no-ops. + +The original problem (UART IRQ may deliver to any core) is also because +of masking/unmasking the CPU UART irq in CP0_Status. So it is safe to +remove all of the stuff. + +Signed-off-by: Huacai Chen +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/20433/ +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-mips@linux-mips.org +Cc: Fuxin Zhang +Cc: Zhangjin Wu +Cc: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/mips/loongson64/loongson-3/irq.c | 43 ++------------------------- + 1 file changed, 3 insertions(+), 40 deletions(-) + +diff --git a/arch/mips/loongson64/loongson-3/irq.c b/arch/mips/loongson64/loongson-3/irq.c +index 0f75b6b3d218..53424f2a53f3 100644 +--- a/arch/mips/loongson64/loongson-3/irq.c ++++ b/arch/mips/loongson64/loongson-3/irq.c +@@ -48,45 +48,8 @@ static struct irqaction cascade_irqaction = { + .name = "cascade", + }; + +-static inline void mask_loongson_irq(struct irq_data *d) +-{ +- clear_c0_status(0x100 << (d->irq - MIPS_CPU_IRQ_BASE)); +- irq_disable_hazard(); +- +- /* Workaround: UART IRQ may deliver to any core */ +- if (d->irq == LOONGSON_UART_IRQ) { +- int cpu = smp_processor_id(); +- int node_id = cpu_logical_map(cpu) / loongson_sysconf.cores_per_node; +- int core_id = cpu_logical_map(cpu) % loongson_sysconf.cores_per_node; +- u64 intenclr_addr = smp_group[node_id] | +- (u64)(&LOONGSON_INT_ROUTER_INTENCLR); +- u64 introuter_lpc_addr = smp_group[node_id] | +- (u64)(&LOONGSON_INT_ROUTER_LPC); +- +- *(volatile u32 *)intenclr_addr = 1 << 10; +- *(volatile u8 *)introuter_lpc_addr = 0x10 + (1<irq == LOONGSON_UART_IRQ) { +- int cpu = smp_processor_id(); +- int node_id = cpu_logical_map(cpu) / loongson_sysconf.cores_per_node; +- int core_id = cpu_logical_map(cpu) % loongson_sysconf.cores_per_node; +- u64 intenset_addr = smp_group[node_id] | +- (u64)(&LOONGSON_INT_ROUTER_INTENSET); +- u64 introuter_lpc_addr = smp_group[node_id] | +- (u64)(&LOONGSON_INT_ROUTER_LPC); +- +- *(volatile u32 *)intenset_addr = 1 << 10; +- *(volatile u8 *)introuter_lpc_addr = 0x10 + (1<irq - MIPS_CPU_IRQ_BASE)); +- irq_enable_hazard(); +-} ++static inline void mask_loongson_irq(struct irq_data *d) { } ++static inline void unmask_loongson_irq(struct irq_data *d) { } + + /* For MIPS IRQs which shared by all cores */ + static struct irq_chip loongson_irq_chip = { +@@ -124,7 +87,7 @@ void __init mach_init_irq(void) + mips_cpu_irq_init(); + init_i8259_irqs(); + irq_set_chip_and_handler(LOONGSON_UART_IRQ, +- &loongson_irq_chip, handle_level_irq); ++ &loongson_irq_chip, handle_percpu_irq); + + /* setup HT1 irq */ + setup_irq(LOONGSON_HT1_IRQ, &cascade_irqaction); +-- +2.17.1 + diff --git a/queue-4.4/series b/queue-4.4/series index b72883fa8f3..b4df0519f0e 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -114,3 +114,8 @@ binfmt_elf-fix-calculations-for-bss-padding.patch mm-refuse-wrapped-vm_brk-requests.patch fs-elf-make-sure-to-page-align-bss-in-load_elf_libra.patch mm-do-not-bug_on-on-incorrect-length-in-__mm_populat.patch +e1000-avoid-null-pointer-dereference-on-invalid-stat.patch +e1000-fix-race-condition-between-e1000_down-and-e100.patch +bna-ethtool-avoid-reading-past-end-of-buffer.patch +mips-loongson-3-fix-cpu-uart-irq-delivery-problem.patch +mips-loongson-3-fix-bridge-irq-delivery-problem.patch