From: Greg Kroah-Hartman
Date: Tue, 11 Dec 2018 14:16:06 +0000 (+0100)
Subject: 4.9-stable patches
X-Git-Tag: v4.19.9~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=71c2c913a55423e229c03f317758e3a1a1128427;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
      cifs-fix-separator-when-building-path-from-dentry.patch
      kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch
      libnvdimm-pfn-pad-pfn-namespaces-relative-to-other-regions.patch
      mac80211-clear-beacon_int-in-ieee80211_do_stop.patch
      mac80211-fix-reordering-of-buffered-broadcast-packets.patch
      mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch
      mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch
      mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch
      staging-rtl8712-fix-possible-buffer-overrun.patch
      tty-do-not-set-tty_io_error-flag-if-console-port.patch
      tty-serial-8250_mtk-always-resume-the-device-in-probe.patch
---
diff --git a/queue-4.9/cifs-fix-separator-when-building-path-from-dentry.patch b/queue-4.9/cifs-fix-separator-when-building-path-from-dentry.patch
new file mode 100644
index 00000000000..937bff70a85
--- /dev/null
+++ b/queue-4.9/cifs-fix-separator-when-building-path-from-dentry.patch
@@ -0,0 +1,34 @@ +From c988de29ca161823db6a7125e803d597ef75b49c Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Thu, 15 Nov 2018 15:20:52 +0100 +Subject: cifs: Fix separator when building path from dentry + +From: Paulo Alcantara + +commit c988de29ca161823db6a7125e803d597ef75b49c upstream. + +Make sure to use the CIFS_DIR_SEP(cifs_sb) as path separator for +prefixpath too. Fixes a bug with smb1 UNIX extensions. + +Fixes: a6b5058fafdf ("fs/cifs: make share unaccessible at root level mountable") +Signed-off-by: Paulo Alcantara +Reviewed-by: Aurelien Aptel +Signed-off-by: Steve French +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/dir.c ++++ b/fs/cifs/dir.c +@@ -163,7 +163,7 @@ cifs_bp_rename_retry: + + cifs_dbg(FYI, "using cifs_sb prepath <%s>\n", cifs_sb->prepath); + memcpy(full_path+dfsplen+1, cifs_sb->prepath, pplen-1); +- full_path[dfsplen] = '\\'; ++ full_path[dfsplen] = dirsep; + for (i = 0; i < pplen-1; i++) + if (full_path[dfsplen+1+i] == '/') + full_path[dfsplen+1+i] = CIFS_DIR_SEP(cifs_sb); diff --git a/queue-4.9/kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch b/queue-4.9/kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch new file mode 100644 index 00000000000..50e3199f47c --- /dev/null +++ b/queue-4.9/kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch 
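Review bot: in the cifs hunk above, `dirsep` is used on the new `full_path[dfsplen] = dirsep;` line but is neither declared nor assigned anywhere in the visible context, while three lines later the loop still writes the same separator as `CIFS_DIR_SEP(cifs_sb)`; since `cifs_bp_rename_retry:` is a goto label, please confirm `dirsep` is initialised before the label (and not only on the first pass through the function), or use `CIFS_DIR_SEP(cifs_sb)` here as well so both writes read the same way. Either way the two spellings of the separator in one block deserve a comment.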
@@ -0,0 +1,82 @@ +From dada6a43b0402eba438a17ac86fdc64ac56a4607 Mon Sep 17 00:00:00 2001 +From: Macpaul Lin +Date: Wed, 17 Oct 2018 23:08:38 +0800 +Subject: kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var() + +From: Macpaul Lin + +commit dada6a43b0402eba438a17ac86fdc64ac56a4607 upstream. + +This patch is trying to fix KE issue due to +"BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198" +reported by Syzkaller scan." + +[26364:syz-executor0][name:report8t]BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198 +[26364:syz-executor0][name:report&]Read of size 1 at addr ffffff900e44f95f by task syz-executor0/26364 +[26364:syz-executor0][name:report&] +[26364:syz-executor0]CPU: 7 PID: 26364 Comm: syz-executor0 Tainted: G W 0 +[26364:syz-executor0]Call trace: +[26364:syz-executor0][] dump_bacIctrace+Ox0/0x470 +[26364:syz-executor0][] show_stack+0x20/0x30 +[26364:syz-executor0][] dump_stack+Oxd8/0x128 +[26364:syz-executor0][] print_address_description +0x80/0x4a8 +[26364:syz-executor0][] kasan_report+Ox178/0x390 +[26364:syz-executor0][] _asan_report_loadi_noabort+Ox18/0x20 +[26364:syz-executor0][] param_set_kgdboc_var+Ox194/0x198 +[26364:syz-executor0][] param_attr_store+Ox14c/0x270 +[26364:syz-executor0][] module_attr_store+0x60/0x90 +[26364:syz-executor0][] sysfs_kl_write+Ox100/0x158 +[26364:syz-executor0][] kernfs_fop_write+0x27c/0x3a8 +[26364:syz-executor0][] do_loop_readv_writev+0x114/0x1b0 +[26364:syz-executor0][] do_readv_writev+0x4f8/0x5e0 +[26364:syz-executor0][] vfs_writev+0x7c/Oxb8 +[26364:syz-executor0][] SyS_writev+Oxcc/0x208 +[26364:syz-executor0][] elO_svc_naked +0x24/0x28 +[26364:syz-executor0][name:report&] +[26364:syz-executor0][name:report&]The buggy address belongs to the variable: +[26364:syz-executor0][name:report&] kgdb_tty_line+Ox3f/0x40 +[26364:syz-executor0][name:report&] +[26364:syz-executor0][name:report&]Memory state around the buggy address: +[26364:syz-executor0] ffffff900e44f800: 00 00 00 
00 00 04 fa fa fa fa fa fa 00 fa fa fa +[26364:syz-executor0] ffffff900e44f880: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa +[26364:syz-executor0]> ffffff900e44f900: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00 +[26364:syz-executor0][name:report&] ^ +[26364:syz-executor0] ffffff900e44f980: 00 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa +[26364:syz-executor0] ffffff900e44fa00: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa +[26364:syz-executor0][name:report&] +[26364:syz-executor0][name:panic&]Disabling lock debugging due to kernel taint +[26364:syz-executor0]------------[cut here]------------ + +After checking the source code, we've found there might be an out-of-bounds +access to "config[len - 1]" array when the variable "len" is zero. + +Signed-off-by: Macpaul Lin +Acked-by: Daniel Thompson +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/kgdboc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/kgdboc.c ++++ b/drivers/tty/serial/kgdboc.c +@@ -232,7 +232,7 @@ static void kgdboc_put_char(u8 chr) + + static int param_set_kgdboc_var(const char *kmessage, struct kernel_param *kp) + { +- int len = strlen(kmessage); ++ size_t len = strlen(kmessage); + + if (len >= MAX_CONFIG_LEN) { + printk(KERN_ERR "kgdboc: config string too long\n"); +@@ -254,7 +254,7 @@ static int param_set_kgdboc_var(const ch + + strcpy(config, kmessage); + /* Chop out \n char as a result of echo */ +- if (config[len - 1] == '\n') ++ if (len && config[len - 1] == '\n') + config[len - 1] = '\0'; + + if (configured == 1) diff --git a/queue-4.9/libnvdimm-pfn-pad-pfn-namespaces-relative-to-other-regions.patch b/queue-4.9/libnvdimm-pfn-pad-pfn-namespaces-relative-to-other-regions.patch new file mode 100644 index 00000000000..b988e15abfd --- /dev/null +++ b/queue-4.9/libnvdimm-pfn-pad-pfn-namespaces-relative-to-other-regions.patch 
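Review bot: in the second kgdboc hunk, `len && config[len - 1] == '\n'` is the actual fix, and it is correct: for `len == 0` the preceding `strcpy(config, kmessage)` copies only the terminator, so there is nothing to chop. The `int` to `size_t` change in the first hunk is not part of the fix and turns `len >= MAX_CONFIG_LEN` into an unsigned comparison; a sentence in the message saying the type change is for consistency with `strlen()` would stop readers hunting for a signedness bug that is not there. The message also carries `Signed-off-by: Greg Kroah-Hartman` twice; one copy should go.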
@@ -0,0 +1,194 @@ +From ae86cbfef3818300f1972e52f67a93211acb0e24 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Sat, 24 Nov 2018 10:47:04 -0800 +Subject: libnvdimm, pfn: Pad pfn namespaces relative to other regions + +From: Dan Williams + +commit ae86cbfef3818300f1972e52f67a93211acb0e24 upstream. + +Commit cfe30b872058 "libnvdimm, pmem: adjust for section collisions with +'System RAM'" enabled Linux to workaround occasions where platform +firmware arranges for "System RAM" and "Persistent Memory" to collide +within a single section boundary. Unfortunately, as reported in this +issue [1], platform firmware can inflict the same collision between +persistent memory regions. + +The approach of interrogating iomem_resource does not work in this +case because platform firmware may merge multiple regions into a single +iomem_resource range. Instead provide a method to interrogate regions +that share the same parent bus. + +This is a stop-gap until the core-MM can grow support for hotplug on +sub-section boundaries. 
+ +[1]: https://github.com/pmem/ndctl/issues/76 + +Fixes: cfe30b872058 ("libnvdimm, pmem: adjust for section collisions with...") +Cc: +Reported-by: Patrick Geary +Tested-by: Patrick Geary +Reviewed-by: Vishal Verma +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvdimm/nd-core.h | 2 + + drivers/nvdimm/pfn_devs.c | 64 ++++++++++++++++++++++++------------------- + drivers/nvdimm/region_devs.c | 41 +++++++++++++++++++++++++++ + 3 files changed, 80 insertions(+), 27 deletions(-) + +--- a/drivers/nvdimm/nd-core.h ++++ b/drivers/nvdimm/nd-core.h +@@ -95,6 +95,8 @@ resource_size_t nd_pmem_available_dpa(st + struct nd_mapping *nd_mapping, resource_size_t *overlap); + resource_size_t nd_blk_available_dpa(struct nd_region *nd_region); + resource_size_t nd_region_available_dpa(struct nd_region *nd_region); ++int nd_region_conflict(struct nd_region *nd_region, resource_size_t start, ++ resource_size_t size); + resource_size_t nvdimm_allocated_dpa(struct nvdimm_drvdata *ndd, + struct nd_label_id *label_id); + int alias_dpa_busy(struct device *dev, void *data); +--- a/drivers/nvdimm/pfn_devs.c ++++ b/drivers/nvdimm/pfn_devs.c +@@ -569,14 +569,47 @@ static u64 phys_pmem_align_down(struct n + ALIGN_DOWN(phys, nd_pfn->align)); + } + ++/* ++ * Check if pmem collides with 'System RAM', or other regions when ++ * section aligned. Trim it accordingly. 
++ */ ++static void trim_pfn_device(struct nd_pfn *nd_pfn, u32 *start_pad, u32 *end_trunc) ++{ ++ struct nd_namespace_common *ndns = nd_pfn->ndns; ++ struct nd_namespace_io *nsio = to_nd_namespace_io(&ndns->dev); ++ struct nd_region *nd_region = to_nd_region(nd_pfn->dev.parent); ++ const resource_size_t start = nsio->res.start; ++ const resource_size_t end = start + resource_size(&nsio->res); ++ resource_size_t adjust, size; ++ ++ *start_pad = 0; ++ *end_trunc = 0; ++ ++ adjust = start - PHYS_SECTION_ALIGN_DOWN(start); ++ size = resource_size(&nsio->res) + adjust; ++ if (region_intersects(start - adjust, size, IORESOURCE_SYSTEM_RAM, ++ IORES_DESC_NONE) == REGION_MIXED ++ || nd_region_conflict(nd_region, start - adjust, size)) ++ *start_pad = PHYS_SECTION_ALIGN_UP(start) - start; ++ ++ /* Now check that end of the range does not collide. */ ++ adjust = PHYS_SECTION_ALIGN_UP(end) - end; ++ size = resource_size(&nsio->res) + adjust; ++ if (region_intersects(start, size, IORESOURCE_SYSTEM_RAM, ++ IORES_DESC_NONE) == REGION_MIXED ++ || !IS_ALIGNED(end, nd_pfn->align) ++ || nd_region_conflict(nd_region, start, size + adjust)) ++ *end_trunc = end - phys_pmem_align_down(nd_pfn, end); ++} ++ + static int nd_pfn_init(struct nd_pfn *nd_pfn) + { + u32 dax_label_reserve = is_nd_dax(&nd_pfn->dev) ? 
SZ_128K : 0; + struct nd_namespace_common *ndns = nd_pfn->ndns; +- u32 start_pad = 0, end_trunc = 0; ++ struct nd_namespace_io *nsio = to_nd_namespace_io(&ndns->dev); + resource_size_t start, size; +- struct nd_namespace_io *nsio; + struct nd_region *nd_region; ++ u32 start_pad, end_trunc; + struct nd_pfn_sb *pfn_sb; + unsigned long npfns; + phys_addr_t offset; +@@ -608,30 +641,7 @@ static int nd_pfn_init(struct nd_pfn *nd + + memset(pfn_sb, 0, sizeof(*pfn_sb)); + +- /* +- * Check if pmem collides with 'System RAM' when section aligned and +- * trim it accordingly +- */ +- nsio = to_nd_namespace_io(&ndns->dev); +- start = PHYS_SECTION_ALIGN_DOWN(nsio->res.start); +- size = resource_size(&nsio->res); +- if (region_intersects(start, size, IORESOURCE_SYSTEM_RAM, +- IORES_DESC_NONE) == REGION_MIXED) { +- start = nsio->res.start; +- start_pad = PHYS_SECTION_ALIGN_UP(start) - start; +- } +- +- start = nsio->res.start; +- size = PHYS_SECTION_ALIGN_UP(start + size) - start; +- if (region_intersects(start, size, IORESOURCE_SYSTEM_RAM, +- IORES_DESC_NONE) == REGION_MIXED +- || !IS_ALIGNED(start + resource_size(&nsio->res), +- nd_pfn->align)) { +- size = resource_size(&nsio->res); +- end_trunc = start + size - phys_pmem_align_down(nd_pfn, +- start + size); +- } +- ++ trim_pfn_device(nd_pfn, &start_pad, &end_trunc); + if (start_pad + end_trunc) + dev_info(&nd_pfn->dev, "%s alignment collision, truncate %d bytes\n", + dev_name(&ndns->dev), start_pad + end_trunc); +@@ -642,7 +652,7 @@ static int nd_pfn_init(struct nd_pfn *nd + * implementation will limit the pfns advertised through + * ->direct_access() to those that are included in the memmap. 
+ */ +- start += start_pad; ++ start = nsio->res.start + start_pad; + size = resource_size(&nsio->res); + npfns = PFN_SECTION_ALIGN_UP((size - start_pad - end_trunc - SZ_8K) + / PAGE_SIZE); +--- a/drivers/nvdimm/region_devs.c ++++ b/drivers/nvdimm/region_devs.c +@@ -991,6 +991,47 @@ int nvdimm_has_flush(struct nd_region *n + } + EXPORT_SYMBOL_GPL(nvdimm_has_flush); + ++struct conflict_context { ++ struct nd_region *nd_region; ++ resource_size_t start, size; ++}; ++ ++static int region_conflict(struct device *dev, void *data) ++{ ++ struct nd_region *nd_region; ++ struct conflict_context *ctx = data; ++ resource_size_t res_end, region_end, region_start; ++ ++ if (!is_memory(dev)) ++ return 0; ++ ++ nd_region = to_nd_region(dev); ++ if (nd_region == ctx->nd_region) ++ return 0; ++ ++ res_end = ctx->start + ctx->size; ++ region_start = nd_region->ndr_start; ++ region_end = region_start + nd_region->ndr_size; ++ if (ctx->start >= region_start && ctx->start < region_end) ++ return -EBUSY; ++ if (res_end > region_start && res_end <= region_end) ++ return -EBUSY; ++ return 0; ++} ++ ++int nd_region_conflict(struct nd_region *nd_region, resource_size_t start, ++ resource_size_t size) ++{ ++ struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(&nd_region->dev); ++ struct conflict_context ctx = { ++ .nd_region = nd_region, ++ .start = start, ++ .size = size, ++ }; ++ ++ return device_for_each_child(&nvdimm_bus->dev, &ctx, region_conflict); ++} ++ + void __exit nd_region_devs_exit(void) + { + ida_destroy(®ion_ida); diff --git a/queue-4.9/mac80211-clear-beacon_int-in-ieee80211_do_stop.patch b/queue-4.9/mac80211-clear-beacon_int-in-ieee80211_do_stop.patch new file mode 100644 index 00000000000..82e6f0cfbf0 --- /dev/null +++ b/queue-4.9/mac80211-clear-beacon_int-in-ieee80211_do_stop.patch 
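Review bot: in `trim_pfn_device()`, the end-of-range check passes `size + adjust` to `nd_region_conflict()`, but `size` was already computed as `resource_size(&nsio->res) + adjust` two lines earlier, so the padding is counted twice; the `region_intersects()` call on the line above uses `size` alone, and the two should agree (`nd_region_conflict(nd_region, start, size)`). Separately, `region_conflict()` in region_devs.c only reports a conflict when `ctx->start` or `res_end` falls inside another region, so a range that completely encloses a neighbouring region (`ctx->start < region_start && res_end > region_end`) is not caught; a plain interval-overlap test such as `if (ctx->start < region_end && res_end > region_start) return -EBUSY;` covers all cases in one line.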
@@ -0,0 +1,43 @@ +From 5c21e8100dfd57c806e833ae905e26efbb87840f Mon Sep 17 00:00:00 2001 +From: Ben Greear +Date: Tue, 23 Oct 2018 13:36:52 -0700 +Subject: mac80211: Clear beacon_int in ieee80211_do_stop + +From: Ben Greear + +commit 5c21e8100dfd57c806e833ae905e26efbb87840f upstream. + +This fixes stale beacon-int values that would keep a netdev +from going up. + +To reproduce: + +Create two VAP on one radio. +vap1 has beacon-int 100, start it. +vap2 has beacon-int 240, start it (and it will fail + because beacon-int mismatch). +reconfigure vap2 to have beacon-int 100 and start it. + It will fail because the stale beacon-int 240 will be used + in the ifup path and hostapd never gets a chance to set the + new beacon interval. + +Cc: stable@vger.kernel.org +Signed-off-by: Ben Greear +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/iface.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -1025,6 +1025,8 @@ static void ieee80211_do_stop(struct iee + if (local->open_count == 0) + ieee80211_clear_tx_pending(local); + ++ sdata->vif.bss_conf.beacon_int = 0; ++ + /* + * If the interface goes down while suspended, presumably because + * the device was unplugged and that happens before our resume, diff --git a/queue-4.9/mac80211-fix-reordering-of-buffered-broadcast-packets.patch b/queue-4.9/mac80211-fix-reordering-of-buffered-broadcast-packets.patch new file mode 100644 index 00000000000..efd84f87684 --- /dev/null +++ b/queue-4.9/mac80211-fix-reordering-of-buffered-broadcast-packets.patch 
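Review bot: the new `sdata->vif.bss_conf.beacon_int = 0;` has no comment, and the reason given in the message (a stale value from a failed start is otherwise reused on the next ifup before hostapd can set the new interval) is not obvious from the surrounding code; a one-line comment such as `/* clear so a stale value from a failed start is not reused on the next ifup */` would help the next reader. It is also reset for every interface type on stop, which looks intentional since beacon_int is only meaningful while the interface is up, but saying so in the message would avoid the question.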
@@ -0,0 +1,38 @@ +From 9ec1190d065998650fd9260dea8cf3e1f56c0e8c Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Wed, 28 Nov 2018 22:39:16 +0100 +Subject: mac80211: fix reordering of buffered broadcast packets + +From: Felix Fietkau + +commit 9ec1190d065998650fd9260dea8cf3e1f56c0e8c upstream. + +If the buffered broadcast queue contains packets, letting new packets bypass +that queue can lead to heavy reordering, since the driver is probably throttling +transmission of buffered multicast packets after beacons. + +Keep buffering packets until the buffer has been cleared (and no client +is in powersave mode). + +Cc: stable@vger.kernel.org +Signed-off-by: Felix Fietkau +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/tx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -434,8 +434,8 @@ ieee80211_tx_h_multicast_ps_buf(struct i + if (ieee80211_hw_check(&tx->local->hw, QUEUE_CONTROL)) + info->hw_queue = tx->sdata->vif.cab_queue; + +- /* no stations in PS mode */ +- if (!atomic_read(&ps->num_sta_ps)) ++ /* no stations in PS mode and no buffered packets */ ++ if (!atomic_read(&ps->num_sta_ps) && skb_queue_empty(&ps->bc_buf)) + return TX_CONTINUE; + + info->flags |= IEEE80211_TX_CTL_SEND_AFTER_DTIM; diff --git a/queue-4.9/mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch b/queue-4.9/mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch new file mode 100644 index 00000000000..9bac33a078b --- /dev/null +++ b/queue-4.9/mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch 
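Review bot: `skb_queue_empty(&ps->bc_buf)` is read here without holding the queue lock, which is acceptable for a heuristic (the worst case is one extra frame going through the buffer), but that deserves a note next to the updated `/* no stations in PS mode and no buffered packets */` comment so nobody later "fixes" it by adding locking in the TX path. Also worth stating in the message: once a frame has been buffered, every later multicast frame is buffered until the driver drains `bc_buf`, so with a slowly draining driver all multicast traffic now goes through the after-DTIM path rather than just the frames sent while a client was asleep.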
@@ -0,0 +1,44 @@ +From 990d71846a0b7281bd933c34d734e6afc7408e7e Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Mon, 3 Dec 2018 21:16:07 +0200 +Subject: mac80211: ignore NullFunc frames in the duplicate detection + +From: Emmanuel Grumbach + +commit 990d71846a0b7281bd933c34d734e6afc7408e7e upstream. + +NullFunc packets should never be duplicate just like +QoS-NullFunc packets. + +We saw a client that enters / exits power save with +NullFunc frames (and not with QoS-NullFunc) despite the +fact that the association supports HT. +This specific client also re-uses a non-zero sequence number +for different NullFunc frames. +At some point, the client had to send a retransmission of +the NullFunc frame and we dropped it, leading to a +misalignment in the power save state. +Fix this by never consider a NullFunc frame as duplicate, +just like we do for QoS NullFunc frames. + +This fixes https://bugzilla.kernel.org/show_bug.cgi?id=201449 + +CC: +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/rx.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -1230,6 +1230,7 @@ ieee80211_rx_h_check_dup(struct ieee8021 + return RX_CONTINUE; + + if (ieee80211_is_ctl(hdr->frame_control) || ++ ieee80211_is_nullfunc(hdr->frame_control) || + ieee80211_is_qos_nullfunc(hdr->frame_control) || + is_multicast_ether_addr(hdr->addr1)) + return RX_CONTINUE; diff --git a/queue-4.9/mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch b/queue-4.9/mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch new file mode 100644 index 00000000000..1d8ac61543b --- /dev/null +++ b/queue-4.9/mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch 
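Review bot: the added `ieee80211_is_nullfunc(hdr->frame_control) ||` must stay alongside the existing `ieee80211_is_qos_nullfunc()` test, since the two helpers match different subtype values, so this is not a redundant check; a short comment that both kinds of NullFunc are exempt because stations reuse sequence numbers for them (as the message explains) would keep someone from collapsing the two lines. The trade-off, that a genuinely retransmitted NullFunc now reaches the power-save handling twice, is the behaviour the commit accepts and belongs in that comment too.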
@@ -0,0 +1,35 @@ +From a317e65face482371de30246b6494feb093ff7f9 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Tue, 13 Nov 2018 20:32:13 +0100 +Subject: mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext + +From: Felix Fietkau + +commit a317e65face482371de30246b6494feb093ff7f9 upstream. + +Make it behave like regular ieee80211_tx_status calls, except for the lack of +filtered frame processing. +This fixes spurious low-ack triggered disconnections with powersave clients +connected to an AP. + +Fixes: f027c2aca0cf4 ("mac80211: add ieee80211_tx_status_noskb") +Cc: stable@vger.kernel.org +Signed-off-by: Felix Fietkau +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/status.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/mac80211/status.c ++++ b/net/mac80211/status.c +@@ -660,6 +660,8 @@ void ieee80211_tx_status_noskb(struct ie + /* Track when last TDLS packet was ACKed */ + if (test_sta_flag(sta, WLAN_STA_TDLS_PEER_AUTH)) + sta->status_stats.last_tdls_pkt_time = jiffies; ++ } else if (test_sta_flag(sta, WLAN_STA_PS_STA)) { ++ return; + } else { + ieee80211_lost_packet(sta, info); + } diff --git a/queue-4.9/mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch b/queue-4.9/mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch new file mode 100644 index 00000000000..7009d8a33d0 --- /dev/null +++ b/queue-4.9/mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch 
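Review bot: the Subject names `ieee80211_tx_status_ext`, but the hunk context shows the function being patched in this tree is `ieee80211_tx_status_noskb()`; the backport's subject line or message should say where the fix actually landed. On the change itself, the bare `return;` in the new `else if (test_sta_flag(sta, WLAN_STA_PS_STA))` branch leaves the whole function rather than only skipping `ieee80211_lost_packet()`, so anything after the if/else chain is also skipped for PS stations; if that is intended it matches the "ignore tx status" wording, but a comment saying so would help.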
@@ -0,0 +1,54 @@ +From a1881c9b8a1edef0a5ae1d5c1b61406fe3402114 Mon Sep 17 00:00:00 2001 +From: Vasyl Vavrychuk +Date: Thu, 18 Oct 2018 01:02:12 +0300 +Subject: mac80211_hwsim: Timer should be initialized before device registered + +From: Vasyl Vavrychuk + +commit a1881c9b8a1edef0a5ae1d5c1b61406fe3402114 upstream. + +Otherwise if network manager starts configuring Wi-Fi interface +immidiatelly after getting notification of its creation, we will get +NULL pointer dereference: + + BUG: unable to handle kernel NULL pointer dereference at (null) + IP: [] hrtimer_active+0x28/0x50 + ... + Call Trace: + [] ? hrtimer_try_to_cancel+0x27/0x110 + [] ? hrtimer_cancel+0x15/0x20 + [] ? mac80211_hwsim_config+0x140/0x1c0 [mac80211_hwsim] + +Cc: stable@vger.kernel.org +Signed-off-by: Vasyl Vavrychuk +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mac80211_hwsim.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -2633,6 +2633,10 @@ static int mac80211_hwsim_new_radio(stru + if (param->no_vif) + ieee80211_hw_set(hw, NO_AUTO_VIF); + ++ tasklet_hrtimer_init(&data->beacon_timer, ++ mac80211_hwsim_beacon, ++ CLOCK_MONOTONIC, HRTIMER_MODE_ABS); ++ + err = ieee80211_register_hw(hw); + if (err < 0) { + printk(KERN_DEBUG "mac80211_hwsim: ieee80211_register_hw failed (%d)\n", +@@ -2657,10 +2661,6 @@ static int mac80211_hwsim_new_radio(stru + data->debugfs, + data, &hwsim_simulate_radar); + +- tasklet_hrtimer_init(&data->beacon_timer, +- mac80211_hwsim_beacon, +- CLOCK_MONOTONIC, HRTIMER_MODE_ABS); +- + spin_lock_bh(&hwsim_radio_lock); + list_add_tail(&data->list, &hwsim_radios); + spin_unlock_bh(&hwsim_radio_lock); diff --git a/queue-4.9/series b/queue-4.9/series index eb14eb7d2d7..ec29624f6b8 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
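Review bot: for the hwsim patch, with `tasklet_hrtimer_init()` moved ahead of `ieee80211_register_hw()`, the failure path after `register_hw` does not need to cancel the timer because init alone does not arm it, but a short comment above the moved call explaining why it must precede registration (mac80211 may call `mac80211_hwsim_config()`, which does `hrtimer_cancel()`, as soon as the device is registered, per the trace in the message) would stop someone moving it back beside the debugfs setup. The second hunk is only the mirror of the move, so nothing else changes there.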
@@ -37,3 +37,14 @@ swiotlb-clean-up-reporting.patch vsock-lookup-and-setup-guest_cid-inside-vhost_vsock_.patch vhost-vsock-fix-use-after-free-in-network-stack-call.patch staging-lustre-remove-two-build-warnings.patch +cifs-fix-separator-when-building-path-from-dentry.patch +staging-rtl8712-fix-possible-buffer-overrun.patch +tty-serial-8250_mtk-always-resume-the-device-in-probe.patch +tty-do-not-set-tty_io_error-flag-if-console-port.patch +kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch +libnvdimm-pfn-pad-pfn-namespaces-relative-to-other-regions.patch +mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch +mac80211-clear-beacon_int-in-ieee80211_do_stop.patch +mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch +mac80211-fix-reordering-of-buffered-broadcast-packets.patch +mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch diff --git a/queue-4.9/staging-rtl8712-fix-possible-buffer-overrun.patch b/queue-4.9/staging-rtl8712-fix-possible-buffer-overrun.patch new file mode 100644 index 00000000000..ff0c0945b25 --- /dev/null +++ b/queue-4.9/staging-rtl8712-fix-possible-buffer-overrun.patch 
@@ -0,0 +1,47 @@ +From 300cd664865bed5d50ae0a42fb4e3a6f415e8a10 Mon Sep 17 00:00:00 2001 +From: Young Xiao +Date: Wed, 28 Nov 2018 08:06:53 +0000 +Subject: staging: rtl8712: Fix possible buffer overrun + +From: Young Xiao + +commit 300cd664865bed5d50ae0a42fb4e3a6f415e8a10 upstream. + +In commit 8b7a13c3f404 ("staging: r8712u: Fix possible buffer +overrun") we fix a potential off by one by making the limit smaller. +The better fix is to make the buffer larger. This makes it match up +with the similar code in other drivers. + +Fixes: 8b7a13c3f404 ("staging: r8712u: Fix possible buffer overrun") +Signed-off-by: Young Xiao +Cc: stable +Reviewed-by: Dan Carpenter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8712/mlme_linux.c | 2 +- + drivers/staging/rtl8712/rtl871x_mlme.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/staging/rtl8712/mlme_linux.c ++++ b/drivers/staging/rtl8712/mlme_linux.c +@@ -158,7 +158,7 @@ void r8712_report_sec_ie(struct _adapter + p = buff; + p += sprintf(p, "ASSOCINFO(ReqIEs="); + len = sec_ie[1] + 2; +- len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX - 1; ++ len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX; + for (i = 0; i < len; i++) + p += sprintf(p, "%02x", sec_ie[i]); + p += sprintf(p, ")"); +--- a/drivers/staging/rtl8712/rtl871x_mlme.c ++++ b/drivers/staging/rtl8712/rtl871x_mlme.c +@@ -1365,7 +1365,7 @@ sint r8712_restruct_sec_ie(struct _adapt + u8 *out_ie, uint in_len) + { + u8 authmode = 0, match; +- u8 sec_ie[255], uncst_oui[4], bkup_ie[255]; ++ u8 sec_ie[IW_CUSTOM_MAX], uncst_oui[4], bkup_ie[255]; + u8 wpa_oui[4] = {0x0, 0x50, 0xf2, 0x01}; + uint ielength, cnt, remove_cnt; + int iEntry; diff --git a/queue-4.9/tty-do-not-set-tty_io_error-flag-if-console-port.patch b/queue-4.9/tty-do-not-set-tty_io_error-flag-if-console-port.patch new file mode 100644 index 00000000000..29be64fb287 --- /dev/null +++ b/queue-4.9/tty-do-not-set-tty_io_error-flag-if-console-port.patch 
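Review bot: the two rtl8712 hunks are only consistent if `IW_CUSTOM_MAX` bounds both sides: `r8712_report_sec_ie()` now lets `len` reach `IW_CUSTOM_MAX` and reads `sec_ie[0..IW_CUSTOM_MAX-1]`, which the enlarged `sec_ie[IW_CUSTOM_MAX]` in `r8712_restruct_sec_ie()` satisfies, but `bkup_ie[255]` on the same declaration line is left at 255 and the size of `buff`, which receives `2 * len` hex characters plus the 17-byte `ASSOCINFO(ReqIEs=` prefix, the closing `)` and the terminator, is not visible here; please confirm `buff` holds at least `2 * IW_CUSTOM_MAX + 19` bytes and say whether `bkup_ie` should grow for the same reason. The message says the fix is to make the buffer larger, so it should also mention that the mlme_linux.c hunk reverts the clamp from 8b7a13c3f404.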
@@ -0,0 +1,55 @@ +From 2a48602615e0a2f563549c7d5c8d507f904cf96e Mon Sep 17 00:00:00 2001 +From: Chanho Park +Date: Thu, 22 Nov 2018 18:23:47 +0900 +Subject: tty: do not set TTY_IO_ERROR flag if console port + +From: Chanho Park + +commit 2a48602615e0a2f563549c7d5c8d507f904cf96e upstream. + +Since Commit 761ed4a94582 ('tty: serial_core: convert uart_close to use +tty_port_close') and Commit 4dda864d7307 ('tty: serial_core: Fix serial +console crash on port shutdown), a serial port which is used as +console can be stuck when logging out if there is a remained process. +After logged out, agetty will try to grab the serial port but it will +be failed because the previous process did not release the port +correctly. To fix this, TTY_IO_ERROR bit should not be enabled of +tty_port_close if the port is console port. + +Reproduce step: +- Run background processes from serial console +$ while true; do sleep 10; done & + +- Log out +$ logout +-> Stuck + +- Read journal log by journalctl | tail +Jan 28 16:07:01 ubuntu systemd[1]: Stopped Serial Getty on ttyAMA0. +Jan 28 16:07:01 ubuntu systemd[1]: Started Serial Getty on ttyAMA0. +Jan 28 16:07:02 ubuntu agetty[1643]: /dev/ttyAMA0: not a tty + +Fixes: 761ed4a94582 ("tty: serial_core: convert uart_close to use tty_port_close") +Cc: Geert Uytterhoeven +Cc: Rob Herring +Cc: Jiri Slaby +Signed-off-by: Chanho Park +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/tty_port.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/tty/tty_port.c ++++ b/drivers/tty/tty_port.c +@@ -531,7 +531,8 @@ void tty_port_close(struct tty_port *por + if (tty_port_close_start(port, tty, filp) == 0) + return; + tty_port_shutdown(port, tty); +- set_bit(TTY_IO_ERROR, &tty->flags); ++ if (!port->console) ++ set_bit(TTY_IO_ERROR, &tty->flags); + tty_port_close_end(port, tty); + tty_port_tty_set(port, NULL); + } 
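Review bot: `if (!port->console)` is the whole fix and it is unexplained in the code; the reason (a console port is never genuinely closed, so marking it TTY_IO_ERROR leaves the next getty unable to open it, per the `/dev/ttyAMA0: not a tty` line in the message) should be a comment above the test. It also relies on `port->console` being set for the port in question; drivers whose console registration does not set it keep the old behaviour, which is worth a sentence in the message.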
diff --git a/queue-4.9/tty-serial-8250_mtk-always-resume-the-device-in-probe.patch b/queue-4.9/tty-serial-8250_mtk-always-resume-the-device-in-probe.patch new file mode 100644 index 00000000000..a4bbe7ee585 --- /dev/null +++ b/queue-4.9/tty-serial-8250_mtk-always-resume-the-device-in-probe.patch 
@@ -0,0 +1,69 @@ +From 100bc3e2bebf95506da57cbdf5f26b25f6da4c81 Mon Sep 17 00:00:00 2001 +From: Peter Shih +Date: Tue, 27 Nov 2018 12:49:50 +0800 +Subject: tty: serial: 8250_mtk: always resume the device in probe. + +From: Peter Shih + +commit 100bc3e2bebf95506da57cbdf5f26b25f6da4c81 upstream. + +serial8250_register_8250_port calls uart_config_port, which calls +config_port on the port before it tries to power on the port. So we need +the port to be on before calling serial8250_register_8250_port. Change +the code to always do a runtime resume in probe before registering port, +and always do a runtime suspend in remove. + +This basically reverts the change in commit 68e5fc4a255a ("tty: serial: +8250_mtk: use pm_runtime callbacks for enabling"), but still use +pm_runtime callbacks. + +Fixes: 68e5fc4a255a ("tty: serial: 8250_mtk: use pm_runtime callbacks for enabling") +Signed-off-by: Peter Shih +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/8250/8250_mtk.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +--- a/drivers/tty/serial/8250/8250_mtk.c ++++ b/drivers/tty/serial/8250/8250_mtk.c +@@ -225,17 +225,17 @@ static int mtk8250_probe(struct platform + + platform_set_drvdata(pdev, data); + +- pm_runtime_enable(&pdev->dev); +- if (!pm_runtime_enabled(&pdev->dev)) { +- err = mtk8250_runtime_resume(&pdev->dev); +- if (err) +- return err; +- } ++ err = mtk8250_runtime_resume(&pdev->dev); ++ if (err) ++ return err; + + data->line = serial8250_register_8250_port(&uart); + if (data->line < 0) + return data->line; + ++ pm_runtime_set_active(&pdev->dev); ++ pm_runtime_enable(&pdev->dev); ++ + return 0; + } + +@@ -246,13 +246,11 @@ static int mtk8250_remove(struct platfor + pm_runtime_get_sync(&pdev->dev); + + serial8250_unregister_port(data->line); ++ mtk8250_runtime_suspend(&pdev->dev); + + pm_runtime_disable(&pdev->dev); + pm_runtime_put_noidle(&pdev->dev); + +- if (!pm_runtime_status_suspended(&pdev->dev)) +- 
mtk8250_runtime_suspend(&pdev->dev); +- + return 0; + } +
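Review bot: in the probe hunk, if `serial8250_register_8250_port()` fails (`data->line < 0`) the function returns after `mtk8250_runtime_resume()` has already succeeded, so the clocks it enabled are never turned off again; that path needs a `mtk8250_runtime_suspend(&pdev->dev);` before `return data->line;`. In the remove hunk, `mtk8250_runtime_suspend()` is now called unconditionally while runtime PM is still enabled and the device has been forced active by `pm_runtime_get_sync()`, which is what the message intends, but a comment that the hardware state is deliberately taken down ahead of `pm_runtime_disable()` / `pm_runtime_put_noidle()` would make the ordering clear to the next reader.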