From: Sasha Levin Date: Thu, 19 Sep 2019 18:08:17 +0000 (-0400) Subject: fixes for 4.14 X-Git-Tag: v4.4.194~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=802a3c7beabc856f31b852fa8cb635a3c32798b8;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/amd-xgbe-fix-error-path-in-xgbe_mod_init.patch b/queue-4.14/amd-xgbe-fix-error-path-in-xgbe_mod_init.patch new file mode 100644 index 00000000000..7b2860c4e0a --- /dev/null +++ b/queue-4.14/amd-xgbe-fix-error-path-in-xgbe_mod_init.patch @@ -0,0 +1,50 @@ +From 7b774582f6bf546295f500ecd0b76056eec6592c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2019 10:46:00 +0800 +Subject: amd-xgbe: Fix error path in xgbe_mod_init() + +From: YueHaibing + +[ Upstream commit b6b4dc4c1fa7f1c99398e7dc85758049645e9588 ] + +In xgbe_mod_init(), we should do cleanup if some error occurs + +Reported-by: Hulk Robot +Fixes: efbaa828330a ("amd-xgbe: Add support to handle device renaming") +Fixes: 47f164deab22 ("amd-xgbe: Add PCI device support") +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-main.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-main.c b/drivers/net/ethernet/amd/xgbe/xgbe-main.c +index e31d9d1fb6a66..e4e632e025d31 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-main.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-main.c +@@ -487,13 +487,19 @@ static int __init xgbe_mod_init(void) + + ret = xgbe_platform_init(); + if (ret) +- return ret; ++ goto err_platform_init; + + ret = xgbe_pci_init(); + if (ret) +- return ret; ++ goto err_pci_init; + + return 0; ++ ++err_pci_init: ++ xgbe_platform_exit(); ++err_platform_init: ++ unregister_netdevice_notifier(&xgbe_netdev_notifier); ++ return ret; + } + + static void __exit xgbe_mod_exit(void) +-- +2.20.1 + diff --git a/queue-4.14/arm-8874-1-mm-only-adjust-sections-of-valid-mm-struc.patch b/queue-4.14/arm-8874-1-mm-only-adjust-sections-of-valid-mm-struc.patch new file mode 100644 index 00000000000..a4ccc8bb851 --- /dev/null +++ b/queue-4.14/arm-8874-1-mm-only-adjust-sections-of-valid-mm-struc.patch @@ -0,0 +1,52 @@ +From d5168eace8179fa8de0172d0628a82cb295e9a24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jul 2019 18:50:11 +0100 +Subject: ARM: 8874/1: mm: only adjust sections of valid mm structures + +From: Doug Berger + +[ Upstream commit c51bc12d06b3a5494fbfcbd788a8e307932a06e9 ] + +A timing hazard exists when an early fork/exec thread begins +exiting and sets its mm pointer to NULL while a separate core +tries to update the section information. + +This commit ensures that the mm pointer is not NULL before +setting its section parameters. The arguments provided by +commit 11ce4b33aedc ("ARM: 8672/1: mm: remove tasklist locking +from update_sections_early()") are equally valid for not +requiring grabbing the task_lock around this check. + +Fixes: 08925c2f124f ("ARM: 8464/1: Update all mm structures with section adjustments") +Signed-off-by: Doug Berger +Acked-by: Laura Abbott +Cc: Mike Rapoport +Cc: Andrew Morton +Cc: Florian Fainelli +Cc: Rob Herring +Cc: "Steven Rostedt (VMware)" +Cc: Peng Fan +Cc: Geert Uytterhoeven +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/mm/init.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c +index defb7fc264280..4fa12fcf1f5d8 100644 +--- a/arch/arm/mm/init.c ++++ b/arch/arm/mm/init.c +@@ -722,7 +722,8 @@ static void update_sections_early(struct section_perm perms[], int n) + if (t->flags & PF_KTHREAD) + continue; + for_each_thread(t, s) +- set_section_perms(perms, n, true, s->mm); ++ if (s->mm) ++ set_section_perms(perms, n, true, s->mm); + } + set_section_perms(perms, n, true, current->active_mm); + set_section_perms(perms, n, true, &init_mm); +-- +2.20.1 + diff --git a/queue-4.14/arm-8901-1-add-a-criteria-for-pfn_valid-of-arm.patch b/queue-4.14/arm-8901-1-add-a-criteria-for-pfn_valid-of-arm.patch new file mode 100644 index 00000000000..7d9ccf291fa --- /dev/null +++ b/queue-4.14/arm-8901-1-add-a-criteria-for-pfn_valid-of-arm.patch @@ -0,0 +1,50 @@ +From fe8e576af7b62a7f6f1fa3234b4bdd60c75b0567 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2019 04:07:37 +0100 +Subject: ARM: 8901/1: add a criteria for pfn_valid of arm + +From: zhaoyang + +[ Upstream commit 5b3efa4f1479c91cb8361acef55f9c6662feba57 ] + +pfn_valid can be wrong when parsing a invalid pfn whose phys address +exceeds BITS_PER_LONG as the MSB will be trimed when shifted. + +The issue originally arise from bellowing call stack, which corresponding to +an access of the /proc/kpageflags from userspace with a invalid pfn parameter +and leads to kernel panic. + +[46886.723249] c7 [] (stable_page_flags) from [] +[46886.723264] c7 [] (kpageflags_read) from [] +[46886.723280] c7 [] (proc_reg_read) from [] +[46886.723290] c7 [] (__vfs_read) from [] +[46886.723301] c7 [] (vfs_read) from [] +[46886.723315] c7 [] (SyS_pread64) from [] +(ret_fast_syscall+0x0/0x28) + +Signed-off-by: Zhaoyang Huang +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/mm/init.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c +index 4fa12fcf1f5d8..27a40101dd3a7 100644 +--- a/arch/arm/mm/init.c ++++ b/arch/arm/mm/init.c +@@ -195,6 +195,11 @@ static void __init zone_sizes_init(unsigned long min, unsigned long max_low, + #ifdef CONFIG_HAVE_ARCH_PFN_VALID + int pfn_valid(unsigned long pfn) + { ++ phys_addr_t addr = __pfn_to_phys(pfn); ++ ++ if (__phys_to_pfn(addr) != pfn) ++ return 0; ++ + return memblock_is_map_memory(__pfn_to_phys(pfn)); + } + EXPORT_SYMBOL(pfn_valid); +-- +2.20.1 + diff --git a/queue-4.14/arm-dts-dra74x-fix-iodelay-configuration-for-mmc3.patch b/queue-4.14/arm-dts-dra74x-fix-iodelay-configuration-for-mmc3.patch new file mode 100644 index 00000000000..c14dfb80f19 --- /dev/null +++ b/queue-4.14/arm-dts-dra74x-fix-iodelay-configuration-for-mmc3.patch @@ -0,0 +1,110 @@ +From e2d90ba5402529f0d4bcb489f1abdd3f075036c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Aug 2019 16:22:38 +0530 +Subject: ARM: dts: dra74x: Fix iodelay configuration for mmc3 + +From: Faiz Abbas + +[ Upstream commit 07f9a8be66a9bd86f9eaedf8f8aeb416195adab8 ] + +According to the latest am572x[1] and dra74x[2] data manuals, mmc3 +default, hs, sdr12 and sdr25 modes use iodelay values given in +MMC3_MANUAL1. Set the MODE_SELECT bit for these so that manual mode is +selected and correct iodelay values can be configured. + +[1] http://www.ti.com/lit/ds/symlink/am5728.pdf +[2] http://www.ti.com/lit/ds/symlink/dra746.pdf + +Signed-off-by: Faiz Abbas +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/dra74x-mmc-iodelay.dtsi | 50 +++++++++++------------ + 1 file changed, 25 insertions(+), 25 deletions(-) + +diff --git a/arch/arm/boot/dts/dra74x-mmc-iodelay.dtsi b/arch/arm/boot/dts/dra74x-mmc-iodelay.dtsi +index 28ebb4eb884a9..214b9e6de2c35 100644 +--- a/arch/arm/boot/dts/dra74x-mmc-iodelay.dtsi ++++ b/arch/arm/boot/dts/dra74x-mmc-iodelay.dtsi +@@ -32,7 +32,7 @@ + * + * Datamanual Revisions: + * +- * AM572x Silicon Revision 2.0: SPRS953B, Revised November 2016 ++ * AM572x Silicon Revision 2.0: SPRS953F, Revised May 2019 + * AM572x Silicon Revision 1.1: SPRS915R, Revised November 2016 + * + */ +@@ -229,45 +229,45 @@ + + mmc3_pins_default: mmc3_pins_default { + pinctrl-single,pins = < +- DRA7XX_CORE_IOPAD(0x377c, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_clk.mmc3_clk */ +- DRA7XX_CORE_IOPAD(0x3780, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_cmd.mmc3_cmd */ +- DRA7XX_CORE_IOPAD(0x3784, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat0.mmc3_dat0 */ +- DRA7XX_CORE_IOPAD(0x3788, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat1.mmc3_dat1 */ +- DRA7XX_CORE_IOPAD(0x378c, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat2.mmc3_dat2 */ +- DRA7XX_CORE_IOPAD(0x3790, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat3.mmc3_dat3 */ ++ DRA7XX_CORE_IOPAD(0x377c, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_clk.mmc3_clk */ ++ DRA7XX_CORE_IOPAD(0x3780, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_cmd.mmc3_cmd */ ++ DRA7XX_CORE_IOPAD(0x3784, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat0.mmc3_dat0 */ ++ DRA7XX_CORE_IOPAD(0x3788, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat1.mmc3_dat1 */ ++ DRA7XX_CORE_IOPAD(0x378c, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat2.mmc3_dat2 */ ++ DRA7XX_CORE_IOPAD(0x3790, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat3.mmc3_dat3 */ + >; + }; + + mmc3_pins_hs: mmc3_pins_hs { + pinctrl-single,pins = < +- DRA7XX_CORE_IOPAD(0x377c, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_clk.mmc3_clk */ +- DRA7XX_CORE_IOPAD(0x3780, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_cmd.mmc3_cmd */ +- DRA7XX_CORE_IOPAD(0x3784, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat0.mmc3_dat0 */ +- DRA7XX_CORE_IOPAD(0x3788, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat1.mmc3_dat1 */ +- DRA7XX_CORE_IOPAD(0x378c, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat2.mmc3_dat2 */ +- DRA7XX_CORE_IOPAD(0x3790, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat3.mmc3_dat3 */ ++ DRA7XX_CORE_IOPAD(0x377c, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_clk.mmc3_clk */ ++ DRA7XX_CORE_IOPAD(0x3780, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_cmd.mmc3_cmd */ ++ DRA7XX_CORE_IOPAD(0x3784, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat0.mmc3_dat0 */ ++ DRA7XX_CORE_IOPAD(0x3788, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat1.mmc3_dat1 */ ++ DRA7XX_CORE_IOPAD(0x378c, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat2.mmc3_dat2 */ ++ DRA7XX_CORE_IOPAD(0x3790, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat3.mmc3_dat3 */ + >; + }; + + mmc3_pins_sdr12: mmc3_pins_sdr12 { + pinctrl-single,pins = < +- DRA7XX_CORE_IOPAD(0x377c, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_clk.mmc3_clk */ +- DRA7XX_CORE_IOPAD(0x3780, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_cmd.mmc3_cmd */ +- DRA7XX_CORE_IOPAD(0x3784, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat0.mmc3_dat0 */ +- DRA7XX_CORE_IOPAD(0x3788, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat1.mmc3_dat1 */ +- DRA7XX_CORE_IOPAD(0x378c, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat2.mmc3_dat2 */ +- DRA7XX_CORE_IOPAD(0x3790, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat3.mmc3_dat3 */ ++ DRA7XX_CORE_IOPAD(0x377c, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_clk.mmc3_clk */ ++ DRA7XX_CORE_IOPAD(0x3780, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_cmd.mmc3_cmd */ ++ DRA7XX_CORE_IOPAD(0x3784, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat0.mmc3_dat0 */ ++ DRA7XX_CORE_IOPAD(0x3788, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat1.mmc3_dat1 */ ++ DRA7XX_CORE_IOPAD(0x378c, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat2.mmc3_dat2 */ ++ DRA7XX_CORE_IOPAD(0x3790, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat3.mmc3_dat3 */ + >; + }; + + mmc3_pins_sdr25: mmc3_pins_sdr25 { + pinctrl-single,pins = < +- DRA7XX_CORE_IOPAD(0x377c, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_clk.mmc3_clk */ +- DRA7XX_CORE_IOPAD(0x3780, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_cmd.mmc3_cmd */ +- DRA7XX_CORE_IOPAD(0x3784, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat0.mmc3_dat0 */ +- DRA7XX_CORE_IOPAD(0x3788, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat1.mmc3_dat1 */ +- DRA7XX_CORE_IOPAD(0x378c, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat2.mmc3_dat2 */ +- DRA7XX_CORE_IOPAD(0x3790, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat3.mmc3_dat3 */ ++ DRA7XX_CORE_IOPAD(0x377c, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_clk.mmc3_clk */ ++ DRA7XX_CORE_IOPAD(0x3780, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_cmd.mmc3_cmd */ ++ DRA7XX_CORE_IOPAD(0x3784, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat0.mmc3_dat0 */ ++ DRA7XX_CORE_IOPAD(0x3788, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat1.mmc3_dat1 */ ++ DRA7XX_CORE_IOPAD(0x378c, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat2.mmc3_dat2 */ ++ DRA7XX_CORE_IOPAD(0x3790, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat3.mmc3_dat3 */ + >; + }; + +-- +2.20.1 + diff --git a/queue-4.14/arm-omap2-fix-missing-sysc_has_reset_status-for-dra7.patch b/queue-4.14/arm-omap2-fix-missing-sysc_has_reset_status-for-dra7.patch new file mode 100644 index 00000000000..3ef19ac764b --- /dev/null +++ b/queue-4.14/arm-omap2-fix-missing-sysc_has_reset_status-for-dra7.patch @@ -0,0 +1,40 @@ +From eb76a4f6d5a2abf28ffb3ee71d994dcabd7d8fe8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2019 03:44:52 -0700 +Subject: ARM: OMAP2+: Fix missing SYSC_HAS_RESET_STATUS for dra7 epwmss + +From: Tony Lindgren + +[ Upstream commit afd58b162e48076e3fe66d08a69eefbd6fe71643 ] + +TRM says PWMSS_SYSCONFIG bit for SOFTRESET changes to zero when +reset is completed. Let's configure it as otherwise we get warnings +on boot when we check the data against dts provided data. Eventually +the legacy platform data will be just dropped, but let's fix the +warning first. + +Reviewed-by: Suman Anna +Tested-by: Keerthy +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/omap_hwmod_7xx_data.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mach-omap2/omap_hwmod_7xx_data.c b/arch/arm/mach-omap2/omap_hwmod_7xx_data.c +index 2f4f7002f38d0..87b0c38b7ca59 100644 +--- a/arch/arm/mach-omap2/omap_hwmod_7xx_data.c ++++ b/arch/arm/mach-omap2/omap_hwmod_7xx_data.c +@@ -389,7 +389,8 @@ static struct omap_hwmod dra7xx_dcan2_hwmod = { + static struct omap_hwmod_class_sysconfig dra7xx_epwmss_sysc = { + .rev_offs = 0x0, + .sysc_offs = 0x4, +- .sysc_flags = SYSC_HAS_SIDLEMODE | SYSC_HAS_SOFTRESET, ++ .sysc_flags = SYSC_HAS_SIDLEMODE | SYSC_HAS_SOFTRESET | ++ SYSC_HAS_RESET_STATUS, + .idlemodes = (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART), + .sysc_fields = &omap_hwmod_sysc_type2, + }; +-- +2.20.1 + diff --git a/queue-4.14/arm-omap2-fix-omap4-errata-warning-on-other-socs.patch b/queue-4.14/arm-omap2-fix-omap4-errata-warning-on-other-socs.patch new file mode 100644 index 00000000000..6dcdea6c9d3 --- /dev/null +++ b/queue-4.14/arm-omap2-fix-omap4-errata-warning-on-other-socs.patch @@ -0,0 +1,45 @@ +From f7d45c558b4c894c63dfb21ceba854ffdc52b4b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jul 2019 04:37:45 -0700 +Subject: ARM: OMAP2+: Fix omap4 errata warning on other SoCs + +From: Tony Lindgren + +[ Upstream commit 45da5e09dd32fa98c32eaafe2513db6bd75e2f4f ] + +We have errata i688 workaround produce warnings on SoCs other than +omap4 and omap5: + +omap4_sram_init:Unable to allocate sram needed to handle errata I688 +omap4_sram_init:Unable to get sram pool needed to handle errata I688 + +This is happening because there is no ti,omap4-mpu node, or no SRAM +to configure for the other SoCs, so let's remove the warning based +on the SoC revision checks. + +As nobody has complained it seems that the other SoC variants do not +need this workaround. + +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/omap4-common.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm/mach-omap2/omap4-common.c b/arch/arm/mach-omap2/omap4-common.c +index cf65ab8bb0046..e5dcbda20129d 100644 +--- a/arch/arm/mach-omap2/omap4-common.c ++++ b/arch/arm/mach-omap2/omap4-common.c +@@ -131,6 +131,9 @@ static int __init omap4_sram_init(void) + struct device_node *np; + struct gen_pool *sram_pool; + ++ if (!soc_is_omap44xx() && !soc_is_omap54xx()) ++ return 0; ++ + np = of_find_compatible_node(NULL, NULL, "ti,omap4-mpu"); + if (!np) + pr_warn("%s:Unable to allocate sram needed to handle errata I688\n", +-- +2.20.1 + diff --git a/queue-4.14/batman-adv-only-read-ogm2-tvlv_len-after-buffer-len-.patch b/queue-4.14/batman-adv-only-read-ogm2-tvlv_len-after-buffer-len-.patch new file mode 100644 index 00000000000..377c5ef3265 --- /dev/null +++ b/queue-4.14/batman-adv-only-read-ogm2-tvlv_len-after-buffer-len-.patch @@ -0,0 +1,73 @@ +From ef117dd7a80187b149257ffb74a94d3468785d47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2019 08:55:36 +0200 +Subject: batman-adv: Only read OGM2 tvlv_len after buffer len check + +From: Sven Eckelmann + +[ Upstream commit 0ff0f15a32c093381ad1abc06abe85afb561ab28 ] + +Multiple batadv_ogm2_packet can be stored in an skbuff. The functions +batadv_v_ogm_send_to_if() uses batadv_v_ogm_aggr_packet() to check if there +is another additional batadv_ogm2_packet in the skb or not before they +continue processing the packet. + +The length for such an OGM2 is BATADV_OGM2_HLEN + +batadv_ogm2_packet->tvlv_len. The check must first check that at least +BATADV_OGM2_HLEN bytes are available before it accesses tvlv_len (which is +part of the header. Otherwise it might try read outside of the currently +available skbuff to get the content of tvlv_len. + +Fixes: 9323158ef9f4 ("batman-adv: OGMv2 - implement originators logic") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/bat_v_ogm.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c +index 8be61734fc43c..e07f636160b67 100644 +--- a/net/batman-adv/bat_v_ogm.c ++++ b/net/batman-adv/bat_v_ogm.c +@@ -642,17 +642,23 @@ batadv_v_ogm_process_per_outif(struct batadv_priv *bat_priv, + * batadv_v_ogm_aggr_packet - checks if there is another OGM aggregated + * @buff_pos: current position in the skb + * @packet_len: total length of the skb +- * @tvlv_len: tvlv length of the previously considered OGM ++ * @ogm2_packet: potential OGM2 in buffer + * + * Return: true if there is enough space for another OGM, false otherwise. + */ +-static bool batadv_v_ogm_aggr_packet(int buff_pos, int packet_len, +- __be16 tvlv_len) ++static bool ++batadv_v_ogm_aggr_packet(int buff_pos, int packet_len, ++ const struct batadv_ogm2_packet *ogm2_packet) + { + int next_buff_pos = 0; + +- next_buff_pos += buff_pos + BATADV_OGM2_HLEN; +- next_buff_pos += ntohs(tvlv_len); ++ /* check if there is enough space for the header */ ++ next_buff_pos += buff_pos + sizeof(*ogm2_packet); ++ if (next_buff_pos > packet_len) ++ return false; ++ ++ /* check if there is enough space for the optional TVLV */ ++ next_buff_pos += ntohs(ogm2_packet->tvlv_len); + + return (next_buff_pos <= packet_len) && + (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES); +@@ -829,7 +835,7 @@ int batadv_v_ogm_packet_recv(struct sk_buff *skb, + ogm_packet = (struct batadv_ogm2_packet *)skb->data; + + while (batadv_v_ogm_aggr_packet(ogm_offset, skb_headlen(skb), +- ogm_packet->tvlv_len)) { ++ ogm_packet)) { + batadv_v_ogm_process(skb, ogm_offset, if_incoming); + + ogm_offset += BATADV_OGM2_HLEN; +-- +2.20.1 + diff --git a/queue-4.14/cifs-set-domainname-when-a-domain-key-is-used-in-mul.patch b/queue-4.14/cifs-set-domainname-when-a-domain-key-is-used-in-mul.patch new file mode 100644 index 00000000000..1d101b0f53f --- /dev/null +++ b/queue-4.14/cifs-set-domainname-when-a-domain-key-is-used-in-mul.patch @@ -0,0 +1,72 @@ +From 4fbedd9f8cb40b6aad2b94b95c7628057aa0719b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2019 08:09:50 +1000 +Subject: cifs: set domainName when a domain-key is used in multiuser + +From: Ronnie Sahlberg + +[ Upstream commit f2aee329a68f5a907bcff11a109dfe17c0b41aeb ] + +RHBZ: 1710429 + +When we use a domain-key to authenticate using multiuser we must also set +the domainnmame for the new volume as it will be used and passed to the server +in the NTLMSSP Domain-name. + +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/connect.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 57c62ff4e8d6d..699e763ea671a 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -2542,6 +2542,7 @@ static int + cifs_set_cifscreds(struct smb_vol *vol, struct cifs_ses *ses) + { + int rc = 0; ++ int is_domain = 0; + const char *delim, *payload; + char *desc; + ssize_t len; +@@ -2589,6 +2590,7 @@ cifs_set_cifscreds(struct smb_vol *vol, struct cifs_ses *ses) + rc = PTR_ERR(key); + goto out_err; + } ++ is_domain = 1; + } + + down_read(&key->sem); +@@ -2646,6 +2648,26 @@ cifs_set_cifscreds(struct smb_vol *vol, struct cifs_ses *ses) + goto out_key_put; + } + ++ /* ++ * If we have a domain key then we must set the domainName in the ++ * for the request. ++ */ ++ if (is_domain && ses->domainName) { ++ vol->domainname = kstrndup(ses->domainName, ++ strlen(ses->domainName), ++ GFP_KERNEL); ++ if (!vol->domainname) { ++ cifs_dbg(FYI, "Unable to allocate %zd bytes for " ++ "domain\n", len); ++ rc = -ENOMEM; ++ kfree(vol->username); ++ vol->username = NULL; ++ kfree(vol->password); ++ vol->password = NULL; ++ goto out_key_put; ++ } ++ } ++ + out_key_put: + up_read(&key->sem); + key_put(key); +-- +2.20.1 + diff --git a/queue-4.14/cifs-use-kzfree-to-zero-out-the-password.patch b/queue-4.14/cifs-use-kzfree-to-zero-out-the-password.patch new file mode 100644 index 00000000000..26859271fa4 --- /dev/null +++ b/queue-4.14/cifs-use-kzfree-to-zero-out-the-password.patch @@ -0,0 +1,35 @@ +From 8ba5d54b0570269487ce4dc673ef76ff04e56b15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2019 13:59:17 +0300 +Subject: cifs: Use kzfree() to zero out the password + +From: Dan Carpenter + +[ Upstream commit 478228e57f81f6cb60798d54fc02a74ea7dd267e ] + +It's safer to zero out the password so that it can never be disclosed. + +Fixes: 0c219f5799c7 ("cifs: set domainName when a domain-key is used in multiuser") +Signed-off-by: Dan Carpenter +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/connect.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 699e763ea671a..f523a9ca9574f 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -2662,7 +2662,7 @@ cifs_set_cifscreds(struct smb_vol *vol, struct cifs_ses *ses) + rc = -ENOMEM; + kfree(vol->username); + vol->username = NULL; +- kfree(vol->password); ++ kzfree(vol->password); + vol->password = NULL; + goto out_key_put; + } +-- +2.20.1 + diff --git a/queue-4.14/dmaengine-ti-dma-crossbar-fix-a-memory-leak-bug.patch b/queue-4.14/dmaengine-ti-dma-crossbar-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..11a84f7d7a8 --- /dev/null +++ b/queue-4.14/dmaengine-ti-dma-crossbar-fix-a-memory-leak-bug.patch @@ -0,0 +1,43 @@ +From 76efcdd5792d35ae001a99286727e60bb77eebf9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Aug 2019 01:48:55 -0500 +Subject: dmaengine: ti: dma-crossbar: Fix a memory leak bug + +From: Wenwen Wang + +[ Upstream commit 2c231c0c1dec42192aca0f87f2dc68b8f0cbc7d2 ] + +In ti_dra7_xbar_probe(), 'rsv_events' is allocated through kcalloc(). Then +of_property_read_u32_array() is invoked to search for the property. +However, if this process fails, 'rsv_events' is not deallocated, leading to +a memory leak bug. To fix this issue, free 'rsv_events' before returning +the error. + +Signed-off-by: Wenwen Wang +Acked-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/1565938136-7249-1-git-send-email-wenwen@cs.uga.edu +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ti-dma-crossbar.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/ti-dma-crossbar.c b/drivers/dma/ti-dma-crossbar.c +index 9272b173c7465..6574cb5a12fee 100644 +--- a/drivers/dma/ti-dma-crossbar.c ++++ b/drivers/dma/ti-dma-crossbar.c +@@ -395,8 +395,10 @@ static int ti_dra7_xbar_probe(struct platform_device *pdev) + + ret = of_property_read_u32_array(node, pname, (u32 *)rsv_events, + nelm * 2); +- if (ret) ++ if (ret) { ++ kfree(rsv_events); + return ret; ++ } + + for (i = 0; i < nelm; i++) { + ti_dra7_xbar_reserve(rsv_events[i][0], rsv_events[i][1], +-- +2.20.1 + diff --git a/queue-4.14/dmaengine-ti-omap-dma-add-cleanup-in-omap_dma_probe.patch b/queue-4.14/dmaengine-ti-omap-dma-add-cleanup-in-omap_dma_probe.patch new file mode 100644 index 00000000000..28623a82439 --- /dev/null +++ b/queue-4.14/dmaengine-ti-omap-dma-add-cleanup-in-omap_dma_probe.patch @@ -0,0 +1,41 @@ +From 01fc91364a31e55d7f72b390b4a526dbd7334dd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Aug 2019 01:56:08 -0500 +Subject: dmaengine: ti: omap-dma: Add cleanup in omap_dma_probe() + +From: Wenwen Wang + +[ Upstream commit 962411b05a6d3342aa649e39cda1704c1fc042c6 ] + +If devm_request_irq() fails to disable all interrupts, no cleanup is +performed before retuning the error. To fix this issue, invoke +omap_dma_free() to do the cleanup. + +Signed-off-by: Wenwen Wang +Acked-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/1565938570-7528-1-git-send-email-wenwen@cs.uga.edu +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/omap-dma.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/omap-dma.c b/drivers/dma/omap-dma.c +index 8c1665c8fe33a..14b560facf779 100644 +--- a/drivers/dma/omap-dma.c ++++ b/drivers/dma/omap-dma.c +@@ -1534,8 +1534,10 @@ static int omap_dma_probe(struct platform_device *pdev) + + rc = devm_request_irq(&pdev->dev, irq, omap_dma_irq, + IRQF_SHARED, "omap-dma-engine", od); +- if (rc) ++ if (rc) { ++ omap_dma_free(od); + return rc; ++ } + } + + if (omap_dma_glbl_read(od, CAPS_0) & CAPS_0_SUPPORT_LL123) +-- +2.20.1 + diff --git a/queue-4.14/fpga-altera-ps-spi-fix-getting-of-optional-confd-gpi.patch b/queue-4.14/fpga-altera-ps-spi-fix-getting-of-optional-confd-gpi.patch new file mode 100644 index 00000000000..bb909aa2854 --- /dev/null +++ b/queue-4.14/fpga-altera-ps-spi-fix-getting-of-optional-confd-gpi.patch @@ -0,0 +1,54 @@ +From 640d709aa466115c1a71e5b22955a270fc643905 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jul 2019 10:48:45 +0800 +Subject: fpga: altera-ps-spi: Fix getting of optional confd gpio + +From: Phil Reid + +[ Upstream commit dec43da46f63eb71f519d963ba6832838e4262a3 ] + +Currently the driver does not handle EPROBE_DEFER for the confd gpio. +Use devm_gpiod_get_optional() instead of devm_gpiod_get() and return +error codes from altera_ps_probe(). + +Fixes: 5692fae0742d ("fpga manager: Add altera-ps-spi driver for Altera FPGAs") +Signed-off-by: Phil Reid +Signed-off-by: Moritz Fischer +Signed-off-by: Sasha Levin +--- + drivers/fpga/altera-ps-spi.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/fpga/altera-ps-spi.c b/drivers/fpga/altera-ps-spi.c +index 06d212a3d49dd..19b1cf8a82528 100644 +--- a/drivers/fpga/altera-ps-spi.c ++++ b/drivers/fpga/altera-ps-spi.c +@@ -207,7 +207,7 @@ static int altera_ps_write_complete(struct fpga_manager *mgr, + return -EIO; + } + +- if (!IS_ERR(conf->confd)) { ++ if (conf->confd) { + if (!gpiod_get_raw_value_cansleep(conf->confd)) { + dev_err(&mgr->dev, "CONF_DONE is inactive!\n"); + return -EIO; +@@ -263,10 +263,13 @@ static int altera_ps_probe(struct spi_device *spi) + return PTR_ERR(conf->status); + } + +- conf->confd = devm_gpiod_get(&spi->dev, "confd", GPIOD_IN); ++ conf->confd = devm_gpiod_get_optional(&spi->dev, "confd", GPIOD_IN); + if (IS_ERR(conf->confd)) { +- dev_warn(&spi->dev, "Not using confd gpio: %ld\n", +- PTR_ERR(conf->confd)); ++ dev_err(&spi->dev, "Failed to get confd gpio: %ld\n", ++ PTR_ERR(conf->confd)); ++ return PTR_ERR(conf->confd); ++ } else if (!conf->confd) { ++ dev_warn(&spi->dev, "Not using confd gpio"); + } + + /* Register manager with unique name */ +-- +2.20.1 + diff --git a/queue-4.14/i2c-designware-synchronize-irqs-when-unregistering-s.patch b/queue-4.14/i2c-designware-synchronize-irqs-when-unregistering-s.patch new file mode 100644 index 00000000000..4b7a6374fc8 --- /dev/null +++ b/queue-4.14/i2c-designware-synchronize-irqs-when-unregistering-s.patch @@ -0,0 +1,39 @@ +From 538b7236d001561bce7c87f34d9621d0c262934d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Aug 2019 16:52:11 +0300 +Subject: i2c: designware: Synchronize IRQs when unregistering slave client + +From: Jarkko Nikula + +[ Upstream commit c486dcd2f1bbdd524a1e0149734b79e4ae329650 ] + +Make sure interrupt handler i2c_dw_irq_handler_slave() has finished +before clearing the the dev->slave pointer in i2c_dw_unreg_slave(). + +There is possibility for a race if i2c_dw_irq_handler_slave() is running +on another CPU while clearing the dev->slave pointer. + +Reported-by: Krzysztof Adamski +Reported-by: Wolfram Sang +Signed-off-by: Jarkko Nikula +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-designware-slave.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/i2c/busses/i2c-designware-slave.c b/drivers/i2c/busses/i2c-designware-slave.c +index ea9578ab19a15..fccf936f4b9b5 100644 +--- a/drivers/i2c/busses/i2c-designware-slave.c ++++ b/drivers/i2c/busses/i2c-designware-slave.c +@@ -206,6 +206,7 @@ static int i2c_dw_unreg_slave(struct i2c_client *slave) + + dev->disable_int(dev); + dev->disable(dev); ++ synchronize_irq(dev->irq); + dev->slave = NULL; + pm_runtime_put(dev->dev); + +-- +2.20.1 + diff --git a/queue-4.14/iommu-amd-fix-race-in-increase_address_space.patch b/queue-4.14/iommu-amd-fix-race-in-increase_address_space.patch new file mode 100644 index 00000000000..ff222647eae --- /dev/null +++ b/queue-4.14/iommu-amd-fix-race-in-increase_address_space.patch @@ -0,0 +1,73 @@ +From e3f62180b7552ca80f78088920a6a6dde09fa7f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2019 10:39:54 +0200 +Subject: iommu/amd: Fix race in increase_address_space() + +From: Joerg Roedel + +[ Upstream commit 754265bcab78a9014f0f99cd35e0d610fcd7dfa7 ] + +After the conversion to lock-less dma-api call the +increase_address_space() function can be called without any +locking. Multiple CPUs could potentially race for increasing +the address space, leading to invalid domain->mode settings +and invalid page-tables. This has been happening in the wild +under high IO load and memory pressure. + +Fix the race by locking this operation. The function is +called infrequently so that this does not introduce +a performance regression in the dma-api path again. + +Reported-by: Qian Cai +Fixes: 256e4621c21a ('iommu/amd: Make use of the generic IOVA allocator') +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd_iommu.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c +index 822c85226a29f..a1174e61daf4e 100644 +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -1337,18 +1337,21 @@ static void domain_flush_devices(struct protection_domain *domain) + * another level increases the size of the address space by 9 bits to a size up + * to 64 bits. + */ +-static bool increase_address_space(struct protection_domain *domain, ++static void increase_address_space(struct protection_domain *domain, + gfp_t gfp) + { ++ unsigned long flags; + u64 *pte; + +- if (domain->mode == PAGE_MODE_6_LEVEL) ++ spin_lock_irqsave(&domain->lock, flags); ++ ++ if (WARN_ON_ONCE(domain->mode == PAGE_MODE_6_LEVEL)) + /* address space already 64 bit large */ +- return false; ++ goto out; + + pte = (void *)get_zeroed_page(gfp); + if (!pte) +- return false; ++ goto out; + + *pte = PM_LEVEL_PDE(domain->mode, + iommu_virt_to_phys(domain->pt_root)); +@@ -1356,7 +1359,10 @@ static bool increase_address_space(struct protection_domain *domain, + domain->mode += 1; + domain->updated = true; + +- return true; ++out: ++ spin_unlock_irqrestore(&domain->lock, flags); ++ ++ return; + } + + static u64 *alloc_pte(struct protection_domain *domain, +-- +2.20.1 + diff --git a/queue-4.14/iommu-amd-flush-old-domains-in-kdump-kernel.patch b/queue-4.14/iommu-amd-flush-old-domains-in-kdump-kernel.patch new file mode 100644 index 00000000000..6bfadf854f1 --- /dev/null +++ b/queue-4.14/iommu-amd-flush-old-domains-in-kdump-kernel.patch @@ -0,0 +1,84 @@ +From aaceb6bd1075acd2f17fd42457569c6eaaec47b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Sep 2019 12:09:48 -0500 +Subject: iommu/amd: Flush old domains in kdump kernel + +From: Stuart Hayes + +[ Upstream commit 36b7200f67dfe75b416b5281ed4ace9927b513bc ] + +When devices are attached to the amd_iommu in a kdump kernel, the old device +table entries (DTEs), which were copied from the crashed kernel, will be +overwritten with a new domain number. When the new DTE is written, the IOMMU +is told to flush the DTE from its internal cache--but it is not told to flush +the translation cache entries for the old domain number. + +Without this patch, AMD systems using the tg3 network driver fail when kdump +tries to save the vmcore to a network system, showing network timeouts and +(sometimes) IOMMU errors in the kernel log. + +This patch will flush IOMMU translation cache entries for the old domain when +a DTE gets overwritten with a new domain number. + +Signed-off-by: Stuart Hayes +Fixes: 3ac3e5ee5ed5 ('iommu/amd: Copy old trans table from old kernel') +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd_iommu.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c +index 684f7cdd814b6..822c85226a29f 100644 +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -1150,6 +1150,17 @@ static void amd_iommu_flush_tlb_all(struct amd_iommu *iommu) + iommu_completion_wait(iommu); + } + ++static void amd_iommu_flush_tlb_domid(struct amd_iommu *iommu, u32 dom_id) ++{ ++ struct iommu_cmd cmd; ++ ++ build_inv_iommu_pages(&cmd, 0, CMD_INV_IOMMU_ALL_PAGES_ADDRESS, ++ dom_id, 1); ++ iommu_queue_command(iommu, &cmd); ++ ++ iommu_completion_wait(iommu); ++} ++ + static void amd_iommu_flush_all(struct amd_iommu *iommu) + { + struct iommu_cmd cmd; +@@ -1835,6 +1846,7 @@ static void set_dte_entry(u16 devid, struct protection_domain *domain, bool ats) + { + u64 pte_root = 0; + u64 flags = 0; ++ u32 old_domid; + + if (domain->mode != PAGE_MODE_NONE) + pte_root = iommu_virt_to_phys(domain->pt_root); +@@ -1877,8 +1889,20 @@ static void set_dte_entry(u16 devid, struct protection_domain *domain, bool ats) + flags &= ~DEV_DOMID_MASK; + flags |= domain->id; + ++ old_domid = amd_iommu_dev_table[devid].data[1] & DEV_DOMID_MASK; + amd_iommu_dev_table[devid].data[1] = flags; + amd_iommu_dev_table[devid].data[0] = pte_root; ++ ++ /* ++ * A kdump kernel might be replacing a domain ID that was copied from ++ * the previous kernel--if so, it needs to flush the translation cache ++ * entries for the old domain ID that is being overwritten ++ */ ++ if (old_domid) { ++ struct amd_iommu *iommu = amd_iommu_rlookup_table[devid]; ++ ++ amd_iommu_flush_tlb_domid(iommu, old_domid); ++ } + } + + static void clear_dte_entry(u16 devid) +-- +2.20.1 + diff --git a/queue-4.14/kallsyms-don-t-let-kallsyms_lookup_size_offset-fail-.patch b/queue-4.14/kallsyms-don-t-let-kallsyms_lookup_size_offset-fail-.patch new file mode 100644 index 00000000000..039f5de41dc --- /dev/null +++ b/queue-4.14/kallsyms-don-t-let-kallsyms_lookup_size_offset-fail-.patch @@ -0,0 +1,86 @@ +From b892d1f104b4f46e5970237e203a1aaa6b09ae97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Aug 2019 14:12:31 +0100 +Subject: kallsyms: Don't let kallsyms_lookup_size_offset() fail on retrieving + the first symbol + +From: Marc Zyngier + +[ Upstream commit 2a1a3fa0f29270583f0e6e3100d609e09697add1 ] + +An arm64 kernel configured with + + CONFIG_KPROBES=y + CONFIG_KALLSYMS=y + # CONFIG_KALLSYMS_ALL is not set + CONFIG_KALLSYMS_BASE_RELATIVE=y + +reports the following kprobe failure: + + [ 0.032677] kprobes: failed to populate blacklist: -22 + [ 0.033376] Please take care of using kprobes. + +It appears that kprobe fails to retrieve the symbol at address +0xffff000010081000, despite this symbol being in System.map: + + ffff000010081000 T __exception_text_start + +This symbol is part of the first group of aliases in the +kallsyms_offsets array (symbol names generated using ugly hacks in +scripts/kallsyms.c): + + kallsyms_offsets: + .long 0x1000 // do_undefinstr + .long 0x1000 // efi_header_end + .long 0x1000 // _stext + .long 0x1000 // __exception_text_start + .long 0x12b0 // do_cp15instr + +Looking at the implementation of get_symbol_pos(), it returns the +lowest index for aliasing symbols. In this case, it return 0. + +But kallsyms_lookup_size_offset() considers 0 as a failure, which +is obviously wrong (there is definitely a valid symbol living there). +In turn, the kprobe blacklisting stops abruptly, hence the original +error. + +A CONFIG_KALLSYMS_ALL kernel wouldn't fail as there is always +some random symbols at the beginning of this array, which are never +looked up via kallsyms_lookup_size_offset. + +Fix it by considering that get_symbol_pos() is always successful +(which is consistent with the other uses of this function). + +Fixes: ffc5089196446 ("[PATCH] Create kallsyms_lookup_size_offset()") +Reviewed-by: Masami Hiramatsu +Cc: Arnaldo Carvalho de Melo +Cc: Peter Zijlstra +Cc: Will Deacon +Cc: Catalin Marinas +Signed-off-by: Marc Zyngier +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + kernel/kallsyms.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c +index 127e7cfafa552..3e1b66366ac23 100644 +--- a/kernel/kallsyms.c ++++ b/kernel/kallsyms.c +@@ -296,8 +296,10 @@ int kallsyms_lookup_size_offset(unsigned long addr, unsigned long *symbolsize, + { + char namebuf[KSYM_NAME_LEN]; + +- if (is_ksym_addr(addr)) +- return !!get_symbol_pos(addr, symbolsize, offset); ++ if (is_ksym_addr(addr)) { ++ get_symbol_pos(addr, symbolsize, offset); ++ return 1; ++ } + return !!module_address_lookup(addr, symbolsize, offset, NULL, namebuf) || + !!__bpf_address_lookup(addr, symbolsize, offset, namebuf); + } +-- +2.20.1 + diff --git a/queue-4.14/kconfig-fix-the-reference-to-the-idt77105-phy-driver.patch b/queue-4.14/kconfig-fix-the-reference-to-the-idt77105-phy-driver.patch new file mode 100644 index 00000000000..605a2e67e8e --- /dev/null +++ b/queue-4.14/kconfig-fix-the-reference-to-the-idt77105-phy-driver.patch @@ -0,0 +1,35 @@ +From 02b700d490c9567ca5b5b1e6b2fffb1acfbd2265 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Aug 2019 07:04:25 +0200 +Subject: Kconfig: Fix the reference to the IDT77105 Phy driver in the + description of ATM_NICSTAR_USE_IDT77105 + +From: Christophe JAILLET + +[ Upstream commit cd9d4ff9b78fcd0fc4708900ba3e52e71e1a7690 ] + +This should be IDT77105, not IDT77015. + +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/atm/Kconfig b/drivers/atm/Kconfig +index 2e2efa577437e..8c37294f1d1ee 100644 +--- a/drivers/atm/Kconfig ++++ b/drivers/atm/Kconfig +@@ -200,7 +200,7 @@ config ATM_NICSTAR_USE_SUNI + make the card work). + + config ATM_NICSTAR_USE_IDT77105 +- bool "Use IDT77015 PHY driver (25Mbps)" ++ bool "Use IDT77105 PHY driver (25Mbps)" + depends on ATM_NICSTAR + help + Support for the PHYsical layer chip in ForeRunner LE25 cards. In +-- +2.20.1 + diff --git a/queue-4.14/keys-fix-missing-null-pointer-check-in-request_key_a.patch b/queue-4.14/keys-fix-missing-null-pointer-check-in-request_key_a.patch new file mode 100644 index 00000000000..6f70a66e89e --- /dev/null +++ b/queue-4.14/keys-fix-missing-null-pointer-check-in-request_key_a.patch @@ -0,0 +1,74 @@ +From ee4916e5936e7fc005c8299e4b44e885eaee4903 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2019 13:37:29 +0100 +Subject: keys: Fix missing null pointer check in request_key_auth_describe() + +From: Hillf Danton + +[ Upstream commit d41a3effbb53b1bcea41e328d16a4d046a508381 ] + +If a request_key authentication token key gets revoked, there's a window in +which request_key_auth_describe() can see it with a NULL payload - but it +makes no check for this and something like the following oops may occur: + + BUG: Kernel NULL pointer dereference at 0x00000038 + Faulting instruction address: 0xc0000000004ddf30 + Oops: Kernel access of bad area, sig: 11 [#1] + ... + NIP [...] request_key_auth_describe+0x90/0xd0 + LR [...] request_key_auth_describe+0x54/0xd0 + Call Trace: + [...] request_key_auth_describe+0x54/0xd0 (unreliable) + [...] proc_keys_show+0x308/0x4c0 + [...] seq_read+0x3d0/0x540 + [...] proc_reg_read+0x90/0x110 + [...] __vfs_read+0x3c/0x70 + [...] vfs_read+0xb4/0x1b0 + [...] ksys_read+0x7c/0x130 + [...] system_call+0x5c/0x70 + +Fix this by checking for a NULL pointer when describing such a key. + +Also make the read routine check for a NULL pointer to be on the safe side. + +[DH: Modified to not take already-held rcu lock and modified to also check + in the read routine] + +Fixes: 04c567d9313e ("[PATCH] Keys: Fix race between two instantiators of a key") +Reported-by: Sachin Sant +Signed-off-by: Hillf Danton +Signed-off-by: David Howells +Tested-by: Sachin Sant +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + security/keys/request_key_auth.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c +index 5e515791ccd11..1d34b2a5f485e 100644 +--- a/security/keys/request_key_auth.c ++++ b/security/keys/request_key_auth.c +@@ -71,6 +71,9 @@ static void request_key_auth_describe(const struct key *key, + { + struct request_key_auth *rka = get_request_key_auth(key); + ++ if (!rka) ++ return; ++ + seq_puts(m, "key:"); + seq_puts(m, key->description); + if (key_is_positive(key)) +@@ -88,6 +91,9 @@ static long request_key_auth_read(const struct key *key, + size_t datalen; + long ret; + ++ if (!rka) ++ return -EKEYREVOKED; ++ + datalen = rka->callout_len; + ret = datalen; + +-- +2.20.1 + diff --git a/queue-4.14/net-seeq-fix-the-function-used-to-release-some-memor.patch b/queue-4.14/net-seeq-fix-the-function-used-to-release-some-memor.patch new file mode 100644 index 00000000000..fd20907985c --- /dev/null +++ b/queue-4.14/net-seeq-fix-the-function-used-to-release-some-memor.patch @@ -0,0 +1,56 @@ +From 2db00547f3c031b4459cc24e595c7fdacad732b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Aug 2019 09:17:51 +0200 +Subject: net: seeq: Fix the function used to release some memory in an error + handling path + +From: Christophe JAILLET + +[ Upstream commit e1e54ec7fb55501c33b117c111cb0a045b8eded2 ] + +In commit 99cd149efe82 ("sgiseeq: replace use of dma_cache_wback_inv"), +a call to 'get_zeroed_page()' has been turned into a call to +'dma_alloc_coherent()'. Only the remove function has been updated to turn +the corresponding 'free_page()' into 'dma_free_attrs()'. +The error hndling path of the probe function has not been updated. + +Fix it now. + +Rename the corresponding label to something more in line. + +Fixes: 99cd149efe82 ("sgiseeq: replace use of dma_cache_wback_inv") +Signed-off-by: Christophe JAILLET +Reviewed-by: Thomas Bogendoerfer +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/seeq/sgiseeq.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/seeq/sgiseeq.c b/drivers/net/ethernet/seeq/sgiseeq.c +index 84a42ed97601d..49a18439bea2b 100644 +--- a/drivers/net/ethernet/seeq/sgiseeq.c ++++ b/drivers/net/ethernet/seeq/sgiseeq.c +@@ -792,15 +792,16 @@ static int sgiseeq_probe(struct platform_device *pdev) + printk(KERN_ERR "Sgiseeq: Cannot register net device, " + "aborting.\n"); + err = -ENODEV; +- goto err_out_free_page; ++ goto err_out_free_attrs; + } + + printk(KERN_INFO "%s: %s %pM\n", dev->name, sgiseeqstr, dev->dev_addr); + + return 0; + +-err_out_free_page: +- free_page((unsigned long) sp->srings); ++err_out_free_attrs: ++ dma_free_attrs(&pdev->dev, sizeof(*sp->srings), sp->srings, ++ sp->srings_dma, DMA_ATTR_NON_CONSISTENT); + err_out_free_dev: + free_netdev(dev); + +-- +2.20.1 + diff --git a/queue-4.14/netfilter-nf_conntrack_ftp-fix-debug-output.patch b/queue-4.14/netfilter-nf_conntrack_ftp-fix-debug-output.patch new file mode 100644 index 00000000000..37c2665e39f --- /dev/null +++ b/queue-4.14/netfilter-nf_conntrack_ftp-fix-debug-output.patch @@ -0,0 +1,47 @@ +From 5cf52fd03e8ef4b138227ffbace94bac5c88bdcc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2019 16:14:28 +0200 +Subject: netfilter: nf_conntrack_ftp: Fix debug output + +From: Thomas Jarosch + +[ Upstream commit 3a069024d371125227de3ac8fa74223fcf473520 ] + +The find_pattern() debug output was printing the 'skip' character. +This can be a NULL-byte and messes up further pr_debug() output. + +Output without the fix: +kernel: nf_conntrack_ftp: Pattern matches! +kernel: nf_conntrack_ftp: Skipped up to `<7>nf_conntrack_ftp: find_pattern `PORT': dlen = 8 +kernel: nf_conntrack_ftp: find_pattern `EPRT': dlen = 8 + +Output with the fix: +kernel: nf_conntrack_ftp: Pattern matches! +kernel: nf_conntrack_ftp: Skipped up to 0x0 delimiter! +kernel: nf_conntrack_ftp: Match succeeded! +kernel: nf_conntrack_ftp: conntrack_ftp: match `172,17,0,100,200,207' (20 bytes at 4150681645) +kernel: nf_conntrack_ftp: find_pattern `PORT': dlen = 8 + +Signed-off-by: Thomas Jarosch +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_ftp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c +index f0e9a7511e1ac..c236c7d1655d0 100644 +--- a/net/netfilter/nf_conntrack_ftp.c ++++ b/net/netfilter/nf_conntrack_ftp.c +@@ -323,7 +323,7 @@ static int find_pattern(const char *data, size_t dlen, + i++; + } + +- pr_debug("Skipped up to `%c'!\n", skip); ++ pr_debug("Skipped up to 0x%hhx delimiter!\n", skip); + + *numoff = i; + *numlen = getnum(data + i, dlen - i, cmd, term, numoff); +-- +2.20.1 + diff --git a/queue-4.14/netfilter-xt_nfacct-fix-alignment-mismatch-in-xt_nfa.patch b/queue-4.14/netfilter-xt_nfacct-fix-alignment-mismatch-in-xt_nfa.patch new file mode 100644 index 00000000000..b073e3befd6 --- /dev/null +++ b/queue-4.14/netfilter-xt_nfacct-fix-alignment-mismatch-in-xt_nfa.patch @@ -0,0 +1,107 @@ +From ee4689098fd137fa987894706614cd4d55c91b8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Aug 2019 17:02:22 +0200 +Subject: netfilter: xt_nfacct: Fix alignment mismatch in xt_nfacct_match_info + +From: Juliana Rodrigueiro + +[ Upstream commit 89a26cd4b501e9511d3cd3d22327fc76a75a38b3 ] + +When running a 64-bit kernel with a 32-bit iptables binary, the size of +the xt_nfacct_match_info struct diverges. + + kernel: sizeof(struct xt_nfacct_match_info) : 40 + iptables: sizeof(struct xt_nfacct_match_info)) : 36 + +Trying to append nfacct related rules results in an unhelpful message. +Although it is suggested to look for more information in dmesg, nothing +can be found there. + + # iptables -A -m nfacct --nfacct-name + iptables: Invalid argument. Run `dmesg' for more information. + +This patch fixes the memory misalignment by enforcing 8-byte alignment +within the struct's first revision. This solution is often used in many +other uapi netfilter headers. + +Signed-off-by: Juliana Rodrigueiro +Acked-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/uapi/linux/netfilter/xt_nfacct.h | 5 ++++ + net/netfilter/xt_nfacct.c | 36 ++++++++++++++++-------- + 2 files changed, 30 insertions(+), 11 deletions(-) + +diff --git a/include/uapi/linux/netfilter/xt_nfacct.h b/include/uapi/linux/netfilter/xt_nfacct.h +index 5c8a4d760ee34..b5123ab8d54a8 100644 +--- a/include/uapi/linux/netfilter/xt_nfacct.h ++++ b/include/uapi/linux/netfilter/xt_nfacct.h +@@ -11,4 +11,9 @@ struct xt_nfacct_match_info { + struct nf_acct *nfacct; + }; + ++struct xt_nfacct_match_info_v1 { ++ char name[NFACCT_NAME_MAX]; ++ struct nf_acct *nfacct __attribute__((aligned(8))); ++}; ++ + #endif /* _XT_NFACCT_MATCH_H */ +diff --git a/net/netfilter/xt_nfacct.c b/net/netfilter/xt_nfacct.c +index 6f92d25590a85..ea447b437f122 100644 +--- a/net/netfilter/xt_nfacct.c ++++ b/net/netfilter/xt_nfacct.c +@@ -55,25 +55,39 @@ nfacct_mt_destroy(const struct xt_mtdtor_param *par) + nfnl_acct_put(info->nfacct); + } + +-static struct xt_match nfacct_mt_reg __read_mostly = { +- .name = "nfacct", +- .family = NFPROTO_UNSPEC, +- .checkentry = nfacct_mt_checkentry, +- .match = nfacct_mt, +- .destroy = nfacct_mt_destroy, +- .matchsize = sizeof(struct xt_nfacct_match_info), +- .usersize = offsetof(struct xt_nfacct_match_info, nfacct), +- .me = THIS_MODULE, ++static struct xt_match nfacct_mt_reg[] __read_mostly = { ++ { ++ .name = "nfacct", ++ .revision = 0, ++ .family = NFPROTO_UNSPEC, ++ .checkentry = nfacct_mt_checkentry, ++ .match = nfacct_mt, ++ .destroy = nfacct_mt_destroy, ++ .matchsize = sizeof(struct xt_nfacct_match_info), ++ .usersize = offsetof(struct xt_nfacct_match_info, nfacct), ++ .me = THIS_MODULE, ++ }, ++ { ++ .name = "nfacct", ++ .revision = 1, ++ .family = NFPROTO_UNSPEC, ++ .checkentry = nfacct_mt_checkentry, ++ .match = nfacct_mt, ++ .destroy = nfacct_mt_destroy, ++ .matchsize = sizeof(struct xt_nfacct_match_info_v1), ++ .usersize = offsetof(struct xt_nfacct_match_info_v1, nfacct), ++ .me = THIS_MODULE, ++ }, + }; + + static int __init nfacct_mt_init(void) + { +- return xt_register_match(&nfacct_mt_reg); ++ return xt_register_matches(nfacct_mt_reg, ARRAY_SIZE(nfacct_mt_reg)); + } + + static void __exit nfacct_mt_exit(void) + { +- xt_unregister_match(&nfacct_mt_reg); ++ xt_unregister_matches(nfacct_mt_reg, ARRAY_SIZE(nfacct_mt_reg)); + } + + module_init(nfacct_mt_init); +-- +2.20.1 + diff --git a/queue-4.14/nfs-fix-initialisation-of-i-o-result-struct-in-nfs_p.patch b/queue-4.14/nfs-fix-initialisation-of-i-o-result-struct-in-nfs_p.patch new file mode 100644 index 00000000000..a8d273da738 --- /dev/null +++ b/queue-4.14/nfs-fix-initialisation-of-i-o-result-struct-in-nfs_p.patch @@ -0,0 +1,36 @@ +From 6424667d461abb80c307634d115627747fd63162 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Aug 2019 14:19:09 -0400 +Subject: NFS: Fix initialisation of I/O result struct in nfs_pgio_rpcsetup + +From: Trond Myklebust + +[ Upstream commit 17d8c5d145000070c581f2a8aa01edc7998582ab ] + +Initialise the result count to 0 rather than initialising it to the +argument count. The reason is that we want to ensure we record the +I/O stats correctly in the case where an error is returned (for +instance in the layoutstats). + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pagelist.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c +index 132e568524dff..ceb6892d9bbdc 100644 +--- a/fs/nfs/pagelist.c ++++ b/fs/nfs/pagelist.c +@@ -566,7 +566,7 @@ static void nfs_pgio_rpcsetup(struct nfs_pgio_header *hdr, + } + + hdr->res.fattr = &hdr->fattr; +- hdr->res.count = count; ++ hdr->res.count = 0; + hdr->res.eof = 0; + hdr->res.verf = &hdr->verf; + nfs_fattr_init(&hdr->fattr); +-- +2.20.1 + diff --git a/queue-4.14/nfsv2-fix-eof-handling.patch b/queue-4.14/nfsv2-fix-eof-handling.patch new file mode 100644 index 00000000000..0cbb488973e --- /dev/null +++ b/queue-4.14/nfsv2-fix-eof-handling.patch @@ -0,0 +1,35 @@ +From 2b8f6630ce63c0e3c2db4f57134ee91722f97882 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2019 20:41:16 -0400 +Subject: NFSv2: Fix eof handling + +From: Trond Myklebust + +[ Upstream commit 71affe9be45a5c60b9772e1b2701710712637274 ] + +If we received a reply from the server with a zero length read and +no error, then that implies we are at eof. + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/proc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/proc.c b/fs/nfs/proc.c +index f7fd9192d4bc8..73d1f7277e482 100644 +--- a/fs/nfs/proc.c ++++ b/fs/nfs/proc.c +@@ -589,7 +589,8 @@ static int nfs_read_done(struct rpc_task *task, struct nfs_pgio_header *hdr) + /* Emulate the eof flag, which isn't normally needed in NFSv2 + * as it is guaranteed to always return the file attributes + */ +- if (hdr->args.offset + hdr->res.count >= hdr->res.fattr->size) ++ if ((hdr->res.count == 0 && hdr->args.count > 0) || ++ hdr->args.offset + hdr->res.count >= hdr->res.fattr->size) + hdr->res.eof = 1; + } + return 0; +-- +2.20.1 + diff --git a/queue-4.14/nfsv2-fix-write-regression.patch b/queue-4.14/nfsv2-fix-write-regression.patch new file mode 100644 index 00000000000..dce9597c58e --- /dev/null +++ b/queue-4.14/nfsv2-fix-write-regression.patch @@ -0,0 +1,40 @@ +From f1a45a1352e37905a5362eb1f4362ecae2f5b828 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2019 07:03:28 -0400 +Subject: NFSv2: Fix write regression + +From: Trond Myklebust + +[ Upstream commit d33d4beb522987d1c305c12500796f9be3687dee ] + +Ensure we update the write result count on success, since the +RPC call itself does not do so. + +Reported-by: Jan Stancek +Reported-by: Naresh Kamboju +Signed-off-by: Trond Myklebust +Tested-by: Jan Stancek +Signed-off-by: Sasha Levin +--- + fs/nfs/proc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/proc.c b/fs/nfs/proc.c +index 73d1f7277e482..eff93315572e7 100644 +--- a/fs/nfs/proc.c ++++ b/fs/nfs/proc.c +@@ -611,8 +611,10 @@ static int nfs_proc_pgio_rpc_prepare(struct rpc_task *task, + + static int nfs_write_done(struct rpc_task *task, struct nfs_pgio_header *hdr) + { +- if (task->tk_status >= 0) ++ if (task->tk_status >= 0) { ++ hdr->res.count = hdr->args.count; + nfs_writeback_update_inode(hdr); ++ } + return 0; + } + +-- +2.20.1 + diff --git a/queue-4.14/nfsv4-fix-return-value-in-nfs_finish_open.patch b/queue-4.14/nfsv4-fix-return-value-in-nfs_finish_open.patch new file mode 100644 index 00000000000..b3f5311cbd6 --- /dev/null +++ b/queue-4.14/nfsv4-fix-return-value-in-nfs_finish_open.patch @@ -0,0 +1,35 @@ +From e8c1387f9a0d57ec39ef46b5d425fe05088e3e9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Aug 2019 12:15:07 -0400 +Subject: NFSv4: Fix return value in nfs_finish_open() + +From: Trond Myklebust + +[ Upstream commit 9821421a291b548ef4369c6998745baa36ddecd5 ] + +If the file turns out to be of the wrong type after opening, we want +to revalidate the path and retry, so return EOPENSTALE rather than +ESTALE. + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 85a6fdd76e20b..50c181fa00251 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1470,7 +1470,7 @@ static int nfs_finish_open(struct nfs_open_context *ctx, + if (S_ISREG(file->f_path.dentry->d_inode->i_mode)) + nfs_file_set_open_context(file, ctx); + else +- err = -ESTALE; ++ err = -EOPENSTALE; + out: + return err; + } +-- +2.20.1 + diff --git a/queue-4.14/nfsv4-fix-return-values-for-nfs4_file_open.patch b/queue-4.14/nfsv4-fix-return-values-for-nfs4_file_open.patch new file mode 100644 index 00000000000..2e6d1113b86 --- /dev/null +++ b/queue-4.14/nfsv4-fix-return-values-for-nfs4_file_open.patch @@ -0,0 +1,51 @@ +From 94e0695ba17651a380d54dc9fbe6b488711758eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Aug 2019 15:03:11 -0400 +Subject: NFSv4: Fix return values for nfs4_file_open() + +From: Trond Myklebust + +[ Upstream commit 90cf500e338ab3f3c0f126ba37e36fb6a9058441 ] + +Currently, we are translating RPC level errors such as timeouts, +as well as interrupts etc into EOPENSTALE, which forces a single +replay of the open attempt. What we actually want to do is +force the replay only in the cases where the returned error +indicates that the file may have changed on the server. + +So the fix is to spell out the exact set of errors where we want +to return EOPENSTALE. + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4file.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/fs/nfs/nfs4file.c b/fs/nfs/nfs4file.c +index 2b3e0f1ca572f..b8d316a338bc9 100644 +--- a/fs/nfs/nfs4file.c ++++ b/fs/nfs/nfs4file.c +@@ -74,13 +74,13 @@ nfs4_file_open(struct inode *inode, struct file *filp) + if (IS_ERR(inode)) { + err = PTR_ERR(inode); + switch (err) { +- case -EPERM: +- case -EACCES: +- case -EDQUOT: +- case -ENOSPC: +- case -EROFS: +- goto out_put_ctx; + default: ++ goto out_put_ctx; ++ case -ENOENT: ++ case -ESTALE: ++ case -EISDIR: ++ case -ENOTDIR: ++ case -ELOOP: + goto out_drop; + } + } +-- +2.20.1 + diff --git a/queue-4.14/perf-x86-amd-ibs-fix-sample-bias-for-dispatched-micr.patch b/queue-4.14/perf-x86-amd-ibs-fix-sample-bias-for-dispatched-micr.patch new file mode 100644 index 00000000000..0a1a1b6c51a --- /dev/null +++ b/queue-4.14/perf-x86-amd-ibs-fix-sample-bias-for-dispatched-micr.patch @@ -0,0 +1,143 @@ +From 3c88bb957afe2f7b7e2f854722eb5885f625a57d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2019 14:57:30 -0500 +Subject: perf/x86/amd/ibs: Fix sample bias for dispatched micro-ops + +From: Kim Phillips + +[ Upstream commit 0f4cd769c410e2285a4e9873a684d90423f03090 ] + +When counting dispatched micro-ops with cnt_ctl=1, in order to prevent +sample bias, IBS hardware preloads the least significant 7 bits of +current count (IbsOpCurCnt) with random values, such that, after the +interrupt is handled and counting resumes, the next sample taken +will be slightly perturbed. + +The current count bitfield is in the IBS execution control h/w register, +alongside the maximum count field. + +Currently, the IBS driver writes that register with the maximum count, +leaving zeroes to fill the current count field, thereby overwriting +the random bits the hardware preloaded for itself. + +Fix the driver to actually retain and carry those random bits from the +read of the IBS control register, through to its write, instead of +overwriting the lower current count bits with zeroes. + +Tested with: + +perf record -c 100001 -e ibs_op/cnt_ctl=1/pp -a -C 0 taskset -c 0 + +'perf annotate' output before: + + 15.70 65: addsd %xmm0,%xmm1 + 17.30 add $0x1,%rax + 15.88 cmp %rdx,%rax + je 82 + 17.32 72: test $0x1,%al + jne 7c + 7.52 movapd %xmm1,%xmm0 + 5.90 jmp 65 + 8.23 7c: sqrtsd %xmm1,%xmm0 + 12.15 jmp 65 + +'perf annotate' output after: + + 16.63 65: addsd %xmm0,%xmm1 + 16.82 add $0x1,%rax + 16.81 cmp %rdx,%rax + je 82 + 16.69 72: test $0x1,%al + jne 7c + 8.30 movapd %xmm1,%xmm0 + 8.13 jmp 65 + 8.24 7c: sqrtsd %xmm1,%xmm0 + 8.39 jmp 65 + +Tested on Family 15h and 17h machines. + +Machines prior to family 10h Rev. C don't have the RDWROPCNT capability, +and have the IbsOpCurCnt bitfield reserved, so this patch shouldn't +affect their operation. + +It is unknown why commit db98c5faf8cb ("perf/x86: Implement 64-bit +counter support for IBS") ignored the lower 4 bits of the IbsOpCurCnt +field; the number of preloaded random bits has always been 7, AFAICT. + +Signed-off-by: Kim Phillips +Signed-off-by: Peter Zijlstra (Intel) +Cc: "Arnaldo Carvalho de Melo" +Cc: +Cc: Ingo Molnar +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Thomas Gleixner +Cc: "Borislav Petkov" +Cc: Stephane Eranian +Cc: Alexander Shishkin +Cc: "Namhyung Kim" +Cc: "H. Peter Anvin" +Link: https://lkml.kernel.org/r/20190826195730.30614-1-kim.phillips@amd.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/amd/ibs.c | 13 ++++++++++--- + arch/x86/include/asm/perf_event.h | 12 ++++++++---- + 2 files changed, 18 insertions(+), 7 deletions(-) + +diff --git a/arch/x86/events/amd/ibs.c b/arch/x86/events/amd/ibs.c +index 8c51844694e2f..7a86fbc07ddc1 100644 +--- a/arch/x86/events/amd/ibs.c ++++ b/arch/x86/events/amd/ibs.c +@@ -672,10 +672,17 @@ fail: + + throttle = perf_event_overflow(event, &data, ®s); + out: +- if (throttle) ++ if (throttle) { + perf_ibs_stop(event, 0); +- else +- perf_ibs_enable_event(perf_ibs, hwc, period >> 4); ++ } else { ++ period >>= 4; ++ ++ if ((ibs_caps & IBS_CAPS_RDWROPCNT) && ++ (*config & IBS_OP_CNT_CTL)) ++ period |= *config & IBS_OP_CUR_CNT_RAND; ++ ++ perf_ibs_enable_event(perf_ibs, hwc, period); ++ } + + perf_event_update_userpage(event); + +diff --git a/arch/x86/include/asm/perf_event.h b/arch/x86/include/asm/perf_event.h +index 78241b736f2a0..f6c4915a863e0 100644 +--- a/arch/x86/include/asm/perf_event.h ++++ b/arch/x86/include/asm/perf_event.h +@@ -209,16 +209,20 @@ struct x86_pmu_capability { + #define IBSCTL_LVT_OFFSET_VALID (1ULL<<8) + #define IBSCTL_LVT_OFFSET_MASK 0x0F + +-/* ibs fetch bits/masks */ ++/* IBS fetch bits/masks */ + #define IBS_FETCH_RAND_EN (1ULL<<57) + #define IBS_FETCH_VAL (1ULL<<49) + #define IBS_FETCH_ENABLE (1ULL<<48) + #define IBS_FETCH_CNT 0xFFFF0000ULL + #define IBS_FETCH_MAX_CNT 0x0000FFFFULL + +-/* ibs op bits/masks */ +-/* lower 4 bits of the current count are ignored: */ +-#define IBS_OP_CUR_CNT (0xFFFF0ULL<<32) ++/* ++ * IBS op bits/masks ++ * The lower 7 bits of the current count are random bits ++ * preloaded by hardware and ignored in software ++ */ ++#define IBS_OP_CUR_CNT (0xFFF80ULL<<32) ++#define IBS_OP_CUR_CNT_RAND (0x0007FULL<<32) + #define IBS_OP_CNT_CTL (1ULL<<19) + #define IBS_OP_VAL (1ULL<<18) + #define IBS_OP_ENABLE (1ULL<<17) +-- +2.20.1 + diff --git a/queue-4.14/perf-x86-intel-restrict-period-on-nehalem.patch b/queue-4.14/perf-x86-intel-restrict-period-on-nehalem.patch new file mode 100644 index 00000000000..6cd4dbc2567 --- /dev/null +++ b/queue-4.14/perf-x86-intel-restrict-period-on-nehalem.patch @@ -0,0 +1,94 @@ +From 59f5920a30db7d602b80e501420f90c097644bae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Aug 2019 19:13:31 -0400 +Subject: perf/x86/intel: Restrict period on Nehalem + +From: Josh Hunt + +[ Upstream commit 44d3bbb6f5e501b873218142fe08cdf62a4ac1f3 ] + +We see our Nehalem machines reporting 'perfevents: irq loop stuck!' in +some cases when using perf: + +perfevents: irq loop stuck! +WARNING: CPU: 0 PID: 3485 at arch/x86/events/intel/core.c:2282 intel_pmu_handle_irq+0x37b/0x530 +... +RIP: 0010:intel_pmu_handle_irq+0x37b/0x530 +... +Call Trace: + +? perf_event_nmi_handler+0x2e/0x50 +? intel_pmu_save_and_restart+0x50/0x50 +perf_event_nmi_handler+0x2e/0x50 +nmi_handle+0x6e/0x120 +default_do_nmi+0x3e/0x100 +do_nmi+0x102/0x160 +end_repeat_nmi+0x16/0x50 +... +? native_write_msr+0x6/0x20 +? native_write_msr+0x6/0x20 + +intel_pmu_enable_event+0x1ce/0x1f0 +x86_pmu_start+0x78/0xa0 +x86_pmu_enable+0x252/0x310 +__perf_event_task_sched_in+0x181/0x190 +? __switch_to_asm+0x41/0x70 +? __switch_to_asm+0x35/0x70 +? __switch_to_asm+0x41/0x70 +? __switch_to_asm+0x35/0x70 +finish_task_switch+0x158/0x260 +__schedule+0x2f6/0x840 +? hrtimer_start_range_ns+0x153/0x210 +schedule+0x32/0x80 +schedule_hrtimeout_range_clock+0x8a/0x100 +? hrtimer_init+0x120/0x120 +ep_poll+0x2f7/0x3a0 +? wake_up_q+0x60/0x60 +do_epoll_wait+0xa9/0xc0 +__x64_sys_epoll_wait+0x1a/0x20 +do_syscall_64+0x4e/0x110 +entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x7fdeb1e96c03 +... +Signed-off-by: Peter Zijlstra (Intel) +Cc: acme@kernel.org +Cc: Josh Hunt +Cc: bpuranda@akamai.com +Cc: mingo@redhat.com +Cc: jolsa@redhat.com +Cc: tglx@linutronix.de +Cc: namhyung@kernel.org +Cc: alexander.shishkin@linux.intel.com +Link: https://lkml.kernel.org/r/1566256411-18820-1-git-send-email-johunt@akamai.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c +index d44bb077c6cfd..4a60ed8c44133 100644 +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -3297,6 +3297,11 @@ static u64 bdw_limit_period(struct perf_event *event, u64 left) + return left; + } + ++static u64 nhm_limit_period(struct perf_event *event, u64 left) ++{ ++ return max(left, 32ULL); ++} ++ + PMU_FORMAT_ATTR(event, "config:0-7" ); + PMU_FORMAT_ATTR(umask, "config:8-15" ); + PMU_FORMAT_ATTR(edge, "config:18" ); +@@ -4092,6 +4097,7 @@ __init int intel_pmu_init(void) + x86_pmu.pebs_constraints = intel_nehalem_pebs_event_constraints; + x86_pmu.enable_all = intel_pmu_nhm_enable_all; + x86_pmu.extra_regs = intel_nehalem_extra_regs; ++ x86_pmu.limit_period = nhm_limit_period; + + x86_pmu.cpu_events = nhm_events_attrs; + +-- +2.20.1 + diff --git a/queue-4.14/qed-add-cleanup-in-qed_slowpath_start.patch b/queue-4.14/qed-add-cleanup-in-qed_slowpath_start.patch new file mode 100644 index 00000000000..db2becc436f --- /dev/null +++ b/queue-4.14/qed-add-cleanup-in-qed_slowpath_start.patch @@ -0,0 +1,46 @@ +From 704d0b3efa9518f718128b206a88d719d9441a70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Aug 2019 23:46:36 -0500 +Subject: qed: Add cleanup in qed_slowpath_start() + +From: Wenwen Wang + +[ Upstream commit de0e4fd2f07ce3bbdb69dfb8d9426b7227451b69 ] + +If qed_mcp_send_drv_version() fails, no cleanup is executed, leading to +memory leaks. To fix this issue, introduce the label 'err4' to perform the +cleanup work before returning the error. + +Signed-off-by: Wenwen Wang +Acked-by: Sudarsana Reddy Kalluru +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c b/drivers/net/ethernet/qlogic/qed/qed_main.c +index ecc2d42965260..557332f1f886c 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_main.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c +@@ -1081,7 +1081,7 @@ static int qed_slowpath_start(struct qed_dev *cdev, + &drv_version); + if (rc) { + DP_NOTICE(cdev, "Failed sending drv version command\n"); +- return rc; ++ goto err4; + } + } + +@@ -1089,6 +1089,8 @@ static int qed_slowpath_start(struct qed_dev *cdev, + + return 0; + ++err4: ++ qed_ll2_dealloc_if(cdev); + err3: + qed_hw_stop(cdev); + err2: +-- +2.20.1 + diff --git a/queue-4.14/r8152-set-memory-to-all-0xffs-on-failed-reg-reads.patch b/queue-4.14/r8152-set-memory-to-all-0xffs-on-failed-reg-reads.patch new file mode 100644 index 00000000000..9bdb2e08f89 --- /dev/null +++ b/queue-4.14/r8152-set-memory-to-all-0xffs-on-failed-reg-reads.patch @@ -0,0 +1,52 @@ +From 6a68a349675a7fbfc60a6f198f999267c3a17a39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Aug 2019 01:36:19 -0700 +Subject: r8152: Set memory to all 0xFFs on failed reg reads + +From: Prashant Malani + +[ Upstream commit f53a7ad189594a112167efaf17ea8d0242b5ac00 ] + +get_registers() blindly copies the memory written to by the +usb_control_msg() call even if the underlying urb failed. + +This could lead to junk register values being read by the driver, since +some indirect callers of get_registers() ignore the return values. One +example is: + ocp_read_dword() ignores the return value of generic_ocp_read(), which + calls get_registers(). + +So, emulate PCI "Master Abort" behavior by setting the buffer to all +0xFFs when usb_control_msg() fails. + +This patch is copied from the r8152 driver (v2.12.0) published by +Realtek (www.realtek.com). + +Signed-off-by: Prashant Malani +Acked-by: Hayes Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 66beff4d76467..455eec3c46942 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -787,8 +787,11 @@ int get_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data) + ret = usb_control_msg(tp->udev, usb_rcvctrlpipe(tp->udev, 0), + RTL8152_REQ_GET_REGS, RTL8152_REQT_READ, + value, index, tmp, size, 500); ++ if (ret < 0) ++ memset(data, 0xff, size); ++ else ++ memcpy(data, tmp, size); + +- memcpy(data, tmp, size); + kfree(tmp); + + return ret; +-- +2.20.1 + diff --git a/queue-4.14/s390-bpf-fix-lcgr-instruction-encoding.patch b/queue-4.14/s390-bpf-fix-lcgr-instruction-encoding.patch new file mode 100644 index 00000000000..25953ea366f --- /dev/null +++ b/queue-4.14/s390-bpf-fix-lcgr-instruction-encoding.patch @@ -0,0 +1,43 @@ +From 17f9447ab5da70be8bd1256b04ea1b53a1b87703 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Aug 2019 17:03:32 +0200 +Subject: s390/bpf: fix lcgr instruction encoding + +From: Ilya Leoshkevich + +[ Upstream commit bb2d267c448f4bc3a3389d97c56391cb779178ae ] + +"masking, test in bounds 3" fails on s390, because +BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0) ignores the top 32 bits of +BPF_REG_2. The reason is that JIT emits lcgfr instead of lcgr. +The associated comment indicates that the code was intended to +emit lcgr in the first place, it's just that the wrong opcode +was used. + +Fix by using the correct opcode. + +Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend") +Signed-off-by: Ilya Leoshkevich +Acked-by: Vasily Gorbik +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + arch/s390/net/bpf_jit_comp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c +index bc9431aace05d..fcb9e840727cd 100644 +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -882,7 +882,7 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i + break; + case BPF_ALU64 | BPF_NEG: /* dst = -dst */ + /* lcgr %dst,%dst */ +- EMIT4(0xb9130000, dst_reg, dst_reg); ++ EMIT4(0xb9030000, dst_reg, dst_reg); + break; + /* + * BPF_FROM_BE/LE +-- +2.20.1 + diff --git a/queue-4.14/s390-bpf-use-32-bit-index-for-tail-calls.patch b/queue-4.14/s390-bpf-use-32-bit-index-for-tail-calls.patch new file mode 100644 index 00000000000..7e357e3dd88 --- /dev/null +++ b/queue-4.14/s390-bpf-use-32-bit-index-for-tail-calls.patch @@ -0,0 +1,62 @@ +From 5dc8620b6b25ede83e74c898533f4a4acd575d5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Aug 2019 18:18:07 +0200 +Subject: s390/bpf: use 32-bit index for tail calls + +From: Ilya Leoshkevich + +[ Upstream commit 91b4db5313a2c793aabc2143efb8ed0cf0fdd097 ] + +"p runtime/jit: pass > 32bit index to tail_call" fails when +bpf_jit_enable=1, because the tail call is not executed. + +This in turn is because the generated code assumes index is 64-bit, +while it must be 32-bit, and as a result prog array bounds check fails, +while it should pass. Even if bounds check would have passed, the code +that follows uses 64-bit index to compute prog array offset. + +Fix by using clrj instead of clgrj for comparing index with array size, +and also by using llgfr for truncating index to 32 bits before using it +to compute prog array offset. + +Fixes: 6651ee070b31 ("s390/bpf: implement bpf_tail_call() helper") +Reported-by: Yauheni Kaliuta +Acked-by: Vasily Gorbik +Signed-off-by: Ilya Leoshkevich +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + arch/s390/net/bpf_jit_comp.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c +index fcb9e840727cd..b8bd841048434 100644 +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -1063,8 +1063,8 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i + /* llgf %w1,map.max_entries(%b2) */ + EMIT6_DISP_LH(0xe3000000, 0x0016, REG_W1, REG_0, BPF_REG_2, + offsetof(struct bpf_array, map.max_entries)); +- /* clgrj %b3,%w1,0xa,label0: if %b3 >= %w1 goto out */ +- EMIT6_PCREL_LABEL(0xec000000, 0x0065, BPF_REG_3, ++ /* clrj %b3,%w1,0xa,label0: if (u32)%b3 >= (u32)%w1 goto out */ ++ EMIT6_PCREL_LABEL(0xec000000, 0x0077, BPF_REG_3, + REG_W1, 0, 0xa); + + /* +@@ -1090,8 +1090,10 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i + * goto out; + */ + +- /* sllg %r1,%b3,3: %r1 = index * 8 */ +- EMIT6_DISP_LH(0xeb000000, 0x000d, REG_1, BPF_REG_3, REG_0, 3); ++ /* llgfr %r1,%b3: %r1 = (u32) index */ ++ EMIT4(0xb9160000, REG_1, BPF_REG_3); ++ /* sllg %r1,%r1,3: %r1 *= 8 */ ++ EMIT6_DISP_LH(0xeb000000, 0x000d, REG_1, REG_1, REG_0, 3); + /* lg %r1,prog(%b2,%r1) */ + EMIT6_DISP_LH(0xe3000000, 0x0004, REG_1, BPF_REG_2, + REG_1, offsetof(struct bpf_array, ptrs)); +-- +2.20.1 + diff --git a/queue-4.14/series b/queue-4.14/series index c4026a2ddfb..40639476dd4 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -12,3 +12,42 @@ serial-sprd-correct-the-wrong-sequence-of-arguments.patch tty-serial-atmel-reschedule-tx-after-rx-was-started.patch mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch nl80211-fix-possible-spectre-v1-for-cqm-rssi-thresholds.patch +arm-omap2-fix-missing-sysc_has_reset_status-for-dra7.patch +s390-bpf-fix-lcgr-instruction-encoding.patch +arm-omap2-fix-omap4-errata-warning-on-other-socs.patch +arm-dts-dra74x-fix-iodelay-configuration-for-mmc3.patch +s390-bpf-use-32-bit-index-for-tail-calls.patch +fpga-altera-ps-spi-fix-getting-of-optional-confd-gpi.patch +netfilter-xt_nfacct-fix-alignment-mismatch-in-xt_nfa.patch +nfsv4-fix-return-values-for-nfs4_file_open.patch +nfsv4-fix-return-value-in-nfs_finish_open.patch +nfs-fix-initialisation-of-i-o-result-struct-in-nfs_p.patch +kconfig-fix-the-reference-to-the-idt77105-phy-driver.patch +qed-add-cleanup-in-qed_slowpath_start.patch +arm-8874-1-mm-only-adjust-sections-of-valid-mm-struc.patch +batman-adv-only-read-ogm2-tvlv_len-after-buffer-len-.patch +r8152-set-memory-to-all-0xffs-on-failed-reg-reads.patch +x86-apic-fix-arch_dynirq_lower_bound-bug-for-dt-enab.patch +netfilter-nf_conntrack_ftp-fix-debug-output.patch +nfsv2-fix-eof-handling.patch +nfsv2-fix-write-regression.patch +kallsyms-don-t-let-kallsyms_lookup_size_offset-fail-.patch +cifs-set-domainname-when-a-domain-key-is-used-in-mul.patch +cifs-use-kzfree-to-zero-out-the-password.patch +arm-8901-1-add-a-criteria-for-pfn_valid-of-arm.patch +sky2-disable-msi-on-yet-another-asus-boards-p6xxxx.patch +i2c-designware-synchronize-irqs-when-unregistering-s.patch +perf-x86-intel-restrict-period-on-nehalem.patch +perf-x86-amd-ibs-fix-sample-bias-for-dispatched-micr.patch +amd-xgbe-fix-error-path-in-xgbe_mod_init.patch +tools-power-x86_energy_perf_policy-fix-uninitialized.patch +tools-power-x86_energy_perf_policy-fix-argument-pars.patch +tools-power-turbostat-fix-buffer-overrun.patch +net-seeq-fix-the-function-used-to-release-some-memor.patch +dmaengine-ti-dma-crossbar-fix-a-memory-leak-bug.patch +dmaengine-ti-omap-dma-add-cleanup-in-omap_dma_probe.patch +x86-uaccess-don-t-leak-the-ac-flags-into-__get_user-.patch +x86-hyper-v-fix-overflow-bug-in-fill_gva_list.patch +keys-fix-missing-null-pointer-check-in-request_key_a.patch +iommu-amd-flush-old-domains-in-kdump-kernel.patch +iommu-amd-fix-race-in-increase_address_space.patch diff --git a/queue-4.14/sky2-disable-msi-on-yet-another-asus-boards-p6xxxx.patch b/queue-4.14/sky2-disable-msi-on-yet-another-asus-boards-p6xxxx.patch new file mode 100644 index 00000000000..ae8d76b47ec --- /dev/null +++ b/queue-4.14/sky2-disable-msi-on-yet-another-asus-boards-p6xxxx.patch @@ -0,0 +1,43 @@ +From 66322dc70e1a6de167fcb538d0f60f8673ab4dc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Aug 2019 08:31:19 +0200 +Subject: sky2: Disable MSI on yet another ASUS boards (P6Xxxx) + +From: Takashi Iwai + +[ Upstream commit 189308d5823a089b56e2299cd96589507dac7319 ] + +A similar workaround for the suspend/resume problem is needed for yet +another ASUS machines, P6X models. Like the previous fix, the BIOS +doesn't provide the standard DMI_SYS_* entry, so again DMI_BOARD_* +entries are used instead. + +Reported-and-tested-by: SteveM +Signed-off-by: Takashi Iwai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/sky2.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c +index 7b239af6cc040..5046efdad5390 100644 +--- a/drivers/net/ethernet/marvell/sky2.c ++++ b/drivers/net/ethernet/marvell/sky2.c +@@ -4954,6 +4954,13 @@ static const struct dmi_system_id msi_blacklist[] = { + DMI_MATCH(DMI_BOARD_NAME, "P6T"), + }, + }, ++ { ++ .ident = "ASUS P6X", ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK Computer INC."), ++ DMI_MATCH(DMI_BOARD_NAME, "P6X"), ++ }, ++ }, + {} + }; + +-- +2.20.1 + diff --git a/queue-4.14/tools-power-turbostat-fix-buffer-overrun.patch b/queue-4.14/tools-power-turbostat-fix-buffer-overrun.patch new file mode 100644 index 00000000000..54ea962cb5f --- /dev/null +++ b/queue-4.14/tools-power-turbostat-fix-buffer-overrun.patch @@ -0,0 +1,37 @@ +From 81b45204b07a42a977a526656b7927f55fd65d48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2019 16:02:14 +0900 +Subject: tools/power turbostat: fix buffer overrun + +From: Naoya Horiguchi + +[ Upstream commit eeb71c950bc6eee460f2070643ce137e067b234c ] + +turbostat could be terminated by general protection fault on some latest +hardwares which (for example) support 9 levels of C-states and show 18 +"tADDED" lines. That bloats the total output and finally causes buffer +overrun. So let's extend the buffer to avoid this. + +Signed-off-by: Naoya Horiguchi +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index 3e5f8b3db2720..19e345cf8193e 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -4488,7 +4488,7 @@ int initialize_counters(int cpu_id) + + void allocate_output_buffer() + { +- output_buffer = calloc(1, (1 + topo.num_cpus) * 1024); ++ output_buffer = calloc(1, (1 + topo.num_cpus) * 2048); + outp = output_buffer; + if (outp == NULL) + err(-1, "calloc output buffer"); +-- +2.20.1 + diff --git a/queue-4.14/tools-power-x86_energy_perf_policy-fix-argument-pars.patch b/queue-4.14/tools-power-x86_energy_perf_policy-fix-argument-pars.patch new file mode 100644 index 00000000000..7e411bbe073 --- /dev/null +++ b/queue-4.14/tools-power-x86_energy_perf_policy-fix-argument-pars.patch @@ -0,0 +1,48 @@ +From 4009117f64ea08110f9b77f88c608e360c505c6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Feb 2019 05:25:48 -0800 +Subject: tools/power x86_energy_perf_policy: Fix argument parsing + +From: Zephaniah E. Loss-Cutler-Hull + +[ Upstream commit 03531482402a2bc4ab93cf6dde46833775e035e9 ] + +The -w argument in x86_energy_perf_policy currently triggers an +unconditional segfault. + +This is because the argument string reads: "+a:c:dD:E:e:f:m:M:rt:u:vw" and +yet the argument handler expects an argument. + +When parse_optarg_string is called with a null argument, we then proceed to +crash in strncmp, not horribly friendly. + +The man page describes -w as taking an argument, the long form +(--hwp-window) is correctly marked as taking a required argument, and the +code expects it. + +As such, this patch simply marks the short form (-w) as requiring an +argument. + +Signed-off-by: Zephaniah E. Loss-Cutler-Hull +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c b/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c +index bbef8bcf44d6d..2aba622d1c5aa 100644 +--- a/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c ++++ b/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c +@@ -546,7 +546,7 @@ void cmdline(int argc, char **argv) + + progname = argv[0]; + +- while ((opt = getopt_long_only(argc, argv, "+a:c:dD:E:e:f:m:M:rt:u:vw", ++ while ((opt = getopt_long_only(argc, argv, "+a:c:dD:E:e:f:m:M:rt:u:vw:", + long_options, &option_index)) != -1) { + switch (opt) { + case 'a': +-- +2.20.1 + diff --git a/queue-4.14/tools-power-x86_energy_perf_policy-fix-uninitialized.patch b/queue-4.14/tools-power-x86_energy_perf_policy-fix-uninitialized.patch new file mode 100644 index 00000000000..ae72132f026 --- /dev/null +++ b/queue-4.14/tools-power-x86_energy_perf_policy-fix-uninitialized.patch @@ -0,0 +1,105 @@ +From 0352e4fd8c0c56b7ff9b243b52c11fe7870cf428 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Sep 2018 16:05:53 +0100 +Subject: tools/power x86_energy_perf_policy: Fix "uninitialized variable" + warnings at -O2 + +From: Ben Hutchings + +[ Upstream commit adb8049097a9ec4acd09fbd3aa8636199a78df8a ] + +x86_energy_perf_policy first uses __get_cpuid() to check the maximum +CPUID level and exits if it is too low. It then assumes that later +calls will succeed (which I think is architecturally guaranteed). It +also assumes that CPUID works at all (which is not guaranteed on +x86_32). + +If optimisations are enabled, gcc warns about potentially +uninitialized variables. Fix this by adding an exit-on-error after +every call to __get_cpuid() instead of just checking the maximum +level. + +Signed-off-by: Ben Hutchings +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + .../x86_energy_perf_policy.c | 26 +++++++++++-------- + 1 file changed, 15 insertions(+), 11 deletions(-) + +diff --git a/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c b/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c +index 65bbe627a425f..bbef8bcf44d6d 100644 +--- a/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c ++++ b/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c +@@ -1260,6 +1260,15 @@ void probe_dev_msr(void) + if (system("/sbin/modprobe msr > /dev/null 2>&1")) + err(-5, "no /dev/cpu/0/msr, Try \"# modprobe msr\" "); + } ++ ++static void get_cpuid_or_exit(unsigned int leaf, ++ unsigned int *eax, unsigned int *ebx, ++ unsigned int *ecx, unsigned int *edx) ++{ ++ if (!__get_cpuid(leaf, eax, ebx, ecx, edx)) ++ errx(1, "Processor not supported\n"); ++} ++ + /* + * early_cpuid() + * initialize turbo_is_enabled, has_hwp, has_epb +@@ -1267,15 +1276,10 @@ void probe_dev_msr(void) + */ + void early_cpuid(void) + { +- unsigned int eax, ebx, ecx, edx, max_level; ++ unsigned int eax, ebx, ecx, edx; + unsigned int fms, family, model; + +- __get_cpuid(0, &max_level, &ebx, &ecx, &edx); +- +- if (max_level < 6) +- errx(1, "Processor not supported\n"); +- +- __get_cpuid(1, &fms, &ebx, &ecx, &edx); ++ get_cpuid_or_exit(1, &fms, &ebx, &ecx, &edx); + family = (fms >> 8) & 0xf; + model = (fms >> 4) & 0xf; + if (family == 6 || family == 0xf) +@@ -1289,7 +1293,7 @@ void early_cpuid(void) + bdx_highest_ratio = msr & 0xFF; + } + +- __get_cpuid(0x6, &eax, &ebx, &ecx, &edx); ++ get_cpuid_or_exit(0x6, &eax, &ebx, &ecx, &edx); + turbo_is_enabled = (eax >> 1) & 1; + has_hwp = (eax >> 7) & 1; + has_epb = (ecx >> 3) & 1; +@@ -1307,7 +1311,7 @@ void parse_cpuid(void) + + eax = ebx = ecx = edx = 0; + +- __get_cpuid(0, &max_level, &ebx, &ecx, &edx); ++ get_cpuid_or_exit(0, &max_level, &ebx, &ecx, &edx); + + if (ebx == 0x756e6547 && edx == 0x49656e69 && ecx == 0x6c65746e) + genuine_intel = 1; +@@ -1316,7 +1320,7 @@ void parse_cpuid(void) + fprintf(stderr, "CPUID(0): %.4s%.4s%.4s ", + (char *)&ebx, (char *)&edx, (char *)&ecx); + +- __get_cpuid(1, &fms, &ebx, &ecx, &edx); ++ get_cpuid_or_exit(1, &fms, &ebx, &ecx, &edx); + family = (fms >> 8) & 0xf; + model = (fms >> 4) & 0xf; + stepping = fms & 0xf; +@@ -1341,7 +1345,7 @@ void parse_cpuid(void) + errx(1, "CPUID: no MSR"); + + +- __get_cpuid(0x6, &eax, &ebx, &ecx, &edx); ++ get_cpuid_or_exit(0x6, &eax, &ebx, &ecx, &edx); + /* turbo_is_enabled already set */ + /* has_hwp already set */ + has_hwp_notify = eax & (1 << 8); +-- +2.20.1 + diff --git a/queue-4.14/x86-apic-fix-arch_dynirq_lower_bound-bug-for-dt-enab.patch b/queue-4.14/x86-apic-fix-arch_dynirq_lower_bound-bug-for-dt-enab.patch new file mode 100644 index 00000000000..2c277ac7cd6 --- /dev/null +++ b/queue-4.14/x86-apic-fix-arch_dynirq_lower_bound-bug-for-dt-enab.patch @@ -0,0 +1,71 @@ +From 793f7c7573c89aa05222354fbfd4b10575aa6e93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2019 15:16:31 +0200 +Subject: x86/apic: Fix arch_dynirq_lower_bound() bug for DT enabled machines + +From: Thomas Gleixner + +[ Upstream commit 3e5bedc2c258341702ddffbd7688c5e6eb01eafa ] + +Rahul Tanwar reported the following bug on DT systems: + +> 'ioapic_dynirq_base' contains the virtual IRQ base number. Presently, it is +> updated to the end of hardware IRQ numbers but this is done only when IOAPIC +> configuration type is IOAPIC_DOMAIN_LEGACY or IOAPIC_DOMAIN_STRICT. There is +> a third type IOAPIC_DOMAIN_DYNAMIC which applies when IOAPIC configuration +> comes from devicetree. +> +> See dtb_add_ioapic() in arch/x86/kernel/devicetree.c +> +> In case of IOAPIC_DOMAIN_DYNAMIC (DT/OF based system), 'ioapic_dynirq_base' +> remains to zero initialized value. This means that for OF based systems, +> virtual IRQ base will get set to zero. + +Such systems will very likely not even boot. + +For DT enabled machines ioapic_dynirq_base is irrelevant and not +updated, so simply map the IRQ base 1:1 instead. + +Reported-by: Rahul Tanwar +Tested-by: Rahul Tanwar +Tested-by: Andy Shevchenko +Signed-off-by: Thomas Gleixner +Cc: Alexander Shishkin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: alan@linux.intel.com +Cc: bp@alien8.de +Cc: cheol.yong.kim@intel.com +Cc: qi-ming.wu@intel.com +Cc: rahul.tanwar@intel.com +Cc: rppt@linux.ibm.com +Cc: tony.luck@intel.com +Link: http://lkml.kernel.org/r/20190821081330.1187-1-rahul.tanwar@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/apic/io_apic.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c +index 96a8a68f9c793..566b7bc5deaa0 100644 +--- a/arch/x86/kernel/apic/io_apic.c ++++ b/arch/x86/kernel/apic/io_apic.c +@@ -2342,7 +2342,13 @@ unsigned int arch_dynirq_lower_bound(unsigned int from) + * dmar_alloc_hwirq() may be called before setup_IO_APIC(), so use + * gsi_top if ioapic_dynirq_base hasn't been initialized yet. + */ +- return ioapic_initialized ? ioapic_dynirq_base : gsi_top; ++ if (!ioapic_initialized) ++ return gsi_top; ++ /* ++ * For DT enabled machines ioapic_dynirq_base is irrelevant and not ++ * updated. So simply return @from if ioapic_dynirq_base == 0. ++ */ ++ return ioapic_dynirq_base ? : from; + } + + #ifdef CONFIG_X86_32 +-- +2.20.1 + diff --git a/queue-4.14/x86-hyper-v-fix-overflow-bug-in-fill_gva_list.patch b/queue-4.14/x86-hyper-v-fix-overflow-bug-in-fill_gva_list.patch new file mode 100644 index 00000000000..fa02790f9f3 --- /dev/null +++ b/queue-4.14/x86-hyper-v-fix-overflow-bug-in-fill_gva_list.patch @@ -0,0 +1,58 @@ +From 4589f3fe6fd1cd7eecd0f455083fbcf3f19110ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2019 20:41:43 +0800 +Subject: x86/hyper-v: Fix overflow bug in fill_gva_list() + +From: Tianyu Lan + +[ Upstream commit 4030b4c585c41eeefec7bd20ce3d0e100a0f2e4d ] + +When the 'start' parameter is >= 0xFF000000 on 32-bit +systems, or >= 0xFFFFFFFF'FF000000 on 64-bit systems, +fill_gva_list() gets into an infinite loop. + +With such inputs, 'cur' overflows after adding HV_TLB_FLUSH_UNIT +and always compares as less than end. Memory is filled with +guest virtual addresses until the system crashes. + +Fix this by never incrementing 'cur' to be larger than 'end'. + +Reported-by: Jong Hyun Park +Signed-off-by: Tianyu Lan +Reviewed-by: Michael Kelley +Cc: Borislav Petkov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 2ffd9e33ce4a ("x86/hyper-v: Use hypercall for remote TLB flush") +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/hyperv/mmu.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/hyperv/mmu.c b/arch/x86/hyperv/mmu.c +index 56c9ebac946fe..47718fff0b797 100644 +--- a/arch/x86/hyperv/mmu.c ++++ b/arch/x86/hyperv/mmu.c +@@ -57,12 +57,14 @@ static inline int fill_gva_list(u64 gva_list[], int offset, + * Lower 12 bits encode the number of additional + * pages to flush (in addition to the 'cur' page). + */ +- if (diff >= HV_TLB_FLUSH_UNIT) ++ if (diff >= HV_TLB_FLUSH_UNIT) { + gva_list[gva_n] |= ~PAGE_MASK; +- else if (diff) ++ cur += HV_TLB_FLUSH_UNIT; ++ } else if (diff) { + gva_list[gva_n] |= (diff - 1) >> PAGE_SHIFT; ++ cur = end; ++ } + +- cur += HV_TLB_FLUSH_UNIT; + gva_n++; + + } while (cur < end); +-- +2.20.1 + diff --git a/queue-4.14/x86-uaccess-don-t-leak-the-ac-flags-into-__get_user-.patch b/queue-4.14/x86-uaccess-don-t-leak-the-ac-flags-into-__get_user-.patch new file mode 100644 index 00000000000..4814c5be0b8 --- /dev/null +++ b/queue-4.14/x86-uaccess-don-t-leak-the-ac-flags-into-__get_user-.patch @@ -0,0 +1,58 @@ +From 81172f582e078a59ab4b284e6d5ffadab2b95b67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2019 10:24:45 +0200 +Subject: x86/uaccess: Don't leak the AC flags into __get_user() argument + evaluation + +From: Peter Zijlstra + +[ Upstream commit 9b8bd476e78e89c9ea26c3b435ad0201c3d7dbf5 ] + +Identical to __put_user(); the __get_user() argument evalution will too +leak UBSAN crud into the __uaccess_begin() / __uaccess_end() region. +While uncommon this was observed to happen for: + + drivers/xen/gntdev.c: if (__get_user(old_status, batch->status[i])) + +where UBSAN added array bound checking. + +This complements commit: + + 6ae865615fc4 ("x86/uaccess: Dont leak the AC flag into __put_user() argument evaluation") + +Tested-by Sedat Dilek +Reported-by: Randy Dunlap +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Josh Poimboeuf +Reviewed-by: Thomas Gleixner +Cc: broonie@kernel.org +Cc: sfr@canb.auug.org.au +Cc: akpm@linux-foundation.org +Cc: Randy Dunlap +Cc: mhocko@suse.cz +Cc: Josh Poimboeuf +Link: https://lkml.kernel.org/r/20190829082445.GM2369@hirez.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/uaccess.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h +index 4111edb3188e2..9718303410614 100644 +--- a/arch/x86/include/asm/uaccess.h ++++ b/arch/x86/include/asm/uaccess.h +@@ -451,8 +451,10 @@ do { \ + ({ \ + int __gu_err; \ + __inttype(*(ptr)) __gu_val; \ ++ __typeof__(ptr) __gu_ptr = (ptr); \ ++ __typeof__(size) __gu_size = (size); \ + __uaccess_begin_nospec(); \ +- __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \ ++ __get_user_size(__gu_val, __gu_ptr, __gu_size, __gu_err, -EFAULT); \ + __uaccess_end(); \ + (x) = (__force __typeof__(*(ptr)))__gu_val; \ + __builtin_expect(__gu_err, 0); \ +-- +2.20.1 +