From: Sasha Levin Date: Sat, 8 Dec 2018 15:08:10 +0000 (-0500) Subject: patches for 4.4 X-Git-Tag: v4.19.9~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8f83e748459e27295d3f57f0bbe3478c95c3824d;p=thirdparty%2Fkernel%2Fstable-queue.git patches for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/batman-adv-expand-merged-fragment-buffer-for-full-pa.patch b/queue-4.4/batman-adv-expand-merged-fragment-buffer-for-full-pa.patch new file mode 100644 index 00000000000..b5ff5dee852 --- /dev/null +++ b/queue-4.4/batman-adv-expand-merged-fragment-buffer-for-full-pa.patch @@ -0,0 +1,53 @@ +From d4b208e50a2e7bc817d2ab68481585180072fe69 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Wed, 7 Nov 2018 23:09:12 +0100 +Subject: batman-adv: Expand merged fragment buffer for full packet +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit d7d8bbb40a5b1f682ee6589e212934f4c6b8ad60 ] + +The complete size ("total_size") of the fragmented packet is stored in the +fragment header and in the size of the fragment chain. When the fragments +are ready for merge, the skbuff's tail of the first fragment is expanded to +have enough room after the data pointer for at least total_size. This means +that it gets expanded by total_size - first_skb->len. + +But this is ignoring the fact that after expanding the buffer, the fragment +header is pulled by from this buffer. Assuming that the tailroom of the +buffer was already 0, the buffer after the data pointer of the skbuff is +now only total_size - len(fragment_header) large. When the merge function +is then processing the remaining fragments, the code to copy the data over +to the merged skbuff will cause an skb_over_panic when it tries to actually +put enough data to fill the total_size bytes of the packet. + +The size of the skb_pull must therefore also be taken into account when the +buffer's tailroom is expanded. + +Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge") +Reported-by: Martin Weinelt +Co-authored-by: Linus Lüssing +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/fragmentation.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c +index 5d2f9d4879b2..d50c3b003dc9 100644 +--- a/net/batman-adv/fragmentation.c ++++ b/net/batman-adv/fragmentation.c +@@ -266,7 +266,7 @@ batadv_frag_merge_packets(struct hlist_head *chain) + kfree(entry); + + packet = (struct batadv_frag_packet *)skb_out->data; +- size = ntohs(packet->total_size); ++ size = ntohs(packet->total_size) + hdr_size; + + /* Make room for the rest of the fragments. */ + if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) { +-- +2.19.1 + diff --git a/queue-4.4/bnx2x-assign-unique-dmae-channel-number-for-fw-dmae-.patch b/queue-4.4/bnx2x-assign-unique-dmae-channel-number-for-fw-dmae-.patch new file mode 100644 index 00000000000..543b2ba0690 --- /dev/null +++ b/queue-4.4/bnx2x-assign-unique-dmae-channel-number-for-fw-dmae-.patch @@ -0,0 +1,66 @@ +From 174b63aa45c38182f601c963db26dbdaabc5814d Mon Sep 17 00:00:00 2001 +From: Sudarsana Reddy Kalluru +Date: Sun, 11 Nov 2018 18:27:34 -0800 +Subject: bnx2x: Assign unique DMAE channel number for FW DMAE transactions. + +[ Upstream commit 77e461d14ed141253573eeeb4d34eccc51e38328 ] + +Driver assigns DMAE channel 0 for FW as part of START_RAMROD command. FW +uses this channel for DMAE operations (e.g., TIME_SYNC implementation). +Driver also uses the same channel 0 for DMAE operations for some of the PFs +(e.g., PF0 on Port0). This could lead to concurrent access to the DMAE +channel by FW and driver which is not legal. Hence need to assign unique +DMAE id for FW. +Currently following DMAE channels are used by the clients, + MFW - OCBB/OCSD functionality uses DMAE channel 14/15 + Driver 0-3 and 8-11 (for PF dmae operations) + 4 and 12 (for stats requests) +Assigning unique dmae_id '13' to the FW. + +Changes from previous version: +------------------------------ +v2: Incorporated the review comments. + +Signed-off-by: Sudarsana Reddy Kalluru +Signed-off-by: Michal Kalderon +Signed-off-by: David S. Miller + +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x.h | 7 +++++++ + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 1 + + 2 files changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h +index 1ea068815419..2491cdc2535c 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h +@@ -2291,6 +2291,13 @@ void bnx2x_igu_clear_sb_gen(struct bnx2x *bp, u8 func, u8 idu_sb_id, + #define PMF_DMAE_C(bp) (BP_PORT(bp) * MAX_DMAE_C_PER_PORT + \ + E1HVN_MAX) + ++/* Following is the DMAE channel number allocation for the clients. ++ * MFW: OCBB/OCSD implementations use DMAE channels 14/15 respectively. ++ * Driver: 0-3 and 8-11 (for PF dmae operations) ++ * 4 and 12 (for stats requests) ++ */ ++#define BNX2X_FW_DMAE_C 13 /* Channel for FW DMAE operations */ ++ + /* PCIE link and speed */ + #define PCICFG_LINK_WIDTH 0x1f00000 + #define PCICFG_LINK_WIDTH_SHIFT 20 +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c +index ff702a707a91..343e3366d751 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c +@@ -5931,6 +5931,7 @@ static inline int bnx2x_func_send_start(struct bnx2x *bp, + rdata->sd_vlan_tag = cpu_to_le16(start_params->sd_vlan_tag); + rdata->path_id = BP_PATH(bp); + rdata->network_cos_mode = start_params->network_cos_mode; ++ rdata->dmae_cmd_id = BNX2X_FW_DMAE_C; + + rdata->vxlan_dst_port = cpu_to_le16(start_params->vxlan_dst_port); + rdata->geneve_dst_port = cpu_to_le16(start_params->geneve_dst_port); +-- +2.19.1 + diff --git a/queue-4.4/can-rcar_can-fix-erroneous-registration.patch b/queue-4.4/can-rcar_can-fix-erroneous-registration.patch new file mode 100644 index 00000000000..d0b0ea74fdd --- /dev/null +++ b/queue-4.4/can-rcar_can-fix-erroneous-registration.patch @@ -0,0 +1,47 @@ +From b036cbbc883d8180504e997d4c353a46c088c587 Mon Sep 17 00:00:00 2001 +From: Fabrizio Castro +Date: Mon, 10 Sep 2018 11:43:13 +0100 +Subject: can: rcar_can: Fix erroneous registration + +[ Upstream commit 68c8d209cd4337da4fa04c672f0b62bb735969bc ] + +Assigning 2 to "renesas,can-clock-select" tricks the driver into +registering the CAN interface, even though we don't want that. +This patch improves one of the checks to prevent that from happening. + +Fixes: 862e2b6af9413b43 ("can: rcar_can: support all input clocks") +Signed-off-by: Fabrizio Castro +Signed-off-by: Chris Paterson +Reviewed-by: Simon Horman +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/rcar_can.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/rcar_can.c b/drivers/net/can/rcar_can.c +index bc46be39549d..9d93492ddfcc 100644 +--- a/drivers/net/can/rcar_can.c ++++ b/drivers/net/can/rcar_can.c +@@ -24,6 +24,9 @@ + + #define RCAR_CAN_DRV_NAME "rcar_can" + ++#define RCAR_SUPPORTED_CLOCKS (BIT(CLKR_CLKP1) | BIT(CLKR_CLKP2) | \ ++ BIT(CLKR_CLKEXT)) ++ + /* Mailbox configuration: + * mailbox 60 - 63 - Rx FIFO mailboxes + * mailbox 56 - 59 - Tx FIFO mailboxes +@@ -789,7 +792,7 @@ static int rcar_can_probe(struct platform_device *pdev) + goto fail_clk; + } + +- if (clock_select >= ARRAY_SIZE(clock_names)) { ++ if (!(BIT(clock_select) & RCAR_SUPPORTED_CLOCKS)) { + err = -EINVAL; + dev_err(&pdev->dev, "invalid CAN clock selected\n"); + goto fail_clk; +-- +2.19.1 + diff --git a/queue-4.4/iommu-ipmmu-vmsa-fix-crash-on-early-domain-free.patch b/queue-4.4/iommu-ipmmu-vmsa-fix-crash-on-early-domain-free.patch new file mode 100644 index 00000000000..b55ef485693 --- /dev/null +++ b/queue-4.4/iommu-ipmmu-vmsa-fix-crash-on-early-domain-free.patch @@ -0,0 +1,55 @@ +From 6378ab0a80e59b94ea976b23783a8447bfea8796 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Wed, 7 Nov 2018 14:18:50 +0100 +Subject: iommu/ipmmu-vmsa: Fix crash on early domain free + +[ Upstream commit e5b78f2e349eef5d4fca5dc1cf5a3b4b2cc27abd ] + +If iommu_ops.add_device() fails, iommu_ops.domain_free() is still +called, leading to a crash, as the domain was only partially +initialized: + + ipmmu-vmsa e67b0000.mmu: Cannot accommodate DMA translation for IOMMU page tables + sata_rcar ee300000.sata: Unable to initialize IPMMU context + iommu: Failed to add device ee300000.sata to group 0: -22 + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000038 + ... + Call trace: + ipmmu_domain_free+0x1c/0xa0 + iommu_group_release+0x48/0x68 + kobject_put+0x74/0xe8 + kobject_del.part.0+0x3c/0x50 + kobject_put+0x60/0xe8 + iommu_group_get_for_dev+0xa8/0x1f0 + ipmmu_add_device+0x1c/0x40 + of_iommu_configure+0x118/0x190 + +Fix this by checking if the domain's context already exists, before +trying to destroy it. + +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Robin Murphy +Fixes: d25a2a16f0889 ('iommu: Add driver for Renesas VMSA-compatible IPMMU') +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/ipmmu-vmsa.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/iommu/ipmmu-vmsa.c b/drivers/iommu/ipmmu-vmsa.c +index 624e7ff76166..9101be1a6b59 100644 +--- a/drivers/iommu/ipmmu-vmsa.c ++++ b/drivers/iommu/ipmmu-vmsa.c +@@ -372,6 +372,9 @@ static int ipmmu_domain_init_context(struct ipmmu_vmsa_domain *domain) + + static void ipmmu_domain_destroy_context(struct ipmmu_vmsa_domain *domain) + { ++ if (!domain->mmu) ++ return; ++ + /* + * Disable the context. Flush the TLB as required when modifying the + * context registers. +-- +2.19.1 + diff --git a/queue-4.4/iommu-vt-d-fix-null-pointer-dereference-in-prq_event.patch b/queue-4.4/iommu-vt-d-fix-null-pointer-dereference-in-prq_event.patch new file mode 100644 index 00000000000..6e3f52609b2 --- /dev/null +++ b/queue-4.4/iommu-vt-d-fix-null-pointer-dereference-in-prq_event.patch @@ -0,0 +1,38 @@ +From 45b252c153b922a01692face1146c189c8cda399 Mon Sep 17 00:00:00 2001 +From: Lu Baolu +Date: Mon, 5 Nov 2018 10:18:58 +0800 +Subject: iommu/vt-d: Fix NULL pointer dereference in prq_event_thread() + +[ Upstream commit 19ed3e2dd8549c1a34914e8dad01b64e7837645a ] + +When handling page request without pasid event, go to "no_pasid" +branch instead of "bad_req". Otherwise, a NULL pointer deference +will happen there. + +Cc: Ashok Raj +Cc: Jacob Pan +Cc: Sohil Mehta +Signed-off-by: Lu Baolu +Fixes: a222a7f0bb6c9 'iommu/vt-d: Implement page request handling' +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel-svm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel-svm.c +index 10068a481e22..cbde03e509c1 100644 +--- a/drivers/iommu/intel-svm.c ++++ b/drivers/iommu/intel-svm.c +@@ -558,7 +558,7 @@ static irqreturn_t prq_event_thread(int irq, void *d) + pr_err("%s: Page request without PASID: %08llx %08llx\n", + iommu->name, ((unsigned long long *)req)[0], + ((unsigned long long *)req)[1]); +- goto bad_req; ++ goto no_pasid; + } + + if (!svm || svm->pasid != req->pasid) { +-- +2.19.1 + diff --git a/queue-4.4/iommu-vt-d-use-memunmap-to-free-memremap.patch b/queue-4.4/iommu-vt-d-use-memunmap-to-free-memremap.patch new file mode 100644 index 00000000000..d2ba5331b25 --- /dev/null +++ b/queue-4.4/iommu-vt-d-use-memunmap-to-free-memremap.patch @@ -0,0 +1,34 @@ +From 0576d04ef09cda3c8853683527e9e1e51b2f93b6 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Wed, 21 Nov 2018 17:53:47 +0800 +Subject: iommu/vt-d: Use memunmap to free memremap + +[ Upstream commit 829383e183728dec7ed9150b949cd6de64127809 ] + +memunmap() should be used to free the return of memremap(), not +iounmap(). + +Fixes: dfddb969edf0 ('iommu/vt-d: Switch from ioremap_cache to memremap') +Signed-off-by: Pan Bian +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/intel-iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c +index 49b266433f4c..7feaa82f8c7c 100644 +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -2977,7 +2977,7 @@ static int copy_context_table(struct intel_iommu *iommu, + } + + if (old_ce) +- iounmap(old_ce); ++ memunmap(old_ce); + + ret = 0; + if (devfn < 0x80) +-- +2.19.1 + diff --git a/queue-4.4/net-amd-add-missing-of_node_put.patch b/queue-4.4/net-amd-add-missing-of_node_put.patch new file mode 100644 index 00000000000..365153b9b49 --- /dev/null +++ b/queue-4.4/net-amd-add-missing-of_node_put.patch @@ -0,0 +1,43 @@ +From 88fa7b4866200b9791657849b518dc43192369f5 Mon Sep 17 00:00:00 2001 +From: Yangtao Li +Date: Thu, 22 Nov 2018 07:34:41 -0500 +Subject: net: amd: add missing of_node_put() + +[ Upstream commit c44c749d3b6fdfca39002e7e48e03fe9f9fe37a3 ] + +of_find_node_by_path() acquires a reference to the node +returned by it and that reference needs to be dropped by its caller. +This place doesn't do that, so fix it. + +Signed-off-by: Yangtao Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/sunlance.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/amd/sunlance.c b/drivers/net/ethernet/amd/sunlance.c +index 7847638bdd22..8914170fccff 100644 +--- a/drivers/net/ethernet/amd/sunlance.c ++++ b/drivers/net/ethernet/amd/sunlance.c +@@ -1419,7 +1419,7 @@ static int sparc_lance_probe_one(struct platform_device *op, + + prop = of_get_property(nd, "tpe-link-test?", NULL); + if (!prop) +- goto no_link_test; ++ goto node_put; + + if (strcmp(prop, "true")) { + printk(KERN_NOTICE "SunLance: warning: overriding option " +@@ -1428,6 +1428,8 @@ static int sparc_lance_probe_one(struct platform_device *op, + "to ecd@skynet.be\n"); + auxio_set_lte(AUXIO_LTE_ON); + } ++node_put: ++ of_node_put(nd); + no_link_test: + lp->auto_select = 1; + lp->tpe = 0; +-- +2.19.1 + diff --git a/queue-4.4/net-faraday-ftmac100-remove-netif_running-netdev-che.patch b/queue-4.4/net-faraday-ftmac100-remove-netif_running-netdev-che.patch new file mode 100644 index 00000000000..b5082c3e396 --- /dev/null +++ b/queue-4.4/net-faraday-ftmac100-remove-netif_running-netdev-che.patch @@ -0,0 +1,55 @@ +From c271ec39e847edc94a828494d92f88d04538efd8 Mon Sep 17 00:00:00 2001 +From: Vincent Chen +Date: Wed, 21 Nov 2018 09:38:11 +0800 +Subject: net: faraday: ftmac100: remove netif_running(netdev) check before + disabling interrupts + +[ Upstream commit 426a593e641ebf0d9288f0a2fcab644a86820220 ] + +In the original ftmac100_interrupt(), the interrupts are only disabled when +the condition "netif_running(netdev)" is true. However, this condition +causes kerenl hang in the following case. When the user requests to +disable the network device, kernel will clear the bit __LINK_STATE_START +from the dev->state and then call the driver's ndo_stop function. Network +device interrupts are not blocked during this process. If an interrupt +occurs between clearing __LINK_STATE_START and stopping network device, +kernel cannot disable the interrupts due to the condition +"netif_running(netdev)" in the ISR. Hence, kernel will hang due to the +continuous interruption of the network device. + +In order to solve the above problem, the interrupts of the network device +should always be disabled in the ISR without being restricted by the +condition "netif_running(netdev)". + +[V2] +Remove unnecessary curly braces. + +Signed-off-by: Vincent Chen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/faraday/ftmac100.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/faraday/ftmac100.c b/drivers/net/ethernet/faraday/ftmac100.c +index dce5f7b7f772..05e1f923f49e 100644 +--- a/drivers/net/ethernet/faraday/ftmac100.c ++++ b/drivers/net/ethernet/faraday/ftmac100.c +@@ -865,11 +865,10 @@ static irqreturn_t ftmac100_interrupt(int irq, void *dev_id) + struct net_device *netdev = dev_id; + struct ftmac100 *priv = netdev_priv(netdev); + +- if (likely(netif_running(netdev))) { +- /* Disable interrupts for polling */ +- ftmac100_disable_all_int(priv); ++ /* Disable interrupts for polling */ ++ ftmac100_disable_all_int(priv); ++ if (likely(netif_running(netdev))) + napi_schedule(&priv->napi); +- } + + return IRQ_HANDLED; + } +-- +2.19.1 + diff --git a/queue-4.4/net-mlx4-fix-ubsan-warning-of-signed-integer-overflo.patch b/queue-4.4/net-mlx4-fix-ubsan-warning-of-signed-integer-overflo.patch new file mode 100644 index 00000000000..82725870251 --- /dev/null +++ b/queue-4.4/net-mlx4-fix-ubsan-warning-of-signed-integer-overflo.patch @@ -0,0 +1,45 @@ +From 9c9e95a65c05a718cd76d8312172e51bc57f3157 Mon Sep 17 00:00:00 2001 +From: Aya Levin +Date: Thu, 15 Nov 2018 18:05:15 +0200 +Subject: net/mlx4: Fix UBSAN warning of signed integer overflow + +[ Upstream commit a463146e67c848cbab5ce706d6528281b7cded08 ] + +UBSAN: Undefined behavior in +drivers/net/ethernet/mellanox/mlx4/resource_tracker.c:626:29 +signed integer overflow: 1802201963 + 1802201963 cannot be represented +in type 'int' + +The union of res_reserved and res_port_rsvd[MLX4_MAX_PORTS] monitors +granting of reserved resources. The grant operation is calculated and +protected, thus both members of the union cannot be negative. Changed +type of res_reserved and of res_port_rsvd[MLX4_MAX_PORTS] from signed +int to unsigned int, allowing large value. + +Fixes: 5a0d0a6161ae ("mlx4: Structures and init/teardown for VF resource quotas") +Signed-off-by: Aya Levin +Signed-off-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/mlx4.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/mlx4.h b/drivers/net/ethernet/mellanox/mlx4/mlx4.h +index f5fdbd53d052..db40387ffaf6 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/mlx4.h ++++ b/drivers/net/ethernet/mellanox/mlx4/mlx4.h +@@ -537,8 +537,8 @@ struct slave_list { + struct resource_allocator { + spinlock_t alloc_lock; /* protect quotas */ + union { +- int res_reserved; +- int res_port_rsvd[MLX4_MAX_PORTS]; ++ unsigned int res_reserved; ++ unsigned int res_port_rsvd[MLX4_MAX_PORTS]; + }; + union { + int res_free; +-- +2.19.1 + diff --git a/queue-4.4/net-mlx4_core-fix-uninitialized-variable-compilation.patch b/queue-4.4/net-mlx4_core-fix-uninitialized-variable-compilation.patch new file mode 100644 index 00000000000..a3c99aae5da --- /dev/null +++ b/queue-4.4/net-mlx4_core-fix-uninitialized-variable-compilation.patch @@ -0,0 +1,33 @@ +From 5f7c68ba570b03af1291858acab7b454dea6ea91 Mon Sep 17 00:00:00 2001 +From: Tariq Toukan +Date: Thu, 15 Nov 2018 18:05:14 +0200 +Subject: net/mlx4_core: Fix uninitialized variable compilation warning + +[ Upstream commit 3ea7e7ea53c9f6ee41cb69a29c375fe9dd9a56a7 ] + +Initialize the uid variable to zero to avoid the compilation warning. + +Fixes: 7a89399ffad7 ("net/mlx4: Add mlx4_bitmap zone allocator") +Signed-off-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/alloc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/alloc.c b/drivers/net/ethernet/mellanox/mlx4/alloc.c +index 0c51c69f802f..a4912b11e54f 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/alloc.c ++++ b/drivers/net/ethernet/mellanox/mlx4/alloc.c +@@ -339,7 +339,7 @@ void mlx4_zone_allocator_destroy(struct mlx4_zone_allocator *zone_alloc) + static u32 __mlx4_alloc_from_zone(struct mlx4_zone_entry *zone, int count, + int align, u32 skip_mask, u32 *puid) + { +- u32 uid; ++ u32 uid = 0; + u32 res; + struct mlx4_zone_allocator *zone_alloc = zone->allocator; + struct mlx4_zone_entry *curr_node; +-- +2.19.1 + diff --git a/queue-4.4/net-mlx4_core-zero-out-lkey-field-in-sw2hw_mpt-fw-co.patch b/queue-4.4/net-mlx4_core-zero-out-lkey-field-in-sw2hw_mpt-fw-co.patch new file mode 100644 index 00000000000..2f13b9551dd --- /dev/null +++ b/queue-4.4/net-mlx4_core-zero-out-lkey-field-in-sw2hw_mpt-fw-co.patch @@ -0,0 +1,47 @@ +From 8f388b1667249c38148152d3b39edee3def7fa56 Mon Sep 17 00:00:00 2001 +From: Jack Morgenstein +Date: Thu, 15 Nov 2018 18:05:13 +0200 +Subject: net/mlx4_core: Zero out lkey field in SW2HW_MPT fw command + +[ Upstream commit bd85fbc2038a1bbe84990b23ff69b6fc81a32b2c ] + +When re-registering a user mr, the mpt information for the +existing mr when running SRIOV is obtained via the QUERY_MPT +fw command. The returned information includes the mpt's lkey. + +This retrieved mpt information is used to move the mpt back +to hardware ownership in the rereg flow (via the SW2HW_MPT +fw command when running SRIOV). + +The fw API spec states that for SW2HW_MPT, the lkey field +must be zero. Any ConnectX-3 PF driver which checks for strict spec +adherence will return failure for SW2HW_MPT if the lkey field is not +zero (although the fw in practice ignores this field for SW2HW_MPT). + +Thus, in order to conform to the fw API spec, set the lkey field to zero +before invoking SW2HW_MPT when running SRIOV. + +Fixes: e630664c8383 ("mlx4_core: Add helper functions to support MR re-registration") +Signed-off-by: Jack Morgenstein +Signed-off-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/mr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/mr.c b/drivers/net/ethernet/mellanox/mlx4/mr.c +index 93195191f45b..53833c06696f 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/mr.c ++++ b/drivers/net/ethernet/mellanox/mlx4/mr.c +@@ -366,6 +366,7 @@ int mlx4_mr_hw_write_mpt(struct mlx4_dev *dev, struct mlx4_mr *mmr, + container_of((void *)mpt_entry, struct mlx4_cmd_mailbox, + buf); + ++ (*mpt_entry)->lkey = 0; + err = mlx4_SW2HW_MPT(dev, mailbox, key); + } + +-- +2.19.1 + diff --git a/queue-4.4/qed-fix-ptt-leak-in-qed_drain.patch b/queue-4.4/qed-fix-ptt-leak-in-qed_drain.patch new file mode 100644 index 00000000000..f6a38ac3b43 --- /dev/null +++ b/queue-4.4/qed-fix-ptt-leak-in-qed_drain.patch @@ -0,0 +1,35 @@ +From c38f6022c1cf94bb93b7c2c81e07d09304014420 Mon Sep 17 00:00:00 2001 +From: Denis Bolotin +Date: Mon, 12 Nov 2018 12:50:20 +0200 +Subject: qed: Fix PTT leak in qed_drain() + +[ Upstream commit 9aaa4e8ba12972d674caeefbc5f88d83235dd697 ] + +Release PTT before entering error flow. + +Signed-off-by: Denis Bolotin +Signed-off-by: Michal Kalderon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c b/drivers/net/ethernet/qlogic/qed/qed_main.c +index 35e1468d8196..b8ae6ed5c7ba 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_main.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c +@@ -1124,9 +1124,9 @@ static int qed_drain(struct qed_dev *cdev) + return -EBUSY; + } + rc = qed_mcp_drain(hwfn, ptt); ++ qed_ptt_release(hwfn, ptt); + if (rc) + return rc; +- qed_ptt_release(hwfn, ptt); + } + + return 0; +-- +2.19.1 + diff --git a/queue-4.4/qed-fix-reading-wrong-value-in-loop-condition.patch b/queue-4.4/qed-fix-reading-wrong-value-in-loop-condition.patch new file mode 100644 index 00000000000..cb89cda23b2 --- /dev/null +++ b/queue-4.4/qed-fix-reading-wrong-value-in-loop-condition.patch @@ -0,0 +1,34 @@ +From b382cc2d5c9eaa4699390bc80da6bdd0454f3639 Mon Sep 17 00:00:00 2001 +From: Denis Bolotin +Date: Mon, 12 Nov 2018 12:50:23 +0200 +Subject: qed: Fix reading wrong value in loop condition + +[ Upstream commit ed4eac20dcffdad47709422e0cb925981b056668 ] + +The value of "sb_index" is written by the hardware. Reading its value and +writing it to "index" must finish before checking the loop condition. + +Signed-off-by: Denis Bolotin +Signed-off-by: Michal Kalderon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_int.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_int.c b/drivers/net/ethernet/qlogic/qed/qed_int.c +index 9cc9d62c1fec..8b15a018d625 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_int.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_int.c +@@ -177,6 +177,8 @@ static int qed_int_attentions(struct qed_hwfn *p_hwfn) + */ + do { + index = p_sb_attn->sb_index; ++ /* finish reading index before the loop condition */ ++ dma_rmb(); + attn_bits = le32_to_cpu(p_sb_attn->atten_bits); + attn_acks = le32_to_cpu(p_sb_attn->atten_ack); + } while (index != p_sb_attn->sb_index); +-- +2.19.1 + diff --git a/queue-4.4/series b/queue-4.4/series index 92316266687..4a0ec8accd1 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -54,3 +54,16 @@ arc-add-support-of-nfsv3-acl.patch mm-cleancache-fix-corruption-on-missed-inode-invalidation.patch mm-mlock-avoid-increase-mm-locked_vm-on-mlock-when-already-mlock2-mlock_onfault.patch usb-gadget-dummy-fix-nonsensical-comparisons.patch +iommu-vt-d-fix-null-pointer-dereference-in-prq_event.patch +iommu-ipmmu-vmsa-fix-crash-on-early-domain-free.patch +can-rcar_can-fix-erroneous-registration.patch +batman-adv-expand-merged-fragment-buffer-for-full-pa.patch +bnx2x-assign-unique-dmae-channel-number-for-fw-dmae-.patch +qed-fix-ptt-leak-in-qed_drain.patch +qed-fix-reading-wrong-value-in-loop-condition.patch +net-mlx4_core-zero-out-lkey-field-in-sw2hw_mpt-fw-co.patch +net-mlx4_core-fix-uninitialized-variable-compilation.patch +net-mlx4-fix-ubsan-warning-of-signed-integer-overflo.patch +net-faraday-ftmac100-remove-netif_running-netdev-che.patch +iommu-vt-d-use-memunmap-to-free-memremap.patch +net-amd-add-missing-of_node_put.patch