From: Sasha Levin Date: Mon, 26 Aug 2019 02:40:23 +0000 (-0400) Subject: fixes for 4.19 X-Git-Tag: v4.14.141~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9278b2d6e732b98773d315922be896a0444ee145;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/asoc-dapm-fix-handling-of-custom_stop_condition-on-d.patch b/queue-4.19/asoc-dapm-fix-handling-of-custom_stop_condition-on-d.patch new file mode 100644 index 00000000000..91f20a2cdba --- /dev/null +++ b/queue-4.19/asoc-dapm-fix-handling-of-custom_stop_condition-on-d.patch @@ -0,0 +1,76 @@ +From cb4b0b6c49ed214be4ea58d9aff89e3e5e27b946 Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Thu, 18 Jul 2019 09:43:33 +0100 +Subject: ASoC: dapm: Fix handling of custom_stop_condition on DAPM graph walks + +[ Upstream commit 8dd26dff00c0636b1d8621acaeef3f6f3a39dd77 ] + +DPCM uses snd_soc_dapm_dai_get_connected_widgets to build a +list of the widgets connected to a specific front end DAI so it +can search through this list for available back end DAIs. The +custom_stop_condition was added to is_connected_ep to facilitate this +list not containing more widgets than is necessary. Doing so both +speeds up the DPCM handling as less widgets need to be searched and +avoids issues with CODEC to CODEC links as these would be confused +with back end DAIs if they appeared in the list of available widgets. + +custom_stop_condition was implemented by aborting the graph walk +when the condition is triggered, however there is an issue with this +approach. Whilst walking the graph is_connected_ep should update the +endpoints cache on each widget, if the walk is aborted the number +of attached end points is unknown for that sub-graph. When the stop +condition triggered, the original patch ignored the triggering widget +and returned zero connected end points; a later patch updated this +to set the triggering widget's cache to 1 and return that. Both of +these approaches result in inaccurate values being stored in various +end point caches as the values propagate back through the graph, +which can result in later issues with widgets powering/not powering +unexpectedly. + +As the original goal was to reduce the size of the widget list passed +to the DPCM code, the simplest solution is to limit the functionality +of the custom_stop_condition to the widget list. This means the rest +of the graph will still be processed resulting in correct end point +caches, but only widgets up to the stop condition will be added to the +returned widget list. + +Fixes: 6742064aef7f ("ASoC: dapm: support user-defined stop condition in dai_get_connected_widgets") +Fixes: 5fdd022c2026 ("ASoC: dpcm: play nice with CODEC<->CODEC links") +Fixes: 09464974eaa8 ("ASoC: dapm: Fix to return correct path list in is_connected_ep.") +Signed-off-by: Charles Keepax +Link: https://lore.kernel.org/r/20190718084333.15598-1-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-dapm.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c +index 3bfc788372f31..4ce57510b6236 100644 +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -1145,8 +1145,8 @@ static __always_inline int is_connected_ep(struct snd_soc_dapm_widget *widget, + list_add_tail(&widget->work_list, list); + + if (custom_stop_condition && custom_stop_condition(widget, dir)) { +- widget->endpoints[dir] = 1; +- return widget->endpoints[dir]; ++ list = NULL; ++ custom_stop_condition = NULL; + } + + if ((widget->is_ep & SND_SOC_DAPM_DIR_TO_EP(dir)) && widget->connected) { +@@ -1183,8 +1183,8 @@ static __always_inline int is_connected_ep(struct snd_soc_dapm_widget *widget, + * + * Optionally, can be supplied with a function acting as a stopping condition. + * This function takes the dapm widget currently being examined and the walk +- * direction as an arguments, it should return true if the walk should be +- * stopped and false otherwise. ++ * direction as an arguments, it should return true if widgets from that point ++ * in the graph onwards should not be added to the widget list. + */ + static int is_connected_output_ep(struct snd_soc_dapm_widget *widget, + struct list_head *list, +-- +2.20.1 + diff --git a/queue-4.19/asoc-fail-card-instantiation-if-dai-format-setup-fai.patch b/queue-4.19/asoc-fail-card-instantiation-if-dai-format-setup-fai.patch new file mode 100644 index 00000000000..8795257e59a --- /dev/null +++ b/queue-4.19/asoc-fail-card-instantiation-if-dai-format-setup-fai.patch @@ -0,0 +1,40 @@ +From 291ce1d22a62d963e147642cd4b41a72b56f8cff Mon Sep 17 00:00:00 2001 +From: Ricard Wanderlof +Date: Wed, 24 Jul 2019 11:38:44 +0200 +Subject: ASoC: Fail card instantiation if DAI format setup fails + +[ Upstream commit 40aa5383e393d72f6aa3943a4e7b1aae25a1e43b ] + +If the DAI format setup fails, there is no valid communication format +between CPU and CODEC, so fail card instantiation, rather than continue +with a card that will most likely not function properly. + +Signed-off-by: Ricard Wanderlof +Link: https://lore.kernel.org/r/alpine.DEB.2.20.1907241132350.6338@lnxricardw1.se.axis.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 62aa320c20708..dafc3b7f8d723 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1513,8 +1513,11 @@ static int soc_probe_link_dais(struct snd_soc_card *card, + } + } + +- if (dai_link->dai_fmt) +- snd_soc_runtime_set_dai_fmt(rtd, dai_link->dai_fmt); ++ if (dai_link->dai_fmt) { ++ ret = snd_soc_runtime_set_dai_fmt(rtd, dai_link->dai_fmt); ++ if (ret) ++ return ret; ++ } + + ret = soc_post_component_init(rtd, dai_link->name); + if (ret) +-- +2.20.1 + diff --git a/queue-4.19/asoc-rockchip-fix-mono-capture.patch b/queue-4.19/asoc-rockchip-fix-mono-capture.patch new file mode 100644 index 00000000000..fe3712a8a72 --- /dev/null +++ b/queue-4.19/asoc-rockchip-fix-mono-capture.patch @@ -0,0 +1,66 @@ +From 7e8ee7c529376b34ea46378b90bedc1893c5219f Mon Sep 17 00:00:00 2001 +From: Cheng-Yi Chiang +Date: Fri, 26 Jul 2019 12:42:02 +0800 +Subject: ASoC: rockchip: Fix mono capture + +[ Upstream commit 789e162a6255325325bd321ab0cd51dc7e285054 ] + +This reverts commit db51707b9c9aeedd310ebce60f15d5bb006567e0. +Revert "ASoC: rockchip: i2s: Support mono capture" + +Previous discussion in + +https://patchwork.kernel.org/patch/10147153/ + +explains the issue of the patch. +While device is configured as 1-ch, hardware is still +generating a 2-ch stream. +When user space reads the data and assumes it is a 1-ch stream, +the rate will be slower by 2x. + +Revert the change so 1-ch is not supported. +User space can selectively take one channel data out of two channel +if 1-ch is preferred. +Currently, both channels record identical data. + +Signed-off-by: Cheng-Yi Chiang +Link: https://lore.kernel.org/r/20190726044202.26866-1-cychiang@chromium.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/rockchip/rockchip_i2s.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/rockchip/rockchip_i2s.c b/sound/soc/rockchip/rockchip_i2s.c +index 60d43d53a8f5e..11399f81c92f9 100644 +--- a/sound/soc/rockchip/rockchip_i2s.c ++++ b/sound/soc/rockchip/rockchip_i2s.c +@@ -329,7 +329,6 @@ static int rockchip_i2s_hw_params(struct snd_pcm_substream *substream, + val |= I2S_CHN_4; + break; + case 2: +- case 1: + val |= I2S_CHN_2; + break; + default: +@@ -462,7 +461,7 @@ static struct snd_soc_dai_driver rockchip_i2s_dai = { + }, + .capture = { + .stream_name = "Capture", +- .channels_min = 1, ++ .channels_min = 2, + .channels_max = 2, + .rates = SNDRV_PCM_RATE_8000_192000, + .formats = (SNDRV_PCM_FMTBIT_S8 | +@@ -662,7 +661,7 @@ static int rockchip_i2s_probe(struct platform_device *pdev) + } + + if (!of_property_read_u32(node, "rockchip,capture-channels", &val)) { +- if (val >= 1 && val <= 8) ++ if (val >= 2 && val <= 8) + soc_dai->capture.channels_max = val; + } + +-- +2.20.1 + diff --git a/queue-4.19/asoc-ti-davinci-mcasp-correct-slot_width-posed-const.patch b/queue-4.19/asoc-ti-davinci-mcasp-correct-slot_width-posed-const.patch new file mode 100644 index 00000000000..97522e28d64 --- /dev/null +++ b/queue-4.19/asoc-ti-davinci-mcasp-correct-slot_width-posed-const.patch @@ -0,0 +1,112 @@ +From 7c3f53c020dcae6b5588a4370d3cb2d37b12f7d2 Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Fri, 26 Jul 2019 09:42:43 +0300 +Subject: ASoC: ti: davinci-mcasp: Correct slot_width posed constraint + +[ Upstream commit 1e112c35e3c96db7c8ca6ddaa96574f00c06e7db ] + +The slot_width is a property for the bus while the constraint for +SNDRV_PCM_HW_PARAM_SAMPLE_BITS is for the in memory format. + +Applying slot_width constraint to sample_bits works most of the time, but +it will blacklist valid formats in some cases. + +With slot_width 24 we can support S24_3LE and S24_LE formats as they both +look the same on the bus, but a a 24 constraint on sample_bits would not +allow S24_LE as it is stored in 32bits in memory. + +Implement a simple hw_rule function to allow all formats which require less +or equal number of bits on the bus as slot_width (if configured). + +Signed-off-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20190726064244.3762-2-peter.ujfalusi@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/davinci/davinci-mcasp.c | 43 ++++++++++++++++++++++++------- + 1 file changed, 34 insertions(+), 9 deletions(-) + +diff --git a/sound/soc/davinci/davinci-mcasp.c b/sound/soc/davinci/davinci-mcasp.c +index 160b2764b2ad8..6a8c279a4b20b 100644 +--- a/sound/soc/davinci/davinci-mcasp.c ++++ b/sound/soc/davinci/davinci-mcasp.c +@@ -1150,6 +1150,28 @@ static int davinci_mcasp_trigger(struct snd_pcm_substream *substream, + return ret; + } + ++static int davinci_mcasp_hw_rule_slot_width(struct snd_pcm_hw_params *params, ++ struct snd_pcm_hw_rule *rule) ++{ ++ struct davinci_mcasp_ruledata *rd = rule->private; ++ struct snd_mask *fmt = hw_param_mask(params, SNDRV_PCM_HW_PARAM_FORMAT); ++ struct snd_mask nfmt; ++ int i, slot_width; ++ ++ snd_mask_none(&nfmt); ++ slot_width = rd->mcasp->slot_width; ++ ++ for (i = 0; i <= SNDRV_PCM_FORMAT_LAST; i++) { ++ if (snd_mask_test(fmt, i)) { ++ if (snd_pcm_format_width(i) <= slot_width) { ++ snd_mask_set(&nfmt, i); ++ } ++ } ++ } ++ ++ return snd_mask_refine(fmt, &nfmt); ++} ++ + static const unsigned int davinci_mcasp_dai_rates[] = { + 8000, 11025, 16000, 22050, 32000, 44100, 48000, 64000, + 88200, 96000, 176400, 192000, +@@ -1257,7 +1279,7 @@ static int davinci_mcasp_startup(struct snd_pcm_substream *substream, + struct davinci_mcasp_ruledata *ruledata = + &mcasp->ruledata[substream->stream]; + u32 max_channels = 0; +- int i, dir; ++ int i, dir, ret; + int tdm_slots = mcasp->tdm_slots; + + /* Do not allow more then one stream per direction */ +@@ -1286,6 +1308,7 @@ static int davinci_mcasp_startup(struct snd_pcm_substream *substream, + max_channels++; + } + ruledata->serializers = max_channels; ++ ruledata->mcasp = mcasp; + max_channels *= tdm_slots; + /* + * If the already active stream has less channels than the calculated +@@ -1311,20 +1334,22 @@ static int davinci_mcasp_startup(struct snd_pcm_substream *substream, + 0, SNDRV_PCM_HW_PARAM_CHANNELS, + &mcasp->chconstr[substream->stream]); + +- if (mcasp->slot_width) +- snd_pcm_hw_constraint_minmax(substream->runtime, +- SNDRV_PCM_HW_PARAM_SAMPLE_BITS, +- 8, mcasp->slot_width); ++ if (mcasp->slot_width) { ++ /* Only allow formats require <= slot_width bits on the bus */ ++ ret = snd_pcm_hw_rule_add(substream->runtime, 0, ++ SNDRV_PCM_HW_PARAM_FORMAT, ++ davinci_mcasp_hw_rule_slot_width, ++ ruledata, ++ SNDRV_PCM_HW_PARAM_FORMAT, -1); ++ if (ret) ++ return ret; ++ } + + /* + * If we rely on implicit BCLK divider setting we should + * set constraints based on what we can provide. + */ + if (mcasp->bclk_master && mcasp->bclk_div == 0 && mcasp->sysclk_freq) { +- int ret; +- +- ruledata->mcasp = mcasp; +- + ret = snd_pcm_hw_rule_add(substream->runtime, 0, + SNDRV_PCM_HW_PARAM_RATE, + davinci_mcasp_hw_rule_rate, +-- +2.20.1 + diff --git a/queue-4.19/block-bfq-handle-null-return-value-by-bfq_init_rq.patch b/queue-4.19/block-bfq-handle-null-return-value-by-bfq_init_rq.patch new file mode 100644 index 00000000000..b1d55fe04da --- /dev/null +++ b/queue-4.19/block-bfq-handle-null-return-value-by-bfq_init_rq.patch @@ -0,0 +1,76 @@ +From 3fde5c35d08619e5fd544341faf624d8769ca73a Mon Sep 17 00:00:00 2001 +From: Paolo Valente +Date: Wed, 7 Aug 2019 19:21:11 +0200 +Subject: block, bfq: handle NULL return value by bfq_init_rq() + +[ Upstream commit fd03177c33b287c6541f4048f1d67b7b45a1abc9 ] + +As reported in [1], the call bfq_init_rq(rq) may return NULL in case +of OOM (in particular, if rq->elv.icq is NULL because memory +allocation failed in failed in ioc_create_icq()). + +This commit handles this circumstance. + +[1] https://lkml.org/lkml/2019/7/22/824 + +Cc: Hsin-Yi Wang +Cc: Nicolas Boichat +Cc: Doug Anderson +Reported-by: Guenter Roeck +Reported-by: Hsin-Yi Wang +Reviewed-by: Guenter Roeck +Signed-off-by: Paolo Valente +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index becd793a258c8..d8d2ac294b0c0 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -1886,9 +1886,14 @@ static void bfq_request_merged(struct request_queue *q, struct request *req, + blk_rq_pos(container_of(rb_prev(&req->rb_node), + struct request, rb_node))) { + struct bfq_queue *bfqq = bfq_init_rq(req); +- struct bfq_data *bfqd = bfqq->bfqd; ++ struct bfq_data *bfqd; + struct request *prev, *next_rq; + ++ if (!bfqq) ++ return; ++ ++ bfqd = bfqq->bfqd; ++ + /* Reposition request in its sort_list */ + elv_rb_del(&bfqq->sort_list, req); + elv_rb_add(&bfqq->sort_list, req); +@@ -1930,6 +1935,9 @@ static void bfq_requests_merged(struct request_queue *q, struct request *rq, + struct bfq_queue *bfqq = bfq_init_rq(rq), + *next_bfqq = bfq_init_rq(next); + ++ if (!bfqq) ++ return; ++ + /* + * If next and rq belong to the same bfq_queue and next is older + * than rq, then reposition rq in the fifo (by substituting next +@@ -4590,12 +4598,12 @@ static void bfq_insert_request(struct blk_mq_hw_ctx *hctx, struct request *rq, + + spin_lock_irq(&bfqd->lock); + bfqq = bfq_init_rq(rq); +- if (at_head || blk_rq_is_passthrough(rq)) { ++ if (!bfqq || at_head || blk_rq_is_passthrough(rq)) { + if (at_head) + list_add(&rq->queuelist, &bfqd->dispatch); + else + list_add_tail(&rq->queuelist, &bfqd->dispatch); +- } else { /* bfqq is assumed to be non null here */ ++ } else { + idle_timer_disabled = __bfq_insert_request(bfqd, rq); + /* + * Update bfqq, because, if a queue merge has occurred +-- +2.20.1 + diff --git a/queue-4.19/bonding-force-slave-speed-check-after-link-state-rec.patch b/queue-4.19/bonding-force-slave-speed-check-after-link-state-rec.patch new file mode 100644 index 00000000000..2b37c4e6b4c --- /dev/null +++ b/queue-4.19/bonding-force-slave-speed-check-after-link-state-rec.patch @@ -0,0 +1,73 @@ +From 90fea1c52920aac58e976314ce68940241bf0e71 Mon Sep 17 00:00:00 2001 +From: Thomas Falcon +Date: Tue, 16 Jul 2019 17:25:10 -0500 +Subject: bonding: Force slave speed check after link state recovery for + 802.3ad + +[ Upstream commit 12185dfe44360f814ac4ead9d22ad2af7511b2e9 ] + +The following scenario was encountered during testing of logical +partition mobility on pseries partitions with bonded ibmvnic +adapters in LACP mode. + +1. Driver receives a signal that the device has been + swapped, and it needs to reset to initialize the new + device. + +2. Driver reports loss of carrier and begins initialization. + +3. Bonding driver receives NETDEV_CHANGE notifier and checks + the slave's current speed and duplex settings. Because these + are unknown at the time, the bond sets its link state to + BOND_LINK_FAIL and handles the speed update, clearing + AD_PORT_LACP_ENABLE. + +4. Driver finishes recovery and reports that the carrier is on. + +5. Bond receives a new notification and checks the speed again. + The speeds are valid but miimon has not altered the link + state yet. AD_PORT_LACP_ENABLE remains off. + +Because the slave's link state is still BOND_LINK_FAIL, +no further port checks are made when it recovers. Though +the slave devices are operational and have valid speed +and duplex settings, the bond will not send LACPDU's. The +simplest fix I can see is to force another speed check +in bond_miimon_commit. This way the bond will update +AD_PORT_LACP_ENABLE if needed when transitioning from +BOND_LINK_FAIL to BOND_LINK_UP. + +CC: Jarod Wilson +CC: Jay Vosburgh +CC: Veaceslav Falico +CC: Andy Gospodarek +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 8f14f85b8e95e..0d2392c4b625a 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2190,6 +2190,15 @@ static void bond_miimon_commit(struct bonding *bond) + bond_for_each_slave(bond, slave, iter) { + switch (slave->new_link) { + case BOND_LINK_NOCHANGE: ++ /* For 802.3ad mode, check current slave speed and ++ * duplex again in case its port was disabled after ++ * invalid speed/duplex reporting but recovered before ++ * link monitoring could make a decision on the actual ++ * link status ++ */ ++ if (BOND_MODE(bond) == BOND_MODE_8023AD && ++ slave->link == BOND_LINK_UP) ++ bond_3ad_adapter_speed_duplex_changed(slave); + continue; + + case BOND_LINK_UP: +-- +2.20.1 + diff --git a/queue-4.19/can-dev-call-netif_carrier_off-in-register_candev.patch b/queue-4.19/can-dev-call-netif_carrier_off-in-register_candev.patch new file mode 100644 index 00000000000..1fa09bc16f2 --- /dev/null +++ b/queue-4.19/can-dev-call-netif_carrier_off-in-register_candev.patch @@ -0,0 +1,38 @@ +From 59f2469422744f5ee295a46e265956d5f30ee3ce Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes +Date: Mon, 24 Jun 2019 08:34:13 +0000 +Subject: can: dev: call netif_carrier_off() in register_candev() + +[ Upstream commit c63845609c4700488e5eacd6ab4d06d5d420e5ef ] + +CONFIG_CAN_LEDS is deprecated. When trying to use the generic netdev +trigger as suggested, there's a small inconsistency with the link +property: The LED is on initially, stays on when the device is brought +up, and then turns off (as expected) when the device is brought down. + +Make sure the LED always reflects the state of the CAN device. + +Signed-off-by: Rasmus Villemoes +Acked-by: Willem de Bruijn +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/dev.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c +index c05e4d50d43d7..bd127ce3aba24 100644 +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -1260,6 +1260,8 @@ int register_candev(struct net_device *dev) + return -EINVAL; + + dev->rtnl_link_ops = &can_link_ops; ++ netif_carrier_off(dev); ++ + return register_netdev(dev); + } + EXPORT_SYMBOL_GPL(register_candev); +-- +2.20.1 + diff --git a/queue-4.19/can-gw-fix-error-path-of-cgw_module_init.patch b/queue-4.19/can-gw-fix-error-path-of-cgw_module_init.patch new file mode 100644 index 00000000000..cf5bf558b2c --- /dev/null +++ b/queue-4.19/can-gw-fix-error-path-of-cgw_module_init.patch @@ -0,0 +1,92 @@ +From 97b86eb5736e730dfcb0ea9e85434c75450f87eb Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Sat, 18 May 2019 17:35:43 +0800 +Subject: can: gw: Fix error path of cgw_module_init + +[ Upstream commit b7a14297f102b6e2ce6f16feffebbb9bde1e9b55 ] + +This patch add error path for cgw_module_init to avoid possible crash if +some error occurs. + +Fixes: c1aabdf379bc ("can-gw: add netlink based CAN routing") +Signed-off-by: YueHaibing +Acked-by: Oliver Hartkopp +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/gw.c | 48 +++++++++++++++++++++++++++++++++--------------- + 1 file changed, 33 insertions(+), 15 deletions(-) + +diff --git a/net/can/gw.c b/net/can/gw.c +index 53859346dc9a9..bd2161470e456 100644 +--- a/net/can/gw.c ++++ b/net/can/gw.c +@@ -1046,32 +1046,50 @@ static __init int cgw_module_init(void) + pr_info("can: netlink gateway (rev " CAN_GW_VERSION ") max_hops=%d\n", + max_hops); + +- register_pernet_subsys(&cangw_pernet_ops); ++ ret = register_pernet_subsys(&cangw_pernet_ops); ++ if (ret) ++ return ret; ++ ++ ret = -ENOMEM; + cgw_cache = kmem_cache_create("can_gw", sizeof(struct cgw_job), + 0, 0, NULL); +- + if (!cgw_cache) +- return -ENOMEM; ++ goto out_cache_create; + + /* set notifier */ + notifier.notifier_call = cgw_notifier; +- register_netdevice_notifier(¬ifier); ++ ret = register_netdevice_notifier(¬ifier); ++ if (ret) ++ goto out_register_notifier; + + ret = rtnl_register_module(THIS_MODULE, PF_CAN, RTM_GETROUTE, + NULL, cgw_dump_jobs, 0); +- if (ret) { +- unregister_netdevice_notifier(¬ifier); +- kmem_cache_destroy(cgw_cache); +- return -ENOBUFS; +- } +- +- /* Only the first call to rtnl_register_module can fail */ +- rtnl_register_module(THIS_MODULE, PF_CAN, RTM_NEWROUTE, +- cgw_create_job, NULL, 0); +- rtnl_register_module(THIS_MODULE, PF_CAN, RTM_DELROUTE, +- cgw_remove_job, NULL, 0); ++ if (ret) ++ goto out_rtnl_register1; ++ ++ ret = rtnl_register_module(THIS_MODULE, PF_CAN, RTM_NEWROUTE, ++ cgw_create_job, NULL, 0); ++ if (ret) ++ goto out_rtnl_register2; ++ ret = rtnl_register_module(THIS_MODULE, PF_CAN, RTM_DELROUTE, ++ cgw_remove_job, NULL, 0); ++ if (ret) ++ goto out_rtnl_register3; + + return 0; ++ ++out_rtnl_register3: ++ rtnl_unregister(PF_CAN, RTM_NEWROUTE); ++out_rtnl_register2: ++ rtnl_unregister(PF_CAN, RTM_GETROUTE); ++out_rtnl_register1: ++ unregister_netdevice_notifier(¬ifier); ++out_register_notifier: ++ kmem_cache_destroy(cgw_cache); ++out_cache_create: ++ unregister_pernet_subsys(&cangw_pernet_ops); ++ ++ return ret; + } + + static __exit void cgw_module_exit(void) +-- +2.20.1 + diff --git a/queue-4.19/can-mcp251x-add-error-check-when-wq-alloc-failed.patch b/queue-4.19/can-mcp251x-add-error-check-when-wq-alloc-failed.patch new file mode 100644 index 00000000000..1001976e080 --- /dev/null +++ b/queue-4.19/can-mcp251x-add-error-check-when-wq-alloc-failed.patch @@ -0,0 +1,105 @@ +From 10d4018f3e04e68c381ee8055337dfd50697411c Mon Sep 17 00:00:00 2001 +From: Weitao Hou +Date: Tue, 25 Jun 2019 20:50:48 +0800 +Subject: can: mcp251x: add error check when wq alloc failed + +[ Upstream commit 375f755899b8fc21196197e02aab26257df26e85 ] + +add error check when workqueue alloc failed, and remove redundant code +to make it clear. + +Fixes: e0000163e30e ("can: Driver for the Microchip MCP251x SPI CAN controllers") +Signed-off-by: Weitao Hou +Acked-by: Willem de Bruijn +Tested-by: Sean Nyekjaer +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/mcp251x.c | 49 ++++++++++++++++------------------- + 1 file changed, 22 insertions(+), 27 deletions(-) + +diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c +index da64e71a62ee2..fccb6bf21fada 100644 +--- a/drivers/net/can/spi/mcp251x.c ++++ b/drivers/net/can/spi/mcp251x.c +@@ -678,17 +678,6 @@ static int mcp251x_power_enable(struct regulator *reg, int enable) + return regulator_disable(reg); + } + +-static void mcp251x_open_clean(struct net_device *net) +-{ +- struct mcp251x_priv *priv = netdev_priv(net); +- struct spi_device *spi = priv->spi; +- +- free_irq(spi->irq, priv); +- mcp251x_hw_sleep(spi); +- mcp251x_power_enable(priv->transceiver, 0); +- close_candev(net); +-} +- + static int mcp251x_stop(struct net_device *net) + { + struct mcp251x_priv *priv = netdev_priv(net); +@@ -954,37 +943,43 @@ static int mcp251x_open(struct net_device *net) + flags | IRQF_ONESHOT, DEVICE_NAME, priv); + if (ret) { + dev_err(&spi->dev, "failed to acquire irq %d\n", spi->irq); +- mcp251x_power_enable(priv->transceiver, 0); +- close_candev(net); +- goto open_unlock; ++ goto out_close; + } + + priv->wq = alloc_workqueue("mcp251x_wq", WQ_FREEZABLE | WQ_MEM_RECLAIM, + 0); ++ if (!priv->wq) { ++ ret = -ENOMEM; ++ goto out_clean; ++ } + INIT_WORK(&priv->tx_work, mcp251x_tx_work_handler); + INIT_WORK(&priv->restart_work, mcp251x_restart_work_handler); + + ret = mcp251x_hw_reset(spi); +- if (ret) { +- mcp251x_open_clean(net); +- goto open_unlock; +- } ++ if (ret) ++ goto out_free_wq; + ret = mcp251x_setup(net, spi); +- if (ret) { +- mcp251x_open_clean(net); +- goto open_unlock; +- } ++ if (ret) ++ goto out_free_wq; + ret = mcp251x_set_normal_mode(spi); +- if (ret) { +- mcp251x_open_clean(net); +- goto open_unlock; +- } ++ if (ret) ++ goto out_free_wq; + + can_led_event(net, CAN_LED_EVENT_OPEN); + + netif_wake_queue(net); ++ mutex_unlock(&priv->mcp_lock); + +-open_unlock: ++ return 0; ++ ++out_free_wq: ++ destroy_workqueue(priv->wq); ++out_clean: ++ free_irq(spi->irq, priv); ++ mcp251x_hw_sleep(spi); ++out_close: ++ mcp251x_power_enable(priv->transceiver, 0); ++ close_candev(net); + mutex_unlock(&priv->mcp_lock); + return ret; + } +-- +2.20.1 + diff --git a/queue-4.19/can-peak_usb-force-the-string-buffer-null-terminated.patch b/queue-4.19/can-peak_usb-force-the-string-buffer-null-terminated.patch new file mode 100644 index 00000000000..41e25430680 --- /dev/null +++ b/queue-4.19/can-peak_usb-force-the-string-buffer-null-terminated.patch @@ -0,0 +1,38 @@ +From d9dd407b07403b9ebf596c87ed90f9b076a22b36 Mon Sep 17 00:00:00 2001 +From: Wang Xiayang +Date: Wed, 31 Jul 2019 15:25:59 +0800 +Subject: can: peak_usb: force the string buffer NULL-terminated + +[ Upstream commit e787f19373b8a5fa24087800ed78314fd17b984a ] + +strncpy() does not ensure NULL-termination when the input string size +equals to the destination buffer size IFNAMSIZ. The output string is +passed to dev_info() which relies on the NULL-termination. + +Use strlcpy() instead. + +This issue is identified by a Coccinelle script. + +Signed-off-by: Wang Xiayang +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/peak_usb/pcan_usb_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c +index 740ef47eab017..43b0fa2b99322 100644 +--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c +@@ -863,7 +863,7 @@ static void peak_usb_disconnect(struct usb_interface *intf) + + dev_prev_siblings = dev->prev_siblings; + dev->state &= ~PCAN_USB_STATE_CONNECTED; +- strncpy(name, netdev->name, IFNAMSIZ); ++ strlcpy(name, netdev->name, IFNAMSIZ); + + unregister_netdev(netdev); + +-- +2.20.1 + diff --git a/queue-4.19/can-sja1000-force-the-string-buffer-null-terminated.patch b/queue-4.19/can-sja1000-force-the-string-buffer-null-terminated.patch new file mode 100644 index 00000000000..8eb1b6fa5a7 --- /dev/null +++ b/queue-4.19/can-sja1000-force-the-string-buffer-null-terminated.patch @@ -0,0 +1,38 @@ +From 890b7699ff8e5b67900a1dd7143e12f1afae1ac6 Mon Sep 17 00:00:00 2001 +From: Wang Xiayang +Date: Wed, 31 Jul 2019 15:31:14 +0800 +Subject: can: sja1000: force the string buffer NULL-terminated + +[ Upstream commit cd28aa2e056cd1ea79fc5f24eed0ce868c6cab5c ] + +strncpy() does not ensure NULL-termination when the input string size +equals to the destination buffer size IFNAMSIZ. The output string +'name' is passed to dev_info which relies on NULL-termination. + +Use strlcpy() instead. + +This issue is identified by a Coccinelle script. + +Signed-off-by: Wang Xiayang +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/sja1000/peak_pcmcia.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/can/sja1000/peak_pcmcia.c b/drivers/net/can/sja1000/peak_pcmcia.c +index b8c39ede7cd51..179bfcd541f2f 100644 +--- a/drivers/net/can/sja1000/peak_pcmcia.c ++++ b/drivers/net/can/sja1000/peak_pcmcia.c +@@ -487,7 +487,7 @@ static void pcan_free_channels(struct pcan_pccard *card) + if (!netdev) + continue; + +- strncpy(name, netdev->name, IFNAMSIZ); ++ strlcpy(name, netdev->name, IFNAMSIZ); + + unregister_sja1000dev(netdev); + +-- +2.20.1 + diff --git a/queue-4.19/drm-rockchip-suspend-dp-late.patch b/queue-4.19/drm-rockchip-suspend-dp-late.patch new file mode 100644 index 00000000000..93343e8f408 --- /dev/null +++ b/queue-4.19/drm-rockchip-suspend-dp-late.patch @@ -0,0 +1,44 @@ +From ec0917d86c6a57e300ab650b1ca6bc078e025981 Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Fri, 2 Aug 2019 11:46:16 -0700 +Subject: drm/rockchip: Suspend DP late + +[ Upstream commit f7ccbed656f78212593ca965d9a8f34bf24e0aab ] + +In commit fe64ba5c6323 ("drm/rockchip: Resume DP early") we moved +resume to be early but left suspend at its normal time. This seems +like it could be OK, but casues problems if a suspend gets interrupted +partway through. The OS only balances matching suspend/resume levels. +...so if suspend was called then resume will be called. If suspend +late was called then resume early will be called. ...but if suspend +was called resume early might not get called. This leads to an +unbalance in the clock enables / disables. + +Lets take the simple fix and just move suspend to be late to match. +This makes the PM core take proper care in keeping things balanced. + +Fixes: fe64ba5c6323 ("drm/rockchip: Resume DP early") +Signed-off-by: Douglas Anderson +Signed-off-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20190802184616.44822-1-dianders@chromium.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/analogix_dp-rockchip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/rockchip/analogix_dp-rockchip.c b/drivers/gpu/drm/rockchip/analogix_dp-rockchip.c +index 080f053521950..6a4da3a0ff1c3 100644 +--- a/drivers/gpu/drm/rockchip/analogix_dp-rockchip.c ++++ b/drivers/gpu/drm/rockchip/analogix_dp-rockchip.c +@@ -436,7 +436,7 @@ static int rockchip_dp_resume(struct device *dev) + + static const struct dev_pm_ops rockchip_dp_pm_ops = { + #ifdef CONFIG_PM_SLEEP +- .suspend = rockchip_dp_suspend, ++ .suspend_late = rockchip_dp_suspend, + .resume_early = rockchip_dp_resume, + #endif + }; +-- +2.20.1 + diff --git a/queue-4.19/drm-vmwgfx-fix-memory-leak-when-too-many-retries-hav.patch b/queue-4.19/drm-vmwgfx-fix-memory-leak-when-too-many-retries-hav.patch new file mode 100644 index 00000000000..352d5c391be --- /dev/null +++ b/queue-4.19/drm-vmwgfx-fix-memory-leak-when-too-many-retries-hav.patch @@ -0,0 +1,41 @@ +From fecbaf0254158af54a10e520d035923f4d395f9b Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Mon, 24 Jun 2019 09:39:59 -0700 +Subject: drm/vmwgfx: fix memory leak when too many retries have occurred + +[ Upstream commit 6b7c3b86f0b63134b2ab56508921a0853ffa687a ] + +Currently when too many retries have occurred there is a memory +leak on the allocation for reply on the error return path. Fix +this by kfree'ing reply before returning. + +Addresses-Coverity: ("Resource leak") +Fixes: a9cd9c044aa9 ("drm/vmwgfx: Add a check to handle host message failure") +Signed-off-by: Colin Ian King +Reviewed-by: Deepak Rawat +Signed-off-by: Deepak Rawat +Signed-off-by: Thomas Hellstrom +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_msg.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c +index e4e09d47c5c0e..59e9d05ab928b 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c +@@ -389,8 +389,10 @@ static int vmw_recv_msg(struct rpc_channel *channel, void **msg, + break; + } + +- if (retries == RETRIES) ++ if (retries == RETRIES) { ++ kfree(reply); + return -EINVAL; ++ } + + *msg_len = reply_len; + *msg = reply; +-- +2.20.1 + diff --git a/queue-4.19/hid-add-044f-b320-thrustmaster-inc.-2-in-1-dt.patch b/queue-4.19/hid-add-044f-b320-thrustmaster-inc.-2-in-1-dt.patch new file mode 100644 index 00000000000..9d5e8b7d976 --- /dev/null +++ b/queue-4.19/hid-add-044f-b320-thrustmaster-inc.-2-in-1-dt.patch @@ -0,0 +1,65 @@ +From af689f1223fc59cad7e7fa4202dd1b404b8148e3 Mon Sep 17 00:00:00 2001 +From: Ilya Trukhanov +Date: Tue, 2 Jul 2019 13:37:16 +0300 +Subject: HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT + +[ Upstream commit 65f11c72780fa9d598df88def045ccb6a885cf80 ] + +Enable force feedback for the Thrustmaster Dual Trigger 2 in 1 Rumble Force +gamepad. Compared to other Thrustmaster devices, left and right rumble +motors here are swapped. + +Signed-off-by: Ilya Trukhanov +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-tmff.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/hid/hid-tmff.c b/drivers/hid/hid-tmff.c +index bea8def64f437..30b8c3256c991 100644 +--- a/drivers/hid/hid-tmff.c ++++ b/drivers/hid/hid-tmff.c +@@ -34,6 +34,8 @@ + + #include "hid-ids.h" + ++#define THRUSTMASTER_DEVICE_ID_2_IN_1_DT 0xb320 ++ + static const signed short ff_rumble[] = { + FF_RUMBLE, + -1 +@@ -88,6 +90,7 @@ static int tmff_play(struct input_dev *dev, void *data, + struct hid_field *ff_field = tmff->ff_field; + int x, y; + int left, right; /* Rumbling */ ++ int motor_swap; + + switch (effect->type) { + case FF_CONSTANT: +@@ -112,6 +115,13 @@ static int tmff_play(struct input_dev *dev, void *data, + ff_field->logical_minimum, + ff_field->logical_maximum); + ++ /* 2-in-1 strong motor is left */ ++ if (hid->product == THRUSTMASTER_DEVICE_ID_2_IN_1_DT) { ++ motor_swap = left; ++ left = right; ++ right = motor_swap; ++ } ++ + dbg_hid("(left,right)=(%08x, %08x)\n", left, right); + ff_field->value[0] = left; + ff_field->value[1] = right; +@@ -238,6 +248,8 @@ static const struct hid_device_id tm_devices[] = { + .driver_data = (unsigned long)ff_rumble }, + { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb304), /* FireStorm Dual Power 2 (and 3) */ + .driver_data = (unsigned long)ff_rumble }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, THRUSTMASTER_DEVICE_ID_2_IN_1_DT), /* Dual Trigger 2-in-1 */ ++ .driver_data = (unsigned long)ff_rumble }, + { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb323), /* Dual Trigger 3-in-1 (PC Mode) */ + .driver_data = (unsigned long)ff_rumble }, + { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb324), /* Dual Trigger 3-in-1 (PS3 Mode) */ +-- +2.20.1 + diff --git a/queue-4.19/hid-input-fix-a4tech-horizontal-wheel-custom-usage.patch b/queue-4.19/hid-input-fix-a4tech-horizontal-wheel-custom-usage.patch new file mode 100644 index 00000000000..49e4bd8ad72 --- /dev/null +++ b/queue-4.19/hid-input-fix-a4tech-horizontal-wheel-custom-usage.patch @@ -0,0 +1,98 @@ +From e5351bd83b9624d76841d87e0ef52ea214184466 Mon Sep 17 00:00:00 2001 +From: Nicolas Saenz Julienne +Date: Tue, 11 Jun 2019 14:13:20 +0200 +Subject: HID: input: fix a4tech horizontal wheel custom usage + +[ Upstream commit 1c703b53e5bfb5c2205c30f0fb157ce271fd42fb ] + +Some a4tech mice use the 'GenericDesktop.00b8' usage to inform whether +the previous wheel report was horizontal or vertical. Before +c01908a14bf73 ("HID: input: add mapping for "Toggle Display" key") this +usage was being mapped to 'Relative.Misc'. After the patch it's simply +ignored (usage->type == 0 & usage->code == 0). Which ultimately makes +hid-a4tech ignore the WHEEL/HWHEEL selection event, as it has no +usage->type. + +We shouldn't rely on a mapping for that usage as it's nonstandard and +doesn't really map to an input event. So we bypass the mapping and make +sure the custom event handling properly handles both reports. + +Fixes: c01908a14bf73 ("HID: input: add mapping for "Toggle Display" key") +Signed-off-by: Nicolas Saenz Julienne +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-a4tech.c | 30 +++++++++++++++++++++++++++--- + 1 file changed, 27 insertions(+), 3 deletions(-) + +diff --git a/drivers/hid/hid-a4tech.c b/drivers/hid/hid-a4tech.c +index 9428ea7cdf8a0..c52bd163abb3e 100644 +--- a/drivers/hid/hid-a4tech.c ++++ b/drivers/hid/hid-a4tech.c +@@ -26,12 +26,36 @@ + #define A4_2WHEEL_MOUSE_HACK_7 0x01 + #define A4_2WHEEL_MOUSE_HACK_B8 0x02 + ++#define A4_WHEEL_ORIENTATION (HID_UP_GENDESK | 0x000000b8) ++ + struct a4tech_sc { + unsigned long quirks; + unsigned int hw_wheel; + __s32 delayed_value; + }; + ++static int a4_input_mapping(struct hid_device *hdev, struct hid_input *hi, ++ struct hid_field *field, struct hid_usage *usage, ++ unsigned long **bit, int *max) ++{ ++ struct a4tech_sc *a4 = hid_get_drvdata(hdev); ++ ++ if (a4->quirks & A4_2WHEEL_MOUSE_HACK_B8 && ++ usage->hid == A4_WHEEL_ORIENTATION) { ++ /* ++ * We do not want to have this usage mapped to anything as it's ++ * nonstandard and doesn't really behave like an HID report. ++ * It's only selecting the orientation (vertical/horizontal) of ++ * the previous mouse wheel report. The input_events will be ++ * generated once both reports are recorded in a4_event(). ++ */ ++ return -1; ++ } ++ ++ return 0; ++ ++} ++ + static int a4_input_mapped(struct hid_device *hdev, struct hid_input *hi, + struct hid_field *field, struct hid_usage *usage, + unsigned long **bit, int *max) +@@ -53,8 +77,7 @@ static int a4_event(struct hid_device *hdev, struct hid_field *field, + struct a4tech_sc *a4 = hid_get_drvdata(hdev); + struct input_dev *input; + +- if (!(hdev->claimed & HID_CLAIMED_INPUT) || !field->hidinput || +- !usage->type) ++ if (!(hdev->claimed & HID_CLAIMED_INPUT) || !field->hidinput) + return 0; + + input = field->hidinput->input; +@@ -65,7 +88,7 @@ static int a4_event(struct hid_device *hdev, struct hid_field *field, + return 1; + } + +- if (usage->hid == 0x000100b8) { ++ if (usage->hid == A4_WHEEL_ORIENTATION) { + input_event(input, EV_REL, value ? REL_HWHEEL : + REL_WHEEL, a4->delayed_value); + return 1; +@@ -129,6 +152,7 @@ MODULE_DEVICE_TABLE(hid, a4_devices); + static struct hid_driver a4_driver = { + .name = "a4tech", + .id_table = a4_devices, ++ .input_mapping = a4_input_mapping, + .input_mapped = a4_input_mapped, + .event = a4_event, + .probe = a4_probe, +-- +2.20.1 + diff --git a/queue-4.19/hid-quirks-set-the-increment_usage_on_duplicate-quir.patch b/queue-4.19/hid-quirks-set-the-increment_usage_on_duplicate-quir.patch new file mode 100644 index 00000000000..61ae666682a --- /dev/null +++ b/queue-4.19/hid-quirks-set-the-increment_usage_on_duplicate-quir.patch @@ -0,0 +1,53 @@ +From 7109f218cce4d8ffa8ca6df6272c083b462551a1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Istv=C3=A1n=20V=C3=A1radi?= +Date: Wed, 24 Jul 2019 20:09:18 +0200 +Subject: HID: quirks: Set the INCREMENT_USAGE_ON_DUPLICATE quirk on Saitek X52 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 7bc74853fd61432ec59f812a40425bf6d8c986a4 ] + +The Saitek X52 joystick has a pair of axes that are originally +(by the Windows driver) used as mouse pointer controls. The corresponding +usage->hid values are 0x50024 and 0x50026. Thus they are handled +as unknown axes and both get mapped to ABS_MISC. The quirk makes +the second axis to be mapped to ABS_MISC1 and thus made available +separately. + +[jkosina@suse.cz: squashed two patches into one] +Signed-off-by: István Váradi +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 2898bb0619454..4a2fa57ddcb84 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -971,6 +971,7 @@ + #define USB_DEVICE_ID_SAITEK_RAT7 0x0cd7 + #define USB_DEVICE_ID_SAITEK_RAT9 0x0cfa + #define USB_DEVICE_ID_SAITEK_MMO7 0x0cd0 ++#define USB_DEVICE_ID_SAITEK_X52 0x075c + + #define USB_VENDOR_ID_SAMSUNG 0x0419 + #define USB_DEVICE_ID_SAMSUNG_IR_REMOTE 0x0001 +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index d29c7c9cd185d..e553f6fae7a4c 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -143,6 +143,7 @@ static const struct hid_device_id hid_quirks[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_RETROUSB, USB_DEVICE_ID_RETROUSB_SNES_RETROPAD), HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE }, + { HID_USB_DEVICE(USB_VENDOR_ID_RETROUSB, USB_DEVICE_ID_RETROUSB_SNES_RETROPORT), HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE }, + { HID_USB_DEVICE(USB_VENDOR_ID_SAITEK, USB_DEVICE_ID_SAITEK_RUMBLEPAD), HID_QUIRK_BADPAD }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_SAITEK, USB_DEVICE_ID_SAITEK_X52), HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE }, + { HID_USB_DEVICE(USB_VENDOR_ID_SEMICO, USB_DEVICE_ID_SEMICO_USB_KEYKOARD2), HID_QUIRK_NO_INIT_REPORTS }, + { HID_USB_DEVICE(USB_VENDOR_ID_SEMICO, USB_DEVICE_ID_SEMICO_USB_KEYKOARD), HID_QUIRK_NO_INIT_REPORTS }, + { HID_USB_DEVICE(USB_VENDOR_ID_SENNHEISER, USB_DEVICE_ID_SENNHEISER_BTD500USB), HID_QUIRK_NOGET }, +-- +2.20.1 + diff --git a/queue-4.19/isdn-hfcsusb-fix-misdn-driver-crash-caused-by-transf.patch b/queue-4.19/isdn-hfcsusb-fix-misdn-driver-crash-caused-by-transf.patch new file mode 100644 index 00000000000..a8db8d81a5b --- /dev/null +++ b/queue-4.19/isdn-hfcsusb-fix-misdn-driver-crash-caused-by-transf.patch @@ -0,0 +1,86 @@ +From 560ba6faf1389ae0922c2541b8df7604ae12aa02 Mon Sep 17 00:00:00 2001 +From: Juliana Rodrigueiro +Date: Wed, 31 Jul 2019 15:17:23 +0200 +Subject: isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on + the stack + +[ Upstream commit d8a1de3d5bb881507602bc02e004904828f88711 ] + +Since linux 4.9 it is not possible to use buffers on the stack for DMA transfers. + +During usb probe the driver crashes with "transfer buffer is on stack" message. + +This fix k-allocates a buffer to be used on "read_reg_atomic", which is a macro +that calls "usb_control_msg" under the hood. + +Kernel 4.19 backtrace: + +usb_hcd_submit_urb+0x3e5/0x900 +? sched_clock+0x9/0x10 +? log_store+0x203/0x270 +? get_random_u32+0x6f/0x90 +? cache_alloc_refill+0x784/0x8a0 +usb_submit_urb+0x3b4/0x550 +usb_start_wait_urb+0x4e/0xd0 +usb_control_msg+0xb8/0x120 +hfcsusb_probe+0x6bc/0xb40 [hfcsusb] +usb_probe_interface+0xc2/0x260 +really_probe+0x176/0x280 +driver_probe_device+0x49/0x130 +__driver_attach+0xa9/0xb0 +? driver_probe_device+0x130/0x130 +bus_for_each_dev+0x5a/0x90 +driver_attach+0x14/0x20 +? driver_probe_device+0x130/0x130 +bus_add_driver+0x157/0x1e0 +driver_register+0x51/0xe0 +usb_register_driver+0x5d/0x120 +? 0xf81ed000 +hfcsusb_drv_init+0x17/0x1000 [hfcsusb] +do_one_initcall+0x44/0x190 +? free_unref_page_commit+0x6a/0xd0 +do_init_module+0x46/0x1c0 +load_module+0x1dc1/0x2400 +sys_init_module+0xed/0x120 +do_fast_syscall_32+0x7a/0x200 +entry_SYSENTER_32+0x6b/0xbe + +Signed-off-by: Juliana Rodrigueiro +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/hardware/mISDN/hfcsusb.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c +index cfdb130cb1008..c952002c6301d 100644 +--- a/drivers/isdn/hardware/mISDN/hfcsusb.c ++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c +@@ -1705,13 +1705,23 @@ hfcsusb_stop_endpoint(struct hfcsusb *hw, int channel) + static int + setup_hfcsusb(struct hfcsusb *hw) + { ++ void *dmabuf = kmalloc(sizeof(u_char), GFP_KERNEL); + u_char b; ++ int ret; + + if (debug & DBG_HFC_CALL_TRACE) + printk(KERN_DEBUG "%s: %s\n", hw->name, __func__); + ++ if (!dmabuf) ++ return -ENOMEM; ++ ++ ret = read_reg_atomic(hw, HFCUSB_CHIP_ID, dmabuf); ++ ++ memcpy(&b, dmabuf, sizeof(u_char)); ++ kfree(dmabuf); ++ + /* check the chip id */ +- if (read_reg_atomic(hw, HFCUSB_CHIP_ID, &b) != 1) { ++ if (ret != 1) { + printk(KERN_DEBUG "%s: %s: cannot read chip id\n", + hw->name, __func__); + return 1; +-- +2.20.1 + diff --git a/queue-4.19/isdn-misdn-hfcsusb-fix-possible-null-pointer-derefer.patch b/queue-4.19/isdn-misdn-hfcsusb-fix-possible-null-pointer-derefer.patch new file mode 100644 index 00000000000..2fa5d6184dc --- /dev/null +++ b/queue-4.19/isdn-misdn-hfcsusb-fix-possible-null-pointer-derefer.patch @@ -0,0 +1,49 @@ +From 8d650031a57237801b769e7142eff88455619928 Mon Sep 17 00:00:00 2001 +From: Jia-Ju Bai +Date: Fri, 26 Jul 2019 16:27:36 +0800 +Subject: isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in + start_isoc_chain() + +[ Upstream commit a0d57a552b836206ad7705a1060e6e1ce5a38203 ] + +In start_isoc_chain(), usb_alloc_urb() on line 1392 may fail +and return NULL. At this time, fifo->iso[i].urb is assigned to NULL. + +Then, fifo->iso[i].urb is used at some places, such as: +LINE 1405: fill_isoc_urb(fifo->iso[i].urb, ...) + urb->number_of_packets = num_packets; + urb->transfer_flags = URB_ISO_ASAP; + urb->actual_length = 0; + urb->interval = interval; +LINE 1416: fifo->iso[i].urb->... +LINE 1419: fifo->iso[i].urb->... + +Thus, possible null-pointer dereferences may occur. + +To fix these bugs, "continue" is added to avoid using fifo->iso[i].urb +when it is NULL. + +These bugs are found by a static analysis tool STCheck written by us. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/hardware/mISDN/hfcsusb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c +index 060dc7fd66c1d..cfdb130cb1008 100644 +--- a/drivers/isdn/hardware/mISDN/hfcsusb.c ++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c +@@ -1406,6 +1406,7 @@ start_isoc_chain(struct usb_fifo *fifo, int num_packets_per_urb, + printk(KERN_DEBUG + "%s: %s: alloc urb for fifo %i failed", + hw->name, __func__, fifo->fifonum); ++ continue; + } + fifo->iso[i].owner_fifo = (struct usb_fifo *) fifo; + fifo->iso[i].indx = i; +-- +2.20.1 + diff --git a/queue-4.19/kvm-arm-don-t-write-junk-to-cp15-registers-on-reset.patch b/queue-4.19/kvm-arm-don-t-write-junk-to-cp15-registers-on-reset.patch new file mode 100644 index 00000000000..294cafce6dc --- /dev/null +++ b/queue-4.19/kvm-arm-don-t-write-junk-to-cp15-registers-on-reset.patch @@ -0,0 +1,83 @@ +From c32513ffc1e6dc3cb0de0ca21db59c072ee151f2 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Mon, 5 Aug 2019 10:34:51 +0100 +Subject: KVM: arm: Don't write junk to CP15 registers on reset + +[ Upstream commit c69509c70aa45a8c4954c88c629a64acf4ee4a36 ] + +At the moment, the way we reset CP15 registers is mildly insane: +We write junk to them, call the reset functions, and then check that +we have something else in them. + +The "fun" thing is that this can happen while the guest is running +(PSCI, for example). If anything in KVM has to evaluate the state +of a CP15 register while junk is in there, bad thing may happen. + +Let's stop doing that. Instead, we track that we have called a +reset function for that register, and assume that the reset +function has done something. + +In the end, the very need of this reset check is pretty dubious, +as it doesn't check everything (a lot of the CP15 reg leave outside +of the cp15_regs[] array). It may well be axed in the near future. + +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + arch/arm/kvm/coproc.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +diff --git a/arch/arm/kvm/coproc.c b/arch/arm/kvm/coproc.c +index fd6cde23bb5d0..871fa50a09f19 100644 +--- a/arch/arm/kvm/coproc.c ++++ b/arch/arm/kvm/coproc.c +@@ -658,13 +658,22 @@ int kvm_handle_cp14_64(struct kvm_vcpu *vcpu, struct kvm_run *run) + } + + static void reset_coproc_regs(struct kvm_vcpu *vcpu, +- const struct coproc_reg *table, size_t num) ++ const struct coproc_reg *table, size_t num, ++ unsigned long *bmap) + { + unsigned long i; + + for (i = 0; i < num; i++) +- if (table[i].reset) ++ if (table[i].reset) { ++ int reg = table[i].reg; ++ + table[i].reset(vcpu, &table[i]); ++ if (reg > 0 && reg < NR_CP15_REGS) { ++ set_bit(reg, bmap); ++ if (table[i].is_64bit) ++ set_bit(reg + 1, bmap); ++ } ++ } + } + + static struct coproc_params decode_32bit_hsr(struct kvm_vcpu *vcpu) +@@ -1439,17 +1448,15 @@ void kvm_reset_coprocs(struct kvm_vcpu *vcpu) + { + size_t num; + const struct coproc_reg *table; +- +- /* Catch someone adding a register without putting in reset entry. */ +- memset(vcpu->arch.ctxt.cp15, 0x42, sizeof(vcpu->arch.ctxt.cp15)); ++ DECLARE_BITMAP(bmap, NR_CP15_REGS) = { 0, }; + + /* Generic chip reset first (so target could override). */ +- reset_coproc_regs(vcpu, cp15_regs, ARRAY_SIZE(cp15_regs)); ++ reset_coproc_regs(vcpu, cp15_regs, ARRAY_SIZE(cp15_regs), bmap); + + table = get_target_table(vcpu->arch.target, &num); +- reset_coproc_regs(vcpu, table, num); ++ reset_coproc_regs(vcpu, table, num, bmap); + + for (num = 1; num < NR_CP15_REGS; num++) +- WARN(vcpu_cp15(vcpu, num) == 0x42424242, ++ WARN(!test_bit(num, bmap), + "Didn't reset vcpu_cp15(vcpu, %zi)", num); + } +-- +2.20.1 + diff --git a/queue-4.19/kvm-arm64-don-t-write-junk-to-sysregs-on-reset.patch b/queue-4.19/kvm-arm64-don-t-write-junk-to-sysregs-on-reset.patch new file mode 100644 index 00000000000..5d11a907a93 --- /dev/null +++ b/queue-4.19/kvm-arm64-don-t-write-junk-to-sysregs-on-reset.patch @@ -0,0 +1,119 @@ +From 164ef9dc267c317b5bab128373ac0aeccba71455 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Mon, 5 Aug 2019 10:34:51 +0100 +Subject: KVM: arm64: Don't write junk to sysregs on reset + +[ Upstream commit 03fdfb2690099c19160a3f2c5b77db60b3afeded ] + +At the moment, the way we reset system registers is mildly insane: +We write junk to them, call the reset functions, and then check that +we have something else in them. + +The "fun" thing is that this can happen while the guest is running +(PSCI, for example). If anything in KVM has to evaluate the state +of a system register while junk is in there, bad thing may happen. + +Let's stop doing that. Instead, we track that we have called a +reset function for that register, and assume that the reset +function has done something. This requires fixing a couple of +sysreg refinition in the trap table. + +In the end, the very need of this reset check is pretty dubious, +as it doesn't check everything (a lot of the sysregs leave outside of +the sys_regs[] array). It may well be axed in the near future. + +Tested-by: Zenghui Yu +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + arch/arm64/kvm/sys_regs.c | 32 ++++++++++++++++++-------------- + 1 file changed, 18 insertions(+), 14 deletions(-) + +diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c +index d112af75680bb..6da2bbdb9648f 100644 +--- a/arch/arm64/kvm/sys_regs.c ++++ b/arch/arm64/kvm/sys_regs.c +@@ -626,7 +626,7 @@ static void reset_pmcr(struct kvm_vcpu *vcpu, const struct sys_reg_desc *r) + */ + val = ((pmcr & ~ARMV8_PMU_PMCR_MASK) + | (ARMV8_PMU_PMCR_MASK & 0xdecafbad)) & (~ARMV8_PMU_PMCR_E); +- __vcpu_sys_reg(vcpu, PMCR_EL0) = val; ++ __vcpu_sys_reg(vcpu, r->reg) = val; + } + + static bool check_pmu_access_disabled(struct kvm_vcpu *vcpu, u64 flags) +@@ -968,13 +968,13 @@ static bool access_pmuserenr(struct kvm_vcpu *vcpu, struct sys_reg_params *p, + /* Silly macro to expand the DBG{BCR,BVR,WVR,WCR}n_EL1 registers in one go */ + #define DBG_BCR_BVR_WCR_WVR_EL1(n) \ + { SYS_DESC(SYS_DBGBVRn_EL1(n)), \ +- trap_bvr, reset_bvr, n, 0, get_bvr, set_bvr }, \ ++ trap_bvr, reset_bvr, 0, 0, get_bvr, set_bvr }, \ + { SYS_DESC(SYS_DBGBCRn_EL1(n)), \ +- trap_bcr, reset_bcr, n, 0, get_bcr, set_bcr }, \ ++ trap_bcr, reset_bcr, 0, 0, get_bcr, set_bcr }, \ + { SYS_DESC(SYS_DBGWVRn_EL1(n)), \ +- trap_wvr, reset_wvr, n, 0, get_wvr, set_wvr }, \ ++ trap_wvr, reset_wvr, 0, 0, get_wvr, set_wvr }, \ + { SYS_DESC(SYS_DBGWCRn_EL1(n)), \ +- trap_wcr, reset_wcr, n, 0, get_wcr, set_wcr } ++ trap_wcr, reset_wcr, 0, 0, get_wcr, set_wcr } + + /* Macro to expand the PMEVCNTRn_EL0 register */ + #define PMU_PMEVCNTR_EL0(n) \ +@@ -1359,7 +1359,7 @@ static const struct sys_reg_desc sys_reg_descs[] = { + + { SYS_DESC(SYS_CSSELR_EL1), NULL, reset_unknown, CSSELR_EL1 }, + +- { SYS_DESC(SYS_PMCR_EL0), access_pmcr, reset_pmcr, }, ++ { SYS_DESC(SYS_PMCR_EL0), access_pmcr, reset_pmcr, PMCR_EL0 }, + { SYS_DESC(SYS_PMCNTENSET_EL0), access_pmcnten, reset_unknown, PMCNTENSET_EL0 }, + { SYS_DESC(SYS_PMCNTENCLR_EL0), access_pmcnten, NULL, PMCNTENSET_EL0 }, + { SYS_DESC(SYS_PMOVSCLR_EL0), access_pmovs, NULL, PMOVSSET_EL0 }, +@@ -2072,13 +2072,19 @@ static int emulate_sys_reg(struct kvm_vcpu *vcpu, + } + + static void reset_sys_reg_descs(struct kvm_vcpu *vcpu, +- const struct sys_reg_desc *table, size_t num) ++ const struct sys_reg_desc *table, size_t num, ++ unsigned long *bmap) + { + unsigned long i; + + for (i = 0; i < num; i++) +- if (table[i].reset) ++ if (table[i].reset) { ++ int reg = table[i].reg; ++ + table[i].reset(vcpu, &table[i]); ++ if (reg > 0 && reg < NR_SYS_REGS) ++ set_bit(reg, bmap); ++ } + } + + /** +@@ -2576,18 +2582,16 @@ void kvm_reset_sys_regs(struct kvm_vcpu *vcpu) + { + size_t num; + const struct sys_reg_desc *table; +- +- /* Catch someone adding a register without putting in reset entry. */ +- memset(&vcpu->arch.ctxt.sys_regs, 0x42, sizeof(vcpu->arch.ctxt.sys_regs)); ++ DECLARE_BITMAP(bmap, NR_SYS_REGS) = { 0, }; + + /* Generic chip reset first (so target could override). */ +- reset_sys_reg_descs(vcpu, sys_reg_descs, ARRAY_SIZE(sys_reg_descs)); ++ reset_sys_reg_descs(vcpu, sys_reg_descs, ARRAY_SIZE(sys_reg_descs), bmap); + + table = get_target_table(vcpu->arch.target, true, &num); +- reset_sys_reg_descs(vcpu, table, num); ++ reset_sys_reg_descs(vcpu, table, num, bmap); + + for (num = 1; num < NR_SYS_REGS; num++) { +- if (WARN(__vcpu_sys_reg(vcpu, num) == 0x4242424242424242, ++ if (WARN(!test_bit(num, bmap), + "Didn't reset __vcpu_sys_reg(%zi)\n", num)) + break; + } +-- +2.20.1 + diff --git a/queue-4.19/libata-add-sg-safety-checks-in-sff-pio-transfers.patch b/queue-4.19/libata-add-sg-safety-checks-in-sff-pio-transfers.patch new file mode 100644 index 00000000000..2618283ca37 --- /dev/null +++ b/queue-4.19/libata-add-sg-safety-checks-in-sff-pio-transfers.patch @@ -0,0 +1,46 @@ +From cd6e73bf4742958c33bae553ce37264d8026c32c Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Wed, 7 Aug 2019 12:23:57 -0600 +Subject: libata: add SG safety checks in SFF pio transfers + +[ Upstream commit 752ead44491e8c91e14d7079625c5916b30921c5 ] + +Abort processing of a command if we run out of mapped data in the +SG list. This should never happen, but a previous bug caused it to +be possible. Play it safe and attempt to abort nicely if we don't +have more SG segments left. + +Reviewed-by: Kees Cook +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-sff.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c +index c5ea0fc635e54..873cc09060551 100644 +--- a/drivers/ata/libata-sff.c ++++ b/drivers/ata/libata-sff.c +@@ -674,6 +674,10 @@ static void ata_pio_sector(struct ata_queued_cmd *qc) + unsigned int offset; + unsigned char *buf; + ++ if (!qc->cursg) { ++ qc->curbytes = qc->nbytes; ++ return; ++ } + if (qc->curbytes == qc->nbytes - qc->sect_size) + ap->hsm_task_state = HSM_ST_LAST; + +@@ -699,6 +703,8 @@ static void ata_pio_sector(struct ata_queued_cmd *qc) + + if (qc->cursg_ofs == qc->cursg->length) { + qc->cursg = sg_next(qc->cursg); ++ if (!qc->cursg) ++ ap->hsm_task_state = HSM_ST_LAST; + qc->cursg_ofs = 0; + } + } +-- +2.20.1 + diff --git a/queue-4.19/libata-have-ata_scsi_rw_xlat-fail-invalid-passthroug.patch b/queue-4.19/libata-have-ata_scsi_rw_xlat-fail-invalid-passthroug.patch new file mode 100644 index 00000000000..db9c7452514 --- /dev/null +++ b/queue-4.19/libata-have-ata_scsi_rw_xlat-fail-invalid-passthroug.patch @@ -0,0 +1,82 @@ +From 3dcb3826f692a8392e548a67aec5b0ca9178c3b3 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Wed, 7 Aug 2019 12:20:52 -0600 +Subject: libata: have ata_scsi_rw_xlat() fail invalid passthrough requests + +[ Upstream commit 2d7271501720038381d45fb3dcbe4831228fc8cc ] + +For passthrough requests, libata-scsi takes what the user passes in +as gospel. This can be problematic if the user fills in the CDB +incorrectly. One example of that is in request sizes. For read/write +commands, the CDB contains fields describing the transfer length of +the request. These should match with the SG_IO header fields, but +libata-scsi currently does no validation of that. + +Check that the number of blocks in the CDB for passthrough requests +matches what was mapped into the request. If the CDB asks for more +data then the validated SG_IO header fields, error it. + +Reported-by: Krishna Ram Prakash R +Reviewed-by: Kees Cook +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-scsi.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c +index 1984fc78c750b..3a64fa4aaf7e3 100644 +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -1803,6 +1803,21 @@ nothing_to_do: + return 1; + } + ++static bool ata_check_nblocks(struct scsi_cmnd *scmd, u32 n_blocks) ++{ ++ struct request *rq = scmd->request; ++ u32 req_blocks; ++ ++ if (!blk_rq_is_passthrough(rq)) ++ return true; ++ ++ req_blocks = blk_rq_bytes(rq) / scmd->device->sector_size; ++ if (n_blocks > req_blocks) ++ return false; ++ ++ return true; ++} ++ + /** + * ata_scsi_rw_xlat - Translate SCSI r/w command into an ATA one + * @qc: Storage for translated ATA taskfile +@@ -1847,6 +1862,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc) + scsi_10_lba_len(cdb, &block, &n_block); + if (cdb[1] & (1 << 3)) + tf_flags |= ATA_TFLAG_FUA; ++ if (!ata_check_nblocks(scmd, n_block)) ++ goto invalid_fld; + break; + case READ_6: + case WRITE_6: +@@ -1861,6 +1878,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc) + */ + if (!n_block) + n_block = 256; ++ if (!ata_check_nblocks(scmd, n_block)) ++ goto invalid_fld; + break; + case READ_16: + case WRITE_16: +@@ -1871,6 +1890,8 @@ static unsigned int ata_scsi_rw_xlat(struct ata_queued_cmd *qc) + scsi_16_lba_len(cdb, &block, &n_block); + if (cdb[1] & (1 << 3)) + tf_flags |= ATA_TFLAG_FUA; ++ if (!ata_check_nblocks(scmd, n_block)) ++ goto invalid_fld; + break; + default: + DPRINTK("no-byte command\n"); +-- +2.20.1 + diff --git a/queue-4.19/mac80211_hwsim-fix-possible-null-pointer-dereference.patch b/queue-4.19/mac80211_hwsim-fix-possible-null-pointer-dereference.patch new file mode 100644 index 00000000000..8d740b8fb5f --- /dev/null +++ b/queue-4.19/mac80211_hwsim-fix-possible-null-pointer-dereference.patch @@ -0,0 +1,51 @@ +From 5a1818eb313bc34131b3e9cf6dbef34a9ba95101 Mon Sep 17 00:00:00 2001 +From: Jia-Ju Bai +Date: Mon, 29 Jul 2019 16:23:32 +0800 +Subject: mac80211_hwsim: Fix possible null-pointer dereferences in + hwsim_dump_radio_nl() + +[ Upstream commit b55f3b841099e641bdb2701d361a4c304e2dbd6f ] + +In hwsim_dump_radio_nl(), when genlmsg_put() on line 3617 fails, hdr is +assigned to NULL. Then hdr is used on lines 3622 and 3623: + genl_dump_check_consistent(cb, hdr); + genlmsg_end(skb, hdr); + +Thus, possible null-pointer dereferences may occur. + +To fix these bugs, hdr is used here when it is not NULL. + +This bug is found by a static analysis tool STCheck written by us. + +Signed-off-by: Jia-Ju Bai +Link: https://lore.kernel.org/r/20190729082332.28895-1-baijiaju1990@gmail.com +[put braces on all branches] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mac80211_hwsim.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index 7cd428c0af433..ce2dd06af62e8 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -3502,10 +3502,12 @@ static int hwsim_dump_radio_nl(struct sk_buff *skb, + hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, + cb->nlh->nlmsg_seq, &hwsim_genl_family, + NLM_F_MULTI, HWSIM_CMD_GET_RADIO); +- if (!hdr) ++ if (hdr) { ++ genl_dump_check_consistent(cb, hdr); ++ genlmsg_end(skb, hdr); ++ } else { + res = -EMSGSIZE; +- genl_dump_check_consistent(cb, hdr); +- genlmsg_end(skb, hdr); ++ } + } + + done: +-- +2.20.1 + diff --git a/queue-4.19/mips-fix-cacheinfo.patch b/queue-4.19/mips-fix-cacheinfo.patch new file mode 100644 index 00000000000..dd336b136b5 --- /dev/null +++ b/queue-4.19/mips-fix-cacheinfo.patch @@ -0,0 +1,47 @@ +From dde27cc28e5216a30bbc27ce69540eb1889f3352 Mon Sep 17 00:00:00 2001 +From: Vladimir Kondratiev +Date: Tue, 16 Jul 2019 10:36:56 +0300 +Subject: mips: fix cacheinfo + +[ Upstream commit b8bea8a5e5d942e62203416ab41edecaed4fda02 ] + +Because CONFIG_OF defined for MIPS, cacheinfo attempts to fill information +from DT, ignoring data filled by architecture routine. This leads to error +reported + + cacheinfo: Unable to detect cache hierarchy for CPU 0 + +Way to fix this provided in +commit fac51482577d ("drivers: base: cacheinfo: fix x86 with + CONFIG_OF enabled") + +Utilize same mechanism to report that cacheinfo set by architecture +specific function + +Signed-off-by: Vladimir Kondratiev +Signed-off-by: Paul Burton +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-mips@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/cacheinfo.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/mips/kernel/cacheinfo.c b/arch/mips/kernel/cacheinfo.c +index 97d5239ca47ba..428ef21892039 100644 +--- a/arch/mips/kernel/cacheinfo.c ++++ b/arch/mips/kernel/cacheinfo.c +@@ -80,6 +80,8 @@ static int __populate_cache_leaves(unsigned int cpu) + if (c->tcache.waysize) + populate_cache(tcache, this_leaf, 3, CACHE_TYPE_UNIFIED); + ++ this_cpu_ci->cpu_map_populated = true; ++ + return 0; + } + +-- +2.20.1 + diff --git a/queue-4.19/mips-kernel-only-use-i8253-clocksource-with-periodic.patch b/queue-4.19/mips-kernel-only-use-i8253-clocksource-with-periodic.patch new file mode 100644 index 00000000000..38f17efa93f --- /dev/null +++ b/queue-4.19/mips-kernel-only-use-i8253-clocksource-with-periodic.patch @@ -0,0 +1,38 @@ +From de31d7a5e2d518d06285579e3341f4f59eef0a3f Mon Sep 17 00:00:00 2001 +From: Thomas Bogendoerfer +Date: Mon, 13 May 2019 13:47:25 +0200 +Subject: MIPS: kernel: only use i8253 clocksource with periodic clockevent + +[ Upstream commit a07e3324538a989b7cdbf2c679be6a7f9df2544f ] + +i8253 clocksource needs a free running timer. This could only +be used, if i8253 clockevent is set up as periodic. + +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Paul Burton +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-mips@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/i8253.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/mips/kernel/i8253.c b/arch/mips/kernel/i8253.c +index 5f209f111e59e..df7ddd246eaac 100644 +--- a/arch/mips/kernel/i8253.c ++++ b/arch/mips/kernel/i8253.c +@@ -32,7 +32,8 @@ void __init setup_pit_timer(void) + + static int __init init_pit_clocksource(void) + { +- if (num_possible_cpus() > 1) /* PIT does not scale! */ ++ if (num_possible_cpus() > 1 || /* PIT does not scale! */ ++ !clockevent_state_periodic(&i8253_clockevent)) + return 0; + + return clocksource_i8253_init(); +-- +2.20.1 + diff --git a/queue-4.19/net-cxgb3_main-fix-a-resource-leak-in-a-error-path-i.patch b/queue-4.19/net-cxgb3_main-fix-a-resource-leak-in-a-error-path-i.patch new file mode 100644 index 00000000000..9a8da32950c --- /dev/null +++ b/queue-4.19/net-cxgb3_main-fix-a-resource-leak-in-a-error-path-i.patch @@ -0,0 +1,44 @@ +From 93f3a9288cec1a060527f3b02d3421a73962c415 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Tue, 6 Aug 2019 10:55:12 +0200 +Subject: net: cxgb3_main: Fix a resource leak in a error path in 'init_one()' + +[ Upstream commit debea2cd3193ac868289e8893c3a719c265b0612 ] + +A call to 'kfree_skb()' is missing in the error handling path of +'init_one()'. +This is already present in 'remove_one()' but is missing here. + +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +index c34ea385fe4a5..6be6de0774b61 100644 +--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +@@ -3270,7 +3270,7 @@ static int init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + if (!adapter->regs) { + dev_err(&pdev->dev, "cannot map device registers\n"); + err = -ENOMEM; +- goto out_free_adapter; ++ goto out_free_adapter_nofail; + } + + adapter->pdev = pdev; +@@ -3398,6 +3398,9 @@ out_free_dev: + if (adapter->port[i]) + free_netdev(adapter->port[i]); + ++out_free_adapter_nofail: ++ kfree_skb(adapter->nofail_skb); ++ + out_free_adapter: + kfree(adapter); + +-- +2.20.1 + diff --git a/queue-4.19/net-ethernet-qlogic-qed-force-the-string-buffer-null.patch b/queue-4.19/net-ethernet-qlogic-qed-force-the-string-buffer-null.patch new file mode 100644 index 00000000000..c056c8e331e --- /dev/null +++ b/queue-4.19/net-ethernet-qlogic-qed-force-the-string-buffer-null.patch @@ -0,0 +1,40 @@ +From 486fb2321612e27dca9b0373e3a6f2330d2c6b09 Mon Sep 17 00:00:00 2001 +From: Wang Xiayang +Date: Wed, 31 Jul 2019 16:15:42 +0800 +Subject: net/ethernet/qlogic/qed: force the string buffer NULL-terminated + +[ Upstream commit 3690c8c9a8edff0db077a38783112d8fe12a7dd2 ] + +strncpy() does not ensure NULL-termination when the input string +size equals to the destination buffer size 30. +The output string is passed to qed_int_deassertion_aeu_bit() +which calls DP_INFO() and relies NULL-termination. + +Use strlcpy instead. The other conditional branch above strncpy() +needs no fix as snprintf() ensures NULL-termination. + +This issue is identified by a Coccinelle script. + +Signed-off-by: Wang Xiayang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_int.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_int.c b/drivers/net/ethernet/qlogic/qed/qed_int.c +index b22f464ea3fa7..f9e475075d3ea 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_int.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_int.c +@@ -939,7 +939,7 @@ static int qed_int_deassertion(struct qed_hwfn *p_hwfn, + snprintf(bit_name, 30, + p_aeu->bit_name, num); + else +- strncpy(bit_name, ++ strlcpy(bit_name, + p_aeu->bit_name, 30); + + /* We now need to pass bitmask in its +-- +2.20.1 + diff --git a/queue-4.19/net-hisilicon-fix-dma_map_single-failed-on-arm64.patch b/queue-4.19/net-hisilicon-fix-dma_map_single-failed-on-arm64.patch new file mode 100644 index 00000000000..2b74c5020b5 --- /dev/null +++ b/queue-4.19/net-hisilicon-fix-dma_map_single-failed-on-arm64.patch @@ -0,0 +1,107 @@ +From 55da4c58a015f6842536db8b2256649d3391a72a Mon Sep 17 00:00:00 2001 +From: Jiangfeng Xiao +Date: Sat, 3 Aug 2019 20:31:41 +0800 +Subject: net: hisilicon: Fix dma_map_single failed on arm64 + +[ Upstream commit 96a50c0d907ac8f5c3d6b051031a19eb8a2b53e3 ] + +On the arm64 platform, executing "ifconfig eth0 up" will fail, +returning "ifconfig: SIOCSIFFLAGS: Input/output error." + +ndev->dev is not initialized, dma_map_single->get_dma_ops-> +dummy_dma_ops->__dummy_map_page will return DMA_ERROR_CODE +directly, so when we use dma_map_single, the first parameter +is to use the device of platform_device. + +Signed-off-by: Jiangfeng Xiao +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hip04_eth.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c +index fe3b1637fd5f4..a91d49dd92ea6 100644 +--- a/drivers/net/ethernet/hisilicon/hip04_eth.c ++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c +@@ -157,6 +157,7 @@ struct hip04_priv { + unsigned int reg_inten; + + struct napi_struct napi; ++ struct device *dev; + struct net_device *ndev; + + struct tx_desc *tx_desc; +@@ -387,7 +388,7 @@ static int hip04_tx_reclaim(struct net_device *ndev, bool force) + } + + if (priv->tx_phys[tx_tail]) { +- dma_unmap_single(&ndev->dev, priv->tx_phys[tx_tail], ++ dma_unmap_single(priv->dev, priv->tx_phys[tx_tail], + priv->tx_skb[tx_tail]->len, + DMA_TO_DEVICE); + priv->tx_phys[tx_tail] = 0; +@@ -437,8 +438,8 @@ static int hip04_mac_start_xmit(struct sk_buff *skb, struct net_device *ndev) + return NETDEV_TX_BUSY; + } + +- phys = dma_map_single(&ndev->dev, skb->data, skb->len, DMA_TO_DEVICE); +- if (dma_mapping_error(&ndev->dev, phys)) { ++ phys = dma_map_single(priv->dev, skb->data, skb->len, DMA_TO_DEVICE); ++ if (dma_mapping_error(priv->dev, phys)) { + dev_kfree_skb(skb); + return NETDEV_TX_OK; + } +@@ -508,7 +509,7 @@ static int hip04_rx_poll(struct napi_struct *napi, int budget) + goto refill; + } + +- dma_unmap_single(&ndev->dev, priv->rx_phys[priv->rx_head], ++ dma_unmap_single(priv->dev, priv->rx_phys[priv->rx_head], + RX_BUF_SIZE, DMA_FROM_DEVICE); + priv->rx_phys[priv->rx_head] = 0; + +@@ -537,9 +538,9 @@ refill: + buf = netdev_alloc_frag(priv->rx_buf_size); + if (!buf) + goto done; +- phys = dma_map_single(&ndev->dev, buf, ++ phys = dma_map_single(priv->dev, buf, + RX_BUF_SIZE, DMA_FROM_DEVICE); +- if (dma_mapping_error(&ndev->dev, phys)) ++ if (dma_mapping_error(priv->dev, phys)) + goto done; + priv->rx_buf[priv->rx_head] = buf; + priv->rx_phys[priv->rx_head] = phys; +@@ -642,9 +643,9 @@ static int hip04_mac_open(struct net_device *ndev) + for (i = 0; i < RX_DESC_NUM; i++) { + dma_addr_t phys; + +- phys = dma_map_single(&ndev->dev, priv->rx_buf[i], ++ phys = dma_map_single(priv->dev, priv->rx_buf[i], + RX_BUF_SIZE, DMA_FROM_DEVICE); +- if (dma_mapping_error(&ndev->dev, phys)) ++ if (dma_mapping_error(priv->dev, phys)) + return -EIO; + + priv->rx_phys[i] = phys; +@@ -678,7 +679,7 @@ static int hip04_mac_stop(struct net_device *ndev) + + for (i = 0; i < RX_DESC_NUM; i++) { + if (priv->rx_phys[i]) { +- dma_unmap_single(&ndev->dev, priv->rx_phys[i], ++ dma_unmap_single(priv->dev, priv->rx_phys[i], + RX_BUF_SIZE, DMA_FROM_DEVICE); + priv->rx_phys[i] = 0; + } +@@ -822,6 +823,7 @@ static int hip04_mac_probe(struct platform_device *pdev) + return -ENOMEM; + + priv = netdev_priv(ndev); ++ priv->dev = d; + priv->ndev = ndev; + platform_set_drvdata(pdev, ndev); + SET_NETDEV_DEV(ndev, &pdev->dev); +-- +2.20.1 + diff --git a/queue-4.19/net-hisilicon-fix-hip04-xmit-never-return-tx_busy.patch b/queue-4.19/net-hisilicon-fix-hip04-xmit-never-return-tx_busy.patch new file mode 100644 index 00000000000..89acba00151 --- /dev/null +++ b/queue-4.19/net-hisilicon-fix-hip04-xmit-never-return-tx_busy.patch @@ -0,0 +1,41 @@ +From 68813f28959baafdb8e8e9870601a5c2ccc01ac3 Mon Sep 17 00:00:00 2001 +From: Jiangfeng Xiao +Date: Sat, 3 Aug 2019 20:31:40 +0800 +Subject: net: hisilicon: fix hip04-xmit never return TX_BUSY + +[ Upstream commit f2243b82785942be519016067ee6c55a063bbfe2 ] + +TX_DESC_NUM is 256, in tx_count, the maximum value of +mod(TX_DESC_NUM - 1) is 254, the variable "count" in +the hip04_mac_start_xmit function is never equal to +(TX_DESC_NUM - 1), so hip04_mac_start_xmit never +return NETDEV_TX_BUSY. + +tx_count is modified to mod(TX_DESC_NUM) so that +the maximum value of tx_count can reach +(TX_DESC_NUM - 1), then hip04_mac_start_xmit can reurn +NETDEV_TX_BUSY. + +Signed-off-by: Jiangfeng Xiao +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hip04_eth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c +index 57c0afa25f9fb..fe3b1637fd5f4 100644 +--- a/drivers/net/ethernet/hisilicon/hip04_eth.c ++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c +@@ -185,7 +185,7 @@ struct hip04_priv { + + static inline unsigned int tx_count(unsigned int head, unsigned int tail) + { +- return (head - tail) % (TX_DESC_NUM - 1); ++ return (head - tail) % TX_DESC_NUM; + } + + static void hip04_config_port(struct net_device *ndev, u32 speed, u32 duplex) +-- +2.20.1 + diff --git a/queue-4.19/net-hisilicon-make-hip04_tx_reclaim-non-reentrant.patch b/queue-4.19/net-hisilicon-make-hip04_tx_reclaim-non-reentrant.patch new file mode 100644 index 00000000000..849cb23a2df --- /dev/null +++ b/queue-4.19/net-hisilicon-make-hip04_tx_reclaim-non-reentrant.patch @@ -0,0 +1,94 @@ +From 9bdea0bc1af54f29c0b7fb448e1f92828a327a63 Mon Sep 17 00:00:00 2001 +From: Jiangfeng Xiao +Date: Sat, 3 Aug 2019 20:31:39 +0800 +Subject: net: hisilicon: make hip04_tx_reclaim non-reentrant + +[ Upstream commit 1a2c070ae805910a853b4a14818481ed2e17c727 ] + +If hip04_tx_reclaim is interrupted while it is running +and then __napi_schedule continues to execute +hip04_rx_poll->hip04_tx_reclaim, reentrancy occurs +and oops is generated. So you need to mask the interrupt +during the hip04_tx_reclaim run. + +The kernel oops exception stack is as follows: + +Unable to handle kernel NULL pointer dereference +at virtual address 00000050 +pgd = c0003000 +[00000050] *pgd=80000000a04003, *pmd=00000000 +Internal error: Oops: 206 [#1] SMP ARM +Modules linked in: hip04_eth mtdblock mtd_blkdevs mtd +ohci_platform ehci_platform ohci_hcd ehci_hcd +vfat fat sd_mod usb_storage scsi_mod usbcore usb_common +CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 4.4.185 #1 +Hardware name: Hisilicon A15 +task: c0a250e0 task.stack: c0a00000 +PC is at hip04_tx_reclaim+0xe0/0x17c [hip04_eth] +LR is at hip04_tx_reclaim+0x30/0x17c [hip04_eth] +pc : [] lr : [] psr: 600e0313 +sp : c0a01d88 ip : 00000000 fp : c0601f9c +r10: 00000000 r9 : c3482380 r8 : 00000001 +r7 : 00000000 r6 : 000000e1 r5 : c3482000 r4 : 0000000c +r3 : f2209800 r2 : 00000000 r1 : 00000000 r0 : 00000000 +Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel +Control: 32c5387d Table: 03d28c80 DAC: 55555555 +Process swapper/0 (pid: 0, stack limit = 0xc0a00190) +Stack: (0xc0a01d88 to 0xc0a02000) +[] (hip04_tx_reclaim [hip04_eth]) from [] + (hip04_rx_poll+0x88/0x368 [hip04_eth]) +[] (hip04_rx_poll [hip04_eth]) from [] (net_rx_action+0x114/0x34c) +[] (net_rx_action) from [] (__do_softirq+0x218/0x318) +[] (__do_softirq) from [] (irq_exit+0x88/0xac) +[] (irq_exit) from [] (msa_irq_exit+0x11c/0x1d4) +[] (msa_irq_exit) from [] (__handle_domain_irq+0x110/0x148) +[] (__handle_domain_irq) from [] (gic_handle_irq+0xd4/0x118) +[] (gic_handle_irq) from [] (__irq_svc+0x40/0x58) +Exception stack(0xc0a01f30 to 0xc0a01f78) +1f20: c0ae8b40 00000000 00000000 00000000 +1f40: 00000002 ffffe000 c0601f9c 00000000 ffffffff c0a2257c c0a22440 c0831a38 +1f60: c0a01ec4 c0a01f80 c0203714 c0203718 600e0213 ffffffff +[] (__irq_svc) from [] (arch_cpu_idle+0x20/0x3c) +[] (arch_cpu_idle) from [] (cpu_startup_entry+0x244/0x29c) +[] (cpu_startup_entry) from [] (rest_init+0xc8/0x10c) +[] (rest_init) from [] (start_kernel+0x468/0x514) +Code: a40599e5 016086e2 018088e2 7660efe6 (503090e5) +---[ end trace 1db21d6d09c49d74 ]--- +Kernel panic - not syncing: Fatal exception in interrupt +CPU3: stopping +CPU: 3 PID: 0 Comm: swapper/3 Tainted: G D O 4.4.185 #1 + +Signed-off-by: Jiangfeng Xiao +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hip04_eth.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c +index 6127697ede120..57c0afa25f9fb 100644 +--- a/drivers/net/ethernet/hisilicon/hip04_eth.c ++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c +@@ -497,6 +497,9 @@ static int hip04_rx_poll(struct napi_struct *napi, int budget) + u16 len; + u32 err; + ++ /* clean up tx descriptors */ ++ tx_remaining = hip04_tx_reclaim(ndev, false); ++ + while (cnt && !last) { + buf = priv->rx_buf[priv->rx_head]; + skb = build_skb(buf, priv->rx_buf_size); +@@ -557,8 +560,7 @@ refill: + } + napi_complete_done(napi, rx); + done: +- /* clean up tx descriptors and start a new timer if necessary */ +- tx_remaining = hip04_tx_reclaim(ndev, false); ++ /* start a new timer if necessary */ + if (rx < budget && tx_remaining) + hip04_start_tx_timer(priv); + +-- +2.20.1 + diff --git a/queue-4.19/net-mvpp2-don-t-check-for-3-consecutive-idle-frames-.patch b/queue-4.19/net-mvpp2-don-t-check-for-3-consecutive-idle-frames-.patch new file mode 100644 index 00000000000..1ab12440d9e --- /dev/null +++ b/queue-4.19/net-mvpp2-don-t-check-for-3-consecutive-idle-frames-.patch @@ -0,0 +1,39 @@ +From 492b0949b435091565b595d0e4533514ce517e26 Mon Sep 17 00:00:00 2001 +From: Maxime Chevallier +Date: Fri, 19 Jul 2019 16:38:48 +0200 +Subject: net: mvpp2: Don't check for 3 consecutive Idle frames for 10G links + +[ Upstream commit bba18318e7d1d5c8b0bbafd65010a0cee3c65608 ] + +PPv2's XLGMAC can wait for 3 idle frames before triggering a link up +event. This can cause the link to be stuck low when there's traffic on +the interface, so disable this feature. + +Fixes: 4bb043262878 ("net: mvpp2: phylink support") +Signed-off-by: Maxime Chevallier +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +index 6455511457ca3..9b608d23ff7ee 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -4412,9 +4412,9 @@ static void mvpp2_xlg_config(struct mvpp2_port *port, unsigned int mode, + if (state->pause & MLO_PAUSE_RX) + ctrl0 |= MVPP22_XLG_CTRL0_RX_FLOW_CTRL_EN; + +- ctrl4 &= ~MVPP22_XLG_CTRL4_MACMODSELECT_GMAC; +- ctrl4 |= MVPP22_XLG_CTRL4_FWD_FC | MVPP22_XLG_CTRL4_FWD_PFC | +- MVPP22_XLG_CTRL4_EN_IDLE_CHECK; ++ ctrl4 &= ~(MVPP22_XLG_CTRL4_MACMODSELECT_GMAC | ++ MVPP22_XLG_CTRL4_EN_IDLE_CHECK); ++ ctrl4 |= MVPP22_XLG_CTRL4_FWD_FC | MVPP22_XLG_CTRL4_FWD_PFC; + + writel(ctrl0, port->base + MVPP22_XLG_CTRL0_REG); + writel(ctrl4, port->base + MVPP22_XLG_CTRL4_REG); +-- +2.20.1 + diff --git a/queue-4.19/net-phy-phy_led_triggers-fix-a-possible-null-pointer.patch b/queue-4.19/net-phy-phy_led_triggers-fix-a-possible-null-pointer.patch new file mode 100644 index 00000000000..88f67248789 --- /dev/null +++ b/queue-4.19/net-phy-phy_led_triggers-fix-a-possible-null-pointer.patch @@ -0,0 +1,48 @@ +From bc7b7b3369bf8cd6f96a671003c8ad1d22ad30c1 Mon Sep 17 00:00:00 2001 +From: Jia-Ju Bai +Date: Tue, 30 Jul 2019 16:08:13 +0800 +Subject: net: phy: phy_led_triggers: Fix a possible null-pointer dereference + in phy_led_trigger_change_speed() + +[ Upstream commit 271da132e29b5341c31eca6ba6a72ea1302ebac8 ] + +In phy_led_trigger_change_speed(), there is an if statement on line 48 +to check whether phy->last_triggered is NULL: + if (!phy->last_triggered) + +When phy->last_triggered is NULL, it is used on line 52: + led_trigger_event(&phy->last_triggered->trigger, LED_OFF); + +Thus, a possible null-pointer dereference may occur. + +To fix this bug, led_trigger_event(&phy->last_triggered->trigger, +LED_OFF) is called when phy->last_triggered is not NULL. + +This bug is found by a static analysis tool STCheck written by +the OSLAB group in Tsinghua University. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy_led_triggers.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/phy_led_triggers.c b/drivers/net/phy/phy_led_triggers.c +index 491efc1bf5c48..7278eca70f9f3 100644 +--- a/drivers/net/phy/phy_led_triggers.c ++++ b/drivers/net/phy/phy_led_triggers.c +@@ -58,8 +58,9 @@ void phy_led_trigger_change_speed(struct phy_device *phy) + if (!phy->last_triggered) + led_trigger_event(&phy->led_link_trigger->trigger, + LED_FULL); ++ else ++ led_trigger_event(&phy->last_triggered->trigger, LED_OFF); + +- led_trigger_event(&phy->last_triggered->trigger, LED_OFF); + led_trigger_event(&plt->trigger, LED_FULL); + phy->last_triggered = plt; + } +-- +2.20.1 + diff --git a/queue-4.19/net-stmmac-fix-issues-when-number-of-queues-4.patch b/queue-4.19/net-stmmac-fix-issues-when-number-of-queues-4.patch new file mode 100644 index 00000000000..d9eaf92abef --- /dev/null +++ b/queue-4.19/net-stmmac-fix-issues-when-number-of-queues-4.patch @@ -0,0 +1,67 @@ +From d37783abb074e3308f2b89b5ffd7ea8dee6cf7ee Mon Sep 17 00:00:00 2001 +From: Jose Abreu +Date: Tue, 6 Aug 2019 15:16:17 +0200 +Subject: net: stmmac: Fix issues when number of Queues >= 4 + +[ Upstream commit e8df7e8c233a18d2704e37ecff47583b494789d3 ] + +When queues >= 4 we use different registers but we were not subtracting +the offset of 4. Fix this. + +Found out by Coverity. + +Signed-off-by: Jose Abreu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 4 ++++ + drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 4 ++++ + 2 files changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +index d0e6e1503581f..48cf5e2b24417 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +@@ -88,6 +88,8 @@ static void dwmac4_rx_queue_priority(struct mac_device_info *hw, + u32 value; + + base_register = (queue < 4) ? GMAC_RXQ_CTRL2 : GMAC_RXQ_CTRL3; ++ if (queue >= 4) ++ queue -= 4; + + value = readl(ioaddr + base_register); + +@@ -105,6 +107,8 @@ static void dwmac4_tx_queue_priority(struct mac_device_info *hw, + u32 value; + + base_register = (queue < 4) ? GMAC_TXQ_PRTY_MAP0 : GMAC_TXQ_PRTY_MAP1; ++ if (queue >= 4) ++ queue -= 4; + + value = readl(ioaddr + base_register); + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c +index d182f82f7b586..870302a7177e2 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c +@@ -106,6 +106,8 @@ static void dwxgmac2_rx_queue_prio(struct mac_device_info *hw, u32 prio, + u32 value, reg; + + reg = (queue < 4) ? XGMAC_RXQ_CTRL2 : XGMAC_RXQ_CTRL3; ++ if (queue >= 4) ++ queue -= 4; + + value = readl(ioaddr + reg); + value &= ~XGMAC_PSRQ(queue); +@@ -169,6 +171,8 @@ static void dwxgmac2_map_mtl_to_dma(struct mac_device_info *hw, u32 queue, + u32 value, reg; + + reg = (queue < 4) ? XGMAC_MTL_RXQ_DMA_MAP0 : XGMAC_MTL_RXQ_DMA_MAP1; ++ if (queue >= 4) ++ queue -= 4; + + value = readl(ioaddr + reg); + value &= ~XGMAC_QxMDMACH(queue); +-- +2.20.1 + diff --git a/queue-4.19/net-stmmac-tc-do-not-return-a-fragment-entry.patch b/queue-4.19/net-stmmac-tc-do-not-return-a-fragment-entry.patch new file mode 100644 index 00000000000..c21fe56b685 --- /dev/null +++ b/queue-4.19/net-stmmac-tc-do-not-return-a-fragment-entry.patch @@ -0,0 +1,33 @@ +From 72f1b0c51253ee14e7720ebbdb21aa81c9290a50 Mon Sep 17 00:00:00 2001 +From: Jose Abreu +Date: Tue, 6 Aug 2019 15:16:18 +0200 +Subject: net: stmmac: tc: Do not return a fragment entry + +[ Upstream commit 4a6a1385a4db5f42258a40fcd497cbfd22075968 ] + +Do not try to return a fragment entry from TC list. Otherwise we may not +clean properly allocated entries. + +Signed-off-by: Jose Abreu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c +index 58ea18af9813a..37c0bc699cd9c 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c +@@ -37,7 +37,7 @@ static struct stmmac_tc_entry *tc_find_entry(struct stmmac_priv *priv, + entry = &priv->tc_entries[i]; + if (!entry->in_use && !first && free) + first = entry; +- if (entry->handle == loc && !free) ++ if ((entry->handle == loc) && !free && !entry->is_frag) + dup = entry; + } + +-- +2.20.1 + diff --git a/queue-4.19/net-usb-qmi_wwan-add-the-broadmobi-bm818-card.patch b/queue-4.19/net-usb-qmi_wwan-add-the-broadmobi-bm818-card.patch new file mode 100644 index 00000000000..9c89cbc77d9 --- /dev/null +++ b/queue-4.19/net-usb-qmi_wwan-add-the-broadmobi-bm818-card.patch @@ -0,0 +1,32 @@ +From 260e98d835e774df57966cfe8120dc3ab3c0d0ea Mon Sep 17 00:00:00 2001 +From: Bob Ham +Date: Wed, 24 Jul 2019 07:52:27 -0700 +Subject: net: usb: qmi_wwan: Add the BroadMobi BM818 card + +[ Upstream commit 9a07406b00cdc6ec689dc142540739575c717f3c ] + +The BroadMobi BM818 M.2 card uses the QMI protocol + +Signed-off-by: Bob Ham +Signed-off-by: Angus Ainslie (Purism) +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 128c8a327d8ee..51017c6bb3bcb 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1231,6 +1231,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x2001, 0x7e35, 4)}, /* D-Link DWM-222 */ + {QMI_FIXED_INTF(0x2020, 0x2031, 4)}, /* Olicard 600 */ + {QMI_FIXED_INTF(0x2020, 0x2033, 4)}, /* BroadMobi BM806U */ ++ {QMI_FIXED_INTF(0x2020, 0x2060, 4)}, /* BroadMobi BM818 */ + {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */ + {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */ + {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */ +-- +2.20.1 + diff --git a/queue-4.19/netfilter-ebtables-fix-a-memory-leak-bug-in-compat.patch b/queue-4.19/netfilter-ebtables-fix-a-memory-leak-bug-in-compat.patch new file mode 100644 index 00000000000..0da12a2b20b --- /dev/null +++ b/queue-4.19/netfilter-ebtables-fix-a-memory-leak-bug-in-compat.patch @@ -0,0 +1,44 @@ +From 4ca9a32e9f771390fc1ed3d087386c23a13e780a Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Sat, 20 Jul 2019 07:22:45 -0500 +Subject: netfilter: ebtables: fix a memory leak bug in compat + +[ Upstream commit 15a78ba1844a8e052c1226f930133de4cef4e7ad ] + +In compat_do_replace(), a temporary buffer is allocated through vmalloc() +to hold entries copied from the user space. The buffer address is firstly +saved to 'newinfo->entries', and later on assigned to 'entries_tmp'. Then +the entries in this temporary buffer is copied to the internal kernel +structure through compat_copy_entries(). If this copy process fails, +compat_do_replace() should be terminated. However, the allocated temporary +buffer is not freed on this path, leading to a memory leak. + +To fix the bug, free the buffer before returning from compat_do_replace(). + +Signed-off-by: Wenwen Wang +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/bridge/netfilter/ebtables.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index 995b3842ba7c0..62ffc989a44a2 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -2274,8 +2274,10 @@ static int compat_do_replace(struct net *net, void __user *user, + state.buf_kern_len = size64; + + ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state); +- if (WARN_ON(ret < 0)) ++ if (WARN_ON(ret < 0)) { ++ vfree(entries_tmp); + goto out_unlock; ++ } + + vfree(entries_tmp); + tmp.entries_size = size64; +-- +2.20.1 + diff --git a/queue-4.19/netfilter-ipset-actually-allow-destination-mac-addre.patch b/queue-4.19/netfilter-ipset-actually-allow-destination-mac-addre.patch new file mode 100644 index 00000000000..ed2e61cbf22 --- /dev/null +++ b/queue-4.19/netfilter-ipset-actually-allow-destination-mac-addre.patch @@ -0,0 +1,43 @@ +From 4c3b539cc966ab0d3815010942854994cc698469 Mon Sep 17 00:00:00 2001 +From: Stefano Brivio +Date: Mon, 24 Jun 2019 15:20:11 +0200 +Subject: netfilter: ipset: Actually allow destination MAC address for + hash:ip,mac sets too + +[ Upstream commit b89d15480d0cacacae1a0fe0b3da01b529f2914f ] + +In commit 8cc4ccf58379 ("ipset: Allow matching on destination MAC address +for mac and ipmac sets"), ipset.git commit 1543514c46a7, I removed the +KADT check that prevents matching on destination MAC addresses for +hash:mac sets, but forgot to remove the same check for hash:ip,mac set. + +Drop this check: functionality is now commented in man pages and there's +no reason to restrict to source MAC address matching anymore. + +Reported-by: Chen Yi +Fixes: 8cc4ccf58379 ("ipset: Allow matching on destination MAC address for mac and ipmac sets") +Signed-off-by: Stefano Brivio +Signed-off-by: Jozsef Kadlecsik +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_hash_ipmac.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/net/netfilter/ipset/ip_set_hash_ipmac.c b/net/netfilter/ipset/ip_set_hash_ipmac.c +index fd87de3ed55b3..75c21c8b76514 100644 +--- a/net/netfilter/ipset/ip_set_hash_ipmac.c ++++ b/net/netfilter/ipset/ip_set_hash_ipmac.c +@@ -95,10 +95,6 @@ hash_ipmac4_kadt(struct ip_set *set, const struct sk_buff *skb, + struct hash_ipmac4_elem e = { .ip = 0, { .foo[0] = 0, .foo[1] = 0 } }; + struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set); + +- /* MAC can be src only */ +- if (!(opt->flags & IPSET_DIM_TWO_SRC)) +- return 0; +- + if (skb_mac_header(skb) < skb->head || + (skb_mac_header(skb) + ETH_HLEN) > skb->data) + return -EINVAL; +-- +2.20.1 + diff --git a/queue-4.19/netfilter-ipset-copy-the-right-mac-address-in-bitmap.patch b/queue-4.19/netfilter-ipset-copy-the-right-mac-address-in-bitmap.patch new file mode 100644 index 00000000000..81c2456c393 --- /dev/null +++ b/queue-4.19/netfilter-ipset-copy-the-right-mac-address-in-bitmap.patch @@ -0,0 +1,87 @@ +From 8740c0fb04f9be195bf86f1963c4addb1fb1e083 Mon Sep 17 00:00:00 2001 +From: Stefano Brivio +Date: Mon, 24 Jun 2019 15:20:12 +0200 +Subject: netfilter: ipset: Copy the right MAC address in bitmap:ip,mac and + hash:ip,mac sets + +[ Upstream commit 1b4a75108d5bc153daf965d334e77e8e94534f96 ] + +In commit 8cc4ccf58379 ("ipset: Allow matching on destination MAC address +for mac and ipmac sets"), ipset.git commit 1543514c46a7, I added to the +KADT functions for sets matching on MAC addreses the copy of source or +destination MAC address depending on the configured match. + +This was done correctly for hash:mac, but for hash:ip,mac and +bitmap:ip,mac, copying and pasting the same code block presents an +obvious problem: in these two set types, the MAC address is the second +dimension, not the first one, and we are actually selecting the MAC +address depending on whether the first dimension (IP address) specifies +source or destination. + +Fix this by checking for the IPSET_DIM_TWO_SRC flag in option flags. + +This way, mixing source and destination matches for the two dimensions +of ip,mac set types works as expected. With this setup: + + ip netns add A + ip link add veth1 type veth peer name veth2 netns A + ip addr add 192.0.2.1/24 dev veth1 + ip -net A addr add 192.0.2.2/24 dev veth2 + ip link set veth1 up + ip -net A link set veth2 up + + dst=$(ip netns exec A cat /sys/class/net/veth2/address) + + ip netns exec A ipset create test_bitmap bitmap:ip,mac range 192.0.0.0/16 + ip netns exec A ipset add test_bitmap 192.0.2.1,${dst} + ip netns exec A iptables -A INPUT -m set ! --match-set test_bitmap src,dst -j DROP + + ip netns exec A ipset create test_hash hash:ip,mac + ip netns exec A ipset add test_hash 192.0.2.1,${dst} + ip netns exec A iptables -A INPUT -m set ! --match-set test_hash src,dst -j DROP + +ipset correctly matches a test packet: + + # ping -c1 192.0.2.2 >/dev/null + # echo $? + 0 + +Reported-by: Chen Yi +Fixes: 8cc4ccf58379 ("ipset: Allow matching on destination MAC address for mac and ipmac sets") +Signed-off-by: Stefano Brivio +Signed-off-by: Jozsef Kadlecsik +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_bitmap_ipmac.c | 2 +- + net/netfilter/ipset/ip_set_hash_ipmac.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c +index 13ade5782847b..4f01321e793ce 100644 +--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c ++++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c +@@ -230,7 +230,7 @@ bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb, + + e.id = ip_to_id(map, ip); + +- if (opt->flags & IPSET_DIM_ONE_SRC) ++ if (opt->flags & IPSET_DIM_TWO_SRC) + ether_addr_copy(e.ether, eth_hdr(skb)->h_source); + else + ether_addr_copy(e.ether, eth_hdr(skb)->h_dest); +diff --git a/net/netfilter/ipset/ip_set_hash_ipmac.c b/net/netfilter/ipset/ip_set_hash_ipmac.c +index 75c21c8b76514..16ec822e40447 100644 +--- a/net/netfilter/ipset/ip_set_hash_ipmac.c ++++ b/net/netfilter/ipset/ip_set_hash_ipmac.c +@@ -99,7 +99,7 @@ hash_ipmac4_kadt(struct ip_set *set, const struct sk_buff *skb, + (skb_mac_header(skb) + ETH_HLEN) > skb->data) + return -EINVAL; + +- if (opt->flags & IPSET_DIM_ONE_SRC) ++ if (opt->flags & IPSET_DIM_TWO_SRC) + ether_addr_copy(e.ether, eth_hdr(skb)->h_source); + else + ether_addr_copy(e.ether, eth_hdr(skb)->h_dest); +-- +2.20.1 + diff --git a/queue-4.19/netfilter-ipset-fix-rename-concurrency-with-listing.patch b/queue-4.19/netfilter-ipset-fix-rename-concurrency-with-listing.patch new file mode 100644 index 00000000000..a6db9df3529 --- /dev/null +++ b/queue-4.19/netfilter-ipset-fix-rename-concurrency-with-listing.patch @@ -0,0 +1,38 @@ +From 8ccb34e3dc214e20853f81fe446fc630961428ba Mon Sep 17 00:00:00 2001 +From: Jozsef Kadlecsik +Date: Tue, 23 Jul 2019 10:25:55 +0200 +Subject: netfilter: ipset: Fix rename concurrency with listing + +[ Upstream commit 6c1f7e2c1b96ab9b09ac97c4df2bd9dc327206f6 ] + +Shijie Luo reported that when stress-testing ipset with multiple concurrent +create, rename, flush, list, destroy commands, it can result + +ipset : Broken LIST kernel message: missing DATA part! + +error messages and broken list results. The problem was the rename operation +was not properly handled with respect of listing. The patch fixes the issue. + +Reported-by: Shijie Luo +Signed-off-by: Jozsef Kadlecsik +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c +index 1577f2f76060d..e2538c5786714 100644 +--- a/net/netfilter/ipset/ip_set_core.c ++++ b/net/netfilter/ipset/ip_set_core.c +@@ -1157,7 +1157,7 @@ static int ip_set_rename(struct net *net, struct sock *ctnl, + return -ENOENT; + + write_lock_bh(&ip_set_ref_lock); +- if (set->ref != 0) { ++ if (set->ref != 0 || set->ref_netlink != 0) { + ret = -IPSET_ERR_REFERENCED; + goto out; + } +-- +2.20.1 + diff --git a/queue-4.19/nfs-fix-regression-whereby-fscache-errors-are-appear.patch b/queue-4.19/nfs-fix-regression-whereby-fscache-errors-are-appear.patch new file mode 100644 index 00000000000..c5eef57debb --- /dev/null +++ b/queue-4.19/nfs-fix-regression-whereby-fscache-errors-are-appear.patch @@ -0,0 +1,86 @@ +From 61508e662998028641257e58fde2beda2548b3a5 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sat, 3 Aug 2019 13:39:24 -0400 +Subject: NFS: Fix regression whereby fscache errors are appearing on 'nofsc' + mounts + +[ Upstream commit dea1bb35c5f35e0577cfc61f79261d80b8715221 ] + +People are reporing seeing fscache errors being reported concerning +duplicate cookies even in cases where they are not setting up fscache +at all. The rule needs to be that if fscache is not enabled, then it +should have no side effects at all. + +To ensure this is the case, we disable fscache completely on all superblocks +for which the 'fsc' mount option was not set. In order to avoid issues +with '-oremount', we also disable the ability to turn fscache on via +remount. + +Fixes: f1fe29b4a02d ("NFS: Use i_writecount to control whether...") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=200145 +Signed-off-by: Trond Myklebust +Cc: Steve Dickson +Cc: David Howells +Signed-off-by: Sasha Levin +--- + fs/nfs/fscache.c | 7 ++++++- + fs/nfs/fscache.h | 2 +- + fs/nfs/super.c | 1 + + 3 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/fscache.c b/fs/nfs/fscache.c +index 4dc887813c71d..a7bc4e0494f92 100644 +--- a/fs/nfs/fscache.c ++++ b/fs/nfs/fscache.c +@@ -118,6 +118,10 @@ void nfs_fscache_get_super_cookie(struct super_block *sb, const char *uniq, int + struct rb_node **p, *parent; + int diff; + ++ nfss->fscache_key = NULL; ++ nfss->fscache = NULL; ++ if (!(nfss->options & NFS_OPTION_FSCACHE)) ++ return; + if (!uniq) { + uniq = ""; + ulen = 1; +@@ -230,10 +234,11 @@ void nfs_fscache_release_super_cookie(struct super_block *sb) + void nfs_fscache_init_inode(struct inode *inode) + { + struct nfs_fscache_inode_auxdata auxdata; ++ struct nfs_server *nfss = NFS_SERVER(inode); + struct nfs_inode *nfsi = NFS_I(inode); + + nfsi->fscache = NULL; +- if (!S_ISREG(inode->i_mode)) ++ if (!(nfss->fscache && S_ISREG(inode->i_mode))) + return; + + memset(&auxdata, 0, sizeof(auxdata)); +diff --git a/fs/nfs/fscache.h b/fs/nfs/fscache.h +index 161ba2edb9d04..6363ea9568581 100644 +--- a/fs/nfs/fscache.h ++++ b/fs/nfs/fscache.h +@@ -186,7 +186,7 @@ static inline void nfs_fscache_wait_on_invalidate(struct inode *inode) + */ + static inline const char *nfs_server_fscache_state(struct nfs_server *server) + { +- if (server->fscache && (server->options & NFS_OPTION_FSCACHE)) ++ if (server->fscache) + return "yes"; + return "no "; + } +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 6df9b85caf205..d90efdea9fbd6 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -2239,6 +2239,7 @@ nfs_compare_remount_data(struct nfs_server *nfss, + data->acdirmin != nfss->acdirmin / HZ || + data->acdirmax != nfss->acdirmax / HZ || + data->timeo != (10U * nfss->client->cl_timeout->to_initval / HZ) || ++ (data->options & NFS_OPTION_FSCACHE) != (nfss->options & NFS_OPTION_FSCACHE) || + data->nfs_server.port != nfss->port || + data->nfs_server.addrlen != nfss->nfs_client->cl_addrlen || + !rpc_cmp_addr((struct sockaddr *)&data->nfs_server.address, +-- +2.20.1 + diff --git a/queue-4.19/nfsv4-fix-a-potential-sleep-while-atomic-in-nfs4_do_.patch b/queue-4.19/nfsv4-fix-a-potential-sleep-while-atomic-in-nfs4_do_.patch new file mode 100644 index 00000000000..f77c58f452e --- /dev/null +++ b/queue-4.19/nfsv4-fix-a-potential-sleep-while-atomic-in-nfs4_do_.patch @@ -0,0 +1,142 @@ +From 8276c550c3a3fbb514fcaed66c2c60db3a942365 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sat, 3 Aug 2019 10:11:27 -0400 +Subject: NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim() + +[ Upstream commit c77e22834ae9a11891cb613bd9a551be1b94f2bc ] + +John Hubbard reports seeing the following stack trace: + +nfs4_do_reclaim + rcu_read_lock /* we are now in_atomic() and must not sleep */ + nfs4_purge_state_owners + nfs4_free_state_owner + nfs4_destroy_seqid_counter + rpc_destroy_wait_queue + cancel_delayed_work_sync + __cancel_work_timer + __flush_work + start_flush_work + might_sleep: + (kernel/workqueue.c:2975: BUG) + +The solution is to separate out the freeing of the state owners +from nfs4_purge_state_owners(), and perform that outside the atomic +context. + +Reported-by: John Hubbard +Fixes: 0aaaf5c424c7f ("NFS: Cache state owners after files are closed") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4_fs.h | 3 ++- + fs/nfs/nfs4client.c | 5 ++++- + fs/nfs/nfs4state.c | 27 ++++++++++++++++++++++----- + 3 files changed, 28 insertions(+), 7 deletions(-) + +diff --git a/fs/nfs/nfs4_fs.h b/fs/nfs/nfs4_fs.h +index 63287d911c088..5b61520dce888 100644 +--- a/fs/nfs/nfs4_fs.h ++++ b/fs/nfs/nfs4_fs.h +@@ -469,7 +469,8 @@ static inline void nfs4_schedule_session_recovery(struct nfs4_session *session, + + extern struct nfs4_state_owner *nfs4_get_state_owner(struct nfs_server *, struct rpc_cred *, gfp_t); + extern void nfs4_put_state_owner(struct nfs4_state_owner *); +-extern void nfs4_purge_state_owners(struct nfs_server *); ++extern void nfs4_purge_state_owners(struct nfs_server *, struct list_head *); ++extern void nfs4_free_state_owners(struct list_head *head); + extern struct nfs4_state * nfs4_get_open_state(struct inode *, struct nfs4_state_owner *); + extern void nfs4_put_open_state(struct nfs4_state *); + extern void nfs4_close_state(struct nfs4_state *, fmode_t); +diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c +index 8f53455c47653..86991bcfbeb12 100644 +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -754,9 +754,12 @@ out: + + static void nfs4_destroy_server(struct nfs_server *server) + { ++ LIST_HEAD(freeme); ++ + nfs_server_return_all_delegations(server); + unset_pnfs_layoutdriver(server); +- nfs4_purge_state_owners(server); ++ nfs4_purge_state_owners(server, &freeme); ++ nfs4_free_state_owners(&freeme); + } + + /* +diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c +index 3ba2087469ac8..c36ef75f2054b 100644 +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -628,24 +628,39 @@ void nfs4_put_state_owner(struct nfs4_state_owner *sp) + /** + * nfs4_purge_state_owners - Release all cached state owners + * @server: nfs_server with cached state owners to release ++ * @head: resulting list of state owners + * + * Called at umount time. Remaining state owners will be on + * the LRU with ref count of zero. ++ * Note that the state owners are not freed, but are added ++ * to the list @head, which can later be used as an argument ++ * to nfs4_free_state_owners. + */ +-void nfs4_purge_state_owners(struct nfs_server *server) ++void nfs4_purge_state_owners(struct nfs_server *server, struct list_head *head) + { + struct nfs_client *clp = server->nfs_client; + struct nfs4_state_owner *sp, *tmp; +- LIST_HEAD(doomed); + + spin_lock(&clp->cl_lock); + list_for_each_entry_safe(sp, tmp, &server->state_owners_lru, so_lru) { +- list_move(&sp->so_lru, &doomed); ++ list_move(&sp->so_lru, head); + nfs4_remove_state_owner_locked(sp); + } + spin_unlock(&clp->cl_lock); ++} + +- list_for_each_entry_safe(sp, tmp, &doomed, so_lru) { ++/** ++ * nfs4_purge_state_owners - Release all cached state owners ++ * @head: resulting list of state owners ++ * ++ * Frees a list of state owners that was generated by ++ * nfs4_purge_state_owners ++ */ ++void nfs4_free_state_owners(struct list_head *head) ++{ ++ struct nfs4_state_owner *sp, *tmp; ++ ++ list_for_each_entry_safe(sp, tmp, head, so_lru) { + list_del(&sp->so_lru); + nfs4_free_state_owner(sp); + } +@@ -1843,12 +1858,13 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov + struct nfs4_state_owner *sp; + struct nfs_server *server; + struct rb_node *pos; ++ LIST_HEAD(freeme); + int status = 0; + + restart: + rcu_read_lock(); + list_for_each_entry_rcu(server, &clp->cl_superblocks, client_link) { +- nfs4_purge_state_owners(server); ++ nfs4_purge_state_owners(server, &freeme); + spin_lock(&clp->cl_lock); + for (pos = rb_first(&server->state_owners); + pos != NULL; +@@ -1877,6 +1893,7 @@ restart: + spin_unlock(&clp->cl_lock); + } + rcu_read_unlock(); ++ nfs4_free_state_owners(&freeme); + return 0; + } + +-- +2.20.1 + diff --git a/queue-4.19/perf-bench-numa-fix-cpu0-binding.patch b/queue-4.19/perf-bench-numa-fix-cpu0-binding.patch new file mode 100644 index 00000000000..91d816d95a5 --- /dev/null +++ b/queue-4.19/perf-bench-numa-fix-cpu0-binding.patch @@ -0,0 +1,57 @@ +From 69a79a28a76ecd3c38fca82c704e8a51f390baf0 Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Thu, 1 Aug 2019 16:26:42 +0200 +Subject: perf bench numa: Fix cpu0 binding + +[ Upstream commit 6bbfe4e602691b90ac866712bd4c43c51e546a60 ] + +Michael reported an issue with perf bench numa failing with binding to +cpu0 with '-0' option. + + # perf bench numa mem -p 3 -t 1 -P 512 -s 100 -zZcm0 --thp 1 -M 1 -ddd + # Running 'numa/mem' benchmark: + + # Running main, "perf bench numa numa-mem -p 3 -t 1 -P 512 -s 100 -zZcm0 --thp 1 -M 1 -ddd" + binding to node 0, mask: 0000000000000001 => -1 + perf: bench/numa.c:356: bind_to_memnode: Assertion `!(ret)' failed. + Aborted (core dumped) + +This happens when the cpu0 is not part of node0, which is the benchmark +assumption and we can see that's not the case for some powerpc servers. + +Using correct node for cpu0 binding. + +Reported-by: Michael Petlan +Signed-off-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Satheesh Rajendran +Link: http://lkml.kernel.org/r/20190801142642.28004-1-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/bench/numa.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/bench/numa.c b/tools/perf/bench/numa.c +index fa56fde6e8d80..91c0a4434da27 100644 +--- a/tools/perf/bench/numa.c ++++ b/tools/perf/bench/numa.c +@@ -378,8 +378,10 @@ static u8 *alloc_data(ssize_t bytes0, int map_flags, + + /* Allocate and initialize all memory on CPU#0: */ + if (init_cpu0) { +- orig_mask = bind_to_node(0); +- bind_to_memnode(0); ++ int node = numa_node_of_cpu(0); ++ ++ orig_mask = bind_to_node(node); ++ bind_to_memnode(node); + } + + bytes = bytes0 + HPSIZE; +-- +2.20.1 + diff --git a/queue-4.19/perf-cpumap-fix-writing-to-illegal-memory-in-handlin.patch b/queue-4.19/perf-cpumap-fix-writing-to-illegal-memory-in-handlin.patch new file mode 100644 index 00000000000..b8678adcc7c --- /dev/null +++ b/queue-4.19/perf-cpumap-fix-writing-to-illegal-memory-in-handlin.patch @@ -0,0 +1,48 @@ +From c6c4954b1a2de4b669ab03a130da5997c051f53c Mon Sep 17 00:00:00 2001 +From: He Zhe +Date: Fri, 2 Aug 2019 16:29:52 +0800 +Subject: perf cpumap: Fix writing to illegal memory in handling cpumap mask + +[ Upstream commit 5f5e25f1c7933a6e1673515c0b1d5acd82fea1ed ] + +cpu_map__snprint_mask() would write to illegal memory pointed by +zalloc(0) when there is only one cpu. + +This patch fixes the calculation and adds sanity check against the input +parameters. + +Signed-off-by: He Zhe +Cc: Alexander Shishkin +Cc: Alexey Budankov +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Stephane Eranian +Fixes: 4400ac8a9a90 ("perf cpumap: Introduce cpu_map__snprint_mask()") +Link: http://lkml.kernel.org/r/1564734592-15624-2-git-send-email-zhe.he@windriver.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/cpumap.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/cpumap.c b/tools/perf/util/cpumap.c +index 383674f448fcd..f93846edc1e0d 100644 +--- a/tools/perf/util/cpumap.c ++++ b/tools/perf/util/cpumap.c +@@ -701,7 +701,10 @@ size_t cpu_map__snprint_mask(struct cpu_map *map, char *buf, size_t size) + unsigned char *bitmap; + int last_cpu = cpu_map__cpu(map, map->nr - 1); + +- bitmap = zalloc((last_cpu + 7) / 8); ++ if (buf == NULL) ++ return 0; ++ ++ bitmap = zalloc(last_cpu / 8 + 1); + if (bitmap == NULL) { + buf[0] = '\0'; + return 0; +-- +2.20.1 + diff --git a/queue-4.19/perf-ftrace-fix-failure-to-set-cpumask-when-only-one.patch b/queue-4.19/perf-ftrace-fix-failure-to-set-cpumask-when-only-one.patch new file mode 100644 index 00000000000..f2887473594 --- /dev/null +++ b/queue-4.19/perf-ftrace-fix-failure-to-set-cpumask-when-only-one.patch @@ -0,0 +1,52 @@ +From cd1dffd4eb4b422e6fd2f8279b62c1dd5d388573 Mon Sep 17 00:00:00 2001 +From: He Zhe +Date: Fri, 2 Aug 2019 16:29:51 +0800 +Subject: perf ftrace: Fix failure to set cpumask when only one cpu is present + +[ Upstream commit cf30ae726c011e0372fd4c2d588466c8b50a8907 ] + +The buffer containing the string used to set cpumask is overwritten at +the end of the string later in cpu_map__snprint_mask due to not enough +memory space, when there is only one cpu. + +And thus causes the following failure: + + $ perf ftrace ls + failed to reset ftrace + $ + +This patch fixes the calculation of the cpumask string size. + +Signed-off-by: He Zhe +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Alexey Budankov +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Stephane Eranian +Fixes: dc23103278c5 ("perf ftrace: Add support for -a and -C option") +Link: http://lkml.kernel.org/r/1564734592-15624-1-git-send-email-zhe.he@windriver.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-ftrace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-ftrace.c b/tools/perf/builtin-ftrace.c +index f42f228e88992..137955197ba8d 100644 +--- a/tools/perf/builtin-ftrace.c ++++ b/tools/perf/builtin-ftrace.c +@@ -174,7 +174,7 @@ static int set_tracing_cpumask(struct cpu_map *cpumap) + int last_cpu; + + last_cpu = cpu_map__cpu(cpumap, cpumap->nr - 1); +- mask_size = (last_cpu + 3) / 4 + 1; ++ mask_size = last_cpu / 4 + 2; /* one more byte for EOS */ + mask_size += last_cpu / 32; /* ',' is needed for every 32th cpus */ + + cpumask = malloc(mask_size); +-- +2.20.1 + diff --git a/queue-4.19/perf-pmu-events-fix-missing-cpu_clk_unhalted.core-ev.patch b/queue-4.19/perf-pmu-events-fix-missing-cpu_clk_unhalted.core-ev.patch new file mode 100644 index 00000000000..bb225904814 --- /dev/null +++ b/queue-4.19/perf-pmu-events-fix-missing-cpu_clk_unhalted.core-ev.patch @@ -0,0 +1,64 @@ +From b9ce35f68b4ae690669f066917d97e2100a5d190 Mon Sep 17 00:00:00 2001 +From: Jin Yao +Date: Mon, 29 Jul 2019 15:27:55 +0800 +Subject: perf pmu-events: Fix missing "cpu_clk_unhalted.core" event + +[ Upstream commit 8e6e5bea2e34c61291d00cb3f47560341aa84bc3 ] + +The events defined in pmu-events JSON are parsed and added into perf +tool. For fixed counters, we handle the encodings between JSON and perf +by using a static array fixed[]. + +But the fixed[] has missed an important event "cpu_clk_unhalted.core". + +For example, on the Tremont platform, + + [root@localhost ~]# perf stat -e cpu_clk_unhalted.core -a + event syntax error: 'cpu_clk_unhalted.core' + \___ parser error + +With this patch, the event cpu_clk_unhalted.core can be parsed. + + [root@localhost perf]# ./perf stat -e cpu_clk_unhalted.core -a -vvv + ------------------------------------------------------------ + perf_event_attr: + type 4 + size 112 + config 0x3c + sample_type IDENTIFIER + read_format TOTAL_TIME_ENABLED|TOTAL_TIME_RUNNING + disabled 1 + inherit 1 + exclude_guest 1 + ------------------------------------------------------------ +... + +Signed-off-by: Jin Yao +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Jin Yao +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20190729072755.2166-1-yao.jin@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/pmu-events/jevents.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/perf/pmu-events/jevents.c b/tools/perf/pmu-events/jevents.c +index 68c92bb599eef..6b36b71106695 100644 +--- a/tools/perf/pmu-events/jevents.c ++++ b/tools/perf/pmu-events/jevents.c +@@ -450,6 +450,7 @@ static struct fixed { + { "inst_retired.any_p", "event=0xc0" }, + { "cpu_clk_unhalted.ref", "event=0x0,umask=0x03" }, + { "cpu_clk_unhalted.thread", "event=0x3c" }, ++ { "cpu_clk_unhalted.core", "event=0x3c" }, + { "cpu_clk_unhalted.thread_any", "event=0x3c,any=1" }, + { NULL, NULL}, + }; +-- +2.20.1 + diff --git a/queue-4.19/qed-rdma-fix-the-hw_ver-returned-in-device-attribute.patch b/queue-4.19/qed-rdma-fix-the-hw_ver-returned-in-device-attribute.patch new file mode 100644 index 00000000000..05253b6d37c --- /dev/null +++ b/queue-4.19/qed-rdma-fix-the-hw_ver-returned-in-device-attribute.patch @@ -0,0 +1,33 @@ +From 05acc884c82d9b052c5331e7ceef27eaa423125a Mon Sep 17 00:00:00 2001 +From: Michal Kalderon +Date: Thu, 25 Jul 2019 13:59:55 +0300 +Subject: qed: RDMA - Fix the hw_ver returned in device attributes + +[ Upstream commit 81af04b432fdfabcdbd2c06be2ee647e3ca41a22 ] + +The hw_ver field was initialized to zero. Return the chip revision. +This is relevant for rdma driver. + +Signed-off-by: Michal Kalderon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_rdma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_rdma.c b/drivers/net/ethernet/qlogic/qed/qed_rdma.c +index 13802b825d65a..909422d939033 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_rdma.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_rdma.c +@@ -442,7 +442,7 @@ static void qed_rdma_init_devinfo(struct qed_hwfn *p_hwfn, + /* Vendor specific information */ + dev->vendor_id = cdev->vendor_id; + dev->vendor_part_id = cdev->device_id; +- dev->hw_ver = 0; ++ dev->hw_ver = cdev->chip_rev; + dev->fw_ver = (FW_MAJOR_VERSION << 24) | (FW_MINOR_VERSION << 16) | + (FW_REVISION_VERSION << 8) | (FW_ENGINEERING_VERSION); + +-- +2.20.1 + diff --git a/queue-4.19/rxrpc-fix-potential-deadlock.patch b/queue-4.19/rxrpc-fix-potential-deadlock.patch new file mode 100644 index 00000000000..23a430720ae --- /dev/null +++ b/queue-4.19/rxrpc-fix-potential-deadlock.patch @@ -0,0 +1,106 @@ +From b50e0584e73e8505334d2da52f9a81d532f6f9e9 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Tue, 30 Jul 2019 14:42:50 +0100 +Subject: rxrpc: Fix potential deadlock + +[ Upstream commit 60034d3d146b11922ab1db613bce062dddc0327a ] + +There is a potential deadlock in rxrpc_peer_keepalive_dispatch() whereby +rxrpc_put_peer() is called with the peer_hash_lock held, but if it reduces +the peer's refcount to 0, rxrpc_put_peer() calls __rxrpc_put_peer() - which +the tries to take the already held lock. + +Fix this by providing a version of rxrpc_put_peer() that can be called in +situations where the lock is already held. + +The bug may produce the following lockdep report: + +============================================ +WARNING: possible recursive locking detected +5.2.0-next-20190718 #41 Not tainted +-------------------------------------------- +kworker/0:3/21678 is trying to acquire lock: +00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at: spin_lock_bh +/./include/linux/spinlock.h:343 [inline] +00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at: +__rxrpc_put_peer /net/rxrpc/peer_object.c:415 [inline] +00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at: +rxrpc_put_peer+0x2d3/0x6a0 /net/rxrpc/peer_object.c:435 + +but task is already holding lock: +00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at: spin_lock_bh +/./include/linux/spinlock.h:343 [inline] +00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at: +rxrpc_peer_keepalive_dispatch /net/rxrpc/peer_event.c:378 [inline] +00000000aa5eecdf (&(&rxnet->peer_hash_lock)->rlock){+.-.}, at: +rxrpc_peer_keepalive_worker+0x6b3/0xd02 /net/rxrpc/peer_event.c:430 + +Fixes: 330bdcfadcee ("rxrpc: Fix the keepalive generator [ver #2]") +Reported-by: syzbot+72af434e4b3417318f84@syzkaller.appspotmail.com +Signed-off-by: David Howells +Reviewed-by: Marc Dionne +Reviewed-by: Jeffrey Altman +Signed-off-by: Sasha Levin +--- + net/rxrpc/ar-internal.h | 1 + + net/rxrpc/peer_event.c | 2 +- + net/rxrpc/peer_object.c | 18 ++++++++++++++++++ + 3 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h +index 03e0fc8c183f0..a4c341828b72f 100644 +--- a/net/rxrpc/ar-internal.h ++++ b/net/rxrpc/ar-internal.h +@@ -1057,6 +1057,7 @@ void rxrpc_destroy_all_peers(struct rxrpc_net *); + struct rxrpc_peer *rxrpc_get_peer(struct rxrpc_peer *); + struct rxrpc_peer *rxrpc_get_peer_maybe(struct rxrpc_peer *); + void rxrpc_put_peer(struct rxrpc_peer *); ++void rxrpc_put_peer_locked(struct rxrpc_peer *); + + /* + * proc.c +diff --git a/net/rxrpc/peer_event.c b/net/rxrpc/peer_event.c +index bd2fa3b7caa7e..dc7fdaf20445b 100644 +--- a/net/rxrpc/peer_event.c ++++ b/net/rxrpc/peer_event.c +@@ -375,7 +375,7 @@ static void rxrpc_peer_keepalive_dispatch(struct rxrpc_net *rxnet, + spin_lock_bh(&rxnet->peer_hash_lock); + list_add_tail(&peer->keepalive_link, + &rxnet->peer_keepalive[slot & mask]); +- rxrpc_put_peer(peer); ++ rxrpc_put_peer_locked(peer); + } + + spin_unlock_bh(&rxnet->peer_hash_lock); +diff --git a/net/rxrpc/peer_object.c b/net/rxrpc/peer_object.c +index 5691b7d266ca0..71547e8673b99 100644 +--- a/net/rxrpc/peer_object.c ++++ b/net/rxrpc/peer_object.c +@@ -440,6 +440,24 @@ void rxrpc_put_peer(struct rxrpc_peer *peer) + } + } + ++/* ++ * Drop a ref on a peer record where the caller already holds the ++ * peer_hash_lock. ++ */ ++void rxrpc_put_peer_locked(struct rxrpc_peer *peer) ++{ ++ const void *here = __builtin_return_address(0); ++ int n; ++ ++ n = atomic_dec_return(&peer->usage); ++ trace_rxrpc_peer(peer, rxrpc_peer_put, n, here); ++ if (n == 0) { ++ hash_del_rcu(&peer->hash_link); ++ list_del_init(&peer->keepalive_link); ++ kfree_rcu(peer, rcu); ++ } ++} ++ + /* + * Make sure all peer records have been discarded. + */ +-- +2.20.1 + diff --git a/queue-4.19/rxrpc-fix-the-lack-of-notification-when-sendmsg-fail.patch b/queue-4.19/rxrpc-fix-the-lack-of-notification-when-sendmsg-fail.patch new file mode 100644 index 00000000000..8f4367901a8 --- /dev/null +++ b/queue-4.19/rxrpc-fix-the-lack-of-notification-when-sendmsg-fail.patch @@ -0,0 +1,47 @@ +From dc2b19d308af6ef7a3cd90e0ce4d198c1f1557a7 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Tue, 30 Jul 2019 14:42:50 +0100 +Subject: rxrpc: Fix the lack of notification when sendmsg() fails on a DATA + packet + +[ Upstream commit c69565ee6681e151e2bb80502930a16e04b553d1 ] + +Fix the fact that a notification isn't sent to the recvmsg side to indicate +a call failed when sendmsg() fails to transmit a DATA packet with the error +ENETUNREACH, EHOSTUNREACH or ECONNREFUSED. + +Without this notification, the afs client just sits there waiting for the +call to complete in some manner (which it's not now going to do), which +also pins the rxrpc call in place. + +This can be seen if the client has a scope-level IPv6 address, but not a +global-level IPv6 address, and we try and transmit an operation to a +server's IPv6 address. + +Looking in /proc/net/rxrpc/calls shows completed calls just sat there with +an abort code of RX_USER_ABORT and an error code of -ENETUNREACH. + +Fixes: c54e43d752c7 ("rxrpc: Fix missing start of call timeout") +Signed-off-by: David Howells +Reviewed-by: Marc Dionne +Reviewed-by: Jeffrey Altman +Signed-off-by: Sasha Levin +--- + net/rxrpc/sendmsg.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c +index be01f9c5d963d..5d6ab4f6fd7ab 100644 +--- a/net/rxrpc/sendmsg.c ++++ b/net/rxrpc/sendmsg.c +@@ -230,6 +230,7 @@ static void rxrpc_queue_packet(struct rxrpc_sock *rx, struct rxrpc_call *call, + rxrpc_set_call_completion(call, + RXRPC_CALL_LOCAL_ERROR, + 0, ret); ++ rxrpc_notify_socket(call); + goto out; + } + _debug("need instant resend %d", ret); +-- +2.20.1 + diff --git a/queue-4.19/s390-put-_stext-and-_etext-into-.text-section.patch b/queue-4.19/s390-put-_stext-and-_etext-into-.text-section.patch new file mode 100644 index 00000000000..a382542a8c7 --- /dev/null +++ b/queue-4.19/s390-put-_stext-and-_etext-into-.text-section.patch @@ -0,0 +1,57 @@ +From dad39ec36889db758045411e204bcf89eaa7af90 Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Mon, 5 Aug 2019 14:25:16 +0200 +Subject: s390: put _stext and _etext into .text section + +[ Upstream commit 24350fdadbdec780406a1ef988e6cd3875e374a8 ] + +Perf relies on _etext and _stext symbols being one of 't', 'T', 'v' or +'V'. Put them into .text section to guarantee that. + +Also moves padding to page boundary inside .text which has an effect that +.text section is now padded with nops rather than 0's, which apparently +has been the initial intention for specifying 0x0700 fill expression. + +Reported-by: Thomas Richter +Tested-by: Thomas Richter +Suggested-by: Andreas Krebbel +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/vmlinux.lds.S | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/arch/s390/kernel/vmlinux.lds.S b/arch/s390/kernel/vmlinux.lds.S +index b43f8d33a3697..18ede6e806b91 100644 +--- a/arch/s390/kernel/vmlinux.lds.S ++++ b/arch/s390/kernel/vmlinux.lds.S +@@ -31,10 +31,9 @@ PHDRS { + SECTIONS + { + . = 0x100000; +- _stext = .; /* Start of text section */ + .text : { +- /* Text and read-only data */ +- _text = .; ++ _stext = .; /* Start of text section */ ++ _text = .; /* Text and read-only data */ + HEAD_TEXT + TEXT_TEXT + SCHED_TEXT +@@ -46,11 +45,10 @@ SECTIONS + *(.text.*_indirect_*) + *(.fixup) + *(.gnu.warning) ++ . = ALIGN(PAGE_SIZE); ++ _etext = .; /* End of text section */ + } :text = 0x0700 + +- . = ALIGN(PAGE_SIZE); +- _etext = .; /* End of text section */ +- + NOTES :text :note + + .dummy : { *(.dummy) } :data +-- +2.20.1 + diff --git a/queue-4.19/selftests-bpf-fix-sendmsg6_prog-on-s390.patch b/queue-4.19/selftests-bpf-fix-sendmsg6_prog-on-s390.patch new file mode 100644 index 00000000000..cafa0a8d2c2 --- /dev/null +++ b/queue-4.19/selftests-bpf-fix-sendmsg6_prog-on-s390.patch @@ -0,0 +1,40 @@ +From 1fac94fdf11850cc5d96bda26e6631689172058c Mon Sep 17 00:00:00 2001 +From: Ilya Leoshkevich +Date: Fri, 19 Jul 2019 11:06:11 +0200 +Subject: selftests/bpf: fix sendmsg6_prog on s390 + +[ Upstream commit c8eee4135a456bc031d67cadc454e76880d1afd8 ] + +"sendmsg6: rewrite IP & port (C)" fails on s390, because the code in +sendmsg_v6_prog() assumes that (ctx->user_ip6[0] & 0xFFFF) refers to +leading IPv6 address digits, which is not the case on big-endian +machines. + +Since checking bitwise operations doesn't seem to be the point of the +test, replace two short comparisons with a single int comparison. + +Signed-off-by: Ilya Leoshkevich +Acked-by: Andrey Ignatov +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/sendmsg6_prog.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/bpf/sendmsg6_prog.c b/tools/testing/selftests/bpf/sendmsg6_prog.c +index 5aeaa284fc474..a680628204108 100644 +--- a/tools/testing/selftests/bpf/sendmsg6_prog.c ++++ b/tools/testing/selftests/bpf/sendmsg6_prog.c +@@ -41,8 +41,7 @@ int sendmsg_v6_prog(struct bpf_sock_addr *ctx) + } + + /* Rewrite destination. */ +- if ((ctx->user_ip6[0] & 0xFFFF) == bpf_htons(0xFACE) && +- ctx->user_ip6[0] >> 16 == bpf_htons(0xB00C)) { ++ if (ctx->user_ip6[0] == bpf_htonl(0xFACEB00C)) { + ctx->user_ip6[0] = bpf_htonl(DST_REWRITE_IP6_0); + ctx->user_ip6[1] = bpf_htonl(DST_REWRITE_IP6_1); + ctx->user_ip6[2] = bpf_htonl(DST_REWRITE_IP6_2); +-- +2.20.1 + diff --git a/queue-4.19/selftests-forwarding-gre_multipath-enable-ipv4-forwa.patch b/queue-4.19/selftests-forwarding-gre_multipath-enable-ipv4-forwa.patch new file mode 100644 index 00000000000..e6309292db2 --- /dev/null +++ b/queue-4.19/selftests-forwarding-gre_multipath-enable-ipv4-forwa.patch @@ -0,0 +1,44 @@ +From fa13fc596460662699485768524b010a21f0acee Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Tue, 23 Jul 2019 11:19:25 +0300 +Subject: selftests: forwarding: gre_multipath: Enable IPv4 forwarding + +[ Upstream commit efa7b79f675da0efafe3f32ba0d6efe916cf4867 ] + +The test did not enable IPv4 forwarding during its setup phase, which +causes the test to fail on machines where IPv4 forwarding is disabled. + +Fixes: 54818c4c4b93 ("selftests: forwarding: Test multipath tunneling") +Signed-off-by: Ido Schimmel +Reported-by: Stephen Suryaputra +Tested-by: Stephen Suryaputra +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/forwarding/gre_multipath.sh | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/testing/selftests/net/forwarding/gre_multipath.sh b/tools/testing/selftests/net/forwarding/gre_multipath.sh +index cca2baa03fb81..37d7297e1cf8a 100755 +--- a/tools/testing/selftests/net/forwarding/gre_multipath.sh ++++ b/tools/testing/selftests/net/forwarding/gre_multipath.sh +@@ -187,12 +187,16 @@ setup_prepare() + sw1_create + sw2_create + h2_create ++ ++ forwarding_enable + } + + cleanup() + { + pre_cleanup + ++ forwarding_restore ++ + h2_destroy + sw2_destroy + sw1_destroy +-- +2.20.1 + diff --git a/queue-4.19/selftests-forwarding-gre_multipath-fix-flower-filter.patch b/queue-4.19/selftests-forwarding-gre_multipath-fix-flower-filter.patch new file mode 100644 index 00000000000..d3a2e100a2b --- /dev/null +++ b/queue-4.19/selftests-forwarding-gre_multipath-fix-flower-filter.patch @@ -0,0 +1,91 @@ +From 429ea4df794d58bfc7c709755deca28dbe28ab45 Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Tue, 23 Jul 2019 11:19:26 +0300 +Subject: selftests: forwarding: gre_multipath: Fix flower filters + +[ Upstream commit 1be79d89b7ae96e004911bd228ce8c2b5cc6415f ] + +The TC filters used in the test do not work with veth devices because the +outer Ethertype is 802.1Q and not IPv4. The test passes with mlxsw +netdevs since the hardware always looks at "The first Ethertype that +does not point to either: VLAN, CNTAG or configurable Ethertype". + +Fix this by matching on the VLAN ID instead, but on the ingress side. +The reason why this is not performed at egress is explained in the +commit cited below. + +Fixes: 541ad323db3a ("selftests: forwarding: gre_multipath: Update next-hop statistics match criteria") +Signed-off-by: Ido Schimmel +Reported-by: Stephen Suryaputra +Tested-by: Stephen Suryaputra +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../selftests/net/forwarding/gre_multipath.sh | 24 +++++++++---------- + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/tools/testing/selftests/net/forwarding/gre_multipath.sh b/tools/testing/selftests/net/forwarding/gre_multipath.sh +index 37d7297e1cf8a..a8d8e8b3dc819 100755 +--- a/tools/testing/selftests/net/forwarding/gre_multipath.sh ++++ b/tools/testing/selftests/net/forwarding/gre_multipath.sh +@@ -93,18 +93,10 @@ sw1_create() + ip route add vrf v$ol1 192.0.2.16/28 \ + nexthop dev g1a \ + nexthop dev g1b +- +- tc qdisc add dev $ul1 clsact +- tc filter add dev $ul1 egress pref 111 prot ipv4 \ +- flower dst_ip 192.0.2.66 action pass +- tc filter add dev $ul1 egress pref 222 prot ipv4 \ +- flower dst_ip 192.0.2.82 action pass + } + + sw1_destroy() + { +- tc qdisc del dev $ul1 clsact +- + ip route del vrf v$ol1 192.0.2.16/28 + + ip route del vrf v$ol1 192.0.2.82/32 via 192.0.2.146 +@@ -139,10 +131,18 @@ sw2_create() + ip route add vrf v$ol2 192.0.2.0/28 \ + nexthop dev g2a \ + nexthop dev g2b ++ ++ tc qdisc add dev $ul2 clsact ++ tc filter add dev $ul2 ingress pref 111 prot 802.1Q \ ++ flower vlan_id 111 action pass ++ tc filter add dev $ul2 ingress pref 222 prot 802.1Q \ ++ flower vlan_id 222 action pass + } + + sw2_destroy() + { ++ tc qdisc del dev $ul2 clsact ++ + ip route del vrf v$ol2 192.0.2.0/28 + + ip route del vrf v$ol2 192.0.2.81/32 via 192.0.2.145 +@@ -215,15 +215,15 @@ multipath4_test() + nexthop dev g1a weight $weight1 \ + nexthop dev g1b weight $weight2 + +- local t0_111=$(tc_rule_stats_get $ul1 111 egress) +- local t0_222=$(tc_rule_stats_get $ul1 222 egress) ++ local t0_111=$(tc_rule_stats_get $ul2 111 ingress) ++ local t0_222=$(tc_rule_stats_get $ul2 222 ingress) + + ip vrf exec v$h1 \ + $MZ $h1 -q -p 64 -A 192.0.2.1 -B 192.0.2.18 \ + -d 1msec -t udp "sp=1024,dp=0-32768" + +- local t1_111=$(tc_rule_stats_get $ul1 111 egress) +- local t1_222=$(tc_rule_stats_get $ul1 222 egress) ++ local t1_111=$(tc_rule_stats_get $ul2 111 ingress) ++ local t1_222=$(tc_rule_stats_get $ul2 222 ingress) + + local d111=$((t1_111 - t0_111)) + local d222=$((t1_222 - t0_222)) +-- +2.20.1 + diff --git a/queue-4.19/selftests-kvm-adding-config-fragments.patch b/queue-4.19/selftests-kvm-adding-config-fragments.patch new file mode 100644 index 00000000000..86e3c5d93bb --- /dev/null +++ b/queue-4.19/selftests-kvm-adding-config-fragments.patch @@ -0,0 +1,30 @@ +From 5067de95997d402b1a6352ec3f9732cf56504061 Mon Sep 17 00:00:00 2001 +From: Naresh Kamboju +Date: Wed, 7 Aug 2019 13:58:14 +0000 +Subject: selftests: kvm: Adding config fragments + +[ Upstream commit c096397c78f766db972f923433031f2dec01cae0 ] + +selftests kvm test cases need pre-required kernel configs for the test +to get pass. + +Signed-off-by: Naresh Kamboju +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kvm/config | 3 +++ + 1 file changed, 3 insertions(+) + create mode 100644 tools/testing/selftests/kvm/config + +diff --git a/tools/testing/selftests/kvm/config b/tools/testing/selftests/kvm/config +new file mode 100644 +index 0000000000000..63ed533f73d6e +--- /dev/null ++++ b/tools/testing/selftests/kvm/config +@@ -0,0 +1,3 @@ ++CONFIG_KVM=y ++CONFIG_KVM_INTEL=y ++CONFIG_KVM_AMD=y +-- +2.20.1 + diff --git a/queue-4.19/series b/queue-4.19/series new file mode 100644 index 00000000000..b91259e2c69 --- /dev/null +++ b/queue-4.19/series @@ -0,0 +1,58 @@ +hid-add-044f-b320-thrustmaster-inc.-2-in-1-dt.patch +mips-kernel-only-use-i8253-clocksource-with-periodic.patch +mips-fix-cacheinfo.patch +netfilter-ebtables-fix-a-memory-leak-bug-in-compat.patch +asoc-dapm-fix-handling-of-custom_stop_condition-on-d.patch +selftests-bpf-fix-sendmsg6_prog-on-s390.patch +bonding-force-slave-speed-check-after-link-state-rec.patch +net-mvpp2-don-t-check-for-3-consecutive-idle-frames-.patch +selftests-forwarding-gre_multipath-enable-ipv4-forwa.patch +selftests-forwarding-gre_multipath-fix-flower-filter.patch +can-dev-call-netif_carrier_off-in-register_candev.patch +can-mcp251x-add-error-check-when-wq-alloc-failed.patch +can-gw-fix-error-path-of-cgw_module_init.patch +asoc-fail-card-instantiation-if-dai-format-setup-fai.patch +st21nfca_connectivity_event_received-null-check-the-.patch +st_nci_hci_connectivity_event_received-null-check-th.patch +asoc-rockchip-fix-mono-capture.patch +asoc-ti-davinci-mcasp-correct-slot_width-posed-const.patch +net-usb-qmi_wwan-add-the-broadmobi-bm818-card.patch +qed-rdma-fix-the-hw_ver-returned-in-device-attribute.patch +isdn-misdn-hfcsusb-fix-possible-null-pointer-derefer.patch +mac80211_hwsim-fix-possible-null-pointer-dereference.patch +netfilter-ipset-actually-allow-destination-mac-addre.patch +netfilter-ipset-copy-the-right-mac-address-in-bitmap.patch +netfilter-ipset-fix-rename-concurrency-with-listing.patch +rxrpc-fix-potential-deadlock.patch +rxrpc-fix-the-lack-of-notification-when-sendmsg-fail.patch +isdn-hfcsusb-fix-misdn-driver-crash-caused-by-transf.patch +net-phy-phy_led_triggers-fix-a-possible-null-pointer.patch +perf-bench-numa-fix-cpu0-binding.patch +can-sja1000-force-the-string-buffer-null-terminated.patch +can-peak_usb-force-the-string-buffer-null-terminated.patch +net-ethernet-qlogic-qed-force-the-string-buffer-null.patch +nfsv4-fix-a-potential-sleep-while-atomic-in-nfs4_do_.patch +nfs-fix-regression-whereby-fscache-errors-are-appear.patch +hid-quirks-set-the-increment_usage_on_duplicate-quir.patch +hid-input-fix-a4tech-horizontal-wheel-custom-usage.patch +drm-rockchip-suspend-dp-late.patch +smb3-fix-potential-memory-leak-when-processing-compo.patch +smb3-kernel-oops-mounting-a-encryptdata-share-with-c.patch +s390-put-_stext-and-_etext-into-.text-section.patch +net-cxgb3_main-fix-a-resource-leak-in-a-error-path-i.patch +net-stmmac-fix-issues-when-number-of-queues-4.patch +net-stmmac-tc-do-not-return-a-fragment-entry.patch +net-hisilicon-make-hip04_tx_reclaim-non-reentrant.patch +net-hisilicon-fix-hip04-xmit-never-return-tx_busy.patch +net-hisilicon-fix-dma_map_single-failed-on-arm64.patch +libata-have-ata_scsi_rw_xlat-fail-invalid-passthroug.patch +libata-add-sg-safety-checks-in-sff-pio-transfers.patch +x86-lib-cpu-address-missing-prototypes-warning.patch +drm-vmwgfx-fix-memory-leak-when-too-many-retries-hav.patch +block-bfq-handle-null-return-value-by-bfq_init_rq.patch +perf-ftrace-fix-failure-to-set-cpumask-when-only-one.patch +perf-cpumap-fix-writing-to-illegal-memory-in-handlin.patch +perf-pmu-events-fix-missing-cpu_clk_unhalted.core-ev.patch +kvm-arm64-don-t-write-junk-to-sysregs-on-reset.patch +kvm-arm-don-t-write-junk-to-cp15-registers-on-reset.patch +selftests-kvm-adding-config-fragments.patch diff --git a/queue-4.19/smb3-fix-potential-memory-leak-when-processing-compo.patch b/queue-4.19/smb3-fix-potential-memory-leak-when-processing-compo.patch new file mode 100644 index 00000000000..760af6a80f6 --- /dev/null +++ b/queue-4.19/smb3-fix-potential-memory-leak-when-processing-compo.patch @@ -0,0 +1,87 @@ +From 0bed557084f5542665be4486a7049408af003770 Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Mon, 22 Jul 2019 11:38:22 -0700 +Subject: SMB3: Fix potential memory leak when processing compound chain + +[ Upstream commit 3edeb4a4146dc3b54d6fa71b7ee0585cb52ebfdf ] + +When a reconnect happens in the middle of processing a compound chain +the code leaks a buffer from the memory pool. Fix this by properly +checking for a return code and freeing buffers in case of error. + +Also maintain a buf variable to be equal to either smallbuf or bigbuf +depending on a response buffer size while parsing a chain and when +returning to the caller. + +Signed-off-by: Pavel Shilovsky +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smb2ops.c | 29 +++++++++++++++++------------ + 1 file changed, 17 insertions(+), 12 deletions(-) + +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index 0ccf8f9b63a2e..97fdbec54db97 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -3121,7 +3121,6 @@ receive_encrypted_standard(struct TCP_Server_Info *server, + { + int ret, length; + char *buf = server->smallbuf; +- char *tmpbuf; + struct smb2_sync_hdr *shdr; + unsigned int pdu_length = server->pdu_size; + unsigned int buf_size; +@@ -3151,18 +3150,15 @@ receive_encrypted_standard(struct TCP_Server_Info *server, + return length; + + next_is_large = server->large_buf; +- one_more: ++one_more: + shdr = (struct smb2_sync_hdr *)buf; + if (shdr->NextCommand) { +- if (next_is_large) { +- tmpbuf = server->bigbuf; ++ if (next_is_large) + next_buffer = (char *)cifs_buf_get(); +- } else { +- tmpbuf = server->smallbuf; ++ else + next_buffer = (char *)cifs_small_buf_get(); +- } + memcpy(next_buffer, +- tmpbuf + le32_to_cpu(shdr->NextCommand), ++ buf + le32_to_cpu(shdr->NextCommand), + pdu_length - le32_to_cpu(shdr->NextCommand)); + } + +@@ -3191,12 +3187,21 @@ receive_encrypted_standard(struct TCP_Server_Info *server, + pdu_length -= le32_to_cpu(shdr->NextCommand); + server->large_buf = next_is_large; + if (next_is_large) +- server->bigbuf = next_buffer; ++ server->bigbuf = buf = next_buffer; + else +- server->smallbuf = next_buffer; +- +- buf += le32_to_cpu(shdr->NextCommand); ++ server->smallbuf = buf = next_buffer; + goto one_more; ++ } else if (ret != 0) { ++ /* ++ * ret != 0 here means that we didn't get to handle_mid() thus ++ * server->smallbuf and server->bigbuf are still valid. We need ++ * to free next_buffer because it is not going to be used ++ * anywhere. ++ */ ++ if (next_is_large) ++ free_rsp_buf(CIFS_LARGE_BUFFER, next_buffer); ++ else ++ free_rsp_buf(CIFS_SMALL_BUFFER, next_buffer); + } + + return ret; +-- +2.20.1 + diff --git a/queue-4.19/smb3-kernel-oops-mounting-a-encryptdata-share-with-c.patch b/queue-4.19/smb3-kernel-oops-mounting-a-encryptdata-share-with-c.patch new file mode 100644 index 00000000000..05be6fc3890 --- /dev/null +++ b/queue-4.19/smb3-kernel-oops-mounting-a-encryptdata-share-with-c.patch @@ -0,0 +1,43 @@ +From 73fd628be75cf15bdeeb3e0f401a3576ff8cb0a8 Mon Sep 17 00:00:00 2001 +From: Sebastien Tisserant +Date: Thu, 1 Aug 2019 12:06:08 -0500 +Subject: SMB3: Kernel oops mounting a encryptData share with + CONFIG_DEBUG_VIRTUAL + +[ Upstream commit ee9d66182392695535cc9fccfcb40c16f72de2a9 ] + +Fix kernel oops when mounting a encryptData CIFS share with +CONFIG_DEBUG_VIRTUAL + +Signed-off-by: Sebastien Tisserant +Reviewed-by: Pavel Shilovsky +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smb2ops.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index 97fdbec54db97..cc9e846a38658 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -2545,7 +2545,15 @@ fill_transform_hdr(struct smb2_transform_hdr *tr_hdr, unsigned int orig_len, + static inline void smb2_sg_set_buf(struct scatterlist *sg, const void *buf, + unsigned int buflen) + { +- sg_set_page(sg, virt_to_page(buf), buflen, offset_in_page(buf)); ++ void *addr; ++ /* ++ * VMAP_STACK (at least) puts stack into the vmalloc address space ++ */ ++ if (is_vmalloc_addr(buf)) ++ addr = vmalloc_to_page(buf); ++ else ++ addr = virt_to_page(buf); ++ sg_set_page(sg, addr, buflen, offset_in_page(buf)); + } + + /* Assumes the first rqst has a transform header as the first iov. +-- +2.20.1 + diff --git a/queue-4.19/st21nfca_connectivity_event_received-null-check-the-.patch b/queue-4.19/st21nfca_connectivity_event_received-null-check-the-.patch new file mode 100644 index 00000000000..280fd32ac55 --- /dev/null +++ b/queue-4.19/st21nfca_connectivity_event_received-null-check-the-.patch @@ -0,0 +1,32 @@ +From 8535849a68fc85ca5b08668fd42c9ba669c3d57f Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost +Date: Tue, 23 Jul 2019 17:04:30 -0500 +Subject: st21nfca_connectivity_event_received: null check the allocation + +[ Upstream commit 9891d06836e67324c9e9c4675ed90fc8b8110034 ] + +devm_kzalloc may fail and return null. So the null check is needed. + +Signed-off-by: Navid Emamdoost +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/st21nfca/se.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nfc/st21nfca/se.c b/drivers/nfc/st21nfca/se.c +index 4bed9e842db38..fd967a38a94a5 100644 +--- a/drivers/nfc/st21nfca/se.c ++++ b/drivers/nfc/st21nfca/se.c +@@ -328,6 +328,8 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host, + + transaction = (struct nfc_evt_transaction *)devm_kzalloc(dev, + skb->len - 2, GFP_KERNEL); ++ if (!transaction) ++ return -ENOMEM; + + transaction->aid_len = skb->data[1]; + memcpy(transaction->aid, &skb->data[2], +-- +2.20.1 + diff --git a/queue-4.19/st_nci_hci_connectivity_event_received-null-check-th.patch b/queue-4.19/st_nci_hci_connectivity_event_received-null-check-th.patch new file mode 100644 index 00000000000..c1a4f0dc286 --- /dev/null +++ b/queue-4.19/st_nci_hci_connectivity_event_received-null-check-th.patch @@ -0,0 +1,32 @@ +From e41c80f735bdfa51a0322881b2a6f321ce58177f Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost +Date: Tue, 23 Jul 2019 17:11:51 -0500 +Subject: st_nci_hci_connectivity_event_received: null check the allocation + +[ Upstream commit 3008e06fdf0973770370f97d5f1fba3701d8281d ] + +devm_kzalloc may fail and return NULL. So the null check is needed. + +Signed-off-by: Navid Emamdoost +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/st-nci/se.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c +index f55d082ace715..5d6e7e931bc6c 100644 +--- a/drivers/nfc/st-nci/se.c ++++ b/drivers/nfc/st-nci/se.c +@@ -344,6 +344,8 @@ static int st_nci_hci_connectivity_event_received(struct nci_dev *ndev, + + transaction = (struct nfc_evt_transaction *)devm_kzalloc(dev, + skb->len - 2, GFP_KERNEL); ++ if (!transaction) ++ return -ENOMEM; + + transaction->aid_len = skb->data[1]; + memcpy(transaction->aid, &skb->data[2], transaction->aid_len); +-- +2.20.1 + diff --git a/queue-4.19/x86-lib-cpu-address-missing-prototypes-warning.patch b/queue-4.19/x86-lib-cpu-address-missing-prototypes-warning.patch new file mode 100644 index 00000000000..c03cec68ab7 --- /dev/null +++ b/queue-4.19/x86-lib-cpu-address-missing-prototypes-warning.patch @@ -0,0 +1,44 @@ +From 2d900f1f92d142ac82c4f11e15c7e730997b8a6e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Valdis=20Kl=C4=93tnieks?= +Date: Wed, 7 Aug 2019 23:27:17 -0400 +Subject: x86/lib/cpu: Address missing prototypes warning + +[ Upstream commit 04f5bda84b0712d6f172556a7e8dca9ded5e73b9 ] + +When building with W=1, warnings about missing prototypes are emitted: + + CC arch/x86/lib/cpu.o +arch/x86/lib/cpu.c:5:14: warning: no previous prototype for 'x86_family' [-Wmissing-prototypes] + 5 | unsigned int x86_family(unsigned int sig) + | ^~~~~~~~~~ +arch/x86/lib/cpu.c:18:14: warning: no previous prototype for 'x86_model' [-Wmissing-prototypes] + 18 | unsigned int x86_model(unsigned int sig) + | ^~~~~~~~~ +arch/x86/lib/cpu.c:33:14: warning: no previous prototype for 'x86_stepping' [-Wmissing-prototypes] + 33 | unsigned int x86_stepping(unsigned int sig) + | ^~~~~~~~~~~~ + +Add the proper include file so the prototypes are there. + +Signed-off-by: Valdis Kletnieks +Signed-off-by: Thomas Gleixner +Link: https://lkml.kernel.org/r/42513.1565234837@turing-police +Signed-off-by: Sasha Levin +--- + arch/x86/lib/cpu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/lib/cpu.c b/arch/x86/lib/cpu.c +index 2dd1fe13a37b3..19f707992db22 100644 +--- a/arch/x86/lib/cpu.c ++++ b/arch/x86/lib/cpu.c +@@ -1,5 +1,6 @@ + #include + #include ++#include + + unsigned int x86_family(unsigned int sig) + { +-- +2.20.1 +