From: Greg Kroah-Hartman Date: Thu, 4 Oct 2018 19:37:39 +0000 (-0700) Subject: 4.14-stable patches X-Git-Tag: v4.4.160~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=991ec2ca1918eeb06073206402a9b6a45d1252d7;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: arc-atomics-unbork-atomic_fetch_-op.patch btrfs-btrfs_shrink_device-should-call-commit-transaction-at-the-end.patch cfg80211-fix-a-type-issue-in-ieee80211_chandef_to_operating_class.patch cfg80211-nl80211_update_ft_ies-to-validate-nl80211_attr_ie.patch fs-cifs-don-t-translate-sfm_slash-u-f026-to-backslash.patch gpio-adp5588-fix-sleep-in-atomic-context-bug.patch gpio-fix-crash-due-to-registration-race.patch gpiolib-acpi-register-gpioint-acpi-event-handlers-from-a-late_initcall.patch gpiolib-acpi-switch-to-cansleep-version-of-gpio-library-call.patch i2c-uniphier-f-issue-stop-only-for-last-message-or-i2c_m_stop.patch i2c-uniphier-issue-stop-only-for-last-message-or-i2c_m_stop.patch kvm-ppc-book3s-hv-don-t-truncate-hpte-index-in-xlate-function.patch mac80211-always-account-for-a-msdu-header-changes.patch mac80211-avoid-kernel-panic-when-building-amsdu-from-non-linear-skb.patch mac80211-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch mac80211-do-not-convert-to-a-msdu-if-frag-subframe-limited.patch mac80211-don-t-tx-a-deauth-frame-if-the-ap-forbade-tx.patch mac80211-fix-a-race-between-restart-and-csa-flows.patch mac80211-fix-an-off-by-one-issue-in-a-msdu-max_subframe-computation.patch mac80211-fix-station-bandwidth-setting-after-channel-switch.patch mac80211-mesh-fix-hwmp-sequence-numbering-to-follow-standard.patch mac80211-run-txq-teardown-code-before-de-registering-interfaces.patch mac80211-shorten-the-ibss-debug-messages.patch mac80211_hwsim-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch mac80211_hwsim-require-at-least-one-channel.patch md-raid5-cache-disable-reshape-completely.patch net-cadence-fix-a-sleep-in-atomic-context-bug-in-macb_halt_tx.patch net-ethernet-cpsw-phy-sel-prefer-phandle-for-phy-sel.patch net-hns-add-netif_carrier_off-before-change-speed-and-duplex.patch net-hns-add-the-code-for-cleaning-pkt-in-chip.patch raid10-bug_on-in-raise_barrier-when-force-is-true-and-conf-barrier-is-0.patch scsi-csiostor-add-a-check-for-null-pointer-after-kmalloc.patch tools-kvm_stat-fix-handling-of-invalid-paths-in-debugfs-provider.patch tools-kvm_stat-fix-python3-issues.patch tools-power-turbostat-fix-possible-sprintf-buffer-overflow.patch tools-vm-page-types.c-fix-defined-but-not-used-warning.patch tools-vm-slabinfo.c-fix-sign-compare-warning.patch --- diff --git a/queue-4.14/arc-atomics-unbork-atomic_fetch_-op.patch b/queue-4.14/arc-atomics-unbork-atomic_fetch_-op.patch new file mode 100644 index 00000000000..84e0d7cb403 --- /dev/null +++ b/queue-4.14/arc-atomics-unbork-atomic_fetch_-op.patch @@ -0,0 +1,62 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Will Deacon +Date: Thu, 30 Aug 2018 13:52:38 -0700 +Subject: ARC: atomics: unbork atomic_fetch_##op() + +From: Will Deacon + +[ Upstream commit 3fcbb8260a87efb691d837e8cd24e81f65b3eb70 ] + +In 4.19-rc1, Eugeniy reported weird boot and IO errors on ARC HSDK + +| INFO: task syslogd:77 blocked for more than 10 seconds. +| Not tainted 4.19.0-rc1-00007-gf213acea4e88 #40 +| "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this +| message. +| syslogd D 0 77 76 0x00000000 +| +| Stack Trace: +| __switch_to+0x0/0xac +| __schedule+0x1b2/0x730 +| io_schedule+0x5c/0xc0 +| __lock_page+0x98/0xdc +| find_lock_entry+0x38/0x100 +| shmem_getpage_gfp.isra.3+0x82/0xbfc +| shmem_fault+0x46/0x138 +| handle_mm_fault+0x5bc/0x924 +| do_page_fault+0x100/0x2b8 +| ret_from_exception+0x0/0x8 + +He bisected to 84c6591103db ("locking/atomics, +asm-generic/bitops/lock.h: Rewrite using atomic_fetch_*()") + +This commit however only unmasked the real issue introduced by commit +4aef66c8ae9 ("locking/atomic, arch/arc: Fix build") which missed the +retry-if-scond-failed branch in atomic_fetch_##op() macros. + +The bisected commit started using atomic_fetch_##op() macros for building +the rest of atomics. + +Fixes: 4aef66c8ae9 ("locking/atomic, arch/arc: Fix build") +Reported-by: Eugeniy Paltsev +Acked-by: Peter Zijlstra (Intel) +Signed-off-by: Will Deacon +Signed-off-by: Vineet Gupta +[vgupta: wrote changelog] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arc/include/asm/atomic.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arc/include/asm/atomic.h ++++ b/arch/arc/include/asm/atomic.h +@@ -84,7 +84,7 @@ static inline int atomic_fetch_##op(int + "1: llock %[orig], [%[ctr]] \n" \ + " " #asm_op " %[val], %[orig], %[i] \n" \ + " scond %[val], [%[ctr]] \n" \ +- " \n" \ ++ " bnz 1b \n" \ + : [val] "=&r" (val), \ + [orig] "=&r" (orig) \ + : [ctr] "r" (&v->counter), \ diff --git a/queue-4.14/btrfs-btrfs_shrink_device-should-call-commit-transaction-at-the-end.patch b/queue-4.14/btrfs-btrfs_shrink_device-should-call-commit-transaction-at-the-end.patch new file mode 100644 index 00000000000..73b29971d53 --- /dev/null +++ b/queue-4.14/btrfs-btrfs_shrink_device-should-call-commit-transaction-at-the-end.patch @@ -0,0 +1,66 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Anand Jain +Date: Mon, 6 Aug 2018 18:12:37 +0800 +Subject: btrfs: btrfs_shrink_device should call commit transaction at the end + +From: Anand Jain + +[ Upstream commit 801660b040d132f67fac6a95910ad307c5929b49 ] + +Test case btrfs/164 reports use-after-free: + +[ 6712.084324] general protection fault: 0000 [#1] PREEMPT SMP +.. +[ 6712.195423] btrfs_update_commit_device_size+0x75/0xf0 [btrfs] +[ 6712.201424] btrfs_commit_transaction+0x57d/0xa90 [btrfs] +[ 6712.206999] btrfs_rm_device+0x627/0x850 [btrfs] +[ 6712.211800] btrfs_ioctl+0x2b03/0x3120 [btrfs] + +Reason for this is that btrfs_shrink_device adds the resized device to +the fs_devices::resized_devices after it has called the last commit +transaction. + +So the list fs_devices::resized_devices is not empty when +btrfs_shrink_device returns. Now the parent function +btrfs_rm_device calls: + + btrfs_close_bdev(device); + call_rcu(&device->rcu, free_device_rcu); + +and then does the transactio ncommit. It goes through the +fs_devices::resized_devices in btrfs_update_commit_device_size and +leads to use-after-free. + +Fix this by making sure btrfs_shrink_device calls the last needed +btrfs_commit_transaction before the return. This is consistent with what +the grow counterpart does and this makes sure the on-disk state is +persistent when the function returns. + +Reported-by: Lu Fengqi +Tested-by: Lu Fengqi +Signed-off-by: Anand Jain +Reviewed-by: David Sterba +[ update changelog ] +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -4517,7 +4517,12 @@ again: + + /* Now btrfs_update_device() will change the on-disk size. */ + ret = btrfs_update_device(trans, device); +- btrfs_end_transaction(trans); ++ if (ret < 0) { ++ btrfs_abort_transaction(trans, ret); ++ btrfs_end_transaction(trans); ++ } else { ++ ret = btrfs_commit_transaction(trans); ++ } + done: + btrfs_free_path(path); + if (ret) { diff --git a/queue-4.14/cfg80211-fix-a-type-issue-in-ieee80211_chandef_to_operating_class.patch b/queue-4.14/cfg80211-fix-a-type-issue-in-ieee80211_chandef_to_operating_class.patch new file mode 100644 index 00000000000..ac2d5a5c458 --- /dev/null +++ b/queue-4.14/cfg80211-fix-a-type-issue-in-ieee80211_chandef_to_operating_class.patch @@ -0,0 +1,41 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Dan Carpenter +Date: Fri, 31 Aug 2018 11:10:55 +0300 +Subject: cfg80211: fix a type issue in ieee80211_chandef_to_operating_class() + +From: Dan Carpenter + +[ Upstream commit 8442938c3a2177ba16043b3a935f2c78266ad399 ] + +The "chandef->center_freq1" variable is a u32 but "freq" is a u16 so we +are truncating away the high bits. I noticed this bug because in commit +9cf0a0b4b64a ("cfg80211: Add support for 60GHz band channels 5 and 6") +we made "freq <= 56160 + 2160 * 6" a valid requency when before it was +only "freq <= 56160 + 2160 * 4" that was valid. It introduces a static +checker warning: + + net/wireless/util.c:1571 ieee80211_chandef_to_operating_class() + warn: always true condition '(freq <= 56160 + 2160 * 6) => (0-u16max <= 69120)' + +But really we probably shouldn't have been truncating the high bits +away to begin with. + +Signed-off-by: Dan Carpenter +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -1449,7 +1449,7 @@ bool ieee80211_chandef_to_operating_clas + u8 *op_class) + { + u8 vht_opclass; +- u16 freq = chandef->center_freq1; ++ u32 freq = chandef->center_freq1; + + if (freq >= 2412 && freq <= 2472) { + if (chandef->width > NL80211_CHAN_WIDTH_40) diff --git a/queue-4.14/cfg80211-nl80211_update_ft_ies-to-validate-nl80211_attr_ie.patch b/queue-4.14/cfg80211-nl80211_update_ft_ies-to-validate-nl80211_attr_ie.patch new file mode 100644 index 00000000000..9676a00f2a7 --- /dev/null +++ b/queue-4.14/cfg80211-nl80211_update_ft_ies-to-validate-nl80211_attr_ie.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Arunk Khandavalli +Date: Thu, 30 Aug 2018 00:40:16 +0300 +Subject: cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE + +From: Arunk Khandavalli + +[ Upstream commit 4f0223bfe9c3e62d8f45a85f1ef1b18a8a263ef9 ] + +nl80211_update_ft_ies() tried to validate NL80211_ATTR_IE with +is_valid_ie_attr() before dereferencing it, but that helper function +returns true in case of NULL pointer (i.e., attribute not included). +This can result to dereferencing a NULL pointer. Fix that by explicitly +checking that NL80211_ATTR_IE is included. + +Fixes: 355199e02b83 ("cfg80211: Extend support for IEEE 802.11r Fast BSS Transition") +Signed-off-by: Arunk Khandavalli +Signed-off-by: Jouni Malinen +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/nl80211.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -11679,6 +11679,7 @@ static int nl80211_update_ft_ies(struct + return -EOPNOTSUPP; + + if (!info->attrs[NL80211_ATTR_MDID] || ++ !info->attrs[NL80211_ATTR_IE] || + !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE])) + return -EINVAL; + diff --git a/queue-4.14/fs-cifs-don-t-translate-sfm_slash-u-f026-to-backslash.patch b/queue-4.14/fs-cifs-don-t-translate-sfm_slash-u-f026-to-backslash.patch new file mode 100644 index 00000000000..2804df01557 --- /dev/null +++ b/queue-4.14/fs-cifs-don-t-translate-sfm_slash-u-f026-to-backslash.patch @@ -0,0 +1,44 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Jon Kuhn +Date: Mon, 9 Jul 2018 14:33:14 +0000 +Subject: fs/cifs: don't translate SFM_SLASH (U+F026) to backslash + +From: Jon Kuhn + +[ Upstream commit c15e3f19a6d5c89b1209dc94b40e568177cb0921 ] + +When a Mac client saves an item containing a backslash to a file server +the backslash is represented in the CIFS/SMB protocol as as U+F026. +Before this change, listing a directory containing an item with a +backslash in its name will return that item with the backslash +represented with a true backslash character (U+005C) because +convert_sfm_character mapped U+F026 to U+005C when interpretting the +CIFS/SMB protocol response. However, attempting to open or stat the +path using a true backslash will result in an error because +convert_to_sfm_char does not map U+005C back to U+F026 causing the +CIFS/SMB request to be made with the backslash represented as U+005C. + +This change simply prevents the U+F026 to U+005C conversion from +happenning. This is analogous to how the code does not do any +translation of UNI_SLASH (U+F000). + +Signed-off-by: Jon Kuhn +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifs_unicode.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/fs/cifs/cifs_unicode.c ++++ b/fs/cifs/cifs_unicode.c +@@ -105,9 +105,6 @@ convert_sfm_char(const __u16 src_char, c + case SFM_LESSTHAN: + *target = '<'; + break; +- case SFM_SLASH: +- *target = '\\'; +- break; + case SFM_SPACE: + *target = ' '; + break; diff --git a/queue-4.14/gpio-adp5588-fix-sleep-in-atomic-context-bug.patch b/queue-4.14/gpio-adp5588-fix-sleep-in-atomic-context-bug.patch new file mode 100644 index 00000000000..b32afbd1a42 --- /dev/null +++ b/queue-4.14/gpio-adp5588-fix-sleep-in-atomic-context-bug.patch @@ -0,0 +1,76 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Michael Hennerich +Date: Mon, 13 Aug 2018 15:57:44 +0200 +Subject: gpio: adp5588: Fix sleep-in-atomic-context bug + +From: Michael Hennerich + +[ Upstream commit 6537886cdc9a637711fd6da980dbb87c2c87c9aa ] + +This fixes: +[BUG] gpio: gpio-adp5588: A possible sleep-in-atomic-context bug + in adp5588_gpio_write() +[BUG] gpio: gpio-adp5588: A possible sleep-in-atomic-context bug + in adp5588_gpio_direction_input() + +Reported-by: Jia-Ju Bai +Signed-off-by: Michael Hennerich +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-adp5588.c | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +--- a/drivers/gpio/gpio-adp5588.c ++++ b/drivers/gpio/gpio-adp5588.c +@@ -41,6 +41,8 @@ struct adp5588_gpio { + uint8_t int_en[3]; + uint8_t irq_mask[3]; + uint8_t irq_stat[3]; ++ uint8_t int_input_en[3]; ++ uint8_t int_lvl_cached[3]; + }; + + static int adp5588_gpio_read(struct i2c_client *client, u8 reg) +@@ -173,12 +175,28 @@ static void adp5588_irq_bus_sync_unlock( + struct adp5588_gpio *dev = irq_data_get_irq_chip_data(d); + int i; + +- for (i = 0; i <= ADP5588_BANK(ADP5588_MAXGPIO); i++) ++ for (i = 0; i <= ADP5588_BANK(ADP5588_MAXGPIO); i++) { ++ if (dev->int_input_en[i]) { ++ mutex_lock(&dev->lock); ++ dev->dir[i] &= ~dev->int_input_en[i]; ++ dev->int_input_en[i] = 0; ++ adp5588_gpio_write(dev->client, GPIO_DIR1 + i, ++ dev->dir[i]); ++ mutex_unlock(&dev->lock); ++ } ++ ++ if (dev->int_lvl_cached[i] != dev->int_lvl[i]) { ++ dev->int_lvl_cached[i] = dev->int_lvl[i]; ++ adp5588_gpio_write(dev->client, GPIO_INT_LVL1 + i, ++ dev->int_lvl[i]); ++ } ++ + if (dev->int_en[i] ^ dev->irq_mask[i]) { + dev->int_en[i] = dev->irq_mask[i]; + adp5588_gpio_write(dev->client, GPIO_INT_EN1 + i, + dev->int_en[i]); + } ++ } + + mutex_unlock(&dev->irq_lock); + } +@@ -221,9 +239,7 @@ static int adp5588_irq_set_type(struct i + else + return -EINVAL; + +- adp5588_gpio_direction_input(&dev->gpio_chip, gpio); +- adp5588_gpio_write(dev->client, GPIO_INT_LVL1 + bank, +- dev->int_lvl[bank]); ++ dev->int_input_en[bank] |= bit; + + return 0; + } diff --git a/queue-4.14/gpio-fix-crash-due-to-registration-race.patch b/queue-4.14/gpio-fix-crash-due-to-registration-race.patch new file mode 100644 index 00000000000..6428d57c506 --- /dev/null +++ b/queue-4.14/gpio-fix-crash-due-to-registration-race.patch @@ -0,0 +1,68 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Vincent Whitchurch +Date: Fri, 31 Aug 2018 09:04:18 +0200 +Subject: gpio: Fix crash due to registration race + +From: Vincent Whitchurch + +[ Upstream commit d49b48f088c323dbacae44dfbe56d9c985c8a2a1 ] + +gpiochip_add_data_with_key() adds the gpiochip to the gpio_devices list +before of_gpiochip_add() is called, but it's only the latter which sets +the ->of_xlate function pointer. gpiochip_find() can be called by +someone else between these two actions, and it can find the chip and +call of_gpiochip_match_node_and_xlate() which leads to the following +crash due to a NULL ->of_xlate(). + + Unhandled prefetch abort: page domain fault (0x01b) at 0x00000000 + Modules linked in: leds_gpio(+) gpio_generic(+) + CPU: 0 PID: 830 Comm: insmod Not tainted 4.18.0+ #43 + Hardware name: ARM-Versatile Express + PC is at (null) + LR is at of_gpiochip_match_node_and_xlate+0x2c/0x38 + Process insmod (pid: 830, stack limit = 0x(ptrval)) + (of_gpiochip_match_node_and_xlate) from (gpiochip_find+0x48/0x84) + (gpiochip_find) from (of_get_named_gpiod_flags+0xa8/0x238) + (of_get_named_gpiod_flags) from (gpiod_get_from_of_node+0x2c/0xc8) + (gpiod_get_from_of_node) from (devm_fwnode_get_index_gpiod_from_child+0xb8/0x144) + (devm_fwnode_get_index_gpiod_from_child) from (gpio_led_probe+0x208/0x3c4 [leds_gpio]) + (gpio_led_probe [leds_gpio]) from (platform_drv_probe+0x48/0x9c) + (platform_drv_probe) from (really_probe+0x1d0/0x3d4) + (really_probe) from (driver_probe_device+0x78/0x1c0) + (driver_probe_device) from (__driver_attach+0x120/0x13c) + (__driver_attach) from (bus_for_each_dev+0x68/0xb4) + (bus_for_each_dev) from (bus_add_driver+0x1a8/0x268) + (bus_add_driver) from (driver_register+0x78/0x10c) + (driver_register) from (do_one_initcall+0x54/0x1fc) + (do_one_initcall) from (do_init_module+0x64/0x1f4) + (do_init_module) from (load_module+0x2198/0x26ac) + (load_module) from (sys_finit_module+0xe0/0x110) + (sys_finit_module) from (ret_fast_syscall+0x0/0x54) + +One way to fix this would be to rework the hairy registration sequence +in gpiochip_add_data_with_key(), but since I'd probably introduce a +couple of new bugs if I attempted that, simply add a check for a +non-NULL of_xlate function pointer in +of_gpiochip_match_node_and_xlate(). This works since the driver looking +for the gpio will simply fail to find the gpio and defer its probe and +be reprobed when the driver which is registering the gpiochip has fully +completed its probe. + +Signed-off-by: Vincent Whitchurch +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpiolib-of.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -31,6 +31,7 @@ static int of_gpiochip_match_node_and_xl + struct of_phandle_args *gpiospec = data; + + return chip->gpiodev->dev.of_node == gpiospec->np && ++ chip->of_xlate && + chip->of_xlate(chip, gpiospec, NULL) >= 0; + } + diff --git a/queue-4.14/gpiolib-acpi-register-gpioint-acpi-event-handlers-from-a-late_initcall.patch b/queue-4.14/gpiolib-acpi-register-gpioint-acpi-event-handlers-from-a-late_initcall.patch new file mode 100644 index 00000000000..96c7ef5f979 --- /dev/null +++ b/queue-4.14/gpiolib-acpi-register-gpioint-acpi-event-handlers-from-a-late_initcall.patch @@ -0,0 +1,202 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Hans de Goede +Date: Tue, 14 Aug 2018 16:07:03 +0200 +Subject: gpiolib-acpi: Register GpioInt ACPI event handlers from a late_initcall + +From: Hans de Goede + +[ Upstream commit 78d3a92edbfb02e8cb83173cad84c3f2d5e1f070 ] + +GpioInt ACPI event handlers may see there IRQ triggered immediately +after requesting the IRQ (esp. level triggered ones). This means that they +may run before any other (builtin) drivers have had a chance to register +their OpRegion handlers, leading to errors like this: + +[ 1.133274] ACPI Error: No handler for Region [PMOP] ((____ptrval____)) [UserDefinedRegion] (20180531/evregion-132) +[ 1.133286] ACPI Error: Region UserDefinedRegion (ID=141) has no handler (20180531/exfldio-265) +[ 1.133297] ACPI Error: Method parse/execution failed \_SB.GPO2._L01, AE_NOT_EXIST (20180531/psparse-516) + +We already defer the manual initial trigger of edge triggered interrupts +by running it from a late_initcall handler, this commit replaces this with +deferring the entire acpi_gpiochip_request_interrupts() call till then, +fixing the problem of some OpRegions not being registered yet. + +Note that this removes the need to have a list of edge triggered handlers +which need to run, since the entire acpi_gpiochip_request_interrupts() call +is now delayed, acpi_gpiochip_request_interrupt() can call these directly +now. + +Acked-by: Mika Westerberg +Signed-off-by: Hans de Goede +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpiolib-acpi.c | 84 +++++++++++++++++++++++++------------------- + 1 file changed, 49 insertions(+), 35 deletions(-) + +--- a/drivers/gpio/gpiolib-acpi.c ++++ b/drivers/gpio/gpiolib-acpi.c +@@ -25,7 +25,6 @@ + + struct acpi_gpio_event { + struct list_head node; +- struct list_head initial_sync_list; + acpi_handle handle; + unsigned int pin; + unsigned int irq; +@@ -49,10 +48,19 @@ struct acpi_gpio_chip { + struct mutex conn_lock; + struct gpio_chip *chip; + struct list_head events; ++ struct list_head deferred_req_irqs_list_entry; + }; + +-static LIST_HEAD(acpi_gpio_initial_sync_list); +-static DEFINE_MUTEX(acpi_gpio_initial_sync_list_lock); ++/* ++ * For gpiochips which call acpi_gpiochip_request_interrupts() before late_init ++ * (so builtin drivers) we register the ACPI GpioInt event handlers from a ++ * late_initcall_sync handler, so that other builtin drivers can register their ++ * OpRegions before the event handlers can run. This list contains gpiochips ++ * for which the acpi_gpiochip_request_interrupts() has been deferred. ++ */ ++static DEFINE_MUTEX(acpi_gpio_deferred_req_irqs_lock); ++static LIST_HEAD(acpi_gpio_deferred_req_irqs_list); ++static bool acpi_gpio_deferred_req_irqs_done; + + static int acpi_gpiochip_find(struct gpio_chip *gc, void *data) + { +@@ -146,21 +154,6 @@ static struct gpio_desc *acpi_get_gpiod( + return gpiochip_get_desc(chip, offset); + } + +-static void acpi_gpio_add_to_initial_sync_list(struct acpi_gpio_event *event) +-{ +- mutex_lock(&acpi_gpio_initial_sync_list_lock); +- list_add(&event->initial_sync_list, &acpi_gpio_initial_sync_list); +- mutex_unlock(&acpi_gpio_initial_sync_list_lock); +-} +- +-static void acpi_gpio_del_from_initial_sync_list(struct acpi_gpio_event *event) +-{ +- mutex_lock(&acpi_gpio_initial_sync_list_lock); +- if (!list_empty(&event->initial_sync_list)) +- list_del_init(&event->initial_sync_list); +- mutex_unlock(&acpi_gpio_initial_sync_list_lock); +-} +- + static irqreturn_t acpi_gpio_irq_handler(int irq, void *data) + { + struct acpi_gpio_event *event = data; +@@ -290,7 +283,6 @@ static acpi_status acpi_gpiochip_request + event->irq = irq; + event->pin = pin; + event->desc = desc; +- INIT_LIST_HEAD(&event->initial_sync_list); + + ret = request_threaded_irq(event->irq, NULL, handler, irqflags, + "ACPI:Event", event); +@@ -312,10 +304,9 @@ static acpi_status acpi_gpiochip_request + * may refer to OperationRegions from other (builtin) drivers which + * may be probed after us. + */ +- if (handler == acpi_gpio_irq_handler && +- (((irqflags & IRQF_TRIGGER_RISING) && value == 1) || +- ((irqflags & IRQF_TRIGGER_FALLING) && value == 0))) +- acpi_gpio_add_to_initial_sync_list(event); ++ if (((irqflags & IRQF_TRIGGER_RISING) && value == 1) || ++ ((irqflags & IRQF_TRIGGER_FALLING) && value == 0)) ++ handler(event->irq, event); + + return AE_OK; + +@@ -344,6 +335,7 @@ void acpi_gpiochip_request_interrupts(st + struct acpi_gpio_chip *acpi_gpio; + acpi_handle handle; + acpi_status status; ++ bool defer; + + if (!chip->parent || !chip->to_irq) + return; +@@ -356,6 +348,16 @@ void acpi_gpiochip_request_interrupts(st + if (ACPI_FAILURE(status)) + return; + ++ mutex_lock(&acpi_gpio_deferred_req_irqs_lock); ++ defer = !acpi_gpio_deferred_req_irqs_done; ++ if (defer) ++ list_add(&acpi_gpio->deferred_req_irqs_list_entry, ++ &acpi_gpio_deferred_req_irqs_list); ++ mutex_unlock(&acpi_gpio_deferred_req_irqs_lock); ++ ++ if (defer) ++ return; ++ + acpi_walk_resources(handle, "_AEI", + acpi_gpiochip_request_interrupt, acpi_gpio); + } +@@ -386,11 +388,14 @@ void acpi_gpiochip_free_interrupts(struc + if (ACPI_FAILURE(status)) + return; + ++ mutex_lock(&acpi_gpio_deferred_req_irqs_lock); ++ if (!list_empty(&acpi_gpio->deferred_req_irqs_list_entry)) ++ list_del_init(&acpi_gpio->deferred_req_irqs_list_entry); ++ mutex_unlock(&acpi_gpio_deferred_req_irqs_lock); ++ + list_for_each_entry_safe_reverse(event, ep, &acpi_gpio->events, node) { + struct gpio_desc *desc; + +- acpi_gpio_del_from_initial_sync_list(event); +- + if (irqd_is_wakeup_set(irq_get_irq_data(event->irq))) + disable_irq_wake(event->irq); + +@@ -1101,6 +1106,7 @@ void acpi_gpiochip_add(struct gpio_chip + + acpi_gpio->chip = chip; + INIT_LIST_HEAD(&acpi_gpio->events); ++ INIT_LIST_HEAD(&acpi_gpio->deferred_req_irqs_list_entry); + + status = acpi_attach_data(handle, acpi_gpio_chip_dh, acpi_gpio); + if (ACPI_FAILURE(status)) { +@@ -1247,20 +1253,28 @@ bool acpi_can_fallback_to_crs(struct acp + return con_id == NULL; + } + +-/* Sync the initial state of handlers after all builtin drivers have probed */ +-static int acpi_gpio_initial_sync(void) ++/* Run deferred acpi_gpiochip_request_interrupts() */ ++static int acpi_gpio_handle_deferred_request_interrupts(void) + { +- struct acpi_gpio_event *event, *ep; ++ struct acpi_gpio_chip *acpi_gpio, *tmp; ++ ++ mutex_lock(&acpi_gpio_deferred_req_irqs_lock); ++ list_for_each_entry_safe(acpi_gpio, tmp, ++ &acpi_gpio_deferred_req_irqs_list, ++ deferred_req_irqs_list_entry) { ++ acpi_handle handle; + +- mutex_lock(&acpi_gpio_initial_sync_list_lock); +- list_for_each_entry_safe(event, ep, &acpi_gpio_initial_sync_list, +- initial_sync_list) { +- acpi_evaluate_object(event->handle, NULL, NULL, NULL); +- list_del_init(&event->initial_sync_list); ++ handle = ACPI_HANDLE(acpi_gpio->chip->parent); ++ acpi_walk_resources(handle, "_AEI", ++ acpi_gpiochip_request_interrupt, acpi_gpio); ++ ++ list_del_init(&acpi_gpio->deferred_req_irqs_list_entry); + } +- mutex_unlock(&acpi_gpio_initial_sync_list_lock); ++ ++ acpi_gpio_deferred_req_irqs_done = true; ++ mutex_unlock(&acpi_gpio_deferred_req_irqs_lock); + + return 0; + } + /* We must use _sync so that this runs after the first deferred_probe run */ +-late_initcall_sync(acpi_gpio_initial_sync); ++late_initcall_sync(acpi_gpio_handle_deferred_request_interrupts); diff --git a/queue-4.14/gpiolib-acpi-switch-to-cansleep-version-of-gpio-library-call.patch b/queue-4.14/gpiolib-acpi-switch-to-cansleep-version-of-gpio-library-call.patch new file mode 100644 index 00000000000..35275eee73f --- /dev/null +++ b/queue-4.14/gpiolib-acpi-switch-to-cansleep-version-of-gpio-library-call.patch @@ -0,0 +1,48 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Andy Shevchenko +Date: Mon, 13 Aug 2018 19:00:27 +0300 +Subject: gpiolib: acpi: Switch to cansleep version of GPIO library call + +From: Andy Shevchenko + +[ Upstream commit 993b9bc5c47fda86f8ab4e53d68c6fea5ff2764a ] + +The commit ca876c7483b6 + + ("gpiolib-acpi: make sure we trigger edge events at least once on boot") + +added a initial value check for pin which is about to be locked as IRQ. +Unfortunately, not all GPIO drivers can do that atomically. Thus, +switch to cansleep version of the call. Otherwise we have a warning: + +... + WARNING: CPU: 2 PID: 1408 at drivers/gpio/gpiolib.c:2883 gpiod_get_value+0x46/0x50 +... + RIP: 0010:gpiod_get_value+0x46/0x50 +... + +The change tested on Intel Broxton with Whiskey Cove PMIC GPIO controller. + +Fixes: ca876c7483b6 ("gpiolib-acpi: make sure we trigger edge events at least once on boot") +Signed-off-by: Andy Shevchenko +Cc: Hans de Goede +Cc: Benjamin Tissoires +Acked-by: Mika Westerberg +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpiolib-acpi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpiolib-acpi.c ++++ b/drivers/gpio/gpiolib-acpi.c +@@ -247,7 +247,7 @@ static acpi_status acpi_gpiochip_request + + gpiod_direction_input(desc); + +- value = gpiod_get_value(desc); ++ value = gpiod_get_value_cansleep(desc); + + ret = gpiochip_lock_as_irq(chip, pin); + if (ret) { diff --git a/queue-4.14/i2c-uniphier-f-issue-stop-only-for-last-message-or-i2c_m_stop.patch b/queue-4.14/i2c-uniphier-f-issue-stop-only-for-last-message-or-i2c_m_stop.patch new file mode 100644 index 00000000000..7acc066a25b --- /dev/null +++ b/queue-4.14/i2c-uniphier-f-issue-stop-only-for-last-message-or-i2c_m_stop.patch @@ -0,0 +1,42 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Masahiro Yamada +Date: Fri, 31 Aug 2018 23:30:48 +0900 +Subject: i2c: uniphier-f: issue STOP only for last message or I2C_M_STOP + +From: Masahiro Yamada + +[ Upstream commit 4c85609b08c4761eca0a40fd7beb06bc650f252d ] + +This driver currently emits a STOP if the next message is not +I2C_MD_RD. It should not do it because it disturbs the I2C_RDWR +ioctl, where read/write transactions are combined without STOP +between. + +Issue STOP only when the message is the last one _or_ flagged with +I2C_M_STOP. + +Fixes: 6a62974b667f ("i2c: uniphier_f: add UniPhier FIFO-builtin I2C driver") +Signed-off-by: Masahiro Yamada +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-uniphier-f.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/drivers/i2c/busses/i2c-uniphier-f.c ++++ b/drivers/i2c/busses/i2c-uniphier-f.c +@@ -401,11 +401,8 @@ static int uniphier_fi2c_master_xfer(str + return ret; + + for (msg = msgs; msg < emsg; msg++) { +- /* If next message is read, skip the stop condition */ +- bool stop = !(msg + 1 < emsg && msg[1].flags & I2C_M_RD); +- /* but, force it if I2C_M_STOP is set */ +- if (msg->flags & I2C_M_STOP) +- stop = true; ++ /* Emit STOP if it is the last message or I2C_M_STOP is set. */ ++ bool stop = (msg + 1 == emsg) || (msg->flags & I2C_M_STOP); + + ret = uniphier_fi2c_master_xfer_one(adap, msg, stop); + if (ret) diff --git a/queue-4.14/i2c-uniphier-issue-stop-only-for-last-message-or-i2c_m_stop.patch b/queue-4.14/i2c-uniphier-issue-stop-only-for-last-message-or-i2c_m_stop.patch new file mode 100644 index 00000000000..9c5d0d8a27f --- /dev/null +++ b/queue-4.14/i2c-uniphier-issue-stop-only-for-last-message-or-i2c_m_stop.patch @@ -0,0 +1,42 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Masahiro Yamada +Date: Fri, 31 Aug 2018 23:30:47 +0900 +Subject: i2c: uniphier: issue STOP only for last message or I2C_M_STOP + +From: Masahiro Yamada + +[ Upstream commit 38f5d8d8cbb2ffa2b54315118185332329ec891c ] + +This driver currently emits a STOP if the next message is not +I2C_MD_RD. It should not do it because it disturbs the I2C_RDWR +ioctl, where read/write transactions are combined without STOP +between. + +Issue STOP only when the message is the last one _or_ flagged with +I2C_M_STOP. + +Fixes: dd6fd4a32793 ("i2c: uniphier: add UniPhier FIFO-less I2C driver") +Signed-off-by: Masahiro Yamada +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-uniphier.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/drivers/i2c/busses/i2c-uniphier.c ++++ b/drivers/i2c/busses/i2c-uniphier.c +@@ -248,11 +248,8 @@ static int uniphier_i2c_master_xfer(stru + return ret; + + for (msg = msgs; msg < emsg; msg++) { +- /* If next message is read, skip the stop condition */ +- bool stop = !(msg + 1 < emsg && msg[1].flags & I2C_M_RD); +- /* but, force it if I2C_M_STOP is set */ +- if (msg->flags & I2C_M_STOP) +- stop = true; ++ /* Emit STOP if it is the last message or I2C_M_STOP is set. */ ++ bool stop = (msg + 1 == emsg) || (msg->flags & I2C_M_STOP); + + ret = uniphier_i2c_master_xfer_one(adap, msg, stop); + if (ret) diff --git a/queue-4.14/kvm-ppc-book3s-hv-don-t-truncate-hpte-index-in-xlate-function.patch b/queue-4.14/kvm-ppc-book3s-hv-don-t-truncate-hpte-index-in-xlate-function.patch new file mode 100644 index 00000000000..bcd2c535ae6 --- /dev/null +++ b/queue-4.14/kvm-ppc-book3s-hv-don-t-truncate-hpte-index-in-xlate-function.patch @@ -0,0 +1,42 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Paul Mackerras +Date: Mon, 20 Aug 2018 16:05:45 +1000 +Subject: KVM: PPC: Book3S HV: Don't truncate HPTE index in xlate function + +From: Paul Mackerras + +[ Upstream commit 46dec40fb741f00f1864580130779aeeaf24fb3d ] + +This fixes a bug which causes guest virtual addresses to get translated +to guest real addresses incorrectly when the guest is using the HPT MMU +and has more than 256GB of RAM, or more specifically has a HPT larger +than 2GB. This has showed up in testing as a failure of the host to +emulate doorbell instructions correctly on POWER9 for HPT guests with +more than 256GB of RAM. + +The bug is that the HPTE index in kvmppc_mmu_book3s_64_hv_xlate() +is stored as an int, and in forming the HPTE address, the index gets +shifted left 4 bits as an int before being signed-extended to 64 bits. +The simple fix is to make the variable a long int, matching the +return type of kvmppc_hv_find_lock_hpte(), which is what calculates +the index. + +Fixes: 697d3899dcb4 ("KVM: PPC: Implement MMIO emulation support for Book3S HV guests") +Signed-off-by: Paul Mackerras +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kvm/book3s_64_mmu_hv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/kvm/book3s_64_mmu_hv.c ++++ b/arch/powerpc/kvm/book3s_64_mmu_hv.c +@@ -355,7 +355,7 @@ static int kvmppc_mmu_book3s_64_hv_xlate + unsigned long pp, key; + unsigned long v, orig_v, gr; + __be64 *hptep; +- int index; ++ long int index; + int virtmode = vcpu->arch.shregs.msr & (data ? MSR_DR : MSR_IR); + + /* Get SLB entry */ diff --git a/queue-4.14/mac80211-always-account-for-a-msdu-header-changes.patch b/queue-4.14/mac80211-always-account-for-a-msdu-header-changes.patch new file mode 100644 index 00000000000..44ce27cda0b --- /dev/null +++ b/queue-4.14/mac80211-always-account-for-a-msdu-header-changes.patch @@ -0,0 +1,60 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Johannes Berg +Date: Thu, 30 Aug 2018 10:55:49 +0200 +Subject: mac80211: always account for A-MSDU header changes + +From: Johannes Berg + +[ Upstream commit aa58acf325b4aadeecae2bfc90658273b47dbace ] + +In the error path of changing the SKB headroom of the second +A-MSDU subframe, we would not account for the already-changed +length of the first frame that just got converted to be in +A-MSDU format and thus is a bit longer now. + +Fix this by doing the necessary accounting. + +It would be possible to reorder the operations, but that would +make the code more complex (to calculate the necessary pad), +and the headroom expansion should not fail frequently enough +to make that worthwhile. + +Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support") +Signed-off-by: Johannes Berg +Acked-by: Lorenzo Bianconi +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/tx.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3188,7 +3188,7 @@ static bool ieee80211_amsdu_aggregate(st + + if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(rfc1042_header) + + 2 + pad)) +- goto out; ++ goto out_recalc; + + ret = true; + data = skb_push(skb, ETH_ALEN + 2); +@@ -3205,11 +3205,13 @@ static bool ieee80211_amsdu_aggregate(st + head->data_len += skb->len; + *frag_tail = skb; + +- flow->backlog += head->len - orig_len; +- tin->backlog_bytes += head->len - orig_len; +- +- fq_recalc_backlog(fq, tin, flow); ++out_recalc: ++ if (head->len != orig_len) { ++ flow->backlog += head->len - orig_len; ++ tin->backlog_bytes += head->len - orig_len; + ++ fq_recalc_backlog(fq, tin, flow); ++ } + out: + spin_unlock_bh(&fq->lock); + diff --git a/queue-4.14/mac80211-avoid-kernel-panic-when-building-amsdu-from-non-linear-skb.patch b/queue-4.14/mac80211-avoid-kernel-panic-when-building-amsdu-from-non-linear-skb.patch new file mode 100644 index 00000000000..1eb4de1c4c8 --- /dev/null +++ b/queue-4.14/mac80211-avoid-kernel-panic-when-building-amsdu-from-non-linear-skb.patch @@ -0,0 +1,110 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Sara Sharon +Date: Wed, 29 Aug 2018 08:57:02 +0200 +Subject: mac80211: avoid kernel panic when building AMSDU from non-linear SKB + +From: Sara Sharon + +[ Upstream commit 166ac9d55b0ab70b644e429be1f217fe8393cbd7 ] + +When building building AMSDU from non-linear SKB, we hit a +kernel panic when trying to push the padding to the tail. +Instead, put the padding at the head of the next subframe. +This also fixes the A-MSDU subframes to not have the padding +accounted in the length field and not have pad at all for +the last subframe, both required by the spec. + +Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support") +Signed-off-by: Sara Sharon +Reviewed-by: Lorenzo Bianconi +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/tx.c | 38 +++++++++++++++++++++----------------- + 1 file changed, 21 insertions(+), 17 deletions(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3022,27 +3022,18 @@ void ieee80211_clear_fast_xmit(struct st + } + + static bool ieee80211_amsdu_realloc_pad(struct ieee80211_local *local, +- struct sk_buff *skb, int headroom, +- int *subframe_len) ++ struct sk_buff *skb, int headroom) + { +- int amsdu_len = *subframe_len + sizeof(struct ethhdr); +- int padding = (4 - amsdu_len) & 3; +- +- if (skb_headroom(skb) < headroom || skb_tailroom(skb) < padding) { ++ if (skb_headroom(skb) < headroom) { + I802_DEBUG_INC(local->tx_expand_skb_head); + +- if (pskb_expand_head(skb, headroom, padding, GFP_ATOMIC)) { ++ if (pskb_expand_head(skb, headroom, 0, GFP_ATOMIC)) { + wiphy_debug(local->hw.wiphy, + "failed to reallocate TX buffer\n"); + return false; + } + } + +- if (padding) { +- *subframe_len += padding; +- skb_put_zero(skb, padding); +- } +- + return true; + } + +@@ -3066,8 +3057,7 @@ static bool ieee80211_amsdu_prepare_head + if (info->control.flags & IEEE80211_TX_CTRL_AMSDU) + return true; + +- if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(*amsdu_hdr), +- &subframe_len)) ++ if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(*amsdu_hdr))) + return false; + + data = skb_push(skb, sizeof(*amsdu_hdr)); +@@ -3133,7 +3123,8 @@ static bool ieee80211_amsdu_aggregate(st + void *data; + bool ret = false; + unsigned int orig_len; +- int n = 1, nfrags; ++ int n = 1, nfrags, pad = 0; ++ u16 hdrlen; + + if (!ieee80211_hw_check(&local->hw, TX_AMSDU)) + return false; +@@ -3184,8 +3175,19 @@ static bool ieee80211_amsdu_aggregate(st + if (max_frags && nfrags > max_frags) + goto out; + +- if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(rfc1042_header) + 2, +- &subframe_len)) ++ /* ++ * Pad out the previous subframe to a multiple of 4 by adding the ++ * padding to the next one, that's being added. Note that head->len ++ * is the length of the full A-MSDU, but that works since each time ++ * we add a new subframe we pad out the previous one to a multiple ++ * of 4 and thus it no longer matters in the next round. ++ */ ++ hdrlen = fast_tx->hdr_len - sizeof(rfc1042_header); ++ if ((head->len - hdrlen) & 3) ++ pad = 4 - ((head->len - hdrlen) & 3); ++ ++ if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(rfc1042_header) + ++ 2 + pad)) + goto out; + + ret = true; +@@ -3197,6 +3199,8 @@ static bool ieee80211_amsdu_aggregate(st + memcpy(data, &len, 2); + memcpy(data + 2, rfc1042_header, sizeof(rfc1042_header)); + ++ memset(skb_push(skb, pad), 0, pad); ++ + head->len += skb->len; + head->data_len += skb->len; + *frag_tail = skb; diff --git a/queue-4.14/mac80211-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch b/queue-4.14/mac80211-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch new file mode 100644 index 00000000000..82e3bc37592 --- /dev/null +++ b/queue-4.14/mac80211-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch @@ -0,0 +1,37 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Danek Duvall +Date: Wed, 22 Aug 2018 16:01:04 -0700 +Subject: mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X + +From: Danek Duvall + +[ Upstream commit 67d1ba8a6dc83d90cd58b89fa6cbf9ae35a0cf7f ] + +The mod mask for VHT capabilities intends to say that you can override +the number of STBC receive streams, and it does, but only by accident. +The IEEE80211_VHT_CAP_RXSTBC_X aren't bits to be set, but values (albeit +left-shifted). ORing the bits together gets the right answer, but we +should use the _MASK macro here instead. + +Signed-off-by: Danek Duvall +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/main.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -467,10 +467,7 @@ static const struct ieee80211_vht_cap ma + cpu_to_le32(IEEE80211_VHT_CAP_RXLDPC | + IEEE80211_VHT_CAP_SHORT_GI_80 | + IEEE80211_VHT_CAP_SHORT_GI_160 | +- IEEE80211_VHT_CAP_RXSTBC_1 | +- IEEE80211_VHT_CAP_RXSTBC_2 | +- IEEE80211_VHT_CAP_RXSTBC_3 | +- IEEE80211_VHT_CAP_RXSTBC_4 | ++ IEEE80211_VHT_CAP_RXSTBC_MASK | + IEEE80211_VHT_CAP_TXSTBC | + IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE | + IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE | diff --git a/queue-4.14/mac80211-do-not-convert-to-a-msdu-if-frag-subframe-limited.patch b/queue-4.14/mac80211-do-not-convert-to-a-msdu-if-frag-subframe-limited.patch new file mode 100644 index 00000000000..c06ebde3b07 --- /dev/null +++ b/queue-4.14/mac80211-do-not-convert-to-a-msdu-if-frag-subframe-limited.patch @@ -0,0 +1,45 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Lorenzo Bianconi +Date: Wed, 29 Aug 2018 21:03:25 +0200 +Subject: mac80211: do not convert to A-MSDU if frag/subframe limited + +From: Lorenzo Bianconi + +[ Upstream commit 1eb507903665442360a959136dfa3234c43db085 ] + +Do not start to aggregate packets in a A-MSDU frame (converting the +first subframe to A-MSDU, adding the header) if max_tx_fragments or +max_amsdu_subframes limits are already exceeded by it. In particular, +this happens when drivers set the limit to 1 to avoid A-MSDUs at all. + +Signed-off-by: Lorenzo Bianconi +[reword commit message to be more precise] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/tx.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3157,9 +3157,6 @@ static bool ieee80211_amsdu_aggregate(st + if (skb->len + head->len > max_amsdu_len) + goto out; + +- if (!ieee80211_amsdu_prepare_head(sdata, fast_tx, head)) +- goto out; +- + nfrags = 1 + skb_shinfo(skb)->nr_frags; + nfrags += 1 + skb_shinfo(head)->nr_frags; + frag_tail = &skb_shinfo(head)->frag_list; +@@ -3175,6 +3172,9 @@ static bool ieee80211_amsdu_aggregate(st + if (max_frags && nfrags > max_frags) + goto out; + ++ if (!ieee80211_amsdu_prepare_head(sdata, fast_tx, head)) ++ goto out; ++ + /* + * Pad out the previous subframe to a multiple of 4 by adding the + * padding to the next one, that's being added. Note that head->len diff --git a/queue-4.14/mac80211-don-t-tx-a-deauth-frame-if-the-ap-forbade-tx.patch b/queue-4.14/mac80211-don-t-tx-a-deauth-frame-if-the-ap-forbade-tx.patch new file mode 100644 index 00000000000..0aaceb255da --- /dev/null +++ b/queue-4.14/mac80211-don-t-tx-a-deauth-frame-if-the-ap-forbade-tx.patch @@ -0,0 +1,87 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Emmanuel Grumbach +Date: Fri, 31 Aug 2018 11:31:12 +0300 +Subject: mac80211: don't Tx a deauth frame if the AP forbade Tx + +From: Emmanuel Grumbach + +[ Upstream commit 6c18b27d6e5c6a7206364eae2b47bc8d8b2fa68f ] + +If the driver fails to properly prepare for the channel +switch, mac80211 will disconnect. If the CSA IE had mode +set to 1, it means that the clients are not allowed to send +any Tx on the current channel, and that includes the +deauthentication frame. + +Make sure that we don't send the deauthentication frame in +this case. + +In iwlwifi, this caused a failure to flush queues since the +firmware already closed the queues after having parsed the +CSA IE. Then mac80211 would wait until the deauthentication +frame would go out (drv_flush(drop=false)) and that would +never happen. + +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mlme.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -1280,6 +1280,16 @@ ieee80211_sta_process_chanswitch(struct + cbss->beacon_interval)); + return; + drop_connection: ++ /* ++ * This is just so that the disconnect flow will know that ++ * we were trying to switch channel and failed. In case the ++ * mode is 1 (we are not allowed to Tx), we will know not to ++ * send a deauthentication frame. Those two fields will be ++ * reset when the disconnection worker runs. ++ */ ++ sdata->vif.csa_active = true; ++ sdata->csa_block_tx = csa_ie.mode; ++ + ieee80211_queue_work(&local->hw, &ifmgd->csa_connection_drop_work); + mutex_unlock(&local->chanctx_mtx); + mutex_unlock(&local->mtx); +@@ -2450,6 +2460,7 @@ static void __ieee80211_disconnect(struc + struct ieee80211_local *local = sdata->local; + struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; + u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN]; ++ bool tx; + + sdata_lock(sdata); + if (!ifmgd->associated) { +@@ -2457,6 +2468,8 @@ static void __ieee80211_disconnect(struc + return; + } + ++ tx = !sdata->csa_block_tx; ++ + /* AP is probably out of range (or not reachable for another reason) so + * remove the bss struct for that AP. + */ +@@ -2464,7 +2477,7 @@ static void __ieee80211_disconnect(struc + + ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH, + WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY, +- true, frame_buf); ++ tx, frame_buf); + mutex_lock(&local->mtx); + sdata->vif.csa_active = false; + ifmgd->csa_waiting_bcn = false; +@@ -2475,7 +2488,7 @@ static void __ieee80211_disconnect(struc + } + mutex_unlock(&local->mtx); + +- ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), true, ++ ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), tx, + WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY); + + sdata_unlock(sdata); diff --git a/queue-4.14/mac80211-fix-a-race-between-restart-and-csa-flows.patch b/queue-4.14/mac80211-fix-a-race-between-restart-and-csa-flows.patch new file mode 100644 index 00000000000..e40dd384019 --- /dev/null +++ b/queue-4.14/mac80211-fix-a-race-between-restart-and-csa-flows.patch @@ -0,0 +1,95 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Emmanuel Grumbach +Date: Fri, 31 Aug 2018 11:31:06 +0300 +Subject: mac80211: fix a race between restart and CSA flows + +From: Emmanuel Grumbach + +[ Upstream commit f3ffb6c3a28963657eb8b02a795d75f2ebbd5ef4 ] + +We hit a problem with iwlwifi that was caused by a bug in +mac80211. A bug in iwlwifi caused the firwmare to crash in +certain cases in channel switch. Because of that bug, +drv_pre_channel_switch would fail and trigger the restart +flow. +Now we had the hw restart worker which runs on the system's +workqueue and the csa_connection_drop_work worker that runs +on mac80211's workqueue that can run together. This is +obviously problematic since the restart work wants to +reconfigure the connection, while the csa_connection_drop_work +worker does the exact opposite: it tries to disconnect. + +Fix this by cancelling the csa_connection_drop_work worker +in the restart worker. + +Note that this can sound racy: we could have: + +driver iface_work CSA_work restart_work ++++++++++++++++++++++++++++++++++++++++++++++ + | + <--drv_cs ---| + +-CS FAILED--> + | | + | cancel_work(CSA) + schedule | + CSA work | + | | + Race between those 2 + +But this is not possible because we flush the workqueue +in the restart worker before we cancel the CSA worker. +That would be bullet proof if we could guarantee that +we schedule the CSA worker only from the iface_work +which runs on the workqueue (and not on the system's +workqueue), but unfortunately we do have an instance +in which we schedule the CSA work outside the context +of the workqueue (ieee80211_chswitch_done). + +Note also that we should probably cancel other workers +like beacon_connection_loss_work and possibly others +for different types of interfaces, at the very least, +IBSS should suffer from the exact same problem, but for +now, do the minimum to fix the actual bug that was actually +experienced and reproduced. + +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/main.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -255,8 +255,27 @@ static void ieee80211_restart_work(struc + + flush_work(&local->radar_detected_work); + rtnl_lock(); +- list_for_each_entry(sdata, &local->interfaces, list) ++ list_for_each_entry(sdata, &local->interfaces, list) { ++ /* ++ * XXX: there may be more work for other vif types and even ++ * for station mode: a good thing would be to run most of ++ * the iface type's dependent _stop (ieee80211_mg_stop, ++ * ieee80211_ibss_stop) etc... ++ * For now, fix only the specific bug that was seen: race ++ * between csa_connection_drop_work and us. ++ */ ++ if (sdata->vif.type == NL80211_IFTYPE_STATION) { ++ /* ++ * This worker is scheduled from the iface worker that ++ * runs on mac80211's workqueue, so we can't be ++ * scheduling this worker after the cancel right here. ++ * The exception is ieee80211_chswitch_done. ++ * Then we can have a race... ++ */ ++ cancel_work_sync(&sdata->u.mgd.csa_connection_drop_work); ++ } + flush_delayed_work(&sdata->dec_tailroom_needed_wk); ++ } + ieee80211_scan_cancel(local); + + /* make sure any new ROC will consider local->in_reconfig */ diff --git a/queue-4.14/mac80211-fix-an-off-by-one-issue-in-a-msdu-max_subframe-computation.patch b/queue-4.14/mac80211-fix-an-off-by-one-issue-in-a-msdu-max_subframe-computation.patch new file mode 100644 index 00000000000..3ec5f69c807 --- /dev/null +++ b/queue-4.14/mac80211-fix-an-off-by-one-issue-in-a-msdu-max_subframe-computation.patch @@ -0,0 +1,34 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Lorenzo Bianconi +Date: Fri, 31 Aug 2018 01:04:13 +0200 +Subject: mac80211: fix an off-by-one issue in A-MSDU max_subframe computation + +From: Lorenzo Bianconi + +[ Upstream commit 66eb02d839e8495ae6b612e2d09ff599374b80e2 ] + +Initialize 'n' to 2 in order to take into account also the first +packet in the estimation of max_subframe limit for a given A-MSDU +since frag_tail pointer is NULL when ieee80211_amsdu_aggregate +routine analyzes the second frame. + +Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/tx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3123,7 +3123,7 @@ static bool ieee80211_amsdu_aggregate(st + void *data; + bool ret = false; + unsigned int orig_len; +- int n = 1, nfrags, pad = 0; ++ int n = 2, nfrags, pad = 0; + u16 hdrlen; + + if (!ieee80211_hw_check(&local->hw, TX_AMSDU)) diff --git a/queue-4.14/mac80211-fix-station-bandwidth-setting-after-channel-switch.patch b/queue-4.14/mac80211-fix-station-bandwidth-setting-after-channel-switch.patch new file mode 100644 index 00000000000..527949f1887 --- /dev/null +++ b/queue-4.14/mac80211-fix-station-bandwidth-setting-after-channel-switch.patch @@ -0,0 +1,104 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Ilan Peer +Date: Fri, 31 Aug 2018 11:31:10 +0300 +Subject: mac80211: Fix station bandwidth setting after channel switch + +From: Ilan Peer + +[ Upstream commit 0007e94355fdb71a1cf5dba0754155cba08f0666 ] + +When performing a channel switch flow for a managed interface, the +flow did not update the bandwidth of the AP station and the rate +scale algorithm. In case of a channel width downgrade, this would +result with the rate scale algorithm using a bandwidth that does not +match the interface channel configuration. + +Fix this by updating the AP station bandwidth and rate scaling algorithm +before the actual channel change in case of a bandwidth downgrade, or +after the actual channel change in case of a bandwidth upgrade. + +Signed-off-by: Ilan Peer +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mlme.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 53 insertions(+) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -988,6 +988,10 @@ static void ieee80211_chswitch_work(stru + */ + + if (sdata->reserved_chanctx) { ++ struct ieee80211_supported_band *sband = NULL; ++ struct sta_info *mgd_sta = NULL; ++ enum ieee80211_sta_rx_bandwidth bw = IEEE80211_STA_RX_BW_20; ++ + /* + * with multi-vif csa driver may call ieee80211_csa_finish() + * many times while waiting for other interfaces to use their +@@ -996,6 +1000,48 @@ static void ieee80211_chswitch_work(stru + if (sdata->reserved_ready) + goto out; + ++ if (sdata->vif.bss_conf.chandef.width != ++ sdata->csa_chandef.width) { ++ /* ++ * For managed interface, we need to also update the AP ++ * station bandwidth and align the rate scale algorithm ++ * on the bandwidth change. Here we only consider the ++ * bandwidth of the new channel definition (as channel ++ * switch flow does not have the full HT/VHT/HE ++ * information), assuming that if additional changes are ++ * required they would be done as part of the processing ++ * of the next beacon from the AP. ++ */ ++ switch (sdata->csa_chandef.width) { ++ case NL80211_CHAN_WIDTH_20_NOHT: ++ case NL80211_CHAN_WIDTH_20: ++ default: ++ bw = IEEE80211_STA_RX_BW_20; ++ break; ++ case NL80211_CHAN_WIDTH_40: ++ bw = IEEE80211_STA_RX_BW_40; ++ break; ++ case NL80211_CHAN_WIDTH_80: ++ bw = IEEE80211_STA_RX_BW_80; ++ break; ++ case NL80211_CHAN_WIDTH_80P80: ++ case NL80211_CHAN_WIDTH_160: ++ bw = IEEE80211_STA_RX_BW_160; ++ break; ++ } ++ ++ mgd_sta = sta_info_get(sdata, ifmgd->bssid); ++ sband = ++ local->hw.wiphy->bands[sdata->csa_chandef.chan->band]; ++ } ++ ++ if (sdata->vif.bss_conf.chandef.width > ++ sdata->csa_chandef.width) { ++ mgd_sta->sta.bandwidth = bw; ++ rate_control_rate_update(local, sband, mgd_sta, ++ IEEE80211_RC_BW_CHANGED); ++ } ++ + ret = ieee80211_vif_use_reserved_context(sdata); + if (ret) { + sdata_info(sdata, +@@ -1006,6 +1052,13 @@ static void ieee80211_chswitch_work(stru + goto out; + } + ++ if (sdata->vif.bss_conf.chandef.width < ++ sdata->csa_chandef.width) { ++ mgd_sta->sta.bandwidth = bw; ++ rate_control_rate_update(local, sband, mgd_sta, ++ IEEE80211_RC_BW_CHANGED); ++ } ++ + goto out; + } + diff --git a/queue-4.14/mac80211-mesh-fix-hwmp-sequence-numbering-to-follow-standard.patch b/queue-4.14/mac80211-mesh-fix-hwmp-sequence-numbering-to-follow-standard.patch new file mode 100644 index 00000000000..d92e634dd0e --- /dev/null +++ b/queue-4.14/mac80211-mesh-fix-hwmp-sequence-numbering-to-follow-standard.patch @@ -0,0 +1,36 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Yuan-Chi Pang +Date: Wed, 29 Aug 2018 09:30:08 +0800 +Subject: mac80211: mesh: fix HWMP sequence numbering to follow standard + +From: Yuan-Chi Pang + +[ Upstream commit 1f631c3201fe5491808df143d8fcba81b3197ffd ] + +IEEE 802.11-2016 14.10.8.3 HWMP sequence numbering says: +If it is a target mesh STA, it shall update its own HWMP SN to +maximum (current HWMP SN, target HWMP SN in the PREQ element) + 1 +immediately before it generates a PREP element in response to a +PREQ element. + +Signed-off-by: Yuan-Chi Pang +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mesh_hwmp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/mac80211/mesh_hwmp.c ++++ b/net/mac80211/mesh_hwmp.c +@@ -572,6 +572,10 @@ static void hwmp_preq_frame_process(stru + forward = false; + reply = true; + target_metric = 0; ++ ++ if (SN_GT(target_sn, ifmsh->sn)) ++ ifmsh->sn = target_sn; ++ + if (time_after(jiffies, ifmsh->last_sn_update + + net_traversal_jiffies(sdata)) || + time_before(jiffies, ifmsh->last_sn_update)) { diff --git a/queue-4.14/mac80211-run-txq-teardown-code-before-de-registering-interfaces.patch b/queue-4.14/mac80211-run-txq-teardown-code-before-de-registering-interfaces.patch new file mode 100644 index 00000000000..d96dc67ed05 --- /dev/null +++ b/queue-4.14/mac80211-run-txq-teardown-code-before-de-registering-interfaces.patch @@ -0,0 +1,43 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: "Toke Høiland-Jørgensen" +Date: Mon, 13 Aug 2018 14:16:25 +0200 +Subject: mac80211: Run TXQ teardown code before de-registering interfaces + +From: "Toke Høiland-Jørgensen" + +[ Upstream commit 77cfaf52eca5cac30ed029507e0cab065f888995 ] + +The TXQ teardown code can reference the vif data structures that are +stored in the netdev private memory area if there are still packets on +the queue when it is being freed. Since the TXQ teardown code is run +after the netdevs are freed, this can lead to a use-after-free. Fix this +by moving the TXQ teardown code to earlier in ieee80211_unregister_hw(). + +Reported-by: Ben Greear +Tested-by: Ben Greear +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -1171,6 +1171,7 @@ void ieee80211_unregister_hw(struct ieee + #if IS_ENABLED(CONFIG_IPV6) + unregister_inet6addr_notifier(&local->ifa6_notifier); + #endif ++ ieee80211_txq_teardown_flows(local); + + rtnl_lock(); + +@@ -1199,7 +1200,6 @@ void ieee80211_unregister_hw(struct ieee + skb_queue_purge(&local->skb_queue); + skb_queue_purge(&local->skb_queue_unreliable); + skb_queue_purge(&local->skb_queue_tdls_chsw); +- ieee80211_txq_teardown_flows(local); + + destroy_workqueue(local->workqueue); + wiphy_unregister(local->hw.wiphy); diff --git a/queue-4.14/mac80211-shorten-the-ibss-debug-messages.patch b/queue-4.14/mac80211-shorten-the-ibss-debug-messages.patch new file mode 100644 index 00000000000..e023c4b4514 --- /dev/null +++ b/queue-4.14/mac80211-shorten-the-ibss-debug-messages.patch @@ -0,0 +1,83 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Emmanuel Grumbach +Date: Fri, 31 Aug 2018 11:31:13 +0300 +Subject: mac80211: shorten the IBSS debug messages + +From: Emmanuel Grumbach + +[ Upstream commit c6e57b3896fc76299913b8cfd82d853bee8a2c84 ] + +When tracing is enabled, all the debug messages are recorded and must +not exceed MAX_MSG_LEN (100) columns. Longer debug messages grant the +user with: + +WARNING: CPU: 3 PID: 32642 at /tmp/wifi-core-20180806094828/src/iwlwifi-stack-dev/net/mac80211/./trace_msg.h:32 trace_event_raw_event_mac80211_msg_event+0xab/0xc0 [mac80211] +Workqueue: phy1 ieee80211_iface_work [mac80211] + RIP: 0010:trace_event_raw_event_mac80211_msg_event+0xab/0xc0 [mac80211] + Call Trace: + __sdata_dbg+0xbd/0x120 [mac80211] + ieee80211_ibss_rx_queued_mgmt+0x15f/0x510 [mac80211] + ieee80211_iface_work+0x21d/0x320 [mac80211] + +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/ibss.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- a/net/mac80211/ibss.c ++++ b/net/mac80211/ibss.c +@@ -947,8 +947,8 @@ static void ieee80211_rx_mgmt_deauth_ibs + if (len < IEEE80211_DEAUTH_FRAME_LEN) + return; + +- ibss_dbg(sdata, "RX DeAuth SA=%pM DA=%pM BSSID=%pM (reason: %d)\n", +- mgmt->sa, mgmt->da, mgmt->bssid, reason); ++ ibss_dbg(sdata, "RX DeAuth SA=%pM DA=%pM\n", mgmt->sa, mgmt->da); ++ ibss_dbg(sdata, "\tBSSID=%pM (reason: %d)\n", mgmt->bssid, reason); + sta_info_destroy_addr(sdata, mgmt->sa); + } + +@@ -966,9 +966,9 @@ static void ieee80211_rx_mgmt_auth_ibss( + auth_alg = le16_to_cpu(mgmt->u.auth.auth_alg); + auth_transaction = le16_to_cpu(mgmt->u.auth.auth_transaction); + +- ibss_dbg(sdata, +- "RX Auth SA=%pM DA=%pM BSSID=%pM (auth_transaction=%d)\n", +- mgmt->sa, mgmt->da, mgmt->bssid, auth_transaction); ++ ibss_dbg(sdata, "RX Auth SA=%pM DA=%pM\n", mgmt->sa, mgmt->da); ++ ibss_dbg(sdata, "\tBSSID=%pM (auth_transaction=%d)\n", ++ mgmt->bssid, auth_transaction); + + if (auth_alg != WLAN_AUTH_OPEN || auth_transaction != 1) + return; +@@ -1175,10 +1175,10 @@ static void ieee80211_rx_bss_info(struct + rx_timestamp = drv_get_tsf(local, sdata); + } + +- ibss_dbg(sdata, +- "RX beacon SA=%pM BSSID=%pM TSF=0x%llx BCN=0x%llx diff=%lld @%lu\n", ++ ibss_dbg(sdata, "RX beacon SA=%pM BSSID=%pM TSF=0x%llx\n", + mgmt->sa, mgmt->bssid, +- (unsigned long long)rx_timestamp, ++ (unsigned long long)rx_timestamp); ++ ibss_dbg(sdata, "\tBCN=0x%llx diff=%lld @%lu\n", + (unsigned long long)beacon_timestamp, + (unsigned long long)(rx_timestamp - beacon_timestamp), + jiffies); +@@ -1537,9 +1537,9 @@ static void ieee80211_rx_mgmt_probe_req( + + tx_last_beacon = drv_tx_last_beacon(local); + +- ibss_dbg(sdata, +- "RX ProbeReq SA=%pM DA=%pM BSSID=%pM (tx_last_beacon=%d)\n", +- mgmt->sa, mgmt->da, mgmt->bssid, tx_last_beacon); ++ ibss_dbg(sdata, "RX ProbeReq SA=%pM DA=%pM\n", mgmt->sa, mgmt->da); ++ ibss_dbg(sdata, "\tBSSID=%pM (tx_last_beacon=%d)\n", ++ mgmt->bssid, tx_last_beacon); + + if (!tx_last_beacon && is_multicast_ether_addr(mgmt->da)) + return; diff --git a/queue-4.14/mac80211_hwsim-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch b/queue-4.14/mac80211_hwsim-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch new file mode 100644 index 00000000000..4d4c2db0d9d --- /dev/null +++ b/queue-4.14/mac80211_hwsim-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Danek Duvall +Date: Wed, 22 Aug 2018 16:01:05 -0700 +Subject: mac80211_hwsim: correct use of IEEE80211_VHT_CAP_RXSTBC_X + +From: Danek Duvall + +[ Upstream commit d7c863a2f65e48f442379f4ee1846d52e0c5d24d ] + +The mac80211_hwsim driver intends to say that it supports up to four +STBC receive streams, but instead it ends up saying something undefined. +The IEEE80211_VHT_CAP_RXSTBC_X macros aren't independent bits that can +be ORed together, but values. In this case, _4 is the appropriate one +to use. + +Signed-off-by: Danek Duvall +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mac80211_hwsim.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -2632,9 +2632,6 @@ static int mac80211_hwsim_new_radio(stru + IEEE80211_VHT_CAP_SHORT_GI_80 | + IEEE80211_VHT_CAP_SHORT_GI_160 | + IEEE80211_VHT_CAP_TXSTBC | +- IEEE80211_VHT_CAP_RXSTBC_1 | +- IEEE80211_VHT_CAP_RXSTBC_2 | +- IEEE80211_VHT_CAP_RXSTBC_3 | + IEEE80211_VHT_CAP_RXSTBC_4 | + IEEE80211_VHT_CAP_MAX_A_MPDU_LENGTH_EXPONENT_MASK; + sband->vht_cap.vht_mcs.rx_mcs_map = diff --git a/queue-4.14/mac80211_hwsim-require-at-least-one-channel.patch b/queue-4.14/mac80211_hwsim-require-at-least-one-channel.patch new file mode 100644 index 00000000000..2d870b615d4 --- /dev/null +++ b/queue-4.14/mac80211_hwsim-require-at-least-one-channel.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Johannes Berg +Date: Wed, 15 Aug 2018 18:17:03 +0200 +Subject: mac80211_hwsim: require at least one channel + +From: Johannes Berg + +[ Upstream commit 484004339d4514fde425f6e8a9f6a6cc979bb0c3 ] + +Syzbot continues to try to create mac80211_hwsim radios, and +manages to pass parameters that are later checked with WARN_ON +in cfg80211 - catch another one in hwsim directly. + +Reported-by: syzbot+2a12f11c306afe871c1f@syzkaller.appspotmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mac80211_hwsim.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -3124,6 +3124,11 @@ static int hwsim_new_radio_nl(struct sk_ + if (info->attrs[HWSIM_ATTR_CHANNELS]) + param.channels = nla_get_u32(info->attrs[HWSIM_ATTR_CHANNELS]); + ++ if (param.channels < 1) { ++ GENL_SET_ERR_MSG(info, "must have at least one channel"); ++ return -EINVAL; ++ } ++ + if (param.channels > CFG80211_MAX_NUM_DIFFERENT_CHANNELS) { + GENL_SET_ERR_MSG(info, "too many channels specified"); + return -EINVAL; diff --git a/queue-4.14/md-raid5-cache-disable-reshape-completely.patch b/queue-4.14/md-raid5-cache-disable-reshape-completely.patch new file mode 100644 index 00000000000..2364f7e8000 --- /dev/null +++ b/queue-4.14/md-raid5-cache-disable-reshape-completely.patch @@ -0,0 +1,68 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Shaohua Li +Date: Wed, 29 Aug 2018 11:05:42 -0700 +Subject: md/raid5-cache: disable reshape completely + +From: Shaohua Li + +[ Upstream commit e254de6bcf3f5b6e78a92ac95fb91acef8adfe1a ] + +We don't support reshape yet if an array supports log device. Previously we +determine the fact by checking ->log. However, ->log could be NULL after a log +device is removed, but the array is still marked to support log device. Don't +allow reshape in this case too. User can disable log device support by setting +'consistency_policy' to 'resync' then do reshape. + +Reported-by: Xiao Ni +Tested-by: Xiao Ni +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid5-log.h | 5 +++++ + drivers/md/raid5.c | 6 +++--- + 2 files changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/md/raid5-log.h ++++ b/drivers/md/raid5-log.h +@@ -43,6 +43,11 @@ extern void ppl_write_stripe_run(struct + extern void ppl_stripe_write_finished(struct stripe_head *sh); + extern int ppl_modify_log(struct r5conf *conf, struct md_rdev *rdev, bool add); + ++static inline bool raid5_has_log(struct r5conf *conf) ++{ ++ return test_bit(MD_HAS_JOURNAL, &conf->mddev->flags); ++} ++ + static inline bool raid5_has_ppl(struct r5conf *conf) + { + return test_bit(MD_HAS_PPL, &conf->mddev->flags); +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -736,7 +736,7 @@ static bool stripe_can_batch(struct stri + { + struct r5conf *conf = sh->raid_conf; + +- if (conf->log || raid5_has_ppl(conf)) ++ if (raid5_has_log(conf) || raid5_has_ppl(conf)) + return false; + return test_bit(STRIPE_BATCH_READY, &sh->state) && + !test_bit(STRIPE_BITMAP_PENDING, &sh->state) && +@@ -7717,7 +7717,7 @@ static int raid5_resize(struct mddev *md + sector_t newsize; + struct r5conf *conf = mddev->private; + +- if (conf->log || raid5_has_ppl(conf)) ++ if (raid5_has_log(conf) || raid5_has_ppl(conf)) + return -EINVAL; + sectors &= ~((sector_t)conf->chunk_sectors - 1); + newsize = raid5_size(mddev, sectors, mddev->raid_disks); +@@ -7768,7 +7768,7 @@ static int check_reshape(struct mddev *m + { + struct r5conf *conf = mddev->private; + +- if (conf->log || raid5_has_ppl(conf)) ++ if (raid5_has_log(conf) || raid5_has_ppl(conf)) + return -EINVAL; + if (mddev->delta_disks == 0 && + mddev->new_layout == mddev->layout && diff --git a/queue-4.14/net-cadence-fix-a-sleep-in-atomic-context-bug-in-macb_halt_tx.patch b/queue-4.14/net-cadence-fix-a-sleep-in-atomic-context-bug-in-macb_halt_tx.patch new file mode 100644 index 00000000000..3324069dbfd --- /dev/null +++ b/queue-4.14/net-cadence-fix-a-sleep-in-atomic-context-bug-in-macb_halt_tx.patch @@ -0,0 +1,44 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Jia-Ju Bai +Date: Sat, 1 Sep 2018 20:11:05 +0800 +Subject: net: cadence: Fix a sleep-in-atomic-context bug in macb_halt_tx() + +From: Jia-Ju Bai + +[ Upstream commit 16fe10cf92783ed9ceb182d6ea2b8adf5e8ec1b8 ] + +The kernel module may sleep with holding a spinlock. + +The function call paths (from bottom to top) in Linux-4.16 are: + +[FUNC] usleep_range +drivers/net/ethernet/cadence/macb_main.c, 648: + usleep_range in macb_halt_tx +drivers/net/ethernet/cadence/macb_main.c, 730: + macb_halt_tx in macb_tx_error_task +drivers/net/ethernet/cadence/macb_main.c, 721: + _raw_spin_lock_irqsave in macb_tx_error_task + +To fix this bug, usleep_range() is replaced with udelay(). + +This bug is found by my static analysis tool DSAC. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cadence/macb_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -642,7 +642,7 @@ static int macb_halt_tx(struct macb *bp) + if (!(status & MACB_BIT(TGO))) + return 0; + +- usleep_range(10, 250); ++ udelay(250); + } while (time_before(halt_time, timeout)); + + return -ETIMEDOUT; diff --git a/queue-4.14/net-ethernet-cpsw-phy-sel-prefer-phandle-for-phy-sel.patch b/queue-4.14/net-ethernet-cpsw-phy-sel-prefer-phandle-for-phy-sel.patch new file mode 100644 index 00000000000..0391dfc3f74 --- /dev/null +++ b/queue-4.14/net-ethernet-cpsw-phy-sel-prefer-phandle-for-phy-sel.patch @@ -0,0 +1,63 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Tony Lindgren +Date: Wed, 29 Aug 2018 08:00:24 -0700 +Subject: net: ethernet: cpsw-phy-sel: prefer phandle for phy sel + +From: Tony Lindgren + +[ Upstream commit 18eb8aea7fb2fb4490e578b1b8a1096c34b2fc48 ] + +The cpsw-phy-sel device is not a child of the cpsw interconnect target +module. It lives in the system control module. + +Let's fix this issue by trying to use cpsw-phy-sel phandle first if it +exists and if not fall back to current usage of trying to find the +cpsw-phy-sel child. That way the phy sel driver can be a child of the +system control module where it belongs in the device tree. + +Without this fix, we cannot have a proper interconnect target module +hierarchy in device tree for things like genpd. + +Note that deferred probe is mostly not supported by cpsw and this patch +does not attempt to fix that. In case deferred probe support is needed, +this could be added to cpsw_slave_open() and phy_connect() so they start +handling and returning errors. + +For documenting it, looks like the cpsw-phy-sel is used for all cpsw device +tree nodes. It's missing the related binding documentation, so let's also +update the binding documentation accordingly. + +Cc: devicetree@vger.kernel.org +Cc: Andrew Lunn +Cc: Grygorii Strashko +Cc: Ivan Khoronzhuk +Cc: Mark Rutland +Cc: Murali Karicheri +Cc: Rob Herring +Signed-off-by: Tony Lindgren +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/cpsw-phy-sel.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/ti/cpsw-phy-sel.c ++++ b/drivers/net/ethernet/ti/cpsw-phy-sel.c +@@ -170,10 +170,13 @@ void cpsw_phy_sel(struct device *dev, ph + struct device_node *node; + struct cpsw_phy_sel_priv *priv; + +- node = of_get_child_by_name(dev->of_node, "cpsw-phy-sel"); ++ node = of_parse_phandle(dev->of_node, "cpsw-phy-sel", 0); + if (!node) { +- dev_err(dev, "Phy mode driver DT not found\n"); +- return; ++ node = of_get_child_by_name(dev->of_node, "cpsw-phy-sel"); ++ if (!node) { ++ dev_err(dev, "Phy mode driver DT not found\n"); ++ return; ++ } + } + + dev = bus_find_device(&platform_bus_type, NULL, node, match); diff --git a/queue-4.14/net-hns-add-netif_carrier_off-before-change-speed-and-duplex.patch b/queue-4.14/net-hns-add-netif_carrier_off-before-change-speed-and-duplex.patch new file mode 100644 index 00000000000..59e41e7a034 --- /dev/null +++ b/queue-4.14/net-hns-add-netif_carrier_off-before-change-speed-and-duplex.patch @@ -0,0 +1,36 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Peng Li +Date: Mon, 27 Aug 2018 09:59:30 +0800 +Subject: net: hns: add netif_carrier_off before change speed and duplex + +From: Peng Li + +[ Upstream commit 455c4401fe7a538facaffb35b906ce19f1ece474 ] + +If there are packets in hardware when changing the speed +or duplex, it may cause hardware hang up. + +This patch adds netif_carrier_off before change speed and +duplex in ethtool_ops.set_link_ksettings, and adds +netif_carrier_on after complete the change. + +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns/hns_ethtool.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c +@@ -243,7 +243,9 @@ static int hns_nic_set_link_ksettings(st + } + + if (h->dev->ops->adjust_link) { ++ netif_carrier_off(net_dev); + h->dev->ops->adjust_link(h, (int)speed, cmd->base.duplex); ++ netif_carrier_on(net_dev); + return 0; + } + diff --git a/queue-4.14/net-hns-add-the-code-for-cleaning-pkt-in-chip.patch b/queue-4.14/net-hns-add-the-code-for-cleaning-pkt-in-chip.patch new file mode 100644 index 00000000000..23065519c8f --- /dev/null +++ b/queue-4.14/net-hns-add-the-code-for-cleaning-pkt-in-chip.patch @@ -0,0 +1,500 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Peng Li +Date: Mon, 27 Aug 2018 09:59:29 +0800 +Subject: net: hns: add the code for cleaning pkt in chip + +From: Peng Li + +[ Upstream commit 31fabbee8f5c658c3fa1603c66e9e4f51ea8c2c6 ] + +If there are packets in hardware when changing the speed +or duplex, it may cause hardware hang up. + +This patch adds the code for waiting chip to clean the all +pkts(TX & RX) in chip when the driver uses the function named +"adjust link". + +This patch cleans the pkts as follows: +1) close rx of chip, close tx of protocol stack. +2) wait rcb, ppe, mac to clean. +3) adjust link +4) open rx of chip, open tx of protocol stack. + +Signed-off-by: Peng Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns/hnae.h | 2 + drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c | 67 ++++++++++++++++++++- + drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c | 36 +++++++++++ + drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c | 44 +++++++++++++ + drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.h | 8 ++ + drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c | 29 +++++++++ + drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.h | 3 + drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c | 23 +++++++ + drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.h | 1 + drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c | 23 +++++++ + drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.h | 1 + drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h | 1 + drivers/net/ethernet/hisilicon/hns/hns_enet.c | 21 +++++- + 13 files changed, 255 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/hisilicon/hns/hnae.h ++++ b/drivers/net/ethernet/hisilicon/hns/hnae.h +@@ -486,6 +486,8 @@ struct hnae_ae_ops { + u8 *auto_neg, u16 *speed, u8 *duplex); + void (*toggle_ring_irq)(struct hnae_ring *ring, u32 val); + void (*adjust_link)(struct hnae_handle *handle, int speed, int duplex); ++ bool (*need_adjust_link)(struct hnae_handle *handle, ++ int speed, int duplex); + int (*set_loopback)(struct hnae_handle *handle, + enum hnae_loop loop_mode, int en); + void (*get_ring_bdnum_limit)(struct hnae_queue *queue, +--- a/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c +@@ -155,6 +155,41 @@ static void hns_ae_put_handle(struct hna + hns_ae_get_ring_pair(handle->qs[i])->used_by_vf = 0; + } + ++static int hns_ae_wait_flow_down(struct hnae_handle *handle) ++{ ++ struct dsaf_device *dsaf_dev; ++ struct hns_ppe_cb *ppe_cb; ++ struct hnae_vf_cb *vf_cb; ++ int ret; ++ int i; ++ ++ for (i = 0; i < handle->q_num; i++) { ++ ret = hns_rcb_wait_tx_ring_clean(handle->qs[i]); ++ if (ret) ++ return ret; ++ } ++ ++ ppe_cb = hns_get_ppe_cb(handle); ++ ret = hns_ppe_wait_tx_fifo_clean(ppe_cb); ++ if (ret) ++ return ret; ++ ++ dsaf_dev = hns_ae_get_dsaf_dev(handle->dev); ++ if (!dsaf_dev) ++ return -EINVAL; ++ ret = hns_dsaf_wait_pkt_clean(dsaf_dev, handle->dport_id); ++ if (ret) ++ return ret; ++ ++ vf_cb = hns_ae_get_vf_cb(handle); ++ ret = hns_mac_wait_fifo_clean(vf_cb->mac_cb); ++ if (ret) ++ return ret; ++ ++ mdelay(10); ++ return 0; ++} ++ + static void hns_ae_ring_enable_all(struct hnae_handle *handle, int val) + { + int q_num = handle->q_num; +@@ -399,12 +434,41 @@ static int hns_ae_get_mac_info(struct hn + return hns_mac_get_port_info(mac_cb, auto_neg, speed, duplex); + } + ++static bool hns_ae_need_adjust_link(struct hnae_handle *handle, int speed, ++ int duplex) ++{ ++ struct hns_mac_cb *mac_cb = hns_get_mac_cb(handle); ++ ++ return hns_mac_need_adjust_link(mac_cb, speed, duplex); ++} ++ + static void hns_ae_adjust_link(struct hnae_handle *handle, int speed, + int duplex) + { + struct hns_mac_cb *mac_cb = hns_get_mac_cb(handle); + +- hns_mac_adjust_link(mac_cb, speed, duplex); ++ switch (mac_cb->dsaf_dev->dsaf_ver) { ++ case AE_VERSION_1: ++ hns_mac_adjust_link(mac_cb, speed, duplex); ++ break; ++ ++ case AE_VERSION_2: ++ /* chip need to clear all pkt inside */ ++ hns_mac_disable(mac_cb, MAC_COMM_MODE_RX); ++ if (hns_ae_wait_flow_down(handle)) { ++ hns_mac_enable(mac_cb, MAC_COMM_MODE_RX); ++ break; ++ } ++ ++ hns_mac_adjust_link(mac_cb, speed, duplex); ++ hns_mac_enable(mac_cb, MAC_COMM_MODE_RX); ++ break; ++ ++ default: ++ break; ++ } ++ ++ return; + } + + static void hns_ae_get_ring_bdnum_limit(struct hnae_queue *queue, +@@ -902,6 +966,7 @@ static struct hnae_ae_ops hns_dsaf_ops = + .get_status = hns_ae_get_link_status, + .get_info = hns_ae_get_mac_info, + .adjust_link = hns_ae_adjust_link, ++ .need_adjust_link = hns_ae_need_adjust_link, + .set_loopback = hns_ae_config_loopback, + .get_ring_bdnum_limit = hns_ae_get_ring_bdnum_limit, + .get_pauseparam = hns_ae_get_pauseparam, +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c +@@ -257,6 +257,16 @@ static void hns_gmac_get_pausefrm_cfg(vo + *tx_pause_en = dsaf_get_bit(pause_en, GMAC_PAUSE_EN_TX_FDFC_B); + } + ++static bool hns_gmac_need_adjust_link(void *mac_drv, enum mac_speed speed, ++ int duplex) ++{ ++ struct mac_driver *drv = (struct mac_driver *)mac_drv; ++ struct hns_mac_cb *mac_cb = drv->mac_cb; ++ ++ return (mac_cb->speed != speed) || ++ (mac_cb->half_duplex == duplex); ++} ++ + static int hns_gmac_adjust_link(void *mac_drv, enum mac_speed speed, + u32 full_duplex) + { +@@ -309,6 +319,30 @@ static void hns_gmac_set_promisc(void *m + hns_gmac_set_uc_match(mac_drv, en); + } + ++int hns_gmac_wait_fifo_clean(void *mac_drv) ++{ ++ struct mac_driver *drv = (struct mac_driver *)mac_drv; ++ int wait_cnt; ++ u32 val; ++ ++ wait_cnt = 0; ++ while (wait_cnt++ < HNS_MAX_WAIT_CNT) { ++ val = dsaf_read_dev(drv, GMAC_FIFO_STATE_REG); ++ /* bit5~bit0 is not send complete pkts */ ++ if ((val & 0x3f) == 0) ++ break; ++ usleep_range(100, 200); ++ } ++ ++ if (wait_cnt >= HNS_MAX_WAIT_CNT) { ++ dev_err(drv->dev, ++ "hns ge %d fifo was not idle.\n", drv->mac_id); ++ return -EBUSY; ++ } ++ ++ return 0; ++} ++ + static void hns_gmac_init(void *mac_drv) + { + u32 port; +@@ -690,6 +724,7 @@ void *hns_gmac_config(struct hns_mac_cb + mac_drv->mac_disable = hns_gmac_disable; + mac_drv->mac_free = hns_gmac_free; + mac_drv->adjust_link = hns_gmac_adjust_link; ++ mac_drv->need_adjust_link = hns_gmac_need_adjust_link; + mac_drv->set_tx_auto_pause_frames = hns_gmac_set_tx_auto_pause_frames; + mac_drv->config_max_frame_length = hns_gmac_config_max_frame_length; + mac_drv->mac_pausefrm_cfg = hns_gmac_pause_frm_cfg; +@@ -717,6 +752,7 @@ void *hns_gmac_config(struct hns_mac_cb + mac_drv->get_strings = hns_gmac_get_strings; + mac_drv->update_stats = hns_gmac_update_stats; + mac_drv->set_promiscuous = hns_gmac_set_promisc; ++ mac_drv->wait_fifo_clean = hns_gmac_wait_fifo_clean; + + return (void *)mac_drv; + } +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c +@@ -114,6 +114,26 @@ int hns_mac_get_port_info(struct hns_mac + return 0; + } + ++/** ++ *hns_mac_is_adjust_link - check is need change mac speed and duplex register ++ *@mac_cb: mac device ++ *@speed: phy device speed ++ *@duplex:phy device duplex ++ * ++ */ ++bool hns_mac_need_adjust_link(struct hns_mac_cb *mac_cb, int speed, int duplex) ++{ ++ struct mac_driver *mac_ctrl_drv; ++ ++ mac_ctrl_drv = (struct mac_driver *)(mac_cb->priv.mac); ++ ++ if (mac_ctrl_drv->need_adjust_link) ++ return mac_ctrl_drv->need_adjust_link(mac_ctrl_drv, ++ (enum mac_speed)speed, duplex); ++ else ++ return true; ++} ++ + void hns_mac_adjust_link(struct hns_mac_cb *mac_cb, int speed, int duplex) + { + int ret; +@@ -432,6 +452,16 @@ int hns_mac_vm_config_bc_en(struct hns_m + return 0; + } + ++int hns_mac_wait_fifo_clean(struct hns_mac_cb *mac_cb) ++{ ++ struct mac_driver *drv = hns_mac_get_drv(mac_cb); ++ ++ if (drv->wait_fifo_clean) ++ return drv->wait_fifo_clean(drv); ++ ++ return 0; ++} ++ + void hns_mac_reset(struct hns_mac_cb *mac_cb) + { + struct mac_driver *drv = hns_mac_get_drv(mac_cb); +@@ -1001,6 +1031,20 @@ static int hns_mac_get_max_port_num(stru + return DSAF_MAX_PORT_NUM; + } + ++void hns_mac_enable(struct hns_mac_cb *mac_cb, enum mac_commom_mode mode) ++{ ++ struct mac_driver *mac_ctrl_drv = hns_mac_get_drv(mac_cb); ++ ++ mac_ctrl_drv->mac_enable(mac_cb->priv.mac, mode); ++} ++ ++void hns_mac_disable(struct hns_mac_cb *mac_cb, enum mac_commom_mode mode) ++{ ++ struct mac_driver *mac_ctrl_drv = hns_mac_get_drv(mac_cb); ++ ++ mac_ctrl_drv->mac_disable(mac_cb->priv.mac, mode); ++} ++ + /** + * hns_mac_init - init mac + * @dsaf_dev: dsa fabric device struct pointer +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.h ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.h +@@ -356,6 +356,9 @@ struct mac_driver { + /*adjust mac mode of port,include speed and duplex*/ + int (*adjust_link)(void *mac_drv, enum mac_speed speed, + u32 full_duplex); ++ /* need adjust link */ ++ bool (*need_adjust_link)(void *mac_drv, enum mac_speed speed, ++ int duplex); + /* config autoegotaite mode of port*/ + void (*set_an_mode)(void *mac_drv, u8 enable); + /* config loopbank mode */ +@@ -394,6 +397,7 @@ struct mac_driver { + void (*get_info)(void *mac_drv, struct mac_info *mac_info); + + void (*update_stats)(void *mac_drv); ++ int (*wait_fifo_clean)(void *mac_drv); + + enum mac_mode mac_mode; + u8 mac_id; +@@ -427,6 +431,7 @@ void *hns_xgmac_config(struct hns_mac_cb + + int hns_mac_init(struct dsaf_device *dsaf_dev); + void mac_adjust_link(struct net_device *net_dev); ++bool hns_mac_need_adjust_link(struct hns_mac_cb *mac_cb, int speed, int duplex); + void hns_mac_get_link_status(struct hns_mac_cb *mac_cb, u32 *link_status); + int hns_mac_change_vf_addr(struct hns_mac_cb *mac_cb, u32 vmid, char *addr); + int hns_mac_set_multi(struct hns_mac_cb *mac_cb, +@@ -463,5 +468,8 @@ int hns_mac_add_uc_addr(struct hns_mac_c + int hns_mac_rm_uc_addr(struct hns_mac_cb *mac_cb, u8 vf_id, + const unsigned char *addr); + int hns_mac_clr_multicast(struct hns_mac_cb *mac_cb, int vfn); ++void hns_mac_enable(struct hns_mac_cb *mac_cb, enum mac_commom_mode mode); ++void hns_mac_disable(struct hns_mac_cb *mac_cb, enum mac_commom_mode mode); ++int hns_mac_wait_fifo_clean(struct hns_mac_cb *mac_cb); + + #endif /* _HNS_DSAF_MAC_H */ +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c +@@ -2720,6 +2720,35 @@ void hns_dsaf_set_promisc_tcam(struct ds + soft_mac_entry->index = enable ? entry_index : DSAF_INVALID_ENTRY_IDX; + } + ++int hns_dsaf_wait_pkt_clean(struct dsaf_device *dsaf_dev, int port) ++{ ++ u32 val, val_tmp; ++ int wait_cnt; ++ ++ if (port >= DSAF_SERVICE_NW_NUM) ++ return 0; ++ ++ wait_cnt = 0; ++ while (wait_cnt++ < HNS_MAX_WAIT_CNT) { ++ val = dsaf_read_dev(dsaf_dev, DSAF_VOQ_IN_PKT_NUM_0_REG + ++ (port + DSAF_XGE_NUM) * 0x40); ++ val_tmp = dsaf_read_dev(dsaf_dev, DSAF_VOQ_OUT_PKT_NUM_0_REG + ++ (port + DSAF_XGE_NUM) * 0x40); ++ if (val == val_tmp) ++ break; ++ ++ usleep_range(100, 200); ++ } ++ ++ if (wait_cnt >= HNS_MAX_WAIT_CNT) { ++ dev_err(dsaf_dev->dev, "hns dsaf clean wait timeout(%u - %u).\n", ++ val, val_tmp); ++ return -EBUSY; ++ } ++ ++ return 0; ++} ++ + /** + * dsaf_probe - probo dsaf dev + * @pdev: dasf platform device +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.h ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.h +@@ -44,6 +44,8 @@ struct hns_mac_cb; + #define DSAF_ROCE_CREDIT_CHN 8 + #define DSAF_ROCE_CHAN_MODE 3 + ++#define HNS_MAX_WAIT_CNT 10000 ++ + enum dsaf_roce_port_mode { + DSAF_ROCE_6PORT_MODE, + DSAF_ROCE_4PORT_MODE, +@@ -463,5 +465,6 @@ int hns_dsaf_rm_mac_addr( + + int hns_dsaf_clr_mac_mc_port(struct dsaf_device *dsaf_dev, + u8 mac_id, u8 port_num); ++int hns_dsaf_wait_pkt_clean(struct dsaf_device *dsaf_dev, int port); + + #endif /* __HNS_DSAF_MAIN_H__ */ +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c +@@ -274,6 +274,29 @@ static void hns_ppe_exc_irq_en(struct hn + dsaf_write_dev(ppe_cb, PPE_INTEN_REG, msk_vlue & vld_msk); + } + ++int hns_ppe_wait_tx_fifo_clean(struct hns_ppe_cb *ppe_cb) ++{ ++ int wait_cnt; ++ u32 val; ++ ++ wait_cnt = 0; ++ while (wait_cnt++ < HNS_MAX_WAIT_CNT) { ++ val = dsaf_read_dev(ppe_cb, PPE_CURR_TX_FIFO0_REG) & 0x3ffU; ++ if (!val) ++ break; ++ ++ usleep_range(100, 200); ++ } ++ ++ if (wait_cnt >= HNS_MAX_WAIT_CNT) { ++ dev_err(ppe_cb->dev, "hns ppe tx fifo clean wait timeout, still has %u pkt.\n", ++ val); ++ return -EBUSY; ++ } ++ ++ return 0; ++} ++ + /** + * ppe_init_hw - init ppe + * @ppe_cb: ppe device +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.h ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.h +@@ -100,6 +100,7 @@ struct ppe_common_cb { + + }; + ++int hns_ppe_wait_tx_fifo_clean(struct hns_ppe_cb *ppe_cb); + int hns_ppe_init(struct dsaf_device *dsaf_dev); + + void hns_ppe_uninit(struct dsaf_device *dsaf_dev); +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c +@@ -66,6 +66,29 @@ void hns_rcb_wait_fbd_clean(struct hnae_ + "queue(%d) wait fbd(%d) clean fail!!\n", i, fbd_num); + } + ++int hns_rcb_wait_tx_ring_clean(struct hnae_queue *qs) ++{ ++ u32 head, tail; ++ int wait_cnt; ++ ++ tail = dsaf_read_dev(&qs->tx_ring, RCB_REG_TAIL); ++ wait_cnt = 0; ++ while (wait_cnt++ < HNS_MAX_WAIT_CNT) { ++ head = dsaf_read_dev(&qs->tx_ring, RCB_REG_HEAD); ++ if (tail == head) ++ break; ++ ++ usleep_range(100, 200); ++ } ++ ++ if (wait_cnt >= HNS_MAX_WAIT_CNT) { ++ dev_err(qs->dev->dev, "rcb wait timeout, head not equal to tail.\n"); ++ return -EBUSY; ++ } ++ ++ return 0; ++} ++ + /** + *hns_rcb_reset_ring_hw - ring reset + *@q: ring struct pointer +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.h ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.h +@@ -136,6 +136,7 @@ void hns_rcbv2_int_clr_hw(struct hnae_qu + void hns_rcb_init_hw(struct ring_pair_cb *ring); + void hns_rcb_reset_ring_hw(struct hnae_queue *q); + void hns_rcb_wait_fbd_clean(struct hnae_queue **qs, int q_num, u32 flag); ++int hns_rcb_wait_tx_ring_clean(struct hnae_queue *qs); + u32 hns_rcb_get_rx_coalesced_frames( + struct rcb_common_cb *rcb_common, u32 port_idx); + u32 hns_rcb_get_tx_coalesced_frames( +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_reg.h +@@ -464,6 +464,7 @@ + #define RCB_RING_INTMSK_TX_OVERTIME_REG 0x000C4 + #define RCB_RING_INTSTS_TX_OVERTIME_REG 0x000C8 + ++#define GMAC_FIFO_STATE_REG 0x0000UL + #define GMAC_DUPLEX_TYPE_REG 0x0008UL + #define GMAC_FD_FC_TYPE_REG 0x000CUL + #define GMAC_TX_WATER_LINE_REG 0x0010UL +--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +@@ -1212,11 +1212,26 @@ static void hns_nic_adjust_link(struct n + struct hnae_handle *h = priv->ae_handle; + int state = 1; + ++ /* If there is no phy, do not need adjust link */ + if (ndev->phydev) { +- h->dev->ops->adjust_link(h, ndev->phydev->speed, +- ndev->phydev->duplex); +- state = ndev->phydev->link; ++ /* When phy link down, do nothing */ ++ if (ndev->phydev->link == 0) ++ return; ++ ++ if (h->dev->ops->need_adjust_link(h, ndev->phydev->speed, ++ ndev->phydev->duplex)) { ++ /* because Hi161X chip don't support to change gmac ++ * speed and duplex with traffic. Delay 200ms to ++ * make sure there is no more data in chip FIFO. ++ */ ++ netif_carrier_off(ndev); ++ msleep(200); ++ h->dev->ops->adjust_link(h, ndev->phydev->speed, ++ ndev->phydev->duplex); ++ netif_carrier_on(ndev); ++ } + } ++ + state = state && h->dev->ops->get_status(h); + + if (state != priv->link) { diff --git a/queue-4.14/raid10-bug_on-in-raise_barrier-when-force-is-true-and-conf-barrier-is-0.patch b/queue-4.14/raid10-bug_on-in-raise_barrier-when-force-is-true-and-conf-barrier-is-0.patch new file mode 100644 index 00000000000..541c7d97841 --- /dev/null +++ b/queue-4.14/raid10-bug_on-in-raise_barrier-when-force-is-true-and-conf-barrier-is-0.patch @@ -0,0 +1,56 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Xiao Ni +Date: Thu, 30 Aug 2018 15:57:09 +0800 +Subject: RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0 + +From: Xiao Ni + +[ Upstream commit 1d0ffd264204eba1861865560f1f7f7a92919384 ] + +In raid10 reshape_request it gets max_sectors in read_balance. If the underlayer disks +have bad blocks, the max_sectors is less than last. It will call goto read_more many +times. It calls raise_barrier(conf, sectors_done != 0) every time. In this condition +sectors_done is not 0. So the value passed to the argument force of raise_barrier is +true. + +In raise_barrier it checks conf->barrier when force is true. If force is true and +conf->barrier is 0, it panic. In this case reshape_request submits bio to under layer +disks. And in the callback function of the bio it calls lower_barrier. If the bio +finishes before calling raise_barrier again, it can trigger the BUG_ON. + +Add one pair of raise_barrier/lower_barrier to fix this bug. + +Signed-off-by: Xiao Ni +Suggested-by: Neil Brown +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid10.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -4394,11 +4394,12 @@ static sector_t reshape_request(struct m + allow_barrier(conf); + } + ++ raise_barrier(conf, 0); + read_more: + /* Now schedule reads for blocks from sector_nr to last */ + r10_bio = raid10_alloc_init_r10buf(conf); + r10_bio->state = 0; +- raise_barrier(conf, sectors_done != 0); ++ raise_barrier(conf, 1); + atomic_set(&r10_bio->remaining, 0); + r10_bio->mddev = mddev; + r10_bio->sector = sector_nr; +@@ -4494,6 +4495,8 @@ read_more: + if (sector_nr <= last) + goto read_more; + ++ lower_barrier(conf); ++ + /* Now that we have done the whole section we can + * update reshape_progress + */ diff --git a/queue-4.14/scsi-csiostor-add-a-check-for-null-pointer-after-kmalloc.patch b/queue-4.14/scsi-csiostor-add-a-check-for-null-pointer-after-kmalloc.patch new file mode 100644 index 00000000000..4149fee55cc --- /dev/null +++ b/queue-4.14/scsi-csiostor-add-a-check-for-null-pointer-after-kmalloc.patch @@ -0,0 +1,57 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Varun Prakash +Date: Sat, 11 Aug 2018 21:03:58 +0530 +Subject: scsi: csiostor: add a check for NULL pointer after kmalloc() + +From: Varun Prakash + +[ Upstream commit 89809b028b6f54187b7d81a0c69b35d394c52e62 ] + +Reported-by: Colin Ian King +Signed-off-by: Varun Prakash +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/csiostor/csio_hw.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/drivers/scsi/csiostor/csio_hw.c ++++ b/drivers/scsi/csiostor/csio_hw.c +@@ -2010,8 +2010,8 @@ bye: + } + + /* +- * Returns -EINVAL if attempts to flash the firmware failed +- * else returns 0, ++ * Returns -EINVAL if attempts to flash the firmware failed, ++ * -ENOMEM if memory allocation failed else returns 0, + * if flashing was not attempted because the card had the + * latest firmware ECANCELED is returned + */ +@@ -2039,6 +2039,13 @@ csio_hw_flash_fw(struct csio_hw *hw, int + return -EINVAL; + } + ++ /* allocate memory to read the header of the firmware on the ++ * card ++ */ ++ card_fw = kmalloc(sizeof(*card_fw), GFP_KERNEL); ++ if (!card_fw) ++ return -ENOMEM; ++ + if (csio_is_t5(pci_dev->device & CSIO_HW_CHIP_MASK)) + fw_bin_file = FW_FNAME_T5; + else +@@ -2052,11 +2059,6 @@ csio_hw_flash_fw(struct csio_hw *hw, int + fw_size = fw->size; + } + +- /* allocate memory to read the header of the firmware on the +- * card +- */ +- card_fw = kmalloc(sizeof(*card_fw), GFP_KERNEL); +- + /* upgrade FW logic */ + ret = csio_hw_prep_fw(hw, fw_info, fw_data, fw_size, card_fw, + hw->fw_state, reset); diff --git a/queue-4.14/series b/queue-4.14/series index 340e4ff3221..6efac2d89b3 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -1,3 +1,40 @@ drm-amd-pp-initialize-result-to-before-or-ing-in-data.patch drm-amdgpu-add-another-atpx-quirk-for-topaz.patch serial-mvebu-uart-fix-reporting-of-effective-csize-to-userspace.patch +tools-power-turbostat-fix-possible-sprintf-buffer-overflow.patch +mac80211-run-txq-teardown-code-before-de-registering-interfaces.patch +mac80211_hwsim-require-at-least-one-channel.patch +kvm-ppc-book3s-hv-don-t-truncate-hpte-index-in-xlate-function.patch +btrfs-btrfs_shrink_device-should-call-commit-transaction-at-the-end.patch +scsi-csiostor-add-a-check-for-null-pointer-after-kmalloc.patch +mac80211-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch +mac80211_hwsim-correct-use-of-ieee80211_vht_cap_rxstbc_x.patch +gpio-adp5588-fix-sleep-in-atomic-context-bug.patch +mac80211-mesh-fix-hwmp-sequence-numbering-to-follow-standard.patch +mac80211-avoid-kernel-panic-when-building-amsdu-from-non-linear-skb.patch +gpiolib-acpi-switch-to-cansleep-version-of-gpio-library-call.patch +gpiolib-acpi-register-gpioint-acpi-event-handlers-from-a-late_initcall.patch +net-hns-add-the-code-for-cleaning-pkt-in-chip.patch +net-hns-add-netif_carrier_off-before-change-speed-and-duplex.patch +cfg80211-nl80211_update_ft_ies-to-validate-nl80211_attr_ie.patch +mac80211-do-not-convert-to-a-msdu-if-frag-subframe-limited.patch +mac80211-always-account-for-a-msdu-header-changes.patch +tools-kvm_stat-fix-python3-issues.patch +tools-kvm_stat-fix-handling-of-invalid-paths-in-debugfs-provider.patch +gpio-fix-crash-due-to-registration-race.patch +arc-atomics-unbork-atomic_fetch_-op.patch +md-raid5-cache-disable-reshape-completely.patch +raid10-bug_on-in-raise_barrier-when-force-is-true-and-conf-barrier-is-0.patch +net-ethernet-cpsw-phy-sel-prefer-phandle-for-phy-sel.patch +i2c-uniphier-issue-stop-only-for-last-message-or-i2c_m_stop.patch +i2c-uniphier-f-issue-stop-only-for-last-message-or-i2c_m_stop.patch +net-cadence-fix-a-sleep-in-atomic-context-bug-in-macb_halt_tx.patch +fs-cifs-don-t-translate-sfm_slash-u-f026-to-backslash.patch +mac80211-fix-an-off-by-one-issue-in-a-msdu-max_subframe-computation.patch +cfg80211-fix-a-type-issue-in-ieee80211_chandef_to_operating_class.patch +mac80211-fix-a-race-between-restart-and-csa-flows.patch +mac80211-fix-station-bandwidth-setting-after-channel-switch.patch +mac80211-don-t-tx-a-deauth-frame-if-the-ap-forbade-tx.patch +mac80211-shorten-the-ibss-debug-messages.patch +tools-vm-slabinfo.c-fix-sign-compare-warning.patch +tools-vm-page-types.c-fix-defined-but-not-used-warning.patch diff --git a/queue-4.14/tools-kvm_stat-fix-handling-of-invalid-paths-in-debugfs-provider.patch b/queue-4.14/tools-kvm_stat-fix-handling-of-invalid-paths-in-debugfs-provider.patch new file mode 100644 index 00000000000..f4bd7ccdc8d --- /dev/null +++ b/queue-4.14/tools-kvm_stat-fix-handling-of-invalid-paths-in-debugfs-provider.patch @@ -0,0 +1,70 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Stefan Raspl +Date: Fri, 24 Aug 2018 14:03:56 +0200 +Subject: tools/kvm_stat: fix handling of invalid paths in debugfs provider + +From: Stefan Raspl + +[ Upstream commit 617c66b9f236d20f11cecbb3f45e6d5675b2fae1 ] + +When filtering by guest, kvm_stat displays garbage when the guest is +destroyed - see sample output below. +We add code to remove the invalid paths from the providers, so at least +no more garbage is displayed. +Here's a sample output to illustrate: + + kvm statistics - pid 13986 (foo) + + Event Total %Total CurAvg/s + diagnose_258 -2 0.0 0 + deliver_program_interruption -3 0.0 0 + diagnose_308 -4 0.0 0 + halt_poll_invalid -91 0.0 -6 + deliver_service_signal -244 0.0 -16 + halt_successful_poll -250 0.1 -17 + exit_pei -285 0.1 -19 + exit_external_request -312 0.1 -21 + diagnose_9c -328 0.1 -22 + userspace_handled -713 0.1 -47 + halt_attempted_poll -939 0.2 -62 + deliver_emergency_signal -3126 0.6 -208 + halt_wakeup -7199 1.5 -481 + exit_wait_state -7379 1.5 -493 + diagnose_500 -56499 11.5 -3757 + exit_null -85491 17.4 -5685 + diagnose_44 -133300 27.1 -8874 + exit_instruction -195898 39.8 -13037 + Total -492063 + +Signed-off-by: Stefan Raspl +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/kvm/kvm_stat/kvm_stat | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/tools/kvm/kvm_stat/kvm_stat ++++ b/tools/kvm/kvm_stat/kvm_stat +@@ -731,6 +731,13 @@ class DebugfsProvider(Provider): + self.do_read = True + self.reset() + ++ def _verify_paths(self): ++ """Remove invalid paths""" ++ for path in self.paths: ++ if not os.path.exists(os.path.join(PATH_DEBUGFS_KVM, path)): ++ self.paths.remove(path) ++ continue ++ + def read(self, reset=0, by_guest=0): + """Returns a dict with format:'file name / field -> current value'. + +@@ -745,6 +752,7 @@ class DebugfsProvider(Provider): + # If no debugfs filtering support is available, then don't read. + if not self.do_read: + return results ++ self._verify_paths() + + paths = self.paths + if self._pid == 0: diff --git a/queue-4.14/tools-kvm_stat-fix-python3-issues.patch b/queue-4.14/tools-kvm_stat-fix-python3-issues.patch new file mode 100644 index 00000000000..860d7e4c555 --- /dev/null +++ b/queue-4.14/tools-kvm_stat-fix-python3-issues.patch @@ -0,0 +1,47 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Stefan Raspl +Date: Fri, 24 Aug 2018 14:03:55 +0200 +Subject: tools/kvm_stat: fix python3 issues + +From: Stefan Raspl + +[ Upstream commit 58f33cfe73076b6497bada4f7b5bda961ed68083 ] + +Python3 returns a float for a regular division - switch to a division +operator that returns an integer. +Furthermore, filters return a generator object instead of the actual +list - wrap result in yet another list, which makes it still work in +both, Python2 and 3. + +Signed-off-by: Stefan Raspl +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/kvm/kvm_stat/kvm_stat | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/tools/kvm/kvm_stat/kvm_stat ++++ b/tools/kvm/kvm_stat/kvm_stat +@@ -724,7 +724,7 @@ class DebugfsProvider(Provider): + if len(vms) == 0: + self.do_read = False + +- self.paths = filter(lambda x: "{}-".format(pid) in x, vms) ++ self.paths = list(filter(lambda x: "{}-".format(pid) in x, vms)) + + else: + self.paths = [] +@@ -1119,10 +1119,10 @@ class Tui(object): + (x, term_width) = self.screen.getmaxyx() + row = 2 + for line in text: +- start = (term_width - len(line)) / 2 ++ start = (term_width - len(line)) // 2 + self.screen.addstr(row, start, line) + row += 1 +- self.screen.addstr(row + 1, (term_width - len(hint)) / 2, hint, ++ self.screen.addstr(row + 1, (term_width - len(hint)) // 2, hint, + curses.A_STANDOUT) + self.screen.getkey() + diff --git a/queue-4.14/tools-power-turbostat-fix-possible-sprintf-buffer-overflow.patch b/queue-4.14/tools-power-turbostat-fix-possible-sprintf-buffer-overflow.patch new file mode 100644 index 00000000000..71941528169 --- /dev/null +++ b/queue-4.14/tools-power-turbostat-fix-possible-sprintf-buffer-overflow.patch @@ -0,0 +1,28 @@ +From 46c2797826cc6d1ae36fcbd966e76f9fa1907eef Mon Sep 17 00:00:00 2001 +From: Len Brown +Date: Fri, 8 Dec 2017 17:38:17 -0500 +Subject: tools/power turbostat: fix possible sprintf buffer overflow + +From: Len Brown + +commit 46c2797826cc6d1ae36fcbd966e76f9fa1907eef upstream. + +Signed-off-by: Len Brown +Cc: Alakesh Haloi +Signed-off-by: Greg Kroah-Hartman + +--- + tools/power/x86/turbostat/turbostat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -1485,7 +1485,7 @@ int get_mp(int cpu, struct msr_counter * + if (get_msr(cpu, mp->msr_num, counterp)) + return -1; + } else { +- char path[128]; ++ char path[128 + PATH_BYTES]; + + if (mp->flags & SYSFS_PERCPU) { + sprintf(path, "/sys/devices/system/cpu/cpu%d/%s", diff --git a/queue-4.14/tools-vm-page-types.c-fix-defined-but-not-used-warning.patch b/queue-4.14/tools-vm-page-types.c-fix-defined-but-not-used-warning.patch new file mode 100644 index 00000000000..378a4b6ac85 --- /dev/null +++ b/queue-4.14/tools-vm-page-types.c-fix-defined-but-not-used-warning.patch @@ -0,0 +1,38 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Naoya Horiguchi +Date: Tue, 4 Sep 2018 15:45:51 -0700 +Subject: tools/vm/page-types.c: fix "defined but not used" warning + +From: Naoya Horiguchi + +[ Upstream commit 7ab660f8baecfe26c1c267fa8e64d2073feae2bb ] + +debugfs_known_mountpoints[] is not used any more, so let's remove it. + +Link: http://lkml.kernel.org/r/1535102651-19418-1-git-send-email-n-horiguchi@ah.jp.nec.com +Signed-off-by: Naoya Horiguchi +Reviewed-by: Andrew Morton +Cc: Matthew Wilcox +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/vm/page-types.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/tools/vm/page-types.c ++++ b/tools/vm/page-types.c +@@ -155,12 +155,6 @@ static const char * const page_flag_name + }; + + +-static const char * const debugfs_known_mountpoints[] = { +- "/sys/kernel/debug", +- "/debug", +- 0, +-}; +- + /* + * data structures + */ diff --git a/queue-4.14/tools-vm-slabinfo.c-fix-sign-compare-warning.patch b/queue-4.14/tools-vm-slabinfo.c-fix-sign-compare-warning.patch new file mode 100644 index 00000000000..2231bc6dc01 --- /dev/null +++ b/queue-4.14/tools-vm-slabinfo.c-fix-sign-compare-warning.patch @@ -0,0 +1,46 @@ +From foo@baz Thu Oct 4 12:33:16 PDT 2018 +From: Naoya Horiguchi +Date: Tue, 4 Sep 2018 15:45:48 -0700 +Subject: tools/vm/slabinfo.c: fix sign-compare warning + +From: Naoya Horiguchi + +[ Upstream commit 904506562e0856f2535d876407d087c9459d345b ] + +Currently we get the following compiler warning: + + slabinfo.c:854:22: warning: comparison between signed and unsigned integer expressions [-Wsign-compare] + if (s->object_size < min_objsize) + ^ + +due to the mismatch of signed/unsigned comparison. ->object_size and +->slab_size are never expected to be negative, so let's define them as +unsigned int. + +[n-horiguchi@ah.jp.nec.com: convert everything - none of these can be negative] + Link: http://lkml.kernel.org/r/20180826234947.GA9787@hori1.linux.bs1.fc.nec.co.jp +Link: http://lkml.kernel.org/r/1535103134-20239-1-git-send-email-n-horiguchi@ah.jp.nec.com +Signed-off-by: Naoya Horiguchi +Reviewed-by: Andrew Morton +Cc: Matthew Wilcox +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/vm/slabinfo.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/vm/slabinfo.c ++++ b/tools/vm/slabinfo.c +@@ -30,8 +30,8 @@ struct slabinfo { + int alias; + int refs; + int aliases, align, cache_dma, cpu_slabs, destroy_by_rcu; +- int hwcache_align, object_size, objs_per_slab; +- int sanity_checks, slab_size, store_user, trace; ++ unsigned int hwcache_align, object_size, objs_per_slab; ++ unsigned int sanity_checks, slab_size, store_user, trace; + int order, poison, reclaim_account, red_zone; + unsigned long partial, objects, slabs, objects_partial, objects_total; + unsigned long alloc_fastpath, alloc_slowpath;