From: Greg Kroah-Hartman Date: Tue, 28 Nov 2017 09:58:51 +0000 (+0100) Subject: 3.18-stable patches X-Git-Tag: v3.18.85~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=af98e8491de741b487963608c1902108f21461f5;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: alsa-hda-apply-alc269_fixup_no_shutup-on-hda_fixup_act_probe.patch asoc-wm_adsp-don-t-overrun-firmware-file-buffer-when-reading-region-data.patch btrfs-return-the-actual-error-value-from-from-btrfs_uuid_tree_iterate.patch drm-armada-fix-compile-fail.patch mac80211-remove-invalid-flag-operations-in-mesh-tsf-synchronization.patch mac80211-suppress-new_peer_candidate-event-if-no-room.patch net-3com-typhoon-typhoon_init_one-fix-incorrect-return-values.patch net-3com-typhoon-typhoon_init_one-make-return-values-more-specific.patch netfilter-nf_tables-fix-oob-access.patch netfilter-nft_queue-use-raw_smp_processor_id.patch pci-apply-_hpx-settings-only-to-relevant-devices.patch rds-rdma-return-appropriate-error-on-rdma-map-failures.patch s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch staging-iio-cdc-fix-improper-return-value.patch xen-xenbus-driver-must-not-accept-invalid-transaction-ids.patch
---
diff --git a/queue-3.18/alsa-hda-apply-alc269_fixup_no_shutup-on-hda_fixup_act_probe.patch b/queue-3.18/alsa-hda-apply-alc269_fixup_no_shutup-on-hda_fixup_act_probe.patch
new file mode 100644
index 00000000000..fe653b3af67
--- /dev/null
+++ b/queue-3.18/alsa-hda-apply-alc269_fixup_no_shutup-on-hda_fixup_act_probe.patch
@@ -0,0 +1,34 @@
+From foo@baz Tue Nov 28 10:58:31 CET 2017
+From: Gabriele Mazzotta
+Date: Sat, 24 Dec 2016 19:50:00 +0100
+Subject: ALSA: hda - Apply ALC269_FIXUP_NO_SHUTUP on HDA_FIXUP_ACT_PROBE
+
+From: Gabriele Mazzotta
+
+
+[ Upstream commit 972aa2c708703c21f14eb958b37e82aae2530e44 ]
+
+Setting shutup when the action is HDA_FIXUP_ACT_PRE_PROBE might
+not have the desired effect since it could be overridden by
+another more generic shutup function. Prevent this by setting
+the more specific shutup function on HDA_FIXUP_ACT_PROBE.
+
+Signed-off-by: Gabriele Mazzotta
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4289,7 +4289,7 @@ static void alc_no_shutup(struct hda_cod
+ static void alc_fixup_no_shutup(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+ {
+- if (action == HDA_FIXUP_ACT_PRE_PROBE) {
++ if (action == HDA_FIXUP_ACT_PROBE) {
+ struct alc_spec *spec = codec->spec;
+ spec->shutup = alc_no_shutup;
+ }
diff --git a/queue-3.18/asoc-wm_adsp-don-t-overrun-firmware-file-buffer-when-reading-region-data.patch b/queue-3.18/asoc-wm_adsp-don-t-overrun-firmware-file-buffer-when-reading-region-data.patch
new file mode 100644
index 00000000000..81c7b402ca1
--- /dev/null
+++ b/queue-3.18/asoc-wm_adsp-don-t-overrun-firmware-file-buffer-when-reading-region-data.patch
@@ -0,0 +1,81 @@
+From foo@baz Tue Nov 28 10:58:31 CET 2017
+From: Richard Fitzgerald
+Date: Tue, 20 Dec 2016 10:29:12 +0000
+Subject: ASoC: wm_adsp: Don't overrun firmware file buffer when reading region data
+
+From: Richard Fitzgerald
+
+
+[ Upstream commit 1cab2a84f470e15ecc8e5143bfe9398c6e888032 ]
+
+Protect against corrupt firmware files by ensuring that the length we
+get for the data in a region actually lies within the available firmware
+file data buffer.
+
+Signed-off-by: Richard Fitzgerald
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/codecs/wm_adsp.c | 25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+--- a/sound/soc/codecs/wm_adsp.c
++++ b/sound/soc/codecs/wm_adsp.c
+@@ -532,7 +532,7 @@ static int wm_adsp_load(struct wm_adsp *
+ const struct wmfw_region *region;
+ const struct wm_adsp_region *mem;
+ const char *region_name;
+- char *file, *text;
++ char *file, *text = NULL;
+ struct wm_adsp_buf *buf;
+ unsigned int reg;
+ int regions = 0;
+@@ -677,10 +677,21 @@ static int wm_adsp_load(struct wm_adsp *
+ regions, le32_to_cpu(region->len), offset,
+ region_name);
+
++ if ((pos + le32_to_cpu(region->len) + sizeof(*region)) >
++ firmware->size) {
++ adsp_err(dsp,
++ "%s.%d: %s region len %d bytes exceeds file length %zu\n",
++ file, regions, region_name,
++ le32_to_cpu(region->len), firmware->size);
++ ret = -EINVAL;
++ goto out_fw;
++ }
++
+ if (text) {
+ memcpy(text, region->data, le32_to_cpu(region->len));
+ adsp_info(dsp, "%s: %s\n", file, text);
+ kfree(text);
++ text = NULL;
+ }
+
+ if (reg) {
+@@ -737,6 +748,7 @@ out_fw:
+ regmap_async_complete(regmap);
+ wm_adsp_buf_free(&buf_list);
+ release_firmware(firmware);
++ kfree(text);
+ out:
+ kfree(file);
+
+@@ -1316,6 +1328,17 @@ static int wm_adsp_load_coeff(struct wm_
+ }
+
+ if (reg) {
++ if ((pos + le32_to_cpu(blk->len) + sizeof(*blk)) >
++ firmware->size) {
++ adsp_err(dsp,
++ "%s.%d: %s region len %d bytes exceeds file length %zu\n",
++ file, blocks, region_name,
++ le32_to_cpu(blk->len),
++ firmware->size);
++ ret = -EINVAL;
++ goto out_fw;
++ }
++
+ buf = wm_adsp_buf_alloc(blk->data,
+ le32_to_cpu(blk->len),
+ &buf_list);
diff --git a/queue-3.18/btrfs-return-the-actual-error-value-from-from-btrfs_uuid_tree_iterate.patch b/queue-3.18/btrfs-return-the-actual-error-value-from-from-btrfs_uuid_tree_iterate.patch
new file mode 100644
index 00000000000..eb93917c2e3
--- /dev/null
+++ b/queue-3.18/btrfs-return-the-actual-error-value-from-from-btrfs_uuid_tree_iterate.patch
@@ -0,0 +1,38 @@
+From foo@baz Tue Nov 28 10:58:31 CET 2017
+From: Pan Bian
+Date: Sun, 4 Dec 2016 12:51:53 +0800
+Subject: btrfs: return the actual error value from from btrfs_uuid_tree_iterate
+
+From: Pan Bian
+
+
+[ Upstream commit 73ba39ab9307340dc98ec3622891314bbc09cc2e ]
+
+In function btrfs_uuid_tree_iterate(), errno is assigned to variable ret
+on errors. However, it directly returns 0. It may be better to return
+ret. This patch also removes the warning, because the caller already
+prints a warning.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188731
+Signed-off-by: Pan Bian
+Reviewed-by: Omar Sandoval
+[ edited subject ]
+Signed-off-by: David Sterba
+
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/uuid-tree.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/fs/btrfs/uuid-tree.c
++++ b/fs/btrfs/uuid-tree.c
+@@ -348,7 +348,5 @@ skip:
+
+ out:
+ btrfs_free_path(path);
+- if (ret)
+- btrfs_warn(fs_info, "btrfs_uuid_tree_iterate failed %d", ret);
+- return 0;
++ return ret;
+ }
diff --git a/queue-3.18/drm-armada-fix-compile-fail.patch b/queue-3.18/drm-armada-fix-compile-fail.patch
new file mode 100644
index 00000000000..83acbe69bda
--- /dev/null
+++ b/queue-3.18/drm-armada-fix-compile-fail.patch
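Review bot: In wm_adsp_load() (asoc-wm_adsp-don-t-overrun-firmware-file-buffer-when-reading-region-data.patch), the new bound `(pos + le32_to_cpu(region->len) + sizeof(*region)) > firmware->size` adds a length taken from the firmware file before comparing, so a very large `len` can wrap the sum and slip past the check. The declaration of `pos` is outside the hunk; if it is a 32-bit type, `pos + len` wraps before it is widened to size_t, on 64-bit builds too. Comparing by subtraction avoids the wrap, e.g. `if (le32_to_cpu(region->len) > firmware->size - pos - sizeof(*region))`, provided the surrounding loop (not visible here) already guarantees that the region header itself fits in the file. The check added to wm_adsp_load_coeff() has the same form and should change with it. The length is also printed with `%d`; `%u` matches the unsigned value.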
@@ -0,0 +1,36 @@
+From foo@baz Tue Nov 28 10:58:31 CET 2017
+From: Daniel Vetter
+Date: Fri, 30 Dec 2016 17:38:52 +0100
+Subject: drm/armada: Fix compile fail
+
+From: Daniel Vetter
+
+
+[ Upstream commit 7357f89954b6d005df6ab8929759e78d7d9a80f9 ]
+
+I reported the include issue for tracepoints a while ago, but nothing
+seems to have happened. Now it bit us, since the drm_mm_print
+conversion was broken for armada. Fix it, so I can re-enable armada
+in the drm-misc build configs.
+
+v2: Rebase just the compile fix on top of Chris' build fix.
+
+Cc: Russell King
+Cc: Chris Wilson
+Acked: Chris Wilson
+Signed-off-by: Daniel Vetter
+Link: http://patchwork.freedesktop.org/patch/msgid/1483115932-19584-1-git-send-email-daniel.vetter@ffwll.ch
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/armada/Makefile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/armada/Makefile
++++ b/drivers/gpu/drm/armada/Makefile
+@@ -5,3 +5,5 @@ armada-y += armada_510.o
+ armada-$(CONFIG_DEBUG_FS) += armada_debugfs.o
+
+ obj-$(CONFIG_DRM_ARMADA) := armada.o
++
++CFLAGS_armada_trace.o := -I$(src)
diff --git a/queue-3.18/mac80211-remove-invalid-flag-operations-in-mesh-tsf-synchronization.patch b/queue-3.18/mac80211-remove-invalid-flag-operations-in-mesh-tsf-synchronization.patch
new file mode 100644
index 00000000000..af893e5977e
--- /dev/null
+++ b/queue-3.18/mac80211-remove-invalid-flag-operations-in-mesh-tsf-synchronization.patch
@@ -0,0 +1,104 @@
+From foo@baz Tue Nov 28 10:58:31 CET 2017
+From: Masashi Honma
+Date: Thu, 8 Dec 2016 10:15:50 +0900
+Subject: mac80211: Remove invalid flag operations in mesh TSF synchronization
+
+From: Masashi Honma
+
+
+[ Upstream commit 76f43b4c0a9337af22827d78de4f2b8fd5328489 ]
+
+mesh_sync_offset_adjust_tbtt() implements Extensible synchronization
+framework ([1] 13.13.2 Extensible synchronization framework). It shall
+not operate the flag "TBTT Adjusting subfield" ([1] 8.4.2.100.8 Mesh
+Capability), since it is used only for MBCA ([1] 13.13.4 Mesh beacon
+collision avoidance, see 13.13.4.4.3 TBTT scanning and adjustment
+procedures for detail). So this patch remove the flag operations.
+
+[1] IEEE Std 802.11 2012
+
+Signed-off-by: Masashi Honma
+[remove adjusting_tbtt entirely, since it's now unused]
+Signed-off-by: Johannes Berg
+
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/ieee80211_i.h | 1 -
+ net/mac80211/mesh.c | 3 ---
+ net/mac80211/mesh_sync.c | 11 -----------
+ 3 files changed, 15 deletions(-)
+
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -640,7 +640,6 @@ struct ieee80211_if_mesh {
+ const struct ieee80211_mesh_sync_ops *sync_ops;
+ s64 sync_offset_clockdrift_max;
+ spinlock_t sync_offset_lock;
+- bool adjusting_tbtt;
+ /* mesh power save */
+ enum nl80211_mesh_power_mode nonpeer_pm;
+ int ps_peers_light_sleep;
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -289,8 +289,6 @@ int mesh_add_meshconf_ie(struct ieee8021
+ /* Mesh PS mode. See IEEE802.11-2012 8.4.2.100.8 */
+ *pos |= ifmsh->ps_peers_deep_sleep ?
+ IEEE80211_MESHCONF_CAPAB_POWER_SAVE_LEVEL : 0x00;
+- *pos++ |= ifmsh->adjusting_tbtt ?
+- IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING : 0x00;
+ *pos++ = 0x00;
+
+ return 0;
+@@ -790,7 +788,6 @@ int ieee80211_start_mesh(struct ieee8021
+ ifmsh->mesh_cc_id = 0; /* Disabled */
+ /* register sync ops from extensible synchronization framework */
+ ifmsh->sync_ops = ieee80211_mesh_sync_ops_get(ifmsh->mesh_sp_id);
+- ifmsh->adjusting_tbtt = false;
+ ifmsh->sync_offset_clockdrift_max = 0;
+ set_bit(MESH_WORK_HOUSEKEEPING, &ifmsh->wrkq_flags);
+ ieee80211_mesh_root_setup(ifmsh);
+--- a/net/mac80211/mesh_sync.c
++++ b/net/mac80211/mesh_sync.c
+@@ -119,7 +119,6 @@ static void mesh_sync_offset_rx_bcn_pres
+ */
+
+ if (elems->mesh_config && mesh_peer_tbtt_adjusting(elems)) {
+- clear_sta_flag(sta, WLAN_STA_TOFFSET_KNOWN);
+ msync_dbg(sdata, "STA %pM : is adjusting TBTT\n",
+ sta->sta.addr);
+ goto no_sync;
+@@ -168,11 +167,9 @@ static void mesh_sync_offset_adjust_tbtt
+ struct beacon_data *beacon)
+ {
+ struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
+- u8 cap;
+
+ WARN_ON(ifmsh->mesh_sp_id != IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET);
+ WARN_ON(!rcu_read_lock_held());
+- cap = beacon->meshconf->meshconf_cap;
+
+ spin_lock_bh(&ifmsh->sync_offset_lock);
+
+@@ -186,21 +183,13 @@ static void mesh_sync_offset_adjust_tbtt
+ "TBTT : kicking off TBTT adjustment with clockdrift_max=%lld\n",
+ ifmsh->sync_offset_clockdrift_max);
+ set_bit(MESH_WORK_DRIFT_ADJUST, &ifmsh->wrkq_flags);
+-
+- ifmsh->adjusting_tbtt = true;
+ } else {
+ msync_dbg(sdata,
+ "TBTT : max clockdrift=%lld; too small to adjust\n",
+ (long long)ifmsh->sync_offset_clockdrift_max);
+ ifmsh->sync_offset_clockdrift_max = 0;
+-
+- ifmsh->adjusting_tbtt = false;
+ }
+ spin_unlock_bh(&ifmsh->sync_offset_lock);
+-
+- beacon->meshconf->meshconf_cap = ifmsh->adjusting_tbtt ?
+- IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING | cap :
+- ~IEEE80211_MESHCONF_CAPAB_TBTT_ADJUSTING & cap;
+ }
+
+ static const struct sync_method sync_methods[] = {
diff --git a/queue-3.18/mac80211-suppress-new_peer_candidate-event-if-no-room.patch b/queue-3.18/mac80211-suppress-new_peer_candidate-event-if-no-room.patch
new file mode 100644
index 00000000000..7a775a1890c
--- /dev/null
+++ b/queue-3.18/mac80211-suppress-new_peer_candidate-event-if-no-room.patch
@@ -0,0 +1,45 @@
+From foo@baz Tue Nov 28 10:58:31 CET 2017
+From: Masashi Honma
+Date: Wed, 30 Nov 2016 09:06:04 +0900
+Subject: mac80211: Suppress NEW_PEER_CANDIDATE event if no room
+
+From: Masashi Honma
+
+
+[ Upstream commit 11197d006bcfabf0173a7820a163fcaac420d10e ]
+
+Previously, kernel sends NEW_PEER_CANDIDATE event to user land even if
+the found peer does not have any room to accept other peer. This causes
+continuous connection trials.
+
+Signed-off-by: Masashi Honma
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/mesh_plink.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/net/mac80211/mesh_plink.c
++++ b/net/mac80211/mesh_plink.c
+@@ -448,12 +448,14 @@ mesh_sta_info_alloc(struct ieee80211_sub
+
+ /* Userspace handles station allocation */
+ if (sdata->u.mesh.user_mpm ||
+- sdata->u.mesh.security & IEEE80211_MESH_SEC_AUTHED)
+- cfg80211_notify_new_peer_candidate(sdata->dev, addr,
+- elems->ie_start,
+- elems->total_len,
+- GFP_KERNEL);
+- else
++ sdata->u.mesh.security & IEEE80211_MESH_SEC_AUTHED) {
++ if (mesh_peer_accepts_plinks(elems) &&
++ mesh_plink_availables(sdata))
++ cfg80211_notify_new_peer_candidate(sdata->dev, addr,
++ elems->ie_start,
++ elems->total_len,
++ GFP_KERNEL);
++ } else
+ sta = __mesh_sta_info_alloc(sdata, addr);
+
+ return sta;
diff --git a/queue-3.18/net-3com-typhoon-typhoon_init_one-fix-incorrect-return-values.patch b/queue-3.18/net-3com-typhoon-typhoon_init_one-fix-incorrect-return-values.patch
new file mode 100644
index 00000000000..ebb0fb9b518
--- /dev/null
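Review bot: In mesh_sta_info_alloc() (mac80211-suppress-new_peer_candidate-event-if-no-room.patch) the new code closes the braced branch with `} else` and leaves the following statement unbraced, where kernel coding style asks for braces on both branches once one of them has them: `} else {` then `sta = __mesh_sta_info_alloc(sdata, addr);` then `}`. The inner `if (mesh_peer_accepts_plinks(elems) && mesh_plink_availables(sdata))` guards a call that spans five lines, so bracing it as well would make the extent of the condition obvious. The function starts before the hunk, so the initial value of `sta` returned on the suppressed path is not visible here.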
+++ b/queue-3.18/net-3com-typhoon-typhoon_init_one-fix-incorrect-return-values.patch 
@@ -0,0 +1,61 @@
+From foo@baz Tue Nov 28 10:58:31 CET 2017
+From: Thomas Preisner
+Date: Fri, 30 Dec 2016 03:37:53 +0100
+Subject: net: 3com: typhoon: typhoon_init_one: fix incorrect return values
+
+From: Thomas Preisner
+
+
+[ Upstream commit 107fded7bf616ad6f46823d98b8ed6405d7adf2d ]
+
+In a few cases the err-variable is not set to a negative error code if a
+function call in typhoon_init_one() fails and thus 0 is returned
+instead.
+It may be better to set err to the appropriate negative error
+code before returning.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188841
+
+Reported-by: Pan Bian
+Signed-off-by: Thomas Preisner
+Signed-off-by: Milan Stephan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/3com/typhoon.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/3com/typhoon.c
++++ b/drivers/net/ethernet/3com/typhoon.c
+@@ -2398,8 +2398,9 @@ typhoon_init_one(struct pci_dev *pdev, c
+ *(__be16 *)&dev->dev_addr[0] = htons(le16_to_cpu(xp_resp[0].parm1));
+ *(__be32 *)&dev->dev_addr[2] = htonl(le32_to_cpu(xp_resp[0].parm2));
+
+- if(!is_valid_ether_addr(dev->dev_addr)) {
++ if (!is_valid_ether_addr(dev->dev_addr)) {
+ err_msg = "Could not obtain valid ethernet address, aborting";
++ err = -EIO;
+ goto error_out_reset;
+ }
+
+@@ -2407,7 +2408,8 @@ typhoon_init_one(struct pci_dev *pdev, c
+ * later when we print out the version reported.
+ */
+ INIT_COMMAND_WITH_RESPONSE(&xp_cmd, TYPHOON_CMD_READ_VERSIONS);
+- if(typhoon_issue_command(tp, 1, &xp_cmd, 3, xp_resp) < 0) {
++ err = typhoon_issue_command(tp, 1, &xp_cmd, 3, xp_resp);
++ if (err < 0) {
+ err_msg = "Could not get Sleep Image version";
+ goto error_out_reset;
+ }
+@@ -2449,7 +2451,8 @@ typhoon_init_one(struct pci_dev *pdev, c
+ dev->features = dev->hw_features |
+ NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_RXCSUM;
+
+- if(register_netdev(dev) < 0) {
++ err = register_netdev(dev);
++ if (err < 0) {
+ err_msg = "unable to register netdev";
+ goto error_out_reset;
+ }
diff --git a/queue-3.18/net-3com-typhoon-typhoon_init_one-make-return-values-more-specific.patch b/queue-3.18/net-3com-typhoon-typhoon_init_one-make-return-values-more-specific.patch
new file mode 100644
index 00000000000..760fe1961b1
--- /dev/null
+++ b/queue-3.18/net-3com-typhoon-typhoon_init_one-make-return-values-more-specific.patch
@@ -0,0 +1,70 @@
+From foo@baz Tue Nov 28 10:58:31 CET 2017
+From: Thomas Preisner
+Date: Fri, 30 Dec 2016 03:37:54 +0100
+Subject: net: 3com: typhoon: typhoon_init_one: make return values more specific
+
+From: Thomas Preisner
+
+
+[ Upstream commit 6b6bbb5922a4b1d4b58125a572da91010295fba3 ]
+
+In some cases the return value of a failing function is not being used
+and the function typhoon_init_one() returns another negative error code
+instead.
+
+Signed-off-by: Thomas Preisner
+Signed-off-by: Milan Stephan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/3com/typhoon.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/3com/typhoon.c
++++ b/drivers/net/ethernet/3com/typhoon.c
+@@ -2366,9 +2366,9 @@ typhoon_init_one(struct pci_dev *pdev, c
+ * 4) Get the hardware address.
+ * 5) Put the card to sleep.
+ */
+- if (typhoon_reset(ioaddr, WaitSleep) < 0) {
++ err = typhoon_reset(ioaddr, WaitSleep);
++ if (err < 0) {
+ err_msg = "could not reset 3XP";
+- err = -EIO;
+ goto error_out_dma;
+ }
+
+@@ -2382,16 +2382,16 @@ typhoon_init_one(struct pci_dev *pdev, c
+ typhoon_init_interface(tp);
+ typhoon_init_rings(tp);
+
+- if(typhoon_boot_3XP(tp, TYPHOON_STATUS_WAITING_FOR_HOST) < 0) {
++ err = typhoon_boot_3XP(tp, TYPHOON_STATUS_WAITING_FOR_HOST);
++ if (err < 0) {
+ err_msg = "cannot boot 3XP sleep image";
+- err = -EIO;
+ goto error_out_reset;
+ }
+
+ INIT_COMMAND_WITH_RESPONSE(&xp_cmd, TYPHOON_CMD_READ_MAC_ADDRESS);
+- if(typhoon_issue_command(tp, 1, &xp_cmd, 1, xp_resp) < 0) {
++ err = typhoon_issue_command(tp, 1, &xp_cmd, 1, xp_resp);
++ if (err < 0) {
+ err_msg = "cannot read MAC address";
+- err = -EIO;
+ goto error_out_reset;
+ }
+
+@@ -2424,9 +2424,9 @@ typhoon_init_one(struct pci_dev *pdev, c
+ if(xp_resp[0].numDesc != 0)
+ tp->capabilities |= TYPHOON_WAKEUP_NEEDS_RESET;
+
+- if(typhoon_sleep(tp, PCI_D3hot, 0) < 0) {
++ err = typhoon_sleep(tp, PCI_D3hot, 0);
++ if (err < 0) {
+ err_msg = "cannot put adapter to sleep";
+- err = -EIO;
+ goto error_out_reset;
+ }
+
diff --git a/queue-3.18/netfilter-nf_tables-fix-oob-access.patch b/queue-3.18/netfilter-nf_tables-fix-oob-access.patch
new file mode 100644
index 00000000000..5fecf4e9667
--- /dev/null
+++ b/queue-3.18/netfilter-nf_tables-fix-oob-access.patch
@@ -0,0 +1,35 @@
+From foo@baz Tue Nov 28 10:58:31 CET 2017
+From: Florian Westphal
+Date: Tue, 13 Dec 2016 13:59:33 +0100
+Subject: netfilter: nf_tables: fix oob access
+
+From: Florian Westphal
+
+
+[ Upstream commit 3e38df136e453aa69eb4472108ebce2fb00b1ba6 ]
+
+BUG: KASAN: slab-out-of-bounds in nf_tables_rule_destroy+0xf1/0x130 at addr ffff88006a4c35c8
+Read of size 8 by task nft/1607
+
+When we've destroyed last valid expr, nft_expr_next() returns an invalid expr.
+We must not dereference it unless it passes != nft_expr_last() check.
+
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1869,7 +1869,7 @@ static void nf_tables_rule_destroy(const
+ * is called on error from nf_tables_newrule().
+ */
+ expr = nft_expr_first(rule);
+- while (expr->ops && expr != nft_expr_last(rule)) {
++ while (expr != nft_expr_last(rule) && expr->ops) {
+ nf_tables_expr_destroy(ctx, expr);
+ expr = nft_expr_next(expr);
+ }
diff --git a/queue-3.18/netfilter-nft_queue-use-raw_smp_processor_id.patch b/queue-3.18/netfilter-nft_queue-use-raw_smp_processor_id.patch
new file mode 100644
index 00000000000..538267f6440
--- /dev/null
+++ b/queue-3.18/netfilter-nft_queue-use-raw_smp_processor_id.patch
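Review bot: The loop condition in nf_tables_rule_destroy() (netfilter-nf_tables-fix-oob-access.patch) is now correct only because of operand order, and nothing in the code says so. A short comment above the `while` would keep a later cleanup from swapping the operands back, for example `/* test the end bound first: once the last valid expr is destroyed, nft_expr_next() returns an invalid expr and ->ops must not be read */`. The function body starts and ends outside the hunk.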
@@ -0,0 +1,42 @@
+From foo@baz Tue Nov 28 10:58:31 CET 2017
+From: Pablo Neira Ayuso
+Date: Sun, 11 Dec 2016 20:46:51 +0100
+Subject: netfilter: nft_queue: use raw_smp_processor_id()
+
+From: Pablo Neira Ayuso
+
+
+[ Upstream commit c2e756ff9e699865d294cdc112acfc36419cf5cc ]
+
+Using smp_processor_id() causes splats with PREEMPT_RCU:
+
+[19379.552780] BUG: using smp_processor_id() in preemptible [00000000] code: ping/32389
+[19379.552793] caller is debug_smp_processor_id+0x17/0x19
+[...]
+[19379.552823] Call Trace:
+[19379.552832] [] dump_stack+0x67/0x90
+[19379.552837] [] check_preemption_disabled+0xe5/0xf5
+[19379.552842] [] debug_smp_processor_id+0x17/0x19
+[19379.552849] [] nft_queue_eval+0x35/0x20c [nft_queue]
+
+No need to disable preemption since we only fetch the numeric value, so
+let's use raw_smp_processor_id() instead.
+
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_queue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_queue.c
++++ b/net/netfilter/nft_queue.c
+@@ -37,7 +37,7 @@ static void nft_queue_eval(const struct
+
+ if (priv->queues_total > 1) {
+ if (priv->flags & NFT_QUEUE_FLAG_CPU_FANOUT) {
+- int cpu = smp_processor_id();
++ int cpu = raw_smp_processor_id();
+
+ queue = priv->queuenum + cpu % priv->queues_total;
+ } else {
diff --git a/queue-3.18/pci-apply-_hpx-settings-only-to-relevant-devices.patch b/queue-3.18/pci-apply-_hpx-settings-only-to-relevant-devices.patch
new file mode 100644
index 00000000000..581e4fd57ea
--- /dev/null
+++ b/queue-3.18/pci-apply-_hpx-settings-only-to-relevant-devices.patch
@@ -0,0 +1,73 @@
+From foo@baz Tue Nov 28 10:58:31 CET 2017
+From: Bjorn Helgaas
+Date: Mon, 2 Jan 2017 14:04:24 -0600
+Subject: PCI: Apply _HPX settings only to relevant devices
+
+From: Bjorn Helgaas
+
+
+[ Upstream commit 977509f7c5c6fb992ffcdf4291051af343b91645 ]
+
+Previously we didn't check the type of device before trying to apply Type 1
+(PCI-X) or Type 2 (PCIe) Setting Records from _HPX.
+
+We don't support PCI-X Setting Records, so this was harmless, but the
+warning was useless.
+
+We do support PCIe Setting Records, and we didn't check whether a device
+was PCIe before applying settings. I don't think anything bad happened on
+non-PCIe devices because pcie_capability_clear_and_set_word(),
+pcie_cap_has_lnkctl(), etc., would fail before doing any harm. But it's
+ugly to depend on those internals.
+
+Check the device type before attempting to apply Type 1 and Type 2 Setting
+Records (Type 0 records are applicable to PCI, PCI-X, and PCIe devices).
+
+A side benefit is that this prevents useless "not supported" warnings when
+a BIOS supplies a Type 1 (PCI-X) Setting Record and we try to apply it to
+every single device:
+
+ pci 0000:00:00.0: PCI-X settings not supported
+
+After this patch, we'll get the warning only when a BIOS supplies a Type 1
+record and we have a PCI-X device to which it should be applied.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=187731
+Signed-off-by: Bjorn Helgaas
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/probe.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1329,8 +1329,16 @@ static void program_hpp_type0(struct pci
+
+ static void program_hpp_type1(struct pci_dev *dev, struct hpp_type1 *hpp)
+ {
+- if (hpp)
+- dev_warn(&dev->dev, "PCI-X settings not supported\n");
++ int pos;
++
++ if (!hpp)
++ return;
++
++ pos = pci_find_capability(dev, PCI_CAP_ID_PCIX);
++ if (!pos)
++ return;
++
++ dev_warn(&dev->dev, "PCI-X settings not supported\n");
+ }
+
+ static void program_hpp_type2(struct pci_dev *dev, struct hpp_type2 *hpp)
+@@ -1341,6 +1349,9 @@ static void program_hpp_type2(struct pci
+ if (!hpp)
+ return;
+
++ if (!pci_is_pcie(dev))
++ return;
++
+ if (hpp->revision > 1) {
+ dev_warn(&dev->dev, "PCIe settings rev %d not supported\n",
+ hpp->revision);
diff --git a/queue-3.18/rds-rdma-return-appropriate-error-on-rdma-map-failures.patch b/queue-3.18/rds-rdma-return-appropriate-error-on-rdma-map-failures.patch
new file mode 100644
index 00000000000..dd6bb265a6a
--- /dev/null
+++ b/queue-3.18/rds-rdma-return-appropriate-error-on-rdma-map-failures.patch
@@ -0,0 +1,55 @@
+From foo@baz Tue Nov 28 10:58:31 CET 2017
+From: Santosh Shilimkar
+Date: Mon, 4 Jul 2016 17:04:37 -0700
+Subject: RDS: RDMA: return appropriate error on rdma map failures
+
+From: Santosh Shilimkar
+
+
+[ Upstream commit 584a8279a44a800dea5a5c1e9d53a002e03016b4 ]
+
+The first message to a remote node should prompt a new
+connection even if it is RDMA operation. For RDMA operation
+the MR mapping can fail because connections is not yet up.
+
+Since the connection establishment is asynchronous,
+we make sure the map failure because of unavailable
+connection reach to the user by appropriate error code.
+Before returning to the user, lets trigger the connection
+so that its ready for the next retry.
+
+Signed-off-by: Santosh Shilimkar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rds/send.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/net/rds/send.c
++++ b/net/rds/send.c
+@@ -903,6 +903,11 @@ static int rds_cmsg_send(struct rds_sock
+ ret = rds_cmsg_rdma_map(rs, rm, cmsg);
+ if (!ret)
+ *allocated_mr = 1;
++ else if (ret == -ENODEV)
++ /* Accommodate the get_mr() case which can fail
++ * if connection isn't established yet.
++ */
++ ret = -EAGAIN;
+ break;
+ case RDS_CMSG_ATOMIC_CSWP:
+ case RDS_CMSG_ATOMIC_FADD:
+@@ -1011,8 +1016,12 @@ int rds_sendmsg(struct kiocb *iocb, stru
+
+ /* Parse any control messages the user may have included. */
+ ret = rds_cmsg_send(rs, rm, msg, &allocated_mr);
+- if (ret)
++ if (ret) {
++ /* Trigger connection so that its ready for the next retry */
++ if (ret == -EAGAIN)
++ rds_conn_connect_if_down(conn);
+ goto out;
++ }
+
+ if (rm->rdma.op_active && !conn->c_trans->xmit_rdma) {
+ printk_ratelimited(KERN_NOTICE "rdma_op %p conn xmit_rdma %p\n",
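Review bot: The `else if (ret == -ENODEV)` branch added to rds_cmsg_send() (rds-rdma-return-appropriate-error-on-rdma-map-failures.patch) places a three-line comment between the condition and its single unbraced statement, which makes `ret = -EAGAIN;` easy to misread as unconditional. Bracing the branch, `else if (ret == -ENODEV) {` ... `}`, removes the ambiguity. In rds_sendmsg() the reconnect is keyed on `ret == -EAGAIN` alone, so any other path in rds_cmsg_send() that returns -EAGAIN (none is visible in this hunk) would also call `rds_conn_connect_if_down(conn)`; the comment there could say whether that is intended. Both functions continue outside the hunks.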
diff --git a/queue-3.18/s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch b/queue-3.18/s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch
new file mode 100644
index 00000000000..acd4964334b
--- /dev/null
+++ b/queue-3.18/s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch
@@ -0,0 +1,42 @@
+From foo@baz Tue Nov 28 10:58:31 CET 2017
+From: Heiko Carstens
+Date: Tue, 20 Dec 2016 12:58:10 +0100
+Subject: s390/kbuild: enable modversions for symbols exported from asm
+
+From: Heiko Carstens
+
+
+[ Upstream commit cabab3f9f5ca077535080b3252e6168935b914af ]
+
+s390 version of commit 334bb7738764 ("x86/kbuild: enable modversions
+for symbols exported from asm") so we get also rid of all these
+warnings:
+
+WARNING: EXPORT symbol "_mcount" [vmlinux] version generation failed, symbol will not be versioned.
+WARNING: EXPORT symbol "memcpy" [vmlinux] version generation failed, symbol will not be versioned.
+WARNING: EXPORT symbol "memmove" [vmlinux] version generation failed, symbol will not be versioned.
+WARNING: EXPORT symbol "memset" [vmlinux] version generation failed, symbol will not be versioned.
+WARNING: EXPORT symbol "save_fpu_regs" [vmlinux] version generation failed, symbol will not be versioned.
+WARNING: EXPORT symbol "sie64a" [vmlinux] version generation failed, symbol will not be versioned.
+WARNING: EXPORT symbol "sie_exit" [vmlinux] version generation failed, symbol will not be versioned.
+
+Signed-off-by: Heiko Carstens
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/include/asm/asm-prototypes.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+ create mode 100644 arch/s390/include/asm/asm-prototypes.h
+
+--- /dev/null
++++ b/arch/s390/include/asm/asm-prototypes.h
+@@ -0,0 +1,8 @@
++#ifndef _ASM_S390_PROTOTYPES_H
++
++#include
++#include
++#include
++#include
++
++#endif /* _ASM_S390_PROTOTYPES_H */
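Review bot: The new header arch/s390/include/asm/asm-prototypes.h opens with `#ifndef _ASM_S390_PROTOTYPES_H` but never defines that macro, so the include guard has no effect and the body is processed on every inclusion. Adding `#define _ASM_S390_PROTOTYPES_H` directly after the `#ifndef` line fixes it. The targets of the four `#include` lines are not readable on this page, so whether each of them exists in the 3.18 tree could not be checked here and is worth confirming for the backport.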
diff --git a/queue-3.18/series b/queue-3.18/series
index d660b19873b..a601f047b40 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -50,3 +50,18 @@ iio-iio-trig-periodic-rtc-free-trigger-resource-correctly.patch
 e1000e-fix-error-path-in-link-detection.patch
 e1000e-fix-return-value-test.patch
 e1000e-separate-signaling-for-link-check-link-up.patch
+rds-rdma-return-appropriate-error-on-rdma-map-failures.patch
+pci-apply-_hpx-settings-only-to-relevant-devices.patch
+net-3com-typhoon-typhoon_init_one-make-return-values-more-specific.patch
+net-3com-typhoon-typhoon_init_one-fix-incorrect-return-values.patch
+drm-armada-fix-compile-fail.patch
+alsa-hda-apply-alc269_fixup_no_shutup-on-hda_fixup_act_probe.patch
+mac80211-remove-invalid-flag-operations-in-mesh-tsf-synchronization.patch
+mac80211-suppress-new_peer_candidate-event-if-no-room.patch
+staging-iio-cdc-fix-improper-return-value.patch
+netfilter-nft_queue-use-raw_smp_processor_id.patch
+netfilter-nf_tables-fix-oob-access.patch
+btrfs-return-the-actual-error-value-from-from-btrfs_uuid_tree_iterate.patch
+asoc-wm_adsp-don-t-overrun-firmware-file-buffer-when-reading-region-data.patch
+s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch
+xen-xenbus-driver-must-not-accept-invalid-transaction-ids.patch
diff --git a/queue-3.18/staging-iio-cdc-fix-improper-return-value.patch b/queue-3.18/staging-iio-cdc-fix-improper-return-value.patch
new file mode 100644
index 00000000000..02011224419
--- /dev/null
+++ b/queue-3.18/staging-iio-cdc-fix-improper-return-value.patch
@@ -0,0 +1,33 @@
+From foo@baz Tue Nov 28 10:58:31 CET 2017
+From: Pan Bian
+Date: Sat, 3 Dec 2016 21:44:30 +0800
+Subject: staging: iio: cdc: fix improper return value
+
+From: Pan Bian
+
+
+[ Upstream commit 91ca1a8c584f55857b1f6ab20a1d3a1ce7a559bb ]
+
+At the end of function ad7150_write_event_config(), directly returns 0.
+As a result, the errors will be ignored by the callers. It may be better
+to return variable "ret".
+
+Signed-off-by: Pan Bian
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/iio/cdc/ad7150.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/iio/cdc/ad7150.c
++++ b/drivers/staging/iio/cdc/ad7150.c
+@@ -275,7 +275,7 @@ static int ad7150_write_event_config(str
+ error_ret:
+ mutex_unlock(&chip->state_lock);
+
+- return 0;
++ return ret;
+ }
+
+ static int ad7150_read_event_value(struct iio_dev *indio_dev,
diff --git a/queue-3.18/xen-xenbus-driver-must-not-accept-invalid-transaction-ids.patch b/queue-3.18/xen-xenbus-driver-must-not-accept-invalid-transaction-ids.patch
new file mode 100644
index 00000000000..9a5a0ace784
--- /dev/null
+++ b/queue-3.18/xen-xenbus-driver-must-not-accept-invalid-transaction-ids.patch
@@ -0,0 +1,45 @@
+From foo@baz Tue Nov 28 10:58:31 CET 2017
+From: Juergen Gross
+Date: Thu, 22 Dec 2016 08:19:46 +0100
+Subject: xen: xenbus driver must not accept invalid transaction ids
+
+From: Juergen Gross
+
+
+[ Upstream commit 639b08810d6ad74ded2c5f6e233c4fcb9d147168 ]
+
+When accessing Xenstore in a transaction the user is specifying a
+transaction id which he normally obtained from Xenstore when starting
+the transaction. Xenstore is validating a transaction id against all
+known transaction ids of the connection the request came in. As all
+requests of a domain not being the one where Xenstore lives share
+one connection, validation of transaction ids of different users of
+Xenstore in that domain should be done by the kernel of that domain
+being the multiplexer between the Xenstore users in that domain and
+Xenstore.
+
+In order to prohibit one Xenstore user "hijacking" a transaction from
+another user the xenbus driver has to verify a given transaction id
+against all known transaction ids of the user before forwarding it to
+Xenstore.
+
+Signed-off-by: Juergen Gross
+Reviewed-by: Boris Ostrovsky
+Signed-off-by: Juergen Gross
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
+@@ -316,7 +316,7 @@ static int xenbus_write_transaction(unsi
+ rc = -ENOMEM;
+ goto out;
+ }
+- } else if (msg_type == XS_TRANSACTION_END) {
++ } else if (u->u.msg.tx_id != 0) {
+ list_for_each_entry(trans, &u->transactions, list)
+ if (trans->handle.id == u->u.msg.tx_id)
+ break;
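Review bot: With the branch condition changed to `u->u.msg.tx_id != 0` in xenbus_write_transaction(), a request carrying tx_id 0 is forwarded with no lookup at all, and that now includes XS_TRANSACTION_END, which the old condition always checked against the user's list. If code after this hunk still uses `trans` when handling the reply to XS_TRANSACTION_END (the rest of the function is not visible here), that path should be confirmed safe when no lookup ran. The branch is also an `else` of what appears to be the transaction-start case, so a start request with a non-zero tx_id would skip the ownership check; worth confirming that is acceptable. A comment on the branch would record the convention, e.g. `/* tx_id 0 means "no transaction"; any other id must belong to this user */`. The not-found test that has to follow the unbraced `list_for_each_entry` loop lies outside the hunk.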