From: Greg Kroah-Hartman Date: Tue, 8 Nov 2016 16:46:35 +0000 (+0100) Subject: 4.8-stable patches X-Git-Tag: v4.4.31~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b114ddb66447e9fcf6afdcf7c7b3869432410d5d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.8-stable patches added patches: arm-dts-fix-the-sd-card-on-the-snowball.patch arm-mvebu-select-corediv-clk-for-all-mvebu-v7-soc.patch dm-mirror-fix-read-error-on-recovery-after-default-leg-failure.patch dm-raid-fix-activation-of-existing-raid4-10-devices.patch dm-raid-fix-compat_features-validation.patch dm-rq-clear-kworker_task-if-kthread_run-returned-an-error.patch dm-table-fix-missing-dm_put_target_type-in-dm_table_add_target.patch firewire-net-fix-fragmented-datagram_size-off-by-one.patch firewire-net-guard-against-rx-buffer-overflows.patch input-i8042-add-xmg-c504-to-keyboard-reset-table.patch kvm-mips-make-eret-handle-erl-before-exl.patch kvm-mips-precalculate-mmio-load-resume-pc.patch kvm-s390-fix-sthyi-buffer-alignment-for-diag224.patch kvm-x86-fix-wbinvd_dirty_mask-use-after-free.patch mips-kaslr-fix-handling-of-null-fdt.patch nfsd-fix-general-protection-fault-in-release_lock_stateid.patch ovl-fix-get_acl-on-tmpfs.patch ovl-fsync-after-copy-up.patch ovl-update-s_isgid-when-setting-posix-acls.patch parisc-ensure-consistent-state-when-switching-to-kernel-stack-at-syscall-entry.patch rtl8xxxu-fix-big-endian-problem-reporting-mactime.patch rtl8xxxu-fix-memory-leak-in-handling-rxdesc16-packets.patch rtl8xxxu-fix-rtl8723bu-driver-reload-issue.patch virtio-console-unlock-vqs-while-freeing-buffers.patch virtio_pci-limit-dma-mask-to-44-bits-for-legacy-virtio-devices.patch virtio_ring-make-interrupt-suppression-spec-compliant.patch --- diff --git a/queue-4.8/arm-dts-fix-the-sd-card-on-the-snowball.patch b/queue-4.8/arm-dts-fix-the-sd-card-on-the-snowball.patch new file mode 100644 index 00000000000..6a77abe38a5 --- /dev/null +++ b/queue-4.8/arm-dts-fix-the-sd-card-on-the-snowball.patch 
@@ -0,0 +1,79 @@ +From 1b283eea6228880b765bc40fe4e555416437ce58 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Fri, 7 Oct 2016 10:52:17 +0200 +Subject: ARM: dts: fix the SD card on the Snowball + +From: Linus Walleij + +commit 1b283eea6228880b765bc40fe4e555416437ce58 upstream. + +This fixes a very annoying regression on the Snowball SD card +that has been around for a while. It turns out that the device +tree does not configure the direction pins properly, nor sets +up the pins for the voltage converter properly at boot. Unless +all things are correctly set up, the feedback clock will not +work, and makes the driver spew messages in the console (but +it works, very slowly): + +root@Ux500:/ mount /dev/mmcblk0p2 /mnt/ +[ 9.953460] mmci-pl18x 80126000.sdi0_per1: error during DMA transfer! +[ 9.960296] mmcblk0: error -110 sending status command, retrying +[ 9.966461] mmcblk0: error -110 sending status command, retrying +[ 9.972534] mmcblk0: error -110 sending status command, aborting + +Fix this by rectifying the device tree to correspond to that of +the Ux500 HREF boards plus the DAT31DIR setting that is unique for +the Snowball, and things start working smoothly. Add in the SDR12 +and SDR25 modes which this host can do without any problems. + +I don't know if this has ever been correct, sadly. It works after +this patch. 
+ +Reported-by: Daniel Lezcano +Cc: Ulf Hansson +Signed-off-by: Linus Walleij +Signed-off-by: Olof Johansson +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/ste-snowball.dts | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/ste-snowball.dts ++++ b/arch/arm/boot/dts/ste-snowball.dts +@@ -239,14 +239,25 @@ + arm,primecell-periphid = <0x10480180>; + max-frequency = <100000000>; + bus-width = <4>; ++ cap-sd-highspeed; + cap-mmc-highspeed; ++ sd-uhs-sdr12; ++ sd-uhs-sdr25; ++ /* All direction control is used */ ++ st,sig-dir-cmd; ++ st,sig-dir-dat0; ++ st,sig-dir-dat2; ++ st,sig-dir-dat31; ++ st,sig-pin-fbclk; ++ full-pwr-cycle; + vmmc-supply = <&ab8500_ldo_aux3_reg>; + vqmmc-supply = <&vmmci>; + pinctrl-names = "default", "sleep"; + pinctrl-0 = <&sdi0_default_mode>; + pinctrl-1 = <&sdi0_sleep_mode>; + +- cd-gpios = <&gpio6 26 GPIO_ACTIVE_LOW>; // 218 ++ /* GPIO218 MMC_CD */ ++ cd-gpios = <&gpio6 26 GPIO_ACTIVE_LOW>; + + status = "okay"; + }; +@@ -549,7 +560,7 @@ + /* VMMCI level-shifter enable */ + snowball_cfg3 { + pins = "GPIO217_AH12"; +- ste,config = <&gpio_out_lo>; ++ ste,config = <&gpio_out_hi>; + }; + /* VMMCI level-shifter voltage select */ + snowball_cfg4 { diff --git a/queue-4.8/arm-mvebu-select-corediv-clk-for-all-mvebu-v7-soc.patch b/queue-4.8/arm-mvebu-select-corediv-clk-for-all-mvebu-v7-soc.patch new file mode 100644 index 00000000000..cf305056893 --- /dev/null +++ b/queue-4.8/arm-mvebu-select-corediv-clk-for-all-mvebu-v7-soc.patch 
@@ -0,0 +1,75 @@ +From 33c45ef8adc8a7cf781b2566d50e6ea8e97b3596 Mon Sep 17 00:00:00 2001 +From: Gregory CLEMENT +Date: Mon, 19 Sep 2016 12:02:50 +0200 +Subject: ARM: mvebu: Select corediv clk for all mvebu v7 SoC +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gregory CLEMENT + +commit 33c45ef8adc8a7cf781b2566d50e6ea8e97b3596 upstream. + +Since the commit bd3677ff31a3 ("clk: mvebu: Remove corediv clock from +Armada XP"), the corediv clk is no more selected for Armada XP, however +this clock is used for Armada XP using the compatible +armada-370-corediv-clock. + +While since commit 1594d568c6e3 ("clk: mvebu: Move corediv config to +mvebu config") Armada 38x and Armada 375 got corediv support again, not +only Armada XP was missed but also Armada 39x. + +Actually all the SoC selecting MVEBU_V7 config need this clock: +git grep "\-corediv-clock" arch/arm/boot/dts +arch/arm/boot/dts/armada-370-xp.dtsi: compatible = "marvell,armada-370-corediv-clock"; +arch/arm/boot/dts/armada-375.dtsi: compatible = "marvell,armada-375-corediv-clock"; +arch/arm/boot/dts/armada-38x.dtsi: compatible = "marvell,armada-380-corediv-clock"; +arch/arm/boot/dts/armada-39x.dtsi: compatible = "marvell,armada-390-corediv-clock" + +This commit now fixes this behavior by letting MVEBU_V7 select +MVEBU_CLK_COREDIV. 
+ +Fixes: bd3677ff31a3 ("clk: mvebu: Remove corediv clock from Armada XP") +Reported-by: Uwe Kleine-König +Acked-by: Uwe Kleine-König +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-mvebu/Kconfig | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/arch/arm/mach-mvebu/Kconfig ++++ b/arch/arm/mach-mvebu/Kconfig +@@ -23,6 +23,7 @@ config MACH_MVEBU_V7 + select CACHE_L2X0 + select ARM_CPU_SUSPEND + select MACH_MVEBU_ANY ++ select MVEBU_CLK_COREDIV + + config MACH_ARMADA_370 + bool "Marvell Armada 370 boards" +@@ -32,7 +33,6 @@ config MACH_ARMADA_370 + select CPU_PJ4B + select MACH_MVEBU_V7 + select PINCTRL_ARMADA_370 +- select MVEBU_CLK_COREDIV + help + Say 'Y' here if you want your kernel to support boards based + on the Marvell Armada 370 SoC with device tree. +@@ -50,7 +50,6 @@ config MACH_ARMADA_375 + select HAVE_SMP + select MACH_MVEBU_V7 + select PINCTRL_ARMADA_375 +- select MVEBU_CLK_COREDIV + help + Say 'Y' here if you want your kernel to support boards based + on the Marvell Armada 375 SoC with device tree. +@@ -68,7 +67,6 @@ config MACH_ARMADA_38X + select HAVE_SMP + select MACH_MVEBU_V7 + select PINCTRL_ARMADA_38X +- select MVEBU_CLK_COREDIV + help + Say 'Y' here if you want your kernel to support boards based + on the Marvell Armada 380/385 SoC with device tree. diff --git a/queue-4.8/dm-mirror-fix-read-error-on-recovery-after-default-leg-failure.patch b/queue-4.8/dm-mirror-fix-read-error-on-recovery-after-default-leg-failure.patch new file mode 100644 index 00000000000..4bb747cc37d --- /dev/null +++ b/queue-4.8/dm-mirror-fix-read-error-on-recovery-after-default-leg-failure.patch 
@@ -0,0 +1,36 @@ +From dcb2ff56417362c31f6b430c3c531a84581e8721 Mon Sep 17 00:00:00 2001 +From: Heinz Mauelshagen +Date: Mon, 10 Oct 2016 17:58:32 +0200 +Subject: dm mirror: fix read error on recovery after default leg failure + +From: Heinz Mauelshagen + +commit dcb2ff56417362c31f6b430c3c531a84581e8721 upstream. + +If a default leg has failed, any read will cause a new operational +default leg to be selected and the read is resubmitted. But until now +the read will return failure even though it was successful due to +resubmission. The reason for this is bio->bi_error was not being +cleared before resubmitting the bio. + +Fix by clearing bio->bi_error before resubmission. + +Fixes: 4246a0b63bd8 ("block: add a bi_error field to struct bio") +Signed-off-by: Heinz Mauelshagen +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-raid1.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/md/dm-raid1.c ++++ b/drivers/md/dm-raid1.c +@@ -1292,6 +1292,7 @@ static int mirror_end_io(struct dm_targe + + dm_bio_restore(bd, bio); + bio_record->details.bi_bdev = NULL; ++ bio->bi_error = 0; + + queue_bio(ms, bio, rw); + return DM_ENDIO_INCOMPLETE; diff --git a/queue-4.8/dm-raid-fix-activation-of-existing-raid4-10-devices.patch b/queue-4.8/dm-raid-fix-activation-of-existing-raid4-10-devices.patch new file mode 100644 index 00000000000..5cc68e60061 --- /dev/null +++ b/queue-4.8/dm-raid-fix-activation-of-existing-raid4-10-devices.patch 
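Review bot: The new `bio->bi_error = 0;` has no comment saying why a bio that has just reported a failure is reset before `queue_bio()`, and the reason lives only in the commit message: the read is resubmitted to a newly selected default leg, and without the clear the stale error from the failed leg is what the caller sees when the retried read completes. Suggest `/* Clear the failed leg's error before resubmitting; the retried read reports its own result */` directly above the assignment. Placing the clear after `dm_bio_restore()` looks deliberate, presumably because restore rewrites bio fields from the saved copy, but what dm_bio_restore touches is not visible here. mirror_end_io() begins and ends outside the hunk.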
@@ -0,0 +1,85 @@ +From b052b07c39d593c9954a84d5bbe1563999483f38 Mon Sep 17 00:00:00 2001 +From: Heinz Mauelshagen +Date: Mon, 17 Oct 2016 21:20:07 +0200 +Subject: dm raid: fix activation of existing raid4/10 devices + +From: Heinz Mauelshagen + +commit b052b07c39d593c9954a84d5bbe1563999483f38 upstream. + +dm-raid 1.9.0 fails to activate existing RAID4/10 devices that have the +old superblock format (which does not have takeover/reshaping support +that was added via commit 33e53f06850f). + +Fix validation path for old superblocks by reverting to the old raid4 +layout and basing checks on mddev->new_{level,layout,...} members in +super_init_validation(). + +Signed-off-by: Heinz Mauelshagen +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/device-mapper/dm-raid.txt | 1 + + drivers/md/dm-raid.c | 12 +++++++----- + 2 files changed, 8 insertions(+), 5 deletions(-) + +--- a/Documentation/device-mapper/dm-raid.txt ++++ b/Documentation/device-mapper/dm-raid.txt +@@ -309,3 +309,4 @@ Version History + with a reshape in progress. + 1.9.0 Add support for RAID level takeover/reshape/region size + and set size reduction. 
++1.9.1 Fix activation of existing RAID 4/10 mapped devices +--- a/drivers/md/dm-raid.c ++++ b/drivers/md/dm-raid.c +@@ -266,7 +266,7 @@ static struct raid_type { + {"raid10_offset", "raid10 offset (striped mirrors)", 0, 2, 10, ALGORITHM_RAID10_OFFSET}, + {"raid10_near", "raid10 near (striped mirrors)", 0, 2, 10, ALGORITHM_RAID10_NEAR}, + {"raid10", "raid10 (striped mirrors)", 0, 2, 10, ALGORITHM_RAID10_DEFAULT}, +- {"raid4", "raid4 (dedicated last parity disk)", 1, 2, 4, ALGORITHM_PARITY_N}, /* raid4 layout = raid5_n */ ++ {"raid4", "raid4 (dedicated first parity disk)", 1, 2, 5, ALGORITHM_PARITY_0}, /* raid4 layout = raid5_0 */ + {"raid5_n", "raid5 (dedicated last parity disk)", 1, 2, 5, ALGORITHM_PARITY_N}, + {"raid5_ls", "raid5 (left symmetric)", 1, 2, 5, ALGORITHM_LEFT_SYMMETRIC}, + {"raid5_rs", "raid5 (right symmetric)", 1, 2, 5, ALGORITHM_RIGHT_SYMMETRIC}, +@@ -2087,11 +2087,11 @@ static int super_init_validation(struct + /* + * No takeover/reshaping, because we don't have the extended v1.9.0 metadata + */ +- if (le32_to_cpu(sb->level) != mddev->level) { ++ if (le32_to_cpu(sb->level) != mddev->new_level) { + DMERR("Reshaping/takeover raid sets not yet supported. (raid level/stripes/size change)"); + return -EINVAL; + } +- if (le32_to_cpu(sb->layout) != mddev->layout) { ++ if (le32_to_cpu(sb->layout) != mddev->new_layout) { + DMERR("Reshaping raid sets not yet supported. (raid layout change)"); + DMERR(" 0x%X vs 0x%X", le32_to_cpu(sb->layout), mddev->layout); + DMERR(" Old layout: %s w/ %d copies", +@@ -2102,7 +2102,7 @@ static int super_init_validation(struct + raid10_md_layout_to_copies(mddev->layout)); + return -EINVAL; + } +- if (le32_to_cpu(sb->stripe_sectors) != mddev->chunk_sectors) { ++ if (le32_to_cpu(sb->stripe_sectors) != mddev->new_chunk_sectors) { + DMERR("Reshaping raid sets not yet supported. 
(stripe sectors change)"); + return -EINVAL; + } +@@ -2115,6 +2115,8 @@ static int super_init_validation(struct + return -EINVAL; + } + ++ DMINFO("Discovered old metadata format; upgrading to extended metadata format"); ++ + /* Table line is checked vs. authoritative superblock */ + rs_set_new(rs); + } +@@ -3647,7 +3649,7 @@ static void raid_resume(struct dm_target + + static struct target_type raid_target = { + .name = "raid", +- .version = {1, 9, 0}, ++ .version = {1, 9, 1}, + .module = THIS_MODULE, + .ctr = raid_ctr, + .dtr = raid_dtr, diff --git a/queue-4.8/dm-raid-fix-compat_features-validation.patch b/queue-4.8/dm-raid-fix-compat_features-validation.patch new file mode 100644 index 00000000000..8efe3dfefb5 --- /dev/null +++ b/queue-4.8/dm-raid-fix-compat_features-validation.patch 
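Review bot: The layout check now compares `le32_to_cpu(sb->layout)` against `mddev->new_layout`, but the diagnostics on the following context lines still print `mddev->layout` (`DMERR(" 0x%X vs 0x%X", le32_to_cpu(sb->layout), mddev->layout);` and `raid10_md_layout_to_copies(mddev->layout)`), so the "vs" value in the log can differ from the value that actually failed the comparison. Change those prints to `mddev->new_layout` so the message reports the field that was compared. If the stripe-sectors branch logs `mddev->chunk_sectors` anywhere it has the same mismatch, though no such print is visible in the hunk. super_init_validation() starts and ends outside the hunk.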
@@ -0,0 +1,39 @@ +From 5c33677c87cbe44ae04df69c4a29c1750a9ec4e5 Mon Sep 17 00:00:00 2001 +From: Andy Whitcroft +Date: Tue, 11 Oct 2016 15:16:57 +0100 +Subject: dm raid: fix compat_features validation + +From: Andy Whitcroft + +commit 5c33677c87cbe44ae04df69c4a29c1750a9ec4e5 upstream. + +In ecbfb9f118bce4 ("dm raid: add raid level takeover support") a new +compatible feature flag was added. Validation for these compat_features +was added but this only passes for new raid mappings with this feature +flag. This causes previously created raid mappings to be failed at +import. + +Check compat_features for the only valid combination. + +Fixes: ecbfb9f118bce4 ("dm raid: add raid level takeover support") +Signed-off-by: Andy Whitcroft +Signed-off-by: Heinz Mauelshagen +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-raid.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/dm-raid.c ++++ b/drivers/md/dm-raid.c +@@ -2258,7 +2258,8 @@ static int super_validate(struct raid_se + if (!mddev->events && super_init_validation(rs, rdev)) + return -EINVAL; + +- if (le32_to_cpu(sb->compat_features) != FEATURE_FLAG_SUPPORTS_V190) { ++ if (le32_to_cpu(sb->compat_features) && ++ le32_to_cpu(sb->compat_features) != FEATURE_FLAG_SUPPORTS_V190) { + rs->ti->error = "Unable to assemble array: Unknown flag(s) in compatible feature flags"; + return -EINVAL; + } diff --git a/queue-4.8/dm-rq-clear-kworker_task-if-kthread_run-returned-an-error.patch b/queue-4.8/dm-rq-clear-kworker_task-if-kthread_run-returned-an-error.patch new file mode 100644 index 00000000000..248d670069b --- /dev/null +++ b/queue-4.8/dm-rq-clear-kworker_task-if-kthread_run-returned-an-error.patch 
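Review bot: The new condition evaluates `le32_to_cpu(sb->compat_features)` twice and accepts exactly two values, zero and FEATURE_FLAG_SUPPORTS_V190, without saying why zero is legal. Since this is on-disk metadata being validated, a local plus a comment makes the allow-list explicit: `u32 compat = le32_to_cpu(sb->compat_features);`, `/* 0: pre-1.9.0 superblock without compat flags; otherwise only SUPPORTS_V190 is known */`, `if (compat && compat != FEATURE_FLAG_SUPPORTS_V190) {`. The strict equality (rather than masking off known bits) is the safer choice for a feature word, since it still refuses any superblock carrying bits this version does not understand. super_validate() continues outside the hunk.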
@@ -0,0 +1,39 @@ +From 937fa62e8a00d0b4bc2c0a40567d7c88ab2b2e8d Mon Sep 17 00:00:00 2001 +From: Mike Snitzer +Date: Tue, 18 Oct 2016 14:02:04 -0400 +Subject: dm rq: clear kworker_task if kthread_run() returned an error + +From: Mike Snitzer + +commit 937fa62e8a00d0b4bc2c0a40567d7c88ab2b2e8d upstream. + +cleanup_mapped_device() calls kthread_stop() if kworker_task is +non-NULL. Currently the assigned value could be a valid task struct or +an error code (e.g -ENOMEM). Reset md->kworker_task to NULL if +kthread_run() returned an erorr. + +Fixes: 7193a9defc ("dm rq: check kthread_run return for .request_fn request-based DM") +Reported-by: Tahsin Erdogan +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-rq.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-rq.c ++++ b/drivers/md/dm-rq.c +@@ -835,8 +835,11 @@ int dm_old_init_request_queue(struct map + init_kthread_worker(&md->kworker); + md->kworker_task = kthread_run(kthread_worker_fn, &md->kworker, + "kdmwork-%s", dm_device_name(md)); +- if (IS_ERR(md->kworker_task)) +- return PTR_ERR(md->kworker_task); ++ if (IS_ERR(md->kworker_task)) { ++ int error = PTR_ERR(md->kworker_task); ++ md->kworker_task = NULL; ++ return error; ++ } + + elv_register_queue(md->queue); + diff --git a/queue-4.8/dm-table-fix-missing-dm_put_target_type-in-dm_table_add_target.patch b/queue-4.8/dm-table-fix-missing-dm_put_target_type-in-dm_table_add_target.patch new file mode 100644 index 00000000000..686e46a777e --- /dev/null +++ b/queue-4.8/dm-table-fix-missing-dm_put_target_type-in-dm_table_add_target.patch 
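Review bot: The reset of `md->kworker_task` to NULL on the `IS_ERR` path has no comment, and the reason, that `cleanup_mapped_device()` calls `kthread_stop()` on any non-NULL kworker_task and would otherwise be handed an ERR_PTR, is only in the commit message. Suggest `/* cleanup_mapped_device() stops any non-NULL kworker_task; never leave an ERR_PTR behind */` above the assignment. Separately, the context line `elv_register_queue(md->queue);` just below appears to discard a return value; that is pre-existing, but worth a look while this error path is being tightened. dm_old_init_request_queue() begins and ends outside the hunk.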
@@ -0,0 +1,85 @@ +From dafa724bf582181d9a7d54f5cb4ca0bf8ef29269 Mon Sep 17 00:00:00 2001 +From: "tang.junhui" +Date: Fri, 21 Oct 2016 09:35:32 +0800 +Subject: dm table: fix missing dm_put_target_type() in dm_table_add_target() + +From: tang.junhui + +commit dafa724bf582181d9a7d54f5cb4ca0bf8ef29269 upstream. + +dm_get_target_type() was previously called so any error returned from +dm_table_add_target() must first call dm_put_target_type(). Otherwise +the DM target module's reference count will leak and the associated +kernel module will be unable to be removed. + +Also, leverage the fact that r is already -EINVAL and remove an extra +newline. + +Fixes: 36a0456 ("dm table: add immutable feature") +Fixes: cc6cbe1 ("dm table: add always writeable feature") +Fixes: 3791e2f ("dm table: add singleton feature") +Signed-off-by: tang.junhui +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-table.c | 24 +++++++++--------------- + 1 file changed, 9 insertions(+), 15 deletions(-) + +--- a/drivers/md/dm-table.c ++++ b/drivers/md/dm-table.c +@@ -695,37 +695,32 @@ int dm_table_add_target(struct dm_table + + tgt->type = dm_get_target_type(type); + if (!tgt->type) { +- DMERR("%s: %s: unknown target type", dm_device_name(t->md), +- type); ++ DMERR("%s: %s: unknown target type", dm_device_name(t->md), type); + return -EINVAL; + } + + if (dm_target_needs_singleton(tgt->type)) { + if (t->num_targets) { +- DMERR("%s: target type %s must appear alone in table", +- dm_device_name(t->md), type); +- return -EINVAL; ++ tgt->error = "singleton target type must appear alone in table"; ++ goto bad; + } + t->singleton = true; + } + + if (dm_target_always_writeable(tgt->type) && !(t->mode & FMODE_WRITE)) { +- DMERR("%s: target type %s may not be included in read-only tables", +- dm_device_name(t->md), type); +- return -EINVAL; ++ tgt->error = "target type may not be included in a read-only table"; ++ goto bad; + } + + if (t->immutable_target_type) { + if 
(t->immutable_target_type != tgt->type) { +- DMERR("%s: immutable target type %s cannot be mixed with other target types", +- dm_device_name(t->md), t->immutable_target_type->name); +- return -EINVAL; ++ tgt->error = "immutable target type cannot be mixed with other target types"; ++ goto bad; + } + } else if (dm_target_is_immutable(tgt->type)) { + if (t->num_targets) { +- DMERR("%s: immutable target type %s cannot be mixed with other target types", +- dm_device_name(t->md), tgt->type->name); +- return -EINVAL; ++ tgt->error = "immutable target type cannot be mixed with other target types"; ++ goto bad; + } + t->immutable_target_type = tgt->type; + } +@@ -740,7 +735,6 @@ int dm_table_add_target(struct dm_table + */ + if (!adjoin(t, tgt)) { + tgt->error = "Gap in table"; +- r = -EINVAL; + goto bad; + } + diff --git a/queue-4.8/firewire-net-fix-fragmented-datagram_size-off-by-one.patch b/queue-4.8/firewire-net-fix-fragmented-datagram_size-off-by-one.patch new file mode 100644 index 00000000000..5068a347916 --- /dev/null +++ b/queue-4.8/firewire-net-fix-fragmented-datagram_size-off-by-one.patch 
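Review bot: The error-path rewrite makes the function's correctness depend on two things outside the hunk: `r` must already hold -EINVAL when `goto bad` is taken (the `r = -EINVAL;` before the "Gap in table" goto is removed on that assumption), and the `bad:` label must call `dm_put_target_type()`, which is the leak the commit says it fixes; neither the initializer of `r` nor `bad:` is visible here, so please confirm both. The new `tgt->error` strings also drop information the old DMERR lines carried, namely `dm_device_name(t->md)` and the target type name, e.g. `"singleton target type must appear alone in table"` no longer says which type; if the `bad:` path logs `tgt->error` together with the device name and `tgt->type->name` that is fine, otherwise a `DMERR("%s: %s: %s", dm_device_name(t->md), type, tgt->error);` at `bad:` would keep the diagnostics as specific as before. dm_table_add_target() begins and ends outside the hunk.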
@@ -0,0 +1,86 @@ +From e9300a4b7bbae83af1f7703938c94cf6dc6d308f Mon Sep 17 00:00:00 2001 +From: Stefan Richter +Date: Sun, 30 Oct 2016 17:32:01 +0100 +Subject: firewire: net: fix fragmented datagram_size off-by-one + +From: Stefan Richter + +commit e9300a4b7bbae83af1f7703938c94cf6dc6d308f upstream. + +RFC 2734 defines the datagram_size field in fragment encapsulation +headers thus: + + datagram_size: The encoded size of the entire IP datagram. The + value of datagram_size [...] SHALL be one less than the value of + Total Length in the datagram's IP header (see STD 5, RFC 791). + +Accordingly, the eth1394 driver of Linux 2.6.36 and older set and got +this field with a -/+1 offset: + + ether1394_tx() /* transmit */ + ether1394_encapsulate_prep() + hdr->ff.dg_size = dg_size - 1; + + ether1394_data_handler() /* receive */ + if (hdr->common.lf == ETH1394_HDR_LF_FF) + dg_size = hdr->ff.dg_size + 1; + else + dg_size = hdr->sf.dg_size + 1; + +Likewise, I observe OS X 10.4 and Windows XP Pro SP3 to transmit 1500 +byte sized datagrams in fragments with datagram_size=1499 if link +fragmentation is required. + +Only firewire-net sets and gets datagram_size without this offset. The +result is lacking interoperability of firewire-net with OS X, Windows +XP, and presumably Linux' eth1394. (I did not test with the latter.) +For example, FTP data transfers to a Linux firewire-net box with max_rec +smaller than the 1500 bytes MTU + - from OS X fail entirely, + - from Win XP start out with a bunch of fragmented datagrams which + time out, then continue with unfragmented datagrams because Win XP + temporarily reduces the MTU to 576 bytes. + +So let's fix firewire-net's datagram_size accessors. + +Note that firewire-net thereby loses interoperability with unpatched +firewire-net, but only if link fragmentation is employed. 
(This happens +with large broadcast datagrams, and with large datagrams on several +FireWire CardBus cards with smaller max_rec than equivalent PCI cards, +and it can be worked around by setting a small enough MTU.) + +Signed-off-by: Stefan Richter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firewire/net.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/firewire/net.c ++++ b/drivers/firewire/net.c +@@ -73,13 +73,13 @@ struct rfc2734_header { + + #define fwnet_get_hdr_lf(h) (((h)->w0 & 0xc0000000) >> 30) + #define fwnet_get_hdr_ether_type(h) (((h)->w0 & 0x0000ffff)) +-#define fwnet_get_hdr_dg_size(h) (((h)->w0 & 0x0fff0000) >> 16) ++#define fwnet_get_hdr_dg_size(h) ((((h)->w0 & 0x0fff0000) >> 16) + 1) + #define fwnet_get_hdr_fg_off(h) (((h)->w0 & 0x00000fff)) + #define fwnet_get_hdr_dgl(h) (((h)->w1 & 0xffff0000) >> 16) + +-#define fwnet_set_hdr_lf(lf) ((lf) << 30) ++#define fwnet_set_hdr_lf(lf) ((lf) << 30) + #define fwnet_set_hdr_ether_type(et) (et) +-#define fwnet_set_hdr_dg_size(dgs) ((dgs) << 16) ++#define fwnet_set_hdr_dg_size(dgs) (((dgs) - 1) << 16) + #define fwnet_set_hdr_fg_off(fgo) (fgo) + + #define fwnet_set_hdr_dgl(dgl) ((dgl) << 16) +@@ -622,7 +622,7 @@ static int fwnet_incoming_packet(struct + fg_off = fwnet_get_hdr_fg_off(&hdr); + } + datagram_label = fwnet_get_hdr_dgl(&hdr); +- dg_size = fwnet_get_hdr_dg_size(&hdr); /* ??? + 1 */ ++ dg_size = fwnet_get_hdr_dg_size(&hdr); + + if (fg_off + len > dg_size) + return 0; diff --git a/queue-4.8/firewire-net-guard-against-rx-buffer-overflows.patch b/queue-4.8/firewire-net-guard-against-rx-buffer-overflows.patch new file mode 100644 index 00000000000..c508c5cec84 --- /dev/null +++ b/queue-4.8/firewire-net-guard-against-rx-buffer-overflows.patch 
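Review bot: `fwnet_set_hdr_dg_size(dgs)` now expands to `((dgs) - 1) << 16` with no statement of its precondition: the getter masks a 12-bit field (0x0fff0000), so callers must pass the true datagram size in 1..4096, and a zero `dgs` would either underflow and set bits outside the field, including the lf bits at 0xc0000000, or, if `dgs` is a signed type, left-shift a negative value, which is undefined behaviour. Suggest `/* RFC 2734: datagram_size is encoded as (size - 1); callers pass the real size, 1..4096 */` above the two dg_size macros so the asymmetry with the other accessors reads as intended rather than as a typo. Note that this patch and the neighbouring rx-buffer-overflow patch both rewrite the same context line `dg_size = fwnet_get_hdr_dg_size(&hdr); /* ??? + 1 */`, so they apply cleanly in only one order; the series file that fixes that order is not in this view.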
@@ -0,0 +1,131 @@ +From 667121ace9dbafb368618dbabcf07901c962ddac Mon Sep 17 00:00:00 2001 +From: Stefan Richter +Date: Sat, 29 Oct 2016 21:28:18 +0200 +Subject: firewire: net: guard against rx buffer overflows + +From: Stefan Richter + +commit 667121ace9dbafb368618dbabcf07901c962ddac upstream. + +The IP-over-1394 driver firewire-net lacked input validation when +handling incoming fragmented datagrams. A maliciously formed fragment +with a respectively large datagram_offset would cause a memcpy past the +datagram buffer. + +So, drop any packets carrying a fragment with offset + length larger +than datagram_size. + +In addition, ensure that + - GASP header, unfragmented encapsulation header, or fragment + encapsulation header actually exists before we access it, + - the encapsulated datagram or fragment is of nonzero size. + +Reported-by: Eyal Itkin +Reviewed-by: Eyal Itkin +Fixes: CVE 2016-8633 +Signed-off-by: Stefan Richter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firewire/net.c | 51 +++++++++++++++++++++++++++++++++---------------- + 1 file changed, 35 insertions(+), 16 deletions(-) + +--- a/drivers/firewire/net.c ++++ b/drivers/firewire/net.c +@@ -578,6 +578,9 @@ static int fwnet_incoming_packet(struct + int retval; + u16 ether_type; + ++ if (len <= RFC2374_UNFRAG_HDR_SIZE) ++ return 0; ++ + hdr.w0 = be32_to_cpu(buf[0]); + lf = fwnet_get_hdr_lf(&hdr); + if (lf == RFC2374_HDR_UNFRAG) { +@@ -602,7 +605,12 @@ static int fwnet_incoming_packet(struct + return fwnet_finish_incoming_packet(net, skb, source_node_id, + is_broadcast, ether_type); + } ++ + /* A datagram fragment has been received, now the fun begins. */ ++ ++ if (len <= RFC2374_FRAG_HDR_SIZE) ++ return 0; ++ + hdr.w1 = ntohl(buf[1]); + buf += 2; + len -= RFC2374_FRAG_HDR_SIZE; +@@ -616,6 +624,9 @@ static int fwnet_incoming_packet(struct + datagram_label = fwnet_get_hdr_dgl(&hdr); + dg_size = fwnet_get_hdr_dg_size(&hdr); /* ??? 
+ 1 */ + ++ if (fg_off + len > dg_size) ++ return 0; ++ + spin_lock_irqsave(&dev->lock, flags); + + peer = fwnet_peer_find_by_node_id(dev, source_node_id, generation); +@@ -722,6 +733,22 @@ static void fwnet_receive_packet(struct + fw_send_response(card, r, rcode); + } + ++static int gasp_source_id(__be32 *p) ++{ ++ return be32_to_cpu(p[0]) >> 16; ++} ++ ++static u32 gasp_specifier_id(__be32 *p) ++{ ++ return (be32_to_cpu(p[0]) & 0xffff) << 8 | ++ (be32_to_cpu(p[1]) & 0xff000000) >> 24; ++} ++ ++static u32 gasp_version(__be32 *p) ++{ ++ return be32_to_cpu(p[1]) & 0xffffff; ++} ++ + static void fwnet_receive_broadcast(struct fw_iso_context *context, + u32 cycle, size_t header_length, void *header, void *data) + { +@@ -731,9 +758,6 @@ static void fwnet_receive_broadcast(stru + __be32 *buf_ptr; + int retval; + u32 length; +- u16 source_node_id; +- u32 specifier_id; +- u32 ver; + unsigned long offset; + unsigned long flags; + +@@ -750,22 +774,17 @@ static void fwnet_receive_broadcast(stru + + spin_unlock_irqrestore(&dev->lock, flags); + +- specifier_id = (be32_to_cpu(buf_ptr[0]) & 0xffff) << 8 +- | (be32_to_cpu(buf_ptr[1]) & 0xff000000) >> 24; +- ver = be32_to_cpu(buf_ptr[1]) & 0xffffff; +- source_node_id = be32_to_cpu(buf_ptr[0]) >> 16; +- +- if (specifier_id == IANA_SPECIFIER_ID && +- (ver == RFC2734_SW_VERSION ++ if (length > IEEE1394_GASP_HDR_SIZE && ++ gasp_specifier_id(buf_ptr) == IANA_SPECIFIER_ID && ++ (gasp_version(buf_ptr) == RFC2734_SW_VERSION + #if IS_ENABLED(CONFIG_IPV6) +- || ver == RFC3146_SW_VERSION ++ || gasp_version(buf_ptr) == RFC3146_SW_VERSION + #endif +- )) { +- buf_ptr += 2; +- length -= IEEE1394_GASP_HDR_SIZE; +- fwnet_incoming_packet(dev, buf_ptr, length, source_node_id, ++ )) ++ fwnet_incoming_packet(dev, buf_ptr + 2, ++ length - IEEE1394_GASP_HDR_SIZE, ++ gasp_source_id(buf_ptr), + context->card->generation, true); +- } + + packet.payload_length = dev->rcv_buffer_size; + packet.interrupt = 1; 
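Review bot: The three new `gasp_*()` helpers read `p[0]` and `p[1]` without a length argument and so rely entirely on the caller's new `length > IEEE1394_GASP_HDR_SIZE` check; a one-line contract on them, e.g. `/* Callers must have verified at least IEEE1394_GASP_HDR_SIZE bytes at p */`, keeps the next caller from reintroducing the unchecked read this patch removes. `gasp_source_id()` returns `int` where the removed local was `u16 source_node_id`; the value is a 16-bit shift result so this is harmless, but `u16` would match the parameter of `fwnet_incoming_packet()` it is passed to, if that parameter is u16 (the prototype is outside the hunk). The bounds check `if (fg_off + len > dg_size)` also deserves a comment naming the invariant it enforces, such as `/* fragment must lie within the datagram buffer sized by dg_size */`, since it is the fix for the CVE named in the description. fwnet_incoming_packet() and fwnet_receive_broadcast() both start and end outside the hunk.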
diff --git a/queue-4.8/input-i8042-add-xmg-c504-to-keyboard-reset-table.patch b/queue-4.8/input-i8042-add-xmg-c504-to-keyboard-reset-table.patch new file mode 100644 index 00000000000..73ab8b95a77 --- /dev/null +++ b/queue-4.8/input-i8042-add-xmg-c504-to-keyboard-reset-table.patch 
@@ -0,0 +1,51 @@ +From da25311c7ca8b0254a686fc0d597075b9aa3b683 Mon Sep 17 00:00:00 2001 +From: Patrick Scheuring +Date: Wed, 19 Oct 2016 12:04:02 -0700 +Subject: Input: i8042 - add XMG C504 to keyboard reset table + +From: Patrick Scheuring + +commit da25311c7ca8b0254a686fc0d597075b9aa3b683 upstream. + +The Schenker XMG C504 is a rebranded Gigabyte P35 v2 laptop. +Therefore it also needs a keyboard reset to detect the Elantech touchpad. +Otherwise the touchpad appears to be dead. + +With this patch the touchpad is detected: + +$ dmesg | grep -E "(i8042|Elantech|elantech)" + +[ 2.675399] i8042: PNP: PS/2 Controller [PNP0303:PS2K,PNP0f13:PS2M] at 0x60,0x64 irq 1,12 +[ 2.680372] i8042: Attempting to reset device connected to KBD port +[ 2.789037] serio: i8042 KBD port at 0x60,0x64 irq 1 +[ 2.791586] serio: i8042 AUX port at 0x60,0x64 irq 12 +[ 2.813840] input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input4 +[ 3.811431] psmouse serio1: elantech: assuming hardware version 4 (with firmware version 0x361f0e) +[ 3.825424] psmouse serio1: elantech: Synaptics capabilities query result 0x00, 0x15, 0x0f. +[ 3.839424] psmouse serio1: elantech: Elan sample query result 03, 58, 74 +[ 3.911349] input: ETPS/2 Elantech Touchpad as /devices/platform/i8042/serio1/input/input6 + +Signed-off-by: Patrick Scheuring +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/serio/i8042-x86ia64io.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -877,6 +877,13 @@ static const struct dmi_system_id __init + DMI_MATCH(DMI_PRODUCT_NAME, "P34"), + }, + }, ++ { ++ /* Schenker XMG C504 - Elantech touchpad */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "XMG"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "C504"), ++ }, ++ }, + { } + }; + 
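Review bot: The new entry matches with `DMI_MATCH(DMI_PRODUCT_NAME, "C504")`, and DMI_MATCH is a substring comparison, so any XMG product whose name contains "C504" would also receive the keyboard reset; if the intent is this one model, `DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "C504")` is the tighter form. The neighbouring entries in this table (e.g. the `"P34"` match just above) use the same substring style, so following local convention is defensible, but it is worth a conscious choice given that the reset changes device probing for every match. The DMI table begins before the hunk.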
diff --git a/queue-4.8/kvm-mips-make-eret-handle-erl-before-exl.patch b/queue-4.8/kvm-mips-make-eret-handle-erl-before-exl.patch new file mode 100644 index 00000000000..fffabaaa47f --- /dev/null +++ b/queue-4.8/kvm-mips-make-eret-handle-erl-before-exl.patch 
@@ -0,0 +1,57 @@ +From ede5f3e7b54a4347be4d8525269eae50902bd7cd Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Tue, 25 Oct 2016 16:11:11 +0100 +Subject: KVM: MIPS: Make ERET handle ERL before EXL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: James Hogan + +commit ede5f3e7b54a4347be4d8525269eae50902bd7cd upstream. + +The ERET instruction to return from exception is used for returning from +exception level (Status.EXL) and error level (Status.ERL). If both bits +are set however we should be returning from ERL first, as ERL can +interrupt EXL, for example when an NMI is taken. KVM however checks EXL +first. + +Fix the order of the checks to match the pseudocode in the instruction +set manual. + +Fixes: e685c689f3a8 ("KVM/MIPS32: Privileged instruction/target branch emulation.") +Signed-off-by: James Hogan +Cc: Paolo Bonzini +Cc: "Radim Krčmář +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: kvm@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kvm/emulate.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/mips/kvm/emulate.c ++++ b/arch/mips/kvm/emulate.c +@@ -791,15 +791,15 @@ enum emulation_result kvm_mips_emul_eret + struct mips_coproc *cop0 = vcpu->arch.cop0; + enum emulation_result er = EMULATE_DONE; + +- if (kvm_read_c0_guest_status(cop0) & ST0_EXL) { ++ if (kvm_read_c0_guest_status(cop0) & ST0_ERL) { ++ kvm_clear_c0_guest_status(cop0, ST0_ERL); ++ vcpu->arch.pc = kvm_read_c0_guest_errorepc(cop0); ++ } else if (kvm_read_c0_guest_status(cop0) & ST0_EXL) { + kvm_debug("[%#lx] ERET to %#lx\n", vcpu->arch.pc, + kvm_read_c0_guest_epc(cop0)); + kvm_clear_c0_guest_status(cop0, ST0_EXL); + vcpu->arch.pc = kvm_read_c0_guest_epc(cop0); + +- } else if (kvm_read_c0_guest_status(cop0) & ST0_ERL) { +- kvm_clear_c0_guest_status(cop0, ST0_ERL); +- vcpu->arch.pc = kvm_read_c0_guest_errorepc(cop0); + } else { + kvm_err("[%#lx] ERET when 
MIPS_SR_EXL|MIPS_SR_ERL == 0\n", + vcpu->arch.pc); diff --git a/queue-4.8/kvm-mips-precalculate-mmio-load-resume-pc.patch b/queue-4.8/kvm-mips-precalculate-mmio-load-resume-pc.patch new file mode 100644 index 00000000000..d6fd522b7f8 --- /dev/null +++ b/queue-4.8/kvm-mips-precalculate-mmio-load-resume-pc.patch 
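Review bot: The new ERL branch clears `ST0_ERL` and loads ErrorEPC silently, while the EXL branch it now precedes still emits `kvm_debug("[%#lx] ERET to %#lx\n", ...)`; for symmetry and so traces show error-level returns too, add `kvm_debug("[%#lx] ERET (ERL) to %#lx\n", vcpu->arch.pc, kvm_read_c0_guest_errorepc(cop0));` in the ERL branch. A short comment on the ordering, e.g. `/* ERL takes precedence over EXL: an error (e.g. NMI) can interrupt an exception */`, would keep a later reader from "fixing" the order back to the buggy one. kvm_mips_emul_eret() begins and ends outside the hunk.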
@@ -0,0 +1,116 @@ +From e1e575f6b026734be3b1f075e780e91ab08ca541 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Tue, 25 Oct 2016 16:11:12 +0100 +Subject: KVM: MIPS: Precalculate MMIO load resume PC +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: James Hogan + +commit e1e575f6b026734be3b1f075e780e91ab08ca541 upstream. + +The advancing of the PC when completing an MMIO load is done before +re-entering the guest, i.e. before restoring the guest ASID. However if +the load is in a branch delay slot it may need to access guest code to +read the prior branch instruction. This isn't safe in TLB mapped code at +the moment, nor in the future when we'll access unmapped guest segments +using direct user accessors too, as it could read the branch from host +user memory instead. + +Therefore calculate the resume PC in advance while we're still in the +right context and save it in the new vcpu->arch.io_pc (replacing the no +longer needed vcpu->arch.pending_load_cause), and restore it on MMIO +completion. 
+ +Fixes: e685c689f3a8 ("KVM/MIPS32: Privileged instruction/target branch emulation.") +Signed-off-by: James Hogan +Cc: Paolo Bonzini +Cc: "Radim Krčmář +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: kvm@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/kvm_host.h | 7 ++++--- + arch/mips/kvm/emulate.c | 24 +++++++++++++++--------- + 2 files changed, 19 insertions(+), 12 deletions(-) + +--- a/arch/mips/include/asm/kvm_host.h ++++ b/arch/mips/include/asm/kvm_host.h +@@ -279,7 +279,10 @@ struct kvm_vcpu_arch { + /* Host KSEG0 address of the EI/DI offset */ + void *kseg0_commpage; + +- u32 io_gpr; /* GPR used as IO source/target */ ++ /* Resume PC after MMIO completion */ ++ unsigned long io_pc; ++ /* GPR used as IO source/target */ ++ u32 io_gpr; + + struct hrtimer comparecount_timer; + /* Count timer control KVM register */ +@@ -301,8 +304,6 @@ struct kvm_vcpu_arch { + /* Bitmask of pending exceptions to be cleared */ + unsigned long pending_exceptions_clr; + +- u32 pending_load_cause; +- + /* Save/Restore the entryhi register when are are preempted/scheduled back in */ + unsigned long preempt_entryhi; + +--- a/arch/mips/kvm/emulate.c ++++ b/arch/mips/kvm/emulate.c +@@ -1522,13 +1522,25 @@ enum emulation_result kvm_mips_emulate_l + struct kvm_vcpu *vcpu) + { + enum emulation_result er = EMULATE_DO_MMIO; ++ unsigned long curr_pc; + u32 op, rt; + u32 bytes; + + rt = inst.i_format.rt; + op = inst.i_format.opcode; + +- vcpu->arch.pending_load_cause = cause; ++ /* ++ * Find the resume PC now while we have safe and easy access to the ++ * prior branch instruction, and save it for ++ * kvm_mips_complete_mmio_load() to restore later. 
++ */ ++ curr_pc = vcpu->arch.pc; ++ er = update_pc(vcpu, cause); ++ if (er == EMULATE_FAIL) ++ return er; ++ vcpu->arch.io_pc = vcpu->arch.pc; ++ vcpu->arch.pc = curr_pc; ++ + vcpu->arch.io_gpr = rt; + + switch (op) { +@@ -2488,9 +2500,8 @@ enum emulation_result kvm_mips_complete_ + goto done; + } + +- er = update_pc(vcpu, vcpu->arch.pending_load_cause); +- if (er == EMULATE_FAIL) +- return er; ++ /* Restore saved resume PC */ ++ vcpu->arch.pc = vcpu->arch.io_pc; + + switch (run->mmio.len) { + case 4: +@@ -2512,11 +2523,6 @@ enum emulation_result kvm_mips_complete_ + break; + } + +- if (vcpu->arch.pending_load_cause & CAUSEF_BD) +- kvm_debug("[%#lx] Completing %d byte BD Load to gpr %d (0x%08lx) type %d\n", +- vcpu->arch.pc, run->mmio.len, vcpu->arch.io_gpr, *gpr, +- vcpu->mmio_needed); +- + done: + return er; + } diff --git a/queue-4.8/kvm-s390-fix-sthyi-buffer-alignment-for-diag224.patch b/queue-4.8/kvm-s390-fix-sthyi-buffer-alignment-for-diag224.patch new file mode 100644 index 00000000000..d5a9eaea413 --- /dev/null +++ b/queue-4.8/kvm-s390-fix-sthyi-buffer-alignment-for-diag224.patch 
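Review bot: In the kvm_mips_emulate_load() hunk, `er` is initialised to `EMULATE_DO_MMIO` a few lines above but is now overwritten by update_pc()'s success value before the `switch (op)`; unless the cases below (outside the hunk) assign it again, the function's eventual `return er` would report `EMULATE_DONE` for a load that is actually pending MMIO. Keeping the initial value avoids the question: `if (update_pc(vcpu, cause) == EMULATE_FAIL)` / `return EMULATE_FAIL;`. The kvm_host.h comment on the new field could also state its lifetime, e.g. `/* Resume PC after MMIO completion; valid only between kvm_mips_emulate_load() and kvm_mips_complete_mmio_load() */`, since nothing else clears it. Both enclosing functions extend beyond their hunks.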
@@ -0,0 +1,43 @@ +From 45c7ee43a5184ddbff652ee0d2e826f86f1b616b Mon Sep 17 00:00:00 2001 +From: Janosch Frank +Date: Wed, 26 Oct 2016 08:48:11 +0200 +Subject: KVM: s390: Fix STHYI buffer alignment for diag224 + +From: Janosch Frank + +commit 45c7ee43a5184ddbff652ee0d2e826f86f1b616b upstream. + +Diag224 requires a page-aligned 4k buffer to store the name table +into. kmalloc does not guarantee page alignment, hence we replace it +with __get_free_page for the buffer allocation. + +Reported-by: Michael Holzheu +Signed-off-by: Janosch Frank +Reviewed-by: Cornelia Huck +Signed-off-by: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kvm/sthyi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/s390/kvm/sthyi.c ++++ b/arch/s390/kvm/sthyi.c +@@ -315,7 +315,7 @@ static void fill_diag(struct sthyi_sctns + if (r < 0) + goto out; + +- diag224_buf = kmalloc(PAGE_SIZE, GFP_KERNEL | GFP_DMA); ++ diag224_buf = (void *)__get_free_page(GFP_KERNEL | GFP_DMA); + if (!diag224_buf || diag224(diag224_buf)) + goto out; + +@@ -378,7 +378,7 @@ static void fill_diag(struct sthyi_sctns + sctns->par.infpval1 |= PAR_WGHT_VLD; + + out: +- kfree(diag224_buf); ++ free_page((unsigned long)diag224_buf); + vfree(diag204_buf); + } + diff --git a/queue-4.8/kvm-x86-fix-wbinvd_dirty_mask-use-after-free.patch b/queue-4.8/kvm-x86-fix-wbinvd_dirty_mask-use-after-free.patch new file mode 100644 index 00000000000..2ec6d323a60 --- /dev/null +++ b/queue-4.8/kvm-x86-fix-wbinvd_dirty_mask-use-after-free.patch 
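Review bot: Nothing at the new allocation says why `__get_free_page()` replaced `kmalloc()`, and a PAGE_SIZE `kmalloc()` is exactly the "simplification" someone who has not read this commit will make. Add `/* diag224 needs a page-aligned 4k buffer; kmalloc() does not guarantee page alignment */` above `diag224_buf = (void *)__get_free_page(GFP_KERNEL | GFP_DMA);`. As far as I can tell `free_page()` on a zero address is a no-op, so the early `goto out` on allocation failure still reaches the `out:` cleanup safely. fill_diag() starts and ends outside the hunk.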
@@ -0,0 +1,48 @@ +From bd768e146624cbec7122ed15dead8daa137d909d Mon Sep 17 00:00:00 2001 +From: Ido Yariv +Date: Fri, 21 Oct 2016 12:39:57 -0400 +Subject: KVM: x86: fix wbinvd_dirty_mask use-after-free +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ido Yariv + +commit bd768e146624cbec7122ed15dead8daa137d909d upstream. + +vcpu->arch.wbinvd_dirty_mask may still be used after freeing it, +corrupting memory. For example, the following call trace may set a bit +in an already freed cpu mask: + kvm_arch_vcpu_load + vcpu_load + vmx_free_vcpu_nested + vmx_free_vcpu + kvm_arch_vcpu_free + +Fix this by deferring freeing of wbinvd_dirty_mask. + +Signed-off-by: Ido Yariv +Reviewed-by: Paolo Bonzini +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -7372,10 +7372,12 @@ void kvm_put_guest_fpu(struct kvm_vcpu * + + void kvm_arch_vcpu_free(struct kvm_vcpu *vcpu) + { ++ void *wbinvd_dirty_mask = vcpu->arch.wbinvd_dirty_mask; ++ + kvmclock_reset(vcpu); + +- free_cpumask_var(vcpu->arch.wbinvd_dirty_mask); + kvm_x86_ops->vcpu_free(vcpu); ++ free_cpumask_var(wbinvd_dirty_mask); + } + + struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, diff --git a/queue-4.8/mips-kaslr-fix-handling-of-null-fdt.patch b/queue-4.8/mips-kaslr-fix-handling-of-null-fdt.patch new file mode 100644 index 00000000000..647999a35e1 --- /dev/null +++ b/queue-4.8/mips-kaslr-fix-handling-of-null-fdt.patch 
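Review bot: The reordering is load-bearing but the code does not say so: `kvm_x86_ops->vcpu_free(vcpu)` can still touch `vcpu->arch.wbinvd_dirty_mask` (through the vcpu_load path the commit message traces), which is why the pointer is copied to a local and freed last. Put `/* vcpu_free() may still use the mask via vcpu_load(); free it only after the vcpu is torn down */` above the new local so a later tidy-up does not move `free_cpumask_var()` back up. The local also appears to be the only valid handle once `vcpu_free` returns, presumably because the vcpu object itself is released there — that implementation is not in view.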
@@ -0,0 +1,39 @@ +From 4736697963385e6257ee8e260e97347e858cd962 Mon Sep 17 00:00:00 2001 +From: Matt Redfearn +Date: Mon, 17 Oct 2016 17:21:46 +0100 +Subject: MIPS: KASLR: Fix handling of NULL FDT + +From: Matt Redfearn + +commit 4736697963385e6257ee8e260e97347e858cd962 upstream. + +If platform code returns a NULL pointer to the FDT, initial_boot_params +will not get set to a valid pointer and attempting to find the /chosen +node in it will cause a NULL pointer dereference and the kernel to crash +immediately on startup - with no output to the console. + +Fix this by checking that initial_boot_params is valid before using it. + +Fixes: 405bc8fd12f5 ("MIPS: Kernel: Implement KASLR using CONFIG_RELOCATABLE") +Signed-off-by: Matt Redfearn +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/14414/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/relocate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/kernel/relocate.c ++++ b/arch/mips/kernel/relocate.c +@@ -200,7 +200,7 @@ static inline __init unsigned long get_r + + #if defined(CONFIG_USE_OF) + /* Get any additional entropy passed in device tree */ +- { ++ if (initial_boot_params) { + int node, len; + u64 *prop; + diff --git a/queue-4.8/nfsd-fix-general-protection-fault-in-release_lock_stateid.patch b/queue-4.8/nfsd-fix-general-protection-fault-in-release_lock_stateid.patch new file mode 100644 index 00000000000..137afa9e47f --- /dev/null +++ b/queue-4.8/nfsd-fix-general-protection-fault-in-release_lock_stateid.patch 
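Review bot: With `initial_boot_params` NULL the device-tree entropy is now silently skipped and nothing records that, so the KASLR seed then rests on whatever other sources the enclosing function mixes in (its name is truncated to `get_r` in the hunk context and it starts and ends outside the hunk). Make the trade-off visible at the new condition: `/* Get any additional entropy passed in device tree; skipped when the platform supplied no FDT, so the seed then relies on the remaining sources */`. Printing a warning here is not an option, as the commit notes the console is not up yet.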
@@ -0,0 +1,106 @@ +From f46c445b79906a9da55c13e0a6f6b6a006b892fe Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Sat, 29 Oct 2016 18:19:03 -0400 +Subject: nfsd: Fix general protection fault in release_lock_stateid() + +From: Chuck Lever + +commit f46c445b79906a9da55c13e0a6f6b6a006b892fe upstream. + +When I push NFSv4.1 / RDMA hard, (xfstests generic/089, for example), +I get this crash on the server: + +Oct 28 22:04:30 klimt kernel: general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC +Oct 28 22:04:30 klimt kernel: Modules linked in: cts rpcsec_gss_krb5 iTCO_wdt iTCO_vendor_support sb_edac edac_core x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm btrfs irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd xor pcspkr raid6_pq i2c_i801 i2c_smbus lpc_ich mfd_core sg mei_me mei ioatdma shpchp wmi ipmi_si ipmi_msghandler rpcrdma ib_ipoib rdma_ucm acpi_power_meter acpi_pad ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c mlx4_ib mlx4_en ib_core sr_mod cdrom sd_mod ast drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm crc32c_intel igb ahci libahci ptp mlx4_core pps_core dca libata i2c_algo_bit i2c_core dm_mirror dm_region_hash dm_log dm_mod +Oct 28 22:04:30 klimt kernel: CPU: 7 PID: 1558 Comm: nfsd Not tainted 4.9.0-rc2-00005-g82cd754 #8 +Oct 28 22:04:30 klimt kernel: Hardware name: Supermicro Super Server/X10SRL-F, BIOS 1.0c 09/09/2015 +Oct 28 22:04:30 klimt kernel: task: ffff880835c3a100 task.stack: ffff8808420d8000 +Oct 28 22:04:30 klimt kernel: RIP: 0010:[] [] release_lock_stateid+0x1f/0x60 [nfsd] +Oct 28 22:04:30 klimt kernel: RSP: 0018:ffff8808420dbce0 EFLAGS: 00010246 +Oct 28 22:04:30 klimt kernel: RAX: ffff88084e6660f0 RBX: ffff88084e667020 RCX: 0000000000000000 +Oct 28 22:04:30 klimt kernel: RDX: 0000000000000007 RSI: 0000000000000000 RDI: ffff88084e667020 +Oct 28 22:04:30 klimt kernel: RBP: 
ffff8808420dbcf8 R08: 0000000000000001 R09: 0000000000000000 +Oct 28 22:04:30 klimt kernel: R10: ffff880835c3a100 R11: ffff880835c3aca8 R12: 6b6b6b6b6b6b6b6b +Oct 28 22:04:30 klimt kernel: R13: ffff88084e6670d8 R14: ffff880835f546f0 R15: ffff880835f1c548 +Oct 28 22:04:30 klimt kernel: FS: 0000000000000000(0000) GS:ffff88087bdc0000(0000) knlGS:0000000000000000 +Oct 28 22:04:30 klimt kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +Oct 28 22:04:30 klimt kernel: CR2: 00007ff020389000 CR3: 0000000001c06000 CR4: 00000000001406e0 +Oct 28 22:04:30 klimt kernel: Stack: +Oct 28 22:04:30 klimt kernel: ffff88084e667020 0000000000000000 ffff88084e6670d8 ffff8808420dbd20 +Oct 28 22:04:30 klimt kernel: ffffffffa05ac80d ffff880835f54548 ffff88084e640008 ffff880835f545b0 +Oct 28 22:04:30 klimt kernel: ffff8808420dbd70 ffffffffa059803d ffff880835f1c768 0000000000000870 +Oct 28 22:04:30 klimt kernel: Call Trace: +Oct 28 22:04:30 klimt kernel: [] nfsd4_free_stateid+0xfd/0x1b0 [nfsd] +Oct 28 22:04:30 klimt kernel: [] nfsd4_proc_compound+0x40d/0x690 [nfsd] +Oct 28 22:04:30 klimt kernel: [] nfsd_dispatch+0xd4/0x1d0 [nfsd] +Oct 28 22:04:30 klimt kernel: [] svc_process_common+0x3d9/0x700 [sunrpc] +Oct 28 22:04:30 klimt kernel: [] svc_process+0xf4/0x330 [sunrpc] +Oct 28 22:04:30 klimt kernel: [] nfsd+0xfa/0x160 [nfsd] +Oct 28 22:04:30 klimt kernel: [] ? nfsd_destroy+0x170/0x170 [nfsd] +Oct 28 22:04:30 klimt kernel: [] kthread+0x10b/0x120 +Oct 28 22:04:30 klimt kernel: [] ? 
kthread_stop+0x280/0x280 +Oct 28 22:04:30 klimt kernel: [] ret_from_fork+0x2a/0x40 +Oct 28 22:04:30 klimt kernel: Code: c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 48 8b 87 b0 00 00 00 48 89 fb 4c 8b a0 98 00 00 00 <49> 8b 44 24 20 48 8d b8 80 03 00 00 e8 10 66 1a e1 48 89 df e8 +Oct 28 22:04:30 klimt kernel: RIP [] release_lock_stateid+0x1f/0x60 [nfsd] +Oct 28 22:04:30 klimt kernel: RSP +Oct 28 22:04:30 klimt kernel: ---[ end trace cf5d0b371973e167 ]--- + +Jeff Layton says: +> Hm...now that I look though, this is a little suspicious: +> +> struct nfs4_openowner *oo = openowner(stp->st_openstp->st_stateowner); +> +> I wonder if it's possible for the openstateid to have already been +> destroyed at this point. +> +> We might be better off doing something like this to get the client pointer: +> +> stp->st_stid.sc_client; +> +> ...which should be more direct and less dependent on other stateids +> staying valid. + +With the suggested change, I am no longer able to reproduce the above oops. + +v2: Fix unhash_lock_stateid() as well + +Fix-suggested-by: Jeff Layton +Fixes: 42691398be08 ('nfsd: Fix race between FREE_STATEID and LOCK') +Signed-off-by: Chuck Lever +Reviewed-by: Jeff Layton +Signed-off-by: J. 
Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4state.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -1147,9 +1147,7 @@ static void put_ol_stateid_locked(struct + + static bool unhash_lock_stateid(struct nfs4_ol_stateid *stp) + { +- struct nfs4_openowner *oo = openowner(stp->st_openstp->st_stateowner); +- +- lockdep_assert_held(&oo->oo_owner.so_client->cl_lock); ++ lockdep_assert_held(&stp->st_stid.sc_client->cl_lock); + + list_del_init(&stp->st_locks); + nfs4_unhash_stid(&stp->st_stid); +@@ -1158,12 +1156,12 @@ static bool unhash_lock_stateid(struct n + + static void release_lock_stateid(struct nfs4_ol_stateid *stp) + { +- struct nfs4_openowner *oo = openowner(stp->st_openstp->st_stateowner); ++ struct nfs4_client *clp = stp->st_stid.sc_client; + bool unhashed; + +- spin_lock(&oo->oo_owner.so_client->cl_lock); ++ spin_lock(&clp->cl_lock); + unhashed = unhash_lock_stateid(stp); +- spin_unlock(&oo->oo_owner.so_client->cl_lock); ++ spin_unlock(&clp->cl_lock); + if (unhashed) + nfs4_put_stid(&stp->st_stid); + } diff --git a/queue-4.8/ovl-fix-get_acl-on-tmpfs.patch b/queue-4.8/ovl-fix-get_acl-on-tmpfs.patch new file mode 100644 index 00000000000..03a53145d84 --- /dev/null +++ b/queue-4.8/ovl-fix-get_acl-on-tmpfs.patch 
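Review bot: Both hunks replace the `openowner(stp->st_openstp->st_stateowner)` walk with `stp->st_stid.sc_client`, but the reason — the open stateid can already be destroyed when a lock stateid is released, which is the use-after-free behind the trace — lives only in the commit message. Put it at the new `clp` declaration in release_lock_stateid(): `/* Take the client from the stateid itself: st_openstp may already be freed (FREE_STATEID vs LOCK race) */`, and the same one-liner above the lockdep assert in unhash_lock_stateid(). `clp` is read before `cl_lock` is taken, which assumes `sc_client` is fixed for the stateid's lifetime; the new assert in the first hunk relies on the same assumption, but nothing in view establishes it.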
@@ -0,0 +1,35 @@ +From b93d4a0eb308d4400b84c8b24c1b80e09a9497d0 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Mon, 31 Oct 2016 14:42:14 +0100 +Subject: ovl: fix get_acl() on tmpfs + +From: Miklos Szeredi + +commit b93d4a0eb308d4400b84c8b24c1b80e09a9497d0 upstream. + +tmpfs doesn't have ->get_acl() because it only uses cached acls. + +This fixes the acl tests in pjdfstest when tmpfs is used as the upper layer +of the overlay. + +Reported-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Fixes: 39a25b2b3762 ("ovl: define ->get_acl() for overlay inodes") +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/inode.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/fs/overlayfs/inode.c ++++ b/fs/overlayfs/inode.c +@@ -294,9 +294,6 @@ struct posix_acl *ovl_get_acl(struct ino + if (!IS_ENABLED(CONFIG_FS_POSIX_ACL) || !IS_POSIXACL(realinode)) + return NULL; + +- if (!realinode->i_op->get_acl) +- return NULL; +- + old_cred = ovl_override_creds(inode->i_sb); + acl = get_acl(realinode, type); + revert_creds(old_cred); diff --git a/queue-4.8/ovl-fsync-after-copy-up.patch b/queue-4.8/ovl-fsync-after-copy-up.patch new file mode 100644 index 00000000000..027bba35ba3 --- /dev/null +++ b/queue-4.8/ovl-fsync-after-copy-up.patch 
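Review bot: Dropping the `!realinode->i_op->get_acl` short-circuit makes ovl_get_acl() depend on `get_acl()` handling both the cached-ACL case and an inode with no `->get_acl`, and nothing at the call site records that; a reader may re-add the check and break tmpfs uppers again. Add `/* Let get_acl() serve cached ACLs: tmpfs has no ->get_acl() but keeps ACLs in the cache */` above `acl = get_acl(realinode, type);`. The call still runs under the overridden mounter credentials, which this patch does not change. ovl_get_acl()'s body extends beyond the hunk.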
@@ -0,0 +1,31 @@ +From 641089c1549d8d3df0b047b5de7e9a111362cdce Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Mon, 31 Oct 2016 14:42:14 +0100 +Subject: ovl: fsync after copy-up + +From: Miklos Szeredi + +commit 641089c1549d8d3df0b047b5de7e9a111362cdce upstream. + +Make sure the copied up file hits the disk before renaming to the final +destination. If this is not done then the copy-up may corrupt the data in +the file in case of a crash. + +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/copy_up.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/overlayfs/copy_up.c ++++ b/fs/overlayfs/copy_up.c +@@ -171,6 +171,8 @@ static int ovl_copy_up_data(struct path + len -= bytes; + } + ++ if (!error) ++ error = vfs_fsync(new_file, 0); + fput(new_file); + out_fput: + fput(old_file); diff --git a/queue-4.8/ovl-update-s_isgid-when-setting-posix-acls.patch b/queue-4.8/ovl-update-s_isgid-when-setting-posix-acls.patch new file mode 100644 index 00000000000..b01338b5120 --- /dev/null +++ b/queue-4.8/ovl-update-s_isgid-when-setting-posix-acls.patch 
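Review bot: The new `vfs_fsync(new_file, 0)` is explained only in the commit message; at the call site it reads like an optional flush, and the rename it protects is outside the hunk. Add `/* Make the data durable before the rename publishes the file; otherwise a crash can leave a truncated copy-up at the final path. */` above the `if (!error)`. Skipping the fsync when `error` is already set is right, since the partial copy is discarded, and is worth one clause in the same comment. ovl_copy_up_data() starts and ends outside the hunk.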
@@ -0,0 +1,51 @@ +From fd3220d37b1f6f0cab6142d98b0e6c4082e63299 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Mon, 31 Oct 2016 14:42:14 +0100 +Subject: ovl: update S_ISGID when setting posix ACLs + +From: Miklos Szeredi + +commit fd3220d37b1f6f0cab6142d98b0e6c4082e63299 upstream. + +This change fixes xfstest generic/375, which failed to clear the +setgid bit in the following test case on overlayfs: + + touch $testfile + chown 100:100 $testfile + chmod 2755 $testfile + _runas -u 100 -g 101 -- setfacl -m u::rwx,g::rwx,o::rwx $testfile + +Reported-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Tested-by: Amir Goldstein +Fixes: d837a49bd57f ("ovl: fix POSIX ACL setting") +Signed-off-by: Greg Kroah-Hartman + +--- + fs/overlayfs/super.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/fs/overlayfs/super.c ++++ b/fs/overlayfs/super.c +@@ -1026,6 +1026,21 @@ ovl_posix_acl_xattr_set(const struct xat + + posix_acl_release(acl); + ++ /* ++ * Check if sgid bit needs to be cleared (actual setacl operation will ++ * be done with mounter's capabilities and so that won't do it for us). ++ */ ++ if (unlikely(inode->i_mode & S_ISGID) && ++ handler->flags == ACL_TYPE_ACCESS && ++ !in_group_p(inode->i_gid) && ++ !capable_wrt_inode_uidgid(inode, CAP_FSETID)) { ++ struct iattr iattr = { .ia_valid = ATTR_KILL_SGID }; ++ ++ err = ovl_setattr(dentry, &iattr); ++ if (err) ++ return err; ++ } ++ + err = ovl_xattr_set(dentry, handler->name, value, size, flags); + if (!err) + ovl_copyattr(ovl_inode_real(inode, NULL), inode); diff --git a/queue-4.8/parisc-ensure-consistent-state-when-switching-to-kernel-stack-at-syscall-entry.patch b/queue-4.8/parisc-ensure-consistent-state-when-switching-to-kernel-stack-at-syscall-entry.patch new file mode 100644 index 00000000000..c8274ba8da1 --- /dev/null +++ b/queue-4.8/parisc-ensure-consistent-state-when-switching-to-kernel-stack-at-syscall-entry.patch 
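Review bot: The S_ISGID clear via `ovl_setattr(dentry, &iattr)` happens before `ovl_xattr_set()` and is not undone if that call fails, so a rejected ACL update can still strip the setgid bit. That is the safe direction — a failed ACL write leaves the file with fewer privileges, never more — but the ordering should be stated, e.g. append to the existing comment: `Clearing it first is deliberate: if the ACL write then fails we have dropped a privilege, not granted one.` The `capable_wrt_inode_uidgid()` test runs with the caller's credentials rather than the mounter's, which is why the check must sit here and not in the lower filesystem; the existing comment says this and should stay. ovl_posix_acl_xattr_set() begins outside the hunk.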
@@ -0,0 +1,64 @@ +From 6ed518328d0189e0fdf1bb7c73290d546143ea66 Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Fri, 28 Oct 2016 23:00:34 -0400 +Subject: parisc: Ensure consistent state when switching to kernel stack at syscall entry + +From: John David Anglin + +commit 6ed518328d0189e0fdf1bb7c73290d546143ea66 upstream. + +We have one critical section in the syscall entry path in which we switch from +the userspace stack to kernel stack. In the event of an external interrupt, the +interrupt code distinguishes between those two states by analyzing the value of +sr7. If sr7 is zero, it uses the kernel stack. Therefore it's important, that +the value of sr7 is in sync with the currently enabled stack. + +This patch now disables interrupts while executing the critical section. This +prevents the interrupt handler to possibly see an inconsistent state which in +the worst case can lead to crashes. + +Interestingly, in the syscall exit path interrupts were already disabled in the +critical section which switches back to the userspace stack. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/syscall.S | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/arch/parisc/kernel/syscall.S ++++ b/arch/parisc/kernel/syscall.S +@@ -106,8 +106,6 @@ linux_gateway_entry: + mtsp %r0,%sr4 /* get kernel space into sr4 */ + mtsp %r0,%sr5 /* get kernel space into sr5 */ + mtsp %r0,%sr6 /* get kernel space into sr6 */ +- mfsp %sr7,%r1 /* save user sr7 */ +- mtsp %r1,%sr3 /* and store it in sr3 */ + + #ifdef CONFIG_64BIT + /* for now we can *always* set the W bit on entry to the syscall +@@ -133,6 +131,14 @@ linux_gateway_entry: + depdi 0, 31, 32, %r21 + 1: + #endif ++ ++ /* We use a rsm/ssm pair to prevent sr3 from being clobbered ++ * by external interrupts. 
++ */ ++ mfsp %sr7,%r1 /* save user sr7 */ ++ rsm PSW_SM_I, %r0 /* disable interrupts */ ++ mtsp %r1,%sr3 /* and store it in sr3 */ ++ + mfctl %cr30,%r1 + xor %r1,%r30,%r30 /* ye olde xor trick */ + xor %r1,%r30,%r1 +@@ -147,6 +153,7 @@ linux_gateway_entry: + */ + + mtsp %r0,%sr7 /* get kernel space into sr7 */ ++ ssm PSW_SM_I, %r0 /* enable interrupts */ + STREGM %r1,FRAME_SIZE(%r30) /* save r1 (usp) here for now */ + mfctl %cr30,%r1 /* get task ptr in %r1 */ + LDREG TI_TASK(%r1),%r1 diff --git a/queue-4.8/rtl8xxxu-fix-big-endian-problem-reporting-mactime.patch b/queue-4.8/rtl8xxxu-fix-big-endian-problem-reporting-mactime.patch new file mode 100644 index 00000000000..99da60d2429 --- /dev/null +++ b/queue-4.8/rtl8xxxu-fix-big-endian-problem-reporting-mactime.patch 
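Review bot: The new comment says what the `rsm`/`ssm` pair does but not the invariant that makes it necessary, which is only in the commit message: the interrupt path reads sr7 to decide whether it is on the user or kernel stack, so sr7 and %r30 must change together with interrupts off. Extend the comment to `/* Interrupts off: the interrupt path uses sr7 == 0 to mean "on the kernel stack", so sr7 and %r30 must switch atomically. Also keeps sr3 from being clobbered. */`. The closing `ssm PSW_SM_I, %r0` re-enables interrupts unconditionally, which presumes they were enabled at gateway entry — expected for a syscall from user space, but worth a word in the comment since the entry conditions are outside the hunk. The region between the two hunks is not shown, so any early exit from it would need its own `ssm`.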
@@ -0,0 +1,61 @@ +From 8a55698f2f29d227825173420d7b99b9277ca88c Mon Sep 17 00:00:00 2001 +From: Jes Sorensen +Date: Thu, 29 Sep 2016 15:40:55 -0400 +Subject: rtl8xxxu: Fix big-endian problem reporting mactime + +From: Jes Sorensen + +commit 8a55698f2f29d227825173420d7b99b9277ca88c upstream. + +The full RX descriptor is converted so converting tsfl again would +return it to it's original endian value. + +Signed-off-by: Jes Sorensen +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 4 ++-- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h +@@ -231,7 +231,7 @@ struct rtl8xxxu_rxdesc16 { + u32 pattern1match:1; + u32 pattern0match:1; + #endif +- __le32 tsfl; ++ u32 tsfl; + #if 0 + u32 bassn:12; + u32 bavld:1; +@@ -361,7 +361,7 @@ struct rtl8xxxu_rxdesc24 { + u32 ldcp:1; + u32 splcp:1; + #endif +- __le32 tsfl; ++ u32 tsfl; + }; + + struct rtl8xxxu_txdesc32 { +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -5224,7 +5224,7 @@ int rtl8xxxu_parse_rxdesc16(struct rtl8x + rtl8xxxu_rx_parse_phystats(priv, rx_status, phy_stats, + rx_desc->rxmcs); + +- rx_status->mactime = le32_to_cpu(rx_desc->tsfl); ++ rx_status->mactime = rx_desc->tsfl; + rx_status->flag |= RX_FLAG_MACTIME_START; + + if (!rx_desc->swdec) +@@ -5294,7 +5294,7 @@ int rtl8xxxu_parse_rxdesc24(struct rtl8x + rtl8xxxu_rx_parse_phystats(priv, rx_status, phy_stats, + rx_desc->rxmcs); + +- rx_status->mactime = le32_to_cpu(rx_desc->tsfl); ++ rx_status->mactime = rx_desc->tsfl; + rx_status->flag |= RX_FLAG_MACTIME_START; + + if (!rx_desc->swdec) 
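Review bot: Changing `tsfl` from `__le32` to `u32` in both descriptor structs removes the sparse endianness annotation on a field that is still wire format, and the only thing that makes plain `u32` correct is the whole-descriptor conversion the commit message mentions, which is not visible at the field or at the two core.c reads. Annotate the field once per struct: `u32 tsfl; /* already converted to CPU order with the rest of the descriptor */`, so nobody reintroduces `le32_to_cpu()` (the bug this commit fixes) or re-adds `__le32`. The same applies to the rtl8xxxu_rxdesc24 hunk and to both `rx_status->mactime = rx_desc->tsfl;` hunks in rtl8xxxu_core.c.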
diff --git a/queue-4.8/rtl8xxxu-fix-memory-leak-in-handling-rxdesc16-packets.patch b/queue-4.8/rtl8xxxu-fix-memory-leak-in-handling-rxdesc16-packets.patch new file mode 100644 index 00000000000..959a1750a8f --- /dev/null +++ b/queue-4.8/rtl8xxxu-fix-memory-leak-in-handling-rxdesc16-packets.patch @@ -0,0 +1,41 @@ +From 1e54134ccad00f76ddf00f3e77db3dc8fdefbb47 Mon Sep 17 00:00:00 2001 +From: Jes Sorensen +Date: Thu, 29 Sep 2016 15:40:54 -0400 +Subject: rtl8xxxu: Fix memory leak in handling rxdesc16 packets + +From: Jes Sorensen + +commit 1e54134ccad00f76ddf00f3e77db3dc8fdefbb47 upstream. + +A device running without RX package aggregation could return more data +in the USB packet than the actual network packet. In this case we +could would clone the skb but then determine that that there was no +packet to handle and exit without freeing the cloned skb first. + +This has so far only been observed with 8188eu devices, but could +affect others. + +Signed-off-by: Jes Sorensen +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -5201,7 +5201,12 @@ int rtl8xxxu_parse_rxdesc16(struct rtl8x + pkt_offset = roundup(pkt_len + drvinfo_sz + desc_shift + + sizeof(struct rtl8xxxu_rxdesc16), 128); + +- if (pkt_cnt > 1) ++ /* ++ * Only clone the skb if there's enough data at the end to ++ * at least cover the rx descriptor ++ */ ++ if (pkt_cnt > 1 && ++ urb_len > (pkt_offset + sizeof(struct rtl8xxxu_rxdesc16))) + next_skb = skb_clone(skb, GFP_ATOMIC); + + rx_status = IEEE80211_SKB_RXCB(skb); diff --git a/queue-4.8/rtl8xxxu-fix-rtl8723bu-driver-reload-issue.patch b/queue-4.8/rtl8xxxu-fix-rtl8723bu-driver-reload-issue.patch new file mode 100644 index 00000000000..4f05320f1f9 --- /dev/null 
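Review bot: The new clone condition bounds `pkt_offset`, which is computed from device-supplied descriptor fields (`pkt_len`, `drvinfo_sz`, `desc_shift`), against `urb_len`; that is the right check, but the comment only mentions the leak, not that this is also what keeps a short or malformed URB from producing a clone the loop will later walk past the buffer end. Reword it to `/* Only clone the skb when the URB holds at least one more full rx descriptor beyond this packet: avoids both the leaked clone and an over-read on a short/malformed URB */`. The commit touches only rtl8xxxu_parse_rxdesc16(); if rtl8xxxu_parse_rxdesc24() clones before checking in the same way it needs the same guard — not visible here. The function continues outside the hunk.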
+++ b/queue-4.8/rtl8xxxu-fix-rtl8723bu-driver-reload-issue.patch @@ -0,0 +1,37 @@ +From ab05e5ec81c76f3a852919c22984c885edd2414a Mon Sep 17 00:00:00 2001 +From: Jes Sorensen +Date: Fri, 30 Sep 2016 19:35:17 -0400 +Subject: rtl8xxxu: Fix rtl8723bu driver reload issue + +From: Jes Sorensen + +commit ab05e5ec81c76f3a852919c22984c885edd2414a upstream. + +The generic disable_rf() function clears bits 22 and 23 in +REG_RX_WAIT_CCA, however we did not re-enable them again in +rtl8723b_enable_rf() + +This resolves the problem for me with 8723bu devices not working again +after reloading the driver. + +Signed-off-by: Jes Sorensen +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8723b.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8723b.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8723b.c +@@ -1498,6 +1498,10 @@ static void rtl8723b_enable_rf(struct rt + u32 val32; + u8 val8; + ++ val32 = rtl8xxxu_read32(priv, REG_RX_WAIT_CCA); ++ val32 |= (BIT(22) | BIT(23)); ++ rtl8xxxu_write32(priv, REG_RX_WAIT_CCA, val32); ++ + /* + * No indication anywhere as to what 0x0790 does. The 2 antenna + * vendor code preserves bits 6-7 here. diff --git a/queue-4.8/series b/queue-4.8/series index 4357e46c0c4..e3adcb9a2b2 100644 --- a/queue-4.8/series +++ b/queue-4.8/series 
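Review bot: `val32 |= (BIT(22) | BIT(23));` re-sets two undocumented bits that the generic disable_rf() clears (per the commit message), and the two sites are now coupled by a magic number with nothing tying them together. Define the mask once next to `REG_RX_WAIT_CCA` under a descriptive name (constructed placeholder: `RX_WAIT_CCA_RF_EN_BITS`) and use it in both rtl8723b_enable_rf() and the disable path, or at least comment the line: `/* Re-enable bits 22/23, which the generic disable_rf() clears on driver unload */`. rtl8723b_enable_rf()'s body continues outside the hunk.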
@@ -66,3 +66,29 @@ arm64-dts-marvell-fix-clocksource-for-cp110-master-spi0.patch iio-chemical-atlas-ph-sensor-fix-use-of-32-bit-int-to-hold-16-bit-big-endian-value.patch staging-wilc1000-fix-kernel-oops-on-opening-the-device.patch dm-free-io_barrier-after-blk_cleanup_queue-call.patch +kvm-x86-fix-wbinvd_dirty_mask-use-after-free.patch +kvm-s390-fix-sthyi-buffer-alignment-for-diag224.patch +kvm-mips-make-eret-handle-erl-before-exl.patch +kvm-mips-precalculate-mmio-load-resume-pc.patch +arm-mvebu-select-corediv-clk-for-all-mvebu-v7-soc.patch +arm-dts-fix-the-sd-card-on-the-snowball.patch +nfsd-fix-general-protection-fault-in-release_lock_stateid.patch +mips-kaslr-fix-handling-of-null-fdt.patch +ovl-fix-get_acl-on-tmpfs.patch +ovl-update-s_isgid-when-setting-posix-acls.patch +ovl-fsync-after-copy-up.patch +parisc-ensure-consistent-state-when-switching-to-kernel-stack-at-syscall-entry.patch +virtio_ring-make-interrupt-suppression-spec-compliant.patch +virtio_pci-limit-dma-mask-to-44-bits-for-legacy-virtio-devices.patch +virtio-console-unlock-vqs-while-freeing-buffers.patch +dm-mirror-fix-read-error-on-recovery-after-default-leg-failure.patch +dm-table-fix-missing-dm_put_target_type-in-dm_table_add_target.patch +dm-rq-clear-kworker_task-if-kthread_run-returned-an-error.patch +dm-raid-fix-compat_features-validation.patch +dm-raid-fix-activation-of-existing-raid4-10-devices.patch +rtl8xxxu-fix-memory-leak-in-handling-rxdesc16-packets.patch +rtl8xxxu-fix-big-endian-problem-reporting-mactime.patch +rtl8xxxu-fix-rtl8723bu-driver-reload-issue.patch +input-i8042-add-xmg-c504-to-keyboard-reset-table.patch +firewire-net-guard-against-rx-buffer-overflows.patch +firewire-net-fix-fragmented-datagram_size-off-by-one.patch diff --git a/queue-4.8/virtio-console-unlock-vqs-while-freeing-buffers.patch b/queue-4.8/virtio-console-unlock-vqs-while-freeing-buffers.patch new file mode 100644 index 00000000000..59ce31f08e1 --- /dev/null 
+++ b/queue-4.8/virtio-console-unlock-vqs-while-freeing-buffers.patch 
@@ -0,0 +1,86 @@ +From 34563769e438d2881f62cf4d9badc4e589ac0ec0 Mon Sep 17 00:00:00 2001 +From: Matt Redfearn +Date: Tue, 11 Oct 2016 12:05:15 +0100 +Subject: virtio: console: Unlock vqs while freeing buffers + +From: Matt Redfearn + +commit 34563769e438d2881f62cf4d9badc4e589ac0ec0 upstream. + +Commit c6017e793b93 ("virtio: console: add locks around buffer removal +in port unplug path") added locking around the freeing of buffers in the +vq. However, when free_buf() is called with can_sleep = true and rproc +is enabled, it calls dma_free_coherent() directly, requiring interrupts +to be enabled. Currently a WARNING is triggered due to the spin locking +around free_buf, with a call stack like this: + +WARNING: CPU: 3 PID: 121 at ./include/linux/dma-mapping.h:433 +free_buf+0x1a8/0x288 +Call Trace: +[<8040c538>] show_stack+0x74/0xc0 +[<80757240>] dump_stack+0xd0/0x110 +[<80430d98>] __warn+0xfc/0x130 +[<80430ee0>] warn_slowpath_null+0x2c/0x3c +[<807e7c6c>] free_buf+0x1a8/0x288 +[<807ea590>] remove_port_data+0x50/0xac +[<807ea6a0>] unplug_port+0xb4/0x1bc +[<807ea858>] virtcons_remove+0xb0/0xfc +[<807b6734>] virtio_dev_remove+0x58/0xc0 +[<807f918c>] __device_release_driver+0xac/0x134 +[<807f924c>] device_release_driver+0x38/0x50 +[<807f7edc>] bus_remove_device+0xfc/0x130 +[<807f4b74>] device_del+0x17c/0x21c +[<807f4c38>] device_unregister+0x24/0x38 +[<807b6b50>] unregister_virtio_device+0x28/0x44 + +Fix this by restructuring the loops to allow the locks to only be taken +where it is necessary to protect the vqs, and release it while the +buffer is being freed. + +Fixes: c6017e793b93 ("virtio: console: add locks around buffer removal in port unplug path") +Signed-off-by: Matt Redfearn +Signed-off-by: Michael S. 
Tsirkin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/virtio_console.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -1540,19 +1540,29 @@ static void remove_port_data(struct port + spin_lock_irq(&port->inbuf_lock); + /* Remove unused data this port might have received. */ + discard_port_data(port); ++ spin_unlock_irq(&port->inbuf_lock); + + /* Remove buffers we queued up for the Host to send us data in. */ +- while ((buf = virtqueue_detach_unused_buf(port->in_vq))) +- free_buf(buf, true); +- spin_unlock_irq(&port->inbuf_lock); ++ do { ++ spin_lock_irq(&port->inbuf_lock); ++ buf = virtqueue_detach_unused_buf(port->in_vq); ++ spin_unlock_irq(&port->inbuf_lock); ++ if (buf) ++ free_buf(buf, true); ++ } while (buf); + + spin_lock_irq(&port->outvq_lock); + reclaim_consumed_buffers(port); ++ spin_unlock_irq(&port->outvq_lock); + + /* Free pending buffers from the out-queue. */ +- while ((buf = virtqueue_detach_unused_buf(port->out_vq))) +- free_buf(buf, true); +- spin_unlock_irq(&port->outvq_lock); ++ do { ++ spin_lock_irq(&port->outvq_lock); ++ buf = virtqueue_detach_unused_buf(port->out_vq); ++ spin_unlock_irq(&port->outvq_lock); ++ if (buf) ++ free_buf(buf, true); ++ } while (buf); + } + + /* diff --git a/queue-4.8/virtio_pci-limit-dma-mask-to-44-bits-for-legacy-virtio-devices.patch b/queue-4.8/virtio_pci-limit-dma-mask-to-44-bits-for-legacy-virtio-devices.patch new file mode 100644 index 00000000000..d219aac5162 --- /dev/null +++ b/queue-4.8/virtio_pci-limit-dma-mask-to-44-bits-for-legacy-virtio-devices.patch 
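Review bot: The two new do/while loops in remove_port_data() are identical apart from the vq and the lock, and the lock-drop-then-free dance they encode is subtle enough that duplicating it invites the two copies drifting. Factor it into one static helper that takes the virtqueue and its lock, with a comment stating that the lock protects only the vq and that free_buf() runs unlocked because it may sleep. The sketch below assumes `buf` is the `struct port_buffer *` that free_buf() takes, as in the hunk.

```c
/* Detach every unused buffer from @vq and free it.  @lock only protects the
 * virtqueue; free_buf() may sleep, so it is called with the lock dropped. */
static void free_unused_bufs(struct virtqueue *vq, spinlock_t *lock)
{
	struct port_buffer *buf;

	do {
		spin_lock_irq(lock);
		buf = virtqueue_detach_unused_buf(vq);
		spin_unlock_irq(lock);
		if (buf)
			free_buf(buf, true);
	} while (buf);
}

/* … in remove_port_data(), replacing both do/while loops … */
	free_unused_bufs(port->in_vq, &port->inbuf_lock);
	/* … unchanged: outvq_lock / reclaim_consumed_buffers() … */
	free_unused_bufs(port->out_vq, &port->outvq_lock);
```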
@@ -0,0 +1,56 @@
+From a0be1db4304f51c99af6b6e515549794182a94df Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Wed, 14 Sep 2016 17:33:26 +0100
+Subject: virtio_pci: Limit DMA mask to 44 bits for legacy virtio devices
+
+From: Will Deacon
+
+commit a0be1db4304f51c99af6b6e515549794182a94df upstream.
+
+Legacy virtio defines the virtqueue base using a 32-bit PFN field, with
+a read-only register indicating a fixed page size of 4k.
+
+This can cause problems for DMA allocators that allocate top down from
+the DMA mask, which is set to 64 bits. In this case, the addresses are
+silently truncated to 44-bit, leading to IOMMU faults, failure to read
+from the queue or data corruption.
+
+This patch restricts the coherent DMA mask for legacy PCI virtio devices
+to 44 bits, which matches the specification.
+
+Cc: Andy Lutomirski
+Cc: Michael S. Tsirkin
+Cc: Benjamin Serebrin
+Signed-off-by: Will Deacon
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/virtio/virtio_pci_legacy.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/virtio/virtio_pci_legacy.c
++++ b/drivers/virtio/virtio_pci_legacy.c
+@@ -212,10 +212,18 @@ int virtio_pci_legacy_probe(struct virti
+ return -ENODEV;
+ }
+
+- rc = dma_set_mask_and_coherent(&pci_dev->dev, DMA_BIT_MASK(64));
+- if (rc)
+- rc = dma_set_mask_and_coherent(&pci_dev->dev,
+- DMA_BIT_MASK(32));
++ rc = dma_set_mask(&pci_dev->dev, DMA_BIT_MASK(64));
++ if (rc) {
++ rc = dma_set_mask_and_coherent(&pci_dev->dev, DMA_BIT_MASK(32));
++ } else {
++ /*
++ * The virtio ring base address is expressed as a 32-bit PFN,
++ * with a page size of 1 << VIRTIO_PCI_QUEUE_ADDR_SHIFT.
++ */
++ dma_set_coherent_mask(&pci_dev->dev,
++ DMA_BIT_MASK(32 + VIRTIO_PCI_QUEUE_ADDR_SHIFT));
++ }
++
+ if (rc)
+ dev_warn(&pci_dev->dev, "Failed to enable 64-bit or 32-bit DMA. Trying to continue, but this might not work.\n");
+
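Review bot: The return value of dma_set_coherent_mask() in the new else branch is discarded, so if the 44-bit coherent mask is rejected rc stays 0, the dev_warn() below never fires, and ring allocations could still land above the 32-bit PFN range the commit message describes as silently truncated. I would propagate it so the existing warning path covers it, `rc = dma_set_coherent_mask(&pci_dev->dev, DMA_BIT_MASK(32 + VIRTIO_PCI_QUEUE_ADDR_SHIFT));`, and widen the warning text to mention the coherent mask. Whether a 44-bit coherent mask can fail after a 64-bit streaming mask succeeded depends on the platform's DMA-ops checks, presumably rare, but the check is one assignment. virtio_pci_legacy_probe starts and ends outside this hunk.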
diff --git a/queue-4.8/virtio_ring-make-interrupt-suppression-spec-compliant.patch b/queue-4.8/virtio_ring-make-interrupt-suppression-spec-compliant.patch
new file mode 100644
index 00000000000..d79e7bd06f4
--- /dev/null
+++ b/queue-4.8/virtio_ring-make-interrupt-suppression-spec-compliant.patch
@@ -0,0 +1,71 @@
+From 0ea1e4a6d9b62cf29e210d2b4ba9fd43917522e3 Mon Sep 17 00:00:00 2001
+From: Ladi Prosek
+Date: Wed, 31 Aug 2016 14:00:04 +0200
+Subject: virtio_ring: Make interrupt suppression spec compliant
+
+From: Ladi Prosek
+
+commit 0ea1e4a6d9b62cf29e210d2b4ba9fd43917522e3 upstream.
+
+According to the spec, if the VIRTIO_RING_F_EVENT_IDX feature bit is
+negotiated the driver MUST set flags to 0. Not dirtying the available
+ring in virtqueue_disable_cb also has a minor positive performance
+impact, improving L1 dcache load missed by ~0.5% in vring_bench.
+
+Writes to the used event field (vring_used_event) are still unconditional.
+
+Cc: Michael S. Tsirkin
+Signed-off-by: Ladi Prosek
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/virtio/virtio_ring.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/virtio/virtio_ring.c
++++ b/drivers/virtio/virtio_ring.c
+@@ -732,7 +732,8 @@ void virtqueue_disable_cb(struct virtque
+
+ if (!(vq->avail_flags_shadow & VRING_AVAIL_F_NO_INTERRUPT)) {
+ vq->avail_flags_shadow |= VRING_AVAIL_F_NO_INTERRUPT;
+- vq->vring.avail->flags = cpu_to_virtio16(_vq->vdev, vq->avail_flags_shadow);
++ if (!vq->event)
++ vq->vring.avail->flags = cpu_to_virtio16(_vq->vdev, vq->avail_flags_shadow);
+ }
+
+ }
+@@ -764,7 +765,8 @@ unsigned virtqueue_enable_cb_prepare(str
+ * entry. Always do both to keep code simple. */
+ if (vq->avail_flags_shadow & VRING_AVAIL_F_NO_INTERRUPT) {
+ vq->avail_flags_shadow &= ~VRING_AVAIL_F_NO_INTERRUPT;
+- vq->vring.avail->flags = cpu_to_virtio16(_vq->vdev, vq->avail_flags_shadow);
++ if (!vq->event)
++ vq->vring.avail->flags = cpu_to_virtio16(_vq->vdev, vq->avail_flags_shadow);
+ }
+ vring_used_event(&vq->vring) = cpu_to_virtio16(_vq->vdev, last_used_idx = vq->last_used_idx);
+ END_USE(vq);
+@@ -832,10 +834,11 @@ bool virtqueue_enable_cb_delayed(struct
+ * more to do.
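Review bot: The context line `* entry. Always do both to keep code simple. */` in the virtqueue_enable_cb_prepare hunk is now stale, because the new `if (!vq->event)` guard directly below it means the flags bit is no longer cleared when the event index is in use. The following hunk rewords the same sentence in virtqueue_enable_cb_delayed to `* entry. Always update the event index to keep code simple. */`; the prepare variant should get the identical wording so the two comments do not contradict the code or each other. The comment's first two lines and the function's opening lie above the hunk.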
*/
+ /* Depending on the VIRTIO_RING_F_USED_EVENT_IDX feature, we need to
+ * either clear the flags bit or point the event index at the next
+- * entry. Always do both to keep code simple. */
++ * entry. Always update the event index to keep code simple. */
+ if (vq->avail_flags_shadow & VRING_AVAIL_F_NO_INTERRUPT) {
+ vq->avail_flags_shadow &= ~VRING_AVAIL_F_NO_INTERRUPT;
+- vq->vring.avail->flags = cpu_to_virtio16(_vq->vdev, vq->avail_flags_shadow);
++ if (!vq->event)
++ vq->vring.avail->flags = cpu_to_virtio16(_vq->vdev, vq->avail_flags_shadow);
+ }
+ /* TODO: tune this threshold */
+ bufs = (u16)(vq->avail_idx_shadow - vq->last_used_idx) * 3 / 4;
+@@ -953,7 +956,8 @@ struct virtqueue *__vring_new_virtqueue(
+ /* No callback? Tell other side not to bother us. */
+ if (!callback) {
+ vq->avail_flags_shadow |= VRING_AVAIL_F_NO_INTERRUPT;
+- vq->vring.avail->flags = cpu_to_virtio16(vdev, vq->avail_flags_shadow);
++ if (!vq->event)
++ vq->vring.avail->flags = cpu_to_virtio16(vdev, vq->avail_flags_shadow);
+ }
+
+ /* Put everything in free lists. */
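Review bot: With the new guard in __vring_new_virtqueue, avail->flags is never written by the driver when vq->event is set, so the spec requirement the commit message cites (flags MUST be 0 under VIRTIO_RING_F_EVENT_IDX) is now met only if the ring memory handed to this function already holds 0 there; nothing in this hunk clears the field and the ring comes from the caller. If every caller allocates the ring zeroed this is fine, but that precondition lives outside the hunk (TODO confirm for callers that pass their own pages rather than going through the allocating constructor), and a stale VRING_AVAIL_F_NO_INTERRUPT bit in caller-supplied memory would be seen by a device that does not ignore the flag as the spec asks. I would either state the precondition in a comment above the callback check, `/* With the event index negotiated avail->flags stays 0 (ring memory is zero-initialised) and used_event drives suppression. */`, or make it explicit with `if (vq->event) vq->vring.avail->flags = 0;` before that check. Where vq->event is assigned is also outside the hunk; __vring_new_virtqueue starts and ends outside it.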