From: Sasha Levin Date: Thu, 9 Jan 2020 20:37:00 +0000 (-0500) Subject: fixes for 4.14 X-Git-Tag: v4.4.209~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b442e69261b3a53b9a28d15d0180b6490c5b3546;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/arm-dts-am437x-gp-epos-evm-fix-panel-compatible.patch b/queue-4.14/arm-dts-am437x-gp-epos-evm-fix-panel-compatible.patch new file mode 100644 index 00000000000..91d8c897e23 --- /dev/null +++ b/queue-4.14/arm-dts-am437x-gp-epos-evm-fix-panel-compatible.patch @@ -0,0 +1,54 @@ +From 709aaf4194afe261c815152949e0eff305899967 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2019 11:39:48 +0200 +Subject: ARM: dts: am437x-gp/epos-evm: fix panel compatible + +From: Tomi Valkeinen + +[ Upstream commit c6b16761c6908d3dc167a0a566578b4b0b972905 ] + +The LCD panel on AM4 GP EVMs and ePOS boards seems to be +osd070t1718-19ts. The current dts files say osd057T0559-34ts. Possibly +the panel has changed since the early EVMs, or there has been a mistake +with the panel type. + +Update the DT files accordingly. + +Acked-by: Laurent Pinchart +Signed-off-by: Tomi Valkeinen +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/am437x-gp-evm.dts | 2 +- + arch/arm/boot/dts/am43x-epos-evm.dts | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/am437x-gp-evm.dts b/arch/arm/boot/dts/am437x-gp-evm.dts +index afb8eb0a0a16..051823b7e5a1 100644 +--- a/arch/arm/boot/dts/am437x-gp-evm.dts ++++ b/arch/arm/boot/dts/am437x-gp-evm.dts +@@ -83,7 +83,7 @@ + }; + + lcd0: display { +- compatible = "osddisplays,osd057T0559-34ts", "panel-dpi"; ++ compatible = "osddisplays,osd070t1718-19ts", "panel-dpi"; + label = "lcd"; + + panel-timing { +diff --git a/arch/arm/boot/dts/am43x-epos-evm.dts b/arch/arm/boot/dts/am43x-epos-evm.dts +index 081fa68b6f98..c4279b0b9f12 100644 +--- a/arch/arm/boot/dts/am43x-epos-evm.dts ++++ b/arch/arm/boot/dts/am43x-epos-evm.dts +@@ -45,7 +45,7 @@ + }; + + lcd0: display { +- compatible = "osddisplays,osd057T0559-34ts", "panel-dpi"; ++ compatible = "osddisplays,osd070t1718-19ts", "panel-dpi"; + label = "lcd"; + + panel-timing { +-- +2.20.1 + diff --git a/queue-4.14/arm-dts-bcm283x-fix-critical-trip-point.patch b/queue-4.14/arm-dts-bcm283x-fix-critical-trip-point.patch new file mode 100644 index 00000000000..1b646b75ab6 --- /dev/null +++ b/queue-4.14/arm-dts-bcm283x-fix-critical-trip-point.patch @@ -0,0 +1,45 @@ +From 37285b62e671a49ff9240de22b263748a11c21bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Nov 2019 13:31:13 +0100 +Subject: ARM: dts: bcm283x: Fix critical trip point + +From: Stefan Wahren + +[ Upstream commit 30e647a764d446723a7e0fb08d209e0104f16173 ] + +During definition of the CPU thermal zone of BCM283x SoC family there +was a misunderstanding of the meaning "criticial trip point" and the +thermal throttling range of the VideoCore firmware. The latter one takes +effect when the core temperature is at least 85 degree celsius or higher + +So the current critical trip point doesn't make sense, because the +thermal shutdown appears before the firmware has a chance to throttle +the ARM core(s). + +Fix these unwanted shutdowns by increasing the critical trip point +to a value which shouldn't be reached with working thermal throttling. + +Fixes: 0fe4d2181cc4 ("ARM: dts: bcm283x: Add CPU thermal zone with 1 trip point") +Signed-off-by: Stefan Wahren +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm283x.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/bcm283x.dtsi b/arch/arm/boot/dts/bcm283x.dtsi +index 4745e3c7806b..fdb018e1278f 100644 +--- a/arch/arm/boot/dts/bcm283x.dtsi ++++ b/arch/arm/boot/dts/bcm283x.dtsi +@@ -38,7 +38,7 @@ + + trips { + cpu-crit { +- temperature = <80000>; ++ temperature = <90000>; + hysteresis = <0>; + type = "critical"; + }; +-- +2.20.1 + diff --git a/queue-4.14/arm-dts-cygnus-fix-mdio-node-address-size-cells.patch b/queue-4.14/arm-dts-cygnus-fix-mdio-node-address-size-cells.patch new file mode 100644 index 00000000000..0a2c20881f9 --- /dev/null +++ b/queue-4.14/arm-dts-cygnus-fix-mdio-node-address-size-cells.patch @@ -0,0 +1,40 @@ +From 9aee3740cb00989c4b48e3a8bbed861a738f8750 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2019 10:19:09 -0800 +Subject: ARM: dts: Cygnus: Fix MDIO node address/size cells + +From: Florian Fainelli + +[ Upstream commit fac2c2da3596d77c343988bb0d41a8c533b2e73c ] + +The MDIO node on Cygnus had an reversed #address-cells and + #size-cells properties, correct those. + +Fixes: 40c26d3af60a ("ARM: dts: Cygnus: Add the ethernet switch and ethernet PHY") +Reported-by: Simon Horman +Reviewed-by: Ray Jui +Reviewed-by: Simon Horman +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm-cygnus.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/bcm-cygnus.dtsi b/arch/arm/boot/dts/bcm-cygnus.dtsi +index 8b2c65cd61a2..b822952c29f8 100644 +--- a/arch/arm/boot/dts/bcm-cygnus.dtsi ++++ b/arch/arm/boot/dts/bcm-cygnus.dtsi +@@ -165,8 +165,8 @@ + mdio: mdio@18002000 { + compatible = "brcm,iproc-mdio"; + reg = <0x18002000 0x8>; +- #size-cells = <1>; +- #address-cells = <0>; ++ #size-cells = <0>; ++ #address-cells = <1>; + status = "disabled"; + + gphy0: ethernet-phy@0 { +-- +2.20.1 + diff --git a/queue-4.14/arm-vexpress-set-up-shared-opp-table-instead-of-indi.patch b/queue-4.14/arm-vexpress-set-up-shared-opp-table-instead-of-indi.patch new file mode 100644 index 00000000000..11665a2d487 --- /dev/null +++ b/queue-4.14/arm-vexpress-set-up-shared-opp-table-instead-of-indi.patch @@ -0,0 +1,70 @@ +From 4119c33deeaaf36b0cef95a2dfe03795c31d3445 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Nov 2019 15:56:40 +0000 +Subject: ARM: vexpress: Set-up shared OPP table instead of individual for each + CPU + +From: Sudeep Holla + +[ Upstream commit 2a76352ad2cc6b78e58f737714879cc860903802 ] + +Currently we add individual copy of same OPP table for each CPU within +the cluster. This is redundant and doesn't reflect the reality. + +We can't use core cpumask to set policy->cpus in ve_spc_cpufreq_init() +anymore as it gets called via cpuhp_cpufreq_online()->cpufreq_online() +->cpufreq_driver->init() and the cpumask gets updated upon CPU hotplug +operations. It also may cause issues when the vexpress_spc_cpufreq +driver is built as a module. + +Since ve_spc_clk_init is built-in device initcall, we should be able to +use the same topology_core_cpumask to set the opp sharing cpumask via +dev_pm_opp_set_sharing_cpus and use the same later in the driver via +dev_pm_opp_get_sharing_cpus. + +Cc: Liviu Dudau +Cc: Lorenzo Pieralisi +Acked-by: Viresh Kumar +Tested-by: Dietmar Eggemann +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + arch/arm/mach-vexpress/spc.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mach-vexpress/spc.c b/arch/arm/mach-vexpress/spc.c +index fe488523694c..635b0d549487 100644 +--- a/arch/arm/mach-vexpress/spc.c ++++ b/arch/arm/mach-vexpress/spc.c +@@ -555,8 +555,9 @@ static struct clk *ve_spc_clk_register(struct device *cpu_dev) + + static int __init ve_spc_clk_init(void) + { +- int cpu; ++ int cpu, cluster; + struct clk *clk; ++ bool init_opp_table[MAX_CLUSTERS] = { false }; + + if (!info) + return 0; /* Continue only if SPC is initialised */ +@@ -582,8 +583,17 @@ static int __init ve_spc_clk_init(void) + continue; + } + ++ cluster = topology_physical_package_id(cpu_dev->id); ++ if (init_opp_table[cluster]) ++ continue; ++ + if (ve_init_opp_table(cpu_dev)) + pr_warn("failed to initialise cpu%d opp table\n", cpu); ++ else if (dev_pm_opp_set_sharing_cpus(cpu_dev, ++ topology_core_cpumask(cpu_dev->id))) ++ pr_warn("failed to mark OPPs shared for cpu%d\n", cpu); ++ else ++ init_opp_table[cluster] = true; + } + + platform_device_register_simple("vexpress-spc-cpufreq", -1, NULL, 0); +-- +2.20.1 + diff --git a/queue-4.14/asoc-topology-check-return-value-for-soc_tplg_pcm_cr.patch b/queue-4.14/asoc-topology-check-return-value-for-soc_tplg_pcm_cr.patch new file mode 100644 index 00000000000..54f42e9d963 --- /dev/null +++ b/queue-4.14/asoc-topology-check-return-value-for-soc_tplg_pcm_cr.patch @@ -0,0 +1,54 @@ +From ddb2e959c92a484e930193e6bfa470a5c85e6730 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2019 18:39:39 -0600 +Subject: ASoC: topology: Check return value for soc_tplg_pcm_create() + +From: Dragos Tarcatu + +[ Upstream commit a3039aef52d9ffeb67e9211899cd3e8a2953a01f ] + +The return value of soc_tplg_pcm_create() is currently not checked +in soc_tplg_pcm_elems_load(). If an error is to occur there, the +topology ignores it and continues loading. + +Fix that by checking the status and rejecting the topology on error. + +Reviewed-by: Ranjani Sridharan +Signed-off-by: Dragos Tarcatu +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20191210003939.15752-3-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-topology.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c +index 2d5cf263515b..72301bcad3bd 100644 +--- a/sound/soc/soc-topology.c ++++ b/sound/soc/soc-topology.c +@@ -1921,6 +1921,7 @@ static int soc_tplg_pcm_elems_load(struct soc_tplg *tplg, + int count = hdr->count; + int i; + bool abi_match; ++ int ret; + + if (tplg->pass != SOC_TPLG_PASS_PCM_DAI) + return 0; +@@ -1957,7 +1958,12 @@ static int soc_tplg_pcm_elems_load(struct soc_tplg *tplg, + } + + /* create the FE DAIs and DAI links */ +- soc_tplg_pcm_create(tplg, _pcm); ++ ret = soc_tplg_pcm_create(tplg, _pcm); ++ if (ret < 0) { ++ if (!abi_match) ++ kfree(_pcm); ++ return ret; ++ } + + /* offset by version-specific struct size and + * real priv data size +-- +2.20.1 + diff --git a/queue-4.14/asoc-wm8962-fix-lambda-value.patch b/queue-4.14/asoc-wm8962-fix-lambda-value.patch new file mode 100644 index 00000000000..b239a5efaaa --- /dev/null +++ b/queue-4.14/asoc-wm8962-fix-lambda-value.patch @@ -0,0 +1,47 @@ +From dee19a23f0156d9ff8a8cbacc00e15e37eed528f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2019 19:57:22 +0800 +Subject: ASoC: wm8962: fix lambda value + +From: Shengjiu Wang + +[ Upstream commit 556672d75ff486e0b6786056da624131679e0576 ] + +According to user manual, it is required that FLL_LAMBDA > 0 +in all cases (Integer and Franctional modes). + +Fixes: 9a76f1ff6e29 ("ASoC: Add initial WM8962 CODEC driver") +Signed-off-by: Shengjiu Wang +Acked-by: Charles Keepax +Link: https://lore.kernel.org/r/1576065442-19763-1-git-send-email-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm8962.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/wm8962.c b/sound/soc/codecs/wm8962.c +index fd2731d171dd..0e8008d38161 100644 +--- a/sound/soc/codecs/wm8962.c ++++ b/sound/soc/codecs/wm8962.c +@@ -2791,7 +2791,7 @@ static int fll_factors(struct _fll_div *fll_div, unsigned int Fref, + + if (target % Fref == 0) { + fll_div->theta = 0; +- fll_div->lambda = 0; ++ fll_div->lambda = 1; + } else { + gcd_fll = gcd(target, fratio * Fref); + +@@ -2861,7 +2861,7 @@ static int wm8962_set_fll(struct snd_soc_codec *codec, int fll_id, int source, + return -EINVAL; + } + +- if (fll_div.theta || fll_div.lambda) ++ if (fll_div.theta) + fll1 |= WM8962_FLL_FRAC; + + /* Stop the FLL while we reconfigure */ +-- +2.20.1 + diff --git a/queue-4.14/block-fix-memleak-when-__blk_rq_map_user_iov-is-fail.patch b/queue-4.14/block-fix-memleak-when-__blk_rq_map_user_iov-is-fail.patch new file mode 100644 index 00000000000..e10e5574af1 --- /dev/null +++ b/queue-4.14/block-fix-memleak-when-__blk_rq_map_user_iov-is-fail.patch @@ -0,0 +1,62 @@ +From a1a4fd11ba823986311e2d52135ecfb721886006 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 16:44:04 +0800 +Subject: block: fix memleak when __blk_rq_map_user_iov() is failed + +From: Yang Yingliang + +[ Upstream commit 3b7995a98ad76da5597b488fa84aa5a56d43b608 ] + +When I doing fuzzy test, get the memleak report: + +BUG: memory leak +unreferenced object 0xffff88837af80000 (size 4096): + comm "memleak", pid 3557, jiffies 4294817681 (age 112.499s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 20 00 00 00 10 01 00 00 00 00 00 00 01 00 00 00 ............... + backtrace: + [<000000001c894df8>] bio_alloc_bioset+0x393/0x590 + [<000000008b139a3c>] bio_copy_user_iov+0x300/0xcd0 + [<00000000a998bd8c>] blk_rq_map_user_iov+0x2f1/0x5f0 + [<000000005ceb7f05>] blk_rq_map_user+0xf2/0x160 + [<000000006454da92>] sg_common_write.isra.21+0x1094/0x1870 + [<00000000064bb208>] sg_write.part.25+0x5d9/0x950 + [<000000004fc670f6>] sg_write+0x5f/0x8c + [<00000000b0d05c7b>] __vfs_write+0x7c/0x100 + [<000000008e177714>] vfs_write+0x1c3/0x500 + [<0000000087d23f34>] ksys_write+0xf9/0x200 + [<000000002c8dbc9d>] do_syscall_64+0x9f/0x4f0 + [<00000000678d8e9a>] entry_SYSCALL_64_after_hwframe+0x49/0xbe + +If __blk_rq_map_user_iov() is failed in blk_rq_map_user_iov(), +the bio(s) which is allocated before this failing will leak. The +refcount of the bio(s) is init to 1 and increased to 2 by calling +bio_get(), but __blk_rq_unmap_user() only decrease it to 1, so +the bio cannot be freed. Fix it by calling blk_rq_unmap_user(). + +Reviewed-by: Bob Liu +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-map.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/blk-map.c b/block/blk-map.c +index e31be14da8ea..f72a3af689b6 100644 +--- a/block/blk-map.c ++++ b/block/blk-map.c +@@ -152,7 +152,7 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq, + return 0; + + unmap_rq: +- __blk_rq_unmap_user(bio); ++ blk_rq_unmap_user(bio); + fail: + rq->bio = NULL; + return ret; +-- +2.20.1 + diff --git a/queue-4.14/bnx2x-do-not-handle-requests-from-vfs-after-parity.patch b/queue-4.14/bnx2x-do-not-handle-requests-from-vfs-after-parity.patch new file mode 100644 index 00000000000..66708cd1d60 --- /dev/null +++ b/queue-4.14/bnx2x-do-not-handle-requests-from-vfs-after-parity.patch @@ -0,0 +1,88 @@ +From 531fd39d73b6d53a85788e1442f37c30380aca1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2019 09:59:55 -0800 +Subject: bnx2x: Do not handle requests from VFs after parity + +From: Manish Chopra + +[ Upstream commit 7113f796bbbced2470cd6d7379d50d7a7a78bf34 ] + +Parity error from the hardware will cause PF to lose the state +of their VFs due to PF's internal reload and hardware reset following +the parity error. Restrict any configuration request from the VFs after +the parity as it could cause unexpected hardware behavior, only way +for VFs to recover would be to trigger FLR on VFs and reload them. + +Signed-off-by: Manish Chopra +Signed-off-by: Ariel Elior +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 12 ++++++++++-- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h | 1 + + drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c | 12 ++++++++++++ + 3 files changed, 23 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +index dbe8feec456c..b0ada7eac652 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +@@ -9995,10 +9995,18 @@ static void bnx2x_recovery_failed(struct bnx2x *bp) + */ + static void bnx2x_parity_recover(struct bnx2x *bp) + { +- bool global = false; + u32 error_recovered, error_unrecovered; +- bool is_parity; ++ bool is_parity, global = false; ++#ifdef CONFIG_BNX2X_SRIOV ++ int vf_idx; ++ ++ for (vf_idx = 0; vf_idx < bp->requested_nr_virtfn; vf_idx++) { ++ struct bnx2x_virtf *vf = BP_VF(bp, vf_idx); + ++ if (vf) ++ vf->state = VF_LOST; ++ } ++#endif + DP(NETIF_MSG_HW, "Handling parity\n"); + while (1) { + switch (bp->recovery_state) { +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h +index 53466f6cebab..a887bfa24c88 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h +@@ -139,6 +139,7 @@ struct bnx2x_virtf { + #define VF_ACQUIRED 1 /* VF acquired, but not initialized */ + #define VF_ENABLED 2 /* VF Enabled */ + #define VF_RESET 3 /* VF FLR'd, pending cleanup */ ++#define VF_LOST 4 /* Recovery while VFs are loaded */ + + bool flr_clnup_stage; /* true during flr cleanup */ + bool malicious; /* true if FW indicated so, until FLR */ +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c +index 76a4668c50fe..6d5b81a971e3 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c +@@ -2112,6 +2112,18 @@ static void bnx2x_vf_mbx_request(struct bnx2x *bp, struct bnx2x_virtf *vf, + { + int i; + ++ if (vf->state == VF_LOST) { ++ /* Just ack the FW and return if VFs are lost ++ * in case of parity error. VFs are supposed to be timedout ++ * on waiting for PF response. ++ */ ++ DP(BNX2X_MSG_IOV, ++ "VF 0x%x lost, not handling the request\n", vf->abs_vfid); ++ ++ storm_memset_vf_mbx_ack(bp, vf->abs_vfid); ++ return; ++ } ++ + /* check if tlv type is known */ + if (bnx2x_tlv_supported(mbx->first_tlv.tl.type)) { + /* Lock the per vf op mutex and note the locker's identity. +-- +2.20.1 + diff --git a/queue-4.14/bnx2x-fix-logic-to-get-total-no.-of-pfs-per-engine.patch b/queue-4.14/bnx2x-fix-logic-to-get-total-no.-of-pfs-per-engine.patch new file mode 100644 index 00000000000..889a6b4b1c8 --- /dev/null +++ b/queue-4.14/bnx2x-fix-logic-to-get-total-no.-of-pfs-per-engine.patch @@ -0,0 +1,39 @@ +From 4c65a82cea1f4ab725c5570bf618b6043e7c193c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2019 09:59:56 -0800 +Subject: bnx2x: Fix logic to get total no. of PFs per engine + +From: Manish Chopra + +[ Upstream commit ee699f89bdbaa19c399804504241b5c531b48888 ] + +Driver doesn't calculate total number of PFs configured on a +given engine correctly which messed up resources in the PFs +loaded on that engine, leading driver to exceed configuration +of resources (like vlan filters etc.) beyond the limit per +engine, which ended up with asserts from the firmware. + +Signed-off-by: Manish Chopra +Signed-off-by: Ariel Elior +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h +index 4e091a11daaf..52bce009d096 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h +@@ -1112,7 +1112,7 @@ static inline u8 bnx2x_get_path_func_num(struct bnx2x *bp) + for (i = 0; i < E1H_FUNC_MAX / 2; i++) { + u32 func_config = + MF_CFG_RD(bp, +- func_mf_config[BP_PORT(bp) + 2 * i]. ++ func_mf_config[BP_PATH(bp) + 2 * i]. + config); + func_num += + ((func_config & FUNC_MF_CFG_FUNC_HIDE) ? 0 : 1); +-- +2.20.1 + diff --git a/queue-4.14/bpf-mips-limit-to-33-tail-calls.patch b/queue-4.14/bpf-mips-limit-to-33-tail-calls.patch new file mode 100644 index 00000000000..4e5c2236ecb --- /dev/null +++ b/queue-4.14/bpf-mips-limit-to-33-tail-calls.patch @@ -0,0 +1,61 @@ +From c2bbcd04eb508e647163ae8cf8beb91b62b97439 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2019 19:52:52 +0100 +Subject: bpf, mips: Limit to 33 tail calls + +From: Paul Chaignon + +[ Upstream commit e49e6f6db04e915dccb494ae10fa14888fea6f89 ] + +All BPF JIT compilers except RISC-V's and MIPS' enforce a 33-tail calls +limit at runtime. In addition, a test was recently added, in tailcalls2, +to check this limit. + +This patch updates the tail call limit in MIPS' JIT compiler to allow +33 tail calls. + +Fixes: b6bd53f9c4e8 ("MIPS: Add missing file for eBPF JIT.") +Reported-by: Mahshid Khezri +Signed-off-by: Paul Chaignon +Signed-off-by: Daniel Borkmann +Acked-by: Martin KaFai Lau +Link: https://lore.kernel.org/bpf/b8eb2caac1c25453c539248e56ca22f74b5316af.1575916815.git.paul.chaignon@gmail.com +Signed-off-by: Sasha Levin +--- + arch/mips/net/ebpf_jit.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/arch/mips/net/ebpf_jit.c b/arch/mips/net/ebpf_jit.c +index 42faa95ce664..57a7a9d68475 100644 +--- a/arch/mips/net/ebpf_jit.c ++++ b/arch/mips/net/ebpf_jit.c +@@ -612,6 +612,7 @@ static void emit_const_to_reg(struct jit_ctx *ctx, int dst, u64 value) + static int emit_bpf_tail_call(struct jit_ctx *ctx, int this_idx) + { + int off, b_off; ++ int tcc_reg; + + ctx->flags |= EBPF_SEEN_TC; + /* +@@ -624,14 +625,14 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx, int this_idx) + b_off = b_imm(this_idx + 1, ctx); + emit_instr(ctx, bne, MIPS_R_AT, MIPS_R_ZERO, b_off); + /* +- * if (--TCC < 0) ++ * if (TCC-- < 0) + * goto out; + */ + /* Delay slot */ +- emit_instr(ctx, daddiu, MIPS_R_T5, +- (ctx->flags & EBPF_TCC_IN_V1) ? MIPS_R_V1 : MIPS_R_S4, -1); ++ tcc_reg = (ctx->flags & EBPF_TCC_IN_V1) ? MIPS_R_V1 : MIPS_R_S4; ++ emit_instr(ctx, daddiu, MIPS_R_T5, tcc_reg, -1); + b_off = b_imm(this_idx + 1, ctx); +- emit_instr(ctx, bltz, MIPS_R_T5, b_off); ++ emit_instr(ctx, bltz, tcc_reg, b_off); + /* + * prog = array->ptrs[index]; + * if (prog == NULL) +-- +2.20.1 + diff --git a/queue-4.14/efi-gop-fix-memory-leak-in-__gop_query32-64.patch b/queue-4.14/efi-gop-fix-memory-leak-in-__gop_query32-64.patch new file mode 100644 index 00000000000..15a653c4fa8 --- /dev/null +++ b/queue-4.14/efi-gop-fix-memory-leak-in-__gop_query32-64.patch @@ -0,0 +1,150 @@ +From 0774b924fa6a55cfd702683e999436bf6a370c11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2019 16:55:40 +0000 +Subject: efi/gop: Fix memory leak in __gop_query32/64() + +From: Arvind Sankar + +[ Upstream commit ff397be685e410a59c34b21ce0c55d4daa466bb7 ] + +efi_graphics_output_protocol::query_mode() returns info in +callee-allocated memory which must be freed by the caller, which +we aren't doing. + +We don't actually need to call query_mode() in order to obtain the +info for the current graphics mode, which is already there in +gop->mode->info, so just access it directly in the setup_gop32/64() +functions. + +Also nothing uses the size of the info structure, so don't update the +passed-in size (which is the size of the gop_handle table in bytes) +unnecessarily. + +Signed-off-by: Arvind Sankar +Signed-off-by: Ard Biesheuvel +Cc: Andy Shevchenko +Cc: Bhupesh Sharma +Cc: Masayoshi Mizuma +Cc: linux-efi@vger.kernel.org +Link: https://lkml.kernel.org/r/20191206165542.31469-5-ardb@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/gop.c | 66 ++++++------------------------ + 1 file changed, 12 insertions(+), 54 deletions(-) + +diff --git a/drivers/firmware/efi/libstub/gop.c b/drivers/firmware/efi/libstub/gop.c +index 81ffda5d1e48..fd8053f9556e 100644 +--- a/drivers/firmware/efi/libstub/gop.c ++++ b/drivers/firmware/efi/libstub/gop.c +@@ -85,30 +85,6 @@ setup_pixel_info(struct screen_info *si, u32 pixels_per_scan_line, + } + } + +-static efi_status_t +-__gop_query32(efi_system_table_t *sys_table_arg, +- struct efi_graphics_output_protocol_32 *gop32, +- struct efi_graphics_output_mode_info **info, +- unsigned long *size, u64 *fb_base) +-{ +- struct efi_graphics_output_protocol_mode_32 *mode; +- efi_graphics_output_protocol_query_mode query_mode; +- efi_status_t status; +- unsigned long m; +- +- m = gop32->mode; +- mode = (struct efi_graphics_output_protocol_mode_32 *)m; +- query_mode = (void *)(unsigned long)gop32->query_mode; +- +- status = __efi_call_early(query_mode, (void *)gop32, mode->mode, size, +- info); +- if (status != EFI_SUCCESS) +- return status; +- +- *fb_base = mode->frame_buffer_base; +- return status; +-} +- + static efi_status_t + setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si, + efi_guid_t *proto, unsigned long size, void **gop_handle) +@@ -130,6 +106,7 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si, + + nr_gops = size / sizeof(u32); + for (i = 0; i < nr_gops; i++) { ++ struct efi_graphics_output_protocol_mode_32 *mode; + struct efi_graphics_output_mode_info *info = NULL; + efi_guid_t conout_proto = EFI_CONSOLE_OUT_DEVICE_GUID; + bool conout_found = false; +@@ -147,9 +124,11 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si, + if (status == EFI_SUCCESS) + conout_found = true; + +- status = __gop_query32(sys_table_arg, gop32, &info, &size, +- ¤t_fb_base); +- if (status == EFI_SUCCESS && (!first_gop || conout_found) && ++ mode = (void *)(unsigned long)gop32->mode; ++ info = (void *)(unsigned long)mode->info; ++ current_fb_base = mode->frame_buffer_base; ++ ++ if ((!first_gop || conout_found) && + info->pixel_format != PIXEL_BLT_ONLY) { + /* + * Systems that use the UEFI Console Splitter may +@@ -203,30 +182,6 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si, + return EFI_SUCCESS; + } + +-static efi_status_t +-__gop_query64(efi_system_table_t *sys_table_arg, +- struct efi_graphics_output_protocol_64 *gop64, +- struct efi_graphics_output_mode_info **info, +- unsigned long *size, u64 *fb_base) +-{ +- struct efi_graphics_output_protocol_mode_64 *mode; +- efi_graphics_output_protocol_query_mode query_mode; +- efi_status_t status; +- unsigned long m; +- +- m = gop64->mode; +- mode = (struct efi_graphics_output_protocol_mode_64 *)m; +- query_mode = (void *)(unsigned long)gop64->query_mode; +- +- status = __efi_call_early(query_mode, (void *)gop64, mode->mode, size, +- info); +- if (status != EFI_SUCCESS) +- return status; +- +- *fb_base = mode->frame_buffer_base; +- return status; +-} +- + static efi_status_t + setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si, + efi_guid_t *proto, unsigned long size, void **gop_handle) +@@ -248,6 +203,7 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si, + + nr_gops = size / sizeof(u64); + for (i = 0; i < nr_gops; i++) { ++ struct efi_graphics_output_protocol_mode_64 *mode; + struct efi_graphics_output_mode_info *info = NULL; + efi_guid_t conout_proto = EFI_CONSOLE_OUT_DEVICE_GUID; + bool conout_found = false; +@@ -265,9 +221,11 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si, + if (status == EFI_SUCCESS) + conout_found = true; + +- status = __gop_query64(sys_table_arg, gop64, &info, &size, +- ¤t_fb_base); +- if (status == EFI_SUCCESS && (!first_gop || conout_found) && ++ mode = (void *)(unsigned long)gop64->mode; ++ info = (void *)(unsigned long)mode->info; ++ current_fb_base = mode->frame_buffer_base; ++ ++ if ((!first_gop || conout_found) && + info->pixel_format != PIXEL_BLT_ONLY) { + /* + * Systems that use the UEFI Console Splitter may +-- +2.20.1 + diff --git a/queue-4.14/efi-gop-return-efi_not_found-if-there-are-no-usable-.patch b/queue-4.14/efi-gop-return-efi_not_found-if-there-are-no-usable-.patch new file mode 100644 index 00000000000..ef4ba1b3d1d --- /dev/null +++ b/queue-4.14/efi-gop-return-efi_not_found-if-there-are-no-usable-.patch @@ -0,0 +1,91 @@ +From a51d20131b6fb28d1c73a67bbc942e54c31fae5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2019 16:55:38 +0000 +Subject: efi/gop: Return EFI_NOT_FOUND if there are no usable GOPs + +From: Arvind Sankar + +[ Upstream commit 6fc3cec30dfeee7d3c5db8154016aff9d65503c5 ] + +If we don't find a usable instance of the Graphics Output Protocol +(GOP) because none of them have a framebuffer (i.e. they were all +PIXEL_BLT_ONLY), but all the EFI calls succeeded, we will return +EFI_SUCCESS even though we didn't find a usable GOP. + +Fix this by explicitly returning EFI_NOT_FOUND if no usable GOPs are +found, allowing the caller to probe for UGA instead. + +Signed-off-by: Arvind Sankar +Signed-off-by: Ard Biesheuvel +Cc: Andy Shevchenko +Cc: Bhupesh Sharma +Cc: Masayoshi Mizuma +Cc: linux-efi@vger.kernel.org +Link: https://lkml.kernel.org/r/20191206165542.31469-3-ardb@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/gop.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/firmware/efi/libstub/gop.c b/drivers/firmware/efi/libstub/gop.c +index 24c461dea7af..16ed61c023e8 100644 +--- a/drivers/firmware/efi/libstub/gop.c ++++ b/drivers/firmware/efi/libstub/gop.c +@@ -121,7 +121,7 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si, + u64 fb_base; + struct efi_pixel_bitmask pixel_info; + int pixel_format; +- efi_status_t status = EFI_NOT_FOUND; ++ efi_status_t status; + u32 *handles = (u32 *)(unsigned long)gop_handle; + int i; + +@@ -177,7 +177,7 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si, + + /* Did we find any GOPs? */ + if (!first_gop) +- goto out; ++ return EFI_NOT_FOUND; + + /* EFI framebuffer */ + si->orig_video_isVGA = VIDEO_TYPE_EFI; +@@ -199,7 +199,7 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si, + si->lfb_size = si->lfb_linelength * si->lfb_height; + + si->capabilities |= VIDEO_CAPABILITY_SKIP_QUIRKS; +-out: ++ + return status; + } + +@@ -239,7 +239,7 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si, + u64 fb_base; + struct efi_pixel_bitmask pixel_info; + int pixel_format; +- efi_status_t status = EFI_NOT_FOUND; ++ efi_status_t status; + u64 *handles = (u64 *)(unsigned long)gop_handle; + int i; + +@@ -295,7 +295,7 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si, + + /* Did we find any GOPs? */ + if (!first_gop) +- goto out; ++ return EFI_NOT_FOUND; + + /* EFI framebuffer */ + si->orig_video_isVGA = VIDEO_TYPE_EFI; +@@ -317,7 +317,7 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si, + si->lfb_size = si->lfb_linelength * si->lfb_height; + + si->capabilities |= VIDEO_CAPABILITY_SKIP_QUIRKS; +-out: ++ + return status; + } + +-- +2.20.1 + diff --git a/queue-4.14/efi-gop-return-efi_success-if-a-usable-gop-was-found.patch b/queue-4.14/efi-gop-return-efi_success-if-a-usable-gop-was-found.patch new file mode 100644 index 00000000000..91e80c1c2ac --- /dev/null +++ b/queue-4.14/efi-gop-return-efi_success-if-a-usable-gop-was-found.patch @@ -0,0 +1,56 @@ +From a921082aae68e949b51c035f14a19bb214e8236e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2019 16:55:39 +0000 +Subject: efi/gop: Return EFI_SUCCESS if a usable GOP was found + +From: Arvind Sankar + +[ Upstream commit dbd89c303b4420f6cdb689fd398349fc83b059dd ] + +If we've found a usable instance of the Graphics Output Protocol +(GOP) with a framebuffer, it is possible that one of the later EFI +calls fails while checking if any support console output. In this +case status may be an EFI error code even though we found a usable +GOP. + +Fix this by explicitly return EFI_SUCCESS if a usable GOP has been +located. + +Signed-off-by: Arvind Sankar +Signed-off-by: Ard Biesheuvel +Cc: Andy Shevchenko +Cc: Bhupesh Sharma +Cc: Masayoshi Mizuma +Cc: linux-efi@vger.kernel.org +Link: https://lkml.kernel.org/r/20191206165542.31469-4-ardb@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/gop.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/firmware/efi/libstub/gop.c b/drivers/firmware/efi/libstub/gop.c +index 16ed61c023e8..81ffda5d1e48 100644 +--- a/drivers/firmware/efi/libstub/gop.c ++++ b/drivers/firmware/efi/libstub/gop.c +@@ -200,7 +200,7 @@ setup_gop32(efi_system_table_t *sys_table_arg, struct screen_info *si, + + si->capabilities |= VIDEO_CAPABILITY_SKIP_QUIRKS; + +- return status; ++ return EFI_SUCCESS; + } + + static efi_status_t +@@ -318,7 +318,7 @@ setup_gop64(efi_system_table_t *sys_table_arg, struct screen_info *si, + + si->capabilities |= VIDEO_CAPABILITY_SKIP_QUIRKS; + +- return status; ++ return EFI_SUCCESS; + } + + /* +-- +2.20.1 + diff --git a/queue-4.14/fs-avoid-softlockups-in-s_inodes-iterators.patch b/queue-4.14/fs-avoid-softlockups-in-s_inodes-iterators.patch new file mode 100644 index 00000000000..65e1cb4fc76 --- /dev/null +++ b/queue-4.14/fs-avoid-softlockups-in-s_inodes-iterators.patch @@ -0,0 +1,104 @@ +From afc6c4b96f0f851f1ad009bfb2015205ecbc9b81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2019 10:54:23 -0600 +Subject: fs: avoid softlockups in s_inodes iterators + +From: Eric Sandeen + +[ Upstream commit 04646aebd30b99f2cfa0182435a2ec252fcb16d0 ] + +Anything that walks all inodes on sb->s_inodes list without rescheduling +risks softlockups. + +Previous efforts were made in 2 functions, see: + +c27d82f fs/drop_caches.c: avoid softlockups in drop_pagecache_sb() +ac05fbb inode: don't softlockup when evicting inodes + +but there hasn't been an audit of all walkers, so do that now. This +also consistently moves the cond_resched() calls to the bottom of each +loop in cases where it already exists. + +One loop remains: remove_dquot_ref(), because I'm not quite sure how +to deal with that one w/o taking the i_lock. + +Signed-off-by: Eric Sandeen +Reviewed-by: Jan Kara +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/drop_caches.c | 2 +- + fs/inode.c | 7 +++++++ + fs/notify/fsnotify.c | 1 + + fs/quota/dquot.c | 1 + + 4 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/fs/drop_caches.c b/fs/drop_caches.c +index d31b6c72b476..dc1a1d5d825b 100644 +--- a/fs/drop_caches.c ++++ b/fs/drop_caches.c +@@ -35,11 +35,11 @@ static void drop_pagecache_sb(struct super_block *sb, void *unused) + spin_unlock(&inode->i_lock); + spin_unlock(&sb->s_inode_list_lock); + +- cond_resched(); + invalidate_mapping_pages(inode->i_mapping, 0, -1); + iput(toput_inode); + toput_inode = inode; + ++ cond_resched(); + spin_lock(&sb->s_inode_list_lock); + } + spin_unlock(&sb->s_inode_list_lock); +diff --git a/fs/inode.c b/fs/inode.c +index 76f7535fe754..d2a700c5efce 100644 +--- a/fs/inode.c ++++ b/fs/inode.c +@@ -656,6 +656,7 @@ int invalidate_inodes(struct super_block *sb, bool kill_dirty) + struct inode *inode, *next; + LIST_HEAD(dispose); + ++again: + spin_lock(&sb->s_inode_list_lock); + list_for_each_entry_safe(inode, next, &sb->s_inodes, i_sb_list) { + spin_lock(&inode->i_lock); +@@ -678,6 +679,12 @@ int invalidate_inodes(struct super_block *sb, bool kill_dirty) + inode_lru_list_del(inode); + spin_unlock(&inode->i_lock); + list_add(&inode->i_lru, &dispose); ++ if (need_resched()) { ++ spin_unlock(&sb->s_inode_list_lock); ++ cond_resched(); ++ dispose_list(&dispose); ++ goto again; ++ } + } + spin_unlock(&sb->s_inode_list_lock); + +diff --git a/fs/notify/fsnotify.c b/fs/notify/fsnotify.c +index 506da82ff3f1..a308f7a7e577 100644 +--- a/fs/notify/fsnotify.c ++++ b/fs/notify/fsnotify.c +@@ -90,6 +90,7 @@ void fsnotify_unmount_inodes(struct super_block *sb) + + iput_inode = inode; + ++ cond_resched(); + spin_lock(&sb->s_inode_list_lock); + } + spin_unlock(&sb->s_inode_list_lock); +diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c +index 3fdbdd29702b..30f5da8f4aff 100644 +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -976,6 +976,7 @@ static int add_dquot_ref(struct super_block *sb, int type) + * later. + */ + old_inode = inode; ++ cond_resched(); + spin_lock(&sb->s_inode_list_lock); + } + spin_unlock(&sb->s_inode_list_lock); +-- +2.20.1 + diff --git a/queue-4.14/hv_netvsc-fix-unwanted-rx_table-reset.patch b/queue-4.14/hv_netvsc-fix-unwanted-rx_table-reset.patch new file mode 100644 index 00000000000..d6d499f5d06 --- /dev/null +++ b/queue-4.14/hv_netvsc-fix-unwanted-rx_table-reset.patch @@ -0,0 +1,116 @@ +From af19ead418f617c46d65a8e41078e70e86617676 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Dec 2019 18:28:10 -0800 +Subject: hv_netvsc: Fix unwanted rx_table reset + +From: Haiyang Zhang + +[ Upstream commit b0689faa8efc5a3391402d7ae93bd373b7248e51 ] + +In existing code, the receive indirection table, rx_table, is in +struct rndis_device, which will be reset when changing MTU, ringparam, +etc. User configured receive indirection table values will be lost. + +To fix this, move rx_table to struct net_device_context, and check +netif_is_rxfh_configured(), so rx_table will be set to default only +if no user configured value. + +Fixes: ff4a44199012 ("netvsc: allow get/set of RSS indirection table") +Signed-off-by: Haiyang Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hyperv/hyperv_net.h | 3 ++- + drivers/net/hyperv/netvsc_drv.c | 4 ++-- + drivers/net/hyperv/rndis_filter.c | 10 +++++++--- + 3 files changed, 11 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h +index 0f07b5978fa1..fc794e69e6a1 100644 +--- a/drivers/net/hyperv/hyperv_net.h ++++ b/drivers/net/hyperv/hyperv_net.h +@@ -179,7 +179,6 @@ struct rndis_device { + + u8 hw_mac_adr[ETH_ALEN]; + u8 rss_key[NETVSC_HASH_KEYLEN]; +- u16 rx_table[ITAB_NUM]; + }; + + +@@ -741,6 +740,8 @@ struct net_device_context { + + u32 tx_table[VRSS_SEND_TAB_SIZE]; + ++ u16 rx_table[ITAB_NUM]; ++ + /* Ethtool settings */ + bool udp4_l4_hash; + bool udp6_l4_hash; +diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c +index 5a44b9795266..a89de5752a8c 100644 +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -1528,7 +1528,7 @@ static int netvsc_get_rxfh(struct net_device *dev, u32 *indir, u8 *key, + rndis_dev = ndev->extension; + if (indir) { + for (i = 0; i < ITAB_NUM; i++) +- indir[i] = rndis_dev->rx_table[i]; ++ indir[i] = ndc->rx_table[i]; + } + + if (key) +@@ -1558,7 +1558,7 @@ static int netvsc_set_rxfh(struct net_device *dev, const u32 *indir, + return -EINVAL; + + for (i = 0; i < ITAB_NUM; i++) +- rndis_dev->rx_table[i] = indir[i]; ++ ndc->rx_table[i] = indir[i]; + } + + if (!key) { +diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c +index fc1d5e14d83e..b19557c035f2 100644 +--- a/drivers/net/hyperv/rndis_filter.c ++++ b/drivers/net/hyperv/rndis_filter.c +@@ -715,6 +715,7 @@ static int rndis_set_rss_param_msg(struct rndis_device *rdev, + const u8 *rss_key, u16 flag) + { + struct net_device *ndev = rdev->ndev; ++ struct net_device_context *ndc = netdev_priv(ndev); + struct rndis_request *request; + struct rndis_set_request *set; + struct rndis_set_complete *set_complete; +@@ -754,7 +755,7 @@ static int rndis_set_rss_param_msg(struct rndis_device *rdev, + /* Set indirection table entries */ + itab = (u32 *)(rssp + 1); + for (i = 0; i < ITAB_NUM; i++) +- itab[i] = rdev->rx_table[i]; ++ itab[i] = ndc->rx_table[i]; + + /* Set hask key values */ + keyp = (u8 *)((unsigned long)rssp + rssp->kashkey_offset); +@@ -1204,6 +1205,7 @@ struct netvsc_device *rndis_filter_device_add(struct hv_device *dev, + struct netvsc_device_info *device_info) + { + struct net_device *net = hv_get_drvdata(dev); ++ struct net_device_context *ndc = netdev_priv(net); + struct netvsc_device *net_device; + struct rndis_device *rndis_device; + struct ndis_recv_scale_cap rsscap; +@@ -1286,9 +1288,11 @@ struct netvsc_device *rndis_filter_device_add(struct hv_device *dev, + /* We will use the given number of channels if available. */ + net_device->num_chn = min(net_device->max_chn, device_info->num_chn); + +- for (i = 0; i < ITAB_NUM; i++) +- rndis_device->rx_table[i] = ethtool_rxfh_indir_default( ++ if (!netif_is_rxfh_configured(net)) { ++ for (i = 0; i < ITAB_NUM; i++) ++ ndc->rx_table[i] = ethtool_rxfh_indir_default( + i, net_device->num_chn); ++ } + + atomic_set(&net_device->open_chn, 1); + vmbus_set_sc_create_callback(dev->channel, netvsc_sc_open); +-- +2.20.1 + diff --git a/queue-4.14/kconfig-don-t-crash-on-null-expressions-in-expr_eq.patch b/queue-4.14/kconfig-don-t-crash-on-null-expressions-in-expr_eq.patch new file mode 100644 index 00000000000..4e42831a5de --- /dev/null +++ b/queue-4.14/kconfig-don-t-crash-on-null-expressions-in-expr_eq.patch @@ -0,0 +1,42 @@ +From 6e3f6b3300c31faa139ea45ea785fca101859c9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2019 00:19:17 -0800 +Subject: kconfig: don't crash on NULL expressions in expr_eq() + +From: Thomas Hebb + +[ Upstream commit 272a72103012862e3a24ea06635253ead0b6e808 ] + +NULL expressions are taken to always be true, as implemented by the +expr_is_yes() macro and by several other functions in expr.c. As such, +they ought to be valid inputs to expr_eq(), which compares two +expressions. + +Signed-off-by: Thomas Hebb +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/expr.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/scripts/kconfig/expr.c b/scripts/kconfig/expr.c +index ed29bad1f03a..96420b620963 100644 +--- a/scripts/kconfig/expr.c ++++ b/scripts/kconfig/expr.c +@@ -201,6 +201,13 @@ static int expr_eq(struct expr *e1, struct expr *e2) + { + int res, old_count; + ++ /* ++ * A NULL expr is taken to be yes, but there's also a different way to ++ * represent yes. expr_is_yes() checks for either representation. ++ */ ++ if (!e1 || !e2) ++ return expr_is_yes(e1) && expr_is_yes(e2); ++ + if (e1->type != e2->type) + return 0; + switch (e1->type) { +-- +2.20.1 + diff --git a/queue-4.14/libtraceevent-fix-lib-installation-with-o.patch b/queue-4.14/libtraceevent-fix-lib-installation-with-o.patch new file mode 100644 index 00000000000..3e8765f266e --- /dev/null +++ b/queue-4.14/libtraceevent-fix-lib-installation-with-o.patch @@ -0,0 +1,56 @@ +From d599a3cf283b13d42611cd522bb3000f09f34430 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2019 11:36:09 +0000 +Subject: libtraceevent: Fix lib installation with O= + +From: Sudip Mukherjee + +[ Upstream commit 587db8ebdac2c5eb3a8851e16b26f2e2711ab797 ] + +When we use 'O=' with make to build libtraceevent in a separate folder +it fails to install libtraceevent.a and libtraceevent.so.1.1.0 with the +error: + + INSTALL /home/sudip/linux/obj-trace/libtraceevent.a + INSTALL /home/sudip/linux/obj-trace/libtraceevent.so.1.1.0 + + cp: cannot stat 'libtraceevent.a': No such file or directory + Makefile:225: recipe for target 'install_lib' failed + make: *** [install_lib] Error 1 + +I used the command: + + make O=../../../obj-trace DESTDIR=~/test prefix==/usr install + +It turns out libtraceevent Makefile, even though it builds in a separate +folder, searches for libtraceevent.a and libtraceevent.so.1.1.0 in its +source folder. + +So, add the 'OUTPUT' prefix to the source path so that 'make' looks for +the files in the correct place. + +Signed-off-by: Sudipm Mukherjee +Reviewed-by: Steven Rostedt (VMware) +Cc: linux-trace-devel@vger.kernel.org +Link: http://lore.kernel.org/lkml/20191115113610.21493-1-sudipm.mukherjee@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/lib/traceevent/Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/lib/traceevent/Makefile b/tools/lib/traceevent/Makefile +index 8107f060fa84..a0ac01c647f5 100644 +--- a/tools/lib/traceevent/Makefile ++++ b/tools/lib/traceevent/Makefile +@@ -115,6 +115,7 @@ EVENT_PARSE_VERSION = $(EP_VERSION).$(EP_PATCHLEVEL).$(EP_EXTRAVERSION) + + LIB_TARGET = libtraceevent.a libtraceevent.so.$(EVENT_PARSE_VERSION) + LIB_INSTALL = libtraceevent.a libtraceevent.so* ++LIB_INSTALL := $(addprefix $(OUTPUT),$(LIB_INSTALL)) + + INCLUDES = -I. -I $(srctree)/tools/include $(CONFIG_INCLUDES) + +-- +2.20.1 + diff --git a/queue-4.14/llc2-fix-return-statement-of-llc_stat_ev_rx_null_dsa.patch b/queue-4.14/llc2-fix-return-statement-of-llc_stat_ev_rx_null_dsa.patch new file mode 100644 index 00000000000..c05edc81148 --- /dev/null +++ b/queue-4.14/llc2-fix-return-statement-of-llc_stat_ev_rx_null_dsa.patch @@ -0,0 +1,53 @@ +From 4335b61d98250aaed99e655a2005fe98c0028993 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Dec 2019 14:16:18 +0800 +Subject: llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and + _test_c) + +From: Chan Shu Tak, Alex + +[ Upstream commit af1c0e4e00f3cc76cb136ebf2e2c04e8b6446285 ] + +When a frame with NULL DSAP is received, llc_station_rcv is called. +In turn, llc_stat_ev_rx_null_dsap_xid_c is called to check if it is a NULL +XID frame. The return statement of llc_stat_ev_rx_null_dsap_xid_c returns 1 +when the incoming frame is not a NULL XID frame and 0 otherwise. Hence, a +NULL XID response is returned unexpectedly, e.g. when the incoming frame is +a NULL TEST command. + +To fix the error, simply remove the conditional operator. + +A similar error in llc_stat_ev_rx_null_dsap_test_c is also fixed. + +Signed-off-by: Chan Shu Tak, Alex +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/llc/llc_station.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/llc/llc_station.c b/net/llc/llc_station.c +index 204a8351efff..c29170e767a8 100644 +--- a/net/llc/llc_station.c ++++ b/net/llc/llc_station.c +@@ -32,7 +32,7 @@ static int llc_stat_ev_rx_null_dsap_xid_c(struct sk_buff *skb) + return LLC_PDU_IS_CMD(pdu) && /* command PDU */ + LLC_PDU_TYPE_IS_U(pdu) && /* U type PDU */ + LLC_U_PDU_CMD(pdu) == LLC_1_PDU_CMD_XID && +- !pdu->dsap ? 0 : 1; /* NULL DSAP value */ ++ !pdu->dsap; /* NULL DSAP value */ + } + + static int llc_stat_ev_rx_null_dsap_test_c(struct sk_buff *skb) +@@ -42,7 +42,7 @@ static int llc_stat_ev_rx_null_dsap_test_c(struct sk_buff *skb) + return LLC_PDU_IS_CMD(pdu) && /* command PDU */ + LLC_PDU_TYPE_IS_U(pdu) && /* U type PDU */ + LLC_U_PDU_CMD(pdu) == LLC_1_PDU_CMD_TEST && +- !pdu->dsap ? 0 : 1; /* NULL DSAP */ ++ !pdu->dsap; /* NULL DSAP */ + } + + static int llc_station_ac_send_xid_r(struct sk_buff *skb) +-- +2.20.1 + diff --git a/queue-4.14/locking-spinlock-debug-fix-various-data-races.patch b/queue-4.14/locking-spinlock-debug-fix-various-data-races.patch new file mode 100644 index 00000000000..b868a75f898 --- /dev/null +++ b/queue-4.14/locking-spinlock-debug-fix-various-data-races.patch @@ -0,0 +1,145 @@ +From 98206811ac0422c2fa609761d64da7a4f13a28fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Nov 2019 16:57:15 +0100 +Subject: locking/spinlock/debug: Fix various data races + +From: Marco Elver + +[ Upstream commit 1a365e822372ba24c9da0822bc583894f6f3d821 ] + +This fixes various data races in spinlock_debug. By testing with KCSAN, +it is observable that the console gets spammed with data races reports, +suggesting these are extremely frequent. + +Example data race report: + + read to 0xffff8ab24f403c48 of 4 bytes by task 221 on cpu 2: + debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline] + do_raw_spin_lock+0x9b/0x210 kernel/locking/spinlock_debug.c:112 + __raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline] + _raw_spin_lock+0x39/0x40 kernel/locking/spinlock.c:151 + spin_lock include/linux/spinlock.h:338 [inline] + get_partial_node.isra.0.part.0+0x32/0x2f0 mm/slub.c:1873 + get_partial_node mm/slub.c:1870 [inline] + + + write to 0xffff8ab24f403c48 of 4 bytes by task 167 on cpu 3: + debug_spin_unlock kernel/locking/spinlock_debug.c:103 [inline] + do_raw_spin_unlock+0xc9/0x1a0 kernel/locking/spinlock_debug.c:138 + __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:159 [inline] + _raw_spin_unlock_irqrestore+0x2d/0x50 kernel/locking/spinlock.c:191 + spin_unlock_irqrestore include/linux/spinlock.h:393 [inline] + free_debug_processing+0x1b3/0x210 mm/slub.c:1214 + __slab_free+0x292/0x400 mm/slub.c:2864 + + +As a side-effect, with KCSAN, this eventually locks up the console, most +likely due to deadlock, e.g. .. -> printk lock -> spinlock_debug -> +KCSAN detects data race -> kcsan_print_report() -> printk lock -> +deadlock. + +This fix will 1) avoid the data races, and 2) allow using lock debugging +together with KCSAN. + +Reported-by: Qian Cai +Signed-off-by: Marco Elver +Cc: Andrew Morton +Cc: Linus Torvalds +Cc: Paul E. McKenney +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Will Deacon +Link: https://lkml.kernel.org/r/20191120155715.28089-1-elver@google.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/locking/spinlock_debug.c | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +diff --git a/kernel/locking/spinlock_debug.c b/kernel/locking/spinlock_debug.c +index 9aa0fccd5d43..03595c29c566 100644 +--- a/kernel/locking/spinlock_debug.c ++++ b/kernel/locking/spinlock_debug.c +@@ -51,19 +51,19 @@ EXPORT_SYMBOL(__rwlock_init); + + static void spin_dump(raw_spinlock_t *lock, const char *msg) + { +- struct task_struct *owner = NULL; ++ struct task_struct *owner = READ_ONCE(lock->owner); + +- if (lock->owner && lock->owner != SPINLOCK_OWNER_INIT) +- owner = lock->owner; ++ if (owner == SPINLOCK_OWNER_INIT) ++ owner = NULL; + printk(KERN_EMERG "BUG: spinlock %s on CPU#%d, %s/%d\n", + msg, raw_smp_processor_id(), + current->comm, task_pid_nr(current)); + printk(KERN_EMERG " lock: %pS, .magic: %08x, .owner: %s/%d, " + ".owner_cpu: %d\n", +- lock, lock->magic, ++ lock, READ_ONCE(lock->magic), + owner ? owner->comm : "", + owner ? task_pid_nr(owner) : -1, +- lock->owner_cpu); ++ READ_ONCE(lock->owner_cpu)); + dump_stack(); + } + +@@ -80,16 +80,16 @@ static void spin_bug(raw_spinlock_t *lock, const char *msg) + static inline void + debug_spin_lock_before(raw_spinlock_t *lock) + { +- SPIN_BUG_ON(lock->magic != SPINLOCK_MAGIC, lock, "bad magic"); +- SPIN_BUG_ON(lock->owner == current, lock, "recursion"); +- SPIN_BUG_ON(lock->owner_cpu == raw_smp_processor_id(), ++ SPIN_BUG_ON(READ_ONCE(lock->magic) != SPINLOCK_MAGIC, lock, "bad magic"); ++ SPIN_BUG_ON(READ_ONCE(lock->owner) == current, lock, "recursion"); ++ SPIN_BUG_ON(READ_ONCE(lock->owner_cpu) == raw_smp_processor_id(), + lock, "cpu recursion"); + } + + static inline void debug_spin_lock_after(raw_spinlock_t *lock) + { +- lock->owner_cpu = raw_smp_processor_id(); +- lock->owner = current; ++ WRITE_ONCE(lock->owner_cpu, raw_smp_processor_id()); ++ WRITE_ONCE(lock->owner, current); + } + + static inline void debug_spin_unlock(raw_spinlock_t *lock) +@@ -99,8 +99,8 @@ static inline void debug_spin_unlock(raw_spinlock_t *lock) + SPIN_BUG_ON(lock->owner != current, lock, "wrong owner"); + SPIN_BUG_ON(lock->owner_cpu != raw_smp_processor_id(), + lock, "wrong CPU"); +- lock->owner = SPINLOCK_OWNER_INIT; +- lock->owner_cpu = -1; ++ WRITE_ONCE(lock->owner, SPINLOCK_OWNER_INIT); ++ WRITE_ONCE(lock->owner_cpu, -1); + } + + /* +@@ -183,8 +183,8 @@ static inline void debug_write_lock_before(rwlock_t *lock) + + static inline void debug_write_lock_after(rwlock_t *lock) + { +- lock->owner_cpu = raw_smp_processor_id(); +- lock->owner = current; ++ WRITE_ONCE(lock->owner_cpu, raw_smp_processor_id()); ++ WRITE_ONCE(lock->owner, current); + } + + static inline void debug_write_unlock(rwlock_t *lock) +@@ -193,8 +193,8 @@ static inline void debug_write_unlock(rwlock_t *lock) + RWLOCK_BUG_ON(lock->owner != current, lock, "wrong owner"); + RWLOCK_BUG_ON(lock->owner_cpu != raw_smp_processor_id(), + lock, "wrong CPU"); +- lock->owner = SPINLOCK_OWNER_INIT; +- lock->owner_cpu = -1; ++ WRITE_ONCE(lock->owner, SPINLOCK_OWNER_INIT); ++ WRITE_ONCE(lock->owner_cpu, -1); + } + + void do_raw_write_lock(rwlock_t *lock) +-- +2.20.1 + diff --git a/queue-4.14/mwifiex-fix-heap-overflow-in-mmwifiex_process_tdls_a.patch b/queue-4.14/mwifiex-fix-heap-overflow-in-mmwifiex_process_tdls_a.patch new file mode 100644 index 00000000000..8b285b6361b --- /dev/null +++ b/queue-4.14/mwifiex-fix-heap-overflow-in-mmwifiex_process_tdls_a.patch @@ -0,0 +1,165 @@ +From 84ab7c7e26c23f989b7792a41c9aab4a381cc4bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Nov 2019 18:10:54 +0800 +Subject: mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: qize wang + +[ Upstream commit 1e58252e334dc3f3756f424a157d1b7484464c40 ] + +mwifiex_process_tdls_action_frame() without checking +the incoming tdls infomation element's vality before use it, +this may cause multi heap buffer overflows. + +Fix them by putting vality check before use it. + +IE is TLV struct, but ht_cap and ht_oper aren’t TLV struct. +the origin marvell driver code is wrong: + +memcpy(&sta_ptr->tdls_cap.ht_oper, pos,.... +memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,... + +Fix the bug by changing pos(the address of IE) to +pos+2 ( the address of IE value ). + +Signed-off-by: qize wang +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/tdls.c | 70 +++++++++++++++++++-- + 1 file changed, 64 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c b/drivers/net/wireless/marvell/mwifiex/tdls.c +index e76af2866a19..b5340af9fa5e 100644 +--- a/drivers/net/wireless/marvell/mwifiex/tdls.c ++++ b/drivers/net/wireless/marvell/mwifiex/tdls.c +@@ -956,59 +956,117 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv, + + switch (*pos) { + case WLAN_EID_SUPP_RATES: ++ if (pos[1] > 32) ++ return; + sta_ptr->tdls_cap.rates_len = pos[1]; + for (i = 0; i < pos[1]; i++) + sta_ptr->tdls_cap.rates[i] = pos[i + 2]; + break; + + case WLAN_EID_EXT_SUPP_RATES: ++ if (pos[1] > 32) ++ return; + basic = sta_ptr->tdls_cap.rates_len; ++ if (pos[1] > 32 - basic) ++ return; + for (i = 0; i < pos[1]; i++) + sta_ptr->tdls_cap.rates[basic + i] = pos[i + 2]; + sta_ptr->tdls_cap.rates_len += pos[1]; + break; + case WLAN_EID_HT_CAPABILITY: +- memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos, ++ if (pos > end - sizeof(struct ieee80211_ht_cap) - 2) ++ return; ++ if (pos[1] != sizeof(struct ieee80211_ht_cap)) ++ return; ++ /* copy the ie's value into ht_capb*/ ++ memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos + 2, + sizeof(struct ieee80211_ht_cap)); + sta_ptr->is_11n_enabled = 1; + break; + case WLAN_EID_HT_OPERATION: +- memcpy(&sta_ptr->tdls_cap.ht_oper, pos, ++ if (pos > end - ++ sizeof(struct ieee80211_ht_operation) - 2) ++ return; ++ if (pos[1] != sizeof(struct ieee80211_ht_operation)) ++ return; ++ /* copy the ie's value into ht_oper*/ ++ memcpy(&sta_ptr->tdls_cap.ht_oper, pos + 2, + sizeof(struct ieee80211_ht_operation)); + break; + case WLAN_EID_BSS_COEX_2040: ++ if (pos > end - 3) ++ return; ++ if (pos[1] != 1) ++ return; + sta_ptr->tdls_cap.coex_2040 = pos[2]; + break; + case WLAN_EID_EXT_CAPABILITY: ++ if (pos > end - sizeof(struct ieee_types_header)) ++ return; ++ if (pos[1] < sizeof(struct ieee_types_header)) ++ return; ++ if (pos[1] > 8) ++ return; + memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos, + sizeof(struct ieee_types_header) + + min_t(u8, pos[1], 8)); + break; + case WLAN_EID_RSN: ++ if (pos > end - sizeof(struct ieee_types_header)) ++ return; ++ if (pos[1] < sizeof(struct ieee_types_header)) ++ return; ++ if (pos[1] > IEEE_MAX_IE_SIZE - ++ sizeof(struct ieee_types_header)) ++ return; + memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos, + sizeof(struct ieee_types_header) + + min_t(u8, pos[1], IEEE_MAX_IE_SIZE - + sizeof(struct ieee_types_header))); + break; + case WLAN_EID_QOS_CAPA: ++ if (pos > end - 3) ++ return; ++ if (pos[1] != 1) ++ return; + sta_ptr->tdls_cap.qos_info = pos[2]; + break; + case WLAN_EID_VHT_OPERATION: +- if (priv->adapter->is_hw_11ac_capable) +- memcpy(&sta_ptr->tdls_cap.vhtoper, pos, ++ if (priv->adapter->is_hw_11ac_capable) { ++ if (pos > end - ++ sizeof(struct ieee80211_vht_operation) - 2) ++ return; ++ if (pos[1] != ++ sizeof(struct ieee80211_vht_operation)) ++ return; ++ /* copy the ie's value into vhtoper*/ ++ memcpy(&sta_ptr->tdls_cap.vhtoper, pos + 2, + sizeof(struct ieee80211_vht_operation)); ++ } + break; + case WLAN_EID_VHT_CAPABILITY: + if (priv->adapter->is_hw_11ac_capable) { +- memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos, ++ if (pos > end - ++ sizeof(struct ieee80211_vht_cap) - 2) ++ return; ++ if (pos[1] != sizeof(struct ieee80211_vht_cap)) ++ return; ++ /* copy the ie's value into vhtcap*/ ++ memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos + 2, + sizeof(struct ieee80211_vht_cap)); + sta_ptr->is_11ac_enabled = 1; + } + break; + case WLAN_EID_AID: +- if (priv->adapter->is_hw_11ac_capable) ++ if (priv->adapter->is_hw_11ac_capable) { ++ if (pos > end - 4) ++ return; ++ if (pos[1] != 2) ++ return; + sta_ptr->tdls_cap.aid = + get_unaligned_le16((pos + 2)); ++ } ++ break; + default: + break; + } +-- +2.20.1 + diff --git a/queue-4.14/net-stmmac-do-not-accept-invalid-mtu-values.patch b/queue-4.14/net-stmmac-do-not-accept-invalid-mtu-values.patch new file mode 100644 index 00000000000..9fa595f272a --- /dev/null +++ b/queue-4.14/net-stmmac-do-not-accept-invalid-mtu-values.patch @@ -0,0 +1,59 @@ +From 637c226b0fa1421a605503f000b19c00af0dba6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 11:17:37 +0100 +Subject: net: stmmac: Do not accept invalid MTU values + +From: Jose Abreu + +[ Upstream commit eaf4fac478077d4ed57cbca2c044c4b58a96bd98 ] + +The maximum MTU value is determined by the maximum size of TX FIFO so +that a full packet can fit in the FIFO. Add a check for this in the MTU +change callback. + +Also check if provided and rounded MTU does not passes the maximum limit +of 16K. + +Changes from v2: +- Align MTU before checking if its valid + +Fixes: 7ac6653a085b ("stmmac: Move the STMicroelectronics driver") +Signed-off-by: Jose Abreu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index e6d16c48ffef..4ef923f1094a 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -3597,12 +3597,24 @@ static void stmmac_set_rx_mode(struct net_device *dev) + static int stmmac_change_mtu(struct net_device *dev, int new_mtu) + { + struct stmmac_priv *priv = netdev_priv(dev); ++ int txfifosz = priv->plat->tx_fifo_size; ++ ++ if (txfifosz == 0) ++ txfifosz = priv->dma_cap.tx_fifo_size; ++ ++ txfifosz /= priv->plat->tx_queues_to_use; + + if (netif_running(dev)) { + netdev_err(priv->dev, "must be stopped to change its MTU\n"); + return -EBUSY; + } + ++ new_mtu = STMMAC_ALIGN(new_mtu); ++ ++ /* If condition true, FIFO is too small or MTU too large */ ++ if ((txfifosz < new_mtu) || (new_mtu > BUF_SIZE_16KiB)) ++ return -EINVAL; ++ + dev->mtu = new_mtu; + + netdev_update_features(dev); +-- +2.20.1 + diff --git a/queue-4.14/net-stmmac-rx-buffer-size-must-be-16-byte-aligned.patch b/queue-4.14/net-stmmac-rx-buffer-size-must-be-16-byte-aligned.patch new file mode 100644 index 00000000000..098923e5c04 --- /dev/null +++ b/queue-4.14/net-stmmac-rx-buffer-size-must-be-16-byte-aligned.patch @@ -0,0 +1,39 @@ +From 015b30c20d0ca1c147ceaa1fdf001a428e83f592 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2019 11:17:40 +0100 +Subject: net: stmmac: RX buffer size must be 16 byte aligned + +From: Jose Abreu + +[ Upstream commit 8d558f0294fe92e04af192e221d0d0f6a180ee7b ] + +We need to align the RX buffer size to at least 16 byte so that IP +doesn't mis-behave. This is required by HW. + +Changes from v2: +- Align UP and not DOWN (David) + +Fixes: 7ac6653a085b ("stmmac: Move the STMicroelectronics driver") +Signed-off-by: Jose Abreu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 4ef923f1094a..e89466bd432d 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -51,7 +51,7 @@ + #include + #include "dwmac1000.h" + +-#define STMMAC_ALIGN(x) __ALIGN_KERNEL(x, SMP_CACHE_BYTES) ++#define STMMAC_ALIGN(x) ALIGN(ALIGN(x, SMP_CACHE_BYTES), 16) + #define TSO_MAX_BUFF_SIZE (SZ_16K - 1) + + /* Module parameters */ +-- +2.20.1 + diff --git a/queue-4.14/net-usb-lan78xx-fix-error-message-format-specifier.patch b/queue-4.14/net-usb-lan78xx-fix-error-message-format-specifier.patch new file mode 100644 index 00000000000..2c20c27c165 --- /dev/null +++ b/queue-4.14/net-usb-lan78xx-fix-error-message-format-specifier.patch @@ -0,0 +1,35 @@ +From 87951238aabe69e4b4c8b822004f6254c463c675 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Dec 2019 18:33:11 +0200 +Subject: net: usb: lan78xx: Fix error message format specifier + +From: Cristian Birsan + +[ Upstream commit 858ce8ca62ea1530f2779d0e3f934b0176e663c3 ] + +Display the return code as decimal integer. + +Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver") +Signed-off-by: Cristian Birsan +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/lan78xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c +index 7d1d5b30ecc3..0aa6f3a5612d 100644 +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -497,7 +497,7 @@ static int lan78xx_read_stats(struct lan78xx_net *dev, + } + } else { + netdev_warn(dev->net, +- "Failed to read stat ret = 0x%x", ret); ++ "Failed to read stat ret = %d", ret); + } + + kfree(stats); +-- +2.20.1 + diff --git a/queue-4.14/netfilter-ctnetlink-netns-exit-must-wait-for-callbac.patch b/queue-4.14/netfilter-ctnetlink-netns-exit-must-wait-for-callbac.patch new file mode 100644 index 00000000000..63f4f531ed7 --- /dev/null +++ b/queue-4.14/netfilter-ctnetlink-netns-exit-must-wait-for-callbac.patch @@ -0,0 +1,79 @@ +From c07e4bb8226a30abfeb8aeb5c509c8649bca28be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Nov 2019 12:39:23 +0100 +Subject: netfilter: ctnetlink: netns exit must wait for callbacks + +From: Florian Westphal + +[ Upstream commit 18a110b022a5c02e7dc9f6109d0bd93e58ac6ebb ] + +Curtis Taylor and Jon Maxwell reported and debugged a crash on 3.10 +based kernel. + +Crash occurs in ctnetlink_conntrack_events because net->nfnl socket is +NULL. The nfnl socket was set to NULL by netns destruction running on +another cpu. + +The exiting network namespace calls the relevant destructors in the +following order: + +1. ctnetlink_net_exit_batch + +This nulls out the event callback pointer in struct netns. + +2. nfnetlink_net_exit_batch + +This nulls net->nfnl socket and frees it. + +3. nf_conntrack_cleanup_net_list + +This removes all remaining conntrack entries. + +This is order is correct. The only explanation for the crash so ar is: + +cpu1: conntrack is dying, eviction occurs: + -> nf_ct_delete() + -> nf_conntrack_event_report \ + -> nf_conntrack_eventmask_report + -> notify->fcn() (== ctnetlink_conntrack_events). + +cpu1: a. fetches rcu protected pointer to obtain ctnetlink event callback. + b. gets interrupted. + cpu2: runs netns exit handlers: + a runs ctnetlink destructor, event cb pointer set to NULL. + b runs nfnetlink destructor, nfnl socket is closed and set to NULL. +cpu1: c. resumes and trips over NULL net->nfnl. + +Problem appears to be that ctnetlink_net_exit_batch only prevents future +callers of nf_conntrack_eventmask_report() from obtaining the callback. +It doesn't wait of other cpus that might have already obtained the +callbacks address. + +I don't see anything in upstream kernels that would prevent similar +crash: We need to wait for all cpus to have exited the event callback. + +Fixes: 9592a5c01e79dbc59eb56fa ("netfilter: ctnetlink: netns support") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_netlink.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index c781c9a1a697..39a32edaa92c 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -3422,6 +3422,9 @@ static void __net_exit ctnetlink_net_exit_batch(struct list_head *net_exit_list) + + list_for_each_entry(net, net_exit_list, exit_list) + ctnetlink_net_exit(net); ++ ++ /* wait for other cpus until they are done with ctnl_notifiers */ ++ synchronize_rcu(); + } + + static struct pernet_operations ctnetlink_net_ops = { +-- +2.20.1 + diff --git a/queue-4.14/netfilter-nf_tables-validate-nft_set_elem_interval_e.patch b/queue-4.14/netfilter-nf_tables-validate-nft_set_elem_interval_e.patch new file mode 100644 index 00000000000..943a866ac88 --- /dev/null +++ b/queue-4.14/netfilter-nf_tables-validate-nft_set_elem_interval_e.patch @@ -0,0 +1,50 @@ +From e7354dcb258e90f90884bbe407ec7f03a0d48e6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2019 21:55:20 +0100 +Subject: netfilter: nf_tables: validate NFT_SET_ELEM_INTERVAL_END + +From: Pablo Neira Ayuso + +[ Upstream commit bffc124b6fe37d0ae9b428d104efb426403bb5c9 ] + +Only NFTA_SET_ELEM_KEY and NFTA_SET_ELEM_FLAGS make sense for elements +whose NFT_SET_ELEM_INTERVAL_END flag is set on. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 7ef126489d4e..91490446ebb4 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -3917,14 +3917,20 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, + if (nla[NFTA_SET_ELEM_DATA] == NULL && + !(flags & NFT_SET_ELEM_INTERVAL_END)) + return -EINVAL; +- if (nla[NFTA_SET_ELEM_DATA] != NULL && +- flags & NFT_SET_ELEM_INTERVAL_END) +- return -EINVAL; + } else { + if (nla[NFTA_SET_ELEM_DATA] != NULL) + return -EINVAL; + } + ++ if ((flags & NFT_SET_ELEM_INTERVAL_END) && ++ (nla[NFTA_SET_ELEM_DATA] || ++ nla[NFTA_SET_ELEM_OBJREF] || ++ nla[NFTA_SET_ELEM_TIMEOUT] || ++ nla[NFTA_SET_ELEM_EXPIRATION] || ++ nla[NFTA_SET_ELEM_USERDATA] || ++ nla[NFTA_SET_ELEM_EXPR])) ++ return -EINVAL; ++ + timeout = 0; + if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) { + if (!(set->flags & NFT_SET_TIMEOUT)) +-- +2.20.1 + diff --git a/queue-4.14/netfilter-uapi-avoid-undefined-left-shift-in-xt_sctp.patch b/queue-4.14/netfilter-uapi-avoid-undefined-left-shift-in-xt_sctp.patch new file mode 100644 index 00000000000..6af982be92c --- /dev/null +++ b/queue-4.14/netfilter-uapi-avoid-undefined-left-shift-in-xt_sctp.patch @@ -0,0 +1,50 @@ +From e19745afca367256665de90e78586ba1af981480 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2019 13:35:11 +0100 +Subject: netfilter: uapi: Avoid undefined left-shift in xt_sctp.h + +From: Phil Sutter + +[ Upstream commit 164166558aacea01b99c8c8ffb710d930405ba69 ] + +With 'bytes(__u32)' being 32, a left-shift of 31 may happen which is +undefined for the signed 32-bit value 1. Avoid this by declaring 1 as +unsigned. + +Signed-off-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/uapi/linux/netfilter/xt_sctp.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/include/uapi/linux/netfilter/xt_sctp.h b/include/uapi/linux/netfilter/xt_sctp.h +index 4bc6d1a08781..b4d804a9fccb 100644 +--- a/include/uapi/linux/netfilter/xt_sctp.h ++++ b/include/uapi/linux/netfilter/xt_sctp.h +@@ -41,19 +41,19 @@ struct xt_sctp_info { + #define SCTP_CHUNKMAP_SET(chunkmap, type) \ + do { \ + (chunkmap)[type / bytes(__u32)] |= \ +- 1 << (type % bytes(__u32)); \ ++ 1u << (type % bytes(__u32)); \ + } while (0) + + #define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \ + do { \ + (chunkmap)[type / bytes(__u32)] &= \ +- ~(1 << (type % bytes(__u32))); \ ++ ~(1u << (type % bytes(__u32))); \ + } while (0) + + #define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \ + ({ \ + ((chunkmap)[type / bytes (__u32)] & \ +- (1 << (type % bytes (__u32)))) ? 1: 0; \ ++ (1u << (type % bytes (__u32)))) ? 1: 0; \ + }) + + #define SCTP_CHUNKMAP_RESET(chunkmap) \ +-- +2.20.1 + diff --git a/queue-4.14/parisc-fix-compiler-warnings-in-debug_core.c.patch b/queue-4.14/parisc-fix-compiler-warnings-in-debug_core.c.patch new file mode 100644 index 00000000000..f3af7449e5b --- /dev/null +++ b/queue-4.14/parisc-fix-compiler-warnings-in-debug_core.c.patch @@ -0,0 +1,53 @@ +From 9dfb287fbf62b4171aa6fca6b24d3f222b662cd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Dec 2019 21:00:19 +0100 +Subject: parisc: Fix compiler warnings in debug_core.c +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Helge Deller + +[ Upstream commit 75cf9797006a3a9f29a3a25c1febd6842a4a9eb2 ] + +Fix this compiler warning: +kernel/debug/debug_core.c: In function ‘kgdb_cpu_enter’: +arch/parisc/include/asm/cmpxchg.h:48:3: warning: value computed is not used [-Wunused-value] + 48 | ((__typeof__(*(ptr)))__xchg((unsigned long)(x), (ptr), sizeof(*(ptr)))) +arch/parisc/include/asm/atomic.h:78:30: note: in expansion of macro ‘xchg’ + 78 | #define atomic_xchg(v, new) (xchg(&((v)->counter), new)) + | ^~~~ +kernel/debug/debug_core.c:596:4: note: in expansion of macro ‘atomic_xchg’ + 596 | atomic_xchg(&kgdb_active, cpu); + | ^~~~~~~~~~~ + +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/include/asm/cmpxchg.h | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/arch/parisc/include/asm/cmpxchg.h b/arch/parisc/include/asm/cmpxchg.h +index f627c37dad9c..ab5c215cf46c 100644 +--- a/arch/parisc/include/asm/cmpxchg.h ++++ b/arch/parisc/include/asm/cmpxchg.h +@@ -44,8 +44,14 @@ __xchg(unsigned long x, __volatile__ void *ptr, int size) + ** if (((unsigned long)p & 0xf) == 0) + ** return __ldcw(p); + */ +-#define xchg(ptr, x) \ +- ((__typeof__(*(ptr)))__xchg((unsigned long)(x), (ptr), sizeof(*(ptr)))) ++#define xchg(ptr, x) \ ++({ \ ++ __typeof__(*(ptr)) __ret; \ ++ __typeof__(*(ptr)) _x_ = (x); \ ++ __ret = (__typeof__(*(ptr))) \ ++ __xchg((unsigned long)_x_, (ptr), sizeof(*(ptr))); \ ++ __ret; \ ++}) + + /* bug catcher for when unsupported size is used - won't link */ + extern void __cmpxchg_called_with_bad_pointer(void); +-- +2.20.1 + diff --git a/queue-4.14/perf-x86-intel-fix-pt-pmi-handling.patch b/queue-4.14/perf-x86-intel-fix-pt-pmi-handling.patch new file mode 100644 index 00000000000..78053606841 --- /dev/null +++ b/queue-4.14/perf-x86-intel-fix-pt-pmi-handling.patch @@ -0,0 +1,76 @@ +From f137080ad4e0a7a0f633f94a761faf44bbc361cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2019 12:51:01 +0200 +Subject: perf/x86/intel: Fix PT PMI handling + +From: Alexander Shishkin + +[ Upstream commit 92ca7da4bdc24d63bb0bcd241c11441ddb63b80a ] + +Commit: + + ccbebba4c6bf ("perf/x86/intel/pt: Bypass PT vs. LBR exclusivity if the core supports it") + +skips the PT/LBR exclusivity check on CPUs where PT and LBRs coexist, but +also inadvertently skips the active_events bump for PT in that case, which +is a bug. If there aren't any hardware events at the same time as PT, the +PMI handler will ignore PT PMIs, as active_events reads zero in that case, +resulting in the "Uhhuh" spurious NMI warning and PT data loss. + +Fix this by always increasing active_events for PT events. + +Fixes: ccbebba4c6bf ("perf/x86/intel/pt: Bypass PT vs. LBR exclusivity if the core supports it") +Reported-by: Vitaly Slobodskoy +Signed-off-by: Alexander Shishkin +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Alexey Budankov +Cc: Jiri Olsa +Cc: Ingo Molnar +Cc: Arnaldo Carvalho de Melo +Link: https://lkml.kernel.org/r/20191210105101.77210-1-alexander.shishkin@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/core.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c +index 6ed99de2ddf5..c1f7b3cb84a9 100644 +--- a/arch/x86/events/core.c ++++ b/arch/x86/events/core.c +@@ -375,7 +375,7 @@ int x86_add_exclusive(unsigned int what) + * LBR and BTS are still mutually exclusive. + */ + if (x86_pmu.lbr_pt_coexist && what == x86_lbr_exclusive_pt) +- return 0; ++ goto out; + + if (!atomic_inc_not_zero(&x86_pmu.lbr_exclusive[what])) { + mutex_lock(&pmc_reserve_mutex); +@@ -387,6 +387,7 @@ int x86_add_exclusive(unsigned int what) + mutex_unlock(&pmc_reserve_mutex); + } + ++out: + atomic_inc(&active_events); + return 0; + +@@ -397,11 +398,15 @@ int x86_add_exclusive(unsigned int what) + + void x86_del_exclusive(unsigned int what) + { ++ atomic_dec(&active_events); ++ ++ /* ++ * See the comment in x86_add_exclusive(). ++ */ + if (x86_pmu.lbr_pt_coexist && what == x86_lbr_exclusive_pt) + return; + + atomic_dec(&x86_pmu.lbr_exclusive[what]); +- atomic_dec(&active_events); + } + + int x86_setup_perfctr(struct perf_event *event) +-- +2.20.1 + diff --git a/queue-4.14/powerpc-ensure-that-swiotlb-buffer-is-allocated-from.patch b/queue-4.14/powerpc-ensure-that-swiotlb-buffer-is-allocated-from.patch new file mode 100644 index 00000000000..52be7888fa7 --- /dev/null +++ b/queue-4.14/powerpc-ensure-that-swiotlb-buffer-is-allocated-from.patch @@ -0,0 +1,49 @@ +From ab1c37ff22826f8523644d44807401788c63a2b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2019 14:35:24 +0200 +Subject: powerpc: Ensure that swiotlb buffer is allocated from low memory + +From: Mike Rapoport + +[ Upstream commit 8fabc623238e68b3ac63c0dd1657bf86c1fa33af ] + +Some powerpc platforms (e.g. 85xx) limit DMA-able memory way below 4G. +If a system has more physical memory than this limit, the swiotlb +buffer is not addressable because it is allocated from memblock using +top-down mode. + +Force memblock to bottom-up mode before calling swiotlb_init() to +ensure that the swiotlb buffer is DMA-able. + +Reported-by: Christian Zigotzky +Signed-off-by: Mike Rapoport +Reviewed-by: Christoph Hellwig +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20191204123524.22919-1-rppt@kernel.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/mem.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/powerpc/mm/mem.c b/arch/powerpc/mm/mem.c +index 30bf13b72e5e..3c5abfbbe60e 100644 +--- a/arch/powerpc/mm/mem.c ++++ b/arch/powerpc/mm/mem.c +@@ -353,6 +353,14 @@ void __init mem_init(void) + BUILD_BUG_ON(MMU_PAGE_COUNT > 16); + + #ifdef CONFIG_SWIOTLB ++ /* ++ * Some platforms (e.g. 85xx) limit DMA-able memory way below ++ * 4G. We force memblock to bottom-up mode to ensure that the ++ * memory allocated in swiotlb_init() is DMA-able. ++ * As it's the last memblock allocation, no need to reset it ++ * back to to-down. ++ */ ++ memblock_set_bottom_up(true); + swiotlb_init(0); + #endif + +-- +2.20.1 + diff --git a/queue-4.14/regulator-rn5t618-fix-module-aliases.patch b/queue-4.14/regulator-rn5t618-fix-module-aliases.patch new file mode 100644 index 00000000000..b5d5d717406 --- /dev/null +++ b/queue-4.14/regulator-rn5t618-fix-module-aliases.patch @@ -0,0 +1,36 @@ +From 23cb7ca1c739f6d15b5b93294b46f43a51b167e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2019 23:16:00 +0100 +Subject: regulator: rn5t618: fix module aliases + +From: Andreas Kemnade + +[ Upstream commit 62a1923cc8fe095912e6213ed5de27abbf1de77e ] + +platform device aliases were missing, preventing +autoloading of module. + +Fixes: 811b700630ff ("regulator: rn5t618: add driver for Ricoh RN5T618 regulators") +Signed-off-by: Andreas Kemnade +Link: https://lore.kernel.org/r/20191211221600.29438-1-andreas@kemnade.info +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/rn5t618-regulator.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/regulator/rn5t618-regulator.c b/drivers/regulator/rn5t618-regulator.c +index 790a4a73ea2c..40b74648bd31 100644 +--- a/drivers/regulator/rn5t618-regulator.c ++++ b/drivers/regulator/rn5t618-regulator.c +@@ -154,6 +154,7 @@ static struct platform_driver rn5t618_regulator_driver = { + + module_platform_driver(rn5t618_regulator_driver); + ++MODULE_ALIAS("platform:rn5t618-regulator"); + MODULE_AUTHOR("Beniamino Galvani "); + MODULE_DESCRIPTION("RN5T618 regulator driver"); + MODULE_LICENSE("GPL v2"); +-- +2.20.1 + diff --git a/queue-4.14/rfkill-fix-incorrect-check-to-avoid-null-pointer-der.patch b/queue-4.14/rfkill-fix-incorrect-check-to-avoid-null-pointer-der.patch new file mode 100644 index 00000000000..c641436c893 --- /dev/null +++ b/queue-4.14/rfkill-fix-incorrect-check-to-avoid-null-pointer-der.patch @@ -0,0 +1,44 @@ +From 123e12f4f2dcb20da71f1e09c6d84deb7f19de33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Dec 2019 09:34:08 -0600 +Subject: rfkill: Fix incorrect check to avoid NULL pointer dereference + +From: Aditya Pakki + +[ Upstream commit 6fc232db9e8cd50b9b83534de9cd91ace711b2d7 ] + +In rfkill_register, the struct rfkill pointer is first derefernced +and then checked for NULL. This patch removes the BUG_ON and returns +an error to the caller in case rfkill is NULL. + +Signed-off-by: Aditya Pakki +Link: https://lore.kernel.org/r/20191215153409.21696-1-pakki001@umn.edu +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/rfkill/core.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/rfkill/core.c b/net/rfkill/core.c +index 99a2e55b01cf..e31b4288f32c 100644 +--- a/net/rfkill/core.c ++++ b/net/rfkill/core.c +@@ -998,10 +998,13 @@ static void rfkill_sync_work(struct work_struct *work) + int __must_check rfkill_register(struct rfkill *rfkill) + { + static unsigned long rfkill_no; +- struct device *dev = &rfkill->dev; ++ struct device *dev; + int error; + +- BUG_ON(!rfkill); ++ if (!rfkill) ++ return -EINVAL; ++ ++ dev = &rfkill->dev; + + mutex_lock(&rfkill_global_mutex); + +-- +2.20.1 + diff --git a/queue-4.14/s390-dasd-cio-interpret-ccw_device_get_mdc-return-va.patch b/queue-4.14/s390-dasd-cio-interpret-ccw_device_get_mdc-return-va.patch new file mode 100644 index 00000000000..c865126868d --- /dev/null +++ b/queue-4.14/s390-dasd-cio-interpret-ccw_device_get_mdc-return-va.patch @@ -0,0 +1,98 @@ +From fab227330bbf185969ea290d6b7868fd6156ca4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Dec 2019 09:43:50 +0100 +Subject: s390/dasd/cio: Interpret ccw_device_get_mdc return value correctly +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jan Höppner + +[ Upstream commit dd4b3c83b9efac10d48a94c61372119fc555a077 ] + +The max data count (mdc) is an unsigned 16-bit integer value as per AR +documentation and is received via ccw_device_get_mdc() for a specific +path mask from the CIO layer. The function itself also always returns a +positive mdc value or 0 in case mdc isn't supported or couldn't be +determined. + +Though, the comment for this function describes a negative return value +to indicate failures. + +As a result, the DASD device driver interprets the return value of +ccw_device_get_mdc() incorrectly. The error case is essentially a dead +code path. + +To fix this behaviour, check explicitly for a return value of 0 and +change the comment for ccw_device_get_mdc() accordingly. + +This fix merely enables the error code path in the DASD functions +get_fcx_max_data() and verify_fcx_max_data(). The actual functionality +stays the same and is still correct. + +Reviewed-by: Cornelia Huck +Signed-off-by: Jan Höppner +Acked-by: Peter Oberparleiter +Reviewed-by: Stefan Haberland +Signed-off-by: Stefan Haberland +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/s390/block/dasd_eckd.c | 9 +++++---- + drivers/s390/cio/device_ops.c | 2 +- + 2 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c +index 0d5e2d92e05b..81359312a987 100644 +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -1133,7 +1133,8 @@ static u32 get_fcx_max_data(struct dasd_device *device) + { + struct dasd_eckd_private *private = device->private; + int fcx_in_css, fcx_in_gneq, fcx_in_features; +- int tpm, mdc; ++ unsigned int mdc; ++ int tpm; + + if (dasd_nofcx) + return 0; +@@ -1147,7 +1148,7 @@ static u32 get_fcx_max_data(struct dasd_device *device) + return 0; + + mdc = ccw_device_get_mdc(device->cdev, 0); +- if (mdc < 0) { ++ if (mdc == 0) { + dev_warn(&device->cdev->dev, "Detecting the maximum supported data size for zHPF requests failed\n"); + return 0; + } else { +@@ -1158,12 +1159,12 @@ static u32 get_fcx_max_data(struct dasd_device *device) + static int verify_fcx_max_data(struct dasd_device *device, __u8 lpm) + { + struct dasd_eckd_private *private = device->private; +- int mdc; ++ unsigned int mdc; + u32 fcx_max_data; + + if (private->fcx_max_data) { + mdc = ccw_device_get_mdc(device->cdev, lpm); +- if ((mdc < 0)) { ++ if (mdc == 0) { + dev_warn(&device->cdev->dev, + "Detecting the maximum data size for zHPF " + "requests failed (rc=%d) for a new path %x\n", +diff --git a/drivers/s390/cio/device_ops.c b/drivers/s390/cio/device_ops.c +index b22922ec32d1..474afec9ab87 100644 +--- a/drivers/s390/cio/device_ops.c ++++ b/drivers/s390/cio/device_ops.c +@@ -595,7 +595,7 @@ EXPORT_SYMBOL(ccw_device_tm_start_timeout); + * @mask: mask of paths to use + * + * Return the number of 64K-bytes blocks all paths at least support +- * for a transport command. Return values <= 0 indicate failures. ++ * for a transport command. Return value 0 indicates failure. + */ + int ccw_device_get_mdc(struct ccw_device *cdev, u8 mask) + { +-- +2.20.1 + diff --git a/queue-4.14/s390-dasd-fix-memleak-in-path-handling-error-case.patch b/queue-4.14/s390-dasd-fix-memleak-in-path-handling-error-case.patch new file mode 100644 index 00000000000..6bed28d7f0a --- /dev/null +++ b/queue-4.14/s390-dasd-fix-memleak-in-path-handling-error-case.patch @@ -0,0 +1,76 @@ +From 98ee1326de3f70b31bf545d45c5ae47791cfc3a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Dec 2019 09:43:51 +0100 +Subject: s390/dasd: fix memleak in path handling error case + +From: Stefan Haberland + +[ Upstream commit 00b39f698a4f1ee897227cace2e3937fc4412270 ] + +If for whatever reason the dasd_eckd_check_characteristics() function +exits after at least some paths have their configuration data +allocated those data is never freed again. In the error case the +device->private pointer is set to NULL and dasd_eckd_uncheck_device() +will exit without freeing the path data because of this NULL pointer. + +Fix by calling dasd_eckd_clear_conf_data() for error cases. + +Also use dasd_eckd_clear_conf_data() in dasd_eckd_uncheck_device() +to avoid code duplication. + +Reported-by: Qian Cai +Reviewed-by: Jan Hoeppner +Signed-off-by: Stefan Haberland +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/s390/block/dasd_eckd.c | 19 ++----------------- + 1 file changed, 2 insertions(+), 17 deletions(-) + +diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c +index 81359312a987..aa651403546f 100644 +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -1768,7 +1768,7 @@ dasd_eckd_check_characteristics(struct dasd_device *device) + dasd_free_block(device->block); + device->block = NULL; + out_err1: +- kfree(private->conf_data); ++ dasd_eckd_clear_conf_data(device); + kfree(device->private); + device->private = NULL; + return rc; +@@ -1777,7 +1777,6 @@ dasd_eckd_check_characteristics(struct dasd_device *device) + static void dasd_eckd_uncheck_device(struct dasd_device *device) + { + struct dasd_eckd_private *private = device->private; +- int i; + + if (!private) + return; +@@ -1787,21 +1786,7 @@ static void dasd_eckd_uncheck_device(struct dasd_device *device) + private->sneq = NULL; + private->vdsneq = NULL; + private->gneq = NULL; +- private->conf_len = 0; +- for (i = 0; i < 8; i++) { +- kfree(device->path[i].conf_data); +- if ((__u8 *)device->path[i].conf_data == +- private->conf_data) { +- private->conf_data = NULL; +- private->conf_len = 0; +- } +- device->path[i].conf_data = NULL; +- device->path[i].cssid = 0; +- device->path[i].ssid = 0; +- device->path[i].chpid = 0; +- } +- kfree(private->conf_data); +- private->conf_data = NULL; ++ dasd_eckd_clear_conf_data(device); + } + + static struct dasd_ccw_req * +-- +2.20.1 + diff --git a/queue-4.14/samples-bpf-fix-syscall_tp-due-to-unused-syscall.patch b/queue-4.14/samples-bpf-fix-syscall_tp-due-to-unused-syscall.patch new file mode 100644 index 00000000000..8a4772ae1b4 --- /dev/null +++ b/queue-4.14/samples-bpf-fix-syscall_tp-due-to-unused-syscall.patch @@ -0,0 +1,62 @@ +From 3d3e4476af048689ccb91d3a7b0df631e469a9ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2019 17:01:14 +0900 +Subject: samples: bpf: fix syscall_tp due to unused syscall + +From: Daniel T. Lee + +[ Upstream commit fe3300897cbfd76c6cb825776e5ac0ca50a91ca4 ] + +Currently, open() is called from the user program and it calls the syscall +'sys_openat', not the 'sys_open'. This leads to an error of the program +of user side, due to the fact that the counter maps are zero since no +function such 'sys_open' is called. + +This commit adds the kernel bpf program which are attached to the +tracepoint 'sys_enter_openat' and 'sys_enter_openat'. + +Fixes: 1da236b6be963 ("bpf: add a test case for syscalls/sys_{enter|exit}_* tracepoints") +Signed-off-by: Daniel T. Lee +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + samples/bpf/syscall_tp_kern.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/samples/bpf/syscall_tp_kern.c b/samples/bpf/syscall_tp_kern.c +index 9149c524d279..8833aacb9c8c 100644 +--- a/samples/bpf/syscall_tp_kern.c ++++ b/samples/bpf/syscall_tp_kern.c +@@ -50,13 +50,27 @@ static __always_inline void count(void *map) + SEC("tracepoint/syscalls/sys_enter_open") + int trace_enter_open(struct syscalls_enter_open_args *ctx) + { +- count((void *)&enter_open_map); ++ count(&enter_open_map); ++ return 0; ++} ++ ++SEC("tracepoint/syscalls/sys_enter_openat") ++int trace_enter_open_at(struct syscalls_enter_open_args *ctx) ++{ ++ count(&enter_open_map); + return 0; + } + + SEC("tracepoint/syscalls/sys_exit_open") + int trace_enter_exit(struct syscalls_exit_open_args *ctx) + { +- count((void *)&exit_open_map); ++ count(&exit_open_map); ++ return 0; ++} ++ ++SEC("tracepoint/syscalls/sys_exit_openat") ++int trace_enter_exit_at(struct syscalls_exit_open_args *ctx) ++{ ++ count(&exit_open_map); + return 0; + } +-- +2.20.1 + diff --git a/queue-4.14/samples-bpf-replace-symbol-compare-of-trace_event.patch b/queue-4.14/samples-bpf-replace-symbol-compare-of-trace_event.patch new file mode 100644 index 00000000000..aa490b6bb8a --- /dev/null +++ b/queue-4.14/samples-bpf-replace-symbol-compare-of-trace_event.patch @@ -0,0 +1,45 @@ +From 06b296d762c6720973489ef0b823c12dd367fc48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2019 17:01:13 +0900 +Subject: samples: bpf: Replace symbol compare of trace_event + +From: Daniel T. Lee + +[ Upstream commit bba1b2a890253528c45aa66cf856f289a215bfbc ] + +Previously, when this sample is added, commit 1c47910ef8013 +("samples/bpf: add perf_event+bpf example"), a symbol 'sys_read' and +'sys_write' has been used without no prefixes. But currently there are +no exact symbols with these under kallsyms and this leads to failure. + +This commit changes exact compare to substring compare to keep compatible +with exact symbol or prefixed symbol. + +Fixes: 1c47910ef8013 ("samples/bpf: add perf_event+bpf example") +Signed-off-by: Daniel T. Lee +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20191205080114.19766-2-danieltimlee@gmail.com +Signed-off-by: Sasha Levin +--- + samples/bpf/trace_event_user.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/samples/bpf/trace_event_user.c b/samples/bpf/trace_event_user.c +index c7d525e5696e..8c7445874662 100644 +--- a/samples/bpf/trace_event_user.c ++++ b/samples/bpf/trace_event_user.c +@@ -34,9 +34,9 @@ static void print_ksym(__u64 addr) + return; + sym = ksym_search(addr); + printf("%s;", sym->name); +- if (!strcmp(sym->name, "sys_read")) ++ if (!strstr(sym->name, "sys_read")) + sys_read_seen = true; +- else if (!strcmp(sym->name, "sys_write")) ++ else if (!strstr(sym->name, "sys_write")) + sys_write_seen = true; + } + +-- +2.20.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 2cd6538e94e..b1ad95b5529 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -1,2 +1,39 @@ usb-dummy-hcd-use-usb_urb_dir_in-instead-of-usb_pipein.patch usb-dummy-hcd-increase-max-number-of-devices-to-32.patch +locking-spinlock-debug-fix-various-data-races.patch +netfilter-ctnetlink-netns-exit-must-wait-for-callbac.patch +mwifiex-fix-heap-overflow-in-mmwifiex_process_tdls_a.patch +libtraceevent-fix-lib-installation-with-o.patch +x86-efi-update-e820-with-reserved-efi-boot-services-.patch +efi-gop-return-efi_not_found-if-there-are-no-usable-.patch +efi-gop-return-efi_success-if-a-usable-gop-was-found.patch +efi-gop-fix-memory-leak-in-__gop_query32-64.patch +arm-vexpress-set-up-shared-opp-table-instead-of-indi.patch +netfilter-uapi-avoid-undefined-left-shift-in-xt_sctp.patch +netfilter-nf_tables-validate-nft_set_elem_interval_e.patch +arm-dts-cygnus-fix-mdio-node-address-size-cells.patch +spi-spi-cavium-thunderx-add-missing-pci_release_regi.patch +asoc-topology-check-return-value-for-soc_tplg_pcm_cr.patch +arm-dts-bcm283x-fix-critical-trip-point.patch +bpf-mips-limit-to-33-tail-calls.patch +arm-dts-am437x-gp-epos-evm-fix-panel-compatible.patch +samples-bpf-replace-symbol-compare-of-trace_event.patch +samples-bpf-fix-syscall_tp-due-to-unused-syscall.patch +powerpc-ensure-that-swiotlb-buffer-is-allocated-from.patch +bnx2x-do-not-handle-requests-from-vfs-after-parity.patch +bnx2x-fix-logic-to-get-total-no.-of-pfs-per-engine.patch +net-usb-lan78xx-fix-error-message-format-specifier.patch +rfkill-fix-incorrect-check-to-avoid-null-pointer-der.patch +asoc-wm8962-fix-lambda-value.patch +regulator-rn5t618-fix-module-aliases.patch +kconfig-don-t-crash-on-null-expressions-in-expr_eq.patch +perf-x86-intel-fix-pt-pmi-handling.patch +fs-avoid-softlockups-in-s_inodes-iterators.patch +net-stmmac-do-not-accept-invalid-mtu-values.patch +net-stmmac-rx-buffer-size-must-be-16-byte-aligned.patch +s390-dasd-cio-interpret-ccw_device_get_mdc-return-va.patch +s390-dasd-fix-memleak-in-path-handling-error-case.patch +block-fix-memleak-when-__blk_rq_map_user_iov-is-fail.patch +parisc-fix-compiler-warnings-in-debug_core.c.patch +llc2-fix-return-statement-of-llc_stat_ev_rx_null_dsa.patch +hv_netvsc-fix-unwanted-rx_table-reset.patch diff --git a/queue-4.14/spi-spi-cavium-thunderx-add-missing-pci_release_regi.patch b/queue-4.14/spi-spi-cavium-thunderx-add-missing-pci_release_regi.patch new file mode 100644 index 00000000000..9a702ae5c08 --- /dev/null +++ b/queue-4.14/spi-spi-cavium-thunderx-add-missing-pci_release_regi.patch @@ -0,0 +1,44 @@ +From db0367bf2b46d13ae70a61ea9a32a92fe42cf723 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2019 15:55:00 +0800 +Subject: spi: spi-cavium-thunderx: Add missing pci_release_regions() + +From: Chuhong Yuan + +[ Upstream commit a841e2853e1afecc2ee692b8cc5bff606bc84e4c ] + +The driver forgets to call pci_release_regions() in probe failure +and remove. +Add the missed calls to fix it. + +Signed-off-by: Chuhong Yuan +Link: https://lore.kernel.org/r/20191206075500.18525-1-hslester96@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-cavium-thunderx.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/spi/spi-cavium-thunderx.c b/drivers/spi/spi-cavium-thunderx.c +index 877937706240..828fbbebc3c4 100644 +--- a/drivers/spi/spi-cavium-thunderx.c ++++ b/drivers/spi/spi-cavium-thunderx.c +@@ -81,6 +81,7 @@ static int thunderx_spi_probe(struct pci_dev *pdev, + + error: + clk_disable_unprepare(p->clk); ++ pci_release_regions(pdev); + spi_master_put(master); + return ret; + } +@@ -95,6 +96,7 @@ static void thunderx_spi_remove(struct pci_dev *pdev) + return; + + clk_disable_unprepare(p->clk); ++ pci_release_regions(pdev); + /* Put everything in a known state. */ + writeq(0, p->register_base + OCTEON_SPI_CFG(p)); + } +-- +2.20.1 + diff --git a/queue-4.14/x86-efi-update-e820-with-reserved-efi-boot-services-.patch b/queue-4.14/x86-efi-update-e820-with-reserved-efi-boot-services-.patch new file mode 100644 index 00000000000..572d963849d --- /dev/null +++ b/queue-4.14/x86-efi-update-e820-with-reserved-efi-boot-services-.patch @@ -0,0 +1,86 @@ +From 54b20104bee5a7f55f0782362c4c44d6461634da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2019 15:52:33 +0800 +Subject: x86/efi: Update e820 with reserved EFI boot services data to fix + kexec breakage + +From: Dave Young + +[ Upstream commit af164898482817a1d487964b68f3c21bae7a1beb ] + +Michael Weiser reported that he got this error during a kexec rebooting: + + esrt: Unsupported ESRT version 2904149718861218184. + +The ESRT memory stays in EFI boot services data, and it was reserved +in kernel via efi_mem_reserve(). The initial purpose of the reservation +is to reuse the EFI boot services data across kexec reboot. For example +the BGRT image data and some ESRT memory like Michael reported. + +But although the memory is reserved it is not updated in the X86 E820 table, +and kexec_file_load() iterates system RAM in the IO resource list to find places +for kernel, initramfs and other stuff. In Michael's case the kexec loaded +initramfs overwrote the ESRT memory and then the failure happened. + +Since kexec_file_load() depends on the E820 table being updated, just fix this +by updating the reserved EFI boot services memory as reserved type in E820. + +Originally any memory descriptors with EFI_MEMORY_RUNTIME attribute are +bypassed in the reservation code path because they are assumed as reserved. + +But the reservation is still needed for multiple kexec reboots, +and it is the only possible case we come here thus just drop the code +chunk, then everything works without side effects. + +On my machine the ESRT memory sits in an EFI runtime data range, it does +not trigger the problem, but I successfully tested with BGRT instead. +both kexec_load() and kexec_file_load() work and kdump works as well. + +[ mingo: Edited the changelog. ] + +Reported-by: Michael Weiser +Tested-by: Michael Weiser +Signed-off-by: Dave Young +Cc: Ard Biesheuvel +Cc: Borislav Petkov +Cc: Eric W. Biederman +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: kexec@lists.infradead.org +Cc: linux-efi@vger.kernel.org +Link: https://lkml.kernel.org/r/20191204075233.GA10520@dhcp-128-65.nay.redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/platform/efi/quirks.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/platform/efi/quirks.c b/arch/x86/platform/efi/quirks.c +index 5b513ccffde4..cadd7fd290fa 100644 +--- a/arch/x86/platform/efi/quirks.c ++++ b/arch/x86/platform/efi/quirks.c +@@ -257,10 +257,6 @@ void __init efi_arch_mem_reserve(phys_addr_t addr, u64 size) + return; + } + +- /* No need to reserve regions that will never be freed. */ +- if (md.attribute & EFI_MEMORY_RUNTIME) +- return; +- + size += addr % EFI_PAGE_SIZE; + size = round_up(size, EFI_PAGE_SIZE); + addr = round_down(addr, EFI_PAGE_SIZE); +@@ -290,6 +286,8 @@ void __init efi_arch_mem_reserve(phys_addr_t addr, u64 size) + early_memunmap(new, new_size); + + efi_memmap_install(new_phys, num_entries); ++ e820__range_update(addr, size, E820_TYPE_RAM, E820_TYPE_RESERVED); ++ e820__update_table(e820_table); + } + + /* +-- +2.20.1 +