From: Sasha Levin Date: Thu, 28 Feb 2019 01:02:08 +0000 (-0500) Subject: patches for 3.18 X-Git-Tag: v4.9.162~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b5e011cdca62388a96b1dc4ae88e9b4cb046d5ab;p=thirdparty%2Fkernel%2Fstable-queue.git patches for 3.18 Signed-off-by: Sasha Levin --- diff --git a/queue-3.18/alsa-compress-prevent-potential-divide-by-zero-bugs.patch b/queue-3.18/alsa-compress-prevent-potential-divide-by-zero-bugs.patch new file mode 100644 index 00000000000..aa0c7bb8bb0 --- /dev/null +++ b/queue-3.18/alsa-compress-prevent-potential-divide-by-zero-bugs.patch 
@@ -0,0 +1,45 @@ +From 7f13098686f08be9a08119777289e0825d89acf1 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 21 Dec 2018 12:06:58 +0300 +Subject: ALSA: compress: prevent potential divide by zero bugs + +[ Upstream commit 678e2b44c8e3fec3afc7202f1996a4500a50be93 ] + +The problem is seen in the q6asm_dai_compr_set_params() function: + + ret = q6asm_map_memory_regions(dir, prtd->audio_client, prtd->phys, + (prtd->pcm_size / prtd->periods), + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + prtd->periods); + +In this code prtd->pcm_size is the buffer_size and prtd->periods comes +from params->buffer.fragments. If we allow the number of fragments to +be zero then it results in a divide by zero bug. One possible fix would +be to use prtd->pcm_count directly instead of using the division to +re-calculate it. But I decided that it doesn't really make sense to +allow zero fragments. + +Signed-off-by: Dan Carpenter +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/core/compress_offload.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index 53cd5d69293e9..307344452b5c0 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -500,7 +500,8 @@ static int snd_compress_check_input(struct snd_compr_params *params) + { + /* first let's check the buffer parameter's */ + if (params->buffer.fragment_size == 0 || +- params->buffer.fragments > INT_MAX / params->buffer.fragment_size) ++ params->buffer.fragments > INT_MAX / params->buffer.fragment_size || ++ params->buffer.fragments == 0) + return -EINVAL; + + /* now codec parameters */ +-- +2.19.1 + diff --git a/queue-3.18/asoc-imx-audmux-change-snprintf-to-scnprintf-for-pos.patch b/queue-3.18/asoc-imx-audmux-change-snprintf-to-scnprintf-for-pos.patch new file mode 100644 index 00000000000..630bfe64ed9 --- /dev/null +++ b/queue-3.18/asoc-imx-audmux-change-snprintf-to-scnprintf-for-pos.patch 
@@ -0,0 +1,117 @@ +From 7ef4a1c9a3da515adb1b779ad7f7bb0adaa5958f Mon Sep 17 00:00:00 2001 +From: Silvio Cesare +Date: Tue, 15 Jan 2019 04:27:27 +0100 +Subject: ASoC: imx-audmux: change snprintf to scnprintf for possible overflow + +[ Upstream commit c407cd008fd039320d147088b52d0fa34ed3ddcb ] + +Change snprintf to scnprintf. There are generally two cases where using +snprintf causes problems. + +1) Uses of size += snprintf(buf, SIZE - size, fmt, ...) +In this case, if snprintf would have written more characters than what the +buffer size (SIZE) is, then size will end up larger than SIZE. In later +uses of snprintf, SIZE - size will result in a negative number, leading +to problems. Note that size might already be too large by using +size = snprintf before the code reaches a case of size += snprintf. + +2) If size is ultimately used as a length parameter for a copy back to user +space, then it will potentially allow for a buffer overflow and information +disclosure when size is greater than SIZE. When the size is used to index +the buffer directly, we can have memory corruption. This also means when +size = snprintf... is used, it may also cause problems since size may become +large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel +configuration. + +The solution to these issues is to use scnprintf which returns the number of +characters actually written to the buffer, so the size variable will never +exceed SIZE. 
+ +Signed-off-by: Silvio Cesare +Cc: Timur Tabi +Cc: Nicolin Chen +Cc: Mark Brown +Cc: Xiubo Li +Cc: Fabio Estevam +Cc: Dan Carpenter +Cc: Kees Cook +Cc: Will Deacon +Cc: Greg KH +Signed-off-by: Willy Tarreau +Acked-by: Nicolin Chen +Reviewed-by: Kees Cook +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/imx-audmux.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/sound/soc/fsl/imx-audmux.c b/sound/soc/fsl/imx-audmux.c +index 46f9beb6b273b..57d581d05de19 100644 +--- a/sound/soc/fsl/imx-audmux.c ++++ b/sound/soc/fsl/imx-audmux.c +@@ -86,49 +86,49 @@ static ssize_t audmux_read_file(struct file *file, char __user *user_buf, + if (!buf) + return -ENOMEM; + +- ret = snprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n", ++ ret = scnprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n", + pdcr, ptcr); + + if (ptcr & IMX_AUDMUX_V2_PTCR_TFSDIR) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "TxFS output from %s, ", + audmux_port_string((ptcr >> 27) & 0x7)); + else +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "TxFS input, "); + + if (ptcr & IMX_AUDMUX_V2_PTCR_TCLKDIR) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "TxClk output from %s", + audmux_port_string((ptcr >> 22) & 0x7)); + else +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "TxClk input"); + +- ret += snprintf(buf + ret, PAGE_SIZE - ret, "\n"); ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, "\n"); + + if (ptcr & IMX_AUDMUX_V2_PTCR_SYN) { +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "Port is symmetric"); + } else { + if (ptcr & IMX_AUDMUX_V2_PTCR_RFSDIR) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "RxFS output from %s, ", + 
audmux_port_string((ptcr >> 17) & 0x7)); + else +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "RxFS input, "); + + if (ptcr & IMX_AUDMUX_V2_PTCR_RCLKDIR) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "RxClk output from %s", + audmux_port_string((ptcr >> 12) & 0x7)); + else +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "RxClk input"); + } + +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "\nData received from %s\n", + audmux_port_string((pdcr >> 13) & 0x7)); + +-- +2.19.1 + diff --git a/queue-3.18/asoc-intel-haswell-broadwell-fix-setting-for-.dynami.patch b/queue-3.18/asoc-intel-haswell-broadwell-fix-setting-for-.dynami.patch new file mode 100644 index 00000000000..a8bceb5193b --- /dev/null +++ b/queue-3.18/asoc-intel-haswell-broadwell-fix-setting-for-.dynami.patch 
@@ -0,0 +1,50 @@ +From 94217c27297076d9ffb8efdee0750922bf488db6 Mon Sep 17 00:00:00 2001 +From: Rander Wang +Date: Tue, 18 Dec 2018 16:24:54 +0800 +Subject: ASoC: Intel: Haswell/Broadwell: fix setting for .dynamic field + +[ Upstream commit 906a9abc5de73c383af518f5a806f4be2993a0c7 ] + +For some reason this field was set to zero when all other drivers use +.dynamic = 1 for front-ends. This change was tested on Dell XPS13 and +has no impact with the existing legacy driver. The SOF driver also works +with this change which enables it to override the fixed topology. + +Signed-off-by: Rander Wang +Acked-by: Pierre-Louis Bossart +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/broadwell.c | 2 +- + sound/soc/intel/haswell.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/intel/broadwell.c b/sound/soc/intel/broadwell.c +index 0e550f14028f1..4aba2286a5aba 100644 +--- a/sound/soc/intel/broadwell.c ++++ b/sound/soc/intel/broadwell.c +@@ -168,7 +168,7 @@ static struct snd_soc_dai_link broadwell_rt286_dais[] = { + .stream_name = "Loopback", + .cpu_dai_name = "Loopback Pin", + .platform_name = "haswell-pcm-audio", +- .dynamic = 0, ++ .dynamic = 1, + .codec_name = "snd-soc-dummy", + .codec_dai_name = "snd-soc-dummy-dai", + .trigger = {SND_SOC_DPCM_TRIGGER_POST, SND_SOC_DPCM_TRIGGER_POST}, +diff --git a/sound/soc/intel/haswell.c b/sound/soc/intel/haswell.c +index 3981982674ac9..0efd574d37706 100644 +--- a/sound/soc/intel/haswell.c ++++ b/sound/soc/intel/haswell.c +@@ -146,7 +146,7 @@ static struct snd_soc_dai_link haswell_rt5640_dais[] = { + .stream_name = "Loopback", + .cpu_dai_name = "Loopback Pin", + .platform_name = "haswell-pcm-audio", +- .dynamic = 0, ++ .dynamic = 1, + .codec_name = "snd-soc-dummy", + .codec_dai_name = "snd-soc-dummy-dai", + .trigger = {SND_SOC_DPCM_TRIGGER_POST, SND_SOC_DPCM_TRIGGER_POST}, +-- +2.19.1 + 
diff --git a/queue-3.18/cfg80211-extend-range-deviation-for-dmg.patch b/queue-3.18/cfg80211-extend-range-deviation-for-dmg.patch new file mode 100644 index 00000000000..1359930e5f6 --- /dev/null +++ b/queue-3.18/cfg80211-extend-range-deviation-for-dmg.patch 
@@ -0,0 +1,43 @@ +From 3aa0d9461e81a314030955b0341a1910680d3f19 Mon Sep 17 00:00:00 2001 +From: Chaitanya Tata +Date: Sat, 19 Jan 2019 03:17:47 +0530 +Subject: cfg80211: extend range deviation for DMG + +[ Upstream commit 93183bdbe73bbdd03e9566c8dc37c9d06b0d0db6 ] + +Recently, DMG frequency bands have been extended till 71GHz, so extend +the range check till 20GHz (45-71GHZ), else some channels will be marked +as disabled. + +Signed-off-by: Chaitanya Tata +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/reg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/wireless/reg.c b/net/wireless/reg.c +index 306464b3acdbb..2f1b39577a848 100644 +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -688,7 +688,7 @@ static bool reg_does_bw_fit(const struct ieee80211_freq_range *freq_range, + * definitions (the "2.4 GHz band", the "5 GHz band" and the "60GHz band"), + * however it is safe for now to assume that a frequency rule should not be + * part of a frequency's band if the start freq or end freq are off by more +- * than 2 GHz for the 2.4 and 5 GHz bands, and by more than 10 GHz for the ++ * than 2 GHz for the 2.4 and 5 GHz bands, and by more than 20 GHz for the + * 60 GHz band. + * This resolution can be lowered and should be considered as we add + * regulatory rule support for other "bands". +@@ -703,7 +703,7 @@ static bool freq_in_rule_band(const struct ieee80211_freq_range *freq_range, + * with the Channel starting frequency above 45 GHz. + */ + u32 limit = freq_khz > 45 * ONE_GHZ_IN_KHZ ? +- 10 * ONE_GHZ_IN_KHZ : 2 * ONE_GHZ_IN_KHZ; ++ 20 * ONE_GHZ_IN_KHZ : 2 * ONE_GHZ_IN_KHZ; + if (abs(freq_khz - freq_range->start_freq_khz) <= limit) + return true; + if (abs(freq_khz - freq_range->end_freq_khz) <= limit) +-- +2.19.1 + diff --git a/queue-3.18/drm-msm-unblock-writer-if-reader-closes-file.patch b/queue-3.18/drm-msm-unblock-writer-if-reader-closes-file.patch new file mode 100644 index 00000000000..6e1e633c01e 
--- /dev/null +++ b/queue-3.18/drm-msm-unblock-writer-if-reader-closes-file.patch @@ -0,0 +1,45 @@ +From 2340c300ada46bbcb199c862c445fe73686c1695 Mon Sep 17 00:00:00 2001 +From: "Kristian H. Kristensen" +Date: Wed, 19 Dec 2018 08:57:41 -0800 +Subject: drm/msm: Unblock writer if reader closes file + +[ Upstream commit 99c66bc051e7407fe0bf0607b142ec0be1a1d1dd ] + +Prevents deadlock when fifo is full and reader closes file. + +Signed-off-by: Kristian H. Kristensen +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_rd.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/msm_rd.c b/drivers/gpu/drm/msm/msm_rd.c +index 9a78c48817c6a..909a52b21ebe7 100644 +--- a/drivers/gpu/drm/msm/msm_rd.c ++++ b/drivers/gpu/drm/msm/msm_rd.c +@@ -103,7 +103,9 @@ static void rd_write(struct msm_rd_state *rd, const void *buf, int sz) + char *fptr = &fifo->buf[fifo->head]; + int n; + +- wait_event(rd->fifo_event, circ_space(&rd->fifo) > 0); ++ wait_event(rd->fifo_event, circ_space(&rd->fifo) > 0 || !rd->open); ++ if (!rd->open) ++ return; + + n = min(sz, circ_space_to_end(&rd->fifo)); + memcpy(fptr, ptr, n); +@@ -192,7 +194,10 @@ static int rd_open(struct inode *inode, struct file *file) + static int rd_release(struct inode *inode, struct file *file) + { + struct msm_rd_state *rd = inode->i_private; ++ + rd->open = false; ++ wake_up_all(&rd->fifo_event); ++ + return 0; + } + +-- +2.19.1 + diff --git a/queue-3.18/ibmveth-do-not-process-frames-after-calling-napi_res.patch b/queue-3.18/ibmveth-do-not-process-frames-after-calling-napi_res.patch new file mode 100644 index 00000000000..ef207e8286c --- /dev/null +++ b/queue-3.18/ibmveth-do-not-process-frames-after-calling-napi_res.patch 
@@ -0,0 +1,43 @@ +From 3c459549eefa0ffacce2bef596423fb7ca0450e9 Mon Sep 17 00:00:00 2001 +From: Thomas Falcon +Date: Thu, 24 Jan 2019 11:17:01 -0600 +Subject: ibmveth: Do not process frames after calling napi_reschedule + +[ Upstream commit e95d22c69b2c130ccce257b84daf283fd82d611e ] + +The IBM virtual ethernet driver's polling function continues +to process frames after rescheduling NAPI, resulting in a warning +if it exhausted its budget. Do not restart polling after calling +napi_reschedule. Instead let frames be processed in the following +instance. + +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmveth.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c +index 427a6674d237b..f0301b1ff56cb 100644 +--- a/drivers/net/ethernet/ibm/ibmveth.c ++++ b/drivers/net/ethernet/ibm/ibmveth.c +@@ -1085,7 +1085,6 @@ static int ibmveth_poll(struct napi_struct *napi, int budget) + int frames_processed = 0; + unsigned long lpar_rc; + +-restart_poll: + while (frames_processed < budget) { + if (!ibmveth_rxq_pending_buffer(adapter)) + break; +@@ -1154,7 +1153,6 @@ static int ibmveth_poll(struct napi_struct *napi, int budget) + napi_reschedule(napi)) { + lpar_rc = h_vio_signal(adapter->vdev->unit_address, + VIO_IRQ_DISABLE); +- goto restart_poll; + } + } + +-- +2.19.1 + diff --git a/queue-3.18/kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch b/queue-3.18/kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch new file mode 100644 index 00000000000..d30be8ad437 --- /dev/null +++ b/queue-3.18/kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch 
@@ -0,0 +1,47 @@ +From d3ddfbe09bd96a949db509972e83ab4c33599bb1 Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Mon, 7 Jan 2019 19:44:51 +0100 +Subject: KVM: nSVM: clear events pending from svm_complete_interrupts() when + exiting to L1 + +[ Upstream commit 619ad846fc3452adaf71ca246c5aa711e2055398 ] + +kvm-unit-tests' eventinj "NMI failing on IDT" test results in NMI being +delivered to the host (L1) when it's running nested. The problem seems to +be: svm_complete_interrupts() raises 'nmi_injected' flag but later we +decide to reflect EXIT_NPF to L1. The flag remains pending and we do NMI +injection upon entry so it got delivered to L1 instead of L2. + +It seems that VMX code solves the same issue in prepare_vmcs12(), this was +introduced with code refactoring in commit 5f3d5799974b ("KVM: nVMX: Rework +event injection and recovery"). + +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/svm.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index 2e0c64a08549c..a29d59e205d39 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -2431,6 +2431,14 @@ static int nested_svm_vmexit(struct vcpu_svm *svm) + kvm_mmu_reset_context(&svm->vcpu); + kvm_mmu_load(&svm->vcpu); + ++ /* ++ * Drop what we picked up for L2 via svm_complete_interrupts() so it ++ * doesn't end up in L1. ++ */ ++ svm->vcpu.arch.nmi_injected = false; ++ kvm_clear_exception_queue(&svm->vcpu); ++ kvm_clear_interrupt_queue(&svm->vcpu); ++ + return 0; + } + +-- +2.19.1 + diff --git a/queue-3.18/mac80211-don-t-initiate-tdls-connection-if-station-i.patch b/queue-3.18/mac80211-don-t-initiate-tdls-connection-if-station-i.patch new file mode 100644 index 00000000000..ae3bd9e4013 --- /dev/null +++ b/queue-3.18/mac80211-don-t-initiate-tdls-connection-if-station-i.patch 
@@ -0,0 +1,57 @@ +From 969bc289baa2ab5a83dc2b373920d5db595fa40d Mon Sep 17 00:00:00 2001 +From: Balaji Pothunoori +Date: Mon, 21 Jan 2019 12:30:43 +0530 +Subject: mac80211: don't initiate TDLS connection if station is not associated + to AP + +[ Upstream commit 7ed5285396c257fd4070b1e29e7b2341aae2a1ce ] + +Following call trace is observed while adding TDLS peer entry in driver +during TDLS setup. + +Call Trace: +[] dump_stack+0x47/0x61 +[] __warn+0xe2/0x100 +[] ? sta_apply_parameters+0x49f/0x550 [mac80211] +[] warn_slowpath_null+0x25/0x30 +[] sta_apply_parameters+0x49f/0x550 [mac80211] +[] ? sta_info_alloc+0x1c2/0x450 [mac80211] +[] ieee80211_add_station+0xe3/0x160 [mac80211] +[] nl80211_new_station+0x273/0x420 +[] genl_rcv_msg+0x219/0x3c0 +[] ? genl_rcv+0x30/0x30 +[] netlink_rcv_skb+0x8e/0xb0 +[] genl_rcv+0x1c/0x30 +[] netlink_unicast+0x13a/0x1d0 +[] netlink_sendmsg+0x2d8/0x390 +[] sock_sendmsg+0x2d/0x40 +[] ___sys_sendmsg+0x1d9/0x1e0 + +Fixing this by allowing TDLS setup request only when we have completed +association. + +Signed-off-by: Balaji Pothunoori +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index 6ba5240dd61da..ffe319309d033 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1194,6 +1194,10 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev, + sta->sta.tdls = true; + } + ++ if (sta->sta.tdls && sdata->vif.type == NL80211_IFTYPE_STATION && ++ !sdata->u.mgd.associated) ++ return -EINVAL; ++ + err = sta_apply_parameters(local, sta, params); + if (err) { + sta_info_free(local, sta); +-- +2.19.1 + diff --git a/queue-3.18/mac80211-fix-miscounting-of-ttl-dropped-frames.patch b/queue-3.18/mac80211-fix-miscounting-of-ttl-dropped-frames.patch new file mode 100644 index 00000000000..71a57f5cce4 --- /dev/null +++ b/queue-3.18/mac80211-fix-miscounting-of-ttl-dropped-frames.patch 
@@ -0,0 +1,44 @@ +From e2ed419124860131ddc75e4dc8bc5a9512f18738 Mon Sep 17 00:00:00 2001 +From: Bob Copeland +Date: Thu, 17 Jan 2019 16:32:42 -0500 +Subject: mac80211: fix miscounting of ttl-dropped frames + +[ Upstream commit a0dc02039a2ee54fb4ae400e0b755ed30e73e58c ] + +In ieee80211_rx_h_mesh_fwding, we increment the 'dropped_frames_ttl' +counter when we decrement the ttl to zero. For unicast frames +destined for other hosts, we stop processing the frame at that point. + +For multicast frames, we do not rebroadcast it in this case, but we +do pass the frame up the stack to process it on this STA. That +doesn't match the usual definition of "dropped," so don't count +those as such. + +With this change, something like `ping6 -i0.2 ff02::1%mesh0` from a +peer in a ttl=1 network no longer increments the counter rapidly. + +Signed-off-by: Bob Copeland +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/rx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index ea3b139875218..ccb822aa62258 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -2179,7 +2179,9 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx) + skb_set_queue_mapping(skb, q); + + if (!--mesh_hdr->ttl) { +- IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl); ++ if (!is_multicast_ether_addr(hdr->addr1)) ++ IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, ++ dropped_frames_ttl); + goto out; + } + +-- +2.19.1 + diff --git a/queue-3.18/net-altera_tse-fix-connect_local_phy-error-path.patch b/queue-3.18/net-altera_tse-fix-connect_local_phy-error-path.patch new file mode 100644 index 00000000000..cb1b6c894f3 --- /dev/null +++ b/queue-3.18/net-altera_tse-fix-connect_local_phy-error-path.patch 
@@ -0,0 +1,37 @@ +From 4456ae701a8f8574b92eb5c07c0e12ba43589268 Mon Sep 17 00:00:00 2001 +From: Atsushi Nemoto +Date: Mon, 21 Jan 2019 17:26:41 +0900 +Subject: net: altera_tse: fix connect_local_phy error path + +[ Upstream commit 17b42a20d7ca59377788c6a2409e77569570cc10 ] + +The connect_local_phy should return NULL (not negative errno) on +error, since its caller expects it. + +Signed-off-by: Atsushi Nemoto +Acked-by: Thor Thayer +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/altera/altera_tse_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/altera/altera_tse_main.c b/drivers/net/ethernet/altera/altera_tse_main.c +index 2eb6404755b1f..c1b599c521953 100644 +--- a/drivers/net/ethernet/altera/altera_tse_main.c ++++ b/drivers/net/ethernet/altera/altera_tse_main.c +@@ -706,8 +706,10 @@ static struct phy_device *connect_local_phy(struct net_device *dev) + + phydev = phy_connect(dev, phy_id_fmt, &altera_tse_adjust_link, + priv->phy_iface); +- if (IS_ERR(phydev)) ++ if (IS_ERR(phydev)) { + netdev_err(dev, "Could not attach to PHY\n"); ++ phydev = NULL; ++ } + + } else { + int ret; +-- +2.19.1 + diff --git a/queue-3.18/scsi-csiostor-fix-null-pointer-dereference-in-csio_v.patch b/queue-3.18/scsi-csiostor-fix-null-pointer-dereference-in-csio_v.patch new file mode 100644 index 00000000000..4be0bdf58c4 --- /dev/null +++ b/queue-3.18/scsi-csiostor-fix-null-pointer-dereference-in-csio_v.patch 
@@ -0,0 +1,41 @@ +From 81a3fcca7517b5e0309ebb5b9112741575d7f791 Mon Sep 17 00:00:00 2001 +From: Varun Prakash +Date: Sat, 12 Jan 2019 22:14:30 +0530 +Subject: scsi: csiostor: fix NULL pointer dereference in + csio_vport_set_state() + +[ Upstream commit fe35a40e675473eb65f2f5462b82770f324b5689 ] + +Assign fc_vport to ln->fc_vport before calling csio_fcoe_alloc_vnp() to +avoid a NULL pointer dereference in csio_vport_set_state(). + +ln->fc_vport is dereferenced in csio_vport_set_state(). + +Signed-off-by: Varun Prakash +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/csiostor/csio_attr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/csiostor/csio_attr.c b/drivers/scsi/csiostor/csio_attr.c +index 065a87ace623b..22b800b5ac7ff 100644 +--- a/drivers/scsi/csiostor/csio_attr.c ++++ b/drivers/scsi/csiostor/csio_attr.c +@@ -582,12 +582,12 @@ csio_vport_create(struct fc_vport *fc_vport, bool disable) + } + + fc_vport_set_state(fc_vport, FC_VPORT_INITIALIZING); ++ ln->fc_vport = fc_vport; + + if (csio_fcoe_alloc_vnp(hw, ln)) + goto error; + + *(struct csio_lnode **)fc_vport->dd_data = ln; +- ln->fc_vport = fc_vport; + if (!fc_vport->node_name) + fc_vport->node_name = wwn_to_u64(csio_ln_wwnn(ln)); + if (!fc_vport->port_name) +-- +2.19.1 + diff --git a/queue-3.18/serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch b/queue-3.18/serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch new file mode 100644 index 00000000000..a1831fefd2e --- /dev/null +++ b/queue-3.18/serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch 
@@ -0,0 +1,34 @@ +From e9207d1689c7a5077d310d2644ec510b8aff0184 Mon Sep 17 00:00:00 2001 +From: Tomonori Sakita +Date: Mon, 21 Jan 2019 17:34:16 +0900 +Subject: serial: fsl_lpuart: fix maximum acceptable baud rate with + over-sampling + +[ Upstream commit 815d835b7ba46685c316b000013367dacb2b461b ] + +Using over-sampling ratio, lpuart can accept baud rate upto uartclk / 4. + +Signed-off-by: Tomonori Sakita +Signed-off-by: Atsushi Nemoto +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/fsl_lpuart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c +index 839e65da4d3f7..f18551ea5ba51 100644 +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -1426,7 +1426,7 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, + } + + /* ask the core to calculate the divisor */ +- baud = uart_get_baud_rate(port, termios, old, 50, port->uartclk / 16); ++ baud = uart_get_baud_rate(port, termios, old, 50, port->uartclk / 4); + + spin_lock_irqsave(&sport->port.lock, flags); + +-- +2.19.1 + diff --git a/queue-3.18/series b/queue-3.18/series index f1a50ece159..e177b923689 100644 --- a/queue-3.18/series +++ b/queue-3.18/series 
@@ -24,3 +24,18 @@ sit-check-if-ipv6-enabled-before-calling-ip6_err_gen_icmpv6_unreach.patch netlink-trim-skb-to-alloc-size-to-avoid-msg_trunc.patch libceph-handle-an-empty-authorize-reply.patch scsi-libsas-fix-rphy-phy_identifier-for-phys-with-end-devices-attached.patch +drm-msm-unblock-writer-if-reader-closes-file.patch +asoc-intel-haswell-broadwell-fix-setting-for-.dynami.patch +alsa-compress-prevent-potential-divide-by-zero-bugs.patch +usb-dwc3-gadget-fix-the-uninitialized-link_state-whe.patch +usb-gadget-potential-null-dereference-on-allocation-.patch +asoc-imx-audmux-change-snprintf-to-scnprintf-for-pos.patch +mac80211-fix-miscounting-of-ttl-dropped-frames.patch +serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch +scsi-csiostor-fix-null-pointer-dereference-in-csio_v.patch +net-altera_tse-fix-connect_local_phy-error-path.patch +sfc-suppress-duplicate-nvmem-partition-types-in-efx_.patch +ibmveth-do-not-process-frames-after-calling-napi_res.patch +mac80211-don-t-initiate-tdls-connection-if-station-i.patch +cfg80211-extend-range-deviation-for-dmg.patch +kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch diff --git a/queue-3.18/sfc-suppress-duplicate-nvmem-partition-types-in-efx_.patch b/queue-3.18/sfc-suppress-duplicate-nvmem-partition-types-in-efx_.patch new file mode 100644 index 00000000000..6908f0c441d --- /dev/null +++ b/queue-3.18/sfc-suppress-duplicate-nvmem-partition-types-in-efx_.patch 
@@ -0,0 +1,98 @@ +From bb89ece55cec6219da8c30ae560fe3789601aae9 Mon Sep 17 00:00:00 2001 +From: Edward Cree +Date: Tue, 22 Jan 2019 19:02:17 +0000 +Subject: sfc: suppress duplicate nvmem partition types in efx_ef10_mtd_probe + +[ Upstream commit 3366463513f544c12c6b88c13da4462ee9e7a1a1 ] + +Use a bitmap to keep track of which partition types we've already seen; + for duplicates, return -EEXIST from efx_ef10_mtd_probe_partition() and + thus skip adding that partition. +Duplicate partitions occur because of the A/B backup scheme used by newer + sfc NICs. Prior to this patch they cause sysfs_warn_dup errors because + they have the same name, causing us not to expose any MTDs at all. + +Signed-off-by: Edward Cree +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/ef10.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c +index 010009d640174..84a17b41313c9 100644 +--- a/drivers/net/ethernet/sfc/ef10.c ++++ b/drivers/net/ethernet/sfc/ef10.c +@@ -3407,22 +3407,25 @@ static const struct efx_ef10_nvram_type_info efx_ef10_nvram_types[] = { + { NVRAM_PARTITION_TYPE_LICENSE, 0, 0, "sfc_license" }, + { NVRAM_PARTITION_TYPE_PHY_MIN, 0xff, 0, "sfc_phy_fw" }, + }; ++#define EF10_NVRAM_PARTITION_COUNT ARRAY_SIZE(efx_ef10_nvram_types) + + static int efx_ef10_mtd_probe_partition(struct efx_nic *efx, + struct efx_mcdi_mtd_partition *part, +- unsigned int type) ++ unsigned int type, ++ unsigned long *found) + { + MCDI_DECLARE_BUF(inbuf, MC_CMD_NVRAM_METADATA_IN_LEN); + MCDI_DECLARE_BUF(outbuf, MC_CMD_NVRAM_METADATA_OUT_LENMAX); + const struct efx_ef10_nvram_type_info *info; + size_t size, erase_size, outlen; ++ int type_idx = 0; + bool protected; + int rc; + +- for (info = efx_ef10_nvram_types; ; info++) { +- if (info == +- efx_ef10_nvram_types + ARRAY_SIZE(efx_ef10_nvram_types)) ++ for (type_idx = 0; ; type_idx++) { ++ if 
(type_idx == EF10_NVRAM_PARTITION_COUNT) + return -ENODEV; ++ info = efx_ef10_nvram_types + type_idx; + if ((type & ~info->type_mask) == info->type) + break; + } +@@ -3435,6 +3438,13 @@ static int efx_ef10_mtd_probe_partition(struct efx_nic *efx, + if (protected) + return -ENODEV; /* hide it */ + ++ /* If we've already exposed a partition of this type, hide this ++ * duplicate. All operations on MTDs are keyed by the type anyway, ++ * so we can't act on the duplicate. ++ */ ++ if (__test_and_set_bit(type_idx, found)) ++ return -EEXIST; ++ + part->nvram_type = type; + + MCDI_SET_DWORD(inbuf, NVRAM_METADATA_IN_TYPE, type); +@@ -3463,6 +3473,7 @@ static int efx_ef10_mtd_probe_partition(struct efx_nic *efx, + static int efx_ef10_mtd_probe(struct efx_nic *efx) + { + MCDI_DECLARE_BUF(outbuf, MC_CMD_NVRAM_PARTITIONS_OUT_LENMAX); ++ DECLARE_BITMAP(found, EF10_NVRAM_PARTITION_COUNT); + struct efx_mcdi_mtd_partition *parts; + size_t outlen, n_parts_total, i, n_parts; + unsigned int type; +@@ -3491,11 +3502,13 @@ static int efx_ef10_mtd_probe(struct efx_nic *efx) + for (i = 0; i < n_parts_total; i++) { + type = MCDI_ARRAY_DWORD(outbuf, NVRAM_PARTITIONS_OUT_TYPE_ID, + i); +- rc = efx_ef10_mtd_probe_partition(efx, &parts[n_parts], type); +- if (rc == 0) +- n_parts++; +- else if (rc != -ENODEV) ++ rc = efx_ef10_mtd_probe_partition(efx, &parts[n_parts], type, ++ found); ++ if (rc == -EEXIST || rc == -ENODEV) ++ continue; ++ if (rc) + goto fail; ++ n_parts++; + } + + rc = efx_mtd_add(efx, &parts[0].common, n_parts, sizeof(*parts)); +-- +2.19.1 + diff --git a/queue-3.18/usb-dwc3-gadget-fix-the-uninitialized-link_state-whe.patch b/queue-3.18/usb-dwc3-gadget-fix-the-uninitialized-link_state-whe.patch new file mode 100644 index 00000000000..6c9c26c4e63 --- /dev/null +++ b/queue-3.18/usb-dwc3-gadget-fix-the-uninitialized-link_state-whe.patch 
@@ -0,0 +1,57 @@ +From 9899b69ac809a0867ec351af6279aebe2a2336a8 Mon Sep 17 00:00:00 2001 +From: Zeng Tao +Date: Wed, 26 Dec 2018 19:22:00 +0800 +Subject: usb: dwc3: gadget: Fix the uninitialized link_state when udc starts + +[ Upstream commit 88b1bb1f3b88e0bf20b05d543a53a5b99bd7ceb6 ] + +Currently the link_state is uninitialized and the default value is 0(U0) +before the first time we start the udc, and after we start the udc then + stop the udc, the link_state will be undefined. +We may have the following warnings if we start the udc again with +an undefined link_state: + +WARNING: CPU: 0 PID: 327 at drivers/usb/dwc3/gadget.c:294 dwc3_send_gadget_ep_cmd+0x304/0x308 +dwc3 100e0000.hidwc3_0: wakeup failed --> -22 +[...] +Call Trace: +[] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[] (show_stack) from [] (dump_stack+0x84/0x98) +[] (dump_stack) from [] (__warn+0xe8/0x100) +[] (__warn) from [](warn_slowpath_fmt+0x38/0x48) +[] (warn_slowpath_fmt) from [](dwc3_send_gadget_ep_cmd+0x304/0x308) +[] (dwc3_send_gadget_ep_cmd) from [](dwc3_ep0_start_trans+0x48/0xf4) +[] (dwc3_ep0_start_trans) from [](dwc3_ep0_out_start+0x64/0x80) +[] (dwc3_ep0_out_start) from [](__dwc3_gadget_start+0x1e0/0x278) +[] (__dwc3_gadget_start) from [](dwc3_gadget_start+0x88/0x10c) +[] (dwc3_gadget_start) from [](udc_bind_to_driver+0x88/0xbc) +[] (udc_bind_to_driver) from [](usb_gadget_probe_driver+0xf8/0x140) +[] (usb_gadget_probe_driver) from [](gadget_dev_desc_UDC_store+0xac/0xc4 [libcomposite]) +[] (gadget_dev_desc_UDC_store [libcomposite]) from[] (configfs_write_file+0xd4/0x160) +[] (configfs_write_file) from [] (__vfs_write+0x1c/0x114) +[] (__vfs_write) from [] (vfs_write+0xa4/0x168) +[] (vfs_write) from [] (SyS_write+0x3c/0x90) +[] (SyS_write) from [] (ret_fast_syscall+0x0/0x3c) + +Signed-off-by: Zeng Tao +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/gadget.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/dwc3/gadget.c 
b/drivers/usb/dwc3/gadget.c +index a1ab837691911..8daf7145b3046 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1641,6 +1641,7 @@ static int dwc3_gadget_start(struct usb_gadget *g, + + /* begin to receive SETUP packets */ + dwc->ep0state = EP0_SETUP_PHASE; ++ dwc->link_state = DWC3_LINK_STATE_SS_DIS; + dwc3_ep0_out_start(dwc); + + dwc3_gadget_enable_irq(dwc); +-- +2.19.1 + diff --git a/queue-3.18/usb-gadget-potential-null-dereference-on-allocation-.patch b/queue-3.18/usb-gadget-potential-null-dereference-on-allocation-.patch new file mode 100644 index 00000000000..9d39cfd417d --- /dev/null +++ b/queue-3.18/usb-gadget-potential-null-dereference-on-allocation-.patch @@ -0,0 +1,37 @@ +From e996a99e8bf2dd2fb1811e3a3f46189f8039a92c Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 21 Dec 2018 23:42:52 +0300 +Subject: usb: gadget: Potential NULL dereference on allocation error + +[ Upstream commit df28169e1538e4a8bcd8b779b043e5aa6524545c ] + +The source_sink_alloc_func() function is supposed to return error +pointers on error. The function is called from usb_get_function() which +doesn't check for NULL returns so it would result in an Oops. + +Of course, in the current kernel, small allocations always succeed so +this doesn't affect runtime. + +Signed-off-by: Dan Carpenter +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_sourcesink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/function/f_sourcesink.c b/drivers/usb/gadget/function/f_sourcesink.c +index 45b41d1cfd19d..ecfd9e71a0d50 100644 +--- a/drivers/usb/gadget/function/f_sourcesink.c ++++ b/drivers/usb/gadget/function/f_sourcesink.c +@@ -1149,7 +1149,7 @@ static struct usb_function *source_sink_alloc_func( + + ss = kzalloc(sizeof(*ss), GFP_KERNEL); + if (!ss) +- return NULL; ++ return ERR_PTR(-ENOMEM); + + ss_opts = container_of(fi, struct f_ss_opts, func_inst); + +-- +2.19.1 +
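Review bot: In the sound/core/compress_offload.c hunk (snd_compress_check_input), the new `params->buffer.fragments == 0` test is appended after the `INT_MAX / params->buffer.fragment_size` overflow check. It is safe as written because `fragment_size == 0` short-circuits before the division, but the two zero checks would read more clearly side by side ahead of the overflow test. The existing comment "first let's check the buffer parameter's" could also say that zero fragments are rejected because drivers divide the buffer size by the fragment count, as the commit message describes.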
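Review bot: In the sound/soc/fsl/imx-audmux.c hunk (audmux_read_file), truncation becomes silent after the switch to scnprintf: once `ret` reaches PAGE_SIZE - 1, every later `ret += scnprintf(buf + ret, PAGE_SIZE - ret, ...)` writes nothing and returns 0. That is the intended bound, but the hunk ends before the point where `ret` is used as the length for the copy to `user_buf`, so it is worth confirming that this is the only length passed there, and a one-line comment noting that the dump is capped at PAGE_SIZE - 1 would help the next reader.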
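Review bot: In the drivers/gpu/drm/msm/msm_rd.c hunks, `rd->open` is written in rd_release (`rd->open = false;` followed by `wake_up_all(&rd->fifo_event);`) and read in rd_write both inside the wait_event condition and again in `if (!rd->open) return;`, with no lock visible in either hunk. Please state in a comment what orders the store against the reader, or take the relevant lock around it. Also, rd_write is `void`, so the early return drops the remainder of the buffer with no indication to the caller; a short comment saying this is intentional once the reader has gone away would document that.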
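Review bot: In the second drivers/net/ethernet/ibm/ibmveth.c hunk (ibmveth_poll), removing `goto restart_poll;` leaves `lpar_rc = h_vio_signal(adapter->vdev->unit_address, VIO_IRQ_DISABLE);` as the only statement in the branch, and nothing in the visible lines checks `lpar_rc` afterwards. Either check the result of disabling the interrupt here or drop the assignment, and add a comment that any remaining frames are left to the next poll invocation, since that is the behavioural change the commit message describes.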
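Review bot: In the net/mac80211/cfg.c hunk (ieee80211_add_station), the new `return -EINVAL;` exits after `sta` has already been set up (`sta->sta.tdls = true;` is just above), yet the error path directly below frees it with `sta_info_free(local, sta);` when sta_apply_parameters fails. The new early return has no matching free, so it looks like it leaks `sta`. Either call sta_info_free() before returning, or move the association check ahead of the station allocation so there is nothing to release.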
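Review bot: In the drivers/net/ethernet/altera/altera_tse_main.c hunk (connect_local_phy), the errno carried by `phydev` is discarded when it is overwritten with NULL, and `netdev_err(dev, "Could not attach to PHY\n");` does not report it. Logging PTR_ERR(phydev) in that message before `phydev = NULL;` would keep the failure reason available, since the caller only sees NULL.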
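Review bot: In the drivers/scsi/csiostor/csio_attr.c hunk (csio_vport_create), `ln->fc_vport = fc_vport;` now runs before `if (csio_fcoe_alloc_vnp(hw, ln)) goto error;`, so on the failure path `ln` still points at `fc_vport`. The `error:` label is not part of the hunk; please confirm it either releases `ln` or clears `ln->fc_vport`, so that no stale pointer is left behind when vport creation fails.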
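Review bot: In the drivers/tty/serial/fsl_lpuart.c hunk (lpuart32_set_termios), raising the ceiling from `port->uartclk / 16` to `port->uartclk / 4` depends on the driver actually programming a lower over-sampling ratio, and that code is not visible in this hunk. For a 3.18 backport it is worth confirming that this tree's divisor calculation can select such a ratio; otherwise the core will accept baud rates the hardware setup below cannot produce. The comment "ask the core to calculate the divisor" should also mention where the factor of 4 comes from.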
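Review bot: In the drivers/net/ethernet/sfc/ef10.c hunks, `DECLARE_BITMAP(found, EF10_NVRAM_PARTITION_COUNT);` in efx_ef10_mtd_probe has no initializer and no bitmap_zero() call appears in the visible lines, so `__test_and_set_bit(type_idx, found)` may be testing uninitialized stack memory and returning -EEXIST for partitions that were never seen. Initialize the bitmap at declaration. Two smaller points in efx_ef10_mtd_probe_partition: `int type_idx = 0;` is immediately reassigned by `for (type_idx = 0; ; type_idx++)`, and `type_idx == EF10_NVRAM_PARTITION_COUNT` compares a signed int with an ARRAY_SIZE value, so an unsigned type would be cleaner.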