From: Greg Kroah-Hartman Date: Thu, 19 Sep 2019 12:18:15 +0000 (+0200) Subject: 5.2-stable patches X-Git-Tag: v4.4.194~48 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b818dd317203122edb7f2eaf9f48a83826918652;p=thirdparty%2Fkernel%2Fstable-queue.git 5.2-stable patches added patches: dma-direct-only-limit-the-mapping-size-if-swiotlb-could-be-used.patch hid-wacom-generic-read-hid_dg_contactmax-from-any-feature-report.patch input-elan_i2c-remove-lenovo-legion-y7000-pnpid.patch media-stm32-dcmi-fix-irq-0-case.patch media-tm6000-double-free-if-usb-disconnect-while-streaming.patch net-aquantia-fix-limit-of-vlan-filters.patch net-hns-fix-led-configuration-for-marvell-phy.patch netfilter-nf_flow_table-set-default-timeout-after-successful-insertion.patch nfs-disable-client-side-deduplication.patch phy-renesas-rcar-gen3-usb2-disable-clearing-vbus-in-over-current.patch powerpc-mm-radix-use-the-right-page-size-for-vmemmap-mapping.patch scripts-decode_stacktrace-match-basepath-using-shell-prefix-operator-not-regex.patch sunrpc-handle-connection-breakages-correctly-in-call_status.patch usb-usbcore-fix-slab-out-of-bounds-bug-during-device-reset.patch --- diff --git a/queue-5.2/dma-direct-only-limit-the-mapping-size-if-swiotlb-could-be-used.patch b/queue-5.2/dma-direct-only-limit-the-mapping-size-if-swiotlb-could-be-used.patch new file mode 100644 index 00000000000..d89c702cc30 --- /dev/null +++ b/queue-5.2/dma-direct-only-limit-the-mapping-size-if-swiotlb-could-be-used.patch @@ -0,0 +1,40 @@ +From a5008b59cd9d8de12ab623cb5052bb4735330e5c Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Tue, 16 Jul 2019 22:00:54 +0200 +Subject: dma-direct: only limit the mapping size if swiotlb could be used + +From: Christoph Hellwig + +commit a5008b59cd9d8de12ab623cb5052bb4735330e5c upstream. + +Don't just check for a swiotlb buffer, but also if buffering might +be required for this particular device. + +Fixes: 133d624b1cee ("dma: Introduce dma_max_mapping_size()") +Reported-by: Benjamin Herrenschmidt +Signed-off-by: Christoph Hellwig +Tested-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/dma/direct.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/kernel/dma/direct.c ++++ b/kernel/dma/direct.c +@@ -393,11 +393,9 @@ int dma_direct_supported(struct device * + + size_t dma_direct_max_mapping_size(struct device *dev) + { +- size_t size = SIZE_MAX; +- + /* If SWIOTLB is active, use its maximum mapping size */ +- if (is_swiotlb_active()) +- size = swiotlb_max_mapping_size(dev); +- +- return size; ++ if (is_swiotlb_active() && ++ (dma_addressing_limited(dev) || swiotlb_force == SWIOTLB_FORCE)) ++ return swiotlb_max_mapping_size(dev); ++ return SIZE_MAX; + } diff --git a/queue-5.2/hid-wacom-generic-read-hid_dg_contactmax-from-any-feature-report.patch b/queue-5.2/hid-wacom-generic-read-hid_dg_contactmax-from-any-feature-report.patch new file mode 100644 index 00000000000..83b1f9162bd --- /dev/null +++ b/queue-5.2/hid-wacom-generic-read-hid_dg_contactmax-from-any-feature-report.patch @@ -0,0 +1,74 @@ +From 184eccd40389df29abefab88092c4ff33191fd0c Mon Sep 17 00:00:00 2001 +From: Aaron Armstrong Skomra +Date: Wed, 12 Jun 2019 14:19:29 -0700 +Subject: HID: wacom: generic: read HID_DG_CONTACTMAX from any feature report + +From: Aaron Armstrong Skomra + +commit 184eccd40389df29abefab88092c4ff33191fd0c upstream. + +In the generic code path, HID_DG_CONTACTMAX was previously +only read from the second byte of report 0x23. + +Another report (0x82) has the HID_DG_CONTACTMAX in the +higher nibble of the third byte. We should support reading the +value of HID_DG_CONTACTMAX no matter what report we are reading +or which position that value is in. + +To do this we submit the feature report as a event report +using hid_report_raw_event(). Our modified finger event path +records the value of HID_DG_CONTACTMAX when it sees that usage. + +Fixes: 8ffffd5212846 ("HID: wacom: fix timeout on probe for some wacoms") +Signed-off-by: Aaron Armstrong Skomra +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/wacom_sys.c | 10 ++++++---- + drivers/hid/wacom_wac.c | 4 ++++ + 2 files changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -311,14 +311,16 @@ static void wacom_feature_mapping(struct + /* leave touch_max as is if predefined */ + if (!features->touch_max) { + /* read manually */ +- data = kzalloc(2, GFP_KERNEL); ++ n = hid_report_len(field->report); ++ data = hid_alloc_report_buf(field->report, GFP_KERNEL); + if (!data) + break; + data[0] = field->report->id; + ret = wacom_get_report(hdev, HID_FEATURE_REPORT, +- data, 2, WAC_CMD_RETRIES); +- if (ret == 2) { +- features->touch_max = data[1]; ++ data, n, WAC_CMD_RETRIES); ++ if (ret == n) { ++ ret = hid_report_raw_event(hdev, ++ HID_FEATURE_REPORT, data, n, 0); + } else { + features->touch_max = 16; + hid_warn(hdev, "wacom_feature_mapping: " +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -2510,6 +2510,7 @@ static void wacom_wac_finger_event(struc + struct wacom *wacom = hid_get_drvdata(hdev); + struct wacom_wac *wacom_wac = &wacom->wacom_wac; + unsigned equivalent_usage = wacom_equivalent_usage(usage->hid); ++ struct wacom_features *features = &wacom->wacom_wac.features; + + switch (equivalent_usage) { + case HID_GD_X: +@@ -2530,6 +2531,9 @@ static void wacom_wac_finger_event(struc + case HID_DG_TIPSWITCH: + wacom_wac->hid_data.tipswitch = value; + break; ++ case HID_DG_CONTACTMAX: ++ features->touch_max = value; ++ return; + } + + diff --git a/queue-5.2/input-elan_i2c-remove-lenovo-legion-y7000-pnpid.patch b/queue-5.2/input-elan_i2c-remove-lenovo-legion-y7000-pnpid.patch new file mode 100644 index 00000000000..24ca4b100ec --- /dev/null +++ b/queue-5.2/input-elan_i2c-remove-lenovo-legion-y7000-pnpid.patch @@ -0,0 +1,36 @@ +From 0c043d70d04711fe6c380df9065fdc44192c49bf Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Fri, 6 Sep 2019 12:02:32 -0700 +Subject: Input: elan_i2c - remove Lenovo Legion Y7000 PnpID + +From: Benjamin Tissoires + +commit 0c043d70d04711fe6c380df9065fdc44192c49bf upstream. + +Looks like the Bios of the Lenovo Legion Y7000 is using ELAN061B +when the actual device is supposed to be used with hid-multitouch. + +Remove it from the list of the supported device, hoping that +no one will complain about the loss in functionality. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=203467 +Fixes: 738c06d0e456 ("Input: elan_i2c - add hardware ID for multiple Lenovo laptops") +Signed-off-by: Benjamin Tissoires +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/elan_i2c_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -1357,7 +1357,7 @@ static const struct acpi_device_id elan_ + { "ELAN0618", 0 }, + { "ELAN0619", 0 }, + { "ELAN061A", 0 }, +- { "ELAN061B", 0 }, ++/* { "ELAN061B", 0 }, not working on the Lenovo Legion Y7000 */ + { "ELAN061C", 0 }, + { "ELAN061D", 0 }, + { "ELAN061E", 0 }, diff --git a/queue-5.2/media-stm32-dcmi-fix-irq-0-case.patch b/queue-5.2/media-stm32-dcmi-fix-irq-0-case.patch new file mode 100644 index 00000000000..4e9a52a25ad --- /dev/null +++ b/queue-5.2/media-stm32-dcmi-fix-irq-0-case.patch @@ -0,0 +1,35 @@ +From dbb9fcc8c2d8d4ea1104f51d4947a8a8199a2cb5 Mon Sep 17 00:00:00 2001 +From: Fabien Dessenne +Date: Fri, 31 May 2019 05:18:15 -0400 +Subject: media: stm32-dcmi: fix irq = 0 case + +From: Fabien Dessenne + +commit dbb9fcc8c2d8d4ea1104f51d4947a8a8199a2cb5 upstream. + +Manage the irq = 0 case, where we shall return an error. + +Fixes: b5b5a27bee58 ("media: stm32-dcmi: return appropriate error codes during probe") + +Signed-off-by: Fabien Dessenne +Reported-by: Pavel Machek +Acked-by: Pavel Machek +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/stm32/stm32-dcmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/platform/stm32/stm32-dcmi.c ++++ b/drivers/media/platform/stm32/stm32-dcmi.c +@@ -1702,7 +1702,7 @@ static int dcmi_probe(struct platform_de + if (irq <= 0) { + if (irq != -EPROBE_DEFER) + dev_err(&pdev->dev, "Could not get irq\n"); +- return irq; ++ return irq ? irq : -ENXIO; + } + + dcmi->res = platform_get_resource(pdev, IORESOURCE_MEM, 0); diff --git a/queue-5.2/media-tm6000-double-free-if-usb-disconnect-while-streaming.patch b/queue-5.2/media-tm6000-double-free-if-usb-disconnect-while-streaming.patch new file mode 100644 index 00000000000..b238c6aeb73 --- /dev/null +++ b/queue-5.2/media-tm6000-double-free-if-usb-disconnect-while-streaming.patch @@ -0,0 +1,135 @@ +From 699bf94114151aae4dceb2d9dbf1a6312839dcae Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Tue, 13 Aug 2019 13:45:09 -0300 +Subject: media: tm6000: double free if usb disconnect while streaming + +From: Sean Young + +commit 699bf94114151aae4dceb2d9dbf1a6312839dcae upstream. + +The usb_bulk_urb will kfree'd on disconnect, so ensure the pointer is set +to NULL after each free. + +stop stream +urb killing +urb buffer free +tm6000: got start feed request tm6000_start_feed +tm6000: got start stream request tm6000_start_stream +tm6000: pipe reset +tm6000: got start feed request tm6000_start_feed +tm6000: got start feed request tm6000_start_feed +tm6000: got start feed request tm6000_start_feed +tm6000: got start feed request tm6000_start_feed +tm6000: IR URB failure: status: -71, length 0 +xhci_hcd 0000:00:14.0: ERROR unknown event type 37 +xhci_hcd 0000:00:14.0: ERROR unknown event type 37 +tm6000: error tm6000_urb_received +usb 1-2: USB disconnect, device number 5 +tm6000: disconnecting tm6000 #0 +================================================================== +BUG: KASAN: use-after-free in dvb_fini+0x75/0x140 [tm6000_dvb] +Read of size 8 at addr ffff888241044060 by task kworker/2:0/22 + +CPU: 2 PID: 22 Comm: kworker/2:0 Tainted: G W 5.3.0-rc4+ #1 +Hardware name: LENOVO 20KHCTO1WW/20KHCTO1WW, BIOS N23ET65W (1.40 ) 07/02/2019 +Workqueue: usb_hub_wq hub_event +Call Trace: + dump_stack+0x9a/0xf0 + print_address_description.cold+0xae/0x34f + __kasan_report.cold+0x75/0x93 + ? tm6000_fillbuf+0x390/0x3c0 [tm6000_alsa] + ? dvb_fini+0x75/0x140 [tm6000_dvb] + kasan_report+0xe/0x12 + dvb_fini+0x75/0x140 [tm6000_dvb] + tm6000_close_extension+0x51/0x80 [tm6000] + tm6000_usb_disconnect.cold+0xd4/0x105 [tm6000] + usb_unbind_interface+0xe4/0x390 + device_release_driver_internal+0x121/0x250 + bus_remove_device+0x197/0x260 + device_del+0x268/0x550 + ? __device_links_no_driver+0xd0/0xd0 + ? usb_remove_ep_devs+0x30/0x3b + usb_disable_device+0x122/0x400 + usb_disconnect+0x153/0x430 + hub_event+0x800/0x1e40 + ? trace_hardirqs_on_thunk+0x1a/0x20 + ? hub_port_debounce+0x1f0/0x1f0 + ? retint_kernel+0x10/0x10 + ? lock_is_held_type+0xf1/0x130 + ? hub_port_debounce+0x1f0/0x1f0 + ? process_one_work+0x4ae/0xa00 + process_one_work+0x4ba/0xa00 + ? pwq_dec_nr_in_flight+0x160/0x160 + ? do_raw_spin_lock+0x10a/0x1d0 + worker_thread+0x7a/0x5c0 + ? process_one_work+0xa00/0xa00 + kthread+0x1d5/0x200 + ? kthread_create_worker_on_cpu+0xd0/0xd0 + ret_from_fork+0x3a/0x50 + +Allocated by task 2682: + save_stack+0x1b/0x80 + __kasan_kmalloc.constprop.0+0xc2/0xd0 + usb_alloc_urb+0x28/0x60 + tm6000_start_feed+0x10a/0x300 [tm6000_dvb] + dmx_ts_feed_start_filtering+0x86/0x120 [dvb_core] + dvb_dmxdev_start_feed+0x121/0x180 [dvb_core] + dvb_dmxdev_filter_start+0xcb/0x540 [dvb_core] + dvb_demux_do_ioctl+0x7ed/0x890 [dvb_core] + dvb_usercopy+0x97/0x1f0 [dvb_core] + dvb_demux_ioctl+0x11/0x20 [dvb_core] + do_vfs_ioctl+0x5d8/0x9d0 + ksys_ioctl+0x5e/0x90 + __x64_sys_ioctl+0x3d/0x50 + do_syscall_64+0x74/0xe0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Freed by task 22: + save_stack+0x1b/0x80 + __kasan_slab_free+0x12c/0x170 + kfree+0xfd/0x3a0 + xhci_giveback_urb_in_irq+0xfe/0x230 + xhci_td_cleanup+0x276/0x340 + xhci_irq+0x1129/0x3720 + __handle_irq_event_percpu+0x6e/0x420 + handle_irq_event_percpu+0x6f/0x100 + handle_irq_event+0x55/0x84 + handle_edge_irq+0x108/0x3b0 + handle_irq+0x2e/0x40 + do_IRQ+0x83/0x1a0 + +Cc: stable@vger.kernel.org +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/tm6000/tm6000-dvb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/usb/tm6000/tm6000-dvb.c ++++ b/drivers/media/usb/tm6000/tm6000-dvb.c +@@ -97,6 +97,7 @@ static void tm6000_urb_received(struct u + printk(KERN_ERR "tm6000: error %s\n", __func__); + kfree(urb->transfer_buffer); + usb_free_urb(urb); ++ dev->dvb->bulk_urb = NULL; + } + } + } +@@ -127,6 +128,7 @@ static int tm6000_start_stream(struct tm + dvb->bulk_urb->transfer_buffer = kzalloc(size, GFP_KERNEL); + if (!dvb->bulk_urb->transfer_buffer) { + usb_free_urb(dvb->bulk_urb); ++ dvb->bulk_urb = NULL; + return -ENOMEM; + } + +@@ -153,6 +155,7 @@ static int tm6000_start_stream(struct tm + + kfree(dvb->bulk_urb->transfer_buffer); + usb_free_urb(dvb->bulk_urb); ++ dvb->bulk_urb = NULL; + return ret; + } + diff --git a/queue-5.2/net-aquantia-fix-limit-of-vlan-filters.patch b/queue-5.2/net-aquantia-fix-limit-of-vlan-filters.patch new file mode 100644 index 00000000000..ff3261131d2 --- /dev/null +++ b/queue-5.2/net-aquantia-fix-limit-of-vlan-filters.patch @@ -0,0 +1,33 @@ +From 392349f60110dc2c3daf86464fd926afc53d6143 Mon Sep 17 00:00:00 2001 +From: Dmitry Bogdanov +Date: Fri, 30 Aug 2019 12:08:33 +0000 +Subject: net: aquantia: fix limit of vlan filters + +From: Dmitry Bogdanov + +commit 392349f60110dc2c3daf86464fd926afc53d6143 upstream. + +Fix a limit condition of vlans on the interface before setting vlan +promiscuous mode + +Fixes: 48dd73d08d4dd ("net: aquantia: fix vlans not working over bridged network") +Signed-off-by: Dmitry Bogdanov +Signed-off-by: Igor Russkikh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/aquantia/atlantic/aq_filters.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/aquantia/atlantic/aq_filters.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_filters.c +@@ -843,7 +843,7 @@ int aq_filters_vlans_update(struct aq_ni + return err; + + if (aq_nic->ndev->features & NETIF_F_HW_VLAN_CTAG_FILTER) { +- if (hweight < AQ_VLAN_MAX_FILTERS && hweight > 0) { ++ if (hweight <= AQ_VLAN_MAX_FILTERS && hweight > 0) { + err = aq_hw_ops->hw_filter_vlan_ctrl(aq_hw, + !(aq_nic->packet_filter & IFF_PROMISC)); + aq_nic->aq_nic_cfg.is_vlan_force_promisc = false; diff --git a/queue-5.2/net-hns-fix-led-configuration-for-marvell-phy.patch b/queue-5.2/net-hns-fix-led-configuration-for-marvell-phy.patch new file mode 100644 index 00000000000..1d5c6a061a6 --- /dev/null +++ b/queue-5.2/net-hns-fix-led-configuration-for-marvell-phy.patch @@ -0,0 +1,79 @@ +From f4e5f775db5a4631300dccd0de5eafb50a77c131 Mon Sep 17 00:00:00 2001 +From: Yonglong Liu +Date: Mon, 22 Jul 2019 13:59:12 +0800 +Subject: net: hns: fix LED configuration for marvell phy + +From: Yonglong Liu + +commit f4e5f775db5a4631300dccd0de5eafb50a77c131 upstream. + +Since commit(net: phy: marvell: change default m88e1510 LED configuration), +the active LED of Hip07 devices is always off, because Hip07 just +use 2 LEDs. +This patch adds a phy_register_fixup_for_uid() for m88e1510 to +correct the LED configuration. + +Fixes: 077772468ec1 ("net: phy: marvell: change default m88e1510 LED configuration") +Signed-off-by: Yonglong Liu +Reviewed-by: linyunsheng +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/hisilicon/hns/hns_enet.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1149,6 +1150,13 @@ static void hns_nic_adjust_link(struct n + } + } + ++static int hns_phy_marvell_fixup(struct phy_device *phydev) ++{ ++ phydev->dev_flags |= MARVELL_PHY_LED0_LINK_LED1_ACTIVE; ++ ++ return 0; ++} ++ + /** + *hns_nic_init_phy - init phy + *@ndev: net device +@@ -1174,6 +1182,16 @@ int hns_nic_init_phy(struct net_device * + if (h->phy_if != PHY_INTERFACE_MODE_XGMII) { + phy_dev->dev_flags = 0; + ++ /* register the PHY fixup (for Marvell 88E1510) */ ++ ret = phy_register_fixup_for_uid(MARVELL_PHY_ID_88E1510, ++ MARVELL_PHY_ID_MASK, ++ hns_phy_marvell_fixup); ++ /* we can live without it, so just issue a warning */ ++ if (ret) ++ netdev_warn(ndev, ++ "Cannot register PHY fixup, ret=%d\n", ++ ret); ++ + ret = phy_connect_direct(ndev, phy_dev, hns_nic_adjust_link, + h->phy_if); + } else { +@@ -2429,8 +2447,11 @@ static int hns_nic_dev_remove(struct pla + hns_nic_uninit_ring_data(priv); + priv->ring_data = NULL; + +- if (ndev->phydev) ++ if (ndev->phydev) { ++ phy_unregister_fixup_for_uid(MARVELL_PHY_ID_88E1510, ++ MARVELL_PHY_ID_MASK); + phy_disconnect(ndev->phydev); ++ } + + if (!IS_ERR_OR_NULL(priv->ae_handle)) + hnae_put_handle(priv->ae_handle); diff --git a/queue-5.2/netfilter-nf_flow_table-set-default-timeout-after-successful-insertion.patch b/queue-5.2/netfilter-nf_flow_table-set-default-timeout-after-successful-insertion.patch new file mode 100644 index 00000000000..5b00b29aa74 --- /dev/null +++ b/queue-5.2/netfilter-nf_flow_table-set-default-timeout-after-successful-insertion.patch @@ -0,0 +1,31 @@ +From 110e48725db6262f260f10727d0fb2d3d25895e4 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Mon, 2 Sep 2019 19:37:43 +0200 +Subject: netfilter: nf_flow_table: set default timeout after successful insertion + +From: Pablo Neira Ayuso + +commit 110e48725db6262f260f10727d0fb2d3d25895e4 upstream. + +Set up the default timeout for this new entry otherwise the garbage +collector might quickly remove it right after the flowtable insertion. + +Fixes: ac2a66665e23 ("netfilter: add generic flow table infrastructure") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_flow_table_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nf_flow_table_core.c ++++ b/net/netfilter/nf_flow_table_core.c +@@ -218,7 +218,7 @@ int flow_offload_add(struct nf_flowtable + return err; + } + +- flow->timeout = (u32)jiffies; ++ flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT; + return 0; + } + EXPORT_SYMBOL_GPL(flow_offload_add); diff --git a/queue-5.2/nfs-disable-client-side-deduplication.patch b/queue-5.2/nfs-disable-client-side-deduplication.patch new file mode 100644 index 00000000000..aa631a629d4 --- /dev/null +++ b/queue-5.2/nfs-disable-client-side-deduplication.patch @@ -0,0 +1,35 @@ +From 9026b3a973b0b0b73c15ba40aff87cd0959fd0f3 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Fri, 31 May 2019 14:06:05 -0700 +Subject: nfs: disable client side deduplication + +From: Darrick J. Wong + +commit 9026b3a973b0b0b73c15ba40aff87cd0959fd0f3 upstream. + +The NFS protocol doesn't support deduplication, so turn it off again. + +Fixes: ce96e888fe48e ("Fix nfs4.2 return -EINVAL when do dedupe operation") +Signed-off-by: Darrick J. Wong +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4file.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/nfs/nfs4file.c ++++ b/fs/nfs/nfs4file.c +@@ -187,7 +187,11 @@ static loff_t nfs42_remap_file_range(str + bool same_inode = false; + int ret; + +- if (remap_flags & ~(REMAP_FILE_DEDUP | REMAP_FILE_ADVISORY)) ++ /* NFS does not support deduplication. */ ++ if (remap_flags & REMAP_FILE_DEDUP) ++ return -EOPNOTSUPP; ++ ++ if (remap_flags & ~REMAP_FILE_ADVISORY) + return -EINVAL; + + /* check alignment w.r.t. clone_blksize */ diff --git a/queue-5.2/phy-renesas-rcar-gen3-usb2-disable-clearing-vbus-in-over-current.patch b/queue-5.2/phy-renesas-rcar-gen3-usb2-disable-clearing-vbus-in-over-current.patch new file mode 100644 index 00000000000..dbcff89205d --- /dev/null +++ b/queue-5.2/phy-renesas-rcar-gen3-usb2-disable-clearing-vbus-in-over-current.patch @@ -0,0 +1,54 @@ +From e6839c31a608e79f2057fab987dd814f5d3477e6 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Tue, 6 Aug 2019 17:51:19 +0900 +Subject: phy: renesas: rcar-gen3-usb2: Disable clearing VBUS in over-current + +From: Yoshihiro Shimoda + +commit e6839c31a608e79f2057fab987dd814f5d3477e6 upstream. + +The hardware manual should be revised, but the initial value of +VBCTRL.OCCLREN is set to 1 actually. If the bit is set, the hardware +clears VBCTRL.VBOUT and ADPCTRL.DRVVBUS registers automatically +when the hardware detects over-current signal from a USB power switch. +However, since the hardware doesn't have any registers which +indicates over-current, the driver cannot handle it at all. So, if +"is_otg_channel" hardware detects over-current, since ADPCTRL.DRVVBUS +register is cleared automatically, the channel cannot be used after +that. + +To resolve this behavior, this patch sets the VBCTRL.OCCLREN to 0 +to keep ADPCTRL.DRVVBUS even if the "is_otg_channel" hardware +detects over-current. (We assume a USB power switch itself protects +over-current and turns the VBUS off.) + +This patch is inspired by a BSP patch from Kazuya Mizuguchi. + +Fixes: 1114e2d31731 ("phy: rcar-gen3-usb2: change the mode to OTG on the combined channel") +Cc: # v4.5+ +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/phy/renesas/phy-rcar-gen3-usb2.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c ++++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c +@@ -61,6 +61,7 @@ + USB2_OBINT_IDDIGCHG) + + /* VBCTRL */ ++#define USB2_VBCTRL_OCCLREN BIT(16) + #define USB2_VBCTRL_DRVVBUSSEL BIT(8) + + /* LINECTRL1 */ +@@ -374,6 +375,7 @@ static void rcar_gen3_init_otg(struct rc + writel(val, usb2_base + USB2_LINECTRL1); + + val = readl(usb2_base + USB2_VBCTRL); ++ val &= ~USB2_VBCTRL_OCCLREN; + writel(val | USB2_VBCTRL_DRVVBUSSEL, usb2_base + USB2_VBCTRL); + val = readl(usb2_base + USB2_ADPCTRL); + writel(val | USB2_ADPCTRL_IDPULLUP, usb2_base + USB2_ADPCTRL); diff --git a/queue-5.2/powerpc-mm-radix-use-the-right-page-size-for-vmemmap-mapping.patch b/queue-5.2/powerpc-mm-radix-use-the-right-page-size-for-vmemmap-mapping.patch new file mode 100644 index 00000000000..bf1fd82c2ee --- /dev/null +++ b/queue-5.2/powerpc-mm-radix-use-the-right-page-size-for-vmemmap-mapping.patch @@ -0,0 +1,58 @@ +From 89a3496e0664577043666791ec07fb731d57c950 Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" +Date: Mon, 1 Jul 2019 20:04:42 +0530 +Subject: powerpc/mm/radix: Use the right page size for vmemmap mapping + +From: Aneesh Kumar K.V + +commit 89a3496e0664577043666791ec07fb731d57c950 upstream. + +We use mmu_vmemmap_psize to find the page size for mapping the vmmemap area. +With radix translation, we are suboptimally setting this value to PAGE_SIZE. + +We do check for 2M page size support and update mmu_vmemap_psize to use +hugepage size but we suboptimally reset the value to PAGE_SIZE in +radix__early_init_mmu(). This resulted in always mapping vmemmap area with +64K page size. + +Fixes: 2bfd65e45e87 ("powerpc/mm/radix: Add radix callbacks for early init routines") +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/book3s64/radix_pgtable.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +--- a/arch/powerpc/mm/book3s64/radix_pgtable.c ++++ b/arch/powerpc/mm/book3s64/radix_pgtable.c +@@ -515,14 +515,6 @@ void __init radix__early_init_devtree(vo + mmu_psize_defs[MMU_PAGE_64K].shift = 16; + mmu_psize_defs[MMU_PAGE_64K].ap = 0x5; + found: +-#ifdef CONFIG_SPARSEMEM_VMEMMAP +- if (mmu_psize_defs[MMU_PAGE_2M].shift) { +- /* +- * map vmemmap using 2M if available +- */ +- mmu_vmemmap_psize = MMU_PAGE_2M; +- } +-#endif /* CONFIG_SPARSEMEM_VMEMMAP */ + return; + } + +@@ -587,7 +579,13 @@ void __init radix__early_init_mmu(void) + + #ifdef CONFIG_SPARSEMEM_VMEMMAP + /* vmemmap mapping */ +- mmu_vmemmap_psize = mmu_virtual_psize; ++ if (mmu_psize_defs[MMU_PAGE_2M].shift) { ++ /* ++ * map vmemmap using 2M if available ++ */ ++ mmu_vmemmap_psize = MMU_PAGE_2M; ++ } else ++ mmu_vmemmap_psize = mmu_virtual_psize; + #endif + /* + * initialize page table size diff --git a/queue-5.2/scripts-decode_stacktrace-match-basepath-using-shell-prefix-operator-not-regex.patch b/queue-5.2/scripts-decode_stacktrace-match-basepath-using-shell-prefix-operator-not-regex.patch new file mode 100644 index 00000000000..9fe5dc97b7c --- /dev/null +++ b/queue-5.2/scripts-decode_stacktrace-match-basepath-using-shell-prefix-operator-not-regex.patch @@ -0,0 +1,35 @@ +From 31013836a71e07751a6827f9d2ad41ef502ddaff Mon Sep 17 00:00:00 2001 +From: Nicolas Boichat +Date: Thu, 11 Jul 2019 20:52:27 -0700 +Subject: scripts/decode_stacktrace: match basepath using shell prefix operator, not regex + +From: Nicolas Boichat + +commit 31013836a71e07751a6827f9d2ad41ef502ddaff upstream. + +The basepath may contain special characters, which would confuse the regex +matcher. ${var#prefix} does the right thing. + +Link: http://lkml.kernel.org/r/20190518055946.181563-1-drinkcat@chromium.org +Fixes: 67a28de47faa8358 ("scripts/decode_stacktrace: only strip base path when a prefix of the path") +Signed-off-by: Nicolas Boichat +Reviewed-by: Stephen Boyd +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/decode_stacktrace.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/scripts/decode_stacktrace.sh ++++ b/scripts/decode_stacktrace.sh +@@ -85,7 +85,7 @@ parse_symbol() { + fi + + # Strip out the base of the path +- code=${code//^$basepath/""} ++ code=${code#$basepath/} + + # In the case of inlines, move everything to same line + code=${code//$'\n'/' '} diff --git a/queue-5.2/series b/queue-5.2/series index 2846b9e9962..5b4d5a8e125 100644 --- a/queue-5.2/series +++ b/queue-5.2/series @@ -1 +1,15 @@ +usb-usbcore-fix-slab-out-of-bounds-bug-during-device-reset.patch +media-tm6000-double-free-if-usb-disconnect-while-streaming.patch +phy-renesas-rcar-gen3-usb2-disable-clearing-vbus-in-over-current.patch net-hns3-adjust-hns3_uninit_phy-s-location-in-the-hns3_client_uninit.patch +netfilter-nf_flow_table-set-default-timeout-after-successful-insertion.patch +hid-wacom-generic-read-hid_dg_contactmax-from-any-feature-report.patch +input-elan_i2c-remove-lenovo-legion-y7000-pnpid.patch +sunrpc-handle-connection-breakages-correctly-in-call_status.patch +media-stm32-dcmi-fix-irq-0-case.patch +nfs-disable-client-side-deduplication.patch +dma-direct-only-limit-the-mapping-size-if-swiotlb-could-be-used.patch +powerpc-mm-radix-use-the-right-page-size-for-vmemmap-mapping.patch +scripts-decode_stacktrace-match-basepath-using-shell-prefix-operator-not-regex.patch +net-hns-fix-led-configuration-for-marvell-phy.patch +net-aquantia-fix-limit-of-vlan-filters.patch diff --git a/queue-5.2/sunrpc-handle-connection-breakages-correctly-in-call_status.patch b/queue-5.2/sunrpc-handle-connection-breakages-correctly-in-call_status.patch new file mode 100644 index 00000000000..ea62b7d2771 --- /dev/null +++ b/queue-5.2/sunrpc-handle-connection-breakages-correctly-in-call_status.patch @@ -0,0 +1,31 @@ +From c82e5472c9980e0e483f4b689044150eefaca408 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Fri, 16 Aug 2019 08:58:48 -0400 +Subject: SUNRPC: Handle connection breakages correctly in call_status() + +From: Trond Myklebust + +commit c82e5472c9980e0e483f4b689044150eefaca408 upstream. + +If the connection breaks while we're waiting for a reply from the +server, then we want to immediately try to reconnect. + +Fixes: ec6017d90359 ("SUNRPC fix regression in umount of a secure mount") +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/clnt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -2301,7 +2301,7 @@ call_status(struct rpc_task *task) + case -ECONNABORTED: + case -ENOTCONN: + rpc_force_rebind(clnt); +- /* fall through */ ++ break; + case -EADDRINUSE: + rpc_delay(task, 3*HZ); + /* fall through */ diff --git a/queue-5.2/usb-usbcore-fix-slab-out-of-bounds-bug-during-device-reset.patch b/queue-5.2/usb-usbcore-fix-slab-out-of-bounds-bug-during-device-reset.patch new file mode 100644 index 00000000000..f8cdd24a430 --- /dev/null +++ b/queue-5.2/usb-usbcore-fix-slab-out-of-bounds-bug-during-device-reset.patch @@ -0,0 +1,112 @@ +From 3dd550a2d36596a1b0ee7955da3b611c031d3873 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Wed, 4 Sep 2019 11:56:27 -0400 +Subject: USB: usbcore: Fix slab-out-of-bounds bug during device reset + +From: Alan Stern + +commit 3dd550a2d36596a1b0ee7955da3b611c031d3873 upstream. + +The syzbot fuzzer provoked a slab-out-of-bounds error in the USB core: + +BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904 +Read of size 1 at addr ffff8881d175bed6 by task kworker/0:3/2746 + +CPU: 0 PID: 2746 Comm: kworker/0:3 Not tainted 5.3.0-rc5+ #28 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +Workqueue: usb_hub_wq hub_event +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xca/0x13e lib/dump_stack.c:113 + print_address_description+0x6a/0x32c mm/kasan/report.c:351 + __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482 + kasan_report+0xe/0x12 mm/kasan/common.c:612 + memcmp+0xa6/0xb0 lib/string.c:904 + memcmp include/linux/string.h:400 [inline] + descriptors_changed drivers/usb/core/hub.c:5579 [inline] + usb_reset_and_verify_device+0x564/0x1300 drivers/usb/core/hub.c:5729 + usb_reset_device+0x4c1/0x920 drivers/usb/core/hub.c:5898 + rt2x00usb_probe+0x53/0x7af +drivers/net/wireless/ralink/rt2x00/rt2x00usb.c:806 + +The error occurs when the descriptors_changed() routine (called during +a device reset) attempts to compare the old and new BOS and capability +descriptors. The length it uses for the comparison is the +wTotalLength value stored in BOS descriptor, but this value is not +necessarily the same as the length actually allocated for the +descriptors. If it is larger the routine will call memcmp() with a +length that is too big, thus reading beyond the end of the allocated +region and leading to this fault. + +The kernel reads the BOS descriptor twice: first to get the total +length of all the capability descriptors, and second to read it along +with all those other descriptors. A malicious (or very faulty) device +may send different values for the BOS descriptor fields each time. +The memory area will be allocated using the wTotalLength value read +the first time, but stored within it will be the value read the second +time. + +To prevent this possibility from causing any errors, this patch +modifies the BOS descriptor after it has been read the second time: +It sets the wTotalLength field to the actual length of the descriptors +that were read in and validated. Then the memcpy() call, or any other +code using these descriptors, will be able to rely on wTotalLength +being valid. + +Reported-and-tested-by: syzbot+35f4d916c623118d576e@syzkaller.appspotmail.com +Signed-off-by: Alan Stern +CC: +Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1909041154260.1722-100000@iolanthe.rowland.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/config.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -921,7 +921,7 @@ int usb_get_bos_descriptor(struct usb_de + struct usb_bos_descriptor *bos; + struct usb_dev_cap_header *cap; + struct usb_ssp_cap_descriptor *ssp_cap; +- unsigned char *buffer; ++ unsigned char *buffer, *buffer0; + int length, total_len, num, i, ssac; + __u8 cap_type; + int ret; +@@ -966,10 +966,12 @@ int usb_get_bos_descriptor(struct usb_de + ret = -ENOMSG; + goto err; + } ++ ++ buffer0 = buffer; + total_len -= length; ++ buffer += length; + + for (i = 0; i < num; i++) { +- buffer += length; + cap = (struct usb_dev_cap_header *)buffer; + + if (total_len < sizeof(*cap) || total_len < cap->bLength) { +@@ -983,8 +985,6 @@ int usb_get_bos_descriptor(struct usb_de + break; + } + +- total_len -= length; +- + if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) { + dev_warn(ddev, "descriptor type invalid, skip\n"); + continue; +@@ -1019,7 +1019,11 @@ int usb_get_bos_descriptor(struct usb_de + default: + break; + } ++ ++ total_len -= length; ++ buffer += length; + } ++ dev->bos->desc->wTotalLength = cpu_to_le16(buffer - buffer0); + + return 0; +