From: Sasha Levin Date: Tue, 30 Oct 2018 13:15:52 +0000 (-0400) Subject: 4.14-stable patches X-Git-Tag: v4.19.1~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d221e257b7420e3dd9351055df294811f72c5cb3;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/arm-8799-1-mm-fix-pci_ioremap_io-offset-check.patch b/queue-4.14/arm-8799-1-mm-fix-pci_ioremap_io-offset-check.patch new file mode 100644 index 00000000000..a327430d4cf --- /dev/null +++ b/queue-4.14/arm-8799-1-mm-fix-pci_ioremap_io-offset-check.patch 
@@ -0,0 +1,45 @@ +From f4083e1793dd26425420f37fcf950b02d00e1ea9 Mon Sep 17 00:00:00 2001 +From: Thomas Petazzoni +Date: Thu, 13 Sep 2018 16:48:08 +0100 +Subject: ARM: 8799/1: mm: fix pci_ioremap_io() offset check + +[ Upstream commit 3a58ac65e2d7969bcdf1b6acb70fa4d12a88e53e ] + +IO_SPACE_LIMIT is the ending address of the PCI IO space, i.e +something like 0xfffff (and not 0x100000). + +Therefore, when offset = 0xf0000 is passed as argument, this function +fails even though the offset + SZ_64K fits below the +IO_SPACE_LIMIT. This makes the last chunk of 64 KB of the I/O space +not usable as it cannot be mapped. + +This patch fixes that by substracing 1 to offset + SZ_64K, so that we +compare the addrss of the last byte of the I/O space against +IO_SPACE_LIMIT instead of the address of the first byte of what is +after the I/O space. + +Fixes: c2794437091a4 ("ARM: Add fixed PCI i/o mapping") +Signed-off-by: Thomas Petazzoni +Acked-by: Nicolas Pitre +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/mm/ioremap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mm/ioremap.c b/arch/arm/mm/ioremap.c +index fc91205ff46c..5bf9443cfbaa 100644 +--- a/arch/arm/mm/ioremap.c ++++ b/arch/arm/mm/ioremap.c +@@ -473,7 +473,7 @@ void pci_ioremap_set_mem_type(int mem_type) + + int pci_ioremap_io(unsigned int offset, phys_addr_t phys_addr) + { +- BUG_ON(offset + SZ_64K > IO_SPACE_LIMIT); ++ BUG_ON(offset + SZ_64K - 1 > IO_SPACE_LIMIT); + + return ioremap_page_range(PCI_IO_VIRT_BASE + offset, + PCI_IO_VIRT_BASE + offset + SZ_64K, +-- +2.17.1 + diff --git a/queue-4.14/arm-dts-bcm63xx-fix-incorrect-interrupt-specifiers.patch b/queue-4.14/arm-dts-bcm63xx-fix-incorrect-interrupt-specifiers.patch new file mode 100644 index 00000000000..153d494a174 --- /dev/null +++ b/queue-4.14/arm-dts-bcm63xx-fix-incorrect-interrupt-specifiers.patch 
@@ -0,0 +1,79 @@ +From 42406885dafa2ad8f9b2d437b70bacec223233ae Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Wed, 19 Sep 2018 17:14:01 -0700 +Subject: ARM: dts: BCM63xx: Fix incorrect interrupt specifiers + +[ Upstream commit 3ab97942d0213b6583a5408630a8cbbfbf54730f ] + +A number of our interrupts were incorrectly specified, fix both the PPI +and SPI interrupts to be correct. + +Fixes: b5762cacc411 ("ARM: bcm63138: add NAND DT support") +Fixes: 46d4bca0445a ("ARM: BCM63XX: add BCM63138 minimal Device Tree") +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm63138.dtsi | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/arch/arm/boot/dts/bcm63138.dtsi b/arch/arm/boot/dts/bcm63138.dtsi +index 43ee992ccdcf..6df61518776f 100644 +--- a/arch/arm/boot/dts/bcm63138.dtsi ++++ b/arch/arm/boot/dts/bcm63138.dtsi +@@ -106,21 +106,23 @@ + global_timer: timer@1e200 { + compatible = "arm,cortex-a9-global-timer"; + reg = <0x1e200 0x20>; +- interrupts = ; ++ interrupts = ; + clocks = <&axi_clk>; + }; + + local_timer: local-timer@1e600 { + compatible = "arm,cortex-a9-twd-timer"; + reg = <0x1e600 0x20>; +- interrupts = ; ++ interrupts = ; + clocks = <&axi_clk>; + }; + + twd_watchdog: watchdog@1e620 { + compatible = "arm,cortex-a9-twd-wdt"; + reg = <0x1e620 0x20>; +- interrupts = ; ++ interrupts = ; + }; + + armpll: armpll { +@@ -158,7 +160,7 @@ + serial0: serial@600 { + compatible = "brcm,bcm6345-uart"; + reg = <0x600 0x1b>; +- interrupts = ; ++ interrupts = ; + clocks = <&periph_clk>; + clock-names = "periph"; + status = "disabled"; +@@ -167,7 +169,7 @@ + serial1: serial@620 { + compatible = "brcm,bcm6345-uart"; + reg = <0x620 0x1b>; +- interrupts = ; ++ interrupts = ; + clocks = <&periph_clk>; + clock-names = "periph"; + status = "disabled"; +@@ -180,7 +182,7 @@ + reg = <0x2000 0x600>, <0xf0 0x10>; + reg-names = "nand", "nand-int-base"; + status = "disabled"; +- interrupts = ; ++ interrupts = ; + 
interrupt-names = "nand"; + }; + +-- +2.17.1 + diff --git a/queue-4.14/arm-dts-imx53-qsb-disable-1.2ghz-opp.patch b/queue-4.14/arm-dts-imx53-qsb-disable-1.2ghz-opp.patch new file mode 100644 index 00000000000..0185e42326b --- /dev/null +++ b/queue-4.14/arm-dts-imx53-qsb-disable-1.2ghz-opp.patch @@ -0,0 +1,46 @@ +From d7ace5b84ff675f2cf3489e144a15fd9d11b6821 Mon Sep 17 00:00:00 2001 +From: Sascha Hauer +Date: Wed, 12 Sep 2018 08:23:01 +0200 +Subject: ARM: dts: imx53-qsb: disable 1.2GHz OPP + +[ Upstream commit eea96566c189c77e5272585984eb2729881a2f1d ] + +The maximum CPU frequency for the i.MX53 QSB is 1GHz, so disable the +1.2GHz OPP. This makes the board work again with configs that have +cpufreq enabled like imx_v6_v7_defconfig on which the board stopped +working with the addition of cpufreq-dt support. + +Fixes: 791f416608 ("ARM: dts: imx53: add cpufreq-dt support") + +Signed-off-by: Sascha Hauer +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx53-qsb-common.dtsi | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/arch/arm/boot/dts/imx53-qsb-common.dtsi b/arch/arm/boot/dts/imx53-qsb-common.dtsi +index 683dcbe27cbd..8c11190c5218 100644 +--- a/arch/arm/boot/dts/imx53-qsb-common.dtsi ++++ b/arch/arm/boot/dts/imx53-qsb-common.dtsi +@@ -130,6 +130,17 @@ + }; + }; + ++&cpu0 { ++ /* CPU rated to 1GHz, not 1.2GHz as per the default settings */ ++ operating-points = < ++ /* kHz uV */ ++ 166666 850000 ++ 400000 900000 ++ 800000 1050000 ++ 1000000 1200000 ++ >; ++}; ++ + &esdhc1 { + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_esdhc1>; +-- +2.17.1 + diff --git a/queue-4.14/arm-tegra-fix-ulpi-regression-on-tegra20.patch b/queue-4.14/arm-tegra-fix-ulpi-regression-on-tegra20.patch new file mode 100644 index 00000000000..631e4220b66 --- /dev/null +++ b/queue-4.14/arm-tegra-fix-ulpi-regression-on-tegra20.patch 
@@ -0,0 +1,48 @@ +From 9b2a2e640f37403791b707d7a68087281d000d20 Mon Sep 17 00:00:00 2001 +From: Marcel Ziswiler +Date: Thu, 22 Feb 2018 15:38:25 +0100 +Subject: ARM: tegra: Fix ULPI regression on Tegra20 + +[ Upstream commit 4c9a27a6c66d4427f3cba4019d4ba738fe99fa87 ] + +Since commit f8f8f1d04494 ("clk: Don't touch hardware when reparenting +during registration") ULPI has been broken on Tegra20 leading to the +following error message during boot: + +[ 1.974698] ulpi_phy_power_on: ulpi write failed +[ 1.979384] tegra-ehci c5004000.usb: Failed to power on the phy +[ 1.985434] tegra-ehci: probe of c5004000.usb failed with error -110 + +Debugging through the changes and finally also consulting the TRM +revealed that rather than the CDEV2 clock off OSC requiring such pin +muxing actually the PLL_P_OUT4 clock is in use. It looks like so far it +just worked by chance of that one having been enabled which Stephen's +commit now changed when reparenting sclk away from pll_p_out4 leaving +that one disabled. Fix this by properly assigning the PLL_P_OUT4 clock +as the ULPI PHY clock. + +Signed-off-by: Marcel Ziswiler +Reviewed-by: Dmitry Osipenko +Reviewed-by: Rob Herring +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/tegra20.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/tegra20.dtsi b/arch/arm/boot/dts/tegra20.dtsi +index 914f59166a99..2780e68a853b 100644 +--- a/arch/arm/boot/dts/tegra20.dtsi ++++ b/arch/arm/boot/dts/tegra20.dtsi +@@ -706,7 +706,7 @@ + phy_type = "ulpi"; + clocks = <&tegra_car TEGRA20_CLK_USB2>, + <&tegra_car TEGRA20_CLK_PLL_U>, +- <&tegra_car TEGRA20_CLK_CDEV2>; ++ <&tegra_car TEGRA20_CLK_PLL_P_OUT4>; + clock-names = "reg", "pll_u", "ulpi-link"; + resets = <&tegra_car 58>, <&tegra_car 22>; + reset-names = "usb", "utmi-pads"; +-- +2.17.1 + 
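Review bot: In arch/arm/mm/ioremap.c, pci_ioremap_io() takes `offset` as an unsigned int, so `offset + SZ_64K - 1` is computed modulo 2^32 and wraps for an offset within 64 KB of UINT_MAX; the wrapped sum compares below IO_SPACE_LIMIT and the BUG_ON does not fire. Writing the bound without arithmetic on the caller's value, for example `BUG_ON(offset > IO_SPACE_LIMIT - SZ_64K + 1);`, keeps the off-by-one fix and removes the wrap, assuming IO_SPACE_LIMIT is at least SZ_64K - 1 as in the commit message's 0xfffff example.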
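Review bot: The commit message for the arch/arm/boot/dts/tegra20.dtsi change names f8f8f1d04494 ("clk: Don't touch hardware when reparenting during registration") as the point where ULPI stopped working, but the trailers carry no Fixes: tag and no statement of which kernels are affected. Since the text says the old CDEV2 assignment only worked by chance, a line stating the first release that needs the PLL_P_OUT4 assignment would let a backporter decide whether a given stable tree wants this one-line change.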
diff --git a/queue-4.14/arm64-hugetlb-fix-handling-of-young-ptes.patch b/queue-4.14/arm64-hugetlb-fix-handling-of-young-ptes.patch new file mode 100644 index 00000000000..a31647d458b --- /dev/null +++ b/queue-4.14/arm64-hugetlb-fix-handling-of-young-ptes.patch 
@@ -0,0 +1,63 @@ +From 7e053f0afd9e8fb3c1116910bdf2a578b6edae9b Mon Sep 17 00:00:00 2001 +From: Steve Capper +Date: Fri, 21 Sep 2018 16:34:04 +0100 +Subject: arm64: hugetlb: Fix handling of young ptes + +[ Upstream commit 469ed9d823b7d240d6b9574f061ded7c3834c167 ] + +In the contiguous bit hugetlb break-before-make code we assume that all +hugetlb pages are young. + +In fact, remove_migration_pte is able to place an old hugetlb pte so +this assumption is not valid. + +This patch fixes the contiguous hugetlb scanning code to preserve young +ptes. + +Fixes: d8bdcff28764 ("arm64: hugetlb: Add break-before-make logic for contiguous entries") +Signed-off-by: Steve Capper +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/mm/hugetlbpage.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/mm/hugetlbpage.c b/arch/arm64/mm/hugetlbpage.c +index 6cb0fa92a651..9f6ae9686dac 100644 +--- a/arch/arm64/mm/hugetlbpage.c ++++ b/arch/arm64/mm/hugetlbpage.c +@@ -118,11 +118,14 @@ static pte_t get_clear_flush(struct mm_struct *mm, + + /* + * If HW_AFDBM is enabled, then the HW could turn on +- * the dirty bit for any page in the set, so check +- * them all. All hugetlb entries are already young. ++ * the dirty or accessed bit for any page in the set, ++ * so check them all. 
+ */ + if (pte_dirty(pte)) + orig_pte = pte_mkdirty(orig_pte); ++ ++ if (pte_young(pte)) ++ orig_pte = pte_mkyoung(orig_pte); + } + + if (valid) +@@ -347,10 +350,13 @@ int huge_ptep_set_access_flags(struct vm_area_struct *vma, + if (!pte_same(orig_pte, pte)) + changed = 1; + +- /* Make sure we don't lose the dirty state */ ++ /* Make sure we don't lose the dirty or young state */ + if (pte_dirty(orig_pte)) + pte = pte_mkdirty(pte); + ++ if (pte_young(orig_pte)) ++ pte = pte_mkyoung(pte); ++ + hugeprot = pte_pgprot(pte); + for (i = 0; i < ncontig; i++, ptep++, addr += pgsize, pfn += dpfn) + set_pte_at(vma->vm_mm, addr, ptep, pfn_pte(pfn, hugeprot)); +-- +2.17.1 + diff --git a/queue-4.14/asix-check-for-supported-wake-on-lan-modes.patch b/queue-4.14/asix-check-for-supported-wake-on-lan-modes.patch new file mode 100644 index 00000000000..86eb03bdd5e --- /dev/null +++ b/queue-4.14/asix-check-for-supported-wake-on-lan-modes.patch 
@@ -0,0 +1,36 @@ +From 90b206094660e41b59f4d6616f2c78301bb44d74 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 28 Sep 2018 16:18:50 -0700 +Subject: asix: Check for supported Wake-on-LAN modes + +[ Upstream commit c4ce446e33d7a0e978256ac6fea4c80e59d9de5f ] + +The driver currently silently accepts unsupported Wake-on-LAN modes +(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user, +which is confusing. + +Fixes: 2e55cc7210fe ("[PATCH] USB: usbnet (3/9) module for ASIX Ethernet adapters") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/asix_common.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c +index 522d2900cd1d..e9fcf6ef716a 100644 +--- a/drivers/net/usb/asix_common.c ++++ b/drivers/net/usb/asix_common.c +@@ -607,6 +607,9 @@ int asix_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo) + struct usbnet *dev = netdev_priv(net); + u8 opt = 0; + ++ if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC)) ++ return -EINVAL; ++ + if (wolinfo->wolopts & WAKE_PHY) + opt |= AX_MONITOR_LINK; + if (wolinfo->wolopts & WAKE_MAGIC) +-- +2.17.1 + diff --git a/queue-4.14/ax88179_178a-check-for-supported-wake-on-lan-modes.patch b/queue-4.14/ax88179_178a-check-for-supported-wake-on-lan-modes.patch new file mode 100644 index 00000000000..07c910ee532 --- /dev/null +++ b/queue-4.14/ax88179_178a-check-for-supported-wake-on-lan-modes.patch 
@@ -0,0 +1,36 @@ +From ed84b7def3eb05a84bd871e1209541aeb0a081fd Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 28 Sep 2018 16:18:51 -0700 +Subject: ax88179_178a: Check for supported Wake-on-LAN modes + +[ Upstream commit 5ba6b4aa9a410c5e2c6417df52b5e2118ea9b467 ] + +The driver currently silently accepts unsupported Wake-on-LAN modes +(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user, +which is confusing. + +Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/ax88179_178a.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c +index f32261ecd215..0f69b77e8502 100644 +--- a/drivers/net/usb/ax88179_178a.c ++++ b/drivers/net/usb/ax88179_178a.c +@@ -566,6 +566,9 @@ ax88179_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo) + struct usbnet *dev = netdev_priv(net); + u8 opt = 0; + ++ if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC)) ++ return -EINVAL; ++ + if (wolinfo->wolopts & WAKE_PHY) + opt |= AX_MONITOR_MODE_RWLC; + if (wolinfo->wolopts & WAKE_MAGIC) +-- +2.17.1 + diff --git a/queue-4.14/be2net-don-t-flip-hw_features-when-vxlans-are-added-.patch b/queue-4.14/be2net-don-t-flip-hw_features-when-vxlans-are-added-.patch new file mode 100644 index 00000000000..3f12d8ff6b7 --- /dev/null +++ b/queue-4.14/be2net-don-t-flip-hw_features-when-vxlans-are-added-.patch 
@@ -0,0 +1,60 @@ +From 4390a84790f333c871dff83c183d78f9b3a05a60 Mon Sep 17 00:00:00 2001 +From: Davide Caratti +Date: Wed, 3 Oct 2018 15:20:58 +0200 +Subject: be2net: don't flip hw_features when VXLANs are added/deleted + +[ Upstream commit 2d52527e80c2dc0c5f43f50adf183781262ec565 ] + +the be2net implementation of .ndo_tunnel_{add,del}() changes the value of +NETIF_F_GSO_UDP_TUNNEL bit in 'features' and 'hw_features', but it forgets +to call netdev_features_change(). Moreover, ethtool setting for that bit +can potentially be reverted after a tunnel is added or removed. + +GSO already does software segmentation when 'hw_enc_features' is 0, even +if VXLAN offload is turned on. In addition, commit 096de2f83ebc ("benet: +stricter vxlan offloading check in be_features_check") avoids hardware +segmentation of non-VXLAN tunneled packets, or VXLAN packets having wrong +destination port. So, it's safe to avoid flipping the above feature on +addition/deletion of VXLAN tunnels. + +Fixes: 630f4b70567f ("be2net: Export tunnel offloads only when a VxLAN tunnel is created") +Signed-off-by: Davide Caratti +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_main.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index 7e2b70c2bba3..39f399741647 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -3900,8 +3900,6 @@ static int be_enable_vxlan_offloads(struct be_adapter *adapter) + netdev->hw_enc_features |= NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM | + NETIF_F_TSO | NETIF_F_TSO6 | + NETIF_F_GSO_UDP_TUNNEL; +- netdev->hw_features |= NETIF_F_GSO_UDP_TUNNEL; +- netdev->features |= NETIF_F_GSO_UDP_TUNNEL; + + dev_info(dev, "Enabled VxLAN offloads for UDP port %d\n", + be16_to_cpu(port)); +@@ -3923,8 +3921,6 @@ static void be_disable_vxlan_offloads(struct be_adapter *adapter) + adapter->vxlan_port = 0; + + netdev->hw_enc_features = 0; +- netdev->hw_features &= ~(NETIF_F_GSO_UDP_TUNNEL); +- netdev->features &= ~(NETIF_F_GSO_UDP_TUNNEL); + } + + static void be_calculate_vf_res(struct be_adapter *adapter, u16 num_vfs, +@@ -5215,6 +5211,7 @@ static void be_netdev_init(struct net_device *netdev) + struct be_adapter *adapter = netdev_priv(netdev); + + netdev->hw_features |= NETIF_F_SG | NETIF_F_TSO | NETIF_F_TSO6 | ++ NETIF_F_GSO_UDP_TUNNEL | + NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM | NETIF_F_RXCSUM | + NETIF_F_HW_VLAN_CTAG_TX; + if ((be_if_cap_flags(adapter) & BE_IF_FLAGS_RSS)) +-- +2.17.1 + diff --git a/queue-4.14/bluetooth-smp-fix-crash-in-unpairing.patch b/queue-4.14/bluetooth-smp-fix-crash-in-unpairing.patch new file mode 100644 index 00000000000..0af64bbf337 --- /dev/null +++ b/queue-4.14/bluetooth-smp-fix-crash-in-unpairing.patch 
@@ -0,0 +1,194 @@ +From ff41c804599bfad2d6611caa97579e31336fd140 Mon Sep 17 00:00:00 2001 +From: Matias Karhumaa +Date: Wed, 26 Sep 2018 09:13:46 +0300 +Subject: Bluetooth: SMP: fix crash in unpairing + +[ Upstream commit cb28c306b93b71f2741ce1a5a66289db26715f4d ] + +In case unpair_device() was called through mgmt interface at the same time +when pairing was in progress, Bluetooth kernel module crash was seen. + +[ 600.351225] general protection fault: 0000 [#1] SMP PTI +[ 600.351235] CPU: 1 PID: 11096 Comm: btmgmt Tainted: G OE 4.19.0-rc1+ #1 +[ 600.351238] Hardware name: Dell Inc. Latitude E5440/08RCYC, BIOS A18 05/14/2017 +[ 600.351272] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth] +[ 600.351276] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 <48> 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01 +[ 600.351279] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246 +[ 600.351282] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60 +[ 600.351285] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500 +[ 600.351287] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00 +[ 600.351290] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800 +[ 600.351292] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00 +[ 600.351295] FS: 00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000 +[ 600.351298] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 600.351300] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0 +[ 600.351302] Call Trace: +[ 600.351325] smp_failure+0x4f/0x70 [bluetooth] +[ 600.351345] smp_cancel_pairing+0x74/0x80 [bluetooth] +[ 600.351370] unpair_device+0x1c1/0x330 [bluetooth] +[ 600.351399] hci_sock_sendmsg+0x960/0x9f0 [bluetooth] +[ 600.351409] ? 
apparmor_socket_sendmsg+0x1e/0x20 +[ 600.351417] sock_sendmsg+0x3e/0x50 +[ 600.351422] sock_write_iter+0x85/0xf0 +[ 600.351429] do_iter_readv_writev+0x12b/0x1b0 +[ 600.351434] do_iter_write+0x87/0x1a0 +[ 600.351439] vfs_writev+0x98/0x110 +[ 600.351443] ? ep_poll+0x16d/0x3d0 +[ 600.351447] ? ep_modify+0x73/0x170 +[ 600.351451] do_writev+0x61/0xf0 +[ 600.351455] ? do_writev+0x61/0xf0 +[ 600.351460] __x64_sys_writev+0x1c/0x20 +[ 600.351465] do_syscall_64+0x5a/0x110 +[ 600.351471] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 600.351474] RIP: 0033:0x7fb2bdb62fe0 +[ 600.351477] Code: 73 01 c3 48 8b 0d b8 6e 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 69 c7 2c 00 00 75 10 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 de 80 01 00 48 89 04 24 +[ 600.351479] RSP: 002b:00007ffe062cb8f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 +[ 600.351484] RAX: ffffffffffffffda RBX: 000000000255b3d0 RCX: 00007fb2bdb62fe0 +[ 600.351487] RDX: 0000000000000001 RSI: 00007ffe062cb920 RDI: 0000000000000004 +[ 600.351490] RBP: 00007ffe062cb920 R08: 000000000255bd80 R09: 0000000000000000 +[ 600.351494] R10: 0000000000000353 R11: 0000000000000246 R12: 0000000000000001 +[ 600.351497] R13: 00007ffe062cbbe0 R14: 0000000000000000 R15: 0000000000000000 +[ 600.351501] Modules linked in: algif_hash algif_skcipher af_alg cmac ipt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat_ipv4 xt_addrtype iptable_filter ip_tables xt_conntrack x_tables nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c br_netfilter bridge stp llc overlay arc4 nls_iso8859_1 dm_crypt intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp dell_laptop kvm_intel crct10dif_pclmul dell_smm_hwmon crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper intel_cstate intel_rapl_perf uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev media hid_multitouch input_leds joydev serio_raw dell_wmi 
snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic dell_smbios dcdbas sparse_keymap +[ 600.351569] snd_hda_intel btusb snd_hda_codec btrtl btbcm btintel snd_hda_core bluetooth(OE) snd_hwdep snd_pcm iwlmvm ecdh_generic wmi_bmof dell_wmi_descriptor snd_seq_midi mac80211 snd_seq_midi_event lpc_ich iwlwifi snd_rawmidi snd_seq snd_seq_device snd_timer cfg80211 snd soundcore mei_me mei dell_rbtn dell_smo8800 mac_hid parport_pc ppdev lp parport autofs4 hid_generic usbhid hid i915 nouveau kvmgt vfio_mdev mdev vfio_iommu_type1 vfio kvm irqbypass i2c_algo_bit ttm drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi psmouse ahci sdhci_pci cqhci libahci fb_sys_fops sdhci drm e1000e video wmi +[ 600.351637] ---[ end trace e49e9f1df09c94fb ]--- +[ 600.351664] RIP: 0010:smp_chan_destroy.isra.10+0xce/0x2c0 [bluetooth] +[ 600.351666] Code: c0 0f 84 b4 01 00 00 80 78 28 04 0f 84 53 01 00 00 4d 85 ed 0f 85 ab 00 00 00 48 8b 08 48 8b 50 08 be 10 00 00 00 48 89 51 08 <48> 89 0a 48 b9 00 02 00 00 00 00 ad de 48 89 48 08 48 8b 83 00 01 +[ 600.351669] RSP: 0018:ffffa9be839b3b50 EFLAGS: 00010246 +[ 600.351672] RAX: ffff9c999ac565a0 RBX: ffff9c9996e98c00 RCX: ffff9c999aa28b60 +[ 600.351674] RDX: dead000000000200 RSI: 0000000000000010 RDI: ffff9c999e403500 +[ 600.351676] RBP: ffffa9be839b3b70 R08: 0000000000000000 R09: ffffffff92a25c00 +[ 600.351679] R10: ffffa9be839b3ae8 R11: 0000000000000001 R12: ffff9c995375b800 +[ 600.351681] R13: 0000000000000000 R14: ffff9c99619a5000 R15: ffff9c9962a01c00 +[ 600.351684] FS: 00007fb2be27c700(0000) GS:ffff9c999e880000(0000) knlGS:0000000000000000 +[ 600.351686] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 600.351689] CR2: 00007fb2bdadbad0 CR3: 000000041c328001 CR4: 00000000001606e0 + +Crash happened because list_del_rcu() was called twice for smp->ltk. This +was possible if unpair_device was called right after ltk was generated +but before keys were distributed. 
+ +In this commit smp_cancel_pairing was refactored to cancel pairing if it +is in progress and otherwise just removes keys. Once keys are removed from +rcu list, pointers to smp context's keys are set to NULL to make sure +removed list items are not accessed later. + +This commit also adjusts the functionality of mgmt unpair_device() little +bit. Previously pairing was canceled only if pairing was in state that +keys were already generated. With this commit unpair_device() cancels +pairing already in earlier states. + +Bug was found by fuzzing kernel SMP implementation using Synopsys +Defensics. + +Reported-by: Pekka Oikarainen +Signed-off-by: Matias Karhumaa +Signed-off-by: Johan Hedberg +Signed-off-by: Sasha Levin +--- + net/bluetooth/mgmt.c | 7 ++----- + net/bluetooth/smp.c | 29 +++++++++++++++++++++++++---- + net/bluetooth/smp.h | 3 ++- + 3 files changed, 29 insertions(+), 10 deletions(-) + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 1fba2a03f8ae..ba24f613c0fc 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -2298,9 +2298,8 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data, + /* LE address type */ + addr_type = le_addr_type(cp->addr.type); + +- hci_remove_irk(hdev, &cp->addr.bdaddr, addr_type); +- +- err = hci_remove_ltk(hdev, &cp->addr.bdaddr, addr_type); ++ /* Abort any ongoing SMP pairing. Removes ltk and irk if they exist. */ ++ err = smp_cancel_and_remove_pairing(hdev, &cp->addr.bdaddr, addr_type); + if (err < 0) { + err = mgmt_cmd_complete(sk, hdev->id, MGMT_OP_UNPAIR_DEVICE, + MGMT_STATUS_NOT_PAIRED, &rp, +@@ -2314,8 +2313,6 @@ static int unpair_device(struct sock *sk, struct hci_dev *hdev, void *data, + goto done; + } + +- /* Abort any ongoing SMP pairing */ +- smp_cancel_pairing(conn); + + /* Defer clearing up the connection parameters until closing to + * give a chance of keeping them if a repairing happens. 
+diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c +index a27704ff13a9..dbcc439fc78b 100644 +--- a/net/bluetooth/smp.c ++++ b/net/bluetooth/smp.c +@@ -2410,30 +2410,51 @@ unlock: + return ret; + } + +-void smp_cancel_pairing(struct hci_conn *hcon) ++int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr, ++ u8 addr_type) + { +- struct l2cap_conn *conn = hcon->l2cap_data; ++ struct hci_conn *hcon; ++ struct l2cap_conn *conn; + struct l2cap_chan *chan; + struct smp_chan *smp; ++ int err; ++ ++ err = hci_remove_ltk(hdev, bdaddr, addr_type); ++ hci_remove_irk(hdev, bdaddr, addr_type); ++ ++ hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type); ++ if (!hcon) ++ goto done; + ++ conn = hcon->l2cap_data; + if (!conn) +- return; ++ goto done; + + chan = conn->smp; + if (!chan) +- return; ++ goto done; + + l2cap_chan_lock(chan); + + smp = chan->data; + if (smp) { ++ /* Set keys to NULL to make sure smp_failure() does not try to ++ * remove and free already invalidated rcu list entries. */ ++ smp->ltk = NULL; ++ smp->slave_ltk = NULL; ++ smp->remote_irk = NULL; ++ + if (test_bit(SMP_FLAG_COMPLETE, &smp->flags)) + smp_failure(conn, 0); + else + smp_failure(conn, SMP_UNSPECIFIED); ++ err = 0; + } + + l2cap_chan_unlock(chan); ++ ++done: ++ return err; + } + + static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb) +diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h +index 0ff6247eaa6c..121edadd5f8d 100644 +--- a/net/bluetooth/smp.h ++++ b/net/bluetooth/smp.h +@@ -181,7 +181,8 @@ enum smp_key_pref { + }; + + /* SMP Commands */ +-void smp_cancel_pairing(struct hci_conn *hcon); ++int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr, ++ u8 addr_type); + bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level, + enum smp_key_pref key_pref); + int smp_conn_security(struct hci_conn *hcon, __u8 sec_level); +-- +2.17.1 + 
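Review bot: In drivers/net/ethernet/emulex/benet/be_main.c, be_netdev_init() now sets NETIF_F_GSO_UDP_TUNNEL in hw_features unconditionally, while the two removed `netdev->features` updates have no visible replacement in this diff. Please confirm that `features` still picks the bit up from hw_features during init, and add a short comment at the be_netdev_init() assignment recording the commit message's reasoning that GSO segments in software while hw_enc_features is 0, so the always-on flag is not read later as an oversight.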
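Review bot: In smp_cancel_and_remove_pairing() (net/bluetooth/smp.c), hci_remove_ltk() and hci_remove_irk() run before l2cap_chan_lock(chan) is taken, and smp->ltk, smp->slave_ltk and smp->remote_irk are set to NULL only after it. Please document which lock keeps smp_failure() from running on this channel in that interval, since it would otherwise reach the same double list_del_rcu() the commit message describes. Smaller points: `err = 0` inside `if (smp)` overrides the hci_remove_ltk() result and deserves a comment saying that cancelling an in-progress pairing counts as success, and the mgmt.c hunk leaves two consecutive blank lines where the smp_cancel_pairing(conn) call was removed.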
diff --git a/queue-4.14/bpf-sockmap-map_release-does-not-hold-refcnt-for-pin.patch b/queue-4.14/bpf-sockmap-map_release-does-not-hold-refcnt-for-pin.patch new file mode 100644 index 00000000000..76e33838049 --- /dev/null +++ b/queue-4.14/bpf-sockmap-map_release-does-not-hold-refcnt-for-pin.patch 
@@ -0,0 +1,108 @@ +From cbf7569dbe4d517f8e82bb9fbf14dad22b260c46 Mon Sep 17 00:00:00 2001 +From: John Fastabend +Date: Mon, 23 Apr 2018 15:39:23 -0700 +Subject: bpf: sockmap, map_release does not hold refcnt for pinned maps + +[ Upstream commit ba6b8de423f8d0dee48d6030288ed81c03ddf9f0 ] + +Relying on map_release hook to decrement the reference counts when a +map is removed only works if the map is not being pinned. In the +pinned case the ref is decremented immediately and the BPF programs +released. After this BPF programs may not be in-use which is not +what the user would expect. + +This patch moves the release logic into bpf_map_put_uref() and brings +sockmap in-line with how a similar case is handled in prog array maps. + +Fixes: 3d9e952697de ("bpf: sockmap, fix leaking maps with attached but not detached progs") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + include/linux/bpf.h | 2 +- + kernel/bpf/arraymap.c | 3 ++- + kernel/bpf/sockmap.c | 4 ++-- + kernel/bpf/syscall.c | 4 ++-- + 4 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/include/linux/bpf.h b/include/linux/bpf.h +index 5c5be80ce802..c9d2a1a3ef11 100644 +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -27,6 +27,7 @@ struct bpf_map_ops { + void (*map_release)(struct bpf_map *map, struct file *map_file); + void (*map_free)(struct bpf_map *map); + int (*map_get_next_key)(struct bpf_map *map, void *key, void *next_key); ++ void (*map_release_uref)(struct bpf_map *map); + + /* funcs callable from userspace and from eBPF programs */ + void *(*map_lookup_elem)(struct bpf_map *map, void *key); +@@ -300,7 +301,6 @@ int bpf_stackmap_copy(struct bpf_map *map, void *key, void *value); + int bpf_fd_array_map_update_elem(struct bpf_map *map, struct file *map_file, + void *key, void *value, u64 map_flags); + int bpf_fd_array_map_lookup_elem(struct bpf_map *map, void *key, u32 *value); +-void bpf_fd_array_map_clear(struct bpf_map *map); + int 
bpf_fd_htab_map_update_elem(struct bpf_map *map, struct file *map_file, + void *key, void *value, u64 map_flags); + int bpf_fd_htab_map_lookup_elem(struct bpf_map *map, void *key, u32 *value); +diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c +index f57d0bdf3c9e..a8f55ea4146b 100644 +--- a/kernel/bpf/arraymap.c ++++ b/kernel/bpf/arraymap.c +@@ -467,7 +467,7 @@ static u32 prog_fd_array_sys_lookup_elem(void *ptr) + } + + /* decrement refcnt of all bpf_progs that are stored in this map */ +-void bpf_fd_array_map_clear(struct bpf_map *map) ++static void bpf_fd_array_map_clear(struct bpf_map *map) + { + struct bpf_array *array = container_of(map, struct bpf_array, map); + int i; +@@ -485,6 +485,7 @@ const struct bpf_map_ops prog_array_map_ops = { + .map_fd_get_ptr = prog_fd_array_get_ptr, + .map_fd_put_ptr = prog_fd_array_put_ptr, + .map_fd_sys_lookup_elem = prog_fd_array_sys_lookup_elem, ++ .map_release_uref = bpf_fd_array_map_clear, + }; + + static struct bpf_event_entry *bpf_event_entry_gen(struct file *perf_file, +diff --git a/kernel/bpf/sockmap.c b/kernel/bpf/sockmap.c +index 20eaddfa691c..22991e19c01c 100644 +--- a/kernel/bpf/sockmap.c ++++ b/kernel/bpf/sockmap.c +@@ -875,7 +875,7 @@ static int sock_map_update_elem(struct bpf_map *map, + return err; + } + +-static void sock_map_release(struct bpf_map *map, struct file *map_file) ++static void sock_map_release(struct bpf_map *map) + { + struct bpf_stab *stab = container_of(map, struct bpf_stab, map); + struct bpf_prog *orig; +@@ -895,7 +895,7 @@ const struct bpf_map_ops sock_map_ops = { + .map_get_next_key = sock_map_get_next_key, + .map_update_elem = sock_map_update_elem, + .map_delete_elem = sock_map_delete_elem, +- .map_release = sock_map_release, ++ .map_release_uref = sock_map_release, + }; + + BPF_CALL_4(bpf_sock_map_update, struct bpf_sock_ops_kern *, bpf_sock, +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index 4e933219fec6..ea22d0b6a9f0 100644 +--- a/kernel/bpf/syscall.c ++++ 
b/kernel/bpf/syscall.c +@@ -214,8 +214,8 @@ static void bpf_map_free_deferred(struct work_struct *work) + static void bpf_map_put_uref(struct bpf_map *map) + { + if (atomic_dec_and_test(&map->usercnt)) { +- if (map->map_type == BPF_MAP_TYPE_PROG_ARRAY) +- bpf_fd_array_map_clear(map); ++ if (map->ops->map_release_uref) ++ map->ops->map_release_uref(map); + } + } + +-- +2.17.1 + diff --git a/queue-4.14/btrfs-quota-set-rescan-progress-to-u64-1-if-we-hit-l.patch b/queue-4.14/btrfs-quota-set-rescan-progress-to-u64-1-if-we-hit-l.patch new file mode 100644 index 00000000000..3da5b94204f --- /dev/null +++ b/queue-4.14/btrfs-quota-set-rescan-progress-to-u64-1-if-we-hit-l.patch 
@@ -0,0 +1,49 @@ +From cc0bacb1c97fb719b4d20060d7ab77367207a004 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Wed, 27 Jun 2018 18:19:55 +0800 +Subject: btrfs: quota: Set rescan progress to (u64)-1 if we hit last leaf + +[ Upstream commit 6f7de19ed3d4d3526ca5eca428009f97cf969c2f ] + +Commit ff3d27a048d9 ("btrfs: qgroup: Finish rescan when hit the last leaf +of extent tree") added a new exit for rescan finish. + +However after finishing quota rescan, we set +fs_info->qgroup_rescan_progress to (u64)-1 before we exit through the +original exit path. +While we missed that assignment of (u64)-1 in the new exit path. + +The end result is, the quota status item doesn't have the same value. +(-1 vs the last bytenr + 1) +Although it doesn't affect quota accounting, it's still better to keep +the original behavior. + +Reported-by: Misono Tomohiro +Fixes: ff3d27a048d9 ("btrfs: qgroup: Finish rescan when hit the last leaf of extent tree") +Signed-off-by: Qu Wenruo +Reviewed-by: Misono Tomohiro +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/qgroup.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c +index 473ad5985aa3..47dec283628d 100644 +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -2603,8 +2603,10 @@ out: + } + btrfs_put_tree_mod_seq(fs_info, &tree_mod_seq_elem); + +- if (done && !ret) ++ if (done && !ret) { + ret = 1; ++ fs_info->qgroup_rescan_progress.objectid = (u64)-1; ++ } + return ret; + } + +-- +2.17.1 + diff --git a/queue-4.14/cfg80211-address-some-corner-cases-in-scan-result-ch.patch b/queue-4.14/cfg80211-address-some-corner-cases-in-scan-result-ch.patch new file mode 100644 index 00000000000..084408fe8c4 --- /dev/null +++ b/queue-4.14/cfg80211-address-some-corner-cases-in-scan-result-ch.patch 
@@ -0,0 +1,140 @@ +From 5bae10b798c5c111db4341707a83388852c8d9d0 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Wed, 5 Sep 2018 18:52:22 +0300 +Subject: cfg80211: Address some corner cases in scan result channel updating + +[ Upstream commit 119f94a6fefcc76d47075b83d2b73d04c895df78 ] + +cfg80211_get_bss_channel() is used to update the RX channel based on the +available frame payload information (channel number from DSSS Parameter +Set element or HT Operation element). This is needed on 2.4 GHz channels +where frames may be received on neighboring channels due to overlapping +frequency range. + +This might of some use on the 5 GHz band in some corner cases, but +things are more complex there since there is no n:1 or 1:n mapping +between channel numbers and frequencies due to multiple different +starting frequencies in different operating classes. This could result +in ieee80211_channel_to_frequency() returning incorrect frequency and +ieee80211_get_channel() returning incorrect channel information (or +indication of no match). In the previous implementation, this could +result in some scan results being dropped completely, e.g., for the 4.9 +GHz channels. That prevented connection to such BSSs. + +Fix this by using the driver-provided channel pointer if +ieee80211_get_channel() does not find matching channel data for the +channel number in the frame payload and if the scan is done with 5 MHz +or 10 MHz channel bandwidth. While doing this, also add comments +describing what the function is trying to achieve to make it easier to +understand what happens here and why. 
+ +Signed-off-by: Jouni Malinen +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 58 ++++++++++++++++++++++++++++++++++++++------- + 1 file changed, 49 insertions(+), 9 deletions(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index f6c5fe482506..5ed0ed0559dc 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -1055,13 +1055,23 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev, + return NULL; + } + ++/* ++ * Update RX channel information based on the available frame payload ++ * information. This is mainly for the 2.4 GHz band where frames can be received ++ * from neighboring channels and the Beacon frames use the DSSS Parameter Set ++ * element to indicate the current (transmitting) channel, but this might also ++ * be needed on other bands if RX frequency does not match with the actual ++ * operating channel of a BSS. ++ */ + static struct ieee80211_channel * + cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen, +- struct ieee80211_channel *channel) ++ struct ieee80211_channel *channel, ++ enum nl80211_bss_scan_width scan_width) + { + const u8 *tmp; + u32 freq; + int channel_number = -1; ++ struct ieee80211_channel *alt_channel; + + tmp = cfg80211_find_ie(WLAN_EID_DS_PARAMS, ie, ielen); + if (tmp && tmp[1] == 1) { +@@ -1075,16 +1085,45 @@ cfg80211_get_bss_channel(struct wiphy *wiphy, const u8 *ie, size_t ielen, + } + } + +- if (channel_number < 0) ++ if (channel_number < 0) { ++ /* No channel information in frame payload */ + return channel; ++ } + + freq = ieee80211_channel_to_frequency(channel_number, channel->band); +- channel = ieee80211_get_channel(wiphy, freq); +- if (!channel) +- return NULL; +- if (channel->flags & IEEE80211_CHAN_DISABLED) ++ alt_channel = ieee80211_get_channel(wiphy, freq); ++ if (!alt_channel) { ++ if (channel->band == NL80211_BAND_2GHZ) { ++ /* ++ * Better not allow unexpected channels when that could ++ * be going beyond the 1-11 range 
(e.g., discovering ++ * BSS on channel 12 when radio is configured for ++ * channel 11. ++ */ ++ return NULL; ++ } ++ ++ /* No match for the payload channel number - ignore it */ ++ return channel; ++ } ++ ++ if (scan_width == NL80211_BSS_CHAN_WIDTH_10 || ++ scan_width == NL80211_BSS_CHAN_WIDTH_5) { ++ /* ++ * Ignore channel number in 5 and 10 MHz channels where there ++ * may not be an n:1 or 1:n mapping between frequencies and ++ * channel numbers. ++ */ ++ return channel; ++ } ++ ++ /* ++ * Use the channel determined through the payload channel number ++ * instead of the RX channel reported by the driver. ++ */ ++ if (alt_channel->flags & IEEE80211_CHAN_DISABLED) + return NULL; +- return channel; ++ return alt_channel; + } + + /* Returned bss is reference counted and must be cleaned up appropriately. */ +@@ -1109,7 +1148,8 @@ cfg80211_inform_bss_data(struct wiphy *wiphy, + (data->signal < 0 || data->signal > 100))) + return NULL; + +- channel = cfg80211_get_bss_channel(wiphy, ie, ielen, data->chan); ++ channel = cfg80211_get_bss_channel(wiphy, ie, ielen, data->chan, ++ data->scan_width); + if (!channel) + return NULL; + +@@ -1207,7 +1247,7 @@ cfg80211_inform_bss_frame_data(struct wiphy *wiphy, + return NULL; + + channel = cfg80211_get_bss_channel(wiphy, mgmt->u.beacon.variable, +- ielen, data->chan); ++ ielen, data->chan, data->scan_width); + if (!channel) + return NULL; + +-- +2.17.1 + diff --git a/queue-4.14/cfg80211-fix-use-after-free-in-reg_process_hint.patch b/queue-4.14/cfg80211-fix-use-after-free-in-reg_process_hint.patch new file mode 100644 index 00000000000..03fc8779c04 --- /dev/null +++ b/queue-4.14/cfg80211-fix-use-after-free-in-reg_process_hint.patch 
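Review bot: in cfg80211_get_bss_channel(), the `if (!alt_channel)` branch runs before the `scan_width` test, so on NL80211_BAND_2GHZ a 5 MHz or 10 MHz scan whose payload channel number has no matching channel data still returns NULL and the scan result is dropped; the commit message does not mention this exception to the fallback it describes. Since the channel number is taken from the received frame payload, the comment block above the function should state which of the two sources wins in each case; if dropping is not intended for narrow-band scans on 2.4 GHz, move the `scan_width == NL80211_BSS_CHAN_WIDTH_10 || scan_width == NL80211_BSS_CHAN_WIDTH_5` check above the lookup. Minor: the comment in the 2.4 GHz branch opens a parenthesis at "(e.g., discovering" and never closes it.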
@@ -0,0 +1,107 @@ +From 89abd480dd913a67258467200c70e800aa38978b Mon Sep 17 00:00:00 2001 +From: Yu Zhao +Date: Thu, 27 Sep 2018 17:05:04 -0600 +Subject: cfg80211: fix use-after-free in reg_process_hint() + +[ Upstream commit 1db58529454742f67ebd96e3588315e880b72837 ] + +reg_process_hint_country_ie() can free regulatory_request and return +REG_REQ_ALREADY_SET. We shouldn't use regulatory_request after it's +called. KASAN error was observed when this happens. + +BUG: KASAN: use-after-free in reg_process_hint+0x839/0x8aa [cfg80211] +Read of size 4 at addr ffff8800c430d434 by task kworker/1:3/89 + +Workqueue: events reg_todo [cfg80211] +Call Trace: + dump_stack+0xc1/0x10c + ? _atomic_dec_and_lock+0x1ad/0x1ad + ? _raw_spin_lock_irqsave+0xa0/0xd2 + print_address_description+0x86/0x26f + ? reg_process_hint+0x839/0x8aa [cfg80211] + kasan_report+0x241/0x29b + reg_process_hint+0x839/0x8aa [cfg80211] + reg_todo+0x204/0x5b9 [cfg80211] + process_one_work+0x55f/0x8d0 + ? worker_detach_from_pool+0x1b5/0x1b5 + ? _raw_spin_unlock_irq+0x65/0xdd + ? _raw_spin_unlock_irqrestore+0xf3/0xf3 + worker_thread+0x5dd/0x841 + ? kthread_parkme+0x1d/0x1d + kthread+0x270/0x285 + ? pr_cont_work+0xe3/0xe3 + ? 
rcu_read_unlock_sched_notrace+0xca/0xca + ret_from_fork+0x22/0x40 + +Allocated by task 2718: + set_track+0x63/0xfa + __kmalloc+0x119/0x1ac + regulatory_hint_country_ie+0x38/0x329 [cfg80211] + __cfg80211_connect_result+0x854/0xadd [cfg80211] + cfg80211_rx_assoc_resp+0x3bc/0x4f0 [cfg80211] +smsc95xx v1.0.6 + ieee80211_sta_rx_queued_mgmt+0x1803/0x7ed5 [mac80211] + ieee80211_iface_work+0x411/0x696 [mac80211] + process_one_work+0x55f/0x8d0 + worker_thread+0x5dd/0x841 + kthread+0x270/0x285 + ret_from_fork+0x22/0x40 + +Freed by task 89: + set_track+0x63/0xfa + kasan_slab_free+0x6a/0x87 + kfree+0xdc/0x470 + reg_process_hint+0x31e/0x8aa [cfg80211] + reg_todo+0x204/0x5b9 [cfg80211] + process_one_work+0x55f/0x8d0 + worker_thread+0x5dd/0x841 + kthread+0x270/0x285 + ret_from_fork+0x22/0x40 + + +Signed-off-by: Yu Zhao +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/reg.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/wireless/reg.c b/net/wireless/reg.c +index 6f032c7b8732..bd91de416035 100644 +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -2170,11 +2170,12 @@ static void reg_process_hint(struct regulatory_request *reg_request) + { + struct wiphy *wiphy = NULL; + enum reg_request_treatment treatment; ++ enum nl80211_reg_initiator initiator = reg_request->initiator; + + if (reg_request->wiphy_idx != WIPHY_IDX_INVALID) + wiphy = wiphy_idx_to_wiphy(reg_request->wiphy_idx); + +- switch (reg_request->initiator) { ++ switch (initiator) { + case NL80211_REGDOM_SET_BY_CORE: + treatment = reg_process_hint_core(reg_request); + break; +@@ -2192,7 +2193,7 @@ static void reg_process_hint(struct regulatory_request *reg_request) + treatment = reg_process_hint_country_ie(wiphy, reg_request); + break; + default: +- WARN(1, "invalid initiator %d\n", reg_request->initiator); ++ WARN(1, "invalid initiator %d\n", initiator); + goto out_free; + } + +@@ -2207,7 +2208,7 @@ static void reg_process_hint(struct regulatory_request 
*reg_request) + */ + if (treatment == REG_REQ_ALREADY_SET && wiphy && + wiphy->regulatory_flags & REGULATORY_STRICT_REG) { +- wiphy_update_regulatory(wiphy, reg_request->initiator); ++ wiphy_update_regulatory(wiphy, initiator); + wiphy_all_share_dfs_chan_state(wiphy); + reg_check_channels(); + } +-- +2.17.1 + diff --git a/queue-4.14/cfg80211-reg-init-wiphy_idx-in-regulatory_hint_core.patch b/queue-4.14/cfg80211-reg-init-wiphy_idx-in-regulatory_hint_core.patch new file mode 100644 index 00000000000..1097da62aaa --- /dev/null +++ b/queue-4.14/cfg80211-reg-init-wiphy_idx-in-regulatory_hint_core.patch @@ -0,0 +1,37 @@ +From 842900e4f74ae93b26224ae799c8959b40e0a6dd Mon Sep 17 00:00:00 2001 +From: Andrei Otcheretianski +Date: Wed, 5 Sep 2018 08:06:12 +0300 +Subject: cfg80211: reg: Init wiphy_idx in regulatory_hint_core() + +[ Upstream commit 24f33e64fcd0d50a4b1a8e5b41bd0257aa66b0e8 ] + +Core regulatory hints didn't set wiphy_idx to WIPHY_IDX_INVALID. Since +the regulatory request is zeroed, wiphy_idx was always implicitly set to +0. This resulted in updating only phy #0. +Fix that. + +Fixes: 806a9e39670b ("cfg80211: make regulatory_request use wiphy_idx instead of wiphy") +Signed-off-by: Andrei Otcheretianski +Signed-off-by: Luca Coelho +[add fixes tag] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/reg.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/wireless/reg.c b/net/wireless/reg.c +index 6e94f6934a0e..6f032c7b8732 100644 +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -2384,6 +2384,7 @@ static int regulatory_hint_core(const char *alpha2) + request->alpha2[0] = alpha2[0]; + request->alpha2[1] = alpha2[1]; + request->initiator = NL80211_REGDOM_SET_BY_CORE; ++ request->wiphy_idx = WIPHY_IDX_INVALID; + + queue_regulatory_request(request); + +-- +2.17.1 + 
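Review bot: in reg_process_hint() (the use-after-free fix in net/wireless/reg.c), `initiator` is copied out at its declaration with no comment explaining why, and `reg_request` remains in scope after the reg_process_hint_country_ie() call that can free it. Add a comment at the declaration, along the lines of "reg_request may be freed by the handler, do not dereference it after the switch", so a later edit does not reintroduce a `reg_request->` read on the REG_REQ_ALREADY_SET path. The commit message also carries no Fixes: tag, which makes it harder to tell which stable trees need this backport.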
diff --git a/queue-4.14/cifs-use-ull-suffix-for-64-bit-constant.patch b/queue-4.14/cifs-use-ull-suffix-for-64-bit-constant.patch new file mode 100644 index 00000000000..9b238dbe3e1 --- /dev/null +++ b/queue-4.14/cifs-use-ull-suffix-for-64-bit-constant.patch @@ -0,0 +1,40 @@ +From 7fd5ec500bf76d8e55c7b4f29aa0e9204c2900d6 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Thu, 5 Apr 2018 14:57:11 +0200 +Subject: cifs: Use ULL suffix for 64-bit constant +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 3995bbf53bd2047f2720c6fdd4bf38f6d942a0c0 ] + +On 32-bit (e.g. with m68k-linux-gnu-gcc-4.1): + + fs/cifs/inode.c: In function ‘simple_hashstr’: + fs/cifs/inode.c:713: warning: integer constant is too large for ‘long’ type + +Fixes: 7ea884c77e5c97f1 ("smb3: Fix root directory when server returns inode number of zero") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Steve French +Reviewed-by: Aurelien Aptel +Signed-off-by: Sasha Levin +--- + fs/cifs/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c +index 2cd0b3053439..d01cbca84701 100644 +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -712,7 +712,7 @@ cgfi_exit: + /* Simple function to return a 64 bit hash of string. Rarely called */ + static __u64 simple_hashstr(const char *str) + { +- const __u64 hash_mult = 1125899906842597L; /* a big enough prime */ ++ const __u64 hash_mult = 1125899906842597ULL; /* a big enough prime */ + __u64 hash = 0; + + while (*str) +-- +2.17.1 + diff --git a/queue-4.14/compiler.h-allow-arch-specific-asm-compiler.h.patch b/queue-4.14/compiler.h-allow-arch-specific-asm-compiler.h.patch new file mode 100644 index 00000000000..8c37d9f2750 --- /dev/null +++ b/queue-4.14/compiler.h-allow-arch-specific-asm-compiler.h.patch 
@@ -0,0 +1,120 @@ +From be1c75c407e6c0beedb213c812e707a0fea11959 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Mon, 20 Aug 2018 15:36:17 -0700 +Subject: compiler.h: Allow arch-specific asm/compiler.h + +[ Upstream commit 04f264d3a8b0eb25d378127bd78c3c9a0261c828 ] + +We have a need to override the definition of +barrier_before_unreachable() for MIPS, which means we either need to add +architecture-specific code into linux/compiler-gcc.h or we need to allow +the architecture to provide a header that can define the macro before +the generic definition. The latter seems like the better approach. + +A straightforward approach to the per-arch header is to make use of +asm-generic to provide a default empty header & adjust architectures +which don't need anything specific to make use of that by adding the +header to generic-y. Unfortunately this doesn't work so well due to +commit 28128c61e08e ("kconfig.h: Include compiler types to avoid missed +struct attributes") which caused linux/compiler_types.h to be included +in the compilation of every C file via the -include linux/kconfig.h flag +in c_flags. + +Because the -include flag is present for all C files we compile, we need +the architecture-provided header to be present before any C files are +compiled. If any C files can be compiled prior to the asm-generic header +wrappers being generated then we hit a build failure due to missing +header. Such cases do exist - one pointed out by the kbuild test robot +is the compilation of arch/ia64/kernel/nr-irqs.c, which occurs as part +of the archprepare target [1]. + +This leaves us with a few options: + + 1) Use generic-y & fix any build failures we find by enforcing + ordering such that the asm-generic target occurs before any C + compilation, such that linux/compiler_types.h can always include + the generated asm-generic wrapper which in turn includes the empty + asm-generic header. 
This would rely on us finding all the + problematic cases - I don't know for sure that the ia64 issue is + the only one. + + 2) Add an actual empty header to each architecture, so that we don't + need the generated asm-generic wrapper. This seems messy. + + 3) Give up & add #ifdef CONFIG_MIPS or similar to + linux/compiler_types.h. This seems messy too. + + 4) Include the arch header only when it's actually needed, removing + the need for the asm-generic wrapper for all other architectures. + +This patch allows us to use approach 4, by including an asm/compiler.h +header from linux/compiler_types.h after the inclusion of the +compiler-specific linux/compiler-*.h header(s). We do this +conditionally, only when CONFIG_HAVE_ARCH_COMPILER_H is selected, in +order to avoid the need for asm-generic wrappers & the associated build +ordering issue described above. The asm/compiler.h header is included +after the generic linux/compiler-*.h header(s) for consistency with the +way linux/compiler-intel.h & linux/compiler-clang.h are included after +the linux/compiler-gcc.h header that they override. + +[1] https://lists.01.org/pipermail/kbuild-all/2018-August/051175.html + +Signed-off-by: Paul Burton +Reviewed-by: Masahiro Yamada +Patchwork: https://patchwork.linux-mips.org/patch/20269/ +Cc: Arnd Bergmann +Cc: James Hogan +Cc: Masahiro Yamada +Cc: Ralf Baechle +Cc: linux-arch@vger.kernel.org +Cc: linux-kbuild@vger.kernel.org +Cc: linux-mips@linux-mips.org +Signed-off-by: Sasha Levin +--- + arch/Kconfig | 8 ++++++++ + include/linux/compiler_types.h | 12 ++++++++++++ + 2 files changed, 20 insertions(+) + +diff --git a/arch/Kconfig b/arch/Kconfig +index 40dc31fea90c..77b3e21c4844 100644 +--- a/arch/Kconfig ++++ b/arch/Kconfig +@@ -965,4 +965,12 @@ config REFCOUNT_FULL + against various use-after-free conditions that can be used in + security flaw exploits. 
+ ++config HAVE_ARCH_COMPILER_H ++ bool ++ help ++ An architecture can select this if it provides an ++ asm/compiler.h header that should be included after ++ linux/compiler-*.h in order to override macro definitions that those ++ headers generally provide. ++ + source "kernel/gcov/Kconfig" +diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h +index 6b79a9bba9a7..4be464a07612 100644 +--- a/include/linux/compiler_types.h ++++ b/include/linux/compiler_types.h +@@ -78,6 +78,18 @@ extern void __chk_io_ptr(const volatile void __iomem *); + #include + #endif + ++/* ++ * Some architectures need to provide custom definitions of macros provided ++ * by linux/compiler-*.h, and can do so using asm/compiler.h. We include that ++ * conditionally rather than using an asm-generic wrapper in order to avoid ++ * build failures if any C compilation, which will include this file via an ++ * -include argument in c_flags, occurs prior to the asm-generic wrappers being ++ * generated. ++ */ ++#ifdef CONFIG_HAVE_ARCH_COMPILER_H ++#include ++#endif ++ + /* + * Generic compiler-dependent macros required for kernel + * build go below this comment. Actual compiler/compiler version +-- +2.17.1 + diff --git a/queue-4.14/declance-fix-continuation-with-the-adapter-identific.patch b/queue-4.14/declance-fix-continuation-with-the-adapter-identific.patch new file mode 100644 index 00000000000..0045828605d --- /dev/null +++ b/queue-4.14/declance-fix-continuation-with-the-adapter-identific.patch 
@@ -0,0 +1,71 @@ +From 1cd588ef15a881a487f33f9ecbe724c4d467537d Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Tue, 2 Oct 2018 14:23:45 +0100 +Subject: declance: Fix continuation with the adapter identification message + +[ Upstream commit fe3a83af6a50199bf250fa331e94216912f79395 ] + +Fix a commit 4bcc595ccd80 ("printk: reinstate KERN_CONT for printing +continuation lines") regression with the `declance' driver, which caused +the adapter identification message to be split between two lines, e.g.: + +declance.c: v0.011 by Linux MIPS DECstation task force +tc6: PMAD-AA +, addr = 08:00:2b:1b:2a:6a, irq = 14 +tc6: registered as eth0. + +Address that properly, by printing identification with a single call, +making the messages now look like: + +declance.c: v0.011 by Linux MIPS DECstation task force +tc6: PMAD-AA, addr = 08:00:2b:1b:2a:6a, irq = 14 +tc6: registered as eth0. + +Signed-off-by: Maciej W. Rozycki +Fixes: 4bcc595ccd80 ("printk: reinstate KERN_CONT for printing continuation lines") +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/declance.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/amd/declance.c b/drivers/net/ethernet/amd/declance.c +index 82cc81385033..c7cde58feaf7 100644 +--- a/drivers/net/ethernet/amd/declance.c ++++ b/drivers/net/ethernet/amd/declance.c +@@ -1029,6 +1029,7 @@ static int dec_lance_probe(struct device *bdev, const int type) + int i, ret; + unsigned long esar_base; + unsigned char *esar; ++ const char *desc; + + if (dec_lance_debug && version_printed++ == 0) + printk(version); +@@ -1214,19 +1215,20 @@ static int dec_lance_probe(struct device *bdev, const int type) + */ + switch (type) { + case ASIC_LANCE: +- printk("%s: IOASIC onboard LANCE", name); ++ desc = "IOASIC onboard LANCE"; + break; + case PMAD_LANCE: +- printk("%s: PMAD-AA", name); ++ desc = "PMAD-AA"; + break; + case PMAX_LANCE: +- printk("%s: PMAX onboard LANCE", name); ++ desc = "PMAX onboard LANCE"; + break; + } + for (i = 0; i < 6; i++) + dev->dev_addr[i] = esar[i * 4]; + +- printk(", addr = %pM, irq = %d\n", dev->dev_addr, dev->irq); ++ printk("%s: %s, addr = %pM, irq = %d\n", ++ name, desc, dev->dev_addr, dev->irq); + + dev->netdev_ops = &lance_netdev_ops; + dev->watchdog_timeo = 5*HZ; +-- +2.17.1 + diff --git a/queue-4.14/dm-integrity-fail-early-if-required-hmac-key-is-not-.patch b/queue-4.14/dm-integrity-fail-early-if-required-hmac-key-is-not-.patch new file mode 100644 index 00000000000..7f361d64b96 --- /dev/null +++ b/queue-4.14/dm-integrity-fail-early-if-required-hmac-key-is-not-.patch 
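Review bot: in dec_lance_probe(), `const char *desc;` is declared without an initialiser and the `switch (type)` that assigns it shows no `default:` case, so a `type` value other than ASIC_LANCE, PMAD_LANCE or PMAX_LANCE would reach `printk("%s: %s, addr = %pM, irq = %d\n", ...)` with an indeterminate pointer. Initialise `desc` to a fallback string or add a default case. The merged printk() call also still has no KERN_ level, which is worth fixing while this line is being rewritten.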
@@ -0,0 +1,41 @@ +From e484c4fe29719f9d789793c7c491b9e17f21fb4e Mon Sep 17 00:00:00 2001 +From: Milan Broz +Date: Tue, 13 Feb 2018 14:50:50 +0100 +Subject: dm integrity: fail early if required HMAC key is not available + +[ Upstream commit e16b4f99f0f79682a7efe191a8ce694d87ca9fc8 ] + +Since crypto API commit 9fa68f62004 ("crypto: hash - prevent using keyed +hashes without setting key") dm-integrity cannot use keyed algorithms +without the key being set. + +The dm-integrity recognizes this too late (during use of HMAC), so it +allows creation and formatting of superblock, but the device is in fact +unusable. + +Fix it by detecting the key requirement in integrity table constructor. + +Signed-off-by: Milan Broz +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-integrity.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c +index 898286ed47a1..b10e4c5641ea 100644 +--- a/drivers/md/dm-integrity.c ++++ b/drivers/md/dm-integrity.c +@@ -2547,6 +2547,9 @@ static int get_mac(struct crypto_shash **hash, struct alg_spec *a, char **error, + *error = error_key; + return r; + } ++ } else if (crypto_shash_get_flags(*hash) & CRYPTO_TFM_NEED_KEY) { ++ *error = error_key; ++ return -ENOKEY; + } + } + +-- +2.17.1 + diff --git a/queue-4.14/enic-do-not-overwrite-error-code.patch b/queue-4.14/enic-do-not-overwrite-error-code.patch new file mode 100644 index 00000000000..8aba0de98dd --- /dev/null +++ b/queue-4.14/enic-do-not-overwrite-error-code.patch 
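Review bot: in get_mac(), the new `else if (crypto_shash_get_flags(*hash) & CRYPTO_TFM_NEED_KEY)` branch sets `*error = error_key`, the same string the branch directly above it returns with, so a table that omits the key and a table whose key was rejected produce the same message and differ only in the errno (-ENOKEY). A dedicated error string for the missing-key case would make the early failure this patch introduces easier to diagnose. A short comment on the branch saying that keyed hashes cannot be used without a key being set would also record why the check lives in the constructor.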
@@ -0,0 +1,49 @@ +From 87a723814f701ecbcbfcef6ffee495c36e783ec0 Mon Sep 17 00:00:00 2001 +From: Govindarajulu Varadarajan +Date: Mon, 18 Jun 2018 10:01:05 -0700 +Subject: enic: do not overwrite error code + +[ Upstream commit 56f772279a762984f6e9ebbf24a7c829faba5712 ] + +In failure path, we overwrite err to what vnic_rq_disable() returns. In +case it returns 0, enic_open() returns success in case of error. + +Reported-by: Ben Hutchings +Fixes: e8588e268509 ("enic: enable rq before updating rq descriptors") +Signed-off-by: Govindarajulu Varadarajan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cisco/enic/enic_main.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c +index 2bfaf3e118b1..03f4fee1bbc9 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -1879,7 +1879,7 @@ static int enic_open(struct net_device *netdev) + { + struct enic *enic = netdev_priv(netdev); + unsigned int i; +- int err; ++ int err, ret; + + err = enic_request_intr(enic); + if (err) { +@@ -1936,10 +1936,9 @@ static int enic_open(struct net_device *netdev) + + err_out_free_rq: + for (i = 0; i < enic->rq_count; i++) { +- err = vnic_rq_disable(&enic->rq[i]); +- if (err) +- return err; +- vnic_rq_clean(&enic->rq[i], enic_free_rq_buf); ++ ret = vnic_rq_disable(&enic->rq[i]); ++ if (!ret) ++ vnic_rq_clean(&enic->rq[i], enic_free_rq_buf); + } + enic_dev_notify_unset(enic); + err_out_free_intr: +-- +2.17.1 + diff --git a/queue-4.14/fs-fat-fatent.c-add-cond_resched-to-fat_count_free_c.patch b/queue-4.14/fs-fat-fatent.c-add-cond_resched-to-fat_count_free_c.patch new file mode 100644 index 00000000000..54e17cb2cd2 --- /dev/null +++ b/queue-4.14/fs-fat-fatent.c-add-cond_resched-to-fat_count_free_c.patch 
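Review bot: in the err_out_free_rq loop of enic_open(), a non-zero `ret` from vnic_rq_disable() is now dropped silently: that queue is skipped by vnic_rq_clean() and nothing is logged, so its buffers stay allocated with no trace of the reason. Keeping `err` intact is right, but the failure should at least be reported, for example with netdev_err() including the queue index `i` and `ret`, and a comment should say why vnic_rq_clean() is not called on a queue that failed to disable.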
@@ -0,0 +1,36 @@ +From a9f45d5e972429fbe1c9fc13997d62e9f94f4727 Mon Sep 17 00:00:00 2001 +From: Khazhismel Kumykov +Date: Fri, 12 Oct 2018 21:34:40 -0700 +Subject: fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters() + +[ Upstream commit ac081c3be3fae6d0cc3e1862507fca3862d30b67 ] + +On non-preempt kernels this loop can take a long time (more than 50 ticks) +processing through entries. + +Link: http://lkml.kernel.org/r/20181010172623.57033-1-khazhy@google.com +Signed-off-by: Khazhismel Kumykov +Acked-by: OGAWA Hirofumi +Reviewed-by: Andrew Morton +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + fs/fat/fatent.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/fat/fatent.c b/fs/fat/fatent.c +index a40f36b1b292..9635df94db7d 100644 +--- a/fs/fat/fatent.c ++++ b/fs/fat/fatent.c +@@ -681,6 +681,7 @@ int fat_count_free_clusters(struct super_block *sb) + if (ops->ent_get(&fatent) == FAT_ENT_FREE) + free++; + } while (fat_ent_next(sbi, &fatent)); ++ cond_resched(); + } + sbi->free_clusters = free; + sbi->free_clus_valid = 1; +-- +2.17.1 + diff --git a/queue-4.14/ib-ipoib-fix-lockdep-issue-found-on-ipoib_ib_dev_hea.patch b/queue-4.14/ib-ipoib-fix-lockdep-issue-found-on-ipoib_ib_dev_hea.patch new file mode 100644 index 00000000000..d8e7410a7e7 --- /dev/null +++ b/queue-4.14/ib-ipoib-fix-lockdep-issue-found-on-ipoib_ib_dev_hea.patch 
@@ -0,0 +1,103 @@ +From 1f2ea7a3a4b710072f70a3abecb6ef3f331b54cf Mon Sep 17 00:00:00 2001 +From: Alex Vesker +Date: Thu, 21 Dec 2017 17:38:27 +0200 +Subject: IB/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush + +[ Upstream commit 1f80bd6a6cc8358b81194e1f5fc16449947396ec ] + +The locking order of vlan_rwsem (LOCK A) and then rtnl (LOCK B), +contradicts other flows such as ipoib_open possibly causing a deadlock. +To prevent this deadlock heavy flush is called with RTNL locked and +only then tries to acquire vlan_rwsem. +This deadlock is possible only when there are child interfaces. + +[ 140.941758] ====================================================== +[ 140.946276] WARNING: possible circular locking dependency detected +[ 140.950950] 4.15.0-rc1+ #9 Tainted: G O +[ 140.954797] ------------------------------------------------------ +[ 140.959424] kworker/u32:1/146 is trying to acquire lock: +[ 140.963450] (rtnl_mutex){+.+.}, at: [] __ipoib_ib_dev_flush+0x2da/0x4e0 [ib_ipoib] +[ 140.970006] +but task is already holding lock: +[ 140.975141] (&priv->vlan_rwsem){++++}, at: [] __ipoib_ib_dev_flush+0x51/0x4e0 [ib_ipoib] +[ 140.982105] +which lock already depends on the new lock. 
+[ 140.990023] +the existing dependency chain (in reverse order) is: +[ 140.998650] +-> #1 (&priv->vlan_rwsem){++++}: +[ 141.005276] down_read+0x4d/0xb0 +[ 141.009560] ipoib_open+0xad/0x120 [ib_ipoib] +[ 141.014400] __dev_open+0xcb/0x140 +[ 141.017919] __dev_change_flags+0x1a4/0x1e0 +[ 141.022133] dev_change_flags+0x23/0x60 +[ 141.025695] devinet_ioctl+0x704/0x7d0 +[ 141.029156] sock_do_ioctl+0x20/0x50 +[ 141.032526] sock_ioctl+0x221/0x300 +[ 141.036079] do_vfs_ioctl+0xa6/0x6d0 +[ 141.039656] SyS_ioctl+0x74/0x80 +[ 141.042811] entry_SYSCALL_64_fastpath+0x1f/0x96 +[ 141.046891] +-> #0 (rtnl_mutex){+.+.}: +[ 141.051701] lock_acquire+0xd4/0x220 +[ 141.055212] __mutex_lock+0x88/0x970 +[ 141.058631] __ipoib_ib_dev_flush+0x2da/0x4e0 [ib_ipoib] +[ 141.063160] __ipoib_ib_dev_flush+0x71/0x4e0 [ib_ipoib] +[ 141.067648] process_one_work+0x1f5/0x610 +[ 141.071429] worker_thread+0x4a/0x3f0 +[ 141.074890] kthread+0x141/0x180 +[ 141.078085] ret_from_fork+0x24/0x30 +[ 141.081559] + +other info that might help us debug this: +[ 141.088967] Possible unsafe locking scenario: +[ 141.094280] CPU0 CPU1 +[ 141.097953] ---- ---- +[ 141.101640] lock(&priv->vlan_rwsem); +[ 141.104771] lock(rtnl_mutex); +[ 141.109207] lock(&priv->vlan_rwsem); +[ 141.114032] lock(rtnl_mutex); +[ 141.116800] + *** DEADLOCK *** + +Fixes: b4b678b06f6e ("IB/ipoib: Grab rtnl lock on heavy flush when calling ndo_open/stop") +Signed-off-by: Alex Vesker +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/ipoib/ipoib_ib.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_ib.c b/drivers/infiniband/ulp/ipoib/ipoib_ib.c +index c97384c914a4..d77e8e2ae05f 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c +@@ -1203,13 +1203,10 @@ static void __ipoib_ib_dev_flush(struct ipoib_dev_priv *priv, + ipoib_ib_dev_down(dev); + + if (level == 
IPOIB_FLUSH_HEAVY) { +- rtnl_lock(); + if (test_bit(IPOIB_FLAG_INITIALIZED, &priv->flags)) + ipoib_ib_dev_stop(dev); + +- result = ipoib_ib_dev_open(dev); +- rtnl_unlock(); +- if (result) ++ if (ipoib_ib_dev_open(dev)) + return; + + if (netif_queue_stopped(dev)) +@@ -1249,7 +1246,9 @@ void ipoib_ib_dev_flush_heavy(struct work_struct *work) + struct ipoib_dev_priv *priv = + container_of(work, struct ipoib_dev_priv, flush_heavy); + ++ rtnl_lock(); + __ipoib_ib_dev_flush(priv, IPOIB_FLUSH_HEAVY, 0); ++ rtnl_unlock(); + } + + void ipoib_ib_dev_cleanup(struct net_device *dev) +-- +2.17.1 + diff --git a/queue-4.14/ib-mlx5-avoid-passing-an-invalid-qp-type-to-firmware.patch b/queue-4.14/ib-mlx5-avoid-passing-an-invalid-qp-type-to-firmware.patch new file mode 100644 index 00000000000..4ac6868fee8 --- /dev/null +++ b/queue-4.14/ib-mlx5-avoid-passing-an-invalid-qp-type-to-firmware.patch 
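Review bot: __ipoib_ib_dev_flush() now depends on its caller holding RTNL whenever `level == IPOIB_FLUSH_HEAVY`, but only ipoib_ib_dev_flush_heavy() is updated in the visible hunks and nothing inside the function states or enforces the new contract. Add ASSERT_RTNL() at the top of the `if (level == IPOIB_FLUSH_HEAVY)` branch, or at least a comment at the function head, so that any other path passing IPOIB_FLUSH_HEAVY without the lock is caught at the call to ipoib_ib_dev_stop()/ipoib_ib_dev_open() instead of showing up as another lockdep report.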
@@ -0,0 +1,60 @@ +From c28f984774a199f061f8cdd3bd40d16f9026265c Mon Sep 17 00:00:00 2001 +From: Noa Osherovich +Date: Sun, 25 Feb 2018 13:39:51 +0200 +Subject: IB/mlx5: Avoid passing an invalid QP type to firmware + +[ Upstream commit e7b169f34403becd3c9fd3b6e46614ab788f2187 ] + +During QP creation, the mlx5 driver translates the QP type to an +internal value which is passed on to FW. There was no check to make +sure that the translated value is valid, and -EINVAL was coerced into +the mailbox command. + +Current firmware refuses this as an invalid QP type, but future/past +firmware may do something else. + +Fixes: 09a7d9eca1a6c ('{net,IB}/mlx5: QP/XRCD commands via mlx5 ifc') +Reviewed-by: Ilya Lesokhin +Signed-off-by: Noa Osherovich +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/qp.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c +index ef9ee6c328a1..dfc190055167 100644 +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ b/drivers/infiniband/hw/mlx5/qp.c +@@ -1527,6 +1527,7 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd, + u32 uidx = MLX5_IB_DEFAULT_UIDX; + struct mlx5_ib_create_qp ucmd; + struct mlx5_ib_qp_base *base; ++ int mlx5_st; + void *qpc; + u32 *in; + int err; +@@ -1535,6 +1536,10 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd, + spin_lock_init(&qp->sq.lock); + spin_lock_init(&qp->rq.lock); + ++ mlx5_st = to_mlx5_st(init_attr->qp_type); ++ if (mlx5_st < 0) ++ return -EINVAL; ++ + if (init_attr->rwq_ind_tbl) { + if (!udata) + return -ENOSYS; +@@ -1688,7 +1693,7 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd, + + qpc = MLX5_ADDR_OF(create_qp_in, in, qpc); + +- MLX5_SET(qpc, qpc, st, to_mlx5_st(init_attr->qp_type)); ++ MLX5_SET(qpc, qpc, st, mlx5_st); + MLX5_SET(qpc, qpc, pm_state, MLX5_QP_PM_MIGRATED); + + if 
(init_attr->qp_type != MLX5_IB_QPT_REG_UMR) +-- +2.17.1 + diff --git a/queue-4.14/ib-rxe-put-the-pool-on-allocation-failure.patch b/queue-4.14/ib-rxe-put-the-pool-on-allocation-failure.patch new file mode 100644 index 00000000000..8fce25f0bb1 --- /dev/null +++ b/queue-4.14/ib-rxe-put-the-pool-on-allocation-failure.patch 
@@ -0,0 +1,60 @@ +From a852796bce1e4bcb58b0f3e10bf77c00dc097e7d Mon Sep 17 00:00:00 2001 +From: Doug Ledford +Date: Mon, 9 Oct 2017 09:11:32 -0400 +Subject: IB/rxe: put the pool on allocation failure + +[ Upstream commit 6b9f8970cd30929cb6b372fa44fa66da9e59c650 ] + +If the allocation of elem fails, it is not sufficient to simply check +for NULL and return. We need to also put our reference on the pool or +else we will leave the pool with a permanent ref count and we will never +be able to free it. + +Fixes: 4831ca9e4a8e ("IB/rxe: check for allocation failure on elem") +Suggested-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_pool.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_pool.c b/drivers/infiniband/sw/rxe/rxe_pool.c +index 3b4916680018..b4a8acc7bb7d 100644 +--- a/drivers/infiniband/sw/rxe/rxe_pool.c ++++ b/drivers/infiniband/sw/rxe/rxe_pool.c +@@ -394,23 +394,25 @@ void *rxe_alloc(struct rxe_pool *pool) + + kref_get(&pool->rxe->ref_cnt); + +- if (atomic_inc_return(&pool->num_elem) > pool->max_elem) { +- atomic_dec(&pool->num_elem); +- rxe_dev_put(pool->rxe); +- rxe_pool_put(pool); +- return NULL; +- } ++ if (atomic_inc_return(&pool->num_elem) > pool->max_elem) ++ goto out_put_pool; + + elem = kmem_cache_zalloc(pool_cache(pool), + (pool->flags & RXE_POOL_ATOMIC) ? + GFP_ATOMIC : GFP_KERNEL); + if (!elem) +- return NULL; ++ goto out_put_pool; + + elem->pool = pool; + kref_init(&elem->ref_cnt); + + return elem; ++ ++out_put_pool: ++ atomic_dec(&pool->num_elem); ++ rxe_dev_put(pool->rxe); ++ rxe_pool_put(pool); ++ return NULL; + } + + void rxe_elem_release(struct kref *kref) +-- +2.17.1 + diff --git a/queue-4.14/ib-usnic-update-with-bug-fixes-from-core-code.patch b/queue-4.14/ib-usnic-update-with-bug-fixes-from-core-code.patch new file mode 100644 index 00000000000..a0b2247fbf3 --- /dev/null 
+++ b/queue-4.14/ib-usnic-update-with-bug-fixes-from-core-code.patch 
@@ -0,0 +1,184 @@ +From 4f3ae23e0741a5578e4f67d34b6a35c151a2910b Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Wed, 13 Jun 2018 11:19:42 -0600 +Subject: IB/usnic: Update with bug fixes from core code + +[ Upstream commit 43cbd64b1fdc1da89abdad88a022d9e87a98e9c6 ] + +usnic has a modified version of the core codes' ib_umem_get() and +related, and the copy misses many of the bug fixes done over the years: + +Commit bc3e53f682d9 ("mm: distinguish between mlocked and pinned pages") +Commit 87773dd56d54 ("IB: ib_umem_release() should decrement mm->pinned_vm + from ib_umem_get") +Commit 8494057ab5e4 ("IB/uverbs: Prevent integer overflow in ib_umem_get + address arithmetic") +Commit 8abaae62f3fd ("IB/core: disallow registering 0-sized memory region") +Commit 66578b0b2f69 ("IB/core: don't disallow registering region starting + at 0x0") +Commit 53376fedb9da ("RDMA/core: not to set page dirty bit if it's already + set.") +Commit 8e907ed48827 ("IB/umem: Use the correct mm during ib_umem_release") + +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/usnic/usnic_ib_verbs.c | 2 +- + drivers/infiniband/hw/usnic/usnic_uiom.c | 40 ++++++++++++++------ + drivers/infiniband/hw/usnic/usnic_uiom.h | 5 ++- + 3 files changed, 33 insertions(+), 14 deletions(-) + +diff --git a/drivers/infiniband/hw/usnic/usnic_ib_verbs.c b/drivers/infiniband/hw/usnic/usnic_ib_verbs.c +index e4113ef09315..3c3453d213dc 100644 +--- a/drivers/infiniband/hw/usnic/usnic_ib_verbs.c ++++ b/drivers/infiniband/hw/usnic/usnic_ib_verbs.c +@@ -642,7 +642,7 @@ int usnic_ib_dereg_mr(struct ib_mr *ibmr) + + usnic_dbg("va 0x%lx length 0x%zx\n", mr->umem->va, mr->umem->length); + +- usnic_uiom_reg_release(mr->umem, ibmr->pd->uobject->context->closing); ++ usnic_uiom_reg_release(mr->umem, ibmr->uobject->context); + kfree(mr); + return 0; + } +diff --git a/drivers/infiniband/hw/usnic/usnic_uiom.c b/drivers/infiniband/hw/usnic/usnic_uiom.c +index 4381c0a9a873..9dd39daa602b 100644 
+--- a/drivers/infiniband/hw/usnic/usnic_uiom.c ++++ b/drivers/infiniband/hw/usnic/usnic_uiom.c +@@ -41,6 +41,7 @@ + #include + #include + #include ++#include + + #include "usnic_log.h" + #include "usnic_uiom.h" +@@ -88,7 +89,7 @@ static void usnic_uiom_put_pages(struct list_head *chunk_list, int dirty) + for_each_sg(chunk->page_list, sg, chunk->nents, i) { + page = sg_page(sg); + pa = sg_phys(sg); +- if (dirty) ++ if (!PageDirty(page) && dirty) + set_page_dirty_lock(page); + put_page(page); + usnic_dbg("pa: %pa\n", &pa); +@@ -114,6 +115,16 @@ static int usnic_uiom_get_pages(unsigned long addr, size_t size, int writable, + dma_addr_t pa; + unsigned int gup_flags; + ++ /* ++ * If the combination of the addr and size requested for this memory ++ * region causes an integer overflow, return error. ++ */ ++ if (((addr + size) < addr) || PAGE_ALIGN(addr + size) < (addr + size)) ++ return -EINVAL; ++ ++ if (!size) ++ return -EINVAL; ++ + if (!can_do_mlock()) + return -EPERM; + +@@ -127,7 +138,7 @@ static int usnic_uiom_get_pages(unsigned long addr, size_t size, int writable, + + down_write(¤t->mm->mmap_sem); + +- locked = npages + current->mm->locked_vm; ++ locked = npages + current->mm->pinned_vm; + lock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT; + + if ((locked > lock_limit) && !capable(CAP_IPC_LOCK)) { +@@ -143,7 +154,7 @@ static int usnic_uiom_get_pages(unsigned long addr, size_t size, int writable, + ret = 0; + + while (npages) { +- ret = get_user_pages(cur_base, ++ ret = get_user_pages_longterm(cur_base, + min_t(unsigned long, npages, + PAGE_SIZE / sizeof(struct page *)), + gup_flags, page_list, NULL); +@@ -186,7 +197,7 @@ out: + if (ret < 0) + usnic_uiom_put_pages(chunk_list, 0); + else +- current->mm->locked_vm = locked; ++ current->mm->pinned_vm = locked; + + up_write(¤t->mm->mmap_sem); + free_page((unsigned long) page_list); +@@ -420,18 +431,22 @@ out_free_uiomr: + return ERR_PTR(err); + } + +-void usnic_uiom_reg_release(struct usnic_uiom_reg *uiomr, int 
closing) ++void usnic_uiom_reg_release(struct usnic_uiom_reg *uiomr, ++ struct ib_ucontext *ucontext) + { ++ struct task_struct *task; + struct mm_struct *mm; + unsigned long diff; + + __usnic_uiom_reg_release(uiomr->pd, uiomr, 1); + +- mm = get_task_mm(current); +- if (!mm) { +- kfree(uiomr); +- return; +- } ++ task = get_pid_task(ucontext->tgid, PIDTYPE_PID); ++ if (!task) ++ goto out; ++ mm = get_task_mm(task); ++ put_task_struct(task); ++ if (!mm) ++ goto out; + + diff = PAGE_ALIGN(uiomr->length + uiomr->offset) >> PAGE_SHIFT; + +@@ -443,7 +458,7 @@ void usnic_uiom_reg_release(struct usnic_uiom_reg *uiomr, int closing) + * up here and not be able to take the mmap_sem. In that case + * we defer the vm_locked accounting to the system workqueue. + */ +- if (closing) { ++ if (ucontext->closing) { + if (!down_write_trylock(&mm->mmap_sem)) { + INIT_WORK(&uiomr->work, usnic_uiom_reg_account); + uiomr->mm = mm; +@@ -455,9 +470,10 @@ void usnic_uiom_reg_release(struct usnic_uiom_reg *uiomr, int closing) + } else + down_write(&mm->mmap_sem); + +- current->mm->locked_vm -= diff; ++ mm->pinned_vm -= diff; + up_write(&mm->mmap_sem); + mmput(mm); ++out: + kfree(uiomr); + } + +diff --git a/drivers/infiniband/hw/usnic/usnic_uiom.h b/drivers/infiniband/hw/usnic/usnic_uiom.h +index 431efe4143f4..8c096acff123 100644 +--- a/drivers/infiniband/hw/usnic/usnic_uiom.h ++++ b/drivers/infiniband/hw/usnic/usnic_uiom.h +@@ -39,6 +39,8 @@ + + #include "usnic_uiom_interval_tree.h" + ++struct ib_ucontext; ++ + #define USNIC_UIOM_READ (1) + #define USNIC_UIOM_WRITE (2) + +@@ -89,7 +91,8 @@ void usnic_uiom_free_dev_list(struct device **devs); + struct usnic_uiom_reg *usnic_uiom_reg_get(struct usnic_uiom_pd *pd, + unsigned long addr, size_t size, + int access, int dmasync); +-void usnic_uiom_reg_release(struct usnic_uiom_reg *uiomr, int closing); ++void usnic_uiom_reg_release(struct usnic_uiom_reg *uiomr, ++ struct ib_ucontext *ucontext); + int usnic_uiom_init(char *drv_name); + void 
usnic_uiom_fini(void); + #endif /* USNIC_UIOM_H_ */ +-- +2.17.1 + diff --git a/queue-4.14/iio-buffer-fix-the-function-signature-to-match-imple.patch b/queue-4.14/iio-buffer-fix-the-function-signature-to-match-imple.patch new file mode 100644 index 00000000000..fa58f106fd7 --- /dev/null +++ b/queue-4.14/iio-buffer-fix-the-function-signature-to-match-imple.patch @@ -0,0 +1,34 @@ +From 0d9f767b1f71a1a8d1d82fc80a004a3168f6ee99 Mon Sep 17 00:00:00 2001 +From: Phil Reid +Date: Tue, 5 Jun 2018 14:15:10 +0800 +Subject: iio: buffer: fix the function signature to match implementation + +[ Upstream commit 92397a6c38d139d50fabbe9e2dc09b61d53b2377 ] + +linux/iio/buffer-dma.h was not updated to when length was changed to +unsigned int. + +Fixes: c043ec1ca5ba ("iio:buffer: make length types match kfifo types") +Signed-off-by: Phil Reid +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + include/linux/iio/buffer-dma.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/iio/buffer-dma.h b/include/linux/iio/buffer-dma.h +index 767467d886de..67c75372b691 100644 +--- a/include/linux/iio/buffer-dma.h ++++ b/include/linux/iio/buffer-dma.h +@@ -141,7 +141,7 @@ int iio_dma_buffer_read(struct iio_buffer *buffer, size_t n, + char __user *user_buffer); + size_t iio_dma_buffer_data_available(struct iio_buffer *buffer); + int iio_dma_buffer_set_bytes_per_datum(struct iio_buffer *buffer, size_t bpd); +-int iio_dma_buffer_set_length(struct iio_buffer *buffer, int length); ++int iio_dma_buffer_set_length(struct iio_buffer *buffer, unsigned int length); + int iio_dma_buffer_request_update(struct iio_buffer *buffer); + + int iio_dma_buffer_init(struct iio_dma_buffer_queue *queue, +-- +2.17.1 + diff --git a/queue-4.14/iwlwifi-dbg-allow-wrt-collection-before-alive.patch b/queue-4.14/iwlwifi-dbg-allow-wrt-collection-before-alive.patch new file mode 100644 index 00000000000..700ddd7f6e5 --- /dev/null 
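Review bot: In ib-usnic-update-with-bug-fixes-from-core-code.patch, usnic_uiom_get_pages() and usnic_uiom_reg_release() now account in mm->pinned_vm, but no hunk touches usnic_uiom_reg_account(), the work item queued by INIT_WORK() when down_write_trylock() fails on the closing path. Please confirm that the deferred worker also subtracts from pinned_vm; if it still adjusts locked_vm, a release that takes the deferred path leaves both counters out of step with what was charged at registration. The unchanged comment above `if (ucontext->closing)` still says "vm_locked accounting" and should be updated in the same patch.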
+++ b/queue-4.14/iwlwifi-dbg-allow-wrt-collection-before-alive.patch @@ -0,0 +1,46 @@ +From a92b5cd08830b36f17cd65b30bb365f0cf43b4e1 Mon Sep 17 00:00:00 2001 +From: Liad Kaufman +Date: Tue, 31 Oct 2017 15:54:50 +0200 +Subject: iwlwifi: dbg: allow wrt collection before ALIVE + +[ Upstream commit dfd4b08cf44f27587e2053e006e43a1603328006 ] + +Even if no ALIVE was received, the WRT data can still +be collected. Add this. + +Signed-off-by: Liad Kaufman +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c +index 2fa7ec466275..839010417241 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c +@@ -950,7 +950,20 @@ int iwl_fw_dbg_collect_desc(struct iwl_fw_runtime *fwrt, + if (trigger) + delay = msecs_to_jiffies(le32_to_cpu(trigger->stop_delay)); + +- if (WARN(fwrt->trans->state == IWL_TRANS_NO_FW, ++ /* ++ * If the loading of the FW completed successfully, the next step is to ++ * get the SMEM config data. Thus, if fwrt->smem_cfg.num_lmacs is non ++ * zero, the FW was already loaded successully. If the state is "NO_FW" ++ * in such a case - WARN and exit, since FW may be dead. Otherwise, we ++ * can try to collect the data, since FW might just not be fully ++ * loaded (no "ALIVE" yet), and the debug data is accessible. ++ * ++ * Corner case: got the FW alive but crashed before getting the SMEM ++ * config. In such a case, due to HW access problems, we might ++ * collect garbage. ++ */ ++ if (WARN((fwrt->trans->state == IWL_TRANS_NO_FW) && ++ fwrt->smem_cfg.num_lmacs, + "Can't collect dbg data when FW isn't alive\n")) + return -EIO; + +-- +2.17.1 + 
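Review bot: In iwlwifi-dbg-allow-wrt-collection-before-alive.patch, the new WARN condition in iwl_fw_dbg_collect_desc() treats a non-zero fwrt->smem_cfg.num_lmacs as proof that the firmware had loaded, which only holds if that field is cleared whenever the firmware is stopped or reloaded. Nothing in this hunk resets it, so please point to where that happens or add the reset; otherwise a value left over from an earlier load sends a collection attempt made before ALIVE on the next load down the WARN and -EIO path again. Also, "successully" in the new comment should read "successfully".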
diff --git a/queue-4.14/iwlwifi-fix-the-alive-notification-layout.patch b/queue-4.14/iwlwifi-fix-the-alive-notification-layout.patch new file mode 100644 index 00000000000..2e28abda681 --- /dev/null +++ b/queue-4.14/iwlwifi-fix-the-alive-notification-layout.patch @@ -0,0 +1,46 @@ +From f47dee2a37c910dbf4c6dbc22b09b1221ad95f2a Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Tue, 7 Nov 2017 23:54:17 +0200 +Subject: iwlwifi: fix the ALIVE notification layout + +[ Upstream commit 5cd2d8fc6c6bca979ac5dd8ad0e41153f1f982f9 ] + +The ucode_major and ucode_minor were swapped. This has +no practical consequences since those fields are not used. +Same goes for umac_major and umac_minor which were only +printed under certain debug flags. + +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/fw/api/alive.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/api/alive.h b/drivers/net/wireless/intel/iwlwifi/fw/api/alive.h +index 3684a3e180e5..007bfe7656a4 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/api/alive.h ++++ b/drivers/net/wireless/intel/iwlwifi/fw/api/alive.h +@@ -95,8 +95,8 @@ enum { + #define IWL_ALIVE_FLG_RFKILL BIT(0) + + struct iwl_lmac_alive { +- __le32 ucode_minor; + __le32 ucode_major; ++ __le32 ucode_minor; + u8 ver_subtype; + u8 ver_type; + u8 mac; +@@ -113,8 +113,8 @@ struct iwl_lmac_alive { + } __packed; /* UCODE_ALIVE_NTFY_API_S_VER_3 */ + + struct iwl_umac_alive { +- __le32 umac_minor; /* UMAC version: minor */ + __le32 umac_major; /* UMAC version: major */ ++ __le32 umac_minor; /* UMAC version: minor */ + __le32 error_info_addr; /* SRAM address for UMAC error log */ + __le32 dbg_print_buff_addr; + } __packed; /* UMAC_ALIVE_DATA_API_S_VER_2 */ +-- +2.17.1 + 
diff --git a/queue-4.14/iwlwifi-mvm-check-for-short-gi-only-for-ofdm.patch b/queue-4.14/iwlwifi-mvm-check-for-short-gi-only-for-ofdm.patch new file mode 100644 index 00000000000..6a46dad5032 --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-check-for-short-gi-only-for-ofdm.patch 
@@ -0,0 +1,49 @@ +From 00323326d0b80aa9bc116c93f10c596c2440e8d1 Mon Sep 17 00:00:00 2001 +From: Sara Sharon +Date: Sun, 29 Oct 2017 10:46:39 +0200 +Subject: iwlwifi: mvm: check for short GI only for OFDM + +[ Upstream commit 4c59ff5a9a9c54cc26c807dc2fa6933f7e9fa4ef ] + +This bit will be used in CCK to indicate short preamble. + +Signed-off-by: Sara Sharon +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/rx.c | 3 ++- + drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 4 +++- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rx.c b/drivers/net/wireless/intel/iwlwifi/mvm/rx.c +index 2d14a58cbdd7..c73e4be9bde3 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rx.c +@@ -439,7 +439,8 @@ void iwl_mvm_rx_rx_mpdu(struct iwl_mvm *mvm, struct napi_struct *napi, + rx_status->bw = RATE_INFO_BW_160; + break; + } +- if (rate_n_flags & RATE_MCS_SGI_MSK) ++ if (!(rate_n_flags & RATE_MCS_CCK_MSK) && ++ rate_n_flags & RATE_MCS_SGI_MSK) + rx_status->enc_flags |= RX_ENC_FLAG_SHORT_GI; + if (rate_n_flags & RATE_HT_MCS_GF_MSK) + rx_status->enc_flags |= RX_ENC_FLAG_HT_GF; +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c +index e2196dc35dc6..8ba8c70571fb 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c +@@ -981,7 +981,9 @@ void iwl_mvm_rx_mpdu_mq(struct iwl_mvm *mvm, struct napi_struct *napi, + rx_status->bw = RATE_INFO_BW_160; + break; + } +- if (rate_n_flags & RATE_MCS_SGI_MSK) ++ ++ if (!(rate_n_flags & RATE_MCS_CCK_MSK) && ++ rate_n_flags & RATE_MCS_SGI_MSK) + rx_status->enc_flags |= RX_ENC_FLAG_SHORT_GI; + if (rate_n_flags & RATE_HT_MCS_GF_MSK) + rx_status->enc_flags |= RX_ENC_FLAG_HT_GF; +-- +2.17.1 + 
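Review bot: In iwlwifi-mvm-check-for-short-gi-only-for-ofdm.patch, the new condition in iwl_mvm_rx_rx_mpdu() and iwl_mvm_rx_mpdu_mq() carries no comment saying why CCK is excluded; the only explanation (the bit indicates short preamble for CCK) lives in the changelog. Add a one-line comment at both sites, and parenthesise the second operand as `(rate_n_flags & RATE_MCS_SGI_MSK)` to match the first. The same test is duplicated in rx.c and rxmq.c, so a small shared helper would keep the two from drifting, and the rxmq.c hunk adds a blank line that the rx.c hunk does not.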
diff --git a/queue-4.14/kbuild-set-no-integrated-as-before-incl.-arch-makefi.patch b/queue-4.14/kbuild-set-no-integrated-as-before-incl.-arch-makefi.patch new file mode 100644 index 00000000000..94f8c33208e --- /dev/null +++ b/queue-4.14/kbuild-set-no-integrated-as-before-incl.-arch-makefi.patch @@ -0,0 +1,44 @@ +From 0c174e427f62b739835b3e78923ef30b9466bebe Mon Sep 17 00:00:00 2001 +From: Stefan Agner +Date: Mon, 19 Mar 2018 22:12:53 +0100 +Subject: kbuild: set no-integrated-as before incl. arch Makefile + +[ Upstream commit 0f0e8de334c54c38818a4a5390a39aa09deff5bf ] + +In order to make sure compiler flag detection for ARM works +correctly the no-integrated-as flags need to be set before +including the arch specific Makefile. + +Fixes: cfe17c9bbe6a ("kbuild: move cc-option and cc-disable-warning after incl. arch Makefile") +Signed-off-by: Stefan Agner +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Makefile b/Makefile +index 16d1a18496fb..8cc08595b760 100644 +--- a/Makefile ++++ b/Makefile +@@ -487,6 +487,8 @@ CLANG_GCC_TC := --gcc-toolchain=$(GCC_TOOLCHAIN) + endif + KBUILD_CFLAGS += $(CLANG_TARGET) $(CLANG_GCC_TC) + KBUILD_AFLAGS += $(CLANG_TARGET) $(CLANG_GCC_TC) ++KBUILD_CFLAGS += $(call cc-option, -no-integrated-as) ++KBUILD_AFLAGS += $(call cc-option, -no-integrated-as) + endif + + RETPOLINE_CFLAGS_GCC := -mindirect-branch=thunk-extern -mindirect-branch-register +@@ -721,8 +723,6 @@ KBUILD_CFLAGS += $(call cc-disable-warning, tautological-compare) + # See modpost pattern 2 + KBUILD_CFLAGS += $(call cc-option, -mno-global-merge,) + KBUILD_CFLAGS += $(call cc-option, -fcatch-undefined-behavior) +-KBUILD_CFLAGS += $(call cc-option, -no-integrated-as) +-KBUILD_AFLAGS += $(call cc-option, -no-integrated-as) + else + + # These warnings generated too much noise in a regular build. +-- +2.17.1 + 
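Review bot: In kbuild-set-no-integrated-as-before-incl.-arch-makefi.patch, the two `$(call cc-option, -no-integrated-as)` lines now sit in the clang block at the first hunk, ahead of the arch Makefile include, while the commit named in Fixes: moved cc-option calls after that include. The changelog should state why cc-option is safe to evaluate at this earlier point, and a short comment above the two lines saying they must stay before the arch Makefile would stop a later cleanup from moving them back down.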
diff --git a/queue-4.14/kconfig-fix-the-rule-of-mainmenu_stmt-symbol.patch b/queue-4.14/kconfig-fix-the-rule-of-mainmenu_stmt-symbol.patch new file mode 100644 index 00000000000..1ede628695f --- /dev/null +++ b/queue-4.14/kconfig-fix-the-rule-of-mainmenu_stmt-symbol.patch @@ -0,0 +1,46 @@ +From 513949532d2b504c1ae4877d24dc49651dfb81e2 Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Thu, 9 Aug 2018 15:47:06 +0900 +Subject: kconfig: fix the rule of mainmenu_stmt symbol + +[ Upstream commit 56869d45e364244a721de34ce9c5dc9ed022779e ] + +The rule of mainmenu_stmt does not have debug print of zconf_lineno(), +but if it had, it would print a wrong line number for the same reason +as commit b2d00d7c61c8 ("kconfig: fix line numbers for if-entries in +menu tree"). + +The mainmenu_stmt does not need to eat following empty lines because +they are reduced to common_stmt. + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/zconf.y | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/scripts/kconfig/zconf.y b/scripts/kconfig/zconf.y +index 126e3f2e1ed7..2b0adeb5fc42 100644 +--- a/scripts/kconfig/zconf.y ++++ b/scripts/kconfig/zconf.y +@@ -31,7 +31,7 @@ struct symbol *symbol_hash[SYMBOL_HASHSIZE]; + static struct menu *current_menu, *current_entry; + + %} +-%expect 31 ++%expect 30 + + %union + { +@@ -112,7 +112,7 @@ start: mainmenu_stmt stmt_list | no_mainmenu_stmt stmt_list; + + /* mainmenu entry */ + +-mainmenu_stmt: T_MAINMENU prompt nl ++mainmenu_stmt: T_MAINMENU prompt T_EOL + { + menu_add_prompt(P_MENU, $2, NULL); + }; +-- +2.17.1 + diff --git a/queue-4.14/kvm-x86-update-the-exit_qualification-access-bits-wh.patch b/queue-4.14/kvm-x86-update-the-exit_qualification-access-bits-wh.patch new file mode 100644 index 00000000000..05333838d8f --- /dev/null +++ b/queue-4.14/kvm-x86-update-the-exit_qualification-access-bits-wh.patch 
@@ -0,0 +1,109 @@ +From 28c096e07e581289f13d45750fc24c948f3516cc Mon Sep 17 00:00:00 2001 +From: KarimAllah Ahmed +Date: Wed, 28 Feb 2018 19:06:48 +0100 +Subject: KVM: x86: Update the exit_qualification access bits while walking an + address +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit ddd6f0e94d3153951580d5b88b9d97c7e26a0e00 ] + +... to avoid having a stale value when handling an EPT misconfig for MMIO +regions. + +MMIO regions that are not passed-through to the guest are handled through +EPT misconfigs. The first time a certain MMIO page is touched it causes an +EPT violation, then KVM marks the EPT entry to cause an EPT misconfig +instead. Any subsequent accesses to the entry will generate an EPT +misconfig. + +Things gets slightly complicated with nested guest handling for MMIO +regions that are not passed through from L0 (i.e. emulated by L0 +user-space). + +An EPT violation for one of these MMIO regions from L2, exits to L0 +hypervisor. L0 would then look at the EPT12 mapping for L1 hypervisor and +realize it is not present (or not sufficient to serve the request). Then L0 +injects an EPT violation to L1. L1 would then update its EPT mappings. The +EXIT_QUALIFICATION value for L1 would come from exit_qualification variable +in "struct vcpu". The problem is that this variable is only updated on EPT +violation and not on EPT misconfig. So if an EPT violation because of a +read happened first, then an EPT misconfig because of a write happened +afterwards. The L0 hypervisor will still contain exit_qualification value +from the previous read instead of the write and end up injecting an EPT +violation to the L1 hypervisor with an out of date EXIT_QUALIFICATION. + +The EPT violation that is injected from L0 to L1 needs to have the correct +EXIT_QUALIFICATION specially for the access bits because the individual +access bits for MMIO EPTs are updated only on actual access of this +specific type. 
So for the example above, the L1 hypervisor will keep +updating only the read bit in the EPT then resume the L2 guest. The L2 +guest would end up causing another exit where the L0 *again* will inject +another EPT violation to L1 hypervisor with *again* an out of date +exit_qualification which indicates a read and not a write. Then this +ping-pong just keeps happening without making any forward progress. + +The behavior of mapping MMIO regions changed in: + + commit a340b3e229b24 ("kvm: Map PFN-type memory regions as writable (if possible)") + +... where an EPT violation for a read would also fixup the write bits to +avoid another EPT violation which by acciddent would fix the bug mentioned +above. + +This commit fixes this situation and ensures that the access bits for the +exit_qualifcation is up to date. That ensures that even L1 hypervisor +running with a KVM version before the commit mentioned above would still +work. + +( The description above assumes EPT to be available and used by L1 + hypervisor + the L1 hypervisor is passing through the MMIO region to the L2 + guest while this MMIO region is emulated by the L0 user-space ). + +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: H. Peter Anvin +Cc: x86@kernel.org +Cc: kvm@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: KarimAllah Ahmed +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/paging_tmpl.h | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h +index 5abae72266b7..6288e9d7068e 100644 +--- a/arch/x86/kvm/paging_tmpl.h ++++ b/arch/x86/kvm/paging_tmpl.h +@@ -452,14 +452,21 @@ error: + * done by is_rsvd_bits_set() above. + * + * We set up the value of exit_qualification to inject: +- * [2:0] - Derive from [2:0] of real exit_qualification at EPT violation ++ * [2:0] - Derive from the access bits. 
The exit_qualification might be ++ * out of date if it is serving an EPT misconfiguration. + * [5:3] - Calculated by the page walk of the guest EPT page tables + * [7:8] - Derived from [7:8] of real exit_qualification + * + * The other bits are set to 0. + */ + if (!(errcode & PFERR_RSVD_MASK)) { +- vcpu->arch.exit_qualification &= 0x187; ++ vcpu->arch.exit_qualification &= 0x180; ++ if (write_fault) ++ vcpu->arch.exit_qualification |= EPT_VIOLATION_ACC_WRITE; ++ if (user_fault) ++ vcpu->arch.exit_qualification |= EPT_VIOLATION_ACC_READ; ++ if (fetch_fault) ++ vcpu->arch.exit_qualification |= EPT_VIOLATION_ACC_INSTR; + vcpu->arch.exit_qualification |= (pte_access & 0x7) << 3; + } + #endif +-- +2.17.1 + diff --git a/queue-4.14/l2tp-remove-configurable-payload-offset.patch b/queue-4.14/l2tp-remove-configurable-payload-offset.patch new file mode 100644 index 00000000000..51cde6a9989 --- /dev/null +++ b/queue-4.14/l2tp-remove-configurable-payload-offset.patch 
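Review bot: In kvm-x86-update-the-exit_qualification-access-bits-wh.patch, the paging_tmpl.h hunk sets EPT_VIOLATION_ACC_READ when user_fault is true, and nothing in the hunk explains why a user-mode fault flag stands for a read access during the EPT walk. Add a comment at `if (user_fault)` stating that mapping, since a reader will otherwise take it for a mistake. The mask change from 0x187 to 0x180 would read better with named constants than a bare literal, and the comment's "[7:8]" range is written low-to-high, unlike "[2:0]" and "[5:3]" next to it.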
@@ -0,0 +1,154 @@ +From bf762feae7ea6a3a0bcf7ba59f1458c25833ee78 Mon Sep 17 00:00:00 2001 +From: James Chapman +Date: Wed, 3 Jan 2018 22:48:06 +0000 +Subject: l2tp: remove configurable payload offset + +[ Upstream commit 900631ee6a2651dc4fbaecb8ef9fa5f1e3378853 ] + +If L2TP_ATTR_OFFSET is set to a non-zero value in L2TPv3 tunnels, it +results in L2TPv3 packets being transmitted which might not be +compliant with the L2TPv3 RFC. This patch has l2tp ignore the offset +setting and send all packets with no offset. + +In more detail: + +L2TPv2 supports a variable offset from the L2TPv2 header to the +payload. The offset value is indicated by an optional field in the +L2TP header. Our L2TP implementation already detects the presence of +the optional offset and skips that many bytes when handling data +received packets. All transmitted packets are always transmitted with +no offset. + +L2TPv3 has no optional offset field in the L2TPv3 packet +header. Instead, L2TPv3 defines optional fields in a "Layer-2 Specific +Sublayer". At the time when the original L2TP code was written, there +was talk at IETF of offset being implemented in a new Layer-2 Specific +Sublayer. A L2TP_ATTR_OFFSET netlink attribute was added so that this +offset could be configured and the intention was to allow it to be +also used to set the tx offset for L2TPv2. However, no L2TPv3 offset +was ever specified and the L2TP_ATTR_OFFSET parameter was forgotten +about. + +Setting L2TP_ATTR_OFFSET results in L2TPv3 packets being transmitted +with the specified number of bytes padding between L2TPv3 header and +payload. This is not compliant with L2TPv3 RFC3931. This change +removes the configurable offset altogether while retaining +L2TP_ATTR_OFFSET for backwards compatibility. Any L2TP_ATTR_OFFSET +value is ignored. + +Signed-off-by: James Chapman +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 14 ++++---------- + net/l2tp/l2tp_core.h | 3 --- + net/l2tp/l2tp_debugfs.c | 4 ++-- + net/l2tp/l2tp_netlink.c | 3 --- + 4 files changed, 6 insertions(+), 18 deletions(-) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index 5c87f1d3e525..33ea389ee015 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -808,10 +808,8 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb, + } + } + +- /* Session data offset is handled differently for L2TPv2 and +- * L2TPv3. For L2TPv2, there is an optional 16-bit value in +- * the header. For L2TPv3, the offset is negotiated using AVPs +- * in the session setup control protocol. ++ /* Session data offset is defined only for L2TPv2 and is ++ * indicated by an optional 16-bit value in the header. + */ + if (tunnel->version == L2TP_HDR_VER_2) { + /* If offset bit set, skip it. */ +@@ -819,8 +817,7 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb, + offset = ntohs(*(__be16 *)ptr); + ptr += 2 + offset; + } +- } else +- ptr += session->offset; ++ } + + offset = ptr - optr; + if (!pskb_may_pull(skb, offset)) +@@ -1104,8 +1101,6 @@ static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf) + } + bufp += session->l2specific_len; + } +- if (session->offset) +- bufp += session->offset; + + return bufp - optr; + } +@@ -1779,7 +1774,7 @@ void l2tp_session_set_header_len(struct l2tp_session *session, int version) + if (session->send_seq) + session->hdr_len += 4; + } else { +- session->hdr_len = 4 + session->cookie_len + session->l2specific_len + session->offset; ++ session->hdr_len = 4 + session->cookie_len + session->l2specific_len; + if (session->tunnel->encap == L2TP_ENCAPTYPE_UDP) + session->hdr_len += 4; + } +@@ -1830,7 +1825,6 @@ struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunn + session->recv_seq = cfg->recv_seq; + session->lns_mode = cfg->lns_mode; + 
session->reorder_timeout = cfg->reorder_timeout; +- session->offset = cfg->offset; + session->l2specific_type = cfg->l2specific_type; + session->l2specific_len = cfg->l2specific_len; + session->cookie_len = cfg->cookie_len; +diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h +index 9e2f1fda1b03..0a58c0754526 100644 +--- a/net/l2tp/l2tp_core.h ++++ b/net/l2tp/l2tp_core.h +@@ -59,7 +59,6 @@ struct l2tp_session_cfg { + int debug; /* bitmask of debug message + * categories */ + u16 vlan_id; /* VLAN pseudowire only */ +- u16 offset; /* offset to payload */ + u16 l2specific_len; /* Layer 2 specific length */ + u16 l2specific_type; /* Layer 2 specific type */ + u8 cookie[8]; /* optional cookie */ +@@ -86,8 +85,6 @@ struct l2tp_session { + int cookie_len; + u8 peer_cookie[8]; + int peer_cookie_len; +- u16 offset; /* offset from end of L2TP header +- to beginning of data */ + u16 l2specific_len; + u16 l2specific_type; + u16 hdr_len; +diff --git a/net/l2tp/l2tp_debugfs.c b/net/l2tp/l2tp_debugfs.c +index 53bae54c4d6e..534cad03b9e9 100644 +--- a/net/l2tp/l2tp_debugfs.c ++++ b/net/l2tp/l2tp_debugfs.c +@@ -180,8 +180,8 @@ static void l2tp_dfs_seq_session_show(struct seq_file *m, void *v) + session->lns_mode ? 
"LNS" : "LAC", + session->debug, + jiffies_to_msecs(session->reorder_timeout)); +- seq_printf(m, " offset %hu l2specific %hu/%hu\n", +- session->offset, session->l2specific_type, session->l2specific_len); ++ seq_printf(m, " offset 0 l2specific %hu/%hu\n", ++ session->l2specific_type, session->l2specific_len); + if (session->cookie_len) { + seq_printf(m, " cookie %02x%02x%02x%02x", + session->cookie[0], session->cookie[1], +diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c +index c28223d8092b..001797ce4084 100644 +--- a/net/l2tp/l2tp_netlink.c ++++ b/net/l2tp/l2tp_netlink.c +@@ -549,9 +549,6 @@ static int l2tp_nl_cmd_session_create(struct sk_buff *skb, struct genl_info *inf + } + + if (tunnel->version > 2) { +- if (info->attrs[L2TP_ATTR_OFFSET]) +- cfg.offset = nla_get_u16(info->attrs[L2TP_ATTR_OFFSET]); +- + if (info->attrs[L2TP_ATTR_DATA_SEQ]) + cfg.data_seq = nla_get_u8(info->attrs[L2TP_ATTR_DATA_SEQ]); + +-- +2.17.1 + diff --git a/queue-4.14/lan78xx-check-for-supported-wake-on-lan-modes.patch b/queue-4.14/lan78xx-check-for-supported-wake-on-lan-modes.patch new file mode 100644 index 00000000000..b68afc59260 --- /dev/null +++ b/queue-4.14/lan78xx-check-for-supported-wake-on-lan-modes.patch 
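Review bot: In l2tp-remove-configurable-payload-offset.patch, l2tp_nl_cmd_session_create() now drops L2TP_ATTR_OFFSET without any signal to the caller, and the diffstat touches no header or documentation where the attribute is declared. Please add a comment at the attribute's definition saying it is accepted and ignored, so that userspace authors do not assume a non-zero offset takes effect. In l2tp_debugfs.c the hard-coded "offset 0" is kept only to preserve the output format; a comment saying so would keep it from being removed later as dead text.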
@@ -0,0 +1,50 @@ +From 9d3b098121030d1280b9920f84f8d30333991244 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 28 Sep 2018 16:18:52 -0700 +Subject: lan78xx: Check for supported Wake-on-LAN modes + +[ Upstream commit eb9ad088f96653a26b340f7c447c44cf023d5cdc ] + +The driver supports a fair amount of Wake-on-LAN modes, but is not +checking that the user specified one that is supported. + +Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver") +Signed-off-by: Florian Fainelli +Reviewed-by: Woojung Huh +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/lan78xx.c | 17 ++++------------- + 1 file changed, 4 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c +index 9e3f632e22f1..00ddcaf09014 100644 +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -1375,19 +1375,10 @@ static int lan78xx_set_wol(struct net_device *netdev, + if (ret < 0) + return ret; + +- pdata->wol = 0; +- if (wol->wolopts & WAKE_UCAST) +- pdata->wol |= WAKE_UCAST; +- if (wol->wolopts & WAKE_MCAST) +- pdata->wol |= WAKE_MCAST; +- if (wol->wolopts & WAKE_BCAST) +- pdata->wol |= WAKE_BCAST; +- if (wol->wolopts & WAKE_MAGIC) +- pdata->wol |= WAKE_MAGIC; +- if (wol->wolopts & WAKE_PHY) +- pdata->wol |= WAKE_PHY; +- if (wol->wolopts & WAKE_ARP) +- pdata->wol |= WAKE_ARP; ++ if (wol->wolopts & ~WAKE_ALL) ++ return -EINVAL; ++ ++ pdata->wol = wol->wolopts; + + device_set_wakeup_enable(&dev->udev->dev, (bool)wol->wolopts); + +-- +2.17.1 + diff --git a/queue-4.14/lan78xx-don-t-reset-the-interface-on-open.patch b/queue-4.14/lan78xx-don-t-reset-the-interface-on-open.patch new file mode 100644 index 00000000000..48377082666 --- /dev/null +++ b/queue-4.14/lan78xx-don-t-reset-the-interface-on-open.patch 
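Review bot: In lan78xx-check-for-supported-wake-on-lan-modes.patch, the new `return -EINVAL` in lan78xx_set_wol() comes after the call whose result is checked by the context lines `if (ret < 0) return ret;`, so if that call acquired anything that the end of the function releases, the rejection path now skips the release. Validate wol->wolopts against WAKE_ALL at the top of the function, before anything is acquired, or route the error through the existing release path. The point carries extra weight because the check exists to reject user-specified modes, so this error path is taken whenever an unsupported value is passed in.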
@@ -0,0 +1,41 @@ +From 4da2e724c79fef7cc78a7bdac234c323f4ca861b Mon Sep 17 00:00:00 2001 +From: Phil Elwell +Date: Tue, 10 Apr 2018 13:18:25 +0100 +Subject: lan78xx: Don't reset the interface on open + +[ Upstream commit 47b998653fea4ef69e3e89574956386f262bccca ] + +Commit 92571a1aae40 ("lan78xx: Connect phy early") moves the PHY +initialisation into lan78xx_probe, but lan78xx_open subsequently calls +lan78xx_reset. As well as forcing a second round of link negotiation, +this reset frequently prevents the phy interrupt from being generated +(even though the link is up), rendering the interface unusable. + +Fix this issue by removing the lan78xx_reset call from lan78xx_open. + +Fixes: 92571a1aae40 ("lan78xx: Connect phy early") +Signed-off-by: Phil Elwell +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/lan78xx.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c +index 9e3f632e22f1..a090112880fd 100644 +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -2517,10 +2517,6 @@ static int lan78xx_open(struct net_device *net) + if (ret < 0) + goto out; + +- ret = lan78xx_reset(dev); +- if (ret < 0) +- goto done; +- + phy_start(net->phydev); + + netif_dbg(dev, ifup, dev->net, "phy initialised successfully"); +-- +2.17.1 + diff --git a/queue-4.14/libertas-call-into-generic-suspend-code-before-turni.patch b/queue-4.14/libertas-call-into-generic-suspend-code-before-turni.patch new file mode 100644 index 00000000000..e32582fb8a8 --- /dev/null +++ b/queue-4.14/libertas-call-into-generic-suspend-code-before-turni.patch 
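Review bot: In lan78xx-don-t-reset-the-interface-on-open.patch, the removed block in lan78xx_open() held the only `goto done` visible in this hunk, while the surviving error check just above it uses `goto out`. Check whether the `done:` label still has a user after this change and drop it if not, otherwise the build gains an unused-label warning.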
@@ -0,0 +1,40 @@ +From 23f250873edd991257f1c044ae0c8eb11ca66e04 Mon Sep 17 00:00:00 2001 +From: Daniel Mack +Date: Mon, 8 Oct 2018 22:03:57 +0200 +Subject: libertas: call into generic suspend code before turning off power + +[ Upstream commit 4f666675cdff0b986195413215eb062b7da6586f ] + +When powering down a SDIO connected card during suspend, make sure to call +into the generic lbs_suspend() function before pulling the plug. This will +make sure the card is successfully deregistered from the system to avoid +communication to the card starving out. + +Fixes: 7444a8092906 ("libertas: fix suspend and resume for SDIO connected cards") +Signed-off-by: Daniel Mack +Reviewed-by: Ulf Hansson +Acked-by: Kalle Valo +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/if_sdio.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/marvell/libertas/if_sdio.c b/drivers/net/wireless/marvell/libertas/if_sdio.c +index 43743c26c071..39bf85d0ade0 100644 +--- a/drivers/net/wireless/marvell/libertas/if_sdio.c ++++ b/drivers/net/wireless/marvell/libertas/if_sdio.c +@@ -1317,6 +1317,10 @@ static int if_sdio_suspend(struct device *dev) + if (priv->wol_criteria == EHS_REMOVE_WAKEUP) { + dev_info(dev, "Suspend without wake params -- powering down card\n"); + if (priv->fw_ready) { ++ ret = lbs_suspend(priv); ++ if (ret) ++ return ret; ++ + priv->power_up_on_resume = true; + if_sdio_power_off(card); + } +-- +2.17.1 + diff --git a/queue-4.14/locking-ww_mutex-fix-runtime-warning-in-the-ww-mutex.patch b/queue-4.14/locking-ww_mutex-fix-runtime-warning-in-the-ww-mutex.patch new file mode 100644 index 00000000000..057b62ef535 --- /dev/null +++ b/queue-4.14/locking-ww_mutex-fix-runtime-warning-in-the-ww-mutex.patch 
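Review bot: In if_sdio_suspend() the new `return ret` after a failed lbs_suspend() leaves the function before `priv->power_up_on_resume = true` and if_sdio_power_off(card), so a failed deregistration aborts the suspend with the card still powered. That looks intended, but a comment saying so would help. The resume path taken when power_up_on_resume is set should also be checked for a matching lbs_resume() call, since this hunk only shows the suspend half.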
@@ -0,0 +1,88 @@ +From 60aebe4162958ce04e3558f507b3736297d683f3 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Tue, 2 Oct 2018 14:48:49 -0700 +Subject: locking/ww_mutex: Fix runtime warning in the WW mutex selftest + +[ Upstream commit e4a02ed2aaf447fa849e3254bfdb3b9b01e1e520 ] + +If CONFIG_WW_MUTEX_SELFTEST=y is enabled, booting an image +in an arm64 virtual machine results in the following +traceback if 8 CPUs are enabled: + + DEBUG_LOCKS_WARN_ON(__owner_task(owner) != current) + WARNING: CPU: 2 PID: 537 at kernel/locking/mutex.c:1033 __mutex_unlock_slowpath+0x1a8/0x2e0 + ... + Call trace: + __mutex_unlock_slowpath() + ww_mutex_unlock() + test_cycle_work() + process_one_work() + worker_thread() + kthread() + ret_from_fork() + +If requesting b_mutex fails with -EDEADLK, the error variable +is reassigned to the return value from calling ww_mutex_lock +on a_mutex again. If this call fails, a_mutex is not locked. +It is, however, unconditionally unlocked subsequently, causing +the reported warning. Fix the problem by using two error variables. + +With this change, the selftest still fails as follows: + + cyclic deadlock not resolved, ret[7/8] = -35 + +However, the traceback is gone. 
+ +Signed-off-by: Guenter Roeck +Cc: Chris Wilson +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Will Deacon +Fixes: d1b42b800e5d0 ("locking/ww_mutex: Add kselftests for resolving ww_mutex cyclic deadlocks") +Link: http://lkml.kernel.org/r/1538516929-9734-1-git-send-email-linux@roeck-us.net +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/locking/test-ww_mutex.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/kernel/locking/test-ww_mutex.c b/kernel/locking/test-ww_mutex.c +index 0e4cd64ad2c0..654977862b06 100644 +--- a/kernel/locking/test-ww_mutex.c ++++ b/kernel/locking/test-ww_mutex.c +@@ -260,7 +260,7 @@ static void test_cycle_work(struct work_struct *work) + { + struct test_cycle *cycle = container_of(work, typeof(*cycle), work); + struct ww_acquire_ctx ctx; +- int err; ++ int err, erra = 0; + + ww_acquire_init(&ctx, &ww_class); + ww_mutex_lock(&cycle->a_mutex, &ctx); +@@ -270,17 +270,19 @@ static void test_cycle_work(struct work_struct *work) + + err = ww_mutex_lock(cycle->b_mutex, &ctx); + if (err == -EDEADLK) { ++ err = 0; + ww_mutex_unlock(&cycle->a_mutex); + ww_mutex_lock_slow(cycle->b_mutex, &ctx); +- err = ww_mutex_lock(&cycle->a_mutex, &ctx); ++ erra = ww_mutex_lock(&cycle->a_mutex, &ctx); + } + + if (!err) + ww_mutex_unlock(cycle->b_mutex); +- ww_mutex_unlock(&cycle->a_mutex); ++ if (!erra) ++ ww_mutex_unlock(&cycle->a_mutex); + ww_acquire_fini(&ctx); + +- cycle->result = err; ++ cycle->result = err ?: erra; + } + + static int __test_cycle(unsigned int nthreads) +-- +2.17.1 + diff --git a/queue-4.14/mac80211-always-report-tx-status.patch b/queue-4.14/mac80211-always-report-tx-status.patch new file mode 100644 index 00000000000..cd6cd500094 --- /dev/null +++ b/queue-4.14/mac80211-always-report-tx-status.patch 
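Review bot: In test_cycle_work(), when the re-lock of a_mutex inside the -EDEADLK branch fails, the function records erra and gives up instead of backing off again, which is why the commit message still reports `ret[7/8] = -35`. The unlock imbalance is fixed but the selftest keeps failing. Consider looping (drop b_mutex, take a_mutex with ww_mutex_lock_slow(), retry b_mutex) until both are held, or state in the message that the residual failure is handled in a separate change. A short comment on what err and erra each track would also make `cycle->result = err ?: erra;` easier to read.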
@@ -0,0 +1,50 @@ +From 1f2af8d4c9fae26f03f25c44f28cc8f5b887f9e8 Mon Sep 17 00:00:00 2001 +From: Andrei Otcheretianski +Date: Wed, 5 Sep 2018 08:06:13 +0300 +Subject: mac80211: Always report TX status + +[ Upstream commit 8682250b3c1b75a45feb7452bc413d004cfe3778 ] + +If a frame is dropped for any reason, mac80211 wouldn't report the TX +status back to user space. + +As the user space may rely on the TX_STATUS to kick its state +machines, resends etc, it's better to just report this frame as not +acked instead. + +Signed-off-by: Andrei Otcheretianski +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/status.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/net/mac80211/status.c b/net/mac80211/status.c +index da7427a41529..ccac205e5853 100644 +--- a/net/mac80211/status.c ++++ b/net/mac80211/status.c +@@ -470,11 +470,6 @@ static void ieee80211_report_ack_skb(struct ieee80211_local *local, + if (!skb) + return; + +- if (dropped) { +- dev_kfree_skb_any(skb); +- return; +- } +- + if (info->flags & IEEE80211_TX_INTFL_NL80211_FRAME_TX) { + u64 cookie = IEEE80211_SKB_CB(skb)->ack.cookie; + struct ieee80211_sub_if_data *sdata; +@@ -495,6 +490,8 @@ static void ieee80211_report_ack_skb(struct ieee80211_local *local, + } + rcu_read_unlock(); + ++ dev_kfree_skb_any(skb); ++ } else if (dropped) { + dev_kfree_skb_any(skb); + } else { + /* consumes skb */ +-- +2.17.1 + diff --git a/queue-4.14/mac80211-fix-pending-queue-hang-due-to-tx_drop.patch b/queue-4.14/mac80211-fix-pending-queue-hang-due-to-tx_drop.patch new file mode 100644 index 00000000000..d6c0cb49978 --- /dev/null +++ b/queue-4.14/mac80211-fix-pending-queue-hang-due-to-tx_drop.patch 
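Review bot: In ieee80211_report_ack_skb() a dropped frame with IEEE80211_TX_INTFL_NL80211_FRAME_TX set now reaches the user-space report, but nothing in these two hunks forces the reported status to "not acked" when `dropped` is true, which is what the commit message promises. Make that explicit at the reporting call, or document that callers never pass `dropped` together with a positive ack. The restructured tail now has `dev_kfree_skb_any(skb)` in two adjacent branches; a comment on which branch owns the skb in each case would guard against a later double free.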
@@ -0,0 +1,54 @@ +From 15378144b81b766b5245e1c30c144f5d3aa7941d Mon Sep 17 00:00:00 2001 +From: Bob Copeland +Date: Wed, 5 Sep 2018 06:22:59 -0400 +Subject: mac80211: fix pending queue hang due to TX_DROP +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 6eae4a6c2be387fec41b0d2782c4fffb57159498 ] + +In our environment running lots of mesh nodes, we are seeing the +pending queue hang periodically, with the debugfs queues file showing +lines such as: + + 00: 0x00000000/348 + +i.e. there are a large number of frames but no stop reason set. + +One way this could happen is if queue processing from the pending +tasklet exited early without processing all frames, and without having +some future event (incoming frame, stop reason flag, ...) to reschedule +it. + +Exactly this can occur today if ieee80211_tx() returns false due to +packet drops or power-save buffering in the tx handlers. In the +past, this function would return true in such cases, and the change +to false doesn't seem to be intentional. Fix this case by reverting +to the previous behavior. + +Fixes: bb42f2d13ffc ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue") +Signed-off-by: Bob Copeland +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index d8fddd88bf46..a17a56032a21 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -1837,7 +1837,7 @@ static bool ieee80211_tx(struct ieee80211_sub_if_data *sdata, + sdata->vif.hw_queue[skb_get_queue_mapping(skb)]; + + if (invoke_tx_handlers_early(&tx)) +- return false; ++ return true; + + if (ieee80211_queue_skb(local, sdata, tx.sta, tx.skb)) + return true; +-- +2.17.1 + 
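Review bot: In ieee80211_tx() the meaning of the boolean result is not documented at the changed line, and that is how `return false` slipped in after invoke_tx_handlers_early() in the first place. Add a comment at the new `return true` stating that true means the frame was consumed (dropped or buffered by the handlers) so the pending tasklet keeps draining the queue, and that false is reserved for frames that must stay queued.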
diff --git a/queue-4.14/mac80211-fix-tx-status-reporting-for-ieee80211s.patch b/queue-4.14/mac80211-fix-tx-status-reporting-for-ieee80211s.patch new file mode 100644 index 00000000000..64d84b8ff05 --- /dev/null +++ b/queue-4.14/mac80211-fix-tx-status-reporting-for-ieee80211s.patch 
@@ -0,0 +1,91 @@ +From d13bc605c6a73208ce20ddc99dbcb8481cd134c2 Mon Sep 17 00:00:00 2001 +From: Yuan-Chi Pang +Date: Thu, 6 Sep 2018 16:57:48 +0800 +Subject: mac80211: fix TX status reporting for ieee80211s + +[ Upstream commit c42055105785580563535e6d3143cad95c7ac7ee ] + +TX status reporting to ieee80211s is through ieee80211s_update_metric. +There are two problems about ieee80211s_update_metric: + +1. The purpose is to estimate the fail probability +to a specific link. No need to restrict to data frame. + +2. Current implementation does not work if wireless driver does not +pass tx_status with skb. + +Fix this by removing ieee80211_is_data condition, passing +ieee80211_tx_status directly to ieee80211s_update_metric, and +putting it in both __ieee80211_tx_status and ieee80211_tx_status_ext. + +Signed-off-by: Yuan-Chi Pang +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh.h | 3 ++- + net/mac80211/mesh_hwmp.c | 9 +++------ + net/mac80211/status.c | 4 +++- + 3 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/net/mac80211/mesh.h b/net/mac80211/mesh.h +index 7e5f271e3c30..4f1c61637ce3 100644 +--- a/net/mac80211/mesh.h ++++ b/net/mac80211/mesh.h +@@ -217,7 +217,8 @@ void mesh_rmc_free(struct ieee80211_sub_if_data *sdata); + int mesh_rmc_init(struct ieee80211_sub_if_data *sdata); + void ieee80211s_init(void); + void ieee80211s_update_metric(struct ieee80211_local *local, +- struct sta_info *sta, struct sk_buff *skb); ++ struct sta_info *sta, ++ struct ieee80211_tx_status *st); + void ieee80211_mesh_init_sdata(struct ieee80211_sub_if_data *sdata); + void ieee80211_mesh_teardown_sdata(struct ieee80211_sub_if_data *sdata); + int ieee80211_start_mesh(struct ieee80211_sub_if_data *sdata); +diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c +index 055ea36ff27b..fab0764c315f 100644 +--- a/net/mac80211/mesh_hwmp.c ++++ b/net/mac80211/mesh_hwmp.c +@@ -295,15 +295,12 @@ int mesh_path_error_tx(struct ieee80211_sub_if_data 
*sdata, + } + + void ieee80211s_update_metric(struct ieee80211_local *local, +- struct sta_info *sta, struct sk_buff *skb) ++ struct sta_info *sta, ++ struct ieee80211_tx_status *st) + { +- struct ieee80211_tx_info *txinfo = IEEE80211_SKB_CB(skb); +- struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; ++ struct ieee80211_tx_info *txinfo = st->info; + int failed; + +- if (!ieee80211_is_data(hdr->frame_control)) +- return; +- + failed = !(txinfo->flags & IEEE80211_TX_STAT_ACK); + + /* moving average, scaled to 100. +diff --git a/net/mac80211/status.c b/net/mac80211/status.c +index ccac205e5853..bdf131ed5ce8 100644 +--- a/net/mac80211/status.c ++++ b/net/mac80211/status.c +@@ -797,7 +797,7 @@ static void __ieee80211_tx_status(struct ieee80211_hw *hw, + + rate_control_tx_status(local, sband, status); + if (ieee80211_vif_is_mesh(&sta->sdata->vif)) +- ieee80211s_update_metric(local, sta, skb); ++ ieee80211s_update_metric(local, sta, status); + + if (!(info->flags & IEEE80211_TX_CTL_INJECTED) && acked) + ieee80211_frame_acked(sta, skb); +@@ -958,6 +958,8 @@ void ieee80211_tx_status_ext(struct ieee80211_hw *hw, + } + + rate_control_tx_status(local, sband, status); ++ if (ieee80211_vif_is_mesh(&sta->sdata->vif)) ++ ieee80211s_update_metric(local, sta, status); + } + + if (acked || noack_success) { +-- +2.17.1 + diff --git a/queue-4.14/mac80211-tdls-fix-skb-queue-priority-assignment.patch b/queue-4.14/mac80211-tdls-fix-skb-queue-priority-assignment.patch new file mode 100644 index 00000000000..45c9873d36a --- /dev/null +++ b/queue-4.14/mac80211-tdls-fix-skb-queue-priority-assignment.patch 
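Review bot: In ieee80211s_update_metric() the new `txinfo = st->info` is dereferenced on the next statement (`txinfo->flags`) with no NULL check, and the function is now also called from ieee80211_tx_status_ext(), the path the commit message says may run without an skb. Confirm that `info` is always populated on that path, or return early when it is not. Removing the ieee80211_is_data() filter also means non-data frames now feed the failure average; the header prototype in mesh.h deserves a short kernel-doc line saying the metric counts every frame with a TX status.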
@@ -0,0 +1,55 @@ +From 2c2e5293df6d3b188aedebb20246d85bcecb2f10 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 5 Sep 2018 13:34:02 +0200 +Subject: mac80211: TDLS: fix skb queue/priority assignment + +[ Upstream commit cb59bc14e830028d2244861216df038165d7625d ] + +If the TDLS setup happens over a connection to an AP that +doesn't have QoS, we nevertheless assign a non-zero TID +(skb->priority) and queue mapping, which may confuse us or +drivers later. + +Fix it by just assigning the special skb->priority and then +using ieee80211_select_queue() just like other data frames +would go through. + +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/tdls.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c +index 91093d4a2f84..6e7aa65cf345 100644 +--- a/net/mac80211/tdls.c ++++ b/net/mac80211/tdls.c +@@ -16,6 +16,7 @@ + #include "ieee80211_i.h" + #include "driver-ops.h" + #include "rate.h" ++#include "wme.h" + + /* give usermode some time for retries in setting up the TDLS session */ + #define TDLS_PEER_SETUP_TIMEOUT (15 * HZ) +@@ -1006,14 +1007,13 @@ ieee80211_tdls_prep_mgmt_packet(struct wiphy *wiphy, struct net_device *dev, + switch (action_code) { + case WLAN_TDLS_SETUP_REQUEST: + case WLAN_TDLS_SETUP_RESPONSE: +- skb_set_queue_mapping(skb, IEEE80211_AC_BK); +- skb->priority = 2; ++ skb->priority = 256 + 2; + break; + default: +- skb_set_queue_mapping(skb, IEEE80211_AC_VI); +- skb->priority = 5; ++ skb->priority = 256 + 5; + break; + } ++ skb_set_queue_mapping(skb, ieee80211_select_queue(sdata, skb)); + + /* + * Set the WLAN_TDLS_TEARDOWN flag to indicate a teardown in progress. +-- +2.17.1 + diff --git a/queue-4.14/mac80211_hwsim-do-not-omit-multicast-announce-of-fir.patch b/queue-4.14/mac80211_hwsim-do-not-omit-multicast-announce-of-fir.patch new file mode 100644 index 00000000000..3f08feb72d9 --- /dev/null 
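Review bot: In ieee80211_tdls_prep_mgmt_packet() the new `skb->priority = 256 + 2;` and `skb->priority = 256 + 5;` use an unexplained offset. The commit message calls it "the special skb->priority", but the code gives no hint of what 256 encodes or how ieee80211_select_queue() interprets it. Use a named constant or add a comment beside the two assignments so the value is not mistaken for a TID.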
+++ b/queue-4.14/mac80211_hwsim-do-not-omit-multicast-announce-of-fir.patch @@ -0,0 +1,38 @@ +From c347be5a961bf6de3e769d8c2cb278647b311cfc Mon Sep 17 00:00:00 2001 +From: Martin Willi +Date: Tue, 25 Sep 2018 09:51:02 +0200 +Subject: mac80211_hwsim: do not omit multicast announce of first added radio + +[ Upstream commit 28ef8b49a338dc1844e86b7954cfffc7dfa2660a ] + +The allocation of hwsim radio identifiers uses a post-increment from 0, +so the first radio has idx 0. This idx is explicitly excluded from +multicast announcements ever since, but it is unclear why. + +Drop that idx check and announce the first radio as well. This makes +userspace happy if it relies on these events. + +Signed-off-by: Martin Willi +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mac80211_hwsim.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index aafa7aa18fbd..477f9f2f6626 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -2730,8 +2730,7 @@ static int mac80211_hwsim_new_radio(struct genl_info *info, + list_add_tail(&data->list, &hwsim_radios); + spin_unlock_bh(&hwsim_radio_lock); + +- if (idx > 0) +- hwsim_mcast_new_radio(idx, info, param); ++ hwsim_mcast_new_radio(idx, info, param); + + return idx; + +-- +2.17.1 + diff --git a/queue-4.14/mips-workaround-gcc-__builtin_unreachable-reordering.patch b/queue-4.14/mips-workaround-gcc-__builtin_unreachable-reordering.patch new file mode 100644 index 00000000000..4869cf20273 --- /dev/null +++ b/queue-4.14/mips-workaround-gcc-__builtin_unreachable-reordering.patch 
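Review bot: In mac80211_hwsim_new_radio() the `if (idx > 0)` guard is removed while the commit message concedes it is unclear why the guard existed. Before dropping it, trace the commit that introduced the check and record the finding in the message; if the first radio was skipped because it is created at module load rather than through a netlink request, `info` may not be a valid argument to hwsim_mcast_new_radio() on that path.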
@@ -0,0 +1,149 @@ +From 11a0823bb137b7ba18e3947cf773464206fdd461 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Mon, 20 Aug 2018 15:36:18 -0700 +Subject: MIPS: Workaround GCC __builtin_unreachable reordering bug + +[ Upstream commit 906d441febc0de974b2a6ef848a8f058f3bfada3 ] + +Some versions of GCC for the MIPS architecture suffer from a bug which +can lead to instructions from beyond an unreachable statement being +incorrectly reordered into earlier branch delay slots if the unreachable +statement is the only content of a case in a switch statement. This can +lead to seemingly random behaviour, such as invalid memory accesses from +incorrectly reordered loads or stores, and link failures on microMIPS +builds. + +See this potential GCC fix for details: + + https://gcc.gnu.org/ml/gcc-patches/2015-09/msg00360.html + +Runtime problems resulting from this bug were initially observed using a +maltasmvp_defconfig v4.4 kernel built using GCC 4.9.2 (from a Codescape +SDK 2015.06-05 toolchain), with the result being an address exception +taken after log messages about the L1 caches (during probe of the L2 +cache): + + Initmem setup node 0 [mem 0x0000000080000000-0x000000009fffffff] + VPE topology {2,2} total 4 + Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes. + Primary data cache 64kB, 4-way, PIPT, no aliases, linesize 32 bytes + + +This is early enough that the kernel exception vectors are not in use, +so any further output depends upon the bootloader. This is reproducible +in QEMU where no further output occurs - ie. the system hangs here. +Given the nature of the bug it may potentially be hit with differing +symptoms. The bug is known to affect GCC versions as recent as 7.3, and +it is unclear whether GCC 8 fixed it or just happens not to encounter +the bug in the testcase found at the link above due to differing +optimizations. 
+ +This bug can be worked around by placing a volatile asm statement, which +GCC is prevented from reordering past, prior to the +__builtin_unreachable call. + +That was actually done already for other reasons by commit 173a3efd3edb +("bug.h: work around GCC PR82365 in BUG()"), but creates problems for +microMIPS builds due to the lack of a .insn directive. The microMIPS ISA +allows for interlinking with regular MIPS32 code by repurposing bit 0 of +the program counter as an ISA mode bit. To switch modes one changes the +value of this bit in the PC. However typical branch instructions encode +their offsets as multiples of 2-byte instruction halfwords, which means +they cannot change ISA mode - this must be done using either an indirect +branch (a jump-register in MIPS terminology) or a dedicated jalx +instruction. In order to ensure that regular branches don't attempt to +target code in a different ISA which they can't actually switch to, the +linker will check that branch targets are code in the same ISA as the +branch. + +Unfortunately our empty asm volatile statements don't qualify as code, +and the link for microMIPS builds fails with errors such as: + + arch/mips/mm/dma-default.s:3265: Error: branch to a symbol in another ISA mode + arch/mips/mm/dma-default.s:5027: Error: branch to a symbol in another ISA mode + +Resolve this by adding a .insn directive within the asm statement which +declares that what comes next is code. This may or may not be true, +since we don't really know what comes next, but as this code is in an +unreachable path anyway that doesn't matter since we won't execute it. + +We do this in asm/compiler.h & select CONFIG_HAVE_ARCH_COMPILER_H in +order to have this included by linux/compiler_types.h after +linux/compiler-gcc.h. This will result in asm/compiler.h being included +in all C compilations via the -include linux/compiler_types.h argument +in c_flags, which should be harmless. 
+ +Signed-off-by: Paul Burton +Fixes: 173a3efd3edb ("bug.h: work around GCC PR82365 in BUG()") +Patchwork: https://patchwork.linux-mips.org/patch/20270/ +Cc: James Hogan +Cc: Ralf Baechle +Cc: Arnd Bergmann +Cc: linux-mips@linux-mips.org +Signed-off-by: Sasha Levin +--- + arch/mips/Kconfig | 1 + + arch/mips/include/asm/compiler.h | 35 ++++++++++++++++++++++++++++++++ + 2 files changed, 36 insertions(+) + +diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig +index c82457b0e733..23e3d3e0ee5b 100644 +--- a/arch/mips/Kconfig ++++ b/arch/mips/Kconfig +@@ -29,6 +29,7 @@ config MIPS + select GENERIC_SMP_IDLE_THREAD + select GENERIC_TIME_VSYSCALL + select HANDLE_DOMAIN_IRQ ++ select HAVE_ARCH_COMPILER_H + select HAVE_ARCH_JUMP_LABEL + select HAVE_ARCH_KGDB + select HAVE_ARCH_MMAP_RND_BITS if MMU +diff --git a/arch/mips/include/asm/compiler.h b/arch/mips/include/asm/compiler.h +index e081a265f422..cc2eb1b06050 100644 +--- a/arch/mips/include/asm/compiler.h ++++ b/arch/mips/include/asm/compiler.h +@@ -8,6 +8,41 @@ + #ifndef _ASM_COMPILER_H + #define _ASM_COMPILER_H + ++/* ++ * With GCC 4.5 onwards we can use __builtin_unreachable to indicate to the ++ * compiler that a particular code path will never be hit. This allows it to be ++ * optimised out of the generated binary. ++ * ++ * Unfortunately at least GCC 4.6.3 through 7.3.0 inclusive suffer from a bug ++ * that can lead to instructions from beyond an unreachable statement being ++ * incorrectly reordered into earlier delay slots if the unreachable statement ++ * is the only content of a case in a switch statement. This can lead to ++ * seemingly random behaviour, such as invalid memory accesses from incorrectly ++ * reordered loads or stores. 
See this potential GCC fix for details: ++ * ++ * https://gcc.gnu.org/ml/gcc-patches/2015-09/msg00360.html ++ * ++ * It is unclear whether GCC 8 onwards suffer from the same issue - nothing ++ * relevant is mentioned in GCC 8 release notes and nothing obviously relevant ++ * stands out in GCC commit logs, but these newer GCC versions generate very ++ * different code for the testcase which doesn't exhibit the bug. ++ * ++ * GCC also handles stack allocation suboptimally when calling noreturn ++ * functions or calling __builtin_unreachable(): ++ * ++ * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82365 ++ * ++ * We work around both of these issues by placing a volatile asm statement, ++ * which GCC is prevented from reordering past, prior to __builtin_unreachable ++ * calls. ++ * ++ * The .insn statement is required to ensure that any branches to the ++ * statement, which sadly must be kept due to the asm statement, are known to ++ * be branches to code and satisfy linker requirements for microMIPS kernels. ++ */ ++#undef barrier_before_unreachable ++#define barrier_before_unreachable() asm volatile(".insn") ++ + #if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4) + #define GCC_IMM_ASM() "n" + #define GCC_REG_ACCUM "$0" +-- +2.17.1 + diff --git a/queue-4.14/mmc-dw_mmc-rockchip-correct-property-names-in-debug.patch b/queue-4.14/mmc-dw_mmc-rockchip-correct-property-names-in-debug.patch new file mode 100644 index 00000000000..959eecacfcf --- /dev/null +++ b/queue-4.14/mmc-dw_mmc-rockchip-correct-property-names-in-debug.patch 
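Review bot: The new `#undef barrier_before_unreachable` followed by `#define barrier_before_unreachable() asm volatile(".insn")` in asm/compiler.h only works if this header is processed after the generic definition. The commit message describes that ordering (included by linux/compiler_types.h after linux/compiler-gcc.h), but the header comment does not; add the requirement to the comment block so a later include reshuffle is caught in review. The override is also unconditional although the comment scopes the reordering bug to GCC 4.6.3 through 7.3.0; state whether applying it to every compiler version is deliberate.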
@@ -0,0 +1,42 @@ +From 56958e48bc7b3a37655f80021f5472fd073b105b Mon Sep 17 00:00:00 2001 +From: John Keeping +Date: Thu, 1 Mar 2018 10:36:25 +0000 +Subject: mmc: dw_mmc-rockchip: correct property names in debug + +[ Upstream commit e988867fd774d00aeaf5d3c332032bf5b97a4147 ] + +Following up the device tree fixed in commits e78c637127ee ("ARM: dts: +rockchip: Fix DWMMC clocks") and ca9eee95a2de ("arm64: dts: rockchip: +Fix DWMMC clocks", 2018-02-15), avoid confusion by using the correct +property name in the debug output if clocks are not found. + +Signed-off-by: John Keeping +Reviewed-by: Robin Murphy +Reviewed-by: Shawn Lin +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/dw_mmc-rockchip.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/mmc/host/dw_mmc-rockchip.c b/drivers/mmc/host/dw_mmc-rockchip.c +index 339295212935..40d7de2eea12 100644 +--- a/drivers/mmc/host/dw_mmc-rockchip.c ++++ b/drivers/mmc/host/dw_mmc-rockchip.c +@@ -282,11 +282,11 @@ static int dw_mci_rk3288_parse_dt(struct dw_mci *host) + + priv->drv_clk = devm_clk_get(host->dev, "ciu-drive"); + if (IS_ERR(priv->drv_clk)) +- dev_dbg(host->dev, "ciu_drv not available\n"); ++ dev_dbg(host->dev, "ciu-drive not available\n"); + + priv->sample_clk = devm_clk_get(host->dev, "ciu-sample"); + if (IS_ERR(priv->sample_clk)) +- dev_dbg(host->dev, "ciu_sample not available\n"); ++ dev_dbg(host->dev, "ciu-sample not available\n"); + + host->priv = priv; + +-- +2.17.1 + diff --git a/queue-4.14/net-cxgb3_main-fix-a-missing-check-bug.patch b/queue-4.14/net-cxgb3_main-fix-a-missing-check-bug.patch new file mode 100644 index 00000000000..ae78a660d5c --- /dev/null +++ b/queue-4.14/net-cxgb3_main-fix-a-missing-check-bug.patch 
@@ -0,0 +1,111 @@ +From 00b697e536dad51b07b016764448e3421d943a70 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Fri, 5 Oct 2018 08:48:27 -0500 +Subject: net: cxgb3_main: fix a missing-check bug + +[ Upstream commit 2c05d88818ab6571816b93edce4d53703870d7ae ] + +In cxgb_extension_ioctl(), the command of the ioctl is firstly copied from +the user-space buffer 'useraddr' to 'cmd' and checked through the +switch statement. If the command is not as expected, an error code +EOPNOTSUPP is returned. In the following execution, i.e., the cases of the +switch statement, the whole buffer of 'useraddr' is copied again to a +specific data structure, according to what kind of command is requested. +However, after the second copy, there is no re-check on the newly-copied +command. Given that the buffer 'useraddr' is in the user space, a malicious +user can race to change the command between the two copies. By doing so, +the attacker can supply malicious data to the kernel and cause undefined +behavior. + +This patch adds a re-check in each case of the switch statement if there is +a second copy in that case, to re-check whether the command obtained in the +second copy is the same as the one in the first copy. If not, an error code +EINVAL is returned. + +Signed-off-by: Wenwen Wang +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +index bf291e90cdb0..79053d2ce7a3 100644 +--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +@@ -2159,6 +2159,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + return -EPERM; + if (copy_from_user(&t, useraddr, sizeof(t))) + return -EFAULT; ++ if (t.cmd != CHELSIO_SET_QSET_PARAMS) ++ return -EINVAL; + if (t.qset_idx >= SGE_QSETS) + return -EINVAL; + if (!in_range(t.intr_lat, 0, M_NEWTIMER) || +@@ -2258,6 +2260,9 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + if (copy_from_user(&t, useraddr, sizeof(t))) + return -EFAULT; + ++ if (t.cmd != CHELSIO_GET_QSET_PARAMS) ++ return -EINVAL; ++ + /* Display qsets for all ports when offload enabled */ + if (test_bit(OFFLOAD_DEVMAP_BIT, &adapter->open_device_map)) { + q1 = 0; +@@ -2303,6 +2308,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + return -EBUSY; + if (copy_from_user(&edata, useraddr, sizeof(edata))) + return -EFAULT; ++ if (edata.cmd != CHELSIO_SET_QSET_NUM) ++ return -EINVAL; + if (edata.val < 1 || + (edata.val > 1 && !(adapter->flags & USING_MSIX))) + return -EINVAL; +@@ -2343,6 +2350,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + return -EPERM; + if (copy_from_user(&t, useraddr, sizeof(t))) + return -EFAULT; ++ if (t.cmd != CHELSIO_LOAD_FW) ++ return -EINVAL; + /* Check t.len sanity ? 
*/ + fw_data = memdup_user(useraddr + sizeof(t), t.len); + if (IS_ERR(fw_data)) +@@ -2366,6 +2375,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + return -EBUSY; + if (copy_from_user(&m, useraddr, sizeof(m))) + return -EFAULT; ++ if (m.cmd != CHELSIO_SETMTUTAB) ++ return -EINVAL; + if (m.nmtus != NMTUS) + return -EINVAL; + if (m.mtus[0] < 81) /* accommodate SACK */ +@@ -2407,6 +2418,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + return -EBUSY; + if (copy_from_user(&m, useraddr, sizeof(m))) + return -EFAULT; ++ if (m.cmd != CHELSIO_SET_PM) ++ return -EINVAL; + if (!is_power_of_2(m.rx_pg_sz) || + !is_power_of_2(m.tx_pg_sz)) + return -EINVAL; /* not power of 2 */ +@@ -2440,6 +2453,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + return -EIO; /* need the memory controllers */ + if (copy_from_user(&t, useraddr, sizeof(t))) + return -EFAULT; ++ if (t.cmd != CHELSIO_GET_MEM) ++ return -EINVAL; + if ((t.addr & 7) || (t.len & 7)) + return -EINVAL; + if (t.mem_id == MEM_CM) +@@ -2492,6 +2507,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) + return -EAGAIN; + if (copy_from_user(&t, useraddr, sizeof(t))) + return -EFAULT; ++ if (t.cmd != CHELSIO_SET_TRACE_FILTER) ++ return -EINVAL; + + tp = (const struct trace_params *)&t.sip; + if (t.config_tx) +-- +2.17.1 + diff --git a/queue-4.14/net-ena-fix-null-dereference-due-to-untimely-napi-in.patch b/queue-4.14/net-ena-fix-null-dereference-due-to-untimely-napi-in.patch new file mode 100644 index 00000000000..4e8453606f0 --- /dev/null +++ b/queue-4.14/net-ena-fix-null-dereference-due-to-untimely-napi-in.patch 
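Review bot: In the CHELSIO_LOAD_FW case the added `t.cmd` re-check is followed by `memdup_user(useraddr + sizeof(t), t.len)` with the existing `/* Check t.len sanity ? */` comment still in place, so the length taken from the re-fetched structure remains unbounded. Since this patch exists because the second copy from user memory cannot be trusted, bound t.len here as well. The same two-line re-check is also pasted into eight cases of cxgb_extension_ioctl(); a small helper or macro that performs the copy and compares `cmd` against the value already dispatched on would keep a future case from omitting it.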
@@ -0,0 +1,50 @@ +From ed53771291313756c7e09885ef8b2150ba587452 Mon Sep 17 00:00:00 2001 +From: Arthur Kiyanovski +Date: Tue, 9 Oct 2018 11:21:29 +0300 +Subject: net: ena: fix NULL dereference due to untimely napi initialization + +[ Upstream commit 78a55d05def95144ca5fa9a64c49b2a0636a9866 ] + +napi poll functions should be initialized before running request_irq(), +to handle a rare condition where there is a pending interrupt, causing +the ISR to fire immediately while the poll function wasn't set yet, +causing a NULL dereference. + +Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)") +Signed-off-by: Arthur Kiyanovski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c +index 08c9c99a8331..3c7813f04962 100644 +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -1571,8 +1571,6 @@ static int ena_up_complete(struct ena_adapter *adapter) + if (rc) + return rc; + +- ena_init_napi(adapter); +- + ena_change_mtu(adapter->netdev, adapter->netdev->mtu); + + ena_refill_all_rx_bufs(adapter); +@@ -1726,6 +1724,13 @@ static int ena_up(struct ena_adapter *adapter) + + ena_setup_io_intr(adapter); + ++ /* napi poll functions should be initialized before running ++ * request_irq(), to handle a rare condition where there is a pending ++ * interrupt, causing the ISR to fire immediately while the poll ++ * function wasn't set yet, causing a null dereference ++ */ ++ ena_init_napi(adapter); ++ + rc = ena_request_io_irq(adapter); + if (rc) + goto err_req_irq; +-- +2.17.1 + 
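Review bot: In ena_up() the call to ena_init_napi(adapter) now precedes ena_request_io_irq(), whose failure jumps to `err_req_irq`. Check that this error path, and the later ones in ena_up(), undo the NAPI registration, because before this change NAPI was only initialised in ena_up_complete() after the IRQs had been requested successfully. The added comment repeats the commit message almost verbatim; a shorter form naming the ordering constraint is enough.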
diff --git a/queue-4.14/net-ena-fix-warning-in-rmmod-caused-by-double-iounma.patch b/queue-4.14/net-ena-fix-warning-in-rmmod-caused-by-double-iounma.patch new file mode 100644 index 00000000000..ddae6887755 --- /dev/null +++ b/queue-4.14/net-ena-fix-warning-in-rmmod-caused-by-double-iounma.patch @@ -0,0 +1,44 @@ +From e55fa23ccbcfc83ac29b4c09c9dec86d4b60b6d5 Mon Sep 17 00:00:00 2001 +From: Arthur Kiyanovski +Date: Tue, 9 Oct 2018 11:21:27 +0300 +Subject: net: ena: fix warning in rmmod caused by double iounmap + +[ Upstream commit d79c3888bde6581da7ff9f9d6f581900ecb5e632 ] + +Memory mapped with devm_ioremap is automatically freed when the driver +is disconnected from the device. Therefore there is no need to +explicitly call devm_iounmap. + +Fixes: 0857d92f71b6 ("net: ena: add missing unmap bars on device removal") +Fixes: 411838e7b41c ("net: ena: fix rare kernel crash when bar memory remap fails") +Signed-off-by: Arthur Kiyanovski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c +index 60b3ee29d82c..08c9c99a8331 100644 +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -3059,15 +3059,8 @@ err_rss_init: + + static void ena_release_bars(struct ena_com_dev *ena_dev, struct pci_dev *pdev) + { +- int release_bars; ++ int release_bars = pci_select_bars(pdev, IORESOURCE_MEM) & ENA_BAR_MASK; + +- if (ena_dev->mem_bar) +- devm_iounmap(&pdev->dev, ena_dev->mem_bar); +- +- if (ena_dev->reg_bar) +- devm_iounmap(&pdev->dev, ena_dev->reg_bar); +- +- release_bars = pci_select_bars(pdev, IORESOURCE_MEM) & ENA_BAR_MASK; + pci_release_selected_regions(pdev, release_bars); + } + +-- +2.17.1 + 
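Review bot: In ena_release_bars() the `ena_dev` parameter is no longer used once the two devm_iounmap() calls are removed, yet it stays in the signature `ena_release_bars(struct ena_com_dev *ena_dev, struct pci_dev *pdev)`. Drop the parameter and update the callers, or note why it is kept. It is also worth confirming that nothing reads ena_dev->mem_bar or ena_dev->reg_bar between this function and the devm teardown, since the mappings now outlive the region release.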
diff --git a/queue-4.14/net-fec-fix-rare-tx-timeout.patch b/queue-4.14/net-fec-fix-rare-tx-timeout.patch new file mode 100644 index 00000000000..65ab0ce076d --- /dev/null +++ b/queue-4.14/net-fec-fix-rare-tx-timeout.patch 
@@ -0,0 +1,66 @@ +From 1707ca6872080a3b268e82b9d808924987650883 Mon Sep 17 00:00:00 2001 +From: Rickard x Andersson +Date: Tue, 2 Oct 2018 14:49:32 +0200 +Subject: net: fec: fix rare tx timeout + +[ Upstream commit 657ade07df72847f591ccdb36bd9b91ed0edbac3 ] + +During certain heavy network loads TX could time out +with TX ring dump. +TX is sometimes never restarted after reaching +"tx_stop_threshold" because function "fec_enet_tx_queue" +only tests the first queue. + +In addition the TX timeout callback function failed to +recover because it also operated only on the first queue. + +Signed-off-by: Rickard x Andersson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index eb2ea231c7ca..8bfa6ef826a9 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -1155,7 +1155,7 @@ static void fec_enet_timeout_work(struct work_struct *work) + napi_disable(&fep->napi); + netif_tx_lock_bh(ndev); + fec_restart(ndev); +- netif_wake_queue(ndev); ++ netif_tx_wake_all_queues(ndev); + netif_tx_unlock_bh(ndev); + napi_enable(&fep->napi); + } +@@ -1270,7 +1270,7 @@ skb_done: + + /* Since we have freed up a buffer, the ring is no longer full + */ +- if (netif_queue_stopped(ndev)) { ++ if (netif_tx_queue_stopped(nq)) { + entries_free = fec_enet_get_free_txdesc_num(txq); + if (entries_free >= txq->tx_wake_threshold) + netif_tx_wake_queue(nq); +@@ -1747,7 +1747,7 @@ static void fec_enet_adjust_link(struct net_device *ndev) + napi_disable(&fep->napi); + netif_tx_lock_bh(ndev); + fec_restart(ndev); +- netif_wake_queue(ndev); ++ netif_tx_wake_all_queues(ndev); + netif_tx_unlock_bh(ndev); + napi_enable(&fep->napi); + } +@@ -2249,7 +2249,7 @@ static int fec_enet_set_pauseparam(struct net_device *ndev, + 
napi_disable(&fep->napi); + netif_tx_lock_bh(ndev); + fec_restart(ndev); +- netif_wake_queue(ndev); ++ netif_tx_wake_all_queues(ndev); + netif_tx_unlock_bh(ndev); + napi_enable(&fep->napi); + } +-- +2.17.1 + diff --git a/queue-4.14/net-macb-clean-64b-dma-addresses-if-they-are-not-det.patch b/queue-4.14/net-macb-clean-64b-dma-addresses-if-they-are-not-det.patch new file mode 100644 index 00000000000..9d04d2e6008 --- /dev/null +++ b/queue-4.14/net-macb-clean-64b-dma-addresses-if-they-are-not-det.patch @@ -0,0 +1,37 @@ +From d668bd281249df319124c1ca3902aef429965e9e Mon Sep 17 00:00:00 2001 +From: Michal Simek +Date: Tue, 25 Sep 2018 08:32:50 +0200 +Subject: net: macb: Clean 64b dma addresses if they are not detected + +[ Upstream commit e1e5d8a9fe737d94ccc0ccbaf0c97f69a8f3e000 ] + +Clear ADDR64 dma bit in DMACFG register in case that HW_DMA_CAP_64B is +not detected on 64bit system. +The issue was observed when bootloader(u-boot) does not check macb +feature at DCFG6 register (DAW64_OFFSET) and enabling 64bit dma support +by default. Then macb driver is reading DMACFG register back and only +adding 64bit dma configuration but not cleaning it out. + +Signed-off-by: Michal Simek +Acked-by: Nicolas Ferre +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index b4f92de1efbd..d6f8d6c8b0f1 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -2000,6 +2000,7 @@ static void macb_configure_dma(struct macb *bp) + else + dmacfg &= ~GEM_BIT(TXCOEN); + ++ dmacfg &= ~GEM_BIT(ADDR64); + #ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT + if (bp->hw_dma_cap & HW_DMA_CAP_64B) + dmacfg |= GEM_BIT(ADDR64); +-- +2.17.1 + 
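Review bot: in macb_configure_dma(), the new `dmacfg &= ~GEM_BIT(ADDR64);` sits just above the `#ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT` block with no comment, so it reads like a stray line. Add a short comment that DMACFG is read back from the hardware and may still carry ADDR64 set by the bootloader, which is why the bit is cleared unconditionally and set again only when HW_DMA_CAP_64B is detected.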
diff --git a/queue-4.14/net-mlx5-fix-mlx5_get_vector_affinity-function.patch b/queue-4.14/net-mlx5-fix-mlx5_get_vector_affinity-function.patch new file mode 100644 index 00000000000..9ab74644f15 --- /dev/null +++ b/queue-4.14/net-mlx5-fix-mlx5_get_vector_affinity-function.patch 
@@ -0,0 +1,77 @@ +From a5a3edf588b8b7f8581f09262deafa82ba91106e Mon Sep 17 00:00:00 2001 +From: Israel Rukshin +Date: Thu, 12 Apr 2018 09:49:11 +0000 +Subject: net/mlx5: Fix mlx5_get_vector_affinity function + +[ Upstream commit 6082d9c9c94a408d7409b5f2e4e42ac9e8b16d0d ] + +Adding the vector offset when calling to mlx5_vector2eqn() is wrong. +This is because mlx5_vector2eqn() checks if EQ index is equal to vector number +and the fact that the internal completion vectors that mlx5 allocates +don't get an EQ index. + +The second problem here is that using effective_affinity_mask gives the same +CPU for different vectors. +This leads to unmapped queues when calling it from blk_mq_rdma_map_queues(). +This doesn't happen when using affinity_hint mask. + +Fixes: 2572cf57d75a ("mlx5: fix mlx5_get_vector_affinity to start from completion vector 0") +Fixes: 05e0cc84e00c ("net/mlx5: Fix get vector affinity helper function") +Signed-off-by: Israel Rukshin +Reviewed-by: Max Gurtovoy +Reviewed-by: Sagi Grimberg +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/main.c | 2 +- + include/linux/mlx5/driver.h | 12 +++--------- + 2 files changed, 4 insertions(+), 10 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index ab70194a73db..c3a4f5d92391 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -3911,7 +3911,7 @@ mlx5_ib_get_vector_affinity(struct ib_device *ibdev, int comp_vector) + { + struct mlx5_ib_dev *dev = to_mdev(ibdev); + +- return mlx5_get_vector_affinity(dev->mdev, comp_vector); ++ return mlx5_get_vector_affinity_hint(dev->mdev, comp_vector); + } + + static void *mlx5_ib_add(struct mlx5_core_dev *mdev) +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index c4d19e77fea8..5eff332092bc 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -1193,25 +1193,19 @@ enum { + }; + + static inline const struct cpumask * 
+-mlx5_get_vector_affinity(struct mlx5_core_dev *dev, int vector) ++mlx5_get_vector_affinity_hint(struct mlx5_core_dev *dev, int vector) + { +- const struct cpumask *mask; + struct irq_desc *desc; + unsigned int irq; + int eqn; + int err; + +- err = mlx5_vector2eqn(dev, MLX5_EQ_VEC_COMP_BASE + vector, &eqn, &irq); ++ err = mlx5_vector2eqn(dev, vector, &eqn, &irq); + if (err) + return NULL; + + desc = irq_to_desc(irq); +-#ifdef CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK +- mask = irq_data_get_effective_affinity_mask(&desc->irq_data); +-#else +- mask = desc->irq_common_data.affinity; +-#endif +- return mask; ++ return desc->affinity_hint; + } + + #endif /* MLX5_DRIVER_H */ +-- +2.17.1 + diff --git a/queue-4.14/net-mlx5e-refine-ets-validation-function.patch b/queue-4.14/net-mlx5e-refine-ets-validation-function.patch new file mode 100644 index 00000000000..4ecd4d69010 --- /dev/null +++ b/queue-4.14/net-mlx5e-refine-ets-validation-function.patch 
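Review bot: in mlx5_get_vector_affinity_hint() (the include/linux/mlx5/driver.h hunk above), `desc = irq_to_desc(irq);` is followed directly by `return desc->affinity_hint;` with no NULL check on desc. The function already returns NULL when mlx5_vector2eqn() fails, so returning NULL for a missing descriptor would be consistent with that. Because the helper is renamed in a shared header, also confirm that every caller of the old mlx5_get_vector_affinity() on this branch is converted; only the one in drivers/infiniband/hw/mlx5/main.c is visible here.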
@@ -0,0 +1,77 @@ +From a491edc7ae707950453221f5d79fcf17defb3fa8 Mon Sep 17 00:00:00 2001 +From: Shay Agroskin +Date: Wed, 27 Jun 2018 15:43:07 +0300 +Subject: net/mlx5e: Refine ets validation function + +[ Upstream commit e279d634f3d57452eb106a0c0e99a6add3fba1a6 ] + +Removed an error message received when configuring ETS total +bandwidth to be zero. +Our hardware doesn't support such configuration, so we shall +reject it in the driver. Nevertheless, we removed the error message +in order to eliminate error messages caused by old userspace tools +who try to pass such configuration. + +Fixes: ff0891915cd7 ("net/mlx5e: Fix ETS BW check") +Signed-off-by: Shay Agroskin +Reviewed-by: Huy Nguyen +Reviewed-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c b/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c +index 9d64d0759ee9..a5dd99aaf321 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c +@@ -257,7 +257,8 @@ int mlx5e_dcbnl_ieee_setets_core(struct mlx5e_priv *priv, struct ieee_ets *ets) + } + + static int mlx5e_dbcnl_validate_ets(struct net_device *netdev, +- struct ieee_ets *ets) ++ struct ieee_ets *ets, ++ bool zero_sum_allowed) + { + bool have_ets_tc = false; + int bw_sum = 0; +@@ -282,8 +283,9 @@ static int mlx5e_dbcnl_validate_ets(struct net_device *netdev, + } + + if (have_ets_tc && bw_sum != 100) { +- netdev_err(netdev, +- "Failed to validate ETS: BW sum is illegal\n"); ++ if (bw_sum || (!bw_sum && !zero_sum_allowed)) ++ netdev_err(netdev, ++ "Failed to validate ETS: BW sum is illegal\n"); + return -EINVAL; + } + return 0; +@@ -298,7 +300,7 @@ static int mlx5e_dcbnl_ieee_setets(struct net_device *netdev, + if (!MLX5_CAP_GEN(priv->mdev, ets)) + return -EOPNOTSUPP; + +- err = 
mlx5e_dbcnl_validate_ets(netdev, ets); ++ err = mlx5e_dbcnl_validate_ets(netdev, ets, false); + if (err) + return err; + +@@ -477,12 +479,9 @@ static u8 mlx5e_dcbnl_setall(struct net_device *netdev) + ets.prio_tc[i] = cee_cfg->prio_to_pg_map[i]; + } + +- err = mlx5e_dbcnl_validate_ets(netdev, &ets); +- if (err) { +- netdev_err(netdev, +- "%s, Failed to validate ETS: %d\n", __func__, err); ++ err = mlx5e_dbcnl_validate_ets(netdev, &ets, true); ++ if (err) + goto out; +- } + + err = mlx5e_dcbnl_ieee_setets_core(priv, &ets); + if (err) { +-- +2.17.1 + diff --git a/queue-4.14/net-phy-add-general-dummy-stubs-for-mmd-register-acc.patch b/queue-4.14/net-phy-add-general-dummy-stubs-for-mmd-register-acc.patch new file mode 100644 index 00000000000..833e314d757 --- /dev/null +++ b/queue-4.14/net-phy-add-general-dummy-stubs-for-mmd-register-acc.patch 
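Review bot: in mlx5e_dbcnl_validate_ets() (the en_dcbnl.c patch above), the condition `if (bw_sum || (!bw_sum && !zero_sum_allowed))` is equivalent to `if (bw_sum || !zero_sum_allowed)`, and the shorter form is easier to read. The new zero_sum_allowed parameter only suppresses the log message while -EINVAL is still returned, which the name does not convey; add a comment at the parameter, or pick a name that says it only silences the message, so a later reader does not assume a zero bandwidth sum is accepted.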
@@ -0,0 +1,68 @@ +From 35419394cd2763525c4f216b1549050f8c61f223 Mon Sep 17 00:00:00 2001 +From: Kevin Hao +Date: Tue, 20 Mar 2018 09:44:52 +0800 +Subject: net: phy: Add general dummy stubs for MMD register access + +[ Upstream commit 5df7af85ecd88e8b5f1f31d6456c3cf38a8bbdda ] + +For some phy devices, even though they don't support the MMD extended +register access, it does have some side effect if we are trying to +read/write the MMD registers via indirect method. So introduce general +dummy stubs for MMD register access which these devices can use to avoid +such side effect. + +Fixes: b6b5e8a69118 ("gianfar: Disable EEE autoneg by default") +Signed-off-by: Kevin Hao +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy_device.c | 17 +++++++++++++++++ + include/linux/phy.h | 4 ++++ + 2 files changed, 21 insertions(+) + +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index a174d05a9752..fe76e2c4022a 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -1641,6 +1641,23 @@ int genphy_config_init(struct phy_device *phydev) + } + EXPORT_SYMBOL(genphy_config_init); + ++/* This is used for the phy device which doesn't support the MMD extended ++ * register access, but it does have side effect when we are trying to access ++ * the MMD register via indirect method. 
++ */ ++int genphy_read_mmd_unsupported(struct phy_device *phdev, int devad, u16 regnum) ++{ ++ return -EOPNOTSUPP; ++} ++EXPORT_SYMBOL(genphy_read_mmd_unsupported); ++ ++int genphy_write_mmd_unsupported(struct phy_device *phdev, int devnum, ++ u16 regnum, u16 val) ++{ ++ return -EOPNOTSUPP; ++} ++EXPORT_SYMBOL(genphy_write_mmd_unsupported); ++ + int genphy_suspend(struct phy_device *phydev) + { + int value; +diff --git a/include/linux/phy.h b/include/linux/phy.h +index dca9e926b88f..efc04c2d92c9 100644 +--- a/include/linux/phy.h ++++ b/include/linux/phy.h +@@ -879,6 +879,10 @@ static inline int genphy_no_soft_reset(struct phy_device *phydev) + { + return 0; + } ++int genphy_read_mmd_unsupported(struct phy_device *phdev, int devad, ++ u16 regnum); ++int genphy_write_mmd_unsupported(struct phy_device *phdev, int devnum, ++ u16 regnum, u16 val); + + /* Clause 45 PHY */ + int genphy_c45_restart_aneg(struct phy_device *phydev); +-- +2.17.1 + diff --git a/queue-4.14/net-phy-phylink-don-t-release-null-gpio.patch b/queue-4.14/net-phy-phylink-don-t-release-null-gpio.patch new file mode 100644 index 00000000000..de2e0a9f49a --- /dev/null +++ b/queue-4.14/net-phy-phylink-don-t-release-null-gpio.patch 
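Review bot: in the two new stubs (drivers/net/phy/phy_device.c and the include/linux/phy.h prototypes above), the first parameter is spelled `phdev` while the neighbouring functions use `phydev`, and the device-address argument is `devad` in the read stub but `devnum` in the write stub. Use `phydev` and a single name for the address in both. The comment above the stubs would also be clearer if it said that they return -EOPNOTSUPP without touching the hardware, since avoiding the indirect access is the whole point.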
@@ -0,0 +1,36 @@ +From 30cbc64528ccdf4d0418929c9ad5441c84482841 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Sun, 20 May 2018 20:49:47 -0700 +Subject: net: phy: phylink: Don't release NULL GPIO + +[ Upstream commit 3bcd47726c3b744fd08781795cca905cc59a1382 ] + +If CONFIG_GPIOLIB is disabled, gpiod_put() becomes a stub that produces a +warning, this helped identify that we could be attempting to release a NULL +pl->link_gpio GPIO descriptor, so guard against that. + +Fixes: daab3349ad1a ("net: phy: phylink: Release link GPIO") +Signed-off-by: Florian Fainelli +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phylink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c +index e4a6ed88b9cf..79f28b9186c6 100644 +--- a/drivers/net/phy/phylink.c ++++ b/drivers/net/phy/phylink.c +@@ -561,7 +561,7 @@ void phylink_destroy(struct phylink *pl) + { + if (pl->sfp_bus) + sfp_unregister_upstream(pl->sfp_bus); +- if (!IS_ERR(pl->link_gpio)) ++ if (!IS_ERR_OR_NULL(pl->link_gpio)) + gpiod_put(pl->link_gpio); + + cancel_work_sync(&pl->resolve); +-- +2.17.1 + diff --git a/queue-4.14/net-phy-realtek-use-the-dummy-stubs-for-mmd-register.patch b/queue-4.14/net-phy-realtek-use-the-dummy-stubs-for-mmd-register.patch new file mode 100644 index 00000000000..cb77ece2247 --- /dev/null +++ b/queue-4.14/net-phy-realtek-use-the-dummy-stubs-for-mmd-register.patch 
@@ -0,0 +1,41 @@ +From 3e11919c3a1a2229c066b64cf19dc9c1131aeb0a Mon Sep 17 00:00:00 2001 +From: Kevin Hao +Date: Tue, 20 Mar 2018 09:44:53 +0800 +Subject: net: phy: realtek: Use the dummy stubs for MMD register access for + rtl8211b + +[ Upstream commit 0231b1a074c672f8c00da00a57144072890d816b ] + +The Ethernet on mpc8315erdb is broken since commit b6b5e8a69118 +("gianfar: Disable EEE autoneg by default"). The reason is that +even though the rtl8211b doesn't support the MMD extended registers +access, it does return some random values if we trying to access +the MMD register via indirect method. This makes it seem that the +EEE is supported by this phy device. And the subsequent writing to +the MMD registers does cause the phy malfunction. So use the dummy +stubs for the MMD register access to fix this issue. + +Fixes: b6b5e8a69118 ("gianfar: Disable EEE autoneg by default") +Signed-off-by: Kevin Hao +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/realtek.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/phy/realtek.c b/drivers/net/phy/realtek.c +index 9cbe645e3d89..7d38af5ed4b5 100644 +--- a/drivers/net/phy/realtek.c ++++ b/drivers/net/phy/realtek.c +@@ -138,6 +138,8 @@ static struct phy_driver realtek_drvs[] = { + .read_status = &genphy_read_status, + .ack_interrupt = &rtl821x_ack_interrupt, + .config_intr = &rtl8211b_config_intr, ++ .read_mmd = &genphy_read_mmd_unsupported, ++ .write_mmd = &genphy_write_mmd_unsupported, + }, { + .phy_id = 0x001cc914, + .name = "RTL8211DN Gigabit Ethernet", +-- +2.17.1 + diff --git a/queue-4.14/net-qualcomm-rmnet-skip-processing-loopback-packets.patch b/queue-4.14/net-qualcomm-rmnet-skip-processing-loopback-packets.patch new file mode 100644 index 00000000000..13874b4bfda --- /dev/null +++ b/queue-4.14/net-qualcomm-rmnet-skip-processing-loopback-packets.patch 
@@ -0,0 +1,37 @@ +From 43b0e3c60fa3f668288a7723f7cf7c301cbfe3d3 Mon Sep 17 00:00:00 2001 +From: Sean Tranchetti +Date: Tue, 2 Oct 2018 18:52:01 -0600 +Subject: net: qualcomm: rmnet: Skip processing loopback packets + +[ Upstream commit a07f388e2cde2be74b263f85df6f672fea0305a1 ] + +RMNET RX handler was processing invalid packets that were +originally sent on the real device and were looped back via +dev_loopback_xmit(). This was detected using syzkaller. + +Fixes: ceed73a2cf4a ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation") +Signed-off-by: Sean Tranchetti +Signed-off-by: Subash Abhinov Kasiviswanathan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c b/drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c +index 929fb8d96ec0..8d979fef5fc7 100644 +--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c ++++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c +@@ -205,6 +205,9 @@ rx_handler_result_t rmnet_rx_handler(struct sk_buff **pskb) + if (!skb) + return RX_HANDLER_CONSUMED; + ++ if (skb->pkt_type == PACKET_LOOPBACK) ++ return RX_HANDLER_PASS; ++ + dev = skb->dev; + port = rmnet_get_port(dev); + +-- +2.17.1 + diff --git a/queue-4.14/net-stmmac-mark-pm-functions-as-__maybe_unused.patch b/queue-4.14/net-stmmac-mark-pm-functions-as-__maybe_unused.patch new file mode 100644 index 00000000000..87ed5689827 --- /dev/null +++ b/queue-4.14/net-stmmac-mark-pm-functions-as-__maybe_unused.patch 
@@ -0,0 +1,48 @@ +From 9ce3efb296e1a51dab14291f74bc376db57261c9 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 13 Aug 2018 23:50:41 +0200 +Subject: net: stmmac: mark PM functions as __maybe_unused + +[ Upstream commit 81a8b0799632627b587af31ecd06112397e4ec36 ] + +The newly added suspend/resume functions cause a build warning +when CONFIG_PM is disabled: + +drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c:324:12: error: 'stmmac_pci_resume' defined but not used [-Werror=unused-function] +drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c:306:12: error: 'stmmac_pci_suspend' defined but not used [-Werror=unused-function] + +Mark them as __maybe_unused so gcc can drop them silently. + +Fixes: b7d0f08e9129 ("net: stmmac: Fix WoL for PCI-based setups") +Signed-off-by: Arnd Bergmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c +index 6a393b16a1fc..c54a50dbd5ac 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c +@@ -303,7 +303,7 @@ static void stmmac_pci_remove(struct pci_dev *pdev) + pci_disable_device(pdev); + } + +-static int stmmac_pci_suspend(struct device *dev) ++static int __maybe_unused stmmac_pci_suspend(struct device *dev) + { + struct pci_dev *pdev = to_pci_dev(dev); + int ret; +@@ -321,7 +321,7 @@ static int stmmac_pci_suspend(struct device *dev) + return 0; + } + +-static int stmmac_pci_resume(struct device *dev) ++static int __maybe_unused stmmac_pci_resume(struct device *dev) + { + struct pci_dev *pdev = to_pci_dev(dev); + int ret; +-- +2.17.1 + 
diff --git a/queue-4.14/netfilter-bridge-don-t-sabotage-nf_hook-calls-from-a.patch b/queue-4.14/netfilter-bridge-don-t-sabotage-nf_hook-calls-from-a.patch new file mode 100644 index 00000000000..6426388284e --- /dev/null +++ b/queue-4.14/netfilter-bridge-don-t-sabotage-nf_hook-calls-from-a.patch 
@@ -0,0 +1,55 @@ +From c26046e9e05243361a32e5b934f8c6acf3d56247 Mon Sep 17 00:00:00 2001 +From: David Ahern +Date: Mon, 17 Sep 2018 08:20:36 -0700 +Subject: netfilter: bridge: Don't sabotage nf_hook calls from an l3mdev + +[ Upstream commit a173f066c7cfc031acb8f541708041e009fc9812 ] + +For starters, the bridge netfilter code registers operations that +are invoked any time nh_hook is called. Specifically, ip_sabotage_in +watches for nested calls for NF_INET_PRE_ROUTING when a bridge is in +the stack. + +Packet wise, the bridge netfilter hook runs first. br_nf_pre_routing +allocates nf_bridge, sets in_prerouting to 1 and calls NF_HOOK for +NF_INET_PRE_ROUTING. It's finish function, br_nf_pre_routing_finish, +then resets in_prerouting flag to 0 and the packet continues up the +stack. The packet eventually makes it to the VRF driver and it invokes +nf_hook for NF_INET_PRE_ROUTING in case any rules have been added against +the vrf device. + +Because of the registered operations the call to nf_hook causes +ip_sabotage_in to be invoked. That function sees the nf_bridge on the +skb and that in_prerouting is not set. Thinking it is an invalid nested +call it steals (drops) the packet. + +Update ip_sabotage_in to recognize that the bridge or one of its upper +devices (e.g., vlan) can be enslaved to a VRF (L3 master device) and +allow the packet to go through the nf_hook a second time. 
+ +Fixes: 73e20b761acf ("net: vrf: Add support for PREROUTING rules on vrf device") +Reported-by: D'Souza, Nelson +Signed-off-by: David Ahern +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/bridge/br_netfilter_hooks.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index c2eea1b8737a..7582f28ab306 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -832,7 +832,8 @@ static unsigned int ip_sabotage_in(void *priv, + struct sk_buff *skb, + const struct nf_hook_state *state) + { +- if (skb->nf_bridge && !skb->nf_bridge->in_prerouting) { ++ if (skb->nf_bridge && !skb->nf_bridge->in_prerouting && ++ !netif_is_l3_master(skb->dev)) { + state->okfn(state->net, state->sk, skb); + return NF_STOLEN; + } +-- +2.17.1 + diff --git a/queue-4.14/nl80211-fix-possible-spectre-v1-for-cqm-rssi-thresho.patch b/queue-4.14/nl80211-fix-possible-spectre-v1-for-cqm-rssi-thresho.patch new file mode 100644 index 00000000000..8aa97ebb1ff --- /dev/null +++ b/queue-4.14/nl80211-fix-possible-spectre-v1-for-cqm-rssi-thresho.patch 
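Review bot: in ip_sabotage_in() (the br_netfilter_hooks.c hunk above), the added `!netif_is_l3_master(skb->dev)` test carries no comment, and the reason it is correct lives only in the commit message. Add a comment at the condition saying that the second NF_INET_PRE_ROUTING pass is issued by the VRF driver and that the check relies on skb->dev being the L3 master device at that point, so the packet is not mistaken for an invalid nested call and stolen.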
@@ -0,0 +1,60 @@ +From 84f4d7e74d1c1804401da83685c3a3ef0e72ddc5 Mon Sep 17 00:00:00 2001 +From: Masashi Honma +Date: Tue, 25 Sep 2018 11:15:01 +0900 +Subject: nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds + +[ Upstream commit 1222a16014888ed9733c11e221730d4a8196222b ] + +Use array_index_nospec() to sanitize i with respect to speculation. + +Note that the user doesn't control i directly, but can make it out +of bounds by not finding a threshold in the array. + +Signed-off-by: Masashi Honma +[add note about user control, as explained by Masashi] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 5e7c9b361e8a..46e9812d13c0 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -9720,7 +9720,7 @@ static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev, + struct wireless_dev *wdev = dev->ieee80211_ptr; + s32 last, low, high; + u32 hyst; +- int i, n; ++ int i, n, low_index; + int err; + + /* RSSI reporting disabled? */ +@@ -9757,10 +9757,19 @@ static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev, + if (last < wdev->cqm_config->rssi_thresholds[i]) + break; + +- low = i > 0 ? +- (wdev->cqm_config->rssi_thresholds[i - 1] - hyst) : S32_MIN; +- high = i < n ? +- (wdev->cqm_config->rssi_thresholds[i] + hyst - 1) : S32_MAX; ++ low_index = i - 1; ++ if (low_index >= 0) { ++ low_index = array_index_nospec(low_index, n); ++ low = wdev->cqm_config->rssi_thresholds[low_index] - hyst; ++ } else { ++ low = S32_MIN; ++ } ++ if (i < n) { ++ i = array_index_nospec(i, n); ++ high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1; ++ } else { ++ high = S32_MAX; ++ } + + return rdev_set_cqm_rssi_range_config(rdev, dev, low, high); + } +-- +2.17.1 + 
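Review bot: in cfg80211_cqm_rssi_update(), the hunk starts calling array_index_nospec() but shows no include of <linux/nospec.h>; confirm net/wireless/nl80211.c already pulls it in on this branch. The two lookups are also treated differently: the low side gets a dedicated low_index, while the high side overwrites i in place with `i = array_index_nospec(i, n);`. Using a separate clamped index on both sides would keep i as the loop result and make the two branches symmetric.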
diff --git a/queue-4.14/nl80211-fix-possible-spectre-v1-for-nl80211_txrate_h.patch b/queue-4.14/nl80211-fix-possible-spectre-v1-for-nl80211_txrate_h.patch new file mode 100644 index 00000000000..252536be68c --- /dev/null +++ b/queue-4.14/nl80211-fix-possible-spectre-v1-for-nl80211_txrate_h.patch @@ -0,0 +1,31 @@ +From 86e3ccc91c0644a80cd8e1073eebdcda099ff45a Mon Sep 17 00:00:00 2001 +From: Masashi Honma +Date: Tue, 25 Sep 2018 11:15:00 +0900 +Subject: nl80211: Fix possible Spectre-v1 for NL80211_TXRATE_HT + +[ Upstream commit 30fe6d50eb088783c8729c7d930f65296b2b3fa7 ] + +Use array_index_nospec() to sanitize ridx with respect to speculation. + +Signed-off-by: Masashi Honma +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 3de415bca391..5e7c9b361e8a 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -3480,6 +3480,7 @@ static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband, + return false; + + /* check availability */ ++ ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN); + if (sband->ht_cap.mcs.rx_mask[ridx] & rbit) + mcs[ridx] |= rbit; + else +-- +2.17.1 + diff --git a/queue-4.14/ocfs2-fix-crash-in-ocfs2_duplicate_clusters_by_page.patch b/queue-4.14/ocfs2-fix-crash-in-ocfs2_duplicate_clusters_by_page.patch new file mode 100644 index 00000000000..1af73cfc729 --- /dev/null +++ b/queue-4.14/ocfs2-fix-crash-in-ocfs2_duplicate_clusters_by_page.patch 
@@ -0,0 +1,90 @@ +From 836acf2b617a3bd29da17ca307b47b15fdda9e3d Mon Sep 17 00:00:00 2001 +From: Larry Chen +Date: Fri, 5 Oct 2018 15:51:37 -0700 +Subject: ocfs2: fix crash in ocfs2_duplicate_clusters_by_page() + +[ Upstream commit 69eb7765b9c6902444c89c54e7043242faf981e5 ] + +ocfs2_duplicate_clusters_by_page() may crash if one of the extent's pages +is dirty. When a page has not been written back, it is still in dirty +state. If ocfs2_duplicate_clusters_by_page() is called against the dirty +page, the crash happens. + +To fix this bug, we can just unlock the page and wait until the page until +its not dirty. + +The following is the backtrace: + +kernel BUG at /root/code/ocfs2/refcounttree.c:2961! +[exception RIP: ocfs2_duplicate_clusters_by_page+822] +__ocfs2_move_extent+0x80/0x450 [ocfs2] +? __ocfs2_claim_clusters+0x130/0x250 [ocfs2] +ocfs2_defrag_extent+0x5b8/0x5e0 [ocfs2] +__ocfs2_move_extents_range+0x2a4/0x470 [ocfs2] +ocfs2_move_extents+0x180/0x3b0 [ocfs2] +? ocfs2_wait_for_recovery+0x13/0x70 [ocfs2] +ocfs2_ioctl_move_extents+0x133/0x2d0 [ocfs2] +ocfs2_ioctl+0x253/0x640 [ocfs2] +do_vfs_ioctl+0x90/0x5f0 +SyS_ioctl+0x74/0x80 +do_syscall_64+0x74/0x140 +entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + +Once we find the page is dirty, we do not wait until it's clean, rather we +use write_one_page() to write it back + +Link: http://lkml.kernel.org/r/20180829074740.9438-1-lchen@suse.com +[lchen@suse.com: update comments] + Link: http://lkml.kernel.org/r/20180830075041.14879-1-lchen@suse.com +[akpm@linux-foundation.org: coding-style fixes] +Signed-off-by: Larry Chen +Acked-by: Changwei Ge +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + fs/ocfs2/refcounttree.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/fs/ocfs2/refcounttree.c b/fs/ocfs2/refcounttree.c +index 1b1283f07941..824f407df1db 100644 +--- 
a/fs/ocfs2/refcounttree.c ++++ b/fs/ocfs2/refcounttree.c +@@ -2946,6 +2946,7 @@ int ocfs2_duplicate_clusters_by_page(handle_t *handle, + if (map_end & (PAGE_SIZE - 1)) + to = map_end & (PAGE_SIZE - 1); + ++retry: + page = find_or_create_page(mapping, page_index, GFP_NOFS); + if (!page) { + ret = -ENOMEM; +@@ -2954,11 +2955,18 @@ int ocfs2_duplicate_clusters_by_page(handle_t *handle, + } + + /* +- * In case PAGE_SIZE <= CLUSTER_SIZE, This page +- * can't be dirtied before we CoW it out. ++ * In case PAGE_SIZE <= CLUSTER_SIZE, we do not expect a dirty ++ * page, so write it back. + */ +- if (PAGE_SIZE <= OCFS2_SB(sb)->s_clustersize) +- BUG_ON(PageDirty(page)); ++ if (PAGE_SIZE <= OCFS2_SB(sb)->s_clustersize) { ++ if (PageDirty(page)) { ++ /* ++ * write_on_page will unlock the page on return ++ */ ++ ret = write_one_page(page); ++ goto retry; ++ } ++ } + + if (!PageUptodate(page)) { + ret = block_read_full_page(page, ocfs2_get_block); +-- +2.17.1 + diff --git a/queue-4.14/perf-core-fix-perf_pmu_unregister-locking.patch b/queue-4.14/perf-core-fix-perf_pmu_unregister-locking.patch new file mode 100644 index 00000000000..e23336fd1d7 --- /dev/null +++ b/queue-4.14/perf-core-fix-perf_pmu_unregister-locking.patch 
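Review bot: in ocfs2_duplicate_clusters_by_page() (the refcounttree.c hunks above), the new dirty-page branch does `ret = write_one_page(page); goto retry;` without looking at ret, so a write-back error is silently overwritten on the next pass and a page that stays dirty would loop here indefinitely. The branch also jumps back to find_or_create_page(), which returns the page with a reference held, and nothing in the hunk shows that reference being dropped before the retry. Check ret and bail out on error, release the page before retrying, and fix the comment, which says write_on_page where write_one_page is meant.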
@@ -0,0 +1,72 @@ +From 4d03d78f1cec54ebbe22f53d8546f0f353102bed Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Tue, 25 Sep 2018 17:58:35 +0200 +Subject: perf/core: Fix perf_pmu_unregister() locking + +[ Upstream commit a9f9772114c8b07ae75bcb3654bd017461248095 ] + +When we unregister a PMU, we fail to serialize the @pmu_idr properly. +Fix that by doing the entire thing under pmu_lock. + +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Fixes: 2e80a82a49c4 ("perf: Dynamic pmu types") +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 4dbce29a9313..ee1c07c0b833 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -9020,9 +9020,7 @@ static void free_pmu_context(struct pmu *pmu) + if (pmu->task_ctx_nr > perf_invalid_context) + return; + +- mutex_lock(&pmus_lock); + free_percpu(pmu->pmu_cpu_context); +- mutex_unlock(&pmus_lock); + } + + /* +@@ -9278,12 +9276,8 @@ EXPORT_SYMBOL_GPL(perf_pmu_register); + + void perf_pmu_unregister(struct pmu *pmu) + { +- int remove_device; +- + mutex_lock(&pmus_lock); +- remove_device = pmu_bus_running; + list_del_rcu(&pmu->entry); +- mutex_unlock(&pmus_lock); + + /* + * We dereference the pmu list under both SRCU and regular RCU, so +@@ -9295,13 +9289,14 @@ void perf_pmu_unregister(struct pmu *pmu) + free_percpu(pmu->pmu_disable_count); + if (pmu->type >= PERF_TYPE_MAX) + idr_remove(&pmu_idr, pmu->type); +- if (remove_device) { ++ if (pmu_bus_running) { + if (pmu->nr_addr_filters) + device_remove_file(pmu->dev, &dev_attr_nr_addr_filters); + device_del(pmu->dev); + put_device(pmu->dev); + } + free_pmu_context(pmu); ++ mutex_unlock(&pmus_lock); + } + EXPORT_SYMBOL_GPL(perf_pmu_unregister); + +-- 
+2.17.1 + diff --git a/queue-4.14/perf-python-use-wno-redundant-decls-to-build-with-py.patch b/queue-4.14/perf-python-use-wno-redundant-decls-to-build-with-py.patch new file mode 100644 index 00000000000..abf19036b85 --- /dev/null +++ b/queue-4.14/perf-python-use-wno-redundant-decls-to-build-with-py.patch 
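Review bot: in free_pmu_context() (the kernel/events/core.c patch above), the mutex_lock(&pmus_lock)/mutex_unlock(&pmus_lock) pair is removed, so the function now depends on its caller holding the lock, but nothing at the function says so. Add lockdep_assert_held(&pmus_lock) or a comment there. In perf_pmu_unregister() the lock now also spans device_remove_file(), device_del() and put_device(); confirm that nothing reached from those calls takes pmus_lock.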
@@ -0,0 +1,113 @@ +From 59937dbd6b3739db90ee572500871b658813a3af Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Tue, 18 Sep 2018 16:08:02 -0300 +Subject: perf python: Use -Wno-redundant-decls to build with PYTHON=python3 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 05a2f54679861deb188750ba2a70187000b2c71f ] + +When building in ClearLinux using 'make PYTHON=python3' with gcc 8.2.1 +it fails with: + + GEN /tmp/build/perf/python/perf.so + In file included from /usr/include/python3.7m/Python.h:126, + from /git/linux/tools/perf/util/python.c:2: + /usr/include/python3.7m/import.h:58:24: error: redundant redeclaration of ‘_PyImport_AddModuleObject’ [-Werror=redundant-decls] + PyAPI_FUNC(PyObject *) _PyImport_AddModuleObject(PyObject *, PyObject *); + ^~~~~~~~~~~~~~~~~~~~~~~~~ + /usr/include/python3.7m/import.h:47:24: note: previous declaration of ‘_PyImport_AddModuleObject’ was here + PyAPI_FUNC(PyObject *) _PyImport_AddModuleObject(PyObject *name, + ^~~~~~~~~~~~~~~~~~~~~~~~~ + cc1: all warnings being treated as errors + error: command 'gcc' failed with exit status 1 + +And indeed there is a redundant declaration in that Python.h file, one +with parameter names and the other without, so just add +-Wno-error=redundant-decls to the python setup instructions. 
+ +Now perf builds with gcc in ClearLinux with the following Dockerfile: + + # docker.io/acmel/linux-perf-tools-build-clearlinux:latest + FROM docker.io/clearlinux:latest + MAINTAINER Arnaldo Carvalho de Melo + RUN swupd update && \ + swupd bundle-add sysadmin-basic-dev + RUN mkdir -m 777 -p /git /tmp/build/perf /tmp/build/objtool /tmp/build/linux && \ + groupadd -r perfbuilder && \ + useradd -m -r -g perfbuilder perfbuilder && \ + chown -R perfbuilder.perfbuilder /tmp/build/ /git/ + USER perfbuilder + COPY rx_and_build.sh / + ENV EXTRA_MAKE_ARGS=PYTHON=python3 + ENTRYPOINT ["/rx_and_build.sh"] + +Now to figure out why the build fails with clang, that is present in the +above container as detected by the rx_and_build.sh script: + + clang version 6.0.1 (tags/RELEASE_601/final) + Target: x86_64-unknown-linux-gnu + Thread model: posix + InstalledDir: /usr/sbin + make: Entering directory '/git/linux/tools/perf' + BUILD: Doing 'make -j4' parallel build + HOSTCC /tmp/build/perf/fixdep.o + HOSTLD /tmp/build/perf/fixdep-in.o + LINK /tmp/build/perf/fixdep + + Auto-detecting system features: + ... dwarf: [ OFF ] + ... dwarf_getlocations: [ OFF ] + ... glibc: [ OFF ] + ... gtk2: [ OFF ] + ... libaudit: [ OFF ] + ... libbfd: [ OFF ] + ... libelf: [ OFF ] + ... libnuma: [ OFF ] + ... numa_num_possible_cpus: [ OFF ] + ... libperl: [ OFF ] + ... libpython: [ OFF ] + ... libslang: [ OFF ] + ... libcrypto: [ OFF ] + ... libunwind: [ OFF ] + ... libdw-dwarf-unwind: [ OFF ] + ... zlib: [ OFF ] + ... lzma: [ OFF ] + ... get_cpuid: [ OFF ] + ... bpf: [ OFF ] + + Makefile.config:331: *** No gnu/libc-version.h found, please install glibc-dev[el]. Stop. 
+ make[1]: *** [Makefile.perf:206: sub-make] Error 2 + make: *** [Makefile:70: all] Error 2 + make: Leaving directory '/git/linux/tools/perf' + +Cc: Adrian Hunter +Cc: David Ahern +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Thiago Macieira +Cc: Wang Nan +Link: https://lkml.kernel.org/n/tip-c3khb9ac86s00qxzjrueomme@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/setup.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/setup.py b/tools/perf/util/setup.py +index da4df7fd43a2..23f1bf175179 100644 +--- a/tools/perf/util/setup.py ++++ b/tools/perf/util/setup.py +@@ -27,7 +27,7 @@ class install_lib(_install_lib): + + cflags = getenv('CFLAGS', '').split() + # switch off several checks (need to be at the end of cflags list) +-cflags += ['-fno-strict-aliasing', '-Wno-write-strings', '-Wno-unused-parameter' ] ++cflags += ['-fno-strict-aliasing', '-Wno-write-strings', '-Wno-unused-parameter', '-Wno-redundant-decls' ] + if cc != "clang": + cflags += ['-Wno-cast-function-type' ] + +-- +2.17.1 + diff --git a/queue-4.14/perf-ring_buffer-prevent-concurent-ring-buffer-acces.patch b/queue-4.14/perf-ring_buffer-prevent-concurent-ring-buffer-acces.patch new file mode 100644 index 00000000000..757cb9f4157 --- /dev/null +++ b/queue-4.14/perf-ring_buffer-prevent-concurent-ring-buffer-acces.patch 
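Review bot: the tools/perf/util/setup.py hunk adds '-Wno-redundant-decls', which turns the diagnostic off completely, while the changelog says to "just add -Wno-error=redundant-decls". If the goal is only to stop the Python.h redeclaration from failing the build under -Werror, '-Wno-error=redundant-decls' keeps the warning visible for perf's own sources; otherwise the changelog text should be corrected to match the flag that is actually added. The flag is also appended to the common cflags list rather than inside the 'if cc != "clang"' branch, although the failure quoted is from gcc 8.2.1, so it is worth stating that the clang build was checked with it.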
@@ -0,0 +1,107 @@ +From 6095101fc3568806f4503db78320cc351e8cbf79 Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Sun, 23 Sep 2018 18:13:43 +0200 +Subject: perf/ring_buffer: Prevent concurent ring buffer access + +[ Upstream commit cd6fb677ce7e460c25bdd66f689734102ec7d642 ] + +Some of the scheduling tracepoints allow the perf_tp_event +code to write to ring buffer under different cpu than the +code is running on. + +This results in corrupted ring buffer data demonstrated in +following perf commands: + + # perf record -e 'sched:sched_switch,sched:sched_wakeup' perf bench sched messaging + # Running 'sched/messaging' benchmark: + # 20 sender and receiver processes per group + # 10 groups == 400 processes run + + Total time: 0.383 [sec] + [ perf record: Woken up 8 times to write data ] + 0x42b890 [0]: failed to process type: -1765585640 + [ perf record: Captured and wrote 4.825 MB perf.data (29669 samples) ] + + # perf report --stdio + 0x42b890 [0]: failed to process type: -1765585640 + +The reason for the corruption are some of the scheduling tracepoints, +that have __perf_task dfined and thus allow to store data to another +cpu ring buffer: + + sched_waking + sched_wakeup + sched_wakeup_new + sched_stat_wait + sched_stat_sleep + sched_stat_iowait + sched_stat_blocked + +The perf_tp_event function first store samples for current cpu +related events defined for tracepoint: + + hlist_for_each_entry_rcu(event, head, hlist_entry) + perf_swevent_event(event, count, &data, regs); + +And then iterates events of the 'task' and store the sample +for any task's event that passes tracepoint checks: + + ctx = rcu_dereference(task->perf_event_ctxp[perf_sw_context]); + + list_for_each_entry_rcu(event, &ctx->event_list, event_entry) { + if (event->attr.type != PERF_TYPE_TRACEPOINT) + continue; + if (event->attr.config != entry->type) + continue; + + perf_swevent_event(event, count, &data, regs); + } + +Above code can race with same code running on another cpu, +ending up with 2 
cpus trying to store under the same ring +buffer, which is specifically not allowed. + +This patch prevents the problem, by allowing only events with the same +current cpu to receive the event. + +NOTE: this requires the use of (per-task-)per-cpu buffers for this +feature to work; perf-record does this. + +Signed-off-by: Jiri Olsa +[peterz: small edits to Changelog] +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Andrew Vagin +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Fixes: e6dab5ffab59 ("perf/trace: Add ability to set a target task for events") +Link: http://lkml.kernel.org/r/20180923161343.GB15054@krava +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index ee1c07c0b833..991af683ef9e 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -8058,6 +8058,8 @@ void perf_tp_event(u16 event_type, u64 count, void *record, int entry_size, + goto unlock; + + list_for_each_entry_rcu(event, &ctx->event_list, event_entry) { ++ if (event->cpu != smp_processor_id()) ++ continue; + if (event->attr.type != PERF_TYPE_TRACEPOINT) + continue; + if (event->attr.config != entry->type) +-- +2.17.1 + diff --git a/queue-4.14/perf-tests-fix-indexing-when-invoking-subtests.patch b/queue-4.14/perf-tests-fix-indexing-when-invoking-subtests.patch new file mode 100644 index 00000000000..00a0a79fb34 --- /dev/null +++ b/queue-4.14/perf-tests-fix-indexing-when-invoking-subtests.patch 
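Review bot: the new test 'if (event->cpu != smp_processor_id()) continue;' in perf_tp_event() has no comment, and the constraint it introduces appears only in the changelog NOTE (per-task, per-cpu buffers are required). Any task event not bound to the current CPU, including one opened for any CPU, now silently gets no sample from this loop. Please add a comment above the check saying it exists to keep two CPUs from writing to the same ring buffer, and say in the changelog what users who do not open per-cpu events should expect to see.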
@@ -0,0 +1,107 @@ +From 76260dd81000f45f223bf8ec27bc5704438e1a59 Mon Sep 17 00:00:00 2001 +From: Sandipan Das +Date: Thu, 26 Jul 2018 22:47:33 +0530 +Subject: perf tests: Fix indexing when invoking subtests + +[ Upstream commit aa90f9f9554616d5738f7bedb4a8f0e5e14d1bc6 ] + +Recently, the subtest numbering was changed to start from 1. While it +is fine for displaying results, this should not be the case when the +subtests are actually invoked. + +Typically, the subtests are stored in zero-indexed arrays and invoked +based on the index passed to the main test function. Since the index +now starts from 1, the second subtest in the array (index 1) gets +invoked instead of the first (index 0). This applies to all of the +following subtests but for the last one, the subtest always fails +because it does not meet the boundary condition of the subtest index +being lesser than the number of subtests. + +This can be observed on powerpc64 and x86_64 systems running Fedora 28 +as shown below. + +Before: + + # perf test "builtin clang support" + 55: builtin clang support : + 55.1: builtin clang compile C source to IR : Ok + 55.2: builtin clang compile C source to ELF object : FAILED! + + # perf test "LLVM search and compile" + 38: LLVM search and compile : + 38.1: Basic BPF llvm compile : Ok + 38.2: kbuild searching : Ok + 38.3: Compile source for BPF prologue generation : Ok + 38.4: Compile source for BPF relocation : FAILED! + + # perf test "BPF filter" + 40: BPF filter : + 40.1: Basic BPF filtering : Ok + 40.2: BPF pinning : Ok + 40.3: BPF prologue generation : Ok + 40.4: BPF relocation checker : FAILED! 
+ +After: + + # perf test "builtin clang support" + 55: builtin clang support : + 55.1: builtin clang compile C source to IR : Ok + 55.2: builtin clang compile C source to ELF object : Ok + + # perf test "LLVM search and compile" + 38: LLVM search and compile : + 38.1: Basic BPF llvm compile : Ok + 38.2: kbuild searching : Ok + 38.3: Compile source for BPF prologue generation : Ok + 38.4: Compile source for BPF relocation : Ok + + # perf test "BPF filter" + 40: BPF filter : + 40.1: Basic BPF filtering : Ok + 40.2: BPF pinning : Ok + 40.3: BPF prologue generation : Ok + 40.4: BPF relocation checker : Ok + +Signed-off-by: Sandipan Das +Reported-by: Arnaldo Carvalho de Melo +Tested-by: Arnaldo Carvalho de Melo +Cc: Heiko Carstens +Cc: Hendrik Brueckner +Cc: Jiri Olsa +Cc: Martin Schwidefsky +Cc: Naveen N. Rao +Cc: Ravi Bangoria +Cc: Thomas Richter +Fixes: 9ef0112442bd ("perf test: Fix subtest number when showing results") +Link: http://lkml.kernel.org/r/20180726171733.33208-1-sandipan@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/builtin-test.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/tests/builtin-test.c b/tools/perf/tests/builtin-test.c +index 5966f1f9b160..1c9bc3516f8b 100644 +--- a/tools/perf/tests/builtin-test.c ++++ b/tools/perf/tests/builtin-test.c +@@ -375,7 +375,7 @@ static int test_and_print(struct test *t, bool force_skip, int subtest) + if (!t->subtest.get_nr) + pr_debug("%s:", t->desc); + else +- pr_debug("%s subtest %d:", t->desc, subtest); ++ pr_debug("%s subtest %d:", t->desc, subtest + 1); + + switch (err) { + case TEST_OK: +@@ -589,7 +589,7 @@ static int __cmd_test(int argc, const char *argv[], struct intlist *skiplist) + for (subi = 0; subi < subn; subi++) { + pr_info("%2d.%1d: %-*s:", i, subi + 1, subw, + t->subtest.get_desc(subi)); +- err = test_and_print(t, skip, subi + 1); ++ err = test_and_print(t, skip, subi); + if (err != TEST_OK && 
t->subtest.skip_if_fail) + skip = true; + } +-- +2.17.1 + diff --git a/queue-4.14/perf-x86-amd-uncore-set-threadmask-and-slicemask-for.patch b/queue-4.14/perf-x86-amd-uncore-set-threadmask-and-slicemask-for.patch new file mode 100644 index 00000000000..392d126459d --- /dev/null +++ b/queue-4.14/perf-x86-amd-uncore-set-threadmask-and-slicemask-for.patch 
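Review bot: after this change test_and_print() takes a zero-based subtest index and adds 1 only for display (pr_debug prints 'subtest + 1', __cmd_test() passes 'subi'), but the parameter is still named 'subtest' and nothing documents which base it uses, which is the same ambiguity that the Fixes: commit tripped over. A short comment on the parameter, or a name that says it is an index, would make the contract explicit for the next person touching either call site.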
@@ -0,0 +1,101 @@ +From 89bca763d695099b7e38a3fc1e9e5bb209932722 Mon Sep 17 00:00:00 2001 +From: "Natarajan, Janakarajan" +Date: Thu, 27 Sep 2018 15:51:55 +0000 +Subject: perf/x86/amd/uncore: Set ThreadMask and SliceMask for L3 Cache perf + events + +[ Upstream commit d7cbbe49a9304520181fb8c9272d1327deec8453 ] + +In Family 17h, some L3 Cache Performance events require the ThreadMask +and SliceMask to be set. For other events, these fields do not affect +the count either way. + +Set ThreadMask and SliceMask to 0xFF and 0xF respectively. + +Signed-off-by: Janakarajan Natarajan +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Borislav Petkov +Cc: H . Peter Anvin +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Suravee +Cc: Thomas Gleixner +Cc: Vince Weaver +Link: http://lkml.kernel.org/r/Message-ID: +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/events/amd/uncore.c | 10 ++++++++++ + arch/x86/include/asm/perf_event.h | 8 ++++++++ + 2 files changed, 18 insertions(+) + +diff --git a/arch/x86/events/amd/uncore.c b/arch/x86/events/amd/uncore.c +index f5cbbba99283..4e1d7483b78c 100644 +--- a/arch/x86/events/amd/uncore.c ++++ b/arch/x86/events/amd/uncore.c +@@ -35,6 +35,7 @@ + + static int num_counters_llc; + static int num_counters_nb; ++static bool l3_mask; + + static HLIST_HEAD(uncore_unused_list); + +@@ -208,6 +209,13 @@ static int amd_uncore_event_init(struct perf_event *event) + hwc->config = event->attr.config & AMD64_RAW_EVENT_MASK_NB; + hwc->idx = -1; + ++ /* ++ * SliceMask and ThreadMask need to be set for certain L3 events in ++ * Family 17h. For other events, the two fields do not affect the count. 
++ */ ++ if (l3_mask) ++ hwc->config |= (AMD64_L3_SLICE_MASK | AMD64_L3_THREAD_MASK); ++ + if (event->cpu < 0) + return -EINVAL; + +@@ -542,6 +550,7 @@ static int __init amd_uncore_init(void) + amd_llc_pmu.name = "amd_l3"; + format_attr_event_df.show = &event_show_df; + format_attr_event_l3.show = &event_show_l3; ++ l3_mask = true; + } else { + num_counters_nb = NUM_COUNTERS_NB; + num_counters_llc = NUM_COUNTERS_L2; +@@ -549,6 +558,7 @@ static int __init amd_uncore_init(void) + amd_llc_pmu.name = "amd_l2"; + format_attr_event_df = format_attr_event; + format_attr_event_l3 = format_attr_event; ++ l3_mask = false; + } + + amd_nb_pmu.attr_groups = amd_uncore_attr_groups_df; +diff --git a/arch/x86/include/asm/perf_event.h b/arch/x86/include/asm/perf_event.h +index 12f54082f4c8..78241b736f2a 100644 +--- a/arch/x86/include/asm/perf_event.h ++++ b/arch/x86/include/asm/perf_event.h +@@ -46,6 +46,14 @@ + #define INTEL_ARCH_EVENT_MASK \ + (ARCH_PERFMON_EVENTSEL_UMASK | ARCH_PERFMON_EVENTSEL_EVENT) + ++#define AMD64_L3_SLICE_SHIFT 48 ++#define AMD64_L3_SLICE_MASK \ ++ ((0xFULL) << AMD64_L3_SLICE_SHIFT) ++ ++#define AMD64_L3_THREAD_SHIFT 56 ++#define AMD64_L3_THREAD_MASK \ ++ ((0xFFULL) << AMD64_L3_THREAD_SHIFT) ++ + #define X86_RAW_EVENT_MASK \ + (ARCH_PERFMON_EVENTSEL_EVENT | \ + ARCH_PERFMON_EVENTSEL_UMASK | \ +-- +2.17.1 + diff --git a/queue-4.14/perf-x86-intel-uncore-fix-pci-bdf-address-of-m3upi-o.patch b/queue-4.14/perf-x86-intel-uncore-fix-pci-bdf-address-of-m3upi-o.patch new file mode 100644 index 00000000000..a68cc6c8013 --- /dev/null +++ b/queue-4.14/perf-x86-intel-uncore-fix-pci-bdf-address-of-m3upi-o.patch 
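Review bot: in amd_uncore_event_init() the new 'if (l3_mask)' tests only a file-wide flag that amd_uncore_init() sets for the whole driver, not which PMU the event belongs to. If this init function also serves the non-L3 uncore PMU (amd_nb_pmu is set up in the same init function), AMD64_L3_SLICE_MASK and AMD64_L3_THREAD_MASK are ORed into those events' hwc->config as well. Suggest gating on the event's PMU in addition to the flag, or documenting why setting bits 48-51 and 56-63 is harmless for other event types. The Link: tag in the changelog is also incomplete ("http://lkml.kernel.org/r/Message-ID:").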
@@ -0,0 +1,66 @@ +From 5834c733e2d3e9c980d372235ab5dd3b3b2aedb5 Mon Sep 17 00:00:00 2001 +From: Kan Liang +Date: Fri, 21 Sep 2018 07:07:06 -0700 +Subject: perf/x86/intel/uncore: Fix PCI BDF address of M3UPI on SKX + +[ Upstream commit 9d92cfeaf5215158d26d2991be7f7ff865cb98f3 ] + +The counters on M3UPI Link 0 and Link 3 don't count properly, and writing +0 to these counters may causes system crash on some machines. + +The PCI BDF addresses of the M3UPI in the current code are incorrect. + +The correct addresses should be: + + D18:F1 0x204D + D18:F2 0x204E + D18:F5 0x204D + +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Fixes: cd34cd97b7b4 ("perf/x86/intel/uncore: Add Skylake server uncore support") +Link: http://lkml.kernel.org/r/1537538826-55489-1-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore_snbep.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c +index 2dae3f585c01..a68aba8a482f 100644 +--- a/arch/x86/events/intel/uncore_snbep.c ++++ b/arch/x86/events/intel/uncore_snbep.c +@@ -3807,16 +3807,16 @@ static const struct pci_device_id skx_uncore_pci_ids[] = { + .driver_data = UNCORE_PCI_DEV_FULL_DATA(21, 5, SKX_PCI_UNCORE_M2PCIE, 3), + }, + { /* M3UPI0 Link 0 */ +- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204C), +- .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 0, SKX_PCI_UNCORE_M3UPI, 0), ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204D), ++ .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 1, SKX_PCI_UNCORE_M3UPI, 0), + }, + { /* M3UPI0 Link 1 */ +- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204D), +- .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 1, SKX_PCI_UNCORE_M3UPI, 1), ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204E), 
++ .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 2, SKX_PCI_UNCORE_M3UPI, 1), + }, + { /* M3UPI1 Link 2 */ +- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204C), +- .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 4, SKX_PCI_UNCORE_M3UPI, 2), ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x204D), ++ .driver_data = UNCORE_PCI_DEV_FULL_DATA(18, 5, SKX_PCI_UNCORE_M3UPI, 2), + }, + { /* end: all zeroes */ } + }; +-- +2.17.1 + diff --git a/queue-4.14/powerpc-pseries-add-empty-update_numa_cpu_lookup_tab.patch b/queue-4.14/powerpc-pseries-add-empty-update_numa_cpu_lookup_tab.patch new file mode 100644 index 00000000000..35e2a1501fe --- /dev/null +++ b/queue-4.14/powerpc-pseries-add-empty-update_numa_cpu_lookup_tab.patch 
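Review bot: the changelog says the counters on "M3UPI Link 0 and Link 3" miscount, but the skx_uncore_pci_ids[] entries changed here are commented Link 0, Link 1 and Link 2, and all three are modified. Please reconcile the link numbering between the message and the table comments, and name the source of the corrected device/function pairs (D18:F1 0x204D, D18:F2 0x204E, D18:F5 0x204D), since the changelog reports that writes through the wrongly matched devices can crash some machines.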
@@ -0,0 +1,43 @@ +From 9116944f269da83f589a33f2dd031c5aed08727e Mon Sep 17 00:00:00 2001 +From: Corentin Labbe +Date: Wed, 14 Feb 2018 12:17:47 +0000 +Subject: powerpc/pseries: Add empty update_numa_cpu_lookup_table() for NUMA=n +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit c1e150ceb61e4a585bad156da15c33bfe89f5858 ] + +When CONFIG_NUMA is not set, the build fails with: + + arch/powerpc/platforms/pseries/hotplug-cpu.c:335:4: + error: déclaration implicite de la fonction « update_numa_cpu_lookup_table » + +So we have to add update_numa_cpu_lookup_table() as an empty function +when CONFIG_NUMA is not set. + +Fixes: 1d9a090783be ("powerpc/numa: Invalidate numa_cpu_lookup_table on cpu remove") +Signed-off-by: Corentin Labbe +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/topology.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/powerpc/include/asm/topology.h b/arch/powerpc/include/asm/topology.h +index d5f2ee882f74..66c72b356ac0 100644 +--- a/arch/powerpc/include/asm/topology.h ++++ b/arch/powerpc/include/asm/topology.h +@@ -81,6 +81,9 @@ static inline int numa_update_cpu_topology(bool cpus_locked) + { + return 0; + } ++ ++static inline void update_numa_cpu_lookup_table(unsigned int cpu, int node) {} ++ + #endif /* CONFIG_NUMA */ + + #if defined(CONFIG_NUMA) && defined(CONFIG_PPC_SPLPAR) +-- +2.17.1 + diff --git a/queue-4.14/pxa168fb-prepare-the-clock.patch b/queue-4.14/pxa168fb-prepare-the-clock.patch new file mode 100644 index 00000000000..a05c338f7ec --- /dev/null +++ b/queue-4.14/pxa168fb-prepare-the-clock.patch 
@@ -0,0 +1,80 @@ +From ab2f2bfd0f9f7a850be192e55f24f464af9589ed Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Wed, 26 Sep 2018 18:11:22 +0200 +Subject: pxa168fb: prepare the clock + +[ Upstream commit d85536cde91fcfed6fb8d983783bd2b92c843939 ] + +Add missing prepare/unprepare operations for fbi->clk, +this fixes following kernel warning: + + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 1 at drivers/clk/clk.c:874 clk_core_enable+0x2c/0x1b0 + Enabling unprepared disp0_clk + Modules linked in: + CPU: 0 PID: 1 Comm: swapper Not tainted 4.18.0-rc8-00032-g02b43ddd4f21-dirty #25 + Hardware name: Marvell MMP2 (Device Tree Support) + [] (unwind_backtrace) from [] (show_stack+0x10/0x14) + [] (show_stack) from [] (__warn+0xd8/0xf0) + [] (__warn) from [] (warn_slowpath_fmt+0x44/0x6c) + [] (warn_slowpath_fmt) from [] (clk_core_enable+0x2c/0x1b0) + [] (clk_core_enable) from [] (clk_core_enable_lock+0x18/0x2c) + [] (clk_core_enable_lock) from [] (pxa168fb_probe+0x464/0x6ac) + [] (pxa168fb_probe) from [] (platform_drv_probe+0x48/0x94) + [] (platform_drv_probe) from [] (driver_probe_device+0x328/0x470) + [] (driver_probe_device) from [] (__driver_attach+0xb0/0x124) + [] (__driver_attach) from [] (bus_for_each_dev+0x64/0xa0) + [] (bus_for_each_dev) from [] (bus_add_driver+0x1b8/0x230) + [] (bus_add_driver) from [] (driver_register+0xac/0xf0) + [] (driver_register) from [] (do_one_initcall+0xb8/0x1f0) + [] (do_one_initcall) from [] (kernel_init_freeable+0x294/0x2e0) + [] (kernel_init_freeable) from [] (kernel_init+0x8/0x10c) + [] (kernel_init) from [] (ret_from_fork+0x14/0x2c) + Exception stack(0xd008bfb0 to 0xd008bff8) + bfa0: 00000000 00000000 00000000 00000000 + bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 + bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 + ---[ end trace c0af40f9e2ed7cb4 ]--- + +Signed-off-by: Lubomir Rintel +[b.zolnierkie: enhance patch description a bit] +Signed-off-by: Bartlomiej 
Zolnierkiewicz +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/pxa168fb.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/video/fbdev/pxa168fb.c b/drivers/video/fbdev/pxa168fb.c +index def3a501acd6..d059d04c63ac 100644 +--- a/drivers/video/fbdev/pxa168fb.c ++++ b/drivers/video/fbdev/pxa168fb.c +@@ -712,7 +712,7 @@ static int pxa168fb_probe(struct platform_device *pdev) + /* + * enable controller clock + */ +- clk_enable(fbi->clk); ++ clk_prepare_enable(fbi->clk); + + pxa168fb_set_par(info); + +@@ -767,7 +767,7 @@ static int pxa168fb_probe(struct platform_device *pdev) + failed_free_cmap: + fb_dealloc_cmap(&info->cmap); + failed_free_clk: +- clk_disable(fbi->clk); ++ clk_disable_unprepare(fbi->clk); + failed_free_fbmem: + dma_free_coherent(fbi->dev, info->fix.smem_len, + info->screen_base, fbi->fb_start_dma); +@@ -807,7 +807,7 @@ static int pxa168fb_remove(struct platform_device *pdev) + dma_free_wc(fbi->dev, PAGE_ALIGN(info->fix.smem_len), + info->screen_base, info->fix.smem_start); + +- clk_disable(fbi->clk); ++ clk_disable_unprepare(fbi->clk); + + framebuffer_release(info); + +-- +2.17.1 + diff --git a/queue-4.14/qed-avoid-constant-logical-operation-warning-in-qed_.patch b/queue-4.14/qed-avoid-constant-logical-operation-warning-in-qed_.patch new file mode 100644 index 00000000000..f226d5a502e --- /dev/null +++ b/queue-4.14/qed-avoid-constant-logical-operation-warning-in-qed_.patch 
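Review bot: in pxa168fb_probe() the return value of clk_prepare_enable(fbi->clk) is ignored, although the call returns an error code and the prepare step can fail. Suggest checking the result and bailing out to failed_free_fbmem on error, so that a failed enable does not continue into pxa168fb_set_par() and the failed_free_clk path does not call clk_disable_unprepare() on a clock that was never enabled.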
@@ -0,0 +1,53 @@ +From 3d84b01f0a7f19248a0de0f9343c645a348981f5 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 24 Sep 2018 15:17:03 -0700 +Subject: qed: Avoid constant logical operation warning in qed_vf_pf_acquire + +[ Upstream commit 1c492a9d55ba99079210ed901dd8a5423f980487 ] + +Clang warns when a constant is used in a boolean context as it thinks a +bitwise operation may have been intended. + +drivers/net/ethernet/qlogic/qed/qed_vf.c:415:27: warning: use of logical +'&&' with constant operand [-Wconstant-logical-operand] + if (!p_iov->b_pre_fp_hsi && + ^ +drivers/net/ethernet/qlogic/qed/qed_vf.c:415:27: note: use '&' for a +bitwise operation + if (!p_iov->b_pre_fp_hsi && + ^~ + & +drivers/net/ethernet/qlogic/qed/qed_vf.c:415:27: note: remove constant +to silence this warning + if (!p_iov->b_pre_fp_hsi && + ~^~ +1 warning generated. + +This has been here since commit 1fe614d10f45 ("qed: Relax VF firmware +requirements") and I am not entirely sure why since 0 isn't a special +case. Just remove the statement causing Clang to warn since it isn't +required. + +Link: https://github.com/ClangBuiltLinux/linux/issues/126 +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_vf.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_vf.c b/drivers/net/ethernet/qlogic/qed/qed_vf.c +index b8b1a791a4fa..dd8ebf6d380f 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c +@@ -413,7 +413,6 @@ static int qed_vf_pf_acquire(struct qed_hwfn *p_hwfn) + } + + if (!p_iov->b_pre_fp_hsi && +- ETH_HSI_VER_MINOR && + (resp->pfdev_info.minor_fp_hsi < ETH_HSI_VER_MINOR)) { + DP_INFO(p_hwfn, + "PF is using older fastpath HSI; %02x.%02x is configured\n", +-- +2.17.1 + 
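Review bot: the changelog justifies dropping 'ETH_HSI_VER_MINOR &&' in qed_vf_pf_acquire() with "I am not entirely sure why" the operand was there, which leaves the behaviour question open. The removed operand skipped the DP_INFO branch whenever ETH_HSI_VER_MINOR is 0; without it the result is unchanged only if 'resp->pfdev_info.minor_fp_hsi < ETH_HSI_VER_MINOR' can never be true for a minor version of 0, that is, if minor_fp_hsi is unsigned. Please state that in the changelog so the removal is shown to preserve behaviour rather than only silence the warning.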
diff --git a/queue-4.14/qed-avoid-implicit-enum-conversion-in-qed_iwarp_pars.patch b/queue-4.14/qed-avoid-implicit-enum-conversion-in-qed_iwarp_pars.patch new file mode 100644 index 00000000000..989bcdda123 --- /dev/null +++ b/queue-4.14/qed-avoid-implicit-enum-conversion-in-qed_iwarp_pars.patch 
@@ -0,0 +1,59 @@ +From 290f6ccd915a3fc96744f5cca83e31b06696927e Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 24 Sep 2018 14:42:12 -0700 +Subject: qed: Avoid implicit enum conversion in qed_iwarp_parse_rx_pkt + +[ Upstream commit 77f2d753819b7d50c16abfb778caf1fe075faed0 ] + +Clang warns when one enumerated type is implicitly converted to another. + +drivers/net/ethernet/qlogic/qed/qed_iwarp.c:1713:25: warning: implicit +conversion from enumeration type 'enum tcp_ip_version' to different +enumeration type 'enum qed_tcp_ip_version' [-Wenum-conversion] + cm_info->ip_version = TCP_IPV4; + ~ ^~~~~~~~ +drivers/net/ethernet/qlogic/qed/qed_iwarp.c:1733:25: warning: implicit +conversion from enumeration type 'enum tcp_ip_version' to different +enumeration type 'enum qed_tcp_ip_version' [-Wenum-conversion] + cm_info->ip_version = TCP_IPV6; + ~ ^~~~~~~~ +2 warnings generated. + +Use the appropriate values from the expected type, qed_tcp_ip_version: + +TCP_IPV4 = QED_TCP_IPV4 = 0 +TCP_IPV6 = QED_TCP_IPV6 = 1 + +Link: https://github.com/ClangBuiltLinux/linux/issues/125 +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_iwarp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_iwarp.c b/drivers/net/ethernet/qlogic/qed/qed_iwarp.c +index e41f28602535..eb666877d1aa 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_iwarp.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_iwarp.c +@@ -1672,7 +1672,7 @@ qed_iwarp_parse_rx_pkt(struct qed_hwfn *p_hwfn, + + cm_info->local_ip[0] = ntohl(iph->daddr); + cm_info->remote_ip[0] = ntohl(iph->saddr); +- cm_info->ip_version = TCP_IPV4; ++ cm_info->ip_version = QED_TCP_IPV4; + + ip_hlen = (iph->ihl) * sizeof(u32); + *payload_len = ntohs(iph->tot_len) - ip_hlen; +@@ -1692,7 +1692,7 @@ qed_iwarp_parse_rx_pkt(struct qed_hwfn *p_hwfn, + cm_info->remote_ip[i] = + ntohl(ip6h->saddr.in6_u.u6_addr32[i]); + } +- cm_info->ip_version = TCP_IPV6; ++ cm_info->ip_version = QED_TCP_IPV6; + + ip_hlen = sizeof(*ip6h); + *payload_len = ntohs(ip6h->payload_len); +-- +2.17.1 + diff --git a/queue-4.14/qed-avoid-implicit-enum-conversion-in-qed_roce_mode_.patch b/queue-4.14/qed-avoid-implicit-enum-conversion-in-qed_roce_mode_.patch new file mode 100644 index 00000000000..c97c34143e2 --- /dev/null +++ b/queue-4.14/qed-avoid-implicit-enum-conversion-in-qed_roce_mode_.patch 
@@ -0,0 +1,72 @@ +From e33f52077f6e9bd4eabf73d562a20209bf719008 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 24 Sep 2018 14:34:53 -0700 +Subject: qed: Avoid implicit enum conversion in qed_roce_mode_to_flavor + +[ Upstream commit d3a315795b4ce8b105a64a90699103121bde04a8 ] + +Clang warns when one enumerated type is implicitly converted to another. + +drivers/net/ethernet/qlogic/qed/qed_roce.c:153:12: warning: implicit +conversion from enumeration type 'enum roce_mode' to different +enumeration type 'enum roce_flavor' [-Wenum-conversion] + flavor = ROCE_V2_IPV6; + ~ ^~~~~~~~~~~~ +drivers/net/ethernet/qlogic/qed/qed_roce.c:156:12: warning: implicit +conversion from enumeration type 'enum roce_mode' to different +enumeration type 'enum roce_flavor' [-Wenum-conversion] + flavor = MAX_ROCE_MODE; + ~ ^~~~~~~~~~~~~ +2 warnings generated. + +Use the appropriate values from the expected type, roce_flavor: + +ROCE_V2_IPV6 = RROCE_IPV6 = 2 +MAX_ROCE_MODE = MAX_ROCE_FLAVOR = 3 + +While we're add it, ditch the local variable flavor, we can just return +the value directly from the switch statement. + +Link: https://github.com/ClangBuiltLinux/linux/issues/125 +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_roce.c | 15 ++++----------- + 1 file changed, 4 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_roce.c b/drivers/net/ethernet/qlogic/qed/qed_roce.c +index fb7c2d1562ae..bedbf840fd7d 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_roce.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_roce.c +@@ -129,23 +129,16 @@ static void qed_rdma_copy_gids(struct qed_rdma_qp *qp, __le32 *src_gid, + + static enum roce_flavor qed_roce_mode_to_flavor(enum roce_mode roce_mode) + { +- enum roce_flavor flavor; +- + switch (roce_mode) { + case ROCE_V1: +- flavor = PLAIN_ROCE; +- break; ++ return PLAIN_ROCE; + case ROCE_V2_IPV4: +- flavor = RROCE_IPV4; +- break; ++ return RROCE_IPV4; + case ROCE_V2_IPV6: +- flavor = ROCE_V2_IPV6; +- break; ++ return RROCE_IPV6; + default: +- flavor = MAX_ROCE_MODE; +- break; ++ return MAX_ROCE_FLAVOR; + } +- return flavor; + } + + void qed_roce_free_cid_pair(struct qed_hwfn *p_hwfn, u16 cid) +-- +2.17.1 + diff --git a/queue-4.14/qed-avoid-implicit-enum-conversion-in-qed_set_tunn_c.patch b/queue-4.14/qed-avoid-implicit-enum-conversion-in-qed_set_tunn_c.patch new file mode 100644 index 00000000000..b234dd248fe --- /dev/null +++ b/queue-4.14/qed-avoid-implicit-enum-conversion-in-qed_set_tunn_c.patch 
@@ -0,0 +1,62 @@ +From 344a0437d4bc34c098ca38a60931d21be8cfb55d Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 24 Sep 2018 13:53:34 -0700 +Subject: qed: Avoid implicit enum conversion in qed_set_tunn_cls_info + +[ Upstream commit a898fba32229efd5e6b6154f83fa86a7145156b9 ] + +Clang warns when one enumerated type is implicitly converted to another. + +drivers/net/ethernet/qlogic/qed/qed_sp_commands.c:163:25: warning: +implicit conversion from enumeration type 'enum tunnel_clss' to +different enumeration type 'enum qed_tunn_clss' [-Wenum-conversion] + p_tun->vxlan.tun_cls = type; + ~ ^~~~ +drivers/net/ethernet/qlogic/qed/qed_sp_commands.c:165:26: warning: +implicit conversion from enumeration type 'enum tunnel_clss' to +different enumeration type 'enum qed_tunn_clss' [-Wenum-conversion] + p_tun->l2_gre.tun_cls = type; + ~ ^~~~ +drivers/net/ethernet/qlogic/qed/qed_sp_commands.c:167:26: warning: +implicit conversion from enumeration type 'enum tunnel_clss' to +different enumeration type 'enum qed_tunn_clss' [-Wenum-conversion] + p_tun->ip_gre.tun_cls = type; + ~ ^~~~ +drivers/net/ethernet/qlogic/qed/qed_sp_commands.c:169:29: warning: +implicit conversion from enumeration type 'enum tunnel_clss' to +different enumeration type 'enum qed_tunn_clss' [-Wenum-conversion] + p_tun->l2_geneve.tun_cls = type; + ~ ^~~~ +drivers/net/ethernet/qlogic/qed/qed_sp_commands.c:171:29: warning: +implicit conversion from enumeration type 'enum tunnel_clss' to +different enumeration type 'enum qed_tunn_clss' [-Wenum-conversion] + p_tun->ip_geneve.tun_cls = type; + ~ ^~~~ +5 warnings generated. + +Avoid this by changing type to an int. + +Link: https://github.com/ClangBuiltLinux/linux/issues/125 +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_sp_commands.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_sp_commands.c b/drivers/net/ethernet/qlogic/qed/qed_sp_commands.c +index 46d0c3cb83a5..d7c5965328be 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_sp_commands.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_sp_commands.c +@@ -154,7 +154,7 @@ qed_set_pf_update_tunn_mode(struct qed_tunnel_info *p_tun, + static void qed_set_tunn_cls_info(struct qed_tunnel_info *p_tun, + struct qed_tunnel_info *p_src) + { +- enum tunnel_clss type; ++ int type; + + p_tun->b_update_rx_cls = p_src->b_update_rx_cls; + p_tun->b_update_tx_cls = p_src->b_update_tx_cls; +-- +2.17.1 + diff --git a/queue-4.14/qed-fix-mask-parameter-in-qed_vf_prep_tunn_req_tlv.patch b/queue-4.14/qed-fix-mask-parameter-in-qed_vf_prep_tunn_req_tlv.patch new file mode 100644 index 00000000000..9123c6e4fcc --- /dev/null +++ b/queue-4.14/qed-fix-mask-parameter-in-qed_vf_prep_tunn_req_tlv.patch 
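Review bot: changing 'enum tunnel_clss type' to 'int type' in qed_set_tunn_cls_info() silences -Wenum-conversion by discarding the type information instead of resolving the mismatch the five warnings point at (an enum tunnel_clss value stored into tun_cls fields of enum qed_tunn_clss). With an int in between, any value is now assigned without a diagnostic. Prefer keeping an enum type and converting explicitly at the point where the two enum types meet, and state in the changelog that the values of the two enums correspond, as the sibling qed patches do for theirs.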
@@ -0,0 +1,52 @@ +From 8ccd720755ecb2cfcd6d83977cf295d6c712cbf7 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 24 Sep 2018 14:05:27 -0700 +Subject: qed: Fix mask parameter in qed_vf_prep_tunn_req_tlv + +[ Upstream commit db803f36e56f23b5a2266807e190d1dc11554d54 ] + +Clang complains when one enumerated type is implicitly converted to +another. + +drivers/net/ethernet/qlogic/qed/qed_vf.c:686:6: warning: implicit +conversion from enumeration type 'enum qed_tunn_mode' to different +enumeration type 'enum qed_tunn_clss' [-Wenum-conversion] + QED_MODE_L2GENEVE_TUNN, + ^~~~~~~~~~~~~~~~~~~~~~ + +Update mask's parameter to expect qed_tunn_mode, which is what was +intended. + +Link: https://github.com/ClangBuiltLinux/linux/issues/125 +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_vf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_vf.c b/drivers/net/ethernet/qlogic/qed/qed_vf.c +index 6eb85db69f9a..b8b1a791a4fa 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c +@@ -572,7 +572,7 @@ free_p_iov: + static void + __qed_vf_prep_tunn_req_tlv(struct vfpf_update_tunn_param_tlv *p_req, + struct qed_tunn_update_type *p_src, +- enum qed_tunn_clss mask, u8 *p_cls) ++ enum qed_tunn_mode mask, u8 *p_cls) + { + if (p_src->b_update_mode) { + p_req->tun_mode_update_mask |= BIT(mask); +@@ -587,7 +587,7 @@ __qed_vf_prep_tunn_req_tlv(struct vfpf_update_tunn_param_tlv *p_req, + static void + qed_vf_prep_tunn_req_tlv(struct vfpf_update_tunn_param_tlv *p_req, + struct qed_tunn_update_type *p_src, +- enum qed_tunn_clss mask, ++ enum qed_tunn_mode mask, + u8 *p_cls, struct qed_tunn_update_udp_port *p_port, + u8 *p_update_port, u16 *p_udp_port) + { +-- +2.17.1 + 
diff --git a/queue-4.14/r8152-check-for-supported-wake-on-lan-modes.patch b/queue-4.14/r8152-check-for-supported-wake-on-lan-modes.patch new file mode 100644 index 00000000000..a3834945de1 --- /dev/null +++ b/queue-4.14/r8152-check-for-supported-wake-on-lan-modes.patch @@ -0,0 +1,36 @@ +From a8369f14ea622193dcb73595df00720a959cf5cd Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 28 Sep 2018 16:18:54 -0700 +Subject: r8152: Check for supported Wake-on-LAN Modes + +[ Upstream commit f2750df1548bd8a2b060eb609fc43ca82811af4c ] + +The driver does not check for Wake-on-LAN modes specified by an user, +but will conditionally set the device as wake-up enabled or not based on +that, which could be a very confusing user experience. + +Fixes: 21ff2e8976b1 ("r8152: support WOL") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 0fa64cc1a011..66beff4d7646 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -4497,6 +4497,9 @@ static int rtl8152_set_wol(struct net_device *dev, struct ethtool_wolinfo *wol) + if (!rtl_can_wakeup(tp)) + return -EOPNOTSUPP; + ++ if (wol->wolopts & ~WAKE_ANY) ++ return -EINVAL; ++ + ret = usb_autopm_get_interface(tp->intf); + if (ret < 0) + goto out_set_wol; +-- +2.17.1 + diff --git a/queue-4.14/rxrpc-don-t-check-rxrpc_call_tx_last-after-calling-r.patch b/queue-4.14/rxrpc-don-t-check-rxrpc_call_tx_last-after-calling-r.patch new file mode 100644 index 00000000000..f84d1cf2d16 --- /dev/null +++ b/queue-4.14/rxrpc-don-t-check-rxrpc_call_tx_last-after-calling-r.patch 
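Review bot: in the r8152 hunk above, the new `wol->wolopts & ~WAKE_ANY` check in rtl8152_set_wol() returns -EINVAL directly instead of leaving through out_set_wol, which is only correct because it sits above usb_autopm_get_interface(). A short comment, or simply keeping it grouped with the rtl_can_wakeup() early return as done here, would stop a later reshuffle from leaking an autopm reference. The commit message describes the confusing behaviour but not the new one; it should state that unsupported Wake-on-LAN modes are now rejected with -EINVAL, since that is a user-visible change for ethtool callers that previously got success.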
@@ -0,0 +1,126 @@ +From f137052871d01e7485273b64338c58db591172d9 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Mon, 8 Oct 2018 15:46:01 +0100 +Subject: rxrpc: Don't check RXRPC_CALL_TX_LAST after calling + rxrpc_rotate_tx_window() + +[ Upstream commit c479d5f2c2e1ce609da08c075054440d97ddff52 ] + +We should only call the function to end a call's Tx phase if we rotated the +marked-last packet out of the transmission buffer. + +Make rxrpc_rotate_tx_window() return an indication of whether it just +rotated the packet marked as the last out of the transmit buffer, carrying +the information out of the locked section in that function. + +We can then check the return value instead of examining RXRPC_CALL_TX_LAST. + +Fixes: 70790dbe3f66 ("rxrpc: Pass the last Tx packet marker in the annotation buffer") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/input.c | 35 +++++++++++++++++++---------------- + 1 file changed, 19 insertions(+), 16 deletions(-) + +diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c +index 5edb636dbc4d..3a501bf0fc1a 100644 +--- a/net/rxrpc/input.c ++++ b/net/rxrpc/input.c +@@ -216,10 +216,11 @@ static void rxrpc_send_ping(struct rxrpc_call *call, struct sk_buff *skb, + /* + * Apply a hard ACK by advancing the Tx window. 
+ */ +-static void rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to, ++static bool rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to, + struct rxrpc_ack_summary *summary) + { + struct sk_buff *skb, *list = NULL; ++ bool rot_last = false; + int ix; + u8 annotation; + +@@ -243,15 +244,17 @@ static void rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to, + skb->next = list; + list = skb; + +- if (annotation & RXRPC_TX_ANNO_LAST) ++ if (annotation & RXRPC_TX_ANNO_LAST) { + set_bit(RXRPC_CALL_TX_LAST, &call->flags); ++ rot_last = true; ++ } + if ((annotation & RXRPC_TX_ANNO_MASK) != RXRPC_TX_ANNO_ACK) + summary->nr_rot_new_acks++; + } + + spin_unlock(&call->lock); + +- trace_rxrpc_transmit(call, (test_bit(RXRPC_CALL_TX_LAST, &call->flags) ? ++ trace_rxrpc_transmit(call, (rot_last ? + rxrpc_transmit_rotate_last : + rxrpc_transmit_rotate)); + wake_up(&call->waitq); +@@ -262,6 +265,8 @@ static void rxrpc_rotate_tx_window(struct rxrpc_call *call, rxrpc_seq_t to, + skb->next = NULL; + rxrpc_free_skb(skb, rxrpc_skb_tx_freed); + } ++ ++ return rot_last; + } + + /* +@@ -332,11 +337,11 @@ static bool rxrpc_receiving_reply(struct rxrpc_call *call) + ktime_get_real()); + } + +- if (!test_bit(RXRPC_CALL_TX_LAST, &call->flags)) +- rxrpc_rotate_tx_window(call, top, &summary); + if (!test_bit(RXRPC_CALL_TX_LAST, &call->flags)) { +- rxrpc_proto_abort("TXL", call, top); +- return false; ++ if (!rxrpc_rotate_tx_window(call, top, &summary)) { ++ rxrpc_proto_abort("TXL", call, top); ++ return false; ++ } + } + if (!rxrpc_end_tx_phase(call, true, "ETD")) + return false; +@@ -837,8 +842,12 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb, + if (nr_acks > call->tx_top - hard_ack) + return rxrpc_proto_abort("AKN", call, 0); + +- if (after(hard_ack, call->tx_hard_ack)) +- rxrpc_rotate_tx_window(call, hard_ack, &summary); ++ if (after(hard_ack, call->tx_hard_ack)) { ++ if (rxrpc_rotate_tx_window(call, hard_ack, &summary)) { ++ 
rxrpc_end_tx_phase(call, false, "ETA"); ++ return; ++ } ++ } + + if (nr_acks > 0) { + if (skb_copy_bits(skb, offset, buf.acks, nr_acks) < 0) +@@ -847,11 +856,6 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb, + &summary); + } + +- if (test_bit(RXRPC_CALL_TX_LAST, &call->flags)) { +- rxrpc_end_tx_phase(call, false, "ETA"); +- return; +- } +- + if (call->rxtx_annotations[call->tx_top & RXRPC_RXTX_BUFF_MASK] & + RXRPC_TX_ANNO_LAST && + summary.nr_acks == call->tx_top - hard_ack && +@@ -873,8 +877,7 @@ static void rxrpc_input_ackall(struct rxrpc_call *call, struct sk_buff *skb) + + _proto("Rx ACKALL %%%u", sp->hdr.serial); + +- rxrpc_rotate_tx_window(call, call->tx_top, &summary); +- if (test_bit(RXRPC_CALL_TX_LAST, &call->flags)) ++ if (rxrpc_rotate_tx_window(call, call->tx_top, &summary)) + rxrpc_end_tx_phase(call, false, "ETL"); + } + +-- +2.17.1 + diff --git a/queue-4.14/rxrpc-fix-connection-level-abort-handling.patch b/queue-4.14/rxrpc-fix-connection-level-abort-handling.patch new file mode 100644 index 00000000000..57138d2cc4a --- /dev/null +++ b/queue-4.14/rxrpc-fix-connection-level-abort-handling.patch 
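Review bot: in the rxrpc_input_ack() hunk of the rxrpc_rotate_tx_window() patch above, the call to rxrpc_end_tx_phase(call, false, "ETA") moved from after the `if (nr_acks > 0)` block to before it, so an ACK that rotates the last packet now returns without its soft-ACK array being copied or parsed. That ordering change is not mentioned in the commit message, which only talks about replacing the RXRPC_CALL_TX_LAST test with the return value; please say whether skipping soft-ACK processing on that path is intended. The same hunk also changes behaviour when RXRPC_CALL_TX_LAST was set by an earlier rotation and this ACK rotates nothing: the old code ended the Tx phase again, the new code falls through. That looks like the point of the fix, but it deserves a sentence in the message. In rxrpc_receiving_reply() the outer `test_bit(RXRPC_CALL_TX_LAST, ...)` is kept while the inner check uses the return value, so the two sources of truth still coexist there; a comment on why the flag test remains would help.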
@@ -0,0 +1,154 @@ +From e2c3fe34b2c9bebe0dbee9f733bf9d2aae20875a Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Mon, 8 Oct 2018 15:46:17 +0100 +Subject: rxrpc: Fix connection-level abort handling + +[ Upstream commit 647530924f47c93db472ee3cf43b7ef1425581b6 ] + +Fix connection-level abort handling to cache the abort and error codes +properly so that a new incoming call can be properly aborted if it races +with the parent connection being aborted by another CPU. + +The abort_code and error parameters can then be dropped from +rxrpc_abort_calls(). + +Fixes: f5c17aaeb2ae ("rxrpc: Calls should only have one terminal state") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/ar-internal.h | 4 ++-- + net/rxrpc/call_accept.c | 4 ++-- + net/rxrpc/conn_event.c | 26 +++++++++++++++----------- + 3 files changed, 19 insertions(+), 15 deletions(-) + +diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h +index e6c2c4f56fb1..71c7f1dd4599 100644 +--- a/net/rxrpc/ar-internal.h ++++ b/net/rxrpc/ar-internal.h +@@ -424,8 +424,7 @@ struct rxrpc_connection { + spinlock_t state_lock; /* state-change lock */ + enum rxrpc_conn_cache_state cache_state; + enum rxrpc_conn_proto_state state; /* current state of connection */ +- u32 local_abort; /* local abort code */ +- u32 remote_abort; /* remote abort code */ ++ u32 abort_code; /* Abort code of connection abort */ + int debug_id; /* debug ID for printks */ + atomic_t serial; /* packet serial number counter */ + unsigned int hi_serial; /* highest serial number received */ +@@ -435,6 +434,7 @@ struct rxrpc_connection { + u8 security_size; /* security header size */ + u8 security_ix; /* security type */ + u8 out_clientflag; /* RXRPC_CLIENT_INITIATED if we are client */ ++ short error; /* Local error code */ + }; + + /* +diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c +index 62b1581d44a5..2dd13f5c47c8 100644 +--- a/net/rxrpc/call_accept.c ++++ b/net/rxrpc/call_accept.c +@@ -418,11 +418,11 @@ 
found_service: + + case RXRPC_CONN_REMOTELY_ABORTED: + rxrpc_set_call_completion(call, RXRPC_CALL_REMOTELY_ABORTED, +- conn->remote_abort, -ECONNABORTED); ++ conn->abort_code, conn->error); + break; + case RXRPC_CONN_LOCALLY_ABORTED: + rxrpc_abort_call("CON", call, sp->hdr.seq, +- conn->local_abort, -ECONNABORTED); ++ conn->abort_code, conn->error); + break; + default: + BUG(); +diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c +index 0435c4167a1a..75ec1ad595b7 100644 +--- a/net/rxrpc/conn_event.c ++++ b/net/rxrpc/conn_event.c +@@ -117,7 +117,7 @@ static void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn, + + switch (chan->last_type) { + case RXRPC_PACKET_TYPE_ABORT: +- _proto("Tx ABORT %%%u { %d } [re]", serial, conn->local_abort); ++ _proto("Tx ABORT %%%u { %d } [re]", serial, conn->abort_code); + break; + case RXRPC_PACKET_TYPE_ACK: + trace_rxrpc_tx_ack(NULL, serial, chan->last_seq, 0, +@@ -135,13 +135,12 @@ static void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn, + * pass a connection-level abort onto all calls on that connection + */ + static void rxrpc_abort_calls(struct rxrpc_connection *conn, +- enum rxrpc_call_completion compl, +- u32 abort_code, int error) ++ enum rxrpc_call_completion compl) + { + struct rxrpc_call *call; + int i; + +- _enter("{%d},%x", conn->debug_id, abort_code); ++ _enter("{%d},%x", conn->debug_id, conn->abort_code); + + spin_lock(&conn->channel_lock); + +@@ -153,9 +152,11 @@ static void rxrpc_abort_calls(struct rxrpc_connection *conn, + if (compl == RXRPC_CALL_LOCALLY_ABORTED) + trace_rxrpc_abort("CON", call->cid, + call->call_id, 0, +- abort_code, error); ++ conn->abort_code, ++ conn->error); + if (rxrpc_set_call_completion(call, compl, +- abort_code, error)) ++ conn->abort_code, ++ conn->error)) + rxrpc_notify_socket(call); + } + } +@@ -188,10 +189,12 @@ static int rxrpc_abort_connection(struct rxrpc_connection *conn, + return 0; + } + ++ conn->error = error; ++ conn->abort_code = abort_code; + 
conn->state = RXRPC_CONN_LOCALLY_ABORTED; + spin_unlock_bh(&conn->state_lock); + +- rxrpc_abort_calls(conn, RXRPC_CALL_LOCALLY_ABORTED, abort_code, error); ++ rxrpc_abort_calls(conn, RXRPC_CALL_LOCALLY_ABORTED); + + msg.msg_name = &conn->params.peer->srx.transport; + msg.msg_namelen = conn->params.peer->srx.transport_len; +@@ -210,7 +213,7 @@ static int rxrpc_abort_connection(struct rxrpc_connection *conn, + whdr._rsvd = 0; + whdr.serviceId = htons(conn->service_id); + +- word = htonl(conn->local_abort); ++ word = htonl(conn->abort_code); + + iov[0].iov_base = &whdr; + iov[0].iov_len = sizeof(whdr); +@@ -221,7 +224,7 @@ static int rxrpc_abort_connection(struct rxrpc_connection *conn, + + serial = atomic_inc_return(&conn->serial); + whdr.serial = htonl(serial); +- _proto("Tx CONN ABORT %%%u { %d }", serial, conn->local_abort); ++ _proto("Tx CONN ABORT %%%u { %d }", serial, conn->abort_code); + + ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len); + if (ret < 0) { +@@ -289,9 +292,10 @@ static int rxrpc_process_event(struct rxrpc_connection *conn, + abort_code = ntohl(wtmp); + _proto("Rx ABORT %%%u { ac=%d }", sp->hdr.serial, abort_code); + ++ conn->error = -ECONNABORTED; ++ conn->abort_code = abort_code; + conn->state = RXRPC_CONN_REMOTELY_ABORTED; +- rxrpc_abort_calls(conn, RXRPC_CALL_REMOTELY_ABORTED, +- abort_code, -ECONNABORTED); ++ rxrpc_abort_calls(conn, RXRPC_CALL_REMOTELY_ABORTED); + return -ECONNABORTED; + + case RXRPC_PACKET_TYPE_CHALLENGE: +-- +2.17.1 + diff --git a/queue-4.14/rxrpc-only-take-the-rwind-and-mtu-values-from-latest.patch b/queue-4.14/rxrpc-only-take-the-rwind-and-mtu-values-from-latest.patch new file mode 100644 index 00000000000..50e62f4d42f --- /dev/null +++ b/queue-4.14/rxrpc-only-take-the-rwind-and-mtu-values-from-latest.patch 
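Review bot: in the conn_event.c hunks of the connection-level abort patch above, rxrpc_abort_connection() stores conn->error and conn->abort_code before conn->state while holding conn->state_lock, but the RXRPC_PACKET_TYPE_ABORT case in rxrpc_process_event() makes the same three stores with no lock visible in the hunk. The commit message says the goal is to let a new incoming call racing on another CPU pick up the cached codes, and call_accept.c reads conn->abort_code and conn->error after switching on the connection state, so the reader depends on the codes being visible before the state. Either take state_lock around the remote-abort stores as the local path does, or document what ordering guarantee makes the unlocked stores safe. Minor: the new `short error` field holds a negative errno and is passed where an int was passed before; a comment noting the expected range would make the narrowing obviously deliberate.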
@@ -0,0 +1,58 @@ +From 5d2c08bd6887a5038e72f523b3edc53add313b7b Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Mon, 8 Oct 2018 15:46:11 +0100 +Subject: rxrpc: Only take the rwind and mtu values from latest ACK + +[ Upstream commit 298bc15b2079c324e82d0a6fda39c3d762af7282 ] + +Move the out-of-order and duplicate ACK packet check to before the call to +rxrpc_input_ackinfo() so that the receive window size and MTU size are only +checked in the latest ACK packet and don't regress. + +Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/input.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c +index 3a501bf0fc1a..ea506a77f3c8 100644 +--- a/net/rxrpc/input.c ++++ b/net/rxrpc/input.c +@@ -806,6 +806,16 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb, + rxrpc_propose_ack_respond_to_ack); + } + ++ /* Discard any out-of-order or duplicate ACKs. */ ++ if (before_eq(sp->hdr.serial, call->acks_latest)) { ++ _debug("discard ACK %d <= %d", ++ sp->hdr.serial, call->acks_latest); ++ return; ++ } ++ call->acks_latest_ts = skb->tstamp; ++ call->acks_latest = sp->hdr.serial; ++ ++ /* Parse rwind and mtu sizes if provided. */ + ioffset = offset + nr_acks + 3; + if (skb->len >= ioffset + sizeof(buf.info)) { + if (skb_copy_bits(skb, ioffset, &buf.info, sizeof(buf.info)) < 0) +@@ -827,15 +837,6 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb, + return; + } + +- /* Discard any out-of-order or duplicate ACKs. 
*/ +- if (before_eq(sp->hdr.serial, call->acks_latest)) { +- _debug("discard ACK %d <= %d", +- sp->hdr.serial, call->acks_latest); +- return; +- } +- call->acks_latest_ts = skb->tstamp; +- call->acks_latest = sp->hdr.serial; +- + if (before(hard_ack, call->tx_hard_ack) || + after(hard_ack, call->tx_top)) + return rxrpc_proto_abort("AKW", call, 0); +-- +2.17.1 + diff --git a/queue-4.14/s390-qeth-fix-error-handling-in-adapter-command-call.patch b/queue-4.14/s390-qeth-fix-error-handling-in-adapter-command-call.patch new file mode 100644 index 00000000000..5395a528188 --- /dev/null +++ b/queue-4.14/s390-qeth-fix-error-handling-in-adapter-command-call.patch 
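Review bot: in the rxrpc_input_ack() hunks of the rwind/mtu patch above, call->acks_latest and call->acks_latest_ts are now updated before the ackinfo trailer is length-checked and copied with skb_copy_bits(), and before the early `return;` that used to precede the duplicate check. An ACK that is dropped by one of those later checks therefore still advances acks_latest, and any older-serial ACK arriving afterwards is discarded. If that is acceptable, say so in the commit message; otherwise keep the before_eq() test where it was moved to but defer the two assignments until the packet has passed the checks that can reject it.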
@@ -0,0 +1,220 @@ +From 4604265508b1754702731011cdb097b49b0f814b Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann +Date: Thu, 19 Apr 2018 12:52:06 +0200 +Subject: s390/qeth: fix error handling in adapter command callbacks + +[ Upstream commit 686c97ee29c886ee07d17987d0059874c5c3b5af ] + +Make sure to check both return code fields before(!) processing the +command response. Otherwise we risk operating on invalid data. + +This matches an earlier fix for SETASSPARMS commands, see +commit ad3cbf613329 ("s390/qeth: fix error handling in checksum cmd callback"). + +Signed-off-by: Julian Wiedmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/qeth_core_main.c | 85 ++++++++++++++----------------- + 1 file changed, 37 insertions(+), 48 deletions(-) + +diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c +index 4f2747cd15a6..169dd7127f9e 100644 +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -3001,28 +3001,23 @@ static int qeth_send_startlan(struct qeth_card *card) + return rc; + } + +-static int qeth_default_setadapterparms_cb(struct qeth_card *card, +- struct qeth_reply *reply, unsigned long data) ++static int qeth_setadpparms_inspect_rc(struct qeth_ipa_cmd *cmd) + { +- struct qeth_ipa_cmd *cmd; +- +- QETH_CARD_TEXT(card, 4, "defadpcb"); +- +- cmd = (struct qeth_ipa_cmd *) data; +- if (cmd->hdr.return_code == 0) ++ if (!cmd->hdr.return_code) + cmd->hdr.return_code = + cmd->data.setadapterparms.hdr.return_code; +- return 0; ++ return cmd->hdr.return_code; + } + + static int qeth_query_setadapterparms_cb(struct qeth_card *card, + struct qeth_reply *reply, unsigned long data) + { +- struct qeth_ipa_cmd *cmd; ++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data; + + QETH_CARD_TEXT(card, 3, "quyadpcb"); ++ if (qeth_setadpparms_inspect_rc(cmd)) ++ return 0; + +- cmd = (struct qeth_ipa_cmd *) data; + if (cmd->data.setadapterparms.data.query_cmds_supp.lan_type & 0x7f) { + 
card->info.link_type = + cmd->data.setadapterparms.data.query_cmds_supp.lan_type; +@@ -3030,7 +3025,7 @@ static int qeth_query_setadapterparms_cb(struct qeth_card *card, + } + card->options.adp.supported_funcs = + cmd->data.setadapterparms.data.query_cmds_supp.supported_cmds; +- return qeth_default_setadapterparms_cb(card, reply, (unsigned long)cmd); ++ return 0; + } + + static struct qeth_cmd_buffer *qeth_get_adapter_cmd(struct qeth_card *card, +@@ -3122,22 +3117,20 @@ EXPORT_SYMBOL_GPL(qeth_query_ipassists); + static int qeth_query_switch_attributes_cb(struct qeth_card *card, + struct qeth_reply *reply, unsigned long data) + { +- struct qeth_ipa_cmd *cmd; +- struct qeth_switch_info *sw_info; ++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data; + struct qeth_query_switch_attributes *attrs; ++ struct qeth_switch_info *sw_info; + + QETH_CARD_TEXT(card, 2, "qswiatcb"); +- cmd = (struct qeth_ipa_cmd *) data; +- sw_info = (struct qeth_switch_info *)reply->param; +- if (cmd->data.setadapterparms.hdr.return_code == 0) { +- attrs = &cmd->data.setadapterparms.data.query_switch_attributes; +- sw_info->capabilities = attrs->capabilities; +- sw_info->settings = attrs->settings; +- QETH_CARD_TEXT_(card, 2, "%04x%04x", sw_info->capabilities, +- sw_info->settings); +- } +- qeth_default_setadapterparms_cb(card, reply, (unsigned long) cmd); ++ if (qeth_setadpparms_inspect_rc(cmd)) ++ return 0; + ++ sw_info = (struct qeth_switch_info *)reply->param; ++ attrs = &cmd->data.setadapterparms.data.query_switch_attributes; ++ sw_info->capabilities = attrs->capabilities; ++ sw_info->settings = attrs->settings; ++ QETH_CARD_TEXT_(card, 2, "%04x%04x", sw_info->capabilities, ++ sw_info->settings); + return 0; + } + +@@ -4188,16 +4181,13 @@ EXPORT_SYMBOL_GPL(qeth_do_send_packet); + static int qeth_setadp_promisc_mode_cb(struct qeth_card *card, + struct qeth_reply *reply, unsigned long data) + { +- struct qeth_ipa_cmd *cmd; ++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data; + 
struct qeth_ipacmd_setadpparms *setparms; + + QETH_CARD_TEXT(card, 4, "prmadpcb"); + +- cmd = (struct qeth_ipa_cmd *) data; + setparms = &(cmd->data.setadapterparms); +- +- qeth_default_setadapterparms_cb(card, reply, (unsigned long)cmd); +- if (cmd->hdr.return_code) { ++ if (qeth_setadpparms_inspect_rc(cmd)) { + QETH_CARD_TEXT_(card, 4, "prmrc%x", cmd->hdr.return_code); + setparms->data.mode = SET_PROMISC_MODE_OFF; + } +@@ -4267,11 +4257,12 @@ EXPORT_SYMBOL_GPL(qeth_get_stats); + static int qeth_setadpparms_change_macaddr_cb(struct qeth_card *card, + struct qeth_reply *reply, unsigned long data) + { +- struct qeth_ipa_cmd *cmd; ++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data; + + QETH_CARD_TEXT(card, 4, "chgmaccb"); ++ if (qeth_setadpparms_inspect_rc(cmd)) ++ return 0; + +- cmd = (struct qeth_ipa_cmd *) data; + if (!card->options.layer2 || + !(card->info.mac_bits & QETH_LAYER2_MAC_READ)) { + memcpy(card->dev->dev_addr, +@@ -4279,7 +4270,6 @@ static int qeth_setadpparms_change_macaddr_cb(struct qeth_card *card, + OSA_ADDR_LEN); + card->info.mac_bits |= QETH_LAYER2_MAC_READ; + } +- qeth_default_setadapterparms_cb(card, reply, (unsigned long) cmd); + return 0; + } + +@@ -4310,13 +4300,15 @@ EXPORT_SYMBOL_GPL(qeth_setadpparms_change_macaddr); + static int qeth_setadpparms_set_access_ctrl_cb(struct qeth_card *card, + struct qeth_reply *reply, unsigned long data) + { +- struct qeth_ipa_cmd *cmd; ++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data; + struct qeth_set_access_ctrl *access_ctrl_req; + int fallback = *(int *)reply->param; + + QETH_CARD_TEXT(card, 4, "setaccb"); ++ if (cmd->hdr.return_code) ++ return 0; ++ qeth_setadpparms_inspect_rc(cmd); + +- cmd = (struct qeth_ipa_cmd *) data; + access_ctrl_req = &cmd->data.setadapterparms.data.set_access_ctrl; + QETH_DBF_TEXT_(SETUP, 2, "setaccb"); + QETH_DBF_TEXT_(SETUP, 2, "%s", card->gdev->dev.kobj.name); +@@ -4389,7 +4381,6 @@ static int qeth_setadpparms_set_access_ctrl_cb(struct qeth_card *card, + 
card->options.isolation = card->options.prev_isolation; + break; + } +- qeth_default_setadapterparms_cb(card, reply, (unsigned long) cmd); + return 0; + } + +@@ -4677,14 +4668,15 @@ out: + static int qeth_setadpparms_query_oat_cb(struct qeth_card *card, + struct qeth_reply *reply, unsigned long data) + { +- struct qeth_ipa_cmd *cmd; ++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *)data; + struct qeth_qoat_priv *priv; + char *resdata; + int resdatalen; + + QETH_CARD_TEXT(card, 3, "qoatcb"); ++ if (qeth_setadpparms_inspect_rc(cmd)) ++ return 0; + +- cmd = (struct qeth_ipa_cmd *)data; + priv = (struct qeth_qoat_priv *)reply->param; + resdatalen = cmd->data.setadapterparms.hdr.cmdlength; + resdata = (char *)data + 28; +@@ -4778,21 +4770,18 @@ out: + static int qeth_query_card_info_cb(struct qeth_card *card, + struct qeth_reply *reply, unsigned long data) + { +- struct qeth_ipa_cmd *cmd; ++ struct carrier_info *carrier_info = (struct carrier_info *)reply->param; ++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *)data; + struct qeth_query_card_info *card_info; +- struct carrier_info *carrier_info; + + QETH_CARD_TEXT(card, 2, "qcrdincb"); +- carrier_info = (struct carrier_info *)reply->param; +- cmd = (struct qeth_ipa_cmd *)data; +- card_info = &cmd->data.setadapterparms.data.card_info; +- if (cmd->data.setadapterparms.hdr.return_code == 0) { +- carrier_info->card_type = card_info->card_type; +- carrier_info->port_mode = card_info->port_mode; +- carrier_info->port_speed = card_info->port_speed; +- } ++ if (qeth_setadpparms_inspect_rc(cmd)) ++ return 0; + +- qeth_default_setadapterparms_cb(card, reply, (unsigned long) cmd); ++ card_info = &cmd->data.setadapterparms.data.card_info; ++ carrier_info->card_type = card_info->card_type; ++ carrier_info->port_mode = card_info->port_mode; ++ carrier_info->port_speed = card_info->port_speed; + return 0; + } + +-- +2.17.1 + 
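Review bot: in the qeth patch above, qeth_setadpparms_set_access_ctrl_cb() is the one callback that does not follow the new pattern. Every other callback does `if (qeth_setadpparms_inspect_rc(cmd)) return 0;`, while this one tests only cmd->hdr.return_code, returns early on that, and then calls qeth_setadpparms_inspect_rc(cmd) with the result ignored. If the intent is that the setadapterparms return code must still reach the code further down in this function, add a comment saying so, because as written it reads like a missed conversion. Related naming point: qeth_setadpparms_inspect_rc() writes cmd->hdr.return_code as a side effect, which "inspect" does not suggest; a one-line comment above the helper would cover it. In qeth_setadp_promisc_mode_cb() the error branch still writes setparms->data.mode into the response buffer after the return code reported failure, which is worth confirming against the commit message's stated goal of not operating on invalid data.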
diff --git a/queue-4.14/scsi-aacraid-address-ubsan-warning-regression.patch b/queue-4.14/scsi-aacraid-address-ubsan-warning-regression.patch new file mode 100644 index 00000000000..1583ecf7435 --- /dev/null +++ b/queue-4.14/scsi-aacraid-address-ubsan-warning-regression.patch 
@@ -0,0 +1,69 @@ +From 9bdc44aeee703a488ac2e5c8ce082ceea34d937a Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 28 Nov 2017 14:25:25 +0100 +Subject: scsi: aacraid: address UBSAN warning regression + +[ Upstream commit d18539754d97876503275efc7d00a1901bb0cfad ] + +As reported by Meelis Roos, my previous patch causes an incorrect +calculation of the timeout, through an undefined signed integer +overflow: + +[ 12.228155] UBSAN: Undefined behaviour in drivers/scsi/aacraid/commsup.c:2514:49 +[ 12.228229] signed integer overflow: +[ 12.228283] 964297611 * 250 cannot be represented in type 'long int' + +The problem is that doing a multiplication with HZ first and then +dividing by USEC_PER_SEC worked correctly for 32-bit microseconds, +but not for 32-bit nanoseconds, which would require up to 41 bits. + +This reworks the calculation to first convert the nanoseconds into +jiffies, which should give us the same result as before and not overflow. + +Unfortunately I did not understand the exact intention of the algorithm, +in particular the part where we add half a second, so it's possible that +there is still a preexisting problem in this function. I added a comment +that this would be handled more nicely using usleep_range(), which +generally works better for waking up at a particular time than the +current schedule_timeout() based implementation. I did not feel +comfortable trying to implement that without being sure what the +intent is here though. + +Fixes: 820f18865912 ("scsi: aacraid: use timespec64 instead of timeval") +Tested-by: Meelis Roos +Signed-off-by: Arnd Bergmann +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/aacraid/commsup.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c +index 998788a967be..3e38bae6ecde 100644 +--- a/drivers/scsi/aacraid/commsup.c ++++ b/drivers/scsi/aacraid/commsup.c +@@ -2506,8 +2506,8 @@ int aac_command_thread(void *data) + /* Synchronize our watches */ + if (((NSEC_PER_SEC - (NSEC_PER_SEC / HZ)) > now.tv_nsec) + && (now.tv_nsec > (NSEC_PER_SEC / HZ))) +- difference = (((NSEC_PER_SEC - now.tv_nsec) * HZ) +- + NSEC_PER_SEC / 2) / NSEC_PER_SEC; ++ difference = HZ + HZ / 2 - ++ now.tv_nsec / (NSEC_PER_SEC / HZ); + else { + if (now.tv_nsec > NSEC_PER_SEC / 2) + ++now.tv_sec; +@@ -2531,6 +2531,10 @@ int aac_command_thread(void *data) + if (kthread_should_stop()) + break; + ++ /* ++ * we probably want usleep_range() here instead of the ++ * jiffies computation ++ */ + schedule_timeout(difference); + + if (kthread_should_stop()) +-- +2.17.1 + diff --git a/queue-4.14/scsi-ibmvfc-avoid-unnecessary-port-relogin.patch b/queue-4.14/scsi-ibmvfc-avoid-unnecessary-port-relogin.patch new file mode 100644 index 00000000000..99d68af30d3 --- /dev/null +++ b/queue-4.14/scsi-ibmvfc-avoid-unnecessary-port-relogin.patch 
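Review bot: in the first aacraid hunk above (aac_command_thread(), "Synchronize our watches"), the new expression is not equivalent to the one it replaces, although the commit message says it should give the same result. In the removed lines the `+ NSEC_PER_SEC / 2` term sits inside the final division by NSEC_PER_SEC, so it rounds the result to the nearest jiffy: roughly HZ minus the jiffies already elapsed in the current second. The added `HZ + HZ / 2 - now.tv_nsec / (NSEC_PER_SEC / HZ)` adds HZ / 2 jiffies, which is half a second, so the sleep is up to half a second longer than before. If the old timing is wanted, something like `HZ - now.tv_nsec / (NSEC_PER_SEC / HZ)` with explicit rounding avoids the overflow without changing the delay; if the longer delay is intended, the commit message should say the value changes. Also note that NSEC_PER_SEC / HZ is an integer division, so the result is only exact for HZ values that divide NSEC_PER_SEC.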
@@ -0,0 +1,43 @@ +From d4f098080c76ab32d6feefbc22aaecf51c15a613 Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Wed, 14 Mar 2018 17:13:39 -0500 +Subject: scsi: ibmvfc: Avoid unnecessary port relogin + +[ Upstream commit 09dd15e0d9547ca424de4043bcd429bab6f285c8 ] + +Following an RSCN, ibmvfc will issue an ADISC to determine if the +underlying target has changed, comparing the SCSI ID, WWPN, and WWNN to +determine how to handle the rport in discovery. However, the comparison +of the WWPN and WWNN was performing a memcmp between a big endian field +against a CPU endian field, which resulted in the wrong answer on LE +systems. This was observed as unexpected errors getting logged at boot +time as targets were getting relogins when not needed. + +Signed-off-by: Brian King +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ibmvscsi/ibmvfc.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c +index b491af31a5f8..a06b24a61622 100644 +--- a/drivers/scsi/ibmvscsi/ibmvfc.c ++++ b/drivers/scsi/ibmvscsi/ibmvfc.c +@@ -3580,11 +3580,9 @@ static void ibmvfc_tgt_implicit_logout(struct ibmvfc_target *tgt) + static int ibmvfc_adisc_needs_plogi(struct ibmvfc_passthru_mad *mad, + struct ibmvfc_target *tgt) + { +- if (memcmp(&mad->fc_iu.response[2], &tgt->ids.port_name, +- sizeof(tgt->ids.port_name))) ++ if (wwn_to_u64((u8 *)&mad->fc_iu.response[2]) != tgt->ids.port_name) + return 1; +- if (memcmp(&mad->fc_iu.response[4], &tgt->ids.node_name, +- sizeof(tgt->ids.node_name))) ++ if (wwn_to_u64((u8 *)&mad->fc_iu.response[4]) != tgt->ids.node_name) + return 1; + if (be32_to_cpu(mad->fc_iu.response[6]) != tgt->scsi_id) + return 1; +-- +2.17.1 + diff --git a/queue-4.14/scsi-qla2xxx-avoid-double-completion-of-abort-comman.patch b/queue-4.14/scsi-qla2xxx-avoid-double-completion-of-abort-comman.patch new file mode 100644 index 00000000000..127a1befaa1 --- /dev/null 
+++ b/queue-4.14/scsi-qla2xxx-avoid-double-completion-of-abort-comman.patch @@ -0,0 +1,40 @@ +From e3bfb18a3900bc13c03f2e4e751f748b2bc8f2e0 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Tue, 20 Mar 2018 21:05:48 +0000 +Subject: scsi: qla2xxx: Avoid double completion of abort command + +[ Upstream commit 3a9910d7b686546dcc9986e790af17e148f1c888 ] + +qla2x00_tmf_sp_done() now deletes the timer that will run +qla2x00_tmf_iocb_timeout(), but doesn't check whether the timer already +expired. Check the return value from del_timer() to avoid calling +complete() a second time. + +Fixes: 4440e46d5db7 ("[SCSI] qla2xxx: Add IOCB Abort command asynchronous ...") +Fixes: 1514839b3664 ("scsi: qla2xxx: Fix NULL pointer crash due to active ...") +Signed-off-by: Ben Hutchings +Acked-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_init.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index 1d42d38f5a45..0e19f6bc24ff 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -1365,8 +1365,8 @@ qla24xx_abort_sp_done(void *ptr, int res) + srb_t *sp = ptr; + struct srb_iocb *abt = &sp->u.iocb_cmd; + +- del_timer(&sp->u.iocb_cmd.timer); +- complete(&abt->u.abt.comp); ++ if (del_timer(&sp->u.iocb_cmd.timer)) ++ complete(&abt->u.abt.comp); + } + + int +-- +2.17.1 + diff --git a/queue-4.14/scsi-sd-remember-that-read-capacity-16-succeeded.patch b/queue-4.14/scsi-sd-remember-that-read-capacity-16-succeeded.patch new file mode 100644 index 00000000000..8e8889ee828 --- /dev/null +++ b/queue-4.14/scsi-sd-remember-that-read-capacity-16-succeeded.patch 
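Review bot: in the qla2xxx patch above, the commit message and the hunk name different functions: the message talks about qla2x00_tmf_sp_done() and qla2x00_tmf_iocb_timeout(), while the only hunk changes qla24xx_abort_sp_done(). Please correct the message so that it names the abort completion path that is actually being modified, otherwise anyone auditing the backport will look for a change in the TMF path that is not here. On the logic itself, `if (del_timer(&sp->u.iocb_cmd.timer)) complete(&abt->u.abt.comp);` skips complete() whenever the timer was no longer pending, so correctness now depends on the timeout handler always calling complete() once it has fired; a comment stating that invariant next to the check would make the dependency explicit.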
@@ -0,0 +1,46 @@ +From 54b515f523e4c36975275c902e0a29818962b9ac Mon Sep 17 00:00:00 2001 +From: "Martin K. Petersen" +Date: Wed, 14 Mar 2018 12:15:56 -0400 +Subject: scsi: sd: Remember that READ CAPACITY(16) succeeded + +[ Upstream commit 597d74005ba85e87c256cd732128ebf7faf54247 ] + +The USB storage glue sets the try_rc_10_first flag in an attempt to +avoid wedging poorly implemented legacy USB devices. + +If the device capacity is too large to be expressed in the provided +response buffer field of READ CAPACITY(10), a well-behaved device will +set the reported capacity to 0xFFFFFFFF. We will then attempt to issue a +READ CAPACITY(16) to obtain the real capacity. + +Since this part of the discovery logic is not covered by the first_scan +flag, a warning will be printed a couple of times times per revalidate +attempt if we upgrade from READ CAPACITY(10) to READ CAPACITY(16). + +Remember that we have successfully issued READ CAPACITY(16) so we can +take the fast path on subsequent revalidate attempts. + +Reported-by: Menion +Reviewed-by: Laurence Oberman +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/sd.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index 4a532318b211..b0dd8bdfdf98 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -2497,6 +2497,8 @@ sd_read_capacity(struct scsi_disk *sdkp, unsigned char *buffer) + sector_size = old_sector_size; + goto got_data; + } ++ /* Remember that READ CAPACITY(16) succeeded */ ++ sdp->try_rc_10_first = 0; + } + } + +-- +2.17.1 + diff --git a/queue-4.14/selftests-powerpc-add-ptrace-hw-breakpoint-test.patch b/queue-4.14/selftests-powerpc-add-ptrace-hw-breakpoint-test.patch new file mode 100644 index 00000000000..e70ebb747b5 --- /dev/null +++ b/queue-4.14/selftests-powerpc-add-ptrace-hw-breakpoint-test.patch 
@@ -0,0 +1,398 @@ +From ec8eebac3b967e52b4770b759ed3df00e2d7101c Mon Sep 17 00:00:00 2001 +From: Michael Neuling +Date: Tue, 22 May 2018 16:14:27 +1000 +Subject: selftests/powerpc: Add ptrace hw breakpoint test + +[ Upstream commit 9c2ddfe55c42bf4b9bc336a0650ab78f9222a159 ] + +This test the ptrace hw breakpoints via PTRACE_SET_DEBUGREG and +PPC_PTRACE_SETHWDEBUG. This test was use to find the bugs fixed by +these recent commits: + + 4f7c06e26e powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG + cd6ef7eebf powerpc/ptrace: Fix enforcement of DAWR constraints + +Signed-off-by: Michael Neuling +[mpe: Add SPDX tag, clang format it] +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + .../selftests/powerpc/ptrace/.gitignore | 1 + + .../testing/selftests/powerpc/ptrace/Makefile | 2 +- + .../selftests/powerpc/ptrace/ptrace-hwbreak.c | 342 ++++++++++++++++++ + 3 files changed, 344 insertions(+), 1 deletion(-) + create mode 100644 tools/testing/selftests/powerpc/ptrace/ptrace-hwbreak.c + +diff --git a/tools/testing/selftests/powerpc/ptrace/.gitignore b/tools/testing/selftests/powerpc/ptrace/.gitignore +index 349acfafc95b..9dcc16ea8179 100644 +--- a/tools/testing/selftests/powerpc/ptrace/.gitignore ++++ b/tools/testing/selftests/powerpc/ptrace/.gitignore +@@ -8,3 +8,4 @@ ptrace-vsx + ptrace-tm-vsx + ptrace-tm-spd-vsx + ptrace-tm-spr ++ptrace-hwbreak +diff --git a/tools/testing/selftests/powerpc/ptrace/Makefile b/tools/testing/selftests/powerpc/ptrace/Makefile +index 480305266504..0e2f4601d1a8 100644 +--- a/tools/testing/selftests/powerpc/ptrace/Makefile ++++ b/tools/testing/selftests/powerpc/ptrace/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + TEST_PROGS := ptrace-gpr ptrace-tm-gpr ptrace-tm-spd-gpr \ + ptrace-tar ptrace-tm-tar ptrace-tm-spd-tar ptrace-vsx ptrace-tm-vsx \ +- ptrace-tm-spd-vsx ptrace-tm-spr ++ ptrace-tm-spd-vsx ptrace-tm-spr ptrace-hwbreak + + include ../../lib.mk + +diff --git 
a/tools/testing/selftests/powerpc/ptrace/ptrace-hwbreak.c b/tools/testing/selftests/powerpc/ptrace/ptrace-hwbreak.c +new file mode 100644 +index 000000000000..3066d310f32b +--- /dev/null ++++ b/tools/testing/selftests/powerpc/ptrace/ptrace-hwbreak.c +@@ -0,0 +1,342 @@ ++// SPDX-License-Identifier: GPL-2.0+ ++ ++/* ++ * Ptrace test for hw breakpoints ++ * ++ * Based on tools/testing/selftests/breakpoints/breakpoint_test.c ++ * ++ * This test forks and the parent then traces the child doing various ++ * types of ptrace enabled breakpoints ++ * ++ * Copyright (C) 2018 Michael Neuling, IBM Corporation. ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "ptrace.h" ++ ++/* Breakpoint access modes */ ++enum { ++ BP_X = 1, ++ BP_RW = 2, ++ BP_W = 4, ++}; ++ ++static pid_t child_pid; ++static struct ppc_debug_info dbginfo; ++ ++static void get_dbginfo(void) ++{ ++ int ret; ++ ++ ret = ptrace(PPC_PTRACE_GETHWDBGINFO, child_pid, NULL, &dbginfo); ++ if (ret) { ++ perror("Can't get breakpoint info\n"); ++ exit(-1); ++ } ++} ++ ++static bool hwbreak_present(void) ++{ ++ return (dbginfo.num_data_bps != 0); ++} ++ ++static bool dawr_present(void) ++{ ++ return !!(dbginfo.features & PPC_DEBUG_FEATURE_DATA_BP_DAWR); ++} ++ ++static void set_breakpoint_addr(void *addr) ++{ ++ int ret; ++ ++ ret = ptrace(PTRACE_SET_DEBUGREG, child_pid, 0, addr); ++ if (ret) { ++ perror("Can't set breakpoint addr\n"); ++ exit(-1); ++ } ++} ++ ++static int set_hwbreakpoint_addr(void *addr, int range) ++{ ++ int ret; ++ ++ struct ppc_hw_breakpoint info; ++ ++ info.version = 1; ++ info.trigger_type = PPC_BREAKPOINT_TRIGGER_RW; ++ info.addr_mode = PPC_BREAKPOINT_MODE_EXACT; ++ if (range > 0) ++ info.addr_mode = PPC_BREAKPOINT_MODE_RANGE_INCLUSIVE; ++ info.condition_mode = PPC_BREAKPOINT_CONDITION_NONE; ++ info.addr = (__u64)addr; ++ info.addr2 = (__u64)addr + range; ++ info.condition_value = 0; ++ ++ ret = ptrace(PPC_PTRACE_SETHWDEBUG, 
child_pid, 0, &info); ++ if (ret < 0) { ++ perror("Can't set breakpoint\n"); ++ exit(-1); ++ } ++ return ret; ++} ++ ++static int del_hwbreakpoint_addr(int watchpoint_handle) ++{ ++ int ret; ++ ++ ret = ptrace(PPC_PTRACE_DELHWDEBUG, child_pid, 0, watchpoint_handle); ++ if (ret < 0) { ++ perror("Can't delete hw breakpoint\n"); ++ exit(-1); ++ } ++ return ret; ++} ++ ++#define DAWR_LENGTH_MAX 512 ++ ++/* Dummy variables to test read/write accesses */ ++static unsigned long long ++ dummy_array[DAWR_LENGTH_MAX / sizeof(unsigned long long)] ++ __attribute__((aligned(512))); ++static unsigned long long *dummy_var = dummy_array; ++ ++static void write_var(int len) ++{ ++ long long *plval; ++ char *pcval; ++ short *psval; ++ int *pival; ++ ++ switch (len) { ++ case 1: ++ pcval = (char *)dummy_var; ++ *pcval = 0xff; ++ break; ++ case 2: ++ psval = (short *)dummy_var; ++ *psval = 0xffff; ++ break; ++ case 4: ++ pival = (int *)dummy_var; ++ *pival = 0xffffffff; ++ break; ++ case 8: ++ plval = (long long *)dummy_var; ++ *plval = 0xffffffffffffffffLL; ++ break; ++ } ++} ++ ++static void read_var(int len) ++{ ++ char cval __attribute__((unused)); ++ short sval __attribute__((unused)); ++ int ival __attribute__((unused)); ++ long long lval __attribute__((unused)); ++ ++ switch (len) { ++ case 1: ++ cval = *(char *)dummy_var; ++ break; ++ case 2: ++ sval = *(short *)dummy_var; ++ break; ++ case 4: ++ ival = *(int *)dummy_var; ++ break; ++ case 8: ++ lval = *(long long *)dummy_var; ++ break; ++ } ++} ++ ++/* ++ * Do the r/w accesses to trigger the breakpoints. And run ++ * the usual traps. 
++ */ ++static void trigger_tests(void) ++{ ++ int len, ret; ++ ++ ret = ptrace(PTRACE_TRACEME, 0, NULL, 0); ++ if (ret) { ++ perror("Can't be traced?\n"); ++ return; ++ } ++ ++ /* Wake up father so that it sets up the first test */ ++ kill(getpid(), SIGUSR1); ++ ++ /* Test write watchpoints */ ++ for (len = 1; len <= sizeof(long); len <<= 1) ++ write_var(len); ++ ++ /* Test read/write watchpoints (on read accesses) */ ++ for (len = 1; len <= sizeof(long); len <<= 1) ++ read_var(len); ++ ++ /* Test when breakpoint is unset */ ++ ++ /* Test write watchpoints */ ++ for (len = 1; len <= sizeof(long); len <<= 1) ++ write_var(len); ++ ++ /* Test read/write watchpoints (on read accesses) */ ++ for (len = 1; len <= sizeof(long); len <<= 1) ++ read_var(len); ++} ++ ++static void check_success(const char *msg) ++{ ++ const char *msg2; ++ int status; ++ ++ /* Wait for the child to SIGTRAP */ ++ wait(&status); ++ ++ msg2 = "Failed"; ++ ++ if (WIFSTOPPED(status) && WSTOPSIG(status) == SIGTRAP) { ++ msg2 = "Child process hit the breakpoint"; ++ } ++ ++ printf("%s Result: [%s]\n", msg, msg2); ++} ++ ++static void launch_watchpoints(char *buf, int mode, int len, ++ struct ppc_debug_info *dbginfo, bool dawr) ++{ ++ const char *mode_str; ++ unsigned long data = (unsigned long)(dummy_var); ++ int wh, range; ++ ++ data &= ~0x7UL; ++ ++ if (mode == BP_W) { ++ data |= (1UL << 1); ++ mode_str = "write"; ++ } else { ++ data |= (1UL << 0); ++ data |= (1UL << 1); ++ mode_str = "read"; ++ } ++ ++ /* Set DABR_TRANSLATION bit */ ++ data |= (1UL << 2); ++ ++ /* use PTRACE_SET_DEBUGREG breakpoints */ ++ set_breakpoint_addr((void *)data); ++ ptrace(PTRACE_CONT, child_pid, NULL, 0); ++ sprintf(buf, "Test %s watchpoint with len: %d ", mode_str, len); ++ check_success(buf); ++ /* Unregister hw brkpoint */ ++ set_breakpoint_addr(NULL); ++ ++ data = (data & ~7); /* remove dabr control bits */ ++ ++ /* use PPC_PTRACE_SETHWDEBUG breakpoint */ ++ if (!(dbginfo->features & 
PPC_DEBUG_FEATURE_DATA_BP_RANGE)) ++ return; /* not supported */ ++ wh = set_hwbreakpoint_addr((void *)data, 0); ++ ptrace(PTRACE_CONT, child_pid, NULL, 0); ++ sprintf(buf, "Test %s watchpoint with len: %d ", mode_str, len); ++ check_success(buf); ++ /* Unregister hw brkpoint */ ++ del_hwbreakpoint_addr(wh); ++ ++ /* try a wider range */ ++ range = 8; ++ if (dawr) ++ range = 512 - ((int)data & (DAWR_LENGTH_MAX - 1)); ++ wh = set_hwbreakpoint_addr((void *)data, range); ++ ptrace(PTRACE_CONT, child_pid, NULL, 0); ++ sprintf(buf, "Test %s watchpoint with len: %d ", mode_str, len); ++ check_success(buf); ++ /* Unregister hw brkpoint */ ++ del_hwbreakpoint_addr(wh); ++} ++ ++/* Set the breakpoints and check the child successfully trigger them */ ++static int launch_tests(bool dawr) ++{ ++ char buf[1024]; ++ int len, i, status; ++ ++ struct ppc_debug_info dbginfo; ++ ++ i = ptrace(PPC_PTRACE_GETHWDBGINFO, child_pid, NULL, &dbginfo); ++ if (i) { ++ perror("Can't set breakpoint info\n"); ++ exit(-1); ++ } ++ if (!(dbginfo.features & PPC_DEBUG_FEATURE_DATA_BP_RANGE)) ++ printf("WARNING: Kernel doesn't support PPC_PTRACE_SETHWDEBUG\n"); ++ ++ /* Write watchpoint */ ++ for (len = 1; len <= sizeof(long); len <<= 1) ++ launch_watchpoints(buf, BP_W, len, &dbginfo, dawr); ++ ++ /* Read-Write watchpoint */ ++ for (len = 1; len <= sizeof(long); len <<= 1) ++ launch_watchpoints(buf, BP_RW, len, &dbginfo, dawr); ++ ++ ptrace(PTRACE_CONT, child_pid, NULL, 0); ++ ++ /* ++ * Now we have unregistered the breakpoint, access by child ++ * should not cause SIGTRAP. 
++ */ ++ ++ wait(&status); ++ ++ if (WIFSTOPPED(status) && WSTOPSIG(status) == SIGTRAP) { ++ printf("FAIL: Child process hit the breakpoint, which is not expected\n"); ++ ptrace(PTRACE_CONT, child_pid, NULL, 0); ++ return TEST_FAIL; ++ } ++ ++ if (WIFEXITED(status)) ++ printf("Child exited normally\n"); ++ ++ return TEST_PASS; ++} ++ ++static int ptrace_hwbreak(void) ++{ ++ pid_t pid; ++ int ret; ++ bool dawr; ++ ++ pid = fork(); ++ if (!pid) { ++ trigger_tests(); ++ return 0; ++ } ++ ++ wait(NULL); ++ ++ child_pid = pid; ++ ++ get_dbginfo(); ++ SKIP_IF(!hwbreak_present()); ++ dawr = dawr_present(); ++ ++ ret = launch_tests(dawr); ++ ++ wait(NULL); ++ ++ return ret; ++} ++ ++int main(int argc, char **argv, char **envp) ++{ ++ return test_harness(ptrace_hwbreak, "ptrace-hwbreak"); ++} +-- +2.17.1 + diff --git a/queue-4.14/selftests-rtnetlink.sh-explicitly-requires-bash.patch b/queue-4.14/selftests-rtnetlink.sh-explicitly-requires-bash.patch new file mode 100644 index 00000000000..78dd78646b6 --- /dev/null +++ b/queue-4.14/selftests-rtnetlink.sh-explicitly-requires-bash.patch 
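Review bot: in ptrace-hwbreak.c, check_success() returns void and only prints "Failed" when the child does not stop with SIGTRAP, so launch_tests() still returns TEST_PASS when an expected watchpoint never fires; the only TEST_FAIL path is the unexpected trap after the breakpoints are removed. Have check_success() return a status and propagate it through launch_watchpoints() to launch_tests(). Two smaller points in the same file: the three sprintf() calls in launch_watchpoints() build the identical "Test %s watchpoint with len: %d " string for the PTRACE_SET_DEBUGREG, exact PPC_PTRACE_SETHWDEBUG and range cases, so the output cannot tell them apart, and `len` is used only in that string. The perror() text after PPC_PTRACE_GETHWDBGINFO in launch_tests() says "Can't set breakpoint info" although the call is a get.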
@@ -0,0 +1,33 @@ +From 6560fba319a41080fa4b08ec84572314f1d41fe2 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Thu, 11 Oct 2018 10:54:52 +0200 +Subject: selftests: rtnetlink.sh explicitly requires bash. + +[ Upstream commit 3c718e677c2b35b449992adc36ecce883c467e98 ] + +the script rtnetlink.sh requires a bash-only features (sleep with sub-second +precision). This may cause random test failure if the default shell is not +bash. +Address the above explicitly requiring bash as the script interpreter. + +Fixes: 33b01b7b4f19 ("selftests: add rtnetlink test script") +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/rtnetlink.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh +index 57b5ff576240..891130daac7c 100755 +--- a/tools/testing/selftests/net/rtnetlink.sh ++++ b/tools/testing/selftests/net/rtnetlink.sh +@@ -1,4 +1,4 @@ +-#!/bin/sh ++#!/bin/bash + # + # This test is for checking rtnetlink callpaths, and get as much coverage as possible. + # +-- +2.17.1 + diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..d80bb8389fe --- /dev/null +++ b/queue-4.14/series 
@@ -0,0 +1,105 @@ +xfrm-validate-address-prefix-lengths-in-the-xfrm-sel.patch +xfrm6-call-kfree_skb-when-skb-is-toobig.patch +xfrm-reset-transport-header-back-to-network-header-a.patch +xfrm-reset-crypto_done-when-iterating-over-multiple-.patch +mac80211-always-report-tx-status.patch +cfg80211-reg-init-wiphy_idx-in-regulatory_hint_core.patch +mac80211-fix-pending-queue-hang-due-to-tx_drop.patch +cfg80211-address-some-corner-cases-in-scan-result-ch.patch +mac80211-tdls-fix-skb-queue-priority-assignment.patch +mac80211-fix-tx-status-reporting-for-ieee80211s.patch +xfrm-fix-null-pointer-dereference-when-skb_dst_force.patch +arm-8799-1-mm-fix-pci_ioremap_io-offset-check.patch +xfrm-validate-template-mode.patch +netfilter-bridge-don-t-sabotage-nf_hook-calls-from-a.patch +arm64-hugetlb-fix-handling-of-young-ptes.patch +arm-dts-bcm63xx-fix-incorrect-interrupt-specifiers.patch +net-macb-clean-64b-dma-addresses-if-they-are-not-det.patch +soc-fsl-qbman-qman-avoid-allocating-from-non-existin.patch +soc-fsl-qe-fix-copy-paste-bug-in-ucc_get_tdm_sync_sh.patch +nl80211-fix-possible-spectre-v1-for-nl80211_txrate_h.patch +mac80211_hwsim-do-not-omit-multicast-announce-of-fir.patch +bluetooth-smp-fix-crash-in-unpairing.patch +pxa168fb-prepare-the-clock.patch +qed-avoid-implicit-enum-conversion-in-qed_set_tunn_c.patch +qed-fix-mask-parameter-in-qed_vf_prep_tunn_req_tlv.patch +qed-avoid-implicit-enum-conversion-in-qed_roce_mode_.patch +qed-avoid-constant-logical-operation-warning-in-qed_.patch +qed-avoid-implicit-enum-conversion-in-qed_iwarp_pars.patch +nl80211-fix-possible-spectre-v1-for-cqm-rssi-thresho.patch +asix-check-for-supported-wake-on-lan-modes.patch +ax88179_178a-check-for-supported-wake-on-lan-modes.patch +lan78xx-check-for-supported-wake-on-lan-modes.patch +sr9800-check-for-supported-wake-on-lan-modes.patch +r8152-check-for-supported-wake-on-lan-modes.patch +smsc75xx-check-for-wake-on-lan-modes.patch +smsc95xx-check-for-wake-on-lan-modes.patch 
+cfg80211-fix-use-after-free-in-reg_process_hint.patch +perf-core-fix-perf_pmu_unregister-locking.patch +perf-ring_buffer-prevent-concurent-ring-buffer-acces.patch +perf-x86-intel-uncore-fix-pci-bdf-address-of-m3upi-o.patch +perf-x86-amd-uncore-set-threadmask-and-slicemask-for.patch +net-fec-fix-rare-tx-timeout.patch +declance-fix-continuation-with-the-adapter-identific.patch +net-qualcomm-rmnet-skip-processing-loopback-packets.patch +locking-ww_mutex-fix-runtime-warning-in-the-ww-mutex.patch +be2net-don-t-flip-hw_features-when-vxlans-are-added-.patch +net-cxgb3_main-fix-a-missing-check-bug.patch +yam-fix-a-missing-check-bug.patch +ocfs2-fix-crash-in-ocfs2_duplicate_clusters_by_page.patch +iwlwifi-mvm-check-for-short-gi-only-for-ofdm.patch +iwlwifi-dbg-allow-wrt-collection-before-alive.patch +iwlwifi-fix-the-alive-notification-layout.patch +x86-power-fix-some-ordering-bugs-in-__restore_proces.patch +tools-testing-nvdimm-unit-test-clear-error-commands.patch +usbip-vhci_hcd-update-status-file-header-and-format.patch +scsi-aacraid-address-ubsan-warning-regression.patch +ib-ipoib-fix-lockdep-issue-found-on-ipoib_ib_dev_hea.patch +ib-rxe-put-the-pool-on-allocation-failure.patch +s390-qeth-fix-error-handling-in-adapter-command-call.patch +net-mlx5-fix-mlx5_get_vector_affinity-function.patch +powerpc-pseries-add-empty-update_numa_cpu_lookup_tab.patch +dm-integrity-fail-early-if-required-hmac-key-is-not-.patch +net-phy-realtek-use-the-dummy-stubs-for-mmd-register.patch +net-phy-add-general-dummy-stubs-for-mmd-register-acc.patch +net-mlx5e-refine-ets-validation-function.patch +scsi-qla2xxx-avoid-double-completion-of-abort-comman.patch +kbuild-set-no-integrated-as-before-incl.-arch-makefi.patch +ib-mlx5-avoid-passing-an-invalid-qp-type-to-firmware.patch +arm-tegra-fix-ulpi-regression-on-tegra20.patch +l2tp-remove-configurable-payload-offset.patch +cifs-use-ull-suffix-for-64-bit-constant.patch +test_bpf-fix-testing-with-config_bpf_jit_always_on-y.patch 
+kvm-x86-update-the-exit_qualification-access-bits-wh.patch +sparc64-fix-regression-in-pmdp_invalidate.patch +tpm-move-the-delay_msec-increment-after-sleep-in-tpm.patch +bpf-sockmap-map_release-does-not-hold-refcnt-for-pin.patch +tpm-tpm_crb-relinquish-locality-on-error-path.patch +xen-netfront-update-features-after-registering-netde.patch +xen-netfront-fix-mismatched-rtnl_unlock.patch +ib-usnic-update-with-bug-fixes-from-core-code.patch +mmc-dw_mmc-rockchip-correct-property-names-in-debug.patch +mips-workaround-gcc-__builtin_unreachable-reordering.patch +lan78xx-don-t-reset-the-interface-on-open.patch +enic-do-not-overwrite-error-code.patch +iio-buffer-fix-the-function-signature-to-match-imple.patch +selftests-powerpc-add-ptrace-hw-breakpoint-test.patch +scsi-ibmvfc-avoid-unnecessary-port-relogin.patch +scsi-sd-remember-that-read-capacity-16-succeeded.patch +btrfs-quota-set-rescan-progress-to-u64-1-if-we-hit-l.patch +net-phy-phylink-don-t-release-null-gpio.patch +x86-paravirt-fix-some-warning-messages.patch +net-stmmac-mark-pm-functions-as-__maybe_unused.patch +kconfig-fix-the-rule-of-mainmenu_stmt-symbol.patch +libertas-call-into-generic-suspend-code-before-turni.patch +perf-tests-fix-indexing-when-invoking-subtests.patch +compiler.h-allow-arch-specific-asm-compiler.h.patch +arm-dts-imx53-qsb-disable-1.2ghz-opp.patch +perf-python-use-wno-redundant-decls-to-build-with-py.patch +rxrpc-don-t-check-rxrpc_call_tx_last-after-calling-r.patch +rxrpc-only-take-the-rwind-and-mtu-values-from-latest.patch +rxrpc-fix-connection-level-abort-handling.patch +net-ena-fix-warning-in-rmmod-caused-by-double-iounma.patch +net-ena-fix-null-dereference-due-to-untimely-napi-in.patch +selftests-rtnetlink.sh-explicitly-requires-bash.patch +fs-fat-fatent.c-add-cond_resched-to-fat_count_free_c.patch diff --git a/queue-4.14/smsc75xx-check-for-wake-on-lan-modes.patch b/queue-4.14/smsc75xx-check-for-wake-on-lan-modes.patch new file mode 100644 index 00000000000..d96b9cba362 --- /dev/null 
+++ b/queue-4.14/smsc75xx-check-for-wake-on-lan-modes.patch @@ -0,0 +1,36 @@ +From 8bc4c33893d4cbacd0e56951a85f1e6e16d3a313 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 28 Sep 2018 16:18:55 -0700 +Subject: smsc75xx: Check for Wake-on-LAN modes + +[ Upstream commit 9c734b2769a73eea2e9e9767c0e0bf839ff23679 ] + +The driver does not check for Wake-on-LAN modes specified by an user, +but will conditionally set the device as wake-up enabled or not based on +that, which could be a very confusing user experience. + +Fixes: 6c636503260d ("smsc75xx: add wol magic packet support") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc75xx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c +index b64b1ee56d2d..ec287c9741e8 100644 +--- a/drivers/net/usb/smsc75xx.c ++++ b/drivers/net/usb/smsc75xx.c +@@ -731,6 +731,9 @@ static int smsc75xx_ethtool_set_wol(struct net_device *net, + struct smsc75xx_priv *pdata = (struct smsc75xx_priv *)(dev->data[0]); + int ret; + ++ if (wolinfo->wolopts & ~SUPPORTED_WAKE) ++ return -EINVAL; ++ + pdata->wolopts = wolinfo->wolopts & SUPPORTED_WAKE; + + ret = device_set_wakeup_enable(&dev->udev->dev, pdata->wolopts); +-- +2.17.1 + diff --git a/queue-4.14/smsc95xx-check-for-wake-on-lan-modes.patch b/queue-4.14/smsc95xx-check-for-wake-on-lan-modes.patch new file mode 100644 index 00000000000..9d3eeffdb45 --- /dev/null +++ b/queue-4.14/smsc95xx-check-for-wake-on-lan-modes.patch 
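Review bot: in the smsc75xx_ethtool_set_wol() hunk, once `if (wolinfo->wolopts & ~SUPPORTED_WAKE) return -EINVAL;` is in place, the mask in the unchanged line `pdata->wolopts = wolinfo->wolopts & SUPPORTED_WAKE;` can no longer remove any bit. Either drop the mask in the same patch or say in the commit message that it is kept on purpose, so the two lines do not read as disagreeing about whether unsupported bits can reach the assignment.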
@@ -0,0 +1,36 @@ +From cef7137dde4345eca393d20fc942d73ec57bb69a Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 28 Sep 2018 16:18:56 -0700 +Subject: smsc95xx: Check for Wake-on-LAN modes + +[ Upstream commit c530c471ba37bdd9fe1c7185b01455c00ae606fb ] + +The driver does not check for Wake-on-LAN modes specified by an user, +but will conditionally set the device as wake-up enabled or not based on +that, which could be a very confusing user experience. + +Fixes: e0e474a83c18 ("smsc95xx: add wol magic packet support") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc95xx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c +index 309b88acd3d0..99e684e39d35 100644 +--- a/drivers/net/usb/smsc95xx.c ++++ b/drivers/net/usb/smsc95xx.c +@@ -774,6 +774,9 @@ static int smsc95xx_ethtool_set_wol(struct net_device *net, + struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); + int ret; + ++ if (wolinfo->wolopts & ~SUPPORTED_WAKE) ++ return -EINVAL; ++ + pdata->wolopts = wolinfo->wolopts & SUPPORTED_WAKE; + + ret = device_set_wakeup_enable(&dev->udev->dev, pdata->wolopts); +-- +2.17.1 + diff --git a/queue-4.14/soc-fsl-qbman-qman-avoid-allocating-from-non-existin.patch b/queue-4.14/soc-fsl-qbman-qman-avoid-allocating-from-non-existin.patch new file mode 100644 index 00000000000..11ea054359c --- /dev/null +++ b/queue-4.14/soc-fsl-qbman-qman-avoid-allocating-from-non-existin.patch 
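Review bot: the smsc95xx_ethtool_set_wol() hunk changes what user space sees, since a request with bits outside SUPPORTED_WAKE now fails with -EINVAL, but the commit message only describes the old behaviour as confusing. State the new return value in the message and name the modes SUPPORTED_WAKE covers, so that someone debugging a failing set-wol call can find the reason from the log.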
@@ -0,0 +1,39 @@ +From 45b9d64cc3c81073e70b636e447a50f6752e1443 Mon Sep 17 00:00:00 2001 +From: Alexandre Belloni +Date: Thu, 23 Aug 2018 23:36:00 +0200 +Subject: soc: fsl: qbman: qman: avoid allocating from non existing gen_pool + +[ Upstream commit 64e9e22e68512da8df3c9a7430f07621e48db3c2 ] + +If the qman driver didn't probe, calling qman_alloc_fqid_range, +qman_alloc_pool_range or qman_alloc_cgrid_range (as done in dpaa_eth) will +pass a NULL pointer to gen_pool_alloc, leading to a NULL pointer +dereference. + +Signed-off-by: Alexandre Belloni +Reviewed-by: Roy Pledge +Signed-off-by: Li Yang +(cherry picked from commit f72487a2788aa70c3aee1d0ebd5470de9bac953a) +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + drivers/soc/fsl/qbman/qman.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/soc/fsl/qbman/qman.c b/drivers/soc/fsl/qbman/qman.c +index 0c6065dba48a..4f27e95efcdd 100644 +--- a/drivers/soc/fsl/qbman/qman.c ++++ b/drivers/soc/fsl/qbman/qman.c +@@ -2699,6 +2699,9 @@ static int qman_alloc_range(struct gen_pool *p, u32 *result, u32 cnt) + { + unsigned long addr; + ++ if (!p) ++ return -ENODEV; ++ + addr = gen_pool_alloc(p, cnt); + if (!addr) + return -ENOMEM; +-- +2.17.1 + diff --git a/queue-4.14/soc-fsl-qe-fix-copy-paste-bug-in-ucc_get_tdm_sync_sh.patch b/queue-4.14/soc-fsl-qe-fix-copy-paste-bug-in-ucc_get_tdm_sync_sh.patch new file mode 100644 index 00000000000..2efa156a563 --- /dev/null +++ b/queue-4.14/soc-fsl-qe-fix-copy-paste-bug-in-ucc_get_tdm_sync_sh.patch 
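Review bot: the `if (!p) return -ENODEV;` added to qman_alloc_range() has no comment, and nothing in the function signature hints that a NULL pool means the qman driver did not probe. A one-line comment to that effect would keep the check from being removed later as dead code. The message names qman_alloc_fqid_range, qman_alloc_pool_range and qman_alloc_cgrid_range while the hunk touches only qman_alloc_range(), so it should also say that those three go through this helper.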
@@ -0,0 +1,37 @@ +From e5ca4611a496a600331d0f1f396c6e5ea0d67bc1 Mon Sep 17 00:00:00 2001 +From: Zhao Qiang +Date: Thu, 1 Feb 2018 14:54:32 +0800 +Subject: soc: fsl: qe: Fix copy/paste bug in ucc_get_tdm_sync_shift() + +[ Upstream commit 96fc74333f84cfdf8d434c6c07254e215e2aad00 ] + +There is a copy and paste bug so we accidentally use the RX_ shift when +we're in TX_ mode. + +Fixes: bb8b2062aff3 ("fsl/qe: setup clock source for TDM mode") +Signed-off-by: Dan Carpenter +Signed-off-by: Zhao Qiang +Signed-off-by: Li Yang +(cherry picked from commit 3cb31b634052ed458922e0c8e2b4b093d7fb60b9) +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + drivers/soc/fsl/qe/ucc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/fsl/qe/ucc.c b/drivers/soc/fsl/qe/ucc.c +index c646d8713861..681f7d4b7724 100644 +--- a/drivers/soc/fsl/qe/ucc.c ++++ b/drivers/soc/fsl/qe/ucc.c +@@ -626,7 +626,7 @@ static u32 ucc_get_tdm_sync_shift(enum comm_dir mode, u32 tdm_num) + { + u32 shift; + +- shift = (mode == COMM_DIR_RX) ? RX_SYNC_SHIFT_BASE : RX_SYNC_SHIFT_BASE; ++ shift = (mode == COMM_DIR_RX) ? RX_SYNC_SHIFT_BASE : TX_SYNC_SHIFT_BASE; + shift -= tdm_num * 2; + + return shift; +-- +2.17.1 + diff --git a/queue-4.14/sparc64-fix-regression-in-pmdp_invalidate.patch b/queue-4.14/sparc64-fix-regression-in-pmdp_invalidate.patch new file mode 100644 index 00000000000..9d9d6a87279 --- /dev/null +++ b/queue-4.14/sparc64-fix-regression-in-pmdp_invalidate.patch 
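Review bot: in ucc_get_tdm_sync_shift(), the corrected ternary still gives every `mode` other than COMM_DIR_RX the TX shift, and `shift -= tdm_num * 2;` on a u32 wraps if tdm_num is larger than the base allows; the visible lines contain no check on either argument. If callers guarantee both, a short comment saying so would help; otherwise an explicit test on `mode` and a bound on `tdm_num` belong here.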
@@ -0,0 +1,76 @@ +From dad594e3b4862ec8e179767e08a32742f2c1dbce Mon Sep 17 00:00:00 2001 +From: "David S. Miller" +Date: Thu, 15 Mar 2018 14:18:00 -0700 +Subject: sparc64: Fix regression in pmdp_invalidate(). + +[ Upstream commit cfb61b5e3e09f8b49bc4d685429df75f45127adc ] + +pmdp_invalidate() was changed to update the pmd atomically +(to not lose dirty/access bits) and return the original pmd +value. + +However, in doing so, we lost a lot of the essential work that +set_pmd_at() does, namely to update hugepage mapping counts and +queuing up the batched TLB flush entry. + +Thus we were not flushing entries out of the TLB when making +such PMD changes. + +Fix this by abstracting the accounting work of set_pmd_at() out into a +separate function, and call it from pmdp_establish(). + +Fixes: a8e654f01cb7 ("sparc64: update pmdp_invalidate() to return old pmd value") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + arch/sparc/mm/tlb.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/arch/sparc/mm/tlb.c b/arch/sparc/mm/tlb.c +index 847ddffbf38a..b5cfab711651 100644 +--- a/arch/sparc/mm/tlb.c ++++ b/arch/sparc/mm/tlb.c +@@ -163,13 +163,10 @@ static void tlb_batch_pmd_scan(struct mm_struct *mm, unsigned long vaddr, + pte_unmap(pte); + } + +-void set_pmd_at(struct mm_struct *mm, unsigned long addr, +- pmd_t *pmdp, pmd_t pmd) +-{ +- pmd_t orig = *pmdp; +- +- *pmdp = pmd; + ++static void __set_pmd_acct(struct mm_struct *mm, unsigned long addr, ++ pmd_t orig, pmd_t pmd) ++{ + if (mm == &init_mm) + return; + +@@ -219,6 +216,15 @@ void set_pmd_at(struct mm_struct *mm, unsigned long addr, + } + } + ++void set_pmd_at(struct mm_struct *mm, unsigned long addr, ++ pmd_t *pmdp, pmd_t pmd) ++{ ++ pmd_t orig = *pmdp; ++ ++ *pmdp = pmd; ++ __set_pmd_acct(mm, addr, orig, pmd); ++} ++ + static inline pmd_t pmdp_establish(struct vm_area_struct *vma, + unsigned long address, pmd_t *pmdp, pmd_t pmd) + { +@@ -227,6 +233,7 @@ static 
inline pmd_t pmdp_establish(struct vm_area_struct *vma, + do { + old = *pmdp; + } while (cmpxchg64(&pmdp->pmd, old.pmd, pmd.pmd) != old.pmd); ++ __set_pmd_acct(vma->vm_mm, address, old, pmd); + + return old; + } +-- +2.17.1 + diff --git a/queue-4.14/sr9800-check-for-supported-wake-on-lan-modes.patch b/queue-4.14/sr9800-check-for-supported-wake-on-lan-modes.patch new file mode 100644 index 00000000000..a11158c2dd0 --- /dev/null +++ b/queue-4.14/sr9800-check-for-supported-wake-on-lan-modes.patch @@ -0,0 +1,36 @@ +From c1328329c97b585efd29a5d014528aa60396af9c Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Fri, 28 Sep 2018 16:18:53 -0700 +Subject: sr9800: Check for supported Wake-on-LAN modes + +[ Upstream commit c5cb93e994ffb43b7b3b1ff10b9f928f54574a36 ] + +The driver currently silently accepts unsupported Wake-on-LAN modes +(other than WAKE_PHY or WAKE_MAGIC) without reporting that to the user, +which is confusing. + +Fixes: 19a38d8e0aa3 ("USB2NET : SR9800 : One chip USB2.0 USB2NET SR9800 Device Driver Support") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/sr9800.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/usb/sr9800.c b/drivers/net/usb/sr9800.c +index 9277a0f228df..35f39f23d881 100644 +--- a/drivers/net/usb/sr9800.c ++++ b/drivers/net/usb/sr9800.c +@@ -421,6 +421,9 @@ sr_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo) + struct usbnet *dev = netdev_priv(net); + u8 opt = 0; + ++ if (wolinfo->wolopts & ~(WAKE_PHY | WAKE_MAGIC)) ++ return -EINVAL; ++ + if (wolinfo->wolopts & WAKE_PHY) + opt |= SR_MONITOR_LINK; + if (wolinfo->wolopts & WAKE_MAGIC) +-- +2.17.1 + diff --git a/queue-4.14/test_bpf-fix-testing-with-config_bpf_jit_always_on-y.patch b/queue-4.14/test_bpf-fix-testing-with-config_bpf_jit_always_on-y.patch new file mode 100644 index 00000000000..7b822d0c8af --- /dev/null 
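Review bot: in the sparc64 tlb.c patch, the new static helper __set_pmd_acct() is added without a comment, although the commit message explains exactly what it does (update the hugepage mapping counts and queue the batched TLB flush). Put that sentence above the helper, and note there that pmdp_establish() must call it after the cmpxchg64() loop with the old value, since forgetting that call is the regression this patch fixes.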
+++ b/queue-4.14/test_bpf-fix-testing-with-config_bpf_jit_always_on-y.patch @@ -0,0 +1,43 @@ +From b1871a8aec3c2583e6a2636d8f75c142a8921bc2 Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Tue, 20 Mar 2018 09:58:51 -0300 +Subject: test_bpf: Fix testing with CONFIG_BPF_JIT_ALWAYS_ON=y on other arches + +[ Upstream commit 52fda36d63bfc8c8e8ae5eda8eb5ac6f52cd67ed ] + +Function bpf_fill_maxinsns11 is designed to not be able to be JITed on +x86_64. So, it fails when CONFIG_BPF_JIT_ALWAYS_ON=y, and +commit 09584b406742 ("bpf: fix selftests/bpf test_kmod.sh failure when +CONFIG_BPF_JIT_ALWAYS_ON=y") makes sure that failure is detected on that +case. + +However, it does not fail on other architectures, which have a different +JIT compiler design. So, test_bpf has started to fail to load on those. + +After this fix, test_bpf loads fine on both x86_64 and ppc64el. + +Fixes: 09584b406742 ("bpf: fix selftests/bpf test_kmod.sh failure when CONFIG_BPF_JIT_ALWAYS_ON=y") +Signed-off-by: Thadeu Lima de Souza Cascardo +Reviewed-by: Yonghong Song +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + lib/test_bpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/test_bpf.c b/lib/test_bpf.c +index 64701b4c9900..75ebf2bbc2ee 100644 +--- a/lib/test_bpf.c ++++ b/lib/test_bpf.c +@@ -5427,7 +5427,7 @@ static struct bpf_test tests[] = { + { + "BPF_MAXINSNS: Jump, gap, jump, ...", + { }, +-#ifdef CONFIG_BPF_JIT_ALWAYS_ON ++#if defined(CONFIG_BPF_JIT_ALWAYS_ON) && defined(CONFIG_X86) + CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, + #else + CLASSIC | FLAG_NO_DATA, +-- +2.17.1 + diff --git a/queue-4.14/tools-testing-nvdimm-unit-test-clear-error-commands.patch b/queue-4.14/tools-testing-nvdimm-unit-test-clear-error-commands.patch new file mode 100644 index 00000000000..f0088e9cf85 --- /dev/null +++ b/queue-4.14/tools-testing-nvdimm-unit-test-clear-error-commands.patch 
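Review bot: the new guard `#if defined(CONFIG_BPF_JIT_ALWAYS_ON) && defined(CONFIG_X86)` in lib/test_bpf.c does not match the commit message, which says the test cannot be JITed on x86_64; CONFIG_X86 is also set on 32-bit x86 builds. Either use CONFIG_X86_64 or explain in the message why 32-bit x86 is expected to fail as well. A short comment next to the #if saying why the expected failure is architecture specific would also help.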
@@ -0,0 +1,57 @@ +From 3bc9ad5b5151a933bcd0a45faebbc84c4b95d642 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Sun, 12 Nov 2017 14:54:23 -0800 +Subject: tools/testing/nvdimm: unit test clear-error commands + +[ Upstream commit fb2a1748355161e050e9f49f1ea9a0ae707a148b ] + +Validate command parsing in acpi_nfit_ctl for the clear error command. +This tests for a crash condition introduced by commit 4b27db7e26cd +"acpi, nfit: add support for the _LSI, _LSR, and _LSW label methods". + +Cc: Vishal Verma +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +--- + tools/testing/nvdimm/test/nfit.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/tools/testing/nvdimm/test/nfit.c b/tools/testing/nvdimm/test/nfit.c +index bef419d4266d..3ad0b3a3317b 100644 +--- a/tools/testing/nvdimm/test/nfit.c ++++ b/tools/testing/nvdimm/test/nfit.c +@@ -1589,6 +1589,7 @@ static int nfit_ctl_test(struct device *dev) + unsigned long mask, cmd_size, offset; + union { + struct nd_cmd_get_config_size cfg_size; ++ struct nd_cmd_clear_error clear_err; + struct nd_cmd_ars_status ars_stat; + struct nd_cmd_ars_cap ars_cap; + char buf[sizeof(struct nd_cmd_ars_status) +@@ -1767,6 +1768,23 @@ static int nfit_ctl_test(struct device *dev) + return -EIO; + } + ++ /* test clear error */ ++ cmd_size = sizeof(cmds.clear_err); ++ cmds.clear_err = (struct nd_cmd_clear_error) { ++ .length = 512, ++ .cleared = 512, ++ }; ++ rc = setup_result(cmds.buf, cmd_size); ++ if (rc) ++ return rc; ++ rc = acpi_nfit_ctl(&acpi_desc->nd_desc, NULL, ND_CMD_CLEAR_ERROR, ++ cmds.buf, cmd_size, &cmd_rc); ++ if (rc < 0 || cmd_rc) { ++ dev_dbg(dev, "%s: failed at: %d rc: %d cmd_rc: %d\n", ++ __func__, __LINE__, rc, cmd_rc); ++ return -EIO; ++ } ++ + return 0; + } + +-- +2.17.1 + diff --git a/queue-4.14/tpm-move-the-delay_msec-increment-after-sleep-in-tpm.patch b/queue-4.14/tpm-move-the-delay_msec-increment-after-sleep-in-tpm.patch new file mode 100644 index 00000000000..3a650cdbe2b --- /dev/null 
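Review bot: the clear-error block added to nfit_ctl_test() checks only `rc < 0 || cmd_rc`, and it fills in `.cleared = 512` itself before the call, so the test passes without ever looking at the command payload after acpi_nfit_ctl() returns. If the aim is to validate command parsing, as the message says, assert on the `cleared` and `length` fields afterwards, or add a comment that this case only guards against the crash.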
+++ b/queue-4.14/tpm-move-the-delay_msec-increment-after-sleep-in-tpm.patch @@ -0,0 +1,48 @@ +From 9334f3f80ca3962589f1ab3627d2b0cedf9bfa39 Mon Sep 17 00:00:00 2001 +From: Nayna Jain +Date: Mon, 2 Apr 2018 21:50:06 +0530 +Subject: tpm: move the delay_msec increment after sleep in tpm_transmit() + +[ Upstream commit 92980756979a9c51be0275f395f4e89c42cf199a ] + +Commit e2fb992d82c6 ("tpm: add retry logic") introduced a new loop to +handle the TPM2_RC_RETRY error. The loop retries the command after +sleeping for the specified time, which is incremented exponentially in +every iteration. + +Unfortunately, the loop doubles the time before sleeping, causing the +initial sleep to be doubled. This patch fixes the initial sleep time. + +Fixes: commit e2fb992d82c6 ("tpm: add retry logic") +Signed-off-by: Nayna Jain +Reviewed-by: Mimi Zohar +Tested-by: Jarkko Sakkinen +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + drivers/char/tpm/tpm-interface.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c +index a2070ab86c82..89d5915b1a3f 100644 +--- a/drivers/char/tpm/tpm-interface.c ++++ b/drivers/char/tpm/tpm-interface.c +@@ -611,12 +611,13 @@ ssize_t tpm_transmit(struct tpm_chip *chip, struct tpm_space *space, + rc = be32_to_cpu(header->return_code); + if (rc != TPM2_RC_RETRY) + break; +- delay_msec *= 2; ++ + if (delay_msec > TPM2_DURATION_LONG) { + dev_err(&chip->dev, "TPM is in retry loop\n"); + break; + } + tpm_msleep(delay_msec); ++ delay_msec *= 2; + memcpy(buf, save, save_size); + } + return ret; +-- +2.17.1 + diff --git a/queue-4.14/tpm-tpm_crb-relinquish-locality-on-error-path.patch b/queue-4.14/tpm-tpm_crb-relinquish-locality-on-error-path.patch new file mode 100644 index 00000000000..3911d4bb0e2 --- /dev/null +++ b/queue-4.14/tpm-tpm_crb-relinquish-locality-on-error-path.patch 
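Review bot: in the tpm_transmit() hunk, moving `delay_msec *= 2;` below tpm_msleep() also changes what the `if (delay_msec > TPM2_DURATION_LONG)` test sees: it now compares the value about to be slept rather than the doubled one, so the loop performs one more retry before reporting "TPM is in retry loop". The commit message mentions only the initial sleep; it should state this second effect. The empty `+` line left where the statement was removed can be dropped.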
@@ -0,0 +1,60 @@ +From 2670a7d1a87458370ce0ed4ec3e9a1149dbef658 Mon Sep 17 00:00:00 2001 +From: "Winkler, Tomas" +Date: Sat, 7 Apr 2018 19:12:36 +0300 +Subject: tpm: tpm_crb: relinquish locality on error path. + +[ Upstream commit 1fbad3028664e114d210dc65d768947a3a553eaa ] + +In crb_map_io() function, __crb_request_locality() is called prior +to crb_cmd_ready(), but if one of the consecutive function fails +the flow bails out instead of trying to relinquish locality. +This patch adds goto jump to __crb_relinquish_locality() on the error path. + +Fixes: 888d867df441 (tpm: cmd_ready command can be issued only after granting locality) +Signed-off-by: Tomas Winkler +Tested-by: Jarkko Sakkinen +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + drivers/char/tpm/tpm_crb.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c +index 5c7ce5aaaf6f..b4ad169836e9 100644 +--- a/drivers/char/tpm/tpm_crb.c ++++ b/drivers/char/tpm/tpm_crb.c +@@ -520,8 +520,10 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv, + + priv->regs_t = crb_map_res(dev, priv, &io_res, buf->control_address, + sizeof(struct crb_regs_tail)); +- if (IS_ERR(priv->regs_t)) +- return PTR_ERR(priv->regs_t); ++ if (IS_ERR(priv->regs_t)) { ++ ret = PTR_ERR(priv->regs_t); ++ goto out_relinquish_locality; ++ } + + /* + * PTT HW bug w/a: wake up the device to access +@@ -529,7 +531,7 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv, + */ + ret = __crb_cmd_ready(dev, priv); + if (ret) +- return ret; ++ goto out_relinquish_locality; + + pa_high = ioread32(&priv->regs_t->ctrl_cmd_pa_high); + pa_low = ioread32(&priv->regs_t->ctrl_cmd_pa_low); +@@ -574,6 +576,8 @@ out: + + __crb_go_idle(dev, priv); + ++out_relinquish_locality: ++ + __crb_relinquish_locality(dev, priv, 0); + + return ret; +-- +2.17.1 + 
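Review bot: in crb_map_io(), the existing `out:` path now falls through __crb_go_idle() into the new `out_relinquish_locality:` label, while the two new gotos skip __crb_go_idle(); that ordering is deliberate but undocumented. Add a short comment at the label saying that the early failures jump here because the device was never made ready, and remove the blank line between the label and `__crb_relinquish_locality(dev, priv, 0);`.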
diff --git a/queue-4.14/usbip-vhci_hcd-update-status-file-header-and-format.patch b/queue-4.14/usbip-vhci_hcd-update-status-file-header-and-format.patch new file mode 100644 index 00000000000..021bcbe56de --- /dev/null +++ b/queue-4.14/usbip-vhci_hcd-update-status-file-header-and-format.patch 
@@ -0,0 +1,67 @@ +From 947dc6d0315fec4fe932cff5334ecdf4435a4af6 Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Thu, 18 Jan 2018 17:25:30 -0700 +Subject: usbip: vhci_hcd: update 'status' file header and format + +[ Upstream commit 5468099c747240ed97dbb34340fece8ca87be34f ] + +Commit 2f2d0088eb93 +("usbip: prevent vhci_hcd driver from leaking a socket pointer address") +in the /sys/devices/platform/vhci_hcd/status. + +Fix the header and field alignment to reflect the changes and make it +easier to read. + +Signed-off-by: Shuah Khan +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/usbip/vhci_sysfs.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c +index 4a22a9f06d96..eb7898353457 100644 +--- a/drivers/usb/usbip/vhci_sysfs.c ++++ b/drivers/usb/usbip/vhci_sysfs.c +@@ -34,10 +34,10 @@ + + /* + * output example: +- * hub port sta spd dev sockfd local_busid +- * hs 0000 004 000 00000000 3 1-2.3 ++ * hub port sta spd dev sockfd local_busid ++ * hs 0000 004 000 00000000 000003 1-2.3 + * ................................................ +- * ss 0008 004 000 00000000 4 2-3.4 ++ * ss 0008 004 000 00000000 000004 2-3.4 + * ................................................ 
+ * + * Output includes socket fd instead of socket pointer address to avoid +@@ -61,13 +61,13 @@ static void port_show_vhci(char **out, int hub, int port, struct vhci_device *vd + if (vdev->ud.status == VDEV_ST_USED) { + *out += sprintf(*out, "%03u %08x ", + vdev->speed, vdev->devid); +- *out += sprintf(*out, "%u %s", ++ *out += sprintf(*out, "%06u %s", + vdev->ud.sockfd, + dev_name(&vdev->udev->dev)); + + } else { + *out += sprintf(*out, "000 00000000 "); +- *out += sprintf(*out, "0000000000000000 0-0"); ++ *out += sprintf(*out, "000000 0-0"); + } + + *out += sprintf(*out, "\n"); +@@ -165,7 +165,7 @@ static ssize_t status_show(struct device *dev, + int pdev_nr; + + out += sprintf(out, +- "hub port sta spd dev socket local_busid\n"); ++ "hub port sta spd dev sockfd local_busid\n"); + + pdev_nr = status_name_to_id(attr->attr.name); + if (pdev_nr < 0) +-- +2.17.1 + diff --git a/queue-4.14/x86-paravirt-fix-some-warning-messages.patch b/queue-4.14/x86-paravirt-fix-some-warning-messages.patch new file mode 100644 index 00000000000..2744836d51a --- /dev/null +++ b/queue-4.14/x86-paravirt-fix-some-warning-messages.patch 
@@ -0,0 +1,49 @@ +From 9228f85982060b7a0740e6ae4df9228954787736 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 19 Sep 2018 13:35:53 +0300 +Subject: x86/paravirt: Fix some warning messages + +[ Upstream commit 571d0563c8881595f4ab027aef9ed1c55e3e7b7c ] + +The first argument to WARN_ONCE() is a condition. + +Fixes: 5800dc5c19f3 ("x86/paravirt: Fix spectre-v2 mitigations for paravirt guests") +Signed-off-by: Dan Carpenter +Signed-off-by: Thomas Gleixner +Reviewed-by: Juergen Gross +Cc: Peter Zijlstra +Cc: Alok Kataria +Cc: "H. Peter Anvin" +Cc: virtualization@lists.linux-foundation.org +Cc: kernel-janitors@vger.kernel.org +Link: https://lkml.kernel.org/r/20180919103553.GD9238@mwanda +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/paravirt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/paravirt.c b/arch/x86/kernel/paravirt.c +index f3559b84cd75..04da826381c9 100644 +--- a/arch/x86/kernel/paravirt.c ++++ b/arch/x86/kernel/paravirt.c +@@ -90,7 +90,7 @@ unsigned paravirt_patch_call(void *insnbuf, + + if (len < 5) { + #ifdef CONFIG_RETPOLINE +- WARN_ONCE("Failing to patch indirect CALL in %ps\n", (void *)addr); ++ WARN_ONCE(1, "Failing to patch indirect CALL in %ps\n", (void *)addr); + #endif + return len; /* call too long for patch site */ + } +@@ -110,7 +110,7 @@ unsigned paravirt_patch_jmp(void *insnbuf, const void *target, + + if (len < 5) { + #ifdef CONFIG_RETPOLINE +- WARN_ONCE("Failing to patch indirect JMP in %ps\n", (void *)addr); ++ WARN_ONCE(1, "Failing to patch indirect JMP in %ps\n", (void *)addr); + #endif + return len; /* call too long for patch site */ + } +-- +2.17.1 + diff --git a/queue-4.14/x86-power-fix-some-ordering-bugs-in-__restore_proces.patch b/queue-4.14/x86-power-fix-some-ordering-bugs-in-__restore_proces.patch new file mode 100644 index 00000000000..e460b8caa81 --- /dev/null +++ b/queue-4.14/x86-power-fix-some-ordering-bugs-in-__restore_proces.patch 
@@ -0,0 +1,128 @@ +From 6d8e4b401a392f5a36b747c2763ec98aded49b36 Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Thu, 30 Nov 2017 07:57:57 -0800 +Subject: x86/power: Fix some ordering bugs in __restore_processor_context() + +[ Upstream commit 5b06bbcfc2c621da3009da8decb7511500c293ed ] + +__restore_processor_context() had a couple of ordering bugs. It +restored GSBASE after calling load_gs_index(), and the latter can +call into tracing code. It also tried to restore segment registers +before restoring the LDT, which is straight-up wrong. + +Reorder the code so that we restore GSBASE, then the descriptor +tables, then the segments. + +This fixes two bugs. First, it fixes a regression that broke resume +under certain configurations due to irqflag tracing in +native_load_gs_index(). Second, it fixes resume when the userspace +process that initiated suspect had funny segments. The latter can be +reproduced by compiling this: + +// SPDX-License-Identifier: GPL-2.0 +/* + * ldt_echo.c - Echo argv[1] while using an LDT segment + */ + +int main(int argc, char **argv) +{ + int ret; + size_t len; + char *buf; + + const struct user_desc desc = { + .entry_number = 0, + .base_addr = 0, + .limit = 0xfffff, + .seg_32bit = 1, + .contents = 0, /* Data, grow-up */ + .read_exec_only = 0, + .limit_in_pages = 1, + .seg_not_present = 0, + .useable = 0 + }; + + if (argc != 2) + errx(1, "Usage: %s STRING", argv[0]); + + len = asprintf(&buf, "%s\n", argv[1]); + if (len < 0) + errx(1, "Out of memory"); + + ret = syscall(SYS_modify_ldt, 1, &desc, sizeof(desc)); + if (ret < -1) + errno = -ret; + if (ret) + err(1, "modify_ldt"); + + asm volatile ("movw %0, %%es" :: "rm" ((unsigned short)7)); + write(1, buf, len); + return 0; +} + +and running ldt_echo >/sys/power/mem + +Without the fix, the latter causes a triple fault on resume. 
+ +Fixes: ca37e57bbe0c ("x86/entry/64: Add missing irqflags tracing to native_load_gs_index()") +Reported-by: Jarkko Nikula +Signed-off-by: Andy Lutomirski +Signed-off-by: Thomas Gleixner +Tested-by: Jarkko Nikula +Cc: Peter Zijlstra +Cc: Borislav Petkov +Cc: Linus Torvalds +Link: https://lkml.kernel.org/r/6b31721ea92f51ea839e79bd97ade4a75b1eeea2.1512057304.git.luto@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/power/cpu.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c +index 04d5157fe7f8..a51d2dfb57d1 100644 +--- a/arch/x86/power/cpu.c ++++ b/arch/x86/power/cpu.c +@@ -228,8 +228,20 @@ static void notrace __restore_processor_state(struct saved_context *ctxt) + load_idt((const struct desc_ptr *)&ctxt->idt_limit); + #endif + ++#ifdef CONFIG_X86_64 + /* +- * segment registers ++ * We need GSBASE restored before percpu access can work. ++ * percpu access can happen in exception handlers or in complicated ++ * helpers like load_gs_index(). ++ */ ++ wrmsrl(MSR_GS_BASE, ctxt->gs_base); ++#endif ++ ++ fix_processor_context(); ++ ++ /* ++ * Restore segment registers. This happens after restoring the GDT ++ * and LDT, which happen in fix_processor_context(). + */ + #ifdef CONFIG_X86_32 + loadsegment(es, ctxt->es); +@@ -250,13 +262,14 @@ static void notrace __restore_processor_state(struct saved_context *ctxt) + load_gs_index(ctxt->gs); + asm volatile ("movw %0, %%ss" :: "r" (ctxt->ss)); + ++ /* ++ * Restore FSBASE and user GSBASE after reloading the respective ++ * segment selectors. ++ */ + wrmsrl(MSR_FS_BASE, ctxt->fs_base); +- wrmsrl(MSR_GS_BASE, ctxt->gs_base); + wrmsrl(MSR_KERNEL_GS_BASE, ctxt->gs_kernel_base); + #endif + +- fix_processor_context(); +- + do_fpu_end(); + tsc_verify_tsc_adjust(true); + x86_platform.restore_sched_clock_state(); +-- +2.17.1 + 
diff --git a/queue-4.14/xen-netfront-fix-mismatched-rtnl_unlock.patch b/queue-4.14/xen-netfront-fix-mismatched-rtnl_unlock.patch new file mode 100644 index 00000000000..f0b0c73e5d4 --- /dev/null +++ b/queue-4.14/xen-netfront-fix-mismatched-rtnl_unlock.patch @@ -0,0 +1,41 @@ +From 944fe4692c0ca713140780a335af17c0836f3d6e Mon Sep 17 00:00:00 2001 +From: Ross Lagerwall +Date: Thu, 21 Jun 2018 14:00:20 +0100 +Subject: xen-netfront: Fix mismatched rtnl_unlock + +[ Upstream commit cb257783c2927b73614b20f915a91ff78aa6f3e8 ] + +Fixes: f599c64fdf7d ("xen-netfront: Fix race between device setup and open") +Reported-by: Ben Hutchings +Signed-off-by: Ross Lagerwall +Reviewed-by: Juergen Gross +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netfront.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index ca239912c0e6..6ea95b316256 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -1824,7 +1824,7 @@ static int talk_to_netback(struct xenbus_device *dev, + err = xen_net_read_mac(dev, info->netdev->dev_addr); + if (err) { + xenbus_dev_fatal(dev, err, "parsing %s/mac", dev->nodename); +- goto out; ++ goto out_unlocked; + } + + rtnl_lock(); +@@ -1939,6 +1939,7 @@ abort_transaction_no_dev_fatal: + xennet_destroy_queues(info); + out: + rtnl_unlock(); ++out_unlocked: + device_unregister(&dev->dev); + return err; + } +-- +2.17.1 + diff --git a/queue-4.14/xen-netfront-update-features-after-registering-netde.patch b/queue-4.14/xen-netfront-update-features-after-registering-netde.patch new file mode 100644 index 00000000000..3abc5c763b5 --- /dev/null +++ b/queue-4.14/xen-netfront-update-features-after-registering-netde.patch 
@@ -0,0 +1,52 @@ +From be7c28dc5af1c822e514f3abd56e57ef607fa6f8 Mon Sep 17 00:00:00 2001 +From: Ross Lagerwall +Date: Thu, 21 Jun 2018 14:00:21 +0100 +Subject: xen-netfront: Update features after registering netdev + +[ Upstream commit 45c8184c1bed1ca8a7f02918552063a00b909bf5 ] + +Update the features after calling register_netdev() otherwise the +device features are not set up correctly and it not possible to change +the MTU of the device. After this change, the features reported by +ethtool match the device's features before the commit which introduced +the issue and it is possible to change the device's MTU. + +Fixes: f599c64fdf7d ("xen-netfront: Fix race between device setup and open") +Reported-by: Liam Shepherd +Signed-off-by: Ross Lagerwall +Reviewed-by: Juergen Gross +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netfront.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index 1a40fc3517a8..ca239912c0e6 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -1964,10 +1964,6 @@ static int xennet_connect(struct net_device *dev) + /* talk_to_netback() sets the correct number of queues */ + num_queues = dev->real_num_tx_queues; + +- rtnl_lock(); +- netdev_update_features(dev); +- rtnl_unlock(); +- + if (dev->reg_state == NETREG_UNINITIALIZED) { + err = register_netdev(dev); + if (err) { +@@ -1977,6 +1973,10 @@ static int xennet_connect(struct net_device *dev) + } + } + ++ rtnl_lock(); ++ netdev_update_features(dev); ++ rtnl_unlock(); ++ + /* + * All public and private state should now be sane. Get + * ready to start sending and receiving packets and give the driver +-- +2.17.1 + diff --git a/queue-4.14/xfrm-fix-null-pointer-dereference-when-skb_dst_force.patch b/queue-4.14/xfrm-fix-null-pointer-dereference-when-skb_dst_force.patch new file mode 100644 index 00000000000..caf30cc4c03 --- /dev/null 
+++ b/queue-4.14/xfrm-fix-null-pointer-dereference-when-skb_dst_force.patch @@ -0,0 +1,59 @@ +From 42d70ec2c8ba528fb8e5c7fd7e53b5cb77999c3c Mon Sep 17 00:00:00 2001 +From: Steffen Klassert +Date: Tue, 11 Sep 2018 10:31:15 +0200 +Subject: xfrm: Fix NULL pointer dereference when skb_dst_force clears the + dst_entry. + +[ Upstream commit 9e1437937807b0122e8da1ca8765be2adca9aee6 ] + +Since commit 222d7dbd258d ("net: prevent dst uses after free") +skb_dst_force() might clear the dst_entry attached to the skb. +The xfrm code don't expect this to happen, so we crash with +a NULL pointer dereference in this case. Fix it by checking +skb_dst(skb) for NULL after skb_dst_force() and drop the packet +in cast the dst_entry was cleared. + +Fixes: 222d7dbd258d ("net: prevent dst uses after free") +Reported-by: Tobias Hommel +Reported-by: Kristian Evensen +Reported-by: Wolfgang Walter +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_output.c | 4 ++++ + net/xfrm/xfrm_policy.c | 4 ++++ + 2 files changed, 8 insertions(+) + +diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c +index 35610cc881a9..c47660fba498 100644 +--- a/net/xfrm/xfrm_output.c ++++ b/net/xfrm/xfrm_output.c +@@ -101,6 +101,10 @@ static int xfrm_output_one(struct sk_buff *skb, int err) + spin_unlock_bh(&x->lock); + + skb_dst_force(skb); ++ if (!skb_dst(skb)) { ++ XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR); ++ goto error_nolock; ++ } + + if (xfrm_offload(skb)) { + x->type_offload->encap(x, skb); +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 2fb7a78308e1..37c32e73aaef 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -2550,6 +2550,10 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family) + } + + skb_dst_force(skb); ++ if (!skb_dst(skb)) { ++ XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR); ++ return 0; ++ } + + dst = xfrm_lookup(net, skb_dst(skb), &fl, NULL, XFRM_LOOKUP_QUEUE); + if (IS_ERR(dst)) { +-- +2.17.1 + 
diff --git a/queue-4.14/xfrm-reset-crypto_done-when-iterating-over-multiple-.patch b/queue-4.14/xfrm-reset-crypto_done-when-iterating-over-multiple-.patch new file mode 100644 index 00000000000..0b46fd1cfe6 --- /dev/null +++ b/queue-4.14/xfrm-reset-crypto_done-when-iterating-over-multiple-.patch @@ -0,0 +1,36 @@ +From 29eda3b79c74026362d846441993b6cefb06dfa0 Mon Sep 17 00:00:00 2001 +From: Sowmini Varadhan +Date: Mon, 3 Sep 2018 04:36:53 -0700 +Subject: xfrm: reset crypto_done when iterating over multiple input xfrms + +[ Upstream commit 782710e333a526780d65918d669cb96646983ba2 ] + +We only support one offloaded xfrm (we do not have devices that +can handle more than one offload), so reset crypto_done in +xfrm_input() when iterating over multiple transforms in xfrm_input, +so that we can invoke the appropriate x->type->input for the +non-offloaded transforms + +Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API") +Signed-off-by: Sowmini Varadhan +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_input.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c +index 9f492dc417d5..8e75319dd9c0 100644 +--- a/net/xfrm/xfrm_input.c ++++ b/net/xfrm/xfrm_input.c +@@ -453,6 +453,7 @@ resume: + XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR); + goto drop; + } ++ crypto_done = false; + } while (!err); + + err = xfrm_rcv_cb(skb, family, x->type->proto, 0); +-- +2.17.1 + diff --git a/queue-4.14/xfrm-reset-transport-header-back-to-network-header-a.patch b/queue-4.14/xfrm-reset-transport-header-back-to-network-header-a.patch new file mode 100644 index 00000000000..e795d8f3a8b --- /dev/null +++ b/queue-4.14/xfrm-reset-transport-header-back-to-network-header-a.patch 
@@ -0,0 +1,100 @@ +From 183d6a00329c68e35c04058968294bcc7b55b888 Mon Sep 17 00:00:00 2001 +From: Sowmini Varadhan +Date: Mon, 3 Sep 2018 04:36:52 -0700 +Subject: xfrm: reset transport header back to network header after all input + transforms ahave been applied + +[ Upstream commit bfc0698bebcb16d19ecfc89574ad4d696955e5d3 ] + +A policy may have been set up with multiple transforms (e.g., ESP +and ipcomp). In this situation, the ingress IPsec processing +iterates in xfrm_input() and applies each transform in turn, +processing the nexthdr to find any additional xfrm that may apply. + +This patch resets the transport header back to network header +only after the last transformation so that subsequent xfrms +can find the correct transport header. + +Fixes: 7785bba299a8 ("esp: Add a software GRO codepath") +Suggested-by: Steffen Klassert +Signed-off-by: Sowmini Varadhan +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv4/xfrm4_input.c | 1 + + net/ipv4/xfrm4_mode_transport.c | 4 +--- + net/ipv6/xfrm6_input.c | 1 + + net/ipv6/xfrm6_mode_transport.c | 4 +--- + 4 files changed, 4 insertions(+), 6 deletions(-) + +diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c +index bcfc00e88756..f8de2482a529 100644 +--- a/net/ipv4/xfrm4_input.c ++++ b/net/ipv4/xfrm4_input.c +@@ -67,6 +67,7 @@ int xfrm4_transport_finish(struct sk_buff *skb, int async) + + if (xo && (xo->flags & XFRM_GRO)) { + skb_mac_header_rebuild(skb); ++ skb_reset_transport_header(skb); + return 0; + } + +diff --git a/net/ipv4/xfrm4_mode_transport.c b/net/ipv4/xfrm4_mode_transport.c +index 3d36644890bb..1ad2c2c4e250 100644 +--- a/net/ipv4/xfrm4_mode_transport.c ++++ b/net/ipv4/xfrm4_mode_transport.c +@@ -46,7 +46,6 @@ static int xfrm4_transport_output(struct xfrm_state *x, struct sk_buff *skb) + static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb) + { + int ihl = skb->data - skb_transport_header(skb); +- struct xfrm_offload *xo = xfrm_offload(skb); + + if 
(skb->transport_header != skb->network_header) { + memmove(skb_transport_header(skb), +@@ -54,8 +53,7 @@ static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb) + skb->network_header = skb->transport_header; + } + ip_hdr(skb)->tot_len = htons(skb->len + ihl); +- if (!xo || !(xo->flags & XFRM_GRO)) +- skb_reset_transport_header(skb); ++ skb_reset_transport_header(skb); + return 0; + } + +diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c +index 841f4a07438e..9ef490dddcea 100644 +--- a/net/ipv6/xfrm6_input.c ++++ b/net/ipv6/xfrm6_input.c +@@ -59,6 +59,7 @@ int xfrm6_transport_finish(struct sk_buff *skb, int async) + + if (xo && (xo->flags & XFRM_GRO)) { + skb_mac_header_rebuild(skb); ++ skb_reset_transport_header(skb); + return -1; + } + +diff --git a/net/ipv6/xfrm6_mode_transport.c b/net/ipv6/xfrm6_mode_transport.c +index 9ad07a91708e..3c29da5defe6 100644 +--- a/net/ipv6/xfrm6_mode_transport.c ++++ b/net/ipv6/xfrm6_mode_transport.c +@@ -51,7 +51,6 @@ static int xfrm6_transport_output(struct xfrm_state *x, struct sk_buff *skb) + static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb) + { + int ihl = skb->data - skb_transport_header(skb); +- struct xfrm_offload *xo = xfrm_offload(skb); + + if (skb->transport_header != skb->network_header) { + memmove(skb_transport_header(skb), +@@ -60,8 +59,7 @@ static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb) + } + ipv6_hdr(skb)->payload_len = htons(skb->len + ihl - + sizeof(struct ipv6hdr)); +- if (!xo || !(xo->flags & XFRM_GRO)) +- skb_reset_transport_header(skb); ++ skb_reset_transport_header(skb); + return 0; + } + +-- +2.17.1 + diff --git a/queue-4.14/xfrm-validate-address-prefix-lengths-in-the-xfrm-sel.patch b/queue-4.14/xfrm-validate-address-prefix-lengths-in-the-xfrm-sel.patch new file mode 100644 index 00000000000..d576bc9de44 --- /dev/null +++ b/queue-4.14/xfrm-validate-address-prefix-lengths-in-the-xfrm-sel.patch 
@@ -0,0 +1,63 @@ +From 7f57c55fc4ef3472efce83eaf1150debbbd91b02 Mon Sep 17 00:00:00 2001 +From: Steffen Klassert +Date: Wed, 1 Aug 2018 13:45:11 +0200 +Subject: xfrm: Validate address prefix lengths in the xfrm selector. + +[ Upstream commit 07bf7908950a8b14e81aa1807e3c667eab39287a ] + +We don't validate the address prefix lengths in the xfrm +selector we got from userspace. This can lead to undefined +behaviour in the address matching functions if the prefix +is too big for the given address family. Fix this by checking +the prefixes and refuse SA/policy insertation when a prefix +is invalid. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Air Icy +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 5554d28a32eb..4292347bf45e 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -151,10 +151,16 @@ static int verify_newsa_info(struct xfrm_usersa_info *p, + err = -EINVAL; + switch (p->family) { + case AF_INET: ++ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) ++ goto out; ++ + break; + + case AF_INET6: + #if IS_ENABLED(CONFIG_IPV6) ++ if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128) ++ goto out; ++ + break; + #else + err = -EAFNOSUPPORT; +@@ -1353,10 +1359,16 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p) + + switch (p->sel.family) { + case AF_INET: ++ if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) ++ return -EINVAL; ++ + break; + + case AF_INET6: + #if IS_ENABLED(CONFIG_IPV6) ++ if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128) ++ return -EINVAL; ++ + break; + #else + return -EAFNOSUPPORT; +-- +2.17.1 + diff --git a/queue-4.14/xfrm-validate-template-mode.patch b/queue-4.14/xfrm-validate-template-mode.patch new file mode 100644 index 00000000000..9dab0602e1e --- /dev/null +++ b/queue-4.14/xfrm-validate-template-mode.patch 
@@ -0,0 +1,64 @@ +From 365754580edf19e2bc47d3ba8ad64f7368d29618 Mon Sep 17 00:00:00 2001 +From: Sean Tranchetti +Date: Wed, 19 Sep 2018 13:54:56 -0600 +Subject: xfrm: validate template mode + +[ Upstream commit 32bf94fb5c2ec4ec842152d0e5937cd4bb6738fa ] + +XFRM mode parameters passed as part of the user templates +in the IP_XFRM_POLICY are never properly validated. Passing +values other than valid XFRM modes can cause stack-out-of-bounds +reads to occur later in the XFRM processing: + +[ 140.535608] ================================================================ +[ 140.543058] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x17e4/0x1cc4 +[ 140.550306] Read of size 4 at addr ffffffc0238a7a58 by task repro/5148 +[ 140.557369] +[ 140.558927] Call trace: +[ 140.558936] dump_backtrace+0x0/0x388 +[ 140.558940] show_stack+0x24/0x30 +[ 140.558946] __dump_stack+0x24/0x2c +[ 140.558949] dump_stack+0x8c/0xd0 +[ 140.558956] print_address_description+0x74/0x234 +[ 140.558960] kasan_report+0x240/0x264 +[ 140.558963] __asan_report_load4_noabort+0x2c/0x38 +[ 140.558967] xfrm_state_find+0x17e4/0x1cc4 +[ 140.558971] xfrm_resolve_and_create_bundle+0x40c/0x1fb8 +[ 140.558975] xfrm_lookup+0x238/0x1444 +[ 140.558977] xfrm_lookup_route+0x48/0x11c +[ 140.558984] ip_route_output_flow+0x88/0xc4 +[ 140.558991] raw_sendmsg+0xa74/0x266c +[ 140.558996] inet_sendmsg+0x258/0x3b0 +[ 140.559002] sock_sendmsg+0xbc/0xec +[ 140.559005] SyS_sendto+0x3a8/0x5a8 +[ 140.559008] el0_svc_naked+0x34/0x38 +[ 140.559009] +[ 140.592245] page dumped because: kasan: bad access detected +[ 140.597981] page_owner info is not active (free page?) 
+[ 140.603267] +[ 140.653503] ================================================================ + +Signed-off-by: Sean Tranchetti +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 4292347bf45e..4e8319766f2b 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -1449,6 +1449,9 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) + (ut[i].family != prev_family)) + return -EINVAL; + ++ if (ut[i].mode >= XFRM_MODE_MAX) ++ return -EINVAL; ++ + prev_family = ut[i].family; + + switch (ut[i].family) { +-- +2.17.1 + diff --git a/queue-4.14/xfrm6-call-kfree_skb-when-skb-is-toobig.patch b/queue-4.14/xfrm6-call-kfree_skb-when-skb-is-toobig.patch new file mode 100644 index 00000000000..37bcc8c9858 --- /dev/null +++ b/queue-4.14/xfrm6-call-kfree_skb-when-skb-is-toobig.patch 
@@ -0,0 +1,46 @@ +From 9ad83d055c6cb50a5d20d340a2e2755bb3acb9a5 Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Fri, 31 Aug 2018 08:38:49 -0300 +Subject: xfrm6: call kfree_skb when skb is toobig + +[ Upstream commit 215ab0f021c9fea3c18b75e7d522400ee6a49990 ] + +After commit d6990976af7c5d8f55903bfb4289b6fb030bf754 ("vti6: fix PMTU caching +and reporting on xmit"), some too big skbs might be potentially passed down to +__xfrm6_output, causing it to fail to transmit but not free the skb, causing a +leak of skb, and consequentially a leak of dst references. + +After running pmtu.sh, that shows as failure to unregister devices in a namespace: + +[ 311.397671] unregister_netdevice: waiting for veth_b to become free. Usage count = 1 + +The fix is to call kfree_skb in case of transmit failures. + +Fixes: dd767856a36e ("xfrm6: Don't call icmpv6_send on local error") +Signed-off-by: Thadeu Lima de Souza Cascardo +Reviewed-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv6/xfrm6_output.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c +index 8ae87d4ec5ff..29dae7f2ff14 100644 +--- a/net/ipv6/xfrm6_output.c ++++ b/net/ipv6/xfrm6_output.c +@@ -170,9 +170,11 @@ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb) + + if (toobig && xfrm6_local_dontfrag(skb)) { + xfrm6_local_rxpmtu(skb, mtu); ++ kfree_skb(skb); + return -EMSGSIZE; + } else if (!skb->ignore_df && toobig && skb->sk) { + xfrm_local_error(skb, mtu); ++ kfree_skb(skb); + return -EMSGSIZE; + } + +-- +2.17.1 + diff --git a/queue-4.14/yam-fix-a-missing-check-bug.patch b/queue-4.14/yam-fix-a-missing-check-bug.patch new file mode 100644 index 00000000000..5eb8b625336 --- /dev/null +++ b/queue-4.14/yam-fix-a-missing-check-bug.patch 
@@ -0,0 +1,56 @@ +From 18cdb1b4983079b867b1a279c76db160aeeeb1f5 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Fri, 5 Oct 2018 10:59:36 -0500 +Subject: yam: fix a missing-check bug + +[ Upstream commit 0781168e23a2fc8dceb989f11fc5b39b3ccacc35 ] + +In yam_ioctl(), the concrete ioctl command is firstly copied from the +user-space buffer 'ifr->ifr_data' to 'ioctl_cmd' and checked through the +following switch statement. If the command is not as expected, an error +code EINVAL is returned. In the following execution the buffer +'ifr->ifr_data' is copied again in the cases of the switch statement to +specific data structures according to what kind of ioctl command is +requested. However, after the second copy, no re-check is enforced on the +newly-copied command. Given that the buffer 'ifr->ifr_data' is in the user +space, a malicious user can race to change the command between the two +copies. This way, the attacker can inject inconsistent data and cause +undefined behavior. + +This patch adds a re-check in each case of the switch statement if there is +a second copy in that case, to re-check whether the command obtained in the +second copy is the same as the one in the first copy. If not, an error code +EINVAL will be returned. + +Signed-off-by: Wenwen Wang +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hamradio/yam.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/hamradio/yam.c b/drivers/net/hamradio/yam.c +index 7a7c5224a336..16a6e1193912 100644 +--- a/drivers/net/hamradio/yam.c ++++ b/drivers/net/hamradio/yam.c +@@ -980,6 +980,8 @@ static int yam_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) + sizeof(struct yamdrv_ioctl_mcs)); + if (IS_ERR(ym)) + return PTR_ERR(ym); ++ if (ym->cmd != SIOCYAMSMCS) ++ return -EINVAL; + if (ym->bitrate > YAM_MAXBITRATE) { + kfree(ym); + return -EINVAL; +@@ -995,6 +997,8 @@ static int yam_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) + if (copy_from_user(&yi, ifr->ifr_data, sizeof(struct yamdrv_ioctl_cfg))) + return -EFAULT; + ++ if (yi.cmd != SIOCYAMSCFG) ++ return -EINVAL; + if ((yi.cfg.mask & YAM_IOBASE) && netif_running(dev)) + return -EINVAL; /* Cannot change this parameter when up */ + if ((yi.cfg.mask & YAM_IRQ) && netif_running(dev)) +-- +2.17.1 +
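Review bot: In tpm_transmit() (drivers/char/tpm/tpm-interface.c), moving `delay_msec *= 2` after tpm_msleep() also changes what the `delay_msec > TPM2_DURATION_LONG` test sees: it now compares the delay about to be slept, not the already doubled one, so the loop performs one more retry before logging "TPM is in retry loop". The changelog only mentions the initial sleep; it should also state that the total retry budget grows, so that anyone relying on the old upper bound is not surprised.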
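Review bot: In port_show_vhci() (drivers/usb/usbip/vhci_sysfs.c) the sockfd column changes to `%06u` and the unused-port placeholder shrinks from sixteen zeros to `000000`, which alters the text layout of the sysfs status file for every reader. The changelog should say that consumers parsing the file by column need to follow this change, and its first sentence (the one quoting commit 2f2d0088eb93) reads as an incomplete sentence and should be finished.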
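Review bot: The ldt_echo.c reproducer quoted in the changelog of the __restore_processor_state() patch (arch/x86/power/cpu.c) does not build as written: it carries no #include lines, and `len` is declared `size_t`, so the `if (len < 0)` test after asprintf() can never be true. Please restore the includes and make `len` a signed type so the reproducer can be compiled straight from the commit message.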
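Review bot: The changelog for the talk_to_netback() fix (drivers/net/xen-netfront.c, "Fix mismatched rtnl_unlock") has no body at all. The hunk shows the reason: the xen_net_read_mac() failure path runs before `rtnl_lock()` yet used to jump to `out:`, which calls `rtnl_unlock()`. That one sentence belongs in the commit message so the backport explains itself without reading the code.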
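Review bot: The NULL check after skb_dst_force() is open-coded at both call sites with different handling: xfrm_output_one() counts LINUX_MIB_XFRMOUTERROR and jumps to error_nolock, while __xfrm_route_forward() counts LINUX_MIB_XFRMFWDHDRERROR and returns 0. Since the changelog says skb_dst_force() itself may clear the dst, consider having it report that to its caller so the check cannot be forgotten at another call site; at minimum, add a short comment at each site explaining why skb_dst(skb) can be NULL here.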
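Review bot: In xfrm_input() (net/xfrm/xfrm_input.c) the new `crypto_done = false;` at the bottom of the `do { } while (!err)` loop has no comment, and its reason (only one transform can be offloaded, so later iterations must go through x->type->input) lives only in the changelog. A one-line comment above the assignment would keep it from being removed later as a redundant store.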
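Review bot: In verify_newsa_info() (net/xfrm/xfrm_user.c) the prefix-length limit is selected by `switch (p->family)`, but the values being checked are `p->sel.prefixlen_d` and `p->sel.prefixlen_s`; the second hunk, in verify_newpolicy_info(), switches on `p->sel.family` instead. If the selector family can differ from the SA family, the SA path applies the wrong bound (32 versus 128). Either validate against `p->sel.family` there as well, or document why the two families are guaranteed to match at this point.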
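Review bot: The changelog for the validate_tmpl() check (`ut[i].mode >= XFRM_MODE_MAX`, net/xfrm/xfrm_user.c) has no Fixes: tag, unlike the other xfrm patches in this queue, so it does not say which releases carry the unvalidated mode. Since the changelog describes a stack-out-of-bounds read reachable from a user-supplied template, please name the commit that introduced the missing validation so the backport range can be checked.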
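Review bot: In the SIOCYAMSMCS case of yam_ioctl() (drivers/net/hamradio/yam.c), the new `if (ym->cmd != SIOCYAMSMCS) return -EINVAL;` returns without freeing `ym`, which at that point is a valid allocation (it has just passed the IS_ERR() test). The bitrate check directly below calls `kfree(ym)` before its own `return -EINVAL`, and the new early return needs the same. The SIOCYAMSCFG hunk is not affected, because there copy_from_user() fills `yi` by address rather than returning a buffer.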