From: Sasha Levin Date: Mon, 23 May 2022 03:03:31 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v4.9.316~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d91732d2d48cc630dc4b2bcdc567ec872dc3a846;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/arm-9196-1-spectre-bhb-enable-for-cortex-a15.patch b/queue-4.14/arm-9196-1-spectre-bhb-enable-for-cortex-a15.patch new file mode 100644 index 00000000000..2ef49ed8c49 --- /dev/null +++ b/queue-4.14/arm-9196-1-spectre-bhb-enable-for-cortex-a15.patch @@ -0,0 +1,36 @@ +From cfd9a344eb608d8ec4d890144a3f9df029128551 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Apr 2022 09:44:51 +0100 +Subject: ARM: 9196/1: spectre-bhb: enable for Cortex-A15 + +From: Ard Biesheuvel + +[ Upstream commit 0dc14aa94ccd8ba35eb17a0f9b123d1566efd39e ] + +The Spectre-BHB mitigations were inadvertently left disabled for +Cortex-A15, due to the fact that cpu_v7_bugs_init() is not called in +that case. So fix that. + +Fixes: b9baf5c8c5c3 ("ARM: Spectre-BHB workaround") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/mm/proc-v7-bugs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mm/proc-v7-bugs.c b/arch/arm/mm/proc-v7-bugs.c +index 1b6e770bc1cd..8b78694d56b8 100644 +--- a/arch/arm/mm/proc-v7-bugs.c ++++ b/arch/arm/mm/proc-v7-bugs.c +@@ -297,6 +297,7 @@ void cpu_v7_ca15_ibe(void) + { + if (check_spectre_auxcr(this_cpu_ptr(&spectre_warned), BIT(0))) + cpu_v7_spectre_v2_init(); ++ cpu_v7_spectre_bhb_init(); + } + + void cpu_v7_bugs_init(void) +-- +2.35.1 + diff --git a/queue-4.14/arm-9197-1-spectre-bhb-fix-loop8-sequence-for-thumb2.patch b/queue-4.14/arm-9197-1-spectre-bhb-fix-loop8-sequence-for-thumb2.patch new file mode 100644 index 00000000000..ac6d9f60d03 --- /dev/null +++ b/queue-4.14/arm-9197-1-spectre-bhb-fix-loop8-sequence-for-thumb2.patch @@ -0,0 +1,37 @@ +From 494ee379740026a171640a481b0005be4b3b387a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Apr 2022 09:46:17 +0100 +Subject: ARM: 9197/1: spectre-bhb: fix loop8 sequence for Thumb2 + +From: Ard Biesheuvel + +[ Upstream commit 3cfb3019979666bdf33a1010147363cf05e0f17b ] + +In Thumb2, 'b . + 4' produces a branch instruction that uses a narrow +encoding, and so it does not jump to the following instruction as +expected. So use W(b) instead. + +Fixes: 6c7cb60bff7a ("ARM: fix Thumb2 regression with Spectre BHB") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/entry-armv.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S +index b54084f9b77a..e1b3c5c96560 100644 +--- a/arch/arm/kernel/entry-armv.S ++++ b/arch/arm/kernel/entry-armv.S +@@ -1071,7 +1071,7 @@ vector_bhb_loop8_\name: + + @ bhb workaround + mov r0, #8 +-3: b . + 4 ++3: W(b) . + 4 + subs r0, r0, #1 + bne 3b + dsb +-- +2.35.1 + diff --git a/queue-4.14/clk-at91-generated-consider-range-when-calculating-b.patch b/queue-4.14/clk-at91-generated-consider-range-when-calculating-b.patch new file mode 100644 index 00000000000..a6421cf355f --- /dev/null +++ b/queue-4.14/clk-at91-generated-consider-range-when-calculating-b.patch @@ -0,0 +1,42 @@ +From 7abd2353980bb039edd68ddfab2ecc9f95db4d46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Apr 2022 10:13:18 +0300 +Subject: clk: at91: generated: consider range when calculating best rate + +From: Codrin Ciubotariu + +[ Upstream commit d0031e6fbed955ff8d5f5bbc8fe7382482559cec ] + +clk_generated_best_diff() helps in finding the parent and the divisor to +compute a rate closest to the required one. However, it doesn't take into +account the request's range for the new rate. Make sure the new rate +is within the required range. + +Fixes: 8a8f4bf0c480 ("clk: at91: clk-generated: create function to find best_diff") +Signed-off-by: Codrin Ciubotariu +Link: https://lore.kernel.org/r/20220413071318.244912-1-codrin.ciubotariu@microchip.com +Reviewed-by: Claudiu Beznea +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/at91/clk-generated.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/clk/at91/clk-generated.c b/drivers/clk/at91/clk-generated.c +index ea23002be4de..b397556c34d9 100644 +--- a/drivers/clk/at91/clk-generated.c ++++ b/drivers/clk/at91/clk-generated.c +@@ -119,6 +119,10 @@ static void clk_generated_best_diff(struct clk_rate_request *req, + tmp_rate = parent_rate; + else + tmp_rate = parent_rate / div; ++ ++ if (tmp_rate < req->min_rate || tmp_rate > req->max_rate) ++ return; ++ + tmp_diff = abs(req->rate - tmp_rate); + + if (*best_diff < 0 || *best_diff > tmp_diff) { +-- +2.35.1 + diff --git a/queue-4.14/ethernet-tulip-fix-missing-pci_disable_device-on-err.patch b/queue-4.14/ethernet-tulip-fix-missing-pci_disable_device-on-err.patch new file mode 100644 index 00000000000..718567bcd33 --- /dev/null +++ b/queue-4.14/ethernet-tulip-fix-missing-pci_disable_device-on-err.patch @@ -0,0 +1,49 @@ +From 6d0db2edfeedbfb2e695ff4453dee5de3d5c7fd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 May 2022 17:42:50 +0800 +Subject: ethernet: tulip: fix missing pci_disable_device() on error in + tulip_init_one() + +From: Yang Yingliang + +[ Upstream commit 51ca86b4c9c7c75f5630fa0dbe5f8f0bd98e3c3e ] + +Fix the missing pci_disable_device() before return +from tulip_init_one() in the error handling case. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20220506094250.3630615-1-yangyingliang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/dec/tulip/tulip_core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/dec/tulip/tulip_core.c b/drivers/net/ethernet/dec/tulip/tulip_core.c +index 851b6d1f5a42..35bcb2c52dbc 100644 +--- a/drivers/net/ethernet/dec/tulip/tulip_core.c ++++ b/drivers/net/ethernet/dec/tulip/tulip_core.c +@@ -1410,8 +1410,10 @@ static int tulip_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + + /* alloc_etherdev ensures aligned and zeroed private structures */ + dev = alloc_etherdev (sizeof (*tp)); +- if (!dev) ++ if (!dev) { ++ pci_disable_device(pdev); + return -ENOMEM; ++ } + + SET_NETDEV_DEV(dev, &pdev->dev); + if (pci_resource_len (pdev, 0) < tulip_tbl[chip_idx].io_size) { +@@ -1789,6 +1791,7 @@ static int tulip_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + + err_out_free_netdev: + free_netdev (dev); ++ pci_disable_device(pdev); + return -ENODEV; + } + +-- +2.35.1 + diff --git a/queue-4.14/gpio-gpio-vf610-do-not-touch-other-bits-when-set-the.patch b/queue-4.14/gpio-gpio-vf610-do-not-touch-other-bits-when-set-the.patch new file mode 100644 index 00000000000..db78bf90f1e --- /dev/null +++ b/queue-4.14/gpio-gpio-vf610-do-not-touch-other-bits-when-set-the.patch @@ -0,0 +1,45 @@ +From b1c8b26de736c25581c47939c1bb83f10c10b067 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 May 2022 10:15:04 +0800 +Subject: gpio: gpio-vf610: do not touch other bits when set the target bit + +From: Haibo Chen + +[ Upstream commit 9bf3ac466faa83d51a8fe9212131701e58fdef74 ] + +For gpio controller contain register PDDR, when set one target bit, +current logic will clear all other bits, this is wrong. Use operator +'|=' to fix it. + +Fixes: 659d8a62311f ("gpio: vf610: add imx7ulp support") +Reviewed-by: Peng Fan +Signed-off-by: Haibo Chen +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-vf610.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpio-vf610.c b/drivers/gpio/gpio-vf610.c +index 3210fba16a9b..91d6966c3d29 100644 +--- a/drivers/gpio/gpio-vf610.c ++++ b/drivers/gpio/gpio-vf610.c +@@ -135,9 +135,13 @@ static int vf610_gpio_direction_output(struct gpio_chip *chip, unsigned gpio, + { + struct vf610_gpio_port *port = gpiochip_get_data(chip); + unsigned long mask = BIT(gpio); ++ u32 val; + +- if (port->sdata && port->sdata->have_paddr) +- vf610_gpio_writel(mask, port->gpio_base + GPIO_PDDR); ++ if (port->sdata && port->sdata->have_paddr) { ++ val = vf610_gpio_readl(port->gpio_base + GPIO_PDDR); ++ val |= mask; ++ vf610_gpio_writel(val, port->gpio_base + GPIO_PDDR); ++ } + + vf610_gpio_set(chip, gpio, value); + +-- +2.35.1 + diff --git a/queue-4.14/gpio-mvebu-pwm-refuse-requests-with-inverted-polarit.patch b/queue-4.14/gpio-mvebu-pwm-refuse-requests-with-inverted-polarit.patch new file mode 100644 index 00000000000..dbe1f6f3f94 --- /dev/null +++ b/queue-4.14/gpio-mvebu-pwm-refuse-requests-with-inverted-polarit.patch @@ -0,0 +1,40 @@ +From 7a2e4fffa2a47f3954bc76a854ce8683dcbc16e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 May 2022 09:58:56 +0200 +Subject: gpio: mvebu/pwm: Refuse requests with inverted polarity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 3ecb10175b1f776f076553c24e2689e42953fef5 ] + +The driver doesn't take struct pwm_state::polarity into account when +configuring the hardware, so refuse requests for inverted polarity. + +Fixes: 757642f9a584 ("gpio: mvebu: Add limited PWM support") +Signed-off-by: Uwe Kleine-König +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-mvebu.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpio/gpio-mvebu.c b/drivers/gpio/gpio-mvebu.c +index b14d481ab7db..cbad11029c67 100644 +--- a/drivers/gpio/gpio-mvebu.c ++++ b/drivers/gpio/gpio-mvebu.c +@@ -694,6 +694,9 @@ static int mvebu_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm, + unsigned long flags; + unsigned int on, off; + ++ if (state->polarity != PWM_POLARITY_NORMAL) ++ return -EINVAL; ++ + val = (unsigned long long) mvpwm->clk_rate * state->duty_cycle; + do_div(val, NSEC_PER_SEC); + if (val > UINT_MAX) +-- +2.35.1 + diff --git a/queue-4.14/igb-skip-phy-status-check-where-unavailable.patch b/queue-4.14/igb-skip-phy-status-check-where-unavailable.patch new file mode 100644 index 00000000000..f16babe45b4 --- /dev/null +++ b/queue-4.14/igb-skip-phy-status-check-where-unavailable.patch @@ -0,0 +1,46 @@ +From 58f21f77bb4fe02ea8f61d6aee3e48a9fdddde6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 11:01:05 -0700 +Subject: igb: skip phy status check where unavailable + +From: Kevin Mitchell + +[ Upstream commit 942d2ad5d2e0df758a645ddfadffde2795322728 ] + +igb_read_phy_reg() will silently return, leaving phy_data untouched, if +hw->ops.read_reg isn't set. Depending on the uninitialized value of +phy_data, this led to the phy status check either succeeding immediately +or looping continuously for 2 seconds before emitting a noisy err-level +timeout. This message went out to the console even though there was no +actual problem. + +Instead, first check if there is read_reg function pointer. If not, +proceed without trying to check the phy status register. + +Fixes: b72f3f72005d ("igb: When GbE link up, wait for Remote receiver status condition") +Signed-off-by: Kevin Mitchell +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 6bd30d51dafc..618063d21f96 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -4622,7 +4622,8 @@ static void igb_watchdog_task(struct work_struct *work) + break; + } + +- if (adapter->link_speed != SPEED_1000) ++ if (adapter->link_speed != SPEED_1000 || ++ !hw->phy.ops.read_reg) + goto no_wait; + + /* wait for Remote receiver status OK */ +-- +2.35.1 + diff --git a/queue-4.14/mac80211-fix-rx-reordering-with-non-explicit-psmp-ac.patch b/queue-4.14/mac80211-fix-rx-reordering-with-non-explicit-psmp-ac.patch new file mode 100644 index 00000000000..d890405aa7d --- /dev/null +++ b/queue-4.14/mac80211-fix-rx-reordering-with-non-explicit-psmp-ac.patch @@ -0,0 +1,38 @@ +From f2e4761f16804deca05fdc1c99e351c037a1106b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Apr 2022 12:50:38 +0200 +Subject: mac80211: fix rx reordering with non explicit / psmp ack policy + +From: Felix Fietkau + +[ Upstream commit 5e469ed9764d4722c59562da13120bd2dc6834c5 ] + +When the QoS ack policy was set to non explicit / psmp ack, frames are treated +as not being part of a BA session, which causes extra latency on reordering. +Fix this by only bypassing reordering for packets with no-ack policy + +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20220420105038.36443-1-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/rx.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index 5a38be9145ff..e60a53c056c0 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -1204,8 +1204,7 @@ static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx, + goto dont_reorder; + + /* not part of a BA session */ +- if (ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK && +- ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_NORMAL) ++ if (ack_policy == IEEE80211_QOS_CTL_ACK_POLICY_NOACK) + goto dont_reorder; + + /* new, potentially un-ordered, ampdu frame - process it */ +-- +2.35.1 + diff --git a/queue-4.14/net-af_key-add-check-for-pfkey_broadcast-in-function.patch b/queue-4.14/net-af_key-add-check-for-pfkey_broadcast-in-function.patch new file mode 100644 index 00000000000..e1bf188a786 --- /dev/null +++ b/queue-4.14/net-af_key-add-check-for-pfkey_broadcast-in-function.patch @@ -0,0 +1,42 @@ +From feca7a2b243a12acafaf09bee7b6840a8ae40eeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 17:42:31 +0800 +Subject: net: af_key: add check for pfkey_broadcast in function pfkey_process + +From: Jiasheng Jiang + +[ Upstream commit 4dc2a5a8f6754492180741facf2a8787f2c415d7 ] + +If skb_clone() returns null pointer, pfkey_broadcast() will +return error. +Therefore, it should be better to check the return value of +pfkey_broadcast() and return error if fails. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index d7adac31b0fd..3d5a46080169 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -2834,8 +2834,10 @@ static int pfkey_process(struct sock *sk, struct sk_buff *skb, const struct sadb + void *ext_hdrs[SADB_EXT_MAX]; + int err; + +- pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL, +- BROADCAST_PROMISC_ONLY, NULL, sock_net(sk)); ++ err = pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL, ++ BROADCAST_PROMISC_ONLY, NULL, sock_net(sk)); ++ if (err) ++ return err; + + memset(ext_hdrs, 0, sizeof(ext_hdrs)); + err = parse_exthdrs(skb, hdr, ext_hdrs); +-- +2.35.1 + diff --git a/queue-4.14/net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch b/queue-4.14/net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch new file mode 100644 index 00000000000..f021c7e183c --- /dev/null +++ b/queue-4.14/net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch @@ -0,0 +1,43 @@ +From cbedc52570772b6d8203a5b9c34b0b6f7f016482 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 19:28:26 -0700 +Subject: net: atlantic: verify hw_head_ lies within TX buffer ring + +From: Grant Grundler + +[ Upstream commit 2120b7f4d128433ad8c5f503a9584deba0684901 ] + +Bounds check hw_head index provided by NIC to verify it lies +within the TX buffer ring. + +Reported-by: Aashay Shringarpure +Reported-by: Yi Chou +Reported-by: Shervin Oloumi +Signed-off-by: Grant Grundler +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c +index 1c1bb074f664..066abf9dc91e 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c ++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c +@@ -625,6 +625,13 @@ static int hw_atl_b0_hw_ring_tx_head_update(struct aq_hw_s *self, + err = -ENXIO; + goto err_exit; + } ++ ++ /* Validate that the new hw_head_ is reasonable. */ ++ if (hw_head_ >= ring->size) { ++ err = -ENXIO; ++ goto err_exit; ++ } ++ + ring->hw_head = hw_head_; + err = aq_hw_err_from_flags(self); + +-- +2.35.1 + diff --git a/queue-4.14/net-bridge-clear-offload_fwd_mark-when-passing-frame.patch b/queue-4.14/net-bridge-clear-offload_fwd_mark-when-passing-frame.patch new file mode 100644 index 00000000000..95e8b9f7681 --- /dev/null +++ b/queue-4.14/net-bridge-clear-offload_fwd_mark-when-passing-frame.patch @@ -0,0 +1,72 @@ +From 83bd1759082a826770379562024d9ebc977ae346 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 02:58:40 +0200 +Subject: net: bridge: Clear offload_fwd_mark when passing frame up bridge + interface. + +From: Andrew Lunn + +[ Upstream commit fbb3abdf2223cd0dfc07de85fe5a43ba7f435bdf ] + +It is possible to stack bridges on top of each other. Consider the +following which makes use of an Ethernet switch: + + br1 + / \ + / \ + / \ + br0.11 wlan0 + | + br0 + / | \ +p1 p2 p3 + +br0 is offloaded to the switch. Above br0 is a vlan interface, for +vlan 11. This vlan interface is then a slave of br1. br1 also has a +wireless interface as a slave. This setup trunks wireless lan traffic +over the copper network inside a VLAN. + +A frame received on p1 which is passed up to the bridge has the +skb->offload_fwd_mark flag set to true, indicating that the switch has +dealt with forwarding the frame out ports p2 and p3 as needed. This +flag instructs the software bridge it does not need to pass the frame +back down again. However, the flag is not getting reset when the frame +is passed upwards. As a result br1 sees the flag, wrongly interprets +it, and fails to forward the frame to wlan0. + +When passing a frame upwards, clear the flag. This is the Rx +equivalent of br_switchdev_frame_unmark() in br_dev_xmit(). + +Fixes: f1c2eddf4cb6 ("bridge: switchdev: Use an helper to clear forward mark") +Signed-off-by: Andrew Lunn +Reviewed-by: Ido Schimmel +Tested-by: Ido Schimmel +Acked-by: Nikolay Aleksandrov +Link: https://lore.kernel.org/r/20220518005840.771575-1-andrew@lunn.ch +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/bridge/br_input.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c +index 10fa84056cb5..07e7cf2b4cfb 100644 +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c +@@ -47,6 +47,13 @@ static int br_pass_frame_up(struct sk_buff *skb) + u64_stats_update_end(&brstats->syncp); + + vg = br_vlan_group_rcu(br); ++ ++ /* Reset the offload_fwd_mark because there could be a stacked ++ * bridge above, and it should not think this bridge it doing ++ * that bridge's work forwarding out its ports. ++ */ ++ br_switchdev_frame_unmark(skb); ++ + /* Bridge is just like any other port. Make sure the + * packet is allowed except in promisc modue when someone + * may be running packet capture. +-- +2.35.1 + diff --git a/queue-4.14/net-qla3xxx-fix-a-test-in-ql_reset_work.patch b/queue-4.14/net-qla3xxx-fix-a-test-in-ql_reset_work.patch new file mode 100644 index 00000000000..ec1cf3ade35 --- /dev/null +++ b/queue-4.14/net-qla3xxx-fix-a-test-in-ql_reset_work.patch @@ -0,0 +1,48 @@ +From cda98115672155300372dc6e59016608cb7edc27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 May 2022 20:07:02 +0200 +Subject: net/qla3xxx: Fix a test in ql_reset_work() + +From: Christophe JAILLET + +[ Upstream commit 5361448e45fac6fb96738df748229432a62d78b6 ] + +test_bit() tests if one bit is set or not. +Here the logic seems to check of bit QL_RESET_PER_SCSI (i.e. 4) OR bit +QL_RESET_START (i.e. 3) is set. + +In fact, it checks if bit 7 (4 | 3 = 7) is set, that is to say +QL_ADAPTER_UP. + +This looks harmless, because this bit is likely be set, and when the +ql_reset_work() delayed work is scheduled in ql3xxx_isr() (the only place +that schedule this work), QL_RESET_START or QL_RESET_PER_SCSI is set. + +This has been spotted by smatch. + +Fixes: 5a4faa873782 ("[PATCH] qla3xxx NIC driver") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/80e73e33f390001d9c0140ffa9baddf6466a41a2.1652637337.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qla3xxx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c +index ecd345ca160f..9d384fb3b746 100644 +--- a/drivers/net/ethernet/qlogic/qla3xxx.c ++++ b/drivers/net/ethernet/qlogic/qla3xxx.c +@@ -3629,7 +3629,8 @@ static void ql_reset_work(struct work_struct *work) + qdev->mem_map_registers; + unsigned long hw_flags; + +- if (test_bit((QL_RESET_PER_SCSI | QL_RESET_START), &qdev->flags)) { ++ if (test_bit(QL_RESET_PER_SCSI, &qdev->flags) || ++ test_bit(QL_RESET_START, &qdev->flags)) { + clear_bit(QL_LINK_MASTER, &qdev->flags); + + /* +-- +2.35.1 + diff --git a/queue-4.14/net-stmmac-fix-missing-pci_disable_device-on-error-i.patch b/queue-4.14/net-stmmac-fix-missing-pci_disable_device-on-error-i.patch new file mode 100644 index 00000000000..9ab773f9eb2 --- /dev/null +++ b/queue-4.14/net-stmmac-fix-missing-pci_disable_device-on-error-i.patch @@ -0,0 +1,46 @@ +From eb50241dbdac83c2d0486ecd39522914a9f06a1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 May 2022 11:13:16 +0800 +Subject: net: stmmac: fix missing pci_disable_device() on error in + stmmac_pci_probe() + +From: Yang Yingliang + +[ Upstream commit 0807ce0b010418a191e0e4009803b2d74c3245d5 ] + +Switch to using pcim_enable_device() to avoid missing pci_disable_device(). + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20220510031316.1780409-1-yangyingliang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c +index cc1e887e47b5..3dec109251ad 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c +@@ -261,7 +261,7 @@ static int stmmac_pci_probe(struct pci_dev *pdev, + return -ENOMEM; + + /* Enable pci device */ +- ret = pci_enable_device(pdev); ++ ret = pcim_enable_device(pdev); + if (ret) { + dev_err(&pdev->dev, "%s: ERROR: failed to enable device\n", + __func__); +@@ -313,8 +313,6 @@ static void stmmac_pci_remove(struct pci_dev *pdev) + pcim_iounmap_regions(pdev, BIT(i)); + break; + } +- +- pci_disable_device(pdev); + } + + static int __maybe_unused stmmac_pci_suspend(struct device *dev) +-- +2.35.1 + diff --git a/queue-4.14/net-vmxnet3-fix-possible-null-pointer-dereference-in.patch b/queue-4.14/net-vmxnet3-fix-possible-null-pointer-dereference-in.patch new file mode 100644 index 00000000000..8ff09bd7557 --- /dev/null +++ b/queue-4.14/net-vmxnet3-fix-possible-null-pointer-dereference-in.patch @@ -0,0 +1,68 @@ +From 72893732707389c345ac9cfa7ca41cca5c4622fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 May 2022 13:07:11 +0800 +Subject: net: vmxnet3: fix possible NULL pointer dereference in + vmxnet3_rq_cleanup() + +From: Zixuan Fu + +[ Upstream commit edf410cb74dc612fd47ef5be319c5a0bcd6e6ccd ] + +In vmxnet3_rq_create(), when dma_alloc_coherent() fails, +vmxnet3_rq_destroy() is called. It sets rq->rx_ring[i].base to NULL. Then +vmxnet3_rq_create() returns an error to its callers mxnet3_rq_create_all() +-> vmxnet3_change_mtu(). Then vmxnet3_change_mtu() calls +vmxnet3_force_close() -> dev_close() in error handling code. And the driver +calls vmxnet3_close() -> vmxnet3_quiesce_dev() -> vmxnet3_rq_cleanup_all() +-> vmxnet3_rq_cleanup(). In vmxnet3_rq_cleanup(), +rq->rx_ring[ring_idx].base is accessed, but this variable is NULL, causing +a NULL pointer dereference. + +To fix this possible bug, an if statement is added to check whether +rq->rx_ring[0].base is NULL in vmxnet3_rq_cleanup() and exit early if so. + +The error log in our fault-injection testing is shown as follows: + +[ 65.220135] BUG: kernel NULL pointer dereference, address: 0000000000000008 +... +[ 65.222633] RIP: 0010:vmxnet3_rq_cleanup_all+0x396/0x4e0 [vmxnet3] +... +[ 65.227977] Call Trace: +... +[ 65.228262] vmxnet3_quiesce_dev+0x80f/0x8a0 [vmxnet3] +[ 65.228580] vmxnet3_close+0x2c4/0x3f0 [vmxnet3] +[ 65.228866] __dev_close_many+0x288/0x350 +[ 65.229607] dev_close_many+0xa4/0x480 +[ 65.231124] dev_close+0x138/0x230 +[ 65.231933] vmxnet3_force_close+0x1f0/0x240 [vmxnet3] +[ 65.232248] vmxnet3_change_mtu+0x75d/0x920 [vmxnet3] +... + +Fixes: d1a890fa37f27 ("net: VMware virtual Ethernet NIC driver: vmxnet3") +Reported-by: TOTE Robot +Signed-off-by: Zixuan Fu +Link: https://lore.kernel.org/r/20220514050711.2636709-1-r33s3n6@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/vmxnet3/vmxnet3_drv.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c +index 8f536bc2aed8..c6feb7459be6 100644 +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -1573,6 +1573,10 @@ vmxnet3_rq_cleanup(struct vmxnet3_rx_queue *rq, + u32 i, ring_idx; + struct Vmxnet3_RxDesc *rxd; + ++ /* ring has already been cleaned up */ ++ if (!rq->rx_ring[0].base) ++ return; ++ + for (ring_idx = 0; ring_idx < 2; ring_idx++) { + for (i = 0; i < rq->rx_ring[ring_idx].size; i++) { + #ifdef __BIG_ENDIAN_BITFIELD +-- +2.35.1 + diff --git a/queue-4.14/net-vmxnet3-fix-possible-use-after-free-bugs-in-vmxn.patch b/queue-4.14/net-vmxnet3-fix-possible-use-after-free-bugs-in-vmxn.patch new file mode 100644 index 00000000000..bec9cf269fb --- /dev/null +++ b/queue-4.14/net-vmxnet3-fix-possible-use-after-free-bugs-in-vmxn.patch @@ -0,0 +1,94 @@ +From 5ce647cba23ca925eb2514641a7da58ef81888ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 May 2022 13:06:56 +0800 +Subject: net: vmxnet3: fix possible use-after-free bugs in + vmxnet3_rq_alloc_rx_buf() + +From: Zixuan Fu + +[ Upstream commit 9e7fef9521e73ca8afd7da9e58c14654b02dfad8 ] + +In vmxnet3_rq_alloc_rx_buf(), when dma_map_single() fails, rbi->skb is +freed immediately. Similarly, in another branch, when dma_map_page() fails, +rbi->page is also freed. In the two cases, vmxnet3_rq_alloc_rx_buf() +returns an error to its callers vmxnet3_rq_init() -> vmxnet3_rq_init_all() +-> vmxnet3_activate_dev(). Then vmxnet3_activate_dev() calls +vmxnet3_rq_cleanup_all() in error handling code, and rbi->skb or rbi->page +are freed again in vmxnet3_rq_cleanup_all(), causing use-after-free bugs. + +To fix these possible bugs, rbi->skb and rbi->page should be cleared after +they are freed. + +The error log in our fault-injection testing is shown as follows: + +[ 14.319016] BUG: KASAN: use-after-free in consume_skb+0x2f/0x150 +... +[ 14.321586] Call Trace: +... +[ 14.325357] consume_skb+0x2f/0x150 +[ 14.325671] vmxnet3_rq_cleanup_all+0x33a/0x4e0 [vmxnet3] +[ 14.326150] vmxnet3_activate_dev+0xb9d/0x2ca0 [vmxnet3] +[ 14.326616] vmxnet3_open+0x387/0x470 [vmxnet3] +... +[ 14.361675] Allocated by task 351: +... +[ 14.362688] __netdev_alloc_skb+0x1b3/0x6f0 +[ 14.362960] vmxnet3_rq_alloc_rx_buf+0x1b0/0x8d0 [vmxnet3] +[ 14.363317] vmxnet3_activate_dev+0x3e3/0x2ca0 [vmxnet3] +[ 14.363661] vmxnet3_open+0x387/0x470 [vmxnet3] +... +[ 14.367309] +[ 14.367412] Freed by task 351: +... +[ 14.368932] __dev_kfree_skb_any+0xd2/0xe0 +[ 14.369193] vmxnet3_rq_alloc_rx_buf+0x71e/0x8d0 [vmxnet3] +[ 14.369544] vmxnet3_activate_dev+0x3e3/0x2ca0 [vmxnet3] +[ 14.369883] vmxnet3_open+0x387/0x470 [vmxnet3] +[ 14.370174] __dev_open+0x28a/0x420 +[ 14.370399] __dev_change_flags+0x192/0x590 +[ 14.370667] dev_change_flags+0x7a/0x180 +[ 14.370919] do_setlink+0xb28/0x3570 +[ 14.371150] rtnl_newlink+0x1160/0x1740 +[ 14.371399] rtnetlink_rcv_msg+0x5bf/0xa50 +[ 14.371661] netlink_rcv_skb+0x1cd/0x3e0 +[ 14.371913] netlink_unicast+0x5dc/0x840 +[ 14.372169] netlink_sendmsg+0x856/0xc40 +[ 14.372420] ____sys_sendmsg+0x8a7/0x8d0 +[ 14.372673] __sys_sendmsg+0x1c2/0x270 +[ 14.372914] do_syscall_64+0x41/0x90 +[ 14.373145] entry_SYSCALL_64_after_hwframe+0x44/0xae +... + +Fixes: 5738a09d58d5a ("vmxnet3: fix checks for dma mapping errors") +Reported-by: TOTE Robot +Signed-off-by: Zixuan Fu +Link: https://lore.kernel.org/r/20220514050656.2636588-1-r33s3n6@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/vmxnet3/vmxnet3_drv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c +index 98fc34ea78ff..8f536bc2aed8 100644 +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -595,6 +595,7 @@ vmxnet3_rq_alloc_rx_buf(struct vmxnet3_rx_queue *rq, u32 ring_idx, + if (dma_mapping_error(&adapter->pdev->dev, + rbi->dma_addr)) { + dev_kfree_skb_any(rbi->skb); ++ rbi->skb = NULL; + rq->stats.rx_buf_alloc_failure++; + break; + } +@@ -619,6 +620,7 @@ vmxnet3_rq_alloc_rx_buf(struct vmxnet3_rx_queue *rq, u32 ring_idx, + if (dma_mapping_error(&adapter->pdev->dev, + rbi->dma_addr)) { + put_page(rbi->page); ++ rbi->page = NULL; + rq->stats.rx_buf_alloc_failure++; + break; + } +-- +2.35.1 + diff --git a/queue-4.14/nfc-nci-fix-sleep-in-atomic-context-bugs-caused-by-n.patch b/queue-4.14/nfc-nci-fix-sleep-in-atomic-context-bugs-caused-by-n.patch new file mode 100644 index 00000000000..b44b770b5bd --- /dev/null +++ b/queue-4.14/nfc-nci-fix-sleep-in-atomic-context-bugs-caused-by-n.patch @@ -0,0 +1,81 @@ +From 5b9efc3ab5159957469b883da000c4aa21f5513d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 09:25:30 +0800 +Subject: NFC: nci: fix sleep in atomic context bugs caused by nci_skb_alloc + +From: Duoming Zhou + +[ Upstream commit 23dd4581350d4ffa23d58976ec46408f8f4c1e16 ] + +There are sleep in atomic context bugs when the request to secure +element of st-nci is timeout. The root cause is that nci_skb_alloc +with GFP_KERNEL parameter is called in st_nci_se_wt_timeout which is +a timer handler. The call paths that could trigger bugs are shown below: + + (interrupt context 1) +st_nci_se_wt_timeout + nci_hci_send_event + nci_hci_send_data + nci_skb_alloc(..., GFP_KERNEL) //may sleep + + (interrupt context 2) +st_nci_se_wt_timeout + nci_hci_send_event + nci_hci_send_data + nci_send_data + nci_queue_tx_data_frags + nci_skb_alloc(..., GFP_KERNEL) //may sleep + +This patch changes allocation mode of nci_skb_alloc from GFP_KERNEL to +GFP_ATOMIC in order to prevent atomic context sleeping. The GFP_ATOMIC +flag makes memory allocation operation could be used in atomic context. + +Fixes: ed06aeefdac3 ("nfc: st-nci: Rename st21nfcb to st-nci") +Signed-off-by: Duoming Zhou +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220517012530.75714-1-duoming@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/nfc/nci/data.c | 2 +- + net/nfc/nci/hci.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/nfc/nci/data.c b/net/nfc/nci/data.c +index 5405d073804c..9e3f9460f14f 100644 +--- a/net/nfc/nci/data.c ++++ b/net/nfc/nci/data.c +@@ -130,7 +130,7 @@ static int nci_queue_tx_data_frags(struct nci_dev *ndev, + + skb_frag = nci_skb_alloc(ndev, + (NCI_DATA_HDR_SIZE + frag_len), +- GFP_KERNEL); ++ GFP_ATOMIC); + if (skb_frag == NULL) { + rc = -ENOMEM; + goto free_exit; +diff --git a/net/nfc/nci/hci.c b/net/nfc/nci/hci.c +index c972c212e7ca..e5c5cff33236 100644 +--- a/net/nfc/nci/hci.c ++++ b/net/nfc/nci/hci.c +@@ -165,7 +165,7 @@ static int nci_hci_send_data(struct nci_dev *ndev, u8 pipe, + + i = 0; + skb = nci_skb_alloc(ndev, conn_info->max_pkt_payload_len + +- NCI_DATA_HDR_SIZE, GFP_KERNEL); ++ NCI_DATA_HDR_SIZE, GFP_ATOMIC); + if (!skb) + return -ENOMEM; + +@@ -198,7 +198,7 @@ static int nci_hci_send_data(struct nci_dev *ndev, u8 pipe, + if (i < data_len) { + skb = nci_skb_alloc(ndev, + conn_info->max_pkt_payload_len + +- NCI_DATA_HDR_SIZE, GFP_KERNEL); ++ NCI_DATA_HDR_SIZE, GFP_ATOMIC); + if (!skb) + return -ENOMEM; + +-- +2.35.1 + diff --git a/queue-4.14/perf-bench-numa-address-compiler-error-on-s390.patch b/queue-4.14/perf-bench-numa-address-compiler-error-on-s390.patch new file mode 100644 index 00000000000..a6dddb99f06 --- /dev/null +++ b/queue-4.14/perf-bench-numa-address-compiler-error-on-s390.patch @@ -0,0 +1,67 @@ +From c4cb100db017d2f16de173ab1255b706a2b2fe57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 May 2022 10:11:58 +0200 +Subject: perf bench numa: Address compiler error on s390 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Richter + +[ Upstream commit f8ac1c478424a9a14669b8cef7389b1e14e5229d ] + +The compilation on s390 results in this error: + + # make DEBUG=y bench/numa.o + ... + bench/numa.c: In function ‘__bench_numa’: + bench/numa.c:1749:81: error: ‘%d’ directive output may be truncated + writing between 1 and 11 bytes into a region of size between + 10 and 20 [-Werror=format-truncation=] + 1749 | snprintf(tname, sizeof(tname), "process%d:thread%d", p, t); + ^~ + ... + bench/numa.c:1749:64: note: directive argument in the range + [-2147483647, 2147483646] + ... + # + +The maximum length of the %d replacement is 11 characters because of the +negative sign. Therefore extend the array by two more characters. + +Output after: + + # make DEBUG=y bench/numa.o > /dev/null 2>&1; ll bench/numa.o + -rw-r--r-- 1 root root 418320 May 19 09:11 bench/numa.o + # + +Fixes: 3aff8ba0a4c9c919 ("perf bench numa: Avoid possible truncation when using snprintf()") +Suggested-by: Namhyung Kim +Signed-off-by: Thomas Richter +Cc: Heiko Carstens +Cc: Sumanth Korikkar +Cc: Sven Schnelle +Cc: Vasily Gorbik +Link: https://lore.kernel.org/r/20220520081158.2990006-1-tmricht@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/bench/numa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/bench/numa.c b/tools/perf/bench/numa.c +index 275f1c3c73b6..4334f2af15fa 100644 +--- a/tools/perf/bench/numa.c ++++ b/tools/perf/bench/numa.c +@@ -1631,7 +1631,7 @@ static int __bench_numa(const char *name) + "GB/sec,", "total-speed", "GB/sec total speed"); + + if (g->p.show_details >= 2) { +- char tname[14 + 2 * 10 + 1]; ++ char tname[14 + 2 * 11 + 1]; + struct thread_data *td; + for (p = 0; p < g->p.nr_proc; p++) { + for (t = 0; t < g->p.nr_threads; t++) { +-- +2.35.1 + diff --git a/queue-4.14/scsi-qla2xxx-fix-missed-dma-unmap-for-aborted-comman.patch b/queue-4.14/scsi-qla2xxx-fix-missed-dma-unmap-for-aborted-comman.patch new file mode 100644 index 00000000000..fca4c5154d1 --- /dev/null +++ b/queue-4.14/scsi-qla2xxx-fix-missed-dma-unmap-for-aborted-comman.patch @@ -0,0 +1,51 @@ +From 240f12b72ccfcc400f70ca3be9bc9e7c6419cb99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Apr 2022 12:42:29 +0000 +Subject: scsi: qla2xxx: Fix missed DMA unmap for aborted commands + +From: Gleb Chesnokov + +[ Upstream commit 26f9ce53817a8fd84b69a73473a7de852a24c897 ] + +Aborting commands that have already been sent to the firmware can +cause BUG in qlt_free_cmd(): BUG_ON(cmd->sg_mapped) + +For instance: + + - Command passes rdx_to_xfer state, maps sgl, sends to the firmware + + - Reset occurs, qla2xxx performs ISP error recovery, aborts the command + + - Target stack calls qlt_abort_cmd() and then qlt_free_cmd() + + - BUG_ON(cmd->sg_mapped) in qlt_free_cmd() occurs because sgl was not + unmapped + +Thus, unmap sgl in qlt_abort_cmd() for commands with the aborted flag set. + +Link: https://lore.kernel.org/r/AS8PR10MB4952D545F84B6B1DFD39EC1E9DEE9@AS8PR10MB4952.EURPRD10.PROD.OUTLOOK.COM +Reviewed-by: Himanshu Madhani +Signed-off-by: Gleb Chesnokov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_target.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c +index 97a0c2384aee..4b431ca55c96 100644 +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -3639,6 +3639,9 @@ int qlt_abort_cmd(struct qla_tgt_cmd *cmd) + + spin_lock_irqsave(&cmd->cmd_lock, flags); + if (cmd->aborted) { ++ if (cmd->sg_mapped) ++ qlt_unmap_sg(vha, cmd); ++ + spin_unlock_irqrestore(&cmd->cmd_lock, flags); + /* + * It's normal to see 2 calls in this path: +-- +2.35.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 0c4f2e3eca9..c25192484aa 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -11,3 +11,21 @@ drm-dp-mst-fix-a-possible-memory-leak-in-fetch_monitor_name.patch mmc-core-specify-timeouts-for-bkops-and-cache_flush-for-emmc.patch mmc-block-use-generic_cmd6_time-when-modifying-inand_cmd38_arg_ext_csd.patch mmc-core-default-to-generic_cmd6_time-as-timeout-in-__mmc_switch.patch +net-vmxnet3-fix-possible-use-after-free-bugs-in-vmxn.patch +net-vmxnet3-fix-possible-null-pointer-dereference-in.patch +clk-at91-generated-consider-range-when-calculating-b.patch +net-qla3xxx-fix-a-test-in-ql_reset_work.patch +nfc-nci-fix-sleep-in-atomic-context-bugs-caused-by-n.patch +net-af_key-add-check-for-pfkey_broadcast-in-function.patch +arm-9196-1-spectre-bhb-enable-for-cortex-a15.patch +arm-9197-1-spectre-bhb-fix-loop8-sequence-for-thumb2.patch +igb-skip-phy-status-check-where-unavailable.patch +net-bridge-clear-offload_fwd_mark-when-passing-frame.patch +gpio-gpio-vf610-do-not-touch-other-bits-when-set-the.patch +gpio-mvebu-pwm-refuse-requests-with-inverted-polarit.patch +perf-bench-numa-address-compiler-error-on-s390.patch +scsi-qla2xxx-fix-missed-dma-unmap-for-aborted-comman.patch +mac80211-fix-rx-reordering-with-non-explicit-psmp-ac.patch +ethernet-tulip-fix-missing-pci_disable_device-on-err.patch +net-stmmac-fix-missing-pci_disable_device-on-error-i.patch +net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch