From: Sasha Levin Date: Thu, 19 Sep 2019 18:08:16 +0000 (-0400) Subject: fixes for 4.19 X-Git-Tag: v4.4.194~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=da0ae11f21da2ab624de113d7e40d8973e1005dc;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/amd-xgbe-fix-error-path-in-xgbe_mod_init.patch b/queue-4.19/amd-xgbe-fix-error-path-in-xgbe_mod_init.patch new file mode 100644 index 00000000000..117fa90346c --- /dev/null +++ b/queue-4.19/amd-xgbe-fix-error-path-in-xgbe_mod_init.patch @@ -0,0 +1,50 @@ +From 8abc7635996c5a449f1812e6a7d589653382de45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2019 10:46:00 +0800 +Subject: amd-xgbe: Fix error path in xgbe_mod_init() + +From: YueHaibing + +[ Upstream commit b6b4dc4c1fa7f1c99398e7dc85758049645e9588 ] + +In xgbe_mod_init(), we should do cleanup if some error occurs + +Reported-by: Hulk Robot +Fixes: efbaa828330a ("amd-xgbe: Add support to handle device renaming") +Fixes: 47f164deab22 ("amd-xgbe: Add PCI device support") +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-main.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-main.c b/drivers/net/ethernet/amd/xgbe/xgbe-main.c +index b41f23679a087..7ce9c69e9c44f 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-main.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-main.c +@@ -469,13 +469,19 @@ static int __init xgbe_mod_init(void) + + ret = xgbe_platform_init(); + if (ret) +- return ret; ++ goto err_platform_init; + + ret = xgbe_pci_init(); + if (ret) +- return ret; ++ goto err_pci_init; + + return 0; ++ ++err_pci_init: ++ xgbe_platform_exit(); ++err_platform_init: ++ unregister_netdevice_notifier(&xgbe_netdev_notifier); ++ return ret; + } + + static void __exit xgbe_mod_exit(void) +-- +2.20.1 + diff --git a/queue-4.19/arm-8874-1-mm-only-adjust-sections-of-valid-mm-struc.patch b/queue-4.19/arm-8874-1-mm-only-adjust-sections-of-valid-mm-struc.patch new file mode 100644 index 00000000000..e139678a9fe --- /dev/null +++ b/queue-4.19/arm-8874-1-mm-only-adjust-sections-of-valid-mm-struc.patch @@ -0,0 +1,52 @@ +From d9e95f457153353ced43cff748e62f82170f61d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Jul 2019 18:50:11 +0100 +Subject: ARM: 8874/1: mm: only adjust sections of valid mm structures + +From: Doug Berger + +[ Upstream commit c51bc12d06b3a5494fbfcbd788a8e307932a06e9 ] + +A timing hazard exists when an early fork/exec thread begins +exiting and sets its mm pointer to NULL while a separate core +tries to update the section information. + +This commit ensures that the mm pointer is not NULL before +setting its section parameters. The arguments provided by +commit 11ce4b33aedc ("ARM: 8672/1: mm: remove tasklist locking +from update_sections_early()") are equally valid for not +requiring grabbing the task_lock around this check. + +Fixes: 08925c2f124f ("ARM: 8464/1: Update all mm structures with section adjustments") +Signed-off-by: Doug Berger +Acked-by: Laura Abbott +Cc: Mike Rapoport +Cc: Andrew Morton +Cc: Florian Fainelli +Cc: Rob Herring +Cc: "Steven Rostedt (VMware)" +Cc: Peng Fan +Cc: Geert Uytterhoeven +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/mm/init.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c +index 0cc8e04295a40..66b1568b95e05 100644 +--- a/arch/arm/mm/init.c ++++ b/arch/arm/mm/init.c +@@ -713,7 +713,8 @@ static void update_sections_early(struct section_perm perms[], int n) + if (t->flags & PF_KTHREAD) + continue; + for_each_thread(t, s) +- set_section_perms(perms, n, true, s->mm); ++ if (s->mm) ++ set_section_perms(perms, n, true, s->mm); + } + set_section_perms(perms, n, true, current->active_mm); + set_section_perms(perms, n, true, &init_mm); +-- +2.20.1 + diff --git a/queue-4.19/arm-8901-1-add-a-criteria-for-pfn_valid-of-arm.patch b/queue-4.19/arm-8901-1-add-a-criteria-for-pfn_valid-of-arm.patch new file mode 100644 index 00000000000..05ae41ca25f --- /dev/null +++ b/queue-4.19/arm-8901-1-add-a-criteria-for-pfn_valid-of-arm.patch @@ -0,0 +1,50 @@ +From 734bbba968da52d385c8752e4250b6b713b2fdc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2019 04:07:37 +0100 +Subject: ARM: 8901/1: add a criteria for pfn_valid of arm + +From: zhaoyang + +[ Upstream commit 5b3efa4f1479c91cb8361acef55f9c6662feba57 ] + +pfn_valid can be wrong when parsing a invalid pfn whose phys address +exceeds BITS_PER_LONG as the MSB will be trimed when shifted. + +The issue originally arise from bellowing call stack, which corresponding to +an access of the /proc/kpageflags from userspace with a invalid pfn parameter +and leads to kernel panic. + +[46886.723249] c7 [] (stable_page_flags) from [] +[46886.723264] c7 [] (kpageflags_read) from [] +[46886.723280] c7 [] (proc_reg_read) from [] +[46886.723290] c7 [] (__vfs_read) from [] +[46886.723301] c7 [] (vfs_read) from [] +[46886.723315] c7 [] (SyS_pread64) from [] +(ret_fast_syscall+0x0/0x28) + +Signed-off-by: Zhaoyang Huang +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/mm/init.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c +index 66b1568b95e05..e1d330a269212 100644 +--- a/arch/arm/mm/init.c ++++ b/arch/arm/mm/init.c +@@ -196,6 +196,11 @@ static void __init zone_sizes_init(unsigned long min, unsigned long max_low, + #ifdef CONFIG_HAVE_ARCH_PFN_VALID + int pfn_valid(unsigned long pfn) + { ++ phys_addr_t addr = __pfn_to_phys(pfn); ++ ++ if (__phys_to_pfn(addr) != pfn) ++ return 0; ++ + return memblock_is_map_memory(__pfn_to_phys(pfn)); + } + EXPORT_SYMBOL(pfn_valid); +-- +2.20.1 + diff --git a/queue-4.19/arm-dts-am57xx-disable-voltage-switching-for-sd-card.patch b/queue-4.19/arm-dts-am57xx-disable-voltage-switching-for-sd-card.patch new file mode 100644 index 00000000000..dad8ff05302 --- /dev/null +++ b/queue-4.19/arm-dts-am57xx-disable-voltage-switching-for-sd-card.patch @@ -0,0 +1,154 @@ +From 2d5180f76312e9347d07d1a09029c1d9d0816a6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jun 2019 15:54:54 +0530 +Subject: ARM: dts: am57xx: Disable voltage switching for SD card + +From: Faiz Abbas + +[ Upstream commit fb59ee37cfe20d10d19568899d1458a58361246c ] + +If UHS speed modes are enabled, a compatible SD card switches down to +1.8V during enumeration. If after this a software reboot/crash takes +place and on-chip ROM tries to enumerate the SD card, the difference in +IO voltages (host @ 3.3V and card @ 1.8V) may end up damaging the card. + +The fix for this is to have support for power cycling the card in +hardware (with a PORz/soft-reset line causing a power cycle of the +card). Because the beaglebone X15 (rev A,B and C), am57xx-idks and +am57xx-evms don't have this capability, disable voltage switching for +these boards. + +The major effect of this is that the maximum supported speed +mode is now high speed(50 MHz) down from SDR104(200 MHz). + +commit 88a748419b84 ("ARM: dts: am57xx-idk: Remove support for voltage +switching for SD card") did this only for idk boards. Do it for all +affected boards. + +Signed-off-by: Faiz Abbas +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/am571x-idk.dts | 7 +------ + arch/arm/boot/dts/am572x-idk.dts | 7 +------ + arch/arm/boot/dts/am574x-idk.dts | 7 +------ + arch/arm/boot/dts/am57xx-beagle-x15-common.dtsi | 1 + + arch/arm/boot/dts/am57xx-beagle-x15-revb1.dts | 7 +------ + arch/arm/boot/dts/am57xx-beagle-x15-revc.dts | 7 +------ + 6 files changed, 6 insertions(+), 30 deletions(-) + +diff --git a/arch/arm/boot/dts/am571x-idk.dts b/arch/arm/boot/dts/am571x-idk.dts +index d9a2049a1ea8a..6bebedfc0f35a 100644 +--- a/arch/arm/boot/dts/am571x-idk.dts ++++ b/arch/arm/boot/dts/am571x-idk.dts +@@ -98,14 +98,9 @@ + }; + + &mmc1 { +- pinctrl-names = "default", "hs", "sdr12", "sdr25", "sdr50", "ddr50", "sdr104"; ++ pinctrl-names = "default", "hs"; + pinctrl-0 = <&mmc1_pins_default_no_clk_pu>; + pinctrl-1 = <&mmc1_pins_hs>; +- pinctrl-2 = <&mmc1_pins_sdr12>; +- pinctrl-3 = <&mmc1_pins_sdr25>; +- pinctrl-4 = <&mmc1_pins_sdr50>; +- pinctrl-5 = <&mmc1_pins_ddr50_rev20 &mmc1_iodelay_ddr50_conf>; +- pinctrl-6 = <&mmc1_pins_sdr104 &mmc1_iodelay_sdr104_rev20_conf>; + }; + + &mmc2 { +diff --git a/arch/arm/boot/dts/am572x-idk.dts b/arch/arm/boot/dts/am572x-idk.dts +index 3ef9111d0e8ba..9235173edbd3a 100644 +--- a/arch/arm/boot/dts/am572x-idk.dts ++++ b/arch/arm/boot/dts/am572x-idk.dts +@@ -20,14 +20,9 @@ + }; + + &mmc1 { +- pinctrl-names = "default", "hs", "sdr12", "sdr25", "sdr50", "ddr50", "sdr104"; ++ pinctrl-names = "default", "hs"; + pinctrl-0 = <&mmc1_pins_default_no_clk_pu>; + pinctrl-1 = <&mmc1_pins_hs>; +- pinctrl-2 = <&mmc1_pins_sdr12>; +- pinctrl-3 = <&mmc1_pins_sdr25>; +- pinctrl-4 = <&mmc1_pins_sdr50>; +- pinctrl-5 = <&mmc1_pins_ddr50 &mmc1_iodelay_ddr_rev20_conf>; +- pinctrl-6 = <&mmc1_pins_sdr104 &mmc1_iodelay_sdr104_rev20_conf>; + }; + + &mmc2 { +diff --git a/arch/arm/boot/dts/am574x-idk.dts b/arch/arm/boot/dts/am574x-idk.dts +index 378dfa780ac17..ae43de3297f4f 100644 +--- a/arch/arm/boot/dts/am574x-idk.dts ++++ b/arch/arm/boot/dts/am574x-idk.dts +@@ -24,14 +24,9 @@ + }; + + &mmc1 { +- pinctrl-names = "default", "hs", "sdr12", "sdr25", "sdr50", "ddr50", "sdr104"; ++ pinctrl-names = "default", "hs"; + pinctrl-0 = <&mmc1_pins_default_no_clk_pu>; + pinctrl-1 = <&mmc1_pins_hs>; +- pinctrl-2 = <&mmc1_pins_default>; +- pinctrl-3 = <&mmc1_pins_hs>; +- pinctrl-4 = <&mmc1_pins_sdr50>; +- pinctrl-5 = <&mmc1_pins_ddr50 &mmc1_iodelay_ddr_conf>; +- pinctrl-6 = <&mmc1_pins_ddr50 &mmc1_iodelay_sdr104_conf>; + }; + + &mmc2 { +diff --git a/arch/arm/boot/dts/am57xx-beagle-x15-common.dtsi b/arch/arm/boot/dts/am57xx-beagle-x15-common.dtsi +index ad953113cefbd..d53532b479475 100644 +--- a/arch/arm/boot/dts/am57xx-beagle-x15-common.dtsi ++++ b/arch/arm/boot/dts/am57xx-beagle-x15-common.dtsi +@@ -433,6 +433,7 @@ + + bus-width = <4>; + cd-gpios = <&gpio6 27 GPIO_ACTIVE_LOW>; /* gpio 219 */ ++ no-1-8-v; + }; + + &mmc2 { +diff --git a/arch/arm/boot/dts/am57xx-beagle-x15-revb1.dts b/arch/arm/boot/dts/am57xx-beagle-x15-revb1.dts +index 5a77b334923d0..34c69965821bb 100644 +--- a/arch/arm/boot/dts/am57xx-beagle-x15-revb1.dts ++++ b/arch/arm/boot/dts/am57xx-beagle-x15-revb1.dts +@@ -19,14 +19,9 @@ + }; + + &mmc1 { +- pinctrl-names = "default", "hs", "sdr12", "sdr25", "sdr50", "ddr50", "sdr104"; ++ pinctrl-names = "default", "hs"; + pinctrl-0 = <&mmc1_pins_default>; + pinctrl-1 = <&mmc1_pins_hs>; +- pinctrl-2 = <&mmc1_pins_sdr12>; +- pinctrl-3 = <&mmc1_pins_sdr25>; +- pinctrl-4 = <&mmc1_pins_sdr50>; +- pinctrl-5 = <&mmc1_pins_ddr50 &mmc1_iodelay_ddr_rev11_conf>; +- pinctrl-6 = <&mmc1_pins_sdr104 &mmc1_iodelay_sdr104_rev11_conf>; + vmmc-supply = <&vdd_3v3>; + vqmmc-supply = <&ldo1_reg>; + }; +diff --git a/arch/arm/boot/dts/am57xx-beagle-x15-revc.dts b/arch/arm/boot/dts/am57xx-beagle-x15-revc.dts +index 17c41da3b55f1..ccd99160bbdfb 100644 +--- a/arch/arm/boot/dts/am57xx-beagle-x15-revc.dts ++++ b/arch/arm/boot/dts/am57xx-beagle-x15-revc.dts +@@ -19,14 +19,9 @@ + }; + + &mmc1 { +- pinctrl-names = "default", "hs", "sdr12", "sdr25", "sdr50", "ddr50", "sdr104"; ++ pinctrl-names = "default", "hs"; + pinctrl-0 = <&mmc1_pins_default>; + pinctrl-1 = <&mmc1_pins_hs>; +- pinctrl-2 = <&mmc1_pins_sdr12>; +- pinctrl-3 = <&mmc1_pins_sdr25>; +- pinctrl-4 = <&mmc1_pins_sdr50>; +- pinctrl-5 = <&mmc1_pins_ddr50 &mmc1_iodelay_ddr_rev20_conf>; +- pinctrl-6 = <&mmc1_pins_sdr104 &mmc1_iodelay_sdr104_rev20_conf>; + vmmc-supply = <&vdd_3v3>; + vqmmc-supply = <&ldo1_reg>; + }; +-- +2.20.1 + diff --git a/queue-4.19/arm-dts-dra74x-fix-iodelay-configuration-for-mmc3.patch b/queue-4.19/arm-dts-dra74x-fix-iodelay-configuration-for-mmc3.patch new file mode 100644 index 00000000000..40c05b758a6 --- /dev/null +++ b/queue-4.19/arm-dts-dra74x-fix-iodelay-configuration-for-mmc3.patch @@ -0,0 +1,110 @@ +From c86296c21400747a6879b9a46b6f2ca4f3bc6a9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Aug 2019 16:22:38 +0530 +Subject: ARM: dts: dra74x: Fix iodelay configuration for mmc3 + +From: Faiz Abbas + +[ Upstream commit 07f9a8be66a9bd86f9eaedf8f8aeb416195adab8 ] + +According to the latest am572x[1] and dra74x[2] data manuals, mmc3 +default, hs, sdr12 and sdr25 modes use iodelay values given in +MMC3_MANUAL1. Set the MODE_SELECT bit for these so that manual mode is +selected and correct iodelay values can be configured. + +[1] http://www.ti.com/lit/ds/symlink/am5728.pdf +[2] http://www.ti.com/lit/ds/symlink/dra746.pdf + +Signed-off-by: Faiz Abbas +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/dra74x-mmc-iodelay.dtsi | 50 +++++++++++------------ + 1 file changed, 25 insertions(+), 25 deletions(-) + +diff --git a/arch/arm/boot/dts/dra74x-mmc-iodelay.dtsi b/arch/arm/boot/dts/dra74x-mmc-iodelay.dtsi +index 28ebb4eb884a9..214b9e6de2c35 100644 +--- a/arch/arm/boot/dts/dra74x-mmc-iodelay.dtsi ++++ b/arch/arm/boot/dts/dra74x-mmc-iodelay.dtsi +@@ -32,7 +32,7 @@ + * + * Datamanual Revisions: + * +- * AM572x Silicon Revision 2.0: SPRS953B, Revised November 2016 ++ * AM572x Silicon Revision 2.0: SPRS953F, Revised May 2019 + * AM572x Silicon Revision 1.1: SPRS915R, Revised November 2016 + * + */ +@@ -229,45 +229,45 @@ + + mmc3_pins_default: mmc3_pins_default { + pinctrl-single,pins = < +- DRA7XX_CORE_IOPAD(0x377c, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_clk.mmc3_clk */ +- DRA7XX_CORE_IOPAD(0x3780, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_cmd.mmc3_cmd */ +- DRA7XX_CORE_IOPAD(0x3784, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat0.mmc3_dat0 */ +- DRA7XX_CORE_IOPAD(0x3788, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat1.mmc3_dat1 */ +- DRA7XX_CORE_IOPAD(0x378c, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat2.mmc3_dat2 */ +- DRA7XX_CORE_IOPAD(0x3790, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat3.mmc3_dat3 */ ++ DRA7XX_CORE_IOPAD(0x377c, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_clk.mmc3_clk */ ++ DRA7XX_CORE_IOPAD(0x3780, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_cmd.mmc3_cmd */ ++ DRA7XX_CORE_IOPAD(0x3784, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat0.mmc3_dat0 */ ++ DRA7XX_CORE_IOPAD(0x3788, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat1.mmc3_dat1 */ ++ DRA7XX_CORE_IOPAD(0x378c, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat2.mmc3_dat2 */ ++ DRA7XX_CORE_IOPAD(0x3790, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat3.mmc3_dat3 */ + >; + }; + + mmc3_pins_hs: mmc3_pins_hs { + pinctrl-single,pins = < +- DRA7XX_CORE_IOPAD(0x377c, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_clk.mmc3_clk */ +- DRA7XX_CORE_IOPAD(0x3780, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_cmd.mmc3_cmd */ +- DRA7XX_CORE_IOPAD(0x3784, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat0.mmc3_dat0 */ +- DRA7XX_CORE_IOPAD(0x3788, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat1.mmc3_dat1 */ +- DRA7XX_CORE_IOPAD(0x378c, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat2.mmc3_dat2 */ +- DRA7XX_CORE_IOPAD(0x3790, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat3.mmc3_dat3 */ ++ DRA7XX_CORE_IOPAD(0x377c, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_clk.mmc3_clk */ ++ DRA7XX_CORE_IOPAD(0x3780, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_cmd.mmc3_cmd */ ++ DRA7XX_CORE_IOPAD(0x3784, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat0.mmc3_dat0 */ ++ DRA7XX_CORE_IOPAD(0x3788, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat1.mmc3_dat1 */ ++ DRA7XX_CORE_IOPAD(0x378c, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat2.mmc3_dat2 */ ++ DRA7XX_CORE_IOPAD(0x3790, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat3.mmc3_dat3 */ + >; + }; + + mmc3_pins_sdr12: mmc3_pins_sdr12 { + pinctrl-single,pins = < +- DRA7XX_CORE_IOPAD(0x377c, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_clk.mmc3_clk */ +- DRA7XX_CORE_IOPAD(0x3780, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_cmd.mmc3_cmd */ +- DRA7XX_CORE_IOPAD(0x3784, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat0.mmc3_dat0 */ +- DRA7XX_CORE_IOPAD(0x3788, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat1.mmc3_dat1 */ +- DRA7XX_CORE_IOPAD(0x378c, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat2.mmc3_dat2 */ +- DRA7XX_CORE_IOPAD(0x3790, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat3.mmc3_dat3 */ ++ DRA7XX_CORE_IOPAD(0x377c, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_clk.mmc3_clk */ ++ DRA7XX_CORE_IOPAD(0x3780, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_cmd.mmc3_cmd */ ++ DRA7XX_CORE_IOPAD(0x3784, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat0.mmc3_dat0 */ ++ DRA7XX_CORE_IOPAD(0x3788, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat1.mmc3_dat1 */ ++ DRA7XX_CORE_IOPAD(0x378c, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat2.mmc3_dat2 */ ++ DRA7XX_CORE_IOPAD(0x3790, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat3.mmc3_dat3 */ + >; + }; + + mmc3_pins_sdr25: mmc3_pins_sdr25 { + pinctrl-single,pins = < +- DRA7XX_CORE_IOPAD(0x377c, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_clk.mmc3_clk */ +- DRA7XX_CORE_IOPAD(0x3780, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_cmd.mmc3_cmd */ +- DRA7XX_CORE_IOPAD(0x3784, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat0.mmc3_dat0 */ +- DRA7XX_CORE_IOPAD(0x3788, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat1.mmc3_dat1 */ +- DRA7XX_CORE_IOPAD(0x378c, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat2.mmc3_dat2 */ +- DRA7XX_CORE_IOPAD(0x3790, (PIN_INPUT_PULLUP | MUX_MODE0)) /* mmc3_dat3.mmc3_dat3 */ ++ DRA7XX_CORE_IOPAD(0x377c, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_clk.mmc3_clk */ ++ DRA7XX_CORE_IOPAD(0x3780, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_cmd.mmc3_cmd */ ++ DRA7XX_CORE_IOPAD(0x3784, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat0.mmc3_dat0 */ ++ DRA7XX_CORE_IOPAD(0x3788, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat1.mmc3_dat1 */ ++ DRA7XX_CORE_IOPAD(0x378c, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat2.mmc3_dat2 */ ++ DRA7XX_CORE_IOPAD(0x3790, (PIN_INPUT_PULLUP | MODE_SELECT | MUX_MODE0)) /* mmc3_dat3.mmc3_dat3 */ + >; + }; + +-- +2.20.1 + diff --git a/queue-4.19/arm-omap1-ams-delta-fiq-fix-missing-irq_ack.patch b/queue-4.19/arm-omap1-ams-delta-fiq-fix-missing-irq_ack.patch new file mode 100644 index 00000000000..15c1fa7b41c --- /dev/null +++ b/queue-4.19/arm-omap1-ams-delta-fiq-fix-missing-irq_ack.patch @@ -0,0 +1,65 @@ +From 7a7d601cef06dc8ceb1659201a1e86e218a645a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Aug 2019 10:48:02 +0200 +Subject: ARM: OMAP1: ams-delta-fiq: Fix missing irq_ack + +From: Janusz Krzysztofik + +[ Upstream commit fa8397e45c64e60c80373bc19ee56e42a6bed9b6 ] + +Non-serio path of Amstrad Delta FIQ deferred handler depended on +irq_ack() method provided by OMAP GPIO driver. That method has been +removed by commit 693de831c6e5 ("gpio: omap: remove irq_ack method"). +Remove useless code from the deferred handler and reimplement the +missing operation inside the base FIQ handler. + +Should another dependency - irq_unmask() - be ever removed from the OMAP +GPIO driver, WARN once if missing. + +Signed-off-by: Janusz Krzysztofik +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap1/ams-delta-fiq-handler.S | 3 ++- + arch/arm/mach-omap1/ams-delta-fiq.c | 4 +--- + 2 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/mach-omap1/ams-delta-fiq-handler.S b/arch/arm/mach-omap1/ams-delta-fiq-handler.S +index ddc27638ba2a5..017c792be0a07 100644 +--- a/arch/arm/mach-omap1/ams-delta-fiq-handler.S ++++ b/arch/arm/mach-omap1/ams-delta-fiq-handler.S +@@ -135,6 +135,8 @@ restart: + orr r11, r11, r13 @ mask all requested interrupts + str r11, [r12, #OMAP1510_GPIO_INT_MASK] + ++ str r13, [r12, #OMAP1510_GPIO_INT_STATUS] @ ack all requested interrupts ++ + ands r10, r13, #KEYBRD_CLK_MASK @ extract keyboard status - set? + beq hksw @ no - try next source + +@@ -142,7 +144,6 @@ restart: + @@@@@@@@@@@@@@@@@@@@@@ + @ Keyboard clock FIQ mode interrupt handler + @ r10 now contains KEYBRD_CLK_MASK, use it +- str r10, [r12, #OMAP1510_GPIO_INT_STATUS] @ ack the interrupt + bic r11, r11, r10 @ unmask it + str r11, [r12, #OMAP1510_GPIO_INT_MASK] + +diff --git a/arch/arm/mach-omap1/ams-delta-fiq.c b/arch/arm/mach-omap1/ams-delta-fiq.c +index b0dc7ddf5877d..b8ba763fe1086 100644 +--- a/arch/arm/mach-omap1/ams-delta-fiq.c ++++ b/arch/arm/mach-omap1/ams-delta-fiq.c +@@ -73,9 +73,7 @@ static irqreturn_t deferred_fiq(int irq, void *dev_id) + * interrupts default to since commit 80ac93c27441 + * requires interrupt already acked and unmasked. + */ +- if (irq_chip->irq_ack) +- irq_chip->irq_ack(d); +- if (irq_chip->irq_unmask) ++ if (!WARN_ON_ONCE(!irq_chip->irq_unmask)) + irq_chip->irq_unmask(d); + } + for (; irq_counter[gpio] < fiq_count; irq_counter[gpio]++) +-- +2.20.1 + diff --git a/queue-4.19/arm-omap2-fix-missing-sysc_has_reset_status-for-dra7.patch b/queue-4.19/arm-omap2-fix-missing-sysc_has_reset_status-for-dra7.patch new file mode 100644 index 00000000000..3f962921e46 --- /dev/null +++ b/queue-4.19/arm-omap2-fix-missing-sysc_has_reset_status-for-dra7.patch @@ -0,0 +1,40 @@ +From fade91132f32a79b0265bf57cbf990ac790c9df6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2019 03:44:52 -0700 +Subject: ARM: OMAP2+: Fix missing SYSC_HAS_RESET_STATUS for dra7 epwmss + +From: Tony Lindgren + +[ Upstream commit afd58b162e48076e3fe66d08a69eefbd6fe71643 ] + +TRM says PWMSS_SYSCONFIG bit for SOFTRESET changes to zero when +reset is completed. Let's configure it as otherwise we get warnings +on boot when we check the data against dts provided data. Eventually +the legacy platform data will be just dropped, but let's fix the +warning first. + +Reviewed-by: Suman Anna +Tested-by: Keerthy +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/omap_hwmod_7xx_data.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mach-omap2/omap_hwmod_7xx_data.c b/arch/arm/mach-omap2/omap_hwmod_7xx_data.c +index e6c7061a8e736..3547f32822b64 100644 +--- a/arch/arm/mach-omap2/omap_hwmod_7xx_data.c ++++ b/arch/arm/mach-omap2/omap_hwmod_7xx_data.c +@@ -385,7 +385,8 @@ static struct omap_hwmod dra7xx_dcan2_hwmod = { + static struct omap_hwmod_class_sysconfig dra7xx_epwmss_sysc = { + .rev_offs = 0x0, + .sysc_offs = 0x4, +- .sysc_flags = SYSC_HAS_SIDLEMODE | SYSC_HAS_SOFTRESET, ++ .sysc_flags = SYSC_HAS_SIDLEMODE | SYSC_HAS_SOFTRESET | ++ SYSC_HAS_RESET_STATUS, + .idlemodes = (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART), + .sysc_fields = &omap_hwmod_sysc_type2, + }; +-- +2.20.1 + diff --git a/queue-4.19/arm-omap2-fix-omap4-errata-warning-on-other-socs.patch b/queue-4.19/arm-omap2-fix-omap4-errata-warning-on-other-socs.patch new file mode 100644 index 00000000000..74a794cf3fa --- /dev/null +++ b/queue-4.19/arm-omap2-fix-omap4-errata-warning-on-other-socs.patch @@ -0,0 +1,45 @@ +From cca066cee0acc2d1fe4732467b00d4f13354896b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jul 2019 04:37:45 -0700 +Subject: ARM: OMAP2+: Fix omap4 errata warning on other SoCs + +From: Tony Lindgren + +[ Upstream commit 45da5e09dd32fa98c32eaafe2513db6bd75e2f4f ] + +We have errata i688 workaround produce warnings on SoCs other than +omap4 and omap5: + +omap4_sram_init:Unable to allocate sram needed to handle errata I688 +omap4_sram_init:Unable to get sram pool needed to handle errata I688 + +This is happening because there is no ti,omap4-mpu node, or no SRAM +to configure for the other SoCs, so let's remove the warning based +on the SoC revision checks. + +As nobody has complained it seems that the other SoC variants do not +need this workaround. + +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/omap4-common.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm/mach-omap2/omap4-common.c b/arch/arm/mach-omap2/omap4-common.c +index b226c8aaf8b1c..7074cfd1ff413 100644 +--- a/arch/arm/mach-omap2/omap4-common.c ++++ b/arch/arm/mach-omap2/omap4-common.c +@@ -131,6 +131,9 @@ static int __init omap4_sram_init(void) + struct device_node *np; + struct gen_pool *sram_pool; + ++ if (!soc_is_omap44xx() && !soc_is_omap54xx()) ++ return 0; ++ + np = of_find_compatible_node(NULL, NULL, "ti,omap4-mpu"); + if (!np) + pr_warn("%s:Unable to allocate sram needed to handle errata I688\n", +-- +2.20.1 + diff --git a/queue-4.19/batman-adv-only-read-ogm2-tvlv_len-after-buffer-len-.patch b/queue-4.19/batman-adv-only-read-ogm2-tvlv_len-after-buffer-len-.patch new file mode 100644 index 00000000000..a345abf8992 --- /dev/null +++ b/queue-4.19/batman-adv-only-read-ogm2-tvlv_len-after-buffer-len-.patch @@ -0,0 +1,73 @@ +From 3249f3043d47f18690e026592c0b171833cafa3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2019 08:55:36 +0200 +Subject: batman-adv: Only read OGM2 tvlv_len after buffer len check + +From: Sven Eckelmann + +[ Upstream commit 0ff0f15a32c093381ad1abc06abe85afb561ab28 ] + +Multiple batadv_ogm2_packet can be stored in an skbuff. The functions +batadv_v_ogm_send_to_if() uses batadv_v_ogm_aggr_packet() to check if there +is another additional batadv_ogm2_packet in the skb or not before they +continue processing the packet. + +The length for such an OGM2 is BATADV_OGM2_HLEN + +batadv_ogm2_packet->tvlv_len. The check must first check that at least +BATADV_OGM2_HLEN bytes are available before it accesses tvlv_len (which is +part of the header. Otherwise it might try read outside of the currently +available skbuff to get the content of tvlv_len. + +Fixes: 9323158ef9f4 ("batman-adv: OGMv2 - implement originators logic") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/bat_v_ogm.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c +index 2948b41b06d47..d241ccc0ca027 100644 +--- a/net/batman-adv/bat_v_ogm.c ++++ b/net/batman-adv/bat_v_ogm.c +@@ -643,17 +643,23 @@ batadv_v_ogm_process_per_outif(struct batadv_priv *bat_priv, + * batadv_v_ogm_aggr_packet() - checks if there is another OGM aggregated + * @buff_pos: current position in the skb + * @packet_len: total length of the skb +- * @tvlv_len: tvlv length of the previously considered OGM ++ * @ogm2_packet: potential OGM2 in buffer + * + * Return: true if there is enough space for another OGM, false otherwise. + */ +-static bool batadv_v_ogm_aggr_packet(int buff_pos, int packet_len, +- __be16 tvlv_len) ++static bool ++batadv_v_ogm_aggr_packet(int buff_pos, int packet_len, ++ const struct batadv_ogm2_packet *ogm2_packet) + { + int next_buff_pos = 0; + +- next_buff_pos += buff_pos + BATADV_OGM2_HLEN; +- next_buff_pos += ntohs(tvlv_len); ++ /* check if there is enough space for the header */ ++ next_buff_pos += buff_pos + sizeof(*ogm2_packet); ++ if (next_buff_pos > packet_len) ++ return false; ++ ++ /* check if there is enough space for the optional TVLV */ ++ next_buff_pos += ntohs(ogm2_packet->tvlv_len); + + return (next_buff_pos <= packet_len) && + (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES); +@@ -830,7 +836,7 @@ int batadv_v_ogm_packet_recv(struct sk_buff *skb, + ogm_packet = (struct batadv_ogm2_packet *)skb->data; + + while (batadv_v_ogm_aggr_packet(ogm_offset, skb_headlen(skb), +- ogm_packet->tvlv_len)) { ++ ogm_packet)) { + batadv_v_ogm_process(skb, ogm_offset, if_incoming); + + ogm_offset += BATADV_OGM2_HLEN; +-- +2.20.1 + diff --git a/queue-4.19/bpf-allow-narrow-loads-of-some-sk_reuseport_md-field.patch b/queue-4.19/bpf-allow-narrow-loads-of-some-sk_reuseport_md-field.patch new file mode 100644 index 00000000000..e297f2571b1 --- /dev/null +++ b/queue-4.19/bpf-allow-narrow-loads-of-some-sk_reuseport_md-field.patch @@ -0,0 +1,62 @@ +From 8530a160880f7b36b7e892eb0af763e7e71a04b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Aug 2019 17:50:25 +0200 +Subject: bpf: allow narrow loads of some sk_reuseport_md fields with offset > + 0 + +From: Ilya Leoshkevich + +[ Upstream commit 2c238177bd7f4b14bdf7447cc1cd9bb791f147e6 ] + +test_select_reuseport fails on s390 due to verifier rejecting +test_select_reuseport_kern.o with the following message: + + ; data_check.eth_protocol = reuse_md->eth_protocol; + 18: (69) r1 = *(u16 *)(r6 +22) + invalid bpf_context access off=22 size=2 + +This is because on big-endian machines casts from __u32 to __u16 are +generated by referencing the respective variable as __u16 with an offset +of 2 (as opposed to 0 on little-endian machines). + +The verifier already has all the infrastructure in place to allow such +accesses, it's just that they are not explicitly enabled for +eth_protocol field. Enable them for eth_protocol field by using +bpf_ctx_range instead of offsetof. + +Ditto for ip_protocol, bind_inany and len, since they already allow +narrowing, and the same problem can arise when working with them. + +Fixes: 2dbb9b9e6df6 ("bpf: Introduce BPF_PROG_TYPE_SK_REUSEPORT") +Signed-off-by: Ilya Leoshkevich +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index c996380f29597..e6fa88506c00d 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -7234,13 +7234,13 @@ sk_reuseport_is_valid_access(int off, int size, + return size == size_default; + + /* Fields that allow narrowing */ +- case offsetof(struct sk_reuseport_md, eth_protocol): ++ case bpf_ctx_range(struct sk_reuseport_md, eth_protocol): + if (size < FIELD_SIZEOF(struct sk_buff, protocol)) + return false; + /* fall through */ +- case offsetof(struct sk_reuseport_md, ip_protocol): +- case offsetof(struct sk_reuseport_md, bind_inany): +- case offsetof(struct sk_reuseport_md, len): ++ case bpf_ctx_range(struct sk_reuseport_md, ip_protocol): ++ case bpf_ctx_range(struct sk_reuseport_md, bind_inany): ++ case bpf_ctx_range(struct sk_reuseport_md, len): + bpf_ctx_record_field_size(info, size_default); + return bpf_ctx_narrow_access_ok(off, size, size_default); + +-- +2.20.1 + diff --git a/queue-4.19/bus-ti-sysc-fix-using-configured-sysc-mask-value.patch b/queue-4.19/bus-ti-sysc-fix-using-configured-sysc-mask-value.patch new file mode 100644 index 00000000000..dc6bc23295d --- /dev/null +++ b/queue-4.19/bus-ti-sysc-fix-using-configured-sysc-mask-value.patch @@ -0,0 +1,38 @@ +From 70f55ca542f5a7fdd8260641a6ee30a738b82682 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jul 2019 03:44:52 -0700 +Subject: bus: ti-sysc: Fix using configured sysc mask value + +From: Tony Lindgren + +[ Upstream commit e212abd452a4af3174fcd469d46656f83e135a19 ] + +We have cases where there are no softreset bits like with am335x lcdc. +In that case ti,sysc-mask = <0> needs to be handled properly. + +Tested-by: Keerthy +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + drivers/bus/ti-sysc.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c +index e4fe954e63a9b..4ca006e2137f7 100644 +--- a/drivers/bus/ti-sysc.c ++++ b/drivers/bus/ti-sysc.c +@@ -1022,10 +1022,7 @@ static int sysc_init_sysc_mask(struct sysc *ddata) + if (error) + return 0; + +- if (val) +- ddata->cfg.sysc_val = val & ddata->cap->sysc_mask; +- else +- ddata->cfg.sysc_val = ddata->cap->sysc_mask; ++ ddata->cfg.sysc_val = val & ddata->cap->sysc_mask; + + return 0; + } +-- +2.20.1 + diff --git a/queue-4.19/bus-ti-sysc-simplify-cleanup-upon-failures-in-sysc_p.patch b/queue-4.19/bus-ti-sysc-simplify-cleanup-upon-failures-in-sysc_p.patch new file mode 100644 index 00000000000..454a668092f --- /dev/null +++ b/queue-4.19/bus-ti-sysc-simplify-cleanup-upon-failures-in-sysc_p.patch @@ -0,0 +1,76 @@ +From 005323921af414111c82292a57061db3027cf1ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Jun 2019 18:33:15 -0500 +Subject: bus: ti-sysc: Simplify cleanup upon failures in sysc_probe() + +From: Suman Anna + +[ Upstream commit a304f483b6b00d42bde41c45ca52c670945348e2 ] + +The clocks are not yet parsed and prepared until after a successful +sysc_get_clocks(), so there is no need to unprepare the clocks upon +any failure of any of the prior functions in sysc_probe(). The current +code path would have been a no-op because of the clock validity checks +within sysc_unprepare(), but let's just simplify the cleanup path by +returning the error directly. + +While at this, also fix the cleanup path for a sysc_init_resets() +failure which is executed after the clocks are prepared. + +Signed-off-by: Suman Anna +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + drivers/bus/ti-sysc.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c +index 4ca006e2137f7..e95b26319cd91 100644 +--- a/drivers/bus/ti-sysc.c ++++ b/drivers/bus/ti-sysc.c +@@ -1685,7 +1685,7 @@ static int sysc_probe(struct platform_device *pdev) + + error = sysc_init_dts_quirks(ddata); + if (error) +- goto unprepare; ++ return error; + + error = sysc_get_clocks(ddata); + if (error) +@@ -1693,27 +1693,27 @@ static int sysc_probe(struct platform_device *pdev) + + error = sysc_map_and_check_registers(ddata); + if (error) +- goto unprepare; ++ return error; + + error = sysc_init_sysc_mask(ddata); + if (error) +- goto unprepare; ++ return error; + + error = sysc_init_idlemodes(ddata); + if (error) +- goto unprepare; ++ return error; + + error = sysc_init_syss_mask(ddata); + if (error) +- goto unprepare; ++ return error; + + error = sysc_init_pdata(ddata); + if (error) +- goto unprepare; ++ return error; + + error = sysc_init_resets(ddata); + if (error) +- return error; ++ goto unprepare; + + pm_runtime_enable(ddata->dev); + error = sysc_init_module(ddata); +-- +2.20.1 + diff --git a/queue-4.19/cifs-set-domainname-when-a-domain-key-is-used-in-mul.patch b/queue-4.19/cifs-set-domainname-when-a-domain-key-is-used-in-mul.patch new file mode 100644 index 00000000000..0f15c2841e9 --- /dev/null +++ b/queue-4.19/cifs-set-domainname-when-a-domain-key-is-used-in-mul.patch @@ -0,0 +1,72 @@ +From ef181ba7c7ce234e83f428d23cdf1b20135dc617 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2019 08:09:50 +1000 +Subject: cifs: set domainName when a domain-key is used in multiuser + +From: Ronnie Sahlberg + +[ Upstream commit f2aee329a68f5a907bcff11a109dfe17c0b41aeb ] + +RHBZ: 1710429 + +When we use a domain-key to authenticate using multiuser we must also set +the domainnmame for the new volume as it will be used and passed to the server +in the NTLMSSP Domain-name. + +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/connect.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 208430bb66fc6..75727518b272a 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -2756,6 +2756,7 @@ static int + cifs_set_cifscreds(struct smb_vol *vol, struct cifs_ses *ses) + { + int rc = 0; ++ int is_domain = 0; + const char *delim, *payload; + char *desc; + ssize_t len; +@@ -2803,6 +2804,7 @@ cifs_set_cifscreds(struct smb_vol *vol, struct cifs_ses *ses) + rc = PTR_ERR(key); + goto out_err; + } ++ is_domain = 1; + } + + down_read(&key->sem); +@@ -2860,6 +2862,26 @@ cifs_set_cifscreds(struct smb_vol *vol, struct cifs_ses *ses) + goto out_key_put; + } + ++ /* ++ * If we have a domain key then we must set the domainName in the ++ * for the request. ++ */ ++ if (is_domain && ses->domainName) { ++ vol->domainname = kstrndup(ses->domainName, ++ strlen(ses->domainName), ++ GFP_KERNEL); ++ if (!vol->domainname) { ++ cifs_dbg(FYI, "Unable to allocate %zd bytes for " ++ "domain\n", len); ++ rc = -ENOMEM; ++ kfree(vol->username); ++ vol->username = NULL; ++ kfree(vol->password); ++ vol->password = NULL; ++ goto out_key_put; ++ } ++ } ++ + out_key_put: + up_read(&key->sem); + key_put(key); +-- +2.20.1 + diff --git a/queue-4.19/cifs-use-kzfree-to-zero-out-the-password.patch b/queue-4.19/cifs-use-kzfree-to-zero-out-the-password.patch new file mode 100644 index 00000000000..a8e31fc35e7 --- /dev/null +++ b/queue-4.19/cifs-use-kzfree-to-zero-out-the-password.patch @@ -0,0 +1,35 @@ +From f0c82c931d9b0729ca69ef19e8c999456d344be0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2019 13:59:17 +0300 +Subject: cifs: Use kzfree() to zero out the password + +From: Dan Carpenter + +[ Upstream commit 478228e57f81f6cb60798d54fc02a74ea7dd267e ] + +It's safer to zero out the password so that it can never be disclosed. + +Fixes: 0c219f5799c7 ("cifs: set domainName when a domain-key is used in multiuser") +Signed-off-by: Dan Carpenter +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/connect.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 75727518b272a..c290e231f9188 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -2876,7 +2876,7 @@ cifs_set_cifscreds(struct smb_vol *vol, struct cifs_ses *ses) + rc = -ENOMEM; + kfree(vol->username); + vol->username = NULL; +- kfree(vol->password); ++ kzfree(vol->password); + vol->password = NULL; + goto out_key_put; + } +-- +2.20.1 + diff --git a/queue-4.19/dmaengine-ti-dma-crossbar-fix-a-memory-leak-bug.patch b/queue-4.19/dmaengine-ti-dma-crossbar-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..2ad2ef7e84e --- /dev/null +++ b/queue-4.19/dmaengine-ti-dma-crossbar-fix-a-memory-leak-bug.patch @@ -0,0 +1,43 @@ +From 45889fb50859ca4c5782ceed66454264c4414762 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Aug 2019 01:48:55 -0500 +Subject: dmaengine: ti: dma-crossbar: Fix a memory leak bug + +From: Wenwen Wang + +[ Upstream commit 2c231c0c1dec42192aca0f87f2dc68b8f0cbc7d2 ] + +In ti_dra7_xbar_probe(), 'rsv_events' is allocated through kcalloc(). Then +of_property_read_u32_array() is invoked to search for the property. +However, if this process fails, 'rsv_events' is not deallocated, leading to +a memory leak bug. To fix this issue, free 'rsv_events' before returning +the error. + +Signed-off-by: Wenwen Wang +Acked-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/1565938136-7249-1-git-send-email-wenwen@cs.uga.edu +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ti/dma-crossbar.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/ti/dma-crossbar.c b/drivers/dma/ti/dma-crossbar.c +index 9272b173c7465..6574cb5a12fee 100644 +--- a/drivers/dma/ti/dma-crossbar.c ++++ b/drivers/dma/ti/dma-crossbar.c +@@ -395,8 +395,10 @@ static int ti_dra7_xbar_probe(struct platform_device *pdev) + + ret = of_property_read_u32_array(node, pname, (u32 *)rsv_events, + nelm * 2); +- if (ret) ++ if (ret) { ++ kfree(rsv_events); + return ret; ++ } + + for (i = 0; i < nelm; i++) { + ti_dra7_xbar_reserve(rsv_events[i][0], rsv_events[i][1], +-- +2.20.1 + diff --git a/queue-4.19/dmaengine-ti-omap-dma-add-cleanup-in-omap_dma_probe.patch b/queue-4.19/dmaengine-ti-omap-dma-add-cleanup-in-omap_dma_probe.patch new file mode 100644 index 00000000000..871ee130356 --- /dev/null +++ b/queue-4.19/dmaengine-ti-omap-dma-add-cleanup-in-omap_dma_probe.patch @@ -0,0 +1,41 @@ +From 2eb0f4ed86fc3c453cd6f465441d772641837055 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Aug 2019 01:56:08 -0500 +Subject: dmaengine: ti: omap-dma: Add cleanup in omap_dma_probe() + +From: Wenwen Wang + +[ Upstream commit 962411b05a6d3342aa649e39cda1704c1fc042c6 ] + +If devm_request_irq() fails to disable all interrupts, no cleanup is +performed before retuning the error. To fix this issue, invoke +omap_dma_free() to do the cleanup. + +Signed-off-by: Wenwen Wang +Acked-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/1565938570-7528-1-git-send-email-wenwen@cs.uga.edu +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ti/omap-dma.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/ti/omap-dma.c b/drivers/dma/ti/omap-dma.c +index aeb9c29e52554..c192bdc30aae1 100644 +--- a/drivers/dma/ti/omap-dma.c ++++ b/drivers/dma/ti/omap-dma.c +@@ -1543,8 +1543,10 @@ static int omap_dma_probe(struct platform_device *pdev) + + rc = devm_request_irq(&pdev->dev, irq, omap_dma_irq, + IRQF_SHARED, "omap-dma-engine", od); +- if (rc) ++ if (rc) { ++ omap_dma_free(od); + return rc; ++ } + } + + if (omap_dma_glbl_read(od, CAPS_0) & CAPS_0_SUPPORT_LL123) +-- +2.20.1 + diff --git a/queue-4.19/fpga-altera-ps-spi-fix-getting-of-optional-confd-gpi.patch b/queue-4.19/fpga-altera-ps-spi-fix-getting-of-optional-confd-gpi.patch new file mode 100644 index 00000000000..eed7d2f9fe3 --- /dev/null +++ b/queue-4.19/fpga-altera-ps-spi-fix-getting-of-optional-confd-gpi.patch @@ -0,0 +1,54 @@ +From 113a1d8df968ab2cd8a39f1477896883f91b704d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jul 2019 10:48:45 +0800 +Subject: fpga: altera-ps-spi: Fix getting of optional confd gpio + +From: Phil Reid + +[ Upstream commit dec43da46f63eb71f519d963ba6832838e4262a3 ] + +Currently the driver does not handle EPROBE_DEFER for the confd gpio. +Use devm_gpiod_get_optional() instead of devm_gpiod_get() and return +error codes from altera_ps_probe(). + +Fixes: 5692fae0742d ("fpga manager: Add altera-ps-spi driver for Altera FPGAs") +Signed-off-by: Phil Reid +Signed-off-by: Moritz Fischer +Signed-off-by: Sasha Levin +--- + drivers/fpga/altera-ps-spi.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/fpga/altera-ps-spi.c b/drivers/fpga/altera-ps-spi.c +index 24b25c6260366..4925cae7dcdde 100644 +--- a/drivers/fpga/altera-ps-spi.c ++++ b/drivers/fpga/altera-ps-spi.c +@@ -207,7 +207,7 @@ static int altera_ps_write_complete(struct fpga_manager *mgr, + return -EIO; + } + +- if (!IS_ERR(conf->confd)) { ++ if (conf->confd) { + if (!gpiod_get_raw_value_cansleep(conf->confd)) { + dev_err(&mgr->dev, "CONF_DONE is inactive!\n"); + return -EIO; +@@ -265,10 +265,13 @@ static int altera_ps_probe(struct spi_device *spi) + return PTR_ERR(conf->status); + } + +- conf->confd = devm_gpiod_get(&spi->dev, "confd", GPIOD_IN); ++ conf->confd = devm_gpiod_get_optional(&spi->dev, "confd", GPIOD_IN); + if (IS_ERR(conf->confd)) { +- dev_warn(&spi->dev, "Not using confd gpio: %ld\n", +- PTR_ERR(conf->confd)); ++ dev_err(&spi->dev, "Failed to get confd gpio: %ld\n", ++ PTR_ERR(conf->confd)); ++ return PTR_ERR(conf->confd); ++ } else if (!conf->confd) { ++ dev_warn(&spi->dev, "Not using confd gpio"); + } + + /* Register manager with unique name */ +-- +2.20.1 + diff --git a/queue-4.19/i2c-designware-synchronize-irqs-when-unregistering-s.patch b/queue-4.19/i2c-designware-synchronize-irqs-when-unregistering-s.patch new file mode 100644 index 00000000000..244bd68659f --- /dev/null +++ b/queue-4.19/i2c-designware-synchronize-irqs-when-unregistering-s.patch @@ -0,0 +1,39 @@ +From ed7af24402e26e59073850c61e0d03bee24859f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Aug 2019 16:52:11 +0300 +Subject: i2c: designware: Synchronize IRQs when unregistering slave client + +From: Jarkko Nikula + +[ Upstream commit c486dcd2f1bbdd524a1e0149734b79e4ae329650 ] + +Make sure interrupt handler i2c_dw_irq_handler_slave() has finished +before clearing the the dev->slave pointer in i2c_dw_unreg_slave(). + +There is possibility for a race if i2c_dw_irq_handler_slave() is running +on another CPU while clearing the dev->slave pointer. + +Reported-by: Krzysztof Adamski +Reported-by: Wolfram Sang +Signed-off-by: Jarkko Nikula +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-designware-slave.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/i2c/busses/i2c-designware-slave.c b/drivers/i2c/busses/i2c-designware-slave.c +index e7f9305b2dd9f..f5f001738df5e 100644 +--- a/drivers/i2c/busses/i2c-designware-slave.c ++++ b/drivers/i2c/busses/i2c-designware-slave.c +@@ -94,6 +94,7 @@ static int i2c_dw_unreg_slave(struct i2c_client *slave) + + dev->disable_int(dev); + dev->disable(dev); ++ synchronize_irq(dev->irq); + dev->slave = NULL; + pm_runtime_put(dev->dev); + +-- +2.20.1 + diff --git a/queue-4.19/ibmvnic-do-not-process-reset-during-or-after-device-.patch b/queue-4.19/ibmvnic-do-not-process-reset-during-or-after-device-.patch new file mode 100644 index 00000000000..82e6258eba0 --- /dev/null +++ b/queue-4.19/ibmvnic-do-not-process-reset-during-or-after-device-.patch @@ -0,0 +1,54 @@ +From aa8f7c52b993d26bcaa5dbb30604f91ec6ad178f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2019 11:10:04 -0500 +Subject: ibmvnic: Do not process reset during or after device removal + +From: Thomas Falcon + +[ Upstream commit 36f1031c51a2538e5558fb44c6d6b88f98d3c0f2 ] + +Currently, the ibmvnic driver will not schedule device resets +if the device is being removed, but does not check the device +state before the reset is actually processed. This leads to a race +where a reset is scheduled with a valid device state but is +processed after the driver has been removed, resulting in an oops. + +Fix this by checking the device state before processing a queued +reset event. + +Reported-by: Abdul Haleem +Tested-by: Abdul Haleem +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmvnic.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index 255de7d68cd33..5a57be66a4872 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -1998,6 +1998,10 @@ static void __ibmvnic_reset(struct work_struct *work) + + rwi = get_next_rwi(adapter); + while (rwi) { ++ if (adapter->state == VNIC_REMOVING || ++ adapter->state == VNIC_REMOVED) ++ goto out; ++ + if (adapter->force_reset_recovery) { + adapter->force_reset_recovery = false; + rc = do_hard_reset(adapter, rwi, reset_state); +@@ -2022,7 +2026,7 @@ static void __ibmvnic_reset(struct work_struct *work) + netdev_dbg(adapter->netdev, "Reset failed\n"); + free_all_rwi(adapter); + } +- ++out: + adapter->resetting = false; + if (we_lock_rtnl) + rtnl_unlock(); +-- +2.20.1 + diff --git a/queue-4.19/ieee802154-hwsim-fix-error-handle-path-in-hwsim_init.patch b/queue-4.19/ieee802154-hwsim-fix-error-handle-path-in-hwsim_init.patch new file mode 100644 index 00000000000..80c492c1baa --- /dev/null +++ b/queue-4.19/ieee802154-hwsim-fix-error-handle-path-in-hwsim_init.patch @@ -0,0 +1,106 @@ +From 765cf34911f7c0d37716ae03910a3a56f30a9081 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Apr 2019 22:14:51 +0800 +Subject: ieee802154: hwsim: Fix error handle path in hwsim_init_module + +From: YueHaibing + +[ Upstream commit 1cbbbf39efab05fae67f59e6ed01bb85061c69e2 ] + +KASAN report this: + +BUG: unable to handle kernel paging request at fffffbfff834f001 +PGD 237fe8067 P4D 237fe8067 PUD 237e64067 PMD 1c968d067 PTE 0 +Oops: 0000 [#1] SMP KASAN PTI +CPU: 1 PID: 8871 Comm: syz-executor.0 Tainted: G C 5.0.0+ #5 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +RIP: 0010:strcmp+0x31/0xa0 lib/string.c:328 +Code: 00 00 00 00 fc ff df 55 53 48 83 ec 08 eb 0a 84 db 48 89 ef 74 5a 4c 89 e6 48 89 f8 48 89 fa 48 8d 6f 01 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28 38 d0 7f 04 84 c0 75 50 48 89 f0 48 89 f2 0f b6 5d +RSP: 0018:ffff8881e0c57800 EFLAGS: 00010246 +RAX: 1ffffffff834f001 RBX: ffffffffc1a78000 RCX: ffffffff827b9503 +RDX: 0000000000000000 RSI: ffffffffc1a40008 RDI: ffffffffc1a78008 +RBP: ffffffffc1a78009 R08: fffffbfff6a92195 R09: fffffbfff6a92195 +R10: ffff8881e0c578b8 R11: fffffbfff6a92194 R12: ffffffffc1a40008 +R13: dffffc0000000000 R14: ffffffffc1a3e470 R15: ffffffffc1a40000 +FS: 00007fdcc02ff700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: fffffbfff834f001 CR3: 00000001b3134003 CR4: 00000000007606e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + genl_family_find_byname+0x7f/0xf0 net/netlink/genetlink.c:104 + genl_register_family+0x1e1/0x1070 net/netlink/genetlink.c:333 + ? 0xffffffffc1978000 + hwsim_init_module+0x6a/0x1000 [mac802154_hwsim] + ? 0xffffffffc1978000 + ? 0xffffffffc1978000 + ? 0xffffffffc1978000 + do_one_initcall+0xbc/0x47d init/main.c:887 + do_init_module+0x1b5/0x547 kernel/module.c:3456 + load_module+0x6405/0x8c10 kernel/module.c:3804 + __do_sys_finit_module+0x162/0x190 kernel/module.c:3898 + do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x462e99 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fdcc02fec58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 +RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99 +RDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003 +RBP: 00007fdcc02fec70 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007fdcc02ff6bc +R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004 +Modules linked in: mac802154_hwsim(+) mac802154 ieee802154 speakup(C) rc_proteus_2309 rtc_rk808 streebog_generic rds vboxguest madera_spi madera da9052_wdt mISDN_core ueagle_atm usbatm atm ir_imon_decoder scsi_transport_sas rc_dntv_live_dvb_t panel_samsung_s6d16d0 drm drm_panel_orientation_quirks lib80211 fb_agm1264k_fl(C) gspca_pac7302 gspca_main videobuf2_v4l2 soundwire_intel_init i2c_dln2 dln2 usbcore hid_gaff 88pm8607 nfnetlink axp20x_i2c axp20x uio pata_marvell pmbus_core snd_sonicvibes gameport snd_pcm snd_opl3_lib snd_timer snd_hwdep snd_mpu401_uart snd_rawmidi snd_seq_device snd soundcore rtc_ds1511 rtc_ds1742 vsock dwc_xlgmac rtc_rx8010 libphy twofish_x86_64_3way twofish_x86_64 twofish_common ad5696_i2c ad5686 lp8788_charger cxd2880_spi dvb_core videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops fbtft(C) sysimgblt sysfillrect syscopyarea fb_sys_fops janz_ican3 firewire_net firewire_core crc_itu_t spi_slave_system_control i2c_matroxfb i2c_algo_bit + matroxfb_base fb fbdev matroxfb_DAC1064 matroxfb_accel cfbcopyarea cfbimgblt cfbfillrect matroxfb_Ti3026 matroxfb_g450 g450_pll matroxfb_misc leds_blinkm ti_dac7311 intel_spi_pci intel_spi spi_nor hid_elan hid async_tx rc_cinergy_1400 rc_core intel_ishtp kxcjk_1013 industrialio_triggered_buffer kfifo_buf can_dev intel_th spi_pxa2xx_platform pata_artop vme_ca91cx42 gb_gbphy(C) greybus(C) industrialio mptbase st_drv cmac ttpci_eeprom via_wdt gpio_xra1403 mtd iptable_security iptable_raw iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel aes_x86_64 input_leds crypto_simd cryptd glue_helper ide_pci_generic piix psmouse + ide_core serio_raw ata_generic i2c_piix4 pata_acpi parport_pc parport floppy rtc_cmos intel_agp intel_gtt agpgart sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: speakup] +Dumping ftrace buffer: + (ftrace buffer empty) +CR2: fffffbfff834f001 +---[ end trace 5aa772c793e0e971 ]--- +RIP: 0010:strcmp+0x31/0xa0 lib/string.c:328 +Code: 00 00 00 00 fc ff df 55 53 48 83 ec 08 eb 0a 84 db 48 89 ef 74 5a 4c 89 e6 48 89 f8 48 89 fa 48 8d 6f 01 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28 38 d0 7f 04 84 c0 75 50 48 89 f0 48 89 f2 0f b6 5d +RSP: 0018:ffff8881e0c57800 EFLAGS: 00010246 +RAX: 1ffffffff834f001 RBX: ffffffffc1a78000 RCX: ffffffff827b9503 +RDX: 0000000000000000 RSI: ffffffffc1a40008 RDI: ffffffffc1a78008 +RBP: ffffffffc1a78009 R08: fffffbfff6a92195 R09: fffffbfff6a92195 +R10: ffff8881e0c578b8 R11: fffffbfff6a92194 R12: ffffffffc1a40008 +R13: dffffc0000000000 R14: ffffffffc1a3e470 R15: ffffffffc1a40000 +FS: 00007fdcc02ff700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: fffffbfff834f001 CR3: 00000001b3134003 CR4: 00000000007606e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 + +The error handing path misplace the cleanup in hwsim_init_module, +switch the two cleanup functions to fix above issues. + +Reported-by: Hulk Robot +Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb") +Signed-off-by: YueHaibing +Acked-by: Alexander Aring +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/mac802154_hwsim.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c +index f1ed1744801c7..20b4c0c21e36a 100644 +--- a/drivers/net/ieee802154/mac802154_hwsim.c ++++ b/drivers/net/ieee802154/mac802154_hwsim.c +@@ -920,9 +920,9 @@ static __init int hwsim_init_module(void) + return 0; + + platform_drv: +- genl_unregister_family(&hwsim_genl_family); +-platform_dev: + platform_device_unregister(mac802154hwsim_dev); ++platform_dev: ++ genl_unregister_family(&hwsim_genl_family); + return rc; + } + +-- +2.20.1 + diff --git a/queue-4.19/ieee802154-hwsim-unregister-hw-while-hwsim_subscribe.patch b/queue-4.19/ieee802154-hwsim-unregister-hw-while-hwsim_subscribe.patch new file mode 100644 index 00000000000..28c3b12adfe --- /dev/null +++ b/queue-4.19/ieee802154-hwsim-unregister-hw-while-hwsim_subscribe.patch @@ -0,0 +1,101 @@ +From 05a8ae539f6ed07cccc83ea18375b82e79ab1f04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Apr 2019 23:48:10 +0800 +Subject: ieee802154: hwsim: unregister hw while hwsim_subscribe_all_others + fails + +From: YueHaibing + +[ Upstream commit de166bbe861738c8bc3e5dad5b03f45d7d6ef914 ] + +KASAN report this: + +kernel BUG at net/mac802154/main.c:130! +invalid opcode: 0000 [#1] PREEMPT SMP +CPU: 0 PID: 19932 Comm: modprobe Not tainted 5.1.0-rc6+ #22 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 +RIP: 0010:ieee802154_free_hw+0x2a/0x30 [mac802154] +Code: 55 48 8d 57 38 48 89 e5 53 48 89 fb 48 8b 47 38 48 39 c2 75 15 48 8d 7f 48 e8 82 85 16 e1 48 8b 7b 28 e8 f9 ef 83 e2 5b 5d c3 <0f> 0b 0f 1f 40 00 55 48 89 e5 53 48 89 fb 0f b6 86 80 00 00 00 88 +RSP: 0018:ffffc90001c7b9f0 EFLAGS: 00010206 +RAX: ffff88822df3aa80 RBX: ffff88823143d5c0 RCX: 0000000000000002 +RDX: ffff88823143d5f8 RSI: ffff88822b1fabc0 RDI: ffff88823143d5c0 +RBP: ffffc90001c7b9f8 R08: 0000000000000000 R09: 0000000000000001 +R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffff4 +R13: ffff88822dea4f50 R14: ffff88823143d7c0 R15: 00000000fffffff4 +FS: 00007ff52e999540(0000) GS:ffff888237a00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fdc06dba768 CR3: 000000023160a000 CR4: 00000000000006f0 +Call Trace: + hwsim_add_one+0x2dd/0x540 [mac802154_hwsim] + hwsim_probe+0x2f/0xb0 [mac802154_hwsim] + platform_drv_probe+0x3a/0x90 + ? driver_sysfs_add+0x79/0xb0 + really_probe+0x1d4/0x2d0 + driver_probe_device+0x50/0xf0 + device_driver_attach+0x54/0x60 + __driver_attach+0x7e/0xd0 + ? device_driver_attach+0x60/0x60 + bus_for_each_dev+0x68/0xc0 + driver_attach+0x19/0x20 + bus_add_driver+0x15e/0x200 + driver_register+0x5b/0xf0 + __platform_driver_register+0x31/0x40 + hwsim_init_module+0x74/0x1000 [mac802154_hwsim] + ? 0xffffffffa00e9000 + do_one_initcall+0x6c/0x3cc + ? kmem_cache_alloc_trace+0x248/0x3b0 + do_init_module+0x5b/0x1f1 + load_module+0x1db1/0x2690 + ? m_show+0x1d0/0x1d0 + __do_sys_finit_module+0xc5/0xd0 + __x64_sys_finit_module+0x15/0x20 + do_syscall_64+0x6b/0x1d0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x7ff52e4a2839 +Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48 +RSP: 002b:00007ffffa7b3c08 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 +RAX: ffffffffffffffda RBX: 00005647560a2a00 RCX: 00007ff52e4a2839 +RDX: 0000000000000000 RSI: 00005647547f3c2e RDI: 0000000000000003 +RBP: 00005647547f3c2e R08: 0000000000000000 R09: 00005647560a2a00 +R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000 +R13: 00005647560a2c10 R14: 0000000000040000 R15: 00005647560a2a00 +Modules linked in: mac802154_hwsim(+) mac802154 [last unloaded: mac802154_hwsim] + +In hwsim_add_one, if hwsim_subscribe_all_others fails, we +should call ieee802154_unregister_hw to free resources. + +Reported-by: Hulk Robot +Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb") +Signed-off-by: YueHaibing +Acked-by: Alexander Aring +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/mac802154_hwsim.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c +index 20b4c0c21e36a..be1f1a86bcd61 100644 +--- a/drivers/net/ieee802154/mac802154_hwsim.c ++++ b/drivers/net/ieee802154/mac802154_hwsim.c +@@ -821,7 +821,7 @@ static int hwsim_add_one(struct genl_info *info, struct device *dev, + err = hwsim_subscribe_all_others(phy); + if (err < 0) { + mutex_unlock(&hwsim_phys_lock); +- goto err_reg; ++ goto err_subscribe; + } + } + list_add_tail(&phy->list, &hwsim_phys); +@@ -831,6 +831,8 @@ static int hwsim_add_one(struct genl_info *info, struct device *dev, + + return idx; + ++err_subscribe: ++ ieee802154_unregister_hw(phy->hw); + err_reg: + kfree(pib); + err_pib: +-- +2.20.1 + diff --git a/queue-4.19/iommu-amd-fix-race-in-increase_address_space.patch b/queue-4.19/iommu-amd-fix-race-in-increase_address_space.patch new file mode 100644 index 00000000000..57bcef77518 --- /dev/null +++ b/queue-4.19/iommu-amd-fix-race-in-increase_address_space.patch @@ -0,0 +1,73 @@ +From b496f100fc1bb2e9db7a5ef9d4575195c51aa18d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2019 10:39:54 +0200 +Subject: iommu/amd: Fix race in increase_address_space() + +From: Joerg Roedel + +[ Upstream commit 754265bcab78a9014f0f99cd35e0d610fcd7dfa7 ] + +After the conversion to lock-less dma-api call the +increase_address_space() function can be called without any +locking. Multiple CPUs could potentially race for increasing +the address space, leading to invalid domain->mode settings +and invalid page-tables. This has been happening in the wild +under high IO load and memory pressure. + +Fix the race by locking this operation. The function is +called infrequently so that this does not introduce +a performance regression in the dma-api path again. + +Reported-by: Qian Cai +Fixes: 256e4621c21a ('iommu/amd: Make use of the generic IOVA allocator') +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd_iommu.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c +index 8b79e2b32d378..69c269dc4f1bf 100644 +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -1340,18 +1340,21 @@ static void domain_flush_devices(struct protection_domain *domain) + * another level increases the size of the address space by 9 bits to a size up + * to 64 bits. + */ +-static bool increase_address_space(struct protection_domain *domain, ++static void increase_address_space(struct protection_domain *domain, + gfp_t gfp) + { ++ unsigned long flags; + u64 *pte; + +- if (domain->mode == PAGE_MODE_6_LEVEL) ++ spin_lock_irqsave(&domain->lock, flags); ++ ++ if (WARN_ON_ONCE(domain->mode == PAGE_MODE_6_LEVEL)) + /* address space already 64 bit large */ +- return false; ++ goto out; + + pte = (void *)get_zeroed_page(gfp); + if (!pte) +- return false; ++ goto out; + + *pte = PM_LEVEL_PDE(domain->mode, + iommu_virt_to_phys(domain->pt_root)); +@@ -1359,7 +1362,10 @@ static bool increase_address_space(struct protection_domain *domain, + domain->mode += 1; + domain->updated = true; + +- return true; ++out: ++ spin_unlock_irqrestore(&domain->lock, flags); ++ ++ return; + } + + static u64 *alloc_pte(struct protection_domain *domain, +-- +2.20.1 + diff --git a/queue-4.19/iommu-amd-flush-old-domains-in-kdump-kernel.patch b/queue-4.19/iommu-amd-flush-old-domains-in-kdump-kernel.patch new file mode 100644 index 00000000000..29f16254e28 --- /dev/null +++ b/queue-4.19/iommu-amd-flush-old-domains-in-kdump-kernel.patch @@ -0,0 +1,84 @@ +From 8b0486c09267913bd1cc85bf3018e275b013078a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Sep 2019 12:09:48 -0500 +Subject: iommu/amd: Flush old domains in kdump kernel + +From: Stuart Hayes + +[ Upstream commit 36b7200f67dfe75b416b5281ed4ace9927b513bc ] + +When devices are attached to the amd_iommu in a kdump kernel, the old device +table entries (DTEs), which were copied from the crashed kernel, will be +overwritten with a new domain number. When the new DTE is written, the IOMMU +is told to flush the DTE from its internal cache--but it is not told to flush +the translation cache entries for the old domain number. + +Without this patch, AMD systems using the tg3 network driver fail when kdump +tries to save the vmcore to a network system, showing network timeouts and +(sometimes) IOMMU errors in the kernel log. + +This patch will flush IOMMU translation cache entries for the old domain when +a DTE gets overwritten with a new domain number. + +Signed-off-by: Stuart Hayes +Fixes: 3ac3e5ee5ed5 ('iommu/amd: Copy old trans table from old kernel') +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd_iommu.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c +index 8d9920ff41344..8b79e2b32d378 100644 +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -1153,6 +1153,17 @@ static void amd_iommu_flush_tlb_all(struct amd_iommu *iommu) + iommu_completion_wait(iommu); + } + ++static void amd_iommu_flush_tlb_domid(struct amd_iommu *iommu, u32 dom_id) ++{ ++ struct iommu_cmd cmd; ++ ++ build_inv_iommu_pages(&cmd, 0, CMD_INV_IOMMU_ALL_PAGES_ADDRESS, ++ dom_id, 1); ++ iommu_queue_command(iommu, &cmd); ++ ++ iommu_completion_wait(iommu); ++} ++ + static void amd_iommu_flush_all(struct amd_iommu *iommu) + { + struct iommu_cmd cmd; +@@ -1838,6 +1849,7 @@ static void set_dte_entry(u16 devid, struct protection_domain *domain, + { + u64 pte_root = 0; + u64 flags = 0; ++ u32 old_domid; + + if (domain->mode != PAGE_MODE_NONE) + pte_root = iommu_virt_to_phys(domain->pt_root); +@@ -1887,8 +1899,20 @@ static void set_dte_entry(u16 devid, struct protection_domain *domain, + flags &= ~DEV_DOMID_MASK; + flags |= domain->id; + ++ old_domid = amd_iommu_dev_table[devid].data[1] & DEV_DOMID_MASK; + amd_iommu_dev_table[devid].data[1] = flags; + amd_iommu_dev_table[devid].data[0] = pte_root; ++ ++ /* ++ * A kdump kernel might be replacing a domain ID that was copied from ++ * the previous kernel--if so, it needs to flush the translation cache ++ * entries for the old domain ID that is being overwritten ++ */ ++ if (old_domid) { ++ struct amd_iommu *iommu = amd_iommu_rlookup_table[devid]; ++ ++ amd_iommu_flush_tlb_domid(iommu, old_domid); ++ } + } + + static void clear_dte_entry(u16 devid) +-- +2.20.1 + diff --git a/queue-4.19/kallsyms-don-t-let-kallsyms_lookup_size_offset-fail-.patch b/queue-4.19/kallsyms-don-t-let-kallsyms_lookup_size_offset-fail-.patch new file mode 100644 index 00000000000..5c407deea59 --- /dev/null +++ b/queue-4.19/kallsyms-don-t-let-kallsyms_lookup_size_offset-fail-.patch @@ -0,0 +1,86 @@ +From 4361fcfd854d5fa79329502c9c4a0e150237d4e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Aug 2019 14:12:31 +0100 +Subject: kallsyms: Don't let kallsyms_lookup_size_offset() fail on retrieving + the first symbol + +From: Marc Zyngier + +[ Upstream commit 2a1a3fa0f29270583f0e6e3100d609e09697add1 ] + +An arm64 kernel configured with + + CONFIG_KPROBES=y + CONFIG_KALLSYMS=y + # CONFIG_KALLSYMS_ALL is not set + CONFIG_KALLSYMS_BASE_RELATIVE=y + +reports the following kprobe failure: + + [ 0.032677] kprobes: failed to populate blacklist: -22 + [ 0.033376] Please take care of using kprobes. + +It appears that kprobe fails to retrieve the symbol at address +0xffff000010081000, despite this symbol being in System.map: + + ffff000010081000 T __exception_text_start + +This symbol is part of the first group of aliases in the +kallsyms_offsets array (symbol names generated using ugly hacks in +scripts/kallsyms.c): + + kallsyms_offsets: + .long 0x1000 // do_undefinstr + .long 0x1000 // efi_header_end + .long 0x1000 // _stext + .long 0x1000 // __exception_text_start + .long 0x12b0 // do_cp15instr + +Looking at the implementation of get_symbol_pos(), it returns the +lowest index for aliasing symbols. In this case, it return 0. + +But kallsyms_lookup_size_offset() considers 0 as a failure, which +is obviously wrong (there is definitely a valid symbol living there). +In turn, the kprobe blacklisting stops abruptly, hence the original +error. + +A CONFIG_KALLSYMS_ALL kernel wouldn't fail as there is always +some random symbols at the beginning of this array, which are never +looked up via kallsyms_lookup_size_offset. + +Fix it by considering that get_symbol_pos() is always successful +(which is consistent with the other uses of this function). + +Fixes: ffc5089196446 ("[PATCH] Create kallsyms_lookup_size_offset()") +Reviewed-by: Masami Hiramatsu +Cc: Arnaldo Carvalho de Melo +Cc: Peter Zijlstra +Cc: Will Deacon +Cc: Catalin Marinas +Signed-off-by: Marc Zyngier +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + kernel/kallsyms.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c +index 02a0b01380d8e..ed87dac8378cc 100644 +--- a/kernel/kallsyms.c ++++ b/kernel/kallsyms.c +@@ -262,8 +262,10 @@ int kallsyms_lookup_size_offset(unsigned long addr, unsigned long *symbolsize, + { + char namebuf[KSYM_NAME_LEN]; + +- if (is_ksym_addr(addr)) +- return !!get_symbol_pos(addr, symbolsize, offset); ++ if (is_ksym_addr(addr)) { ++ get_symbol_pos(addr, symbolsize, offset); ++ return 1; ++ } + return !!module_address_lookup(addr, symbolsize, offset, NULL, namebuf) || + !!__bpf_address_lookup(addr, symbolsize, offset, namebuf); + } +-- +2.20.1 + diff --git a/queue-4.19/kconfig-fix-the-reference-to-the-idt77105-phy-driver.patch b/queue-4.19/kconfig-fix-the-reference-to-the-idt77105-phy-driver.patch new file mode 100644 index 00000000000..4b811aefb31 --- /dev/null +++ b/queue-4.19/kconfig-fix-the-reference-to-the-idt77105-phy-driver.patch @@ -0,0 +1,35 @@ +From 92ba805f9079efc26446f4e25bfb36560427217c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Aug 2019 07:04:25 +0200 +Subject: Kconfig: Fix the reference to the IDT77105 Phy driver in the + description of ATM_NICSTAR_USE_IDT77105 + +From: Christophe JAILLET + +[ Upstream commit cd9d4ff9b78fcd0fc4708900ba3e52e71e1a7690 ] + +This should be IDT77105, not IDT77015. + +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/atm/Kconfig b/drivers/atm/Kconfig +index 2e2efa577437e..8c37294f1d1ee 100644 +--- a/drivers/atm/Kconfig ++++ b/drivers/atm/Kconfig +@@ -200,7 +200,7 @@ config ATM_NICSTAR_USE_SUNI + make the card work). + + config ATM_NICSTAR_USE_IDT77105 +- bool "Use IDT77015 PHY driver (25Mbps)" ++ bool "Use IDT77105 PHY driver (25Mbps)" + depends on ATM_NICSTAR + help + Support for the PHYsical layer chip in ForeRunner LE25 cards. In +-- +2.20.1 + diff --git a/queue-4.19/keys-fix-missing-null-pointer-check-in-request_key_a.patch b/queue-4.19/keys-fix-missing-null-pointer-check-in-request_key_a.patch new file mode 100644 index 00000000000..05a789e7be2 --- /dev/null +++ b/queue-4.19/keys-fix-missing-null-pointer-check-in-request_key_a.patch @@ -0,0 +1,74 @@ +From 0f91adda07e2c402f40e25e08a3dab9408302eae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2019 13:37:29 +0100 +Subject: keys: Fix missing null pointer check in request_key_auth_describe() + +From: Hillf Danton + +[ Upstream commit d41a3effbb53b1bcea41e328d16a4d046a508381 ] + +If a request_key authentication token key gets revoked, there's a window in +which request_key_auth_describe() can see it with a NULL payload - but it +makes no check for this and something like the following oops may occur: + + BUG: Kernel NULL pointer dereference at 0x00000038 + Faulting instruction address: 0xc0000000004ddf30 + Oops: Kernel access of bad area, sig: 11 [#1] + ... + NIP [...] request_key_auth_describe+0x90/0xd0 + LR [...] request_key_auth_describe+0x54/0xd0 + Call Trace: + [...] request_key_auth_describe+0x54/0xd0 (unreliable) + [...] proc_keys_show+0x308/0x4c0 + [...] seq_read+0x3d0/0x540 + [...] proc_reg_read+0x90/0x110 + [...] __vfs_read+0x3c/0x70 + [...] vfs_read+0xb4/0x1b0 + [...] ksys_read+0x7c/0x130 + [...] system_call+0x5c/0x70 + +Fix this by checking for a NULL pointer when describing such a key. + +Also make the read routine check for a NULL pointer to be on the safe side. + +[DH: Modified to not take already-held rcu lock and modified to also check + in the read routine] + +Fixes: 04c567d9313e ("[PATCH] Keys: Fix race between two instantiators of a key") +Reported-by: Sachin Sant +Signed-off-by: Hillf Danton +Signed-off-by: David Howells +Tested-by: Sachin Sant +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + security/keys/request_key_auth.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c +index 5e515791ccd11..1d34b2a5f485e 100644 +--- a/security/keys/request_key_auth.c ++++ b/security/keys/request_key_auth.c +@@ -71,6 +71,9 @@ static void request_key_auth_describe(const struct key *key, + { + struct request_key_auth *rka = get_request_key_auth(key); + ++ if (!rka) ++ return; ++ + seq_puts(m, "key:"); + seq_puts(m, key->description); + if (key_is_positive(key)) +@@ -88,6 +91,9 @@ static long request_key_auth_read(const struct key *key, + size_t datalen; + long ret; + ++ if (!rka) ++ return -EKEYREVOKED; ++ + datalen = rka->callout_len; + ret = datalen; + +-- +2.20.1 + diff --git a/queue-4.19/net-aquantia-fix-out-of-memory-condition-on-rx-side.patch b/queue-4.19/net-aquantia-fix-out-of-memory-condition-on-rx-side.patch new file mode 100644 index 00000000000..6cae7348ecd --- /dev/null +++ b/queue-4.19/net-aquantia-fix-out-of-memory-condition-on-rx-side.patch @@ -0,0 +1,59 @@ +From b24b64ee8e0ba36ff017bac8418b5b6b4397f3bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Aug 2019 12:08:38 +0000 +Subject: net: aquantia: fix out of memory condition on rx side + +From: Dmitry Bogdanov + +[ Upstream commit be6cef69ba570ebb327eba1ef6438f7af49aaf86 ] + +On embedded environments with hard memory limits it is a normal although +rare case when skb can't be allocated on rx part under high traffic. + +In such OOM cases napi_complete_done() was not called. +So the napi object became in an invalid state like it is "scheduled". +Kernel do not re-schedules the poll of that napi object. + +Consequently, kernel can not remove that object the system hangs on +`ifconfig down` waiting for a poll. + +We are fixing this by gracefully closing napi poll routine with correct +invocation of napi_complete_done. + +This was reproduced with artificially failing the allocation of skb to +simulate an "out of memory" error case and check that traffic does +not get stuck. + +Fixes: 970a2e9864b0 ("net: ethernet: aquantia: Vector operations") +Signed-off-by: Igor Russkikh +Signed-off-by: Dmitry Bogdanov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aquantia/atlantic/aq_vec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_vec.c b/drivers/net/ethernet/aquantia/atlantic/aq_vec.c +index d335c334fa561..82582fa54d5d2 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_vec.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_vec.c +@@ -89,6 +89,7 @@ static int aq_vec_poll(struct napi_struct *napi, int budget) + } + } + ++err_exit: + if (!was_tx_cleaned) + work_done = budget; + +@@ -98,7 +99,7 @@ static int aq_vec_poll(struct napi_struct *napi, int budget) + 1U << self->aq_ring_param.vec_idx); + } + } +-err_exit: ++ + return work_done; + } + +-- +2.20.1 + diff --git a/queue-4.19/net-seeq-fix-the-function-used-to-release-some-memor.patch b/queue-4.19/net-seeq-fix-the-function-used-to-release-some-memor.patch new file mode 100644 index 00000000000..6fcf62a59d1 --- /dev/null +++ b/queue-4.19/net-seeq-fix-the-function-used-to-release-some-memor.patch @@ -0,0 +1,56 @@ +From 82dd183f2f0b2da1541ca73a174308a5cb6e56d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Aug 2019 09:17:51 +0200 +Subject: net: seeq: Fix the function used to release some memory in an error + handling path + +From: Christophe JAILLET + +[ Upstream commit e1e54ec7fb55501c33b117c111cb0a045b8eded2 ] + +In commit 99cd149efe82 ("sgiseeq: replace use of dma_cache_wback_inv"), +a call to 'get_zeroed_page()' has been turned into a call to +'dma_alloc_coherent()'. Only the remove function has been updated to turn +the corresponding 'free_page()' into 'dma_free_attrs()'. +The error hndling path of the probe function has not been updated. + +Fix it now. + +Rename the corresponding label to something more in line. + +Fixes: 99cd149efe82 ("sgiseeq: replace use of dma_cache_wback_inv") +Signed-off-by: Christophe JAILLET +Reviewed-by: Thomas Bogendoerfer +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/seeq/sgiseeq.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/seeq/sgiseeq.c b/drivers/net/ethernet/seeq/sgiseeq.c +index 696037d5ac3d5..ad557f457b2ce 100644 +--- a/drivers/net/ethernet/seeq/sgiseeq.c ++++ b/drivers/net/ethernet/seeq/sgiseeq.c +@@ -793,15 +793,16 @@ static int sgiseeq_probe(struct platform_device *pdev) + printk(KERN_ERR "Sgiseeq: Cannot register net device, " + "aborting.\n"); + err = -ENODEV; +- goto err_out_free_page; ++ goto err_out_free_attrs; + } + + printk(KERN_INFO "%s: %s %pM\n", dev->name, sgiseeqstr, dev->dev_addr); + + return 0; + +-err_out_free_page: +- free_page((unsigned long) sp->srings); ++err_out_free_attrs: ++ dma_free_attrs(&pdev->dev, sizeof(*sp->srings), sp->srings, ++ sp->srings_dma, DMA_ATTR_NON_CONSISTENT); + err_out_free_dev: + free_netdev(dev); + +-- +2.20.1 + diff --git a/queue-4.19/netfilter-ebtables-fix-argument-order-to-add_counter.patch b/queue-4.19/netfilter-ebtables-fix-argument-order-to-add_counter.patch new file mode 100644 index 00000000000..20ee4e8c591 --- /dev/null +++ b/queue-4.19/netfilter-ebtables-fix-argument-order-to-add_counter.patch @@ -0,0 +1,60 @@ +From b76b54e7a35bc0615a565398a1ddeafc19de441d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Aug 2019 10:54:16 -0400 +Subject: netfilter: ebtables: Fix argument order to ADD_COUNTER + +From: Todd Seidelmann + +[ Upstream commit f20faa06d83de440bec8e200870784c3458793c4 ] + +The ordering of arguments to the x_tables ADD_COUNTER macro +appears to be wrong in ebtables (cf. ip_tables.c, ip6_tables.c, +and arp_tables.c). + +This causes data corruption in the ebtables userspace tools +because they get incorrect packet & byte counts from the kernel. + +Fixes: d72133e628803 ("netfilter: ebtables: use ADD_COUNTER macro") +Signed-off-by: Todd Seidelmann +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/bridge/netfilter/ebtables.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index 62ffc989a44a2..7d249afa1466c 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -225,7 +225,7 @@ unsigned int ebt_do_table(struct sk_buff *skb, + return NF_DROP; + } + +- ADD_COUNTER(*(counter_base + i), 1, skb->len); ++ ADD_COUNTER(*(counter_base + i), skb->len, 1); + + /* these should only watch: not modify, nor tell us + * what to do with the packet +@@ -963,8 +963,8 @@ static void get_counters(const struct ebt_counter *oldcounters, + continue; + counter_base = COUNTER_BASE(oldcounters, nentries, cpu); + for (i = 0; i < nentries; i++) +- ADD_COUNTER(counters[i], counter_base[i].pcnt, +- counter_base[i].bcnt); ++ ADD_COUNTER(counters[i], counter_base[i].bcnt, ++ counter_base[i].pcnt); + } + } + +@@ -1289,7 +1289,7 @@ static int do_update_counters(struct net *net, const char *name, + + /* we add to the counters of the first cpu */ + for (i = 0; i < num_counters; i++) +- ADD_COUNTER(t->private->counters[i], tmp[i].pcnt, tmp[i].bcnt); ++ ADD_COUNTER(t->private->counters[i], tmp[i].bcnt, tmp[i].pcnt); + + write_unlock_bh(&t->lock); + ret = 0; +-- +2.20.1 + diff --git a/queue-4.19/netfilter-nf_conntrack_ftp-fix-debug-output.patch b/queue-4.19/netfilter-nf_conntrack_ftp-fix-debug-output.patch new file mode 100644 index 00000000000..4cc7649a0cc --- /dev/null +++ b/queue-4.19/netfilter-nf_conntrack_ftp-fix-debug-output.patch @@ -0,0 +1,47 @@ +From 79c7102d916c823d7895bb0709b21d9e835363bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2019 16:14:28 +0200 +Subject: netfilter: nf_conntrack_ftp: Fix debug output + +From: Thomas Jarosch + +[ Upstream commit 3a069024d371125227de3ac8fa74223fcf473520 ] + +The find_pattern() debug output was printing the 'skip' character. +This can be a NULL-byte and messes up further pr_debug() output. + +Output without the fix: +kernel: nf_conntrack_ftp: Pattern matches! +kernel: nf_conntrack_ftp: Skipped up to `<7>nf_conntrack_ftp: find_pattern `PORT': dlen = 8 +kernel: nf_conntrack_ftp: find_pattern `EPRT': dlen = 8 + +Output with the fix: +kernel: nf_conntrack_ftp: Pattern matches! +kernel: nf_conntrack_ftp: Skipped up to 0x0 delimiter! +kernel: nf_conntrack_ftp: Match succeeded! +kernel: nf_conntrack_ftp: conntrack_ftp: match `172,17,0,100,200,207' (20 bytes at 4150681645) +kernel: nf_conntrack_ftp: find_pattern `PORT': dlen = 8 + +Signed-off-by: Thomas Jarosch +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_ftp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c +index a11c304fb7713..efc14c7b4f8ef 100644 +--- a/net/netfilter/nf_conntrack_ftp.c ++++ b/net/netfilter/nf_conntrack_ftp.c +@@ -323,7 +323,7 @@ static int find_pattern(const char *data, size_t dlen, + i++; + } + +- pr_debug("Skipped up to `%c'!\n", skip); ++ pr_debug("Skipped up to 0x%hhx delimiter!\n", skip); + + *numoff = i; + *numlen = getnum(data + i, dlen - i, cmd, term, numoff); +-- +2.20.1 + diff --git a/queue-4.19/netfilter-nft_flow_offload-missing-netlink-attribute.patch b/queue-4.19/netfilter-nft_flow_offload-missing-netlink-attribute.patch new file mode 100644 index 00000000000..ed37e2fe92a --- /dev/null +++ b/queue-4.19/netfilter-nft_flow_offload-missing-netlink-attribute.patch @@ -0,0 +1,45 @@ +From 8ae0ddb347216ff73038c14bb14f9e5b3e5e5fcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Aug 2019 11:23:58 +0200 +Subject: netfilter: nft_flow_offload: missing netlink attribute policy + +From: Pablo Neira Ayuso + +[ Upstream commit 14c415862c0630e01712a4eeaf6159a2b1b6d2a4 ] + +The netlink attribute policy for NFTA_FLOW_TABLE_NAME is missing. + +Fixes: a3c90f7a2323 ("netfilter: nf_tables: flow offload expression") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_flow_offload.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c +index 69decbe2c9884..1ef8cb789c41a 100644 +--- a/net/netfilter/nft_flow_offload.c ++++ b/net/netfilter/nft_flow_offload.c +@@ -149,6 +149,11 @@ static int nft_flow_offload_validate(const struct nft_ctx *ctx, + return nft_chain_validate_hooks(ctx->chain, hook_mask); + } + ++static const struct nla_policy nft_flow_offload_policy[NFTA_FLOW_MAX + 1] = { ++ [NFTA_FLOW_TABLE_NAME] = { .type = NLA_STRING, ++ .len = NFT_NAME_MAXLEN - 1 }, ++}; ++ + static int nft_flow_offload_init(const struct nft_ctx *ctx, + const struct nft_expr *expr, + const struct nlattr * const tb[]) +@@ -207,6 +212,7 @@ static const struct nft_expr_ops nft_flow_offload_ops = { + static struct nft_expr_type nft_flow_offload_type __read_mostly = { + .name = "flow_offload", + .ops = &nft_flow_offload_ops, ++ .policy = nft_flow_offload_policy, + .maxattr = NFTA_FLOW_MAX, + .owner = THIS_MODULE, + }; +-- +2.20.1 + diff --git a/queue-4.19/netfilter-xt_nfacct-fix-alignment-mismatch-in-xt_nfa.patch b/queue-4.19/netfilter-xt_nfacct-fix-alignment-mismatch-in-xt_nfa.patch new file mode 100644 index 00000000000..483fa28092e --- /dev/null +++ b/queue-4.19/netfilter-xt_nfacct-fix-alignment-mismatch-in-xt_nfa.patch @@ -0,0 +1,107 @@ +From ba85a0c270ec6d10649c55a4b32ba74fc7f77887 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Aug 2019 17:02:22 +0200 +Subject: netfilter: xt_nfacct: Fix alignment mismatch in xt_nfacct_match_info + +From: Juliana Rodrigueiro + +[ Upstream commit 89a26cd4b501e9511d3cd3d22327fc76a75a38b3 ] + +When running a 64-bit kernel with a 32-bit iptables binary, the size of +the xt_nfacct_match_info struct diverges. + + kernel: sizeof(struct xt_nfacct_match_info) : 40 + iptables: sizeof(struct xt_nfacct_match_info)) : 36 + +Trying to append nfacct related rules results in an unhelpful message. +Although it is suggested to look for more information in dmesg, nothing +can be found there. + + # iptables -A -m nfacct --nfacct-name + iptables: Invalid argument. Run `dmesg' for more information. + +This patch fixes the memory misalignment by enforcing 8-byte alignment +within the struct's first revision. This solution is often used in many +other uapi netfilter headers. + +Signed-off-by: Juliana Rodrigueiro +Acked-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/uapi/linux/netfilter/xt_nfacct.h | 5 ++++ + net/netfilter/xt_nfacct.c | 36 ++++++++++++++++-------- + 2 files changed, 30 insertions(+), 11 deletions(-) + +diff --git a/include/uapi/linux/netfilter/xt_nfacct.h b/include/uapi/linux/netfilter/xt_nfacct.h +index 5c8a4d760ee34..b5123ab8d54a8 100644 +--- a/include/uapi/linux/netfilter/xt_nfacct.h ++++ b/include/uapi/linux/netfilter/xt_nfacct.h +@@ -11,4 +11,9 @@ struct xt_nfacct_match_info { + struct nf_acct *nfacct; + }; + ++struct xt_nfacct_match_info_v1 { ++ char name[NFACCT_NAME_MAX]; ++ struct nf_acct *nfacct __attribute__((aligned(8))); ++}; ++ + #endif /* _XT_NFACCT_MATCH_H */ +diff --git a/net/netfilter/xt_nfacct.c b/net/netfilter/xt_nfacct.c +index 6b56f4170860c..3241fee9f2a19 100644 +--- a/net/netfilter/xt_nfacct.c ++++ b/net/netfilter/xt_nfacct.c +@@ -57,25 +57,39 @@ nfacct_mt_destroy(const struct xt_mtdtor_param *par) + nfnl_acct_put(info->nfacct); + } + +-static struct xt_match nfacct_mt_reg __read_mostly = { +- .name = "nfacct", +- .family = NFPROTO_UNSPEC, +- .checkentry = nfacct_mt_checkentry, +- .match = nfacct_mt, +- .destroy = nfacct_mt_destroy, +- .matchsize = sizeof(struct xt_nfacct_match_info), +- .usersize = offsetof(struct xt_nfacct_match_info, nfacct), +- .me = THIS_MODULE, ++static struct xt_match nfacct_mt_reg[] __read_mostly = { ++ { ++ .name = "nfacct", ++ .revision = 0, ++ .family = NFPROTO_UNSPEC, ++ .checkentry = nfacct_mt_checkentry, ++ .match = nfacct_mt, ++ .destroy = nfacct_mt_destroy, ++ .matchsize = sizeof(struct xt_nfacct_match_info), ++ .usersize = offsetof(struct xt_nfacct_match_info, nfacct), ++ .me = THIS_MODULE, ++ }, ++ { ++ .name = "nfacct", ++ .revision = 1, ++ .family = NFPROTO_UNSPEC, ++ .checkentry = nfacct_mt_checkentry, ++ .match = nfacct_mt, ++ .destroy = nfacct_mt_destroy, ++ .matchsize = sizeof(struct xt_nfacct_match_info_v1), ++ .usersize = offsetof(struct xt_nfacct_match_info_v1, nfacct), ++ .me = THIS_MODULE, ++ }, + }; + + static int __init nfacct_mt_init(void) + { +- return xt_register_match(&nfacct_mt_reg); ++ return xt_register_matches(nfacct_mt_reg, ARRAY_SIZE(nfacct_mt_reg)); + } + + static void __exit nfacct_mt_exit(void) + { +- xt_unregister_match(&nfacct_mt_reg); ++ xt_unregister_matches(nfacct_mt_reg, ARRAY_SIZE(nfacct_mt_reg)); + } + + module_init(nfacct_mt_init); +-- +2.20.1 + diff --git a/queue-4.19/netfilter-xt_physdev-fix-spurious-error-message-in-p.patch b/queue-4.19/netfilter-xt_physdev-fix-spurious-error-message-in-p.patch new file mode 100644 index 00000000000..e42d153d90e --- /dev/null +++ b/queue-4.19/netfilter-xt_physdev-fix-spurious-error-message-in-p.patch @@ -0,0 +1,46 @@ +From 8d1485c6cfbcc178bedf9afe69d264dc312c1285 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2019 11:47:53 -0400 +Subject: netfilter: xt_physdev: Fix spurious error message in physdev_mt_check + +From: Todd Seidelmann + +[ Upstream commit 3cf2f450fff304be9cf4868bf0df17f253bc5b1c ] + +Simplify the check in physdev_mt_check() to emit an error message +only when passed an invalid chain (ie, NF_INET_LOCAL_OUT). +This avoids cluttering up the log with errors against valid rules. + +For large/heavily modified rulesets, current behavior can quickly +overwhelm the ring buffer, because this function gets called on +every change, regardless of the rule that was changed. + +Signed-off-by: Todd Seidelmann +Acked-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_physdev.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c +index 05f00fb20b047..cd15ea79e3e2a 100644 +--- a/net/netfilter/xt_physdev.c ++++ b/net/netfilter/xt_physdev.c +@@ -104,11 +104,9 @@ static int physdev_mt_check(const struct xt_mtchk_param *par) + if (info->bitmask & (XT_PHYSDEV_OP_OUT | XT_PHYSDEV_OP_ISOUT) && + (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) || + info->invert & XT_PHYSDEV_OP_BRIDGED) && +- par->hook_mask & ((1 << NF_INET_LOCAL_OUT) | +- (1 << NF_INET_FORWARD) | (1 << NF_INET_POST_ROUTING))) { ++ par->hook_mask & (1 << NF_INET_LOCAL_OUT)) { + pr_info_ratelimited("--physdev-out and --physdev-is-out only supported in the FORWARD and POSTROUTING chains with bridged traffic\n"); +- if (par->hook_mask & (1 << NF_INET_LOCAL_OUT)) +- return -EINVAL; ++ return -EINVAL; + } + + if (!brnf_probed) { +-- +2.20.1 + diff --git a/queue-4.19/nfs-fix-initialisation-of-i-o-result-struct-in-nfs_p.patch b/queue-4.19/nfs-fix-initialisation-of-i-o-result-struct-in-nfs_p.patch new file mode 100644 index 00000000000..f303b7fa581 --- /dev/null +++ b/queue-4.19/nfs-fix-initialisation-of-i-o-result-struct-in-nfs_p.patch @@ -0,0 +1,36 @@ +From f9bb3ca5cfc8df38d2162d684739c828d6f0d0cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Aug 2019 14:19:09 -0400 +Subject: NFS: Fix initialisation of I/O result struct in nfs_pgio_rpcsetup + +From: Trond Myklebust + +[ Upstream commit 17d8c5d145000070c581f2a8aa01edc7998582ab ] + +Initialise the result count to 0 rather than initialising it to the +argument count. The reason is that we want to ensure we record the +I/O stats correctly in the case where an error is returned (for +instance in the layoutstats). + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pagelist.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c +index d23ea74b5d203..9cf59e2622f8e 100644 +--- a/fs/nfs/pagelist.c ++++ b/fs/nfs/pagelist.c +@@ -567,7 +567,7 @@ static void nfs_pgio_rpcsetup(struct nfs_pgio_header *hdr, + } + + hdr->res.fattr = &hdr->fattr; +- hdr->res.count = count; ++ hdr->res.count = 0; + hdr->res.eof = 0; + hdr->res.verf = &hdr->verf; + nfs_fattr_init(&hdr->fattr); +-- +2.20.1 + diff --git a/queue-4.19/nfsv2-fix-eof-handling.patch b/queue-4.19/nfsv2-fix-eof-handling.patch new file mode 100644 index 00000000000..c58e9b4115a --- /dev/null +++ b/queue-4.19/nfsv2-fix-eof-handling.patch @@ -0,0 +1,35 @@ +From eac9283b829a78750b0a1074450c214f53cb11f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2019 20:41:16 -0400 +Subject: NFSv2: Fix eof handling + +From: Trond Myklebust + +[ Upstream commit 71affe9be45a5c60b9772e1b2701710712637274 ] + +If we received a reply from the server with a zero length read and +no error, then that implies we are at eof. + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/proc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/proc.c b/fs/nfs/proc.c +index e0c257bd62b93..89fa9c706b380 100644 +--- a/fs/nfs/proc.c ++++ b/fs/nfs/proc.c +@@ -594,7 +594,8 @@ static int nfs_read_done(struct rpc_task *task, struct nfs_pgio_header *hdr) + /* Emulate the eof flag, which isn't normally needed in NFSv2 + * as it is guaranteed to always return the file attributes + */ +- if (hdr->args.offset + hdr->res.count >= hdr->res.fattr->size) ++ if ((hdr->res.count == 0 && hdr->args.count > 0) || ++ hdr->args.offset + hdr->res.count >= hdr->res.fattr->size) + hdr->res.eof = 1; + } + return 0; +-- +2.20.1 + diff --git a/queue-4.19/nfsv2-fix-write-regression.patch b/queue-4.19/nfsv2-fix-write-regression.patch new file mode 100644 index 00000000000..689e2824bc8 --- /dev/null +++ b/queue-4.19/nfsv2-fix-write-regression.patch @@ -0,0 +1,40 @@ +From b4b8ab0d051027b8892d8a0777ab5a434e3d65f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Aug 2019 07:03:28 -0400 +Subject: NFSv2: Fix write regression + +From: Trond Myklebust + +[ Upstream commit d33d4beb522987d1c305c12500796f9be3687dee ] + +Ensure we update the write result count on success, since the +RPC call itself does not do so. + +Reported-by: Jan Stancek +Reported-by: Naresh Kamboju +Signed-off-by: Trond Myklebust +Tested-by: Jan Stancek +Signed-off-by: Sasha Levin +--- + fs/nfs/proc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/proc.c b/fs/nfs/proc.c +index 89fa9c706b380..0e0335e77ce68 100644 +--- a/fs/nfs/proc.c ++++ b/fs/nfs/proc.c +@@ -616,8 +616,10 @@ static int nfs_proc_pgio_rpc_prepare(struct rpc_task *task, + + static int nfs_write_done(struct rpc_task *task, struct nfs_pgio_header *hdr) + { +- if (task->tk_status >= 0) ++ if (task->tk_status >= 0) { ++ hdr->res.count = hdr->args.count; + nfs_writeback_update_inode(hdr); ++ } + return 0; + } + +-- +2.20.1 + diff --git a/queue-4.19/nfsv4-fix-return-value-in-nfs_finish_open.patch b/queue-4.19/nfsv4-fix-return-value-in-nfs_finish_open.patch new file mode 100644 index 00000000000..e53997614c2 --- /dev/null +++ b/queue-4.19/nfsv4-fix-return-value-in-nfs_finish_open.patch @@ -0,0 +1,35 @@ +From fa5c7a110cbd52cba27f1749ed385828a42f652b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Aug 2019 12:15:07 -0400 +Subject: NFSv4: Fix return value in nfs_finish_open() + +From: Trond Myklebust + +[ Upstream commit 9821421a291b548ef4369c6998745baa36ddecd5 ] + +If the file turns out to be of the wrong type after opening, we want +to revalidate the path and retry, so return EOPENSTALE rather than +ESTALE. + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 71b2e390becf2..b8d6860879528 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1486,7 +1486,7 @@ static int nfs_finish_open(struct nfs_open_context *ctx, + if (S_ISREG(file->f_path.dentry->d_inode->i_mode)) + nfs_file_set_open_context(file, ctx); + else +- err = -ESTALE; ++ err = -EOPENSTALE; + out: + return err; + } +-- +2.20.1 + diff --git a/queue-4.19/nfsv4-fix-return-values-for-nfs4_file_open.patch b/queue-4.19/nfsv4-fix-return-values-for-nfs4_file_open.patch new file mode 100644 index 00000000000..58d3a1231a3 --- /dev/null +++ b/queue-4.19/nfsv4-fix-return-values-for-nfs4_file_open.patch @@ -0,0 +1,51 @@ +From edd47a5327503d564c5436860a4a44a4f414a8db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Aug 2019 15:03:11 -0400 +Subject: NFSv4: Fix return values for nfs4_file_open() + +From: Trond Myklebust + +[ Upstream commit 90cf500e338ab3f3c0f126ba37e36fb6a9058441 ] + +Currently, we are translating RPC level errors such as timeouts, +as well as interrupts etc into EOPENSTALE, which forces a single +replay of the open attempt. What we actually want to do is +force the replay only in the cases where the returned error +indicates that the file may have changed on the server. + +So the fix is to spell out the exact set of errors where we want +to return EOPENSTALE. + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4file.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/fs/nfs/nfs4file.c b/fs/nfs/nfs4file.c +index 61abbb087ed13..75d3cf86f1723 100644 +--- a/fs/nfs/nfs4file.c ++++ b/fs/nfs/nfs4file.c +@@ -73,13 +73,13 @@ nfs4_file_open(struct inode *inode, struct file *filp) + if (IS_ERR(inode)) { + err = PTR_ERR(inode); + switch (err) { +- case -EPERM: +- case -EACCES: +- case -EDQUOT: +- case -ENOSPC: +- case -EROFS: +- goto out_put_ctx; + default: ++ goto out_put_ctx; ++ case -ENOENT: ++ case -ESTALE: ++ case -EISDIR: ++ case -ENOTDIR: ++ case -ELOOP: + goto out_drop; + } + } +-- +2.20.1 + diff --git a/queue-4.19/perf-x86-amd-ibs-fix-sample-bias-for-dispatched-micr.patch b/queue-4.19/perf-x86-amd-ibs-fix-sample-bias-for-dispatched-micr.patch new file mode 100644 index 00000000000..5f48eb7d72d --- /dev/null +++ b/queue-4.19/perf-x86-amd-ibs-fix-sample-bias-for-dispatched-micr.patch @@ -0,0 +1,143 @@ +From 91165f6b914d0f4d70ff53a66fb6aaef9159bbd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Aug 2019 14:57:30 -0500 +Subject: perf/x86/amd/ibs: Fix sample bias for dispatched micro-ops + +From: Kim Phillips + +[ Upstream commit 0f4cd769c410e2285a4e9873a684d90423f03090 ] + +When counting dispatched micro-ops with cnt_ctl=1, in order to prevent +sample bias, IBS hardware preloads the least significant 7 bits of +current count (IbsOpCurCnt) with random values, such that, after the +interrupt is handled and counting resumes, the next sample taken +will be slightly perturbed. + +The current count bitfield is in the IBS execution control h/w register, +alongside the maximum count field. + +Currently, the IBS driver writes that register with the maximum count, +leaving zeroes to fill the current count field, thereby overwriting +the random bits the hardware preloaded for itself. + +Fix the driver to actually retain and carry those random bits from the +read of the IBS control register, through to its write, instead of +overwriting the lower current count bits with zeroes. + +Tested with: + +perf record -c 100001 -e ibs_op/cnt_ctl=1/pp -a -C 0 taskset -c 0 + +'perf annotate' output before: + + 15.70 65: addsd %xmm0,%xmm1 + 17.30 add $0x1,%rax + 15.88 cmp %rdx,%rax + je 82 + 17.32 72: test $0x1,%al + jne 7c + 7.52 movapd %xmm1,%xmm0 + 5.90 jmp 65 + 8.23 7c: sqrtsd %xmm1,%xmm0 + 12.15 jmp 65 + +'perf annotate' output after: + + 16.63 65: addsd %xmm0,%xmm1 + 16.82 add $0x1,%rax + 16.81 cmp %rdx,%rax + je 82 + 16.69 72: test $0x1,%al + jne 7c + 8.30 movapd %xmm1,%xmm0 + 8.13 jmp 65 + 8.24 7c: sqrtsd %xmm1,%xmm0 + 8.39 jmp 65 + +Tested on Family 15h and 17h machines. + +Machines prior to family 10h Rev. C don't have the RDWROPCNT capability, +and have the IbsOpCurCnt bitfield reserved, so this patch shouldn't +affect their operation. + +It is unknown why commit db98c5faf8cb ("perf/x86: Implement 64-bit +counter support for IBS") ignored the lower 4 bits of the IbsOpCurCnt +field; the number of preloaded random bits has always been 7, AFAICT. + +Signed-off-by: Kim Phillips +Signed-off-by: Peter Zijlstra (Intel) +Cc: "Arnaldo Carvalho de Melo" +Cc: +Cc: Ingo Molnar +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Thomas Gleixner +Cc: "Borislav Petkov" +Cc: Stephane Eranian +Cc: Alexander Shishkin +Cc: "Namhyung Kim" +Cc: "H. Peter Anvin" +Link: https://lkml.kernel.org/r/20190826195730.30614-1-kim.phillips@amd.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/amd/ibs.c | 13 ++++++++++--- + arch/x86/include/asm/perf_event.h | 12 ++++++++---- + 2 files changed, 18 insertions(+), 7 deletions(-) + +diff --git a/arch/x86/events/amd/ibs.c b/arch/x86/events/amd/ibs.c +index d50bb4dc06503..80c6d84cad67b 100644 +--- a/arch/x86/events/amd/ibs.c ++++ b/arch/x86/events/amd/ibs.c +@@ -672,10 +672,17 @@ fail: + + throttle = perf_event_overflow(event, &data, ®s); + out: +- if (throttle) ++ if (throttle) { + perf_ibs_stop(event, 0); +- else +- perf_ibs_enable_event(perf_ibs, hwc, period >> 4); ++ } else { ++ period >>= 4; ++ ++ if ((ibs_caps & IBS_CAPS_RDWROPCNT) && ++ (*config & IBS_OP_CNT_CTL)) ++ period |= *config & IBS_OP_CUR_CNT_RAND; ++ ++ perf_ibs_enable_event(perf_ibs, hwc, period); ++ } + + perf_event_update_userpage(event); + +diff --git a/arch/x86/include/asm/perf_event.h b/arch/x86/include/asm/perf_event.h +index 78241b736f2a0..f6c4915a863e0 100644 +--- a/arch/x86/include/asm/perf_event.h ++++ b/arch/x86/include/asm/perf_event.h +@@ -209,16 +209,20 @@ struct x86_pmu_capability { + #define IBSCTL_LVT_OFFSET_VALID (1ULL<<8) + #define IBSCTL_LVT_OFFSET_MASK 0x0F + +-/* ibs fetch bits/masks */ ++/* IBS fetch bits/masks */ + #define IBS_FETCH_RAND_EN (1ULL<<57) + #define IBS_FETCH_VAL (1ULL<<49) + #define IBS_FETCH_ENABLE (1ULL<<48) + #define IBS_FETCH_CNT 0xFFFF0000ULL + #define IBS_FETCH_MAX_CNT 0x0000FFFFULL + +-/* ibs op bits/masks */ +-/* lower 4 bits of the current count are ignored: */ +-#define IBS_OP_CUR_CNT (0xFFFF0ULL<<32) ++/* ++ * IBS op bits/masks ++ * The lower 7 bits of the current count are random bits ++ * preloaded by hardware and ignored in software ++ */ ++#define IBS_OP_CUR_CNT (0xFFF80ULL<<32) ++#define IBS_OP_CUR_CNT_RAND (0x0007FULL<<32) + #define IBS_OP_CNT_CTL (1ULL<<19) + #define IBS_OP_VAL (1ULL<<18) + #define IBS_OP_ENABLE (1ULL<<17) +-- +2.20.1 + diff --git a/queue-4.19/perf-x86-intel-restrict-period-on-nehalem.patch b/queue-4.19/perf-x86-intel-restrict-period-on-nehalem.patch new file mode 100644 index 00000000000..f28b72adb5a --- /dev/null +++ b/queue-4.19/perf-x86-intel-restrict-period-on-nehalem.patch @@ -0,0 +1,94 @@ +From 169113e829307436bae1ef60d6f85c3d1a4141f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Aug 2019 19:13:31 -0400 +Subject: perf/x86/intel: Restrict period on Nehalem + +From: Josh Hunt + +[ Upstream commit 44d3bbb6f5e501b873218142fe08cdf62a4ac1f3 ] + +We see our Nehalem machines reporting 'perfevents: irq loop stuck!' in +some cases when using perf: + +perfevents: irq loop stuck! +WARNING: CPU: 0 PID: 3485 at arch/x86/events/intel/core.c:2282 intel_pmu_handle_irq+0x37b/0x530 +... +RIP: 0010:intel_pmu_handle_irq+0x37b/0x530 +... +Call Trace: + +? perf_event_nmi_handler+0x2e/0x50 +? intel_pmu_save_and_restart+0x50/0x50 +perf_event_nmi_handler+0x2e/0x50 +nmi_handle+0x6e/0x120 +default_do_nmi+0x3e/0x100 +do_nmi+0x102/0x160 +end_repeat_nmi+0x16/0x50 +... +? native_write_msr+0x6/0x20 +? native_write_msr+0x6/0x20 + +intel_pmu_enable_event+0x1ce/0x1f0 +x86_pmu_start+0x78/0xa0 +x86_pmu_enable+0x252/0x310 +__perf_event_task_sched_in+0x181/0x190 +? __switch_to_asm+0x41/0x70 +? __switch_to_asm+0x35/0x70 +? __switch_to_asm+0x41/0x70 +? __switch_to_asm+0x35/0x70 +finish_task_switch+0x158/0x260 +__schedule+0x2f6/0x840 +? hrtimer_start_range_ns+0x153/0x210 +schedule+0x32/0x80 +schedule_hrtimeout_range_clock+0x8a/0x100 +? hrtimer_init+0x120/0x120 +ep_poll+0x2f7/0x3a0 +? wake_up_q+0x60/0x60 +do_epoll_wait+0xa9/0xc0 +__x64_sys_epoll_wait+0x1a/0x20 +do_syscall_64+0x4e/0x110 +entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x7fdeb1e96c03 +... +Signed-off-by: Peter Zijlstra (Intel) +Cc: acme@kernel.org +Cc: Josh Hunt +Cc: bpuranda@akamai.com +Cc: mingo@redhat.com +Cc: jolsa@redhat.com +Cc: tglx@linutronix.de +Cc: namhyung@kernel.org +Cc: alexander.shishkin@linux.intel.com +Link: https://lkml.kernel.org/r/1566256411-18820-1-git-send-email-johunt@akamai.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c +index db5a2ba617536..2dd8b0d64295a 100644 +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -3319,6 +3319,11 @@ static u64 bdw_limit_period(struct perf_event *event, u64 left) + return left; + } + ++static u64 nhm_limit_period(struct perf_event *event, u64 left) ++{ ++ return max(left, 32ULL); ++} ++ + PMU_FORMAT_ATTR(event, "config:0-7" ); + PMU_FORMAT_ATTR(umask, "config:8-15" ); + PMU_FORMAT_ATTR(edge, "config:18" ); +@@ -4115,6 +4120,7 @@ __init int intel_pmu_init(void) + x86_pmu.pebs_constraints = intel_nehalem_pebs_event_constraints; + x86_pmu.enable_all = intel_pmu_nhm_enable_all; + x86_pmu.extra_regs = intel_nehalem_extra_regs; ++ x86_pmu.limit_period = nhm_limit_period; + + x86_pmu.cpu_events = nhm_events_attrs; + +-- +2.20.1 + diff --git a/queue-4.19/qed-add-cleanup-in-qed_slowpath_start.patch b/queue-4.19/qed-add-cleanup-in-qed_slowpath_start.patch new file mode 100644 index 00000000000..31771466c5a --- /dev/null +++ b/queue-4.19/qed-add-cleanup-in-qed_slowpath_start.patch @@ -0,0 +1,46 @@ +From e38959dfa85751196aec9f268618e80edcfbec72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Aug 2019 23:46:36 -0500 +Subject: qed: Add cleanup in qed_slowpath_start() + +From: Wenwen Wang + +[ Upstream commit de0e4fd2f07ce3bbdb69dfb8d9426b7227451b69 ] + +If qed_mcp_send_drv_version() fails, no cleanup is executed, leading to +memory leaks. To fix this issue, introduce the label 'err4' to perform the +cleanup work before returning the error. + +Signed-off-by: Wenwen Wang +Acked-by: Sudarsana Reddy Kalluru +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c b/drivers/net/ethernet/qlogic/qed/qed_main.c +index cf3b0e3dc350c..637687b766ff0 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_main.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c +@@ -1150,7 +1150,7 @@ static int qed_slowpath_start(struct qed_dev *cdev, + &drv_version); + if (rc) { + DP_NOTICE(cdev, "Failed sending drv version command\n"); +- return rc; ++ goto err4; + } + } + +@@ -1158,6 +1158,8 @@ static int qed_slowpath_start(struct qed_dev *cdev, + + return 0; + ++err4: ++ qed_ll2_dealloc_if(cdev); + err3: + qed_hw_stop(cdev); + err2: +-- +2.20.1 + diff --git a/queue-4.19/r8152-set-memory-to-all-0xffs-on-failed-reg-reads.patch b/queue-4.19/r8152-set-memory-to-all-0xffs-on-failed-reg-reads.patch new file mode 100644 index 00000000000..7f87c7da199 --- /dev/null +++ b/queue-4.19/r8152-set-memory-to-all-0xffs-on-failed-reg-reads.patch @@ -0,0 +1,52 @@ +From 88bc1a896b26eaf540c28953761d8aa60ca94a5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Aug 2019 01:36:19 -0700 +Subject: r8152: Set memory to all 0xFFs on failed reg reads + +From: Prashant Malani + +[ Upstream commit f53a7ad189594a112167efaf17ea8d0242b5ac00 ] + +get_registers() blindly copies the memory written to by the +usb_control_msg() call even if the underlying urb failed. + +This could lead to junk register values being read by the driver, since +some indirect callers of get_registers() ignore the return values. One +example is: + ocp_read_dword() ignores the return value of generic_ocp_read(), which + calls get_registers(). + +So, emulate PCI "Master Abort" behavior by setting the buffer to all +0xFFs when usb_control_msg() fails. + +This patch is copied from the r8152 driver (v2.12.0) published by +Realtek (www.realtek.com). + +Signed-off-by: Prashant Malani +Acked-by: Hayes Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index f1b5201cc3207..a065a6184f7e4 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -788,8 +788,11 @@ int get_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data) + ret = usb_control_msg(tp->udev, usb_rcvctrlpipe(tp->udev, 0), + RTL8152_REQ_GET_REGS, RTL8152_REQT_READ, + value, index, tmp, size, 500); ++ if (ret < 0) ++ memset(data, 0xff, size); ++ else ++ memcpy(data, tmp, size); + +- memcpy(data, tmp, size); + kfree(tmp); + + return ret; +-- +2.20.1 + diff --git a/queue-4.19/s390-bpf-fix-lcgr-instruction-encoding.patch b/queue-4.19/s390-bpf-fix-lcgr-instruction-encoding.patch new file mode 100644 index 00000000000..ba03ecfbfe5 --- /dev/null +++ b/queue-4.19/s390-bpf-fix-lcgr-instruction-encoding.patch @@ -0,0 +1,43 @@ +From fac4a8349c547273863333c2dd80f83278913094 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Aug 2019 17:03:32 +0200 +Subject: s390/bpf: fix lcgr instruction encoding + +From: Ilya Leoshkevich + +[ Upstream commit bb2d267c448f4bc3a3389d97c56391cb779178ae ] + +"masking, test in bounds 3" fails on s390, because +BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0) ignores the top 32 bits of +BPF_REG_2. The reason is that JIT emits lcgfr instead of lcgr. +The associated comment indicates that the code was intended to +emit lcgr in the first place, it's just that the wrong opcode +was used. + +Fix by using the correct opcode. + +Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend") +Signed-off-by: Ilya Leoshkevich +Acked-by: Vasily Gorbik +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + arch/s390/net/bpf_jit_comp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c +index d7052cbe984f8..a3ce1fdc3d802 100644 +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -841,7 +841,7 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i + break; + case BPF_ALU64 | BPF_NEG: /* dst = -dst */ + /* lcgr %dst,%dst */ +- EMIT4(0xb9130000, dst_reg, dst_reg); ++ EMIT4(0xb9030000, dst_reg, dst_reg); + break; + /* + * BPF_FROM_BE/LE +-- +2.20.1 + diff --git a/queue-4.19/s390-bpf-use-32-bit-index-for-tail-calls.patch b/queue-4.19/s390-bpf-use-32-bit-index-for-tail-calls.patch new file mode 100644 index 00000000000..935d5fa1bbd --- /dev/null +++ b/queue-4.19/s390-bpf-use-32-bit-index-for-tail-calls.patch @@ -0,0 +1,62 @@ +From 16d5b7304fdc91cdae95b9cd47ba74684ec3f799 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Aug 2019 18:18:07 +0200 +Subject: s390/bpf: use 32-bit index for tail calls + +From: Ilya Leoshkevich + +[ Upstream commit 91b4db5313a2c793aabc2143efb8ed0cf0fdd097 ] + +"p runtime/jit: pass > 32bit index to tail_call" fails when +bpf_jit_enable=1, because the tail call is not executed. + +This in turn is because the generated code assumes index is 64-bit, +while it must be 32-bit, and as a result prog array bounds check fails, +while it should pass. Even if bounds check would have passed, the code +that follows uses 64-bit index to compute prog array offset. + +Fix by using clrj instead of clgrj for comparing index with array size, +and also by using llgfr for truncating index to 32 bits before using it +to compute prog array offset. + +Fixes: 6651ee070b31 ("s390/bpf: implement bpf_tail_call() helper") +Reported-by: Yauheni Kaliuta +Acked-by: Vasily Gorbik +Signed-off-by: Ilya Leoshkevich +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + arch/s390/net/bpf_jit_comp.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c +index a3ce1fdc3d802..2617e426c7926 100644 +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -1015,8 +1015,8 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i + /* llgf %w1,map.max_entries(%b2) */ + EMIT6_DISP_LH(0xe3000000, 0x0016, REG_W1, REG_0, BPF_REG_2, + offsetof(struct bpf_array, map.max_entries)); +- /* clgrj %b3,%w1,0xa,label0: if %b3 >= %w1 goto out */ +- EMIT6_PCREL_LABEL(0xec000000, 0x0065, BPF_REG_3, ++ /* clrj %b3,%w1,0xa,label0: if (u32)%b3 >= (u32)%w1 goto out */ ++ EMIT6_PCREL_LABEL(0xec000000, 0x0077, BPF_REG_3, + REG_W1, 0, 0xa); + + /* +@@ -1042,8 +1042,10 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i + * goto out; + */ + +- /* sllg %r1,%b3,3: %r1 = index * 8 */ +- EMIT6_DISP_LH(0xeb000000, 0x000d, REG_1, BPF_REG_3, REG_0, 3); ++ /* llgfr %r1,%b3: %r1 = (u32) index */ ++ EMIT4(0xb9160000, REG_1, BPF_REG_3); ++ /* sllg %r1,%r1,3: %r1 *= 8 */ ++ EMIT6_DISP_LH(0xeb000000, 0x000d, REG_1, REG_1, REG_0, 3); + /* lg %r1,prog(%b2,%r1) */ + EMIT6_DISP_LH(0xe3000000, 0x0004, REG_1, BPF_REG_2, + REG_1, offsetof(struct bpf_array, ptrs)); +-- +2.20.1 + diff --git a/queue-4.19/selftests-bpf-fix-bind-4-6-deny-specific-ip-port-on-.patch b/queue-4.19/selftests-bpf-fix-bind-4-6-deny-specific-ip-port-on-.patch new file mode 100644 index 00000000000..437baa2f332 --- /dev/null +++ b/queue-4.19/selftests-bpf-fix-bind-4-6-deny-specific-ip-port-on-.patch @@ -0,0 +1,61 @@ +From 73407e3ffe82d0a0f3bbf181a1e4d4d17aa737a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Aug 2019 12:41:09 +0200 +Subject: selftests/bpf: fix "bind{4, 6} deny specific IP & port" on s390 + +From: Ilya Leoshkevich + +[ Upstream commit 27df5c7068bf23cab282dc64b1c9894429b3b8a0 ] + +"bind4 allow specific IP & port" and "bind6 deny specific IP & port" +fail on s390 because of endianness issue: the 4 IP address bytes are +loaded as a word and compared with a constant, but the value of this +constant should be different on big- and little- endian machines, which +is not the case right now. + +Use __bpf_constant_ntohl to generate proper value based on machine +endianness. + +Fixes: 1d436885b23b ("selftests/bpf: Selftest for sys_bind post-hooks.") +Signed-off-by: Ilya Leoshkevich +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_sock.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/bpf/test_sock.c b/tools/testing/selftests/bpf/test_sock.c +index b8ebe2f580741..e9567122070a3 100644 +--- a/tools/testing/selftests/bpf/test_sock.c ++++ b/tools/testing/selftests/bpf/test_sock.c +@@ -13,6 +13,7 @@ + #include + + #include "cgroup_helpers.h" ++#include "bpf_endian.h" + #include "bpf_rlimit.h" + #include "bpf_util.h" + +@@ -231,7 +232,8 @@ static struct sock_test tests[] = { + /* if (ip == expected && port == expected) */ + BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, + offsetof(struct bpf_sock, src_ip6[3])), +- BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0x01000000, 4), ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_7, ++ __bpf_constant_ntohl(0x00000001), 4), + BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, + offsetof(struct bpf_sock, src_port)), + BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0x2001, 2), +@@ -260,7 +262,8 @@ static struct sock_test tests[] = { + /* if (ip == expected && port == expected) */ + BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, + offsetof(struct bpf_sock, src_ip4)), +- BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0x0100007F, 4), ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_7, ++ __bpf_constant_ntohl(0x7F000001), 4), + BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, + offsetof(struct bpf_sock, src_port)), + BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0x1002, 2), +-- +2.20.1 + diff --git a/queue-4.19/series b/queue-4.19/series index c5fa244cccb..c25927a303a 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -16,3 +16,58 @@ serial-sprd-correct-the-wrong-sequence-of-arguments.patch tty-serial-atmel-reschedule-tx-after-rx-was-started.patch mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch nl80211-fix-possible-spectre-v1-for-cqm-rssi-thresholds.patch +ieee802154-hwsim-fix-error-handle-path-in-hwsim_init.patch +ieee802154-hwsim-unregister-hw-while-hwsim_subscribe.patch +arm-dts-am57xx-disable-voltage-switching-for-sd-card.patch +arm-omap2-fix-missing-sysc_has_reset_status-for-dra7.patch +bus-ti-sysc-fix-using-configured-sysc-mask-value.patch +s390-bpf-fix-lcgr-instruction-encoding.patch +arm-omap2-fix-omap4-errata-warning-on-other-socs.patch +arm-dts-dra74x-fix-iodelay-configuration-for-mmc3.patch +arm-omap1-ams-delta-fiq-fix-missing-irq_ack.patch +bus-ti-sysc-simplify-cleanup-upon-failures-in-sysc_p.patch +s390-bpf-use-32-bit-index-for-tail-calls.patch +selftests-bpf-fix-bind-4-6-deny-specific-ip-port-on-.patch +tools-bpftool-close-prog-fd-before-exit-on-showing-a.patch +fpga-altera-ps-spi-fix-getting-of-optional-confd-gpi.patch +netfilter-ebtables-fix-argument-order-to-add_counter.patch +netfilter-nft_flow_offload-missing-netlink-attribute.patch +netfilter-xt_nfacct-fix-alignment-mismatch-in-xt_nfa.patch +nfsv4-fix-return-values-for-nfs4_file_open.patch +nfsv4-fix-return-value-in-nfs_finish_open.patch +nfs-fix-initialisation-of-i-o-result-struct-in-nfs_p.patch +kconfig-fix-the-reference-to-the-idt77105-phy-driver.patch +xdp-unpin-xdp-umem-pages-in-error-path.patch +qed-add-cleanup-in-qed_slowpath_start.patch +arm-8874-1-mm-only-adjust-sections-of-valid-mm-struc.patch +batman-adv-only-read-ogm2-tvlv_len-after-buffer-len-.patch +bpf-allow-narrow-loads-of-some-sk_reuseport_md-field.patch +r8152-set-memory-to-all-0xffs-on-failed-reg-reads.patch +x86-apic-fix-arch_dynirq_lower_bound-bug-for-dt-enab.patch +netfilter-xt_physdev-fix-spurious-error-message-in-p.patch +netfilter-nf_conntrack_ftp-fix-debug-output.patch +nfsv2-fix-eof-handling.patch +nfsv2-fix-write-regression.patch +kallsyms-don-t-let-kallsyms_lookup_size_offset-fail-.patch +cifs-set-domainname-when-a-domain-key-is-used-in-mul.patch +cifs-use-kzfree-to-zero-out-the-password.patch +usb-host-xhci-tegra-set-dma-mask-correctly.patch +arm-8901-1-add-a-criteria-for-pfn_valid-of-arm.patch +ibmvnic-do-not-process-reset-during-or-after-device-.patch +sky2-disable-msi-on-yet-another-asus-boards-p6xxxx.patch +i2c-designware-synchronize-irqs-when-unregistering-s.patch +perf-x86-intel-restrict-period-on-nehalem.patch +perf-x86-amd-ibs-fix-sample-bias-for-dispatched-micr.patch +amd-xgbe-fix-error-path-in-xgbe_mod_init.patch +tools-power-x86_energy_perf_policy-fix-uninitialized.patch +tools-power-x86_energy_perf_policy-fix-argument-pars.patch +tools-power-turbostat-fix-buffer-overrun.patch +net-aquantia-fix-out-of-memory-condition-on-rx-side.patch +net-seeq-fix-the-function-used-to-release-some-memor.patch +dmaengine-ti-dma-crossbar-fix-a-memory-leak-bug.patch +dmaengine-ti-omap-dma-add-cleanup-in-omap_dma_probe.patch +x86-uaccess-don-t-leak-the-ac-flags-into-__get_user-.patch +x86-hyper-v-fix-overflow-bug-in-fill_gva_list.patch +keys-fix-missing-null-pointer-check-in-request_key_a.patch +iommu-amd-flush-old-domains-in-kdump-kernel.patch +iommu-amd-fix-race-in-increase_address_space.patch diff --git a/queue-4.19/sky2-disable-msi-on-yet-another-asus-boards-p6xxxx.patch b/queue-4.19/sky2-disable-msi-on-yet-another-asus-boards-p6xxxx.patch new file mode 100644 index 00000000000..f74137b9f1d --- /dev/null +++ b/queue-4.19/sky2-disable-msi-on-yet-another-asus-boards-p6xxxx.patch @@ -0,0 +1,43 @@ +From fe2c164fe4966c76f4c76c537c548ea88ab47230 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Aug 2019 08:31:19 +0200 +Subject: sky2: Disable MSI on yet another ASUS boards (P6Xxxx) + +From: Takashi Iwai + +[ Upstream commit 189308d5823a089b56e2299cd96589507dac7319 ] + +A similar workaround for the suspend/resume problem is needed for yet +another ASUS machines, P6X models. Like the previous fix, the BIOS +doesn't provide the standard DMI_SYS_* entry, so again DMI_BOARD_* +entries are used instead. + +Reported-and-tested-by: SteveM +Signed-off-by: Takashi Iwai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/sky2.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c +index 4ade864c8d531..d013f30019b69 100644 +--- a/drivers/net/ethernet/marvell/sky2.c ++++ b/drivers/net/ethernet/marvell/sky2.c +@@ -4954,6 +4954,13 @@ static const struct dmi_system_id msi_blacklist[] = { + DMI_MATCH(DMI_BOARD_NAME, "P6T"), + }, + }, ++ { ++ .ident = "ASUS P6X", ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK Computer INC."), ++ DMI_MATCH(DMI_BOARD_NAME, "P6X"), ++ }, ++ }, + {} + }; + +-- +2.20.1 + diff --git a/queue-4.19/tools-bpftool-close-prog-fd-before-exit-on-showing-a.patch b/queue-4.19/tools-bpftool-close-prog-fd-before-exit-on-showing-a.patch new file mode 100644 index 00000000000..8bd824f6dc8 --- /dev/null +++ b/queue-4.19/tools-bpftool-close-prog-fd-before-exit-on-showing-a.patch @@ -0,0 +1,41 @@ +From 45be380e26e2319b0075a99cdcd9a5deb245ad1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Aug 2019 15:22:23 +0100 +Subject: tools: bpftool: close prog FD before exit on showing a single program + +From: Quentin Monnet + +[ Upstream commit d34b044038bfb0e19caa8b019910efc465f41d5f ] + +When showing metadata about a single program by invoking +"bpftool prog show PROG", the file descriptor referring to the program +is not closed before returning from the function. Let's close it. + +Fixes: 71bb428fe2c1 ("tools: bpf: add bpftool") +Signed-off-by: Quentin Monnet +Reviewed-by: Jakub Kicinski +Acked-by: Andrii Nakryiko +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/prog.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c +index bbba0d61570fe..4f9611af46422 100644 +--- a/tools/bpf/bpftool/prog.c ++++ b/tools/bpf/bpftool/prog.c +@@ -381,7 +381,9 @@ static int do_show(int argc, char **argv) + if (fd < 0) + return -1; + +- return show_prog(fd); ++ err = show_prog(fd); ++ close(fd); ++ return err; + } + + if (argc) +-- +2.20.1 + diff --git a/queue-4.19/tools-power-turbostat-fix-buffer-overrun.patch b/queue-4.19/tools-power-turbostat-fix-buffer-overrun.patch new file mode 100644 index 00000000000..439eb72400b --- /dev/null +++ b/queue-4.19/tools-power-turbostat-fix-buffer-overrun.patch @@ -0,0 +1,37 @@ +From 132077b784f456b0e6407132ee8849905b7e3b56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Apr 2019 16:02:14 +0900 +Subject: tools/power turbostat: fix buffer overrun + +From: Naoya Horiguchi + +[ Upstream commit eeb71c950bc6eee460f2070643ce137e067b234c ] + +turbostat could be terminated by general protection fault on some latest +hardwares which (for example) support 9 levels of C-states and show 18 +"tADDED" lines. That bloats the total output and finally causes buffer +overrun. So let's extend the buffer to avoid this. + +Signed-off-by: Naoya Horiguchi +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index fbb53c952b739..71cf7e77291ad 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -4953,7 +4953,7 @@ int initialize_counters(int cpu_id) + + void allocate_output_buffer() + { +- output_buffer = calloc(1, (1 + topo.num_cpus) * 1024); ++ output_buffer = calloc(1, (1 + topo.num_cpus) * 2048); + outp = output_buffer; + if (outp == NULL) + err(-1, "calloc output buffer"); +-- +2.20.1 + diff --git a/queue-4.19/tools-power-x86_energy_perf_policy-fix-argument-pars.patch b/queue-4.19/tools-power-x86_energy_perf_policy-fix-argument-pars.patch new file mode 100644 index 00000000000..b084067675a --- /dev/null +++ b/queue-4.19/tools-power-x86_energy_perf_policy-fix-argument-pars.patch @@ -0,0 +1,48 @@ +From 403f7d42daecff8b6a0997ab564d8f35142af8da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Feb 2019 05:25:48 -0800 +Subject: tools/power x86_energy_perf_policy: Fix argument parsing + +From: Zephaniah E. Loss-Cutler-Hull + +[ Upstream commit 03531482402a2bc4ab93cf6dde46833775e035e9 ] + +The -w argument in x86_energy_perf_policy currently triggers an +unconditional segfault. + +This is because the argument string reads: "+a:c:dD:E:e:f:m:M:rt:u:vw" and +yet the argument handler expects an argument. + +When parse_optarg_string is called with a null argument, we then proceed to +crash in strncmp, not horribly friendly. + +The man page describes -w as taking an argument, the long form +(--hwp-window) is correctly marked as taking a required argument, and the +code expects it. + +As such, this patch simply marks the short form (-w) as requiring an +argument. + +Signed-off-by: Zephaniah E. Loss-Cutler-Hull +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c b/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c +index bbef8bcf44d6d..2aba622d1c5aa 100644 +--- a/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c ++++ b/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c +@@ -546,7 +546,7 @@ void cmdline(int argc, char **argv) + + progname = argv[0]; + +- while ((opt = getopt_long_only(argc, argv, "+a:c:dD:E:e:f:m:M:rt:u:vw", ++ while ((opt = getopt_long_only(argc, argv, "+a:c:dD:E:e:f:m:M:rt:u:vw:", + long_options, &option_index)) != -1) { + switch (opt) { + case 'a': +-- +2.20.1 + diff --git a/queue-4.19/tools-power-x86_energy_perf_policy-fix-uninitialized.patch b/queue-4.19/tools-power-x86_energy_perf_policy-fix-uninitialized.patch new file mode 100644 index 00000000000..1bf9348b438 --- /dev/null +++ b/queue-4.19/tools-power-x86_energy_perf_policy-fix-uninitialized.patch @@ -0,0 +1,105 @@ +From 5553aa7c593d832243b7864e1c6af76dce85d4da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Sep 2018 16:05:53 +0100 +Subject: tools/power x86_energy_perf_policy: Fix "uninitialized variable" + warnings at -O2 + +From: Ben Hutchings + +[ Upstream commit adb8049097a9ec4acd09fbd3aa8636199a78df8a ] + +x86_energy_perf_policy first uses __get_cpuid() to check the maximum +CPUID level and exits if it is too low. It then assumes that later +calls will succeed (which I think is architecturally guaranteed). It +also assumes that CPUID works at all (which is not guaranteed on +x86_32). + +If optimisations are enabled, gcc warns about potentially +uninitialized variables. Fix this by adding an exit-on-error after +every call to __get_cpuid() instead of just checking the maximum +level. + +Signed-off-by: Ben Hutchings +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + .../x86_energy_perf_policy.c | 26 +++++++++++-------- + 1 file changed, 15 insertions(+), 11 deletions(-) + +diff --git a/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c b/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c +index 65bbe627a425f..bbef8bcf44d6d 100644 +--- a/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c ++++ b/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c +@@ -1260,6 +1260,15 @@ void probe_dev_msr(void) + if (system("/sbin/modprobe msr > /dev/null 2>&1")) + err(-5, "no /dev/cpu/0/msr, Try \"# modprobe msr\" "); + } ++ ++static void get_cpuid_or_exit(unsigned int leaf, ++ unsigned int *eax, unsigned int *ebx, ++ unsigned int *ecx, unsigned int *edx) ++{ ++ if (!__get_cpuid(leaf, eax, ebx, ecx, edx)) ++ errx(1, "Processor not supported\n"); ++} ++ + /* + * early_cpuid() + * initialize turbo_is_enabled, has_hwp, has_epb +@@ -1267,15 +1276,10 @@ void probe_dev_msr(void) + */ + void early_cpuid(void) + { +- unsigned int eax, ebx, ecx, edx, max_level; ++ unsigned int eax, ebx, ecx, edx; + unsigned int fms, family, model; + +- __get_cpuid(0, &max_level, &ebx, &ecx, &edx); +- +- if (max_level < 6) +- errx(1, "Processor not supported\n"); +- +- __get_cpuid(1, &fms, &ebx, &ecx, &edx); ++ get_cpuid_or_exit(1, &fms, &ebx, &ecx, &edx); + family = (fms >> 8) & 0xf; + model = (fms >> 4) & 0xf; + if (family == 6 || family == 0xf) +@@ -1289,7 +1293,7 @@ void early_cpuid(void) + bdx_highest_ratio = msr & 0xFF; + } + +- __get_cpuid(0x6, &eax, &ebx, &ecx, &edx); ++ get_cpuid_or_exit(0x6, &eax, &ebx, &ecx, &edx); + turbo_is_enabled = (eax >> 1) & 1; + has_hwp = (eax >> 7) & 1; + has_epb = (ecx >> 3) & 1; +@@ -1307,7 +1311,7 @@ void parse_cpuid(void) + + eax = ebx = ecx = edx = 0; + +- __get_cpuid(0, &max_level, &ebx, &ecx, &edx); ++ get_cpuid_or_exit(0, &max_level, &ebx, &ecx, &edx); + + if (ebx == 0x756e6547 && edx == 0x49656e69 && ecx == 0x6c65746e) + genuine_intel = 1; +@@ -1316,7 +1320,7 @@ void parse_cpuid(void) + fprintf(stderr, "CPUID(0): %.4s%.4s%.4s ", + (char *)&ebx, (char *)&edx, (char *)&ecx); + +- __get_cpuid(1, &fms, &ebx, &ecx, &edx); ++ get_cpuid_or_exit(1, &fms, &ebx, &ecx, &edx); + family = (fms >> 8) & 0xf; + model = (fms >> 4) & 0xf; + stepping = fms & 0xf; +@@ -1341,7 +1345,7 @@ void parse_cpuid(void) + errx(1, "CPUID: no MSR"); + + +- __get_cpuid(0x6, &eax, &ebx, &ecx, &edx); ++ get_cpuid_or_exit(0x6, &eax, &ebx, &ecx, &edx); + /* turbo_is_enabled already set */ + /* has_hwp already set */ + has_hwp_notify = eax & (1 << 8); +-- +2.20.1 + diff --git a/queue-4.19/usb-host-xhci-tegra-set-dma-mask-correctly.patch b/queue-4.19/usb-host-xhci-tegra-set-dma-mask-correctly.patch new file mode 100644 index 00000000000..67105420da1 --- /dev/null +++ b/queue-4.19/usb-host-xhci-tegra-set-dma-mask-correctly.patch @@ -0,0 +1,57 @@ +From 2605d21850a7871e664a8f3adb5ac3d6a1ba455e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Aug 2019 16:24:57 +0530 +Subject: usb: host: xhci-tegra: Set DMA mask correctly + +From: Nagarjuna Kristam + +[ Upstream commit 993cc8753453fccfe060a535bbe21fcf1001b626 ] + +The Falcon microcontroller that runs the XUSB firmware and which is +responsible for exposing the XHCI interface can address only 40 bits of +memory. Typically that's not a problem because Tegra devices don't have +enough system memory to exceed those 40 bits. + +However, if the ARM SMMU is enable on Tegra186 and later, the addresses +passed to the XUSB controller can be anywhere in the 48-bit IOV address +space of the ARM SMMU. Since the DMA/IOMMU API starts allocating from +the top of the IOVA space, the Falcon microcontroller is not able to +load the firmware successfully. + +Fix this by setting the DMA mask to 40 bits, which will force the DMA +API to map the buffer for the firmware to an IOVA that is addressable by +the Falcon. + +Signed-off-by: Nagarjuna Kristam +Signed-off-by: Thierry Reding +Link: https://lore.kernel.org/r/1566989697-13049-1-git-send-email-nkristam@nvidia.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-tegra.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/usb/host/xhci-tegra.c b/drivers/usb/host/xhci-tegra.c +index b1cce989bd123..fe37dacc695fc 100644 +--- a/drivers/usb/host/xhci-tegra.c ++++ b/drivers/usb/host/xhci-tegra.c +@@ -1148,6 +1148,16 @@ static int tegra_xusb_probe(struct platform_device *pdev) + + tegra_xusb_ipfs_config(tegra, regs); + ++ /* ++ * The XUSB Falcon microcontroller can only address 40 bits, so set ++ * the DMA mask accordingly. ++ */ ++ err = dma_set_mask_and_coherent(tegra->dev, DMA_BIT_MASK(40)); ++ if (err < 0) { ++ dev_err(&pdev->dev, "failed to set DMA mask: %d\n", err); ++ goto put_rpm; ++ } ++ + err = tegra_xusb_load_firmware(tegra); + if (err < 0) { + dev_err(&pdev->dev, "failed to load firmware: %d\n", err); +-- +2.20.1 + diff --git a/queue-4.19/x86-apic-fix-arch_dynirq_lower_bound-bug-for-dt-enab.patch b/queue-4.19/x86-apic-fix-arch_dynirq_lower_bound-bug-for-dt-enab.patch new file mode 100644 index 00000000000..a20707e31c4 --- /dev/null +++ b/queue-4.19/x86-apic-fix-arch_dynirq_lower_bound-bug-for-dt-enab.patch @@ -0,0 +1,71 @@ +From 73080bdf239225983a59dfb20ff2b763319dae77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Aug 2019 15:16:31 +0200 +Subject: x86/apic: Fix arch_dynirq_lower_bound() bug for DT enabled machines + +From: Thomas Gleixner + +[ Upstream commit 3e5bedc2c258341702ddffbd7688c5e6eb01eafa ] + +Rahul Tanwar reported the following bug on DT systems: + +> 'ioapic_dynirq_base' contains the virtual IRQ base number. Presently, it is +> updated to the end of hardware IRQ numbers but this is done only when IOAPIC +> configuration type is IOAPIC_DOMAIN_LEGACY or IOAPIC_DOMAIN_STRICT. There is +> a third type IOAPIC_DOMAIN_DYNAMIC which applies when IOAPIC configuration +> comes from devicetree. +> +> See dtb_add_ioapic() in arch/x86/kernel/devicetree.c +> +> In case of IOAPIC_DOMAIN_DYNAMIC (DT/OF based system), 'ioapic_dynirq_base' +> remains to zero initialized value. This means that for OF based systems, +> virtual IRQ base will get set to zero. + +Such systems will very likely not even boot. + +For DT enabled machines ioapic_dynirq_base is irrelevant and not +updated, so simply map the IRQ base 1:1 instead. + +Reported-by: Rahul Tanwar +Tested-by: Rahul Tanwar +Tested-by: Andy Shevchenko +Signed-off-by: Thomas Gleixner +Cc: Alexander Shishkin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: alan@linux.intel.com +Cc: bp@alien8.de +Cc: cheol.yong.kim@intel.com +Cc: qi-ming.wu@intel.com +Cc: rahul.tanwar@intel.com +Cc: rppt@linux.ibm.com +Cc: tony.luck@intel.com +Link: http://lkml.kernel.org/r/20190821081330.1187-1-rahul.tanwar@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/apic/io_apic.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c +index 4077e309e5c4c..ab22eded61d25 100644 +--- a/arch/x86/kernel/apic/io_apic.c ++++ b/arch/x86/kernel/apic/io_apic.c +@@ -2432,7 +2432,13 @@ unsigned int arch_dynirq_lower_bound(unsigned int from) + * dmar_alloc_hwirq() may be called before setup_IO_APIC(), so use + * gsi_top if ioapic_dynirq_base hasn't been initialized yet. + */ +- return ioapic_initialized ? ioapic_dynirq_base : gsi_top; ++ if (!ioapic_initialized) ++ return gsi_top; ++ /* ++ * For DT enabled machines ioapic_dynirq_base is irrelevant and not ++ * updated. So simply return @from if ioapic_dynirq_base == 0. ++ */ ++ return ioapic_dynirq_base ? : from; + } + + #ifdef CONFIG_X86_32 +-- +2.20.1 + diff --git a/queue-4.19/x86-hyper-v-fix-overflow-bug-in-fill_gva_list.patch b/queue-4.19/x86-hyper-v-fix-overflow-bug-in-fill_gva_list.patch new file mode 100644 index 00000000000..db6241e4d77 --- /dev/null +++ b/queue-4.19/x86-hyper-v-fix-overflow-bug-in-fill_gva_list.patch @@ -0,0 +1,58 @@ +From eb4a46e9f519e9a19022438a475a33abf31c7685 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2019 20:41:43 +0800 +Subject: x86/hyper-v: Fix overflow bug in fill_gva_list() + +From: Tianyu Lan + +[ Upstream commit 4030b4c585c41eeefec7bd20ce3d0e100a0f2e4d ] + +When the 'start' parameter is >= 0xFF000000 on 32-bit +systems, or >= 0xFFFFFFFF'FF000000 on 64-bit systems, +fill_gva_list() gets into an infinite loop. + +With such inputs, 'cur' overflows after adding HV_TLB_FLUSH_UNIT +and always compares as less than end. Memory is filled with +guest virtual addresses until the system crashes. + +Fix this by never incrementing 'cur' to be larger than 'end'. + +Reported-by: Jong Hyun Park +Signed-off-by: Tianyu Lan +Reviewed-by: Michael Kelley +Cc: Borislav Petkov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 2ffd9e33ce4a ("x86/hyper-v: Use hypercall for remote TLB flush") +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/hyperv/mmu.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/hyperv/mmu.c b/arch/x86/hyperv/mmu.c +index ef5f29f913d7b..2f34d52753526 100644 +--- a/arch/x86/hyperv/mmu.c ++++ b/arch/x86/hyperv/mmu.c +@@ -37,12 +37,14 @@ static inline int fill_gva_list(u64 gva_list[], int offset, + * Lower 12 bits encode the number of additional + * pages to flush (in addition to the 'cur' page). + */ +- if (diff >= HV_TLB_FLUSH_UNIT) ++ if (diff >= HV_TLB_FLUSH_UNIT) { + gva_list[gva_n] |= ~PAGE_MASK; +- else if (diff) ++ cur += HV_TLB_FLUSH_UNIT; ++ } else if (diff) { + gva_list[gva_n] |= (diff - 1) >> PAGE_SHIFT; ++ cur = end; ++ } + +- cur += HV_TLB_FLUSH_UNIT; + gva_n++; + + } while (cur < end); +-- +2.20.1 + diff --git a/queue-4.19/x86-uaccess-don-t-leak-the-ac-flags-into-__get_user-.patch b/queue-4.19/x86-uaccess-don-t-leak-the-ac-flags-into-__get_user-.patch new file mode 100644 index 00000000000..a7f989fe372 --- /dev/null +++ b/queue-4.19/x86-uaccess-don-t-leak-the-ac-flags-into-__get_user-.patch @@ -0,0 +1,58 @@ +From ffb7129dba72638e556db51c16a540cd94c74d69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2019 10:24:45 +0200 +Subject: x86/uaccess: Don't leak the AC flags into __get_user() argument + evaluation + +From: Peter Zijlstra + +[ Upstream commit 9b8bd476e78e89c9ea26c3b435ad0201c3d7dbf5 ] + +Identical to __put_user(); the __get_user() argument evalution will too +leak UBSAN crud into the __uaccess_begin() / __uaccess_end() region. +While uncommon this was observed to happen for: + + drivers/xen/gntdev.c: if (__get_user(old_status, batch->status[i])) + +where UBSAN added array bound checking. + +This complements commit: + + 6ae865615fc4 ("x86/uaccess: Dont leak the AC flag into __put_user() argument evaluation") + +Tested-by Sedat Dilek +Reported-by: Randy Dunlap +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Josh Poimboeuf +Reviewed-by: Thomas Gleixner +Cc: broonie@kernel.org +Cc: sfr@canb.auug.org.au +Cc: akpm@linux-foundation.org +Cc: Randy Dunlap +Cc: mhocko@suse.cz +Cc: Josh Poimboeuf +Link: https://lkml.kernel.org/r/20190829082445.GM2369@hirez.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/uaccess.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h +index 4111edb3188e2..9718303410614 100644 +--- a/arch/x86/include/asm/uaccess.h ++++ b/arch/x86/include/asm/uaccess.h +@@ -451,8 +451,10 @@ do { \ + ({ \ + int __gu_err; \ + __inttype(*(ptr)) __gu_val; \ ++ __typeof__(ptr) __gu_ptr = (ptr); \ ++ __typeof__(size) __gu_size = (size); \ + __uaccess_begin_nospec(); \ +- __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \ ++ __get_user_size(__gu_val, __gu_ptr, __gu_size, __gu_err, -EFAULT); \ + __uaccess_end(); \ + (x) = (__force __typeof__(*(ptr)))__gu_val; \ + __builtin_expect(__gu_err, 0); \ +-- +2.20.1 + diff --git a/queue-4.19/xdp-unpin-xdp-umem-pages-in-error-path.patch b/queue-4.19/xdp-unpin-xdp-umem-pages-in-error-path.patch new file mode 100644 index 00000000000..ebaf848156f --- /dev/null +++ b/queue-4.19/xdp-unpin-xdp-umem-pages-in-error-path.patch @@ -0,0 +1,45 @@ +From dd5c1102591291cc3117c287d3a84863d77047e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Aug 2019 23:56:35 +0300 +Subject: xdp: unpin xdp umem pages in error path + +From: Ivan Khoronzhuk + +[ Upstream commit fb89c39455e4b49881c5a42761bd71f03d3ef888 ] + +Fix mem leak caused by missed unpin routine for umem pages. + +Fixes: 8aef7340ae9695 ("xsk: introduce xdp_umem_page") +Signed-off-by: Ivan Khoronzhuk +Acked-by: Jonathan Lemon +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + net/xdp/xdp_umem.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c +index a3b037fbfecde..8cab91c482ff5 100644 +--- a/net/xdp/xdp_umem.c ++++ b/net/xdp/xdp_umem.c +@@ -322,7 +322,7 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr) + umem->pages = kcalloc(umem->npgs, sizeof(*umem->pages), GFP_KERNEL); + if (!umem->pages) { + err = -ENOMEM; +- goto out_account; ++ goto out_pin; + } + + for (i = 0; i < umem->npgs; i++) +@@ -330,6 +330,8 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr) + + return 0; + ++out_pin: ++ xdp_umem_unpin_pages(umem); + out_account: + xdp_umem_unaccount_pages(umem); + return err; +-- +2.20.1 +