From: Greg Kroah-Hartman Date: Wed, 28 Nov 2018 10:46:25 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.19.6~59 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dc8c7189d923a5328af94842dfa1a5ee10981509;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: alsa-oss-use-kvzalloc-for-local-buffer-allocations.patch bfs-add-sanity-check-at-bfs_fill_super.patch brcmfmac-fix-reporting-support-for-160-mhz-channels.patch can-dev-__can_get_echo_skb-don-t-crash-the-kernel-if-can_priv-echo_skb-is-accessed-out-of-bounds.patch can-dev-__can_get_echo_skb-print-error-message-if-trying-to-echo-non-existing-skb.patch can-dev-__can_get_echo_skb-replace-struct-can_frame-by-canfd_frame-to-access-frame-length.patch can-dev-can_get_echo_skb-factor-out-non-sending-code-to-__can_get_echo_skb.patch can-flexcan-handle-tx-complete-can-frames-via-rx-offload-infrastructure.patch can-flexcan-use-can_rx_offload_queue_sorted-for-flexcan_irq_bus_.patch can-hi311x-use-level-triggered-interrupt.patch can-raw-check-for-can-fd-capable-netdev-in-raw_sendmsg.patch can-rx-offload-introduce-can_rx_offload_get_echo_skb-and-can_rx_offload_queue_sorted-functions.patch can-rx-offload-rename-can_rx_offload_irq_queue_err_skb-to-can_rx_offload_queue_tail.patch drm-ast-change-resolution-may-cause-screen-blurred.patch drm-ast-fixed-cursor-may-disappear-sometimes.patch drm-ast-remove-existing-framebuffers-before-loading-driver.patch drm-i915-disable-lp3-watermarks-on-all-snb-machines.patch gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch gpio-don-t-free-unallocated-ida-on-gpiochip_add_data_with_key-error-path.patch input-synaptics-avoid-using-uninitialized-variable-when-probing.patch iwlwifi-mvm-don-t-use-sar-geo-if-basic-sar-is-not-used.patch iwlwifi-mvm-fix-regulatory-domain-update-when-the-firmware-starts.patch iwlwifi-mvm-support-sta_statistics-even-on-older-firmware.patch llc-do-not-use-sk_eat_skb.patch maintainers-add-sasha-as-a-stable-branch-maintainer.patch mm-don-t-warn-about-large-allocations-for-slab.patch mm-memory.c-recheck-page-table-entry-with-page-table-lock-held.patch mmc-sdhci-pci-try-cd-for-card-detect-lookup-before-using-null.patch sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch selinux-add-__gfp_nowarn-to-allocation-at-str_read.patch tcp-do-not-release-socket-ownership-in-tcp_close.patch tools-power-cpupower-fix-compilation-with-static-true.patch usb-core-fix-hub-port-connection-events-lost.patch usb-dwc3-core-clean-up-ulpi-device.patch usb-dwc3-gadget-fix-isoc-trb-type-on-unaligned-transfers.patch usb-dwc3-gadget-properly-check-last-unaligned-zero-chain-trb.patch usb-xhci-fix-timeout-for-transition-from-rexit-to-u0.patch v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch xhci-add-check-for-invalid-byte-size-error-when-uas-devices-are-connected.patch --- diff --git a/queue-4.14/alsa-oss-use-kvzalloc-for-local-buffer-allocations.patch b/queue-4.14/alsa-oss-use-kvzalloc-for-local-buffer-allocations.patch new file mode 100644 index 00000000000..d2a62409b56 --- /dev/null +++ b/queue-4.14/alsa-oss-use-kvzalloc-for-local-buffer-allocations.patch @@ -0,0 +1,73 @@ +From 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 9 Nov 2018 11:59:45 +0100 +Subject: ALSA: oss: Use kvzalloc() for local buffer allocations + +From: Takashi Iwai + +commit 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 upstream. + +PCM OSS layer may allocate a few temporary buffers, one for the core +read/write and another for the conversions via plugins. Currently +both are allocated via vmalloc(). But as the allocation size is +equivalent with the PCM period size, the required size might be quite +small, depending on the application. + +This patch replaces these vmalloc() calls with kvzalloc() for covering +small period sizes better. Also, we use "z"-alloc variant here for +addressing the possible uninitialized access reported by syzkaller. + +Reported-by: syzbot+1cb36954e127c98dd037@syzkaller.appspotmail.com +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/oss/pcm_oss.c | 6 +++--- + sound/core/oss/pcm_plugin.c | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -1062,8 +1062,8 @@ static int snd_pcm_oss_change_params_loc + runtime->oss.channels = params_channels(params); + runtime->oss.rate = params_rate(params); + +- vfree(runtime->oss.buffer); +- runtime->oss.buffer = vmalloc(runtime->oss.period_bytes); ++ kvfree(runtime->oss.buffer); ++ runtime->oss.buffer = kvzalloc(runtime->oss.period_bytes, GFP_KERNEL); + if (!runtime->oss.buffer) { + err = -ENOMEM; + goto failure; +@@ -2328,7 +2328,7 @@ static void snd_pcm_oss_release_substrea + { + struct snd_pcm_runtime *runtime; + runtime = substream->runtime; +- vfree(runtime->oss.buffer); ++ kvfree(runtime->oss.buffer); + runtime->oss.buffer = NULL; + #ifdef CONFIG_SND_PCM_OSS_PLUGINS + snd_pcm_oss_plugin_clear(substream); +--- a/sound/core/oss/pcm_plugin.c ++++ b/sound/core/oss/pcm_plugin.c +@@ -66,8 +66,8 @@ static int snd_pcm_plugin_alloc(struct s + return -ENXIO; + size /= 8; + if (plugin->buf_frames < frames) { +- vfree(plugin->buf); +- plugin->buf = vmalloc(size); ++ kvfree(plugin->buf); ++ plugin->buf = kvzalloc(size, GFP_KERNEL); + plugin->buf_frames = frames; + } + if (!plugin->buf) { +@@ -191,7 +191,7 @@ int snd_pcm_plugin_free(struct snd_pcm_p + if (plugin->private_free) + plugin->private_free(plugin); + kfree(plugin->buf_channels); +- vfree(plugin->buf); ++ kvfree(plugin->buf); + kfree(plugin); + return 0; + } diff --git a/queue-4.14/bfs-add-sanity-check-at-bfs_fill_super.patch b/queue-4.14/bfs-add-sanity-check-at-bfs_fill_super.patch new file mode 100644 index 00000000000..258112bfddf --- /dev/null +++ b/queue-4.14/bfs-add-sanity-check-at-bfs_fill_super.patch @@ -0,0 +1,57 @@ +From 9f2df09a33aa2c76ce6385d382693f98d7f2f07e Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Fri, 2 Nov 2018 15:48:42 -0700 +Subject: bfs: add sanity check at bfs_fill_super() + +From: Tetsuo Handa + +commit 9f2df09a33aa2c76ce6385d382693f98d7f2f07e upstream. + +syzbot is reporting too large memory allocation at bfs_fill_super() [1]. +Since file system image is corrupted such that bfs_sb->s_start == 0, +bfs_fill_super() is trying to allocate 8MB of continuous memory. Fix +this by adding a sanity check on bfs_sb->s_start, __GFP_NOWARN and +printf(). + +[1] https://syzkaller.appspot.com/bug?id=16a87c236b951351374a84c8a32f40edbc034e96 + +Link: http://lkml.kernel.org/r/1525862104-3407-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Reviewed-by: Andrew Morton +Cc: Tigran Aivazian +Cc: Matthew Wilcox +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/bfs/inode.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/fs/bfs/inode.c ++++ b/fs/bfs/inode.c +@@ -350,7 +350,8 @@ static int bfs_fill_super(struct super_b + + s->s_magic = BFS_MAGIC; + +- if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end)) { ++ if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end) || ++ le32_to_cpu(bfs_sb->s_start) < BFS_BSIZE) { + printf("Superblock is corrupted\n"); + goto out1; + } +@@ -359,9 +360,11 @@ static int bfs_fill_super(struct super_b + sizeof(struct bfs_inode) + + BFS_ROOT_INO - 1; + imap_len = (info->si_lasti / 8) + 1; +- info->si_imap = kzalloc(imap_len, GFP_KERNEL); +- if (!info->si_imap) ++ info->si_imap = kzalloc(imap_len, GFP_KERNEL | __GFP_NOWARN); ++ if (!info->si_imap) { ++ printf("Cannot allocate %u bytes\n", imap_len); + goto out1; ++ } + for (i = 0; i < BFS_ROOT_INO; i++) + set_bit(i, info->si_imap); + diff --git a/queue-4.14/brcmfmac-fix-reporting-support-for-160-mhz-channels.patch b/queue-4.14/brcmfmac-fix-reporting-support-for-160-mhz-channels.patch new file mode 100644 index 00000000000..919381b3c7e --- /dev/null +++ b/queue-4.14/brcmfmac-fix-reporting-support-for-160-mhz-channels.patch @@ -0,0 +1,41 @@ +From d1fe6ad6f6bd61c84788d3a7b11e459a439c6169 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= +Date: Thu, 8 Nov 2018 16:08:29 +0100 +Subject: brcmfmac: fix reporting support for 160 MHz channels +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +commit d1fe6ad6f6bd61c84788d3a7b11e459a439c6169 upstream. + +Driver can report IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ so it's +important to provide valid & complete info about supported bands for +each channel. By default no support for 160 MHz should be assumed unless +firmware reports it for a given channel later. + +This fixes info passed to the userspace. Without that change userspace +could try to use invalid channel and fail to start an interface. + +Signed-off-by: Rafał Miłecki +Cc: stable@vger.kernel.org +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -6098,7 +6098,8 @@ static int brcmf_construct_chaninfo(stru + * for subsequent chanspecs. + */ + channel->flags = IEEE80211_CHAN_NO_HT40 | +- IEEE80211_CHAN_NO_80MHZ; ++ IEEE80211_CHAN_NO_80MHZ | ++ IEEE80211_CHAN_NO_160MHZ; + ch.bw = BRCMU_CHAN_BW_20; + cfg->d11inf.encchspec(&ch); + chaninfo = ch.chspec; diff --git a/queue-4.14/can-dev-__can_get_echo_skb-don-t-crash-the-kernel-if-can_priv-echo_skb-is-accessed-out-of-bounds.patch b/queue-4.14/can-dev-__can_get_echo_skb-don-t-crash-the-kernel-if-can_priv-echo_skb-is-accessed-out-of-bounds.patch new file mode 100644 index 00000000000..fb95202f1d0 --- /dev/null +++ b/queue-4.14/can-dev-__can_get_echo_skb-don-t-crash-the-kernel-if-can_priv-echo_skb-is-accessed-out-of-bounds.patch @@ -0,0 +1,36 @@ +From e7a6994d043a1e31d5b17706a22ce33d2a3e4cdc Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Wed, 31 Oct 2018 14:05:26 +0100 +Subject: can: dev: __can_get_echo_skb(): Don't crash the kernel if can_priv::echo_skb is accessed out of bounds + +From: Marc Kleine-Budde + +commit e7a6994d043a1e31d5b17706a22ce33d2a3e4cdc upstream. + +If the "struct can_priv::echo_skb" is accessed out of bounds would lead +to a kernel crash. Better print a sensible warning message instead and +try to recover. + +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/dev.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -480,7 +480,11 @@ struct sk_buff *__can_get_echo_skb(struc + { + struct can_priv *priv = netdev_priv(dev); + +- BUG_ON(idx >= priv->echo_skb_max); ++ if (idx >= priv->echo_skb_max) { ++ netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n", ++ __func__, idx, priv->echo_skb_max); ++ return NULL; ++ } + + if (priv->echo_skb[idx]) { + /* Using "struct canfd_frame::len" for the frame diff --git a/queue-4.14/can-dev-__can_get_echo_skb-print-error-message-if-trying-to-echo-non-existing-skb.patch b/queue-4.14/can-dev-__can_get_echo_skb-print-error-message-if-trying-to-echo-non-existing-skb.patch new file mode 100644 index 00000000000..e9eb9f0e11d --- /dev/null +++ b/queue-4.14/can-dev-__can_get_echo_skb-print-error-message-if-trying-to-echo-non-existing-skb.patch @@ -0,0 +1,70 @@ +From 7da11ba5c5066dadc2e96835a6233d56d7b7764a Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Wed, 31 Oct 2018 14:15:13 +0100 +Subject: can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb + +From: Marc Kleine-Budde + +commit 7da11ba5c5066dadc2e96835a6233d56d7b7764a upstream. + +Prior to echoing a successfully transmitted CAN frame (by calling +can_get_echo_skb()), CAN drivers have to put the CAN frame (by calling +can_put_echo_skb() in the transmit function). These put and get function +take an index as parameter, which is used to identify the CAN frame. + +A driver calling can_get_echo_skb() with a index not pointing to a skb +is a BUG, so add an appropriate error message. + +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/dev.c | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -479,6 +479,8 @@ EXPORT_SYMBOL_GPL(can_put_echo_skb); + struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr) + { + struct can_priv *priv = netdev_priv(dev); ++ struct sk_buff *skb = priv->echo_skb[idx]; ++ struct canfd_frame *cf; + + if (idx >= priv->echo_skb_max) { + netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n", +@@ -486,21 +488,20 @@ struct sk_buff *__can_get_echo_skb(struc + return NULL; + } + +- if (priv->echo_skb[idx]) { +- /* Using "struct canfd_frame::len" for the frame +- * length is supported on both CAN and CANFD frames. +- */ +- struct sk_buff *skb = priv->echo_skb[idx]; +- struct canfd_frame *cf = (struct canfd_frame *)skb->data; +- u8 len = cf->len; +- +- *len_ptr = len; +- priv->echo_skb[idx] = NULL; +- +- return skb; ++ if (!skb) { ++ netdev_err(dev, "%s: BUG! Trying to echo non existing skb: can_priv::echo_skb[%u]\n", ++ __func__, idx); ++ return NULL; + } + +- return NULL; ++ /* Using "struct canfd_frame::len" for the frame ++ * length is supported on both CAN and CANFD frames. ++ */ ++ cf = (struct canfd_frame *)skb->data; ++ *len_ptr = cf->len; ++ priv->echo_skb[idx] = NULL; ++ ++ return skb; + } + + /* diff --git a/queue-4.14/can-dev-__can_get_echo_skb-replace-struct-can_frame-by-canfd_frame-to-access-frame-length.patch b/queue-4.14/can-dev-__can_get_echo_skb-replace-struct-can_frame-by-canfd_frame-to-access-frame-length.patch new file mode 100644 index 00000000000..20d6d9b2895 --- /dev/null +++ b/queue-4.14/can-dev-__can_get_echo_skb-replace-struct-can_frame-by-canfd_frame-to-access-frame-length.patch @@ -0,0 +1,43 @@ +From 200f5c49f7a2cd694436bfc6cb0662b794c96736 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Wed, 31 Oct 2018 11:08:21 +0100 +Subject: can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length + +From: Marc Kleine-Budde + +commit 200f5c49f7a2cd694436bfc6cb0662b794c96736 upstream. + +This patch replaces the use of "struct can_frame::can_dlc" by "struct +canfd_frame::len" to access the frame's length. As it is ensured that +both structures have a compatible memory layout for this member this is +no functional change. Futher, this compatibility is documented in a +comment. + +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/dev.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -483,11 +483,14 @@ struct sk_buff *__can_get_echo_skb(struc + BUG_ON(idx >= priv->echo_skb_max); + + if (priv->echo_skb[idx]) { ++ /* Using "struct canfd_frame::len" for the frame ++ * length is supported on both CAN and CANFD frames. ++ */ + struct sk_buff *skb = priv->echo_skb[idx]; +- struct can_frame *cf = (struct can_frame *)skb->data; +- u8 dlc = cf->can_dlc; ++ struct canfd_frame *cf = (struct canfd_frame *)skb->data; ++ u8 len = cf->len; + +- *len_ptr = dlc; ++ *len_ptr = len; + priv->echo_skb[idx] = NULL; + + return skb; diff --git a/queue-4.14/can-dev-can_get_echo_skb-factor-out-non-sending-code-to-__can_get_echo_skb.patch b/queue-4.14/can-dev-can_get_echo_skb-factor-out-non-sending-code-to-__can_get_echo_skb.patch new file mode 100644 index 00000000000..8d2567abd0b --- /dev/null +++ b/queue-4.14/can-dev-can_get_echo_skb-factor-out-non-sending-code-to-__can_get_echo_skb.patch @@ -0,0 +1,88 @@ +From a4310fa2f24687888ce80fdb0e88583561a23700 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Wed, 31 Oct 2018 10:37:46 +0100 +Subject: can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb() + +From: Marc Kleine-Budde + +commit a4310fa2f24687888ce80fdb0e88583561a23700 upstream. + +This patch factors out all non sending parts of can_get_echo_skb() into +a seperate function __can_get_echo_skb(), so that it can be re-used in +an upcoming patch. + +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/dev.c | 36 +++++++++++++++++++++++++----------- + include/linux/can/dev.h | 1 + + 2 files changed, 26 insertions(+), 11 deletions(-) + +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -476,14 +476,7 @@ void can_put_echo_skb(struct sk_buff *sk + } + EXPORT_SYMBOL_GPL(can_put_echo_skb); + +-/* +- * Get the skb from the stack and loop it back locally +- * +- * The function is typically called when the TX done interrupt +- * is handled in the device driver. The driver must protect +- * access to priv->echo_skb, if necessary. +- */ +-unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx) ++struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr) + { + struct can_priv *priv = netdev_priv(dev); + +@@ -494,13 +487,34 @@ unsigned int can_get_echo_skb(struct net + struct can_frame *cf = (struct can_frame *)skb->data; + u8 dlc = cf->can_dlc; + +- netif_rx(priv->echo_skb[idx]); ++ *len_ptr = dlc; + priv->echo_skb[idx] = NULL; + +- return dlc; ++ return skb; + } + +- return 0; ++ return NULL; ++} ++ ++/* ++ * Get the skb from the stack and loop it back locally ++ * ++ * The function is typically called when the TX done interrupt ++ * is handled in the device driver. The driver must protect ++ * access to priv->echo_skb, if necessary. ++ */ ++unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx) ++{ ++ struct sk_buff *skb; ++ u8 len; ++ ++ skb = __can_get_echo_skb(dev, idx, &len); ++ if (!skb) ++ return 0; ++ ++ netif_rx(skb); ++ ++ return len; + } + EXPORT_SYMBOL_GPL(can_get_echo_skb); + +--- a/include/linux/can/dev.h ++++ b/include/linux/can/dev.h +@@ -163,6 +163,7 @@ void can_change_state(struct net_device + + void can_put_echo_skb(struct sk_buff *skb, struct net_device *dev, + unsigned int idx); ++struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr); + unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx); + void can_free_echo_skb(struct net_device *dev, unsigned int idx); + diff --git a/queue-4.14/can-flexcan-handle-tx-complete-can-frames-via-rx-offload-infrastructure.patch b/queue-4.14/can-flexcan-handle-tx-complete-can-frames-via-rx-offload-infrastructure.patch new file mode 100644 index 00000000000..e9a68775b8e --- /dev/null +++ b/queue-4.14/can-flexcan-handle-tx-complete-can-frames-via-rx-offload-infrastructure.patch @@ -0,0 +1,39 @@ +From ed72bc8bcb9277061e753faf300b20f97323761c Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Tue, 18 Sep 2018 11:40:39 +0200 +Subject: can: flexcan: handle tx-complete CAN frames via rx-offload infrastructure + +From: Oleksij Rempel + +commit ed72bc8bcb9277061e753faf300b20f97323761c upstream. + +Current flexcan driver will put TX-ECHO in regular unsorted way, in +this case TX-ECHO can come after the response to the same TXed message. +In some cases, for example for J1939 stack, things will break. +This patch is using new rx-offload API to put the messages just in the +right place. + +Signed-off-by: Oleksij Rempel +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/flexcan.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/flexcan.c ++++ b/drivers/net/can/flexcan.c +@@ -775,8 +775,11 @@ static irqreturn_t flexcan_irq(int irq, + + /* transmission complete interrupt */ + if (reg_iflag1 & FLEXCAN_IFLAG_MB(priv->tx_mb_idx)) { ++ u32 reg_ctrl = priv->read(®s->mb[FLEXCAN_TX_MB].can_ctrl); ++ + handled = IRQ_HANDLED; +- stats->tx_bytes += can_get_echo_skb(dev, 0); ++ stats->tx_bytes += can_rx_offload_get_echo_skb(&priv->offload, ++ 0, reg_ctrl << 16); + stats->tx_packets++; + can_led_event(dev, CAN_LED_EVENT_TX); + diff --git a/queue-4.14/can-flexcan-use-can_rx_offload_queue_sorted-for-flexcan_irq_bus_.patch b/queue-4.14/can-flexcan-use-can_rx_offload_queue_sorted-for-flexcan_irq_bus_.patch new file mode 100644 index 00000000000..5e40aa2e37f --- /dev/null +++ b/queue-4.14/can-flexcan-use-can_rx_offload_queue_sorted-for-flexcan_irq_bus_.patch @@ -0,0 +1,70 @@ +From d788905f68fd4714c82936f6f7f1d3644d7ae7ef Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Tue, 18 Sep 2018 11:40:41 +0200 +Subject: can: flexcan: use can_rx_offload_queue_sorted() for flexcan_irq_bus_*() + +From: Oleksij Rempel + +commit d788905f68fd4714c82936f6f7f1d3644d7ae7ef upstream. + +Currently, in case of bus error, driver will generate error message and put +in the tail of the message queue. To avoid confusions, this change should +place the bus related messages in proper order. + +Signed-off-by: Oleksij Rempel +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/flexcan.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/net/can/flexcan.c ++++ b/drivers/net/can/flexcan.c +@@ -550,9 +550,13 @@ static int flexcan_start_xmit(struct sk_ + static void flexcan_irq_bus_err(struct net_device *dev, u32 reg_esr) + { + struct flexcan_priv *priv = netdev_priv(dev); ++ struct flexcan_regs __iomem *regs = priv->regs; + struct sk_buff *skb; + struct can_frame *cf; + bool rx_errors = false, tx_errors = false; ++ u32 timestamp; ++ ++ timestamp = priv->read(®s->timer) << 16; + + skb = alloc_can_err_skb(dev, &cf); + if (unlikely(!skb)) +@@ -599,17 +603,21 @@ static void flexcan_irq_bus_err(struct n + if (tx_errors) + dev->stats.tx_errors++; + +- can_rx_offload_queue_tail(&priv->offload, skb); ++ can_rx_offload_queue_sorted(&priv->offload, skb, timestamp); + } + + static void flexcan_irq_state(struct net_device *dev, u32 reg_esr) + { + struct flexcan_priv *priv = netdev_priv(dev); ++ struct flexcan_regs __iomem *regs = priv->regs; + struct sk_buff *skb; + struct can_frame *cf; + enum can_state new_state, rx_state, tx_state; + int flt; + struct can_berr_counter bec; ++ u32 timestamp; ++ ++ timestamp = priv->read(®s->timer) << 16; + + flt = reg_esr & FLEXCAN_ESR_FLT_CONF_MASK; + if (likely(flt == FLEXCAN_ESR_FLT_CONF_ACTIVE)) { +@@ -639,7 +647,7 @@ static void flexcan_irq_state(struct net + if (unlikely(new_state == CAN_STATE_BUS_OFF)) + can_bus_off(dev); + +- can_rx_offload_queue_tail(&priv->offload, skb); ++ can_rx_offload_queue_sorted(&priv->offload, skb, timestamp); + } + + static inline struct flexcan_priv *rx_offload_to_priv(struct can_rx_offload *offload) diff --git a/queue-4.14/can-hi311x-use-level-triggered-interrupt.patch b/queue-4.14/can-hi311x-use-level-triggered-interrupt.patch new file mode 100644 index 00000000000..e611c2b3dd7 --- /dev/null +++ b/queue-4.14/can-hi311x-use-level-triggered-interrupt.patch @@ -0,0 +1,59 @@ +From f164d0204b1156a7e0d8d1622c1a8d25752befec Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Sat, 27 Oct 2018 10:36:54 +0200 +Subject: can: hi311x: Use level-triggered interrupt + +From: Lukas Wunner + +commit f164d0204b1156a7e0d8d1622c1a8d25752befec upstream. + +If the hi3110 shares the SPI bus with another traffic-intensive device +and packets are received in high volume (by a separate machine sending +with "cangen -g 0 -i -x"), reception stops after a few minutes and the +counter in /proc/interrupts stops incrementing. Bus state is "active". +Bringing the interface down and back up reconvenes the reception. The +issue is not observed when the hi3110 is the sole device on the SPI bus. + +Using a level-triggered interrupt makes the issue go away and lets the +hi3110 successfully receive 2 GByte over the course of 5 days while a +ks8851 Ethernet chip on the same SPI bus handles 6 GByte of traffic. + +Unfortunately the hi3110 datasheet is mum on the trigger type. The pin +description on page 3 only specifies the polarity (active high): +http://www.holtic.com/documents/371-hi-3110_v-rev-kpdf.do + +Cc: Mathias Duckeck +Cc: Akshay Bhat +Cc: Casey Fitzpatrick +Signed-off-by: Lukas Wunner +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/devicetree/bindings/net/can/holt_hi311x.txt | 2 +- + drivers/net/can/spi/hi311x.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/Documentation/devicetree/bindings/net/can/holt_hi311x.txt ++++ b/Documentation/devicetree/bindings/net/can/holt_hi311x.txt +@@ -18,7 +18,7 @@ Example: + reg = <1>; + clocks = <&clk32m>; + interrupt-parent = <&gpio4>; +- interrupts = <13 IRQ_TYPE_EDGE_RISING>; ++ interrupts = <13 IRQ_TYPE_LEVEL_HIGH>; + vdd-supply = <®5v0>; + xceiver-supply = <®5v0>; + }; +--- a/drivers/net/can/spi/hi311x.c ++++ b/drivers/net/can/spi/hi311x.c +@@ -760,7 +760,7 @@ static int hi3110_open(struct net_device + { + struct hi3110_priv *priv = netdev_priv(net); + struct spi_device *spi = priv->spi; +- unsigned long flags = IRQF_ONESHOT | IRQF_TRIGGER_RISING; ++ unsigned long flags = IRQF_ONESHOT | IRQF_TRIGGER_HIGH; + int ret; + + ret = open_candev(net); diff --git a/queue-4.14/can-raw-check-for-can-fd-capable-netdev-in-raw_sendmsg.patch b/queue-4.14/can-raw-check-for-can-fd-capable-netdev-in-raw_sendmsg.patch new file mode 100644 index 00000000000..ddf371ff891 --- /dev/null +++ b/queue-4.14/can-raw-check-for-can-fd-capable-netdev-in-raw_sendmsg.patch @@ -0,0 +1,54 @@ +From a43608fa77213ad5ac5f75994254b9f65d57cfa0 Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp +Date: Wed, 24 Oct 2018 10:27:12 +0200 +Subject: can: raw: check for CAN FD capable netdev in raw_sendmsg() + +From: Oliver Hartkopp + +commit a43608fa77213ad5ac5f75994254b9f65d57cfa0 upstream. + +When the socket is CAN FD enabled it can handle CAN FD frame +transmissions. Add an additional check in raw_sendmsg() as a CAN2.0 CAN +driver (non CAN FD) should never see a CAN FD frame. Due to the commonly +used can_dropped_invalid_skb() function the CAN 2.0 driver would drop +that CAN FD frame anyway - but with this patch the user gets a proper +-EINVAL return code. + +Signed-off-by: Oliver Hartkopp +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + net/can/raw.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/net/can/raw.c ++++ b/net/can/raw.c +@@ -745,18 +745,19 @@ static int raw_sendmsg(struct socket *so + } else + ifindex = ro->ifindex; + +- if (ro->fd_frames) { ++ dev = dev_get_by_index(sock_net(sk), ifindex); ++ if (!dev) ++ return -ENXIO; ++ ++ err = -EINVAL; ++ if (ro->fd_frames && dev->mtu == CANFD_MTU) { + if (unlikely(size != CANFD_MTU && size != CAN_MTU)) +- return -EINVAL; ++ goto put_dev; + } else { + if (unlikely(size != CAN_MTU)) +- return -EINVAL; ++ goto put_dev; + } + +- dev = dev_get_by_index(sock_net(sk), ifindex); +- if (!dev) +- return -ENXIO; +- + skb = sock_alloc_send_skb(sk, size + sizeof(struct can_skb_priv), + msg->msg_flags & MSG_DONTWAIT, &err); + if (!skb) diff --git a/queue-4.14/can-rx-offload-introduce-can_rx_offload_get_echo_skb-and-can_rx_offload_queue_sorted-functions.patch b/queue-4.14/can-rx-offload-introduce-can_rx_offload_get_echo_skb-and-can_rx_offload_queue_sorted-functions.patch new file mode 100644 index 00000000000..30838317cf9 --- /dev/null +++ b/queue-4.14/can-rx-offload-introduce-can_rx_offload_get_echo_skb-and-can_rx_offload_queue_sorted-functions.patch @@ -0,0 +1,91 @@ +From 55059f2b7f868cd43b3ad30e28e18347e1b46ace Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Tue, 18 Sep 2018 11:40:38 +0200 +Subject: can: rx-offload: introduce can_rx_offload_get_echo_skb() and can_rx_offload_queue_sorted() functions + +From: Oleksij Rempel + +commit 55059f2b7f868cd43b3ad30e28e18347e1b46ace upstream. + +Current CAN framework can't guarantee proper/chronological order +of RX and TX-ECHO messages. To make this possible, drivers should use +this functions instead of can_get_echo_skb(). + +Signed-off-by: Oleksij Rempel +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/rx-offload.c | 46 +++++++++++++++++++++++++++++++++++++++++ + include/linux/can/rx-offload.h | 4 +++ + 2 files changed, 50 insertions(+) + +--- a/drivers/net/can/rx-offload.c ++++ b/drivers/net/can/rx-offload.c +@@ -209,6 +209,52 @@ int can_rx_offload_irq_offload_fifo(stru + } + EXPORT_SYMBOL_GPL(can_rx_offload_irq_offload_fifo); + ++int can_rx_offload_queue_sorted(struct can_rx_offload *offload, ++ struct sk_buff *skb, u32 timestamp) ++{ ++ struct can_rx_offload_cb *cb; ++ unsigned long flags; ++ ++ if (skb_queue_len(&offload->skb_queue) > ++ offload->skb_queue_len_max) ++ return -ENOMEM; ++ ++ cb = can_rx_offload_get_cb(skb); ++ cb->timestamp = timestamp; ++ ++ spin_lock_irqsave(&offload->skb_queue.lock, flags); ++ __skb_queue_add_sort(&offload->skb_queue, skb, can_rx_offload_compare); ++ spin_unlock_irqrestore(&offload->skb_queue.lock, flags); ++ ++ can_rx_offload_schedule(offload); ++ ++ return 0; ++} ++EXPORT_SYMBOL_GPL(can_rx_offload_queue_sorted); ++ ++unsigned int can_rx_offload_get_echo_skb(struct can_rx_offload *offload, ++ unsigned int idx, u32 timestamp) ++{ ++ struct net_device *dev = offload->dev; ++ struct net_device_stats *stats = &dev->stats; ++ struct sk_buff *skb; ++ u8 len; ++ int err; ++ ++ skb = __can_get_echo_skb(dev, idx, &len); ++ if (!skb) ++ return 0; ++ ++ err = can_rx_offload_queue_sorted(offload, skb, timestamp); ++ if (err) { ++ stats->rx_errors++; ++ stats->tx_fifo_errors++; ++ } ++ ++ return len; ++} ++EXPORT_SYMBOL_GPL(can_rx_offload_get_echo_skb); ++ + int can_rx_offload_irq_queue_err_skb(struct can_rx_offload *offload, struct sk_buff *skb) + { + if (skb_queue_len(&offload->skb_queue) > +--- a/include/linux/can/rx-offload.h ++++ b/include/linux/can/rx-offload.h +@@ -41,6 +41,10 @@ int can_rx_offload_add_timestamp(struct + int can_rx_offload_add_fifo(struct net_device *dev, struct can_rx_offload *offload, unsigned int weight); + int can_rx_offload_irq_offload_timestamp(struct can_rx_offload *offload, u64 reg); + int can_rx_offload_irq_offload_fifo(struct can_rx_offload *offload); ++int can_rx_offload_queue_sorted(struct can_rx_offload *offload, ++ struct sk_buff *skb, u32 timestamp); ++unsigned int can_rx_offload_get_echo_skb(struct can_rx_offload *offload, ++ unsigned int idx, u32 timestamp); + int can_rx_offload_irq_queue_err_skb(struct can_rx_offload *offload, struct sk_buff *skb); + void can_rx_offload_reset(struct can_rx_offload *offload); + void can_rx_offload_del(struct can_rx_offload *offload); diff --git a/queue-4.14/can-rx-offload-rename-can_rx_offload_irq_queue_err_skb-to-can_rx_offload_queue_tail.patch b/queue-4.14/can-rx-offload-rename-can_rx_offload_irq_queue_err_skb-to-can_rx_offload_queue_tail.patch new file mode 100644 index 00000000000..5f6b17475fe --- /dev/null +++ b/queue-4.14/can-rx-offload-rename-can_rx_offload_irq_queue_err_skb-to-can_rx_offload_queue_tail.patch @@ -0,0 +1,75 @@ +From 4530ec36bb1e0d24f41c33229694adacda3d5d89 Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Tue, 18 Sep 2018 11:40:40 +0200 +Subject: can: rx-offload: rename can_rx_offload_irq_queue_err_skb() to can_rx_offload_queue_tail() + +From: Oleksij Rempel + +commit 4530ec36bb1e0d24f41c33229694adacda3d5d89 upstream. + +This function has nothing todo with error. + +Signed-off-by: Oleksij Rempel +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/flexcan.c | 4 ++-- + drivers/net/can/rx-offload.c | 5 +++-- + include/linux/can/rx-offload.h | 3 ++- + 3 files changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/net/can/flexcan.c ++++ b/drivers/net/can/flexcan.c +@@ -599,7 +599,7 @@ static void flexcan_irq_bus_err(struct n + if (tx_errors) + dev->stats.tx_errors++; + +- can_rx_offload_irq_queue_err_skb(&priv->offload, skb); ++ can_rx_offload_queue_tail(&priv->offload, skb); + } + + static void flexcan_irq_state(struct net_device *dev, u32 reg_esr) +@@ -639,7 +639,7 @@ static void flexcan_irq_state(struct net + if (unlikely(new_state == CAN_STATE_BUS_OFF)) + can_bus_off(dev); + +- can_rx_offload_irq_queue_err_skb(&priv->offload, skb); ++ can_rx_offload_queue_tail(&priv->offload, skb); + } + + static inline struct flexcan_priv *rx_offload_to_priv(struct can_rx_offload *offload) +--- a/drivers/net/can/rx-offload.c ++++ b/drivers/net/can/rx-offload.c +@@ -255,7 +255,8 @@ unsigned int can_rx_offload_get_echo_skb + } + EXPORT_SYMBOL_GPL(can_rx_offload_get_echo_skb); + +-int can_rx_offload_irq_queue_err_skb(struct can_rx_offload *offload, struct sk_buff *skb) ++int can_rx_offload_queue_tail(struct can_rx_offload *offload, ++ struct sk_buff *skb) + { + if (skb_queue_len(&offload->skb_queue) > + offload->skb_queue_len_max) +@@ -266,7 +267,7 @@ int can_rx_offload_irq_queue_err_skb(str + + return 0; + } +-EXPORT_SYMBOL_GPL(can_rx_offload_irq_queue_err_skb); ++EXPORT_SYMBOL_GPL(can_rx_offload_queue_tail); + + static int can_rx_offload_init_queue(struct net_device *dev, struct can_rx_offload *offload, unsigned int weight) + { +--- a/include/linux/can/rx-offload.h ++++ b/include/linux/can/rx-offload.h +@@ -45,7 +45,8 @@ int can_rx_offload_queue_sorted(struct c + struct sk_buff *skb, u32 timestamp); + unsigned int can_rx_offload_get_echo_skb(struct can_rx_offload *offload, + unsigned int idx, u32 timestamp); +-int can_rx_offload_irq_queue_err_skb(struct can_rx_offload *offload, struct sk_buff *skb); ++int can_rx_offload_queue_tail(struct can_rx_offload *offload, ++ struct sk_buff *skb); + void can_rx_offload_reset(struct can_rx_offload *offload); + void can_rx_offload_del(struct can_rx_offload *offload); + void can_rx_offload_enable(struct can_rx_offload *offload); diff --git a/queue-4.14/drm-ast-change-resolution-may-cause-screen-blurred.patch b/queue-4.14/drm-ast-change-resolution-may-cause-screen-blurred.patch new file mode 100644 index 00000000000..64d50d2830f --- /dev/null +++ b/queue-4.14/drm-ast-change-resolution-may-cause-screen-blurred.patch @@ -0,0 +1,36 @@ +From 1a37bd823891568f8721989aed0615835632d81a Mon Sep 17 00:00:00 2001 +From: "Y.C. Chen" +Date: Wed, 3 Oct 2018 14:57:47 +0800 +Subject: drm/ast: change resolution may cause screen blurred + +From: Y.C. Chen + +commit 1a37bd823891568f8721989aed0615835632d81a upstream. + +The value of pitches is not correct while calling mode_set. +The issue we found so far on following system: +- Debian8 with XFCE Desktop +- Ubuntu with KDE Desktop +- SUSE15 with KDE Desktop + +Signed-off-by: Y.C. Chen +Cc: +Tested-by: Jean Delvare +Reviewed-by: Jean Delvare +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/ast/ast_mode.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/ast/ast_mode.c ++++ b/drivers/gpu/drm/ast/ast_mode.c +@@ -568,6 +568,7 @@ static int ast_crtc_do_set_base(struct d + } + ast_bo_unreserve(bo); + ++ ast_set_offset_reg(crtc); + ast_set_start_address_crt1(crtc, (u32)gpu_addr); + + return 0; diff --git a/queue-4.14/drm-ast-fixed-cursor-may-disappear-sometimes.patch b/queue-4.14/drm-ast-fixed-cursor-may-disappear-sometimes.patch new file mode 100644 index 00000000000..69c836e48e7 --- /dev/null +++ b/queue-4.14/drm-ast-fixed-cursor-may-disappear-sometimes.patch @@ -0,0 +1,30 @@ +From 7989b9ee8bafe5cc625381dd0c3c4586de27ca26 Mon Sep 17 00:00:00 2001 +From: "Y.C. Chen" +Date: Tue, 30 Oct 2018 11:34:46 +0800 +Subject: drm/ast: fixed cursor may disappear sometimes + +From: Y.C. Chen + +commit 7989b9ee8bafe5cc625381dd0c3c4586de27ca26 upstream. + +Signed-off-by: Y.C. Chen +Cc: +Reviewed-by: Dave Airlie +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/ast/ast_mode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/ast/ast_mode.c ++++ b/drivers/gpu/drm/ast/ast_mode.c +@@ -1255,7 +1255,7 @@ static int ast_cursor_move(struct drm_cr + ast_set_index_reg(ast, AST_IO_CRTC_PORT, 0xc7, ((y >> 8) & 0x07)); + + /* dummy write to fire HWC */ +- ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xCB, 0xFF, 0x00); ++ ast_show_cursor(crtc); + + return 0; + } diff --git a/queue-4.14/drm-ast-remove-existing-framebuffers-before-loading-driver.patch b/queue-4.14/drm-ast-remove-existing-framebuffers-before-loading-driver.patch new file mode 100644 index 00000000000..cba1a490ce6 --- /dev/null +++ b/queue-4.14/drm-ast-remove-existing-framebuffers-before-loading-driver.patch @@ -0,0 +1,63 @@ +From 5478ad10e7850ce3d8b7056db05ddfa3c9ddad9a Mon Sep 17 00:00:00 2001 +From: Thomas Zimmermann +Date: Thu, 15 Nov 2018 11:42:16 +0100 +Subject: drm/ast: Remove existing framebuffers before loading driver + +From: Thomas Zimmermann + +commit 5478ad10e7850ce3d8b7056db05ddfa3c9ddad9a upstream. + +If vesafb attaches to the AST device, it configures the framebuffer memory +for uncached access by default. When ast.ko later tries to attach itself to +the device, it wants to use write-combining on the framebuffer memory, but +vesefb's existing configuration for uncached access takes precedence. This +results in reduced performance. + +Removing the framebuffer's configuration before loding the AST driver fixes +the problem. Other DRM drivers already contain equivalent code. + +Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1112963 +Signed-off-by: Thomas Zimmermann +Cc: +Tested-by: Y.C. Chen +Reviewed-by: Jean Delvare +Tested-by: Jean Delvare +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/ast/ast_drv.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/drivers/gpu/drm/ast/ast_drv.c ++++ b/drivers/gpu/drm/ast/ast_drv.c +@@ -60,8 +60,29 @@ static const struct pci_device_id pciidl + + MODULE_DEVICE_TABLE(pci, pciidlist); + ++static void ast_kick_out_firmware_fb(struct pci_dev *pdev) ++{ ++ struct apertures_struct *ap; ++ bool primary = false; ++ ++ ap = alloc_apertures(1); ++ if (!ap) ++ return; ++ ++ ap->ranges[0].base = pci_resource_start(pdev, 0); ++ ap->ranges[0].size = pci_resource_len(pdev, 0); ++ ++#ifdef CONFIG_X86 ++ primary = pdev->resource[PCI_ROM_RESOURCE].flags & IORESOURCE_ROM_SHADOW; ++#endif ++ drm_fb_helper_remove_conflicting_framebuffers(ap, "astdrmfb", primary); ++ kfree(ap); ++} ++ + static int ast_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + { ++ ast_kick_out_firmware_fb(pdev); ++ + return drm_get_pci_dev(pdev, ent, &driver); + } + diff --git a/queue-4.14/drm-i915-disable-lp3-watermarks-on-all-snb-machines.patch b/queue-4.14/drm-i915-disable-lp3-watermarks-on-all-snb-machines.patch new file mode 100644 index 00000000000..6f2c9da069e --- /dev/null +++ b/queue-4.14/drm-i915-disable-lp3-watermarks-on-all-snb-machines.patch @@ -0,0 +1,137 @@ +From 21556350ade3cb5d7afecc8b3544e56431d21695 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Wed, 14 Nov 2018 19:34:40 +0200 +Subject: drm/i915: Disable LP3 watermarks on all SNB machines +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 21556350ade3cb5d7afecc8b3544e56431d21695 upstream. + +I have a Thinkpad X220 Tablet in my hands that is losing vblank +interrupts whenever LP3 watermarks are used. + +If I nudge the latency value written to the WM3 register just +by one in either direction the problem disappears. That to me +suggests that the punit will not enter the corrsponding +powersave mode (MPLL shutdown IIRC) unless the latency value +in the register matches exactly what we read from SSKPD. Ie. +it's not really a latency value but rather just a cookie +by which the punit can identify the desired power saving state. +On HSW/BDW this was changed such that we actually just write +the WM level number into those bits, which makes much more +sense given the observed behaviour. + +We could try to handle this by disallowing LP3 watermarks +only when vblank interrupts are enabled but we'd first have +to prove that only vblank interrupts are affected, which +seems unlikely. Also we can't grab the wm mutex from the +vblank enable/disable hooks because those are called with +various spinlocks held. Thus we'd have to redesigne the +watermark locking. So to play it safe and keep the code +simple we simply disable LP3 watermarks on all SNB machines. + +To do that we simply zero out the latency values for +watermark level 3, and we adjust the watermark computation +to check for that. The behaviour now matches that of the +g4x/vlv/skl wm code in the presence of a zeroed latency +value. + +v2: s/USHRT_MAX/U32_MAX/ for consistency with the types (Chris) + +Cc: stable@vger.kernel.org +Cc: Chris Wilson +Acked-by: Chris Wilson +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101269 +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103713 +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20181114173440.6730-1-ville.syrjala@linux.intel.com +(cherry picked from commit 03981c6ebec4fc7056b9b45f847393aeac90d060) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_pm.c | 41 +++++++++++++++++++++++++++++++++++++++- + 1 file changed, 40 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/intel_pm.c ++++ b/drivers/gpu/drm/i915/intel_pm.c +@@ -2500,6 +2500,9 @@ static uint32_t ilk_compute_spr_wm(const + uint32_t method1, method2; + int cpp; + ++ if (mem_value == 0) ++ return U32_MAX; ++ + if (!intel_wm_plane_visible(cstate, pstate)) + return 0; + +@@ -2523,6 +2526,9 @@ static uint32_t ilk_compute_cur_wm(const + { + int cpp; + ++ if (mem_value == 0) ++ return U32_MAX; ++ + if (!intel_wm_plane_visible(cstate, pstate)) + return 0; + +@@ -2540,6 +2546,9 @@ static uint32_t ilk_compute_fbc_wm(const + { + int cpp; + ++ if (mem_value == 0) ++ return U32_MAX; ++ + if (!intel_wm_plane_visible(cstate, pstate)) + return 0; + +@@ -2981,6 +2990,34 @@ static void snb_wm_latency_quirk(struct + intel_print_wm_latency(dev_priv, "Cursor", dev_priv->wm.cur_latency); + } + ++static void snb_wm_lp3_irq_quirk(struct drm_i915_private *dev_priv) ++{ ++ /* ++ * On some SNB machines (Thinkpad X220 Tablet at least) ++ * LP3 usage can cause vblank interrupts to be lost. ++ * The DEIIR bit will go high but it looks like the CPU ++ * never gets interrupted. ++ * ++ * It's not clear whether other interrupt source could ++ * be affected or if this is somehow limited to vblank ++ * interrupts only. To play it safe we disable LP3 ++ * watermarks entirely. ++ */ ++ if (dev_priv->wm.pri_latency[3] == 0 && ++ dev_priv->wm.spr_latency[3] == 0 && ++ dev_priv->wm.cur_latency[3] == 0) ++ return; ++ ++ dev_priv->wm.pri_latency[3] = 0; ++ dev_priv->wm.spr_latency[3] = 0; ++ dev_priv->wm.cur_latency[3] = 0; ++ ++ DRM_DEBUG_KMS("LP3 watermarks disabled due to potential for lost interrupts\n"); ++ intel_print_wm_latency(dev_priv, "Primary", dev_priv->wm.pri_latency); ++ intel_print_wm_latency(dev_priv, "Sprite", dev_priv->wm.spr_latency); ++ intel_print_wm_latency(dev_priv, "Cursor", dev_priv->wm.cur_latency); ++} ++ + static void ilk_setup_wm_latency(struct drm_i915_private *dev_priv) + { + intel_read_wm_latency(dev_priv, dev_priv->wm.pri_latency); +@@ -2997,8 +3034,10 @@ static void ilk_setup_wm_latency(struct + intel_print_wm_latency(dev_priv, "Sprite", dev_priv->wm.spr_latency); + intel_print_wm_latency(dev_priv, "Cursor", dev_priv->wm.cur_latency); + +- if (IS_GEN6(dev_priv)) ++ if (IS_GEN6(dev_priv)) { + snb_wm_latency_quirk(dev_priv); ++ snb_wm_lp3_irq_quirk(dev_priv); ++ } + } + + static void skl_setup_wm_latency(struct drm_i915_private *dev_priv) diff --git a/queue-4.14/gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch b/queue-4.14/gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch new file mode 100644 index 00000000000..7537b49e5d0 --- /dev/null +++ b/queue-4.14/gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch @@ -0,0 +1,40 @@ +From 4c62bd9cea7bcf10292f7e4c57a2bca332942697 Mon Sep 17 00:00:00 2001 +From: Andrew Price +Date: Mon, 8 Oct 2018 07:52:43 -0500 +Subject: gfs2: Don't leave s_fs_info pointing to freed memory in init_sbd + +From: Andrew Price + +commit 4c62bd9cea7bcf10292f7e4c57a2bca332942697 upstream. + +When alloc_percpu() fails, sdp gets freed but sb->s_fs_info still points +to the same address. Move the assignment after that error check so that +s_fs_info can only point to a valid sdp or NULL, which is checked for +later in the error path, in gfs2_kill_super(). + +Reported-by: syzbot+dcb8b3587445007f5808@syzkaller.appspotmail.com +Signed-off-by: Andrew Price +Signed-off-by: Bob Peterson +Signed-off-by: Greg Kroah-Hartman + +--- + fs/gfs2/ops_fstype.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/gfs2/ops_fstype.c ++++ b/fs/gfs2/ops_fstype.c +@@ -72,13 +72,13 @@ static struct gfs2_sbd *init_sbd(struct + if (!sdp) + return NULL; + +- sb->s_fs_info = sdp; + sdp->sd_vfs = sb; + sdp->sd_lkstats = alloc_percpu(struct gfs2_pcpu_lkstats); + if (!sdp->sd_lkstats) { + kfree(sdp); + return NULL; + } ++ sb->s_fs_info = sdp; + + set_bit(SDF_NOJOURNALID, &sdp->sd_flags); + gfs2_tune_init(&sdp->sd_tune); diff --git a/queue-4.14/gpio-don-t-free-unallocated-ida-on-gpiochip_add_data_with_key-error-path.patch b/queue-4.14/gpio-don-t-free-unallocated-ida-on-gpiochip_add_data_with_key-error-path.patch new file mode 100644 index 00000000000..2f09b77a216 --- /dev/null +++ b/queue-4.14/gpio-don-t-free-unallocated-ida-on-gpiochip_add_data_with_key-error-path.patch @@ -0,0 +1,49 @@ +From a05a14049999598a3bb6fab12db6b768a0215522 Mon Sep 17 00:00:00 2001 +From: Vladimir Zapolskiy +Date: Fri, 2 Nov 2018 15:39:43 +0200 +Subject: gpio: don't free unallocated ida on gpiochip_add_data_with_key() error path + +From: Vladimir Zapolskiy + +commit a05a14049999598a3bb6fab12db6b768a0215522 upstream. + +The change corrects the error path in gpiochip_add_data_with_key() +by avoiding to call ida_simple_remove(), if ida_simple_get() returns +an error. + +Note that ida_simple_remove()/ida_free() throws a BUG(), if id argument +is negative, it allows to easily check the correctness of the fix by +fuzzing the return value from ida_simple_get(). + +Fixes: ff2b13592299 ("gpio: make the gpiochip a real device") +Cc: stable@vger.kernel.org # v4.6+ +Signed-off-by: Vladimir Zapolskiy +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpiolib.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -1166,7 +1166,7 @@ int gpiochip_add_data(struct gpio_chip * + gdev->descs = kcalloc(chip->ngpio, sizeof(gdev->descs[0]), GFP_KERNEL); + if (!gdev->descs) { + status = -ENOMEM; +- goto err_free_gdev; ++ goto err_free_ida; + } + + if (chip->ngpio == 0) { +@@ -1298,8 +1298,9 @@ err_free_label: + kfree(gdev->label); + err_free_descs: + kfree(gdev->descs); +-err_free_gdev: ++err_free_ida: + ida_simple_remove(&gpio_ida, gdev->id); ++err_free_gdev: + /* failures here can mean systems won't boot... */ + pr_err("%s: GPIOs %d..%d (%s) failed to register\n", __func__, + gdev->base, gdev->base + gdev->ngpio - 1, diff --git a/queue-4.14/input-synaptics-avoid-using-uninitialized-variable-when-probing.patch b/queue-4.14/input-synaptics-avoid-using-uninitialized-variable-when-probing.patch new file mode 100644 index 00000000000..3b6f67c13a8 --- /dev/null +++ b/queue-4.14/input-synaptics-avoid-using-uninitialized-variable-when-probing.patch @@ -0,0 +1,37 @@ +From f39f8688888ae74fa8deae2d01289b69b4727394 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Tue, 16 Oct 2018 17:07:35 -0700 +Subject: Input: synaptics - avoid using uninitialized variable when probing + +From: Dmitry Torokhov + +commit f39f8688888ae74fa8deae2d01289b69b4727394 upstream. + +synaptics_detect() does not check whether sending commands to the +device succeeds and instead relies on getting unique data from the +device. Let's make sure we seed entire buffer with zeroes to make sure +we will not use garbage on stack that just happen to be 0x47. + +Reported-by: syzbot+13cb3b01d0784e4ffc3f@syzkaller.appspotmail.com +Reviewed-by: Benjamin Tissoires +Reviewed-by: Peter Hutterer +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/synaptics.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/input/mouse/synaptics.c ++++ b/drivers/input/mouse/synaptics.c +@@ -99,9 +99,7 @@ static int synaptics_mode_cmd(struct psm + int synaptics_detect(struct psmouse *psmouse, bool set_properties) + { + struct ps2dev *ps2dev = &psmouse->ps2dev; +- u8 param[4]; +- +- param[0] = 0; ++ u8 param[4] = { 0 }; + + ps2_command(ps2dev, param, PSMOUSE_CMD_SETRES); + ps2_command(ps2dev, param, PSMOUSE_CMD_SETRES); diff --git a/queue-4.14/iwlwifi-mvm-don-t-use-sar-geo-if-basic-sar-is-not-used.patch b/queue-4.14/iwlwifi-mvm-don-t-use-sar-geo-if-basic-sar-is-not-used.patch new file mode 100644 index 00000000000..cfe6ad3ce75 --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-don-t-use-sar-geo-if-basic-sar-is-not-used.patch @@ -0,0 +1,92 @@ +From 5d041c46ccb9b48acc110e214beff5e2789311df Mon Sep 17 00:00:00 2001 +From: Luca Coelho +Date: Wed, 17 Oct 2018 08:35:15 +0300 +Subject: iwlwifi: mvm: don't use SAR Geo if basic SAR is not used + +From: Luca Coelho + +commit 5d041c46ccb9b48acc110e214beff5e2789311df upstream. + +We can't use SAR Geo if basic SAR is not enabled, since the SAR Geo +tables define offsets in relation to the basic SAR table in use. + +To fix this, make iwl_mvm_sar_init() return one in case WRDS is not +available, so we can skip reading WGDS entirely. + +Fixes: a6bff3cb19b7 ("iwlwifi: mvm: add GEO_TX_POWER_LIMIT cmd for geographic tx power table") +Cc: stable@vger.kernel.org # 4.12+ +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 36 +++++++++++++++++++++------- + 1 file changed, 28 insertions(+), 8 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +@@ -997,6 +997,11 @@ static int iwl_mvm_sar_get_ewrd_table(st + return -ENOENT; + } + ++static int iwl_mvm_sar_get_wgds_table(struct iwl_mvm *mvm) ++{ ++ return -ENOENT; ++} ++ + static int iwl_mvm_sar_geo_init(struct iwl_mvm *mvm) + { + return 0; +@@ -1023,8 +1028,11 @@ static int iwl_mvm_sar_init(struct iwl_m + IWL_DEBUG_RADIO(mvm, + "WRDS SAR BIOS table invalid or unavailable. (%d)\n", + ret); +- /* if not available, don't fail and don't bother with EWRD */ +- return 0; ++ /* ++ * If not available, don't fail and don't bother with EWRD. ++ * Return 1 to tell that we can't use WGDS either. ++ */ ++ return 1; + } + + ret = iwl_mvm_sar_get_ewrd_table(mvm); +@@ -1037,9 +1045,13 @@ static int iwl_mvm_sar_init(struct iwl_m + /* choose profile 1 (WRDS) as default for both chains */ + ret = iwl_mvm_sar_select_profile(mvm, 1, 1); + +- /* if we don't have profile 0 from BIOS, just skip it */ ++ /* ++ * If we don't have profile 0 from BIOS, just skip it. This ++ * means that SAR Geo will not be enabled either, even if we ++ * have other valid profiles. ++ */ + if (ret == -ENOENT) +- return 0; ++ return 1; + + return ret; + } +@@ -1229,11 +1241,19 @@ int iwl_mvm_up(struct iwl_mvm *mvm) + iwl_mvm_unref(mvm, IWL_MVM_REF_UCODE_DOWN); + + ret = iwl_mvm_sar_init(mvm); +- if (ret) +- goto error; ++ if (ret == 0) { ++ ret = iwl_mvm_sar_geo_init(mvm); ++ } else if (ret > 0 && !iwl_mvm_sar_get_wgds_table(mvm)) { ++ /* ++ * If basic SAR is not available, we check for WGDS, ++ * which should *not* be available either. If it is ++ * available, issue an error, because we can't use SAR ++ * Geo without basic SAR. ++ */ ++ IWL_ERR(mvm, "BIOS contains WGDS but no WRDS\n"); ++ } + +- ret = iwl_mvm_sar_geo_init(mvm); +- if (ret) ++ if (ret < 0) + goto error; + + iwl_mvm_leds_sync(mvm); diff --git a/queue-4.14/iwlwifi-mvm-fix-regulatory-domain-update-when-the-firmware-starts.patch b/queue-4.14/iwlwifi-mvm-fix-regulatory-domain-update-when-the-firmware-starts.patch new file mode 100644 index 00000000000..463841e6e27 --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-fix-regulatory-domain-update-when-the-firmware-starts.patch @@ -0,0 +1,77 @@ +From 82715ac71e6b94a2c2136e31f3a8e6748e33aa8c Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Wed, 3 Oct 2018 11:16:54 +0300 +Subject: iwlwifi: mvm: fix regulatory domain update when the firmware starts + +From: Emmanuel Grumbach + +commit 82715ac71e6b94a2c2136e31f3a8e6748e33aa8c upstream. + +When the firmware starts, it doesn't have any regulatory +information, hence it uses the world wide limitations. The +driver can feed the firmware with previous knowledge that +was kept in the driver, but the firmware may still not +update its internal tables. + +This happens when we start a BSS interface, and then the +firmware can change the regulatory tables based on our +location and it'll use more lenient, location specific +rules. Then, if the firmware is shut down (when the +interface is brought down), and then an AP interface is +created, the firmware will forget the country specific +rules. + +The host will think that we are in a certain country that +may allow channels and will try to teach the firmware about +our location, but the firmware may still not allow to drop +the world wide limitations and apply country specific rules +because it was just re-started. + +In this case, the firmware will reply with MCC_RESP_ILLEGAL +to the MCC_UPDATE_CMD. In that case, iwlwifi needs to let +the upper layers (cfg80211 / hostapd) know that the channel +list they know about has been updated. + +This fixes https://bugzilla.kernel.org/show_bug.cgi?id=201105 + +Cc: stable@vger.kernel.org +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 8 ++++++-- + drivers/net/wireless/intel/iwlwifi/mvm/nvm.c | 5 ++--- + 2 files changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -328,8 +328,12 @@ struct ieee80211_regdomain *iwl_mvm_get_ + goto out; + } + +- if (changed) +- *changed = (resp->status == MCC_RESP_NEW_CHAN_PROFILE); ++ if (changed) { ++ u32 status = le32_to_cpu(resp->status); ++ ++ *changed = (status == MCC_RESP_NEW_CHAN_PROFILE || ++ status == MCC_RESP_ILLEGAL); ++ } + + regd = iwl_parse_nvm_mcc_info(mvm->trans->dev, mvm->cfg, + __le32_to_cpu(resp->n_channels), +--- a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c +@@ -732,9 +732,8 @@ iwl_mvm_update_mcc(struct iwl_mvm *mvm, + } + + IWL_DEBUG_LAR(mvm, +- "MCC response status: 0x%x. new MCC: 0x%x ('%c%c') change: %d n_chans: %d\n", +- status, mcc, mcc >> 8, mcc & 0xff, +- !!(status == MCC_RESP_NEW_CHAN_PROFILE), n_channels); ++ "MCC response status: 0x%x. new MCC: 0x%x ('%c%c') n_chans: %d\n", ++ status, mcc, mcc >> 8, mcc & 0xff, n_channels); + + exit: + iwl_free_resp(&cmd); diff --git a/queue-4.14/iwlwifi-mvm-support-sta_statistics-even-on-older-firmware.patch b/queue-4.14/iwlwifi-mvm-support-sta_statistics-even-on-older-firmware.patch new file mode 100644 index 00000000000..ea5e18600da --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-support-sta_statistics-even-on-older-firmware.patch @@ -0,0 +1,36 @@ +From ec484d03ef0df8d34086b95710e355a259cbe1f2 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Thu, 16 Aug 2018 13:25:48 +0300 +Subject: iwlwifi: mvm: support sta_statistics() even on older firmware + +From: Emmanuel Grumbach + +commit ec484d03ef0df8d34086b95710e355a259cbe1f2 upstream. + +The oldest firmware supported by iwlmvm do support getting +the average beacon RSSI. Enable the sta_statistics() call +from mac80211 even on older firmware versions. + +Fixes: 33cef9256342 ("iwlwifi: mvm: support beacon statistics for BSS client") +Cc: stable@vger.kernel.org # 4.2+ +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -4189,10 +4189,6 @@ static void iwl_mvm_mac_sta_statistics(s + sinfo->filled |= BIT(NL80211_STA_INFO_SIGNAL_AVG); + } + +- if (!fw_has_capa(&mvm->fw->ucode_capa, +- IWL_UCODE_TLV_CAPA_RADIO_BEACON_STATS)) +- return; +- + /* if beacon filtering isn't on mac80211 does it anyway */ + if (!(vif->driver_flags & IEEE80211_VIF_BEACON_FILTER)) + return; diff --git a/queue-4.14/llc-do-not-use-sk_eat_skb.patch b/queue-4.14/llc-do-not-use-sk_eat_skb.patch new file mode 100644 index 00000000000..d8468d1b377 --- /dev/null +++ b/queue-4.14/llc-do-not-use-sk_eat_skb.patch @@ -0,0 +1,164 @@ +From 604d415e2bd642b7e02c80e719e0396b9d4a77a6 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 22 Oct 2018 09:24:27 -0700 +Subject: llc: do not use sk_eat_skb() + +From: Eric Dumazet + +commit 604d415e2bd642b7e02c80e719e0396b9d4a77a6 upstream. + +syzkaller triggered a use-after-free [1], caused by a combination of +skb_get() in llc_conn_state_process() and usage of sk_eat_skb() + +sk_eat_skb() is assuming the skb about to be freed is only used by +the current thread. TCP/DCCP stacks enforce this because current +thread holds the socket lock. + +llc_conn_state_process() wants to make sure skb does not disappear, +and holds a reference on the skb it manipulates. But as soon as this +skb is added to socket receive queue, another thread can consume it. + +This means that llc must use regular skb_unlink() and kfree_skb() +so that both producer and consumer can safely work on the same skb. + +[1] +BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline] +BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:43 [inline] +BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:967 [inline] +BUG: KASAN: use-after-free in kfree_skb+0xb7/0x580 net/core/skbuff.c:655 +Read of size 4 at addr ffff8801d1f6fba4 by task ksoftirqd/1/18 + +CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.19.0-rc8+ #295 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c4/0x2b6 lib/dump_stack.c:113 + print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412 + check_memory_region_inline mm/kasan/kasan.c:260 [inline] + check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 + kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272 + atomic_read include/asm-generic/atomic-instrumented.h:21 [inline] + refcount_read include/linux/refcount.h:43 [inline] + skb_unref include/linux/skbuff.h:967 [inline] + kfree_skb+0xb7/0x580 net/core/skbuff.c:655 + llc_sap_state_process+0x9b/0x550 net/llc/llc_sap.c:224 + llc_sap_rcv+0x156/0x1f0 net/llc/llc_sap.c:297 + llc_sap_handler+0x65e/0xf80 net/llc/llc_sap.c:438 + llc_rcv+0x79e/0xe20 net/llc/llc_input.c:208 + __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913 + __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023 + process_backlog+0x218/0x6f0 net/core/dev.c:5829 + napi_poll net/core/dev.c:6249 [inline] + net_rx_action+0x7c5/0x1950 net/core/dev.c:6315 + __do_softirq+0x30c/0xb03 kernel/softirq.c:292 + run_ksoftirqd+0x94/0x100 kernel/softirq.c:653 + smpboot_thread_fn+0x68b/0xa00 kernel/smpboot.c:164 + kthread+0x35a/0x420 kernel/kthread.c:246 + ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413 + +Allocated by task 18: + save_stack+0x43/0xd0 mm/kasan/kasan.c:448 + set_track mm/kasan/kasan.c:460 [inline] + kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553 + kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490 + kmem_cache_alloc_node+0x144/0x730 mm/slab.c:3644 + __alloc_skb+0x119/0x770 net/core/skbuff.c:193 + alloc_skb include/linux/skbuff.h:995 [inline] + llc_alloc_frame+0xbc/0x370 net/llc/llc_sap.c:54 + llc_station_ac_send_xid_r net/llc/llc_station.c:52 [inline] + llc_station_rcv+0x1dc/0x1420 net/llc/llc_station.c:111 + llc_rcv+0xc32/0xe20 net/llc/llc_input.c:220 + __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913 + __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023 + process_backlog+0x218/0x6f0 net/core/dev.c:5829 + napi_poll net/core/dev.c:6249 [inline] + net_rx_action+0x7c5/0x1950 net/core/dev.c:6315 + __do_softirq+0x30c/0xb03 kernel/softirq.c:292 + +Freed by task 16383: + save_stack+0x43/0xd0 mm/kasan/kasan.c:448 + set_track mm/kasan/kasan.c:460 [inline] + __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521 + kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 + __cache_free mm/slab.c:3498 [inline] + kmem_cache_free+0x83/0x290 mm/slab.c:3756 + kfree_skbmem+0x154/0x230 net/core/skbuff.c:582 + __kfree_skb+0x1d/0x20 net/core/skbuff.c:642 + sk_eat_skb include/net/sock.h:2366 [inline] + llc_ui_recvmsg+0xec2/0x1610 net/llc/af_llc.c:882 + sock_recvmsg_nosec net/socket.c:794 [inline] + sock_recvmsg+0xd0/0x110 net/socket.c:801 + ___sys_recvmsg+0x2b6/0x680 net/socket.c:2278 + __sys_recvmmsg+0x303/0xb90 net/socket.c:2390 + do_sys_recvmmsg+0x181/0x1a0 net/socket.c:2466 + __do_sys_recvmmsg net/socket.c:2484 [inline] + __se_sys_recvmmsg net/socket.c:2480 [inline] + __x64_sys_recvmmsg+0xbe/0x150 net/socket.c:2480 + do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The buggy address belongs to the object at ffff8801d1f6fac0 + which belongs to the cache skbuff_head_cache of size 232 +The buggy address is located 228 bytes inside of + 232-byte region [ffff8801d1f6fac0, ffff8801d1f6fba8) +The buggy address belongs to the page: +page:ffffea000747dbc0 count:1 mapcount:0 mapping:ffff8801d9be7680 index:0xffff8801d1f6fe80 +flags: 0x2fffc0000000100(slab) +raw: 02fffc0000000100 ffffea0007346e88 ffffea000705b108 ffff8801d9be7680 +raw: ffff8801d1f6fe80 ffff8801d1f6f0c0 000000010000000b 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8801d1f6fa80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb + ffff8801d1f6fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff8801d1f6fb80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff8801d1f6fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8801d1f6fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/llc/af_llc.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -730,7 +730,6 @@ static int llc_ui_recvmsg(struct socket + struct sk_buff *skb = NULL; + struct sock *sk = sock->sk; + struct llc_sock *llc = llc_sk(sk); +- unsigned long cpu_flags; + size_t copied = 0; + u32 peek_seq = 0; + u32 *seq, skb_len; +@@ -855,9 +854,8 @@ static int llc_ui_recvmsg(struct socket + goto copy_uaddr; + + if (!(flags & MSG_PEEK)) { +- spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags); +- sk_eat_skb(sk, skb); +- spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags); ++ skb_unlink(skb, &sk->sk_receive_queue); ++ kfree_skb(skb); + *seq = 0; + } + +@@ -878,9 +876,8 @@ copy_uaddr: + llc_cmsg_rcv(msg, skb); + + if (!(flags & MSG_PEEK)) { +- spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags); +- sk_eat_skb(sk, skb); +- spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags); ++ skb_unlink(skb, &sk->sk_receive_queue); ++ kfree_skb(skb); + *seq = 0; + } + diff --git a/queue-4.14/maintainers-add-sasha-as-a-stable-branch-maintainer.patch b/queue-4.14/maintainers-add-sasha-as-a-stable-branch-maintainer.patch new file mode 100644 index 00000000000..e4d6ae4739a --- /dev/null +++ b/queue-4.14/maintainers-add-sasha-as-a-stable-branch-maintainer.patch @@ -0,0 +1,31 @@ +From cb5d21946d2a2f4687c482ab4604af1d29dac35a Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 15 Nov 2018 15:03:24 -0800 +Subject: MAINTAINERS: Add Sasha as a stable branch maintainer + +From: Greg Kroah-Hartman + +commit cb5d21946d2a2f4687c482ab4604af1d29dac35a upstream. + +Sasha has somehow been convinced into helping me with the stable kernel +maintenance. Codify this slip in good judgement before he realizes what +he really signed up for :) + +Signed-off-by: Greg Kroah-Hartman +Acked-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman + +--- + MAINTAINERS | 1 + + 1 file changed, 1 insertion(+) + +--- a/MAINTAINERS ++++ b/MAINTAINERS +@@ -12662,6 +12662,7 @@ F: arch/alpha/kernel/srm_env.c + + STABLE BRANCH + M: Greg Kroah-Hartman ++M: Sasha Levin + L: stable@vger.kernel.org + S: Supported + F: Documentation/process/stable-kernel-rules.rst diff --git a/queue-4.14/mm-don-t-warn-about-large-allocations-for-slab.patch b/queue-4.14/mm-don-t-warn-about-large-allocations-for-slab.patch new file mode 100644 index 00000000000..41a86fa5597 --- /dev/null +++ b/queue-4.14/mm-don-t-warn-about-large-allocations-for-slab.patch @@ -0,0 +1,107 @@ +From 61448479a9f2c954cde0cfe778cb6bec5d0a748d Mon Sep 17 00:00:00 2001 +From: Dmitry Vyukov +Date: Fri, 26 Oct 2018 15:03:12 -0700 +Subject: mm: don't warn about large allocations for slab + +From: Dmitry Vyukov + +commit 61448479a9f2c954cde0cfe778cb6bec5d0a748d upstream. + +Slub does not call kmalloc_slab() for sizes > KMALLOC_MAX_CACHE_SIZE, +instead it falls back to kmalloc_large(). + +For slab KMALLOC_MAX_CACHE_SIZE == KMALLOC_MAX_SIZE and it calls +kmalloc_slab() for all allocations relying on NULL return value for +over-sized allocations. + +This inconsistency leads to unwanted warnings from kmalloc_slab() for +over-sized allocations for slab. Returning NULL for failed allocations is +the expected behavior. + +Make slub and slab code consistent by checking size > +KMALLOC_MAX_CACHE_SIZE in slab before calling kmalloc_slab(). + +While we are here also fix the check in kmalloc_slab(). We should check +against KMALLOC_MAX_CACHE_SIZE rather than KMALLOC_MAX_SIZE. It all kinda +worked because for slab the constants are the same, and slub always checks +the size against KMALLOC_MAX_CACHE_SIZE before kmalloc_slab(). But if we +get there with size > KMALLOC_MAX_CACHE_SIZE anyhow bad things will +happen. For example, in case of a newly introduced bug in slub code. + +Also move the check in kmalloc_slab() from function entry to the size > +192 case. This partially compensates for the additional check in slab +code and makes slub code a bit faster (at least theoretically). + +Also drop __GFP_NOWARN in the warning check. This warning means a bug in +slab code itself, user-passed flags have nothing to do with it. + +Nothing of this affects slob. + +Link: http://lkml.kernel.org/r/20180927171502.226522-1-dvyukov@gmail.com +Signed-off-by: Dmitry Vyukov +Reported-by: syzbot+87829a10073277282ad1@syzkaller.appspotmail.com +Reported-by: syzbot+ef4e8fc3a06e9019bb40@syzkaller.appspotmail.com +Reported-by: syzbot+6e438f4036df52cbb863@syzkaller.appspotmail.com +Reported-by: syzbot+8574471d8734457d98aa@syzkaller.appspotmail.com +Reported-by: syzbot+af1504df0807a083dbd9@syzkaller.appspotmail.com +Acked-by: Christoph Lameter +Acked-by: Vlastimil Babka +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slab.c | 4 ++++ + mm/slab_common.c | 12 ++++++------ + 2 files changed, 10 insertions(+), 6 deletions(-) + +--- a/mm/slab.c ++++ b/mm/slab.c +@@ -3670,6 +3670,8 @@ __do_kmalloc_node(size_t size, gfp_t fla + struct kmem_cache *cachep; + void *ret; + ++ if (unlikely(size > KMALLOC_MAX_CACHE_SIZE)) ++ return NULL; + cachep = kmalloc_slab(size, flags); + if (unlikely(ZERO_OR_NULL_PTR(cachep))) + return cachep; +@@ -3705,6 +3707,8 @@ static __always_inline void *__do_kmallo + struct kmem_cache *cachep; + void *ret; + ++ if (unlikely(size > KMALLOC_MAX_CACHE_SIZE)) ++ return NULL; + cachep = kmalloc_slab(size, flags); + if (unlikely(ZERO_OR_NULL_PTR(cachep))) + return cachep; +--- a/mm/slab_common.c ++++ b/mm/slab_common.c +@@ -971,18 +971,18 @@ struct kmem_cache *kmalloc_slab(size_t s + { + int index; + +- if (unlikely(size > KMALLOC_MAX_SIZE)) { +- WARN_ON_ONCE(!(flags & __GFP_NOWARN)); +- return NULL; +- } +- + if (size <= 192) { + if (!size) + return ZERO_SIZE_PTR; + + index = size_index[size_index_elem(size)]; +- } else ++ } else { ++ if (unlikely(size > KMALLOC_MAX_CACHE_SIZE)) { ++ WARN_ON(1); ++ return NULL; ++ } + index = fls(size - 1); ++ } + + #ifdef CONFIG_ZONE_DMA + if (unlikely((flags & GFP_DMA))) diff --git a/queue-4.14/mm-memory.c-recheck-page-table-entry-with-page-table-lock-held.patch b/queue-4.14/mm-memory.c-recheck-page-table-entry-with-page-table-lock-held.patch new file mode 100644 index 00000000000..6e227ed4de9 --- /dev/null +++ b/queue-4.14/mm-memory.c-recheck-page-table-entry-with-page-table-lock-held.patch @@ -0,0 +1,84 @@ +From ff09d7ec9786be4ad7589aa987d7dc66e2dd9160 Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" +Date: Fri, 26 Oct 2018 15:09:01 -0700 +Subject: mm/memory.c: recheck page table entry with page table lock held + +From: Aneesh Kumar K.V + +commit ff09d7ec9786be4ad7589aa987d7dc66e2dd9160 upstream. + +We clear the pte temporarily during read/modify/write update of the pte. +If we take a page fault while the pte is cleared, the application can get +SIGBUS. One such case is with remap_pfn_range without a backing +vm_ops->fault callback. do_fault will return SIGBUS in that case. + +cpu 0 cpu1 +mprotect() +ptep_modify_prot_start()/pte cleared. +. +. page fault. +. +. +prep_modify_prot_commit() + +Fix this by taking page table lock and rechecking for pte_none. + +[aneesh.kumar@linux.ibm.com: fix crash observed with syzkaller run] + Link: http://lkml.kernel.org/r/87va6bwlfg.fsf@linux.ibm.com +Link: http://lkml.kernel.org/r/20180926031858.9692-1-aneesh.kumar@linux.ibm.com +Signed-off-by: Aneesh Kumar K.V +Acked-by: Kirill A. Shutemov +Cc: Willem de Bruijn +Cc: Eric Dumazet +Cc: Ido Schimmel +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memory.c | 34 ++++++++++++++++++++++++++++++---- + 1 file changed, 30 insertions(+), 4 deletions(-) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -3697,10 +3697,36 @@ static int do_fault(struct vm_fault *vmf + struct vm_area_struct *vma = vmf->vma; + int ret; + +- /* The VMA was not fully populated on mmap() or missing VM_DONTEXPAND */ +- if (!vma->vm_ops->fault) +- ret = VM_FAULT_SIGBUS; +- else if (!(vmf->flags & FAULT_FLAG_WRITE)) ++ /* ++ * The VMA was not fully populated on mmap() or missing VM_DONTEXPAND ++ */ ++ if (!vma->vm_ops->fault) { ++ /* ++ * If we find a migration pmd entry or a none pmd entry, which ++ * should never happen, return SIGBUS ++ */ ++ if (unlikely(!pmd_present(*vmf->pmd))) ++ ret = VM_FAULT_SIGBUS; ++ else { ++ vmf->pte = pte_offset_map_lock(vmf->vma->vm_mm, ++ vmf->pmd, ++ vmf->address, ++ &vmf->ptl); ++ /* ++ * Make sure this is not a temporary clearing of pte ++ * by holding ptl and checking again. A R/M/W update ++ * of pte involves: take ptl, clearing the pte so that ++ * we don't have concurrent modification by hardware ++ * followed by an update. ++ */ ++ if (unlikely(pte_none(*vmf->pte))) ++ ret = VM_FAULT_SIGBUS; ++ else ++ ret = VM_FAULT_NOPAGE; ++ ++ pte_unmap_unlock(vmf->pte, vmf->ptl); ++ } ++ } else if (!(vmf->flags & FAULT_FLAG_WRITE)) + ret = do_read_fault(vmf); + else if (!(vma->vm_flags & VM_SHARED)) + ret = do_cow_fault(vmf); diff --git a/queue-4.14/mmc-sdhci-pci-try-cd-for-card-detect-lookup-before-using-null.patch b/queue-4.14/mmc-sdhci-pci-try-cd-for-card-detect-lookup-before-using-null.patch new file mode 100644 index 00000000000..7b1df92f2a9 --- /dev/null +++ b/queue-4.14/mmc-sdhci-pci-try-cd-for-card-detect-lookup-before-using-null.patch @@ -0,0 +1,96 @@ +From cdcefe6bd9df754f528ffc339d3cc143cea4ddf6 Mon Sep 17 00:00:00 2001 +From: Rajat Jain +Date: Mon, 29 Oct 2018 15:17:01 -0700 +Subject: mmc: sdhci-pci: Try "cd" for card-detect lookup before using NULL + +From: Rajat Jain + +commit cdcefe6bd9df754f528ffc339d3cc143cea4ddf6 upstream. + +Problem: + +The card detect IRQ does not work with modern BIOS (that want +to use _DSD to provide the card detect GPIO to the driver). + +Details: + +The mmc core provides the mmc_gpiod_request_cd() API to let host drivers +request the gpio descriptor for the "card detect" pin. +This pin is specified in the ACPI for the SDHC device: + + * Either as a resource using _CRS. This is a method used by legacy BIOS. + (The driver needs to tell which resource index). + + * Or as a named property ("cd-gpios"/"cd-gpio") in _DSD (which internally + points to an entry in _CRS). This way, the driver can lookup using a + string. This is what modern BIOS prefer to use. + +This API finally results in a call to the following code: + +struct gpio_desc *acpi_find_gpio(..., const char *con_id,...) +{ +... + /* Lookup gpio (using "-gpio") in the _DSD */ +... + if (!acpi_can_fallback_to_crs(adev, con_id)) + return ERR_PTR(-ENOENT); +... + /* Falling back to _CRS is allowed, Lookup gpio in the _CRS */ +... +} + +Note that this means that if the ACPI has _DSD properties, the kernel +will never use _CRS for the lookup (Because acpi_can_fallback_to_crs() +will always be false for any device hat has _DSD entries). + +The SDHCI driver is thus currently broken on a modern BIOS, even if +BIOS provides both _CRS (for index based lookup) and _DSD entries (for +string based lookup). Ironically, none of these will be used for the +lookup currently because: + +* Since the con_id is NULL, acpi_find_gpio() does not find a matching + entry in DSDT. (The _DSDT entry has the property name = "cd-gpios") + +* Because ACPI contains DSDT entries, thus acpi_can_fallback_to_crs() + returns false (because device properties have been populated from + _DSD), thus the _CRS is never used for the lookup. + +Fix: + +Try "cd" for lookup in the _DSD before falling back to using NULL so +as to try looking up in the _CRS. + +I've tested this patch successfully with both Legacy BIOS (that +provide only _CRS method) as well as modern BIOS (that provide both +_CRS and _DSD). Also the use of "cd" appears to be fairly consistent +across other users of this API (other MMC host controller drivers). + +Link: https://lkml.org/lkml/2018/9/25/1113 +Signed-off-by: Rajat Jain +Acked-by: Adrian Hunter +Fixes: f10e4bf6632b ("gpio: acpi: Even more tighten up ACPI GPIO lookups") +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-pci-core.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci-pci-core.c ++++ b/drivers/mmc/host/sdhci-pci-core.c +@@ -1607,8 +1607,13 @@ static struct sdhci_pci_slot *sdhci_pci_ + host->mmc->caps2 |= MMC_CAP2_NO_PRESCAN_POWERUP; + + if (slot->cd_idx >= 0) { +- ret = mmc_gpiod_request_cd(host->mmc, NULL, slot->cd_idx, ++ ret = mmc_gpiod_request_cd(host->mmc, "cd", slot->cd_idx, + slot->cd_override_level, 0, NULL); ++ if (ret && ret != -EPROBE_DEFER) ++ ret = mmc_gpiod_request_cd(host->mmc, NULL, ++ slot->cd_idx, ++ slot->cd_override_level, ++ 0, NULL); + if (ret == -EPROBE_DEFER) + goto remove; + diff --git a/queue-4.14/sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch b/queue-4.14/sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch new file mode 100644 index 00000000000..9308e85b75d --- /dev/null +++ b/queue-4.14/sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch @@ -0,0 +1,59 @@ +From df132eff463873e14e019a07f387b4d577d6d1f9 Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Mon, 29 Oct 2018 23:10:29 +0800 +Subject: sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer + +From: Xin Long + +commit df132eff463873e14e019a07f387b4d577d6d1f9 upstream. + +If a transport is removed by asconf but there still are some chunks with +this transport queuing on out_chunk_list, later an use-after-free issue +will be caused when accessing this transport from these chunks in +sctp_outq_flush(). + +This is an old bug, we fix it by clearing the transport of these chunks +in out_chunk_list when removing a transport in sctp_assoc_rm_peer(). + +Reported-by: syzbot+56a40ceee5fb35932f4d@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/sctp/associola.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/net/sctp/associola.c ++++ b/net/sctp/associola.c +@@ -497,8 +497,9 @@ void sctp_assoc_set_primary(struct sctp_ + void sctp_assoc_rm_peer(struct sctp_association *asoc, + struct sctp_transport *peer) + { +- struct list_head *pos; +- struct sctp_transport *transport; ++ struct sctp_transport *transport; ++ struct list_head *pos; ++ struct sctp_chunk *ch; + + pr_debug("%s: association:%p addr:%pISpc\n", + __func__, asoc, &peer->ipaddr.sa); +@@ -562,7 +563,6 @@ void sctp_assoc_rm_peer(struct sctp_asso + */ + if (!list_empty(&peer->transmitted)) { + struct sctp_transport *active = asoc->peer.active_path; +- struct sctp_chunk *ch; + + /* Reset the transport of each chunk on this list */ + list_for_each_entry(ch, &peer->transmitted, +@@ -584,6 +584,10 @@ void sctp_assoc_rm_peer(struct sctp_asso + sctp_transport_hold(active); + } + ++ list_for_each_entry(ch, &asoc->outqueue.out_chunk_list, list) ++ if (ch->transport == peer) ++ ch->transport = NULL; ++ + asoc->peer.transport_count--; + + sctp_transport_free(peer); diff --git a/queue-4.14/selinux-add-__gfp_nowarn-to-allocation-at-str_read.patch b/queue-4.14/selinux-add-__gfp_nowarn-to-allocation-at-str_read.patch new file mode 100644 index 00000000000..b0c5b4233eb --- /dev/null +++ b/queue-4.14/selinux-add-__gfp_nowarn-to-allocation-at-str_read.patch @@ -0,0 +1,35 @@ +From 4458bba09788e70e8fb39ad003f087cd9dfbd6ac Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Sat, 8 Sep 2018 01:42:58 +0900 +Subject: selinux: Add __GFP_NOWARN to allocation at str_read() + +From: Tetsuo Handa + +commit 4458bba09788e70e8fb39ad003f087cd9dfbd6ac upstream. + +syzbot is hitting warning at str_read() [1] because len parameter can +become larger than KMALLOC_MAX_SIZE. We don't need to emit warning for +this case. + +[1] https://syzkaller.appspot.com/bug?id=7f2f5aad79ea8663c296a2eedb81978401a908f0 + +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/ss/policydb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/selinux/ss/policydb.c ++++ b/security/selinux/ss/policydb.c +@@ -1099,7 +1099,7 @@ static int str_read(char **strp, gfp_t f + if ((len == 0) || (len == (u32)-1)) + return -EINVAL; + +- str = kmalloc(len + 1, flags); ++ str = kmalloc(len + 1, flags | __GFP_NOWARN); + if (!str) + return -ENOMEM; + diff --git a/queue-4.14/series b/queue-4.14/series index 5622298f401..24794b5837a 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -3,3 +3,42 @@ arm-8766-1-drop-no-thumb-interwork-in-eabi-mode.patch arm-8767-1-add-support-for-building-arm-kernel-with-clang.patch bus-arm-cci-remove-unnecessary-unreachable.patch arm-trusted_foundations-do-not-use-naked-function.patch +usb-core-fix-hub-port-connection-events-lost.patch +usb-dwc3-gadget-fix-isoc-trb-type-on-unaligned-transfers.patch +usb-dwc3-gadget-properly-check-last-unaligned-zero-chain-trb.patch +usb-dwc3-core-clean-up-ulpi-device.patch +xhci-add-check-for-invalid-byte-size-error-when-uas-devices-are-connected.patch +usb-xhci-fix-timeout-for-transition-from-rexit-to-u0.patch +alsa-oss-use-kvzalloc-for-local-buffer-allocations.patch +maintainers-add-sasha-as-a-stable-branch-maintainer.patch +mmc-sdhci-pci-try-cd-for-card-detect-lookup-before-using-null.patch +gpio-don-t-free-unallocated-ida-on-gpiochip_add_data_with_key-error-path.patch +iwlwifi-mvm-support-sta_statistics-even-on-older-firmware.patch +iwlwifi-mvm-fix-regulatory-domain-update-when-the-firmware-starts.patch +iwlwifi-mvm-don-t-use-sar-geo-if-basic-sar-is-not-used.patch +brcmfmac-fix-reporting-support-for-160-mhz-channels.patch +tools-power-cpupower-fix-compilation-with-static-true.patch +v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch +selinux-add-__gfp_nowarn-to-allocation-at-str_read.patch +input-synaptics-avoid-using-uninitialized-variable-when-probing.patch +bfs-add-sanity-check-at-bfs_fill_super.patch +sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch +gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch +llc-do-not-use-sk_eat_skb.patch +mm-don-t-warn-about-large-allocations-for-slab.patch +mm-memory.c-recheck-page-table-entry-with-page-table-lock-held.patch +tcp-do-not-release-socket-ownership-in-tcp_close.patch +drm-i915-disable-lp3-watermarks-on-all-snb-machines.patch +drm-ast-change-resolution-may-cause-screen-blurred.patch +drm-ast-fixed-cursor-may-disappear-sometimes.patch +drm-ast-remove-existing-framebuffers-before-loading-driver.patch +can-dev-can_get_echo_skb-factor-out-non-sending-code-to-__can_get_echo_skb.patch +can-dev-__can_get_echo_skb-replace-struct-can_frame-by-canfd_frame-to-access-frame-length.patch +can-dev-__can_get_echo_skb-don-t-crash-the-kernel-if-can_priv-echo_skb-is-accessed-out-of-bounds.patch +can-dev-__can_get_echo_skb-print-error-message-if-trying-to-echo-non-existing-skb.patch +can-rx-offload-introduce-can_rx_offload_get_echo_skb-and-can_rx_offload_queue_sorted-functions.patch +can-rx-offload-rename-can_rx_offload_irq_queue_err_skb-to-can_rx_offload_queue_tail.patch +can-flexcan-use-can_rx_offload_queue_sorted-for-flexcan_irq_bus_.patch +can-flexcan-handle-tx-complete-can-frames-via-rx-offload-infrastructure.patch +can-raw-check-for-can-fd-capable-netdev-in-raw_sendmsg.patch +can-hi311x-use-level-triggered-interrupt.patch diff --git a/queue-4.14/tcp-do-not-release-socket-ownership-in-tcp_close.patch b/queue-4.14/tcp-do-not-release-socket-ownership-in-tcp_close.patch new file mode 100644 index 00000000000..ebeeab9bea8 --- /dev/null +++ b/queue-4.14/tcp-do-not-release-socket-ownership-in-tcp_close.patch @@ -0,0 +1,81 @@ +From 8873c064d1de579ea23412a6d3eee972593f142b Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 1 Oct 2018 23:24:26 -0700 +Subject: tcp: do not release socket ownership in tcp_close() + +From: Eric Dumazet + +commit 8873c064d1de579ea23412a6d3eee972593f142b upstream. + +syzkaller was able to hit the WARN_ON(sock_owned_by_user(sk)); +in tcp_close() + +While a socket is being closed, it is very possible other +threads find it in rtnetlink dump. + +tcp_get_info() will acquire the socket lock for a short amount +of time (slow = lock_sock_fast(sk)/unlock_sock_fast(sk, slow);), +enough to trigger the warning. + +Fixes: 67db3e4bfbc9 ("tcp: no longer hold ehash lock while calling tcp_get_info()") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/sock.h | 1 + + net/core/sock.c | 2 +- + net/ipv4/tcp.c | 11 +++-------- + 3 files changed, 5 insertions(+), 9 deletions(-) + +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1452,6 +1452,7 @@ static inline void lock_sock(struct sock + lock_sock_nested(sk, 0); + } + ++void __release_sock(struct sock *sk); + void release_sock(struct sock *sk); + + /* BH context may only use the following locking interface. */ +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2242,7 +2242,7 @@ static void __lock_sock(struct sock *sk) + finish_wait(&sk->sk_lock.wq, &wait); + } + +-static void __release_sock(struct sock *sk) ++void __release_sock(struct sock *sk) + __releases(&sk->sk_lock.slock) + __acquires(&sk->sk_lock.slock) + { +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2217,16 +2217,10 @@ adjudge_to_death: + sock_hold(sk); + sock_orphan(sk); + +- /* It is the last release_sock in its life. It will remove backlog. */ +- release_sock(sk); +- +- +- /* Now socket is owned by kernel and we acquire BH lock +- * to finish close. No need to check for user refs. +- */ + local_bh_disable(); + bh_lock_sock(sk); +- WARN_ON(sock_owned_by_user(sk)); ++ /* remove backlog if any, without releasing ownership. */ ++ __release_sock(sk); + + percpu_counter_inc(sk->sk_prot->orphan_count); + +@@ -2295,6 +2289,7 @@ adjudge_to_death: + out: + bh_unlock_sock(sk); + local_bh_enable(); ++ release_sock(sk); + sock_put(sk); + } + EXPORT_SYMBOL(tcp_close); diff --git a/queue-4.14/tools-power-cpupower-fix-compilation-with-static-true.patch b/queue-4.14/tools-power-cpupower-fix-compilation-with-static-true.patch new file mode 100644 index 00000000000..1737505fe41 --- /dev/null +++ b/queue-4.14/tools-power-cpupower-fix-compilation-with-static-true.patch @@ -0,0 +1,86 @@ +From 9de9aa45e9bd67232e000cca42ceb134b8ae51b6 Mon Sep 17 00:00:00 2001 +From: Konstantin Khlebnikov +Date: Tue, 16 Oct 2018 11:56:26 +0300 +Subject: tools/power/cpupower: fix compilation with STATIC=true + +From: Konstantin Khlebnikov + +commit 9de9aa45e9bd67232e000cca42ceb134b8ae51b6 upstream. + +Rename duplicate sysfs_read_file into cpupower_read_sysfs and fix linking. + +Signed-off-by: Konstantin Khlebnikov +Acked-by: Thomas Renninger +Cc: +Signed-off-by: Shuah Khan (Samsung OSG) +Signed-off-by: Greg Kroah-Hartman + +--- + tools/power/cpupower/bench/Makefile | 2 +- + tools/power/cpupower/lib/cpufreq.c | 2 +- + tools/power/cpupower/lib/cpuidle.c | 2 +- + tools/power/cpupower/lib/cpupower.c | 4 ++-- + tools/power/cpupower/lib/cpupower_intern.h | 2 +- + 5 files changed, 6 insertions(+), 6 deletions(-) + +--- a/tools/power/cpupower/bench/Makefile ++++ b/tools/power/cpupower/bench/Makefile +@@ -9,7 +9,7 @@ endif + ifeq ($(strip $(STATIC)),true) + LIBS = -L../ -L$(OUTPUT) -lm + OBJS = $(OUTPUT)main.o $(OUTPUT)parse.o $(OUTPUT)system.o $(OUTPUT)benchmark.o \ +- $(OUTPUT)../lib/cpufreq.o $(OUTPUT)../lib/sysfs.o ++ $(OUTPUT)../lib/cpufreq.o $(OUTPUT)../lib/cpupower.o + else + LIBS = -L../ -L$(OUTPUT) -lm -lcpupower + OBJS = $(OUTPUT)main.o $(OUTPUT)parse.o $(OUTPUT)system.o $(OUTPUT)benchmark.o +--- a/tools/power/cpupower/lib/cpufreq.c ++++ b/tools/power/cpupower/lib/cpufreq.c +@@ -28,7 +28,7 @@ static unsigned int sysfs_cpufreq_read_f + + snprintf(path, sizeof(path), PATH_TO_CPU "cpu%u/cpufreq/%s", + cpu, fname); +- return sysfs_read_file(path, buf, buflen); ++ return cpupower_read_sysfs(path, buf, buflen); + } + + /* helper function to write a new value to a /sys file */ +--- a/tools/power/cpupower/lib/cpuidle.c ++++ b/tools/power/cpupower/lib/cpuidle.c +@@ -319,7 +319,7 @@ static unsigned int sysfs_cpuidle_read_f + + snprintf(path, sizeof(path), PATH_TO_CPU "cpuidle/%s", fname); + +- return sysfs_read_file(path, buf, buflen); ++ return cpupower_read_sysfs(path, buf, buflen); + } + + +--- a/tools/power/cpupower/lib/cpupower.c ++++ b/tools/power/cpupower/lib/cpupower.c +@@ -15,7 +15,7 @@ + #include "cpupower.h" + #include "cpupower_intern.h" + +-unsigned int sysfs_read_file(const char *path, char *buf, size_t buflen) ++unsigned int cpupower_read_sysfs(const char *path, char *buf, size_t buflen) + { + int fd; + ssize_t numread; +@@ -95,7 +95,7 @@ static int sysfs_topology_read_file(unsi + + snprintf(path, sizeof(path), PATH_TO_CPU "cpu%u/topology/%s", + cpu, fname); +- if (sysfs_read_file(path, linebuf, MAX_LINE_LEN) == 0) ++ if (cpupower_read_sysfs(path, linebuf, MAX_LINE_LEN) == 0) + return -1; + *result = strtol(linebuf, &endp, 0); + if (endp == linebuf || errno == ERANGE) +--- a/tools/power/cpupower/lib/cpupower_intern.h ++++ b/tools/power/cpupower/lib/cpupower_intern.h +@@ -3,4 +3,4 @@ + #define MAX_LINE_LEN 4096 + #define SYSFS_PATH_MAX 255 + +-unsigned int sysfs_read_file(const char *path, char *buf, size_t buflen); ++unsigned int cpupower_read_sysfs(const char *path, char *buf, size_t buflen); diff --git a/queue-4.14/usb-core-fix-hub-port-connection-events-lost.patch b/queue-4.14/usb-core-fix-hub-port-connection-events-lost.patch new file mode 100644 index 00000000000..773f778ad62 --- /dev/null +++ b/queue-4.14/usb-core-fix-hub-port-connection-events-lost.patch @@ -0,0 +1,46 @@ +From 22454b79e6de05fa61a2a72d00d2eed798abbb75 Mon Sep 17 00:00:00 2001 +From: Dennis Wassenberg +Date: Tue, 13 Nov 2018 14:40:34 +0100 +Subject: usb: core: Fix hub port connection events lost + +From: Dennis Wassenberg + +commit 22454b79e6de05fa61a2a72d00d2eed798abbb75 upstream. + +This will clear the USB_PORT_FEAT_C_CONNECTION bit in case of a hub port reset +only if a device is was attached to the hub port before resetting the hub port. + +Using a Lenovo T480s attached to the ultra dock it was not possible to detect +some usb-c devices at the dock usb-c ports because the hub_port_reset code +will clear the USB_PORT_FEAT_C_CONNECTION bit after the actual hub port reset. +Using this device combo the USB_PORT_FEAT_C_CONNECTION bit was set between the +actual hub port reset and the clear of the USB_PORT_FEAT_C_CONNECTION bit. +This ends up with clearing the USB_PORT_FEAT_C_CONNECTION bit after the +new device was attached such that it was not detected. + +This patch will not clear the USB_PORT_FEAT_C_CONNECTION bit if there is +currently no device attached to the port before the hub port reset. +This will avoid clearing the connection bit for new attached devices. + +Signed-off-by: Dennis Wassenberg +Acked-by: Mathias Nyman +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hub.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -2815,7 +2815,9 @@ static int hub_port_reset(struct usb_hub + USB_PORT_FEAT_C_BH_PORT_RESET); + usb_clear_port_feature(hub->hdev, port1, + USB_PORT_FEAT_C_PORT_LINK_STATE); +- usb_clear_port_feature(hub->hdev, port1, ++ ++ if (udev) ++ usb_clear_port_feature(hub->hdev, port1, + USB_PORT_FEAT_C_CONNECTION); + + /* diff --git a/queue-4.14/usb-dwc3-core-clean-up-ulpi-device.patch b/queue-4.14/usb-dwc3-core-clean-up-ulpi-device.patch new file mode 100644 index 00000000000..56c301e3580 --- /dev/null +++ b/queue-4.14/usb-dwc3-core-clean-up-ulpi-device.patch @@ -0,0 +1,35 @@ +From 08fd9a82fda86529bb2f2af3c2f7cb657b4d3066 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Mon, 27 Aug 2018 18:30:16 +0300 +Subject: usb: dwc3: core: Clean up ULPI device + +From: Andy Shevchenko + +commit 08fd9a82fda86529bb2f2af3c2f7cb657b4d3066 upstream. + +If dwc3_core_init_mode() fails with deferred probe, +next probe fails on sysfs with + +sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:11.0/dwc3.0.auto/dwc3.0.auto.ulpi' + +To avoid this failure, clean up ULPI device. + +Cc: +Signed-off-by: Andy Shevchenko +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1276,6 +1276,7 @@ static int dwc3_probe(struct platform_de + + err5: + dwc3_event_buffers_cleanup(dwc); ++ dwc3_ulpi_exit(dwc); + + err4: + dwc3_free_scratch_buffers(dwc); diff --git a/queue-4.14/usb-dwc3-gadget-fix-isoc-trb-type-on-unaligned-transfers.patch b/queue-4.14/usb-dwc3-gadget-fix-isoc-trb-type-on-unaligned-transfers.patch new file mode 100644 index 00000000000..50f181c06d1 --- /dev/null +++ b/queue-4.14/usb-dwc3-gadget-fix-isoc-trb-type-on-unaligned-transfers.patch @@ -0,0 +1,51 @@ +From 2fc6d4be35fb1e262f209758e25bfe2b7a113a7f Mon Sep 17 00:00:00 2001 +From: Felipe Balbi +Date: Wed, 1 Aug 2018 09:37:34 +0300 +Subject: usb: dwc3: gadget: fix ISOC TRB type on unaligned transfers + +From: Felipe Balbi + +commit 2fc6d4be35fb1e262f209758e25bfe2b7a113a7f upstream. + +When chaining ISOC TRBs together, only the first ISOC TRB should be of +type ISOC_FIRST, all others should be of type ISOC. This patch fixes +that. + +Fixes: c6267a51639b ("usb: dwc3: gadget: align transfers to wMaxPacketSize") +Cc: # v4.11+ +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/gadget.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1088,7 +1088,7 @@ static void dwc3_prepare_one_trb_sg(stru + /* Now prepare one extra TRB to align transfer size */ + trb = &dep->trb_pool[dep->trb_enqueue]; + __dwc3_prepare_one_trb(dep, trb, dwc->bounce_addr, +- maxp - rem, false, 0, ++ maxp - rem, false, 1, + req->request.stream_id, + req->request.short_not_ok, + req->request.no_interrupt); +@@ -1120,7 +1120,7 @@ static void dwc3_prepare_one_trb_linear( + /* Now prepare one extra TRB to align transfer size */ + trb = &dep->trb_pool[dep->trb_enqueue]; + __dwc3_prepare_one_trb(dep, trb, dwc->bounce_addr, maxp - rem, +- false, 0, req->request.stream_id, ++ false, 1, req->request.stream_id, + req->request.short_not_ok, + req->request.no_interrupt); + } else if (req->request.zero && req->request.length && +@@ -1136,7 +1136,7 @@ static void dwc3_prepare_one_trb_linear( + /* Now prepare one extra TRB to handle ZLP */ + trb = &dep->trb_pool[dep->trb_enqueue]; + __dwc3_prepare_one_trb(dep, trb, dwc->bounce_addr, 0, +- false, 0, req->request.stream_id, ++ false, 1, req->request.stream_id, + req->request.short_not_ok, + req->request.no_interrupt); + } else { diff --git a/queue-4.14/usb-dwc3-gadget-properly-check-last-unaligned-zero-chain-trb.patch b/queue-4.14/usb-dwc3-gadget-properly-check-last-unaligned-zero-chain-trb.patch new file mode 100644 index 00000000000..e039f884d81 --- /dev/null +++ b/queue-4.14/usb-dwc3-gadget-properly-check-last-unaligned-zero-chain-trb.patch @@ -0,0 +1,40 @@ +From ba3a51ac32ebcf8d0a54b37f1af268ad8a31c52f Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Thu, 2 Aug 2018 20:17:16 -0700 +Subject: usb: dwc3: gadget: Properly check last unaligned/zero chain TRB + +From: Thinh Nguyen + +commit ba3a51ac32ebcf8d0a54b37f1af268ad8a31c52f upstream. + +Current check for the last extra TRB for zero and unaligned transfers +does not account for isoc OUT. The last TRB of the Buffer Descriptor for +isoc OUT transfers will be retired with HWO=0. As a result, we won't +return early. The req->remaining will be updated to include the BUFSIZ +count of the extra TRB, and the actual number of transferred bytes +calculation will be wrong. + +To fix this, check whether it's a short or zero packet and the last TRB +chain bit to return early. + +Fixes: c6267a51639b ("usb: dwc3: gadget: align transfers to wMaxPacketSize") +Cc: +Signed-off-by: Thinh Nguyen +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/gadget.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2249,7 +2249,7 @@ static int __dwc3_cleanup_done_trbs(stru + * with one TRB pending in the ring. We need to manually clear HWO bit + * from that TRB. + */ +- if ((req->zero || req->unaligned) && (trb->ctrl & DWC3_TRB_CTRL_HWO)) { ++ if ((req->zero || req->unaligned) && !(trb->ctrl & DWC3_TRB_CTRL_CHN)) { + trb->ctrl &= ~DWC3_TRB_CTRL_HWO; + return 1; + } diff --git a/queue-4.14/usb-xhci-fix-timeout-for-transition-from-rexit-to-u0.patch b/queue-4.14/usb-xhci-fix-timeout-for-transition-from-rexit-to-u0.patch new file mode 100644 index 00000000000..cfd35455f29 --- /dev/null +++ b/queue-4.14/usb-xhci-fix-timeout-for-transition-from-rexit-to-u0.patch @@ -0,0 +1,56 @@ +From a5baeaeabcca3244782a9b6382ebab6f8a58f583 Mon Sep 17 00:00:00 2001 +From: Aaron Ma +Date: Fri, 9 Nov 2018 17:21:21 +0200 +Subject: usb: xhci: fix timeout for transition from RExit to U0 + +From: Aaron Ma + +commit a5baeaeabcca3244782a9b6382ebab6f8a58f583 upstream. + +This definition is used by msecs_to_jiffies in milliseconds. +According to the comments, max rexit timeout should be 20ms. +Align with the comments to properly calculate the delay. + +Verified on Sunrise Point-LP and Cannon Lake. + +Cc: stable@vger.kernel.org +Signed-off-by: Aaron Ma +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-hub.c | 4 ++-- + drivers/usb/host/xhci.h | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -941,7 +941,7 @@ static u32 xhci_get_port_status(struct u + time_left = wait_for_completion_timeout( + &bus_state->rexit_done[wIndex], + msecs_to_jiffies( +- XHCI_MAX_REXIT_TIMEOUT)); ++ XHCI_MAX_REXIT_TIMEOUT_MS)); + spin_lock_irqsave(&xhci->lock, flags); + + if (time_left) { +@@ -955,7 +955,7 @@ static u32 xhci_get_port_status(struct u + } else { + int port_status = readl(port_array[wIndex]); + xhci_warn(xhci, "Port resume took longer than %i msec, port status = 0x%x\n", +- XHCI_MAX_REXIT_TIMEOUT, ++ XHCI_MAX_REXIT_TIMEOUT_MS, + port_status); + status |= USB_PORT_STAT_SUSPEND; + clear_bit(wIndex, &bus_state->rexit_ports); +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -1684,7 +1684,7 @@ struct xhci_bus_state { + * It can take up to 20 ms to transition from RExit to U0 on the + * Intel Lynx Point LP xHCI host. + */ +-#define XHCI_MAX_REXIT_TIMEOUT (20 * 1000) ++#define XHCI_MAX_REXIT_TIMEOUT_MS 20 + + static inline unsigned int hcd_index(struct usb_hcd *hcd) + { diff --git a/queue-4.14/v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch b/queue-4.14/v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch new file mode 100644 index 00000000000..8dc371cfd40 --- /dev/null +++ b/queue-4.14/v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch @@ -0,0 +1,56 @@ +From 81c99089bce693b94b775b6eb888115d2d540086 Mon Sep 17 00:00:00 2001 +From: Dominique Martinet +Date: Mon, 27 Aug 2018 15:12:05 +0900 +Subject: v9fs_dir_readdir: fix double-free on p9stat_read error + +From: Dominique Martinet + +commit 81c99089bce693b94b775b6eb888115d2d540086 upstream. + +p9stat_read will call p9stat_free on error, we should only free the +struct content on success. + +There also is no need to "p9stat_init" st as the read function will +zero the whole struct for us anyway, so clean up the code a bit while +we are here. + +Link: http://lkml.kernel.org/r/1535410108-20650-1-git-send-email-asmadeus@codewreck.org +Signed-off-by: Dominique Martinet +Reported-by: syzbot+d4252148d198410b864f@syzkaller.appspotmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + fs/9p/vfs_dir.c | 11 ----------- + 1 file changed, 11 deletions(-) + +--- a/fs/9p/vfs_dir.c ++++ b/fs/9p/vfs_dir.c +@@ -76,15 +76,6 @@ static inline int dt_type(struct p9_wsta + return rettype; + } + +-static void p9stat_init(struct p9_wstat *stbuf) +-{ +- stbuf->name = NULL; +- stbuf->uid = NULL; +- stbuf->gid = NULL; +- stbuf->muid = NULL; +- stbuf->extension = NULL; +-} +- + /** + * v9fs_alloc_rdir_buf - Allocate buffer used for read and readdir + * @filp: opened file structure +@@ -145,12 +136,10 @@ static int v9fs_dir_readdir(struct file + rdir->tail = n; + } + while (rdir->head < rdir->tail) { +- p9stat_init(&st); + err = p9stat_read(fid->clnt, rdir->buf + rdir->head, + rdir->tail - rdir->head, &st); + if (err) { + p9_debug(P9_DEBUG_VFS, "returned %d\n", err); +- p9stat_free(&st); + return -EIO; + } + reclen = st.size+2; diff --git a/queue-4.14/xhci-add-check-for-invalid-byte-size-error-when-uas-devices-are-connected.patch b/queue-4.14/xhci-add-check-for-invalid-byte-size-error-when-uas-devices-are-connected.patch new file mode 100644 index 00000000000..e5c0f2128e8 --- /dev/null +++ b/queue-4.14/xhci-add-check-for-invalid-byte-size-error-when-uas-devices-are-connected.patch @@ -0,0 +1,41 @@ +From d9193efba84fe4c4aa22a569fade5e6ca971f8af Mon Sep 17 00:00:00 2001 +From: Sandeep Singh +Date: Fri, 9 Nov 2018 17:21:19 +0200 +Subject: xhci: Add check for invalid byte size error when UAS devices are connected. + +From: Sandeep Singh + +commit d9193efba84fe4c4aa22a569fade5e6ca971f8af upstream. + +Observed "TRB completion code (27)" error which corresponds to Stopped - +Length Invalid error(xhci spec section 4.17.4) while connecting USB to +SATA bridge. + +Looks like this case was not considered when the following patch[1] was +committed. Hence adding this new check which can prevent +the invalid byte size error. + +[1] ade2e3a xhci: handle transfer events without TRB pointer + +Cc: +Signed-off-by: Sandeep Singh +cc: Nehal Shah +cc: Shyam Sundar S K +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-ring.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -2335,6 +2335,7 @@ static int handle_tx_event(struct xhci_h + goto cleanup; + case COMP_RING_UNDERRUN: + case COMP_RING_OVERRUN: ++ case COMP_STOPPED_LENGTH_INVALID: + goto cleanup; + default: + xhci_err(xhci, "ERROR Transfer event for unknown stream ring slot %u ep %u\n",