From: Sasha Levin
Date: Tue, 19 Mar 2019 22:13:50 +0000 (-0400)
Subject: patches for 4.14
X-Git-Tag: v3.18.137~84
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ecf3b270b336d39a23cda4fa5539597a5720e663;p=thirdparty%2Fkernel%2Fstable-queue.git

patches for 4.14

Signed-off-by: Sasha Levin
---
diff --git a/queue-4.14/af_key-unconditionally-clone-on-broadcast.patch b/queue-4.14/af_key-unconditionally-clone-on-broadcast.patch
new file mode 100644
index 00000000000..4a454d55629
--- /dev/null
+++ b/queue-4.14/af_key-unconditionally-clone-on-broadcast.patch
@@ -0,0 +1,130 @@ +From f1fa557a115c6c83445bd989b260e6e929dc5035 Mon Sep 17 00:00:00 2001 +From: Sean Tranchetti +Date: Thu, 7 Feb 2019 13:33:21 -0700 +Subject: af_key: unconditionally clone on broadcast + +[ Upstream commit fc2d5cfdcfe2ab76b263d91429caa22451123085 ] + +Attempting to avoid cloning the skb when broadcasting by inflating +the refcount with sock_hold/sock_put while under RCU lock is dangerous +and violates RCU principles. It leads to subtle race conditions when +attempting to free the SKB, as we may reference sockets that have +already been freed by the stack. + +Unable to handle kernel paging request at virtual address 6b6b6b6b6b6c4b +[006b6b6b6b6b6c4b] address between user and kernel address ranges +Internal error: Oops: 96000004 [#1] PREEMPT SMP +task: fffffff78f65b380 task.stack: ffffff8049a88000 +pc : sock_rfree+0x38/0x6c +lr : skb_release_head_state+0x6c/0xcc +Process repro (pid: 7117, stack limit = 0xffffff8049a88000) +Call trace: + sock_rfree+0x38/0x6c + skb_release_head_state+0x6c/0xcc + skb_release_all+0x1c/0x38 + __kfree_skb+0x1c/0x30 + kfree_skb+0xd0/0xf4 + pfkey_broadcast+0x14c/0x18c + pfkey_sendmsg+0x1d8/0x408 + sock_sendmsg+0x44/0x60 + ___sys_sendmsg+0x1d0/0x2a8 + __sys_sendmsg+0x64/0xb4 + SyS_sendmsg+0x34/0x4c + el0_svc_naked+0x34/0x38 +Kernel panic - not syncing: Fatal exception + +Suggested-by: Eric Dumazet +Signed-off-by: Sean Tranchetti +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 40 +++++++++++++++------------------------- + 1 file changed, 15 insertions(+), 25 deletions(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index 3b209cbfe1df..b095551a5773 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -196,30 +196,22 @@ static int pfkey_release(struct socket *sock) + return 0; + } + +-static int pfkey_broadcast_one(struct sk_buff *skb, struct sk_buff **skb2, +- gfp_t allocation, struct sock *sk) ++static int pfkey_broadcast_one(struct sk_buff *skb, gfp_t allocation, ++ 
struct sock *sk) + { + int err = -ENOBUFS; + +- sock_hold(sk); +- if (*skb2 == NULL) { +- if (refcount_read(&skb->users) != 1) { +- *skb2 = skb_clone(skb, allocation); +- } else { +- *skb2 = skb; +- refcount_inc(&skb->users); +- } +- } +- if (*skb2 != NULL) { +- if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf) { +- skb_set_owner_r(*skb2, sk); +- skb_queue_tail(&sk->sk_receive_queue, *skb2); +- sk->sk_data_ready(sk); +- *skb2 = NULL; +- err = 0; +- } ++ if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) ++ return err; ++ ++ skb = skb_clone(skb, allocation); ++ ++ if (skb) { ++ skb_set_owner_r(skb, sk); ++ skb_queue_tail(&sk->sk_receive_queue, skb); ++ sk->sk_data_ready(sk); ++ err = 0; + } +- sock_put(sk); + return err; + } + +@@ -234,7 +226,6 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation, + { + struct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id); + struct sock *sk; +- struct sk_buff *skb2 = NULL; + int err = -ESRCH; + + /* XXX Do we need something like netlink_overrun? I think +@@ -253,7 +244,7 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation, + * socket. + */ + if (pfk->promisc) +- pfkey_broadcast_one(skb, &skb2, GFP_ATOMIC, sk); ++ pfkey_broadcast_one(skb, GFP_ATOMIC, sk); + + /* the exact target will be processed later */ + if (sk == one_sk) +@@ -268,7 +259,7 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation, + continue; + } + +- err2 = pfkey_broadcast_one(skb, &skb2, GFP_ATOMIC, sk); ++ err2 = pfkey_broadcast_one(skb, GFP_ATOMIC, sk); + + /* Error is cleared after successful sending to at least one + * registered KM */ +@@ -278,9 +269,8 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation, + rcu_read_unlock(); + + if (one_sk != NULL) +- err = pfkey_broadcast_one(skb, &skb2, allocation, one_sk); ++ err = pfkey_broadcast_one(skb, allocation, one_sk); + +- kfree_skb(skb2); + kfree_skb(skb); + return err; + } +-- +2.19.1 + 
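Review bot: In the rewritten `pfkey_broadcast_one()` the parameter `skb` is overwritten with the result of `skb_clone()`, so from that line on the name means the receiver's private copy and no longer the caller's buffer; a separate local would keep the ownership split visible, e.g. `struct sk_buff *clone = skb_clone(skb, allocation);` followed by `if (clone) {`. The function also has no comment recording the invariant this use-after-free fix depends on; I would add `/* Always queue a private clone: the caller keeps and frees the original skb, so no socket has to be pinned under rcu_read_lock(). */`. A full receive buffer and a failed clone both return `-ENOBUFS`, which the caller cannot tell apart, and that is worth one line in the same comment. `pfkey_broadcast()` is only partly visible in the later hunks.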
diff --git a/queue-4.14/arc-uacces-remove-lp_start-lp_end-from-clobber-list.patch b/queue-4.14/arc-uacces-remove-lp_start-lp_end-from-clobber-list.patch
new file mode 100644
index 00000000000..cab8f5152b6
--- /dev/null
+++ b/queue-4.14/arc-uacces-remove-lp_start-lp_end-from-clobber-list.patch
@@ -0,0 +1,59 @@ +From d0b873a2289b932e0817d4d5b45ab5f81a5e526a Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Tue, 5 Feb 2019 10:07:07 -0800 +Subject: ARC: uacces: remove lp_start, lp_end from clobber list + +[ Upstream commit d5e3c55e01d8b1774b37b4647c30fb22f1d39077 ] + +Newer ARC gcc handles lp_start, lp_end in a different way and doesn't +like them in the clobber list. + +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/include/asm/uaccess.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arc/include/asm/uaccess.h b/arch/arc/include/asm/uaccess.h +index c9173c02081c..eabc3efa6c6d 100644 +--- a/arch/arc/include/asm/uaccess.h ++++ b/arch/arc/include/asm/uaccess.h +@@ -207,7 +207,7 @@ raw_copy_from_user(void *to, const void __user *from, unsigned long n) + */ + "=&r" (tmp), "+r" (to), "+r" (from) + : +- : "lp_count", "lp_start", "lp_end", "memory"); ++ : "lp_count", "memory"); + + return n; + } +@@ -433,7 +433,7 @@ raw_copy_to_user(void __user *to, const void *from, unsigned long n) + */ + "=&r" (tmp), "+r" (to), "+r" (from) + : +- : "lp_count", "lp_start", "lp_end", "memory"); ++ : "lp_count", "memory"); + + return n; + } +@@ -653,7 +653,7 @@ static inline unsigned long __arc_clear_user(void __user *to, unsigned long n) + " .previous \n" + : "+r"(d_char), "+r"(res) + : "i"(0) +- : "lp_count", "lp_start", "lp_end", "memory"); ++ : "lp_count", "memory"); + + return res; + } +@@ -686,7 +686,7 @@ __arc_strncpy_from_user(char *dst, const char __user *src, long count) + " .previous \n" + : "+r"(res), "+r"(dst), "+r"(src), "=r"(val) + : "g"(-EFAULT), "r"(count) +- : "lp_count", "lp_start", "lp_end", "memory"); ++ : "lp_count", "memory"); + + return res; + } +-- +2.19.1 + diff --git a/queue-4.14/arcv2-lib-memcpy-fix-doing-prefetchw-outside-of-buff.patch b/queue-4.14/arcv2-lib-memcpy-fix-doing-prefetchw-outside-of-buff.patch new file mode 100644 index 00000000000..6df0f527567 --- /dev/null 
+++ b/queue-4.14/arcv2-lib-memcpy-fix-doing-prefetchw-outside-of-buff.patch 
@@ -0,0 +1,102 @@ +From 6028479b6bb3b8b9595431d9630cd0dd9abfc68f Mon Sep 17 00:00:00 2001 +From: Eugeniy Paltsev +Date: Wed, 30 Jan 2019 19:32:40 +0300 +Subject: ARCv2: lib: memcpy: fix doing prefetchw outside of buffer + +[ Upstream commit f8a15f97664178f27dfbf86a38f780a532cb6df0 ] + +ARCv2 optimized memcpy uses PREFETCHW instruction for prefetching the +next cache line but doesn't ensure that the line is not past the end of +the buffer. PRETECHW changes the line ownership and marks it dirty, +which can cause data corruption if this area is used for DMA IO. + +Fix the issue by avoiding the PREFETCHW. This leads to performance +degradation but it is OK as we'll introduce new memcpy implementation +optimized for unaligned memory access using. + +We also cut off all PREFETCH instructions at they are quite useless +here: + * we call PREFETCH right before LOAD instruction call. + * we copy 16 or 32 bytes of data (depending on CONFIG_ARC_HAS_LL64) + in a main logical loop. so we call PREFETCH 4 times (or 2 times) + for each L1 cache line (in case of 64B L1 cache Line which is + default case). Obviously this is not optimal. 
+ +Signed-off-by: Eugeniy Paltsev +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/lib/memcpy-archs.S | 14 -------------- + 1 file changed, 14 deletions(-) + +diff --git a/arch/arc/lib/memcpy-archs.S b/arch/arc/lib/memcpy-archs.S +index d61044dd8b58..ea14b0bf3116 100644 +--- a/arch/arc/lib/memcpy-archs.S ++++ b/arch/arc/lib/memcpy-archs.S +@@ -25,15 +25,11 @@ + #endif + + #ifdef CONFIG_ARC_HAS_LL64 +-# define PREFETCH_READ(RX) prefetch [RX, 56] +-# define PREFETCH_WRITE(RX) prefetchw [RX, 64] + # define LOADX(DST,RX) ldd.ab DST, [RX, 8] + # define STOREX(SRC,RX) std.ab SRC, [RX, 8] + # define ZOLSHFT 5 + # define ZOLAND 0x1F + #else +-# define PREFETCH_READ(RX) prefetch [RX, 28] +-# define PREFETCH_WRITE(RX) prefetchw [RX, 32] + # define LOADX(DST,RX) ld.ab DST, [RX, 4] + # define STOREX(SRC,RX) st.ab SRC, [RX, 4] + # define ZOLSHFT 4 +@@ -41,8 +37,6 @@ + #endif + + ENTRY_CFI(memcpy) +- prefetch [r1] ; Prefetch the read location +- prefetchw [r0] ; Prefetch the write location + mov.f 0, r2 + ;;; if size is zero + jz.d [blink] +@@ -72,8 +66,6 @@ ENTRY_CFI(memcpy) + lpnz @.Lcopy32_64bytes + ;; LOOP START + LOADX (r6, r1) +- PREFETCH_READ (r1) +- PREFETCH_WRITE (r3) + LOADX (r8, r1) + LOADX (r10, r1) + LOADX (r4, r1) +@@ -117,9 +109,7 @@ ENTRY_CFI(memcpy) + lpnz @.Lcopy8bytes_1 + ;; LOOP START + ld.ab r6, [r1, 4] +- prefetch [r1, 28] ;Prefetch the next read location + ld.ab r8, [r1,4] +- prefetchw [r3, 32] ;Prefetch the next write location + + SHIFT_1 (r7, r6, 24) + or r7, r7, r5 +@@ -162,9 +152,7 @@ ENTRY_CFI(memcpy) + lpnz @.Lcopy8bytes_2 + ;; LOOP START + ld.ab r6, [r1, 4] +- prefetch [r1, 28] ;Prefetch the next read location + ld.ab r8, [r1,4] +- prefetchw [r3, 32] ;Prefetch the next write location + + SHIFT_1 (r7, r6, 16) + or r7, r7, r5 +@@ -204,9 +192,7 @@ ENTRY_CFI(memcpy) + lpnz @.Lcopy8bytes_3 + ;; LOOP START + ld.ab r6, [r1, 4] +- prefetch [r1, 28] ;Prefetch the next read location + ld.ab r8, [r1,4] +- prefetchw [r3, 32] ;Prefetch 
the next write location + + SHIFT_1 (r7, r6, 8) + or r7, r7, r5 +-- +2.19.1 + diff --git a/queue-4.14/arcv2-support-manual-regfile-save-on-interrupts.patch b/queue-4.14/arcv2-support-manual-regfile-save-on-interrupts.patch new file mode 100644 index 00000000000..c845278d7fa --- /dev/null +++ b/queue-4.14/arcv2-support-manual-regfile-save-on-interrupts.patch 
@@ -0,0 +1,159 @@ +From 867316d6f58e8730c52bd32477c0de8089ba65f4 Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Wed, 6 Jun 2018 10:20:37 -0700 +Subject: ARCv2: support manual regfile save on interrupts + +[ Upstream commit e494239a007e601448110ac304fe055951f9de3b ] + +There's a hardware bug which affects the HSDK platform, triggered by +micro-ops for auto-saving regfile on taken interrupt. The workaround is +to inhibit autosave. + +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/Kconfig | 8 +++++ + arch/arc/include/asm/entry-arcv2.h | 54 ++++++++++++++++++++++++++++++ + arch/arc/kernel/entry-arcv2.S | 4 ++- + arch/arc/kernel/intc-arcv2.c | 2 ++ + arch/arc/plat-hsdk/Kconfig | 1 + + 5 files changed, 68 insertions(+), 1 deletion(-) + +diff --git a/arch/arc/Kconfig b/arch/arc/Kconfig +index 9d06c9478a0d..82050893d0b3 100644 +--- a/arch/arc/Kconfig ++++ b/arch/arc/Kconfig +@@ -417,6 +417,14 @@ config ARC_HAS_ACCL_REGS + (also referred to as r58:r59). These can also be used by gcc as GPR so + kernel needs to save/restore per process + ++config ARC_IRQ_NO_AUTOSAVE ++ bool "Disable hardware autosave regfile on interrupts" ++ default n ++ help ++ On HS cores, taken interrupt auto saves the regfile on stack. 
++ This is programmable and can be optionally disabled in which case ++ software INTERRUPT_PROLOGUE/EPILGUE do the needed work ++ + endif # ISA_ARCV2 + + endmenu # "ARC CPU Configuration" +diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h +index 257a68f3c2fe..9f581553dcc3 100644 +--- a/arch/arc/include/asm/entry-arcv2.h ++++ b/arch/arc/include/asm/entry-arcv2.h +@@ -17,6 +17,33 @@ + ; + ; Now manually save: r12, sp, fp, gp, r25 + ++#ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE ++.ifnc \called_from, exception ++ st.as r9, [sp, -10] ; save r9 in it's final stack slot ++ sub sp, sp, 12 ; skip JLI, LDI, EI ++ ++ PUSH lp_count ++ PUSHAX lp_start ++ PUSHAX lp_end ++ PUSH blink ++ ++ PUSH r11 ++ PUSH r10 ++ ++ sub sp, sp, 4 ; skip r9 ++ ++ PUSH r8 ++ PUSH r7 ++ PUSH r6 ++ PUSH r5 ++ PUSH r4 ++ PUSH r3 ++ PUSH r2 ++ PUSH r1 ++ PUSH r0 ++.endif ++#endif ++ + #ifdef CONFIG_ARC_HAS_ACCL_REGS + PUSH r59 + PUSH r58 +@@ -86,6 +113,33 @@ + POP r59 + #endif + ++#ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE ++.ifnc \called_from, exception ++ POP r0 ++ POP r1 ++ POP r2 ++ POP r3 ++ POP r4 ++ POP r5 ++ POP r6 ++ POP r7 ++ POP r8 ++ POP r9 ++ POP r10 ++ POP r11 ++ ++ POP blink ++ POPAX lp_end ++ POPAX lp_start ++ ++ POP r9 ++ mov lp_count, r9 ++ ++ add sp, sp, 12 ; skip JLI, LDI, EI ++ ld.as r9, [sp, -10] ; reload r9 which got clobbered ++.endif ++#endif ++ + .endm + + /*------------------------------------------------------------------------*/ +diff --git a/arch/arc/kernel/entry-arcv2.S b/arch/arc/kernel/entry-arcv2.S +index cc558a25b8fa..562089d62d9d 100644 +--- a/arch/arc/kernel/entry-arcv2.S ++++ b/arch/arc/kernel/entry-arcv2.S +@@ -209,7 +209,9 @@ restore_regs: + ;####### Return from Intr ####### + + debug_marker_l1: +- bbit1.nt r0, STATUS_DE_BIT, .Lintr_ret_to_delay_slot ++ ; bbit1.nt r0, STATUS_DE_BIT, .Lintr_ret_to_delay_slot ++ btst r0, STATUS_DE_BIT ; Z flag set if bit clear ++ bnz .Lintr_ret_to_delay_slot ; branch if STATUS_DE_BIT set + + .Lisr_ret_fast_path: + ; 
Handle special case #1: (Entry via Exception, Return via IRQ) +diff --git a/arch/arc/kernel/intc-arcv2.c b/arch/arc/kernel/intc-arcv2.c +index 067ea362fb3e..cf18b3e5a934 100644 +--- a/arch/arc/kernel/intc-arcv2.c ++++ b/arch/arc/kernel/intc-arcv2.c +@@ -49,11 +49,13 @@ void arc_init_IRQ(void) + + *(unsigned int *)&ictrl = 0; + ++#ifndef CONFIG_ARC_IRQ_NO_AUTOSAVE + ictrl.save_nr_gpr_pairs = 6; /* r0 to r11 (r12 saved manually) */ + ictrl.save_blink = 1; + ictrl.save_lp_regs = 1; /* LP_COUNT, LP_START, LP_END */ + ictrl.save_u_to_u = 0; /* user ctxt saved on kernel stack */ + ictrl.save_idx_regs = 1; /* JLI, LDI, EI */ ++#endif + + WRITE_AUX(AUX_IRQ_CTRL, ictrl); + +diff --git a/arch/arc/plat-hsdk/Kconfig b/arch/arc/plat-hsdk/Kconfig +index fcc9a9e27e9c..8fb1600b29b7 100644 +--- a/arch/arc/plat-hsdk/Kconfig ++++ b/arch/arc/plat-hsdk/Kconfig +@@ -9,5 +9,6 @@ menuconfig ARC_SOC_HSDK + bool "ARC HS Development Kit SOC" + depends on ISA_ARCV2 + select ARC_HAS_ACCL_REGS ++ select ARC_IRQ_NO_AUTOSAVE + select CLK_HSDK + select RESET_HSDK +-- +2.19.1 + diff --git a/queue-4.14/arm-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch b/queue-4.14/arm-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch new file mode 100644 index 00000000000..2f0d47f5e4c --- /dev/null +++ b/queue-4.14/arm-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch 
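Review bot: In `debug_marker_l1` (entry-arcv2.S) the old `bbit1.nt r0, STATUS_DE_BIT, .Lintr_ret_to_delay_slot` is left behind as a commented-out instruction, and the `btst`/`bnz` pair replaces it for every ARCv2 build rather than only under `CONFIG_ARC_IRQ_NO_AUTOSAVE`; neither the code nor the commit message says why. The dead line should go and a why-comment should take its place. In the entry-arcv2.h epilogue, `ld.as r9, [sp, -10]` runs after `add sp, sp, 12` and therefore reads a slot below the stack pointer, which appears safe only while nothing can push onto that stack in between; a comment stating that assumption would help the next reader. The Kconfig help text spells the macro pair `INTERRUPT_PROLOGUE/EPILGUE`, presumably meaning `EPILOGUE`.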
@@ -0,0 +1,156 @@ +From 156ae4b25ce08b9c79e67c808142460d9cc62aff Mon Sep 17 00:00:00 2001 +From: Dietmar Eggemann +Date: Mon, 21 Jan 2019 14:42:42 +0100 +Subject: ARM: 8824/1: fix a migrating irq bug when hotplug cpu + +[ Upstream commit 1b5ba350784242eb1f899bcffd95d2c7cff61e84 ] + +Arm TC2 fails cpu hotplug stress test. + +This issue was tracked down to a missing copy of the new affinity +cpumask for the vexpress-spc interrupt into struct +irq_common_data.affinity when the interrupt is migrated in +migrate_one_irq(). + +Fix it by replacing the arm specific hotplug cpu migration with the +generic irq code. + +This is the counterpart implementation to commit 217d453d473c ("arm64: +fix a migrating irq bug when hotplug cpu"). + +Tested with cpu hotplug stress test on Arm TC2 (multi_v7_defconfig plus +CONFIG_ARM_BIG_LITTLE_CPUFREQ=y and CONFIG_ARM_VEXPRESS_SPC_CPUFREQ=y). +The vexpress-spc interrupt (irq=22) on this board is affine to CPU0. +Its affinity cpumask now changes correctly e.g. from 0 to 1-4 when +CPU0 is hotplugged out. + +Suggested-by: Marc Zyngier +Signed-off-by: Dietmar Eggemann +Acked-by: Marc Zyngier +Reviewed-by: Linus Walleij +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/Kconfig | 1 + + arch/arm/include/asm/irq.h | 1 - + arch/arm/kernel/irq.c | 62 -------------------------------------- + arch/arm/kernel/smp.c | 2 +- + 4 files changed, 2 insertions(+), 64 deletions(-) + +diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig +index d1346a160760..cf69aab648fb 100644 +--- a/arch/arm/Kconfig ++++ b/arch/arm/Kconfig +@@ -1447,6 +1447,7 @@ config NR_CPUS + config HOTPLUG_CPU + bool "Support for hot-pluggable CPUs" + depends on SMP ++ select GENERIC_IRQ_MIGRATION + help + Say Y here to experiment with turning CPUs off and on. CPUs + can be controlled through /sys/devices/system/cpu. 
+diff --git a/arch/arm/include/asm/irq.h b/arch/arm/include/asm/irq.h +index b6f319606e30..2de321e89b94 100644 +--- a/arch/arm/include/asm/irq.h ++++ b/arch/arm/include/asm/irq.h +@@ -25,7 +25,6 @@ + #ifndef __ASSEMBLY__ + struct irqaction; + struct pt_regs; +-extern void migrate_irqs(void); + + extern void asm_do_IRQ(unsigned int, struct pt_regs *); + void handle_IRQ(unsigned int, struct pt_regs *); +diff --git a/arch/arm/kernel/irq.c b/arch/arm/kernel/irq.c +index ece04a457486..5b07c7a31c31 100644 +--- a/arch/arm/kernel/irq.c ++++ b/arch/arm/kernel/irq.c +@@ -31,7 +31,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -119,64 +118,3 @@ int __init arch_probe_nr_irqs(void) + return nr_irqs; + } + #endif +- +-#ifdef CONFIG_HOTPLUG_CPU +-static bool migrate_one_irq(struct irq_desc *desc) +-{ +- struct irq_data *d = irq_desc_get_irq_data(desc); +- const struct cpumask *affinity = irq_data_get_affinity_mask(d); +- struct irq_chip *c; +- bool ret = false; +- +- /* +- * If this is a per-CPU interrupt, or the affinity does not +- * include this CPU, then we have nothing to do. +- */ +- if (irqd_is_per_cpu(d) || !cpumask_test_cpu(smp_processor_id(), affinity)) +- return false; +- +- if (cpumask_any_and(affinity, cpu_online_mask) >= nr_cpu_ids) { +- affinity = cpu_online_mask; +- ret = true; +- } +- +- c = irq_data_get_irq_chip(d); +- if (!c->irq_set_affinity) +- pr_debug("IRQ%u: unable to set affinity\n", d->irq); +- else if (c->irq_set_affinity(d, affinity, false) == IRQ_SET_MASK_OK && ret) +- cpumask_copy(irq_data_get_affinity_mask(d), affinity); +- +- return ret; +-} +- +-/* +- * The current CPU has been marked offline. Migrate IRQs off this CPU. +- * If the affinity settings do not allow other CPUs, force them onto any +- * available CPU. +- * +- * Note: we must iterate over all IRQs, whether they have an attached +- * action structure or not, as we need to get chained interrupts too. 
+- */ +-void migrate_irqs(void) +-{ +- unsigned int i; +- struct irq_desc *desc; +- unsigned long flags; +- +- local_irq_save(flags); +- +- for_each_irq_desc(i, desc) { +- bool affinity_broken; +- +- raw_spin_lock(&desc->lock); +- affinity_broken = migrate_one_irq(desc); +- raw_spin_unlock(&desc->lock); +- +- if (affinity_broken) +- pr_warn_ratelimited("IRQ%u no longer affine to CPU%u\n", +- i, smp_processor_id()); +- } +- +- local_irq_restore(flags); +-} +-#endif /* CONFIG_HOTPLUG_CPU */ +diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c +index f57333f46242..65f85737c6a2 100644 +--- a/arch/arm/kernel/smp.c ++++ b/arch/arm/kernel/smp.c +@@ -254,7 +254,7 @@ int __cpu_disable(void) + /* + * OK - migrate IRQs away from this CPU + */ +- migrate_irqs(); ++ irq_migrate_all_off_this_cpu(); + + /* + * Flush user cache and TLB mappings, and then remove this CPU +-- +2.19.1 + diff --git a/queue-4.14/arm-omap2-fix-lack-of-timer-interrupts-on-cpu1-after.patch b/queue-4.14/arm-omap2-fix-lack-of-timer-interrupts-on-cpu1-after.patch new file mode 100644 index 00000000000..0ac99e5db7c --- /dev/null +++ b/queue-4.14/arm-omap2-fix-lack-of-timer-interrupts-on-cpu1-after.patch 
@@ -0,0 +1,79 @@ +From b66f3f6e52429799449f8a7543acb322232f3c2f Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Wed, 12 Dec 2018 11:49:47 +0000 +Subject: ARM: OMAP2+: fix lack of timer interrupts on CPU1 after hotplug + +[ Upstream commit 50d6b3cf9403879911e06d69c7ef41e43f8f7b4b ] + +If we have a kernel configured for periodic timer interrupts, and we +have cpuidle enabled, then we end up with CPU1 losing timer interupts +after a hotplug. + +This can manifest itself in RCU stall warnings, or userspace becoming +unresponsive. + +The problem is that the kernel initially wants to use the TWD timer +for interrupts, but the TWD loses context when we enter the C3 cpuidle +state. Nothing reprograms the TWD after idle. + +We have solved this in the past by switching to broadcast timer ticks, +and cpuidle44xx switches to that mode at boot time. However, there is +nothing to switch from periodic mode local timers after a hotplug +operation. + +We call tick_broadcast_enter() in omap_enter_idle_coupled(), which one +would expect would take care of the issue, but internally this only +deals with one-shot local timers - tick_broadcast_enable() on the other +hand only deals with periodic local timers. So, we need to call both. 
+ +Signed-off-by: Russell King +[tony@atomide.com: just standardized the subject line] +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/cpuidle44xx.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +diff --git a/arch/arm/mach-omap2/cpuidle44xx.c b/arch/arm/mach-omap2/cpuidle44xx.c +index a8b291f00109..dae514c8276a 100644 +--- a/arch/arm/mach-omap2/cpuidle44xx.c ++++ b/arch/arm/mach-omap2/cpuidle44xx.c +@@ -152,6 +152,10 @@ static int omap_enter_idle_coupled(struct cpuidle_device *dev, + mpuss_can_lose_context = (cx->mpu_state == PWRDM_POWER_RET) && + (cx->mpu_logic_state == PWRDM_POWER_OFF); + ++ /* Enter broadcast mode for periodic timers */ ++ tick_broadcast_enable(); ++ ++ /* Enter broadcast mode for one-shot timers */ + tick_broadcast_enter(); + + /* +@@ -218,15 +222,6 @@ fail: + return index; + } + +-/* +- * For each cpu, setup the broadcast timer because local timers +- * stops for the states above C1. +- */ +-static void omap_setup_broadcast_timer(void *arg) +-{ +- tick_broadcast_enable(); +-} +- + static struct cpuidle_driver omap4_idle_driver = { + .name = "omap4_idle", + .owner = THIS_MODULE, +@@ -319,8 +314,5 @@ int __init omap4_idle_init(void) + if (!cpu_clkdm[0] || !cpu_clkdm[1]) + return -ENODEV; + +- /* Configure the broadcast timer on each cpu */ +- on_each_cpu(omap_setup_broadcast_timer, NULL, 1); +- + return cpuidle_register(idle_driver, cpu_online_mask); + } +-- +2.19.1 + diff --git a/queue-4.14/arm-omap2-variable-reg-in-function-omap4_dsi_mux_pad.patch b/queue-4.14/arm-omap2-variable-reg-in-function-omap4_dsi_mux_pad.patch new file mode 100644 index 00000000000..3f242abc049 --- /dev/null +++ b/queue-4.14/arm-omap2-variable-reg-in-function-omap4_dsi_mux_pad.patch 
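Review bot: `tick_broadcast_enable()` now runs on every call of `omap_enter_idle_coupled()`, where it used to run once per CPU from `omap4_idle_init()`, and the new comment `/* Enter broadcast mode for periodic timers */` does not say why it has to be repeated on each idle entry. The reason is only in the commit message, so I would expand the comment to something like `/* Repeated on every entry: a CPU that was hotplugged comes back with a periodic local timer and nothing else switches it to broadcast */`. Whether the repeated call is cheap enough for this path cannot be judged from the hunk. The body of `omap_enter_idle_coupled()` continues outside the hunk.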
@@ -0,0 +1,48 @@ +From 5f0c86d5d7b744561bc3fc73aca8cae7a827398a Mon Sep 17 00:00:00 2001 +From: Yizhuo +Date: Fri, 25 Jan 2019 22:32:20 -0800 +Subject: ARM: OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be + uninitialized + +[ Upstream commit dc30e70391376ba3987aeb856ae6d9c0706534f1 ] + +In function omap4_dsi_mux_pads(), local variable "reg" could +be uninitialized if function regmap_read() returns -EINVAL. +However, it will be used directly in the later context, which +is potentially unsafe. + +Signed-off-by: Yizhuo +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/display.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mach-omap2/display.c b/arch/arm/mach-omap2/display.c +index b3f6eb5d04a2..6e7440ef503a 100644 +--- a/arch/arm/mach-omap2/display.c ++++ b/arch/arm/mach-omap2/display.c +@@ -84,6 +84,7 @@ static int omap4_dsi_mux_pads(int dsi_id, unsigned lanes) + u32 enable_mask, enable_shift; + u32 pipd_mask, pipd_shift; + u32 reg; ++ int ret; + + if (dsi_id == 0) { + enable_mask = OMAP4_DSI1_LANEENABLE_MASK; +@@ -99,7 +100,11 @@ static int omap4_dsi_mux_pads(int dsi_id, unsigned lanes) + return -ENODEV; + } + +- regmap_read(omap4_dsi_mux_syscon, OMAP4_DSIPHY_SYSCON_OFFSET, ®); ++ ret = regmap_read(omap4_dsi_mux_syscon, ++ OMAP4_DSIPHY_SYSCON_OFFSET, ++ ®); ++ if (ret) ++ return ret; + + reg &= ~enable_mask; + reg &= ~pipd_mask; +-- +2.19.1 + diff --git a/queue-4.14/arm64-relax-gic-version-check-during-early-boot.patch b/queue-4.14/arm64-relax-gic-version-check-during-early-boot.patch new file mode 100644 index 00000000000..182715ac095 --- /dev/null +++ b/queue-4.14/arm64-relax-gic-version-check-during-early-boot.patch 
@@ -0,0 +1,40 @@ +From 75ff580829aa8e444771f1e162e0d46a3e5452cd Mon Sep 17 00:00:00 2001 +From: Vladimir Murzin +Date: Wed, 20 Feb 2019 11:43:05 +0000 +Subject: arm64: Relax GIC version check during early boot + +[ Upstream commit 74698f6971f25d045301139413578865fc2bd8f9 ] + +Updates to the GIC architecture allow ID_AA64PFR0_EL1.GIC to have +values other than 0 or 1. At the moment, Linux is quite strict in the +way it handles this field at early boot stage (cpufeature is fine) and +will refuse to use the system register CPU interface if it doesn't +find the value 1. + +Fixes: 021f653791ad17e03f98aaa7fb933816ae16f161 ("irqchip: gic-v3: Initial support for GICv3") +Reported-by: Chase Conklin +Reviewed-by: Marc Zyngier +Signed-off-by: Vladimir Murzin +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/head.S | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S +index ec393275ba04..1371542de0d3 100644 +--- a/arch/arm64/kernel/head.S ++++ b/arch/arm64/kernel/head.S +@@ -442,8 +442,7 @@ set_hcr: + /* GICv3 system register access */ + mrs x0, id_aa64pfr0_el1 + ubfx x0, x0, #24, #4 +- cmp x0, #1 +- b.ne 3f ++ cbz x0, 3f + + mrs_s x0, SYS_ICC_SRE_EL2 + orr x0, x0, #ICC_SRE_EL2_SRE // Set ICC_SRE_EL2.SRE==1 +-- +2.19.1 + diff --git a/queue-4.14/asoc-dapm-fix-out-of-bounds-accesses-to-dapm-lookup-.patch b/queue-4.14/asoc-dapm-fix-out-of-bounds-accesses-to-dapm-lookup-.patch new file mode 100644 index 00000000000..072cf974912 --- /dev/null +++ b/queue-4.14/asoc-dapm-fix-out-of-bounds-accesses-to-dapm-lookup-.patch 
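Review bot: With `cbz x0, 3f` every non-zero value of the `ID_AA64PFR0_EL1.GIC` field, including encodings that are not defined yet, now enables the system-register CPU interface, and the existing comment `/* GICv3 system register access */` no longer describes the test. A comment on the branch would record the intent, for example `// GIC field: 0 = no sysreg interface, any non-zero value is treated as present`. The code at label `3:` and the rest of the EL2 setup are outside the hunk, so it is not visible whether later steps assume exactly GICv3.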
@@ -0,0 +1,101 @@ +From 811611378248c2127209043d5314d0b8f40f5615 Mon Sep 17 00:00:00 2001 +From: Pierre-Louis Bossart +Date: Tue, 5 Feb 2019 10:22:27 -0600 +Subject: ASoC: dapm: fix out-of-bounds accesses to DAPM lookup tables + +[ Upstream commit c16e12010060c6c7a31f08b4a99513064cb53b7d ] + +KASAN reports and additional traces point to out-of-bounds accesses to +the dapm_up_seq and dapm_down_seq lookup tables. The indices used are +larger than the array definition. + +Fix by adding missing entries for the new widget types in these two +lookup tables, and align them with PGA values. + +Also the sequences for the following widgets were not defined. Since +their values defaulted to zero, assign them explicitly + + snd_soc_dapm_input + snd_soc_dapm_output + snd_soc_dapm_vmid + snd_soc_dapm_siggen + snd_soc_dapm_sink + +Fixes: 8a70b4544ef4 ('ASoC: dapm: Add new widget type for constructing DAPM graphs on DSPs.'). +Signed-off-by: Pierre-Louis Bossart +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-dapm.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c +index bba6a917cd02..e9f7c6287376 100644 +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -75,12 +75,16 @@ static int dapm_up_seq[] = { + [snd_soc_dapm_clock_supply] = 1, + [snd_soc_dapm_supply] = 2, + [snd_soc_dapm_micbias] = 3, ++ [snd_soc_dapm_vmid] = 3, + [snd_soc_dapm_dai_link] = 2, + [snd_soc_dapm_dai_in] = 4, + [snd_soc_dapm_dai_out] = 4, + [snd_soc_dapm_aif_in] = 4, + [snd_soc_dapm_aif_out] = 4, + [snd_soc_dapm_mic] = 5, ++ [snd_soc_dapm_siggen] = 5, ++ [snd_soc_dapm_input] = 5, ++ [snd_soc_dapm_output] = 5, + [snd_soc_dapm_mux] = 6, + [snd_soc_dapm_demux] = 6, + [snd_soc_dapm_dac] = 7, +@@ -88,11 +92,19 @@ static int dapm_up_seq[] = { + [snd_soc_dapm_mixer] = 8, + [snd_soc_dapm_mixer_named_ctl] = 8, + [snd_soc_dapm_pga] = 9, ++ [snd_soc_dapm_buffer] = 9, ++ [snd_soc_dapm_scheduler] = 9, ++ 
[snd_soc_dapm_effect] = 9, ++ [snd_soc_dapm_src] = 9, ++ [snd_soc_dapm_asrc] = 9, ++ [snd_soc_dapm_encoder] = 9, ++ [snd_soc_dapm_decoder] = 9, + [snd_soc_dapm_adc] = 10, + [snd_soc_dapm_out_drv] = 11, + [snd_soc_dapm_hp] = 11, + [snd_soc_dapm_spk] = 11, + [snd_soc_dapm_line] = 11, ++ [snd_soc_dapm_sink] = 11, + [snd_soc_dapm_kcontrol] = 12, + [snd_soc_dapm_post] = 13, + }; +@@ -105,13 +117,25 @@ static int dapm_down_seq[] = { + [snd_soc_dapm_spk] = 3, + [snd_soc_dapm_line] = 3, + [snd_soc_dapm_out_drv] = 3, ++ [snd_soc_dapm_sink] = 3, + [snd_soc_dapm_pga] = 4, ++ [snd_soc_dapm_buffer] = 4, ++ [snd_soc_dapm_scheduler] = 4, ++ [snd_soc_dapm_effect] = 4, ++ [snd_soc_dapm_src] = 4, ++ [snd_soc_dapm_asrc] = 4, ++ [snd_soc_dapm_encoder] = 4, ++ [snd_soc_dapm_decoder] = 4, + [snd_soc_dapm_switch] = 5, + [snd_soc_dapm_mixer_named_ctl] = 5, + [snd_soc_dapm_mixer] = 5, + [snd_soc_dapm_dac] = 6, + [snd_soc_dapm_mic] = 7, ++ [snd_soc_dapm_siggen] = 7, ++ [snd_soc_dapm_input] = 7, ++ [snd_soc_dapm_output] = 7, + [snd_soc_dapm_micbias] = 8, ++ [snd_soc_dapm_vmid] = 8, + [snd_soc_dapm_mux] = 9, + [snd_soc_dapm_demux] = 9, + [snd_soc_dapm_aif_in] = 10, +-- +2.19.1 + diff --git a/queue-4.14/asoc-rsnd-fixup-rsnd_ssi_master_clk_start-user-count.patch b/queue-4.14/asoc-rsnd-fixup-rsnd_ssi_master_clk_start-user-count.patch new file mode 100644 index 00000000000..de4c106ee9a --- /dev/null +++ b/queue-4.14/asoc-rsnd-fixup-rsnd_ssi_master_clk_start-user-count.patch 
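Review bot: `dapm_up_seq[]` and `dapm_down_seq[]` are still declared without a size, so their length is whatever the highest designated initializer happens to be, and the out-of-bounds read described in the commit message comes back as soon as another widget type is added to the enum without a table entry. A compile-time check in any function of this file would stop that, e.g. `BUILD_BUG_ON(ARRAY_SIZE(dapm_up_seq) <= LAST_WIDGET_TYPE);`, where `LAST_WIDGET_TYPE` is a placeholder for the final enumerator of `enum snd_soc_dapm_type`, which is not visible here; the same check applies to `dapm_down_seq`. A short comment above each table saying that every widget type needs an entry, and that a missing one inside the range silently sorts as 0, would help as well.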
@@ -0,0 +1,44 @@ +From 9ca130c193637fb5ad5001bcb319af8e04a62093 Mon Sep 17 00:00:00 2001 +From: Kuninori Morimoto +Date: Tue, 5 Feb 2019 09:46:43 +0900 +Subject: ASoC: rsnd: fixup rsnd_ssi_master_clk_start() user count check + +[ Upstream commit d9111d36024de07784f2e1ba2ccf70b16035f378 ] + +commit 4d230d1271064 ("ASoC: rsnd: fixup not to call clk_get/set +under non-atomic") added new rsnd_ssi_prepare() and moved +rsnd_ssi_master_clk_start() to .prepare. +But, ssi user count (= ssi->usrcnt) is incremented at .init +(= rsnd_ssi_init()). +Because of these timing exchange, ssi->usrcnt check at +rsnd_ssi_master_clk_start() should be adjusted. +Otherwise, 2nd master clock setup will be no check. +This patch fixup this issue. + +Fixes: commit 4d230d1271064 ("ASoC: rsnd: fixup not to call clk_get/set under non-atomic") +Reported-by: Yusuke Goda +Reported-by: Valentine Barshak +Signed-off-by: Kuninori Morimoto +Tested-by: Yusuke Goda +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sh/rcar/ssi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/sh/rcar/ssi.c b/sound/soc/sh/rcar/ssi.c +index 0db2791f7035..60cc550c5a4c 100644 +--- a/sound/soc/sh/rcar/ssi.c ++++ b/sound/soc/sh/rcar/ssi.c +@@ -280,7 +280,7 @@ static int rsnd_ssi_master_clk_start(struct rsnd_mod *mod, + if (rsnd_ssi_is_multi_slave(mod, io)) + return 0; + +- if (ssi->usrcnt > 1) { ++ if (ssi->usrcnt > 0) { + if (ssi->rate != rate) { + dev_err(dev, "SSI parent/child should use same rate\n"); + return -EINVAL; +-- +2.19.1 + diff --git a/queue-4.14/asoc-topology-free-created-components-in-tplg-load-e.patch b/queue-4.14/asoc-topology-free-created-components-in-tplg-load-e.patch new file mode 100644 index 00000000000..bb8046c31e0 --- /dev/null +++ b/queue-4.14/asoc-topology-free-created-components-in-tplg-load-e.patch 
@@ -0,0 +1,45 @@ +From 6ec81be536afa580054e03ab027a6234246b273c Mon Sep 17 00:00:00 2001 +From: Bard liao +Date: Sun, 17 Feb 2019 21:23:47 +0800 +Subject: ASoC: topology: free created components in tplg load error + +[ Upstream commit 304017d31df36fb61eb2ed3ebf65fb6870b3c731 ] + +Topology resources are no longer needed if any element failed to load. + +Signed-off-by: Bard liao +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-topology.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c +index c1619860a5de..2d5cf263515b 100644 +--- a/sound/soc/soc-topology.c ++++ b/sound/soc/soc-topology.c +@@ -2513,6 +2513,7 @@ int snd_soc_tplg_component_load(struct snd_soc_component *comp, + struct snd_soc_tplg_ops *ops, const struct firmware *fw, u32 id) + { + struct soc_tplg tplg; ++ int ret; + + /* setup parsing context */ + memset(&tplg, 0, sizeof(tplg)); +@@ -2526,7 +2527,12 @@ int snd_soc_tplg_component_load(struct snd_soc_component *comp, + tplg.bytes_ext_ops = ops->bytes_ext_ops; + tplg.bytes_ext_ops_count = ops->bytes_ext_ops_count; + +- return soc_tplg_load(&tplg); ++ ret = soc_tplg_load(&tplg); ++ /* free the created components if fail to load topology */ ++ if (ret) ++ snd_soc_tplg_component_remove(comp, SND_SOC_TPLG_INDEX_ALL); ++ ++ return ret; + } + EXPORT_SYMBOL_GPL(snd_soc_tplg_component_load); + +-- +2.19.1 + diff --git a/queue-4.14/assoc_array-fix-shortcut-creation.patch b/queue-4.14/assoc_array-fix-shortcut-creation.patch new file mode 100644 index 00000000000..0f491c6c730 --- /dev/null +++ b/queue-4.14/assoc_array-fix-shortcut-creation.patch 
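Review bot: On failure `snd_soc_tplg_component_load()` now calls `snd_soc_tplg_component_remove(comp, SND_SOC_TPLG_INDEX_ALL)`, which judging by the constant's name removes every topology object of the component and not only the ones created by this call. If a component can load more than one topology, a failed second load would presumably tear down objects from the first, successful one; passing `id` may be the narrower scope, to be confirmed against how `id` is used in the unchanged part of the function. At minimum the function's documentation should state the new contract, e.g. `/* on error, all topology objects of @comp are removed */`.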
@@ -0,0 +1,57 @@ +From 078482aa9b50064ed31bdf30c52e8465603b9aa4 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Thu, 14 Feb 2019 16:20:15 +0000 +Subject: assoc_array: Fix shortcut creation + +[ Upstream commit bb2ba2d75a2d673e76ddaf13a9bd30d6a8b1bb08 ] + +Fix the creation of shortcuts for which the length of the index key value +is an exact multiple of the machine word size. The problem is that the +code that blanks off the unused bits of the shortcut value malfunctions if +the number of bits in the last word equals machine word size. This is due +to the "<<" operator being given a shift of zero in this case, and so the +mask that should be all zeros is all ones instead. This causes the +subsequent masking operation to clear everything rather than clearing +nothing. + +Ordinarily, the presence of the hash at the beginning of the tree index key +makes the issue very hard to test for, but in this case, it was encountered +due to a development mistake that caused the hash output to be either 0 +(keyring) or 1 (non-keyring) only. This made it susceptible to the +keyctl/unlink/valid test in the keyutils package. + +The fix is simply to skip the blanking if the shift would be 0. For +example, an index key that is 64 bits long would produce a 0 shift and thus +a 'blank' of all 1s. This would then be inverted and AND'd onto the +index_key, incorrectly clearing the entire last word. 
+ +Fixes: 3cb989501c26 ("Add a generic associative array implementation.") +Signed-off-by: David Howells +Signed-off-by: James Morris +Signed-off-by: Sasha Levin +--- + lib/assoc_array.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/lib/assoc_array.c b/lib/assoc_array.c +index 4e53be8bc590..9463d3445ccd 100644 +--- a/lib/assoc_array.c ++++ b/lib/assoc_array.c +@@ -781,9 +781,11 @@ all_leaves_cluster_together: + new_s0->index_key[i] = + ops->get_key_chunk(index_key, i * ASSOC_ARRAY_KEY_CHUNK_SIZE); + +- blank = ULONG_MAX << (level & ASSOC_ARRAY_KEY_CHUNK_MASK); +- pr_devel("blank off [%zu] %d: %lx\n", keylen - 1, level, blank); +- new_s0->index_key[keylen - 1] &= ~blank; ++ if (level & ASSOC_ARRAY_KEY_CHUNK_MASK) { ++ blank = ULONG_MAX << (level & ASSOC_ARRAY_KEY_CHUNK_MASK); ++ pr_devel("blank off [%zu] %d: %lx\n", keylen - 1, level, blank); ++ new_s0->index_key[keylen - 1] &= ~blank; ++ } + + /* This now reduces to a node splitting exercise for which we'll need + * to regenerate the disparity table. +-- +2.19.1 + diff --git a/queue-4.14/auxdisplay-ht16k33-fix-potential-user-after-free-on-.patch b/queue-4.14/auxdisplay-ht16k33-fix-potential-user-after-free-on-.patch new file mode 100644 index 00000000000..f113bfc6b85 --- /dev/null +++ b/queue-4.14/auxdisplay-ht16k33-fix-potential-user-after-free-on-.patch 
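Review bot: The new `if (level & ASSOC_ARRAY_KEY_CHUNK_MASK)` guard in the shortcut-creation path of lib/assoc_array.c has no comment, so without the commit message it reads as an optimisation rather than a correctness fix. I would add above it `/* A shift of 0 would make blank all ones and clear the whole last word; skip the blanking when the key ends on a chunk boundary. */`. The masked value is also computed twice; a local such as `int shift = level & ASSOC_ARRAY_KEY_CHUNK_MASK;` would keep the test and the shift in step. The enclosing function starts and ends outside the hunk.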
@@ -0,0 +1,44 @@ +From d8c827ab0d2fdd50cb0bcd31b8b1f62a6608fadc Mon Sep 17 00:00:00 2001 +From: Miguel Ojeda +Date: Sat, 9 Feb 2019 00:38:45 +0100 +Subject: auxdisplay: ht16k33: fix potential user-after-free on module unload + +[ Upstream commit 69ef9bc54715fb1cb7786ada15774e469e822209 ] + +On module unload/remove, we need to ensure that work does not run +after we have freed resources. Concretely, cancel_delayed_work() +may return while the callback function is still running. + +From kernel/workqueue.c: + + The work callback function may still be running on return, + unless it returns true and the work doesn't re-arm itself. + Explicitly flush or use cancel_delayed_work_sync() to wait on it. + +Link: https://lore.kernel.org/lkml/20190204220952.30761-1-TheSven73@googlemail.com/ +Reported-by: Sven Van Asbroeck +Reviewed-by: Dmitry Torokhov +Reviewed-by: Sven Van Asbroeck +Acked-by: Robin van der Gracht +Signed-off-by: Miguel Ojeda +Signed-off-by: Sasha Levin +--- + drivers/auxdisplay/ht16k33.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/auxdisplay/ht16k33.c b/drivers/auxdisplay/ht16k33.c +index fbfa5b4cc567..a93ded300740 100644 +--- a/drivers/auxdisplay/ht16k33.c ++++ b/drivers/auxdisplay/ht16k33.c +@@ -517,7 +517,7 @@ static int ht16k33_remove(struct i2c_client *client) + struct ht16k33_priv *priv = i2c_get_clientdata(client); + struct ht16k33_fbdev *fbdev = &priv->fbdev; + +- cancel_delayed_work(&fbdev->work); ++ cancel_delayed_work_sync(&fbdev->work); + unregister_framebuffer(fbdev->info); + framebuffer_release(fbdev->info); + free_page((unsigned long) fbdev->buffer); +-- +2.19.1 + diff --git a/queue-4.14/clk-sunxi-a31-fix-wrong-ahb-gate-number.patch b/queue-4.14/clk-sunxi-a31-fix-wrong-ahb-gate-number.patch new file mode 100644 index 00000000000..1a1091baa22 --- /dev/null +++ b/queue-4.14/clk-sunxi-a31-fix-wrong-ahb-gate-number.patch 
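Review bot: In ht16k33_remove() the work is cancelled before `unregister_framebuffer(fbdev->info)`, so the framebuffer is still registered when `cancel_delayed_work_sync(&fbdev->work)` returns. If any path reachable through the registered framebuffer, or another part of the driver not shown here, can queue `fbdev->work` again, the work could still run after `free_page()`; this hunk alone cannot rule that out. A comment naming the only places that queue the work, placed above the cancel, would settle it for the next reader. The function continues past the end of the hunk.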
@@ -0,0 +1,39 @@ +From 23dadb3ebe71ebc9a9ba629dcfa147b3d5f1124c Mon Sep 17 00:00:00 2001 +From: Andre Przywara +Date: Wed, 23 Jan 2019 00:59:11 +0000 +Subject: clk: sunxi: A31: Fix wrong AHB gate number + +[ Upstream commit ee0b27a3a4da0b0ed2318aa092f8856896e9450b ] + +According to the manual the gate clock for MMC3 is at bit 11, and NAND1 +is controlled by bit 12. + +Fix the gate bit definitions in the clock driver. + +Fixes: c6e6c96d8fa6 ("clk: sunxi-ng: Add A31/A31s clocks") +Signed-off-by: Andre Przywara +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + drivers/clk/sunxi-ng/ccu-sun6i-a31.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/sunxi-ng/ccu-sun6i-a31.c b/drivers/clk/sunxi-ng/ccu-sun6i-a31.c +index 40d5f74cb2ac..d93b4815e65c 100644 +--- a/drivers/clk/sunxi-ng/ccu-sun6i-a31.c ++++ b/drivers/clk/sunxi-ng/ccu-sun6i-a31.c +@@ -252,9 +252,9 @@ static SUNXI_CCU_GATE(ahb1_mmc1_clk, "ahb1-mmc1", "ahb1", + static SUNXI_CCU_GATE(ahb1_mmc2_clk, "ahb1-mmc2", "ahb1", + 0x060, BIT(10), 0); + static SUNXI_CCU_GATE(ahb1_mmc3_clk, "ahb1-mmc3", "ahb1", +- 0x060, BIT(12), 0); ++ 0x060, BIT(11), 0); + static SUNXI_CCU_GATE(ahb1_nand1_clk, "ahb1-nand1", "ahb1", +- 0x060, BIT(13), 0); ++ 0x060, BIT(12), 0); + static SUNXI_CCU_GATE(ahb1_nand0_clk, "ahb1-nand0", "ahb1", + 0x060, BIT(13), 0); + static SUNXI_CCU_GATE(ahb1_sdram_clk, "ahb1-sdram", "ahb1", +-- +2.19.1 + diff --git a/queue-4.14/clk-sunxi-ng-v3s-fix-tcon-reset-de-assert-bit.patch b/queue-4.14/clk-sunxi-ng-v3s-fix-tcon-reset-de-assert-bit.patch new file mode 100644 index 00000000000..fde31cf19fd --- /dev/null +++ b/queue-4.14/clk-sunxi-ng-v3s-fix-tcon-reset-de-assert-bit.patch 
@@ -0,0 +1,35 @@ +From 3cfcac12a7d16c3ac98a9b452ec18150b2ccf2ec Mon Sep 17 00:00:00 2001 +From: Paul Kocialkowski +Date: Tue, 22 Jan 2019 09:16:19 +0100 +Subject: clk: sunxi-ng: v3s: Fix TCON reset de-assert bit + +[ Upstream commit 5c59801f7018acba11b12de59017a3fcdcf7421d ] + +According to the datasheet and the reference code from Allwinner, the +bit used to de-assert the TCON reset is bit 4, not bit 3. + +Fix it in the V3s CCU driver. + +Signed-off-by: Paul Kocialkowski +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + drivers/clk/sunxi-ng/ccu-sun8i-v3s.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c b/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c +index 621b1cd996db..ac12f261f8ca 100644 +--- a/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c ++++ b/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c +@@ -542,7 +542,7 @@ static struct ccu_reset_map sun8i_v3s_ccu_resets[] = { + [RST_BUS_OHCI0] = { 0x2c0, BIT(29) }, + + [RST_BUS_VE] = { 0x2c4, BIT(0) }, +- [RST_BUS_TCON0] = { 0x2c4, BIT(3) }, ++ [RST_BUS_TCON0] = { 0x2c4, BIT(4) }, + [RST_BUS_CSI] = { 0x2c4, BIT(8) }, + [RST_BUS_DE] = { 0x2c4, BIT(12) }, + [RST_BUS_DBG] = { 0x2c4, BIT(31) }, +-- +2.19.1 + diff --git a/queue-4.14/drm-imx-ignore-plane-updates-on-disabled-crtcs.patch b/queue-4.14/drm-imx-ignore-plane-updates-on-disabled-crtcs.patch new file mode 100644 index 00000000000..7a7f0352483 --- /dev/null +++ b/queue-4.14/drm-imx-ignore-plane-updates-on-disabled-crtcs.patch 
@@ -0,0 +1,41 @@ +From b53267773c3d0dbde5bf828bc48e8def4eb0adf0 Mon Sep 17 00:00:00 2001 +From: Philipp Zabel +Date: Mon, 5 Nov 2018 16:36:07 +0100 +Subject: drm/imx: ignore plane updates on disabled crtcs + +[ Upstream commit 4fb873c9648e383206e0a91cef9b03aa54066aca ] + +This patch fixes backtraces like the following when sending SIGKILL to a +process with a currently pending plane update: + + [drm:ipu_plane_atomic_check] CRTC should be enabled + [drm:drm_framebuffer_remove] *ERROR* failed to commit + ------------[ cut here ]------------ + WARNING: CPU: 3 PID: 63 at drivers/gpu/drm/drm_framebuffer.c:926 drm_framebuffer_remove+0x47c/0x498 + atomic remove_fb failed with -22 + +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/imx/ipuv3-plane.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/imx/ipuv3-plane.c b/drivers/gpu/drm/imx/ipuv3-plane.c +index cf98596c7ce1..d0d7f6adbc89 100644 +--- a/drivers/gpu/drm/imx/ipuv3-plane.c ++++ b/drivers/gpu/drm/imx/ipuv3-plane.c +@@ -348,9 +348,9 @@ static int ipu_plane_atomic_check(struct drm_plane *plane, + if (ret) + return ret; + +- /* CRTC should be enabled */ ++ /* nothing to check when disabling or disabled */ + if (!crtc_state->enable) +- return -EINVAL; ++ return 0; + + switch (plane->type) { + case DRM_PLANE_TYPE_PRIMARY: +-- +2.19.1 + diff --git a/queue-4.14/drm-imx-imx-ldb-add-missing-of_node_puts.patch b/queue-4.14/drm-imx-imx-ldb-add-missing-of_node_puts.patch new file mode 100644 index 00000000000..2766aed4073 --- /dev/null +++ b/queue-4.14/drm-imx-imx-ldb-add-missing-of_node_puts.patch 
@@ -0,0 +1,118 @@ +From 7aded8716f0ec10dd01f44b0dff5b216f3333189 Mon Sep 17 00:00:00 2001 +From: Julia Lawall +Date: Sun, 13 Jan 2019 09:47:42 +0100 +Subject: drm/imx: imx-ldb: add missing of_node_puts + +[ Upstream commit aa3312012f103f91f123600bbf768b11c8f431bc ] + +The device node iterators perform an of_node_get on each +iteration, so a jump out of the loop requires an of_node_put. + +Move the initialization channel->child = child; down to just +before the call to imx_ldb_register so that intervening failures +don't need to clear it. Add a label at the end of the function to +do all the of_node_puts. + +The semantic patch that finds part of this problem is as follows +(http://coccinelle.lip6.fr): + +// +@@ +expression root,e; +local idexpression child; +iterator name for_each_child_of_node; +@@ + + for_each_child_of_node(root, child) { + ... when != of_node_put(child) + when != e = child +( + return child; +| +* return ...; +) + ... + } +// + +Signed-off-by: Julia Lawall +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/imx/imx-ldb.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/imx/imx-ldb.c b/drivers/gpu/drm/imx/imx-ldb.c +index dd5312b02a8d..4f2e6c7e04c1 100644 +--- a/drivers/gpu/drm/imx/imx-ldb.c ++++ b/drivers/gpu/drm/imx/imx-ldb.c +@@ -652,8 +652,10 @@ static int imx_ldb_bind(struct device *dev, struct device *master, void *data) + int bus_format; + + ret = of_property_read_u32(child, "reg", &i); +- if (ret || i < 0 || i > 1) +- return -EINVAL; ++ if (ret || i < 0 || i > 1) { ++ ret = -EINVAL; ++ goto free_child; ++ } + + if (!of_device_is_available(child)) + continue; +@@ -666,7 +668,6 @@ static int imx_ldb_bind(struct device *dev, struct device *master, void *data) + channel = &imx_ldb->channel[i]; + channel->ldb = imx_ldb; + channel->chno = i; +- channel->child = child; + + /* + * The output port is port@4 with an external 4-port mux or +@@ -676,13 
+677,13 @@ static int imx_ldb_bind(struct device *dev, struct device *master, void *data) + imx_ldb->lvds_mux ? 4 : 2, 0, + &channel->panel, &channel->bridge); + if (ret && ret != -ENODEV) +- return ret; ++ goto free_child; + + /* panel ddc only if there is no bridge */ + if (!channel->bridge) { + ret = imx_ldb_panel_ddc(dev, channel, child); + if (ret) +- return ret; ++ goto free_child; + } + + bus_format = of_get_bus_format(dev, child); +@@ -698,18 +699,26 @@ static int imx_ldb_bind(struct device *dev, struct device *master, void *data) + if (bus_format < 0) { + dev_err(dev, "could not determine data mapping: %d\n", + bus_format); +- return bus_format; ++ ret = bus_format; ++ goto free_child; + } + channel->bus_format = bus_format; ++ channel->child = child; + + ret = imx_ldb_register(drm, channel); +- if (ret) +- return ret; ++ if (ret) { ++ channel->child = NULL; ++ goto free_child; ++ } + } + + dev_set_drvdata(dev, imx_ldb); + + return 0; ++ ++free_child: ++ of_node_put(child); ++ return ret; + } + + static void imx_ldb_unbind(struct device *dev, struct device *master, +-- +2.19.1 + diff --git a/queue-4.14/esp-skip-tx-bytes-accounting-when-sending-from-a-req.patch b/queue-4.14/esp-skip-tx-bytes-accounting-when-sending-from-a-req.patch new file mode 100644 index 00000000000..e8d8edf9ce5 --- /dev/null +++ b/queue-4.14/esp-skip-tx-bytes-accounting-when-sending-from-a-req.patch 
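Review bot: In imx_ldb_bind() `channel->child = child;` keeps the node pointer on the success path without taking a reference of its own, while the commit message notes that the iterator holds a reference only for the current iteration. If the iterator drops that reference when it advances, `channel->child` outlives the reference it relies on; `channel->child = of_node_get(child);` with a matching `of_node_put()` where the channel is torn down (outside this hunk) would make the ownership explicit. Separately, the label `free_child` only drops a reference, so `put_child` would describe it better.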
@@ -0,0 +1,75 @@ +From 97cdc3fd1633623a9a3f2a68839ed3b0d4be8aaa Mon Sep 17 00:00:00 2001 +From: Martin Willi +Date: Mon, 28 Jan 2019 09:35:35 +0100 +Subject: esp: Skip TX bytes accounting when sending from a request socket + +[ Upstream commit 09db51241118aeb06e1c8cd393b45879ce099b36 ] + +On ESP output, sk_wmem_alloc is incremented for the added padding if a +socket is associated to the skb. When replying with TCP SYNACKs over +IPsec, the associated sk is a casted request socket, only. Increasing +sk_wmem_alloc on a request socket results in a write at an arbitrary +struct offset. In the best case, this produces the following WARNING: + +WARNING: CPU: 1 PID: 0 at lib/refcount.c:102 esp_output_head+0x2e4/0x308 [esp4] +refcount_t: addition on 0; use-after-free. +CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.0.0-rc3 #2 +Hardware name: Marvell Armada 380/385 (Device Tree) +[...] +[] (esp_output_head [esp4]) from [] (esp_output+0xb8/0x180 [esp4]) +[] (esp_output [esp4]) from [] (xfrm_output_resume+0x558/0x664) +[] (xfrm_output_resume) from [] (xfrm4_output+0x44/0xc4) +[] (xfrm4_output) from [] (tcp_v4_send_synack+0xa8/0xe8) +[] (tcp_v4_send_synack) from [] (tcp_conn_request+0x7f4/0x948) +[] (tcp_conn_request) from [] (tcp_rcv_state_process+0x2a0/0xe64) +[] (tcp_rcv_state_process) from [] (tcp_v4_do_rcv+0xf0/0x1f4) +[] (tcp_v4_do_rcv) from [] (tcp_v4_rcv+0xdb8/0xe20) +[] (tcp_v4_rcv) from [] (ip_protocol_deliver_rcu+0x2c/0x2dc) +[] (ip_protocol_deliver_rcu) from [] (ip_local_deliver_finish+0x48/0x54) +[] (ip_local_deliver_finish) from [] (ip_local_deliver+0x54/0xec) +[] (ip_local_deliver) from [] (ip_rcv+0x48/0xb8) +[] (ip_rcv) from [] (__netif_receive_skb_one_core+0x50/0x6c) +[...] + +The issue triggers only when not using TCP syncookies, as for syncookies +no socket is associated. 
+ +Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") +Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") +Signed-off-by: Martin Willi +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv4/esp4.c | 2 +- + net/ipv6/esp6.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c +index b00e4a43b4dc..d30285c5d52d 100644 +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -307,7 +307,7 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * + skb->len += tailen; + skb->data_len += tailen; + skb->truesize += tailen; +- if (sk) ++ if (sk && sk_fullsock(sk)) + refcount_add(tailen, &sk->sk_wmem_alloc); + + goto out; +diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c +index f112fef79216..ef7822fad0fd 100644 +--- a/net/ipv6/esp6.c ++++ b/net/ipv6/esp6.c +@@ -275,7 +275,7 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info + skb->len += tailen; + skb->data_len += tailen; + skb->truesize += tailen; +- if (sk) ++ if (sk && sk_fullsock(sk)) + refcount_add(tailen, &sk->sk_wmem_alloc); + + goto out; +-- +2.19.1 + diff --git a/queue-4.14/floppy-check_events-callback-should-not-return-a-neg.patch b/queue-4.14/floppy-check_events-callback-should-not-return-a-neg.patch new file mode 100644 index 00000000000..85f96161f2b --- /dev/null +++ b/queue-4.14/floppy-check_events-callback-should-not-return-a-neg.patch 
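Review bot: The `sk_fullsock(sk)` test added in esp_output_head(), and identically in esp6_output_head(), carries no comment, although it is what keeps `refcount_add()` from writing into a request socket, which per the commit message lands at an arbitrary struct offset. I would add `/* skb->sk may be a request socket (SYNACK over IPsec); only account on full sockets */` above both checks so the guard is not dropped in a later cleanup. Both function bodies start and end outside the hunks.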
@@ -0,0 +1,41 @@ +From a596c7857398f472a258843dc4b14b75f3ae4f0a Mon Sep 17 00:00:00 2001 +From: Yufen Yu +Date: Tue, 29 Jan 2019 16:34:04 +0800 +Subject: floppy: check_events callback should not return a negative number + +[ Upstream commit 96d7cb932e826219ec41ac02e5af037ffae6098c ] + +floppy_check_events() is supposed to return bit flags to say which +events occured. We should return zero to say that no event flags are +set. Only BIT(0) and BIT(1) are used in the caller. And .check_events +interface also expect to return an unsigned int value. + +However, after commit a0c80efe5956, it may return -EINTR (-4u). +Here, both BIT(0) and BIT(1) are cleared. So this patch shouldn't +affect runtime, but it obviously is still worth fixing. + +Reviewed-by: Dan Carpenter +Fixes: a0c80efe5956 ("floppy: fix lock_fdc() signal handling") +Signed-off-by: Yufen Yu +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/floppy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index a7f212ea17bf..3ea9c3e9acb3 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -4079,7 +4079,7 @@ static unsigned int floppy_check_events(struct gendisk *disk, + + if (time_after(jiffies, UDRS->last_checked + UDP->checkfreq)) { + if (lock_fdc(drive)) +- return -EINTR; ++ return 0; + poll_drive(false, 0); + process_fd_request(); + } +-- +2.19.1 + diff --git a/queue-4.14/gpu-ipu-v3-fix-csi-offsets-for-imx53.patch b/queue-4.14/gpu-ipu-v3-fix-csi-offsets-for-imx53.patch new file mode 100644 index 00000000000..705f03cd5d9 --- /dev/null +++ b/queue-4.14/gpu-ipu-v3-fix-csi-offsets-for-imx53.patch 
@@ -0,0 +1,37 @@ +From fb41c6779e62bbe4fa29507733c907b16c943c8f Mon Sep 17 00:00:00 2001 +From: Steve Longerbeam +Date: Tue, 16 Oct 2018 17:31:40 -0700 +Subject: gpu: ipu-v3: Fix CSI offsets for imx53 + +[ Upstream commit bb867d219fda7fbaabea3314702474c4eac2b91d ] + +The CSI offsets are wrong for both CSI0 and CSI1. They are at +physical address 0x1e030000 and 0x1e038000 respectively. + +Fixes: 2ffd48f2e7 ("gpu: ipu-v3: Add Camera Sensor Interface unit") + +Signed-off-by: Steve Longerbeam +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/gpu/ipu-v3/ipu-common.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c +index 5f8b31f879ca..f3a57c0500f3 100644 +--- a/drivers/gpu/ipu-v3/ipu-common.c ++++ b/drivers/gpu/ipu-v3/ipu-common.c +@@ -910,8 +910,8 @@ static struct ipu_devtype ipu_type_imx53 = { + .cpmem_ofs = 0x07000000, + .srm_ofs = 0x07040000, + .tpm_ofs = 0x07060000, +- .csi0_ofs = 0x07030000, +- .csi1_ofs = 0x07038000, ++ .csi0_ofs = 0x06030000, ++ .csi1_ofs = 0x06038000, + .ic_ofs = 0x06020000, + .disp0_ofs = 0x06040000, + .disp1_ofs = 0x06048000, +-- +2.19.1 + diff --git a/queue-4.14/gpu-ipu-v3-fix-i.mx51-csi-control-registers-offset.patch b/queue-4.14/gpu-ipu-v3-fix-i.mx51-csi-control-registers-offset.patch new file mode 100644 index 00000000000..5f31bb87486 --- /dev/null +++ b/queue-4.14/gpu-ipu-v3-fix-i.mx51-csi-control-registers-offset.patch 
@@ -0,0 +1,38 @@ +From 74bfe808e60d0a6546b80a5acf56c107d3a71379 Mon Sep 17 00:00:00 2001 +From: Alexander Shiyan +Date: Thu, 20 Dec 2018 11:06:38 +0300 +Subject: gpu: ipu-v3: Fix i.MX51 CSI control registers offset + +[ Upstream commit 2c0408dd0d8906b26fe8023889af7adf5e68b2c2 ] + +The CSI0/CSI1 registers offset is at +0xe030000/+0xe038000 relative +to the control module registers on IPUv3EX. +This patch fixes wrong values for i.MX51 CSI0/CSI1. + +Fixes: 2ffd48f2e7 ("gpu: ipu-v3: Add Camera Sensor Interface unit") + +Signed-off-by: Alexander Shiyan +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/gpu/ipu-v3/ipu-common.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c +index 2c8411b8d050..5f8b31f879ca 100644 +--- a/drivers/gpu/ipu-v3/ipu-common.c ++++ b/drivers/gpu/ipu-v3/ipu-common.c +@@ -894,8 +894,8 @@ static struct ipu_devtype ipu_type_imx51 = { + .cpmem_ofs = 0x1f000000, + .srm_ofs = 0x1f040000, + .tpm_ofs = 0x1f060000, +- .csi0_ofs = 0x1f030000, +- .csi1_ofs = 0x1f038000, ++ .csi0_ofs = 0x1e030000, ++ .csi1_ofs = 0x1e038000, + .ic_ofs = 0x1e020000, + .disp0_ofs = 0x1e040000, + .disp1_ofs = 0x1e048000, +-- +2.19.1 + diff --git a/queue-4.14/i2c-bcm2835-clear-current-buffer-pointers-and-counts.patch b/queue-4.14/i2c-bcm2835-clear-current-buffer-pointers-and-counts.patch new file mode 100644 index 00000000000..d802a769c14 --- /dev/null +++ b/queue-4.14/i2c-bcm2835-clear-current-buffer-pointers-and-counts.patch 
@@ -0,0 +1,70 @@ +From 79077ec79eb807b6409189f5c67a6fb063692d3e Mon Sep 17 00:00:00 2001 +From: Paul Kocialkowski +Date: Thu, 27 Dec 2018 16:42:25 +0100 +Subject: i2c: bcm2835: Clear current buffer pointers and counts after a + transfer + +[ Upstream commit f275a4659484716259cc46268d9043424e51cf0f ] + +The driver's interrupt handler checks whether a message is currently +being handled with the curr_msg pointer. When it is NULL, the interrupt +is considered to be unexpected. Similarly, the i2c_start_transfer +routine checks for the remaining number of messages to handle in +num_msgs. + +However, these values are never cleared and always keep the message and +number relevant to the latest transfer (which might be done already and +the underlying message memory might have been freed). + +When an unexpected interrupt hits with the DONE bit set, the isr will +then try to access the flags field of the curr_msg structure, leading +to a fatal page fault. + +The msg_buf and msg_buf_remaining fields are also never cleared at the +end of the transfer, which can lead to similar pitfalls. + +Fix these issues by introducing a cleanup function and always calling +it after a transfer is finished. 
+ +Fixes: e2474541032d ("i2c: bcm2835: Fix hang for writing messages larger than 16 bytes") +Signed-off-by: Paul Kocialkowski +Acked-by: Stefan Wahren +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-bcm2835.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/i2c/busses/i2c-bcm2835.c b/drivers/i2c/busses/i2c-bcm2835.c +index 44deae78913e..4d19254f78c8 100644 +--- a/drivers/i2c/busses/i2c-bcm2835.c ++++ b/drivers/i2c/busses/i2c-bcm2835.c +@@ -191,6 +191,15 @@ static void bcm2835_i2c_start_transfer(struct bcm2835_i2c_dev *i2c_dev) + bcm2835_i2c_writel(i2c_dev, BCM2835_I2C_C, c); + } + ++static void bcm2835_i2c_finish_transfer(struct bcm2835_i2c_dev *i2c_dev) ++{ ++ i2c_dev->curr_msg = NULL; ++ i2c_dev->num_msgs = 0; ++ ++ i2c_dev->msg_buf = NULL; ++ i2c_dev->msg_buf_remaining = 0; ++} ++ + /* + * Note about I2C_C_CLEAR on error: + * The I2C_C_CLEAR on errors will take some time to resolve -- if you were in +@@ -291,6 +300,9 @@ static int bcm2835_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], + + time_left = wait_for_completion_timeout(&i2c_dev->completion, + adap->timeout); ++ ++ bcm2835_i2c_finish_transfer(i2c_dev); ++ + if (!time_left) { + bcm2835_i2c_writel(i2c_dev, BCM2835_I2C_C, + BCM2835_I2C_C_CLEAR); +-- +2.19.1 + diff --git a/queue-4.14/i2c-cadence-fix-the-hold-bit-setting.patch b/queue-4.14/i2c-cadence-fix-the-hold-bit-setting.patch new file mode 100644 index 00000000000..538f9c73fa9 --- /dev/null +++ b/queue-4.14/i2c-cadence-fix-the-hold-bit-setting.patch 
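Review bot: In bcm2835_i2c_xfer() `bcm2835_i2c_finish_transfer(i2c_dev)` runs right after `wait_for_completion_timeout()` returns, which on the timeout path is before the `BCM2835_I2C_C_CLEAR` write and, as far as this hunk shows, with the interrupt still enabled. The fields it clears are the ones the commit message says the interrupt handler reads, so a late interrupt could see `curr_msg` change under it unless the handler and this helper are serialised; the handler is outside the hunk, so that needs checking there. If nothing serialises them, clearing the state only after the controller has been quiesced on the timeout path would be safer. The new helper would also benefit from a one-line comment such as `/* forget caller-owned msgs so a stray IRQ cannot touch freed memory */`.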
@@ -0,0 +1,56 @@ +From 37c1a9f2b599b18d1a0569c9d7caafffeca43436 Mon Sep 17 00:00:00 2001 +From: Shubhrajyoti Datta +Date: Tue, 5 Feb 2019 16:42:53 +0530 +Subject: i2c: cadence: Fix the hold bit setting + +[ Upstream commit d358def706880defa4c9e87381c5bf086a97d5f9 ] + +In case the hold bit is not needed we are carrying the old values. +Fix the same by resetting the bit when not needed. + +Fixes the sporadic i2c bus lockups on National Instruments +Zynq-based devices. + +Fixes: df8eb5691c48 ("i2c: Add driver for Cadence I2C controller") +Reported-by: Kyle Roeschley +Acked-by: Michal Simek +Signed-off-by: Shubhrajyoti Datta +Tested-by: Kyle Roeschley +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-cadence.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c +index b13605718291..d917cefc5a19 100644 +--- a/drivers/i2c/busses/i2c-cadence.c ++++ b/drivers/i2c/busses/i2c-cadence.c +@@ -382,8 +382,10 @@ static void cdns_i2c_mrecv(struct cdns_i2c *id) + * Check for the message size against FIFO depth and set the + * 'hold bus' bit if it is greater than FIFO depth. + */ +- if (id->recv_count > CDNS_I2C_FIFO_DEPTH) ++ if ((id->recv_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag) + ctrl_reg |= CDNS_I2C_CR_HOLD; ++ else ++ ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD; + + cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET); + +@@ -440,8 +442,11 @@ static void cdns_i2c_msend(struct cdns_i2c *id) + * Check for the message size against FIFO depth and set the + * 'hold bus' bit if it is greater than FIFO depth. + */ +- if (id->send_count > CDNS_I2C_FIFO_DEPTH) ++ if ((id->send_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag) + ctrl_reg |= CDNS_I2C_CR_HOLD; ++ else ++ ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD; ++ + cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET); + + /* Clear the interrupts in interrupt status register. */ +-- +2.19.1 + 
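Review bot: In cdns_i2c_mrecv() and cdns_i2c_msend() the new else branch is written as `ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD;` directly below a compound assignment; `ctrl_reg &= ~CDNS_I2C_CR_HOLD;` reads better next to `ctrl_reg |= CDNS_I2C_CR_HOLD;`. The comment above both conditions still says the bit is set only when the message exceeds the FIFO depth, so it should also mention `id->bus_hold_flag` and that the bit is now cleared otherwise. The inner parentheses around the comparison are not needed. Both functions extend beyond the hunks.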
diff --git a/queue-4.14/input-cap11xx-switch-to-using-set_brightness_blockin.patch b/queue-4.14/input-cap11xx-switch-to-using-set_brightness_blockin.patch new file mode 100644 index 00000000000..559223f0b9d --- /dev/null +++ b/queue-4.14/input-cap11xx-switch-to-using-set_brightness_blockin.patch 
@@ -0,0 +1,101 @@ +From 2ab4c3ab975384bfe28794be3f19a510b003c607 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Tue, 5 Feb 2019 13:52:26 -0800 +Subject: Input: cap11xx - switch to using set_brightness_blocking() + +[ Upstream commit 628442880af8c201d307a45f3862a7a17df8a189 ] + +Updating LED state requires access to regmap and therefore we may sleep, +so we could not do that directly form set_brightness() method. +Historically we used private work to adjust the brightness, but with the +introduction of set_brightness_blocking() we no longer need it. + +As a bonus, not having our own work item means we do not have +use-after-free issue as we neglected to cancel outstanding work on +driver unbind. + +Reported-by: Sven Van Asbroeck +Reviewed-by: Sven Van Asbroeck +Acked-by: Jacek Anaszewski +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/cap11xx.c | 35 ++++++++++---------------------- + 1 file changed, 11 insertions(+), 24 deletions(-) + +diff --git a/drivers/input/keyboard/cap11xx.c b/drivers/input/keyboard/cap11xx.c +index 1a1eacae3ea1..87fb48143859 100644 +--- a/drivers/input/keyboard/cap11xx.c ++++ b/drivers/input/keyboard/cap11xx.c +@@ -75,9 +75,7 @@ + struct cap11xx_led { + struct cap11xx_priv *priv; + struct led_classdev cdev; +- struct work_struct work; + u32 reg; +- enum led_brightness new_brightness; + }; + #endif + +@@ -233,30 +231,21 @@ static void cap11xx_input_close(struct input_dev *idev) + } + + #ifdef CONFIG_LEDS_CLASS +-static void cap11xx_led_work(struct work_struct *work) ++static int cap11xx_led_set(struct led_classdev *cdev, ++ enum led_brightness value) + { +- struct cap11xx_led *led = container_of(work, struct cap11xx_led, work); ++ struct cap11xx_led *led = container_of(cdev, struct cap11xx_led, cdev); + struct cap11xx_priv *priv = led->priv; +- int value = led->new_brightness; + + /* +- * All LEDs share the same duty cycle as this is a HW limitation. 
+- * Brightness levels per LED are either 0 (OFF) and 1 (ON). ++ * All LEDs share the same duty cycle as this is a HW ++ * limitation. Brightness levels per LED are either ++ * 0 (OFF) and 1 (ON). + */ +- regmap_update_bits(priv->regmap, CAP11XX_REG_LED_OUTPUT_CONTROL, +- BIT(led->reg), value ? BIT(led->reg) : 0); +-} +- +-static void cap11xx_led_set(struct led_classdev *cdev, +- enum led_brightness value) +-{ +- struct cap11xx_led *led = container_of(cdev, struct cap11xx_led, cdev); +- +- if (led->new_brightness == value) +- return; +- +- led->new_brightness = value; +- schedule_work(&led->work); ++ return regmap_update_bits(priv->regmap, ++ CAP11XX_REG_LED_OUTPUT_CONTROL, ++ BIT(led->reg), ++ value ? BIT(led->reg) : 0); + } + + static int cap11xx_init_leds(struct device *dev, +@@ -299,7 +288,7 @@ static int cap11xx_init_leds(struct device *dev, + led->cdev.default_trigger = + of_get_property(child, "linux,default-trigger", NULL); + led->cdev.flags = 0; +- led->cdev.brightness_set = cap11xx_led_set; ++ led->cdev.brightness_set_blocking = cap11xx_led_set; + led->cdev.max_brightness = 1; + led->cdev.brightness = LED_OFF; + +@@ -312,8 +301,6 @@ static int cap11xx_init_leds(struct device *dev, + led->reg = reg; + led->priv = priv; + +- INIT_WORK(&led->work, cap11xx_led_work); +- + error = devm_led_classdev_register(dev, &led->cdev); + if (error) { + of_node_put(child); +-- +2.19.1 + diff --git a/queue-4.14/input-matrix_keypad-use-flush_delayed_work.patch b/queue-4.14/input-matrix_keypad-use-flush_delayed_work.patch new file mode 100644 index 00000000000..25ae942c54e --- /dev/null +++ b/queue-4.14/input-matrix_keypad-use-flush_delayed_work.patch 
@@ -0,0 +1,34 @@ +From 7780e1b10133e163d6808bd81cc1a06b2232729e Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Thu, 7 Feb 2019 14:39:40 -0800 +Subject: Input: matrix_keypad - use flush_delayed_work() + +[ Upstream commit a342083abe576db43594a32d458a61fa81f7cb32 ] + +We should be using flush_delayed_work() instead of flush_work() in +matrix_keypad_stop() to ensure that we are not missing work that is +scheduled but not yet put in the workqueue (i.e. its delay timer has not +expired yet). + +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/matrix_keypad.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/input/keyboard/matrix_keypad.c b/drivers/input/keyboard/matrix_keypad.c +index 782dda68d93a..c04559a232f7 100644 +--- a/drivers/input/keyboard/matrix_keypad.c ++++ b/drivers/input/keyboard/matrix_keypad.c +@@ -222,7 +222,7 @@ static void matrix_keypad_stop(struct input_dev *dev) + keypad->stopped = true; + spin_unlock_irq(&keypad->lock); + +- flush_work(&keypad->work.work); ++ flush_delayed_work(&keypad->work); + /* + * matrix_keypad_scan() will leave IRQs enabled; + * we should disable them now. +-- +2.19.1 + diff --git a/queue-4.14/input-ps2-gpio-flush-tx-work-when-closing-port.patch b/queue-4.14/input-ps2-gpio-flush-tx-work-when-closing-port.patch new file mode 100644 index 00000000000..53713720bf5 --- /dev/null +++ b/queue-4.14/input-ps2-gpio-flush-tx-work-when-closing-port.patch 
@@ -0,0 +1,34 @@ +From 5277002d7f94790eb0736234a2c863454d5e79c1 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Thu, 7 Feb 2019 14:22:42 -0800 +Subject: Input: ps2-gpio - flush TX work when closing port + +[ Upstream commit 33a841ce5cef4ca6c18ad333248b6d273f54c839 ] + +To ensure that TX work is not running after serio port has been torn down, +let's flush it when closing the port. + +Reported-by: Sven Van Asbroeck +Acked-by: Danilo Krummrich +Reviewed-by: Sven Van Asbroeck +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/serio/ps2-gpio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/input/serio/ps2-gpio.c b/drivers/input/serio/ps2-gpio.c +index b50e3817f3c4..4a64ab30589c 100644 +--- a/drivers/input/serio/ps2-gpio.c ++++ b/drivers/input/serio/ps2-gpio.c +@@ -76,6 +76,7 @@ static void ps2_gpio_close(struct serio *serio) + { + struct ps2_gpio_data *drvdata = serio->port_data; + ++ flush_delayed_work(&drvdata->tx_work); + disable_irq(drvdata->irq); + } + +-- +2.19.1 + diff --git a/queue-4.14/input-pwm-vibra-prevent-unbalanced-regulator.patch b/queue-4.14/input-pwm-vibra-prevent-unbalanced-regulator.patch new file mode 100644 index 00000000000..b8701135700 --- /dev/null +++ b/queue-4.14/input-pwm-vibra-prevent-unbalanced-regulator.patch 
@@ -0,0 +1,67 @@
+From 664c43d757fb00c57703dde635ed7ab39660c247 Mon Sep 17 00:00:00 2001
+From: Jonathan Bakker
+Date: Mon, 28 Jan 2019 11:13:01 -0800
+Subject: Input: pwm-vibra - prevent unbalanced regulator
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 3ca232df9921f083c3b37ba5fbc76f4d9046268b ]
+
+pwm_vibrator_stop disables the regulator, but it can be called from
+multiple places, even when the regulator is already disabled. Fix this
+by using regulator_is_enabled check when starting and stopping device.
+
+Signed-off-by: Jonathan Bakker
+Signed-off-by: Paweł Chmiel
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Sasha Levin
+---
+ drivers/input/misc/pwm-vibra.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/input/misc/pwm-vibra.c b/drivers/input/misc/pwm-vibra.c
+index 55da191ae550..9df87431d7d4 100644
+--- a/drivers/input/misc/pwm-vibra.c
++++ b/drivers/input/misc/pwm-vibra.c
+@@ -34,6 +34,7 @@ struct pwm_vibrator {
+ struct work_struct play_work;
+ u16 level;
+ u32 direction_duty_cycle;
++ bool vcc_on;
+ };
+
+ static int pwm_vibrator_start(struct pwm_vibrator *vibrator)
+@@ -42,10 +43,13 @@ static int pwm_vibrator_start(struct pwm_vibrator *vibrator)
+ struct pwm_state state;
+ int err;
+
+- err = regulator_enable(vibrator->vcc);
+- if (err) {
+- dev_err(pdev, "failed to enable regulator: %d", err);
+- return err;
++ if (!vibrator->vcc_on) {
++ err = regulator_enable(vibrator->vcc);
++ if (err) {
++ dev_err(pdev, "failed to enable regulator: %d", err);
++ return err;
++ }
++ vibrator->vcc_on = true;
+ }
+
+ pwm_get_state(vibrator->pwm, &state);
+@@ -76,7 +80,10 @@ static int pwm_vibrator_start(struct pwm_vibrator *vibrator)
+
+ static void pwm_vibrator_stop(struct pwm_vibrator *vibrator)
+ {
+- regulator_disable(vibrator->vcc);
++ if (vibrator->vcc_on) {
++ regulator_disable(vibrator->vcc);
++ vibrator->vcc_on = false;
++ }
+
+ if (vibrator->pwm_dir)
+ pwm_disable(vibrator->pwm_dir);
+--
+2.19.1
+
diff --git a/queue-4.14/input-pwm-vibra-stop-regulator-after-disabling-pwm-n.patch b/queue-4.14/input-pwm-vibra-stop-regulator-after-disabling-pwm-n.patch
new file mode 100644
index 00000000000..7e21b01518e
--- /dev/null
+++ b/queue-4.14/input-pwm-vibra-stop-regulator-after-disabling-pwm-n.patch
@@ -0,0 +1,49 @@
+From 984b0d83d6d9db803bac3d023a46c0872292f4b6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Chmiel?=
+Date: Mon, 28 Jan 2019 11:13:34 -0800
+Subject: Input: pwm-vibra - stop regulator after disabling pwm, not before
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 94803aef3533676194c772383472636c453e3147 ]
+
+This patch fixes order of disable calls in pwm_vibrator_stop.
+Currently when starting device, we first enable vcc regulator and then
+setup and enable pwm. When stopping, we should do this in oposite order,
+so first disable pwm and then disable regulator.
+Previously order was the same as in start.
+
+Signed-off-by: Paweł Chmiel
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Sasha Levin
+---
+ drivers/input/misc/pwm-vibra.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/input/misc/pwm-vibra.c b/drivers/input/misc/pwm-vibra.c
+index 9df87431d7d4..dbb6d9e1b947 100644
+--- a/drivers/input/misc/pwm-vibra.c
++++ b/drivers/input/misc/pwm-vibra.c
+@@ -80,14 +80,14 @@ static int pwm_vibrator_start(struct pwm_vibrator *vibrator)
+
+ static void pwm_vibrator_stop(struct pwm_vibrator *vibrator)
+ {
++ if (vibrator->pwm_dir)
++ pwm_disable(vibrator->pwm_dir);
++ pwm_disable(vibrator->pwm);
++
+ if (vibrator->vcc_on) {
+ regulator_disable(vibrator->vcc);
+ vibrator->vcc_on = false;
+ }
+-
+- if (vibrator->pwm_dir)
+- pwm_disable(vibrator->pwm_dir);
+- pwm_disable(vibrator->pwm);
+ }
+
+ static void pwm_vibrator_play_work(struct work_struct *work)
+--
+2.19.1
+
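Review bot: The new `vcc_on` flag in struct pwm_vibrator is tested and updated in pwm_vibrator_start() and pwm_vibrator_stop() with no lock or ordering visible in these hunks, while the commit message says stop can be reached from multiple places. If two of those callers can overlap (the play work and a close or suspend path, say, all outside the hunk), both may act on the same stale value and the regulator enable count becomes unbalanced again. I would document the rule on the field, e.g. `bool vcc_on; /* regulator state; start/stop must be serialised by the caller */`, or wrap the test-and-set in whatever lock the driver already has. The follow-up patch in this queue that reorders pwm_vibrator_stop() keeps the same unguarded check. The message also speaks of a regulator_is_enabled check, while the code tracks its own flag.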
diff --git a/queue-4.14/input-st-keyscan-fix-potential-zalloc-null-dereferen.patch b/queue-4.14/input-st-keyscan-fix-potential-zalloc-null-dereferen.patch
new file mode 100644
index 00000000000..a432098e631
--- /dev/null
+++ b/queue-4.14/input-st-keyscan-fix-potential-zalloc-null-dereferen.patch
@@ -0,0 +1,45 @@
+From 303d72bb3bdda502e026baf330f010c1c71b9e3f Mon Sep 17 00:00:00 2001
+From: Gabriel Fernandez
+Date: Sat, 16 Feb 2019 21:10:16 -0800
+Subject: Input: st-keyscan - fix potential zalloc NULL dereference
+
+[ Upstream commit 2439d37e1bf8a34d437573c086572abe0f3f1b15 ]
+
+This patch fixes the following static checker warning:
+
+drivers/input/keyboard/st-keyscan.c:156 keyscan_probe()
+error: potential zalloc NULL dereference: 'keypad_data->input_dev'
+
+Reported-by: Dan Carpenter
+Signed-off-by: Gabriel Fernandez
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Sasha Levin
+---
+ drivers/input/keyboard/st-keyscan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/input/keyboard/st-keyscan.c b/drivers/input/keyboard/st-keyscan.c
+index babcfb165e4f..3b85631fde91 100644
+--- a/drivers/input/keyboard/st-keyscan.c
++++ b/drivers/input/keyboard/st-keyscan.c
+@@ -153,6 +153,8 @@ static int keyscan_probe(struct platform_device *pdev)
+
+ input_dev->id.bustype = BUS_HOST;
+
++ keypad_data->input_dev = input_dev;
++
+ error = keypad_matrix_key_parse_dt(keypad_data);
+ if (error)
+ return error;
+@@ -168,8 +170,6 @@ static int keyscan_probe(struct platform_device *pdev)
+
+ input_set_drvdata(input_dev, keypad_data);
+
+- keypad_data->input_dev = input_dev;
+-
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ keypad_data->base = devm_ioremap_resource(&pdev->dev, res);
+ if (IS_ERR(keypad_data->base))
+--
+2.19.1
+
diff --git a/queue-4.14/ipvs-fix-dependency-on-nf_defrag_ipv6.patch b/queue-4.14/ipvs-fix-dependency-on-nf_defrag_ipv6.patch
new file mode 100644
index 00000000000..4af1a705c83
--- /dev/null
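Review bot: The fix in keyscan_probe() is purely an ordering dependency, and the moved line `keypad_data->input_dev = input_dev;` carries no hint of it. Going by the checker warning quoted in the message, keypad_matrix_key_parse_dt() reads keypad_data->input_dev, so the assignment has to stay ahead of that call; a later cleanup could easily move it back next to input_set_drvdata(). A one-line comment would pin it: `/* must be set before keypad_matrix_key_parse_dt(), which uses keypad_data->input_dev */`. The helper itself is outside the hunk, so the exact use is inferred from the warning text.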
+++ b/queue-4.14/ipvs-fix-dependency-on-nf_defrag_ipv6.patch 
@@ -0,0 +1,109 @@
+From 5e61552b7126a9094cb30379eb64ef17685942bf Mon Sep 17 00:00:00 2001
+From: Andrea Claudi
+Date: Mon, 11 Feb 2019 16:14:39 +0100
+Subject: ipvs: fix dependency on nf_defrag_ipv6
+
+[ Upstream commit 098e13f5b21d3398065fce8780f07a3ef62f4812 ]
+
+ipvs relies on nf_defrag_ipv6 module to manage IPv6 fragmentation,
+but lacks proper Kconfig dependencies and does not explicitly
+request defrag features.
+
+As a result, if netfilter hooks are not loaded, when IPv6 fragmented
+packet are handled by ipvs only the first fragment makes through.
+
+Fix it properly declaring the dependency on Kconfig and registering
+netfilter hooks on ip_vs_add_service() and ip_vs_new_dest().
+
+Reported-by: Li Shuang
+Signed-off-by: Andrea Claudi
+Acked-by: Julian Anastasov
+Acked-by: Simon Horman
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/ipvs/Kconfig | 1 +
+ net/netfilter/ipvs/ip_vs_core.c | 10 ++++------
+ net/netfilter/ipvs/ip_vs_ctl.c | 10 ++++++++++
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig
+index b32fb0dbe237..3f8e490d1133 100644
+--- a/net/netfilter/ipvs/Kconfig
++++ b/net/netfilter/ipvs/Kconfig
+@@ -29,6 +29,7 @@ config IP_VS_IPV6
+ bool "IPv6 support for IPVS"
+ depends on IPV6 = y || IP_VS = IPV6
+ select IP6_NF_IPTABLES
++ select NF_DEFRAG_IPV6
+ ---help---
+ Add IPv6 support to IPVS.
+
+diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
+index 1bd53b1e7672..4278f5c947ab 100644
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -1524,14 +1524,12 @@ ip_vs_try_to_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb,
+ /* sorry, all this trouble for a no-hit :) */
+ IP_VS_DBG_PKT(12, af, pp, skb, iph->off,
+ "ip_vs_in: packet continues traversal as normal");
+- if (iph->fragoffs) {
+- /* Fragment that couldn't be mapped to a conn entry
+- * is missing module nf_defrag_ipv6
+- */
+- IP_VS_DBG_RL("Unhandled frag, load nf_defrag_ipv6\n");
++
++ /* Fragment couldn't be mapped to a conn entry */
++ if (iph->fragoffs)
+ IP_VS_DBG_PKT(7, af, pp, skb, iph->off,
+ "unhandled fragment");
+- }
++
+ *verdict = NF_ACCEPT;
+ return 0;
+ }
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index dff4ead3d117..56dd5ce6274f 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -43,6 +43,7 @@
+ #ifdef CONFIG_IP_VS_IPV6
+ #include
+ #include
++#include
+ #endif
+ #include
+ #include
+@@ -888,6 +889,7 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest,
+ {
+ struct ip_vs_dest *dest;
+ unsigned int atype, i;
++ int ret = 0;
+
+ EnterFunction(2);
+
+@@ -898,6 +900,10 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest,
+ atype & IPV6_ADDR_LINKLOCAL) &&
+ !__ip_vs_addr_is_local_v6(svc->ipvs->net, &udest->addr.in6))
+ return -EINVAL;
++
++ ret = nf_defrag_ipv6_enable(svc->ipvs->net);
++ if (ret)
++ return ret;
+ } else
+ #endif
+ {
+@@ -1221,6 +1227,10 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u,
+ ret = -EINVAL;
+ goto out_err;
+ }
++
++ ret = nf_defrag_ipv6_enable(ipvs->net);
++ if (ret)
++ goto out_err;
+ }
+ #endif
+
+--
+2.19.1
+
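Review bot: The two new `nf_defrag_ipv6_enable()` calls in ip_vs_new_dest() and ip_vs_add_service() carry no comment saying why a control-path function registers netfilter hooks, and nothing in these hunks shows a matching release when the last IPv6 service or destination goes away. I would state the intent and the lifetime at the call sites, e.g. `/* IPVS cannot map non-first IPv6 fragments to a connection; make sure the defrag hooks are registered in this netns */`, and confirm how long the hooks stay registered. In ip_vs_try_to_schedule() the rewritten `if (iph->fragoffs)` now guards a two-line IP_VS_DBG_PKT() call without braces; the macro definition is not visible here, so keeping the braces would be the safer form. All three functions start outside their hunks.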
diff --git a/queue-4.14/ixgbe-fix-older-devices-that-do-not-support-ixgbe_mr.patch b/queue-4.14/ixgbe-fix-older-devices-that-do-not-support-ixgbe_mr.patch
new file mode 100644
index 00000000000..b3bd8f0cc01
--- /dev/null
+++ b/queue-4.14/ixgbe-fix-older-devices-that-do-not-support-ixgbe_mr.patch
@@ -0,0 +1,41 @@
+From 7abff80b7274e2d11ff03b9b2a42344173650a83 Mon Sep 17 00:00:00 2001
+From: Jeff Kirsher
+Date: Mon, 28 Jan 2019 09:45:01 -0800
+Subject: ixgbe: fix older devices that do not support IXGBE_MRQC_L3L4TXSWEN
+
+[ Upstream commit 156a67a9065e3339be85f811d1b13b920e50d73b ]
+
+The enabling L3/L4 filtering for transmit switched packets for all
+devices caused unforeseen issue on older devices when trying to send UDP
+traffic in an ordered sequence. This bit was originally intended for X550
+devices, which supported this feature, so limit the scope of this bit to
+only X550 devices.
+
+Signed-off-by: Jeff Kirsher
+Tested-by: Andrew Bowers
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 42183a8b649c..01c120d656c5 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -3827,8 +3827,11 @@ static void ixgbe_setup_mrqc(struct ixgbe_adapter *adapter)
+ else
+ mrqc = IXGBE_MRQC_VMDQRSS64EN;
+
+- /* Enable L3/L4 for Tx Switched packets */
+- mrqc |= IXGBE_MRQC_L3L4TXSWEN;
++ /* Enable L3/L4 for Tx Switched packets only for X550,
++ * older devices do not support this feature
++ */
++ if (hw->mac.type >= ixgbe_mac_X550)
++ mrqc |= IXGBE_MRQC_L3L4TXSWEN;
+ } else {
+ if (tcs > 4)
+ mrqc = IXGBE_MRQC_RTRSS8TCEN;
+--
+2.19.1
+
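Review bot: The new test `hw->mac.type >= ixgbe_mac_X550` in ixgbe_setup_mrqc() relies on the declaration order of the MAC type enum, so any type that sorts after X550 gets IXGBE_MRQC_L3L4TXSWEN whether or not it supports the bit. The comment above it says "only for X550", which reads narrower than the `>=` actually is. I would reword it to `/* Enable L3/L4 for Tx Switched packets on X550 and later MACs; older devices do not support this bit */`, or test the supported types explicitly. The function starts outside the hunk, so the declaration of `hw` is not visible here and should be confirmed against the 4.14 tree.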
diff --git a/queue-4.14/kasan-slab-fix-conflicts-with-config_hardened_userco.patch b/queue-4.14/kasan-slab-fix-conflicts-with-config_hardened_userco.patch
new file mode 100644
index 00000000000..4917d13aa4d
--- /dev/null
+++ b/queue-4.14/kasan-slab-fix-conflicts-with-config_hardened_userco.patch
@@ -0,0 +1,44 @@
+From 3f9218db9eb28f31c8b11035df7eff1a911b4ea8 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov
+Date: Wed, 20 Feb 2019 22:20:25 -0800
+Subject: kasan, slab: fix conflicts with CONFIG_HARDENED_USERCOPY
+
+[ Upstream commit 219667c23c68eb3dbc0d5662b9246f28477fe529 ]
+
+Similarly to commit 96fedce27e13 ("kasan: make tag based mode work with
+CONFIG_HARDENED_USERCOPY"), we need to reset pointer tags in
+__check_heap_object() in mm/slab.c before doing any pointer math.
+
+Link: http://lkml.kernel.org/r/9a5c0f958db10e69df5ff9f2b997866b56b7effc.1550602886.git.andreyknvl@google.com
+Signed-off-by: Andrey Konovalov
+Tested-by: Qian Cai
+Cc: Alexander Potapenko
+Cc: Andrey Ryabinin
+Cc: Catalin Marinas
+Cc: Dmitry Vyukov
+Cc: Evgeniy Stepanov
+Cc: Kostya Serebryany
+Cc: Vincenzo Frascino
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ mm/slab.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/mm/slab.c b/mm/slab.c
+index 09df506ae830..409631e49295 100644
+--- a/mm/slab.c
++++ b/mm/slab.c
+@@ -4415,6 +4415,8 @@ const char *__check_heap_object(const void *ptr, unsigned long n,
+ unsigned int objnr;
+ unsigned long offset;
+
++ ptr = kasan_reset_tag(ptr);
++
+ /* Find and validate object. */
+ cachep = page->slab_cache;
+ objnr = obj_to_index(cachep, page, (void *)ptr);
+--
+2.19.1
+
diff --git a/queue-4.14/kasan-slub-move-kasan_poison_slab-hook-before-page_a.patch b/queue-4.14/kasan-slub-move-kasan_poison_slab-hook-before-page_a.patch
new file mode 100644
index 00000000000..80fdcfba40f
--- /dev/null
+++ b/queue-4.14/kasan-slub-move-kasan_poison_slab-hook-before-page_a.patch
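Review bot: Nothing in this hunk shows that `kasan_reset_tag()` is available in the 4.14 tree this patch is queued for. The message ties the change to tag-based KASAN and to commit 96fedce27e13; if that mode and its helpers were not backported, the added line in __check_heap_object() either fails to build or needs a no-op stub in the KASAN header. Since this function backs the hardened-usercopy bounds check, the backport should be build-tested with CONFIG_HARDENED_USERCOPY and CONFIG_SLAB enabled, both with and without CONFIG_KASAN. If the prerequisite is missing, dropping the patch from the 4.14 queue is cleaner than carrying a stub.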
@@ -0,0 +1,86 @@
+From a8146d43007331bebbe675fd3acbcd6a46342a37 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov
+Date: Wed, 20 Feb 2019 22:19:23 -0800
+Subject: kasan, slub: move kasan_poison_slab hook before page_address
+
+[ Upstream commit a71012242837fe5e67d8c999cfc357174ed5dba0 ]
+
+With tag based KASAN page_address() looks at the page flags to see whether
+the resulting pointer needs to have a tag set. Since we don't want to set
+a tag when page_address() is called on SLAB pages, we call
+page_kasan_tag_reset() in kasan_poison_slab(). However in allocate_slab()
+page_address() is called before kasan_poison_slab(). Fix it by changing
+the order.
+
+[andreyknvl@google.com: fix compilation error when CONFIG_SLUB_DEBUG=n]
+ Link: http://lkml.kernel.org/r/ac27cc0bbaeb414ed77bcd6671a877cf3546d56e.1550066133.git.andreyknvl@google.com
+Link: http://lkml.kernel.org/r/cd895d627465a3f1c712647072d17f10883be2a1.1549921721.git.andreyknvl@google.com
+Signed-off-by: Andrey Konovalov
+Cc: Alexander Potapenko
+Cc: Andrey Ryabinin
+Cc: Catalin Marinas
+Cc: Christoph Lameter
+Cc: David Rientjes
+Cc: Dmitry Vyukov
+Cc: Evgeniy Stepanov
+Cc: Joonsoo Kim
+Cc: Kostya Serebryany
+Cc: Pekka Enberg
+Cc: Qian Cai
+Cc: Vincenzo Frascino
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ mm/slub.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 220d42e592ef..f14ef59c9e57 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1087,6 +1087,16 @@ static void setup_object_debug(struct kmem_cache *s, struct page *page,
+ init_tracking(s, object);
+ }
+
++static void setup_page_debug(struct kmem_cache *s, void *addr, int order)
++{
++ if (!(s->flags & SLAB_POISON))
++ return;
++
++ metadata_access_enable();
++ memset(addr, POISON_INUSE, PAGE_SIZE << order);
++ metadata_access_disable();
++}
++
+ static inline int alloc_consistency_checks(struct kmem_cache *s,
+ struct page *page,
+ void *object, unsigned long addr)
+@@ -1304,6 +1314,8 @@ unsigned long kmem_cache_flags(unsigned long object_size,
+ #else /* !CONFIG_SLUB_DEBUG */
+ static inline void setup_object_debug(struct kmem_cache *s,
+ struct page *page, void *object) {}
++static inline void setup_page_debug(struct kmem_cache *s,
++ void *addr, int order) {}
+
+ static inline int alloc_debug_processing(struct kmem_cache *s,
+ struct page *page, void *object, unsigned long addr) { return 0; }
+@@ -1599,12 +1611,11 @@ static struct page *allocate_slab(struct kmem_cache *s, gfp_t flags, int node)
+ if (page_is_pfmemalloc(page))
+ SetPageSlabPfmemalloc(page);
+
+- start = page_address(page);
++ kasan_poison_slab(page);
+
+- if (unlikely(s->flags & SLAB_POISON))
+- memset(start, POISON_INUSE, PAGE_SIZE << order);
++ start = page_address(page);
+
+- kasan_poison_slab(page);
++ setup_page_debug(s, start, order);
+
+ shuffle = shuffle_freelist(s, page);
+
+--
+2.19.1
+
diff --git a/queue-4.14/keys-fix-dependency-loop-between-construction-record.patch b/queue-4.14/keys-fix-dependency-loop-between-construction-record.patch
new file mode 100644
index 00000000000..bb90ce365d4
--- /dev/null
+++ b/queue-4.14/keys-fix-dependency-loop-between-construction-record.patch
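Review bot: Moving the poison fill into setup_page_debug() changes when it is built: the old `memset(start, POISON_INUSE, PAGE_SIZE << order)` in allocate_slab() was compiled unconditionally, while the new helper is an empty stub under !CONFIG_SLUB_DEBUG. Whether SLAB_POISON can be set in such a build is not visible here, so this may be harmless, but it should be stated above the helper once confirmed, e.g. `/* Poison the whole slab page; built only with CONFIG_SLUB_DEBUG, the only configuration in which SLAB_POISON can be set */`. The helper also newly wraps the memset in metadata_access_enable()/metadata_access_disable(), which the message does not mention. The rationale given is tag-based KASAN, so confirm the 4.14 tree has that mode before carrying the reorder.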
@@ -0,0 +1,531 @@
+From 8857b8d38602ede2ddd5662926f91ada5507384c Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Thu, 14 Feb 2019 16:20:25 +0000
+Subject: keys: Fix dependency loop between construction record and auth key
+
+[ Upstream commit 822ad64d7e46a8e2c8b8a796738d7b657cbb146d ]
+
+In the request_key() upcall mechanism there's a dependency loop by which if
+a key type driver overrides the ->request_key hook and the userspace side
+manages to lose the authorisation key, the auth key and the internal
+construction record (struct key_construction) can keep each other pinned.
+
+Fix this by the following changes:
+
+ (1) Killing off the construction record and using the auth key instead.
+
+ (2) Including the operation name in the auth key payload and making the
+ payload available outside of security/keys/.
+
+ (3) The ->request_key hook is given the authkey instead of the cons
+ record and operation name.
+
+Changes (2) and (3) allow the auth key to naturally be cleaned up if the
+keyring it is in is destroyed or cleared or the auth key is unlinked.
+
+Fixes: 7ee02a316600 ("keys: Fix dependency loop between construction record and auth key")
+Signed-off-by: David Howells
+Signed-off-by: James Morris
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/nfs4idmap.c | 31 ++++++------
+ include/keys/request_key_auth-type.h | 36 ++++++++++++++
+ include/linux/key-type.h | 22 +++------
+ security/keys/internal.h | 13 +----
+ security/keys/keyctl.c | 1 +
+ security/keys/process_keys.c | 1 +
+ security/keys/request_key.c | 72 +++++++++++-----------------
+ security/keys/request_key_auth.c | 16 ++++---
+ 8 files changed, 100 insertions(+), 92 deletions(-)
+ create mode 100644 include/keys/request_key_auth-type.h
+
+diff --git a/fs/nfs/nfs4idmap.c b/fs/nfs/nfs4idmap.c
+index b6f9d84ba19b..ae2d6f220627 100644
+--- a/fs/nfs/nfs4idmap.c
++++ b/fs/nfs/nfs4idmap.c
+@@ -44,6 +44,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #include "internal.h"
+@@ -59,7 +60,7 @@ static struct key_type key_type_id_resolver_legacy;
+ struct idmap_legacy_upcalldata {
+ struct rpc_pipe_msg pipe_msg;
+ struct idmap_msg idmap_msg;
+- struct key_construction *key_cons;
++ struct key *authkey;
+ struct idmap *idmap;
+ };
+
+@@ -384,7 +385,7 @@ static const match_table_t nfs_idmap_tokens = {
+ { Opt_find_err, NULL }
+ };
+
+-static int nfs_idmap_legacy_upcall(struct key_construction *, const char *, void *);
++static int nfs_idmap_legacy_upcall(struct key *, void *);
+ static ssize_t idmap_pipe_downcall(struct file *, const char __user *,
+ size_t);
+ static void idmap_release_pipe(struct inode *);
+@@ -545,11 +546,12 @@ nfs_idmap_prepare_pipe_upcall(struct idmap *idmap,
+ static void
+ nfs_idmap_complete_pipe_upcall_locked(struct idmap *idmap, int ret)
+ {
+- struct key_construction *cons = idmap->idmap_upcall_data->key_cons;
++ struct key *authkey = idmap->idmap_upcall_data->authkey;
+
+ kfree(idmap->idmap_upcall_data);
+ idmap->idmap_upcall_data = NULL;
+- complete_request_key(cons, ret);
++ complete_request_key(authkey, ret);
++ key_put(authkey);
+ }
+
+ static void
+@@ -559,15 +561,14 @@ nfs_idmap_abort_pipe_upcall(struct idmap *idmap, int ret)
+ nfs_idmap_complete_pipe_upcall_locked(idmap, ret);
+ }
+
+-static int nfs_idmap_legacy_upcall(struct key_construction *cons,
+- const char *op,
+- void *aux)
++static int nfs_idmap_legacy_upcall(struct key *authkey, void *aux)
+ {
+ struct idmap_legacy_upcalldata *data;
++ struct request_key_auth *rka = get_request_key_auth(authkey);
+ struct rpc_pipe_msg *msg;
+ struct idmap_msg *im;
+ struct idmap *idmap = (struct idmap *)aux;
+- struct key *key = cons->key;
++ struct key *key = rka->target_key;
+ int ret = -ENOKEY;
+
+ if (!aux)
+@@ -582,7 +583,7 @@ static int nfs_idmap_legacy_upcall(struct key_construction *cons,
+ msg = &data->pipe_msg;
+ im = &data->idmap_msg;
+ data->idmap = idmap;
+- data->key_cons = cons;
++ data->authkey = key_get(authkey);
+
+ ret = nfs_idmap_prepare_message(key->description, idmap, im, msg);
+ if (ret < 0)
+@@ -600,7 +601,7 @@ static int nfs_idmap_legacy_upcall(struct key_construction *cons,
+ out2:
+ kfree(data);
+ out1:
+- complete_request_key(cons, ret);
++ complete_request_key(authkey, ret);
+ return ret;
+ }
+
+@@ -647,9 +648,10 @@ out:
+ static ssize_t
+ idmap_pipe_downcall(struct file *filp, const char __user *src, size_t mlen)
+ {
++ struct request_key_auth *rka;
+ struct rpc_inode *rpci = RPC_I(file_inode(filp));
+ struct idmap *idmap = (struct idmap *)rpci->private;
+- struct key_construction *cons;
++ struct key *authkey;
+ struct idmap_msg im;
+ size_t namelen_in;
+ int ret = -ENOKEY;
+@@ -661,7 +663,8 @@ idmap_pipe_downcall(struct file *filp, const char __user *src, size_t mlen)
+ if (idmap->idmap_upcall_data == NULL)
+ goto out_noupcall;
+
+- cons = idmap->idmap_upcall_data->key_cons;
++ authkey = idmap->idmap_upcall_data->authkey;
++ rka = get_request_key_auth(authkey);
+
+ if (mlen != sizeof(im)) {
+ ret = -ENOSPC;
+@@ -686,9 +689,9 @@ idmap_pipe_downcall(struct file *filp, const char __user *src, size_t mlen)
+
+ ret = nfs_idmap_read_and_verify_message(&im,
+ &idmap->idmap_upcall_data->idmap_msg,
+- cons->key, cons->authkey);
++ rka->target_key, authkey);
+ if (ret >= 0) {
+- key_set_timeout(cons->key, nfs_idmap_cache_timeout);
++ key_set_timeout(rka->target_key, nfs_idmap_cache_timeout);
+ ret = mlen;
+ }
+
+diff --git a/include/keys/request_key_auth-type.h b/include/keys/request_key_auth-type.h
+new file mode 100644
+index 000000000000..a726dd3f1dc6
+--- /dev/null
++++ b/include/keys/request_key_auth-type.h
+@@ -0,0 +1,36 @@
++/* request_key authorisation token key type
++ *
++ * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved.
++ * Written by David Howells (dhowells@redhat.com)
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public Licence
++ * as published by the Free Software Foundation; either version
++ * 2 of the Licence, or (at your option) any later version.
++ */
++
++#ifndef _KEYS_REQUEST_KEY_AUTH_TYPE_H
++#define _KEYS_REQUEST_KEY_AUTH_TYPE_H
++
++#include
++
++/*
++ * Authorisation record for request_key().
++ */
++struct request_key_auth {
++ struct key *target_key;
++ struct key *dest_keyring;
++ const struct cred *cred;
++ void *callout_info;
++ size_t callout_len;
++ pid_t pid;
++ char op[8];
++} __randomize_layout;
++
++static inline struct request_key_auth *get_request_key_auth(const struct key *key)
++{
++ return key->payload.data[0];
++}
++
++
++#endif /* _KEYS_REQUEST_KEY_AUTH_TYPE_H */
+diff --git a/include/linux/key-type.h b/include/linux/key-type.h
+index 9520fc3c3b9a..dfb3ba782d2c 100644
+--- a/include/linux/key-type.h
++++ b/include/linux/key-type.h
+@@ -17,15 +17,6 @@
+
+ #ifdef CONFIG_KEYS
+
+-/*
+- * key under-construction record
+- * - passed to the request_key actor if supplied
+- */
+-struct key_construction {
+- struct key *key; /* key being constructed */
+- struct key *authkey;/* authorisation for key being constructed */
+-};
+-
+ /*
+ * Pre-parsed payload, used by key add, update and instantiate.
+ *
+@@ -47,8 +38,7 @@ struct key_preparsed_payload {
+ time_t expiry; /* Expiry time of key */
+ } __randomize_layout;
+
+-typedef int (*request_key_actor_t)(struct key_construction *key,
+- const char *op, void *aux);
++typedef int (*request_key_actor_t)(struct key *auth_key, void *aux);
+
+ /*
+ * Preparsed matching criterion.
+@@ -170,20 +160,20 @@ extern int key_instantiate_and_link(struct key *key,
+ const void *data,
+ size_t datalen,
+ struct key *keyring,
+- struct key *instkey);
++ struct key *authkey);
+ extern int key_reject_and_link(struct key *key,
+ unsigned timeout,
+ unsigned error,
+ struct key *keyring,
+- struct key *instkey);
+-extern void complete_request_key(struct key_construction *cons, int error);
++ struct key *authkey);
++extern void complete_request_key(struct key *authkey, int error);
+
+ static inline int key_negate_and_link(struct key *key,
+ unsigned timeout,
+ struct key *keyring,
+- struct key *instkey)
++ struct key *authkey)
+ {
+- return key_reject_and_link(key, timeout, ENOKEY, keyring, instkey);
++ return key_reject_and_link(key, timeout, ENOKEY, keyring, authkey);
+ }
+
+ extern int generic_key_instantiate(struct key *key, struct key_preparsed_payload *prep);
+diff --git a/security/keys/internal.h b/security/keys/internal.h
+index 503adbae7b0d..e3a573840186 100644
+--- a/security/keys/internal.h
++++ b/security/keys/internal.h
+@@ -188,20 +188,9 @@ static inline int key_permission(const key_ref_t key_ref, unsigned perm)
+ return key_task_permission(key_ref, current_cred(), perm);
+ }
+
+-/*
+- * Authorisation record for request_key().
+- */
+-struct request_key_auth {
+- struct key *target_key;
+- struct key *dest_keyring;
+- const struct cred *cred;
+- void *callout_info;
+- size_t callout_len;
+- pid_t pid;
+-} __randomize_layout;
+-
+ extern struct key_type key_type_request_key_auth;
+ extern struct key *request_key_auth_new(struct key *target,
++ const char *op,
+ const void *callout_info,
+ size_t callout_len,
+ struct key *dest_keyring);
+diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
+index 1ffe60bb2845..ca31af186abd 100644
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -26,6 +26,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "internal.h"
+
+ #define KEY_MAX_DESC_SIZE 4096
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
+index 740affd65ee9..5f2993ab2d50 100644
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -20,6 +20,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "internal.h"
+
+ /* Session keyring create vs join semaphore */
+diff --git a/security/keys/request_key.c b/security/keys/request_key.c
+index c707fdbb3429..2ecd67221476 100644
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -18,31 +18,30 @@
+ #include
+ #include
+ #include "internal.h"
++#include
+
+ #define key_negative_timeout 60 /* default timeout on a negative key's existence */
+
+ /**
+ * complete_request_key - Complete the construction of a key.
+- * @cons: The key construction record.
++ * @auth_key: The authorisation key.
+ * @error: The success or failute of the construction.
+ *
+ * Complete the attempt to construct a key. The key will be negated
+ * if an error is indicated. The authorisation key will be revoked
+ * unconditionally.
+ */
+-void complete_request_key(struct key_construction *cons, int error)
++void complete_request_key(struct key *authkey, int error)
+ {
+- kenter("{%d,%d},%d", cons->key->serial, cons->authkey->serial, error);
++ struct request_key_auth *rka = get_request_key_auth(authkey);
++ struct key *key = rka->target_key;
++
++ kenter("%d{%d},%d", authkey->serial, key->serial, error);
+
+ if (error < 0)
+- key_negate_and_link(cons->key, key_negative_timeout, NULL,
+- cons->authkey);
++ key_negate_and_link(key, key_negative_timeout, NULL, authkey);
+ else
+- key_revoke(cons->authkey);
+-
+- key_put(cons->key);
+- key_put(cons->authkey);
+- kfree(cons);
++ key_revoke(authkey);
+ }
+ EXPORT_SYMBOL(complete_request_key);
+
+@@ -91,21 +90,19 @@ static int call_usermodehelper_keys(const char *path, char **argv, char **envp,
+ * Request userspace finish the construction of a key
+ * - execute "/sbin/request-key "
+ */
+-static int call_sbin_request_key(struct key_construction *cons,
+- const char *op,
+- void *aux)
++static int call_sbin_request_key(struct key *authkey, void *aux)
+ {
+ static char const request_key[] = "/sbin/request-key";
++ struct request_key_auth *rka = get_request_key_auth(authkey);
+ const struct cred *cred = current_cred();
+ key_serial_t prkey, sskey;
+- struct key *key = cons->key, *authkey = cons->authkey, *keyring,
+- *session;
++ struct key *key = rka->target_key, *keyring, *session;
+ char *argv[9], *envp[3], uid_str[12], gid_str[12];
+ char key_str[12], keyring_str[3][12];
+ char desc[20];
+ int ret, i;
+
+- kenter("{%d},{%d},%s", key->serial, authkey->serial, op);
++ kenter("{%d},{%d},%s", key->serial, authkey->serial, rka->op);
+
+ ret = install_user_keyrings();
+ if (ret < 0)
+@@ -163,7 +160,7 @@ static int call_sbin_request_key(struct key_construction *cons,
+ /* set up the argument list */
+ i = 0;
+ argv[i++] = (char *)request_key;
+- argv[i++] = (char *) op;
++ argv[i++] = (char *)rka->op;
+ argv[i++] = key_str;
+ argv[i++] = uid_str;
+ argv[i++] = gid_str;
+@@ -191,7 +188,7 @@ error_link:
+ key_put(keyring);
+
+ error_alloc:
+- complete_request_key(cons, ret);
++ complete_request_key(authkey, ret);
+ kleave(" = %d", ret);
+ return ret;
+ }
+@@ -205,42 +202,31 @@ static int construct_key(struct key *key, const void *callout_info,
+ size_t callout_len, void *aux,
+ struct key *dest_keyring)
+ {
+- struct key_construction *cons;
+ request_key_actor_t actor;
+ struct key *authkey;
+ int ret;
+
+ kenter("%d,%p,%zu,%p", key->serial, callout_info, callout_len, aux);
+
+- cons = kmalloc(sizeof(*cons), GFP_KERNEL);
+- if (!cons)
+- return -ENOMEM;
+-
+ /* allocate an authorisation key */
+- authkey = request_key_auth_new(key, callout_info, callout_len,
++ authkey = request_key_auth_new(key, "create", callout_info, callout_len,
+ dest_keyring);
+- if (IS_ERR(authkey)) {
+- kfree(cons);
+- ret = PTR_ERR(authkey);
+- authkey = NULL;
+- } else {
+- cons->authkey = key_get(authkey);
+- cons->key = key_get(key);
++ if (IS_ERR(authkey))
++ return PTR_ERR(authkey);
+
+- /* make the call */
+- actor = call_sbin_request_key;
+- if (key->type->request_key)
+- actor = key->type->request_key;
++ /* Make the call */
++ actor = call_sbin_request_key;
++ if (key->type->request_key)
++ actor = key->type->request_key;
+
+- ret = actor(cons, "create", aux);
++ ret = actor(authkey, aux);
+
+- /* check that the actor called complete_request_key() prior to
+- * returning an error */
+- WARN_ON(ret < 0 &&
+- !test_bit(KEY_FLAG_REVOKED, &authkey->flags));
+- key_put(authkey);
+- }
++ /* check that the actor called complete_request_key() prior to
++ * returning an error */
++ WARN_ON(ret < 0 &&
++ !test_bit(KEY_FLAG_REVOKED, &authkey->flags));
+
++ key_put(authkey);
+ kleave(" = %d", ret);
+ return ret;
+ }
+@@ -275,7 +261,7 @@ static int construct_get_dest_keyring(struct key **_dest_keyring)
+ if (cred->request_key_auth) {
+ authkey = cred->request_key_auth;
+ down_read(&authkey->sem);
+- rka = authkey->payload.data[0];
++ rka = get_request_key_auth(authkey);
+ if (!test_bit(KEY_FLAG_REVOKED,
+ &authkey->flags))
+ dest_keyring =
+diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
+index 6797843154f0..5e515791ccd1 100644
+--- a/security/keys/request_key_auth.c
++++ b/security/keys/request_key_auth.c
+@@ -18,7 +18,7 @@
+ #include
+ #include
+ #include "internal.h"
+-#include
++#include
+
+ static int request_key_auth_preparse(struct key_preparsed_payload *);
+ static void request_key_auth_free_preparse(struct key_preparsed_payload *);
+@@ -69,7 +69,7 @@ static int request_key_auth_instantiate(struct key *key,
+ static void request_key_auth_describe(const struct key *key,
+ struct seq_file *m)
+ {
+- struct request_key_auth *rka = key->payload.data[0];
++ struct request_key_auth *rka = get_request_key_auth(key);
+
+ seq_puts(m, "key:");
+ seq_puts(m, key->description);
+@@ -84,7 +84,7 @@ static void request_key_auth_describe(const struct key *key,
+ static long request_key_auth_read(const struct key *key,
+ char __user *buffer, size_t buflen)
+ {
+- struct request_key_auth *rka = key->payload.data[0];
++ struct request_key_auth *rka = get_request_key_auth(key);
+ size_t datalen;
+ long ret;
+
+@@ -110,7 +110,7 @@ static long request_key_auth_read(const struct key *key,
+ */
+ static void request_key_auth_revoke(struct key *key)
+ {
+- struct request_key_auth *rka = key->payload.data[0];
++ struct request_key_auth *rka = get_request_key_auth(key);
+
+ kenter("{%d}", key->serial);
+
+@@ -137,7 +137,7 @@ static void free_request_key_auth(struct request_key_auth *rka)
+ */
+ static void request_key_auth_destroy(struct key *key)
+ {
+- struct request_key_auth *rka = key->payload.data[0];
++ struct request_key_auth *rka = get_request_key_auth(key);
+
+ kenter("{%d}", key->serial);
+
+@@ -148,8 +148,9 @@ static void request_key_auth_destroy(struct key *key)
+ * Create an authorisation token for /sbin/request-key or whoever to gain
+ * access to the caller's security data.
+ */
+-struct key *request_key_auth_new(struct key *target, const void *callout_info,
+- size_t callout_len, struct key *dest_keyring)
++struct key *request_key_auth_new(struct key *target, const char *op,
++ const void *callout_info, size_t callout_len,
++ struct key *dest_keyring)
+ {
+ struct request_key_auth *rka, *irka;
+ const struct cred *cred = current->cred;
+@@ -167,6 +168,7 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info,
+ if (!rka->callout_info)
+ goto error_free_rka;
+ rka->callout_len = callout_len;
++ strlcpy(rka->op, op, sizeof(rka->op));
+
+ /* see if the calling process is already servicing the key request of
+ * another process */
+--
+2.19.1
+
diff --git a/queue-4.14/kvm-arm-arm64-reset-the-vcpu-without-preemption-and-.patch b/queue-4.14/kvm-arm-arm64-reset-the-vcpu-without-preemption-and-.patch
new file mode 100644
index 00000000000..7c96a9fe142
--- /dev/null
+++ b/queue-4.14/kvm-arm-arm64-reset-the-vcpu-without-preemption-and-.patch
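Review bot: In nfs_idmap_legacy_upcall() the new `data->authkey = key_get(authkey);` takes a reference that the `out2:` path does not drop: that path only does `kfree(data)` and then `complete_request_key(authkey, ret)`, and complete_request_key() no longer puts the auth key after this patch. The gotos between the hunks are not visible, but if a failure after the key_get() lands on `out2`, the auth key stays pinned, which is the kind of leak the commit sets out to remove; `out2: key_put(data->authkey); kfree(data);` would balance it, provided out2 is only reachable once the reference is held. Separately, `strlcpy(rka->op, op, sizeof(rka->op))` silently truncates any operation name longer than seven characters into `char op[8]` (only "create" is passed here), which deserves a comment on the field. The kernel-doc for complete_request_key() also documents `@auth_key` while the parameter is named `authkey`.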
@@ -0,0 +1,87 @@ +From 816251e46d9f4021a26cf3b2dd02a09d34f7b8e2 Mon Sep 17 00:00:00 2001 +From: Christoffer Dall +Date: Thu, 20 Dec 2018 12:44:05 +0100 +Subject: KVM: arm/arm64: Reset the VCPU without preemption and vcpu state + loaded + +[ Upstream commit e761a927bc9a7ee6ceb7c4f63d5922dbced87f0d ] + +We have two ways to reset a vcpu: +- either through VCPU_INIT +- or through a PSCI_ON call + +The first one is easy to reason about. The second one is implemented +in a more bizarre way, as it is the vcpu that handles PSCI_ON that +resets the vcpu that is being powered-on. As we need to turn the logic +around and have the target vcpu to reset itself, we must take some +preliminary steps. + +Resetting the VCPU state modifies the system register state in memory, +but this may interact with vcpu_load/vcpu_put if running with preemption +disabled, which in turn may lead to corrupted system register state. + +Address this by disabling preemption and doing put/load if required +around the reset logic. + +Reviewed-by: Andrew Jones +Signed-off-by: Christoffer Dall +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + arch/arm64/kvm/reset.c | 26 ++++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/kvm/reset.c b/arch/arm64/kvm/reset.c +index a74311beda35..c1c5a57249d2 100644 +--- a/arch/arm64/kvm/reset.c ++++ b/arch/arm64/kvm/reset.c +@@ -95,16 +95,33 @@ int kvm_arch_dev_ioctl_check_extension(struct kvm *kvm, long ext) + * This function finds the right table above and sets the registers on + * the virtual CPU struct to their architecturally defined reset + * values. ++ * ++ * Note: This function can be called from two paths: The KVM_ARM_VCPU_INIT ++ * ioctl or as part of handling a request issued by another VCPU in the PSCI ++ * handling code. In the first case, the VCPU will not be loaded, and in the ++ * second case the VCPU will be loaded. 
Because this function operates purely ++ * on the memory-backed valus of system registers, we want to do a full put if ++ * we were loaded (handling a request) and load the values back at the end of ++ * the function. Otherwise we leave the state alone. In both cases, we ++ * disable preemption around the vcpu reset as we would otherwise race with ++ * preempt notifiers which also call put/load. + */ + int kvm_reset_vcpu(struct kvm_vcpu *vcpu) + { + const struct kvm_regs *cpu_reset; ++ int ret = -EINVAL; ++ bool loaded; ++ ++ preempt_disable(); ++ loaded = (vcpu->cpu != -1); ++ if (loaded) ++ kvm_arch_vcpu_put(vcpu); + + switch (vcpu->arch.target) { + default: + if (test_bit(KVM_ARM_VCPU_EL1_32BIT, vcpu->arch.features)) { + if (!cpu_has_32bit_el1()) +- return -EINVAL; ++ goto out; + cpu_reset = &default_regs_reset32; + } else { + cpu_reset = &default_regs_reset; +@@ -127,5 +144,10 @@ int kvm_reset_vcpu(struct kvm_vcpu *vcpu) + vcpu->arch.workaround_flags |= VCPU_WORKAROUND_2_FLAG; + + /* Reset timer */ +- return kvm_timer_vcpu_reset(vcpu); ++ ret = kvm_timer_vcpu_reset(vcpu); ++out: ++ if (loaded) ++ kvm_arch_vcpu_load(vcpu, smp_processor_id()); ++ preempt_enable(); ++ return ret; + } +-- +2.19.1 + diff --git a/queue-4.14/mac80211-fix-tx-aggregation-session-tear-down-with-i.patch b/queue-4.14/mac80211-fix-tx-aggregation-session-tear-down-with-i.patch new file mode 100644 index 00000000000..ab9ec1c0794 --- /dev/null +++ b/queue-4.14/mac80211-fix-tx-aggregation-session-tear-down-with-i.patch 
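Review bot: Only the `cpu_has_32bit_el1()` failure is shown being converted to `goto out`; kvm_reset_vcpu() now runs between preempt_disable() and preempt_enable(), so any other `return` left in the part of the body between the two hunks would exit with preemption still disabled and the vcpu not reloaded. That part of the function is outside the hunks, so it should be checked against the full 4.14 source. In the added comment, `memory-backed valus` should read `memory-backed values`.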
@@ -0,0 +1,56 @@
+From 5f479efd921f08a4a9f64db734c46e86ff6454de Mon Sep 17 00:00:00 2001
+From: Ilan Peer
+Date: Wed, 6 Feb 2019 13:17:21 +0200
+Subject: mac80211: Fix Tx aggregation session tear down with ITXQs
+
+[ Upstream commit 6157ca0d6bfe437691b1e98a62e2efe12b6714da ]
+
+When mac80211 requests the low level driver to stop an ongoing
+Tx aggregation, the low level driver is expected to call
+ieee80211_stop_tx_ba_cb_irqsafe() to indicate that it is ready
+to stop the session. The callback in turn schedules a worker
+to complete the session tear down, which in turn also handles
+the relevant state for the intermediate Tx queue.
+
+However, as this flow in asynchronous, the intermediate queue
+should be stopped and not continue servicing frames, as in
+such a case frames that are dequeued would be marked as part
+of an aggregation, although the aggregation is already been
+stopped.
+
+Fix this by stopping the intermediate Tx queue, before
+calling the low level driver to stop the Tx aggregation.
+
+Signed-off-by: Ilan Peer
+Signed-off-by: Luca Coelho
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/agg-tx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
+index 197947a07f83..ed57db9b6086 100644
+--- a/net/mac80211/agg-tx.c
++++ b/net/mac80211/agg-tx.c
+@@ -8,7 +8,7 @@
+ * Copyright 2007, Michael Wu
+ * Copyright 2007-2010, Intel Corporation
+ * Copyright(c) 2015-2017 Intel Deutschland GmbH
+- * Copyright (C) 2018 Intel Corporation
++ * Copyright (C) 2018 - 2019 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+@@ -361,6 +361,8 @@ int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
+
+ set_bit(HT_AGG_STATE_STOPPING, &tid_tx->state);
+
++ ieee80211_agg_stop_txq(sta, tid);
++
+ spin_unlock_bh(&sta->lock);
+
+ ht_dbg(sta->sdata, "Tx BA session stop requested for %pM tid %u\n",
+-- 
+2.19.1
+
diff --git a/queue-4.14/mac80211_hwsim-propagate-genlmsg_reply-return-code.patch b/queue-4.14/mac80211_hwsim-propagate-genlmsg_reply-return-code.patch
new file mode 100644
index 00000000000..179146104ae
--- /dev/null
+++ b/queue-4.14/mac80211_hwsim-propagate-genlmsg_reply-return-code.patch
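Review bot: The added `ieee80211_agg_stop_txq(sta, tid);` after `set_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)` carries no comment, so the ordering the commit message relies on (intermediate queue stopped before the driver is asked to stop the session) is not recorded in the code. A short comment would keep the call from being moved later in a future cleanup: `/* stop the intermediate TXQ first, so no dequeued frame is still marked as part of the aggregation */`. ___ieee80211_stop_tx_ba_session() starts and ends outside the hunk.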
@@ -0,0 +1,32 @@
+From 40259f10ec7b9b60aa4942b121a3c291fcc1abfc Mon Sep 17 00:00:00 2001
+From: Li RongQing
+Date: Tue, 19 Feb 2019 13:12:40 +0800
+Subject: mac80211_hwsim: propagate genlmsg_reply return code
+
+[ Upstream commit 17407715240456448e4989bee46ffc93991add83 ]
+
+genlmsg_reply can fail, so propagate its return code
+
+Signed-off-by: Li RongQing
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/mac80211_hwsim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
+index 8f57ca969c9f..27224dc26413 100644
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -3241,7 +3241,7 @@ static int hwsim_get_radio_nl(struct sk_buff *msg, struct genl_info *info)
+ goto out_err;
+ }
+
+- genlmsg_reply(skb, info);
++ res = genlmsg_reply(skb, info);
+ break;
+ }
+
+-- 
+2.19.1
+
diff --git a/queue-4.14/mailbox-bcm-flexrm-mailbox-fix-flexrm-ring-flush-tim.patch b/queue-4.14/mailbox-bcm-flexrm-mailbox-fix-flexrm-ring-flush-tim.patch
new file mode 100644
index 00000000000..f4ba6dc8d73
--- /dev/null
+++ b/queue-4.14/mailbox-bcm-flexrm-mailbox-fix-flexrm-ring-flush-tim.patch
@@ -0,0 +1,40 @@
+From 0bb42df6c9991ab7c90ed142c10d2da773b04a3f Mon Sep 17 00:00:00 2001
+From: Rayagonda Kokatanur
+Date: Mon, 4 Feb 2019 11:21:29 -0800
+Subject: mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush timeout issue
+
+[ Upstream commit d7bf31a0f85faaf63c63c39d55154825a1eaaea9 ]
+
+RING_CONTROL reg was not written due to wrong address, hence all
+the subsequent ring flush was timing out.
+
+Fixes: a371c10ea4b3 ("mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush sequence")
+
+Signed-off-by: Rayagonda Kokatanur
+Signed-off-by: Ray Jui
+Reviewed-by: Scott Branden
+Signed-off-by: Jassi Brar
+Signed-off-by: Sasha Levin
+---
+ drivers/mailbox/bcm-flexrm-mailbox.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mailbox/bcm-flexrm-mailbox.c b/drivers/mailbox/bcm-flexrm-mailbox.c
+index f052a3eb2098..7e3ed2714630 100644
+--- a/drivers/mailbox/bcm-flexrm-mailbox.c
++++ b/drivers/mailbox/bcm-flexrm-mailbox.c
+@@ -1381,9 +1381,9 @@ static void flexrm_shutdown(struct mbox_chan *chan)
+
+ /* Clear ring flush state */
+ timeout = 1000; /* timeout of 1s */
+- writel_relaxed(0x0, ring + RING_CONTROL);
++ writel_relaxed(0x0, ring->regs + RING_CONTROL);
+ do {
+- if (!(readl_relaxed(ring + RING_FLUSH_DONE) &
++ if (!(readl_relaxed(ring->regs + RING_FLUSH_DONE) &
+ FLUSH_DONE_MASK))
+ break;
+ mdelay(1);
+-- 
+2.19.1
+
diff --git a/queue-4.14/mm-gup-fix-gup_pmd_range-for-dax.patch b/queue-4.14/mm-gup-fix-gup_pmd_range-for-dax.patch
new file mode 100644
index 00000000000..78148270951
--- /dev/null
+++ b/queue-4.14/mm-gup-fix-gup_pmd_range-for-dax.patch
@@ -0,0 +1,48 @@
+From a5f7bbe4a8a35ccf65738311c1eea15c7dd64fe2 Mon Sep 17 00:00:00 2001
+From: Yu Zhao
+Date: Tue, 12 Feb 2019 15:35:58 -0800
+Subject: mm/gup: fix gup_pmd_range() for dax
+
+[ Upstream commit 414fd080d125408cb15d04ff4907e1dd8145c8c7 ]
+
+For dax pmd, pmd_trans_huge() returns false but pmd_huge() returns true
+on x86. So the function works as long as hugetlb is configured.
+However, dax doesn't depend on hugetlb.
+
+Link: http://lkml.kernel.org/r/20190111034033.601-1-yuzhao@google.com
+Signed-off-by: Yu Zhao
+Reviewed-by: Jan Kara
+Cc: Dan Williams
+Cc: Huang Ying
+Cc: Matthew Wilcox
+Cc: Keith Busch
+Cc: "Michael S . Tsirkin"
+Cc: John Hubbard
+Cc: Wei Yang
+Cc: Mike Rapoport
+Cc: Andrea Arcangeli
+Cc: "Kirill A . Shutemov"
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ mm/gup.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/mm/gup.c b/mm/gup.c
+index 4cc8a6ff0f56..7c0e5b1bbcd4 100644
+--- a/mm/gup.c
++++ b/mm/gup.c
+@@ -1643,7 +1643,8 @@ static int gup_pmd_range(pud_t pud, unsigned long addr, unsigned long end,
+ if (!pmd_present(pmd))
+ return 0;
+
+- if (unlikely(pmd_trans_huge(pmd) || pmd_huge(pmd))) {
++ if (unlikely(pmd_trans_huge(pmd) || pmd_huge(pmd) ||
++ pmd_devmap(pmd))) {
+ /*
+ * NUMA hinting faults need to be handled in the GUP
+ * slowpath for accounting purposes and so that they
+-- 
+2.19.1
+
diff --git a/queue-4.14/mm-page_alloc-fix-ref-bias-in-page_frag_alloc-for-1-.patch b/queue-4.14/mm-page_alloc-fix-ref-bias-in-page_frag_alloc-for-1-.patch
new file mode 100644
index 00000000000..5ffc1574aac
--- /dev/null
+++ b/queue-4.14/mm-page_alloc-fix-ref-bias-in-page_frag_alloc-for-1-.patch
@@ -0,0 +1,72 @@
+From a9b70022d02dc22155775b9ef8246a1559dc8d3c Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Wed, 13 Feb 2019 22:45:59 +0100
+Subject: mm: page_alloc: fix ref bias in page_frag_alloc() for 1-byte allocs
+
+[ Upstream commit 2c2ade81741c66082f8211f0b96cf509cc4c0218 ]
+
+The basic idea behind ->pagecnt_bias is: If we pre-allocate the maximum
+number of references that we might need to create in the fastpath later,
+the bump-allocation fastpath only has to modify the non-atomic bias value
+that tracks the number of extra references we hold instead of the atomic
+refcount. The maximum number of allocations we can serve (under the
+assumption that no allocation is made with size 0) is nc->size, so that's
+the bias used.
+
+However, even when all memory in the allocation has been given away, a
+reference to the page is still held; and in the `offset < 0` slowpath, the
+page may be reused if everyone else has dropped their references.
+This means that the necessary number of references is actually
+`nc->size+1`.
+
+Luckily, from a quick grep, it looks like the only path that can call
+page_frag_alloc(fragsz=1) is TAP with the IFF_NAPI_FRAGS flag, which
+requires CAP_NET_ADMIN in the init namespace and is only intended to be
+used for kernel testing and fuzzing.
+
+To test for this issue, put a `WARN_ON(page_ref_count(page) == 0)` in the
+`offset < 0` path, below the virt_to_page() call, and then repeatedly call
+writev() on a TAP device with IFF_TAP|IFF_NO_PI|IFF_NAPI_FRAGS|IFF_NAPI,
+with a vector consisting of 15 elements containing 1 byte each.
+
+Signed-off-by: Jann Horn
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ mm/page_alloc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index a2f365f40433..40075c1946b3 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -4325,11 +4325,11 @@ refill:
+ /* Even if we own the page, we do not use atomic_set().
+ * This would break get_page_unless_zero() users.
+ */
+- page_ref_add(page, size - 1);
++ page_ref_add(page, size);
+
+ /* reset page count bias and offset to start of new frag */
+ nc->pfmemalloc = page_is_pfmemalloc(page);
+- nc->pagecnt_bias = size;
++ nc->pagecnt_bias = size + 1;
+ nc->offset = size;
+ }
+
+@@ -4345,10 +4345,10 @@ refill:
+ size = nc->size;
+ #endif
+ /* OK, page count is 0, we can safely set it */
+- set_page_count(page, size);
++ set_page_count(page, size + 1);
+
+ /* reset page count bias and offset to start of new frag */
+- nc->pagecnt_bias = size;
++ nc->pagecnt_bias = size + 1;
+ offset = size - fragsz;
+ }
+
+-- 
+2.19.1
+
diff --git a/queue-4.14/net-hns-fix-object-reference-leaks-in-hns_dsaf_roce_.patch b/queue-4.14/net-hns-fix-object-reference-leaks-in-hns_dsaf_roce_.patch
new file mode 100644
index 00000000000..ed8ed258c25
--- /dev/null
+++ b/queue-4.14/net-hns-fix-object-reference-leaks-in-hns_dsaf_roce_.patch
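Review bot: The extra reference is written three different ways in the new code (`page_ref_add(page, size)`, `set_page_count(page, size + 1)` and `nc->pagecnt_bias = size + 1` twice), while the unchanged comment `/* reset page count bias and offset to start of new frag */` still does not say why the bias is one more than the number of fragments that can be handed out. A one-line comment at each reset would record the invariant from the commit message, for example `/* size fragments plus the reference the cache itself keeps on the page */`. A miscounted bias here lets the page refcount reach zero while the cache still uses the page, so the reasoning belongs next to the code and not only in the changelog. Both hunks sit inside a function whose start and end are outside the hunks.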
@@ -0,0 +1,40 @@
+From eb9260a89860016a155ea34b602c886270f0dc72 Mon Sep 17 00:00:00 2001
+From: Huang Zijiang
+Date: Thu, 14 Feb 2019 14:41:45 +0800
+Subject: net: hns: Fix object reference leaks in hns_dsaf_roce_reset()
+
+[ Upstream commit c969c6e7ab8cb42b5c787c567615474fdbad9d6a ]
+
+The of_find_device_by_node() takes a reference to the underlying device
+structure, we should release that reference.
+
+Signed-off-by: Huang Zijiang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
+index 51d42d7f6074..7e82dfbb4340 100644
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
+@@ -3074,6 +3074,7 @@ int hns_dsaf_roce_reset(struct fwnode_handle *dsaf_fwnode, bool dereset)
+ dsaf_dev = dev_get_drvdata(&pdev->dev);
+ if (!dsaf_dev) {
+ dev_err(&pdev->dev, "dsaf_dev is NULL\n");
++ put_device(&pdev->dev);
+ return -ENODEV;
+ }
+
+@@ -3081,6 +3082,7 @@ int hns_dsaf_roce_reset(struct fwnode_handle *dsaf_fwnode, bool dereset)
+ if (AE_IS_VER1(dsaf_dev->dsaf_ver)) {
+ dev_err(dsaf_dev->dev, "%s v1 chip doesn't support RoCE!\n",
+ dsaf_dev->ae_dev.name);
++ put_device(&pdev->dev);
+ return -ENODEV;
+ }
+
+-- 
+2.19.1
+
diff --git a/queue-4.14/net-marvell-mvneta-fix-dma-debug-warning.patch b/queue-4.14/net-marvell-mvneta-fix-dma-debug-warning.patch
new file mode 100644
index 00000000000..75f8ac778ab
--- /dev/null
+++ b/queue-4.14/net-marvell-mvneta-fix-dma-debug-warning.patch
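Review bot: `put_device(&pdev->dev)` is added only on the two `return -ENODEV` exits shown, and the hunks do not show the remaining exits of hns_dsaf_roce_reset(), including the success return, so it cannot be confirmed from here that the reference is dropped on every path. Repeating the call per branch is also easy to miss when another exit is added later. A single exit label would make the pairing checkable in one place: set `ret = -ENODEV; goto out_put;` in the error branches and call `put_device(&pdev->dev);` once before the final return. The function starts and ends outside both hunks.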
@@ -0,0 +1,58 @@ +From 1b6ba4915074884896518ccc210aabbfec98f130 Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Fri, 15 Feb 2019 13:55:47 +0000 +Subject: net: marvell: mvneta: fix DMA debug warning + +[ Upstream commit a8fef9ba58c9966ddb1fec916d8d8137c9d8bc89 ] + +Booting 4.20 on SolidRun Clearfog issues this warning with DMA API +debug enabled: + +WARNING: CPU: 0 PID: 555 at kernel/dma/debug.c:1230 check_sync+0x514/0x5bc +mvneta f1070000.ethernet: DMA-API: device driver tries to sync DMA memory it has not allocated [device address=0x000000002dd7dc00] [size=240 bytes] +Modules linked in: ahci mv88e6xxx dsa_core xhci_plat_hcd xhci_hcd devlink armada_thermal marvell_cesa des_generic ehci_orion phy_armada38x_comphy mcp3021 spi_orion evbug sfp mdio_i2c ip_tables x_tables +CPU: 0 PID: 555 Comm: bridge-network- Not tainted 4.20.0+ #291 +Hardware name: Marvell Armada 380/385 (Device Tree) +[] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[] (show_stack) from [] (dump_stack+0x9c/0xd4) +[] (dump_stack) from [] (__warn+0xf8/0x124) +[] (__warn) from [] (warn_slowpath_fmt+0x38/0x48) +[] (warn_slowpath_fmt) from [] (check_sync+0x514/0x5bc) +[] (check_sync) from [] (debug_dma_sync_single_range_for_cpu+0x6c/0x74) +[] (debug_dma_sync_single_range_for_cpu) from [] (mvneta_poll+0x298/0xf58) +[] (mvneta_poll) from [] (net_rx_action+0x128/0x424) +[] (net_rx_action) from [] (__do_softirq+0xf0/0x540) +[] (__do_softirq) from [] (irq_exit+0x124/0x144) +[] (irq_exit) from [] (__handle_domain_irq+0x58/0xb0) +[] (__handle_domain_irq) from [] (gic_handle_irq+0x48/0x98) +[] (gic_handle_irq) from [] (__irq_svc+0x70/0x98) +... + +This appears to be caused by mvneta_rx_hwbm() calling +dma_sync_single_range_for_cpu() with the wrong struct device pointer, +as the buffer manager device pointer is used to map and unmap the +buffer. Fix this. + +Signed-off-by: Russell King +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvneta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index 074a5b79d691..f76cbefeb3c7 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -2102,7 +2102,7 @@ err_drop_frame: + if (unlikely(!skb)) + goto err_drop_frame_ret_pool; + +- dma_sync_single_range_for_cpu(dev->dev.parent, ++ dma_sync_single_range_for_cpu(&pp->bm_priv->pdev->dev, + rx_desc->buf_phys_addr, + MVNETA_MH_SIZE + NET_SKB_PAD, + rx_bytes, +-- +2.19.1 + diff --git a/queue-4.14/net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch b/queue-4.14/net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch new file mode 100644 index 00000000000..bcfc39feaad --- /dev/null +++ b/queue-4.14/net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch 
@@ -0,0 +1,48 @@
+From 6f884495faa0fa84c9a847ce20884d4c0a7a59c6 Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov
+Date: Sat, 16 Feb 2019 00:20:54 +0300
+Subject: net: mv643xx_eth: disable clk on error path in
+ mv643xx_eth_shared_probe()
+
+[ Upstream commit e928b5d6b75e239feb9c6d5488974b6646a0ebc8 ]
+
+If mv643xx_eth_shared_of_probe() fails, mv643xx_eth_shared_probe()
+leaves clk enabled.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/mv643xx_eth.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c
+index 81c1fac00d33..2434409f84b2 100644
+--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
+@@ -2886,7 +2886,7 @@ static int mv643xx_eth_shared_probe(struct platform_device *pdev)
+
+ ret = mv643xx_eth_shared_of_probe(pdev);
+ if (ret)
+- return ret;
++ goto err_put_clk;
+ pd = dev_get_platdata(&pdev->dev);
+
+ msp->tx_csum_limit = (pd != NULL && pd->tx_csum_limit) ?
+@@ -2894,6 +2894,11 @@ static int mv643xx_eth_shared_probe(struct platform_device *pdev)
+ infer_hw_params(msp);
+
+ return 0;
++
++err_put_clk:
++ if (!IS_ERR(msp->clk))
++ clk_disable_unprepare(msp->clk);
++ return ret;
+ }
+
+ static int mv643xx_eth_shared_remove(struct platform_device *pdev)
+-- 
+2.19.1
+
diff --git a/queue-4.14/net-set-static-variable-an-initial-value-in-atl2_pro.patch b/queue-4.14/net-set-static-variable-an-initial-value-in-atl2_pro.patch
new file mode 100644
index 00000000000..7869540fce7
--- /dev/null
+++ b/queue-4.14/net-set-static-variable-an-initial-value-in-atl2_pro.patch
@@ -0,0 +1,40 @@
+From 3256929044cae03fdab2bf8d5a7fa722d72cf4d6 Mon Sep 17 00:00:00 2001
+From: Mao Wenan
+Date: Fri, 22 Feb 2019 14:57:23 +0800
+Subject: net: set static variable an initial value in atl2_probe()
+
+[ Upstream commit 4593403fa516a5a4cffe6883c5062d60932cbfbe ]
+
+cards_found is a static variable, but when it enters atl2_probe(),
+cards_found is set to zero, the value is not consistent with last probe,
+so next behavior is not our expect.
+
+Signed-off-by: Mao Wenan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/atheros/atlx/atl2.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/atheros/atlx/atl2.c b/drivers/net/ethernet/atheros/atlx/atl2.c
+index 77a1c03255de..225b4d452e0e 100644
+--- a/drivers/net/ethernet/atheros/atlx/atl2.c
++++ b/drivers/net/ethernet/atheros/atlx/atl2.c
+@@ -1334,13 +1334,11 @@ static int atl2_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ {
+ struct net_device *netdev;
+ struct atl2_adapter *adapter;
+- static int cards_found;
++ static int cards_found = 0;
+ unsigned long mmio_start;
+ int mmio_len;
+ int err;
+
+- cards_found = 0;
+-
+ err = pci_enable_device(pdev);
+ if (err)
+ return err;
+-- 
+2.19.1
+
diff --git a/queue-4.14/net-systemport-fix-reception-of-bpdus.patch b/queue-4.14/net-systemport-fix-reception-of-bpdus.patch
new file mode 100644
index 00000000000..d828ad94a48
--- /dev/null
+++ b/queue-4.14/net-systemport-fix-reception-of-bpdus.patch
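Review bot: `static int cards_found = 0;` adds an explicit zero initialiser that kernel coding style asks to leave out, because objects with static storage are zero-initialised anyway; `static int cards_found;` is equivalent. The behavioural change is carried entirely by removing the `cards_found = 0;` assignment at the top of atl2_probe(), so the declaration could have stayed as it was. The function body continues outside the hunk, so how the counter is updated across probes is not visible here.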
@@ -0,0 +1,38 @@
+From b80de827c7b58c0032b08d842dcae41f33f1e3f7 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli
+Date: Fri, 15 Feb 2019 12:16:51 -0800
+Subject: net: systemport: Fix reception of BPDUs
+
+[ Upstream commit a40061ea2e39494104602b3048751341bda374a1 ]
+
+SYSTEMPORT has its RXCHK parser block that attempts to validate the
+packet structures, unfortunately setting the L2 header check bit will
+cause Bridge PDUs (BPDUs) to be incorrectly rejected because they look
+like LLC/SNAP packets with a non-IPv4 or non-IPv6 Ethernet Type.
+
+Fixes: 4e8aedfe78c7 ("net: systemport: Turn on offloads by default")
+Signed-off-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c
+index ed3edb17fd09..79018fea7be2 100644
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -134,6 +134,10 @@ static int bcm_sysport_set_rx_csum(struct net_device *dev,
+
+ priv->rx_chk_en = !!(wanted & NETIF_F_RXCSUM);
+ reg = rxchk_readl(priv, RXCHK_CONTROL);
++ /* Clear L2 header checks, which would prevent BPDUs
++ * from being received.
++ */
++ reg &= ~RXCHK_L2_HDR_DIS;
+ if (priv->rx_chk_en)
+ reg |= RXCHK_EN;
+ else
+-- 
+2.19.1
+
diff --git a/queue-4.14/net-thunderx-make-cfg_done-message-to-run-through-ge.patch b/queue-4.14/net-thunderx-make-cfg_done-message-to-run-through-ge.patch
new file mode 100644
index 00000000000..9ddcfd8433b
--- /dev/null
+++ b/queue-4.14/net-thunderx-make-cfg_done-message-to-run-through-ge.patch
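Review bot: The added comment says `Clear L2 header checks`, but the line clears a bit named `RXCHK_L2_HDR_DIS`, and a reader who takes `DIS` to mean "disable" would conclude that the code turns the checks on. If the suffix stands for "discard" (an assumption, since the definition is not in the hunk), the comment could say so directly: `/* Do not discard frames that fail the L2 header check, otherwise BPDUs are dropped */`. bcm_sysport_set_rx_csum() starts and ends outside the hunk.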
@@ -0,0 +1,78 @@ +From b9f964fbd4cb099b9b4e5b3fc5839f4f2c678b30 Mon Sep 17 00:00:00 2001 +From: Vadim Lomovtsev +Date: Wed, 20 Feb 2019 11:02:43 +0000 +Subject: net: thunderx: make CFG_DONE message to run through generic send-ack + sequence + +[ Upstream commit 0dd563b9a62c4cbabf5d4fd6596440c2491e72b1 ] + +At the end of NIC VF initialization VF sends CFG_DONE message to PF without +using nicvf_msg_send_to_pf routine. This potentially could re-write data in +mailbox. This commit is to implement common way of sending CFG_DONE message +by the same way with other configuration messages by using +nicvf_send_msg_to_pf() routine. + +Signed-off-by: Vadim Lomovtsev +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/thunder/nic_main.c | 2 +- + drivers/net/ethernet/cavium/thunder/nicvf_main.c | 15 ++++++++++++--- + 2 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/nic_main.c b/drivers/net/ethernet/cavium/thunder/nic_main.c +index d89ec4724efd..819f38a3225d 100644 +--- a/drivers/net/ethernet/cavium/thunder/nic_main.c ++++ b/drivers/net/ethernet/cavium/thunder/nic_main.c +@@ -1030,7 +1030,7 @@ static void nic_handle_mbx_intr(struct nicpf *nic, int vf) + case NIC_MBOX_MSG_CFG_DONE: + /* Last message of VF config msg sequence */ + nic_enable_vf(nic, vf, true); +- goto unlock; ++ break; + case NIC_MBOX_MSG_SHUTDOWN: + /* First msg in VF teardown sequence */ + if (vf >= nic->num_vf_en) +diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +index f13256af8031..59b62b49ad48 100644 +--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +@@ -166,6 +166,17 @@ static int nicvf_check_pf_ready(struct nicvf *nic) + return 1; + } + ++static void nicvf_send_cfg_done(struct nicvf *nic) ++{ ++ union nic_mbx mbx = {}; ++ ++ mbx.msg.msg = NIC_MBOX_MSG_CFG_DONE; ++ if 
(nicvf_send_msg_to_pf(nic, &mbx)) { ++ netdev_err(nic->netdev, ++ "PF didn't respond to CFG DONE msg\n"); ++ } ++} ++ + static void nicvf_read_bgx_stats(struct nicvf *nic, struct bgx_stats_msg *bgx) + { + if (bgx->rx) +@@ -1329,7 +1340,6 @@ int nicvf_open(struct net_device *netdev) + struct nicvf *nic = netdev_priv(netdev); + struct queue_set *qs = nic->qs; + struct nicvf_cq_poll *cq_poll = NULL; +- union nic_mbx mbx = {}; + + netif_carrier_off(netdev); + +@@ -1419,8 +1429,7 @@ int nicvf_open(struct net_device *netdev) + nicvf_enable_intr(nic, NICVF_INTR_RBDR, qidx); + + /* Send VF config done msg to PF */ +- mbx.msg.msg = NIC_MBOX_MSG_CFG_DONE; +- nicvf_write_to_mbx(nic, &mbx); ++ nicvf_send_cfg_done(nic); + + return 0; + cleanup: +-- +2.19.1 + diff --git a/queue-4.14/nfp-bpf-fix-alu32-high-bits-clearance-bug.patch b/queue-4.14/nfp-bpf-fix-alu32-high-bits-clearance-bug.patch new file mode 100644 index 00000000000..26a96783a80 --- /dev/null +++ b/queue-4.14/nfp-bpf-fix-alu32-high-bits-clearance-bug.patch 
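Review bot: nicvf_send_cfg_done() only logs `PF didn't respond to CFG DONE msg` and returns void, so nicvf_open() still reaches `return 0` when the PF never acknowledged the message. If a missing acknowledgement means the PF has not run `nic_enable_vf(nic, vf, true)` (inferred from the nic_main.c hunk), the interface is reported as open while the VF is not enabled. The helper could return the result of `nicvf_send_msg_to_pf(nic, &mbx)` and nicvf_open() could branch to its existing `cleanup:` label on failure. nicvf_open() starts and ends outside the hunks, so what that cleanup path requires is not visible here.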
@@ -0,0 +1,96 @@ +From ca10918a278b3ee96fe2540cb0cdc7dccc0ce26e Mon Sep 17 00:00:00 2001 +From: Jiong Wang +Date: Fri, 22 Feb 2019 22:36:04 +0000 +Subject: nfp: bpf: fix ALU32 high bits clearance bug + +[ Upstream commit f036ebd9bfbe1e91a3d855e85e05fc5ff156b641 ] + +NFP BPF JIT compiler is doing a couple of small optimizations when jitting +ALU imm instructions, some of these optimizations could save code-gen, for +example: + + A & -1 = A + A | 0 = A + A ^ 0 = A + +However, for ALU32, high 32-bit of the 64-bit register should still be +cleared according to ISA semantics. + +Fixes: cd7df56ed3e6 ("nfp: add BPF to NFP code translator") +Reviewed-by: Jakub Kicinski +Signed-off-by: Jiong Wang +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/netronome/nfp/bpf/jit.c | 17 ++++++----------- + 1 file changed, 6 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/netronome/nfp/bpf/jit.c b/drivers/net/ethernet/netronome/nfp/bpf/jit.c +index 3105ee5bbf8e..c1ffec85817a 100644 +--- a/drivers/net/ethernet/netronome/nfp/bpf/jit.c ++++ b/drivers/net/ethernet/netronome/nfp/bpf/jit.c +@@ -756,15 +756,10 @@ wrp_alu64_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta, + + static int + wrp_alu32_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta, +- enum alu_op alu_op, bool skip) ++ enum alu_op alu_op) + { + const struct bpf_insn *insn = &meta->insn; + +- if (skip) { +- meta->skip = true; +- return 0; +- } +- + wrp_alu_imm(nfp_prog, insn->dst_reg * 2, alu_op, insn->imm); + wrp_immed(nfp_prog, reg_both(insn->dst_reg * 2 + 1), 0); + +@@ -1017,7 +1012,7 @@ static int xor_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) + + static int xor_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) + { +- return wrp_alu32_imm(nfp_prog, meta, ALU_OP_XOR, !meta->insn.imm); ++ return wrp_alu32_imm(nfp_prog, meta, ALU_OP_XOR); + } + + static int and_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) +@@ -1027,7 
+1022,7 @@ static int and_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) + + static int and_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) + { +- return wrp_alu32_imm(nfp_prog, meta, ALU_OP_AND, !~meta->insn.imm); ++ return wrp_alu32_imm(nfp_prog, meta, ALU_OP_AND); + } + + static int or_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) +@@ -1037,7 +1032,7 @@ static int or_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) + + static int or_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) + { +- return wrp_alu32_imm(nfp_prog, meta, ALU_OP_OR, !meta->insn.imm); ++ return wrp_alu32_imm(nfp_prog, meta, ALU_OP_OR); + } + + static int add_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) +@@ -1047,7 +1042,7 @@ static int add_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) + + static int add_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) + { +- return wrp_alu32_imm(nfp_prog, meta, ALU_OP_ADD, !meta->insn.imm); ++ return wrp_alu32_imm(nfp_prog, meta, ALU_OP_ADD); + } + + static int sub_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) +@@ -1057,7 +1052,7 @@ static int sub_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) + + static int sub_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) + { +- return wrp_alu32_imm(nfp_prog, meta, ALU_OP_SUB, !meta->insn.imm); ++ return wrp_alu32_imm(nfp_prog, meta, ALU_OP_SUB); + } + + static int shl_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta) +-- +2.19.1 + diff --git a/queue-4.14/nfp-bpf-fix-code-gen-bug-on-bpf_alu-bpf_xor-bpf_k.patch b/queue-4.14/nfp-bpf-fix-code-gen-bug-on-bpf_alu-bpf_xor-bpf_k.patch new file mode 100644 index 00000000000..8720a7fb330 --- /dev/null +++ b/queue-4.14/nfp-bpf-fix-code-gen-bug-on-bpf_alu-bpf_xor-bpf_k.patch 
@@ -0,0 +1,34 @@
+From f470584598d006775daef85155a5d0a4e333deeb Mon Sep 17 00:00:00 2001
+From: Jiong Wang
+Date: Fri, 22 Feb 2019 22:36:03 +0000
+Subject: nfp: bpf: fix code-gen bug on BPF_ALU | BPF_XOR | BPF_K
+
+[ Upstream commit 71c190249f0ced5b26377ea6bf829ab3af77a40c ]
+
+The intended optimization should be A ^ 0 = A, not A ^ -1 = A.
+
+Fixes: cd7df56ed3e6 ("nfp: add BPF to NFP code translator")
+Reviewed-by: Jakub Kicinski
+Signed-off-by: Jiong Wang
+Signed-off-by: Daniel Borkmann
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/netronome/nfp/bpf/jit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/netronome/nfp/bpf/jit.c b/drivers/net/ethernet/netronome/nfp/bpf/jit.c
+index 239dfbe8a0a1..3105ee5bbf8e 100644
+--- a/drivers/net/ethernet/netronome/nfp/bpf/jit.c
++++ b/drivers/net/ethernet/netronome/nfp/bpf/jit.c
+@@ -1017,7 +1017,7 @@ static int xor_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+
+ static int xor_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+ {
+- return wrp_alu32_imm(nfp_prog, meta, ALU_OP_XOR, !~meta->insn.imm);
++ return wrp_alu32_imm(nfp_prog, meta, ALU_OP_XOR, !meta->insn.imm);
+ }
+
+ static int and_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+-- 
+2.19.1
+
diff --git a/queue-4.14/nfs-don-t-use-page_file_mapping-after-removing-the-p.patch b/queue-4.14/nfs-don-t-use-page_file_mapping-after-removing-the-p.patch
new file mode 100644
index 00000000000..a4d2b43d374
--- /dev/null
+++ b/queue-4.14/nfs-don-t-use-page_file_mapping-after-removing-the-p.patch
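Review bot: This patch has to be applied before nfp-bpf-fix-alu32-high-bits-clearance-bug.patch even though it sorts after it by file name. Its index line ends at blob `3105ee5bbf8e`, which is the blob the ALU32 patch starts from, and the ALU32 patch removes the `!meta->insn.imm` form of xor_imm() that exists only once this change is in. The series file is not part of the visible diff, so the order recorded there should be checked; applied the other way round, the xor_imm() hunk of the ALU32 patch would not match.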
@@ -0,0 +1,67 @@ +From b6f8a3bead3e19044c4b76809c15be1ec22948ce Mon Sep 17 00:00:00 2001 +From: Benjamin Coddington +Date: Wed, 6 Feb 2019 06:09:43 -0500 +Subject: NFS: Don't use page_file_mapping after removing the page + +[ Upstream commit d2ceb7e57086750ea6198a31fd942d98099a0786 ] + +If nfs_page_async_flush() removes the page from the mapping, then we can't +use page_file_mapping() on it as nfs_updatepate() is wont to do when +receiving an error. Instead, push the mapping to the stack before the page +is possibly truncated. + +Fixes: 8fc75bed96bb ("NFS: Fix up return value on fatal errors in nfs_page_async_flush()") +Signed-off-by: Benjamin Coddington +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/write.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/fs/nfs/write.c b/fs/nfs/write.c +index 2d956a7d5378..50ed3944d183 100644 +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -236,9 +236,9 @@ out: + } + + /* A writeback failed: mark the page as bad, and invalidate the page cache */ +-static void nfs_set_pageerror(struct page *page) ++static void nfs_set_pageerror(struct address_space *mapping) + { +- nfs_zap_mapping(page_file_mapping(page)->host, page_file_mapping(page)); ++ nfs_zap_mapping(mapping->host, mapping); + } + + /* +@@ -994,7 +994,7 @@ static void nfs_write_completion(struct nfs_pgio_header *hdr) + nfs_list_remove_request(req); + if (test_bit(NFS_IOHDR_ERROR, &hdr->flags) && + (hdr->good_bytes < bytes)) { +- nfs_set_pageerror(req->wb_page); ++ nfs_set_pageerror(page_file_mapping(req->wb_page)); + nfs_context_set_write_error(req->wb_context, hdr->error); + goto remove_req; + } +@@ -1330,7 +1330,8 @@ int nfs_updatepage(struct file *file, struct page *page, + unsigned int offset, unsigned int count) + { + struct nfs_open_context *ctx = nfs_file_open_context(file); +- struct inode *inode = page_file_mapping(page)->host; ++ struct address_space *mapping = page_file_mapping(page); ++ struct inode 
*inode = mapping->host; + int status = 0; + + nfs_inc_stats(inode, NFSIOS_VFSUPDATEPAGE); +@@ -1348,7 +1349,7 @@ int nfs_updatepage(struct file *file, struct page *page, + + status = nfs_writepage_setup(ctx, page, offset, count); + if (status < 0) +- nfs_set_pageerror(page); ++ nfs_set_pageerror(mapping); + else + __set_page_dirty_nobuffers(page); + out: +-- +2.19.1 + diff --git a/queue-4.14/phonet-fix-building-with-clang.patch b/queue-4.14/phonet-fix-building-with-clang.patch new file mode 100644 index 00000000000..c64a6af18a3 --- /dev/null +++ b/queue-4.14/phonet-fix-building-with-clang.patch 
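Review bot: The comment kept above `nfs_set_pageerror()` still reads "mark the page as bad", although the function now takes only the mapping, and the lifetime rule that motivates the patch is not recorded anywhere in fs/nfs/write.c. I would reword it to `/* A writeback failed: invalidate the page cache of @mapping. Callers must look up the mapping while the page is still attached to it. */`. In `nfs_write_completion()` the new call still evaluates `page_file_mapping(req->wb_page)` at the point of failure; that is presumably safe because the request is still in flight, but the hunk does not show it, so a one-line comment there would spare the next reader the same question. Both `nfs_write_completion()` and `nfs_updatepage()` continue outside the hunks.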
@@ -0,0 +1,184 @@ +From f22e5d04fe0545f080d8f883ddb734bffff95eed Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 19 Feb 2019 22:53:50 +0100 +Subject: phonet: fix building with clang +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 6321aa197547da397753757bd84c6ce64b3e3d89 ] + +clang warns about overflowing the data[] member in the struct pnpipehdr: + +net/phonet/pep.c:295:8: warning: array index 4 is past the end of the array (which contains 1 element) [-Warray-bounds] + if (hdr->data[4] == PEP_IND_READY) + ^ ~ +include/net/phonet/pep.h:66:3: note: array 'data' declared here + u8 data[1]; + +Using a flexible array member at the end of the struct avoids the +warning, but since we cannot have a flexible array member inside +of the union, each index now has to be moved back by one, which +makes it a little uglier. + +Signed-off-by: Arnd Bergmann +Acked-by: Rémi Denis-Courmont +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/phonet/pep.h | 5 +++-- + net/phonet/pep.c | 32 ++++++++++++++++---------------- + 2 files changed, 19 insertions(+), 18 deletions(-) + +diff --git a/include/net/phonet/pep.h b/include/net/phonet/pep.h +index b669fe6dbc3b..98f31c7ea23d 100644 +--- a/include/net/phonet/pep.h ++++ b/include/net/phonet/pep.h +@@ -63,10 +63,11 @@ struct pnpipehdr { + u8 state_after_reset; /* reset request */ + u8 error_code; /* any response */ + u8 pep_type; /* status indication */ +- u8 data[1]; ++ u8 data0; /* anything else */ + }; ++ u8 data[]; + }; +-#define other_pep_type data[1] ++#define other_pep_type data[0] + + static inline struct pnpipehdr *pnp_hdr(struct sk_buff *skb) + { +diff --git a/net/phonet/pep.c b/net/phonet/pep.c +index e81537991ddf..bffcef58ebf5 100644 +--- a/net/phonet/pep.c ++++ b/net/phonet/pep.c +@@ -132,7 +132,7 @@ static int pep_indicate(struct sock *sk, u8 id, u8 code, + ph->utid = 0; + ph->message_id = id; + ph->pipe_handle = 
pn->pipe_handle; +- ph->data[0] = code; ++ ph->error_code = code; + return pn_skb_send(sk, skb, NULL); + } + +@@ -153,7 +153,7 @@ static int pipe_handler_request(struct sock *sk, u8 id, u8 code, + ph->utid = id; /* whatever */ + ph->message_id = id; + ph->pipe_handle = pn->pipe_handle; +- ph->data[0] = code; ++ ph->error_code = code; + return pn_skb_send(sk, skb, NULL); + } + +@@ -208,7 +208,7 @@ static int pep_ctrlreq_error(struct sock *sk, struct sk_buff *oskb, u8 code, + struct pnpipehdr *ph; + struct sockaddr_pn dst; + u8 data[4] = { +- oph->data[0], /* PEP type */ ++ oph->pep_type, /* PEP type */ + code, /* error code, at an unusual offset */ + PAD, PAD, + }; +@@ -221,7 +221,7 @@ static int pep_ctrlreq_error(struct sock *sk, struct sk_buff *oskb, u8 code, + ph->utid = oph->utid; + ph->message_id = PNS_PEP_CTRL_RESP; + ph->pipe_handle = oph->pipe_handle; +- ph->data[0] = oph->data[1]; /* CTRL id */ ++ ph->data0 = oph->data[0]; /* CTRL id */ + + pn_skb_get_src_sockaddr(oskb, &dst); + return pn_skb_send(sk, skb, &dst); +@@ -272,17 +272,17 @@ static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb) + return -EINVAL; + + hdr = pnp_hdr(skb); +- if (hdr->data[0] != PN_PEP_TYPE_COMMON) { ++ if (hdr->pep_type != PN_PEP_TYPE_COMMON) { + net_dbg_ratelimited("Phonet unknown PEP type: %u\n", +- (unsigned int)hdr->data[0]); ++ (unsigned int)hdr->pep_type); + return -EOPNOTSUPP; + } + +- switch (hdr->data[1]) { ++ switch (hdr->data[0]) { + case PN_PEP_IND_FLOW_CONTROL: + switch (pn->tx_fc) { + case PN_LEGACY_FLOW_CONTROL: +- switch (hdr->data[4]) { ++ switch (hdr->data[3]) { + case PEP_IND_BUSY: + atomic_set(&pn->tx_credits, 0); + break; +@@ -292,7 +292,7 @@ static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb) + } + break; + case PN_ONE_CREDIT_FLOW_CONTROL: +- if (hdr->data[4] == PEP_IND_READY) ++ if (hdr->data[3] == PEP_IND_READY) + atomic_set(&pn->tx_credits, wake = 1); + break; + } +@@ -301,12 +301,12 @@ static int pipe_rcv_status(struct sock *sk, 
struct sk_buff *skb) + case PN_PEP_IND_ID_MCFC_GRANT_CREDITS: + if (pn->tx_fc != PN_MULTI_CREDIT_FLOW_CONTROL) + break; +- atomic_add(wake = hdr->data[4], &pn->tx_credits); ++ atomic_add(wake = hdr->data[3], &pn->tx_credits); + break; + + default: + net_dbg_ratelimited("Phonet unknown PEP indication: %u\n", +- (unsigned int)hdr->data[1]); ++ (unsigned int)hdr->data[0]); + return -EOPNOTSUPP; + } + if (wake) +@@ -318,7 +318,7 @@ static int pipe_rcv_created(struct sock *sk, struct sk_buff *skb) + { + struct pep_sock *pn = pep_sk(sk); + struct pnpipehdr *hdr = pnp_hdr(skb); +- u8 n_sb = hdr->data[0]; ++ u8 n_sb = hdr->data0; + + pn->rx_fc = pn->tx_fc = PN_LEGACY_FLOW_CONTROL; + __skb_pull(skb, sizeof(*hdr)); +@@ -506,7 +506,7 @@ static int pep_connresp_rcv(struct sock *sk, struct sk_buff *skb) + return -ECONNREFUSED; + + /* Parse sub-blocks */ +- n_sb = hdr->data[4]; ++ n_sb = hdr->data[3]; + while (n_sb > 0) { + u8 type, buf[6], len = sizeof(buf); + const u8 *data = pep_get_sb(skb, &type, &len, buf); +@@ -739,7 +739,7 @@ static int pipe_do_remove(struct sock *sk) + ph->utid = 0; + ph->message_id = PNS_PIPE_REMOVE_REQ; + ph->pipe_handle = pn->pipe_handle; +- ph->data[0] = PAD; ++ ph->data0 = PAD; + return pn_skb_send(sk, skb, NULL); + } + +@@ -817,7 +817,7 @@ static struct sock *pep_sock_accept(struct sock *sk, int flags, int *errp, + peer_type = hdr->other_pep_type << 8; + + /* Parse sub-blocks (options) */ +- n_sb = hdr->data[4]; ++ n_sb = hdr->data[3]; + while (n_sb > 0) { + u8 type, buf[1], len = sizeof(buf); + const u8 *data = pep_get_sb(skb, &type, &len, buf); +@@ -1109,7 +1109,7 @@ static int pipe_skb_send(struct sock *sk, struct sk_buff *skb) + ph->utid = 0; + if (pn->aligned) { + ph->message_id = PNS_PIPE_ALIGNED_DATA; +- ph->data[0] = 0; /* padding */ ++ ph->data0 = 0; /* padding */ + } else + ph->message_id = PNS_PIPE_DATA; + ph->pipe_handle = pn->pipe_handle; +-- +2.19.1 + 
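Review bot: The reads at `hdr->data[3]` in `pipe_rcv_status()`, `pep_connresp_rcv()` and `pep_sock_accept()` are bare offsets into received packet data, and the length checks that cover them sit outside these hunks, so after the one-byte index shift nothing at the point of use ties the index to the check. I would document the new numbering where the member is declared in include/net/phonet/pep.h, e.g. `u8 data[]; /* starts after the union byte: data[n] is the former data[n + 1] */`. A short comment at each `data[3]` read naming the field it holds (flow-control status, sub-block count) would make a later mismatch between index and pulled length easier to spot in review. The functions touched all start and end outside the hunks.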
diff --git a/queue-4.14/pinctrl-meson-meson8b-fix-the-sdxc_a-data-1.3-pins.patch b/queue-4.14/pinctrl-meson-meson8b-fix-the-sdxc_a-data-1.3-pins.patch
new file mode 100644
index 00000000000..0e48488dee8
--- /dev/null
+++ b/queue-4.14/pinctrl-meson-meson8b-fix-the-sdxc_a-data-1.3-pins.patch
@@ -0,0 +1,36 @@
+From 2b5486881ce65d71f4a4605aa21edc4f9cf8b6ea Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl
+Date: Sat, 9 Feb 2019 02:01:01 +0100
+Subject: pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins
+
+[ Upstream commit c17abcfa93bf0be5e48bb011607d237ac2bfc839 ]
+
+Fix the mismatch between the "sdxc_d13_1_a" pin group definition from
+meson8b_cbus_groups and the entry in sdxc_a_groups ("sdxc_d0_13_1_a").
+This makes it possible to use "sdxc_d13_1_a" in device-tree files to
+route the MMC data 1..3 pins to GPIOX_1..3.
+
+Fixes: 0fefcb6876d0d6 ("pinctrl: Add support for Meson8b")
+Signed-off-by: Martin Blumenstingl
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/meson/pinctrl-meson8b.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/meson/pinctrl-meson8b.c b/drivers/pinctrl/meson/pinctrl-meson8b.c
+index a6fff215e60f..aafd39eba64f 100644
+--- a/drivers/pinctrl/meson/pinctrl-meson8b.c
++++ b/drivers/pinctrl/meson/pinctrl-meson8b.c
+@@ -668,7 +668,7 @@ static const char * const sd_a_groups[] = {
+
+ static const char * const sdxc_a_groups[] = {
+ "sdxc_d0_0_a", "sdxc_d13_0_a", "sdxc_d47_a", "sdxc_clk_a",
+- "sdxc_cmd_a", "sdxc_d0_1_a", "sdxc_d0_13_1_a"
++ "sdxc_cmd_a", "sdxc_d0_1_a", "sdxc_d13_1_a"
+ };
+
+ static const char * const pcm_a_groups[] = {
+--
+2.19.1
+
diff --git a/queue-4.14/qed-fix-iwarp-syn-packet-mac-address-validation.patch b/queue-4.14/qed-fix-iwarp-syn-packet-mac-address-validation.patch
new file mode 100644
index 00000000000..7514ad566f7
--- /dev/null
+++ b/queue-4.14/qed-fix-iwarp-syn-packet-mac-address-validation.patch
@@ -0,0 +1,42 @@
+From 82ccecbbb3c37571b1e4f0a222879c3ad31fded8 Mon Sep 17 00:00:00 2001
+From: Michal Kalderon
+Date: Mon, 18 Feb 2019 15:24:03 +0200
+Subject: qed: Fix iWARP syn packet mac address validation.
+
+[ Upstream commit 8be3dadf04050c2907760ec1955ca1c8fbc25585 ]
+
+The ll2 forwards all syn packets to the driver without validating the mac
+address. Add validation check in the driver's iWARP listener flow and drop
+the packet if it isn't intended for the device.
+
+Signed-off-by: Ariel Elior
+Signed-off-by: Michal Kalderon
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/qlogic/qed/qed_iwarp.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_iwarp.c b/drivers/net/ethernet/qlogic/qed/qed_iwarp.c
+index eb666877d1aa..bb09f5a9846f 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_iwarp.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_iwarp.c
+@@ -1651,6 +1651,15 @@ qed_iwarp_parse_rx_pkt(struct qed_hwfn *p_hwfn,
+
+ eth_hlen = ETH_HLEN + (vlan_valid ? sizeof(u32) : 0);
+
++ if (!ether_addr_equal(ethh->h_dest,
++ p_hwfn->p_rdma_info->iwarp.mac_addr)) {
++ DP_VERBOSE(p_hwfn,
++ QED_MSG_RDMA,
++ "Got unexpected mac %pM instead of %pM\n",
++ ethh->h_dest, p_hwfn->p_rdma_info->iwarp.mac_addr);
++ return -EINVAL;
++ }
++
+ ether_addr_copy(remote_mac_addr, ethh->h_source);
+ ether_addr_copy(local_mac_addr, ethh->h_dest);
+
+--
+2.19.1
+
diff --git a/queue-4.14/qmi_wwan-apply-set_dtr-quirk-to-sierra-wp7607.patch b/queue-4.14/qmi_wwan-apply-set_dtr-quirk-to-sierra-wp7607.patch
new file mode 100644
index 00000000000..f31a092f868
--- /dev/null
+++ b/queue-4.14/qmi_wwan-apply-set_dtr-quirk-to-sierra-wp7607.patch
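Review bot: The added comparison dereferences `ethh->h_dest`, but nothing in the hunk shows that the received length was checked against `ETH_HLEN` before `ethh` is used; qed_iwarp_parse_rx_pkt() starts outside the hunk, so that check may already exist earlier. If it does not, the length guard belongs ahead of this comparison, because the frame content is whatever arrived on the wire. Dropped frames are also only observable when RDMA verbose logging is enabled, so the reason for the filter should be stated in the code, e.g. `/* ll2 does not filter SYNs by MAC: drop frames not addressed to this function */`.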
@@ -0,0 +1,40 @@
+From abde99af60f616bd20e463e1bafcd4c0eab03d26 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani
+Date: Fri, 15 Feb 2019 13:20:42 +0100
+Subject: qmi_wwan: apply SET_DTR quirk to Sierra WP7607
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 97dc47a1308a3af46a09b1546cfb869f2e382a81 ]
+
+The 1199:68C0 USB ID is reused by Sierra WP7607 which requires the DTR
+quirk to be detected. Apply QMI_QUIRK_SET_DTR unconditionally as
+already done for other IDs shared between different devices.
+
+Signed-off-by: Beniamino Galvani
+Acked-by: Bjørn Mork
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/qmi_wwan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index 25204d2c9e89..65e47cc52d14 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1193,8 +1193,8 @@ static const struct usb_device_id products[] = {
+ {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */
+ {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */
+ {QMI_FIXED_INTF(0x1199, 0x68a2, 19)}, /* Sierra Wireless MC7710 in QMI mode */
+- {QMI_FIXED_INTF(0x1199, 0x68c0, 8)}, /* Sierra Wireless MC7304/MC7354 */
+- {QMI_FIXED_INTF(0x1199, 0x68c0, 10)}, /* Sierra Wireless MC7304/MC7354 */
++ {QMI_QUIRK_SET_DTR(0x1199, 0x68c0, 8)}, /* Sierra Wireless MC7304/MC7354, WP76xx */
++ {QMI_QUIRK_SET_DTR(0x1199, 0x68c0, 10)},/* Sierra Wireless MC7304/MC7354 */
+ {QMI_FIXED_INTF(0x1199, 0x901c, 8)}, /* Sierra Wireless EM7700 */
+ {QMI_FIXED_INTF(0x1199, 0x901f, 8)}, /* Sierra Wireless EM7355 */
+ {QMI_FIXED_INTF(0x1199, 0x9041, 8)}, /* Sierra Wireless MC7305/MC7355 */
+--
+2.19.1
+
diff --git a/queue-4.14/revert-mm-use-early_pfn_to_nid-in-page_ext_init.patch b/queue-4.14/revert-mm-use-early_pfn_to_nid-in-page_ext_init.patch
new file mode 100644
index 00000000000..055de772b2b
--- /dev/null
+++ b/queue-4.14/revert-mm-use-early_pfn_to_nid-in-page_ext_init.patch
@@ -0,0 +1,115 @@
+From bc0c88889784544219b105d48b313218514965d9 Mon Sep 17 00:00:00 2001
+From: Qian Cai
+Date: Tue, 12 Feb 2019 15:36:03 -0800
+Subject: Revert "mm: use early_pfn_to_nid in page_ext_init"
+
+[ Upstream commit 2f1ee0913ce58efe7f18fbd518bd54c598559b89 ]
+
+This reverts commit fe53ca54270a ("mm: use early_pfn_to_nid in
+page_ext_init").
+
+When booting a system with "page_owner=on",
+
+start_kernel
+ page_ext_init
+ invoke_init_callbacks
+ init_section_page_ext
+ init_page_owner
+ init_early_allocated_pages
+ init_zones_in_node
+ init_pages_in_zone
+ lookup_page_ext
+ page_to_nid
+
+The issue here is that page_to_nid() will not work since some page flags
+have no node information until later in page_alloc_init_late() due to
+DEFERRED_STRUCT_PAGE_INIT. Hence, it could trigger an out-of-bounds
+access with an invalid nid.
+
+ UBSAN: Undefined behaviour in ./include/linux/mm.h:1104:50
+ index 7 is out of range for type 'zone [5]'
+
+Also, kernel will panic since flags were poisoned earlier with,
+
+CONFIG_DEBUG_VM_PGFLAGS=y
+CONFIG_NODE_NOT_IN_PAGE_FLAGS=n
+
+start_kernel
+ setup_arch
+ pagetable_init
+ paging_init
+ sparse_init
+ sparse_init_nid
+ memblock_alloc_try_nid_raw
+
+It did not handle it well in init_pages_in_zone() which ends up calling
+page_to_nid().
+
+ page:ffffea0004200000 is uninitialized and poisoned
+ raw: ffffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffff
+ raw: ffffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffff
+ page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
+ page_owner info is not active (free page?)
+ kernel BUG at include/linux/mm.h:990!
+ RIP: 0010:init_page_owner+0x486/0x520
+
+This means that assumptions behind commit fe53ca54270a ("mm: use
+early_pfn_to_nid in page_ext_init") are incomplete. Therefore, revert
+the commit for now. A proper way to move the page_owner initialization
+to sooner is to hook into memmap initialization.
+
+Link: http://lkml.kernel.org/r/20190115202812.75820-1-cai@lca.pw
+Signed-off-by: Qian Cai
+Acked-by: Michal Hocko
+Cc: Pasha Tatashin
+Cc: Mel Gorman
+Cc: Yang Shi
+Cc: Joonsoo Kim
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ init/main.c | 3 ++-
+ mm/page_ext.c | 4 +---
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/init/main.c b/init/main.c
+index c4a45145e102..3d3d79c5a232 100644
+--- a/init/main.c
++++ b/init/main.c
+@@ -663,7 +663,6 @@ asmlinkage __visible void __init start_kernel(void)
+ initrd_start = 0;
+ }
+ #endif
+- page_ext_init();
+ kmemleak_init();
+ debug_objects_mem_init();
+ setup_per_cpu_pageset();
+@@ -1069,6 +1068,8 @@ static noinline void __init kernel_init_freeable(void)
+ sched_init_smp();
+
+ page_alloc_init_late();
++ /* Initialize page ext after all struct pages are initialized. */
++ page_ext_init();
+
+ do_basic_setup();
+
+diff --git a/mm/page_ext.c b/mm/page_ext.c
+index 2c16216c29b6..2c44f5b78435 100644
+--- a/mm/page_ext.c
++++ b/mm/page_ext.c
+@@ -396,10 +396,8 @@ void __init page_ext_init(void)
+ * We know some arch can have a nodes layout such as
+ * -------------pfn-------------->
+ * N0 | N1 | N2 | N0 | N1 | N2|....
+- *
+- * Take into account DEFERRED_STRUCT_PAGE_INIT.
+ */
+- if (early_pfn_to_nid(pfn) != nid)
++ if (pfn_to_nid(pfn) != nid)
+ continue;
+ if (init_section_page_ext(pfn, nid))
+ goto oom;
+--
+2.19.1
+
diff --git a/queue-4.14/s390-dasd-fix-using-offset-into-zero-size-array-erro.patch b/queue-4.14/s390-dasd-fix-using-offset-into-zero-size-array-erro.patch
new file mode 100644
index 00000000000..926844a7024
--- /dev/null
+++ b/queue-4.14/s390-dasd-fix-using-offset-into-zero-size-array-erro.patch
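Review bot: After the revert, `pfn_to_nid(pfn)` in page_ext_init() is only valid because init/main.c now calls the function after `page_alloc_init_late()`, yet the mm/page_ext.c hunk drops the DEFERRED_STRUCT_PAGE_INIT line from the comment and leaves nothing at the point of use that records this ordering requirement. I would keep one line in that comment block, e.g. `* Needs fully initialised struct pages: call only after page_alloc_init_late().`. The out-of-range zone index quoted in the description is the failure a later reordering of the init calls would bring back. page_ext_init() continues outside the hunk.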
@@ -0,0 +1,96 @@ +From 69e36c94a6d9d92371695b0aa3f1097e42122eb5 Mon Sep 17 00:00:00 2001 +From: Stefan Haberland +Date: Wed, 21 Nov 2018 12:39:47 +0100 +Subject: s390/dasd: fix using offset into zero size array error + +[ Upstream commit 4a8ef6999bce998fa5813023a9a6b56eea329dba ] + +Dan Carpenter reported the following: + +The patch 52898025cf7d: "[S390] dasd: security and PSF update patch +for EMC CKD ioctl" from Mar 8, 2010, leads to the following static +checker warning: + + drivers/s390/block/dasd_eckd.c:4486 dasd_symm_io() + error: using offset into zero size array 'psf_data[]' + +drivers/s390/block/dasd_eckd.c + 4458 /* Copy parms from caller */ + 4459 rc = -EFAULT; + 4460 if (copy_from_user(&usrparm, argp, sizeof(usrparm))) + ^^^^^^^ +The user can specify any "usrparm.psf_data_len". They choose zero by +mistake. + + 4461 goto out; + 4462 if (is_compat_task()) { + 4463 /* Make sure pointers are sane even on 31 bit. */ + 4464 rc = -EINVAL; + 4465 if ((usrparm.psf_data >> 32) != 0) + 4466 goto out; + 4467 if ((usrparm.rssd_result >> 32) != 0) + 4468 goto out; + 4469 usrparm.psf_data &= 0x7fffffffULL; + 4470 usrparm.rssd_result &= 0x7fffffffULL; + 4471 } + 4472 /* alloc I/O data area */ + 4473 psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL + | GFP_DMA); + 4474 rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL + | GFP_DMA); + 4475 if (!psf_data || !rssd_result) { + +kzalloc() returns a ZERO_SIZE_PTR (0x16). + + 4476 rc = -ENOMEM; + 4477 goto out_free; + 4478 } + 4479 + 4480 /* get syscall header from user space */ + 4481 rc = -EFAULT; + 4482 if (copy_from_user(psf_data, + 4483 (void __user *)(unsigned long) + usrparm.psf_data, + 4484 usrparm.psf_data_len)) + +That all works great. + + 4485 goto out_free; + 4486 psf0 = psf_data[0]; + 4487 psf1 = psf_data[1]; + +But now we're assuming that "->psf_data_len" was at least 2 bytes. + +Fix this by checking the user specified length psf_data_len. 
+ +Fixes: 52898025cf7d ("[S390] dasd: security and PSF update patch for EMC CKD ioctl") +Reported-by: Dan Carpenter +Signed-off-by: Stefan Haberland +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +--- + drivers/s390/block/dasd_eckd.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c +index 4c7c8455da96..0a1e7f9b5239 100644 +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -4463,6 +4463,14 @@ static int dasd_symm_io(struct dasd_device *device, void __user *argp) + usrparm.psf_data &= 0x7fffffffULL; + usrparm.rssd_result &= 0x7fffffffULL; + } ++ /* at least 2 bytes are accessed and should be allocated */ ++ if (usrparm.psf_data_len < 2) { ++ DBF_DEV_EVENT(DBF_WARNING, device, ++ "Symmetrix ioctl invalid data length %d", ++ usrparm.psf_data_len); ++ rc = -EINVAL; ++ goto out; ++ } + /* alloc I/O data area */ + psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL | GFP_DMA); + rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL | GFP_DMA); +-- +2.19.1 + diff --git a/queue-4.14/scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch b/queue-4.14/scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch new file mode 100644 index 00000000000..6a86d07666e --- /dev/null +++ b/queue-4.14/scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch 
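Review bot: Only `psf_data_len` gets a lower bound in the added check; `rssd_result_len` comes from the same user-supplied structure and still reaches `kzalloc()` unchecked, so a zero value produces the same ZERO_SIZE_PTR that passes the `!rssd_result` test quoted in the description. How the result buffer is used afterwards is outside the hunk, but if it is handed to the channel program or copied back to user space the guard should cover it too, e.g. `if (usrparm.psf_data_len < 2 || usrparm.rssd_result_len < 1) {`. Neither length has an upper bound here, and the `%d` in the trace message assumes the field is a signed int, which the hunk does not show. dasd_symm_io() starts and ends outside the hunk.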
@@ -0,0 +1,110 @@ +From f3644931461458011b6fda656b02ed073f900d92 Mon Sep 17 00:00:00 2001 +From: Anoob Soman +Date: Wed, 13 Feb 2019 13:21:39 +0800 +Subject: scsi: libiscsi: Fix race between iscsi_xmit_task and + iscsi_complete_task + +[ Upstream commit 79edd00dc6a96644d76b4a1cb97d94d49e026768 ] + +When a target sends Check Condition, whilst initiator is busy xmiting +re-queued data, could lead to race between iscsi_complete_task() and +iscsi_xmit_task() and eventually crashing with the following kernel +backtrace. + +[3326150.987523] ALERT: BUG: unable to handle kernel NULL pointer dereference at 0000000000000078 +[3326150.987549] ALERT: IP: [] iscsi_xmit_task+0x2d/0xc0 [libiscsi] +[3326150.987571] WARN: PGD 569c8067 PUD 569c9067 PMD 0 +[3326150.987582] WARN: Oops: 0002 [#1] SMP +[3326150.987593] WARN: Modules linked in: tun nfsv3 nfs fscache dm_round_robin +[3326150.987762] WARN: CPU: 2 PID: 8399 Comm: kworker/u32:1 Tainted: G O 4.4.0+2 #1 +[3326150.987774] WARN: Hardware name: Dell Inc. 
PowerEdge R720/0W7JN5, BIOS 2.5.4 01/22/2016 +[3326150.987790] WARN: Workqueue: iscsi_q_13 iscsi_xmitworker [libiscsi] +[3326150.987799] WARN: task: ffff8801d50f3800 ti: ffff8801f5458000 task.ti: ffff8801f5458000 +[3326150.987810] WARN: RIP: e030:[] [] iscsi_xmit_task+0x2d/0xc0 [libiscsi] +[3326150.987825] WARN: RSP: e02b:ffff8801f545bdb0 EFLAGS: 00010246 +[3326150.987831] WARN: RAX: 00000000ffffffc3 RBX: ffff880282d2ab20 RCX: ffff88026b6ac480 +[3326150.987842] WARN: RDX: 0000000000000000 RSI: 00000000fffffe01 RDI: ffff880282d2ab20 +[3326150.987852] WARN: RBP: ffff8801f545bdc8 R08: 0000000000000000 R09: 0000000000000008 +[3326150.987862] WARN: R10: 0000000000000000 R11: 000000000000fe88 R12: 0000000000000000 +[3326150.987872] WARN: R13: ffff880282d2abe8 R14: ffff880282d2abd8 R15: ffff880282d2ac08 +[3326150.987890] WARN: FS: 00007f5a866b4840(0000) GS:ffff88028a640000(0000) knlGS:0000000000000000 +[3326150.987900] WARN: CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033 +[3326150.987907] WARN: CR2: 0000000000000078 CR3: 0000000070244000 CR4: 0000000000042660 +[3326150.987918] WARN: Stack: +[3326150.987924] WARN: ffff880282d2ad58 ffff880282d2ab20 ffff880282d2abe8 ffff8801f545be18 +[3326150.987938] WARN: ffffffffa05cea90 ffff880282d2abf8 ffff88026b59cc80 ffff88026b59cc00 +[3326150.987951] WARN: ffff88022acf32c0 ffff880289491800 ffff880255a80800 0000000000000400 +[3326150.987964] WARN: Call Trace: +[3326150.987975] WARN: [] iscsi_xmitworker+0x2f0/0x360 [libiscsi] +[3326150.987988] WARN: [] process_one_work+0x1fc/0x3b0 +[3326150.987997] WARN: [] worker_thread+0x2a5/0x470 +[3326150.988006] WARN: [] ? __schedule+0x648/0x870 +[3326150.988015] WARN: [] ? rescuer_thread+0x300/0x300 +[3326150.988023] WARN: [] kthread+0xd5/0xe0 +[3326150.988031] WARN: [] ? kthread_stop+0x110/0x110 +[3326150.988040] WARN: [] ret_from_fork+0x3f/0x70 +[3326150.988048] WARN: [] ? 
kthread_stop+0x110/0x110 +[3326150.988127] ALERT: RIP [] iscsi_xmit_task+0x2d/0xc0 [libiscsi] +[3326150.988138] WARN: RSP +[3326150.988144] WARN: CR2: 0000000000000078 +[3326151.020366] WARN: ---[ end trace 1c60974d4678d81b ]--- + +Commit 6f8830f5bbab ("scsi: libiscsi: add lock around task lists to fix +list corruption regression") introduced "taskqueuelock" to fix list +corruption during the race, but this wasn't enough. + +Re-setting of conn->task to NULL, could race with iscsi_xmit_task(). +iscsi_complete_task() +{ + .... + if (conn->task == task) + conn->task = NULL; +} + +conn->task in iscsi_xmit_task() could be NULL and so will be task. +__iscsi_get_task(task) will crash (NullPtr de-ref), trying to access +refcount. + +iscsi_xmit_task() +{ + struct iscsi_task *task = conn->task; + + __iscsi_get_task(task); +} + +This commit will take extra conn->session->back_lock in iscsi_xmit_task() +to ensure iscsi_xmit_task() waits for iscsi_complete_task(), if +iscsi_complete_task() wins the race. If iscsi_xmit_task() wins the race, +iscsi_xmit_task() increments task->refcount +(__iscsi_get_task) ensuring iscsi_complete_task() will not iscsi_free_task(). + +Signed-off-by: Anoob Soman +Signed-off-by: Bob Liu +Acked-by: Lee Duncan +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libiscsi.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c +index 3ff536b350a1..5ea5d42bac76 100644 +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -1449,7 +1449,13 @@ static int iscsi_xmit_task(struct iscsi_conn *conn) + if (test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx)) + return -ENODATA; + ++ spin_lock_bh(&conn->session->back_lock); ++ if (conn->task == NULL) { ++ spin_unlock_bh(&conn->session->back_lock); ++ return -ENODATA; ++ } + __iscsi_get_task(task); ++ spin_unlock_bh(&conn->session->back_lock); + spin_unlock_bh(&conn->session->frwd_lock); + rc = conn->session->tt->xmit_task(task); + spin_lock_bh(&conn->session->frwd_lock); +-- +2.19.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 51d3f9d851d..45b54a751bf 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
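Review bot: The NULL test is made on `conn->task` under `back_lock`, but `__iscsi_get_task(task)` then takes its reference through the local `task`, which according to the commit message was loaded from `conn->task` before the lock was taken (the declaration is outside the hunk). The check and the reference should use the same value read under the lock: `task = conn->task;` followed by `if (!task) {`. A one-line comment that `back_lock` is taken here to serialise against `iscsi_complete_task()` clearing `conn->task` would also record why a second lock is nested at this point. iscsi_xmit_task() starts and ends outside the hunk.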
@@ -8,3 +8,61 @@ crypto-ahash-fix-another-early-termination-in-hash-walk.patch
 crypto-rockchip-fix-scatterlist-nents-error.patch
 crypto-rockchip-update-new-iv-to-device-in-multiple-operations.patch
 media-videobuf2-v4l2-drop-warn_on-in-vb2_warn_zero_bytesused.patch
+drm-imx-ignore-plane-updates-on-disabled-crtcs.patch
+gpu-ipu-v3-fix-i.mx51-csi-control-registers-offset.patch
+drm-imx-imx-ldb-add-missing-of_node_puts.patch
+gpu-ipu-v3-fix-csi-offsets-for-imx53.patch
+s390-dasd-fix-using-offset-into-zero-size-array-erro.patch
+input-pwm-vibra-prevent-unbalanced-regulator.patch
+input-pwm-vibra-stop-regulator-after-disabling-pwm-n.patch
+arm-omap2-variable-reg-in-function-omap4_dsi_mux_pad.patch
+asoc-dapm-fix-out-of-bounds-accesses-to-dapm-lookup-.patch
+asoc-rsnd-fixup-rsnd_ssi_master_clk_start-user-count.patch
+kvm-arm-arm64-reset-the-vcpu-without-preemption-and-.patch
+arm-omap2-fix-lack-of-timer-interrupts-on-cpu1-after.patch
+input-cap11xx-switch-to-using-set_brightness_blockin.patch
+input-ps2-gpio-flush-tx-work-when-closing-port.patch
+input-matrix_keypad-use-flush_delayed_work.patch
+mac80211-fix-tx-aggregation-session-tear-down-with-i.patch
+ipvs-fix-dependency-on-nf_defrag_ipv6.patch
+floppy-check_events-callback-should-not-return-a-neg.patch
+nfs-don-t-use-page_file_mapping-after-removing-the-p.patch
+mm-gup-fix-gup_pmd_range-for-dax.patch
+revert-mm-use-early_pfn_to_nid-in-page_ext_init.patch
+mm-page_alloc-fix-ref-bias-in-page_frag_alloc-for-1-.patch
+net-hns-fix-object-reference-leaks-in-hns_dsaf_roce_.patch
+i2c-cadence-fix-the-hold-bit-setting.patch
+i2c-bcm2835-clear-current-buffer-pointers-and-counts.patch
+auxdisplay-ht16k33-fix-potential-user-after-free-on-.patch
+input-st-keyscan-fix-potential-zalloc-null-dereferen.patch
+clk-sunxi-ng-v3s-fix-tcon-reset-de-assert-bit.patch
+clk-sunxi-a31-fix-wrong-ahb-gate-number.patch
+esp-skip-tx-bytes-accounting-when-sending-from-a-req.patch
+arm-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch
+af_key-unconditionally-clone-on-broadcast.patch
+assoc_array-fix-shortcut-creation.patch
+keys-fix-dependency-loop-between-construction-record.patch
+scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch
+net-systemport-fix-reception-of-bpdus.patch
+pinctrl-meson-meson8b-fix-the-sdxc_a-data-1.3-pins.patch
+qmi_wwan-apply-set_dtr-quirk-to-sierra-wp7607.patch
+net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch
+mailbox-bcm-flexrm-mailbox-fix-flexrm-ring-flush-tim.patch
+asoc-topology-free-created-components-in-tplg-load-e.patch
+qed-fix-iwarp-syn-packet-mac-address-validation.patch
+arm64-relax-gic-version-check-during-early-boot.patch
+net-marvell-mvneta-fix-dma-debug-warning.patch
+kasan-slub-move-kasan_poison_slab-hook-before-page_a.patch
+tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch
+kasan-slab-fix-conflicts-with-config_hardened_userco.patch
+ixgbe-fix-older-devices-that-do-not-support-ixgbe_mr.patch
+arcv2-lib-memcpy-fix-doing-prefetchw-outside-of-buff.patch
+arc-uacces-remove-lp_start-lp_end-from-clobber-list.patch
+arcv2-support-manual-regfile-save-on-interrupts.patch
+phonet-fix-building-with-clang.patch
+mac80211_hwsim-propagate-genlmsg_reply-return-code.patch
+net-thunderx-make-cfg_done-message-to-run-through-ge.patch
+nfp-bpf-fix-code-gen-bug-on-bpf_alu-bpf_xor-bpf_k.patch
+nfp-bpf-fix-alu32-high-bits-clearance-bug.patch
+net-set-static-variable-an-initial-value-in-atl2_pro.patch
+tmpfs-fix-uninitialized-return-value-in-shmem_link.patch
diff --git a/queue-4.14/tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch b/queue-4.14/tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch
new file mode 100644
index 00000000000..830163aaa3d
--- /dev/null
+++ b/queue-4.14/tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch
@@ -0,0 +1,62 @@ +From 10c6e2ab16c88538323b01a9d367e22c24d3471b Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Thu, 21 Feb 2019 08:48:09 -0800 +Subject: tmpfs: fix link accounting when a tmpfile is linked in + +[ Upstream commit 1062af920c07f5b54cf5060fde3339da6df0cf6b ] + +tmpfs has a peculiarity of accounting hard links as if they were +separate inodes: so that when the number of inodes is limited, as it is +by default, a user cannot soak up an unlimited amount of unreclaimable +dcache memory just by repeatedly linking a file. + +But when v3.11 added O_TMPFILE, and the ability to use linkat() on the +fd, we missed accommodating this new case in tmpfs: "df -i" shows that +an extra "inode" remains accounted after the file is unlinked and the fd +closed and the actual inode evicted. If a user repeatedly links +tmpfiles into a tmpfs, the limit will be hit (ENOSPC) even after they +are deleted. + +Just skip the extra reservation from shmem_link() in this case: there's +a sense in which this first link of a tmpfile is then cheaper than a +hard link of another file, but the accounting works out, and there's +still good limiting, so no need to do anything more complicated. + +Link: http://lkml.kernel.org/r/alpine.LSU.2.11.1902182134370.7035@eggly.anvils +Fixes: f4e0c30c191 ("allow the temp files created by open() to be linked to") +Signed-off-by: Darrick J. 
Wong +Signed-off-by: Hugh Dickins +Reported-by: Matej Kupljen +Acked-by: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/shmem.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/mm/shmem.c b/mm/shmem.c +index 6c10f1d92251..9b78c04f532b 100644 +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -3102,10 +3102,14 @@ static int shmem_link(struct dentry *old_dentry, struct inode *dir, struct dentr + * No ordinary (disk based) filesystem counts links as inodes; + * but each new link needs a new dentry, pinning lowmem, and + * tmpfs dentries cannot be pruned until they are unlinked. ++ * But if an O_TMPFILE file is linked into the tmpfs, the ++ * first link must skip that, to get the accounting right. + */ +- ret = shmem_reserve_inode(inode->i_sb); +- if (ret) +- goto out; ++ if (inode->i_nlink) { ++ ret = shmem_reserve_inode(inode->i_sb); ++ if (ret) ++ goto out; ++ } + + dir->i_size += BOGO_DIRENT_SIZE; + inode->i_ctime = dir->i_ctime = dir->i_mtime = current_time(inode); +-- +2.19.1 + diff --git a/queue-4.14/tmpfs-fix-uninitialized-return-value-in-shmem_link.patch b/queue-4.14/tmpfs-fix-uninitialized-return-value-in-shmem_link.patch new file mode 100644 index 00000000000..1f7527add6c --- /dev/null +++ b/queue-4.14/tmpfs-fix-uninitialized-return-value-in-shmem_link.patch 
@@ -0,0 +1,40 @@
+From bc0038e0376cf21b44d311d321d327ea3092703e Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong"
+Date: Fri, 22 Feb 2019 22:35:32 -0800
+Subject: tmpfs: fix uninitialized return value in shmem_link
+
+[ Upstream commit 29b00e609960ae0fcff382f4c7079dd0874a5311 ]
+
+When we made the shmem_reserve_inode call in shmem_link conditional, we
+forgot to update the declaration for ret so that it always has a known
+value. Dan Carpenter pointed out this deficiency in the original patch.
+
+Fixes: 1062af920c07 ("tmpfs: fix link accounting when a tmpfile is linked in")
+Reported-by: Dan Carpenter
+Signed-off-by: Darrick J. Wong
+Signed-off-by: Hugh Dickins
+Cc: Matej Kupljen
+Cc: Al Viro
+Cc: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ mm/shmem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/shmem.c b/mm/shmem.c
+index 9b78c04f532b..037e2ee9ccac 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -3096,7 +3096,7 @@ static int shmem_create(struct inode *dir, struct dentry *dentry, umode_t mode,
+ static int shmem_link(struct dentry *old_dentry, struct inode *dir, struct dentry *dentry)
+ {
+ struct inode *inode = d_inode(old_dentry);
+- int ret;
++ int ret = 0;
+
+ /*
+ * No ordinary (disk based) filesystem counts links as inodes;
+--
+2.19.1
+