From 36c2299ecfc71b83330632cc3c0dcd79d816cda5 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 21 Jul 2019 20:55:27 -0400 Subject: [PATCH] fixes for 4.14 Signed-off-by: Sasha Levin --- ...e-5.1-fadts-that-are-reported-as-5.0.patch | 52 +++ ...eaks-in-key_pol_get_resp-and-dump_sp.patch | 50 +++ ..._efistub_stext_offset-as-an-absolute.patch | 61 +++ ...n-w56-fixed-pulse-type-3-radar-detec.patch | 44 ++ .../ath10k-add-missing-error-handling.patch | 46 ++ ...dio-workqueue-while-remove-sdio-modu.patch | 38 ++ ...end-probe-response-template-for-mesh.patch | 43 ++ ...th10k-fix-pcie-device-wake-up-failed.patch | 49 +++ .../ath6kl-add-some-bounds-checking.patch | 62 +++ ...or-errors-when-reading-srev-register.patch | 121 ++++++ ...tman-adv-fix-for-leaked-tvlv-handler.patch | 37 ++ ...c_thread-by-is_err_or_null-in-cache_.patch | 128 ++++++ ...dead-memcgs-shouldn-t-contribute-to-.patch | 55 +++ ...n-search-for-destination-address-in-.patch | 57 +++ ...-check-state-in-l2cap_disconnect_rsp.patch | 220 ++++++++++ ...h-hci_bcsp-fix-memory-leak-in-rx_skb.patch | 39 ++ ...date-ble-connection-interval-updates.patch | 92 ++++ ...bpf-silence-warning-messages-in-core.patch | 56 +++ ...ers-exynos_mct-increase-priority-ove.patch | 76 ++++ ...cy-set-r-option-misses-the-last-cpu-.patch | 41 ++ ...c_keys-select-crypto_hash-where-need.patch | 60 +++ ...-mark-__serpent_setkey_sbox-noinline.patch | 47 +++ ...lign-sec1-accesses-to-32-bits-bounda.patch | 42 ++ ...ix-skcipher-failure-due-to-wrong-out.patch | 55 +++ ...to-talitos-properly-handle-split-icv.patch | 97 +++++ ...ma-fix-use-after-free-on-probe-error.patch | 107 +++++ ...out-of-bounds-write-when-setting-eda.patch | 159 +++++++ ...emory-leak-when-creating-a-csrow-obj.patch | 52 +++ ...x-div-by-zero-in-setup_format_params.patch | 61 +++ ...id-pointer-dereference-in-drive_name.patch | 81 ++++ ...ix-out-of-bounds-read-in-copy_buffer.patch | 52 +++ ...-of-bounds-read-in-next_valid_format.patch | 79 ++++ ...-some-bug_on-s-in-block-encryption-d.patch | 69 +++ ...-ensure-irq-is-enabled-before-wakeup.patch | 85 ++++ ...fix-lack-of-irqstatus_raw0-for-omap4.patch | 43 ++ ...rences-to-gpiod_-gs-et_-value_cansle.patch | 58 +++ ...gtp_encap_disable_sock-in-gtp_encap_.patch | 41 ++ ...context-switch-in-rcu-read-side-crit.patch | 71 ++++ queue-4.14/gtp-fix-suspicious-rcu-usage.patch | 92 ++++ ...-use-after-free-in-gtp_encap_destroy.patch | 131 ++++++ ...tp-fix-use-after-free-in-gtp_newlink.patch | 109 +++++ ...ereference-of-null-rx_buffer-pointer.patch | 63 +++ ...x-a-leak-in-iommu_insert_resv_region.patch | 60 +++ ...-correcly-show-a-vf-hardware-address.patch | 57 +++ ...-select-crypto-ciphers-for-xfrm_algo.patch | 43 ++ ...-accounting-for-hash-types-on-resize.patch | 82 ++++ ...fer-hook-registration-to-avoid-leaks.patch | 118 ++++++ ...nfo-memory-leak-in-start_sync_thread.patch | 399 ++++++++++++++++++ ...wlwifi-mvm-drop-large-non-sta-frames.patch | 39 ++ ...existence-in-transceiver-before-acce.patch | 63 +++ ...equest-sense-data-on-zac-ata-devices.patch | 68 +++ ...fix-merging-of-hlocks-with-non-zero-.patch | 102 +++++ ...ast-buffer-handling-in-v4l2_enc_cmd_.patch | 46 ++ ...a-fix-mpeg2-sequence-number-handling.patch | 46 ++ ...ment-sequence-offset-for-the-last-re.patch | 37 ++ ...x-use-after-free-in-dvb_usb_device_e.patch | 44 ++ ...ia-fdp1-support-m3n-and-e3-platforms.patch | 51 +++ ...pvr-fix-locking-and-a-missing-msleep.patch | 81 ++++ ...ia-i2c-fix-warning-same-module-names.patch | 60 +++ ...ic-fix-dma-s-g-desc-number-calculati.patch | 64 +++ ...c-don-t-memset-__user-pointer-conten.patch | 43 ++ ...ce_enum_links32-clean-a-reserved-fie.patch | 55 +++ ...-mfc-make-additional-clocks-optional.patch | 44 ++ ...ed-add-missing-of-table-registration.patch | 42 ++ ...dia-davinci_vpfe-fix-for-memory-leak.patch | 36 ++ ...-check-v4l2_fill_pixfmt-return-value.patch | 49 +++ ...a-potential-null-pointer-dereference.patch | 38 ++ ...-some-error-handling-in-fm_v4l2_init.patch | 100 +++++ ...ps-ath79-fix-ar933x-uart-parity-mode.patch | 40 ++ .../mips-fix-build-on-non-linux-hosts.patch | 67 +++ ...chedule-rx_tasklet-when-the-device-h.patch | 114 +++++ ...ible-memory-leak-when-the-device-is-.patch | 125 ++++++ ...t-fix-race-condition-causing-tx-hang.patch | 64 +++ ...do-not-use-netdev-messages-too-early.patch | 50 +++ ...me-error-checking-in-hclge_tm-module.patch | 54 +++ ...a-wformat-nonliteral-compile-warning.patch | 44 ++ ...-probe-of-orion-mdio-if-a-clock-is-n.patch | 45 ++ ...-check-against-net_device-being-null.patch | 48 +++ ...x-to-prevent-concurrent-state-checks.patch | 65 +++ ...mac1000-clear-unused-address-entries.patch | 43 ++ ...wmac4-5-clear-unused-address-entries.patch | 53 +++ ...stmmac-dwmac4-fix-flow-control-issue.patch | 57 +++ ...et-usb-asix-init-mac-address-buffers.patch | 121 ++++++ queue-4.14/ntp-limit-tai-utc-offset.patch | 55 +++ ...erly-set-the-value-of-old-and-head-i.patch | 206 +++++++++ ...perf_evsel__name-accept-a-null-argum.patch | 54 +++ ...make-metric-event-lookup-more-robust.patch | 51 +++ ...fix-missing-kvm-module-load-for-s390.patch | 87 ++++ ...-increase-max_nr_cpus-and-max_caches.patch | 70 +++ ...d-set-the-doorbell-address-correctly.patch | 104 +++++ queue-4.14/ras-cec-fix-pfn-insertion.patch | 56 +++ .../rcu-force-inlining-of-rcu_read_lock.patch | 55 +++ ...p-fix-bulk-writes-on-paged-registers.patch | 42 ++ ...slib-fix-decoding-of-shortened-codes.patch | 44 ++ ...dling-of-of-caller-provided-syndrome.patch | 46 ++ ...u-fix-error-handle-when-usb-probe-fa.patch | 104 +++++ ...ndle-pending-state-for-qebsm-devices.patch | 39 ++ ...core-add-__sched-tag-for-io_schedule.patch | 47 +++ ...unnable_avg_yn_inv-not-used-warnings.patch | 64 +++ ...uth_protocol-back-to-null-if-chap_a-.patch | 78 ++++ queue-4.14/series | 111 +++++ ...cifs_put_tcp_session-to-call-send_si.patch | 52 +++ ...pace-fix-reboot_pid_ns-to-use-send_s.patch | 50 +++ ...imer_list-guard-procfs-specific-code.patch | 89 ++++ queue-4.14/tua6100-avoid-build-warnings.patch | 94 +++++ ...host_net-disable-zerocopy-by-default.patch | 43 ++ ...210-fix-potential-out-of-bounds-read.patch | 52 +++ ...ic-fix-smp_mb__-before-after-_atomic.patch | 164 +++++++ ...t-e-to-mkcapflags.sh-to-delete-broke.patch | 52 +++ ...add-fdp_excptn_only-and-zero_fcs_fds.patch | 60 +++ .../xfrm-fix-sa-selector-validation.patch | 42 ++ ...ix-xfrm-sel-prefix-length-validation.patch | 56 +++ 112 files changed, 7945 insertions(+) create mode 100644 queue-4.14/acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch create mode 100644 queue-4.14/af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch create mode 100644 queue-4.14/arm64-efi-mark-__efistub_stext_offset-as-an-absolute.patch create mode 100644 queue-4.14/ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch create mode 100644 queue-4.14/ath10k-add-missing-error-handling.patch create mode 100644 queue-4.14/ath10k-destroy-sdio-workqueue-while-remove-sdio-modu.patch create mode 100644 queue-4.14/ath10k-do-not-send-probe-response-template-for-mesh.patch create mode 100644 queue-4.14/ath10k-fix-pcie-device-wake-up-failed.patch create mode 100644 queue-4.14/ath6kl-add-some-bounds-checking.patch create mode 100644 queue-4.14/ath9k-check-for-errors-when-reading-srev-register.patch create mode 100644 queue-4.14/batman-adv-fix-for-leaked-tvlv-handler.patch create mode 100644 queue-4.14/bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch create mode 100644 queue-4.14/blkcg-writeback-dead-memcgs-shouldn-t-contribute-to-.patch create mode 100644 queue-4.14/bluetooth-6lowpan-search-for-destination-address-in-.patch create mode 100644 queue-4.14/bluetooth-check-state-in-l2cap_disconnect_rsp.patch create mode 100644 queue-4.14/bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch create mode 100644 queue-4.14/bluetooth-validate-ble-connection-interval-updates.patch create mode 100644 queue-4.14/bpf-silence-warning-messages-in-core.patch create mode 100644 queue-4.14/clocksource-drivers-exynos_mct-increase-priority-ove.patch create mode 100644 queue-4.14/cpupower-frequency-set-r-option-misses-the-last-cpu-.patch create mode 100644 queue-4.14/crypto-asymmetric_keys-select-crypto_hash-where-need.patch create mode 100644 queue-4.14/crypto-serpent-mark-__serpent_setkey_sbox-noinline.patch create mode 100644 queue-4.14/crypto-talitos-align-sec1-accesses-to-32-bits-bounda.patch create mode 100644 queue-4.14/crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch create mode 100644 queue-4.14/crypto-talitos-properly-handle-split-icv.patch create mode 100644 queue-4.14/dmaengine-imx-sdma-fix-use-after-free-on-probe-error.patch create mode 100644 queue-4.14/edac-fix-global-out-of-bounds-write-when-setting-eda.patch create mode 100644 queue-4.14/edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch create mode 100644 queue-4.14/floppy-fix-div-by-zero-in-setup_format_params.patch create mode 100644 queue-4.14/floppy-fix-invalid-pointer-dereference-in-drive_name.patch create mode 100644 queue-4.14/floppy-fix-out-of-bounds-read-in-copy_buffer.patch create mode 100644 queue-4.14/floppy-fix-out-of-bounds-read-in-next_valid_format.patch create mode 100644 queue-4.14/fscrypt-clean-up-some-bug_on-s-in-block-encryption-d.patch create mode 100644 queue-4.14/gpio-omap-ensure-irq-is-enabled-before-wakeup.patch create mode 100644 queue-4.14/gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch create mode 100644 queue-4.14/gpiolib-fix-references-to-gpiod_-gs-et_-value_cansle.patch create mode 100644 queue-4.14/gtp-add-missing-gtp_encap_disable_sock-in-gtp_encap_.patch create mode 100644 queue-4.14/gtp-fix-illegal-context-switch-in-rcu-read-side-crit.patch create mode 100644 queue-4.14/gtp-fix-suspicious-rcu-usage.patch create mode 100644 queue-4.14/gtp-fix-use-after-free-in-gtp_encap_destroy.patch create mode 100644 queue-4.14/gtp-fix-use-after-free-in-gtp_newlink.patch create mode 100644 queue-4.14/iavf-fix-dereference-of-null-rx_buffer-pointer.patch create mode 100644 queue-4.14/iommu-fix-a-leak-in-iommu_insert_resv_region.patch create mode 100644 queue-4.14/ipoib-correcly-show-a-vf-hardware-address.patch create mode 100644 queue-4.14/ipsec-select-crypto-ciphers-for-xfrm_algo.patch create mode 100644 queue-4.14/ipset-fix-memory-accounting-for-hash-types-on-resize.patch create mode 100644 queue-4.14/ipvs-defer-hook-registration-to-avoid-leaks.patch create mode 100644 queue-4.14/ipvs-fix-tinfo-memory-leak-in-start_sync_thread.patch create mode 100644 queue-4.14/iwlwifi-mvm-drop-large-non-sta-frames.patch create mode 100644 queue-4.14/ixgbe-check-ddm-existence-in-transceiver-before-acce.patch create mode 100644 queue-4.14/libata-don-t-request-sense-data-on-zac-ata-devices.patch create mode 100644 queue-4.14/locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch create mode 100644 queue-4.14/media-coda-fix-last-buffer-handling-in-v4l2_enc_cmd_.patch create mode 100644 queue-4.14/media-coda-fix-mpeg2-sequence-number-handling.patch create mode 100644 queue-4.14/media-coda-increment-sequence-offset-for-the-last-re.patch create mode 100644 queue-4.14/media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch create mode 100644 queue-4.14/media-fdp1-support-m3n-and-e3-platforms.patch create mode 100644 queue-4.14/media-hdpvr-fix-locking-and-a-missing-msleep.patch create mode 100644 queue-4.14/media-i2c-fix-warning-same-module-names.patch create mode 100644 queue-4.14/media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch create mode 100644 queue-4.14/media-mc-device.c-don-t-memset-__user-pointer-conten.patch create mode 100644 queue-4.14/media-media_device_enum_links32-clean-a-reserved-fie.patch create mode 100644 queue-4.14/media-s5p-mfc-make-additional-clocks-optional.patch create mode 100644 queue-4.14/media-spi-ir-led-add-missing-of-table-registration.patch create mode 100644 queue-4.14/media-staging-media-davinci_vpfe-fix-for-memory-leak.patch create mode 100644 queue-4.14/media-vimc-cap-check-v4l2_fill_pixfmt-return-value.patch create mode 100644 queue-4.14/media-vpss-fix-a-potential-null-pointer-dereference.patch create mode 100644 queue-4.14/media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch create mode 100644 queue-4.14/mips-ath79-fix-ar933x-uart-parity-mode.patch create mode 100644 queue-4.14/mips-fix-build-on-non-linux-hosts.patch create mode 100644 queue-4.14/mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch create mode 100644 queue-4.14/mt7601u-fix-possible-memory-leak-when-the-device-is-.patch create mode 100644 queue-4.14/net-axienet-fix-race-condition-causing-tx-hang.patch create mode 100644 queue-4.14/net-fec-do-not-use-netdev-messages-too-early.patch create mode 100644 queue-4.14/net-hns3-add-some-error-checking-in-hclge_tm-module.patch create mode 100644 queue-4.14/net-hns3-fix-a-wformat-nonliteral-compile-warning.patch create mode 100644 queue-4.14/net-mvmdio-defer-probe-of-orion-mdio-if-a-clock-is-n.patch create mode 100644 queue-4.14/net-phy-check-against-net_device-being-null.patch create mode 100644 queue-4.14/net-sfp-add-mutex-to-prevent-concurrent-state-checks.patch create mode 100644 queue-4.14/net-stmmac-dwmac1000-clear-unused-address-entries.patch create mode 100644 queue-4.14/net-stmmac-dwmac4-5-clear-unused-address-entries.patch create mode 100644 queue-4.14/net-stmmac-dwmac4-fix-flow-control-issue.patch create mode 100644 queue-4.14/net-usb-asix-init-mac-address-buffers.patch create mode 100644 queue-4.14/ntp-limit-tai-utc-offset.patch create mode 100644 queue-4.14/perf-cs-etm-properly-set-the-value-of-old-and-head-i.patch create mode 100644 queue-4.14/perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch create mode 100644 queue-4.14/perf-stat-make-metric-event-lookup-more-robust.patch create mode 100644 queue-4.14/perf-test-6-fix-missing-kvm-module-load-for-s390.patch create mode 100644 queue-4.14/perf-tools-increase-max_nr_cpus-and-max_caches.patch create mode 100644 queue-4.14/qed-set-the-doorbell-address-correctly.patch create mode 100644 queue-4.14/ras-cec-fix-pfn-insertion.patch create mode 100644 queue-4.14/rcu-force-inlining-of-rcu_read_lock.patch create mode 100644 queue-4.14/regmap-fix-bulk-writes-on-paged-registers.patch create mode 100644 queue-4.14/rslib-fix-decoding-of-shortened-codes.patch create mode 100644 queue-4.14/rslib-fix-handling-of-of-caller-provided-syndrome.patch create mode 100644 queue-4.14/rtlwifi-rtl8192cu-fix-error-handle-when-usb-probe-fa.patch create mode 100644 queue-4.14/s390-qdio-handle-pending-state-for-qebsm-devices.patch create mode 100644 queue-4.14/sched-core-add-__sched-tag-for-io_schedule.patch create mode 100644 queue-4.14/sched-fair-fix-runnable_avg_yn_inv-not-used-warnings.patch create mode 100644 queue-4.14/scsi-iscsi-set-auth_protocol-back-to-null-if-chap_a-.patch create mode 100644 queue-4.14/series create mode 100644 queue-4.14/signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch create mode 100644 queue-4.14/signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch create mode 100644 queue-4.14/timer_list-guard-procfs-specific-code.patch create mode 100644 queue-4.14/tua6100-avoid-build-warnings.patch create mode 100644 queue-4.14/vhost_net-disable-zerocopy-by-default.patch create mode 100644 queue-4.14/wil6210-fix-potential-out-of-bounds-read.patch create mode 100644 queue-4.14/x86-atomic-fix-smp_mb__-before-after-_atomic.patch create mode 100644 queue-4.14/x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch create mode 100644 queue-4.14/x86-cpufeatures-add-fdp_excptn_only-and-zero_fcs_fds.patch create mode 100644 queue-4.14/xfrm-fix-sa-selector-validation.patch create mode 100644 queue-4.14/xfrm-fix-xfrm-sel-prefix-length-validation.patch diff --git a/queue-4.14/acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch b/queue-4.14/acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch new file mode 100644 index 00000000000..f45853d4ef2 --- /dev/null +++ b/queue-4.14/acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch @@ -0,0 +1,52 @@ +From 534362cf7e031f42b85be59c5cc7ca8de375d901 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 19 Jun 2019 14:18:31 +0200 +Subject: acpi/arm64: ignore 5.1 FADTs that are reported as 5.0 + +[ Upstream commit 2af22f3ec3ca452f1e79b967f634708ff01ced8a ] + +Some Qualcomm Snapdragon based laptops built to run Microsoft Windows +are clearly ACPI 5.1 based, given that that is the first ACPI revision +that supports ARM, and introduced the FADT 'arm_boot_flags' field, +which has a non-zero field on those systems. + +So in these cases, infer from the ARM boot flags that the FADT must be +5.1 or later, and treat it as 5.1. + +Acked-by: Sudeep Holla +Tested-by: Lee Jones +Reviewed-by: Graeme Gregory +Acked-by: Lorenzo Pieralisi +Acked-by: Hanjun Guo +Signed-off-by: Ard Biesheuvel +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/acpi.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/kernel/acpi.c b/arch/arm64/kernel/acpi.c +index b3162715ed78..285f0b4851fc 100644 +--- a/arch/arm64/kernel/acpi.c ++++ b/arch/arm64/kernel/acpi.c +@@ -157,10 +157,14 @@ static int __init acpi_fadt_sanity_check(void) + */ + if (table->revision < 5 || + (table->revision == 5 && fadt->minor_revision < 1)) { +- pr_err("Unsupported FADT revision %d.%d, should be 5.1+\n", ++ pr_err(FW_BUG "Unsupported FADT revision %d.%d, should be 5.1+\n", + table->revision, fadt->minor_revision); +- ret = -EINVAL; +- goto out; ++ ++ if (!fadt->arm_boot_flags) { ++ ret = -EINVAL; ++ goto out; ++ } ++ pr_err("FADT has ARM boot flags set, assuming 5.1\n"); + } + + if (!(fadt->flags & ACPI_FADT_HW_REDUCED)) { +-- +2.20.1 + diff --git a/queue-4.14/af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch b/queue-4.14/af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch new file mode 100644 index 00000000000..422ac86e6c2 --- /dev/null +++ b/queue-4.14/af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch @@ -0,0 +1,50 @@ +From 400e617124b6cdd927fc9b0a67daf7cf828246f4 Mon Sep 17 00:00:00 2001 +From: Jeremy Sowden +Date: Sat, 25 May 2019 19:09:35 +0100 +Subject: af_key: fix leaks in key_pol_get_resp and dump_sp. + +[ Upstream commit 7c80eb1c7e2b8420477fbc998971d62a648035d9 ] + +In both functions, if pfkey_xfrm_policy2msg failed we leaked the newly +allocated sk_buff. Free it on error. + +Fixes: 55569ce256ce ("Fix conversion between IPSEC_MODE_xxx and XFRM_MODE_xxx.") +Reported-by: syzbot+4f0529365f7f2208d9f0@syzkaller.appspotmail.com +Signed-off-by: Jeremy Sowden +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/key/af_key.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/key/af_key.c b/net/key/af_key.c +index b095551a5773..ac38b47e9f86 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -2438,8 +2438,10 @@ static int key_pol_get_resp(struct sock *sk, struct xfrm_policy *xp, const struc + goto out; + } + err = pfkey_xfrm_policy2msg(out_skb, xp, dir); +- if (err < 0) ++ if (err < 0) { ++ kfree_skb(out_skb); + goto out; ++ } + + out_hdr = (struct sadb_msg *) out_skb->data; + out_hdr->sadb_msg_version = hdr->sadb_msg_version; +@@ -2690,8 +2692,10 @@ static int dump_sp(struct xfrm_policy *xp, int dir, int count, void *ptr) + return PTR_ERR(out_skb); + + err = pfkey_xfrm_policy2msg(out_skb, xp, dir); +- if (err < 0) ++ if (err < 0) { ++ kfree_skb(out_skb); + return err; ++ } + + out_hdr = (struct sadb_msg *) out_skb->data; + out_hdr->sadb_msg_version = pfk->dump.msg_version; +-- +2.20.1 + diff --git a/queue-4.14/arm64-efi-mark-__efistub_stext_offset-as-an-absolute.patch b/queue-4.14/arm64-efi-mark-__efistub_stext_offset-as-an-absolute.patch new file mode 100644 index 00000000000..1da88e18933 --- /dev/null +++ b/queue-4.14/arm64-efi-mark-__efistub_stext_offset-as-an-absolute.patch @@ -0,0 +1,61 @@ +From ca7e03c05a4390ed69bb9918b4d1e656e3a5e894 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Tue, 25 Jun 2019 21:20:17 -0700 +Subject: arm64/efi: Mark __efistub_stext_offset as an absolute symbol + explicitly + +[ Upstream commit aa69fb62bea15126e744af2e02acc0d6cf3ed4da ] + +After r363059 and r363928 in LLVM, a build using ld.lld as the linker +with CONFIG_RANDOMIZE_BASE enabled fails like so: + +ld.lld: error: relocation R_AARCH64_ABS32 cannot be used against symbol +__efistub_stext_offset; recompile with -fPIC + +Fangrui and Peter figured out that ld.lld is incorrectly considering +__efistub_stext_offset as a relative symbol because of the order in +which symbols are evaluated. _text is treated as an absolute symbol +and stext is a relative symbol, making __efistub_stext_offset a +relative symbol. + +Adding ABSOLUTE will force ld.lld to evalute this expression in the +right context and does not change ld.bfd's behavior. ld.lld will +need to be fixed but the developers do not see a quick or simple fix +without some research (see the linked issue for further explanation). +Add this simple workaround so that ld.lld can continue to link kernels. + +Link: https://github.com/ClangBuiltLinux/linux/issues/561 +Link: https://github.com/llvm/llvm-project/commit/025a815d75d2356f2944136269aa5874721ec236 +Link: https://github.com/llvm/llvm-project/commit/249fde85832c33f8b06c6b4ac65d1c4b96d23b83 +Acked-by: Ard Biesheuvel +Debugged-by: Fangrui Song +Debugged-by: Peter Smith +Suggested-by: Fangrui Song +Signed-off-by: Nathan Chancellor +[will: add comment] +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/image.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/image.h b/arch/arm64/kernel/image.h +index 40f9f0b078a4..12af2ba8d558 100644 +--- a/arch/arm64/kernel/image.h ++++ b/arch/arm64/kernel/image.h +@@ -73,7 +73,11 @@ + + #ifdef CONFIG_EFI + +-__efistub_stext_offset = stext - _text; ++/* ++ * Use ABSOLUTE() to avoid ld.lld treating this as a relative symbol: ++ * https://github.com/ClangBuiltLinux/linux/issues/561 ++ */ ++__efistub_stext_offset = ABSOLUTE(stext - _text); + + /* + * The EFI stub has its own symbol namespace prefixed by __efistub_, to +-- +2.20.1 + diff --git a/queue-4.14/ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch b/queue-4.14/ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch new file mode 100644 index 00000000000..84af41d4e30 --- /dev/null +++ b/queue-4.14/ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch @@ -0,0 +1,44 @@ +From af167cc058204f894b83ff4061b88ca96b5e58df Mon Sep 17 00:00:00 2001 +From: Anilkumar Kolli +Date: Wed, 6 Mar 2019 23:06:11 +0530 +Subject: ath: DFS JP domain W56 fixed pulse type 3 RADAR detection + +[ Upstream commit d8792393a783158cbb2c39939cb897dc5e5299b6 ] + +Increase pulse width range from 1-2usec to 0-4usec. +During data traffic HW occasionally fails detecting radar pulses, +so that SW cannot get enough radar reports to achieve the success rate. + +Tested ath10k hw and fw: + * QCA9888(10.4-3.5.1-00052) + * QCA4019(10.4-3.2.1.1-00017) + * QCA9984(10.4-3.6-00104) + * QCA988X(10.2.4-1.0-00041) + +Tested ath9k hw: AR9300 + +Tested-by: Tamizh chelvam +Signed-off-by: Tamizh chelvam +Signed-off-by: Anilkumar Kolli +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/dfs_pattern_detector.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/dfs_pattern_detector.c b/drivers/net/wireless/ath/dfs_pattern_detector.c +index 4100ffd42a43..78146607f16e 100644 +--- a/drivers/net/wireless/ath/dfs_pattern_detector.c ++++ b/drivers/net/wireless/ath/dfs_pattern_detector.c +@@ -111,7 +111,7 @@ static const struct radar_detector_specs jp_radar_ref_types[] = { + JP_PATTERN(0, 0, 1, 1428, 1428, 1, 18, 29, false), + JP_PATTERN(1, 2, 3, 3846, 3846, 1, 18, 29, false), + JP_PATTERN(2, 0, 1, 1388, 1388, 1, 18, 50, false), +- JP_PATTERN(3, 1, 2, 4000, 4000, 1, 18, 50, false), ++ JP_PATTERN(3, 0, 4, 4000, 4000, 1, 18, 50, false), + JP_PATTERN(4, 0, 5, 150, 230, 1, 23, 50, false), + JP_PATTERN(5, 6, 10, 200, 500, 1, 16, 50, false), + JP_PATTERN(6, 11, 20, 200, 500, 1, 12, 50, false), +-- +2.20.1 + diff --git a/queue-4.14/ath10k-add-missing-error-handling.patch b/queue-4.14/ath10k-add-missing-error-handling.patch new file mode 100644 index 00000000000..027b061fcf8 --- /dev/null +++ b/queue-4.14/ath10k-add-missing-error-handling.patch @@ -0,0 +1,46 @@ +From aab4ba4db835c24c00755126110d9254b942f2bc Mon Sep 17 00:00:00 2001 +From: Claire Chang +Date: Thu, 23 May 2019 15:15:34 +0800 +Subject: ath10k: add missing error handling + +[ Upstream commit 4b553f3ca4cbde67399aa3a756c37eb92145b8a1 ] + +In function ath10k_sdio_mbox_rx_alloc() [sdio.c], +ath10k_sdio_mbox_alloc_rx_pkt() is called without handling the error cases. +This will make the driver think the allocation for skb is successful and +try to access the skb. If we enable failslab, system will easily crash with +NULL pointer dereferencing. + +Call trace of CONFIG_FAILSLAB: +ath10k_sdio_irq_handler+0x570/0xa88 [ath10k_sdio] +process_sdio_pending_irqs+0x4c/0x174 +sdio_run_irqs+0x3c/0x64 +sdio_irq_work+0x1c/0x28 + +Fixes: d96db25d2025 ("ath10k: add initial SDIO support") +Signed-off-by: Claire Chang +Reviewed-by: Brian Norris +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/sdio.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c +index da9dbf3ddaa5..c6440d28ab48 100644 +--- a/drivers/net/wireless/ath/ath10k/sdio.c ++++ b/drivers/net/wireless/ath/ath10k/sdio.c +@@ -610,6 +610,10 @@ static int ath10k_sdio_mbox_rx_alloc(struct ath10k *ar, + full_len, + last_in_bundle, + last_in_bundle); ++ if (ret) { ++ ath10k_warn(ar, "alloc_rx_pkt error %d\n", ret); ++ goto err; ++ } + } + + ar_sdio->n_rx_pkts = i; +-- +2.20.1 + diff --git a/queue-4.14/ath10k-destroy-sdio-workqueue-while-remove-sdio-modu.patch b/queue-4.14/ath10k-destroy-sdio-workqueue-while-remove-sdio-modu.patch new file mode 100644 index 00000000000..f8ff32e839c --- /dev/null +++ b/queue-4.14/ath10k-destroy-sdio-workqueue-while-remove-sdio-modu.patch @@ -0,0 +1,38 @@ +From f87d5c9c25b20ade9b21f73f2fdcb86a83a015ae Mon Sep 17 00:00:00 2001 +From: Wen Gong +Date: Thu, 27 Jun 2019 21:21:51 +0300 +Subject: ath10k: destroy sdio workqueue while remove sdio module + +[ Upstream commit 3ed39f8e747a7aafeec07bb244f2c3a1bdca5730 ] + +The workqueue need to flush and destory while remove sdio module, +otherwise it will have thread which is not destory after remove +sdio modules. + +Tested with QCA6174 SDIO with firmware +WLAN.RMH.4.4.1-00007-QCARMSWP-1. + +Signed-off-by: Wen Gong +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/sdio.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c +index c6440d28ab48..0a1248ebccf5 100644 +--- a/drivers/net/wireless/ath/ath10k/sdio.c ++++ b/drivers/net/wireless/ath/ath10k/sdio.c +@@ -2076,6 +2076,9 @@ static void ath10k_sdio_remove(struct sdio_func *func) + cancel_work_sync(&ar_sdio->wr_async_work); + ath10k_core_unregister(ar); + ath10k_core_destroy(ar); ++ ++ flush_workqueue(ar_sdio->workqueue); ++ destroy_workqueue(ar_sdio->workqueue); + } + + static const struct sdio_device_id ath10k_sdio_devices[] = { +-- +2.20.1 + diff --git a/queue-4.14/ath10k-do-not-send-probe-response-template-for-mesh.patch b/queue-4.14/ath10k-do-not-send-probe-response-template-for-mesh.patch new file mode 100644 index 00000000000..364cbd6ce56 --- /dev/null +++ b/queue-4.14/ath10k-do-not-send-probe-response-template-for-mesh.patch @@ -0,0 +1,43 @@ +From d413e4c03d7348ba79552bbfebc95773a291e37e Mon Sep 17 00:00:00 2001 +From: Surabhi Vishnoi +Date: Wed, 17 Apr 2019 14:01:46 +0530 +Subject: ath10k: Do not send probe response template for mesh + +[ Upstream commit 97354f2c432788e3163134df6bb144f4b6289d87 ] + +Currently mac80211 do not support probe response template for +mesh point. When WMI_SERVICE_BEACON_OFFLOAD is enabled, host +driver tries to configure probe response template for mesh, but +it fails because the interface type is not NL80211_IFTYPE_AP but +NL80211_IFTYPE_MESH_POINT. + +To avoid this failure, skip sending probe response template to +firmware for mesh point. + +Tested HW: WCN3990/QCA6174/QCA9984 + +Signed-off-by: Surabhi Vishnoi +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/mac.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c +index cdcfb175ad9b..58a3c42c4aed 100644 +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -1611,6 +1611,10 @@ static int ath10k_mac_setup_prb_tmpl(struct ath10k_vif *arvif) + if (arvif->vdev_type != WMI_VDEV_TYPE_AP) + return 0; + ++ /* For mesh, probe response and beacon share the same template */ ++ if (ieee80211_vif_is_mesh(vif)) ++ return 0; ++ + prb = ieee80211_proberesp_get(hw, vif); + if (!prb) { + ath10k_warn(ar, "failed to get probe resp template from mac80211\n"); +-- +2.20.1 + diff --git a/queue-4.14/ath10k-fix-pcie-device-wake-up-failed.patch b/queue-4.14/ath10k-fix-pcie-device-wake-up-failed.patch new file mode 100644 index 00000000000..eb9a1517371 --- /dev/null +++ b/queue-4.14/ath10k-fix-pcie-device-wake-up-failed.patch @@ -0,0 +1,49 @@ +From 628f0e2e139e783be8ba63f406308b74fddc2736 Mon Sep 17 00:00:00 2001 +From: Miaoqing Pan +Date: Thu, 30 May 2019 09:49:20 +0800 +Subject: ath10k: fix PCIE device wake up failed + +[ Upstream commit 011d4111c8c602ea829fa4917af1818eb0500a90 ] + +Observed PCIE device wake up failed after ~120 iterations of +soft-reboot test. The error message is +"ath10k_pci 0000:01:00.0: failed to wake up device : -110" + +The call trace as below: +ath10k_pci_probe -> ath10k_pci_force_wake -> ath10k_pci_wake_wait -> +ath10k_pci_is_awake + +Once trigger the device to wake up, we will continuously check the RTC +state until it returns RTC_STATE_V_ON or timeout. + +But for QCA99x0 chips, we use wrong value for RTC_STATE_V_ON. +Occasionally, we get 0x7 on the fist read, we thought as a failure +case, but actually is the right value, also verified with the spec. +So fix the issue by changing RTC_STATE_V_ON from 0x5 to 0x7, passed +~2000 iterations. + +Tested HW: QCA9984 + +Signed-off-by: Miaoqing Pan +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/hw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath10k/hw.c b/drivers/net/wireless/ath/ath10k/hw.c +index a860691d635d..e96534cd3d8b 100644 +--- a/drivers/net/wireless/ath/ath10k/hw.c ++++ b/drivers/net/wireless/ath/ath10k/hw.c +@@ -168,7 +168,7 @@ const struct ath10k_hw_values qca6174_values = { + }; + + const struct ath10k_hw_values qca99x0_values = { +- .rtc_state_val_on = 5, ++ .rtc_state_val_on = 7, + .ce_count = 12, + .msi_assign_ce_max = 12, + .num_target_ce_config_wlan = 10, +-- +2.20.1 + diff --git a/queue-4.14/ath6kl-add-some-bounds-checking.patch b/queue-4.14/ath6kl-add-some-bounds-checking.patch new file mode 100644 index 00000000000..b217f06ec19 --- /dev/null +++ b/queue-4.14/ath6kl-add-some-bounds-checking.patch @@ -0,0 +1,62 @@ +From aa68ef25c82af223fb0f2335888c167ce6d6e1d1 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 4 Apr 2019 11:56:51 +0300 +Subject: ath6kl: add some bounds checking + +[ Upstream commit 5d6751eaff672ea77642e74e92e6c0ac7f9709ab ] + +The "ev->traffic_class" and "reply->ac" variables come from the network +and they're used as an offset into the wmi->stream_exist_for_ac[] array. +Those variables are u8 so they can be 0-255 but the stream_exist_for_ac[] +array only has WMM_NUM_AC (4) elements. We need to add a couple bounds +checks to prevent array overflows. + +I also modified one existing check from "if (traffic_class > 3) {" to +"if (traffic_class >= WMM_NUM_AC) {" just to make them all consistent. + +Fixes: bdcd81707973 (" Add ath6kl cleaned up driver") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath6kl/wmi.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c +index bfc20b45b806..d79c2bccf582 100644 +--- a/drivers/net/wireless/ath/ath6kl/wmi.c ++++ b/drivers/net/wireless/ath/ath6kl/wmi.c +@@ -1178,6 +1178,10 @@ static int ath6kl_wmi_pstream_timeout_event_rx(struct wmi *wmi, u8 *datap, + return -EINVAL; + + ev = (struct wmi_pstream_timeout_event *) datap; ++ if (ev->traffic_class >= WMM_NUM_AC) { ++ ath6kl_err("invalid traffic class: %d\n", ev->traffic_class); ++ return -EINVAL; ++ } + + /* + * When the pstream (fat pipe == AC) timesout, it means there were +@@ -1519,6 +1523,10 @@ static int ath6kl_wmi_cac_event_rx(struct wmi *wmi, u8 *datap, int len, + return -EINVAL; + + reply = (struct wmi_cac_event *) datap; ++ if (reply->ac >= WMM_NUM_AC) { ++ ath6kl_err("invalid AC: %d\n", reply->ac); ++ return -EINVAL; ++ } + + if ((reply->cac_indication == CAC_INDICATION_ADMISSION_RESP) && + (reply->status_code != IEEE80211_TSPEC_STATUS_ADMISS_ACCEPTED)) { +@@ -2635,7 +2643,7 @@ int ath6kl_wmi_delete_pstream_cmd(struct wmi *wmi, u8 if_idx, u8 traffic_class, + u16 active_tsids = 0; + int ret; + +- if (traffic_class > 3) { ++ if (traffic_class >= WMM_NUM_AC) { + ath6kl_err("invalid traffic class: %d\n", traffic_class); + return -EINVAL; + } +-- +2.20.1 + diff --git a/queue-4.14/ath9k-check-for-errors-when-reading-srev-register.patch b/queue-4.14/ath9k-check-for-errors-when-reading-srev-register.patch new file mode 100644 index 00000000000..333260ea84b --- /dev/null +++ b/queue-4.14/ath9k-check-for-errors-when-reading-srev-register.patch @@ -0,0 +1,121 @@ +From dc34fd0a1a380239096ec9694c3edf15b51567b2 Mon Sep 17 00:00:00 2001 +From: Tim Schumacher +Date: Mon, 18 Mar 2019 20:05:57 +0100 +Subject: ath9k: Check for errors when reading SREV register + +[ Upstream commit 2f90c7e5d09437a4d8d5546feaae9f1cf48cfbe1 ] + +Right now, if an error is encountered during the SREV register +read (i.e. an EIO in ath9k_regread()), that error code gets +passed all the way to __ath9k_hw_init(), where it is visible +during the "Chip rev not supported" message. + + ath9k_htc 1-1.4:1.0: ath9k_htc: HTC initialized with 33 credits + ath: phy2: Mac Chip Rev 0x0f.3 is not supported by this driver + ath: phy2: Unable to initialize hardware; initialization status: -95 + ath: phy2: Unable to initialize hardware; initialization status: -95 + ath9k_htc: Failed to initialize the device + +Check for -EIO explicitly in ath9k_hw_read_revisions() and return +a boolean based on the success of the operation. Check for that in +__ath9k_hw_init() and abort with a more debugging-friendly message +if reading the revisions wasn't successful. + + ath9k_htc 1-1.4:1.0: ath9k_htc: HTC initialized with 33 credits + ath: phy2: Failed to read SREV register + ath: phy2: Could not read hardware revision + ath: phy2: Unable to initialize hardware; initialization status: -95 + ath: phy2: Unable to initialize hardware; initialization status: -95 + ath9k_htc: Failed to initialize the device + +This helps when debugging by directly showing the first point of +failure and it could prevent possible errors if a 0x0f.3 revision +is ever supported. + +Signed-off-by: Tim Schumacher +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hw.c | 32 +++++++++++++++++++++-------- + 1 file changed, 23 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c +index a7f506eb7b36..406b52f114f0 100644 +--- a/drivers/net/wireless/ath/ath9k/hw.c ++++ b/drivers/net/wireless/ath/ath9k/hw.c +@@ -250,8 +250,9 @@ void ath9k_hw_get_channel_centers(struct ath_hw *ah, + /* Chip Revisions */ + /******************/ + +-static void ath9k_hw_read_revisions(struct ath_hw *ah) ++static bool ath9k_hw_read_revisions(struct ath_hw *ah) + { ++ u32 srev; + u32 val; + + if (ah->get_mac_revision) +@@ -267,25 +268,33 @@ static void ath9k_hw_read_revisions(struct ath_hw *ah) + val = REG_READ(ah, AR_SREV); + ah->hw_version.macRev = MS(val, AR_SREV_REVISION2); + } +- return; ++ return true; + case AR9300_DEVID_AR9340: + ah->hw_version.macVersion = AR_SREV_VERSION_9340; +- return; ++ return true; + case AR9300_DEVID_QCA955X: + ah->hw_version.macVersion = AR_SREV_VERSION_9550; +- return; ++ return true; + case AR9300_DEVID_AR953X: + ah->hw_version.macVersion = AR_SREV_VERSION_9531; +- return; ++ return true; + case AR9300_DEVID_QCA956X: + ah->hw_version.macVersion = AR_SREV_VERSION_9561; +- return; ++ return true; + } + +- val = REG_READ(ah, AR_SREV) & AR_SREV_ID; ++ srev = REG_READ(ah, AR_SREV); ++ ++ if (srev == -EIO) { ++ ath_err(ath9k_hw_common(ah), ++ "Failed to read SREV register"); ++ return false; ++ } ++ ++ val = srev & AR_SREV_ID; + + if (val == 0xFF) { +- val = REG_READ(ah, AR_SREV); ++ val = srev; + ah->hw_version.macVersion = + (val & AR_SREV_VERSION2) >> AR_SREV_TYPE2_S; + ah->hw_version.macRev = MS(val, AR_SREV_REVISION2); +@@ -304,6 +313,8 @@ static void ath9k_hw_read_revisions(struct ath_hw *ah) + if (ah->hw_version.macVersion == AR_SREV_VERSION_5416_PCIE) + ah->is_pciexpress = true; + } ++ ++ return true; + } + + /************************************/ +@@ -557,7 +568,10 @@ static int __ath9k_hw_init(struct ath_hw *ah) + struct ath_common *common = ath9k_hw_common(ah); + int r = 0; + +- ath9k_hw_read_revisions(ah); ++ if (!ath9k_hw_read_revisions(ah)) { ++ ath_err(common, "Could not read hardware revisions"); ++ return -EOPNOTSUPP; ++ } + + switch (ah->hw_version.macVersion) { + case AR_SREV_VERSION_5416_PCI: +-- +2.20.1 + diff --git a/queue-4.14/batman-adv-fix-for-leaked-tvlv-handler.patch b/queue-4.14/batman-adv-fix-for-leaked-tvlv-handler.patch new file mode 100644 index 00000000000..092eba129f0 --- /dev/null +++ b/queue-4.14/batman-adv-fix-for-leaked-tvlv-handler.patch @@ -0,0 +1,37 @@ +From 3f74fbd357edcdf69cc10cbfed3e437d07278eac Mon Sep 17 00:00:00 2001 +From: Jeremy Sowden +Date: Tue, 21 May 2019 20:58:57 +0100 +Subject: batman-adv: fix for leaked TVLV handler. + +[ Upstream commit 17f78dd1bd624a4dd78ed5db3284a63ee807fcc3 ] + +A handler for BATADV_TVLV_ROAM was being registered when the +translation-table was initialized, but not unregistered when the +translation-table was freed. Unregister it. + +Fixes: 122edaa05940 ("batman-adv: tvlv - convert roaming adv packet to use tvlv unicast packets") +Reported-by: syzbot+d454a826e670502484b8@syzkaller.appspotmail.com +Signed-off-by: Jeremy Sowden +Signed-off-by: Sven Eckelmann +Signed-off-by: Sasha Levin +--- + net/batman-adv/translation-table.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c +index 020a8adc4cce..2c2670b85fa9 100644 +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -3750,6 +3750,8 @@ static void batadv_tt_purge(struct work_struct *work) + + void batadv_tt_free(struct batadv_priv *bat_priv) + { ++ batadv_tvlv_handler_unregister(bat_priv, BATADV_TVLV_ROAM, 1); ++ + batadv_tvlv_container_unregister(bat_priv, BATADV_TVLV_TT, 1); + batadv_tvlv_handler_unregister(bat_priv, BATADV_TVLV_TT, 1); + +-- +2.20.1 + diff --git a/queue-4.14/bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch b/queue-4.14/bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch new file mode 100644 index 00000000000..ea2be5de805 --- /dev/null +++ b/queue-4.14/bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch @@ -0,0 +1,128 @@ +From 7bc787f9db50d719250a0dd750f2aea84365a96d Mon Sep 17 00:00:00 2001 +From: Coly Li +Date: Fri, 28 Jun 2019 19:59:25 +0800 +Subject: bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush() + +[ Upstream commit b387e9b58679c60f5b1e4313939bd4878204fc37 ] + +When system memory is in heavy pressure, bch_gc_thread_start() from +run_cache_set() may fail due to out of memory. In such condition, +c->gc_thread is assigned to -ENOMEM, not NULL pointer. Then in following +failure code path bch_cache_set_error(), when cache_set_flush() gets +called, the code piece to stop c->gc_thread is broken, + if (!IS_ERR_OR_NULL(c->gc_thread)) + kthread_stop(c->gc_thread); + +And KASAN catches such NULL pointer deference problem, with the warning +information: + +[ 561.207881] ================================================================== +[ 561.207900] BUG: KASAN: null-ptr-deref in kthread_stop+0x3b/0x440 +[ 561.207904] Write of size 4 at addr 000000000000001c by task kworker/15:1/313 + +[ 561.207913] CPU: 15 PID: 313 Comm: kworker/15:1 Tainted: G W 5.0.0-vanilla+ #3 +[ 561.207916] Hardware name: Lenovo ThinkSystem SR650 -[7X05CTO1WW]-/-[7X05CTO1WW]-, BIOS -[IVE136T-2.10]- 03/22/2019 +[ 561.207935] Workqueue: events cache_set_flush [bcache] +[ 561.207940] Call Trace: +[ 561.207948] dump_stack+0x9a/0xeb +[ 561.207955] ? kthread_stop+0x3b/0x440 +[ 561.207960] ? kthread_stop+0x3b/0x440 +[ 561.207965] kasan_report+0x176/0x192 +[ 561.207973] ? kthread_stop+0x3b/0x440 +[ 561.207981] kthread_stop+0x3b/0x440 +[ 561.207995] cache_set_flush+0xd4/0x6d0 [bcache] +[ 561.208008] process_one_work+0x856/0x1620 +[ 561.208015] ? find_held_lock+0x39/0x1d0 +[ 561.208028] ? drain_workqueue+0x380/0x380 +[ 561.208048] worker_thread+0x87/0xb80 +[ 561.208058] ? __kthread_parkme+0xb6/0x180 +[ 561.208067] ? process_one_work+0x1620/0x1620 +[ 561.208072] kthread+0x326/0x3e0 +[ 561.208079] ? kthread_create_worker_on_cpu+0xc0/0xc0 +[ 561.208090] ret_from_fork+0x3a/0x50 +[ 561.208110] ================================================================== +[ 561.208113] Disabling lock debugging due to kernel taint +[ 561.208115] irq event stamp: 11800231 +[ 561.208126] hardirqs last enabled at (11800231): [] do_syscall_64+0x18/0x410 +[ 561.208127] BUG: unable to handle kernel NULL pointer dereference at 000000000000001c +[ 561.208129] #PF error: [WRITE] +[ 561.312253] hardirqs last disabled at (11800230): [] trace_hardirqs_off_thunk+0x1a/0x1c +[ 561.312259] softirqs last enabled at (11799832): [] __do_softirq+0x5c7/0x8c3 +[ 561.405975] PGD 0 P4D 0 +[ 561.442494] softirqs last disabled at (11799821): [] irq_exit+0x1ac/0x1e0 +[ 561.791359] Oops: 0002 [#1] SMP KASAN NOPTI +[ 561.791362] CPU: 15 PID: 313 Comm: kworker/15:1 Tainted: G B W 5.0.0-vanilla+ #3 +[ 561.791363] Hardware name: Lenovo ThinkSystem SR650 -[7X05CTO1WW]-/-[7X05CTO1WW]-, BIOS -[IVE136T-2.10]- 03/22/2019 +[ 561.791371] Workqueue: events cache_set_flush [bcache] +[ 561.791374] RIP: 0010:kthread_stop+0x3b/0x440 +[ 561.791376] Code: 00 00 65 8b 05 26 d5 e0 7c 89 c0 48 0f a3 05 ec aa df 02 0f 82 dc 02 00 00 4c 8d 63 20 be 04 00 00 00 4c 89 e7 e8 65 c5 53 00 ff 43 20 48 8d 7b 24 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 +[ 561.791377] RSP: 0018:ffff88872fc8fd10 EFLAGS: 00010286 +[ 561.838895] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree. +[ 561.838916] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree. +[ 561.838934] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree. +[ 561.838948] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree. +[ 561.838966] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree. +[ 561.838979] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree. +[ 561.838996] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree. +[ 563.067028] RAX: 0000000000000000 RBX: fffffffffffffffc RCX: ffffffff832dd314 +[ 563.067030] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000297 +[ 563.067032] RBP: ffff88872fc8fe88 R08: fffffbfff0b8213d R09: fffffbfff0b8213d +[ 563.067034] R10: 0000000000000001 R11: fffffbfff0b8213c R12: 000000000000001c +[ 563.408618] R13: ffff88dc61cc0f68 R14: ffff888102b94900 R15: ffff88dc61cc0f68 +[ 563.408620] FS: 0000000000000000(0000) GS:ffff888f7dc00000(0000) knlGS:0000000000000000 +[ 563.408622] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 563.408623] CR2: 000000000000001c CR3: 0000000f48a1a004 CR4: 00000000007606e0 +[ 563.408625] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 563.408627] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 563.904795] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree. +[ 563.915796] PKRU: 55555554 +[ 563.915797] Call Trace: +[ 563.915807] cache_set_flush+0xd4/0x6d0 [bcache] +[ 563.915812] process_one_work+0x856/0x1620 +[ 564.001226] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree. +[ 564.033563] ? find_held_lock+0x39/0x1d0 +[ 564.033567] ? drain_workqueue+0x380/0x380 +[ 564.033574] worker_thread+0x87/0xb80 +[ 564.062823] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree. +[ 564.118042] ? __kthread_parkme+0xb6/0x180 +[ 564.118046] ? process_one_work+0x1620/0x1620 +[ 564.118048] kthread+0x326/0x3e0 +[ 564.118050] ? kthread_create_worker_on_cpu+0xc0/0xc0 +[ 564.167066] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree. +[ 564.252441] ret_from_fork+0x3a/0x50 +[ 564.252447] Modules linked in: msr rpcrdma sunrpc rdma_ucm ib_iser ib_umad rdma_cm ib_ipoib i40iw configfs iw_cm ib_cm libiscsi scsi_transport_iscsi mlx4_ib ib_uverbs mlx4_en ib_core nls_iso8859_1 nls_cp437 vfat fat intel_rapl skx_edac x86_pkg_temp_thermal coretemp iTCO_wdt iTCO_vendor_support crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel ses raid0 aesni_intel cdc_ether enclosure usbnet ipmi_ssif joydev aes_x86_64 i40e scsi_transport_sas mii bcache md_mod crypto_simd mei_me ioatdma crc64 ptp cryptd pcspkr i2c_i801 mlx4_core glue_helper pps_core mei lpc_ich dca wmi ipmi_si ipmi_devintf nd_pmem dax_pmem nd_btt ipmi_msghandler device_dax pcc_cpufreq button hid_generic usbhid mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect xhci_pci sysimgblt fb_sys_fops xhci_hcd ttm megaraid_sas drm usbcore nfit libnvdimm sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua efivarfs +[ 564.299390] bcache: bch_count_io_errors() nvme0n1: IO error on writing btree. +[ 564.348360] CR2: 000000000000001c +[ 564.348362] ---[ end trace b7f0e5cc7b2103b0 ]--- + +Therefore, it is not enough to only check whether c->gc_thread is NULL, +we should use IS_ERR_OR_NULL() to check both NULL pointer and error +value. + +This patch changes the above buggy code piece in this way, + if (!IS_ERR_OR_NULL(c->gc_thread)) + kthread_stop(c->gc_thread); + +Signed-off-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 85a5afe01d39..1a270e2262f5 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1402,7 +1402,7 @@ static void cache_set_flush(struct closure *cl) + kobject_put(&c->internal); + kobject_del(&c->kobj); + +- if (c->gc_thread) ++ if (!IS_ERR_OR_NULL(c->gc_thread)) + kthread_stop(c->gc_thread); + + if (!IS_ERR_OR_NULL(c->root)) +-- +2.20.1 + diff --git a/queue-4.14/blkcg-writeback-dead-memcgs-shouldn-t-contribute-to-.patch b/queue-4.14/blkcg-writeback-dead-memcgs-shouldn-t-contribute-to-.patch new file mode 100644 index 00000000000..9b7b59aa0fd --- /dev/null +++ b/queue-4.14/blkcg-writeback-dead-memcgs-shouldn-t-contribute-to-.patch @@ -0,0 +1,55 @@ +From c4193b5e5dbc6071f5cab0ae0a151ab43c8cbfea Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Thu, 13 Jun 2019 15:30:41 -0700 +Subject: blkcg, writeback: dead memcgs shouldn't contribute to writeback + ownership arbitration + +[ Upstream commit 6631142229005e1b1c311a09efe9fb3cfdac8559 ] + +wbc_account_io() collects information on cgroup ownership of writeback +pages to determine which cgroup should own the inode. Pages can stay +associated with dead memcgs but we want to avoid attributing IOs to +dead blkcgs as much as possible as the association is likely to be +stale. However, currently, pages associated with dead memcgs +contribute to the accounting delaying and/or confusing the +arbitration. + +Fix it by ignoring pages associated with dead memcgs. + +Signed-off-by: Tejun Heo +Cc: Jan Kara +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/fs-writeback.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c +index 4d561ee08d05..9e8fde348d61 100644 +--- a/fs/fs-writeback.c ++++ b/fs/fs-writeback.c +@@ -721,6 +721,7 @@ void wbc_detach_inode(struct writeback_control *wbc) + void wbc_account_io(struct writeback_control *wbc, struct page *page, + size_t bytes) + { ++ struct cgroup_subsys_state *css; + int id; + + /* +@@ -732,7 +733,12 @@ void wbc_account_io(struct writeback_control *wbc, struct page *page, + if (!wbc->wb) + return; + +- id = mem_cgroup_css_from_page(page)->id; ++ css = mem_cgroup_css_from_page(page); ++ /* dead cgroups shouldn't contribute to inode ownership arbitration */ ++ if (!(css->flags & CSS_ONLINE)) ++ return; ++ ++ id = css->id; + + if (id == wbc->wb_id) { + wbc->wb_bytes += bytes; +-- +2.20.1 + diff --git a/queue-4.14/bluetooth-6lowpan-search-for-destination-address-in-.patch b/queue-4.14/bluetooth-6lowpan-search-for-destination-address-in-.patch new file mode 100644 index 00000000000..6df0bd9da46 --- /dev/null +++ b/queue-4.14/bluetooth-6lowpan-search-for-destination-address-in-.patch @@ -0,0 +1,57 @@ +From 839dd3e0e72204d9bade0a25a8f84647e0c19710 Mon Sep 17 00:00:00 2001 +From: Josua Mayer +Date: Sat, 6 Jul 2019 17:54:46 +0200 +Subject: Bluetooth: 6lowpan: search for destination address in all peers + +[ Upstream commit b188b03270b7f8568fc714101ce82fbf5e811c5a ] + +Handle overlooked case where the target address is assigned to a peer +and neither route nor gateway exist. + +For one peer, no checks are performed to see if it is meant to receive +packets for a given address. + +As soon as there is a second peer however, checks are performed +to deal with routes and gateways for handling complex setups with +multiple hops to a target address. +This logic assumed that no route and no gateway imply that the +destination address can not be reached, which is false in case of a +direct peer. + +Acked-by: Jukka Rissanen +Tested-by: Michael Scott +Signed-off-by: Josua Mayer +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/6lowpan.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c +index 4e2576fc0c59..357475cceec6 100644 +--- a/net/bluetooth/6lowpan.c ++++ b/net/bluetooth/6lowpan.c +@@ -187,10 +187,16 @@ static inline struct lowpan_peer *peer_lookup_dst(struct lowpan_btle_dev *dev, + } + + if (!rt) { +- nexthop = &lowpan_cb(skb)->gw; +- +- if (ipv6_addr_any(nexthop)) +- return NULL; ++ if (ipv6_addr_any(&lowpan_cb(skb)->gw)) { ++ /* There is neither route nor gateway, ++ * probably the destination is a direct peer. ++ */ ++ nexthop = daddr; ++ } else { ++ /* There is a known gateway ++ */ ++ nexthop = &lowpan_cb(skb)->gw; ++ } + } else { + nexthop = rt6_nexthop(rt, daddr); + +-- +2.20.1 + diff --git a/queue-4.14/bluetooth-check-state-in-l2cap_disconnect_rsp.patch b/queue-4.14/bluetooth-check-state-in-l2cap_disconnect_rsp.patch new file mode 100644 index 00000000000..6deef6cf309 --- /dev/null +++ b/queue-4.14/bluetooth-check-state-in-l2cap_disconnect_rsp.patch @@ -0,0 +1,220 @@ +From d50bdefdccab1495e9dfde298346bcd0712bfe54 Mon Sep 17 00:00:00 2001 +From: Matias Karhumaa +Date: Tue, 21 May 2019 13:07:22 +0300 +Subject: Bluetooth: Check state in l2cap_disconnect_rsp + +[ Upstream commit 28261da8a26f4915aa257d12d506c6ba179d961f ] + +Because of both sides doing L2CAP disconnection at the same time, it +was possible to receive L2CAP Disconnection Response with CID that was +already freed. That caused problems if CID was already reused and L2CAP +Connection Request with same CID was sent out. Before this patch kernel +deleted channel context regardless of the state of the channel. + +Example where leftover Disconnection Response (frame #402) causes local +device to delete L2CAP channel which was not yet connected. This in +turn confuses remote device's stack because same CID is re-used without +properly disconnecting. + +Btmon capture before patch: +** snip ** +> ACL Data RX: Handle 43 flags 0x02 dlen 8 #394 [hci1] 10.748949 + Channel: 65 len 4 [PSM 3 mode 0] {chan 2} + RFCOMM: Disconnect (DISC) (0x43) + Address: 0x03 cr 1 dlci 0x00 + Control: 0x53 poll/final 1 + Length: 0 + FCS: 0xfd +< ACL Data TX: Handle 43 flags 0x00 dlen 8 #395 [hci1] 10.749062 + Channel: 65 len 4 [PSM 3 mode 0] {chan 2} + RFCOMM: Unnumbered Ack (UA) (0x63) + Address: 0x03 cr 1 dlci 0x00 + Control: 0x73 poll/final 1 + Length: 0 + FCS: 0xd7 +< ACL Data TX: Handle 43 flags 0x00 dlen 12 #396 [hci1] 10.749073 + L2CAP: Disconnection Request (0x06) ident 17 len 4 + Destination CID: 65 + Source CID: 65 +> HCI Event: Number of Completed Packets (0x13) plen 5 #397 [hci1] 10.752391 + Num handles: 1 + Handle: 43 + Count: 1 +> HCI Event: Number of Completed Packets (0x13) plen 5 #398 [hci1] 10.753394 + Num handles: 1 + Handle: 43 + Count: 1 +> ACL Data RX: Handle 43 flags 0x02 dlen 12 #399 [hci1] 10.756499 + L2CAP: Disconnection Request (0x06) ident 26 len 4 + Destination CID: 65 + Source CID: 65 +< ACL Data TX: Handle 43 flags 0x00 dlen 12 #400 [hci1] 10.756548 + L2CAP: Disconnection Response (0x07) ident 26 len 4 + Destination CID: 65 + Source CID: 65 +< ACL Data TX: Handle 43 flags 0x00 dlen 12 #401 [hci1] 10.757459 + L2CAP: Connection Request (0x02) ident 18 len 4 + PSM: 1 (0x0001) + Source CID: 65 +> ACL Data RX: Handle 43 flags 0x02 dlen 12 #402 [hci1] 10.759148 + L2CAP: Disconnection Response (0x07) ident 17 len 4 + Destination CID: 65 + Source CID: 65 += bluetoothd: 00:1E:AB:4C:56:54: error updating services: Input/o.. 10.759447 +> HCI Event: Number of Completed Packets (0x13) plen 5 #403 [hci1] 10.759386 + Num handles: 1 + Handle: 43 + Count: 1 +> ACL Data RX: Handle 43 flags 0x02 dlen 12 #404 [hci1] 10.760397 + L2CAP: Connection Request (0x02) ident 27 len 4 + PSM: 3 (0x0003) + Source CID: 65 +< ACL Data TX: Handle 43 flags 0x00 dlen 16 #405 [hci1] 10.760441 + L2CAP: Connection Response (0x03) ident 27 len 8 + Destination CID: 65 + Source CID: 65 + Result: Connection successful (0x0000) + Status: No further information available (0x0000) +< ACL Data TX: Handle 43 flags 0x00 dlen 27 #406 [hci1] 10.760449 + L2CAP: Configure Request (0x04) ident 19 len 19 + Destination CID: 65 + Flags: 0x0000 + Option: Maximum Transmission Unit (0x01) [mandatory] + MTU: 1013 + Option: Retransmission and Flow Control (0x04) [mandatory] + Mode: Basic (0x00) + TX window size: 0 + Max transmit: 0 + Retransmission timeout: 0 + Monitor timeout: 0 + Maximum PDU size: 0 +> HCI Event: Number of Completed Packets (0x13) plen 5 #407 [hci1] 10.761399 + Num handles: 1 + Handle: 43 + Count: 1 +> ACL Data RX: Handle 43 flags 0x02 dlen 16 #408 [hci1] 10.762942 + L2CAP: Connection Response (0x03) ident 18 len 8 + Destination CID: 66 + Source CID: 65 + Result: Connection successful (0x0000) + Status: No further information available (0x0000) +*snip* + +Similar case after the patch: +*snip* +> ACL Data RX: Handle 43 flags 0x02 dlen 8 #22702 [hci0] 1664.411056 + Channel: 65 len 4 [PSM 3 mode 0] {chan 3} + RFCOMM: Disconnect (DISC) (0x43) + Address: 0x03 cr 1 dlci 0x00 + Control: 0x53 poll/final 1 + Length: 0 + FCS: 0xfd +< ACL Data TX: Handle 43 flags 0x00 dlen 8 #22703 [hci0] 1664.411136 + Channel: 65 len 4 [PSM 3 mode 0] {chan 3} + RFCOMM: Unnumbered Ack (UA) (0x63) + Address: 0x03 cr 1 dlci 0x00 + Control: 0x73 poll/final 1 + Length: 0 + FCS: 0xd7 +< ACL Data TX: Handle 43 flags 0x00 dlen 12 #22704 [hci0] 1664.411143 + L2CAP: Disconnection Request (0x06) ident 11 len 4 + Destination CID: 65 + Source CID: 65 +> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22705 [hci0] 1664.414009 + Num handles: 1 + Handle: 43 + Count: 1 +> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22706 [hci0] 1664.415007 + Num handles: 1 + Handle: 43 + Count: 1 +> ACL Data RX: Handle 43 flags 0x02 dlen 12 #22707 [hci0] 1664.418674 + L2CAP: Disconnection Request (0x06) ident 17 len 4 + Destination CID: 65 + Source CID: 65 +< ACL Data TX: Handle 43 flags 0x00 dlen 12 #22708 [hci0] 1664.418762 + L2CAP: Disconnection Response (0x07) ident 17 len 4 + Destination CID: 65 + Source CID: 65 +< ACL Data TX: Handle 43 flags 0x00 dlen 12 #22709 [hci0] 1664.421073 + L2CAP: Connection Request (0x02) ident 12 len 4 + PSM: 1 (0x0001) + Source CID: 65 +> ACL Data RX: Handle 43 flags 0x02 dlen 12 #22710 [hci0] 1664.421371 + L2CAP: Disconnection Response (0x07) ident 11 len 4 + Destination CID: 65 + Source CID: 65 +> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22711 [hci0] 1664.424082 + Num handles: 1 + Handle: 43 + Count: 1 +> HCI Event: Number of Completed Pac.. (0x13) plen 5 #22712 [hci0] 1664.425040 + Num handles: 1 + Handle: 43 + Count: 1 +> ACL Data RX: Handle 43 flags 0x02 dlen 12 #22713 [hci0] 1664.426103 + L2CAP: Connection Request (0x02) ident 18 len 4 + PSM: 3 (0x0003) + Source CID: 65 +< ACL Data TX: Handle 43 flags 0x00 dlen 16 #22714 [hci0] 1664.426186 + L2CAP: Connection Response (0x03) ident 18 len 8 + Destination CID: 66 + Source CID: 65 + Result: Connection successful (0x0000) + Status: No further information available (0x0000) +< ACL Data TX: Handle 43 flags 0x00 dlen 27 #22715 [hci0] 1664.426196 + L2CAP: Configure Request (0x04) ident 13 len 19 + Destination CID: 65 + Flags: 0x0000 + Option: Maximum Transmission Unit (0x01) [mandatory] + MTU: 1013 + Option: Retransmission and Flow Control (0x04) [mandatory] + Mode: Basic (0x00) + TX window size: 0 + Max transmit: 0 + Retransmission timeout: 0 + Monitor timeout: 0 + Maximum PDU size: 0 +> ACL Data RX: Handle 43 flags 0x02 dlen 16 #22716 [hci0] 1664.428804 + L2CAP: Connection Response (0x03) ident 12 len 8 + Destination CID: 66 + Source CID: 65 + Result: Connection successful (0x0000) + Status: No further information available (0x0000) +*snip* + +Fix is to check that channel is in state BT_DISCONN before deleting the +channel. + +This bug was found while fuzzing Bluez's OBEX implementation using +Synopsys Defensics. + +Reported-by: Matti Kamunen +Reported-by: Ari Timonen +Signed-off-by: Matias Karhumaa +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 0ee64f67300a..0c2219f483d7 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -4384,6 +4384,12 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, + + l2cap_chan_lock(chan); + ++ if (chan->state != BT_DISCONN) { ++ l2cap_chan_unlock(chan); ++ mutex_unlock(&conn->chan_lock); ++ return 0; ++ } ++ + l2cap_chan_hold(chan); + l2cap_chan_del(chan, 0); + +-- +2.20.1 + diff --git a/queue-4.14/bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch b/queue-4.14/bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch new file mode 100644 index 00000000000..22d45e55eb6 --- /dev/null +++ b/queue-4.14/bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch @@ -0,0 +1,39 @@ +From c77d7ed50676218ecbe48c264ee23776a8075219 Mon Sep 17 00:00:00 2001 +From: Tomas Bortoli +Date: Tue, 28 May 2019 15:42:58 +0200 +Subject: Bluetooth: hci_bcsp: Fix memory leak in rx_skb + +[ Upstream commit 4ce9146e0370fcd573f0372d9b4e5a211112567c ] + +Syzkaller found that it is possible to provoke a memory leak by +never freeing rx_skb in struct bcsp_struct. + +Fix by freeing in bcsp_close() + +Signed-off-by: Tomas Bortoli +Reported-by: syzbot+98162c885993b72f19c4@syzkaller.appspotmail.com +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_bcsp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c +index d880f4e33c75..57a7f4255ac0 100644 +--- a/drivers/bluetooth/hci_bcsp.c ++++ b/drivers/bluetooth/hci_bcsp.c +@@ -757,6 +757,11 @@ static int bcsp_close(struct hci_uart *hu) + skb_queue_purge(&bcsp->rel); + skb_queue_purge(&bcsp->unrel); + ++ if (bcsp->rx_skb) { ++ kfree_skb(bcsp->rx_skb); ++ bcsp->rx_skb = NULL; ++ } ++ + kfree(bcsp); + return 0; + } +-- +2.20.1 + diff --git a/queue-4.14/bluetooth-validate-ble-connection-interval-updates.patch b/queue-4.14/bluetooth-validate-ble-connection-interval-updates.patch new file mode 100644 index 00000000000..01328b0f50f --- /dev/null +++ b/queue-4.14/bluetooth-validate-ble-connection-interval-updates.patch @@ -0,0 +1,92 @@ +From 8d9d0df81c1a5dbb91a04da6e7a3202650c85db3 Mon Sep 17 00:00:00 2001 +From: csonsino +Date: Wed, 12 Jun 2019 15:00:52 -0600 +Subject: Bluetooth: validate BLE connection interval updates + +[ Upstream commit c49a8682fc5d298d44e8d911f4fa14690ea9485e ] + +Problem: The Linux Bluetooth stack yields complete control over the BLE +connection interval to the remote device. + +The Linux Bluetooth stack provides access to the BLE connection interval +min and max values through /sys/kernel/debug/bluetooth/hci0/ +conn_min_interval and /sys/kernel/debug/bluetooth/hci0/conn_max_interval. +These values are used for initial BLE connections, but the remote device +has the ability to request a connection parameter update. In the event +that the remote side requests to change the connection interval, the Linux +kernel currently only validates that the desired value is within the +acceptable range in the Bluetooth specification (6 - 3200, corresponding to +7.5ms - 4000ms). There is currently no validation that the desired value +requested by the remote device is within the min/max limits specified in +the conn_min_interval/conn_max_interval configurations. This essentially +leads to Linux yielding complete control over the connection interval to +the remote device. + +The proposed patch adds a verification step to the connection parameter +update mechanism, ensuring that the desired value is within the min/max +bounds of the current connection. If the desired value is outside of the +current connection min/max values, then the connection parameter update +request is rejected and the negative response is returned to the remote +device. Recall that the initial connection is established using the local +conn_min_interval/conn_max_interval values, so this allows the Linux +administrator to retain control over the BLE connection interval. + +The one downside that I see is that the current default Linux values for +conn_min_interval and conn_max_interval typically correspond to 30ms and +50ms respectively. If this change were accepted, then it is feasible that +some devices would no longer be able to negotiate to their desired +connection interval values. This might be remedied by setting the default +Linux conn_min_interval and conn_max_interval values to the widest +supported range (6 - 3200 / 7.5ms - 4000ms). This could lead to the same +behavior as the current implementation, where the remote device could +request to change the connection interval value to any value that is +permitted by the Bluetooth specification, and Linux would accept the +desired value. + +Signed-off-by: Carey Sonsino +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 5 +++++ + net/bluetooth/l2cap_core.c | 9 ++++++++- + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 363dc85bbc5c..3d2f64a6d623 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -5089,6 +5089,11 @@ static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, + return send_conn_param_neg_reply(hdev, handle, + HCI_ERROR_UNKNOWN_CONN_ID); + ++ if (min < hcon->le_conn_min_interval || ++ max > hcon->le_conn_max_interval) ++ return send_conn_param_neg_reply(hdev, handle, ++ HCI_ERROR_INVALID_LL_PARAMS); ++ + if (hci_check_conn_params(min, max, latency, timeout)) + return send_conn_param_neg_reply(hdev, handle, + HCI_ERROR_INVALID_LL_PARAMS); +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 0c2219f483d7..4dc1db85a9c2 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -5287,7 +5287,14 @@ static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn, + + memset(&rsp, 0, sizeof(rsp)); + +- err = hci_check_conn_params(min, max, latency, to_multiplier); ++ if (min < hcon->le_conn_min_interval || ++ max > hcon->le_conn_max_interval) { ++ BT_DBG("requested connection interval exceeds current bounds."); ++ err = -EINVAL; ++ } else { ++ err = hci_check_conn_params(min, max, latency, to_multiplier); ++ } ++ + if (err) + rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED); + else +-- +2.20.1 + diff --git a/queue-4.14/bpf-silence-warning-messages-in-core.patch b/queue-4.14/bpf-silence-warning-messages-in-core.patch new file mode 100644 index 00000000000..dff09f6651c --- /dev/null +++ b/queue-4.14/bpf-silence-warning-messages-in-core.patch @@ -0,0 +1,56 @@ +From 33236f0ec011af184c3aff14940fa9c33dd05191 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Valdis=20Kl=C4=93tnieks?= +Date: Thu, 6 Jun 2019 22:39:27 -0400 +Subject: bpf: silence warning messages in core + +[ Upstream commit aee450cbe482a8c2f6fa5b05b178ef8b8ff107ca ] + +Compiling kernel/bpf/core.c with W=1 causes a flood of warnings: + +kernel/bpf/core.c:1198:65: warning: initialized field overwritten [-Woverride-init] + 1198 | #define BPF_INSN_3_TBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = true + | ^~~~ +kernel/bpf/core.c:1087:2: note: in expansion of macro 'BPF_INSN_3_TBL' + 1087 | INSN_3(ALU, ADD, X), \ + | ^~~~~~ +kernel/bpf/core.c:1202:3: note: in expansion of macro 'BPF_INSN_MAP' + 1202 | BPF_INSN_MAP(BPF_INSN_2_TBL, BPF_INSN_3_TBL), + | ^~~~~~~~~~~~ +kernel/bpf/core.c:1198:65: note: (near initialization for 'public_insntable[12]') + 1198 | #define BPF_INSN_3_TBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = true + | ^~~~ +kernel/bpf/core.c:1087:2: note: in expansion of macro 'BPF_INSN_3_TBL' + 1087 | INSN_3(ALU, ADD, X), \ + | ^~~~~~ +kernel/bpf/core.c:1202:3: note: in expansion of macro 'BPF_INSN_MAP' + 1202 | BPF_INSN_MAP(BPF_INSN_2_TBL, BPF_INSN_3_TBL), + | ^~~~~~~~~~~~ + +98 copies of the above. + +The attached patch silences the warnings, because we *know* we're overwriting +the default initializer. That leaves bpf/core.c with only 6 other warnings, +which become more visible in comparison. + +Signed-off-by: Valdis Kletnieks +Acked-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + kernel/bpf/Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/bpf/Makefile b/kernel/bpf/Makefile +index af3ab6164ff5..be282c135a66 100644 +--- a/kernel/bpf/Makefile ++++ b/kernel/bpf/Makefile +@@ -1,5 +1,6 @@ + # SPDX-License-Identifier: GPL-2.0 + obj-y := core.o ++CFLAGS_core.o += $(call cc-disable-warning, override-init) + + obj-$(CONFIG_BPF_SYSCALL) += syscall.o verifier.o inode.o helpers.o tnum.o + obj-$(CONFIG_BPF_SYSCALL) += hashtab.o arraymap.o percpu_freelist.o bpf_lru_list.o lpm_trie.o map_in_map.o +-- +2.20.1 + diff --git a/queue-4.14/clocksource-drivers-exynos_mct-increase-priority-ove.patch b/queue-4.14/clocksource-drivers-exynos_mct-increase-priority-ove.patch new file mode 100644 index 00000000000..c961f4ea846 --- /dev/null +++ b/queue-4.14/clocksource-drivers-exynos_mct-increase-priority-ove.patch @@ -0,0 +1,76 @@ +From 9c957c176c3b613a41304299cb011541ee76b5e3 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Thu, 30 May 2019 12:50:43 +0200 +Subject: clocksource/drivers/exynos_mct: Increase priority over ARM arch timer + +[ Upstream commit 6282edb72bed5324352522d732080d4c1b9dfed6 ] + +Exynos SoCs based on CA7/CA15 have 2 timer interfaces: custom Exynos MCT +(Multi Core Timer) and standard ARM Architected Timers. + +There are use cases, where both timer interfaces are used simultanously. +One of such examples is using Exynos MCT for the main system timer and +ARM Architected Timers for the KVM and virtualized guests (KVM requires +arch timers). + +Exynos Multi-Core Timer driver (exynos_mct) must be however started +before ARM Architected Timers (arch_timer), because they both share some +common hardware blocks (global system counter) and turning on MCT is +needed to get ARM Architected Timer working properly. + +To ensure selecting Exynos MCT as the main system timer, increase MCT +timer rating. To ensure proper starting order of both timers during +suspend/resume cycle, increase MCT hotplug priority over ARM Archictected +Timers. + +Signed-off-by: Marek Szyprowski +Reviewed-by: Krzysztof Kozlowski +Reviewed-by: Chanwoo Choi +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/clocksource/exynos_mct.c | 4 ++-- + include/linux/cpuhotplug.h | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/clocksource/exynos_mct.c b/drivers/clocksource/exynos_mct.c +index d55c30f6981d..aaf5bfa9bd9c 100644 +--- a/drivers/clocksource/exynos_mct.c ++++ b/drivers/clocksource/exynos_mct.c +@@ -211,7 +211,7 @@ static void exynos4_frc_resume(struct clocksource *cs) + + static struct clocksource mct_frc = { + .name = "mct-frc", +- .rating = 400, ++ .rating = 450, /* use value higher than ARM arch timer */ + .read = exynos4_frc_read, + .mask = CLOCKSOURCE_MASK(32), + .flags = CLOCK_SOURCE_IS_CONTINUOUS, +@@ -466,7 +466,7 @@ static int exynos4_mct_starting_cpu(unsigned int cpu) + evt->set_state_oneshot_stopped = set_state_shutdown; + evt->tick_resume = set_state_shutdown; + evt->features = CLOCK_EVT_FEAT_PERIODIC | CLOCK_EVT_FEAT_ONESHOT; +- evt->rating = 450; ++ evt->rating = 500; /* use value higher than ARM arch timer */ + + exynos4_mct_write(TICK_BASE_CNT, mevt->base + MCT_L_TCNTB_OFFSET); + +diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h +index 0c78ad0cc515..0834eb5ea9e6 100644 +--- a/include/linux/cpuhotplug.h ++++ b/include/linux/cpuhotplug.h +@@ -115,10 +115,10 @@ enum cpuhp_state { + CPUHP_AP_PERF_ARM_ACPI_STARTING, + CPUHP_AP_PERF_ARM_STARTING, + CPUHP_AP_ARM_L2X0_STARTING, ++ CPUHP_AP_EXYNOS4_MCT_TIMER_STARTING, + CPUHP_AP_ARM_ARCH_TIMER_STARTING, + CPUHP_AP_ARM_GLOBAL_TIMER_STARTING, + CPUHP_AP_JCORE_TIMER_STARTING, +- CPUHP_AP_EXYNOS4_MCT_TIMER_STARTING, + CPUHP_AP_ARM_TWD_STARTING, + CPUHP_AP_METAG_TIMER_STARTING, + CPUHP_AP_QCOM_TIMER_STARTING, +-- +2.20.1 + diff --git a/queue-4.14/cpupower-frequency-set-r-option-misses-the-last-cpu-.patch b/queue-4.14/cpupower-frequency-set-r-option-misses-the-last-cpu-.patch new file mode 100644 index 00000000000..caf09f219f7 --- /dev/null +++ b/queue-4.14/cpupower-frequency-set-r-option-misses-the-last-cpu-.patch @@ -0,0 +1,41 @@ +From 2970269a9d52309808bee177cb878ea03d21d243 Mon Sep 17 00:00:00 2001 +From: Abhishek Goel +Date: Wed, 29 May 2019 04:30:33 -0500 +Subject: cpupower : frequency-set -r option misses the last cpu in related cpu + list + +[ Upstream commit 04507c0a9385cc8280f794a36bfff567c8cc1042 ] + +To set frequency on specific cpus using cpupower, following syntax can +be used : +cpupower -c #i frequency-set -f #f -r + +While setting frequency using cpupower frequency-set command, if we use +'-r' option, it is expected to set frequency for all cpus related to +cpu #i. But it is observed to be missing the last cpu in related cpu +list. This patch fixes the problem. + +Signed-off-by: Abhishek Goel +Reviewed-by: Thomas Renninger +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/power/cpupower/utils/cpufreq-set.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/power/cpupower/utils/cpufreq-set.c b/tools/power/cpupower/utils/cpufreq-set.c +index 1eef0aed6423..08a405593a79 100644 +--- a/tools/power/cpupower/utils/cpufreq-set.c ++++ b/tools/power/cpupower/utils/cpufreq-set.c +@@ -306,6 +306,8 @@ int cmd_freq_set(int argc, char **argv) + bitmask_setbit(cpus_chosen, cpus->cpu); + cpus = cpus->next; + } ++ /* Set the last cpu in related cpus list */ ++ bitmask_setbit(cpus_chosen, cpus->cpu); + cpufreq_put_related_cpus(cpus); + } + } +-- +2.20.1 + diff --git a/queue-4.14/crypto-asymmetric_keys-select-crypto_hash-where-need.patch b/queue-4.14/crypto-asymmetric_keys-select-crypto_hash-where-need.patch new file mode 100644 index 00000000000..d2cf436aeee --- /dev/null +++ b/queue-4.14/crypto-asymmetric_keys-select-crypto_hash-where-need.patch @@ -0,0 +1,60 @@ +From 8dd59aba2915111fa64499148d20aef56b690fc0 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 18 Jun 2019 14:13:47 +0200 +Subject: crypto: asymmetric_keys - select CRYPTO_HASH where needed + +[ Upstream commit 90acc0653d2bee203174e66d519fbaaa513502de ] + +Build testing with some core crypto options disabled revealed +a few modules that are missing CRYPTO_HASH: + +crypto/asymmetric_keys/x509_public_key.o: In function `x509_get_sig_params': +x509_public_key.c:(.text+0x4c7): undefined reference to `crypto_alloc_shash' +x509_public_key.c:(.text+0x5e5): undefined reference to `crypto_shash_digest' +crypto/asymmetric_keys/pkcs7_verify.o: In function `pkcs7_digest.isra.0': +pkcs7_verify.c:(.text+0xab): undefined reference to `crypto_alloc_shash' +pkcs7_verify.c:(.text+0x1b2): undefined reference to `crypto_shash_digest' +pkcs7_verify.c:(.text+0x3c1): undefined reference to `crypto_shash_update' +pkcs7_verify.c:(.text+0x411): undefined reference to `crypto_shash_finup' + +This normally doesn't show up in randconfig tests because there is +a large number of other options that select CRYPTO_HASH. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/asymmetric_keys/Kconfig | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig +index f3702e533ff4..d8a73d94bb30 100644 +--- a/crypto/asymmetric_keys/Kconfig ++++ b/crypto/asymmetric_keys/Kconfig +@@ -15,6 +15,7 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select MPILIB + select CRYPTO_HASH_INFO + select CRYPTO_AKCIPHER ++ select CRYPTO_HASH + help + This option provides support for asymmetric public key type handling. + If signature generation and/or verification are to be used, +@@ -34,6 +35,7 @@ config X509_CERTIFICATE_PARSER + config PKCS7_MESSAGE_PARSER + tristate "PKCS#7 message parser" + depends on X509_CERTIFICATE_PARSER ++ select CRYPTO_HASH + select ASN1 + select OID_REGISTRY + help +@@ -56,6 +58,7 @@ config SIGNED_PE_FILE_VERIFICATION + bool "Support for PE file signature verification" + depends on PKCS7_MESSAGE_PARSER=y + depends on SYSTEM_DATA_VERIFICATION ++ select CRYPTO_HASH + select ASN1 + select OID_REGISTRY + help +-- +2.20.1 + diff --git a/queue-4.14/crypto-serpent-mark-__serpent_setkey_sbox-noinline.patch b/queue-4.14/crypto-serpent-mark-__serpent_setkey_sbox-noinline.patch new file mode 100644 index 00000000000..57903a81d0c --- /dev/null +++ b/queue-4.14/crypto-serpent-mark-__serpent_setkey_sbox-noinline.patch @@ -0,0 +1,47 @@ +From 31feb5daf941518fa8a9106bb38dcd2d9852e95e Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 18 Jun 2019 13:19:42 +0200 +Subject: crypto: serpent - mark __serpent_setkey_sbox noinline + +[ Upstream commit 473971187d6727609951858c63bf12b0307ef015 ] + +The same bug that gcc hit in the past is apparently now showing +up with clang, which decides to inline __serpent_setkey_sbox: + +crypto/serpent_generic.c:268:5: error: stack frame size of 2112 bytes in function '__serpent_setkey' [-Werror,-Wframe-larger-than=] + +Marking it 'noinline' reduces the stack usage from 2112 bytes to +192 and 96 bytes, respectively, and seems to generate more +useful object code. + +Fixes: c871c10e4ea7 ("crypto: serpent - improve __serpent_setkey with UBSAN") +Signed-off-by: Arnd Bergmann +Reviewed-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/serpent_generic.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/crypto/serpent_generic.c b/crypto/serpent_generic.c +index 7c3382facc82..600bd288881d 100644 +--- a/crypto/serpent_generic.c ++++ b/crypto/serpent_generic.c +@@ -229,7 +229,13 @@ + x4 ^= x2; \ + }) + +-static void __serpent_setkey_sbox(u32 r0, u32 r1, u32 r2, u32 r3, u32 r4, u32 *k) ++/* ++ * both gcc and clang have misoptimized this function in the past, ++ * producing horrible object code from spilling temporary variables ++ * on the stack. Forcing this part out of line avoids that. ++ */ ++static noinline void __serpent_setkey_sbox(u32 r0, u32 r1, u32 r2, ++ u32 r3, u32 r4, u32 *k) + { + k += 100; + S3(r3, r4, r0, r1, r2); store_and_load_keys(r1, r2, r4, r3, 28, 24); +-- +2.20.1 + diff --git a/queue-4.14/crypto-talitos-align-sec1-accesses-to-32-bits-bounda.patch b/queue-4.14/crypto-talitos-align-sec1-accesses-to-32-bits-bounda.patch new file mode 100644 index 00000000000..0634d8ed0ed --- /dev/null +++ b/queue-4.14/crypto-talitos-align-sec1-accesses-to-32-bits-bounda.patch @@ -0,0 +1,42 @@ +From 040aeca121ec30261eb4988c7a4c9c0f2d009439 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Tue, 21 May 2019 13:34:18 +0000 +Subject: crypto: talitos - Align SEC1 accesses to 32 bits boundaries. + +[ Upstream commit c9cca7034b34a2d82e9a03b757de2485c294851c ] + +The MPC885 reference manual states: + +SEC Lite-initiated 8xx writes can occur only on 32-bit-word boundaries, but +reads can occur on any byte boundary. Writing back a header read from a +non-32-bit-word boundary will yield unpredictable results. + +In order to ensure that, cra_alignmask is set to 3 for SEC1. + +Signed-off-by: Christophe Leroy +Fixes: 9c4a79653b35 ("crypto: talitos - Freescale integrated security engine (SEC) driver") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/talitos.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c +index 62dca638105d..a0cd4f6085d0 100644 +--- a/drivers/crypto/talitos.c ++++ b/drivers/crypto/talitos.c +@@ -3119,7 +3119,10 @@ static struct talitos_crypto_alg *talitos_alg_alloc(struct device *dev, + alg->cra_priority = t_alg->algt.priority; + else + alg->cra_priority = TALITOS_CRA_PRIORITY; +- alg->cra_alignmask = 0; ++ if (has_ftr_sec1(priv)) ++ alg->cra_alignmask = 3; ++ else ++ alg->cra_alignmask = 0; + alg->cra_ctxsize = sizeof(struct talitos_ctx); + alg->cra_flags |= CRYPTO_ALG_KERN_DRIVER_ONLY; + +-- +2.20.1 + diff --git a/queue-4.14/crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch b/queue-4.14/crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch new file mode 100644 index 00000000000..eeb6f05d181 --- /dev/null +++ b/queue-4.14/crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch @@ -0,0 +1,55 @@ +From 966d8c0080eedfbc079f0d707b9860e70eded64d Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Wed, 15 May 2019 12:29:03 +0000 +Subject: crypto: talitos - fix skcipher failure due to wrong output IV +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 3e03e792865ae48b8cfc69a0b4d65f02f467389f ] + +Selftests report the following: + +[ 2.984845] alg: skcipher: cbc-aes-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place" +[ 2.995377] 00000000: 3d af ba 42 9d 9e b4 30 b4 22 da 80 2c 9f ac 41 +[ 3.032673] alg: skcipher: cbc-des-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place" +[ 3.043185] 00000000: fe dc ba 98 76 54 32 10 +[ 3.063238] alg: skcipher: cbc-3des-talitos encryption test failed (wrong output IV) on test vector 0, cfg="in-place" +[ 3.073818] 00000000: 7d 33 88 93 0f 93 b2 42 + +This above dumps show that the actual output IV is indeed the input IV. +This is due to the IV not being copied back into the request. + +This patch fixes that. + +Signed-off-by: Christophe Leroy +Reviewed-by: Horia Geantă +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/talitos.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c +index 1f8fe1795964..8707607039d3 100644 +--- a/drivers/crypto/talitos.c ++++ b/drivers/crypto/talitos.c +@@ -1544,11 +1544,15 @@ static void ablkcipher_done(struct device *dev, + int err) + { + struct ablkcipher_request *areq = context; ++ struct crypto_ablkcipher *cipher = crypto_ablkcipher_reqtfm(areq); ++ struct talitos_ctx *ctx = crypto_ablkcipher_ctx(cipher); ++ unsigned int ivsize = crypto_ablkcipher_ivsize(cipher); + struct talitos_edesc *edesc; + + edesc = container_of(desc, struct talitos_edesc, desc); + + common_nonsnoop_unmap(dev, edesc, areq); ++ memcpy(areq->info, ctx->iv, ivsize); + + kfree(edesc); + +-- +2.20.1 + diff --git a/queue-4.14/crypto-talitos-properly-handle-split-icv.patch b/queue-4.14/crypto-talitos-properly-handle-split-icv.patch new file mode 100644 index 00000000000..bedb487e1af --- /dev/null +++ b/queue-4.14/crypto-talitos-properly-handle-split-icv.patch @@ -0,0 +1,97 @@ +From 9562cbc21fcc680a3bc3565f2ed4f035af707af8 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Tue, 21 May 2019 13:34:17 +0000 +Subject: crypto: talitos - properly handle split ICV. + +[ Upstream commit eae55a586c3c8b50982bad3c3426e9c9dd7a0075 ] + +The driver assumes that the ICV is as a single piece in the last +element of the scatterlist. This assumption is wrong. + +This patch ensures that the ICV is properly handled regardless of +the scatterlist layout. + +Fixes: 9c4a79653b35 ("crypto: talitos - Freescale integrated security engine (SEC) driver") +Signed-off-by: Christophe Leroy +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/talitos.c | 26 +++++++++++++++----------- + 1 file changed, 15 insertions(+), 11 deletions(-) + +diff --git a/drivers/crypto/talitos.c b/drivers/crypto/talitos.c +index 8707607039d3..62dca638105d 100644 +--- a/drivers/crypto/talitos.c ++++ b/drivers/crypto/talitos.c +@@ -984,7 +984,6 @@ static void ipsec_esp_encrypt_done(struct device *dev, + struct crypto_aead *authenc = crypto_aead_reqtfm(areq); + unsigned int authsize = crypto_aead_authsize(authenc); + struct talitos_edesc *edesc; +- struct scatterlist *sg; + void *icvdata; + + edesc = container_of(desc, struct talitos_edesc, desc); +@@ -998,9 +997,8 @@ static void ipsec_esp_encrypt_done(struct device *dev, + else + icvdata = &edesc->link_tbl[edesc->src_nents + + edesc->dst_nents + 2]; +- sg = sg_last(areq->dst, edesc->dst_nents); +- memcpy((char *)sg_virt(sg) + sg->length - authsize, +- icvdata, authsize); ++ sg_pcopy_from_buffer(areq->dst, edesc->dst_nents ? : 1, icvdata, ++ authsize, areq->assoclen + areq->cryptlen); + } + + kfree(edesc); +@@ -1016,7 +1014,6 @@ static void ipsec_esp_decrypt_swauth_done(struct device *dev, + struct crypto_aead *authenc = crypto_aead_reqtfm(req); + unsigned int authsize = crypto_aead_authsize(authenc); + struct talitos_edesc *edesc; +- struct scatterlist *sg; + char *oicv, *icv; + struct talitos_private *priv = dev_get_drvdata(dev); + bool is_sec1 = has_ftr_sec1(priv); +@@ -1026,9 +1023,18 @@ static void ipsec_esp_decrypt_swauth_done(struct device *dev, + ipsec_esp_unmap(dev, edesc, req); + + if (!err) { ++ char icvdata[SHA512_DIGEST_SIZE]; ++ int nents = edesc->dst_nents ? : 1; ++ unsigned int len = req->assoclen + req->cryptlen; ++ + /* auth check */ +- sg = sg_last(req->dst, edesc->dst_nents ? : 1); +- icv = (char *)sg_virt(sg) + sg->length - authsize; ++ if (nents > 1) { ++ sg_pcopy_to_buffer(req->dst, nents, icvdata, authsize, ++ len - authsize); ++ icv = icvdata; ++ } else { ++ icv = (char *)sg_virt(req->dst) + len - authsize; ++ } + + if (edesc->dma_len) { + if (is_sec1) +@@ -1458,7 +1464,6 @@ static int aead_decrypt(struct aead_request *req) + struct talitos_ctx *ctx = crypto_aead_ctx(authenc); + struct talitos_private *priv = dev_get_drvdata(ctx->dev); + struct talitos_edesc *edesc; +- struct scatterlist *sg; + void *icvdata; + + req->cryptlen -= authsize; +@@ -1493,9 +1498,8 @@ static int aead_decrypt(struct aead_request *req) + else + icvdata = &edesc->link_tbl[0]; + +- sg = sg_last(req->src, edesc->src_nents ? : 1); +- +- memcpy(icvdata, (char *)sg_virt(sg) + sg->length - authsize, authsize); ++ sg_pcopy_to_buffer(req->src, edesc->src_nents ? : 1, icvdata, authsize, ++ req->assoclen + req->cryptlen - authsize); + + return ipsec_esp(edesc, req, ipsec_esp_decrypt_swauth_done); + } +-- +2.20.1 + diff --git a/queue-4.14/dmaengine-imx-sdma-fix-use-after-free-on-probe-error.patch b/queue-4.14/dmaengine-imx-sdma-fix-use-after-free-on-probe-error.patch new file mode 100644 index 00000000000..68bab335f98 --- /dev/null +++ b/queue-4.14/dmaengine-imx-sdma-fix-use-after-free-on-probe-error.patch @@ -0,0 +1,107 @@ +From 1ca8651a77872ec0b3654468dc96dff1389bf94a Mon Sep 17 00:00:00 2001 +From: Sven Van Asbroeck +Date: Mon, 24 Jun 2019 10:07:31 -0400 +Subject: dmaengine: imx-sdma: fix use-after-free on probe error path + +[ Upstream commit 2b8066c3deb9140fdf258417a51479b2aeaa7622 ] + +If probe() fails anywhere beyond the point where +sdma_get_firmware() is called, then a kernel oops may occur. + +Problematic sequence of events: +1. probe() calls sdma_get_firmware(), which schedules the + firmware callback to run when firmware becomes available, + using the sdma instance structure as the context +2. probe() encounters an error, which deallocates the + sdma instance structure +3. firmware becomes available, firmware callback is + called with deallocated sdma instance structure +4. use after free - kernel oops ! + +Solution: only attempt to load firmware when we're certain +that probe() will succeed. This guarantees that the firmware +callback's context will remain valid. + +Note that the remove() path is unaffected by this issue: the +firmware loader will increment the driver module's use count, +ensuring that the module cannot be unloaded while the +firmware callback is pending or running. + +Signed-off-by: Sven Van Asbroeck +Reviewed-by: Robin Gong +[vkoul: fixed braces for if condition] +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/imx-sdma.c | 48 ++++++++++++++++++++++++------------------ + 1 file changed, 27 insertions(+), 21 deletions(-) + +diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c +index b8e7c2d8915e..0fc12a8783e3 100644 +--- a/drivers/dma/imx-sdma.c ++++ b/drivers/dma/imx-sdma.c +@@ -1821,27 +1821,6 @@ static int sdma_probe(struct platform_device *pdev) + if (pdata && pdata->script_addrs) + sdma_add_scripts(sdma, pdata->script_addrs); + +- if (pdata) { +- ret = sdma_get_firmware(sdma, pdata->fw_name); +- if (ret) +- dev_warn(&pdev->dev, "failed to get firmware from platform data\n"); +- } else { +- /* +- * Because that device tree does not encode ROM script address, +- * the RAM script in firmware is mandatory for device tree +- * probe, otherwise it fails. +- */ +- ret = of_property_read_string(np, "fsl,sdma-ram-script-name", +- &fw_name); +- if (ret) +- dev_warn(&pdev->dev, "failed to get firmware name\n"); +- else { +- ret = sdma_get_firmware(sdma, fw_name); +- if (ret) +- dev_warn(&pdev->dev, "failed to get firmware from device tree\n"); +- } +- } +- + sdma->dma_device.dev = &pdev->dev; + + sdma->dma_device.device_alloc_chan_resources = sdma_alloc_chan_resources; +@@ -1883,6 +1862,33 @@ static int sdma_probe(struct platform_device *pdev) + of_node_put(spba_bus); + } + ++ /* ++ * Kick off firmware loading as the very last step: ++ * attempt to load firmware only if we're not on the error path, because ++ * the firmware callback requires a fully functional and allocated sdma ++ * instance. ++ */ ++ if (pdata) { ++ ret = sdma_get_firmware(sdma, pdata->fw_name); ++ if (ret) ++ dev_warn(&pdev->dev, "failed to get firmware from platform data\n"); ++ } else { ++ /* ++ * Because that device tree does not encode ROM script address, ++ * the RAM script in firmware is mandatory for device tree ++ * probe, otherwise it fails. ++ */ ++ ret = of_property_read_string(np, "fsl,sdma-ram-script-name", ++ &fw_name); ++ if (ret) { ++ dev_warn(&pdev->dev, "failed to get firmware name\n"); ++ } else { ++ ret = sdma_get_firmware(sdma, fw_name); ++ if (ret) ++ dev_warn(&pdev->dev, "failed to get firmware from device tree\n"); ++ } ++ } ++ + return 0; + + err_register: +-- +2.20.1 + diff --git a/queue-4.14/edac-fix-global-out-of-bounds-write-when-setting-eda.patch b/queue-4.14/edac-fix-global-out-of-bounds-write-when-setting-eda.patch new file mode 100644 index 00000000000..7598d07f367 --- /dev/null +++ b/queue-4.14/edac-fix-global-out-of-bounds-write-when-setting-eda.patch @@ -0,0 +1,159 @@ +From b8878155f23c54f4a111fb134b39983631d8952b Mon Sep 17 00:00:00 2001 +From: Eiichi Tsukata +Date: Wed, 26 Jun 2019 14:40:11 +0900 +Subject: EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec + +[ Upstream commit d8655e7630dafa88bc37f101640e39c736399771 ] + +Commit 9da21b1509d8 ("EDAC: Poll timeout cannot be zero, p2") assumes +edac_mc_poll_msec to be unsigned long, but the type of the variable still +remained as int. Setting edac_mc_poll_msec can trigger out-of-bounds +write. + +Reproducer: + + # echo 1001 > /sys/module/edac_core/parameters/edac_mc_poll_msec + +KASAN report: + + BUG: KASAN: global-out-of-bounds in edac_set_poll_msec+0x140/0x150 + Write of size 8 at addr ffffffffb91b2d00 by task bash/1996 + + CPU: 1 PID: 1996 Comm: bash Not tainted 5.2.0-rc6+ #23 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014 + Call Trace: + dump_stack+0xca/0x13e + print_address_description.cold+0x5/0x246 + __kasan_report.cold+0x75/0x9a + ? edac_set_poll_msec+0x140/0x150 + kasan_report+0xe/0x20 + edac_set_poll_msec+0x140/0x150 + ? dimmdev_location_show+0x30/0x30 + ? vfs_lock_file+0xe0/0xe0 + ? _raw_spin_lock+0x87/0xe0 + param_attr_store+0x1b5/0x310 + ? param_array_set+0x4f0/0x4f0 + module_attr_store+0x58/0x80 + ? module_attr_show+0x80/0x80 + sysfs_kf_write+0x13d/0x1a0 + kernfs_fop_write+0x2bc/0x460 + ? sysfs_kf_bin_read+0x270/0x270 + ? kernfs_notify+0x1f0/0x1f0 + __vfs_write+0x81/0x100 + vfs_write+0x1e1/0x560 + ksys_write+0x126/0x250 + ? __ia32_sys_read+0xb0/0xb0 + ? do_syscall_64+0x1f/0x390 + do_syscall_64+0xc1/0x390 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + RIP: 0033:0x7fa7caa5e970 + Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 04 + RSP: 002b:00007fff6acfdfe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 + RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa7caa5e970 + RDX: 0000000000000005 RSI: 0000000000e95c08 RDI: 0000000000000001 + RBP: 0000000000e95c08 R08: 00007fa7cad1e760 R09: 00007fa7cb36a700 + R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000005 + R13: 0000000000000001 R14: 00007fa7cad1d600 R15: 0000000000000005 + + The buggy address belongs to the variable: + edac_mc_poll_msec+0x0/0x40 + + Memory state around the buggy address: + ffffffffb91b2c00: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa + ffffffffb91b2c80: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa + >ffffffffb91b2d00: 04 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa + ^ + ffffffffb91b2d80: 04 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 + ffffffffb91b2e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + +Fix it by changing the type of edac_mc_poll_msec to unsigned int. +The reason why this patch adopts unsigned int rather than unsigned long +is msecs_to_jiffies() assumes arg to be unsigned int. We can avoid +integer conversion bugs and unsigned int will be large enough for +edac_mc_poll_msec. + +Reviewed-by: James Morse +Fixes: 9da21b1509d8 ("EDAC: Poll timeout cannot be zero, p2") +Signed-off-by: Eiichi Tsukata +Signed-off-by: Tony Luck +Signed-off-by: Sasha Levin +--- + drivers/edac/edac_mc_sysfs.c | 16 ++++++++-------- + drivers/edac/edac_module.h | 2 +- + 2 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c +index 148c4649b155..a4acfa81dfe0 100644 +--- a/drivers/edac/edac_mc_sysfs.c ++++ b/drivers/edac/edac_mc_sysfs.c +@@ -26,7 +26,7 @@ + static int edac_mc_log_ue = 1; + static int edac_mc_log_ce = 1; + static int edac_mc_panic_on_ue; +-static int edac_mc_poll_msec = 1000; ++static unsigned int edac_mc_poll_msec = 1000; + + /* Getter functions for above */ + int edac_mc_get_log_ue(void) +@@ -45,30 +45,30 @@ int edac_mc_get_panic_on_ue(void) + } + + /* this is temporary */ +-int edac_mc_get_poll_msec(void) ++unsigned int edac_mc_get_poll_msec(void) + { + return edac_mc_poll_msec; + } + + static int edac_set_poll_msec(const char *val, struct kernel_param *kp) + { +- unsigned long l; ++ unsigned int i; + int ret; + + if (!val) + return -EINVAL; + +- ret = kstrtoul(val, 0, &l); ++ ret = kstrtouint(val, 0, &i); + if (ret) + return ret; + +- if (l < 1000) ++ if (i < 1000) + return -EINVAL; + +- *((unsigned long *)kp->arg) = l; ++ *((unsigned int *)kp->arg) = i; + + /* notify edac_mc engine to reset the poll period */ +- edac_mc_reset_delay_period(l); ++ edac_mc_reset_delay_period(i); + + return 0; + } +@@ -82,7 +82,7 @@ MODULE_PARM_DESC(edac_mc_log_ue, + module_param(edac_mc_log_ce, int, 0644); + MODULE_PARM_DESC(edac_mc_log_ce, + "Log correctable error to console: 0=off 1=on"); +-module_param_call(edac_mc_poll_msec, edac_set_poll_msec, param_get_int, ++module_param_call(edac_mc_poll_msec, edac_set_poll_msec, param_get_uint, + &edac_mc_poll_msec, 0644); + MODULE_PARM_DESC(edac_mc_poll_msec, "Polling period in milliseconds"); + +diff --git a/drivers/edac/edac_module.h b/drivers/edac/edac_module.h +index dec88dcea036..c9f0e73872a6 100644 +--- a/drivers/edac/edac_module.h ++++ b/drivers/edac/edac_module.h +@@ -36,7 +36,7 @@ extern int edac_mc_get_log_ue(void); + extern int edac_mc_get_log_ce(void); + extern int edac_mc_get_panic_on_ue(void); + extern int edac_get_poll_msec(void); +-extern int edac_mc_get_poll_msec(void); ++extern unsigned int edac_mc_get_poll_msec(void); + + unsigned edac_dimm_info_location(struct dimm_info *dimm, char *buf, + unsigned len); +-- +2.20.1 + diff --git a/queue-4.14/edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch b/queue-4.14/edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch new file mode 100644 index 00000000000..2d7daafeeef --- /dev/null +++ b/queue-4.14/edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch @@ -0,0 +1,52 @@ +From cebe8265183cebedcb8e0f92b707997bf0240796 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Thu, 18 Apr 2019 10:27:18 +0800 +Subject: EDAC/sysfs: Fix memory leak when creating a csrow object + +[ Upstream commit 585fb3d93d32dbe89e718b85009f9c322cc554cd ] + +In edac_create_csrow_object(), the reference to the object is not +released when adding the device to the device hierarchy fails +(device_add()). This may result in a memory leak. + +Signed-off-by: Pan Bian +Signed-off-by: Borislav Petkov +Reviewed-by: Greg Kroah-Hartman +Cc: James Morse +Cc: Mauro Carvalho Chehab +Cc: linux-edac +Link: https://lkml.kernel.org/r/1555554438-103953-1-git-send-email-bianpan2016@163.com +Signed-off-by: Sasha Levin +--- + drivers/edac/edac_mc_sysfs.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c +index 79c13301bf41..148c4649b155 100644 +--- a/drivers/edac/edac_mc_sysfs.c ++++ b/drivers/edac/edac_mc_sysfs.c +@@ -426,6 +426,8 @@ static inline int nr_pages_per_csrow(struct csrow_info *csrow) + static int edac_create_csrow_object(struct mem_ctl_info *mci, + struct csrow_info *csrow, int index) + { ++ int err; ++ + csrow->dev.type = &csrow_attr_type; + csrow->dev.bus = mci->bus; + csrow->dev.groups = csrow_dev_groups; +@@ -438,7 +440,11 @@ static int edac_create_csrow_object(struct mem_ctl_info *mci, + edac_dbg(0, "creating (virtual) csrow node %s\n", + dev_name(&csrow->dev)); + +- return device_add(&csrow->dev); ++ err = device_add(&csrow->dev); ++ if (err) ++ put_device(&csrow->dev); ++ ++ return err; + } + + /* Create a CSROW object under specifed edac_mc_device */ +-- +2.20.1 + diff --git a/queue-4.14/floppy-fix-div-by-zero-in-setup_format_params.patch b/queue-4.14/floppy-fix-div-by-zero-in-setup_format_params.patch new file mode 100644 index 00000000000..cdaf44a8ce3 --- /dev/null +++ b/queue-4.14/floppy-fix-div-by-zero-in-setup_format_params.patch @@ -0,0 +1,61 @@ +From 98d3ed245078717e9767588aa32a39ce8e16af5f Mon Sep 17 00:00:00 2001 +From: Denis Efremov +Date: Fri, 12 Jul 2019 21:55:20 +0300 +Subject: floppy: fix div-by-zero in setup_format_params + +[ Upstream commit f3554aeb991214cbfafd17d55e2bfddb50282e32 ] + +This fixes a divide by zero error in the setup_format_params function of +the floppy driver. + +Two consecutive ioctls can trigger the bug: The first one should set the +drive geometry with such .sect and .rate values for the F_SECT_PER_TRACK +to become zero. Next, the floppy format operation should be called. + +A floppy disk is not required to be inserted. An unprivileged user +could trigger the bug if the device is accessible. + +The patch checks F_SECT_PER_TRACK for a non-zero value in the +set_geometry function. The proper check should involve a reasonable +upper limit for the .sect and .rate fields, but it could change the +UAPI. + +The patch also checks F_SECT_PER_TRACK in the setup_format_params, and +cancels the formatting operation in case of zero. + +The bug was found by syzkaller. + +Signed-off-by: Denis Efremov +Tested-by: Willy Tarreau +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/block/floppy.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index 3ea9c3e9acb3..4c6c20376a83 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -2114,6 +2114,9 @@ static void setup_format_params(int track) + raw_cmd->kernel_data = floppy_track_buffer; + raw_cmd->length = 4 * F_SECT_PER_TRACK; + ++ if (!F_SECT_PER_TRACK) ++ return; ++ + /* allow for about 30ms for data transport per track */ + head_shift = (F_SECT_PER_TRACK + 5) / 6; + +@@ -3238,6 +3241,8 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g, + /* sanity checking for parameters. */ + if (g->sect <= 0 || + g->head <= 0 || ++ /* check for zero in F_SECT_PER_TRACK */ ++ (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 || + g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) || + /* check if reserved bits are set */ + (g->stretch & ~(FD_STRETCH | FD_SWAPSIDES | FD_SECTBASEMASK)) != 0) +-- +2.20.1 + diff --git a/queue-4.14/floppy-fix-invalid-pointer-dereference-in-drive_name.patch b/queue-4.14/floppy-fix-invalid-pointer-dereference-in-drive_name.patch new file mode 100644 index 00000000000..bd554af9b89 --- /dev/null +++ b/queue-4.14/floppy-fix-invalid-pointer-dereference-in-drive_name.patch @@ -0,0 +1,81 @@ +From 5d6251e6e796dccfec451798718ca74b067608af Mon Sep 17 00:00:00 2001 +From: Denis Efremov +Date: Fri, 12 Jul 2019 21:55:22 +0300 +Subject: floppy: fix invalid pointer dereference in drive_name + +[ Upstream commit 9b04609b784027968348796a18f601aed9db3789 ] + +This fixes the invalid pointer dereference in the drive_name function of +the floppy driver. + +The native_format field of the struct floppy_drive_params is used as +floppy_type array index in the drive_name function. Thus, the field +should be checked the same way as the autodetect field. + +To trigger the bug, one could use a value out of range and set the drive +parameters with the FDSETDRVPRM ioctl. Next, FDGETDRVTYP ioctl should +be used to call the drive_name. A floppy disk is not required to be +inserted. + +CAP_SYS_ADMIN is required to call FDSETDRVPRM. + +The patch adds the check for a value of the native_format field to be in +the '0 <= x < ARRAY_SIZE(floppy_type)' range of the floppy_type array +indices. + +The bug was found by syzkaller. + +Signed-off-by: Denis Efremov +Tested-by: Willy Tarreau +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/block/floppy.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index a4f630ef2b75..b4051e251041 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -3386,7 +3386,8 @@ static int fd_getgeo(struct block_device *bdev, struct hd_geometry *geo) + return 0; + } + +-static bool valid_floppy_drive_params(const short autodetect[8]) ++static bool valid_floppy_drive_params(const short autodetect[8], ++ int native_format) + { + size_t floppy_type_size = ARRAY_SIZE(floppy_type); + size_t i = 0; +@@ -3397,6 +3398,9 @@ static bool valid_floppy_drive_params(const short autodetect[8]) + return false; + } + ++ if (native_format < 0 || native_format >= floppy_type_size) ++ return false; ++ + return true; + } + +@@ -3526,7 +3530,8 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int + SUPBOUND(size, strlen((const char *)outparam) + 1); + break; + case FDSETDRVPRM: +- if (!valid_floppy_drive_params(inparam.dp.autodetect)) ++ if (!valid_floppy_drive_params(inparam.dp.autodetect, ++ inparam.dp.native_format)) + return -EINVAL; + *UDP = inparam.dp; + break; +@@ -3725,7 +3730,7 @@ static int compat_setdrvprm(int drive, + return -EPERM; + if (copy_from_user(&v, arg, sizeof(struct compat_floppy_drive_params))) + return -EFAULT; +- if (!valid_floppy_drive_params(v.autodetect)) ++ if (!valid_floppy_drive_params(v.autodetect, v.native_format)) + return -EINVAL; + mutex_lock(&floppy_mutex); + UDP->cmos = v.cmos; +-- +2.20.1 + diff --git a/queue-4.14/floppy-fix-out-of-bounds-read-in-copy_buffer.patch b/queue-4.14/floppy-fix-out-of-bounds-read-in-copy_buffer.patch new file mode 100644 index 00000000000..106a1c90ca5 --- /dev/null +++ b/queue-4.14/floppy-fix-out-of-bounds-read-in-copy_buffer.patch @@ -0,0 +1,52 @@ +From 4da53fda4754b9f4f2fc1de3c2bd69a8d8c1c8f0 Mon Sep 17 00:00:00 2001 +From: Denis Efremov +Date: Fri, 12 Jul 2019 21:55:23 +0300 +Subject: floppy: fix out-of-bounds read in copy_buffer + +[ Upstream commit da99466ac243f15fbba65bd261bfc75ffa1532b6 ] + +This fixes a global out-of-bounds read access in the copy_buffer +function of the floppy driver. + +The FDDEFPRM ioctl allows one to set the geometry of a disk. The sect +and head fields (unsigned int) of the floppy_drive structure are used to +compute the max_sector (int) in the make_raw_rw_request function. It is +possible to overflow the max_sector. Next, max_sector is passed to the +copy_buffer function and used in one of the memcpy calls. + +An unprivileged user could trigger the bug if the device is accessible, +but requires a floppy disk to be inserted. + +The patch adds the check for the .sect * .head multiplication for not +overflowing in the set_geometry function. + +The bug was found by syzkaller. + +Signed-off-by: Denis Efremov +Tested-by: Willy Tarreau +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/block/floppy.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index b4051e251041..a9d1430fc5ee 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -3239,8 +3239,10 @@ static int set_geometry(unsigned int cmd, struct floppy_struct *g, + int cnt; + + /* sanity checking for parameters. */ +- if (g->sect <= 0 || +- g->head <= 0 || ++ if ((int)g->sect <= 0 || ++ (int)g->head <= 0 || ++ /* check for overflow in max_sector */ ++ (int)(g->sect * g->head) <= 0 || + /* check for zero in F_SECT_PER_TRACK */ + (unsigned char)((g->sect << 2) >> FD_SIZECODE(g)) == 0 || + g->track <= 0 || g->track > UDP->tracks >> STRETCH(g) || +-- +2.20.1 + diff --git a/queue-4.14/floppy-fix-out-of-bounds-read-in-next_valid_format.patch b/queue-4.14/floppy-fix-out-of-bounds-read-in-next_valid_format.patch new file mode 100644 index 00000000000..44045eaade4 --- /dev/null +++ b/queue-4.14/floppy-fix-out-of-bounds-read-in-next_valid_format.patch @@ -0,0 +1,79 @@ +From 721d85d9e725d141e8ca6b2a916241445207b973 Mon Sep 17 00:00:00 2001 +From: Denis Efremov +Date: Fri, 12 Jul 2019 21:55:21 +0300 +Subject: floppy: fix out-of-bounds read in next_valid_format + +[ Upstream commit 5635f897ed83fd539df78e98ba69ee91592f9bb8 ] + +This fixes a global out-of-bounds read access in the next_valid_format +function of the floppy driver. + +The values from autodetect field of the struct floppy_drive_params are +used as indices for the floppy_type array in the next_valid_format +function 'floppy_type[DP->autodetect[probed_format]].sect'. + +To trigger the bug, one could use a value out of range and set the drive +parameters with the FDSETDRVPRM ioctl. A floppy disk is not required to +be inserted. + +CAP_SYS_ADMIN is required to call FDSETDRVPRM. + +The patch adds the check for values of the autodetect field to be in the +'0 <= x < ARRAY_SIZE(floppy_type)' range of the floppy_type array indices. + +The bug was found by syzkaller. + +Signed-off-by: Denis Efremov +Tested-by: Willy Tarreau +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/block/floppy.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index 4c6c20376a83..a4f630ef2b75 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -3386,6 +3386,20 @@ static int fd_getgeo(struct block_device *bdev, struct hd_geometry *geo) + return 0; + } + ++static bool valid_floppy_drive_params(const short autodetect[8]) ++{ ++ size_t floppy_type_size = ARRAY_SIZE(floppy_type); ++ size_t i = 0; ++ ++ for (i = 0; i < 8; ++i) { ++ if (autodetect[i] < 0 || ++ autodetect[i] >= floppy_type_size) ++ return false; ++ } ++ ++ return true; ++} ++ + static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int cmd, + unsigned long param) + { +@@ -3512,6 +3526,8 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, unsigned int + SUPBOUND(size, strlen((const char *)outparam) + 1); + break; + case FDSETDRVPRM: ++ if (!valid_floppy_drive_params(inparam.dp.autodetect)) ++ return -EINVAL; + *UDP = inparam.dp; + break; + case FDGETDRVPRM: +@@ -3709,6 +3725,8 @@ static int compat_setdrvprm(int drive, + return -EPERM; + if (copy_from_user(&v, arg, sizeof(struct compat_floppy_drive_params))) + return -EFAULT; ++ if (!valid_floppy_drive_params(v.autodetect)) ++ return -EINVAL; + mutex_lock(&floppy_mutex); + UDP->cmos = v.cmos; + UDP->max_dtr = v.max_dtr; +-- +2.20.1 + diff --git a/queue-4.14/fscrypt-clean-up-some-bug_on-s-in-block-encryption-d.patch b/queue-4.14/fscrypt-clean-up-some-bug_on-s-in-block-encryption-d.patch new file mode 100644 index 00000000000..9b469c2e1fc --- /dev/null +++ b/queue-4.14/fscrypt-clean-up-some-bug_on-s-in-block-encryption-d.patch @@ -0,0 +1,69 @@ +From 256256ede2c72ec631e12573a9d1c05988288168 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 20 May 2019 09:29:42 -0700 +Subject: fscrypt: clean up some BUG_ON()s in block encryption/decryption + +[ Upstream commit eeacfdc68a104967162dfcba60f53f6f5b62a334 ] + +Replace some BUG_ON()s with WARN_ON_ONCE() and returning an error code, +and move the check for len divisible by FS_CRYPTO_BLOCK_SIZE into +fscrypt_crypt_block() so that it's done for both encryption and +decryption, not just encryption. + +Reviewed-by: Chandan Rajendra +Signed-off-by: Eric Biggers +Signed-off-by: Sasha Levin +--- + fs/crypto/crypto.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/fs/crypto/crypto.c b/fs/crypto/crypto.c +index daf2683f0655..f862ad19c714 100644 +--- a/fs/crypto/crypto.c ++++ b/fs/crypto/crypto.c +@@ -157,7 +157,10 @@ int fscrypt_do_page_crypto(const struct inode *inode, fscrypt_direction_t rw, + struct crypto_skcipher *tfm = ci->ci_ctfm; + int res = 0; + +- BUG_ON(len == 0); ++ if (WARN_ON_ONCE(len <= 0)) ++ return -EINVAL; ++ if (WARN_ON_ONCE(len % FS_CRYPTO_BLOCK_SIZE != 0)) ++ return -EINVAL; + + BUILD_BUG_ON(sizeof(iv) != FS_IV_SIZE); + BUILD_BUG_ON(AES_BLOCK_SIZE != FS_IV_SIZE); +@@ -257,8 +260,6 @@ struct page *fscrypt_encrypt_page(const struct inode *inode, + struct page *ciphertext_page = page; + int err; + +- BUG_ON(len % FS_CRYPTO_BLOCK_SIZE != 0); +- + if (inode->i_sb->s_cop->flags & FS_CFLG_OWN_PAGES) { + /* with inplace-encryption we just encrypt the page */ + err = fscrypt_do_page_crypto(inode, FS_ENCRYPT, lblk_num, page, +@@ -270,7 +271,8 @@ struct page *fscrypt_encrypt_page(const struct inode *inode, + return ciphertext_page; + } + +- BUG_ON(!PageLocked(page)); ++ if (WARN_ON_ONCE(!PageLocked(page))) ++ return ERR_PTR(-EINVAL); + + ctx = fscrypt_get_ctx(inode, gfp_flags); + if (IS_ERR(ctx)) +@@ -318,8 +320,9 @@ EXPORT_SYMBOL(fscrypt_encrypt_page); + int fscrypt_decrypt_page(const struct inode *inode, struct page *page, + unsigned int len, unsigned int offs, u64 lblk_num) + { +- if (!(inode->i_sb->s_cop->flags & FS_CFLG_OWN_PAGES)) +- BUG_ON(!PageLocked(page)); ++ if (WARN_ON_ONCE(!PageLocked(page) && ++ !(inode->i_sb->s_cop->flags & FS_CFLG_OWN_PAGES))) ++ return -EINVAL; + + return fscrypt_do_page_crypto(inode, FS_DECRYPT, lblk_num, page, page, + len, offs, GFP_NOFS); +-- +2.20.1 + diff --git a/queue-4.14/gpio-omap-ensure-irq-is-enabled-before-wakeup.patch b/queue-4.14/gpio-omap-ensure-irq-is-enabled-before-wakeup.patch new file mode 100644 index 00000000000..caa6302fa1f --- /dev/null +++ b/queue-4.14/gpio-omap-ensure-irq-is-enabled-before-wakeup.patch @@ -0,0 +1,85 @@ +From f9c6323fbb76bad671ecf164beae003c90d04bb0 Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Mon, 10 Jun 2019 20:10:44 +0300 +Subject: gpio: omap: ensure irq is enabled before wakeup + +[ Upstream commit c859e0d479b3b4f6132fc12637c51e01492f31f6 ] + +Documentation states: + + NOTE: There must be a correlation between the wake-up enable and + interrupt-enable registers. If a GPIO pin has a wake-up configured + on it, it must also have the corresponding interrupt enabled (on + one of the two interrupt lines). + +Ensure that this condition is always satisfied by enabling the detection +events after enabling the interrupt, and disabling the detection before +disabling the interrupt. This ensures interrupt/wakeup events can not +happen until both the wakeup and interrupt enables correlate. + +If we do any clearing, clear between the interrupt enable/disable and +trigger setting. + +Signed-off-by: Russell King +Signed-off-by: Grygorii Strashko +Tested-by: Tony Lindgren +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-omap.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c +index abe54659b1f4..47e537a91dd8 100644 +--- a/drivers/gpio/gpio-omap.c ++++ b/drivers/gpio/gpio-omap.c +@@ -790,9 +790,9 @@ static void omap_gpio_irq_shutdown(struct irq_data *d) + + raw_spin_lock_irqsave(&bank->lock, flags); + bank->irq_usage &= ~(BIT(offset)); +- omap_set_gpio_irqenable(bank, offset, 0); +- omap_clear_gpio_irqstatus(bank, offset); + omap_set_gpio_triggering(bank, offset, IRQ_TYPE_NONE); ++ omap_clear_gpio_irqstatus(bank, offset); ++ omap_set_gpio_irqenable(bank, offset, 0); + if (!LINE_USED(bank->mod_usage, offset)) + omap_clear_gpio_debounce(bank, offset); + omap_disable_gpio_module(bank, offset); +@@ -834,8 +834,8 @@ static void omap_gpio_mask_irq(struct irq_data *d) + unsigned long flags; + + raw_spin_lock_irqsave(&bank->lock, flags); +- omap_set_gpio_irqenable(bank, offset, 0); + omap_set_gpio_triggering(bank, offset, IRQ_TYPE_NONE); ++ omap_set_gpio_irqenable(bank, offset, 0); + raw_spin_unlock_irqrestore(&bank->lock, flags); + } + +@@ -847,9 +847,6 @@ static void omap_gpio_unmask_irq(struct irq_data *d) + unsigned long flags; + + raw_spin_lock_irqsave(&bank->lock, flags); +- if (trigger) +- omap_set_gpio_triggering(bank, offset, trigger); +- + omap_set_gpio_irqenable(bank, offset, 1); + + /* +@@ -857,9 +854,13 @@ static void omap_gpio_unmask_irq(struct irq_data *d) + * is cleared, thus after the handler has run. OMAP4 needs this done + * after enabing the interrupt to clear the wakeup status. + */ +- if (bank->level_mask & BIT(offset)) ++ if (bank->regs->leveldetect0 && bank->regs->wkup_en && ++ trigger & (IRQ_TYPE_LEVEL_HIGH | IRQ_TYPE_LEVEL_LOW)) + omap_clear_gpio_irqstatus(bank, offset); + ++ if (trigger) ++ omap_set_gpio_triggering(bank, offset, trigger); ++ + raw_spin_unlock_irqrestore(&bank->lock, flags); + } + +-- +2.20.1 + diff --git a/queue-4.14/gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch b/queue-4.14/gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch new file mode 100644 index 00000000000..cb15dd3f8ae --- /dev/null +++ b/queue-4.14/gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch @@ -0,0 +1,43 @@ +From f5284f61770c95964098ff3fcf215a8f81324bd0 Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Mon, 10 Jun 2019 20:10:45 +0300 +Subject: gpio: omap: fix lack of irqstatus_raw0 for OMAP4 + +[ Upstream commit 64ea3e9094a1f13b96c33244a3fb3a0f45690bd2 ] + +Commit 384ebe1c2849 ("gpio/omap: Add DT support to GPIO driver") added +the register definition tables to the gpio-omap driver. Subsequently to +that commit, commit 4e962e8998cc ("gpio/omap: remove cpu_is_omapxxxx() +checks from *_runtime_resume()") added definitions for irqstatus_raw* +registers to the legacy OMAP4 definitions, but missed the DT +definitions. + +This causes an unintentional change of behaviour for the 1.101 errata +workaround on OMAP4 platforms. Fix this oversight. + +Fixes: 4e962e8998cc ("gpio/omap: remove cpu_is_omapxxxx() checks from *_runtime_resume()") +Signed-off-by: Russell King +Signed-off-by: Grygorii Strashko +Tested-by: Tony Lindgren +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-omap.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c +index 83c6843db50c..abe54659b1f4 100644 +--- a/drivers/gpio/gpio-omap.c ++++ b/drivers/gpio/gpio-omap.c +@@ -1604,6 +1604,8 @@ static struct omap_gpio_reg_offs omap4_gpio_regs = { + .clr_dataout = OMAP4_GPIO_CLEARDATAOUT, + .irqstatus = OMAP4_GPIO_IRQSTATUS0, + .irqstatus2 = OMAP4_GPIO_IRQSTATUS1, ++ .irqstatus_raw0 = OMAP4_GPIO_IRQSTATUSRAW0, ++ .irqstatus_raw1 = OMAP4_GPIO_IRQSTATUSRAW1, + .irqenable = OMAP4_GPIO_IRQSTATUSSET0, + .irqenable2 = OMAP4_GPIO_IRQSTATUSSET1, + .set_irqenable = OMAP4_GPIO_IRQSTATUSSET0, +-- +2.20.1 + diff --git a/queue-4.14/gpiolib-fix-references-to-gpiod_-gs-et_-value_cansle.patch b/queue-4.14/gpiolib-fix-references-to-gpiod_-gs-et_-value_cansle.patch new file mode 100644 index 00000000000..56e63f61354 --- /dev/null +++ b/queue-4.14/gpiolib-fix-references-to-gpiod_-gs-et_-value_cansle.patch @@ -0,0 +1,58 @@ +From fcd7bc97aa59f4764539e40b615d561e01332798 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Mon, 1 Jul 2019 16:27:38 +0200 +Subject: gpiolib: Fix references to gpiod_[gs]et_*value_cansleep() variants + +[ Upstream commit 3285170f28a850638794cdfe712eb6d93e51e706 ] + +Commit 372e722ea4dd4ca1 ("gpiolib: use descriptors internally") renamed +the functions to use a "gpiod" prefix, and commit 79a9becda8940deb +("gpiolib: export descriptor-based GPIO interface") introduced the "raw" +variants, but both changes forgot to update the comments. + +Readd a similar reference to gpiod_set_value(), which was accidentally +removed by commit 1e77fc82110ac36f ("gpio: Add missing open drain/source +handling to gpiod_set_value_cansleep()"). + +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20190701142738.25219-1-geert+renesas@glider.be +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index 21062cb6b85f..3db0a9b0d259 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -2480,7 +2480,7 @@ static int _gpiod_get_raw_value(const struct gpio_desc *desc) + int gpiod_get_raw_value(const struct gpio_desc *desc) + { + VALIDATE_DESC(desc); +- /* Should be using gpio_get_value_cansleep() */ ++ /* Should be using gpiod_get_raw_value_cansleep() */ + WARN_ON(desc->gdev->chip->can_sleep); + return _gpiod_get_raw_value(desc); + } +@@ -2501,7 +2501,7 @@ int gpiod_get_value(const struct gpio_desc *desc) + int value; + + VALIDATE_DESC(desc); +- /* Should be using gpio_get_value_cansleep() */ ++ /* Should be using gpiod_get_value_cansleep() */ + WARN_ON(desc->gdev->chip->can_sleep); + + value = _gpiod_get_raw_value(desc); +@@ -2670,7 +2670,7 @@ void gpiod_set_array_value_complex(bool raw, bool can_sleep, + void gpiod_set_raw_value(struct gpio_desc *desc, int value) + { + VALIDATE_DESC_VOID(desc); +- /* Should be using gpiod_set_value_cansleep() */ ++ /* Should be using gpiod_set_raw_value_cansleep() */ + WARN_ON(desc->gdev->chip->can_sleep); + _gpiod_set_raw_value(desc, value); + } +-- +2.20.1 + diff --git a/queue-4.14/gtp-add-missing-gtp_encap_disable_sock-in-gtp_encap_.patch b/queue-4.14/gtp-add-missing-gtp_encap_disable_sock-in-gtp_encap_.patch new file mode 100644 index 00000000000..2f5c9ab8e0a --- /dev/null +++ b/queue-4.14/gtp-add-missing-gtp_encap_disable_sock-in-gtp_encap_.patch @@ -0,0 +1,41 @@ +From 0f9d6d01dab6079c0a2fdfbe92649592afefb4eb Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Wed, 3 Jul 2019 00:24:04 +0900 +Subject: gtp: add missing gtp_encap_disable_sock() in gtp_encap_enable() + +[ Upstream commit e30155fd23c9c141cbe7d99b786e10a83a328837 ] + +If an invalid role is sent from user space, gtp_encap_enable() will fail. +Then, it should call gtp_encap_disable_sock() but current code doesn't. +It makes memory leak. + +Fixes: 91ed81f9abc7 ("gtp: support SGSN-side tunnels") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index f38e32a7ec9c..dba3869b61be 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -845,8 +845,13 @@ static int gtp_encap_enable(struct gtp_dev *gtp, struct nlattr *data[]) + + if (data[IFLA_GTP_ROLE]) { + role = nla_get_u32(data[IFLA_GTP_ROLE]); +- if (role > GTP_ROLE_SGSN) ++ if (role > GTP_ROLE_SGSN) { ++ if (sk0) ++ gtp_encap_disable_sock(sk0); ++ if (sk1u) ++ gtp_encap_disable_sock(sk1u); + return -EINVAL; ++ } + } + + gtp->sk0 = sk0; +-- +2.20.1 + diff --git a/queue-4.14/gtp-fix-illegal-context-switch-in-rcu-read-side-crit.patch b/queue-4.14/gtp-fix-illegal-context-switch-in-rcu-read-side-crit.patch new file mode 100644 index 00000000000..79aa79d8fc6 --- /dev/null +++ b/queue-4.14/gtp-fix-illegal-context-switch-in-rcu-read-side-crit.patch @@ -0,0 +1,71 @@ +From 25d547b6268631fa07f66c9d9dfe404c12f5645a Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Wed, 3 Jul 2019 00:23:13 +0900 +Subject: gtp: fix Illegal context switch in RCU read-side critical section. + +[ Upstream commit 3f167e1921865b379a9becf03828e7202c7b4917 ] + +ipv4_pdp_add() is called in RCU read-side critical section. +So GFP_KERNEL should not be used in the function. +This patch make ipv4_pdp_add() to use GFP_ATOMIC instead of GFP_KERNEL. + +Test commands: +gtp-link add gtp1 & +gtp-tunnel add gtp1 v1 100 200 1.1.1.1 2.2.2.2 + +Splat looks like: +[ 130.618881] ============================= +[ 130.626382] WARNING: suspicious RCU usage +[ 130.626994] 5.2.0-rc6+ #50 Not tainted +[ 130.627622] ----------------------------- +[ 130.628223] ./include/linux/rcupdate.h:266 Illegal context switch in RCU read-side critical section! +[ 130.629684] +[ 130.629684] other info that might help us debug this: +[ 130.629684] +[ 130.631022] +[ 130.631022] rcu_scheduler_active = 2, debug_locks = 1 +[ 130.632136] 4 locks held by gtp-tunnel/1025: +[ 130.632925] #0: 000000002b93c8b7 (cb_lock){++++}, at: genl_rcv+0x15/0x40 +[ 130.634159] #1: 00000000f17bc999 (genl_mutex){+.+.}, at: genl_rcv_msg+0xfb/0x130 +[ 130.635487] #2: 00000000c644ed8e (rtnl_mutex){+.+.}, at: gtp_genl_new_pdp+0x18c/0x1150 [gtp] +[ 130.636936] #3: 0000000007a1cde7 (rcu_read_lock){....}, at: gtp_genl_new_pdp+0x187/0x1150 [gtp] +[ 130.638348] +[ 130.638348] stack backtrace: +[ 130.639062] CPU: 1 PID: 1025 Comm: gtp-tunnel Not tainted 5.2.0-rc6+ #50 +[ 130.641318] Call Trace: +[ 130.641707] dump_stack+0x7c/0xbb +[ 130.642252] ___might_sleep+0x2c0/0x3b0 +[ 130.642862] kmem_cache_alloc_trace+0x1cd/0x2b0 +[ 130.643591] gtp_genl_new_pdp+0x6c5/0x1150 [gtp] +[ 130.644371] genl_family_rcv_msg+0x63a/0x1030 +[ 130.645074] ? mutex_lock_io_nested+0x1090/0x1090 +[ 130.645845] ? genl_unregister_family+0x630/0x630 +[ 130.646592] ? debug_show_all_locks+0x2d0/0x2d0 +[ 130.647293] ? check_flags.part.40+0x440/0x440 +[ 130.648099] genl_rcv_msg+0xa3/0x130 +[ ... ] + +Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index 2756edd84abc..c751f87c935e 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -956,7 +956,7 @@ static int ipv4_pdp_add(struct gtp_dev *gtp, struct sock *sk, + + } + +- pctx = kmalloc(sizeof(struct pdp_ctx), GFP_KERNEL); ++ pctx = kmalloc(sizeof(*pctx), GFP_ATOMIC); + if (pctx == NULL) + return -ENOMEM; + +-- +2.20.1 + diff --git a/queue-4.14/gtp-fix-suspicious-rcu-usage.patch b/queue-4.14/gtp-fix-suspicious-rcu-usage.patch new file mode 100644 index 00000000000..f72c34031ce --- /dev/null +++ b/queue-4.14/gtp-fix-suspicious-rcu-usage.patch @@ -0,0 +1,92 @@ +From 2b1a3e8b735ef9b566ee435a7e79cc4dc3e20a4c Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Wed, 3 Jul 2019 00:20:51 +0900 +Subject: gtp: fix suspicious RCU usage + +[ Upstream commit e198987e7dd7d3645a53875151cd6f8fc425b706 ] + +gtp_encap_enable_socket() and gtp_encap_destroy() are not protected +by rcu_read_lock(). and it's not safe to write sk->sk_user_data. +This patch make these functions to use lock_sock() instead of +rcu_dereference_sk_user_data(). + +Test commands: + gtp-link add gtp1 + +Splat looks like: +[ 83.238315] ============================= +[ 83.239127] WARNING: suspicious RCU usage +[ 83.239702] 5.2.0-rc6+ #49 Not tainted +[ 83.240268] ----------------------------- +[ 83.241205] drivers/net/gtp.c:799 suspicious rcu_dereference_check() usage! +[ 83.243828] +[ 83.243828] other info that might help us debug this: +[ 83.243828] +[ 83.246325] +[ 83.246325] rcu_scheduler_active = 2, debug_locks = 1 +[ 83.247314] 1 lock held by gtp-link/1008: +[ 83.248523] #0: 0000000017772c7f (rtnl_mutex){+.+.}, at: __rtnl_newlink+0x5f5/0x11b0 +[ 83.251503] +[ 83.251503] stack backtrace: +[ 83.252173] CPU: 0 PID: 1008 Comm: gtp-link Not tainted 5.2.0-rc6+ #49 +[ 83.253271] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +[ 83.254562] Call Trace: +[ 83.254995] dump_stack+0x7c/0xbb +[ 83.255567] gtp_encap_enable_socket+0x2df/0x360 [gtp] +[ 83.256415] ? gtp_find_dev+0x1a0/0x1a0 [gtp] +[ 83.257161] ? memset+0x1f/0x40 +[ 83.257843] gtp_newlink+0x90/0xa21 [gtp] +[ 83.258497] ? __netlink_ns_capable+0xc3/0xf0 +[ 83.259260] __rtnl_newlink+0xb9f/0x11b0 +[ 83.260022] ? rtnl_link_unregister+0x230/0x230 +[ ... ] + +Fixes: 1e3a3abd8b28 ("gtp: make GTP sockets in gtp_newlink optional") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index dba3869b61be..2756edd84abc 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -293,12 +293,14 @@ static void gtp_encap_destroy(struct sock *sk) + { + struct gtp_dev *gtp; + +- gtp = rcu_dereference_sk_user_data(sk); ++ lock_sock(sk); ++ gtp = sk->sk_user_data; + if (gtp) { + udp_sk(sk)->encap_type = 0; + rcu_assign_sk_user_data(sk, NULL); + sock_put(sk); + } ++ release_sock(sk); + } + + static void gtp_encap_disable_sock(struct sock *sk) +@@ -798,7 +800,8 @@ static struct sock *gtp_encap_enable_socket(int fd, int type, + goto out_sock; + } + +- if (rcu_dereference_sk_user_data(sock->sk)) { ++ lock_sock(sock->sk); ++ if (sock->sk->sk_user_data) { + sk = ERR_PTR(-EBUSY); + goto out_sock; + } +@@ -814,6 +817,7 @@ static struct sock *gtp_encap_enable_socket(int fd, int type, + setup_udp_tunnel_sock(sock_net(sock->sk), sock, &tuncfg); + + out_sock: ++ release_sock(sock->sk); + sockfd_put(sock); + return sk; + } +-- +2.20.1 + diff --git a/queue-4.14/gtp-fix-use-after-free-in-gtp_encap_destroy.patch b/queue-4.14/gtp-fix-use-after-free-in-gtp_encap_destroy.patch new file mode 100644 index 00000000000..07665b0361e --- /dev/null +++ b/queue-4.14/gtp-fix-use-after-free-in-gtp_encap_destroy.patch @@ -0,0 +1,131 @@ +From 7a31040c0c33f15301d7e4d9e648cca8032c1ebe Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Wed, 3 Jul 2019 00:22:25 +0900 +Subject: gtp: fix use-after-free in gtp_encap_destroy() + +[ Upstream commit 1788b8569f5de27da09087fa3f6580d2aa04cc75 ] + +gtp_encap_destroy() is called twice. +1. When interface is deleted. +2. When udp socket is destroyed. +either gtp->sk0 or gtp->sk1u could be freed by sock_put() in +gtp_encap_destroy(). so, when gtp_encap_destroy() is called again, +it would uses freed sk pointer. + +patch makes gtp_encap_destroy() to set either gtp->sk0 or gtp->sk1u to +null. in addition, both gtp->sk0 and gtp->sk1u pointer are protected +by rtnl_lock. so, rtnl_lock() is added. + +Test command: + gtp-link add gtp1 & + killall gtp-link + ip link del gtp1 + +Splat looks like: +[ 83.182767] BUG: KASAN: use-after-free in __lock_acquire+0x3a20/0x46a0 +[ 83.184128] Read of size 8 at addr ffff8880cc7d5360 by task ip/1008 +[ 83.185567] CPU: 1 PID: 1008 Comm: ip Not tainted 5.2.0-rc6+ #50 +[ 83.188469] Call Trace: +[ ... ] +[ 83.200126] lock_acquire+0x141/0x380 +[ 83.200575] ? lock_sock_nested+0x3a/0xf0 +[ 83.201069] _raw_spin_lock_bh+0x38/0x70 +[ 83.201551] ? lock_sock_nested+0x3a/0xf0 +[ 83.202044] lock_sock_nested+0x3a/0xf0 +[ 83.202520] gtp_encap_destroy+0x18/0xe0 [gtp] +[ 83.203065] gtp_encap_disable.isra.14+0x13/0x50 [gtp] +[ 83.203687] gtp_dellink+0x56/0x170 [gtp] +[ 83.204190] rtnl_delete_link+0xb4/0x100 +[ ... ] +[ 83.236513] Allocated by task 976: +[ 83.236925] save_stack+0x19/0x80 +[ 83.237332] __kasan_kmalloc.constprop.3+0xa0/0xd0 +[ 83.237894] kmem_cache_alloc+0xd8/0x280 +[ 83.238360] sk_prot_alloc.isra.42+0x50/0x200 +[ 83.238874] sk_alloc+0x32/0x940 +[ 83.239264] inet_create+0x283/0xc20 +[ 83.239684] __sock_create+0x2dd/0x540 +[ 83.240136] __sys_socket+0xca/0x1a0 +[ 83.240550] __x64_sys_socket+0x6f/0xb0 +[ 83.240998] do_syscall_64+0x9c/0x450 +[ 83.241466] entry_SYSCALL_64_after_hwframe+0x49/0xbe +[ 83.242061] +[ 83.242249] Freed by task 0: +[ 83.242616] save_stack+0x19/0x80 +[ 83.243013] __kasan_slab_free+0x111/0x150 +[ 83.243498] kmem_cache_free+0x89/0x250 +[ 83.244444] __sk_destruct+0x38f/0x5a0 +[ 83.245366] rcu_core+0x7e9/0x1c20 +[ 83.245766] __do_softirq+0x213/0x8fa + +Fixes: 1e3a3abd8b28 ("gtp: make GTP sockets in gtp_newlink optional") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index c751f87c935e..53fd66534e3a 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -289,13 +289,17 @@ static int gtp1u_udp_encap_recv(struct gtp_dev *gtp, struct sk_buff *skb) + return gtp_rx(pctx, skb, hdrlen, gtp->role); + } + +-static void gtp_encap_destroy(struct sock *sk) ++static void __gtp_encap_destroy(struct sock *sk) + { + struct gtp_dev *gtp; + + lock_sock(sk); + gtp = sk->sk_user_data; + if (gtp) { ++ if (gtp->sk0 == sk) ++ gtp->sk0 = NULL; ++ else ++ gtp->sk1u = NULL; + udp_sk(sk)->encap_type = 0; + rcu_assign_sk_user_data(sk, NULL); + sock_put(sk); +@@ -303,12 +307,19 @@ static void gtp_encap_destroy(struct sock *sk) + release_sock(sk); + } + ++static void gtp_encap_destroy(struct sock *sk) ++{ ++ rtnl_lock(); ++ __gtp_encap_destroy(sk); ++ rtnl_unlock(); ++} ++ + static void gtp_encap_disable_sock(struct sock *sk) + { + if (!sk) + return; + +- gtp_encap_destroy(sk); ++ __gtp_encap_destroy(sk); + } + + static void gtp_encap_disable(struct gtp_dev *gtp) +@@ -1045,6 +1056,7 @@ static int gtp_genl_new_pdp(struct sk_buff *skb, struct genl_info *info) + return -EINVAL; + } + ++ rtnl_lock(); + rcu_read_lock(); + + gtp = gtp_find_dev(sock_net(skb->sk), info->attrs); +@@ -1069,6 +1081,7 @@ static int gtp_genl_new_pdp(struct sk_buff *skb, struct genl_info *info) + + out_unlock: + rcu_read_unlock(); ++ rtnl_unlock(); + return err; + } + +-- +2.20.1 + diff --git a/queue-4.14/gtp-fix-use-after-free-in-gtp_newlink.patch b/queue-4.14/gtp-fix-use-after-free-in-gtp_newlink.patch new file mode 100644 index 00000000000..b94ddfd9ee1 --- /dev/null +++ b/queue-4.14/gtp-fix-use-after-free-in-gtp_newlink.patch @@ -0,0 +1,109 @@ +From ac261086bb7e21aba6d4627040c2799746571dac Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Wed, 3 Jul 2019 00:23:42 +0900 +Subject: gtp: fix use-after-free in gtp_newlink() + +[ Upstream commit a2bed90704c68d3763bf24decb1b781a45395de8 ] + +Current gtp_newlink() could be called after unregister_pernet_subsys(). +gtp_newlink() uses gtp_net but it can be destroyed by +unregister_pernet_subsys(). +So unregister_pernet_subsys() should be called after +rtnl_link_unregister(). + +Test commands: + #SHELL 1 + while : + do + for i in {1..5} + do + ./gtp-link add gtp$i & + done + killall gtp-link + done + + #SHELL 2 + while : + do + modprobe -rv gtp + done + +Splat looks like: +[ 753.176631] BUG: KASAN: use-after-free in gtp_newlink+0x9b4/0xa5c [gtp] +[ 753.177722] Read of size 8 at addr ffff8880d48f2458 by task gtp-link/7126 +[ 753.179082] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G W 5.2.0-rc6+ #50 +[ 753.185801] Call Trace: +[ 753.186264] dump_stack+0x7c/0xbb +[ 753.186863] ? gtp_newlink+0x9b4/0xa5c [gtp] +[ 753.187583] print_address_description+0xc7/0x240 +[ 753.188382] ? gtp_newlink+0x9b4/0xa5c [gtp] +[ 753.189097] ? gtp_newlink+0x9b4/0xa5c [gtp] +[ 753.189846] __kasan_report+0x12a/0x16f +[ 753.190542] ? gtp_newlink+0x9b4/0xa5c [gtp] +[ 753.191298] kasan_report+0xe/0x20 +[ 753.191893] gtp_newlink+0x9b4/0xa5c [gtp] +[ 753.192580] ? __netlink_ns_capable+0xc3/0xf0 +[ 753.193370] __rtnl_newlink+0xb9f/0x11b0 +[ ... ] +[ 753.241201] Allocated by task 7186: +[ 753.241844] save_stack+0x19/0x80 +[ 753.242399] __kasan_kmalloc.constprop.3+0xa0/0xd0 +[ 753.243192] __kmalloc+0x13e/0x300 +[ 753.243764] ops_init+0xd6/0x350 +[ 753.244314] register_pernet_operations+0x249/0x6f0 +[ ... ] +[ 753.251770] Freed by task 7178: +[ 753.252288] save_stack+0x19/0x80 +[ 753.252833] __kasan_slab_free+0x111/0x150 +[ 753.253962] kfree+0xc7/0x280 +[ 753.254509] ops_free_list.part.11+0x1c4/0x2d0 +[ 753.255241] unregister_pernet_operations+0x262/0x390 +[ ... ] +[ 753.285883] list_add corruption. next->prev should be prev (ffff8880d48f2458), but was ffff8880d497d878. (next. +[ 753.287241] ------------[ cut here ]------------ +[ 753.287794] kernel BUG at lib/list_debug.c:25! +[ 753.288364] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI +[ 753.289099] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G B W 5.2.0-rc6+ #50 +[ 753.291036] RIP: 0010:__list_add_valid+0x74/0xd0 +[ 753.291589] Code: 48 39 da 75 27 48 39 f5 74 36 48 39 dd 74 31 48 83 c4 08 b8 01 00 00 00 5b 5d c3 48 89 d9 48b +[ 753.293779] RSP: 0018:ffff8880cae8f398 EFLAGS: 00010286 +[ 753.294401] RAX: 0000000000000075 RBX: ffff8880d497d878 RCX: 0000000000000000 +[ 753.296260] RDX: 0000000000000075 RSI: 0000000000000008 RDI: ffffed10195d1e69 +[ 753.297070] RBP: ffff8880cd250ae0 R08: ffffed101b4bff21 R09: ffffed101b4bff21 +[ 753.297899] R10: 0000000000000001 R11: ffffed101b4bff20 R12: ffff8880d497d878 +[ 753.298703] R13: 0000000000000000 R14: ffff8880cd250ae0 R15: ffff8880d48f2458 +[ 753.299564] FS: 00007f5f79805740(0000) GS:ffff8880da400000(0000) knlGS:0000000000000000 +[ 753.300533] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 753.301231] CR2: 00007fe8c7ef4f10 CR3: 00000000b71a6006 CR4: 00000000000606f0 +[ 753.302183] Call Trace: +[ 753.302530] gtp_newlink+0x5f6/0xa5c [gtp] +[ 753.303037] ? __netlink_ns_capable+0xc3/0xf0 +[ 753.303576] __rtnl_newlink+0xb9f/0x11b0 +[ 753.304092] ? rtnl_link_unregister+0x230/0x230 + +Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index 53fd66534e3a..5de4053774b8 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -1383,9 +1383,9 @@ late_initcall(gtp_init); + + static void __exit gtp_fini(void) + { +- unregister_pernet_subsys(>p_net_ops); + genl_unregister_family(>p_genl_family); + rtnl_link_unregister(>p_link_ops); ++ unregister_pernet_subsys(>p_net_ops); + + pr_info("GTP module unloaded\n"); + } +-- +2.20.1 + diff --git a/queue-4.14/iavf-fix-dereference-of-null-rx_buffer-pointer.patch b/queue-4.14/iavf-fix-dereference-of-null-rx_buffer-pointer.patch new file mode 100644 index 00000000000..1df198eb8d4 --- /dev/null +++ b/queue-4.14/iavf-fix-dereference-of-null-rx_buffer-pointer.patch @@ -0,0 +1,63 @@ +From c6e3eeef24414f8fa71925ae49f685d81280db0e Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Wed, 19 Jun 2019 15:30:44 +0100 +Subject: iavf: fix dereference of null rx_buffer pointer + +[ Upstream commit 9fe06a51287b2d41baef7ece94df34b5abf19b90 ] + +A recent commit efa14c3985828d ("iavf: allow null RX descriptors") added +a null pointer sanity check on rx_buffer, however, rx_buffer is being +dereferenced before that check, which implies a null pointer dereference +bug can potentially occur. Fix this by only dereferencing rx_buffer +until after the null pointer check. + +Addresses-Coverity: ("Dereference before null check") +Signed-off-by: Colin Ian King +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40evf/i40e_txrx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40evf/i40e_txrx.c b/drivers/net/ethernet/intel/i40evf/i40e_txrx.c +index 7368b0dc3af8..4afdabbe95e8 100644 +--- a/drivers/net/ethernet/intel/i40evf/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40evf/i40e_txrx.c +@@ -1117,7 +1117,7 @@ static struct sk_buff *i40e_construct_skb(struct i40e_ring *rx_ring, + struct i40e_rx_buffer *rx_buffer, + unsigned int size) + { +- void *va = page_address(rx_buffer->page) + rx_buffer->page_offset; ++ void *va; + #if (PAGE_SIZE < 8192) + unsigned int truesize = i40e_rx_pg_size(rx_ring) / 2; + #else +@@ -1127,6 +1127,7 @@ static struct sk_buff *i40e_construct_skb(struct i40e_ring *rx_ring, + struct sk_buff *skb; + + /* prefetch first cache line of first page */ ++ va = page_address(rx_buffer->page) + rx_buffer->page_offset; + prefetch(va); + #if L1_CACHE_BYTES < 128 + prefetch(va + L1_CACHE_BYTES); +@@ -1181,7 +1182,7 @@ static struct sk_buff *i40e_build_skb(struct i40e_ring *rx_ring, + struct i40e_rx_buffer *rx_buffer, + unsigned int size) + { +- void *va = page_address(rx_buffer->page) + rx_buffer->page_offset; ++ void *va; + #if (PAGE_SIZE < 8192) + unsigned int truesize = i40e_rx_pg_size(rx_ring) / 2; + #else +@@ -1191,6 +1192,7 @@ static struct sk_buff *i40e_build_skb(struct i40e_ring *rx_ring, + struct sk_buff *skb; + + /* prefetch first cache line of first page */ ++ va = page_address(rx_buffer->page) + rx_buffer->page_offset; + prefetch(va); + #if L1_CACHE_BYTES < 128 + prefetch(va + L1_CACHE_BYTES); +-- +2.20.1 + diff --git a/queue-4.14/iommu-fix-a-leak-in-iommu_insert_resv_region.patch b/queue-4.14/iommu-fix-a-leak-in-iommu_insert_resv_region.patch new file mode 100644 index 00000000000..c50234f8be5 --- /dev/null +++ b/queue-4.14/iommu-fix-a-leak-in-iommu_insert_resv_region.patch @@ -0,0 +1,60 @@ +From 9310b19dad2e56527cc767f60fc4c70bc63c0b97 Mon Sep 17 00:00:00 2001 +From: Eric Auger +Date: Mon, 3 Jun 2019 08:53:30 +0200 +Subject: iommu: Fix a leak in iommu_insert_resv_region + +[ Upstream commit ad0834dedaa15c3a176f783c0373f836e44b4700 ] + +In case we expand an existing region, we unlink +this latter and insert the larger one. In +that case we should free the original region after +the insertion. Also we can immediately return. + +Fixes: 6c65fb318e8b ("iommu: iommu_get_group_resv_regions") + +Signed-off-by: Eric Auger +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/iommu.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c +index 3de5c0bcb5cc..1620a6f49989 100644 +--- a/drivers/iommu/iommu.c ++++ b/drivers/iommu/iommu.c +@@ -205,18 +205,21 @@ static int iommu_insert_resv_region(struct iommu_resv_region *new, + pos = pos->next; + } else if ((start >= a) && (end <= b)) { + if (new->type == type) +- goto done; ++ return 0; + else + pos = pos->next; + } else { + if (new->type == type) { + phys_addr_t new_start = min(a, start); + phys_addr_t new_end = max(b, end); ++ int ret; + + list_del(&entry->list); + entry->start = new_start; + entry->length = new_end - new_start + 1; +- iommu_insert_resv_region(entry, regions); ++ ret = iommu_insert_resv_region(entry, regions); ++ kfree(entry); ++ return ret; + } else { + pos = pos->next; + } +@@ -229,7 +232,6 @@ static int iommu_insert_resv_region(struct iommu_resv_region *new, + return -ENOMEM; + + list_add_tail(®ion->list, pos); +-done: + return 0; + } + +-- +2.20.1 + diff --git a/queue-4.14/ipoib-correcly-show-a-vf-hardware-address.patch b/queue-4.14/ipoib-correcly-show-a-vf-hardware-address.patch new file mode 100644 index 00000000000..bb4455d520e --- /dev/null +++ b/queue-4.14/ipoib-correcly-show-a-vf-hardware-address.patch @@ -0,0 +1,57 @@ +From 18441da21f1da90c13543951aaffee63271adacc Mon Sep 17 00:00:00 2001 +From: Denis Kirjanov +Date: Mon, 17 Jun 2019 10:53:40 +0200 +Subject: ipoib: correcly show a VF hardware address + +[ Upstream commit 64d701c608fea362881e823b666327f5d28d7ffd ] + +in the case of IPoIB with SRIOV enabled hardware +ip link show command incorrecly prints +0 instead of a VF hardware address. + +Before: +11: ib1: mtu 2044 qdisc pfifo_fast +state UP mode DEFAULT group default qlen 256 + link/infiniband +80:00:00:66:fe:80:00:00:00:00:00:00:24:8a:07:03:00:a4:3e:7c brd +00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff + vf 0 MAC 00:00:00:00:00:00, spoof checking off, link-state disable, +trust off, query_rss off +... +After: +11: ib1: mtu 2044 qdisc pfifo_fast +state UP mode DEFAULT group default qlen 256 + link/infiniband +80:00:00:66:fe:80:00:00:00:00:00:00:24:8a:07:03:00:a4:3e:7c brd +00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff + vf 0 link/infiniband +80:00:00:66:fe:80:00:00:00:00:00:00:24:8a:07:03:00:a4:3e:7c brd +00:ff:ff:ff:ff:12:40:1b:ff:ff:00:00:00:00:00:00:ff:ff:ff:ff, spoof +checking off, link-state disable, trust off, query_rss off + +v1->v2: just copy an address without modifing ifla_vf_mac +v2->v3: update the changelog + +Signed-off-by: Denis Kirjanov +Acked-by: Doug Ledford +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/ipoib/ipoib_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c +index e6ff16b27acd..1a93d3d58c8a 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c +@@ -1833,6 +1833,7 @@ static int ipoib_get_vf_config(struct net_device *dev, int vf, + return err; + + ivf->vf = vf; ++ memcpy(ivf->mac, dev->dev_addr, dev->addr_len); + + return 0; + } +-- +2.20.1 + diff --git a/queue-4.14/ipsec-select-crypto-ciphers-for-xfrm_algo.patch b/queue-4.14/ipsec-select-crypto-ciphers-for-xfrm_algo.patch new file mode 100644 index 00000000000..cdfa10b53ed --- /dev/null +++ b/queue-4.14/ipsec-select-crypto-ciphers-for-xfrm_algo.patch @@ -0,0 +1,43 @@ +From 240f30503a9152715f587c9a18b5412718bd828e Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 18 Jun 2019 13:22:13 +0200 +Subject: ipsec: select crypto ciphers for xfrm_algo + +[ Upstream commit 597179b0ba550bd83fab1a9d57c42a9343c58514 ] + +kernelci.org reports failed builds on arc because of what looks +like an old missed 'select' statement: + +net/xfrm/xfrm_algo.o: In function `xfrm_probe_algs': +xfrm_algo.c:(.text+0x1e8): undefined reference to `crypto_has_ahash' + +I don't see this in randconfig builds on other architectures, but +it's fairly clear we want to select the hash code for it, like we +do for all its other users. As Herbert points out, CRYPTO_BLKCIPHER +is also required even though it has not popped up in build tests. + +Fixes: 17bc19702221 ("ipsec: Use skcipher and ahash when probing algorithms") +Signed-off-by: Arnd Bergmann +Acked-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/xfrm/Kconfig b/net/xfrm/Kconfig +index 286ed25c1a69..2e747ae7dc89 100644 +--- a/net/xfrm/Kconfig ++++ b/net/xfrm/Kconfig +@@ -14,6 +14,8 @@ config XFRM_ALGO + tristate + select XFRM + select CRYPTO ++ select CRYPTO_HASH ++ select CRYPTO_BLKCIPHER + + config XFRM_USER + tristate "Transformation user configuration interface" +-- +2.20.1 + diff --git a/queue-4.14/ipset-fix-memory-accounting-for-hash-types-on-resize.patch b/queue-4.14/ipset-fix-memory-accounting-for-hash-types-on-resize.patch new file mode 100644 index 00000000000..7b4ed6a0eb1 --- /dev/null +++ b/queue-4.14/ipset-fix-memory-accounting-for-hash-types-on-resize.patch @@ -0,0 +1,82 @@ +From ab173adaf4e2095595cd17332b9deef80eb9f08e Mon Sep 17 00:00:00 2001 +From: Stefano Brivio +Date: Sun, 26 May 2019 23:14:06 +0200 +Subject: ipset: Fix memory accounting for hash types on resize + +[ Upstream commit 11921796f4799ca9c61c4b22cc54d84aa69f8a35 ] + +If a fresh array block is allocated during resize, the current in-memory +set size should be increased by the size of the block, not replaced by it. + +Before the fix, adding entries to a hash set type, leading to a table +resize, caused an inconsistent memory size to be reported. This becomes +more obvious when swapping sets with similar sizes: + + # cat hash_ip_size.sh + #!/bin/sh + FAIL_RETRIES=10 + + tries=0 + while [ ${tries} -lt ${FAIL_RETRIES} ]; do + ipset create t1 hash:ip + for i in `seq 1 4345`; do + ipset add t1 1.2.$((i / 255)).$((i % 255)) + done + t1_init="$(ipset list t1|sed -n 's/Size in memory: \(.*\)/\1/p')" + + ipset create t2 hash:ip + for i in `seq 1 4360`; do + ipset add t2 1.2.$((i / 255)).$((i % 255)) + done + t2_init="$(ipset list t2|sed -n 's/Size in memory: \(.*\)/\1/p')" + + ipset swap t1 t2 + t1_swap="$(ipset list t1|sed -n 's/Size in memory: \(.*\)/\1/p')" + t2_swap="$(ipset list t2|sed -n 's/Size in memory: \(.*\)/\1/p')" + + ipset destroy t1 + ipset destroy t2 + tries=$((tries + 1)) + + if [ ${t1_init} -lt 10000 ] || [ ${t2_init} -lt 10000 ]; then + echo "FAIL after ${tries} tries:" + echo "T1 size ${t1_init}, after swap ${t1_swap}" + echo "T2 size ${t2_init}, after swap ${t2_swap}" + exit 1 + fi + done + echo "PASS" + # echo -n 'func hash_ip4_resize +p' > /sys/kernel/debug/dynamic_debug/control + # ./hash_ip_size.sh + [ 2035.018673] attempt to resize set t1 from 10 to 11, t 00000000fe6551fa + [ 2035.078583] set t1 resized from 10 (00000000fe6551fa) to 11 (00000000172a0163) + [ 2035.080353] Table destroy by resize 00000000fe6551fa + FAIL after 4 tries: + T1 size 9064, after swap 71128 + T2 size 71128, after swap 9064 + +Reported-by: NOYB +Fixes: 9e41f26a505c ("netfilter: ipset: Count non-static extension memory for userspace") +Signed-off-by: Stefano Brivio +Signed-off-by: Jozsef Kadlecsik +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_hash_gen.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h +index dfd268166e42..42d9cd22447e 100644 +--- a/net/netfilter/ipset/ip_set_hash_gen.h ++++ b/net/netfilter/ipset/ip_set_hash_gen.h +@@ -624,7 +624,7 @@ mtype_resize(struct ip_set *set, bool retried) + goto cleanup; + } + m->size = AHASH_INIT_SIZE; +- extsize = ext_size(AHASH_INIT_SIZE, dsize); ++ extsize += ext_size(AHASH_INIT_SIZE, dsize); + RCU_INIT_POINTER(hbucket(t, key), m); + } else if (m->pos >= m->size) { + struct hbucket *ht; +-- +2.20.1 + diff --git a/queue-4.14/ipvs-defer-hook-registration-to-avoid-leaks.patch b/queue-4.14/ipvs-defer-hook-registration-to-avoid-leaks.patch new file mode 100644 index 00000000000..86a5284c6d9 --- /dev/null +++ b/queue-4.14/ipvs-defer-hook-registration-to-avoid-leaks.patch @@ -0,0 +1,118 @@ +From 770214933cca3c4209fd07922151ce06ae567ac8 Mon Sep 17 00:00:00 2001 +From: Julian Anastasov +Date: Tue, 4 Jun 2019 21:56:35 +0300 +Subject: ipvs: defer hook registration to avoid leaks + +[ Upstream commit cf47a0b882a4e5f6b34c7949d7b293e9287f1972 ] + +syzkaller reports for memory leak when registering hooks [1] + +As we moved the nf_unregister_net_hooks() call into +__ip_vs_dev_cleanup(), defer the nf_register_net_hooks() +call, so that hooks are allocated and freed from same +pernet_operations (ipvs_core_dev_ops). + +[1] +BUG: memory leak +unreferenced object 0xffff88810acd8a80 (size 96): + comm "syz-executor073", pid 7254, jiffies 4294950560 (age 22.250s) + hex dump (first 32 bytes): + 02 00 00 00 00 00 00 00 50 8b bb 82 ff ff ff ff ........P....... + 00 00 00 00 00 00 00 00 00 77 bb 82 ff ff ff ff .........w...... + backtrace: + [<0000000013db61f1>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] + [<0000000013db61f1>] slab_post_alloc_hook mm/slab.h:439 [inline] + [<0000000013db61f1>] slab_alloc_node mm/slab.c:3269 [inline] + [<0000000013db61f1>] kmem_cache_alloc_node_trace+0x15b/0x2a0 mm/slab.c:3597 + [<000000001a27307d>] __do_kmalloc_node mm/slab.c:3619 [inline] + [<000000001a27307d>] __kmalloc_node+0x38/0x50 mm/slab.c:3627 + [<0000000025054add>] kmalloc_node include/linux/slab.h:590 [inline] + [<0000000025054add>] kvmalloc_node+0x4a/0xd0 mm/util.c:431 + [<0000000050d1bc00>] kvmalloc include/linux/mm.h:637 [inline] + [<0000000050d1bc00>] kvzalloc include/linux/mm.h:645 [inline] + [<0000000050d1bc00>] allocate_hook_entries_size+0x3b/0x60 net/netfilter/core.c:61 + [<00000000e8abe142>] nf_hook_entries_grow+0xae/0x270 net/netfilter/core.c:128 + [<000000004b94797c>] __nf_register_net_hook+0x9a/0x170 net/netfilter/core.c:337 + [<00000000d1545cbc>] nf_register_net_hook+0x34/0xc0 net/netfilter/core.c:464 + [<00000000876c9b55>] nf_register_net_hooks+0x53/0xc0 net/netfilter/core.c:480 + [<000000002ea868e0>] __ip_vs_init+0xe8/0x170 net/netfilter/ipvs/ip_vs_core.c:2280 + [<000000002eb2d451>] ops_init+0x4c/0x140 net/core/net_namespace.c:130 + [<000000000284ec48>] setup_net+0xde/0x230 net/core/net_namespace.c:316 + [<00000000a70600fa>] copy_net_ns+0xf0/0x1e0 net/core/net_namespace.c:439 + [<00000000ff26c15e>] create_new_namespaces+0x141/0x2a0 kernel/nsproxy.c:107 + [<00000000b103dc79>] copy_namespaces+0xa1/0xe0 kernel/nsproxy.c:165 + [<000000007cc008a2>] copy_process.part.0+0x11fd/0x2150 kernel/fork.c:2035 + [<00000000c344af7c>] copy_process kernel/fork.c:1800 [inline] + [<00000000c344af7c>] _do_fork+0x121/0x4f0 kernel/fork.c:2369 + +Reported-by: syzbot+722da59ccb264bc19910@syzkaller.appspotmail.com +Fixes: 719c7d563c17 ("ipvs: Fix use-after-free in ip_vs_in") +Signed-off-by: Julian Anastasov +Acked-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_core.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c +index ee97ce176b9a..2156571455db 100644 +--- a/net/netfilter/ipvs/ip_vs_core.c ++++ b/net/netfilter/ipvs/ip_vs_core.c +@@ -2206,7 +2206,6 @@ static const struct nf_hook_ops ip_vs_ops[] = { + static int __net_init __ip_vs_init(struct net *net) + { + struct netns_ipvs *ipvs; +- int ret; + + ipvs = net_generic(net, ip_vs_net_id); + if (ipvs == NULL) +@@ -2238,17 +2237,11 @@ static int __net_init __ip_vs_init(struct net *net) + if (ip_vs_sync_net_init(ipvs) < 0) + goto sync_fail; + +- ret = nf_register_net_hooks(net, ip_vs_ops, ARRAY_SIZE(ip_vs_ops)); +- if (ret < 0) +- goto hook_fail; +- + return 0; + /* + * Error handling + */ + +-hook_fail: +- ip_vs_sync_net_cleanup(ipvs); + sync_fail: + ip_vs_conn_net_cleanup(ipvs); + conn_fail: +@@ -2278,6 +2271,19 @@ static void __net_exit __ip_vs_cleanup(struct net *net) + net->ipvs = NULL; + } + ++static int __net_init __ip_vs_dev_init(struct net *net) ++{ ++ int ret; ++ ++ ret = nf_register_net_hooks(net, ip_vs_ops, ARRAY_SIZE(ip_vs_ops)); ++ if (ret < 0) ++ goto hook_fail; ++ return 0; ++ ++hook_fail: ++ return ret; ++} ++ + static void __net_exit __ip_vs_dev_cleanup(struct net *net) + { + struct netns_ipvs *ipvs = net_ipvs(net); +@@ -2297,6 +2303,7 @@ static struct pernet_operations ipvs_core_ops = { + }; + + static struct pernet_operations ipvs_core_dev_ops = { ++ .init = __ip_vs_dev_init, + .exit = __ip_vs_dev_cleanup, + }; + +-- +2.20.1 + diff --git a/queue-4.14/ipvs-fix-tinfo-memory-leak-in-start_sync_thread.patch b/queue-4.14/ipvs-fix-tinfo-memory-leak-in-start_sync_thread.patch new file mode 100644 index 00000000000..0f5d2f7c08b --- /dev/null +++ b/queue-4.14/ipvs-fix-tinfo-memory-leak-in-start_sync_thread.patch @@ -0,0 +1,399 @@ +From 94099cfca3cdb5d47d8048d817c4ed26bf1aa1b2 Mon Sep 17 00:00:00 2001 +From: Julian Anastasov +Date: Tue, 18 Jun 2019 23:07:36 +0300 +Subject: ipvs: fix tinfo memory leak in start_sync_thread + +[ Upstream commit 5db7c8b9f9fc2aeec671ae3ca6375752c162e0e7 ] + +syzkaller reports for memory leak in start_sync_thread [1] + +As Eric points out, kthread may start and stop before the +threadfn function is called, so there is no chance the +data (tinfo in our case) to be released in thread. + +Fix this by releasing tinfo in the controlling code instead. + +[1] +BUG: memory leak +unreferenced object 0xffff8881206bf700 (size 32): + comm "syz-executor761", pid 7268, jiffies 4294943441 (age 20.470s) + hex dump (first 32 bytes): + 00 40 7c 09 81 88 ff ff 80 45 b8 21 81 88 ff ff .@|......E.!.... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<0000000057619e23>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] + [<0000000057619e23>] slab_post_alloc_hook mm/slab.h:439 [inline] + [<0000000057619e23>] slab_alloc mm/slab.c:3326 [inline] + [<0000000057619e23>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553 + [<0000000086ce5479>] kmalloc include/linux/slab.h:547 [inline] + [<0000000086ce5479>] start_sync_thread+0x5d2/0xe10 net/netfilter/ipvs/ip_vs_sync.c:1862 + [<000000001a9229cc>] do_ip_vs_set_ctl+0x4c5/0x780 net/netfilter/ipvs/ip_vs_ctl.c:2402 + [<00000000ece457c8>] nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] + [<00000000ece457c8>] nf_setsockopt+0x4c/0x80 net/netfilter/nf_sockopt.c:115 + [<00000000942f62d4>] ip_setsockopt net/ipv4/ip_sockglue.c:1258 [inline] + [<00000000942f62d4>] ip_setsockopt+0x9b/0xb0 net/ipv4/ip_sockglue.c:1238 + [<00000000a56a8ffd>] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2616 + [<00000000fa895401>] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3130 + [<0000000095eef4cf>] __sys_setsockopt+0x98/0x120 net/socket.c:2078 + [<000000009747cf88>] __do_sys_setsockopt net/socket.c:2089 [inline] + [<000000009747cf88>] __se_sys_setsockopt net/socket.c:2086 [inline] + [<000000009747cf88>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2086 + [<00000000ded8ba80>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301 + [<00000000893b4ac8>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Reported-by: syzbot+7e2e50c8adfccd2e5041@syzkaller.appspotmail.com +Suggested-by: Eric Biggers +Fixes: 998e7a76804b ("ipvs: Use kthread_run() instead of doing a double-fork via kernel_thread()") +Signed-off-by: Julian Anastasov +Acked-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/ip_vs.h | 6 +- + net/netfilter/ipvs/ip_vs_ctl.c | 4 - + net/netfilter/ipvs/ip_vs_sync.c | 134 +++++++++++++++++--------------- + 3 files changed, 76 insertions(+), 68 deletions(-) + +diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h +index 5d08c1950e7d..82bc9f0e8a76 100644 +--- a/include/net/ip_vs.h ++++ b/include/net/ip_vs.h +@@ -812,11 +812,12 @@ struct ipvs_master_sync_state { + struct ip_vs_sync_buff *sync_buff; + unsigned long sync_queue_len; + unsigned int sync_queue_delay; +- struct task_struct *master_thread; + struct delayed_work master_wakeup_work; + struct netns_ipvs *ipvs; + }; + ++struct ip_vs_sync_thread_data; ++ + /* How much time to keep dests in trash */ + #define IP_VS_DEST_TRASH_PERIOD (120 * HZ) + +@@ -947,7 +948,8 @@ struct netns_ipvs { + spinlock_t sync_lock; + struct ipvs_master_sync_state *ms; + spinlock_t sync_buff_lock; +- struct task_struct **backup_threads; ++ struct ip_vs_sync_thread_data *master_tinfo; ++ struct ip_vs_sync_thread_data *backup_tinfo; + int threads_mask; + volatile int sync_state; + struct mutex sync_mutex; +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index 6d7608b88f66..4648dccebf59 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -2414,9 +2414,7 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) + cfg.syncid = dm->syncid; + ret = start_sync_thread(ipvs, &cfg, dm->state); + } else { +- mutex_lock(&ipvs->sync_mutex); + ret = stop_sync_thread(ipvs, dm->state); +- mutex_unlock(&ipvs->sync_mutex); + } + goto out_dec; + } +@@ -3524,10 +3522,8 @@ static int ip_vs_genl_del_daemon(struct netns_ipvs *ipvs, struct nlattr **attrs) + if (!attrs[IPVS_DAEMON_ATTR_STATE]) + return -EINVAL; + +- mutex_lock(&ipvs->sync_mutex); + ret = stop_sync_thread(ipvs, + nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE])); +- mutex_unlock(&ipvs->sync_mutex); + return ret; + } + +diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c +index 5e07f7a6794e..b578ebb3d7ef 100644 +--- a/net/netfilter/ipvs/ip_vs_sync.c ++++ b/net/netfilter/ipvs/ip_vs_sync.c +@@ -195,6 +195,7 @@ union ip_vs_sync_conn { + #define IPVS_OPT_F_PARAM (1 << (IPVS_OPT_PARAM-1)) + + struct ip_vs_sync_thread_data { ++ struct task_struct *task; + struct netns_ipvs *ipvs; + struct socket *sock; + char *buf; +@@ -374,8 +375,11 @@ static inline void sb_queue_tail(struct netns_ipvs *ipvs, + max(IPVS_SYNC_SEND_DELAY, 1)); + ms->sync_queue_len++; + list_add_tail(&sb->list, &ms->sync_queue); +- if ((++ms->sync_queue_delay) == IPVS_SYNC_WAKEUP_RATE) +- wake_up_process(ms->master_thread); ++ if ((++ms->sync_queue_delay) == IPVS_SYNC_WAKEUP_RATE) { ++ int id = (int)(ms - ipvs->ms); ++ ++ wake_up_process(ipvs->master_tinfo[id].task); ++ } + } else + ip_vs_sync_buff_release(sb); + spin_unlock(&ipvs->sync_lock); +@@ -1645,8 +1649,10 @@ static void master_wakeup_work_handler(struct work_struct *work) + spin_lock_bh(&ipvs->sync_lock); + if (ms->sync_queue_len && + ms->sync_queue_delay < IPVS_SYNC_WAKEUP_RATE) { ++ int id = (int)(ms - ipvs->ms); ++ + ms->sync_queue_delay = IPVS_SYNC_WAKEUP_RATE; +- wake_up_process(ms->master_thread); ++ wake_up_process(ipvs->master_tinfo[id].task); + } + spin_unlock_bh(&ipvs->sync_lock); + } +@@ -1712,10 +1718,6 @@ static int sync_thread_master(void *data) + if (sb) + ip_vs_sync_buff_release(sb); + +- /* release the sending multicast socket */ +- sock_release(tinfo->sock); +- kfree(tinfo); +- + return 0; + } + +@@ -1749,11 +1751,6 @@ static int sync_thread_backup(void *data) + } + } + +- /* release the sending multicast socket */ +- sock_release(tinfo->sock); +- kfree(tinfo->buf); +- kfree(tinfo); +- + return 0; + } + +@@ -1761,8 +1758,8 @@ static int sync_thread_backup(void *data) + int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, + int state) + { +- struct ip_vs_sync_thread_data *tinfo = NULL; +- struct task_struct **array = NULL, *task; ++ struct ip_vs_sync_thread_data *ti = NULL, *tinfo; ++ struct task_struct *task; + struct net_device *dev; + char *name; + int (*threadfn)(void *data); +@@ -1831,7 +1828,7 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, + threadfn = sync_thread_master; + } else if (state == IP_VS_STATE_BACKUP) { + result = -EEXIST; +- if (ipvs->backup_threads) ++ if (ipvs->backup_tinfo) + goto out_early; + + ipvs->bcfg = *c; +@@ -1858,28 +1855,22 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, + master_wakeup_work_handler); + ms->ipvs = ipvs; + } +- } else { +- array = kcalloc(count, sizeof(struct task_struct *), +- GFP_KERNEL); +- result = -ENOMEM; +- if (!array) +- goto out; + } ++ result = -ENOMEM; ++ ti = kcalloc(count, sizeof(struct ip_vs_sync_thread_data), ++ GFP_KERNEL); ++ if (!ti) ++ goto out; + + for (id = 0; id < count; id++) { +- result = -ENOMEM; +- tinfo = kmalloc(sizeof(*tinfo), GFP_KERNEL); +- if (!tinfo) +- goto out; ++ tinfo = &ti[id]; + tinfo->ipvs = ipvs; +- tinfo->sock = NULL; + if (state == IP_VS_STATE_BACKUP) { ++ result = -ENOMEM; + tinfo->buf = kmalloc(ipvs->bcfg.sync_maxlen, + GFP_KERNEL); + if (!tinfo->buf) + goto out; +- } else { +- tinfo->buf = NULL; + } + tinfo->id = id; + if (state == IP_VS_STATE_MASTER) +@@ -1894,17 +1885,15 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, + result = PTR_ERR(task); + goto out; + } +- tinfo = NULL; +- if (state == IP_VS_STATE_MASTER) +- ipvs->ms[id].master_thread = task; +- else +- array[id] = task; ++ tinfo->task = task; + } + + /* mark as active */ + +- if (state == IP_VS_STATE_BACKUP) +- ipvs->backup_threads = array; ++ if (state == IP_VS_STATE_MASTER) ++ ipvs->master_tinfo = ti; ++ else ++ ipvs->backup_tinfo = ti; + spin_lock_bh(&ipvs->sync_buff_lock); + ipvs->sync_state |= state; + spin_unlock_bh(&ipvs->sync_buff_lock); +@@ -1919,29 +1908,31 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, + + out: + /* We do not need RTNL lock anymore, release it here so that +- * sock_release below and in the kthreads can use rtnl_lock +- * to leave the mcast group. ++ * sock_release below can use rtnl_lock to leave the mcast group. + */ + rtnl_unlock(); +- count = id; +- while (count-- > 0) { +- if (state == IP_VS_STATE_MASTER) +- kthread_stop(ipvs->ms[count].master_thread); +- else +- kthread_stop(array[count]); ++ id = min(id, count - 1); ++ if (ti) { ++ for (tinfo = ti + id; tinfo >= ti; tinfo--) { ++ if (tinfo->task) ++ kthread_stop(tinfo->task); ++ } + } + if (!(ipvs->sync_state & IP_VS_STATE_MASTER)) { + kfree(ipvs->ms); + ipvs->ms = NULL; + } + mutex_unlock(&ipvs->sync_mutex); +- if (tinfo) { +- if (tinfo->sock) +- sock_release(tinfo->sock); +- kfree(tinfo->buf); +- kfree(tinfo); ++ ++ /* No more mutexes, release socks */ ++ if (ti) { ++ for (tinfo = ti + id; tinfo >= ti; tinfo--) { ++ if (tinfo->sock) ++ sock_release(tinfo->sock); ++ kfree(tinfo->buf); ++ } ++ kfree(ti); + } +- kfree(array); + return result; + + out_early: +@@ -1953,15 +1944,18 @@ int start_sync_thread(struct netns_ipvs *ipvs, struct ipvs_sync_daemon_cfg *c, + + int stop_sync_thread(struct netns_ipvs *ipvs, int state) + { +- struct task_struct **array; ++ struct ip_vs_sync_thread_data *ti, *tinfo; + int id; + int retc = -EINVAL; + + IP_VS_DBG(7, "%s(): pid %d\n", __func__, task_pid_nr(current)); + ++ mutex_lock(&ipvs->sync_mutex); + if (state == IP_VS_STATE_MASTER) { ++ retc = -ESRCH; + if (!ipvs->ms) +- return -ESRCH; ++ goto err; ++ ti = ipvs->master_tinfo; + + /* + * The lock synchronizes with sb_queue_tail(), so that we don't +@@ -1980,38 +1974,56 @@ int stop_sync_thread(struct netns_ipvs *ipvs, int state) + struct ipvs_master_sync_state *ms = &ipvs->ms[id]; + int ret; + ++ tinfo = &ti[id]; + pr_info("stopping master sync thread %d ...\n", +- task_pid_nr(ms->master_thread)); ++ task_pid_nr(tinfo->task)); + cancel_delayed_work_sync(&ms->master_wakeup_work); +- ret = kthread_stop(ms->master_thread); ++ ret = kthread_stop(tinfo->task); + if (retc >= 0) + retc = ret; + } + kfree(ipvs->ms); + ipvs->ms = NULL; ++ ipvs->master_tinfo = NULL; + } else if (state == IP_VS_STATE_BACKUP) { +- if (!ipvs->backup_threads) +- return -ESRCH; ++ retc = -ESRCH; ++ if (!ipvs->backup_tinfo) ++ goto err; ++ ti = ipvs->backup_tinfo; + + ipvs->sync_state &= ~IP_VS_STATE_BACKUP; +- array = ipvs->backup_threads; + retc = 0; + for (id = ipvs->threads_mask; id >= 0; id--) { + int ret; + ++ tinfo = &ti[id]; + pr_info("stopping backup sync thread %d ...\n", +- task_pid_nr(array[id])); +- ret = kthread_stop(array[id]); ++ task_pid_nr(tinfo->task)); ++ ret = kthread_stop(tinfo->task); + if (retc >= 0) + retc = ret; + } +- kfree(array); +- ipvs->backup_threads = NULL; ++ ipvs->backup_tinfo = NULL; ++ } else { ++ goto err; + } ++ id = ipvs->threads_mask; ++ mutex_unlock(&ipvs->sync_mutex); ++ ++ /* No more mutexes, release socks */ ++ for (tinfo = ti + id; tinfo >= ti; tinfo--) { ++ if (tinfo->sock) ++ sock_release(tinfo->sock); ++ kfree(tinfo->buf); ++ } ++ kfree(ti); + + /* decrease the module use count */ + ip_vs_use_count_dec(); ++ return retc; + ++err: ++ mutex_unlock(&ipvs->sync_mutex); + return retc; + } + +@@ -2030,7 +2042,6 @@ void ip_vs_sync_net_cleanup(struct netns_ipvs *ipvs) + { + int retc; + +- mutex_lock(&ipvs->sync_mutex); + retc = stop_sync_thread(ipvs, IP_VS_STATE_MASTER); + if (retc && retc != -ESRCH) + pr_err("Failed to stop Master Daemon\n"); +@@ -2038,5 +2049,4 @@ void ip_vs_sync_net_cleanup(struct netns_ipvs *ipvs) + retc = stop_sync_thread(ipvs, IP_VS_STATE_BACKUP); + if (retc && retc != -ESRCH) + pr_err("Failed to stop Backup Daemon\n"); +- mutex_unlock(&ipvs->sync_mutex); + } +-- +2.20.1 + diff --git a/queue-4.14/iwlwifi-mvm-drop-large-non-sta-frames.patch b/queue-4.14/iwlwifi-mvm-drop-large-non-sta-frames.patch new file mode 100644 index 00000000000..744eb0dc4ed --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-drop-large-non-sta-frames.patch @@ -0,0 +1,39 @@ +From 5503ac0d1a1fba2c7fc4a9ab50e2af11452ff2f8 Mon Sep 17 00:00:00 2001 +From: Andrei Otcheretianski +Date: Mon, 15 Apr 2019 16:45:04 +0300 +Subject: iwlwifi: mvm: Drop large non sta frames + +[ Upstream commit ac70499ee97231a418dc1a4d6c9dc102e8f64631 ] + +In some buggy scenarios we could possible attempt to transmit frames larger +than maximum MSDU size. Since our devices don't know how to handle this, +it may result in asserts, hangs etc. +This can happen, for example, when we receive a large multicast frame +and try to transmit it back to the air in AP mode. +Since in a legal scenario this should never happen, drop such frames and +warn about it. + +Signed-off-by: Andrei Otcheretianski +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +index 62a6e293cf12..f0f2be432d20 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +@@ -621,6 +621,9 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mvm *mvm, struct sk_buff *skb) + + memcpy(&info, skb->cb, sizeof(info)); + ++ if (WARN_ON_ONCE(skb->len > IEEE80211_MAX_DATA_LEN + hdrlen)) ++ return -1; ++ + if (WARN_ON_ONCE(info.flags & IEEE80211_TX_CTL_AMPDU)) + return -1; + +-- +2.20.1 + diff --git a/queue-4.14/ixgbe-check-ddm-existence-in-transceiver-before-acce.patch b/queue-4.14/ixgbe-check-ddm-existence-in-transceiver-before-acce.patch new file mode 100644 index 00000000000..47502a190e1 --- /dev/null +++ b/queue-4.14/ixgbe-check-ddm-existence-in-transceiver-before-acce.patch @@ -0,0 +1,63 @@ +From 7742a5d1940711ec02d1496f208b23cbdbb02c1f Mon Sep 17 00:00:00 2001 +From: "Mauro S. M. Rodrigues" +Date: Thu, 23 May 2019 16:11:12 -0300 +Subject: ixgbe: Check DDM existence in transceiver before access + +[ Upstream commit 655c91414579d7bb115a4f7898ee726fc18e0984 ] + +Some transceivers may comply with SFF-8472 but not implement the Digital +Diagnostic Monitoring (DDM) interface described in it. The existence of +such area is specified by bit 6 of byte 92, set to 1 if implemented. + +Currently, due to not checking this bit ixgbe fails trying to read SFP +module's eeprom with the follow message: + +ethtool -m enP51p1s0f0 +Cannot get Module EEPROM data: Input/output error + +Because it fails to read the additional 256 bytes in which it was assumed +to exist the DDM data. + +This issue was noticed using a Mellanox Passive DAC PN 01FT738. The eeprom +data was confirmed by Mellanox as correct and present in other Passive +DACs in from other manufacturers. + +Signed-off-by: "Mauro S. M. Rodrigues" +Reviewed-by: Jesse Brandeburg +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 3 ++- + drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c +index c3e7a8191128..f7e68083200c 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c +@@ -3237,7 +3237,8 @@ static int ixgbe_get_module_info(struct net_device *dev, + page_swap = true; + } + +- if (sff8472_rev == IXGBE_SFF_SFF_8472_UNSUP || page_swap) { ++ if (sff8472_rev == IXGBE_SFF_SFF_8472_UNSUP || page_swap || ++ !(addr_mode & IXGBE_SFF_DDM_IMPLEMENTED)) { + /* We have a SFP, but it does not support SFF-8472 */ + modinfo->type = ETH_MODULE_SFF_8079; + modinfo->eeprom_len = ETH_MODULE_SFF_8079_LEN; +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h b/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h +index b0cac961df3b..94df1d99be95 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_phy.h +@@ -70,6 +70,7 @@ + #define IXGBE_SFF_SOFT_RS_SELECT_10G 0x8 + #define IXGBE_SFF_SOFT_RS_SELECT_1G 0x0 + #define IXGBE_SFF_ADDRESSING_MODE 0x4 ++#define IXGBE_SFF_DDM_IMPLEMENTED 0x40 + #define IXGBE_SFF_QSFP_DA_ACTIVE_CABLE 0x1 + #define IXGBE_SFF_QSFP_DA_PASSIVE_CABLE 0x8 + #define IXGBE_SFF_QSFP_CONNECTOR_NOT_SEPARABLE 0x23 +-- +2.20.1 + diff --git a/queue-4.14/libata-don-t-request-sense-data-on-zac-ata-devices.patch b/queue-4.14/libata-don-t-request-sense-data-on-zac-ata-devices.patch new file mode 100644 index 00000000000..056f956debe --- /dev/null +++ b/queue-4.14/libata-don-t-request-sense-data-on-zac-ata-devices.patch @@ -0,0 +1,68 @@ +From bd644a0ab1059782a501eb7fba1ccbbd38764e69 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Mon, 24 Jun 2019 09:32:50 -0700 +Subject: libata: don't request sense data on !ZAC ATA devices + +[ Upstream commit ca156e006add67e4beea7896be395160735e09b0 ] + +ZAC support added sense data requesting on error for both ZAC and ATA +devices. This seems to cause erratic error handling behaviors on some +SSDs where the device reports sense data availability and then +delivers the wrong content making EH take the wrong actions. The +failure mode was sporadic on a LITE-ON ssd and couldn't be reliably +reproduced. + +There is no value in requesting sense data from non-ZAC ATA devices +while there's a significant risk of introducing EH misbehaviors which +are difficult to reproduce and fix. Let's do the sense data dancing +only for ZAC devices. + +Reviewed-by: Hannes Reinecke +Tested-by: Masato Suzuki +Reviewed-by: Damien Le Moal +Signed-off-by: Tejun Heo +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-eh.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c +index 2651c81d1edf..c398be4b1797 100644 +--- a/drivers/ata/libata-eh.c ++++ b/drivers/ata/libata-eh.c +@@ -1535,7 +1535,7 @@ static int ata_eh_read_log_10h(struct ata_device *dev, + tf->hob_lbah = buf[10]; + tf->nsect = buf[12]; + tf->hob_nsect = buf[13]; +- if (ata_id_has_ncq_autosense(dev->id)) ++ if (dev->class == ATA_DEV_ZAC && ata_id_has_ncq_autosense(dev->id)) + tf->auxiliary = buf[14] << 16 | buf[15] << 8 | buf[16]; + + return 0; +@@ -1784,7 +1784,8 @@ void ata_eh_analyze_ncq_error(struct ata_link *link) + memcpy(&qc->result_tf, &tf, sizeof(tf)); + qc->result_tf.flags = ATA_TFLAG_ISADDR | ATA_TFLAG_LBA | ATA_TFLAG_LBA48; + qc->err_mask |= AC_ERR_DEV | AC_ERR_NCQ; +- if ((qc->result_tf.command & ATA_SENSE) || qc->result_tf.auxiliary) { ++ if (dev->class == ATA_DEV_ZAC && ++ ((qc->result_tf.command & ATA_SENSE) || qc->result_tf.auxiliary)) { + char sense_key, asc, ascq; + + sense_key = (qc->result_tf.auxiliary >> 16) & 0xff; +@@ -1838,10 +1839,11 @@ static unsigned int ata_eh_analyze_tf(struct ata_queued_cmd *qc, + } + + switch (qc->dev->class) { +- case ATA_DEV_ATA: + case ATA_DEV_ZAC: + if (stat & ATA_SENSE) + ata_eh_request_sense(qc, qc->scsicmd); ++ /* fall through */ ++ case ATA_DEV_ATA: + if (err & ATA_ICRC) + qc->err_mask |= AC_ERR_ATA_BUS; + if (err & (ATA_UNC | ATA_AMNF)) +-- +2.20.1 + diff --git a/queue-4.14/locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch b/queue-4.14/locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch new file mode 100644 index 00000000000..7cd4325ffcc --- /dev/null +++ b/queue-4.14/locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch @@ -0,0 +1,102 @@ +From 6f771f0bec08efeadda31f02356f60fb76c16079 Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Fri, 24 May 2019 23:15:09 +0300 +Subject: locking/lockdep: Fix merging of hlocks with non-zero references + +[ Upstream commit d9349850e188b8b59e5322fda17ff389a1c0cd7d ] + +The sequence + + static DEFINE_WW_CLASS(test_ww_class); + + struct ww_acquire_ctx ww_ctx; + struct ww_mutex ww_lock_a; + struct ww_mutex ww_lock_b; + struct ww_mutex ww_lock_c; + struct mutex lock_c; + + ww_acquire_init(&ww_ctx, &test_ww_class); + + ww_mutex_init(&ww_lock_a, &test_ww_class); + ww_mutex_init(&ww_lock_b, &test_ww_class); + ww_mutex_init(&ww_lock_c, &test_ww_class); + + mutex_init(&lock_c); + + ww_mutex_lock(&ww_lock_a, &ww_ctx); + + mutex_lock(&lock_c); + + ww_mutex_lock(&ww_lock_b, &ww_ctx); + ww_mutex_lock(&ww_lock_c, &ww_ctx); + + mutex_unlock(&lock_c); (*) + + ww_mutex_unlock(&ww_lock_c); + ww_mutex_unlock(&ww_lock_b); + ww_mutex_unlock(&ww_lock_a); + + ww_acquire_fini(&ww_ctx); (**) + +will trigger the following error in __lock_release() when calling +mutex_release() at **: + + DEBUG_LOCKS_WARN_ON(depth <= 0) + +The problem is that the hlock merging happening at * updates the +references for test_ww_class incorrectly to 3 whereas it should've +updated it to 4 (representing all the instances for ww_ctx and +ww_lock_[abc]). + +Fix this by updating the references during merging correctly taking into +account that we can have non-zero references (both for the hlock that we +merge into another hlock or for the hlock we are merging into). + +Signed-off-by: Imre Deak +Signed-off-by: Peter Zijlstra (Intel) +Cc: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Will Deacon +Link: https://lkml.kernel.org/r/20190524201509.9199-2-imre.deak@intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/locking/lockdep.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c +index bf694c709b96..565005a3b8f0 100644 +--- a/kernel/locking/lockdep.c ++++ b/kernel/locking/lockdep.c +@@ -3402,17 +3402,17 @@ static int __lock_acquire(struct lockdep_map *lock, unsigned int subclass, + if (depth && !cross_lock(lock)) { + hlock = curr->held_locks + depth - 1; + if (hlock->class_idx == class_idx && nest_lock) { +- if (hlock->references) { +- /* +- * Check: unsigned int references:12, overflow. +- */ +- if (DEBUG_LOCKS_WARN_ON(hlock->references == (1 << 12)-1)) +- return 0; ++ if (!references) ++ references++; + ++ if (!hlock->references) + hlock->references++; +- } else { +- hlock->references = 2; +- } ++ ++ hlock->references += references; ++ ++ /* Overflow */ ++ if (DEBUG_LOCKS_WARN_ON(hlock->references < references)) ++ return 0; + + return 1; + } +-- +2.20.1 + diff --git a/queue-4.14/media-coda-fix-last-buffer-handling-in-v4l2_enc_cmd_.patch b/queue-4.14/media-coda-fix-last-buffer-handling-in-v4l2_enc_cmd_.patch new file mode 100644 index 00000000000..60d5c6dba6c --- /dev/null +++ b/queue-4.14/media-coda-fix-last-buffer-handling-in-v4l2_enc_cmd_.patch @@ -0,0 +1,46 @@ +From 83d0cf2e2a5b083e951ebd1cea876ec93202a2c0 Mon Sep 17 00:00:00 2001 +From: Marco Felsch +Date: Tue, 18 Jun 2019 12:45:11 -0400 +Subject: media: coda: fix last buffer handling in V4L2_ENC_CMD_STOP + +[ Upstream commit f3775f89852d167990b0d718587774cf00d22ac2 ] + +coda_encoder_cmd() is racy, as the last scheduled picture run worker can +still be in-flight while the ENC_CMD_STOP command is issued. Depending +on the exact timing the sequence numbers might already be changed, but +the last buffer might not have been put on the destination queue yet. + +In this case the current implementation would prematurely wake the +destination queue with last_buffer_dequeued=true, causing userspace to +call streamoff before the last buffer is handled. + +Close this race window by synchronizing with the pic_run_worker before +doing the sequence check. + +Signed-off-by: Marco Felsch +[l.stach@pengutronix.de: switch to flush_work, reword commit message] +Signed-off-by: Lucas Stach +Signed-off-by: Philipp Zabel +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/coda/coda-common.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/platform/coda/coda-common.c b/drivers/media/platform/coda/coda-common.c +index 2e1472fadc2c..5b87c488ee11 100644 +--- a/drivers/media/platform/coda/coda-common.c ++++ b/drivers/media/platform/coda/coda-common.c +@@ -932,6 +932,8 @@ static int coda_encoder_cmd(struct file *file, void *fh, + /* Set the stream-end flag on this context */ + ctx->bit_stream_param |= CODA_BIT_STREAM_END_FLAG; + ++ flush_work(&ctx->pic_run_work); ++ + /* If there is no buffer in flight, wake up */ + if (!ctx->streamon_out || ctx->qsequence == ctx->osequence) { + dst_vq = v4l2_m2m_get_vq(ctx->fh.m2m_ctx, +-- +2.20.1 + diff --git a/queue-4.14/media-coda-fix-mpeg2-sequence-number-handling.patch b/queue-4.14/media-coda-fix-mpeg2-sequence-number-handling.patch new file mode 100644 index 00000000000..58d8e5fa2f8 --- /dev/null +++ b/queue-4.14/media-coda-fix-mpeg2-sequence-number-handling.patch @@ -0,0 +1,46 @@ +From 06034806c0e8359b8e94b8cc0d9472b1cf09d88e Mon Sep 17 00:00:00 2001 +From: Philipp Zabel +Date: Tue, 18 Jun 2019 12:45:10 -0400 +Subject: media: coda: fix mpeg2 sequence number handling + +[ Upstream commit 56d159a4ec6d8da7313aac6fcbb95d8fffe689ba ] + +Sequence number handling assumed that the BIT processor frame number +starts counting at 1, but this is not true for the MPEG-2 decoder, +which starts at 0. Fix the sequence counter offset detection to handle +this. + +Signed-off-by: Philipp Zabel +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/coda/coda-bit.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c +index 6eee55430d46..43eb5d51cf23 100644 +--- a/drivers/media/platform/coda/coda-bit.c ++++ b/drivers/media/platform/coda/coda-bit.c +@@ -1679,6 +1679,7 @@ static int __coda_start_decoding(struct coda_ctx *ctx) + v4l2_err(&dev->v4l2_dev, "CODA_COMMAND_SEQ_INIT timeout\n"); + return ret; + } ++ ctx->sequence_offset = ~0U; + ctx->initialized = 1; + + /* Update kfifo out pointer from coda bitstream read pointer */ +@@ -2095,7 +2096,9 @@ static void coda_finish_decode(struct coda_ctx *ctx) + v4l2_err(&dev->v4l2_dev, + "decoded frame index out of range: %d\n", decoded_idx); + } else { +- val = coda_read(dev, CODA_RET_DEC_PIC_FRAME_NUM) - 1; ++ val = coda_read(dev, CODA_RET_DEC_PIC_FRAME_NUM); ++ if (ctx->sequence_offset == -1) ++ ctx->sequence_offset = val; + val -= ctx->sequence_offset; + spin_lock_irqsave(&ctx->buffer_meta_lock, flags); + if (!list_empty(&ctx->buffer_meta_list)) { +-- +2.20.1 + diff --git a/queue-4.14/media-coda-increment-sequence-offset-for-the-last-re.patch b/queue-4.14/media-coda-increment-sequence-offset-for-the-last-re.patch new file mode 100644 index 00000000000..7174486e23b --- /dev/null +++ b/queue-4.14/media-coda-increment-sequence-offset-for-the-last-re.patch @@ -0,0 +1,37 @@ +From fb1a240feb31631e0b0ac960df150d40de10f5a4 Mon Sep 17 00:00:00 2001 +From: Philipp Zabel +Date: Tue, 18 Jun 2019 12:45:22 -0400 +Subject: media: coda: increment sequence offset for the last returned frame + +[ Upstream commit b3b7d96817cdb8b6fc353867705275dce8f41ccc ] + +If no more frames are decoded in bitstream end mode, and a previously +decoded frame has been returned, the firmware still increments the frame +number. To avoid a sequence number mismatch after decoder restart, +increment the sequence_offset correction parameter. + +Signed-off-by: Philipp Zabel +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/coda/coda-bit.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c +index 43eb5d51cf23..f0f2175265a9 100644 +--- a/drivers/media/platform/coda/coda-bit.c ++++ b/drivers/media/platform/coda/coda-bit.c +@@ -2091,6 +2091,9 @@ static void coda_finish_decode(struct coda_ctx *ctx) + else if (ctx->display_idx < 0) + ctx->hold = true; + } else if (decoded_idx == -2) { ++ if (ctx->display_idx >= 0 && ++ ctx->display_idx < ctx->num_internal_frames) ++ ctx->sequence_offset++; + /* no frame was decoded, we still return remaining buffers */ + } else if (decoded_idx < 0 || decoded_idx >= ctx->num_internal_frames) { + v4l2_err(&dev->v4l2_dev, +-- +2.20.1 + diff --git a/queue-4.14/media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch b/queue-4.14/media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch new file mode 100644 index 00000000000..6fcc92313a0 --- /dev/null +++ b/queue-4.14/media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch @@ -0,0 +1,44 @@ +From cd229139e856b06c3b87ffec9b2fd690dfacf9a4 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 30 Apr 2019 09:07:36 -0400 +Subject: media: dvb: usb: fix use after free in dvb_usb_device_exit + +[ Upstream commit 6cf97230cd5f36b7665099083272595c55d72be7 ] + +dvb_usb_device_exit() frees and uses the device name in that order. +Fix by storing the name in a buffer before freeing it. + +Signed-off-by: Oliver Neukum +Reported-by: syzbot+26ec41e9f788b3eba396@syzkaller.appspotmail.com +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/dvb-usb-init.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c +index 84308569e7dc..b3413404f91a 100644 +--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c ++++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c +@@ -287,12 +287,15 @@ EXPORT_SYMBOL(dvb_usb_device_init); + void dvb_usb_device_exit(struct usb_interface *intf) + { + struct dvb_usb_device *d = usb_get_intfdata(intf); +- const char *name = "generic DVB-USB module"; ++ const char *default_name = "generic DVB-USB module"; ++ char name[40]; + + usb_set_intfdata(intf, NULL); + if (d != NULL && d->desc != NULL) { +- name = d->desc->name; ++ strscpy(name, d->desc->name, sizeof(name)); + dvb_usb_exit(d); ++ } else { ++ strscpy(name, default_name, sizeof(name)); + } + info("%s successfully deinitialized and disconnected.", name); + +-- +2.20.1 + diff --git a/queue-4.14/media-fdp1-support-m3n-and-e3-platforms.patch b/queue-4.14/media-fdp1-support-m3n-and-e3-platforms.patch new file mode 100644 index 00000000000..3ae4d11e632 --- /dev/null +++ b/queue-4.14/media-fdp1-support-m3n-and-e3-platforms.patch @@ -0,0 +1,51 @@ +From c027e5c7d80bc793446d6a21c8522d86ab5929cd Mon Sep 17 00:00:00 2001 +From: Kieran Bingham +Date: Wed, 15 May 2019 11:39:12 -0400 +Subject: media: fdp1: Support M3N and E3 platforms + +[ Upstream commit 4e8c120de9268fc26f583268b9d22e7d37c4595f ] + +New Gen3 R-Car platforms incorporate the FDP1 with an updated version +register. No code change is required to support these targets, but they +will currently report an error stating that the device can not be +identified. + +Update the driver to match against the new device types. + +Signed-off-by: Kieran Bingham +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rcar_fdp1.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/media/platform/rcar_fdp1.c b/drivers/media/platform/rcar_fdp1.c +index 3245bc45f4a0..a889332d5d30 100644 +--- a/drivers/media/platform/rcar_fdp1.c ++++ b/drivers/media/platform/rcar_fdp1.c +@@ -261,6 +261,8 @@ MODULE_PARM_DESC(debug, "activate debug info"); + #define FD1_IP_H3_ES1 0x02010101 + #define FD1_IP_M3W 0x02010202 + #define FD1_IP_H3 0x02010203 ++#define FD1_IP_M3N 0x02010204 ++#define FD1_IP_E3 0x02010205 + + /* LUTs */ + #define FD1_LUT_DIF_ADJ 0x1000 +@@ -2369,6 +2371,12 @@ static int fdp1_probe(struct platform_device *pdev) + case FD1_IP_H3: + dprintk(fdp1, "FDP1 Version R-Car H3\n"); + break; ++ case FD1_IP_M3N: ++ dprintk(fdp1, "FDP1 Version R-Car M3N\n"); ++ break; ++ case FD1_IP_E3: ++ dprintk(fdp1, "FDP1 Version R-Car E3\n"); ++ break; + default: + dev_err(fdp1->dev, "FDP1 Unidentifiable (0x%08x)\n", + hw_version); +-- +2.20.1 + diff --git a/queue-4.14/media-hdpvr-fix-locking-and-a-missing-msleep.patch b/queue-4.14/media-hdpvr-fix-locking-and-a-missing-msleep.patch new file mode 100644 index 00000000000..958626aa5f3 --- /dev/null +++ b/queue-4.14/media-hdpvr-fix-locking-and-a-missing-msleep.patch @@ -0,0 +1,81 @@ +From 8bba2ce9098394ed3f46a7d38f71449b516e2420 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Thu, 20 Jun 2019 07:43:41 -0400 +Subject: media: hdpvr: fix locking and a missing msleep + +[ Upstream commit 6bc5a4a1927556ff9adce1aa95ea408c95453225 ] + +This driver has three locking issues: + +- The wait_event_interruptible() condition calls hdpvr_get_next_buffer(dev) + which uses a mutex, which is not allowed. Rewrite with list_empty_careful() + that doesn't need locking. + +- In hdpvr_read() the call to hdpvr_stop_streaming() didn't lock io_mutex, + but it should have since stop_streaming expects that. + +- In hdpvr_device_release() io_mutex was locked when calling flush_work(), + but there it shouldn't take that mutex since the work done by flush_work() + also wants to lock that mutex. + +There are also two other changes (suggested by Keith): + +- msecs_to_jiffies(4000); (a NOP) should have been msleep(4000). +- Change v4l2_dbg to v4l2_info to always log if streaming had to be restarted. + +Reported-by: Keith Pyle +Suggested-by: Keith Pyle +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/hdpvr/hdpvr-video.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/drivers/media/usb/hdpvr/hdpvr-video.c b/drivers/media/usb/hdpvr/hdpvr-video.c +index 7fb036d6a86e..991f820a4530 100644 +--- a/drivers/media/usb/hdpvr/hdpvr-video.c ++++ b/drivers/media/usb/hdpvr/hdpvr-video.c +@@ -439,7 +439,7 @@ static ssize_t hdpvr_read(struct file *file, char __user *buffer, size_t count, + /* wait for the first buffer */ + if (!(file->f_flags & O_NONBLOCK)) { + if (wait_event_interruptible(dev->wait_data, +- hdpvr_get_next_buffer(dev))) ++ !list_empty_careful(&dev->rec_buff_list))) + return -ERESTARTSYS; + } + +@@ -465,10 +465,17 @@ static ssize_t hdpvr_read(struct file *file, char __user *buffer, size_t count, + goto err; + } + if (!err) { +- v4l2_dbg(MSG_INFO, hdpvr_debug, &dev->v4l2_dev, +- "timeout: restart streaming\n"); ++ v4l2_info(&dev->v4l2_dev, ++ "timeout: restart streaming\n"); ++ mutex_lock(&dev->io_mutex); + hdpvr_stop_streaming(dev); +- msecs_to_jiffies(4000); ++ mutex_unlock(&dev->io_mutex); ++ /* ++ * The FW needs about 4 seconds after streaming ++ * stopped before it is ready to restart ++ * streaming. ++ */ ++ msleep(4000); + err = hdpvr_start_streaming(dev); + if (err) { + ret = err; +@@ -1133,9 +1140,7 @@ static void hdpvr_device_release(struct video_device *vdev) + struct hdpvr_device *dev = video_get_drvdata(vdev); + + hdpvr_delete(dev); +- mutex_lock(&dev->io_mutex); + flush_work(&dev->worker); +- mutex_unlock(&dev->io_mutex); + + v4l2_device_unregister(&dev->v4l2_dev); + v4l2_ctrl_handler_free(&dev->hdl); +-- +2.20.1 + diff --git a/queue-4.14/media-i2c-fix-warning-same-module-names.patch b/queue-4.14/media-i2c-fix-warning-same-module-names.patch new file mode 100644 index 00000000000..23f01bacced --- /dev/null +++ b/queue-4.14/media-i2c-fix-warning-same-module-names.patch @@ -0,0 +1,60 @@ +From 12bfb3c98956a9c1741cbe758cd81082491787cd Mon Sep 17 00:00:00 2001 +From: Anders Roxell +Date: Wed, 12 Jun 2019 12:19:35 -0400 +Subject: media: i2c: fix warning same module names + +[ Upstream commit b2ce5617dad254230551feda3599f2cc68e53ad8 ] + +When building with CONFIG_VIDEO_ADV7511 and CONFIG_DRM_I2C_ADV7511 +enabled as loadable modules, we see the following warning: + + drivers/gpu/drm/bridge/adv7511/adv7511.ko + drivers/media/i2c/adv7511.ko + +Rework so that the file is named adv7511-v4l2.c. + +Signed-off-by: Anders Roxell +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/Makefile | 2 +- + drivers/media/i2c/{adv7511.c => adv7511-v4l2.c} | 5 +++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + rename drivers/media/i2c/{adv7511.c => adv7511-v4l2.c} (99%) + +diff --git a/drivers/media/i2c/Makefile b/drivers/media/i2c/Makefile +index f104650d6000..0f5c5a3cdca3 100644 +--- a/drivers/media/i2c/Makefile ++++ b/drivers/media/i2c/Makefile +@@ -33,7 +33,7 @@ obj-$(CONFIG_VIDEO_ADV748X) += adv748x/ + obj-$(CONFIG_VIDEO_ADV7604) += adv7604.o + obj-$(CONFIG_VIDEO_ADV7842) += adv7842.o + obj-$(CONFIG_VIDEO_AD9389B) += ad9389b.o +-obj-$(CONFIG_VIDEO_ADV7511) += adv7511.o ++obj-$(CONFIG_VIDEO_ADV7511) += adv7511-v4l2.o + obj-$(CONFIG_VIDEO_VPX3220) += vpx3220.o + obj-$(CONFIG_VIDEO_VS6624) += vs6624.o + obj-$(CONFIG_VIDEO_BT819) += bt819.o +diff --git a/drivers/media/i2c/adv7511.c b/drivers/media/i2c/adv7511-v4l2.c +similarity index 99% +rename from drivers/media/i2c/adv7511.c +rename to drivers/media/i2c/adv7511-v4l2.c +index 80c20404334a..ef1144668809 100644 +--- a/drivers/media/i2c/adv7511.c ++++ b/drivers/media/i2c/adv7511-v4l2.c +@@ -17,6 +17,11 @@ + * SOFTWARE. + */ + ++/* ++ * This file is named adv7511-v4l2.c so it doesn't conflict with the Analog ++ * Device ADV7511 (config fragment CONFIG_DRM_I2C_ADV7511). ++ */ ++ + + #include + #include +-- +2.20.1 + diff --git a/queue-4.14/media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch b/queue-4.14/media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch new file mode 100644 index 00000000000..457c59ddda4 --- /dev/null +++ b/queue-4.14/media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch @@ -0,0 +1,64 @@ +From 2462c5f41d9198853eb699bd5f9376af22efaa8f Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Sun, 5 May 2019 10:00:23 -0400 +Subject: media: marvell-ccic: fix DMA s/g desc number calculation + +[ Upstream commit 0c7aa32966dab0b8a7424e1b34c7f206817953ec ] + +The commit d790b7eda953 ("[media] vb2-dma-sg: move dma_(un)map_sg here") +left dma_desc_nent unset. It previously contained the number of DMA +descriptors as returned from dma_map_sg(). + +We can now (since the commit referred to above) obtain the same value from +the sg_table and drop dma_desc_nent altogether. + +Tested on OLPC XO-1.75 machine. Doesn't affect the OLPC XO-1's Cafe +driver, since that one doesn't do DMA. + +[mchehab+samsung@kernel.org: fix a checkpatch warning] + +Fixes: d790b7eda953 ("[media] vb2-dma-sg: move dma_(un)map_sg here") +Signed-off-by: Lubomir Rintel +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/marvell-ccic/mcam-core.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/marvell-ccic/mcam-core.c b/drivers/media/platform/marvell-ccic/mcam-core.c +index 7b7250b1cff8..4ecb94860aa4 100644 +--- a/drivers/media/platform/marvell-ccic/mcam-core.c ++++ b/drivers/media/platform/marvell-ccic/mcam-core.c +@@ -200,7 +200,6 @@ struct mcam_vb_buffer { + struct list_head queue; + struct mcam_dma_desc *dma_desc; /* Descriptor virtual address */ + dma_addr_t dma_desc_pa; /* Descriptor physical address */ +- int dma_desc_nent; /* Number of mapped descriptors */ + }; + + static inline struct mcam_vb_buffer *vb_to_mvb(struct vb2_v4l2_buffer *vb) +@@ -608,9 +607,11 @@ static void mcam_dma_contig_done(struct mcam_camera *cam, int frame) + static void mcam_sg_next_buffer(struct mcam_camera *cam) + { + struct mcam_vb_buffer *buf; ++ struct sg_table *sg_table; + + buf = list_first_entry(&cam->buffers, struct mcam_vb_buffer, queue); + list_del_init(&buf->queue); ++ sg_table = vb2_dma_sg_plane_desc(&buf->vb_buf.vb2_buf, 0); + /* + * Very Bad Not Good Things happen if you don't clear + * C1_DESC_ENA before making any descriptor changes. +@@ -618,7 +619,7 @@ static void mcam_sg_next_buffer(struct mcam_camera *cam) + mcam_reg_clear_bit(cam, REG_CTRL1, C1_DESC_ENA); + mcam_reg_write(cam, REG_DMA_DESC_Y, buf->dma_desc_pa); + mcam_reg_write(cam, REG_DESC_LEN_Y, +- buf->dma_desc_nent*sizeof(struct mcam_dma_desc)); ++ sg_table->nents * sizeof(struct mcam_dma_desc)); + mcam_reg_write(cam, REG_DESC_LEN_U, 0); + mcam_reg_write(cam, REG_DESC_LEN_V, 0); + mcam_reg_set_bit(cam, REG_CTRL1, C1_DESC_ENA); +-- +2.20.1 + diff --git a/queue-4.14/media-mc-device.c-don-t-memset-__user-pointer-conten.patch b/queue-4.14/media-mc-device.c-don-t-memset-__user-pointer-conten.patch new file mode 100644 index 00000000000..a02cd7b719c --- /dev/null +++ b/queue-4.14/media-mc-device.c-don-t-memset-__user-pointer-conten.patch @@ -0,0 +1,43 @@ +From f2cd129d56bbbafb1b2363b44972249b42890053 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Mon, 27 May 2019 05:31:13 -0400 +Subject: media: mc-device.c: don't memset __user pointer contents + +[ Upstream commit 518fa4e0e0da97ea2e17c95ab57647ce748a96e2 ] + +You can't memset the contents of a __user pointer. Instead, call copy_to_user to +copy links.reserved (which is zeroed) to the user memory. + +This fixes this sparse warning: + +SPARSE:drivers/media/mc/mc-device.c drivers/media/mc/mc-device.c:521:16: warning: incorrect type in argument 1 (different address spaces) + +Fixes: f49308878d720 ("media: media_device_enum_links32: clean a reserved field") + +Signed-off-by: Hans Verkuil +Reviewed-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/media-device.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c +index a6d56154fac7..4eb51a618fe1 100644 +--- a/drivers/media/media-device.c ++++ b/drivers/media/media-device.c +@@ -486,8 +486,9 @@ static long media_device_enum_links32(struct media_device *mdev, + if (ret) + return ret; + +- memset(ulinks->reserved, 0, sizeof(ulinks->reserved)); +- ++ if (copy_to_user(ulinks->reserved, links.reserved, ++ sizeof(ulinks->reserved))) ++ return -EFAULT; + return 0; + } + +-- +2.20.1 + diff --git a/queue-4.14/media-media_device_enum_links32-clean-a-reserved-fie.patch b/queue-4.14/media-media_device_enum_links32-clean-a-reserved-fie.patch new file mode 100644 index 00000000000..1a733652828 --- /dev/null +++ b/queue-4.14/media-media_device_enum_links32-clean-a-reserved-fie.patch @@ -0,0 +1,55 @@ +From 940398becce455e71521ee6418802802d200d01e Mon Sep 17 00:00:00 2001 +From: Jungo Lin +Date: Tue, 2 Apr 2019 21:44:27 -0400 +Subject: media: media_device_enum_links32: clean a reserved field + +[ Upstream commit f49308878d7202e07d8761238e01bd0e5fce2750 ] + +In v4l2-compliance utility, test MEDIA_IOC_ENUM_ENTITIES +will check whether reserved field of media_links_enum filled +with zero. + +However, for 32 bit program, the reserved field is missing +copy from kernel space to user space in media_device_enum_links32 +function. + +This patch adds the cleaning a reserved field logic in +media_device_enum_links32 function. + +Signed-off-by: Jungo Lin +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/media-device.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c +index 62b2c5d9bdfb..a6d56154fac7 100644 +--- a/drivers/media/media-device.c ++++ b/drivers/media/media-device.c +@@ -470,6 +470,7 @@ static long media_device_enum_links32(struct media_device *mdev, + { + struct media_links_enum links; + compat_uptr_t pads_ptr, links_ptr; ++ int ret; + + memset(&links, 0, sizeof(links)); + +@@ -481,7 +482,13 @@ static long media_device_enum_links32(struct media_device *mdev, + links.pads = compat_ptr(pads_ptr); + links.links = compat_ptr(links_ptr); + +- return media_device_enum_links(mdev, &links); ++ ret = media_device_enum_links(mdev, &links); ++ if (ret) ++ return ret; ++ ++ memset(ulinks->reserved, 0, sizeof(ulinks->reserved)); ++ ++ return 0; + } + + #define MEDIA_IOC_ENUM_LINKS32 _IOWR('|', 0x02, struct media_links_enum32) +-- +2.20.1 + diff --git a/queue-4.14/media-s5p-mfc-make-additional-clocks-optional.patch b/queue-4.14/media-s5p-mfc-make-additional-clocks-optional.patch new file mode 100644 index 00000000000..ba96db7305b --- /dev/null +++ b/queue-4.14/media-s5p-mfc-make-additional-clocks-optional.patch @@ -0,0 +1,44 @@ +From 8b86a927e9154d099b34bef0282b68aa4421557f Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Thu, 13 Jun 2019 06:48:34 -0400 +Subject: media: s5p-mfc: Make additional clocks optional + +[ Upstream commit e08efef8fe7db87206314c19b341612c719f891a ] + +Since the beginning the second clock ('special', 'sclk') was optional and +it is not available on some variants of Exynos SoCs (i.e. Exynos5420 with +v7 of MFC hardware). + +However commit 1bce6fb3edf1 ("[media] s5p-mfc: Rework clock handling") +made handling of all specified clocks mandatory. This patch restores +original behavior of the driver and fixes its operation on +Exynos5420 SoCs. + +Fixes: 1bce6fb3edf1 ("[media] s5p-mfc: Rework clock handling") +Signed-off-by: Marek Szyprowski +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s5p-mfc/s5p_mfc_pm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c b/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c +index eb85cedc5ef3..5e080f32b0e8 100644 +--- a/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c ++++ b/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c +@@ -38,6 +38,11 @@ int s5p_mfc_init_pm(struct s5p_mfc_dev *dev) + for (i = 0; i < pm->num_clocks; i++) { + pm->clocks[i] = devm_clk_get(pm->device, pm->clk_names[i]); + if (IS_ERR(pm->clocks[i])) { ++ /* additional clocks are optional */ ++ if (i && PTR_ERR(pm->clocks[i]) == -ENOENT) { ++ pm->clocks[i] = NULL; ++ continue; ++ } + mfc_err("Failed to get clock: %s\n", + pm->clk_names[i]); + return PTR_ERR(pm->clocks[i]); +-- +2.20.1 + diff --git a/queue-4.14/media-spi-ir-led-add-missing-of-table-registration.patch b/queue-4.14/media-spi-ir-led-add-missing-of-table-registration.patch new file mode 100644 index 00000000000..e04dc8fc205 --- /dev/null +++ b/queue-4.14/media-spi-ir-led-add-missing-of-table-registration.patch @@ -0,0 +1,42 @@ +From 3b61128caa41b9080f26591ea680d5850ff0c5bc Mon Sep 17 00:00:00 2001 +From: Daniel Gomez +Date: Mon, 22 Apr 2019 15:10:20 -0400 +Subject: media: spi: IR LED: add missing of table registration + +[ Upstream commit 24e4cf770371df6ad49ed873f21618d9878f64c8 ] + +MODULE_DEVICE_TABLE(of, should be called to complete DT +OF mathing mechanism and register it. + +Before this patch: +modinfo drivers/media/rc/ir-spi.ko | grep alias + +After this patch: +modinfo drivers/media/rc/ir-spi.ko | grep alias +alias: of:N*T*Cir-spi-ledC* +alias: of:N*T*Cir-spi-led + +Reported-by: Javier Martinez Canillas +Signed-off-by: Daniel Gomez +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/rc/ir-spi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/rc/ir-spi.c b/drivers/media/rc/ir-spi.c +index 29ed0638cb74..cbe585f95715 100644 +--- a/drivers/media/rc/ir-spi.c ++++ b/drivers/media/rc/ir-spi.c +@@ -186,6 +186,7 @@ static const struct of_device_id ir_spi_of_match[] = { + { .compatible = "ir-spi-led" }, + {}, + }; ++MODULE_DEVICE_TABLE(of, ir_spi_of_match); + + static struct spi_driver ir_spi_driver = { + .probe = ir_spi_probe, +-- +2.20.1 + diff --git a/queue-4.14/media-staging-media-davinci_vpfe-fix-for-memory-leak.patch b/queue-4.14/media-staging-media-davinci_vpfe-fix-for-memory-leak.patch new file mode 100644 index 00000000000..c5dad045703 --- /dev/null +++ b/queue-4.14/media-staging-media-davinci_vpfe-fix-for-memory-leak.patch @@ -0,0 +1,36 @@ +From 87636271aa838ad47ae1da099f523e1e8b8d9a22 Mon Sep 17 00:00:00 2001 +From: Shailendra Verma +Date: Thu, 24 Nov 2016 23:57:34 -0500 +Subject: media: staging: media: davinci_vpfe: - Fix for memory leak if decoder + initialization fails. + +[ Upstream commit 6995a659101bd4effa41cebb067f9dc18d77520d ] + +Fix to avoid possible memory leak if the decoder initialization +got failed.Free the allocated memory for file handle object +before return in case decoder initialization fails. + +Signed-off-by: Shailendra Verma +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/davinci_vpfe/vpfe_video.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/staging/media/davinci_vpfe/vpfe_video.c b/drivers/staging/media/davinci_vpfe/vpfe_video.c +index 155e8c758e4b..346e60d230f3 100644 +--- a/drivers/staging/media/davinci_vpfe/vpfe_video.c ++++ b/drivers/staging/media/davinci_vpfe/vpfe_video.c +@@ -422,6 +422,9 @@ static int vpfe_open(struct file *file) + /* If decoder is not initialized. initialize it */ + if (!video->initialized && vpfe_update_pipe_state(video)) { + mutex_unlock(&video->lock); ++ v4l2_fh_del(&handle->vfh); ++ v4l2_fh_exit(&handle->vfh); ++ kfree(handle); + return -ENODEV; + } + /* Increment device users counter */ +-- +2.20.1 + diff --git a/queue-4.14/media-vimc-cap-check-v4l2_fill_pixfmt-return-value.patch b/queue-4.14/media-vimc-cap-check-v4l2_fill_pixfmt-return-value.patch new file mode 100644 index 00000000000..6452f57b7b9 --- /dev/null +++ b/queue-4.14/media-vimc-cap-check-v4l2_fill_pixfmt-return-value.patch @@ -0,0 +1,49 @@ +From 467085276714f3e427bf4a3af457567adf4179ce Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Andr=C3=A9=20Almeida?= +Date: Mon, 17 Jun 2019 12:28:02 -0400 +Subject: media: vimc: cap: check v4l2_fill_pixfmt return value +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 77ae46e11df5c96bb4582633851f838f5d954df4 ] + +v4l2_fill_pixfmt() returns -EINVAL if the pixelformat used as parameter is +invalid or if the user is trying to use a multiplanar format with the +singleplanar API. Currently, the vimc_cap_try_fmt_vid_cap() returns such +value, but vimc_cap_s_fmt_vid_cap() is ignoring it. Fix that and returns +an error value if vimc_cap_try_fmt_vid_cap() has failed. + +Signed-off-by: André Almeida +Suggested-by: Helen Koike +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/vimc/vimc-capture.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/vimc/vimc-capture.c b/drivers/media/platform/vimc/vimc-capture.c +index a078ad18909a..091921ed09dd 100644 +--- a/drivers/media/platform/vimc/vimc-capture.c ++++ b/drivers/media/platform/vimc/vimc-capture.c +@@ -131,12 +131,15 @@ static int vimc_cap_s_fmt_vid_cap(struct file *file, void *priv, + struct v4l2_format *f) + { + struct vimc_cap_device *vcap = video_drvdata(file); ++ int ret; + + /* Do not change the format while stream is on */ + if (vb2_is_busy(&vcap->queue)) + return -EBUSY; + +- vimc_cap_try_fmt_vid_cap(file, priv, f); ++ ret = vimc_cap_try_fmt_vid_cap(file, priv, f); ++ if (ret) ++ return ret; + + dev_dbg(vcap->dev, "%s: format update: " + "old:%dx%d (0x%x, %d, %d, %d, %d) " +-- +2.20.1 + diff --git a/queue-4.14/media-vpss-fix-a-potential-null-pointer-dereference.patch b/queue-4.14/media-vpss-fix-a-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..1cbb6c1e51b --- /dev/null +++ b/queue-4.14/media-vpss-fix-a-potential-null-pointer-dereference.patch @@ -0,0 +1,38 @@ +From 84cc366998399955e753e8cc7ec77e9bab9d23fb Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Fri, 22 Mar 2019 22:51:06 -0400 +Subject: media: vpss: fix a potential NULL pointer dereference + +[ Upstream commit e08f0761234def47961d3252eac09ccedfe4c6a0 ] + +In case ioremap fails, the fix returns -ENOMEM to avoid NULL +pointer dereference. + +Signed-off-by: Kangjie Lu +Acked-by: Lad, Prabhakar +Reviewed-by: Mukesh Ojha +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/davinci/vpss.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/media/platform/davinci/vpss.c b/drivers/media/platform/davinci/vpss.c +index f2d27b932999..2ee4cd9e6d80 100644 +--- a/drivers/media/platform/davinci/vpss.c ++++ b/drivers/media/platform/davinci/vpss.c +@@ -518,6 +518,11 @@ static int __init vpss_init(void) + return -EBUSY; + + oper_cfg.vpss_regs_base2 = ioremap(VPSS_CLK_CTRL, 4); ++ if (unlikely(!oper_cfg.vpss_regs_base2)) { ++ release_mem_region(VPSS_CLK_CTRL, 4); ++ return -ENOMEM; ++ } ++ + writel(VPSS_CLK_CTRL_VENCCLKEN | + VPSS_CLK_CTRL_DACCLKEN, oper_cfg.vpss_regs_base2); + +-- +2.20.1 + diff --git a/queue-4.14/media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch b/queue-4.14/media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch new file mode 100644 index 00000000000..60157bd28b1 --- /dev/null +++ b/queue-4.14/media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch @@ -0,0 +1,100 @@ +From a713664e641ec43d117c16c83b656cf6b31b3c34 Mon Sep 17 00:00:00 2001 +From: Kefeng Wang +Date: Thu, 30 May 2019 03:25:49 -0400 +Subject: media: wl128x: Fix some error handling in fm_v4l2_init_video_device() + +[ Upstream commit 69fbb3f47327d959830c94bf31893972b8c8f700 ] + +X-Originating-IP: [10.175.113.25] +X-CFilter-Loop: Reflected +The fm_v4l2_init_video_device() forget to unregister v4l2/video device +in the error path, it could lead to UAF issue, eg, + + BUG: KASAN: use-after-free in atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline] + BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:28 [inline] + BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206 + Read of size 8 at addr ffff8881e84a7c70 by task v4l_id/3659 + + CPU: 1 PID: 3659 Comm: v4l_id Not tainted 5.1.0 #8 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 + Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xa9/0x10e lib/dump_stack.c:113 + print_address_description+0x65/0x270 mm/kasan/report.c:187 + kasan_report+0x149/0x18d mm/kasan/report.c:317 + atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline] + atomic_long_read include/asm-generic/atomic-long.h:28 [inline] + __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206 + fm_v4l2_fops_open+0xac/0x120 [fm_drv] + v4l2_open+0x191/0x390 [videodev] + chrdev_open+0x20d/0x570 fs/char_dev.c:417 + do_dentry_open+0x700/0xf30 fs/open.c:777 + do_last fs/namei.c:3416 [inline] + path_openat+0x7c4/0x2a90 fs/namei.c:3532 + do_filp_open+0x1a5/0x2b0 fs/namei.c:3563 + do_sys_open+0x302/0x490 fs/open.c:1069 + do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + RIP: 0033:0x7f8180c17c8e + ... + Allocated by task 3642: + set_track mm/kasan/common.c:87 [inline] + __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:497 + fm_drv_init+0x13/0x1000 [fm_drv] + do_one_initcall+0xbc/0x47d init/main.c:901 + do_init_module+0x1b5/0x547 kernel/module.c:3456 + load_module+0x6405/0x8c10 kernel/module.c:3804 + __do_sys_finit_module+0x162/0x190 kernel/module.c:3898 + do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + + Freed by task 3642: + set_track mm/kasan/common.c:87 [inline] + __kasan_slab_free+0x130/0x180 mm/kasan/common.c:459 + slab_free_hook mm/slub.c:1429 [inline] + slab_free_freelist_hook mm/slub.c:1456 [inline] + slab_free mm/slub.c:3003 [inline] + kfree+0xe1/0x270 mm/slub.c:3958 + fm_drv_init+0x1e6/0x1000 [fm_drv] + do_one_initcall+0xbc/0x47d init/main.c:901 + do_init_module+0x1b5/0x547 kernel/module.c:3456 + load_module+0x6405/0x8c10 kernel/module.c:3804 + __do_sys_finit_module+0x162/0x190 kernel/module.c:3898 + do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Add relevant unregister functions to fix it. + +Cc: Hans Verkuil +Reported-by: Hulk Robot +Signed-off-by: Kefeng Wang +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/radio/wl128x/fmdrv_v4l2.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/media/radio/wl128x/fmdrv_v4l2.c b/drivers/media/radio/wl128x/fmdrv_v4l2.c +index fc5a7abc83d2..77778c86e04d 100644 +--- a/drivers/media/radio/wl128x/fmdrv_v4l2.c ++++ b/drivers/media/radio/wl128x/fmdrv_v4l2.c +@@ -549,6 +549,7 @@ int fm_v4l2_init_video_device(struct fmdev *fmdev, int radio_nr) + + /* Register with V4L2 subsystem as RADIO device */ + if (video_register_device(&gradio_dev, VFL_TYPE_RADIO, radio_nr)) { ++ v4l2_device_unregister(&fmdev->v4l2_dev); + fmerr("Could not register video device\n"); + return -ENOMEM; + } +@@ -562,6 +563,8 @@ int fm_v4l2_init_video_device(struct fmdev *fmdev, int radio_nr) + if (ret < 0) { + fmerr("(fmdev): Can't init ctrl handler\n"); + v4l2_ctrl_handler_free(&fmdev->ctrl_handler); ++ video_unregister_device(fmdev->radio_dev); ++ v4l2_device_unregister(&fmdev->v4l2_dev); + return -EBUSY; + } + +-- +2.20.1 + diff --git a/queue-4.14/mips-ath79-fix-ar933x-uart-parity-mode.patch b/queue-4.14/mips-ath79-fix-ar933x-uart-parity-mode.patch new file mode 100644 index 00000000000..1e3c645e9f6 --- /dev/null +++ b/queue-4.14/mips-ath79-fix-ar933x-uart-parity-mode.patch @@ -0,0 +1,40 @@ +From b0081d9cb7aedd77396ed56f2aff8c1d9a2b6d4b Mon Sep 17 00:00:00 2001 +From: Stefan Hellermann +Date: Mon, 17 Jun 2019 15:43:59 +0200 +Subject: MIPS: ath79: fix ar933x uart parity mode + +[ Upstream commit db13a5ba2732755cf13320f3987b77cf2a71e790 ] + +While trying to get the uart with parity working I found setting even +parity enabled odd parity insted. Fix the register settings to match +the datasheet of AR9331. + +A similar patch was created by 8devices, but not sent upstream. +https://github.com/8devices/openwrt-8devices/commit/77c5586ade3bb72cda010afad3f209ed0c98ea7c + +Signed-off-by: Stefan Hellermann +Signed-off-by: Paul Burton +Cc: linux-mips@vger.kernel.org +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/mach-ath79/ar933x_uart.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/include/asm/mach-ath79/ar933x_uart.h b/arch/mips/include/asm/mach-ath79/ar933x_uart.h +index c2917b39966b..bba2c8837951 100644 +--- a/arch/mips/include/asm/mach-ath79/ar933x_uart.h ++++ b/arch/mips/include/asm/mach-ath79/ar933x_uart.h +@@ -27,8 +27,8 @@ + #define AR933X_UART_CS_PARITY_S 0 + #define AR933X_UART_CS_PARITY_M 0x3 + #define AR933X_UART_CS_PARITY_NONE 0 +-#define AR933X_UART_CS_PARITY_ODD 1 +-#define AR933X_UART_CS_PARITY_EVEN 2 ++#define AR933X_UART_CS_PARITY_ODD 2 ++#define AR933X_UART_CS_PARITY_EVEN 3 + #define AR933X_UART_CS_IF_MODE_S 2 + #define AR933X_UART_CS_IF_MODE_M 0x3 + #define AR933X_UART_CS_IF_MODE_NONE 0 +-- +2.20.1 + diff --git a/queue-4.14/mips-fix-build-on-non-linux-hosts.patch b/queue-4.14/mips-fix-build-on-non-linux-hosts.patch new file mode 100644 index 00000000000..d33895eb4e3 --- /dev/null +++ b/queue-4.14/mips-fix-build-on-non-linux-hosts.patch @@ -0,0 +1,67 @@ +From 65c4b5e5d809ed3c4d23134ba9db7f301cd85d7e Mon Sep 17 00:00:00 2001 +From: Kevin Darbyshire-Bryant +Date: Wed, 19 Jun 2019 15:08:18 +0100 +Subject: MIPS: fix build on non-linux hosts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 1196364f21ffe5d1e6d83cafd6a2edb89404a3ae ] + +calc_vmlinuz_load_addr.c requires SZ_64K to be defined for alignment +purposes. It included "../../../../include/linux/sizes.h" to define +that size, however "sizes.h" tries to include which +assumes linux system headers. These may not exist eg. the following +error was encountered when building Linux for OpenWrt under macOS: + +In file included from arch/mips/boot/compressed/calc_vmlinuz_load_addr.c:16: +arch/mips/boot/compressed/../../../../include/linux/sizes.h:11:10: fatal error: 'linux/const.h' file not found + ^~~~~~~~~~ + +Change makefile to force building on local linux headers instead of +system headers. Also change eye-watering relative reference in include +file spec. + +Thanks to Jo-Philip Wich & Petr Å tetiar for assistance in tracking this +down & fixing. + +Suggested-by: Jo-Philipp Wich +Signed-off-by: Petr Å tetiar +Signed-off-by: Kevin Darbyshire-Bryant +Signed-off-by: Paul Burton +Cc: linux-mips@vger.kernel.org +Signed-off-by: Sasha Levin +--- + arch/mips/boot/compressed/Makefile | 2 ++ + arch/mips/boot/compressed/calc_vmlinuz_load_addr.c | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/mips/boot/compressed/Makefile b/arch/mips/boot/compressed/Makefile +index adce180f3ee4..331b9e0a8072 100644 +--- a/arch/mips/boot/compressed/Makefile ++++ b/arch/mips/boot/compressed/Makefile +@@ -75,6 +75,8 @@ OBJCOPYFLAGS_piggy.o := --add-section=.image=$(obj)/vmlinux.bin.z \ + $(obj)/piggy.o: $(obj)/dummy.o $(obj)/vmlinux.bin.z FORCE + $(call if_changed,objcopy) + ++HOSTCFLAGS_calc_vmlinuz_load_addr.o += $(LINUXINCLUDE) ++ + # Calculate the load address of the compressed kernel image + hostprogs-y := calc_vmlinuz_load_addr + +diff --git a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c +index 542c3ede9722..d14f75ec8273 100644 +--- a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c ++++ b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c +@@ -13,7 +13,7 @@ + #include + #include + #include +-#include "../../../../include/linux/sizes.h" ++#include + + int main(int argc, char *argv[]) + { +-- +2.20.1 + diff --git a/queue-4.14/mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch b/queue-4.14/mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch new file mode 100644 index 00000000000..fbc95963029 --- /dev/null +++ b/queue-4.14/mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch @@ -0,0 +1,114 @@ +From 25e1636db1c4ccaa7a5a7346b3fdc9ae8bd5bb6a Mon Sep 17 00:00:00 2001 +From: Lorenzo Bianconi +Date: Fri, 7 Jun 2019 13:48:09 +0200 +Subject: mt7601u: do not schedule rx_tasklet when the device has been + disconnected + +[ Upstream commit 4079e8ccabc3b6d1b503f2376123cb515d14921f ] + +Do not schedule rx_tasklet when the usb dongle is disconnected. +Moreover do not grub rx_lock in mt7601u_kill_rx since usb_poison_urb +can run concurrently with urb completion and we can unlink urbs from rx +ring in any order. +This patch fixes the common kernel warning reported when +the device is removed. + +[ 24.921354] usb 3-14: USB disconnect, device number 7 +[ 24.921593] ------------[ cut here ]------------ +[ 24.921594] RX urb mismatch +[ 24.921675] WARNING: CPU: 4 PID: 163 at drivers/net/wireless/mediatek/mt7601u/dma.c:200 mt7601u_complete_rx+0xcb/0xd0 [mt7601u] +[ 24.921769] CPU: 4 PID: 163 Comm: kworker/4:2 Tainted: G OE 4.19.31-041931-generic #201903231635 +[ 24.921770] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z97 Extreme4, BIOS P1.30 05/23/2014 +[ 24.921782] Workqueue: usb_hub_wq hub_event +[ 24.921797] RIP: 0010:mt7601u_complete_rx+0xcb/0xd0 [mt7601u] +[ 24.921800] RSP: 0018:ffff9bd9cfd03d08 EFLAGS: 00010086 +[ 24.921802] RAX: 0000000000000000 RBX: ffff9bd9bf043540 RCX: 0000000000000006 +[ 24.921803] RDX: 0000000000000007 RSI: 0000000000000096 RDI: ffff9bd9cfd16420 +[ 24.921804] RBP: ffff9bd9cfd03d28 R08: 0000000000000002 R09: 00000000000003a8 +[ 24.921805] R10: 0000002f485fca34 R11: 0000000000000000 R12: ffff9bd9bf043c1c +[ 24.921806] R13: ffff9bd9c62fa3c0 R14: 0000000000000082 R15: 0000000000000000 +[ 24.921807] FS: 0000000000000000(0000) GS:ffff9bd9cfd00000(0000) knlGS:0000000000000000 +[ 24.921808] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 24.921808] CR2: 00007fb2648b0000 CR3: 0000000142c0a004 CR4: 00000000001606e0 +[ 24.921809] Call Trace: +[ 24.921812] +[ 24.921819] __usb_hcd_giveback_urb+0x8b/0x140 +[ 24.921821] usb_hcd_giveback_urb+0xca/0xe0 +[ 24.921828] xhci_giveback_urb_in_irq.isra.42+0x82/0xf0 +[ 24.921834] handle_cmd_completion+0xe02/0x10d0 +[ 24.921837] xhci_irq+0x274/0x4a0 +[ 24.921838] xhci_msi_irq+0x11/0x20 +[ 24.921851] __handle_irq_event_percpu+0x44/0x190 +[ 24.921856] handle_irq_event_percpu+0x32/0x80 +[ 24.921861] handle_irq_event+0x3b/0x5a +[ 24.921867] handle_edge_irq+0x80/0x190 +[ 24.921874] handle_irq+0x20/0x30 +[ 24.921889] do_IRQ+0x4e/0xe0 +[ 24.921891] common_interrupt+0xf/0xf +[ 24.921892] +[ 24.921900] RIP: 0010:usb_hcd_flush_endpoint+0x78/0x180 +[ 24.921354] usb 3-14: USB disconnect, device number 7 + +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt7601u/dma.c | 33 +++++++++++---------- + 1 file changed, 18 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt7601u/dma.c b/drivers/net/wireless/mediatek/mt7601u/dma.c +index 7f3e3983b781..bc36712cfffc 100644 +--- a/drivers/net/wireless/mediatek/mt7601u/dma.c ++++ b/drivers/net/wireless/mediatek/mt7601u/dma.c +@@ -193,10 +193,23 @@ static void mt7601u_complete_rx(struct urb *urb) + struct mt7601u_rx_queue *q = &dev->rx_q; + unsigned long flags; + +- spin_lock_irqsave(&dev->rx_lock, flags); ++ /* do no schedule rx tasklet if urb has been unlinked ++ * or the device has been removed ++ */ ++ switch (urb->status) { ++ case -ECONNRESET: ++ case -ESHUTDOWN: ++ case -ENOENT: ++ return; ++ default: ++ dev_err_ratelimited(dev->dev, "rx urb failed: %d\n", ++ urb->status); ++ /* fall through */ ++ case 0: ++ break; ++ } + +- if (mt7601u_urb_has_error(urb)) +- dev_err(dev->dev, "Error: RX urb failed:%d\n", urb->status); ++ spin_lock_irqsave(&dev->rx_lock, flags); + if (WARN_ONCE(q->e[q->end].urb != urb, "RX urb mismatch")) + goto out; + +@@ -363,19 +376,9 @@ int mt7601u_dma_enqueue_tx(struct mt7601u_dev *dev, struct sk_buff *skb, + static void mt7601u_kill_rx(struct mt7601u_dev *dev) + { + int i; +- unsigned long flags; + +- spin_lock_irqsave(&dev->rx_lock, flags); +- +- for (i = 0; i < dev->rx_q.entries; i++) { +- int next = dev->rx_q.end; +- +- spin_unlock_irqrestore(&dev->rx_lock, flags); +- usb_poison_urb(dev->rx_q.e[next].urb); +- spin_lock_irqsave(&dev->rx_lock, flags); +- } +- +- spin_unlock_irqrestore(&dev->rx_lock, flags); ++ for (i = 0; i < dev->rx_q.entries; i++) ++ usb_poison_urb(dev->rx_q.e[i].urb); + } + + static int mt7601u_submit_rx_buf(struct mt7601u_dev *dev, +-- +2.20.1 + diff --git a/queue-4.14/mt7601u-fix-possible-memory-leak-when-the-device-is-.patch b/queue-4.14/mt7601u-fix-possible-memory-leak-when-the-device-is-.patch new file mode 100644 index 00000000000..76ed1f8f495 --- /dev/null +++ b/queue-4.14/mt7601u-fix-possible-memory-leak-when-the-device-is-.patch @@ -0,0 +1,125 @@ +From 4c345aa6d2b2d0eed16297f6183bf9017662111e Mon Sep 17 00:00:00 2001 +From: Lorenzo Bianconi +Date: Fri, 7 Jun 2019 13:48:10 +0200 +Subject: mt7601u: fix possible memory leak when the device is disconnected + +[ Upstream commit 23377c200b2eb48a60d0f228b2a2e75ed6ee6060 ] + +When the device is disconnected while passing traffic it is possible +to receive out of order urbs causing a memory leak since the skb linked +to the current tx urb is not removed. Fix the issue deallocating the skb +cleaning up the tx ring. Moreover this patch fixes the following kernel +warning + +[ 57.480771] usb 1-1: USB disconnect, device number 2 +[ 57.483451] ------------[ cut here ]------------ +[ 57.483462] TX urb mismatch +[ 57.483481] WARNING: CPU: 1 PID: 32 at drivers/net/wireless/mediatek/mt7601u/dma.c:245 mt7601u_complete_tx+0x165/00 +[ 57.483483] Modules linked in: +[ 57.483496] CPU: 1 PID: 32 Comm: kworker/1:1 Not tainted 5.2.0-rc1+ #72 +[ 57.483498] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-2.fc30 04/01/2014 +[ 57.483502] Workqueue: usb_hub_wq hub_event +[ 57.483507] RIP: 0010:mt7601u_complete_tx+0x165/0x1e0 +[ 57.483510] Code: 8b b5 10 04 00 00 8b 8d 14 04 00 00 eb 8b 80 3d b1 cb e1 00 00 75 9e 48 c7 c7 a4 ea 05 82 c6 05 f +[ 57.483513] RSP: 0000:ffffc900000a0d28 EFLAGS: 00010092 +[ 57.483516] RAX: 000000000000000f RBX: ffff88802c0a62c0 RCX: ffffc900000a0c2c +[ 57.483518] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff810a8371 +[ 57.483520] RBP: ffff88803ced6858 R08: 0000000000000000 R09: 0000000000000001 +[ 57.483540] R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000046 +[ 57.483542] R13: ffff88802c0a6c88 R14: ffff88803baab540 R15: ffff88803a0cc078 +[ 57.483548] FS: 0000000000000000(0000) GS:ffff88803eb00000(0000) knlGS:0000000000000000 +[ 57.483550] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 57.483552] CR2: 000055e7f6780100 CR3: 0000000028c86000 CR4: 00000000000006a0 +[ 57.483554] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 57.483556] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 57.483559] Call Trace: +[ 57.483561] +[ 57.483565] __usb_hcd_giveback_urb+0x77/0xe0 +[ 57.483570] xhci_giveback_urb_in_irq.isra.0+0x8b/0x140 +[ 57.483574] handle_cmd_completion+0xf5b/0x12c0 +[ 57.483577] xhci_irq+0x1f6/0x1810 +[ 57.483581] ? lockdep_hardirqs_on+0x9e/0x180 +[ 57.483584] ? _raw_spin_unlock_irq+0x24/0x30 +[ 57.483588] __handle_irq_event_percpu+0x3a/0x260 +[ 57.483592] handle_irq_event_percpu+0x1c/0x60 +[ 57.483595] handle_irq_event+0x2f/0x4c +[ 57.483599] handle_edge_irq+0x7e/0x1a0 +[ 57.483603] handle_irq+0x17/0x20 +[ 57.483607] do_IRQ+0x54/0x110 +[ 57.483610] common_interrupt+0xf/0xf +[ 57.483612] + +Acked-by: Jakub Kicinski +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt7601u/dma.c | 21 ++++++++++++++++----- + drivers/net/wireless/mediatek/mt7601u/tx.c | 4 ++-- + 2 files changed, 18 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt7601u/dma.c b/drivers/net/wireless/mediatek/mt7601u/dma.c +index bc36712cfffc..47cebb2ec05c 100644 +--- a/drivers/net/wireless/mediatek/mt7601u/dma.c ++++ b/drivers/net/wireless/mediatek/mt7601u/dma.c +@@ -241,14 +241,25 @@ static void mt7601u_complete_tx(struct urb *urb) + struct sk_buff *skb; + unsigned long flags; + +- spin_lock_irqsave(&dev->tx_lock, flags); ++ switch (urb->status) { ++ case -ECONNRESET: ++ case -ESHUTDOWN: ++ case -ENOENT: ++ return; ++ default: ++ dev_err_ratelimited(dev->dev, "tx urb failed: %d\n", ++ urb->status); ++ /* fall through */ ++ case 0: ++ break; ++ } + +- if (mt7601u_urb_has_error(urb)) +- dev_err(dev->dev, "Error: TX urb failed:%d\n", urb->status); ++ spin_lock_irqsave(&dev->tx_lock, flags); + if (WARN_ONCE(q->e[q->start].urb != urb, "TX urb mismatch")) + goto out; + + skb = q->e[q->start].skb; ++ q->e[q->start].skb = NULL; + trace_mt_tx_dma_done(dev, skb); + + __skb_queue_tail(&dev->tx_skb_done, skb); +@@ -448,10 +459,10 @@ static void mt7601u_free_tx_queue(struct mt7601u_tx_queue *q) + { + int i; + +- WARN_ON(q->used); +- + for (i = 0; i < q->entries; i++) { + usb_poison_urb(q->e[i].urb); ++ if (q->e[i].skb) ++ mt7601u_tx_status(q->dev, q->e[i].skb); + usb_free_urb(q->e[i].urb); + } + } +diff --git a/drivers/net/wireless/mediatek/mt7601u/tx.c b/drivers/net/wireless/mediatek/mt7601u/tx.c +index 3600e911a63e..4d81c45722fb 100644 +--- a/drivers/net/wireless/mediatek/mt7601u/tx.c ++++ b/drivers/net/wireless/mediatek/mt7601u/tx.c +@@ -117,9 +117,9 @@ void mt7601u_tx_status(struct mt7601u_dev *dev, struct sk_buff *skb) + info->status.rates[0].idx = -1; + info->flags |= IEEE80211_TX_STAT_ACK; + +- spin_lock(&dev->mac_lock); ++ spin_lock_bh(&dev->mac_lock); + ieee80211_tx_status(dev->hw, skb); +- spin_unlock(&dev->mac_lock); ++ spin_unlock_bh(&dev->mac_lock); + } + + static int mt7601u_skb_rooms(struct mt7601u_dev *dev, struct sk_buff *skb) +-- +2.20.1 + diff --git a/queue-4.14/net-axienet-fix-race-condition-causing-tx-hang.patch b/queue-4.14/net-axienet-fix-race-condition-causing-tx-hang.patch new file mode 100644 index 00000000000..12bb5e2eaa8 --- /dev/null +++ b/queue-4.14/net-axienet-fix-race-condition-causing-tx-hang.patch @@ -0,0 +1,64 @@ +From d3ea3e785d3f0c0ca9814dc4c253bd442ee9cd14 Mon Sep 17 00:00:00 2001 +From: Robert Hancock +Date: Thu, 6 Jun 2019 16:28:17 -0600 +Subject: net: axienet: Fix race condition causing TX hang + +[ Upstream commit 7de44285c1f69ccfbe8be1d6a16fcd956681fee6 ] + +It is possible that the interrupt handler fires and frees up space in +the TX ring in between checking for sufficient TX ring space and +stopping the TX queue in axienet_start_xmit. If this happens, the +queue wake from the interrupt handler will occur before the queue is +stopped, causing a lost wakeup and the adapter's transmit hanging. + +To avoid this, after stopping the queue, check again whether there is +sufficient space in the TX ring. If so, wake up the queue again. + +Signed-off-by: Robert Hancock +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/xilinx/xilinx_axienet_main.c | 20 ++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index d46dc8cd1670..b481cb174b23 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -614,6 +614,10 @@ static void axienet_start_xmit_done(struct net_device *ndev) + + ndev->stats.tx_packets += packets; + ndev->stats.tx_bytes += size; ++ ++ /* Matches barrier in axienet_start_xmit */ ++ smp_mb(); ++ + netif_wake_queue(ndev); + } + +@@ -668,9 +672,19 @@ static int axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev) + cur_p = &lp->tx_bd_v[lp->tx_bd_tail]; + + if (axienet_check_tx_bd_space(lp, num_frag)) { +- if (!netif_queue_stopped(ndev)) +- netif_stop_queue(ndev); +- return NETDEV_TX_BUSY; ++ if (netif_queue_stopped(ndev)) ++ return NETDEV_TX_BUSY; ++ ++ netif_stop_queue(ndev); ++ ++ /* Matches barrier in axienet_start_xmit_done */ ++ smp_mb(); ++ ++ /* Space might have just been freed - check again */ ++ if (axienet_check_tx_bd_space(lp, num_frag)) ++ return NETDEV_TX_BUSY; ++ ++ netif_wake_queue(ndev); + } + + if (skb->ip_summed == CHECKSUM_PARTIAL) { +-- +2.20.1 + diff --git a/queue-4.14/net-fec-do-not-use-netdev-messages-too-early.patch b/queue-4.14/net-fec-do-not-use-netdev-messages-too-early.patch new file mode 100644 index 00000000000..2d8db698adb --- /dev/null +++ b/queue-4.14/net-fec-do-not-use-netdev-messages-too-early.patch @@ -0,0 +1,50 @@ +From 6c1fe37934b5d783fcbb106008ffdaca33ed93e8 Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Thu, 6 Jun 2019 09:40:33 -0300 +Subject: net: fec: Do not use netdev messages too early + +[ Upstream commit a19a0582363b9a5f8ba812f34f1b8df394898780 ] + +When a valid MAC address is not found the current messages +are shown: + +fec 2188000.ethernet (unnamed net_device) (uninitialized): Invalid MAC address: 00:00:00:00:00:00 +fec 2188000.ethernet (unnamed net_device) (uninitialized): Using random MAC address: aa:9f:25:eb:7e:aa + +Since the network device has not been registered at this point, it is better +to use dev_err()/dev_info() instead, which will provide cleaner log +messages like these: + +fec 2188000.ethernet: Invalid MAC address: 00:00:00:00:00:00 +fec 2188000.ethernet: Using random MAC address: aa:9f:25:eb:7e:aa + +Tested on a imx6dl-pico-pi board. + +Signed-off-by: Fabio Estevam +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index 98cd53d380f7..0ae6532b02e0 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -1690,10 +1690,10 @@ static void fec_get_mac(struct net_device *ndev) + */ + if (!is_valid_ether_addr(iap)) { + /* Report it and use a random ethernet address instead */ +- netdev_err(ndev, "Invalid MAC address: %pM\n", iap); ++ dev_err(&fep->pdev->dev, "Invalid MAC address: %pM\n", iap); + eth_hw_addr_random(ndev); +- netdev_info(ndev, "Using random MAC address: %pM\n", +- ndev->dev_addr); ++ dev_info(&fep->pdev->dev, "Using random MAC address: %pM\n", ++ ndev->dev_addr); + return; + } + +-- +2.20.1 + diff --git a/queue-4.14/net-hns3-add-some-error-checking-in-hclge_tm-module.patch b/queue-4.14/net-hns3-add-some-error-checking-in-hclge_tm-module.patch new file mode 100644 index 00000000000..3ed694d3da3 --- /dev/null +++ b/queue-4.14/net-hns3-add-some-error-checking-in-hclge_tm-module.patch @@ -0,0 +1,54 @@ +From 61c926763b4b6141b9c628d1e6d19b801940d480 Mon Sep 17 00:00:00 2001 +From: Yunsheng Lin +Date: Fri, 28 Jun 2019 19:50:10 +0800 +Subject: net: hns3: add some error checking in hclge_tm module + +[ Upstream commit 04f25edb48c441fc278ecc154c270f16966cbb90 ] + +When hdev->tx_sch_mode is HCLGE_FLAG_VNET_BASE_SCH_MODE, the +hclge_tm_schd_mode_vnet_base_cfg calls hclge_tm_pri_schd_mode_cfg +with vport->vport_id as pri_id, which is used as index for +hdev->tm_info.tc_info, it will cause out of bound access issue +if vport_id is equal to or larger than HNAE3_MAX_TC. + +Also hardware only support maximum speed of HCLGE_ETHER_MAX_RATE. + +So this patch adds two checks for above cases. + +Fixes: 848440544b41 ("net: hns3: Add support of TX Scheduler & Shaper to HNS3 driver") +Signed-off-by: Yunsheng Lin +Signed-off-by: Peng Li +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c +index 73a75d7cc551..55228b91d80b 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c +@@ -57,7 +57,8 @@ static int hclge_shaper_para_calc(u32 ir, u8 shaper_level, + u32 tick; + + /* Calc tick */ +- if (shaper_level >= HCLGE_SHAPER_LVL_CNT) ++ if (shaper_level >= HCLGE_SHAPER_LVL_CNT || ++ ir > HCLGE_ETHER_MAX_RATE) + return -EINVAL; + + tick = tick_array[shaper_level]; +@@ -893,6 +894,9 @@ static int hclge_tm_schd_mode_vnet_base_cfg(struct hclge_vport *vport) + int ret; + u8 i; + ++ if (vport->vport_id >= HNAE3_MAX_TC) ++ return -EINVAL; ++ + ret = hclge_tm_pri_schd_mode_cfg(hdev, vport->vport_id); + if (ret) + return ret; +-- +2.20.1 + diff --git a/queue-4.14/net-hns3-fix-a-wformat-nonliteral-compile-warning.patch b/queue-4.14/net-hns3-fix-a-wformat-nonliteral-compile-warning.patch new file mode 100644 index 00000000000..90e176b8ade --- /dev/null +++ b/queue-4.14/net-hns3-fix-a-wformat-nonliteral-compile-warning.patch @@ -0,0 +1,44 @@ +From c8d91567a7df1ff990b038e99f27da653e72172c Mon Sep 17 00:00:00 2001 +From: Yonglong Liu +Date: Fri, 28 Jun 2019 19:50:11 +0800 +Subject: net: hns3: fix a -Wformat-nonliteral compile warning + +[ Upstream commit 18d219b783da61a6cc77581f55fc4af2fa16bc36 ] + +When setting -Wformat=2, there is a compiler warning like this: + +hclge_main.c:xxx:x: warning: format not a string literal and no +format arguments [-Wformat-nonliteral] +strs[i].desc); +^~~~ + +This patch adds missing format parameter "%s" to snprintf() to +fix it. + +Fixes: 46a3df9f9718 ("Add HNS3 Acceleration Engine & Compatibility Layer Support") +Signed-off-by: Yonglong Liu +Signed-off-by: Peng Li +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index 654aad6e748b..86523e8993cb 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -619,8 +619,7 @@ static u8 *hclge_comm_get_strings(u32 stringset, + return buff; + + for (i = 0; i < size; i++) { +- snprintf(buff, ETH_GSTRING_LEN, +- strs[i].desc); ++ snprintf(buff, ETH_GSTRING_LEN, "%s", strs[i].desc); + buff = buff + ETH_GSTRING_LEN; + } + +-- +2.20.1 + diff --git a/queue-4.14/net-mvmdio-defer-probe-of-orion-mdio-if-a-clock-is-n.patch b/queue-4.14/net-mvmdio-defer-probe-of-orion-mdio-if-a-clock-is-n.patch new file mode 100644 index 00000000000..c3c3bffd445 --- /dev/null +++ b/queue-4.14/net-mvmdio-defer-probe-of-orion-mdio-if-a-clock-is-n.patch @@ -0,0 +1,45 @@ +From 3bb2c5474cb4878e4c1cb4a6e510db8c01bc054a Mon Sep 17 00:00:00 2001 +From: Josua Mayer +Date: Tue, 9 Jul 2019 15:01:01 +0200 +Subject: net: mvmdio: defer probe of orion-mdio if a clock is not ready + +[ Upstream commit 433a06d7d74e677c40b1148c70c48677ff62fb6b ] + +Defer probing of the orion-mdio interface when getting a clock returns +EPROBE_DEFER. This avoids locking up the Armada 8k SoC when mdio is used +before all clocks have been enabled. + +Signed-off-by: Josua Mayer +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvmdio.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/mvmdio.c b/drivers/net/ethernet/marvell/mvmdio.c +index 0495487f7b42..c8e3c1119313 100644 +--- a/drivers/net/ethernet/marvell/mvmdio.c ++++ b/drivers/net/ethernet/marvell/mvmdio.c +@@ -321,6 +321,10 @@ static int orion_mdio_probe(struct platform_device *pdev) + + for (i = 0; i < ARRAY_SIZE(dev->clk); i++) { + dev->clk[i] = of_clk_get(pdev->dev.of_node, i); ++ if (PTR_ERR(dev->clk[i]) == -EPROBE_DEFER) { ++ ret = -EPROBE_DEFER; ++ goto out_clk; ++ } + if (IS_ERR(dev->clk[i])) + break; + clk_prepare_enable(dev->clk[i]); +@@ -365,6 +369,7 @@ static int orion_mdio_probe(struct platform_device *pdev) + if (dev->err_interrupt > 0) + writel(0, dev->regs + MVMDIO_ERR_INT_MASK); + ++out_clk: + for (i = 0; i < ARRAY_SIZE(dev->clk); i++) { + if (IS_ERR(dev->clk[i])) + break; +-- +2.20.1 + diff --git a/queue-4.14/net-phy-check-against-net_device-being-null.patch b/queue-4.14/net-phy-check-against-net_device-being-null.patch new file mode 100644 index 00000000000..4bc2cf20082 --- /dev/null +++ b/queue-4.14/net-phy-check-against-net_device-being-null.patch @@ -0,0 +1,48 @@ +From f1fa8ba4d0832bef5db10be56c5302fcf33bc9a6 Mon Sep 17 00:00:00 2001 +From: Ioana Ciornei +Date: Tue, 28 May 2019 20:38:09 +0300 +Subject: net: phy: Check against net_device being NULL + +[ Upstream commit 82c76aca81187b3d28a6fb3062f6916450ce955e ] + +In general, we don't want MAC drivers calling phy_attach_direct with the +net_device being NULL. Add checks against this in all the functions +calling it: phy_attach() and phy_connect_direct(). + +Signed-off-by: Ioana Ciornei +Suggested-by: Andrew Lunn +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy_device.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index c433be573e0d..ed7e3c70b511 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -729,6 +729,9 @@ int phy_connect_direct(struct net_device *dev, struct phy_device *phydev, + { + int rc; + ++ if (!dev) ++ return -EINVAL; ++ + rc = phy_attach_direct(dev, phydev, phydev->dev_flags, interface); + if (rc) + return rc; +@@ -1067,6 +1070,9 @@ struct phy_device *phy_attach(struct net_device *dev, const char *bus_id, + struct device *d; + int rc; + ++ if (!dev) ++ return ERR_PTR(-EINVAL); ++ + /* Search the list of PHY devices on the mdio bus for the + * PHY with the requested name + */ +-- +2.20.1 + diff --git a/queue-4.14/net-sfp-add-mutex-to-prevent-concurrent-state-checks.patch b/queue-4.14/net-sfp-add-mutex-to-prevent-concurrent-state-checks.patch new file mode 100644 index 00000000000..d0ce11db628 --- /dev/null +++ b/queue-4.14/net-sfp-add-mutex-to-prevent-concurrent-state-checks.patch @@ -0,0 +1,65 @@ +From 1027d6d277960361981d03ab8d561225fd24c701 Mon Sep 17 00:00:00 2001 +From: Robert Hancock +Date: Fri, 7 Jun 2019 10:42:36 -0600 +Subject: net: sfp: add mutex to prevent concurrent state checks + +[ Upstream commit 2158e856f56bb762ef90f3ec244d41a519826f75 ] + +sfp_check_state can potentially be called by both a threaded IRQ handler +and delayed work. If it is concurrently called, it could result in +incorrect state management. Add a st_mutex to protect the state - this +lock gets taken outside of code that checks and handle state changes, and +the existing sm_mutex nests inside of it. + +Suggested-by: Russell King +Signed-off-by: Robert Hancock +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/sfp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c +index 2dcb25aa0452..9cef89fe410d 100644 +--- a/drivers/net/phy/sfp.c ++++ b/drivers/net/phy/sfp.c +@@ -115,10 +115,11 @@ struct sfp { + struct gpio_desc *gpio[GPIO_MAX]; + + bool attached; ++ struct mutex st_mutex; /* Protects state */ + unsigned int state; + struct delayed_work poll; + struct delayed_work timeout; +- struct mutex sm_mutex; ++ struct mutex sm_mutex; /* Protects state machine */ + unsigned char sm_mod_state; + unsigned char sm_dev_state; + unsigned short sm_state; +@@ -738,6 +739,7 @@ static void sfp_check_state(struct sfp *sfp) + { + unsigned int state, i, changed; + ++ mutex_lock(&sfp->st_mutex); + state = sfp_get_state(sfp); + changed = state ^ sfp->state; + changed &= SFP_F_PRESENT | SFP_F_LOS | SFP_F_TX_FAULT; +@@ -763,6 +765,7 @@ static void sfp_check_state(struct sfp *sfp) + sfp_sm_event(sfp, state & SFP_F_LOS ? + SFP_E_LOS_HIGH : SFP_E_LOS_LOW); + rtnl_unlock(); ++ mutex_unlock(&sfp->st_mutex); + } + + static irqreturn_t sfp_irq(int irq, void *data) +@@ -793,6 +796,7 @@ static struct sfp *sfp_alloc(struct device *dev) + sfp->dev = dev; + + mutex_init(&sfp->sm_mutex); ++ mutex_init(&sfp->st_mutex); + INIT_DELAYED_WORK(&sfp->poll, sfp_poll); + INIT_DELAYED_WORK(&sfp->timeout, sfp_timeout); + +-- +2.20.1 + diff --git a/queue-4.14/net-stmmac-dwmac1000-clear-unused-address-entries.patch b/queue-4.14/net-stmmac-dwmac1000-clear-unused-address-entries.patch new file mode 100644 index 00000000000..c5978f76113 --- /dev/null +++ b/queue-4.14/net-stmmac-dwmac1000-clear-unused-address-entries.patch @@ -0,0 +1,43 @@ +From bae473ed374c86974aefed60395a2f05b0ecc92e Mon Sep 17 00:00:00 2001 +From: Jose Abreu +Date: Fri, 24 May 2019 10:20:21 +0200 +Subject: net: stmmac: dwmac1000: Clear unused address entries + +[ Upstream commit 9463c445590091202659cdfdd44b236acadfbd84 ] + +In case we don't use a given address entry we need to clear it because +it could contain previous values that are no longer valid. + +Found out while running stmmac selftests. + +Signed-off-by: Jose Abreu +Cc: Joao Pinto +Cc: David S. Miller +Cc: Giuseppe Cavallaro +Cc: Alexandre Torgue +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c +index 540d21786a43..08dd6a06ac58 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c +@@ -217,6 +217,12 @@ static void dwmac1000_set_filter(struct mac_device_info *hw, + GMAC_ADDR_LOW(reg)); + reg++; + } ++ ++ while (reg <= perfect_addr_number) { ++ writel(0, ioaddr + GMAC_ADDR_HIGH(reg)); ++ writel(0, ioaddr + GMAC_ADDR_LOW(reg)); ++ reg++; ++ } + } + + #ifdef FRAME_FILTER_DEBUG +-- +2.20.1 + diff --git a/queue-4.14/net-stmmac-dwmac4-5-clear-unused-address-entries.patch b/queue-4.14/net-stmmac-dwmac4-5-clear-unused-address-entries.patch new file mode 100644 index 00000000000..d1c08776db8 --- /dev/null +++ b/queue-4.14/net-stmmac-dwmac4-5-clear-unused-address-entries.patch @@ -0,0 +1,53 @@ +From 85eea588ea57a9a5172f1c2add773d8726587c80 Mon Sep 17 00:00:00 2001 +From: Jose Abreu +Date: Fri, 24 May 2019 10:20:25 +0200 +Subject: net: stmmac: dwmac4/5: Clear unused address entries + +[ Upstream commit 0620ec6c62a5a07625b65f699adc5d1b90394ee6 ] + +In case we don't use a given address entry we need to clear it because +it could contain previous values that are no longer valid. + +Found out while running stmmac selftests. + +Signed-off-by: Jose Abreu +Cc: Joao Pinto +Cc: David S. Miller +Cc: Giuseppe Cavallaro +Cc: Alexandre Torgue +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +index 55ae14a6bb8c..ed5fcd4994f2 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +@@ -443,14 +443,20 @@ static void dwmac4_set_filter(struct mac_device_info *hw, + * are required + */ + value |= GMAC_PACKET_FILTER_PR; +- } else if (!netdev_uc_empty(dev)) { +- int reg = 1; ++ } else { + struct netdev_hw_addr *ha; ++ int reg = 1; + + netdev_for_each_uc_addr(ha, dev) { + dwmac4_set_umac_addr(hw, ha->addr, reg); + reg++; + } ++ ++ while (reg <= GMAC_MAX_PERFECT_ADDRESSES) { ++ writel(0, ioaddr + GMAC_ADDR_HIGH(reg)); ++ writel(0, ioaddr + GMAC_ADDR_LOW(reg)); ++ reg++; ++ } + } + + writel(value, ioaddr + GMAC_PACKET_FILTER); +-- +2.20.1 + diff --git a/queue-4.14/net-stmmac-dwmac4-fix-flow-control-issue.patch b/queue-4.14/net-stmmac-dwmac4-fix-flow-control-issue.patch new file mode 100644 index 00000000000..fa103653b7d --- /dev/null +++ b/queue-4.14/net-stmmac-dwmac4-fix-flow-control-issue.patch @@ -0,0 +1,57 @@ +From 8858efab3716d211750a6a1ed05af6d2f0000ea4 Mon Sep 17 00:00:00 2001 +From: Biao Huang +Date: Mon, 3 Jun 2019 09:58:06 +0800 +Subject: net: stmmac: dwmac4: fix flow control issue + +[ Upstream commit ee326fd01e79dfa42014d55931260b68b9fa3273 ] + +Current dwmac4_flow_ctrl will not clear +GMAC_RX_FLOW_CTRL_RFE/GMAC_RX_FLOW_CTRL_RFE bits, +so MAC hw will keep flow control on although expecting +flow control off by ethtool. Add codes to fix it. + +Fixes: 477286b53f55 ("stmmac: add GMAC4 core support") +Signed-off-by: Biao Huang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +index ed5fcd4994f2..8445af580cb6 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +@@ -474,8 +474,9 @@ static void dwmac4_flow_ctrl(struct mac_device_info *hw, unsigned int duplex, + if (fc & FLOW_RX) { + pr_debug("\tReceive Flow-Control ON\n"); + flow |= GMAC_RX_FLOW_CTRL_RFE; +- writel(flow, ioaddr + GMAC_RX_FLOW_CTRL); + } ++ writel(flow, ioaddr + GMAC_RX_FLOW_CTRL); ++ + if (fc & FLOW_TX) { + pr_debug("\tTransmit Flow-Control ON\n"); + +@@ -483,7 +484,7 @@ static void dwmac4_flow_ctrl(struct mac_device_info *hw, unsigned int duplex, + pr_debug("\tduplex mode: PAUSE %d\n", pause_time); + + for (queue = 0; queue < tx_cnt; queue++) { +- flow |= GMAC_TX_FLOW_CTRL_TFE; ++ flow = GMAC_TX_FLOW_CTRL_TFE; + + if (duplex) + flow |= +@@ -491,6 +492,9 @@ static void dwmac4_flow_ctrl(struct mac_device_info *hw, unsigned int duplex, + + writel(flow, ioaddr + GMAC_QX_TX_FLOW_CTRL(queue)); + } ++ } else { ++ for (queue = 0; queue < tx_cnt; queue++) ++ writel(0, ioaddr + GMAC_QX_TX_FLOW_CTRL(queue)); + } + } + +-- +2.20.1 + diff --git a/queue-4.14/net-usb-asix-init-mac-address-buffers.patch b/queue-4.14/net-usb-asix-init-mac-address-buffers.patch new file mode 100644 index 00000000000..9e51e0d6c5d --- /dev/null +++ b/queue-4.14/net-usb-asix-init-mac-address-buffers.patch @@ -0,0 +1,121 @@ +From 40236826998d3e4bf565fd34a183079722766bd9 Mon Sep 17 00:00:00 2001 +From: Phong Tran +Date: Tue, 2 Jul 2019 07:10:08 +0700 +Subject: net: usb: asix: init MAC address buffers + +[ Upstream commit 78226f6eaac80bf30256a33a4926c194ceefdf36 ] + +This is for fixing bug KMSAN: uninit-value in ax88772_bind + +Tested by +https://groups.google.com/d/msg/syzkaller-bugs/aFQurGotng4/eB_HlNhhCwAJ + +Reported-by: syzbot+8a3fc6674bbc3978ed4e@syzkaller.appspotmail.com + +syzbot found the following crash on: + +HEAD commit: f75e4cfe kmsan: use kmsan_handle_urb() in urb.c +git tree: kmsan +console output: https://syzkaller.appspot.com/x/log.txt?x=136d720ea00000 +kernel config: +https://syzkaller.appspot.com/x/.config?x=602468164ccdc30a +dashboard link: +https://syzkaller.appspot.com/bug?extid=8a3fc6674bbc3978ed4e +compiler: clang version 9.0.0 (/home/glider/llvm/clang +06d00afa61eef8f7f501ebdb4e8612ea43ec2d78) +syz repro: +https://syzkaller.appspot.com/x/repro.syz?x=12788316a00000 +C reproducer: https://syzkaller.appspot.com/x/repro.c?x=120359aaa00000 + +================================================================== +BUG: KMSAN: uninit-value in is_valid_ether_addr +include/linux/etherdevice.h:200 [inline] +BUG: KMSAN: uninit-value in asix_set_netdev_dev_addr +drivers/net/usb/asix_devices.c:73 [inline] +BUG: KMSAN: uninit-value in ax88772_bind+0x93d/0x11e0 +drivers/net/usb/asix_devices.c:724 +CPU: 0 PID: 3348 Comm: kworker/0:2 Not tainted 5.1.0+ #1 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +Workqueue: usb_hub_wq hub_event +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x191/0x1f0 lib/dump_stack.c:113 + kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622 + __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310 + is_valid_ether_addr include/linux/etherdevice.h:200 [inline] + asix_set_netdev_dev_addr drivers/net/usb/asix_devices.c:73 [inline] + ax88772_bind+0x93d/0x11e0 drivers/net/usb/asix_devices.c:724 + usbnet_probe+0x10f5/0x3940 drivers/net/usb/usbnet.c:1728 + usb_probe_interface+0xd66/0x1320 drivers/usb/core/driver.c:361 + really_probe+0xdae/0x1d80 drivers/base/dd.c:513 + driver_probe_device+0x1b3/0x4f0 drivers/base/dd.c:671 + __device_attach_driver+0x5b8/0x790 drivers/base/dd.c:778 + bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:454 + __device_attach+0x454/0x730 drivers/base/dd.c:844 + device_initial_probe+0x4a/0x60 drivers/base/dd.c:891 + bus_probe_device+0x137/0x390 drivers/base/bus.c:514 + device_add+0x288d/0x30e0 drivers/base/core.c:2106 + usb_set_configuration+0x30dc/0x3750 drivers/usb/core/message.c:2027 + generic_probe+0xe7/0x280 drivers/usb/core/generic.c:210 + usb_probe_device+0x14c/0x200 drivers/usb/core/driver.c:266 + really_probe+0xdae/0x1d80 drivers/base/dd.c:513 + driver_probe_device+0x1b3/0x4f0 drivers/base/dd.c:671 + __device_attach_driver+0x5b8/0x790 drivers/base/dd.c:778 + bus_for_each_drv+0x28e/0x3b0 drivers/base/bus.c:454 + __device_attach+0x454/0x730 drivers/base/dd.c:844 + device_initial_probe+0x4a/0x60 drivers/base/dd.c:891 + bus_probe_device+0x137/0x390 drivers/base/bus.c:514 + device_add+0x288d/0x30e0 drivers/base/core.c:2106 + usb_new_device+0x23e5/0x2ff0 drivers/usb/core/hub.c:2534 + hub_port_connect drivers/usb/core/hub.c:5089 [inline] + hub_port_connect_change drivers/usb/core/hub.c:5204 [inline] + port_event drivers/usb/core/hub.c:5350 [inline] + hub_event+0x48d1/0x7290 drivers/usb/core/hub.c:5432 + process_one_work+0x1572/0x1f00 kernel/workqueue.c:2269 + process_scheduled_works kernel/workqueue.c:2331 [inline] + worker_thread+0x189c/0x2460 kernel/workqueue.c:2417 + kthread+0x4b5/0x4f0 kernel/kthread.c:254 + ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355 + +Signed-off-by: Phong Tran +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/asix_devices.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c +index d0c0ac0c3519..9b751d4bd327 100644 +--- a/drivers/net/usb/asix_devices.c ++++ b/drivers/net/usb/asix_devices.c +@@ -238,7 +238,7 @@ static void asix_phy_reset(struct usbnet *dev, unsigned int reset_bits) + static int ax88172_bind(struct usbnet *dev, struct usb_interface *intf) + { + int ret = 0; +- u8 buf[ETH_ALEN]; ++ u8 buf[ETH_ALEN] = {0}; + int i; + unsigned long gpio_bits = dev->driver_info->data; + +@@ -689,7 +689,7 @@ static int asix_resume(struct usb_interface *intf) + static int ax88772_bind(struct usbnet *dev, struct usb_interface *intf) + { + int ret, i; +- u8 buf[ETH_ALEN], chipcode = 0; ++ u8 buf[ETH_ALEN] = {0}, chipcode = 0; + u32 phyid; + struct asix_common_private *priv; + +@@ -1065,7 +1065,7 @@ static const struct net_device_ops ax88178_netdev_ops = { + static int ax88178_bind(struct usbnet *dev, struct usb_interface *intf) + { + int ret; +- u8 buf[ETH_ALEN]; ++ u8 buf[ETH_ALEN] = {0}; + + usbnet_get_endpoints(dev,intf); + +-- +2.20.1 + diff --git a/queue-4.14/ntp-limit-tai-utc-offset.patch b/queue-4.14/ntp-limit-tai-utc-offset.patch new file mode 100644 index 00000000000..6bc85021736 --- /dev/null +++ b/queue-4.14/ntp-limit-tai-utc-offset.patch @@ -0,0 +1,55 @@ +From a0eef813ddcc422949655d2955502f027709e90a Mon Sep 17 00:00:00 2001 +From: Miroslav Lichvar +Date: Tue, 18 Jun 2019 17:47:13 +0200 +Subject: ntp: Limit TAI-UTC offset + +[ Upstream commit d897a4ab11dc8a9fda50d2eccc081a96a6385998 ] + +Don't allow the TAI-UTC offset of the system clock to be set by adjtimex() +to a value larger than 100000 seconds. + +This prevents an overflow in the conversion to int, prevents the CLOCK_TAI +clock from getting too far ahead of the CLOCK_REALTIME clock, and it is +still large enough to allow leap seconds to be inserted at the maximum rate +currently supported by the kernel (once per day) for the next ~270 years, +however unlikely it is that someone can survive a catastrophic event which +slowed down the rotation of the Earth so much. + +Reported-by: Weikang shi +Signed-off-by: Miroslav Lichvar +Signed-off-by: Thomas Gleixner +Cc: John Stultz +Cc: Prarit Bhargava +Cc: Richard Cochran +Cc: Stephen Boyd +Link: https://lkml.kernel.org/r/20190618154713.20929-1-mlichvar@redhat.com +Signed-off-by: Sasha Levin +--- + kernel/time/ntp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c +index 4bb9b66338be..9288532f73c8 100644 +--- a/kernel/time/ntp.c ++++ b/kernel/time/ntp.c +@@ -43,6 +43,7 @@ static u64 tick_length_base; + #define MAX_TICKADJ 500LL /* usecs */ + #define MAX_TICKADJ_SCALED \ + (((MAX_TICKADJ * NSEC_PER_USEC) << NTP_SCALE_SHIFT) / NTP_INTERVAL_FREQ) ++#define MAX_TAI_OFFSET 100000 + + /* + * phase-lock loop variables +@@ -640,7 +641,8 @@ static inline void process_adjtimex_modes(struct timex *txc, + time_constant = max(time_constant, 0l); + } + +- if (txc->modes & ADJ_TAI && txc->constant >= 0) ++ if (txc->modes & ADJ_TAI && ++ txc->constant >= 0 && txc->constant <= MAX_TAI_OFFSET) + *time_tai = txc->constant; + + if (txc->modes & ADJ_OFFSET) +-- +2.20.1 + diff --git a/queue-4.14/perf-cs-etm-properly-set-the-value-of-old-and-head-i.patch b/queue-4.14/perf-cs-etm-properly-set-the-value-of-old-and-head-i.patch new file mode 100644 index 00000000000..1f3e1a03fe0 --- /dev/null +++ b/queue-4.14/perf-cs-etm-properly-set-the-value-of-old-and-head-i.patch @@ -0,0 +1,206 @@ +From 152e250a55fdf6e778a4cdc56ce7a71ac8475391 Mon Sep 17 00:00:00 2001 +From: Mathieu Poirier +Date: Wed, 5 Jun 2019 10:16:33 -0600 +Subject: perf cs-etm: Properly set the value of 'old' and 'head' in snapshot + mode + +[ Upstream commit e45c48a9a4d20ebc7b639a62c3ef8f4b08007027 ] + +This patch adds the necessary intelligence to properly compute the value +of 'old' and 'head' when operating in snapshot mode. That way we can +get the latest information in the AUX buffer and be compatible with the +generic AUX ring buffer mechanic. + +Tester notes: + +> Leo, have you had the chance to test/review this one? Suzuki? + +Sure. I applied this patch on the perf/core branch (with latest +commit 3e4fbf36c1e3 'perf augmented_raw_syscalls: Move reading +filename to the loop') and passed testing with below steps: + + # perf record -e cs_etm/@tmc_etr0/ -S -m,64 --per-thread ./sort & + [1] 19097 + Bubble sorting array of 30000 elements + + # kill -USR2 19097 + # kill -USR2 19097 + # kill -USR2 19097 + [ perf record: Woken up 4 times to write data ] + [ perf record: Captured and wrote 0.753 MB perf.data ] + +Signed-off-by: Mathieu Poirier +Tested-by: Leo Yan +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Peter Zijlstra +Cc: Suzuki Poulouse +Cc: linux-arm-kernel@lists.infradead.org +Link: http://lkml.kernel.org/r/20190605161633.12245-1-mathieu.poirier@linaro.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/arch/arm/util/cs-etm.c | 127 +++++++++++++++++++++++++++++- + 1 file changed, 123 insertions(+), 4 deletions(-) + +diff --git a/tools/perf/arch/arm/util/cs-etm.c b/tools/perf/arch/arm/util/cs-etm.c +index fbfc055d3f4d..aec62e822bab 100644 +--- a/tools/perf/arch/arm/util/cs-etm.c ++++ b/tools/perf/arch/arm/util/cs-etm.c +@@ -43,6 +43,8 @@ struct cs_etm_recording { + struct auxtrace_record itr; + struct perf_pmu *cs_etm_pmu; + struct perf_evlist *evlist; ++ int wrapped_cnt; ++ bool *wrapped; + bool snapshot_mode; + size_t snapshot_size; + }; +@@ -485,16 +487,131 @@ static int cs_etm_info_fill(struct auxtrace_record *itr, + return 0; + } + +-static int cs_etm_find_snapshot(struct auxtrace_record *itr __maybe_unused, ++static int cs_etm_alloc_wrapped_array(struct cs_etm_recording *ptr, int idx) ++{ ++ bool *wrapped; ++ int cnt = ptr->wrapped_cnt; ++ ++ /* Make @ptr->wrapped as big as @idx */ ++ while (cnt <= idx) ++ cnt++; ++ ++ /* ++ * Free'ed in cs_etm_recording_free(). Using realloc() to avoid ++ * cross compilation problems where the host's system supports ++ * reallocarray() but not the target. ++ */ ++ wrapped = realloc(ptr->wrapped, cnt * sizeof(bool)); ++ if (!wrapped) ++ return -ENOMEM; ++ ++ wrapped[cnt - 1] = false; ++ ptr->wrapped_cnt = cnt; ++ ptr->wrapped = wrapped; ++ ++ return 0; ++} ++ ++static bool cs_etm_buffer_has_wrapped(unsigned char *buffer, ++ size_t buffer_size, u64 head) ++{ ++ u64 i, watermark; ++ u64 *buf = (u64 *)buffer; ++ size_t buf_size = buffer_size; ++ ++ /* ++ * We want to look the very last 512 byte (chosen arbitrarily) in ++ * the ring buffer. ++ */ ++ watermark = buf_size - 512; ++ ++ /* ++ * @head is continuously increasing - if its value is equal or greater ++ * than the size of the ring buffer, it has wrapped around. ++ */ ++ if (head >= buffer_size) ++ return true; ++ ++ /* ++ * The value of @head is somewhere within the size of the ring buffer. ++ * This can be that there hasn't been enough data to fill the ring ++ * buffer yet or the trace time was so long that @head has numerically ++ * wrapped around. To find we need to check if we have data at the very ++ * end of the ring buffer. We can reliably do this because mmap'ed ++ * pages are zeroed out and there is a fresh mapping with every new ++ * session. ++ */ ++ ++ /* @head is less than 512 byte from the end of the ring buffer */ ++ if (head > watermark) ++ watermark = head; ++ ++ /* ++ * Speed things up by using 64 bit transactions (see "u64 *buf" above) ++ */ ++ watermark >>= 3; ++ buf_size >>= 3; ++ ++ /* ++ * If we find trace data at the end of the ring buffer, @head has ++ * been there and has numerically wrapped around at least once. ++ */ ++ for (i = watermark; i < buf_size; i++) ++ if (buf[i]) ++ return true; ++ ++ return false; ++} ++ ++static int cs_etm_find_snapshot(struct auxtrace_record *itr, + int idx, struct auxtrace_mmap *mm, +- unsigned char *data __maybe_unused, ++ unsigned char *data, + u64 *head, u64 *old) + { ++ int err; ++ bool wrapped; ++ struct cs_etm_recording *ptr = ++ container_of(itr, struct cs_etm_recording, itr); ++ ++ /* ++ * Allocate memory to keep track of wrapping if this is the first ++ * time we deal with this *mm. ++ */ ++ if (idx >= ptr->wrapped_cnt) { ++ err = cs_etm_alloc_wrapped_array(ptr, idx); ++ if (err) ++ return err; ++ } ++ ++ /* ++ * Check to see if *head has wrapped around. If it hasn't only the ++ * amount of data between *head and *old is snapshot'ed to avoid ++ * bloating the perf.data file with zeros. But as soon as *head has ++ * wrapped around the entire size of the AUX ring buffer it taken. ++ */ ++ wrapped = ptr->wrapped[idx]; ++ if (!wrapped && cs_etm_buffer_has_wrapped(data, mm->len, *head)) { ++ wrapped = true; ++ ptr->wrapped[idx] = true; ++ } ++ + pr_debug3("%s: mmap index %d old head %zu new head %zu size %zu\n", + __func__, idx, (size_t)*old, (size_t)*head, mm->len); + +- *old = *head; +- *head += mm->len; ++ /* No wrap has occurred, we can just use *head and *old. */ ++ if (!wrapped) ++ return 0; ++ ++ /* ++ * *head has wrapped around - adjust *head and *old to pickup the ++ * entire content of the AUX buffer. ++ */ ++ if (*head >= mm->len) { ++ *old = *head - mm->len; ++ } else { ++ *head += mm->len; ++ *old = *head - mm->len; ++ } + + return 0; + } +@@ -535,6 +652,8 @@ static void cs_etm_recording_free(struct auxtrace_record *itr) + { + struct cs_etm_recording *ptr = + container_of(itr, struct cs_etm_recording, itr); ++ ++ zfree(&ptr->wrapped); + free(ptr); + } + +-- +2.20.1 + diff --git a/queue-4.14/perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch b/queue-4.14/perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch new file mode 100644 index 00000000000..3c7ce42049d --- /dev/null +++ b/queue-4.14/perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch @@ -0,0 +1,54 @@ +From 8495888a0d19835b16c69bde940e4d9d82b0fc05 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Mon, 17 Jun 2019 14:32:53 -0300 +Subject: perf evsel: Make perf_evsel__name() accept a NULL argument + +[ Upstream commit fdbdd7e8580eac9bdafa532746c865644d125e34 ] + +In which case it simply returns "unknown", like when it can't figure out +the evsel->name value. + +This makes this code more robust and fixes a problem in 'perf trace' +where a NULL evsel was being passed to a routine that only used the +evsel for printing its name when a invalid syscall id was passed. + +Reported-by: Leo Yan +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: https://lkml.kernel.org/n/tip-f30ztaasku3z935cn3ak3h53@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/evsel.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c +index 0cf6f537f980..3ab81e8e079e 100644 +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -587,6 +587,9 @@ const char *perf_evsel__name(struct perf_evsel *evsel) + { + char bf[128]; + ++ if (!evsel) ++ goto out_unknown; ++ + if (evsel->name) + return evsel->name; + +@@ -623,7 +626,10 @@ const char *perf_evsel__name(struct perf_evsel *evsel) + + evsel->name = strdup(bf); + +- return evsel->name ?: "unknown"; ++ if (evsel->name) ++ return evsel->name; ++out_unknown: ++ return "unknown"; + } + + const char *perf_evsel__group_name(struct perf_evsel *evsel) +-- +2.20.1 + diff --git a/queue-4.14/perf-stat-make-metric-event-lookup-more-robust.patch b/queue-4.14/perf-stat-make-metric-event-lookup-more-robust.patch new file mode 100644 index 00000000000..ab14a42c24a --- /dev/null +++ b/queue-4.14/perf-stat-make-metric-event-lookup-more-robust.patch @@ -0,0 +1,51 @@ +From 1b8aa358cb442b22d9f1b61f42f4a90d9620393b Mon Sep 17 00:00:00 2001 +From: Andi Kleen +Date: Mon, 24 Jun 2019 12:37:08 -0700 +Subject: perf stat: Make metric event lookup more robust + +[ Upstream commit 145c407c808352acd625be793396fd4f33c794f8 ] + +After setting up metric groups through the event parser, the metricgroup +code looks them up again in the event list. + +Make sure we only look up events that haven't been used by some other +metric. The data structures currently cannot handle more than one metric +per event. This avoids problems with multiple events partially +overlapping. + +Signed-off-by: Andi Kleen +Acked-by: Jiri Olsa +Cc: Kan Liang +Link: http://lkml.kernel.org/r/20190624193711.35241-2-andi@firstfloor.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/stat-shadow.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/stat-shadow.c b/tools/perf/util/stat-shadow.c +index 37363869c9a1..eadc9a2aef16 100644 +--- a/tools/perf/util/stat-shadow.c ++++ b/tools/perf/util/stat-shadow.c +@@ -271,7 +271,7 @@ static struct perf_evsel *perf_stat__find_event(struct perf_evlist *evsel_list, + struct perf_evsel *c2; + + evlist__for_each_entry (evsel_list, c2) { +- if (!strcasecmp(c2->name, name)) ++ if (!strcasecmp(c2->name, name) && !c2->collect_stat) + return c2; + } + return NULL; +@@ -310,7 +310,8 @@ void perf_stat__collect_metric_expr(struct perf_evlist *evsel_list) + if (leader) { + /* Search in group */ + for_each_group_member (oc, leader) { +- if (!strcasecmp(oc->name, metric_names[i])) { ++ if (!strcasecmp(oc->name, metric_names[i]) && ++ !oc->collect_stat) { + found = true; + break; + } +-- +2.20.1 + diff --git a/queue-4.14/perf-test-6-fix-missing-kvm-module-load-for-s390.patch b/queue-4.14/perf-test-6-fix-missing-kvm-module-load-for-s390.patch new file mode 100644 index 00000000000..c043fab7270 --- /dev/null +++ b/queue-4.14/perf-test-6-fix-missing-kvm-module-load-for-s390.patch @@ -0,0 +1,87 @@ +From 9569a8e6ce1ee9a61360fc08443c0a0ade78cc32 Mon Sep 17 00:00:00 2001 +From: Thomas Richter +Date: Tue, 4 Jun 2019 07:35:04 +0200 +Subject: perf test 6: Fix missing kvm module load for s390 + +[ Upstream commit 53fe307dfd309e425b171f6272d64296a54f4dff ] + +Command + + # perf test -Fv 6 + +fails with error + + running test 100 'kvm-s390:kvm_s390_create_vm' failed to parse + event 'kvm-s390:kvm_s390_create_vm', err -1, str 'unknown tracepoint' + event syntax error: 'kvm-s390:kvm_s390_create_vm' + \___ unknown tracepoint + +when the kvm module is not loaded or not built in. + +Fix this by adding a valid function which tests if the module +is loaded. Loaded modules (or builtin KVM support) have a +directory named + /sys/kernel/debug/tracing/events/kvm-s390 +for this tracepoint. + +Check for existence of this directory. + +Signed-off-by: Thomas Richter +Reviewed-by: Christian Borntraeger +Cc: Heiko Carstens +Cc: Hendrik Brueckner +Link: http://lkml.kernel.org/r/20190604053504.43073-1-tmricht@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/parse-events.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/tools/perf/tests/parse-events.c b/tools/perf/tests/parse-events.c +index f0679613bd18..424b82a7d078 100644 +--- a/tools/perf/tests/parse-events.c ++++ b/tools/perf/tests/parse-events.c +@@ -19,6 +19,32 @@ + #define PERF_TP_SAMPLE_TYPE (PERF_SAMPLE_RAW | PERF_SAMPLE_TIME | \ + PERF_SAMPLE_CPU | PERF_SAMPLE_PERIOD) + ++#if defined(__s390x__) ++/* Return true if kvm module is available and loaded. Test this ++ * and retun success when trace point kvm_s390_create_vm ++ * exists. Otherwise this test always fails. ++ */ ++static bool kvm_s390_create_vm_valid(void) ++{ ++ char *eventfile; ++ bool rc = false; ++ ++ eventfile = get_events_file("kvm-s390"); ++ ++ if (eventfile) { ++ DIR *mydir = opendir(eventfile); ++ ++ if (mydir) { ++ rc = true; ++ closedir(mydir); ++ } ++ put_events_file(eventfile); ++ } ++ ++ return rc; ++} ++#endif ++ + static int test__checkevent_tracepoint(struct perf_evlist *evlist) + { + struct perf_evsel *evsel = perf_evlist__first(evlist); +@@ -1600,6 +1626,7 @@ static struct evlist_test test__events[] = { + { + .name = "kvm-s390:kvm_s390_create_vm", + .check = test__checkevent_tracepoint, ++ .valid = kvm_s390_create_vm_valid, + .id = 100, + }, + #endif +-- +2.20.1 + diff --git a/queue-4.14/perf-tools-increase-max_nr_cpus-and-max_caches.patch b/queue-4.14/perf-tools-increase-max_nr_cpus-and-max_caches.patch new file mode 100644 index 00000000000..c036d333df4 --- /dev/null +++ b/queue-4.14/perf-tools-increase-max_nr_cpus-and-max_caches.patch @@ -0,0 +1,70 @@ +From a1e06f17f09a1b3363d361732463e945d6b9d6aa Mon Sep 17 00:00:00 2001 +From: Kyle Meyer +Date: Thu, 20 Jun 2019 14:36:30 -0500 +Subject: perf tools: Increase MAX_NR_CPUS and MAX_CACHES + +[ Upstream commit 9f94c7f947e919c343b30f080285af53d0fa9902 ] + +Attempting to profile 1024 or more CPUs with perf causes two errors: + + perf record -a + [ perf record: Woken up X times to write data ] + way too many cpu caches.. + [ perf record: Captured and wrote X MB perf.data (X samples) ] + + perf report -C 1024 + Error: failed to set cpu bitmap + Requested CPU 1024 too large. Consider raising MAX_NR_CPUS + + Increasing MAX_NR_CPUS from 1024 to 2048 and redefining MAX_CACHES as + MAX_NR_CPUS * 4 returns normal functionality to perf: + + perf record -a + [ perf record: Woken up X times to write data ] + [ perf record: Captured and wrote X MB perf.data (X samples) ] + + perf report -C 1024 + ... + +Signed-off-by: Kyle Meyer +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20190620193630.154025-1-meyerk@stormcage.eag.rdlabs.hpecorp.net +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/perf.h | 2 +- + tools/perf/util/header.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/perf.h b/tools/perf/perf.h +index 96f62dd7e3ed..d4ebd0956114 100644 +--- a/tools/perf/perf.h ++++ b/tools/perf/perf.h +@@ -25,7 +25,7 @@ static inline unsigned long long rdclock(void) + } + + #ifndef MAX_NR_CPUS +-#define MAX_NR_CPUS 1024 ++#define MAX_NR_CPUS 2048 + #endif + + extern const char *input_name; +diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c +index f11cead6a151..26437143c940 100644 +--- a/tools/perf/util/header.c ++++ b/tools/perf/util/header.c +@@ -1122,7 +1122,7 @@ static int build_caches(struct cpu_cache_level caches[], u32 size, u32 *cntp) + return 0; + } + +-#define MAX_CACHES 2000 ++#define MAX_CACHES (MAX_NR_CPUS * 4) + + static int write_cache(struct feat_fd *ff, + struct perf_evlist *evlist __maybe_unused) +-- +2.20.1 + diff --git a/queue-4.14/qed-set-the-doorbell-address-correctly.patch b/queue-4.14/qed-set-the-doorbell-address-correctly.patch new file mode 100644 index 00000000000..1adc46f90ac --- /dev/null +++ b/queue-4.14/qed-set-the-doorbell-address-correctly.patch @@ -0,0 +1,104 @@ +From 6be983b8f16d4aa4531966191bf29296ef6d156d Mon Sep 17 00:00:00 2001 +From: Michal Kalderon +Date: Sun, 26 May 2019 15:22:25 +0300 +Subject: qed: Set the doorbell address correctly + +[ Upstream commit 8366d520019f366fabd6c7a13032bdcd837e18d4 ] + +In 100g mode the doorbell bar is united for both engines. Set +the correct offset in the hwfn so that the doorbell returned +for RoCE is in the affined hwfn. + +Signed-off-by: Ariel Elior +Signed-off-by: Denis Bolotin +Signed-off-by: Michal Kalderon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_dev.c | 29 ++++++++++++++-------- + drivers/net/ethernet/qlogic/qed/qed_rdma.c | 2 +- + 2 files changed, 19 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c +index 410528e7d927..c4e8bf0773fe 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c +@@ -2947,6 +2947,7 @@ static int qed_get_dev_info(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt) + static int qed_hw_prepare_single(struct qed_hwfn *p_hwfn, + void __iomem *p_regview, + void __iomem *p_doorbells, ++ u64 db_phys_addr, + enum qed_pci_personality personality) + { + int rc = 0; +@@ -2954,6 +2955,7 @@ static int qed_hw_prepare_single(struct qed_hwfn *p_hwfn, + /* Split PCI bars evenly between hwfns */ + p_hwfn->regview = p_regview; + p_hwfn->doorbells = p_doorbells; ++ p_hwfn->db_phys_addr = db_phys_addr; + + if (IS_VF(p_hwfn->cdev)) + return qed_vf_hw_prepare(p_hwfn); +@@ -3036,7 +3038,9 @@ int qed_hw_prepare(struct qed_dev *cdev, + /* Initialize the first hwfn - will learn number of hwfns */ + rc = qed_hw_prepare_single(p_hwfn, + cdev->regview, +- cdev->doorbells, personality); ++ cdev->doorbells, ++ cdev->db_phys_addr, ++ personality); + if (rc) + return rc; + +@@ -3045,22 +3049,25 @@ int qed_hw_prepare(struct qed_dev *cdev, + /* Initialize the rest of the hwfns */ + if (cdev->num_hwfns > 1) { + void __iomem *p_regview, *p_doorbell; +- u8 __iomem *addr; ++ u64 db_phys_addr; ++ u32 offset; + + /* adjust bar offset for second engine */ +- addr = cdev->regview + +- qed_hw_bar_size(p_hwfn, p_hwfn->p_main_ptt, +- BAR_ID_0) / 2; +- p_regview = addr; ++ offset = qed_hw_bar_size(p_hwfn, p_hwfn->p_main_ptt, ++ BAR_ID_0) / 2; ++ p_regview = cdev->regview + offset; + +- addr = cdev->doorbells + +- qed_hw_bar_size(p_hwfn, p_hwfn->p_main_ptt, +- BAR_ID_1) / 2; +- p_doorbell = addr; ++ offset = qed_hw_bar_size(p_hwfn, p_hwfn->p_main_ptt, ++ BAR_ID_1) / 2; ++ ++ p_doorbell = cdev->doorbells + offset; ++ ++ db_phys_addr = cdev->db_phys_addr + offset; + + /* prepare second hw function */ + rc = qed_hw_prepare_single(&cdev->hwfns[1], p_regview, +- p_doorbell, personality); ++ p_doorbell, db_phys_addr, ++ personality); + + /* in case of error, need to free the previously + * initiliazed hwfn 0. +diff --git a/drivers/net/ethernet/qlogic/qed/qed_rdma.c b/drivers/net/ethernet/qlogic/qed/qed_rdma.c +index 1b6554866138..1e13dea66989 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_rdma.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_rdma.c +@@ -753,7 +753,7 @@ static int qed_rdma_add_user(void *rdma_cxt, + dpi_start_offset + + ((out_params->dpi) * p_hwfn->dpi_size)); + +- out_params->dpi_phys_addr = p_hwfn->cdev->db_phys_addr + ++ out_params->dpi_phys_addr = p_hwfn->db_phys_addr + + dpi_start_offset + + ((out_params->dpi) * p_hwfn->dpi_size); + +-- +2.20.1 + diff --git a/queue-4.14/ras-cec-fix-pfn-insertion.patch b/queue-4.14/ras-cec-fix-pfn-insertion.patch new file mode 100644 index 00000000000..9c4a20dffd6 --- /dev/null +++ b/queue-4.14/ras-cec-fix-pfn-insertion.patch @@ -0,0 +1,56 @@ +From 94883833082c008449f3f9ca26e3cec27784f1d2 Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Sat, 20 Apr 2019 12:53:05 +0200 +Subject: RAS/CEC: Fix pfn insertion + +[ Upstream commit 6d8e294bf5f0e85c34e8b14b064e2965f53f38b0 ] + +When inserting random PFNs for debugging the CEC through +(debugfs)/ras/cec/pfn, depending on the return value of pfn_set(), +multiple values get inserted per a single write. + +That is because simple_attr_write() interprets a retval of 0 as +success and claims the whole input. However, pfn_set() returns the +cec_add_elem() value, which, if > 0 and smaller than the whole input +length, makes glibc continue issuing the write syscall until there's +input left: + + pfn_set + simple_attr_write + debugfs_attr_write + full_proxy_write + vfs_write + ksys_write + do_syscall_64 + entry_SYSCALL_64_after_hwframe + +leading to those repeated calls. + +Return 0 to fix that. + +Signed-off-by: Borislav Petkov +Cc: Tony Luck +Cc: linux-edac +Signed-off-by: Sasha Levin +--- + drivers/ras/cec.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/ras/cec.c b/drivers/ras/cec.c +index c7205cdcc11a..97cf40a522be 100644 +--- a/drivers/ras/cec.c ++++ b/drivers/ras/cec.c +@@ -373,7 +373,9 @@ static int pfn_set(void *data, u64 val) + { + *(u64 *)data = val; + +- return cec_add_elem(val); ++ cec_add_elem(val); ++ ++ return 0; + } + + DEFINE_DEBUGFS_ATTRIBUTE(pfn_ops, u64_get, pfn_set, "0x%llx\n"); +-- +2.20.1 + diff --git a/queue-4.14/rcu-force-inlining-of-rcu_read_lock.patch b/queue-4.14/rcu-force-inlining-of-rcu_read_lock.patch new file mode 100644 index 00000000000..c77269d3b25 --- /dev/null +++ b/queue-4.14/rcu-force-inlining-of-rcu_read_lock.patch @@ -0,0 +1,55 @@ +From ab0ee45837d937c831c5d9fc62e313057f1be422 Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Tue, 21 May 2019 16:48:43 -0400 +Subject: rcu: Force inlining of rcu_read_lock() + +[ Upstream commit 6da9f775175e516fc7229ceaa9b54f8f56aa7924 ] + +When debugging options are turned on, the rcu_read_lock() function +might not be inlined. This results in lockdep's print_lock() function +printing "rcu_read_lock+0x0/0x70" instead of rcu_read_lock()'s caller. +For example: + +[ 10.579995] ============================= +[ 10.584033] WARNING: suspicious RCU usage +[ 10.588074] 4.18.0.memcg_v2+ #1 Not tainted +[ 10.593162] ----------------------------- +[ 10.597203] include/linux/rcupdate.h:281 Illegal context switch in +RCU read-side critical section! +[ 10.606220] +[ 10.606220] other info that might help us debug this: +[ 10.606220] +[ 10.614280] +[ 10.614280] rcu_scheduler_active = 2, debug_locks = 1 +[ 10.620853] 3 locks held by systemd/1: +[ 10.624632] #0: (____ptrval____) (&type->i_mutex_dir_key#5){.+.+}, at: lookup_slow+0x42/0x70 +[ 10.633232] #1: (____ptrval____) (rcu_read_lock){....}, at: rcu_read_lock+0x0/0x70 +[ 10.640954] #2: (____ptrval____) (rcu_read_lock){....}, at: rcu_read_lock+0x0/0x70 + +These "rcu_read_lock+0x0/0x70" strings are not providing any useful +information. This commit therefore forces inlining of the rcu_read_lock() +function so that rcu_read_lock()'s caller is instead shown. + +Signed-off-by: Waiman Long +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + include/linux/rcupdate.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h +index f960c85cd9ec..8d570190e9b4 100644 +--- a/include/linux/rcupdate.h ++++ b/include/linux/rcupdate.h +@@ -622,7 +622,7 @@ static inline void rcu_preempt_sleep_check(void) { } + * read-side critical sections may be preempted and they may also block, but + * only when acquiring spinlocks that are subject to priority inheritance. + */ +-static inline void rcu_read_lock(void) ++static __always_inline void rcu_read_lock(void) + { + __rcu_read_lock(); + __acquire(RCU); +-- +2.20.1 + diff --git a/queue-4.14/regmap-fix-bulk-writes-on-paged-registers.patch b/queue-4.14/regmap-fix-bulk-writes-on-paged-registers.patch new file mode 100644 index 00000000000..012988ed088 --- /dev/null +++ b/queue-4.14/regmap-fix-bulk-writes-on-paged-registers.patch @@ -0,0 +1,42 @@ +From c9b30704a6ba33d30f6aa39c013327f3efede8de Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Wed, 12 Jun 2019 12:03:43 +0100 +Subject: regmap: fix bulk writes on paged registers + +[ Upstream commit db057679de3e9e6a03c1bcd5aee09b0d25fd9f5b ] + +On buses like SlimBus and SoundWire which does not support +gather_writes yet in regmap, A bulk write on paged register +would be silently ignored after programming page. +This is because local variable 'ret' value in regmap_raw_write_impl() +gets reset to 0 once page register is written successfully and the +code below checks for 'ret' value to be -ENOTSUPP before linearising +the write buffer to send to bus->write(). + +Fix this by resetting the 'ret' value to -ENOTSUPP in cases where +gather_writes() is not supported or single register write is +not possible. + +Signed-off-by: Srinivas Kandagatla +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regmap.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index 8fd08023c0f5..013d0a2b3ba0 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -1509,6 +1509,8 @@ int _regmap_raw_write(struct regmap *map, unsigned int reg, + map->format.reg_bytes + + map->format.pad_bytes, + val, val_len); ++ else ++ ret = -ENOTSUPP; + + /* If that didn't work fall back on linearising by hand. */ + if (ret == -ENOTSUPP) { +-- +2.20.1 + diff --git a/queue-4.14/rslib-fix-decoding-of-shortened-codes.patch b/queue-4.14/rslib-fix-decoding-of-shortened-codes.patch new file mode 100644 index 00000000000..6ab23f92004 --- /dev/null +++ b/queue-4.14/rslib-fix-decoding-of-shortened-codes.patch @@ -0,0 +1,44 @@ +From 17fb11898ebc79a61ebda88602e620e023ce7bed Mon Sep 17 00:00:00 2001 +From: Ferdinand Blomqvist +Date: Thu, 20 Jun 2019 17:10:34 +0300 +Subject: rslib: Fix decoding of shortened codes + +[ Upstream commit 2034a42d1747fc1e1eeef2c6f1789c4d0762cb9c ] + +The decoding of shortenend codes is broken. It only works as expected if +there are no erasures. + +When decoding with erasures, Lambda (the error and erasure locator +polynomial) is initialized from the given erasure positions. The pad +parameter is not accounted for by the initialisation code, and hence +Lambda is initialized from incorrect erasure positions. + +The fix is to adjust the erasure positions by the supplied pad. + +Signed-off-by: Ferdinand Blomqvist +Signed-off-by: Thomas Gleixner +Link: https://lkml.kernel.org/r/20190620141039.9874-3-ferdinand.blomqvist@gmail.com +Signed-off-by: Sasha Levin +--- + lib/reed_solomon/decode_rs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/reed_solomon/decode_rs.c b/lib/reed_solomon/decode_rs.c +index 0ec3f257ffdf..8eed0f9ac495 100644 +--- a/lib/reed_solomon/decode_rs.c ++++ b/lib/reed_solomon/decode_rs.c +@@ -99,9 +99,9 @@ + if (no_eras > 0) { + /* Init lambda to be the erasure locator polynomial */ + lambda[1] = alpha_to[rs_modnn(rs, +- prim * (nn - 1 - eras_pos[0]))]; ++ prim * (nn - 1 - (eras_pos[0] + pad)))]; + for (i = 1; i < no_eras; i++) { +- u = rs_modnn(rs, prim * (nn - 1 - eras_pos[i])); ++ u = rs_modnn(rs, prim * (nn - 1 - (eras_pos[i] + pad))); + for (j = i + 1; j > 0; j--) { + tmp = index_of[lambda[j - 1]]; + if (tmp != nn) { +-- +2.20.1 + diff --git a/queue-4.14/rslib-fix-handling-of-of-caller-provided-syndrome.patch b/queue-4.14/rslib-fix-handling-of-of-caller-provided-syndrome.patch new file mode 100644 index 00000000000..bb2887a540a --- /dev/null +++ b/queue-4.14/rslib-fix-handling-of-of-caller-provided-syndrome.patch @@ -0,0 +1,46 @@ +From ce235cbc44a763962ac83e0a7f5c1b83e80145e3 Mon Sep 17 00:00:00 2001 +From: Ferdinand Blomqvist +Date: Thu, 20 Jun 2019 17:10:37 +0300 +Subject: rslib: Fix handling of of caller provided syndrome + +[ Upstream commit ef4d6a8556b637ad27c8c2a2cff1dda3da38e9a9 ] + +Check if the syndrome provided by the caller is zero, and act +accordingly. + +Signed-off-by: Ferdinand Blomqvist +Signed-off-by: Thomas Gleixner +Link: https://lkml.kernel.org/r/20190620141039.9874-6-ferdinand.blomqvist@gmail.com +Signed-off-by: Sasha Levin +--- + lib/reed_solomon/decode_rs.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/lib/reed_solomon/decode_rs.c b/lib/reed_solomon/decode_rs.c +index 8eed0f9ac495..a5d313381539 100644 +--- a/lib/reed_solomon/decode_rs.c ++++ b/lib/reed_solomon/decode_rs.c +@@ -42,8 +42,18 @@ + BUG_ON(pad < 0 || pad >= nn); + + /* Does the caller provide the syndrome ? */ +- if (s != NULL) +- goto decode; ++ if (s != NULL) { ++ for (i = 0; i < nroots; i++) { ++ /* The syndrome is in index form, ++ * so nn represents zero ++ */ ++ if (s[i] != nn) ++ goto decode; ++ } ++ ++ /* syndrome is zero, no errors to correct */ ++ return 0; ++ } + + /* form the syndromes; i.e., evaluate data(x) at roots of + * g(x) */ +-- +2.20.1 + diff --git a/queue-4.14/rtlwifi-rtl8192cu-fix-error-handle-when-usb-probe-fa.patch b/queue-4.14/rtlwifi-rtl8192cu-fix-error-handle-when-usb-probe-fa.patch new file mode 100644 index 00000000000..88a4efaa14a --- /dev/null +++ b/queue-4.14/rtlwifi-rtl8192cu-fix-error-handle-when-usb-probe-fa.patch @@ -0,0 +1,104 @@ +From 2709d8a5fa3b478cf1c409b79505fef3aeb7b072 Mon Sep 17 00:00:00 2001 +From: Ping-Ke Shih +Date: Wed, 29 May 2019 14:57:30 +0800 +Subject: rtlwifi: rtl8192cu: fix error handle when usb probe failed + +[ Upstream commit 6c0ed66f1a5b84e2a812c7c2d6571a5621bf3396 ] + +rtl_usb_probe() must do error handle rtl_deinit_core() only if +rtl_init_core() is done, otherwise goto error_out2. + +| usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 +| rtl_usb: reg 0xf0, usbctrl_vendorreq TimeOut! status:0xffffffb9 value=0x0 +| rtl8192cu: Chip version 0x10 +| rtl_usb: reg 0xa, usbctrl_vendorreq TimeOut! status:0xffffffb9 value=0x0 +| rtl_usb: Too few input end points found +| INFO: trying to register non-static key. +| the code is fine but needs lockdep annotation. +| turning off the locking correctness validator. +| CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3 +| Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +| Google 01/01/2011 +| Workqueue: usb_hub_wq hub_event +| Call Trace: +| __dump_stack lib/dump_stack.c:77 [inline] +| dump_stack+0xe8/0x16e lib/dump_stack.c:113 +| assign_lock_key kernel/locking/lockdep.c:786 [inline] +| register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095 +| __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582 +| lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211 +| __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] +| _raw_spin_lock_irqsave+0x44/0x60 kernel/locking/spinlock.c:152 +| rtl_c2hcmd_launcher+0xd1/0x390 +| drivers/net/wireless/realtek/rtlwifi/base.c:2344 +| rtl_deinit_core+0x25/0x2d0 drivers/net/wireless/realtek/rtlwifi/base.c:574 +| rtl_usb_probe.cold+0x861/0xa70 +| drivers/net/wireless/realtek/rtlwifi/usb.c:1093 +| usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361 +| really_probe+0x2da/0xb10 drivers/base/dd.c:509 +| driver_probe_device+0x21d/0x350 drivers/base/dd.c:671 +| __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778 +| bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454 +| __device_attach+0x223/0x3a0 drivers/base/dd.c:844 +| bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514 +| device_add+0xad2/0x16e0 drivers/base/core.c:2106 +| usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021 +| generic_probe+0xa2/0xda drivers/usb/core/generic.c:210 +| usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266 +| really_probe+0x2da/0xb10 drivers/base/dd.c:509 +| driver_probe_device+0x21d/0x350 drivers/base/dd.c:671 +| __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778 +| bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454 +| __device_attach+0x223/0x3a0 drivers/base/dd.c:844 +| bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514 +| device_add+0xad2/0x16e0 drivers/base/core.c:2106 +| usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534 +| hub_port_connect drivers/usb/core/hub.c:5089 [inline] +| hub_port_connect_change drivers/usb/core/hub.c:5204 [inline] +| port_event drivers/usb/core/hub.c:5350 [inline] +| hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432 +| process_one_work+0x90f/0x1580 kernel/workqueue.c:2269 +| worker_thread+0x9b/0xe20 kernel/workqueue.c:2415 +| kthread+0x313/0x420 kernel/kthread.c:253 +| ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 + +Reported-by: syzbot+1fcc5ef45175fc774231@syzkaller.appspotmail.com +Signed-off-by: Ping-Ke Shih +Acked-by: Larry Finger +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/usb.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c +index 820c42ff5384..2401c8bdb211 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/usb.c ++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c +@@ -1099,13 +1099,13 @@ int rtl_usb_probe(struct usb_interface *intf, + rtlpriv->cfg->ops->read_eeprom_info(hw); + err = _rtl_usb_init(hw); + if (err) +- goto error_out; ++ goto error_out2; + rtl_usb_init_sw(hw); + /* Init mac80211 sw */ + err = rtl_init_core(hw); + if (err) { + pr_err("Can't allocate sw for mac80211\n"); +- goto error_out; ++ goto error_out2; + } + if (rtlpriv->cfg->ops->init_sw_vars(hw)) { + pr_err("Can't init_sw_vars\n"); +@@ -1126,6 +1126,7 @@ int rtl_usb_probe(struct usb_interface *intf, + + error_out: + rtl_deinit_core(hw); ++error_out2: + _rtl_usb_io_handler_release(hw); + usb_put_dev(udev); + complete(&rtlpriv->firmware_loading_complete); +-- +2.20.1 + diff --git a/queue-4.14/s390-qdio-handle-pending-state-for-qebsm-devices.patch b/queue-4.14/s390-qdio-handle-pending-state-for-qebsm-devices.patch new file mode 100644 index 00000000000..82b9c272b12 --- /dev/null +++ b/queue-4.14/s390-qdio-handle-pending-state-for-qebsm-devices.patch @@ -0,0 +1,39 @@ +From 7e61852aa682440a1dd92e4be1f4de97fa981530 Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann +Date: Mon, 3 Jun 2019 07:47:04 +0200 +Subject: s390/qdio: handle PENDING state for QEBSM devices + +[ Upstream commit 04310324c6f482921c071444833e70fe861b73d9 ] + +When a CQ-enabled device uses QEBSM for SBAL state inspection, +get_buf_states() can return the PENDING state for an Output Queue. +get_outbound_buffer_frontier() isn't prepared for this, and any PENDING +buffer will permanently stall all further completion processing on this +Queue. + +This isn't a concern for non-QEBSM devices, as get_buf_states() for such +devices will manually turn PENDING buffers into EMPTY ones. + +Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks") +Signed-off-by: Julian Wiedmann +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + drivers/s390/cio/qdio_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/s390/cio/qdio_main.c b/drivers/s390/cio/qdio_main.c +index c7afdbded26b..ab8dd81fbc2b 100644 +--- a/drivers/s390/cio/qdio_main.c ++++ b/drivers/s390/cio/qdio_main.c +@@ -759,6 +759,7 @@ static int get_outbound_buffer_frontier(struct qdio_q *q) + + switch (state) { + case SLSB_P_OUTPUT_EMPTY: ++ case SLSB_P_OUTPUT_PENDING: + /* the adapter got it */ + DBF_DEV_EVENT(DBF_INFO, q->irq_ptr, + "out empty:%1d %02x", q->nr, count); +-- +2.20.1 + diff --git a/queue-4.14/sched-core-add-__sched-tag-for-io_schedule.patch b/queue-4.14/sched-core-add-__sched-tag-for-io_schedule.patch new file mode 100644 index 00000000000..dd736a53d28 --- /dev/null +++ b/queue-4.14/sched-core-add-__sched-tag-for-io_schedule.patch @@ -0,0 +1,47 @@ +From d1d321e8ff1b3ae945d465867cf9911f596d4f14 Mon Sep 17 00:00:00 2001 +From: Gao Xiang +Date: Mon, 3 Jun 2019 17:13:38 +0800 +Subject: sched/core: Add __sched tag for io_schedule() + +[ Upstream commit e3b929b0a184edb35531153c5afcaebb09014f9d ] + +Non-inline io_schedule() was introduced in: + + commit 10ab56434f2f ("sched/core: Separate out io_schedule_prepare() and io_schedule_finish()") + +Keep in line with io_schedule_timeout(), otherwise "/proc//wchan" will +report io_schedule() rather than its callers when waiting for IO. + +Reported-by: Jilong Kou +Signed-off-by: Gao Xiang +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Tejun Heo +Cc: Andrew Morton +Cc: Linus Torvalds +Cc: Miao Xie +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 10ab56434f2f ("sched/core: Separate out io_schedule_prepare() and io_schedule_finish()") +Link: https://lkml.kernel.org/r/20190603091338.2695-1-gaoxiang25@huawei.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/sched/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index b3ff73d6a4c2..ff128e281d1c 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -5026,7 +5026,7 @@ long __sched io_schedule_timeout(long timeout) + } + EXPORT_SYMBOL(io_schedule_timeout); + +-void io_schedule(void) ++void __sched io_schedule(void) + { + int token; + +-- +2.20.1 + diff --git a/queue-4.14/sched-fair-fix-runnable_avg_yn_inv-not-used-warnings.patch b/queue-4.14/sched-fair-fix-runnable_avg_yn_inv-not-used-warnings.patch new file mode 100644 index 00000000000..456de81f814 --- /dev/null +++ b/queue-4.14/sched-fair-fix-runnable_avg_yn_inv-not-used-warnings.patch @@ -0,0 +1,64 @@ +From 7d82c7300ac16440d674c49fb631df5fc3772a11 Mon Sep 17 00:00:00 2001 +From: Qian Cai +Date: Mon, 3 Jun 2019 17:11:44 -0400 +Subject: sched/fair: Fix "runnable_avg_yN_inv" not used warnings + +[ Upstream commit 509466b7d480bc5d22e90b9fbe6122ae0e2fbe39 ] + +runnable_avg_yN_inv[] is only used in kernel/sched/pelt.c but was +included in several other places because they need other macros all +came from kernel/sched/sched-pelt.h which was generated by +Documentation/scheduler/sched-pelt. As the result, it causes compilation +a lot of warnings, + + kernel/sched/sched-pelt.h:4:18: warning: 'runnable_avg_yN_inv' defined but not used [-Wunused-const-variable=] + kernel/sched/sched-pelt.h:4:18: warning: 'runnable_avg_yN_inv' defined but not used [-Wunused-const-variable=] + kernel/sched/sched-pelt.h:4:18: warning: 'runnable_avg_yN_inv' defined but not used [-Wunused-const-variable=] + ... + +Silence it by appending the __maybe_unused attribute for it, so all +generated variables and macros can still be kept in the same file. + +Signed-off-by: Qian Cai +Signed-off-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: https://lkml.kernel.org/r/1559596304-31581-1-git-send-email-cai@lca.pw +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + Documentation/scheduler/sched-pelt.c | 3 ++- + kernel/sched/sched-pelt.h | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/Documentation/scheduler/sched-pelt.c b/Documentation/scheduler/sched-pelt.c +index e4219139386a..7238b355919c 100644 +--- a/Documentation/scheduler/sched-pelt.c ++++ b/Documentation/scheduler/sched-pelt.c +@@ -20,7 +20,8 @@ void calc_runnable_avg_yN_inv(void) + int i; + unsigned int x; + +- printf("static const u32 runnable_avg_yN_inv[] = {"); ++ /* To silence -Wunused-but-set-variable warnings. */ ++ printf("static const u32 runnable_avg_yN_inv[] __maybe_unused = {"); + for (i = 0; i < HALFLIFE; i++) { + x = ((1UL<<32)-1)*pow(y, i); + +diff --git a/kernel/sched/sched-pelt.h b/kernel/sched/sched-pelt.h +index a26473674fb7..c529706bed11 100644 +--- a/kernel/sched/sched-pelt.h ++++ b/kernel/sched/sched-pelt.h +@@ -1,7 +1,7 @@ + /* SPDX-License-Identifier: GPL-2.0 */ + /* Generated by Documentation/scheduler/sched-pelt; do not modify. */ + +-static const u32 runnable_avg_yN_inv[] = { ++static const u32 runnable_avg_yN_inv[] __maybe_unused = { + 0xffffffff, 0xfa83b2da, 0xf5257d14, 0xefe4b99a, 0xeac0c6e6, 0xe5b906e6, + 0xe0ccdeeb, 0xdbfbb796, 0xd744fcc9, 0xd2a81d91, 0xce248c14, 0xc9b9bd85, + 0xc5672a10, 0xc12c4cc9, 0xbd08a39e, 0xb8fbaf46, 0xb504f333, 0xb123f581, +-- +2.20.1 + diff --git a/queue-4.14/scsi-iscsi-set-auth_protocol-back-to-null-if-chap_a-.patch b/queue-4.14/scsi-iscsi-set-auth_protocol-back-to-null-if-chap_a-.patch new file mode 100644 index 00000000000..983edf9c56d --- /dev/null +++ b/queue-4.14/scsi-iscsi-set-auth_protocol-back-to-null-if-chap_a-.patch @@ -0,0 +1,78 @@ +From 0c77d4e6fba94dac4bd16ef0f131ffa3b8dcd175 Mon Sep 17 00:00:00 2001 +From: Maurizio Lombardi +Date: Wed, 26 Jun 2019 19:27:34 +0200 +Subject: scsi: iscsi: set auth_protocol back to NULL if CHAP_A value is not + supported + +[ Upstream commit 5dd6c49339126c2c8df2179041373222362d6e49 ] + +If the CHAP_A value is not supported, the chap_server_open() function +should free the auth_protocol pointer and set it to NULL, or we will leave +a dangling pointer around. + +[ 66.010905] Unsupported CHAP_A value +[ 66.011660] Security negotiation failed. +[ 66.012443] iSCSI Login negotiation failed. +[ 68.413924] general protection fault: 0000 [#1] SMP PTI +[ 68.414962] CPU: 0 PID: 1562 Comm: targetcli Kdump: loaded Not tainted 4.18.0-80.el8.x86_64 #1 +[ 68.416589] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 +[ 68.417677] RIP: 0010:__kmalloc_track_caller+0xc2/0x210 + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Chris Leech +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target_auth.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c +index 4e680d753941..e2fa3a3bc81d 100644 +--- a/drivers/target/iscsi/iscsi_target_auth.c ++++ b/drivers/target/iscsi/iscsi_target_auth.c +@@ -89,6 +89,12 @@ static int chap_check_algorithm(const char *a_str) + return CHAP_DIGEST_UNKNOWN; + } + ++static void chap_close(struct iscsi_conn *conn) ++{ ++ kfree(conn->auth_protocol); ++ conn->auth_protocol = NULL; ++} ++ + static struct iscsi_chap *chap_server_open( + struct iscsi_conn *conn, + struct iscsi_node_auth *auth, +@@ -126,7 +132,7 @@ static struct iscsi_chap *chap_server_open( + case CHAP_DIGEST_UNKNOWN: + default: + pr_err("Unsupported CHAP_A value\n"); +- kfree(conn->auth_protocol); ++ chap_close(conn); + return NULL; + } + +@@ -141,19 +147,13 @@ static struct iscsi_chap *chap_server_open( + * Generate Challenge. + */ + if (chap_gen_challenge(conn, 1, aic_str, aic_len) < 0) { +- kfree(conn->auth_protocol); ++ chap_close(conn); + return NULL; + } + + return chap; + } + +-static void chap_close(struct iscsi_conn *conn) +-{ +- kfree(conn->auth_protocol); +- conn->auth_protocol = NULL; +-} +- + static int chap_server_compute_md5( + struct iscsi_conn *conn, + struct iscsi_node_auth *auth, +-- +2.20.1 + diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..ff196ef0d78 --- /dev/null +++ b/queue-4.14/series @@ -0,0 +1,111 @@ +mips-ath79-fix-ar933x-uart-parity-mode.patch +mips-fix-build-on-non-linux-hosts.patch +arm64-efi-mark-__efistub_stext_offset-as-an-absolute.patch +scsi-iscsi-set-auth_protocol-back-to-null-if-chap_a-.patch +dmaengine-imx-sdma-fix-use-after-free-on-probe-error.patch +wil6210-fix-potential-out-of-bounds-read.patch +ath10k-do-not-send-probe-response-template-for-mesh.patch +ath9k-check-for-errors-when-reading-srev-register.patch +ath6kl-add-some-bounds-checking.patch +ath-dfs-jp-domain-w56-fixed-pulse-type-3-radar-detec.patch +batman-adv-fix-for-leaked-tvlv-handler.patch +media-dvb-usb-fix-use-after-free-in-dvb_usb_device_e.patch +media-spi-ir-led-add-missing-of-table-registration.patch +crypto-talitos-fix-skcipher-failure-due-to-wrong-out.patch +media-marvell-ccic-fix-dma-s-g-desc-number-calculati.patch +media-vpss-fix-a-potential-null-pointer-dereference.patch +media-media_device_enum_links32-clean-a-reserved-fie.patch +net-stmmac-dwmac1000-clear-unused-address-entries.patch +net-stmmac-dwmac4-5-clear-unused-address-entries.patch +qed-set-the-doorbell-address-correctly.patch +signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch +signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch +af_key-fix-leaks-in-key_pol_get_resp-and-dump_sp.patch +xfrm-fix-xfrm-sel-prefix-length-validation.patch +fscrypt-clean-up-some-bug_on-s-in-block-encryption-d.patch +media-mc-device.c-don-t-memset-__user-pointer-conten.patch +media-staging-media-davinci_vpfe-fix-for-memory-leak.patch +net-phy-check-against-net_device-being-null.patch +crypto-talitos-properly-handle-split-icv.patch +crypto-talitos-align-sec1-accesses-to-32-bits-bounda.patch +tua6100-avoid-build-warnings.patch +locking-lockdep-fix-merging-of-hlocks-with-non-zero-.patch +media-wl128x-fix-some-error-handling-in-fm_v4l2_init.patch +cpupower-frequency-set-r-option-misses-the-last-cpu-.patch +net-stmmac-dwmac4-fix-flow-control-issue.patch +net-fec-do-not-use-netdev-messages-too-early.patch +net-axienet-fix-race-condition-causing-tx-hang.patch +s390-qdio-handle-pending-state-for-qebsm-devices.patch +ras-cec-fix-pfn-insertion.patch +net-sfp-add-mutex-to-prevent-concurrent-state-checks.patch +ipset-fix-memory-accounting-for-hash-types-on-resize.patch +perf-cs-etm-properly-set-the-value-of-old-and-head-i.patch +perf-test-6-fix-missing-kvm-module-load-for-s390.patch +media-fdp1-support-m3n-and-e3-platforms.patch +iommu-fix-a-leak-in-iommu_insert_resv_region.patch +gpio-omap-fix-lack-of-irqstatus_raw0-for-omap4.patch +gpio-omap-ensure-irq-is-enabled-before-wakeup.patch +regmap-fix-bulk-writes-on-paged-registers.patch +bpf-silence-warning-messages-in-core.patch +rcu-force-inlining-of-rcu_read_lock.patch +x86-cpufeatures-add-fdp_excptn_only-and-zero_fcs_fds.patch +blkcg-writeback-dead-memcgs-shouldn-t-contribute-to-.patch +xfrm-fix-sa-selector-validation.patch +sched-core-add-__sched-tag-for-io_schedule.patch +sched-fair-fix-runnable_avg_yn_inv-not-used-warnings.patch +x86-atomic-fix-smp_mb__-before-after-_atomic.patch +perf-evsel-make-perf_evsel__name-accept-a-null-argum.patch +vhost_net-disable-zerocopy-by-default.patch +ipoib-correcly-show-a-vf-hardware-address.patch +edac-sysfs-fix-memory-leak-when-creating-a-csrow-obj.patch +ipsec-select-crypto-ciphers-for-xfrm_algo.patch +ipvs-defer-hook-registration-to-avoid-leaks.patch +media-s5p-mfc-make-additional-clocks-optional.patch +media-i2c-fix-warning-same-module-names.patch +ntp-limit-tai-utc-offset.patch +timer_list-guard-procfs-specific-code.patch +acpi-arm64-ignore-5.1-fadts-that-are-reported-as-5.0.patch +media-coda-fix-mpeg2-sequence-number-handling.patch +media-coda-fix-last-buffer-handling-in-v4l2_enc_cmd_.patch +media-coda-increment-sequence-offset-for-the-last-re.patch +media-vimc-cap-check-v4l2_fill_pixfmt-return-value.patch +media-hdpvr-fix-locking-and-a-missing-msleep.patch +rtlwifi-rtl8192cu-fix-error-handle-when-usb-probe-fa.patch +mt7601u-do-not-schedule-rx_tasklet-when-the-device-h.patch +x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch +mt7601u-fix-possible-memory-leak-when-the-device-is-.patch +ipvs-fix-tinfo-memory-leak-in-start_sync_thread.patch +ath10k-add-missing-error-handling.patch +ath10k-fix-pcie-device-wake-up-failed.patch +perf-tools-increase-max_nr_cpus-and-max_caches.patch +libata-don-t-request-sense-data-on-zac-ata-devices.patch +clocksource-drivers-exynos_mct-increase-priority-ove.patch +rslib-fix-decoding-of-shortened-codes.patch +rslib-fix-handling-of-of-caller-provided-syndrome.patch +ixgbe-check-ddm-existence-in-transceiver-before-acce.patch +crypto-serpent-mark-__serpent_setkey_sbox-noinline.patch +crypto-asymmetric_keys-select-crypto_hash-where-need.patch +edac-fix-global-out-of-bounds-write-when-setting-eda.patch +bcache-check-c-gc_thread-by-is_err_or_null-in-cache_.patch +net-hns3-fix-a-wformat-nonliteral-compile-warning.patch +net-hns3-add-some-error-checking-in-hclge_tm-module.patch +ath10k-destroy-sdio-workqueue-while-remove-sdio-modu.patch +iwlwifi-mvm-drop-large-non-sta-frames.patch +perf-stat-make-metric-event-lookup-more-robust.patch +net-usb-asix-init-mac-address-buffers.patch +gpiolib-fix-references-to-gpiod_-gs-et_-value_cansle.patch +bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch +bluetooth-6lowpan-search-for-destination-address-in-.patch +bluetooth-check-state-in-l2cap_disconnect_rsp.patch +gtp-add-missing-gtp_encap_disable_sock-in-gtp_encap_.patch +bluetooth-validate-ble-connection-interval-updates.patch +gtp-fix-suspicious-rcu-usage.patch +gtp-fix-illegal-context-switch-in-rcu-read-side-crit.patch +gtp-fix-use-after-free-in-gtp_encap_destroy.patch +gtp-fix-use-after-free-in-gtp_newlink.patch +net-mvmdio-defer-probe-of-orion-mdio-if-a-clock-is-n.patch +iavf-fix-dereference-of-null-rx_buffer-pointer.patch +floppy-fix-div-by-zero-in-setup_format_params.patch +floppy-fix-out-of-bounds-read-in-next_valid_format.patch +floppy-fix-invalid-pointer-dereference-in-drive_name.patch +floppy-fix-out-of-bounds-read-in-copy_buffer.patch diff --git a/queue-4.14/signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch b/queue-4.14/signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch new file mode 100644 index 00000000000..834b8bdd02b --- /dev/null +++ b/queue-4.14/signal-cifs-fix-cifs_put_tcp_session-to-call-send_si.patch @@ -0,0 +1,52 @@ +From 66e63b3845525d8fb86f792db93081ef5112fb17 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Wed, 15 May 2019 12:33:50 -0500 +Subject: signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of + force_sig + +[ Upstream commit 72abe3bcf0911d69b46c1e8bdb5612675e0ac42c ] + +The locking in force_sig_info is not prepared to deal with a task that +exits or execs (as sighand may change). The is not a locking problem +in force_sig as force_sig is only built to handle synchronous +exceptions. + +Further the function force_sig_info changes the signal state if the +signal is ignored, or blocked or if SIGNAL_UNKILLABLE will prevent the +delivery of the signal. The signal SIGKILL can not be ignored and can +not be blocked and SIGNAL_UNKILLABLE won't prevent it from being +delivered. + +So using force_sig rather than send_sig for SIGKILL is confusing +and pointless. + +Because it won't impact the sending of the signal and and because +using force_sig is wrong, replace force_sig with send_sig. + +Cc: Namjae Jeon +Cc: Jeff Layton +Cc: Steve French +Fixes: a5c3e1c725af ("Revert "cifs: No need to send SIGKILL to demux_thread during umount"") +Fixes: e7ddee9037e7 ("cifs: disable sharing session and tcon and add new TCP sharing code") +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Sasha Levin +--- + fs/cifs/connect.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 33cd844579ae..ebc5714fea95 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -2320,7 +2320,7 @@ cifs_put_tcp_session(struct TCP_Server_Info *server, int from_reconnect) + + task = xchg(&server->tsk, NULL); + if (task) +- force_sig(SIGKILL, task); ++ send_sig(SIGKILL, task, 1); + } + + static struct TCP_Server_Info * +-- +2.20.1 + diff --git a/queue-4.14/signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch b/queue-4.14/signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch new file mode 100644 index 00000000000..a3e90cd26ad --- /dev/null +++ b/queue-4.14/signal-pid_namespace-fix-reboot_pid_ns-to-use-send_s.patch @@ -0,0 +1,50 @@ +From 8534de4eb7f0d225636082ccaff19dddb732cac5 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Wed, 15 May 2019 12:29:52 -0500 +Subject: signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig + +[ Upstream commit f9070dc94542093fd516ae4ccea17ef46a4362c5 ] + +The locking in force_sig_info is not prepared to deal with a task that +exits or execs (as sighand may change). The is not a locking problem +in force_sig as force_sig is only built to handle synchronous +exceptions. + +Further the function force_sig_info changes the signal state if the +signal is ignored, or blocked or if SIGNAL_UNKILLABLE will prevent the +delivery of the signal. The signal SIGKILL can not be ignored and can +not be blocked and SIGNAL_UNKILLABLE won't prevent it from being +delivered. + +So using force_sig rather than send_sig for SIGKILL is confusing +and pointless. + +Because it won't impact the sending of the signal and and because +using force_sig is wrong, replace force_sig with send_sig. + +Cc: Daniel Lezcano +Cc: Serge Hallyn +Cc: Oleg Nesterov +Fixes: cf3f89214ef6 ("pidns: add reboot_pid_ns() to handle the reboot syscall") +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Sasha Levin +--- + kernel/pid_namespace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c +index 4918314893bc..22091c88b3bb 100644 +--- a/kernel/pid_namespace.c ++++ b/kernel/pid_namespace.c +@@ -351,7 +351,7 @@ int reboot_pid_ns(struct pid_namespace *pid_ns, int cmd) + } + + read_lock(&tasklist_lock); +- force_sig(SIGKILL, pid_ns->child_reaper); ++ send_sig(SIGKILL, pid_ns->child_reaper, 1); + read_unlock(&tasklist_lock); + + do_exit(0); +-- +2.20.1 + diff --git a/queue-4.14/timer_list-guard-procfs-specific-code.patch b/queue-4.14/timer_list-guard-procfs-specific-code.patch new file mode 100644 index 00000000000..c0f7b4492fa --- /dev/null +++ b/queue-4.14/timer_list-guard-procfs-specific-code.patch @@ -0,0 +1,89 @@ +From da86e944bb7aed5d71e2cf15b846f4070a1faf01 Mon Sep 17 00:00:00 2001 +From: Nathan Huckleberry +Date: Fri, 14 Jun 2019 11:16:04 -0700 +Subject: timer_list: Guard procfs specific code + +[ Upstream commit a9314773a91a1d3b36270085246a6715a326ff00 ] + +With CONFIG_PROC_FS=n the following warning is emitted: + +kernel/time/timer_list.c:361:36: warning: unused variable +'timer_list_sops' [-Wunused-const-variable] + static const struct seq_operations timer_list_sops = { + +Add #ifdef guard around procfs specific code. + +Signed-off-by: Nathan Huckleberry +Signed-off-by: Thomas Gleixner +Reviewed-by: Nick Desaulniers +Cc: john.stultz@linaro.org +Cc: sboyd@kernel.org +Cc: clang-built-linux@googlegroups.com +Link: https://github.com/ClangBuiltLinux/linux/issues/534 +Link: https://lkml.kernel.org/r/20190614181604.112297-1-nhuck@google.com +Signed-off-by: Sasha Levin +--- + kernel/time/timer_list.c | 36 +++++++++++++++++++----------------- + 1 file changed, 19 insertions(+), 17 deletions(-) + +diff --git a/kernel/time/timer_list.c b/kernel/time/timer_list.c +index 0ed768b56c60..7e9f149d34ea 100644 +--- a/kernel/time/timer_list.c ++++ b/kernel/time/timer_list.c +@@ -289,23 +289,6 @@ static inline void timer_list_header(struct seq_file *m, u64 now) + SEQ_printf(m, "\n"); + } + +-static int timer_list_show(struct seq_file *m, void *v) +-{ +- struct timer_list_iter *iter = v; +- +- if (iter->cpu == -1 && !iter->second_pass) +- timer_list_header(m, iter->now); +- else if (!iter->second_pass) +- print_cpu(m, iter->cpu, iter->now); +-#ifdef CONFIG_GENERIC_CLOCKEVENTS +- else if (iter->cpu == -1 && iter->second_pass) +- timer_list_show_tickdevices_header(m); +- else +- print_tickdevice(m, tick_get_device(iter->cpu), iter->cpu); +-#endif +- return 0; +-} +- + void sysrq_timer_list_show(void) + { + u64 now = ktime_to_ns(ktime_get()); +@@ -324,6 +307,24 @@ void sysrq_timer_list_show(void) + return; + } + ++#ifdef CONFIG_PROC_FS ++static int timer_list_show(struct seq_file *m, void *v) ++{ ++ struct timer_list_iter *iter = v; ++ ++ if (iter->cpu == -1 && !iter->second_pass) ++ timer_list_header(m, iter->now); ++ else if (!iter->second_pass) ++ print_cpu(m, iter->cpu, iter->now); ++#ifdef CONFIG_GENERIC_CLOCKEVENTS ++ else if (iter->cpu == -1 && iter->second_pass) ++ timer_list_show_tickdevices_header(m); ++ else ++ print_tickdevice(m, tick_get_device(iter->cpu), iter->cpu); ++#endif ++ return 0; ++} ++ + static void *move_iter(struct timer_list_iter *iter, loff_t offset) + { + for (; offset; offset--) { +@@ -395,3 +396,4 @@ static int __init init_timer_list_procfs(void) + return 0; + } + __initcall(init_timer_list_procfs); ++#endif +-- +2.20.1 + diff --git a/queue-4.14/tua6100-avoid-build-warnings.patch b/queue-4.14/tua6100-avoid-build-warnings.patch new file mode 100644 index 00000000000..62615715f89 --- /dev/null +++ b/queue-4.14/tua6100-avoid-build-warnings.patch @@ -0,0 +1,94 @@ +From 57917f01d59b7f660add90b1717490a4628043fe Mon Sep 17 00:00:00 2001 +From: "David S. Miller" +Date: Thu, 30 May 2019 11:36:15 -0700 +Subject: tua6100: Avoid build warnings. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 621ccc6cc5f8d6730b740d31d4818227866c93c9 ] + +Rename _P to _P_VAL and _R to _R_VAL to avoid global +namespace conflicts: + +drivers/media/dvb-frontends/tua6100.c: In function ‘tua6100_set_params’: +drivers/media/dvb-frontends/tua6100.c:79: warning: "_P" redefined + #define _P 32 + +In file included from ./include/acpi/platform/aclinux.h:54, + from ./include/acpi/platform/acenv.h:152, + from ./include/acpi/acpi.h:22, + from ./include/linux/acpi.h:34, + from ./include/linux/i2c.h:17, + from drivers/media/dvb-frontends/tua6100.h:30, + from drivers/media/dvb-frontends/tua6100.c:32: +./include/linux/ctype.h:14: note: this is the location of the previous definition + #define _P 0x10 /* punct */ + +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/tua6100.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/drivers/media/dvb-frontends/tua6100.c b/drivers/media/dvb-frontends/tua6100.c +index 18e6d4c5be21..859fa14b319c 100644 +--- a/drivers/media/dvb-frontends/tua6100.c ++++ b/drivers/media/dvb-frontends/tua6100.c +@@ -75,8 +75,8 @@ static int tua6100_set_params(struct dvb_frontend *fe) + struct i2c_msg msg1 = { .addr = priv->i2c_address, .flags = 0, .buf = reg1, .len = 4 }; + struct i2c_msg msg2 = { .addr = priv->i2c_address, .flags = 0, .buf = reg2, .len = 3 }; + +-#define _R 4 +-#define _P 32 ++#define _R_VAL 4 ++#define _P_VAL 32 + #define _ri 4000000 + + // setup register 0 +@@ -91,14 +91,14 @@ static int tua6100_set_params(struct dvb_frontend *fe) + else + reg1[1] = 0x0c; + +- if (_P == 64) ++ if (_P_VAL == 64) + reg1[1] |= 0x40; + if (c->frequency >= 1525000) + reg1[1] |= 0x80; + + // register 2 +- reg2[1] = (_R >> 8) & 0x03; +- reg2[2] = _R; ++ reg2[1] = (_R_VAL >> 8) & 0x03; ++ reg2[2] = _R_VAL; + if (c->frequency < 1455000) + reg2[1] |= 0x1c; + else if (c->frequency < 1630000) +@@ -110,18 +110,18 @@ static int tua6100_set_params(struct dvb_frontend *fe) + * The N divisor ratio (note: c->frequency is in kHz, but we + * need it in Hz) + */ +- prediv = (c->frequency * _R) / (_ri / 1000); +- div = prediv / _P; ++ prediv = (c->frequency * _R_VAL) / (_ri / 1000); ++ div = prediv / _P_VAL; + reg1[1] |= (div >> 9) & 0x03; + reg1[2] = div >> 1; + reg1[3] = (div << 7); +- priv->frequency = ((div * _P) * (_ri / 1000)) / _R; ++ priv->frequency = ((div * _P_VAL) * (_ri / 1000)) / _R_VAL; + + // Finally, calculate and store the value for A +- reg1[3] |= (prediv - (div*_P)) & 0x7f; ++ reg1[3] |= (prediv - (div*_P_VAL)) & 0x7f; + +-#undef _R +-#undef _P ++#undef _R_VAL ++#undef _P_VAL + #undef _ri + + if (fe->ops.i2c_gate_ctrl) +-- +2.20.1 + diff --git a/queue-4.14/vhost_net-disable-zerocopy-by-default.patch b/queue-4.14/vhost_net-disable-zerocopy-by-default.patch new file mode 100644 index 00000000000..9ffff3ce6b9 --- /dev/null +++ b/queue-4.14/vhost_net-disable-zerocopy-by-default.patch @@ -0,0 +1,43 @@ +From b793f1341700d797838287c3cbcd26b9689c07f4 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Mon, 17 Jun 2019 05:20:54 -0400 +Subject: vhost_net: disable zerocopy by default + +[ Upstream commit 098eadce3c622c07b328d0a43dda379b38cf7c5e ] + +Vhost_net was known to suffer from HOL[1] issues which is not easy to +fix. Several downstream disable the feature by default. What's more, +the datapath was split and datacopy path got the support of batching +and XDP support recently which makes it faster than zerocopy part for +small packets transmission. + +It looks to me that disable zerocopy by default is more +appropriate. It cold be enabled by default again in the future if we +fix the above issues. + +[1] https://patchwork.kernel.org/patch/3787671/ + +Signed-off-by: Jason Wang +Acked-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/vhost/net.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c +index b40e8ded49c6..4d11152e60c1 100644 +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -35,7 +35,7 @@ + + #include "vhost.h" + +-static int experimental_zcopytx = 1; ++static int experimental_zcopytx = 0; + module_param(experimental_zcopytx, int, 0444); + MODULE_PARM_DESC(experimental_zcopytx, "Enable Zero Copy TX;" + " 1 -Enable; 0 - Disable"); +-- +2.20.1 + diff --git a/queue-4.14/wil6210-fix-potential-out-of-bounds-read.patch b/queue-4.14/wil6210-fix-potential-out-of-bounds-read.patch new file mode 100644 index 00000000000..93bd51e4279 --- /dev/null +++ b/queue-4.14/wil6210-fix-potential-out-of-bounds-read.patch @@ -0,0 +1,52 @@ +From 271e26ae7280782b9f56d60138d1b6b774837524 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Mon, 15 Apr 2019 09:56:46 -0500 +Subject: wil6210: fix potential out-of-bounds read + +[ Upstream commit bfabdd6997323adbedccb13a3fed1967fb8cf8f5 ] + +Notice that *rc* can evaluate to up to 5, include/linux/netdevice.h: + +enum gro_result { + GRO_MERGED, + GRO_MERGED_FREE, + GRO_HELD, + GRO_NORMAL, + GRO_DROP, + GRO_CONSUMED, +}; +typedef enum gro_result gro_result_t; + +In case *rc* evaluates to 5, we end up having an out-of-bounds read +at drivers/net/wireless/ath/wil6210/txrx.c:821: + + wil_dbg_txrx(wil, "Rx complete %d bytes => %s\n", + len, gro_res_str[rc]); + +Fix this by adding element "GRO_CONSUMED" to array gro_res_str. + +Addresses-Coverity-ID: 1444666 ("Out-of-bounds read") +Fixes: 194b482b5055 ("wil6210: Debug print GRO Rx result") +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: Maya Erez +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wil6210/txrx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/ath/wil6210/txrx.c b/drivers/net/wireless/ath/wil6210/txrx.c +index 389c718cd257..16750056b8b5 100644 +--- a/drivers/net/wireless/ath/wil6210/txrx.c ++++ b/drivers/net/wireless/ath/wil6210/txrx.c +@@ -732,6 +732,7 @@ void wil_netif_rx_any(struct sk_buff *skb, struct net_device *ndev) + [GRO_HELD] = "GRO_HELD", + [GRO_NORMAL] = "GRO_NORMAL", + [GRO_DROP] = "GRO_DROP", ++ [GRO_CONSUMED] = "GRO_CONSUMED", + }; + + if (ndev->features & NETIF_F_RXHASH) +-- +2.20.1 + diff --git a/queue-4.14/x86-atomic-fix-smp_mb__-before-after-_atomic.patch b/queue-4.14/x86-atomic-fix-smp_mb__-before-after-_atomic.patch new file mode 100644 index 00000000000..af9ef9e6160 --- /dev/null +++ b/queue-4.14/x86-atomic-fix-smp_mb__-before-after-_atomic.patch @@ -0,0 +1,164 @@ +From d0c776d4d51702ec1e165ba295eea0fa5217e40b Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Wed, 24 Apr 2019 13:38:23 +0200 +Subject: x86/atomic: Fix smp_mb__{before,after}_atomic() + +[ Upstream commit 69d927bba39517d0980462efc051875b7f4db185 ] + +Recent probing at the Linux Kernel Memory Model uncovered a +'surprise'. Strongly ordered architectures where the atomic RmW +primitive implies full memory ordering and +smp_mb__{before,after}_atomic() are a simple barrier() (such as x86) +fail for: + + *x = 1; + atomic_inc(u); + smp_mb__after_atomic(); + r0 = *y; + +Because, while the atomic_inc() implies memory order, it +(surprisingly) does not provide a compiler barrier. This then allows +the compiler to re-order like so: + + atomic_inc(u); + *x = 1; + smp_mb__after_atomic(); + r0 = *y; + +Which the CPU is then allowed to re-order (under TSO rules) like: + + atomic_inc(u); + r0 = *y; + *x = 1; + +And this very much was not intended. Therefore strengthen the atomic +RmW ops to include a compiler barrier. + +NOTE: atomic_{or,and,xor} and the bitops already had the compiler +barrier. + +Signed-off-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + Documentation/atomic_t.txt | 3 +++ + arch/x86/include/asm/atomic.h | 8 ++++---- + arch/x86/include/asm/atomic64_64.h | 8 ++++---- + arch/x86/include/asm/barrier.h | 4 ++-- + 4 files changed, 13 insertions(+), 10 deletions(-) + +diff --git a/Documentation/atomic_t.txt b/Documentation/atomic_t.txt +index 913396ac5824..ed0d814df7e0 100644 +--- a/Documentation/atomic_t.txt ++++ b/Documentation/atomic_t.txt +@@ -177,6 +177,9 @@ These helper barriers exist because architectures have varying implicit + ordering on their SMP atomic primitives. For example our TSO architectures + provide full ordered atomics and these barriers are no-ops. + ++NOTE: when the atomic RmW ops are fully ordered, they should also imply a ++compiler barrier. ++ + Thus: + + atomic_fetch_add(); +diff --git a/arch/x86/include/asm/atomic.h b/arch/x86/include/asm/atomic.h +index 72759f131cc5..d09dd91dd0b6 100644 +--- a/arch/x86/include/asm/atomic.h ++++ b/arch/x86/include/asm/atomic.h +@@ -50,7 +50,7 @@ static __always_inline void atomic_add(int i, atomic_t *v) + { + asm volatile(LOCK_PREFIX "addl %1,%0" + : "+m" (v->counter) +- : "ir" (i)); ++ : "ir" (i) : "memory"); + } + + /** +@@ -64,7 +64,7 @@ static __always_inline void atomic_sub(int i, atomic_t *v) + { + asm volatile(LOCK_PREFIX "subl %1,%0" + : "+m" (v->counter) +- : "ir" (i)); ++ : "ir" (i) : "memory"); + } + + /** +@@ -90,7 +90,7 @@ static __always_inline bool atomic_sub_and_test(int i, atomic_t *v) + static __always_inline void atomic_inc(atomic_t *v) + { + asm volatile(LOCK_PREFIX "incl %0" +- : "+m" (v->counter)); ++ : "+m" (v->counter) :: "memory"); + } + + /** +@@ -102,7 +102,7 @@ static __always_inline void atomic_inc(atomic_t *v) + static __always_inline void atomic_dec(atomic_t *v) + { + asm volatile(LOCK_PREFIX "decl %0" +- : "+m" (v->counter)); ++ : "+m" (v->counter) :: "memory"); + } + + /** +diff --git a/arch/x86/include/asm/atomic64_64.h b/arch/x86/include/asm/atomic64_64.h +index 738495caf05f..e6fad6bbb2ee 100644 +--- a/arch/x86/include/asm/atomic64_64.h ++++ b/arch/x86/include/asm/atomic64_64.h +@@ -45,7 +45,7 @@ static __always_inline void atomic64_add(long i, atomic64_t *v) + { + asm volatile(LOCK_PREFIX "addq %1,%0" + : "=m" (v->counter) +- : "er" (i), "m" (v->counter)); ++ : "er" (i), "m" (v->counter) : "memory"); + } + + /** +@@ -59,7 +59,7 @@ static inline void atomic64_sub(long i, atomic64_t *v) + { + asm volatile(LOCK_PREFIX "subq %1,%0" + : "=m" (v->counter) +- : "er" (i), "m" (v->counter)); ++ : "er" (i), "m" (v->counter) : "memory"); + } + + /** +@@ -86,7 +86,7 @@ static __always_inline void atomic64_inc(atomic64_t *v) + { + asm volatile(LOCK_PREFIX "incq %0" + : "=m" (v->counter) +- : "m" (v->counter)); ++ : "m" (v->counter) : "memory"); + } + + /** +@@ -99,7 +99,7 @@ static __always_inline void atomic64_dec(atomic64_t *v) + { + asm volatile(LOCK_PREFIX "decq %0" + : "=m" (v->counter) +- : "m" (v->counter)); ++ : "m" (v->counter) : "memory"); + } + + /** +diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h +index a04f0c242a28..bc88797cfa61 100644 +--- a/arch/x86/include/asm/barrier.h ++++ b/arch/x86/include/asm/barrier.h +@@ -106,8 +106,8 @@ do { \ + #endif + + /* Atomic operations are already serializing on x86 */ +-#define __smp_mb__before_atomic() barrier() +-#define __smp_mb__after_atomic() barrier() ++#define __smp_mb__before_atomic() do { } while (0) ++#define __smp_mb__after_atomic() do { } while (0) + + #include + +-- +2.20.1 + diff --git a/queue-4.14/x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch b/queue-4.14/x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch new file mode 100644 index 00000000000..e8a5ea99a48 --- /dev/null +++ b/queue-4.14/x86-build-add-set-e-to-mkcapflags.sh-to-delete-broke.patch @@ -0,0 +1,52 @@ +From 3206e1a48c9b7b42038bc7c61a23bb93123dc74e Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Tue, 25 Jun 2019 16:26:22 +0900 +Subject: x86/build: Add 'set -e' to mkcapflags.sh to delete broken capflags.c + +[ Upstream commit bc53d3d777f81385c1bb08b07bd1c06450ecc2c1 ] + +Without 'set -e', shell scripts continue running even after any +error occurs. The missed 'set -e' is a typical bug in shell scripting. + +For example, when a disk space shortage occurs while this script is +running, it actually ends up with generating a truncated capflags.c. + +Yet, mkcapflags.sh continues running and exits with 0. So, the build +system assumes it has succeeded. + +It will not be re-generated in the next invocation of Make since its +timestamp is newer than that of any of the source files. + +Add 'set -e' so that any error in this script is caught and propagated +to the build system. + +Since 9c2af1c7377a ("kbuild: add .DELETE_ON_ERROR special target"), +make automatically deletes the target on any failure. So, the broken +capflags.c will be deleted automatically. + +Signed-off-by: Masahiro Yamada +Signed-off-by: Thomas Gleixner +Cc: "H. Peter Anvin" +Cc: Borislav Petkov +Link: https://lkml.kernel.org/r/20190625072622.17679-1-yamada.masahiro@socionext.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/mkcapflags.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/x86/kernel/cpu/mkcapflags.sh b/arch/x86/kernel/cpu/mkcapflags.sh +index d0dfb892c72f..aed45b8895d5 100644 +--- a/arch/x86/kernel/cpu/mkcapflags.sh ++++ b/arch/x86/kernel/cpu/mkcapflags.sh +@@ -4,6 +4,8 @@ + # Generate the x86_cap/bug_flags[] arrays from include/asm/cpufeatures.h + # + ++set -e ++ + IN=$1 + OUT=$2 + +-- +2.20.1 + diff --git a/queue-4.14/x86-cpufeatures-add-fdp_excptn_only-and-zero_fcs_fds.patch b/queue-4.14/x86-cpufeatures-add-fdp_excptn_only-and-zero_fcs_fds.patch new file mode 100644 index 00000000000..6863408dee2 --- /dev/null +++ b/queue-4.14/x86-cpufeatures-add-fdp_excptn_only-and-zero_fcs_fds.patch @@ -0,0 +1,60 @@ +From 673f0a42699cbdfd03d3806e4aa710300f64fce0 Mon Sep 17 00:00:00 2001 +From: Aaron Lewis +Date: Wed, 5 Jun 2019 15:02:52 -0700 +Subject: x86/cpufeatures: Add FDP_EXCPTN_ONLY and ZERO_FCS_FDS + +[ Upstream commit cbb99c0f588737ec98c333558922ce47e9a95827 ] + +Add the CPUID enumeration for Intel's de-feature bits to accommodate +passing these de-features through to kvm guests. + +These de-features are (from SDM vol 1, section 8.1.8): + - X86_FEATURE_FDP_EXCPTN_ONLY: If CPUID.(EAX=07H,ECX=0H):EBX[bit 6] = 1, the + data pointer (FDP) is updated only for the x87 non-control instructions that + incur unmasked x87 exceptions. + - X86_FEATURE_ZERO_FCS_FDS: If CPUID.(EAX=07H,ECX=0H):EBX[bit 13] = 1, the + processor deprecates FCS and FDS; it saves each as 0000H. + +Signed-off-by: Aaron Lewis +Signed-off-by: Borislav Petkov +Reviewed-by: Jim Mattson +Cc: Fenghua Yu +Cc: Frederic Weisbecker +Cc: "H. Peter Anvin" +Cc: Ingo Molnar +Cc: Konrad Rzeszutek Wilk +Cc: marcorr@google.com +Cc: Peter Feiner +Cc: pshier@google.com +Cc: Robert Hoo +Cc: Thomas Gleixner +Cc: Thomas Lendacky +Cc: x86-ml +Link: https://lkml.kernel.org/r/20190605220252.103406-1-aaronlewis@google.com +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/cpufeatures.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h +index 48ef9ed8226d..4cb8315c521f 100644 +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -239,12 +239,14 @@ + #define X86_FEATURE_BMI1 ( 9*32+ 3) /* 1st group bit manipulation extensions */ + #define X86_FEATURE_HLE ( 9*32+ 4) /* Hardware Lock Elision */ + #define X86_FEATURE_AVX2 ( 9*32+ 5) /* AVX2 instructions */ ++#define X86_FEATURE_FDP_EXCPTN_ONLY ( 9*32+ 6) /* "" FPU data pointer updated only on x87 exceptions */ + #define X86_FEATURE_SMEP ( 9*32+ 7) /* Supervisor Mode Execution Protection */ + #define X86_FEATURE_BMI2 ( 9*32+ 8) /* 2nd group bit manipulation extensions */ + #define X86_FEATURE_ERMS ( 9*32+ 9) /* Enhanced REP MOVSB/STOSB instructions */ + #define X86_FEATURE_INVPCID ( 9*32+10) /* Invalidate Processor Context ID */ + #define X86_FEATURE_RTM ( 9*32+11) /* Restricted Transactional Memory */ + #define X86_FEATURE_CQM ( 9*32+12) /* Cache QoS Monitoring */ ++#define X86_FEATURE_ZERO_FCS_FDS ( 9*32+13) /* "" Zero out FPU CS and FPU DS */ + #define X86_FEATURE_MPX ( 9*32+14) /* Memory Protection Extension */ + #define X86_FEATURE_RDT_A ( 9*32+15) /* Resource Director Technology Allocation */ + #define X86_FEATURE_AVX512F ( 9*32+16) /* AVX-512 Foundation */ +-- +2.20.1 + diff --git a/queue-4.14/xfrm-fix-sa-selector-validation.patch b/queue-4.14/xfrm-fix-sa-selector-validation.patch new file mode 100644 index 00000000000..bf66b26ce9b --- /dev/null +++ b/queue-4.14/xfrm-fix-sa-selector-validation.patch @@ -0,0 +1,42 @@ +From 1e2af0d0f29d6b6256ef03cf788184684ee9cb07 Mon Sep 17 00:00:00 2001 +From: Nicolas Dichtel +Date: Fri, 14 Jun 2019 11:13:55 +0200 +Subject: xfrm: fix sa selector validation + +[ Upstream commit b8d6d0079757cbd1b69724cfd1c08e2171c68cee ] + +After commit b38ff4075a80, the following command does not work anymore: +$ ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 34 reqid 1 \ + mode tunnel enc 'cbc(aes)' 0xb0abdba8b782ad9d364ec81e3a7d82a1 auth-trunc \ + 'hmac(sha1)' 0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6 96 flag align4 + +In fact, the selector is not mandatory, allow the user to provide an empty +selector. + +Fixes: b38ff4075a80 ("xfrm: Fix xfrm sel prefix length validation") +CC: Anirudh Gupta +Signed-off-by: Nicolas Dichtel +Acked-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index b25b68ae7c74..150c58dc8a7b 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -166,6 +166,9 @@ static int verify_newsa_info(struct xfrm_usersa_info *p, + } + + switch (p->sel.family) { ++ case AF_UNSPEC: ++ break; ++ + case AF_INET: + if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) + goto out; +-- +2.20.1 + diff --git a/queue-4.14/xfrm-fix-xfrm-sel-prefix-length-validation.patch b/queue-4.14/xfrm-fix-xfrm-sel-prefix-length-validation.patch new file mode 100644 index 00000000000..421fc140762 --- /dev/null +++ b/queue-4.14/xfrm-fix-xfrm-sel-prefix-length-validation.patch @@ -0,0 +1,56 @@ +From 54948bc0912b8786d17f24c00ca3c4a82e9de7a3 Mon Sep 17 00:00:00 2001 +From: Anirudh Gupta +Date: Tue, 21 May 2019 20:59:47 +0530 +Subject: xfrm: Fix xfrm sel prefix length validation + +[ Upstream commit b38ff4075a80b4da5cb2202d7965332ca0efb213 ] + +Family of src/dst can be different from family of selector src/dst. +Use xfrm selector family to validate address prefix length, +while verifying new sa from userspace. + +Validated patch with this command: +ip xfrm state add src 1.1.6.1 dst 1.1.6.2 proto esp spi 4260196 \ +reqid 20004 mode tunnel aead "rfc4106(gcm(aes))" \ +0x1111016400000000000000000000000044440001 128 \ +sel src 1011:1:4::2/128 sel dst 1021:1:4::2/128 dev Port5 + +Fixes: 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.") +Signed-off-by: Anirudh Gupta +Acked-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 919b8406028c..b25b68ae7c74 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -150,6 +150,22 @@ static int verify_newsa_info(struct xfrm_usersa_info *p, + + err = -EINVAL; + switch (p->family) { ++ case AF_INET: ++ break; ++ ++ case AF_INET6: ++#if IS_ENABLED(CONFIG_IPV6) ++ break; ++#else ++ err = -EAFNOSUPPORT; ++ goto out; ++#endif ++ ++ default: ++ goto out; ++ } ++ ++ switch (p->sel.family) { + case AF_INET: + if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) + goto out; +-- +2.20.1 + -- 2.47.3