From 4a6e874ddb6763d10708502d463d98c86cf3448c Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 25 Aug 2019 22:40:24 -0400 Subject: [PATCH] fixes for 4.4 Signed-off-by: Sasha Levin --- ...nstantiation-if-dai-format-setup-fai.patch | 40 +++++ ...mcasp-correct-slot_width-posed-const.patch | 112 ++++++++++++++ ...ave-speed-check-after-link-state-rec.patch | 73 +++++++++ ...netif_carrier_off-in-register_candev.patch | 38 +++++ ...ce-the-string-buffer-null-terminated.patch | 38 +++++ ...ce-the-string-buffer-null-terminated.patch | 38 +++++ ...44f-b320-thrustmaster-inc.-2-in-1-dt.patch | 65 ++++++++ ...-misdn-driver-crash-caused-by-transf.patch | 86 +++++++++++ ...sb-fix-possible-null-pointer-derefer.patch | 49 ++++++ ...g-safety-checks-in-sff-pio-transfers.patch | 46 ++++++ ...-use-i8253-clocksource-with-periodic.patch | 38 +++++ ...ix-a-resource-leak-in-a-error-path-i.patch | 44 ++++++ ...n-fix-dma_map_single-failed-on-arm64.patch | 107 +++++++++++++ ...-fix-hip04-xmit-never-return-tx_busy.patch | 41 +++++ ...-make-hip04_tx_reclaim-non-reentrant.patch | 94 ++++++++++++ ...mi_wwan-add-the-broadmobi-bm818-card.patch | 32 ++++ ...bles-fix-a-memory-leak-bug-in-compat.patch | 44 ++++++ ...ntial-sleep-while-atomic-in-nfs4_do_.patch | 142 ++++++++++++++++++ .../perf-bench-numa-fix-cpu0-binding.patch | 57 +++++++ ...elftests-kvm-adding-config-fragments.patch | 30 ++++ queue-4.4/series | 22 +++ ...ivity_event_received-null-check-the-.patch | 32 ++++ ...ctivity_event_received-null-check-th.patch | 32 ++++ 23 files changed, 1300 insertions(+) create mode 100644 queue-4.4/asoc-fail-card-instantiation-if-dai-format-setup-fai.patch create mode 100644 queue-4.4/asoc-ti-davinci-mcasp-correct-slot_width-posed-const.patch create mode 100644 queue-4.4/bonding-force-slave-speed-check-after-link-state-rec.patch create mode 100644 queue-4.4/can-dev-call-netif_carrier_off-in-register_candev.patch create mode 100644 queue-4.4/can-peak_usb-force-the-string-buffer-null-terminated.patch create mode 100644 queue-4.4/can-sja1000-force-the-string-buffer-null-terminated.patch create mode 100644 queue-4.4/hid-add-044f-b320-thrustmaster-inc.-2-in-1-dt.patch create mode 100644 queue-4.4/isdn-hfcsusb-fix-misdn-driver-crash-caused-by-transf.patch create mode 100644 queue-4.4/isdn-misdn-hfcsusb-fix-possible-null-pointer-derefer.patch create mode 100644 queue-4.4/libata-add-sg-safety-checks-in-sff-pio-transfers.patch create mode 100644 queue-4.4/mips-kernel-only-use-i8253-clocksource-with-periodic.patch create mode 100644 queue-4.4/net-cxgb3_main-fix-a-resource-leak-in-a-error-path-i.patch create mode 100644 queue-4.4/net-hisilicon-fix-dma_map_single-failed-on-arm64.patch create mode 100644 queue-4.4/net-hisilicon-fix-hip04-xmit-never-return-tx_busy.patch create mode 100644 queue-4.4/net-hisilicon-make-hip04_tx_reclaim-non-reentrant.patch create mode 100644 queue-4.4/net-usb-qmi_wwan-add-the-broadmobi-bm818-card.patch create mode 100644 queue-4.4/netfilter-ebtables-fix-a-memory-leak-bug-in-compat.patch create mode 100644 queue-4.4/nfsv4-fix-a-potential-sleep-while-atomic-in-nfs4_do_.patch create mode 100644 queue-4.4/perf-bench-numa-fix-cpu0-binding.patch create mode 100644 queue-4.4/selftests-kvm-adding-config-fragments.patch create mode 100644 queue-4.4/series create mode 100644 queue-4.4/st21nfca_connectivity_event_received-null-check-the-.patch create mode 100644 queue-4.4/st_nci_hci_connectivity_event_received-null-check-th.patch diff --git a/queue-4.4/asoc-fail-card-instantiation-if-dai-format-setup-fai.patch b/queue-4.4/asoc-fail-card-instantiation-if-dai-format-setup-fai.patch new file mode 100644 index 00000000000..65880e43d7f --- /dev/null +++ b/queue-4.4/asoc-fail-card-instantiation-if-dai-format-setup-fai.patch @@ -0,0 +1,40 @@ +From 23ef2a8aea13486004622afb1fdfd0ec8fe24d30 Mon Sep 17 00:00:00 2001 +From: Ricard Wanderlof +Date: Wed, 24 Jul 2019 11:38:44 +0200 +Subject: ASoC: Fail card instantiation if DAI format setup fails + +[ Upstream commit 40aa5383e393d72f6aa3943a4e7b1aae25a1e43b ] + +If the DAI format setup fails, there is no valid communication format +between CPU and CODEC, so fail card instantiation, rather than continue +with a card that will most likely not function properly. + +Signed-off-by: Ricard Wanderlof +Link: https://lore.kernel.org/r/alpine.DEB.2.20.1907241132350.6338@lnxricardw1.se.axis.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index b927f9c81d922..8d10a24d38e06 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1357,8 +1357,11 @@ static int soc_probe_link_dais(struct snd_soc_card *card, int num, int order) + } + } + +- if (dai_link->dai_fmt) +- snd_soc_runtime_set_dai_fmt(rtd, dai_link->dai_fmt); ++ if (dai_link->dai_fmt) { ++ ret = snd_soc_runtime_set_dai_fmt(rtd, dai_link->dai_fmt); ++ if (ret) ++ return ret; ++ } + + ret = soc_post_component_init(rtd, dai_link->name); + if (ret) +-- +2.20.1 + diff --git a/queue-4.4/asoc-ti-davinci-mcasp-correct-slot_width-posed-const.patch b/queue-4.4/asoc-ti-davinci-mcasp-correct-slot_width-posed-const.patch new file mode 100644 index 00000000000..8f57f08785e --- /dev/null +++ b/queue-4.4/asoc-ti-davinci-mcasp-correct-slot_width-posed-const.patch @@ -0,0 +1,112 @@ +From 804cca6edfb77e32352f60bca511a88507c3abdd Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Fri, 26 Jul 2019 09:42:43 +0300 +Subject: ASoC: ti: davinci-mcasp: Correct slot_width posed constraint + +[ Upstream commit 1e112c35e3c96db7c8ca6ddaa96574f00c06e7db ] + +The slot_width is a property for the bus while the constraint for +SNDRV_PCM_HW_PARAM_SAMPLE_BITS is for the in memory format. + +Applying slot_width constraint to sample_bits works most of the time, but +it will blacklist valid formats in some cases. + +With slot_width 24 we can support S24_3LE and S24_LE formats as they both +look the same on the bus, but a a 24 constraint on sample_bits would not +allow S24_LE as it is stored in 32bits in memory. + +Implement a simple hw_rule function to allow all formats which require less +or equal number of bits on the bus as slot_width (if configured). + +Signed-off-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20190726064244.3762-2-peter.ujfalusi@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/davinci/davinci-mcasp.c | 43 ++++++++++++++++++++++++------- + 1 file changed, 34 insertions(+), 9 deletions(-) + +diff --git a/sound/soc/davinci/davinci-mcasp.c b/sound/soc/davinci/davinci-mcasp.c +index 512ec25c9ead1..2f7be6cee98e9 100644 +--- a/sound/soc/davinci/davinci-mcasp.c ++++ b/sound/soc/davinci/davinci-mcasp.c +@@ -1128,6 +1128,28 @@ static int davinci_mcasp_trigger(struct snd_pcm_substream *substream, + return ret; + } + ++static int davinci_mcasp_hw_rule_slot_width(struct snd_pcm_hw_params *params, ++ struct snd_pcm_hw_rule *rule) ++{ ++ struct davinci_mcasp_ruledata *rd = rule->private; ++ struct snd_mask *fmt = hw_param_mask(params, SNDRV_PCM_HW_PARAM_FORMAT); ++ struct snd_mask nfmt; ++ int i, slot_width; ++ ++ snd_mask_none(&nfmt); ++ slot_width = rd->mcasp->slot_width; ++ ++ for (i = 0; i <= SNDRV_PCM_FORMAT_LAST; i++) { ++ if (snd_mask_test(fmt, i)) { ++ if (snd_pcm_format_width(i) <= slot_width) { ++ snd_mask_set(&nfmt, i); ++ } ++ } ++ } ++ ++ return snd_mask_refine(fmt, &nfmt); ++} ++ + static const unsigned int davinci_mcasp_dai_rates[] = { + 8000, 11025, 16000, 22050, 32000, 44100, 48000, 64000, + 88200, 96000, 176400, 192000, +@@ -1219,7 +1241,7 @@ static int davinci_mcasp_startup(struct snd_pcm_substream *substream, + struct davinci_mcasp_ruledata *ruledata = + &mcasp->ruledata[substream->stream]; + u32 max_channels = 0; +- int i, dir; ++ int i, dir, ret; + int tdm_slots = mcasp->tdm_slots; + + if (mcasp->tdm_mask[substream->stream]) +@@ -1244,6 +1266,7 @@ static int davinci_mcasp_startup(struct snd_pcm_substream *substream, + max_channels++; + } + ruledata->serializers = max_channels; ++ ruledata->mcasp = mcasp; + max_channels *= tdm_slots; + /* + * If the already active stream has less channels than the calculated +@@ -1269,20 +1292,22 @@ static int davinci_mcasp_startup(struct snd_pcm_substream *substream, + 0, SNDRV_PCM_HW_PARAM_CHANNELS, + &mcasp->chconstr[substream->stream]); + +- if (mcasp->slot_width) +- snd_pcm_hw_constraint_minmax(substream->runtime, +- SNDRV_PCM_HW_PARAM_SAMPLE_BITS, +- 8, mcasp->slot_width); ++ if (mcasp->slot_width) { ++ /* Only allow formats require <= slot_width bits on the bus */ ++ ret = snd_pcm_hw_rule_add(substream->runtime, 0, ++ SNDRV_PCM_HW_PARAM_FORMAT, ++ davinci_mcasp_hw_rule_slot_width, ++ ruledata, ++ SNDRV_PCM_HW_PARAM_FORMAT, -1); ++ if (ret) ++ return ret; ++ } + + /* + * If we rely on implicit BCLK divider setting we should + * set constraints based on what we can provide. + */ + if (mcasp->bclk_master && mcasp->bclk_div == 0 && mcasp->sysclk_freq) { +- int ret; +- +- ruledata->mcasp = mcasp; +- + ret = snd_pcm_hw_rule_add(substream->runtime, 0, + SNDRV_PCM_HW_PARAM_RATE, + davinci_mcasp_hw_rule_rate, +-- +2.20.1 + diff --git a/queue-4.4/bonding-force-slave-speed-check-after-link-state-rec.patch b/queue-4.4/bonding-force-slave-speed-check-after-link-state-rec.patch new file mode 100644 index 00000000000..0e439c780ca --- /dev/null +++ b/queue-4.4/bonding-force-slave-speed-check-after-link-state-rec.patch @@ -0,0 +1,73 @@ +From 9ba6950ef93de9eac70083d38dc958d01e2b1301 Mon Sep 17 00:00:00 2001 +From: Thomas Falcon +Date: Tue, 16 Jul 2019 17:25:10 -0500 +Subject: bonding: Force slave speed check after link state recovery for + 802.3ad + +[ Upstream commit 12185dfe44360f814ac4ead9d22ad2af7511b2e9 ] + +The following scenario was encountered during testing of logical +partition mobility on pseries partitions with bonded ibmvnic +adapters in LACP mode. + +1. Driver receives a signal that the device has been + swapped, and it needs to reset to initialize the new + device. + +2. Driver reports loss of carrier and begins initialization. + +3. Bonding driver receives NETDEV_CHANGE notifier and checks + the slave's current speed and duplex settings. Because these + are unknown at the time, the bond sets its link state to + BOND_LINK_FAIL and handles the speed update, clearing + AD_PORT_LACP_ENABLE. + +4. Driver finishes recovery and reports that the carrier is on. + +5. Bond receives a new notification and checks the speed again. + The speeds are valid but miimon has not altered the link + state yet. AD_PORT_LACP_ENABLE remains off. + +Because the slave's link state is still BOND_LINK_FAIL, +no further port checks are made when it recovers. Though +the slave devices are operational and have valid speed +and duplex settings, the bond will not send LACPDU's. The +simplest fix I can see is to force another speed check +in bond_miimon_commit. This way the bond will update +AD_PORT_LACP_ENABLE if needed when transitioning from +BOND_LINK_FAIL to BOND_LINK_UP. + +CC: Jarod Wilson +CC: Jay Vosburgh +CC: Veaceslav Falico +CC: Andy Gospodarek +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 168f2331194ff..fd6aff9f0052e 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2081,6 +2081,15 @@ static void bond_miimon_commit(struct bonding *bond) + bond_for_each_slave(bond, slave, iter) { + switch (slave->new_link) { + case BOND_LINK_NOCHANGE: ++ /* For 802.3ad mode, check current slave speed and ++ * duplex again in case its port was disabled after ++ * invalid speed/duplex reporting but recovered before ++ * link monitoring could make a decision on the actual ++ * link status ++ */ ++ if (BOND_MODE(bond) == BOND_MODE_8023AD && ++ slave->link == BOND_LINK_UP) ++ bond_3ad_adapter_speed_duplex_changed(slave); + continue; + + case BOND_LINK_UP: +-- +2.20.1 + diff --git a/queue-4.4/can-dev-call-netif_carrier_off-in-register_candev.patch b/queue-4.4/can-dev-call-netif_carrier_off-in-register_candev.patch new file mode 100644 index 00000000000..310fb2dedf0 --- /dev/null +++ b/queue-4.4/can-dev-call-netif_carrier_off-in-register_candev.patch @@ -0,0 +1,38 @@ +From 580b3e34f67abb3ef9d23171005238110d170888 Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes +Date: Mon, 24 Jun 2019 08:34:13 +0000 +Subject: can: dev: call netif_carrier_off() in register_candev() + +[ Upstream commit c63845609c4700488e5eacd6ab4d06d5d420e5ef ] + +CONFIG_CAN_LEDS is deprecated. When trying to use the generic netdev +trigger as suggested, there's a small inconsistency with the link +property: The LED is on initially, stays on when the device is brought +up, and then turns off (as expected) when the device is brought down. + +Make sure the LED always reflects the state of the CAN device. + +Signed-off-by: Rasmus Villemoes +Acked-by: Willem de Bruijn +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/dev.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c +index 8b7c6425b681d..9dd968ee792e0 100644 +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -1065,6 +1065,8 @@ static struct rtnl_link_ops can_link_ops __read_mostly = { + int register_candev(struct net_device *dev) + { + dev->rtnl_link_ops = &can_link_ops; ++ netif_carrier_off(dev); ++ + return register_netdev(dev); + } + EXPORT_SYMBOL_GPL(register_candev); +-- +2.20.1 + diff --git a/queue-4.4/can-peak_usb-force-the-string-buffer-null-terminated.patch b/queue-4.4/can-peak_usb-force-the-string-buffer-null-terminated.patch new file mode 100644 index 00000000000..c89ab088a65 --- /dev/null +++ b/queue-4.4/can-peak_usb-force-the-string-buffer-null-terminated.patch @@ -0,0 +1,38 @@ +From 1fbcf172ef67f5072d07263db0aa84e116fbf664 Mon Sep 17 00:00:00 2001 +From: Wang Xiayang +Date: Wed, 31 Jul 2019 15:25:59 +0800 +Subject: can: peak_usb: force the string buffer NULL-terminated + +[ Upstream commit e787f19373b8a5fa24087800ed78314fd17b984a ] + +strncpy() does not ensure NULL-termination when the input string size +equals to the destination buffer size IFNAMSIZ. The output string is +passed to dev_info() which relies on the NULL-termination. + +Use strlcpy() instead. + +This issue is identified by a Coccinelle script. + +Signed-off-by: Wang Xiayang +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/peak_usb/pcan_usb_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c +index e13bc27b42911..b1d68f49b3989 100644 +--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c +@@ -881,7 +881,7 @@ static void peak_usb_disconnect(struct usb_interface *intf) + + dev_prev_siblings = dev->prev_siblings; + dev->state &= ~PCAN_USB_STATE_CONNECTED; +- strncpy(name, netdev->name, IFNAMSIZ); ++ strlcpy(name, netdev->name, IFNAMSIZ); + + unregister_netdev(netdev); + +-- +2.20.1 + diff --git a/queue-4.4/can-sja1000-force-the-string-buffer-null-terminated.patch b/queue-4.4/can-sja1000-force-the-string-buffer-null-terminated.patch new file mode 100644 index 00000000000..5dfa9e2f222 --- /dev/null +++ b/queue-4.4/can-sja1000-force-the-string-buffer-null-terminated.patch @@ -0,0 +1,38 @@ +From 7eedbbb858422aa1d1a5bb703cf247ce1650bcaa Mon Sep 17 00:00:00 2001 +From: Wang Xiayang +Date: Wed, 31 Jul 2019 15:31:14 +0800 +Subject: can: sja1000: force the string buffer NULL-terminated + +[ Upstream commit cd28aa2e056cd1ea79fc5f24eed0ce868c6cab5c ] + +strncpy() does not ensure NULL-termination when the input string size +equals to the destination buffer size IFNAMSIZ. The output string +'name' is passed to dev_info which relies on NULL-termination. + +Use strlcpy() instead. + +This issue is identified by a Coccinelle script. + +Signed-off-by: Wang Xiayang +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/sja1000/peak_pcmcia.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/can/sja1000/peak_pcmcia.c b/drivers/net/can/sja1000/peak_pcmcia.c +index dd56133cc4616..fc9f8b01ecae2 100644 +--- a/drivers/net/can/sja1000/peak_pcmcia.c ++++ b/drivers/net/can/sja1000/peak_pcmcia.c +@@ -487,7 +487,7 @@ static void pcan_free_channels(struct pcan_pccard *card) + if (!netdev) + continue; + +- strncpy(name, netdev->name, IFNAMSIZ); ++ strlcpy(name, netdev->name, IFNAMSIZ); + + unregister_sja1000dev(netdev); + +-- +2.20.1 + diff --git a/queue-4.4/hid-add-044f-b320-thrustmaster-inc.-2-in-1-dt.patch b/queue-4.4/hid-add-044f-b320-thrustmaster-inc.-2-in-1-dt.patch new file mode 100644 index 00000000000..c80c455f151 --- /dev/null +++ b/queue-4.4/hid-add-044f-b320-thrustmaster-inc.-2-in-1-dt.patch @@ -0,0 +1,65 @@ +From c87f760b5fef54f493d26660b3d9523c5f788187 Mon Sep 17 00:00:00 2001 +From: Ilya Trukhanov +Date: Tue, 2 Jul 2019 13:37:16 +0300 +Subject: HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT + +[ Upstream commit 65f11c72780fa9d598df88def045ccb6a885cf80 ] + +Enable force feedback for the Thrustmaster Dual Trigger 2 in 1 Rumble Force +gamepad. Compared to other Thrustmaster devices, left and right rumble +motors here are swapped. + +Signed-off-by: Ilya Trukhanov +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-tmff.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/hid/hid-tmff.c b/drivers/hid/hid-tmff.c +index b83376077d722..cfa0cb22c9b3c 100644 +--- a/drivers/hid/hid-tmff.c ++++ b/drivers/hid/hid-tmff.c +@@ -34,6 +34,8 @@ + + #include "hid-ids.h" + ++#define THRUSTMASTER_DEVICE_ID_2_IN_1_DT 0xb320 ++ + static const signed short ff_rumble[] = { + FF_RUMBLE, + -1 +@@ -88,6 +90,7 @@ static int tmff_play(struct input_dev *dev, void *data, + struct hid_field *ff_field = tmff->ff_field; + int x, y; + int left, right; /* Rumbling */ ++ int motor_swap; + + switch (effect->type) { + case FF_CONSTANT: +@@ -112,6 +115,13 @@ static int tmff_play(struct input_dev *dev, void *data, + ff_field->logical_minimum, + ff_field->logical_maximum); + ++ /* 2-in-1 strong motor is left */ ++ if (hid->product == THRUSTMASTER_DEVICE_ID_2_IN_1_DT) { ++ motor_swap = left; ++ left = right; ++ right = motor_swap; ++ } ++ + dbg_hid("(left,right)=(%08x, %08x)\n", left, right); + ff_field->value[0] = left; + ff_field->value[1] = right; +@@ -238,6 +248,8 @@ static const struct hid_device_id tm_devices[] = { + .driver_data = (unsigned long)ff_rumble }, + { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb304), /* FireStorm Dual Power 2 (and 3) */ + .driver_data = (unsigned long)ff_rumble }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, THRUSTMASTER_DEVICE_ID_2_IN_1_DT), /* Dual Trigger 2-in-1 */ ++ .driver_data = (unsigned long)ff_rumble }, + { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb323), /* Dual Trigger 3-in-1 (PC Mode) */ + .driver_data = (unsigned long)ff_rumble }, + { HID_USB_DEVICE(USB_VENDOR_ID_THRUSTMASTER, 0xb324), /* Dual Trigger 3-in-1 (PS3 Mode) */ +-- +2.20.1 + diff --git a/queue-4.4/isdn-hfcsusb-fix-misdn-driver-crash-caused-by-transf.patch b/queue-4.4/isdn-hfcsusb-fix-misdn-driver-crash-caused-by-transf.patch new file mode 100644 index 00000000000..bb73c2c6af5 --- /dev/null +++ b/queue-4.4/isdn-hfcsusb-fix-misdn-driver-crash-caused-by-transf.patch @@ -0,0 +1,86 @@ +From df6128f7338d3d2376981b6d613b71a9f1fa754a Mon Sep 17 00:00:00 2001 +From: Juliana Rodrigueiro +Date: Wed, 31 Jul 2019 15:17:23 +0200 +Subject: isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on + the stack + +[ Upstream commit d8a1de3d5bb881507602bc02e004904828f88711 ] + +Since linux 4.9 it is not possible to use buffers on the stack for DMA transfers. + +During usb probe the driver crashes with "transfer buffer is on stack" message. + +This fix k-allocates a buffer to be used on "read_reg_atomic", which is a macro +that calls "usb_control_msg" under the hood. + +Kernel 4.19 backtrace: + +usb_hcd_submit_urb+0x3e5/0x900 +? sched_clock+0x9/0x10 +? log_store+0x203/0x270 +? get_random_u32+0x6f/0x90 +? cache_alloc_refill+0x784/0x8a0 +usb_submit_urb+0x3b4/0x550 +usb_start_wait_urb+0x4e/0xd0 +usb_control_msg+0xb8/0x120 +hfcsusb_probe+0x6bc/0xb40 [hfcsusb] +usb_probe_interface+0xc2/0x260 +really_probe+0x176/0x280 +driver_probe_device+0x49/0x130 +__driver_attach+0xa9/0xb0 +? driver_probe_device+0x130/0x130 +bus_for_each_dev+0x5a/0x90 +driver_attach+0x14/0x20 +? driver_probe_device+0x130/0x130 +bus_add_driver+0x157/0x1e0 +driver_register+0x51/0xe0 +usb_register_driver+0x5d/0x120 +? 0xf81ed000 +hfcsusb_drv_init+0x17/0x1000 [hfcsusb] +do_one_initcall+0x44/0x190 +? free_unref_page_commit+0x6a/0xd0 +do_init_module+0x46/0x1c0 +load_module+0x1dc1/0x2400 +sys_init_module+0xed/0x120 +do_fast_syscall_32+0x7a/0x200 +entry_SYSENTER_32+0x6b/0xbe + +Signed-off-by: Juliana Rodrigueiro +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/hardware/mISDN/hfcsusb.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c +index 6f19530ba2a93..726fba452f5f6 100644 +--- a/drivers/isdn/hardware/mISDN/hfcsusb.c ++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c +@@ -1701,13 +1701,23 @@ hfcsusb_stop_endpoint(struct hfcsusb *hw, int channel) + static int + setup_hfcsusb(struct hfcsusb *hw) + { ++ void *dmabuf = kmalloc(sizeof(u_char), GFP_KERNEL); + u_char b; ++ int ret; + + if (debug & DBG_HFC_CALL_TRACE) + printk(KERN_DEBUG "%s: %s\n", hw->name, __func__); + ++ if (!dmabuf) ++ return -ENOMEM; ++ ++ ret = read_reg_atomic(hw, HFCUSB_CHIP_ID, dmabuf); ++ ++ memcpy(&b, dmabuf, sizeof(u_char)); ++ kfree(dmabuf); ++ + /* check the chip id */ +- if (read_reg_atomic(hw, HFCUSB_CHIP_ID, &b) != 1) { ++ if (ret != 1) { + printk(KERN_DEBUG "%s: %s: cannot read chip id\n", + hw->name, __func__); + return 1; +-- +2.20.1 + diff --git a/queue-4.4/isdn-misdn-hfcsusb-fix-possible-null-pointer-derefer.patch b/queue-4.4/isdn-misdn-hfcsusb-fix-possible-null-pointer-derefer.patch new file mode 100644 index 00000000000..fe26e919a01 --- /dev/null +++ b/queue-4.4/isdn-misdn-hfcsusb-fix-possible-null-pointer-derefer.patch @@ -0,0 +1,49 @@ +From d2ae9d48dbc203bef57bd4a76a4be73784a94983 Mon Sep 17 00:00:00 2001 +From: Jia-Ju Bai +Date: Fri, 26 Jul 2019 16:27:36 +0800 +Subject: isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in + start_isoc_chain() + +[ Upstream commit a0d57a552b836206ad7705a1060e6e1ce5a38203 ] + +In start_isoc_chain(), usb_alloc_urb() on line 1392 may fail +and return NULL. At this time, fifo->iso[i].urb is assigned to NULL. + +Then, fifo->iso[i].urb is used at some places, such as: +LINE 1405: fill_isoc_urb(fifo->iso[i].urb, ...) + urb->number_of_packets = num_packets; + urb->transfer_flags = URB_ISO_ASAP; + urb->actual_length = 0; + urb->interval = interval; +LINE 1416: fifo->iso[i].urb->... +LINE 1419: fifo->iso[i].urb->... + +Thus, possible null-pointer dereferences may occur. + +To fix these bugs, "continue" is added to avoid using fifo->iso[i].urb +when it is NULL. + +These bugs are found by a static analysis tool STCheck written by us. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/hardware/mISDN/hfcsusb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c +index c60c7998af173..6f19530ba2a93 100644 +--- a/drivers/isdn/hardware/mISDN/hfcsusb.c ++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c +@@ -1402,6 +1402,7 @@ start_isoc_chain(struct usb_fifo *fifo, int num_packets_per_urb, + printk(KERN_DEBUG + "%s: %s: alloc urb for fifo %i failed", + hw->name, __func__, fifo->fifonum); ++ continue; + } + fifo->iso[i].owner_fifo = (struct usb_fifo *) fifo; + fifo->iso[i].indx = i; +-- +2.20.1 + diff --git a/queue-4.4/libata-add-sg-safety-checks-in-sff-pio-transfers.patch b/queue-4.4/libata-add-sg-safety-checks-in-sff-pio-transfers.patch new file mode 100644 index 00000000000..c2509ba3efa --- /dev/null +++ b/queue-4.4/libata-add-sg-safety-checks-in-sff-pio-transfers.patch @@ -0,0 +1,46 @@ +From 829a98e5b786f3237d5a3b139cea7cbe0867452b Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Wed, 7 Aug 2019 12:23:57 -0600 +Subject: libata: add SG safety checks in SFF pio transfers + +[ Upstream commit 752ead44491e8c91e14d7079625c5916b30921c5 ] + +Abort processing of a command if we run out of mapped data in the +SG list. This should never happen, but a previous bug caused it to +be possible. Play it safe and attempt to abort nicely if we don't +have more SG segments left. + +Reviewed-by: Kees Cook +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-sff.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c +index 18de4c4570682..1d8901fc0bfa9 100644 +--- a/drivers/ata/libata-sff.c ++++ b/drivers/ata/libata-sff.c +@@ -703,6 +703,10 @@ static void ata_pio_sector(struct ata_queued_cmd *qc) + unsigned int offset; + unsigned char *buf; + ++ if (!qc->cursg) { ++ qc->curbytes = qc->nbytes; ++ return; ++ } + if (qc->curbytes == qc->nbytes - qc->sect_size) + ap->hsm_task_state = HSM_ST_LAST; + +@@ -742,6 +746,8 @@ static void ata_pio_sector(struct ata_queued_cmd *qc) + + if (qc->cursg_ofs == qc->cursg->length) { + qc->cursg = sg_next(qc->cursg); ++ if (!qc->cursg) ++ ap->hsm_task_state = HSM_ST_LAST; + qc->cursg_ofs = 0; + } + } +-- +2.20.1 + diff --git a/queue-4.4/mips-kernel-only-use-i8253-clocksource-with-periodic.patch b/queue-4.4/mips-kernel-only-use-i8253-clocksource-with-periodic.patch new file mode 100644 index 00000000000..93062142c77 --- /dev/null +++ b/queue-4.4/mips-kernel-only-use-i8253-clocksource-with-periodic.patch @@ -0,0 +1,38 @@ +From cb1407f6783cd633a2800f39df903a463fd52449 Mon Sep 17 00:00:00 2001 +From: Thomas Bogendoerfer +Date: Mon, 13 May 2019 13:47:25 +0200 +Subject: MIPS: kernel: only use i8253 clocksource with periodic clockevent + +[ Upstream commit a07e3324538a989b7cdbf2c679be6a7f9df2544f ] + +i8253 clocksource needs a free running timer. This could only +be used, if i8253 clockevent is set up as periodic. + +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Paul Burton +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-mips@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/i8253.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/mips/kernel/i8253.c b/arch/mips/kernel/i8253.c +index c5bc344fc745c..73039746ae364 100644 +--- a/arch/mips/kernel/i8253.c ++++ b/arch/mips/kernel/i8253.c +@@ -31,7 +31,8 @@ void __init setup_pit_timer(void) + + static int __init init_pit_clocksource(void) + { +- if (num_possible_cpus() > 1) /* PIT does not scale! */ ++ if (num_possible_cpus() > 1 || /* PIT does not scale! */ ++ !clockevent_state_periodic(&i8253_clockevent)) + return 0; + + return clocksource_i8253_init(); +-- +2.20.1 + diff --git a/queue-4.4/net-cxgb3_main-fix-a-resource-leak-in-a-error-path-i.patch b/queue-4.4/net-cxgb3_main-fix-a-resource-leak-in-a-error-path-i.patch new file mode 100644 index 00000000000..981a36cb215 --- /dev/null +++ b/queue-4.4/net-cxgb3_main-fix-a-resource-leak-in-a-error-path-i.patch @@ -0,0 +1,44 @@ +From 9c369ecceecd8e6cdbf4130d403d9845de930203 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Tue, 6 Aug 2019 10:55:12 +0200 +Subject: net: cxgb3_main: Fix a resource leak in a error path in 'init_one()' + +[ Upstream commit debea2cd3193ac868289e8893c3a719c265b0612 ] + +A call to 'kfree_skb()' is missing in the error handling path of +'init_one()'. +This is already present in 'remove_one()' but is missing here. + +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +index 3dd4c39640dc4..bee615cddbdd8 100644 +--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +@@ -3260,7 +3260,7 @@ static int init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + if (!adapter->regs) { + dev_err(&pdev->dev, "cannot map device registers\n"); + err = -ENOMEM; +- goto out_free_adapter; ++ goto out_free_adapter_nofail; + } + + adapter->pdev = pdev; +@@ -3378,6 +3378,9 @@ out_free_dev: + if (adapter->port[i]) + free_netdev(adapter->port[i]); + ++out_free_adapter_nofail: ++ kfree_skb(adapter->nofail_skb); ++ + out_free_adapter: + kfree(adapter); + +-- +2.20.1 + diff --git a/queue-4.4/net-hisilicon-fix-dma_map_single-failed-on-arm64.patch b/queue-4.4/net-hisilicon-fix-dma_map_single-failed-on-arm64.patch new file mode 100644 index 00000000000..c505e21d8e6 --- /dev/null +++ b/queue-4.4/net-hisilicon-fix-dma_map_single-failed-on-arm64.patch @@ -0,0 +1,107 @@ +From ef97219a430113adcc4ebb773cf1bb4e83460e69 Mon Sep 17 00:00:00 2001 +From: Jiangfeng Xiao +Date: Sat, 3 Aug 2019 20:31:41 +0800 +Subject: net: hisilicon: Fix dma_map_single failed on arm64 + +[ Upstream commit 96a50c0d907ac8f5c3d6b051031a19eb8a2b53e3 ] + +On the arm64 platform, executing "ifconfig eth0 up" will fail, +returning "ifconfig: SIOCSIFFLAGS: Input/output error." + +ndev->dev is not initialized, dma_map_single->get_dma_ops-> +dummy_dma_ops->__dummy_map_page will return DMA_ERROR_CODE +directly, so when we use dma_map_single, the first parameter +is to use the device of platform_device. + +Signed-off-by: Jiangfeng Xiao +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hip04_eth.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c +index a88d233df4e82..def831c89d354 100644 +--- a/drivers/net/ethernet/hisilicon/hip04_eth.c ++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c +@@ -157,6 +157,7 @@ struct hip04_priv { + unsigned int reg_inten; + + struct napi_struct napi; ++ struct device *dev; + struct net_device *ndev; + + struct tx_desc *tx_desc; +@@ -387,7 +388,7 @@ static int hip04_tx_reclaim(struct net_device *ndev, bool force) + } + + if (priv->tx_phys[tx_tail]) { +- dma_unmap_single(&ndev->dev, priv->tx_phys[tx_tail], ++ dma_unmap_single(priv->dev, priv->tx_phys[tx_tail], + priv->tx_skb[tx_tail]->len, + DMA_TO_DEVICE); + priv->tx_phys[tx_tail] = 0; +@@ -437,8 +438,8 @@ static int hip04_mac_start_xmit(struct sk_buff *skb, struct net_device *ndev) + return NETDEV_TX_BUSY; + } + +- phys = dma_map_single(&ndev->dev, skb->data, skb->len, DMA_TO_DEVICE); +- if (dma_mapping_error(&ndev->dev, phys)) { ++ phys = dma_map_single(priv->dev, skb->data, skb->len, DMA_TO_DEVICE); ++ if (dma_mapping_error(priv->dev, phys)) { + dev_kfree_skb(skb); + return NETDEV_TX_OK; + } +@@ -506,7 +507,7 @@ static int hip04_rx_poll(struct napi_struct *napi, int budget) + if (unlikely(!skb)) + net_dbg_ratelimited("build_skb failed\n"); + +- dma_unmap_single(&ndev->dev, priv->rx_phys[priv->rx_head], ++ dma_unmap_single(priv->dev, priv->rx_phys[priv->rx_head], + RX_BUF_SIZE, DMA_FROM_DEVICE); + priv->rx_phys[priv->rx_head] = 0; + +@@ -534,9 +535,9 @@ static int hip04_rx_poll(struct napi_struct *napi, int budget) + buf = netdev_alloc_frag(priv->rx_buf_size); + if (!buf) + goto done; +- phys = dma_map_single(&ndev->dev, buf, ++ phys = dma_map_single(priv->dev, buf, + RX_BUF_SIZE, DMA_FROM_DEVICE); +- if (dma_mapping_error(&ndev->dev, phys)) ++ if (dma_mapping_error(priv->dev, phys)) + goto done; + priv->rx_buf[priv->rx_head] = buf; + priv->rx_phys[priv->rx_head] = phys; +@@ -639,9 +640,9 @@ static int hip04_mac_open(struct net_device *ndev) + for (i = 0; i < RX_DESC_NUM; i++) { + dma_addr_t phys; + +- phys = dma_map_single(&ndev->dev, priv->rx_buf[i], ++ phys = dma_map_single(priv->dev, priv->rx_buf[i], + RX_BUF_SIZE, DMA_FROM_DEVICE); +- if (dma_mapping_error(&ndev->dev, phys)) ++ if (dma_mapping_error(priv->dev, phys)) + return -EIO; + + priv->rx_phys[i] = phys; +@@ -675,7 +676,7 @@ static int hip04_mac_stop(struct net_device *ndev) + + for (i = 0; i < RX_DESC_NUM; i++) { + if (priv->rx_phys[i]) { +- dma_unmap_single(&ndev->dev, priv->rx_phys[i], ++ dma_unmap_single(priv->dev, priv->rx_phys[i], + RX_BUF_SIZE, DMA_FROM_DEVICE); + priv->rx_phys[i] = 0; + } +@@ -826,6 +827,7 @@ static int hip04_mac_probe(struct platform_device *pdev) + return -ENOMEM; + + priv = netdev_priv(ndev); ++ priv->dev = d; + priv->ndev = ndev; + platform_set_drvdata(pdev, ndev); + +-- +2.20.1 + diff --git a/queue-4.4/net-hisilicon-fix-hip04-xmit-never-return-tx_busy.patch b/queue-4.4/net-hisilicon-fix-hip04-xmit-never-return-tx_busy.patch new file mode 100644 index 00000000000..752c45fc30b --- /dev/null +++ b/queue-4.4/net-hisilicon-fix-hip04-xmit-never-return-tx_busy.patch @@ -0,0 +1,41 @@ +From f39445fc843dc85baeb6ad869588f8e831acbb9e Mon Sep 17 00:00:00 2001 +From: Jiangfeng Xiao +Date: Sat, 3 Aug 2019 20:31:40 +0800 +Subject: net: hisilicon: fix hip04-xmit never return TX_BUSY + +[ Upstream commit f2243b82785942be519016067ee6c55a063bbfe2 ] + +TX_DESC_NUM is 256, in tx_count, the maximum value of +mod(TX_DESC_NUM - 1) is 254, the variable "count" in +the hip04_mac_start_xmit function is never equal to +(TX_DESC_NUM - 1), so hip04_mac_start_xmit never +return NETDEV_TX_BUSY. + +tx_count is modified to mod(TX_DESC_NUM) so that +the maximum value of tx_count can reach +(TX_DESC_NUM - 1), then hip04_mac_start_xmit can reurn +NETDEV_TX_BUSY. + +Signed-off-by: Jiangfeng Xiao +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hip04_eth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c +index fdf8a477bec9c..a88d233df4e82 100644 +--- a/drivers/net/ethernet/hisilicon/hip04_eth.c ++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c +@@ -185,7 +185,7 @@ struct hip04_priv { + + static inline unsigned int tx_count(unsigned int head, unsigned int tail) + { +- return (head - tail) % (TX_DESC_NUM - 1); ++ return (head - tail) % TX_DESC_NUM; + } + + static void hip04_config_port(struct net_device *ndev, u32 speed, u32 duplex) +-- +2.20.1 + diff --git a/queue-4.4/net-hisilicon-make-hip04_tx_reclaim-non-reentrant.patch b/queue-4.4/net-hisilicon-make-hip04_tx_reclaim-non-reentrant.patch new file mode 100644 index 00000000000..4e444bb4ce5 --- /dev/null +++ b/queue-4.4/net-hisilicon-make-hip04_tx_reclaim-non-reentrant.patch @@ -0,0 +1,94 @@ +From fa7d8b3cc90f08175caa62e077a44b800b06bab6 Mon Sep 17 00:00:00 2001 +From: Jiangfeng Xiao +Date: Sat, 3 Aug 2019 20:31:39 +0800 +Subject: net: hisilicon: make hip04_tx_reclaim non-reentrant + +[ Upstream commit 1a2c070ae805910a853b4a14818481ed2e17c727 ] + +If hip04_tx_reclaim is interrupted while it is running +and then __napi_schedule continues to execute +hip04_rx_poll->hip04_tx_reclaim, reentrancy occurs +and oops is generated. So you need to mask the interrupt +during the hip04_tx_reclaim run. + +The kernel oops exception stack is as follows: + +Unable to handle kernel NULL pointer dereference +at virtual address 00000050 +pgd = c0003000 +[00000050] *pgd=80000000a04003, *pmd=00000000 +Internal error: Oops: 206 [#1] SMP ARM +Modules linked in: hip04_eth mtdblock mtd_blkdevs mtd +ohci_platform ehci_platform ohci_hcd ehci_hcd +vfat fat sd_mod usb_storage scsi_mod usbcore usb_common +CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 4.4.185 #1 +Hardware name: Hisilicon A15 +task: c0a250e0 task.stack: c0a00000 +PC is at hip04_tx_reclaim+0xe0/0x17c [hip04_eth] +LR is at hip04_tx_reclaim+0x30/0x17c [hip04_eth] +pc : [] lr : [] psr: 600e0313 +sp : c0a01d88 ip : 00000000 fp : c0601f9c +r10: 00000000 r9 : c3482380 r8 : 00000001 +r7 : 00000000 r6 : 000000e1 r5 : c3482000 r4 : 0000000c +r3 : f2209800 r2 : 00000000 r1 : 00000000 r0 : 00000000 +Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel +Control: 32c5387d Table: 03d28c80 DAC: 55555555 +Process swapper/0 (pid: 0, stack limit = 0xc0a00190) +Stack: (0xc0a01d88 to 0xc0a02000) +[] (hip04_tx_reclaim [hip04_eth]) from [] + (hip04_rx_poll+0x88/0x368 [hip04_eth]) +[] (hip04_rx_poll [hip04_eth]) from [] (net_rx_action+0x114/0x34c) +[] (net_rx_action) from [] (__do_softirq+0x218/0x318) +[] (__do_softirq) from [] (irq_exit+0x88/0xac) +[] (irq_exit) from [] (msa_irq_exit+0x11c/0x1d4) +[] (msa_irq_exit) from [] (__handle_domain_irq+0x110/0x148) +[] (__handle_domain_irq) from [] (gic_handle_irq+0xd4/0x118) +[] (gic_handle_irq) from [] (__irq_svc+0x40/0x58) +Exception stack(0xc0a01f30 to 0xc0a01f78) +1f20: c0ae8b40 00000000 00000000 00000000 +1f40: 00000002 ffffe000 c0601f9c 00000000 ffffffff c0a2257c c0a22440 c0831a38 +1f60: c0a01ec4 c0a01f80 c0203714 c0203718 600e0213 ffffffff +[] (__irq_svc) from [] (arch_cpu_idle+0x20/0x3c) +[] (arch_cpu_idle) from [] (cpu_startup_entry+0x244/0x29c) +[] (cpu_startup_entry) from [] (rest_init+0xc8/0x10c) +[] (rest_init) from [] (start_kernel+0x468/0x514) +Code: a40599e5 016086e2 018088e2 7660efe6 (503090e5) +---[ end trace 1db21d6d09c49d74 ]--- +Kernel panic - not syncing: Fatal exception in interrupt +CPU3: stopping +CPU: 3 PID: 0 Comm: swapper/3 Tainted: G D O 4.4.185 #1 + +Signed-off-by: Jiangfeng Xiao +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hip04_eth.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c +index 60c727b0b7ab2..fdf8a477bec9c 100644 +--- a/drivers/net/ethernet/hisilicon/hip04_eth.c ++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c +@@ -497,6 +497,9 @@ static int hip04_rx_poll(struct napi_struct *napi, int budget) + u16 len; + u32 err; + ++ /* clean up tx descriptors */ ++ tx_remaining = hip04_tx_reclaim(ndev, false); ++ + while (cnt && !last) { + buf = priv->rx_buf[priv->rx_head]; + skb = build_skb(buf, priv->rx_buf_size); +@@ -554,8 +557,7 @@ static int hip04_rx_poll(struct napi_struct *napi, int budget) + } + napi_complete(napi); + done: +- /* clean up tx descriptors and start a new timer if necessary */ +- tx_remaining = hip04_tx_reclaim(ndev, false); ++ /* start a new timer if necessary */ + if (rx < budget && tx_remaining) + hip04_start_tx_timer(priv); + +-- +2.20.1 + diff --git a/queue-4.4/net-usb-qmi_wwan-add-the-broadmobi-bm818-card.patch b/queue-4.4/net-usb-qmi_wwan-add-the-broadmobi-bm818-card.patch new file mode 100644 index 00000000000..1340ac55233 --- /dev/null +++ b/queue-4.4/net-usb-qmi_wwan-add-the-broadmobi-bm818-card.patch @@ -0,0 +1,32 @@ +From 23ca3f9c54ca20ca33ba814a51c2f694826beed5 Mon Sep 17 00:00:00 2001 +From: Bob Ham +Date: Wed, 24 Jul 2019 07:52:27 -0700 +Subject: net: usb: qmi_wwan: Add the BroadMobi BM818 card + +[ Upstream commit 9a07406b00cdc6ec689dc142540739575c717f3c ] + +The BroadMobi BM818 M.2 card uses the QMI protocol + +Signed-off-by: Bob Ham +Signed-off-by: Angus Ainslie (Purism) +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index ee6fefe92af43..4391430e25273 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -719,6 +719,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x2001, 0x7e35, 4)}, /* D-Link DWM-222 */ + {QMI_FIXED_INTF(0x2020, 0x2031, 4)}, /* Olicard 600 */ + {QMI_FIXED_INTF(0x2020, 0x2033, 4)}, /* BroadMobi BM806U */ ++ {QMI_FIXED_INTF(0x2020, 0x2060, 4)}, /* BroadMobi BM818 */ + {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */ + {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */ + {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */ +-- +2.20.1 + diff --git a/queue-4.4/netfilter-ebtables-fix-a-memory-leak-bug-in-compat.patch b/queue-4.4/netfilter-ebtables-fix-a-memory-leak-bug-in-compat.patch new file mode 100644 index 00000000000..baf68d39587 --- /dev/null +++ b/queue-4.4/netfilter-ebtables-fix-a-memory-leak-bug-in-compat.patch @@ -0,0 +1,44 @@ +From 417895132af51bfff398efa0fc8c57ca9d4e7e30 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Sat, 20 Jul 2019 07:22:45 -0500 +Subject: netfilter: ebtables: fix a memory leak bug in compat + +[ Upstream commit 15a78ba1844a8e052c1226f930133de4cef4e7ad ] + +In compat_do_replace(), a temporary buffer is allocated through vmalloc() +to hold entries copied from the user space. The buffer address is firstly +saved to 'newinfo->entries', and later on assigned to 'entries_tmp'. Then +the entries in this temporary buffer is copied to the internal kernel +structure through compat_copy_entries(). If this copy process fails, +compat_do_replace() should be terminated. However, the allocated temporary +buffer is not freed on this path, leading to a memory leak. + +To fix the bug, free the buffer before returning from compat_do_replace(). + +Signed-off-by: Wenwen Wang +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/bridge/netfilter/ebtables.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index 1a87cf78fadc4..d9471e3ef2161 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -2280,8 +2280,10 @@ static int compat_do_replace(struct net *net, void __user *user, + state.buf_kern_len = size64; + + ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state); +- if (WARN_ON(ret < 0)) ++ if (WARN_ON(ret < 0)) { ++ vfree(entries_tmp); + goto out_unlock; ++ } + + vfree(entries_tmp); + tmp.entries_size = size64; +-- +2.20.1 + diff --git a/queue-4.4/nfsv4-fix-a-potential-sleep-while-atomic-in-nfs4_do_.patch b/queue-4.4/nfsv4-fix-a-potential-sleep-while-atomic-in-nfs4_do_.patch new file mode 100644 index 00000000000..076358caee3 --- /dev/null +++ b/queue-4.4/nfsv4-fix-a-potential-sleep-while-atomic-in-nfs4_do_.patch @@ -0,0 +1,142 @@ +From 8f95fbe76d60896375584e482eda7c044252d653 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sat, 3 Aug 2019 10:11:27 -0400 +Subject: NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim() + +[ Upstream commit c77e22834ae9a11891cb613bd9a551be1b94f2bc ] + +John Hubbard reports seeing the following stack trace: + +nfs4_do_reclaim + rcu_read_lock /* we are now in_atomic() and must not sleep */ + nfs4_purge_state_owners + nfs4_free_state_owner + nfs4_destroy_seqid_counter + rpc_destroy_wait_queue + cancel_delayed_work_sync + __cancel_work_timer + __flush_work + start_flush_work + might_sleep: + (kernel/workqueue.c:2975: BUG) + +The solution is to separate out the freeing of the state owners +from nfs4_purge_state_owners(), and perform that outside the atomic +context. + +Reported-by: John Hubbard +Fixes: 0aaaf5c424c7f ("NFS: Cache state owners after files are closed") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4_fs.h | 3 ++- + fs/nfs/nfs4client.c | 5 ++++- + fs/nfs/nfs4state.c | 27 ++++++++++++++++++++++----- + 3 files changed, 28 insertions(+), 7 deletions(-) + +diff --git a/fs/nfs/nfs4_fs.h b/fs/nfs/nfs4_fs.h +index 4afdee420d253..9f15696f55b9f 100644 +--- a/fs/nfs/nfs4_fs.h ++++ b/fs/nfs/nfs4_fs.h +@@ -416,7 +416,8 @@ static inline void nfs4_schedule_session_recovery(struct nfs4_session *session, + + extern struct nfs4_state_owner *nfs4_get_state_owner(struct nfs_server *, struct rpc_cred *, gfp_t); + extern void nfs4_put_state_owner(struct nfs4_state_owner *); +-extern void nfs4_purge_state_owners(struct nfs_server *); ++extern void nfs4_purge_state_owners(struct nfs_server *, struct list_head *); ++extern void nfs4_free_state_owners(struct list_head *head); + extern struct nfs4_state * nfs4_get_open_state(struct inode *, struct nfs4_state_owner *); + extern void nfs4_put_open_state(struct nfs4_state *); + extern void nfs4_close_state(struct nfs4_state *, fmode_t); +diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c +index ae91d1e450be7..dac20f31f01f8 100644 +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -685,9 +685,12 @@ found: + + static void nfs4_destroy_server(struct nfs_server *server) + { ++ LIST_HEAD(freeme); ++ + nfs_server_return_all_delegations(server); + unset_pnfs_layoutdriver(server); +- nfs4_purge_state_owners(server); ++ nfs4_purge_state_owners(server, &freeme); ++ nfs4_free_state_owners(&freeme); + } + + /* +diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c +index 5be61affeefd8..ef3ed2b1fd278 100644 +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -611,24 +611,39 @@ void nfs4_put_state_owner(struct nfs4_state_owner *sp) + /** + * nfs4_purge_state_owners - Release all cached state owners + * @server: nfs_server with cached state owners to release ++ * @head: resulting list of state owners + * + * Called at umount time. Remaining state owners will be on + * the LRU with ref count of zero. ++ * Note that the state owners are not freed, but are added ++ * to the list @head, which can later be used as an argument ++ * to nfs4_free_state_owners. + */ +-void nfs4_purge_state_owners(struct nfs_server *server) ++void nfs4_purge_state_owners(struct nfs_server *server, struct list_head *head) + { + struct nfs_client *clp = server->nfs_client; + struct nfs4_state_owner *sp, *tmp; +- LIST_HEAD(doomed); + + spin_lock(&clp->cl_lock); + list_for_each_entry_safe(sp, tmp, &server->state_owners_lru, so_lru) { +- list_move(&sp->so_lru, &doomed); ++ list_move(&sp->so_lru, head); + nfs4_remove_state_owner_locked(sp); + } + spin_unlock(&clp->cl_lock); ++} + +- list_for_each_entry_safe(sp, tmp, &doomed, so_lru) { ++/** ++ * nfs4_purge_state_owners - Release all cached state owners ++ * @head: resulting list of state owners ++ * ++ * Frees a list of state owners that was generated by ++ * nfs4_purge_state_owners ++ */ ++void nfs4_free_state_owners(struct list_head *head) ++{ ++ struct nfs4_state_owner *sp, *tmp; ++ ++ list_for_each_entry_safe(sp, tmp, head, so_lru) { + list_del(&sp->so_lru); + nfs4_free_state_owner(sp); + } +@@ -1724,12 +1739,13 @@ static int nfs4_do_reclaim(struct nfs_client *clp, const struct nfs4_state_recov + struct nfs4_state_owner *sp; + struct nfs_server *server; + struct rb_node *pos; ++ LIST_HEAD(freeme); + int status = 0; + + restart: + rcu_read_lock(); + list_for_each_entry_rcu(server, &clp->cl_superblocks, client_link) { +- nfs4_purge_state_owners(server); ++ nfs4_purge_state_owners(server, &freeme); + spin_lock(&clp->cl_lock); + for (pos = rb_first(&server->state_owners); + pos != NULL; +@@ -1758,6 +1774,7 @@ restart: + spin_unlock(&clp->cl_lock); + } + rcu_read_unlock(); ++ nfs4_free_state_owners(&freeme); + return 0; + } + +-- +2.20.1 + diff --git a/queue-4.4/perf-bench-numa-fix-cpu0-binding.patch b/queue-4.4/perf-bench-numa-fix-cpu0-binding.patch new file mode 100644 index 00000000000..4f5b6f79173 --- /dev/null +++ b/queue-4.4/perf-bench-numa-fix-cpu0-binding.patch @@ -0,0 +1,57 @@ +From f01e1cf18de37e3d5d3b13dcc0b6c7c3b0d83dda Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Thu, 1 Aug 2019 16:26:42 +0200 +Subject: perf bench numa: Fix cpu0 binding + +[ Upstream commit 6bbfe4e602691b90ac866712bd4c43c51e546a60 ] + +Michael reported an issue with perf bench numa failing with binding to +cpu0 with '-0' option. + + # perf bench numa mem -p 3 -t 1 -P 512 -s 100 -zZcm0 --thp 1 -M 1 -ddd + # Running 'numa/mem' benchmark: + + # Running main, "perf bench numa numa-mem -p 3 -t 1 -P 512 -s 100 -zZcm0 --thp 1 -M 1 -ddd" + binding to node 0, mask: 0000000000000001 => -1 + perf: bench/numa.c:356: bind_to_memnode: Assertion `!(ret)' failed. + Aborted (core dumped) + +This happens when the cpu0 is not part of node0, which is the benchmark +assumption and we can see that's not the case for some powerpc servers. + +Using correct node for cpu0 binding. + +Reported-by: Michael Petlan +Signed-off-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Satheesh Rajendran +Link: http://lkml.kernel.org/r/20190801142642.28004-1-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/bench/numa.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/bench/numa.c b/tools/perf/bench/numa.c +index df41deed0320e..3bfba81d19118 100644 +--- a/tools/perf/bench/numa.c ++++ b/tools/perf/bench/numa.c +@@ -370,8 +370,10 @@ static u8 *alloc_data(ssize_t bytes0, int map_flags, + + /* Allocate and initialize all memory on CPU#0: */ + if (init_cpu0) { +- orig_mask = bind_to_node(0); +- bind_to_memnode(0); ++ int node = numa_node_of_cpu(0); ++ ++ orig_mask = bind_to_node(node); ++ bind_to_memnode(node); + } + + bytes = bytes0 + HPSIZE; +-- +2.20.1 + diff --git a/queue-4.4/selftests-kvm-adding-config-fragments.patch b/queue-4.4/selftests-kvm-adding-config-fragments.patch new file mode 100644 index 00000000000..563bbf1f275 --- /dev/null +++ b/queue-4.4/selftests-kvm-adding-config-fragments.patch @@ -0,0 +1,30 @@ +From dc8c977d63aed9680ae6f4ca01fb83673ba3b385 Mon Sep 17 00:00:00 2001 +From: Naresh Kamboju +Date: Wed, 7 Aug 2019 13:58:14 +0000 +Subject: selftests: kvm: Adding config fragments + +[ Upstream commit c096397c78f766db972f923433031f2dec01cae0 ] + +selftests kvm test cases need pre-required kernel configs for the test +to get pass. + +Signed-off-by: Naresh Kamboju +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kvm/config | 3 +++ + 1 file changed, 3 insertions(+) + create mode 100644 tools/testing/selftests/kvm/config + +diff --git a/tools/testing/selftests/kvm/config b/tools/testing/selftests/kvm/config +new file mode 100644 +index 0000000000000..63ed533f73d6e +--- /dev/null ++++ b/tools/testing/selftests/kvm/config +@@ -0,0 +1,3 @@ ++CONFIG_KVM=y ++CONFIG_KVM_INTEL=y ++CONFIG_KVM_AMD=y +-- +2.20.1 + diff --git a/queue-4.4/series b/queue-4.4/series new file mode 100644 index 00000000000..939c73c283d --- /dev/null +++ b/queue-4.4/series @@ -0,0 +1,22 @@ +hid-add-044f-b320-thrustmaster-inc.-2-in-1-dt.patch +mips-kernel-only-use-i8253-clocksource-with-periodic.patch +netfilter-ebtables-fix-a-memory-leak-bug-in-compat.patch +bonding-force-slave-speed-check-after-link-state-rec.patch +can-dev-call-netif_carrier_off-in-register_candev.patch +asoc-fail-card-instantiation-if-dai-format-setup-fai.patch +st21nfca_connectivity_event_received-null-check-the-.patch +st_nci_hci_connectivity_event_received-null-check-th.patch +asoc-ti-davinci-mcasp-correct-slot_width-posed-const.patch +net-usb-qmi_wwan-add-the-broadmobi-bm818-card.patch +isdn-misdn-hfcsusb-fix-possible-null-pointer-derefer.patch +isdn-hfcsusb-fix-misdn-driver-crash-caused-by-transf.patch +perf-bench-numa-fix-cpu0-binding.patch +can-sja1000-force-the-string-buffer-null-terminated.patch +can-peak_usb-force-the-string-buffer-null-terminated.patch +nfsv4-fix-a-potential-sleep-while-atomic-in-nfs4_do_.patch +net-cxgb3_main-fix-a-resource-leak-in-a-error-path-i.patch +net-hisilicon-make-hip04_tx_reclaim-non-reentrant.patch +net-hisilicon-fix-hip04-xmit-never-return-tx_busy.patch +net-hisilicon-fix-dma_map_single-failed-on-arm64.patch +libata-add-sg-safety-checks-in-sff-pio-transfers.patch +selftests-kvm-adding-config-fragments.patch diff --git a/queue-4.4/st21nfca_connectivity_event_received-null-check-the-.patch b/queue-4.4/st21nfca_connectivity_event_received-null-check-the-.patch new file mode 100644 index 00000000000..8935fa64bd9 --- /dev/null +++ b/queue-4.4/st21nfca_connectivity_event_received-null-check-the-.patch @@ -0,0 +1,32 @@ +From d6401fbd6ed5f973d309ffb170e1347ebcb9313e Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost +Date: Tue, 23 Jul 2019 17:04:30 -0500 +Subject: st21nfca_connectivity_event_received: null check the allocation + +[ Upstream commit 9891d06836e67324c9e9c4675ed90fc8b8110034 ] + +devm_kzalloc may fail and return null. So the null check is needed. + +Signed-off-by: Navid Emamdoost +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/st21nfca/se.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nfc/st21nfca/se.c b/drivers/nfc/st21nfca/se.c +index c79d99b24c961..f1b96b5255e08 100644 +--- a/drivers/nfc/st21nfca/se.c ++++ b/drivers/nfc/st21nfca/se.c +@@ -327,6 +327,8 @@ int st21nfca_connectivity_event_received(struct nfc_hci_dev *hdev, u8 host, + + transaction = (struct nfc_evt_transaction *)devm_kzalloc(dev, + skb->len - 2, GFP_KERNEL); ++ if (!transaction) ++ return -ENOMEM; + + transaction->aid_len = skb->data[1]; + memcpy(transaction->aid, &skb->data[2], +-- +2.20.1 + diff --git a/queue-4.4/st_nci_hci_connectivity_event_received-null-check-th.patch b/queue-4.4/st_nci_hci_connectivity_event_received-null-check-th.patch new file mode 100644 index 00000000000..114d4e910ac --- /dev/null +++ b/queue-4.4/st_nci_hci_connectivity_event_received-null-check-th.patch @@ -0,0 +1,32 @@ +From 10ab0295f273b8d70aa9ea107cf66028e0b3dea9 Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost +Date: Tue, 23 Jul 2019 17:11:51 -0500 +Subject: st_nci_hci_connectivity_event_received: null check the allocation + +[ Upstream commit 3008e06fdf0973770370f97d5f1fba3701d8281d ] + +devm_kzalloc may fail and return NULL. So the null check is needed. + +Signed-off-by: Navid Emamdoost +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/st-nci/se.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c +index dbab722a06546..6f9d9b90ac645 100644 +--- a/drivers/nfc/st-nci/se.c ++++ b/drivers/nfc/st-nci/se.c +@@ -346,6 +346,8 @@ static int st_nci_hci_connectivity_event_received(struct nci_dev *ndev, + + transaction = (struct nfc_evt_transaction *)devm_kzalloc(dev, + skb->len - 2, GFP_KERNEL); ++ if (!transaction) ++ return -ENOMEM; + + transaction->aid_len = skb->data[1]; + memcpy(transaction->aid, &skb->data[2], transaction->aid_len); +-- +2.20.1 + -- 2.47.3