From: Sasha Levin Date: Thu, 11 Jul 2019 00:53:50 +0000 (-0400) Subject: fixes for 4.9 X-Git-Tag: v5.2.1~45 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2769dd1b832617339757cb43e9ca71cec1ed8c7b;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/arm-davinci-da850-evm-call-regulator_has_full_constr.patch b/queue-4.9/arm-davinci-da850-evm-call-regulator_has_full_constr.patch new file mode 100644 index 00000000000..ec7bd490c8a --- /dev/null +++ b/queue-4.9/arm-davinci-da850-evm-call-regulator_has_full_constr.patch @@ -0,0 +1,38 @@ +From c7f9fa207084abd6bb081a62c1637477fa8f86d3 Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Fri, 7 Jun 2019 11:02:01 +0200 +Subject: ARM: davinci: da850-evm: call regulator_has_full_constraints() + +[ Upstream commit 0c0c9b5753cd04601b17de09da1ed2885a3b42fe ] + +The BB expander at 0x21 i2c bus 1 fails to probe on da850-evm because +the board doesn't set has_full_constraints to true in the regulator +API. + +Call regulator_has_full_constraints() at the end of board registration +just like we do in da850-lcdk and da830-evm. + +Reviewed-by: Linus Walleij +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +--- + arch/arm/mach-davinci/board-da850-evm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm/mach-davinci/board-da850-evm.c b/arch/arm/mach-davinci/board-da850-evm.c +index 8e4539f69fdc..3bdf0d588238 100644 +--- a/arch/arm/mach-davinci/board-da850-evm.c ++++ b/arch/arm/mach-davinci/board-da850-evm.c +@@ -1479,6 +1479,8 @@ static __init void da850_evm_init(void) + if (ret) + pr_warn("%s: dsp/rproc registration failed: %d\n", + __func__, ret); ++ ++ regulator_has_full_constraints(); + } + + #ifdef CONFIG_SERIAL_8250_CONSOLE +-- +2.20.1 + diff --git a/queue-4.9/arm-davinci-da8xx-specify-dma_coherent_mask-for-lcdc.patch b/queue-4.9/arm-davinci-da8xx-specify-dma_coherent_mask-for-lcdc.patch new file mode 100644 index 00000000000..c5be6d1bbcf --- /dev/null +++ b/queue-4.9/arm-davinci-da8xx-specify-dma_coherent_mask-for-lcdc.patch @@ -0,0 +1,66 @@ +From bfe771696f6c3eff89b5256c93a002b3a99da9b7 Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Fri, 7 Jun 2019 16:33:50 +0200 +Subject: ARM: davinci: da8xx: specify dma_coherent_mask for lcdc + +[ Upstream commit 68f2515bb31a664ba3e2bc1eb78dd9f529b10067 ] + +The lcdc device is missing the dma_coherent_mask definition causing the +following warning on da850-evm: + +da8xx_lcdc da8xx_lcdc.0: found Sharp_LK043T1DG01 panel +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 1 at kernel/dma/mapping.c:247 dma_alloc_attrs+0xc8/0x110 +Modules linked in: +CPU: 0 PID: 1 Comm: swapper Not tainted 5.2.0-rc3-00077-g16d72dd4891f #18 +Hardware name: DaVinci DA850/OMAP-L138/AM18x EVM +[] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[] (show_stack) from [] (__warn+0xec/0x114) +[] (__warn) from [] (warn_slowpath_null+0x3c/0x48) +[] (warn_slowpath_null) from [] (dma_alloc_attrs+0xc8/0x110) +[] (dma_alloc_attrs) from [] (fb_probe+0x228/0x5a8) +[] (fb_probe) from [] (platform_drv_probe+0x48/0x9c) +[] (platform_drv_probe) from [] (really_probe+0x1d8/0x2d4) +[] (really_probe) from [] (driver_probe_device+0x5c/0x168) +[] (driver_probe_device) from [] (device_driver_attach+0x58/0x60) +[] (device_driver_attach) from [] (__driver_attach+0x80/0xbc) +[] (__driver_attach) from [] (bus_for_each_dev+0x64/0xb4) +[] (bus_for_each_dev) from [] (bus_add_driver+0xe4/0x1d8) +[] (bus_add_driver) from [] (driver_register+0x78/0x10c) +[] (driver_register) from [] (do_one_initcall+0x48/0x1bc) +[] (do_one_initcall) from [] (kernel_init_freeable+0x10c/0x1d8) +[] (kernel_init_freeable) from [] (kernel_init+0x8/0xf4) +[] (kernel_init) from [] (ret_from_fork+0x14/0x34) +Exception stack(0xc6837fb0 to 0xc6837ff8) +7fa0: 00000000 00000000 00000000 00000000 +7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +7fe0: 00000000 00000000 00000000 00000000 00000013 00000000 +---[ end trace 8a8073511be81dd2 ]--- + +Add a 32-bit mask to the platform device's definition. + +Signed-off-by: Bartosz Golaszewski + +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +--- + arch/arm/mach-davinci/devices-da8xx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm/mach-davinci/devices-da8xx.c b/arch/arm/mach-davinci/devices-da8xx.c +index 9a22d40602aa..24779504f489 100644 +--- a/arch/arm/mach-davinci/devices-da8xx.c ++++ b/arch/arm/mach-davinci/devices-da8xx.c +@@ -706,6 +706,9 @@ static struct platform_device da8xx_lcdc_device = { + .id = 0, + .num_resources = ARRAY_SIZE(da8xx_lcdc_resources), + .resource = da8xx_lcdc_resources, ++ .dev = { ++ .coherent_dma_mask = DMA_BIT_MASK(32), ++ } + }; + + int __init da8xx_register_lcdc(struct da8xx_lcdc_platform_data *pdata) +-- +2.20.1 + diff --git a/queue-4.9/bnx2x-check-if-transceiver-implements-ddm-before-acc.patch b/queue-4.9/bnx2x-check-if-transceiver-implements-ddm-before-acc.patch new file mode 100644 index 00000000000..75c289f88f2 --- /dev/null +++ b/queue-4.9/bnx2x-check-if-transceiver-implements-ddm-before-acc.patch @@ -0,0 +1,63 @@ +From ebb6fc40439db283bf6e4052c2517dc3e0c43f47 Mon Sep 17 00:00:00 2001 +From: "Mauro S. M. Rodrigues" +Date: Thu, 13 Jun 2019 16:25:40 -0300 +Subject: bnx2x: Check if transceiver implements DDM before access + +[ Upstream commit cf18cecca911c0db96b868072665347efe6df46f ] + +Some transceivers may comply with SFF-8472 even though they do not +implement the Digital Diagnostic Monitoring (DDM) interface described in +the spec. The existence of such area is specified by the 6th bit of byte +92, set to 1 if implemented. + +Currently, without checking this bit, bnx2x fails trying to read sfp +module's EEPROM with the follow message: + +ethtool -m enP5p1s0f1 +Cannot get Module EEPROM data: Input/output error + +Because it fails to read the additional 256 bytes in which it is assumed +to exist the DDM data. + +This issue was noticed using a Mellanox Passive DAC PN 01FT738. The EEPROM +data was confirmed by Mellanox as correct and similar to other Passive +DACs from other manufacturers. + +Signed-off-by: Mauro S. M. Rodrigues +Acked-by: Sudarsana Reddy Kalluru +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 ++- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c +index 8aecd8ef6542..15a0850e6bde 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c +@@ -1562,7 +1562,8 @@ static int bnx2x_get_module_info(struct net_device *dev, + } + + if (!sff8472_comp || +- (diag_type & SFP_EEPROM_DIAG_ADDR_CHANGE_REQ)) { ++ (diag_type & SFP_EEPROM_DIAG_ADDR_CHANGE_REQ) || ++ !(diag_type & SFP_EEPROM_DDM_IMPLEMENTED)) { + modinfo->type = ETH_MODULE_SFF_8079; + modinfo->eeprom_len = ETH_MODULE_SFF_8079_LEN; + } else { +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h +index b7d251108c19..7115f5025664 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.h +@@ -62,6 +62,7 @@ + #define SFP_EEPROM_DIAG_TYPE_ADDR 0x5c + #define SFP_EEPROM_DIAG_TYPE_SIZE 1 + #define SFP_EEPROM_DIAG_ADDR_CHANGE_REQ (1<<2) ++#define SFP_EEPROM_DDM_IMPLEMENTED (1<<6) + #define SFP_EEPROM_SFF_8472_COMP_ADDR 0x5e + #define SFP_EEPROM_SFF_8472_COMP_SIZE 1 + +-- +2.20.1 + diff --git a/queue-4.9/can-mcp251x-add-support-for-mcp25625.patch b/queue-4.9/can-mcp251x-add-support-for-mcp25625.patch new file mode 100644 index 00000000000..40e5aca16f9 --- /dev/null +++ b/queue-4.9/can-mcp251x-add-support-for-mcp25625.patch @@ -0,0 +1,134 @@ +From 39fef8d0e6c9bcf2f58a208d334cb67037441e0b Mon Sep 17 00:00:00 2001 +From: Sean Nyekjaer +Date: Tue, 7 May 2019 11:34:36 +0200 +Subject: can: mcp251x: add support for mcp25625 + +[ Upstream commit 35b7fa4d07c43ad79b88e6462119e7140eae955c ] + +Fully compatible with mcp2515, the mcp25625 have integrated transceiver. + +This patch adds support for the mcp25625 to the existing mcp251x driver. + +Signed-off-by: Sean Nyekjaer +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/Kconfig | 5 +++-- + drivers/net/can/spi/mcp251x.c | 25 ++++++++++++++++--------- + 2 files changed, 19 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/can/spi/Kconfig b/drivers/net/can/spi/Kconfig +index 148cae5871a6..249d2db7d600 100644 +--- a/drivers/net/can/spi/Kconfig ++++ b/drivers/net/can/spi/Kconfig +@@ -2,9 +2,10 @@ menu "CAN SPI interfaces" + depends on SPI + + config CAN_MCP251X +- tristate "Microchip MCP251x SPI CAN controllers" ++ tristate "Microchip MCP251x and MCP25625 SPI CAN controllers" + depends on HAS_DMA + ---help--- +- Driver for the Microchip MCP251x SPI CAN controllers. ++ Driver for the Microchip MCP251x and MCP25625 SPI CAN ++ controllers. + + endmenu +diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c +index f3f05fea8e1f..d8c448beab24 100644 +--- a/drivers/net/can/spi/mcp251x.c ++++ b/drivers/net/can/spi/mcp251x.c +@@ -1,5 +1,5 @@ + /* +- * CAN bus driver for Microchip 251x CAN Controller with SPI Interface ++ * CAN bus driver for Microchip 251x/25625 CAN Controller with SPI Interface + * + * MCP2510 support and bug fixes by Christian Pellegrin + * +@@ -41,7 +41,7 @@ + * static struct spi_board_info spi_board_info[] = { + * { + * .modalias = "mcp2510", +- * // or "mcp2515" depending on your controller ++ * // "mcp2515" or "mcp25625" depending on your controller + * .platform_data = &mcp251x_info, + * .irq = IRQ_EINT13, + * .max_speed_hz = 2*1000*1000, +@@ -238,6 +238,7 @@ static const struct can_bittiming_const mcp251x_bittiming_const = { + enum mcp251x_model { + CAN_MCP251X_MCP2510 = 0x2510, + CAN_MCP251X_MCP2515 = 0x2515, ++ CAN_MCP251X_MCP25625 = 0x25625, + }; + + struct mcp251x_priv { +@@ -280,7 +281,6 @@ static inline int mcp251x_is_##_model(struct spi_device *spi) \ + } + + MCP251X_IS(2510); +-MCP251X_IS(2515); + + static void mcp251x_clean(struct net_device *net) + { +@@ -640,7 +640,7 @@ static int mcp251x_hw_reset(struct spi_device *spi) + + /* Wait for oscillator startup timer after reset */ + mdelay(MCP251X_OST_DELAY_MS); +- ++ + reg = mcp251x_read_reg(spi, CANSTAT); + if ((reg & CANCTRL_REQOP_MASK) != CANCTRL_REQOP_CONF) + return -ENODEV; +@@ -821,9 +821,8 @@ static irqreturn_t mcp251x_can_ist(int irq, void *dev_id) + /* receive buffer 0 */ + if (intf & CANINTF_RX0IF) { + mcp251x_hw_rx(spi, 0); +- /* +- * Free one buffer ASAP +- * (The MCP2515 does this automatically.) ++ /* Free one buffer ASAP ++ * (The MCP2515/25625 does this automatically.) + */ + if (mcp251x_is_2510(spi)) + mcp251x_write_bits(spi, CANINTF, CANINTF_RX0IF, 0x00); +@@ -832,7 +831,7 @@ static irqreturn_t mcp251x_can_ist(int irq, void *dev_id) + /* receive buffer 1 */ + if (intf & CANINTF_RX1IF) { + mcp251x_hw_rx(spi, 1); +- /* the MCP2515 does this automatically */ ++ /* The MCP2515/25625 does this automatically. */ + if (mcp251x_is_2510(spi)) + clear_intf |= CANINTF_RX1IF; + } +@@ -1007,6 +1006,10 @@ static const struct of_device_id mcp251x_of_match[] = { + .compatible = "microchip,mcp2515", + .data = (void *)CAN_MCP251X_MCP2515, + }, ++ { ++ .compatible = "microchip,mcp25625", ++ .data = (void *)CAN_MCP251X_MCP25625, ++ }, + { } + }; + MODULE_DEVICE_TABLE(of, mcp251x_of_match); +@@ -1020,6 +1023,10 @@ static const struct spi_device_id mcp251x_id_table[] = { + .name = "mcp2515", + .driver_data = (kernel_ulong_t)CAN_MCP251X_MCP2515, + }, ++ { ++ .name = "mcp25625", ++ .driver_data = (kernel_ulong_t)CAN_MCP251X_MCP25625, ++ }, + { } + }; + MODULE_DEVICE_TABLE(spi, mcp251x_id_table); +@@ -1260,5 +1267,5 @@ module_spi_driver(mcp251x_can_driver); + + MODULE_AUTHOR("Chris Elston , " + "Christian Pellegrin "); +-MODULE_DESCRIPTION("Microchip 251x CAN driver"); ++MODULE_DESCRIPTION("Microchip 251x/25625 CAN driver"); + MODULE_LICENSE("GPL v2"); +-- +2.20.1 + diff --git a/queue-4.9/dt-bindings-can-mcp251x-add-mcp25625-support.patch b/queue-4.9/dt-bindings-can-mcp251x-add-mcp25625-support.patch new file mode 100644 index 00000000000..6c78cb1a143 --- /dev/null +++ b/queue-4.9/dt-bindings-can-mcp251x-add-mcp25625-support.patch @@ -0,0 +1,33 @@ +From aaa73c162a9566804024fa085bf4d542c2e12b8d Mon Sep 17 00:00:00 2001 +From: Sean Nyekjaer +Date: Tue, 7 May 2019 11:34:37 +0200 +Subject: dt-bindings: can: mcp251x: add mcp25625 support + +[ Upstream commit 0df82dcd55832a99363ab7f9fab954fcacdac3ae ] + +Fully compatible with mcp2515, the mcp25625 have integrated transceiver. + +This patch add the mcp25625 to the device tree bindings documentation. + +Signed-off-by: Sean Nyekjaer +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt b/Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt +index ee3723beb701..33b38716b77f 100644 +--- a/Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt ++++ b/Documentation/devicetree/bindings/net/can/microchip,mcp251x.txt +@@ -4,6 +4,7 @@ Required properties: + - compatible: Should be one of the following: + - "microchip,mcp2510" for MCP2510. + - "microchip,mcp2515" for MCP2515. ++ - "microchip,mcp25625" for MCP25625. + - reg: SPI chip select. + - clocks: The clock feeding the CAN controller. + - interrupt-parent: The parent interrupt controller. +-- +2.20.1 + diff --git a/queue-4.9/input-elantech-enable-middle-button-support-on-2-thi.patch b/queue-4.9/input-elantech-enable-middle-button-support-on-2-thi.patch new file mode 100644 index 00000000000..6f5c2873980 --- /dev/null +++ b/queue-4.9/input-elantech-enable-middle-button-support-on-2-thi.patch @@ -0,0 +1,32 @@ +From 70d83271ca0a4ccee6d5d30515b01d22366696fd Mon Sep 17 00:00:00 2001 +From: Aaron Ma +Date: Mon, 20 May 2019 22:09:10 -0700 +Subject: Input: elantech - enable middle button support on 2 ThinkPads + +[ Upstream commit aa440de3058a3ef530851f9ef373fbb5f694dbc3 ] + +Adding 2 new touchpad PNPIDs to enable middle button support. + +Signed-off-by: Aaron Ma +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/mouse/elantech.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c +index 38edf8f5bf8a..15be3ee6cc50 100644 +--- a/drivers/input/mouse/elantech.c ++++ b/drivers/input/mouse/elantech.c +@@ -1187,6 +1187,8 @@ static const char * const middle_button_pnp_ids[] = { + "LEN2132", /* ThinkPad P52 */ + "LEN2133", /* ThinkPad P72 w/ NFC */ + "LEN2134", /* ThinkPad P72 */ ++ "LEN0407", ++ "LEN0408", + NULL + }; + +-- +2.20.1 + diff --git a/queue-4.9/input-imx_keypad-make-sure-keyboard-can-always-wake-.patch b/queue-4.9/input-imx_keypad-make-sure-keyboard-can-always-wake-.patch new file mode 100644 index 00000000000..ee414c811c4 --- /dev/null +++ b/queue-4.9/input-imx_keypad-make-sure-keyboard-can-always-wake-.patch @@ -0,0 +1,86 @@ +From 38853ffeb3eb53c73828890a8973acc550cf8ec8 Mon Sep 17 00:00:00 2001 +From: Anson Huang +Date: Tue, 11 Jun 2019 17:50:44 -0700 +Subject: Input: imx_keypad - make sure keyboard can always wake up system + +[ Upstream commit ce9a53eb3dbca89e7ad86673d94ab886e9bea704 ] + +There are several scenarios that keyboard can NOT wake up system +from suspend, e.g., if a keyboard is depressed between system +device suspend phase and device noirq suspend phase, the keyboard +ISR will be called and both keyboard depress and release interrupts +will be disabled, then keyboard will no longer be able to wake up +system. Another scenario would be, if a keyboard is kept depressed, +and then system goes into suspend, the expected behavior would be +when keyboard is released, system will be waked up, but current +implementation can NOT achieve that, because both depress and release +interrupts are disabled in ISR, and the event check is still in +progress. + +To fix these issues, need to make sure keyboard's depress or release +interrupt is enabled after noirq device suspend phase, this patch +moves the suspend/resume callback to noirq suspend/resume phase, and +enable the corresponding interrupt according to current keyboard status. + +Signed-off-by: Anson Huang +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/imx_keypad.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/input/keyboard/imx_keypad.c b/drivers/input/keyboard/imx_keypad.c +index 2165f3dd328b..842c0235471d 100644 +--- a/drivers/input/keyboard/imx_keypad.c ++++ b/drivers/input/keyboard/imx_keypad.c +@@ -530,11 +530,12 @@ static int imx_keypad_probe(struct platform_device *pdev) + return 0; + } + +-static int __maybe_unused imx_kbd_suspend(struct device *dev) ++static int __maybe_unused imx_kbd_noirq_suspend(struct device *dev) + { + struct platform_device *pdev = to_platform_device(dev); + struct imx_keypad *kbd = platform_get_drvdata(pdev); + struct input_dev *input_dev = kbd->input_dev; ++ unsigned short reg_val = readw(kbd->mmio_base + KPSR); + + /* imx kbd can wake up system even clock is disabled */ + mutex_lock(&input_dev->mutex); +@@ -544,13 +545,20 @@ static int __maybe_unused imx_kbd_suspend(struct device *dev) + + mutex_unlock(&input_dev->mutex); + +- if (device_may_wakeup(&pdev->dev)) ++ if (device_may_wakeup(&pdev->dev)) { ++ if (reg_val & KBD_STAT_KPKD) ++ reg_val |= KBD_STAT_KRIE; ++ if (reg_val & KBD_STAT_KPKR) ++ reg_val |= KBD_STAT_KDIE; ++ writew(reg_val, kbd->mmio_base + KPSR); ++ + enable_irq_wake(kbd->irq); ++ } + + return 0; + } + +-static int __maybe_unused imx_kbd_resume(struct device *dev) ++static int __maybe_unused imx_kbd_noirq_resume(struct device *dev) + { + struct platform_device *pdev = to_platform_device(dev); + struct imx_keypad *kbd = platform_get_drvdata(pdev); +@@ -574,7 +582,9 @@ static int __maybe_unused imx_kbd_resume(struct device *dev) + return ret; + } + +-static SIMPLE_DEV_PM_OPS(imx_kbd_pm_ops, imx_kbd_suspend, imx_kbd_resume); ++static const struct dev_pm_ops imx_kbd_pm_ops = { ++ SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(imx_kbd_noirq_suspend, imx_kbd_noirq_resume) ++}; + + static struct platform_driver imx_keypad_driver = { + .driver = { +-- +2.20.1 + diff --git a/queue-4.9/ip6_tunnel-allow-not-to-count-pkts-on-tstats-by-pass.patch b/queue-4.9/ip6_tunnel-allow-not-to-count-pkts-on-tstats-by-pass.patch new file mode 100644 index 00000000000..9c50694c260 --- /dev/null +++ b/queue-4.9/ip6_tunnel-allow-not-to-count-pkts-on-tstats-by-pass.patch @@ -0,0 +1,40 @@ +From def6b366fb7ae21ce98d7470728071fb35361986 Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Mon, 17 Jun 2019 21:34:14 +0800 +Subject: ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL + +[ Upstream commit 6f6a8622057c92408930c31698394fae1557b188 ] + +A similar fix to Patch "ip_tunnel: allow not to count pkts on tstats by +setting skb's dev to NULL" is also needed by ip6_tunnel. + +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/ip6_tunnel.h | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h +index 1b1cf33cbfb0..2b6abd046087 100644 +--- a/include/net/ip6_tunnel.h ++++ b/include/net/ip6_tunnel.h +@@ -149,9 +149,12 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb, + memset(skb->cb, 0, sizeof(struct inet6_skb_parm)); + pkt_len = skb->len - skb_inner_network_offset(skb); + err = ip6_local_out(dev_net(skb_dst(skb)->dev), sk, skb); +- if (unlikely(net_xmit_eval(err))) +- pkt_len = -1; +- iptunnel_xmit_stats(dev, pkt_len); ++ ++ if (dev) { ++ if (unlikely(net_xmit_eval(err))) ++ pkt_len = -1; ++ iptunnel_xmit_stats(dev, pkt_len); ++ } + } + #endif + #endif +-- +2.20.1 + diff --git a/queue-4.9/kvm-arm-arm64-vgic-fix-kvm_device-leak-in-vgic_its_d.patch b/queue-4.9/kvm-arm-arm64-vgic-fix-kvm_device-leak-in-vgic_its_d.patch new file mode 100644 index 00000000000..466dd3f44d5 --- /dev/null +++ b/queue-4.9/kvm-arm-arm64-vgic-fix-kvm_device-leak-in-vgic_its_d.patch @@ -0,0 +1,45 @@ +From 75f77348b056ce0836db009ab0dfe152b9ea04f9 Mon Sep 17 00:00:00 2001 +From: Dave Martin +Date: Thu, 6 Jun 2019 11:58:07 +0100 +Subject: KVM: arm/arm64: vgic: Fix kvm_device leak in vgic_its_destroy + +[ Upstream commit 4729ec8c1e1145234aeeebad5d96d77f4ccbb00a ] + +kvm_device->destroy() seems to be supposed to free its kvm_device +struct, but vgic_its_destroy() is not currently doing this, +resulting in a memory leak, resulting in kmemleak reports such as +the following: + +unreferenced object 0xffff800aeddfe280 (size 128): + comm "qemu-system-aar", pid 13799, jiffies 4299827317 (age 1569.844s) + [...] + backtrace: + [<00000000a08b80e2>] kmem_cache_alloc+0x178/0x208 + [<00000000dcad2bd3>] kvm_vm_ioctl+0x350/0xbc0 + +Fix it. + +Cc: Andre Przywara +Fixes: 1085fdc68c60 ("KVM: arm64: vgic-its: Introduce new KVM ITS device") +Signed-off-by: Dave Martin +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + virt/kvm/arm/vgic/vgic-its.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c +index 1ebbf233de9a..6d64b2cb02ab 100644 +--- a/virt/kvm/arm/vgic/vgic-its.c ++++ b/virt/kvm/arm/vgic/vgic-its.c +@@ -1466,6 +1466,7 @@ static void vgic_its_destroy(struct kvm_device *kvm_dev) + mutex_unlock(&its->its_lock); + + kfree(its); ++ kfree(kvm_dev);/* alloc by kvm_ioctl_create_device, free by .destroy */ + } + + static int vgic_its_has_attr(struct kvm_device *dev, +-- +2.20.1 + diff --git a/queue-4.9/mac80211-free-peer-keys-before-vif-down-in-mesh.patch b/queue-4.9/mac80211-free-peer-keys-before-vif-down-in-mesh.patch new file mode 100644 index 00000000000..6111d3a0621 --- /dev/null +++ b/queue-4.9/mac80211-free-peer-keys-before-vif-down-in-mesh.patch @@ -0,0 +1,32 @@ +From 6935b2942424f8fe14ad674aea2d4cc3b7911412 Mon Sep 17 00:00:00 2001 +From: Pradeep Kumar Chitrapu +Date: Tue, 28 May 2019 16:36:16 -0700 +Subject: mac80211: free peer keys before vif down in mesh + +[ Upstream commit 0112fa557c3bb3a002bc85760dc3761d737264d3 ] + +freeing peer keys after vif down is resulting in peer key uninstall +to fail due to interface lookup failure. so fix that. + +Signed-off-by: Pradeep Kumar Chitrapu +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c +index 7f902e69530f..5c347d3a92c9 100644 +--- a/net/mac80211/mesh.c ++++ b/net/mac80211/mesh.c +@@ -885,6 +885,7 @@ void ieee80211_stop_mesh(struct ieee80211_sub_if_data *sdata) + + /* flush STAs and mpaths on this iface */ + sta_info_flush(sdata); ++ ieee80211_free_keys(sdata, true); + mesh_path_flush_by_iface(sdata); + + /* stop the beacon */ +-- +2.20.1 + diff --git a/queue-4.9/mac80211-mesh-fix-rcu-warning.patch b/queue-4.9/mac80211-mesh-fix-rcu-warning.patch new file mode 100644 index 00000000000..f257df3f0bd --- /dev/null +++ b/queue-4.9/mac80211-mesh-fix-rcu-warning.patch @@ -0,0 +1,62 @@ +From dbce5b4127dec0d23779e3464328188a5e12c697 Mon Sep 17 00:00:00 2001 +From: Thomas Pedersen +Date: Fri, 24 May 2019 21:16:24 -0700 +Subject: mac80211: mesh: fix RCU warning + +[ Upstream commit 551842446ed695641a00782cd118cbb064a416a1 ] + +ifmsh->csa is an RCU-protected pointer. The writer context +in ieee80211_mesh_finish_csa() is already mutually +exclusive with wdev->sdata.mtx, but the RCU checker did +not know this. Use rcu_dereference_protected() to avoid a +warning. + +fixes the following warning: + +[ 12.519089] ============================= +[ 12.520042] WARNING: suspicious RCU usage +[ 12.520652] 5.1.0-rc7-wt+ #16 Tainted: G W +[ 12.521409] ----------------------------- +[ 12.521972] net/mac80211/mesh.c:1223 suspicious rcu_dereference_check() usage! +[ 12.522928] other info that might help us debug this: +[ 12.523984] rcu_scheduler_active = 2, debug_locks = 1 +[ 12.524855] 5 locks held by kworker/u8:2/152: +[ 12.525438] #0: 00000000057be08c ((wq_completion)phy0){+.+.}, at: process_one_work+0x1a2/0x620 +[ 12.526607] #1: 0000000059c6b07a ((work_completion)(&sdata->csa_finalize_work)){+.+.}, at: process_one_work+0x1a2/0x620 +[ 12.528001] #2: 00000000f184ba7d (&wdev->mtx){+.+.}, at: ieee80211_csa_finalize_work+0x2f/0x90 +[ 12.529116] #3: 00000000831a1f54 (&local->mtx){+.+.}, at: ieee80211_csa_finalize_work+0x47/0x90 +[ 12.530233] #4: 00000000fd06f988 (&local->chanctx_mtx){+.+.}, at: ieee80211_csa_finalize_work+0x51/0x90 + +Signed-off-by: Thomas Pedersen +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c +index b2a27263d6ff..7f902e69530f 100644 +--- a/net/mac80211/mesh.c ++++ b/net/mac80211/mesh.c +@@ -1135,7 +1135,8 @@ int ieee80211_mesh_finish_csa(struct ieee80211_sub_if_data *sdata) + ifmsh->chsw_ttl = 0; + + /* Remove the CSA and MCSP elements from the beacon */ +- tmp_csa_settings = rcu_dereference(ifmsh->csa); ++ tmp_csa_settings = rcu_dereference_protected(ifmsh->csa, ++ lockdep_is_held(&sdata->wdev.mtx)); + RCU_INIT_POINTER(ifmsh->csa, NULL); + if (tmp_csa_settings) + kfree_rcu(tmp_csa_settings, rcu_head); +@@ -1157,6 +1158,8 @@ int ieee80211_mesh_csa_beacon(struct ieee80211_sub_if_data *sdata, + struct mesh_csa_settings *tmp_csa_settings; + int ret = 0; + ++ lockdep_assert_held(&sdata->wdev.mtx); ++ + tmp_csa_settings = kmalloc(sizeof(*tmp_csa_settings), + GFP_ATOMIC); + if (!tmp_csa_settings) +-- +2.20.1 + diff --git a/queue-4.9/mac80211-only-warn-once-on-chanctx_conf-being-null.patch b/queue-4.9/mac80211-only-warn-once-on-chanctx_conf-being-null.patch new file mode 100644 index 00000000000..5443bdc5a72 --- /dev/null +++ b/queue-4.9/mac80211-only-warn-once-on-chanctx_conf-being-null.patch @@ -0,0 +1,49 @@ +From 59ee94b54d7507f21e05a22835903bb7614a4f23 Mon Sep 17 00:00:00 2001 +From: Yibo Zhao +Date: Fri, 14 Jun 2019 19:01:52 +0800 +Subject: mac80211: only warn once on chanctx_conf being NULL + +[ Upstream commit 563572340173865a9a356e6bb02579e6998a876d ] + +In multiple SSID cases, it takes time to prepare every AP interface +to be ready in initializing phase. If a sta already knows everything it +needs to join one of the APs and sends authentication to the AP which +is not fully prepared at this point of time, AP's channel context +could be NULL. As a result, warning message occurs. + +Even worse, if the AP is under attack via tools such as MDK3 and massive +authentication requests are received in a very short time, console will +be hung due to kernel warning messages. + +WARN_ON_ONCE() could be a better way for indicating warning messages +without duplicate messages to flood the console. + +Johannes: We still need to address the underlying problem, but we + don't really have a good handle on it yet. Suppress the + worst side-effects for now. + +Signed-off-by: Zhi Chen +Signed-off-by: Yibo Zhao +[johannes: add note, change subject] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/ieee80211_i.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index 8a690ebd7374..6708de10a3e5 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -1403,7 +1403,7 @@ ieee80211_get_sband(struct ieee80211_sub_if_data *sdata) + rcu_read_lock(); + chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf); + +- if (WARN_ON(!chanctx_conf)) { ++ if (WARN_ON_ONCE(!chanctx_conf)) { + rcu_read_unlock(); + return NULL; + } +-- +2.20.1 + diff --git a/queue-4.9/md-fix-for-divide-error-in-status_resync.patch b/queue-4.9/md-fix-for-divide-error-in-status_resync.patch new file mode 100644 index 00000000000..87b873716f5 --- /dev/null +++ b/queue-4.9/md-fix-for-divide-error-in-status_resync.patch @@ -0,0 +1,91 @@ +From 73880de1d1becb01d81dc458c84ca8c45f2bc890 Mon Sep 17 00:00:00 2001 +From: Mariusz Tkaczyk +Date: Thu, 13 Jun 2019 16:11:41 +0200 +Subject: md: fix for divide error in status_resync + +[ Upstream commit 9642fa73d073527b0cbc337cc17a47d545d82cd2 ] + +Stopping external metadata arrays during resync/recovery causes +retries, loop of interrupting and starting reconstruction, until it +hit at good moment to stop completely. While these retries +curr_mark_cnt can be small- especially on HDD drives, so subtraction +result can be smaller than 0. However it is casted to uint without +checking. As a result of it the status bar in /proc/mdstat while stopping +is strange (it jumps between 0% and 99%). + +The real problem occurs here after commit 72deb455b5ec ("block: remove +CONFIG_LBDAF"). Sector_div() macro has been changed, now the +divisor is casted to uint32. For db = -8 the divisior(db/32-1) becomes 0. + +Check if db value can be really counted and replace these macro by +div64_u64() inline. + +Signed-off-by: Mariusz Tkaczyk +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 36 ++++++++++++++++++++++-------------- + 1 file changed, 22 insertions(+), 14 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 21698eb671d7..765a16dab2e5 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -7296,9 +7296,9 @@ static void status_unused(struct seq_file *seq) + static int status_resync(struct seq_file *seq, struct mddev *mddev) + { + sector_t max_sectors, resync, res; +- unsigned long dt, db; +- sector_t rt; +- int scale; ++ unsigned long dt, db = 0; ++ sector_t rt, curr_mark_cnt, resync_mark_cnt; ++ int scale, recovery_active; + unsigned int per_milli; + + if (test_bit(MD_RECOVERY_SYNC, &mddev->recovery) || +@@ -7368,22 +7368,30 @@ static int status_resync(struct seq_file *seq, struct mddev *mddev) + * db: blocks written from mark until now + * rt: remaining time + * +- * rt is a sector_t, so could be 32bit or 64bit. +- * So we divide before multiply in case it is 32bit and close +- * to the limit. +- * We scale the divisor (db) by 32 to avoid losing precision +- * near the end of resync when the number of remaining sectors +- * is close to 'db'. +- * We then divide rt by 32 after multiplying by db to compensate. +- * The '+1' avoids division by zero if db is very small. ++ * rt is a sector_t, which is always 64bit now. We are keeping ++ * the original algorithm, but it is not really necessary. ++ * ++ * Original algorithm: ++ * So we divide before multiply in case it is 32bit and close ++ * to the limit. ++ * We scale the divisor (db) by 32 to avoid losing precision ++ * near the end of resync when the number of remaining sectors ++ * is close to 'db'. ++ * We then divide rt by 32 after multiplying by db to compensate. ++ * The '+1' avoids division by zero if db is very small. + */ + dt = ((jiffies - mddev->resync_mark) / HZ); + if (!dt) dt++; +- db = (mddev->curr_mark_cnt - atomic_read(&mddev->recovery_active)) +- - mddev->resync_mark_cnt; ++ ++ curr_mark_cnt = mddev->curr_mark_cnt; ++ recovery_active = atomic_read(&mddev->recovery_active); ++ resync_mark_cnt = mddev->resync_mark_cnt; ++ ++ if (curr_mark_cnt >= (recovery_active + resync_mark_cnt)) ++ db = curr_mark_cnt - (recovery_active + resync_mark_cnt); + + rt = max_sectors - resync; /* number of remaining sectors */ +- sector_div(rt, db/32+1); ++ rt = div64_u64(rt, db/32+1); + rt *= dt; + rt >>= 5; + +-- +2.20.1 + diff --git a/queue-4.9/mlxsw-spectrum-disallow-prio-tagged-packets-when-pvi.patch b/queue-4.9/mlxsw-spectrum-disallow-prio-tagged-packets-when-pvi.patch new file mode 100644 index 00000000000..e46e6c8f14d --- /dev/null +++ b/queue-4.9/mlxsw-spectrum-disallow-prio-tagged-packets-when-pvi.patch @@ -0,0 +1,35 @@ +From 9129ac062e41c80ddde8c6b37e4f4a16d1590aac Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Tue, 11 Jun 2019 10:19:46 +0300 +Subject: mlxsw: spectrum: Disallow prio-tagged packets when PVID is removed + +[ Upstream commit 4b14cc313f076c37b646cee06a85f0db59cf216c ] + +When PVID is removed from a bridge port, the Linux bridge drops both +untagged and prio-tagged packets. Align mlxsw with this behavior. + +Fixes: 148f472da5db ("mlxsw: reg: Add the Switch Port Acceptable Frame Types register") +Acked-by: Jiri Pirko +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/reg.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/reg.h b/drivers/net/ethernet/mellanox/mlxsw/reg.h +index a01e6c0d0cd1..b2a745b579fd 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/reg.h ++++ b/drivers/net/ethernet/mellanox/mlxsw/reg.h +@@ -935,7 +935,7 @@ static inline void mlxsw_reg_spaft_pack(char *payload, u8 local_port, + MLXSW_REG_ZERO(spaft, payload); + mlxsw_reg_spaft_local_port_set(payload, local_port); + mlxsw_reg_spaft_allow_untagged_set(payload, allow_untagged); +- mlxsw_reg_spaft_allow_prio_tagged_set(payload, true); ++ mlxsw_reg_spaft_allow_prio_tagged_set(payload, allow_untagged); + mlxsw_reg_spaft_allow_tagged_set(payload, true); + } + +-- +2.20.1 + diff --git a/queue-4.9/mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch b/queue-4.9/mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch new file mode 100644 index 00000000000..00c69d95d76 --- /dev/null +++ b/queue-4.9/mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch @@ -0,0 +1,49 @@ +From 305856f22471741dbfb4ee02e6f3ebaa496f28ac Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 29 May 2019 14:52:19 +0200 +Subject: mwifiex: Fix possible buffer overflows at parsing bss descriptor + +[ Upstream commit 13ec7f10b87f5fc04c4ccbd491c94c7980236a74 ] + +mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in +a couple places without checking the destination size. Since the +source is given from user-space, this may trigger a heap buffer +overflow. + +Fix it by putting the length check before performing memcpy(). + +This fix addresses CVE-2019-3846. + +Reported-by: huangwen +Signed-off-by: Takashi Iwai +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/scan.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c +index 78d59a67f7e1..674ad3405646 100644 +--- a/drivers/net/wireless/marvell/mwifiex/scan.c ++++ b/drivers/net/wireless/marvell/mwifiex/scan.c +@@ -1236,6 +1236,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, + } + switch (element_id) { + case WLAN_EID_SSID: ++ if (element_len > IEEE80211_MAX_SSID_LEN) ++ return -EINVAL; + bss_entry->ssid.ssid_len = element_len; + memcpy(bss_entry->ssid.ssid, (current_ptr + 2), + element_len); +@@ -1245,6 +1247,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, + break; + + case WLAN_EID_SUPP_RATES: ++ if (element_len > MWIFIEX_SUPPORTED_RATES) ++ return -EINVAL; + memcpy(bss_entry->data_rates, current_ptr + 2, + element_len); + memcpy(bss_entry->supported_rates, current_ptr + 2, +-- +2.20.1 + diff --git a/queue-4.9/net-sunrpc-clnt-fix-xps-refcount-imbalance-on-the-er.patch b/queue-4.9/net-sunrpc-clnt-fix-xps-refcount-imbalance-on-the-er.patch new file mode 100644 index 00000000000..0ff0dfa08c7 --- /dev/null +++ b/queue-4.9/net-sunrpc-clnt-fix-xps-refcount-imbalance-on-the-er.patch @@ -0,0 +1,32 @@ +From 8c1b26d996d2b941a9bbbfb545d10105ad0483c9 Mon Sep 17 00:00:00 2001 +From: Lin Yi +Date: Mon, 10 Jun 2019 10:16:56 +0800 +Subject: net :sunrpc :clnt :Fix xps refcount imbalance on the error path + +[ Upstream commit b96226148491505318228ac52624956bd98f9e0c ] + +rpc_clnt_add_xprt take a reference to struct rpc_xprt_switch, but forget +to release it before return, may lead to a memory leak. + +Signed-off-by: Lin Yi +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + net/sunrpc/clnt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index 244eac1bd648..de18a463ac96 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -2718,6 +2718,7 @@ int rpc_clnt_add_xprt(struct rpc_clnt *clnt, + xprt = xprt_iter_xprt(&clnt->cl_xpi); + if (xps == NULL || xprt == NULL) { + rcu_read_unlock(); ++ xprt_switch_put(xps); + return -EAGAIN; + } + resvport = xprt->resvport; +-- +2.20.1 + diff --git a/queue-4.9/netfilter-ipv6-nf_defrag-accept-duplicate-fragments-.patch b/queue-4.9/netfilter-ipv6-nf_defrag-accept-duplicate-fragments-.patch new file mode 100644 index 00000000000..375f062620b --- /dev/null +++ b/queue-4.9/netfilter-ipv6-nf_defrag-accept-duplicate-fragments-.patch @@ -0,0 +1,59 @@ +From b01b176601e1b467177446e41c0336e75780c799 Mon Sep 17 00:00:00 2001 +From: Guillaume Nault +Date: Thu, 6 Jun 2019 18:04:00 +0200 +Subject: netfilter: ipv6: nf_defrag: accept duplicate fragments again + +[ Upstream commit 8a3dca632538c550930ce8bafa8c906b130d35cf ] + +When fixing the skb leak introduced by the conversion to rbtree, I +forgot about the special case of duplicate fragments. The condition +under the 'insert_error' label isn't effective anymore as +nf_ct_frg6_gather() doesn't override the returned value anymore. So +duplicate fragments now get NF_DROP verdict. + +To accept duplicate fragments again, handle them specially as soon as +inet_frag_queue_insert() reports them. Return -EINPROGRESS which will +translate to NF_STOLEN verdict, like any accepted fragment. However, +such packets don't carry any new information and aren't queued, so we +just drop them immediately. + +Fixes: a0d56cb911ca ("netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments") +Signed-off-by: Guillaume Nault +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv6/netfilter/nf_conntrack_reasm.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c +index e6114a6710e0..0b53d1907e4a 100644 +--- a/net/ipv6/netfilter/nf_conntrack_reasm.c ++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c +@@ -264,8 +264,14 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb, + + prev = fq->q.fragments_tail; + err = inet_frag_queue_insert(&fq->q, skb, offset, end); +- if (err) ++ if (err) { ++ if (err == IPFRAG_DUP) { ++ /* No error for duplicates, pretend they got queued. */ ++ kfree_skb(skb); ++ return -EINPROGRESS; ++ } + goto insert_error; ++ } + + if (dev) + fq->iif = dev->ifindex; +@@ -303,8 +309,6 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb, + return -EINPROGRESS; + + insert_error: +- if (err == IPFRAG_DUP) +- goto err; + inet_frag_kill(&fq->q); + err: + skb_dst_drop(skb); +-- +2.20.1 + diff --git a/queue-4.9/netfilter-ipv6-nf_defrag-fix-leakage-of-unqueued-fra.patch b/queue-4.9/netfilter-ipv6-nf_defrag-fix-leakage-of-unqueued-fra.patch new file mode 100644 index 00000000000..8f45ff244f2 --- /dev/null +++ b/queue-4.9/netfilter-ipv6-nf_defrag-fix-leakage-of-unqueued-fra.patch @@ -0,0 +1,63 @@ +From 7e2258dd1bf79ff272fe2138ff6dcf7ce4ca15c7 Mon Sep 17 00:00:00 2001 +From: Guillaume Nault +Date: Sun, 2 Jun 2019 15:13:47 +0200 +Subject: netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments + +[ Upstream commit a0d56cb911ca301de81735f1d73c2aab424654ba ] + +With commit 997dd9647164 ("net: IP6 defrag: use rbtrees in +nf_conntrack_reasm.c"), nf_ct_frag6_reasm() is now called from +nf_ct_frag6_queue(). With this change, nf_ct_frag6_queue() can fail +after the skb has been added to the fragment queue and +nf_ct_frag6_gather() was adapted to handle this case. + +But nf_ct_frag6_queue() can still fail before the fragment has been +queued. nf_ct_frag6_gather() can't handle this case anymore, because it +has no way to know if nf_ct_frag6_queue() queued the fragment before +failing. If it didn't, the skb is lost as the error code is overwritten +with -EINPROGRESS. + +Fix this by setting -EINPROGRESS directly in nf_ct_frag6_queue(), so +that nf_ct_frag6_gather() can propagate the error as is. + +Fixes: 997dd9647164 ("net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c") +Signed-off-by: Guillaume Nault +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c +index 1e1fa99b3243..e6114a6710e0 100644 +--- a/net/ipv6/netfilter/nf_conntrack_reasm.c ++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c +@@ -292,7 +292,11 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb, + skb->_skb_refdst = 0UL; + err = nf_ct_frag6_reasm(fq, skb, prev, dev); + skb->_skb_refdst = orefdst; +- return err; ++ ++ /* After queue has assumed skb ownership, only 0 or ++ * -EINPROGRESS must be returned. ++ */ ++ return err ? -EINPROGRESS : 0; + } + + skb_dst_drop(skb); +@@ -480,12 +484,6 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user) + ret = 0; + } + +- /* after queue has assumed skb ownership, only 0 or -EINPROGRESS +- * must be returned. +- */ +- if (ret) +- ret = -EINPROGRESS; +- + spin_unlock_bh(&fq->q.lock); + inet_frag_put(&fq->q); + return ret; +-- +2.20.1 + diff --git a/queue-4.9/samples-bpf-fix-to-change-the-buffer-size-for-read.patch b/queue-4.9/samples-bpf-fix-to-change-the-buffer-size-for-read.patch new file mode 100644 index 00000000000..d5a3ea561f5 --- /dev/null +++ b/queue-4.9/samples-bpf-fix-to-change-the-buffer-size-for-read.patch @@ -0,0 +1,43 @@ +From 7ff39dd2339663725de648f06bc855569eb3a018 Mon Sep 17 00:00:00 2001 +From: Chang-Hsien Tsai +Date: Sun, 19 May 2019 09:05:44 +0000 +Subject: samples, bpf: fix to change the buffer size for read() + +[ Upstream commit f7c2d64bac1be2ff32f8e4f500c6e5429c1003e0 ] + +If the trace for read is larger than 4096, the return +value sz will be 4096. This results in off-by-one error +on buf: + + static char buf[4096]; + ssize_t sz; + + sz = read(trace_fd, buf, sizeof(buf)); + if (sz > 0) { + buf[sz] = 0; + puts(buf); + } + +Signed-off-by: Chang-Hsien Tsai +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +--- + samples/bpf/bpf_load.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/samples/bpf/bpf_load.c b/samples/bpf/bpf_load.c +index 97913e109b14..99e5a2f63e76 100644 +--- a/samples/bpf/bpf_load.c ++++ b/samples/bpf/bpf_load.c +@@ -369,7 +369,7 @@ void read_trace_pipe(void) + static char buf[4096]; + ssize_t sz; + +- sz = read(trace_fd, buf, sizeof(buf)); ++ sz = read(trace_fd, buf, sizeof(buf) - 1); + if (sz > 0) { + buf[sz] = 0; + puts(buf); +-- +2.20.1 + diff --git a/queue-4.9/series b/queue-4.9/series index 07977fed2ef..50da5ec13f3 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -1 +1,21 @@ crypto-talitos-rename-alternative-aead-algos.patch +input-elantech-enable-middle-button-support-on-2-thi.patch +samples-bpf-fix-to-change-the-buffer-size-for-read.patch +staging-iio-ad7150-fix-threshold-mode-config-bit.patch +mac80211-mesh-fix-rcu-warning.patch +mac80211-free-peer-keys-before-vif-down-in-mesh.patch +mwifiex-fix-possible-buffer-overflows-at-parsing-bss.patch +netfilter-ipv6-nf_defrag-fix-leakage-of-unqueued-fra.patch +netfilter-ipv6-nf_defrag-accept-duplicate-fragments-.patch +dt-bindings-can-mcp251x-add-mcp25625-support.patch +can-mcp251x-add-support-for-mcp25625.patch +input-imx_keypad-make-sure-keyboard-can-always-wake-.patch +kvm-arm-arm64-vgic-fix-kvm_device-leak-in-vgic_its_d.patch +mlxsw-spectrum-disallow-prio-tagged-packets-when-pvi.patch +arm-davinci-da850-evm-call-regulator_has_full_constr.patch +arm-davinci-da8xx-specify-dma_coherent_mask-for-lcdc.patch +mac80211-only-warn-once-on-chanctx_conf-being-null.patch +md-fix-for-divide-error-in-status_resync.patch +bnx2x-check-if-transceiver-implements-ddm-before-acc.patch +ip6_tunnel-allow-not-to-count-pkts-on-tstats-by-pass.patch +net-sunrpc-clnt-fix-xps-refcount-imbalance-on-the-er.patch diff --git a/queue-4.9/staging-iio-ad7150-fix-threshold-mode-config-bit.patch b/queue-4.9/staging-iio-ad7150-fix-threshold-mode-config-bit.patch new file mode 100644 index 00000000000..2c501e0f194 --- /dev/null +++ b/queue-4.9/staging-iio-ad7150-fix-threshold-mode-config-bit.patch @@ -0,0 +1,78 @@ +From 69a065d0ba8f3bac48477f312a193ca73a2d82e3 Mon Sep 17 00:00:00 2001 +From: Melissa Wen +Date: Sat, 18 May 2019 22:04:56 -0300 +Subject: staging:iio:ad7150: fix threshold mode config bit + +[ Upstream commit df4d737ee4d7205aaa6275158aeebff87fd14488 ] + +According to the AD7150 configuration register description, bit 7 assumes +value 1 when the threshold mode is fixed and 0 when it is adaptive, +however, the operation that identifies this mode was considering the +opposite values. + +This patch renames the boolean variable to describe it correctly and +properly replaces it in the places where it is used. + +Fixes: 531efd6aa0991 ("staging:iio:adc:ad7150: chan_spec conv + i2c_smbus commands + drop unused poweroff timeout control.") +Signed-off-by: Melissa Wen +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/staging/iio/cdc/ad7150.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/drivers/staging/iio/cdc/ad7150.c b/drivers/staging/iio/cdc/ad7150.c +index 50a5b0c2cc7b..7ab95efcf1dc 100644 +--- a/drivers/staging/iio/cdc/ad7150.c ++++ b/drivers/staging/iio/cdc/ad7150.c +@@ -6,6 +6,7 @@ + * Licensed under the GPL-2 or later. + */ + ++#include + #include + #include + #include +@@ -129,7 +130,7 @@ static int ad7150_read_event_config(struct iio_dev *indio_dev, + { + int ret; + u8 threshtype; +- bool adaptive; ++ bool thrfixed; + struct ad7150_chip_info *chip = iio_priv(indio_dev); + + ret = i2c_smbus_read_byte_data(chip->client, AD7150_CFG); +@@ -137,21 +138,23 @@ static int ad7150_read_event_config(struct iio_dev *indio_dev, + return ret; + + threshtype = (ret >> 5) & 0x03; +- adaptive = !!(ret & 0x80); ++ ++ /*check if threshold mode is fixed or adaptive*/ ++ thrfixed = FIELD_GET(AD7150_CFG_FIX, ret); + + switch (type) { + case IIO_EV_TYPE_MAG_ADAPTIVE: + if (dir == IIO_EV_DIR_RISING) +- return adaptive && (threshtype == 0x1); +- return adaptive && (threshtype == 0x0); ++ return !thrfixed && (threshtype == 0x1); ++ return !thrfixed && (threshtype == 0x0); + case IIO_EV_TYPE_THRESH_ADAPTIVE: + if (dir == IIO_EV_DIR_RISING) +- return adaptive && (threshtype == 0x3); +- return adaptive && (threshtype == 0x2); ++ return !thrfixed && (threshtype == 0x3); ++ return !thrfixed && (threshtype == 0x2); + case IIO_EV_TYPE_THRESH: + if (dir == IIO_EV_DIR_RISING) +- return !adaptive && (threshtype == 0x1); +- return !adaptive && (threshtype == 0x0); ++ return thrfixed && (threshtype == 0x1); ++ return thrfixed && (threshtype == 0x0); + default: + break; + } +-- +2.20.1 +