From: Sasha Levin Date: Thu, 2 May 2019 13:51:58 +0000 (-0400) Subject: autosel fixes for 4.9 X-Git-Tag: v4.9.173~5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=897926478bbc095f4c08524a5aa63ce93a7229da;p=thirdparty%2Fkernel%2Fstable-queue.git autosel fixes for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/arm-dts-bcm283x-fix-hdmi-hpd-gpio-pull.patch b/queue-4.9/arm-dts-bcm283x-fix-hdmi-hpd-gpio-pull.patch new file mode 100644 index 00000000000..8e61ca46101 --- /dev/null +++ b/queue-4.9/arm-dts-bcm283x-fix-hdmi-hpd-gpio-pull.patch @@ -0,0 +1,33 @@ +From 4658421e49cbbc1ebba4181d41e1fd4f8c2e4f52 Mon Sep 17 00:00:00 2001 +From: Helen Koike +Date: Mon, 4 Mar 2019 18:48:37 -0300 +Subject: ARM: dts: bcm283x: Fix hdmi hpd gpio pull + +[ Upstream commit 544e784188f1dd7c797c70b213385e67d92005b6 ] + +Raspberry pi board model B revison 2 have the hot plug detector gpio +active high (and not low as it was in the dts). + +Signed-off-by: Helen Koike +Fixes: 49ac67e0c39c ("ARM: bcm2835: Add VC4 to the device tree.") +Reviewed-by: Eric Anholt +Signed-off-by: Eric Anholt +Signed-off-by: Sasha Levin (Microsoft) +--- + arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts b/arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts +index 84df85ea6296..7efde03daadd 100644 +--- a/arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts ++++ b/arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts +@@ -26,5 +26,5 @@ + }; + + &hdmi { +- hpd-gpios = <&gpio 46 GPIO_ACTIVE_LOW>; ++ hpd-gpios = <&gpio 46 GPIO_ACTIVE_HIGH>; + }; +-- +2.19.1 + diff --git a/queue-4.9/arm-dts-pfla02-increase-phy-reset-duration.patch b/queue-4.9/arm-dts-pfla02-increase-phy-reset-duration.patch new file mode 100644 index 00000000000..98d116afcda --- /dev/null +++ b/queue-4.9/arm-dts-pfla02-increase-phy-reset-duration.patch @@ -0,0 +1,48 @@ +From 0e62b35e3249870d85bb5954dbd0bbd1cabd3ab7 Mon Sep 17 00:00:00 2001 +From: Marco Felsch +Date: Mon, 4 Mar 2019 11:49:40 +0100 +Subject: ARM: dts: pfla02: increase phy reset duration + +[ Upstream commit 032f85c9360fb1a08385c584c2c4ed114b33c260 ] + +Increase the reset duration to ensure correct phy functionality. The +reset duration is taken from barebox commit 52fdd510de ("ARM: dts: +pfla02: use long enough reset for ethernet phy"): + + Use a longer reset time for ethernet phy Micrel KSZ9031RNX. Otherwise a + small percentage of modules have 'transmission timeouts' errors like + + barebox@Phytec phyFLEX-i.MX6 Quad Carrier-Board:/ ifup eth0 + warning: No MAC address set. Using random address 7e:94:4d:02:f8:f3 + eth0: 1000Mbps full duplex link detected + eth0: transmission timeout + T eth0: transmission timeout + T eth0: transmission timeout + T eth0: transmission timeout + T eth0: transmission timeout + +Cc: Stefan Christ +Cc: Christian Hemp +Signed-off-by: Marco Felsch +Fixes: 3180f956668e ("ARM: dts: Phytec imx6q pfla02 and pbab01 support") +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin (Microsoft) +--- + arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi b/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi +index e0280cac2484..fed72a5f3ffa 100644 +--- a/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi +@@ -90,6 +90,7 @@ + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_enet>; + phy-mode = "rgmii"; ++ phy-reset-duration = <10>; /* in msecs */ + phy-reset-gpios = <&gpio3 23 GPIO_ACTIVE_LOW>; + phy-supply = <&vdd_eth_io_reg>; + status = "disabled"; +-- +2.19.1 + diff --git a/queue-4.9/ceph-fix-use-after-free-on-symlink-traversal.patch b/queue-4.9/ceph-fix-use-after-free-on-symlink-traversal.patch new file mode 100644 index 00000000000..e179dff3a8b --- /dev/null +++ b/queue-4.9/ceph-fix-use-after-free-on-symlink-traversal.patch @@ -0,0 +1,42 @@ +From 50f353f9146a31bd56c93a814d6d09f72972bcdc Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Tue, 26 Mar 2019 01:38:58 +0000 +Subject: ceph: fix use-after-free on symlink traversal + +[ Upstream commit daf5cc27eed99afdea8d96e71b89ba41f5406ef6 ] + +free the symlink body after the same RCU delay we have for freeing the +struct inode itself, so that traversal during RCU pathwalk wouldn't step +into freed memory. + +Signed-off-by: Al Viro +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin (Microsoft) +--- + fs/ceph/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c +index 30d9d9e7057d..7a4052501866 100644 +--- a/fs/ceph/inode.c ++++ b/fs/ceph/inode.c +@@ -523,6 +523,7 @@ static void ceph_i_callback(struct rcu_head *head) + struct inode *inode = container_of(head, struct inode, i_rcu); + struct ceph_inode_info *ci = ceph_inode(inode); + ++ kfree(ci->i_symlink); + kmem_cache_free(ceph_inode_cachep, ci); + } + +@@ -554,7 +555,6 @@ void ceph_destroy_inode(struct inode *inode) + ceph_put_snap_realm(mdsc, realm); + } + +- kfree(ci->i_symlink); + while ((n = rb_first(&ci->i_fragtree)) != NULL) { + frag = rb_entry(n, struct ceph_inode_frag, node); + rb_erase(n, &ci->i_fragtree); +-- +2.19.1 + diff --git a/queue-4.9/gpio-of-fix-of_gpiochip_add-error-path.patch b/queue-4.9/gpio-of-fix-of_gpiochip_add-error-path.patch new file mode 100644 index 00000000000..0439574831f --- /dev/null +++ b/queue-4.9/gpio-of-fix-of_gpiochip_add-error-path.patch @@ -0,0 +1,48 @@ +From f5219a4f821d6ba848c05847d8f8583409f3514c Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Thu, 28 Mar 2019 14:13:47 +0100 +Subject: gpio: of: Fix of_gpiochip_add() error path + +[ Upstream commit f7299d441a4da8a5088e651ea55023525a793a13 ] + +If the call to of_gpiochip_scan_gpios() in of_gpiochip_add() fails, no +error handling is performed. This lead to the need of callers to call +of_gpiochip_remove() on failure, which causes "BAD of_node_put() on ..." +if the failure happened before the call to of_node_get(). + +Fix this by adding proper error handling. + +Note that calling gpiochip_remove_pin_ranges() multiple times causes no +harm: subsequent calls are a no-op. + +Fixes: dfbd379ba9b7431e ("gpio: of: Return error if gpio hog configuration failed") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Mukesh Ojha +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/gpio/gpiolib-of.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c +index aac84329c759..b863386be911 100644 +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -531,7 +531,13 @@ int of_gpiochip_add(struct gpio_chip *chip) + + of_node_get(chip->of_node); + +- return of_gpiochip_scan_gpios(chip); ++ status = of_gpiochip_scan_gpios(chip); ++ if (status) { ++ of_node_put(chip->of_node); ++ gpiochip_remove_pin_ranges(chip); ++ } ++ ++ return status; + } + + void of_gpiochip_remove(struct gpio_chip *chip) +-- +2.19.1 + diff --git a/queue-4.9/kconfig-mn-conf-handle-backspace-h-key.patch b/queue-4.9/kconfig-mn-conf-handle-backspace-h-key.patch new file mode 100644 index 00000000000..6463b1128b0 --- /dev/null +++ b/queue-4.9/kconfig-mn-conf-handle-backspace-h-key.patch @@ -0,0 +1,65 @@ +From b47d5e5563acf670d55120281b97c1c9f6957b65 Mon Sep 17 00:00:00 2001 +From: Changbin Du +Date: Mon, 25 Mar 2019 15:16:47 +0000 +Subject: kconfig/[mn]conf: handle backspace (^H) key + +[ Upstream commit 9c38f1f044080392603c497ecca4d7d09876ff99 ] + +Backspace is not working on some terminal emulators which do not send the +key code defined by terminfo. Terminals either send '^H' (8) or '^?' (127). +But currently only '^?' is handled. Let's also handle '^H' for those +terminals. + +Signed-off-by: Changbin Du +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin (Microsoft) +--- + scripts/kconfig/lxdialog/inputbox.c | 3 ++- + scripts/kconfig/nconf.c | 2 +- + scripts/kconfig/nconf.gui.c | 3 ++- + 3 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c +index d58de1dc5360..510049a7bd1d 100644 +--- a/scripts/kconfig/lxdialog/inputbox.c ++++ b/scripts/kconfig/lxdialog/inputbox.c +@@ -126,7 +126,8 @@ int dialog_inputbox(const char *title, const char *prompt, int height, int width + case KEY_DOWN: + break; + case KEY_BACKSPACE: +- case 127: ++ case 8: /* ^H */ ++ case 127: /* ^? */ + if (pos) { + wattrset(dialog, dlg.inputbox.atr); + if (input_x == 0) { +diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c +index d42d534a66cd..f7049e288e93 100644 +--- a/scripts/kconfig/nconf.c ++++ b/scripts/kconfig/nconf.c +@@ -1046,7 +1046,7 @@ static int do_match(int key, struct match_state *state, int *ans) + state->match_direction = FIND_NEXT_MATCH_UP; + *ans = get_mext_match(state->pattern, + state->match_direction); +- } else if (key == KEY_BACKSPACE || key == 127) { ++ } else if (key == KEY_BACKSPACE || key == 8 || key == 127) { + state->pattern[strlen(state->pattern)-1] = '\0'; + adj_match_dir(&state->match_direction); + } else +diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c +index 4b2f44c20caf..9a65035cf787 100644 +--- a/scripts/kconfig/nconf.gui.c ++++ b/scripts/kconfig/nconf.gui.c +@@ -439,7 +439,8 @@ int dialog_inputbox(WINDOW *main_window, + case KEY_F(F_EXIT): + case KEY_F(F_BACK): + break; +- case 127: ++ case 8: /* ^H */ ++ case 127: /* ^? */ + case KEY_BACKSPACE: + if (cursor_position > 0) { + memmove(&result[cursor_position-1], +-- +2.19.1 + diff --git a/queue-4.9/leds-pca9532-fix-a-potential-null-pointer-dereferenc.patch b/queue-4.9/leds-pca9532-fix-a-potential-null-pointer-dereferenc.patch new file mode 100644 index 00000000000..cbe9794aefd --- /dev/null +++ b/queue-4.9/leds-pca9532-fix-a-potential-null-pointer-dereferenc.patch @@ -0,0 +1,47 @@ +From 244a90c767c8f10fa5ce3275f388b9240d85632c Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Sat, 9 Mar 2019 00:04:11 -0600 +Subject: leds: pca9532: fix a potential NULL pointer dereference + +[ Upstream commit 0aab8e4df4702b31314a27ec4b0631dfad0fae0a ] + +In case of_match_device cannot find a match, return -EINVAL to avoid +NULL pointer dereference. + +Fixes: fa4191a609f2 ("leds: pca9532: Add device tree support") +Signed-off-by: Kangjie Lu +Signed-off-by: Jacek Anaszewski +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/leds/leds-pca9532.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/leds/leds-pca9532.c b/drivers/leds/leds-pca9532.c +index 09a7cffbc46f..896b38f6f9c0 100644 +--- a/drivers/leds/leds-pca9532.c ++++ b/drivers/leds/leds-pca9532.c +@@ -488,6 +488,7 @@ static int pca9532_probe(struct i2c_client *client, + const struct i2c_device_id *id) + { + int devid; ++ const struct of_device_id *of_id; + struct pca9532_data *data = i2c_get_clientdata(client); + struct pca9532_platform_data *pca9532_pdata = + dev_get_platdata(&client->dev); +@@ -503,8 +504,11 @@ static int pca9532_probe(struct i2c_client *client, + dev_err(&client->dev, "no platform data\n"); + return -EINVAL; + } +- devid = (int)(uintptr_t)of_match_device( +- of_pca9532_leds_match, &client->dev)->data; ++ of_id = of_match_device(of_pca9532_leds_match, ++ &client->dev); ++ if (unlikely(!of_id)) ++ return -EINVAL; ++ devid = (int)(uintptr_t) of_id->data; + } else { + devid = id->driver_data; + } +-- +2.19.1 + diff --git a/queue-4.9/libata-fix-using-dma-buffers-on-stack.patch b/queue-4.9/libata-fix-using-dma-buffers-on-stack.patch new file mode 100644 index 00000000000..9f7f7551e8e --- /dev/null +++ b/queue-4.9/libata-fix-using-dma-buffers-on-stack.patch @@ -0,0 +1,87 @@ +From bd57d3cdabce33ad1ad2567ee2752d289308f20c Mon Sep 17 00:00:00 2001 +From: raymond pang +Date: Thu, 28 Mar 2019 12:19:25 +0000 +Subject: libata: fix using DMA buffers on stack + +[ Upstream commit dd08a8d9a66de4b54575c294a92630299f7e0fe7 ] + +When CONFIG_VMAP_STACK=y, __pa() returns incorrect physical address for +a stack virtual address. Stack DMA buffers must be avoided. + +Signed-off-by: raymond pang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/ata/libata-zpodd.c | 34 ++++++++++++++++++++++++---------- + 1 file changed, 24 insertions(+), 10 deletions(-) + +diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c +index 0ad96c647541..7017a81d53cf 100644 +--- a/drivers/ata/libata-zpodd.c ++++ b/drivers/ata/libata-zpodd.c +@@ -51,38 +51,52 @@ static int eject_tray(struct ata_device *dev) + /* Per the spec, only slot type and drawer type ODD can be supported */ + static enum odd_mech_type zpodd_get_mech_type(struct ata_device *dev) + { +- char buf[16]; ++ char *buf; + unsigned int ret; +- struct rm_feature_desc *desc = (void *)(buf + 8); ++ struct rm_feature_desc *desc; + struct ata_taskfile tf; + static const char cdb[] = { GPCMD_GET_CONFIGURATION, + 2, /* only 1 feature descriptor requested */ + 0, 3, /* 3, removable medium feature */ + 0, 0, 0,/* reserved */ +- 0, sizeof(buf), ++ 0, 16, + 0, 0, 0, + }; + ++ buf = kzalloc(16, GFP_KERNEL); ++ if (!buf) ++ return ODD_MECH_TYPE_UNSUPPORTED; ++ desc = (void *)(buf + 8); ++ + ata_tf_init(dev, &tf); + tf.flags = ATA_TFLAG_ISADDR | ATA_TFLAG_DEVICE; + tf.command = ATA_CMD_PACKET; + tf.protocol = ATAPI_PROT_PIO; +- tf.lbam = sizeof(buf); ++ tf.lbam = 16; + + ret = ata_exec_internal(dev, &tf, cdb, DMA_FROM_DEVICE, +- buf, sizeof(buf), 0); +- if (ret) ++ buf, 16, 0); ++ if (ret) { ++ kfree(buf); + return ODD_MECH_TYPE_UNSUPPORTED; ++ } + +- if (be16_to_cpu(desc->feature_code) != 3) ++ if (be16_to_cpu(desc->feature_code) != 3) { ++ kfree(buf); + return ODD_MECH_TYPE_UNSUPPORTED; ++ } + +- if (desc->mech_type == 0 && desc->load == 0 && desc->eject == 1) ++ if (desc->mech_type == 0 && desc->load == 0 && desc->eject == 1) { ++ kfree(buf); + return ODD_MECH_TYPE_SLOT; +- else if (desc->mech_type == 1 && desc->load == 0 && desc->eject == 1) ++ } else if (desc->mech_type == 1 && desc->load == 0 && ++ desc->eject == 1) { ++ kfree(buf); + return ODD_MECH_TYPE_DRAWER; +- else ++ } else { ++ kfree(buf); + return ODD_MECH_TYPE_UNSUPPORTED; ++ } + } + + /* Test if ODD is zero power ready by sense code */ +-- +2.19.1 + diff --git a/queue-4.9/net-ethernet-ti-fix-possible-object-reference-leak.patch b/queue-4.9/net-ethernet-ti-fix-possible-object-reference-leak.patch new file mode 100644 index 00000000000..515f1fda8ad --- /dev/null +++ b/queue-4.9/net-ethernet-ti-fix-possible-object-reference-leak.patch @@ -0,0 +1,53 @@ +From 94e7a7b47aec12d59d1032744f8b0b5a0731a736 Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Fri, 22 Mar 2019 11:04:09 +0800 +Subject: net: ethernet: ti: fix possible object reference leak + +[ Upstream commit 75eac7b5f68b0a0671e795ac636457ee27cc11d8 ] + +The call to of_get_child_by_name returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +./drivers/net/ethernet/ti/netcp_ethss.c:3661:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 3654, but without a corresponding object release within this function. +./drivers/net/ethernet/ti/netcp_ethss.c:3665:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 3654, but without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Cc: Wingman Kwok +Cc: Murali Karicheri +Cc: "David S. Miller" +Cc: netdev@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/ti/netcp_ethss.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/ti/netcp_ethss.c b/drivers/net/ethernet/ti/netcp_ethss.c +index d543298d6750..ff24524e7f46 100644 +--- a/drivers/net/ethernet/ti/netcp_ethss.c ++++ b/drivers/net/ethernet/ti/netcp_ethss.c +@@ -3122,12 +3122,16 @@ static int gbe_probe(struct netcp_device *netcp_device, struct device *dev, + + ret = netcp_txpipe_init(&gbe_dev->tx_pipe, netcp_device, + gbe_dev->dma_chan_name, gbe_dev->tx_queue_id); +- if (ret) ++ if (ret) { ++ of_node_put(interfaces); + return ret; ++ } + + ret = netcp_txpipe_open(&gbe_dev->tx_pipe); +- if (ret) ++ if (ret) { ++ of_node_put(interfaces); + return ret; ++ } + + /* Create network interfaces */ + INIT_LIST_HEAD(&gbe_dev->gbe_intf_head); +-- +2.19.1 + diff --git a/queue-4.9/net-ibm-fix-possible-object-reference-leak.patch b/queue-4.9/net-ibm-fix-possible-object-reference-leak.patch new file mode 100644 index 00000000000..6864c20a70b --- /dev/null +++ b/queue-4.9/net-ibm-fix-possible-object-reference-leak.patch @@ -0,0 +1,40 @@ +From 34efebdd0d0ed75698937c656d1850ebad05e1ae Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Fri, 22 Mar 2019 11:04:08 +0800 +Subject: net: ibm: fix possible object reference leak + +[ Upstream commit be693df3cf9dd113ff1d2c0d8150199efdba37f6 ] + +The call to ehea_get_eth_dn returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +./drivers/net/ethernet/ibm/ehea/ehea_main.c:3163:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 3154, but without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Cc: Douglas Miller +Cc: "David S. Miller" +Cc: netdev@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/ibm/ehea/ehea_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/ibm/ehea/ehea_main.c b/drivers/net/ethernet/ibm/ehea/ehea_main.c +index bd719e25dd76..2dd17e01e3a7 100644 +--- a/drivers/net/ethernet/ibm/ehea/ehea_main.c ++++ b/drivers/net/ethernet/ibm/ehea/ehea_main.c +@@ -3184,6 +3184,7 @@ static ssize_t ehea_probe_port(struct device *dev, + + if (ehea_add_adapter_mr(adapter)) { + pr_err("creating MR failed\n"); ++ of_node_put(eth_dn); + return -EIO; + } + +-- +2.19.1 + diff --git a/queue-4.9/net-ks8851-delay-requesting-irq-until-opened.patch b/queue-4.9/net-ks8851-delay-requesting-irq-until-opened.patch new file mode 100644 index 00000000000..1d37239cd1a --- /dev/null +++ b/queue-4.9/net-ks8851-delay-requesting-irq-until-opened.patch @@ -0,0 +1,94 @@ +From 15306b0baf75c7839273983f539ebc71858385a6 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Wed, 20 Mar 2019 15:02:00 +0100 +Subject: net: ks8851: Delay requesting IRQ until opened + +[ Upstream commit d268f31552794abf5b6aa5af31021643411f25f5 ] + +The ks8851 driver currently requests the IRQ before registering the +net_device. Because the net_device name is used as IRQ name and is +still "eth%d" when the IRQ is requested, it's impossibe to tell IRQs +apart if multiple ks8851 chips are present. Most other drivers delay +requesting the IRQ until the net_device is opened. Do the same. + +The driver doesn't enable interrupts on the chip before opening the +net_device and disables them when closing it, so there doesn't seem to +be a need to request the IRQ already on probe. + +Signed-off-by: Lukas Wunner +Cc: Frank Pavlic +Cc: Ben Dooks +Cc: Tristram Ha +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/micrel/ks8851.c | 24 +++++++++++------------- + 1 file changed, 11 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c +index a8c5641ff955..ff6cab4f6343 100644 +--- a/drivers/net/ethernet/micrel/ks8851.c ++++ b/drivers/net/ethernet/micrel/ks8851.c +@@ -797,6 +797,15 @@ static void ks8851_tx_work(struct work_struct *work) + static int ks8851_net_open(struct net_device *dev) + { + struct ks8851_net *ks = netdev_priv(dev); ++ int ret; ++ ++ ret = request_threaded_irq(dev->irq, NULL, ks8851_irq, ++ IRQF_TRIGGER_LOW | IRQF_ONESHOT, ++ dev->name, ks); ++ if (ret < 0) { ++ netdev_err(dev, "failed to get irq\n"); ++ return ret; ++ } + + /* lock the card, even if we may not actually be doing anything + * else at the moment */ +@@ -911,6 +920,8 @@ static int ks8851_net_stop(struct net_device *dev) + dev_kfree_skb(txb); + } + ++ free_irq(dev->irq, ks); ++ + return 0; + } + +@@ -1542,14 +1553,6 @@ static int ks8851_probe(struct spi_device *spi) + ks8851_read_selftest(ks); + ks8851_init_mac(ks); + +- ret = request_threaded_irq(spi->irq, NULL, ks8851_irq, +- IRQF_TRIGGER_LOW | IRQF_ONESHOT, +- ndev->name, ks); +- if (ret < 0) { +- dev_err(&spi->dev, "failed to get irq\n"); +- goto err_irq; +- } +- + ret = register_netdev(ndev); + if (ret) { + dev_err(&spi->dev, "failed to register network device\n"); +@@ -1562,11 +1565,7 @@ static int ks8851_probe(struct spi_device *spi) + + return 0; + +- + err_netdev: +- free_irq(ndev->irq, ks); +- +-err_irq: + err_id: + if (gpio_is_valid(gpio)) + gpio_set_value(gpio, 0); +@@ -1587,7 +1586,6 @@ static int ks8851_remove(struct spi_device *spi) + dev_info(&spi->dev, "remove\n"); + + unregister_netdev(priv->netdev); +- free_irq(spi->irq, priv); + if (gpio_is_valid(priv->gpio)) + gpio_set_value(priv->gpio, 0); + regulator_disable(priv->vdd_reg); +-- +2.19.1 + diff --git a/queue-4.9/net-ks8851-dequeue-rx-packets-explicitly.patch b/queue-4.9/net-ks8851-dequeue-rx-packets-explicitly.patch new file mode 100644 index 00000000000..5d07a33f239 --- /dev/null +++ b/queue-4.9/net-ks8851-dequeue-rx-packets-explicitly.patch @@ -0,0 +1,76 @@ +From 23295cf5dcc45fc5cf87e61955ace7fb4dd971dd Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Wed, 20 Mar 2019 15:02:00 +0100 +Subject: net: ks8851: Dequeue RX packets explicitly + +[ Upstream commit 536d3680fd2dab5c39857d62a3e084198fc74ff9 ] + +The ks8851 driver lets the chip auto-dequeue received packets once they +have been read in full. It achieves that by setting the ADRFE flag in +the RXQCR register ("Auto-Dequeue RXQ Frame Enable"). + +However if allocation of a packet's socket buffer or retrieval of the +packet over the SPI bus fails, the packet will not have been read in +full and is not auto-dequeued. Such partial retrieval of a packet +confuses the chip's RX queue management: On the next RX interrupt, +the first packet read from the queue will be the one left there +previously and this one can be retrieved without issues. But for any +newly received packets, the frame header status and byte count registers +(RXFHSR and RXFHBCR) contain bogus values, preventing their retrieval. + +The chip allows explicitly dequeueing a packet from the RX queue by +setting the RRXEF flag in the RXQCR register ("Release RX Error Frame"). +This could be used to dequeue the packet in case of an error, but if +that error is a failed SPI transfer, it is unknown if the packet was +transferred in full and was auto-dequeued or if it was only transferred +in part and requires an explicit dequeue. The safest approach is thus +to always dequeue packets explicitly and forgo auto-dequeueing. + +Without this change, I've witnessed packet retrieval break completely +when an SPI DMA transfer fails, requiring a chip reset. Explicit +dequeueing magically fixes this and makes packet retrieval absolutely +robust for me. + +The chip's documentation suggests auto-dequeuing and uses the RRXEF +flag only to dequeue error frames which the driver doesn't want to +retrieve. But that seems to be a fair-weather approach. + +Signed-off-by: Lukas Wunner +Cc: Frank Pavlic +Cc: Ben Dooks +Cc: Tristram Ha +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/micrel/ks8851.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c +index 1edc973df4c4..247a3377b951 100644 +--- a/drivers/net/ethernet/micrel/ks8851.c ++++ b/drivers/net/ethernet/micrel/ks8851.c +@@ -547,9 +547,8 @@ static void ks8851_rx_pkts(struct ks8851_net *ks) + /* set dma read address */ + ks8851_wrreg16(ks, KS_RXFDPR, RXFDPR_RXFPAI | 0x00); + +- /* start the packet dma process, and set auto-dequeue rx */ +- ks8851_wrreg16(ks, KS_RXQCR, +- ks->rc_rxqcr | RXQCR_SDA | RXQCR_ADRFE); ++ /* start DMA access */ ++ ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_SDA); + + if (rxlen > 4) { + unsigned int rxalign; +@@ -580,7 +579,8 @@ static void ks8851_rx_pkts(struct ks8851_net *ks) + } + } + +- ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr); ++ /* end DMA access and dequeue packet */ ++ ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_RRXEF); + } + } + +-- +2.19.1 + diff --git a/queue-4.9/net-ks8851-reassert-reset-pin-if-chip-id-check-fails.patch b/queue-4.9/net-ks8851-reassert-reset-pin-if-chip-id-check-fails.patch new file mode 100644 index 00000000000..70e3d948c94 --- /dev/null +++ b/queue-4.9/net-ks8851-reassert-reset-pin-if-chip-id-check-fails.patch @@ -0,0 +1,45 @@ +From 8b57feab409c85cc707ae3d68a15626d8003988c Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Wed, 20 Mar 2019 15:02:00 +0100 +Subject: net: ks8851: Reassert reset pin if chip ID check fails + +[ Upstream commit 761cfa979a0c177d6c2d93ef5585cd79ae49a7d5 ] + +Commit 73fdeb82e963 ("net: ks8851: Add optional vdd_io regulator and +reset gpio") amended the ks8851 driver to briefly assert the chip's +reset pin on probe. It also amended the probe routine's error path to +reassert the reset pin if a subsequent initialization step fails. + +However the commit misplaced reassertion of the reset pin in the error +path such that it is not performed if the check of the Chip ID and +Enable Register (CIDER) fails. The error path is therefore slightly +asymmetrical to the probe routine's body. Fix it. + +Signed-off-by: Lukas Wunner +Cc: Frank Pavlic +Cc: Stephen Boyd +Cc: Nishanth Menon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/micrel/ks8851.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c +index 247a3377b951..a8c5641ff955 100644 +--- a/drivers/net/ethernet/micrel/ks8851.c ++++ b/drivers/net/ethernet/micrel/ks8851.c +@@ -1567,9 +1567,9 @@ static int ks8851_probe(struct spi_device *spi) + free_irq(ndev->irq, ks); + + err_irq: ++err_id: + if (gpio_is_valid(gpio)) + gpio_set_value(gpio, 0); +-err_id: + regulator_disable(ks->vdd_reg); + err_reg: + regulator_disable(ks->vdd_io); +-- +2.19.1 + diff --git a/queue-4.9/net-ks8851-set-initial-carrier-state-to-down.patch b/queue-4.9/net-ks8851-set-initial-carrier-state-to-down.patch new file mode 100644 index 00000000000..be48241e3d7 --- /dev/null +++ b/queue-4.9/net-ks8851-set-initial-carrier-state-to-down.patch @@ -0,0 +1,54 @@ +From 379d1424dae5182a929593dc5d035d9a287da5d9 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Wed, 20 Mar 2019 15:02:00 +0100 +Subject: net: ks8851: Set initial carrier state to down + +[ Upstream commit 9624bafa5f6418b9ca5b3f66d1f6a6a2e8bf6d4c ] + +The ks8851 chip's initial carrier state is down. A Link Change Interrupt +is signaled once interrupts are enabled if the carrier is up. + +The ks8851 driver has it backwards by assuming that the initial carrier +state is up. The state is therefore misrepresented if the interface is +opened with no cable attached. Fix it. + +The Link Change interrupt is sometimes not signaled unless the P1MBSR +register (which contains the Link Status bit) is read on ->ndo_open(). +This might be a hardware erratum. Read the register by calling +mii_check_link(), which has the desirable side effect of setting the +carrier state to down if the cable was detached while the interface was +closed. + +Signed-off-by: Lukas Wunner +Cc: Frank Pavlic +Cc: Ben Dooks +Cc: Tristram Ha +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/micrel/ks8851.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c +index ff6cab4f6343..7377dca6eb57 100644 +--- a/drivers/net/ethernet/micrel/ks8851.c ++++ b/drivers/net/ethernet/micrel/ks8851.c +@@ -870,6 +870,7 @@ static int ks8851_net_open(struct net_device *dev) + netif_dbg(ks, ifup, ks->netdev, "network device up\n"); + + mutex_unlock(&ks->lock); ++ mii_check_link(&ks->mii); + return 0; + } + +@@ -1527,6 +1528,7 @@ static int ks8851_probe(struct spi_device *spi) + + spi_set_drvdata(spi, ks); + ++ netif_carrier_off(ks->netdev); + ndev->if_port = IF_PORT_100BASET; + ndev->netdev_ops = &ks8851_netdev_ops; + ndev->irq = spi->irq; +-- +2.19.1 + diff --git a/queue-4.9/net-xilinx-fix-possible-object-reference-leak.patch b/queue-4.9/net-xilinx-fix-possible-object-reference-leak.patch new file mode 100644 index 00000000000..2b55157c4fd --- /dev/null +++ b/queue-4.9/net-xilinx-fix-possible-object-reference-leak.patch @@ -0,0 +1,50 @@ +From d9e91499b09e5a3846061ba8eab0370eec3fb8b5 Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Fri, 22 Mar 2019 11:04:07 +0800 +Subject: net: xilinx: fix possible object reference leak + +[ Upstream commit fa3a419d2f674b431d38748cb58fb7da17ee8949 ] + +The call to of_parse_phandle returns a node pointer with refcount +incremented thus it must be explicitly decremented after the last +usage. + +Detected by coccinelle with the following warnings: +./drivers/net/ethernet/xilinx/xilinx_axienet_main.c:1624:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1569, but without a corresponding object release within this function. + +Signed-off-by: Wen Yang +Cc: Anirudha Sarangi +Cc: John Linn +Cc: "David S. Miller" +Cc: Michal Simek +Cc: netdev@vger.kernel.org +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index c688d68c39aa..a8afc92cbfca 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -1548,12 +1548,14 @@ static int axienet_probe(struct platform_device *pdev) + ret = of_address_to_resource(np, 0, &dmares); + if (ret) { + dev_err(&pdev->dev, "unable to get DMA resource\n"); ++ of_node_put(np); + goto free_netdev; + } + lp->dma_regs = devm_ioremap_resource(&pdev->dev, &dmares); + if (IS_ERR(lp->dma_regs)) { + dev_err(&pdev->dev, "could not map DMA regs\n"); + ret = PTR_ERR(lp->dma_regs); ++ of_node_put(np); + goto free_netdev; + } + lp->rx_irq = irq_of_parse_and_map(np, 1); +-- +2.19.1 + diff --git a/queue-4.9/netfilter-bridge-set-skb-transport_header-before-ent.patch b/queue-4.9/netfilter-bridge-set-skb-transport_header-before-ent.patch new file mode 100644 index 00000000000..bd4d5faf591 --- /dev/null +++ b/queue-4.9/netfilter-bridge-set-skb-transport_header-before-ent.patch @@ -0,0 +1,57 @@ +From 247500d1e26e8127aabe505b8a0cda5486e3be68 Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Wed, 13 Mar 2019 16:33:29 +0800 +Subject: netfilter: bridge: set skb transport_header before entering + NF_INET_PRE_ROUTING + +[ Upstream commit e166e4fdaced850bee3d5ee12a5740258fb30587 ] + +Since Commit 21d1196a35f5 ("ipv4: set transport header earlier"), +skb->transport_header has been always set before entering INET +netfilter. This patch is to set skb->transport_header for bridge +before entering INET netfilter by bridge-nf-call-iptables. + +It also fixes an issue that sctp_error() couldn't compute a right +csum due to unset skb->transport_header. + +Fixes: e6d8b64b34aa ("net: sctp: fix and consolidate SCTP checksumming code") +Reported-by: Li Shuang +Suggested-by: Pablo Neira Ayuso +Signed-off-by: Xin Long +Acked-by: Neil Horman +Acked-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin (Microsoft) +--- + net/bridge/br_netfilter_hooks.c | 1 + + net/bridge/br_netfilter_ipv6.c | 2 ++ + 2 files changed, 3 insertions(+) + +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 38865deab3ac..0c96773d1829 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -512,6 +512,7 @@ static unsigned int br_nf_pre_routing(void *priv, + nf_bridge->ipv4_daddr = ip_hdr(skb)->daddr; + + skb->protocol = htons(ETH_P_IP); ++ skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * 4; + + NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->net, state->sk, skb, + skb->dev, NULL, +diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c +index a1b57cb07f1e..8c08dd07419f 100644 +--- a/net/bridge/br_netfilter_ipv6.c ++++ b/net/bridge/br_netfilter_ipv6.c +@@ -235,6 +235,8 @@ unsigned int br_nf_pre_routing_ipv6(void *priv, + nf_bridge->ipv6_daddr = ipv6_hdr(skb)->daddr; + + skb->protocol = htons(ETH_P_IPV6); ++ skb->transport_header = skb->network_header + sizeof(struct ipv6hdr); ++ + NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, state->net, state->sk, skb, + skb->dev, NULL, + br_nf_pre_routing_finish_ipv6); +-- +2.19.1 + diff --git a/queue-4.9/netfilter-nft_set_rbtree-check-for-inactive-element-.patch b/queue-4.9/netfilter-nft_set_rbtree-check-for-inactive-element-.patch new file mode 100644 index 00000000000..71d1b74b385 --- /dev/null +++ b/queue-4.9/netfilter-nft_set_rbtree-check-for-inactive-element-.patch @@ -0,0 +1,49 @@ +From 625381be85638e928d130b16fc331e31b7c0d669 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Tue, 12 Mar 2019 12:10:59 +0100 +Subject: netfilter: nft_set_rbtree: check for inactive element after flag + mismatch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 05b7639da55f5555b9866a1f4b7e8995232a6323 ] + +Otherwise, we hit bogus ENOENT when removing elements. + +Fixes: e701001e7cbe ("netfilter: nft_rbtree: allow adjacent intervals with dynamic updates") +Reported-by: Václav Zindulka +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin (Microsoft) +--- + net/netfilter/nft_set_rbtree.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c +index 93820e0d8814..4ee8acded0a4 100644 +--- a/net/netfilter/nft_set_rbtree.c ++++ b/net/netfilter/nft_set_rbtree.c +@@ -191,10 +191,6 @@ static void *nft_rbtree_deactivate(const struct net *net, + else if (d > 0) + parent = parent->rb_right; + else { +- if (!nft_set_elem_active(&rbe->ext, genmask)) { +- parent = parent->rb_left; +- continue; +- } + if (nft_rbtree_interval_end(rbe) && + !nft_rbtree_interval_end(this)) { + parent = parent->rb_left; +@@ -203,6 +199,9 @@ static void *nft_rbtree_deactivate(const struct net *net, + nft_rbtree_interval_end(this)) { + parent = parent->rb_right; + continue; ++ } else if (!nft_set_elem_active(&rbe->ext, genmask)) { ++ parent = parent->rb_left; ++ continue; + } + nft_set_elem_change_active(net, set, &rbe->ext); + return rbe; +-- +2.19.1 + diff --git a/queue-4.9/nfs-fix-a-typo-in-nfs_init_timeout_values.patch b/queue-4.9/nfs-fix-a-typo-in-nfs_init_timeout_values.patch new file mode 100644 index 00000000000..9d121b82270 --- /dev/null +++ b/queue-4.9/nfs-fix-a-typo-in-nfs_init_timeout_values.patch @@ -0,0 +1,34 @@ +From 0c29cd5c35a508684eb231482a595dc78b9f680c Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Thu, 21 Mar 2019 17:57:56 -0400 +Subject: NFS: Fix a typo in nfs_init_timeout_values() + +[ Upstream commit 5a698243930c441afccec04e4d5dc8febfd2b775 ] + +Specifying a retrans=0 mount parameter to a NFS/TCP mount, is +inadvertently causing the NFS client to rewrite any specified +timeout parameter to the default of 60 seconds. + +Fixes: a956beda19a6 ("NFS: Allow the mount option retrans=0") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin (Microsoft) +--- + fs/nfs/client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/client.c b/fs/nfs/client.c +index ebecfb8fba06..28d8a57a9908 100644 +--- a/fs/nfs/client.c ++++ b/fs/nfs/client.c +@@ -440,7 +440,7 @@ void nfs_init_timeout_values(struct rpc_timeout *to, int proto, + case XPRT_TRANSPORT_RDMA: + if (retrans == NFS_UNSPEC_RETRANS) + to->to_retries = NFS_DEF_TCP_RETRANS; +- if (timeo == NFS_UNSPEC_TIMEO || to->to_retries == 0) ++ if (timeo == NFS_UNSPEC_TIMEO || to->to_initval == 0) + to->to_initval = NFS_DEF_TCP_TIMEO * HZ / 10; + if (to->to_initval > NFS_MAX_TCP_TIMEOUT) + to->to_initval = NFS_MAX_TCP_TIMEOUT; +-- +2.19.1 + diff --git a/queue-4.9/qlcnic-avoid-potential-null-pointer-dereference.patch b/queue-4.9/qlcnic-avoid-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..5f9e4ac3cac --- /dev/null +++ b/queue-4.9/qlcnic-avoid-potential-null-pointer-dereference.patch @@ -0,0 +1,33 @@ +From f7501fb11b920d752a24b8baff77dc31afa1a746 Mon Sep 17 00:00:00 2001 +From: Aditya Pakki +Date: Thu, 14 Mar 2019 15:31:40 -0500 +Subject: qlcnic: Avoid potential NULL pointer dereference + +[ Upstream commit 5bf7295fe34a5251b1d241b9736af4697b590670 ] + +netdev_alloc_skb can fail and return a NULL pointer which is +dereferenced without a check. The patch avoids such a scenario. + +Signed-off-by: Aditya Pakki +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c +index 0a2318cad34d..63ebc491057b 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c +@@ -1038,6 +1038,8 @@ int qlcnic_do_lb_test(struct qlcnic_adapter *adapter, u8 mode) + + for (i = 0; i < QLCNIC_NUM_ILB_PKT; i++) { + skb = netdev_alloc_skb(adapter->netdev, QLCNIC_ILB_PKT_SIZE); ++ if (!skb) ++ break; + qlcnic_create_loopback_buff(skb->data, adapter->mac_addr); + skb_put(skb, QLCNIC_ILB_PKT_SIZE); + adapter->ahw->diag_cnt = 0; +-- +2.19.1 + diff --git a/queue-4.9/s390-limit-brk-randomization-to-32mb.patch b/queue-4.9/s390-limit-brk-randomization-to-32mb.patch new file mode 100644 index 00000000000..05fe62cf81a --- /dev/null +++ b/queue-4.9/s390-limit-brk-randomization-to-32mb.patch @@ -0,0 +1,47 @@ +From c28dfeb2fe023e2395eeedc4735aa9e588755972 Mon Sep 17 00:00:00 2001 +From: Martin Schwidefsky +Date: Mon, 4 Mar 2019 12:33:28 +0100 +Subject: s390: limit brk randomization to 32MB + +[ Upstream commit cd479eccd2e057116d504852814402a1e68ead80 ] + +For a 64-bit process the randomization of the program break is quite +large with 1GB. That is as big as the randomization of the anonymous +mapping base, for a test case started with '/lib/ld64.so.1 ' +it can happen that the heap is placed after the stack. To avoid +this limit the program break randomization to 32MB for 64-bit and +keep 8MB for 31-bit. + +Reported-by: Stefan Liebler +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin (Microsoft) +--- + arch/s390/include/asm/elf.h | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/arch/s390/include/asm/elf.h b/arch/s390/include/asm/elf.h +index 8d665f1b29f8..f0fe566a9910 100644 +--- a/arch/s390/include/asm/elf.h ++++ b/arch/s390/include/asm/elf.h +@@ -215,11 +215,14 @@ do { \ + + /* + * Cache aliasing on the latest machines calls for a mapping granularity +- * of 512KB. For 64-bit processes use a 512KB alignment and a randomization +- * of up to 1GB. For 31-bit processes the virtual address space is limited, +- * use no alignment and limit the randomization to 8MB. ++ * of 512KB for the anonymous mapping base. For 64-bit processes use a ++ * 512KB alignment and a randomization of up to 1GB. For 31-bit processes ++ * the virtual address space is limited, use no alignment and limit the ++ * randomization to 8MB. ++ * For the additional randomization of the program break use 32MB for ++ * 64-bit and 8MB for 31-bit. + */ +-#define BRK_RND_MASK (is_compat_task() ? 0x7ffUL : 0x3ffffUL) ++#define BRK_RND_MASK (is_compat_task() ? 0x7ffUL : 0x1fffUL) + #define MMAP_RND_MASK (is_compat_task() ? 0x7ffUL : 0x3ff80UL) + #define MMAP_ALIGN_MASK (is_compat_task() ? 0 : 0x7fUL) + #define STACK_RND_MASK MMAP_RND_MASK +-- +2.19.1 + diff --git a/queue-4.9/sc16is7xx-missing-unregister-delete-driver-on-error-.patch b/queue-4.9/sc16is7xx-missing-unregister-delete-driver-on-error-.patch new file mode 100644 index 00000000000..74ff5a592b7 --- /dev/null +++ b/queue-4.9/sc16is7xx-missing-unregister-delete-driver-on-error-.patch @@ -0,0 +1,55 @@ +From 0bf798cf8f5ca240a18932171fc52bdda5ee8284 Mon Sep 17 00:00:00 2001 +From: Mao Wenan +Date: Fri, 8 Mar 2019 22:08:31 +0800 +Subject: sc16is7xx: missing unregister/delete driver on error in + sc16is7xx_init() + +[ Upstream commit ac0cdb3d990108df795b676cd0d0e65ac34b2273 ] + +Add the missing uart_unregister_driver() and i2c_del_driver() before return +from sc16is7xx_init() in the error handling case. + +Signed-off-by: Mao Wenan +Reviewed-by: Vladimir Zapolskiy +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/tty/serial/sc16is7xx.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c +index ea6b62cece88..82451bb6622b 100644 +--- a/drivers/tty/serial/sc16is7xx.c ++++ b/drivers/tty/serial/sc16is7xx.c +@@ -1482,7 +1482,7 @@ static int __init sc16is7xx_init(void) + ret = i2c_add_driver(&sc16is7xx_i2c_uart_driver); + if (ret < 0) { + pr_err("failed to init sc16is7xx i2c --> %d\n", ret); +- return ret; ++ goto err_i2c; + } + #endif + +@@ -1490,10 +1490,18 @@ static int __init sc16is7xx_init(void) + ret = spi_register_driver(&sc16is7xx_spi_uart_driver); + if (ret < 0) { + pr_err("failed to init sc16is7xx spi --> %d\n", ret); +- return ret; ++ goto err_spi; + } + #endif + return ret; ++ ++err_spi: ++#ifdef CONFIG_SERIAL_SC16IS7XX_I2C ++ i2c_del_driver(&sc16is7xx_i2c_uart_driver); ++#endif ++err_i2c: ++ uart_unregister_driver(&sc16is7xx_uart); ++ return ret; + } + module_init(sc16is7xx_init); + +-- +2.19.1 + diff --git a/queue-4.9/scsi-qla4xxx-fix-a-potential-null-pointer-dereferenc.patch b/queue-4.9/scsi-qla4xxx-fix-a-potential-null-pointer-dereferenc.patch new file mode 100644 index 00000000000..3737bc1b454 --- /dev/null +++ b/queue-4.9/scsi-qla4xxx-fix-a-potential-null-pointer-dereferenc.patch @@ -0,0 +1,35 @@ +From 0dda07a7e10ca513909172929c65fc6e0f7c5c18 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Thu, 14 Mar 2019 01:30:59 -0500 +Subject: scsi: qla4xxx: fix a potential NULL pointer dereference + +[ Upstream commit fba1bdd2a9a93f3e2181ec1936a3c2f6b37e7ed6 ] + +In case iscsi_lookup_endpoint fails, the fix returns -EINVAL to avoid NULL +pointer dereference. + +Signed-off-by: Kangjie Lu +Acked-by: Manish Rangankar +Reviewed-by: Mukesh Ojha +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/scsi/qla4xxx/ql4_os.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c +index f9f899ec9427..c158967b59d7 100644 +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -3207,6 +3207,8 @@ static int qla4xxx_conn_bind(struct iscsi_cls_session *cls_session, + if (iscsi_conn_bind(cls_session, cls_conn, is_leading)) + return -EINVAL; + ep = iscsi_lookup_endpoint(transport_fd); ++ if (!ep) ++ return -EINVAL; + conn = cls_conn->dd_data; + qla_conn = conn->dd_data; + qla_conn->qla_ep = ep->dd_data; +-- +2.19.1 + diff --git a/queue-4.9/scsi-zfcp-reduce-flood-of-fcrscn1-trace-records-on-m.patch b/queue-4.9/scsi-zfcp-reduce-flood-of-fcrscn1-trace-records-on-m.patch new file mode 100644 index 00000000000..97c60014521 --- /dev/null +++ b/queue-4.9/scsi-zfcp-reduce-flood-of-fcrscn1-trace-records-on-m.patch @@ -0,0 +1,112 @@ +From 43365eb942571cd451184e752e554e1d5ba7e496 Mon Sep 17 00:00:00 2001 +From: Steffen Maier +Date: Tue, 26 Mar 2019 14:37:00 +0100 +Subject: scsi: zfcp: reduce flood of fcrscn1 trace records on multi-element + RSCN + +[ Upstream commit c8206579175c34a2546de8a74262456278a7795a ] + +If an incoming ELS of type RSCN contains more than one element, zfcp +suboptimally causes repeated erp trigger NOP trace records for each +previously failed port. These could be ports that went away. It loops over +each RSCN element, and for each of those in an inner loop over all +zfcp_ports. + +The trigger to recover failed ports should be just the reception of some +RSCN, no matter how many elements it has. So we can loop over failed ports +separately, and only then loop over each RSCN element to handle the +non-failed ports. + +The call chain was: + + zfcp_fc_incoming_rscn + for (i = 1; i < no_entries; i++) + _zfcp_fc_incoming_rscn + list_for_each_entry(port, &adapter->port_list, list) + if (masked port->d_id match) zfcp_fc_test_link + if (!port->d_id) zfcp_erp_port_reopen "fcrscn1" <=== + +In order the reduce the "flooding" of the REC trace area in such cases, we +factor out handling the failed ports to be outside of the entries loop: + + zfcp_fc_incoming_rscn + if (no_entries > 1) <=== + list_for_each_entry(port, &adapter->port_list, list) <=== + if (!port->d_id) zfcp_erp_port_reopen "fcrscn1" <=== + for (i = 1; i < no_entries; i++) + _zfcp_fc_incoming_rscn + list_for_each_entry(port, &adapter->port_list, list) + if (masked port->d_id match) zfcp_fc_test_link + +Abbreviated example trace records before this code change: + +Tag : fcrscn1 +WWPN : 0x500507630310d327 +ERP want : 0x02 +ERP need : 0x02 + +Tag : fcrscn1 +WWPN : 0x500507630310d327 +ERP want : 0x02 +ERP need : 0x00 NOP => superfluous trace record + +The last trace entry repeats if there are more than 2 RSCN elements. + +Signed-off-by: Steffen Maier +Reviewed-by: Benjamin Block +Reviewed-by: Jens Remus +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/s390/scsi/zfcp_fc.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/drivers/s390/scsi/zfcp_fc.c b/drivers/s390/scsi/zfcp_fc.c +index 237688af179b..f7630cf581cd 100644 +--- a/drivers/s390/scsi/zfcp_fc.c ++++ b/drivers/s390/scsi/zfcp_fc.c +@@ -238,10 +238,6 @@ static void _zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req, u32 range, + list_for_each_entry(port, &adapter->port_list, list) { + if ((port->d_id & range) == (ntoh24(page->rscn_fid) & range)) + zfcp_fc_test_link(port); +- if (!port->d_id) +- zfcp_erp_port_reopen(port, +- ZFCP_STATUS_COMMON_ERP_FAILED, +- "fcrscn1"); + } + read_unlock_irqrestore(&adapter->port_list_lock, flags); + } +@@ -249,6 +245,7 @@ static void _zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req, u32 range, + static void zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req) + { + struct fsf_status_read_buffer *status_buffer = (void *)fsf_req->data; ++ struct zfcp_adapter *adapter = fsf_req->adapter; + struct fc_els_rscn *head; + struct fc_els_rscn_page *page; + u16 i; +@@ -261,6 +258,22 @@ static void zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req) + /* see FC-FS */ + no_entries = head->rscn_plen / sizeof(struct fc_els_rscn_page); + ++ if (no_entries > 1) { ++ /* handle failed ports */ ++ unsigned long flags; ++ struct zfcp_port *port; ++ ++ read_lock_irqsave(&adapter->port_list_lock, flags); ++ list_for_each_entry(port, &adapter->port_list, list) { ++ if (port->d_id) ++ continue; ++ zfcp_erp_port_reopen(port, ++ ZFCP_STATUS_COMMON_ERP_FAILED, ++ "fcrscn1"); ++ } ++ read_unlock_irqrestore(&adapter->port_list_lock, flags); ++ } ++ + for (i = 1; i < no_entries; i++) { + /* skip head and start with 1st element */ + page++; +-- +2.19.1 + diff --git a/queue-4.9/serial-ar933x_uart-fix-build-failure-with-disabled-c.patch b/queue-4.9/serial-ar933x_uart-fix-build-failure-with-disabled-c.patch new file mode 100644 index 00000000000..0abbe4913eb --- /dev/null +++ b/queue-4.9/serial-ar933x_uart-fix-build-failure-with-disabled-c.patch @@ -0,0 +1,102 @@ +From 8a930c2665f90356cc4fabe4a0da761d0d66a68c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20=C5=A0tetiar?= +Date: Wed, 6 Mar 2019 17:54:03 +0100 +Subject: serial: ar933x_uart: Fix build failure with disabled console +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 72ff51d8dd262d1fef25baedc2ac35116435be47 ] + +Andrey has reported on OpenWrt's bug tracking system[1], that he +currently can't use ar93xx_uart as pure serial UART without console +(CONFIG_SERIAL_8250_CONSOLE and CONFIG_SERIAL_AR933X_CONSOLE undefined), +because compilation ends with following error: + + ar933x_uart.c: In function 'ar933x_uart_console_write': + ar933x_uart.c:550:14: error: 'struct uart_port' has no + member named 'sysrq' + +So this patch moves all the code related to console handling behind +series of CONFIG_SERIAL_AR933X_CONSOLE ifdefs. + +1. https://bugs.openwrt.org/index.php?do=details&task_id=2152 + +Cc: Greg Kroah-Hartman +Cc: Jiri Slaby +Cc: Andrey Batyiev +Reported-by: Andrey Batyiev +Tested-by: Andrey Batyiev +Signed-off-by: Petr Štetiar +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/tty/serial/ar933x_uart.c | 24 ++++++++---------------- + 1 file changed, 8 insertions(+), 16 deletions(-) + +diff --git a/drivers/tty/serial/ar933x_uart.c b/drivers/tty/serial/ar933x_uart.c +index 73137f4aac20..d4462512605b 100644 +--- a/drivers/tty/serial/ar933x_uart.c ++++ b/drivers/tty/serial/ar933x_uart.c +@@ -52,11 +52,6 @@ struct ar933x_uart_port { + struct clk *clk; + }; + +-static inline bool ar933x_uart_console_enabled(void) +-{ +- return IS_ENABLED(CONFIG_SERIAL_AR933X_CONSOLE); +-} +- + static inline unsigned int ar933x_uart_read(struct ar933x_uart_port *up, + int offset) + { +@@ -511,6 +506,7 @@ static struct uart_ops ar933x_uart_ops = { + .verify_port = ar933x_uart_verify_port, + }; + ++#ifdef CONFIG_SERIAL_AR933X_CONSOLE + static struct ar933x_uart_port * + ar933x_console_ports[CONFIG_SERIAL_AR933X_NR_UARTS]; + +@@ -607,14 +603,7 @@ static struct console ar933x_uart_console = { + .index = -1, + .data = &ar933x_uart_driver, + }; +- +-static void ar933x_uart_add_console_port(struct ar933x_uart_port *up) +-{ +- if (!ar933x_uart_console_enabled()) +- return; +- +- ar933x_console_ports[up->port.line] = up; +-} ++#endif /* CONFIG_SERIAL_AR933X_CONSOLE */ + + static struct uart_driver ar933x_uart_driver = { + .owner = THIS_MODULE, +@@ -703,7 +692,9 @@ static int ar933x_uart_probe(struct platform_device *pdev) + baud = ar933x_uart_get_baud(port->uartclk, 0, AR933X_UART_MAX_STEP); + up->max_baud = min_t(unsigned int, baud, AR933X_UART_MAX_BAUD); + +- ar933x_uart_add_console_port(up); ++#ifdef CONFIG_SERIAL_AR933X_CONSOLE ++ ar933x_console_ports[up->port.line] = up; ++#endif + + ret = uart_add_one_port(&ar933x_uart_driver, &up->port); + if (ret) +@@ -752,8 +743,9 @@ static int __init ar933x_uart_init(void) + { + int ret; + +- if (ar933x_uart_console_enabled()) +- ar933x_uart_driver.cons = &ar933x_uart_console; ++#ifdef CONFIG_SERIAL_AR933X_CONSOLE ++ ar933x_uart_driver.cons = &ar933x_uart_console; ++#endif + + ret = uart_register_driver(&ar933x_uart_driver); + if (ret) +-- +2.19.1 + diff --git a/queue-4.9/series b/queue-4.9/series index 50e881d1969..1150bf2da9d 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -1,3 +1,31 @@ usbnet-ipheth-prevent-tx-queue-timeouts-when-device-not-ready.patch usbnet-ipheth-fix-potential-null-pointer-dereference-in-ipheth_carrier_set.patch media-vivid-check-if-the-cec_adapter-is-valid.patch +arm-dts-bcm283x-fix-hdmi-hpd-gpio-pull.patch +s390-limit-brk-randomization-to-32mb.patch +qlcnic-avoid-potential-null-pointer-dereference.patch +netfilter-nft_set_rbtree-check-for-inactive-element-.patch +netfilter-bridge-set-skb-transport_header-before-ent.patch +sc16is7xx-missing-unregister-delete-driver-on-error-.patch +serial-ar933x_uart-fix-build-failure-with-disabled-c.patch +usb-gadget-net2280-fix-overrun-of-out-messages.patch +usb-gadget-net2280-fix-net2280_dequeue.patch +usb-gadget-net2272-fix-net2272_dequeue.patch +arm-dts-pfla02-increase-phy-reset-duration.patch +net-ks8851-dequeue-rx-packets-explicitly.patch +net-ks8851-reassert-reset-pin-if-chip-id-check-fails.patch +net-ks8851-delay-requesting-irq-until-opened.patch +net-ks8851-set-initial-carrier-state-to-down.patch +staging-rtl8712-uninitialized-memory-in-read_bbreg_h.patch +nfs-fix-a-typo-in-nfs_init_timeout_values.patch +net-xilinx-fix-possible-object-reference-leak.patch +net-ibm-fix-possible-object-reference-leak.patch +net-ethernet-ti-fix-possible-object-reference-leak.patch +scsi-qla4xxx-fix-a-potential-null-pointer-dereferenc.patch +usb-u132-hcd-fix-resource-leak.patch +ceph-fix-use-after-free-on-symlink-traversal.patch +scsi-zfcp-reduce-flood-of-fcrscn1-trace-records-on-m.patch +libata-fix-using-dma-buffers-on-stack.patch +gpio-of-fix-of_gpiochip_add-error-path.patch +kconfig-mn-conf-handle-backspace-h-key.patch +leds-pca9532-fix-a-potential-null-pointer-dereferenc.patch diff --git a/queue-4.9/staging-rtl8712-uninitialized-memory-in-read_bbreg_h.patch b/queue-4.9/staging-rtl8712-uninitialized-memory-in-read_bbreg_h.patch new file mode 100644 index 00000000000..1ee4040298c --- /dev/null +++ b/queue-4.9/staging-rtl8712-uninitialized-memory-in-read_bbreg_h.patch @@ -0,0 +1,67 @@ +From f40c054bf085b79f649caee4284306909f89fd59 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 21 Mar 2019 09:26:38 +0300 +Subject: staging: rtl8712: uninitialized memory in read_bbreg_hdl() + +[ Upstream commit 22c971db7dd4b0ad8dd88e99c407f7a1f4231a2e ] + +Colin King reported a bug in read_bbreg_hdl(): + + memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz); + +The problem is that "val" is uninitialized. + +This code is obviously not useful, but so far as I can tell +"pcmd->cmdcode" is never GEN_CMD_CODE(_Read_BBREG) so it's not harmful +either. For now the easiest fix is to just call r8712_free_cmd_obj() +and return. + +Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel") +Reported-by: Colin Ian King +Signed-off-by: Dan Carpenter +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/staging/rtl8712/rtl8712_cmd.c | 10 +--------- + drivers/staging/rtl8712/rtl8712_cmd.h | 2 +- + 2 files changed, 2 insertions(+), 10 deletions(-) + +diff --git a/drivers/staging/rtl8712/rtl8712_cmd.c b/drivers/staging/rtl8712/rtl8712_cmd.c +index 9f61583af150..41b667c8385c 100644 +--- a/drivers/staging/rtl8712/rtl8712_cmd.c ++++ b/drivers/staging/rtl8712/rtl8712_cmd.c +@@ -158,17 +158,9 @@ static u8 write_macreg_hdl(struct _adapter *padapter, u8 *pbuf) + + static u8 read_bbreg_hdl(struct _adapter *padapter, u8 *pbuf) + { +- u32 val; +- void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj *pcmd); + struct cmd_obj *pcmd = (struct cmd_obj *)pbuf; + +- if (pcmd->rsp && pcmd->rspsz > 0) +- memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz); +- pcmd_callback = cmd_callback[pcmd->cmdcode].callback; +- if (!pcmd_callback) +- r8712_free_cmd_obj(pcmd); +- else +- pcmd_callback(padapter, pcmd); ++ r8712_free_cmd_obj(pcmd); + return H2C_SUCCESS; + } + +diff --git a/drivers/staging/rtl8712/rtl8712_cmd.h b/drivers/staging/rtl8712/rtl8712_cmd.h +index 67e9e910aef9..d10a59d4a550 100644 +--- a/drivers/staging/rtl8712/rtl8712_cmd.h ++++ b/drivers/staging/rtl8712/rtl8712_cmd.h +@@ -152,7 +152,7 @@ enum rtl8712_h2c_cmd { + static struct _cmd_callback cmd_callback[] = { + {GEN_CMD_CODE(_Read_MACREG), NULL}, /*0*/ + {GEN_CMD_CODE(_Write_MACREG), NULL}, +- {GEN_CMD_CODE(_Read_BBREG), &r8712_getbbrfreg_cmdrsp_callback}, ++ {GEN_CMD_CODE(_Read_BBREG), NULL}, + {GEN_CMD_CODE(_Write_BBREG), NULL}, + {GEN_CMD_CODE(_Read_RFREG), &r8712_getbbrfreg_cmdrsp_callback}, + {GEN_CMD_CODE(_Write_RFREG), NULL}, /*5*/ +-- +2.19.1 + diff --git a/queue-4.9/usb-gadget-net2272-fix-net2272_dequeue.patch b/queue-4.9/usb-gadget-net2272-fix-net2272_dequeue.patch new file mode 100644 index 00000000000..cd249985237 --- /dev/null +++ b/queue-4.9/usb-gadget-net2272-fix-net2272_dequeue.patch @@ -0,0 +1,41 @@ +From 5f2ef0f9f1e121ccadc34e510d638c8e469a53f8 Mon Sep 17 00:00:00 2001 +From: Guido Kiener +Date: Mon, 18 Mar 2019 09:18:34 +0100 +Subject: usb: gadget: net2272: Fix net2272_dequeue() + +[ Upstream commit 091dacc3cc10979ab0422f0a9f7fcc27eee97e69 ] + +Restore the status of ep->stopped in function net2272_dequeue(). + +When the given request is not found in the endpoint queue +the function returns -EINVAL without restoring the state of +ep->stopped. Thus the endpoint keeps blocked and does not transfer +any data anymore. + +This fix is only compile-tested, since we do not have a +corresponding hardware. An analogous fix was tested in the sibling +driver. See "usb: gadget: net2280: Fix net2280_dequeue()" + +Acked-by: Alan Stern +Signed-off-by: Guido Kiener +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/usb/gadget/udc/net2272.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/gadget/udc/net2272.c b/drivers/usb/gadget/udc/net2272.c +index 40396a265a3f..f57d293a1791 100644 +--- a/drivers/usb/gadget/udc/net2272.c ++++ b/drivers/usb/gadget/udc/net2272.c +@@ -958,6 +958,7 @@ net2272_dequeue(struct usb_ep *_ep, struct usb_request *_req) + break; + } + if (&req->req != _req) { ++ ep->stopped = stopped; + spin_unlock_irqrestore(&ep->dev->lock, flags); + return -EINVAL; + } +-- +2.19.1 + diff --git a/queue-4.9/usb-gadget-net2280-fix-net2280_dequeue.patch b/queue-4.9/usb-gadget-net2280-fix-net2280_dequeue.patch new file mode 100644 index 00000000000..cad3a65014e --- /dev/null +++ b/queue-4.9/usb-gadget-net2280-fix-net2280_dequeue.patch @@ -0,0 +1,43 @@ +From 454da3c28ada05de7e6e49bbf0e6b3a22e87f6a1 Mon Sep 17 00:00:00 2001 +From: Guido Kiener +Date: Mon, 18 Mar 2019 09:18:33 +0100 +Subject: usb: gadget: net2280: Fix net2280_dequeue() + +[ Upstream commit f1d3fba17cd4eeea20397f1324b7b9c69a6a935c ] + +When a request must be dequeued with net2280_dequeue() e.g. due +to a device clear action and the same request is finished by the +function scan_dma_completions() then the function net2280_dequeue() +does not find the request in the following search loop and +returns the error -EINVAL without restoring the status ep->stopped. +Thus the endpoint keeps blocked and does not receive any data +anymore. +This fix restores the status and does not issue an error message. + +Acked-by: Alan Stern +Signed-off-by: Guido Kiener +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/usb/gadget/udc/net2280.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c +index 57b88f4f49c5..dfaed8e8cc52 100644 +--- a/drivers/usb/gadget/udc/net2280.c ++++ b/drivers/usb/gadget/udc/net2280.c +@@ -1277,9 +1277,9 @@ static int net2280_dequeue(struct usb_ep *_ep, struct usb_request *_req) + break; + } + if (&req->req != _req) { ++ ep->stopped = stopped; + spin_unlock_irqrestore(&ep->dev->lock, flags); +- dev_err(&ep->dev->pdev->dev, "%s: Request mismatch\n", +- __func__); ++ ep_dbg(ep->dev, "%s: Request mismatch\n", __func__); + return -EINVAL; + } + +-- +2.19.1 + diff --git a/queue-4.9/usb-gadget-net2280-fix-overrun-of-out-messages.patch b/queue-4.9/usb-gadget-net2280-fix-overrun-of-out-messages.patch new file mode 100644 index 00000000000..111c07da18f --- /dev/null +++ b/queue-4.9/usb-gadget-net2280-fix-overrun-of-out-messages.patch @@ -0,0 +1,62 @@ +From 6d29dd8664ba847d440de9c372c44d3b191a2590 Mon Sep 17 00:00:00 2001 +From: Guido Kiener +Date: Tue, 19 Mar 2019 19:12:03 +0100 +Subject: usb: gadget: net2280: Fix overrun of OUT messages + +[ Upstream commit 9d6a54c1430647355a5e23434881b2ca3d192b48 ] + +The OUT endpoint normally blocks (NAK) subsequent packets when a +short packet was received and returns an incomplete queue entry to +the gadget driver. Thereby the gadget driver can detect a short packet +when reading queue entries with a length that is not equal to a +multiple of packet size. + +The start_queue() function enables receiving OUT packets regardless of +the content of the OUT FIFO. This results in a race: With the current +code, it's possible that the "!ep->is_in && (readl(&ep->regs->ep_stat) +& BIT(NAK_OUT_PACKETS))" test in start_dma() will fail, then a short +packet will be received, and then start_queue() will call +stop_out_naking(). That's what we don't want (OUT naking gets turned +off while there is data in the FIFO) because then the next driver +request might receive a mixture of old and new packets. + +With the patch, this race can't occur because the FIFO's state is +tested after we know that OUT naking is already turned on, and OUT +naking is stopped only when both of the conditions are met. This +ensures that all received data is delivered to the gadget driver, +which can detect a short packet now before new packets are appended +to the last short packet. + +Acked-by: Alan Stern +Signed-off-by: Guido Kiener +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/usb/gadget/udc/net2280.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c +index 7a8c36642293..57b88f4f49c5 100644 +--- a/drivers/usb/gadget/udc/net2280.c ++++ b/drivers/usb/gadget/udc/net2280.c +@@ -870,9 +870,6 @@ static void start_queue(struct net2280_ep *ep, u32 dmactl, u32 td_dma) + (void) readl(&ep->dev->pci->pcimstctl); + + writel(BIT(DMA_START), &dma->dmastat); +- +- if (!ep->is_in) +- stop_out_naking(ep); + } + + static void start_dma(struct net2280_ep *ep, struct net2280_request *req) +@@ -911,6 +908,7 @@ static void start_dma(struct net2280_ep *ep, struct net2280_request *req) + writel(BIT(DMA_START), &dma->dmastat); + return; + } ++ stop_out_naking(ep); + } + + tmp = dmactl_default; +-- +2.19.1 + diff --git a/queue-4.9/usb-u132-hcd-fix-resource-leak.patch b/queue-4.9/usb-u132-hcd-fix-resource-leak.patch new file mode 100644 index 00000000000..34a3fc4a9ce --- /dev/null +++ b/queue-4.9/usb-u132-hcd-fix-resource-leak.patch @@ -0,0 +1,34 @@ +From 51b27f6d38679bb4646faae7754aa72cdc3b4064 Mon Sep 17 00:00:00 2001 +From: Mukesh Ojha +Date: Tue, 26 Mar 2019 13:42:22 +0530 +Subject: usb: u132-hcd: fix resource leak + +[ Upstream commit f276e002793cdb820862e8ea8f76769d56bba575 ] + +if platform_driver_register fails, cleanup the allocated resource +gracefully. + +Signed-off-by: Mukesh Ojha +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin (Microsoft) +--- + drivers/usb/host/u132-hcd.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/host/u132-hcd.c b/drivers/usb/host/u132-hcd.c +index 43618976d68a..3efb7b0e8269 100644 +--- a/drivers/usb/host/u132-hcd.c ++++ b/drivers/usb/host/u132-hcd.c +@@ -3208,6 +3208,9 @@ static int __init u132_hcd_init(void) + printk(KERN_INFO "driver %s\n", hcd_name); + workqueue = create_singlethread_workqueue("u132"); + retval = platform_driver_register(&u132_platform_driver); ++ if (retval) ++ destroy_workqueue(workqueue); ++ + return retval; + } + +-- +2.19.1 +