From: Greg Kroah-Hartman Date: Wed, 6 May 2020 11:33:38 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.4.223~60 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a0929c2c4e7c3598eb0a677f31c8d6b0205195ec;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: alpha-pci-call-iomem_is_exclusive-for-ioresource_mem-but-not-ioresource_io.patch bluetooth-btmrvl-fix-hung-task-warning-dump.patch brcmfmac-add-eth_type_trans-back-for-pcie-full-dongle.patch dccp-limit-sk_filter-trim-to-payload.patch gre-disable-segmentation-offloads-w-csum-and-we-are-encapsulated-via-fou.patch ib-mlx4-initialize-hop_limit-when-creating-address-handle.patch iwlwifi-set-max-firmware-version-of-7265-to-17.patch mlxsw-pci-correctly-determine-if-descriptor-queue-is-full.patch mlxsw-treat-local-port-64-as-valid.patch mwifiex-add-missing-check-for-pcie8997-chipset.patch mwifiex-fix-ibss-data-path-issue.patch net-mlx4_core-do-not-bug_on-during-reset-when-pci-is-offline.patch net-mlx4_core-implement-pci_resume-callback.patch ovs-gre-geneve-fix-error-path-when-creating-an-iface.patch pci-supply-cpu-physical-address-not-bus-address-to-iomem_is_exclusive.patch vfio-pci-allow-vpd-short-read.patch --- diff --git a/queue-4.4/alpha-pci-call-iomem_is_exclusive-for-ioresource_mem-but-not-ioresource_io.patch b/queue-4.4/alpha-pci-call-iomem_is_exclusive-for-ioresource_mem-but-not-ioresource_io.patch new file mode 100644 index 00000000000..59c14bc0ca7 --- /dev/null +++ b/queue-4.4/alpha-pci-call-iomem_is_exclusive-for-ioresource_mem-but-not-ioresource_io.patch @@ -0,0 +1,40 @@ +From c20e128030caf0537d5e906753eac1c28fefdb75 Mon Sep 17 00:00:00 2001 +From: Bjorn Helgaas +Date: Mon, 25 Apr 2016 15:59:50 -0500 +Subject: alpha/PCI: Call iomem_is_exclusive() for IORESOURCE_MEM, but not IORESOURCE_IO + +From: Bjorn Helgaas + +commit c20e128030caf0537d5e906753eac1c28fefdb75 upstream. + +The alpha pci_mmap_resource() is used for both IORESOURCE_MEM and +IORESOURCE_IO resources, but iomem_is_exclusive() is only applicable for +IORESOURCE_MEM. + +Call iomem_is_exclusive() only for IORESOURCE_MEM resources, and do it +earlier to match the generic version of pci_mmap_resource(). + +Fixes: 10a0ef39fbd1 ("PCI/alpha: pci sysfs resources") +Signed-off-by: Bjorn Helgaas +CC: Ivan Kokshaysky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/alpha/kernel/pci-sysfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/alpha/kernel/pci-sysfs.c ++++ b/arch/alpha/kernel/pci-sysfs.c +@@ -77,10 +77,10 @@ static int pci_mmap_resource(struct kobj + if (i >= PCI_ROM_RESOURCE) + return -ENODEV; + +- if (!__pci_mmap_fits(pdev, i, vma, sparse)) ++ if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) + return -EINVAL; + +- if (iomem_is_exclusive(res->start)) ++ if (!__pci_mmap_fits(pdev, i, vma, sparse)) + return -EINVAL; + + pcibios_resource_to_bus(pdev->bus, &bar, res); diff --git a/queue-4.4/bluetooth-btmrvl-fix-hung-task-warning-dump.patch b/queue-4.4/bluetooth-btmrvl-fix-hung-task-warning-dump.patch new file mode 100644 index 00000000000..337effd171e --- /dev/null +++ b/queue-4.4/bluetooth-btmrvl-fix-hung-task-warning-dump.patch @@ -0,0 +1,86 @@ +From 86f7ac77d4035e22ec7e58dcdb96327e2ecc3a9b Mon Sep 17 00:00:00 2001 +From: Chin-Ran Lo +Date: Tue, 29 Dec 2015 04:26:33 -0800 +Subject: Bluetooth: btmrvl: fix hung task warning dump + +From: Chin-Ran Lo + +commit 86f7ac77d4035e22ec7e58dcdb96327e2ecc3a9b upstream. + +It's been observed that when bluetooth driver fails to +activate the firmware, below hung task warning dump is +displayed after 120 seconds. + +[ 36.461022] Bluetooth: vendor=0x2df, device=0x912e, class=255, fn=2 +[ 56.512128] Bluetooth: FW failed to be active in time! +[ 56.517264] Bluetooth: Downloading firmware failed! +[ 240.252176] INFO: task kworker/3:2:129 blocked for more than 120 seconds. +[ 240.258931] Not tainted 3.18.0 #254 +[ 240.262972] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +[ 240.270751] kworker/3:2 D ffffffc000205760 0 129 2 0x00000000 +[ 240.277825] Workqueue: events request_firmware_work_func +[ 240.283134] Call trace: +[ 240.285581] [] __switch_to+0x80/0x8c +[ 240.290693] [] __schedule+0x540/0x7b8 +[ 240.295921] [] schedule+0x78/0x84 +[ 240.300764] [] __mmc_claim_host+0xe8/0x1c8 +[ 240.306395] [] sdio_claim_host+0x74/0x84 +[ 240.311840] [] 0xffffffbffc163d08 +[ 240.316685] [] 0xffffffbffc165104 +[ 240.321524] [] mwifiex_dnld_fw+0x98/0x110 [mwifiex] +[ 240.327918] [] mwifiex_remove_card+0x2c4/0x5fc [mwifiex] +[ 240.334741] [] request_firmware_work_func+0x44/0x80 +[ 240.341127] [] process_one_work+0x2ec/0x50c +[ 240.346831] [] worker_thread+0x350/0x470 +[ 240.352272] [] kthread+0xf0/0xfc +[ 240.357019] 2 locks held by kworker/3:2/129: +[ 240.361248] #0: ("events"){.+.+.+}, at: [] process_one_work+0x1f8/0x50c +[ 240.369562] #1: ((&fw_work->work)){+.+.+.}, at: [] process_one_work+0x1f8/0x50c +[ 240.378589] task PC stack pid father +[ 240.384501] kworker/1:1 D ffffffc000205760 0 40 2 0x00000000 +[ 240.391524] Workqueue: events mtk_atomic_work +[ 240.395884] Call trace: +[ 240.398317] [] __switch_to+0x80/0x8c +[ 240.403448] [] lock_acquire+0x128/0x164 +[ 240.408821] kworker/3:2 D ffffffc000205760 0 129 2 0x00000000 +[ 240.415867] Workqueue: events request_firmware_work_func +[ 240.421138] Call trace: +[ 240.423589] [] __switch_to+0x80/0x8c +[ 240.428688] [] __schedule+0x540/0x7b8 +[ 240.433886] [] schedule+0x78/0x84 +[ 240.438732] [] __mmc_claim_host+0xe8/0x1c8 +[ 240.444361] [] sdio_claim_host+0x74/0x84 +[ 240.449801] [] 0xffffffbffc163d08 +[ 240.454649] [] 0xffffffbffc165104 +[ 240.459486] [] mwifiex_dnld_fw+0x98/0x110 [mwifiex] +[ 240.465882] [] mwifiex_remove_card+0x2c4/0x5fc [mwifiex] +[ 240.472705] [] request_firmware_work_func+0x44/0x80 +[ 240.479090] [] process_one_work+0x2ec/0x50c +[ 240.484794] [] worker_thread+0x350/0x470 +[ 240.490231] [] kthread+0xf0/0xfc + +This patch adds missing sdio_release_host() call so that wlan driver +thread can claim sdio host. + +Fixes: 4863e4cc31d647e1 ("Bluetooth: btmrvl: release sdio bus after firmware is up") +Signed-off-by: Chin-Ran Lo +Signed-off-by: Amitkumar Karwar +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/btmrvl_sdio.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/bluetooth/btmrvl_sdio.c ++++ b/drivers/bluetooth/btmrvl_sdio.c +@@ -1112,7 +1112,8 @@ static int btmrvl_sdio_download_fw(struc + */ + if (btmrvl_sdio_verify_fw_download(card, pollnum)) { + BT_ERR("FW failed to be active in time!"); +- return -ETIMEDOUT; ++ ret = -ETIMEDOUT; ++ goto done; + } + + sdio_release_host(card->func); diff --git a/queue-4.4/brcmfmac-add-eth_type_trans-back-for-pcie-full-dongle.patch b/queue-4.4/brcmfmac-add-eth_type_trans-back-for-pcie-full-dongle.patch new file mode 100644 index 00000000000..f5da9c2a0fd --- /dev/null +++ b/queue-4.4/brcmfmac-add-eth_type_trans-back-for-pcie-full-dongle.patch @@ -0,0 +1,96 @@ +From 31143e2933d1675c4c1ba6ce125cdd95870edd85 Mon Sep 17 00:00:00 2001 +From: Franky Lin +Date: Thu, 2 Jun 2016 02:00:27 -0700 +Subject: brcmfmac: add eth_type_trans back for PCIe full dongle + +From: Franky Lin + +commit 31143e2933d1675c4c1ba6ce125cdd95870edd85 upstream. + +A regression was introduced in commit 9c349892ccc9 ("brcmfmac: revise +handling events in receive path") which moves eth_type_trans() call +to brcmf_rx_frame(). Msgbuf layer doesn't use brcmf_rx_frame() but invokes +brcmf_netif_rx() directly. In such case the Ethernet header was not +stripped out resulting in null pointer dereference in the networking +stack. + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000048 +IP: [] enqueue_to_backlog+0x56/0x260 +PGD 0 +Oops: 0000 [#1] PREEMPT SMP +Modules linked in: fuse ipt_MASQUERADE nf_nat_masquerade_ipv4 +iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype +[...] +rtsx_pci scsi_mod usbcore usb_common i8042 serio nvme nvme_core +CPU: 7 PID: 1340 Comm: irq/136-brcmf_p Not tainted 4.7.0-rc1-mainline #1 +Hardware name: Dell Inc. XPS 15 9550/0N7TVV, BIOS 01.02.00 04/07/2016 +task: ffff8804a0c5bd00 ti: ffff88049e124000 task.ti: ffff88049e124000 +RIP: 0010:[] [] +enqueue_to_backlog+0x56/0x260 +RSP: 0018:ffff88049e127ca0 EFLAGS: 00010046 +RAX: 0000000000000000 RBX: ffff8804bddd7c40 RCX: 000000000000002f +RDX: 0000000000000000 RSI: 0000000000000007 RDI: ffff8804bddd7d4c +RBP: ffff88049e127ce8 R08: 0000000000000000 R09: 0000000000000000 +R10: ffff8804bddd12c0 R11: 000000000000149e R12: 0000000000017c40 +R13: ffff88049e127d08 R14: ffff8804a9bd6d00 R15: ffff8804bddd7d4c +FS: 0000000000000000(0000) GS:ffff8804bddc0000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000048 CR3: 0000000001806000 CR4: 00000000003406e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Stack: +ffff8804bdddad00 ffff8804ad089e00 0000000000000000 0000000000000282 +0000000000000000 ffff8804a9bd6d00 ffff8804a1b27e00 ffff8804a9bd6d00 +ffff88002ee88000 ffff88049e127d28 ffffffff814c3f3b ffffffff81311fc3 +Call Trace: +[] netif_rx_internal+0x4b/0x170 +[] ? swiotlb_tbl_unmap_single+0xf3/0x120 +[] netif_rx_ni+0x27/0xc0 +[] brcmf_netif_rx+0x49/0x70 [brcmfmac] +[] brcmf_msgbuf_process_rx+0x2b4/0x570 [brcmfmac] +[] ? __xen_set_pgd_hyper+0x57/0xd0 +[] ? irq_forced_thread_fn+0x70/0x70 +[] brcmf_proto_msgbuf_rx_trigger+0x31/0xe0 [brcmfmac] +[] brcmf_pcie_isr_thread+0x7f/0x110 [brcmfmac] +[] irq_thread_fn+0x20/0x50 +[] irq_thread+0x12d/0x1c0 +[] ? __schedule+0x2f5/0x7a0 +[] ? wake_threads_waitq+0x30/0x30 +[] ? irq_thread_dtor+0xb0/0xb0 +[] kthread+0xd8/0xf0 +[] ret_from_fork+0x1f/0x40 +[] ? kthread_worker_fn+0x170/0x170 +Code: 1c f5 60 9a 8e 81 9c 58 0f 1f 44 00 00 48 89 45 d0 fa 66 0f 1f +44 00 00 4c 8d bb 0c 01 00 00 4c 89 ff e8 5e 08 11 00 49 8b 56 20 <48> +8b 52 48 83 e2 01 74 10 8b 8b 08 01 00 00 8b 15 59 c5 42 00 +RIP [] enqueue_to_backlog+0x56/0x260 +RSP +CR2: 0000000000000048 + +Fixes: 9c349892ccc9 ("brcmfmac: revise handling events in receive path") +Reported-by: Rafal Milecki +Reported-by: Grey Christoforo +Reviewed-by: Pieter-Paul Giesberts +Reviewed-by: Arend Van Spriel +Reviewed-by: Hante Meuleman +Signed-off-by: Franky Lin +[arend@broadcom.com: rephrased the commit message] +Signed-off-by: Arend van Spriel +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c +@@ -1155,6 +1155,8 @@ brcmf_msgbuf_process_rx_complete(struct + brcmu_pkt_buf_free_skb(skb); + return; + } ++ ++ skb->protocol = eth_type_trans(skb, ifp->ndev); + brcmf_netif_rx(ifp, skb); + } + diff --git a/queue-4.4/dccp-limit-sk_filter-trim-to-payload.patch b/queue-4.4/dccp-limit-sk_filter-trim-to-payload.patch new file mode 100644 index 00000000000..dc8019cf1d7 --- /dev/null +++ b/queue-4.4/dccp-limit-sk_filter-trim-to-payload.patch @@ -0,0 +1,100 @@ +From 4f0c40d94461cfd23893a17335b2ab78ecb333c8 Mon Sep 17 00:00:00 2001 +From: Willem de Bruijn +Date: Tue, 12 Jul 2016 18:18:57 -0400 +Subject: dccp: limit sk_filter trim to payload + +From: Willem de Bruijn + +commit 4f0c40d94461cfd23893a17335b2ab78ecb333c8 upstream. + +Dccp verifies packet integrity, including length, at initial rcv in +dccp_invalid_packet, later pulls headers in dccp_enqueue_skb. + +A call to sk_filter in-between can cause __skb_pull to wrap skb->len. +skb_copy_datagram_msg interprets this as a negative value, so +(correctly) fails with EFAULT. The negative length is reported in +ioctl SIOCINQ or possibly in a DCCP_WARN in dccp_close. + +Introduce an sk_receive_skb variant that caps how small a filter +program can trim packets, and call this in dccp with the header +length. Excessively trimmed packets are now processed normally and +queued for reception as 0B payloads. + +Fixes: 7c657876b63c ("[DCCP]: Initial implementation") +Signed-off-by: Willem de Bruijn +Acked-by: Daniel Borkmann +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/sock.h | 8 +++++++- + net/core/sock.c | 7 ++++--- + net/dccp/ipv4.c | 2 +- + net/dccp/ipv6.c | 2 +- + 4 files changed, 13 insertions(+), 6 deletions(-) + +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1651,7 +1651,13 @@ static inline void sock_put(struct sock + */ + void sock_gen_put(struct sock *sk); + +-int sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested); ++int __sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested, ++ unsigned int trim_cap); ++static inline int sk_receive_skb(struct sock *sk, struct sk_buff *skb, ++ const int nested) ++{ ++ return __sk_receive_skb(sk, skb, nested, 1); ++} + + static inline void sk_tx_queue_set(struct sock *sk, int tx_queue) + { +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -484,11 +484,12 @@ int sock_queue_rcv_skb(struct sock *sk, + } + EXPORT_SYMBOL(sock_queue_rcv_skb); + +-int sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested) ++int __sk_receive_skb(struct sock *sk, struct sk_buff *skb, ++ const int nested, unsigned int trim_cap) + { + int rc = NET_RX_SUCCESS; + +- if (sk_filter(sk, skb)) ++ if (sk_filter_trim_cap(sk, skb, trim_cap)) + goto discard_and_relse; + + skb->dev = NULL; +@@ -524,7 +525,7 @@ discard_and_relse: + kfree_skb(skb); + goto out; + } +-EXPORT_SYMBOL(sk_receive_skb); ++EXPORT_SYMBOL(__sk_receive_skb); + + struct dst_entry *__sk_dst_check(struct sock *sk, u32 cookie) + { +--- a/net/dccp/ipv4.c ++++ b/net/dccp/ipv4.c +@@ -868,7 +868,7 @@ lookup: + goto discard_and_relse; + nf_reset(skb); + +- return sk_receive_skb(sk, skb, 1); ++ return __sk_receive_skb(sk, skb, 1, dh->dccph_doff * 4); + + no_dccp_socket: + if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -741,7 +741,7 @@ lookup: + if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) + goto discard_and_relse; + +- return sk_receive_skb(sk, skb, 1) ? -1 : 0; ++ return __sk_receive_skb(sk, skb, 1, dh->dccph_doff * 4) ? -1 : 0; + + no_dccp_socket: + if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) diff --git a/queue-4.4/gre-disable-segmentation-offloads-w-csum-and-we-are-encapsulated-via-fou.patch b/queue-4.4/gre-disable-segmentation-offloads-w-csum-and-we-are-encapsulated-via-fou.patch new file mode 100644 index 00000000000..37225264f4e --- /dev/null +++ b/queue-4.4/gre-disable-segmentation-offloads-w-csum-and-we-are-encapsulated-via-fou.patch @@ -0,0 +1,119 @@ +From a0ca153f98db8cf25298565a09e11fe9d82846ad Mon Sep 17 00:00:00 2001 +From: Alexander Duyck +Date: Tue, 5 Apr 2016 09:13:39 -0700 +Subject: GRE: Disable segmentation offloads w/ CSUM and we are encapsulated via FOU + +From: Alexander Duyck + +commit a0ca153f98db8cf25298565a09e11fe9d82846ad upstream. + +This patch fixes an issue I found in which we were dropping frames if we +had enabled checksums on GRE headers that were encapsulated by either FOU +or GUE. Without this patch I was barely able to get 1 Gb/s of throughput. +With this patch applied I am now at least getting around 6 Gb/s. + +The issue is due to the fact that with FOU or GUE applied we do not provide +a transport offset pointing to the GRE header, nor do we offload it in +software as the GRE header is completely skipped by GSO and treated like a +VXLAN or GENEVE type header. As such we need to prevent the stack from +generating it and also prevent GRE from generating it via any interface we +create. + +Fixes: c3483384ee511 ("gro: Allow tunnel stacking in the case of FOU/GUE") +Signed-off-by: Alexander Duyck +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/netdevice.h | 5 ++++- + net/core/dev.c | 1 + + net/ipv4/fou.c | 6 ++++++ + net/ipv4/gre_offload.c | 8 ++++++++ + net/ipv4/ip_gre.c | 13 ++++++++++--- + 5 files changed, 29 insertions(+), 4 deletions(-) + +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -2013,7 +2013,10 @@ struct napi_gro_cb { + /* Number of gro_receive callbacks this packet already went through */ + u8 recursion_counter:4; + +- /* 3 bit hole */ ++ /* Used in GRE, set in fou/gue_gro_receive */ ++ u8 is_fou:1; ++ ++ /* 2 bit hole */ + + /* used to support CHECKSUM_COMPLETE for tunneling protocols */ + __wsum csum; +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -4320,6 +4320,7 @@ static enum gro_result dev_gro_receive(s + NAPI_GRO_CB(skb)->free = 0; + NAPI_GRO_CB(skb)->encap_mark = 0; + NAPI_GRO_CB(skb)->recursion_counter = 0; ++ NAPI_GRO_CB(skb)->is_fou = 0; + NAPI_GRO_CB(skb)->gro_remcsum_start = 0; + + /* Setup for GRO checksum validation */ +--- a/net/ipv4/fou.c ++++ b/net/ipv4/fou.c +@@ -205,6 +205,9 @@ static struct sk_buff **fou_gro_receive( + */ + NAPI_GRO_CB(skb)->encap_mark = 0; + ++ /* Flag this frame as already having an outer encap header */ ++ NAPI_GRO_CB(skb)->is_fou = 1; ++ + rcu_read_lock(); + offloads = NAPI_GRO_CB(skb)->is_ipv6 ? inet6_offloads : inet_offloads; + ops = rcu_dereference(offloads[proto]); +@@ -372,6 +375,9 @@ static struct sk_buff **gue_gro_receive( + */ + NAPI_GRO_CB(skb)->encap_mark = 0; + ++ /* Flag this frame as already having an outer encap header */ ++ NAPI_GRO_CB(skb)->is_fou = 1; ++ + rcu_read_lock(); + offloads = NAPI_GRO_CB(skb)->is_ipv6 ? inet6_offloads : inet_offloads; + ops = rcu_dereference(offloads[guehdr->proto_ctype]); +--- a/net/ipv4/gre_offload.c ++++ b/net/ipv4/gre_offload.c +@@ -151,6 +151,14 @@ static struct sk_buff **gre_gro_receive( + if ((greh->flags & ~(GRE_KEY|GRE_CSUM)) != 0) + goto out; + ++ /* We can only support GRE_CSUM if we can track the location of ++ * the GRE header. In the case of FOU/GUE we cannot because the ++ * outer UDP header displaces the GRE header leaving us in a state ++ * of limbo. ++ */ ++ if ((greh->flags & GRE_CSUM) && NAPI_GRO_CB(skb)->is_fou) ++ goto out; ++ + type = greh->protocol; + + rcu_read_lock(); +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -851,9 +851,16 @@ static void __gre_tunnel_init(struct net + dev->hw_features |= GRE_FEATURES; + + if (!(tunnel->parms.o_flags & TUNNEL_SEQ)) { +- /* TCP offload with GRE SEQ is not supported. */ +- dev->features |= NETIF_F_GSO_SOFTWARE; +- dev->hw_features |= NETIF_F_GSO_SOFTWARE; ++ /* TCP offload with GRE SEQ is not supported, nor ++ * can we support 2 levels of outer headers requiring ++ * an update. ++ */ ++ if (!(tunnel->parms.o_flags & TUNNEL_CSUM) || ++ (tunnel->encap.type == TUNNEL_ENCAP_NONE)) { ++ dev->features |= NETIF_F_GSO_SOFTWARE; ++ dev->hw_features |= NETIF_F_GSO_SOFTWARE; ++ } ++ + /* Can use a lockless transmit, unless we generate + * output sequences + */ diff --git a/queue-4.4/ib-mlx4-initialize-hop_limit-when-creating-address-handle.patch b/queue-4.4/ib-mlx4-initialize-hop_limit-when-creating-address-handle.patch new file mode 100644 index 00000000000..76d01be5f2d --- /dev/null +++ b/queue-4.4/ib-mlx4-initialize-hop_limit-when-creating-address-handle.patch @@ -0,0 +1,32 @@ +From 4e4081673445485aa6bc90383bdb83e7a96cc48a Mon Sep 17 00:00:00 2001 +From: Matan Barak +Date: Thu, 14 Jan 2016 17:47:02 +0200 +Subject: IB/mlx4: Initialize hop_limit when creating address handle + +From: Matan Barak + +commit 4e4081673445485aa6bc90383bdb83e7a96cc48a upstream. + +Hop limit value wasn't copied from attributes when ah was created. +This may influence packets for unconnected services to get dropped in +routers when endpoints are not in the same subnet. + +Fixes: fa417f7b520e ("IB/mlx4: Add support for IBoE") +Signed-off-by: Matan Barak +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx4/ah.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/infiniband/hw/mlx4/ah.c ++++ b/drivers/infiniband/hw/mlx4/ah.c +@@ -107,6 +107,7 @@ static struct ib_ah *create_iboe_ah(stru + return ERR_PTR(ret); + ah->av.eth.gid_index = ret; + ah->av.eth.vlan = cpu_to_be16(vlan_tag); ++ ah->av.eth.hop_limit = ah_attr->grh.hop_limit; + if (ah_attr->static_rate) { + ah->av.eth.stat_rate = ah_attr->static_rate + MLX4_STAT_RATE_OFFSET; + while (ah->av.eth.stat_rate > IB_RATE_2_5_GBPS + MLX4_STAT_RATE_OFFSET && diff --git a/queue-4.4/iwlwifi-set-max-firmware-version-of-7265-to-17.patch b/queue-4.4/iwlwifi-set-max-firmware-version-of-7265-to-17.patch new file mode 100644 index 00000000000..869016429df --- /dev/null +++ b/queue-4.4/iwlwifi-set-max-firmware-version-of-7265-to-17.patch @@ -0,0 +1,32 @@ +From ed0450cef00d2c76bcb8778721df947ba7ff4147 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Mon, 4 Jan 2016 10:19:17 +0200 +Subject: iwlwifi: set max firmware version of 7265 to 17 + +From: Emmanuel Grumbach + +commit ed0450cef00d2c76bcb8778721df947ba7ff4147 upstream. + +Just like 7260, 7265 will not have firmware releases newer +than iwlwifi-7265-17.ucode. 7265D is still supported in +latest firmware releases. + +Fixes: 628a2918afe4 ("iwlwifi: separate firmware version for 7260 devices") +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/iwl-7000.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/iwlwifi/iwl-7000.c ++++ b/drivers/net/wireless/iwlwifi/iwl-7000.c +@@ -70,7 +70,7 @@ + + /* Highest firmware API version supported */ + #define IWL7260_UCODE_API_MAX 17 +-#define IWL7265_UCODE_API_MAX 19 ++#define IWL7265_UCODE_API_MAX 17 + #define IWL7265D_UCODE_API_MAX 19 + + /* Oldest version we won't warn about */ diff --git a/queue-4.4/mlxsw-pci-correctly-determine-if-descriptor-queue-is-full.patch b/queue-4.4/mlxsw-pci-correctly-determine-if-descriptor-queue-is-full.patch new file mode 100644 index 00000000000..0f7e0c11efc --- /dev/null +++ b/queue-4.4/mlxsw-pci-correctly-determine-if-descriptor-queue-is-full.patch @@ -0,0 +1,45 @@ +From 5091730d7795ccb21eb880699b5194730641c70b Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Mon, 7 Mar 2016 15:15:30 +0100 +Subject: mlxsw: pci: Correctly determine if descriptor queue is full + +From: Ido Schimmel + +commit 5091730d7795ccb21eb880699b5194730641c70b upstream. + +The descriptor queues for sending (SDQs) and receiving (RDQs) packets +are managed by two counters - producer and consumer - which are both +16-bit in size. A queue is considered full when the difference between +the two equals the queue's maximum number of descriptors. + +However, if the producer counter overflows, then it's possible for the +full queue check to fail, as it doesn't take the overflow into account. +In such a case, descriptors already passed to the device - but for which +a completion has yet to be posted - will be overwritten, thereby causing +undefined behavior. The above can be achieved under heavy load (~30 +netperf instances). + +Fix that by casting the subtraction result to u16, preventing it from +being treated as a signed integer. + +Fixes: eda6500a987a ("mlxsw: Add PCI bus implementation") +Signed-off-by: Ido Schimmel +Signed-off-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/mellanox/mlxsw/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/pci.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/pci.c +@@ -215,7 +215,7 @@ mlxsw_pci_queue_elem_info_producer_get(s + { + int index = q->producer_counter & (q->count - 1); + +- if ((q->producer_counter - q->consumer_counter) == q->count) ++ if ((u16) (q->producer_counter - q->consumer_counter) == q->count) + return NULL; + return mlxsw_pci_queue_elem_info_get(q, index); + } diff --git a/queue-4.4/mlxsw-treat-local-port-64-as-valid.patch b/queue-4.4/mlxsw-treat-local-port-64-as-valid.patch new file mode 100644 index 00000000000..cdb715ca2c3 --- /dev/null +++ b/queue-4.4/mlxsw-treat-local-port-64-as-valid.patch @@ -0,0 +1,33 @@ +From 1e5ad30c649a82a062ce79a87c1296e6c6f328c2 Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Mon, 15 Feb 2016 13:19:53 +0100 +Subject: mlxsw: Treat local port 64 as valid + +From: Ido Schimmel + +commit 1e5ad30c649a82a062ce79a87c1296e6c6f328c2 upstream. + +MLXSW_PORT_MAX_PORTS represents the maximum number of local ports, which +is 65 for both ASICs (SwitchX-2 and Spectrum) supported by this driver. + +Fixes: 93c1edb27f9e ("mlxsw: Introduce Mellanox switch driver core") +Signed-off-by: Ido Schimmel +Signed-off-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/mellanox/mlxsw/port.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/port.h ++++ b/drivers/net/ethernet/mellanox/mlxsw/port.h +@@ -49,7 +49,7 @@ + #define MLXSW_PORT_MID 0xd000 + + #define MLXSW_PORT_MAX_PHY_PORTS 0x40 +-#define MLXSW_PORT_MAX_PORTS MLXSW_PORT_MAX_PHY_PORTS ++#define MLXSW_PORT_MAX_PORTS (MLXSW_PORT_MAX_PHY_PORTS + 1) + + #define MLXSW_PORT_DEVID_BITS_OFFSET 10 + #define MLXSW_PORT_PHY_BITS_OFFSET 4 diff --git a/queue-4.4/mwifiex-add-missing-check-for-pcie8997-chipset.patch b/queue-4.4/mwifiex-add-missing-check-for-pcie8997-chipset.patch new file mode 100644 index 00000000000..fb5e5bd062b --- /dev/null +++ b/queue-4.4/mwifiex-add-missing-check-for-pcie8997-chipset.patch @@ -0,0 +1,31 @@ +From f3b35f28096895f2438c10ef719ef67d2951a8c9 Mon Sep 17 00:00:00 2001 +From: Amitkumar Karwar +Date: Wed, 16 Dec 2015 04:21:44 -0800 +Subject: mwifiex: add missing check for PCIe8997 chipset + +From: Amitkumar Karwar + +commit f3b35f28096895f2438c10ef719ef67d2951a8c9 upstream. + +This patch ensures mwifiex_pcie_txbd_empty() does take care +of 8997 chipset. + +Fixes: 6d85ef00d9dfe ("mwifiex: add support for 8997 chipset") +Signed-off-by: Amitkumar Karwar +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mwifiex/pcie.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/mwifiex/pcie.h ++++ b/drivers/net/wireless/mwifiex/pcie.h +@@ -342,6 +342,7 @@ mwifiex_pcie_txbd_empty(struct pcie_serv + return 1; + break; + case PCIE_DEVICE_ID_MARVELL_88W8897: ++ case PCIE_DEVICE_ID_MARVELL_88W8997: + if (((card->txbd_wrptr & reg->tx_mask) == + (rdptr & reg->tx_mask)) && + ((card->txbd_wrptr & reg->tx_rollover_ind) == diff --git a/queue-4.4/mwifiex-fix-ibss-data-path-issue.patch b/queue-4.4/mwifiex-fix-ibss-data-path-issue.patch new file mode 100644 index 00000000000..2bce2a34782 --- /dev/null +++ b/queue-4.4/mwifiex-fix-ibss-data-path-issue.patch @@ -0,0 +1,66 @@ +From dc386ce76dedaeeaaf006fceb6ed8cf2e20ff026 Mon Sep 17 00:00:00 2001 +From: chunfan chen +Date: Wed, 6 Jan 2016 23:40:48 -0800 +Subject: mwifiex: fix IBSS data path issue. + +From: chunfan chen + +commit dc386ce76dedaeeaaf006fceb6ed8cf2e20ff026 upstream. + +The port_open flag is not applicable for IBSS mode. IBSS data +path was broken when port_open flag was introduced. +This patch fixes the problem by correcting the checks. + +Fixes: 5c8946330abfa4c ("mwifiex: enable traffic only when port is open") +Signed-off-by: chunfan chen +Signed-off-by: Amitkumar Karwar +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mwifiex/sta_event.c | 10 ++++++---- + drivers/net/wireless/mwifiex/wmm.c | 6 ++++-- + 2 files changed, 10 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/mwifiex/sta_event.c ++++ b/drivers/net/wireless/mwifiex/sta_event.c +@@ -607,11 +607,13 @@ int mwifiex_process_sta_event(struct mwi + + case EVENT_PS_AWAKE: + mwifiex_dbg(adapter, EVENT, "info: EVENT: AWAKE\n"); +- if (!adapter->pps_uapsd_mode && priv->port_open && ++ if (!adapter->pps_uapsd_mode && ++ (priv->port_open || ++ (priv->bss_mode == NL80211_IFTYPE_ADHOC)) && + priv->media_connected && adapter->sleep_period.period) { +- adapter->pps_uapsd_mode = true; +- mwifiex_dbg(adapter, EVENT, +- "event: PPS/UAPSD mode activated\n"); ++ adapter->pps_uapsd_mode = true; ++ mwifiex_dbg(adapter, EVENT, ++ "event: PPS/UAPSD mode activated\n"); + } + adapter->tx_lock_flag = false; + if (adapter->pps_uapsd_mode && adapter->gen_null_pkt) { +--- a/drivers/net/wireless/mwifiex/wmm.c ++++ b/drivers/net/wireless/mwifiex/wmm.c +@@ -475,7 +475,8 @@ mwifiex_wmm_lists_empty(struct mwifiex_a + priv = adapter->priv[i]; + if (!priv) + continue; +- if (!priv->port_open) ++ if (!priv->port_open && ++ (priv->bss_mode != NL80211_IFTYPE_ADHOC)) + continue; + if (adapter->if_ops.is_port_ready && + !adapter->if_ops.is_port_ready(priv)) +@@ -1109,7 +1110,8 @@ mwifiex_wmm_get_highest_priolist_ptr(str + + priv_tmp = adapter->bss_prio_tbl[j].bss_prio_cur->priv; + +- if (!priv_tmp->port_open || ++ if (((priv_tmp->bss_mode != NL80211_IFTYPE_ADHOC) && ++ !priv_tmp->port_open) || + (atomic_read(&priv_tmp->wmm.tx_pkts_queued) == 0)) + continue; + diff --git a/queue-4.4/net-mlx4_core-do-not-bug_on-during-reset-when-pci-is-offline.patch b/queue-4.4/net-mlx4_core-do-not-bug_on-during-reset-when-pci-is-offline.patch new file mode 100644 index 00000000000..7498c25e485 --- /dev/null +++ b/queue-4.4/net-mlx4_core-do-not-bug_on-during-reset-when-pci-is-offline.patch @@ -0,0 +1,44 @@ +From 22e3817e6c8301dc0520b855c8a2d764580e719c Mon Sep 17 00:00:00 2001 +From: Daniel Jurgens +Date: Wed, 17 Feb 2016 17:24:25 +0200 +Subject: net/mlx4_core: Do not BUG_ON during reset when PCI is offline + +From: Daniel Jurgens + +commit 22e3817e6c8301dc0520b855c8a2d764580e719c upstream. + +The PCI channel could go offline during reset due to EEH. Don't bug on in +this case, the error is recoverable. + +Fixes: f6bc11e42646 ('net/mlx4_core: Enhance the catas flow to support device reset') +Signed-off-by: Daniel Jurgens +Reviewed-by: Yishai Hadas +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/mellanox/mlx4/catas.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/catas.c ++++ b/drivers/net/ethernet/mellanox/mlx4/catas.c +@@ -182,10 +182,17 @@ void mlx4_enter_error_state(struct mlx4_ + err = mlx4_reset_slave(dev); + else + err = mlx4_reset_master(dev); +- BUG_ON(err != 0); + ++ if (!err) { ++ mlx4_err(dev, "device was reset successfully\n"); ++ } else { ++ /* EEH could have disabled the PCI channel during reset. That's ++ * recoverable and the PCI error flow will handle it. ++ */ ++ if (!pci_channel_offline(dev->persist->pdev)) ++ BUG_ON(1); ++ } + dev->persist->state |= MLX4_DEVICE_STATE_INTERNAL_ERROR; +- mlx4_err(dev, "device was reset successfully\n"); + mutex_unlock(&persist->device_state_mutex); + + /* At that step HW was already reset, now notify clients */ diff --git a/queue-4.4/net-mlx4_core-implement-pci_resume-callback.patch b/queue-4.4/net-mlx4_core-implement-pci_resume-callback.patch new file mode 100644 index 00000000000..341d5e94463 --- /dev/null +++ b/queue-4.4/net-mlx4_core-implement-pci_resume-callback.patch @@ -0,0 +1,104 @@ +From c12833acff62cff83a8b728253e7ebbc1264d75e Mon Sep 17 00:00:00 2001 +From: Daniel Jurgens +Date: Wed, 20 Apr 2016 16:01:15 +0300 +Subject: net/mlx4_core: Implement pci_resume callback + +From: Daniel Jurgens + +commit c12833acff62cff83a8b728253e7ebbc1264d75e upstream. + +Move resume related activities to a new pci_resume function instead of +performing them in mlx4_pci_slot_reset. This change is needed to avoid +a hotplug during EEH recovery due to commit f2da4ccf8bd4 ("powerpc/eeh: +More relaxed hotplug criterion"). + +Fixes: 2ba5fbd62b25 ('net/mlx4_core: Handle AER flow properly') +Signed-off-by: Daniel Jurgens +Signed-off-by: Yishai Hadas +Signed-off-by: Or Gerlitz +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/mellanox/mlx4/main.c | 39 ++++++++++++++++++------------ + 1 file changed, 24 insertions(+), 15 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/main.c ++++ b/drivers/net/ethernet/mellanox/mlx4/main.c +@@ -3854,45 +3854,53 @@ static pci_ers_result_t mlx4_pci_slot_re + { + struct mlx4_dev_persistent *persist = pci_get_drvdata(pdev); + struct mlx4_dev *dev = persist->dev; +- struct mlx4_priv *priv = mlx4_priv(dev); +- int ret; +- int nvfs[MLX4_MAX_PORTS + 1] = {0, 0, 0}; +- int total_vfs; ++ int err; + + mlx4_err(dev, "mlx4_pci_slot_reset was called\n"); +- ret = pci_enable_device(pdev); +- if (ret) { +- mlx4_err(dev, "Can not re-enable device, ret=%d\n", ret); ++ err = pci_enable_device(pdev); ++ if (err) { ++ mlx4_err(dev, "Can not re-enable device, err=%d\n", err); + return PCI_ERS_RESULT_DISCONNECT; + } + + pci_set_master(pdev); + pci_restore_state(pdev); + pci_save_state(pdev); ++ return PCI_ERS_RESULT_RECOVERED; ++} ++ ++static void mlx4_pci_resume(struct pci_dev *pdev) ++{ ++ struct mlx4_dev_persistent *persist = pci_get_drvdata(pdev); ++ struct mlx4_dev *dev = persist->dev; ++ struct mlx4_priv *priv = mlx4_priv(dev); ++ int nvfs[MLX4_MAX_PORTS + 1] = {0, 0, 0}; ++ int total_vfs; ++ int err; + ++ mlx4_err(dev, "%s was called\n", __func__); + total_vfs = dev->persist->num_vfs; + memcpy(nvfs, dev->persist->nvfs, sizeof(dev->persist->nvfs)); + + mutex_lock(&persist->interface_state_mutex); + if (!(persist->interface_state & MLX4_INTERFACE_STATE_UP)) { +- ret = mlx4_load_one(pdev, priv->pci_dev_data, total_vfs, nvfs, ++ err = mlx4_load_one(pdev, priv->pci_dev_data, total_vfs, nvfs, + priv, 1); +- if (ret) { +- mlx4_err(dev, "%s: mlx4_load_one failed, ret=%d\n", +- __func__, ret); ++ if (err) { ++ mlx4_err(dev, "%s: mlx4_load_one failed, err=%d\n", ++ __func__, err); + goto end; + } + +- ret = restore_current_port_types(dev, dev->persist-> ++ err = restore_current_port_types(dev, dev->persist-> + curr_port_type, dev->persist-> + curr_port_poss_type); +- if (ret) +- mlx4_err(dev, "could not restore original port types (%d)\n", ret); ++ if (err) ++ mlx4_err(dev, "could not restore original port types (%d)\n", err); + } + end: + mutex_unlock(&persist->interface_state_mutex); + +- return ret ? PCI_ERS_RESULT_DISCONNECT : PCI_ERS_RESULT_RECOVERED; + } + + static void mlx4_shutdown(struct pci_dev *pdev) +@@ -3909,6 +3917,7 @@ static void mlx4_shutdown(struct pci_dev + static const struct pci_error_handlers mlx4_err_handler = { + .error_detected = mlx4_pci_err_detected, + .slot_reset = mlx4_pci_slot_reset, ++ .resume = mlx4_pci_resume, + }; + + static struct pci_driver mlx4_driver = { diff --git a/queue-4.4/ovs-gre-geneve-fix-error-path-when-creating-an-iface.patch b/queue-4.4/ovs-gre-geneve-fix-error-path-when-creating-an-iface.patch new file mode 100644 index 00000000000..3b040d86099 --- /dev/null +++ b/queue-4.4/ovs-gre-geneve-fix-error-path-when-creating-an-iface.patch @@ -0,0 +1,88 @@ +From 106da663ff495e0aea3ac15b8317aa410754fcac Mon Sep 17 00:00:00 2001 +From: Nicolas Dichtel +Date: Mon, 13 Jun 2016 10:31:04 +0200 +Subject: ovs/gre,geneve: fix error path when creating an iface + +From: Nicolas Dichtel + +commit 106da663ff495e0aea3ac15b8317aa410754fcac upstream. + +After ipgre_newlink()/geneve_configure() call, the netdev is registered. + +Fixes: 7e059158d57b ("vxlan, gre, geneve: Set a large MTU on ovs-created tunnel devices") +CC: David Wragg +Signed-off-by: Nicolas Dichtel +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/geneve.c | 10 +++++++--- + net/ipv4/ip_gre.c | 10 +++++++--- + 2 files changed, 14 insertions(+), 6 deletions(-) + +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -1340,6 +1340,7 @@ struct net_device *geneve_dev_create_fb( + { + struct nlattr *tb[IFLA_MAX + 1]; + struct net_device *dev; ++ LIST_HEAD(list_kill); + int err; + + memset(tb, 0, sizeof(tb)); +@@ -1350,8 +1351,10 @@ struct net_device *geneve_dev_create_fb( + + err = geneve_configure(net, dev, &geneve_remote_unspec, + 0, 0, 0, htons(dst_port), true); +- if (err) +- goto err; ++ if (err) { ++ free_netdev(dev); ++ return ERR_PTR(err); ++ } + + /* openvswitch users expect packet sizes to be unrestricted, + * so set the largest MTU we can. +@@ -1363,7 +1366,8 @@ struct net_device *geneve_dev_create_fb( + return dev; + + err: +- free_netdev(dev); ++ geneve_dellink(dev, &list_kill); ++ unregister_netdevice_many(&list_kill); + return ERR_PTR(err); + } + EXPORT_SYMBOL_GPL(geneve_dev_create_fb); +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -1230,6 +1230,7 @@ struct net_device *gretap_fb_dev_create( + { + struct nlattr *tb[IFLA_MAX + 1]; + struct net_device *dev; ++ LIST_HEAD(list_kill); + struct ip_tunnel *t; + int err; + +@@ -1245,8 +1246,10 @@ struct net_device *gretap_fb_dev_create( + t->collect_md = true; + + err = ipgre_newlink(net, dev, tb, NULL); +- if (err < 0) +- goto out; ++ if (err < 0) { ++ free_netdev(dev); ++ return ERR_PTR(err); ++ } + + /* openvswitch users expect packet sizes to be unrestricted, + * so set the largest MTU we can. +@@ -1257,7 +1260,8 @@ struct net_device *gretap_fb_dev_create( + + return dev; + out: +- free_netdev(dev); ++ ip_tunnel_dellink(dev, &list_kill); ++ unregister_netdevice_many(&list_kill); + return ERR_PTR(err); + } + EXPORT_SYMBOL_GPL(gretap_fb_dev_create); diff --git a/queue-4.4/pci-supply-cpu-physical-address-not-bus-address-to-iomem_is_exclusive.patch b/queue-4.4/pci-supply-cpu-physical-address-not-bus-address-to-iomem_is_exclusive.patch new file mode 100644 index 00000000000..c25b2ac4049 --- /dev/null +++ b/queue-4.4/pci-supply-cpu-physical-address-not-bus-address-to-iomem_is_exclusive.patch @@ -0,0 +1,57 @@ +From ca620723d4ff9ea7ed484eab46264c3af871b9ae Mon Sep 17 00:00:00 2001 +From: Bjorn Helgaas +Date: Thu, 7 Apr 2016 17:15:14 -0700 +Subject: PCI: Supply CPU physical address (not bus address) to iomem_is_exclusive() + +From: Bjorn Helgaas + +commit ca620723d4ff9ea7ed484eab46264c3af871b9ae upstream. + +iomem_is_exclusive() requires a CPU physical address, but on some arches we +supplied a PCI bus address instead. + +On most arches, pci_resource_to_user(res) returns "res->start", which is a +CPU physical address. But on microblaze, mips, powerpc, and sparc, it +returns the PCI bus address corresponding to "res->start". + +The result is that pci_mmap_resource() may fail when it shouldn't (if the +bus address happens to match an existing resource), or it may succeed when +it should fail (if the resource is exclusive but the bus address doesn't +match it). + +Call iomem_is_exclusive() with "res->start", which is always a CPU physical +address, not the result of pci_resource_to_user(). + +Fixes: e8de1481fd71 ("resource: allow MMIO exclusivity for device drivers") +Suggested-by: Yinghai Lu +Signed-off-by: Bjorn Helgaas +CC: Arjan van de Ven +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/pci-sysfs.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -1027,6 +1027,9 @@ static int pci_mmap_resource(struct kobj + if (i >= PCI_ROM_RESOURCE) + return -ENODEV; + ++ if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)) ++ return -EINVAL; ++ + if (!pci_mmap_fits(pdev, i, vma, PCI_MMAP_SYSFS)) { + WARN(1, "process \"%s\" tried to map 0x%08lx bytes at page 0x%08lx on %s BAR %d (start 0x%16Lx, size 0x%16Lx)\n", + current->comm, vma->vm_end-vma->vm_start, vma->vm_pgoff, +@@ -1043,10 +1046,6 @@ static int pci_mmap_resource(struct kobj + pci_resource_to_user(pdev, i, res, &start, &end); + vma->vm_pgoff += start >> PAGE_SHIFT; + mmap_type = res->flags & IORESOURCE_MEM ? pci_mmap_mem : pci_mmap_io; +- +- if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(start)) +- return -EINVAL; +- + return pci_mmap_page_range(pdev, vma, mmap_type, write_combine); + } + diff --git a/queue-4.4/series b/queue-4.4/series index 1b31492a8d9..97953af6aab 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -50,3 +50,19 @@ alsa-fm801-propagate-tuner_only-bit-when-autodetected.patch alsa-fm801-detect-fm-only-card-earlier.patch netfilter-nfnetlink-use-original-skbuff-when-acking-batches.patch xfrm-fix-crash-in-xfrm_msg_getsa-netlink-handler.patch +mwifiex-fix-ibss-data-path-issue.patch +mwifiex-add-missing-check-for-pcie8997-chipset.patch +iwlwifi-set-max-firmware-version-of-7265-to-17.patch +bluetooth-btmrvl-fix-hung-task-warning-dump.patch +dccp-limit-sk_filter-trim-to-payload.patch +net-mlx4_core-do-not-bug_on-during-reset-when-pci-is-offline.patch +mlxsw-pci-correctly-determine-if-descriptor-queue-is-full.patch +pci-supply-cpu-physical-address-not-bus-address-to-iomem_is_exclusive.patch +net-mlx4_core-implement-pci_resume-callback.patch +alpha-pci-call-iomem_is_exclusive-for-ioresource_mem-but-not-ioresource_io.patch +vfio-pci-allow-vpd-short-read.patch +brcmfmac-add-eth_type_trans-back-for-pcie-full-dongle.patch +mlxsw-treat-local-port-64-as-valid.patch +ib-mlx4-initialize-hop_limit-when-creating-address-handle.patch +ovs-gre-geneve-fix-error-path-when-creating-an-iface.patch +gre-disable-segmentation-offloads-w-csum-and-we-are-encapsulated-via-fou.patch diff --git a/queue-4.4/vfio-pci-allow-vpd-short-read.patch b/queue-4.4/vfio-pci-allow-vpd-short-read.patch new file mode 100644 index 00000000000..06a24423547 --- /dev/null +++ b/queue-4.4/vfio-pci-allow-vpd-short-read.patch @@ -0,0 +1,33 @@ +From ce7585f3c4d76bca1dff4b66ae1ea32552954f9e Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Tue, 31 May 2016 21:25:52 -0600 +Subject: vfio/pci: Allow VPD short read + +From: Alex Williamson + +commit ce7585f3c4d76bca1dff4b66ae1ea32552954f9e upstream. + +The size of the VPD area is not necessarily 4-byte aligned, so a +pci_vpd_read() might return less than 4 bytes. Zero our buffer and +accept anything other than an error. Intel X710 NICs exercise this. + +Fixes: 4e1a635552d3 ("vfio/pci: Use kernel VPD access functions") +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/vfio/pci/vfio_pci_config.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/vfio/pci/vfio_pci_config.c ++++ b/drivers/vfio/pci/vfio_pci_config.c +@@ -698,7 +698,8 @@ static int vfio_vpd_config_write(struct + if (pci_write_vpd(pdev, addr & ~PCI_VPD_ADDR_F, 4, &data) != 4) + return count; + } else { +- if (pci_read_vpd(pdev, addr, 4, &data) != 4) ++ data = 0; ++ if (pci_read_vpd(pdev, addr, 4, &data) < 0) + return count; + *pdata = cpu_to_le32(data); + }