diff options
| author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2018-08-24 12:32:32 -0400 |
|---|---|---|
| committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2018-08-24 12:32:32 -0400 |
| commit | 2aed82b1188d43a3d9a4364635ad0e3c353836b3 (patch) | |
| tree | 77ec50625725b92c100f2d24b1ac80f08f1bd6d2 | |
| parent | db151d40a09befbc96702236e1c842a8a90c3da5 (diff) | |
| download | longterm-queue-4.12-2aed82b1188d43a3d9a4364635ad0e3c353836b3.tar.gz | |
add more possible patches
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
101 files changed, 7078 insertions, 0 deletions
diff --git a/queue/ALSA-hda-Add-MIC_NO_PRESENCE-fixup-for-2-HP-machines.patch b/queue/ALSA-hda-Add-MIC_NO_PRESENCE-fixup-for-2-HP-machines.patch new file mode 100644 index 0000000..078715f --- /dev/null +++ b/queue/ALSA-hda-Add-MIC_NO_PRESENCE-fixup-for-2-HP-machines.patch @@ -0,0 +1,80 @@ +From 322f74ede933b3e2cb78768b6a6fdbfbf478a0c1 Mon Sep 17 00:00:00 2001 +From: Hui Wang <hui.wang@canonical.com> +Date: Fri, 22 Dec 2017 11:17:44 +0800 +Subject: [PATCH] ALSA: hda - Add MIC_NO_PRESENCE fixup for 2 HP machines + +commit 322f74ede933b3e2cb78768b6a6fdbfbf478a0c1 upstream. + +There is a headset jack on the front panel, when we plug a headset +into it, the headset mic can't trigger unsol events, and +read_pin_sense() can't detect its presence too. So add this fixup +to fix this issue. + +Cc: <stable@vger.kernel.org> +Signed-off-by: Hui Wang <hui.wang@canonical.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c +index a81aacf684b2..37e1cf8218ff 100644 +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -271,6 +271,8 @@ enum { + CXT_FIXUP_HP_SPECTRE, + CXT_FIXUP_HP_GATE_MIC, + CXT_FIXUP_MUTE_LED_GPIO, ++ CXT_FIXUP_HEADSET_MIC, ++ CXT_FIXUP_HP_MIC_NO_PRESENCE, + }; + + /* for hda_fixup_thinkpad_acpi() */ +@@ -350,6 +352,18 @@ static void cxt_fixup_headphone_mic(struct hda_codec *codec, + } + } + ++static void cxt_fixup_headset_mic(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ struct conexant_spec *spec = codec->spec; ++ ++ switch (action) { ++ case HDA_FIXUP_ACT_PRE_PROBE: ++ spec->parse_flags |= HDA_PINCFG_HEADSET_MIC; ++ break; ++ } ++} ++ + /* OPLC XO 1.5 fixup */ + + /* OLPC XO-1.5 supports DC input mode (e.g. for use with analog sensors) +@@ -880,6 +894,19 @@ static const struct hda_fixup cxt_fixups[] = { + .type = HDA_FIXUP_FUNC, + .v.func = cxt_fixup_mute_led_gpio, + }, ++ [CXT_FIXUP_HEADSET_MIC] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = cxt_fixup_headset_mic, ++ }, ++ [CXT_FIXUP_HP_MIC_NO_PRESENCE] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x1a, 0x02a1113c }, ++ { } ++ }, ++ .chained = true, ++ .chain_id = CXT_FIXUP_HEADSET_MIC, ++ }, + }; + + static const struct snd_pci_quirk cxt5045_fixups[] = { +@@ -934,6 +961,8 @@ static const struct snd_pci_quirk cxt5066_fixups[] = { + SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC), + SND_PCI_QUIRK(0x103c, 0x814f, "HP ZBook 15u G3", CXT_FIXUP_MUTE_LED_GPIO), + SND_PCI_QUIRK(0x103c, 0x822e, "HP ProBook 440 G4", CXT_FIXUP_MUTE_LED_GPIO), ++ SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN), + SND_PCI_QUIRK(0x152d, 0x0833, "OLPC XO-1.5", CXT_FIXUP_OLPC_XO), + SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo T400", CXT_PINCFG_LENOVO_TP410), +-- +2.15.0 + diff --git a/queue/ALSA-hda-Drop-useless-WARN_ON.patch b/queue/ALSA-hda-Drop-useless-WARN_ON.patch new file mode 100644 index 0000000..6a388b4 --- /dev/null +++ b/queue/ALSA-hda-Drop-useless-WARN_ON.patch @@ -0,0 +1,35 @@ +From a36c2638380c0a4676647a1f553b70b20d3ebce1 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai <tiwai@suse.de> +Date: Fri, 22 Dec 2017 10:45:07 +0100 +Subject: [PATCH] ALSA: hda: Drop useless WARN_ON() + +commit a36c2638380c0a4676647a1f553b70b20d3ebce1 upstream. + +Since the commit 97cc2ed27e5a ("ALSA: hda - Fix yet another i915 +pointer leftover in error path") cleared hdac_acomp pointer, the +WARN_ON() non-NULL check in snd_hdac_i915_register_notifier() may give +a false-positive warning, as the function gets called no matter +whether the component is registered or not. For fixing it, let's get +rid of the spurious WARN_ON(). + +Fixes: 97cc2ed27e5a ("ALSA: hda - Fix yet another i915 pointer leftover in error path") +Cc: <stable@vger.kernel.org> +Reported-by: Kouta Okamoto <kouta.okamoto@toshiba.co.jp> +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +diff --git a/sound/hda/hdac_i915.c b/sound/hda/hdac_i915.c +index 038a180d3f81..cbe818eda336 100644 +--- a/sound/hda/hdac_i915.c ++++ b/sound/hda/hdac_i915.c +@@ -325,7 +325,7 @@ static int hdac_component_master_match(struct device *dev, void *data) + */ + int snd_hdac_i915_register_notifier(const struct i915_audio_component_audio_ops *aops) + { +- if (WARN_ON(!hdac_acomp)) ++ if (!hdac_acomp) + return -ENODEV; + + hdac_acomp->audio_ops = aops; +-- +2.15.0 + diff --git a/queue/ALSA-hda-Fix-missing-COEF-init-for-ALC225-295-299.patch b/queue/ALSA-hda-Fix-missing-COEF-init-for-ALC225-295-299.patch new file mode 100644 index 0000000..ebeb48a --- /dev/null +++ b/queue/ALSA-hda-Fix-missing-COEF-init-for-ALC225-295-299.patch @@ -0,0 +1,52 @@ +From 44be77c590f381bc629815ac789b8b15ecc4ddcf Mon Sep 17 00:00:00 2001 +From: Takashi Iwai <tiwai@suse.de> +Date: Wed, 27 Dec 2017 08:53:59 +0100 +Subject: [PATCH] ALSA: hda - Fix missing COEF init for ALC225/295/299 + +commit 44be77c590f381bc629815ac789b8b15ecc4ddcf upstream. + +There was a long-standing problem on HP Spectre X360 with Kabylake +where it lacks of the front speaker output in some situations. Also +there are other products showing the similar behavior. The culprit +seems to be the missing COEF setup on ALC codecs, ALC225/295/299, +which are all compatible. + +This patch adds the proper COEF setup (to initialize idx 0x67 / bits +0x3000) for addressing the issue. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195457 +Cc: <stable@vger.kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 1522ba31e16d..8fd2d9c62c96 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -324,8 +324,12 @@ static void alc_fill_eapd_coef(struct hda_codec *codec) + case 0x10ec0292: + alc_update_coef_idx(codec, 0x4, 1<<15, 0); + break; +- case 0x10ec0215: + case 0x10ec0225: ++ case 0x10ec0295: ++ case 0x10ec0299: ++ alc_update_coef_idx(codec, 0x67, 0xf000, 0x3000); ++ /* fallthrough */ ++ case 0x10ec0215: + case 0x10ec0233: + case 0x10ec0236: + case 0x10ec0255: +@@ -336,10 +340,8 @@ static void alc_fill_eapd_coef(struct hda_codec *codec) + case 0x10ec0286: + case 0x10ec0288: + case 0x10ec0285: +- case 0x10ec0295: + case 0x10ec0298: + case 0x10ec0289: +- case 0x10ec0299: + alc_update_coef_idx(codec, 0x10, 1<<9, 0); + break; + case 0x10ec0275: +-- +2.15.0 + diff --git a/queue/ALSA-hda-change-the-location-for-one-mic-on-a-Lenovo.patch b/queue/ALSA-hda-change-the-location-for-one-mic-on-a-Lenovo.patch new file mode 100644 index 0000000..65163ed --- /dev/null +++ b/queue/ALSA-hda-change-the-location-for-one-mic-on-a-Lenovo.patch @@ -0,0 +1,32 @@ +From 8da5bbfc7cbba909f4f32d5e1dda3750baa5d853 Mon Sep 17 00:00:00 2001 +From: Hui Wang <hui.wang@canonical.com> +Date: Fri, 22 Dec 2017 11:17:46 +0800 +Subject: [PATCH] ALSA: hda - change the location for one mic on a Lenovo + machine + +commit 8da5bbfc7cbba909f4f32d5e1dda3750baa5d853 upstream. + +There are two front mics on this machine, and current driver assign +the same name Mic to both of them, but pulseaudio can't handle them. +As a workaround, we change the location for one of them, then the +driver will assign "Front Mic" and "Mic" for them. + +Cc: <stable@vger.kernel.org> +Signed-off-by: Hui Wang <hui.wang@canonical.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 682858548b9b..1522ba31e16d 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6328,6 +6328,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), ++ SND_PCI_QUIRK(0x17aa, 0x313c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), + SND_PCI_QUIRK(0x17aa, 0x3112, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC), +-- +2.15.0 + diff --git a/queue/ALSA-hda-fix-headset-mic-detection-issue-on-a-Dell-m.patch b/queue/ALSA-hda-fix-headset-mic-detection-issue-on-a-Dell-m.patch new file mode 100644 index 0000000..92c3c81 --- /dev/null +++ b/queue/ALSA-hda-fix-headset-mic-detection-issue-on-a-Dell-m.patch @@ -0,0 +1,33 @@ +From 285d5ddcffafa5d5e68c586f4c9eaa8b24a2897d Mon Sep 17 00:00:00 2001 +From: Hui Wang <hui.wang@canonical.com> +Date: Fri, 22 Dec 2017 11:17:45 +0800 +Subject: [PATCH] ALSA: hda - fix headset mic detection issue on a Dell machine + +commit 285d5ddcffafa5d5e68c586f4c9eaa8b24a2897d upstream. + +It has the codec alc256, and add its pin definition to pin quirk +table to let it apply ALC255_FIXUP_DELL1_MIC_NO_PRESENCE. + +Cc: <stable@vger.kernel.org> +Signed-off-by: Hui Wang <hui.wang@canonical.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 6a4db00511ab..682858548b9b 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6585,6 +6585,11 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = { + SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, + {0x1b, 0x01011020}, + {0x21, 0x02211010}), ++ SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, ++ {0x12, 0x90a60130}, ++ {0x14, 0x90170110}, ++ {0x1b, 0x01011020}, ++ {0x21, 0x0221101f}), + SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, + {0x12, 0x90a60160}, + {0x14, 0x90170120}, +-- +2.15.0 + diff --git a/queue/ASoC-codecs-msm8916-wcd-Fix-supported-formats.patch b/queue/ASoC-codecs-msm8916-wcd-Fix-supported-formats.patch new file mode 100644 index 0000000..dd60d08 --- /dev/null +++ b/queue/ASoC-codecs-msm8916-wcd-Fix-supported-formats.patch @@ -0,0 +1,52 @@ +From 51f493ae71adc2c49a317a13c38e54e1cdf46005 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> +Date: Thu, 30 Nov 2017 10:15:02 +0000 +Subject: [PATCH] ASoC: codecs: msm8916-wcd: Fix supported formats + +commit 51f493ae71adc2c49a317a13c38e54e1cdf46005 upstream. + +This codec is configurable for only 16 bit and 32 bit samples, so reflect +this in the supported formats also remove 24bit sample from supported list. + +Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> +Signed-off-by: Mark Brown <broonie@kernel.org> +Cc: stable@vger.kernel.org + +diff --git a/sound/soc/codecs/msm8916-wcd-analog.c b/sound/soc/codecs/msm8916-wcd-analog.c +index 5f3c42c4f74a..066ea2f4ce7b 100644 +--- a/sound/soc/codecs/msm8916-wcd-analog.c ++++ b/sound/soc/codecs/msm8916-wcd-analog.c +@@ -267,7 +267,7 @@ + #define MSM8916_WCD_ANALOG_RATES (SNDRV_PCM_RATE_8000 | SNDRV_PCM_RATE_16000 |\ + SNDRV_PCM_RATE_32000 | SNDRV_PCM_RATE_48000) + #define MSM8916_WCD_ANALOG_FORMATS (SNDRV_PCM_FMTBIT_S16_LE |\ +- SNDRV_PCM_FMTBIT_S24_LE) ++ SNDRV_PCM_FMTBIT_S32_LE) + + static int btn_mask = SND_JACK_BTN_0 | SND_JACK_BTN_1 | + SND_JACK_BTN_2 | SND_JACK_BTN_3 | SND_JACK_BTN_4; +diff --git a/sound/soc/codecs/msm8916-wcd-digital.c b/sound/soc/codecs/msm8916-wcd-digital.c +index a10a724eb448..13354d6304a8 100644 +--- a/sound/soc/codecs/msm8916-wcd-digital.c ++++ b/sound/soc/codecs/msm8916-wcd-digital.c +@@ -194,7 +194,7 @@ + SNDRV_PCM_RATE_32000 | \ + SNDRV_PCM_RATE_48000) + #define MSM8916_WCD_DIGITAL_FORMATS (SNDRV_PCM_FMTBIT_S16_LE |\ +- SNDRV_PCM_FMTBIT_S24_LE) ++ SNDRV_PCM_FMTBIT_S32_LE) + + struct msm8916_wcd_digital_priv { + struct clk *ahbclk, *mclk; +@@ -645,7 +645,7 @@ static int msm8916_wcd_digital_hw_params(struct snd_pcm_substream *substream, + RX_I2S_CTL_RX_I2S_MODE_MASK, + RX_I2S_CTL_RX_I2S_MODE_16); + break; +- case SNDRV_PCM_FORMAT_S24_LE: ++ case SNDRV_PCM_FORMAT_S32_LE: + snd_soc_update_bits(dai->codec, LPASS_CDC_CLK_TX_I2S_CTL, + TX_I2S_CTL_TX_I2S_MODE_MASK, + TX_I2S_CTL_TX_I2S_MODE_32); +-- +2.15.0 + diff --git a/queue/ASoC-da7218-fix-fix-child-node-lookup.patch b/queue/ASoC-da7218-fix-fix-child-node-lookup.patch new file mode 100644 index 0000000..19c2926 --- /dev/null +++ b/queue/ASoC-da7218-fix-fix-child-node-lookup.patch @@ -0,0 +1,35 @@ +From bc6476d6c1edcb9b97621b5131bd169aa81f27db Mon Sep 17 00:00:00 2001 +From: Johan Hovold <johan@kernel.org> +Date: Mon, 13 Nov 2017 12:12:55 +0100 +Subject: [PATCH] ASoC: da7218: fix fix child-node lookup + +commit bc6476d6c1edcb9b97621b5131bd169aa81f27db upstream. + +Fix child-node lookup during probe, which ended up searching the whole +device tree depth-first starting at the parent rather than just matching +on its children. + +To make things worse, the parent codec node was also prematurely freed. + +Fixes: 4d50934abd22 ("ASoC: da7218: Add da7218 codec driver") +Signed-off-by: Johan Hovold <johan@kernel.org> +Acked-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com> +Signed-off-by: Mark Brown <broonie@kernel.org> +Cc: stable <stable@vger.kernel.org> + +diff --git a/sound/soc/codecs/da7218.c b/sound/soc/codecs/da7218.c +index b2d42ec1dcd9..56564ce90cb6 100644 +--- a/sound/soc/codecs/da7218.c ++++ b/sound/soc/codecs/da7218.c +@@ -2520,7 +2520,7 @@ static struct da7218_pdata *da7218_of_to_pdata(struct snd_soc_codec *codec) + } + + if (da7218->dev_id == DA7218_DEV_ID) { +- hpldet_np = of_find_node_by_name(np, "da7218_hpldet"); ++ hpldet_np = of_get_child_by_name(np, "da7218_hpldet"); + if (!hpldet_np) + return pdata; + +-- +2.15.0 + diff --git a/queue/ASoC-fsl_ssi-AC-97-ops-need-regmap-clock-and-cleanin.patch b/queue/ASoC-fsl_ssi-AC-97-ops-need-regmap-clock-and-cleanin.patch new file mode 100644 index 0000000..00cec5e --- /dev/null +++ b/queue/ASoC-fsl_ssi-AC-97-ops-need-regmap-clock-and-cleanin.patch @@ -0,0 +1,64 @@ +From 695b78b548d8a26288f041e907ff17758df9e1d5 Mon Sep 17 00:00:00 2001 +From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name> +Date: Mon, 20 Nov 2017 23:14:55 +0100 +Subject: [PATCH] ASoC: fsl_ssi: AC'97 ops need regmap, clock and cleaning up + on failure + +commit 695b78b548d8a26288f041e907ff17758df9e1d5 upstream. + +AC'97 ops (register read / write) need SSI regmap and clock, so they have +to be set after them. + +We also need to set these ops back to NULL if we fail the probe. + +Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name> +Acked-by: Nicolin Chen <nicoleotsuka@gmail.com> +Signed-off-by: Mark Brown <broonie@kernel.org> +Cc: stable@vger.kernel.org + +diff --git a/sound/soc/fsl/fsl_ssi.c b/sound/soc/fsl/fsl_ssi.c +index f2f51e06e22c..c3a83ed0297e 100644 +--- a/sound/soc/fsl/fsl_ssi.c ++++ b/sound/soc/fsl/fsl_ssi.c +@@ -1458,12 +1458,6 @@ static int fsl_ssi_probe(struct platform_device *pdev) + sizeof(fsl_ssi_ac97_dai)); + + fsl_ac97_data = ssi_private; +- +- ret = snd_soc_set_ac97_ops_of_reset(&fsl_ssi_ac97_ops, pdev); +- if (ret) { +- dev_err(&pdev->dev, "could not set AC'97 ops\n"); +- return ret; +- } + } else { + /* Initialize this copy of the CPU DAI driver structure */ + memcpy(&ssi_private->cpu_dai_drv, &fsl_ssi_dai_template, +@@ -1574,6 +1568,14 @@ static int fsl_ssi_probe(struct platform_device *pdev) + return ret; + } + ++ if (fsl_ssi_is_ac97(ssi_private)) { ++ ret = snd_soc_set_ac97_ops_of_reset(&fsl_ssi_ac97_ops, pdev); ++ if (ret) { ++ dev_err(&pdev->dev, "could not set AC'97 ops\n"); ++ goto error_ac97_ops; ++ } ++ } ++ + ret = devm_snd_soc_register_component(&pdev->dev, &fsl_ssi_component, + &ssi_private->cpu_dai_drv, 1); + if (ret) { +@@ -1657,6 +1659,10 @@ error_sound_card: + fsl_ssi_debugfs_remove(&ssi_private->dbg_stats); + + error_asoc_register: ++ if (fsl_ssi_is_ac97(ssi_private)) ++ snd_soc_set_ac97_ops(NULL); ++ ++error_ac97_ops: + if (ssi_private->soc->imx) + fsl_ssi_imx_clean(pdev, ssi_private); + +-- +2.15.0 + diff --git a/queue/ASoC-tlv320aic31xx-Fix-GPIO1-register-definition.patch b/queue/ASoC-tlv320aic31xx-Fix-GPIO1-register-definition.patch new file mode 100644 index 0000000..367c118 --- /dev/null +++ b/queue/ASoC-tlv320aic31xx-Fix-GPIO1-register-definition.patch @@ -0,0 +1,30 @@ +From 737e0b7b67bdfe24090fab2852044bb283282fc5 Mon Sep 17 00:00:00 2001 +From: "Andrew F. Davis" <afd@ti.com> +Date: Wed, 29 Nov 2017 15:32:46 -0600 +Subject: [PATCH] ASoC: tlv320aic31xx: Fix GPIO1 register definition + +commit 737e0b7b67bdfe24090fab2852044bb283282fc5 upstream. + +GPIO1 control register is number 51, fix this here. + +Fixes: bafcbfe429eb ("ASoC: tlv320aic31xx: Make the register values human readable") +Signed-off-by: Andrew F. Davis <afd@ti.com> +Signed-off-by: Mark Brown <broonie@kernel.org> +Cc: stable@vger.kernel.org + +diff --git a/sound/soc/codecs/tlv320aic31xx.h b/sound/soc/codecs/tlv320aic31xx.h +index 730fb2058869..1ff3edb7bbb6 100644 +--- a/sound/soc/codecs/tlv320aic31xx.h ++++ b/sound/soc/codecs/tlv320aic31xx.h +@@ -116,7 +116,7 @@ struct aic31xx_pdata { + /* INT2 interrupt control */ + #define AIC31XX_INT2CTRL AIC31XX_REG(0, 49) + /* GPIO1 control */ +-#define AIC31XX_GPIO1 AIC31XX_REG(0, 50) ++#define AIC31XX_GPIO1 AIC31XX_REG(0, 51) + + #define AIC31XX_DACPRB AIC31XX_REG(0, 60) + /* ADC Instruction Set Register */ +-- +2.15.0 + diff --git a/queue/ASoC-twl4030-fix-child-node-lookup.patch b/queue/ASoC-twl4030-fix-child-node-lookup.patch new file mode 100644 index 0000000..59d0d39 --- /dev/null +++ b/queue/ASoC-twl4030-fix-child-node-lookup.patch @@ -0,0 +1,47 @@ +From 15f8c5f2415bfac73f33a14bcd83422bcbfb5298 Mon Sep 17 00:00:00 2001 +From: Johan Hovold <johan@kernel.org> +Date: Mon, 13 Nov 2017 12:12:56 +0100 +Subject: [PATCH] ASoC: twl4030: fix child-node lookup + +commit 15f8c5f2415bfac73f33a14bcd83422bcbfb5298 upstream. + +Fix child-node lookup during probe, which ended up searching the whole +device tree depth-first starting at the parent rather than just matching +on its children. + +To make things worse, the parent codec node was also prematurely freed, +while the child node was leaked. + +Fixes: 2d6d649a2e0f ("ASoC: twl4030: Support for DT booted kernel") +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Mark Brown <broonie@kernel.org> +Cc: stable <stable@vger.kernel.org> + +diff --git a/sound/soc/codecs/twl4030.c b/sound/soc/codecs/twl4030.c +index c482b2e7a7d2..cfe72b9d4356 100644 +--- a/sound/soc/codecs/twl4030.c ++++ b/sound/soc/codecs/twl4030.c +@@ -232,7 +232,7 @@ static struct twl4030_codec_data *twl4030_get_pdata(struct snd_soc_codec *codec) + struct twl4030_codec_data *pdata = dev_get_platdata(codec->dev); + struct device_node *twl4030_codec_node = NULL; + +- twl4030_codec_node = of_find_node_by_name(codec->dev->parent->of_node, ++ twl4030_codec_node = of_get_child_by_name(codec->dev->parent->of_node, + "codec"); + + if (!pdata && twl4030_codec_node) { +@@ -241,9 +241,11 @@ static struct twl4030_codec_data *twl4030_get_pdata(struct snd_soc_codec *codec) + GFP_KERNEL); + if (!pdata) { + dev_err(codec->dev, "Can not allocate memory\n"); ++ of_node_put(twl4030_codec_node); + return NULL; + } + twl4030_setup_pdata_of(pdata, twl4030_codec_node); ++ of_node_put(twl4030_codec_node); + } + + return pdata; +-- +2.15.0 + diff --git a/queue/ASoC-wm_adsp-Fix-validation-of-firmware-and-coeff-le.patch b/queue/ASoC-wm_adsp-Fix-validation-of-firmware-and-coeff-le.patch new file mode 100644 index 0000000..7e3586e --- /dev/null +++ b/queue/ASoC-wm_adsp-Fix-validation-of-firmware-and-coeff-le.patch @@ -0,0 +1,69 @@ +From 50dd2ea8ef67a1617e0c0658bcbec4b9fb03b936 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings <ben.hutchings@codethink.co.uk> +Date: Fri, 8 Dec 2017 16:15:20 +0000 +Subject: [PATCH] ASoC: wm_adsp: Fix validation of firmware and coeff lengths + +commit 50dd2ea8ef67a1617e0c0658bcbec4b9fb03b936 upstream. + +The checks for whether another region/block header could be present +are subtracting the size from the current offset. Obviously we should +instead subtract the offset from the size. + +The checks for whether the region/block data fit in the file are +adding the data size to the current offset and header size, without +checking for integer overflow. Rearrange these so that overflow is +impossible. + +Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> +Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com> +Tested-by: Charles Keepax <ckeepax@opensource.cirrus.com> +Signed-off-by: Mark Brown <broonie@kernel.org> +Cc: stable@vger.kernel.org + +diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c +index 65c059b5ffd7..66e32f5d2917 100644 +--- a/sound/soc/codecs/wm_adsp.c ++++ b/sound/soc/codecs/wm_adsp.c +@@ -1733,7 +1733,7 @@ static int wm_adsp_load(struct wm_adsp *dsp) + le64_to_cpu(footer->timestamp)); + + while (pos < firmware->size && +- pos - firmware->size > sizeof(*region)) { ++ sizeof(*region) < firmware->size - pos) { + region = (void *)&(firmware->data[pos]); + region_name = "Unknown"; + reg = 0; +@@ -1782,8 +1782,8 @@ static int wm_adsp_load(struct wm_adsp *dsp) + regions, le32_to_cpu(region->len), offset, + region_name); + +- if ((pos + le32_to_cpu(region->len) + sizeof(*region)) > +- firmware->size) { ++ if (le32_to_cpu(region->len) > ++ firmware->size - pos - sizeof(*region)) { + adsp_err(dsp, + "%s.%d: %s region len %d bytes exceeds file length %zu\n", + file, regions, region_name, +@@ -2253,7 +2253,7 @@ static int wm_adsp_load_coeff(struct wm_adsp *dsp) + + blocks = 0; + while (pos < firmware->size && +- pos - firmware->size > sizeof(*blk)) { ++ sizeof(*blk) < firmware->size - pos) { + blk = (void *)(&firmware->data[pos]); + + type = le16_to_cpu(blk->type); +@@ -2327,8 +2327,8 @@ static int wm_adsp_load_coeff(struct wm_adsp *dsp) + } + + if (reg) { +- if ((pos + le32_to_cpu(blk->len) + sizeof(*blk)) > +- firmware->size) { ++ if (le32_to_cpu(blk->len) > ++ firmware->size - pos - sizeof(*blk)) { + adsp_err(dsp, + "%s.%d: %s region len %d bytes exceeds file length %zu\n", + file, blocks, region_name, +-- +2.15.0 + diff --git a/queue/IB-core-Verify-that-QP-is-security-enabled-in-create.patch b/queue/IB-core-Verify-that-QP-is-security-enabled-in-create.patch new file mode 100644 index 0000000..1655e2d --- /dev/null +++ b/queue/IB-core-Verify-that-QP-is-security-enabled-in-create.patch @@ -0,0 +1,52 @@ +From 4a50881bbac309e6f0684816a180bc3c14e1485d Mon Sep 17 00:00:00 2001 +From: Moni Shoua <monis@mellanox.com> +Date: Sun, 24 Dec 2017 13:54:58 +0200 +Subject: [PATCH] IB/core: Verify that QP is security enabled in create and + destroy + +commit 4a50881bbac309e6f0684816a180bc3c14e1485d upstream. + +The XRC target QP create flow sets up qp_sec only if there is an IB link with +LSM security enabled. However, several other related uAPI entry points blindly +follow the qp_sec NULL pointer, resulting in a possible oops. + +Check for NULL before using qp_sec. + +Cc: <stable@vger.kernel.org> # v4.12 +Fixes: d291f1a65232 ("IB/core: Enforce PKey security on QPs") +Reviewed-by: Daniel Jurgens <danielj@mellanox.com> +Signed-off-by: Moni Shoua <monis@mellanox.com> +Signed-off-by: Leon Romanovsky <leon@kernel.org> +Signed-off-by: Jason Gunthorpe <jgg@mellanox.com> + +diff --git a/drivers/infiniband/core/security.c b/drivers/infiniband/core/security.c +index feafdb961c48..59b2f96d986a 100644 +--- a/drivers/infiniband/core/security.c ++++ b/drivers/infiniband/core/security.c +@@ -386,6 +386,9 @@ int ib_open_shared_qp_security(struct ib_qp *qp, struct ib_device *dev) + if (ret) + return ret; + ++ if (!qp->qp_sec) ++ return 0; ++ + mutex_lock(&real_qp->qp_sec->mutex); + ret = check_qp_port_pkey_settings(real_qp->qp_sec->ports_pkeys, + qp->qp_sec); +diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c +index 3fb8fb6cc824..e36d27ed4daa 100644 +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -1438,7 +1438,8 @@ int ib_close_qp(struct ib_qp *qp) + spin_unlock_irqrestore(&real_qp->device->event_handler_lock, flags); + + atomic_dec(&real_qp->usecnt); +- ib_close_shared_qp_security(qp->qp_sec); ++ if (qp->qp_sec) ++ ib_close_shared_qp_security(qp->qp_sec); + kfree(qp); + + return 0; +-- +2.15.0 + diff --git a/queue/IB-hfi-Only-read-capability-registers-if-the-capabil.patch b/queue/IB-hfi-Only-read-capability-registers-if-the-capabil.patch new file mode 100644 index 0000000..7227bfe --- /dev/null +++ b/queue/IB-hfi-Only-read-capability-registers-if-the-capabil.patch @@ -0,0 +1,88 @@ +From 4c009af473b2026caaa26107e34d7cc68dad7756 Mon Sep 17 00:00:00 2001 +From: "Michael J. Ruhl" <michael.j.ruhl@intel.com> +Date: Fri, 22 Dec 2017 08:47:20 -0800 +Subject: [PATCH] IB/hfi: Only read capability registers if the capability + exists + +commit 4c009af473b2026caaa26107e34d7cc68dad7756 upstream. + +During driver init, various registers are saved to allow restoration +after an FLR or gen3 bump. Some of these registers are not available +in some circumstances (i.e. Virtual machines). + +This bug makes the driver unusable when the PCI device is passed into +a VM, it fails during probe. + +Delete unnecessary register read/write, and only access register if +the capability exists. + +Cc: <stable@vger.kernel.org> # 4.14.x +Fixes: a618b7e40af2 ("IB/hfi1: Move saving PCI values to a separate function") +Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com> +Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com> +Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com> +Signed-off-by: Jason Gunthorpe <jgg@mellanox.com> + +diff --git a/drivers/infiniband/hw/hfi1/hfi.h b/drivers/infiniband/hw/hfi1/hfi.h +index 4a9b4d7efe63..8ce9118d4a7f 100644 +--- a/drivers/infiniband/hw/hfi1/hfi.h ++++ b/drivers/infiniband/hw/hfi1/hfi.h +@@ -1131,7 +1131,6 @@ struct hfi1_devdata { + u16 pcie_lnkctl; + u16 pcie_devctl2; + u32 pci_msix0; +- u32 pci_lnkctl3; + u32 pci_tph2; + + /* +diff --git a/drivers/infiniband/hw/hfi1/pcie.c b/drivers/infiniband/hw/hfi1/pcie.c +index 09e50fd2a08f..8c7e7a60b715 100644 +--- a/drivers/infiniband/hw/hfi1/pcie.c ++++ b/drivers/infiniband/hw/hfi1/pcie.c +@@ -411,15 +411,12 @@ int restore_pci_variables(struct hfi1_devdata *dd) + if (ret) + goto error; + +- ret = pci_write_config_dword(dd->pcidev, PCIE_CFG_SPCIE1, +- dd->pci_lnkctl3); +- if (ret) +- goto error; +- +- ret = pci_write_config_dword(dd->pcidev, PCIE_CFG_TPH2, dd->pci_tph2); +- if (ret) +- goto error; +- ++ if (pci_find_ext_capability(dd->pcidev, PCI_EXT_CAP_ID_TPH)) { ++ ret = pci_write_config_dword(dd->pcidev, PCIE_CFG_TPH2, ++ dd->pci_tph2); ++ if (ret) ++ goto error; ++ } + return 0; + + error: +@@ -469,15 +466,12 @@ int save_pci_variables(struct hfi1_devdata *dd) + if (ret) + goto error; + +- ret = pci_read_config_dword(dd->pcidev, PCIE_CFG_SPCIE1, +- &dd->pci_lnkctl3); +- if (ret) +- goto error; +- +- ret = pci_read_config_dword(dd->pcidev, PCIE_CFG_TPH2, &dd->pci_tph2); +- if (ret) +- goto error; +- ++ if (pci_find_ext_capability(dd->pcidev, PCI_EXT_CAP_ID_TPH)) { ++ ret = pci_read_config_dword(dd->pcidev, PCIE_CFG_TPH2, ++ &dd->pci_tph2); ++ if (ret) ++ goto error; ++ } + return 0; + + error: +-- +2.15.0 + diff --git a/queue/IB-mlx5-Serialize-access-to-the-VMA-list.patch b/queue/IB-mlx5-Serialize-access-to-the-VMA-list.patch new file mode 100644 index 0000000..2053625 --- /dev/null +++ b/queue/IB-mlx5-Serialize-access-to-the-VMA-list.patch @@ -0,0 +1,98 @@ +From ad9a3668a434faca1339789ed2f043d679199309 Mon Sep 17 00:00:00 2001 +From: Majd Dibbiny <majd@mellanox.com> +Date: Sun, 24 Dec 2017 13:54:56 +0200 +Subject: [PATCH] IB/mlx5: Serialize access to the VMA list + +commit ad9a3668a434faca1339789ed2f043d679199309 upstream. + +User-space applications can do mmap and munmap directly at +any time. + +Since the VMA list is not protected with a mutex, concurrent +accesses to the VMA list from the mmap and munmap can cause +data corruption. Add a mutex around the list. + +Cc: <stable@vger.kernel.org> # v4.7 +Fixes: 7c2344c3bbf9 ("IB/mlx5: Implements disassociate_ucontext API") +Reviewed-by: Yishai Hadas <yishaih@mellanox.com> +Signed-off-by: Majd Dibbiny <majd@mellanox.com> +Signed-off-by: Leon Romanovsky <leon@kernel.org> +Signed-off-by: Jason Gunthorpe <jgg@mellanox.com> + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index b4ef4d9b6ce5..8ac50de2b242 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -1463,6 +1463,7 @@ static struct ib_ucontext *mlx5_ib_alloc_ucontext(struct ib_device *ibdev, + } + + INIT_LIST_HEAD(&context->vma_private_list); ++ mutex_init(&context->vma_private_list_mutex); + INIT_LIST_HEAD(&context->db_page_list); + mutex_init(&context->db_page_mutex); + +@@ -1624,7 +1625,9 @@ static void mlx5_ib_vma_close(struct vm_area_struct *area) + * mlx5_ib_disassociate_ucontext(). + */ + mlx5_ib_vma_priv_data->vma = NULL; ++ mutex_lock(mlx5_ib_vma_priv_data->vma_private_list_mutex); + list_del(&mlx5_ib_vma_priv_data->list); ++ mutex_unlock(mlx5_ib_vma_priv_data->vma_private_list_mutex); + kfree(mlx5_ib_vma_priv_data); + } + +@@ -1644,10 +1647,13 @@ static int mlx5_ib_set_vma_data(struct vm_area_struct *vma, + return -ENOMEM; + + vma_prv->vma = vma; ++ vma_prv->vma_private_list_mutex = &ctx->vma_private_list_mutex; + vma->vm_private_data = vma_prv; + vma->vm_ops = &mlx5_ib_vm_ops; + ++ mutex_lock(&ctx->vma_private_list_mutex); + list_add(&vma_prv->list, vma_head); ++ mutex_unlock(&ctx->vma_private_list_mutex); + + return 0; + } +@@ -1690,6 +1696,7 @@ static void mlx5_ib_disassociate_ucontext(struct ib_ucontext *ibcontext) + * mlx5_ib_vma_close. + */ + down_write(&owning_mm->mmap_sem); ++ mutex_lock(&context->vma_private_list_mutex); + list_for_each_entry_safe(vma_private, n, &context->vma_private_list, + list) { + vma = vma_private->vma; +@@ -1704,6 +1711,7 @@ static void mlx5_ib_disassociate_ucontext(struct ib_ucontext *ibcontext) + list_del(&vma_private->list); + kfree(vma_private); + } ++ mutex_unlock(&context->vma_private_list_mutex); + up_write(&owning_mm->mmap_sem); + mmput(owning_mm); + put_task_struct(owning_process); +diff --git a/drivers/infiniband/hw/mlx5/mlx5_ib.h b/drivers/infiniband/hw/mlx5/mlx5_ib.h +index 6dd8cac78de2..2c5f3533bbc9 100644 +--- a/drivers/infiniband/hw/mlx5/mlx5_ib.h ++++ b/drivers/infiniband/hw/mlx5/mlx5_ib.h +@@ -115,6 +115,8 @@ enum { + struct mlx5_ib_vma_private_data { + struct list_head list; + struct vm_area_struct *vma; ++ /* protect vma_private_list add/del */ ++ struct mutex *vma_private_list_mutex; + }; + + struct mlx5_ib_ucontext { +@@ -129,6 +131,8 @@ struct mlx5_ib_ucontext { + /* Transport Domain number */ + u32 tdn; + struct list_head vma_private_list; ++ /* protect vma_private_list add/del */ ++ struct mutex vma_private_list_mutex; + + unsigned long upd_xlt_page; + /* protect ODP/KSM */ +-- +2.15.0 + diff --git a/queue/IB-uverbs-Fix-command-checking-as-part-of-ib_uverbs_.patch b/queue/IB-uverbs-Fix-command-checking-as-part-of-ib_uverbs_.patch new file mode 100644 index 0000000..d36acf8 --- /dev/null +++ b/queue/IB-uverbs-Fix-command-checking-as-part-of-ib_uverbs_.patch @@ -0,0 +1,38 @@ +From 05d14e7b0c138cb07ba30e464f47b39434f3fdef Mon Sep 17 00:00:00 2001 +From: Moni Shoua <monis@mellanox.com> +Date: Sun, 24 Dec 2017 13:54:57 +0200 +Subject: [PATCH] IB/uverbs: Fix command checking as part of + ib_uverbs_ex_modify_qp() + +commit 05d14e7b0c138cb07ba30e464f47b39434f3fdef upstream. + +If the input command length is larger than the kernel supports an error should +be returned in case the unsupported bytes are not cleared, instead of the +other way aroudn. This matches what all other callers of ib_is_udata_cleared +do and will avoid user ABI problems in the future. + +Cc: <stable@vger.kernel.org> # v4.10 +Fixes: 189aba99e700 ("IB/uverbs: Extend modify_qp and support packet pacing") +Reviewed-by: Yishai Hadas <yishaih@mellanox.com> +Signed-off-by: Moni Shoua <monis@mellanox.com> +Signed-off-by: Leon Romanovsky <leon@kernel.org> +Signed-off-by: Jason Gunthorpe <jgg@mellanox.com> + +diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c +index d0202bb176a4..840b24096690 100644 +--- a/drivers/infiniband/core/uverbs_cmd.c ++++ b/drivers/infiniband/core/uverbs_cmd.c +@@ -2074,8 +2074,8 @@ int ib_uverbs_ex_modify_qp(struct ib_uverbs_file *file, + return -EOPNOTSUPP; + + if (ucore->inlen > sizeof(cmd)) { +- if (ib_is_udata_cleared(ucore, sizeof(cmd), +- ucore->inlen - sizeof(cmd))) ++ if (!ib_is_udata_cleared(ucore, sizeof(cmd), ++ ucore->inlen - sizeof(cmd))) + return -EOPNOTSUPP; + } + +-- +2.15.0 + diff --git a/queue/RDS-Check-cmsg_len-before-dereferencing-CMSG_DATA.patch b/queue/RDS-Check-cmsg_len-before-dereferencing-CMSG_DATA.patch new file mode 100644 index 0000000..ff5a3eb --- /dev/null +++ b/queue/RDS-Check-cmsg_len-before-dereferencing-CMSG_DATA.patch @@ -0,0 +1,70 @@ +From 14e138a86f6347c6199f610576d2e11c03bec5f0 Mon Sep 17 00:00:00 2001 +From: Avinash Repaka <avinash.repaka@oracle.com> +Date: Thu, 21 Dec 2017 20:17:04 -0800 +Subject: [PATCH] RDS: Check cmsg_len before dereferencing CMSG_DATA + +commit 14e138a86f6347c6199f610576d2e11c03bec5f0 upstream. + +RDS currently doesn't check if the length of the control message is +large enough to hold the required data, before dereferencing the control +message data. This results in following crash: + +BUG: KASAN: stack-out-of-bounds in rds_rdma_bytes net/rds/send.c:1013 +[inline] +BUG: KASAN: stack-out-of-bounds in rds_sendmsg+0x1f02/0x1f90 +net/rds/send.c:1066 +Read of size 8 at addr ffff8801c928fb70 by task syzkaller455006/3157 + +CPU: 0 PID: 3157 Comm: syzkaller455006 Not tainted 4.15.0-rc3+ #161 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x194/0x257 lib/dump_stack.c:53 + print_address_description+0x73/0x250 mm/kasan/report.c:252 + kasan_report_error mm/kasan/report.c:351 [inline] + kasan_report+0x25b/0x340 mm/kasan/report.c:409 + __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430 + rds_rdma_bytes net/rds/send.c:1013 [inline] + rds_sendmsg+0x1f02/0x1f90 net/rds/send.c:1066 + sock_sendmsg_nosec net/socket.c:628 [inline] + sock_sendmsg+0xca/0x110 net/socket.c:638 + ___sys_sendmsg+0x320/0x8b0 net/socket.c:2018 + __sys_sendmmsg+0x1ee/0x620 net/socket.c:2108 + SYSC_sendmmsg net/socket.c:2139 [inline] + SyS_sendmmsg+0x35/0x60 net/socket.c:2134 + entry_SYSCALL_64_fastpath+0x1f/0x96 +RIP: 0033:0x43fe49 +RSP: 002b:00007fffbe244ad8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133 +RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fe49 +RDX: 0000000000000001 RSI: 000000002020c000 RDI: 0000000000000003 +RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004017b0 +R13: 0000000000401840 R14: 0000000000000000 R15: 0000000000000000 + +To fix this, we verify that the cmsg_len is large enough to hold the +data to be read, before proceeding further. + +Reported-by: syzbot <syzkaller-bugs@googlegroups.com> +Signed-off-by: Avinash Repaka <avinash.repaka@oracle.com> +Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> +Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/rds/send.c b/net/rds/send.c +index b52cdc8ae428..f72466c63f0c 100644 +--- a/net/rds/send.c ++++ b/net/rds/send.c +@@ -1009,6 +1009,9 @@ static int rds_rdma_bytes(struct msghdr *msg, size_t *rdma_bytes) + continue; + + if (cmsg->cmsg_type == RDS_CMSG_RDMA_ARGS) { ++ if (cmsg->cmsg_len < ++ CMSG_LEN(sizeof(struct rds_rdma_args))) ++ return -EINVAL; + args = CMSG_DATA(cmsg); + *rdma_bytes += args->remote_vec.bytes; + } +-- +2.15.0 + diff --git a/queue/Revert-mlx5-move-affinity-hints-assignments-to-gener.patch b/queue/Revert-mlx5-move-affinity-hints-assignments-to-gener.patch new file mode 100644 index 0000000..d9a3238 --- /dev/null +++ b/queue/Revert-mlx5-move-affinity-hints-assignments-to-gener.patch @@ -0,0 +1,340 @@ +From 231243c82793428467524227ae02ca451e6a98e7 Mon Sep 17 00:00:00 2001 +From: Saeed Mahameed <saeedm@mellanox.com> +Date: Fri, 10 Nov 2017 15:59:52 +0900 +Subject: [PATCH] Revert "mlx5: move affinity hints assignments to generic + code" + +commit 231243c82793428467524227ae02ca451e6a98e7 upstream. + +Before the offending commit, mlx5 core did the IRQ affinity itself, +and it seems that the new generic code have some drawbacks and one +of them is the lack for user ability to modify irq affinity after +the initial affinity values got assigned. + +The issue is still being discussed and a solution in the new generic code +is required, until then we need to revert this patch. + +This fixes the following issue: +echo <new affinity> > /proc/irq/<x>/smp_affinity +fails with -EIO + +This reverts commit a435393acafbf0ecff4deb3e3cb554b34f0d0664. +Note: kept mlx5_get_vector_affinity in include/linux/mlx5/driver.h since +it is used in mlx5_ib driver. + +Fixes: a435393acafb ("mlx5: move affinity hints assignments to generic code") +Cc: Sagi Grimberg <sagi@grimberg.me> +Cc: Thomas Gleixner <tglx@linutronix.de> +Cc: Jes Sorensen <jsorensen@fb.com> +Reported-by: Jes Sorensen <jsorensen@fb.com> +Signed-off-by: Saeed Mahameed <saeedm@mellanox.com> + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h +index c0872b3284cb..43f9054830e5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h +@@ -590,6 +590,7 @@ struct mlx5e_channel { + struct mlx5_core_dev *mdev; + struct hwtstamp_config *tstamp; + int ix; ++ int cpu; + }; + + struct mlx5e_channels { +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index d2b057a3e512..cbec66bc82f1 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -71,11 +71,6 @@ struct mlx5e_channel_param { + struct mlx5e_cq_param icosq_cq; + }; + +-static int mlx5e_get_node(struct mlx5e_priv *priv, int ix) +-{ +- return pci_irq_get_node(priv->mdev->pdev, MLX5_EQ_VEC_COMP_BASE + ix); +-} +- + static bool mlx5e_check_fragmented_striding_rq_cap(struct mlx5_core_dev *mdev) + { + return MLX5_CAP_GEN(mdev, striding_rq) && +@@ -444,17 +439,16 @@ static int mlx5e_rq_alloc_mpwqe_info(struct mlx5e_rq *rq, + int wq_sz = mlx5_wq_ll_get_size(&rq->wq); + int mtt_sz = mlx5e_get_wqe_mtt_sz(); + int mtt_alloc = mtt_sz + MLX5_UMR_ALIGN - 1; +- int node = mlx5e_get_node(c->priv, c->ix); + int i; + + rq->mpwqe.info = kzalloc_node(wq_sz * sizeof(*rq->mpwqe.info), +- GFP_KERNEL, node); ++ GFP_KERNEL, cpu_to_node(c->cpu)); + if (!rq->mpwqe.info) + goto err_out; + + /* We allocate more than mtt_sz as we will align the pointer */ +- rq->mpwqe.mtt_no_align = kzalloc_node(mtt_alloc * wq_sz, +- GFP_KERNEL, node); ++ rq->mpwqe.mtt_no_align = kzalloc_node(mtt_alloc * wq_sz, GFP_KERNEL, ++ cpu_to_node(c->cpu)); + if (unlikely(!rq->mpwqe.mtt_no_align)) + goto err_free_wqe_info; + +@@ -562,7 +556,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c, + int err; + int i; + +- rqp->wq.db_numa_node = mlx5e_get_node(c->priv, c->ix); ++ rqp->wq.db_numa_node = cpu_to_node(c->cpu); + + err = mlx5_wq_ll_create(mdev, &rqp->wq, rqc_wq, &rq->wq, + &rq->wq_ctrl); +@@ -629,8 +623,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c, + default: /* MLX5_WQ_TYPE_LINKED_LIST */ + rq->wqe.frag_info = + kzalloc_node(wq_sz * sizeof(*rq->wqe.frag_info), +- GFP_KERNEL, +- mlx5e_get_node(c->priv, c->ix)); ++ GFP_KERNEL, cpu_to_node(c->cpu)); + if (!rq->wqe.frag_info) { + err = -ENOMEM; + goto err_rq_wq_destroy; +@@ -1000,13 +993,13 @@ static int mlx5e_alloc_xdpsq(struct mlx5e_channel *c, + sq->uar_map = mdev->mlx5e_res.bfreg.map; + sq->min_inline_mode = params->tx_min_inline_mode; + +- param->wq.db_numa_node = mlx5e_get_node(c->priv, c->ix); ++ param->wq.db_numa_node = cpu_to_node(c->cpu); + err = mlx5_wq_cyc_create(mdev, ¶m->wq, sqc_wq, &sq->wq, &sq->wq_ctrl); + if (err) + return err; + sq->wq.db = &sq->wq.db[MLX5_SND_DBR]; + +- err = mlx5e_alloc_xdpsq_db(sq, mlx5e_get_node(c->priv, c->ix)); ++ err = mlx5e_alloc_xdpsq_db(sq, cpu_to_node(c->cpu)); + if (err) + goto err_sq_wq_destroy; + +@@ -1053,13 +1046,13 @@ static int mlx5e_alloc_icosq(struct mlx5e_channel *c, + sq->channel = c; + sq->uar_map = mdev->mlx5e_res.bfreg.map; + +- param->wq.db_numa_node = mlx5e_get_node(c->priv, c->ix); ++ param->wq.db_numa_node = cpu_to_node(c->cpu); + err = mlx5_wq_cyc_create(mdev, ¶m->wq, sqc_wq, &sq->wq, &sq->wq_ctrl); + if (err) + return err; + sq->wq.db = &sq->wq.db[MLX5_SND_DBR]; + +- err = mlx5e_alloc_icosq_db(sq, mlx5e_get_node(c->priv, c->ix)); ++ err = mlx5e_alloc_icosq_db(sq, cpu_to_node(c->cpu)); + if (err) + goto err_sq_wq_destroy; + +@@ -1126,13 +1119,13 @@ static int mlx5e_alloc_txqsq(struct mlx5e_channel *c, + if (MLX5_IPSEC_DEV(c->priv->mdev)) + set_bit(MLX5E_SQ_STATE_IPSEC, &sq->state); + +- param->wq.db_numa_node = mlx5e_get_node(c->priv, c->ix); ++ param->wq.db_numa_node = cpu_to_node(c->cpu); + err = mlx5_wq_cyc_create(mdev, ¶m->wq, sqc_wq, &sq->wq, &sq->wq_ctrl); + if (err) + return err; + sq->wq.db = &sq->wq.db[MLX5_SND_DBR]; + +- err = mlx5e_alloc_txqsq_db(sq, mlx5e_get_node(c->priv, c->ix)); ++ err = mlx5e_alloc_txqsq_db(sq, cpu_to_node(c->cpu)); + if (err) + goto err_sq_wq_destroy; + +@@ -1504,8 +1497,8 @@ static int mlx5e_alloc_cq(struct mlx5e_channel *c, + struct mlx5_core_dev *mdev = c->priv->mdev; + int err; + +- param->wq.buf_numa_node = mlx5e_get_node(c->priv, c->ix); +- param->wq.db_numa_node = mlx5e_get_node(c->priv, c->ix); ++ param->wq.buf_numa_node = cpu_to_node(c->cpu); ++ param->wq.db_numa_node = cpu_to_node(c->cpu); + param->eq_ix = c->ix; + + err = mlx5e_alloc_cq_common(mdev, param, cq); +@@ -1604,6 +1597,11 @@ static void mlx5e_close_cq(struct mlx5e_cq *cq) + mlx5e_free_cq(cq); + } + ++static int mlx5e_get_cpu(struct mlx5e_priv *priv, int ix) ++{ ++ return cpumask_first(priv->mdev->priv.irq_info[ix].mask); ++} ++ + static int mlx5e_open_tx_cqs(struct mlx5e_channel *c, + struct mlx5e_params *params, + struct mlx5e_channel_param *cparam) +@@ -1752,12 +1750,13 @@ static int mlx5e_open_channel(struct mlx5e_priv *priv, int ix, + { + struct mlx5e_cq_moder icocq_moder = {0, 0}; + struct net_device *netdev = priv->netdev; ++ int cpu = mlx5e_get_cpu(priv, ix); + struct mlx5e_channel *c; + unsigned int irq; + int err; + int eqn; + +- c = kzalloc_node(sizeof(*c), GFP_KERNEL, mlx5e_get_node(priv, ix)); ++ c = kzalloc_node(sizeof(*c), GFP_KERNEL, cpu_to_node(cpu)); + if (!c) + return -ENOMEM; + +@@ -1765,6 +1764,7 @@ static int mlx5e_open_channel(struct mlx5e_priv *priv, int ix, + c->mdev = priv->mdev; + c->tstamp = &priv->tstamp; + c->ix = ix; ++ c->cpu = cpu; + c->pdev = &priv->mdev->pdev->dev; + c->netdev = priv->netdev; + c->mkey_be = cpu_to_be32(priv->mdev->mlx5e_res.mkey.key); +@@ -1853,8 +1853,7 @@ static void mlx5e_activate_channel(struct mlx5e_channel *c) + for (tc = 0; tc < c->num_tc; tc++) + mlx5e_activate_txqsq(&c->sq[tc]); + mlx5e_activate_rq(&c->rq); +- netif_set_xps_queue(c->netdev, +- mlx5_get_vector_affinity(c->priv->mdev, c->ix), c->ix); ++ netif_set_xps_queue(c->netdev, get_cpu_mask(c->cpu), c->ix); + } + + static void mlx5e_deactivate_channel(struct mlx5e_channel *c) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index 5f323442cc5a..8a89c7e8cd63 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -317,9 +317,6 @@ static int mlx5_alloc_irq_vectors(struct mlx5_core_dev *dev) + { + struct mlx5_priv *priv = &dev->priv; + struct mlx5_eq_table *table = &priv->eq_table; +- struct irq_affinity irqdesc = { +- .pre_vectors = MLX5_EQ_VEC_COMP_BASE, +- }; + int num_eqs = 1 << MLX5_CAP_GEN(dev, log_max_eq); + int nvec; + +@@ -333,10 +330,9 @@ static int mlx5_alloc_irq_vectors(struct mlx5_core_dev *dev) + if (!priv->irq_info) + goto err_free_msix; + +- nvec = pci_alloc_irq_vectors_affinity(dev->pdev, ++ nvec = pci_alloc_irq_vectors(dev->pdev, + MLX5_EQ_VEC_COMP_BASE + 1, nvec, +- PCI_IRQ_MSIX | PCI_IRQ_AFFINITY, +- &irqdesc); ++ PCI_IRQ_MSIX); + if (nvec < 0) + return nvec; + +@@ -622,6 +618,63 @@ u64 mlx5_read_internal_timer(struct mlx5_core_dev *dev) + return (u64)timer_l | (u64)timer_h1 << 32; + } + ++static int mlx5_irq_set_affinity_hint(struct mlx5_core_dev *mdev, int i) ++{ ++ struct mlx5_priv *priv = &mdev->priv; ++ int irq = pci_irq_vector(mdev->pdev, MLX5_EQ_VEC_COMP_BASE + i); ++ ++ if (!zalloc_cpumask_var(&priv->irq_info[i].mask, GFP_KERNEL)) { ++ mlx5_core_warn(mdev, "zalloc_cpumask_var failed"); ++ return -ENOMEM; ++ } ++ ++ cpumask_set_cpu(cpumask_local_spread(i, priv->numa_node), ++ priv->irq_info[i].mask); ++ ++ if (IS_ENABLED(CONFIG_SMP) && ++ irq_set_affinity_hint(irq, priv->irq_info[i].mask)) ++ mlx5_core_warn(mdev, "irq_set_affinity_hint failed, irq 0x%.4x", irq); ++ ++ return 0; ++} ++ ++static void mlx5_irq_clear_affinity_hint(struct mlx5_core_dev *mdev, int i) ++{ ++ struct mlx5_priv *priv = &mdev->priv; ++ int irq = pci_irq_vector(mdev->pdev, MLX5_EQ_VEC_COMP_BASE + i); ++ ++ irq_set_affinity_hint(irq, NULL); ++ free_cpumask_var(priv->irq_info[i].mask); ++} ++ ++static int mlx5_irq_set_affinity_hints(struct mlx5_core_dev *mdev) ++{ ++ int err; ++ int i; ++ ++ for (i = 0; i < mdev->priv.eq_table.num_comp_vectors; i++) { ++ err = mlx5_irq_set_affinity_hint(mdev, i); ++ if (err) ++ goto err_out; ++ } ++ ++ return 0; ++ ++err_out: ++ for (i--; i >= 0; i--) ++ mlx5_irq_clear_affinity_hint(mdev, i); ++ ++ return err; ++} ++ ++static void mlx5_irq_clear_affinity_hints(struct mlx5_core_dev *mdev) ++{ ++ int i; ++ ++ for (i = 0; i < mdev->priv.eq_table.num_comp_vectors; i++) ++ mlx5_irq_clear_affinity_hint(mdev, i); ++} ++ + int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn, + unsigned int *irqn) + { +@@ -1097,6 +1150,12 @@ static int mlx5_load_one(struct mlx5_core_dev *dev, struct mlx5_priv *priv, + goto err_stop_eqs; + } + ++ err = mlx5_irq_set_affinity_hints(dev); ++ if (err) { ++ dev_err(&pdev->dev, "Failed to alloc affinity hint cpumask\n"); ++ goto err_affinity_hints; ++ } ++ + err = mlx5_init_fs(dev); + if (err) { + dev_err(&pdev->dev, "Failed to init flow steering\n"); +@@ -1154,6 +1213,9 @@ err_sriov: + mlx5_cleanup_fs(dev); + + err_fs: ++ mlx5_irq_clear_affinity_hints(dev); ++ ++err_affinity_hints: + free_comp_eqs(dev); + + err_stop_eqs: +@@ -1222,6 +1284,7 @@ static int mlx5_unload_one(struct mlx5_core_dev *dev, struct mlx5_priv *priv, + + mlx5_sriov_detach(dev); + mlx5_cleanup_fs(dev); ++ mlx5_irq_clear_affinity_hints(dev); + free_comp_eqs(dev); + mlx5_stop_eqs(dev); + mlx5_put_uars_page(dev, priv->uar); +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index a886b51511ab..40a6f33c4cde 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -556,6 +556,7 @@ struct mlx5_core_sriov { + }; + + struct mlx5_irq_info { ++ cpumask_var_t mask; + char name[MLX5_MAX_IRQ_NAME]; + }; + +-- +2.15.0 + diff --git a/queue/USB-chipidea-msm-fix-ulpi-node-lookup.patch b/queue/USB-chipidea-msm-fix-ulpi-node-lookup.patch new file mode 100644 index 0000000..b1582dc --- /dev/null +++ b/queue/USB-chipidea-msm-fix-ulpi-node-lookup.patch @@ -0,0 +1,39 @@ +From 964728f9f407eca0b417fdf8e784b7a76979490c Mon Sep 17 00:00:00 2001 +From: Johan Hovold <johan@kernel.org> +Date: Mon, 13 Nov 2017 11:12:58 +0100 +Subject: [PATCH] USB: chipidea: msm: fix ulpi-node lookup + +commit 964728f9f407eca0b417fdf8e784b7a76979490c upstream. + +Fix child-node lookup during probe, which ended up searching the whole +device tree depth-first starting at the parent rather than just matching +on its children. + +Note that the original premature free of the parent node has already +been fixed separately, but that fix was apparently never backported to +stable. + +Fixes: 47654a162081 ("usb: chipidea: msm: Restore wrapper settings after reset") +Fixes: b74c43156c0c ("usb: chipidea: msm: ci_hdrc_msm_probe() missing of_node_get()") +Cc: stable <stable@vger.kernel.org> # 4.10: b74c43156c0c +Cc: Stephen Boyd <stephen.boyd@linaro.org> +Cc: Frank Rowand <frank.rowand@sony.com> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Peter Chen <peter.chen@nxp.com> + +diff --git a/drivers/usb/chipidea/ci_hdrc_msm.c b/drivers/usb/chipidea/ci_hdrc_msm.c +index 3593ce0ec641..880009987460 100644 +--- a/drivers/usb/chipidea/ci_hdrc_msm.c ++++ b/drivers/usb/chipidea/ci_hdrc_msm.c +@@ -247,7 +247,7 @@ static int ci_hdrc_msm_probe(struct platform_device *pdev) + if (ret) + goto err_mux; + +- ulpi_node = of_find_node_by_name(of_node_get(pdev->dev.of_node), "ulpi"); ++ ulpi_node = of_get_child_by_name(pdev->dev.of_node, "ulpi"); + if (ulpi_node) { + phy_node = of_get_next_available_child(ulpi_node, NULL); + ci->hsic = of_device_is_compatible(phy_node, "qcom,usb-hsic-phy"); +-- +2.15.0 + diff --git a/queue/USB-serial-ftdi_sio-add-id-for-Airbus-DS-P8GR.patch b/queue/USB-serial-ftdi_sio-add-id-for-Airbus-DS-P8GR.patch new file mode 100644 index 0000000..f4b241a --- /dev/null +++ b/queue/USB-serial-ftdi_sio-add-id-for-Airbus-DS-P8GR.patch @@ -0,0 +1,45 @@ +From c6a36ad383559a60a249aa6016cebf3cb8b6c485 Mon Sep 17 00:00:00 2001 +From: Max Schulze <max.schulze@posteo.de> +Date: Wed, 20 Dec 2017 20:47:44 +0100 +Subject: [PATCH] USB: serial: ftdi_sio: add id for Airbus DS P8GR + +commit c6a36ad383559a60a249aa6016cebf3cb8b6c485 upstream. + +Add AIRBUS_DS_P8GR device IDs to ftdi_sio driver. + +Signed-off-by: Max Schulze <max.schulze@posteo.de> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Johan Hovold <johan@kernel.org> + +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index 1aba9105b369..fc68952c994a 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1013,6 +1013,7 @@ static const struct usb_device_id id_table_combined[] = { + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_BT_USB_PID) }, + { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_WL_USB_PID) }, ++ { USB_DEVICE(AIRBUS_DS_VID, AIRBUS_DS_P8GR) }, + { } /* Terminating entry */ + }; + +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h +index 4faa09fe308c..8b4ecd2bd297 100644 +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -914,6 +914,12 @@ + #define ICPDAS_I7561U_PID 0x0104 + #define ICPDAS_I7563U_PID 0x0105 + ++/* ++ * Airbus Defence and Space ++ */ ++#define AIRBUS_DS_VID 0x1e8e /* Vendor ID */ ++#define AIRBUS_DS_P8GR 0x6001 /* Tetra P8GR */ ++ + /* + * RT Systems programming cables for various ham radios + */ +-- +2.15.0 + diff --git a/queue/USB-serial-option-add-support-for-Telit-ME910-PID-0x.patch b/queue/USB-serial-option-add-support-for-Telit-ME910-PID-0x.patch new file mode 100644 index 0000000..373798d --- /dev/null +++ b/queue/USB-serial-option-add-support-for-Telit-ME910-PID-0x.patch @@ -0,0 +1,49 @@ +From 08933099e6404f588f81c2050bfec7313e06eeaf Mon Sep 17 00:00:00 2001 +From: Daniele Palmas <dnlplm@gmail.com> +Date: Thu, 14 Dec 2017 16:54:45 +0100 +Subject: [PATCH] USB: serial: option: add support for Telit ME910 PID 0x1101 + +commit 08933099e6404f588f81c2050bfec7313e06eeaf upstream. + +This patch adds support for PID 0x1101 of Telit ME910. + +Signed-off-by: Daniele Palmas <dnlplm@gmail.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Johan Hovold <johan@kernel.org> + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index 3b3513874cfd..b02fb576b856 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -280,6 +280,7 @@ static void option_instat_callback(struct urb *urb); + #define TELIT_PRODUCT_LE922_USBCFG3 0x1043 + #define TELIT_PRODUCT_LE922_USBCFG5 0x1045 + #define TELIT_PRODUCT_ME910 0x1100 ++#define TELIT_PRODUCT_ME910_DUAL_MODEM 0x1101 + #define TELIT_PRODUCT_LE920 0x1200 + #define TELIT_PRODUCT_LE910 0x1201 + #define TELIT_PRODUCT_LE910_USBCFG4 0x1206 +@@ -645,6 +646,11 @@ static const struct option_blacklist_info telit_me910_blacklist = { + .reserved = BIT(1) | BIT(3), + }; + ++static const struct option_blacklist_info telit_me910_dual_modem_blacklist = { ++ .sendsetup = BIT(0), ++ .reserved = BIT(3), ++}; ++ + static const struct option_blacklist_info telit_le910_blacklist = { + .sendsetup = BIT(0), + .reserved = BIT(1) | BIT(2), +@@ -1244,6 +1250,8 @@ static const struct usb_device_id option_ids[] = { + .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910), + .driver_info = (kernel_ulong_t)&telit_me910_blacklist }, ++ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM), ++ .driver_info = (kernel_ulong_t)&telit_me910_dual_modem_blacklist }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910), + .driver_info = (kernel_ulong_t)&telit_le910_blacklist }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4), +-- +2.15.0 + diff --git a/queue/USB-serial-option-adding-support-for-YUGA-CLM920-NC5.patch b/queue/USB-serial-option-adding-support-for-YUGA-CLM920-NC5.patch new file mode 100644 index 0000000..18cf5d2 --- /dev/null +++ b/queue/USB-serial-option-adding-support-for-YUGA-CLM920-NC5.patch @@ -0,0 +1,63 @@ +From 3920bb713038810f25770e7545b79f204685c8f2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?SZ=20Lin=20=28=E6=9E=97=E4=B8=8A=E6=99=BA=29?= + <sz.lin@moxa.com> +Date: Tue, 19 Dec 2017 17:40:32 +0800 +Subject: [PATCH] USB: serial: option: adding support for YUGA CLM920-NC5 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 3920bb713038810f25770e7545b79f204685c8f2 upstream. + +This patch adds support for YUGA CLM920-NC5 PID 0x9625 USB modem to option +driver. + +Interface layout: +0: QCDM/DIAG +1: ADB +2: MODEM +3: AT +4: RMNET + +Signed-off-by: Taiyi Wu <taiyity.wu@moxa.com> +Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Johan Hovold <johan@kernel.org> + +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index b02fb576b856..b6320e3be429 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -233,6 +233,8 @@ static void option_instat_callback(struct urb *urb); + /* These Quectel products use Qualcomm's vendor ID */ + #define QUECTEL_PRODUCT_UC20 0x9003 + #define QUECTEL_PRODUCT_UC15 0x9090 ++/* These Yuga products use Qualcomm's vendor ID */ ++#define YUGA_PRODUCT_CLM920_NC5 0x9625 + + #define QUECTEL_VENDOR_ID 0x2c7c + /* These Quectel products use Quectel's vendor ID */ +@@ -680,6 +682,10 @@ static const struct option_blacklist_info cinterion_rmnet2_blacklist = { + .reserved = BIT(4) | BIT(5), + }; + ++static const struct option_blacklist_info yuga_clm920_nc5_blacklist = { ++ .reserved = BIT(1) | BIT(4), ++}; ++ + static const struct usb_device_id option_ids[] = { + { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) }, + { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_RICOLA) }, +@@ -1184,6 +1190,9 @@ static const struct usb_device_id option_ids[] = { + { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC15)}, + { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC20), + .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ /* Yuga products use Qualcomm vendor ID */ ++ { USB_DEVICE(QUALCOMM_VENDOR_ID, YUGA_PRODUCT_CLM920_NC5), ++ .driver_info = (kernel_ulong_t)&yuga_clm920_nc5_blacklist }, + /* Quectel products using Quectel vendor ID */ + { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC21), + .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, +-- +2.15.0 + diff --git a/queue/USB-serial-qcserial-add-Sierra-Wireless-EM7565.patch b/queue/USB-serial-qcserial-add-Sierra-Wireless-EM7565.patch new file mode 100644 index 0000000..55d65a5 --- /dev/null +++ b/queue/USB-serial-qcserial-add-Sierra-Wireless-EM7565.patch @@ -0,0 +1,77 @@ +From 92a18a657fb2e2ffbfa0659af32cc18fd2346516 Mon Sep 17 00:00:00 2001 +From: Reinhard Speyerer <rspmn@arcor.de> +Date: Fri, 15 Dec 2017 00:39:27 +0100 +Subject: [PATCH] USB: serial: qcserial: add Sierra Wireless EM7565 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 92a18a657fb2e2ffbfa0659af32cc18fd2346516 upstream. + +Sierra Wireless EM7565 devices use the QCSERIAL_SWI layout for their +serial ports + +T: Bus=01 Lev=03 Prnt=29 Port=01 Cnt=02 Dev#= 31 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=1199 ProdID=9091 Rev= 0.06 +S: Manufacturer=Sierra Wireless, Incorporated +S: Product=Sierra Wireless EM7565 Qualcomm Snapdragon X16 LTE-A +S: SerialNumber=xxxxxxxx +C:* #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=qcserial +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=qcserial +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=qcserial +E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 8 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +E: Ad=86(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +but need sendsetup = true for the NMEA port to make it work properly. + +Simplify the patch compared to v1 as suggested by Bjørn Mork by taking +advantage of the fact that existing devices work with sendsetup = true +too. + +Use sendsetup = true for the NMEA interface of QCSERIAL_SWI and add +DEVICE_SWI entries for the EM7565 PID 0x9091 and the EM7565 QDL PID +0x9090. + +Tests with several MC73xx/MC74xx/MC77xx devices have been performed in +order to verify backward compatibility. + +Signed-off-by: Reinhard Speyerer <rspmn@arcor.de> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Johan Hovold <johan@kernel.org> + +diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c +index e3892541a489..613f91add03d 100644 +--- a/drivers/usb/serial/qcserial.c ++++ b/drivers/usb/serial/qcserial.c +@@ -162,6 +162,8 @@ static const struct usb_device_id id_table[] = { + {DEVICE_SWI(0x1199, 0x9079)}, /* Sierra Wireless EM74xx */ + {DEVICE_SWI(0x1199, 0x907a)}, /* Sierra Wireless EM74xx QDL */ + {DEVICE_SWI(0x1199, 0x907b)}, /* Sierra Wireless EM74xx */ ++ {DEVICE_SWI(0x1199, 0x9090)}, /* Sierra Wireless EM7565 QDL */ ++ {DEVICE_SWI(0x1199, 0x9091)}, /* Sierra Wireless EM7565 */ + {DEVICE_SWI(0x413c, 0x81a2)}, /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */ + {DEVICE_SWI(0x413c, 0x81a3)}, /* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card */ + {DEVICE_SWI(0x413c, 0x81a4)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */ +@@ -342,6 +344,7 @@ static int qcprobe(struct usb_serial *serial, const struct usb_device_id *id) + break; + case 2: + dev_dbg(dev, "NMEA GPS interface found\n"); ++ sendsetup = true; + break; + case 3: + dev_dbg(dev, "Modem port found\n"); +-- +2.15.0 + diff --git a/queue/adding-missing-rcu_read_unlock-in-ipxip6_rcv.patch b/queue/adding-missing-rcu_read_unlock-in-ipxip6_rcv.patch new file mode 100644 index 0000000..5bf966b --- /dev/null +++ b/queue/adding-missing-rcu_read_unlock-in-ipxip6_rcv.patch @@ -0,0 +1,36 @@ +From 74c4b656c3d92ec4c824ea1a4afd726b7b6568c8 Mon Sep 17 00:00:00 2001 +From: "Nikita V. Shirokov" <tehnerd@fb.com> +Date: Wed, 6 Dec 2017 17:15:43 -0800 +Subject: [PATCH] adding missing rcu_read_unlock in ipxip6_rcv + +commit 74c4b656c3d92ec4c824ea1a4afd726b7b6568c8 upstream. + +commit 8d79266bc48c ("ip6_tunnel: add collect_md mode to IPv6 tunnels") +introduced new exit point in ipxip6_rcv. however rcu_read_unlock is +missing there. this diff is fixing this + +v1->v2: + instead of doing rcu_read_unlock in place, we are going to "drop" + section (to prevent skb leakage) + +Fixes: 8d79266bc48c ("ip6_tunnel: add collect_md mode to IPv6 tunnels") +Signed-off-by: Nikita V. Shirokov <tehnerd@fb.com> +Acked-by: Alexei Starovoitov <ast@kernel.org> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c +index 3d3092adf1d2..db84f523656d 100644 +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -904,7 +904,7 @@ static int ipxip6_rcv(struct sk_buff *skb, u8 ipproto, + if (t->parms.collect_md) { + tun_dst = ipv6_tun_rx_dst(skb, 0, 0, 0); + if (!tun_dst) +- return 0; ++ goto drop; + } + ret = __ip6_tnl_rcv(t, skb, tpi, tun_dst, dscp_ecn_decapsulate, + log_ecn_error); +-- +2.15.0 + diff --git a/queue/binder-fix-proc-files-use-after-free.patch b/queue/binder-fix-proc-files-use-after-free.patch new file mode 100644 index 0000000..07430b5 --- /dev/null +++ b/queue/binder-fix-proc-files-use-after-free.patch @@ -0,0 +1,148 @@ +From 7f3dc0088b98533f17128058fac73cd8b2752ef1 Mon Sep 17 00:00:00 2001 +From: Todd Kjos <tkjos@android.com> +Date: Mon, 27 Nov 2017 09:32:33 -0800 +Subject: [PATCH] binder: fix proc->files use-after-free + +commit 7f3dc0088b98533f17128058fac73cd8b2752ef1 upstream. + +proc->files cleanup is initiated by binder_vma_close. Therefore +a reference on the binder_proc is not enough to prevent the +files_struct from being released while the binder_proc still has +a reference. This can lead to an attempt to dereference the +stale pointer obtained from proc->files prior to proc->files +cleanup. This has been seen once in task_get_unused_fd_flags() +when __alloc_fd() is called with a stale "files". + +The fix is to protect proc->files with a mutex to prevent cleanup +while in use. + +Signed-off-by: Todd Kjos <tkjos@google.com> +Cc: stable <stable@vger.kernel.org> # 4.14 +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/android/binder.c b/drivers/android/binder.c +index bccec9de0533..a7ecfde66b7b 100644 +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -482,7 +482,8 @@ enum binder_deferred_state { + * @tsk task_struct for group_leader of process + * (invariant after initialized) + * @files files_struct for process +- * (invariant after initialized) ++ * (protected by @files_lock) ++ * @files_lock mutex to protect @files + * @deferred_work_node: element for binder_deferred_list + * (protected by binder_deferred_lock) + * @deferred_work: bitmap of deferred work to perform +@@ -530,6 +531,7 @@ struct binder_proc { + int pid; + struct task_struct *tsk; + struct files_struct *files; ++ struct mutex files_lock; + struct hlist_node deferred_work_node; + int deferred_work; + bool is_dead; +@@ -877,20 +879,26 @@ static void binder_inc_node_tmpref_ilocked(struct binder_node *node); + + static int task_get_unused_fd_flags(struct binder_proc *proc, int flags) + { +- struct files_struct *files = proc->files; + unsigned long rlim_cur; + unsigned long irqs; ++ int ret; + +- if (files == NULL) +- return -ESRCH; +- +- if (!lock_task_sighand(proc->tsk, &irqs)) +- return -EMFILE; +- ++ mutex_lock(&proc->files_lock); ++ if (proc->files == NULL) { ++ ret = -ESRCH; ++ goto err; ++ } ++ if (!lock_task_sighand(proc->tsk, &irqs)) { ++ ret = -EMFILE; ++ goto err; ++ } + rlim_cur = task_rlimit(proc->tsk, RLIMIT_NOFILE); + unlock_task_sighand(proc->tsk, &irqs); + +- return __alloc_fd(files, 0, rlim_cur, flags); ++ ret = __alloc_fd(proc->files, 0, rlim_cur, flags); ++err: ++ mutex_unlock(&proc->files_lock); ++ return ret; + } + + /* +@@ -899,8 +907,10 @@ static int task_get_unused_fd_flags(struct binder_proc *proc, int flags) + static void task_fd_install( + struct binder_proc *proc, unsigned int fd, struct file *file) + { ++ mutex_lock(&proc->files_lock); + if (proc->files) + __fd_install(proc->files, fd, file); ++ mutex_unlock(&proc->files_lock); + } + + /* +@@ -910,9 +920,11 @@ static long task_close_fd(struct binder_proc *proc, unsigned int fd) + { + int retval; + +- if (proc->files == NULL) +- return -ESRCH; +- ++ mutex_lock(&proc->files_lock); ++ if (proc->files == NULL) { ++ retval = -ESRCH; ++ goto err; ++ } + retval = __close_fd(proc->files, fd); + /* can't restart close syscall because file table entry was cleared */ + if (unlikely(retval == -ERESTARTSYS || +@@ -920,7 +932,8 @@ static long task_close_fd(struct binder_proc *proc, unsigned int fd) + retval == -ERESTARTNOHAND || + retval == -ERESTART_RESTARTBLOCK)) + retval = -EINTR; +- ++err: ++ mutex_unlock(&proc->files_lock); + return retval; + } + +@@ -4627,7 +4640,9 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma) + ret = binder_alloc_mmap_handler(&proc->alloc, vma); + if (ret) + return ret; ++ mutex_lock(&proc->files_lock); + proc->files = get_files_struct(current); ++ mutex_unlock(&proc->files_lock); + return 0; + + err_bad_arg: +@@ -4651,6 +4666,7 @@ static int binder_open(struct inode *nodp, struct file *filp) + spin_lock_init(&proc->outer_lock); + get_task_struct(current->group_leader); + proc->tsk = current->group_leader; ++ mutex_init(&proc->files_lock); + INIT_LIST_HEAD(&proc->todo); + proc->default_priority = task_nice(current); + binder_dev = container_of(filp->private_data, struct binder_device, +@@ -4903,9 +4919,11 @@ static void binder_deferred_func(struct work_struct *work) + + files = NULL; + if (defer & BINDER_DEFERRED_PUT_FILES) { ++ mutex_lock(&proc->files_lock); + files = proc->files; + if (files) + proc->files = NULL; ++ mutex_unlock(&proc->files_lock); + } + + if (defer & BINDER_DEFERRED_FLUSH) +-- +2.15.0 + diff --git a/queue/block-don-t-let-passthrough-IO-go-into-.make_request.patch b/queue/block-don-t-let-passthrough-IO-go-into-.make_request.patch new file mode 100644 index 0000000..a35d61b --- /dev/null +++ b/queue/block-don-t-let-passthrough-IO-go-into-.make_request.patch @@ -0,0 +1,102 @@ +From 14cb0dc6479dc5ebc63b3a459a5d89a2f1b39fed Mon Sep 17 00:00:00 2001 +From: Ming Lei <ming.lei@redhat.com> +Date: Mon, 18 Dec 2017 15:40:43 +0800 +Subject: [PATCH] block: don't let passthrough IO go into .make_request_fn() + +commit 14cb0dc6479dc5ebc63b3a459a5d89a2f1b39fed upstream. + +Commit a8821f3f3("block: Improvements to bounce-buffer handling") tries +to make sure that the bio to .make_request_fn won't exceed BIO_MAX_PAGES, +but ignores that passthrough I/O can use blk_queue_bounce() too. +Especially, passthrough IO may not be sector-aligned, and the check +of 'sectors < bio_sectors(*bio_orig)' inside __blk_queue_bounce() may +become true even though the max bvec number doesn't exceed BIO_MAX_PAGES, +then cause the bio splitted, and the original passthrough bio is submited +to generic_make_request(). + +This patch fixes this issue by checking if the bio is passthrough IO, +and use bio_kmalloc() to allocate the cloned passthrough bio. + +Cc: NeilBrown <neilb@suse.com> +Fixes: a8821f3f3("block: Improvements to bounce-buffer handling") +Tested-by: Michele Ballabio <barra_cuda@katamail.com> +Signed-off-by: Ming Lei <ming.lei@redhat.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> + +diff --git a/block/bounce.c b/block/bounce.c +index fceb1a96480b..1d05c422c932 100644 +--- a/block/bounce.c ++++ b/block/bounce.c +@@ -200,6 +200,7 @@ static void __blk_queue_bounce(struct request_queue *q, struct bio **bio_orig, + unsigned i = 0; + bool bounce = false; + int sectors = 0; ++ bool passthrough = bio_is_passthrough(*bio_orig); + + bio_for_each_segment(from, *bio_orig, iter) { + if (i++ < BIO_MAX_PAGES) +@@ -210,13 +211,14 @@ static void __blk_queue_bounce(struct request_queue *q, struct bio **bio_orig, + if (!bounce) + return; + +- if (sectors < bio_sectors(*bio_orig)) { ++ if (!passthrough && sectors < bio_sectors(*bio_orig)) { + bio = bio_split(*bio_orig, sectors, GFP_NOIO, bounce_bio_split); + bio_chain(bio, *bio_orig); + generic_make_request(*bio_orig); + *bio_orig = bio; + } +- bio = bio_clone_bioset(*bio_orig, GFP_NOIO, bounce_bio_set); ++ bio = bio_clone_bioset(*bio_orig, GFP_NOIO, passthrough ? NULL : ++ bounce_bio_set); + + bio_for_each_segment_all(to, bio, i) { + struct page *page = to->bv_page; +diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h +index 8089ca17db9a..abd06f540863 100644 +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -241,14 +241,24 @@ struct request { + struct request *next_rq; + }; + ++static inline bool blk_op_is_scsi(unsigned int op) ++{ ++ return op == REQ_OP_SCSI_IN || op == REQ_OP_SCSI_OUT; ++} ++ ++static inline bool blk_op_is_private(unsigned int op) ++{ ++ return op == REQ_OP_DRV_IN || op == REQ_OP_DRV_OUT; ++} ++ + static inline bool blk_rq_is_scsi(struct request *rq) + { +- return req_op(rq) == REQ_OP_SCSI_IN || req_op(rq) == REQ_OP_SCSI_OUT; ++ return blk_op_is_scsi(req_op(rq)); + } + + static inline bool blk_rq_is_private(struct request *rq) + { +- return req_op(rq) == REQ_OP_DRV_IN || req_op(rq) == REQ_OP_DRV_OUT; ++ return blk_op_is_private(req_op(rq)); + } + + static inline bool blk_rq_is_passthrough(struct request *rq) +@@ -256,6 +266,13 @@ static inline bool blk_rq_is_passthrough(struct request *rq) + return blk_rq_is_scsi(rq) || blk_rq_is_private(rq); + } + ++static inline bool bio_is_passthrough(struct bio *bio) ++{ ++ unsigned op = bio_op(bio); ++ ++ return blk_op_is_scsi(op) || blk_op_is_private(op); ++} ++ + static inline unsigned short req_get_ioprio(struct request *req) + { + return req->ioprio; +-- +2.15.0 + diff --git a/queue/block-fix-blk_rq_append_bio.patch b/queue/block-fix-blk_rq_append_bio.patch new file mode 100644 index 0000000..6a6b69b --- /dev/null +++ b/queue/block-fix-blk_rq_append_bio.patch @@ -0,0 +1,158 @@ +From 0abc2a10389f0c9070f76ca906c7382788036b93 Mon Sep 17 00:00:00 2001 +From: Jens Axboe <axboe@kernel.dk> +Date: Mon, 18 Dec 2017 15:40:44 +0800 +Subject: [PATCH] block: fix blk_rq_append_bio + +commit 0abc2a10389f0c9070f76ca906c7382788036b93 upstream. + +Commit caa4b02476e3(blk-map: call blk_queue_bounce from blk_rq_append_bio) +moves blk_queue_bounce() into blk_rq_append_bio(), but don't consider +the fact that the bounced bio becomes invisible to caller since the +parameter type is 'struct bio *'. Make it a pointer to a pointer to +a bio, so the caller sees the right bio also after a bounce. + +Fixes: caa4b02476e3 ("blk-map: call blk_queue_bounce from blk_rq_append_bio") +Cc: Christoph Hellwig <hch@lst.de> +Reported-by: Michele Ballabio <barra_cuda@katamail.com> +(handling failure of blk_rq_append_bio(), only call bio_get() after +blk_rq_append_bio() returns OK) +Tested-by: Michele Ballabio <barra_cuda@katamail.com> +Signed-off-by: Ming Lei <ming.lei@redhat.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> + +diff --git a/block/blk-map.c b/block/blk-map.c +index b21f8e86f120..d3a94719f03f 100644 +--- a/block/blk-map.c ++++ b/block/blk-map.c +@@ -12,22 +12,29 @@ + #include "blk.h" + + /* +- * Append a bio to a passthrough request. Only works can be merged into +- * the request based on the driver constraints. ++ * Append a bio to a passthrough request. Only works if the bio can be merged ++ * into the request based on the driver constraints. + */ +-int blk_rq_append_bio(struct request *rq, struct bio *bio) ++int blk_rq_append_bio(struct request *rq, struct bio **bio) + { +- blk_queue_bounce(rq->q, &bio); ++ struct bio *orig_bio = *bio; ++ ++ blk_queue_bounce(rq->q, bio); + + if (!rq->bio) { +- blk_rq_bio_prep(rq->q, rq, bio); ++ blk_rq_bio_prep(rq->q, rq, *bio); + } else { +- if (!ll_back_merge_fn(rq->q, rq, bio)) ++ if (!ll_back_merge_fn(rq->q, rq, *bio)) { ++ if (orig_bio != *bio) { ++ bio_put(*bio); ++ *bio = orig_bio; ++ } + return -EINVAL; ++ } + +- rq->biotail->bi_next = bio; +- rq->biotail = bio; +- rq->__data_len += bio->bi_iter.bi_size; ++ rq->biotail->bi_next = *bio; ++ rq->biotail = *bio; ++ rq->__data_len += (*bio)->bi_iter.bi_size; + } + + return 0; +@@ -73,14 +80,12 @@ static int __blk_rq_map_user_iov(struct request *rq, + * We link the bounce buffer in and could have to traverse it + * later so we have to get a ref to prevent it from being freed + */ +- ret = blk_rq_append_bio(rq, bio); +- bio_get(bio); ++ ret = blk_rq_append_bio(rq, &bio); + if (ret) { +- bio_endio(bio); + __blk_rq_unmap_user(orig_bio); +- bio_put(bio); + return ret; + } ++ bio_get(bio); + + return 0; + } +@@ -213,7 +218,7 @@ int blk_rq_map_kern(struct request_queue *q, struct request *rq, void *kbuf, + int reading = rq_data_dir(rq) == READ; + unsigned long addr = (unsigned long) kbuf; + int do_copy = 0; +- struct bio *bio; ++ struct bio *bio, *orig_bio; + int ret; + + if (len > (queue_max_hw_sectors(q) << 9)) +@@ -236,10 +241,11 @@ int blk_rq_map_kern(struct request_queue *q, struct request *rq, void *kbuf, + if (do_copy) + rq->rq_flags |= RQF_COPY_USER; + +- ret = blk_rq_append_bio(rq, bio); ++ orig_bio = bio; ++ ret = blk_rq_append_bio(rq, &bio); + if (unlikely(ret)) { + /* request is too big */ +- bio_put(bio); ++ bio_put(orig_bio); + return ret; + } + +diff --git a/drivers/scsi/osd/osd_initiator.c b/drivers/scsi/osd/osd_initiator.c +index a4f28b7e4c65..e18877177f1b 100644 +--- a/drivers/scsi/osd/osd_initiator.c ++++ b/drivers/scsi/osd/osd_initiator.c +@@ -1576,7 +1576,9 @@ static struct request *_make_request(struct request_queue *q, bool has_write, + return req; + + for_each_bio(bio) { +- ret = blk_rq_append_bio(req, bio); ++ struct bio *bounce_bio = bio; ++ ++ ret = blk_rq_append_bio(req, &bounce_bio); + if (ret) + return ERR_PTR(ret); + } +diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c +index 7c69b4a9694d..0d99b242e82e 100644 +--- a/drivers/target/target_core_pscsi.c ++++ b/drivers/target/target_core_pscsi.c +@@ -920,7 +920,7 @@ pscsi_map_sg(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents, + " %d i: %d bio: %p, allocating another" + " bio\n", bio->bi_vcnt, i, bio); + +- rc = blk_rq_append_bio(req, bio); ++ rc = blk_rq_append_bio(req, &bio); + if (rc) { + pr_err("pSCSI: failed to append bio\n"); + goto fail; +@@ -938,7 +938,7 @@ pscsi_map_sg(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents, + } + + if (bio) { +- rc = blk_rq_append_bio(req, bio); ++ rc = blk_rq_append_bio(req, &bio); + if (rc) { + pr_err("pSCSI: failed to append bio\n"); + goto fail; +diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h +index abd06f540863..100d0df38026 100644 +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -965,7 +965,7 @@ extern int blk_rq_prep_clone(struct request *rq, struct request *rq_src, + extern void blk_rq_unprep_clone(struct request *rq); + extern blk_status_t blk_insert_cloned_request(struct request_queue *q, + struct request *rq); +-extern int blk_rq_append_bio(struct request *rq, struct bio *bio); ++extern int blk_rq_append_bio(struct request *rq, struct bio **bio); + extern void blk_delay_queue(struct request_queue *, unsigned long); + extern void blk_queue_split(struct request_queue *, struct bio **); + extern void blk_recount_segments(struct request_queue *, struct bio *); +-- +2.15.0 + diff --git a/queue/bnxt_en-Fix-sources-of-spurious-netpoll-warnings.patch b/queue/bnxt_en-Fix-sources-of-spurious-netpoll-warnings.patch new file mode 100644 index 0000000..d00f606 --- /dev/null +++ b/queue/bnxt_en-Fix-sources-of-spurious-netpoll-warnings.patch @@ -0,0 +1,71 @@ +From 2edbdb3159d6f6bd3a9b6e7f789f2b879699a519 Mon Sep 17 00:00:00 2001 +From: Calvin Owens <calvinowens@fb.com> +Date: Fri, 8 Dec 2017 09:05:26 -0800 +Subject: [PATCH] bnxt_en: Fix sources of spurious netpoll warnings + +commit 2edbdb3159d6f6bd3a9b6e7f789f2b879699a519 upstream. + +After applying 2270bc5da3497945 ("bnxt_en: Fix netpoll handling") and +903649e718f80da2 ("bnxt_en: Improve -ENOMEM logic in NAPI poll loop."), +we still see the following WARN fire: + + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 1875170 at net/core/netpoll.c:165 netpoll_poll_dev+0x15a/0x160 + bnxt_poll+0x0/0xd0 exceeded budget in poll + <snip> + Call Trace: + [<ffffffff814be5cd>] dump_stack+0x4d/0x70 + [<ffffffff8107e013>] __warn+0xd3/0xf0 + [<ffffffff8107e07f>] warn_slowpath_fmt+0x4f/0x60 + [<ffffffff8179519a>] netpoll_poll_dev+0x15a/0x160 + [<ffffffff81795f38>] netpoll_send_skb_on_dev+0x168/0x250 + [<ffffffff817962fc>] netpoll_send_udp+0x2dc/0x440 + [<ffffffff815fa9be>] write_ext_msg+0x20e/0x250 + [<ffffffff810c8125>] call_console_drivers.constprop.23+0xa5/0x110 + [<ffffffff810c9549>] console_unlock+0x339/0x5b0 + [<ffffffff810c9a88>] vprintk_emit+0x2c8/0x450 + [<ffffffff810c9d5f>] vprintk_default+0x1f/0x30 + [<ffffffff81173df5>] printk+0x48/0x50 + [<ffffffffa0197713>] edac_raw_mc_handle_error+0x563/0x5c0 [edac_core] + [<ffffffffa0197b9b>] edac_mc_handle_error+0x42b/0x6e0 [edac_core] + [<ffffffffa01c3a60>] sbridge_mce_output_error+0x410/0x10d0 [sb_edac] + [<ffffffffa01c47cc>] sbridge_check_error+0xac/0x130 [sb_edac] + [<ffffffffa0197f3c>] edac_mc_workq_function+0x3c/0x90 [edac_core] + [<ffffffff81095f8b>] process_one_work+0x19b/0x480 + [<ffffffff810967ca>] worker_thread+0x6a/0x520 + [<ffffffff8109c7c4>] kthread+0xe4/0x100 + [<ffffffff81884c52>] ret_from_fork+0x22/0x40 + +This happens because we increment rx_pkts on -ENOMEM and -EIO, resulting +in rx_pkts > 0. Fix this by only bumping rx_pkts if we were actually +given a non-zero budget. + +Signed-off-by: Calvin Owens <calvinowens@fb.com> +Acked-by: Michael Chan <michael.chan@broadcom.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 28f5e94274ee..61ca4eb7c6fa 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -1883,7 +1883,7 @@ static int bnxt_poll_work(struct bnxt *bp, struct bnxt_napi *bnapi, int budget) + * here forever if we consistently cannot allocate + * buffers. + */ +- else if (rc == -ENOMEM) ++ else if (rc == -ENOMEM && budget) + rx_pkts++; + else if (rc == -EBUSY) /* partial completion */ + break; +@@ -1969,7 +1969,7 @@ static int bnxt_poll_nitroa0(struct napi_struct *napi, int budget) + cpu_to_le32(RX_CMPL_ERRORS_CRC_ERROR); + + rc = bnxt_rx_pkt(bp, bnapi, &raw_cons, &event); +- if (likely(rc == -EIO)) ++ if (likely(rc == -EIO) && budget) + rx_pkts++; + else if (rc == -EBUSY) /* partial completion */ + break; +-- +2.15.0 + diff --git a/queue/cpufreq-schedutil-Use-idle_calls-counter-of-the-remo.patch b/queue/cpufreq-schedutil-Use-idle_calls-counter-of-the-remo.patch new file mode 100644 index 0000000..9d5ad73 --- /dev/null +++ b/queue/cpufreq-schedutil-Use-idle_calls-counter-of-the-remo.patch @@ -0,0 +1,72 @@ +From 466a2b42d67644447a1765276259a3ea5531ddff Mon Sep 17 00:00:00 2001 +From: Joel Fernandes <joelaf@google.com> +Date: Thu, 21 Dec 2017 02:22:45 +0100 +Subject: [PATCH] cpufreq: schedutil: Use idle_calls counter of the remote CPU + +commit 466a2b42d67644447a1765276259a3ea5531ddff upstream. + +Since the recent remote cpufreq callback work, its possible that a cpufreq +update is triggered from a remote CPU. For single policies however, the current +code uses the local CPU when trying to determine if the remote sg_cpu entered +idle or is busy. This is incorrect. To remedy this, compare with the nohz tick +idle_calls counter of the remote CPU. + +Fixes: 674e75411fc2 (sched: cpufreq: Allow remote cpufreq callbacks) +Acked-by: Viresh Kumar <viresh.kumar@linaro.org> +Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Signed-off-by: Joel Fernandes <joelaf@google.com> +Cc: 4.14+ <stable@vger.kernel.org> # 4.14+ +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> + +diff --git a/include/linux/tick.h b/include/linux/tick.h +index f442d1a42025..7cc35921218e 100644 +--- a/include/linux/tick.h ++++ b/include/linux/tick.h +@@ -119,6 +119,7 @@ extern void tick_nohz_idle_exit(void); + extern void tick_nohz_irq_exit(void); + extern ktime_t tick_nohz_get_sleep_length(void); + extern unsigned long tick_nohz_get_idle_calls(void); ++extern unsigned long tick_nohz_get_idle_calls_cpu(int cpu); + extern u64 get_cpu_idle_time_us(int cpu, u64 *last_update_time); + extern u64 get_cpu_iowait_time_us(int cpu, u64 *last_update_time); + #else /* !CONFIG_NO_HZ_COMMON */ +diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c +index 2f52ec0f1539..d6717a3331a1 100644 +--- a/kernel/sched/cpufreq_schedutil.c ++++ b/kernel/sched/cpufreq_schedutil.c +@@ -244,7 +244,7 @@ static void sugov_iowait_boost(struct sugov_cpu *sg_cpu, unsigned long *util, + #ifdef CONFIG_NO_HZ_COMMON + static bool sugov_cpu_is_busy(struct sugov_cpu *sg_cpu) + { +- unsigned long idle_calls = tick_nohz_get_idle_calls(); ++ unsigned long idle_calls = tick_nohz_get_idle_calls_cpu(sg_cpu->cpu); + bool ret = idle_calls == sg_cpu->saved_idle_calls; + + sg_cpu->saved_idle_calls = idle_calls; +diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c +index 99578f06c8d4..77555faf6fbc 100644 +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -985,6 +985,19 @@ ktime_t tick_nohz_get_sleep_length(void) + return ts->sleep_length; + } + ++/** ++ * tick_nohz_get_idle_calls_cpu - return the current idle calls counter value ++ * for a particular CPU. ++ * ++ * Called from the schedutil frequency scaling governor in scheduler context. ++ */ ++unsigned long tick_nohz_get_idle_calls_cpu(int cpu) ++{ ++ struct tick_sched *ts = tick_get_tick_sched(cpu); ++ ++ return ts->idle_calls; ++} ++ + /** + * tick_nohz_get_idle_calls - return the current idle calls counter value + * +-- +2.15.0 + diff --git a/queue/drivers-base-cacheinfo-fix-cache-type-for-non-archit.patch b/queue/drivers-base-cacheinfo-fix-cache-type-for-non-archit.patch new file mode 100644 index 0000000..8fd1bec --- /dev/null +++ b/queue/drivers-base-cacheinfo-fix-cache-type-for-non-archit.patch @@ -0,0 +1,57 @@ +From f57ab9a01a36ef3454333251cc57e3a9948b17bf Mon Sep 17 00:00:00 2001 +From: Sudeep Holla <sudeep.holla@arm.com> +Date: Fri, 17 Nov 2017 11:56:41 +0000 +Subject: [PATCH] drivers: base: cacheinfo: fix cache type for non-architected + system cache + +commit f57ab9a01a36ef3454333251cc57e3a9948b17bf upstream. + +Commit dfea747d2aba ("drivers: base: cacheinfo: support DT overrides for +cache properties") doesn't initialise the cache type if it's present +only in DT and the architecture is not aware of it. They are unified +system level cache which are generally transparent. + +This patch check if the cache type is set to NOCACHE but the DT node +indicates that it's unified cache and sets the cache type accordingly. + +Fixes: dfea747d2aba ("drivers: base: cacheinfo: support DT overrides for cache properties") +Reported-and-tested-by: Tan Xiaojun <tanxiaojun@huawei.com> +Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Sudeep Holla <sudeep.holla@arm.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/base/cacheinfo.c b/drivers/base/cacheinfo.c +index eb3af2739537..07532d83be0b 100644 +--- a/drivers/base/cacheinfo.c ++++ b/drivers/base/cacheinfo.c +@@ -186,6 +186,11 @@ static void cache_associativity(struct cacheinfo *this_leaf) + this_leaf->ways_of_associativity = (size / nr_sets) / line_size; + } + ++static bool cache_node_is_unified(struct cacheinfo *this_leaf) ++{ ++ return of_property_read_bool(this_leaf->of_node, "cache-unified"); ++} ++ + static void cache_of_override_properties(unsigned int cpu) + { + int index; +@@ -194,6 +199,14 @@ static void cache_of_override_properties(unsigned int cpu) + + for (index = 0; index < cache_leaves(cpu); index++) { + this_leaf = this_cpu_ci->info_list + index; ++ /* ++ * init_cache_level must setup the cache level correctly ++ * overriding the architecturally specified levels, so ++ * if type is NONE at this stage, it should be unified ++ */ ++ if (this_leaf->type == CACHE_TYPE_NOCACHE && ++ cache_node_is_unified(this_leaf)) ++ this_leaf->type = CACHE_TYPE_UNIFIED; + cache_size(this_leaf); + cache_get_line_size(this_leaf); + cache_nr_sets(this_leaf); +-- +2.15.0 + diff --git a/queue/gpio-fix-gpio-line-names-property-retrieval.patch b/queue/gpio-fix-gpio-line-names-property-retrieval.patch new file mode 100644 index 0000000..4d1cfe8 --- /dev/null +++ b/queue/gpio-fix-gpio-line-names-property-retrieval.patch @@ -0,0 +1,122 @@ +From 822703354774ec935169cbbc8d503236bcb54fda Mon Sep 17 00:00:00 2001 +From: Christophe Leroy <christophe.leroy@c-s.fr> +Date: Fri, 15 Dec 2017 15:02:33 +0100 +Subject: [PATCH] gpio: fix "gpio-line-names" property retrieval + +commit 822703354774ec935169cbbc8d503236bcb54fda upstream. + +Following commit 9427ecbed46cc ("gpio: Rework of_gpiochip_set_names() +to use device property accessors"), "gpio-line-names" DT property is +not retrieved anymore when chip->parent is not set by the driver. +This is due to OF based property reads having been replaced by device +based property reads. + +This patch fixes that by making use of +fwnode_property_read_string_array() instead of +device_property_read_string_array() and handing over either +of_fwnode_handle(chip->of_node) or dev_fwnode(chip->parent) +to that function. + +Fixes: 9427ecbed46cc ("gpio: Rework of_gpiochip_set_names() to use device property accessors") +Cc: stable@vger.kernel.org +Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr> +Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com> +Signed-off-by: Linus Walleij <linus.walleij@linaro.org> + +diff --git a/drivers/gpio/gpiolib-acpi.c b/drivers/gpio/gpiolib-acpi.c +index eb4528c87c0b..d6f3d9ee1350 100644 +--- a/drivers/gpio/gpiolib-acpi.c ++++ b/drivers/gpio/gpiolib-acpi.c +@@ -1074,7 +1074,7 @@ void acpi_gpiochip_add(struct gpio_chip *chip) + } + + if (!chip->names) +- devprop_gpiochip_set_names(chip); ++ devprop_gpiochip_set_names(chip, dev_fwnode(chip->parent)); + + acpi_gpiochip_request_regions(acpi_gpio); + acpi_gpiochip_scan_gpios(acpi_gpio); +diff --git a/drivers/gpio/gpiolib-devprop.c b/drivers/gpio/gpiolib-devprop.c +index 27f383bda7d9..f748aa3e77f7 100644 +--- a/drivers/gpio/gpiolib-devprop.c ++++ b/drivers/gpio/gpiolib-devprop.c +@@ -19,30 +19,27 @@ + /** + * devprop_gpiochip_set_names - Set GPIO line names using device properties + * @chip: GPIO chip whose lines should be named, if possible ++ * @fwnode: Property Node containing the gpio-line-names property + * + * Looks for device property "gpio-line-names" and if it exists assigns + * GPIO line names for the chip. The memory allocated for the assigned + * names belong to the underlying firmware node and should not be released + * by the caller. + */ +-void devprop_gpiochip_set_names(struct gpio_chip *chip) ++void devprop_gpiochip_set_names(struct gpio_chip *chip, ++ const struct fwnode_handle *fwnode) + { + struct gpio_device *gdev = chip->gpiodev; + const char **names; + int ret, i; + +- if (!chip->parent) { +- dev_warn(&gdev->dev, "GPIO chip parent is NULL\n"); +- return; +- } +- +- ret = device_property_read_string_array(chip->parent, "gpio-line-names", ++ ret = fwnode_property_read_string_array(fwnode, "gpio-line-names", + NULL, 0); + if (ret < 0) + return; + + if (ret != gdev->ngpio) { +- dev_warn(chip->parent, ++ dev_warn(&gdev->dev, + "names %d do not match number of GPIOs %d\n", ret, + gdev->ngpio); + return; +@@ -52,10 +49,10 @@ void devprop_gpiochip_set_names(struct gpio_chip *chip) + if (!names) + return; + +- ret = device_property_read_string_array(chip->parent, "gpio-line-names", ++ ret = fwnode_property_read_string_array(fwnode, "gpio-line-names", + names, gdev->ngpio); + if (ret < 0) { +- dev_warn(chip->parent, "failed to read GPIO line names\n"); ++ dev_warn(&gdev->dev, "failed to read GPIO line names\n"); + kfree(names); + return; + } +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c +index e0d59e61b52f..72a0695d2ac3 100644 +--- a/drivers/gpio/gpiolib-of.c ++++ b/drivers/gpio/gpiolib-of.c +@@ -493,7 +493,8 @@ int of_gpiochip_add(struct gpio_chip *chip) + + /* If the chip defines names itself, these take precedence */ + if (!chip->names) +- devprop_gpiochip_set_names(chip); ++ devprop_gpiochip_set_names(chip, ++ of_fwnode_handle(chip->of_node)); + + of_node_get(chip->of_node); + +diff --git a/drivers/gpio/gpiolib.h b/drivers/gpio/gpiolib.h +index af48322839c3..6c44d1652139 100644 +--- a/drivers/gpio/gpiolib.h ++++ b/drivers/gpio/gpiolib.h +@@ -228,7 +228,8 @@ static inline int gpio_chip_hwgpio(const struct gpio_desc *desc) + return desc - &desc->gdev->descs[0]; + } + +-void devprop_gpiochip_set_names(struct gpio_chip *chip); ++void devprop_gpiochip_set_names(struct gpio_chip *chip, ++ const struct fwnode_handle *fwnode); + + /* With descriptor prefix */ + +-- +2.15.0 + diff --git a/queue/ip6_gre-fix-device-features-for-ioctl-setup.patch b/queue/ip6_gre-fix-device-features-for-ioctl-setup.patch new file mode 100644 index 0000000..8e9904a --- /dev/null +++ b/queue/ip6_gre-fix-device-features-for-ioctl-setup.patch @@ -0,0 +1,138 @@ +From e5a9336adb317db55eb3fe8200856096f3c71109 Mon Sep 17 00:00:00 2001 +From: Alexey Kodanev <alexey.kodanev@oracle.com> +Date: Wed, 20 Dec 2017 19:36:03 +0300 +Subject: [PATCH] ip6_gre: fix device features for ioctl setup + +commit e5a9336adb317db55eb3fe8200856096f3c71109 upstream. + +When ip6gre is created using ioctl, its features, such as +scatter-gather, GSO and tx-checksumming will be turned off: + + # ip -f inet6 tunnel add gre6 mode ip6gre remote fd00::1 + # ethtool -k gre6 (truncated output) + tx-checksumming: off + scatter-gather: off + tcp-segmentation-offload: off + generic-segmentation-offload: off [requested on] + +But when netlink is used, they will be enabled: + # ip link add gre6 type ip6gre remote fd00::1 + # ethtool -k gre6 (truncated output) + tx-checksumming: on + scatter-gather: on + tcp-segmentation-offload: on + generic-segmentation-offload: on + +This results in a loss of performance when gre6 is created via ioctl. +The issue was found with LTP/gre tests. + +Fix it by moving the setup of device features to a separate function +and invoke it with ndo_init callback because both netlink and ioctl +will eventually call it via register_netdevice(): + + register_netdevice() + - ndo_init() callback -> ip6gre_tunnel_init() or ip6gre_tap_init() + - ip6gre_tunnel_init_common() + - ip6gre_tnl_init_features() + +The moved code also contains two minor style fixes: + * removed needless tab from GRE6_FEATURES on NETIF_F_HIGHDMA line. + * fixed the issue reported by checkpatch: "Unnecessary parentheses around + 'nt->encap.type == TUNNEL_ENCAP_NONE'" + +Fixes: ac4eb009e477 ("ip6gre: Add support for basic offloads offloads excluding GSO") +Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 416c8913f132..772695960890 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1014,6 +1014,36 @@ static void ip6gre_tunnel_setup(struct net_device *dev) + eth_random_addr(dev->perm_addr); + } + ++#define GRE6_FEATURES (NETIF_F_SG | \ ++ NETIF_F_FRAGLIST | \ ++ NETIF_F_HIGHDMA | \ ++ NETIF_F_HW_CSUM) ++ ++static void ip6gre_tnl_init_features(struct net_device *dev) ++{ ++ struct ip6_tnl *nt = netdev_priv(dev); ++ ++ dev->features |= GRE6_FEATURES; ++ dev->hw_features |= GRE6_FEATURES; ++ ++ if (!(nt->parms.o_flags & TUNNEL_SEQ)) { ++ /* TCP offload with GRE SEQ is not supported, nor ++ * can we support 2 levels of outer headers requiring ++ * an update. ++ */ ++ if (!(nt->parms.o_flags & TUNNEL_CSUM) || ++ nt->encap.type == TUNNEL_ENCAP_NONE) { ++ dev->features |= NETIF_F_GSO_SOFTWARE; ++ dev->hw_features |= NETIF_F_GSO_SOFTWARE; ++ } ++ ++ /* Can use a lockless transmit, unless we generate ++ * output sequences ++ */ ++ dev->features |= NETIF_F_LLTX; ++ } ++} ++ + static int ip6gre_tunnel_init_common(struct net_device *dev) + { + struct ip6_tnl *tunnel; +@@ -1048,6 +1078,8 @@ static int ip6gre_tunnel_init_common(struct net_device *dev) + if (!(tunnel->parms.flags & IP6_TNL_F_IGN_ENCAP_LIMIT)) + dev->mtu -= 8; + ++ ip6gre_tnl_init_features(dev); ++ + return 0; + } + +@@ -1298,11 +1330,6 @@ static const struct net_device_ops ip6gre_tap_netdev_ops = { + .ndo_get_iflink = ip6_tnl_get_iflink, + }; + +-#define GRE6_FEATURES (NETIF_F_SG | \ +- NETIF_F_FRAGLIST | \ +- NETIF_F_HIGHDMA | \ +- NETIF_F_HW_CSUM) +- + static void ip6gre_tap_setup(struct net_device *dev) + { + +@@ -1383,26 +1410,6 @@ static int ip6gre_newlink(struct net *src_net, struct net_device *dev, + nt->net = dev_net(dev); + ip6gre_tnl_link_config(nt, !tb[IFLA_MTU]); + +- dev->features |= GRE6_FEATURES; +- dev->hw_features |= GRE6_FEATURES; +- +- if (!(nt->parms.o_flags & TUNNEL_SEQ)) { +- /* TCP offload with GRE SEQ is not supported, nor +- * can we support 2 levels of outer headers requiring +- * an update. +- */ +- if (!(nt->parms.o_flags & TUNNEL_CSUM) || +- (nt->encap.type == TUNNEL_ENCAP_NONE)) { +- dev->features |= NETIF_F_GSO_SOFTWARE; +- dev->hw_features |= NETIF_F_GSO_SOFTWARE; +- } +- +- /* Can use a lockless transmit, unless we generate +- * output sequences +- */ +- dev->features |= NETIF_F_LLTX; +- } +- + err = register_netdevice(dev); + if (err) + goto out; +-- +2.15.0 + diff --git a/queue/ipv4-Fix-use-after-free-when-flushing-FIB-tables.patch b/queue/ipv4-Fix-use-after-free-when-flushing-FIB-tables.patch new file mode 100644 index 0000000..bc2f258 --- /dev/null +++ b/queue/ipv4-Fix-use-after-free-when-flushing-FIB-tables.patch @@ -0,0 +1,57 @@ +From b4681c2829e24943aadd1a7bb3a30d41d0a20050 Mon Sep 17 00:00:00 2001 +From: Ido Schimmel <idosch@mellanox.com> +Date: Wed, 20 Dec 2017 19:34:19 +0200 +Subject: [PATCH] ipv4: Fix use-after-free when flushing FIB tables + +commit b4681c2829e24943aadd1a7bb3a30d41d0a20050 upstream. + +Since commit 0ddcf43d5d4a ("ipv4: FIB Local/MAIN table collapse") the +local table uses the same trie allocated for the main table when custom +rules are not in use. + +When a net namespace is dismantled, the main table is flushed and freed +(via an RCU callback) before the local table. In case the callback is +invoked before the local table is iterated, a use-after-free can occur. + +Fix this by iterating over the FIB tables in reverse order, so that the +main table is always freed after the local table. + +v3: Reworded comment according to Alex's suggestion. +v2: Add a comment to make the fix more explicit per Dave's and Alex's +feedback. + +Fixes: 0ddcf43d5d4a ("ipv4: FIB Local/MAIN table collapse") +Signed-off-by: Ido Schimmel <idosch@mellanox.com> +Reported-by: Fengguang Wu <fengguang.wu@intel.com> +Acked-by: Alexander Duyck <alexander.h.duyck@intel.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c +index f52d27a422c3..08259d078b1c 100644 +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -1298,14 +1298,19 @@ err_table_hash_alloc: + + static void ip_fib_net_exit(struct net *net) + { +- unsigned int i; ++ int i; + + rtnl_lock(); + #ifdef CONFIG_IP_MULTIPLE_TABLES + RCU_INIT_POINTER(net->ipv4.fib_main, NULL); + RCU_INIT_POINTER(net->ipv4.fib_default, NULL); + #endif +- for (i = 0; i < FIB_TABLE_HASHSZ; i++) { ++ /* Destroy the tables in reverse order to guarantee that the ++ * local table, ID 255, is destroyed before the main table, ID ++ * 254. This is necessary as the local table may contain ++ * references to data contained in the main table. ++ */ ++ for (i = FIB_TABLE_HASHSZ - 1; i >= 0; i--) { + struct hlist_head *head = &net->ipv4.fib_table_hash[i]; + struct hlist_node *tmp; + struct fib_table *tb; +-- +2.15.0 + diff --git a/queue/ipv4-fib-Fix-metrics-match-when-deleting-a-route.patch b/queue/ipv4-fib-Fix-metrics-match-when-deleting-a-route.patch new file mode 100644 index 0000000..9a16f4c --- /dev/null +++ b/queue/ipv4-fib-Fix-metrics-match-when-deleting-a-route.patch @@ -0,0 +1,58 @@ +From d03a45572efa068fa64db211d6d45222660e76c5 Mon Sep 17 00:00:00 2001 +From: Phil Sutter <phil@nwl.cc> +Date: Tue, 19 Dec 2017 15:17:13 +0100 +Subject: [PATCH] ipv4: fib: Fix metrics match when deleting a route + +commit d03a45572efa068fa64db211d6d45222660e76c5 upstream. + +The recently added fib_metrics_match() causes a regression for routes +with both RTAX_FEATURES and RTAX_CC_ALGO if the latter has +TCP_CONG_NEEDS_ECN flag set: + +| # ip link add d0 type dummy +| # ip link set d0 up +| # ip route add 172.29.29.0/24 dev d0 features ecn congctl dctcp +| # ip route del 172.29.29.0/24 dev d0 features ecn congctl dctcp +| RTNETLINK answers: No such process + +During route insertion, fib_convert_metrics() detects that the given CC +algo requires ECN and hence sets DST_FEATURE_ECN_CA bit in +RTAX_FEATURES. + +During route deletion though, fib_metrics_match() compares stored +RTAX_FEATURES value with that from userspace (which obviously has no +knowledge about DST_FEATURE_ECN_CA) and fails. + +Fixes: 5f9ae3d9e7e4a ("ipv4: do metrics match when looking up and deleting a route") +Signed-off-by: Phil Sutter <phil@nwl.cc> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index f04d944f8abe..c586597da20d 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -698,7 +698,7 @@ bool fib_metrics_match(struct fib_config *cfg, struct fib_info *fi) + + nla_for_each_attr(nla, cfg->fc_mx, cfg->fc_mx_len, remaining) { + int type = nla_type(nla); +- u32 val; ++ u32 fi_val, val; + + if (!type) + continue; +@@ -715,7 +715,11 @@ bool fib_metrics_match(struct fib_config *cfg, struct fib_info *fi) + val = nla_get_u32(nla); + } + +- if (fi->fib_metrics->metrics[type - 1] != val) ++ fi_val = fi->fib_metrics->metrics[type - 1]; ++ if (type == RTAX_FEATURES) ++ fi_val &= ~DST_FEATURE_ECN_CA; ++ ++ if (fi_val != val) + return false; + } + +-- +2.15.0 + diff --git a/queue/ipv4-igmp-guard-against-silly-MTU-values.patch b/queue/ipv4-igmp-guard-against-silly-MTU-values.patch new file mode 100644 index 0000000..770a7d4 --- /dev/null +++ b/queue/ipv4-igmp-guard-against-silly-MTU-values.patch @@ -0,0 +1,146 @@ +From b5476022bbada3764609368f03329ca287528dc8 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Mon, 11 Dec 2017 07:17:39 -0800 +Subject: [PATCH] ipv4: igmp: guard against silly MTU values +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit b5476022bbada3764609368f03329ca287528dc8 upstream. + +IPv4 stack reacts to changes to small MTU, by disabling itself under +RTNL. + +But there is a window where threads not using RTNL can see a wrong +device mtu. This can lead to surprises, in igmp code where it is +assumed the mtu is suitable. + +Fix this by reading device mtu once and checking IPv4 minimal MTU. + +This patch adds missing IPV4_MIN_MTU define, to not abuse +ETH_MIN_MTU anymore. + +Signed-off-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/include/net/ip.h b/include/net/ip.h +index 9896f46cbbf1..af8addbaa3c1 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -34,6 +34,7 @@ + #include <net/flow_dissector.h> + + #define IPV4_MAX_PMTU 65535U /* RFC 2675, Section 5.1 */ ++#define IPV4_MIN_MTU 68 /* RFC 791 */ + + struct sock; + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index a4573bccd6da..7a93359fbc72 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -1428,7 +1428,7 @@ skip: + + static bool inetdev_valid_mtu(unsigned int mtu) + { +- return mtu >= 68; ++ return mtu >= IPV4_MIN_MTU; + } + + static void inetdev_send_gratuitous_arp(struct net_device *dev, +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c +index d1f8f302dbf3..50448a220a1f 100644 +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -404,16 +404,17 @@ static int grec_size(struct ip_mc_list *pmc, int type, int gdel, int sdel) + } + + static struct sk_buff *add_grhead(struct sk_buff *skb, struct ip_mc_list *pmc, +- int type, struct igmpv3_grec **ppgr) ++ int type, struct igmpv3_grec **ppgr, unsigned int mtu) + { + struct net_device *dev = pmc->interface->dev; + struct igmpv3_report *pih; + struct igmpv3_grec *pgr; + +- if (!skb) +- skb = igmpv3_newpack(dev, dev->mtu); +- if (!skb) +- return NULL; ++ if (!skb) { ++ skb = igmpv3_newpack(dev, mtu); ++ if (!skb) ++ return NULL; ++ } + pgr = skb_put(skb, sizeof(struct igmpv3_grec)); + pgr->grec_type = type; + pgr->grec_auxwords = 0; +@@ -436,12 +437,17 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc, + struct igmpv3_grec *pgr = NULL; + struct ip_sf_list *psf, *psf_next, *psf_prev, **psf_list; + int scount, stotal, first, isquery, truncate; ++ unsigned int mtu; + + if (pmc->multiaddr == IGMP_ALL_HOSTS) + return skb; + if (ipv4_is_local_multicast(pmc->multiaddr) && !net->ipv4.sysctl_igmp_llm_reports) + return skb; + ++ mtu = READ_ONCE(dev->mtu); ++ if (mtu < IPV4_MIN_MTU) ++ return skb; ++ + isquery = type == IGMPV3_MODE_IS_INCLUDE || + type == IGMPV3_MODE_IS_EXCLUDE; + truncate = type == IGMPV3_MODE_IS_EXCLUDE || +@@ -462,7 +468,7 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc, + AVAILABLE(skb) < grec_size(pmc, type, gdeleted, sdeleted)) { + if (skb) + igmpv3_sendpack(skb); +- skb = igmpv3_newpack(dev, dev->mtu); ++ skb = igmpv3_newpack(dev, mtu); + } + } + first = 1; +@@ -498,12 +504,12 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc, + pgr->grec_nsrcs = htons(scount); + if (skb) + igmpv3_sendpack(skb); +- skb = igmpv3_newpack(dev, dev->mtu); ++ skb = igmpv3_newpack(dev, mtu); + first = 1; + scount = 0; + } + if (first) { +- skb = add_grhead(skb, pmc, type, &pgr); ++ skb = add_grhead(skb, pmc, type, &pgr, mtu); + first = 0; + } + if (!skb) +@@ -538,7 +544,7 @@ empty_source: + igmpv3_sendpack(skb); + skb = NULL; /* add_grhead will get a new one */ + } +- skb = add_grhead(skb, pmc, type, &pgr); ++ skb = add_grhead(skb, pmc, type, &pgr, mtu); + } + } + if (pgr) +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c +index fe6fee728ce4..5ddb1cb52bd4 100644 +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -349,8 +349,8 @@ static int ip_tunnel_bind_dev(struct net_device *dev) + dev->needed_headroom = t_hlen + hlen; + mtu -= (dev->hard_header_len + t_hlen); + +- if (mtu < 68) +- mtu = 68; ++ if (mtu < IPV4_MIN_MTU) ++ mtu = IPV4_MIN_MTU; + + return mtu; + } +-- +2.15.0 + diff --git a/queue/ipv6-Honor-specified-parameters-in-fibmatch-lookup.patch b/queue/ipv6-Honor-specified-parameters-in-fibmatch-lookup.patch new file mode 100644 index 0000000..e891a64 --- /dev/null +++ b/queue/ipv6-Honor-specified-parameters-in-fibmatch-lookup.patch @@ -0,0 +1,94 @@ +From 58acfd714e6b02e8617448b431c2b64a2f1f0792 Mon Sep 17 00:00:00 2001 +From: Ido Schimmel <idosch@mellanox.com> +Date: Wed, 20 Dec 2017 12:28:25 +0200 +Subject: [PATCH] ipv6: Honor specified parameters in fibmatch lookup + +commit 58acfd714e6b02e8617448b431c2b64a2f1f0792 upstream. + +Currently, parameters such as oif and source address are not taken into +account during fibmatch lookup. Example (IPv4 for reference) before +patch: + +$ ip -4 route show +192.0.2.0/24 dev dummy0 proto kernel scope link src 192.0.2.1 +198.51.100.0/24 dev dummy1 proto kernel scope link src 198.51.100.1 + +$ ip -6 route show +2001:db8:1::/64 dev dummy0 proto kernel metric 256 pref medium +2001:db8:2::/64 dev dummy1 proto kernel metric 256 pref medium +fe80::/64 dev dummy0 proto kernel metric 256 pref medium +fe80::/64 dev dummy1 proto kernel metric 256 pref medium + +$ ip -4 route get fibmatch 192.0.2.2 oif dummy0 +192.0.2.0/24 dev dummy0 proto kernel scope link src 192.0.2.1 +$ ip -4 route get fibmatch 192.0.2.2 oif dummy1 +RTNETLINK answers: No route to host + +$ ip -6 route get fibmatch 2001:db8:1::2 oif dummy0 +2001:db8:1::/64 dev dummy0 proto kernel metric 256 pref medium +$ ip -6 route get fibmatch 2001:db8:1::2 oif dummy1 +2001:db8:1::/64 dev dummy0 proto kernel metric 256 pref medium + +After: + +$ ip -6 route get fibmatch 2001:db8:1::2 oif dummy0 +2001:db8:1::/64 dev dummy0 proto kernel metric 256 pref medium +$ ip -6 route get fibmatch 2001:db8:1::2 oif dummy1 +RTNETLINK answers: Network is unreachable + +The problem stems from the fact that the necessary route lookup flags +are not set based on these parameters. + +Instead of duplicating the same logic for fibmatch, we can simply +resolve the original route from its copy and dump it instead. + +Fixes: 18c3a61c4264 ("net: ipv6: RTM_GETROUTE: return matched fib result when requested") +Signed-off-by: Ido Schimmel <idosch@mellanox.com> +Acked-by: David Ahern <dsahern@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 2bc91c349273..0458b761f3c5 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -4298,19 +4298,13 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh, + if (!ipv6_addr_any(&fl6.saddr)) + flags |= RT6_LOOKUP_F_HAS_SADDR; + +- if (!fibmatch) +- dst = ip6_route_input_lookup(net, dev, &fl6, flags); +- else +- dst = ip6_route_lookup(net, &fl6, 0); ++ dst = ip6_route_input_lookup(net, dev, &fl6, flags); + + rcu_read_unlock(); + } else { + fl6.flowi6_oif = oif; + +- if (!fibmatch) +- dst = ip6_route_output(net, NULL, &fl6); +- else +- dst = ip6_route_lookup(net, &fl6, 0); ++ dst = ip6_route_output(net, NULL, &fl6); + } + + +@@ -4327,6 +4321,15 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh, + goto errout; + } + ++ if (fibmatch && rt->dst.from) { ++ struct rt6_info *ort = container_of(rt->dst.from, ++ struct rt6_info, dst); ++ ++ dst_hold(&ort->dst); ++ ip6_rt_put(rt); ++ rt = ort; ++ } ++ + skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); + if (!skb) { + ip6_rt_put(rt); +-- +2.15.0 + diff --git a/queue/ipv6-mcast-better-catch-silly-mtu-values.patch b/queue/ipv6-mcast-better-catch-silly-mtu-values.patch new file mode 100644 index 0000000..6657064 --- /dev/null +++ b/queue/ipv6-mcast-better-catch-silly-mtu-values.patch @@ -0,0 +1,147 @@ +From b9b312a7a451e9c098921856e7cfbc201120e1a7 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Mon, 11 Dec 2017 07:03:38 -0800 +Subject: [PATCH] ipv6: mcast: better catch silly mtu values + +commit b9b312a7a451e9c098921856e7cfbc201120e1a7 upstream. + +syzkaller reported crashes in IPv6 stack [1] + +Xin Long found that lo MTU was set to silly values. + +IPv6 stack reacts to changes to small MTU, by disabling itself under +RTNL. + +But there is a window where threads not using RTNL can see a wrong +device mtu. This can lead to surprises, in mld code where it is assumed +the mtu is suitable. + +Fix this by reading device mtu once and checking IPv6 minimal MTU. + +[1] + skbuff: skb_over_panic: text:0000000010b86b8d len:196 put:20 + head:000000003b477e60 data:000000000e85441e tail:0xd4 end:0xc0 dev:lo + ------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:104! + invalid opcode: 0000 [#1] SMP KASAN + Dumping ftrace buffer: + (ftrace buffer empty) + Modules linked in: + CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.15.0-rc2-mm1+ #39 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS + Google 01/01/2011 + RIP: 0010:skb_panic+0x15c/0x1f0 net/core/skbuff.c:100 + RSP: 0018:ffff8801db307508 EFLAGS: 00010286 + RAX: 0000000000000082 RBX: ffff8801c517e840 RCX: 0000000000000000 + RDX: 0000000000000082 RSI: 1ffff1003b660e61 RDI: ffffed003b660e95 + RBP: ffff8801db307570 R08: 1ffff1003b660e23 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff85bd4020 + R13: ffffffff84754ed2 R14: 0000000000000014 R15: ffff8801c4e26540 + FS: 0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000463610 CR3: 00000001c6698000 CR4: 00000000001406e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + <IRQ> + skb_over_panic net/core/skbuff.c:109 [inline] + skb_put+0x181/0x1c0 net/core/skbuff.c:1694 + add_grhead.isra.24+0x42/0x3b0 net/ipv6/mcast.c:1695 + add_grec+0xa55/0x1060 net/ipv6/mcast.c:1817 + mld_send_cr net/ipv6/mcast.c:1903 [inline] + mld_ifc_timer_expire+0x4d2/0x770 net/ipv6/mcast.c:2448 + call_timer_fn+0x23b/0x840 kernel/time/timer.c:1320 + expire_timers kernel/time/timer.c:1357 [inline] + __run_timers+0x7e1/0xb60 kernel/time/timer.c:1660 + run_timer_softirq+0x4c/0xb0 kernel/time/timer.c:1686 + __do_softirq+0x29d/0xbb2 kernel/softirq.c:285 + invoke_softirq kernel/softirq.c:365 [inline] + irq_exit+0x1d3/0x210 kernel/softirq.c:405 + exiting_irq arch/x86/include/asm/apic.h:540 [inline] + smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052 + apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:920 + +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: syzbot <syzkaller@googlegroups.com> +Tested-by: Xin Long <lucien.xin@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c +index fc6d7d143f2c..844642682b83 100644 +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -1682,16 +1682,16 @@ static int grec_size(struct ifmcaddr6 *pmc, int type, int gdel, int sdel) + } + + static struct sk_buff *add_grhead(struct sk_buff *skb, struct ifmcaddr6 *pmc, +- int type, struct mld2_grec **ppgr) ++ int type, struct mld2_grec **ppgr, unsigned int mtu) + { +- struct net_device *dev = pmc->idev->dev; + struct mld2_report *pmr; + struct mld2_grec *pgr; + +- if (!skb) +- skb = mld_newpack(pmc->idev, dev->mtu); +- if (!skb) +- return NULL; ++ if (!skb) { ++ skb = mld_newpack(pmc->idev, mtu); ++ if (!skb) ++ return NULL; ++ } + pgr = skb_put(skb, sizeof(struct mld2_grec)); + pgr->grec_type = type; + pgr->grec_auxwords = 0; +@@ -1714,10 +1714,15 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc, + struct mld2_grec *pgr = NULL; + struct ip6_sf_list *psf, *psf_next, *psf_prev, **psf_list; + int scount, stotal, first, isquery, truncate; ++ unsigned int mtu; + + if (pmc->mca_flags & MAF_NOREPORT) + return skb; + ++ mtu = READ_ONCE(dev->mtu); ++ if (mtu < IPV6_MIN_MTU) ++ return skb; ++ + isquery = type == MLD2_MODE_IS_INCLUDE || + type == MLD2_MODE_IS_EXCLUDE; + truncate = type == MLD2_MODE_IS_EXCLUDE || +@@ -1738,7 +1743,7 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc, + AVAILABLE(skb) < grec_size(pmc, type, gdeleted, sdeleted)) { + if (skb) + mld_sendpack(skb); +- skb = mld_newpack(idev, dev->mtu); ++ skb = mld_newpack(idev, mtu); + } + } + first = 1; +@@ -1774,12 +1779,12 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc, + pgr->grec_nsrcs = htons(scount); + if (skb) + mld_sendpack(skb); +- skb = mld_newpack(idev, dev->mtu); ++ skb = mld_newpack(idev, mtu); + first = 1; + scount = 0; + } + if (first) { +- skb = add_grhead(skb, pmc, type, &pgr); ++ skb = add_grhead(skb, pmc, type, &pgr, mtu); + first = 0; + } + if (!skb) +@@ -1814,7 +1819,7 @@ empty_source: + mld_sendpack(skb); + skb = NULL; /* add_grhead will get a new one */ + } +- skb = add_grhead(skb, pmc, type, &pgr); ++ skb = add_grhead(skb, pmc, type, &pgr, mtu); + } + } + if (pgr) +-- +2.15.0 + diff --git a/queue/ipv6-set-all.accept_dad-to-0-by-default.patch b/queue/ipv6-set-all.accept_dad-to-0-by-default.patch new file mode 100644 index 0000000..c2e2b17 --- /dev/null +++ b/queue/ipv6-set-all.accept_dad-to-0-by-default.patch @@ -0,0 +1,65 @@ +From 094009531612246d9e13f9e0c3ae2205d7f63a0a Mon Sep 17 00:00:00 2001 +From: Nicolas Dichtel <nicolas.dichtel@6wind.com> +Date: Tue, 14 Nov 2017 14:21:32 +0100 +Subject: [PATCH] ipv6: set all.accept_dad to 0 by default + +commit 094009531612246d9e13f9e0c3ae2205d7f63a0a upstream. + +With commits 35e015e1f577 and a2d3f3e33853, the global 'accept_dad' flag +is also taken into account (default value is 1). If either global or +per-interface flag is non-zero, DAD will be enabled on a given interface. + +This is not backward compatible: before those patches, the user could +disable DAD just by setting the per-interface flag to 0. Now, the +user instead needs to set both flags to 0 to actually disable DAD. + +Restore the previous behaviour by setting the default for the global +'accept_dad' flag to 0. This way, DAD is still enabled by default, +as per-interface flags are set to 1 on device creation, but setting +them to 0 is enough to disable DAD on a given interface. + +- Before 35e015e1f57a7 and a2d3f3e33853: + global per-interface DAD enabled +[default] 1 1 yes + X 0 no + X 1 yes + +- After 35e015e1f577 and a2d3f3e33853: + global per-interface DAD enabled +[default] 1 1 yes + 0 0 no + 0 1 yes + 1 0 yes + +- After this fix: + global per-interface DAD enabled + 1 1 yes + 0 0 no +[default] 0 1 yes + 1 0 yes + +Fixes: 35e015e1f577 ("ipv6: fix net.ipv6.conf.all interface DAD handlers") +Fixes: a2d3f3e33853 ("ipv6: fix net.ipv6.conf.all.accept_dad behaviour for real") +CC: Stefano Brivio <sbrivio@redhat.com> +CC: Matteo Croce <mcroce@redhat.com> +CC: Erik Kline <ek@google.com> +Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> +Acked-by: Stefano Brivio <sbrivio@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index a6dffd65eb9d..a0ae1c9d37df 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -231,7 +231,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = { + .proxy_ndp = 0, + .accept_source_route = 0, /* we do not accept RH0 by default. */ + .disable_ipv6 = 0, +- .accept_dad = 1, ++ .accept_dad = 0, + .suppress_frag_ndisc = 1, + .accept_ra_mtu = 1, + .stable_secret = { +-- +2.15.0 + diff --git a/queue/iw_cxgb4-Only-validate-the-MSN-for-successful-comple.patch b/queue/iw_cxgb4-Only-validate-the-MSN-for-successful-comple.patch new file mode 100644 index 0000000..70b9a67 --- /dev/null +++ b/queue/iw_cxgb4-Only-validate-the-MSN-for-successful-comple.patch @@ -0,0 +1,36 @@ +From f55688c45442bc863f40ad678c638785b26cdce6 Mon Sep 17 00:00:00 2001 +From: Steve Wise <swise@opengridcomputing.com> +Date: Mon, 18 Dec 2017 13:10:00 -0800 +Subject: [PATCH] iw_cxgb4: Only validate the MSN for successful completions + +commit f55688c45442bc863f40ad678c638785b26cdce6 upstream. + +If the RECV CQE is in error, ignore the MSN check. This was causing +recvs that were flushed into the sw cq to be completed with the wrong +status (BAD_MSN instead of FLUSHED). + +Cc: stable@vger.kernel.org +Signed-off-by: Steve Wise <swise@opengridcomputing.com> +Signed-off-by: Jason Gunthorpe <jgg@mellanox.com> + +diff --git a/drivers/infiniband/hw/cxgb4/cq.c b/drivers/infiniband/hw/cxgb4/cq.c +index b7bfc536e00f..7ed87622e461 100644 +--- a/drivers/infiniband/hw/cxgb4/cq.c ++++ b/drivers/infiniband/hw/cxgb4/cq.c +@@ -571,10 +571,10 @@ static int poll_cq(struct t4_wq *wq, struct t4_cq *cq, struct t4_cqe *cqe, + ret = -EAGAIN; + goto skip_cqe; + } +- if (unlikely((CQE_WRID_MSN(hw_cqe) != (wq->rq.msn)))) { ++ if (unlikely(!CQE_STATUS(hw_cqe) && ++ CQE_WRID_MSN(hw_cqe) != wq->rq.msn)) { + t4_set_wq_in_error(wq); +- hw_cqe->header |= htonl(CQE_STATUS_V(T4_ERR_MSN)); +- goto proc_cqe; ++ hw_cqe->header |= cpu_to_be32(CQE_STATUS_V(T4_ERR_MSN)); + } + goto proc_cqe; + } +-- +2.15.0 + diff --git a/queue/kbuild-add-fno-stack-check-to-kernel-build-options.patch b/queue/kbuild-add-fno-stack-check-to-kernel-build-options.patch new file mode 100644 index 0000000..2f3ad56 --- /dev/null +++ b/queue/kbuild-add-fno-stack-check-to-kernel-build-options.patch @@ -0,0 +1,48 @@ +From 3ce120b16cc548472f80cf8644f90eda958cf1b6 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds <torvalds@linux-foundation.org> +Date: Fri, 29 Dec 2017 17:34:43 -0800 +Subject: [PATCH] kbuild: add '-fno-stack-check' to kernel build options +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 3ce120b16cc548472f80cf8644f90eda958cf1b6 upstream. + +It appears that hardened gentoo enables "-fstack-check" by default for +gcc. + +That doesn't work _at_all_ for the kernel, because the kernel stack +doesn't act like a user stack at all: it's much smaller, and it doesn't +auto-expand on use. So the extra "probe one page below the stack" code +generated by -fstack-check just breaks the kernel in horrible ways, +causing infinite double faults etc. + +[ I have to say, that the particular code gcc generates looks very + stupid even for user space where it works, but that's a separate + issue. ] + +Reported-and-tested-by: Alexander Tsoy <alexander@tsoy.me> +Reported-and-tested-by: Toralf Förster <toralf.foerster@gmx.de> +Cc: stable@kernel.org +Cc: Dave Hansen <dave.hansen@intel.com> +Cc: Jiri Kosina <jikos@kernel.org> +Cc: Andy Lutomirski <luto@amacapital.net> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> + +diff --git a/Makefile b/Makefile +index ac8c441866b7..92b74bcd3c2a 100644 +--- a/Makefile ++++ b/Makefile +@@ -789,6 +789,9 @@ KBUILD_CFLAGS += $(call cc-disable-warning, pointer-sign) + # disable invalid "can't wrap" optimizations for signed / pointers + KBUILD_CFLAGS += $(call cc-option,-fno-strict-overflow) + ++# Make sure -fstack-check isn't enabled (like gentoo apparently did) ++KBUILD_CFLAGS += $(call cc-option,-fno-stack-check,) ++ + # conserve stack if available + KBUILD_CFLAGS += $(call cc-option,-fconserve-stack) + +-- +2.15.0 + diff --git a/queue/mlxsw-spectrum-Disable-MAC-learning-for-ovs-port.patch b/queue/mlxsw-spectrum-Disable-MAC-learning-for-ovs-port.patch new file mode 100644 index 0000000..9d587eb --- /dev/null +++ b/queue/mlxsw-spectrum-Disable-MAC-learning-for-ovs-port.patch @@ -0,0 +1,66 @@ +From fccff0862838908d21eaf956d57e09c6c189f7c5 Mon Sep 17 00:00:00 2001 +From: Yuval Mintz <yuvalm@mellanox.com> +Date: Fri, 15 Dec 2017 08:44:21 +0100 +Subject: [PATCH] mlxsw: spectrum: Disable MAC learning for ovs port + +commit fccff0862838908d21eaf956d57e09c6c189f7c5 upstream. + +Learning is currently enabled for ports which are OVS slaves - +even though OVS doesn't need this indication. +Since we're not associating a fid with the port, HW would continuously +notify driver of learned [& aged] MACs which would be logged as errors. + +Fixes: 2b94e58df58c ("mlxsw: spectrum: Allow ports to work under OVS master") +Signed-off-by: Yuval Mintz <yuvalm@mellanox.com> +Reviewed-by: Ido Schimmel <idosch@mellanox.com> +Signed-off-by: Jiri Pirko <jiri@mellanox.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c +index 2d0897b7d860..9bd8d28de152 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c +@@ -4300,6 +4300,7 @@ static int mlxsw_sp_port_stp_set(struct mlxsw_sp_port *mlxsw_sp_port, + + static int mlxsw_sp_port_ovs_join(struct mlxsw_sp_port *mlxsw_sp_port) + { ++ u16 vid = 1; + int err; + + err = mlxsw_sp_port_vp_mode_set(mlxsw_sp_port, true); +@@ -4312,8 +4313,19 @@ static int mlxsw_sp_port_ovs_join(struct mlxsw_sp_port *mlxsw_sp_port) + true, false); + if (err) + goto err_port_vlan_set; ++ ++ for (; vid <= VLAN_N_VID - 1; vid++) { ++ err = mlxsw_sp_port_vid_learning_set(mlxsw_sp_port, ++ vid, false); ++ if (err) ++ goto err_vid_learning_set; ++ } ++ + return 0; + ++err_vid_learning_set: ++ for (vid--; vid >= 1; vid--) ++ mlxsw_sp_port_vid_learning_set(mlxsw_sp_port, vid, true); + err_port_vlan_set: + mlxsw_sp_port_stp_set(mlxsw_sp_port, false); + err_port_stp_set: +@@ -4323,6 +4335,12 @@ err_port_stp_set: + + static void mlxsw_sp_port_ovs_leave(struct mlxsw_sp_port *mlxsw_sp_port) + { ++ u16 vid; ++ ++ for (vid = VLAN_N_VID - 1; vid >= 1; vid--) ++ mlxsw_sp_port_vid_learning_set(mlxsw_sp_port, ++ vid, true); ++ + mlxsw_sp_port_vlan_set(mlxsw_sp_port, 2, VLAN_N_VID - 1, + false, false); + mlxsw_sp_port_stp_set(mlxsw_sp_port, false); +-- +2.15.0 + diff --git a/queue/n_tty-fix-EXTPROC-vs-ICANON-interaction-with-TIOCINQ.patch b/queue/n_tty-fix-EXTPROC-vs-ICANON-interaction-with-TIOCINQ.patch new file mode 100644 index 0000000..cc7d411 --- /dev/null +++ b/queue/n_tty-fix-EXTPROC-vs-ICANON-interaction-with-TIOCINQ.patch @@ -0,0 +1,64 @@ +From 966031f340185eddd05affcf72b740549f056348 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds <torvalds@linux-foundation.org> +Date: Wed, 20 Dec 2017 17:57:06 -0800 +Subject: [PATCH] n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka + FIONREAD) + +commit 966031f340185eddd05affcf72b740549f056348 upstream. + +We added support for EXTPROC back in 2010 in commit 26df6d13406d ("tty: +Add EXTPROC support for LINEMODE") and the intent was to allow it to +override some (all?) ICANON behavior. Quoting from that original commit +message: + + There is a new bit in the termios local flag word, EXTPROC. + When this bit is set, several aspects of the terminal driver + are disabled. Input line editing, character echo, and mapping + of signals are all disabled. This allows the telnetd to turn + off these functions when in linemode, but still keep track of + what state the user wants the terminal to be in. + +but the problem turns out that "several aspects of the terminal driver +are disabled" is a bit ambiguous, and you can really confuse the n_tty +layer by setting EXTPROC and then causing some of the ICANON invariants +to no longer be maintained. + +This fixes at least one such case (TIOCINQ) becoming unhappy because of +the confusion over whether ICANON really means ICANON when EXTPROC is set. + +This basically makes TIOCINQ match the case of read: if EXTPROC is set, +we ignore ICANON. Also, make sure to reset the ICANON state ie EXTPROC +changes, not just if ICANON changes. + +Fixes: 26df6d13406d ("tty: Add EXTPROC support for LINEMODE") +Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> +Reported-by: syzkaller <syzkaller@googlegroups.com> +Cc: Jiri Slaby <jslaby@suse.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c +index 427e0d5d8f13..539b49adb6af 100644 +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -1762,7 +1762,7 @@ static void n_tty_set_termios(struct tty_struct *tty, struct ktermios *old) + { + struct n_tty_data *ldata = tty->disc_data; + +- if (!old || (old->c_lflag ^ tty->termios.c_lflag) & ICANON) { ++ if (!old || (old->c_lflag ^ tty->termios.c_lflag) & (ICANON | EXTPROC)) { + bitmap_zero(ldata->read_flags, N_TTY_BUF_SIZE); + ldata->line_start = ldata->read_tail; + if (!L_ICANON(tty) || !read_cnt(ldata)) { +@@ -2425,7 +2425,7 @@ static int n_tty_ioctl(struct tty_struct *tty, struct file *file, + return put_user(tty_chars_in_buffer(tty), (int __user *) arg); + case TIOCINQ: + down_write(&tty->termios_rwsem); +- if (L_ICANON(tty)) ++ if (L_ICANON(tty) && !L_EXTPROC(tty)) + retval = inq_canon(ldata); + else + retval = read_cnt(ldata); +-- +2.15.0 + diff --git a/queue/net-bridge-fix-early-call-to-br_stp_change_bridge_id.patch b/queue/net-bridge-fix-early-call-to-br_stp_change_bridge_id.patch new file mode 100644 index 0000000..60f7f2c --- /dev/null +++ b/queue/net-bridge-fix-early-call-to-br_stp_change_bridge_id.patch @@ -0,0 +1,93 @@ +From 84aeb437ab98a2bce3d4b2111c79723aedfceb33 Mon Sep 17 00:00:00 2001 +From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> +Date: Mon, 18 Dec 2017 17:35:09 +0200 +Subject: [PATCH] net: bridge: fix early call to br_stp_change_bridge_id and + plug newlink leaks + +commit 84aeb437ab98a2bce3d4b2111c79723aedfceb33 upstream. + +The early call to br_stp_change_bridge_id in bridge's newlink can cause +a memory leak if an error occurs during the newlink because the fdb +entries are not cleaned up if a different lladdr was specified, also +another minor issue is that it generates fdb notifications with +ifindex = 0. Another unrelated memory leak is the bridge sysfs entries +which get added on NETDEV_REGISTER event, but are not cleaned up in the +newlink error path. To remove this special case the call to +br_stp_change_bridge_id is done after netdev register and we cleanup the +bridge on changelink error via br_dev_delete to plug all leaks. + +This patch makes netlink bridge destruction on newlink error the same as +dellink and ioctl del which is necessary since at that point we have a +fully initialized bridge device. + +To reproduce the issue: +$ ip l add br0 address 00:11:22:33:44:55 type bridge group_fwd_mask 1 +RTNETLINK answers: Invalid argument + +$ rmmod bridge +[ 1822.142525] ============================================================================= +[ 1822.143640] BUG bridge_fdb_cache (Tainted: G O ): Objects remaining in bridge_fdb_cache on __kmem_cache_shutdown() +[ 1822.144821] ----------------------------------------------------------------------------- + +[ 1822.145990] Disabling lock debugging due to kernel taint +[ 1822.146732] INFO: Slab 0x0000000092a844b2 objects=32 used=2 fp=0x00000000fef011b0 flags=0x1ffff8000000100 +[ 1822.147700] CPU: 2 PID: 13584 Comm: rmmod Tainted: G B O 4.15.0-rc2+ #87 +[ 1822.148578] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 +[ 1822.150008] Call Trace: +[ 1822.150510] dump_stack+0x78/0xa9 +[ 1822.151156] slab_err+0xb1/0xd3 +[ 1822.151834] ? __kmalloc+0x1bb/0x1ce +[ 1822.152546] __kmem_cache_shutdown+0x151/0x28b +[ 1822.153395] shutdown_cache+0x13/0x144 +[ 1822.154126] kmem_cache_destroy+0x1c0/0x1fb +[ 1822.154669] SyS_delete_module+0x194/0x244 +[ 1822.155199] ? trace_hardirqs_on_thunk+0x1a/0x1c +[ 1822.155773] entry_SYSCALL_64_fastpath+0x23/0x9a +[ 1822.156343] RIP: 0033:0x7f929bd38b17 +[ 1822.156859] RSP: 002b:00007ffd160e9a98 EFLAGS: 00000202 ORIG_RAX: 00000000000000b0 +[ 1822.157728] RAX: ffffffffffffffda RBX: 00005578316ba090 RCX: 00007f929bd38b17 +[ 1822.158422] RDX: 00007f929bd9ec60 RSI: 0000000000000800 RDI: 00005578316ba0f0 +[ 1822.159114] RBP: 0000000000000003 R08: 00007f929bff5f20 R09: 00007ffd160e8a11 +[ 1822.159808] R10: 00007ffd160e9860 R11: 0000000000000202 R12: 00007ffd160e8a80 +[ 1822.160513] R13: 0000000000000000 R14: 0000000000000000 R15: 00005578316ba090 +[ 1822.161278] INFO: Object 0x000000007645de29 @offset=0 +[ 1822.161666] INFO: Object 0x00000000d5df2ab5 @offset=128 + +Fixes: 30313a3d5794 ("bridge: Handle IFLA_ADDRESS correctly when creating bridge device") +Fixes: 5b8d5429daa0 ("bridge: netlink: register netdevice before executing changelink") +Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c +index d0ef0a8e8831..015f465c514b 100644 +--- a/net/bridge/br_netlink.c ++++ b/net/bridge/br_netlink.c +@@ -1262,19 +1262,20 @@ static int br_dev_newlink(struct net *src_net, struct net_device *dev, + struct net_bridge *br = netdev_priv(dev); + int err; + ++ err = register_netdevice(dev); ++ if (err) ++ return err; ++ + if (tb[IFLA_ADDRESS]) { + spin_lock_bh(&br->lock); + br_stp_change_bridge_id(br, nla_data(tb[IFLA_ADDRESS])); + spin_unlock_bh(&br->lock); + } + +- err = register_netdevice(dev); +- if (err) +- return err; +- + err = br_changelink(dev, tb, data, extack); + if (err) +- unregister_netdevice(dev); ++ br_dev_delete(dev, NULL); ++ + return err; + } + +-- +2.15.0 + diff --git a/queue/net-dsa-bcm_sf2-Clear-IDDQ_GLOBAL_PWR-bit-for-PHY.patch b/queue/net-dsa-bcm_sf2-Clear-IDDQ_GLOBAL_PWR-bit-for-PHY.patch new file mode 100644 index 0000000..fdbcd09 --- /dev/null +++ b/queue/net-dsa-bcm_sf2-Clear-IDDQ_GLOBAL_PWR-bit-for-PHY.patch @@ -0,0 +1,31 @@ +From 4b52d010113e11006a389f2a8315167ede9e0b10 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli <f.fainelli@gmail.com> +Date: Tue, 21 Nov 2017 17:37:46 -0800 +Subject: [PATCH] net: dsa: bcm_sf2: Clear IDDQ_GLOBAL_PWR bit for PHY + +commit 4b52d010113e11006a389f2a8315167ede9e0b10 upstream. + +The PHY on BCM7278 has an additional bit that needs to be cleared: +IDDQ_GLOBAL_PWR, without doing this, the PHY remains stuck in reset out +of suspend/resume cycles. + +Fixes: 0fe9933804eb ("net: dsa: bcm_sf2: Add support for BCM7278 integrated switch") +Signed-off-by: Florian Fainelli <f.fainelli@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c +index 93faa1fed6f2..ea01f24f15e7 100644 +--- a/drivers/net/dsa/bcm_sf2.c ++++ b/drivers/net/dsa/bcm_sf2.c +@@ -95,7 +95,7 @@ static void bcm_sf2_gphy_enable_set(struct dsa_switch *ds, bool enable) + reg = reg_readl(priv, REG_SPHY_CNTRL); + if (enable) { + reg |= PHY_RESET; +- reg &= ~(EXT_PWR_DOWN | IDDQ_BIAS | CK25_DIS); ++ reg &= ~(EXT_PWR_DOWN | IDDQ_BIAS | IDDQ_GLOBAL_PWR | CK25_DIS); + reg_writel(priv, reg, REG_SPHY_CNTRL); + udelay(21); + reg = reg_readl(priv, REG_SPHY_CNTRL); +-- +2.15.0 + diff --git a/queue/net-fec-unmap-the-xmit-buffer-that-are-not-transferr.patch b/queue/net-fec-unmap-the-xmit-buffer-that-are-not-transferr.patch new file mode 100644 index 0000000..c1e7067 --- /dev/null +++ b/queue/net-fec-unmap-the-xmit-buffer-that-are-not-transferr.patch @@ -0,0 +1,44 @@ +From 178e5f57a8d8f8fc5799a624b96fc31ef9a29ffa Mon Sep 17 00:00:00 2001 +From: Fugang Duan <fugang.duan@nxp.com> +Date: Fri, 22 Dec 2017 17:12:09 +0800 +Subject: [PATCH] net: fec: unmap the xmit buffer that are not transferred by + DMA + +commit 178e5f57a8d8f8fc5799a624b96fc31ef9a29ffa upstream. + +The enet IP only support 32 bit, it will use swiotlb buffer to do dma +mapping when xmit buffer DMA memory address is bigger than 4G in i.MX +platform. After stress suspend/resume test, it will print out: + +log: +[12826.352864] fec 5b040000.ethernet: swiotlb buffer is full (sz: 191 bytes) +[12826.359676] DMA: Out of SW-IOMMU space for 191 bytes at device 5b040000.ethernet +[12826.367110] fec 5b040000.ethernet eth0: Tx DMA memory map failed + +The issue is that the ready xmit buffers that are dma mapped but DMA still +don't copy them into fifo, once MAC restart, these DMA buffers are not unmapped. +So it should check the dma mapping buffer and unmap them. + +Signed-off-by: Fugang Duan <fugang.duan@nxp.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index 610573855213..8184d2fca9be 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -818,6 +818,12 @@ static void fec_enet_bd_init(struct net_device *dev) + for (i = 0; i < txq->bd.ring_size; i++) { + /* Initialize the BD for every fragment in the page. */ + bdp->cbd_sc = cpu_to_fec16(0); ++ if (bdp->cbd_bufaddr && ++ !IS_TSO_HEADER(txq, fec32_to_cpu(bdp->cbd_bufaddr))) ++ dma_unmap_single(&fep->pdev->dev, ++ fec32_to_cpu(bdp->cbd_bufaddr), ++ fec16_to_cpu(bdp->cbd_datlen), ++ DMA_TO_DEVICE); + if (txq->tx_skbuff[i]) { + dev_kfree_skb_any(txq->tx_skbuff[i]); + txq->tx_skbuff[i] = NULL; +-- +2.15.0 + diff --git a/queue/net-igmp-Use-correct-source-address-on-IGMPv3-report.patch b/queue/net-igmp-Use-correct-source-address-on-IGMPv3-report.patch new file mode 100644 index 0000000..fecf122 --- /dev/null +++ b/queue/net-igmp-Use-correct-source-address-on-IGMPv3-report.patch @@ -0,0 +1,86 @@ +From a46182b00290839fa3fa159d54fd3237bd8669f0 Mon Sep 17 00:00:00 2001 +From: Kevin Cernekee <cernekee@chromium.org> +Date: Mon, 11 Dec 2017 11:13:45 -0800 +Subject: [PATCH] net: igmp: Use correct source address on IGMPv3 reports + +commit a46182b00290839fa3fa159d54fd3237bd8669f0 upstream. + +Closing a multicast socket after the final IPv4 address is deleted +from an interface can generate a membership report that uses the +source IP from a different interface. The following test script, run +from an isolated netns, reproduces the issue: + + #!/bin/bash + + ip link add dummy0 type dummy + ip link add dummy1 type dummy + ip link set dummy0 up + ip link set dummy1 up + ip addr add 10.1.1.1/24 dev dummy0 + ip addr add 192.168.99.99/24 dev dummy1 + + tcpdump -U -i dummy0 & + socat EXEC:"sleep 2" \ + UDP4-DATAGRAM:239.101.1.68:8889,ip-add-membership=239.0.1.68:10.1.1.1 & + + sleep 1 + ip addr del 10.1.1.1/24 dev dummy0 + sleep 5 + kill %tcpdump + +RFC 3376 specifies that the report must be sent with a valid IP source +address from the destination subnet, or from address 0.0.0.0. Add an +extra check to make sure this is the case. + +Signed-off-by: Kevin Cernekee <cernekee@chromium.org> +Reviewed-by: Andrew Lunn <andrew@lunn.ch> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c +index 50448a220a1f..726f6b608274 100644 +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -89,6 +89,7 @@ + #include <linux/rtnetlink.h> + #include <linux/times.h> + #include <linux/pkt_sched.h> ++#include <linux/byteorder/generic.h> + + #include <net/net_namespace.h> + #include <net/arp.h> +@@ -321,6 +322,23 @@ igmp_scount(struct ip_mc_list *pmc, int type, int gdeleted, int sdeleted) + return scount; + } + ++/* source address selection per RFC 3376 section 4.2.13 */ ++static __be32 igmpv3_get_srcaddr(struct net_device *dev, ++ const struct flowi4 *fl4) ++{ ++ struct in_device *in_dev = __in_dev_get_rcu(dev); ++ ++ if (!in_dev) ++ return htonl(INADDR_ANY); ++ ++ for_ifa(in_dev) { ++ if (inet_ifa_match(fl4->saddr, ifa)) ++ return fl4->saddr; ++ } endfor_ifa(in_dev); ++ ++ return htonl(INADDR_ANY); ++} ++ + static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu) + { + struct sk_buff *skb; +@@ -368,7 +386,7 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu) + pip->frag_off = htons(IP_DF); + pip->ttl = 1; + pip->daddr = fl4.daddr; +- pip->saddr = fl4.saddr; ++ pip->saddr = igmpv3_get_srcaddr(dev, &fl4); + pip->protocol = IPPROTO_IGMP; + pip->tot_len = 0; /* filled in later */ + ip_select_ident(net, skb, NULL); +-- +2.15.0 + diff --git a/queue/net-mlx5-FPGA-return-EINVAL-if-size-is-zero.patch b/queue/net-mlx5-FPGA-return-EINVAL-if-size-is-zero.patch new file mode 100644 index 0000000..595173e --- /dev/null +++ b/queue/net-mlx5-FPGA-return-EINVAL-if-size-is-zero.patch @@ -0,0 +1,51 @@ +From bae115a2bb479142605726e6aa130f43f50e801a Mon Sep 17 00:00:00 2001 +From: Kamal Heib <kamalh@mellanox.com> +Date: Sun, 29 Oct 2017 04:03:37 +0200 +Subject: [PATCH] net/mlx5: FPGA, return -EINVAL if size is zero + +commit bae115a2bb479142605726e6aa130f43f50e801a upstream. + +Currently, if a size of zero is passed to +mlx5_fpga_mem_{read|write}_i2c() +the "err" return value will not be initialized, which triggers gcc +warnings: + +[..]/mlx5/core/fpga/sdk.c:87 mlx5_fpga_mem_read_i2c() error: +uninitialized symbol 'err'. +[..]/mlx5/core/fpga/sdk.c:115 mlx5_fpga_mem_write_i2c() error: +uninitialized symbol 'err'. + +fix that. + +Fixes: a9956d35d199 ('net/mlx5: FPGA, Add SBU infrastructure') +Signed-off-by: Kamal Heib <kamalh@mellanox.com> +Reviewed-by: Yevgeny Kliteynik <kliteyn@mellanox.com> +Signed-off-by: Saeed Mahameed <saeedm@mellanox.com> + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/sdk.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/sdk.c +index 3c11d6e2160a..14962969c5ba 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/sdk.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/sdk.c +@@ -66,6 +66,9 @@ static int mlx5_fpga_mem_read_i2c(struct mlx5_fpga_device *fdev, size_t size, + u8 actual_size; + int err; + ++ if (!size) ++ return -EINVAL; ++ + if (!fdev->mdev) + return -ENOTCONN; + +@@ -95,6 +98,9 @@ static int mlx5_fpga_mem_write_i2c(struct mlx5_fpga_device *fdev, size_t size, + u8 actual_size; + int err; + ++ if (!size) ++ return -EINVAL; ++ + if (!fdev->mdev) + return -ENOTCONN; + +-- +2.15.0 + diff --git a/queue/net-mlx5-Fix-error-flow-in-CREATE_QP-command.patch b/queue/net-mlx5-Fix-error-flow-in-CREATE_QP-command.patch new file mode 100644 index 0000000..141ba9a --- /dev/null +++ b/queue/net-mlx5-Fix-error-flow-in-CREATE_QP-command.patch @@ -0,0 +1,33 @@ +From dbff26e44dc3ec4de6578733b054a0114652a764 Mon Sep 17 00:00:00 2001 +From: Moni Shoua <monis@mellanox.com> +Date: Mon, 4 Dec 2017 08:59:25 +0200 +Subject: [PATCH] net/mlx5: Fix error flow in CREATE_QP command + +commit dbff26e44dc3ec4de6578733b054a0114652a764 upstream. + +In error flow, when DESTROY_QP command should be executed, the wrong +mailbox was set with data, not the one that is written to hardware, +Fix that. + +Fixes: 09a7d9eca1a6 '{net,IB}/mlx5: QP/XRCD commands via mlx5 ifc' +Signed-off-by: Moni Shoua <monis@mellanox.com> +Signed-off-by: Saeed Mahameed <saeedm@mellanox.com> + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/qp.c b/drivers/net/ethernet/mellanox/mlx5/core/qp.c +index db9e665ab104..889130edb715 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/qp.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/qp.c +@@ -213,8 +213,8 @@ int mlx5_core_create_qp(struct mlx5_core_dev *dev, + err_cmd: + memset(din, 0, sizeof(din)); + memset(dout, 0, sizeof(dout)); +- MLX5_SET(destroy_qp_in, in, opcode, MLX5_CMD_OP_DESTROY_QP); +- MLX5_SET(destroy_qp_in, in, qpn, qp->qpn); ++ MLX5_SET(destroy_qp_in, din, opcode, MLX5_CMD_OP_DESTROY_QP); ++ MLX5_SET(destroy_qp_in, din, qpn, qp->qpn); + mlx5_cmd_exec(dev, din, sizeof(din), dout, sizeof(dout)); + return err; + } +-- +2.15.0 + diff --git a/queue/net-mlx5-Fix-rate-limit-packet-pacing-naming-and-str.patch b/queue/net-mlx5-Fix-rate-limit-packet-pacing-naming-and-str.patch new file mode 100644 index 0000000..2300283 --- /dev/null +++ b/queue/net-mlx5-Fix-rate-limit-packet-pacing-naming-and-str.patch @@ -0,0 +1,141 @@ +From 37e92a9d4fe38dc3e7308913575983a6a088c8d4 Mon Sep 17 00:00:00 2001 +From: Eran Ben Elisha <eranbe@mellanox.com> +Date: Mon, 13 Nov 2017 10:11:27 +0200 +Subject: [PATCH] net/mlx5: Fix rate limit packet pacing naming and struct + +commit 37e92a9d4fe38dc3e7308913575983a6a088c8d4 upstream. + +In mlx5_ifc, struct size was not complete, and thus driver was sending +garbage after the last defined field. Fixed it by adding reserved field +to complete the struct size. + +In addition, rename all set_rate_limit to set_pp_rate_limit to be +compliant with the Firmware <-> Driver definition. + +Fixes: 7486216b3a0b ("{net,IB}/mlx5: mlx5_ifc updates") +Fixes: 1466cc5b23d1 ("net/mlx5: Rate limit tables support") +Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com> +Signed-off-by: Saeed Mahameed <saeedm@mellanox.com> + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index 1fffdebbc9e8..e9a1fbcc4adf 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -362,7 +362,7 @@ static int mlx5_internal_err_ret_value(struct mlx5_core_dev *dev, u16 op, + case MLX5_CMD_OP_QUERY_VPORT_COUNTER: + case MLX5_CMD_OP_ALLOC_Q_COUNTER: + case MLX5_CMD_OP_QUERY_Q_COUNTER: +- case MLX5_CMD_OP_SET_RATE_LIMIT: ++ case MLX5_CMD_OP_SET_PP_RATE_LIMIT: + case MLX5_CMD_OP_QUERY_RATE_LIMIT: + case MLX5_CMD_OP_CREATE_SCHEDULING_ELEMENT: + case MLX5_CMD_OP_QUERY_SCHEDULING_ELEMENT: +@@ -505,7 +505,7 @@ const char *mlx5_command_str(int command) + MLX5_COMMAND_STR_CASE(ALLOC_Q_COUNTER); + MLX5_COMMAND_STR_CASE(DEALLOC_Q_COUNTER); + MLX5_COMMAND_STR_CASE(QUERY_Q_COUNTER); +- MLX5_COMMAND_STR_CASE(SET_RATE_LIMIT); ++ MLX5_COMMAND_STR_CASE(SET_PP_RATE_LIMIT); + MLX5_COMMAND_STR_CASE(QUERY_RATE_LIMIT); + MLX5_COMMAND_STR_CASE(CREATE_SCHEDULING_ELEMENT); + MLX5_COMMAND_STR_CASE(DESTROY_SCHEDULING_ELEMENT); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/rl.c b/drivers/net/ethernet/mellanox/mlx5/core/rl.c +index e651e4c02867..d3c33e9eea72 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/rl.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/rl.c +@@ -125,16 +125,16 @@ static struct mlx5_rl_entry *find_rl_entry(struct mlx5_rl_table *table, + return ret_entry; + } + +-static int mlx5_set_rate_limit_cmd(struct mlx5_core_dev *dev, ++static int mlx5_set_pp_rate_limit_cmd(struct mlx5_core_dev *dev, + u32 rate, u16 index) + { +- u32 in[MLX5_ST_SZ_DW(set_rate_limit_in)] = {0}; +- u32 out[MLX5_ST_SZ_DW(set_rate_limit_out)] = {0}; ++ u32 in[MLX5_ST_SZ_DW(set_pp_rate_limit_in)] = {0}; ++ u32 out[MLX5_ST_SZ_DW(set_pp_rate_limit_out)] = {0}; + +- MLX5_SET(set_rate_limit_in, in, opcode, +- MLX5_CMD_OP_SET_RATE_LIMIT); +- MLX5_SET(set_rate_limit_in, in, rate_limit_index, index); +- MLX5_SET(set_rate_limit_in, in, rate_limit, rate); ++ MLX5_SET(set_pp_rate_limit_in, in, opcode, ++ MLX5_CMD_OP_SET_PP_RATE_LIMIT); ++ MLX5_SET(set_pp_rate_limit_in, in, rate_limit_index, index); ++ MLX5_SET(set_pp_rate_limit_in, in, rate_limit, rate); + return mlx5_cmd_exec(dev, in, sizeof(in), out, sizeof(out)); + } + +@@ -173,7 +173,7 @@ int mlx5_rl_add_rate(struct mlx5_core_dev *dev, u32 rate, u16 *index) + entry->refcount++; + } else { + /* new rate limit */ +- err = mlx5_set_rate_limit_cmd(dev, rate, entry->index); ++ err = mlx5_set_pp_rate_limit_cmd(dev, rate, entry->index); + if (err) { + mlx5_core_err(dev, "Failed configuring rate: %u (%d)\n", + rate, err); +@@ -209,7 +209,7 @@ void mlx5_rl_remove_rate(struct mlx5_core_dev *dev, u32 rate) + entry->refcount--; + if (!entry->refcount) { + /* need to remove rate */ +- mlx5_set_rate_limit_cmd(dev, 0, entry->index); ++ mlx5_set_pp_rate_limit_cmd(dev, 0, entry->index); + entry->rate = 0; + } + +@@ -262,8 +262,8 @@ void mlx5_cleanup_rl_table(struct mlx5_core_dev *dev) + /* Clear all configured rates */ + for (i = 0; i < table->max_size; i++) + if (table->rl_entry[i].rate) +- mlx5_set_rate_limit_cmd(dev, 0, +- table->rl_entry[i].index); ++ mlx5_set_pp_rate_limit_cmd(dev, 0, ++ table->rl_entry[i].index); + + kfree(dev->priv.rl_table.rl_entry); + } +diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h +index 38a7577a9ce7..d44ec5f41d4a 100644 +--- a/include/linux/mlx5/mlx5_ifc.h ++++ b/include/linux/mlx5/mlx5_ifc.h +@@ -147,7 +147,7 @@ enum { + MLX5_CMD_OP_ALLOC_Q_COUNTER = 0x771, + MLX5_CMD_OP_DEALLOC_Q_COUNTER = 0x772, + MLX5_CMD_OP_QUERY_Q_COUNTER = 0x773, +- MLX5_CMD_OP_SET_RATE_LIMIT = 0x780, ++ MLX5_CMD_OP_SET_PP_RATE_LIMIT = 0x780, + MLX5_CMD_OP_QUERY_RATE_LIMIT = 0x781, + MLX5_CMD_OP_CREATE_SCHEDULING_ELEMENT = 0x782, + MLX5_CMD_OP_DESTROY_SCHEDULING_ELEMENT = 0x783, +@@ -7239,7 +7239,7 @@ struct mlx5_ifc_add_vxlan_udp_dport_in_bits { + u8 vxlan_udp_port[0x10]; + }; + +-struct mlx5_ifc_set_rate_limit_out_bits { ++struct mlx5_ifc_set_pp_rate_limit_out_bits { + u8 status[0x8]; + u8 reserved_at_8[0x18]; + +@@ -7248,7 +7248,7 @@ struct mlx5_ifc_set_rate_limit_out_bits { + u8 reserved_at_40[0x40]; + }; + +-struct mlx5_ifc_set_rate_limit_in_bits { ++struct mlx5_ifc_set_pp_rate_limit_in_bits { + u8 opcode[0x10]; + u8 reserved_at_10[0x10]; + +@@ -7261,6 +7261,8 @@ struct mlx5_ifc_set_rate_limit_in_bits { + u8 reserved_at_60[0x20]; + + u8 rate_limit[0x20]; ++ ++ u8 reserved_at_a0[0x160]; + }; + + struct mlx5_ifc_access_register_out_bits { +-- +2.15.0 + diff --git a/queue/net-mlx5e-Add-refcount-to-VXLAN-structure.patch b/queue/net-mlx5e-Add-refcount-to-VXLAN-structure.patch new file mode 100644 index 0000000..f60418e --- /dev/null +++ b/queue/net-mlx5e-Add-refcount-to-VXLAN-structure.patch @@ -0,0 +1,131 @@ +From 23f4cc2cd9ed92570647220aca60d0197d8c1fa9 Mon Sep 17 00:00:00 2001 +From: Gal Pressman <galp@mellanox.com> +Date: Sun, 3 Dec 2017 13:58:50 +0200 +Subject: [PATCH] net/mlx5e: Add refcount to VXLAN structure + +commit 23f4cc2cd9ed92570647220aca60d0197d8c1fa9 upstream. + +A refcount mechanism must be implemented in order to prevent unwanted +scenarios such as: +- Open an IPv4 VXLAN interface +- Open an IPv6 VXLAN interface (different socket) +- Remove one of the interfaces + +With current implementation, the UDP port will be removed from our VXLAN +database and turn off the offloads for the other interface, which is +still active. +The reference count mechanism will only allow UDP port removals once all +consumers are gone. + +Fixes: b3f63c3d5e2c ("net/mlx5e: Add netdev support for VXLAN tunneling") +Signed-off-by: Gal Pressman <galp@mellanox.com> +Signed-off-by: Saeed Mahameed <saeedm@mellanox.com> + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vxlan.c b/drivers/net/ethernet/mellanox/mlx5/core/vxlan.c +index f8238275759f..25f782344667 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/vxlan.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/vxlan.c +@@ -88,8 +88,11 @@ static void mlx5e_vxlan_add_port(struct work_struct *work) + struct mlx5e_vxlan *vxlan; + int err; + +- if (mlx5e_vxlan_lookup_port(priv, port)) ++ vxlan = mlx5e_vxlan_lookup_port(priv, port); ++ if (vxlan) { ++ atomic_inc(&vxlan->refcount); + goto free_work; ++ } + + if (mlx5e_vxlan_core_add_port_cmd(priv->mdev, port)) + goto free_work; +@@ -99,6 +102,7 @@ static void mlx5e_vxlan_add_port(struct work_struct *work) + goto err_delete_port; + + vxlan->udp_port = port; ++ atomic_set(&vxlan->refcount, 1); + + spin_lock_bh(&vxlan_db->lock); + err = radix_tree_insert(&vxlan_db->tree, vxlan->udp_port, vxlan); +@@ -116,32 +120,33 @@ free_work: + kfree(vxlan_work); + } + +-static void __mlx5e_vxlan_core_del_port(struct mlx5e_priv *priv, u16 port) ++static void mlx5e_vxlan_del_port(struct work_struct *work) + { ++ struct mlx5e_vxlan_work *vxlan_work = ++ container_of(work, struct mlx5e_vxlan_work, work); ++ struct mlx5e_priv *priv = vxlan_work->priv; + struct mlx5e_vxlan_db *vxlan_db = &priv->vxlan; ++ u16 port = vxlan_work->port; + struct mlx5e_vxlan *vxlan; ++ bool remove = false; + + spin_lock_bh(&vxlan_db->lock); +- vxlan = radix_tree_delete(&vxlan_db->tree, port); +- spin_unlock_bh(&vxlan_db->lock); +- ++ vxlan = radix_tree_lookup(&vxlan_db->tree, port); + if (!vxlan) +- return; +- +- mlx5e_vxlan_core_del_port_cmd(priv->mdev, vxlan->udp_port); +- +- kfree(vxlan); +-} ++ goto out_unlock; + +-static void mlx5e_vxlan_del_port(struct work_struct *work) +-{ +- struct mlx5e_vxlan_work *vxlan_work = +- container_of(work, struct mlx5e_vxlan_work, work); +- struct mlx5e_priv *priv = vxlan_work->priv; +- u16 port = vxlan_work->port; ++ if (atomic_dec_and_test(&vxlan->refcount)) { ++ radix_tree_delete(&vxlan_db->tree, port); ++ remove = true; ++ } + +- __mlx5e_vxlan_core_del_port(priv, port); ++out_unlock: ++ spin_unlock_bh(&vxlan_db->lock); + ++ if (remove) { ++ mlx5e_vxlan_core_del_port_cmd(priv->mdev, port); ++ kfree(vxlan); ++ } + kfree(vxlan_work); + } + +@@ -171,12 +176,11 @@ void mlx5e_vxlan_cleanup(struct mlx5e_priv *priv) + struct mlx5e_vxlan *vxlan; + unsigned int port = 0; + +- spin_lock_bh(&vxlan_db->lock); ++ /* Lockless since we are the only radix-tree consumers, wq is disabled */ + while (radix_tree_gang_lookup(&vxlan_db->tree, (void **)&vxlan, port, 1)) { + port = vxlan->udp_port; +- spin_unlock_bh(&vxlan_db->lock); +- __mlx5e_vxlan_core_del_port(priv, (u16)port); +- spin_lock_bh(&vxlan_db->lock); ++ radix_tree_delete(&vxlan_db->tree, port); ++ mlx5e_vxlan_core_del_port_cmd(priv->mdev, port); ++ kfree(vxlan); + } +- spin_unlock_bh(&vxlan_db->lock); + } +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vxlan.h b/drivers/net/ethernet/mellanox/mlx5/core/vxlan.h +index 5def12c048e3..5ef6ae7d568a 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/vxlan.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/vxlan.h +@@ -36,6 +36,7 @@ + #include "en.h" + + struct mlx5e_vxlan { ++ atomic_t refcount; + u16 udp_port; + }; + +-- +2.15.0 + diff --git a/queue/net-mlx5e-Fix-features-check-of-IPv6-traffic.patch b/queue/net-mlx5e-Fix-features-check-of-IPv6-traffic.patch new file mode 100644 index 0000000..f40b46d --- /dev/null +++ b/queue/net-mlx5e-Fix-features-check-of-IPv6-traffic.patch @@ -0,0 +1,48 @@ +From 2989ad1ec03021ee6d2193c35414f1d970a243de Mon Sep 17 00:00:00 2001 +From: Gal Pressman <galp@mellanox.com> +Date: Tue, 21 Nov 2017 17:49:36 +0200 +Subject: [PATCH] net/mlx5e: Fix features check of IPv6 traffic + +commit 2989ad1ec03021ee6d2193c35414f1d970a243de upstream. + +The assumption that the next header field contains the transport +protocol is wrong for IPv6 packets with extension headers. +Instead, we should look the inner-most next header field in the buffer. +This will fix TSO offload for tunnels over IPv6 with extension headers. + +Performance testing: 19.25x improvement, cool! +Measuring bandwidth of 16 threads TCP traffic over IPv6 GRE tap. +CPU: Intel(R) Xeon(R) CPU E5-2660 v2 @ 2.20GHz +NIC: Mellanox Technologies MT28800 Family [ConnectX-5 Ex] +TSO: Enabled +Before: 4,926.24 Mbps +Now : 94,827.91 Mbps + +Fixes: b3f63c3d5e2c ("net/mlx5e: Add netdev support for VXLAN tunneling") +Signed-off-by: Gal Pressman <galp@mellanox.com> +Signed-off-by: Saeed Mahameed <saeedm@mellanox.com> + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index cbec66bc82f1..c535a44ab8ac 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3678,6 +3678,7 @@ static netdev_features_t mlx5e_tunnel_features_check(struct mlx5e_priv *priv, + struct sk_buff *skb, + netdev_features_t features) + { ++ unsigned int offset = 0; + struct udphdr *udph; + u8 proto; + u16 port; +@@ -3687,7 +3688,7 @@ static netdev_features_t mlx5e_tunnel_features_check(struct mlx5e_priv *priv, + proto = ip_hdr(skb)->protocol; + break; + case htons(ETH_P_IPV6): +- proto = ipv6_hdr(skb)->nexthdr; ++ proto = ipv6_find_hdr(skb, &offset, -1, NULL, NULL); + break; + default: + goto out; +-- +2.15.0 + diff --git a/queue/net-mlx5e-Fix-possible-deadlock-of-VXLAN-lock.patch b/queue/net-mlx5e-Fix-possible-deadlock-of-VXLAN-lock.patch new file mode 100644 index 0000000..80ca818 --- /dev/null +++ b/queue/net-mlx5e-Fix-possible-deadlock-of-VXLAN-lock.patch @@ -0,0 +1,105 @@ +From 6323514116404cc651df1b7fffa1311ddf8ce647 Mon Sep 17 00:00:00 2001 +From: Gal Pressman <galp@mellanox.com> +Date: Thu, 23 Nov 2017 13:52:28 +0200 +Subject: [PATCH] net/mlx5e: Fix possible deadlock of VXLAN lock + +commit 6323514116404cc651df1b7fffa1311ddf8ce647 upstream. + +mlx5e_vxlan_lookup_port is called both from mlx5e_add_vxlan_port (user +context) and mlx5e_features_check (softirq), but the lock acquired does +not disable bottom half and might result in deadlock. Fix it by simply +replacing spin_lock() with spin_lock_bh(). +While at it, replace all unnecessary spin_lock_irq() to spin_lock_bh(). + +lockdep's WARNING: inconsistent lock state +[ 654.028136] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. +[ 654.028229] swapper/5/0 [HC0[0]:SC1[9]:HE1:SE0] takes: +[ 654.028321] (&(&vxlan_db->lock)->rlock){+.?.}, at: [<ffffffffa06e7f0e>] mlx5e_vxlan_lookup_port+0x1e/0x50 [mlx5_core] +[ 654.028528] {SOFTIRQ-ON-W} state was registered at: +[ 654.028607] _raw_spin_lock+0x3c/0x70 +[ 654.028689] mlx5e_vxlan_lookup_port+0x1e/0x50 [mlx5_core] +[ 654.028794] mlx5e_vxlan_add_port+0x2e/0x120 [mlx5_core] +[ 654.028878] process_one_work+0x1e9/0x640 +[ 654.028942] worker_thread+0x4a/0x3f0 +[ 654.029002] kthread+0x141/0x180 +[ 654.029056] ret_from_fork+0x24/0x30 +[ 654.029114] irq event stamp: 579088 +[ 654.029174] hardirqs last enabled at (579088): [<ffffffff818f475a>] ip6_finish_output2+0x49a/0x8c0 +[ 654.029309] hardirqs last disabled at (579087): [<ffffffff818f470e>] ip6_finish_output2+0x44e/0x8c0 +[ 654.029446] softirqs last enabled at (579030): [<ffffffff810b3b3d>] irq_enter+0x6d/0x80 +[ 654.029567] softirqs last disabled at (579031): [<ffffffff810b3c05>] irq_exit+0xb5/0xc0 +[ 654.029684] other info that might help us debug this: +[ 654.029781] Possible unsafe locking scenario: + +[ 654.029868] CPU0 +[ 654.029908] ---- +[ 654.029947] lock(&(&vxlan_db->lock)->rlock); +[ 654.030045] <Interrupt> +[ 654.030090] lock(&(&vxlan_db->lock)->rlock); +[ 654.030162] + *** DEADLOCK *** + +Fixes: b3f63c3d5e2c ("net/mlx5e: Add netdev support for VXLAN tunneling") +Signed-off-by: Gal Pressman <galp@mellanox.com> +Signed-off-by: Saeed Mahameed <saeedm@mellanox.com> + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vxlan.c b/drivers/net/ethernet/mellanox/mlx5/core/vxlan.c +index 07a9ba6cfc70..f8238275759f 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/vxlan.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/vxlan.c +@@ -71,9 +71,9 @@ struct mlx5e_vxlan *mlx5e_vxlan_lookup_port(struct mlx5e_priv *priv, u16 port) + struct mlx5e_vxlan_db *vxlan_db = &priv->vxlan; + struct mlx5e_vxlan *vxlan; + +- spin_lock(&vxlan_db->lock); ++ spin_lock_bh(&vxlan_db->lock); + vxlan = radix_tree_lookup(&vxlan_db->tree, port); +- spin_unlock(&vxlan_db->lock); ++ spin_unlock_bh(&vxlan_db->lock); + + return vxlan; + } +@@ -100,9 +100,9 @@ static void mlx5e_vxlan_add_port(struct work_struct *work) + + vxlan->udp_port = port; + +- spin_lock_irq(&vxlan_db->lock); ++ spin_lock_bh(&vxlan_db->lock); + err = radix_tree_insert(&vxlan_db->tree, vxlan->udp_port, vxlan); +- spin_unlock_irq(&vxlan_db->lock); ++ spin_unlock_bh(&vxlan_db->lock); + if (err) + goto err_free; + +@@ -121,9 +121,9 @@ static void __mlx5e_vxlan_core_del_port(struct mlx5e_priv *priv, u16 port) + struct mlx5e_vxlan_db *vxlan_db = &priv->vxlan; + struct mlx5e_vxlan *vxlan; + +- spin_lock_irq(&vxlan_db->lock); ++ spin_lock_bh(&vxlan_db->lock); + vxlan = radix_tree_delete(&vxlan_db->tree, port); +- spin_unlock_irq(&vxlan_db->lock); ++ spin_unlock_bh(&vxlan_db->lock); + + if (!vxlan) + return; +@@ -171,12 +171,12 @@ void mlx5e_vxlan_cleanup(struct mlx5e_priv *priv) + struct mlx5e_vxlan *vxlan; + unsigned int port = 0; + +- spin_lock_irq(&vxlan_db->lock); ++ spin_lock_bh(&vxlan_db->lock); + while (radix_tree_gang_lookup(&vxlan_db->tree, (void **)&vxlan, port, 1)) { + port = vxlan->udp_port; +- spin_unlock_irq(&vxlan_db->lock); ++ spin_unlock_bh(&vxlan_db->lock); + __mlx5e_vxlan_core_del_port(priv, (u16)port); +- spin_lock_irq(&vxlan_db->lock); ++ spin_lock_bh(&vxlan_db->lock); + } +- spin_unlock_irq(&vxlan_db->lock); ++ spin_unlock_bh(&vxlan_db->lock); + } +-- +2.15.0 + diff --git a/queue/net-mlx5e-Prevent-possible-races-in-VXLAN-control-fl.patch b/queue/net-mlx5e-Prevent-possible-races-in-VXLAN-control-fl.patch new file mode 100644 index 0000000..8cb1eae --- /dev/null +++ b/queue/net-mlx5e-Prevent-possible-races-in-VXLAN-control-fl.patch @@ -0,0 +1,58 @@ +From 0c1cc8b2215f5122ca614b5adca60346018758c3 Mon Sep 17 00:00:00 2001 +From: Gal Pressman <galp@mellanox.com> +Date: Mon, 4 Dec 2017 09:57:43 +0200 +Subject: [PATCH] net/mlx5e: Prevent possible races in VXLAN control flow + +commit 0c1cc8b2215f5122ca614b5adca60346018758c3 upstream. + +When calling add/remove VXLAN port, a lock must be held in order to +prevent race scenarios when more than one add/remove happens at the +same time. +Fix by holding our state_lock (mutex) as done by all other parts of the +driver. +Note that the spinlock protecting the radix-tree is still needed in +order to synchronize radix-tree access from softirq context. + +Fixes: b3f63c3d5e2c ("net/mlx5e: Add netdev support for VXLAN tunneling") +Signed-off-by: Gal Pressman <galp@mellanox.com> +Signed-off-by: Saeed Mahameed <saeedm@mellanox.com> + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vxlan.c b/drivers/net/ethernet/mellanox/mlx5/core/vxlan.c +index 25f782344667..2f74953e4561 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/vxlan.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/vxlan.c +@@ -88,6 +88,7 @@ static void mlx5e_vxlan_add_port(struct work_struct *work) + struct mlx5e_vxlan *vxlan; + int err; + ++ mutex_lock(&priv->state_lock); + vxlan = mlx5e_vxlan_lookup_port(priv, port); + if (vxlan) { + atomic_inc(&vxlan->refcount); +@@ -117,6 +118,7 @@ err_free: + err_delete_port: + mlx5e_vxlan_core_del_port_cmd(priv->mdev, port); + free_work: ++ mutex_unlock(&priv->state_lock); + kfree(vxlan_work); + } + +@@ -130,6 +132,7 @@ static void mlx5e_vxlan_del_port(struct work_struct *work) + struct mlx5e_vxlan *vxlan; + bool remove = false; + ++ mutex_lock(&priv->state_lock); + spin_lock_bh(&vxlan_db->lock); + vxlan = radix_tree_lookup(&vxlan_db->tree, port); + if (!vxlan) +@@ -147,6 +150,7 @@ out_unlock: + mlx5e_vxlan_core_del_port_cmd(priv->mdev, port); + kfree(vxlan); + } ++ mutex_unlock(&priv->state_lock); + kfree(vxlan_work); + } + +-- +2.15.0 + diff --git a/queue/net-mvmdio-disable-unprepare-clocks-in-EPROBE_DEFER-.patch b/queue/net-mvmdio-disable-unprepare-clocks-in-EPROBE_DEFER-.patch new file mode 100644 index 0000000..c4d3ecd --- /dev/null +++ b/queue/net-mvmdio-disable-unprepare-clocks-in-EPROBE_DEFER-.patch @@ -0,0 +1,34 @@ +From 589bf32f09852041fbd3b7ce1a9e703f95c230ba Mon Sep 17 00:00:00 2001 +From: Tobias Jordan <Tobias.Jordan@elektrobit.com> +Date: Wed, 6 Dec 2017 15:23:23 +0100 +Subject: [PATCH] net: mvmdio: disable/unprepare clocks in EPROBE_DEFER case + +commit 589bf32f09852041fbd3b7ce1a9e703f95c230ba upstream. + +add appropriate calls to clk_disable_unprepare() by jumping to out_mdio +in case orion_mdio_probe() returns -EPROBE_DEFER. + +Found by Linux Driver Verification project (linuxtesting.org). + +Fixes: 3d604da1e954 ("net: mvmdio: get and enable optional clock") +Signed-off-by: Tobias Jordan <Tobias.Jordan@elektrobit.com> +Reviewed-by: Andrew Lunn <andrew@lunn.ch> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/marvell/mvmdio.c b/drivers/net/ethernet/marvell/mvmdio.c +index c9798210fa0f..0495487f7b42 100644 +--- a/drivers/net/ethernet/marvell/mvmdio.c ++++ b/drivers/net/ethernet/marvell/mvmdio.c +@@ -344,7 +344,8 @@ static int orion_mdio_probe(struct platform_device *pdev) + dev->regs + MVMDIO_ERR_INT_MASK); + + } else if (dev->err_interrupt == -EPROBE_DEFER) { +- return -EPROBE_DEFER; ++ ret = -EPROBE_DEFER; ++ goto out_mdio; + } + + if (pdev->dev.of_node) +-- +2.15.0 + diff --git a/queue/net-phy-marvell-Limit-88m1101-autoneg-errata-to-88E1.patch b/queue/net-phy-marvell-Limit-88m1101-autoneg-errata-to-88E1.patch new file mode 100644 index 0000000..b5bb720 --- /dev/null +++ b/queue/net-phy-marvell-Limit-88m1101-autoneg-errata-to-88E1.patch @@ -0,0 +1,30 @@ +From c505873eaece2b4aefd07d339dc7e1400e0235ac Mon Sep 17 00:00:00 2001 +From: Zhao Qiang <qiang.zhao@nxp.com> +Date: Mon, 18 Dec 2017 10:26:43 +0800 +Subject: [PATCH] net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as + well. + +commit c505873eaece2b4aefd07d339dc7e1400e0235ac upstream. + +88E1145 also need this autoneg errata. + +Fixes: f2899788353c ("net: phy: marvell: Limit errata to 88m1101") +Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/phy/marvell.c b/drivers/net/phy/marvell.c +index b5a8f750e433..26c9a11220ca 100644 +--- a/drivers/net/phy/marvell.c ++++ b/drivers/net/phy/marvell.c +@@ -2073,7 +2073,7 @@ static struct phy_driver marvell_drivers[] = { + .flags = PHY_HAS_INTERRUPT, + .probe = marvell_probe, + .config_init = &m88e1145_config_init, +- .config_aneg = &marvell_config_aneg, ++ .config_aneg = &m88e1101_config_aneg, + .read_status = &genphy_read_status, + .ack_interrupt = &marvell_ack_interrupt, + .config_intr = &marvell_config_intr, +-- +2.15.0 + diff --git a/queue/net-phy-micrel-ksz9031-reconfigure-autoneg-after-phy.patch b/queue/net-phy-micrel-ksz9031-reconfigure-autoneg-after-phy.patch new file mode 100644 index 0000000..8302fa8 --- /dev/null +++ b/queue/net-phy-micrel-ksz9031-reconfigure-autoneg-after-phy.patch @@ -0,0 +1,37 @@ +From c1a8d0a3accf64a014d605e6806ce05d1c17adf1 Mon Sep 17 00:00:00 2001 +From: Grygorii Strashko <grygorii.strashko@ti.com> +Date: Wed, 20 Dec 2017 18:45:10 -0600 +Subject: [PATCH] net: phy: micrel: ksz9031: reconfigure autoneg after phy + autoneg workaround + +commit c1a8d0a3accf64a014d605e6806ce05d1c17adf1 upstream. + +Under some circumstances driver will perform PHY reset in +ksz9031_read_status() to fix autoneg failure case (idle error count = +0xFF). When this happens ksz9031 will not detect link status change any +more when connecting to Netgear 1G switch (link can be recovered sometimes by +restarting netdevice "ifconfig down up"). Reproduced with TI am572x board +equipped with ksz9031 PHY while connecting to Netgear 1G switch. + +Fix the issue by reconfiguring autonegotiation after PHY reset in +ksz9031_read_status(). + +Fixes: d2fd719bcb0e ("net/phy: micrel: Add workaround for bad autoneg") +Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c +index ab4614113403..422ff6333c52 100644 +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -624,6 +624,7 @@ static int ksz9031_read_status(struct phy_device *phydev) + phydev->link = 0; + if (phydev->drv->config_intr && phy_interrupt_is_valid(phydev)) + phydev->drv->config_intr(phydev); ++ return genphy_config_aneg(phydev); + } + + return 0; +-- +2.15.0 + diff --git a/queue/net-qmi_wwan-add-Sierra-EM7565-1199-9091.patch b/queue/net-qmi_wwan-add-Sierra-EM7565-1199-9091.patch new file mode 100644 index 0000000..2d6ab00 --- /dev/null +++ b/queue/net-qmi_wwan-add-Sierra-EM7565-1199-9091.patch @@ -0,0 +1,33 @@ +From aceef61ee56898cfa7b6960fb60b9326c3860441 Mon Sep 17 00:00:00 2001 +From: Sebastian Sjoholm <ssjoholm@mac.com> +Date: Mon, 11 Dec 2017 21:51:14 +0100 +Subject: [PATCH] net: qmi_wwan: add Sierra EM7565 1199:9091 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit aceef61ee56898cfa7b6960fb60b9326c3860441 upstream. + +Sierra Wireless EM7565 is an Qualcomm MDM9x50 based M.2 modem. +The USB id is added to qmi_wwan.c to allow QMI communication +with the EM7565. + +Signed-off-by: Sebastian Sjoholm <ssjoholm@mac.com> +Acked-by: Bjørn Mork <bjorn@mork.no> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 304ec6555cd8..d2ca5a202e8d 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1204,6 +1204,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x1199, 0x9079, 10)}, /* Sierra Wireless EM74xx */ + {QMI_FIXED_INTF(0x1199, 0x907b, 8)}, /* Sierra Wireless EM74xx */ + {QMI_FIXED_INTF(0x1199, 0x907b, 10)}, /* Sierra Wireless EM74xx */ ++ {QMI_FIXED_INTF(0x1199, 0x9091, 8)}, /* Sierra Wireless EM7565 */ + {QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */ + {QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */ + {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */ +-- +2.15.0 + diff --git a/queue/net-reevalulate-autoflowlabel-setting-after-sysctl-s.patch b/queue/net-reevalulate-autoflowlabel-setting-after-sysctl-s.patch new file mode 100644 index 0000000..ce291e0 --- /dev/null +++ b/queue/net-reevalulate-autoflowlabel-setting-after-sysctl-s.patch @@ -0,0 +1,119 @@ +From 513674b5a2c9c7a67501506419da5c3c77ac6f08 Mon Sep 17 00:00:00 2001 +From: Shaohua Li <shli@fb.com> +Date: Wed, 20 Dec 2017 12:10:21 -0800 +Subject: [PATCH] net: reevalulate autoflowlabel setting after sysctl setting + +commit 513674b5a2c9c7a67501506419da5c3c77ac6f08 upstream. + +sysctl.ip6.auto_flowlabels is default 1. In our hosts, we set it to 2. +If sockopt doesn't set autoflowlabel, outcome packets from the hosts are +supposed to not include flowlabel. This is true for normal packet, but +not for reset packet. + +The reason is ipv6_pinfo.autoflowlabel is set in sock creation. Later if +we change sysctl.ip6.auto_flowlabels, the ipv6_pinfo.autoflowlabel isn't +changed, so the sock will keep the old behavior in terms of auto +flowlabel. Reset packet is suffering from this problem, because reset +packet is sent from a special control socket, which is created at boot +time. Since sysctl.ipv6.auto_flowlabels is 1 by default, the control +socket will always have its ipv6_pinfo.autoflowlabel set, even after +user set sysctl.ipv6.auto_flowlabels to 1, so reset packset will always +have flowlabel. Normal sock created before sysctl setting suffers from +the same issue. We can't even turn off autoflowlabel unless we kill all +socks in the hosts. + +To fix this, if IPV6_AUTOFLOWLABEL sockopt is used, we use the +autoflowlabel setting from user, otherwise we always call +ip6_default_np_autolabel() which has the new settings of sysctl. + +Note, this changes behavior a little bit. Before commit 42240901f7c4 +(ipv6: Implement different admin modes for automatic flow labels), the +autoflowlabel behavior of a sock isn't sticky, eg, if sysctl changes, +existing connection will change autoflowlabel behavior. After that +commit, autoflowlabel behavior is sticky in the whole life of the sock. +With this patch, the behavior isn't sticky again. + +Cc: Martin KaFai Lau <kafai@fb.com> +Cc: Eric Dumazet <eric.dumazet@gmail.com> +Cc: Tom Herbert <tom@quantonium.net> +Signed-off-by: Shaohua Li <shli@fb.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h +index cb18c6290ca8..8415bf1a9776 100644 +--- a/include/linux/ipv6.h ++++ b/include/linux/ipv6.h +@@ -273,7 +273,8 @@ struct ipv6_pinfo { + * 100: prefer care-of address + */ + dontfrag:1, +- autoflowlabel:1; ++ autoflowlabel:1, ++ autoflowlabel_set:1; + __u8 min_hopcount; + __u8 tclass; + __be32 rcv_flowinfo; +diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c +index c26f71234b9c..c9441ca45399 100644 +--- a/net/ipv6/af_inet6.c ++++ b/net/ipv6/af_inet6.c +@@ -210,7 +210,6 @@ lookup_protocol: + np->mcast_hops = IPV6_DEFAULT_MCASTHOPS; + np->mc_loop = 1; + np->pmtudisc = IPV6_PMTUDISC_WANT; +- np->autoflowlabel = ip6_default_np_autolabel(net); + np->repflow = net->ipv6.sysctl.flowlabel_reflect; + sk->sk_ipv6only = net->ipv6.sysctl.bindv6only; + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 5110a418cc4d..f7dd51c42314 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -166,6 +166,14 @@ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb) + !(IP6CB(skb)->flags & IP6SKB_REROUTED)); + } + ++static bool ip6_autoflowlabel(struct net *net, const struct ipv6_pinfo *np) ++{ ++ if (!np->autoflowlabel_set) ++ return ip6_default_np_autolabel(net); ++ else ++ return np->autoflowlabel; ++} ++ + /* + * xmit an sk_buff (used by TCP, SCTP and DCCP) + * Note : socket lock is not held for SYNACK packets, but might be modified +@@ -230,7 +238,7 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6, + hlimit = ip6_dst_hoplimit(dst); + + ip6_flow_hdr(hdr, tclass, ip6_make_flowlabel(net, skb, fl6->flowlabel, +- np->autoflowlabel, fl6)); ++ ip6_autoflowlabel(net, np), fl6)); + + hdr->payload_len = htons(seg_len); + hdr->nexthdr = proto; +@@ -1626,7 +1634,7 @@ struct sk_buff *__ip6_make_skb(struct sock *sk, + + ip6_flow_hdr(hdr, v6_cork->tclass, + ip6_make_flowlabel(net, skb, fl6->flowlabel, +- np->autoflowlabel, fl6)); ++ ip6_autoflowlabel(net, np), fl6)); + hdr->hop_limit = v6_cork->hop_limit; + hdr->nexthdr = proto; + hdr->saddr = fl6->saddr; +diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c +index b9404feabd78..2d4680e0376f 100644 +--- a/net/ipv6/ipv6_sockglue.c ++++ b/net/ipv6/ipv6_sockglue.c +@@ -886,6 +886,7 @@ pref_skip_coa: + break; + case IPV6_AUTOFLOWLABEL: + np->autoflowlabel = valbool; ++ np->autoflowlabel_set = 1; + retv = 0; + break; + case IPV6_RECVFRAGSIZE: +-- +2.15.0 + diff --git a/queue/net-sched-fix-static-key-imbalance-in-case-of-ingres.patch b/queue/net-sched-fix-static-key-imbalance-in-case-of-ingres.patch new file mode 100644 index 0000000..7dbc980 --- /dev/null +++ b/queue/net-sched-fix-static-key-imbalance-in-case-of-ingres.patch @@ -0,0 +1,61 @@ +From b59e6979a86384e68b0ab6ffeab11f0034fba82d Mon Sep 17 00:00:00 2001 +From: Jiri Pirko <jiri@mellanox.com> +Date: Fri, 15 Dec 2017 12:40:13 +0100 +Subject: [PATCH] net: sched: fix static key imbalance in case of + ingress/clsact_init error + +commit b59e6979a86384e68b0ab6ffeab11f0034fba82d upstream. + +Move static key increments to the beginning of the init function +so they pair 1:1 with decrements in ingress/clsact_destroy, +which is called in case ingress/clsact_init fails. + +Fixes: 6529eaba33f0 ("net: sched: introduce tcf block infractructure") +Signed-off-by: Jiri Pirko <jiri@mellanox.com> +Acked-by: Cong Wang <xiyou.wangcong@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c +index 5e1cd2e5df87..fc1286f499c1 100644 +--- a/net/sched/sch_ingress.c ++++ b/net/sched/sch_ingress.c +@@ -68,6 +68,8 @@ static int ingress_init(struct Qdisc *sch, struct nlattr *opt) + struct net_device *dev = qdisc_dev(sch); + int err; + ++ net_inc_ingress_queue(); ++ + mini_qdisc_pair_init(&q->miniqp, sch, &dev->miniq_ingress); + + q->block_info.binder_type = TCF_BLOCK_BINDER_TYPE_CLSACT_INGRESS; +@@ -78,7 +80,6 @@ static int ingress_init(struct Qdisc *sch, struct nlattr *opt) + if (err) + return err; + +- net_inc_ingress_queue(); + sch->flags |= TCQ_F_CPUSTATS; + + return 0; +@@ -172,6 +173,9 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt) + struct net_device *dev = qdisc_dev(sch); + int err; + ++ net_inc_ingress_queue(); ++ net_inc_egress_queue(); ++ + mini_qdisc_pair_init(&q->miniqp_ingress, sch, &dev->miniq_ingress); + + q->ingress_block_info.binder_type = TCF_BLOCK_BINDER_TYPE_CLSACT_INGRESS; +@@ -192,9 +196,6 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt) + if (err) + return err; + +- net_inc_ingress_queue(); +- net_inc_egress_queue(); +- + sch->flags |= TCQ_F_CPUSTATS; + + return 0; +-- +2.15.0 + diff --git a/queue/openvswitch-Fix-pop_vlan-action-for-double-tagged-fr.patch b/queue/openvswitch-Fix-pop_vlan-action-for-double-tagged-fr.patch new file mode 100644 index 0000000..215b595 --- /dev/null +++ b/queue/openvswitch-Fix-pop_vlan-action-for-double-tagged-fr.patch @@ -0,0 +1,58 @@ +From c48e74736fccf25fb32bb015426359e1c2016e3b Mon Sep 17 00:00:00 2001 +From: Eric Garver <e@erig.me> +Date: Wed, 20 Dec 2017 15:09:22 -0500 +Subject: [PATCH] openvswitch: Fix pop_vlan action for double tagged frames + +commit c48e74736fccf25fb32bb015426359e1c2016e3b upstream. + +skb_vlan_pop() expects skb->protocol to be a valid TPID for double +tagged frames. So set skb->protocol to the TPID and let skb_vlan_pop() +shift the true ethertype into position for us. + +Fixes: 5108bbaddc37 ("openvswitch: add processing of L3 packets") +Signed-off-by: Eric Garver <e@erig.me> +Reviewed-by: Jiri Benc <jbenc@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c +index dbe2379329c5..f039064ce922 100644 +--- a/net/openvswitch/flow.c ++++ b/net/openvswitch/flow.c +@@ -579,6 +579,7 @@ static int key_extract(struct sk_buff *skb, struct sw_flow_key *key) + return -EINVAL; + + skb_reset_network_header(skb); ++ key->eth.type = skb->protocol; + } else { + eth = eth_hdr(skb); + ether_addr_copy(key->eth.src, eth->h_source); +@@ -592,15 +593,23 @@ static int key_extract(struct sk_buff *skb, struct sw_flow_key *key) + if (unlikely(parse_vlan(skb, key))) + return -ENOMEM; + +- skb->protocol = parse_ethertype(skb); +- if (unlikely(skb->protocol == htons(0))) ++ key->eth.type = parse_ethertype(skb); ++ if (unlikely(key->eth.type == htons(0))) + return -ENOMEM; + ++ /* Multiple tagged packets need to retain TPID to satisfy ++ * skb_vlan_pop(), which will later shift the ethertype into ++ * skb->protocol. ++ */ ++ if (key->eth.cvlan.tci & htons(VLAN_TAG_PRESENT)) ++ skb->protocol = key->eth.cvlan.tpid; ++ else ++ skb->protocol = key->eth.type; ++ + skb_reset_network_header(skb); + __skb_push(skb, skb->data - skb_mac_header(skb)); + } + skb_reset_mac_len(skb); +- key->eth.type = skb->protocol; + + /* Network layer. */ + if (key->eth.type == htons(ETH_P_IP)) { +-- +2.15.0 + diff --git a/queue/phy-tegra-fix-device-tree-node-lookups.patch b/queue/phy-tegra-fix-device-tree-node-lookups.patch new file mode 100644 index 0000000..69773ac --- /dev/null +++ b/queue/phy-tegra-fix-device-tree-node-lookups.patch @@ -0,0 +1,135 @@ +From 046046737bd35bed047460f080ea47e186be731e Mon Sep 17 00:00:00 2001 +From: Johan Hovold <johan@kernel.org> +Date: Wed, 15 Nov 2017 10:43:16 +0100 +Subject: [PATCH] phy: tegra: fix device-tree node lookups + +commit 046046737bd35bed047460f080ea47e186be731e upstream. + +Fix child-node lookups during probe, which ended up searching the whole +device tree depth-first starting at the parents rather than just +matching on their children. + +To make things worse, some parent nodes could end up being being +prematurely freed (by tegra_xusb_pad_register()) as +of_find_node_by_name() drops a reference to its first argument. + +Fixes: 53d2a715c240 ("phy: Add Tegra XUSB pad controller support") +Cc: stable <stable@vger.kernel.org> # 4.7 +Cc: Thierry Reding <treding@nvidia.com> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com> + +diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c +index 4307bf0013e1..63e916d4d069 100644 +--- a/drivers/phy/tegra/xusb.c ++++ b/drivers/phy/tegra/xusb.c +@@ -75,14 +75,14 @@ MODULE_DEVICE_TABLE(of, tegra_xusb_padctl_of_match); + static struct device_node * + tegra_xusb_find_pad_node(struct tegra_xusb_padctl *padctl, const char *name) + { +- /* +- * of_find_node_by_name() drops a reference, so make sure to grab one. +- */ +- struct device_node *np = of_node_get(padctl->dev->of_node); ++ struct device_node *pads, *np; ++ ++ pads = of_get_child_by_name(padctl->dev->of_node, "pads"); ++ if (!pads) ++ return NULL; + +- np = of_find_node_by_name(np, "pads"); +- if (np) +- np = of_find_node_by_name(np, name); ++ np = of_get_child_by_name(pads, name); ++ of_node_put(pads); + + return np; + } +@@ -90,16 +90,16 @@ tegra_xusb_find_pad_node(struct tegra_xusb_padctl *padctl, const char *name) + static struct device_node * + tegra_xusb_pad_find_phy_node(struct tegra_xusb_pad *pad, unsigned int index) + { +- /* +- * of_find_node_by_name() drops a reference, so make sure to grab one. +- */ +- struct device_node *np = of_node_get(pad->dev.of_node); ++ struct device_node *np, *lanes; + +- np = of_find_node_by_name(np, "lanes"); +- if (!np) ++ lanes = of_get_child_by_name(pad->dev.of_node, "lanes"); ++ if (!lanes) + return NULL; + +- return of_find_node_by_name(np, pad->soc->lanes[index].name); ++ np = of_get_child_by_name(lanes, pad->soc->lanes[index].name); ++ of_node_put(lanes); ++ ++ return np; + } + + static int +@@ -195,7 +195,7 @@ int tegra_xusb_pad_register(struct tegra_xusb_pad *pad, + unsigned int i; + int err; + +- children = of_find_node_by_name(pad->dev.of_node, "lanes"); ++ children = of_get_child_by_name(pad->dev.of_node, "lanes"); + if (!children) + return -ENODEV; + +@@ -444,21 +444,21 @@ static struct device_node * + tegra_xusb_find_port_node(struct tegra_xusb_padctl *padctl, const char *type, + unsigned int index) + { +- /* +- * of_find_node_by_name() drops a reference, so make sure to grab one. +- */ +- struct device_node *np = of_node_get(padctl->dev->of_node); ++ struct device_node *ports, *np; ++ char *name; + +- np = of_find_node_by_name(np, "ports"); +- if (np) { +- char *name; ++ ports = of_get_child_by_name(padctl->dev->of_node, "ports"); ++ if (!ports) ++ return NULL; + +- name = kasprintf(GFP_KERNEL, "%s-%u", type, index); +- if (!name) +- return ERR_PTR(-ENOMEM); +- np = of_find_node_by_name(np, name); +- kfree(name); ++ name = kasprintf(GFP_KERNEL, "%s-%u", type, index); ++ if (!name) { ++ of_node_put(ports); ++ return ERR_PTR(-ENOMEM); + } ++ np = of_get_child_by_name(ports, name); ++ kfree(name); ++ of_node_put(ports); + + return np; + } +@@ -847,7 +847,7 @@ static void tegra_xusb_remove_ports(struct tegra_xusb_padctl *padctl) + + static int tegra_xusb_padctl_probe(struct platform_device *pdev) + { +- struct device_node *np = of_node_get(pdev->dev.of_node); ++ struct device_node *np = pdev->dev.of_node; + const struct tegra_xusb_padctl_soc *soc; + struct tegra_xusb_padctl *padctl; + const struct of_device_id *match; +@@ -855,7 +855,7 @@ static int tegra_xusb_padctl_probe(struct platform_device *pdev) + int err; + + /* for backwards compatibility with old device trees */ +- np = of_find_node_by_name(np, "pads"); ++ np = of_get_child_by_name(np, "pads"); + if (!np) { + dev_warn(&pdev->dev, "deprecated DT, using legacy driver\n"); + return tegra_xusb_padctl_legacy_probe(pdev); +-- +2.15.0 + diff --git a/queue/phylink-ensure-AN-is-enabled.patch b/queue/phylink-ensure-AN-is-enabled.patch new file mode 100644 index 0000000..f2ff8d1 --- /dev/null +++ b/queue/phylink-ensure-AN-is-enabled.patch @@ -0,0 +1,31 @@ +From 74ee0e8c1bf9925c59cc8f1c65c29adf6e4cf603 Mon Sep 17 00:00:00 2001 +From: Russell King <rmk+kernel@armlinux.org.uk> +Date: Wed, 20 Dec 2017 23:21:34 +0000 +Subject: [PATCH] phylink: ensure AN is enabled + +commit 74ee0e8c1bf9925c59cc8f1c65c29adf6e4cf603 upstream. + +Ensure that we mark AN as enabled at boot time, rather than leaving +it disabled. This is noticable if your SFP module is fiber, and +it supports faster speeds than 1G with 2.5G support in place. + +Fixes: 9525ae83959b ("phylink: add phylink infrastructure") +Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> +Reviewed-by: Florian Fainelli <f.fainelli@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c +index 8d06a083ac4c..827f3f92560e 100644 +--- a/drivers/net/phy/phylink.c ++++ b/drivers/net/phy/phylink.c +@@ -526,6 +526,7 @@ struct phylink *phylink_create(struct net_device *ndev, struct device_node *np, + pl->link_config.pause = MLO_PAUSE_AN; + pl->link_config.speed = SPEED_UNKNOWN; + pl->link_config.duplex = DUPLEX_UNKNOWN; ++ pl->link_config.an_enabled = true; + pl->ops = ops; + __set_bit(PHYLINK_DISABLE_STOPPED, &pl->phylink_disable_state); + +-- +2.15.0 + diff --git a/queue/phylink-ensure-the-PHY-interface-mode-is-appropriate.patch b/queue/phylink-ensure-the-PHY-interface-mode-is-appropriate.patch new file mode 100644 index 0000000..5afe9b0 --- /dev/null +++ b/queue/phylink-ensure-the-PHY-interface-mode-is-appropriate.patch @@ -0,0 +1,31 @@ +From 182088aa3c6c7f7c20a2c1dcc9ded4a3fc631f38 Mon Sep 17 00:00:00 2001 +From: Russell King <rmk+kernel@armlinux.org.uk> +Date: Wed, 20 Dec 2017 23:21:28 +0000 +Subject: [PATCH] phylink: ensure the PHY interface mode is appropriately set + +commit 182088aa3c6c7f7c20a2c1dcc9ded4a3fc631f38 upstream. + +When setting the ethtool settings, ensure that the validated PHY +interface mode is propagated to the current link settings, so that +2500BaseX can be selected. + +Fixes: 9525ae83959b ("phylink: add phylink infrastructure") +Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> +Reviewed-by: Florian Fainelli <f.fainelli@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c +index 5dc9668dde34..8d06a083ac4c 100644 +--- a/drivers/net/phy/phylink.c ++++ b/drivers/net/phy/phylink.c +@@ -951,6 +951,7 @@ int phylink_ethtool_ksettings_set(struct phylink *pl, + mutex_lock(&pl->state_mutex); + /* Configure the MAC to match the new settings */ + linkmode_copy(pl->link_config.advertising, our_kset.link_modes.advertising); ++ pl->link_config.interface = config.interface; + pl->link_config.speed = our_kset.base.speed; + pl->link_config.duplex = our_kset.base.duplex; + pl->link_config.an_enabled = our_kset.base.autoneg != AUTONEG_DISABLE; +-- +2.15.0 + diff --git a/queue/ptr_ring-add-barriers.patch b/queue/ptr_ring-add-barriers.patch new file mode 100644 index 0000000..d1fa0a0 --- /dev/null +++ b/queue/ptr_ring-add-barriers.patch @@ -0,0 +1,62 @@ +From a8ceb5dbfde1092b466936bca0ff3be127ecf38e Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" <mst@redhat.com> +Date: Tue, 5 Dec 2017 21:29:37 +0200 +Subject: [PATCH] ptr_ring: add barriers + +commit a8ceb5dbfde1092b466936bca0ff3be127ecf38e upstream. + +Users of ptr_ring expect that it's safe to give the +data structure a pointer and have it be available +to consumers, but that actually requires an smb_wmb +or a stronger barrier. + +In absence of such barriers and on architectures that reorder writes, +consumer might read an un=initialized value from an skb pointer stored +in the skb array. This was observed causing crashes. + +To fix, add memory barriers. The barrier we use is a wmb, the +assumption being that producers do not need to read the value so we do +not need to order these reads. + +Reported-by: George Cherian <george.cherian@cavium.com> +Suggested-by: Jason Wang <jasowang@redhat.com> +Signed-off-by: Michael S. Tsirkin <mst@redhat.com> +Acked-by: Jason Wang <jasowang@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/include/linux/ptr_ring.h b/include/linux/ptr_ring.h +index 37b4bb2545b3..6866df4f31b5 100644 +--- a/include/linux/ptr_ring.h ++++ b/include/linux/ptr_ring.h +@@ -101,12 +101,18 @@ static inline bool ptr_ring_full_bh(struct ptr_ring *r) + + /* Note: callers invoking this in a loop must use a compiler barrier, + * for example cpu_relax(). Callers must hold producer_lock. ++ * Callers are responsible for making sure pointer that is being queued ++ * points to a valid data. + */ + static inline int __ptr_ring_produce(struct ptr_ring *r, void *ptr) + { + if (unlikely(!r->size) || r->queue[r->producer]) + return -ENOSPC; + ++ /* Make sure the pointer we are storing points to a valid data. */ ++ /* Pairs with smp_read_barrier_depends in __ptr_ring_consume. */ ++ smp_wmb(); ++ + r->queue[r->producer++] = ptr; + if (unlikely(r->producer >= r->size)) + r->producer = 0; +@@ -275,6 +281,9 @@ static inline void *__ptr_ring_consume(struct ptr_ring *r) + if (ptr) + __ptr_ring_discard_one(r); + ++ /* Make sure anyone accessing data through the pointer is up to date. */ ++ /* Pairs with smp_wmb in __ptr_ring_produce. */ ++ smp_read_barrier_depends(); + return ptr; + } + +-- +2.15.0 + diff --git a/queue/s390-qeth-apply-takeover-changes-when-mode-is-toggle.patch b/queue/s390-qeth-apply-takeover-changes-when-mode-is-toggle.patch new file mode 100644 index 0000000..e0310d0 --- /dev/null +++ b/queue/s390-qeth-apply-takeover-changes-when-mode-is-toggle.patch @@ -0,0 +1,98 @@ +From 7fbd9493f0eeae8cef58300505a9ef5c8fce6313 Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann <jwi@linux.vnet.ibm.com> +Date: Wed, 13 Dec 2017 18:56:29 +0100 +Subject: [PATCH] s390/qeth: apply takeover changes when mode is toggled + +commit 7fbd9493f0eeae8cef58300505a9ef5c8fce6313 upstream. + +Just as for an explicit enable/disable, toggling the takeover mode also +requires that the IP addresses get updated. Otherwise all IPs that were +added to the table before the mode-toggle, get registered with the old +settings. + +Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/s390/net/qeth_core.h b/drivers/s390/net/qeth_core.h +index 15015a24f8ad..51c618d9fefe 100644 +--- a/drivers/s390/net/qeth_core.h ++++ b/drivers/s390/net/qeth_core.h +@@ -565,7 +565,7 @@ enum qeth_cq { + }; + + struct qeth_ipato { +- int enabled; ++ bool enabled; + int invert4; + int invert6; + struct list_head entries; +diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c +index 430e3214f7e2..8d18675e60e2 100644 +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -1480,7 +1480,7 @@ static int qeth_setup_card(struct qeth_card *card) + qeth_set_intial_options(card); + /* IP address takeover */ + INIT_LIST_HEAD(&card->ipato.entries); +- card->ipato.enabled = 0; ++ card->ipato.enabled = false; + card->ipato.invert4 = 0; + card->ipato.invert6 = 0; + /* init QDIO stuff */ +diff --git a/drivers/s390/net/qeth_l3_sys.c b/drivers/s390/net/qeth_l3_sys.c +index bd12fdf678be..198717f71b3d 100644 +--- a/drivers/s390/net/qeth_l3_sys.c ++++ b/drivers/s390/net/qeth_l3_sys.c +@@ -372,6 +372,7 @@ static ssize_t qeth_l3_dev_ipato_enable_store(struct device *dev, + struct qeth_card *card = dev_get_drvdata(dev); + struct qeth_ipaddr *addr; + int i, rc = 0; ++ bool enable; + + if (!card) + return -EINVAL; +@@ -384,25 +385,23 @@ static ssize_t qeth_l3_dev_ipato_enable_store(struct device *dev, + } + + if (sysfs_streq(buf, "toggle")) { +- card->ipato.enabled = (card->ipato.enabled)? 0 : 1; +- } else if (sysfs_streq(buf, "1")) { +- card->ipato.enabled = 1; +- hash_for_each(card->ip_htable, i, addr, hnode) { +- if ((addr->type == QETH_IP_TYPE_NORMAL) && +- qeth_l3_is_addr_covered_by_ipato(card, addr)) +- addr->set_flags |= +- QETH_IPA_SETIP_TAKEOVER_FLAG; +- } +- } else if (sysfs_streq(buf, "0")) { +- card->ipato.enabled = 0; +- hash_for_each(card->ip_htable, i, addr, hnode) { +- if (addr->set_flags & +- QETH_IPA_SETIP_TAKEOVER_FLAG) +- addr->set_flags &= +- ~QETH_IPA_SETIP_TAKEOVER_FLAG; +- } +- } else ++ enable = !card->ipato.enabled; ++ } else if (kstrtobool(buf, &enable)) { + rc = -EINVAL; ++ goto out; ++ } ++ ++ if (card->ipato.enabled == enable) ++ goto out; ++ card->ipato.enabled = enable; ++ ++ hash_for_each(card->ip_htable, i, addr, hnode) { ++ if (!enable) ++ addr->set_flags &= ~QETH_IPA_SETIP_TAKEOVER_FLAG; ++ else if (addr->type == QETH_IP_TYPE_NORMAL && ++ qeth_l3_is_addr_covered_by_ipato(card, addr)) ++ addr->set_flags |= QETH_IPA_SETIP_TAKEOVER_FLAG; ++ } + out: + mutex_unlock(&card->conf_mutex); + return rc ? rc : count; +-- +2.15.0 + diff --git a/queue/s390-qeth-don-t-apply-takeover-changes-to-RXIP.patch b/queue/s390-qeth-don-t-apply-takeover-changes-to-RXIP.patch new file mode 100644 index 0000000..d819ca8 --- /dev/null +++ b/queue/s390-qeth-don-t-apply-takeover-changes-to-RXIP.patch @@ -0,0 +1,60 @@ +From b22d73d6689fd902a66c08ebe71ab2f3b351e22f Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann <jwi@linux.vnet.ibm.com> +Date: Wed, 13 Dec 2017 18:56:30 +0100 +Subject: [PATCH] s390/qeth: don't apply takeover changes to RXIP + +commit b22d73d6689fd902a66c08ebe71ab2f3b351e22f upstream. + +When takeover is switched off, current code clears the 'TAKEOVER' flag on +all IPs. But the flag is also used for RXIP addresses, and those should +not be affected by the takeover mode. +Fix the behaviour by consistenly applying takover logic to NORMAL +addresses only. + +Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c +index 6a73894b0cb5..4a4be81800eb 100644 +--- a/drivers/s390/net/qeth_l3_main.c ++++ b/drivers/s390/net/qeth_l3_main.c +@@ -174,6 +174,8 @@ int qeth_l3_is_addr_covered_by_ipato(struct qeth_card *card, + + if (!card->ipato.enabled) + return 0; ++ if (addr->type != QETH_IP_TYPE_NORMAL) ++ return 0; + + qeth_l3_convert_addr_to_bits((u8 *) &addr->u, addr_bits, + (addr->proto == QETH_PROT_IPV4)? 4:16); +@@ -290,8 +292,7 @@ int qeth_l3_add_ip(struct qeth_card *card, struct qeth_ipaddr *tmp_addr) + memcpy(addr, tmp_addr, sizeof(struct qeth_ipaddr)); + addr->ref_counter = 1; + +- if (addr->type == QETH_IP_TYPE_NORMAL && +- qeth_l3_is_addr_covered_by_ipato(card, addr)) { ++ if (qeth_l3_is_addr_covered_by_ipato(card, addr)) { + QETH_CARD_TEXT(card, 2, "tkovaddr"); + addr->set_flags |= QETH_IPA_SETIP_TAKEOVER_FLAG; + } +diff --git a/drivers/s390/net/qeth_l3_sys.c b/drivers/s390/net/qeth_l3_sys.c +index 198717f71b3d..e256928092e5 100644 +--- a/drivers/s390/net/qeth_l3_sys.c ++++ b/drivers/s390/net/qeth_l3_sys.c +@@ -396,10 +396,11 @@ static ssize_t qeth_l3_dev_ipato_enable_store(struct device *dev, + card->ipato.enabled = enable; + + hash_for_each(card->ip_htable, i, addr, hnode) { ++ if (addr->type != QETH_IP_TYPE_NORMAL) ++ continue; + if (!enable) + addr->set_flags &= ~QETH_IPA_SETIP_TAKEOVER_FLAG; +- else if (addr->type == QETH_IP_TYPE_NORMAL && +- qeth_l3_is_addr_covered_by_ipato(card, addr)) ++ else if (qeth_l3_is_addr_covered_by_ipato(card, addr)) + addr->set_flags |= QETH_IPA_SETIP_TAKEOVER_FLAG; + } + out: +-- +2.15.0 + diff --git a/queue/s390-qeth-fix-error-handling-in-checksum-cmd-callbac.patch b/queue/s390-qeth-fix-error-handling-in-checksum-cmd-callbac.patch new file mode 100644 index 0000000..9d2cfb2 --- /dev/null +++ b/queue/s390-qeth-fix-error-handling-in-checksum-cmd-callbac.patch @@ -0,0 +1,44 @@ +From ad3cbf61332914711e5f506972b1dc9af8d62146 Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann <jwi@linux.vnet.ibm.com> +Date: Wed, 20 Dec 2017 18:07:18 +0100 +Subject: [PATCH] s390/qeth: fix error handling in checksum cmd callback + +commit ad3cbf61332914711e5f506972b1dc9af8d62146 upstream. + +Make sure to check both return code fields before processing the +response. Otherwise we risk operating on invalid data. + +Fixes: c9475369bd2b ("s390/qeth: rework RX/TX checksum offload") +Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c +index 6c815207f4f5..3614df68830f 100644 +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -5386,6 +5386,13 @@ out: + } + EXPORT_SYMBOL_GPL(qeth_poll); + ++static int qeth_setassparms_inspect_rc(struct qeth_ipa_cmd *cmd) ++{ ++ if (!cmd->hdr.return_code) ++ cmd->hdr.return_code = cmd->data.setassparms.hdr.return_code; ++ return cmd->hdr.return_code; ++} ++ + int qeth_setassparms_cb(struct qeth_card *card, + struct qeth_reply *reply, unsigned long data) + { +@@ -6242,7 +6249,7 @@ static int qeth_ipa_checksum_run_cmd_cb(struct qeth_card *card, + (struct qeth_checksum_cmd *)reply->param; + + QETH_CARD_TEXT(card, 4, "chkdoccb"); +- if (cmd->hdr.return_code) ++ if (qeth_setassparms_inspect_rc(cmd)) + return 0; + + memset(chksum_cb, 0, sizeof(*chksum_cb)); +-- +2.15.0 + diff --git a/queue/s390-qeth-lock-IP-table-while-applying-takeover-chan.patch b/queue/s390-qeth-lock-IP-table-while-applying-takeover-chan.patch new file mode 100644 index 0000000..cb70414 --- /dev/null +++ b/queue/s390-qeth-lock-IP-table-while-applying-takeover-chan.patch @@ -0,0 +1,37 @@ +From 8a03a3692b100d84785ee7a834e9215e304c9e00 Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann <jwi@linux.vnet.ibm.com> +Date: Wed, 13 Dec 2017 18:56:31 +0100 +Subject: [PATCH] s390/qeth: lock IP table while applying takeover changes + +commit 8a03a3692b100d84785ee7a834e9215e304c9e00 upstream. + +Modifying the flags of an IP addr object needs to be protected against +eg. concurrent removal of the same object from the IP table. + +Fixes: 5f78e29ceebf ("qeth: optimize IP handling in rx_mode callback") +Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/s390/net/qeth_l3_sys.c b/drivers/s390/net/qeth_l3_sys.c +index e256928092e5..aa676b4090da 100644 +--- a/drivers/s390/net/qeth_l3_sys.c ++++ b/drivers/s390/net/qeth_l3_sys.c +@@ -395,6 +395,7 @@ static ssize_t qeth_l3_dev_ipato_enable_store(struct device *dev, + goto out; + card->ipato.enabled = enable; + ++ spin_lock_bh(&card->ip_lock); + hash_for_each(card->ip_htable, i, addr, hnode) { + if (addr->type != QETH_IP_TYPE_NORMAL) + continue; +@@ -403,6 +404,7 @@ static ssize_t qeth_l3_dev_ipato_enable_store(struct device *dev, + else if (qeth_l3_is_addr_covered_by_ipato(card, addr)) + addr->set_flags |= QETH_IPA_SETIP_TAKEOVER_FLAG; + } ++ spin_unlock_bh(&card->ip_lock); + out: + mutex_unlock(&card->conf_mutex); + return rc ? rc : count; +-- +2.15.0 + diff --git a/queue/s390-qeth-update-takeover-IPs-after-configuration-ch.patch b/queue/s390-qeth-update-takeover-IPs-after-configuration-ch.patch new file mode 100644 index 0000000..159548d --- /dev/null +++ b/queue/s390-qeth-update-takeover-IPs-after-configuration-ch.patch @@ -0,0 +1,242 @@ +From 02f510f326501470348a5df341e8232c3497bbbb Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann <jwi@linux.vnet.ibm.com> +Date: Wed, 13 Dec 2017 18:56:32 +0100 +Subject: [PATCH] s390/qeth: update takeover IPs after configuration change + +commit 02f510f326501470348a5df341e8232c3497bbbb upstream. + +Any modification to the takeover IP-ranges requires that we re-evaluate +which IP addresses are takeover-eligible. Otherwise we might do takeover +for some addresses when we no longer should, or vice-versa. + +Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/s390/net/qeth_core.h b/drivers/s390/net/qeth_core.h +index 51c618d9fefe..badf42acbf95 100644 +--- a/drivers/s390/net/qeth_core.h ++++ b/drivers/s390/net/qeth_core.h +@@ -566,8 +566,8 @@ enum qeth_cq { + + struct qeth_ipato { + bool enabled; +- int invert4; +- int invert6; ++ bool invert4; ++ bool invert6; + struct list_head entries; + }; + +diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c +index 8d18675e60e2..6c815207f4f5 100644 +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -1481,8 +1481,8 @@ static int qeth_setup_card(struct qeth_card *card) + /* IP address takeover */ + INIT_LIST_HEAD(&card->ipato.entries); + card->ipato.enabled = false; +- card->ipato.invert4 = 0; +- card->ipato.invert6 = 0; ++ card->ipato.invert4 = false; ++ card->ipato.invert6 = false; + /* init QDIO stuff */ + qeth_init_qdio_info(card); + INIT_DELAYED_WORK(&card->buffer_reclaim_work, qeth_buffer_reclaim_work); +diff --git a/drivers/s390/net/qeth_l3.h b/drivers/s390/net/qeth_l3.h +index 194ae9b577cc..e5833837b799 100644 +--- a/drivers/s390/net/qeth_l3.h ++++ b/drivers/s390/net/qeth_l3.h +@@ -82,7 +82,7 @@ void qeth_l3_del_vipa(struct qeth_card *, enum qeth_prot_versions, const u8 *); + int qeth_l3_add_rxip(struct qeth_card *, enum qeth_prot_versions, const u8 *); + void qeth_l3_del_rxip(struct qeth_card *card, enum qeth_prot_versions, + const u8 *); +-int qeth_l3_is_addr_covered_by_ipato(struct qeth_card *, struct qeth_ipaddr *); ++void qeth_l3_update_ipato(struct qeth_card *card); + struct qeth_ipaddr *qeth_l3_get_addr_buffer(enum qeth_prot_versions); + int qeth_l3_add_ip(struct qeth_card *, struct qeth_ipaddr *); + int qeth_l3_delete_ip(struct qeth_card *, struct qeth_ipaddr *); +diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c +index 4a4be81800eb..ef0961e18686 100644 +--- a/drivers/s390/net/qeth_l3_main.c ++++ b/drivers/s390/net/qeth_l3_main.c +@@ -164,8 +164,8 @@ static void qeth_l3_convert_addr_to_bits(u8 *addr, u8 *bits, int len) + } + } + +-int qeth_l3_is_addr_covered_by_ipato(struct qeth_card *card, +- struct qeth_ipaddr *addr) ++static bool qeth_l3_is_addr_covered_by_ipato(struct qeth_card *card, ++ struct qeth_ipaddr *addr) + { + struct qeth_ipato_entry *ipatoe; + u8 addr_bits[128] = {0, }; +@@ -606,6 +606,27 @@ int qeth_l3_setrouting_v6(struct qeth_card *card) + /* + * IP address takeover related functions + */ ++ ++/** ++ * qeth_l3_update_ipato() - Update 'takeover' property, for all NORMAL IPs. ++ * ++ * Caller must hold ip_lock. ++ */ ++void qeth_l3_update_ipato(struct qeth_card *card) ++{ ++ struct qeth_ipaddr *addr; ++ unsigned int i; ++ ++ hash_for_each(card->ip_htable, i, addr, hnode) { ++ if (addr->type != QETH_IP_TYPE_NORMAL) ++ continue; ++ if (qeth_l3_is_addr_covered_by_ipato(card, addr)) ++ addr->set_flags |= QETH_IPA_SETIP_TAKEOVER_FLAG; ++ else ++ addr->set_flags &= ~QETH_IPA_SETIP_TAKEOVER_FLAG; ++ } ++} ++ + static void qeth_l3_clear_ipato_list(struct qeth_card *card) + { + struct qeth_ipato_entry *ipatoe, *tmp; +@@ -617,6 +638,7 @@ static void qeth_l3_clear_ipato_list(struct qeth_card *card) + kfree(ipatoe); + } + ++ qeth_l3_update_ipato(card); + spin_unlock_bh(&card->ip_lock); + } + +@@ -641,8 +663,10 @@ int qeth_l3_add_ipato_entry(struct qeth_card *card, + } + } + +- if (!rc) ++ if (!rc) { + list_add_tail(&new->entry, &card->ipato.entries); ++ qeth_l3_update_ipato(card); ++ } + + spin_unlock_bh(&card->ip_lock); + +@@ -665,6 +689,7 @@ void qeth_l3_del_ipato_entry(struct qeth_card *card, + (proto == QETH_PROT_IPV4)? 4:16) && + (ipatoe->mask_bits == mask_bits)) { + list_del(&ipatoe->entry); ++ qeth_l3_update_ipato(card); + kfree(ipatoe); + } + } +diff --git a/drivers/s390/net/qeth_l3_sys.c b/drivers/s390/net/qeth_l3_sys.c +index aa676b4090da..6ea2b528a64e 100644 +--- a/drivers/s390/net/qeth_l3_sys.c ++++ b/drivers/s390/net/qeth_l3_sys.c +@@ -370,9 +370,8 @@ static ssize_t qeth_l3_dev_ipato_enable_store(struct device *dev, + struct device_attribute *attr, const char *buf, size_t count) + { + struct qeth_card *card = dev_get_drvdata(dev); +- struct qeth_ipaddr *addr; +- int i, rc = 0; + bool enable; ++ int rc = 0; + + if (!card) + return -EINVAL; +@@ -391,20 +390,12 @@ static ssize_t qeth_l3_dev_ipato_enable_store(struct device *dev, + goto out; + } + +- if (card->ipato.enabled == enable) +- goto out; +- card->ipato.enabled = enable; +- +- spin_lock_bh(&card->ip_lock); +- hash_for_each(card->ip_htable, i, addr, hnode) { +- if (addr->type != QETH_IP_TYPE_NORMAL) +- continue; +- if (!enable) +- addr->set_flags &= ~QETH_IPA_SETIP_TAKEOVER_FLAG; +- else if (qeth_l3_is_addr_covered_by_ipato(card, addr)) +- addr->set_flags |= QETH_IPA_SETIP_TAKEOVER_FLAG; ++ if (card->ipato.enabled != enable) { ++ card->ipato.enabled = enable; ++ spin_lock_bh(&card->ip_lock); ++ qeth_l3_update_ipato(card); ++ spin_unlock_bh(&card->ip_lock); + } +- spin_unlock_bh(&card->ip_lock); + out: + mutex_unlock(&card->conf_mutex); + return rc ? rc : count; +@@ -430,20 +421,27 @@ static ssize_t qeth_l3_dev_ipato_invert4_store(struct device *dev, + const char *buf, size_t count) + { + struct qeth_card *card = dev_get_drvdata(dev); ++ bool invert; + int rc = 0; + + if (!card) + return -EINVAL; + + mutex_lock(&card->conf_mutex); +- if (sysfs_streq(buf, "toggle")) +- card->ipato.invert4 = (card->ipato.invert4)? 0 : 1; +- else if (sysfs_streq(buf, "1")) +- card->ipato.invert4 = 1; +- else if (sysfs_streq(buf, "0")) +- card->ipato.invert4 = 0; +- else ++ if (sysfs_streq(buf, "toggle")) { ++ invert = !card->ipato.invert4; ++ } else if (kstrtobool(buf, &invert)) { + rc = -EINVAL; ++ goto out; ++ } ++ ++ if (card->ipato.invert4 != invert) { ++ card->ipato.invert4 = invert; ++ spin_lock_bh(&card->ip_lock); ++ qeth_l3_update_ipato(card); ++ spin_unlock_bh(&card->ip_lock); ++ } ++out: + mutex_unlock(&card->conf_mutex); + return rc ? rc : count; + } +@@ -609,20 +607,27 @@ static ssize_t qeth_l3_dev_ipato_invert6_store(struct device *dev, + struct device_attribute *attr, const char *buf, size_t count) + { + struct qeth_card *card = dev_get_drvdata(dev); ++ bool invert; + int rc = 0; + + if (!card) + return -EINVAL; + + mutex_lock(&card->conf_mutex); +- if (sysfs_streq(buf, "toggle")) +- card->ipato.invert6 = (card->ipato.invert6)? 0 : 1; +- else if (sysfs_streq(buf, "1")) +- card->ipato.invert6 = 1; +- else if (sysfs_streq(buf, "0")) +- card->ipato.invert6 = 0; +- else ++ if (sysfs_streq(buf, "toggle")) { ++ invert = !card->ipato.invert6; ++ } else if (kstrtobool(buf, &invert)) { + rc = -EINVAL; ++ goto out; ++ } ++ ++ if (card->ipato.invert6 != invert) { ++ card->ipato.invert6 = invert; ++ spin_lock_bh(&card->ip_lock); ++ qeth_l3_update_ipato(card); ++ spin_unlock_bh(&card->ip_lock); ++ } ++out: + mutex_unlock(&card->conf_mutex); + return rc ? rc : count; + } +-- +2.15.0 + diff --git a/queue/sctp-Replace-use-of-sockets_allocated-with-specified.patch b/queue/sctp-Replace-use-of-sockets_allocated-with-specified.patch new file mode 100644 index 0000000..7a06a80 --- /dev/null +++ b/queue/sctp-Replace-use-of-sockets_allocated-with-specified.patch @@ -0,0 +1,42 @@ +From 8cb38a602478e9f806571f6920b0a3298aabf042 Mon Sep 17 00:00:00 2001 +From: Tonghao Zhang <xiangxia.m.yue@gmail.com> +Date: Fri, 22 Dec 2017 10:15:20 -0800 +Subject: [PATCH] sctp: Replace use of sockets_allocated with specified macro. + +commit 8cb38a602478e9f806571f6920b0a3298aabf042 upstream. + +The patch(180d8cd942ce) replaces all uses of struct sock fields' +memory_pressure, memory_allocated, sockets_allocated, and sysctl_mem +to accessor macros. But the sockets_allocated field of sctp sock is +not replaced at all. Then replace it now for unifying the code. + +Fixes: 180d8cd942ce ("foundations of per-cgroup memory pressure controlling.") +Cc: Glauber Costa <glommer@parallels.com> +Signed-off-by: Tonghao Zhang <zhangtonghao@didichuxing.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 3253f724a995..b4fb6e4886d2 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -4498,7 +4498,7 @@ static int sctp_init_sock(struct sock *sk) + SCTP_DBG_OBJCNT_INC(sock); + + local_bh_disable(); +- percpu_counter_inc(&sctp_sockets_allocated); ++ sk_sockets_allocated_inc(sk); + sock_prot_inuse_add(net, sk->sk_prot, 1); + + /* Nothing can fail after this block, otherwise +@@ -4542,7 +4542,7 @@ static void sctp_destroy_sock(struct sock *sk) + } + sctp_endpoint_free(sp->ep); + local_bh_disable(); +- percpu_counter_dec(&sctp_sockets_allocated); ++ sk_sockets_allocated_dec(sk); + sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1); + local_bh_enable(); + } +-- +2.15.0 + diff --git a/queue/sctp-make-sure-stream-nums-can-match-optlen-in-sctp_.patch b/queue/sctp-make-sure-stream-nums-can-match-optlen-in-sctp_.patch new file mode 100644 index 0000000..e3a0391 --- /dev/null +++ b/queue/sctp-make-sure-stream-nums-can-match-optlen-in-sctp_.patch @@ -0,0 +1,54 @@ +From 2342b8d95bcae5946e1b9b8d58645f37500ef2e7 Mon Sep 17 00:00:00 2001 +From: Xin Long <lucien.xin@gmail.com> +Date: Sun, 10 Dec 2017 15:40:51 +0800 +Subject: [PATCH] sctp: make sure stream nums can match optlen in + sctp_setsockopt_reset_streams + +commit 2342b8d95bcae5946e1b9b8d58645f37500ef2e7 upstream. + +Now in sctp_setsockopt_reset_streams, it only does the check +optlen < sizeof(*params) for optlen. But it's not enough, as +params->srs_number_streams should also match optlen. + +If the streams in params->srs_stream_list are less than stream +nums in params->srs_number_streams, later when dereferencing +the stream list, it could cause a slab-out-of-bounds crash, as +reported by syzbot. + +This patch is to fix it by also checking the stream numbers in +sctp_setsockopt_reset_streams to make sure at least it's not +greater than the streams in the list. + +Fixes: 7f9d68ac944e ("sctp: implement sender-side procedures for SSN Reset Request Parameter") +Reported-by: Dmitry Vyukov <dvyukov@google.com> +Signed-off-by: Xin Long <lucien.xin@gmail.com> +Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> +Acked-by: Neil Horman <nhorman@tuxdriver.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index eb17a911aa29..3253f724a995 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -3891,13 +3891,17 @@ static int sctp_setsockopt_reset_streams(struct sock *sk, + struct sctp_association *asoc; + int retval = -EINVAL; + +- if (optlen < sizeof(struct sctp_reset_streams)) ++ if (optlen < sizeof(*params)) + return -EINVAL; + + params = memdup_user(optval, optlen); + if (IS_ERR(params)) + return PTR_ERR(params); + ++ if (params->srs_number_streams * sizeof(__u16) > ++ optlen - sizeof(*params)) ++ goto out; ++ + asoc = sctp_id2assoc(sk, params->srs_assoc_id); + if (!asoc) + goto out; +-- +2.15.0 + diff --git a/queue/series b/queue/series index df825c6..49b13cd 100644 --- a/queue/series +++ b/queue/series @@ -1,3 +1,103 @@ +tracing-Remove-extra-zeroing-out-of-the-ring-buffer-.patch +tracing-Fix-possible-double-free-on-failure-of-alloc.patch +tracing-Fix-crash-when-it-fails-to-alloc-ring-buffer.patch +iw_cxgb4-Only-validate-the-MSN-for-successful-comple.patch +ASoC-codecs-msm8916-wcd-Fix-supported-formats.patch +ASoC-wm_adsp-Fix-validation-of-firmware-and-coeff-le.patch +ASoC-da7218-fix-fix-child-node-lookup.patch +ASoC-fsl_ssi-AC-97-ops-need-regmap-clock-and-cleanin.patch +ASoC-twl4030-fix-child-node-lookup.patch +ASoC-tlv320aic31xx-Fix-GPIO1-register-definition.patch +gpio-fix-gpio-line-names-property-retrieval.patch +IB-hfi-Only-read-capability-registers-if-the-capabil.patch +IB-mlx5-Serialize-access-to-the-VMA-list.patch +IB-uverbs-Fix-command-checking-as-part-of-ib_uverbs_.patch +IB-core-Verify-that-QP-is-security-enabled-in-create.patch +ALSA-hda-Drop-useless-WARN_ON.patch +ALSA-hda-Add-MIC_NO_PRESENCE-fixup-for-2-HP-machines.patch +ALSA-hda-change-the-location-for-one-mic-on-a-Lenovo.patch +ALSA-hda-fix-headset-mic-detection-issue-on-a-Dell-m.patch +ALSA-hda-Fix-missing-COEF-init-for-ALC225-295-299.patch +cpufreq-schedutil-Use-idle_calls-counter-of-the-remo.patch +block-fix-blk_rq_append_bio.patch +block-don-t-let-passthrough-IO-go-into-.make_request.patch +kbuild-add-fno-stack-check-to-kernel-build-options.patch +ipv4-igmp-guard-against-silly-MTU-values.patch +ipv6-mcast-better-catch-silly-mtu-values.patch +net-fec-unmap-the-xmit-buffer-that-are-not-transferr.patch +net-igmp-Use-correct-source-address-on-IGMPv3-report.patch +net-qmi_wwan-add-Sierra-EM7565-1199-9091.patch +net-reevalulate-autoflowlabel-setting-after-sysctl-s.patch +ptr_ring-add-barriers.patch +RDS-Check-cmsg_len-before-dereferencing-CMSG_DATA.patch +tcp_bbr-record-full-bw-reached-decision-in-new-full_.patch +tcp-md5sig-Use-skb-s-saddr-when-replying-to-an-incom.patch +tg3-Fix-rx-hang-on-MTU-change-with-5717-5719.patch +tcp_bbr-reset-full-pipe-detection-on-loss-recovery-u.patch +tcp_bbr-reset-long-term-bandwidth-sampling-on-loss-r.patch +s390-qeth-apply-takeover-changes-when-mode-is-toggle.patch +s390-qeth-don-t-apply-takeover-changes-to-RXIP.patch +s390-qeth-lock-IP-table-while-applying-takeover-chan.patch +s390-qeth-update-takeover-IPs-after-configuration-ch.patch +net-mvmdio-disable-unprepare-clocks-in-EPROBE_DEFER-.patch +sctp-Replace-use-of-sockets_allocated-with-specified.patch +adding-missing-rcu_read_unlock-in-ipxip6_rcv.patch +ip6_gre-fix-device-features-for-ioctl-setup.patch +ipv4-Fix-use-after-free-when-flushing-FIB-tables.patch +net-bridge-fix-early-call-to-br_stp_change_bridge_id.patch +net-phy-micrel-ksz9031-reconfigure-autoneg-after-phy.patch +sock-free-skb-in-skb_complete_tx_timestamp-on-error.patch +tcp-invalidate-rate-samples-during-SACK-reneging.patch +net-mlx5-Fix-rate-limit-packet-pacing-naming-and-str.patch +net-mlx5e-Fix-possible-deadlock-of-VXLAN-lock.patch +net-mlx5e-Fix-features-check-of-IPv6-traffic.patch +net-mlx5e-Add-refcount-to-VXLAN-structure.patch +net-mlx5e-Prevent-possible-races-in-VXLAN-control-fl.patch +net-mlx5-Fix-error-flow-in-CREATE_QP-command.patch +openvswitch-Fix-pop_vlan-action-for-double-tagged-fr.patch +sfc-pass-valid-pointers-from-efx_enqueue_unwind.patch +net-dsa-bcm_sf2-Clear-IDDQ_GLOBAL_PWR-bit-for-PHY.patch +s390-qeth-fix-error-handling-in-checksum-cmd-callbac.patch +sctp-make-sure-stream-nums-can-match-optlen-in-sctp_.patch +tipc-fix-hanging-poll-for-stream-sockets.patch +mlxsw-spectrum-Disable-MAC-learning-for-ovs-port.patch +tcp-fix-potential-underestimation-on-rcv_rtt.patch +net-phy-marvell-Limit-88m1101-autoneg-errata-to-88E1.patch +ipv6-Honor-specified-parameters-in-fibmatch-lookup.patch +net-mlx5-FPGA-return-EINVAL-if-size-is-zero.patch +vxlan-restore-dev-mtu-setting-based-on-lower-device.patch +net-sched-fix-static-key-imbalance-in-case-of-ingres.patch +bnxt_en-Fix-sources-of-spurious-netpoll-warnings.patch +phylink-ensure-the-PHY-interface-mode-is-appropriate.patch +phylink-ensure-AN-is-enabled.patch +ipv4-fib-Fix-metrics-match-when-deleting-a-route.patch +ipv6-set-all.accept_dad-to-0-by-default.patch +Revert-mlx5-move-affinity-hints-assignments-to-gener.patch +skbuff-orphan-frags-before-zerocopy-clone.patch +skbuff-skb_copy_ubufs-must-release-uarg-even-without.patch +sparc64-repair-calling-incorrect-hweight-function-fr.patch +usbip-fix-usbip-bind-writing-random-string-after-com.patch +usbip-prevent-leaking-socket-pointer-address-in-mess.patch +usbip-stub-stop-printing-kernel-pointer-addresses-in.patch +usbip-vhci-stop-printing-kernel-pointer-addresses-in.patch +USB-chipidea-msm-fix-ulpi-node-lookup.patch +USB-serial-ftdi_sio-add-id-for-Airbus-DS-P8GR.patch +USB-serial-qcserial-add-Sierra-Wireless-EM7565.patch +USB-serial-option-add-support-for-Telit-ME910-PID-0x.patch +USB-serial-option-adding-support-for-YUGA-CLM920-NC5.patch +usb-Add-device-quirk-for-Logitech-HD-Pro-Webcam-C925.patch +usb-add-RESET_RESUME-for-ELSA-MicroLink-56K.patch +usb-xhci-Add-XHCI_TRUST_TX_LENGTH-for-Renesas-uPD720.patch +timers-Use-deferrable-base-independent-of-base-nohz_.patch +timers-Invoke-timer_start_debug-where-it-makes-sense.patch +timers-Reinitialize-per-cpu-bases-on-hotplug.patch +binder-fix-proc-files-use-after-free.patch +phy-tegra-fix-device-tree-node-lookups.patch +drivers-base-cacheinfo-fix-cache-type-for-non-archit.patch +staging-android-ion-Fix-dma-direction-for-dma_sync_s.patch +x86-32-Fix-kexec-with-stack-canary-CONFIG_CC_STACKPR.patch +n_tty-fix-EXTPROC-vs-ICANON-interaction-with-TIOCINQ.patch +tty-fix-tty_ldisc_receive_buf-documentation.patch KVM-arm64-Store-vcpu-on-the-stack-during-__guest_ent.patch KVM-arm-arm64-Convert-kvm_host_cpu_state-to-a-static.patch KVM-arm64-Change-hyp_panic-s-dependency-on-tpidr_el2.patch diff --git a/queue/sfc-pass-valid-pointers-from-efx_enqueue_unwind.patch b/queue/sfc-pass-valid-pointers-from-efx_enqueue_unwind.patch new file mode 100644 index 0000000..372b76e --- /dev/null +++ b/queue/sfc-pass-valid-pointers-from-efx_enqueue_unwind.patch @@ -0,0 +1,53 @@ +From d4a7a8893d4cdbc89d79ac4aa704bf8d4b67b368 Mon Sep 17 00:00:00 2001 +From: Bert Kenward <bkenward@solarflare.com> +Date: Thu, 7 Dec 2017 17:18:58 +0000 +Subject: [PATCH] sfc: pass valid pointers from efx_enqueue_unwind + +commit d4a7a8893d4cdbc89d79ac4aa704bf8d4b67b368 upstream. + +The bytes_compl and pkts_compl pointers passed to efx_dequeue_buffers +cannot be NULL. Add a paranoid warning to check this condition and fix +the one case where they were NULL. + +efx_enqueue_unwind() is called very rarely, during error handling. +Without this fix it would fail with a NULL pointer dereference in +efx_dequeue_buffer, with efx_enqueue_skb in the call stack. + +Fixes: e9117e5099ea ("sfc: Firmware-Assisted TSO version 2") +Reported-by: Jarod Wilson <jarod@redhat.com> +Signed-off-by: Bert Kenward <bkenward@solarflare.com> +Tested-by: Jarod Wilson <jarod@redhat.com> +Acked-by: Jarod Wilson <jarod@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/sfc/tx.c b/drivers/net/ethernet/sfc/tx.c +index 0ea7e16f2e6e..9937a2450e57 100644 +--- a/drivers/net/ethernet/sfc/tx.c ++++ b/drivers/net/ethernet/sfc/tx.c +@@ -77,6 +77,7 @@ static void efx_dequeue_buffer(struct efx_tx_queue *tx_queue, + } + + if (buffer->flags & EFX_TX_BUF_SKB) { ++ EFX_WARN_ON_PARANOID(!pkts_compl || !bytes_compl); + (*pkts_compl)++; + (*bytes_compl) += buffer->skb->len; + dev_consume_skb_any((struct sk_buff *)buffer->skb); +@@ -426,12 +427,14 @@ static int efx_tx_map_data(struct efx_tx_queue *tx_queue, struct sk_buff *skb, + static void efx_enqueue_unwind(struct efx_tx_queue *tx_queue) + { + struct efx_tx_buffer *buffer; ++ unsigned int bytes_compl = 0; ++ unsigned int pkts_compl = 0; + + /* Work backwards until we hit the original insert pointer value */ + while (tx_queue->insert_count != tx_queue->write_count) { + --tx_queue->insert_count; + buffer = __efx_tx_queue_get_insert_buffer(tx_queue); +- efx_dequeue_buffer(tx_queue, buffer, NULL, NULL); ++ efx_dequeue_buffer(tx_queue, buffer, &pkts_compl, &bytes_compl); + } + } + +-- +2.15.0 + diff --git a/queue/skbuff-orphan-frags-before-zerocopy-clone.patch b/queue/skbuff-orphan-frags-before-zerocopy-clone.patch new file mode 100644 index 0000000..5d2608f --- /dev/null +++ b/queue/skbuff-orphan-frags-before-zerocopy-clone.patch @@ -0,0 +1,52 @@ +From 268b790679422a89e9ab0685d9f291edae780c98 Mon Sep 17 00:00:00 2001 +From: Willem de Bruijn <willemb@google.com> +Date: Wed, 20 Dec 2017 17:37:49 -0500 +Subject: [PATCH] skbuff: orphan frags before zerocopy clone + +commit 268b790679422a89e9ab0685d9f291edae780c98 upstream. + +Call skb_zerocopy_clone after skb_orphan_frags, to avoid duplicate +calls to skb_uarg(skb)->callback for the same data. + +skb_zerocopy_clone associates skb_shinfo(skb)->uarg from frag_skb +with each segment. This is only safe for uargs that do refcounting, +which is those that pass skb_orphan_frags without dropping their +shared frags. For others, skb_orphan_frags drops the user frags and +sets the uarg to NULL, after which sock_zerocopy_clone has no effect. + +Qemu hangs were reported due to duplicate vhost_net_zerocopy_callback +calls for the same data causing the vhost_net_ubuf_ref_>refcount to +drop below zero. + +Link: http://lkml.kernel.org/r/<CAF=yD-LWyCD4Y0aJ9O0e_CHLR+3JOeKicRRTEVCPxgw4XOcqGQ@mail.gmail.com> +Fixes: 1f8b977ab32d ("sock: enable MSG_ZEROCOPY") +Reported-by: Andreas Hartmann <andihartmann@01019freenet.de> +Reported-by: David Hill <dhill@redhat.com> +Signed-off-by: Willem de Bruijn <willemb@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index a592ca025fc4..edf40ac0cd07 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -3654,8 +3654,6 @@ normal: + + skb_shinfo(nskb)->tx_flags |= skb_shinfo(head_skb)->tx_flags & + SKBTX_SHARED_FRAG; +- if (skb_zerocopy_clone(nskb, head_skb, GFP_ATOMIC)) +- goto err; + + while (pos < offset + len) { + if (i >= nfrags) { +@@ -3681,6 +3679,8 @@ normal: + + if (unlikely(skb_orphan_frags(frag_skb, GFP_ATOMIC))) + goto err; ++ if (skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC)) ++ goto err; + + *nskb_frag = *frag; + __skb_frag_ref(nskb_frag); +-- +2.15.0 + diff --git a/queue/skbuff-skb_copy_ubufs-must-release-uarg-even-without.patch b/queue/skbuff-skb_copy_ubufs-must-release-uarg-even-without.patch new file mode 100644 index 0000000..5a0ddb4 --- /dev/null +++ b/queue/skbuff-skb_copy_ubufs-must-release-uarg-even-without.patch @@ -0,0 +1,43 @@ +From b90ddd568792bcb0054eaf0f61785c8f80c3bd1c Mon Sep 17 00:00:00 2001 +From: Willem de Bruijn <willemb@google.com> +Date: Wed, 20 Dec 2017 17:37:50 -0500 +Subject: [PATCH] skbuff: skb_copy_ubufs must release uarg even without user + frags + +commit b90ddd568792bcb0054eaf0f61785c8f80c3bd1c upstream. + +skb_copy_ubufs creates a private copy of frags[] to release its hold +on user frags, then calls uarg->callback to notify the owner. + +Call uarg->callback even when no frags exist. This edge case can +happen when zerocopy_sg_from_iter finds enough room in skb_headlen +to copy all the data. + +Fixes: 3ece782693c4 ("sock: skb_copy_ubufs support for compound pages") +Signed-off-by: Willem de Bruijn <willemb@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index edf40ac0cd07..a3cb0be4c6f3 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -1178,7 +1178,7 @@ int skb_copy_ubufs(struct sk_buff *skb, gfp_t gfp_mask) + u32 d_off; + + if (!num_frags) +- return 0; ++ goto release; + + if (skb_shared(skb) || skb_unclone(skb, gfp_mask)) + return -EINVAL; +@@ -1238,6 +1238,7 @@ int skb_copy_ubufs(struct sk_buff *skb, gfp_t gfp_mask) + __skb_fill_page_desc(skb, new_frags - 1, head, 0, d_off); + skb_shinfo(skb)->nr_frags = new_frags; + ++release: + skb_zcopy_clear(skb, false); + return 0; + } +-- +2.15.0 + diff --git a/queue/sock-free-skb-in-skb_complete_tx_timestamp-on-error.patch b/queue/sock-free-skb-in-skb_complete_tx_timestamp-on-error.patch new file mode 100644 index 0000000..e3cace9 --- /dev/null +++ b/queue/sock-free-skb-in-skb_complete_tx_timestamp-on-error.patch @@ -0,0 +1,45 @@ +From 35b99dffc3f710cafceee6c8c6ac6a98eb2cb4bf Mon Sep 17 00:00:00 2001 +From: Willem de Bruijn <willemb@google.com> +Date: Wed, 13 Dec 2017 14:41:06 -0500 +Subject: [PATCH] sock: free skb in skb_complete_tx_timestamp on error + +commit 35b99dffc3f710cafceee6c8c6ac6a98eb2cb4bf upstream. + +skb_complete_tx_timestamp must ingest the skb it is passed. Call +kfree_skb if the skb cannot be enqueued. + +Fixes: b245be1f4db1 ("net-timestamp: no-payload only sysctl") +Fixes: 9ac25fc06375 ("net: fix socket refcounting in skb_complete_tx_timestamp()") +Reported-by: Richard Cochran <richardcochran@gmail.com> +Signed-off-by: Willem de Bruijn <willemb@google.com> +Reviewed-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 6b0ff396fa9d..a592ca025fc4 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4293,7 +4293,7 @@ void skb_complete_tx_timestamp(struct sk_buff *skb, + struct sock *sk = skb->sk; + + if (!skb_may_tx_timestamp(sk, false)) +- return; ++ goto err; + + /* Take a reference to prevent skb_orphan() from freeing the socket, + * but only if the socket refcount is not zero. +@@ -4302,7 +4302,11 @@ void skb_complete_tx_timestamp(struct sk_buff *skb, + *skb_hwtstamps(skb) = *hwtstamps; + __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND, false); + sock_put(sk); ++ return; + } ++ ++err: ++ kfree_skb(skb); + } + EXPORT_SYMBOL_GPL(skb_complete_tx_timestamp); + +-- +2.15.0 + diff --git a/queue/sparc64-repair-calling-incorrect-hweight-function-fr.patch b/queue/sparc64-repair-calling-incorrect-hweight-function-fr.patch new file mode 100644 index 0000000..29ce9f3 --- /dev/null +++ b/queue/sparc64-repair-calling-incorrect-hweight-function-fr.patch @@ -0,0 +1,32 @@ +From 59585b4be9ae4dc6506551709bdcd6f5210b8a01 Mon Sep 17 00:00:00 2001 +From: Jan Engelhardt <jengelh@inai.de> +Date: Mon, 25 Dec 2017 03:43:53 +0100 +Subject: [PATCH] sparc64: repair calling incorrect hweight function from stubs + +commit 59585b4be9ae4dc6506551709bdcd6f5210b8a01 upstream. + +Commit v4.12-rc4-1-g9289ea7f952b introduced a mistake that made the +64-bit hweight stub call the 16-bit hweight function. + +Fixes: 9289ea7f952b ("sparc64: Use indirect calls in hamming weight stubs") +Signed-off-by: Jan Engelhardt <jengelh@inai.de> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/arch/sparc/lib/hweight.S b/arch/sparc/lib/hweight.S +index e5547b22cd18..0ddbbb031822 100644 +--- a/arch/sparc/lib/hweight.S ++++ b/arch/sparc/lib/hweight.S +@@ -44,8 +44,8 @@ EXPORT_SYMBOL(__arch_hweight32) + .previous + + ENTRY(__arch_hweight64) +- sethi %hi(__sw_hweight16), %g1 +- jmpl %g1 + %lo(__sw_hweight16), %g0 ++ sethi %hi(__sw_hweight64), %g1 ++ jmpl %g1 + %lo(__sw_hweight64), %g0 + nop + ENDPROC(__arch_hweight64) + EXPORT_SYMBOL(__arch_hweight64) +-- +2.15.0 + diff --git a/queue/staging-android-ion-Fix-dma-direction-for-dma_sync_s.patch b/queue/staging-android-ion-Fix-dma-direction-for-dma_sync_s.patch new file mode 100644 index 0000000..5bf7703 --- /dev/null +++ b/queue/staging-android-ion-Fix-dma-direction-for-dma_sync_s.patch @@ -0,0 +1,43 @@ +From d6b246bb7a29703f53aa4c050b8b3205d749caee Mon Sep 17 00:00:00 2001 +From: Sushmita Susheelendra <ssusheel@codeaurora.org> +Date: Fri, 15 Dec 2017 13:59:13 -0700 +Subject: [PATCH] staging: android: ion: Fix dma direction for + dma_sync_sg_for_cpu/device + +commit d6b246bb7a29703f53aa4c050b8b3205d749caee upstream. + +Use the direction argument passed into begin_cpu_access +and end_cpu_access when calling the dma_sync_sg_for_cpu/device. +The actual cache primitive called depends on the direction +passed in. + +Signed-off-by: Sushmita Susheelendra <ssusheel@codeaurora.org> +Cc: stable <stable@vger.kernel.org> +Acked-by: Laura Abbott <labbott@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c +index a7d9b0e98572..f480885e346b 100644 +--- a/drivers/staging/android/ion/ion.c ++++ b/drivers/staging/android/ion/ion.c +@@ -346,7 +346,7 @@ static int ion_dma_buf_begin_cpu_access(struct dma_buf *dmabuf, + mutex_lock(&buffer->lock); + list_for_each_entry(a, &buffer->attachments, list) { + dma_sync_sg_for_cpu(a->dev, a->table->sgl, a->table->nents, +- DMA_BIDIRECTIONAL); ++ direction); + } + mutex_unlock(&buffer->lock); + +@@ -368,7 +368,7 @@ static int ion_dma_buf_end_cpu_access(struct dma_buf *dmabuf, + mutex_lock(&buffer->lock); + list_for_each_entry(a, &buffer->attachments, list) { + dma_sync_sg_for_device(a->dev, a->table->sgl, a->table->nents, +- DMA_BIDIRECTIONAL); ++ direction); + } + mutex_unlock(&buffer->lock); + +-- +2.15.0 + diff --git a/queue/tcp-fix-potential-underestimation-on-rcv_rtt.patch b/queue/tcp-fix-potential-underestimation-on-rcv_rtt.patch new file mode 100644 index 0000000..d388eb7 --- /dev/null +++ b/queue/tcp-fix-potential-underestimation-on-rcv_rtt.patch @@ -0,0 +1,57 @@ +From 9ee11bd03cb1a5c3ca33c2bb70e7ed325f68890f Mon Sep 17 00:00:00 2001 +From: Wei Wang <weiwan@google.com> +Date: Tue, 12 Dec 2017 16:28:58 -0800 +Subject: [PATCH] tcp: fix potential underestimation on rcv_rtt + +commit 9ee11bd03cb1a5c3ca33c2bb70e7ed325f68890f upstream. + +When ms timestamp is used, current logic uses 1us in +tcp_rcv_rtt_update() when the real rcv_rtt is within 1 - 999us. +This could cause rcv_rtt underestimation. +Fix it by always using a min value of 1ms if ms timestamp is used. + +Fixes: 645f4c6f2ebd ("tcp: switch rcv_rtt_est and rcvq_space to high resolution timestamps") +Signed-off-by: Wei Wang <weiwan@google.com> +Signed-off-by: Eric Dumazet <edumazet@google.com> +Acked-by: Neal Cardwell <ncardwell@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 9550cc42de2d..45f750e85714 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -508,9 +508,6 @@ static void tcp_rcv_rtt_update(struct tcp_sock *tp, u32 sample, int win_dep) + u32 new_sample = tp->rcv_rtt_est.rtt_us; + long m = sample; + +- if (m == 0) +- m = 1; +- + if (new_sample != 0) { + /* If we sample in larger samples in the non-timestamp + * case, we could grossly overestimate the RTT especially +@@ -547,6 +544,8 @@ static inline void tcp_rcv_rtt_measure(struct tcp_sock *tp) + if (before(tp->rcv_nxt, tp->rcv_rtt_est.seq)) + return; + delta_us = tcp_stamp_us_delta(tp->tcp_mstamp, tp->rcv_rtt_est.time); ++ if (!delta_us) ++ delta_us = 1; + tcp_rcv_rtt_update(tp, delta_us, 1); + + new_measure: +@@ -563,8 +562,11 @@ static inline void tcp_rcv_rtt_measure_ts(struct sock *sk, + (TCP_SKB_CB(skb)->end_seq - + TCP_SKB_CB(skb)->seq >= inet_csk(sk)->icsk_ack.rcv_mss)) { + u32 delta = tcp_time_stamp(tp) - tp->rx_opt.rcv_tsecr; +- u32 delta_us = delta * (USEC_PER_SEC / TCP_TS_HZ); ++ u32 delta_us; + ++ if (!delta) ++ delta = 1; ++ delta_us = delta * (USEC_PER_SEC / TCP_TS_HZ); + tcp_rcv_rtt_update(tp, delta_us, 0); + } + } +-- +2.15.0 + diff --git a/queue/tcp-invalidate-rate-samples-during-SACK-reneging.patch b/queue/tcp-invalidate-rate-samples-during-SACK-reneging.patch new file mode 100644 index 0000000..f35e655 --- /dev/null +++ b/queue/tcp-invalidate-rate-samples-during-SACK-reneging.patch @@ -0,0 +1,155 @@ +From d4761754b4fb2ef8d9a1e9d121c4bec84e1fe292 Mon Sep 17 00:00:00 2001 +From: Yousuk Seung <ysseung@google.com> +Date: Thu, 7 Dec 2017 13:41:34 -0800 +Subject: [PATCH] tcp: invalidate rate samples during SACK reneging + +commit d4761754b4fb2ef8d9a1e9d121c4bec84e1fe292 upstream. + +Mark tcp_sock during a SACK reneging event and invalidate rate samples +while marked. Such rate samples may overestimate bw by including packets +that were SACKed before reneging. + +< ack 6001 win 10000 sack 7001:38001 +< ack 7001 win 0 sack 8001:38001 // Reneg detected +> seq 7001:8001 // RTO, SACK cleared. +< ack 38001 win 10000 + +In above example the rate sample taken after the last ack will count +7001-38001 as delivered while the actual delivery rate likely could +be much lower i.e. 7001-8001. + +This patch adds a new field tcp_sock.sack_reneg and marks it when we +declare SACK reneging and entering TCP_CA_Loss, and unmarks it after +the last rate sample was taken before moving back to TCP_CA_Open. This +patch also invalidates rate samples taken while tcp_sock.is_sack_reneg +is set. + +Fixes: b9f64820fb22 ("tcp: track data delivery rate for a TCP connection") +Signed-off-by: Yousuk Seung <ysseung@google.com> +Signed-off-by: Neal Cardwell <ncardwell@google.com> +Signed-off-by: Yuchung Cheng <ycheng@google.com> +Acked-by: Soheil Hassas Yeganeh <soheil@google.com> +Acked-by: Eric Dumazet <edumazet@google.com> +Acked-by: Priyaranjan Jha <priyarjha@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/include/linux/tcp.h b/include/linux/tcp.h +index df5d97a85e1a..ca4a6361389b 100644 +--- a/include/linux/tcp.h ++++ b/include/linux/tcp.h +@@ -224,7 +224,8 @@ struct tcp_sock { + rate_app_limited:1, /* rate_{delivered,interval_us} limited? */ + fastopen_connect:1, /* FASTOPEN_CONNECT sockopt */ + fastopen_no_cookie:1, /* Allow send/recv SYN+data without a cookie */ +- unused:3; ++ is_sack_reneg:1, /* in recovery from loss with SACK reneg? */ ++ unused:2; + u8 nonagle : 4,/* Disable Nagle algorithm? */ + thin_lto : 1,/* Use linear timeouts for thin streams */ + unused1 : 1, +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 6998707e81f3..6da880d2f022 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1055,7 +1055,7 @@ void tcp_rate_skb_sent(struct sock *sk, struct sk_buff *skb); + void tcp_rate_skb_delivered(struct sock *sk, struct sk_buff *skb, + struct rate_sample *rs); + void tcp_rate_gen(struct sock *sk, u32 delivered, u32 lost, +- struct rate_sample *rs); ++ bool is_sack_reneg, struct rate_sample *rs); + void tcp_rate_check_app_limited(struct sock *sk); + + /* These functions determine how the current flow behaves in respect of SACK +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index bf97317e6c97..f08eebe60446 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2412,6 +2412,7 @@ int tcp_disconnect(struct sock *sk, int flags) + tp->snd_cwnd_cnt = 0; + tp->window_clamp = 0; + tcp_set_ca_state(sk, TCP_CA_Open); ++ tp->is_sack_reneg = 0; + tcp_clear_retrans(tp); + inet_csk_delack_init(sk); + /* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0 +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 514c00732988..075c559570e6 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -1942,6 +1942,8 @@ void tcp_enter_loss(struct sock *sk) + if (is_reneg) { + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSACKRENEGING); + tp->sacked_out = 0; ++ /* Mark SACK reneging until we recover from this loss event. */ ++ tp->is_sack_reneg = 1; + } + tcp_clear_all_retrans_hints(tp); + +@@ -2365,6 +2367,7 @@ static bool tcp_try_undo_recovery(struct sock *sk) + return true; + } + tcp_set_ca_state(sk, TCP_CA_Open); ++ tp->is_sack_reneg = 0; + return false; + } + +@@ -2398,8 +2401,10 @@ static bool tcp_try_undo_loss(struct sock *sk, bool frto_undo) + NET_INC_STATS(sock_net(sk), + LINUX_MIB_TCPSPURIOUSRTOS); + inet_csk(sk)->icsk_retransmits = 0; +- if (frto_undo || tcp_is_sack(tp)) ++ if (frto_undo || tcp_is_sack(tp)) { + tcp_set_ca_state(sk, TCP_CA_Open); ++ tp->is_sack_reneg = 0; ++ } + return true; + } + return false; +@@ -3496,6 +3501,7 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag) + struct tcp_sacktag_state sack_state; + struct rate_sample rs = { .prior_delivered = 0 }; + u32 prior_snd_una = tp->snd_una; ++ bool is_sack_reneg = tp->is_sack_reneg; + u32 ack_seq = TCP_SKB_CB(skb)->seq; + u32 ack = TCP_SKB_CB(skb)->ack_seq; + bool is_dupack = false; +@@ -3612,7 +3618,7 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag) + + delivered = tp->delivered - delivered; /* freshly ACKed or SACKed */ + lost = tp->lost - lost; /* freshly marked lost */ +- tcp_rate_gen(sk, delivered, lost, sack_state.rate); ++ tcp_rate_gen(sk, delivered, lost, is_sack_reneg, sack_state.rate); + tcp_cong_control(sk, ack, delivered, flag, sack_state.rate); + tcp_xmit_recovery(sk, rexmit); + return 1; +diff --git a/net/ipv4/tcp_rate.c b/net/ipv4/tcp_rate.c +index 3330a370d306..c61240e43923 100644 +--- a/net/ipv4/tcp_rate.c ++++ b/net/ipv4/tcp_rate.c +@@ -106,7 +106,7 @@ void tcp_rate_skb_delivered(struct sock *sk, struct sk_buff *skb, + + /* Update the connection delivery information and generate a rate sample. */ + void tcp_rate_gen(struct sock *sk, u32 delivered, u32 lost, +- struct rate_sample *rs) ++ bool is_sack_reneg, struct rate_sample *rs) + { + struct tcp_sock *tp = tcp_sk(sk); + u32 snd_us, ack_us; +@@ -124,8 +124,12 @@ void tcp_rate_gen(struct sock *sk, u32 delivered, u32 lost, + + rs->acked_sacked = delivered; /* freshly ACKed or SACKed */ + rs->losses = lost; /* freshly marked lost */ +- /* Return an invalid sample if no timing information is available. */ +- if (!rs->prior_mstamp) { ++ /* Return an invalid sample if no timing information is available or ++ * in recovery from loss with SACK reneging. Rate samples taken during ++ * a SACK reneging event may overestimate bw by including packets that ++ * were SACKed before the reneg. ++ */ ++ if (!rs->prior_mstamp || is_sack_reneg) { + rs->delivered = -1; + rs->interval_us = -1; + return; +-- +2.15.0 + diff --git a/queue/tcp-md5sig-Use-skb-s-saddr-when-replying-to-an-incom.patch b/queue/tcp-md5sig-Use-skb-s-saddr-when-replying-to-an-incom.patch new file mode 100644 index 0000000..872af43 --- /dev/null +++ b/queue/tcp-md5sig-Use-skb-s-saddr-when-replying-to-an-incom.patch @@ -0,0 +1,55 @@ +From 30791ac41927ebd3e75486f9504b6d2280463bf0 Mon Sep 17 00:00:00 2001 +From: Christoph Paasch <cpaasch@apple.com> +Date: Mon, 11 Dec 2017 00:05:46 -0800 +Subject: [PATCH] tcp md5sig: Use skb's saddr when replying to an incoming + segment + +commit 30791ac41927ebd3e75486f9504b6d2280463bf0 upstream. + +The MD5-key that belongs to a connection is identified by the peer's +IP-address. When we are in tcp_v4(6)_reqsk_send_ack(), we are replying +to an incoming segment from tcp_check_req() that failed the seq-number +checks. + +Thus, to find the correct key, we need to use the skb's saddr and not +the daddr. + +This bug seems to have been there since quite a while, but probably got +unnoticed because the consequences are not catastrophic. We will call +tcp_v4_reqsk_send_ack only to send a challenge-ACK back to the peer, +thus the connection doesn't really fail. + +Fixes: 9501f9722922 ("tcp md5sig: Let the caller pass appropriate key for tcp_v{4,6}_do_calc_md5_hash().") +Signed-off-by: Christoph Paasch <cpaasch@apple.com> +Reviewed-by: Eric Dumazet <edumazet@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 77ea45da0fe9..94e28350f420 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -848,7 +848,7 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, + tcp_time_stamp_raw() + tcp_rsk(req)->ts_off, + req->ts_recent, + 0, +- tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&ip_hdr(skb)->daddr, ++ tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&ip_hdr(skb)->saddr, + AF_INET), + inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0, + ip_hdr(skb)->tos); +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 1f04ec0e4a7a..7178476b3d2f 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -994,7 +994,7 @@ static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, + req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale, + tcp_time_stamp_raw() + tcp_rsk(req)->ts_off, + req->ts_recent, sk->sk_bound_dev_if, +- tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr), ++ tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr), + 0, 0); + } + +-- +2.15.0 + diff --git a/queue/tcp_bbr-record-full-bw-reached-decision-in-new-full_.patch b/queue/tcp_bbr-record-full-bw-reached-decision-in-new-full_.patch new file mode 100644 index 0000000..e482064 --- /dev/null +++ b/queue/tcp_bbr-record-full-bw-reached-decision-in-new-full_.patch @@ -0,0 +1,69 @@ +From c589e69b508d29ed8e644dfecda453f71c02ec27 Mon Sep 17 00:00:00 2001 +From: Neal Cardwell <ncardwell@google.com> +Date: Thu, 7 Dec 2017 12:43:30 -0500 +Subject: [PATCH] tcp_bbr: record "full bw reached" decision in new + full_bw_reached bit + +commit c589e69b508d29ed8e644dfecda453f71c02ec27 upstream. + +This commit records the "full bw reached" decision in a new +full_bw_reached bit. This is a pure refactor that does not change the +current behavior, but enables subsequent fixes and improvements. + +In particular, this enables simple and clean fixes because the full_bw +and full_bw_cnt can be unconditionally zeroed without worrying about +forgetting that we estimated we filled the pipe in Startup. And it +enables future improvements because multiple code paths can be used +for estimating that we filled the pipe in Startup; any new code paths +only need to set this bit when they think the pipe is full. + +Note that this fix intentionally reduces the width of the full_bw_cnt +counter, since we have never used the most significant bit. + +Signed-off-by: Neal Cardwell <ncardwell@google.com> +Reviewed-by: Yuchung Cheng <ycheng@google.com> +Acked-by: Soheil Hassas Yeganeh <soheil@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/ipv4/tcp_bbr.c b/net/ipv4/tcp_bbr.c +index 69ee877574d0..3089c956b9f9 100644 +--- a/net/ipv4/tcp_bbr.c ++++ b/net/ipv4/tcp_bbr.c +@@ -110,7 +110,8 @@ struct bbr { + u32 lt_last_lost; /* LT intvl start: tp->lost */ + u32 pacing_gain:10, /* current gain for setting pacing rate */ + cwnd_gain:10, /* current gain for setting cwnd */ +- full_bw_cnt:3, /* number of rounds without large bw gains */ ++ full_bw_reached:1, /* reached full bw in Startup? */ ++ full_bw_cnt:2, /* number of rounds without large bw gains */ + cycle_idx:3, /* current index in pacing_gain cycle array */ + has_seen_rtt:1, /* have we seen an RTT sample yet? */ + unused_b:5; +@@ -180,7 +181,7 @@ static bool bbr_full_bw_reached(const struct sock *sk) + { + const struct bbr *bbr = inet_csk_ca(sk); + +- return bbr->full_bw_cnt >= bbr_full_bw_cnt; ++ return bbr->full_bw_reached; + } + + /* Return the windowed max recent bandwidth sample, in pkts/uS << BW_SCALE. */ +@@ -717,6 +718,7 @@ static void bbr_check_full_bw_reached(struct sock *sk, + return; + } + ++bbr->full_bw_cnt; ++ bbr->full_bw_reached = bbr->full_bw_cnt >= bbr_full_bw_cnt; + } + + /* If pipe is probably full, drain the queue and then enter steady-state. */ +@@ -850,6 +852,7 @@ static void bbr_init(struct sock *sk) + bbr->restore_cwnd = 0; + bbr->round_start = 0; + bbr->idle_restart = 0; ++ bbr->full_bw_reached = 0; + bbr->full_bw = 0; + bbr->full_bw_cnt = 0; + bbr->cycle_mstamp = 0; +-- +2.15.0 + diff --git a/queue/tcp_bbr-reset-full-pipe-detection-on-loss-recovery-u.patch b/queue/tcp_bbr-reset-full-pipe-detection-on-loss-recovery-u.patch new file mode 100644 index 0000000..10cd697 --- /dev/null +++ b/queue/tcp_bbr-reset-full-pipe-detection-on-loss-recovery-u.patch @@ -0,0 +1,42 @@ +From 2f6c498e4f15d27852c04ed46d804a39137ba364 Mon Sep 17 00:00:00 2001 +From: Neal Cardwell <ncardwell@google.com> +Date: Thu, 7 Dec 2017 12:43:31 -0500 +Subject: [PATCH] tcp_bbr: reset full pipe detection on loss recovery undo + +commit 2f6c498e4f15d27852c04ed46d804a39137ba364 upstream. + +Fix BBR so that upon notification of a loss recovery undo BBR resets +the full pipe detection (STARTUP exit) state machine. + +Under high reordering, reordering events can be interpreted as loss. +If the reordering and spurious loss estimates are high enough, this +could previously cause BBR to spuriously estimate that the pipe is +full. + +Since spurious loss recovery means that our overall sending will have +slowed down spuriously, this commit gives a flow more time to probe +robustly for bandwidth and decide the pipe is really full. + +Signed-off-by: Neal Cardwell <ncardwell@google.com> +Reviewed-by: Yuchung Cheng <ycheng@google.com> +Acked-by: Soheil Hassas Yeganeh <soheil@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/ipv4/tcp_bbr.c b/net/ipv4/tcp_bbr.c +index 3089c956b9f9..ab3ff14ea7f7 100644 +--- a/net/ipv4/tcp_bbr.c ++++ b/net/ipv4/tcp_bbr.c +@@ -874,6 +874,10 @@ static u32 bbr_sndbuf_expand(struct sock *sk) + */ + static u32 bbr_undo_cwnd(struct sock *sk) + { ++ struct bbr *bbr = inet_csk_ca(sk); ++ ++ bbr->full_bw = 0; /* spurious slow-down; reset full pipe detection */ ++ bbr->full_bw_cnt = 0; + return tcp_sk(sk)->snd_cwnd; + } + +-- +2.15.0 + diff --git a/queue/tcp_bbr-reset-long-term-bandwidth-sampling-on-loss-r.patch b/queue/tcp_bbr-reset-long-term-bandwidth-sampling-on-loss-r.patch new file mode 100644 index 0000000..9a87d94 --- /dev/null +++ b/queue/tcp_bbr-reset-long-term-bandwidth-sampling-on-loss-r.patch @@ -0,0 +1,38 @@ +From 600647d467c6d04b3954b41a6ee1795b5ae00550 Mon Sep 17 00:00:00 2001 +From: Neal Cardwell <ncardwell@google.com> +Date: Thu, 7 Dec 2017 12:43:32 -0500 +Subject: [PATCH] tcp_bbr: reset long-term bandwidth sampling on loss recovery + undo + +commit 600647d467c6d04b3954b41a6ee1795b5ae00550 upstream. + +Fix BBR so that upon notification of a loss recovery undo BBR resets +long-term bandwidth sampling. + +Under high reordering, reordering events can be interpreted as loss. +If the reordering and spurious loss estimates are high enough, this +can cause BBR to spuriously estimate that we are seeing loss rates +high enough to trigger long-term bandwidth estimation. To avoid that +problem, this commit resets long-term bandwidth sampling on loss +recovery undo events. + +Signed-off-by: Neal Cardwell <ncardwell@google.com> +Reviewed-by: Yuchung Cheng <ycheng@google.com> +Acked-by: Soheil Hassas Yeganeh <soheil@google.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/ipv4/tcp_bbr.c b/net/ipv4/tcp_bbr.c +index ab3ff14ea7f7..8322f26e770e 100644 +--- a/net/ipv4/tcp_bbr.c ++++ b/net/ipv4/tcp_bbr.c +@@ -878,6 +878,7 @@ static u32 bbr_undo_cwnd(struct sock *sk) + + bbr->full_bw = 0; /* spurious slow-down; reset full pipe detection */ + bbr->full_bw_cnt = 0; ++ bbr_reset_lt_bw_sampling(sk); + return tcp_sk(sk)->snd_cwnd; + } + +-- +2.15.0 + diff --git a/queue/tg3-Fix-rx-hang-on-MTU-change-with-5717-5719.patch b/queue/tg3-Fix-rx-hang-on-MTU-change-with-5717-5719.patch new file mode 100644 index 0000000..2322322 --- /dev/null +++ b/queue/tg3-Fix-rx-hang-on-MTU-change-with-5717-5719.patch @@ -0,0 +1,35 @@ +From 748a240c589824e9121befb1cba5341c319885bc Mon Sep 17 00:00:00 2001 +From: Brian King <brking@linux.vnet.ibm.com> +Date: Fri, 15 Dec 2017 15:21:50 -0600 +Subject: [PATCH] tg3: Fix rx hang on MTU change with 5717/5719 + +commit 748a240c589824e9121befb1cba5341c319885bc upstream. + +This fixes a hang issue seen when changing the MTU size from 1500 MTU +to 9000 MTU on both 5717 and 5719 chips. In discussion with Broadcom, +they've indicated that these chipsets have the same phy as the 57766 +chipset, so the same workarounds apply. This has been tested by IBM +on both Power 8 and Power 9 systems as well as by Broadcom on x86 +hardware and has been confirmed to resolve the hang issue. + +Signed-off-by: Brian King <brking@linux.vnet.ibm.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index de51c2177d03..d09c5a9c53b5 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -14225,7 +14225,9 @@ static int tg3_change_mtu(struct net_device *dev, int new_mtu) + /* Reset PHY, otherwise the read DMA engine will be in a mode that + * breaks all requests to 256 bytes. + */ +- if (tg3_asic_rev(tp) == ASIC_REV_57766) ++ if (tg3_asic_rev(tp) == ASIC_REV_57766 || ++ tg3_asic_rev(tp) == ASIC_REV_5717 || ++ tg3_asic_rev(tp) == ASIC_REV_5719) + reset_phy = true; + + err = tg3_restart_hw(tp, reset_phy); +-- +2.15.0 + diff --git a/queue/timers-Invoke-timer_start_debug-where-it-makes-sense.patch b/queue/timers-Invoke-timer_start_debug-where-it-makes-sense.patch new file mode 100644 index 0000000..ff09554 --- /dev/null +++ b/queue/timers-Invoke-timer_start_debug-where-it-makes-sense.patch @@ -0,0 +1,49 @@ +From fd45bb77ad682be728d1002431d77b8c73342836 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner <tglx@linutronix.de> +Date: Fri, 22 Dec 2017 15:51:14 +0100 +Subject: [PATCH] timers: Invoke timer_start_debug() where it makes sense + +commit fd45bb77ad682be728d1002431d77b8c73342836 upstream. + +The timer start debug function is called before the proper timer base is +set. As a consequence the trace data contains the stale CPU and flags +values. + +Call the debug function after setting the new base and flags. + +Fixes: 500462a9de65 ("timers: Switch to a non-cascading wheel") +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Frederic Weisbecker <fweisbec@gmail.com> +Cc: Sebastian Siewior <bigeasy@linutronix.de> +Cc: stable@vger.kernel.org +Cc: rt@linutronix.de +Cc: Paul McKenney <paulmck@linux.vnet.ibm.com> +Cc: Anna-Maria Gleixner <anna-maria@linutronix.de> +Link: https://lkml.kernel.org/r/20171222145337.792907137@linutronix.de + +diff --git a/kernel/time/timer.c b/kernel/time/timer.c +index 6be576e02209..89a9e1b4264a 100644 +--- a/kernel/time/timer.c ++++ b/kernel/time/timer.c +@@ -1007,8 +1007,6 @@ __mod_timer(struct timer_list *timer, unsigned long expires, unsigned int option + if (!ret && (options & MOD_TIMER_PENDING_ONLY)) + goto out_unlock; + +- debug_activate(timer, expires); +- + new_base = get_target_base(base, timer->flags); + + if (base != new_base) { +@@ -1032,6 +1030,8 @@ __mod_timer(struct timer_list *timer, unsigned long expires, unsigned int option + } + } + ++ debug_activate(timer, expires); ++ + timer->expires = expires; + /* + * If 'idx' was calculated above and the base time did not advance +-- +2.15.0 + diff --git a/queue/timers-Reinitialize-per-cpu-bases-on-hotplug.patch b/queue/timers-Reinitialize-per-cpu-bases-on-hotplug.patch new file mode 100644 index 0000000..537ab85 --- /dev/null +++ b/queue/timers-Reinitialize-per-cpu-bases-on-hotplug.patch @@ -0,0 +1,102 @@ +From 26456f87aca7157c057de65c9414b37f1ab881d1 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner <tglx@linutronix.de> +Date: Wed, 27 Dec 2017 21:37:25 +0100 +Subject: [PATCH] timers: Reinitialize per cpu bases on hotplug + +commit 26456f87aca7157c057de65c9414b37f1ab881d1 upstream. + +The timer wheel bases are not (re)initialized on CPU hotplug. That leaves +them with a potentially stale clk and next_expiry valuem, which can cause +trouble then the CPU is plugged. + +Add a prepare callback which forwards the clock, sets next_expiry to far in +the future and reset the control flags to a known state. + +Set base->must_forward_clk so the first timer which is queued will try to +forward the clock to current jiffies. + +Fixes: 500462a9de65 ("timers: Switch to a non-cascading wheel") +Reported-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Frederic Weisbecker <fweisbec@gmail.com> +Cc: Sebastian Siewior <bigeasy@linutronix.de> +Cc: Anna-Maria Gleixner <anna-maria@linutronix.de> +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1712272152200.2431@nanos + +diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h +index 201ab7267986..1a32e558eb11 100644 +--- a/include/linux/cpuhotplug.h ++++ b/include/linux/cpuhotplug.h +@@ -86,7 +86,7 @@ enum cpuhp_state { + CPUHP_MM_ZSWP_POOL_PREPARE, + CPUHP_KVM_PPC_BOOK3S_PREPARE, + CPUHP_ZCOMP_PREPARE, +- CPUHP_TIMERS_DEAD, ++ CPUHP_TIMERS_PREPARE, + CPUHP_MIPS_SOC_PREPARE, + CPUHP_BP_PREPARE_DYN, + CPUHP_BP_PREPARE_DYN_END = CPUHP_BP_PREPARE_DYN + 20, +diff --git a/include/linux/timer.h b/include/linux/timer.h +index 04af640ea95b..2448f9cc48a3 100644 +--- a/include/linux/timer.h ++++ b/include/linux/timer.h +@@ -207,9 +207,11 @@ unsigned long round_jiffies_up(unsigned long j); + unsigned long round_jiffies_up_relative(unsigned long j); + + #ifdef CONFIG_HOTPLUG_CPU ++int timers_prepare_cpu(unsigned int cpu); + int timers_dead_cpu(unsigned int cpu); + #else +-#define timers_dead_cpu NULL ++#define timers_prepare_cpu NULL ++#define timers_dead_cpu NULL + #endif + + #endif +diff --git a/kernel/cpu.c b/kernel/cpu.c +index 41376c3ac93b..97858477e586 100644 +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -1277,9 +1277,9 @@ static struct cpuhp_step cpuhp_bp_states[] = { + * before blk_mq_queue_reinit_notify() from notify_dead(), + * otherwise a RCU stall occurs. + */ +- [CPUHP_TIMERS_DEAD] = { ++ [CPUHP_TIMERS_PREPARE] = { + .name = "timers:dead", +- .startup.single = NULL, ++ .startup.single = timers_prepare_cpu, + .teardown.single = timers_dead_cpu, + }, + /* Kicks the plugged cpu into life */ +diff --git a/kernel/time/timer.c b/kernel/time/timer.c +index 19a9c3da7698..6be576e02209 100644 +--- a/kernel/time/timer.c ++++ b/kernel/time/timer.c +@@ -1853,6 +1853,21 @@ static void migrate_timer_list(struct timer_base *new_base, struct hlist_head *h + } + } + ++int timers_prepare_cpu(unsigned int cpu) ++{ ++ struct timer_base *base; ++ int b; ++ ++ for (b = 0; b < NR_BASES; b++) { ++ base = per_cpu_ptr(&timer_bases[b], cpu); ++ base->clk = jiffies; ++ base->next_expiry = base->clk + NEXT_TIMER_MAX_DELTA; ++ base->is_idle = false; ++ base->must_forward_clk = true; ++ } ++ return 0; ++} ++ + int timers_dead_cpu(unsigned int cpu) + { + struct timer_base *old_base; +-- +2.15.0 + diff --git a/queue/timers-Use-deferrable-base-independent-of-base-nohz_.patch b/queue/timers-Use-deferrable-base-independent-of-base-nohz_.patch new file mode 100644 index 0000000..9737ea5 --- /dev/null +++ b/queue/timers-Use-deferrable-base-independent-of-base-nohz_.patch @@ -0,0 +1,78 @@ +From ced6d5c11d3e7b342f1a80f908e6756ebd4b8ddd Mon Sep 17 00:00:00 2001 +From: Anna-Maria Gleixner <anna-maria@linutronix.de> +Date: Fri, 22 Dec 2017 15:51:12 +0100 +Subject: [PATCH] timers: Use deferrable base independent of base::nohz_active + +commit ced6d5c11d3e7b342f1a80f908e6756ebd4b8ddd upstream. + +During boot and before base::nohz_active is set in the timer bases, deferrable +timers are enqueued into the standard timer base. This works correctly as +long as base::nohz_active is false. + +Once it base::nohz_active is set and a timer which was enqueued before that +is accessed the lock selector code choses the lock of the deferred +base. This causes unlocked access to the standard base and in case the +timer is removed it does not clear the pending flag in the standard base +bitmap which causes get_next_timer_interrupt() to return bogus values. + +To prevent that, the deferrable timers must be enqueued in the deferrable +base, even when base::nohz_active is not set. Those deferrable timers also +need to be expired unconditional. + +Fixes: 500462a9de65 ("timers: Switch to a non-cascading wheel") +Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Reviewed-by: Frederic Weisbecker <fweisbec@gmail.com> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Sebastian Siewior <bigeasy@linutronix.de> +Cc: stable@vger.kernel.org +Cc: rt@linutronix.de +Cc: Paul McKenney <paulmck@linux.vnet.ibm.com> +Link: https://lkml.kernel.org/r/20171222145337.633328378@linutronix.de + +diff --git a/kernel/time/timer.c b/kernel/time/timer.c +index ffebcf878fba..19a9c3da7698 100644 +--- a/kernel/time/timer.c ++++ b/kernel/time/timer.c +@@ -823,11 +823,10 @@ static inline struct timer_base *get_timer_cpu_base(u32 tflags, u32 cpu) + struct timer_base *base = per_cpu_ptr(&timer_bases[BASE_STD], cpu); + + /* +- * If the timer is deferrable and nohz is active then we need to use +- * the deferrable base. ++ * If the timer is deferrable and NO_HZ_COMMON is set then we need ++ * to use the deferrable base. + */ +- if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && base->nohz_active && +- (tflags & TIMER_DEFERRABLE)) ++ if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && (tflags & TIMER_DEFERRABLE)) + base = per_cpu_ptr(&timer_bases[BASE_DEF], cpu); + return base; + } +@@ -837,11 +836,10 @@ static inline struct timer_base *get_timer_this_cpu_base(u32 tflags) + struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]); + + /* +- * If the timer is deferrable and nohz is active then we need to use +- * the deferrable base. ++ * If the timer is deferrable and NO_HZ_COMMON is set then we need ++ * to use the deferrable base. + */ +- if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && base->nohz_active && +- (tflags & TIMER_DEFERRABLE)) ++ if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && (tflags & TIMER_DEFERRABLE)) + base = this_cpu_ptr(&timer_bases[BASE_DEF]); + return base; + } +@@ -1684,7 +1682,7 @@ static __latent_entropy void run_timer_softirq(struct softirq_action *h) + base->must_forward_clk = false; + + __run_timers(base); +- if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && base->nohz_active) ++ if (IS_ENABLED(CONFIG_NO_HZ_COMMON)) + __run_timers(this_cpu_ptr(&timer_bases[BASE_DEF])); + } + +-- +2.15.0 + diff --git a/queue/tipc-fix-hanging-poll-for-stream-sockets.patch b/queue/tipc-fix-hanging-poll-for-stream-sockets.patch new file mode 100644 index 0000000..fb91e5d --- /dev/null +++ b/queue/tipc-fix-hanging-poll-for-stream-sockets.patch @@ -0,0 +1,43 @@ +From 517d7c79bdb39864e617960504bdc1aa560c75c6 Mon Sep 17 00:00:00 2001 +From: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@gmail.com> +Date: Thu, 28 Dec 2017 12:03:06 +0100 +Subject: [PATCH] tipc: fix hanging poll() for stream sockets + +commit 517d7c79bdb39864e617960504bdc1aa560c75c6 upstream. + +In commit 42b531de17d2f6 ("tipc: Fix missing connection request +handling"), we replaced unconditional wakeup() with condtional +wakeup for clients with flags POLLIN | POLLRDNORM | POLLRDBAND. + +This breaks the applications which do a connect followed by poll +with POLLOUT flag. These applications are not woken when the +connection is ESTABLISHED and hence sleep forever. + +In this commit, we fix it by including the POLLOUT event for +sockets in TIPC_CONNECTING state. + +Fixes: 42b531de17d2f6 ("tipc: Fix missing connection request handling") +Acked-by: Jon Maloy <jon.maloy@ericsson.com> +Signed-off-by: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/net/tipc/socket.c b/net/tipc/socket.c +index 41127d0b925e..3b4084480377 100644 +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -727,11 +727,11 @@ static unsigned int tipc_poll(struct file *file, struct socket *sock, + + switch (sk->sk_state) { + case TIPC_ESTABLISHED: ++ case TIPC_CONNECTING: + if (!tsk->cong_link_cnt && !tsk_conn_cong(tsk)) + revents |= POLLOUT; + /* fall thru' */ + case TIPC_LISTEN: +- case TIPC_CONNECTING: + if (!skb_queue_empty(&sk->sk_receive_queue)) + revents |= POLLIN | POLLRDNORM; + break; +-- +2.15.0 + diff --git a/queue/tracing-Fix-crash-when-it-fails-to-alloc-ring-buffer.patch b/queue/tracing-Fix-crash-when-it-fails-to-alloc-ring-buffer.patch new file mode 100644 index 0000000..1412ed1 --- /dev/null +++ b/queue/tracing-Fix-crash-when-it-fails-to-alloc-ring-buffer.patch @@ -0,0 +1,58 @@ +From 24f2aaf952ee0b59f31c3a18b8b36c9e3d3c2cf5 Mon Sep 17 00:00:00 2001 +From: Jing Xia <jing.xia@spreadtrum.com> +Date: Tue, 26 Dec 2017 15:12:53 +0800 +Subject: [PATCH] tracing: Fix crash when it fails to alloc ring buffer + +commit 24f2aaf952ee0b59f31c3a18b8b36c9e3d3c2cf5 upstream. + +Double free of the ring buffer happens when it fails to alloc new +ring buffer instance for max_buffer if TRACER_MAX_TRACE is configured. +The root cause is that the pointer is not set to NULL after the buffer +is freed in allocate_trace_buffers(), and the freeing of the ring +buffer is invoked again later if the pointer is not equal to Null, +as: + +instance_mkdir() + |-allocate_trace_buffers() + |-allocate_trace_buffer(tr, &tr->trace_buffer...) + |-allocate_trace_buffer(tr, &tr->max_buffer...) + + // allocate fail(-ENOMEM),first free + // and the buffer pointer is not set to null + |-ring_buffer_free(tr->trace_buffer.buffer) + + // out_free_tr + |-free_trace_buffers() + |-free_trace_buffer(&tr->trace_buffer); + + //if trace_buffer is not null, free again + |-ring_buffer_free(buf->buffer) + |-rb_free_cpu_buffer(buffer->buffers[cpu]) + // ring_buffer_per_cpu is null, and + // crash in ring_buffer_per_cpu->pages + +Link: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com + +Cc: stable@vger.kernel.org +Fixes: 737223fbca3b1 ("tracing: Consolidate buffer allocation code") +Signed-off-by: Jing Xia <jing.xia@spreadtrum.com> +Signed-off-by: Chunyan Zhang <chunyan.zhang@spreadtrum.com> +Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 73652d5318b2..0e53d46544b8 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -7603,7 +7603,9 @@ static int allocate_trace_buffers(struct trace_array *tr, int size) + allocate_snapshot ? size : 1); + if (WARN_ON(ret)) { + ring_buffer_free(tr->trace_buffer.buffer); ++ tr->trace_buffer.buffer = NULL; + free_percpu(tr->trace_buffer.data); ++ tr->trace_buffer.data = NULL; + return -ENOMEM; + } + tr->allocated_snapshot = allocate_snapshot; +-- +2.15.0 + diff --git a/queue/tracing-Fix-possible-double-free-on-failure-of-alloc.patch b/queue/tracing-Fix-possible-double-free-on-failure-of-alloc.patch new file mode 100644 index 0000000..1917a9e --- /dev/null +++ b/queue/tracing-Fix-possible-double-free-on-failure-of-alloc.patch @@ -0,0 +1,37 @@ +From 4397f04575c44e1440ec2e49b6302785c95fd2f8 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" <rostedt@goodmis.org> +Date: Tue, 26 Dec 2017 20:07:34 -0500 +Subject: [PATCH] tracing: Fix possible double free on failure of allocating + trace buffer + +commit 4397f04575c44e1440ec2e49b6302785c95fd2f8 upstream. + +Jing Xia and Chunyan Zhang reported that on failing to allocate part of the +tracing buffer, memory is freed, but the pointers that point to them are not +initialized back to NULL, and later paths may try to free the freed memory +again. Jing and Chunyan fixed one of the locations that does this, but +missed a spot. + +Link: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com + +Cc: stable@vger.kernel.org +Fixes: 737223fbca3b1 ("tracing: Consolidate buffer allocation code") +Reported-by: Jing Xia <jing.xia@spreadtrum.com> +Reported-by: Chunyan Zhang <chunyan.zhang@spreadtrum.com> +Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 0e53d46544b8..2a8d8a294345 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -7580,6 +7580,7 @@ allocate_trace_buffer(struct trace_array *tr, struct trace_buffer *buf, int size + buf->data = alloc_percpu(struct trace_array_cpu); + if (!buf->data) { + ring_buffer_free(buf->buffer); ++ buf->buffer = NULL; + return -ENOMEM; + } + +-- +2.15.0 + diff --git a/queue/tracing-Remove-extra-zeroing-out-of-the-ring-buffer-.patch b/queue/tracing-Remove-extra-zeroing-out-of-the-ring-buffer-.patch new file mode 100644 index 0000000..cd78b75 --- /dev/null +++ b/queue/tracing-Remove-extra-zeroing-out-of-the-ring-buffer-.patch @@ -0,0 +1,48 @@ +From 6b7e633fe9c24682df550e5311f47fb524701586 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" <rostedt@goodmis.org> +Date: Fri, 22 Dec 2017 20:38:57 -0500 +Subject: [PATCH] tracing: Remove extra zeroing out of the ring buffer page + +commit 6b7e633fe9c24682df550e5311f47fb524701586 upstream. + +The ring_buffer_read_page() takes care of zeroing out any extra data in the +page that it returns. There's no need to zero it out again from the +consumer. It was removed from one consumer of this function, but +read_buffers_splice_read() did not remove it, and worse, it contained a +nasty bug because of it. + +Cc: stable@vger.kernel.org +Fixes: 2711ca237a084 ("ring-buffer: Move zeroing out excess in page to ring buffer code") +Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org> + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 59518b8126d0..73652d5318b2 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -6769,7 +6769,7 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos, + .spd_release = buffer_spd_release, + }; + struct buffer_ref *ref; +- int entries, size, i; ++ int entries, i; + ssize_t ret = 0; + + #ifdef CONFIG_TRACER_MAX_TRACE +@@ -6823,14 +6823,6 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos, + break; + } + +- /* +- * zero out any left over data, this is going to +- * user land. +- */ +- size = ring_buffer_page_len(ref->page); +- if (size < PAGE_SIZE) +- memset(ref->page + size, 0, PAGE_SIZE - size); +- + page = virt_to_page(ref->page); + + spd.pages[i] = page; +-- +2.15.0 + diff --git a/queue/tty-fix-tty_ldisc_receive_buf-documentation.patch b/queue/tty-fix-tty_ldisc_receive_buf-documentation.patch new file mode 100644 index 0000000..b6ef1d7 --- /dev/null +++ b/queue/tty-fix-tty_ldisc_receive_buf-documentation.patch @@ -0,0 +1,30 @@ +From e7e51dcf3b8a5f65c5653a054ad57eb2492a90d0 Mon Sep 17 00:00:00 2001 +From: Johan Hovold <johan@kernel.org> +Date: Fri, 3 Nov 2017 15:18:05 +0100 +Subject: [PATCH] tty: fix tty_ldisc_receive_buf() documentation + +commit e7e51dcf3b8a5f65c5653a054ad57eb2492a90d0 upstream. + +The tty_ldisc_receive_buf() helper returns the number of bytes +processed so drop the bogus "not" from the kernel doc comment. + +Fixes: 8d082cd300ab ("tty: Unify receive_buf() code paths") +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c +index f8eba1c5412f..677fa99b7747 100644 +--- a/drivers/tty/tty_buffer.c ++++ b/drivers/tty/tty_buffer.c +@@ -446,7 +446,7 @@ EXPORT_SYMBOL_GPL(tty_prepare_flip_string); + * Callers other than flush_to_ldisc() need to exclude the kworker + * from concurrent use of the line discipline, see paste_selection(). + * +- * Returns the number of bytes not processed ++ * Returns the number of bytes processed + */ + int tty_ldisc_receive_buf(struct tty_ldisc *ld, const unsigned char *p, + char *f, int count) +-- +2.15.0 + diff --git a/queue/usb-Add-device-quirk-for-Logitech-HD-Pro-Webcam-C925.patch b/queue/usb-Add-device-quirk-for-Logitech-HD-Pro-Webcam-C925.patch new file mode 100644 index 0000000..52007df --- /dev/null +++ b/queue/usb-Add-device-quirk-for-Logitech-HD-Pro-Webcam-C925.patch @@ -0,0 +1,40 @@ +From 7f038d256c723dd390d2fca942919573995f4cfd Mon Sep 17 00:00:00 2001 +From: Dmitry Fleytman Dmitry Fleytman <dmitry.fleytman@gmail.com> +Date: Tue, 19 Dec 2017 06:02:04 +0200 +Subject: [PATCH] usb: Add device quirk for Logitech HD Pro Webcam C925e + +commit 7f038d256c723dd390d2fca942919573995f4cfd upstream. + +Commit e0429362ab15 +("usb: Add device quirk for Logitech HD Pro Webcams C920 and C930e") +introduced quirk to workaround an issue with some Logitech webcams. + +There is one more model that has the same issue - C925e, so applying +the same quirk as well. + +See aforementioned commit message for detailed explanation of the problem. + +Signed-off-by: Dmitry Fleytman <dmitry.fleytman@gmail.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 95812656d9b9..4024926c1d68 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -52,10 +52,11 @@ static const struct usb_device_id usb_quirk_list[] = { + /* Microsoft LifeCam-VX700 v2.0 */ + { USB_DEVICE(0x045e, 0x0770), .driver_info = USB_QUIRK_RESET_RESUME }, + +- /* Logitech HD Pro Webcams C920, C920-C and C930e */ ++ /* Logitech HD Pro Webcams C920, C920-C, C925e and C930e */ + { USB_DEVICE(0x046d, 0x082d), .driver_info = USB_QUIRK_DELAY_INIT }, + { USB_DEVICE(0x046d, 0x0841), .driver_info = USB_QUIRK_DELAY_INIT }, + { USB_DEVICE(0x046d, 0x0843), .driver_info = USB_QUIRK_DELAY_INIT }, ++ { USB_DEVICE(0x046d, 0x085b), .driver_info = USB_QUIRK_DELAY_INIT }, + + /* Logitech ConferenceCam CC3000e */ + { USB_DEVICE(0x046d, 0x0847), .driver_info = USB_QUIRK_DELAY_INIT }, +-- +2.15.0 + diff --git a/queue/usb-add-RESET_RESUME-for-ELSA-MicroLink-56K.patch b/queue/usb-add-RESET_RESUME-for-ELSA-MicroLink-56K.patch new file mode 100644 index 0000000..a11a120 --- /dev/null +++ b/queue/usb-add-RESET_RESUME-for-ELSA-MicroLink-56K.patch @@ -0,0 +1,31 @@ +From b9096d9f15c142574ebebe8fbb137012bb9d99c2 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum <oneukum@suse.com> +Date: Tue, 12 Dec 2017 16:11:30 +0100 +Subject: [PATCH] usb: add RESET_RESUME for ELSA MicroLink 56K + +commit b9096d9f15c142574ebebe8fbb137012bb9d99c2 upstream. + +This modem needs this quirk to operate. It produces timeouts when +resumed without reset. + +Signed-off-by: Oliver Neukum <oneukum@suse.com> +CC: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index a10b346b9777..95812656d9b9 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -149,6 +149,9 @@ static const struct usb_device_id usb_quirk_list[] = { + /* Genesys Logic hub, internally used by KY-688 USB 3.1 Type-C Hub */ + { USB_DEVICE(0x05e3, 0x0612), .driver_info = USB_QUIRK_NO_LPM }, + ++ /* ELSA MicroLink 56K */ ++ { USB_DEVICE(0x05cc, 0x2267), .driver_info = USB_QUIRK_RESET_RESUME }, ++ + /* Genesys Logic hub, internally used by Moshi USB to Ethernet Adapter */ + { USB_DEVICE(0x05e3, 0x0616), .driver_info = USB_QUIRK_NO_LPM }, + +-- +2.15.0 + diff --git a/queue/usb-xhci-Add-XHCI_TRUST_TX_LENGTH-for-Renesas-uPD720.patch b/queue/usb-xhci-Add-XHCI_TRUST_TX_LENGTH-for-Renesas-uPD720.patch new file mode 100644 index 0000000..1e5a9f8 --- /dev/null +++ b/queue/usb-xhci-Add-XHCI_TRUST_TX_LENGTH-for-Renesas-uPD720.patch @@ -0,0 +1,38 @@ +From da99706689481717998d1d48edd389f339eea979 Mon Sep 17 00:00:00 2001 +From: Daniel Thompson <daniel.thompson@linaro.org> +Date: Thu, 21 Dec 2017 15:06:15 +0200 +Subject: [PATCH] usb: xhci: Add XHCI_TRUST_TX_LENGTH for Renesas uPD720201 + +commit da99706689481717998d1d48edd389f339eea979 upstream. + +When plugging in a USB webcam I see the following message: +xhci_hcd 0000:04:00.0: WARN Successful completion on short TX: needs +XHCI_TRUST_TX_LENGTH quirk? +handle_tx_event: 913 callbacks suppressed + +All is quiet again with this patch (and I've done a fair but of soak +testing with the camera since). + +Cc: <stable@vger.kernel.org> +Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org> +Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> +Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c +index 7ef1274ef7f7..1aad89b8aba0 100644 +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -177,6 +177,9 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) + xhci->quirks |= XHCI_TRUST_TX_LENGTH; + xhci->quirks |= XHCI_BROKEN_STREAMS; + } ++ if (pdev->vendor == PCI_VENDOR_ID_RENESAS && ++ pdev->device == 0x0014) ++ xhci->quirks |= XHCI_TRUST_TX_LENGTH; + if (pdev->vendor == PCI_VENDOR_ID_RENESAS && + pdev->device == 0x0015) + xhci->quirks |= XHCI_RESET_ON_RESUME; +-- +2.15.0 + diff --git a/queue/usbip-fix-usbip-bind-writing-random-string-after-com.patch b/queue/usbip-fix-usbip-bind-writing-random-string-after-com.patch new file mode 100644 index 0000000..dc6b665 --- /dev/null +++ b/queue/usbip-fix-usbip-bind-writing-random-string-after-com.patch @@ -0,0 +1,50 @@ +From 544c4605acc5ae4afe7dd5914147947db182f2fb Mon Sep 17 00:00:00 2001 +From: Juan Zea <juan.zea@qindel.com> +Date: Fri, 15 Dec 2017 10:21:20 +0100 +Subject: [PATCH] usbip: fix usbip bind writing random string after command in + match_busid + +commit 544c4605acc5ae4afe7dd5914147947db182f2fb upstream. + +usbip bind writes commands followed by random string when writing to +match_busid attribute in sysfs, caused by using full variable size +instead of string length. + +Signed-off-by: Juan Zea <juan.zea@qindel.com> +Acked-by: Shuah Khan <shuahkh@osg.samsung.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/tools/usb/usbip/src/utils.c b/tools/usb/usbip/src/utils.c +index 2b3d6d235015..3d7b42e77299 100644 +--- a/tools/usb/usbip/src/utils.c ++++ b/tools/usb/usbip/src/utils.c +@@ -30,6 +30,7 @@ int modify_match_busid(char *busid, int add) + char command[SYSFS_BUS_ID_SIZE + 4]; + char match_busid_attr_path[SYSFS_PATH_MAX]; + int rc; ++ int cmd_size; + + snprintf(match_busid_attr_path, sizeof(match_busid_attr_path), + "%s/%s/%s/%s/%s/%s", SYSFS_MNT_PATH, SYSFS_BUS_NAME, +@@ -37,12 +38,14 @@ int modify_match_busid(char *busid, int add) + attr_name); + + if (add) +- snprintf(command, SYSFS_BUS_ID_SIZE + 4, "add %s", busid); ++ cmd_size = snprintf(command, SYSFS_BUS_ID_SIZE + 4, "add %s", ++ busid); + else +- snprintf(command, SYSFS_BUS_ID_SIZE + 4, "del %s", busid); ++ cmd_size = snprintf(command, SYSFS_BUS_ID_SIZE + 4, "del %s", ++ busid); + + rc = write_sysfs_attribute(match_busid_attr_path, command, +- sizeof(command)); ++ cmd_size); + if (rc < 0) { + dbg("failed to write match_busid: %s", strerror(errno)); + return -1; +-- +2.15.0 + diff --git a/queue/usbip-prevent-leaking-socket-pointer-address-in-mess.patch b/queue/usbip-prevent-leaking-socket-pointer-address-in-mess.patch new file mode 100644 index 0000000..f8296e2 --- /dev/null +++ b/queue/usbip-prevent-leaking-socket-pointer-address-in-mess.patch @@ -0,0 +1,81 @@ +From 90120d15f4c397272aaf41077960a157fc4212bf Mon Sep 17 00:00:00 2001 +From: Shuah Khan <shuahkh@osg.samsung.com> +Date: Fri, 15 Dec 2017 10:50:09 -0700 +Subject: [PATCH] usbip: prevent leaking socket pointer address in messages + +commit 90120d15f4c397272aaf41077960a157fc4212bf upstream. + +usbip driver is leaking socket pointer address in messages. Remove +the messages that aren't useful and print sockfd in the ones that +are useful for debugging. + +Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c +index a3df8ee82faf..e31a6f204397 100644 +--- a/drivers/usb/usbip/stub_dev.c ++++ b/drivers/usb/usbip/stub_dev.c +@@ -149,8 +149,7 @@ static void stub_shutdown_connection(struct usbip_device *ud) + * step 1? + */ + if (ud->tcp_socket) { +- dev_dbg(&sdev->udev->dev, "shutdown tcp_socket %p\n", +- ud->tcp_socket); ++ dev_dbg(&sdev->udev->dev, "shutdown sockfd %d\n", ud->sockfd); + kernel_sock_shutdown(ud->tcp_socket, SHUT_RDWR); + } + +diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c +index f7978933b402..7b219d9109b4 100644 +--- a/drivers/usb/usbip/usbip_common.c ++++ b/drivers/usb/usbip/usbip_common.c +@@ -317,26 +317,20 @@ int usbip_recv(struct socket *sock, void *buf, int size) + struct msghdr msg = {.msg_flags = MSG_NOSIGNAL}; + int total = 0; + ++ if (!sock || !buf || !size) ++ return -EINVAL; ++ + iov_iter_kvec(&msg.msg_iter, READ|ITER_KVEC, &iov, 1, size); + + usbip_dbg_xmit("enter\n"); + +- if (!sock || !buf || !size) { +- pr_err("invalid arg, sock %p buff %p size %d\n", sock, buf, +- size); +- return -EINVAL; +- } +- + do { +- int sz = msg_data_left(&msg); ++ msg_data_left(&msg); + sock->sk->sk_allocation = GFP_NOIO; + + result = sock_recvmsg(sock, &msg, MSG_WAITALL); +- if (result <= 0) { +- pr_debug("receive sock %p buf %p size %u ret %d total %d\n", +- sock, buf + total, sz, result, total); ++ if (result <= 0) + goto err; +- } + + total += result; + } while (msg_data_left(&msg)); +diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c +index 9efab3dc3734..c3e1008aa491 100644 +--- a/drivers/usb/usbip/vhci_hcd.c ++++ b/drivers/usb/usbip/vhci_hcd.c +@@ -965,7 +965,7 @@ static void vhci_shutdown_connection(struct usbip_device *ud) + + /* need this? see stub_dev.c */ + if (ud->tcp_socket) { +- pr_debug("shutdown tcp_socket %p\n", ud->tcp_socket); ++ pr_debug("shutdown tcp_socket %d\n", ud->sockfd); + kernel_sock_shutdown(ud->tcp_socket, SHUT_RDWR); + } + +-- +2.15.0 + diff --git a/queue/usbip-stub-stop-printing-kernel-pointer-addresses-in.patch b/queue/usbip-stub-stop-printing-kernel-pointer-addresses-in.patch new file mode 100644 index 0000000..a5b20ef --- /dev/null +++ b/queue/usbip-stub-stop-printing-kernel-pointer-addresses-in.patch @@ -0,0 +1,86 @@ +From 248a22044366f588d46754c54dfe29ffe4f8b4df Mon Sep 17 00:00:00 2001 +From: Shuah Khan <shuahkh@osg.samsung.com> +Date: Mon, 18 Dec 2017 17:23:37 -0700 +Subject: [PATCH] usbip: stub: stop printing kernel pointer addresses in + messages + +commit 248a22044366f588d46754c54dfe29ffe4f8b4df upstream. + +Remove and/or change debug, info. and error messages to not print +kernel pointer addresses. + +Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/usbip/stub_main.c b/drivers/usb/usbip/stub_main.c +index 4f48b306713f..c31c8402a0c5 100644 +--- a/drivers/usb/usbip/stub_main.c ++++ b/drivers/usb/usbip/stub_main.c +@@ -237,11 +237,12 @@ void stub_device_cleanup_urbs(struct stub_device *sdev) + struct stub_priv *priv; + struct urb *urb; + +- dev_dbg(&sdev->udev->dev, "free sdev %p\n", sdev); ++ dev_dbg(&sdev->udev->dev, "Stub device cleaning up urbs\n"); + + while ((priv = stub_priv_pop(sdev))) { + urb = priv->urb; +- dev_dbg(&sdev->udev->dev, "free urb %p\n", urb); ++ dev_dbg(&sdev->udev->dev, "free urb seqnum %lu\n", ++ priv->seqnum); + usb_kill_urb(urb); + + kmem_cache_free(stub_priv_cache, priv); +diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c +index 493ac2928391..2f29be474098 100644 +--- a/drivers/usb/usbip/stub_rx.c ++++ b/drivers/usb/usbip/stub_rx.c +@@ -211,9 +211,6 @@ static int stub_recv_cmd_unlink(struct stub_device *sdev, + if (priv->seqnum != pdu->u.cmd_unlink.seqnum) + continue; + +- dev_info(&priv->urb->dev->dev, "unlink urb %p\n", +- priv->urb); +- + /* + * This matched urb is not completed yet (i.e., be in + * flight in usb hcd hardware/driver). Now we are +@@ -252,8 +249,8 @@ static int stub_recv_cmd_unlink(struct stub_device *sdev, + ret = usb_unlink_urb(priv->urb); + if (ret != -EINPROGRESS) + dev_err(&priv->urb->dev->dev, +- "failed to unlink a urb %p, ret %d\n", +- priv->urb, ret); ++ "failed to unlink a urb # %lu, ret %d\n", ++ priv->seqnum, ret); + + return 0; + } +diff --git a/drivers/usb/usbip/stub_tx.c b/drivers/usb/usbip/stub_tx.c +index 53172b1f6257..f0ec41a50cbc 100644 +--- a/drivers/usb/usbip/stub_tx.c ++++ b/drivers/usb/usbip/stub_tx.c +@@ -88,7 +88,7 @@ void stub_complete(struct urb *urb) + /* link a urb to the queue of tx. */ + spin_lock_irqsave(&sdev->priv_lock, flags); + if (sdev->ud.tcp_socket == NULL) { +- usbip_dbg_stub_tx("ignore urb for closed connection %p", urb); ++ usbip_dbg_stub_tx("ignore urb for closed connection\n"); + /* It will be freed in stub_device_cleanup_urbs(). */ + } else if (priv->unlinking) { + stub_enqueue_ret_unlink(sdev, priv->seqnum, urb->status); +@@ -190,8 +190,8 @@ static int stub_send_ret_submit(struct stub_device *sdev) + + /* 1. setup usbip_header */ + setup_ret_submit_pdu(&pdu_header, urb); +- usbip_dbg_stub_tx("setup txdata seqnum: %d urb: %p\n", +- pdu_header.base.seqnum, urb); ++ usbip_dbg_stub_tx("setup txdata seqnum: %d\n", ++ pdu_header.base.seqnum); + usbip_header_correct_endian(&pdu_header, 1); + + iov[iovnum].iov_base = &pdu_header; +-- +2.15.0 + diff --git a/queue/usbip-vhci-stop-printing-kernel-pointer-addresses-in.patch b/queue/usbip-vhci-stop-printing-kernel-pointer-addresses-in.patch new file mode 100644 index 0000000..8e4143e --- /dev/null +++ b/queue/usbip-vhci-stop-printing-kernel-pointer-addresses-in.patch @@ -0,0 +1,146 @@ +From 8272d099d05f7ab2776cf56a2ab9f9443be18907 Mon Sep 17 00:00:00 2001 +From: Shuah Khan <shuahkh@osg.samsung.com> +Date: Mon, 18 Dec 2017 17:24:22 -0700 +Subject: [PATCH] usbip: vhci: stop printing kernel pointer addresses in + messages + +commit 8272d099d05f7ab2776cf56a2ab9f9443be18907 upstream. + +Remove and/or change debug, info. and error messages to not print +kernel pointer addresses. + +Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c +index 6b3278c4b72a..9efab3dc3734 100644 +--- a/drivers/usb/usbip/vhci_hcd.c ++++ b/drivers/usb/usbip/vhci_hcd.c +@@ -656,9 +656,6 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag + struct vhci_device *vdev; + unsigned long flags; + +- usbip_dbg_vhci_hc("enter, usb_hcd %p urb %p mem_flags %d\n", +- hcd, urb, mem_flags); +- + if (portnum > VHCI_HC_PORTS) { + pr_err("invalid port number %d\n", portnum); + return -ENODEV; +@@ -822,8 +819,6 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status) + struct vhci_device *vdev; + unsigned long flags; + +- pr_info("dequeue a urb %p\n", urb); +- + spin_lock_irqsave(&vhci->lock, flags); + + priv = urb->hcpriv; +@@ -851,7 +846,6 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status) + /* tcp connection is closed */ + spin_lock(&vdev->priv_lock); + +- pr_info("device %p seems to be disconnected\n", vdev); + list_del(&priv->list); + kfree(priv); + urb->hcpriv = NULL; +@@ -863,8 +857,6 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status) + * vhci_rx will receive RET_UNLINK and give back the URB. + * Otherwise, we give back it here. + */ +- pr_info("gives back urb %p\n", urb); +- + usb_hcd_unlink_urb_from_ep(hcd, urb); + + spin_unlock_irqrestore(&vhci->lock, flags); +@@ -892,8 +884,6 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status) + + unlink->unlink_seqnum = priv->seqnum; + +- pr_info("device %p seems to be still connected\n", vdev); +- + /* send cmd_unlink and try to cancel the pending URB in the + * peer */ + list_add_tail(&unlink->list, &vdev->unlink_tx); +diff --git a/drivers/usb/usbip/vhci_rx.c b/drivers/usb/usbip/vhci_rx.c +index 90577e8b2282..112ebb90d8c9 100644 +--- a/drivers/usb/usbip/vhci_rx.c ++++ b/drivers/usb/usbip/vhci_rx.c +@@ -23,24 +23,23 @@ struct urb *pickup_urb_and_free_priv(struct vhci_device *vdev, __u32 seqnum) + urb = priv->urb; + status = urb->status; + +- usbip_dbg_vhci_rx("find urb %p vurb %p seqnum %u\n", +- urb, priv, seqnum); ++ usbip_dbg_vhci_rx("find urb seqnum %u\n", seqnum); + + switch (status) { + case -ENOENT: + /* fall through */ + case -ECONNRESET: +- dev_info(&urb->dev->dev, +- "urb %p was unlinked %ssynchronuously.\n", urb, +- status == -ENOENT ? "" : "a"); ++ dev_dbg(&urb->dev->dev, ++ "urb seq# %u was unlinked %ssynchronuously\n", ++ seqnum, status == -ENOENT ? "" : "a"); + break; + case -EINPROGRESS: + /* no info output */ + break; + default: +- dev_info(&urb->dev->dev, +- "urb %p may be in a error, status %d\n", urb, +- status); ++ dev_dbg(&urb->dev->dev, ++ "urb seq# %u may be in a error, status %d\n", ++ seqnum, status); + } + + list_del(&priv->list); +@@ -67,8 +66,8 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev, + spin_unlock_irqrestore(&vdev->priv_lock, flags); + + if (!urb) { +- pr_err("cannot find a urb of seqnum %u\n", pdu->base.seqnum); +- pr_info("max seqnum %d\n", ++ pr_err("cannot find a urb of seqnum %u max seqnum %d\n", ++ pdu->base.seqnum, + atomic_read(&vhci_hcd->seqnum)); + usbip_event_add(ud, VDEV_EVENT_ERROR_TCP); + return; +@@ -91,7 +90,7 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev, + if (usbip_dbg_flag_vhci_rx) + usbip_dump_urb(urb); + +- usbip_dbg_vhci_rx("now giveback urb %p\n", urb); ++ usbip_dbg_vhci_rx("now giveback urb %u\n", pdu->base.seqnum); + + spin_lock_irqsave(&vhci->lock, flags); + usb_hcd_unlink_urb_from_ep(vhci_hcd_to_hcd(vhci_hcd), urb); +@@ -158,7 +157,7 @@ static void vhci_recv_ret_unlink(struct vhci_device *vdev, + pr_info("the urb (seqnum %d) was already given back\n", + pdu->base.seqnum); + } else { +- usbip_dbg_vhci_rx("now giveback urb %p\n", urb); ++ usbip_dbg_vhci_rx("now giveback urb %d\n", pdu->base.seqnum); + + /* If unlink is successful, status is -ECONNRESET */ + urb->status = pdu->u.ret_unlink.status; +diff --git a/drivers/usb/usbip/vhci_tx.c b/drivers/usb/usbip/vhci_tx.c +index d625a2ff4b71..9aed15a358b7 100644 +--- a/drivers/usb/usbip/vhci_tx.c ++++ b/drivers/usb/usbip/vhci_tx.c +@@ -69,7 +69,8 @@ static int vhci_send_cmd_submit(struct vhci_device *vdev) + memset(&msg, 0, sizeof(msg)); + memset(&iov, 0, sizeof(iov)); + +- usbip_dbg_vhci_tx("setup txdata urb %p\n", urb); ++ usbip_dbg_vhci_tx("setup txdata urb seqnum %lu\n", ++ priv->seqnum); + + /* 1. setup usbip_header */ + setup_cmd_submit_pdu(&pdu_header, urb); +-- +2.15.0 + diff --git a/queue/vxlan-restore-dev-mtu-setting-based-on-lower-device.patch b/queue/vxlan-restore-dev-mtu-setting-based-on-lower-device.patch new file mode 100644 index 0000000..37ba610 --- /dev/null +++ b/queue/vxlan-restore-dev-mtu-setting-based-on-lower-device.patch @@ -0,0 +1,56 @@ +From f870c1ff65a6d1f3a083f277280802ee09a5b44d Mon Sep 17 00:00:00 2001 +From: Alexey Kodanev <alexey.kodanev@oracle.com> +Date: Thu, 14 Dec 2017 20:20:00 +0300 +Subject: [PATCH] vxlan: restore dev->mtu setting based on lower device + +commit f870c1ff65a6d1f3a083f277280802ee09a5b44d upstream. + +Stefano Brivio says: + Commit a985343ba906 ("vxlan: refactor verification and + application of configuration") introduced a change in the + behaviour of initial MTU setting: earlier, the MTU for a link + created on top of a given lower device, without an initial MTU + specification, was set to the MTU of the lower device minus + headroom as a result of this path in vxlan_dev_configure(): + + if (!conf->mtu) + dev->mtu = lowerdev->mtu - + (use_ipv6 ? VXLAN6_HEADROOM : VXLAN_HEADROOM); + + which is now gone. Now, the initial MTU, in absence of a + configured value, is simply set by ether_setup() to ETH_DATA_LEN + (1500 bytes). + + This breaks userspace expectations in case the MTU of + the lower device is higher than 1500 bytes minus headroom. + +This patch restores the previous behaviour on newlink operation. Since +max_mtu can be negative and we update dev->mtu directly, also check it +for valid minimum. + +Reported-by: Junhan Yan <juyan@redhat.com> +Fixes: a985343ba906 ("vxlan: refactor verification and application of configuration") +Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com> +Acked-by: Stefano Brivio <sbrivio@redhat.com> +Signed-off-by: Stefano Brivio <sbrivio@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> + +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c +index 19b9cc51079e..1000b0e4ee01 100644 +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -3103,6 +3103,11 @@ static void vxlan_config_apply(struct net_device *dev, + + max_mtu = lowerdev->mtu - (use_ipv6 ? VXLAN6_HEADROOM : + VXLAN_HEADROOM); ++ if (max_mtu < ETH_MIN_MTU) ++ max_mtu = ETH_MIN_MTU; ++ ++ if (!changelink && !conf->mtu) ++ dev->mtu = max_mtu; + } + + if (dev->mtu > max_mtu) +-- +2.15.0 + diff --git a/queue/x86-32-Fix-kexec-with-stack-canary-CONFIG_CC_STACKPR.patch b/queue/x86-32-Fix-kexec-with-stack-canary-CONFIG_CC_STACKPR.patch new file mode 100644 index 0000000..a9916c6 --- /dev/null +++ b/queue/x86-32-Fix-kexec-with-stack-canary-CONFIG_CC_STACKPR.patch @@ -0,0 +1,84 @@ +From ac461122c88a10b7d775de2f56467f097c9e627a Mon Sep 17 00:00:00 2001 +From: Linus Torvalds <torvalds@linux-foundation.org> +Date: Wed, 27 Dec 2017 11:48:50 -0800 +Subject: [PATCH] x86-32: Fix kexec with stack canary + (CONFIG_CC_STACKPROTECTOR) + +commit ac461122c88a10b7d775de2f56467f097c9e627a upstream. + +Commit e802a51ede91 ("x86/idt: Consolidate IDT invalidation") cleaned up +and unified the IDT invalidation that existed in a couple of places. It +changed no actual real code. + +Despite not changing any actual real code, it _did_ change code generation: +by implementing the common idt_invalidate() function in +archx86/kernel/idt.c, it made the use of the function in +arch/x86/kernel/machine_kexec_32.c be a real function call rather than an +(accidental) inlining of the function. + +That, in turn, exposed two issues: + + - in load_segments(), we had incorrectly reset all the segment + registers, which then made the stack canary load (which gcc does + using offset of %gs) cause a trap. Instead of %gs pointing to the + stack canary, it will be the normal zero-based kernel segment, and + the stack canary load will take a page fault at address 0x14. + + - to make this even harder to debug, we had invalidated the GDT just + before calling idt_invalidate(), which meant that the fault happened + with an invalid GDT, which in turn causes a triple fault and + immediate reboot. + +Fix this by + + (a) not reloading the special segments in load_segments(). We currently + don't do any percpu accesses (which would require %fs on x86-32) in + this area, but there's no reason to think that we might not want to + do them, and like %gs, it's pointless to break it. + + (b) doing idt_invalidate() before invalidating the GDT, to keep things + at least _slightly_ more debuggable for a bit longer. Without a + IDT, traps will not work. Without a GDT, traps also will not work, + but neither will any segment loads etc. So in a very real sense, + the GDT is even more core than the IDT. + +Fixes: e802a51ede91 ("x86/idt: Consolidate IDT invalidation") +Reported-and-tested-by: Alexandru Chirvasitu <achirvasub@gmail.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Cc: Denys Vlasenko <dvlasenk@redhat.com> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Brian Gerst <brgerst@gmail.com> +Cc: Steven Rostedt <rostedt@goodmis.org> +Cc: Borislav Petkov <bp@alien8.de> +Cc: Andy Lutomirski <luto@kernel.org> +Cc: Josh Poimboeuf <jpoimboe@redhat.com> +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/alpine.LFD.2.21.1712271143180.8572@i7.lan + +diff --git a/arch/x86/kernel/machine_kexec_32.c b/arch/x86/kernel/machine_kexec_32.c +index 00bc751c861c..edfede768688 100644 +--- a/arch/x86/kernel/machine_kexec_32.c ++++ b/arch/x86/kernel/machine_kexec_32.c +@@ -48,8 +48,6 @@ static void load_segments(void) + "\tmovl $"STR(__KERNEL_DS)",%%eax\n" + "\tmovl %%eax,%%ds\n" + "\tmovl %%eax,%%es\n" +- "\tmovl %%eax,%%fs\n" +- "\tmovl %%eax,%%gs\n" + "\tmovl %%eax,%%ss\n" + : : : "eax", "memory"); + #undef STR +@@ -232,8 +230,8 @@ void machine_kexec(struct kimage *image) + * The gdt & idt are now invalid. + * If you want to load them you must set up your own idt & gdt. + */ +- set_gdt(phys_to_virt(0), 0); + idt_invalidate(phys_to_virt(0)); ++ set_gdt(phys_to_virt(0), 0); + + /* now call it */ + image->start = relocate_kernel_ptr((unsigned long)image->head, +-- +2.15.0 + |