kernel: bump 4.14 to 4.14.59

Drop patch that was superseded upstream: ramips/0036-mtd-fix-cfi-cmdset-0002-erase-status-check.patch Drop upstreamed patches: - apm821xx/020-0001-crypto-crypto4xx-remove-bad-list_del.patch - apm821xx/020-0011-crypto-crypto4xx-fix-crypto4xx_build_pdr-crypto4xx_b.patch - ath79/0011-MIPS-ath79-fix-register-address-in-ath79_ddr_wb_flus.patch - brcm63xx/001-4.15-08-bcm63xx_enet-correct-clock-usage.patch - brcm63xx/001-4.15-09-bcm63xx_enet-do-not-write-to-random-DMA-channel-on-B.patch - generic/backport/080-net-convert-sock.sk_wmem_alloc-from-atomic_t-to-refc.patch - generic/pending/170-usb-dwc2-Fix-DMA-alignment-to-start-at-allocated-boun.patch - generic/pending/900-gen_stats-fix-netlink-stats-padding.patch In 4.14.55, a patch was introduced that breaks ext4 images in some cases. The newly introduced patch backport-4.14/500-ext4-fix-check-to-prevent-initializing-reserved-inod.patch addresses this breakage. Fixes the following CVEs: - CVE-2018-10876 - CVE-2018-10877 - CVE-2018-10879 - CVE-2018-10880 - CVE-2018-10881 - CVE-2018-10882 - CVE-2018-10883 Compile-tested: ath79, octeon, x86/64 Runtime-tested: ath79, octeon, x86/64 Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
author: Stijn Tintel <stijn@linux-ipv6.be> 2018-07-31 05:11:07 +0300
committer: Stijn Tintel <stijn@linux-ipv6.be> 2018-07-31 05:11:07 +0300
commit: 22b9f99b87fa1ff991180cabf02dd04d1bddce2b (patch)
tree: 4675ce75a330278a46b34522f99d9e5ca6b9e8d3 /target/linux/generic/backport-4.14
parent: c89195eb25a4dfd093f9d0d3b3adac896bb471ad (diff)
download: upstream-22b9f99b87fa1ff991180cabf02dd04d1bddce2b.tar.gz
upstream-22b9f99b87fa1ff991180cabf02dd04d1bddce2b.tar.bz2
upstream-22b9f99b87fa1ff991180cabf02dd04d1bddce2b.zip
7 files changed, 75 insertions, 182 deletions
diff --git a/target/linux/generic/backport-4.14/012-kbuild-add-macro-for-controlling-warnings-to-linux-c.patch b/target/linux/generic/backport-4.14/012-kbuild-add-macro-for-controlling-warnings-to-linux-c.patch
index 6b56a68b31..892b65fbc0 100644
--- a/target/linux/generic/backport-4.14/012-kbuild-add-macro-for-controlling-warnings-to-linux-c.patch
+++ b/target/linux/generic/backport-4.14/012-kbuild-add-macro-for-controlling-warnings-to-linux-c.patch
@@ -84,7 +84,7 @@ Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
 
 --- a/include/linux/compiler-gcc.h
 +++ b/include/linux/compiler-gcc.h
-@@ -343,3 +343,28 @@
+@@ -358,3 +358,28 @@
   * code
   */
  #define uninitialized_var(x) x = x
diff --git a/target/linux/generic/backport-4.14/025-tcp-allow-drivers-to-tweak-TSQ-logic.patch b/target/linux/generic/backport-4.14/025-tcp-allow-drivers-to-tweak-TSQ-logic.patch
index 89117bd874..d9215505ee 100644
--- a/target/linux/generic/backport-4.14/025-tcp-allow-drivers-to-tweak-TSQ-logic.patch
+++ b/target/linux/generic/backport-4.14/025-tcp-allow-drivers-to-tweak-TSQ-logic.patch
@@ -65,7 +65,7 @@ Cc: Kir Kolyshkin <kir@openvz.org>
  	 * Before updating sk_refcnt, we must commit prior changes to memory
 --- a/net/ipv4/tcp_output.c
 +++ b/net/ipv4/tcp_output.c
-@@ -1671,7 +1671,7 @@ u32 tcp_tso_autosize(const struct sock *
+@@ -1683,7 +1683,7 @@ u32 tcp_tso_autosize(const struct sock *
  {
  	u32 bytes, segs;
  
@@ -74,7 +74,7 @@ Cc: Kir Kolyshkin <kir@openvz.org>
  		    sk->sk_gso_max_size - 1 - MAX_TCP_HEADER);
  
  	/* Goal is to send at least one packet per ms,
-@@ -2172,7 +2172,7 @@ static bool tcp_small_queue_check(struct
+@@ -2184,7 +2184,7 @@ static bool tcp_small_queue_check(struct
  {
  	unsigned int limit;
  
diff --git a/target/linux/generic/backport-4.14/030-v4.17-0001-usb-dwc2-add-support-for-host-mode-external-vbus-sup.patch b/target/linux/generic/backport-4.14/030-v4.17-0001-usb-dwc2-add-support-for-host-mode-external-vbus-sup.patch
index 1154150259..dc85efd1e1 100644
--- a/target/linux/generic/backport-4.14/030-v4.17-0001-usb-dwc2-add-support-for-host-mode-external-vbus-sup.patch
+++ b/target/linux/generic/backport-4.14/030-v4.17-0001-usb-dwc2-add-support-for-host-mode-external-vbus-sup.patch
@@ -63,7 +63,7 @@ Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
  /**
   * dwc2_enable_host_interrupts() - Enables the Host mode interrupts
   *
-@@ -3276,6 +3293,7 @@ static void dwc2_conn_id_status_change(s
+@@ -3278,6 +3295,7 @@ static void dwc2_conn_id_status_change(s
  
  	/* B-Device connector (Device Mode) */
  	if (gotgctl & GOTGCTL_CONID_B) {
@@ -71,7 +71,7 @@ Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
  		/* Wait for switch to device mode */
  		dev_dbg(hsotg->dev, "connId B\n");
  		if (hsotg->bus_suspended) {
-@@ -4382,6 +4400,9 @@ static int _dwc2_hcd_start(struct usb_hc
+@@ -4384,6 +4402,9 @@ static int _dwc2_hcd_start(struct usb_hc
  	}
  
  	spin_unlock_irqrestore(&hsotg->lock, flags);
@@ -81,7 +81,7 @@ Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
  	return 0;
  }
  
-@@ -4409,6 +4430,8 @@ static void _dwc2_hcd_stop(struct usb_hc
+@@ -4411,6 +4432,8 @@ static void _dwc2_hcd_stop(struct usb_hc
  	clear_bit(HCD_FLAG_HW_ACCESSIBLE, &hcd->flags);
  	spin_unlock_irqrestore(&hsotg->lock, flags);
  
@@ -90,7 +90,7 @@ Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
  	usleep_range(1000, 3000);
  }
  
-@@ -4445,6 +4468,7 @@ static int _dwc2_hcd_suspend(struct usb_
+@@ -4447,6 +4470,7 @@ static int _dwc2_hcd_suspend(struct usb_
  		hprt0 |= HPRT0_SUSP;
  		hprt0 &= ~HPRT0_PWR;
  		dwc2_writel(hprt0, hsotg->regs + HPRT0);
@@ -98,7 +98,7 @@ Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
  	}
  
  	/* Enter hibernation */
-@@ -4525,6 +4549,8 @@ static int _dwc2_hcd_resume(struct usb_h
+@@ -4527,6 +4551,8 @@ static int _dwc2_hcd_resume(struct usb_h
  		spin_unlock_irqrestore(&hsotg->lock, flags);
  		dwc2_port_resume(hsotg);
  	} else {
diff --git a/target/linux/generic/backport-4.14/030-v4.17-0002-usb-dwc2-dwc2_vbus_supply_init-fix-error-check.patch b/target/linux/generic/backport-4.14/030-v4.17-0002-usb-dwc2-dwc2_vbus_supply_init-fix-error-check.patch
index f860cde0f6..8dac0bffc2 100644
--- a/target/linux/generic/backport-4.14/030-v4.17-0002-usb-dwc2-dwc2_vbus_supply_init-fix-error-check.patch
+++ b/target/linux/generic/backport-4.14/030-v4.17-0002-usb-dwc2-dwc2_vbus_supply_init-fix-error-check.patch
@@ -42,7 +42,7 @@ Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
  
  	return regulator_enable(hsotg->vbus_supply);
  }
-@@ -4401,9 +4406,7 @@ static int _dwc2_hcd_start(struct usb_hc
+@@ -4403,9 +4408,7 @@ static int _dwc2_hcd_start(struct usb_hc
  
  	spin_unlock_irqrestore(&hsotg->lock, flags);
  
diff --git a/target/linux/generic/backport-4.14/080-net-convert-sock.sk_wmem_alloc-from-atomic_t-to-refc.patch b/target/linux/generic/backport-4.14/080-net-convert-sock.sk_wmem_alloc-from-atomic_t-to-refc.patch
deleted file mode 100644
index 06d00886f1..0000000000
--- a/target/linux/generic/backport-4.14/080-net-convert-sock.sk_wmem_alloc-from-atomic_t-to-refc.patch
+++ /dev/null
@@ -1,172 +0,0 @@
-From 9bbe60a67be5a1c6f79b3c9be5003481a50529ff Mon Sep 17 00:00:00 2001
-From: David Woodhouse <dwmw2@infradead.org>
-Date: Sat, 16 Jun 2018 11:55:44 +0100
-Subject: atm: Preserve value of skb->truesize when accounting to vcc
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-ATM accounts for in-flight TX packets in sk_wmem_alloc of the VCC on
-which they are to be sent. But it doesn't take ownership of those
-packets from the sock (if any) which originally owned them. They should
-remain owned by their actual sender until they've left the box.
-
-There's a hack in pskb_expand_head() to avoid adjusting skb->truesize
-for certain skbs, precisely to avoid messing up sk_wmem_alloc
-accounting. Ideally that hack would cover the ATM use case too, but it
-doesn't — skbs which aren't owned by any sock, for example PPP control
-frames, still get their truesize adjusted when the low-level ATM driver
-adds headroom.
-
-This has always been an issue, it seems. The truesize of a packet
-increases, and sk_wmem_alloc on the VCC goes negative. But this wasn't
-for normal traffic, only for control frames. So I think we just got away
-with it, and we probably needed to send 2GiB of LCP echo frames before
-the misaccounting would ever have caused a problem and caused
-atm_may_send() to start refusing packets.
-
-Commit 14afee4b609 ("net: convert sock.sk_wmem_alloc from atomic_t to
-refcount_t") did exactly what it was intended to do, and turned this
-mostly-theoretical problem into a real one, causing PPPoATM to fail
-immediately as sk_wmem_alloc underflows and atm_may_send() *immediately*
-starts refusing to allow new packets.
-
-The least intrusive solution to this problem is to stash the value of
-skb->truesize that was accounted to the VCC, in a new member of the
-ATM_SKB(skb) structure. Then in atm_pop_raw() subtract precisely that
-value instead of the then-current value of skb->truesize.
-
-Fixes: 158f323b9868 ("net: adjust skb->truesize in pskb_expand_head()")
-Signed-off-by: David Woodhouse <dwmw2@infradead.org>
-Tested-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- include/linux/atmdev.h | 15 +++++++++++++++
- net/atm/br2684.c       |  3 +--
- net/atm/clip.c         |  3 +--
- net/atm/common.c       |  3 +--
- net/atm/lec.c          |  3 +--
- net/atm/mpc.c          |  3 +--
- net/atm/pppoatm.c      |  3 +--
- net/atm/raw.c          |  4 ++--
- 8 files changed, 23 insertions(+), 14 deletions(-)
-
---- a/include/linux/atmdev.h
-+++ b/include/linux/atmdev.h
-@@ -214,6 +214,7 @@ struct atmphy_ops {
- struct atm_skb_data {
- 	struct atm_vcc	*vcc;		/* ATM VCC */
- 	unsigned long	atm_options;	/* ATM layer options */
-+	unsigned int	acct_truesize;  /* truesize accounted to vcc */
- };
- 
- #define VCC_HTABLE_SIZE 32
-@@ -241,6 +242,20 @@ void vcc_insert_socket(struct sock *sk);
- 
- void atm_dev_release_vccs(struct atm_dev *dev);
- 
-+static inline void atm_account_tx(struct atm_vcc *vcc, struct sk_buff *skb)
-+{
-+	/*
-+	 * Because ATM skbs may not belong to a sock (and we don't
-+	 * necessarily want to), skb->truesize may be adjusted,
-+	 * escaping the hack in pskb_expand_head() which avoids
-+	 * doing so for some cases. So stash the value of truesize
-+	 * at the time we accounted it, and atm_pop_raw() can use
-+	 * that value later, in case it changes.
-+	 */
-+	refcount_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
-+	ATM_SKB(skb)->acct_truesize = skb->truesize;
-+	ATM_SKB(skb)->atm_options = vcc->atm_options;
-+}
- 
- static inline void atm_force_charge(struct atm_vcc *vcc,int truesize)
- {
---- a/net/atm/br2684.c
-+++ b/net/atm/br2684.c
-@@ -252,8 +252,7 @@ static int br2684_xmit_vcc(struct sk_buf
- 
- 	ATM_SKB(skb)->vcc = atmvcc = brvcc->atmvcc;
- 	pr_debug("atm_skb(%p)->vcc(%p)->dev(%p)\n", skb, atmvcc, atmvcc->dev);
--	refcount_add(skb->truesize, &sk_atm(atmvcc)->sk_wmem_alloc);
--	ATM_SKB(skb)->atm_options = atmvcc->atm_options;
-+	atm_account_tx(atmvcc, skb);
- 	dev->stats.tx_packets++;
- 	dev->stats.tx_bytes += skb->len;
- 
---- a/net/atm/clip.c
-+++ b/net/atm/clip.c
-@@ -381,8 +381,7 @@ static netdev_tx_t clip_start_xmit(struc
- 		memcpy(here, llc_oui, sizeof(llc_oui));
- 		((__be16 *) here)[3] = skb->protocol;
- 	}
--	refcount_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
--	ATM_SKB(skb)->atm_options = vcc->atm_options;
-+	atm_account_tx(vcc, skb);
- 	entry->vccs->last_use = jiffies;
- 	pr_debug("atm_skb(%p)->vcc(%p)->dev(%p)\n", skb, vcc, vcc->dev);
- 	old = xchg(&entry->vccs->xoff, 1);	/* assume XOFF ... */
---- a/net/atm/common.c
-+++ b/net/atm/common.c
-@@ -630,10 +630,9 @@ int vcc_sendmsg(struct socket *sock, str
- 		goto out;
- 	}
- 	pr_debug("%d += %d\n", sk_wmem_alloc_get(sk), skb->truesize);
--	refcount_add(skb->truesize, &sk->sk_wmem_alloc);
-+	atm_account_tx(vcc, skb);
- 
- 	skb->dev = NULL; /* for paths shared with net_device interfaces */
--	ATM_SKB(skb)->atm_options = vcc->atm_options;
- 	if (!copy_from_iter_full(skb_put(skb, size), size, &m->msg_iter)) {
- 		kfree_skb(skb);
- 		error = -EFAULT;
---- a/net/atm/lec.c
-+++ b/net/atm/lec.c
-@@ -182,9 +182,8 @@ lec_send(struct atm_vcc *vcc, struct sk_
- 	struct net_device *dev = skb->dev;
- 
- 	ATM_SKB(skb)->vcc = vcc;
--	ATM_SKB(skb)->atm_options = vcc->atm_options;
-+	atm_account_tx(vcc, skb);
- 
--	refcount_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
- 	if (vcc->send(vcc, skb) < 0) {
- 		dev->stats.tx_dropped++;
- 		return;
---- a/net/atm/mpc.c
-+++ b/net/atm/mpc.c
-@@ -555,8 +555,7 @@ static int send_via_shortcut(struct sk_b
- 					sizeof(struct llc_snap_hdr));
- 	}
- 
--	refcount_add(skb->truesize, &sk_atm(entry->shortcut)->sk_wmem_alloc);
--	ATM_SKB(skb)->atm_options = entry->shortcut->atm_options;
-+	atm_account_tx(entry->shortcut, skb);
- 	entry->shortcut->send(entry->shortcut, skb);
- 	entry->packets_fwded++;
- 	mpc->in_ops->put(entry);
---- a/net/atm/pppoatm.c
-+++ b/net/atm/pppoatm.c
-@@ -350,8 +350,7 @@ static int pppoatm_send(struct ppp_chann
- 		return 1;
- 	}
- 
--	refcount_add(skb->truesize, &sk_atm(ATM_SKB(skb)->vcc)->sk_wmem_alloc);
--	ATM_SKB(skb)->atm_options = ATM_SKB(skb)->vcc->atm_options;
-+	atm_account_tx(vcc, skb);
- 	pr_debug("atm_skb(%p)->vcc(%p)->dev(%p)\n",
- 		 skb, ATM_SKB(skb)->vcc, ATM_SKB(skb)->vcc->dev);
- 	ret = ATM_SKB(skb)->vcc->send(ATM_SKB(skb)->vcc, skb)
---- a/net/atm/raw.c
-+++ b/net/atm/raw.c
-@@ -35,8 +35,8 @@ static void atm_pop_raw(struct atm_vcc *
- 	struct sock *sk = sk_atm(vcc);
- 
- 	pr_debug("(%d) %d -= %d\n",
--		 vcc->vci, sk_wmem_alloc_get(sk), skb->truesize);
--	WARN_ON(refcount_sub_and_test(skb->truesize, &sk->sk_wmem_alloc));
-+		 vcc->vci, sk_wmem_alloc_get(sk), ATM_SKB(skb)->acct_truesize);
-+	WARN_ON(refcount_sub_and_test(ATM_SKB(skb)->acct_truesize, &sk->sk_wmem_alloc));
- 	dev_kfree_skb_any(skb);
- 	sk->sk_write_space(sk);
- }
diff --git a/target/linux/generic/backport-4.14/336-v4.15-netfilter-exit_net-cleanup-check-added.patch b/target/linux/generic/backport-4.14/336-v4.15-netfilter-exit_net-cleanup-check-added.patch
index 37975ae038..5c942e3a54 100644
--- a/target/linux/generic/backport-4.14/336-v4.15-netfilter-exit_net-cleanup-check-added.patch
+++ b/target/linux/generic/backport-4.14/336-v4.15-netfilter-exit_net-cleanup-check-added.patch
@@ -62,7 +62,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  static struct pernet_operations nfnl_log_net_ops = {
 --- a/net/netfilter/nfnetlink_queue.c
 +++ b/net/netfilter/nfnetlink_queue.c
-@@ -1512,10 +1512,15 @@ static int __net_init nfnl_queue_net_ini
+@@ -1515,10 +1515,15 @@ static int __net_init nfnl_queue_net_ini
  
  static void __net_exit nfnl_queue_net_exit(struct net *net)
  {
diff --git a/target/linux/generic/backport-4.14/500-ext4-fix-check-to-prevent-initializing-reserved-inod.patch b/target/linux/generic/backport-4.14/500-ext4-fix-check-to-prevent-initializing-reserved-inod.patch
new file mode 100644
index 0000000000..8e63189e80
--- /dev/null
+++ b/target/linux/generic/backport-4.14/500-ext4-fix-check-to-prevent-initializing-reserved-inod.patch
@@ -0,0 +1,65 @@
+From 5012284700775a4e6e3fbe7eac4c543c4874b559 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 28 Jul 2018 08:12:04 -0400
+Subject: [PATCH] ext4: fix check to prevent initializing reserved inodes
+
+Commit 8844618d8aa7: "ext4: only look at the bg_flags field if it is
+valid" will complain if block group zero does not have the
+EXT4_BG_INODE_ZEROED flag set.  Unfortunately, this is not correct,
+since a freshly created file system has this flag cleared.  It gets
+almost immediately after the file system is mounted read-write --- but
+the following somewhat unlikely sequence will end up triggering a
+false positive report of a corrupted file system:
+
+   mkfs.ext4 /dev/vdc
+   mount -o ro /dev/vdc /vdc
+   mount -o remount,rw /dev/vdc
+
+Instead, when initializing the inode table for block group zero, test
+to make sure that itable_unused count is not too large, since that is
+the case that will result in some or all of the reserved inodes
+getting cleared.
+
+This fixes the failures reported by Eric Whiteney when running
+generic/230 and generic/231 in the the nojournal test case.
+
+Fixes: 8844618d8aa7 ("ext4: only look at the bg_flags field if it is valid")
+Reported-by: Eric Whitney <enwlinux@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+---
+ fs/ext4/ialloc.c | 5 ++++-
+ fs/ext4/super.c  | 8 +-------
+ 2 files changed, 5 insertions(+), 8 deletions(-)
+
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -1394,7 +1394,10 @@ int ext4_init_inode_table(struct super_b
+ 			    ext4_itable_unused_count(sb, gdp)),
+ 			    sbi->s_inodes_per_block);
+ 
+-	if ((used_blks < 0) || (used_blks > sbi->s_itb_per_group)) {
++	if ((used_blks < 0) || (used_blks > sbi->s_itb_per_group) ||
++	    ((group == 0) && ((EXT4_INODES_PER_GROUP(sb) -
++			       ext4_itable_unused_count(sb, gdp)) <
++			      EXT4_FIRST_INO(sb)))) {
+ 		ext4_error(sb, "Something is wrong with group %u: "
+ 			   "used itable blocks: %d; "
+ 			   "itable unused count: %u",
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3103,14 +3103,8 @@ static ext4_group_t ext4_has_uninit_itab
+ 		if (!gdp)
+ 			continue;
+ 
+-		if (gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED))
+-			continue;
+-		if (group != 0)
++		if (!(gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED)))
+ 			break;
+-		ext4_error(sb, "Inode table for bg 0 marked as "
+-			   "needing zeroing");
+-		if (sb_rdonly(sb))
+-			return ngroups;
+ 	}
+ 
+ 	return group;
author	Stijn Tintel <stijn@linux-ipv6.be>	2018-07-31 05:11:07 +0300
committer	Stijn Tintel <stijn@linux-ipv6.be>	2018-07-31 05:11:07 +0300
commit	22b9f99b87fa1ff991180cabf02dd04d1bddce2b (patch)
tree	4675ce75a330278a46b34522f99d9e5ca6b9e8d3 /target/linux/generic/backport-4.14
parent	c89195eb25a4dfd093f9d0d3b3adac896bb471ad (diff)
download	upstream-22b9f99b87fa1ff991180cabf02dd04d1bddce2b.tar.gz upstream-22b9f99b87fa1ff991180cabf02dd04d1bddce2b.tar.bz2 upstream-22b9f99b87fa1ff991180cabf02dd04d1bddce2b.zip