This is the start of the stable review cycle for the 4.4.210 release.
There are 28 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu, 16 Jan 2020 09:41:58 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.210-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <[email protected]>
Linux 4.4.210-rc1
Florian Westphal <[email protected]>
netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present
Florian Westphal <[email protected]>
netfilter: arp_tables: init netns pointer in xt_tgchk_param struct
Alan Stern <[email protected]>
USB: Fix: Don't skip endpoint descriptors with maxpacket=0
Navid Emamdoost <[email protected]>
rtl8xxxu: prevent leaking urb
Navid Emamdoost <[email protected]>
scsi: bfa: release allocated memory in case of error
Navid Emamdoost <[email protected]>
mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf
Ganapathi Bhat <[email protected]>
mwifiex: fix possible heap overflow in mwifiex_process_country_ie()
Sudip Mukherjee <[email protected]>
tty: always relink the port
Sudip Mukherjee <[email protected]>
tty: link tty and port before configuring it as console
Michael Straube <[email protected]>
staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21
Paul Cercueil <[email protected]>
usb: musb: dma: Correct parameter passed to IRQ handler
Paul Cercueil <[email protected]>
usb: musb: Disable pullup at init
Daniele Palmas <[email protected]>
USB: serial: option: add ZLP support for 0x1bc7/0x9010
Malcolm Priestley <[email protected]>
staging: vt6656: set usb_set_intfdata on driver fail.
Oliver Hartkopp <[email protected]>
can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs
Florian Faber <[email protected]>
can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode
Johan Hovold <[email protected]>
can: gs_usb: gs_usb_probe(): use descriptors of current altsetting
Wayne Lin <[email protected]>
drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ
Dmitry Torokhov <[email protected]>
Input: add safety guards to input_set_keycode()
Dmitry Torokhov <[email protected]>
HID: hid-input: clear unmapped usages
Marcel Holtmann <[email protected]>
HID: uhid: Fix returning EPOLLOUT from uhid_char_poll
Alan Stern <[email protected]>
HID: Fix slab-out-of-bounds read in hid_field_extract
Steven Rostedt (VMware) <[email protected]>
tracing: Have stack tracer compile when MCOUNT_INSN_SIZE is not defined
Kaitao Cheng <[email protected]>
kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail
Takashi Iwai <[email protected]>
ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5
Guenter Roeck <[email protected]>
usb: chipidea: host: Disable port power only if previously enabled
Will Deacon <[email protected]>
chardev: Avoid potential use-after-free in 'chrdev_open()'
Jan Kara <[email protected]>
kobject: Export kobject_get_unless_zero()
-------------
Diffstat:
Makefile | 4 +--
drivers/gpu/drm/drm_dp_mst_topology.c | 2 +-
drivers/hid/hid-core.c | 6 +++++
drivers/hid/hid-input.c | 16 ++++++++---
drivers/hid/uhid.c | 3 ++-
drivers/input/input.c | 26 +++++++++++-------
drivers/net/can/mscan/mscan.c | 21 +++++++--------
drivers/net/can/usb/gs_usb.c | 4 +--
drivers/net/wireless/mwifiex/pcie.c | 4 ++-
drivers/net/wireless/mwifiex/sta_ioctl.c | 11 +++++++-
drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c | 1 +
drivers/scsi/bfa/bfad_attr.c | 4 ++-
drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 +
drivers/staging/vt6656/device.h | 1 +
drivers/staging/vt6656/main_usb.c | 1 +
drivers/staging/vt6656/wcmd.c | 1 +
drivers/tty/serial/serial_core.c | 1 +
drivers/usb/chipidea/host.c | 4 ++-
drivers/usb/core/config.c | 12 ++++++---
drivers/usb/musb/musb_core.c | 3 +++
drivers/usb/musb/musbhsdma.c | 2 +-
drivers/usb/serial/option.c | 8 ++++++
drivers/usb/serial/usb-wwan.h | 1 +
drivers/usb/serial/usb_wwan.c | 4 +++
fs/char_dev.c | 2 +-
include/linux/can/dev.h | 34 ++++++++++++++++++++++++
include/linux/kobject.h | 2 ++
kernel/trace/trace_sched_wakeup.c | 4 ++-
kernel/trace/trace_stack.c | 5 ++++
lib/kobject.c | 5 +++-
net/ipv4/netfilter/arp_tables.c | 27 +++++++++++--------
net/netfilter/ipset/ip_set_core.c | 3 ++-
sound/usb/quirks.c | 1 +
33 files changed, 169 insertions(+), 55 deletions(-)
From: Michael Straube <[email protected]>
commit 58dcc5bf4030cab548d5c98cd4cd3632a5444d5a upstream.
This device was added to the stand-alone driver on github.
Add it to the staging driver as well.
Link: https://github.com/lwfinger/rtl8188eu/commit/b9b537aa25a8
Signed-off-by: Michael Straube <[email protected]>
Cc: stable <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
@@ -49,6 +49,7 @@ static struct usb_device_id rtw_usb_id_t
{USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */
{USB_DEVICE(0x2001, 0x331B)}, /* D-Link DWA-121 rev B1 */
{USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */
+ {USB_DEVICE(0x2357, 0x0111)}, /* TP-Link TL-WN727N v5.21 */
{USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */
{USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */
{} /* Terminating entry */
From: Wayne Lin <[email protected]>
commit c4e4fccc5d52d881afaac11d3353265ef4eccb8b upstream.
[Why]
According to DP spec, it should shift left 4 digits for NO_STOP_BIT
in REMOTE_I2C_READ message. Not 5 digits.
In current code, NO_STOP_BIT is always set to zero which means I2C
master is always generating a I2C stop at the end of each I2C write
transaction while handling REMOTE_I2C_READ sideband message. This issue
might have the generated I2C signal not meeting the requirement. Take
random read in I2C for instance, I2C master should generate a repeat
start to start to read data after writing the read address. This issue
will cause the I2C master to generate a stop-start rather than a
re-start which is not expected in I2C random read.
[How]
Correct the shifting value of NO_STOP_BIT for DP_REMOTE_I2C_READ case in
drm_dp_encode_sideband_req().
Changes since v1:(https://patchwork.kernel.org/patch/11312667/)
* Add more descriptions in commit and cc to stable
Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)")
Reviewed-by: Harry Wentland <[email protected]>
Signed-off-by: Wayne Lin <[email protected]>
Cc: [email protected]
Signed-off-by: Lyude Paul <[email protected]>
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/gpu/drm/drm_dp_mst_topology.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/drm_dp_mst_topology.c
@@ -272,7 +272,7 @@ static void drm_dp_encode_sideband_req(s
memcpy(&buf[idx], req->u.i2c_read.transactions[i].bytes, req->u.i2c_read.transactions[i].num_bytes);
idx += req->u.i2c_read.transactions[i].num_bytes;
- buf[idx] = (req->u.i2c_read.transactions[i].no_stop_bit & 0x1) << 5;
+ buf[idx] = (req->u.i2c_read.transactions[i].no_stop_bit & 0x1) << 4;
buf[idx] |= (req->u.i2c_read.transactions[i].i2c_transaction_delay & 0xf);
idx++;
}
From: Alan Stern <[email protected]>
commit 8ec321e96e056de84022c032ffea253431a83c3c upstream.
The syzbot fuzzer found a slab-out-of-bounds bug in the HID report
handler. The bug was caused by a report descriptor which included a
field with size 12 bits and count 4899, for a total size of 7349
bytes.
The usbhid driver uses at most a single-page 4-KB buffer for reports.
In the test there wasn't any problem about overflowing the buffer,
since only one byte was received from the device. Rather, the bug
occurred when the HID core tried to extract the data from the report
fields, which caused it to try reading data beyond the end of the
allocated buffer.
This patch fixes the problem by rejecting any report whose total
length exceeds the HID_MAX_BUFFER_SIZE limit (minus one byte to allow
for a possible report index). In theory a device could have a report
longer than that, but if there was such a thing we wouldn't handle it
correctly anyway.
Reported-and-tested-by: [email protected]
Signed-off-by: Alan Stern <[email protected]>
CC: <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/hid/hid-core.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -269,6 +269,12 @@ static int hid_add_field(struct hid_pars
offset = report->size;
report->size += parser->global.report_size * parser->global.report_count;
+ /* Total size check: Allow for possible report index byte */
+ if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) {
+ hid_err(parser->device, "report is too long\n");
+ return -1;
+ }
+
if (!parser->local.usage_index) /* Ignore padding fields */
return 0;
From: Kaitao Cheng <[email protected]>
commit 50f9ad607ea891a9308e67b81f774c71736d1098 upstream.
In the function, if register_trace_sched_migrate_task() returns error,
sched_switch/sched_wakeup_new/sched_wakeup won't unregister. That is
why fail_deprobe_sched_switch was added.
Link: http://lkml.kernel.org/r/[email protected]
Cc: [email protected]
Fixes: 478142c39c8c2 ("tracing: do not grab lock in wakeup latency function tracing")
Signed-off-by: Kaitao Cheng <[email protected]>
Signed-off-by: Steven Rostedt (VMware) <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
kernel/trace/trace_sched_wakeup.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/kernel/trace/trace_sched_wakeup.c
+++ b/kernel/trace/trace_sched_wakeup.c
@@ -625,7 +625,7 @@ static void start_wakeup_tracer(struct t
if (ret) {
pr_info("wakeup trace: Couldn't activate tracepoint"
" probe to kernel_sched_migrate_task\n");
- return;
+ goto fail_deprobe_sched_switch;
}
wakeup_reset(tr);
@@ -643,6 +643,8 @@ static void start_wakeup_tracer(struct t
printk(KERN_ERR "failed to start wakeup tracer\n");
return;
+fail_deprobe_sched_switch:
+ unregister_trace_sched_switch(probe_wakeup_sched_switch, NULL);
fail_deprobe_wake_new:
unregister_trace_sched_wakeup_new(probe_wakeup, NULL);
fail_deprobe:
From: Jan Kara <[email protected]>
commit c70c176ff8c3ff0ac6ef9a831cd591ea9a66bd1a upstream.
Make the function available for outside use and fortify it against NULL
kobject.
CC: Greg Kroah-Hartman <[email protected]>
Reviewed-by: Bart Van Assche <[email protected]>
Acked-by: Tejun Heo <[email protected]>
Signed-off-by: Jan Kara <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
include/linux/kobject.h | 2 ++
lib/kobject.c | 5 ++++-
2 files changed, 6 insertions(+), 1 deletion(-)
--- a/include/linux/kobject.h
+++ b/include/linux/kobject.h
@@ -108,6 +108,8 @@ extern int __must_check kobject_rename(s
extern int __must_check kobject_move(struct kobject *, struct kobject *);
extern struct kobject *kobject_get(struct kobject *kobj);
+extern struct kobject * __must_check kobject_get_unless_zero(
+ struct kobject *kobj);
extern void kobject_put(struct kobject *kobj);
extern const void *kobject_namespace(struct kobject *kobj);
--- a/lib/kobject.c
+++ b/lib/kobject.c
@@ -599,12 +599,15 @@ struct kobject *kobject_get(struct kobje
}
EXPORT_SYMBOL(kobject_get);
-static struct kobject * __must_check kobject_get_unless_zero(struct kobject *kobj)
+struct kobject * __must_check kobject_get_unless_zero(struct kobject *kobj)
{
+ if (!kobj)
+ return NULL;
if (!kref_get_unless_zero(&kobj->kref))
kobj = NULL;
return kobj;
}
+EXPORT_SYMBOL(kobject_get_unless_zero);
/*
* kobject_cleanup - free kobject resources.
On 14/01/2020 10:02, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.210 release.
> There are 28 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 16 Jan 2020 09:41:58 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.210-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests are passing for Tegra ...
Test results for stable-v4.4:
6 builds: 6 pass, 0 fail
12 boots: 12 pass, 0 fail
19 tests: 19 pass, 0 fail
Linux version: 4.4.210-rc1-ge249b6762aa6
Boards tested: tegra124-jetson-tk1, tegra20-ventana,
tegra30-cardhu-a04
Cheers
Jon
--
nvpublic
On Tue, Jan 14, 2020 at 11:02:02AM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.210 release.
> There are 28 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 16 Jan 2020 09:41:58 +0000.
> Anything received after that time might be too late.
>
Build results:
total: 170 pass: 170 fail: 0
Qemu test results:
total: 326 pass: 326 fail: 0
Guenter
On 1/14/20 3:02 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.210 release.
> There are 28 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 16 Jan 2020 09:41:58 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.210-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
thanks,
-- Shuah
Hello!
On 1/14/20 4:02 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.210 release.
> There are 28 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 16 Jan 2020 09:41:58 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.210-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.
Summary
------------------------------------------------------------------------
kernel: 4.4.210-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.4.y
git commit: e249b6762aa64944a407b6e00bb99590fdee9091
git describe: v4.4.209-29-ge249b6762aa6
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.4-oe/build/v4.4.209-29-ge249b6762aa6
No regressions (compared to build v4.4.209)
No fixes (compared to build v4.4.209)
Ran 19907 total tests in the following environments and test suites.
Environments
--------------
- i386
- juno-r2 - arm64
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15 - arm
- x86_64
Test Suites
-----------
* build
* install-android-platform-tools-r2600
* kselftest
* kselftest-vsyscall-mode-none
* kvm-unit-tests
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fs-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-open-posix-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* network-basic-tests
* perf
* prep-tmp-disk
* spectre-meltdown-checker-test
* ssuite
* v4l2-compliance
Greetings!
Daniel Díaz
[email protected]
--
Linaro LKFT
https://lkft.linaro.org