This is the start of the stable review cycle for the 4.14.196 release.
There are 91 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu, 03 Sep 2020 15:09:01 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.196-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <[email protected]>
Linux 4.14.196-rc1
Hector Martin <[email protected]>
ALSA: usb-audio: Update documentation comment for MS2109 quirk
Peilin Ye <[email protected]>
HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage()
Jarkko Sakkinen <[email protected]>
tpm: Unify the mismatching TPM space buffer sizes
Josef Bacik <[email protected]>
btrfs: check the right error variable in btrfs_del_dir_entries_in_log
Alan Stern <[email protected]>
usb: storage: Add unusual_uas entry for Sony PSZ drives
Tom Rix <[email protected]>
USB: cdc-acm: rework notification_buffer resizing
Andy Shevchenko <[email protected]>
USB: gadget: u_f: Unbreak offset calculation in VLAs
Brooke Basile <[email protected]>
USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb()
Brooke Basile <[email protected]>
USB: gadget: u_f: add overflow checks to VLA macros
Kees Cook <[email protected]>
overflow.h: Add allocation size calculation helpers
Tang Bin <[email protected]>
usb: host: ohci-exynos: Fix error handling in exynos_ohci_probe()
Cyril Roelandt <[email protected]>
USB: Ignore UAS for JMicron JMS567 ATA/ATAPI Bridge
Kai-Heng Feng <[email protected]>
USB: quirks: Add no-lpm quirk for another Raydium touchscreen
Thinh Nguyen <[email protected]>
usb: uas: Add quirk for PNY Pro Elite
Alan Stern <[email protected]>
USB: yurex: Fix bad gfp argument
Alex Deucher <[email protected]>
drm/amdgpu: Fix buffer overflow in INFO ioctl
Heikki Krogerus <[email protected]>
device property: Fix the secondary firmware node handling in set_primary_fwnode()
Rafael J. Wysocki <[email protected]>
PM: sleep: core: Fix the handling of pending runtime resume requests
Kai-Heng Feng <[email protected]>
xhci: Do warm-reset when both CAS and XDEV_RESUME are set
Thomas Gleixner <[email protected]>
XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information.
Jan Kara <[email protected]>
writeback: Fix sync livelock due to b_dirty_time processing
Jan Kara <[email protected]>
writeback: Avoid skipping inode writeback
Jan Kara <[email protected]>
writeback: Protect inode->i_io_list with inode->i_lock
Sergey Senozhatsky <[email protected]>
serial: 8250: change lock order in serial8250_do_startup()
Valmer Huhn <[email protected]>
serial: 8250_exar: Fix number of ports for Commtech PCIe cards
Lukas Wunner <[email protected]>
serial: pl011: Don't leak amba_ports entry on driver register error
Lukas Wunner <[email protected]>
serial: pl011: Fix oops on -EPROBE_DEFER
Tamseel Shams <[email protected]>
serial: samsung: Removes the IRQ not found warning
George Kennedy <[email protected]>
vt_ioctl: change VT_RESIZEX ioctl to check for error return from vc_resize()
Tetsuo Handa <[email protected]>
vt: defer kfree() of vc_screenbuf in vc_do_resize()
Evgeny Novikov <[email protected]>
USB: lvtest: return proper error code in probe
George Kennedy <[email protected]>
fbcon: prevent user font height or width change from causing potential out-of-bounds access
Filipe Manana <[email protected]>
btrfs: fix space cache memory leak after transaction abort
Hans de Goede <[email protected]>
HID: i2c-hid: Always sleep 60ms after I2C_HID_PWR_ON commands
Athira Rajeev <[email protected]>
powerpc/perf: Fix soft lockups due to missed interrupt accounting
Sumera Priyadarsini <[email protected]>
net: gianfar: Add of_node_put() before goto statement
Stanley Chu <[email protected]>
scsi: ufs: Clean up completed request without interrupt notification
Adrian Hunter <[email protected]>
scsi: ufs: Improve interrupt handling for shared interrupts
Stanley Chu <[email protected]>
scsi: ufs: Fix possible infinite loop in ufshcd_hold
Vineeth Vijayan <[email protected]>
s390/cio: add cond_resched() in the slow_eval_known_fn() loop
Amelie Delaunay <[email protected]>
spi: stm32: fix stm32_spi_prepare_mbr in case of odd clk_rate
Xianting Tian <[email protected]>
fs: prevent BUG_ON in submit_bh_wbc()
zhangyi (F) <[email protected]>
jbd2: abort journal if free a async write error metadata buffer
Jan Kara <[email protected]>
ext4: don't BUG on inconsistent journal feature
Lukas Czerner <[email protected]>
jbd2: make sure jh have b_transaction set in refile/unfile_buffer
Christophe JAILLET <[email protected]>
usb: gadget: f_tcm: Fix some resource leaks in some error paths
Wolfram Sang <[email protected]>
i2c: rcar: in slave mode, clear NACK earlier
Hou Pu <[email protected]>
null_blk: fix passing of REQ_FUA flag in null_handle_rq
Tianjia Zhang <[email protected]>
nvme-fc: Fix wrong return value in __nvme_fc_init_request()
Sean Young <[email protected]>
media: gpio-ir-tx: improve precision of transmitted signal due to scheduling
Zhi Chen <[email protected]>
Revert "ath10k: fix DMA related firmware crashes on multiple devices"
Andrey Konovalov <[email protected]>
efi: provide empty efi_enter_virtual_mode implementation
Changming Liu <[email protected]>
USB: sisusbvga: Fix a potential UB casued by left shifting a negative value
Arnd Bergmann <[email protected]>
powerpc/spufs: add CONFIG_COREDUMP dependency
David Brazdil <[email protected]>
KVM: arm64: Fix symbol dependency in __hyp_call_panic_nvhe
Evgeny Novikov <[email protected]>
media: davinci: vpif_capture: fix potential double free
Jason Baron <[email protected]>
EDAC/ie31200: Fallback if host bridge device is already initialized
Javed Hasan <[email protected]>
scsi: fcoe: Memory leak fix in fcoe_sysfs_fcf_del()
Xiubo Li <[email protected]>
ceph: fix potential mdsc use-after-free crash
Jing Xiangfeng <[email protected]>
scsi: iscsi: Do not put host in iscsi_set_flashnode_param()
Chris Wilson <[email protected]>
locking/lockdep: Fix overflow in presentation of average lock-time
Aditya Pakki <[email protected]>
drm/nouveau: Fix reference count leak in nouveau_connector_detect
Aditya Pakki <[email protected]>
drm/nouveau/drm/noveau: fix reference count leak in nouveau_fbcon_open
Li Guifu <[email protected]>
f2fs: fix use-after-free issue
Hans Verkuil <[email protected]>
cec-api: prevent leaking memory through hole in structure
Peng Fan <[email protected]>
mips/vdso: Fix resource leaks in genvdso.c
Reto Schneider <[email protected]>
rtlwifi: rtl8192cu: Prevent leaking urb
Qiushi Wu <[email protected]>
PCI: Fix pci_create_slot() reference count leak
Aditya Pakki <[email protected]>
omapfb: fix multiple reference count leaks due to pm_runtime_get_sync
Desnes A. Nunes do Rosario <[email protected]>
selftests/powerpc: Purge extra count_pmc() calls of ebb selftests
Dick Kennedy <[email protected]>
scsi: lpfc: Fix shost refcount mismatch when deleting vport
Navid Emamdoost <[email protected]>
drm/amdgpu/display: fix ref count leak when pm_runtime_get_sync fails
Navid Emamdoost <[email protected]>
drm/amdgpu: fix ref count leak in amdgpu_display_crtc_set_config
Navid Emamdoost <[email protected]>
drm/amd/display: fix ref count leak in amdgpu_drm_ioctl
Navid Emamdoost <[email protected]>
drm/amdgpu: fix ref count leak in amdgpu_driver_open_kms
Aditya Pakki <[email protected]>
drm/radeon: fix multiple reference count leak
Qiushi Wu <[email protected]>
drm/amdkfd: Fix reference count leaks.
Robin Murphy <[email protected]>
iommu/iova: Don't BUG on invalid PFNs
Bodo Stroesser <[email protected]>
scsi: target: tcmu: Fix crash on ARM during cmd completion
Luis Chamberlain <[email protected]>
blktrace: ensure our debugfs dir exists
Jia-Ju Bai <[email protected]>
media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA value in debiirq()
Alexey Kardashevskiy <[email protected]>
powerpc/xive: Ignore kmemleak false positives
Stephan Gerhold <[email protected]>
arm64: dts: qcom: msm8916: Pull down PDM GPIOs during sleep
Andy Shevchenko <[email protected]>
mfd: intel-lpss: Add Intel Emmitsburg PCH PCI IDs
Qiushi Wu <[email protected]>
ASoC: tegra: Fix reference count leaks.
Randy Dunlap <[email protected]>
ALSA: pci: delete repeated words in comments
Mark Tomlinson <[email protected]>
gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY
Mahesh Bandewar <[email protected]>
ipvlan: fix device features
Cong Wang <[email protected]>
tipc: fix uninit skb->data in tipc_nl_compat_dumpit()
Miaohe Lin <[email protected]>
net: Fix potential wrong skb->protocol in skb_vlan_untag()
Michael Ellerman <[email protected]>
powerpc/64s: Don't init FSCR_DSCR in __init_FSCR()
-------------
Diffstat:
Makefile | 4 +-
arch/arm64/boot/dts/qcom/msm8916-pins.dtsi | 2 +-
arch/arm64/kvm/hyp/switch.c | 2 +-
arch/mips/vdso/genvdso.c | 10 +++
arch/powerpc/kernel/cpu_setup_power.S | 2 +-
arch/powerpc/perf/core-book3s.c | 4 ++
arch/powerpc/platforms/cell/Kconfig | 1 +
arch/powerpc/sysdev/xive/native.c | 2 +
drivers/base/core.c | 12 ++--
drivers/base/power/main.c | 16 +++--
drivers/block/null_blk.c | 2 +-
drivers/char/tpm/tpm-chip.c | 9 +--
drivers/char/tpm/tpm.h | 6 +-
drivers/char/tpm/tpm2-space.c | 26 ++++---
drivers/char/tpm/tpmrm-dev.c | 2 +-
drivers/edac/ie31200_edac.c | 50 ++++++++++++-
drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 16 +++--
drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 5 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 3 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 7 +-
drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 20 ++++--
drivers/gpu/drm/nouveau/nouveau_connector.c | 4 +-
drivers/gpu/drm/nouveau/nouveau_fbcon.c | 4 +-
drivers/gpu/drm/radeon/radeon_connectors.c | 20 ++++--
drivers/hid/i2c-hid/i2c-hid-core.c | 22 +++---
drivers/hid/usbhid/hiddev.c | 4 ++
drivers/i2c/busses/i2c-rcar.c | 1 +
drivers/iommu/iova.c | 4 +-
drivers/md/dm-table.c | 10 +--
drivers/media/cec/cec-api.c | 8 ++-
drivers/media/pci/ttpci/av7110.c | 5 +-
drivers/media/platform/davinci/vpif_capture.c | 2 -
drivers/media/rc/gpio-ir-tx.c | 7 +-
drivers/mfd/intel-lpss-pci.c | 3 +
drivers/net/ethernet/freescale/gianfar.c | 4 +-
drivers/net/ipvlan/ipvlan_main.c | 27 +++++--
drivers/net/wireless/ath/ath10k/hw.h | 2 +-
drivers/net/wireless/realtek/rtlwifi/usb.c | 5 +-
drivers/nvme/host/fc.c | 4 +-
drivers/pci/slot.c | 6 +-
drivers/s390/cio/css.c | 5 ++
drivers/scsi/fcoe/fcoe_ctlr.c | 2 +-
drivers/scsi/lpfc/lpfc_vport.c | 26 +++----
drivers/scsi/scsi_transport_iscsi.c | 2 +-
drivers/scsi/ufs/ufshcd.c | 14 ++--
drivers/spi/spi-stm32.c | 3 +-
drivers/target/target_core_user.c | 9 ++-
drivers/tty/serial/8250/8250_exar.c | 24 ++++++-
drivers/tty/serial/8250/8250_port.c | 9 ++-
drivers/tty/serial/amba-pl011.c | 16 +++--
drivers/tty/serial/samsung.c | 8 ++-
drivers/tty/vt/vt.c | 5 +-
drivers/tty/vt/vt_ioctl.c | 12 +++-
drivers/usb/class/cdc-acm.c | 22 +++---
drivers/usb/core/quirks.c | 2 +
drivers/usb/gadget/function/f_ncm.c | 81 +++++++++++++++++----
drivers/usb/gadget/function/f_tcm.c | 7 +-
drivers/usb/gadget/u_f.h | 38 +++++++---
drivers/usb/host/ohci-exynos.c | 5 +-
drivers/usb/host/xhci-hub.c | 19 ++---
drivers/usb/misc/lvstest.c | 2 +-
drivers/usb/misc/sisusbvga/sisusb.c | 2 +-
drivers/usb/misc/yurex.c | 2 +-
drivers/usb/storage/unusual_devs.h | 2 +-
drivers/usb/storage/unusual_uas.h | 14 ++++
drivers/video/fbdev/core/fbcon.c | 25 ++++++-
drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 7 +-
drivers/video/fbdev/omap2/omapfb/dss/dsi.c | 7 +-
drivers/video/fbdev/omap2/omapfb/dss/dss.c | 7 +-
drivers/video/fbdev/omap2/omapfb/dss/hdmi4.c | 5 +-
drivers/video/fbdev/omap2/omapfb/dss/hdmi5.c | 5 +-
drivers/video/fbdev/omap2/omapfb/dss/venc.c | 7 +-
drivers/xen/events/events_base.c | 16 ++---
fs/btrfs/disk-io.c | 1 +
fs/btrfs/free-space-cache.c | 2 +-
fs/btrfs/tree-log.c | 10 +--
fs/buffer.c | 9 +++
fs/ceph/mds_client.c | 14 +++-
fs/ext4/super.c | 75 +++++++++++--------
fs/f2fs/super.c | 5 +-
fs/fs-writeback.c | 83 ++++++++++++----------
fs/jbd2/transaction.c | 26 +++++++
include/linux/efi.h | 4 ++
include/linux/fs.h | 8 ++-
include/linux/overflow.h | 73 +++++++++++++++++++
include/trace/events/writeback.h | 13 ++--
kernel/locking/lockdep_proc.c | 2 +-
kernel/trace/blktrace.c | 12 ++++
net/core/skbuff.c | 4 +-
net/ipv6/ip6_tunnel.c | 10 ++-
net/tipc/netlink_compat.c | 12 +++-
sound/pci/cs46xx/cs46xx_lib.c | 2 +-
sound/pci/cs46xx/dsp_spos_scb_lib.c | 2 +-
sound/pci/hda/hda_codec.c | 2 +-
sound/pci/hda/hda_generic.c | 2 +-
sound/pci/hda/patch_sigmatel.c | 2 +-
sound/pci/ice1712/prodigy192.c | 2 +-
sound/pci/oxygen/xonar_dg.c | 2 +-
sound/soc/tegra/tegra30_ahub.c | 4 +-
sound/soc/tegra/tegra30_i2s.c | 4 +-
sound/usb/quirks-table.h | 4 +-
.../powerpc/pmu/ebb/back_to_back_ebbs_test.c | 2 -
.../selftests/powerpc/pmu/ebb/cycles_test.c | 2 -
.../powerpc/pmu/ebb/cycles_with_freeze_test.c | 2 -
.../powerpc/pmu/ebb/cycles_with_mmcr2_test.c | 2 -
tools/testing/selftests/powerpc/pmu/ebb/ebb.c | 2 -
.../powerpc/pmu/ebb/ebb_on_willing_child_test.c | 2 -
.../powerpc/pmu/ebb/lost_exception_test.c | 1 -
.../selftests/powerpc/pmu/ebb/multi_counter_test.c | 7 --
.../powerpc/pmu/ebb/multi_ebb_procs_test.c | 2 -
.../selftests/powerpc/pmu/ebb/pmae_handling_test.c | 2 -
.../powerpc/pmu/ebb/pmc56_overflow_test.c | 2 -
112 files changed, 826 insertions(+), 342 deletions(-)
From: Navid Emamdoost <[email protected]>
[ Upstream commit 5509ac65f2fe5aa3c0003237ec629ca55024307c ]
In amdgpu_drm_ioctl the call to pm_runtime_get_sync increments the
counter even in case of failure, leading to incorrect
ref count. In case of failure, decrement the ref count before returning.
Signed-off-by: Navid Emamdoost <[email protected]>
Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
index ae23f7e0290c3..465ece90e63ab 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
@@ -801,11 +801,12 @@ long amdgpu_drm_ioctl(struct file *filp,
dev = file_priv->minor->dev;
ret = pm_runtime_get_sync(dev->dev);
if (ret < 0)
- return ret;
+ goto out;
ret = drm_ioctl(filp, cmd, arg);
pm_runtime_mark_last_busy(dev->dev);
+out:
pm_runtime_put_autosuspend(dev->dev);
return ret;
}
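Review bot: the new "out:" label sends the failed-resume path through pm_runtime_put_autosuspend(dev->dev), which drops the usage count and also asks the PM core to consider an autosuspend on a device whose resume just failed. If the intent is only to rebalance the count taken by pm_runtime_get_sync(), pm_runtime_put_noidle(dev->dev) on the "ret < 0" branch does that and nothing else. Otherwise a one-line comment at "out:" stating that the put is required even when the get fails would keep a later cleanup from restoring the early return.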
--
2.25.1
From: Aditya Pakki <[email protected]>
[ Upstream commit 6f2e8acdb48ed166b65d47837c31b177460491ec ]
On calling pm_runtime_get_sync() the reference count of the device
is incremented. In case of failure, decrement the
reference count before returning the error.
Signed-off-by: Aditya Pakki <[email protected]>
Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/gpu/drm/radeon/radeon_connectors.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c
index 48f752cf7a920..fc021b8e4077d 100644
--- a/drivers/gpu/drm/radeon/radeon_connectors.c
+++ b/drivers/gpu/drm/radeon/radeon_connectors.c
@@ -895,8 +895,10 @@ radeon_lvds_detect(struct drm_connector *connector, bool force)
if (!drm_kms_helper_is_poll_worker()) {
r = pm_runtime_get_sync(connector->dev->dev);
- if (r < 0)
+ if (r < 0) {
+ pm_runtime_put_autosuspend(connector->dev->dev);
return connector_status_disconnected;
+ }
}
if (encoder) {
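Review bot: in the "r < 0" branch of radeon_lvds_detect() the error code in r is dropped and the function reports connector_status_disconnected, so a failed runtime resume looks the same to the caller as an unplugged panel. Since this branch is being touched anyway, consider logging r before the return so the failure is visible in dmesg.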
@@ -1041,8 +1043,10 @@ radeon_vga_detect(struct drm_connector *connector, bool force)
if (!drm_kms_helper_is_poll_worker()) {
r = pm_runtime_get_sync(connector->dev->dev);
- if (r < 0)
+ if (r < 0) {
+ pm_runtime_put_autosuspend(connector->dev->dev);
return connector_status_disconnected;
+ }
}
encoder = radeon_best_single_encoder(connector);
@@ -1179,8 +1183,10 @@ radeon_tv_detect(struct drm_connector *connector, bool force)
if (!drm_kms_helper_is_poll_worker()) {
r = pm_runtime_get_sync(connector->dev->dev);
- if (r < 0)
+ if (r < 0) {
+ pm_runtime_put_autosuspend(connector->dev->dev);
return connector_status_disconnected;
+ }
}
encoder = radeon_best_single_encoder(connector);
@@ -1263,8 +1269,10 @@ radeon_dvi_detect(struct drm_connector *connector, bool force)
if (!drm_kms_helper_is_poll_worker()) {
r = pm_runtime_get_sync(connector->dev->dev);
- if (r < 0)
+ if (r < 0) {
+ pm_runtime_put_autosuspend(connector->dev->dev);
return connector_status_disconnected;
+ }
}
if (radeon_connector->detected_hpd_without_ddc) {
@@ -1704,8 +1712,10 @@ radeon_dp_detect(struct drm_connector *connector, bool force)
if (!drm_kms_helper_is_poll_worker()) {
r = pm_runtime_get_sync(connector->dev->dev);
- if (r < 0)
+ if (r < 0) {
+ pm_runtime_put_autosuspend(connector->dev->dev);
return connector_status_disconnected;
+ }
}
if (!force && radeon_check_hpd_status_unchanged(connector)) {
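Review bot: this is the fifth copy of the same error block in this patch (lvds, vga, tv, dvi and dp detect), each identical apart from the enclosing function. A small static helper wrapping the drm_kms_helper_is_poll_worker() test, the pm_runtime_get_sync() call and the put on failure would keep the five call sites from drifting apart the next time the error handling changes.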
--
2.25.1
From: Andy Shevchenko <[email protected]>
[ Upstream commit 3ea2e4eab64cefa06055bb0541fcdedad4b48565 ]
Intel Emmitsburg PCH has the same LPSS as Intel Ice Lake.
Add the new IDs to the list of supported devices.
Signed-off-by: Andy Shevchenko <[email protected]>
Signed-off-by: Lee Jones <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/mfd/intel-lpss-pci.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/mfd/intel-lpss-pci.c b/drivers/mfd/intel-lpss-pci.c
index 0504761516f7b..a12bb8ed20405 100644
--- a/drivers/mfd/intel-lpss-pci.c
+++ b/drivers/mfd/intel-lpss-pci.c
@@ -176,6 +176,9 @@ static const struct pci_device_id intel_lpss_pci_ids[] = {
{ PCI_VDEVICE(INTEL, 0x1ac4), (kernel_ulong_t)&bxt_info },
{ PCI_VDEVICE(INTEL, 0x1ac6), (kernel_ulong_t)&bxt_info },
{ PCI_VDEVICE(INTEL, 0x1aee), (kernel_ulong_t)&bxt_uart_info },
+ /* EBG */
+ { PCI_VDEVICE(INTEL, 0x1bad), (kernel_ulong_t)&bxt_uart_info },
+ { PCI_VDEVICE(INTEL, 0x1bae), (kernel_ulong_t)&bxt_uart_info },
/* GLK */
{ PCI_VDEVICE(INTEL, 0x31ac), (kernel_ulong_t)&glk_i2c_info },
{ PCI_VDEVICE(INTEL, 0x31ae), (kernel_ulong_t)&glk_i2c_info },
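Review bot: the two new entries under "/* EBG */" bind 0x1bad and 0x1bae to bxt_uart_info, while the commit message justifies the change by saying the LPSS matches Ice Lake. Nothing in the hunk or the message says why the Broxton UART platform data is the right match, or that only UART functions are being added. A sentence in the changelog stating both would let a reader check the mapping without the datasheet.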
--
2.25.1
From: Jia-Ju Bai <[email protected]>
[ Upstream commit 6499a0db9b0f1e903d52f8244eacc1d4be00eea2 ]
The value av7110->debi_virt is stored in DMA memory, and it is assigned
to data, and thus data[0] can be modified at any time by malicious
hardware. In this case, "if (data[0] < 2)" can be passed, but then
data[0] can be changed into a large number, which may cause buffer
overflow when the code "av7110->ci_slot[data[0]]" is used.
To fix this possible bug, data[0] is assigned to a local variable, which
replaces the use of data[0].
Signed-off-by: Jia-Ju Bai <[email protected]>
Signed-off-by: Sean Young <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/media/pci/ttpci/av7110.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/media/pci/ttpci/av7110.c b/drivers/media/pci/ttpci/av7110.c
index f46947d8adf8f..fcc053d95ae49 100644
--- a/drivers/media/pci/ttpci/av7110.c
+++ b/drivers/media/pci/ttpci/av7110.c
@@ -423,14 +423,15 @@ static void debiirq(unsigned long cookie)
case DATA_CI_GET:
{
u8 *data = av7110->debi_virt;
+ u8 data_0 = data[0];
- if ((data[0] < 2) && data[2] == 0xff) {
+ if (data_0 < 2 && data[2] == 0xff) {
int flags = 0;
if (data[5] > 0)
flags |= CA_CI_MODULE_PRESENT;
if (data[5] > 5)
flags |= CA_CI_MODULE_READY;
- av7110->ci_slot[data[0]].flags = flags;
+ av7110->ci_slot[data_0].flags = flags;
} else
ci_get_data(&av7110->ci_rbuffer,
av7110->debi_virt,
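Review bot: "u8 data_0 = data[0];" is a plain load from the DMA buffer, so the compiler remains free to re-read data[0] for the "data_0 < 2" check and again for the ci_slot[] index. READ_ONCE(data[0]) would guarantee the single fetch that the commit message relies on. Under the same threat model data[5] is still read twice in the two flag tests; that cannot index out of bounds, but it can produce a flags value that matches neither snapshot, so taking a local copy of it as well would be consistent.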
--
2.25.1
From: Mark Tomlinson <[email protected]>
[ Upstream commit 272502fcb7cda01ab07fc2fcff82d1d2f73d43cc ]
When receiving an IPv4 packet inside an IPv6 GRE packet, and the
IP6_TNL_F_RCV_DSCP_COPY flag is set on the tunnel, the IPv4 header would
get corrupted. This is due to the common ip6_tnl_rcv() function assuming
that the inner header is always IPv6. This patch checks the tunnel
protocol for IPv4 inner packets, but still defaults to IPv6.
Fixes: 308edfdf1563 ("gre6: Cleanup GREv6 receive path, call common GRE functions")
Signed-off-by: Mark Tomlinson <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/ipv6/ip6_tunnel.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -872,7 +872,15 @@ int ip6_tnl_rcv(struct ip6_tnl *t, struc
struct metadata_dst *tun_dst,
bool log_ecn_err)
{
- return __ip6_tnl_rcv(t, skb, tpi, NULL, ip6ip6_dscp_ecn_decapsulate,
+ int (*dscp_ecn_decapsulate)(const struct ip6_tnl *t,
+ const struct ipv6hdr *ipv6h,
+ struct sk_buff *skb);
+
+ dscp_ecn_decapsulate = ip6ip6_dscp_ecn_decapsulate;
+ if (tpi->proto == htons(ETH_P_IP))
+ dscp_ecn_decapsulate = ip4ip6_dscp_ecn_decapsulate;
+
+ return __ip6_tnl_rcv(t, skb, tpi, NULL, dscp_ecn_decapsulate,
log_ecn_err);
}
EXPORT_SYMBOL(ip6_tnl_rcv);
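Review bot: the selection in ip6_tnl_rcv() treats every tpi->proto other than htons(ETH_P_IP) as IPv6, so any other inner protocol reaching this function is still handed to ip6ip6_dscp_ecn_decapsulate. The changelog says this default is intentional, but the code carries no comment saying so. Either add a short comment above the assignment explaining why IPv6 is a safe default, or test for htons(ETH_P_IPV6) explicitly and decide what other protocols should get.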
From: Michael Ellerman <[email protected]>
commit 0828137e8f16721842468e33df0460044a0c588b upstream.
__init_FSCR() was added originally in commit 2468dcf641e4 ("powerpc:
Add support for context switching the TAR register") (Feb 2013), and
only set FSCR_TAR.
At that point FSCR (Facility Status and Control Register) was not
context switched, so the setting was permanent after boot.
Later we added initialisation of FSCR_DSCR to __init_FSCR(), in commit
54c9b2253d34 ("powerpc: Set DSCR bit in FSCR setup") (Mar 2013), again
that was permanent after boot.
Then commit 2517617e0de6 ("powerpc: Fix context switch DSCR on
POWER8") (Aug 2013) added a limited context switch of FSCR, just the
FSCR_DSCR bit was context switched based on thread.dscr_inherit. That
commit said "This clears the H/FSCR DSCR bit initially", but it
didn't, it left the initialisation of FSCR_DSCR in __init_FSCR().
However the initial context switch from init_task to pid 1 would clear
FSCR_DSCR because thread.dscr_inherit was 0.
That commit also introduced the requirement that FSCR_DSCR be clear
for user processes, so that we can take the facility unavailable
interrupt in order to manage dscr_inherit.
Then in commit 152d523e6307 ("powerpc: Create context switch helpers
save_sprs() and restore_sprs()") (Dec 2015) FSCR was added to
thread_struct. However it still wasn't fully context switched, we just
took the existing value and set FSCR_DSCR if the new thread had
dscr_inherit set. FSCR was still initialised at boot to FSCR_DSCR |
FSCR_TAR, but that value was not propagated into the thread_struct, so
the initial context switch set FSCR_DSCR back to 0.
Finally commit b57bd2de8c6c ("powerpc: Improve FSCR init and context
switching") (Jun 2016) added a full context switch of the FSCR, and
added an initialisation of init_task.thread.fscr to FSCR_TAR |
FSCR_EBB, but omitted FSCR_DSCR.
The end result is that swapper runs with FSCR_DSCR set because of the
initialisation in __init_FSCR(), but no other processes do, they use
the value from init_task.thread.fscr.
Having FSCR_DSCR set for swapper allows it to access SPR 3 from
userspace, but swapper never runs userspace, so it has no useful
effect. It's also confusing to have the value initialised in two
places to two different values.
So remove FSCR_DSCR from __init_FSCR(), this at least gets us to the
point where there's a single value of FSCR, even if it's still set in
two places.
Signed-off-by: Michael Ellerman <[email protected]>
Tested-by: Alistair Popple <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Cc: Thadeu Lima de Souza Cascardo <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
arch/powerpc/kernel/cpu_setup_power.S | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/powerpc/kernel/cpu_setup_power.S
+++ b/arch/powerpc/kernel/cpu_setup_power.S
@@ -189,7 +189,7 @@ __init_LPCR_ISA300:
__init_FSCR:
mfspr r3,SPRN_FSCR
- ori r3,r3,FSCR_TAR|FSCR_DSCR|FSCR_EBB
+ ori r3,r3,FSCR_TAR|FSCR_EBB
mtspr SPRN_FSCR,r3
blr
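Review bot: the "ori r3,r3,FSCR_TAR|FSCR_EBB" line in __init_FSCR now omits FSCR_DSCR with no comment in the source, and the reasoning lives only in the changelog. A one-line comment above the ori stating that FSCR_DSCR must stay clear so the facility unavailable interrupt can manage dscr_inherit, and that the value must match init_task.thread.fscr, would keep the bit from being re-added and the two initialisation sites from diverging again.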
From: Miaohe Lin <[email protected]>
[ Upstream commit 55eff0eb7460c3d50716ed9eccf22257b046ca92 ]
We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). So
we should pull VLAN_HLEN + sizeof(unsigned short) in skb_vlan_untag() or
we may access the wrong data.
Fixes: 0d5501c1c828 ("net: Always untag vlan-tagged traffic on input.")
Signed-off-by: Miaohe Lin <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/core/skbuff.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -5053,8 +5053,8 @@ struct sk_buff *skb_vlan_untag(struct sk
skb = skb_share_check(skb, GFP_ATOMIC);
if (unlikely(!skb))
goto err_free;
-
- if (unlikely(!pskb_may_pull(skb, VLAN_HLEN)))
+ /* We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). */
+ if (unlikely(!pskb_may_pull(skb, VLAN_HLEN + sizeof(unsigned short))))
goto err_free;
vhdr = (struct vlan_hdr *)skb->data;
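Review bot: in the pskb_may_pull() call, "sizeof(unsigned short)" stands for the two-byte field that vlan_set_encap_proto() reads after the VLAN header, but the type does not say that. sizeof(__be16) or a named constant would tie the length to the on-wire field rather than to a C type that happens to be two bytes. The patch also replaces the blank line after the skb_share_check() block with the comment; keeping the blank line before the comment would preserve the visual separation between the two checks.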
From: Alexey Kardashevskiy <[email protected]>
[ Upstream commit f0993c839e95dd6c7f054a1015e693c87e33e4fb ]
xive_native_provision_pages() allocates memory and passes the pointer to
OPAL so kmemleak cannot find the pointer usage in the kernel memory and
produces a false positive report (below) (even if the kernel did scan
OPAL memory, it is unable to deal with __pa() addresses anyway).
This silences the warning.
unreferenced object 0xc000200350c40000 (size 65536):
comm "qemu-system-ppc", pid 2725, jiffies 4294946414 (age 70776.530s)
hex dump (first 32 bytes):
02 00 00 00 50 00 00 00 00 00 00 00 00 00 00 00 ....P...........
01 00 08 07 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<0000000081ff046c>] xive_native_alloc_vp_block+0x120/0x250
[<00000000d555d524>] kvmppc_xive_compute_vp_id+0x248/0x350 [kvm]
[<00000000d69b9c9f>] kvmppc_xive_connect_vcpu+0xc0/0x520 [kvm]
[<000000006acbc81c>] kvm_arch_vcpu_ioctl+0x308/0x580 [kvm]
[<0000000089c69580>] kvm_vcpu_ioctl+0x19c/0xae0 [kvm]
[<00000000902ae91e>] ksys_ioctl+0x184/0x1b0
[<00000000f3e68bd7>] sys_ioctl+0x48/0xb0
[<0000000001b2c127>] system_call_exception+0x124/0x1f0
[<00000000d2b2ee40>] system_call_common+0xe8/0x214
Signed-off-by: Alexey Kardashevskiy <[email protected]>
Signed-off-by: Michael Ellerman <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
arch/powerpc/sysdev/xive/native.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/powerpc/sysdev/xive/native.c b/arch/powerpc/sysdev/xive/native.c
index 30cdcbfa1c04e..b0e96f4b728c1 100644
--- a/arch/powerpc/sysdev/xive/native.c
+++ b/arch/powerpc/sysdev/xive/native.c
@@ -22,6 +22,7 @@
#include <linux/delay.h>
#include <linux/cpumask.h>
#include <linux/mm.h>
+#include <linux/kmemleak.h>
#include <asm/prom.h>
#include <asm/io.h>
@@ -630,6 +631,7 @@ static bool xive_native_provision_pages(void)
pr_err("Failed to allocate provisioning page\n");
return false;
}
+ kmemleak_ignore(p);
opal_xive_donate_page(chip, __pa(p));
}
return true;
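Review bot: kmemleak_ignore(p) in xive_native_provision_pages() is added without a comment, so the reason is visible only in the changelog. A short comment above it saying that the page is donated to OPAL and is referenced afterwards only by its __pa() address would make clear that this is a deliberate hand-off and not a way of hiding a leak. It is also worth stating in the changelog whether the kernel ever gets these pages back, since kmemleak_ignore() removes them from leak reporting permanently.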
--
2.25.1
On 9/1/20 9:09 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.196 release.
> There are 91 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 03 Sep 2020 15:09:01 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.196-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <[email protected]>
thanks,
-- Shuah
On Tue, 1 Sep 2020 at 20:49, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 4.14.196 release.
> There are 91 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 03 Sep 2020 15:09:01 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.196-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.
Tested-by: Linux Kernel Functional Testing <[email protected]>
NOTE:
Kernel BUG on arm64 juno kasan config kernel running
LTP tracing test suite found this BUG. This BUG is not specific
to this stable rc release.
BUG: KASAN: use-after-free in prepare_ftrace_return
Summary
------------------------------------------------------------------------
kernel: 4.14.196-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.14.y
git commit: 54fa008d06cd73d42acafb918a6ae005eaef4875
git describe: v4.14.195-92-g54fa008d06cd
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.14-oe/build/v4.14.195-92-g54fa008d06cd
No regressions (compared to build v4.14.195)
No fixes (compared to build v4.14.195)
Ran 33060 total tests in the following environments and test suites.
Environments
--------------
- dragonboard-410c - arm64
- hi6220-hikey - arm64
- i386
- juno-r2 - arm64
- juno-r2-compat
- juno-r2-kasan
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15 - arm
- x86_64
- x86-kasan
Test Suites
-----------
* build
* igt-gpu-tools
* install-android-platform-tools-r2600
* kselftest
* kselftest/drivers
* kselftest/filesystems
* kselftest/net
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-tracing-tests
* perf
* v4l2-compliance
* ltp-containers-tests
* ltp-dio-tests
* ltp-fs-tests
* ltp-io-tests
* ltp-syscalls-tests
* network-basic-tests
* ltp-open-posix-tests
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-native/drivers
* kselftest-vsyscall-mode-native/filesystems
* kselftest-vsyscall-mode-native/net
* kselftest-vsyscall-mode-none
* kselftest-vsyscall-mode-none/drivers
* kselftest-vsyscall-mode-none/filesystems
* kselftest-vsyscall-mode-none/net
* ssuite
--
Linaro LKFT
https://lkft.linaro.org
On Tue, Sep 01, 2020 at 05:09:34PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.196 release.
> There are 91 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 03 Sep 2020 15:09:01 +0000.
> Anything received after that time might be too late.
>
Build results:
total: 171 pass: 171 fail: 0
Qemu test results:
total: 408 pass: 408 fail: 0
Tested-by: Guenter Roeck <[email protected]>
Guenter