This is the start of the stable review cycle for the 4.14.197 release.
There are 65 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu, 10 Sep 2020 15:21:57 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.197-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <[email protected]>
Linux 4.14.197-rc1
Himadri Pandya <[email protected]>
net: usb: Fix uninit-was-stored issue in asix_read_phy_addr()
Johannes Berg <[email protected]>
cfg80211: regulatory: reject invalid hints
Muchun Song <[email protected]>
mm/hugetlb: fix a race between hugetlb sysctl handlers
Mrinal Pandey <[email protected]>
checkpatch: fix the usage of capture group ( ... )
James Morse <[email protected]>
KVM: arm64: Set HCR_EL2.PTW to prevent AT taking synchronous exception
James Morse <[email protected]>
KVM: arm64: Survive synchronous exceptions caused by AT instructions
James Morse <[email protected]>
KVM: arm64: Defer guest entry when an asynchronous exception is pending
James Morse <[email protected]>
KVM: arm64: Add kvm_extable for vaxorcism code
Eugeniu Rosca <[email protected]>
mm: slub: fix conversion of freelist_corrupted()
Ye Bin <[email protected]>
dm thin metadata: Avoid returning cmd->bm wild pointer on error
Ye Bin <[email protected]>
dm cache metadata: Avoid returning cmd->bm wild pointer on error
Tejun Heo <[email protected]>
libata: implement ATA_HORKAGE_MAX_TRIM_128M and apply to Sandisks
Bart Van Assche <[email protected]>
block: Move SECTOR_SIZE and SECTOR_SHIFT definitions into <linux/blkdev.h>
Ming Lei <[email protected]>
block: allow for_each_bvec to support zero len bvec
Max Staudt <[email protected]>
affs: fix basic permission bits to actually work
Takashi Sakamoto <[email protected]>
ALSA: firewire-digi00x: exclude Avid Adrenaline from detection
Kai Vehmanen <[email protected]>
ALSA: hda/hdmi: always check pin power status in i915 pin fixup
Takashi Iwai <[email protected]>
ALSA: pcm: oss: Remove superfluous WARN_ON() for mulaw sanity check
Tong Zhang <[email protected]>
ALSA: ca0106: fix error code handling
Rogan Dawes <[email protected]>
usb: qmi_wwan: add D-Link DWM-222 A2 device ID
Daniele Palmas <[email protected]>
net: usb: qmi_wwan: add Telit 0x1050 composition
Josef Bacik <[email protected]>
btrfs: fix potential deadlock in the search ioctl
Daniel Borkmann <[email protected]>
uaccess: Add non-pagefault user-space write function
Masami Hiramatsu <[email protected]>
uaccess: Add non-pagefault user-space read functions
Josef Bacik <[email protected]>
btrfs: set the lockdep class for log tree extent buffers
Nikolay Borisov <[email protected]>
btrfs: Remove extraneous extent_buffer_get from tree_mod_log_rewind
Nikolay Borisov <[email protected]>
btrfs: Remove redundant extent_buffer_get in get_old_root
Josef Bacik <[email protected]>
btrfs: drop path before adding new uuid tree entry
Jason Gunthorpe <[email protected]>
include/linux/log2.h: add missing () around n in roundup_pow_of_two()
Tony Lindgren <[email protected]>
thermal: ti-soc-thermal: Fix bogus thermal shutdowns for omap4430
Lu Baolu <[email protected]>
iommu/vt-d: Serialize IOMMU GCMD register modifications
Michael Chan <[email protected]>
tg3: Fix soft lockup when tg3_reset_task() fails.
Kai-Heng Feng <[email protected]>
drm/radeon: Prefer lower feedback dividers
Al Viro <[email protected]>
fix regression in "epoll: Keep a reference on files added to the check list"
Shung-Hsi Yu <[email protected]>
net: ethernet: mlx4: Fix memory allocation in mlx4_buddy_init()
Al Grant <[email protected]>
perf tools: Correct SNOOPX field offset
Christophe JAILLET <[email protected]>
nvmet-fc: Fix a missed _irqsave version of spin_lock in 'nvmet_fc_fod_op_done()'
Vasundhara Volam <[email protected]>
bnxt_en: Fix PCI AER error recovery flow
Vasundhara Volam <[email protected]>
bnxt_en: Check for zero dir entries in NVRAM.
Nicolas Dichtel <[email protected]>
gtp: add GTPA_LINK info to msg sent to userspace
Marek Szyprowski <[email protected]>
dmaengine: pl330: Fix burst length if burst size is smaller than bus width
Dinghao Liu <[email protected]>
net: arc_emac: Fix memleak in arc_mdio_probe
Yuusuke Ashizuka <[email protected]>
ravb: Fixed to be able to unload modules
Dinghao Liu <[email protected]>
net: systemport: Fix memleak in bcm_sysport_probe
Dinghao Liu <[email protected]>
net: hns: Fix memleak in hns_nic_dev_probe
Florian Westphal <[email protected]>
netfilter: nf_tables: fix destination register zeroing
Pablo Neira Ayuso <[email protected]>
netfilter: nf_tables: incorrect enum nft_list_attributes definition
Pablo Neira Ayuso <[email protected]>
netfilter: nf_tables: add NFTA_SET_USERDATA if not null
Florian Fainelli <[email protected]>
MIPS: BMIPS: Also call bmips_cpu_setup() for secondary cores
Florian Fainelli <[email protected]>
MIPS: mm: BMIPS5000 has inclusive physical caches
Yu Kuai <[email protected]>
dmaengine: at_hdmac: check return value of of_find_device_by_node() in at_dma_xlate()
Jussi Kivilinna <[email protected]>
batman-adv: bla: use netif_rx_ni when not in interrupt context
Linus Lüssing <[email protected]>
batman-adv: Fix own OGM check in aggregated OGMs
Sven Eckelmann <[email protected]>
batman-adv: Avoid uninitialized chaddr when handling DHCP
Peter Ujfalusi <[email protected]>
dmaengine: of-dma: Fix of_dma_router_xlate's of_dma_xlate handling
Simon Leiner <[email protected]>
xen/xenbus: Fix granting of vmalloc'd memory
Sven Schnelle <[email protected]>
s390: don't trace preemption in percpu macros
Peter Zijlstra <[email protected]>
cpuidle: Fixup IRQ state
Jeff Layton <[email protected]>
ceph: don't allow setlease on cephfs
Amit Engel <[email protected]>
nvmet: Disable keep-alive timer when kato is cleared to 0h
Tom Rix <[email protected]>
hwmon: (applesmc) check status earlier.
Krishna Manikandan <[email protected]>
drm/msm: add shutdown support for display platform_driver
Kim Phillips <[email protected]>
perf record/stat: Explicitly call out event modifiers in the documentation
Marc Zyngier <[email protected]>
HID: core: Sanitize event code and type when mapping input
Marc Zyngier <[email protected]>
HID: core: Correctly handle ReportSize being zero
-------------
Diffstat:
Documentation/filesystems/affs.txt | 16 +-
Makefile | 4 +-
arch/arm64/include/asm/kvm_arm.h | 3 +-
arch/arm64/include/asm/kvm_asm.h | 43 ++++++
arch/arm64/kernel/vmlinux.lds.S | 8 +
arch/arm64/kvm/hyp/entry.S | 26 +++-
arch/arm64/kvm/hyp/hyp-entry.S | 63 +++++---
arch/arm64/kvm/hyp/switch.c | 39 ++++-
arch/mips/kernel/smp-bmips.c | 2 +
arch/mips/mm/c-r4k.c | 4 +
arch/s390/include/asm/percpu.h | 28 ++--
arch/xtensa/platforms/iss/simdisk.c | 1 -
drivers/ata/libata-core.c | 5 +-
drivers/ata/libata-scsi.c | 8 +-
drivers/block/brd.c | 1 -
drivers/block/null_blk.c | 2 -
drivers/block/rbd.c | 9 --
drivers/block/zram/zram_drv.h | 1 -
drivers/cpuidle/cpuidle.c | 3 +-
drivers/dma/at_hdmac.c | 2 +
drivers/dma/of-dma.c | 8 +-
drivers/dma/pl330.c | 2 +-
drivers/gpu/drm/msm/msm_drv.c | 8 +
drivers/gpu/drm/radeon/radeon_display.c | 2 +-
drivers/hid/hid-core.c | 15 +-
drivers/hid/hid-input.c | 4 +
drivers/hid/hid-multitouch.c | 2 +
drivers/hwmon/applesmc.c | 31 ++--
drivers/ide/ide-cd.c | 8 +-
drivers/ide/ide-cd.h | 6 +-
drivers/iommu/intel_irq_remapping.c | 10 +-
drivers/md/dm-cache-metadata.c | 8 +-
drivers/md/dm-thin-metadata.c | 8 +-
drivers/net/ethernet/arc/emac_mdio.c | 1 +
drivers/net/ethernet/broadcom/bcmsysport.c | 6 +-
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 +
drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 3 +
drivers/net/ethernet/broadcom/tg3.c | 17 ++-
drivers/net/ethernet/hisilicon/hns/hns_enet.c | 9 +-
drivers/net/ethernet/mellanox/mlx4/mr.c | 2 +-
drivers/net/ethernet/renesas/ravb_main.c | 110 +++++++-------
drivers/net/gtp.c | 1 +
drivers/net/usb/asix_common.c | 2 +-
drivers/net/usb/qmi_wwan.c | 2 +
drivers/nvdimm/nd.h | 1 -
drivers/nvme/target/core.c | 6 +
drivers/nvme/target/fc.c | 4 +-
drivers/scsi/gdth.h | 3 -
.../thermal/ti-soc-thermal/omap4-thermal-data.c | 23 +--
drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h | 10 +-
drivers/xen/xenbus/xenbus_client.c | 10 +-
fs/affs/amigaffs.c | 27 ++++
fs/affs/file.c | 26 +++-
fs/btrfs/ctree.c | 8 +-
fs/btrfs/extent_io.c | 8 +-
fs/btrfs/extent_io.h | 6 +-
fs/btrfs/ioctl.c | 27 +++-
fs/btrfs/volumes.c | 3 +-
fs/ceph/file.c | 1 +
fs/eventpoll.c | 6 +-
include/linux/blkdev.h | 42 ++++--
include/linux/bvec.h | 9 +-
include/linux/device-mapper.h | 2 -
include/linux/hid.h | 42 ++++--
include/linux/ide.h | 1 -
include/linux/libata.h | 1 +
include/linux/log2.h | 2 +-
include/linux/uaccess.h | 26 ++++
include/net/netfilter/nf_tables.h | 2 +
include/uapi/linux/msdos_fs.h | 2 +
include/uapi/linux/netfilter/nf_tables.h | 2 +-
mm/hugetlb.c | 26 +++-
mm/maccess.c | 167 +++++++++++++++++++--
mm/slub.c | 12 +-
net/batman-adv/bat_v_ogm.c | 11 +-
net/batman-adv/bridge_loop_avoidance.c | 5 +-
net/batman-adv/gateway_client.c | 6 +-
net/netfilter/nf_tables_api.c | 3 +-
net/netfilter/nft_payload.c | 4 +-
net/wireless/reg.c | 3 +
scripts/checkpatch.pl | 4 +-
sound/core/oss/mulaw.c | 4 +-
sound/firewire/digi00x/digi00x.c | 5 +
sound/pci/ca0106/ca0106_main.c | 3 +-
sound/pci/hda/patch_hdmi.c | 1 +
tools/include/uapi/linux/perf_event.h | 2 +-
tools/perf/Documentation/perf-record.txt | 4 +
tools/perf/Documentation/perf-stat.txt | 4 +
88 files changed, 811 insertions(+), 289 deletions(-)
From: Kim Phillips <[email protected]>
commit e48a73a312ebf19cc3d72aa74985db25c30757c1 upstream.
Event modifiers are not mentioned in the perf record or perf stat
manpages. Add them to orient new users more effectively by pointing
them to the perf list manpage for details.
Fixes: 2055fdaf8703 ("perf list: Document precise event sampling for AMD IBS")
Signed-off-by: Kim Phillips <[email protected]>
Cc: Adrian Hunter <[email protected]>
Cc: Alexander Shishkin <[email protected]>
Cc: Alexey Budankov <[email protected]>
Cc: Ian Rogers <[email protected]>
Cc: Jin Yao <[email protected]>
Cc: Jiri Olsa <[email protected]>
Cc: Mark Rutland <[email protected]>
Cc: Namhyung Kim <[email protected]>
Cc: Paul Clarke <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Stephane Eranian <[email protected]>
Cc: Tony Jones <[email protected]>
Cc: [email protected]
Link: http://lore.kernel.org/lkml/[email protected]
Signed-off-by: Arnaldo Carvalho de Melo <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
tools/perf/Documentation/perf-record.txt | 4 ++++
tools/perf/Documentation/perf-stat.txt | 4 ++++
2 files changed, 8 insertions(+)
--- a/tools/perf/Documentation/perf-record.txt
+++ b/tools/perf/Documentation/perf-record.txt
@@ -33,6 +33,10 @@ OPTIONS
- a raw PMU event (eventsel+umask) in the form of rNNN where NNN is a
hexadecimal event descriptor.
+ - a symbolic or raw PMU event followed by an optional colon
+ and a list of event modifiers, e.g., cpu-cycles:p. See the
+ linkperf:perf-list[1] man page for details on event modifiers.
+
- a symbolically formed PMU event like 'pmu/param1=0x3,param2/' where
'param1', 'param2', etc are defined as formats for the PMU in
/sys/bus/event_source/devices/<pmu>/format/*.
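Review bot: the added bullet speaks of "a list of event modifiers" but its only example, cpu-cycles:p, carries a single modifier, so the reader cannot tell from this text how several are written. Either show an example with more than one modifier or say how they are combined, and keep the wording identical to the copy added to perf-stat.txt.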
--- a/tools/perf/Documentation/perf-stat.txt
+++ b/tools/perf/Documentation/perf-stat.txt
@@ -39,6 +39,10 @@ report::
- a raw PMU event (eventsel+umask) in the form of rNNN where NNN is a
hexadecimal event descriptor.
+ - a symbolic or raw PMU event followed by an optional colon
+ and a list of event modifiers, e.g., cpu-cycles:p. See the
+ linkperf:perf-list[1] man page for details on event modifiers.
+
- a symbolically formed event like 'pmu/param1=0x3,param2/' where
param1 and param2 are defined as formats for the PMU in
/sys/bus/event_source/devices/<pmu>/format/*
From: Tom Rix <[email protected]>
[ Upstream commit cecf7560f00a8419396a2ed0f6e5d245ccb4feac ]
clang static analysis reports this representative problem
applesmc.c:758:10: warning: 1st function call argument is an
uninitialized value
left = be16_to_cpu(*(__be16 *)(buffer + 6)) >> 2;
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
buffer is filled by the earlier call
ret = applesmc_read_key(LIGHT_SENSOR_LEFT_KEY, ...
This problem is reported because a goto skips the status check.
Other similar problems use data from applesmc_read_key before checking
the status. So move the checks to before the use.
Signed-off-by: Tom Rix <[email protected]>
Reviewed-by: Henrik Rydberg <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Guenter Roeck <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/hwmon/applesmc.c | 31 ++++++++++++++++---------------
1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c
index 5c677ba440143..b201129a9beae 100644
--- a/drivers/hwmon/applesmc.c
+++ b/drivers/hwmon/applesmc.c
@@ -760,15 +760,18 @@ static ssize_t applesmc_light_show(struct device *dev,
}
ret = applesmc_read_key(LIGHT_SENSOR_LEFT_KEY, buffer, data_length);
+ if (ret)
+ goto out;
/* newer macbooks report a single 10-bit bigendian value */
if (data_length == 10) {
left = be16_to_cpu(*(__be16 *)(buffer + 6)) >> 2;
goto out;
}
left = buffer[2];
+
+ ret = applesmc_read_key(LIGHT_SENSOR_RIGHT_KEY, buffer, data_length);
if (ret)
goto out;
- ret = applesmc_read_key(LIGHT_SENSOR_RIGHT_KEY, buffer, data_length);
right = buffer[2];
out:
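Review bot: the new "if (ret) goto out;" after the LIGHT_SENSOR_LEFT_KEY read, like the existing goto in the data_length == 10 branch, reaches out: without right ever being assigned in this hunk. The code after out: is not visible here, so please confirm it returns ret before formatting left and right, and that both variables are initialised at their declaration.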
@@ -817,12 +820,11 @@ static ssize_t applesmc_show_fan_speed(struct device *dev,
to_index(attr));
ret = applesmc_read_key(newkey, buffer, 2);
- speed = ((buffer[0] << 8 | buffer[1]) >> 2);
-
if (ret)
return ret;
- else
- return snprintf(sysfsbuf, PAGE_SIZE, "%u\n", speed);
+
+ speed = ((buffer[0] << 8 | buffer[1]) >> 2);
+ return snprintf(sysfsbuf, PAGE_SIZE, "%u\n", speed);
}
static ssize_t applesmc_store_fan_speed(struct device *dev,
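Review bot: the moved line "speed = ((buffer[0] << 8 | buffer[1]) >> 2);" leans on operator precedence for the shift and the OR, and the same two-byte big-endian decode is repeated in applesmc_show_fan_manual() and applesmc_store_fan_manual() in the following hunks. Since these lines are being touched anyway, writing it as (buffer[0] << 8) | buffer[1], or pulling it into one small helper, would make the three sites harder to get wrong.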
@@ -858,12 +860,11 @@ static ssize_t applesmc_show_fan_manual(struct device *dev,
u8 buffer[2];
ret = applesmc_read_key(FANS_MANUAL, buffer, 2);
- manual = ((buffer[0] << 8 | buffer[1]) >> to_index(attr)) & 0x01;
-
if (ret)
return ret;
- else
- return snprintf(sysfsbuf, PAGE_SIZE, "%d\n", manual);
+
+ manual = ((buffer[0] << 8 | buffer[1]) >> to_index(attr)) & 0x01;
+ return snprintf(sysfsbuf, PAGE_SIZE, "%d\n", manual);
}
static ssize_t applesmc_store_fan_manual(struct device *dev,
@@ -879,10 +880,11 @@ static ssize_t applesmc_store_fan_manual(struct device *dev,
return -EINVAL;
ret = applesmc_read_key(FANS_MANUAL, buffer, 2);
- val = (buffer[0] << 8 | buffer[1]);
if (ret)
goto out;
+ val = (buffer[0] << 8 | buffer[1]);
+
if (input)
val = val | (0x01 << to_index(attr));
else
@@ -958,13 +960,12 @@ static ssize_t applesmc_key_count_show(struct device *dev,
u32 count;
ret = applesmc_read_key(KEY_COUNT_KEY, buffer, 4);
- count = ((u32)buffer[0]<<24) + ((u32)buffer[1]<<16) +
- ((u32)buffer[2]<<8) + buffer[3];
-
if (ret)
return ret;
- else
- return snprintf(sysfsbuf, PAGE_SIZE, "%d\n", count);
+
+ count = ((u32)buffer[0]<<24) + ((u32)buffer[1]<<16) +
+ ((u32)buffer[2]<<8) + buffer[3];
+ return snprintf(sysfsbuf, PAGE_SIZE, "%d\n", count);
}
static ssize_t applesmc_key_at_index_read_show(struct device *dev,
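Review bot: count is declared u32 in applesmc_key_count_show() but the moved snprintf() still formats it with "%d". As the line is being rewritten, "%u" would match the type and avoid printing a negative number for large values.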
--
2.25.1
From: Jeff Layton <[email protected]>
[ Upstream commit 496ceaf12432b3d136dcdec48424312e71359ea7 ]
Leases don't currently work correctly on kcephfs, as they are not broken
when caps are revoked. They could eventually be implemented similarly to
how we did them in libcephfs, but for now don't allow them.
[ idryomov: no need for simple_nosetlease() in ceph_dir_fops and
ceph_snapdir_fops ]
Signed-off-by: Jeff Layton <[email protected]>
Reviewed-by: Ilya Dryomov <[email protected]>
Signed-off-by: Ilya Dryomov <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
fs/ceph/file.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/ceph/file.c b/fs/ceph/file.c
index 6d653235e323b..1f873034f4691 100644
--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -1728,6 +1728,7 @@ const struct file_operations ceph_file_fops = {
.mmap = ceph_mmap,
.fsync = ceph_fsync,
.lock = ceph_lock,
+ .setlease = simple_nosetlease,
.flock = ceph_flock,
.splice_read = generic_file_splice_read,
.splice_write = iter_file_splice_write,
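Review bot: the new ".setlease = simple_nosetlease," entry in ceph_file_fops has no comment, so the reason leases are refused lives only in the changelog. A one-line comment above it saying leases are not broken when caps are revoked would keep the next reader from treating the entry as a leftover once the file is read without the commit history.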
--
2.25.1
From: Sven Eckelmann <[email protected]>
[ Upstream commit 303216e76dcab6049c9d42390b1032f0649a8206 ]
The gateway client code can try to optimize the delivery of DHCP packets to
avoid broadcasting them through the whole mesh. But also transmissions to
the client can be optimized by looking up the destination via the chaddr of
the DHCP packet.
But the chaddr is currently only done when chaddr is fully inside the
non-paged area of the skbuff. Otherwise it will not be initialized and the
unoptimized path should have been taken.
But the implementation didn't handle this correctly. It didn't retrieve the
correct chaddr but still tried to perform the TT lookup with this
uninitialized memory.
Reported-by: [email protected]
Fixes: 6c413b1c22a2 ("batman-adv: send every DHCP packet as bat-unicast")
Signed-off-by: Sven Eckelmann <[email protected]>
Acked-by: Antonio Quartulli <[email protected]>
Signed-off-by: Simon Wunderlich <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
net/batman-adv/gateway_client.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c
index c6a7341f05270..056af2eec4a2a 100644
--- a/net/batman-adv/gateway_client.c
+++ b/net/batman-adv/gateway_client.c
@@ -674,8 +674,10 @@ batadv_gw_dhcp_recipient_get(struct sk_buff *skb, unsigned int *header_len,
chaddr_offset = *header_len + BATADV_DHCP_CHADDR_OFFSET;
/* store the client address if the message is going to a client */
- if (ret == BATADV_DHCP_TO_CLIENT &&
- pskb_may_pull(skb, chaddr_offset + ETH_ALEN)) {
+ if (ret == BATADV_DHCP_TO_CLIENT) {
+ if (!pskb_may_pull(skb, chaddr_offset + ETH_ALEN))
+ return BATADV_DHCP_NO;
+
/* check if the DHCP packet carries an Ethernet DHCP */
p = skb->data + *header_len + BATADV_DHCP_HTYPE_OFFSET;
if (*p != BATADV_DHCP_HTYPE_ETHERNET)
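Review bot: the new "return BATADV_DHCP_NO;" on a failed pskb_may_pull() discards the ret value that was already BATADV_DHCP_TO_CLIENT, and nothing in the code says why. The existing comment above the block still only describes storing the client address; please extend it to say that a packet whose chaddr cannot be pulled into the linear area is deliberately left to the unoptimized path.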
--
2.25.1
From: Marc Zyngier <[email protected]>
commit bce1305c0ece3dc549663605e567655dd701752c upstream.
It appears that a ReportSize value of zero is legal, even if a bit
non-sensical. Most of the HID code seems to handle that gracefully,
except when computing the total size in bytes. When fed as input to
memset, this leads to some funky outcomes.
Detect the corner case and correctly compute the size.
Cc: [email protected]
Signed-off-by: Marc Zyngier <[email protected]>
Signed-off-by: Benjamin Tissoires <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/hid/hid-core.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1427,6 +1427,17 @@ static void hid_output_field(const struc
}
/*
+ * Compute the size of a report.
+ */
+static size_t hid_compute_report_size(struct hid_report *report)
+{
+ if (report->size)
+ return ((report->size - 1) >> 3) + 1;
+
+ return 0;
+}
+
+/*
* Create a report. 'data' has to be allocated using
* hid_alloc_report_buf() so that it has proper size.
*/
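Review bot: the comment on hid_compute_report_size() says only "Compute the size of a report" and does not mention that report->size is a bit count, that the result is in bytes, or that a zero size returns 0, which is the whole reason the helper exists. Please document that; DIV_ROUND_UP(report->size, 8) would also give the same results, including 0 for a zero size, without the special case.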
@@ -1438,7 +1449,7 @@ void hid_output_report(struct hid_report
if (report->id > 0)
*data++ = report->id;
- memset(data, 0, ((report->size - 1) >> 3) + 1);
+ memset(data, 0, hid_compute_report_size(report));
for (n = 0; n < report->maxfield; n++)
hid_output_field(report->device, report->field[n], data);
}
@@ -1565,7 +1576,7 @@ int hid_report_raw_event(struct hid_devi
csize--;
}
- rsize = ((report->size - 1) >> 3) + 1;
+ rsize = hid_compute_report_size(report);
if (report_enum->numbered && rsize >= HID_MAX_BUFFER_SIZE)
rsize = HID_MAX_BUFFER_SIZE - 1;
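The size arithmetic this patch corrects, as an added user-space example that is not part of the original patch or of the kernel source. It assumes the report size field is a 32-bit unsigned bit count; MODEL_BUF_SIZE, clear_report() and count_mismatches() are names made up for the illustration.

```c
/* Added illustration: user-space model of the HID report-size arithmetic. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_BUF_SIZE 4096u	/* constructed capacity, for this model only */

/* Pre-patch expression. The size is modelled as a 32-bit unsigned bit
 * count (assumption), so size_bits - 1 wraps around when size_bits is 0. */
static uint32_t old_size_bytes(uint32_t size_bits)
{
	return ((size_bits - 1) >> 3) + 1;
}

/* Same logic as hid_compute_report_size() in the patch. */
static uint32_t fixed_size_bytes(uint32_t size_bits)
{
	if (size_bits)
		return ((size_bits - 1) >> 3) + 1;

	return 0;
}

/* Bounded clear: refuses a length larger than the buffer instead of
 * writing past it, which is what an unchecked memset() would do. */
static int clear_report(uint8_t *buf, size_t cap, size_t len)
{
	if (len > cap)
		return -1;
	memset(buf, 0, len);
	return 0;
}

/* Count the bit sizes in [0, max_bits] for which the two formulas
 * disagree, and report the first such size through *first. */
static unsigned int count_mismatches(uint32_t max_bits, uint32_t *first)
{
	unsigned int n = 0;
	uint32_t bits;

	for (bits = 0; bits <= max_bits; bits++) {
		if (old_size_bytes(bits) != fixed_size_bytes(bits)) {
			if (n == 0 && first)
				*first = bits;
			n++;
		}
	}
	return n;
}

int main(void)
{
	uint8_t buf[MODEL_BUF_SIZE];
	uint32_t first = 0;
	unsigned int n = count_mismatches(65536, &first);

	printf("old formula, size 0 bits: %u bytes\n",
	       (unsigned int)old_size_bytes(0));
	printf("fixed formula, size 0 bits: %u bytes\n",
	       (unsigned int)fixed_size_bytes(0));
	printf("sizes 0..65536 where they differ: %u (first: %u)\n",
	       n, (unsigned int)first);
	printf("bounded clear with old length: %d\n",
	       clear_report(buf, sizeof(buf), old_size_bytes(0)));
	printf("bounded clear with fixed length: %d\n",
	       clear_report(buf, sizeof(buf), fixed_size_bytes(0)));
	return 0;
}
```

The two formulas agree for every non-zero size, which is why the defect only shows up for a descriptor that declares a zero ReportSize.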
From: Marc Zyngier <[email protected]>
commit 35556bed836f8dc07ac55f69c8d17dce3e7f0e25 upstream.
When calling into hid_map_usage(), the passed event code is
blindly stored as is, even if it doesn't fit in the associated bitmap.
This event code can come from a variety of sources, including devices
masquerading as input devices, only a bit more "programmable".
Instead of taking the event code at face value, check that it actually
fits the corresponding bitmap, and if it doesn't:
- spit out a warning so that we know which device is acting up
- NULLify the bitmap pointer so that we catch unexpected uses
Code paths that can make use of untrusted inputs can now check
that the mapping was indeed correct and bail out if not.
Cc: [email protected]
Signed-off-by: Marc Zyngier <[email protected]>
Signed-off-by: Benjamin Tissoires <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/hid/hid-input.c | 4 ++++
drivers/hid/hid-multitouch.c | 2 ++
include/linux/hid.h | 42 +++++++++++++++++++++++++++++-------------
3 files changed, 35 insertions(+), 13 deletions(-)
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -1116,6 +1116,10 @@ static void hidinput_configure_usage(str
}
mapped:
+ /* Mapping failed, bail out */
+ if (!bit)
+ return;
+
if (device->driver->input_mapped &&
device->driver->input_mapped(device, hidinput, field, usage,
&bit, &max) < 0) {
--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -616,6 +616,8 @@ static int mt_touch_input_mapping(struct
(usage->hid & HID_USAGE) > 1)
code--;
hid_map_usage(hi, usage, bit, max, EV_KEY, code);
+ if (!*bit)
+ return -1;
input_set_capability(hi->input, EV_KEY, code);
return 1;
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -919,34 +919,49 @@ static inline void hid_device_io_stop(st
* @max: maximal valid usage->code to consider later (out parameter)
* @type: input event type (EV_KEY, EV_REL, ...)
* @c: code which corresponds to this usage and type
+ *
+ * The value pointed to by @bit will be set to NULL if either @type is
+ * an unhandled event type, or if @c is out of range for @type. This
+ * can be used as an error condition.
*/
static inline void hid_map_usage(struct hid_input *hidinput,
struct hid_usage *usage, unsigned long **bit, int *max,
- __u8 type, __u16 c)
+ __u8 type, unsigned int c)
{
struct input_dev *input = hidinput->input;
-
- usage->type = type;
- usage->code = c;
+ unsigned long *bmap = NULL;
+ unsigned int limit = 0;
switch (type) {
case EV_ABS:
- *bit = input->absbit;
- *max = ABS_MAX;
+ bmap = input->absbit;
+ limit = ABS_MAX;
break;
case EV_REL:
- *bit = input->relbit;
- *max = REL_MAX;
+ bmap = input->relbit;
+ limit = REL_MAX;
break;
case EV_KEY:
- *bit = input->keybit;
- *max = KEY_MAX;
+ bmap = input->keybit;
+ limit = KEY_MAX;
break;
case EV_LED:
- *bit = input->ledbit;
- *max = LED_MAX;
+ bmap = input->ledbit;
+ limit = LED_MAX;
break;
}
+
+ if (unlikely(c > limit || !bmap)) {
+ pr_warn_ratelimited("%s: Invalid code %d type %d\n",
+ input->name, c, type);
+ *bit = NULL;
+ return;
+ }
+
+ usage->type = type;
+ usage->code = c;
+ *max = limit;
+ *bit = bmap;
}
/**
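Review bot: in the new pr_warn_ratelimited() call, c is now an unsigned int but is printed with "%d", so an out-of-range code, which is exactly what this message reports, can show up as a negative number; use "%u". The added kernel-doc also covers only @bit on failure; it should say that @max, usage->type and usage->code are left untouched in that case, since callers can no longer assume they were written.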
@@ -960,7 +975,8 @@ static inline void hid_map_usage_clear(s
__u8 type, __u16 c)
{
hid_map_usage(hidinput, usage, bit, max, type, c);
- clear_bit(c, *bit);
+ if (*bit)
+ clear_bit(usage->code, *bit);
}
/**
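Review bot: hid_map_usage_clear() still takes "__u16 c" while hid_map_usage() was widened to "unsigned int c" in the previous hunk, so a larger code passed through this wrapper is truncated to 16 bits before the new range check sees it. Widen the parameter here as well so both entry points validate the same value.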
From: Simon Leiner <[email protected]>
[ Upstream commit d742db70033c745e410523e00522ee0cfe2aa416 ]
On some architectures (like ARM), virt_to_gfn cannot be used for
vmalloc'd memory because of its reliance on virt_to_phys. This patch
introduces a check for vmalloc'd addresses and obtains the PFN using
vmalloc_to_pfn in that case.
Signed-off-by: Simon Leiner <[email protected]>
Reviewed-by: Stefano Stabellini <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Juergen Gross <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/xen/xenbus/xenbus_client.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/xen/xenbus/xenbus_client.c b/drivers/xen/xenbus/xenbus_client.c
index e94a61eaeceb0..f7b553faadb10 100644
--- a/drivers/xen/xenbus/xenbus_client.c
+++ b/drivers/xen/xenbus/xenbus_client.c
@@ -365,8 +365,14 @@ int xenbus_grant_ring(struct xenbus_device *dev, void *vaddr,
int i, j;
for (i = 0; i < nr_pages; i++) {
- err = gnttab_grant_foreign_access(dev->otherend_id,
- virt_to_gfn(vaddr), 0);
+ unsigned long gfn;
+
+ if (is_vmalloc_addr(vaddr))
+ gfn = pfn_to_gfn(vmalloc_to_pfn(vaddr));
+ else
+ gfn = virt_to_gfn(vaddr);
+
+ err = gnttab_grant_foreign_access(dev->otherend_id, gfn, 0);
if (err < 0) {
xenbus_dev_fatal(dev, err,
"granting access to ring page");
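Review bot: the is_vmalloc_addr() branch added inside the loop in xenbus_grant_ring() carries no comment, so the reason virt_to_gfn() cannot be used for vmalloc'd addresses is recorded only in the changelog. A short comment at the branch, or a small helper that returns the gfn for either kind of address, would keep other callers from repeating the original mistake.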
--
2.25.1
From: Krishna Manikandan <[email protected]>
[ Upstream commit 9d5cbf5fe46e350715389d89d0c350d83289a102 ]
Define shutdown callback for display drm driver,
so as to disable all the CRTCS when shutdown
notification is received by the driver.
This change will turn off the timing engine so
that no display transactions are requested
while mmu translations are getting disabled
during reboot sequence.
Signed-off-by: Krishna Manikandan <[email protected]>
Changes in v2:
- Remove NULL check from msm_pdev_shutdown (Stephen Boyd)
- Change commit text to reflect when this issue
was uncovered (Sai Prakash Ranjan)
Signed-off-by: Rob Clark <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/gpu/drm/msm/msm_drv.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
index d9c0687435a05..c59240b566d83 100644
--- a/drivers/gpu/drm/msm/msm_drv.c
+++ b/drivers/gpu/drm/msm/msm_drv.c
@@ -1134,6 +1134,13 @@ static int msm_pdev_remove(struct platform_device *pdev)
return 0;
}
+static void msm_pdev_shutdown(struct platform_device *pdev)
+{
+ struct drm_device *drm = platform_get_drvdata(pdev);
+
+ drm_atomic_helper_shutdown(drm);
+}
+
static const struct of_device_id dt_match[] = {
{ .compatible = "qcom,mdp4", .data = (void *)4 }, /* MDP4 */
{ .compatible = "qcom,mdss", .data = (void *)5 }, /* MDP5 MDSS */
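Review bot: msm_pdev_shutdown() passes the result of platform_get_drvdata(pdev) straight to drm_atomic_helper_shutdown() with no NULL check, and the changelog notes the check was removed in v2. Please add a comment stating why drvdata is guaranteed to be set whenever the shutdown callback runs, or keep a guard such as "if (!drm) return;".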
@@ -1144,6 +1151,7 @@ MODULE_DEVICE_TABLE(of, dt_match);
static struct platform_driver msm_platform_driver = {
.probe = msm_pdev_probe,
.remove = msm_pdev_remove,
+ .shutdown = msm_pdev_shutdown,
.driver = {
.name = "msm",
.of_match_table = dt_match,
--
2.25.1
From: Peter Ujfalusi <[email protected]>
[ Upstream commit 5b2aa9f918f6837ae943557f8cec02c34fcf80e7 ]
of_dma_xlate callback can return ERR_PTR as well as NULL in case of failure.
If error code is returned (not NULL) then the route should be released and
the router should not be registered for the channel.
Fixes: 56f13c0d9524c ("dmaengine: of_dma: Support for DMA routers")
Signed-off-by: Peter Ujfalusi <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Vinod Koul <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/dma/of-dma.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/dma/of-dma.c b/drivers/dma/of-dma.c
index 91fd395c90c4c..8344a60c2131b 100644
--- a/drivers/dma/of-dma.c
+++ b/drivers/dma/of-dma.c
@@ -72,12 +72,12 @@ static struct dma_chan *of_dma_router_xlate(struct of_phandle_args *dma_spec,
return NULL;
chan = ofdma_target->of_dma_xlate(&dma_spec_target, ofdma_target);
- if (chan) {
- chan->router = ofdma->dma_router;
- chan->route_data = route_data;
- } else {
+ if (IS_ERR_OR_NULL(chan)) {
ofdma->dma_router->route_free(ofdma->dma_router->dev,
route_data);
+ } else {
+ chan->router = ofdma->dma_router;
+ chan->route_data = route_data;
}
/*
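Review bot: with IS_ERR_OR_NULL(chan) the route is now freed for an ERR_PTR too, but chan itself is left holding the error pointer, while the earlier failure path in this function does "return NULL;". If chan is returned as it stands after this block, callers see two different failure conventions from of_dma_router_xlate(); please document that in the function comment or normalise the value here.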
--
2.25.1
From: Amit Engel <[email protected]>
[ Upstream commit 0d3b6a8d213a30387b5104b2fb25376d18636f23 ]
Based on nvme spec, when keep alive timeout is set to zero
the keep-alive timer should be disabled.
Signed-off-by: Amit Engel <[email protected]>
Signed-off-by: Sagi Grimberg <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/nvme/target/core.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
index 09a39f4aaf821..d0be85d0c289a 100644
--- a/drivers/nvme/target/core.c
+++ b/drivers/nvme/target/core.c
@@ -208,6 +208,9 @@ static void nvmet_keep_alive_timer(struct work_struct *work)
static void nvmet_start_keep_alive_timer(struct nvmet_ctrl *ctrl)
{
+ if (unlikely(ctrl->kato == 0))
+ return;
+
pr_debug("ctrl %d start keep-alive timer for %d secs\n",
ctrl->cntlid, ctrl->kato);
@@ -217,6 +220,9 @@ static void nvmet_start_keep_alive_timer(struct nvmet_ctrl *ctrl)
static void nvmet_stop_keep_alive_timer(struct nvmet_ctrl *ctrl)
{
+ if (unlikely(ctrl->kato == 0))
+ return;
+
pr_debug("ctrl %d stop keep-alive\n", ctrl->cntlid);
cancel_delayed_work_sync(&ctrl->ka_work);
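Review bot: the early return added to nvmet_stop_keep_alive_timer() skips cancel_delayed_work_sync() whenever ctrl->kato is 0 at the time of the call, which includes the case where the timer was started with a non-zero kato that was cleared afterwards. Unless kato cannot change while the work is queued, the stop path should cancel unconditionally and only the start path should test for zero; the unlikely() annotations are also unnecessary on paths that are not hot.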
--
2.25.1
On 9/8/20 9:25 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.197 release.
> There are 65 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 10 Sep 2020 15:21:57 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.197-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <[email protected]>
thanks,
-- Shuah
On Tue, 8 Sep 2020 at 21:22, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 4.14.197 release.
> There are 65 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 10 Sep 2020 15:21:57 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.197-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.
Tested-by: Linux Kernel Functional Testing <[email protected]>
Summary
------------------------------------------------------------------------
kernel: 4.14.197-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.14.y
git commit: d520aac0cd79e557dd7d2ae06370d104a9f48645
git describe: v4.14.196-66-gd520aac0cd79
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.14-oe/build/v4.14.196-66-gd520aac0cd79
No regressions (compared to build v4.14.196)
No fixes (compared to build v4.14.196)
Ran 33476 total tests in the following environments and test suites.
Environments
--------------
- dragonboard-410c - arm64
- hi6220-hikey - arm64
- i386
- juno-r2 - arm64
- juno-r2-compat
- juno-r2-kasan
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15 - arm
- x86_64
- x86-kasan
Test Suites
-----------
* build
* install-android-platform-tools-r2600
* kselftest
* kselftest/drivers
* kselftest/filesystems
* kselftest/net
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* perf
* v4l2-compliance
* ltp-syscalls-tests
* network-basic-tests
* ltp-fs-tests
* ltp-open-posix-tests
* ltp-tracing-tests
* igt-gpu-tools
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-native/drivers
* kselftest-vsyscall-mode-native/filesystems
* kselftest-vsyscall-mode-native/net
* kselftest-vsyscall-mode-none
* kselftest-vsyscall-mode-none/drivers
* kselftest-vsyscall-mode-none/filesystems
* kselftest-vsyscall-mode-none/net
--
Linaro LKFT
https://lkft.linaro.org
On Tue, Sep 08, 2020 at 05:25:45PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.197 release.
> There are 65 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 10 Sep 2020 15:21:57 +0000.
> Anything received after that time might be too late.
>
Build results:
total: 171 pass: 171 fail: 0
Qemu test results:
total: 408 pass: 408 fail: 0
Guenter
On Tue, Sep 08, 2020 at 05:25:45PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.197 release.
> There are 65 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 10 Sep 2020 15:21:57 +0000.
> Anything received after that time might be too late.
>
Forgot:
Tested-by: Guenter Roeck <[email protected]>
Guenter