This is the start of the stable review cycle for the 4.4.247 release.
There are 24 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu, 03 Dec 2020 08:46:29 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
    https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.247-rc1.gz
or in the git tree and branch at:
    git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
and the diffstat can be found below.

thanks,

greg k-h
-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <[email protected]>
    Linux 4.4.247-rc1

Filipe Manana <[email protected]>
    btrfs: fix lockdep splat when reading qgroup config on mount

Alan Stern <[email protected]>
    USB: core: Fix regression in Hercules audio card

Johan Hovold <[email protected]>
    USB: core: add endpoint-blacklist quirk

Anand K Mistry <[email protected]>
    x86/speculation: Fix prctl() when spectre_v2_user={seccomp,prctl},ibpb

Alan Stern <[email protected]>
    USB: core: Change %pK for __user pointers to %px

Masami Hiramatsu <[email protected]>
    perf probe: Fix to die_entrypc() returns error correctly

Ard Biesheuvel <[email protected]>
    efivarfs: revert "fix memory leak in efivarfs_create()"

Krzysztof Kozlowski <[email protected]>
    nfc: s3fwrn5: use signed integer for parsing GPIO numbers

Xiongfeng Wang <[email protected]>
    IB/mthca: fix return value of error branch in mthca_init_cq()

Michael Chan <[email protected]>
    bnxt_en: Release PCI regions when DMA mask setup fails during probe.

Dexuan Cui <[email protected]>
    video: hyperv_fb: Fix the cache type when mapping the VRAM

Zhang Changzhong <[email protected]>
    bnxt_en: fix error return code in bnxt_init_board()

Stanley Chu <[email protected]>
    scsi: ufs: Fix race between shutdown and runtime resume flow

Mike Christie <[email protected]>
    scsi: target: iscsi: Fix cmd abort fabric stop race

Lee Duncan <[email protected]>
    scsi: libiscsi: Fix NOP race condition

Sugar Zhang <[email protected]>
    dmaengine: pl330: _prep_dma_memcpy: Fix wrong burst size

Jens Axboe <[email protected]>
    proc: don't allow async path resolution of /proc/self components

Brian Masney <[email protected]>
    x86/xen: don't unbind uninitialized lock_kicker_irq

Pablo Ceballos <[email protected]>
    HID: hid-sensor-hub: Fix issue with devices with no report ID

Hans de Goede <[email protected]>
    Input: i8042 - allow insmod to succeed on devices without an i8042 controller

Frank Yang <[email protected]>
    HID: cypress: Support Varmilo Keyboards' media hotkeys

Paolo Bonzini <[email protected]>
    KVM: x86: Fix split-irqchip vs interrupt injection window request

Qu Wenruo <[email protected]>
    btrfs: inode: Verify inode mode to avoid NULL pointer dereference

Qu Wenruo <[email protected]>
    btrfs: tree-checker: Enhance chunk checker to validate chunk profile
-------------
Diffstat:
Makefile | 4 +--
arch/x86/include/asm/kvm_host.h | 1 +
arch/x86/kernel/cpu/bugs.c | 4 +--
arch/x86/kvm/irq.c | 2 +-
arch/x86/kvm/x86.c | 18 +++++++------
arch/x86/xen/spinlock.c | 12 ++++++++-
drivers/dma/pl330.c | 2 +-
drivers/hid/hid-cypress.c | 44 +++++++++++++++++++++++++++----
drivers/hid/hid-ids.h | 2 ++
drivers/hid/hid-sensor-hub.c | 3 ++-
drivers/infiniband/hw/mthca/mthca_cq.c | 10 ++++---
drivers/input/serio/i8042.c | 12 ++++++++-
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 ++-
drivers/nfc/s3fwrn5/i2c.c | 4 +--
drivers/scsi/libiscsi.c | 23 ++++++++++------
drivers/scsi/ufs/ufshcd.c | 6 +----
drivers/target/iscsi/iscsi_target.c | 17 +++++++++---
drivers/usb/core/config.c | 11 ++++++++
drivers/usb/core/devio.c | 4 +--
drivers/usb/core/quirks.c | 38 ++++++++++++++++++++++++++
drivers/usb/core/usb.h | 3 +++
drivers/video/fbdev/hyperv_fb.c | 7 ++++-
fs/btrfs/inode.c | 41 ++++++++++++++++++++++------
fs/btrfs/qgroup.c | 2 +-
fs/btrfs/tests/inode-tests.c | 1 +
fs/btrfs/volumes.c | 7 +++++
fs/efivarfs/inode.c | 2 ++
fs/efivarfs/super.c | 1 -
fs/proc/self.c | 7 +++++
include/linux/usb/quirks.h | 3 +++
include/scsi/libiscsi.h | 3 +++
tools/perf/util/dwarf-aux.c | 8 ++++++
32 files changed, 246 insertions(+), 59 deletions(-)
From: Alan Stern <[email protected]>
commit 184eead057cc7e803558269babc1f2cfb9113ad1 upstream
Commit 3e4f8e21c4f2 ("USB: core: fix check for duplicate endpoints")
aimed to make the USB stack more reliable by detecting and skipping
over endpoints that are duplicated between interfaces. This caused a
regression for a Hercules audio card (reported as Bugzilla #208357),
which contains such non-compliant duplications. Although the
duplications are harmless, skipping the valid endpoints prevented the
device from working.
This patch fixes the regression by adding ENDPOINT_IGNORE quirks for
the Hercules card, telling the kernel to ignore the invalid duplicate
endpoints and thereby allowing the valid endpoints to be used as
intended.
Fixes: 3e4f8e21c4f2 ("USB: core: fix check for duplicate endpoints")
CC: <[email protected]>
Reported-by: Alexander Chalikiopoulos <[email protected]>
Signed-off-by: Alan Stern <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[sudip: use usb_endpoint_blacklist and USB_QUIRK_ENDPOINT_BLACKLIST]
Signed-off-by: Sudip Mukherjee <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/usb/core/quirks.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -195,6 +195,10 @@ static const struct usb_device_id usb_qu
/* Guillemot Webcam Hercules Dualpix Exchange*/
{ USB_DEVICE(0x06f8, 0x3005), .driver_info = USB_QUIRK_RESET_RESUME },
+ /* Guillemot Hercules DJ Console audio card (BZ 208357) */
+ { USB_DEVICE(0x06f8, 0xb000), .driver_info =
+ USB_QUIRK_ENDPOINT_BLACKLIST },
+
/* Midiman M-Audio Keystation 88es */
{ USB_DEVICE(0x0763, 0x0192), .driver_info = USB_QUIRK_RESET_RESUME },
@@ -351,6 +355,8 @@ static const struct usb_device_id usb_am
* Matched for devices with USB_QUIRK_ENDPOINT_BLACKLIST.
*/
static const struct usb_device_id usb_endpoint_blacklist[] = {
+ { USB_DEVICE_INTERFACE_NUMBER(0x06f8, 0xb000, 5), .driver_info = 0x01 },
+ { USB_DEVICE_INTERFACE_NUMBER(0x06f8, 0xb000, 5), .driver_info = 0x81 },
{ }
};
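Review bot: The two new usb_endpoint_blacklist entries carry bare
endpoint addresses in .driver_info (0x01 and 0x81) with no comment. A
one-line comment above them saying these are the duplicated OUT and IN
endpoint 1 addresses on interface 5 of the Hercules DJ Console (BZ
208357) would let a reader check the values without going back to the
commit message.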
From: Qu Wenruo <[email protected]>
commit 6bf9e4bd6a277840d3fe8c5d5d530a1fbd3db592 upstream
[BUG]
When accessing a file on a crafted image, btrfs can crash in block layer:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
PGD 136501067 P4D 136501067 PUD 124519067 PMD 0
CPU: 3 PID: 0 Comm: swapper/3 Not tainted 5.0.0-rc8-default #252
RIP: 0010:end_bio_extent_readpage+0x144/0x700
Call Trace:
<IRQ>
blk_update_request+0x8f/0x350
blk_mq_end_request+0x1a/0x120
blk_done_softirq+0x99/0xc0
__do_softirq+0xc7/0x467
irq_exit+0xd1/0xe0
call_function_single_interrupt+0xf/0x20
</IRQ>
RIP: 0010:default_idle+0x1e/0x170
[CAUSE]
The crafted image has a tricky corruption, the INODE_ITEM has a
different type against its parent dir:
item 20 key (268 INODE_ITEM 0) itemoff 2808 itemsize 160
generation 13 transid 13 size 1048576 nbytes 1048576
block group 0 mode 121644 links 1 uid 0 gid 0 rdev 0
sequence 9 flags 0x0(none)
This mode number 0120000 means it's a symlink.
But the dir item thinks it's still a regular file:
item 8 key (264 DIR_INDEX 5) itemoff 3707 itemsize 32
location key (268 INODE_ITEM 0) type FILE
transid 13 data_len 0 name_len 2
name: f4
item 40 key (264 DIR_ITEM 51821248) itemoff 1573 itemsize 32
location key (268 INODE_ITEM 0) type FILE
transid 13 data_len 0 name_len 2
name: f4
For symlink, we don't set BTRFS_I(inode)->io_tree.ops and leave it
empty, as symlink is only designed to have inlined extent, all handled
by tree block read. Thus no need to trigger btrfs_submit_bio_hook() for
inline file extent.
However end_bio_extent_readpage() expects tree->ops populated, as it's
reading regular data extent. This causes NULL pointer dereference.
[FIX]
This patch fixes the problem in two ways:
- Verify inode mode against its dir item when looking up inode
So in btrfs_lookup_dentry() if we find inode mode mismatch with dir
item, we error out so that corrupted inode will not be accessed.
- Verify inode mode when getting extent mapping
Only regular file should have regular or preallocated extent.
If we found regular/preallocated file extent for symlink or
the rest, we error out before submitting the read bio.
With this fix that crafted image can be rejected gracefully:
BTRFS critical (device loop0): inode mode mismatch with dir: inode mode=0121644 btrfs type=7 dir type=1
Reported-by: Yoon Jungyeon <[email protected]>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=202763
Reviewed-by: Nikolay Borisov <[email protected]>
Signed-off-by: Qu Wenruo <[email protected]>
Signed-off-by: David Sterba <[email protected]>
[sudip: use original btrfs_inode_type(), btrfs_crit with root->fs_info,
ISREG with inode->i_mode and adjust context]
Signed-off-by: Sudip Mukherjee <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
fs/btrfs/inode.c | 41 +++++++++++++++++++++++++++++++++--------
fs/btrfs/tests/inode-tests.c | 1 +
2 files changed, 34 insertions(+), 8 deletions(-)
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -5370,11 +5370,13 @@ no_delete:
}
/*
- * this returns the key found in the dir entry in the location pointer.
+ * Return the key found in the dir entry in the location pointer, fill @type
+ * with BTRFS_FT_*, and return 0.
+ *
* If no dir entries were found, location->objectid is 0.
*/
static int btrfs_inode_by_name(struct inode *dir, struct dentry *dentry,
- struct btrfs_key *location)
+ struct btrfs_key *location, u8 *type)
{
const char *name = dentry->d_name.name;
int namelen = dentry->d_name.len;
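Review bot: The rewritten comment above btrfs_inode_by_name() says
@type is filled and 0 is returned, but does not say what @type holds
when no dir entry is found (the location->objectid == 0 case it still
documents) or when an error is returned. Add a sentence on that, so
callers know whether they must initialise the variable themselves, as
btrfs_lookup_dentry() does with "u8 di_type = 0;".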
@@ -5396,6 +5398,8 @@ static int btrfs_inode_by_name(struct in
goto out_err;
btrfs_dir_item_key_to_cpu(path->nodes[0], di, location);
+ if (!ret)
+ *type = btrfs_dir_type(path->nodes[0], di);
out:
btrfs_free_path(path);
return ret;
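Review bot: The "if (!ret)" guard on the new "*type" assignment is
inconsistent with the line above it, where btrfs_dir_item_key_to_cpu()
already reads di unconditionally. If ret can be non-zero at this point,
both accesses need the guard; if it cannot, drop the test so the
assignment does not look conditional.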
@@ -5681,19 +5685,25 @@ static struct inode *new_simple_dir(stru
return inode;
}
+static inline u8 btrfs_inode_type(struct inode *inode)
+{
+ return btrfs_type_by_mode[(inode->i_mode & S_IFMT) >> S_SHIFT];
+}
+
struct inode *btrfs_lookup_dentry(struct inode *dir, struct dentry *dentry)
{
struct inode *inode;
struct btrfs_root *root = BTRFS_I(dir)->root;
struct btrfs_root *sub_root = root;
struct btrfs_key location;
+ u8 di_type = 0;
int index;
int ret = 0;
if (dentry->d_name.len > BTRFS_NAME_LEN)
return ERR_PTR(-ENAMETOOLONG);
- ret = btrfs_inode_by_name(dir, dentry, &location);
+ ret = btrfs_inode_by_name(dir, dentry, &location, &di_type);
if (ret < 0)
return ERR_PTR(ret);
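Review bot: "u8 di_type = 0;" in btrfs_lookup_dentry() uses a bare 0
where BTRFS_FT_UNKNOWN would state what the initial value means and
make it obvious that an unset type can never match a real inode type in
the comparison added further down.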
@@ -5702,6 +5712,18 @@ struct inode *btrfs_lookup_dentry(struct
if (location.type == BTRFS_INODE_ITEM_KEY) {
inode = btrfs_iget(dir->i_sb, &location, root, NULL);
+ if (IS_ERR(inode))
+ return inode;
+
+ /* Do extra check against inode mode with di_type */
+ if (btrfs_inode_type(inode) != di_type) {
+ btrfs_crit(root->fs_info,
+"inode mode mismatch with dir: inode mode=0%o btrfs type=%u dir type=%u",
+ inode->i_mode, btrfs_inode_type(inode),
+ di_type);
+ iput(inode);
+ return ERR_PTR(-EUCLEAN);
+ }
return inode;
}
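Review bot: The btrfs_crit() message in the new mismatch branch prints
the mode and both types but not which inode was rejected, so the log
line alone does not identify the corrupted item. Add location.objectid
to the format string; the extent-mapping message added later in this
patch already prints the inode number. btrfs_inode_type(inode) is also
evaluated twice here and could be kept in a local.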
@@ -6315,11 +6337,6 @@ fail:
return ERR_PTR(ret);
}
-static inline u8 btrfs_inode_type(struct inode *inode)
-{
- return btrfs_type_by_mode[(inode->i_mode & S_IFMT) >> S_SHIFT];
-}
-
/*
* utility function to add 'inode' into 'parent_inode' with
* a give name and a given sequence number.
@@ -6904,6 +6921,14 @@ again:
extent_start = found_key.offset;
if (found_type == BTRFS_FILE_EXTENT_REG ||
found_type == BTRFS_FILE_EXTENT_PREALLOC) {
+ /* Only regular file could have regular/prealloc extent */
+ if (!S_ISREG(inode->i_mode)) {
+ ret = -EUCLEAN;
+ btrfs_crit(root->fs_info,
+ "regular/prealloc extent found for non-regular inode %llu",
+ btrfs_ino(inode));
+ goto out;
+ }
extent_end = extent_start +
btrfs_file_extent_num_bytes(leaf, item);
} else if (found_type == BTRFS_FILE_EXTENT_INLINE) {
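Review bot: The new "!S_ISREG(inode->i_mode)" branch logs only the
inode number. Adding inode->i_mode and found_type to the btrfs_crit()
message would show which kind of inode collided with which extent type,
which is the detail needed to tell a symlink with a regular extent from
other mismatches when triaging a crafted or corrupted image.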
--- a/fs/btrfs/tests/inode-tests.c
+++ b/fs/btrfs/tests/inode-tests.c
@@ -235,6 +235,7 @@ static noinline int test_btrfs_get_exten
return ret;
}
+ inode->i_mode = S_IFREG;
BTRFS_I(inode)->location.type = BTRFS_INODE_ITEM_KEY;
BTRFS_I(inode)->location.objectid = BTRFS_FIRST_FREE_OBJECTID;
BTRFS_I(inode)->location.offset = 0;
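Review bot: "inode->i_mode = S_IFREG;" is added to the self-test in
fs/btrfs/tests/inode-tests.c without a comment, and nothing in the
visible test change exercises the new rejection path. Add a one-line
comment that the extent-type check added in fs/btrfs/inode.c now
returns -EUCLEAN for regular/prealloc extents on non-regular inodes,
and consider a case with a non-regular mode that expects that error.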
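The two checks described in the [FIX] section of the btrfs commit message above, modelled in user space as an added example (not code from the patch or the kernel tree). The names check_lookup, check_extent and the 16-entry table are assumptions of this example; the type numbers mirror BTRFS_FT_* and BTRFS_FILE_EXTENT_*, and the input is the mode and dir type quoted in the commit message.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifndef EUCLEAN
#define EUCLEAN 117 /* Linux errno value; fallback for other platforms */
#endif
#define S_SHIFT 12
/* Linux file-type bits of a mode, defined here to stay self-contained. */
enum { IFMT = 0170000, IFSOCK = 0140000, IFLNK = 0120000, IFREG = 0100000,
       IFBLK = 0060000, IFDIR = 0040000, IFCHR = 0020000, IFIFO = 0010000 };
enum { FT_UNKNOWN, FT_REG_FILE, FT_DIR, FT_CHRDEV, FT_BLKDEV, FT_FIFO,
       FT_SOCK, FT_SYMLINK };                        /* BTRFS_FT_* values */
enum { EXTENT_INLINE, EXTENT_REG, EXTENT_PREALLOC }; /* BTRFS_FILE_EXTENT_* */

/* Assumption of this example: 16 slots, so any 4-bit type field of a crafted
 * mode stays in bounds; unlisted values map to FT_UNKNOWN (0). */
static const unsigned char type_by_mode[16] = {
	[IFREG >> S_SHIFT] = FT_REG_FILE, [IFDIR >> S_SHIFT] = FT_DIR,
	[IFCHR >> S_SHIFT] = FT_CHRDEV,   [IFBLK >> S_SHIFT] = FT_BLKDEV,
	[IFIFO >> S_SHIFT] = FT_FIFO,     [IFSOCK >> S_SHIFT] = FT_SOCK,
	[IFLNK >> S_SHIFT] = FT_SYMLINK,
};

static unsigned inode_type(unsigned mode)
{
	return type_by_mode[(mode & IFMT) >> S_SHIFT];
}

/* Check 1 (lookup): the inode mode must agree with the dir item type.
 * On mismatch, format the message into msg and return -EUCLEAN. */
static int check_lookup(unsigned mode, unsigned di_type, char *msg, size_t n)
{
	if (inode_type(mode) == di_type)
		return 0;
	snprintf(msg, n, "inode mode mismatch with dir: inode mode=0%o "
		 "btrfs type=%u dir type=%u", mode, inode_type(mode), di_type);
	return -EUCLEAN;
}

/* Check 2 (extent mapping): only regular files own reg/prealloc extents. */
static int check_extent(unsigned mode, int extent_type)
{
	int reg = extent_type == EXTENT_REG || extent_type == EXTENT_PREALLOC;
	return (reg && (mode & IFMT) != IFREG) ? -EUCLEAN : 0;
}

int main(void)
{
	char msg[128] = "";
	/* Constructed input from the commit message: mode 0121644, type FILE. */
	int ret = check_lookup(0121644, FT_REG_FILE, msg, sizeof(msg));
	printf("lookup=%d extent=%d\n%s\n", ret, check_extent(0121644, EXTENT_REG), msg);
	return 0;
}
```

An inline extent on the same symlink mode passes check_extent(), which is why only the regular and preallocated extent types are rejected.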
Hi!
> This is the start of the stable review cycle for the 4.4.247 release.
> There are 24 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 03 Dec 2020 08:46:29 +0000.
> Anything received after that time might be too late.
>
No problems detected during testing:
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-4.4.y
Tested-by: Pavel Machek (CIP) <[email protected]>
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
On Tue, 1 Dec 2020 at 14:24, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 4.4.247 release.
> There are 24 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 03 Dec 2020 08:46:29 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.247-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.
Tested-by: Linux Kernel Functional Testing <[email protected]>
Summary
------------------------------------------------------------------------
kernel: 4.4.247-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.4.y
git commit: 412881df37c2300a95caf9e61b42c25814c64af9
git describe: v4.4.246-25-g412881df37c2
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-4.4.y/build/v4.4.246-25-g412881df37c2
No regressions (compared to build v4.4.246)
No fixes (compared to build v4.4.246)
Ran 12293 total tests in the following environments and test suites.
Environments
--------------
- arm
- arm64
- i386
- juno-r2 - arm64
- mips
- qemu-arm64-kasan
- qemu-x86_64-kasan
- qemu_arm
- qemu_arm64
- qemu_arm64-compat
- qemu_i386
- qemu_x86_64
- qemu_x86_64-compat
- sparc
- x15 - arm
- x86_64
Test Suites
-----------
* build
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-controllers-tests
* ltp-tracing-tests
* libhugetlbfs
* v4l2-compliance
* install-android-platform-tools-r2600
* network-basic-tests
* perf
Summary
------------------------------------------------------------------------
kernel: 4.4.247-rc1
git repo: https://git.linaro.org/lkft/arm64-stable-rc.git
git branch: 4.4.247-rc1-hikey-20201201-867
git commit: 56c68faa4c221dab59e36da4f9fc198e41a73808
git describe: 4.4.247-rc1-hikey-20201201-867
Test details: https://qa-reports.linaro.org/lkft/linaro-hikey-stable-rc-4.4-oe/build/4.4.247-rc1-hikey-20201201-867
No regressions (compared to build 4.4.246-rc1-hikey-20201123-865)
No fixes (compared to build 4.4.246-rc1-hikey-20201123-865)
Ran 1758 total tests in the following environments and test suites.
Environments
--------------
- hi6220-hikey - arm64
Test Suites
-----------
* build
* install-android-platform-tools-r2600
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* perf
* spectre-meltdown-checker-test
* v4l2-compliance
--
Linaro LKFT
https://lkft.linaro.org
On 12/1/20 1:53 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.247 release.
> There are 24 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 03 Dec 2020 08:46:29 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.247-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <[email protected]>
thanks,
-- Shuah