This is the start of the stable review cycle for the 4.14.258 release.
There are 53 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 15 Dec 2021 09:29:16 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.258-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <[email protected]>
Linux 4.14.258-rc1
Vladimir Murzin <[email protected]>
irqchip: nvic: Fix offset for Interrupt Priority Offsets
Wudi Wang <[email protected]>
irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL
Pali Rohár <[email protected]>
irqchip/armada-370-xp: Fix support for Multi-MSI interrupts
Pali Rohár <[email protected]>
irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc()
Yang Yingliang <[email protected]>
iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove
Evgeny Boger <[email protected]>
iio: adc: axp20x_adc: fix charging current reporting on AXP22x
Lars-Peter Clausen <[email protected]>
iio: dln2: Check return value of devm_iio_trigger_register()
Noralf Trønnes <[email protected]>
iio: dln2-adc: Fix lockdep complaint
Lars-Peter Clausen <[email protected]>
iio: itg3200: Call iio_trigger_notify_done() on error
Lars-Peter Clausen <[email protected]>
iio: kxsd9: Don't return error code in trigger handler
Lars-Peter Clausen <[email protected]>
iio: ltr501: Don't return error code in trigger handler
Lars-Peter Clausen <[email protected]>
iio: mma8452: Fix trigger reference couting
Lars-Peter Clausen <[email protected]>
iio: stk3310: Don't return error code in interrupt handler
Alyssa Ross <[email protected]>
iio: trigger: stm32-timer: fix MODULE_ALIAS
Lars-Peter Clausen <[email protected]>
iio: trigger: Fix reference counting
Pavel Hofman <[email protected]>
usb: core: config: using bit mask instead of individual bits
Kai-Heng Feng <[email protected]>
xhci: Remove CONFIG_USB_DEFAULT_PERSIST to prevent xHCI from runtime suspending
Pavel Hofman <[email protected]>
usb: core: config: fix validation of wMaxPacketValue entries
Greg Kroah-Hartman <[email protected]>
USB: gadget: zero allocate endpoint 0 buffers
Greg Kroah-Hartman <[email protected]>
USB: gadget: detect too-big endpoint 0 requests
Dan Carpenter <[email protected]>
net/qla3xxx: fix an error code in ql_adapter_up()
Eric Dumazet <[email protected]>
net, neigh: clear whole pneigh_entry at alloc time
Joakim Zhang <[email protected]>
net: fec: only clear interrupt of handling queue in fec_enet_rx_queue()
Dan Carpenter <[email protected]>
net: altera: set a couple error code in probe()
Lee Jones <[email protected]>
net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero
Manish Chopra <[email protected]>
qede: validate non LSO skb length
Davidlohr Bueso <[email protected]>
block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2)
Steven Rostedt (VMware) <[email protected]>
tracefs: Set all files to the same group ownership as the mount option
Eric Biggers <[email protected]>
signalfd: use wake_up_pollfree()
Eric Biggers <[email protected]>
binder: use wake_up_pollfree()
Eric Biggers <[email protected]>
wait: add wake_up_pollfree()
Hannes Reinecke <[email protected]>
libata: add horkage for ASMedia 1092
Tom Lendacky <[email protected]>
x86/sme: Explicitly map new EFI memmap table as encrypted
Brian Silverman <[email protected]>
can: m_can: Disable and ignore ELO interrupt
Vincent Mailhol <[email protected]>
can: pch_can: pch_can_rx_normal: fix use after free
Steven Rostedt (VMware) <[email protected]>
tracefs: Have new files inherit the ownership of their parent
Takashi Iwai <[email protected]>
ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*()
Takashi Iwai <[email protected]>
ALSA: pcm: oss: Limit the period size to 16MB
Takashi Iwai <[email protected]>
ALSA: pcm: oss: Fix negative period/buffer sizes
Alan Young <[email protected]>
ALSA: ctl: Fix copy of updated id with element read/write
Manjong Lee <[email protected]>
mm: bdi: initialize bdi_min_ratio when bdi is unregistered
Mike Marciniszyn <[email protected]>
IB/hfi1: Correct guard on eager buffer deallocation
Andrea Mayer <[email protected]>
seg6: fix the iif in the IPv6 socket control block
Jianglei Nie <[email protected]>
nfp: Fix memory leak in nfp_cpp_area_cache_add()
Maxim Mikityanskiy <[email protected]>
bpf: Fix the off-by-two error in range markings
Krzysztof Kozlowski <[email protected]>
nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
Dan Carpenter <[email protected]>
can: sja1000: fix use after free in ems_pcmcia_add_card()
Greg Kroah-Hartman <[email protected]>
HID: check for valid USB device for many HID drivers
Greg Kroah-Hartman <[email protected]>
HID: wacom: fix problems when device is not a valid USB device
Greg Kroah-Hartman <[email protected]>
HID: add USB_HID dependancy on some USB HID drivers
Greg Kroah-Hartman <[email protected]>
HID: add USB_HID dependancy to hid-chicony
Greg Kroah-Hartman <[email protected]>
HID: add USB_HID dependancy to hid-prodikeys
Greg Kroah-Hartman <[email protected]>
HID: add hid_is_usb() function to make it simpler for USB detection
-------------
Diffstat:
Makefile | 4 +-
arch/x86/Kconfig | 1 +
arch/x86/platform/efi/quirks.c | 3 +-
block/ioprio.c | 3 +
drivers/android/binder.c | 21 +++---
drivers/ata/libata-core.c | 2 +
drivers/hid/Kconfig | 10 +--
drivers/hid/hid-asus.c | 2 +-
drivers/hid/hid-chicony.c | 8 ++-
drivers/hid/hid-corsair.c | 7 +-
drivers/hid/hid-elo.c | 3 +
drivers/hid/hid-holtek-kbd.c | 9 ++-
drivers/hid/hid-holtek-mouse.c | 9 +++
drivers/hid/hid-lg.c | 10 ++-
drivers/hid/hid-prodikeys.c | 10 ++-
drivers/hid/hid-roccat-arvo.c | 3 +
drivers/hid/hid-roccat-isku.c | 3 +
drivers/hid/hid-roccat-kone.c | 3 +
drivers/hid/hid-roccat-koneplus.c | 3 +
drivers/hid/hid-roccat-konepure.c | 3 +
drivers/hid/hid-roccat-kovaplus.c | 3 +
drivers/hid/hid-roccat-lua.c | 3 +
drivers/hid/hid-roccat-pyra.c | 3 +
drivers/hid/hid-roccat-ryos.c | 3 +
drivers/hid/hid-roccat-savu.c | 3 +
drivers/hid/hid-samsung.c | 3 +
drivers/hid/hid-uclogic.c | 3 +
drivers/hid/wacom_sys.c | 19 ++++--
drivers/iio/accel/kxcjk-1013.c | 5 +-
drivers/iio/accel/kxsd9.c | 6 +-
drivers/iio/accel/mma8452.c | 2 +-
drivers/iio/adc/axp20x_adc.c | 18 +----
drivers/iio/adc/dln2-adc.c | 21 +++---
drivers/iio/gyro/itg3200_buffer.c | 2 +-
drivers/iio/industrialio-trigger.c | 1 -
drivers/iio/light/ltr501.c | 2 +-
drivers/iio/light/stk3310.c | 6 +-
drivers/iio/trigger/stm32-timer-trigger.c | 2 +-
drivers/infiniband/hw/hfi1/init.c | 2 +-
drivers/irqchip/irq-armada-370-xp.c | 16 ++---
drivers/irqchip/irq-gic-v3-its.c | 2 +-
drivers/irqchip/irq-nvic.c | 2 +-
drivers/net/can/m_can/m_can.c | 14 ++--
drivers/net/can/pch_can.c | 2 +-
drivers/net/can/sja1000/ems_pcmcia.c | 7 +-
drivers/net/ethernet/altera/altera_tse_main.c | 9 ++-
drivers/net/ethernet/freescale/fec.h | 3 +
drivers/net/ethernet/freescale/fec_main.c | 2 +-
.../ethernet/netronome/nfp/nfpcore/nfp_cppcore.c | 4 +-
drivers/net/ethernet/qlogic/qede/qede_fp.c | 7 ++
drivers/net/ethernet/qlogic/qla3xxx.c | 19 +++---
drivers/net/usb/cdc_ncm.c | 2 +
drivers/usb/core/config.c | 6 +-
drivers/usb/gadget/composite.c | 14 +++-
drivers/usb/gadget/legacy/dbgp.c | 15 ++++-
drivers/usb/gadget/legacy/inode.c | 16 ++++-
drivers/usb/host/xhci.c | 4 --
fs/signalfd.c | 12 +---
fs/tracefs/inode.c | 76 ++++++++++++++++++++++
include/linux/hid.h | 5 ++
include/linux/wait.h | 26 ++++++++
kernel/bpf/verifier.c | 2 +-
kernel/sched/wait.c | 8 +++
mm/backing-dev.c | 7 ++
net/core/neighbour.c | 2 +-
net/ipv6/seg6_iptunnel.c | 8 +++
net/nfc/netlink.c | 6 +-
sound/core/control_compat.c | 3 +
sound/core/oss/pcm_oss.c | 37 +++++++----
69 files changed, 411 insertions(+), 149 deletions(-)
From: Lars-Peter Clausen <[email protected]>
commit ef9d67fa72c1b149a420587e435a3e888bdbf74f upstream.
IIO trigger handlers need to return one of the irqreturn_t values.
Returning an error code is not supported.
The ltr501 interrupt handler gets this right for most error paths, but
there is one case where it returns the error code.
In addition for this particular case the trigger handler does not call
`iio_trigger_notify_done()`. Which when not done keeps the triggered
disabled forever.
Modify the code so that the function returns a valid irqreturn_t value as
well as calling `iio_trigger_notify_done()` on all exit paths.
Fixes: 2690be905123 ("iio: Add Lite-On ltr501 ambient light / proximity sensor driver")
Signed-off-by: Lars-Peter Clausen <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Cc: <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/iio/light/ltr501.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/light/ltr501.c
+++ b/drivers/iio/light/ltr501.c
@@ -1279,7 +1279,7 @@ static irqreturn_t ltr501_trigger_handle
ret = regmap_bulk_read(data->regmap, LTR501_ALS_DATA1,
(u8 *)als_buf, sizeof(als_buf));
if (ret < 0)
- return ret;
+ goto done;
if (test_bit(0, indio_dev->active_scan_mask))
scan.channels[j++] = le16_to_cpu(als_buf[1]);
if (test_bit(1, indio_dev->active_scan_mask))
From: Eric Dumazet <[email protected]>
commit e195e9b5dee6459d8c8e6a314cc71a644a0537fd upstream.
Commit 2c611ad97a82 ("net, neigh: Extend neigh->flags to 32 bit
to allow for extensions") enables a new KMSAM warning [1]
I think the bug is actually older, because the following intruction
only occurred if ndm->ndm_flags had NTF_PROXY set.
pn->flags = ndm->ndm_flags;
Let's clear all pneigh_entry fields at alloc time.
[1]
BUG: KMSAN: uninit-value in pneigh_fill_info+0x986/0xb30 net/core/neighbour.c:2593
pneigh_fill_info+0x986/0xb30 net/core/neighbour.c:2593
pneigh_dump_table net/core/neighbour.c:2715 [inline]
neigh_dump_info+0x1e3f/0x2c60 net/core/neighbour.c:2832
netlink_dump+0xaca/0x16a0 net/netlink/af_netlink.c:2265
__netlink_dump_start+0xd1c/0xee0 net/netlink/af_netlink.c:2370
netlink_dump_start include/linux/netlink.h:254 [inline]
rtnetlink_rcv_msg+0x181b/0x18c0 net/core/rtnetlink.c:5534
netlink_rcv_skb+0x447/0x800 net/netlink/af_netlink.c:2491
rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5589
netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
netlink_unicast+0x1095/0x1360 net/netlink/af_netlink.c:1345
netlink_sendmsg+0x16f3/0x1870 net/netlink/af_netlink.c:1916
sock_sendmsg_nosec net/socket.c:704 [inline]
sock_sendmsg net/socket.c:724 [inline]
sock_write_iter+0x594/0x690 net/socket.c:1057
call_write_iter include/linux/fs.h:2162 [inline]
new_sync_write fs/read_write.c:503 [inline]
vfs_write+0x1318/0x2030 fs/read_write.c:590
ksys_write+0x28c/0x520 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0xdb/0x120 fs/read_write.c:652
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae
Uninit was created at:
slab_post_alloc_hook mm/slab.h:524 [inline]
slab_alloc_node mm/slub.c:3251 [inline]
slab_alloc mm/slub.c:3259 [inline]
__kmalloc+0xc3c/0x12d0 mm/slub.c:4437
kmalloc include/linux/slab.h:595 [inline]
pneigh_lookup+0x60f/0xd70 net/core/neighbour.c:766
arp_req_set_public net/ipv4/arp.c:1016 [inline]
arp_req_set+0x430/0x10a0 net/ipv4/arp.c:1032
arp_ioctl+0x8d4/0xb60 net/ipv4/arp.c:1232
inet_ioctl+0x4ef/0x820 net/ipv4/af_inet.c:947
sock_do_ioctl net/socket.c:1118 [inline]
sock_ioctl+0xa3f/0x13e0 net/socket.c:1235
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl+0x2df/0x4a0 fs/ioctl.c:860
__x64_sys_ioctl+0xd8/0x110 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae
CPU: 1 PID: 20001 Comm: syz-executor.0 Not tainted 5.16.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Fixes: 62dd93181aaa ("[IPV6] NDISC: Set per-entry is_router flag in Proxy NA.")
Signed-off-by: Eric Dumazet <[email protected]>
Cc: Roopa Prabhu <[email protected]>
Reviewed-by: David Ahern <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/core/neighbour.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -633,7 +633,7 @@ struct pneigh_entry * pneigh_lookup(stru
ASSERT_RTNL();
- n = kmalloc(sizeof(*n) + key_len, GFP_KERNEL);
+ n = kzalloc(sizeof(*n) + key_len, GFP_KERNEL);
if (!n)
goto out;
From: Lars-Peter Clausen <[email protected]>
commit 45febe0d63917ee908198c5be08511c64ee1790a upstream.
IIO trigger handlers need to return one of the irqreturn_t values.
Returning an error code is not supported.
The kxsd9 interrupt handler returns an error code if reading the data
registers fails. In addition when exiting due to an error the trigger
handler does not call `iio_trigger_notify_done()`. Which when not done
keeps the triggered disabled forever.
Modify the code so that the function returns a valid irqreturn_t value as
well as calling `iio_trigger_notify_done()` on all exit paths.
Since we can't return the error code make sure to at least log it as part
of the error message.
Fixes: 0427a106a98a ("iio: accel: kxsd9: Add triggered buffer handling")
Signed-off-by: Lars-Peter Clausen <[email protected]>
Reviewed-by: Linus Walleij <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Cc: <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/iio/accel/kxsd9.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/iio/accel/kxsd9.c
+++ b/drivers/iio/accel/kxsd9.c
@@ -227,14 +227,14 @@ static irqreturn_t kxsd9_trigger_handler
hw_values.chan,
sizeof(hw_values.chan));
if (ret) {
- dev_err(st->dev,
- "error reading data\n");
- return ret;
+ dev_err(st->dev, "error reading data: %d\n", ret);
+ goto out;
}
iio_push_to_buffers_with_timestamp(indio_dev,
&hw_values,
iio_get_time_ns(indio_dev));
+out:
iio_trigger_notify_done(indio_dev->trig);
return IRQ_HANDLED;
From: Lars-Peter Clausen <[email protected]>
commit 67fe29583e72b2103abb661bb58036e3c1f00277 upstream.
IIO trigger handlers must call iio_trigger_notify_done() when done. This
must be done even when an error occurred. Otherwise the trigger will be
seen as busy indefinitely and the trigger handler will never be called
again.
The itg3200 driver neglects to call iio_trigger_notify_done() when there is
an error reading the gyro data. Fix this by making sure that
iio_trigger_notify_done() is included in the error exit path.
Fixes: 9dbf091da080 ("iio: gyro: Add itg3200")
Signed-off-by: Lars-Peter Clausen <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Cc: <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/iio/gyro/itg3200_buffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/gyro/itg3200_buffer.c
+++ b/drivers/iio/gyro/itg3200_buffer.c
@@ -64,9 +64,9 @@ static irqreturn_t itg3200_trigger_handl
iio_push_to_buffers_with_timestamp(indio_dev, &scan, pf->timestamp);
+error_ret:
iio_trigger_notify_done(indio_dev->trig);
-error_ret:
return IRQ_HANDLED;
}
From: Evgeny Boger <[email protected]>
commit 92beafb76a31bdc02649eb44e93a8e4f4cfcdbe8 upstream.
Both the charging and discharging currents on AXP22x are stored as
12-bit integers, in accordance with the datasheet.
It's also confirmed by vendor BSP (axp20x_adc.c:axp22_icharge_to_mA).
The scale factor of 0.5 is never mentioned in datasheet, nor in the
vendor source code. I think it was here to compensate for
erroneous addition bit in register width.
Tested on custom A40i+AXP221s board with external ammeter as
a reference.
Fixes: 0e34d5de961d ("iio: adc: add support for X-Powers AXP20X and AXP22X PMICs ADCs")
Signed-off-by: Evgeny Boger <[email protected]>
Acked-by: Chen-Yu Tsai <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Cc: <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/iio/adc/axp20x_adc.c | 18 +++---------------
1 file changed, 3 insertions(+), 15 deletions(-)
--- a/drivers/iio/adc/axp20x_adc.c
+++ b/drivers/iio/adc/axp20x_adc.c
@@ -224,19 +224,8 @@ static int axp22x_adc_raw(struct iio_dev
struct iio_chan_spec const *chan, int *val)
{
struct axp20x_adc_iio *info = iio_priv(indio_dev);
- int size;
- /*
- * N.B.: Unlike the Chinese datasheets tell, the charging current is
- * stored on 12 bits, not 13 bits. Only discharging current is on 13
- * bits.
- */
- if (chan->type == IIO_CURRENT && chan->channel == AXP22X_BATT_DISCHRG_I)
- size = 13;
- else
- size = 12;
-
- *val = axp20x_read_variable_width(info->regmap, chan->address, size);
+ *val = axp20x_read_variable_width(info->regmap, chan->address, 12);
if (*val < 0)
return *val;
@@ -329,9 +318,8 @@ static int axp22x_adc_scale(struct iio_c
return IIO_VAL_INT_PLUS_MICRO;
case IIO_CURRENT:
- *val = 0;
- *val2 = 500000;
- return IIO_VAL_INT_PLUS_MICRO;
+ *val = 1;
+ return IIO_VAL_INT;
case IIO_TEMP:
*val = 100;
From: Yang Yingliang <[email protected]>
commit 70c9774e180d151abaab358108e3510a8e615215 upstream.
When ACPI type is ACPI_SMO8500, the data->dready_trig will not be set, the
memory allocated by iio_triggered_buffer_setup() will not be freed, and cause
memory leak as follows:
unreferenced object 0xffff888009551400 (size 512):
comm "i2c-SMO8500-125", pid 911, jiffies 4294911787 (age 83.852s)
hex dump (first 32 bytes):
02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 20 e2 e5 c0 ff ff ff ff ........ .......
backtrace:
[<0000000041ce75ee>] kmem_cache_alloc_trace+0x16d/0x360
[<000000000aeb17b0>] iio_kfifo_allocate+0x41/0x130 [kfifo_buf]
[<000000004b40c1f5>] iio_triggered_buffer_setup_ext+0x2c/0x210 [industrialio_triggered_buffer]
[<000000004375b15f>] kxcjk1013_probe+0x10c3/0x1d81 [kxcjk_1013]
Fix it by remove data->dready_trig condition in probe and remove.
Reported-by: Hulk Robot <[email protected]>
Fixes: a25691c1f967 ("iio: accel: kxcjk1013: allow using an external trigger")
Signed-off-by: Yang Yingliang <[email protected]>
Cc: <[email protected]>
Reviewed-by: Hans de Goede <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/iio/accel/kxcjk-1013.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/iio/accel/kxcjk-1013.c
+++ b/drivers/iio/accel/kxcjk-1013.c
@@ -1326,8 +1326,7 @@ static int kxcjk1013_probe(struct i2c_cl
return 0;
err_buffer_cleanup:
- if (data->dready_trig)
- iio_triggered_buffer_cleanup(indio_dev);
+ iio_triggered_buffer_cleanup(indio_dev);
err_trigger_unregister:
if (data->dready_trig)
iio_trigger_unregister(data->dready_trig);
@@ -1350,8 +1349,8 @@ static int kxcjk1013_remove(struct i2c_c
pm_runtime_set_suspended(&client->dev);
pm_runtime_put_noidle(&client->dev);
+ iio_triggered_buffer_cleanup(indio_dev);
if (data->dready_trig) {
- iio_triggered_buffer_cleanup(indio_dev);
iio_trigger_unregister(data->dready_trig);
iio_trigger_unregister(data->motion_trig);
}
From: Greg Kroah-Hartman <[email protected]>
commit 153a2d7e3350cc89d406ba2d35be8793a64c2038 upstream.
Sometimes USB hosts can ask for buffers that are too large from endpoint
0, which should not be allowed. If this happens for OUT requests, stall
the endpoint, but for IN requests, trim the request size to the endpoint
buffer size.
Co-developed-by: Szymon Heidrich <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/usb/gadget/composite.c | 12 ++++++++++++
drivers/usb/gadget/legacy/dbgp.c | 13 +++++++++++++
drivers/usb/gadget/legacy/inode.c | 16 +++++++++++++++-
3 files changed, 40 insertions(+), 1 deletion(-)
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -1635,6 +1635,18 @@ composite_setup(struct usb_gadget *gadge
struct usb_function *f = NULL;
u8 endp;
+ if (w_length > USB_COMP_EP0_BUFSIZ) {
+ if (ctrl->bRequestType == USB_DIR_OUT) {
+ goto done;
+ } else {
+ /* Cast away the const, we are going to overwrite on purpose. */
+ __le16 *temp = (__le16 *)&ctrl->wLength;
+
+ *temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ);
+ w_length = USB_COMP_EP0_BUFSIZ;
+ }
+ }
+
/* partial re-init of the response message; the function or the
* gadget might need to intercept e.g. a control-OUT completion
* when we delegate to it.
--- a/drivers/usb/gadget/legacy/dbgp.c
+++ b/drivers/usb/gadget/legacy/dbgp.c
@@ -344,6 +344,19 @@ static int dbgp_setup(struct usb_gadget
void *data = NULL;
u16 len = 0;
+ if (length > DBGP_REQ_LEN) {
+ if (ctrl->bRequestType == USB_DIR_OUT) {
+ return err;
+ } else {
+ /* Cast away the const, we are going to overwrite on purpose. */
+ __le16 *temp = (__le16 *)&ctrl->wLength;
+
+ *temp = cpu_to_le16(DBGP_REQ_LEN);
+ length = DBGP_REQ_LEN;
+ }
+ }
+
+
if (request == USB_REQ_GET_DESCRIPTOR) {
switch (value>>8) {
case USB_DT_DEVICE:
--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
@@ -113,6 +113,8 @@ enum ep0_state {
/* enough for the whole queue: most events invalidate others */
#define N_EVENT 5
+#define RBUF_SIZE 256
+
struct dev_data {
spinlock_t lock;
refcount_t count;
@@ -147,7 +149,7 @@ struct dev_data {
struct dentry *dentry;
/* except this scratch i/o buffer for ep0 */
- u8 rbuf [256];
+ u8 rbuf[RBUF_SIZE];
};
static inline void get_dev (struct dev_data *data)
@@ -1336,6 +1338,18 @@ gadgetfs_setup (struct usb_gadget *gadge
u16 w_value = le16_to_cpu(ctrl->wValue);
u16 w_length = le16_to_cpu(ctrl->wLength);
+ if (w_length > RBUF_SIZE) {
+ if (ctrl->bRequestType == USB_DIR_OUT) {
+ return value;
+ } else {
+ /* Cast away the const, we are going to overwrite on purpose. */
+ __le16 *temp = (__le16 *)&ctrl->wLength;
+
+ *temp = cpu_to_le16(RBUF_SIZE);
+ w_length = RBUF_SIZE;
+ }
+ }
+
spin_lock (&dev->lock);
dev->setup_abort = 0;
if (dev->state == STATE_DEV_UNCONNECTED) {
From: Joakim Zhang <[email protected]>
commit b5bd95d17102b6719e3531d627875b9690371383 upstream.
Background:
We have a customer is running a Profinet stack on the 8MM which receives and
responds PNIO packets every 4ms and PNIO-CM packets every 40ms. However, from
time to time the received PNIO-CM package is "stock" and is only handled when
receiving a new PNIO-CM or DCERPC-Ping packet (tcpdump shows the PNIO-CM and
the DCERPC-Ping packet at the same time but the PNIO-CM HW timestamp is from
the expected 40 ms and not the 2s delay of the DCERPC-Ping).
After debugging, we noticed PNIO, PNIO-CM and DCERPC-Ping packets would
be handled by different RX queues.
The root cause should be driver ack all queues' interrupt when handle a
specific queue in fec_enet_rx_queue(). The blamed patch is introduced to
receive as much packets as possible once to avoid interrupt flooding.
But it's unreasonable to clear other queues'interrupt when handling one
queue, this patch tries to fix it.
Fixes: ed63f1dcd578 (net: fec: clear receive interrupts before processing a packet)
Cc: Russell King <[email protected]>
Reported-by: Nicolas Diaz <[email protected]>
Signed-off-by: Joakim Zhang <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/ethernet/freescale/fec.h | 3 +++
drivers/net/ethernet/freescale/fec_main.c | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/freescale/fec.h
+++ b/drivers/net/ethernet/freescale/fec.h
@@ -372,6 +372,9 @@ struct bufdesc_ex {
#define FEC_ENET_WAKEUP ((uint)0x00020000) /* Wakeup request */
#define FEC_ENET_TXF (FEC_ENET_TXF_0 | FEC_ENET_TXF_1 | FEC_ENET_TXF_2)
#define FEC_ENET_RXF (FEC_ENET_RXF_0 | FEC_ENET_RXF_1 | FEC_ENET_RXF_2)
+#define FEC_ENET_RXF_GET(X) (((X) == 0) ? FEC_ENET_RXF_0 : \
+ (((X) == 1) ? FEC_ENET_RXF_1 : \
+ FEC_ENET_RXF_2))
#define FEC_ENET_TS_AVAIL ((uint)0x00010000)
#define FEC_ENET_TS_TIMER ((uint)0x00008000)
--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -1385,7 +1385,7 @@ fec_enet_rx_queue(struct net_device *nde
break;
pkt_received++;
- writel(FEC_ENET_RXF, fep->hwp + FEC_IEVENT);
+ writel(FEC_ENET_RXF_GET(queue_id), fep->hwp + FEC_IEVENT);
/* Check for errors. */
status ^= BD_ENET_RX_LAST;
From: Kai-Heng Feng <[email protected]>
commit 811ae81320da53a5670c36970cefacca8519f90e upstream.
When the xHCI is quirked with XHCI_RESET_ON_RESUME, runtime resume
routine also resets the controller.
This is bad for USB drivers without reset_resume callback, because
there's no subsequent call of usb_dev_complete() ->
usb_resume_complete() to force rebinding the driver to the device. For
instance, btusb device stops working after xHCI controller is runtime
resumed, if the controlled is quirked with XHCI_RESET_ON_RESUME.
So always take XHCI_RESET_ON_RESUME into account to solve the issue.
Cc: <[email protected]>
Signed-off-by: Kai-Heng Feng <[email protected]>
Signed-off-by: Mathias Nyman <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/usb/host/xhci.c | 4 ----
1 file changed, 4 deletions(-)
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -3627,7 +3627,6 @@ static void xhci_free_dev(struct usb_hcd
struct xhci_slot_ctx *slot_ctx;
int i, ret;
-#ifndef CONFIG_USB_DEFAULT_PERSIST
/*
* We called pm_runtime_get_noresume when the device was attached.
* Decrement the counter here to allow controller to runtime suspend
@@ -3635,7 +3634,6 @@ static void xhci_free_dev(struct usb_hcd
*/
if (xhci->quirks & XHCI_RESET_ON_RESUME)
pm_runtime_put_noidle(hcd->self.controller);
-#endif
ret = xhci_check_args(hcd, udev, NULL, 0, true, __func__);
/* If the host is halted due to driver unload, we still need to free the
@@ -3790,14 +3788,12 @@ int xhci_alloc_dev(struct usb_hcd *hcd,
udev->slot_id = slot_id;
-#ifndef CONFIG_USB_DEFAULT_PERSIST
/*
* If resetting upon resume, we can't put the controller into runtime
* suspend if there is a device attached.
*/
if (xhci->quirks & XHCI_RESET_ON_RESUME)
pm_runtime_get_noresume(hcd->self.controller);
-#endif
/* Is this a LS or FS device under a HS hub? */
/* Hub or peripherial? */
From: Pavel Hofman <[email protected]>
commit ca5737396927afd4d57b133fd2874bbcf3421cdb upstream.
Using standard USB_EP_MAXP_MULT_MASK instead of individual bits for
extracting multiple-transactions bits from wMaxPacketSize value.
Acked-by: Alan Stern <[email protected]>
Signed-off-by: Pavel Hofman <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/usb/core/config.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -425,9 +425,9 @@ static int usb_parse_endpoint(struct dev
maxpacket_maxes = full_speed_maxpacket_maxes;
break;
case USB_SPEED_HIGH:
- /* Bits 12..11 are allowed only for HS periodic endpoints */
+ /* Multiple-transactions bits are allowed only for HS periodic endpoints */
if (usb_endpoint_xfer_int(d) || usb_endpoint_xfer_isoc(d)) {
- i = maxp & (BIT(12) | BIT(11));
+ i = maxp & USB_EP_MAXP_MULT_MASK;
maxp &= ~i;
}
/* fallthrough */
From: Lars-Peter Clausen <[email protected]>
commit a827a4984664308f13599a0b26c77018176d0c7c upstream.
In viio_trigger_alloc() device_initialize() is used to set the initial
reference count of the trigger to 1. Then another get_device() is called on
trigger. This sets the reference count to 2 before the trigger is returned.
iio_trigger_free(), which is the matching API to viio_trigger_alloc(),
calls put_device() which decreases the reference count by 1. But the second
reference count acquired in viio_trigger_alloc() is never dropped.
As a result the iio_trigger_release() function is never called and the
memory associated with the trigger is never freed.
Since there is no reason for the trigger to start its lifetime with two
reference counts just remove the extra get_device() in
viio_trigger_alloc().
Fixes: 5f9c035cae18 ("staging:iio:triggers. Add a reference get to the core for triggers.")
Signed-off-by: Lars-Peter Clausen <[email protected]>
Acked-by: Nuno Sá <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Cc: <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/iio/industrialio-trigger.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/iio/industrialio-trigger.c
+++ b/drivers/iio/industrialio-trigger.c
@@ -549,7 +549,6 @@ static struct iio_trigger *viio_trigger_
irq_modify_status(trig->subirq_base + i,
IRQ_NOREQUEST | IRQ_NOAUTOEN, IRQ_NOPROBE);
}
- get_device(&trig->dev);
return trig;
From: Alyssa Ross <[email protected]>
commit 893621e0606747c5bbefcaf2794d12c7aa6212b7 upstream.
modprobe can't handle spaces in aliases.
Fixes: 93fbe91b5521 ("iio: Add STM32 timer trigger driver")
Signed-off-by: Alyssa Ross <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Cc: <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/iio/trigger/stm32-timer-trigger.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/trigger/stm32-timer-trigger.c
+++ b/drivers/iio/trigger/stm32-timer-trigger.c
@@ -886,6 +886,6 @@ static struct platform_driver stm32_time
};
module_platform_driver(stm32_timer_trigger_driver);
-MODULE_ALIAS("platform: stm32-timer-trigger");
+MODULE_ALIAS("platform:stm32-timer-trigger");
MODULE_DESCRIPTION("STMicroelectronics STM32 Timer Trigger driver");
MODULE_LICENSE("GPL v2");
On Mon, Dec 13, 2021 at 10:29:39AM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.258 release.
> There are 53 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 15 Dec 2021 09:29:16 +0000.
> Anything received after that time might be too late.
>
Build results:
total: 168 pass: 168 fail: 0
Qemu test results:
total: 421 pass: 421 fail: 0
Tested-by: Guenter Roeck <[email protected]>
Guenter
On Mon, 13 Dec 2021 at 15:07, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 4.14.258 release.
> There are 53 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 15 Dec 2021 09:29:16 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.258-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.
Tested-by: Linux Kernel Functional Testing <[email protected]>
NOTE:
Following warnings noticed on x86_64 and i386 with defconfig
building with gcc-8/9/10/11 and clang-11/12/13 and nightly.
make --silent --keep-going --jobs=8
O=/home/tuxbuild/.cache/tuxmake/builds/current ARCH=x86_64
CROSS_COMPILE=x86_64-linux-gnu- 'CC=sccache x86_64-linux-gnu-gcc'
'HOSTCC=sccache gcc' defconfig
warning: (EFI) selects ARCH_USE_MEMREMAP_PROT which has unmet direct
dependencies (AMD_MEM_ENCRYPT)
warning: (EFI) selects ARCH_USE_MEMREMAP_PROT which has unmet direct
dependencies (AMD_MEM_ENCRYPT)
build link,
https://builds.tuxbuild.com/22E1lTwjlXKmMoDPpESc96Cszdo/
## Build
* kernel: 4.14.258-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git branch: linux-4.14.y
* git commit: 5aef54c7f9c79b66de0fc4ee21754c4336cb927e
* git describe: v4.14.257-54-g5aef54c7f9c7
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-4.14.y/build/v4.14.257-54-g5aef54c7f9c7
## No Test Regressions (compared to v4.14.257)
## No Test Fixes (compared to v4.14.257)
## Test result summary
total: 76832, pass: 61693, fail: 668, skip: 12387, xfail: 2084
## Build Summary
* arm: 254 total, 186 passed, 68 failed
* arm64: 32 total, 32 passed, 0 failed
* dragonboard-410c: 1 total, 1 passed, 0 failed
* hi6220-hikey: 1 total, 1 passed, 0 failed
* i386: 19 total, 19 passed, 0 failed
* juno-r2: 1 total, 1 passed, 0 failed
* mips: 22 total, 22 passed, 0 failed
* powerpc: 52 total, 0 passed, 52 failed
* sparc: 12 total, 12 passed, 0 failed
* x15: 1 total, 1 passed, 0 failed
* x86: 1 total, 1 passed, 0 failed
* x86_64: 31 total, 31 passed, 0 failed
## Test suites summary
* fwts
* igt-gpu-tools
* kselftest-android
* kselftest-arm64
* kselftest-arm64/arm64.btitest.bti_c_func
* kselftest-arm64/arm64.btitest.bti_j_func
* kselftest-arm64/arm64.btitest.bti_jc_func
* kselftest-arm64/arm64.btitest.bti_none_func
* kselftest-arm64/arm64.btitest.nohint_func
* kselftest-arm64/arm64.btitest.paciasp_func
* kselftest-arm64/arm64.nobtitest.bti_c_func
* kselftest-arm64/arm64.nobtitest.bti_j_func
* kselftest-arm64/arm64.nobtitest.bti_jc_func
* kselftest-arm64/arm64.nobtitest.bti_none_func
* kselftest-arm64/arm64.nobtitest.nohint_func
* kselftest-arm64/arm64.nobtitest.paciasp_func
* kselftest-bpf
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-drivers
* kselftest-efivarfs
* kselftest-filesystems
* kselftest-firmware
* kselftest-fpu
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-ir
* kselftest-kcmp
* kselftest-kexec
* kselftest-kvm
* kselftest-lib
* kselftest-livepatch
* kselftest-membarrier
* kselftest-memfd
* kselftest-memory-hotplug
* kselftest-mincore
* kselftest-mount
* kselftest-net
* kselftest-netfilter
* kselftest-nsfs
* kselftest-openat2
* kselftest-pid_namespace
* kselftest-pidfd
* kselftest-proc
* kselftest-pstore
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-splice
* kselftest-static_keys
* kselftest-sync
* kselftest-sysctl
* kselftest-tc-testing
* kselftest-timens
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user
* kselftest-vm
* kselftest-x86
* kselftest-zram
* kvm-unit-tests
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-open-posix-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-tracing-tests
* network-basic-tests
* packetdrill
* perf
* rcutorture
* ssuite
* v4l2-compliance
--
Linaro LKFT
https://lkft.linaro.org
On Tue, Dec 14, 2021 at 10:53:19AM +0530, Naresh Kamboju wrote:
> On Mon, 13 Dec 2021 at 15:07, Greg Kroah-Hartman
> <[email protected]> wrote:
> >
> > This is the start of the stable review cycle for the 4.14.258 release.
> > There are 53 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Wed, 15 Dec 2021 09:29:16 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.258-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
>
> Results from Linaro’s test farm.
> No regressions on arm64, arm, x86_64, and i386.
>
> Tested-by: Linux Kernel Functional Testing <[email protected]>
>
> NOTE:
> Following warnings noticed on x86_64 and i386 with defconfig
> building with gcc-8/9/10/11 and clang-11/12/13 and nightly.
>
> make --silent --keep-going --jobs=8
> O=/home/tuxbuild/.cache/tuxmake/builds/current ARCH=x86_64
> CROSS_COMPILE=x86_64-linux-gnu- 'CC=sccache x86_64-linux-gnu-gcc'
> 'HOSTCC=sccache gcc' defconfig
> warning: (EFI) selects ARCH_USE_MEMREMAP_PROT which has unmet direct
> dependencies (AMD_MEM_ENCRYPT)
> warning: (EFI) selects ARCH_USE_MEMREMAP_PROT which has unmet direct
> dependencies (AMD_MEM_ENCRYPT)
I'll go drop the offending commit from all trees, thanks.
greg k-h