2021-12-13 09:46:37

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 00/74] 4.19.221-rc1 review

This is the start of the stable review cycle for the 4.19.221 release.
There are 74 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 15 Dec 2021 09:29:16 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.221-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <[email protected]>
Linux 4.19.221-rc1

Wei Yongjun <[email protected]>
net: sched: make function qdisc_free_cb() static

Cong Wang <[email protected]>
net_sched: fix a crash in tc_new_tfilter()

Vladimir Murzin <[email protected]>
irqchip: nvic: Fix offset for Interrupt Priority Offsets

Wudi Wang <[email protected]>
irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL

Pali Rohár <[email protected]>
irqchip/armada-370-xp: Fix support for Multi-MSI interrupts

Pali Rohár <[email protected]>
irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc()

Yang Yingliang <[email protected]>
iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove

Evgeny Boger <[email protected]>
iio: adc: axp20x_adc: fix charging current reporting on AXP22x

Gwendal Grignou <[email protected]>
iio: at91-sama5d2: Fix incorrect sign extension

Lars-Peter Clausen <[email protected]>
iio: dln2: Check return value of devm_iio_trigger_register()

Noralf Trønnes <[email protected]>
iio: dln2-adc: Fix lockdep complaint

Lars-Peter Clausen <[email protected]>
iio: itg3200: Call iio_trigger_notify_done() on error

Lars-Peter Clausen <[email protected]>
iio: kxsd9: Don't return error code in trigger handler

Lars-Peter Clausen <[email protected]>
iio: ltr501: Don't return error code in trigger handler

Lars-Peter Clausen <[email protected]>
iio: mma8452: Fix trigger reference couting

Lars-Peter Clausen <[email protected]>
iio: stk3310: Don't return error code in interrupt handler

Alyssa Ross <[email protected]>
iio: trigger: stm32-timer: fix MODULE_ALIAS

Lars-Peter Clausen <[email protected]>
iio: trigger: Fix reference counting

Mathias Nyman <[email protected]>
xhci: avoid race between disable slot command and host runtime suspend

Pavel Hofman <[email protected]>
usb: core: config: using bit mask instead of individual bits

Kai-Heng Feng <[email protected]>
xhci: Remove CONFIG_USB_DEFAULT_PERSIST to prevent xHCI from runtime suspending

Pavel Hofman <[email protected]>
usb: core: config: fix validation of wMaxPacketValue entries

Greg Kroah-Hartman <[email protected]>
USB: gadget: zero allocate endpoint 0 buffers

Greg Kroah-Hartman <[email protected]>
USB: gadget: detect too-big endpoint 0 requests

Dan Carpenter <[email protected]>
net/qla3xxx: fix an error code in ql_adapter_up()

Eric Dumazet <[email protected]>
net, neigh: clear whole pneigh_entry at alloc time

Joakim Zhang <[email protected]>
net: fec: only clear interrupt of handling queue in fec_enet_rx_queue()

Dan Carpenter <[email protected]>
net: altera: set a couple error code in probe()

Lee Jones <[email protected]>
net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero

Arnaldo Carvalho de Melo <[email protected]>
tools build: Remove needless libpython-version feature check that breaks test-all fast path

Herve Codina <[email protected]>
mtd: rawnand: fsmc: Take instruction delay into account

Mateusz Palczewski <[email protected]>
i40e: Fix pre-set max number of queues for VF

Srinivas Kandagatla <[email protected]>
ASoC: qdsp6: q6routing: Fix return value from msm_routing_put_audio_mixer

Manish Chopra <[email protected]>
qede: validate non LSO skb length

Davidlohr Bueso <[email protected]>
block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2)

Steven Rostedt (VMware) <[email protected]>
tracefs: Set all files to the same group ownership as the mount option

Eric Biggers <[email protected]>
aio: fix use-after-free due to missing POLLFREE handling

Eric Biggers <[email protected]>
aio: keep poll requests on waitqueue until completed

Eric Biggers <[email protected]>
signalfd: use wake_up_pollfree()

Eric Biggers <[email protected]>
binder: use wake_up_pollfree()

Eric Biggers <[email protected]>
wait: add wake_up_pollfree()

Hannes Reinecke <[email protected]>
libata: add horkage for ASMedia 1092

Tom Lendacky <[email protected]>
x86/sme: Explicitly map new EFI memmap table as encrypted

Brian Silverman <[email protected]>
can: m_can: Disable and ignore ELO interrupt

Vincent Mailhol <[email protected]>
can: pch_can: pch_can_rx_normal: fix use after free

Dmitry Baryshkov <[email protected]>
clk: qcom: regmap-mux: fix parent clock lookup

Steven Rostedt (VMware) <[email protected]>
tracefs: Have new files inherit the ownership of their parent

Takashi Iwai <[email protected]>
ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*()

Takashi Iwai <[email protected]>
ALSA: pcm: oss: Limit the period size to 16MB

Takashi Iwai <[email protected]>
ALSA: pcm: oss: Fix negative period/buffer sizes

Alan Young <[email protected]>
ALSA: ctl: Fix copy of updated id with element read/write

Manjong Lee <[email protected]>
mm: bdi: initialize bdi_min_ratio when bdi is unregistered

Mike Marciniszyn <[email protected]>
IB/hfi1: Correct guard on eager buffer deallocation

Jianguo Wu <[email protected]>
udp: using datalen to cap max gso segments

Andrea Mayer <[email protected]>
seg6: fix the iif in the IPv6 socket control block

Jianglei Nie <[email protected]>
nfp: Fix memory leak in nfp_cpp_area_cache_add()

Eric Dumazet <[email protected]>
bonding: make tx_rebalance_counter an atomic

Jesse Brandeburg <[email protected]>
ice: ignore dropped packets during init

Maxim Mikityanskiy <[email protected]>
bpf: Fix the off-by-two error in range markings

Krzysztof Kozlowski <[email protected]>
nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done

Vlad Buslov <[email protected]>
net: sched: use Qdisc rcu API instead of relying on rtnl lock

Vlad Buslov <[email protected]>
net: sched: add helper function to take reference to Qdisc

Vlad Buslov <[email protected]>
net: sched: extend Qdisc with rcu

Vlad Buslov <[email protected]>
net: sched: rename qdisc_destroy() to qdisc_put()

Vlad Buslov <[email protected]>
net: core: netlink: add helper refcount dec and lock function

Dan Carpenter <[email protected]>
can: sja1000: fix use after free in ems_pcmcia_add_card()

Jimmy Assarsson <[email protected]>
can: kvaser_usb: get CAN clock frequency from device

Greg Kroah-Hartman <[email protected]>
HID: check for valid USB device for many HID drivers

Greg Kroah-Hartman <[email protected]>
HID: wacom: fix problems when device is not a valid USB device

Greg Kroah-Hartman <[email protected]>
HID: add USB_HID dependancy on some USB HID drivers

Greg Kroah-Hartman <[email protected]>
HID: add USB_HID dependancy to hid-chicony

Greg Kroah-Hartman <[email protected]>
HID: add USB_HID dependancy to hid-prodikeys

Greg Kroah-Hartman <[email protected]>
HID: add hid_is_usb() function to make it simpler for USB detection

xiazhengqiao <[email protected]>
HID: google: add eel USB id


-------------

Diffstat:

Makefile | 4 +-
arch/x86/Kconfig | 1 +
arch/x86/platform/efi/quirks.c | 3 +-
block/ioprio.c | 3 +
drivers/android/binder.c | 21 +--
drivers/ata/libata-core.c | 2 +
drivers/clk/qcom/clk-regmap-mux.c | 2 +-
drivers/clk/qcom/common.c | 12 ++
drivers/clk/qcom/common.h | 2 +
drivers/hid/Kconfig | 10 +-
drivers/hid/hid-asus.c | 2 +-
drivers/hid/hid-chicony.c | 8 +-
drivers/hid/hid-corsair.c | 7 +-
drivers/hid/hid-elan.c | 2 +-
drivers/hid/hid-elo.c | 3 +
drivers/hid/hid-google-hammer.c | 2 +
drivers/hid/hid-holtek-kbd.c | 9 +-
drivers/hid/hid-holtek-mouse.c | 9 +
drivers/hid/hid-ids.h | 1 +
drivers/hid/hid-lg.c | 10 +-
drivers/hid/hid-prodikeys.c | 10 +-
drivers/hid/hid-roccat-arvo.c | 3 +
drivers/hid/hid-roccat-isku.c | 3 +
drivers/hid/hid-roccat-kone.c | 3 +
drivers/hid/hid-roccat-koneplus.c | 3 +
drivers/hid/hid-roccat-konepure.c | 3 +
drivers/hid/hid-roccat-kovaplus.c | 3 +
drivers/hid/hid-roccat-lua.c | 3 +
drivers/hid/hid-roccat-pyra.c | 3 +
drivers/hid/hid-roccat-ryos.c | 3 +
drivers/hid/hid-roccat-savu.c | 3 +
drivers/hid/hid-samsung.c | 3 +
drivers/hid/hid-uclogic.c | 3 +
drivers/hid/wacom_sys.c | 19 ++-
drivers/iio/accel/kxcjk-1013.c | 5 +-
drivers/iio/accel/kxsd9.c | 6 +-
drivers/iio/accel/mma8452.c | 2 +-
drivers/iio/adc/at91-sama5d2_adc.c | 3 +-
drivers/iio/adc/axp20x_adc.c | 18 +-
drivers/iio/adc/dln2-adc.c | 21 ++-
drivers/iio/gyro/itg3200_buffer.c | 2 +-
drivers/iio/industrialio-trigger.c | 1 -
drivers/iio/light/ltr501.c | 2 +-
drivers/iio/light/stk3310.c | 6 +-
drivers/iio/trigger/stm32-timer-trigger.c | 2 +-
drivers/infiniband/hw/hfi1/init.c | 2 +-
drivers/irqchip/irq-armada-370-xp.c | 16 +-
drivers/irqchip/irq-gic-v3-its.c | 2 +-
drivers/irqchip/irq-nvic.c | 2 +-
drivers/mtd/nand/raw/fsmc_nand.c | 4 +
drivers/net/bonding/bond_alb.c | 14 +-
drivers/net/can/m_can/m_can.c | 14 +-
drivers/net/can/pch_can.c | 2 +-
drivers/net/can/sja1000/ems_pcmcia.c | 7 +-
drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 101 +++++++----
drivers/net/ethernet/altera/altera_tse_main.c | 9 +-
drivers/net/ethernet/freescale/fec.h | 3 +
drivers/net/ethernet/freescale/fec_main.c | 2 +-
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 5 -
drivers/net/ethernet/intel/ice/ice_main.c | 3 +
.../ethernet/netronome/nfp/nfpcore/nfp_cppcore.c | 4 +-
drivers/net/ethernet/qlogic/qede/qede_fp.c | 7 +
drivers/net/ethernet/qlogic/qla3xxx.c | 19 +--
drivers/net/usb/cdc_ncm.c | 2 +
drivers/usb/core/config.c | 6 +-
drivers/usb/gadget/composite.c | 14 +-
drivers/usb/gadget/legacy/dbgp.c | 15 +-
drivers/usb/gadget/legacy/inode.c | 16 +-
drivers/usb/host/xhci-hub.c | 1 +
drivers/usb/host/xhci-ring.c | 1 -
drivers/usb/host/xhci.c | 26 +--
fs/aio.c | 184 +++++++++++++++++----
fs/signalfd.c | 12 +-
fs/tracefs/inode.c | 76 +++++++++
include/linux/hid.h | 5 +
include/linux/rtnetlink.h | 7 +
include/linux/wait.h | 26 +++
include/net/bond_alb.h | 2 +-
include/net/pkt_sched.h | 1 +
include/net/sch_generic.h | 17 +-
include/uapi/asm-generic/poll.h | 2 +-
kernel/bpf/verifier.c | 2 +-
kernel/sched/wait.c | 7 +
mm/backing-dev.c | 7 +
net/core/neighbour.c | 2 +-
net/core/rtnetlink.c | 6 +
net/ipv4/udp.c | 2 +-
net/ipv6/seg6_iptunnel.c | 8 +
net/nfc/netlink.c | 6 +-
net/sched/cls_api.c | 81 +++++++--
net/sched/sch_api.c | 24 ++-
net/sched/sch_atm.c | 2 +-
net/sched/sch_cbq.c | 2 +-
net/sched/sch_cbs.c | 2 +-
net/sched/sch_drr.c | 4 +-
net/sched/sch_dsmark.c | 2 +-
net/sched/sch_fifo.c | 2 +-
net/sched/sch_generic.c | 48 ++++--
net/sched/sch_hfsc.c | 2 +-
net/sched/sch_htb.c | 4 +-
net/sched/sch_mq.c | 4 +-
net/sched/sch_mqprio.c | 4 +-
net/sched/sch_multiq.c | 6 +-
net/sched/sch_netem.c | 2 +-
net/sched/sch_prio.c | 6 +-
net/sched/sch_qfq.c | 4 +-
net/sched/sch_red.c | 4 +-
net/sched/sch_sfb.c | 4 +-
net/sched/sch_tbf.c | 4 +-
sound/core/control_compat.c | 3 +
sound/core/oss/pcm_oss.c | 37 +++--
sound/soc/qcom/qdsp6/q6routing.c | 8 +-
tools/build/Makefile.feature | 1 -
tools/build/feature/Makefile | 4 -
tools/build/feature/test-all.c | 5 -
tools/build/feature/test-libpython-version.c | 11 --
tools/perf/Makefile.config | 2 -
117 files changed, 878 insertions(+), 319 deletions(-)




2021-12-13 09:46:51

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 24/74] ALSA: ctl: Fix copy of updated id with element read/write

From: Alan Young <[email protected]>

commit b6409dd6bdc03aa178bbff0d80db2a30d29b63ac upstream.

When control_compat.c:copy_ctl_value_to_user() is used, by
ctl_elem_read_user() & ctl_elem_write_user(), it must also copy back the
snd_ctl_elem_id value that may have been updated (filled in) by the call
to snd_ctl_elem_read/snd_ctl_elem_write().

This matches the functionality provided by snd_ctl_elem_read_user() and
snd_ctl_elem_write_user(), via snd_ctl_build_ioff().

Without this, and without making additional calls to snd_ctl_info()
which are unnecessary when using the non-compat calls, a userspace
application will not know the numid value for the element and
consequently will not be able to use the poll/read interface on the
control file to determine which elements have updates.

Signed-off-by: Alan Young <[email protected]>
Cc: <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
sound/core/control_compat.c | 3 +++
1 file changed, 3 insertions(+)

--- a/sound/core/control_compat.c
+++ b/sound/core/control_compat.c
@@ -279,6 +279,7 @@ static int copy_ctl_value_to_user(void _
struct snd_ctl_elem_value *data,
int type, int count)
{
+ struct snd_ctl_elem_value32 __user *data32 = userdata;
int i, size;

if (type == SNDRV_CTL_ELEM_TYPE_BOOLEAN ||
@@ -295,6 +296,8 @@ static int copy_ctl_value_to_user(void _
if (copy_to_user(valuep, data->value.bytes.data, size))
return -EFAULT;
}
+ if (copy_to_user(&data32->id, &data->id, sizeof(data32->id)))
+ return -EFAULT;
return 0;
}




2021-12-13 09:48:25

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 35/74] binder: use wake_up_pollfree()

From: Eric Biggers <[email protected]>

commit a880b28a71e39013e357fd3adccd1d8a31bc69a8 upstream.

wake_up_poll() uses nr_exclusive=1, so it's not guaranteed to wake up
all exclusive waiters. Yet, POLLFREE *must* wake up all waiters. epoll
and aio poll are fortunately not affected by this, but it's very
fragile. Thus, the new function wake_up_pollfree() has been introduced.

Convert binder to use wake_up_pollfree().

Reported-by: Linus Torvalds <[email protected]>
Fixes: f5cb779ba163 ("ANDROID: binder: remove waitqueue when thread exits.")
Cc: [email protected]
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Eric Biggers <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/android/binder.c | 21 +++++++++------------
1 file changed, 9 insertions(+), 12 deletions(-)

--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -4416,23 +4416,20 @@ static int binder_thread_release(struct
}

/*
- * If this thread used poll, make sure we remove the waitqueue
- * from any epoll data structures holding it with POLLFREE.
- * waitqueue_active() is safe to use here because we're holding
- * the inner lock.
+ * If this thread used poll, make sure we remove the waitqueue from any
+ * poll data structures holding it.
*/
- if ((thread->looper & BINDER_LOOPER_STATE_POLL) &&
- waitqueue_active(&thread->wait)) {
- wake_up_poll(&thread->wait, EPOLLHUP | POLLFREE);
- }
+ if (thread->looper & BINDER_LOOPER_STATE_POLL)
+ wake_up_pollfree(&thread->wait);

binder_inner_proc_unlock(thread->proc);

/*
- * This is needed to avoid races between wake_up_poll() above and
- * and ep_remove_waitqueue() called for other reasons (eg the epoll file
- * descriptor being closed); ep_remove_waitqueue() holds an RCU read
- * lock, so we can be sure it's done after calling synchronize_rcu().
+ * This is needed to avoid races between wake_up_pollfree() above and
+ * someone else removing the last entry from the queue for other reasons
+ * (e.g. ep_remove_wait_queue() being called due to an epoll file
+ * descriptor being closed). Such other users hold an RCU read lock, so
+ * we can be sure they're done after we call synchronize_rcu().
*/
if (thread->looper & BINDER_LOOPER_STATE_POLL)
synchronize_rcu();



2021-12-13 09:48:26

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 34/74] wait: add wake_up_pollfree()

From: Eric Biggers <[email protected]>

commit 42288cb44c4b5fff7653bc392b583a2b8bd6a8c0 upstream.

Several ->poll() implementations are special in that they use a
waitqueue whose lifetime is the current task, rather than the struct
file as is normally the case. This is okay for blocking polls, since a
blocking poll occurs within one task; however, non-blocking polls
require another solution. This solution is for the queue to be cleared
before it is freed, using 'wake_up_poll(wq, EPOLLHUP | POLLFREE);'.

However, that has a bug: wake_up_poll() calls __wake_up() with
nr_exclusive=1. Therefore, if there are multiple "exclusive" waiters,
and the wakeup function for the first one returns a positive value, only
that one will be called. That's *not* what's needed for POLLFREE;
POLLFREE is special in that it really needs to wake up everyone.

Considering the three non-blocking poll systems:

- io_uring poll doesn't handle POLLFREE at all, so it is broken anyway.

- aio poll is unaffected, since it doesn't support exclusive waits.
However, that's fragile, as someone could add this feature later.

- epoll doesn't appear to be broken by this, since its wakeup function
returns 0 when it sees POLLFREE. But this is fragile.

Although there is a workaround (see epoll), it's better to define a
function which always sends POLLFREE to all waiters. Add such a
function. Also make it verify that the queue really becomes empty after
all waiters have been woken up.

Reported-by: Linus Torvalds <[email protected]>
Cc: [email protected]
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Eric Biggers <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
include/linux/wait.h | 26 ++++++++++++++++++++++++++
kernel/sched/wait.c | 7 +++++++
2 files changed, 33 insertions(+)

--- a/include/linux/wait.h
+++ b/include/linux/wait.h
@@ -191,6 +191,7 @@ void __wake_up_locked_key_bookmark(struc
void __wake_up_sync_key(struct wait_queue_head *wq_head, unsigned int mode, int nr, void *key);
void __wake_up_locked(struct wait_queue_head *wq_head, unsigned int mode, int nr);
void __wake_up_sync(struct wait_queue_head *wq_head, unsigned int mode, int nr);
+void __wake_up_pollfree(struct wait_queue_head *wq_head);

#define wake_up(x) __wake_up(x, TASK_NORMAL, 1, NULL)
#define wake_up_nr(x, nr) __wake_up(x, TASK_NORMAL, nr, NULL)
@@ -217,6 +218,31 @@ void __wake_up_sync(struct wait_queue_he
#define wake_up_interruptible_sync_poll(x, m) \
__wake_up_sync_key((x), TASK_INTERRUPTIBLE, 1, poll_to_key(m))

+/**
+ * wake_up_pollfree - signal that a polled waitqueue is going away
+ * @wq_head: the wait queue head
+ *
+ * In the very rare cases where a ->poll() implementation uses a waitqueue whose
+ * lifetime is tied to a task rather than to the 'struct file' being polled,
+ * this function must be called before the waitqueue is freed so that
+ * non-blocking polls (e.g. epoll) are notified that the queue is going away.
+ *
+ * The caller must also RCU-delay the freeing of the wait_queue_head, e.g. via
+ * an explicit synchronize_rcu() or call_rcu(), or via SLAB_TYPESAFE_BY_RCU.
+ */
+static inline void wake_up_pollfree(struct wait_queue_head *wq_head)
+{
+ /*
+ * For performance reasons, we don't always take the queue lock here.
+ * Therefore, we might race with someone removing the last entry from
+ * the queue, and proceed while they still hold the queue lock.
+ * However, rcu_read_lock() is required to be held in such cases, so we
+ * can safely proceed with an RCU-delayed free.
+ */
+ if (waitqueue_active(wq_head))
+ __wake_up_pollfree(wq_head);
+}
+
#define ___wait_cond_timeout(condition) \
({ \
bool __cond = (condition); \
--- a/kernel/sched/wait.c
+++ b/kernel/sched/wait.c
@@ -209,6 +209,13 @@ void __wake_up_sync(struct wait_queue_he
}
EXPORT_SYMBOL_GPL(__wake_up_sync); /* For internal use only */

+void __wake_up_pollfree(struct wait_queue_head *wq_head)
+{
+ __wake_up(wq_head, TASK_NORMAL, 0, poll_to_key(EPOLLHUP | POLLFREE));
+ /* POLLFREE must have cleared the queue. */
+ WARN_ON_ONCE(waitqueue_active(wq_head));
+}
+
/*
* Note: we use "set_current_state()" _after_ the wait-queue add,
* because we need a memory barrier there on SMP, so that any



2021-12-13 09:48:29

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 36/74] signalfd: use wake_up_pollfree()

From: Eric Biggers <[email protected]>

commit 9537bae0da1f8d1e2361ab6d0479e8af7824e160 upstream.

wake_up_poll() uses nr_exclusive=1, so it's not guaranteed to wake up
all exclusive waiters. Yet, POLLFREE *must* wake up all waiters. epoll
and aio poll are fortunately not affected by this, but it's very
fragile. Thus, the new function wake_up_pollfree() has been introduced.

Convert signalfd to use wake_up_pollfree().

Reported-by: Linus Torvalds <[email protected]>
Fixes: d80e731ecab4 ("epoll: introduce POLLFREE to flush ->signalfd_wqh before kfree()")
Cc: [email protected]
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Eric Biggers <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
fs/signalfd.c | 12 +-----------
1 file changed, 1 insertion(+), 11 deletions(-)

--- a/fs/signalfd.c
+++ b/fs/signalfd.c
@@ -35,17 +35,7 @@

void signalfd_cleanup(struct sighand_struct *sighand)
{
- wait_queue_head_t *wqh = &sighand->signalfd_wqh;
- /*
- * The lockless check can race with remove_wait_queue() in progress,
- * but in this case its caller should run under rcu_read_lock() and
- * sighand_cachep is SLAB_TYPESAFE_BY_RCU, we can safely return.
- */
- if (likely(!waitqueue_active(wqh)))
- return;
-
- /* wait_queue_entry_t->func(POLLFREE) should do remove_wait_queue() */
- wake_up_poll(wqh, EPOLLHUP | POLLFREE);
+ wake_up_pollfree(&sighand->signalfd_wqh);
}

struct signalfd_ctx {



2021-12-13 09:48:59

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 50/74] net/qla3xxx: fix an error code in ql_adapter_up()

From: Dan Carpenter <[email protected]>

commit d17b9737c2bc09b4ac6caf469826e5a7ce3ffab7 upstream.

The ql_wait_for_drvr_lock() fails and returns false, then this
function should return an error code instead of returning success.

The other problem is that the success path prints an error message
netdev_err(ndev, "Releasing driver lock\n"); Delete that and
re-order the code a little to make it more clear.

Fixes: 5a4faa873782 ("[PATCH] qla3xxx NIC driver")
Signed-off-by: Dan Carpenter <[email protected]>
Link: https://lore.kernel.org/r/20211207082416.GA16110@kili
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/ethernet/qlogic/qla3xxx.c | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)

--- a/drivers/net/ethernet/qlogic/qla3xxx.c
+++ b/drivers/net/ethernet/qlogic/qla3xxx.c
@@ -3496,20 +3496,19 @@ static int ql_adapter_up(struct ql3_adap

spin_lock_irqsave(&qdev->hw_lock, hw_flags);

- err = ql_wait_for_drvr_lock(qdev);
- if (err) {
- err = ql_adapter_initialize(qdev);
- if (err) {
- netdev_err(ndev, "Unable to initialize adapter\n");
- goto err_init;
- }
- netdev_err(ndev, "Releasing driver lock\n");
- ql_sem_unlock(qdev, QL_DRVR_SEM_MASK);
- } else {
+ if (!ql_wait_for_drvr_lock(qdev)) {
netdev_err(ndev, "Could not acquire driver lock\n");
+ err = -ENODEV;
goto err_lock;
}

+ err = ql_adapter_initialize(qdev);
+ if (err) {
+ netdev_err(ndev, "Unable to initialize adapter\n");
+ goto err_init;
+ }
+ ql_sem_unlock(qdev, QL_DRVR_SEM_MASK);
+
spin_unlock_irqrestore(&qdev->hw_lock, hw_flags);

set_bit(QL_ADAPTER_UP, &qdev->flags);



2021-12-13 09:49:07

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 52/74] USB: gadget: zero allocate endpoint 0 buffers

From: Greg Kroah-Hartman <[email protected]>

commit 86ebbc11bb3f60908a51f3e41a17e3f477c2eaa3 upstream.

Under some conditions, USB gadget devices can show allocated buffer
contents to a host. Fix this up by zero-allocating them so that any
extra data will all just be zeros.

Reported-by: Szymon Heidrich <[email protected]>
Tested-by: Szymon Heidrich <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/usb/gadget/composite.c | 2 +-
drivers/usb/gadget/legacy/dbgp.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -2159,7 +2159,7 @@ int composite_dev_prepare(struct usb_com
if (!cdev->req)
return -ENOMEM;

- cdev->req->buf = kmalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL);
+ cdev->req->buf = kzalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL);
if (!cdev->req->buf)
goto fail;

--- a/drivers/usb/gadget/legacy/dbgp.c
+++ b/drivers/usb/gadget/legacy/dbgp.c
@@ -137,7 +137,7 @@ static int dbgp_enable_ep_req(struct usb
goto fail_1;
}

- req->buf = kmalloc(DBGP_REQ_LEN, GFP_KERNEL);
+ req->buf = kzalloc(DBGP_REQ_LEN, GFP_KERNEL);
if (!req->buf) {
err = -ENOMEM;
stp = 2;



2021-12-13 09:49:14

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 26/74] ALSA: pcm: oss: Limit the period size to 16MB

From: Takashi Iwai <[email protected]>

commit 8839c8c0f77ab8fc0463f4ab8b37fca3f70677c2 upstream.

Set the practical limit to the period size (the fragment shift in OSS)
instead of a full 31bit; a too large value could lead to the exhaust
of memory as we allocate temporary buffers of the period size, too.

As of this patch, we set to 16MB limit, which should cover all use
cases.

Reported-by: [email protected]
Reported-by: Bixuan Cui <[email protected]>
Cc: <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
sound/core/oss/pcm_oss.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -1967,7 +1967,7 @@ static int snd_pcm_oss_set_fragment1(str
if (runtime->oss.subdivision || runtime->oss.fragshift)
return -EINVAL;
fragshift = val & 0xffff;
- if (fragshift >= 31)
+ if (fragshift >= 25) /* should be large enough */
return -EINVAL;
runtime->oss.fragshift = fragshift;
runtime->oss.maxfrags = (val >> 16) & 0xffff;



2021-12-13 09:50:19

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 58/74] iio: trigger: stm32-timer: fix MODULE_ALIAS

From: Alyssa Ross <[email protected]>

commit 893621e0606747c5bbefcaf2794d12c7aa6212b7 upstream.

modprobe can't handle spaces in aliases.

Fixes: 93fbe91b5521 ("iio: Add STM32 timer trigger driver")
Signed-off-by: Alyssa Ross <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Cc: <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/iio/trigger/stm32-timer-trigger.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/trigger/stm32-timer-trigger.c
+++ b/drivers/iio/trigger/stm32-timer-trigger.c
@@ -884,6 +884,6 @@ static struct platform_driver stm32_time
};
module_platform_driver(stm32_timer_trigger_driver);

-MODULE_ALIAS("platform: stm32-timer-trigger");
+MODULE_ALIAS("platform:stm32-timer-trigger");
MODULE_DESCRIPTION("STMicroelectronics STM32 Timer Trigger driver");
MODULE_LICENSE("GPL v2");



2021-12-13 09:50:25

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 57/74] iio: trigger: Fix reference counting

From: Lars-Peter Clausen <[email protected]>

commit a827a4984664308f13599a0b26c77018176d0c7c upstream.

In viio_trigger_alloc() device_initialize() is used to set the initial
reference count of the trigger to 1. Then another get_device() is called on
trigger. This sets the reference count to 2 before the trigger is returned.

iio_trigger_free(), which is the matching API to viio_trigger_alloc(),
calls put_device() which decreases the reference count by 1. But the second
reference count acquired in viio_trigger_alloc() is never dropped.

As a result the iio_trigger_release() function is never called and the
memory associated with the trigger is never freed.

Since there is no reason for the trigger to start its lifetime with two
reference counts just remove the extra get_device() in
viio_trigger_alloc().

Fixes: 5f9c035cae18 ("staging:iio:triggers. Add a reference get to the core for triggers.")
Signed-off-by: Lars-Peter Clausen <[email protected]>
Acked-by: Nuno Sá <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Cc: <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/iio/industrialio-trigger.c | 1 -
1 file changed, 1 deletion(-)

--- a/drivers/iio/industrialio-trigger.c
+++ b/drivers/iio/industrialio-trigger.c
@@ -549,7 +549,6 @@ static struct iio_trigger *viio_trigger_
irq_modify_status(trig->subirq_base + i,
IRQ_NOREQUEST | IRQ_NOAUTOEN, IRQ_NOPROBE);
}
- get_device(&trig->dev);

return trig;




2021-12-13 09:51:12

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 30/74] can: pch_can: pch_can_rx_normal: fix use after free

From: Vincent Mailhol <[email protected]>

commit 94cddf1e9227a171b27292509d59691819c458db upstream.

After calling netif_receive_skb(skb), dereferencing skb is unsafe.
Especially, the can_frame cf which aliases skb memory is dereferenced
just after the call netif_receive_skb(skb).

Reordering the lines solves the issue.

Fixes: b21d18b51b31 ("can: Topcliff: Add PCH_CAN driver.")
Link: https://lore.kernel.org/all/[email protected]
Cc: [email protected]
Signed-off-by: Vincent Mailhol <[email protected]>
Signed-off-by: Marc Kleine-Budde <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/can/pch_can.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/can/pch_can.c
+++ b/drivers/net/can/pch_can.c
@@ -703,11 +703,11 @@ static int pch_can_rx_normal(struct net_
cf->data[i + 1] = data_reg >> 8;
}

- netif_receive_skb(skb);
rcv_pkts++;
stats->rx_packets++;
quota--;
stats->rx_bytes += cf->can_dlc;
+ netif_receive_skb(skb);

pch_fifo_thresh(priv, obj_num);
obj_num++;



2021-12-13 09:51:24

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 55/74] usb: core: config: using bit mask instead of individual bits

From: Pavel Hofman <[email protected]>

commit ca5737396927afd4d57b133fd2874bbcf3421cdb upstream.

Using standard USB_EP_MAXP_MULT_MASK instead of individual bits for
extracting multiple-transactions bits from wMaxPacketSize value.

Acked-by: Alan Stern <[email protected]>
Signed-off-by: Pavel Hofman <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/usb/core/config.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -425,9 +425,9 @@ static int usb_parse_endpoint(struct dev
maxpacket_maxes = full_speed_maxpacket_maxes;
break;
case USB_SPEED_HIGH:
- /* Bits 12..11 are allowed only for HS periodic endpoints */
+ /* Multiple-transactions bits are allowed only for HS periodic endpoints */
if (usb_endpoint_xfer_int(d) || usb_endpoint_xfer_isoc(d)) {
- i = maxp & (BIT(12) | BIT(11));
+ i = maxp & USB_EP_MAXP_MULT_MASK;
maxp &= ~i;
}
/* fallthrough */



2021-12-13 09:51:36

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 70/74] irqchip/armada-370-xp: Fix support for Multi-MSI interrupts

From: Pali Rohár <[email protected]>

commit d0a553502efd545c1ce3fd08fc4d423f8e4ac3d6 upstream.

irq-armada-370-xp driver already sets MSI_FLAG_MULTI_PCI_MSI flag into
msi_domain_info structure. But allocated interrupt numbers for Multi-MSI
needs to be properly aligned otherwise devices send MSI interrupt with
wrong number.

Fix this issue by using function bitmap_find_free_region() instead of
bitmap_find_next_zero_area() to allocate aligned interrupt numbers.

Signed-off-by: Pali Rohár <[email protected]>
Fixes: a71b9412c90c ("irqchip/armada-370-xp: Allow allocation of multiple MSIs")
Cc: [email protected]
Signed-off-by: Marc Zyngier <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/irqchip/irq-armada-370-xp.c | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)

--- a/drivers/irqchip/irq-armada-370-xp.c
+++ b/drivers/irqchip/irq-armada-370-xp.c
@@ -232,16 +232,12 @@ static int armada_370_xp_msi_alloc(struc
int hwirq, i;

mutex_lock(&msi_used_lock);
+ hwirq = bitmap_find_free_region(msi_used, PCI_MSI_DOORBELL_NR,
+ order_base_2(nr_irqs));
+ mutex_unlock(&msi_used_lock);

- hwirq = bitmap_find_next_zero_area(msi_used, PCI_MSI_DOORBELL_NR,
- 0, nr_irqs, 0);
- if (hwirq >= PCI_MSI_DOORBELL_NR) {
- mutex_unlock(&msi_used_lock);
+ if (hwirq < 0)
return -ENOSPC;
- }
-
- bitmap_set(msi_used, hwirq, nr_irqs);
- mutex_unlock(&msi_used_lock);

for (i = 0; i < nr_irqs; i++) {
irq_domain_set_info(domain, virq + i, hwirq + i,
@@ -259,7 +255,7 @@ static void armada_370_xp_msi_free(struc
struct irq_data *d = irq_domain_get_irq_data(domain, virq);

mutex_lock(&msi_used_lock);
- bitmap_clear(msi_used, d->hwirq, nr_irqs);
+ bitmap_release_region(msi_used, d->hwirq, order_base_2(nr_irqs));
mutex_unlock(&msi_used_lock);
}




2021-12-13 09:53:21

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 31/74] can: m_can: Disable and ignore ELO interrupt

From: Brian Silverman <[email protected]>

commit f58ac1adc76b5beda43c64ef359056077df4d93a upstream.

With the design of this driver, this condition is often triggered.
However, the counter that this interrupt indicates an overflow is never
read either, so overflowing is harmless.

On my system, when a CAN bus starts flapping up and down, this locks up
the whole system with lots of interrupts and printks.

Specifically, this interrupt indicates the CEL field of ECR has
overflowed. All reads of ECR mask out CEL.

Fixes: e0d1f4816f2a ("can: m_can: add Bosch M_CAN controller support")
Link: https://lore.kernel.org/all/[email protected]
Cc: [email protected]
Signed-off-by: Brian Silverman <[email protected]>
Signed-off-by: Marc Kleine-Budde <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/can/m_can/m_can.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)

--- a/drivers/net/can/m_can/m_can.c
+++ b/drivers/net/can/m_can/m_can.c
@@ -233,15 +233,15 @@ enum m_can_mram_cfg {

/* Interrupts for version 3.0.x */
#define IR_ERR_LEC_30X (IR_STE | IR_FOE | IR_ACKE | IR_BE | IR_CRCE)
-#define IR_ERR_BUS_30X (IR_ERR_LEC_30X | IR_WDI | IR_ELO | IR_BEU | \
- IR_BEC | IR_TOO | IR_MRAF | IR_TSW | IR_TEFL | \
- IR_RF1L | IR_RF0L)
+#define IR_ERR_BUS_30X (IR_ERR_LEC_30X | IR_WDI | IR_BEU | IR_BEC | \
+ IR_TOO | IR_MRAF | IR_TSW | IR_TEFL | IR_RF1L | \
+ IR_RF0L)
#define IR_ERR_ALL_30X (IR_ERR_STATE | IR_ERR_BUS_30X)
/* Interrupts for version >= 3.1.x */
#define IR_ERR_LEC_31X (IR_PED | IR_PEA)
-#define IR_ERR_BUS_31X (IR_ERR_LEC_31X | IR_WDI | IR_ELO | IR_BEU | \
- IR_BEC | IR_TOO | IR_MRAF | IR_TSW | IR_TEFL | \
- IR_RF1L | IR_RF0L)
+#define IR_ERR_BUS_31X (IR_ERR_LEC_31X | IR_WDI | IR_BEU | IR_BEC | \
+ IR_TOO | IR_MRAF | IR_TSW | IR_TEFL | IR_RF1L | \
+ IR_RF0L)
#define IR_ERR_ALL_31X (IR_ERR_STATE | IR_ERR_BUS_31X)

/* Interrupt Line Select (ILS) */
@@ -769,8 +769,6 @@ static void m_can_handle_other_err(struc
{
if (irqstatus & IR_WDI)
netdev_err(dev, "Message RAM Watchdog event due to missing READY\n");
- if (irqstatus & IR_ELO)
- netdev_err(dev, "Error Logging Overflow\n");
if (irqstatus & IR_BEU)
netdev_err(dev, "Bit Error Uncorrected\n");
if (irqstatus & IR_BEC)



2021-12-13 09:53:22

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 28/74] tracefs: Have new files inherit the ownership of their parent

From: Steven Rostedt (VMware) <[email protected]>

commit ee7f3666995d8537dec17b1d35425f28877671a9 upstream.

If directories in tracefs have their ownership changed, then any new files
and directories that are created under those directories should inherit
the ownership of the director they are created in.

Link: https://lkml.kernel.org/r/[email protected]

Cc: Kees Cook <[email protected]>
Cc: Ingo Molnar <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Al Viro <[email protected]>
Cc: Greg Kroah-Hartman <[email protected]>
Cc: Yabin Cui <[email protected]>
Cc: Christian Brauner <[email protected]>
Cc: [email protected]
Fixes: 4282d60689d4f ("tracefs: Add new tracefs file system")
Reported-by: Kalesh Singh <[email protected]>
Reported: https://lore.kernel.org/all/CAC_TJve8MMAv+H_NdLSJXZUSoxOEq2zB_pVaJ9p=7H6Bu3X76g@mail.gmail.com/
Signed-off-by: Steven Rostedt (VMware) <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
fs/tracefs/inode.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/fs/tracefs/inode.c
+++ b/fs/tracefs/inode.c
@@ -409,6 +409,8 @@ struct dentry *tracefs_create_file(const
inode->i_mode = mode;
inode->i_fop = fops ? fops : &tracefs_file_operations;
inode->i_private = data;
+ inode->i_uid = d_inode(dentry->d_parent)->i_uid;
+ inode->i_gid = d_inode(dentry->d_parent)->i_gid;
d_instantiate(dentry, inode);
fsnotify_create(dentry->d_parent->d_inode, dentry);
return end_creating(dentry);
@@ -431,6 +433,8 @@ static struct dentry *__create_dir(const
inode->i_mode = S_IFDIR | S_IRWXU | S_IRUSR| S_IRGRP | S_IXUSR | S_IXGRP;
inode->i_op = ops;
inode->i_fop = &simple_dir_operations;
+ inode->i_uid = d_inode(dentry->d_parent)->i_uid;
+ inode->i_gid = d_inode(dentry->d_parent)->i_gid;

/* directory inodes start off with i_nlink == 2 (for "." entry) */
inc_nlink(inode);



2021-12-13 09:53:22

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 69/74] irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc()

From: Pali Rohár <[email protected]>

commit ce20eff57361e72878a772ef08b5239d3ae102b6 upstream.

IRQ domain alloc function should return zero on success. Non-zero value
indicates failure.

Signed-off-by: Pali Rohár <[email protected]>
Fixes: fcc392d501bd ("irqchip/armada-370-xp: Use the generic MSI infrastructure")
Cc: [email protected]
Signed-off-by: Marc Zyngier <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/irqchip/irq-armada-370-xp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/irqchip/irq-armada-370-xp.c
+++ b/drivers/irqchip/irq-armada-370-xp.c
@@ -250,7 +250,7 @@ static int armada_370_xp_msi_alloc(struc
NULL, NULL);
}

- return hwirq;
+ return 0;
}

static void armada_370_xp_msi_free(struct irq_domain *domain,



2021-12-13 10:24:10

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 63/74] iio: itg3200: Call iio_trigger_notify_done() on error

From: Lars-Peter Clausen <[email protected]>

commit 67fe29583e72b2103abb661bb58036e3c1f00277 upstream.

IIO trigger handlers must call iio_trigger_notify_done() when done. This
must be done even when an error occurred. Otherwise the trigger will be
seen as busy indefinitely and the trigger handler will never be called
again.

The itg3200 driver neglects to call iio_trigger_notify_done() when there is
an error reading the gyro data. Fix this by making sure that
iio_trigger_notify_done() is included in the error exit path.

Fixes: 9dbf091da080 ("iio: gyro: Add itg3200")
Signed-off-by: Lars-Peter Clausen <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Cc: <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/iio/gyro/itg3200_buffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/gyro/itg3200_buffer.c
+++ b/drivers/iio/gyro/itg3200_buffer.c
@@ -64,9 +64,9 @@ static irqreturn_t itg3200_trigger_handl

iio_push_to_buffers_with_timestamp(indio_dev, &scan, pf->timestamp);

+error_ret:
iio_trigger_notify_done(indio_dev->trig);

-error_ret:
return IRQ_HANDLED;
}




2021-12-13 10:25:30

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 68/74] iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove

From: Yang Yingliang <[email protected]>

commit 70c9774e180d151abaab358108e3510a8e615215 upstream.

When ACPI type is ACPI_SMO8500, the data->dready_trig will not be set, the
memory allocated by iio_triggered_buffer_setup() will not be freed, and cause
memory leak as follows:

unreferenced object 0xffff888009551400 (size 512):
comm "i2c-SMO8500-125", pid 911, jiffies 4294911787 (age 83.852s)
hex dump (first 32 bytes):
02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 20 e2 e5 c0 ff ff ff ff ........ .......
backtrace:
[<0000000041ce75ee>] kmem_cache_alloc_trace+0x16d/0x360
[<000000000aeb17b0>] iio_kfifo_allocate+0x41/0x130 [kfifo_buf]
[<000000004b40c1f5>] iio_triggered_buffer_setup_ext+0x2c/0x210 [industrialio_triggered_buffer]
[<000000004375b15f>] kxcjk1013_probe+0x10c3/0x1d81 [kxcjk_1013]

Fix it by remove data->dready_trig condition in probe and remove.

Reported-by: Hulk Robot <[email protected]>
Fixes: a25691c1f967 ("iio: accel: kxcjk1013: allow using an external trigger")
Signed-off-by: Yang Yingliang <[email protected]>
Cc: <[email protected]>
Reviewed-by: Hans de Goede <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/iio/accel/kxcjk-1013.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/iio/accel/kxcjk-1013.c
+++ b/drivers/iio/accel/kxcjk-1013.c
@@ -1423,8 +1423,7 @@ static int kxcjk1013_probe(struct i2c_cl
return 0;

err_buffer_cleanup:
- if (data->dready_trig)
- iio_triggered_buffer_cleanup(indio_dev);
+ iio_triggered_buffer_cleanup(indio_dev);
err_trigger_unregister:
if (data->dready_trig)
iio_trigger_unregister(data->dready_trig);
@@ -1447,8 +1446,8 @@ static int kxcjk1013_remove(struct i2c_c
pm_runtime_set_suspended(&client->dev);
pm_runtime_put_noidle(&client->dev);

+ iio_triggered_buffer_cleanup(indio_dev);
if (data->dready_trig) {
- iio_triggered_buffer_cleanup(indio_dev);
iio_trigger_unregister(data->dready_trig);
iio_trigger_unregister(data->motion_trig);
}



2021-12-13 10:25:35

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 66/74] iio: at91-sama5d2: Fix incorrect sign extension

From: Gwendal Grignou <[email protected]>

commit 652e7df485c6884d552085ae2c73efa6cfea3547 upstream.

Use scan_type when processing raw data which also fixes that the sign
extension was from the wrong bit.

Use channel definition as root of trust and replace constant
when reading elements directly using the raw sysfs attributes.

Fixes: 6794e23fa3fe ("iio: adc: at91-sama5d2_adc: add support for oversampling resolution")
Signed-off-by: Gwendal Grignou <[email protected]>
Reviewed-by: Eugen Hristev <[email protected]>
Cc: <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/iio/adc/at91-sama5d2_adc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/iio/adc/at91-sama5d2_adc.c
+++ b/drivers/iio/adc/at91-sama5d2_adc.c
@@ -1375,7 +1375,8 @@ static int at91_adc_read_info_raw(struct
*val = st->conversion_value;
ret = at91_adc_adjust_val_osr(st, val);
if (chan->scan_type.sign == 's')
- *val = sign_extend32(*val, 11);
+ *val = sign_extend32(*val,
+ chan->scan_type.realbits - 1);
st->conversion_done = false;
}




2021-12-13 10:34:05

by Pavel Machek

[permalink] [raw]
Subject: Re: [PATCH 4.19 00/74] 4.19.221-rc1 review

Hi!

> This is the start of the stable review cycle for the 4.19.221 release.
> There are 74 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.

CIP testing did not find any problems here:

https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-4.19.y

Tested-by: Pavel Machek (CIP) <[email protected]>

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Attachments:
(No filename) (643.00 B)
signature.asc (195.00 B)
Download all attachments

2021-12-13 16:27:57

by Sudip Mukherjee

[permalink] [raw]
Subject: Re: [PATCH 4.19 00/74] 4.19.221-rc1 review

HI Greg,

On Mon, Dec 13, 2021 at 9:51 AM Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 4.19.221 release.
> There are 74 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 15 Dec 2021 09:29:16 +0000.
> Anything received after that time might be too late.

Just an initial report. mips allmodconfig is failing with the following error.

drivers/spi/spi-sh-msiof.c:78: warning: "STR" redefined
78 | #define STR 0x40 /* Status Register */
|
In file included from ./arch/mips/include/asm/mach-generic/spaces.h:15,
from ./arch/mips/include/asm/addrspace.h:13,
from ./arch/mips/include/asm/barrier.h:11,
from ./include/linux/compiler.h:320,
from ./arch/mips/include/asm/bitops.h:16,
from ./include/linux/bitops.h:19,
from ./include/linux/bitmap.h:8,
from drivers/spi/spi-sh-msiof.c:14:
./arch/mips/include/asm/mipsregs.h:30: note: this is the location of
the previous definition
30 | #define STR(x) __STR(x)
|
In file included from ./arch/mips/include/asm/sibyte/sb1250.h:41,
from drivers/watchdog/sb_wdog.c:58:
./arch/mips/include/asm/sibyte/bcm1480_scd.h:274: warning:
"M_SPC_CFG_CLEAR" redefined
274 | #define M_SPC_CFG_CLEAR M_BCM1480_SPC_CFG_CLEAR
|
In file included from ./arch/mips/include/asm/sibyte/sb1250.h:40,
from drivers/watchdog/sb_wdog.c:58:
./arch/mips/include/asm/sibyte/sb1250_scd.h:405: note: this is the
location of the previous definition
405 | #define M_SPC_CFG_CLEAR _SB_MAKEMASK1(32)
|
In file included from ./arch/mips/include/asm/sibyte/sb1250.h:41,
from drivers/watchdog/sb_wdog.c:58:
./arch/mips/include/asm/sibyte/bcm1480_scd.h:275: warning:
"M_SPC_CFG_ENABLE" redefined
275 | #define M_SPC_CFG_ENABLE M_BCM1480_SPC_CFG_ENABLE
|
In file included from ./arch/mips/include/asm/sibyte/sb1250.h:40,
from drivers/watchdog/sb_wdog.c:58:
./arch/mips/include/asm/sibyte/sb1250_scd.h:406: note: this is the
location of the previous definition
406 | #define M_SPC_CFG_ENABLE _SB_MAKEMASK1(33)
|
/src/gcc-10/bin/mips-linux-ld:
arch/mips/boot/dts/mscc/ocelot_pcb123.dtb.o: in function
`__dtb_ocelot_pcb123_begin':
(.dtb.init.rodata+0x0): multiple definition of
`__dtb_ocelot_pcb123_begin';
arch/mips/boot/dts/mscc/ocelot_pcb123.dtb.o:(.dtb.init.rodata+0x0):
first defined here
/src/gcc-10/bin/mips-linux-ld:
arch/mips/boot/dts/mscc/ocelot_pcb123.dtb.o: in function
`__dtb_ocelot_pcb123_end':
(.dtb.init.rodata+0x1003): multiple definition of
`__dtb_ocelot_pcb123_end';
arch/mips/boot/dts/mscc/ocelot_pcb123.dtb.o:(.dtb.init.rodata+0x1003):
first defined here
/src/gcc-10/bin/mips-linux-ld: arch/mips/boot/dts/mti/sead3.dtb.o: in
function `__dtb_sead3_begin':
(.dtb.init.rodata+0x0): multiple definition of `__dtb_sead3_begin';
arch/mips/boot/dts/mti/sead3.dtb.o:(.dtb.init.rodata+0x0): first
defined here
/src/gcc-10/bin/mips-linux-ld: arch/mips/boot/dts/mti/sead3.dtb.o: in
function `__dtb_sead3_end':
(.dtb.init.rodata+0x100b): multiple definition of `__dtb_sead3_end';
arch/mips/boot/dts/mti/sead3.dtb.o:(.dtb.init.rodata+0x100b): first
defined here
make: *** [Makefile:1046: vmlinux] Error 1


--
Regards
Sudip

2021-12-13 18:59:03

by Sudip Mukherjee

[permalink] [raw]
Subject: Re: [PATCH 4.19 00/74] 4.19.221-rc1 review

On Mon, Dec 13, 2021 at 4:27 PM Sudip Mukherjee
<[email protected]> wrote:
>
> HI Greg,
>
> On Mon, Dec 13, 2021 at 9:51 AM Greg Kroah-Hartman
> <[email protected]> wrote:
> >
> > This is the start of the stable review cycle for the 4.19.221 release.
> > There are 74 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Wed, 15 Dec 2021 09:29:16 +0000.
> > Anything received after that time might be too late.
>
> Just an initial report. mips allmodconfig is failing with the following error.

Ignore this please. I am not seeing the error on a clean build. Need
to check what went wrong with my build script.


--
Regards
Sudip

2021-12-13 19:06:07

by Linus Torvalds

[permalink] [raw]
Subject: Re: [PATCH 4.19 00/74] 4.19.221-rc1 review

On Mon, Dec 13, 2021 at 10:59 AM Sudip Mukherjee
<[email protected]> wrote:
>
> >
> > Just an initial report. mips allmodconfig is failing with the following error.
>
> Ignore this please. I am not seeing the error on a clean build. Need
> to check what went wrong with my build script.

The gcc plugin builds often fail if there's been a gcc version update,
and you need to blow the old plugins away.

We do not have the full dependencies for system tools, and that might
happen with other incompatible system updates too.

But practically speaking, the gcc plugins are the only thing in the
kernel build that regularly cause problems.

Linus

2021-12-13 19:55:37

by Guenter Roeck

[permalink] [raw]
Subject: Re: [PATCH 4.19 00/74] 4.19.221-rc1 review

On Mon, Dec 13, 2021 at 10:29:31AM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.221 release. There
> are 74 patches in this series, all will be posted as a response to this one.
> If anyone has any issues with these being applied, please let me know.
>
> Responses should be made by Wed, 15 Dec 2021 09:29:16 +0000. Anything
> received after that time might be too late.
>

Build results:
total: 155 pass: 155 fail: 0
Qemu test results:
total: 422 pass: 422 fail: 0

Tested-by: Guenter Roeck <[email protected]>

Guenter

2021-12-13 20:31:05

by Shuah Khan

[permalink] [raw]
Subject: Re: [PATCH 4.19 00/74] 4.19.221-rc1 review

On 12/13/21 2:29 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.221 release.
> There are 74 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 15 Dec 2021 09:29:16 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.221-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Compiled and booted on my test system. No dmesg regressions.

Tested-by: Shuah Khan <[email protected]>

thanks,
-- Shuah

2021-12-13 22:24:32

by Sudip Mukherjee

[permalink] [raw]
Subject: Re: [PATCH 4.19 00/74] 4.19.221-rc1 review

On Mon, Dec 13, 2021 at 7:06 PM Linus Torvalds
<[email protected]> wrote:
>
> On Mon, Dec 13, 2021 at 10:59 AM Sudip Mukherjee
> <[email protected]> wrote:
> >
> > >
> > > Just an initial report. mips allmodconfig is failing with the following error.
> >
> > Ignore this please. I am not seeing the error on a clean build. Need
> > to check what went wrong with my build script.
>
> The gcc plugin builds often fail if there's been a gcc version update,
> and you need to blow the old plugins away.

I have not changed my gcc since 20211112.
And, I also have "scripts/config -d GCC_PLUGINS" as part of my build script.
Anyway, I will trigger my build for v4.19.221-rc1 again to verify.


--
Regards
Sudip

2021-12-14 05:04:21

by Naresh Kamboju

[permalink] [raw]
Subject: Re: [PATCH 4.19 00/74] 4.19.221-rc1 review

On Mon, 13 Dec 2021 at 15:09, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 4.19.221 release.
> There are 74 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 15 Dec 2021 09:29:16 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.221-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Tested-by: Linux Kernel Functional Testing <[email protected]>


NOTE:
Following warnings noticed on x86_64 and i386 with defconfig
building with gcc-8/9/10/11 and clang-11/12/13 and nightly.

make --silent --keep-going --jobs=8
O=/home/tuxbuild/.cache/tuxmake/builds/current ARCH=x86_64
CROSS_COMPILE=x86_64-linux-gnu- 'CC=sccache x86_64-linux-gnu-gcc'
'HOSTCC=sccache gcc' defconfig

WARNING: unmet direct dependencies detected for ARCH_USE_MEMREMAP_PROT
Depends on [n]: AMD_MEM_ENCRYPT [=n]
Selected by [y]:
- EFI [=y] && ACPI [=y]

WARNING: unmet direct dependencies detected for ARCH_USE_MEMREMAP_PROT
Depends on [n]: AMD_MEM_ENCRYPT [=n]
Selected by [y]:
- EFI [=y] && ACPI [=y]

build link,
https://builds.tuxbuild.com/22E1yyBLiIA9rwo90Cee5hMgOPR/


## Build
* kernel: 4.19.221-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git branch: linux-4.19.y
* git commit: c65e8cddade7ba91d6b7438b4746b7b02a83bb72
* git describe: v4.19.220-75-gc65e8cddade7
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-4.19.y/build/v4.19.220-75-gc65e8cddade7

## No Test Regressions (compared to v4.19.220)

## No Test Fixes (compared to v4.19.220)

## Test result summary
total: 81020, pass: 65995, fail: 642, skip: 12539, xfail: 1844

## Build Summary
* arm: 254 total, 186 passed, 68 failed
* arm64: 35 total, 35 passed, 0 failed
* dragonboard-410c: 1 total, 1 passed, 0 failed
* hi6220-hikey: 1 total, 1 passed, 0 failed
* i386: 19 total, 19 passed, 0 failed
* juno-r2: 1 total, 1 passed, 0 failed
* mips: 26 total, 26 passed, 0 failed
* powerpc: 52 total, 0 passed, 52 failed
* s390: 12 total, 12 passed, 0 failed
* sparc: 12 total, 12 passed, 0 failed
* x15: 1 total, 1 passed, 0 failed
* x86: 1 total, 1 passed, 0 failed
* x86_64: 34 total, 34 passed, 0 failed

## Test suites summary
* fwts
* igt-gpu-tools
* kselftest-android
* kselftest-arm64
* kselftest-arm64/arm64.btitest.bti_c_func
* kselftest-arm64/arm64.btitest.bti_j_func
* kselftest-arm64/arm64.btitest.bti_jc_func
* kselftest-arm64/arm64.btitest.bti_none_func
* kselftest-arm64/arm64.btitest.nohint_func
* kselftest-arm64/arm64.btitest.paciasp_func
* kselftest-arm64/arm64.nobtitest.bti_c_func
* kselftest-arm64/arm64.nobtitest.bti_j_func
* kselftest-arm64/arm64.nobtitest.bti_jc_func
* kselftest-arm64/arm64.nobtitest.bti_none_func
* kselftest-arm64/arm64.nobtitest.nohint_func
* kselftest-arm64/arm64.nobtitest.paciasp_func
* kselftest-bpf
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-drivers
* kselftest-efivarfs
* kselftest-filesystems
* kselftest-firmware
* kselftest-fpu
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-ir
* kselftest-kcmp
* kselftest-kexec
* kselftest-kvm
* kselftest-lib
* kselftest-livepatch
* kselftest-membarrier
* kselftest-memfd
* kselftest-memory-hotplug
* kselftest-mincore
* kselftest-mount
* kselftest-mqueue
* kselftest-net
* kselftest-netfilter
* kselftest-nsfs
* kselftest-openat2
* kselftest-pid_namespace
* kselftest-pidfd
* kselftest-proc
* kselftest-pstore
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-splice
* kselftest-static_keys
* kselftest-sync
* kselftest-sysctl
* kselftest-tc-testing
* kselftest-timens
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user
* kselftest-vm
* kselftest-x86
* kselftest-zram
* kvm-unit-tests
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-open-posix-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-tracing-tests
* network-basic-tests
* packetdrill
* perf
* rcutorture
* ssuite
* v4l2-compliance

--
Linaro LKFT
https://lkft.linaro.org

2021-12-14 12:40:10

by Sudip Mukherjee

[permalink] [raw]
Subject: Re: [PATCH 4.19 00/74] 4.19.221-rc1 review

Hi Greg,

On Mon, Dec 13, 2021 at 10:29:31AM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.221 release.
> There are 74 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 15 Dec 2021 09:29:16 +0000.
> Anything received after that time might be too late.

Build test:
mips (gcc version 11.2.1 20211112): 63 configs -> no failure
arm (gcc version 11.2.1 20211112): 116 configs -> no new failure
arm64 (gcc version 11.2.1 20211112): 2 configs -> no failure
x86_64 (gcc version 11.2.1 20211112): 4 configs -> no failure

Boot test:
x86_64: Booted on my test laptop. No regression.
x86_64: Booted on qemu. No regression. [1]

[1]. https://openqa.qa.codethink.co.uk/tests/508


Tested-by: Sudip Mukherjee <[email protected]>

--
Regards
Sudip