2020-05-04 18:48:06

by Greg KH

Subject: [PATCH 5.4 00/57] 5.4.39-rc1 review

This is the start of the stable review cycle for the 5.4.39 release.
There are 57 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 06 May 2020 16:52:55 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.39-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <[email protected]>
Linux 5.4.39-rc1

Paul Moore <[email protected]>
selinux: properly handle multiple messages in selinux_netlink_send()

Vincenzo Frascino <[email protected]>
arm64: vdso: Add -fasynchronous-unwind-tables to cflags

Andy Shevchenko <[email protected]>
dmaengine: dmatest: Fix process hang when reading 'wait' parameter

Andy Shevchenko <[email protected]>
dmaengine: dmatest: Fix iteration non-stop logic

Andreas Gruenbacher <[email protected]>
nfs: Fix potential posix_acl refcnt leak in nfs3_set_acl

Niklas Cassel <[email protected]>
nvme: prevent double free in nvme_alloc_ns() error handling

David Howells <[email protected]>
Fix use after free in get_tree_bdev()

Arnd Bergmann <[email protected]>
ALSA: opti9xx: shut up gcc-10 range warning

ryan_chen <[email protected]>
i2c: aspeed: Avoid i2c interrupt status clear race condition.

Suravee Suthikulpanit <[email protected]>
iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system

David Disseldorp <[email protected]>
scsi: target/iblock: fix WRITE SAME zeroing

Tang Bin <[email protected]>
iommu/qcom: Fix local_base status check

Sean Christopherson <[email protected]>
vfio/type1: Fix VA->PA translation for PFNMAP VMAs in vaddr_get_pfn()

Yan Zhao <[email protected]>
vfio: avoid possible overflow in vfio_iommu_type1_pin_pages

Rayagonda Kokatanur <[email protected]>
i2c: iproc: generate stop event for slave writes

Dan Carpenter <[email protected]>
RDMA/cm: Fix an error check in cm_alloc_id_priv()

Jason Gunthorpe <[email protected]>
RDMA/cm: Fix ordering of xa_alloc_cyclic() in ib_create_cm_id()

Leon Romanovsky <[email protected]>
RDMA/core: Fix race between destroy and release FD object

Leon Romanovsky <[email protected]>
RDMA/core: Prevent mixed use of FDs between shared ufiles

Jason Gunthorpe <[email protected]>
RDMA/siw: Fix potential siw_mem refcnt leak in siw_fastreg_mr()

Alaa Hleihel <[email protected]>
RDMA/mlx4: Initialize ib_spec on the stack

Aharon Landau <[email protected]>
RDMA/mlx5: Set GRH fields in query QP on RoCE

Martin Wilck <[email protected]>
scsi: qla2xxx: check UNLOADING before posting async work

Martin Wilck <[email protected]>
scsi: qla2xxx: set UNLOADING before waiting for session deletion

Russell King <[email protected]>
ARM: dts: imx6qdl-sr-som-ti: indicate powering off wifi is safe

Gabriel Krisman Bertazi <[email protected]>
dm multipath: use updated MPATHF_QUEUE_IO on mapping for bio-based mpath

Mikulas Patocka <[email protected]>
dm writecache: fix data corruption when reloading the target

Sunwook Eom <[email protected]>
dm verity fec: fix hash block number in verity_fec_decode

Dexuan Cui <[email protected]>
PM: hibernate: Freeze kernel threads in software_resume()

Kai-Heng Feng <[email protected]>
PM: ACPI: Output correct message on target power state

Sudip Mukherjee <[email protected]>
IB/rdmavt: Always return ERR_PTR from rvt_create_mmap_info()

Al Viro <[email protected]>
dlmfs_file_write(): fix the bogosity in handling non-zero *ppos

Dexuan Cui <[email protected]>
Drivers: hv: vmbus: Fix Suspend-to-Idle for Generation-2 VM

Dan Carpenter <[email protected]>
i2c: amd-mp2-pci: Fix Oops in amd_mp2_pci_init() error handling

Takashi Iwai <[email protected]>
ALSA: pcm: oss: Place the plugin buffer overflow checks correctly

Vasily Khoruzhick <[email protected]>
ALSA: line6: Fix POD HD500 audio playback

Wu Bo <[email protected]>
ALSA: hda/hdmi: fix without unlocked before return

Takashi Iwai <[email protected]>
ALSA: usb-audio: Correct a typo of NuPrime DAC-10 USB ID

Hui Wang <[email protected]>
ALSA: hda/realtek - Two front mics on a Lenovo ThinkCenter

Iuliana Prodan <[email protected]>
crypto: caam - fix the address of the last entry of S/G

Martin Blumenstingl <[email protected]>
mmc: meson-mx-sdio: remove the broken ->card_busy() op

Martin Blumenstingl <[email protected]>
mmc: meson-mx-sdio: Set MMC_CAP_WAIT_WHILE_BUSY

Veerabhadrarao Badiganti <[email protected]>
mmc: sdhci-msm: Enable host capabilities pertains to R1b response

Adrian Hunter <[email protected]>
mmc: sdhci-pci: Fix eMMC driver strength for BYT-based controllers

Marek Behún <[email protected]>
mmc: sdhci-xenon: fix annoying 1.8V regulator warning

Douglas Anderson <[email protected]>
mmc: cqhci: Avoid false "cqhci: CQE stuck on" by not open-coding timeout loop

Qu Wenruo <[email protected]>
btrfs: transaction: Avoid deadlock due to bad initialization timing of fs_info::journal_info

Filipe Manana <[email protected]>
btrfs: fix partial loss of prealloc extent past i_size after fsync

Xiyu Yang <[email protected]>
btrfs: fix block group leak when removing fails

Xiyu Yang <[email protected]>
btrfs: fix transaction leak in btrfs_recover_relocation

Olga Kornievskaia <[email protected]>
NFSv4.1: fix handling of backchannel binding in BIND_CONN_TO_SESSION

Vasily Averin <[email protected]>
drm/qxl: qxl_release use after free

Vasily Averin <[email protected]>
drm/qxl: qxl_release leak in qxl_hw_surface_alloc()

Vasily Averin <[email protected]>
drm/qxl: qxl_release leak in qxl_draw_dirty_fb()

Rodrigo Siqueira <[email protected]>
drm/amd/display: Fix green screen issue after suspend

Ville Syrjälä <[email protected]>
drm/edid: Fix off-by-one in DispID DTD pixel clock

Daniel Vetter <[email protected]>
dma-buf: Fix SET_NAME ioctl uapi


-------------

Diffstat:

Makefile | 4 +-
arch/arm/boot/dts/imx6qdl-sr-som-ti.dtsi | 1 +
arch/arm64/kernel/vdso/Makefile | 2 +-
drivers/acpi/device_pm.c | 4 +-
drivers/crypto/caam/caamalg.c | 2 +-
drivers/dma-buf/dma-buf.c | 3 +-
drivers/dma/dmatest.c | 6 +-
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 38 +++++++++---
drivers/gpu/drm/drm_edid.c | 2 +-
drivers/gpu/drm/qxl/qxl_cmd.c | 10 ++--
drivers/gpu/drm/qxl/qxl_display.c | 6 +-
drivers/gpu/drm/qxl/qxl_draw.c | 7 ++-
drivers/gpu/drm/qxl/qxl_ioctl.c | 5 +-
drivers/hv/vmbus_drv.c | 43 +++++++++++---
drivers/i2c/busses/i2c-amd-mp2-pci.c | 2 +-
drivers/i2c/busses/i2c-aspeed.c | 5 +-
drivers/i2c/busses/i2c-bcm-iproc.c | 3 +
drivers/infiniband/core/cm.c | 27 ++++-----
drivers/infiniband/core/rdma_core.c | 4 +-
drivers/infiniband/hw/mlx4/main.c | 3 +-
drivers/infiniband/hw/mlx5/qp.c | 4 +-
drivers/infiniband/sw/rdmavt/cq.c | 4 +-
drivers/infiniband/sw/rdmavt/mmap.c | 4 +-
drivers/infiniband/sw/rdmavt/qp.c | 4 +-
drivers/infiniband/sw/rdmavt/srq.c | 4 +-
drivers/infiniband/sw/siw/siw_qp_tx.c | 15 +++--
drivers/iommu/amd_iommu_init.c | 2 +-
drivers/iommu/qcom_iommu.c | 5 +-
drivers/md/dm-mpath.c | 6 +-
drivers/md/dm-verity-fec.c | 2 +-
drivers/md/dm-writecache.c | 52 ++++++++++++-----
drivers/mmc/host/cqhci.c | 21 ++++---
drivers/mmc/host/meson-mx-sdio.c | 11 +---
drivers/mmc/host/sdhci-msm.c | 2 +
drivers/mmc/host/sdhci-pci-core.c | 3 +
drivers/mmc/host/sdhci-xenon.c | 10 ++++
drivers/nvme/host/core.c | 2 +
drivers/scsi/qla2xxx/qla_os.c | 35 ++++++------
drivers/target/target_core_iblock.c | 2 +-
drivers/vfio/vfio_iommu_type1.c | 6 +-
fs/btrfs/block-group.c | 16 ++++--
fs/btrfs/relocation.c | 1 +
fs/btrfs/transaction.c | 13 ++++-
fs/btrfs/tree-log.c | 43 +++++++++++++-
fs/nfs/nfs3acl.c | 22 ++++---
fs/nfs/nfs4proc.c | 8 +++
fs/ocfs2/dlmfs/dlmfs.c | 27 ++++-----
fs/super.c | 2 +-
include/linux/nfs_xdr.h | 2 +
include/linux/sunrpc/clnt.h | 5 ++
include/uapi/linux/dma-buf.h | 6 ++
kernel/power/hibernate.c | 7 +++
security/selinux/hooks.c | 70 +++++++++++++++--------
sound/core/oss/pcm_plugin.c | 20 ++++---
sound/isa/opti9xx/miro.c | 9 ++-
sound/isa/opti9xx/opti92x-ad1848.c | 9 ++-
sound/pci/hda/patch_hdmi.c | 4 +-
sound/pci/hda/patch_realtek.c | 1 +
sound/usb/line6/podhd.c | 22 ++-----
sound/usb/quirks.c | 2 +-
60 files changed, 427 insertions(+), 233 deletions(-)



2020-05-04 18:48:11

by Greg KH

Subject: [PATCH 5.4 49/57] i2c: aspeed: Avoid i2c interrupt status clear race condition.

From: ryan_chen <[email protected]>

commit c926c87b8e36dcc0ea5c2a0a0227ed4f32d0516a upstream.

In AST2600 there is a slow peripheral bus between the CPU and the i2c
controller. Therefore the GIC i2c interrupt status clear is delayed
when the CPU issues a write to clear the i2c controller interrupt status.
To avoid this issue, the driver needs to read after the write clear in the i2c ISR.

Fixes: f327c686d3ba ("i2c: aspeed: added driver for Aspeed I2C")
Signed-off-by: ryan_chen <[email protected]>
Acked-by: Benjamin Herrenschmidt <[email protected]>
[wsa: added Fixes tag]
Signed-off-by: Wolfram Sang <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/i2c/busses/i2c-aspeed.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/i2c/busses/i2c-aspeed.c
+++ b/drivers/i2c/busses/i2c-aspeed.c
@@ -603,6 +603,7 @@ static irqreturn_t aspeed_i2c_bus_irq(in
/* Ack all interrupts except for Rx done */
writel(irq_received & ~ASPEED_I2CD_INTR_RX_DONE,
bus->base + ASPEED_I2C_INTR_STS_REG);
+ readl(bus->base + ASPEED_I2C_INTR_STS_REG);
irq_remaining = irq_received;

#if IS_ENABLED(CONFIG_I2C_SLAVE)
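
Review bot: the readl() added after the writel() to ASPEED_I2C_INTR_STS_REG has no comment and discards its result, so it reads like dead code that a later cleanup could delete. Add a one-line comment above it saying the read-back is there so the status clear has reached the controller before the handler continues, as the commit message describes.
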
@@ -645,9 +646,11 @@ static irqreturn_t aspeed_i2c_bus_irq(in
irq_received, irq_handled);

/* Ack Rx done */
- if (irq_received & ASPEED_I2CD_INTR_RX_DONE)
+ if (irq_received & ASPEED_I2CD_INTR_RX_DONE) {
writel(ASPEED_I2CD_INTR_RX_DONE,
bus->base + ASPEED_I2C_INTR_STS_REG);
+ readl(bus->base + ASPEED_I2C_INTR_STS_REG);
+ }
spin_unlock(&bus->lock);
return irq_remaining ? IRQ_NONE : IRQ_HANDLED;
}
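
Review bot: the Rx-done ack at the end of aspeed_i2c_bus_irq() repeats the same writel()-then-readl() pair on ASPEED_I2C_INTR_STS_REG as the earlier ack. A small helper that writes the status bits and reads the register back would keep the two sites in step and give the read-back one documented home. The added braces are correct now that the branch has two statements.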


2020-05-04 18:48:12

by Greg KH

Subject: [PATCH 5.4 36/57] RDMA/mlx5: Set GRH fields in query QP on RoCE

From: Aharon Landau <[email protected]>

commit 2d7e3ff7b6f2c614eb21d0dc348957a47eaffb57 upstream.

GRH fields such as sgid_index, hop limit, etc. are set in the QP context
when QP is created/modified.

Currently, when query QP is performed, we fill the GRH fields only if the
GRH bit is set in the QP context, but this bit is not set for RoCE. Adjust
the check so we will set all relevant data for the RoCE too.

Since this data is returned to userspace, the below is an ABI regression.

Fixes: d8966fcd4c25 ("IB/core: Use rdma_ah_attr accessor functions")
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Aharon Landau <[email protected]>
Reviewed-by: Maor Gottlieb <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Signed-off-by: Jason Gunthorpe <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/infiniband/hw/mlx5/qp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -5496,7 +5496,9 @@ static void to_rdma_ah_attr(struct mlx5_
rdma_ah_set_path_bits(ah_attr, path->grh_mlid & 0x7f);
rdma_ah_set_static_rate(ah_attr,
path->static_rate ? path->static_rate - 5 : 0);
- if (path->grh_mlid & (1 << 7)) {
+
+ if (path->grh_mlid & (1 << 7) ||
+ ah_attr->type == RDMA_AH_ATTR_TYPE_ROCE) {
u32 tc_fl = be32_to_cpu(path->tclass_flowlabel);

rdma_ah_set_grh(ah_attr, NULL,
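
Review bot: the new condition in to_rdma_ah_attr() mixes the bit test "path->grh_mlid & (1 << 7)" with a logical OR without parentheses. Precedence gives the intended result, but wrapping the bit test in parentheses saves the reader a second look, and a named constant for "1 << 7" would sit better next to the 0x7f mask used two lines earlier. Since the commit message calls the old behaviour an ABI regression, a short code comment saying that RoCE reports GRH fields even when that bit is clear would document why the type check is there.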


2020-05-04 18:48:15

by Greg KH

Subject: [PATCH 5.4 30/57] dm verity fec: fix hash block number in verity_fec_decode

From: Sunwook Eom <[email protected]>

commit ad4e80a639fc61d5ecebb03caa5cdbfb91fcebfc upstream.

The error correction data is computed as if data and hash blocks
were concatenated. But hash block number starts from v->hash_start.
So, we have to calculate hash block number based on that.

Fixes: a739ff3f543af ("dm verity: add support for forward error correction")
Cc: [email protected]
Signed-off-by: Sunwook Eom <[email protected]>
Reviewed-by: Sami Tolvanen <[email protected]>
Signed-off-by: Mike Snitzer <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/md/dm-verity-fec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/md/dm-verity-fec.c
+++ b/drivers/md/dm-verity-fec.c
@@ -435,7 +435,7 @@ int verity_fec_decode(struct dm_verity *
fio->level++;

if (type == DM_VERITY_BLOCK_TYPE_METADATA)
- block += v->data_blocks;
+ block = block - v->hash_start + v->data_blocks;

/*
* For RS(M, N), the continuous FEC data is divided into blocks of N
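
Review bot: "block - v->hash_start" in the DM_VERITY_BLOCK_TYPE_METADATA branch relies on every metadata block number being at or above v->hash_start, and nothing in the visible lines states or checks that. If a caller ever passes a smaller value, the subtraction yields a wrong FEC offset rather than an error, so a comment naming the invariant, or a check that fails the decode, would make the assumption explicit.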


2020-05-04 18:48:16

by Greg KH

Subject: [PATCH 5.4 33/57] ARM: dts: imx6qdl-sr-som-ti: indicate powering off wifi is safe

From: Russell King <[email protected]>

commit b7dc7205b2ae6b6c9d9cfc3e47d6f08da8647b10 upstream.

We need to indicate that powering off the TI WiFi is safe, to avoid:

wl18xx_driver wl18xx.2.auto: Unbalanced pm_runtime_enable!
wl1271_sdio mmc0:0001:2: wl12xx_sdio_power_on: failed to get_sync(-13)

which prevents the WiFi being functional.

Signed-off-by: Russell King <[email protected]>
Reviewed-by: Fabio Estevam <[email protected]>
Signed-off-by: Shawn Guo <[email protected]>
Cc: Miguel Borges de Freitas <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/arm/boot/dts/imx6qdl-sr-som-ti.dtsi | 1 +
1 file changed, 1 insertion(+)

--- a/arch/arm/boot/dts/imx6qdl-sr-som-ti.dtsi
+++ b/arch/arm/boot/dts/imx6qdl-sr-som-ti.dtsi
@@ -153,6 +153,7 @@
bus-width = <4>;
keep-power-in-suspend;
mmc-pwrseq = <&pwrseq_ti_wifi>;
+ cap-power-off-card;
non-removable;
vmmc-supply = <&vcc_3v3>;
/* vqmmc-supply = <&nvcc_sd1>; - MMC layer doesn't like it! */


2020-05-04 18:48:22

by Greg KH

Subject: [PATCH 5.4 23/57] ALSA: pcm: oss: Place the plugin buffer overflow checks correctly

From: Takashi Iwai <[email protected]>

commit 4285de0725b1bf73608abbcd35ad7fd3ddc0b61e upstream.

The checks of the plugin buffer overflow in the previous fix by commit
f2ecf903ef06 ("ALSA: pcm: oss: Avoid plugin buffer overflow")
are put in the wrong places mistakenly, which leads to the expected
(repeated) sound when the rate plugin is involved. Fix in the right
places.

Also, at those right places, the zero check is needed for the
termination node, so added there as well, and let's get it done,
finally.

Fixes: f2ecf903ef06 ("ALSA: pcm: oss: Avoid plugin buffer overflow")
Cc: <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
sound/core/oss/pcm_plugin.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)

--- a/sound/core/oss/pcm_plugin.c
+++ b/sound/core/oss/pcm_plugin.c
@@ -211,21 +211,23 @@ static snd_pcm_sframes_t plug_client_siz
if (stream == SNDRV_PCM_STREAM_PLAYBACK) {
plugin = snd_pcm_plug_last(plug);
while (plugin && drv_frames > 0) {
- if (check_size && drv_frames > plugin->buf_frames)
- drv_frames = plugin->buf_frames;
plugin_prev = plugin->prev;
if (plugin->src_frames)
drv_frames = plugin->src_frames(plugin, drv_frames);
+ if (check_size && plugin->buf_frames &&
+ drv_frames > plugin->buf_frames)
+ drv_frames = plugin->buf_frames;
plugin = plugin_prev;
}
} else if (stream == SNDRV_PCM_STREAM_CAPTURE) {
plugin = snd_pcm_plug_first(plug);
while (plugin && drv_frames > 0) {
plugin_next = plugin->next;
+ if (check_size && plugin->buf_frames &&
+ drv_frames > plugin->buf_frames)
+ drv_frames = plugin->buf_frames;
if (plugin->dst_frames)
drv_frames = plugin->dst_frames(plugin, drv_frames);
- if (check_size && drv_frames > plugin->buf_frames)
- drv_frames = plugin->buf_frames;
plugin = plugin_next;
}
} else
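
Review bot: the "plugin->buf_frames &&" guard added to both loops of plug_client_size() has no comment, and the reason for it (the zero check for the termination node) is only in the commit message. The position of the clamp also now differs by direction, after src_frames() for playback and before dst_frames() for capture, which is the whole point of the fix but is easy to undo by accident. A one-line comment at each site stating which side of the conversion the buffer limit applies to would preserve that.
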
@@ -251,26 +253,28 @@ static snd_pcm_sframes_t plug_slave_size
plugin = snd_pcm_plug_first(plug);
while (plugin && frames > 0) {
plugin_next = plugin->next;
+ if (check_size && plugin->buf_frames &&
+ frames > plugin->buf_frames)
+ frames = plugin->buf_frames;
if (plugin->dst_frames) {
frames = plugin->dst_frames(plugin, frames);
if (frames < 0)
return frames;
}
- if (check_size && frames > plugin->buf_frames)
- frames = plugin->buf_frames;
plugin = plugin_next;
}
} else if (stream == SNDRV_PCM_STREAM_CAPTURE) {
plugin = snd_pcm_plug_last(plug);
while (plugin) {
- if (check_size && frames > plugin->buf_frames)
- frames = plugin->buf_frames;
plugin_prev = plugin->prev;
if (plugin->src_frames) {
frames = plugin->src_frames(plugin, frames);
if (frames < 0)
return frames;
}
+ if (check_size && plugin->buf_frames &&
+ frames > plugin->buf_frames)
+ frames = plugin->buf_frames;
plugin = plugin_prev;
}
} else
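
Review bot: with this hunk the same three-line clamp on plugin->buf_frames appears four times across plug_client_size() and plug_slave_size(), differing only in the variable name. A small static helper taking the plugin, the frame count and check_size would remove the duplication and make it harder to misplace one copy again. Separately, the capture loop here runs "while (plugin)" while the playback loop above tests "frames > 0" as well; if that asymmetry is intentional it deserves a comment.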


2020-05-04 18:48:45

by Greg KH

Subject: [PATCH 5.4 41/57] RDMA/cm: Fix ordering of xa_alloc_cyclic() in ib_create_cm_id()

From: Jason Gunthorpe <[email protected]>

commit e8dc4e885c459343970b25acd9320fe9ee5492e7 upstream.

xa_alloc_cyclic() is a SMP release to be paired with some later acquire
during xa_load() as part of cm_acquire_id().

As such, xa_alloc_cyclic() must be done after the cm_id is fully
initialized, in particular, it absolutely must be after the
refcount_set(), otherwise the refcount_inc() in cm_acquire_id() may not
see the set.

As there are several cases where a reader will be able to use the
id.local_id after cm_acquire_id in the IB_CM_IDLE state there needs to be
an unfortunate split into a NULL allocate and a finalizing xa_store.

Fixes: a977049dacde ("[PATCH] IB: Add the kernel CM implementation")
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Leon Romanovsky <[email protected]>
Signed-off-by: Jason Gunthorpe <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/infiniband/core/cm.c | 27 +++++++++++----------------
1 file changed, 11 insertions(+), 16 deletions(-)

--- a/drivers/infiniband/core/cm.c
+++ b/drivers/infiniband/core/cm.c
@@ -597,18 +597,6 @@ static int cm_init_av_by_path(struct sa_
return 0;
}

-static int cm_alloc_id(struct cm_id_private *cm_id_priv)
-{
- int err;
- u32 id;
-
- err = xa_alloc_cyclic_irq(&cm.local_id_table, &id, cm_id_priv,
- xa_limit_32b, &cm.local_id_next, GFP_KERNEL);
-
- cm_id_priv->id.local_id = (__force __be32)id ^ cm.random_id_operand;
- return err;
-}
-
static u32 cm_local_id(__be32 local_id)
{
return (__force u32) (local_id ^ cm.random_id_operand);
@@ -862,6 +850,7 @@ struct ib_cm_id *ib_create_cm_id(struct
void *context)
{
struct cm_id_private *cm_id_priv;
+ u32 id;
int ret;

cm_id_priv = kzalloc(sizeof *cm_id_priv, GFP_KERNEL);
@@ -873,9 +862,6 @@ struct ib_cm_id *ib_create_cm_id(struct
cm_id_priv->id.cm_handler = cm_handler;
cm_id_priv->id.context = context;
cm_id_priv->id.remote_cm_qpn = 1;
- ret = cm_alloc_id(cm_id_priv);
- if (ret)
- goto error;

spin_lock_init(&cm_id_priv->lock);
init_completion(&cm_id_priv->comp);
@@ -884,11 +870,20 @@ struct ib_cm_id *ib_create_cm_id(struct
INIT_LIST_HEAD(&cm_id_priv->altr_list);
atomic_set(&cm_id_priv->work_count, -1);
atomic_set(&cm_id_priv->refcount, 1);
+
+ ret = xa_alloc_cyclic_irq(&cm.local_id_table, &id, NULL, xa_limit_32b,
+ &cm.local_id_next, GFP_KERNEL);
+ if (ret)
+ goto error;
+ cm_id_priv->id.local_id = (__force __be32)id ^ cm.random_id_operand;
+ xa_store_irq(&cm.local_id_table, cm_local_id(cm_id_priv->id.local_id),
+ cm_id_priv, GFP_KERNEL);
+
return &cm_id_priv->id;

error:
kfree(cm_id_priv);
- return ERR_PTR(-ENOMEM);
+ return ERR_PTR(ret);
}
EXPORT_SYMBOL(ib_create_cm_id);
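
Review bot: "if (ret)" after xa_alloc_cyclic_irq() treats a return value of 1 as a failure, but xa_alloc_cyclic() returns 1 when the allocation succeeded after wrapping. With the error path changed from ERR_PTR(-ENOMEM) to ERR_PTR(ret), a wrapped allocation would free cm_id_priv and hand the caller ERR_PTR(1), which IS_ERR() does not recognise, while the reserved NULL slot stays in cm.local_id_table. The test should be "if (ret < 0)"; the shortlog entry "RDMA/cm: Fix an error check in cm_alloc_id_priv()" in this series appears to address the same check. The return value of xa_store_irq() is also ignored, so a comment that the slot was already reserved by the NULL allocation would explain why that is acceptable.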



2020-05-04 18:49:38

by Greg KH

Subject: [PATCH 5.4 21/57] ALSA: hda/hdmi: fix without unlocked before return

From: Wu Bo <[email protected]>

commit a2f647240998aa49632fb09b01388fdf2b87acfc upstream.

Fix the following coccicheck warning:
sound/pci/hda/patch_hdmi.c:1852:2-8: preceding lock on line 1846

After adding the sanity check to pass the klockwork check,
the spdif_mutex should be unlocked before returning true
in check_non_pcm_per_cvt().

Fixes: 960a581e22d9 ("ALSA: hda: fix some klockwork scan warnings")
Signed-off-by: Wu Bo <[email protected]>
Cc: <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
sound/pci/hda/patch_hdmi.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -1861,8 +1861,10 @@ static bool check_non_pcm_per_cvt(struct
/* Add sanity check to pass klockwork check.
* This should never happen.
*/
- if (WARN_ON(spdif == NULL))
+ if (WARN_ON(spdif == NULL)) {
+ mutex_unlock(&codec->spdif_mutex);
return true;
+ }
non_pcm = !!(spdif->status & IEC958_AES0_NONAUDIO);
mutex_unlock(&codec->spdif_mutex);
return non_pcm;
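
Review bot: the WARN_ON branch in check_non_pcm_per_cvt() now carries its own mutex_unlock(), so the function has two unlock sites for codec->spdif_mutex. Setting non_pcm to true in that branch and computing it from spdif->status otherwise, with one shared mutex_unlock() before "return non_pcm;", keeps a single exit and stops the same missed unlock from recurring when the function is next edited.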


2020-05-04 18:49:43

by Greg KH

Subject: [PATCH 5.4 39/57] RDMA/core: Prevent mixed use of FDs between shared ufiles

From: Leon Romanovsky <[email protected]>

commit 0fb00941dc63990a10951146df216fc7b0e20bc2 upstream.

FDs can only be used on the ufile that created them, they cannot be mixed
to other ufiles. We are lacking a check to prevent it.

BUG: KASAN: null-ptr-deref in atomic64_sub_and_test include/asm-generic/atomic-instrumented.h:1547 [inline]
BUG: KASAN: null-ptr-deref in atomic_long_sub_and_test include/asm-generic/atomic-long.h:460 [inline]
BUG: KASAN: null-ptr-deref in fput_many+0x1a/0x140 fs/file_table.c:336
Write of size 8 at addr 0000000000000038 by task syz-executor179/284

CPU: 0 PID: 284 Comm: syz-executor179 Not tainted 5.5.0-rc5+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x94/0xce lib/dump_stack.c:118
__kasan_report+0x18f/0x1b7 mm/kasan/report.c:510
kasan_report+0xe/0x20 mm/kasan/common.c:639
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x15d/0x1b0 mm/kasan/generic.c:192
atomic64_sub_and_test include/asm-generic/atomic-instrumented.h:1547 [inline]
atomic_long_sub_and_test include/asm-generic/atomic-long.h:460 [inline]
fput_many+0x1a/0x140 fs/file_table.c:336
rdma_lookup_put_uobject+0x85/0x130 drivers/infiniband/core/rdma_core.c:692
uobj_put_read include/rdma/uverbs_std_types.h:96 [inline]
_ib_uverbs_lookup_comp_file drivers/infiniband/core/uverbs_cmd.c:198 [inline]
create_cq+0x375/0xba0 drivers/infiniband/core/uverbs_cmd.c:1006
ib_uverbs_create_cq+0x114/0x140 drivers/infiniband/core/uverbs_cmd.c:1089
ib_uverbs_write+0xaa5/0xdf0 drivers/infiniband/core/uverbs_main.c:769
__vfs_write+0x7c/0x100 fs/read_write.c:494
vfs_write+0x168/0x4a0 fs/read_write.c:558
ksys_write+0xc8/0x200 fs/read_write.c:611
do_syscall_64+0x9c/0x390 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x44ef99
Code: 00 b8 00 01 00 00 eb e1 e8 74 1c 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c4 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc0b74c028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007ffc0b74c030 RCX: 000000000044ef99
RDX: 0000000000000040 RSI: 0000000020000040 RDI: 0000000000000005
RBP: 00007ffc0b74c038 R08: 0000000000401830 R09: 0000000000401830
R10: 00007ffc0b74c038 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00000000006be018 R15: 0000000000000000

Fixes: cf8966b3477d ("IB/core: Add support for fd objects")
Link: https://lore.kernel.org/r/[email protected]
Suggested-by: Jason Gunthorpe <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Signed-off-by: Jason Gunthorpe <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/infiniband/core/rdma_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/core/rdma_core.c
+++ b/drivers/infiniband/core/rdma_core.c
@@ -362,7 +362,7 @@ lookup_get_fd_uobject(const struct uverb
* and the caller is expected to ensure that uverbs_close_fd is never
* done while a call top lookup is possible.
*/
- if (f->f_op != fd_type->fops) {
+ if (f->f_op != fd_type->fops || uobject->ufile != ufile) {
fput(f);
return ERR_PTR(-EBADF);
}
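
Review bot: the new "uobject->ufile != ufile" test in lookup_get_fd_uobject() depends on the "f->f_op != fd_type->fops" test to its left: uobject is not assigned in the visible lines, and if it is taken from the file's private data it is only meaningful once the fops match. The comment block above still describes only the fops check. Extend it to say that an FD created on a different ufile is rejected with -EBADF, and that the order of the two tests must be kept.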


2020-05-04 18:49:45

by Greg KH

Subject: [PATCH 5.4 37/57] RDMA/mlx4: Initialize ib_spec on the stack

From: Alaa Hleihel <[email protected]>

commit c08cfb2d8d78bfe81b37cc6ba84f0875bddd0d5c upstream.

Initialize ib_spec on the stack before using it, otherwise we will have
garbage values that will break creating default rules with invalid parsing
error.

Fixes: a37a1a428431 ("IB/mlx4: Add mechanism to support flow steering over IB links")
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Alaa Hleihel <[email protected]>
Reviewed-by: Maor Gottlieb <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Signed-off-by: Jason Gunthorpe <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/infiniband/hw/mlx4/main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/hw/mlx4/main.c
+++ b/drivers/infiniband/hw/mlx4/main.c
@@ -1492,8 +1492,9 @@ static int __mlx4_ib_create_default_rule
int i;

for (i = 0; i < ARRAY_SIZE(pdefault_rules->rules_create_list); i++) {
+ union ib_flow_spec ib_spec = {};
int ret;
- union ib_flow_spec ib_spec;
+
switch (pdefault_rules->rules_create_list[i]) {
case 0:
/* no rule */
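
Review bot: "union ib_flow_spec ib_spec = {};" initialises a union, and an initialiser for a union is defined in terms of its first member, so whether every byte of the larger members is cleared is left to the compiler. A memset(&ib_spec, 0, sizeof(ib_spec)) at the top of the loop body states the intent (no stale stack bytes reach rule parsing) without relying on that. Moving the declaration inside the loop so that each iteration starts clean is the right call either way.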


2020-05-04 18:49:50

by Greg KH

Subject: [PATCH 5.4 35/57] scsi: qla2xxx: check UNLOADING before posting async work

From: Martin Wilck <[email protected]>

commit 5a263892d7d0b4fe351363f8d1a14c6a75955475 upstream.

qlt_free_session_done() tries to post async PRLO / LOGO, and waits for the
completion of these async commands. If UNLOADING is set, this is doomed to
timeout, because the async logout command will never complete.

The only way to avoid waiting pointlessly is to fail posting these commands
in the first place if the driver is in UNLOADING state. In general,
posting any command should be avoided when the driver is UNLOADING.

With this patch, "rmmod qla2xxx" completes without noticeable delay.

Link: https://lore.kernel.org/r/[email protected]
Fixes: 45235022da99 ("scsi: qla2xxx: Fix driver unload by shutting down chip")
Acked-by: Arun Easi <[email protected]>
Reviewed-by: Himanshu Madhani <[email protected]>
Signed-off-by: Martin Wilck <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/scsi/qla2xxx/qla_os.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -4857,6 +4857,9 @@ qla2x00_alloc_work(struct scsi_qla_host
struct qla_work_evt *e;
uint8_t bail;

+ if (test_bit(UNLOADING, &vha->dpc_flags))
+ return NULL;
+
QLA_VHA_MARK_BUSY(vha, bail);
if (bail)
return NULL;
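
Review bot: returning NULL from qla2x00_alloc_work() when UNLOADING is set gives callers the same result as the existing "if (bail) return NULL;" path, so they cannot tell "driver is unloading" from a transient failure and may log or retry as if it were the latter. A comment on the new check should state that callers must treat NULL as "do not post". It should also note that test_bit() runs before QLA_VHA_MARK_BUSY(), so UNLOADING being set between the two is not caught here.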


2020-05-04 18:49:52

by Greg KH

Subject: [PATCH 5.4 57/57] selinux: properly handle multiple messages in selinux_netlink_send()

From: Paul Moore <[email protected]>

commit fb73974172ffaaf57a7c42f35424d9aece1a5af6 upstream.

Fix the SELinux netlink_send hook to properly handle multiple netlink
messages in a single sk_buff; each message is parsed and subject to
SELinux access control. Prior to this patch, SELinux only inspected
the first message in the sk_buff.

Cc: [email protected]
Reported-by: Dmitry Vyukov <[email protected]>
Reviewed-by: Stephen Smalley <[email protected]>
Signed-off-by: Paul Moore <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
security/selinux/hooks.c | 70 ++++++++++++++++++++++++++++++-----------------
1 file changed, 45 insertions(+), 25 deletions(-)

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5521,40 +5521,60 @@ static int selinux_tun_dev_open(void *se

static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
{
- int err = 0;
- u32 perm;
+ int rc = 0;
+ unsigned int msg_len;
+ unsigned int data_len = skb->len;
+ unsigned char *data = skb->data;
struct nlmsghdr *nlh;
struct sk_security_struct *sksec = sk->sk_security;
+ u16 sclass = sksec->sclass;
+ u32 perm;

- if (skb->len < NLMSG_HDRLEN) {
- err = -EINVAL;
- goto out;
- }
- nlh = nlmsg_hdr(skb);
+ while (data_len >= nlmsg_total_size(0)) {
+ nlh = (struct nlmsghdr *)data;

- err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
- if (err) {
- if (err == -EINVAL) {
+ /* NOTE: the nlmsg_len field isn't reliably set by some netlink
+ * users which means we can't reject skb's with bogus
+ * length fields; our solution is to follow what
+ * netlink_rcv_skb() does and simply skip processing at
+ * messages with length fields that are clearly junk
+ */
+ if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
+ return 0;
+
+ rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
+ if (rc == 0) {
+ rc = sock_has_perm(sk, perm);
+ if (rc)
+ return rc;
+ } else if (rc == -EINVAL) {
+ /* -EINVAL is a missing msg/perm mapping */
pr_warn_ratelimited("SELinux: unrecognized netlink"
- " message: protocol=%hu nlmsg_type=%hu sclass=%s"
- " pig=%d comm=%s\n",
- sk->sk_protocol, nlh->nlmsg_type,
- secclass_map[sksec->sclass - 1].name,
- task_pid_nr(current), current->comm);
- if (!enforcing_enabled(&selinux_state) ||
- security_get_allow_unknown(&selinux_state))
- err = 0;
+ " message: protocol=%hu nlmsg_type=%hu sclass=%s"
+ " pid=%d comm=%s\n",
+ sk->sk_protocol, nlh->nlmsg_type,
+ secclass_map[sclass - 1].name,
+ task_pid_nr(current), current->comm);
+ if (enforcing_enabled(&selinux_state) &&
+ !security_get_allow_unknown(&selinux_state))
+ return rc;
+ rc = 0;
+ } else if (rc == -ENOENT) {
+ /* -ENOENT is a missing socket/class mapping, ignore */
+ rc = 0;
+ } else {
+ return rc;
}

- /* Ignore */
- if (err == -ENOENT)
- err = 0;
- goto out;
+ /* move to the next message after applying netlink padding */
+ msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
+ if (msg_len >= data_len)
+ return 0;
+ data_len -= msg_len;
+ data += msg_len;
}

- err = sock_has_perm(sk, perm);
-out:
- return err;
+ return rc;
}

#ifdef CONFIG_NETFILTER
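
Review bot: the rewritten selinux_nlmsg_perm() no longer returns -EINVAL when skb->len is below NLMSG_HDRLEN; the loop is skipped and the initial "rc = 0" is returned, a behaviour change the commit message does not mention. The two "return 0" exits (junk nlmsg_len, and "msg_len >= data_len") also leave any remaining bytes unchecked, which is only sound while the netlink receive path stops processing at the same point, so the NOTE comment should state that invariant rather than only "follow what netlink_rcv_skb() does". Minor: "skip processing at messages" in that comment reads as a typo, and the "pig=" to "pid=" correction in the pr_warn_ratelimited() format is worth a line in the changelog because it changes a message that log parsers may match.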


2020-05-05 08:40:19

by Jon Hunter

Subject: Re: [PATCH 5.4 00/57] 5.4.39-rc1 review


On 04/05/2020 18:57, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.39 release.
> There are 57 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 06 May 2020 16:52:55 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.39-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

All tests are passing for Tegra ...

Test results for stable-v5.4:
13 builds: 13 pass, 0 fail
24 boots: 24 pass, 0 fail
40 tests: 40 pass, 0 fail

Linux version: 5.4.39-rc1-g29ca49e0243b
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra194-p2972-0000, tegra20-ventana,
tegra210-p2371-2180, tegra210-p3450-0000,
tegra30-cardhu-a04

Cheers
Jon

--
nvpublic

2020-05-05 15:24:18

by Naresh Kamboju

Subject: Re: [PATCH 5.4 00/57] 5.4.39-rc1 review

On Mon, 4 May 2020 at 23:33, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 5.4.39 release.
> There are 57 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 06 May 2020 16:52:55 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.39-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

NOTE:
While running LTP mm tests on a hikey device, a kernel panic has been noticed.
But this is hard to reproduce.
We are investigating this problem.

[ 75.934817] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 75.943910] Mem abort info:
[ 75.946768] ESR = 0x86000006
[ 75.949899] EC = 0x21: IABT (current EL), IL = 32 bits
[ 75.955330] SET = 0, FnV = 0
[ 75.958454] EA = 0, S1PTW = 0
[ 75.961674] user pgtable: 4k pages, 48-bit VAs, pgdp=000000007296d000
[ 75.968260] [0000000000000000] pgd=0000000072962003, pud=0000000072935003, pmd=0000000000000000
[ 75.977159] Internal error: Oops: 86000006 [#1] PREEMPT SMP
[ 75.982851] Modules linked in: wl18xx wlcore mac80211 cfg80211 hci_uart snd_soc_audio_graph_card btbcm crct10dif_ce adv7511 snd_soc_simple_card_utils wlcore_sdio cec kirin_drm dw_drm_dsi bluetooth drm_kms_helper rfkill drm fuse
[ 75.998113] dwmmc_k3 f723d000.dwmmc0: Unexpected interrupt latency
[ 76.003485] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.39-rc1-00058-g29ca49e0243b #1
[ 76.017981] Hardware name: HiKey Development Board (DT)
[ 76.024656] pstate: 60000085 (nZCv daIf -PAN -UAO)
[ 76.029554] pc : 0x0
[ 76.031796] lr : cpuidle_enter_state+0x68/0x360
<>
[ 76.121215] Call trace:
[ 76.123718] 0x0
[ 76.125604] cpuidle_enter+0x34/0x48
[ 76.129262] call_cpuidle+0x18/0x38
[ 76.132830] do_idle+0x1e0/0x280
[ 76.136129] cpu_startup_entry+0x20/0x40
[ 76.140139] rest_init+0xd4/0xe0
[ 76.143442] arch_call_rest_init+0xc/0x14
[ 76.147540] start_kernel+0x41c/0x448
[ 76.151293] Code: bad PC value
[ 76.154426] ---[ end trace 01a359b3eb02445a ]---
[ 76.159146] Kernel panic - not syncing: Attempted to kill the idle task!
[ 76.165995] SMP: stopping secondary CPUs
[ 76.170441] Kernel Offset: disabled
[ 76.174005] CPU features: 0x0002,24002004
[ 76.178103] Memory Limit: none
[ 76.181240] ---[ end Kernel panic - not syncing: Attempted to kill the idle task! ]---
[ 75.977159] Internal error: Oops: 86000006 [#1] PREEMPT SMP


Summary
------------------------------------------------------------------------

kernel: 5.4.39-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-5.4.y
git commit: 29ca49e0243b0d2bb55a2ee418f3cdc1fae69627
git describe: v5.4.38-58-g29ca49e0243b
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-5.4-oe/build/v5.4.38-58-g29ca49e0243b

No regressions (compared to build v5.4.38)

No fixes (compared to build v5.4.38)

Ran 25955 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c
- hi6220-hikey
- i386
- juno-r2
- juno-r2-compat
- juno-r2-kasan
- nxp-ls2088
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15
- x86
- x86-kasan

Test Suites
-----------
* build
* install-android-platform-tools-r2600
* install-android-platform-tools-r2800
* libgpiod
* linux-log-parser
* ltp-commands-tests
* ltp-containers-tests
* ltp-cve-tests
* ltp-math-tests
* ltp-sched-tests
* perf
* kselftest
* kselftest/drivers
* kselftest/filesystems
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-securebits-tests
* v4l2-compliance
* kselftest/net
* kselftest/networking
* libhugetlbfs
* ltp-cap_bounds-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-ipc-tests
* ltp-mm-tests
* ltp-open-posix-tests
* ltp-syscalls-tests
* network-basic-tests
* kvm-unit-tests
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-native/drivers
* kselftest-vsyscall-mode-native/filesystems
* kselftest-vsyscall-mode-native/net
* kselftest-vsyscall-mode-native/networking
* kselftest-vsyscall-mode-none
* kselftest-vsyscall-mode-none/drivers
* kselftest-vsyscall-mode-none/filesystems
* kselftest-vsyscall-mode-none/net
* kselftest-vsyscall-mode-none/networking

--
Linaro LKFT
https://lkft.linaro.org

2020-05-05 15:45:42

by Guenter Roeck

Subject: Re: [PATCH 5.4 00/57] 5.4.39-rc1 review

On 5/4/20 10:57 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.39 release.
> There are 57 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 06 May 2020 16:52:55 +0000.
> Anything received after that time might be too late.
>

Build results:
total: 157 pass: 157 fail: 0
Qemu test results:
total: 426 pass: 426 fail: 0

Guenter

2020-05-05 15:47:31

by Shuah Khan

Subject: Re: [PATCH 5.4 00/57] 5.4.39-rc1 review

On 5/4/20 11:57 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.39 release.
> There are 57 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 06 May 2020 16:52:55 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.39-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah