This is the start of the stable review cycle for the 4.14.215 release.
There are 57 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 13 Jan 2021 13:00:19 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.215-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <[email protected]>
Linux 4.14.215-rc1
Paolo Bonzini <[email protected]>
KVM: x86: fix shift out of bounds reported by UBSAN
Ying-Tsun Huang <[email protected]>
x86/mtrr: Correct the range check before performing MTRR type lookups
Florian Westphal <[email protected]>
netfilter: xt_RATEEST: reject non-null terminated string from userspace
Vasily Averin <[email protected]>
netfilter: ipset: fix shift-out-of-bounds in htable_bits()
Bard Liao <[email protected]>
Revert "device property: Keep secondary firmware node secondary by type"
Kailang Yang <[email protected]>
ALSA: hda/realtek - Fix speaker volume control on Lenovo C940
bo liu <[email protected]>
ALSA: hda/conexant: add a new hda codec CX11970
Dan Williams <[email protected]>
x86/mm: Fix leak of pmd ptlock
Johan Hovold <[email protected]>
USB: serial: keyspan_pda: remove unused variable
Eddie Hung <[email protected]>
usb: gadget: configfs: Fix use-after-free issue with udc_name
Chandana Kishori Chiluveru <[email protected]>
usb: gadget: configfs: Preserve function ordering after bind failure
Sriharsha Allenki <[email protected]>
usb: gadget: Fix spinlock lockup on usb_function_deactivate
Yang Yingliang <[email protected]>
USB: gadget: legacy: fix return error code in acm_ms_bind()
Zqiang <[email protected]>
usb: gadget: function: printer: Fix a memory leak for interface descriptor
Jerome Brunet <[email protected]>
usb: gadget: f_uac2: reset wMaxPacketSize
Arnd Bergmann <[email protected]>
usb: gadget: select CONFIG_CRC32
Takashi Iwai <[email protected]>
ALSA: usb-audio: Fix UBSAN warnings for MIDI jacks
Johan Hovold <[email protected]>
USB: usblp: fix DMA to stack
Johan Hovold <[email protected]>
USB: yurex: fix control-URB timeout handling
Bjørn Mork <[email protected]>
USB: serial: option: add Quectel EM160R-GL
Daniel Palmer <[email protected]>
USB: serial: option: add LongSung M5710 module support
Johan Hovold <[email protected]>
USB: serial: iuu_phoenix: fix DMA from stack
Thinh Nguyen <[email protected]>
usb: uas: Add PNY USB Portable SSD to unusual_uas
Randy Dunlap <[email protected]>
usb: usbip: vhci_hcd: protect shift size
Michael Grzeschik <[email protected]>
USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set
Yu Kuai <[email protected]>
usb: chipidea: ci_hdrc_imx: add missing put_device() call in usbmisc_get_init_data()
Serge Semin <[email protected]>
usb: dwc3: ulpi: Use VStsDone to detect PHY regs access completion
Sean Young <[email protected]>
USB: cdc-acm: blacklist another IR Droid device
taehyun.cho <[email protected]>
usb: gadget: enable super speed plus
Ard Biesheuvel <[email protected]>
crypto: ecdh - avoid buffer overflow in ecdh_set_secret()
Dexuan Cui <[email protected]>
video: hyperv_fb: Fix the mmap() regression for v5.4.y and older
Florian Fainelli <[email protected]>
net: systemport: set dev->max_mtu to UMAC_MAX_MTU_SIZE
Stefan Chulski <[email protected]>
net: mvpp2: Fix GoP port 3 Networking Complex Control configurations
Antoine Tenart <[email protected]>
net-sysfs: take the rtnl lock when accessing xps_cpus_map and num_tc
Randy Dunlap <[email protected]>
net: sched: prevent invalid Scell_log shift count
Yunjian Wang <[email protected]>
vhost_net: fix ubuf refcount incorrectly when sendmsg fails
Bjørn Mork <[email protected]>
net: usb: qmi_wwan: add Quectel EM160R-GL
Roland Dreier <[email protected]>
CDC-NCM: remove "connected" log message
Xie He <[email protected]>
net: hdlc_ppp: Fix issues when mod_timer is called while timer is running
Yunjian Wang <[email protected]>
net: hns: fix return value check in __lb_other_process()
Guillaume Nault <[email protected]>
ipv4: Ignore ECN bits for fib lookups in fib_compute_spec_dst()
Grygorii Strashko <[email protected]>
net: ethernet: ti: cpts: fix ethtool output when no ptp_clock registered
Antoine Tenart <[email protected]>
net-sysfs: take the rtnl lock when storing xps_cpus
Dinghao Liu <[email protected]>
net: ethernet: Fix memleak in ethoc_probe
John Wang <[email protected]>
net/ncsi: Use real net-device for response handler
Petr Machata <[email protected]>
net: dcb: Validate netlink message in DCB handler
Jeff Dike <[email protected]>
virtio_net: Fix recursive call to cpus_read_lock()
Manish Chopra <[email protected]>
qede: fix offload for IPIP tunnel packets
Dan Carpenter <[email protected]>
atm: idt77252: call pci_disable_device() on error path
Rasmus Villemoes <[email protected]>
ethernet: ucc_geth: set dev->max_mtu to 1518
Rasmus Villemoes <[email protected]>
ethernet: ucc_geth: fix use-after-free in ucc_geth_remove()
Linus Torvalds <[email protected]>
depmod: handle the case of /sbin/depmod without /sbin in PATH
Huang Shijie <[email protected]>
lib/genalloc: fix the overflow when size is too big
Bart Van Assche <[email protected]>
scsi: ide: Do not set the RQF_PREEMPT flag for sense requests
Adrian Hunter <[email protected]>
scsi: ufs-pci: Ensure UFS device is in PowerDown mode for suspend-to-disk ->poweroff()
Yunfeng Ye <[email protected]>
workqueue: Kick a worker based on the actual activation of delayed works
Dominique Martinet <[email protected]>
kbuild: don't hardcode depmod path
-------------
Diffstat:
Makefile | 6 +--
arch/x86/kernel/cpu/mtrr/generic.c | 6 +--
arch/x86/kvm/mmu.h | 2 +-
arch/x86/mm/pgtable.c | 2 +
crypto/ecdh.c | 3 +-
drivers/atm/idt77252.c | 2 +-
drivers/base/core.c | 2 +-
drivers/ide/ide-atapi.c | 1 -
drivers/ide/ide-io.c | 5 --
drivers/net/ethernet/broadcom/bcmsysport.c | 1 +
drivers/net/ethernet/ethoc.c | 3 +-
drivers/net/ethernet/freescale/ucc_geth.c | 3 +-
drivers/net/ethernet/hisilicon/hns/hns_ethtool.c | 4 ++
drivers/net/ethernet/marvell/mvpp2.c | 2 +-
drivers/net/ethernet/qlogic/qede/qede_fp.c | 5 ++
drivers/net/ethernet/ti/cpts.c | 2 +
drivers/net/usb/cdc_ncm.c | 3 --
drivers/net/usb/qmi_wwan.c | 1 +
drivers/net/virtio_net.c | 12 +++--
drivers/net/wan/hdlc_ppp.c | 7 +++
drivers/scsi/ufs/ufshcd-pci.c | 34 +++++++++++-
drivers/usb/chipidea/ci_hdrc_imx.c | 6 ++-
drivers/usb/class/cdc-acm.c | 4 ++
drivers/usb/class/usblp.c | 21 +++++++-
drivers/usb/dwc3/core.h | 1 +
drivers/usb/dwc3/ulpi.c | 2 +-
drivers/usb/gadget/Kconfig | 2 +
drivers/usb/gadget/composite.c | 10 +++-
drivers/usb/gadget/configfs.c | 19 ++++---
drivers/usb/gadget/function/f_printer.c | 1 +
drivers/usb/gadget/function/f_uac2.c | 69 +++++++++++++++++++-----
drivers/usb/gadget/legacy/acm_ms.c | 4 +-
drivers/usb/host/xhci.c | 24 ++++-----
drivers/usb/misc/yurex.c | 3 ++
drivers/usb/serial/iuu_phoenix.c | 20 +++++--
drivers/usb/serial/keyspan_pda.c | 2 -
drivers/usb/serial/option.c | 3 ++
drivers/usb/storage/unusual_uas.h | 7 +++
drivers/usb/usbip/vhci_hcd.c | 2 +
drivers/vhost/net.c | 6 +--
drivers/video/fbdev/hyperv_fb.c | 6 +--
include/net/red.h | 4 +-
kernel/workqueue.c | 13 +++--
lib/genalloc.c | 25 ++++-----
net/core/net-sysfs.c | 29 ++++++++--
net/dcb/dcbnl.c | 2 +
net/ipv4/fib_frontend.c | 2 +-
net/ncsi/ncsi-rsp.c | 2 +-
net/netfilter/ipset/ip_set_hash_gen.h | 20 ++-----
net/netfilter/xt_RATEEST.c | 3 ++
net/sched/sch_choke.c | 2 +-
net/sched/sch_gred.c | 2 +-
net/sched/sch_red.c | 2 +-
net/sched/sch_sfq.c | 2 +-
scripts/depmod.sh | 2 +
sound/pci/hda/patch_conexant.c | 1 +
sound/pci/hda/patch_realtek.c | 6 +++
sound/usb/midi.c | 4 ++
58 files changed, 315 insertions(+), 124 deletions(-)
From: Guillaume Nault <[email protected]>
[ Upstream commit 21fdca22eb7df2a1e194b8adb812ce370748b733 ]
RT_TOS() only clears one of the ECN bits. Therefore, when
fib_compute_spec_dst() resorts to a fib lookup, it can return
different results depending on the value of the second ECN bit.
For example, ECT(0) and ECT(1) packets could be treated differently.
$ ip netns add ns0
$ ip netns add ns1
$ ip link add name veth01 netns ns0 type veth peer name veth10 netns ns1
$ ip -netns ns0 link set dev lo up
$ ip -netns ns1 link set dev lo up
$ ip -netns ns0 link set dev veth01 up
$ ip -netns ns1 link set dev veth10 up
$ ip -netns ns0 address add 192.0.2.10/24 dev veth01
$ ip -netns ns1 address add 192.0.2.11/24 dev veth10
$ ip -netns ns1 address add 192.0.2.21/32 dev lo
$ ip -netns ns1 route add 192.0.2.10/32 tos 4 dev veth10 src 192.0.2.21
$ ip netns exec ns1 sysctl -wq net.ipv4.icmp_echo_ignore_broadcasts=0
With TOS 4 and ECT(1), ns1 replies using source address 192.0.2.21
(ping uses -Q to set all TOS and ECN bits):
$ ip netns exec ns0 ping -c 1 -b -Q 5 192.0.2.255
[...]
64 bytes from 192.0.2.21: icmp_seq=1 ttl=64 time=0.544 ms
But with TOS 4 and ECT(0), ns1 replies using source address 192.0.2.11
because the "tos 4" route isn't matched:
$ ip netns exec ns0 ping -c 1 -b -Q 6 192.0.2.255
[...]
64 bytes from 192.0.2.11: icmp_seq=1 ttl=64 time=0.597 ms
After this patch the ECN bits don't affect the result anymore:
$ ip netns exec ns0 ping -c 1 -b -Q 6 192.0.2.255
[...]
64 bytes from 192.0.2.21: icmp_seq=1 ttl=64 time=0.591 ms
Fixes: 35ebf65e851c ("ipv4: Create and use fib_compute_spec_dst() helper.")
Signed-off-by: Guillaume Nault <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/ipv4/fib_frontend.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -292,7 +292,7 @@ __be32 fib_compute_spec_dst(struct sk_bu
.flowi4_iif = LOOPBACK_IFINDEX,
.flowi4_oif = l3mdev_master_ifindex_rcu(dev),
.daddr = ip_hdr(skb)->saddr,
- .flowi4_tos = RT_TOS(ip_hdr(skb)->tos),
+ .flowi4_tos = ip_hdr(skb)->tos & IPTOS_RT_MASK,
.flowi4_scope = scope,
.flowi4_mark = vmark ? skb->mark : 0,
};
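Review bot: on the changed `.flowi4_tos` initializer, the reason for open-coding `ip_hdr(skb)->tos & IPTOS_RT_MASK` instead of using RT_TOS() is recorded only in the changelog. A one-line comment above the field, saying that the ECN bits must not take part in the fib lookup, would keep a later cleanup from converting it back to RT_TOS().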
From: Yunjian Wang <[email protected]>
[ Upstream commit 5ede3ada3da7f050519112b81badc058190b9f9f ]
The function skb_copy() could return NULL, so the return value
needs to be checked.
Fixes: b5996f11ea54 ("net: add Hisilicon Network Subsystem basic ethernet support")
Signed-off-by: Yunjian Wang <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/ethernet/hisilicon/hns/hns_ethtool.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_ethtool.c
@@ -418,6 +418,10 @@ static void __lb_other_process(struct hn
/* for mutl buffer*/
new_skb = skb_copy(skb, GFP_ATOMIC);
dev_kfree_skb_any(skb);
+ if (!new_skb) {
+ netdev_err(ndev, "skb alloc failed\n");
+ return;
+ }
skb = new_skb;
check_ok = 0;
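Review bot: the `netdev_err(ndev, "skb alloc failed\n")` in the new `if (!new_skb)` branch is redundant, because a failed allocation already produces a warning from the allocator, and checkpatch flags this kind of out-of-memory message. I would drop the message and keep only the `return`. Since `__lb_other_process()` returns void, the changelog should also say how the dropped frame shows up in the loopback result.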
From: Stefan Chulski <[email protected]>
[ Upstream commit 2575bc1aa9d52a62342b57a0b7d0a12146cf6aed ]
During GoP port 2 Networking Complex Control mode of operation configurations,
also GoP port 3 mode of operation was wrongly set.
Patch removes these configurations.
Fixes: f84bf386f395 ("net: mvpp2: initialize the GoP")
Acked-by: Marcin Wojtas <[email protected]>
Signed-off-by: Stefan Chulski <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/ethernet/marvell/mvpp2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/marvell/mvpp2.c
+++ b/drivers/net/ethernet/marvell/mvpp2.c
@@ -4349,7 +4349,7 @@ static void mvpp22_gop_init_rgmii(struct
regmap_read(priv->sysctrl_base, GENCONF_CTRL0, &val);
if (port->gop_id == 2)
- val |= GENCONF_CTRL0_PORT0_RGMII | GENCONF_CTRL0_PORT1_RGMII;
+ val |= GENCONF_CTRL0_PORT0_RGMII;
else if (port->gop_id == 3)
val |= GENCONF_CTRL0_PORT1_RGMII_MII;
regmap_write(priv->sysctrl_base, GENCONF_CTRL0, val);
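Review bot: in the `port->gop_id == 2` branch the value is still only OR-ed into what `regmap_read()` returned, so a `GENCONF_CTRL0_PORT1_RGMII` bit that was already set in GENCONF_CTRL0 (for example by an earlier run of this same branch before the fix) is written back unchanged. Please confirm that nothing needs to clear the port 3 bit here, or mask it out explicitly before the `regmap_write()`.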
From: Sriharsha Allenki <[email protected]>
commit 5cc35c224a80aa5a5a539510ef049faf0d6ed181 upstream.
There is a spinlock lockup as part of composite_disconnect
when it tries to acquire cdev->lock as part of usb_gadget_deactivate.
This is because the usb_gadget_deactivate is called from
usb_function_deactivate with the same spinlock held.
This would result in the below call stack and leads to stall.
rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: 3-...0: (1 GPs behind) idle=162/1/0x4000000000000000
softirq=10819/10819 fqs=2356
(detected by 2, t=5252 jiffies, g=20129, q=3770)
Task dump for CPU 3:
task:uvc-gadget_wlhe state:R running task stack: 0 pid: 674 ppid:
636 flags:0x00000202
Call trace:
__switch_to+0xc0/0x170
_raw_spin_lock_irqsave+0x84/0xb0
composite_disconnect+0x28/0x78
configfs_composite_disconnect+0x68/0x70
usb_gadget_disconnect+0x10c/0x128
usb_gadget_deactivate+0xd4/0x108
usb_function_deactivate+0x6c/0x80
uvc_function_disconnect+0x20/0x58
uvc_v4l2_release+0x30/0x88
v4l2_release+0xbc/0xf0
__fput+0x7c/0x230
____fput+0x14/0x20
task_work_run+0x88/0x140
do_notify_resume+0x240/0x6f0
work_pending+0x8/0x200
Fix this by doing an unlock on cdev->lock before the usb_gadget_deactivate
call from usb_function_deactivate.
The same lockup can happen in the usb_gadget_activate path. Fix that path
as well.
Reported-by: Peter Chen <[email protected]>
Link: https://lore.kernel.org/linux-usb/20201102094936.GA29581@b29397-desktop/
Tested-by: Peter Chen <[email protected]>
Signed-off-by: Sriharsha Allenki <[email protected]>
Cc: stable <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/usb/gadget/composite.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -395,8 +395,11 @@ int usb_function_deactivate(struct usb_f
spin_lock_irqsave(&cdev->lock, flags);
- if (cdev->deactivations == 0)
+ if (cdev->deactivations == 0) {
+ spin_unlock_irqrestore(&cdev->lock, flags);
status = usb_gadget_deactivate(cdev->gadget);
+ spin_lock_irqsave(&cdev->lock, flags);
+ }
if (status == 0)
cdev->deactivations++;
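Review bot: dropping `cdev->lock` between the `cdev->deactivations == 0` test and `cdev->deactivations++` means the check and the increment are no longer one atomic step. A second caller entering in that window also sees 0 and calls `usb_gadget_deactivate()` again. The changelog explains why the lock has to be released but not why this window is harmless; a comment at the unlock stating what serializes concurrent callers, or why a repeated deactivate is fine, would settle it.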
@@ -427,8 +430,11 @@ int usb_function_activate(struct usb_fun
status = -EINVAL;
else {
cdev->deactivations--;
- if (cdev->deactivations == 0)
+ if (cdev->deactivations == 0) {
+ spin_unlock_irqrestore(&cdev->lock, flags);
status = usb_gadget_activate(cdev->gadget);
+ spin_lock_irqsave(&cdev->lock, flags);
+ }
}
spin_unlock_irqrestore(&cdev->lock, flags);
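Review bot: here `cdev->deactivations--` has already been applied when the lock is dropped around `usb_gadget_activate()`, so a concurrent `usb_function_deactivate()` can observe the counter at 0 and start deactivating the gadget while this activate call is still in flight. The ordering between the two gadget calls is then undefined. Please document at the unlock why that interleaving cannot happen, or what state the gadget ends up in if it does.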
From: Zqiang <[email protected]>
commit 2cc332e4ee4febcbb685e2962ad323fe4b3b750a upstream.
When the printer driver is loaded, the printer_func_bind function is called. In
this function, memory is allocated for the interface descriptor; if an error
occurs after that, the interface descriptor memory needs to be freed.
Reviewed-by: Peter Chen <[email protected]>
Cc: <[email protected]>
Signed-off-by: Zqiang <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/usb/gadget/function/f_printer.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/gadget/function/f_printer.c
+++ b/drivers/usb/gadget/function/f_printer.c
@@ -1130,6 +1130,7 @@ fail_tx_reqs:
printer_req_free(dev->in_ep, req);
}
+ usb_free_all_descriptors(f);
return ret;
}
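Review bot: `usb_free_all_descriptors(f)` is added on the shared tail after the `fail_tx_reqs:` cleanup, so every error exit that reaches `return ret` through these labels now frees the descriptors. The changelog should state that all jumps into this tail happen after the descriptors were allocated. If an earlier failure can land here, the call needs its own label placed before the request cleanup labels.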
On Mon, 11 Jan 2021 at 18:36, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 4.14.215 release.
> There are 57 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 13 Jan 2021 13:00:19 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.215-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.
Tested-by: Linux Kernel Functional Testing <[email protected]>
Summary
------------------------------------------------------------------------
kernel: 4.14.215-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.14.y
git commit: e3be7c59d3c1eb71d34a1927c0fbc89052ce93ca
git describe: v4.14.214-58-ge3be7c59d3c1
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-4.14.y/build/v4.14.214-58-ge3be7c59d3c1
No regressions (compared to build v4.14.214)
No fixes (compared to build v4.14.214)
Ran 38840 total tests in the following environments and test suites.
Environments
--------------
- arm
- arm64
- dragonboard-410c - arm64
- hi6220-hikey - arm64
- i386
- juno-r2 - arm64
- juno-r2-compat
- juno-r2-kasan
- mips
- qemu-arm64-kasan
- qemu-x86_64-kasan
- qemu_arm
- qemu_arm64
- qemu_arm64-compat
- qemu_i386
- qemu_x86_64
- qemu_x86_64-compat
- sparc
- x15 - arm
- x86_64
- x86-kasan
Test Suites
-----------
* build
* linux-log-parser
* install-android-platform-tools-r2600
* libhugetlbfs
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-ipc-tests
* ltp-mm-tests
* ltp-tracing-tests
* v4l2-compliance
* fwts
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fs-tests
* ltp-io-tests
* ltp-math-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* network-basic-tests
* ltp-open-posix-tests
* perf
* kvm-unit-tests
* rcutorture
--
Linaro LKFT
https://lkft.linaro.org