2020-08-10 15:37:50

by Greg Kroah-Hartman

Subject: [PATCH 5.4 00/67] 5.4.58-rc1 review

This is the start of the stable review cycle for the 5.4.58 release.
There are 67 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 12 Aug 2020 15:17:47 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.58-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <[email protected]>
Linux 5.4.58-rc1

Chuck Lever <[email protected]>
nfsd: Fix NFSv4 READ on RDMA when using readv

Bruno Meneguele <[email protected]>
ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime

Jianfeng Wang <[email protected]>
tcp: apply a floor of 1 for RTT samples from TCP timestamps

Willem de Bruijn <[email protected]>
selftests/net: relax cpu affinity requirement in msg_zerocopy test

Hangbin Liu <[email protected]>
Revert "vxlan: fix tos value before xmit"

Peilin Ye <[email protected]>
openvswitch: Prevent kernel-infoleak in ovs_ct_put_key()

Xin Long <[email protected]>
net: thunderx: use spin_lock_bh in nicvf_set_rx_mode_task()

Lorenzo Bianconi <[email protected]>
net: gre: recompute gre csum for sctp over gre tunnels

Stephen Hemminger <[email protected]>
hv_netvsc: do not use VF device if link is down

YueHaibing <[email protected]>
dpaa2-eth: Fix passing zero to 'PTR_ERR' warning

Vincent Duvert <[email protected]>
appletalk: Fix atalk_proc_init() return path

Johan Hovold <[email protected]>
net: lan78xx: replace bogus endpoint lookup

Ido Schimmel <[email protected]>
vxlan: Ensure FDB dump is performed under RCU

David Howells <[email protected]>
rxrpc: Fix race between recvmsg and sendmsg on immediate call failure

Landen Chao <[email protected]>
net: ethernet: mtk_eth_soc: fix MTU warnings

Xiyu Yang <[email protected]>
ipv6: Fix nexthop refcnt leak when creating ipv6 route info

Cong Wang <[email protected]>
ipv6: fix memory leaks on IPV6_ADDRFORM path

Ido Schimmel <[email protected]>
ipv4: Silence suspicious RCU usage warning

Nicolas Chauvet <[email protected]>
PCI: tegra: Revert tegra124 raw_violation_fixup

Christophe Leroy <[email protected]>
Revert "powerpc/kasan: Fix shadow pages allocation failure"

Frank van der Linden <[email protected]>
xattr: break delegations in {set,remove}xattr

Dexuan Cui <[email protected]>
Drivers: hv: vmbus: Ignore CHANNELMSG_TL_CONNECT_RESULT(23)

Philippe Duplessis-Guindon <[email protected]>
tools lib traceevent: Fix memory leak in process_dynamic_array_len

Xin Xiong <[email protected]>
atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent

Francesco Ruggeri <[email protected]>
igb: reinit_locked() should be called with rtnl_lock

Julian Squires <[email protected]>
cfg80211: check vendor command doit pointer before use

Qiushi Wu <[email protected]>
firmware: Fix a reference count leak.

Ranjani Sridharan <[email protected]>
ALSA: hda: fix NULL pointer dereference during suspend

René van Dorst <[email protected]>
net: ethernet: mtk_eth_soc: Always call mtk_gmac0_rgmii_adjust() for mt7623

Rustam Kovhaev <[email protected]>
usb: hso: check for return value in hso_serial_common_create()

Wolfram Sang <[email protected]>
i2c: slave: add sanity check when unregistering

Wolfram Sang <[email protected]>
i2c: slave: improve sanity check when registering

Sam Ravnborg <[email protected]>
drm/drm_fb_helper: fix fbdev with sparc64

Kai-Heng Feng <[email protected]>
nvme-pci: prevent SK hynix PC400 from using Write Zeroes command

Ben Skeggs <[email protected]>
drm/nouveau/fbcon: zero-initialise the mode_cmd2 structure

Ben Skeggs <[email protected]>
drm/nouveau/fbcon: fix module unload when fbcon init has failed for some reason

Christoph Hellwig <[email protected]>
net/9p: validate fds in p9_fd_open

Johan Hovold <[email protected]>
leds: 88pm860x: fix use-after-free on unbind

Johan Hovold <[email protected]>
leds: lm3533: fix use-after-free on unbind

Johan Hovold <[email protected]>
leds: da903x: fix use-after-free on unbind

Johan Hovold <[email protected]>
leds: lm36274: fix use-after-free on unbind

Johan Hovold <[email protected]>
leds: wm831x-status: fix use-after-free on unbind

Greg Kroah-Hartman <[email protected]>
mtd: properly check all write ioctls for permissions

Yunhai Zhang <[email protected]>
vgacon: Fix for missing check in scrollback handling

Matthias Maennich <[email protected]>
scripts: add dummy report mode to add_namespace.cocci

Eric Biggers <[email protected]>
Smack: fix use-after-free in smk_write_relabel_self()

Jann Horn <[email protected]>
binder: Prevent context manager from incrementing ref 0

Adam Ford <[email protected]>
omapfb: dss: Fix max fclk divider for omap36xx

Peilin Ye <[email protected]>
Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()

Peilin Ye <[email protected]>
Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()

Peilin Ye <[email protected]>
Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()

Dinghao Liu <[email protected]>
Staging: rtl8188eu: rtw_mlme: Fix uninitialized variable authmode

Rustam Kovhaev <[email protected]>
staging: rtl8712: handle firmware load failure

Suren Baghdasaryan <[email protected]>
staging: android: ashmem: Fix lockdep warning for write operation

Takashi Iwai <[email protected]>
ALSA: seq: oss: Serialize ioctls

Connor McAdams <[email protected]>
ALSA: hda/ca0132 - Fix AE-5 microphone selection commands.

Connor McAdams <[email protected]>
ALSA: hda/ca0132 - Fix ZxR Headphone gain control get value.

Connor McAdams <[email protected]>
ALSA: hda/ca0132 - Add new quirk ID for Recon3D.

Huacai Chen <[email protected]>
ALSA: hda/realtek: Add alc269/alc662 pin-tables for Loongson-3 laptops

Hui Wang <[email protected]>
Revert "ALSA: hda: call runtime_allow() for all hda controllers"

Guoyu Huang <[email protected]>
io_uring: Fix use-after-free in io_sq_wq_submit_work()

Jens Axboe <[email protected]>
io_uring: prevent re-read of sqe->opcode

Forest Crossman <[email protected]>
usb: xhci: Fix ASMedia ASM1142 DMA addressing

Forest Crossman <[email protected]>
usb: xhci: define IDs for various ASMedia host controllers

Greg Kroah-Hartman <[email protected]>
USB: iowarrior: fix up report size handling for some devices

Peter Zijlstra <[email protected]>
perf/core: Fix endless multiplex timer

Erik Ekman <[email protected]>
USB: serial: qcserial: add EM7305 QDL product ID


-------------

Diffstat:

Makefile | 4 +-
arch/powerpc/include/asm/kasan.h | 2 +
arch/powerpc/mm/init_32.c | 2 +
arch/powerpc/mm/kasan/kasan_init_32.c | 4 +-
drivers/android/binder.c | 15 ++-
drivers/atm/atmtcp.c | 10 +-
drivers/firmware/qemu_fw_cfg.c | 7 +-
drivers/gpu/drm/bochs/bochs_kms.c | 1 +
drivers/gpu/drm/drm_fb_helper.c | 6 +-
drivers/gpu/drm/nouveau/nouveau_fbcon.c | 3 +-
drivers/hv/channel_mgmt.c | 21 ++--
drivers/hv/vmbus_drv.c | 4 +
drivers/i2c/i2c-core-slave.c | 7 +-
drivers/leds/leds-88pm860x.c | 14 ++-
drivers/leds/leds-da903x.c | 14 ++-
drivers/leds/leds-lm3533.c | 12 ++-
drivers/leds/leds-lm36274.c | 15 ++-
drivers/leds/leds-wm831x-status.c | 14 ++-
drivers/mtd/mtdchar.c | 56 +++++++++--
drivers/net/ethernet/cavium/thunder/nicvf_main.c | 4 +-
drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 6 +-
drivers/net/ethernet/intel/igb/igb_main.c | 9 ++
drivers/net/ethernet/mediatek/mtk_eth_soc.c | 21 +++-
drivers/net/hyperv/netvsc_drv.c | 7 +-
drivers/net/usb/hso.c | 5 +-
drivers/net/usb/lan78xx.c | 117 ++++++-----------------
drivers/net/vxlan.c | 10 +-
drivers/nvme/host/pci.c | 2 +
drivers/pci/controller/pci-tegra.c | 32 -------
drivers/staging/android/ashmem.c | 12 +++
drivers/staging/rtl8188eu/core/rtw_mlme.c | 4 +-
drivers/staging/rtl8712/hal_init.c | 3 +-
drivers/staging/rtl8712/usb_intf.c | 11 ++-
drivers/usb/host/xhci-pci.c | 10 +-
drivers/usb/misc/iowarrior.c | 35 +++++--
drivers/usb/serial/qcserial.c | 1 +
drivers/video/console/vgacon.c | 4 +
drivers/video/fbdev/omap2/omapfb/dss/dss.c | 2 +-
fs/io_uring.c | 60 +++++-------
fs/nfsd/nfs4xdr.c | 20 ++--
fs/xattr.c | 84 ++++++++++++++--
include/drm/drm_mode_config.h | 12 +++
include/linux/hyperv.h | 2 +
include/linux/sunrpc/svc.h | 3 +
include/linux/sunrpc/svc_rdma.h | 8 +-
include/linux/sunrpc/svc_xprt.h | 2 +
include/linux/xattr.h | 2 +
include/net/addrconf.h | 1 +
kernel/events/core.c | 20 ++--
net/9p/trans_fd.c | 24 +++--
net/appletalk/atalk_proc.c | 2 +
net/bluetooth/hci_event.c | 11 ++-
net/ipv4/fib_trie.c | 2 +-
net/ipv4/gre_offload.c | 13 ++-
net/ipv4/tcp_input.c | 2 +
net/ipv6/anycast.c | 17 +++-
net/ipv6/ipv6_sockglue.c | 1 +
net/ipv6/route.c | 8 +-
net/openvswitch/conntrack.c | 38 ++++----
net/rxrpc/call_object.c | 27 ++++--
net/rxrpc/conn_object.c | 8 +-
net/rxrpc/recvmsg.c | 2 +-
net/rxrpc/sendmsg.c | 3 +
net/sunrpc/svc.c | 16 ++++
net/sunrpc/svcsock.c | 8 ++
net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 1 +
net/sunrpc/xprtrdma/svc_rdma_rw.c | 30 +++---
net/sunrpc/xprtrdma/svc_rdma_sendto.c | 40 +++++++-
net/sunrpc/xprtrdma/svc_rdma_transport.c | 1 +
net/wireless/nl80211.c | 6 +-
scripts/coccinelle/misc/add_namespace.cocci | 8 +-
scripts/nsdeps | 2 +-
security/integrity/ima/Kconfig | 2 +-
security/integrity/ima/ima_appraise.c | 6 ++
security/smack/smackfs.c | 13 ++-
sound/core/seq/oss/seq_oss.c | 8 +-
sound/pci/hda/hda_codec.c | 8 ++
sound/pci/hda/hda_intel.c | 1 -
sound/pci/hda/patch_ca0132.c | 12 ++-
sound/pci/hda/patch_realtek.c | 114 ++++++++++++++++++++++
tools/lib/traceevent/event-parse.c | 1 +
tools/testing/selftests/net/msg_zerocopy.c | 5 +-
82 files changed, 818 insertions(+), 342 deletions(-)



2020-08-10 15:38:01

by Greg Kroah-Hartman

Subject: [PATCH 5.4 39/67] net: ethernet: mtk_eth_soc: Always call mtk_gmac0_rgmii_adjust() for mt7623

From: René van Dorst <[email protected]>

[ Upstream commit 19016d93bfc335f0c158c0d9e3b9d06c4dd53d39 ]

Modify mtk_gmac0_rgmii_adjust() so it can always be called.
mtk_gmac0_rgmii_adjust() sets up the TRGMII clocks.

Signed-off-by: René van Dorst <[email protected]>
Signed-off-By: David Woodhouse <[email protected]>
Tested-by: Frank Wunderlich <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/ethernet/mediatek/mtk_eth_soc.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
index 997dc811382a4..be390c7e43b2f 100644
--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
@@ -171,11 +171,21 @@ static int mt7621_gmac0_rgmii_adjust(struct mtk_eth *eth,
return 0;
}

-static void mtk_gmac0_rgmii_adjust(struct mtk_eth *eth, int speed)
+static void mtk_gmac0_rgmii_adjust(struct mtk_eth *eth,
+ phy_interface_t interface, int speed)
{
u32 val;
int ret;

+ if (interface == PHY_INTERFACE_MODE_TRGMII) {
+ mtk_w32(eth, TRGMII_MODE, INTF_MODE);
+ val = 500000000;
+ ret = clk_set_rate(eth->clks[MTK_CLK_TRGPLL], val);
+ if (ret)
+ dev_err(eth->dev, "Failed to set trgmii pll: %d\n", ret);
+ return;
+ }
+
val = (speed == SPEED_1000) ?
INTF_MODE_RGMII_1000 : INTF_MODE_RGMII_10_100;
mtk_w32(eth, val, INTF_MODE);
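Review bot: In the new TRGMII branch, a clk_set_rate() failure is only logged with dev_err() and the function still returns void, so mtk_mac_config() goes on to the mt7623 pad clock setup with the PLL at an unknown rate. Consider returning int from mtk_gmac0_rgmii_adjust() and letting the caller bail out. The literal 500000000 stored in val, which otherwise holds a register value in this function, would also read better as a named rate constant or a separate variable.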
@@ -262,10 +272,9 @@ static void mtk_mac_config(struct phylink_config *config, unsigned int mode,
state->interface))
goto err_phy;
} else {
- if (state->interface !=
- PHY_INTERFACE_MODE_TRGMII)
- mtk_gmac0_rgmii_adjust(mac->hw,
- state->speed);
+ mtk_gmac0_rgmii_adjust(mac->hw,
+ state->interface,
+ state->speed);

/* mt7623_pad_clk_setup */
for (i = 0 ; i < NUM_TRGMII_CTRL; i++)
--
2.25.1



2020-08-10 15:38:07

by Greg Kroah-Hartman

Subject: [PATCH 5.4 16/67] Staging: rtl8188eu: rtw_mlme: Fix uninitialized variable authmode

From: Dinghao Liu <[email protected]>

commit 11536442a3b4e1de6890ea5e805908debb74f94a upstream.

The variable authmode can be uninitialized. The danger would be if
it equals _WPA_IE_ID_ (0xdd) or _WPA2_IE_ID_ (0x33). We can avoid
this by setting it to zero instead. This is the approach that was
used in the rtl8723bs driver.

Fixes: 7b464c9fa5cc ("staging: r8188eu: Add files for new driver - part 4")
Co-developed-by: Dan Carpenter <[email protected]>
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Dinghao Liu <[email protected]>
Cc: stable <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/staging/rtl8188eu/core/rtw_mlme.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/staging/rtl8188eu/core/rtw_mlme.c
+++ b/drivers/staging/rtl8188eu/core/rtw_mlme.c
@@ -1729,9 +1729,11 @@ int rtw_restruct_sec_ie(struct adapter *
if ((ndisauthmode == Ndis802_11AuthModeWPA) ||
(ndisauthmode == Ndis802_11AuthModeWPAPSK))
authmode = _WPA_IE_ID_;
- if ((ndisauthmode == Ndis802_11AuthModeWPA2) ||
+ else if ((ndisauthmode == Ndis802_11AuthModeWPA2) ||
(ndisauthmode == Ndis802_11AuthModeWPA2PSK))
authmode = _WPA2_IE_ID_;
+ else
+ authmode = 0x0;

if (check_fwstate(pmlmepriv, WIFI_UNDER_WPS)) {
memcpy(out_ie+ielength, psecuritypriv->wps_ie, psecuritypriv->wps_ie_len);
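Review bot: The added else branch assigns the bare literal 0x0 to authmode, which leaves a reader to infer that zero matches neither _WPA_IE_ID_ nor _WPA2_IE_ID_. Initialising authmode at its declaration, or adding a short comment that 0 means no security IE is selected, would state the intent and keep a later-added branch from reintroducing the uninitialised read.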


2020-08-10 15:38:30

by Greg Kroah-Hartman

Subject: [PATCH 5.4 47/67] xattr: break delegations in {set,remove}xattr

From: Frank van der Linden <[email protected]>

commit 08b5d5014a27e717826999ad20e394a8811aae92 upstream.

set/removexattr on an exported filesystem should break NFS delegations.
This is true in general, but also for the upcoming support for
RFC 8726 (NFSv4 extended attribute support). Make sure that they do.

Additionally, they need to grow a _locked variant, since callers might
call this with i_rwsem held (like the NFS server code).

Cc: [email protected] # v4.9+
Cc: [email protected]
Cc: Al Viro <[email protected]>
Signed-off-by: Frank van der Linden <[email protected]>
Signed-off-by: Chuck Lever <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/xattr.c | 84 +++++++++++++++++++++++++++++++++++++++++++++-----
include/linux/xattr.h | 2 +
2 files changed, 79 insertions(+), 7 deletions(-)

--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -204,10 +204,22 @@ int __vfs_setxattr_noperm(struct dentry
return error;
}

-
+/**
+ * __vfs_setxattr_locked: set an extended attribute while holding the inode
+ * lock
+ *
+ * @dentry - object to perform setxattr on
+ * @name - xattr name to set
+ * @value - value to set @name to
+ * @size - size of @value
+ * @flags - flags to pass into filesystem operations
+ * @delegated_inode - on return, will contain an inode pointer that
+ * a delegation was broken on, NULL if none.
+ */
int
-vfs_setxattr(struct dentry *dentry, const char *name, const void *value,
- size_t size, int flags)
+__vfs_setxattr_locked(struct dentry *dentry, const char *name,
+ const void *value, size_t size, int flags,
+ struct inode **delegated_inode)
{
struct inode *inode = dentry->d_inode;
int error;
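Review bot: The new comment block above __vfs_setxattr_locked opens with /** but does not follow kernel-doc syntax: the summary line puts a colon after the function name and the parameters are written as "@dentry - ..." instead of "@dentry: ...". Use "__vfs_setxattr_locked - set an extended attribute while holding the inode lock" and the "@name: description" form so the kernel-doc tooling parses it, and add a Return: line, since callers have to act on both the error code and *delegated_inode.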
@@ -216,15 +228,40 @@ vfs_setxattr(struct dentry *dentry, cons
if (error)
return error;

- inode_lock(inode);
error = security_inode_setxattr(dentry, name, value, size, flags);
if (error)
goto out;

+ error = try_break_deleg(inode, delegated_inode);
+ if (error)
+ goto out;
+
error = __vfs_setxattr_noperm(dentry, name, value, size, flags);

out:
+ return error;
+}
+EXPORT_SYMBOL_GPL(__vfs_setxattr_locked);
+
+int
+vfs_setxattr(struct dentry *dentry, const char *name, const void *value,
+ size_t size, int flags)
+{
+ struct inode *inode = dentry->d_inode;
+ struct inode *delegated_inode = NULL;
+ int error;
+
+retry_deleg:
+ inode_lock(inode);
+ error = __vfs_setxattr_locked(dentry, name, value, size, flags,
+ &delegated_inode);
inode_unlock(inode);
+
+ if (delegated_inode) {
+ error = break_deleg_wait(&delegated_inode);
+ if (!error)
+ goto retry_deleg;
+ }
return error;
}
EXPORT_SYMBOL_GPL(vfs_setxattr);
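Review bot: __vfs_setxattr_locked() is exported, but nothing in its body checks that the caller holds the inode lock now that inode_lock() has moved out to vfs_setxattr(). A WARN_ON_ONCE(!inode_is_locked(inode)) at the top would catch a caller that skips the lock instead of letting it race silently. The out: label in the helper now only returns error, so the two "goto out" statements can become direct returns.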
@@ -378,8 +415,18 @@ __vfs_removexattr(struct dentry *dentry,
}
EXPORT_SYMBOL(__vfs_removexattr);

+/**
+ * __vfs_removexattr_locked: set an extended attribute while holding the inode
+ * lock
+ *
+ * @dentry - object to perform setxattr on
+ * @name - name of xattr to remove
+ * @delegated_inode - on return, will contain an inode pointer that
+ * a delegation was broken on, NULL if none.
+ */
int
-vfs_removexattr(struct dentry *dentry, const char *name)
+__vfs_removexattr_locked(struct dentry *dentry, const char *name,
+ struct inode **delegated_inode)
{
struct inode *inode = dentry->d_inode;
int error;
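Review bot: The kernel-doc for __vfs_removexattr_locked is copied from the setxattr variant and still reads "set an extended attribute" and "object to perform setxattr on". Reword both to describe removal, and use the "@name: description" form that kernel-doc expects.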
@@ -388,11 +435,14 @@ vfs_removexattr(struct dentry *dentry, c
if (error)
return error;

- inode_lock(inode);
error = security_inode_removexattr(dentry, name);
if (error)
goto out;

+ error = try_break_deleg(inode, delegated_inode);
+ if (error)
+ goto out;
+
error = __vfs_removexattr(dentry, name);

if (!error) {
@@ -401,12 +451,32 @@ vfs_removexattr(struct dentry *dentry, c
}

out:
+ return error;
+}
+EXPORT_SYMBOL_GPL(__vfs_removexattr_locked);
+
+int
+vfs_removexattr(struct dentry *dentry, const char *name)
+{
+ struct inode *inode = dentry->d_inode;
+ struct inode *delegated_inode = NULL;
+ int error;
+
+retry_deleg:
+ inode_lock(inode);
+ error = __vfs_removexattr_locked(dentry, name, &delegated_inode);
inode_unlock(inode);
+
+ if (delegated_inode) {
+ error = break_deleg_wait(&delegated_inode);
+ if (!error)
+ goto retry_deleg;
+ }
+
return error;
}
EXPORT_SYMBOL_GPL(vfs_removexattr);

-
/*
* Extended attribute SET operations
*/
--- a/include/linux/xattr.h
+++ b/include/linux/xattr.h
@@ -51,8 +51,10 @@ ssize_t vfs_getxattr(struct dentry *, co
ssize_t vfs_listxattr(struct dentry *d, char *list, size_t size);
int __vfs_setxattr(struct dentry *, struct inode *, const char *, const void *, size_t, int);
int __vfs_setxattr_noperm(struct dentry *, const char *, const void *, size_t, int);
+int __vfs_setxattr_locked(struct dentry *, const char *, const void *, size_t, int, struct inode **);
int vfs_setxattr(struct dentry *, const char *, const void *, size_t, int);
int __vfs_removexattr(struct dentry *, const char *);
+int __vfs_removexattr_locked(struct dentry *, const char *, struct inode **);
int vfs_removexattr(struct dentry *, const char *);

ssize_t generic_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size);


2020-08-10 15:38:32

by Greg Kroah-Hartman

Subject: [PATCH 5.4 12/67] ALSA: hda/ca0132 - Fix AE-5 microphone selection commands.

From: Connor McAdams <[email protected]>

commit 7fe3530427e52dd53cd7366914864e29215180a4 upstream.

The ca0113 command had the wrong group_id, 0x48 when it should've been
0x30. The front microphone selection should now work.

Signed-off-by: Connor McAdams <[email protected]>
Cc: <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
sound/pci/hda/patch_ca0132.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/sound/pci/hda/patch_ca0132.c
+++ b/sound/pci/hda/patch_ca0132.c
@@ -4671,7 +4671,7 @@ static int ca0132_alt_select_in(struct h
tmp = FLOAT_ONE;
break;
case QUIRK_AE5:
- ca0113_mmio_command_set(codec, 0x48, 0x28, 0x00);
+ ca0113_mmio_command_set(codec, 0x30, 0x28, 0x00);
tmp = FLOAT_THREE;
break;
default:
@@ -4717,7 +4717,7 @@ static int ca0132_alt_select_in(struct h
r3di_gpio_mic_set(codec, R3DI_REAR_MIC);
break;
case QUIRK_AE5:
- ca0113_mmio_command_set(codec, 0x48, 0x28, 0x00);
+ ca0113_mmio_command_set(codec, 0x30, 0x28, 0x00);
break;
default:
break;
@@ -4756,7 +4756,7 @@ static int ca0132_alt_select_in(struct h
tmp = FLOAT_ONE;
break;
case QUIRK_AE5:
- ca0113_mmio_command_set(codec, 0x48, 0x28, 0x3f);
+ ca0113_mmio_command_set(codec, 0x30, 0x28, 0x3f);
tmp = FLOAT_THREE;
break;
default:
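Review bot: The group id 0x30 is a bare literal in this QUIRK_AE5 case, as it is in the two earlier hunks, and the bug being fixed was that same literal being wrong in all three places. A named constant for the AE-5 microphone-select group, shared by the three ca0113_mmio_command_set() calls, would keep them from drifting apart again.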


2020-08-10 15:38:46

by Greg Kroah-Hartman

Subject: [PATCH 5.4 40/67] ALSA: hda: fix NULL pointer dereference during suspend

From: Ranjani Sridharan <[email protected]>

[ Upstream commit 7fcd9bb5acd01250bcae1ecc0cb8b8d4bb5b7e63 ]

When the ASoC card registration fails and the codec component driver
never probes, the codec device is not initialized and therefore
memory for codec->wcaps is not allocated. This results in a NULL pointer
dereference when the codec driver suspend callback is invoked during
system suspend. Fix this by returning without performing any actions
during codec suspend/resume if the card was not registered successfully.

Reviewed-by: Pierre-Louis Bossart <[email protected]>
Signed-off-by: Ranjani Sridharan <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
sound/pci/hda/hda_codec.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
index 07c03c32715a9..801abf0fc98b3 100644
--- a/sound/pci/hda/hda_codec.c
+++ b/sound/pci/hda/hda_codec.c
@@ -2924,6 +2924,10 @@ static int hda_codec_runtime_suspend(struct device *dev)
struct hda_codec *codec = dev_to_hda_codec(dev);
unsigned int state;

+ /* Nothing to do if card registration fails and the component driver never probes */
+ if (!codec->card)
+ return 0;
+
cancel_delayed_work_sync(&codec->jackpoll_work);
state = hda_call_codec_suspend(codec);
if (codec->link_down_at_suspend ||
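Review bot: The guard added at the top of hda_codec_runtime_suspend() tests codec->card, while the commit message describes the crash as coming from codec->wcaps never being allocated; the comment should say why a NULL card implies the codec was never initialised, so the link between the two is not lost. The comment line is also longer than 80 columns and is repeated verbatim in the resume hunk, so a small shared helper or a shorter comment would serve both.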
@@ -2938,6 +2942,10 @@ static int hda_codec_runtime_resume(struct device *dev)
{
struct hda_codec *codec = dev_to_hda_codec(dev);

+ /* Nothing to do if card registration fails and the component driver never probes */
+ if (!codec->card)
+ return 0;
+
codec_display_power(codec, true);
snd_hdac_codec_link_up(&codec->core);
hda_call_codec_resume(codec);
--
2.25.1



2020-08-10 15:38:47

by Greg Kroah-Hartman

Subject: [PATCH 5.4 14/67] staging: android: ashmem: Fix lockdep warning for write operation

From: Suren Baghdasaryan <[email protected]>

commit 3e338d3c95c735dc3265a86016bb4c022ec7cadc upstream.

syzbot report [1] describes a deadlock when a write operation against an
ashmem fd, executed at the time when ashmem is shrinking its cache, results
in the following lock sequence:

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(fs_reclaim);
                               lock(&sb->s_type->i_mutex_key#13);
                               lock(fs_reclaim);
  lock(&sb->s_type->i_mutex_key#13);

kswapd takes fs_reclaim and then inode_lock while generic_perform_write
takes inode_lock and then fs_reclaim. However ashmem does not support
writing into backing shmem with a write syscall. The only way to change
its content is to mmap it and operate on mapped memory. Therefore the race
that lockdep is warning about is not valid. Resolve this by introducing a
separate lockdep class for the backing shmem inodes.

[1]: https://lkml.kernel.org/lkml/[email protected]/

Reported-by: [email protected]
Signed-off-by: Suren Baghdasaryan <[email protected]>
Cc: stable <[email protected]>
Reviewed-by: Joel Fernandes (Google) <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/staging/android/ashmem.c | 12 ++++++++++++
1 file changed, 12 insertions(+)

--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -95,6 +95,15 @@ static DEFINE_MUTEX(ashmem_mutex);
static struct kmem_cache *ashmem_area_cachep __read_mostly;
static struct kmem_cache *ashmem_range_cachep __read_mostly;

+/*
+ * A separate lockdep class for the backing shmem inodes to resolve the lockdep
+ * warning about the race between kswapd taking fs_reclaim before inode_lock
+ * and write syscall taking inode_lock and then fs_reclaim.
+ * Note that such race is impossible because ashmem does not support write
+ * syscalls operating on the backing shmem.
+ */
+static struct lock_class_key backing_shmem_inode_class;
+
static inline unsigned long range_size(struct ashmem_range *range)
{
return range->pgend - range->pgstart + 1;
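Review bot: The comment on backing_shmem_inode_class justifies the separate lockdep class by stating that ashmem does not support write syscalls on the backing shmem, but it does not say where that is enforced. Because the new class permanently hides this inode_lock/fs_reclaim ordering from lockdep, name the code that rejects writes in the comment, so that a later change adding a write path is recognised as invalidating the annotation.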
@@ -396,6 +405,7 @@ static int ashmem_mmap(struct file *file
if (!asma->file) {
char *name = ASHMEM_NAME_DEF;
struct file *vmfile;
+ struct inode *inode;

if (asma->name[ASHMEM_NAME_PREFIX_LEN] != '\0')
name = asma->name;
@@ -407,6 +417,8 @@ static int ashmem_mmap(struct file *file
goto out;
}
vmfile->f_mode |= FMODE_LSEEK;
+ inode = file_inode(vmfile);
+ lockdep_set_class(&inode->i_rwsem, &backing_shmem_inode_class);
asma->file = vmfile;
/*
* override mmap operation of the vmfile so that it can't be


2020-08-10 15:38:57

by Greg Kroah-Hartman

Subject: [PATCH 5.4 22/67] Smack: fix use-after-free in smk_write_relabel_self()

From: Eric Biggers <[email protected]>

commit beb4ee6770a89646659e6a2178538d2b13e2654e upstream.

smk_write_relabel_self() frees memory from the task's credentials with
no locking, which can easily cause a use-after-free because multiple
tasks can share the same credentials structure.

Fix this by using prepare_creds() and commit_creds() to correctly modify
the task's credentials.

Reproducer for "BUG: KASAN: use-after-free in smk_write_relabel_self":

    #include <fcntl.h>
    #include <pthread.h>
    #include <unistd.h>

    static void *thrproc(void *arg)
    {
        int fd = open("/sys/fs/smackfs/relabel-self", O_WRONLY);
        for (;;) write(fd, "foo", 3);
    }

    int main()
    {
        pthread_t t;
        pthread_create(&t, NULL, thrproc, NULL);
        thrproc(NULL);
    }

Reported-by: [email protected]
Fixes: 38416e53936e ("Smack: limited capability for changing process label")
Cc: <[email protected]> # v4.4+
Signed-off-by: Eric Biggers <[email protected]>
Signed-off-by: Casey Schaufler <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
security/smack/smackfs.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)

--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -2720,7 +2720,6 @@ static int smk_open_relabel_self(struct
static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
- struct task_smack *tsp = smack_cred(current_cred());
char *data;
int rc;
LIST_HEAD(list_tmp);
@@ -2745,11 +2744,21 @@ static ssize_t smk_write_relabel_self(st
kfree(data);

if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) {
+ struct cred *new;
+ struct task_smack *tsp;
+
+ new = prepare_creds();
+ if (!new) {
+ rc = -ENOMEM;
+ goto out;
+ }
+ tsp = smack_cred(new);
smk_destroy_label_list(&tsp->smk_relabel);
list_splice(&list_tmp, &tsp->smk_relabel);
+ commit_creds(new);
return count;
}
-
+out:
smk_destroy_label_list(&list_tmp);
return rc;
}


2020-08-10 15:38:57

by Greg Kroah-Hartman

Subject: [PATCH 5.4 13/67] ALSA: seq: oss: Serialize ioctls

From: Takashi Iwai <[email protected]>

commit 80982c7e834e5d4e325b6ce33757012ecafdf0bb upstream.

Some ioctls via OSS sequencer API may race and lead to UAF when the
port create and delete are performed concurrently, as spotted by a
couple of syzkaller cases. This patch is an attempt to address it by
serializing the ioctls with the existing register_mutex.

Basically, the OSS sequencer API is an obsolete interface and was designed
without much consideration of concurrency. There are very few
applications using it, and concurrent performance isn't required,
hence this "big hammer" approach should be good enough.

Reported-by: [email protected]
Reported-by: [email protected]
Suggested-by: Hillf Danton <[email protected]>
Cc: <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
sound/core/seq/oss/seq_oss.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

--- a/sound/core/seq/oss/seq_oss.c
+++ b/sound/core/seq/oss/seq_oss.c
@@ -168,10 +168,16 @@ static long
odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
{
struct seq_oss_devinfo *dp;
+ long rc;
+
dp = file->private_data;
if (snd_BUG_ON(!dp))
return -ENXIO;
- return snd_seq_oss_ioctl(dp, cmd, arg);
+
+ mutex_lock(&register_mutex);
+ rc = snd_seq_oss_ioctl(dp, cmd, arg);
+ mutex_unlock(&register_mutex);
+ return rc;
}

#ifdef CONFIG_COMPAT
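Review bot: Only odev_ioctl() takes register_mutex in this hunk, and the handler under the #ifdef CONFIG_COMPAT that follows is not shown. If the compat handler calls snd_seq_oss_ioctl() directly rather than going through odev_ioctl(), 32-bit callers keep the unserialised path, so it is worth confirming that and saying so in the changelog.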


2020-08-10 15:39:05

by Greg Kroah-Hartman

Subject: [PATCH 5.4 37/67] i2c: slave: add sanity check when unregistering

From: Wolfram Sang <[email protected]>

[ Upstream commit 8808981baf96e1b3dea1f08461e4d958aa0dbde1 ]

Signed-off-by: Wolfram Sang <[email protected]>
Reviewed-by: Alain Volmat <[email protected]>
Signed-off-by: Wolfram Sang <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/i2c/i2c-core-slave.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/i2c/i2c-core-slave.c b/drivers/i2c/i2c-core-slave.c
index 549751347e6c7..1589179d5eb92 100644
--- a/drivers/i2c/i2c-core-slave.c
+++ b/drivers/i2c/i2c-core-slave.c
@@ -58,6 +58,9 @@ int i2c_slave_unregister(struct i2c_client *client)
{
int ret;

+ if (IS_ERR_OR_NULL(client))
+ return -EINVAL;
+
if (!client->adapter->algo->unreg_slave) {
dev_err(&client->dev, "%s: not supported by adapter\n", __func__);
return -EOPNOTSUPP;
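Review bot: The new IS_ERR_OR_NULL(client) check at the top of i2c_slave_unregister() returns -EINVAL silently, whereas the matching check in i2c_slave_register() wraps the same condition in WARN(); pick one behaviour for both so that a caller bug is reported consistently. The commit also has no changelog body, so it does not record which caller can pass a NULL or ERR_PTR client here.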
--
2.25.1



2020-08-10 15:39:19

by Greg Kroah-Hartman

Subject: [PATCH 5.4 01/67] USB: serial: qcserial: add EM7305 QDL product ID

From: Erik Ekman <[email protected]>

commit d2a4309c1ab6df424b2239fe2920d6f26f808d17 upstream.

When running qmi-firmware-update on the Sierra Wireless EM7305 in a Toshiba
laptop, it changed product ID to 0x9062 when entering QDL mode:

usb 2-4: new high-speed USB device number 78 using xhci_hcd
usb 2-4: New USB device found, idVendor=1199, idProduct=9062, bcdDevice= 0.00
usb 2-4: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 2-4: Product: EM7305
usb 2-4: Manufacturer: Sierra Wireless, Incorporated

The upgrade could complete after running
# echo 1199 9062 > /sys/bus/usb-serial/drivers/qcserial/new_id

qcserial 2-4:1.0: Qualcomm USB modem converter detected
usb 2-4: Qualcomm USB modem converter now attached to ttyUSB0

Signed-off-by: Erik Ekman <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Cc: [email protected]
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/usb/serial/qcserial.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/qcserial.c
+++ b/drivers/usb/serial/qcserial.c
@@ -155,6 +155,7 @@ static const struct usb_device_id id_tab
{DEVICE_SWI(0x1199, 0x9056)}, /* Sierra Wireless Modem */
{DEVICE_SWI(0x1199, 0x9060)}, /* Sierra Wireless Modem */
{DEVICE_SWI(0x1199, 0x9061)}, /* Sierra Wireless Modem */
+ {DEVICE_SWI(0x1199, 0x9062)}, /* Sierra Wireless EM7305 QDL */
{DEVICE_SWI(0x1199, 0x9063)}, /* Sierra Wireless EM7305 */
{DEVICE_SWI(0x1199, 0x9070)}, /* Sierra Wireless MC74xx */
{DEVICE_SWI(0x1199, 0x9071)}, /* Sierra Wireless MC74xx */


2020-08-10 15:39:31

by Greg Kroah-Hartman

Subject: [PATCH 5.4 36/67] i2c: slave: improve sanity check when registering

From: Wolfram Sang <[email protected]>

[ Upstream commit 1b1be3bf27b62f5abcf85c6f3214bdb9c7526685 ]

Add check for ERR_PTR and simplify code while here.

Signed-off-by: Wolfram Sang <[email protected]>
Reviewed-by: Alain Volmat <[email protected]>
Signed-off-by: Wolfram Sang <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/i2c/i2c-core-slave.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/i2c/i2c-core-slave.c b/drivers/i2c/i2c-core-slave.c
index 5427f047faf06..549751347e6c7 100644
--- a/drivers/i2c/i2c-core-slave.c
+++ b/drivers/i2c/i2c-core-slave.c
@@ -18,10 +18,8 @@ int i2c_slave_register(struct i2c_client *client, i2c_slave_cb_t slave_cb)
{
int ret;

- if (!client || !slave_cb) {
- WARN(1, "insufficient data\n");
+ if (WARN(IS_ERR_OR_NULL(client) || !slave_cb, "insufficient data\n"))
return -EINVAL;
- }

if (!(client->flags & I2C_CLIENT_SLAVE))
dev_warn(&client->dev, "%s: client slave flag not set. You might see address collisions\n",
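Review bot: folding the argument test into `if (WARN(IS_ERR_OR_NULL(client) || !slave_cb, "insufficient data\n"))` means an ERR_PTR client now produces a full WARN backtrace, which on a system running with panic_on_warn is a panic. The changelog does not say which caller can hand in an ERR_PTR. If that is a reachable runtime failure rather than a driver bug, a plain error return would be less disruptive than WARN; if it is a driver bug, name the caller in the commit message so the new case is documented.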
--
2.25.1



2020-08-10 15:39:40

by Greg Kroah-Hartman

Subject: [PATCH 5.4 35/67] drm/drm_fb_helper: fix fbdev with sparc64

From: Sam Ravnborg <[email protected]>

[ Upstream commit 2a1658bf922ffd9b7907e270a7d9cdc9643fc45d ]

Recent kernels have been reported to panic using the bochs_drm
framebuffer under qemu-system-sparc64 which was bisected to
commit 7a0483ac4ffc ("drm/bochs: switch to generic drm fbdev emulation").

The backtrace indicates that the shadow framebuffer copy in
drm_fb_helper_dirty_blit_real() is trying to access the real
framebuffer using a virtual address rather than use an IO access
typically implemented using a physical (ASI_PHYS) access on SPARC.

The fix is to replace the memcpy with memcpy_toio() from io.h.

memcpy_toio() uses writeb() where the original fbdev code
used sbus_memcpy_toio(). The latter uses sbus_writeb().

The difference between writeb() and sbus_memcpy_toio() is
that writeb() writes bytes in little-endian, where sbus_writeb() writes
bytes in big-endian. As endian does not matter for byte writes they are
the same. So we can safely use memcpy_toio() here.

Note that this only fixes bochs, in general fbdev helpers still have
issues with mixing up system memory and __iomem space. Fixing that will
require a lot more work.

v3:
- Improved changelog (Daniel)
- Added FIXME to fbdev_use_iomem (Daniel)

v2:
- Added missing __iomem cast (kernel test robot)
- Made changelog readable and fix typos (Mark)
- Add flag to select iomem - and set it in the bochs driver

Signed-off-by: Sam Ravnborg <[email protected]>
Reported-by: Mark Cave-Ayland <[email protected]>
Reported-by: kernel test robot <[email protected]>
Tested-by: Mark Cave-Ayland <[email protected]>
Reviewed-by: Daniel Vetter <[email protected]>
Cc: Mark Cave-Ayland <[email protected]>
Cc: Thomas Zimmermann <[email protected]>
Cc: Gerd Hoffmann <[email protected]>
Cc: "David S. Miller" <[email protected]>
Cc: [email protected]
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/gpu/drm/bochs/bochs_kms.c | 1 +
drivers/gpu/drm/drm_fb_helper.c | 6 +++++-
include/drm/drm_mode_config.h | 12 ++++++++++++
3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/bochs/bochs_kms.c b/drivers/gpu/drm/bochs/bochs_kms.c
index 02a9c1ed165bb..fa50ab2523d4b 100644
--- a/drivers/gpu/drm/bochs/bochs_kms.c
+++ b/drivers/gpu/drm/bochs/bochs_kms.c
@@ -194,6 +194,7 @@ int bochs_kms_init(struct bochs_device *bochs)
bochs->dev->mode_config.preferred_depth = 24;
bochs->dev->mode_config.prefer_shadow = 0;
bochs->dev->mode_config.prefer_shadow_fbdev = 1;
+ bochs->dev->mode_config.fbdev_use_iomem = true;
bochs->dev->mode_config.quirk_addfb_prefer_host_byte_order = true;

bochs->dev->mode_config.funcs = &bochs_mode_funcs;
diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
index 8d193a58363d4..6b8502bcf0fd3 100644
--- a/drivers/gpu/drm/drm_fb_helper.c
+++ b/drivers/gpu/drm/drm_fb_helper.c
@@ -390,7 +390,11 @@ static void drm_fb_helper_dirty_blit_real(struct drm_fb_helper *fb_helper,
unsigned int y;

for (y = clip->y1; y < clip->y2; y++) {
- memcpy(dst, src, len);
+ if (!fb_helper->dev->mode_config.fbdev_use_iomem)
+ memcpy(dst, src, len);
+ else
+ memcpy_toio((void __iomem *)dst, src, len);
+
src += fb->pitches[0];
dst += fb->pitches[0];
}
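Review bot: the `fbdev_use_iomem` test in drm_fb_helper_dirty_blit_real() is loop-invariant but is evaluated for every scanline; read it once before the `for` loop. The `(void __iomem *)dst` cast also only quiets sparse at this one call: `dst` stays a plain pointer in the rest of the function, so nothing stops a later edit from dereferencing it directly again. Carrying the `__iomem` annotation on the destination pointer in the iomem branch would let the checker keep enforcing the distinction.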
diff --git a/include/drm/drm_mode_config.h b/include/drm/drm_mode_config.h
index 3bcbe30339f04..198b9d0600081 100644
--- a/include/drm/drm_mode_config.h
+++ b/include/drm/drm_mode_config.h
@@ -865,6 +865,18 @@ struct drm_mode_config {
*/
bool prefer_shadow_fbdev;

+ /**
+ * @fbdev_use_iomem:
+ *
+ * Set to true if framebuffer reside in iomem.
+ * When set to true memcpy_toio() is used when copying the framebuffer in
+ * drm_fb_helper.drm_fb_helper_dirty_blit_real().
+ *
+ * FIXME: This should be replaced with a per-mapping is_iomem
+ * flag (like ttm does), and then used everywhere in fbdev code.
+ */
+ bool fbdev_use_iomem;
+
/**
* @quirk_addfb_prefer_xbgr_30bpp:
*
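Review bot: the kernel-doc for `@fbdev_use_iomem` has a grammar slip ("if framebuffer reside in iomem" should read "if the framebuffer resides in iomem") and does not state the default or that only the shadow-buffer blit honours the flag. Since the changelog says the other fbdev helpers still mix system memory and __iomem space, the comment should say that setting this flag does not make those paths safe for I/O memory.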
--
2.25.1



2020-08-10 15:39:51

by Greg Kroah-Hartman

Subject: [PATCH 5.4 31/67] net/9p: validate fds in p9_fd_open

From: Christoph Hellwig <[email protected]>

[ Upstream commit a39c46067c845a8a2d7144836e9468b7f072343e ]

p9_fd_open just fgets file descriptors passed in from userspace, but
doesn't verify that they are valid for read or writing. This gets
caught down in the VFS when actually attempting a read or write, but
a new warning added in linux-next upsets syzkaller.

Fix this by just verifying the fds early on.

Link: http://lkml.kernel.org/r/[email protected]
Reported-by: [email protected]
Signed-off-by: Christoph Hellwig <[email protected]>
[Dominique: amend goto as per Doug Nazar's review]
Signed-off-by: Dominique Martinet <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
net/9p/trans_fd.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
index 3f67803123be2..12ecacf0c55fb 100644
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -816,20 +816,28 @@ static int p9_fd_open(struct p9_client *client, int rfd, int wfd)
return -ENOMEM;

ts->rd = fget(rfd);
+ if (!ts->rd)
+ goto out_free_ts;
+ if (!(ts->rd->f_mode & FMODE_READ))
+ goto out_put_rd;
ts->wr = fget(wfd);
- if (!ts->rd || !ts->wr) {
- if (ts->rd)
- fput(ts->rd);
- if (ts->wr)
- fput(ts->wr);
- kfree(ts);
- return -EIO;
- }
+ if (!ts->wr)
+ goto out_put_rd;
+ if (!(ts->wr->f_mode & FMODE_WRITE))
+ goto out_put_wr;

client->trans = ts;
client->status = Connected;

return 0;
+
+out_put_wr:
+ fput(ts->wr);
+out_put_rd:
+ fput(ts->rd);
+out_free_ts:
+ kfree(ts);
+ return -EIO;
}

static int p9_socket_open(struct p9_client *client, struct socket *csocket)
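Review bot: every new failure exit in p9_fd_open() returns -EIO, so a descriptor that exists but lacks FMODE_READ or FMODE_WRITE is indistinguishable from one that fget() could not resolve. Consider setting an error variable before each goto so the two `f_mode` checks can report -EBADF while the fget() failures keep -EIO. The unwind order of out_put_wr, out_put_rd, out_free_ts is correct for all four exits.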
--
2.25.1



2020-08-10 15:40:02

by Greg Kroah-Hartman

Subject: [PATCH 5.4 17/67] Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()

From: Peilin Ye <[email protected]>

commit 51c19bf3d5cfaa66571e4b88ba2a6f6295311101 upstream.

Check upon `num_rsp` is insufficient. A malformed event packet with a
large `num_rsp` number makes hci_extended_inquiry_result_evt() go out
of bounds. Fix it.

This patch fixes the following syzbot bug:

https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2

Reported-by: [email protected]
Cc: [email protected]
Signed-off-by: Peilin Ye <[email protected]>
Acked-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Marcel Holtmann <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/bluetooth/hci_event.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4270,7 +4270,7 @@ static void hci_extended_inquiry_result_

BT_DBG("%s num_rsp %d", hdev->name, num_rsp);

- if (!num_rsp)
+ if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1)
return;

if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
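Review bot: the length test is folded into the existing `!num_rsp` early return, so an event whose `num_rsp` overruns `skb->len` is dropped as silently as a legitimate empty result. That condition indicates a malformed packet from the controller, and splitting it into its own `if` with a rate-limited error message would make it visible in logs instead of only in BT_DBG output.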


2020-08-10 15:40:02

by Greg Kroah-Hartman

Subject: [PATCH 5.4 19/67] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()

From: Peilin Ye <[email protected]>

commit 629b49c848ee71244203934347bd7730b0ddee8d upstream.

Check `num_rsp` before using it as for-loop counter. Add `unlock` label.

Cc: [email protected]
Signed-off-by: Peilin Ye <[email protected]>
Signed-off-by: Marcel Holtmann <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/bluetooth/hci_event.c | 7 +++++++
1 file changed, 7 insertions(+)

--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4067,6 +4067,9 @@ static void hci_inquiry_result_with_rssi
struct inquiry_info_with_rssi_and_pscan_mode *info;
info = (void *) (skb->data + 1);

+ if (skb->len < num_rsp * sizeof(*info) + 1)
+ goto unlock;
+
for (; num_rsp; num_rsp--, info++) {
u32 flags;

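Review bot: the test `skb->len < num_rsp * sizeof(*info) + 1` is open-coded here and again in the `else` branch, differing only in the type `info` points to. A small helper taking the skb, the response count and the element size would keep the two branches, and the identical test in hci_extended_inquiry_result_evt(), from drifting apart, and is the natural place to document that the `+ 1` accounts for the leading count byte.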
@@ -4088,6 +4091,9 @@ static void hci_inquiry_result_with_rssi
} else {
struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);

+ if (skb->len < num_rsp * sizeof(*info) + 1)
+ goto unlock;
+
for (; num_rsp; num_rsp--, info++) {
u32 flags;

@@ -4108,6 +4114,7 @@ static void hci_inquiry_result_with_rssi
}
}

+unlock:
hci_dev_unlock(hdev);
}



2020-08-10 15:40:45

by Greg Kroah-Hartman

Subject: [PATCH 5.4 15/67] staging: rtl8712: handle firmware load failure

From: Rustam Kovhaev <[email protected]>

commit b4383c971bc5263efe2b0915ba67ebf2bf3f1ee5 upstream.

When firmware fails to load we should not call unregister_netdev().
This patch fixes a race condition between rtl871x_load_fw_cb() and
r871xu_dev_remove() and fixes the bug reported by syzbot.

Reported-by: [email protected]
Link: https://syzkaller.appspot.com/bug?extid=80899a8a8efe8968cde7
Signed-off-by: Rustam Kovhaev <[email protected]>
Cc: stable <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/staging/rtl8712/hal_init.c | 3 ++-
drivers/staging/rtl8712/usb_intf.c | 11 ++++++++---
2 files changed, 10 insertions(+), 4 deletions(-)

--- a/drivers/staging/rtl8712/hal_init.c
+++ b/drivers/staging/rtl8712/hal_init.c
@@ -33,7 +33,6 @@ static void rtl871x_load_fw_cb(const str
{
struct _adapter *adapter = context;

- complete(&adapter->rtl8712_fw_ready);
if (!firmware) {
struct usb_device *udev = adapter->dvobjpriv.pusbdev;
struct usb_interface *usb_intf = adapter->pusb_intf;
@@ -41,11 +40,13 @@ static void rtl871x_load_fw_cb(const str
dev_err(&udev->dev, "r8712u: Firmware request failed\n");
usb_put_dev(udev);
usb_set_intfdata(usb_intf, NULL);
+ complete(&adapter->rtl8712_fw_ready);
return;
}
adapter->fw = firmware;
/* firmware available - start netdev */
register_netdev(adapter->pnetdev);
+ complete(&adapter->rtl8712_fw_ready);
}

static const char firmware_file[] = "rtlwifi/rtl8712u.bin";
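Review bot: in the success path `register_netdev(adapter->pnetdev);` is still called with its return value ignored, and `complete()` now fires directly after it. If registration fails, r871xu_dev_remove() wakes up with a non-NULL intfdata and depends entirely on the `reg_state != NETREG_UNINITIALIZED` test to avoid unregistering a device that was never registered. Checking the return value here and taking the same cleanup as the `!firmware` branch would make that failure explicit.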
--- a/drivers/staging/rtl8712/usb_intf.c
+++ b/drivers/staging/rtl8712/usb_intf.c
@@ -595,13 +595,17 @@ static void r871xu_dev_remove(struct usb
if (pnetdev) {
struct _adapter *padapter = netdev_priv(pnetdev);

- usb_set_intfdata(pusb_intf, NULL);
- release_firmware(padapter->fw);
/* never exit with a firmware callback pending */
wait_for_completion(&padapter->rtl8712_fw_ready);
+ pnetdev = usb_get_intfdata(pusb_intf);
+ usb_set_intfdata(pusb_intf, NULL);
+ if (!pnetdev)
+ goto firmware_load_fail;
+ release_firmware(padapter->fw);
if (drvpriv.drv_registered)
padapter->surprise_removed = true;
- unregister_netdev(pnetdev); /* will call netdev_close() */
+ if (pnetdev->reg_state != NETREG_UNINITIALIZED)
+ unregister_netdev(pnetdev); /* will call netdev_close() */
flush_scheduled_work();
udelay(1);
/* Stop driver mlme relation timer */
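Review bot: `goto firmware_load_fail` skips the whole `if (pnetdev)` body, and nothing in the visible lines frees the net_device that `padapter` lives in on that path; please confirm it is released elsewhere or add the free before the jump. A comment at `pnetdev = usb_get_intfdata(pusb_intf);` saying that the firmware callback clears intfdata on failure would also help, because the variable is being reused as a failure flag after the wait.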
@@ -614,6 +618,7 @@ static void r871xu_dev_remove(struct usb
*/
usb_put_dev(udev);
}
+firmware_load_fail:
/* If we didn't unplug usb dongle and remove/insert module, driver
* fails on sitesurvey for the first time when device is up.
* Reset usb port for sitesurvey fail issue.


2020-08-10 15:40:47

by Greg Kroah-Hartman

Subject: [PATCH 5.4 11/67] ALSA: hda/ca0132 - Fix ZxR Headphone gain control get value.

From: Connor McAdams <[email protected]>

commit a00dc409de455b64e6cb2f6d40cdb8237cdb2e83 upstream.

When the ZxR headphone gain control was added, the ca0132_switch_get
function was not updated, which meant that the changes to the control
state were not saved when entering/exiting alsamixer.

Signed-off-by: Connor McAdams <[email protected]>
Cc: <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
sound/pci/hda/patch_ca0132.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/sound/pci/hda/patch_ca0132.c
+++ b/sound/pci/hda/patch_ca0132.c
@@ -5748,6 +5748,11 @@ static int ca0132_switch_get(struct snd_
return 0;
}

+ if (nid == ZXR_HEADPHONE_GAIN) {
+ *valp = spec->zxr_gain_set;
+ return 0;
+ }
+
return 0;
}
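Review bot: after the new `ZXR_HEADPHONE_GAIN` block ca0132_switch_get() still ends in a bare `return 0;`, so a nid that matches none of the branches reports success without a value being stored through `valp`. That is the same failure this patch fixes for one control; a final branch that sets `*valp` to a defined value or returns an error would stop the next added control from repeating it.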



2020-08-10 15:40:58

by Greg Kroah-Hartman

Subject: [PATCH 5.4 10/67] ALSA: hda/ca0132 - Add new quirk ID for Recon3D.

From: Connor McAdams <[email protected]>

commit cc5edb1bd3f7bfe450f767b12423f6673822427b upstream.

Add a new quirk ID for the Recon3D, as tested by me.

Signed-off-by: Connor McAdams <[email protected]>
Cc: <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
sound/pci/hda/patch_ca0132.c | 1 +
1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_ca0132.c
+++ b/sound/pci/hda/patch_ca0132.c
@@ -1182,6 +1182,7 @@ static const struct snd_pci_quirk ca0132
SND_PCI_QUIRK(0x1458, 0xA036, "Gigabyte GA-Z170X-Gaming 7", QUIRK_R3DI),
SND_PCI_QUIRK(0x3842, 0x1038, "EVGA X99 Classified", QUIRK_R3DI),
SND_PCI_QUIRK(0x1102, 0x0013, "Recon3D", QUIRK_R3D),
+ SND_PCI_QUIRK(0x1102, 0x0018, "Recon3D", QUIRK_R3D),
SND_PCI_QUIRK(0x1102, 0x0051, "Sound Blaster AE-5", QUIRK_AE5),
{}
};
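Review bot: the new 0x1102:0x0018 entry reuses the exact name string "Recon3D" of the existing 0x1102:0x0013 entry, so the two subsystem IDs cannot be told apart from the quirk name alone. If they are different board revisions, say so in the string or in a trailing comment.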


2020-08-10 23:12:29

by Shuah Khan

Subject: Re: [PATCH 5.4 00/67] 5.4.58-rc1 review

On 8/10/20 9:20 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.58 release.
> There are 67 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 12 Aug 2020 15:17:47 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.58-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Compiled and booted on my test system. No dmesg regressions.

Tested-by: Shuah Khan <[email protected]>

thanks,
-- Shuah

2020-08-11 07:32:50

by Naresh Kamboju

Subject: Re: [PATCH 5.4 00/67] 5.4.58-rc1 review

On Mon, 10 Aug 2020 at 20:57, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 5.4.58 release.
> There are 67 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 12 Aug 2020 15:17:47 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.58-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Summary
------------------------------------------------------------------------

kernel: 5.4.58-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-5.4.y
git commit: 133d9613b2c88c60658eda244e2658dd07294b5e
git describe: v5.4.57-68-g133d9613b2c8
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-5.4-oe/build/v5.4.57-68-g133d9613b2c8

No regressions (compared to build v5.4.57)

No fixes (compared to build v5.4.57)

Ran 33402 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c
- hi6220-hikey
- i386
- juno-r2
- juno-r2-compat
- juno-r2-kasan
- nxp-ls2088
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15
- x86
- x86-kasan

Test Suites
-----------
* build
* igt-gpu-tools
* install-android-platform-tools-r2600
* kselftest
* kselftest/drivers
* kselftest/filesystems
* kselftest/net
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-hugetlb-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-syscalls-tests
* ltp-tracing-tests
* perf
* ltp-containers-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-securebits-tests
* v4l2-compliance
* ltp-controllers-tests
* ltp-fs-tests
* ltp-open-posix-tests
* ltp-sched-tests
* network-basic-tests
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-native/drivers
* kselftest-vsyscall-mode-native/filesystems
* kselftest-vsyscall-mode-native/net
* kselftest-vsyscall-mode-none
* kselftest-vsyscall-mode-none/drivers
* kselftest-vsyscall-mode-none/filesystems
* kselftest-vsyscall-mode-none/net
* ssuite

--
Linaro LKFT
https://lkft.linaro.org

2020-08-11 14:24:41

by Guenter Roeck

Subject: Re: [PATCH 5.4 00/67] 5.4.58-rc1 review

On Mon, Aug 10, 2020 at 05:20:47PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.58 release.
> There are 67 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 12 Aug 2020 15:17:47 +0000.
> Anything received after that time might be too late.
>

Build results:
total: 157 pass: 157 fail: 0
Qemu test results:
total: 430 pass: 430 fail: 0

Guenter