diff options
author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-11-11 07:42:03 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-11-11 07:42:03 +0100 |
commit | 7cc093e1111bcfd1dcbf0578ab43f9a10bed5e95 (patch) | |
tree | 36765c170e04f9ba45e94e8a26a833990abf4861 | |
parent | 9f6dbc3744a6696a44db2c4523be43f3aff02c20 (diff) | |
download | queue-3.18-7cc093e1111bcfd1dcbf0578ab43f9a10bed5e95.tar.gz |
more patches
16 files changed, 789 insertions, 0 deletions
diff --git a/alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch b/alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch new file mode 100644 index 0000000..d839f10 --- /dev/null +++ b/alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch @@ -0,0 +1,50 @@ +From 706ad6746a66546daf96d4e4a95e46faf6cf689a Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto <o-takashi@sakamocchi.jp> +Date: Sun, 3 Nov 2019 00:09:20 +0900 +Subject: ALSA: bebob: fix to detect configured source of sampling clock for Focusrite Saffire Pro i/o series + +From: Takashi Sakamoto <o-takashi@sakamocchi.jp> + +commit 706ad6746a66546daf96d4e4a95e46faf6cf689a upstream. + +For Focusrite Saffire Pro i/o, the lowest 8 bits of register represents +configured source of sampling clock. The next lowest 8 bits represents +whether the configured source is actually detected or not just after +the register is changed for the source. + +Current implementation evaluates whole the register to detect configured +source. This results in failure due to the next lowest 8 bits when the +source is connected in advance. + +This commit fixes the bug. + +Fixes: 25784ec2d034 ("ALSA: bebob: Add support for Focusrite Saffire/SaffirePro series") +Cc: <stable@vger.kernel.org> # v3.16+ +Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> +Link: https://lore.kernel.org/r/20191102150920.20367-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + sound/firewire/bebob/bebob_focusrite.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/firewire/bebob/bebob_focusrite.c ++++ b/sound/firewire/bebob/bebob_focusrite.c +@@ -28,6 +28,8 @@ + #define SAFFIRE_CLOCK_SOURCE_SPDIF 1 + + /* clock sources as returned from register of Saffire Pro 10 and 26 */ ++#define SAFFIREPRO_CLOCK_SOURCE_SELECT_MASK 0x000000ff ++#define SAFFIREPRO_CLOCK_SOURCE_DETECT_MASK 0x0000ff00 + #define SAFFIREPRO_CLOCK_SOURCE_INTERNAL 0 + #define SAFFIREPRO_CLOCK_SOURCE_SKIP 1 /* never used on hardware */ + #define SAFFIREPRO_CLOCK_SOURCE_SPDIF 2 +@@ -184,6 +186,7 @@ saffirepro_both_clk_src_get(struct snd_b + map = saffirepro_clk_maps[1]; + + /* In a case that this driver cannot handle the value of register. */ ++ value &= SAFFIREPRO_CLOCK_SOURCE_SELECT_MASK; + if (value >= SAFFIREPRO_CLOCK_SOURCE_COUNT || map[value] < 0) { + err = -EIO; + goto end; diff --git a/alsa-hda-ca0132-fix-possible-workqueue-stall.patch b/alsa-hda-ca0132-fix-possible-workqueue-stall.patch new file mode 100644 index 0000000..92b3c7e --- /dev/null +++ b/alsa-hda-ca0132-fix-possible-workqueue-stall.patch @@ -0,0 +1,41 @@ +From 15c2b3cc09a31620914955cb2a89c277c18ee999 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai <tiwai@suse.de> +Date: Tue, 5 Nov 2019 14:43:16 +0100 +Subject: ALSA: hda/ca0132 - Fix possible workqueue stall + +From: Takashi Iwai <tiwai@suse.de> + +commit 15c2b3cc09a31620914955cb2a89c277c18ee999 upstream. + +The unsolicited event handler for the headphone jack on CA0132 codec +driver tries to reschedule the another delayed work with +cancel_delayed_work_sync(). It's no good idea, unfortunately, +especially after we changed the work queue to the standard global +one; this may lead to a stall because both works are using the same +global queue. + +Fix it by dropping the _sync but does call cancel_delayed_work() +instead. + +Fixes: 993884f6a26c ("ALSA: hda/ca0132 - Delay HP amp turnon.") +BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1155836 +Cc: <stable@vger.kernel.org> +Link: https://lore.kernel.org/r/20191105134316.19294-1-tiwai@suse.de +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + sound/pci/hda/patch_ca0132.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -4415,7 +4415,7 @@ static void hp_callback(struct hda_codec + /* Delay enabling the HP amp, to let the mic-detection + * state machine run. + */ +- cancel_delayed_work_sync(&spec->unsol_hp_work); ++ cancel_delayed_work(&spec->unsol_hp_work); + queue_delayed_work(codec->bus->workq, &spec->unsol_hp_work, + msecs_to_jiffies(500)); + cb->tbl->block_report = 1; diff --git a/can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch b/can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch new file mode 100644 index 0000000..4932e27 --- /dev/null +++ b/can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch @@ -0,0 +1,93 @@ +From 3cb3eaac52c0f145d895f4b6c22834d5f02b8569 Mon Sep 17 00:00:00 2001 +From: Kurt Van Dijck <dev.kurt@vandijck-laurijssen.be> +Date: Tue, 1 Oct 2019 09:40:36 +0200 +Subject: can: c_can: c_can_poll(): only read status register after status IRQ + +From: Kurt Van Dijck <dev.kurt@vandijck-laurijssen.be> + +commit 3cb3eaac52c0f145d895f4b6c22834d5f02b8569 upstream. + +When the status register is read without the status IRQ pending, the +chip may not raise the interrupt line for an upcoming status interrupt +and the driver may miss a status interrupt. + +It is critical that the BUSOFF status interrupt is forwarded to the +higher layers, since no more interrupts will follow without +intervention. + +Thanks to Wolfgang and Joe for bringing up the first idea. + +Signed-off-by: Kurt Van Dijck <dev.kurt@vandijck-laurijssen.be> +Cc: Wolfgang Grandegger <wg@grandegger.com> +Cc: Joe Burmeister <joe.burmeister@devtank.co.uk> +Fixes: fa39b54ccf28 ("can: c_can: Get rid of pointless interrupts") +Cc: linux-stable <stable@vger.kernel.org> +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/net/can/c_can/c_can.c | 25 ++++++++++++++++++++----- + drivers/net/can/c_can/c_can.h | 1 + + 2 files changed, 21 insertions(+), 5 deletions(-) + +--- a/drivers/net/can/c_can/c_can.c ++++ b/drivers/net/can/c_can/c_can.c +@@ -96,6 +96,9 @@ + #define BTR_TSEG2_SHIFT 12 + #define BTR_TSEG2_MASK (0x7 << BTR_TSEG2_SHIFT) + ++/* interrupt register */ ++#define INT_STS_PENDING 0x8000 ++ + /* brp extension register */ + #define BRP_EXT_BRPE_MASK 0x0f + #define BRP_EXT_BRPE_SHIFT 0 +@@ -1021,10 +1024,16 @@ static int c_can_poll(struct napi_struct + u16 curr, last = priv->last_status; + int work_done = 0; + +- priv->last_status = curr = priv->read_reg(priv, C_CAN_STS_REG); +- /* Ack status on C_CAN. D_CAN is self clearing */ +- if (priv->type != BOSCH_D_CAN) +- priv->write_reg(priv, C_CAN_STS_REG, LEC_UNUSED); ++ /* Only read the status register if a status interrupt was pending */ ++ if (atomic_xchg(&priv->sie_pending, 0)) { ++ priv->last_status = curr = priv->read_reg(priv, C_CAN_STS_REG); ++ /* Ack status on C_CAN. D_CAN is self clearing */ ++ if (priv->type != BOSCH_D_CAN) ++ priv->write_reg(priv, C_CAN_STS_REG, LEC_UNUSED); ++ } else { ++ /* no change detected ... */ ++ curr = last; ++ } + + /* handle state changes */ + if ((curr & STATUS_EWARN) && (!(last & STATUS_EWARN))) { +@@ -1075,10 +1084,16 @@ static irqreturn_t c_can_isr(int irq, vo + { + struct net_device *dev = (struct net_device *)dev_id; + struct c_can_priv *priv = netdev_priv(dev); ++ int reg_int; + +- if (!priv->read_reg(priv, C_CAN_INT_REG)) ++ reg_int = priv->read_reg(priv, C_CAN_INT_REG); ++ if (!reg_int) + return IRQ_NONE; + ++ /* save for later use */ ++ if (reg_int & INT_STS_PENDING) ++ atomic_set(&priv->sie_pending, 1); ++ + /* disable all interrupts and schedule the NAPI */ + c_can_irq_control(priv, false); + napi_schedule(&priv->napi); +--- a/drivers/net/can/c_can/c_can.h ++++ b/drivers/net/can/c_can/c_can.h +@@ -176,6 +176,7 @@ struct c_can_priv { + struct net_device *dev; + struct device *device; + atomic_t tx_active; ++ atomic_t sie_pending; + unsigned long tx_dir; + int last_status; + u16 (*read_reg) (const struct c_can_priv *priv, enum reg index); diff --git a/can-gs_usb-gs_can_open-prevent-memory-leak.patch b/can-gs_usb-gs_can_open-prevent-memory-leak.patch new file mode 100644 index 0000000..5ceb1e6 --- /dev/null +++ b/can-gs_usb-gs_can_open-prevent-memory-leak.patch @@ -0,0 +1,32 @@ +From fb5be6a7b4863ecc44963bb80ca614584b6c7817 Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost <navid.emamdoost@gmail.com> +Date: Thu, 19 Sep 2019 21:44:38 -0500 +Subject: can: gs_usb: gs_can_open(): prevent memory leak + +From: Navid Emamdoost <navid.emamdoost@gmail.com> + +commit fb5be6a7b4863ecc44963bb80ca614584b6c7817 upstream. + +In gs_can_open() if usb_submit_urb() fails the allocated urb should be +released. + +Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") +Cc: linux-stable <stable@vger.kernel.org> +Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com> +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/net/can/usb/gs_usb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -617,6 +617,7 @@ static int gs_can_open(struct net_device + rc); + + usb_unanchor_urb(urb); ++ usb_free_urb(urb); + break; + } + diff --git a/can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch b/can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch new file mode 100644 index 0000000..4d6d603 --- /dev/null +++ b/can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch @@ -0,0 +1,80 @@ +From de280f403f2996679e2607384980703710576fed Mon Sep 17 00:00:00 2001 +From: Stephane Grosjean <s.grosjean@peak-system.com> +Date: Tue, 8 Oct 2019 10:35:44 +0200 +Subject: can: peak_usb: fix a potential out-of-sync while decoding packets + +From: Stephane Grosjean <s.grosjean@peak-system.com> + +commit de280f403f2996679e2607384980703710576fed upstream. + +When decoding a buffer received from PCAN-USB, the first timestamp read in +a packet is a 16-bit coded time base, and the next ones are an 8-bit +offset to this base, regardless of the type of packet read. + +This patch corrects a potential loss of synchronization by using a +timestamp index read from the buffer, rather than an index of received +data packets, to determine on the sizeof the timestamp to be read from the +packet being decoded. + +Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com> +Fixes: 46be265d3388 ("can: usb: PEAK-System Technik PCAN-USB specific part") +Cc: linux-stable <stable@vger.kernel.org> +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/net/can/usb/peak_usb/pcan_usb.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/drivers/net/can/usb/peak_usb/pcan_usb.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb.c +@@ -108,7 +108,7 @@ struct pcan_usb_msg_context { + u8 *end; + u8 rec_cnt; + u8 rec_idx; +- u8 rec_data_idx; ++ u8 rec_ts_idx; + struct net_device *netdev; + struct pcan_usb *pdev; + }; +@@ -551,10 +551,15 @@ static int pcan_usb_decode_status(struct + mc->ptr += PCAN_USB_CMD_ARGS; + + if (status_len & PCAN_USB_STATUSLEN_TIMESTAMP) { +- int err = pcan_usb_decode_ts(mc, !mc->rec_idx); ++ int err = pcan_usb_decode_ts(mc, !mc->rec_ts_idx); + + if (err) + return err; ++ ++ /* Next packet in the buffer will have a timestamp on a single ++ * byte ++ */ ++ mc->rec_ts_idx++; + } + + switch (f) { +@@ -637,10 +642,13 @@ static int pcan_usb_decode_data(struct p + + cf->can_dlc = get_can_dlc(rec_len); + +- /* first data packet timestamp is a word */ +- if (pcan_usb_decode_ts(mc, !mc->rec_data_idx)) ++ /* Only first packet timestamp is a word */ ++ if (pcan_usb_decode_ts(mc, !mc->rec_ts_idx)) + goto decode_failed; + ++ /* Next packet in the buffer will have a timestamp on a single byte */ ++ mc->rec_ts_idx++; ++ + /* read data */ + memset(cf->data, 0x0, sizeof(cf->data)); + if (status_len & PCAN_USB_STATUSLEN_RTR) { +@@ -695,7 +703,6 @@ static int pcan_usb_decode_msg(struct pe + /* handle normal can frames here */ + } else { + err = pcan_usb_decode_data(&mc, sl); +- mc.rec_data_idx++; + } + } + diff --git a/can-peak_usb-fix-slab-info-leak.patch b/can-peak_usb-fix-slab-info-leak.patch new file mode 100644 index 0000000..f5786e5 --- /dev/null +++ b/can-peak_usb-fix-slab-info-leak.patch @@ -0,0 +1,39 @@ +From f7a1337f0d29b98733c8824e165fca3371d7d4fd Mon Sep 17 00:00:00 2001 +From: Johan Hovold <johan@kernel.org> +Date: Wed, 23 Oct 2019 10:27:05 +0200 +Subject: can: peak_usb: fix slab info leak + +From: Johan Hovold <johan@kernel.org> + +commit f7a1337f0d29b98733c8824e165fca3371d7d4fd upstream. + +Fix a small slab info leak due to a failure to clear the command buffer +at allocation. + +The first 16 bytes of the command buffer are always sent to the device +in pcan_usb_send_cmd() even though only the first two may have been +initialised in case no argument payload is provided (e.g. when waiting +for a response). + +Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core") +Cc: stable <stable@vger.kernel.org> # 3.4 +Reported-by: syzbot+863724e7128e14b26732@syzkaller.appspotmail.com +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/net/can/usb/peak_usb/pcan_usb_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c +@@ -732,7 +732,7 @@ static int peak_usb_create_dev(struct pe + dev = netdev_priv(netdev); + + /* allocate a buffer large enough to send commands */ +- dev->cmd_buf = kmalloc(PCAN_USB_MAX_CMD_LEN, GFP_KERNEL); ++ dev->cmd_buf = kzalloc(PCAN_USB_MAX_CMD_LEN, GFP_KERNEL); + if (!dev->cmd_buf) { + err = -ENOMEM; + goto lbl_free_candev; diff --git a/can-usb_8dev-fix-use-after-free-on-disconnect.patch b/can-usb_8dev-fix-use-after-free-on-disconnect.patch new file mode 100644 index 0000000..8ced081 --- /dev/null +++ b/can-usb_8dev-fix-use-after-free-on-disconnect.patch @@ -0,0 +1,36 @@ +From 3759739426186a924675651b388d1c3963c5710e Mon Sep 17 00:00:00 2001 +From: Johan Hovold <johan@kernel.org> +Date: Tue, 1 Oct 2019 12:29:14 +0200 +Subject: can: usb_8dev: fix use-after-free on disconnect + +From: Johan Hovold <johan@kernel.org> + +commit 3759739426186a924675651b388d1c3963c5710e upstream. + +The driver was accessing its driver data after having freed it. + +Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices") +Cc: stable <stable@vger.kernel.org> # 3.9 +Cc: Bernd Krumboeck <b.krumboeck@gmail.com> +Cc: Wolfgang Grandegger <wg@grandegger.com> +Signed-off-by: Johan Hovold <johan@kernel.org> +Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/net/can/usb/usb_8dev.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/can/usb/usb_8dev.c ++++ b/drivers/net/can/usb/usb_8dev.c +@@ -1016,9 +1016,8 @@ static void usb_8dev_disconnect(struct u + netdev_info(priv->netdev, "device disconnected\n"); + + unregister_netdev(priv->netdev); +- free_candev(priv->netdev); +- + unlink_all_urbs(priv); ++ free_candev(priv->netdev); + } + + } diff --git a/ceph-fix-use-after-free-in-__ceph_remove_cap.patch b/ceph-fix-use-after-free-in-__ceph_remove_cap.patch new file mode 100644 index 0000000..57e2611 --- /dev/null +++ b/ceph-fix-use-after-free-in-__ceph_remove_cap.patch @@ -0,0 +1,73 @@ +From ea60ed6fcf29eebc78f2ce91491e6309ee005a01 Mon Sep 17 00:00:00 2001 +From: Luis Henriques <lhenriques@suse.com> +Date: Fri, 25 Oct 2019 14:05:24 +0100 +Subject: ceph: fix use-after-free in __ceph_remove_cap() + +From: Luis Henriques <lhenriques@suse.com> + +commit ea60ed6fcf29eebc78f2ce91491e6309ee005a01 upstream. + +KASAN reports a use-after-free when running xfstest generic/531, with the +following trace: + +[ 293.903362] kasan_report+0xe/0x20 +[ 293.903365] rb_erase+0x1f/0x790 +[ 293.903370] __ceph_remove_cap+0x201/0x370 +[ 293.903375] __ceph_remove_caps+0x4b/0x70 +[ 293.903380] ceph_evict_inode+0x4e/0x360 +[ 293.903386] evict+0x169/0x290 +[ 293.903390] __dentry_kill+0x16f/0x250 +[ 293.903394] dput+0x1c6/0x440 +[ 293.903398] __fput+0x184/0x330 +[ 293.903404] task_work_run+0xb9/0xe0 +[ 293.903410] exit_to_usermode_loop+0xd3/0xe0 +[ 293.903413] do_syscall_64+0x1a0/0x1c0 +[ 293.903417] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +This happens because __ceph_remove_cap() may queue a cap release +(__ceph_queue_cap_release) which can be scheduled before that cap is +removed from the inode list with + + rb_erase(&cap->ci_node, &ci->i_caps); + +And, when this finally happens, the use-after-free will occur. + +This can be fixed by removing the cap from the inode list before being +removed from the session list, and thus eliminating the risk of an UAF. + +Cc: stable@vger.kernel.org +Signed-off-by: Luis Henriques <lhenriques@suse.com> +Reviewed-by: Jeff Layton <jlayton@kernel.org> +Signed-off-by: Ilya Dryomov <idryomov@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + fs/ceph/caps.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -913,6 +913,11 @@ void __ceph_remove_cap(struct ceph_cap * + + dout("__ceph_remove_cap %p from %p\n", cap, &ci->vfs_inode); + ++ /* remove from inode's cap rbtree, and clear auth cap */ ++ rb_erase(&cap->ci_node, &ci->i_caps); ++ if (ci->i_auth_cap == cap) ++ ci->i_auth_cap = NULL; ++ + /* remove from session list */ + spin_lock(&session->s_cap_lock); + /* +@@ -939,11 +944,6 @@ void __ceph_remove_cap(struct ceph_cap * + cap->ci = NULL; + spin_unlock(&session->s_cap_lock); + +- /* remove from inode list */ +- rb_erase(&cap->ci_node, &ci->i_caps); +- if (ci->i_auth_cap == cap) +- ci->i_auth_cap = NULL; +- + if (removed) + ceph_put_cap(mdsc, cap); + diff --git a/drm-radeon-fix-si_enable_smc_cac-failed-issue.patch b/drm-radeon-fix-si_enable_smc_cac-failed-issue.patch new file mode 100644 index 0000000..d30ab33 --- /dev/null +++ b/drm-radeon-fix-si_enable_smc_cac-failed-issue.patch @@ -0,0 +1,33 @@ +From 2c409ba81be25516afe05ae27a4a15da01740b01 Mon Sep 17 00:00:00 2001 +From: Alex Deucher <alexander.deucher@amd.com> +Date: Wed, 30 Oct 2019 10:21:28 -0400 +Subject: drm/radeon: fix si_enable_smc_cac() failed issue + +From: Alex Deucher <alexander.deucher@amd.com> + +commit 2c409ba81be25516afe05ae27a4a15da01740b01 upstream. + +Need to set the dte flag on this asic. + +Port the fix from amdgpu: +5cb818b861be114 ("drm/amd/amdgpu: fix si_enable_smc_cac() failed issue") + +Reviewed-by: Yong Zhao <yong.zhao@amd.com> +Signed-off-by: Alex Deucher <alexander.deucher@amd.com> +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/gpu/drm/radeon/si_dpm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/radeon/si_dpm.c ++++ b/drivers/gpu/drm/radeon/si_dpm.c +@@ -1952,6 +1952,7 @@ static void si_initialize_powertune_defa + case 0x682C: + si_pi->cac_weights = cac_weights_cape_verde_pro; + si_pi->dte_data = dte_data_sun_xt; ++ update_dte_from_pl2 = true; + break; + case 0x6825: + case 0x6827: diff --git a/dump_stack-avoid-the-livelock-of-the-dump_lock.patch b/dump_stack-avoid-the-livelock-of-the-dump_lock.patch new file mode 100644 index 0000000..4136ce2 --- /dev/null +++ b/dump_stack-avoid-the-livelock-of-the-dump_lock.patch @@ -0,0 +1,47 @@ +From 5cbf2fff3bba8d3c6a4d47c1754de1cf57e2b01f Mon Sep 17 00:00:00 2001 +From: Kevin Hao <haokexin@gmail.com> +Date: Tue, 5 Nov 2019 21:16:57 -0800 +Subject: dump_stack: avoid the livelock of the dump_lock + +From: Kevin Hao <haokexin@gmail.com> + +commit 5cbf2fff3bba8d3c6a4d47c1754de1cf57e2b01f upstream. + +In the current code, we use the atomic_cmpxchg() to serialize the output +of the dump_stack(), but this implementation suffers the thundering herd +problem. We have observed such kind of livelock on a Marvell cn96xx +board(24 cpus) when heavily using the dump_stack() in a kprobe handler. +Actually we can let the competitors to wait for the releasing of the +lock before jumping to atomic_cmpxchg(). This will definitely mitigate +the thundering herd problem. Thanks Linus for the suggestion. + +[akpm@linux-foundation.org: fix comment] +Link: http://lkml.kernel.org/r/20191030031637.6025-1-haokexin@gmail.com +Fixes: b58d977432c8 ("dump_stack: serialize the output from dump_stack()") +Signed-off-by: Kevin Hao <haokexin@gmail.com> +Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> +Cc: <stable@vger.kernel.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + lib/dump_stack.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/lib/dump_stack.c ++++ b/lib/dump_stack.c +@@ -44,7 +44,12 @@ retry: + was_locked = 1; + } else { + local_irq_restore(flags); +- cpu_relax(); ++ /* ++ * Wait for the lock to release before jumping to ++ * atomic_cmpxchg() in order to mitigate the thundering herd ++ * problem. ++ */ ++ do { cpu_relax(); } while (atomic_read(&dump_lock) != -1); + goto retry; + } + diff --git a/iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch b/iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch new file mode 100644 index 0000000..1a23715 --- /dev/null +++ b/iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch @@ -0,0 +1,40 @@ +From 24e1eb5c0d78cfb9750b690bbe997d4d59170258 Mon Sep 17 00:00:00 2001 +From: Alexandru Ardelean <alexandru.ardelean@analog.com> +Date: Tue, 8 Oct 2019 17:15:37 +0300 +Subject: iio: imu: adis16480: make sure provided frequency is positive + +From: Alexandru Ardelean <alexandru.ardelean@analog.com> + +commit 24e1eb5c0d78cfb9750b690bbe997d4d59170258 upstream. + +It could happen that either `val` or `val2` [provided from userspace] is +negative. In that case the computed frequency could get a weird value. + +Fix this by checking that neither of the 2 variables is negative, and check +that the computed result is not-zero. + +Fixes: e4f959390178 ("iio: imu: adis16480 switch sampling frequency attr to core support") +Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com> +Cc: <Stable@vger.kernel.org> +Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + drivers/iio/imu/adis16480.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/iio/imu/adis16480.c ++++ b/drivers/iio/imu/adis16480.c +@@ -266,8 +266,11 @@ static int adis16480_set_freq(struct iio + struct adis16480 *st = iio_priv(indio_dev); + unsigned int t; + ++ if (val < 0 || val2 < 0) ++ return -EINVAL; ++ + t = val * 1000 + val2 / 1000; +- if (t <= 0) ++ if (t == 0) + return -EINVAL; + + t = 2460000 / t; diff --git a/mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch b/mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch new file mode 100644 index 0000000..2b80ffc --- /dev/null +++ b/mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch @@ -0,0 +1,57 @@ +From abaed0112c1db08be15a784a2c5c8a8b3063cdd3 Mon Sep 17 00:00:00 2001 +From: Michal Hocko <mhocko@suse.com> +Date: Tue, 5 Nov 2019 21:16:40 -0800 +Subject: mm, vmstat: hide /proc/pagetypeinfo from normal users + +From: Michal Hocko <mhocko@suse.com> + +commit abaed0112c1db08be15a784a2c5c8a8b3063cdd3 upstream. + +/proc/pagetypeinfo is a debugging tool to examine internal page +allocator state wrt to fragmentation. It is not very useful for any +other use so normal users really do not need to read this file. + +Waiman Long has noticed that reading this file can have negative side +effects because zone->lock is necessary for gathering data and that a) +interferes with the page allocator and its users and b) can lead to hard +lockups on large machines which have very long free_list. + +Reduce both issues by simply not exporting the file to regular users. + +Link: http://lkml.kernel.org/r/20191025072610.18526-2-mhocko@kernel.org +Fixes: 467c996c1e19 ("Print out statistics in relation to fragmentation avoidance to /proc/pagetypeinfo") +Signed-off-by: Michal Hocko <mhocko@suse.com> +Reported-by: Waiman Long <longman@redhat.com> +Acked-by: Mel Gorman <mgorman@suse.de> +Acked-by: Vlastimil Babka <vbabka@suse.cz> +Acked-by: Waiman Long <longman@redhat.com> +Acked-by: Rafael Aquini <aquini@redhat.com> +Acked-by: David Rientjes <rientjes@google.com> +Reviewed-by: Andrew Morton <akpm@linux-foundation.org> +Cc: David Hildenbrand <david@redhat.com> +Cc: Johannes Weiner <hannes@cmpxchg.org> +Cc: Roman Gushchin <guro@fb.com> +Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> +Cc: Jann Horn <jannh@google.com> +Cc: Song Liu <songliubraving@fb.com> +Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Cc: <stable@vger.kernel.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + mm/vmstat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/vmstat.c ++++ b/mm/vmstat.c +@@ -1444,7 +1444,7 @@ static int __init setup_vmstat(void) + #endif + #ifdef CONFIG_PROC_FS + proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations); +- proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops); ++ proc_create("pagetypeinfo", 0400, NULL, &pagetypeinfo_file_ops); + proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations); + proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations); + #endif diff --git a/netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch b/netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch new file mode 100644 index 0000000..157d819 --- /dev/null +++ b/netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch @@ -0,0 +1,47 @@ +From 30b7244d79651460ff114ba8f7987ed94c86b99a Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Sat, 24 Aug 2019 17:49:55 +0300 +Subject: netfilter: ipset: Fix an error code in ip_set_sockfn_get() + +From: Dan Carpenter <dan.carpenter@oracle.com> + +commit 30b7244d79651460ff114ba8f7987ed94c86b99a upstream. + +The copy_to_user() function returns the number of bytes remaining to be +copied. In this code, that positive return is checked at the end of the +function and we return zero/success. What we should do instead is +return -EFAULT. + +Fixes: a7b4f989a629 ("netfilter: ipset: IP set core support") +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + net/netfilter/ipset/ip_set_core.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/net/netfilter/ipset/ip_set_core.c ++++ b/net/netfilter/ipset/ip_set_core.c +@@ -1885,8 +1885,9 @@ ip_set_sockfn_get(struct sock *sk, int o + } + + req_version->version = IPSET_PROTOCOL; +- ret = copy_to_user(user, req_version, +- sizeof(struct ip_set_req_version)); ++ if (copy_to_user(user, req_version, ++ sizeof(struct ip_set_req_version))) ++ ret = -EFAULT; + goto done; + } + case IP_SET_OP_GET_BYNAME: { +@@ -1943,7 +1944,8 @@ ip_set_sockfn_get(struct sock *sk, int o + } /* end of switch(op) */ + + copy: +- ret = copy_to_user(user, data, copylen); ++ if (copy_to_user(user, data, copylen)) ++ ret = -EFAULT; + + done: + vfree(data); diff --git a/netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch b/netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch new file mode 100644 index 0000000..8545e5b --- /dev/null +++ b/netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch @@ -0,0 +1,60 @@ +From 250367c59e6ba0d79d702a059712d66edacd4a1a Mon Sep 17 00:00:00 2001 +From: Lukas Wunner <lukas@wunner.de> +Date: Thu, 31 Oct 2019 11:06:24 +0100 +Subject: netfilter: nf_tables: Align nft_expr private data to 64-bit + +From: Lukas Wunner <lukas@wunner.de> + +commit 250367c59e6ba0d79d702a059712d66edacd4a1a upstream. + +Invoking the following commands on a 32-bit architecture with strict +alignment requirements (such as an ARMv7-based Raspberry Pi) results +in an alignment exception: + + # nft add table ip test-ip4 + # nft add chain ip test-ip4 output { type filter hook output priority 0; } + # nft add rule ip test-ip4 output quota 1025 bytes + +Alignment trap: not handling instruction e1b26f9f at [<7f4473f8>] +Unhandled fault: alignment exception (0x001) at 0xb832e824 +Internal error: : 1 [#1] PREEMPT SMP ARM +Hardware name: BCM2835 +[<7f4473fc>] (nft_quota_do_init [nft_quota]) +[<7f447448>] (nft_quota_init [nft_quota]) +[<7f4260d0>] (nf_tables_newrule [nf_tables]) +[<7f4168dc>] (nfnetlink_rcv_batch [nfnetlink]) +[<7f416bd0>] (nfnetlink_rcv [nfnetlink]) +[<8078b334>] (netlink_unicast) +[<8078b664>] (netlink_sendmsg) +[<8071b47c>] (sock_sendmsg) +[<8071bd18>] (___sys_sendmsg) +[<8071ce3c>] (__sys_sendmsg) +[<8071ce94>] (sys_sendmsg) + +The reason is that nft_quota_do_init() calls atomic64_set() on an +atomic64_t which is only aligned to 32-bit, not 64-bit, because it +succeeds struct nft_expr in memory which only contains a 32-bit pointer. +Fix by aligning the nft_expr private data to 64-bit. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Signed-off-by: Lukas Wunner <lukas@wunner.de> +Cc: stable@vger.kernel.org # v3.13+ +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + include/net/netfilter/nf_tables.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -365,7 +365,8 @@ struct nft_expr_ops { + */ + struct nft_expr { + const struct nft_expr_ops *ops; +- unsigned char data[]; ++ unsigned char data[] ++ __attribute__((aligned(__alignof__(u64)))); + }; + + static inline void *nft_expr_priv(const struct nft_expr *expr) diff --git a/perf-tools-fix-time-sorting.patch b/perf-tools-fix-time-sorting.patch new file mode 100644 index 0000000..2ab59da --- /dev/null +++ b/perf-tools-fix-time-sorting.patch @@ -0,0 +1,46 @@ +From 722ddfde366fd46205456a9c5ff9b3359dc9a75e Mon Sep 17 00:00:00 2001 +From: Jiri Olsa <jolsa@kernel.org> +Date: Tue, 5 Nov 2019 00:27:11 +0100 +Subject: perf tools: Fix time sorting + +From: Jiri Olsa <jolsa@kernel.org> + +commit 722ddfde366fd46205456a9c5ff9b3359dc9a75e upstream. + +The final sort might get confused when the comparison is done over +bigger numbers than int like for -s time. + +Check the following report for longer workloads: + + $ perf report -s time -F time,overhead --stdio + +Fix hist_entry__sort() to properly return int64_t and not possible cut +int. + +Fixes: 043ca389a318 ("perf tools: Use hpp formats to sort final output") +Signed-off-by: Jiri Olsa <jolsa@kernel.org> +Reviewed-by: Andi Kleen <ak@linux.intel.com> +Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> +Cc: Michael Petlan <mpetlan@redhat.com> +Cc: Namhyung Kim <namhyung@kernel.org> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: stable@vger.kernel.org # v3.16+ +Link: http://lore.kernel.org/lkml/20191104232711.16055-1-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + tools/perf/util/hist.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/util/hist.c ++++ b/tools/perf/util/hist.c +@@ -1050,7 +1050,7 @@ void hists__collapse_resort(struct hists + } + } + +-static int hist_entry__sort(struct hist_entry *a, struct hist_entry *b) ++static int64_t hist_entry__sort(struct hist_entry *a, struct hist_entry *b) + { + struct perf_hpp_fmt *fmt; + int64_t cmp = 0; @@ -1,3 +1,18 @@ cdc-ncm-handle-incomplete-transfer-of-mtu.patch net-fix-data-race-in-neigh_event_send.patch nfc-netlink-fix-double-device-reference-drop.patch +alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch +alsa-hda-ca0132-fix-possible-workqueue-stall.patch +mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch +dump_stack-avoid-the-livelock-of-the-dump_lock.patch +perf-tools-fix-time-sorting.patch +drm-radeon-fix-si_enable_smc_cac-failed-issue.patch +ceph-fix-use-after-free-in-__ceph_remove_cap.patch +iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch +netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch +netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch +can-usb_8dev-fix-use-after-free-on-disconnect.patch +can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch +can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch +can-gs_usb-gs_can_open-prevent-memory-leak.patch +can-peak_usb-fix-slab-info-leak.patch |