All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 4.9 00/42] 4.9.293-rc1 review
@ 2021-12-13  9:29 Greg Kroah-Hartman
  2021-12-13  9:29 ` [PATCH 4.9 01/42] HID: introduce hid_is_using_ll_driver Greg Kroah-Hartman
                   ` (46 more replies)
  0 siblings, 47 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable

This is the start of the stable review cycle for the 4.9.293 release.
There are 42 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 15 Dec 2021 09:29:16 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.293-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.9.293-rc1

Vladimir Murzin <vladimir.murzin@arm.com>
    irqchip: nvic: Fix offset for Interrupt Priority Offsets

Wudi Wang <wangwudi@hisilicon.com>
    irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL

Pali Rohár <pali@kernel.org>
    irqchip/armada-370-xp: Fix support for Multi-MSI interrupts

Pali Rohár <pali@kernel.org>
    irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc()

Yang Yingliang <yangyingliang@huawei.com>
    iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove

Lars-Peter Clausen <lars@metafoo.de>
    iio: itg3200: Call iio_trigger_notify_done() on error

Lars-Peter Clausen <lars@metafoo.de>
    iio: kxsd9: Don't return error code in trigger handler

Lars-Peter Clausen <lars@metafoo.de>
    iio: ltr501: Don't return error code in trigger handler

Lars-Peter Clausen <lars@metafoo.de>
    iio: mma8452: Fix trigger reference couting

Lars-Peter Clausen <lars@metafoo.de>
    iio: stk3310: Don't return error code in interrupt handler

Pavel Hofman <pavel.hofman@ivitera.com>
    usb: core: config: using bit mask instead of individual bits

Pavel Hofman <pavel.hofman@ivitera.com>
    usb: core: config: fix validation of wMaxPacketValue entries

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    USB: gadget: zero allocate endpoint 0 buffers

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    USB: gadget: detect too-big endpoint 0 requests

Dan Carpenter <dan.carpenter@oracle.com>
    net/qla3xxx: fix an error code in ql_adapter_up()

Eric Dumazet <edumazet@google.com>
    net, neigh: clear whole pneigh_entry at alloc time

Joakim Zhang <qiangqing.zhang@nxp.com>
    net: fec: only clear interrupt of handling queue in fec_enet_rx_queue()

Dan Carpenter <dan.carpenter@oracle.com>
    net: altera: set a couple error code in probe()

Lee Jones <lee.jones@linaro.org>
    net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero

Davidlohr Bueso <dave@stgolabs.net>
    block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2)

Steven Rostedt (VMware) <rostedt@goodmis.org>
    tracefs: Set all files to the same group ownership as the mount option

Eric Biggers <ebiggers@google.com>
    signalfd: use wake_up_pollfree()

Eric Biggers <ebiggers@google.com>
    binder: use wake_up_pollfree()

Eric Biggers <ebiggers@kernel.org>
    wait: add wake_up_pollfree()

Hannes Reinecke <hare@suse.de>
    libata: add horkage for ASMedia 1092

Vincent Mailhol <mailhol.vincent@wanadoo.fr>
    can: pch_can: pch_can_rx_normal: fix use after free

Steven Rostedt (VMware) <rostedt@goodmis.org>
    tracefs: Have new files inherit the ownership of their parent

Takashi Iwai <tiwai@suse.de>
    ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*()

Takashi Iwai <tiwai@suse.de>
    ALSA: pcm: oss: Limit the period size to 16MB

Takashi Iwai <tiwai@suse.de>
    ALSA: pcm: oss: Fix negative period/buffer sizes

Alan Young <consult.awy@gmail.com>
    ALSA: ctl: Fix copy of updated id with element read/write

Manjong Lee <mj0123.lee@samsung.com>
    mm: bdi: initialize bdi_min_ratio when bdi is unregistered

Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
    IB/hfi1: Correct guard on eager buffer deallocation

Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
    nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done

Dan Carpenter <dan.carpenter@oracle.com>
    can: sja1000: fix use after free in ems_pcmcia_add_card()

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    HID: check for valid USB device for many HID drivers

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    HID: wacom: fix problems when device is not a valid USB device

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    HID: add USB_HID dependancy on some USB HID drivers

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    HID: add USB_HID dependancy to hid-chicony

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    HID: add USB_HID dependancy to hid-prodikeys

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    HID: add hid_is_usb() function to make it simpler for USB detection

Jason Gerecke <killertofu@gmail.com>
    HID: introduce hid_is_using_ll_driver


-------------

Diffstat:

 Makefile                                      |  4 +-
 block/ioprio.c                                |  3 ++
 drivers/android/binder.c                      | 21 ++++----
 drivers/ata/libata-core.c                     |  2 +
 drivers/hid/Kconfig                           | 10 ++--
 drivers/hid/hid-chicony.c                     |  8 ++-
 drivers/hid/hid-corsair.c                     |  7 ++-
 drivers/hid/hid-elo.c                         |  3 ++
 drivers/hid/hid-holtek-kbd.c                  |  9 +++-
 drivers/hid/hid-holtek-mouse.c                |  9 ++++
 drivers/hid/hid-lg.c                          | 10 +++-
 drivers/hid/hid-prodikeys.c                   | 10 +++-
 drivers/hid/hid-roccat-arvo.c                 |  3 ++
 drivers/hid/hid-roccat-isku.c                 |  3 ++
 drivers/hid/hid-roccat-kone.c                 |  3 ++
 drivers/hid/hid-roccat-koneplus.c             |  3 ++
 drivers/hid/hid-roccat-konepure.c             |  3 ++
 drivers/hid/hid-roccat-kovaplus.c             |  3 ++
 drivers/hid/hid-roccat-lua.c                  |  3 ++
 drivers/hid/hid-roccat-pyra.c                 |  3 ++
 drivers/hid/hid-roccat-ryos.c                 |  3 ++
 drivers/hid/hid-roccat-savu.c                 |  3 ++
 drivers/hid/hid-samsung.c                     |  3 ++
 drivers/hid/hid-uclogic.c                     |  3 ++
 drivers/hid/i2c-hid/i2c-hid-core.c            |  3 +-
 drivers/hid/uhid.c                            |  3 +-
 drivers/hid/usbhid/hid-core.c                 |  3 +-
 drivers/hid/wacom_sys.c                       | 17 ++++--
 drivers/iio/accel/kxcjk-1013.c                |  5 +-
 drivers/iio/accel/kxsd9.c                     |  6 +--
 drivers/iio/accel/mma8452.c                   |  2 +-
 drivers/iio/gyro/itg3200_buffer.c             |  2 +-
 drivers/iio/light/ltr501.c                    |  2 +-
 drivers/iio/light/stk3310.c                   |  6 +--
 drivers/infiniband/hw/hfi1/init.c             |  2 +-
 drivers/irqchip/irq-armada-370-xp.c           | 16 +++---
 drivers/irqchip/irq-gic-v3-its.c              |  2 +-
 drivers/irqchip/irq-nvic.c                    |  2 +-
 drivers/net/can/pch_can.c                     |  2 +-
 drivers/net/can/sja1000/ems_pcmcia.c          |  7 ++-
 drivers/net/ethernet/altera/altera_tse_main.c |  9 ++--
 drivers/net/ethernet/freescale/fec.h          |  3 ++
 drivers/net/ethernet/freescale/fec_main.c     |  2 +-
 drivers/net/ethernet/qlogic/qla3xxx.c         | 19 ++++---
 drivers/net/usb/cdc_ncm.c                     |  2 +
 drivers/usb/core/config.c                     |  6 +--
 drivers/usb/gadget/composite.c                | 14 ++++-
 drivers/usb/gadget/legacy/dbgp.c              | 15 +++++-
 drivers/usb/gadget/legacy/inode.c             | 16 +++++-
 fs/signalfd.c                                 | 12 +----
 fs/tracefs/inode.c                            | 76 +++++++++++++++++++++++++++
 include/linux/hid.h                           | 16 ++++++
 include/linux/wait.h                          | 26 +++++++++
 kernel/sched/wait.c                           |  8 +++
 mm/backing-dev.c                              |  7 +++
 net/bluetooth/hidp/core.c                     |  3 +-
 net/core/neighbour.c                          |  2 +-
 net/nfc/netlink.c                             |  6 ++-
 sound/core/control_compat.c                   |  3 ++
 sound/core/oss/pcm_oss.c                      | 37 ++++++++-----
 60 files changed, 384 insertions(+), 110 deletions(-)



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 01/42] HID: introduce hid_is_using_ll_driver
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
@ 2021-12-13  9:29 ` Greg Kroah-Hartman
  2021-12-13  9:29 ` [PATCH 4.9 02/42] HID: add hid_is_usb() function to make it simpler for USB detection Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jason Gerecke, Benjamin Tissoires,
	Jiri Kosina

From: Jason Gerecke <killertofu@gmail.com>

commit fc2237a724a9e448599076d7d23497f51e2f7441 upstream.

Although HID itself is transport-agnostic, occasionally a driver may
want to interact with the low-level transport that a device is connected
through. To do this, we need to know what kind of bus is in use. The
first guess may be to look at the 'bus' field of the 'struct hid_device',
but this field may be emulated in some cases (e.g. uhid).

More ideally, we can check which ll_driver a device is using. This
function introduces a 'hid_is_using_ll_driver' function and makes the
'struct hid_ll_driver' of the four most common transports accessible
through hid.h.

Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
Acked-By: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/i2c-hid/i2c-hid-core.c |    3 ++-
 drivers/hid/uhid.c                 |    3 ++-
 drivers/hid/usbhid/hid-core.c      |    3 ++-
 include/linux/hid.h                |   11 +++++++++++
 net/bluetooth/hidp/core.c          |    3 ++-
 5 files changed, 19 insertions(+), 4 deletions(-)

--- a/drivers/hid/i2c-hid/i2c-hid-core.c
+++ b/drivers/hid/i2c-hid/i2c-hid-core.c
@@ -875,7 +875,7 @@ static int i2c_hid_power(struct hid_devi
 	return 0;
 }
 
-static struct hid_ll_driver i2c_hid_ll_driver = {
+struct hid_ll_driver i2c_hid_ll_driver = {
 	.parse = i2c_hid_parse,
 	.start = i2c_hid_start,
 	.stop = i2c_hid_stop,
@@ -885,6 +885,7 @@ static struct hid_ll_driver i2c_hid_ll_d
 	.output_report = i2c_hid_output_report,
 	.raw_request = i2c_hid_raw_request,
 };
+EXPORT_SYMBOL_GPL(i2c_hid_ll_driver);
 
 static int i2c_hid_init_irq(struct i2c_client *client)
 {
--- a/drivers/hid/uhid.c
+++ b/drivers/hid/uhid.c
@@ -372,7 +372,7 @@ static int uhid_hid_output_report(struct
 	return uhid_hid_output_raw(hid, buf, count, HID_OUTPUT_REPORT);
 }
 
-static struct hid_ll_driver uhid_hid_driver = {
+struct hid_ll_driver uhid_hid_driver = {
 	.start = uhid_hid_start,
 	.stop = uhid_hid_stop,
 	.open = uhid_hid_open,
@@ -381,6 +381,7 @@ static struct hid_ll_driver uhid_hid_dri
 	.raw_request = uhid_hid_raw_request,
 	.output_report = uhid_hid_output_report,
 };
+EXPORT_SYMBOL_GPL(uhid_hid_driver);
 
 #ifdef CONFIG_COMPAT
 
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1272,7 +1272,7 @@ static int usbhid_idle(struct hid_device
 	return hid_set_idle(dev, ifnum, report, idle);
 }
 
-static struct hid_ll_driver usb_hid_driver = {
+struct hid_ll_driver usb_hid_driver = {
 	.parse = usbhid_parse,
 	.start = usbhid_start,
 	.stop = usbhid_stop,
@@ -1285,6 +1285,7 @@ static struct hid_ll_driver usb_hid_driv
 	.output_report = usbhid_output_report,
 	.idle = usbhid_idle,
 };
+EXPORT_SYMBOL_GPL(usb_hid_driver);
 
 static int usbhid_probe(struct usb_interface *intf, const struct usb_device_id *id)
 {
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -762,6 +762,17 @@ struct hid_ll_driver {
 	int (*idle)(struct hid_device *hdev, int report, int idle, int reqtype);
 };
 
+extern struct hid_ll_driver i2c_hid_ll_driver;
+extern struct hid_ll_driver hidp_hid_driver;
+extern struct hid_ll_driver uhid_hid_driver;
+extern struct hid_ll_driver usb_hid_driver;
+
+static inline bool hid_is_using_ll_driver(struct hid_device *hdev,
+		struct hid_ll_driver *driver)
+{
+	return hdev->ll_driver == driver;
+}
+
 #define	PM_HINT_FULLON	1<<5
 #define PM_HINT_NORMAL	1<<1
 
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -734,7 +734,7 @@ static void hidp_stop(struct hid_device
 	hid->claimed = 0;
 }
 
-static struct hid_ll_driver hidp_hid_driver = {
+struct hid_ll_driver hidp_hid_driver = {
 	.parse = hidp_parse,
 	.start = hidp_start,
 	.stop = hidp_stop,
@@ -743,6 +743,7 @@ static struct hid_ll_driver hidp_hid_dri
 	.raw_request = hidp_raw_request,
 	.output_report = hidp_output_report,
 };
+EXPORT_SYMBOL_GPL(hidp_hid_driver);
 
 /* This function sets up the hid device. It does not add it
    to the HID system. That is done in hidp_add_connection(). */



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 02/42] HID: add hid_is_usb() function to make it simpler for USB detection
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
  2021-12-13  9:29 ` [PATCH 4.9 01/42] HID: introduce hid_is_using_ll_driver Greg Kroah-Hartman
@ 2021-12-13  9:29 ` Greg Kroah-Hartman
  2021-12-13  9:29 ` [PATCH 4.9 03/42] HID: add USB_HID dependancy to hid-prodikeys Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Kosina, Benjamin Tissoires, linux-input

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f83baa0cb6cfc92ebaf7f9d3a99d7e34f2e77a8a upstream.

A number of HID drivers already call hid_is_using_ll_driver() but only
for the detection of if this is a USB device or not.  Make this more
obvious by creating hid_is_usb() and calling the function that way.

Also converts the existing hid_is_using_ll_driver() functions to use the
new call.

Cc: Jiri Kosina <jikos@kernel.org>
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cc: linux-input@vger.kernel.org
Cc: stable@vger.kernel.org
Tested-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Link: https://lore.kernel.org/r/20211201183503.2373082-1-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/hid.h |    5 +++++
 1 file changed, 5 insertions(+)

--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -773,6 +773,11 @@ static inline bool hid_is_using_ll_drive
 	return hdev->ll_driver == driver;
 }
 
+static inline bool hid_is_usb(struct hid_device *hdev)
+{
+	return hid_is_using_ll_driver(hdev, &usb_hid_driver);
+}
+
 #define	PM_HINT_FULLON	1<<5
 #define PM_HINT_NORMAL	1<<1
 



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 03/42] HID: add USB_HID dependancy to hid-prodikeys
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
  2021-12-13  9:29 ` [PATCH 4.9 01/42] HID: introduce hid_is_using_ll_driver Greg Kroah-Hartman
  2021-12-13  9:29 ` [PATCH 4.9 02/42] HID: add hid_is_usb() function to make it simpler for USB detection Greg Kroah-Hartman
@ 2021-12-13  9:29 ` Greg Kroah-Hartman
  2021-12-13  9:29 ` [PATCH 4.9 04/42] HID: add USB_HID dependancy to hid-chicony Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Jiri Kosina,
	Benjamin Tissoires

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 30cb3c2ad24b66fb7639a6d1f4390c74d6e68f94 upstream.

The prodikeys HID driver only controls USB devices, yet did not have a
dependancy on USB_HID.  This causes build errors on some configurations
like nios2 when building due to new changes to the prodikeys driver.

Reported-by: kernel test robot <lkp@intel.com>
Cc: stable@vger.kernel.org
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Link: https://lore.kernel.org/r/20211203081231.2856936-1-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/Kconfig |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/hid/Kconfig
+++ b/drivers/hid/Kconfig
@@ -194,7 +194,7 @@ config HID_CORSAIR
 
 config HID_PRODIKEYS
 	tristate "Prodikeys PC-MIDI Keyboard support"
-	depends on HID && SND
+	depends on USB_HID && SND
 	select SND_RAWMIDI
 	---help---
 	Support for Prodikeys PC-MIDI Keyboard device support.



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 04/42] HID: add USB_HID dependancy to hid-chicony
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2021-12-13  9:29 ` [PATCH 4.9 03/42] HID: add USB_HID dependancy to hid-prodikeys Greg Kroah-Hartman
@ 2021-12-13  9:29 ` Greg Kroah-Hartman
  2021-12-13  9:29 ` [PATCH 4.9 05/42] HID: add USB_HID dependancy on some USB HID drivers Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephen Rothwell, Jiri Kosina,
	Benjamin Tissoires

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d080811f27936f712f619f847389f403ac873b8f upstream.

The chicony HID driver only controls USB devices, yet did not have a
dependancy on USB_HID.  This causes build errors on some configurations
like sparc when building due to new changes to the chicony driver.

Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: stable@vger.kernel.org
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Link: https://lore.kernel.org/r/20211203075927.2829218-1-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/Kconfig |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/hid/Kconfig
+++ b/drivers/hid/Kconfig
@@ -176,7 +176,7 @@ config HID_CHERRY
 
 config HID_CHICONY
 	tristate "Chicony devices"
-	depends on HID
+	depends on USB_HID
 	default !EXPERT
 	---help---
 	Support for Chicony Tactical pad and special keys on Chicony keyboards.



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 05/42] HID: add USB_HID dependancy on some USB HID drivers
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2021-12-13  9:29 ` [PATCH 4.9 04/42] HID: add USB_HID dependancy to hid-chicony Greg Kroah-Hartman
@ 2021-12-13  9:29 ` Greg Kroah-Hartman
  2021-12-13  9:29 ` [PATCH 4.9 06/42] HID: wacom: fix problems when device is not a valid USB device Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Benjamin Tissoires

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f237d9028f844a86955fc9da59d7ac4a5c55d7d5 upstream.

Some HID drivers are only for USB drivers, yet did not depend on
CONFIG_USB_HID.  This was hidden by the fact that the USB functions were
stubbed out in the past, but now that drivers are checking for USB
devices properly, build errors can occur with some random
configurations.

Reported-by: kernel test robot <lkp@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Link: https://lore.kernel.org/r/20211202114819.2511954-1-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/Kconfig |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/hid/Kconfig
+++ b/drivers/hid/Kconfig
@@ -183,7 +183,7 @@ config HID_CHICONY
 
 config HID_CORSAIR
 	tristate "Corsair devices"
-	depends on HID && USB && LEDS_CLASS
+	depends on USB_HID && LEDS_CLASS
 	---help---
 	Support for Corsair devices that are not fully compliant with the
 	HID standard.
@@ -421,7 +421,7 @@ config HID_LENOVO
 
 config HID_LOGITECH
 	tristate "Logitech devices"
-	depends on HID
+	depends on USB_HID
 	default !EXPERT
 	---help---
 	Support for Logitech devices that are not fully compliant with HID standard.
@@ -730,7 +730,7 @@ config HID_SAITEK
 
 config HID_SAMSUNG
 	tristate "Samsung InfraRed remote control or keyboards"
-	depends on HID
+	depends on USB_HID
 	---help---
 	Support for Samsung InfraRed remote control or keyboards.
 



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 06/42] HID: wacom: fix problems when device is not a valid USB device
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2021-12-13  9:29 ` [PATCH 4.9 05/42] HID: add USB_HID dependancy on some USB HID drivers Greg Kroah-Hartman
@ 2021-12-13  9:29 ` Greg Kroah-Hartman
  2021-12-13  9:29 ` [PATCH 4.9 07/42] HID: check for valid USB device for many HID drivers Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Kosina, Benjamin Tissoires, linux-input

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 720ac467204a70308bd687927ed475afb904e11b upstream.

The wacom driver accepts devices of more than just USB types, but some
code paths can cause problems if the device being controlled is not a
USB device due to a lack of checking.  Add the needed checks to ensure
that the USB device accesses are only happening on a "real" USB device,
and not one on some other bus.

Cc: Jiri Kosina <jikos@kernel.org>
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cc: linux-input@vger.kernel.org
Cc: stable@vger.kernel.org
Tested-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Link: https://lore.kernel.org/r/20211201183503.2373082-2-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/wacom_sys.c |   17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -506,7 +506,7 @@ static void wacom_retrieve_hid_descripto
 	 * Skip the query for this type and modify defaults based on
 	 * interface number.
 	 */
-	if (features->type == WIRELESS) {
+	if (features->type == WIRELESS && intf) {
 		if (intf->cur_altsetting->desc.bInterfaceNumber == 0)
 			features->device_type = WACOM_DEVICETYPE_WL_MONITOR;
 		else
@@ -2115,6 +2115,9 @@ static void wacom_wireless_work(struct w
 
 	wacom_destroy_battery(wacom);
 
+	if (!usbdev)
+		return;
+
 	/* Stylus interface */
 	hdev1 = usb_get_intfdata(usbdev->config->interface[1]);
 	wacom1 = hid_get_drvdata(hdev1);
@@ -2354,8 +2357,6 @@ static void wacom_remote_work(struct wor
 static int wacom_probe(struct hid_device *hdev,
 		const struct hid_device_id *id)
 {
-	struct usb_interface *intf = to_usb_interface(hdev->dev.parent);
-	struct usb_device *dev = interface_to_usbdev(intf);
 	struct wacom *wacom;
 	struct wacom_wac *wacom_wac;
 	struct wacom_features *features;
@@ -2388,8 +2389,14 @@ static int wacom_probe(struct hid_device
 	wacom_wac->hid_data.inputmode = -1;
 	wacom_wac->mode_report = -1;
 
-	wacom->usbdev = dev;
-	wacom->intf = intf;
+	if (hid_is_usb(hdev)) {
+		struct usb_interface *intf = to_usb_interface(hdev->dev.parent);
+		struct usb_device *dev = interface_to_usbdev(intf);
+
+		wacom->usbdev = dev;
+		wacom->intf = intf;
+	}
+
 	mutex_init(&wacom->lock);
 	INIT_WORK(&wacom->wireless_work, wacom_wireless_work);
 	INIT_WORK(&wacom->battery_work, wacom_battery_work);



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 07/42] HID: check for valid USB device for many HID drivers
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2021-12-13  9:29 ` [PATCH 4.9 06/42] HID: wacom: fix problems when device is not a valid USB device Greg Kroah-Hartman
@ 2021-12-13  9:29 ` Greg Kroah-Hartman
  2021-12-13  9:29 ` [PATCH 4.9 08/42] can: sja1000: fix use after free in ems_pcmcia_add_card() Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Kosina, Benjamin Tissoires,
	Michael Zaidman, Stefan Achatz, Maxime Coquelin,
	Alexandre Torgue, linux-input

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 93020953d0fa7035fd036ad87a47ae2b7aa4ae33 upstream.

Many HID drivers assume that the HID device assigned to them is a USB
device as that was the only way HID devices used to be able to be
created in Linux.  However, with the additional ways that HID devices
can be created for many different bus types, that is no longer true, so
properly check that we have a USB device associated with the HID device
before allowing a driver that makes this assumption to claim it.

Cc: Jiri Kosina <jikos@kernel.org>
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cc: Michael Zaidman <michael.zaidman@gmail.com>
Cc: Stefan Achatz <erazor_de@users.sourceforge.net>
Cc: Maxime Coquelin <mcoquelin.stm32@gmail.com>
Cc: Alexandre Torgue <alexandre.torgue@foss.st.com>
Cc: linux-input@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tested-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
[bentiss: amended for thrustmater.c hunk to apply]
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Link: https://lore.kernel.org/r/20211201183503.2373082-3-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/hid-chicony.c         |    8 ++++++--
 drivers/hid/hid-corsair.c         |    7 ++++++-
 drivers/hid/hid-elo.c             |    3 +++
 drivers/hid/hid-holtek-kbd.c      |    9 +++++++--
 drivers/hid/hid-holtek-mouse.c    |    9 +++++++++
 drivers/hid/hid-lg.c              |   10 ++++++++--
 drivers/hid/hid-prodikeys.c       |   10 ++++++++--
 drivers/hid/hid-roccat-arvo.c     |    3 +++
 drivers/hid/hid-roccat-isku.c     |    3 +++
 drivers/hid/hid-roccat-kone.c     |    3 +++
 drivers/hid/hid-roccat-koneplus.c |    3 +++
 drivers/hid/hid-roccat-konepure.c |    3 +++
 drivers/hid/hid-roccat-kovaplus.c |    3 +++
 drivers/hid/hid-roccat-lua.c      |    3 +++
 drivers/hid/hid-roccat-pyra.c     |    3 +++
 drivers/hid/hid-roccat-ryos.c     |    3 +++
 drivers/hid/hid-roccat-savu.c     |    3 +++
 drivers/hid/hid-samsung.c         |    3 +++
 drivers/hid/hid-uclogic.c         |    3 +++
 19 files changed, 83 insertions(+), 9 deletions(-)

--- a/drivers/hid/hid-chicony.c
+++ b/drivers/hid/hid-chicony.c
@@ -61,8 +61,12 @@ static int ch_input_mapping(struct hid_d
 static __u8 *ch_switch12_report_fixup(struct hid_device *hdev, __u8 *rdesc,
 		unsigned int *rsize)
 {
-	struct usb_interface *intf = to_usb_interface(hdev->dev.parent);
-	
+	struct usb_interface *intf;
+
+	if (!hid_is_usb(hdev))
+		return rdesc;
+
+	intf = to_usb_interface(hdev->dev.parent);
 	if (intf->cur_altsetting->desc.bInterfaceNumber == 1) {
 		/* Change usage maximum and logical maximum from 0x7fff to
 		 * 0x2fff, so they don't exceed HID_MAX_USAGES */
--- a/drivers/hid/hid-corsair.c
+++ b/drivers/hid/hid-corsair.c
@@ -553,7 +553,12 @@ static int corsair_probe(struct hid_devi
 	int ret;
 	unsigned long quirks = id->driver_data;
 	struct corsair_drvdata *drvdata;
-	struct usb_interface *usbif = to_usb_interface(dev->dev.parent);
+	struct usb_interface *usbif;
+
+	if (!hid_is_usb(dev))
+		return -EINVAL;
+
+	usbif = to_usb_interface(dev->dev.parent);
 
 	drvdata = devm_kzalloc(&dev->dev, sizeof(struct corsair_drvdata),
 			       GFP_KERNEL);
--- a/drivers/hid/hid-elo.c
+++ b/drivers/hid/hid-elo.c
@@ -230,6 +230,9 @@ static int elo_probe(struct hid_device *
 	struct elo_priv *priv;
 	int ret;
 
+	if (!hid_is_usb(hdev))
+		return -EINVAL;
+
 	priv = kzalloc(sizeof(*priv), GFP_KERNEL);
 	if (!priv)
 		return -ENOMEM;
--- a/drivers/hid/hid-holtek-kbd.c
+++ b/drivers/hid/hid-holtek-kbd.c
@@ -143,12 +143,17 @@ static int holtek_kbd_input_event(struct
 static int holtek_kbd_probe(struct hid_device *hdev,
 		const struct hid_device_id *id)
 {
-	struct usb_interface *intf = to_usb_interface(hdev->dev.parent);
-	int ret = hid_parse(hdev);
+	struct usb_interface *intf;
+	int ret;
 
+	if (!hid_is_usb(hdev))
+		return -EINVAL;
+
+	ret = hid_parse(hdev);
 	if (!ret)
 		ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
 
+	intf = to_usb_interface(hdev->dev.parent);
 	if (!ret && intf->cur_altsetting->desc.bInterfaceNumber == 1) {
 		struct hid_input *hidinput;
 		list_for_each_entry(hidinput, &hdev->inputs, list) {
--- a/drivers/hid/hid-holtek-mouse.c
+++ b/drivers/hid/hid-holtek-mouse.c
@@ -65,6 +65,14 @@ static __u8 *holtek_mouse_report_fixup(s
 	return rdesc;
 }
 
+static int holtek_mouse_probe(struct hid_device *hdev,
+			      const struct hid_device_id *id)
+{
+	if (!hid_is_usb(hdev))
+		return -EINVAL;
+	return 0;
+}
+
 static const struct hid_device_id holtek_mouse_devices[] = {
 	{ HID_USB_DEVICE(USB_VENDOR_ID_HOLTEK_ALT,
 			USB_DEVICE_ID_HOLTEK_ALT_MOUSE_A067) },
@@ -86,6 +94,7 @@ static struct hid_driver holtek_mouse_dr
 	.name = "holtek_mouse",
 	.id_table = holtek_mouse_devices,
 	.report_fixup = holtek_mouse_report_fixup,
+	.probe = holtek_mouse_probe,
 };
 
 module_hid_driver(holtek_mouse_driver);
--- a/drivers/hid/hid-lg.c
+++ b/drivers/hid/hid-lg.c
@@ -714,12 +714,18 @@ static int lg_raw_event(struct hid_devic
 
 static int lg_probe(struct hid_device *hdev, const struct hid_device_id *id)
 {
-	struct usb_interface *iface = to_usb_interface(hdev->dev.parent);
-	__u8 iface_num = iface->cur_altsetting->desc.bInterfaceNumber;
+	struct usb_interface *iface;
+	__u8 iface_num;
 	unsigned int connect_mask = HID_CONNECT_DEFAULT;
 	struct lg_drv_data *drv_data;
 	int ret;
 
+	if (!hid_is_usb(hdev))
+		return -EINVAL;
+
+	iface = to_usb_interface(hdev->dev.parent);
+	iface_num = iface->cur_altsetting->desc.bInterfaceNumber;
+
 	/* G29 only work with the 1st interface */
 	if ((hdev->product == USB_DEVICE_ID_LOGITECH_G29_WHEEL) &&
 	    (iface_num != 0)) {
--- a/drivers/hid/hid-prodikeys.c
+++ b/drivers/hid/hid-prodikeys.c
@@ -803,12 +803,18 @@ static int pk_raw_event(struct hid_devic
 static int pk_probe(struct hid_device *hdev, const struct hid_device_id *id)
 {
 	int ret;
-	struct usb_interface *intf = to_usb_interface(hdev->dev.parent);
-	unsigned short ifnum = intf->cur_altsetting->desc.bInterfaceNumber;
+	struct usb_interface *intf;
+	unsigned short ifnum;
 	unsigned long quirks = id->driver_data;
 	struct pk_device *pk;
 	struct pcmidi_snd *pm = NULL;
 
+	if (!hid_is_usb(hdev))
+		return -EINVAL;
+
+	intf = to_usb_interface(hdev->dev.parent);
+	ifnum = intf->cur_altsetting->desc.bInterfaceNumber;
+
 	pk = kzalloc(sizeof(*pk), GFP_KERNEL);
 	if (pk == NULL) {
 		hid_err(hdev, "can't alloc descriptor\n");
--- a/drivers/hid/hid-roccat-arvo.c
+++ b/drivers/hid/hid-roccat-arvo.c
@@ -347,6 +347,9 @@ static int arvo_probe(struct hid_device
 {
 	int retval;
 
+	if (!hid_is_usb(hdev))
+		return -EINVAL;
+
 	retval = hid_parse(hdev);
 	if (retval) {
 		hid_err(hdev, "parse failed\n");
--- a/drivers/hid/hid-roccat-isku.c
+++ b/drivers/hid/hid-roccat-isku.c
@@ -327,6 +327,9 @@ static int isku_probe(struct hid_device
 {
 	int retval;
 
+	if (!hid_is_usb(hdev))
+		return -EINVAL;
+
 	retval = hid_parse(hdev);
 	if (retval) {
 		hid_err(hdev, "parse failed\n");
--- a/drivers/hid/hid-roccat-kone.c
+++ b/drivers/hid/hid-roccat-kone.c
@@ -752,6 +752,9 @@ static int kone_probe(struct hid_device
 {
 	int retval;
 
+	if (!hid_is_usb(hdev))
+		return -EINVAL;
+
 	retval = hid_parse(hdev);
 	if (retval) {
 		hid_err(hdev, "parse failed\n");
--- a/drivers/hid/hid-roccat-koneplus.c
+++ b/drivers/hid/hid-roccat-koneplus.c
@@ -434,6 +434,9 @@ static int koneplus_probe(struct hid_dev
 {
 	int retval;
 
+	if (!hid_is_usb(hdev))
+		return -EINVAL;
+
 	retval = hid_parse(hdev);
 	if (retval) {
 		hid_err(hdev, "parse failed\n");
--- a/drivers/hid/hid-roccat-konepure.c
+++ b/drivers/hid/hid-roccat-konepure.c
@@ -136,6 +136,9 @@ static int konepure_probe(struct hid_dev
 {
 	int retval;
 
+	if (!hid_is_usb(hdev))
+		return -EINVAL;
+
 	retval = hid_parse(hdev);
 	if (retval) {
 		hid_err(hdev, "parse failed\n");
--- a/drivers/hid/hid-roccat-kovaplus.c
+++ b/drivers/hid/hid-roccat-kovaplus.c
@@ -504,6 +504,9 @@ static int kovaplus_probe(struct hid_dev
 {
 	int retval;
 
+	if (!hid_is_usb(hdev))
+		return -EINVAL;
+
 	retval = hid_parse(hdev);
 	if (retval) {
 		hid_err(hdev, "parse failed\n");
--- a/drivers/hid/hid-roccat-lua.c
+++ b/drivers/hid/hid-roccat-lua.c
@@ -163,6 +163,9 @@ static int lua_probe(struct hid_device *
 {
 	int retval;
 
+	if (!hid_is_usb(hdev))
+		return -EINVAL;
+
 	retval = hid_parse(hdev);
 	if (retval) {
 		hid_err(hdev, "parse failed\n");
--- a/drivers/hid/hid-roccat-pyra.c
+++ b/drivers/hid/hid-roccat-pyra.c
@@ -452,6 +452,9 @@ static int pyra_probe(struct hid_device
 {
 	int retval;
 
+	if (!hid_is_usb(hdev))
+		return -EINVAL;
+
 	retval = hid_parse(hdev);
 	if (retval) {
 		hid_err(hdev, "parse failed\n");
--- a/drivers/hid/hid-roccat-ryos.c
+++ b/drivers/hid/hid-roccat-ryos.c
@@ -144,6 +144,9 @@ static int ryos_probe(struct hid_device
 {
 	int retval;
 
+	if (!hid_is_usb(hdev))
+		return -EINVAL;
+
 	retval = hid_parse(hdev);
 	if (retval) {
 		hid_err(hdev, "parse failed\n");
--- a/drivers/hid/hid-roccat-savu.c
+++ b/drivers/hid/hid-roccat-savu.c
@@ -116,6 +116,9 @@ static int savu_probe(struct hid_device
 {
 	int retval;
 
+	if (!hid_is_usb(hdev))
+		return -EINVAL;
+
 	retval = hid_parse(hdev);
 	if (retval) {
 		hid_err(hdev, "parse failed\n");
--- a/drivers/hid/hid-samsung.c
+++ b/drivers/hid/hid-samsung.c
@@ -157,6 +157,9 @@ static int samsung_probe(struct hid_devi
 	int ret;
 	unsigned int cmask = HID_CONNECT_DEFAULT;
 
+	if (!hid_is_usb(hdev))
+		return -EINVAL;
+
 	ret = hid_parse(hdev);
 	if (ret) {
 		hid_err(hdev, "parse failed\n");
--- a/drivers/hid/hid-uclogic.c
+++ b/drivers/hid/hid-uclogic.c
@@ -791,6 +791,9 @@ static int uclogic_tablet_enable(struct
 	__u8 *p;
 	s32 v;
 
+	if (!hid_is_usb(hdev))
+		return -EINVAL;
+
 	/*
 	 * Read string descriptor containing tablet parameters. The specific
 	 * string descriptor and data were discovered by sniffing the Windows



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 08/42] can: sja1000: fix use after free in ems_pcmcia_add_card()
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2021-12-13  9:29 ` [PATCH 4.9 07/42] HID: check for valid USB device for many HID drivers Greg Kroah-Hartman
@ 2021-12-13  9:29 ` Greg Kroah-Hartman
  2021-12-13  9:29 ` [PATCH 4.9 09/42] nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Oliver Hartkopp,
	Marc Kleine-Budde

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 3ec6ca6b1a8e64389f0212b5a1b0f6fed1909e45 upstream.

If the last channel is not available then "dev" is freed.  Fortunately,
we can just use "pdev->irq" instead.

Also we should check if at least one channel was set up.

Fixes: fd734c6f25ae ("can/sja1000: add driver for EMS PCMCIA card")
Link: https://lore.kernel.org/all/20211124145041.GB13656@kili
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Tested-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/can/sja1000/ems_pcmcia.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/net/can/sja1000/ems_pcmcia.c
+++ b/drivers/net/can/sja1000/ems_pcmcia.c
@@ -243,7 +243,12 @@ static int ems_pcmcia_add_card(struct pc
 			free_sja1000dev(dev);
 	}
 
-	err = request_irq(dev->irq, &ems_pcmcia_interrupt, IRQF_SHARED,
+	if (!card->channels) {
+		err = -ENODEV;
+		goto failure_cleanup;
+	}
+
+	err = request_irq(pdev->irq, &ems_pcmcia_interrupt, IRQF_SHARED,
 			  DRV_NAME, card);
 	if (!err)
 		return 0;



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 09/42] nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2021-12-13  9:29 ` [PATCH 4.9 08/42] can: sja1000: fix use after free in ems_pcmcia_add_card() Greg Kroah-Hartman
@ 2021-12-13  9:29 ` Greg Kroah-Hartman
  2021-12-13  9:29 ` [PATCH 4.9 10/42] IB/hfi1: Correct guard on eager buffer deallocation Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Jakub Kicinski

From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

commit 4cd8371a234d051f9c9557fcbb1f8c523b1c0d10 upstream.

The done() netlink callback nfc_genl_dump_ses_done() should check if
received argument is non-NULL, because its allocation could fail earlier
in dumpit() (nfc_genl_dump_ses()).

Fixes: ac22ac466a65 ("NFC: Add a GET_SE netlink API")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Link: https://lore.kernel.org/r/20211209081307.57337-1-krzysztof.kozlowski@canonical.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/nfc/netlink.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/nfc/netlink.c
+++ b/net/nfc/netlink.c
@@ -1403,8 +1403,10 @@ static int nfc_genl_dump_ses_done(struct
 {
 	struct class_dev_iter *iter = (struct class_dev_iter *) cb->args[0];
 
-	nfc_device_iter_exit(iter);
-	kfree(iter);
+	if (iter) {
+		nfc_device_iter_exit(iter);
+		kfree(iter);
+	}
 
 	return 0;
 }



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 10/42] IB/hfi1: Correct guard on eager buffer deallocation
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2021-12-13  9:29 ` [PATCH 4.9 09/42] nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done Greg Kroah-Hartman
@ 2021-12-13  9:29 ` Greg Kroah-Hartman
  2021-12-13  9:29 ` [PATCH 4.9 11/42] mm: bdi: initialize bdi_min_ratio when bdi is unregistered Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Marciniszyn, Dennis Dalessandro,
	Jason Gunthorpe

From: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>

commit 9292f8f9a2ac42eb320bced7153aa2e63d8cc13a upstream.

The code tests the dma address which legitimately can be 0.

The code should test the kernel logical address to avoid leaking eager
buffer allocations that happen to map to a dma address of 0.

Fixes: 60368186fd85 ("IB/hfi1: Fix user-space buffers mapping with IOMMU enabled")
Link: https://lore.kernel.org/r/20211129191952.101968.17137.stgit@awfm-01.cornelisnetworks.com
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/hfi1/init.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/hw/hfi1/init.c
+++ b/drivers/infiniband/hw/hfi1/init.c
@@ -955,7 +955,7 @@ void hfi1_free_ctxtdata(struct hfi1_devd
 	kfree(rcd->egrbufs.rcvtids);
 
 	for (e = 0; e < rcd->egrbufs.alloced; e++) {
-		if (rcd->egrbufs.buffers[e].dma)
+		if (rcd->egrbufs.buffers[e].addr)
 			dma_free_coherent(&dd->pcidev->dev,
 					  rcd->egrbufs.buffers[e].len,
 					  rcd->egrbufs.buffers[e].addr,



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 11/42] mm: bdi: initialize bdi_min_ratio when bdi is unregistered
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2021-12-13  9:29 ` [PATCH 4.9 10/42] IB/hfi1: Correct guard on eager buffer deallocation Greg Kroah-Hartman
@ 2021-12-13  9:29 ` Greg Kroah-Hartman
  2021-12-13  9:29 ` [PATCH 4.9 12/42] ALSA: ctl: Fix copy of updated id with element read/write Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Manjong Lee, Peter Zijlstra (Intel),
	Changheun Lee, Jens Axboe, Christoph Hellwig, Matthew Wilcox,
	seunghwan.hyun, sookwan7.kim, yt0928.kim, junho89.kim,
	jisoo2146.oh, Andrew Morton, Linus Torvalds

From: Manjong Lee <mj0123.lee@samsung.com>

commit 3c376dfafbf7a8ea0dea212d095ddd83e93280bb upstream.

Initialize min_ratio if it is set during bdi unregistration.  This can
prevent problems that may occur a when bdi is removed without resetting
min_ratio.

For example.
1) insert external sdcard
2) set external sdcard's min_ratio 70
3) remove external sdcard without setting min_ratio 0
4) insert external sdcard
5) set external sdcard's min_ratio 70 << error occur(can't set)

Because when an sdcard is removed, the present bdi_min_ratio value will
remain.  Currently, the only way to reset bdi_min_ratio is to reboot.

[akpm@linux-foundation.org: tweak comment and coding style]

Link: https://lkml.kernel.org/r/20211021161942.5983-1-mj0123.lee@samsung.com
Signed-off-by: Manjong Lee <mj0123.lee@samsung.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Changheun Lee <nanich.lee@samsung.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: <seunghwan.hyun@samsung.com>
Cc: <sookwan7.kim@samsung.com>
Cc: <yt0928.kim@samsung.com>
Cc: <junho89.kim@samsung.com>
Cc: <jisoo2146.oh@samsung.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/backing-dev.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/mm/backing-dev.c
+++ b/mm/backing-dev.c
@@ -865,6 +865,13 @@ void bdi_unregister(struct backing_dev_i
 	wb_shutdown(&bdi->wb);
 	cgwb_bdi_destroy(bdi);
 
+	/*
+	 * If this BDI's min ratio has been set, use bdi_set_min_ratio() to
+	 * update the global bdi_min_ratio.
+	 */
+	if (bdi->min_ratio)
+		bdi_set_min_ratio(bdi, 0);
+
 	if (bdi->dev) {
 		bdi_debug_unregister(bdi);
 		device_unregister(bdi->dev);



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 12/42] ALSA: ctl: Fix copy of updated id with element read/write
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2021-12-13  9:29 ` [PATCH 4.9 11/42] mm: bdi: initialize bdi_min_ratio when bdi is unregistered Greg Kroah-Hartman
@ 2021-12-13  9:29 ` Greg Kroah-Hartman
  2021-12-13  9:29 ` [PATCH 4.9 13/42] ALSA: pcm: oss: Fix negative period/buffer sizes Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alan Young, Takashi Iwai

From: Alan Young <consult.awy@gmail.com>

commit b6409dd6bdc03aa178bbff0d80db2a30d29b63ac upstream.

When control_compat.c:copy_ctl_value_to_user() is used, by
ctl_elem_read_user() & ctl_elem_write_user(), it must also copy back the
snd_ctl_elem_id value that may have been updated (filled in) by the call
to snd_ctl_elem_read/snd_ctl_elem_write().

This matches the functionality provided by snd_ctl_elem_read_user() and
snd_ctl_elem_write_user(), via snd_ctl_build_ioff().

Without this, and without making additional calls to snd_ctl_info()
which are unnecessary when using the non-compat calls, a userspace
application will not know the numid value for the element and
consequently will not be able to use the poll/read interface on the
control file to determine which elements have updates.

Signed-off-by: Alan Young <consult.awy@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211202150607.543389-1-consult.awy@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/control_compat.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/sound/core/control_compat.c
+++ b/sound/core/control_compat.c
@@ -281,6 +281,7 @@ static int copy_ctl_value_to_user(void _
 				  struct snd_ctl_elem_value *data,
 				  int type, int count)
 {
+	struct snd_ctl_elem_value32 __user *data32 = userdata;
 	int i, size;
 
 	if (type == SNDRV_CTL_ELEM_TYPE_BOOLEAN ||
@@ -297,6 +298,8 @@ static int copy_ctl_value_to_user(void _
 		if (copy_to_user(valuep, data->value.bytes.data, size))
 			return -EFAULT;
 	}
+	if (copy_to_user(&data32->id, &data->id, sizeof(data32->id)))
+		return -EFAULT;
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 13/42] ALSA: pcm: oss: Fix negative period/buffer sizes
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2021-12-13  9:29 ` [PATCH 4.9 12/42] ALSA: ctl: Fix copy of updated id with element read/write Greg Kroah-Hartman
@ 2021-12-13  9:29 ` Greg Kroah-Hartman
  2021-12-13  9:29 ` [PATCH 4.9 14/42] ALSA: pcm: oss: Limit the period size to 16MB Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+bb348e9f9a954d42746f,
	Bixuan Cui, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 9d2479c960875ca1239bcb899f386970c13d9cfe upstream.

The period size calculation in OSS layer may receive a negative value
as an error, but the code there assumes only the positive values and
handle them with size_t.  Due to that, a too big value may be passed
to the lower layers.

This patch changes the code to handle with ssize_t and adds the proper
error checks appropriately.

Reported-by: syzbot+bb348e9f9a954d42746f@syzkaller.appspotmail.com
Reported-by: Bixuan Cui <cuibixuan@linux.alibaba.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/1638270978-42412-1-git-send-email-cuibixuan@linux.alibaba.com
Link: https://lore.kernel.org/r/20211201073606.11660-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/oss/pcm_oss.c |   24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -173,7 +173,7 @@ snd_pcm_hw_param_value_min(const struct
  *
  * Return the maximum value for field PAR.
  */
-static unsigned int
+static int
 snd_pcm_hw_param_value_max(const struct snd_pcm_hw_params *params,
 			   snd_pcm_hw_param_t var, int *dir)
 {
@@ -708,18 +708,24 @@ static int snd_pcm_oss_period_size(struc
 				   struct snd_pcm_hw_params *oss_params,
 				   struct snd_pcm_hw_params *slave_params)
 {
-	size_t s;
-	size_t oss_buffer_size, oss_period_size, oss_periods;
-	size_t min_period_size, max_period_size;
+	ssize_t s;
+	ssize_t oss_buffer_size;
+	ssize_t oss_period_size, oss_periods;
+	ssize_t min_period_size, max_period_size;
 	struct snd_pcm_runtime *runtime = substream->runtime;
 	size_t oss_frame_size;
 
 	oss_frame_size = snd_pcm_format_physical_width(params_format(oss_params)) *
 			 params_channels(oss_params) / 8;
 
+	oss_buffer_size = snd_pcm_hw_param_value_max(slave_params,
+						     SNDRV_PCM_HW_PARAM_BUFFER_SIZE,
+						     NULL);
+	if (oss_buffer_size <= 0)
+		return -EINVAL;
 	oss_buffer_size = snd_pcm_plug_client_size(substream,
-						   snd_pcm_hw_param_value_max(slave_params, SNDRV_PCM_HW_PARAM_BUFFER_SIZE, NULL)) * oss_frame_size;
-	if (!oss_buffer_size)
+						   oss_buffer_size * oss_frame_size);
+	if (oss_buffer_size <= 0)
 		return -EINVAL;
 	oss_buffer_size = rounddown_pow_of_two(oss_buffer_size);
 	if (atomic_read(&substream->mmap_count)) {
@@ -756,7 +762,7 @@ static int snd_pcm_oss_period_size(struc
 
 	min_period_size = snd_pcm_plug_client_size(substream,
 						   snd_pcm_hw_param_value_min(slave_params, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, NULL));
-	if (min_period_size) {
+	if (min_period_size > 0) {
 		min_period_size *= oss_frame_size;
 		min_period_size = roundup_pow_of_two(min_period_size);
 		if (oss_period_size < min_period_size)
@@ -765,7 +771,7 @@ static int snd_pcm_oss_period_size(struc
 
 	max_period_size = snd_pcm_plug_client_size(substream,
 						   snd_pcm_hw_param_value_max(slave_params, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, NULL));
-	if (max_period_size) {
+	if (max_period_size > 0) {
 		max_period_size *= oss_frame_size;
 		max_period_size = rounddown_pow_of_two(max_period_size);
 		if (oss_period_size > max_period_size)
@@ -778,7 +784,7 @@ static int snd_pcm_oss_period_size(struc
 		oss_periods = substream->oss.setup.periods;
 
 	s = snd_pcm_hw_param_value_max(slave_params, SNDRV_PCM_HW_PARAM_PERIODS, NULL);
-	if (runtime->oss.maxfrags && s > runtime->oss.maxfrags)
+	if (s > 0 && runtime->oss.maxfrags && s > runtime->oss.maxfrags)
 		s = runtime->oss.maxfrags;
 	if (oss_periods > s)
 		oss_periods = s;



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 14/42] ALSA: pcm: oss: Limit the period size to 16MB
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2021-12-13  9:29 ` [PATCH 4.9 13/42] ALSA: pcm: oss: Fix negative period/buffer sizes Greg Kroah-Hartman
@ 2021-12-13  9:29 ` Greg Kroah-Hartman
  2021-12-13  9:29 ` [PATCH 4.9 15/42] ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*() Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+bb348e9f9a954d42746f,
	Bixuan Cui, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 8839c8c0f77ab8fc0463f4ab8b37fca3f70677c2 upstream.

Set the practical limit to the period size (the fragment shift in OSS)
instead of a full 31bit; a too large value could lead to the exhaust
of memory as we allocate temporary buffers of the period size, too.

As of this patch, we set to 16MB limit, which should cover all use
cases.

Reported-by: syzbot+bb348e9f9a954d42746f@syzkaller.appspotmail.com
Reported-by: Bixuan Cui <cuibixuan@linux.alibaba.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/1638270978-42412-1-git-send-email-cuibixuan@linux.alibaba.com
Link: https://lore.kernel.org/r/20211201073606.11660-3-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/oss/pcm_oss.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -2019,7 +2019,7 @@ static int snd_pcm_oss_set_fragment1(str
 	if (runtime->oss.subdivision || runtime->oss.fragshift)
 		return -EINVAL;
 	fragshift = val & 0xffff;
-	if (fragshift >= 31)
+	if (fragshift >= 25) /* should be large enough */
 		return -EINVAL;
 	runtime->oss.fragshift = fragshift;
 	runtime->oss.maxfrags = (val >> 16) & 0xffff;



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 15/42] ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*()
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2021-12-13  9:29 ` [PATCH 4.9 14/42] ALSA: pcm: oss: Limit the period size to 16MB Greg Kroah-Hartman
@ 2021-12-13  9:29 ` Greg Kroah-Hartman
  2021-12-13  9:29 ` [PATCH 4.9 16/42] tracefs: Have new files inherit the ownership of their parent Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 6665bb30a6b1a4a853d52557c05482ee50e71391 upstream.

A couple of calls in snd_pcm_oss_change_params_locked() ignore the
possible errors.  Catch those errors and abort the operation for
avoiding further problems.

Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211201073606.11660-4-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/oss/pcm_oss.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -910,8 +910,15 @@ static int snd_pcm_oss_change_params_loc
 		err = -EINVAL;
 		goto failure;
 	}
-	choose_rate(substream, sparams, runtime->oss.rate);
-	snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_CHANNELS, runtime->oss.channels, NULL);
+
+	err = choose_rate(substream, sparams, runtime->oss.rate);
+	if (err < 0)
+		goto failure;
+	err = snd_pcm_hw_param_near(substream, sparams,
+				    SNDRV_PCM_HW_PARAM_CHANNELS,
+				    runtime->oss.channels, NULL);
+	if (err < 0)
+		goto failure;
 
 	format = snd_pcm_oss_format_from(runtime->oss.format);
 



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 16/42] tracefs: Have new files inherit the ownership of their parent
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2021-12-13  9:29 ` [PATCH 4.9 15/42] ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*() Greg Kroah-Hartman
@ 2021-12-13  9:29 ` Greg Kroah-Hartman
  2021-12-13  9:29 ` [PATCH 4.9 17/42] can: pch_can: pch_can_rx_normal: fix use after free Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kees Cook, Ingo Molnar,
	Andrew Morton, Linus Torvalds, Al Viro, Yabin Cui,
	Christian Brauner, Kalesh Singh, Steven Rostedt (VMware)

From: Steven Rostedt (VMware) <rostedt@goodmis.org>

commit ee7f3666995d8537dec17b1d35425f28877671a9 upstream.

If directories in tracefs have their ownership changed, then any new files
and directories that are created under those directories should inherit
the ownership of the director they are created in.

Link: https://lkml.kernel.org/r/20211208075720.4855d180@gandalf.local.home

Cc: Kees Cook <keescook@chromium.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Yabin Cui <yabinc@google.com>
Cc: Christian Brauner <christian.brauner@ubuntu.com>
Cc: stable@vger.kernel.org
Fixes: 4282d60689d4f ("tracefs: Add new tracefs file system")
Reported-by: Kalesh Singh <kaleshsingh@google.com>
Reported: https://lore.kernel.org/all/CAC_TJve8MMAv+H_NdLSJXZUSoxOEq2zB_pVaJ9p=7H6Bu3X76g@mail.gmail.com/
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/tracefs/inode.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/fs/tracefs/inode.c
+++ b/fs/tracefs/inode.c
@@ -411,6 +411,8 @@ struct dentry *tracefs_create_file(const
 	inode->i_mode = mode;
 	inode->i_fop = fops ? fops : &tracefs_file_operations;
 	inode->i_private = data;
+	inode->i_uid = d_inode(dentry->d_parent)->i_uid;
+	inode->i_gid = d_inode(dentry->d_parent)->i_gid;
 	d_instantiate(dentry, inode);
 	fsnotify_create(dentry->d_parent->d_inode, dentry);
 	return end_creating(dentry);
@@ -433,6 +435,8 @@ static struct dentry *__create_dir(const
 	inode->i_mode = S_IFDIR | S_IRWXU | S_IRUSR| S_IRGRP | S_IXUSR | S_IXGRP;
 	inode->i_op = ops;
 	inode->i_fop = &simple_dir_operations;
+	inode->i_uid = d_inode(dentry->d_parent)->i_uid;
+	inode->i_gid = d_inode(dentry->d_parent)->i_gid;
 
 	/* directory inodes start off with i_nlink == 2 (for "." entry) */
 	inc_nlink(inode);



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 17/42] can: pch_can: pch_can_rx_normal: fix use after free
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2021-12-13  9:29 ` [PATCH 4.9 16/42] tracefs: Have new files inherit the ownership of their parent Greg Kroah-Hartman
@ 2021-12-13  9:29 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 18/42] libata: add horkage for ASMedia 1092 Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vincent Mailhol, Marc Kleine-Budde

From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>

commit 94cddf1e9227a171b27292509d59691819c458db upstream.

After calling netif_receive_skb(skb), dereferencing skb is unsafe.
Especially, the can_frame cf which aliases skb memory is dereferenced
just after the call netif_receive_skb(skb).

Reordering the lines solves the issue.

Fixes: b21d18b51b31 ("can: Topcliff: Add PCH_CAN driver.")
Link: https://lore.kernel.org/all/20211123111654.621610-1-mailhol.vincent@wanadoo.fr
Cc: stable@vger.kernel.org
Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/pch_can.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/can/pch_can.c
+++ b/drivers/net/can/pch_can.c
@@ -703,11 +703,11 @@ static int pch_can_rx_normal(struct net_
 			cf->data[i + 1] = data_reg >> 8;
 		}
 
-		netif_receive_skb(skb);
 		rcv_pkts++;
 		stats->rx_packets++;
 		quota--;
 		stats->rx_bytes += cf->can_dlc;
+		netif_receive_skb(skb);
 
 		pch_fifo_thresh(priv, obj_num);
 		obj_num++;



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 18/42] libata: add horkage for ASMedia 1092
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2021-12-13  9:29 ` [PATCH 4.9 17/42] can: pch_can: pch_can_rx_normal: fix use after free Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 19/42] wait: add wake_up_pollfree() Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hannes Reinecke, Damien Le Moal

From: Hannes Reinecke <hare@suse.de>

commit a66307d473077b7aeba74e9b09c841ab3d399c2d upstream.

The ASMedia 1092 has a configuration mode which will present a
dummy device; sadly the implementation falsely claims to provide
a device with 100M which doesn't actually exist.
So disable this device to avoid errors during boot.

Cc: stable@vger.kernel.org
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/ata/libata-core.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4332,6 +4332,8 @@ static const struct ata_blacklist_entry
 	{ "VRFDFC22048UCHC-TE*", NULL,		ATA_HORKAGE_NODMA },
 	/* Odd clown on sil3726/4726 PMPs */
 	{ "Config  Disk",	NULL,		ATA_HORKAGE_DISABLE },
+	/* Similar story with ASMedia 1092 */
+	{ "ASMT109x- Config",	NULL,		ATA_HORKAGE_DISABLE },
 
 	/* Weird ATAPI devices */
 	{ "TORiSAN DVD-ROM DRD-N216", NULL,	ATA_HORKAGE_MAX_SEC_128 },



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 19/42] wait: add wake_up_pollfree()
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 18/42] libata: add horkage for ASMedia 1092 Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 20/42] binder: use wake_up_pollfree() Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, linux-kernel@vger.kernel.org, Linus Torvalds,
	Eric Biggers, Linus Torvalds

From: Eric Biggers <ebiggers@kernel.org>

commit 42288cb44c4b5fff7653bc392b583a2b8bd6a8c0 upstream.

Several ->poll() implementations are special in that they use a
waitqueue whose lifetime is the current task, rather than the struct
file as is normally the case.  This is okay for blocking polls, since a
blocking poll occurs within one task; however, non-blocking polls
require another solution.  This solution is for the queue to be cleared
before it is freed, using 'wake_up_poll(wq, EPOLLHUP | POLLFREE);'.

However, that has a bug: wake_up_poll() calls __wake_up() with
nr_exclusive=1.  Therefore, if there are multiple "exclusive" waiters,
and the wakeup function for the first one returns a positive value, only
that one will be called.  That's *not* what's needed for POLLFREE;
POLLFREE is special in that it really needs to wake up everyone.

Considering the three non-blocking poll systems:

- io_uring poll doesn't handle POLLFREE at all, so it is broken anyway.

- aio poll is unaffected, since it doesn't support exclusive waits.
  However, that's fragile, as someone could add this feature later.

- epoll doesn't appear to be broken by this, since its wakeup function
  returns 0 when it sees POLLFREE.  But this is fragile.

Although there is a workaround (see epoll), it's better to define a
function which always sends POLLFREE to all waiters.  Add such a
function.  Also make it verify that the queue really becomes empty after
all waiters have been woken up.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20211209010455.42744-2-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/wait.h |   26 ++++++++++++++++++++++++++
 kernel/sched/wait.c  |    8 ++++++++
 2 files changed, 34 insertions(+)

--- a/include/linux/wait.h
+++ b/include/linux/wait.h
@@ -202,6 +202,7 @@ void __wake_up_locked_key(wait_queue_hea
 void __wake_up_sync_key(wait_queue_head_t *q, unsigned int mode, int nr, void *key);
 void __wake_up_locked(wait_queue_head_t *q, unsigned int mode, int nr);
 void __wake_up_sync(wait_queue_head_t *q, unsigned int mode, int nr);
+void __wake_up_pollfree(wait_queue_head_t *wq_head);
 void __wake_up_bit(wait_queue_head_t *, void *, int);
 int __wait_on_bit(wait_queue_head_t *, struct wait_bit_queue *, wait_bit_action_f *, unsigned);
 int __wait_on_bit_lock(wait_queue_head_t *, struct wait_bit_queue *, wait_bit_action_f *, unsigned);
@@ -236,6 +237,31 @@ wait_queue_head_t *bit_waitqueue(void *,
 #define wake_up_interruptible_sync_poll(x, m)				\
 	__wake_up_sync_key((x), TASK_INTERRUPTIBLE, 1, (void *) (m))
 
+/**
+ * wake_up_pollfree - signal that a polled waitqueue is going away
+ * @wq_head: the wait queue head
+ *
+ * In the very rare cases where a ->poll() implementation uses a waitqueue whose
+ * lifetime is tied to a task rather than to the 'struct file' being polled,
+ * this function must be called before the waitqueue is freed so that
+ * non-blocking polls (e.g. epoll) are notified that the queue is going away.
+ *
+ * The caller must also RCU-delay the freeing of the wait_queue_head, e.g. via
+ * an explicit synchronize_rcu() or call_rcu(), or via SLAB_DESTROY_BY_RCU.
+ */
+static inline void wake_up_pollfree(wait_queue_head_t *wq_head)
+{
+	/*
+	 * For performance reasons, we don't always take the queue lock here.
+	 * Therefore, we might race with someone removing the last entry from
+	 * the queue, and proceed while they still hold the queue lock.
+	 * However, rcu_read_lock() is required to be held in such cases, so we
+	 * can safely proceed with an RCU-delayed free.
+	 */
+	if (waitqueue_active(wq_head))
+		__wake_up_pollfree(wq_head);
+}
+
 #define ___wait_cond_timeout(condition)					\
 ({									\
 	bool __cond = (condition);					\
--- a/kernel/sched/wait.c
+++ b/kernel/sched/wait.c
@@ -10,6 +10,7 @@
 #include <linux/wait.h>
 #include <linux/hash.h>
 #include <linux/kthread.h>
+#include <linux/poll.h>
 
 void __init_waitqueue_head(wait_queue_head_t *q, const char *name, struct lock_class_key *key)
 {
@@ -156,6 +157,13 @@ void __wake_up_sync(wait_queue_head_t *q
 }
 EXPORT_SYMBOL_GPL(__wake_up_sync);	/* For internal use only */
 
+void __wake_up_pollfree(wait_queue_head_t *wq_head)
+{
+	__wake_up(wq_head, TASK_NORMAL, 0, (void *)(POLLHUP | POLLFREE));
+	/* POLLFREE must have cleared the queue. */
+	WARN_ON_ONCE(waitqueue_active(wq_head));
+}
+
 /*
  * Note: we use "set_current_state()" _after_ the wait-queue add,
  * because we need a memory barrier there on SMP, so that any



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 20/42] binder: use wake_up_pollfree()
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 19/42] wait: add wake_up_pollfree() Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 21/42] signalfd: " Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, linux-kernel@vger.kernel.org, Linus Torvalds,
	Eric Biggers, Linus Torvalds

From: Eric Biggers <ebiggers@google.com>

commit a880b28a71e39013e357fd3adccd1d8a31bc69a8 upstream.

wake_up_poll() uses nr_exclusive=1, so it's not guaranteed to wake up
all exclusive waiters.  Yet, POLLFREE *must* wake up all waiters.  epoll
and aio poll are fortunately not affected by this, but it's very
fragile.  Thus, the new function wake_up_pollfree() has been introduced.

Convert binder to use wake_up_pollfree().

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Fixes: f5cb779ba163 ("ANDROID: binder: remove waitqueue when thread exits.")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20211209010455.42744-3-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/android/binder.c |   21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2641,21 +2641,18 @@ static int binder_free_thread(struct bin
 	}
 
 	/*
-	 * If this thread used poll, make sure we remove the waitqueue
-	 * from any epoll data structures holding it with POLLFREE.
-	 * waitqueue_active() is safe to use here because we're holding
-	 * the global lock.
+	 * If this thread used poll, make sure we remove the waitqueue from any
+	 * poll data structures holding it.
 	 */
-	if ((thread->looper & BINDER_LOOPER_STATE_POLL) &&
-	    waitqueue_active(&thread->wait)) {
-		wake_up_poll(&thread->wait, POLLHUP | POLLFREE);
-	}
+	if (thread->looper & BINDER_LOOPER_STATE_POLL)
+		wake_up_pollfree(&thread->wait);
 
 	/*
-	 * This is needed to avoid races between wake_up_poll() above and
-	 * and ep_remove_waitqueue() called for other reasons (eg the epoll file
-	 * descriptor being closed); ep_remove_waitqueue() holds an RCU read
-	 * lock, so we can be sure it's done after calling synchronize_rcu().
+	 * This is needed to avoid races between wake_up_pollfree() above and
+	 * someone else removing the last entry from the queue for other reasons
+	 * (e.g. ep_remove_wait_queue() being called due to an epoll file
+	 * descriptor being closed).  Such other users hold an RCU read lock, so
+	 * we can be sure they're done after we call synchronize_rcu().
 	 */
 	if (thread->looper & BINDER_LOOPER_STATE_POLL)
 		synchronize_rcu();



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 21/42] signalfd: use wake_up_pollfree()
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 20/42] binder: use wake_up_pollfree() Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 22/42] tracefs: Set all files to the same group ownership as the mount option Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, linux-kernel@vger.kernel.org, Linus Torvalds,
	Eric Biggers, Linus Torvalds

From: Eric Biggers <ebiggers@google.com>

commit 9537bae0da1f8d1e2361ab6d0479e8af7824e160 upstream.

wake_up_poll() uses nr_exclusive=1, so it's not guaranteed to wake up
all exclusive waiters.  Yet, POLLFREE *must* wake up all waiters.  epoll
and aio poll are fortunately not affected by this, but it's very
fragile.  Thus, the new function wake_up_pollfree() has been introduced.

Convert signalfd to use wake_up_pollfree().

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Fixes: d80e731ecab4 ("epoll: introduce POLLFREE to flush ->signalfd_wqh before kfree()")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20211209010455.42744-4-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/signalfd.c |   12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

--- a/fs/signalfd.c
+++ b/fs/signalfd.c
@@ -34,17 +34,7 @@
 
 void signalfd_cleanup(struct sighand_struct *sighand)
 {
-	wait_queue_head_t *wqh = &sighand->signalfd_wqh;
-	/*
-	 * The lockless check can race with remove_wait_queue() in progress,
-	 * but in this case its caller should run under rcu_read_lock() and
-	 * sighand_cachep is SLAB_DESTROY_BY_RCU, we can safely return.
-	 */
-	if (likely(!waitqueue_active(wqh)))
-		return;
-
-	/* wait_queue_t->func(POLLFREE) should do remove_wait_queue() */
-	wake_up_poll(wqh, POLLHUP | POLLFREE);
+	wake_up_pollfree(&sighand->signalfd_wqh);
 }
 
 struct signalfd_ctx {



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 22/42] tracefs: Set all files to the same group ownership as the mount option
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 21/42] signalfd: " Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 23/42] block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2) Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ingo Molnar, Kees Cook,
	Andrew Morton, Linus Torvalds, linux-fsdevel, Al Viro,
	Kalesh Singh, Yabin Cui, Steven Rostedt (VMware)

From: Steven Rostedt (VMware) <rostedt@goodmis.org>

commit 48b27b6b5191e2e1f2798cd80877b6e4ef47c351 upstream.

As people have been asking to allow non-root processes to have access to
the tracefs directory, it was considered best to only allow groups to have
access to the directory, where it is easier to just set the tracefs file
system to a specific group (as other would be too dangerous), and that way
the admins could pick which processes would have access to tracefs.

Unfortunately, this broke tooling on Android that expected the other bit
to be set. For some special cases, for non-root tools to trace the system,
tracefs would be mounted and change the permissions of the top level
directory which gave access to all running tasks permission to the
tracing directory. Even though this would be dangerous to do in a
production environment, for testing environments this can be useful.

Now with the new changes to not allow other (which is still the proper
thing to do), it breaks the testing tooling. Now more code needs to be
loaded on the system to change ownership of the tracing directory.

The real solution is to have tracefs honor the gid=xxx option when
mounting. That is,

(tracing group tracing has value 1003)

 mount -t tracefs -o gid=1003 tracefs /sys/kernel/tracing

should have it that all files in the tracing directory should be of the
given group.

Copy the logic from d_walk() from dcache.c and simplify it for the mount
case of tracefs if gid is set. All the files in tracefs will be walked and
their group will be set to the value passed in.

Link: https://lkml.kernel.org/r/20211207171729.2a54e1b3@gandalf.local.home

Cc: Ingo Molnar <mingo@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-fsdevel@vger.kernel.org
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reported-by: Kalesh Singh <kaleshsingh@google.com>
Reported-by: Yabin Cui <yabinc@google.com>
Fixes: 49d67e445742 ("tracefs: Have tracefs directories not set OTH permission bits by default")
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/tracefs/inode.c |   72 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)

--- a/fs/tracefs/inode.c
+++ b/fs/tracefs/inode.c
@@ -162,6 +162,77 @@ struct tracefs_fs_info {
 	struct tracefs_mount_opts mount_opts;
 };
 
+static void change_gid(struct dentry *dentry, kgid_t gid)
+{
+	if (!dentry->d_inode)
+		return;
+	dentry->d_inode->i_gid = gid;
+}
+
+/*
+ * Taken from d_walk, but without he need for handling renames.
+ * Nothing can be renamed while walking the list, as tracefs
+ * does not support renames. This is only called when mounting
+ * or remounting the file system, to set all the files to
+ * the given gid.
+ */
+static void set_gid(struct dentry *parent, kgid_t gid)
+{
+	struct dentry *this_parent;
+	struct list_head *next;
+
+	this_parent = parent;
+	spin_lock(&this_parent->d_lock);
+
+	change_gid(this_parent, gid);
+repeat:
+	next = this_parent->d_subdirs.next;
+resume:
+	while (next != &this_parent->d_subdirs) {
+		struct list_head *tmp = next;
+		struct dentry *dentry = list_entry(tmp, struct dentry, d_child);
+		next = tmp->next;
+
+		spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED);
+
+		change_gid(dentry, gid);
+
+		if (!list_empty(&dentry->d_subdirs)) {
+			spin_unlock(&this_parent->d_lock);
+			spin_release(&dentry->d_lock.dep_map, 1, _RET_IP_);
+			this_parent = dentry;
+			spin_acquire(&this_parent->d_lock.dep_map, 0, 1, _RET_IP_);
+			goto repeat;
+		}
+		spin_unlock(&dentry->d_lock);
+	}
+	/*
+	 * All done at this level ... ascend and resume the search.
+	 */
+	rcu_read_lock();
+ascend:
+	if (this_parent != parent) {
+		struct dentry *child = this_parent;
+		this_parent = child->d_parent;
+
+		spin_unlock(&child->d_lock);
+		spin_lock(&this_parent->d_lock);
+
+		/* go into the first sibling still alive */
+		do {
+			next = child->d_child.next;
+			if (next == &this_parent->d_subdirs)
+				goto ascend;
+			child = list_entry(next, struct dentry, d_child);
+		} while (unlikely(child->d_flags & DCACHE_DENTRY_KILLED));
+		rcu_read_unlock();
+		goto resume;
+	}
+	rcu_read_unlock();
+	spin_unlock(&this_parent->d_lock);
+	return;
+}
+
 static int tracefs_parse_options(char *data, struct tracefs_mount_opts *opts)
 {
 	substring_t args[MAX_OPT_ARGS];
@@ -194,6 +265,7 @@ static int tracefs_parse_options(char *d
 			if (!gid_valid(gid))
 				return -EINVAL;
 			opts->gid = gid;
+			set_gid(tracefs_mount->mnt_root, gid);
 			break;
 		case Opt_mode:
 			if (match_octal(&args[0], &option))



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 23/42] block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2)
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 22/42] tracefs: Set all files to the same group ownership as the mount option Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 24/42] net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oleg Nesterov, Davidlohr Bueso, Jens Axboe

From: Davidlohr Bueso <dave@stgolabs.net>

commit e6a59aac8a8713f335a37d762db0dbe80e7f6d38 upstream.

do_each_pid_thread(PIDTYPE_PGID) can race with a concurrent
change_pid(PIDTYPE_PGID) that can move the task from one hlist
to another while iterating. Serialize ioprio_get to take
the tasklist_lock in this case, just like it's set counterpart.

Fixes: d69b78ba1de (ioprio: grab rcu_read_lock in sys_ioprio_{set,get}())
Acked-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Link: https://lore.kernel.org/r/20211210182058.43417-1-dave@stgolabs.net
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/ioprio.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/block/ioprio.c
+++ b/block/ioprio.c
@@ -202,6 +202,7 @@ SYSCALL_DEFINE2(ioprio_get, int, which,
 				pgrp = task_pgrp(current);
 			else
 				pgrp = find_vpid(who);
+			read_lock(&tasklist_lock);
 			do_each_pid_thread(pgrp, PIDTYPE_PGID, p) {
 				tmpio = get_task_ioprio(p);
 				if (tmpio < 0)
@@ -211,6 +212,8 @@ SYSCALL_DEFINE2(ioprio_get, int, which,
 				else
 					ret = ioprio_best(ret, tmpio);
 			} while_each_pid_thread(pgrp, PIDTYPE_PGID, p);
+			read_unlock(&tasklist_lock);
+
 			break;
 		case IOPRIO_WHO_USER:
 			uid = make_kuid(current_user_ns(), who);



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 24/42] net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 23/42] block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2) Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 25/42] net: altera: set a couple error code in probe() Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oliver Neukum, Lee Jones,
	Bjørn Mork, Jakub Kicinski

From: Lee Jones <lee.jones@linaro.org>

commit 2be6d4d16a0849455a5c22490e3c5983495fed00 upstream.

Currently, due to the sequential use of min_t() and clamp_t() macros,
in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is not set, the logic
sets tx_max to 0.  This is then used to allocate the data area of the
SKB requested later in cdc_ncm_fill_tx_frame().

This does not cause an issue presently because when memory is
allocated during initialisation phase of SKB creation, more memory
(512b) is allocated than is required for the SKB headers alone (320b),
leaving some space (512b - 320b = 192b) for CDC data (172b).

However, if more elements (for example 3 x u64 = [24b]) were added to
one of the SKB header structs, say 'struct skb_shared_info',
increasing its original size (320b [320b aligned]) to something larger
(344b [384b aligned]), then suddenly the CDC data (172b) no longer
fits in the spare SKB data area (512b - 384b = 128b).

Consequently the SKB bounds checking semantics fails and panics:

  skbuff: skb_over_panic: text:ffffffff830a5b5f len:184 put:172   \
     head:ffff888119227c00 data:ffff888119227c00 tail:0xb8 end:0x80 dev:<NULL>

  ------------[ cut here ]------------
  kernel BUG at net/core/skbuff.c:110!
  RIP: 0010:skb_panic+0x14f/0x160 net/core/skbuff.c:106
  <snip>
  Call Trace:
   <IRQ>
   skb_over_panic+0x2c/0x30 net/core/skbuff.c:115
   skb_put+0x205/0x210 net/core/skbuff.c:1877
   skb_put_zero include/linux/skbuff.h:2270 [inline]
   cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1116 [inline]
   cdc_ncm_fill_tx_frame+0x127f/0x3d50 drivers/net/usb/cdc_ncm.c:1293
   cdc_ncm_tx_fixup+0x98/0xf0 drivers/net/usb/cdc_ncm.c:1514

By overriding the max value with the default CDC_NCM_NTB_MAX_SIZE_TX
when not offered through the system provided params, we ensure enough
data space is allocated to handle the CDC data, meaning no crash will
occur.

Cc: Oliver Neukum <oliver@neukum.org>
Fixes: 289507d3364f9 ("net: cdc_ncm: use sysfs for rx/tx aggregation tuning")
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Reviewed-by: Bjørn Mork <bjorn@mork.no>
Link: https://lore.kernel.org/r/20211202143437.1411410-1-lee.jones@linaro.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/cdc_ncm.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -175,6 +175,8 @@ static u32 cdc_ncm_check_tx_max(struct u
 	/* clamp new_tx to sane values */
 	min = ctx->max_datagram_size + ctx->max_ndp_size + sizeof(struct usb_cdc_ncm_nth16);
 	max = min_t(u32, CDC_NCM_NTB_MAX_SIZE_TX, le32_to_cpu(ctx->ncm_parm.dwNtbOutMaxSize));
+	if (max == 0)
+		max = CDC_NCM_NTB_MAX_SIZE_TX; /* dwNtbOutMaxSize not set */
 
 	/* some devices set dwNtbOutMaxSize too low for the above default */
 	min = min(min, max);



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 25/42] net: altera: set a couple error code in probe()
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 24/42] net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 26/42] net: fec: only clear interrupt of handling queue in fec_enet_rx_queue() Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, David S. Miller

From: Dan Carpenter <dan.carpenter@oracle.com>

commit badd7857f5c933a3dc34942a2c11d67fdbdc24de upstream.

There are two error paths which accidentally return success instead of
a negative error code.

Fixes: bbd2190ce96d ("Altera TSE: Add main and header file for Altera Ethernet Driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/altera/altera_tse_main.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/altera/altera_tse_main.c
+++ b/drivers/net/ethernet/altera/altera_tse_main.c
@@ -1361,16 +1361,19 @@ static int altera_tse_probe(struct platf
 		priv->rxdescmem_busaddr = dma_res->start;
 
 	} else {
+		ret = -ENODEV;
 		goto err_free_netdev;
 	}
 
-	if (!dma_set_mask(priv->device, DMA_BIT_MASK(priv->dmaops->dmamask)))
+	if (!dma_set_mask(priv->device, DMA_BIT_MASK(priv->dmaops->dmamask))) {
 		dma_set_coherent_mask(priv->device,
 				      DMA_BIT_MASK(priv->dmaops->dmamask));
-	else if (!dma_set_mask(priv->device, DMA_BIT_MASK(32)))
+	} else if (!dma_set_mask(priv->device, DMA_BIT_MASK(32))) {
 		dma_set_coherent_mask(priv->device, DMA_BIT_MASK(32));
-	else
+	} else {
+		ret = -EIO;
 		goto err_free_netdev;
+	}
 
 	/* MAC address space */
 	ret = request_and_map(pdev, "control_port", &control_port,



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 26/42] net: fec: only clear interrupt of handling queue in fec_enet_rx_queue()
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 25/42] net: altera: set a couple error code in probe() Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 27/42] net, neigh: clear whole pneigh_entry at alloc time Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Russell King, Nicolas Diaz,
	Joakim Zhang, Jakub Kicinski

From: Joakim Zhang <qiangqing.zhang@nxp.com>

commit b5bd95d17102b6719e3531d627875b9690371383 upstream.

Background:
We have a customer is running a Profinet stack on the 8MM which receives and
responds PNIO packets every 4ms and PNIO-CM packets every 40ms. However, from
time to time the received PNIO-CM package is "stock" and is only handled when
receiving a new PNIO-CM or DCERPC-Ping packet (tcpdump shows the PNIO-CM and
the DCERPC-Ping packet at the same time but the PNIO-CM HW timestamp is from
the expected 40 ms and not the 2s delay of the DCERPC-Ping).

After debugging, we noticed PNIO, PNIO-CM and DCERPC-Ping packets would
be handled by different RX queues.

The root cause should be driver ack all queues' interrupt when handle a
specific queue in fec_enet_rx_queue(). The blamed patch is introduced to
receive as much packets as possible once to avoid interrupt flooding.
But it's unreasonable to clear other queues'interrupt when handling one
queue, this patch tries to fix it.

Fixes: ed63f1dcd578 (net: fec: clear receive interrupts before processing a packet)
Cc: Russell King <rmk+kernel@arm.linux.org.uk>
Reported-by: Nicolas Diaz <nicolas.diaz@nxp.com>
Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
Link: https://lore.kernel.org/r/20211206135457.15946-1-qiangqing.zhang@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/freescale/fec.h      |    3 +++
 drivers/net/ethernet/freescale/fec_main.c |    2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/freescale/fec.h
+++ b/drivers/net/ethernet/freescale/fec.h
@@ -371,6 +371,9 @@ struct bufdesc_ex {
 #define FEC_ENET_WAKEUP	((uint)0x00020000)	/* Wakeup request */
 #define FEC_ENET_TXF	(FEC_ENET_TXF_0 | FEC_ENET_TXF_1 | FEC_ENET_TXF_2)
 #define FEC_ENET_RXF	(FEC_ENET_RXF_0 | FEC_ENET_RXF_1 | FEC_ENET_RXF_2)
+#define FEC_ENET_RXF_GET(X)	(((X) == 0) ? FEC_ENET_RXF_0 :	\
+				(((X) == 1) ? FEC_ENET_RXF_1 :	\
+				FEC_ENET_RXF_2))
 #define FEC_ENET_TS_AVAIL       ((uint)0x00010000)
 #define FEC_ENET_TS_TIMER       ((uint)0x00008000)
 
--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -1380,7 +1380,7 @@ fec_enet_rx_queue(struct net_device *nde
 			break;
 		pkt_received++;
 
-		writel(FEC_ENET_RXF, fep->hwp + FEC_IEVENT);
+		writel(FEC_ENET_RXF_GET(queue_id), fep->hwp + FEC_IEVENT);
 
 		/* Check for errors. */
 		status ^= BD_ENET_RX_LAST;



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 27/42] net, neigh: clear whole pneigh_entry at alloc time
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 26/42] net: fec: only clear interrupt of handling queue in fec_enet_rx_queue() Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 28/42] net/qla3xxx: fix an error code in ql_adapter_up() Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, Roopa Prabhu,
	David Ahern, Jakub Kicinski

From: Eric Dumazet <edumazet@google.com>

commit e195e9b5dee6459d8c8e6a314cc71a644a0537fd upstream.

Commit 2c611ad97a82 ("net, neigh: Extend neigh->flags to 32 bit
to allow for extensions") enables a new KMSAM warning [1]

I think the bug is actually older, because the following intruction
only occurred if ndm->ndm_flags had NTF_PROXY set.

	pn->flags = ndm->ndm_flags;

Let's clear all pneigh_entry fields at alloc time.

[1]
BUG: KMSAN: uninit-value in pneigh_fill_info+0x986/0xb30 net/core/neighbour.c:2593
 pneigh_fill_info+0x986/0xb30 net/core/neighbour.c:2593
 pneigh_dump_table net/core/neighbour.c:2715 [inline]
 neigh_dump_info+0x1e3f/0x2c60 net/core/neighbour.c:2832
 netlink_dump+0xaca/0x16a0 net/netlink/af_netlink.c:2265
 __netlink_dump_start+0xd1c/0xee0 net/netlink/af_netlink.c:2370
 netlink_dump_start include/linux/netlink.h:254 [inline]
 rtnetlink_rcv_msg+0x181b/0x18c0 net/core/rtnetlink.c:5534
 netlink_rcv_skb+0x447/0x800 net/netlink/af_netlink.c:2491
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5589
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x1095/0x1360 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x16f3/0x1870 net/netlink/af_netlink.c:1916
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg net/socket.c:724 [inline]
 sock_write_iter+0x594/0x690 net/socket.c:1057
 call_write_iter include/linux/fs.h:2162 [inline]
 new_sync_write fs/read_write.c:503 [inline]
 vfs_write+0x1318/0x2030 fs/read_write.c:590
 ksys_write+0x28c/0x520 fs/read_write.c:643
 __do_sys_write fs/read_write.c:655 [inline]
 __se_sys_write fs/read_write.c:652 [inline]
 __x64_sys_write+0xdb/0x120 fs/read_write.c:652
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:524 [inline]
 slab_alloc_node mm/slub.c:3251 [inline]
 slab_alloc mm/slub.c:3259 [inline]
 __kmalloc+0xc3c/0x12d0 mm/slub.c:4437
 kmalloc include/linux/slab.h:595 [inline]
 pneigh_lookup+0x60f/0xd70 net/core/neighbour.c:766
 arp_req_set_public net/ipv4/arp.c:1016 [inline]
 arp_req_set+0x430/0x10a0 net/ipv4/arp.c:1032
 arp_ioctl+0x8d4/0xb60 net/ipv4/arp.c:1232
 inet_ioctl+0x4ef/0x820 net/ipv4/af_inet.c:947
 sock_do_ioctl net/socket.c:1118 [inline]
 sock_ioctl+0xa3f/0x13e0 net/socket.c:1235
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0x2df/0x4a0 fs/ioctl.c:860
 __x64_sys_ioctl+0xd8/0x110 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

CPU: 1 PID: 20001 Comm: syz-executor.0 Not tainted 5.16.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Fixes: 62dd93181aaa ("[IPV6] NDISC: Set per-entry is_router flag in Proxy NA.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Roopa Prabhu <roopa@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20211206165329.1049835-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/neighbour.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -597,7 +597,7 @@ struct pneigh_entry * pneigh_lookup(stru
 
 	ASSERT_RTNL();
 
-	n = kmalloc(sizeof(*n) + key_len, GFP_KERNEL);
+	n = kzalloc(sizeof(*n) + key_len, GFP_KERNEL);
 	if (!n)
 		goto out;
 



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 28/42] net/qla3xxx: fix an error code in ql_adapter_up()
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 27/42] net, neigh: clear whole pneigh_entry at alloc time Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 29/42] USB: gadget: detect too-big endpoint 0 requests Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Jakub Kicinski

From: Dan Carpenter <dan.carpenter@oracle.com>

commit d17b9737c2bc09b4ac6caf469826e5a7ce3ffab7 upstream.

The ql_wait_for_drvr_lock() fails and returns false, then this
function should return an error code instead of returning success.

The other problem is that the success path prints an error message
netdev_err(ndev, "Releasing driver lock\n");  Delete that and
re-order the code a little to make it more clear.

Fixes: 5a4faa873782 ("[PATCH] qla3xxx NIC driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20211207082416.GA16110@kili
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/qlogic/qla3xxx.c |   19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

--- a/drivers/net/ethernet/qlogic/qla3xxx.c
+++ b/drivers/net/ethernet/qlogic/qla3xxx.c
@@ -3491,20 +3491,19 @@ static int ql_adapter_up(struct ql3_adap
 
 	spin_lock_irqsave(&qdev->hw_lock, hw_flags);
 
-	err = ql_wait_for_drvr_lock(qdev);
-	if (err) {
-		err = ql_adapter_initialize(qdev);
-		if (err) {
-			netdev_err(ndev, "Unable to initialize adapter\n");
-			goto err_init;
-		}
-		netdev_err(ndev, "Releasing driver lock\n");
-		ql_sem_unlock(qdev, QL_DRVR_SEM_MASK);
-	} else {
+	if (!ql_wait_for_drvr_lock(qdev)) {
 		netdev_err(ndev, "Could not acquire driver lock\n");
+		err = -ENODEV;
 		goto err_lock;
 	}
 
+	err = ql_adapter_initialize(qdev);
+	if (err) {
+		netdev_err(ndev, "Unable to initialize adapter\n");
+		goto err_init;
+	}
+	ql_sem_unlock(qdev, QL_DRVR_SEM_MASK);
+
 	spin_unlock_irqrestore(&qdev->hw_lock, hw_flags);
 
 	set_bit(QL_ADAPTER_UP, &qdev->flags);



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 29/42] USB: gadget: detect too-big endpoint 0 requests
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 28/42] net/qla3xxx: fix an error code in ql_adapter_up() Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 30/42] USB: gadget: zero allocate endpoint 0 buffers Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Szymon Heidrich

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 153a2d7e3350cc89d406ba2d35be8793a64c2038 upstream.

Sometimes USB hosts can ask for buffers that are too large from endpoint
0, which should not be allowed.  If this happens for OUT requests, stall
the endpoint, but for IN requests, trim the request size to the endpoint
buffer size.

Co-developed-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/composite.c    |   12 ++++++++++++
 drivers/usb/gadget/legacy/dbgp.c  |   13 +++++++++++++
 drivers/usb/gadget/legacy/inode.c |   16 +++++++++++++++-
 3 files changed, 40 insertions(+), 1 deletion(-)

--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -1631,6 +1631,18 @@ composite_setup(struct usb_gadget *gadge
 	struct usb_function		*f = NULL;
 	u8				endp;
 
+	if (w_length > USB_COMP_EP0_BUFSIZ) {
+		if (ctrl->bRequestType == USB_DIR_OUT) {
+			goto done;
+		} else {
+			/* Cast away the const, we are going to overwrite on purpose. */
+			__le16 *temp = (__le16 *)&ctrl->wLength;
+
+			*temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ);
+			w_length = USB_COMP_EP0_BUFSIZ;
+		}
+	}
+
 	/* partial re-init of the response message; the function or the
 	 * gadget might need to intercept e.g. a control-OUT completion
 	 * when we delegate to it.
--- a/drivers/usb/gadget/legacy/dbgp.c
+++ b/drivers/usb/gadget/legacy/dbgp.c
@@ -344,6 +344,19 @@ static int dbgp_setup(struct usb_gadget
 	void *data = NULL;
 	u16 len = 0;
 
+	if (length > DBGP_REQ_LEN) {
+		if (ctrl->bRequestType == USB_DIR_OUT) {
+			return err;
+		} else {
+			/* Cast away the const, we are going to overwrite on purpose. */
+			__le16 *temp = (__le16 *)&ctrl->wLength;
+
+			*temp = cpu_to_le16(DBGP_REQ_LEN);
+			length = DBGP_REQ_LEN;
+		}
+	}
+
+
 	if (request == USB_REQ_GET_DESCRIPTOR) {
 		switch (value>>8) {
 		case USB_DT_DEVICE:
--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
@@ -113,6 +113,8 @@ enum ep0_state {
 /* enough for the whole queue: most events invalidate others */
 #define	N_EVENT			5
 
+#define RBUF_SIZE		256
+
 struct dev_data {
 	spinlock_t			lock;
 	atomic_t			count;
@@ -147,7 +149,7 @@ struct dev_data {
 	struct dentry			*dentry;
 
 	/* except this scratch i/o buffer for ep0 */
-	u8				rbuf [256];
+	u8				rbuf[RBUF_SIZE];
 };
 
 static inline void get_dev (struct dev_data *data)
@@ -1336,6 +1338,18 @@ gadgetfs_setup (struct usb_gadget *gadge
 	u16				w_value = le16_to_cpu(ctrl->wValue);
 	u16				w_length = le16_to_cpu(ctrl->wLength);
 
+	if (w_length > RBUF_SIZE) {
+		if (ctrl->bRequestType == USB_DIR_OUT) {
+			return value;
+		} else {
+			/* Cast away the const, we are going to overwrite on purpose. */
+			__le16 *temp = (__le16 *)&ctrl->wLength;
+
+			*temp = cpu_to_le16(RBUF_SIZE);
+			w_length = RBUF_SIZE;
+		}
+	}
+
 	spin_lock (&dev->lock);
 	dev->setup_abort = 0;
 	if (dev->state == STATE_DEV_UNCONNECTED) {



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 30/42] USB: gadget: zero allocate endpoint 0 buffers
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 29/42] USB: gadget: detect too-big endpoint 0 requests Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 31/42] usb: core: config: fix validation of wMaxPacketValue entries Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Szymon Heidrich

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 86ebbc11bb3f60908a51f3e41a17e3f477c2eaa3 upstream.

Under some conditions, USB gadget devices can show allocated buffer
contents to a host.  Fix this up by zero-allocating them so that any
extra data will all just be zeros.

Reported-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Tested-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/composite.c   |    2 +-
 drivers/usb/gadget/legacy/dbgp.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -2183,7 +2183,7 @@ int composite_dev_prepare(struct usb_com
 	if (!cdev->req)
 		return -ENOMEM;
 
-	cdev->req->buf = kmalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL);
+	cdev->req->buf = kzalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL);
 	if (!cdev->req->buf)
 		goto fail;
 
--- a/drivers/usb/gadget/legacy/dbgp.c
+++ b/drivers/usb/gadget/legacy/dbgp.c
@@ -136,7 +136,7 @@ static int dbgp_enable_ep_req(struct usb
 		goto fail_1;
 	}
 
-	req->buf = kmalloc(DBGP_REQ_LEN, GFP_KERNEL);
+	req->buf = kzalloc(DBGP_REQ_LEN, GFP_KERNEL);
 	if (!req->buf) {
 		err = -ENOMEM;
 		stp = 2;



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 31/42] usb: core: config: fix validation of wMaxPacketValue entries
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 30/42] USB: gadget: zero allocate endpoint 0 buffers Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 32/42] usb: core: config: using bit mask instead of individual bits Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alan Stern, Pavel Hofman

From: Pavel Hofman <pavel.hofman@ivitera.com>

commit 1a3910c80966e4a76b25ce812f6bea0ef1b1d530 upstream.

The checks performed by commit aed9d65ac327 ("USB: validate
wMaxPacketValue entries in endpoint descriptors") require that initial
value of the maxp variable contains both maximum packet size bits
(10..0) and multiple-transactions bits (12..11). However, the existing
code assings only the maximum packet size bits. This patch assigns all
bits of wMaxPacketSize to the variable.

Fixes: aed9d65ac327 ("USB: validate wMaxPacketValue entries in endpoint descriptors")
Cc: stable <stable@vger.kernel.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Pavel Hofman <pavel.hofman@ivitera.com>
Link: https://lore.kernel.org/r/20211210085219.16796-1-pavel.hofman@ivitera.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/config.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -404,7 +404,7 @@ static int usb_parse_endpoint(struct dev
 	 * the USB-2 spec requires such endpoints to have wMaxPacketSize = 0
 	 * (see the end of section 5.6.3), so don't warn about them.
 	 */
-	maxp = usb_endpoint_maxp(&endpoint->desc);
+	maxp = le16_to_cpu(endpoint->desc.wMaxPacketSize);
 	if (maxp == 0 && !(usb_endpoint_xfer_isoc(d) && asnum == 0)) {
 		dev_warn(ddev, "config %d interface %d altsetting %d endpoint 0x%X has invalid wMaxPacketSize 0\n",
 		    cfgno, inum, asnum, d->bEndpointAddress);



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 32/42] usb: core: config: using bit mask instead of individual bits
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 31/42] usb: core: config: fix validation of wMaxPacketValue entries Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 33/42] iio: stk3310: Dont return error code in interrupt handler Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alan Stern, Pavel Hofman

From: Pavel Hofman <pavel.hofman@ivitera.com>

commit ca5737396927afd4d57b133fd2874bbcf3421cdb upstream.

Using standard USB_EP_MAXP_MULT_MASK instead of individual bits for
extracting multiple-transactions bits from wMaxPacketSize value.

Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Pavel Hofman <pavel.hofman@ivitera.com>
Link: https://lore.kernel.org/r/20211210085219.16796-2-pavel.hofman@ivitera.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/config.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -420,9 +420,9 @@ static int usb_parse_endpoint(struct dev
 		maxpacket_maxes = full_speed_maxpacket_maxes;
 		break;
 	case USB_SPEED_HIGH:
-		/* Bits 12..11 are allowed only for HS periodic endpoints */
+		/* Multiple-transactions bits are allowed only for HS periodic endpoints */
 		if (usb_endpoint_xfer_int(d) || usb_endpoint_xfer_isoc(d)) {
-			i = maxp & (BIT(12) | BIT(11));
+			i = maxp & USB_EP_MAXP_MULT_MASK;
 			maxp &= ~i;
 		}
 		/* fallthrough */



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 33/42] iio: stk3310: Dont return error code in interrupt handler
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 32/42] usb: core: config: using bit mask instead of individual bits Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 34/42] iio: mma8452: Fix trigger reference couting Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lars-Peter Clausen, Stable, Jonathan Cameron

From: Lars-Peter Clausen <lars@metafoo.de>

commit 8e1eeca5afa7ba84d885987165dbdc5decf15413 upstream.

Interrupt handlers must return one of the irqreturn_t values. Returning a
error code is not supported.

The stk3310 event interrupt handler returns an error code when reading the
flags register fails.

Fix the implementation to always return an irqreturn_t value.

Fixes: 3dd477acbdd1 ("iio: light: Add threshold interrupt support for STK3310")
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Link: https://lore.kernel.org/r/20211024171251.22896-3-lars@metafoo.de
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/light/stk3310.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/iio/light/stk3310.c
+++ b/drivers/iio/light/stk3310.c
@@ -546,9 +546,8 @@ static irqreturn_t stk3310_irq_event_han
 	mutex_lock(&data->lock);
 	ret = regmap_field_read(data->reg_flag_nf, &dir);
 	if (ret < 0) {
-		dev_err(&data->client->dev, "register read failed\n");
-		mutex_unlock(&data->lock);
-		return ret;
+		dev_err(&data->client->dev, "register read failed: %d\n", ret);
+		goto out;
 	}
 	event = IIO_UNMOD_EVENT_CODE(IIO_PROXIMITY, 1,
 				     IIO_EV_TYPE_THRESH,
@@ -560,6 +559,7 @@ static irqreturn_t stk3310_irq_event_han
 	ret = regmap_field_write(data->reg_flag_psint, 0);
 	if (ret < 0)
 		dev_err(&data->client->dev, "failed to reset interrupts\n");
+out:
 	mutex_unlock(&data->lock);
 
 	return IRQ_HANDLED;



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 34/42] iio: mma8452: Fix trigger reference couting
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 33/42] iio: stk3310: Dont return error code in interrupt handler Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 35/42] iio: ltr501: Dont return error code in trigger handler Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lars-Peter Clausen, Stable, Jonathan Cameron

From: Lars-Peter Clausen <lars@metafoo.de>

commit cd0082235783f814241a1c9483fb89e405f4f892 upstream.

The mma8452 driver directly assigns a trigger to the struct iio_dev. The
IIO core when done using this trigger will call `iio_trigger_put()` to drop
the reference count by 1.

Without the matching `iio_trigger_get()` in the driver the reference count
can reach 0 too early, the trigger gets freed while still in use and a
use-after-free occurs.

Fix this by getting a reference to the trigger before assigning it to the
IIO device.

Fixes: ae6d9ce05691 ("iio: mma8452: Add support for interrupt driven triggers.")
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Link: https://lore.kernel.org/r/20211024092700.6844-1-lars@metafoo.de
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/accel/mma8452.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/accel/mma8452.c
+++ b/drivers/iio/accel/mma8452.c
@@ -1389,7 +1389,7 @@ static int mma8452_trigger_setup(struct
 	if (ret)
 		return ret;
 
-	indio_dev->trig = trig;
+	indio_dev->trig = iio_trigger_get(trig);
 
 	return 0;
 }



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 35/42] iio: ltr501: Dont return error code in trigger handler
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 34/42] iio: mma8452: Fix trigger reference couting Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 36/42] iio: kxsd9: " Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lars-Peter Clausen, Stable, Jonathan Cameron

From: Lars-Peter Clausen <lars@metafoo.de>

commit ef9d67fa72c1b149a420587e435a3e888bdbf74f upstream.

IIO trigger handlers need to return one of the irqreturn_t values.
Returning an error code is not supported.

The ltr501 interrupt handler gets this right for most error paths, but
there is one case where it returns the error code.

In addition for this particular case the trigger handler does not call
`iio_trigger_notify_done()`. Which when not done keeps the triggered
disabled forever.

Modify the code so that the function returns a valid irqreturn_t value as
well as calling `iio_trigger_notify_done()` on all exit paths.

Fixes: 2690be905123 ("iio: Add Lite-On ltr501 ambient light / proximity sensor driver")
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Link: https://lore.kernel.org/r/20211024171251.22896-1-lars@metafoo.de
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/light/ltr501.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/light/ltr501.c
+++ b/drivers/iio/light/ltr501.c
@@ -1248,7 +1248,7 @@ static irqreturn_t ltr501_trigger_handle
 		ret = regmap_bulk_read(data->regmap, LTR501_ALS_DATA1,
 				       (u8 *)als_buf, sizeof(als_buf));
 		if (ret < 0)
-			return ret;
+			goto done;
 		if (test_bit(0, indio_dev->active_scan_mask))
 			scan.channels[j++] = le16_to_cpu(als_buf[1]);
 		if (test_bit(1, indio_dev->active_scan_mask))



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 36/42] iio: kxsd9: Dont return error code in trigger handler
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 35/42] iio: ltr501: Dont return error code in trigger handler Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 37/42] iio: itg3200: Call iio_trigger_notify_done() on error Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lars-Peter Clausen, Linus Walleij,
	Stable, Jonathan Cameron

From: Lars-Peter Clausen <lars@metafoo.de>

commit 45febe0d63917ee908198c5be08511c64ee1790a upstream.

IIO trigger handlers need to return one of the irqreturn_t values.
Returning an error code is not supported.

The kxsd9 interrupt handler returns an error code if reading the data
registers fails. In addition when exiting due to an error the trigger
handler does not call `iio_trigger_notify_done()`. Which when not done
keeps the triggered disabled forever.

Modify the code so that the function returns a valid irqreturn_t value as
well as calling `iio_trigger_notify_done()` on all exit paths.

Since we can't return the error code make sure to at least log it as part
of the error message.

Fixes: 0427a106a98a ("iio: accel: kxsd9: Add triggered buffer handling")
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20211024171251.22896-2-lars@metafoo.de
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/accel/kxsd9.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/iio/accel/kxsd9.c
+++ b/drivers/iio/accel/kxsd9.c
@@ -227,14 +227,14 @@ static irqreturn_t kxsd9_trigger_handler
 			       hw_values.chan,
 			       sizeof(hw_values.chan));
 	if (ret) {
-		dev_err(st->dev,
-			"error reading data\n");
-		return ret;
+		dev_err(st->dev, "error reading data: %d\n", ret);
+		goto out;
 	}
 
 	iio_push_to_buffers_with_timestamp(indio_dev,
 					   &hw_values,
 					   iio_get_time_ns(indio_dev));
+out:
 	iio_trigger_notify_done(indio_dev->trig);
 
 	return IRQ_HANDLED;



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 37/42] iio: itg3200: Call iio_trigger_notify_done() on error
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 36/42] iio: kxsd9: " Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 38/42] iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lars-Peter Clausen, Stable, Jonathan Cameron

From: Lars-Peter Clausen <lars@metafoo.de>

commit 67fe29583e72b2103abb661bb58036e3c1f00277 upstream.

IIO trigger handlers must call iio_trigger_notify_done() when done. This
must be done even when an error occurred. Otherwise the trigger will be
seen as busy indefinitely and the trigger handler will never be called
again.

The itg3200 driver neglects to call iio_trigger_notify_done() when there is
an error reading the gyro data. Fix this by making sure that
iio_trigger_notify_done() is included in the error exit path.

Fixes: 9dbf091da080 ("iio: gyro: Add itg3200")
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Link: https://lore.kernel.org/r/20211101144055.13858-1-lars@metafoo.de
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/gyro/itg3200_buffer.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/gyro/itg3200_buffer.c
+++ b/drivers/iio/gyro/itg3200_buffer.c
@@ -64,9 +64,9 @@ static irqreturn_t itg3200_trigger_handl
 
 	iio_push_to_buffers_with_timestamp(indio_dev, &scan, pf->timestamp);
 
+error_ret:
 	iio_trigger_notify_done(indio_dev->trig);
 
-error_ret:
 	return IRQ_HANDLED;
 }
 



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 38/42] iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 37/42] iio: itg3200: Call iio_trigger_notify_done() on error Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 39/42] irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc() Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Yang Yingliang, Stable,
	Hans de Goede, Jonathan Cameron

From: Yang Yingliang <yangyingliang@huawei.com>

commit 70c9774e180d151abaab358108e3510a8e615215 upstream.

When ACPI type is ACPI_SMO8500, the data->dready_trig will not be set, the
memory allocated by iio_triggered_buffer_setup() will not be freed, and cause
memory leak as follows:

unreferenced object 0xffff888009551400 (size 512):
  comm "i2c-SMO8500-125", pid 911, jiffies 4294911787 (age 83.852s)
  hex dump (first 32 bytes):
    02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 20 e2 e5 c0 ff ff ff ff  ........ .......
  backtrace:
    [<0000000041ce75ee>] kmem_cache_alloc_trace+0x16d/0x360
    [<000000000aeb17b0>] iio_kfifo_allocate+0x41/0x130 [kfifo_buf]
    [<000000004b40c1f5>] iio_triggered_buffer_setup_ext+0x2c/0x210 [industrialio_triggered_buffer]
    [<000000004375b15f>] kxcjk1013_probe+0x10c3/0x1d81 [kxcjk_1013]

Fix it by remove data->dready_trig condition in probe and remove.

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: a25691c1f967 ("iio: accel: kxcjk1013: allow using an external trigger")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Cc: <Stable@vger.kernel.org>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20211025124159.2700301-1-yangyingliang@huawei.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/accel/kxcjk-1013.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/iio/accel/kxcjk-1013.c
+++ b/drivers/iio/accel/kxcjk-1013.c
@@ -1290,8 +1290,7 @@ static int kxcjk1013_probe(struct i2c_cl
 	return 0;
 
 err_buffer_cleanup:
-	if (data->dready_trig)
-		iio_triggered_buffer_cleanup(indio_dev);
+	iio_triggered_buffer_cleanup(indio_dev);
 err_trigger_unregister:
 	if (data->dready_trig)
 		iio_trigger_unregister(data->dready_trig);
@@ -1314,8 +1313,8 @@ static int kxcjk1013_remove(struct i2c_c
 	pm_runtime_set_suspended(&client->dev);
 	pm_runtime_put_noidle(&client->dev);
 
+	iio_triggered_buffer_cleanup(indio_dev);
 	if (data->dready_trig) {
-		iio_triggered_buffer_cleanup(indio_dev);
 		iio_trigger_unregister(data->dready_trig);
 		iio_trigger_unregister(data->motion_trig);
 	}



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 39/42] irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc()
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 38/42] iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 40/42] irqchip/armada-370-xp: Fix support for Multi-MSI interrupts Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pali Rohár, Marc Zyngier

From: Pali Rohár <pali@kernel.org>

commit ce20eff57361e72878a772ef08b5239d3ae102b6 upstream.

IRQ domain alloc function should return zero on success. Non-zero value
indicates failure.

Signed-off-by: Pali Rohár <pali@kernel.org>
Fixes: fcc392d501bd ("irqchip/armada-370-xp: Use the generic MSI infrastructure")
Cc: stable@vger.kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20211125130057.26705-1-pali@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/irqchip/irq-armada-370-xp.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/irqchip/irq-armada-370-xp.c
+++ b/drivers/irqchip/irq-armada-370-xp.c
@@ -171,7 +171,7 @@ static int armada_370_xp_msi_alloc(struc
 				    NULL, NULL);
 	}
 
-	return hwirq;
+	return 0;
 }
 
 static void armada_370_xp_msi_free(struct irq_domain *domain,



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 40/42] irqchip/armada-370-xp: Fix support for Multi-MSI interrupts
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 39/42] irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc() Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 41/42] irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pali Rohár, Marc Zyngier

From: Pali Rohár <pali@kernel.org>

commit d0a553502efd545c1ce3fd08fc4d423f8e4ac3d6 upstream.

irq-armada-370-xp driver already sets MSI_FLAG_MULTI_PCI_MSI flag into
msi_domain_info structure. But allocated interrupt numbers for Multi-MSI
needs to be properly aligned otherwise devices send MSI interrupt with
wrong number.

Fix this issue by using function bitmap_find_free_region() instead of
bitmap_find_next_zero_area() to allocate aligned interrupt numbers.

Signed-off-by: Pali Rohár <pali@kernel.org>
Fixes: a71b9412c90c ("irqchip/armada-370-xp: Allow allocation of multiple MSIs")
Cc: stable@vger.kernel.org
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20211125130057.26705-2-pali@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/irqchip/irq-armada-370-xp.c |   14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

--- a/drivers/irqchip/irq-armada-370-xp.c
+++ b/drivers/irqchip/irq-armada-370-xp.c
@@ -153,16 +153,12 @@ static int armada_370_xp_msi_alloc(struc
 	int hwirq, i;
 
 	mutex_lock(&msi_used_lock);
+	hwirq = bitmap_find_free_region(msi_used, PCI_MSI_DOORBELL_NR,
+					order_base_2(nr_irqs));
+	mutex_unlock(&msi_used_lock);
 
-	hwirq = bitmap_find_next_zero_area(msi_used, PCI_MSI_DOORBELL_NR,
-					   0, nr_irqs, 0);
-	if (hwirq >= PCI_MSI_DOORBELL_NR) {
-		mutex_unlock(&msi_used_lock);
+	if (hwirq < 0)
 		return -ENOSPC;
-	}
-
-	bitmap_set(msi_used, hwirq, nr_irqs);
-	mutex_unlock(&msi_used_lock);
 
 	for (i = 0; i < nr_irqs; i++) {
 		irq_domain_set_info(domain, virq + i, hwirq + i,
@@ -180,7 +176,7 @@ static void armada_370_xp_msi_free(struc
 	struct irq_data *d = irq_domain_get_irq_data(domain, virq);
 
 	mutex_lock(&msi_used_lock);
-	bitmap_clear(msi_used, d->hwirq, nr_irqs);
+	bitmap_release_region(msi_used, d->hwirq, order_base_2(nr_irqs));
 	mutex_unlock(&msi_used_lock);
 }
 



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 41/42] irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 40/42] irqchip/armada-370-xp: Fix support for Multi-MSI interrupts Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13  9:30 ` [PATCH 4.9 42/42] irqchip: nvic: Fix offset for Interrupt Priority Offsets Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wudi Wang, Shaokun Zhang, Marc Zyngier

From: Wudi Wang <wangwudi@hisilicon.com>

commit b383a42ca523ce54bcbd63f7c8f3cf974abc9b9a upstream.

INVALL CMD specifies that the ITS must ensure any caching associated with
the interrupt collection defined by ICID is consistent with the LPI
configuration tables held in memory for all Redistributors. SYNC is
required to ensure that INVALL is executed.

Currently, LPI configuration data may be inconsistent with that in the
memory within a short period of time after the INVALL command is executed.

Signed-off-by: Wudi Wang <wangwudi@hisilicon.com>
Signed-off-by: Shaokun Zhang <zhangshaokun@hisilicon.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Fixes: cc2d3216f53c ("irqchip: GICv3: ITS command queue")
Link: https://lore.kernel.org/r/20211208015429.5007-1-zhangshaokun@hisilicon.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/irqchip/irq-gic-v3-its.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -369,7 +369,7 @@ static struct its_collection *its_build_
 
 	its_fixup_cmd(cmd);
 
-	return NULL;
+	return desc->its_invall_cmd.col;
 }
 
 static u64 its_cmd_ptr_to_offset(struct its_node *its,



^ permalink raw reply	[flat|nested] 48+ messages in thread

* [PATCH 4.9 42/42] irqchip: nvic: Fix offset for Interrupt Priority Offsets
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 41/42] irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL Greg Kroah-Hartman
@ 2021-12-13  9:30 ` Greg Kroah-Hartman
  2021-12-13 14:43 ` [PATCH 4.9 00/42] 4.9.293-rc1 review Jon Hunter
                   ` (4 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-13  9:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vladimir Murzin, Marc Zyngier

From: Vladimir Murzin <vladimir.murzin@arm.com>

commit c5e0cbe2858d278a27d5b3fe31890aea5be064c4 upstream.

According to ARM(v7M) ARM Interrupt Priority Offsets located at
0xE000E400-0xE000E5EC, while 0xE000E300-0xE000E33C covers read-only
Interrupt Active Bit Registers

Fixes: 292ec080491d ("irqchip: Add support for ARMv7-M NVIC")
Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20211201110259.84857-1-vladimir.murzin@arm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/irqchip/irq-nvic.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/irqchip/irq-nvic.c
+++ b/drivers/irqchip/irq-nvic.c
@@ -29,7 +29,7 @@
 
 #define NVIC_ISER		0x000
 #define NVIC_ICER		0x080
-#define NVIC_IPR		0x300
+#define NVIC_IPR		0x400
 
 #define NVIC_MAX_BANKS		16
 /*



^ permalink raw reply	[flat|nested] 48+ messages in thread

* Re: [PATCH 4.9 00/42] 4.9.293-rc1 review
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2021-12-13  9:30 ` [PATCH 4.9 42/42] irqchip: nvic: Fix offset for Interrupt Priority Offsets Greg Kroah-Hartman
@ 2021-12-13 14:43 ` Jon Hunter
  2021-12-13 19:54 ` Guenter Roeck
                   ` (3 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Jon Hunter @ 2021-12-13 14:43 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable, linux-tegra

On Mon, 13 Dec 2021 10:29:42 +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.293 release.
> There are 42 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 15 Dec 2021 09:29:16 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.293-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

All tests passing for Tegra ...

Test results for stable-v4.9:
    8 builds:	8 pass, 0 fail
    16 boots:	16 pass, 0 fail
    32 tests:	32 pass, 0 fail

Linux version:	4.9.293-rc1-gad074ba3bae9
Boards tested:	tegra124-jetson-tk1, tegra20-ventana,
                tegra210-p2371-2180, tegra30-cardhu-a04

Tested-by: Jon Hunter <jonathanh@nvidia.com>

Jon

^ permalink raw reply	[flat|nested] 48+ messages in thread

* Re: [PATCH 4.9 00/42] 4.9.293-rc1 review
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2021-12-13 14:43 ` [PATCH 4.9 00/42] 4.9.293-rc1 review Jon Hunter
@ 2021-12-13 19:54 ` Guenter Roeck
  2021-12-13 20:00 ` Florian Fainelli
                   ` (2 subsequent siblings)
  46 siblings, 0 replies; 48+ messages in thread
From: Guenter Roeck @ 2021-12-13 19:54 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, lkft-triage, pavel,
	jonathanh, f.fainelli, stable

On Mon, Dec 13, 2021 at 10:29:42AM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.293 release.
> There are 42 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 15 Dec 2021 09:29:16 +0000.
> Anything received after that time might be too late.
> 

Build results:
	total: 163 pass: 163 fail: 0
Qemu test results:
	total: 394 pass: 394 fail: 0

Tested-by: Guenter Roeck <linux@roeck-us.net>

Guenter

^ permalink raw reply	[flat|nested] 48+ messages in thread

* Re: [PATCH 4.9 00/42] 4.9.293-rc1 review
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2021-12-13 19:54 ` Guenter Roeck
@ 2021-12-13 20:00 ` Florian Fainelli
  2021-12-13 20:31 ` Shuah Khan
  2021-12-14  5:53 ` Naresh Kamboju
  46 siblings, 0 replies; 48+ messages in thread
From: Florian Fainelli @ 2021-12-13 20:00 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, lkft-triage, pavel,
	jonathanh, stable

On 12/13/21 1:29 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.293 release.
> There are 42 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 15 Dec 2021 09:29:16 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.293-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels:

Tested-by: Florian Fainelli <f.fainelli@gmail.com>
-- 
Florian

^ permalink raw reply	[flat|nested] 48+ messages in thread

* Re: [PATCH 4.9 00/42] 4.9.293-rc1 review
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2021-12-13 20:00 ` Florian Fainelli
@ 2021-12-13 20:31 ` Shuah Khan
  2021-12-14  5:53 ` Naresh Kamboju
  46 siblings, 0 replies; 48+ messages in thread
From: Shuah Khan @ 2021-12-13 20:31 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, lkft-triage, pavel,
	jonathanh, f.fainelli, stable, Shuah Khan

On 12/13/21 2:29 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.293 release.
> There are 42 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 15 Dec 2021 09:29:16 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.293-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

Tested-by: Shuah Khan <skhan@linuxfoundation.org>

thanks,
-- Shuah

^ permalink raw reply	[flat|nested] 48+ messages in thread

* Re: [PATCH 4.9 00/42] 4.9.293-rc1 review
  2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2021-12-13 20:31 ` Shuah Khan
@ 2021-12-14  5:53 ` Naresh Kamboju
  46 siblings, 0 replies; 48+ messages in thread
From: Naresh Kamboju @ 2021-12-14  5:53 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, shuah, f.fainelli, patches, lkft-triage, jonathanh,
	stable, pavel, akpm, torvalds, linux

On Mon, 13 Dec 2021 at 15:04, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 4.9.293 release.
> There are 42 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 15 Dec 2021 09:29:16 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.293-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>

## Build
* kernel: 4.9.293-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git branch: linux-4.9.y
* git commit: ad074ba3bae9f56fde437a2ef3ecc555430a6f16
* git describe: v4.9.292-43-gad074ba3bae9
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-4.9.y/build/v4.9.292-43-gad074ba3bae9

## No Test Regressions (compared to v4.9.292)

## No Test Fixes (compared to v4.9.292)

## Test result summary
total: 66961, pass: 53001, fail: 521, skip: 11587, xfail: 1852

## Build Summary
* arm: 254 total, 186 passed, 68 failed
* arm64: 32 total, 32 passed, 0 failed
* dragonboard-410c: 1 total, 1 passed, 0 failed
* hi6220-hikey: 1 total, 1 passed, 0 failed
* i386: 19 total, 19 passed, 0 failed
* juno-r2: 1 total, 1 passed, 0 failed
* mips: 21 total, 21 passed, 0 failed
* sparc: 12 total, 12 passed, 0 failed
* x15: 1 total, 1 passed, 0 failed
* x86: 1 total, 1 passed, 0 failed
* x86_64: 31 total, 31 passed, 0 failed

## Test suites summary
* fwts
* igt-gpu-tools
* kselftest-android
* kselftest-arm64
* kselftest-arm64/arm64.btitest.bti_c_func
* kselftest-arm64/arm64.btitest.bti_j_func
* kselftest-arm64/arm64.btitest.bti_jc_func
* kselftest-arm64/arm64.btitest.bti_none_func
* kselftest-arm64/arm64.btitest.nohint_func
* kselftest-arm64/arm64.btitest.paciasp_func
* kselftest-arm64/arm64.nobtitest.bti_c_func
* kselftest-arm64/arm64.nobtitest.bti_j_func
* kselftest-arm64/arm64.nobtitest.bti_jc_func
* kselftest-arm64/arm64.nobtitest.bti_none_func
* kselftest-arm64/arm64.nobtitest.nohint_func
* kselftest-arm64/arm64.nobtitest.paciasp_func
* kselftest-bpf
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-drivers
* kselftest-efivarfs
* kselftest-filesystems
* kselftest-firmware
* kselftest-fpu
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-ir
* kselftest-kcmp
* kselftest-kexec
* kselftest-kvm
* kselftest-lib
* kselftest-livepatch
* kselftest-membarrier
* kselftest-openat2
* kselftest-pid_namespace
* kselftest-pidfd
* kselftest-proc
* kselftest-pstore
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-splice
* kselftest-static_keys
* kselftest-sync
* kselftest-sysctl
* kselftest-timens
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user
* kselftest-vm
* kselftest-x86
* kselftest-zram
* kvm-unit-tests
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-open-posix-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-tracing-tests
* network-basic-tests
* packetdrill
* perf
* ssuite
* v4l2-compliance

--
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 48+ messages in thread

end of thread, other threads:[~2021-12-14  5:53 UTC | newest]

Thread overview: 48+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-13  9:29 [PATCH 4.9 00/42] 4.9.293-rc1 review Greg Kroah-Hartman
2021-12-13  9:29 ` [PATCH 4.9 01/42] HID: introduce hid_is_using_ll_driver Greg Kroah-Hartman
2021-12-13  9:29 ` [PATCH 4.9 02/42] HID: add hid_is_usb() function to make it simpler for USB detection Greg Kroah-Hartman
2021-12-13  9:29 ` [PATCH 4.9 03/42] HID: add USB_HID dependancy to hid-prodikeys Greg Kroah-Hartman
2021-12-13  9:29 ` [PATCH 4.9 04/42] HID: add USB_HID dependancy to hid-chicony Greg Kroah-Hartman
2021-12-13  9:29 ` [PATCH 4.9 05/42] HID: add USB_HID dependancy on some USB HID drivers Greg Kroah-Hartman
2021-12-13  9:29 ` [PATCH 4.9 06/42] HID: wacom: fix problems when device is not a valid USB device Greg Kroah-Hartman
2021-12-13  9:29 ` [PATCH 4.9 07/42] HID: check for valid USB device for many HID drivers Greg Kroah-Hartman
2021-12-13  9:29 ` [PATCH 4.9 08/42] can: sja1000: fix use after free in ems_pcmcia_add_card() Greg Kroah-Hartman
2021-12-13  9:29 ` [PATCH 4.9 09/42] nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done Greg Kroah-Hartman
2021-12-13  9:29 ` [PATCH 4.9 10/42] IB/hfi1: Correct guard on eager buffer deallocation Greg Kroah-Hartman
2021-12-13  9:29 ` [PATCH 4.9 11/42] mm: bdi: initialize bdi_min_ratio when bdi is unregistered Greg Kroah-Hartman
2021-12-13  9:29 ` [PATCH 4.9 12/42] ALSA: ctl: Fix copy of updated id with element read/write Greg Kroah-Hartman
2021-12-13  9:29 ` [PATCH 4.9 13/42] ALSA: pcm: oss: Fix negative period/buffer sizes Greg Kroah-Hartman
2021-12-13  9:29 ` [PATCH 4.9 14/42] ALSA: pcm: oss: Limit the period size to 16MB Greg Kroah-Hartman
2021-12-13  9:29 ` [PATCH 4.9 15/42] ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*() Greg Kroah-Hartman
2021-12-13  9:29 ` [PATCH 4.9 16/42] tracefs: Have new files inherit the ownership of their parent Greg Kroah-Hartman
2021-12-13  9:29 ` [PATCH 4.9 17/42] can: pch_can: pch_can_rx_normal: fix use after free Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 18/42] libata: add horkage for ASMedia 1092 Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 19/42] wait: add wake_up_pollfree() Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 20/42] binder: use wake_up_pollfree() Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 21/42] signalfd: " Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 22/42] tracefs: Set all files to the same group ownership as the mount option Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 23/42] block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2) Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 24/42] net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 25/42] net: altera: set a couple error code in probe() Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 26/42] net: fec: only clear interrupt of handling queue in fec_enet_rx_queue() Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 27/42] net, neigh: clear whole pneigh_entry at alloc time Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 28/42] net/qla3xxx: fix an error code in ql_adapter_up() Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 29/42] USB: gadget: detect too-big endpoint 0 requests Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 30/42] USB: gadget: zero allocate endpoint 0 buffers Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 31/42] usb: core: config: fix validation of wMaxPacketValue entries Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 32/42] usb: core: config: using bit mask instead of individual bits Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 33/42] iio: stk3310: Dont return error code in interrupt handler Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 34/42] iio: mma8452: Fix trigger reference couting Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 35/42] iio: ltr501: Dont return error code in trigger handler Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 36/42] iio: kxsd9: " Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 37/42] iio: itg3200: Call iio_trigger_notify_done() on error Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 38/42] iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 39/42] irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc() Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 40/42] irqchip/armada-370-xp: Fix support for Multi-MSI interrupts Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 41/42] irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL Greg Kroah-Hartman
2021-12-13  9:30 ` [PATCH 4.9 42/42] irqchip: nvic: Fix offset for Interrupt Priority Offsets Greg Kroah-Hartman
2021-12-13 14:43 ` [PATCH 4.9 00/42] 4.9.293-rc1 review Jon Hunter
2021-12-13 19:54 ` Guenter Roeck
2021-12-13 20:00 ` Florian Fainelli
2021-12-13 20:31 ` Shuah Khan
2021-12-14  5:53 ` Naresh Kamboju

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.