All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 5.4 00/78] 5.4.12-stable review
@ 2020-01-14 10:00 Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 01/78] chardev: Avoid potential use-after-free in chrdev_open() Greg Kroah-Hartman
                   ` (81 more replies)
  0 siblings, 82 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 5.4.12 release.
There are 78 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu, 16 Jan 2020 09:41:58 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.12-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 5.4.12-rc1

Florian Westphal <fw@strlen.de>
    netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present

Florian Westphal <fw@strlen.de>
    netfilter: conntrack: dccp, sctp: handle null timeout argument

Florian Westphal <fw@strlen.de>
    netfilter: arp_tables: init netns pointer in xt_tgchk_param struct

Tony Lindgren <tony@atomide.com>
    phy: cpcap-usb: Fix flakey host idling and enumerating of devices

Tony Lindgren <tony@atomide.com>
    phy: cpcap-usb: Fix error path when no host driver is loaded

Alan Stern <stern@rowland.harvard.edu>
    USB: Fix: Don't skip endpoint descriptors with maxpacket=0

Dmitry Torokhov <dmitry.torokhov@gmail.com>
    HID: hiddev: fix mess in hiddev_open()

Navid Emamdoost <navid.emamdoost@gmail.com>
    ath10k: fix memory leak

Navid Emamdoost <navid.emamdoost@gmail.com>
    rtl8xxxu: prevent leaking urb

Navid Emamdoost <navid.emamdoost@gmail.com>
    scsi: bfa: release allocated memory in case of error

Navid Emamdoost <navid.emamdoost@gmail.com>
    rpmsg: char: release allocated memory

Navid Emamdoost <navid.emamdoost@gmail.com>
    mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf

Ganapathi Bhat <gbhat@marvell.com>
    mwifiex: fix possible heap overflow in mwifiex_process_country_ie()

Malcolm Priestley <tvboxspy@gmail.com>
    staging: vt6656: remove bool from vnt_radio_power_on ret

Amanieu d'Antras <amanieu@gmail.com>
    um: Implement copy_thread_tls

Amanieu d'Antras <amanieu@gmail.com>
    clone3: ensure copy_thread_tls is implemented

Amanieu d'Antras <amanieu@gmail.com>
    xtensa: Implement copy_thread_tls

Amanieu d'Antras <amanieu@gmail.com>
    riscv: Implement copy_thread_tls

Amanieu d'Antras <amanieu@gmail.com>
    parisc: Implement copy_thread_tls

Amanieu d'Antras <amanieu@gmail.com>
    arm: Implement copy_thread_tls

Amanieu d'Antras <amanieu@gmail.com>
    arm64: Implement copy_thread_tls

Amanieu d'Antras <amanieu@gmail.com>
    arm64: Move __ARCH_WANT_SYS_CLONE3 definition to uapi headers

Sudip Mukherjee <sudipm.mukherjee@gmail.com>
    tty: always relink the port

Sudip Mukherjee <sudipm.mukherjee@gmail.com>
    tty: link tty and port before configuring it as console

Patrick Steinhardt <ps@pks.im>
    iommu/vt-d: Fix adding non-PCI devices to Intel IOMMU

Punit Agrawal <punit1.agrawal@toshiba.co.jp>
    serdev: Don't claim unsupported ACPI serial devices

Michael Straube <straube.linux@gmail.com>
    staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21

Malcolm Priestley <tvboxspy@gmail.com>
    staging: vt6656: limit reg output to block size

Malcolm Priestley <tvboxspy@gmail.com>
    staging: vt6656: correct return of vnt_init_registers.

Ian Abbott <abbotti@mev.co.uk>
    staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713

Paul Cercueil <paul@crapouillou.net>
    usb: musb: dma: Correct parameter passed to IRQ handler

Paul Cercueil <paul@crapouillou.net>
    usb: musb: Disable pullup at init

Tony Lindgren <tony@atomide.com>
    usb: musb: fix idling for suspend after disconnect interrupt

Daniele Palmas <dnlplm@gmail.com>
    USB: serial: option: add ZLP support for 0x1bc7/0x9010

Douglas Gilbert <dgilbert@interlog.com>
    USB-PD tcpm: bad warning+size, PPS adapters

Colin Ian King <colin.king@canonical.com>
    usb: ohci-da8xx: ensure error return on variable error is set

Peter Chen <peter.chen@nxp.com>
    usb: cdns3: should not use the same dev_id for shared interrupt handler

Malcolm Priestley <tvboxspy@gmail.com>
    staging: vt6656: Fix non zero logical return of, usb_control_msg

Malcolm Priestley <tvboxspy@gmail.com>
    staging: vt6656: set usb_set_intfdata on driver fail.

Kees Cook <keescook@chromium.org>
    pstore/ram: Regularize prz label allocation lifetime

Hans de Goede <hdegoede@redhat.com>
    gpiolib: acpi: Add honor_wakeup module-option + quirk mechanism

Hans de Goede <hdegoede@redhat.com>
    gpiolib: acpi: Turn dmi_system_id table into a generic quirk table

Oliver Hartkopp <socketcan@hartkopp.net>
    can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs

Florian Faber <faber@faberman.de>
    can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode

Sean Nyekjaer <sean@geanix.com>
    can: tcan4x5x: tcan4x5x_can_probe(): get the device out of standby before register access

Johan Hovold <johan@kernel.org>
    can: gs_usb: gs_usb_probe(): use descriptors of current altsetting

Johan Hovold <johan@kernel.org>
    can: kvaser_usb: fix interface sanity check

Kaike Wan <kaike.wan@intel.com>
    IB/hfi1: Adjust flow PSN with the correct resync_psn

Chris Wilson <chris@chris-wilson.co.uk>
    drm/i915/gt: Mark up virtual engine uabi_instance

Matt Roper <matthew.d.roper@intel.com>
    drm/i915: Add Wa_1407352427:icl,ehl

Wayne Lin <Wayne.Lin@amd.com>
    drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ

Geert Uytterhoeven <geert+renesas@glider.be>
    drm/fb-helper: Round up bits_per_pixel if possible

Chen-Yu Tsai <wens@csie.org>
    drm/sun4i: tcon: Set RGB DCLK min. divider based on hardware model

Alex Deucher <alexander.deucher@amd.com>
    Revert "drm/amdgpu: Set no-retry as default."

Chunming Zhou <david1.zhou@amd.com>
    drm/amdgpu: add DRIVER_SYNCOBJ_TIMELINE to amdgpu

Matt Roper <matthew.d.roper@intel.com>
    drm/i915: Add Wa_1408615072 and Wa_1407596294 to icl,ehl

Arnd Bergmann <arnd@arndb.de>
    Input: input_event - fix struct padding on sparc64

Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Input: add safety guards to input_set_keycode()

Dmitry Torokhov <dmitry.torokhov@gmail.com>
    HID: hid-input: clear unmapped usages

Marcel Holtmann <marcel@holtmann.org>
    HID: hidraw: Fix returning EPOLLOUT from hidraw_poll

Marcel Holtmann <marcel@holtmann.org>
    HID: uhid: Fix returning EPOLLOUT from uhid_char_poll

Alan Stern <stern@rowland.harvard.edu>
    HID: Fix slab-out-of-bounds read in hid_field_extract

Joel Fernandes (Google) <joel@joelfernandes.org>
    tracing: Change offset type to s32 in preempt/irq tracepoints

Steven Rostedt (VMware) <rostedt@goodmis.org>
    tracing: Have stack tracer compile when MCOUNT_INSN_SIZE is not defined

Kaitao Cheng <pilgrimtao@gmail.com>
    kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail

Chen-Yu Tsai <wens@csie.org>
    rtc: sun6i: Add support for RTC clocks on R40

Tadeusz Struk <tadeusz.struk@intel.com>
    tpm: Handle negative priv->response_len in tpm_common_read()

Stefan Berger <stefanb@linux.ibm.com>
    tpm: Revert "tpm_tis_core: Turn on the TPM before probing IRQ's"

Stefan Berger <stefanb@linux.ibm.com>
    tpm: Revert "tpm_tis_core: Set TPM_CHIP_FLAG_IRQ before probing for interrupts"

Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
    tpm: Revert "tpm_tis: reserve chip for duration of tpm_tis_core_init"

Kailang Yang <kailang@realtek.com>
    ALSA: hda/realtek - Add quirk for the bass speaker on Lenovo Yoga X1 7th gen

Kailang Yang <kailang@realtek.com>
    ALSA: hda/realtek - Set EAPD control to default for ALC222

Kailang Yang <kailang@realtek.com>
    ALSA: hda/realtek - Add new codec supported for ALCS1200A

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5

Guenter Roeck <linux@roeck-us.net>
    usb: chipidea: host: Disable port power only if previously enabled

Harry Pan <harry.pan@intel.com>
    powercap: intel_rapl: add NULL pointer check to rapl_mmio_cpu_online()

Russell King <rmk+kernel@armlinux.org.uk>
    i2c: fix bus recovery stop mode timing

Will Deacon <will@kernel.org>
    chardev: Avoid potential use-after-free in 'chrdev_open()'


-------------

Diffstat:

 Makefile                                           |  4 +-
 arch/arm/Kconfig                                   |  1 +
 arch/arm/kernel/process.c                          |  6 +-
 arch/arm64/Kconfig                                 |  1 +
 arch/arm64/include/asm/unistd.h                    |  1 -
 arch/arm64/include/uapi/asm/unistd.h               |  1 +
 arch/arm64/kernel/process.c                        | 10 +--
 arch/parisc/Kconfig                                |  1 +
 arch/parisc/kernel/process.c                       |  8 +-
 arch/riscv/Kconfig                                 |  1 +
 arch/riscv/kernel/process.c                        |  6 +-
 arch/um/Kconfig                                    |  1 +
 arch/um/include/asm/ptrace-generic.h               |  2 +-
 arch/um/kernel/process.c                           |  6 +-
 arch/x86/um/tls_32.c                               |  6 +-
 arch/x86/um/tls_64.c                               |  7 +-
 arch/xtensa/Kconfig                                |  1 +
 arch/xtensa/kernel/process.c                       |  8 +-
 drivers/char/tpm/tpm-dev-common.c                  |  2 +-
 drivers/char/tpm/tpm-dev.h                         |  2 +-
 drivers/char/tpm/tpm_tis_core.c                    | 34 ++++----
 drivers/gpio/gpiolib-acpi.c                        | 51 ++++++++++--
 drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c            |  7 +-
 drivers/gpu/drm/drm_dp_mst_topology.c              |  2 +-
 drivers/gpu/drm/drm_fb_helper.c                    |  7 +-
 drivers/gpu/drm/i915/gt/intel_lrc.c                |  2 +
 drivers/gpu/drm/i915/i915_reg.h                    |  8 +-
 drivers/gpu/drm/i915/intel_pm.c                    | 11 +++
 drivers/gpu/drm/sun4i/sun4i_tcon.c                 | 15 +++-
 drivers/gpu/drm/sun4i/sun4i_tcon.h                 |  1 +
 drivers/hid/hid-core.c                             |  6 ++
 drivers/hid/hid-input.c                            | 16 +++-
 drivers/hid/hidraw.c                               |  4 +-
 drivers/hid/uhid.c                                 |  2 +-
 drivers/hid/usbhid/hiddev.c                        | 97 ++++++++++------------
 drivers/i2c/i2c-core-base.c                        | 13 ++-
 drivers/infiniband/hw/hfi1/tid_rdma.c              |  9 ++
 drivers/input/evdev.c                              | 14 ++--
 drivers/input/input.c                              | 26 +++---
 drivers/input/misc/uinput.c                        | 14 ++--
 drivers/iommu/intel-iommu.c                        |  9 +-
 drivers/net/can/m_can/tcan4x5x.c                   |  4 +
 drivers/net/can/mscan/mscan.c                      | 21 +++--
 drivers/net/can/usb/gs_usb.c                       |  4 +-
 drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c  |  2 +-
 drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c   |  2 +-
 drivers/net/wireless/ath/ath10k/usb.c              |  1 +
 drivers/net/wireless/marvell/mwifiex/pcie.c        |  4 +-
 drivers/net/wireless/marvell/mwifiex/sta_ioctl.c   | 13 ++-
 .../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c  |  1 +
 drivers/phy/motorola/phy-cpcap-usb.c               | 35 ++++----
 drivers/powercap/intel_rapl_common.c               |  3 +
 drivers/rpmsg/rpmsg_char.c                         |  6 +-
 drivers/rtc/rtc-sun6i.c                            | 16 ++++
 drivers/scsi/bfa/bfad_attr.c                       |  4 +-
 drivers/staging/comedi/drivers/adv_pci1710.c       |  4 +-
 drivers/staging/rtl8188eu/os_dep/usb_intf.c        |  1 +
 drivers/staging/vt6656/baseband.c                  |  4 +-
 drivers/staging/vt6656/card.c                      |  2 +-
 drivers/staging/vt6656/device.h                    |  1 +
 drivers/staging/vt6656/main_usb.c                  |  3 +-
 drivers/staging/vt6656/usbpipe.c                   | 25 +++++-
 drivers/staging/vt6656/usbpipe.h                   |  5 ++
 drivers/staging/vt6656/wcmd.c                      |  1 +
 drivers/tty/serdev/core.c                          | 10 +++
 drivers/tty/serial/serial_core.c                   |  1 +
 drivers/usb/cdns3/gadget.c                         | 14 ++--
 drivers/usb/chipidea/host.c                        |  4 +-
 drivers/usb/core/config.c                          | 12 ++-
 drivers/usb/host/ohci-da8xx.c                      |  8 +-
 drivers/usb/musb/musb_core.c                       | 11 +++
 drivers/usb/musb/musbhsdma.c                       |  2 +-
 drivers/usb/serial/option.c                        |  8 ++
 drivers/usb/serial/usb-wwan.h                      |  1 +
 drivers/usb/serial/usb_wwan.c                      |  4 +
 drivers/usb/typec/tcpm/tcpci.c                     | 20 +++--
 fs/char_dev.c                                      |  2 +-
 fs/pstore/ram.c                                    |  4 +-
 fs/pstore/ram_core.c                               |  2 +-
 include/linux/can/dev.h                            | 34 ++++++++
 include/trace/events/preemptirq.h                  |  8 +-
 include/uapi/linux/input.h                         |  1 +
 kernel/fork.c                                      | 10 +++
 kernel/trace/trace_sched_wakeup.c                  |  4 +-
 kernel/trace/trace_stack.c                         |  5 ++
 net/ipv4/netfilter/arp_tables.c                    | 27 +++---
 net/netfilter/ipset/ip_set_core.c                  |  3 +-
 net/netfilter/nf_conntrack_proto_dccp.c            |  3 +
 net/netfilter/nf_conntrack_proto_sctp.c            |  3 +
 sound/pci/hda/patch_realtek.c                      |  5 ++
 sound/usb/quirks.c                                 |  1 +
 91 files changed, 547 insertions(+), 245 deletions(-)



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 01/78] chardev: Avoid potential use-after-free in chrdev_open()
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 02/78] i2c: fix bus recovery stop mode timing Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hillf Danton, Andrew Morton, Al Viro,
	syzbot+82defefbbd8527e1c2cb, Will Deacon

From: Will Deacon <will@kernel.org>

commit 68faa679b8be1a74e6663c21c3a9d25d32f1c079 upstream.

'chrdev_open()' calls 'cdev_get()' to obtain a reference to the
'struct cdev *' stashed in the 'i_cdev' field of the target inode
structure. If the pointer is NULL, then it is initialised lazily by
looking up the kobject in the 'cdev_map' and so the whole procedure is
protected by the 'cdev_lock' spinlock to serialise initialisation of
the shared pointer.

Unfortunately, it is possible for the initialising thread to fail *after*
installing the new pointer, for example if the subsequent '->open()' call
on the file fails. In this case, 'cdev_put()' is called, the reference
count on the kobject is dropped and, if nobody else has taken a reference,
the release function is called which finally clears 'inode->i_cdev' from
'cdev_purge()' before potentially freeing the object. The problem here
is that a racing thread can happily take the 'cdev_lock' and see the
non-NULL pointer in the inode, which can result in a refcount increment
from zero and a warning:

  |  ------------[ cut here ]------------
  |  refcount_t: addition on 0; use-after-free.
  |  WARNING: CPU: 2 PID: 6385 at lib/refcount.c:25 refcount_warn_saturate+0x6d/0xf0
  |  Modules linked in:
  |  CPU: 2 PID: 6385 Comm: repro Not tainted 5.5.0-rc2+ #22
  |  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
  |  RIP: 0010:refcount_warn_saturate+0x6d/0xf0
  |  Code: 05 55 9a 15 01 01 e8 9d aa c8 ff 0f 0b c3 80 3d 45 9a 15 01 00 75 ce 48 c7 c7 00 9c 62 b3 c6 08
  |  RSP: 0018:ffffb524c1b9bc70 EFLAGS: 00010282
  |  RAX: 0000000000000000 RBX: ffff9e9da1f71390 RCX: 0000000000000000
  |  RDX: ffff9e9dbbd27618 RSI: ffff9e9dbbd18798 RDI: ffff9e9dbbd18798
  |  RBP: 0000000000000000 R08: 000000000000095f R09: 0000000000000039
  |  R10: 0000000000000000 R11: ffffb524c1b9bb20 R12: ffff9e9da1e8c700
  |  R13: ffffffffb25ee8b0 R14: 0000000000000000 R15: ffff9e9da1e8c700
  |  FS:  00007f3b87d26700(0000) GS:ffff9e9dbbd00000(0000) knlGS:0000000000000000
  |  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  |  CR2: 00007fc16909c000 CR3: 000000012df9c000 CR4: 00000000000006e0
  |  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  |  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  |  Call Trace:
  |   kobject_get+0x5c/0x60
  |   cdev_get+0x2b/0x60
  |   chrdev_open+0x55/0x220
  |   ? cdev_put.part.3+0x20/0x20
  |   do_dentry_open+0x13a/0x390
  |   path_openat+0x2c8/0x1470
  |   do_filp_open+0x93/0x100
  |   ? selinux_file_ioctl+0x17f/0x220
  |   do_sys_open+0x186/0x220
  |   do_syscall_64+0x48/0x150
  |   entry_SYSCALL_64_after_hwframe+0x44/0xa9
  |  RIP: 0033:0x7f3b87efcd0e
  |  Code: 89 54 24 08 e8 a3 f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f4
  |  RSP: 002b:00007f3b87d259f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
  |  RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b87efcd0e
  |  RDX: 0000000000000000 RSI: 00007f3b87d25a80 RDI: 00000000ffffff9c
  |  RBP: 00007f3b87d25e90 R08: 0000000000000000 R09: 0000000000000000
  |  R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe188f504e
  |  R13: 00007ffe188f504f R14: 00007f3b87d26700 R15: 0000000000000000
  |  ---[ end trace 24f53ca58db8180a ]---

Since 'cdev_get()' can already fail to obtain a reference, simply move
it over to use 'kobject_get_unless_zero()' instead of 'kobject_get()',
which will cause the racing thread to return -ENXIO if the initialising
thread fails unexpectedly.

Cc: Hillf Danton <hdanton@sina.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Reported-by: syzbot+82defefbbd8527e1c2cb@syzkaller.appspotmail.com
Signed-off-by: Will Deacon <will@kernel.org>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191219120203.32691-1-will@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/char_dev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/char_dev.c
+++ b/fs/char_dev.c
@@ -352,7 +352,7 @@ static struct kobject *cdev_get(struct c
 
 	if (owner && !try_module_get(owner))
 		return NULL;
-	kobj = kobject_get(&p->kobj);
+	kobj = kobject_get_unless_zero(&p->kobj);
 	if (!kobj)
 		module_put(owner);
 	return kobj;



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 02/78] i2c: fix bus recovery stop mode timing
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 01/78] chardev: Avoid potential use-after-free in chrdev_open() Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 03/78] powercap: intel_rapl: add NULL pointer check to rapl_mmio_cpu_online() Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Russell King, Wolfram Sang

From: Russell King <rmk+kernel@armlinux.org.uk>

commit cf8ce8b80f8bf9669f6ec4e71e16668430febdac upstream.

The I2C specification states that tsu:sto for standard mode timing must
be at minimum 4us. Pictographically, this is:

SCL: ____/~~~~~~~~~
SDA: _________/~~~~
       ->|    |<- 4us minimum

We are currently waiting 2.5us between asserting SCL and SDA, which is
in violation of the standard. Adjust the timings to ensure that we meet
what is stipulated as the minimum timings to ensure that all devices
correctly interpret the STOP bus transition.

This is more important than trying to generate a square wave with even
duty cycle.

Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/i2c/i2c-core-base.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/drivers/i2c/i2c-core-base.c
+++ b/drivers/i2c/i2c-core-base.c
@@ -186,10 +186,11 @@ int i2c_generic_scl_recovery(struct i2c_
 	 * If we can set SDA, we will always create a STOP to ensure additional
 	 * pulses will do no harm. This is achieved by letting SDA follow SCL
 	 * half a cycle later. Check the 'incomplete_write_byte' fault injector
-	 * for details.
+	 * for details. Note that we must honour tsu:sto, 4us, but lets use 5us
+	 * here for simplicity.
 	 */
 	bri->set_scl(adap, scl);
-	ndelay(RECOVERY_NDELAY / 2);
+	ndelay(RECOVERY_NDELAY);
 	if (bri->set_sda)
 		bri->set_sda(adap, scl);
 	ndelay(RECOVERY_NDELAY / 2);
@@ -211,7 +212,13 @@ int i2c_generic_scl_recovery(struct i2c_
 		scl = !scl;
 		bri->set_scl(adap, scl);
 		/* Creating STOP again, see above */
-		ndelay(RECOVERY_NDELAY / 2);
+		if (scl)  {
+			/* Honour minimum tsu:sto */
+			ndelay(RECOVERY_NDELAY);
+		} else {
+			/* Honour minimum tf and thd:dat */
+			ndelay(RECOVERY_NDELAY / 2);
+		}
 		if (bri->set_sda)
 			bri->set_sda(adap, scl);
 		ndelay(RECOVERY_NDELAY / 2);



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 03/78] powercap: intel_rapl: add NULL pointer check to rapl_mmio_cpu_online()
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 01/78] chardev: Avoid potential use-after-free in chrdev_open() Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 02/78] i2c: fix bus recovery stop mode timing Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 04/78] usb: chipidea: host: Disable port power only if previously enabled Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Harry Pan, Rafael J. Wysocki

From: Harry Pan <harry.pan@intel.com>

commit 3aa3c5882e4fb2274448908aaed605a3ed7dd15d upstream.

RAPL MMIO support depends on the RAPL common driver.  During CPU
initialization rapl_mmio_cpu_online() is called via CPU hotplug
to initialize the MMIO RAPL for the new CPU, but if that CPU is
not present in the common RAPL driver's support list, rapl_defaults
is NULL and the kernel crashes on an attempt to dereference it:

[    4.188566] BUG: kernel NULL pointer dereference, address: 0000000000000020
...snip...
[    4.189555] RIP: 0010:rapl_add_package+0x223/0x574
[    4.189555] Code: b5 a0 31 c0 49 8b 4d 78 48 01 d9 48 8b 0c c1 49 89 4c c6 10 48 ff c0 48 83 f8 05 75 e7 49 83 ff 03 75 15 48 8b 05 09 bc 18 01 <8b> 70 20 41 89 b6 0c 05 00 00 85 f6 75 1a 49 81 c6 18 9
[    4.189555] RSP: 0000:ffffb3adc00b3d90 EFLAGS: 00010246
[    4.189555] RAX: 0000000000000000 RBX: 0000000000000098 RCX: 0000000000000000
[    4.267161] usb 1-1: New USB device found, idVendor=2109, idProduct=2812, bcdDevice= b.e0
[    4.189555] RDX: 0000000000001000 RSI: 0000000000000000 RDI: ffff9340caafd000
[    4.189555] RBP: ffffb3adc00b3df8 R08: ffffffffa0246e28 R09: ffff9340caafc000
[    4.189555] R10: 000000000000024a R11: ffffffff9ff1f6f2 R12: 00000000ffffffed
[    4.189555] R13: ffff9340caa94800 R14: ffff9340caafc518 R15: 0000000000000003
[    4.189555] FS:  0000000000000000(0000) GS:ffff9340ce200000(0000) knlGS:0000000000000000
[    4.189555] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    4.189555] CR2: 0000000000000020 CR3: 0000000302c14001 CR4: 00000000003606f0
[    4.189555] Call Trace:
[    4.189555]  ? __switch_to_asm+0x40/0x70
[    4.189555]  rapl_mmio_cpu_online+0x47/0x64
[    4.189555]  ? rapl_mmio_write_raw+0x33/0x33
[    4.281059] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[    4.189555]  cpuhp_invoke_callback+0x29f/0x66f
[    4.189555]  ? __schedule+0x46d/0x6a0
[    4.189555]  cpuhp_thread_fun+0xb9/0x11c
[    4.189555]  smpboot_thread_fn+0x17d/0x22f
[    4.297006] usb 1-1: Product: USB2.0 Hub
[    4.189555]  ? cpu_report_death+0x43/0x43
[    4.189555]  kthread+0x137/0x13f
[    4.189555]  ? cpu_report_death+0x43/0x43
[    4.189555]  ? kthread_blkcg+0x2e/0x2e
[    4.312951] usb 1-1: Manufacturer: VIA Labs, Inc.
[    4.189555]  ret_from_fork+0x1f/0x40
[    4.189555] Modules linked in:
[    4.189555] CR2: 0000000000000020
[    4.189555] ---[ end trace 01bb812aabc791f4 ]---

To avoid that problem, check rapl_defaults NULL upfront and return an
error code if it is NULL.  [Note that it does not make sense to even
try to allocate memory in that case, because it is not going to be
used anyway.]

Fixes: 555c45fe0d04 ("int340X/processor_thermal_device: add support for MMIO RAPL")
Cc: 5.3+ <stable@vger.kernel.org> # 5.3+
Signed-off-by: Harry Pan <harry.pan@intel.com>
[ rjw: Subject & changelog ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/powercap/intel_rapl_common.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/powercap/intel_rapl_common.c
+++ b/drivers/powercap/intel_rapl_common.c
@@ -1293,6 +1293,9 @@ struct rapl_package *rapl_add_package(in
 	struct cpuinfo_x86 *c = &cpu_data(cpu);
 	int ret;
 
+	if (!rapl_defaults)
+		return ERR_PTR(-ENODEV);
+
 	rp = kzalloc(sizeof(struct rapl_package), GFP_KERNEL);
 	if (!rp)
 		return ERR_PTR(-ENOMEM);



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 04/78] usb: chipidea: host: Disable port power only if previously enabled
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 03/78] powercap: intel_rapl: add NULL pointer check to rapl_mmio_cpu_online() Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 05/78] ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5 Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Grzeschik, Peter Chen,
	Guenter Roeck, Peter Chen

From: Guenter Roeck <linux@roeck-us.net>

commit c1ffba305dbcf3fb9ca969c20a97acbddc38f8e9 upstream.

On shutdown, ehci_power_off() is called unconditionally to power off
each port, even if it was never called to power on the port.
For chipidea, this results in a call to ehci_ci_portpower() with a request
to power off ports even if the port was never powered on.
This results in the following warning from the regulator code.

WARNING: CPU: 0 PID: 182 at drivers/regulator/core.c:2596 _regulator_disable+0x1a8/0x210
unbalanced disables for usb_otg2_vbus
Modules linked in:
CPU: 0 PID: 182 Comm: init Not tainted 5.4.6 #1
Hardware name: Freescale i.MX7 Dual (Device Tree)
[<c0313658>] (unwind_backtrace) from [<c030d698>] (show_stack+0x10/0x14)
[<c030d698>] (show_stack) from [<c1133afc>] (dump_stack+0xe0/0x10c)
[<c1133afc>] (dump_stack) from [<c0349098>] (__warn+0xf4/0x10c)
[<c0349098>] (__warn) from [<c0349128>] (warn_slowpath_fmt+0x78/0xbc)
[<c0349128>] (warn_slowpath_fmt) from [<c09f36ac>] (_regulator_disable+0x1a8/0x210)
[<c09f36ac>] (_regulator_disable) from [<c09f374c>] (regulator_disable+0x38/0xe8)
[<c09f374c>] (regulator_disable) from [<c0df7bac>] (ehci_ci_portpower+0x38/0xdc)
[<c0df7bac>] (ehci_ci_portpower) from [<c0db4fa4>] (ehci_port_power+0x50/0xa4)
[<c0db4fa4>] (ehci_port_power) from [<c0db5420>] (ehci_silence_controller+0x5c/0xc4)
[<c0db5420>] (ehci_silence_controller) from [<c0db7644>] (ehci_stop+0x3c/0xcc)
[<c0db7644>] (ehci_stop) from [<c0d5bdc4>] (usb_remove_hcd+0xe0/0x19c)
[<c0d5bdc4>] (usb_remove_hcd) from [<c0df7638>] (host_stop+0x38/0xa8)
[<c0df7638>] (host_stop) from [<c0df2f34>] (ci_hdrc_remove+0x44/0xe4)
...

Keeping track of the power enable state avoids the warning and traceback.

Fixes: c8679a2fb8dec ("usb: chipidea: host: add portpower override")
Cc: Michael Grzeschik <m.grzeschik@pengutronix.de>
Cc: Peter Chen <peter.chen@freescale.com>
Cc: stable@vger.kernel.org
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Peter Chen <peter.chen@nxp.com>
Link: https://lore.kernel.org/r/20191226155754.25451-1-linux@roeck-us.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/chipidea/host.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/chipidea/host.c
+++ b/drivers/usb/chipidea/host.c
@@ -26,6 +26,7 @@ static int (*orig_bus_suspend)(struct us
 
 struct ehci_ci_priv {
 	struct regulator *reg_vbus;
+	bool enabled;
 };
 
 static int ehci_ci_portpower(struct usb_hcd *hcd, int portnum, bool enable)
@@ -37,7 +38,7 @@ static int ehci_ci_portpower(struct usb_
 	int ret = 0;
 	int port = HCS_N_PORTS(ehci->hcs_params);
 
-	if (priv->reg_vbus) {
+	if (priv->reg_vbus && enable != priv->enabled) {
 		if (port > 1) {
 			dev_warn(dev,
 				"Not support multi-port regulator control\n");
@@ -53,6 +54,7 @@ static int ehci_ci_portpower(struct usb_
 				enable ? "enable" : "disable", ret);
 			return ret;
 		}
+		priv->enabled = enable;
 	}
 
 	if (enable && (ci->platdata->phy_mode == USBPHY_INTERFACE_MODE_HSIC)) {



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 05/78] ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 04/78] usb: chipidea: host: Disable port power only if previously enabled Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 06/78] ALSA: hda/realtek - Add new codec supported for ALCS1200A Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 51d4efab7865e6ea6a4ebcd25b3f03c019515c4c upstream.

Bose Companion 5 (with USB ID 05a7:1020) doesn't seem supporting
reading back the sample rate, so the existing quirk is needed.

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206063
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200104110936.14288-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/usb/quirks.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -1397,6 +1397,7 @@ bool snd_usb_get_sample_rate_quirk(struc
 	case USB_ID(0x04D8, 0xFEEA): /* Benchmark DAC1 Pre */
 	case USB_ID(0x0556, 0x0014): /* Phoenix Audio TMX320VC */
 	case USB_ID(0x05A3, 0x9420): /* ELP HD USB Camera */
+	case USB_ID(0x05a7, 0x1020): /* Bose Companion 5 */
 	case USB_ID(0x074D, 0x3553): /* Outlaw RR2150 (Micronas UAC3553B) */
 	case USB_ID(0x1395, 0x740a): /* Sennheiser DECT */
 	case USB_ID(0x1901, 0x0191): /* GE B850V3 CP2114 audio interface */



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 06/78] ALSA: hda/realtek - Add new codec supported for ALCS1200A
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 05/78] ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5 Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 07/78] ALSA: hda/realtek - Set EAPD control to default for ALC222 Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kailang Yang, Takashi Iwai

From: Kailang Yang <kailang@realtek.com>

commit 6d9ffcff646bbd0ede6c2a59f4cd28414ecec6e0 upstream.

Add ALCS1200A supported.
It was similar as ALC900.

Signed-off-by: Kailang Yang <kailang@realtek.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/a9bd3cdaa02d4fa197623448d5c51e50@realtek.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -430,6 +430,7 @@ static void alc_fill_eapd_coef(struct hd
 		break;
 	case 0x10ec0899:
 	case 0x10ec0900:
+	case 0x10ec0b00:
 	case 0x10ec1168:
 	case 0x10ec1220:
 		alc_update_coef_idx(codec, 0x7, 1<<1, 0);
@@ -2526,6 +2527,7 @@ static int patch_alc882(struct hda_codec
 	case 0x10ec0882:
 	case 0x10ec0885:
 	case 0x10ec0900:
+	case 0x10ec0b00:
 	case 0x10ec1220:
 		break;
 	default:
@@ -9295,6 +9297,7 @@ static const struct hda_device_id snd_hd
 	HDA_CODEC_ENTRY(0x10ec0892, "ALC892", patch_alc662),
 	HDA_CODEC_ENTRY(0x10ec0899, "ALC898", patch_alc882),
 	HDA_CODEC_ENTRY(0x10ec0900, "ALC1150", patch_alc882),
+	HDA_CODEC_ENTRY(0x10ec0b00, "ALCS1200A", patch_alc882),
 	HDA_CODEC_ENTRY(0x10ec1168, "ALC1220", patch_alc882),
 	HDA_CODEC_ENTRY(0x10ec1220, "ALC1220", patch_alc882),
 	{} /* terminator */



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 07/78] ALSA: hda/realtek - Set EAPD control to default for ALC222
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 06/78] ALSA: hda/realtek - Add new codec supported for ALCS1200A Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 08/78] ALSA: hda/realtek - Add quirk for the bass speaker on Lenovo Yoga X1 7th gen Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kailang Yang, Takashi Iwai

From: Kailang Yang <kailang@realtek.com>

commit 9194a1ebbc56d7006835e2b4cacad301201fb832 upstream.

Set EAPD control to verb control.

Signed-off-by: Kailang Yang <kailang@realtek.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -412,6 +412,7 @@ static void alc_fill_eapd_coef(struct hd
 	case 0x10ec0672:
 		alc_update_coef_idx(codec, 0xd, 0, 1<<14); /* EAPD Ctrl */
 		break;
+	case 0x10ec0222:
 	case 0x10ec0623:
 		alc_update_coef_idx(codec, 0x19, 1<<13, 0);
 		break;



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 08/78] ALSA: hda/realtek - Add quirk for the bass speaker on Lenovo Yoga X1 7th gen
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 07/78] ALSA: hda/realtek - Set EAPD control to default for ALC222 Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 09/78] tpm: Revert "tpm_tis: reserve chip for duration of tpm_tis_core_init" Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kailang Yang, Jaroslav Kysela, Takashi Iwai

From: Kailang Yang <kailang@realtek.com>

commit 54a6a7dc107da0492a9e84fd7e9a107b3c58138d upstream.

Add quirk to ALC285_FIXUP_SPEAKER2_TO_DAC1, which is the same fixup
applied for X1 Carbon 7th gen in commit d2cd795c4ece ("ALSA: hda -
fixup for the bass speaker on Lenovo Carbon X1 7th gen").

Signed-off-by: Kailang Yang <kailang@realtek.com>
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -7260,6 +7260,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x17aa, 0x224c, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
 	SND_PCI_QUIRK(0x17aa, 0x224d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
 	SND_PCI_QUIRK(0x17aa, 0x225d, "Thinkpad T480", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+	SND_PCI_QUIRK(0x17aa, 0x2292, "Thinkpad X1 Yoga 7th", ALC285_FIXUP_SPEAKER2_TO_DAC1),
 	SND_PCI_QUIRK(0x17aa, 0x2293, "Thinkpad X1 Carbon 7th", ALC285_FIXUP_SPEAKER2_TO_DAC1),
 	SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
 	SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 09/78] tpm: Revert "tpm_tis: reserve chip for duration of tpm_tis_core_init"
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 08/78] ALSA: hda/realtek - Add quirk for the bass speaker on Lenovo Yoga X1 7th gen Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 10/78] tpm: Revert "tpm_tis_core: Set TPM_CHIP_FLAG_IRQ before probing for interrupts" Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jerry Snitselaar, Dan Williams,
	Xiaoping Zhou, Jarkko Sakkinen

From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

commit 9550f210492c6f88415709002f42a9d15c0e6231 upstream.

Revert a commit, which was included in Linux v5.5-rc3 because it did not
properly fix the issues it was supposed to fix.

Fixes: 21df4a8b6018 ("tpm_tis: reserve chip for duration of tpm_tis_core_init")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=205935
Cc: stable@vger.kernel.org
Cc: Jerry Snitselaar <jsnitsel@redhat.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Tested-by: Dan Williams <dan.j.williams@intel.com>
Tested-by: Xiaoping Zhou <xiaoping.zhou@intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/tpm/tpm_tis_core.c |   35 +++++++++++++++++------------------
 1 file changed, 17 insertions(+), 18 deletions(-)

--- a/drivers/char/tpm/tpm_tis_core.c
+++ b/drivers/char/tpm/tpm_tis_core.c
@@ -899,13 +899,13 @@ int tpm_tis_core_init(struct device *dev
 
 	if (wait_startup(chip, 0) != 0) {
 		rc = -ENODEV;
-		goto err_start;
+		goto out_err;
 	}
 
 	/* Take control of the TPM's interrupt hardware and shut it off */
 	rc = tpm_tis_read32(priv, TPM_INT_ENABLE(priv->locality), &intmask);
 	if (rc < 0)
-		goto err_start;
+		goto out_err;
 
 	intmask |= TPM_INTF_CMD_READY_INT | TPM_INTF_LOCALITY_CHANGE_INT |
 		   TPM_INTF_DATA_AVAIL_INT | TPM_INTF_STS_VALID_INT;
@@ -914,21 +914,21 @@ int tpm_tis_core_init(struct device *dev
 
 	rc = tpm_chip_start(chip);
 	if (rc)
-		goto err_start;
-
+		goto out_err;
 	rc = tpm2_probe(chip);
+	tpm_chip_stop(chip);
 	if (rc)
-		goto err_probe;
+		goto out_err;
 
 	rc = tpm_tis_read32(priv, TPM_DID_VID(0), &vendor);
 	if (rc < 0)
-		goto err_probe;
+		goto out_err;
 
 	priv->manufacturer_id = vendor;
 
 	rc = tpm_tis_read8(priv, TPM_RID(0), &rid);
 	if (rc < 0)
-		goto err_probe;
+		goto out_err;
 
 	dev_info(dev, "%s TPM (device-id 0x%X, rev-id %d)\n",
 		 (chip->flags & TPM_CHIP_FLAG_TPM2) ? "2.0" : "1.2",
@@ -937,13 +937,13 @@ int tpm_tis_core_init(struct device *dev
 	probe = probe_itpm(chip);
 	if (probe < 0) {
 		rc = -ENODEV;
-		goto err_probe;
+		goto out_err;
 	}
 
 	/* Figure out the capabilities */
 	rc = tpm_tis_read32(priv, TPM_INTF_CAPS(priv->locality), &intfcaps);
 	if (rc < 0)
-		goto err_probe;
+		goto out_err;
 
 	dev_dbg(dev, "TPM interface capabilities (0x%x):\n",
 		intfcaps);
@@ -977,9 +977,10 @@ int tpm_tis_core_init(struct device *dev
 		if (tpm_get_timeouts(chip)) {
 			dev_err(dev, "Could not get TPM timeouts and durations\n");
 			rc = -ENODEV;
-			goto err_probe;
+			goto out_err;
 		}
 
+		tpm_chip_start(chip);
 		chip->flags |= TPM_CHIP_FLAG_IRQ;
 		if (irq) {
 			tpm_tis_probe_irq_single(chip, intmask, IRQF_SHARED,
@@ -990,20 +991,18 @@ int tpm_tis_core_init(struct device *dev
 		} else {
 			tpm_tis_probe_irq(chip, intmask);
 		}
+		tpm_chip_stop(chip);
 	}
 
-	tpm_chip_stop(chip);
-
 	rc = tpm_chip_register(chip);
 	if (rc)
-		goto err_start;
+		goto out_err;
 
-	return 0;
-
-err_probe:
-	tpm_chip_stop(chip);
+	if (chip->ops->clk_enable != NULL)
+		chip->ops->clk_enable(chip, false);
 
-err_start:
+	return 0;
+out_err:
 	if ((chip->ops != NULL) && (chip->ops->clk_enable != NULL))
 		chip->ops->clk_enable(chip, false);
 



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 10/78] tpm: Revert "tpm_tis_core: Set TPM_CHIP_FLAG_IRQ before probing for interrupts"
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 09/78] tpm: Revert "tpm_tis: reserve chip for duration of tpm_tis_core_init" Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 11/78] tpm: Revert "tpm_tis_core: Turn on the TPM before probing IRQs" Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jerry Snitselaar, Dan Williams,
	Xiaoping Zhou, Stefan Berger, Jarkko Sakkinen

From: Stefan Berger <stefanb@linux.ibm.com>

commit dda8b2af395b2ed508e2ef314ae32e122841b447 upstream.

There has been a bunch of reports (one from kernel bugzilla linked)
reporting that when this commit is applied it causes on some machines
boot freezes.

Unfortunately hardware where this commit causes a failure is not widely
available (only one I'm aware is Lenovo T490), which means we cannot
predict yet how long it will take to properly fix tpm_tis interrupt
probing.

Thus, the least worst short term action is to revert the code to the
state before this commit. In long term we need fix the tpm_tis probing
code to work on machines that Stefan's fix was supposed to fix.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=205935
Fixes: 1ea32c83c699 ("tpm_tis_core: Set TPM_CHIP_FLAG_IRQ before probing for interrupts")
Cc: stable@vger.kernel.org
Cc: Jerry Snitselaar <jsnitsel@redhat.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Tested-by: Dan Williams <dan.j.williams@intel.com>
Tested-by: Xiaoping Zhou <xiaoping.zhou@intel.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reported-by: Jerry Snitselaar <jsnitsel@redhat.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/tpm/tpm_tis_core.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/char/tpm/tpm_tis_core.c
+++ b/drivers/char/tpm/tpm_tis_core.c
@@ -981,7 +981,6 @@ int tpm_tis_core_init(struct device *dev
 		}
 
 		tpm_chip_start(chip);
-		chip->flags |= TPM_CHIP_FLAG_IRQ;
 		if (irq) {
 			tpm_tis_probe_irq_single(chip, intmask, IRQF_SHARED,
 						 irq);



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 11/78] tpm: Revert "tpm_tis_core: Turn on the TPM before probing IRQs"
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 10/78] tpm: Revert "tpm_tis_core: Set TPM_CHIP_FLAG_IRQ before probing for interrupts" Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 12/78] tpm: Handle negative priv->response_len in tpm_common_read() Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jerry Snitselaar, Dan Williams,
	Xiaoping Zhou, Stefan Berger, Jarkko Sakkinen

From: Stefan Berger <stefanb@linux.ibm.com>

commit aa4a63dd981682b1742baa01237036e48bc11923 upstream.

There has been a bunch of reports (one from kernel bugzilla linked)
reporting that when this commit is applied it causes on some machines
boot freezes.

Unfortunately hardware where this commit causes a failure is not widely
available (only one I'm aware is Lenovo T490), which means we cannot
predict yet how long it will take to properly fix tpm_tis interrupt
probing.

Thus, the least worst short term action is to revert the code to the
state before this commit. In long term we need fix the tpm_tis probing
code to work on machines that Stefan's fix was supposed to fix.

Fixes: 21df4a8b6018 ("tpm_tis: reserve chip for duration of tpm_tis_core_init")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=205935
Cc: stable@vger.kernel.org
Cc: Jerry Snitselaar <jsnitsel@redhat.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Tested-by: Dan Williams <dan.j.williams@intel.com>
Tested-by: Xiaoping Zhou <xiaoping.zhou@intel.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reported-by: Jerry Snitselaar <jsnitsel@redhat.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/tpm/tpm_tis_core.c |    2 --
 1 file changed, 2 deletions(-)

--- a/drivers/char/tpm/tpm_tis_core.c
+++ b/drivers/char/tpm/tpm_tis_core.c
@@ -980,7 +980,6 @@ int tpm_tis_core_init(struct device *dev
 			goto out_err;
 		}
 
-		tpm_chip_start(chip);
 		if (irq) {
 			tpm_tis_probe_irq_single(chip, intmask, IRQF_SHARED,
 						 irq);
@@ -990,7 +989,6 @@ int tpm_tis_core_init(struct device *dev
 		} else {
 			tpm_tis_probe_irq(chip, intmask);
 		}
-		tpm_chip_stop(chip);
 	}
 
 	rc = tpm_chip_register(chip);



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 12/78] tpm: Handle negative priv->response_len in tpm_common_read()
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 11/78] tpm: Revert "tpm_tis_core: Turn on the TPM before probing IRQs" Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 13/78] rtc: sun6i: Add support for RTC clocks on R40 Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Laura Abbott, Tadeusz Struk, Jarkko Sakkinen

From: Tadeusz Struk <tadeusz.struk@intel.com>

commit a430e67d9a2c62a8c7b315b99e74de02018d0a96 upstream.

The priv->response_length can hold the size of an response or an negative
error code, and the tpm_common_read() needs to handle both cases correctly.
Changed the type of response_length to signed and accounted for negative
value in tpm_common_read().

Cc: stable@vger.kernel.org
Fixes: d23d12484307 ("tpm: fix invalid locking in NONBLOCKING mode")
Reported-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/tpm/tpm-dev-common.c |    2 +-
 drivers/char/tpm/tpm-dev.h        |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/char/tpm/tpm-dev-common.c
+++ b/drivers/char/tpm/tpm-dev-common.c
@@ -130,7 +130,7 @@ ssize_t tpm_common_read(struct file *fil
 		priv->response_read = true;
 
 		ret_size = min_t(ssize_t, size, priv->response_length);
-		if (!ret_size) {
+		if (ret_size <= 0) {
 			priv->response_length = 0;
 			goto out;
 		}
--- a/drivers/char/tpm/tpm-dev.h
+++ b/drivers/char/tpm/tpm-dev.h
@@ -14,7 +14,7 @@ struct file_priv {
 	struct work_struct timeout_work;
 	struct work_struct async_work;
 	wait_queue_head_t async_wait;
-	size_t response_length;
+	ssize_t response_length;
 	bool response_read;
 	bool command_enqueued;
 



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 13/78] rtc: sun6i: Add support for RTC clocks on R40
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 12/78] tpm: Handle negative priv->response_len in tpm_common_read() Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 14/78] kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chen-Yu Tsai, Maxime Ripard,
	Alexandre Belloni

From: Chen-Yu Tsai <wens@csie.org>

commit 111bf02b8f544f98de53ea1f912ae01f598b161b upstream.

When support for the R40 in the rtc-sun6i driver was split out for a
separate compatible string, only the RTC half was covered, and not the
clock half. Unfortunately this results in the whole driver not working,
as the RTC half expects the clock half to have been initialized.

Add support for the clock part as well. The clock part is like the H3,
but does not need to export the internal oscillator, nor does it have
a gateable LOSC external output.

This fixes issues with WiFi and Bluetooth not working on the BPI M2U.

Fixes: d6624cc75021 ("rtc: sun6i: Add R40 compatible")
Cc: <stable@vger.kernel.org> # 5.3.x
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Acked-by: Maxime Ripard <mripard@kernel.org>
Link: https://lore.kernel.org/r/20191205085054.6049-1-wens@kernel.org
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/rtc/rtc-sun6i.c |   16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--- a/drivers/rtc/rtc-sun6i.c
+++ b/drivers/rtc/rtc-sun6i.c
@@ -380,6 +380,22 @@ static void __init sun50i_h6_rtc_clk_ini
 CLK_OF_DECLARE_DRIVER(sun50i_h6_rtc_clk, "allwinner,sun50i-h6-rtc",
 		      sun50i_h6_rtc_clk_init);
 
+/*
+ * The R40 user manual is self-conflicting on whether the prescaler is
+ * fixed or configurable. The clock diagram shows it as fixed, but there
+ * is also a configurable divider in the RTC block.
+ */
+static const struct sun6i_rtc_clk_data sun8i_r40_rtc_data = {
+	.rc_osc_rate = 16000000,
+	.fixed_prescaler = 512,
+};
+static void __init sun8i_r40_rtc_clk_init(struct device_node *node)
+{
+	sun6i_rtc_clk_init(node, &sun8i_r40_rtc_data);
+}
+CLK_OF_DECLARE_DRIVER(sun8i_r40_rtc_clk, "allwinner,sun8i-r40-rtc",
+		      sun8i_r40_rtc_clk_init);
+
 static const struct sun6i_rtc_clk_data sun8i_v3_rtc_data = {
 	.rc_osc_rate = 32000,
 	.has_out_clk = 1,



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 14/78] kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 13/78] rtc: sun6i: Add support for RTC clocks on R40 Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 15/78] tracing: Have stack tracer compile when MCOUNT_INSN_SIZE is not defined Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kaitao Cheng, Steven Rostedt (VMware)

From: Kaitao Cheng <pilgrimtao@gmail.com>

commit 50f9ad607ea891a9308e67b81f774c71736d1098 upstream.

In the function, if register_trace_sched_migrate_task() returns error,
sched_switch/sched_wakeup_new/sched_wakeup won't unregister. That is
why fail_deprobe_sched_switch was added.

Link: http://lkml.kernel.org/r/20191231133530.2794-1-pilgrimtao@gmail.com

Cc: stable@vger.kernel.org
Fixes: 478142c39c8c2 ("tracing: do not grab lock in wakeup latency function tracing")
Signed-off-by: Kaitao Cheng <pilgrimtao@gmail.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/trace/trace_sched_wakeup.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/kernel/trace/trace_sched_wakeup.c
+++ b/kernel/trace/trace_sched_wakeup.c
@@ -630,7 +630,7 @@ static void start_wakeup_tracer(struct t
 	if (ret) {
 		pr_info("wakeup trace: Couldn't activate tracepoint"
 			" probe to kernel_sched_migrate_task\n");
-		return;
+		goto fail_deprobe_sched_switch;
 	}
 
 	wakeup_reset(tr);
@@ -648,6 +648,8 @@ static void start_wakeup_tracer(struct t
 		printk(KERN_ERR "failed to start wakeup tracer\n");
 
 	return;
+fail_deprobe_sched_switch:
+	unregister_trace_sched_switch(probe_wakeup_sched_switch, NULL);
 fail_deprobe_wake_new:
 	unregister_trace_sched_wakeup_new(probe_wakeup, NULL);
 fail_deprobe:



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 15/78] tracing: Have stack tracer compile when MCOUNT_INSN_SIZE is not defined
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 14/78] kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 16/78] tracing: Change offset type to s32 in preempt/irq tracepoints Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kbuild test robot, Steven Rostedt (VMware)

From: Steven Rostedt (VMware) <rostedt@goodmis.org>

commit b8299d362d0837ae39e87e9019ebe6b736e0f035 upstream.

On some archs with some configurations, MCOUNT_INSN_SIZE is not defined, and
this makes the stack tracer fail to compile. Just define it to zero in this
case.

Link: https://lore.kernel.org/r/202001020219.zvE3vsty%lkp@intel.com

Cc: stable@vger.kernel.org
Fixes: 4df297129f622 ("tracing: Remove most or all of stack tracer stack size from stack_max_size")
Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/trace/trace_stack.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/kernel/trace/trace_stack.c
+++ b/kernel/trace/trace_stack.c
@@ -283,6 +283,11 @@ static void check_stack(unsigned long ip
 	local_irq_restore(flags);
 }
 
+/* Some archs may not define MCOUNT_INSN_SIZE */
+#ifndef MCOUNT_INSN_SIZE
+# define MCOUNT_INSN_SIZE 0
+#endif
+
 static void
 stack_trace_call(unsigned long ip, unsigned long parent_ip,
 		 struct ftrace_ops *op, struct pt_regs *pt_regs)



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 16/78] tracing: Change offset type to s32 in preempt/irq tracepoints
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 15/78] tracing: Have stack tracer compile when MCOUNT_INSN_SIZE is not defined Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 17/78] HID: Fix slab-out-of-bounds read in hid_field_extract Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bjorn Helgaas, David Sterba,
	Ingo Molnar, Mike Rapoport, Rafael J. Wysocki, Sakari Ailus,
	Antonio Borneo, Joel Fernandes (Google), Steven Rostedt (VMware)

From: Joel Fernandes (Google) <joel@joelfernandes.org>

commit bf44f488e168368cae4139b4b33c3d0aaa11679c upstream.

Discussion in the below link reported that symbols in modules can appear
to be before _stext on ARM architecture, causing wrapping with the
offsets of this tracepoint. Change the offset type to s32 to fix this.

Link: http://lore.kernel.org/r/20191127154428.191095-1-antonio.borneo@st.com
Link: http://lkml.kernel.org/r/20200102194625.226436-1-joel@joelfernandes.org

Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: David Sterba <dsterba@suse.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Mike Rapoport <rppt@linux.ibm.com>
Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
Cc: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: Antonio Borneo <antonio.borneo@st.com>
Cc: stable@vger.kernel.org
Fixes: d59158162e032 ("tracing: Add support for preempt and irq enable/disable events")
Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/trace/events/preemptirq.h |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/include/trace/events/preemptirq.h
+++ b/include/trace/events/preemptirq.h
@@ -18,13 +18,13 @@ DECLARE_EVENT_CLASS(preemptirq_template,
 	TP_ARGS(ip, parent_ip),
 
 	TP_STRUCT__entry(
-		__field(u32, caller_offs)
-		__field(u32, parent_offs)
+		__field(s32, caller_offs)
+		__field(s32, parent_offs)
 	),
 
 	TP_fast_assign(
-		__entry->caller_offs = (u32)(ip - (unsigned long)_stext);
-		__entry->parent_offs = (u32)(parent_ip - (unsigned long)_stext);
+		__entry->caller_offs = (s32)(ip - (unsigned long)_stext);
+		__entry->parent_offs = (s32)(parent_ip - (unsigned long)_stext);
 	),
 
 	TP_printk("caller=%pS parent=%pS",



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 17/78] HID: Fix slab-out-of-bounds read in hid_field_extract
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 16/78] tracing: Change offset type to s32 in preempt/irq tracepoints Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-02-05  7:12   ` [PATCH 5.4 17/78] HID: Fix slab-out-of-bounds read in hid_field_extract (Broken!) peter enderborg
  2020-01-14 10:00 ` [PATCH 5.4 18/78] HID: uhid: Fix returning EPOLLOUT from uhid_char_poll Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  81 siblings, 1 reply; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alan Stern, Jiri Kosina,
	syzbot+09ef48aa58261464b621

From: Alan Stern <stern@rowland.harvard.edu>

commit 8ec321e96e056de84022c032ffea253431a83c3c upstream.

The syzbot fuzzer found a slab-out-of-bounds bug in the HID report
handler.  The bug was caused by a report descriptor which included a
field with size 12 bits and count 4899, for a total size of 7349
bytes.

The usbhid driver uses at most a single-page 4-KB buffer for reports.
In the test there wasn't any problem about overflowing the buffer,
since only one byte was received from the device.  Rather, the bug
occurred when the HID core tried to extract the data from the report
fields, which caused it to try reading data beyond the end of the
allocated buffer.

This patch fixes the problem by rejecting any report whose total
length exceeds the HID_MAX_BUFFER_SIZE limit (minus one byte to allow
for a possible report index).  In theory a device could have a report
longer than that, but if there was such a thing we wouldn't handle it
correctly anyway.

Reported-and-tested-by: syzbot+09ef48aa58261464b621@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hid/hid-core.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -288,6 +288,12 @@ static int hid_add_field(struct hid_pars
 	offset = report->size;
 	report->size += parser->global.report_size * parser->global.report_count;
 
+	/* Total size check: Allow for possible report index byte */
+	if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) {
+		hid_err(parser->device, "report is too long\n");
+		return -1;
+	}
+
 	if (!parser->local.usage_index) /* Ignore padding fields */
 		return 0;
 



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 18/78] HID: uhid: Fix returning EPOLLOUT from uhid_char_poll
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 17/78] HID: Fix slab-out-of-bounds read in hid_field_extract Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 19/78] HID: hidraw: Fix returning EPOLLOUT from hidraw_poll Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marcel Holtmann, Jiri Kosina

From: Marcel Holtmann <marcel@holtmann.org>

commit be54e7461ffdc5809b67d2aeefc1ddc9a91470c7 upstream.

Always return EPOLLOUT from uhid_char_poll to allow polling /dev/uhid
for writable state.

Fixes: 1f9dec1e0164 ("HID: uhid: allow poll()'ing on uhid devices")
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: stable@vger.kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hid/uhid.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/hid/uhid.c
+++ b/drivers/hid/uhid.c
@@ -772,7 +772,7 @@ static __poll_t uhid_char_poll(struct fi
 	if (uhid->head != uhid->tail)
 		return EPOLLIN | EPOLLRDNORM;
 
-	return 0;
+	return EPOLLOUT | EPOLLWRNORM;
 }
 
 static const struct file_operations uhid_fops = {



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 19/78] HID: hidraw: Fix returning EPOLLOUT from hidraw_poll
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 18/78] HID: uhid: Fix returning EPOLLOUT from uhid_char_poll Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 20/78] HID: hid-input: clear unmapped usages Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marcel Holtmann, Jiri Kosina

From: Marcel Holtmann <marcel@holtmann.org>

commit 9f3b61dc1dd7b81e99e7ed23776bb64a35f39e1a upstream.

When polling a connected /dev/hidrawX device, it is useful to get the
EPOLLOUT when writing is possible. Since writing is possible as soon as
the device is connected, always return it.

Right now EPOLLOUT is only returned when there are also input reports
are available. This works if devices start sending reports when
connected, but some HID devices might need an output report first before
sending any input reports. This change will allow using EPOLLOUT here as
well.

Fixes: 378b80370aa1 ("hidraw: Return EPOLLOUT from hidraw_poll")
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: stable@vger.kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hid/hidraw.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/hid/hidraw.c
+++ b/drivers/hid/hidraw.c
@@ -252,10 +252,10 @@ static __poll_t hidraw_poll(struct file
 
 	poll_wait(file, &list->hidraw->wait, wait);
 	if (list->head != list->tail)
-		return EPOLLIN | EPOLLRDNORM | EPOLLOUT;
+		return EPOLLIN | EPOLLRDNORM;
 	if (!list->hidraw->exist)
 		return EPOLLERR | EPOLLHUP;
-	return 0;
+	return EPOLLOUT | EPOLLWRNORM;
 }
 
 static int hidraw_open(struct inode *inode, struct file *file)



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 20/78] HID: hid-input: clear unmapped usages
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 19/78] HID: hidraw: Fix returning EPOLLOUT from hidraw_poll Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 21/78] Input: add safety guards to input_set_keycode() Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+19340dff067c2d3835c0,
	Dmitry Torokhov, Benjamin Tissoires, Jiri Kosina

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit 4f3882177240a1f55e45a3d241d3121341bead78 upstream.

We should not be leaving half-mapped usages with potentially invalid
keycodes, as that may confuse hidinput_find_key() when the key is located
by index, which may end up feeding way too large keycode into the VT
keyboard handler and cause OOB write there:

BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline]
BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722
...
 kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
 kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
 input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118
 input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145
 input_pass_values drivers/input/input.c:949 [inline]
 input_set_keycode+0x290/0x320 drivers/input/input.c:954
 evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882
 evdev_do_ioctl drivers/input/evdev.c:1150 [inline]

Cc: stable@vger.kernel.org
Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Tested-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hid/hid-input.c |   16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -1132,9 +1132,15 @@ static void hidinput_configure_usage(str
 	}
 
 mapped:
-	if (device->driver->input_mapped && device->driver->input_mapped(device,
-				hidinput, field, usage, &bit, &max) < 0)
-		goto ignore;
+	if (device->driver->input_mapped &&
+	    device->driver->input_mapped(device, hidinput, field, usage,
+					 &bit, &max) < 0) {
+		/*
+		 * The driver indicated that no further generic handling
+		 * of the usage is desired.
+		 */
+		return;
+	}
 
 	set_bit(usage->type, input->evbit);
 
@@ -1215,9 +1221,11 @@ mapped:
 		set_bit(MSC_SCAN, input->mscbit);
 	}
 
-ignore:
 	return;
 
+ignore:
+	usage->type = 0;
+	usage->code = 0;
 }
 
 static void hidinput_handle_scroll(struct hid_usage *usage,



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 21/78] Input: add safety guards to input_set_keycode()
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 20/78] HID: hid-input: clear unmapped usages Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 22/78] Input: input_event - fix struct padding on sparc64 Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+c769968809f9359b07aa,
	syzbot+76f3a30e88d256644c78, Dmitry Torokhov

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit cb222aed03d798fc074be55e59d9a112338ee784 upstream.

If we happen to have a garbage in input device's keycode table with values
too big we'll end up doing clear_bit() with offset way outside of our
bitmaps, damaging other objects within an input device or even outside of
it. Let's add sanity checks to the returned old keycodes.

Reported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com
Reported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/input.c |   26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

--- a/drivers/input/input.c
+++ b/drivers/input/input.c
@@ -878,16 +878,18 @@ static int input_default_setkeycode(stru
 		}
 	}
 
-	__clear_bit(*old_keycode, dev->keybit);
-	__set_bit(ke->keycode, dev->keybit);
-
-	for (i = 0; i < dev->keycodemax; i++) {
-		if (input_fetch_keycode(dev, i) == *old_keycode) {
-			__set_bit(*old_keycode, dev->keybit);
-			break; /* Setting the bit twice is useless, so break */
+	if (*old_keycode <= KEY_MAX) {
+		__clear_bit(*old_keycode, dev->keybit);
+		for (i = 0; i < dev->keycodemax; i++) {
+			if (input_fetch_keycode(dev, i) == *old_keycode) {
+				__set_bit(*old_keycode, dev->keybit);
+				/* Setting the bit twice is useless, so break */
+				break;
+			}
 		}
 	}
 
+	__set_bit(ke->keycode, dev->keybit);
 	return 0;
 }
 
@@ -943,9 +945,13 @@ int input_set_keycode(struct input_dev *
 	 * Simulate keyup event if keycode is not present
 	 * in the keymap anymore
 	 */
-	if (test_bit(EV_KEY, dev->evbit) &&
-	    !is_event_supported(old_keycode, dev->keybit, KEY_MAX) &&
-	    __test_and_clear_bit(old_keycode, dev->key)) {
+	if (old_keycode > KEY_MAX) {
+		dev_warn(dev->dev.parent ?: &dev->dev,
+			 "%s: got too big old keycode %#x\n",
+			 __func__, old_keycode);
+	} else if (test_bit(EV_KEY, dev->evbit) &&
+		   !is_event_supported(old_keycode, dev->keybit, KEY_MAX) &&
+		   __test_and_clear_bit(old_keycode, dev->key)) {
 		struct input_value vals[] =  {
 			{ EV_KEY, old_keycode, 0 },
 			input_value_sync



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 22/78] Input: input_event - fix struct padding on sparc64
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 21/78] Input: add safety guards to input_set_keycode() Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 23/78] drm/i915: Add Wa_1408615072 and Wa_1407596294 to icl,ehl Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Dmitry Torokhov

From: Arnd Bergmann <arnd@arndb.de>

commit f729a1b0f8df7091cea3729fc0e414f5326e1163 upstream.

Going through all uses of timeval, I noticed that we screwed up
input_event in the previous attempts to fix it:

The time fields now match between kernel and user space, but all following
fields are in the wrong place.

Add the required padding that is implied by the glibc timeval definition
to fix the layout, and use a struct initializer to avoid leaking kernel
stack data.

Fixes: 141e5dcaa735 ("Input: input_event - fix the CONFIG_SPARC64 mixup")
Fixes: 2e746942ebac ("Input: input_event - provide override for sparc64")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20191213204936.3643476-2-arnd@arndb.de
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/evdev.c       |   14 +++++++-------
 drivers/input/misc/uinput.c |   14 +++++++++-----
 include/uapi/linux/input.h  |    1 +
 3 files changed, 17 insertions(+), 12 deletions(-)

--- a/drivers/input/evdev.c
+++ b/drivers/input/evdev.c
@@ -224,13 +224,13 @@ static void __pass_event(struct evdev_cl
 		 */
 		client->tail = (client->head - 2) & (client->bufsize - 1);
 
-		client->buffer[client->tail].input_event_sec =
-						event->input_event_sec;
-		client->buffer[client->tail].input_event_usec =
-						event->input_event_usec;
-		client->buffer[client->tail].type = EV_SYN;
-		client->buffer[client->tail].code = SYN_DROPPED;
-		client->buffer[client->tail].value = 0;
+		client->buffer[client->tail] = (struct input_event) {
+			.input_event_sec = event->input_event_sec,
+			.input_event_usec = event->input_event_usec,
+			.type = EV_SYN,
+			.code = SYN_DROPPED,
+			.value = 0,
+		};
 
 		client->packet_head = client->tail;
 	}
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -74,12 +74,16 @@ static int uinput_dev_event(struct input
 	struct uinput_device	*udev = input_get_drvdata(dev);
 	struct timespec64	ts;
 
-	udev->buff[udev->head].type = type;
-	udev->buff[udev->head].code = code;
-	udev->buff[udev->head].value = value;
 	ktime_get_ts64(&ts);
-	udev->buff[udev->head].input_event_sec = ts.tv_sec;
-	udev->buff[udev->head].input_event_usec = ts.tv_nsec / NSEC_PER_USEC;
+
+	udev->buff[udev->head] = (struct input_event) {
+		.input_event_sec = ts.tv_sec,
+		.input_event_usec = ts.tv_nsec / NSEC_PER_USEC,
+		.type = type,
+		.code = code,
+		.value = value,
+	};
+
 	udev->head = (udev->head + 1) % UINPUT_BUFFER_SIZE;
 
 	wake_up_interruptible(&udev->waitq);
--- a/include/uapi/linux/input.h
+++ b/include/uapi/linux/input.h
@@ -34,6 +34,7 @@ struct input_event {
 	__kernel_ulong_t __sec;
 #if defined(__sparc__) && defined(__arch64__)
 	unsigned int __usec;
+	unsigned int __pad;
 #else
 	__kernel_ulong_t __usec;
 #endif



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 23/78] drm/i915: Add Wa_1408615072 and Wa_1407596294 to icl,ehl
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 22/78] Input: input_event - fix struct padding on sparc64 Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 24/78] drm/amdgpu: add DRIVER_SYNCOBJ_TIMELINE to amdgpu Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, stable, Lucas De Marchi, Matt Atwood,
	Radhakrishna Sripada, Matt Roper, Joonas Lahtinen

From: Matt Roper <matthew.d.roper@intel.com>

commit a7f3ad37f80d0d5eec9dad156964c0dac800a80e upstream.

Workaround database indicates we should disable clock gating of both the
vsunit and hsunit.

Bspec: 33450
Bspec: 33451
Cc: stable@kernel.vger.org
Cc: Lucas De Marchi <lucas.demarchi@intel.com>
Cc: Matt Atwood <matthew.s.atwood@intel.com>
Cc: Radhakrishna Sripada <radhakrishna.sripada@intel.com>
Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20191224012026.3157766-3-matthew.d.roper@intel.com
Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
(cherry picked from commit b9cf9dac3dac4c1d2a47d34f30ec53c0423cecf8)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/i915_reg.h |    4 +++-
 drivers/gpu/drm/i915/intel_pm.c |    8 ++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/i915/i915_reg.h
+++ b/drivers/gpu/drm/i915/i915_reg.h
@@ -4049,7 +4049,9 @@ enum {
 #define  GWUNIT_CLKGATE_DIS		(1 << 16)
 
 #define UNSLICE_UNIT_LEVEL_CLKGATE	_MMIO(0x9434)
-#define  VFUNIT_CLKGATE_DIS		(1 << 20)
+#define   VFUNIT_CLKGATE_DIS		REG_BIT(20)
+#define   HSUNIT_CLKGATE_DIS		REG_BIT(8)
+#define   VSUNIT_CLKGATE_DIS		REG_BIT(3)
 
 #define INF_UNIT_LEVEL_CLKGATE		_MMIO(0x9560)
 #define   CGPSF_CLKGATE_DIS		(1 << 3)
--- a/drivers/gpu/drm/i915/intel_pm.c
+++ b/drivers/gpu/drm/i915/intel_pm.c
@@ -9194,6 +9194,14 @@ static void icl_init_clock_gating(struct
 	/* WaEnable32PlaneMode:icl */
 	I915_WRITE(GEN9_CSFE_CHICKEN1_RCS,
 		   _MASKED_BIT_ENABLE(GEN11_ENABLE_32_PLANE_MODE));
+
+	/*
+	 * Wa_1408615072:icl,ehl  (vsunit)
+	 * Wa_1407596294:icl,ehl  (hsunit)
+	 */
+	intel_uncore_rmw(&dev_priv->uncore, UNSLICE_UNIT_LEVEL_CLKGATE,
+			 0, VSUNIT_CLKGATE_DIS | HSUNIT_CLKGATE_DIS);
+
 }
 
 static void cnp_init_clock_gating(struct drm_i915_private *dev_priv)



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 24/78] drm/amdgpu: add DRIVER_SYNCOBJ_TIMELINE to amdgpu
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 23/78] drm/i915: Add Wa_1408615072 and Wa_1407596294 to icl,ehl Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 14:31   ` Deucher, Alexander
  2020-01-14 10:00 ` [PATCH 5.4 25/78] Revert "drm/amdgpu: Set no-retry as default." Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  81 siblings, 1 reply; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chunming Zhou, Flora Cui,
	Christian König, Alex Deucher

From: Chunming Zhou <david1.zhou@amd.com>

commit db4ff423cd1659580e541a2d4363342f15c14230 upstream.

Can expose it now that the khronos has exposed the
vlk extension.

Signed-off-by: Chunming Zhou <david1.zhou@amd.com>
Reviewed-by: Flora Cui <Flora.Cui@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
@@ -1422,7 +1422,8 @@ static struct drm_driver kms_driver = {
 	.driver_features =
 	    DRIVER_USE_AGP | DRIVER_ATOMIC |
 	    DRIVER_GEM |
-	    DRIVER_RENDER | DRIVER_MODESET | DRIVER_SYNCOBJ,
+	    DRIVER_RENDER | DRIVER_MODESET | DRIVER_SYNCOBJ |
+	    DRIVER_SYNCOBJ_TIMELINE,
 	.load = amdgpu_driver_load_kms,
 	.open = amdgpu_driver_open_kms,
 	.postclose = amdgpu_driver_postclose_kms,



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 25/78] Revert "drm/amdgpu: Set no-retry as default."
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 24/78] drm/amdgpu: add DRIVER_SYNCOBJ_TIMELINE to amdgpu Greg Kroah-Hartman
@ 2020-01-14 10:00 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 26/78] drm/sun4i: tcon: Set RGB DCLK min. divider based on hardware model Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Felix Kuehling, Christian König,
	Alex Deucher

From: Alex Deucher <alexander.deucher@amd.com>

commit 7aec9ec1cf324d5c5a8d17b9c78a34c388e5f17b upstream.

This reverts commit 51bfac71cade386966791a8db87a5912781d249f.

This causes stability issues on some raven boards.  Revert
for now until a proper fix is completed.

Bug: https://gitlab.freedesktop.org/drm/amd/issues/934
Bug: https://bugzilla.kernel.org/show_bug.cgi?id=206017
Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
@@ -145,7 +145,7 @@ int amdgpu_async_gfx_ring = 1;
 int amdgpu_mcbp = 0;
 int amdgpu_discovery = -1;
 int amdgpu_mes = 0;
-int amdgpu_noretry = 1;
+int amdgpu_noretry;
 
 struct amdgpu_mgpu_info mgpu_info = {
 	.mutex = __MUTEX_INITIALIZER(mgpu_info.mutex),
@@ -613,7 +613,7 @@ MODULE_PARM_DESC(mes,
 module_param_named(mes, amdgpu_mes, int, 0444);
 
 MODULE_PARM_DESC(noretry,
-	"Disable retry faults (0 = retry enabled, 1 = retry disabled (default))");
+	"Disable retry faults (0 = retry enabled (default), 1 = retry disabled)");
 module_param_named(noretry, amdgpu_noretry, int, 0644);
 
 #ifdef CONFIG_HSA_AMD



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 26/78] drm/sun4i: tcon: Set RGB DCLK min. divider based on hardware model
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2020-01-14 10:00 ` [PATCH 5.4 25/78] Revert "drm/amdgpu: Set no-retry as default." Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 27/78] drm/fb-helper: Round up bits_per_pixel if possible Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chen-Yu Tsai, Maxime Ripard

From: Chen-Yu Tsai <wens@csie.org>

commit 4396393fb96449c56423fb4b351f76e45a6bcaf6 upstream.

In commit 0b8e7bbde5e7 ("drm/sun4i: tcon: Set min division of TCON0_DCLK
to 1.") it was assumed that all TCON variants support a minimum divider
of 1 if only DCLK was used.

However, the oldest generation of hardware only supports minimum divider
of 4 if only DCLK is used. If a divider of 1 was used on this old
hardware, some scrolling artifact would appear. A divider of 2 seemed
OK, but a divider of 3 had artifacts as well.

Set the minimum divider when outputing to parallel RGB based on the
hardware model, with a minimum of 4 for the oldest (A10/A10s/A13/A20)
hardware, and a minimum of 1 for the rest. A value is not set for the
TCON variants lacking channel 0.

This fixes the scrolling artifacts seen on my A13 tablet.

Fixes: 0b8e7bbde5e7 ("drm/sun4i: tcon: Set min division of TCON0_DCLK to 1.")
Cc: <stable@vger.kernel.org> # 5.4.x
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Maxime Ripard <maxime@cerno.tech>
Link: https://patchwork.freedesktop.org/patch/msgid/20200107070113.28951-1-wens@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/sun4i/sun4i_tcon.c |   15 ++++++++++++---
 drivers/gpu/drm/sun4i/sun4i_tcon.h |    1 +
 2 files changed, 13 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/sun4i/sun4i_tcon.c
+++ b/drivers/gpu/drm/sun4i/sun4i_tcon.c
@@ -488,7 +488,7 @@ static void sun4i_tcon0_mode_set_rgb(str
 
 	WARN_ON(!tcon->quirks->has_channel_0);
 
-	tcon->dclk_min_div = 1;
+	tcon->dclk_min_div = tcon->quirks->dclk_min_div;
 	tcon->dclk_max_div = 127;
 	sun4i_tcon0_mode_set_common(tcon, mode);
 
@@ -1425,12 +1425,14 @@ static int sun8i_r40_tcon_tv_set_mux(str
 static const struct sun4i_tcon_quirks sun4i_a10_quirks = {
 	.has_channel_0		= true,
 	.has_channel_1		= true,
+	.dclk_min_div		= 4,
 	.set_mux		= sun4i_a10_tcon_set_mux,
 };
 
 static const struct sun4i_tcon_quirks sun5i_a13_quirks = {
 	.has_channel_0		= true,
 	.has_channel_1		= true,
+	.dclk_min_div		= 4,
 	.set_mux		= sun5i_a13_tcon_set_mux,
 };
 
@@ -1439,6 +1441,7 @@ static const struct sun4i_tcon_quirks su
 	.has_channel_1		= true,
 	.has_lvds_alt		= true,
 	.needs_de_be_mux	= true,
+	.dclk_min_div		= 1,
 	.set_mux		= sun6i_tcon_set_mux,
 };
 
@@ -1446,11 +1449,13 @@ static const struct sun4i_tcon_quirks su
 	.has_channel_0		= true,
 	.has_channel_1		= true,
 	.needs_de_be_mux	= true,
+	.dclk_min_div		= 1,
 };
 
 static const struct sun4i_tcon_quirks sun7i_a20_quirks = {
 	.has_channel_0		= true,
 	.has_channel_1		= true,
+	.dclk_min_div		= 4,
 	/* Same display pipeline structure as A10 */
 	.set_mux		= sun4i_a10_tcon_set_mux,
 };
@@ -1458,11 +1463,13 @@ static const struct sun4i_tcon_quirks su
 static const struct sun4i_tcon_quirks sun8i_a33_quirks = {
 	.has_channel_0		= true,
 	.has_lvds_alt		= true,
+	.dclk_min_div		= 1,
 };
 
 static const struct sun4i_tcon_quirks sun8i_a83t_lcd_quirks = {
 	.supports_lvds		= true,
 	.has_channel_0		= true,
+	.dclk_min_div		= 1,
 };
 
 static const struct sun4i_tcon_quirks sun8i_a83t_tv_quirks = {
@@ -1476,11 +1483,13 @@ static const struct sun4i_tcon_quirks su
 
 static const struct sun4i_tcon_quirks sun8i_v3s_quirks = {
 	.has_channel_0		= true,
+	.dclk_min_div		= 1,
 };
 
 static const struct sun4i_tcon_quirks sun9i_a80_tcon_lcd_quirks = {
-	.has_channel_0	= true,
-	.needs_edp_reset = true,
+	.has_channel_0		= true,
+	.needs_edp_reset	= true,
+	.dclk_min_div		= 1,
 };
 
 static const struct sun4i_tcon_quirks sun9i_a80_tcon_tv_quirks = {
--- a/drivers/gpu/drm/sun4i/sun4i_tcon.h
+++ b/drivers/gpu/drm/sun4i/sun4i_tcon.h
@@ -224,6 +224,7 @@ struct sun4i_tcon_quirks {
 	bool	needs_de_be_mux; /* sun6i needs mux to select backend */
 	bool    needs_edp_reset; /* a80 edp reset needed for tcon0 access */
 	bool	supports_lvds;   /* Does the TCON support an LVDS output? */
+	u8	dclk_min_div;	/* minimum divider for TCON0 DCLK */
 
 	/* callback to handle tcon muxing options */
 	int	(*set_mux)(struct sun4i_tcon *, const struct drm_encoder *);



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 27/78] drm/fb-helper: Round up bits_per_pixel if possible
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 26/78] drm/sun4i: tcon: Set RGB DCLK min. divider based on hardware model Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 28/78] drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Geert Uytterhoeven, Daniel Vetter

From: Geert Uytterhoeven <geert+renesas@glider.be>

commit f30e27779d3031a092c2a177b7fb76adccc45241 upstream.

When userspace requests a video mode parameter value that is not
supported, frame buffer device drivers should round it up to a supported
value, if possible, instead of just rejecting it.  This allows
applications to quickly scan for supported video modes.

Currently this rule is not followed for the number of bits per pixel,
causing e.g. "fbset -depth N" to fail, if N is smaller than the current
number of bits per pixel.

Fix this by returning an error only if bits per pixel is too large, and
setting it to the current value otherwise.

See also Documentation/fb/framebuffer.rst, Section 2 (Programmer's View
of /dev/fb*").

Fixes: 865afb11949e5bf4 ("drm/fb-helper: reject any changes to the fbdev")
Cc: stable@vger.kernel.org
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20191230132734.4538-1-geert+renesas@glider.be
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/drm_fb_helper.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/drm_fb_helper.c
+++ b/drivers/gpu/drm/drm_fb_helper.c
@@ -1320,7 +1320,7 @@ int drm_fb_helper_check_var(struct fb_va
 	 * Changes struct fb_var_screeninfo are currently not pushed back
 	 * to KMS, hence fail if different settings are requested.
 	 */
-	if (var->bits_per_pixel != fb->format->cpp[0] * 8 ||
+	if (var->bits_per_pixel > fb->format->cpp[0] * 8 ||
 	    var->xres > fb->width || var->yres > fb->height ||
 	    var->xres_virtual > fb->width || var->yres_virtual > fb->height) {
 		DRM_DEBUG("fb requested width/height/bpp can't fit in current fb "
@@ -1346,6 +1346,11 @@ int drm_fb_helper_check_var(struct fb_va
 	}
 
 	/*
+	 * Likewise, bits_per_pixel should be rounded up to a supported value.
+	 */
+	var->bits_per_pixel = fb->format->cpp[0] * 8;
+
+	/*
 	 * drm fbdev emulation doesn't support changing the pixel format at all,
 	 * so reject all pixel format changing requests.
 	 */



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 28/78] drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 27/78] drm/fb-helper: Round up bits_per_pixel if possible Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 29/78] drm/i915: Add Wa_1407352427:icl,ehl Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Harry Wentland, Wayne Lin, Lyude Paul

From: Wayne Lin <Wayne.Lin@amd.com>

commit c4e4fccc5d52d881afaac11d3353265ef4eccb8b upstream.

[Why]
According to DP spec, it should shift left 4 digits for NO_STOP_BIT
in REMOTE_I2C_READ message. Not 5 digits.

In current code, NO_STOP_BIT is always set to zero which means I2C
master is always generating a I2C stop at the end of each I2C write
transaction while handling REMOTE_I2C_READ sideband message. This issue
might have the generated I2C signal not meeting the requirement. Take
random read in I2C for instance, I2C master should generate a repeat
start to start to read data after writing the read address. This issue
will cause the I2C master to generate a stop-start rather than a
re-start which is not expected in I2C random read.

[How]
Correct the shifting value of NO_STOP_BIT for DP_REMOTE_I2C_READ case in
drm_dp_encode_sideband_req().

Changes since v1:(https://patchwork.kernel.org/patch/11312667/)
* Add more descriptions in commit and cc to stable

Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)")
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Wayne Lin <Wayne.Lin@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Lyude Paul <lyude@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20200103055001.10287-1-Wayne.Lin@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/drm_dp_mst_topology.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/drm_dp_mst_topology.c
@@ -339,7 +339,7 @@ static void drm_dp_encode_sideband_req(s
 			memcpy(&buf[idx], req->u.i2c_read.transactions[i].bytes, req->u.i2c_read.transactions[i].num_bytes);
 			idx += req->u.i2c_read.transactions[i].num_bytes;
 
-			buf[idx] = (req->u.i2c_read.transactions[i].no_stop_bit & 0x1) << 5;
+			buf[idx] = (req->u.i2c_read.transactions[i].no_stop_bit & 0x1) << 4;
 			buf[idx] |= (req->u.i2c_read.transactions[i].i2c_transaction_delay & 0xf);
 			idx++;
 		}



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 29/78] drm/i915: Add Wa_1407352427:icl,ehl
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 28/78] drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 30/78] drm/i915/gt: Mark up virtual engine uabi_instance Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lionel Landwerlin, Lucas De Marchi,
	Matt Atwood, Matt Roper, Joonas Lahtinen

From: Matt Roper <matthew.d.roper@intel.com>

commit 25b79ad51bf04a8aa67b5bccd631fc05f963b8e0 upstream.

The workaround database now indicates we need to disable psdunit clock
gating as well.

v3:
 - Rebase on top of other workarounds that have landed.
 - Restrict cc:stable tag to 5.2+ since that's when ICL was first
   officially supported.

Bspec: 32354
Bspec: 33450
Bspec: 33451
Suggested-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
Cc: stable@vger.kernel.org # v5.2+
Cc: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
Cc: Lucas De Marchi <lucas.demarchi@intel.com>
Cc: Matt Atwood <matthew.s.atwood@intel.com>
Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
Acked-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20191231190713.1549533-1-matthew.d.roper@intel.com
(cherry picked from commit 1cd21a7c5679015352e8a6f46813aced51d71bb8)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/i915_reg.h |    4 ++++
 drivers/gpu/drm/i915/intel_pm.c |    3 +++
 2 files changed, 7 insertions(+)

--- a/drivers/gpu/drm/i915/i915_reg.h
+++ b/drivers/gpu/drm/i915/i915_reg.h
@@ -4053,6 +4053,10 @@ enum {
 #define   HSUNIT_CLKGATE_DIS		REG_BIT(8)
 #define   VSUNIT_CLKGATE_DIS		REG_BIT(3)
 
+#define UNSLICE_UNIT_LEVEL_CLKGATE2	_MMIO(0x94e4)
+#define   VSUNIT_CLKGATE_DIS_TGL	REG_BIT(19)
+#define   PSDUNIT_CLKGATE_DIS		REG_BIT(5)
+
 #define INF_UNIT_LEVEL_CLKGATE		_MMIO(0x9560)
 #define   CGPSF_CLKGATE_DIS		(1 << 3)
 
--- a/drivers/gpu/drm/i915/intel_pm.c
+++ b/drivers/gpu/drm/i915/intel_pm.c
@@ -9202,6 +9202,9 @@ static void icl_init_clock_gating(struct
 	intel_uncore_rmw(&dev_priv->uncore, UNSLICE_UNIT_LEVEL_CLKGATE,
 			 0, VSUNIT_CLKGATE_DIS | HSUNIT_CLKGATE_DIS);
 
+	/* Wa_1407352427:icl,ehl */
+	intel_uncore_rmw(&dev_priv->uncore, UNSLICE_UNIT_LEVEL_CLKGATE2,
+			 0, PSDUNIT_CLKGATE_DIS);
 }
 
 static void cnp_init_clock_gating(struct drm_i915_private *dev_priv)



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 30/78] drm/i915/gt: Mark up virtual engine uabi_instance
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 29/78] drm/i915: Add Wa_1407352427:icl,ehl Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 31/78] IB/hfi1: Adjust flow PSN with the correct resync_psn Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tvrtko Ursulin, Chris Wilson,
	Joonas Lahtinen

From: Chris Wilson <chris@chris-wilson.co.uk>

commit 1325008f5c8dbc84aa835d98af8447fa0569bc4d upstream.

Be sure to initialise the uabi_instance on the virtual engine to the
special invalid value, just in case we ever peek at it from the uAPI.

Reported-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Fixes: 750e76b4f9f6 ("drm/i915/gt: Move the [class][inst] lookup for engines onto the GT")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: <stable@vger.kernel.org> # v5.4+
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20200106123921.2543886-1-chris@chris-wilson.co.uk
(cherry picked from commit f75fc37b5e70b75f21550410f88e2379648120e2)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/gt/intel_lrc.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/gpu/drm/i915/gt/intel_lrc.c
+++ b/drivers/gpu/drm/i915/gt/intel_lrc.c
@@ -3716,9 +3716,11 @@ intel_execlists_create_virtual(struct i9
 	ve->base.i915 = ctx->i915;
 	ve->base.gt = siblings[0]->gt;
 	ve->base.id = -1;
+
 	ve->base.class = OTHER_CLASS;
 	ve->base.uabi_class = I915_ENGINE_CLASS_INVALID;
 	ve->base.instance = I915_ENGINE_CLASS_INVALID_VIRTUAL;
+	ve->base.uabi_instance = I915_ENGINE_CLASS_INVALID_VIRTUAL;
 
 	/*
 	 * The decision on whether to submit a request using semaphores



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 31/78] IB/hfi1: Adjust flow PSN with the correct resync_psn
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 30/78] drm/i915/gt: Mark up virtual engine uabi_instance Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 32/78] can: kvaser_usb: fix interface sanity check Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Marciniszyn, Kaike Wan,
	Dennis Dalessandro, Jason Gunthorpe

From: Kaike Wan <kaike.wan@intel.com>

commit b2ff0d510182eb5cc05a65d1b2371af62c4b170c upstream.

When a TID RDMA ACK to RESYNC request is received, the flow PSNs for
pending TID RDMA WRITE segments will be adjusted with the next flow
generation number, based on the resync_psn value extracted from the flow
PSN of the TID RDMA ACK packet. The resync_psn value indicates the last
flow PSN for which a TID RDMA WRITE DATA packet has been received by the
responder and the requester should resend TID RDMA WRITE DATA packets,
starting from the next flow PSN.

However, if resync_psn points to the last flow PSN for a segment and the
next segment flow PSN starts with a new generation number, use of the old
resync_psn to adjust the flow PSN for the next segment will lead to
miscalculation, resulting in WARN_ON and sge rewinding errors:

  WARNING: CPU: 4 PID: 146961 at /nfs/site/home/phcvs2/gitrepo/ifs-all/components/Drivers/tmp/rpmbuild/BUILD/ifs-kernel-updates-3.10.0_957.el7.x86_64/hfi1/tid_rdma.c:4764 hfi1_rc_rcv_tid_rdma_ack+0x8f6/0xa90 [hfi1]
  Modules linked in: ib_ipoib(OE) hfi1(OE) rdmavt(OE) rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfsv3 nfs_acl nfs lockd grace fscache iTCO_wdt iTCO_vendor_support skx_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm irqbypass crc32_pclmul ghash_clmulni_intel ib_isert iscsi_target_mod target_core_mod aesni_intel lrw gf128mul glue_helper ablk_helper cryptd rpcrdma sunrpc opa_vnic ast ttm ib_iser libiscsi drm_kms_helper scsi_transport_iscsi ipmi_ssif syscopyarea sysfillrect sysimgblt fb_sys_fops drm joydev ipmi_si pcspkr sg drm_panel_orientation_quirks ipmi_devintf lpc_ich i2c_i801 ipmi_msghandler wmi rdma_ucm ib_ucm ib_uverbs acpi_cpufreq acpi_power_meter ib_umad rdma_cm ib_cm iw_cm ip_tables ext4 mbcache jbd2 sd_mod crc_t10dif crct10dif_generic crct10dif_pclmul i2c_algo_bit crct10dif_common
   crc32c_intel e1000e ib_core ahci libahci ptp libata pps_core nfit libnvdimm [last unloaded: rdmavt]
  CPU: 4 PID: 146961 Comm: kworker/4:0H Kdump: loaded Tainted: G        W  OE  ------------   3.10.0-957.el7.x86_64 #1
  Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.0X.02.0117.040420182310 04/04/2018
  Workqueue: hfi0_0 _hfi1_do_tid_send [hfi1]
  Call Trace:
   <IRQ>  [<ffffffff9e361dc1>] dump_stack+0x19/0x1b
   [<ffffffff9dc97648>] __warn+0xd8/0x100
   [<ffffffff9dc9778d>] warn_slowpath_null+0x1d/0x20
   [<ffffffffc05d28c6>] hfi1_rc_rcv_tid_rdma_ack+0x8f6/0xa90 [hfi1]
   [<ffffffffc05c21cc>] hfi1_kdeth_eager_rcv+0x1dc/0x210 [hfi1]
   [<ffffffffc05c23ef>] ? hfi1_kdeth_expected_rcv+0x1ef/0x210 [hfi1]
   [<ffffffffc0574f15>] kdeth_process_eager+0x35/0x90 [hfi1]
   [<ffffffffc0575b5a>] handle_receive_interrupt_nodma_rtail+0x17a/0x2b0 [hfi1]
   [<ffffffffc056a623>] receive_context_interrupt+0x23/0x40 [hfi1]
   [<ffffffff9dd4a294>] __handle_irq_event_percpu+0x44/0x1c0
   [<ffffffff9dd4a442>] handle_irq_event_percpu+0x32/0x80
   [<ffffffff9dd4a4cc>] handle_irq_event+0x3c/0x60
   [<ffffffff9dd4d27f>] handle_edge_irq+0x7f/0x150
   [<ffffffff9dc2e554>] handle_irq+0xe4/0x1a0
   [<ffffffff9e3795dd>] do_IRQ+0x4d/0xf0
   [<ffffffff9e36b362>] common_interrupt+0x162/0x162
   <EOI>  [<ffffffff9dfa0f79>] ? swiotlb_map_page+0x49/0x150
   [<ffffffffc05c2ed1>] hfi1_verbs_send_dma+0x291/0xb70 [hfi1]
   [<ffffffffc05c2c40>] ? hfi1_wait_kmem+0xf0/0xf0 [hfi1]
   [<ffffffffc05c3f26>] hfi1_verbs_send+0x126/0x2b0 [hfi1]
   [<ffffffffc05ce683>] _hfi1_do_tid_send+0x1d3/0x320 [hfi1]
   [<ffffffff9dcb9d4f>] process_one_work+0x17f/0x440
   [<ffffffff9dcbade6>] worker_thread+0x126/0x3c0
   [<ffffffff9dcbacc0>] ? manage_workers.isra.25+0x2a0/0x2a0
   [<ffffffff9dcc1c31>] kthread+0xd1/0xe0
   [<ffffffff9dcc1b60>] ? insert_kthread_work+0x40/0x40
   [<ffffffff9e374c1d>] ret_from_fork_nospec_begin+0x7/0x21
   [<ffffffff9dcc1b60>] ? insert_kthread_work+0x40/0x40

This patch fixes the issue by adjusting the resync_psn first if the flow
generation has been advanced for a pending segment.

Fixes: 9e93e967f7b4 ("IB/hfi1: Add a function to receive TID RDMA ACK packet")
Link: https://lore.kernel.org/r/20191219231920.51069.37147.stgit@awfm-01.aw.intel.com
Cc: <stable@vger.kernel.org>
Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Kaike Wan <kaike.wan@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/hfi1/tid_rdma.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/infiniband/hw/hfi1/tid_rdma.c
+++ b/drivers/infiniband/hw/hfi1/tid_rdma.c
@@ -4633,6 +4633,15 @@ void hfi1_rc_rcv_tid_rdma_ack(struct hfi
 			 */
 			fpsn = full_flow_psn(flow, flow->flow_state.spsn);
 			req->r_ack_psn = psn;
+			/*
+			 * If resync_psn points to the last flow PSN for a
+			 * segment and the new segment (likely from a new
+			 * request) starts with a new generation number, we
+			 * need to adjust resync_psn accordingly.
+			 */
+			if (flow->flow_state.generation !=
+			    (resync_psn >> HFI1_KDETH_BTH_SEQ_SHIFT))
+				resync_psn = mask_psn(fpsn - 1);
 			flow->resync_npkts +=
 				delta_psn(mask_psn(resync_psn + 1), fpsn);
 			/*



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 32/78] can: kvaser_usb: fix interface sanity check
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 31/78] IB/hfi1: Adjust flow PSN with the correct resync_psn Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 33/78] can: gs_usb: gs_usb_probe(): use descriptors of current altsetting Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jimmy Assarsson, Christer Beskow,
	Nicklas Johansson, Martin Henriksson, Johan Hovold,
	Marc Kleine-Budde

From: Johan Hovold <johan@kernel.org>

commit 5660493c637c9d83786f1c9297f403eae44177b6 upstream.

Make sure to use the current alternate setting when verifying the
interface descriptors to avoid binding to an invalid interface.

Failing to do so could cause the driver to misbehave or trigger a WARN()
in usb_submit_urb() that kernels with panic_on_warn set would choke on.

Fixes: aec5fb2268b7 ("can: kvaser_usb: Add support for Kvaser USB hydra family")
Cc: stable <stable@vger.kernel.org>     # 4.19
Cc: Jimmy Assarsson <extja@kvaser.com>
Cc: Christer Beskow <chbe@kvaser.com>
Cc: Nicklas Johansson <extnj@kvaser.com>
Cc: Martin Henriksson <mh@kvaser.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c |    2 +-
 drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c  |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
@@ -1590,7 +1590,7 @@ static int kvaser_usb_hydra_setup_endpoi
 	struct usb_endpoint_descriptor *ep;
 	int i;
 
-	iface_desc = &dev->intf->altsetting[0];
+	iface_desc = dev->intf->cur_altsetting;
 
 	for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
 		ep = &iface_desc->endpoint[i].desc;
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
@@ -1310,7 +1310,7 @@ static int kvaser_usb_leaf_setup_endpoin
 	struct usb_endpoint_descriptor *endpoint;
 	int i;
 
-	iface_desc = &dev->intf->altsetting[0];
+	iface_desc = dev->intf->cur_altsetting;
 
 	for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
 		endpoint = &iface_desc->endpoint[i].desc;



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 33/78] can: gs_usb: gs_usb_probe(): use descriptors of current altsetting
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 32/78] can: kvaser_usb: fix interface sanity check Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 34/78] can: tcan4x5x: tcan4x5x_can_probe(): get the device out of standby before register access Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Marc Kleine-Budde

From: Johan Hovold <johan@kernel.org>

commit 2f361cd9474ab2c4ab9ac8db20faf81e66c6279b upstream.

Make sure to always use the descriptors of the current alternate setting
to avoid future issues when accessing fields that may differ between
settings.

Signed-off-by: Johan Hovold <johan@kernel.org>
Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/gs_usb.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/can/usb/gs_usb.c
+++ b/drivers/net/can/usb/gs_usb.c
@@ -918,7 +918,7 @@ static int gs_usb_probe(struct usb_inter
 			     GS_USB_BREQ_HOST_FORMAT,
 			     USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_INTERFACE,
 			     1,
-			     intf->altsetting[0].desc.bInterfaceNumber,
+			     intf->cur_altsetting->desc.bInterfaceNumber,
 			     hconf,
 			     sizeof(*hconf),
 			     1000);
@@ -941,7 +941,7 @@ static int gs_usb_probe(struct usb_inter
 			     GS_USB_BREQ_DEVICE_CONFIG,
 			     USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_INTERFACE,
 			     1,
-			     intf->altsetting[0].desc.bInterfaceNumber,
+			     intf->cur_altsetting->desc.bInterfaceNumber,
 			     dconf,
 			     sizeof(*dconf),
 			     1000);



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 34/78] can: tcan4x5x: tcan4x5x_can_probe(): get the device out of standby before register access
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 33/78] can: gs_usb: gs_usb_probe(): use descriptors of current altsetting Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 35/78] can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Nyekjaer, Dan Murphy, Marc Kleine-Budde

From: Sean Nyekjaer <sean@geanix.com>

commit 3069ce620daed85e4ef2b0c087dca2509f809470 upstream.

The m_can tries to detect if Non ISO Operation is available while in
standby mode, this function results in the following error:

| tcan4x5x spi2.0 (unnamed net_device) (uninitialized): Failed to init module
| tcan4x5x spi2.0: m_can device registered (irq=84, version=32)
| tcan4x5x spi2.0 can2: TCAN4X5X successfully initialized.

When the tcan device comes out of reset it goes in standby mode. The
m_can driver tries to access the control register but fails due to the
device being in standby mode.

So this patch will put the tcan device in normal mode before the m_can
driver does the initialization.

Fixes: 5443c226ba91 ("can: tcan4x5x: Add tcan4x5x driver to the kernel")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Acked-by: Dan Murphy <dmurphy@ti.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/m_can/tcan4x5x.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/net/can/m_can/tcan4x5x.c
+++ b/drivers/net/can/m_can/tcan4x5x.c
@@ -445,6 +445,10 @@ static int tcan4x5x_can_probe(struct spi
 
 	tcan4x5x_power_enable(priv->power, 1);
 
+	ret = tcan4x5x_init(mcan_class);
+	if (ret)
+		goto out_power;
+
 	ret = m_can_class_register(mcan_class);
 	if (ret)
 		goto out_power;



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 35/78] can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 34/78] can: tcan4x5x: tcan4x5x_can_probe(): get the device out of standby before register access Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 36/78] can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Florian Faber, Marc Kleine-Budde

From: Florian Faber <faber@faberman.de>

commit 2d77bd61a2927be8f4e00d9478fe6996c47e8d45 upstream.

Under load, the RX side of the mscan driver can get stuck while TX still
works. Restarting the interface locks up the system. This behaviour
could be reproduced reliably on a MPC5121e based system.

The patch fixes the return value of the NAPI polling function (should be
the number of processed packets, not constant 1) and the condition under
which IRQs are enabled again after polling is finished.

With this patch, no more lockups were observed over a test period of ten
days.

Fixes: afa17a500a36 ("net/can: add driver for mscan family & mpc52xx_mscan")
Signed-off-by: Florian Faber <faber@faberman.de>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/mscan/mscan.c |   21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

--- a/drivers/net/can/mscan/mscan.c
+++ b/drivers/net/can/mscan/mscan.c
@@ -381,13 +381,12 @@ static int mscan_rx_poll(struct napi_str
 	struct net_device *dev = napi->dev;
 	struct mscan_regs __iomem *regs = priv->reg_base;
 	struct net_device_stats *stats = &dev->stats;
-	int npackets = 0;
-	int ret = 1;
+	int work_done = 0;
 	struct sk_buff *skb;
 	struct can_frame *frame;
 	u8 canrflg;
 
-	while (npackets < quota) {
+	while (work_done < quota) {
 		canrflg = in_8(&regs->canrflg);
 		if (!(canrflg & (MSCAN_RXF | MSCAN_ERR_IF)))
 			break;
@@ -408,18 +407,18 @@ static int mscan_rx_poll(struct napi_str
 
 		stats->rx_packets++;
 		stats->rx_bytes += frame->can_dlc;
-		npackets++;
+		work_done++;
 		netif_receive_skb(skb);
 	}
 
-	if (!(in_8(&regs->canrflg) & (MSCAN_RXF | MSCAN_ERR_IF))) {
-		napi_complete(&priv->napi);
-		clear_bit(F_RX_PROGRESS, &priv->flags);
-		if (priv->can.state < CAN_STATE_BUS_OFF)
-			out_8(&regs->canrier, priv->shadow_canrier);
-		ret = 0;
+	if (work_done < quota) {
+		if (likely(napi_complete_done(&priv->napi, work_done))) {
+			clear_bit(F_RX_PROGRESS, &priv->flags);
+			if (priv->can.state < CAN_STATE_BUS_OFF)
+				out_8(&regs->canrier, priv->shadow_canrier);
+		}
 	}
-	return ret;
+	return work_done;
 }
 
 static irqreturn_t mscan_isr(int irq, void *dev_id)



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 36/78] can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 35/78] can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 37/78] gpiolib: acpi: Turn dmi_system_id table into a generic quirk table Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+b02ff0707a97e4e79ebb,
	Oliver Hartkopp, Marc Kleine-Budde

From: Oliver Hartkopp <socketcan@hartkopp.net>

commit e7153bf70c3496bac00e7e4f395bb8d8394ac0ea upstream.

KMSAN sysbot detected a read access to an untinitialized value in the
headroom of an outgoing CAN related sk_buff. When using CAN sockets this
area is filled appropriately - but when using a packet socket this
initialization is missing.

The problematic read access occurs in the CAN receive path which can
only be triggered when the sk_buff is sent through a (virtual) CAN
interface. So we check in the sending path whether we need to perform
the missing initializations.

Fixes: d3b58c47d330d ("can: replace timestamp as unique skb attribute")
Reported-by: syzbot+b02ff0707a97e4e79ebb@syzkaller.appspotmail.com
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Tested-by: Oliver Hartkopp <socketcan@hartkopp.net>
Cc: linux-stable <stable@vger.kernel.org> # >= v4.1
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/can/dev.h |   34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

--- a/include/linux/can/dev.h
+++ b/include/linux/can/dev.h
@@ -18,6 +18,7 @@
 #include <linux/can/error.h>
 #include <linux/can/led.h>
 #include <linux/can/netlink.h>
+#include <linux/can/skb.h>
 #include <linux/netdevice.h>
 
 /*
@@ -91,6 +92,36 @@ struct can_priv {
 #define get_can_dlc(i)		(min_t(__u8, (i), CAN_MAX_DLC))
 #define get_canfd_dlc(i)	(min_t(__u8, (i), CANFD_MAX_DLC))
 
+/* Check for outgoing skbs that have not been created by the CAN subsystem */
+static inline bool can_skb_headroom_valid(struct net_device *dev,
+					  struct sk_buff *skb)
+{
+	/* af_packet creates a headroom of HH_DATA_MOD bytes which is fine */
+	if (WARN_ON_ONCE(skb_headroom(skb) < sizeof(struct can_skb_priv)))
+		return false;
+
+	/* af_packet does not apply CAN skb specific settings */
+	if (skb->ip_summed == CHECKSUM_NONE) {
+		/* init headroom */
+		can_skb_prv(skb)->ifindex = dev->ifindex;
+		can_skb_prv(skb)->skbcnt = 0;
+
+		skb->ip_summed = CHECKSUM_UNNECESSARY;
+
+		/* preform proper loopback on capable devices */
+		if (dev->flags & IFF_ECHO)
+			skb->pkt_type = PACKET_LOOPBACK;
+		else
+			skb->pkt_type = PACKET_HOST;
+
+		skb_reset_mac_header(skb);
+		skb_reset_network_header(skb);
+		skb_reset_transport_header(skb);
+	}
+
+	return true;
+}
+
 /* Drop a given socketbuffer if it does not contain a valid CAN frame. */
 static inline bool can_dropped_invalid_skb(struct net_device *dev,
 					  struct sk_buff *skb)
@@ -108,6 +139,9 @@ static inline bool can_dropped_invalid_s
 	} else
 		goto inval_skb;
 
+	if (!can_skb_headroom_valid(dev, skb))
+		goto inval_skb;
+
 	return false;
 
 inval_skb:



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 37/78] gpiolib: acpi: Turn dmi_system_id table into a generic quirk table
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 36/78] can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 38/78] gpiolib: acpi: Add honor_wakeup module-option + quirk mechanism Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Shevchenko, Mika Westerberg,
	Hans de Goede, Linus Walleij

From: Hans de Goede <hdegoede@redhat.com>

commit 1ad1b54099c231aed8f6f257065c1b322583f264 upstream.

Turn the existing run_edge_events_on_boot_blacklist dmi_system_id table
into a generic quirk table, storing the quirks in the driver_data ptr.

This is a preparation patch for adding other types of (DMI based) quirks.

Cc: stable@vger.kernel.org
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20200105160357.97154-2-hdegoede@redhat.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpio/gpiolib-acpi.c |   19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

--- a/drivers/gpio/gpiolib-acpi.c
+++ b/drivers/gpio/gpiolib-acpi.c
@@ -21,6 +21,8 @@
 #include "gpiolib.h"
 #include "gpiolib-acpi.h"
 
+#define QUIRK_NO_EDGE_EVENTS_ON_BOOT		0x01l
+
 static int run_edge_events_on_boot = -1;
 module_param(run_edge_events_on_boot, int, 0444);
 MODULE_PARM_DESC(run_edge_events_on_boot,
@@ -1302,7 +1304,7 @@ static int acpi_gpio_handle_deferred_req
 /* We must use _sync so that this runs after the first deferred_probe run */
 late_initcall_sync(acpi_gpio_handle_deferred_request_irqs);
 
-static const struct dmi_system_id run_edge_events_on_boot_blacklist[] = {
+static const struct dmi_system_id gpiolib_acpi_quirks[] = {
 	{
 		/*
 		 * The Minix Neo Z83-4 has a micro-USB-B id-pin handler for
@@ -1312,7 +1314,8 @@ static const struct dmi_system_id run_ed
 		.matches = {
 			DMI_MATCH(DMI_SYS_VENDOR, "MINIX"),
 			DMI_MATCH(DMI_PRODUCT_NAME, "Z83-4"),
-		}
+		},
+		.driver_data = (void *)QUIRK_NO_EDGE_EVENTS_ON_BOOT,
 	},
 	{
 		/*
@@ -1324,15 +1327,23 @@ static const struct dmi_system_id run_ed
 		.matches = {
 			DMI_MATCH(DMI_SYS_VENDOR, "Wortmann_AG"),
 			DMI_MATCH(DMI_PRODUCT_NAME, "TERRA_PAD_1061"),
-		}
+		},
+		.driver_data = (void *)QUIRK_NO_EDGE_EVENTS_ON_BOOT,
 	},
 	{} /* Terminating entry */
 };
 
 static int acpi_gpio_setup_params(void)
 {
+	const struct dmi_system_id *id;
+	long quirks = 0;
+
+	id = dmi_first_match(gpiolib_acpi_quirks);
+	if (id)
+		quirks = (long)id->driver_data;
+
 	if (run_edge_events_on_boot < 0) {
-		if (dmi_check_system(run_edge_events_on_boot_blacklist))
+		if (quirks & QUIRK_NO_EDGE_EVENTS_ON_BOOT)
 			run_edge_events_on_boot = 0;
 		else
 			run_edge_events_on_boot = 1;



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 38/78] gpiolib: acpi: Add honor_wakeup module-option + quirk mechanism
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 37/78] gpiolib: acpi: Turn dmi_system_id table into a generic quirk table Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 39/78] pstore/ram: Regularize prz label allocation lifetime Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Shevchenko, Mika Westerberg,
	Hans de Goede, Linus Walleij

From: Hans de Goede <hdegoede@redhat.com>

commit aa23ca3d98f756d5b1e503fb140665fb24a41a38 upstream.

On some laptops enabling wakeup on the GPIO interrupts used for ACPI _AEI
event handling causes spurious wakeups.

This commit adds a new honor_wakeup option, defaulting to true (our current
behavior), which can be used to disable wakeup on troublesome hardware
to avoid these spurious wakeups.

This is a workaround for an architectural problem with s2idle under Linux
where we do not have any mechanism to immediately go back to sleep after
wakeup events, other then for embedded-controller events using the standard
ACPI EC interface, for details see:
https://lore.kernel.org/linux-acpi/61450f9b-cbc6-0c09-8b3a-aff6bf9a0b3c@redhat.com/

One series of laptops which is not able to suspend without this workaround
is the HP x2 10 Cherry Trail models, this commit adds a DMI based quirk
which makes sets honor_wakeup to false on these models.

Cc: stable@vger.kernel.org
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20200105160357.97154-3-hdegoede@redhat.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpio/gpiolib-acpi.c |   32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

--- a/drivers/gpio/gpiolib-acpi.c
+++ b/drivers/gpio/gpiolib-acpi.c
@@ -22,12 +22,18 @@
 #include "gpiolib-acpi.h"
 
 #define QUIRK_NO_EDGE_EVENTS_ON_BOOT		0x01l
+#define QUIRK_NO_WAKEUP				0x02l
 
 static int run_edge_events_on_boot = -1;
 module_param(run_edge_events_on_boot, int, 0444);
 MODULE_PARM_DESC(run_edge_events_on_boot,
 		 "Run edge _AEI event-handlers at boot: 0=no, 1=yes, -1=auto");
 
+static int honor_wakeup = -1;
+module_param(honor_wakeup, int, 0444);
+MODULE_PARM_DESC(honor_wakeup,
+		 "Honor the ACPI wake-capable flag: 0=no, 1=yes, -1=auto");
+
 /**
  * struct acpi_gpio_event - ACPI GPIO event handler data
  *
@@ -276,7 +282,7 @@ static acpi_status acpi_gpiochip_alloc_e
 	event->handle = evt_handle;
 	event->handler = handler;
 	event->irq = irq;
-	event->irq_is_wake = agpio->wake_capable == ACPI_WAKE_CAPABLE;
+	event->irq_is_wake = honor_wakeup && agpio->wake_capable == ACPI_WAKE_CAPABLE;
 	event->pin = pin;
 	event->desc = desc;
 
@@ -1330,6 +1336,23 @@ static const struct dmi_system_id gpioli
 		},
 		.driver_data = (void *)QUIRK_NO_EDGE_EVENTS_ON_BOOT,
 	},
+	{
+		/*
+		 * Various HP X2 10 Cherry Trail models use an external
+		 * embedded-controller connected via I2C + an ACPI GPIO
+		 * event handler. The embedded controller generates various
+		 * spurious wakeup events when suspended. So disable wakeup
+		 * for its handler (it uses the only ACPI GPIO event handler).
+		 * This breaks wakeup when opening the lid, the user needs
+		 * to press the power-button to wakeup the system. The
+		 * alternative is suspend simply not working, which is worse.
+		 */
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "HP"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "HP x2 Detachable 10-p0XX"),
+		},
+		.driver_data = (void *)QUIRK_NO_WAKEUP,
+	},
 	{} /* Terminating entry */
 };
 
@@ -1349,6 +1372,13 @@ static int acpi_gpio_setup_params(void)
 			run_edge_events_on_boot = 1;
 	}
 
+	if (honor_wakeup < 0) {
+		if (quirks & QUIRK_NO_WAKEUP)
+			honor_wakeup = 0;
+		else
+			honor_wakeup = 1;
+	}
+
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 39/78] pstore/ram: Regularize prz label allocation lifetime
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 38/78] gpiolib: acpi: Add honor_wakeup module-option + quirk mechanism Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 40/78] staging: vt6656: set usb_set_intfdata on driver fail Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Cengiz Can, Kees Cook

From: Kees Cook <keescook@chromium.org>

commit e163fdb3f7f8c62dccf194f3f37a7bcb3c333aa8 upstream.

In my attempt to fix a memory leak, I introduced a double-free in the
pstore error path. Instead of trying to manage the allocation lifetime
between persistent_ram_new() and its callers, adjust the logic so
persistent_ram_new() always takes a kstrdup() copy, and leaves the
caller's allocation lifetime up to the caller. Therefore callers are
_always_ responsible for freeing their label. Before, it only needed
freeing when the prz itself failed to allocate, and not in any of the
other prz failure cases, which callers would have no visibility into,
which is the root design problem that lead to both the leak and now
double-free bugs.

Reported-by: Cengiz Can <cengiz@kernel.wtf>
Link: https://lore.kernel.org/lkml/d4ec59002ede4aaf9928c7f7526da87c@kernel.wtf
Fixes: 8df955a32a73 ("pstore/ram: Fix error-path memory leak in persistent_ram_new() callers")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/pstore/ram.c      |    4 ++--
 fs/pstore/ram_core.c |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

--- a/fs/pstore/ram.c
+++ b/fs/pstore/ram.c
@@ -583,12 +583,12 @@ static int ramoops_init_przs(const char
 		prz_ar[i] = persistent_ram_new(*paddr, zone_sz, sig,
 					       &cxt->ecc_info,
 					       cxt->memtype, flags, label);
+		kfree(label);
 		if (IS_ERR(prz_ar[i])) {
 			err = PTR_ERR(prz_ar[i]);
 			dev_err(dev, "failed to request %s mem region (0x%zx@0x%llx): %d\n",
 				name, record_size,
 				(unsigned long long)*paddr, err);
-			kfree(label);
 
 			while (i > 0) {
 				i--;
@@ -629,12 +629,12 @@ static int ramoops_init_prz(const char *
 	label = kasprintf(GFP_KERNEL, "ramoops:%s", name);
 	*prz = persistent_ram_new(*paddr, sz, sig, &cxt->ecc_info,
 				  cxt->memtype, PRZ_FLAG_ZAP_OLD, label);
+	kfree(label);
 	if (IS_ERR(*prz)) {
 		int err = PTR_ERR(*prz);
 
 		dev_err(dev, "failed to request %s mem region (0x%zx@0x%llx): %d\n",
 			name, sz, (unsigned long long)*paddr, err);
-		kfree(label);
 		return err;
 	}
 
--- a/fs/pstore/ram_core.c
+++ b/fs/pstore/ram_core.c
@@ -574,7 +574,7 @@ struct persistent_ram_zone *persistent_r
 	/* Initialize general buffer state. */
 	raw_spin_lock_init(&prz->buffer_lock);
 	prz->flags = flags;
-	prz->label = label;
+	prz->label = kstrdup(label, GFP_KERNEL);
 
 	ret = persistent_ram_buffer_map(start, size, prz, memtype);
 	if (ret)



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 40/78] staging: vt6656: set usb_set_intfdata on driver fail.
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 39/78] pstore/ram: Regularize prz label allocation lifetime Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 41/78] staging: vt6656: Fix non zero logical return of, usb_control_msg Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Malcolm Priestley

From: Malcolm Priestley <tvboxspy@gmail.com>

commit c0bcf9f3f5b661d4ace2a64a79ef661edd2a4dc8 upstream.

intfdata will contain stale pointer when the device is detached after
failed initialization when referenced in vt6656_disconnect

Provide driver access to it here and NULL it.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Link: https://lore.kernel.org/r/6de448d7-d833-ef2e-dd7b-3ef9992fee0e@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/vt6656/device.h   |    1 +
 drivers/staging/vt6656/main_usb.c |    1 +
 drivers/staging/vt6656/wcmd.c     |    1 +
 3 files changed, 3 insertions(+)

--- a/drivers/staging/vt6656/device.h
+++ b/drivers/staging/vt6656/device.h
@@ -259,6 +259,7 @@ struct vnt_private {
 	u8 mac_hw;
 	/* netdev */
 	struct usb_device *usb;
+	struct usb_interface *intf;
 
 	u64 tsf_time;
 	u8 rx_rate;
--- a/drivers/staging/vt6656/main_usb.c
+++ b/drivers/staging/vt6656/main_usb.c
@@ -993,6 +993,7 @@ vt6656_probe(struct usb_interface *intf,
 	priv = hw->priv;
 	priv->hw = hw;
 	priv->usb = udev;
+	priv->intf = intf;
 
 	vnt_set_options(priv);
 
--- a/drivers/staging/vt6656/wcmd.c
+++ b/drivers/staging/vt6656/wcmd.c
@@ -99,6 +99,7 @@ void vnt_run_command(struct work_struct
 		if (vnt_init(priv)) {
 			/* If fail all ends TODO retry */
 			dev_err(&priv->usb->dev, "failed to start\n");
+			usb_set_intfdata(priv->intf, NULL);
 			ieee80211_free_hw(priv->hw);
 			return;
 		}



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 41/78] staging: vt6656: Fix non zero logical return of, usb_control_msg
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 40/78] staging: vt6656: set usb_set_intfdata on driver fail Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 42/78] usb: cdns3: should not use the same dev_id for shared interrupt handler Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Malcolm Priestley

From: Malcolm Priestley <tvboxspy@gmail.com>

commit 58c3e681b04dd57c70d0dcb7b69fe52d043ff75a upstream.

Starting with commit 59608cb1de1856
("staging: vt6656: clean function's error path in usbpipe.c")
the usb control functions have returned errors throughout driver
with only logical variable checking.

However, usb_control_msg return the amount of bytes transferred
this means that normal operation causes errors.

Correct the return function so only return zero when transfer
is successful.

Cc: stable <stable@vger.kernel.org> # v5.3+
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Link: https://lore.kernel.org/r/08e88842-6f78-a2e3-a7a0-139fec960b2b@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/vt6656/usbpipe.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/staging/vt6656/usbpipe.c
+++ b/drivers/staging/vt6656/usbpipe.c
@@ -59,7 +59,9 @@ int vnt_control_out(struct vnt_private *
 
 	kfree(usb_buffer);
 
-	if (ret >= 0 && ret < (int)length)
+	if (ret == (int)length)
+		ret = 0;
+	else
 		ret = -EIO;
 
 end_unlock:
@@ -103,7 +105,9 @@ int vnt_control_in(struct vnt_private *p
 
 	kfree(usb_buffer);
 
-	if (ret >= 0 && ret < (int)length)
+	if (ret == (int)length)
+		ret = 0;
+	else
 		ret = -EIO;
 
 end_unlock:



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 42/78] usb: cdns3: should not use the same dev_id for shared interrupt handler
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 41/78] staging: vt6656: Fix non zero logical return of, usb_control_msg Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 43/78] usb: ohci-da8xx: ensure error return on variable error is set Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Peter Chen

From: Peter Chen <peter.chen@nxp.com>

commit af58e1fca9840192f14b6f03c59595d64bff9127 upstream.

Both drd and gadget interrupt handler use the struct cdns3 pointer as
dev_id, it causes devm_free_irq at cdns3_gadget_exit doesn't free
gadget's interrupt handler, it freed drd's handler. So, when the
host interrupt occurs, the gadget's interrupt hanlder is still
called, and causes below oops. To fix it, we use gadget's private
data priv_dev as interrupt dev_id for gadget.

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000380
Mem abort info:
  ESR = 0x96000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000000971d79000
[0000000000000380] pgd=0000000971d6f003, pud=0000000971d6e003, pmd=0000000000000000
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Modules linked in: mxc_jpeg_encdec crct10dif_ce fsl_imx8_ddr_perf
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-03486-g69f4e7d9c54a-dirty #254
Hardware name: Freescale i.MX8QM MEK (DT)
pstate: 00000085 (nzcv daIf -PAN -UAO)
pc : cdns3_device_irq_handler+0x1c/0xb8
lr : __handle_irq_event_percpu+0x78/0x2c0
sp : ffff800010003e30
x29: ffff800010003e30 x28: ffff8000129bb000
x27: ffff8000126e9000 x26: ffff0008f61b5600
x25: ffff800011fe1018 x24: ffff8000126ea120
x23: ffff800010003f04 x22: 0000000000000000
x21: 0000000000000093 x20: ffff0008f61b5600
x19: ffff0008f5061a80 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000
x15: 0000000000000000 x14: 003d090000000000
x13: 00003d0900000000 x12: 0000000000000000
x11: 00003d0900000000 x10: 0000000000000040
x9 : ffff800012708cb8 x8 : ffff800012708cb0
x7 : ffff0008f7c7a9d0 x6 : 0000000000000000
x5 : ffff0008f7c7a910 x4 : ffff8008ed359000
x3 : ffff800010003f40 x2 : 0000000000000000
x1 : ffff0008f5061a80 x0 : ffff800010161a60
Call trace:
 cdns3_device_irq_handler+0x1c/0xb8
 __handle_irq_event_percpu+0x78/0x2c0
 handle_irq_event_percpu+0x40/0x98
 handle_irq_event+0x4c/0xd0
 handle_fasteoi_irq+0xbc/0x168
 generic_handle_irq+0x34/0x50
 __handle_domain_irq+0x6c/0xc0
 gic_handle_irq+0xd4/0x174
 el1_irq+0xb8/0x180
 arch_cpu_idle+0x3c/0x230
 default_idle_call+0x38/0x40
 do_idle+0x20c/0x298
 cpu_startup_entry+0x28/0x48
 rest_init+0xdc/0xe8
 arch_call_rest_init+0x14/0x1c
 start_kernel+0x48c/0x4b8
Code: aa0103f3 aa1e03e0 d503201f f9409662 (f941c040)
---[ end trace 091dcf4dee011b0e ]---
Kernel panic - not syncing: Fatal exception in interrupt
SMP: stopping secondary CPUs
Kernel Offset: disabled
CPU features: 0x0002,2100600c
Memory Limit: none
---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
Cc: <stable@vger.kernel.org> #v5.4
Signed-off-by: Peter Chen <peter.chen@nxp.com>
Link: https://lore.kernel.org/r/1577437804-18146-1-git-send-email-peter.chen@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/cdns3/gadget.c |   14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

--- a/drivers/usb/cdns3/gadget.c
+++ b/drivers/usb/cdns3/gadget.c
@@ -1375,13 +1375,10 @@ static void cdns3_check_usb_interrupt_pr
  */
 static irqreturn_t cdns3_device_irq_handler(int irq, void *data)
 {
-	struct cdns3_device *priv_dev;
-	struct cdns3 *cdns = data;
+	struct cdns3_device *priv_dev = data;
 	irqreturn_t ret = IRQ_NONE;
 	u32 reg;
 
-	priv_dev = cdns->gadget_dev;
-
 	/* check USB device interrupt */
 	reg = readl(&priv_dev->regs->usb_ists);
 	if (reg) {
@@ -1419,14 +1416,12 @@ static irqreturn_t cdns3_device_irq_hand
  */
 static irqreturn_t cdns3_device_thread_irq_handler(int irq, void *data)
 {
-	struct cdns3_device *priv_dev;
-	struct cdns3 *cdns = data;
+	struct cdns3_device *priv_dev = data;
 	irqreturn_t ret = IRQ_NONE;
 	unsigned long flags;
 	int bit;
 	u32 reg;
 
-	priv_dev = cdns->gadget_dev;
 	spin_lock_irqsave(&priv_dev->lock, flags);
 
 	reg = readl(&priv_dev->regs->usb_ists);
@@ -2539,7 +2534,7 @@ void cdns3_gadget_exit(struct cdns3 *cdn
 
 	priv_dev = cdns->gadget_dev;
 
-	devm_free_irq(cdns->dev, cdns->dev_irq, cdns);
+	devm_free_irq(cdns->dev, cdns->dev_irq, priv_dev);
 
 	pm_runtime_mark_last_busy(cdns->dev);
 	pm_runtime_put_autosuspend(cdns->dev);
@@ -2710,7 +2705,8 @@ static int __cdns3_gadget_init(struct cd
 	ret = devm_request_threaded_irq(cdns->dev, cdns->dev_irq,
 					cdns3_device_irq_handler,
 					cdns3_device_thread_irq_handler,
-					IRQF_SHARED, dev_name(cdns->dev), cdns);
+					IRQF_SHARED, dev_name(cdns->dev),
+					cdns->gadget_dev);
 
 	if (ret)
 		goto err0;



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 43/78] usb: ohci-da8xx: ensure error return on variable error is set
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 42/78] usb: cdns3: should not use the same dev_id for shared interrupt handler Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 44/78] USB-PD tcpm: bad warning+size, PPS adapters Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Colin Ian King, Alan Stern

From: Colin Ian King <colin.king@canonical.com>

commit ba9b40810bb43e6bf73b395012b98633c03f7f59 upstream.

Currently when an error occurs when calling devm_gpiod_get_optional or
calling gpiod_to_irq it causes an uninitialized error return in variable
'error' to be returned.  Fix this by ensuring the error variable is set
from da8xx_ohci->oc_gpio and oc_irq.

Thanks to Dan Carpenter for spotting the uninitialized error in the
gpiod_to_irq failure case.

Addresses-Coverity: ("Uninitialized scalar variable")
Fixes: d193abf1c913 ("usb: ohci-da8xx: add vbus and overcurrent gpios")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Cc: stable <stable@vger.kernel.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20200107123901.101190-1-colin.king@canonical.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/ohci-da8xx.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/usb/host/ohci-da8xx.c
+++ b/drivers/usb/host/ohci-da8xx.c
@@ -415,13 +415,17 @@ static int ohci_da8xx_probe(struct platf
 	}
 
 	da8xx_ohci->oc_gpio = devm_gpiod_get_optional(dev, "oc", GPIOD_IN);
-	if (IS_ERR(da8xx_ohci->oc_gpio))
+	if (IS_ERR(da8xx_ohci->oc_gpio)) {
+		error = PTR_ERR(da8xx_ohci->oc_gpio);
 		goto err;
+	}
 
 	if (da8xx_ohci->oc_gpio) {
 		oc_irq = gpiod_to_irq(da8xx_ohci->oc_gpio);
-		if (oc_irq < 0)
+		if (oc_irq < 0) {
+			error = oc_irq;
 			goto err;
+		}
 
 		error = devm_request_threaded_irq(dev, oc_irq, NULL,
 				ohci_da8xx_oc_thread, IRQF_TRIGGER_RISING |



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 44/78] USB-PD tcpm: bad warning+size, PPS adapters
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 43/78] usb: ohci-da8xx: ensure error return on variable error is set Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 45/78] USB: serial: option: add ZLP support for 0x1bc7/0x9010 Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Douglas Gilbert, Guenter Roeck

From: Douglas Gilbert <dgilbert@interlog.com>

commit c215e48e97d232249a33849fc46fc50311043e11 upstream.

Augmented Power Delivery Objects (A)PDO_s are used by USB-C
PD power adapters to advertize the voltages and currents
they support. There can be up to 7 PDO_s but before PPS
(programmable power supply) there were seldom more than 4
or 5. Recently Samsung released an optional PPS 45 Watt power
adapter (EP-TA485) that has 7 PDO_s. It is for the Galaxy 10+
tablet and charges it quicker than the adapter supplied at
purchase. The EP-TA485 causes an overzealous WARN_ON to soil
the log plus it miscalculates the number of bytes to read.

So this bug has been there for some time but goes
undetected for the majority of USB-C PD power adapters on
the market today that have 6 or less PDO_s. That may soon
change as more USB-C PD adapters with PPS come to market.

Tested on a EP-TA485 and an older Lenovo PN: SA10M13950
USB-C 65 Watt adapter (without PPS and has 4 PDO_s) plus
several other PD power adapters.

Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191230033544.1809-1-dgilbert@interlog.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/typec/tcpm/tcpci.c |   20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

--- a/drivers/usb/typec/tcpm/tcpci.c
+++ b/drivers/usb/typec/tcpm/tcpci.c
@@ -432,20 +432,30 @@ irqreturn_t tcpci_irq(struct tcpci *tcpc
 
 	if (status & TCPC_ALERT_RX_STATUS) {
 		struct pd_message msg;
-		unsigned int cnt;
+		unsigned int cnt, payload_cnt;
 		u16 header;
 
 		regmap_read(tcpci->regmap, TCPC_RX_BYTE_CNT, &cnt);
+		/*
+		 * 'cnt' corresponds to READABLE_BYTE_COUNT in section 4.4.14
+		 * of the TCPCI spec [Rev 2.0 Ver 1.0 October 2017] and is
+		 * defined in table 4-36 as one greater than the number of
+		 * bytes received. And that number includes the header. So:
+		 */
+		if (cnt > 3)
+			payload_cnt = cnt - (1 + sizeof(msg.header));
+		else
+			payload_cnt = 0;
 
 		tcpci_read16(tcpci, TCPC_RX_HDR, &header);
 		msg.header = cpu_to_le16(header);
 
-		if (WARN_ON(cnt > sizeof(msg.payload)))
-			cnt = sizeof(msg.payload);
+		if (WARN_ON(payload_cnt > sizeof(msg.payload)))
+			payload_cnt = sizeof(msg.payload);
 
-		if (cnt > 0)
+		if (payload_cnt > 0)
 			regmap_raw_read(tcpci->regmap, TCPC_RX_DATA,
-					&msg.payload, cnt);
+					&msg.payload, payload_cnt);
 
 		/* Read complete, clear RX status alert bit */
 		tcpci_write16(tcpci, TCPC_ALERT, TCPC_ALERT_RX_STATUS);



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 45/78] USB: serial: option: add ZLP support for 0x1bc7/0x9010
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 44/78] USB-PD tcpm: bad warning+size, PPS adapters Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 46/78] usb: musb: fix idling for suspend after disconnect interrupt Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Daniele Palmas, Johan Hovold

From: Daniele Palmas <dnlplm@gmail.com>

commit 2438c3a19dec5e98905fd3ffcc2f24716aceda6b upstream.

Telit FN980 flashing device 0x1bc7/0x9010 requires zero packet
to be sent if out data size is is equal to the endpoint max size.

Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
[ johan: switch operands in conditional ]
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/option.c   |    8 ++++++++
 drivers/usb/serial/usb-wwan.h |    1 +
 drivers/usb/serial/usb_wwan.c |    4 ++++
 3 files changed, 13 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -567,6 +567,9 @@ static void option_instat_callback(struc
 /* Interface must have two endpoints */
 #define NUMEP2		BIT(16)
 
+/* Device needs ZLP */
+#define ZLP		BIT(17)
+
 
 static const struct usb_device_id option_ids[] = {
 	{ USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) },
@@ -1198,6 +1201,8 @@ static const struct usb_device_id option
 	  .driver_info = NCTRL(0) | RSVD(1) },
 	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1901, 0xff),	/* Telit LN940 (MBIM) */
 	  .driver_info = NCTRL(0) },
+	{ USB_DEVICE(TELIT_VENDOR_ID, 0x9010),				/* Telit SBL FN980 flashing device */
+	  .driver_info = NCTRL(0) | ZLP },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0002, 0xff, 0xff, 0xff),
 	  .driver_info = RSVD(1) },
@@ -2099,6 +2104,9 @@ static int option_attach(struct usb_seri
 	if (!(device_flags & NCTRL(iface_desc->bInterfaceNumber)))
 		data->use_send_setup = 1;
 
+	if (device_flags & ZLP)
+		data->use_zlp = 1;
+
 	spin_lock_init(&data->susp_lock);
 
 	usb_set_serial_data(serial, data);
--- a/drivers/usb/serial/usb-wwan.h
+++ b/drivers/usb/serial/usb-wwan.h
@@ -38,6 +38,7 @@ struct usb_wwan_intf_private {
 	spinlock_t susp_lock;
 	unsigned int suspended:1;
 	unsigned int use_send_setup:1;
+	unsigned int use_zlp:1;
 	int in_flight;
 	unsigned int open_ports;
 	void *private;
--- a/drivers/usb/serial/usb_wwan.c
+++ b/drivers/usb/serial/usb_wwan.c
@@ -461,6 +461,7 @@ static struct urb *usb_wwan_setup_urb(st
 				      void (*callback) (struct urb *))
 {
 	struct usb_serial *serial = port->serial;
+	struct usb_wwan_intf_private *intfdata = usb_get_serial_data(serial);
 	struct urb *urb;
 
 	urb = usb_alloc_urb(0, GFP_KERNEL);	/* No ISO */
@@ -471,6 +472,9 @@ static struct urb *usb_wwan_setup_urb(st
 			  usb_sndbulkpipe(serial->dev, endpoint) | dir,
 			  buf, len, callback, ctx);
 
+	if (intfdata->use_zlp && dir == USB_DIR_OUT)
+		urb->transfer_flags |= URB_ZERO_PACKET;
+
 	return urb;
 }
 



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 46/78] usb: musb: fix idling for suspend after disconnect interrupt
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 45/78] USB: serial: option: add ZLP support for 0x1bc7/0x9010 Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 47/78] usb: musb: Disable pullup at init Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Merlijn Wajer, Pavel Machek,
	Sebastian Reichel, Tony Lindgren, Bin Liu

From: Tony Lindgren <tony@atomide.com>

commit 5fbf7a2534703fd71159d3d71504b0ad01b43394 upstream.

When disconnected as USB B-device, suspend interrupt should come before
diconnect interrupt, because the DP/DM pins are shorter than the
VBUS/GND pins on the USB connectors. But we sometimes get a suspend
interrupt after disconnect interrupt. In that case we have devctl set to
99 with VBUS still valid and musb_pm_runtime_check_session() wrongly
thinks we have an active session. We have no other interrupts after
disconnect coming in this case at least with the omap2430 glue.

Let's fix the issue by checking the interrupt status again with
delayed work for the devctl 99 case. In the suspend after disconnect
case the devctl session bit has cleared by then and musb can idle.
For a typical USB B-device connect case we just continue with normal
interrupts.

Fixes: 467d5c980709 ("usb: musb: Implement session bit based runtime PM for musb-core")

Cc: Merlijn Wajer <merlijn@wizzup.org>
Cc: Pavel Machek <pavel@ucw.cz>
Cc: Sebastian Reichel <sre@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Link: https://lore.kernel.org/r/20200107152625.857-2-b-liu@ti.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/musb/musb_core.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/usb/musb/musb_core.c
+++ b/drivers/usb/musb/musb_core.c
@@ -1840,6 +1840,9 @@ ATTRIBUTE_GROUPS(musb);
 #define MUSB_QUIRK_B_INVALID_VBUS_91	(MUSB_DEVCTL_BDEVICE | \
 					 (2 << MUSB_DEVCTL_VBUS_SHIFT) | \
 					 MUSB_DEVCTL_SESSION)
+#define MUSB_QUIRK_B_DISCONNECT_99	(MUSB_DEVCTL_BDEVICE | \
+					 (3 << MUSB_DEVCTL_VBUS_SHIFT) | \
+					 MUSB_DEVCTL_SESSION)
 #define MUSB_QUIRK_A_DISCONNECT_19	((3 << MUSB_DEVCTL_VBUS_SHIFT) | \
 					 MUSB_DEVCTL_SESSION)
 
@@ -1862,6 +1865,11 @@ static void musb_pm_runtime_check_sessio
 	s = MUSB_DEVCTL_FSDEV | MUSB_DEVCTL_LSDEV |
 		MUSB_DEVCTL_HR;
 	switch (devctl & ~s) {
+	case MUSB_QUIRK_B_DISCONNECT_99:
+		musb_dbg(musb, "Poll devctl in case of suspend after disconnect\n");
+		schedule_delayed_work(&musb->irq_work,
+				      msecs_to_jiffies(1000));
+		break;
 	case MUSB_QUIRK_B_INVALID_VBUS_91:
 		if (musb->quirk_retries && !musb->flush_irq_work) {
 			musb_dbg(musb,



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 47/78] usb: musb: Disable pullup at init
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 46/78] usb: musb: fix idling for suspend after disconnect interrupt Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 48/78] usb: musb: dma: Correct parameter passed to IRQ handler Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Paul Cercueil, Bin Liu

From: Paul Cercueil <paul@crapouillou.net>

commit 96a0c12843109e5c4d5eb1e09d915fdd0ce31d25 upstream.

The pullup may be already enabled before the driver is initialized. This
happens for instance on JZ4740.

It has to be disabled at init time, as we cannot guarantee that a gadget
driver will be bound to the UDC.

Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Suggested-by: Bin Liu <b-liu@ti.com>
Cc: stable@vger.kernel.org
Signed-off-by: Bin Liu <b-liu@ti.com>
Link: https://lore.kernel.org/r/20200107152625.857-3-b-liu@ti.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/musb/musb_core.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/musb/musb_core.c
+++ b/drivers/usb/musb/musb_core.c
@@ -2318,6 +2318,9 @@ musb_init_controller(struct device *dev,
 	musb_disable_interrupts(musb);
 	musb_writeb(musb->mregs, MUSB_DEVCTL, 0);
 
+	/* MUSB_POWER_SOFTCONN might be already set, JZ4740 does this. */
+	musb_writeb(musb->mregs, MUSB_POWER, 0);
+
 	/* Init IRQ workqueue before request_irq */
 	INIT_DELAYED_WORK(&musb->irq_work, musb_irq_work);
 	INIT_DELAYED_WORK(&musb->deassert_reset_work, musb_deassert_reset);



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 48/78] usb: musb: dma: Correct parameter passed to IRQ handler
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 47/78] usb: musb: Disable pullup at init Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 49/78] staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul Cercueil, Artur Rojek, Bin Liu

From: Paul Cercueil <paul@crapouillou.net>

commit c80d0f4426c7fdc7efd6ae8d8b021dcfc89b4254 upstream.

The IRQ handler was passed a pointer to a struct dma_controller, but the
argument was then casted to a pointer to a struct musb_dma_controller.

Fixes: 427c4f333474 ("usb: struct device - replace bus_id with dev_name(), dev_set_name()")
Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Tested-by: Artur Rojek <contact@artur-rojek.eu>
Cc: stable@vger.kernel.org
Signed-off-by: Bin Liu <b-liu@ti.com>
Link: https://lore.kernel.org/r/20191216161844.772-2-b-liu@ti.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/musb/musbhsdma.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/musb/musbhsdma.c
+++ b/drivers/usb/musb/musbhsdma.c
@@ -425,7 +425,7 @@ struct dma_controller *musbhs_dma_contro
 	controller->controller.channel_abort = dma_channel_abort;
 
 	if (request_irq(irq, dma_controller_irq, 0,
-			dev_name(musb->controller), &controller->controller)) {
+			dev_name(musb->controller), controller)) {
 		dev_err(dev, "request_irq %d failed!\n", irq);
 		musb_dma_controller_destroy(&controller->controller);
 



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 49/78] staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 48/78] usb: musb: dma: Correct parameter passed to IRQ handler Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 50/78] staging: vt6656: correct return of vnt_init_registers Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmytro Fil, Ian Abbott

From: Ian Abbott <abbotti@mev.co.uk>

commit a9d3a9cedc1330c720e0ddde1978a8e7771da5ab upstream.

The Advantech PCI-1713 has 32 analog input channels, but an incorrect
bit-mask in the definition of the `PCI171X_MUX_CHANH(x)` and
PCI171X_MUX_CHANL(x)` macros is causing channels 16 to 31 to be aliases
of channels 0 to 15.  Change the bit-mask value from 0xf to 0xff to fix
it.  Note that the channel numbers will have been range checked already,
so the bit-mask isn't really needed.

Fixes: 92c65e5553ed ("staging: comedi: adv_pci1710: define the mux control register bits")
Reported-by: Dmytro Fil <monkdaf@gmail.com>
Cc: <stable@vger.kernel.org> # v4.5+
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20191227170054.32051-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/comedi/drivers/adv_pci1710.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/staging/comedi/drivers/adv_pci1710.c
+++ b/drivers/staging/comedi/drivers/adv_pci1710.c
@@ -46,8 +46,8 @@
 #define PCI171X_RANGE_UNI	BIT(4)
 #define PCI171X_RANGE_GAIN(x)	(((x) & 0x7) << 0)
 #define PCI171X_MUX_REG		0x04	/* W:   A/D multiplexor control */
-#define PCI171X_MUX_CHANH(x)	(((x) & 0xf) << 8)
-#define PCI171X_MUX_CHANL(x)	(((x) & 0xf) << 0)
+#define PCI171X_MUX_CHANH(x)	(((x) & 0xff) << 8)
+#define PCI171X_MUX_CHANL(x)	(((x) & 0xff) << 0)
 #define PCI171X_MUX_CHAN(x)	(PCI171X_MUX_CHANH(x) | PCI171X_MUX_CHANL(x))
 #define PCI171X_STATUS_REG	0x06	/* R:   status register */
 #define PCI171X_STATUS_IRQ	BIT(11)	/* 1=IRQ occurred */



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 50/78] staging: vt6656: correct return of vnt_init_registers.
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 49/78] staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 51/78] staging: vt6656: limit reg output to block size Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Malcolm Priestley

From: Malcolm Priestley <tvboxspy@gmail.com>

commit 7de6155c8968a3342d1bef3f7a2084d31ae6e4be upstream.

The driver standard error returns remove bool false conditions.

Cc: stable <stable@vger.kernel.org> # v5.3+
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Link: https://lore.kernel.org/r/072ec0b3-425f-277e-130c-1e3a116c90d6@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/vt6656/main_usb.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/vt6656/main_usb.c
+++ b/drivers/staging/vt6656/main_usb.c
@@ -950,7 +950,7 @@ static const struct ieee80211_ops vnt_ma
 
 int vnt_init(struct vnt_private *priv)
 {
-	if (!(vnt_init_registers(priv)))
+	if (vnt_init_registers(priv))
 		return -EAGAIN;
 
 	SET_IEEE80211_PERM_ADDR(priv->hw, priv->permanent_net_addr);



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 51/78] staging: vt6656: limit reg output to block size
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 50/78] staging: vt6656: correct return of vnt_init_registers Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 52/78] staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21 Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Malcolm Priestley

From: Malcolm Priestley <tvboxspy@gmail.com>

commit 69cc1f925e1aa74b96e2ace67e3453a50d091d2f upstream.

vnt_control_out appears to fail when BBREG is greater than 64 writes.

Create new function that will relay an array in no larger than
the indicated block size.

It appears that this command has always failed but was ignored by
driver until the introduction of error checking.

Cc: stable <stable@vger.kernel.org> # v5.3+
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Link: https://lore.kernel.org/r/a41f0601-df46-ce6e-ab7c-35e697946e2a@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/vt6656/baseband.c |    4 ++--
 drivers/staging/vt6656/usbpipe.c  |   17 +++++++++++++++++
 drivers/staging/vt6656/usbpipe.h  |    5 +++++
 3 files changed, 24 insertions(+), 2 deletions(-)

--- a/drivers/staging/vt6656/baseband.c
+++ b/drivers/staging/vt6656/baseband.c
@@ -449,8 +449,8 @@ int vnt_vt3184_init(struct vnt_private *
 
 	memcpy(array, addr, length);
 
-	ret = vnt_control_out(priv, MESSAGE_TYPE_WRITE, 0,
-			      MESSAGE_REQUEST_BBREG, length, array);
+	ret = vnt_control_out_blocks(priv, VNT_REG_BLOCK_SIZE,
+				     MESSAGE_REQUEST_BBREG, length, array);
 	if (ret)
 		goto end;
 
--- a/drivers/staging/vt6656/usbpipe.c
+++ b/drivers/staging/vt6656/usbpipe.c
@@ -76,6 +76,23 @@ int vnt_control_out_u8(struct vnt_privat
 			       reg_off, reg, sizeof(u8), &data);
 }
 
+int vnt_control_out_blocks(struct vnt_private *priv,
+			   u16 block, u8 reg, u16 length, u8 *data)
+{
+	int ret = 0, i;
+
+	for (i = 0; i < length; i += block) {
+		u16 len = min_t(int, length - i, block);
+
+		ret = vnt_control_out(priv, MESSAGE_TYPE_WRITE,
+				      i, reg, len, data + i);
+		if (ret)
+			goto end;
+	}
+end:
+	return ret;
+}
+
 int vnt_control_in(struct vnt_private *priv, u8 request, u16 value,
 		   u16 index, u16 length, u8 *buffer)
 {
--- a/drivers/staging/vt6656/usbpipe.h
+++ b/drivers/staging/vt6656/usbpipe.h
@@ -18,6 +18,8 @@
 
 #include "device.h"
 
+#define VNT_REG_BLOCK_SIZE	64
+
 int vnt_control_out(struct vnt_private *priv, u8 request, u16 value,
 		    u16 index, u16 length, u8 *buffer);
 int vnt_control_in(struct vnt_private *priv, u8 request, u16 value,
@@ -26,6 +28,9 @@ int vnt_control_in(struct vnt_private *p
 int vnt_control_out_u8(struct vnt_private *priv, u8 reg, u8 ref_off, u8 data);
 int vnt_control_in_u8(struct vnt_private *priv, u8 reg, u8 reg_off, u8 *data);
 
+int vnt_control_out_blocks(struct vnt_private *priv,
+			   u16 block, u8 reg, u16 len, u8 *data);
+
 int vnt_start_interrupt_urb(struct vnt_private *priv);
 int vnt_submit_rx_urb(struct vnt_private *priv, struct vnt_rcb *rcb);
 int vnt_tx_context(struct vnt_private *priv,



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 52/78] staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 51/78] staging: vt6656: limit reg output to block size Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 53/78] serdev: Dont claim unsupported ACPI serial devices Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Michael Straube

From: Michael Straube <straube.linux@gmail.com>

commit 58dcc5bf4030cab548d5c98cd4cd3632a5444d5a upstream.

This device was added to the stand-alone driver on github.
Add it to the staging driver as well.

Link: https://github.com/lwfinger/rtl8188eu/commit/b9b537aa25a8
Signed-off-by: Michael Straube <straube.linux@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191228143725.24455-1-straube.linux@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/rtl8188eu/os_dep/usb_intf.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
@@ -37,6 +37,7 @@ static const struct usb_device_id rtw_us
 	{USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */
 	{USB_DEVICE(0x2001, 0x331B)}, /* D-Link DWA-121 rev B1 */
 	{USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */
+	{USB_DEVICE(0x2357, 0x0111)}, /* TP-Link TL-WN727N v5.21 */
 	{USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */
 	{USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */
 	{}	/* Terminating entry */



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 53/78] serdev: Dont claim unsupported ACPI serial devices
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 52/78] staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21 Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 54/78] iommu/vt-d: Fix adding non-PCI devices to Intel IOMMU Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Punit Agrawal, Hans de Goede,
	Johan Hovold, Rob Herring

From: Punit Agrawal <punit1.agrawal@toshiba.co.jp>

commit c5ee0b3104e0b292d353e63fd31cb8c692645d8c upstream.

Serdev sub-system claims all ACPI serial devices that are not already
initialised. As a result, no device node is created for serial ports
on certain boards such as the Apollo Lake based UP2. This has the
unintended consequence of not being able to raise the login prompt via
serial connection.

Introduce a blacklist to reject ACPI serial devices that should not be
claimed by serdev sub-system. Add the peripheral ids for Intel HS UART
to the blacklist to bring back serial port on SoCs carrying them.

Cc: stable@vger.kernel.org
Signed-off-by: Punit Agrawal <punit1.agrawal@toshiba.co.jp>
Acked-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Johan Hovold <johan@kernel.org>
Cc: Rob Herring <robh@kernel.org>
Link: https://lore.kernel.org/r/20191219100345.911093-1-punit1.agrawal@toshiba.co.jp
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serdev/core.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/drivers/tty/serdev/core.c
+++ b/drivers/tty/serdev/core.c
@@ -582,6 +582,12 @@ static acpi_status acpi_serdev_register_
 	return AE_OK;
 }
 
+static const struct acpi_device_id serdev_acpi_devices_blacklist[] = {
+	{ "INT3511", 0 },
+	{ "INT3512", 0 },
+	{ },
+};
+
 static acpi_status acpi_serdev_add_device(acpi_handle handle, u32 level,
 				       void *data, void **return_value)
 {
@@ -591,6 +597,10 @@ static acpi_status acpi_serdev_add_devic
 	if (acpi_bus_get_device(handle, &adev))
 		return AE_OK;
 
+	/* Skip if black listed */
+	if (!acpi_match_device_ids(adev, serdev_acpi_devices_blacklist))
+		return AE_OK;
+
 	return acpi_serdev_register_device(ctrl, adev);
 }
 



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 54/78] iommu/vt-d: Fix adding non-PCI devices to Intel IOMMU
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 53/78] serdev: Dont claim unsupported ACPI serial devices Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 55/78] tty: link tty and port before configuring it as console Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Patrick Steinhardt, Lu Baolu, Joerg Roedel

From: Patrick Steinhardt <ps@pks.im>

commit 4a350a0ee5b0a14f826fcdf60dd1a3199cafbfd6 upstream.

Starting with commit fa212a97f3a3 ("iommu/vt-d: Probe DMA-capable ACPI
name space devices"), we now probe DMA-capable ACPI name
space devices. On Dell XPS 13 9343, which has an Intel LPSS platform
device INTL9C60 enumerated via ACPI, this change leads to the following
warning:

    ------------[ cut here ]------------
    WARNING: CPU: 1 PID: 1 at pci_device_group+0x11a/0x130
    CPU: 1 PID: 1 Comm: swapper/0 Tainted: G                T 5.5.0-rc3+ #22
    Hardware name: Dell Inc. XPS 13 9343/0310JH, BIOS A20 06/06/2019
    RIP: 0010:pci_device_group+0x11a/0x130
    Code: f0 ff ff 48 85 c0 49 89 c4 75 c4 48 8d 74 24 10 48 89 ef e8 48 ef ff ff 48 85 c0 49 89 c4 75 af e8 db f7 ff ff 49 89 c4 eb a5 <0f> 0b 49 c7 c4 ea ff ff ff eb 9a e8 96 1e c7 ff 66 0f 1f 44 00 00
    RSP: 0000:ffffc0d6c0043cb0 EFLAGS: 00010202
    RAX: 0000000000000000 RBX: ffffa3d1d43dd810 RCX: 0000000000000000
    RDX: ffffa3d1d4fecf80 RSI: ffffa3d12943dcc0 RDI: ffffa3d1d43dd810
    RBP: ffffa3d1d43dd810 R08: 0000000000000000 R09: ffffa3d1d4c04a80
    R10: ffffa3d1d4c00880 R11: ffffa3d1d44ba000 R12: 0000000000000000
    R13: ffffa3d1d4383b80 R14: ffffa3d1d4c090d0 R15: ffffa3d1d4324530
    FS:  0000000000000000(0000) GS:ffffa3d1d6700000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000000 CR3: 000000000460a001 CR4: 00000000003606e0
    Call Trace:
     ? iommu_group_get_for_dev+0x81/0x1f0
     ? intel_iommu_add_device+0x61/0x170
     ? iommu_probe_device+0x43/0xd0
     ? intel_iommu_init+0x1fa2/0x2235
     ? pci_iommu_init+0x52/0xe7
     ? e820__memblock_setup+0x15c/0x15c
     ? do_one_initcall+0xcc/0x27e
     ? kernel_init_freeable+0x169/0x259
     ? rest_init+0x95/0x95
     ? kernel_init+0x5/0xeb
     ? ret_from_fork+0x35/0x40
    ---[ end trace 28473e7abc25b92c ]---
    DMAR: ACPI name space devices didn't probe correctly

The bug results from the fact that while we now enumerate ACPI devices,
we aren't able to handle any non-PCI device when generating the device
group. Fix the issue by implementing an Intel-specific callback that
returns `pci_device_group` only if the device is a PCI device.
Otherwise, it will return a generic device group.

Fixes: fa212a97f3a3 ("iommu/vt-d: Probe DMA-capable ACPI name space devices")
Signed-off-by: Patrick Steinhardt <ps@pks.im>
Cc: stable@vger.kernel.org # v5.3+
Acked-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iommu/intel-iommu.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -5786,6 +5786,13 @@ static void intel_iommu_apply_resv_regio
 	WARN_ON_ONCE(!reserve_iova(&dmar_domain->iovad, start, end));
 }
 
+static struct iommu_group *intel_iommu_device_group(struct device *dev)
+{
+	if (dev_is_pci(dev))
+		return pci_device_group(dev);
+	return generic_device_group(dev);
+}
+
 #ifdef CONFIG_INTEL_IOMMU_SVM
 struct intel_iommu *intel_svm_device_to_iommu(struct device *dev)
 {
@@ -5958,7 +5965,7 @@ const struct iommu_ops intel_iommu_ops =
 	.get_resv_regions	= intel_iommu_get_resv_regions,
 	.put_resv_regions	= intel_iommu_put_resv_regions,
 	.apply_resv_region	= intel_iommu_apply_resv_region,
-	.device_group		= pci_device_group,
+	.device_group		= intel_iommu_device_group,
 	.dev_has_feat		= intel_iommu_dev_has_feat,
 	.dev_feat_enabled	= intel_iommu_dev_feat_enabled,
 	.dev_enable_feat	= intel_iommu_dev_enable_feat,



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 55/78] tty: link tty and port before configuring it as console
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 54/78] iommu/vt-d: Fix adding non-PCI devices to Intel IOMMU Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 56/78] tty: always relink the port Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jiri Slaby, Sudip Mukherjee

From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>

commit fb2b90014d782d80d7ebf663e50f96d8c507a73c upstream.

There seems to be a race condition in tty drivers and I could see on
many boot cycles a NULL pointer dereference as tty_init_dev() tries to
do 'tty->port->itty = tty' even though tty->port is NULL.
'tty->port' will be set by the driver and if the driver has not yet done
it before we open the tty device we can get to this situation. By adding
some extra debug prints, I noticed that:

6.650130: uart_add_one_port
6.663849: register_console
6.664846: tty_open
6.674391: tty_init_dev
6.675456: tty_port_link_device

uart_add_one_port() registers the console, as soon as it registers, the
userspace tries to use it and that leads to tty_open() but
uart_add_one_port() has not yet done tty_port_link_device() and so
tty->port is not yet configured when control reaches tty_init_dev().

Further look into the code and tty_port_link_device() is done by
uart_add_one_port(). After registering the console uart_add_one_port()
will call tty_port_register_device_attr_serdev() and
tty_port_link_device() is called from this.

Call add tty_port_link_device() before uart_configure_port() is done and
add a check in tty_port_link_device() so that it only links the port if
it has not been done yet.

Suggested-by: Jiri Slaby <jslaby@suse.com>
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191212131602.29504-1-sudipm.mukherjee@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/serial_core.c |    1 +
 drivers/tty/tty_port.c           |    3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -2834,6 +2834,7 @@ int uart_add_one_port(struct uart_driver
 	if (uport->cons && uport->dev)
 		of_console_check(uport->dev->of_node, uport->cons->name, uport->line);
 
+	tty_port_link_device(port, drv->tty_driver, uport->line);
 	uart_configure_port(drv, state, uport);
 
 	port->console = uart_console(uport);
--- a/drivers/tty/tty_port.c
+++ b/drivers/tty/tty_port.c
@@ -89,7 +89,8 @@ void tty_port_link_device(struct tty_por
 {
 	if (WARN_ON(index >= driver->num))
 		return;
-	driver->ports[index] = port;
+	if (!driver->ports[index])
+		driver->ports[index] = port;
 }
 EXPORT_SYMBOL_GPL(tty_port_link_device);
 



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 56/78] tty: always relink the port
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 55/78] tty: link tty and port before configuring it as console Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01   ` Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kenneth R. Crudup, Sudip Mukherjee

From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>

commit 273f632912f1b24b642ba5b7eb5022e43a72f3b5 upstream.

If the serial device is disconnected and reconnected, it re-enumerates
properly but does not link it. fwiw, linking means just saving the port
index, so allow it always as there is no harm in saving the same value
again even if it tries to relink with the same port.

Fixes: fb2b90014d78 ("tty: link tty and port before configuring it as console")
Reported-by: Kenneth R. Crudup <kenny@panix.com>
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20191227174434.12057-1-sudipm.mukherjee@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/tty_port.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/tty/tty_port.c
+++ b/drivers/tty/tty_port.c
@@ -89,8 +89,7 @@ void tty_port_link_device(struct tty_por
 {
 	if (WARN_ON(index >= driver->num))
 		return;
-	if (!driver->ports[index])
-		driver->ports[index] = port;
+	driver->ports[index] = port;
 }
 EXPORT_SYMBOL_GPL(tty_port_link_device);
 



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 57/78] arm64: Move __ARCH_WANT_SYS_CLONE3 definition to uapi headers
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
@ 2020-01-14 10:01   ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 02/78] i2c: fix bus recovery stop mode timing Greg Kroah-Hartman
                     ` (80 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Amanieu dAntras, linux-arm-kernel,
	Arnd Bergmann, Christian Brauner

From: Amanieu d'Antras <amanieu@gmail.com>

commit 3e3c8ca5a351350031f0f3d5ecedf7048b1b9008 upstream.

Previously this was only defined in the internal headers which
resulted in __NR_clone3 not being defined in the user headers.

Signed-off-by: Amanieu d'Antras <amanieu@gmail.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: <stable@vger.kernel.org> # 5.3.x
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20200102172413.654385-2-amanieu@gmail.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/include/asm/unistd.h      |    1 -
 arch/arm64/include/uapi/asm/unistd.h |    1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/include/asm/unistd.h
+++ b/arch/arm64/include/asm/unistd.h
@@ -42,7 +42,6 @@
 #endif
 
 #define __ARCH_WANT_SYS_CLONE
-#define __ARCH_WANT_SYS_CLONE3
 
 #ifndef __COMPAT_SYSCALL_NR
 #include <uapi/asm/unistd.h>
--- a/arch/arm64/include/uapi/asm/unistd.h
+++ b/arch/arm64/include/uapi/asm/unistd.h
@@ -19,5 +19,6 @@
 #define __ARCH_WANT_NEW_STAT
 #define __ARCH_WANT_SET_GET_RLIMIT
 #define __ARCH_WANT_TIME32_SYSCALLS
+#define __ARCH_WANT_SYS_CLONE3
 
 #include <asm-generic/unistd.h>



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 57/78] arm64: Move __ARCH_WANT_SYS_CLONE3 definition to uapi headers
@ 2020-01-14 10:01   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Amanieu dAntras, Arnd Bergmann, Greg Kroah-Hartman, stable,
	Christian Brauner, linux-arm-kernel

From: Amanieu d'Antras <amanieu@gmail.com>

commit 3e3c8ca5a351350031f0f3d5ecedf7048b1b9008 upstream.

Previously this was only defined in the internal headers which
resulted in __NR_clone3 not being defined in the user headers.

Signed-off-by: Amanieu d'Antras <amanieu@gmail.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: <stable@vger.kernel.org> # 5.3.x
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20200102172413.654385-2-amanieu@gmail.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/include/asm/unistd.h      |    1 -
 arch/arm64/include/uapi/asm/unistd.h |    1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/include/asm/unistd.h
+++ b/arch/arm64/include/asm/unistd.h
@@ -42,7 +42,6 @@
 #endif
 
 #define __ARCH_WANT_SYS_CLONE
-#define __ARCH_WANT_SYS_CLONE3
 
 #ifndef __COMPAT_SYSCALL_NR
 #include <uapi/asm/unistd.h>
--- a/arch/arm64/include/uapi/asm/unistd.h
+++ b/arch/arm64/include/uapi/asm/unistd.h
@@ -19,5 +19,6 @@
 #define __ARCH_WANT_NEW_STAT
 #define __ARCH_WANT_SET_GET_RLIMIT
 #define __ARCH_WANT_TIME32_SYSCALLS
+#define __ARCH_WANT_SYS_CLONE3
 
 #include <asm-generic/unistd.h>



_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 58/78] arm64: Implement copy_thread_tls
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
@ 2020-01-14 10:01   ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 02/78] i2c: fix bus recovery stop mode timing Greg Kroah-Hartman
                     ` (80 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Amanieu dAntras, linux-arm-kernel,
	Will Deacon, Christian Brauner

From: Amanieu d'Antras <amanieu@gmail.com>

commit a4376f2fbcc8084832f2f114577c8d68234c7903 upstream.

This is required for clone3 which passes the TLS value through a
struct rather than a register.

Signed-off-by: Amanieu d'Antras <amanieu@gmail.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: <stable@vger.kernel.org> # 5.3.x
Acked-by: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20200102172413.654385-3-amanieu@gmail.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/Kconfig          |    1 +
 arch/arm64/kernel/process.c |   10 +++++-----
 2 files changed, 6 insertions(+), 5 deletions(-)

--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -139,6 +139,7 @@ config ARM64
 	select HAVE_CMPXCHG_DOUBLE
 	select HAVE_CMPXCHG_LOCAL
 	select HAVE_CONTEXT_TRACKING
+	select HAVE_COPY_THREAD_TLS
 	select HAVE_DEBUG_BUGVERBOSE
 	select HAVE_DEBUG_KMEMLEAK
 	select HAVE_DMA_CONTIGUOUS
--- a/arch/arm64/kernel/process.c
+++ b/arch/arm64/kernel/process.c
@@ -360,8 +360,8 @@ int arch_dup_task_struct(struct task_str
 
 asmlinkage void ret_from_fork(void) asm("ret_from_fork");
 
-int copy_thread(unsigned long clone_flags, unsigned long stack_start,
-		unsigned long stk_sz, struct task_struct *p)
+int copy_thread_tls(unsigned long clone_flags, unsigned long stack_start,
+		unsigned long stk_sz, struct task_struct *p, unsigned long tls)
 {
 	struct pt_regs *childregs = task_pt_regs(p);
 
@@ -394,11 +394,11 @@ int copy_thread(unsigned long clone_flag
 		}
 
 		/*
-		 * If a TLS pointer was passed to clone (4th argument), use it
-		 * for the new thread.
+		 * If a TLS pointer was passed to clone, use it for the new
+		 * thread.
 		 */
 		if (clone_flags & CLONE_SETTLS)
-			p->thread.uw.tp_value = childregs->regs[3];
+			p->thread.uw.tp_value = tls;
 	} else {
 		memset(childregs, 0, sizeof(struct pt_regs));
 		childregs->pstate = PSR_MODE_EL1h;



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 58/78] arm64: Implement copy_thread_tls
@ 2020-01-14 10:01   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Amanieu dAntras, Greg Kroah-Hartman, stable, Christian Brauner,
	Will Deacon, linux-arm-kernel

From: Amanieu d'Antras <amanieu@gmail.com>

commit a4376f2fbcc8084832f2f114577c8d68234c7903 upstream.

This is required for clone3 which passes the TLS value through a
struct rather than a register.

Signed-off-by: Amanieu d'Antras <amanieu@gmail.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: <stable@vger.kernel.org> # 5.3.x
Acked-by: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20200102172413.654385-3-amanieu@gmail.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/Kconfig          |    1 +
 arch/arm64/kernel/process.c |   10 +++++-----
 2 files changed, 6 insertions(+), 5 deletions(-)

--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -139,6 +139,7 @@ config ARM64
 	select HAVE_CMPXCHG_DOUBLE
 	select HAVE_CMPXCHG_LOCAL
 	select HAVE_CONTEXT_TRACKING
+	select HAVE_COPY_THREAD_TLS
 	select HAVE_DEBUG_BUGVERBOSE
 	select HAVE_DEBUG_KMEMLEAK
 	select HAVE_DMA_CONTIGUOUS
--- a/arch/arm64/kernel/process.c
+++ b/arch/arm64/kernel/process.c
@@ -360,8 +360,8 @@ int arch_dup_task_struct(struct task_str
 
 asmlinkage void ret_from_fork(void) asm("ret_from_fork");
 
-int copy_thread(unsigned long clone_flags, unsigned long stack_start,
-		unsigned long stk_sz, struct task_struct *p)
+int copy_thread_tls(unsigned long clone_flags, unsigned long stack_start,
+		unsigned long stk_sz, struct task_struct *p, unsigned long tls)
 {
 	struct pt_regs *childregs = task_pt_regs(p);
 
@@ -394,11 +394,11 @@ int copy_thread(unsigned long clone_flag
 		}
 
 		/*
-		 * If a TLS pointer was passed to clone (4th argument), use it
-		 * for the new thread.
+		 * If a TLS pointer was passed to clone, use it for the new
+		 * thread.
 		 */
 		if (clone_flags & CLONE_SETTLS)
-			p->thread.uw.tp_value = childregs->regs[3];
+			p->thread.uw.tp_value = tls;
 	} else {
 		memset(childregs, 0, sizeof(struct pt_regs));
 		childregs->pstate = PSR_MODE_EL1h;



_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 59/78] arm: Implement copy_thread_tls
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
@ 2020-01-14 10:01   ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 02/78] i2c: fix bus recovery stop mode timing Greg Kroah-Hartman
                     ` (80 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Amanieu dAntras, linux-arm-kernel,
	Christian Brauner

From: Amanieu d'Antras <amanieu@gmail.com>

commit 167ee0b82429cb5df272808c7a21370b7c961ab2 upstream.

This is required for clone3 which passes the TLS value through a
struct rather than a register.

Signed-off-by: Amanieu d'Antras <amanieu@gmail.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: <stable@vger.kernel.org> # 5.3.x
Link: https://lore.kernel.org/r/20200102172413.654385-4-amanieu@gmail.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/Kconfig          |    1 +
 arch/arm/kernel/process.c |    6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -73,6 +73,7 @@ config ARM
 	select HAVE_ARM_SMCCC if CPU_V7
 	select HAVE_EBPF_JIT if !CPU_ENDIAN_BE32
 	select HAVE_CONTEXT_TRACKING
+	select HAVE_COPY_THREAD_TLS
 	select HAVE_C_RECORDMCOUNT
 	select HAVE_DEBUG_KMEMLEAK
 	select HAVE_DMA_CONTIGUOUS if MMU
--- a/arch/arm/kernel/process.c
+++ b/arch/arm/kernel/process.c
@@ -224,8 +224,8 @@ void release_thread(struct task_struct *
 asmlinkage void ret_from_fork(void) __asm__("ret_from_fork");
 
 int
-copy_thread(unsigned long clone_flags, unsigned long stack_start,
-	    unsigned long stk_sz, struct task_struct *p)
+copy_thread_tls(unsigned long clone_flags, unsigned long stack_start,
+	    unsigned long stk_sz, struct task_struct *p, unsigned long tls)
 {
 	struct thread_info *thread = task_thread_info(p);
 	struct pt_regs *childregs = task_pt_regs(p);
@@ -259,7 +259,7 @@ copy_thread(unsigned long clone_flags, u
 	clear_ptrace_hw_breakpoint(p);
 
 	if (clone_flags & CLONE_SETTLS)
-		thread->tp_value[0] = childregs->ARM_r3;
+		thread->tp_value[0] = tls;
 	thread->tp_value[1] = get_tpuser();
 
 	thread_notify(THREAD_NOTIFY_COPY, thread);



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 59/78] arm: Implement copy_thread_tls
@ 2020-01-14 10:01   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, Christian Brauner, Amanieu dAntras,
	linux-arm-kernel, stable

From: Amanieu d'Antras <amanieu@gmail.com>

commit 167ee0b82429cb5df272808c7a21370b7c961ab2 upstream.

This is required for clone3 which passes the TLS value through a
struct rather than a register.

Signed-off-by: Amanieu d'Antras <amanieu@gmail.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: <stable@vger.kernel.org> # 5.3.x
Link: https://lore.kernel.org/r/20200102172413.654385-4-amanieu@gmail.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/Kconfig          |    1 +
 arch/arm/kernel/process.c |    6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -73,6 +73,7 @@ config ARM
 	select HAVE_ARM_SMCCC if CPU_V7
 	select HAVE_EBPF_JIT if !CPU_ENDIAN_BE32
 	select HAVE_CONTEXT_TRACKING
+	select HAVE_COPY_THREAD_TLS
 	select HAVE_C_RECORDMCOUNT
 	select HAVE_DEBUG_KMEMLEAK
 	select HAVE_DMA_CONTIGUOUS if MMU
--- a/arch/arm/kernel/process.c
+++ b/arch/arm/kernel/process.c
@@ -224,8 +224,8 @@ void release_thread(struct task_struct *
 asmlinkage void ret_from_fork(void) __asm__("ret_from_fork");
 
 int
-copy_thread(unsigned long clone_flags, unsigned long stack_start,
-	    unsigned long stk_sz, struct task_struct *p)
+copy_thread_tls(unsigned long clone_flags, unsigned long stack_start,
+	    unsigned long stk_sz, struct task_struct *p, unsigned long tls)
 {
 	struct thread_info *thread = task_thread_info(p);
 	struct pt_regs *childregs = task_pt_regs(p);
@@ -259,7 +259,7 @@ copy_thread(unsigned long clone_flags, u
 	clear_ptrace_hw_breakpoint(p);
 
 	if (clone_flags & CLONE_SETTLS)
-		thread->tp_value[0] = childregs->ARM_r3;
+		thread->tp_value[0] = tls;
 	thread->tp_value[1] = get_tpuser();
 
 	thread_notify(THREAD_NOTIFY_COPY, thread);



_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 60/78] parisc: Implement copy_thread_tls
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2020-01-14 10:01   ` Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01   ` Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Amanieu dAntras, linux-parisc,
	Christian Brauner

From: Amanieu d'Antras <amanieu@gmail.com>

commit d2f36c787b2181561d8b95814f8cdad64b348ad7 upstream.

This is required for clone3 which passes the TLS value through a
struct rather than a register.

Signed-off-by: Amanieu d'Antras <amanieu@gmail.com>
Cc: linux-parisc@vger.kernel.org
Cc: <stable@vger.kernel.org> # 5.3.x
Link: https://lore.kernel.org/r/20200102172413.654385-5-amanieu@gmail.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/parisc/Kconfig          |    1 +
 arch/parisc/kernel/process.c |    8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)

--- a/arch/parisc/Kconfig
+++ b/arch/parisc/Kconfig
@@ -62,6 +62,7 @@ config PARISC
 	select HAVE_FTRACE_MCOUNT_RECORD if HAVE_DYNAMIC_FTRACE
 	select HAVE_KPROBES_ON_FTRACE
 	select HAVE_DYNAMIC_FTRACE_WITH_REGS
+	select HAVE_COPY_THREAD_TLS
 
 	help
 	  The PA-RISC microprocessor is designed by Hewlett-Packard and used
--- a/arch/parisc/kernel/process.c
+++ b/arch/parisc/kernel/process.c
@@ -208,8 +208,8 @@ arch_initcall(parisc_idle_init);
  * Copy architecture-specific thread state
  */
 int
-copy_thread(unsigned long clone_flags, unsigned long usp,
-	    unsigned long kthread_arg, struct task_struct *p)
+copy_thread_tls(unsigned long clone_flags, unsigned long usp,
+	    unsigned long kthread_arg, struct task_struct *p, unsigned long tls)
 {
 	struct pt_regs *cregs = &(p->thread.regs);
 	void *stack = task_stack_page(p);
@@ -254,9 +254,9 @@ copy_thread(unsigned long clone_flags, u
 		cregs->ksp = (unsigned long)stack + THREAD_SZ_ALGN + FRAME_SIZE;
 		cregs->kpc = (unsigned long) &child_return;
 
-		/* Setup thread TLS area from the 4th parameter in clone */
+		/* Setup thread TLS area */
 		if (clone_flags & CLONE_SETTLS)
-			cregs->cr27 = cregs->gr[23];
+			cregs->cr27 = tls;
 	}
 
 	return 0;



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 61/78] riscv: Implement copy_thread_tls
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
@ 2020-01-14 10:01   ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 02/78] i2c: fix bus recovery stop mode timing Greg Kroah-Hartman
                     ` (80 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Amanieu dAntras, linux-riscv,
	Christian Brauner

From: Amanieu d'Antras <amanieu@gmail.com>

commit 20bda4ed62f507ed72e30e817b43c65fdba60be7 upstream.

This is required for clone3 which passes the TLS value through a
struct rather than a register.

Signed-off-by: Amanieu d'Antras <amanieu@gmail.com>
Cc: linux-riscv@lists.infradead.org
Cc: <stable@vger.kernel.org> # 5.3.x
Link: https://lore.kernel.org/r/20200102172413.654385-6-amanieu@gmail.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/riscv/Kconfig          |    1 +
 arch/riscv/kernel/process.c |    6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -61,6 +61,7 @@ config RISCV
 	select SPARSEMEM_STATIC if 32BIT
 	select ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT if MMU
 	select HAVE_ARCH_MMAP_RND_BITS
+	select HAVE_COPY_THREAD_TLS
 
 config ARCH_MMAP_RND_BITS_MIN
 	default 18 if 64BIT
--- a/arch/riscv/kernel/process.c
+++ b/arch/riscv/kernel/process.c
@@ -99,8 +99,8 @@ int arch_dup_task_struct(struct task_str
 	return 0;
 }
 
-int copy_thread(unsigned long clone_flags, unsigned long usp,
-	unsigned long arg, struct task_struct *p)
+int copy_thread_tls(unsigned long clone_flags, unsigned long usp,
+	unsigned long arg, struct task_struct *p, unsigned long tls)
 {
 	struct pt_regs *childregs = task_pt_regs(p);
 
@@ -120,7 +120,7 @@ int copy_thread(unsigned long clone_flag
 		if (usp) /* User fork */
 			childregs->sp = usp;
 		if (clone_flags & CLONE_SETTLS)
-			childregs->tp = childregs->a5;
+			childregs->tp = tls;
 		childregs->a0 = 0; /* Return value of fork() */
 		p->thread.ra = (unsigned long)ret_from_fork;
 	}



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 61/78] riscv: Implement copy_thread_tls
@ 2020-01-14 10:01   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, linux-riscv, Amanieu dAntras,
	Christian Brauner, stable

From: Amanieu d'Antras <amanieu@gmail.com>

commit 20bda4ed62f507ed72e30e817b43c65fdba60be7 upstream.

This is required for clone3 which passes the TLS value through a
struct rather than a register.

Signed-off-by: Amanieu d'Antras <amanieu@gmail.com>
Cc: linux-riscv@lists.infradead.org
Cc: <stable@vger.kernel.org> # 5.3.x
Link: https://lore.kernel.org/r/20200102172413.654385-6-amanieu@gmail.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/riscv/Kconfig          |    1 +
 arch/riscv/kernel/process.c |    6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -61,6 +61,7 @@ config RISCV
 	select SPARSEMEM_STATIC if 32BIT
 	select ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT if MMU
 	select HAVE_ARCH_MMAP_RND_BITS
+	select HAVE_COPY_THREAD_TLS
 
 config ARCH_MMAP_RND_BITS_MIN
 	default 18 if 64BIT
--- a/arch/riscv/kernel/process.c
+++ b/arch/riscv/kernel/process.c
@@ -99,8 +99,8 @@ int arch_dup_task_struct(struct task_str
 	return 0;
 }
 
-int copy_thread(unsigned long clone_flags, unsigned long usp,
-	unsigned long arg, struct task_struct *p)
+int copy_thread_tls(unsigned long clone_flags, unsigned long usp,
+	unsigned long arg, struct task_struct *p, unsigned long tls)
 {
 	struct pt_regs *childregs = task_pt_regs(p);
 
@@ -120,7 +120,7 @@ int copy_thread(unsigned long clone_flag
 		if (usp) /* User fork */
 			childregs->sp = usp;
 		if (clone_flags & CLONE_SETTLS)
-			childregs->tp = childregs->a5;
+			childregs->tp = tls;
 		childregs->a0 = 0; /* Return value of fork() */
 		p->thread.ra = (unsigned long)ret_from_fork;
 	}




^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 62/78] xtensa: Implement copy_thread_tls
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2020-01-14 10:01   ` Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 63/78] clone3: ensure copy_thread_tls is implemented Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Amanieu dAntras, linux-xtensa,
	Christian Brauner

From: Amanieu d'Antras <amanieu@gmail.com>

commit c346b94f8c5d1b7d637522c908209de93305a8eb upstream.

This is required for clone3 which passes the TLS value through a
struct rather than a register.

Signed-off-by: Amanieu d'Antras <amanieu@gmail.com>
Cc: linux-xtensa@linux-xtensa.org
Cc: <stable@vger.kernel.org> # 5.3.x
Link: https://lore.kernel.org/r/20200102172413.654385-7-amanieu@gmail.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/xtensa/Kconfig          |    1 +
 arch/xtensa/kernel/process.c |    8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)

--- a/arch/xtensa/Kconfig
+++ b/arch/xtensa/Kconfig
@@ -22,6 +22,7 @@ config XTENSA
 	select HAVE_ARCH_JUMP_LABEL
 	select HAVE_ARCH_KASAN if MMU
 	select HAVE_ARCH_TRACEHOOK
+	select HAVE_COPY_THREAD_TLS
 	select HAVE_DEBUG_KMEMLEAK
 	select HAVE_DMA_CONTIGUOUS
 	select HAVE_EXIT_THREAD
--- a/arch/xtensa/kernel/process.c
+++ b/arch/xtensa/kernel/process.c
@@ -202,8 +202,9 @@ int arch_dup_task_struct(struct task_str
  * involved.  Much simpler to just not copy those live frames across.
  */
 
-int copy_thread(unsigned long clone_flags, unsigned long usp_thread_fn,
-		unsigned long thread_fn_arg, struct task_struct *p)
+int copy_thread_tls(unsigned long clone_flags, unsigned long usp_thread_fn,
+		unsigned long thread_fn_arg, struct task_struct *p,
+		unsigned long tls)
 {
 	struct pt_regs *childregs = task_pt_regs(p);
 
@@ -264,9 +265,8 @@ int copy_thread(unsigned long clone_flag
 			       &regs->areg[XCHAL_NUM_AREGS - len/4], len);
 		}
 
-		/* The thread pointer is passed in the '4th argument' (= a5) */
 		if (clone_flags & CLONE_SETTLS)
-			childregs->threadptr = childregs->areg[5];
+			childregs->threadptr = tls;
 	} else {
 		p->thread.ra = MAKE_RA_FOR_CALL(
 				(unsigned long)ret_from_kernel_thread, 1);



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 63/78] clone3: ensure copy_thread_tls is implemented
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 62/78] xtensa: " Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01   ` Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Amanieu dAntras, Christian Brauner

From: Amanieu d'Antras <amanieu@gmail.com>

commit dd499f7a7e34270208350a849ef103c0b3ae477f upstream.

copy_thread implementations handle CLONE_SETTLS by reading the TLS
value from the registers containing the syscall arguments for
clone. This doesn't work with clone3 since the TLS value is passed
in clone_args instead.

Signed-off-by: Amanieu d'Antras <amanieu@gmail.com>
Cc: <stable@vger.kernel.org> # 5.3.x
Link: https://lore.kernel.org/r/20200102172413.654385-8-amanieu@gmail.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/fork.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -2513,6 +2513,16 @@ SYSCALL_DEFINE5(clone, unsigned long, cl
 #endif
 
 #ifdef __ARCH_WANT_SYS_CLONE3
+
+/*
+ * copy_thread implementations handle CLONE_SETTLS by reading the TLS value from
+ * the registers containing the syscall arguments for clone. This doesn't work
+ * with clone3 since the TLS value is passed in clone_args instead.
+ */
+#ifndef CONFIG_HAVE_COPY_THREAD_TLS
+#error clone3 requires copy_thread_tls support in arch
+#endif
+
 noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs,
 					      struct clone_args __user *uargs,
 					      size_t usize)



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 64/78] um: Implement copy_thread_tls
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
@ 2020-01-14 10:01   ` Greg Kroah-Hartman
  2020-01-14 10:00 ` [PATCH 5.4 02/78] i2c: fix bus recovery stop mode timing Greg Kroah-Hartman
                     ` (80 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Amanieu dAntras, linux-um, Christian Brauner

From: Amanieu d'Antras <amanieu@gmail.com>

commit 457677c70c7672a4586b0b8abc396cc1ecdd376d upstream.

This is required for clone3 which passes the TLS value through a
struct rather than a register.

Signed-off-by: Amanieu d'Antras <amanieu@gmail.com>
Cc: linux-um@lists.infradead.org
Cc: <stable@vger.kernel.org> # 5.3.x
Link: https://lore.kernel.org/r/20200104123928.1048822-1-amanieu@gmail.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/um/Kconfig                      |    1 +
 arch/um/include/asm/ptrace-generic.h |    2 +-
 arch/um/kernel/process.c             |    6 +++---
 arch/x86/um/tls_32.c                 |    6 ++----
 arch/x86/um/tls_64.c                 |    7 +++----
 5 files changed, 10 insertions(+), 12 deletions(-)

--- a/arch/um/Kconfig
+++ b/arch/um/Kconfig
@@ -14,6 +14,7 @@ config UML
 	select HAVE_FUTEX_CMPXCHG if FUTEX
 	select HAVE_DEBUG_KMEMLEAK
 	select HAVE_DEBUG_BUGVERBOSE
+	select HAVE_COPY_THREAD_TLS
 	select GENERIC_IRQ_SHOW
 	select GENERIC_CPU_DEVICES
 	select GENERIC_CLOCKEVENTS
--- a/arch/um/include/asm/ptrace-generic.h
+++ b/arch/um/include/asm/ptrace-generic.h
@@ -36,7 +36,7 @@ extern long subarch_ptrace(struct task_s
 extern unsigned long getreg(struct task_struct *child, int regno);
 extern int putreg(struct task_struct *child, int regno, unsigned long value);
 
-extern int arch_copy_tls(struct task_struct *new);
+extern int arch_set_tls(struct task_struct *new, unsigned long tls);
 extern void clear_flushed_tls(struct task_struct *task);
 extern int syscall_trace_enter(struct pt_regs *regs);
 extern void syscall_trace_leave(struct pt_regs *regs);
--- a/arch/um/kernel/process.c
+++ b/arch/um/kernel/process.c
@@ -153,8 +153,8 @@ void fork_handler(void)
 	userspace(&current->thread.regs.regs, current_thread_info()->aux_fp_regs);
 }
 
-int copy_thread(unsigned long clone_flags, unsigned long sp,
-		unsigned long arg, struct task_struct * p)
+int copy_thread_tls(unsigned long clone_flags, unsigned long sp,
+		unsigned long arg, struct task_struct * p, unsigned long tls)
 {
 	void (*handler)(void);
 	int kthread = current->flags & PF_KTHREAD;
@@ -188,7 +188,7 @@ int copy_thread(unsigned long clone_flag
 		 * Set a new TLS for the child thread?
 		 */
 		if (clone_flags & CLONE_SETTLS)
-			ret = arch_copy_tls(p);
+			ret = arch_set_tls(p, tls);
 	}
 
 	return ret;
--- a/arch/x86/um/tls_32.c
+++ b/arch/x86/um/tls_32.c
@@ -215,14 +215,12 @@ static int set_tls_entry(struct task_str
 	return 0;
 }
 
-int arch_copy_tls(struct task_struct *new)
+int arch_set_tls(struct task_struct *new, unsigned long tls)
 {
 	struct user_desc info;
 	int idx, ret = -EFAULT;
 
-	if (copy_from_user(&info,
-			   (void __user *) UPT_SI(&new->thread.regs.regs),
-			   sizeof(info)))
+	if (copy_from_user(&info, (void __user *) tls, sizeof(info)))
 		goto out;
 
 	ret = -EINVAL;
--- a/arch/x86/um/tls_64.c
+++ b/arch/x86/um/tls_64.c
@@ -6,14 +6,13 @@ void clear_flushed_tls(struct task_struc
 {
 }
 
-int arch_copy_tls(struct task_struct *t)
+int arch_set_tls(struct task_struct *t, unsigned long tls)
 {
 	/*
 	 * If CLONE_SETTLS is set, we need to save the thread id
-	 * (which is argument 5, child_tid, of clone) so it can be set
-	 * during context switches.
+	 * so it can be set during context switches.
 	 */
-	t->thread.arch.fs = t->thread.regs.regs.gp[R8 / sizeof(long)];
+	t->thread.arch.fs = tls;
 
 	return 0;
 }



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 64/78] um: Implement copy_thread_tls
@ 2020-01-14 10:01   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: linux-um, Greg Kroah-Hartman, Christian Brauner, Amanieu dAntras, stable

From: Amanieu d'Antras <amanieu@gmail.com>

commit 457677c70c7672a4586b0b8abc396cc1ecdd376d upstream.

This is required for clone3 which passes the TLS value through a
struct rather than a register.

Signed-off-by: Amanieu d'Antras <amanieu@gmail.com>
Cc: linux-um@lists.infradead.org
Cc: <stable@vger.kernel.org> # 5.3.x
Link: https://lore.kernel.org/r/20200104123928.1048822-1-amanieu@gmail.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/um/Kconfig                      |    1 +
 arch/um/include/asm/ptrace-generic.h |    2 +-
 arch/um/kernel/process.c             |    6 +++---
 arch/x86/um/tls_32.c                 |    6 ++----
 arch/x86/um/tls_64.c                 |    7 +++----
 5 files changed, 10 insertions(+), 12 deletions(-)

--- a/arch/um/Kconfig
+++ b/arch/um/Kconfig
@@ -14,6 +14,7 @@ config UML
 	select HAVE_FUTEX_CMPXCHG if FUTEX
 	select HAVE_DEBUG_KMEMLEAK
 	select HAVE_DEBUG_BUGVERBOSE
+	select HAVE_COPY_THREAD_TLS
 	select GENERIC_IRQ_SHOW
 	select GENERIC_CPU_DEVICES
 	select GENERIC_CLOCKEVENTS
--- a/arch/um/include/asm/ptrace-generic.h
+++ b/arch/um/include/asm/ptrace-generic.h
@@ -36,7 +36,7 @@ extern long subarch_ptrace(struct task_s
 extern unsigned long getreg(struct task_struct *child, int regno);
 extern int putreg(struct task_struct *child, int regno, unsigned long value);
 
-extern int arch_copy_tls(struct task_struct *new);
+extern int arch_set_tls(struct task_struct *new, unsigned long tls);
 extern void clear_flushed_tls(struct task_struct *task);
 extern int syscall_trace_enter(struct pt_regs *regs);
 extern void syscall_trace_leave(struct pt_regs *regs);
--- a/arch/um/kernel/process.c
+++ b/arch/um/kernel/process.c
@@ -153,8 +153,8 @@ void fork_handler(void)
 	userspace(&current->thread.regs.regs, current_thread_info()->aux_fp_regs);
 }
 
-int copy_thread(unsigned long clone_flags, unsigned long sp,
-		unsigned long arg, struct task_struct * p)
+int copy_thread_tls(unsigned long clone_flags, unsigned long sp,
+		unsigned long arg, struct task_struct * p, unsigned long tls)
 {
 	void (*handler)(void);
 	int kthread = current->flags & PF_KTHREAD;
@@ -188,7 +188,7 @@ int copy_thread(unsigned long clone_flag
 		 * Set a new TLS for the child thread?
 		 */
 		if (clone_flags & CLONE_SETTLS)
-			ret = arch_copy_tls(p);
+			ret = arch_set_tls(p, tls);
 	}
 
 	return ret;
--- a/arch/x86/um/tls_32.c
+++ b/arch/x86/um/tls_32.c
@@ -215,14 +215,12 @@ static int set_tls_entry(struct task_str
 	return 0;
 }
 
-int arch_copy_tls(struct task_struct *new)
+int arch_set_tls(struct task_struct *new, unsigned long tls)
 {
 	struct user_desc info;
 	int idx, ret = -EFAULT;
 
-	if (copy_from_user(&info,
-			   (void __user *) UPT_SI(&new->thread.regs.regs),
-			   sizeof(info)))
+	if (copy_from_user(&info, (void __user *) tls, sizeof(info)))
 		goto out;
 
 	ret = -EINVAL;
--- a/arch/x86/um/tls_64.c
+++ b/arch/x86/um/tls_64.c
@@ -6,14 +6,13 @@ void clear_flushed_tls(struct task_struc
 {
 }
 
-int arch_copy_tls(struct task_struct *t)
+int arch_set_tls(struct task_struct *t, unsigned long tls)
 {
 	/*
 	 * If CLONE_SETTLS is set, we need to save the thread id
-	 * (which is argument 5, child_tid, of clone) so it can be set
-	 * during context switches.
+	 * so it can be set during context switches.
 	 */
-	t->thread.arch.fs = t->thread.regs.regs.gp[R8 / sizeof(long)];
+	t->thread.arch.fs = tls;
 
 	return 0;
 }



_______________________________________________
linux-um mailing list
linux-um@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-um


^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 65/78] staging: vt6656: remove bool from vnt_radio_power_on ret
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2020-01-14 10:01   ` Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 66/78] mwifiex: fix possible heap overflow in mwifiex_process_country_ie() Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Malcolm Priestley

From: Malcolm Priestley <tvboxspy@gmail.com>

commit 07f59f180ee083c48c32a1e69ae1d0091444d212 upstream.

The driver uses logical only error checking a bool true would flag error.

Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Link: https://lore.kernel.org/r/cc52b67c-9ef8-3e57-815a-44d10701919e@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/vt6656/card.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/vt6656/card.c
+++ b/drivers/staging/vt6656/card.c
@@ -719,7 +719,7 @@ end:
  */
 int vnt_radio_power_on(struct vnt_private *priv)
 {
-	int ret = true;
+	int ret = 0;
 
 	vnt_exit_deep_sleep(priv);
 



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 66/78] mwifiex: fix possible heap overflow in mwifiex_process_country_ie()
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 65/78] staging: vt6656: remove bool from vnt_radio_power_on ret Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 67/78] mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, huangwen, Ganapathi Bhat, Kalle Valo,
	Ben Hutchings

From: Ganapathi Bhat <gbhat@marvell.com>

commit 3d94a4a8373bf5f45cf5f939e88b8354dbf2311b upstream.

mwifiex_process_country_ie() function parse elements of bss
descriptor in beacon packet. When processing WLAN_EID_COUNTRY
element, there is no upper limit check for country_ie_len before
calling memcpy. The destination buffer domain_info->triplet is an
array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote
attacker can build a fake AP with the same ssid as real AP, and
send malicous beacon packet with long WLAN_EID_COUNTRY elemen
(country_ie_len > 83). Attacker can  force STA connect to fake AP
on a different channel. When the victim STA connects to fake AP,
will trigger the heap buffer overflow. Fix this by checking for
length and if found invalid, don not connect to the AP.

This fix addresses CVE-2019-14895.

Reported-by: huangwen <huangwenabc@gmail.com>
Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/marvell/mwifiex/sta_ioctl.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
@@ -229,6 +229,14 @@ static int mwifiex_process_country_ie(st
 			    "11D: skip setting domain info in FW\n");
 		return 0;
 	}
+
+	if (country_ie_len >
+	    (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) {
+		mwifiex_dbg(priv->adapter, ERROR,
+			    "11D: country_ie_len overflow!, deauth AP\n");
+		return -EINVAL;
+	}
+
 	memcpy(priv->adapter->country_code, &country_ie[2], 2);
 
 	domain_info->country_code[0] = country_ie[2];
@@ -272,8 +280,9 @@ int mwifiex_bss_start(struct mwifiex_pri
 	priv->scan_block = false;
 
 	if (bss) {
-		if (adapter->region_code == 0x00)
-			mwifiex_process_country_ie(priv, bss);
+		if (adapter->region_code == 0x00 &&
+		    mwifiex_process_country_ie(priv, bss))
+			return -EINVAL;
 
 		/* Allocate and fill new bss descriptor */
 		bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 67/78] mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 66/78] mwifiex: fix possible heap overflow in mwifiex_process_country_ie() Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 68/78] rpmsg: char: release allocated memory Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Navid Emamdoost, Ganapathi Bhat,
	Kalle Valo, Ben Hutchings

From: Navid Emamdoost <navid.emamdoost@gmail.com>

commit db8fd2cde93227e566a412cf53173ffa227998bc upstream.

In mwifiex_pcie_alloc_cmdrsp_buf, a new skb is allocated which should be
released if mwifiex_map_pci_memory() fails. The release is added.

Fixes: fc3314609047 ("mwifiex: use pci_alloc/free_consistent APIs for PCIe")
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Acked-by: Ganapathi Bhat <gbhat@marvell.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/marvell/mwifiex/pcie.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/marvell/mwifiex/pcie.c
+++ b/drivers/net/wireless/marvell/mwifiex/pcie.c
@@ -1032,8 +1032,10 @@ static int mwifiex_pcie_alloc_cmdrsp_buf
 	}
 	skb_put(skb, MWIFIEX_UPLD_SIZE);
 	if (mwifiex_map_pci_memory(adapter, skb, MWIFIEX_UPLD_SIZE,
-				   PCI_DMA_FROMDEVICE))
+				   PCI_DMA_FROMDEVICE)) {
+		kfree_skb(skb);
 		return -1;
+	}
 
 	card->cmdrsp_buf = skb;
 



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 68/78] rpmsg: char: release allocated memory
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 67/78] mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 69/78] scsi: bfa: release allocated memory in case of error Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Navid Emamdoost, Bjorn Andersson,
	Ben Hutchings

From: Navid Emamdoost <navid.emamdoost@gmail.com>

commit bbe692e349e2a1edf3fe0a29a0e05899c9c94d51 upstream.

In rpmsg_eptdev_write_iter, if copy_from_iter_full fails the allocated
buffer needs to be released.

Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/rpmsg/rpmsg_char.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/rpmsg/rpmsg_char.c
+++ b/drivers/rpmsg/rpmsg_char.c
@@ -227,8 +227,10 @@ static ssize_t rpmsg_eptdev_write_iter(s
 	if (!kbuf)
 		return -ENOMEM;
 
-	if (!copy_from_iter_full(kbuf, len, from))
-		return -EFAULT;
+	if (!copy_from_iter_full(kbuf, len, from)) {
+		ret = -EFAULT;
+		goto free_kbuf;
+	}
 
 	if (mutex_lock_interruptible(&eptdev->ept_lock)) {
 		ret = -ERESTARTSYS;



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 69/78] scsi: bfa: release allocated memory in case of error
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 68/78] rpmsg: char: release allocated memory Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 70/78] rtl8xxxu: prevent leaking urb Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Navid Emamdoost, Martin K. Petersen,
	Ben Hutchings

From: Navid Emamdoost <navid.emamdoost@gmail.com>

commit 0e62395da2bd5166d7c9e14cbc7503b256a34cb0 upstream.

In bfad_im_get_stats if bfa_port_get_stats fails, allocated memory needs to
be released.

Link: https://lore.kernel.org/r/20190910234417.22151-1-navid.emamdoost@gmail.com
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/bfa/bfad_attr.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/scsi/bfa/bfad_attr.c
+++ b/drivers/scsi/bfa/bfad_attr.c
@@ -275,8 +275,10 @@ bfad_im_get_stats(struct Scsi_Host *shos
 	rc = bfa_port_get_stats(BFA_FCPORT(&bfad->bfa),
 				fcstats, bfad_hcb_comp, &fcomp);
 	spin_unlock_irqrestore(&bfad->bfad_lock, flags);
-	if (rc != BFA_STATUS_OK)
+	if (rc != BFA_STATUS_OK) {
+		kfree(fcstats);
 		return NULL;
+	}
 
 	wait_for_completion(&fcomp.comp);
 



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 70/78] rtl8xxxu: prevent leaking urb
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 69/78] scsi: bfa: release allocated memory in case of error Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 71/78] ath10k: fix memory leak Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Navid Emamdoost, Chris Chiu,
	Kalle Valo, Ben Hutchings

From: Navid Emamdoost <navid.emamdoost@gmail.com>

commit a2cdd07488e666aa93a49a3fc9c9b1299e27ef3c upstream.

In rtl8xxxu_submit_int_urb if usb_submit_urb fails the allocated urb
should be released.

Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Reviewed-by: Chris Chiu <chiu@endlessm.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
@@ -5447,6 +5447,7 @@ static int rtl8xxxu_submit_int_urb(struc
 	ret = usb_submit_urb(urb, GFP_KERNEL);
 	if (ret) {
 		usb_unanchor_urb(urb);
+		usb_free_urb(urb);
 		goto error;
 	}
 



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 71/78] ath10k: fix memory leak
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 70/78] rtl8xxxu: prevent leaking urb Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 72/78] HID: hiddev: fix mess in hiddev_open() Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Navid Emamdoost, Kalle Valo, Ben Hutchings

From: Navid Emamdoost <navid.emamdoost@gmail.com>

commit b8d17e7d93d2beb89e4f34c59996376b8b544792 upstream.

In ath10k_usb_hif_tx_sg the allocated urb should be released if
usb_submit_urb fails.

Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/ath/ath10k/usb.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/wireless/ath/ath10k/usb.c
+++ b/drivers/net/wireless/ath/ath10k/usb.c
@@ -443,6 +443,7 @@ static int ath10k_usb_hif_tx_sg(struct a
 			ath10k_dbg(ar, ATH10K_DBG_USB_BULK,
 				   "usb bulk transmit failed: %d\n", ret);
 			usb_unanchor_urb(urb);
+			usb_free_urb(urb);
 			ret = -EINVAL;
 			goto err_free_urb_to_pipe;
 		}



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 72/78] HID: hiddev: fix mess in hiddev_open()
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 71/78] ath10k: fix memory leak Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 73/78] USB: Fix: Dont skip endpoint descriptors with maxpacket=0 Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Torokhov, Benjamin Tissoires

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit 18a1b06e5b91d47dc86c0a66a762646ea7c5d141 upstream.

The open method of hiddev handler fails to bring the device out of
autosuspend state as was promised in 0361a28d3f9a, as it actually has 2
blocks that try to start the transport (call hid_hw_open()) with both
being guarded by the "open" counter, so the 2nd block is never executed as
the first block increments the counter so it is never at 0 when we check
it for the second block.

Additionally hiddev_open() was leaving counter incremented on errors,
causing the device to never be reopened properly if there was ever an
error.

Let's fix all of this by factoring out code that creates client structure
and powers up the device into a separate function that is being called
from usbhid_open() with the "existancelock" being held.

Fixes: 0361a28d3f9a ("HID: autosuspend support for USB HID")
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hid/usbhid/hiddev.c |   97 +++++++++++++++++++-------------------------
 1 file changed, 42 insertions(+), 55 deletions(-)

--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
@@ -241,12 +241,51 @@ static int hiddev_release(struct inode *
 	return 0;
 }
 
+static int __hiddev_open(struct hiddev *hiddev, struct file *file)
+{
+	struct hiddev_list *list;
+	int error;
+
+	lockdep_assert_held(&hiddev->existancelock);
+
+	list = vzalloc(sizeof(*list));
+	if (!list)
+		return -ENOMEM;
+
+	mutex_init(&list->thread_lock);
+	list->hiddev = hiddev;
+
+	if (!hiddev->open++) {
+		error = hid_hw_power(hiddev->hid, PM_HINT_FULLON);
+		if (error < 0)
+			goto err_drop_count;
+
+		error = hid_hw_open(hiddev->hid);
+		if (error < 0)
+			goto err_normal_power;
+	}
+
+	spin_lock_irq(&hiddev->list_lock);
+	list_add_tail(&list->node, &hiddev->list);
+	spin_unlock_irq(&hiddev->list_lock);
+
+	file->private_data = list;
+
+	return 0;
+
+err_normal_power:
+	hid_hw_power(hiddev->hid, PM_HINT_NORMAL);
+err_drop_count:
+	hiddev->open--;
+	vfree(list);
+	return error;
+}
+
 /*
  * open file op
  */
 static int hiddev_open(struct inode *inode, struct file *file)
 {
-	struct hiddev_list *list;
 	struct usb_interface *intf;
 	struct hid_device *hid;
 	struct hiddev *hiddev;
@@ -255,66 +294,14 @@ static int hiddev_open(struct inode *ino
 	intf = usbhid_find_interface(iminor(inode));
 	if (!intf)
 		return -ENODEV;
+
 	hid = usb_get_intfdata(intf);
 	hiddev = hid->hiddev;
 
-	if (!(list = vzalloc(sizeof(struct hiddev_list))))
-		return -ENOMEM;
-	mutex_init(&list->thread_lock);
-	list->hiddev = hiddev;
-	file->private_data = list;
-
-	/*
-	 * no need for locking because the USB major number
-	 * is shared which usbcore guards against disconnect
-	 */
-	if (list->hiddev->exist) {
-		if (!list->hiddev->open++) {
-			res = hid_hw_open(hiddev->hid);
-			if (res < 0)
-				goto bail;
-		}
-	} else {
-		res = -ENODEV;
-		goto bail;
-	}
-
-	spin_lock_irq(&list->hiddev->list_lock);
-	list_add_tail(&list->node, &hiddev->list);
-	spin_unlock_irq(&list->hiddev->list_lock);
-
 	mutex_lock(&hiddev->existancelock);
-	/*
-	 * recheck exist with existance lock held to
-	 * avoid opening a disconnected device
-	 */
-	if (!list->hiddev->exist) {
-		res = -ENODEV;
-		goto bail_unlock;
-	}
-	if (!list->hiddev->open++)
-		if (list->hiddev->exist) {
-			struct hid_device *hid = hiddev->hid;
-			res = hid_hw_power(hid, PM_HINT_FULLON);
-			if (res < 0)
-				goto bail_unlock;
-			res = hid_hw_open(hid);
-			if (res < 0)
-				goto bail_normal_power;
-		}
-	mutex_unlock(&hiddev->existancelock);
-	return 0;
-bail_normal_power:
-	hid_hw_power(hid, PM_HINT_NORMAL);
-bail_unlock:
+	res = hiddev->exist ? __hiddev_open(hiddev, file) : -ENODEV;
 	mutex_unlock(&hiddev->existancelock);
 
-	spin_lock_irq(&list->hiddev->list_lock);
-	list_del(&list->node);
-	spin_unlock_irq(&list->hiddev->list_lock);
-bail:
-	file->private_data = NULL;
-	vfree(list);
 	return res;
 }
 



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 73/78] USB: Fix: Dont skip endpoint descriptors with maxpacket=0
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 72/78] HID: hiddev: fix mess in hiddev_open() Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 74/78] phy: cpcap-usb: Fix error path when no host driver is loaded Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alan Stern, Laurent Pinchart,
	Roger Whittaker

From: Alan Stern <stern@rowland.harvard.edu>

commit 2548288b4fb059b2da9ceada172ef763077e8a59 upstream.

It turns out that even though endpoints with a maxpacket length of 0
aren't useful for data transfer, the descriptors do serve other
purposes.  In particular, skipping them will also skip over other
class-specific descriptors for classes such as UVC.  This unexpected
side effect has caused some UVC cameras to stop working.

In addition, the USB spec requires that when isochronous endpoint
descriptors are present in an interface's altsetting 0 (which is true
on some devices), the maxpacket size _must_ be set to 0.  Warning
about such things seems like a bad idea.

This patch updates an earlier commit which would log a warning and
skip these endpoint descriptors.  Now we only log a warning, and we
don't even do that for isochronous endpoints in altsetting 0.

We don't need to worry about preventing endpoints with maxpacket = 0
from ever being used for data transfers; usb_submit_urb() already
checks for this.

Reported-and-tested-by: Roger Whittaker <Roger.Whittaker@suse.com>
Fixes: d482c7bb0541 ("USB: Skip endpoints with 0 maxpacket length")
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://marc.info/?l=linux-usb&m=157790377329882&w=2
Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2001061040270.1514-100000@iolanthe.rowland.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/config.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -392,12 +392,16 @@ static int usb_parse_endpoint(struct dev
 			endpoint->desc.wMaxPacketSize = cpu_to_le16(8);
 	}
 
-	/* Validate the wMaxPacketSize field */
+	/*
+	 * Validate the wMaxPacketSize field.
+	 * Some devices have isochronous endpoints in altsetting 0;
+	 * the USB-2 spec requires such endpoints to have wMaxPacketSize = 0
+	 * (see the end of section 5.6.3), so don't warn about them.
+	 */
 	maxp = usb_endpoint_maxp(&endpoint->desc);
-	if (maxp == 0) {
-		dev_warn(ddev, "config %d interface %d altsetting %d endpoint 0x%X has wMaxPacketSize 0, skipping\n",
+	if (maxp == 0 && !(usb_endpoint_xfer_isoc(d) && asnum == 0)) {
+		dev_warn(ddev, "config %d interface %d altsetting %d endpoint 0x%X has invalid wMaxPacketSize 0\n",
 		    cfgno, inum, asnum, d->bEndpointAddress);
-		goto skip_to_next_endpoint_or_interface_descriptor;
 	}
 
 	/* Find the highest legal maxpacket size for this endpoint */



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 74/78] phy: cpcap-usb: Fix error path when no host driver is loaded
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 73/78] USB: Fix: Dont skip endpoint descriptors with maxpacket=0 Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 75/78] phy: cpcap-usb: Fix flakey host idling and enumerating of devices Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Merlijn Wajer, Pavel Machek,
	Sebastian Reichel, Tony Lindgren, Kishon Vijay Abraham I

From: Tony Lindgren <tony@atomide.com>

commit 4acb0200ab2b07843e3ef5599add3454c7440f03 upstream.

If musb_mailbox() returns an error, we must still continue to finish
configuring the phy.

Otherwise the phy state may end up only half initialized, and this can
cause the debug serial console to stop working. And this will happen if the
usb driver musb controller is not loaded.

Let's fix the issue by adding helper for cpcap_usb_try_musb_mailbox().

Fixes: 6d6ce40f63af ("phy: cpcap-usb: Add CPCAP PMIC USB support")
Cc: Merlijn Wajer <merlijn@wizzup.org>
Cc: Pavel Machek <pavel@ucw.cz>
Cc: Sebastian Reichel <sre@kernel.org>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/phy/motorola/phy-cpcap-usb.c |   33 ++++++++++++++++++---------------
 1 file changed, 18 insertions(+), 15 deletions(-)

--- a/drivers/phy/motorola/phy-cpcap-usb.c
+++ b/drivers/phy/motorola/phy-cpcap-usb.c
@@ -207,6 +207,19 @@ static int cpcap_phy_get_ints_state(stru
 static int cpcap_usb_set_uart_mode(struct cpcap_phy_ddata *ddata);
 static int cpcap_usb_set_usb_mode(struct cpcap_phy_ddata *ddata);
 
+static void cpcap_usb_try_musb_mailbox(struct cpcap_phy_ddata *ddata,
+				       enum musb_vbus_id_status status)
+{
+	int error;
+
+	error = musb_mailbox(status);
+	if (!error)
+		return;
+
+	dev_dbg(ddata->dev, "%s: musb_mailbox failed: %i\n",
+		__func__, error);
+}
+
 static void cpcap_usb_detect(struct work_struct *work)
 {
 	struct cpcap_phy_ddata *ddata;
@@ -226,9 +239,7 @@ static void cpcap_usb_detect(struct work
 		if (error)
 			goto out_err;
 
-		error = musb_mailbox(MUSB_ID_GROUND);
-		if (error)
-			goto out_err;
+		cpcap_usb_try_musb_mailbox(ddata, MUSB_ID_GROUND);
 
 		error = regmap_update_bits(ddata->reg, CPCAP_REG_USBC3,
 					   CPCAP_BIT_VBUSSTBY_EN |
@@ -257,9 +268,7 @@ static void cpcap_usb_detect(struct work
 			error = cpcap_usb_set_usb_mode(ddata);
 			if (error)
 				goto out_err;
-			error = musb_mailbox(MUSB_ID_GROUND);
-			if (error)
-				goto out_err;
+			cpcap_usb_try_musb_mailbox(ddata, MUSB_ID_GROUND);
 
 			return;
 		}
@@ -269,9 +278,7 @@ static void cpcap_usb_detect(struct work
 		error = cpcap_usb_set_usb_mode(ddata);
 		if (error)
 			goto out_err;
-		error = musb_mailbox(MUSB_VBUS_VALID);
-		if (error)
-			goto out_err;
+		cpcap_usb_try_musb_mailbox(ddata, MUSB_VBUS_VALID);
 
 		return;
 	}
@@ -281,9 +288,7 @@ static void cpcap_usb_detect(struct work
 	if (error)
 		goto out_err;
 
-	error = musb_mailbox(MUSB_VBUS_OFF);
-	if (error)
-		goto out_err;
+	cpcap_usb_try_musb_mailbox(ddata, MUSB_VBUS_OFF);
 
 	dev_dbg(ddata->dev, "set UART mode\n");
 
@@ -649,9 +654,7 @@ static int cpcap_usb_phy_remove(struct p
 	if (error)
 		dev_err(ddata->dev, "could not set UART mode\n");
 
-	error = musb_mailbox(MUSB_VBUS_OFF);
-	if (error)
-		dev_err(ddata->dev, "could not set mailbox\n");
+	cpcap_usb_try_musb_mailbox(ddata, MUSB_VBUS_OFF);
 
 	usb_remove_phy(&ddata->phy);
 	cancel_delayed_work_sync(&ddata->detect_work);



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 75/78] phy: cpcap-usb: Fix flakey host idling and enumerating of devices
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 74/78] phy: cpcap-usb: Fix error path when no host driver is loaded Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 76/78] netfilter: arp_tables: init netns pointer in xt_tgchk_param struct Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jacopo Mondi, Marcel Partap,
	Merlijn Wajer, Michael Scott, NeKit, Pavel Machek,
	Sebastian Reichel, Tony Lindgren, Kishon Vijay Abraham I

From: Tony Lindgren <tony@atomide.com>

commit 049226b9fd7442149dcbcf55f15408f5973cceda upstream.

We must let the USB host idle things properly before we switch to debug
UART mode. Otherwise the USB host may never idle after disconnecting
devices, and that causes the next enumeration to be flakey.

Cc: Jacopo Mondi <jacopo@jmondi.org>
Cc: Marcel Partap <mpartap@gmx.net>
Cc: Merlijn Wajer <merlijn@wizzup.org>
Cc: Michael Scott <hashcode0f@gmail.com>
Cc: NeKit <nekit1000@gmail.com>
Cc: Pavel Machek <pavel@ucw.cz>
Cc: Sebastian Reichel <sre@kernel.org>
Acked-by: Pavel Machek <pavel@ucw.cz>
Fixes: 6d6ce40f63af ("phy: cpcap-usb: Add CPCAP PMIC USB support")
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/phy/motorola/phy-cpcap-usb.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/phy/motorola/phy-cpcap-usb.c
+++ b/drivers/phy/motorola/phy-cpcap-usb.c
@@ -283,13 +283,13 @@ static void cpcap_usb_detect(struct work
 		return;
 	}
 
+	cpcap_usb_try_musb_mailbox(ddata, MUSB_VBUS_OFF);
+
 	/* Default to debug UART mode */
 	error = cpcap_usb_set_uart_mode(ddata);
 	if (error)
 		goto out_err;
 
-	cpcap_usb_try_musb_mailbox(ddata, MUSB_VBUS_OFF);
-
 	dev_dbg(ddata->dev, "set UART mode\n");
 
 	return;



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 76/78] netfilter: arp_tables: init netns pointer in xt_tgchk_param struct
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 75/78] phy: cpcap-usb: Fix flakey host idling and enumerating of devices Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 77/78] netfilter: conntrack: dccp, sctp: handle null timeout argument Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+d7358a458d8a81aee898,
	Florian Westphal, Cong Wang, Pablo Neira Ayuso

From: Florian Westphal <fw@strlen.de>

commit 1b789577f655060d98d20ed0c6f9fbd469d6ba63 upstream.

We get crash when the targets checkentry function tries to make
use of the network namespace pointer for arptables.

When the net pointer got added back in 2010, only ip/ip6/ebtables were
changed to initialize it, so arptables has this set to NULL.

This isn't a problem for normal arptables because no existing
arptables target has a checkentry function that makes use of par->net.

However, direct users of the setsockopt interface can provide any
target they want as long as its registered for ARP or UNPSEC protocols.

syzkaller managed to send a semi-valid arptables rule for RATEEST target
which is enough to trigger NULL deref:

kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
RIP: xt_rateest_tg_checkentry+0x11d/0xb40 net/netfilter/xt_RATEEST.c:109
[..]
 xt_check_target+0x283/0x690 net/netfilter/x_tables.c:1019
 check_target net/ipv4/netfilter/arp_tables.c:399 [inline]
 find_check_entry net/ipv4/netfilter/arp_tables.c:422 [inline]
 translate_table+0x1005/0x1d70 net/ipv4/netfilter/arp_tables.c:572
 do_replace net/ipv4/netfilter/arp_tables.c:977 [inline]
 do_arpt_set_ctl+0x310/0x640 net/ipv4/netfilter/arp_tables.c:1456

Fixes: add67461240c1d ("netfilter: add struct net * to target parameters")
Reported-by: syzbot+d7358a458d8a81aee898@syzkaller.appspotmail.com
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/ipv4/netfilter/arp_tables.c |   27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -384,10 +384,11 @@ next:		;
 	return 1;
 }
 
-static inline int check_target(struct arpt_entry *e, const char *name)
+static int check_target(struct arpt_entry *e, struct net *net, const char *name)
 {
 	struct xt_entry_target *t = arpt_get_target(e);
 	struct xt_tgchk_param par = {
+		.net       = net,
 		.table     = name,
 		.entryinfo = e,
 		.target    = t->u.kernel.target,
@@ -399,8 +400,9 @@ static inline int check_target(struct ar
 	return xt_check_target(&par, t->u.target_size - sizeof(*t), 0, false);
 }
 
-static inline int
-find_check_entry(struct arpt_entry *e, const char *name, unsigned int size,
+static int
+find_check_entry(struct arpt_entry *e, struct net *net, const char *name,
+		 unsigned int size,
 		 struct xt_percpu_counter_alloc_state *alloc_state)
 {
 	struct xt_entry_target *t;
@@ -419,7 +421,7 @@ find_check_entry(struct arpt_entry *e, c
 	}
 	t->u.kernel.target = target;
 
-	ret = check_target(e, name);
+	ret = check_target(e, net, name);
 	if (ret)
 		goto err;
 	return 0;
@@ -512,7 +514,9 @@ static inline void cleanup_entry(struct
 /* Checks and translates the user-supplied table segment (held in
  * newinfo).
  */
-static int translate_table(struct xt_table_info *newinfo, void *entry0,
+static int translate_table(struct net *net,
+			   struct xt_table_info *newinfo,
+			   void *entry0,
 			   const struct arpt_replace *repl)
 {
 	struct xt_percpu_counter_alloc_state alloc_state = { 0 };
@@ -569,7 +573,7 @@ static int translate_table(struct xt_tab
 	/* Finally, each sanity check must pass */
 	i = 0;
 	xt_entry_foreach(iter, entry0, newinfo->size) {
-		ret = find_check_entry(iter, repl->name, repl->size,
+		ret = find_check_entry(iter, net, repl->name, repl->size,
 				       &alloc_state);
 		if (ret != 0)
 			break;
@@ -974,7 +978,7 @@ static int do_replace(struct net *net, c
 		goto free_newinfo;
 	}
 
-	ret = translate_table(newinfo, loc_cpu_entry, &tmp);
+	ret = translate_table(net, newinfo, loc_cpu_entry, &tmp);
 	if (ret != 0)
 		goto free_newinfo;
 
@@ -1149,7 +1153,8 @@ compat_copy_entry_from_user(struct compa
 	}
 }
 
-static int translate_compat_table(struct xt_table_info **pinfo,
+static int translate_compat_table(struct net *net,
+				  struct xt_table_info **pinfo,
 				  void **pentry0,
 				  const struct compat_arpt_replace *compatr)
 {
@@ -1217,7 +1222,7 @@ static int translate_compat_table(struct
 	repl.num_counters = 0;
 	repl.counters = NULL;
 	repl.size = newinfo->size;
-	ret = translate_table(newinfo, entry1, &repl);
+	ret = translate_table(net, newinfo, entry1, &repl);
 	if (ret)
 		goto free_newinfo;
 
@@ -1270,7 +1275,7 @@ static int compat_do_replace(struct net
 		goto free_newinfo;
 	}
 
-	ret = translate_compat_table(&newinfo, &loc_cpu_entry, &tmp);
+	ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp);
 	if (ret != 0)
 		goto free_newinfo;
 
@@ -1546,7 +1551,7 @@ int arpt_register_table(struct net *net,
 	loc_cpu_entry = newinfo->entries;
 	memcpy(loc_cpu_entry, repl->entries, repl->size);
 
-	ret = translate_table(newinfo, loc_cpu_entry, repl);
+	ret = translate_table(net, newinfo, loc_cpu_entry, repl);
 	if (ret != 0)
 		goto out_free;
 



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 77/78] netfilter: conntrack: dccp, sctp: handle null timeout argument
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 76/78] netfilter: arp_tables: init netns pointer in xt_tgchk_param struct Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 10:01 ` [PATCH 5.4 78/78] netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+46a4ad33f345d1dd346e,
	Florian Westphal, Pablo Neira Ayuso

From: Florian Westphal <fw@strlen.de>

commit 1d9a7acd3d1e74c2d150d8934f7f55bed6d70858 upstream.

The timeout pointer can be NULL which means we should modify the
per-nets timeout instead.

All do this, except sctp and dccp which instead give:

general protection fault: 0000 [#1] PREEMPT SMP KASAN
net/netfilter/nf_conntrack_proto_dccp.c:682
 ctnl_timeout_parse_policy+0x150/0x1d0 net/netfilter/nfnetlink_cttimeout.c:67
 cttimeout_default_set+0x150/0x1c0 net/netfilter/nfnetlink_cttimeout.c:368
 nfnetlink_rcv_msg+0xcf2/0xfb0 net/netfilter/nfnetlink.c:229
 netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477

Reported-by: syzbot+46a4ad33f345d1dd346e@syzkaller.appspotmail.com
Fixes: c779e849608a8 ("netfilter: conntrack: remove get_timeout() indirection")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/netfilter/nf_conntrack_proto_dccp.c |    3 +++
 net/netfilter/nf_conntrack_proto_sctp.c |    3 +++
 2 files changed, 6 insertions(+)

--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -677,6 +677,9 @@ static int dccp_timeout_nlattr_to_obj(st
 	unsigned int *timeouts = data;
 	int i;
 
+	if (!timeouts)
+		 timeouts = dn->dccp_timeout;
+
 	/* set default DCCP timeouts. */
 	for (i=0; i<CT_DCCP_MAX; i++)
 		timeouts[i] = dn->dccp_timeout[i];
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -594,6 +594,9 @@ static int sctp_timeout_nlattr_to_obj(st
 	struct nf_sctp_net *sn = nf_sctp_pernet(net);
 	int i;
 
+	if (!timeouts)
+		timeouts = sn->timeouts;
+
 	/* set default SCTP timeouts. */
 	for (i=0; i<SCTP_CONNTRACK_MAX; i++)
 		timeouts[i] = sn->timeouts[i];



^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH 5.4 78/78] netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2020-01-14 10:01 ` [PATCH 5.4 77/78] netfilter: conntrack: dccp, sctp: handle null timeout argument Greg Kroah-Hartman
@ 2020-01-14 10:01 ` Greg Kroah-Hartman
  2020-01-14 15:02   ` Jon Hunter
                   ` (3 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 10:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jozsef Kadlecsik,
	syzbot+34bd2369d38707f3f4a7, Florian Westphal, Pablo Neira Ayuso

From: Florian Westphal <fw@strlen.de>

commit 22dad713b8a5ff488e07b821195270672f486eb2 upstream.

The set uadt functions assume lineno is never NULL, but it is in
case of ip_set_utest().

syzkaller managed to generate a netlink message that calls this with
LINENO attr present:

general protection fault: 0000 [#1] PREEMPT SMP KASAN
RIP: 0010:hash_mac4_uadt+0x1bc/0x470 net/netfilter/ipset/ip_set_hash_mac.c:104
Call Trace:
 ip_set_utest+0x55b/0x890 net/netfilter/ipset/ip_set_core.c:1867
 nfnetlink_rcv_msg+0xcf2/0xfb0 net/netfilter/nfnetlink.c:229
 netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
 nfnetlink_rcv+0x1ba/0x460 net/netfilter/nfnetlink.c:563

pass a dummy lineno storage, its easier than patching all set
implementations.

This seems to be a day-0 bug.

Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Reported-by: syzbot+34bd2369d38707f3f4a7@syzkaller.appspotmail.com
Fixes: a7b4f989a6294 ("netfilter: ipset: IP set core support")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/netfilter/ipset/ip_set_core.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1658,6 +1658,7 @@ static int ip_set_utest(struct net *net,
 	struct ip_set *set;
 	struct nlattr *tb[IPSET_ATTR_ADT_MAX + 1] = {};
 	int ret = 0;
+	u32 lineno;
 
 	if (unlikely(protocol_min_failed(attr) ||
 		     !attr[IPSET_ATTR_SETNAME] ||
@@ -1674,7 +1675,7 @@ static int ip_set_utest(struct net *net,
 		return -IPSET_ERR_PROTOCOL;
 
 	rcu_read_lock_bh();
-	ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0, 0);
+	ret = set->variant->uadt(set, tb, IPSET_TEST, &lineno, 0, 0);
 	rcu_read_unlock_bh();
 	/* Userspace can't trigger element to be re-added */
 	if (ret == -EAGAIN)



^ permalink raw reply	[flat|nested] 113+ messages in thread

* RE: [PATCH 5.4 24/78] drm/amdgpu: add DRIVER_SYNCOBJ_TIMELINE to amdgpu
  2020-01-14 10:00 ` [PATCH 5.4 24/78] drm/amdgpu: add DRIVER_SYNCOBJ_TIMELINE to amdgpu Greg Kroah-Hartman
@ 2020-01-14 14:31   ` Deucher, Alexander
  2020-01-14 14:39     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 113+ messages in thread
From: Deucher, Alexander @ 2020-01-14 14:31 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: stable, Zhou, David(ChunMing), Cui, Flora, Koenig, Christian

[AMD Public Use]

> -----Original Message-----
> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Sent: Tuesday, January 14, 2020 5:01 AM
> To: linux-kernel@vger.kernel.org
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>;
> stable@vger.kernel.org; Zhou, David(ChunMing) <David1.Zhou@amd.com>;
> Cui, Flora <Flora.Cui@amd.com>; Koenig, Christian
> <Christian.Koenig@amd.com>; Deucher, Alexander
> <Alexander.Deucher@amd.com>
> Subject: [PATCH 5.4 24/78] drm/amdgpu: add DRIVER_SYNCOBJ_TIMELINE to
> amdgpu
> 
> From: Chunming Zhou <david1.zhou@amd.com>
> 
> commit db4ff423cd1659580e541a2d4363342f15c14230 upstream.
> 
> Can expose it now that the khronos has exposed the vlk extension.
> 
> Signed-off-by: Chunming Zhou <david1.zhou@amd.com>
> Reviewed-by: Flora Cui <Flora.Cui@amd.com>
> Reviewed-by: Christian König <christian.koenig@amd.com>
> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 

This can be dropped for 5.4.  According to ChunMing, there is missing functionality in 5.4 so it's not required.

Thanks,

Alex

> ---
>  drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c |    3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
> @@ -1422,7 +1422,8 @@ static struct drm_driver kms_driver = {
>  	.driver_features =
>  	    DRIVER_USE_AGP | DRIVER_ATOMIC |
>  	    DRIVER_GEM |
> -	    DRIVER_RENDER | DRIVER_MODESET | DRIVER_SYNCOBJ,
> +	    DRIVER_RENDER | DRIVER_MODESET | DRIVER_SYNCOBJ |
> +	    DRIVER_SYNCOBJ_TIMELINE,
>  	.load = amdgpu_driver_load_kms,
>  	.open = amdgpu_driver_open_kms,
>  	.postclose = amdgpu_driver_postclose_kms,
> 

^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH 5.4 24/78] drm/amdgpu: add DRIVER_SYNCOBJ_TIMELINE to amdgpu
  2020-01-14 14:31   ` Deucher, Alexander
@ 2020-01-14 14:39     ` Greg Kroah-Hartman
  0 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 14:39 UTC (permalink / raw)
  To: Deucher, Alexander
  Cc: linux-kernel, stable, Zhou, David(ChunMing),
	Cui, Flora, Koenig, Christian

On Tue, Jan 14, 2020 at 02:31:26PM +0000, Deucher, Alexander wrote:
> [AMD Public Use]
> 
> > -----Original Message-----
> > From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > Sent: Tuesday, January 14, 2020 5:01 AM
> > To: linux-kernel@vger.kernel.org
> > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>;
> > stable@vger.kernel.org; Zhou, David(ChunMing) <David1.Zhou@amd.com>;
> > Cui, Flora <Flora.Cui@amd.com>; Koenig, Christian
> > <Christian.Koenig@amd.com>; Deucher, Alexander
> > <Alexander.Deucher@amd.com>
> > Subject: [PATCH 5.4 24/78] drm/amdgpu: add DRIVER_SYNCOBJ_TIMELINE to
> > amdgpu
> > 
> > From: Chunming Zhou <david1.zhou@amd.com>
> > 
> > commit db4ff423cd1659580e541a2d4363342f15c14230 upstream.
> > 
> > Can expose it now that the khronos has exposed the vlk extension.
> > 
> > Signed-off-by: Chunming Zhou <david1.zhou@amd.com>
> > Reviewed-by: Flora Cui <Flora.Cui@amd.com>
> > Reviewed-by: Christian König <christian.koenig@amd.com>
> > Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > 
> 
> This can be dropped for 5.4.  According to ChunMing, there is missing functionality in 5.4 so it's not required.

Ok, thanks for letting me know, now dropped.

greg k-h

^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH 5.4 00/78] 5.4.12-stable review
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
@ 2020-01-14 15:02   ` Jon Hunter
  2020-01-14 10:00 ` [PATCH 5.4 02/78] i2c: fix bus recovery stop mode timing Greg Kroah-Hartman
                     ` (80 subsequent siblings)
  81 siblings, 0 replies; 113+ messages in thread
From: Jon Hunter @ 2020-01-14 15:02 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, ben.hutchings,
	lkft-triage, stable, linux-tegra


On 14/01/2020 10:00, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.12 release.
> There are 78 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu, 16 Jan 2020 09:41:58 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.12-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

All tests are passing for Tegra ...

Test results for stable-v5.4:
    13 builds:	13 pass, 0 fail
    22 boots:	22 pass, 0 fail
    38 tests:	38 pass, 0 fail

Linux version:	5.4.12-rc1-g5c903e10834d
Boards tested:	tegra124-jetson-tk1, tegra186-p2771-0000,
                tegra194-p2972-0000, tegra20-ventana,
                tegra210-p2371-2180, tegra30-cardhu-a04

Cheers
Jon

-- 
nvpublic

^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH 5.4 00/78] 5.4.12-stable review
@ 2020-01-14 15:02   ` Jon Hunter
  0 siblings, 0 replies; 113+ messages in thread
From: Jon Hunter @ 2020-01-14 15:02 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, ben.hutchings,
	lkft-triage, stable, linux-tegra


On 14/01/2020 10:00, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.12 release.
> There are 78 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu, 16 Jan 2020 09:41:58 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.12-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

All tests are passing for Tegra ...

Test results for stable-v5.4:
    13 builds:	13 pass, 0 fail
    22 boots:	22 pass, 0 fail
    38 tests:	38 pass, 0 fail

Linux version:	5.4.12-rc1-g5c903e10834d
Boards tested:	tegra124-jetson-tk1, tegra186-p2771-0000,
                tegra194-p2972-0000, tegra20-ventana,
                tegra210-p2371-2180, tegra30-cardhu-a04

Cheers
Jon

-- 
nvpublic

^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH 5.4 00/78] 5.4.12-stable review
  2020-01-14 15:02   ` Jon Hunter
  (?)
@ 2020-01-14 15:18   ` Greg Kroah-Hartman
  -1 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 15:18 UTC (permalink / raw)
  To: Jon Hunter
  Cc: linux-kernel, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable, linux-tegra

On Tue, Jan 14, 2020 at 03:02:56PM +0000, Jon Hunter wrote:
> 
> On 14/01/2020 10:00, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.4.12 release.
> > There are 78 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Thu, 16 Jan 2020 09:41:58 +0000.
> > Anything received after that time might be too late.
> > 
> > The whole patch series can be found in one patch at:
> > 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.12-rc1.gz
> > or in the git tree and branch at:
> > 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> > and the diffstat can be found below.
> > 
> > thanks,
> > 
> > greg k-h
> 
> All tests are passing for Tegra ...
> 
> Test results for stable-v5.4:
>     13 builds:	13 pass, 0 fail
>     22 boots:	22 pass, 0 fail
>     38 tests:	38 pass, 0 fail

Wonderful, thanks for the testing and quick response.

greg k-h

^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH 5.4 00/78] 5.4.12-stable review
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2020-01-14 15:02   ` Jon Hunter
@ 2020-01-14 18:17 ` Guenter Roeck
  2020-01-14 18:53   ` Greg Kroah-Hartman
  2020-01-14 20:19 ` shuah
  2020-01-15  2:09 ` Daniel Díaz
  81 siblings, 1 reply; 113+ messages in thread
From: Guenter Roeck @ 2020-01-14 18:17 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Tue, Jan 14, 2020 at 11:00:34AM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.12 release.
> There are 78 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu, 16 Jan 2020 09:41:58 +0000.
> Anything received after that time might be too late.
> 

Build results:
	total: 158 pass: 158 fail: 0
Qemu test results:
	total: 389 pass: 389 fail: 0

Guenter

^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH 5.4 00/78] 5.4.12-stable review
  2020-01-14 18:17 ` Guenter Roeck
@ 2020-01-14 18:53   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 18:53 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Tue, Jan 14, 2020 at 10:17:45AM -0800, Guenter Roeck wrote:
> On Tue, Jan 14, 2020 at 11:00:34AM +0100, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.4.12 release.
> > There are 78 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Thu, 16 Jan 2020 09:41:58 +0000.
> > Anything received after that time might be too late.
> > 
> 
> Build results:
> 	total: 158 pass: 158 fail: 0
> Qemu test results:
> 	total: 389 pass: 389 fail: 0

Wonderful, thanks for testing all of these and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH 5.4 00/78] 5.4.12-stable review
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2020-01-14 18:17 ` Guenter Roeck
@ 2020-01-14 20:19 ` shuah
  2020-01-14 21:55   ` Greg Kroah-Hartman
  2020-01-15  2:09 ` Daniel Díaz
  81 siblings, 1 reply; 113+ messages in thread
From: shuah @ 2020-01-14 20:19 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, patches, ben.hutchings, lkft-triage,
	stable, shuah

On 1/14/20 3:00 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.12 release.
> There are 78 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu, 16 Jan 2020 09:41:58 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.12-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah

^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH 5.4 00/78] 5.4.12-stable review
  2020-01-14 20:19 ` shuah
@ 2020-01-14 21:55   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-14 21:55 UTC (permalink / raw)
  To: shuah
  Cc: linux-kernel, torvalds, akpm, linux, patches, ben.hutchings,
	lkft-triage, stable

On Tue, Jan 14, 2020 at 01:19:41PM -0700, shuah wrote:
> On 1/14/20 3:00 AM, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.4.12 release.
> > There are 78 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Thu, 16 Jan 2020 09:41:58 +0000.
> > Anything received after that time might be too late.
> > 
> > The whole patch series can be found in one patch at:
> > 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.12-rc1.gz
> > or in the git tree and branch at:
> > 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> > and the diffstat can be found below.
> > 
> > thanks,
> > 
> > greg k-h
> > 
> 
> Compiled and booted on my test system. No dmesg regressions.

Thanks for testing all of these and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH 5.4 00/78] 5.4.12-stable review
  2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2020-01-14 20:19 ` shuah
@ 2020-01-15  2:09 ` Daniel Díaz
  2020-01-15  8:12   ` Greg Kroah-Hartman
  81 siblings, 1 reply; 113+ messages in thread
From: Daniel Díaz @ 2020-01-15  2:09 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, ben.hutchings,
	lkft-triage, stable

Hello!

On 1/14/20 4:00 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.12 release.
> There are 78 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu, 16 Jan 2020 09:41:58 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.12-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Summary
------------------------------------------------------------------------

kernel: 5.4.12-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-5.4.y
git commit: 5c903e10834dc8905bf461f15b48cceb1ee8c0d9
git describe: v5.4.11-79-g5c903e10834d
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-5.4-oe/build/v5.4.11-79-g5c903e10834d


No regressions (compared to build v5.4.11)

No fixes (compared to build v5.4.11)

Ran 23755 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c
- hi6220-hikey
- i386
- juno-r2
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15
- x86

Test Suites
-----------
* build
* install-android-platform-tools-r2600
* kselftest
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none
* kvm-unit-tests
* libgpiod
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fs-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-open-posix-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* network-basic-tests
* perf
* spectre-meltdown-checker-test
* ssuite
* v4l2-compliance


Greetings!

Daniel Díaz
daniel.diaz@linaro.org


-- 
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH 5.4 00/78] 5.4.12-stable review
  2020-01-15  2:09 ` Daniel Díaz
@ 2020-01-15  8:12   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-15  8:12 UTC (permalink / raw)
  To: Daniel Díaz
  Cc: linux-kernel, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

On Tue, Jan 14, 2020 at 08:09:11PM -0600, Daniel Díaz wrote:
> Hello!
> 
> On 1/14/20 4:00 AM, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.4.12 release.
> > There are 78 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Thu, 16 Jan 2020 09:41:58 +0000.
> > Anything received after that time might be too late.
> > 
> > The whole patch series can be found in one patch at:
> > 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.12-rc1.gz
> > or in the git tree and branch at:
> > 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> > and the diffstat can be found below.
> > 
> > thanks,
> > 
> > greg k-h
> 
> Results from Linaro’s test farm.
> No regressions on arm64, arm, x86_64, and i386.

Thanks for testing all of these and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH 5.4 17/78] HID: Fix slab-out-of-bounds read in hid_field_extract (Broken!)
  2020-01-14 10:00 ` [PATCH 5.4 17/78] HID: Fix slab-out-of-bounds read in hid_field_extract Greg Kroah-Hartman
@ 2020-02-05  7:12   ` peter enderborg
  2020-02-05  9:32     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 113+ messages in thread
From: peter enderborg @ 2020-02-05  7:12 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel, Alan Stern, Jiri Kosina
  Cc: stable, syzbot+09ef48aa58261464b621

On 1/14/20 11:00 AM, Greg Kroah-Hartman wrote:
> From: Alan Stern <stern@rowland.harvard.edu>
>
> commit 8ec321e96e056de84022c032ffea253431a83c3c upstream.
>
> The syzbot fuzzer found a slab-out-of-bounds bug in the HID report
> handler.  The bug was caused by a report descriptor which included a
> field with size 12 bits and count 4899, for a total size of 7349
> bytes.
>
> The usbhid driver uses at most a single-page 4-KB buffer for reports.
> In the test there wasn't any problem about overflowing the buffer,
> since only one byte was received from the device.  Rather, the bug
> occurred when the HID core tried to extract the data from the report
> fields, which caused it to try reading data beyond the end of the
> allocated buffer.
>
> This patch fixes the problem by rejecting any report whose total
> length exceeds the HID_MAX_BUFFER_SIZE limit (minus one byte to allow
> for a possible report index).  In theory a device could have a report
> longer than that, but if there was such a thing we wouldn't handle it
> correctly anyway.
>
> Reported-and-tested-by: syzbot+09ef48aa58261464b621@syzkaller.appspotmail.com
> Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
> CC: <stable@vger.kernel.org>
> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>
> ---
>  drivers/hid/hid-core.c |    6 ++++++
>  1 file changed, 6 insertions(+)
>
> --- a/drivers/hid/hid-core.c
> +++ b/drivers/hid/hid-core.c
> @@ -288,6 +288,12 @@ static int hid_add_field(struct hid_pars
>  	offset = report->size;
>  	report->size += parser->global.report_size * parser->global.report_count;
>  
> +	/* Total size check: Allow for possible report index byte */
> +	if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) {
> +		hid_err(parser->device, "report is too long\n");
> +		return -1;
> +	}
> +
>  	if (!parser->local.usage_index) /* Ignore padding fields */
>  		return 0;
>  
>
>
>
This patch breaks Elgato StreamDeck.


^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH 5.4 17/78] HID: Fix slab-out-of-bounds read in hid_field_extract (Broken!)
  2020-02-05  7:12   ` [PATCH 5.4 17/78] HID: Fix slab-out-of-bounds read in hid_field_extract (Broken!) peter enderborg
@ 2020-02-05  9:32     ` Greg Kroah-Hartman
  2020-02-05  9:49       ` Enderborg, Peter
  0 siblings, 1 reply; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-02-05  9:32 UTC (permalink / raw)
  To: peter enderborg
  Cc: linux-kernel, Alan Stern, Jiri Kosina, stable,
	syzbot+09ef48aa58261464b621

On Wed, Feb 05, 2020 at 08:12:27AM +0100, peter enderborg wrote:
> On 1/14/20 11:00 AM, Greg Kroah-Hartman wrote:
> > From: Alan Stern <stern@rowland.harvard.edu>
> >
> > commit 8ec321e96e056de84022c032ffea253431a83c3c upstream.
> >
> > The syzbot fuzzer found a slab-out-of-bounds bug in the HID report
> > handler.  The bug was caused by a report descriptor which included a
> > field with size 12 bits and count 4899, for a total size of 7349
> > bytes.
> >
> > The usbhid driver uses at most a single-page 4-KB buffer for reports.
> > In the test there wasn't any problem about overflowing the buffer,
> > since only one byte was received from the device.  Rather, the bug
> > occurred when the HID core tried to extract the data from the report
> > fields, which caused it to try reading data beyond the end of the
> > allocated buffer.
> >
> > This patch fixes the problem by rejecting any report whose total
> > length exceeds the HID_MAX_BUFFER_SIZE limit (minus one byte to allow
> > for a possible report index).  In theory a device could have a report
> > longer than that, but if there was such a thing we wouldn't handle it
> > correctly anyway.
> >
> > Reported-and-tested-by: syzbot+09ef48aa58261464b621@syzkaller.appspotmail.com
> > Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
> > CC: <stable@vger.kernel.org>
> > Signed-off-by: Jiri Kosina <jkosina@suse.cz>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> >
> > ---
> >  drivers/hid/hid-core.c |    6 ++++++
> >  1 file changed, 6 insertions(+)
> >
> > --- a/drivers/hid/hid-core.c
> > +++ b/drivers/hid/hid-core.c
> > @@ -288,6 +288,12 @@ static int hid_add_field(struct hid_pars
> >  	offset = report->size;
> >  	report->size += parser->global.report_size * parser->global.report_count;
> >  
> > +	/* Total size check: Allow for possible report index byte */
> > +	if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) {
> > +		hid_err(parser->device, "report is too long\n");
> > +		return -1;
> > +	}
> > +
> >  	if (!parser->local.usage_index) /* Ignore padding fields */
> >  		return 0;
> >  
> >
> >
> >
> This patch breaks Elgato StreamDeck.

Does that mean the device is broken with a too-large of a report?

Is it broken in Linus's tree?  If so, can you work with the HID
developers to fix it there so we can backport the fix to all stable
trees?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH 5.4 17/78] HID: Fix slab-out-of-bounds read in hid_field_extract (Broken!)
  2020-02-05  9:32     ` Greg Kroah-Hartman
@ 2020-02-05  9:49       ` Enderborg, Peter
  2020-02-05  9:54         ` Jiri Kosina
  0 siblings, 1 reply; 113+ messages in thread
From: Enderborg, Peter @ 2020-02-05  9:49 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Jiri Kosina
  Cc: linux-kernel, Alan Stern, stable, syzbot+09ef48aa58261464b621

On 2/5/20 10:32 AM, Greg Kroah-Hartman wrote:
> On Wed, Feb 05, 2020 at 08:12:27AM +0100, peter enderborg wrote:
>> On 1/14/20 11:00 AM, Greg Kroah-Hartman wrote:
>>> From: Alan Stern <stern@rowland.harvard.edu>
>>>
>>> commit 8ec321e96e056de84022c032ffea253431a83c3c upstream.
>>>
>>> The syzbot fuzzer found a slab-out-of-bounds bug in the HID report
>>> handler.  The bug was caused by a report descriptor which included a
>>> field with size 12 bits and count 4899, for a total size of 7349
>>> bytes.
>>>
>>> The usbhid driver uses at most a single-page 4-KB buffer for reports.
>>> In the test there wasn't any problem about overflowing the buffer,
>>> since only one byte was received from the device.  Rather, the bug
>>> occurred when the HID core tried to extract the data from the report
>>> fields, which caused it to try reading data beyond the end of the
>>> allocated buffer.
>>>
>>> This patch fixes the problem by rejecting any report whose total
>>> length exceeds the HID_MAX_BUFFER_SIZE limit (minus one byte to allow
>>> for a possible report index).  In theory a device could have a report
>>> longer than that, but if there was such a thing we wouldn't handle it
>>> correctly anyway.
>>>
>>> Reported-and-tested-by: syzbot+09ef48aa58261464b621@syzkaller.appspotmail.com
>>> Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
>>> CC: <stable@vger.kernel.org>
>>> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
>>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>>
>>> ---
>>>  drivers/hid/hid-core.c |    6 ++++++
>>>  1 file changed, 6 insertions(+)
>>>
>>> --- a/drivers/hid/hid-core.c
>>> +++ b/drivers/hid/hid-core.c
>>> @@ -288,6 +288,12 @@ static int hid_add_field(struct hid_pars
>>>  	offset = report->size;
>>>  	report->size += parser->global.report_size * parser->global.report_count;
>>>  
>>> +	/* Total size check: Allow for possible report index byte */
>>> +	if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) {
>>> +		hid_err(parser->device, "report is too long\n");
>>> +		return -1;
>>> +	}
>>> +
>>>  	if (!parser->local.usage_index) /* Ignore padding fields */
>>>  		return 0;
>>>  
>>>
>>>
>>>
>> This patch breaks Elgato StreamDeck.
> Does that mean the device is broken with a too-large of a report?

Yes.

> Is it broken in Linus's tree?  If so, can you work with the HID
> developers to fix it there so we can backport the fix to all stable
> trees?

I cant see that there are any other fixes upon this so I dont think so. I can try.  

Jiri is in the loop. I guess he is the "HID developers" ?

>
> thanks,
>
> greg k-h


^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH 5.4 17/78] HID: Fix slab-out-of-bounds read in hid_field_extract (Broken!)
  2020-02-05  9:49       ` Enderborg, Peter
@ 2020-02-05  9:54         ` Jiri Kosina
  2020-02-05 11:56           ` peter enderborg
  2020-02-05 15:00           ` Alan Stern
  0 siblings, 2 replies; 113+ messages in thread
From: Jiri Kosina @ 2020-02-05  9:54 UTC (permalink / raw)
  To: Enderborg, Peter
  Cc: Greg Kroah-Hartman, linux-kernel, Alan Stern, stable,
	syzbot+09ef48aa58261464b621

On Wed, 5 Feb 2020, Enderborg, Peter wrote:

> >> This patch breaks Elgato StreamDeck.
>
> > Does that mean the device is broken with a too-large of a report?
> 
> Yes.

In which way does the breakage pop up? Are you getting "report too long" 
errors in dmesg, or the device just doesn't enumerate at all?

Could you please post /sys/kernel/debug/hid/<device>/rdesc contents, and 
if the device is at least semi-alive, also contents of 
/sys/kernel/debug/hid/<device>/events from the time it misbehaves?

> > Is it broken in Linus's tree?  If so, can you work with the HID
> > developers to fix it there so we can backport the fix to all stable
> > trees?
> 
> I cant see that there are any other fixes upon this so I dont think so. 
> I can try.
>
> 
> Jiri is in the loop. I guess he is the "HID developers" ?

Thanks,

-- 
Jiri Kosina
SUSE Labs


^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH 5.4 17/78] HID: Fix slab-out-of-bounds read in hid_field_extract (Broken!)
  2020-02-05  9:54         ` Jiri Kosina
@ 2020-02-05 11:56           ` peter enderborg
  2020-02-05 15:00           ` Alan Stern
  1 sibling, 0 replies; 113+ messages in thread
From: peter enderborg @ 2020-02-05 11:56 UTC (permalink / raw)
  To: Jiri Kosina; +Cc: Greg Kroah-Hartman, linux-kernel, Alan Stern

On 2/5/20 10:54 AM, Jiri Kosina wrote:
> On Wed, 5 Feb 2020, Enderborg, Peter wrote:
>
>>>> This patch breaks Elgato StreamDeck.
>>> Does that mean the device is broken with a too-large of a report?
>> Yes.
> In which way does the breakage pop up? Are you getting "report too long" 
> errors in dmesg, or the device just doesn't enumerate at all?
>
> Could you please post /sys/kernel/debug/hid/<device>/rdesc contents, and 
> if the device is at least semi-alive, also contents of 
> /sys/kernel/debug/hid/<device>/events from the time it misbehaves?
>
Sure.

[   18.710500] hid-generic 0003:0FD9:0060.0005: report is too long
[   18.716511] hid-generic 0003:0FD9:0060.0005: item 0 1 0 9 parsing failed
[   18.723359] hid-generic: probe of 0003:0FD9:0060.0005 failed with error -22
[root@imx ~]# cat /sys/kernel/debug/hid/0003\:0FD9\:0060.0005/rdesc
05 0c 09 01 a1 01 09 01 05 09 19 01 29 10 15 00 26 ff 00 75 08 95 10 85 01 81 02 0a 00 ff 15 00 26 ff 00 75 08 95 10 85 a0 81 02 0a 00 ff 15 00 26 ff 00 75 08 95 10 85 a1 81 02 0a 00 ff 15 00 26 ff 00 75 08 96 fe 1f 85 02 91 02 a1 00 0a 00 ff 15 00 26 ff 00 75 08 95 10 85 03 b1 02 c0 a1 00 0a 00 ff 15 00 26 ff 00 75 08 95 10 85 04 b1 02 c0 a1 00 0a 00 ff 15 00 26 ff 00 75 08 95 10 85 05 b1 02 c0 a1 00 0a 00 ff 15 00 26 ff 00 75 08 95 01 85 06 b1 02 c0 a1 00 0a 00 ff 15 00 26 ff 00 75 08 95 10 85 07 b1 04 c0 a1 00 0a 00 ff 15 00 26 ff 00 75 08 95 01 85 08 b1 04 c0 a1 00 0a 00 ff 15 00 26 ff 00 75 08 95 10 85 09 b1 04 c0 a1 00 0a 00 ff 15 00 26 ff 00 75 08 95 10 85 0a b1 04 c0 a1 00 0a 00 ff 15 00 26 ff 00 75 08 95 10 85 0b b1 04 c0 c0

The rdesc is different in 5.3.16 and quite long where it works. The head is there:

[root@imx ~]# cat rdesc.5.3.16 | more
05 0c 09 01 a1 01 09 01 05 09 19 01 29 10 15 00 26 ff 00 75 08 95 10 85 01 81 02
 0a 00 ff 15 00 26 ff 00 75 08 95 10 85 a0 81 02 0a 00 ff 15 00 26 ff 00 75 08 9
5 10 85 a1 81 02 0a 00 ff 15 00 26 ff 00 75 08 96 fe 1f 85 02 91 02 a1 00 0a 00
ff 15 00 26 ff 00 75 08 95 10 85 03 b1 02 c0 a1 00 0a 00 ff 15 00 26 ff 00 75 08
 95 10 85 04 b1 02 c0 a1 00 0a 00 ff 15 00 26 ff 00 75 08 95 10 85 05 b1 02 c0 a
1 00 0a 00 ff 15 00 26 ff 00 75 08 95 01 85 06 b1 02 c0 a1 00 0a 00 ff 15 00 26
ff 00 75 08 95 10 85 07 b1 04 c0 a1 00 0a 00 ff 15 00 26 ff 00 75 08 95 01 85 08
 b1 04 c0 a1 00 0a 00 ff 15 00 26 ff 00 75 08 95 10 85 09 b1 04 c0 a1 00 0a 00 f
f 15 00 26 ff 00 75 08 95 10 85 0a b1 04 c0 a1 00 0a 00 ff 15 00 26 ff 00 75 08
95 10 85 0b b1 04 c0 c0

  INPUT(1)[INPUT]
    Field(0)
      Application(Consumer.0001)
      Usage(17)
        Consumer.0001
        Button.0001
        Button.0002
        Button.0003
        Button.0004
        Button.0005
        Button.0006
        Button.0007
        Button.0008
        Button.0009
        Button.000a
        Button.000b
        Button.000c
        Button.000d
        Button.000e
        Button.000f
        Button.0010
      Logical Minimum(0)
      Logical Maximum(255)
      Report Size(8)
      Report Count(16)
      Report Offset(0)
      Flags( Variable Absolute )
  INPUT(160)[INPUT]
    Field(0)
      Application(Consumer.0001)
      Usage(16)
        Button.ff00
        Button.ff00
        Button.ff00
        Button.ff00

>>> Is it broken in Linus's tree?  If so, can you work with the HID
>>> developers to fix it there so we can backport the fix to all stable
>>> trees?
>> I cant see that there are any other fixes upon this so I dont think so. 
>> I can try.
>>
>>
>> Jiri is in the loop. I guess he is the "HID developers" ?
> Thanks,
>


^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH 5.4 17/78] HID: Fix slab-out-of-bounds read in hid_field_extract (Broken!)
  2020-02-05  9:54         ` Jiri Kosina
  2020-02-05 11:56           ` peter enderborg
@ 2020-02-05 15:00           ` Alan Stern
  2020-02-06  7:00             ` Enderborg, Peter
  1 sibling, 1 reply; 113+ messages in thread
From: Alan Stern @ 2020-02-05 15:00 UTC (permalink / raw)
  To: Jiri Kosina
  Cc: Enderborg, Peter, Greg Kroah-Hartman, linux-kernel, stable,
	syzbot+09ef48aa58261464b621

On Wed, 5 Feb 2020, Jiri Kosina wrote:

> On Wed, 5 Feb 2020, Enderborg, Peter wrote:
> 
> > >> This patch breaks Elgato StreamDeck.
> >
> > > Does that mean the device is broken with a too-large of a report?
> > 
> > Yes.
> 
> In which way does the breakage pop up? Are you getting "report too long" 
> errors in dmesg, or the device just doesn't enumerate at all?
> 
> Could you please post /sys/kernel/debug/hid/<device>/rdesc contents, and 
> if the device is at least semi-alive, also contents of 
> /sys/kernel/debug/hid/<device>/events from the time it misbehaves?

Also, please post the output from "lsusb -v" for the StreamDeck.

Alan Stern


^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH 5.4 17/78] HID: Fix slab-out-of-bounds read in hid_field_extract (Broken!)
  2020-02-05 15:00           ` Alan Stern
@ 2020-02-06  7:00             ` Enderborg, Peter
  2020-02-06 15:14               ` Alan Stern
  0 siblings, 1 reply; 113+ messages in thread
From: Enderborg, Peter @ 2020-02-06  7:00 UTC (permalink / raw)
  To: Alan Stern, Jiri Kosina; +Cc: Greg Kroah-Hartman, linux-kernel, stable

On 2/5/20 4:00 PM, Alan Stern wrote:
> On Wed, 5 Feb 2020, Jiri Kosina wrote:
>
>> On Wed, 5 Feb 2020, Enderborg, Peter wrote:
>>
>>>>> This patch breaks Elgato StreamDeck.
>>>> Does that mean the device is broken with a too-large of a report?
>>> Yes.
>> In which way does the breakage pop up? Are you getting "report too long" 
>> errors in dmesg, or the device just doesn't enumerate at all?
>>
>> Could you please post /sys/kernel/debug/hid/<device>/rdesc contents, and 
>> if the device is at least semi-alive, also contents of 
>> /sys/kernel/debug/hid/<device>/events from the time it misbehaves?
> Also, please post the output from "lsusb -v" for the StreamDeck.

Bus 002 Device 008: ID 0fd9:0060 Elgato Systems GmbH Stream Deck
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  idVendor           0x0fd9 Elgato Systems GmbH
  idProduct          0x0060
  bcdDevice            1.00
  iManufacturer           1
  iProduct                2
  iSerial                 3
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0029
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0xe0
      Self Powered
      Remote Wakeup
    MaxPower              400mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      0
      bInterfaceProtocol      0
      iInterface              0
        HID Device Descriptor:
          bLength                 9
          bDescriptorType        33
          bcdHID               1.11
          bCountryCode            0 Not supported
          bNumDescriptors         1
          bDescriptorType        34 Report
          wDescriptorLength     248
         Report Descriptors:
           ** UNAVAILABLE **
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               1


> Alan Stern
>

^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH 5.4 17/78] HID: Fix slab-out-of-bounds read in hid_field_extract (Broken!)
  2020-02-06  7:00             ` Enderborg, Peter
@ 2020-02-06 15:14               ` Alan Stern
  2020-02-07  8:11                 ` Enderborg, Peter
  0 siblings, 1 reply; 113+ messages in thread
From: Alan Stern @ 2020-02-06 15:14 UTC (permalink / raw)
  To: Enderborg, Peter; +Cc: Jiri Kosina, Greg Kroah-Hartman, linux-kernel, stable

On Thu, 6 Feb 2020, Enderborg, Peter wrote:

> > Also, please post the output from "lsusb -v" for the StreamDeck.
> 
> Bus 002 Device 008: ID 0fd9:0060 Elgato Systems GmbH Stream Deck
> Device Descriptor:
>   bLength                18
>   bDescriptorType         1
>   bcdUSB               2.00
>   bDeviceClass            0
>   bDeviceSubClass         0
>   bDeviceProtocol         0
>   bMaxPacketSize0        64
>   idVendor           0x0fd9 Elgato Systems GmbH
>   idProduct          0x0060
>   bcdDevice            1.00
>   iManufacturer           1
>   iProduct                2
>   iSerial                 3
>   bNumConfigurations      1
>   Configuration Descriptor:
>     bLength                 9
>     bDescriptorType         2
>     wTotalLength       0x0029
>     bNumInterfaces          1
>     bConfigurationValue     1
>     iConfiguration          0
>     bmAttributes         0xe0
>       Self Powered
>       Remote Wakeup
>     MaxPower              400mA
>     Interface Descriptor:
>       bLength                 9
>       bDescriptorType         4
>       bInterfaceNumber        0
>       bAlternateSetting       0
>       bNumEndpoints           2
>       bInterfaceClass         3 Human Interface Device
>       bInterfaceSubClass      0
>       bInterfaceProtocol      0
>       iInterface              0
>         HID Device Descriptor:
>           bLength                 9
>           bDescriptorType        33
>           bcdHID               1.11
>           bCountryCode            0 Not supported
>           bNumDescriptors         1
>           bDescriptorType        34 Report
>           wDescriptorLength     248
>          Report Descriptors:
>            ** UNAVAILABLE **

I was hoping to see the report descriptors.  This would produce the 
actual descriptors as sent by the device, not the kernel's 
interpretation or modification of the descriptors.

I guess you have to unbind the device from the usbhid driver first in
order for lsusb to get them.  Can you do that?

Alan Stern


^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH 5.4 17/78] HID: Fix slab-out-of-bounds read in hid_field_extract (Broken!)
  2020-02-06 15:14               ` Alan Stern
@ 2020-02-07  8:11                 ` Enderborg, Peter
  2020-02-07 15:22                   ` Alan Stern
  0 siblings, 1 reply; 113+ messages in thread
From: Enderborg, Peter @ 2020-02-07  8:11 UTC (permalink / raw)
  To: Alan Stern; +Cc: Jiri Kosina, Greg Kroah-Hartman, linux-kernel, stable

On 2/6/20 4:14 PM, Alan Stern wrote:
> On Thu, 6 Feb 2020, Enderborg, Peter wrote:
>
>>> Also, please post the output from "lsusb -v" for the StreamDeck.
>> Bus 002 Device 008: ID 0fd9:0060 Elgato Systems GmbH Stream Deck
>> Device Descriptor:
>>   bLength                18
>>   bDescriptorType         1
>>   bcdUSB               2.00
>>   bDeviceClass            0
>>   bDeviceSubClass         0
>>   bDeviceProtocol         0
>>   bMaxPacketSize0        64
>>   idVendor           0x0fd9 Elgato Systems GmbH
>>   idProduct          0x0060
>>   bcdDevice            1.00
>>   iManufacturer           1
>>   iProduct                2
>>   iSerial                 3
>>   bNumConfigurations      1
>>   Configuration Descriptor:
>>     bLength                 9
>>     bDescriptorType         2
>>     wTotalLength       0x0029
>>     bNumInterfaces          1
>>     bConfigurationValue     1
>>     iConfiguration          0
>>     bmAttributes         0xe0
>>       Self Powered
>>       Remote Wakeup
>>     MaxPower              400mA
>>     Interface Descriptor:
>>       bLength                 9
>>       bDescriptorType         4
>>       bInterfaceNumber        0
>>       bAlternateSetting       0
>>       bNumEndpoints           2
>>       bInterfaceClass         3 Human Interface Device
>>       bInterfaceSubClass      0
>>       bInterfaceProtocol      0
>>       iInterface              0
>>         HID Device Descriptor:
>>           bLength                 9
>>           bDescriptorType        33
>>           bcdHID               1.11
>>           bCountryCode            0 Not supported
>>           bNumDescriptors         1
>>           bDescriptorType        34 Report
>>           wDescriptorLength     248
>>          Report Descriptors:
>>            ** UNAVAILABLE **
> I was hoping to see the report descriptors.  This would produce the 
> actual descriptors as sent by the device, not the kernel's 
> interpretation or modification of the descriptors.
>
> I guess you have to unbind the device from the usbhid driver first in
> order for lsusb to get them.  Can you do that?
>
> Alan Stern
>
Im not sure exatly what you need to unbind. But I assume this is what you want:

 lsusb -v -d 0fd9:0060

Bus 002 Device 002: ID 0fd9:0060 Elgato Systems GmbH Stream Deck
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  idVendor           0x0fd9 Elgato Systems GmbH
  idProduct          0x0060
  bcdDevice            1.00
  iManufacturer           1 Elgato Systems
  iProduct                2 Stream Deck
  iSerial                 3 AL01H1A08945
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0029
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0xe0
      Self Powered
      Remote Wakeup
    MaxPower              400mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      0
      bInterfaceProtocol      0
      iInterface              0
        HID Device Descriptor:
          bLength                 9
          bDescriptorType        33
          bcdHID               1.11
          bCountryCode            0 Not supported
          bNumDescriptors         1
          bDescriptorType        34 Report
          wDescriptorLength     248
          Report Descriptor: (length is 248)
            Item(Global): Usage Page, data= [ 0x0c ] 12
                            Consumer
            Item(Local ): Usage, data= [ 0x01 ] 1
                            Consumer Control
            Item(Main  ): Collection, data= [ 0x01 ] 1
                            Application
            Item(Local ): Usage, data= [ 0x01 ] 1
                            Consumer Control
            Item(Global): Usage Page, data= [ 0x09 ] 9
                            Buttons
            Item(Local ): Usage Minimum, data= [ 0x01 ] 1
                            Button 1 (Primary)
            Item(Local ): Usage Maximum, data= [ 0x10 ] 16
                            (null)
            Item(Global): Logical Minimum, data= [ 0x00 ] 0
            Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
            Item(Global): Report Size, data= [ 0x08 ] 8
            Item(Global): Report Count, data= [ 0x10 ] 16
            Item(Global): Report ID, data= [ 0x01 ] 1
            Item(Main  ): Input, data= [ 0x02 ] 2
                            Data Variable Absolute No_Wrap Linear
                            Preferred_State No_Null_Position Non_Volatile Bitfield
            Item(Local ): Usage, data= [ 0x00 0xff ] 65280
                            (null)
            Item(Global): Logical Minimum, data= [ 0x00 ] 0
            Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
            Item(Global): Report Size, data= [ 0x08 ] 8
            Item(Global): Report Count, data= [ 0x10 ] 16
            Item(Global): Report ID, data= [ 0xa0 ] 160
            Item(Main  ): Input, data= [ 0x02 ] 2
                            Data Variable Absolute No_Wrap Linear
                            Preferred_State No_Null_Position Non_Volatile Bitfield
            Item(Local ): Usage, data= [ 0x00 0xff ] 65280
                            (null)
            Item(Global): Logical Minimum, data= [ 0x00 ] 0
            Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
            Item(Global): Report Size, data= [ 0x08 ] 8
            Item(Global): Report Count, data= [ 0x10 ] 16
            Item(Global): Report ID, data= [ 0xa1 ] 161
            Item(Main  ): Input, data= [ 0x02 ] 2
                            Data Variable Absolute No_Wrap Linear
                            Preferred_State No_Null_Position Non_Volatile Bitfield
            Item(Local ): Usage, data= [ 0x00 0xff ] 65280
                            (null)
            Item(Global): Logical Minimum, data= [ 0x00 ] 0
            Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
            Item(Global): Report Size, data= [ 0x08 ] 8
            Item(Global): Report Count, data= [ 0xfe 0x1f ] 8190
            Item(Global): Report ID, data= [ 0x02 ] 2
            Item(Main  ): Output, data= [ 0x02 ] 2
                            Data Variable Absolute No_Wrap Linear
                            Preferred_State No_Null_Position Non_Volatile Bitfield
            Item(Main  ): Collection, data= [ 0x00 ] 0
                            Physical
            Item(Local ): Usage, data= [ 0x00 0xff ] 65280
                            (null)
            Item(Global): Logical Minimum, data= [ 0x00 ] 0
            Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
            Item(Global): Report Size, data= [ 0x08 ] 8
            Item(Global): Report Count, data= [ 0x10 ] 16
            Item(Global): Report ID, data= [ 0x03 ] 3
            Item(Main  ): Feature, data= [ 0x02 ] 2
                            Data Variable Absolute No_Wrap Linear
                            Preferred_State No_Null_Position Non_Volatile Bitfield
            Item(Main  ): End Collection, data=none
            Item(Main  ): Collection, data= [ 0x00 ] 0
                            Physical
            Item(Local ): Usage, data= [ 0x00 0xff ] 65280
                            (null)
            Item(Global): Logical Minimum, data= [ 0x00 ] 0
            Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
            Item(Global): Report Size, data= [ 0x08 ] 8
            Item(Global): Report Count, data= [ 0x10 ] 16
            Item(Global): Report ID, data= [ 0x04 ] 4
            Item(Main  ): Feature, data= [ 0x02 ] 2
                            Data Variable Absolute No_Wrap Linear
                            Preferred_State No_Null_Position Non_Volatile Bitfield
            Item(Main  ): End Collection, data=none
            Item(Main  ): Collection, data= [ 0x00 ] 0
                            Physical
            Item(Local ): Usage, data= [ 0x00 0xff ] 65280
                            (null)
            Item(Global): Logical Minimum, data= [ 0x00 ] 0
            Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
            Item(Global): Report Size, data= [ 0x08 ] 8
            Item(Global): Report Count, data= [ 0x10 ] 16
            Item(Global): Report ID, data= [ 0x05 ] 5
            Item(Main  ): Feature, data= [ 0x02 ] 2
                            Data Variable Absolute No_Wrap Linear
                            Preferred_State No_Null_Position Non_Volatile Bitfield
            Item(Main  ): End Collection, data=none
            Item(Main  ): Collection, data= [ 0x00 ] 0
                            Physical
            Item(Local ): Usage, data= [ 0x00 0xff ] 65280
                            (null)
            Item(Global): Logical Minimum, data= [ 0x00 ] 0
            Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
            Item(Global): Report Size, data= [ 0x08 ] 8
            Item(Global): Report Count, data= [ 0x01 ] 1
            Item(Global): Report ID, data= [ 0x06 ] 6
            Item(Main  ): Feature, data= [ 0x02 ] 2
                            Data Variable Absolute No_Wrap Linear
                            Preferred_State No_Null_Position Non_Volatile Bitfield
            Item(Main  ): End Collection, data=none
            Item(Main  ): Collection, data= [ 0x00 ] 0
                            Physical
            Item(Local ): Usage, data= [ 0x00 0xff ] 65280
                            (null)
            Item(Global): Logical Minimum, data= [ 0x00 ] 0
            Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
            Item(Global): Report Size, data= [ 0x08 ] 8
            Item(Global): Report Count, data= [ 0x10 ] 16
            Item(Global): Report ID, data= [ 0x07 ] 7
            Item(Main  ): Feature, data= [ 0x04 ] 4
                            Data Array Relative No_Wrap Linear
                            Preferred_State No_Null_Position Non_Volatile Bitfield
            Item(Main  ): End Collection, data=none
            Item(Main  ): Collection, data= [ 0x00 ] 0
                            Physical
            Item(Local ): Usage, data= [ 0x00 0xff ] 65280
                            (null)
            Item(Global): Logical Minimum, data= [ 0x00 ] 0
            Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
            Item(Global): Report Size, data= [ 0x08 ] 8
            Item(Global): Report Count, data= [ 0x01 ] 1
            Item(Global): Report ID, data= [ 0x08 ] 8
            Item(Main  ): Feature, data= [ 0x04 ] 4
                            Data Array Relative No_Wrap Linear
                            Preferred_State No_Null_Position Non_Volatile Bitfield
            Item(Main  ): End Collection, data=none
            Item(Main  ): Collection, data= [ 0x00 ] 0
                            Physical
            Item(Local ): Usage, data= [ 0x00 0xff ] 65280
                            (null)
            Item(Global): Logical Minimum, data= [ 0x00 ] 0
            Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
            Item(Global): Report Size, data= [ 0x08 ] 8
            Item(Global): Report Count, data= [ 0x10 ] 16
            Item(Global): Report ID, data= [ 0x09 ] 9
            Item(Main  ): Feature, data= [ 0x04 ] 4
                            Data Array Relative No_Wrap Linear
                            Preferred_State No_Null_Position Non_Volatile Bitfield
            Item(Main  ): End Collection, data=none
            Item(Main  ): Collection, data= [ 0x00 ] 0
                            Physical
            Item(Local ): Usage, data= [ 0x00 0xff ] 65280
                            (null)
            Item(Global): Logical Minimum, data= [ 0x00 ] 0
            Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
            Item(Global): Report Size, data= [ 0x08 ] 8
            Item(Global): Report Count, data= [ 0x10 ] 16
            Item(Global): Report ID, data= [ 0x0a ] 10
            Item(Main  ): Feature, data= [ 0x04 ] 4
                            Data Array Relative No_Wrap Linear
                            Preferred_State No_Null_Position Non_Volatile Bitfield
            Item(Main  ): End Collection, data=none
            Item(Main  ): Collection, data= [ 0x00 ] 0
                            Physical
            Item(Local ): Usage, data= [ 0x00 0xff ] 65280
                            (null)
            Item(Global): Logical Minimum, data= [ 0x00 ] 0
            Item(Global): Logical Maximum, data= [ 0xff 0x00 ] 255
            Item(Global): Report Size, data= [ 0x08 ] 8
            Item(Global): Report Count, data= [ 0x10 ] 16
            Item(Global): Report ID, data= [ 0x0b ] 11
            Item(Main  ): Feature, data= [ 0x04 ] 4
                            Data Array Relative No_Wrap Linear
                            Preferred_State No_Null_Position Non_Volatile Bitfield
            Item(Main  ): End Collection, data=none
            Item(Main  ): End Collection, data=none
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes

    bInterval               1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               1
Device Qualifier (for other device speed):
  bLength                10
  bDescriptorType         6
  bcdUSB               2.00
  bDeviceClass            0
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  bNumConfigurations      1
can't get debug descriptor: Resource temporarily unavailable
Device Status:     0x0003
  Self Powered
  Remote Wakeup Enabled

^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH 5.4 17/78] HID: Fix slab-out-of-bounds read in hid_field_extract (Broken!)
  2020-02-07  8:11                 ` Enderborg, Peter
@ 2020-02-07 15:22                   ` Alan Stern
  2020-02-10 12:08                     ` [PATCH] HID: Extend report buffer size Peter Enderborg
  0 siblings, 1 reply; 113+ messages in thread
From: Alan Stern @ 2020-02-07 15:22 UTC (permalink / raw)
  To: Enderborg, Peter; +Cc: Jiri Kosina, Greg Kroah-Hartman, linux-kernel, stable

On Fri, 7 Feb 2020, Enderborg, Peter wrote:

> On 2/6/20 4:14 PM, Alan Stern wrote:

> > I guess you have to unbind the device from the usbhid driver first in
> > order for lsusb to get them.  Can you do that?
> >
> > Alan Stern
> >
> Im not sure exatly what you need to unbind. But I assume this is what you want:
> 
>  lsusb -v -d 0fd9:0060

Yes, that's it.  Most of the reports have:

>             Item(Global): Report Size, data= [ 0x08 ] 8
>             Item(Global): Report Count, data= [ 0x10 ] 16

which means they are 16 bytes long.  But one report has:

>             Item(Global): Report Size, data= [ 0x08 ] 8
>             Item(Global): Report Count, data= [ 0xfe 0x1f ] 8190

meaning it is 8190 bytes long (plus one byte for the report ID).  
Therefore setting the maximum buffer size to 8192 should allow this 
device to work properly, with no other changes needed.

Alan Stern


^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH] HID: Extend report buffer size
  2020-02-07 15:22                   ` Alan Stern
@ 2020-02-10 12:08                     ` Peter Enderborg
  2020-02-10 12:21                       ` Greg Kroah-Hartman
  2020-02-10 15:01                       ` Alan Stern
  0 siblings, 2 replies; 113+ messages in thread
From: Peter Enderborg @ 2020-02-10 12:08 UTC (permalink / raw)
  To: Jiri Kosina, Greg Kroah-Hartman, linux-kernel, stable, Alan Stern
  Cc: Peter Enderborg

In the patch "HID: Fix slab-out-of-bounds read in hid_field_extract"
there added a check for buffer overruns. This made Elgato StreamDeck
to fail. This patch extend the buffer to 8192 to solve this. It also
adds a print of the requested length if it fails on this test.

Signed-off-by: Peter Enderborg <peter.enderborg@sony.com>
---
 drivers/hid/hid-core.c | 2 +-
 include/linux/hid.h    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 851fe54ea59e..28841219b3d2 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -290,7 +290,7 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign
 
 	/* Total size check: Allow for possible report index byte */
 	if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) {
-		hid_err(parser->device, "report is too long\n");
+		hid_err(parser->device, "report is too long (%d)\n", report->size);
 		return -1;
 	}
 
diff --git a/include/linux/hid.h b/include/linux/hid.h
index cd41f209043f..875f71132b14 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -492,7 +492,7 @@ struct hid_report_enum {
 };
 
 #define HID_MIN_BUFFER_SIZE	64		/* make sure there is at least a packet size of space */
-#define HID_MAX_BUFFER_SIZE	4096		/* 4kb */
+#define HID_MAX_BUFFER_SIZE	8192		/* 8kb */
 #define HID_CONTROL_FIFO_SIZE	256		/* to init devices with >100 reports */
 #define HID_OUTPUT_FIFO_SIZE	64
 
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 113+ messages in thread

* Re: [PATCH] HID: Extend report buffer size
  2020-02-10 12:08                     ` [PATCH] HID: Extend report buffer size Peter Enderborg
@ 2020-02-10 12:21                       ` Greg Kroah-Hartman
  2020-02-10 12:40                         ` Peter Enderborg
  2020-02-10 15:01                       ` Alan Stern
  1 sibling, 1 reply; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-02-10 12:21 UTC (permalink / raw)
  To: Peter Enderborg; +Cc: Jiri Kosina, linux-kernel, stable, Alan Stern

On Mon, Feb 10, 2020 at 01:08:47PM +0100, Peter Enderborg wrote:
> In the patch "HID: Fix slab-out-of-bounds read in hid_field_extract"
> there added a check for buffer overruns. This made Elgato StreamDeck
> to fail. This patch extend the buffer to 8192 to solve this. It also
> adds a print of the requested length if it fails on this test.
> 
> Signed-off-by: Peter Enderborg <peter.enderborg@sony.com>

Can you add a "Fixes:" tag here pointing to the commit it fixes, as well
as a cc: stable as I'm pretty sure that the commit this fixes is also in
the stable trees already, right?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 113+ messages in thread

* [PATCH] HID: Extend report buffer size
  2020-02-10 12:21                       ` Greg Kroah-Hartman
@ 2020-02-10 12:40                         ` Peter Enderborg
  2020-02-10 13:43                           ` Greg Kroah-Hartman
  0 siblings, 1 reply; 113+ messages in thread
From: Peter Enderborg @ 2020-02-10 12:40 UTC (permalink / raw)
  To: Jiri Kosina, Greg Kroah-Hartman, linux-kernel, stable, Alan Stern
  Cc: Peter Enderborg

In the patch "HID: Fix slab-out-of-bounds read in hid_field_extract"
there added a check for buffer overruns. This made Elgato StreamDeck
to fail. This patch extend the buffer to 8192 to solve this. It also
adds a print of the requested length if it fails on this test.

Fixes: 8ec321e96e05 ("HID: Fix slab-out-of-bounds read in hid_field_extract")
Signed-off-by: Peter Enderborg <peter.enderborg@sony.com>
---
 drivers/hid/hid-core.c | 2 +-
 include/linux/hid.h    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 851fe54ea59e..28841219b3d2 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -290,7 +290,7 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign
 
 	/* Total size check: Allow for possible report index byte */
 	if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) {
-		hid_err(parser->device, "report is too long\n");
+		hid_err(parser->device, "report is too long (%d)\n", report->size);
 		return -1;
 	}
 
diff --git a/include/linux/hid.h b/include/linux/hid.h
index cd41f209043f..875f71132b14 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -492,7 +492,7 @@ struct hid_report_enum {
 };
 
 #define HID_MIN_BUFFER_SIZE	64		/* make sure there is at least a packet size of space */
-#define HID_MAX_BUFFER_SIZE	4096		/* 4kb */
+#define HID_MAX_BUFFER_SIZE	8192		/* 8kb */
 #define HID_CONTROL_FIFO_SIZE	256		/* to init devices with >100 reports */
 #define HID_OUTPUT_FIFO_SIZE	64
 
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 113+ messages in thread

* Re: [PATCH] HID: Extend report buffer size
  2020-02-10 12:40                         ` Peter Enderborg
@ 2020-02-10 13:43                           ` Greg Kroah-Hartman
  0 siblings, 0 replies; 113+ messages in thread
From: Greg Kroah-Hartman @ 2020-02-10 13:43 UTC (permalink / raw)
  To: Peter Enderborg; +Cc: Jiri Kosina, linux-kernel, stable, Alan Stern

On Mon, Feb 10, 2020 at 01:40:54PM +0100, Peter Enderborg wrote:
> In the patch "HID: Fix slab-out-of-bounds read in hid_field_extract"
> there added a check for buffer overruns. This made Elgato StreamDeck
> to fail. This patch extend the buffer to 8192 to solve this. It also
> adds a print of the requested length if it fails on this test.
> 
> Fixes: 8ec321e96e05 ("HID: Fix slab-out-of-bounds read in hid_field_extract")
> Signed-off-by: Peter Enderborg <peter.enderborg@sony.com>
> ---

<formletter>

This is not the correct way to submit patches for inclusion in the
stable kernel tree.  Please read:
    https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.

</formletter>

^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH] HID: Extend report buffer size
  2020-02-10 12:08                     ` [PATCH] HID: Extend report buffer size Peter Enderborg
  2020-02-10 12:21                       ` Greg Kroah-Hartman
@ 2020-02-10 15:01                       ` Alan Stern
  2020-02-11  8:35                         ` peter enderborg
  1 sibling, 1 reply; 113+ messages in thread
From: Alan Stern @ 2020-02-10 15:01 UTC (permalink / raw)
  To: Peter Enderborg
  Cc: Jiri Kosina, Johan Korsnes, Greg Kroah-Hartman,
	Kernel development list, stable

On Mon, 10 Feb 2020, Peter Enderborg wrote:

> In the patch "HID: Fix slab-out-of-bounds read in hid_field_extract"
> there added a check for buffer overruns. This made Elgato StreamDeck
> to fail. This patch extend the buffer to 8192 to solve this. It also
> adds a print of the requested length if it fails on this test.
> 
> Signed-off-by: Peter Enderborg <peter.enderborg@sony.com>
> ---
>  drivers/hid/hid-core.c | 2 +-
>  include/linux/hid.h    | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
> index 851fe54ea59e..28841219b3d2 100644
> --- a/drivers/hid/hid-core.c
> +++ b/drivers/hid/hid-core.c
> @@ -290,7 +290,7 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign
>  
>  	/* Total size check: Allow for possible report index byte */
>  	if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) {
> -		hid_err(parser->device, "report is too long\n");
> +		hid_err(parser->device, "report is too long (%d)\n", report->size);
>  		return -1;
>  	}
>  
> diff --git a/include/linux/hid.h b/include/linux/hid.h
> index cd41f209043f..875f71132b14 100644
> --- a/include/linux/hid.h
> +++ b/include/linux/hid.h
> @@ -492,7 +492,7 @@ struct hid_report_enum {
>  };
>  
>  #define HID_MIN_BUFFER_SIZE	64		/* make sure there is at least a packet size of space */
> -#define HID_MAX_BUFFER_SIZE	4096		/* 4kb */
> +#define HID_MAX_BUFFER_SIZE	8192		/* 8kb */
>  #define HID_CONTROL_FIFO_SIZE	256		/* to init devices with >100 reports */
>  #define HID_OUTPUT_FIFO_SIZE	64

The second part of this patch is identical to the "HID: core: increase
HID report buffer size to 8KiB" patch submitted by Johan Korsnes a few
weeks ago.  You might want to submit just the first part of your patch,
or not submit anything at all.

Alan Stern


^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH] HID: Extend report buffer size
  2020-02-10 15:01                       ` Alan Stern
@ 2020-02-11  8:35                         ` peter enderborg
  2020-02-11 14:54                           ` Alan Stern
  0 siblings, 1 reply; 113+ messages in thread
From: peter enderborg @ 2020-02-11  8:35 UTC (permalink / raw)
  To: Alan Stern, Johan Korsnes
  Cc: Jiri Kosina, Greg Kroah-Hartman, Kernel development list, stable

On 2/10/20 4:01 PM, Alan Stern wrote:
> On Mon, 10 Feb 2020, Peter Enderborg wrote:
>
>> In the patch "HID: Fix slab-out-of-bounds read in hid_field_extract"
>> there added a check for buffer overruns. This made Elgato StreamDeck
>> to fail. This patch extend the buffer to 8192 to solve this. It also
>> adds a print of the requested length if it fails on this test.
>>
>> Signed-off-by: Peter Enderborg <peter.enderborg@sony.com>
>> ---
>>  drivers/hid/hid-core.c | 2 +-
>>  include/linux/hid.h    | 2 +-
>>  2 files changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
>> index 851fe54ea59e..28841219b3d2 100644
>> --- a/drivers/hid/hid-core.c
>> +++ b/drivers/hid/hid-core.c
>> @@ -290,7 +290,7 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign
>>  
>>  	/* Total size check: Allow for possible report index byte */
>>  	if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) {
>> -		hid_err(parser->device, "report is too long\n");
>> +		hid_err(parser->device, "report is too long (%d)\n", report->size);
>>  		return -1;
>>  	}
>>  
>> diff --git a/include/linux/hid.h b/include/linux/hid.h
>> index cd41f209043f..875f71132b14 100644
>> --- a/include/linux/hid.h
>> +++ b/include/linux/hid.h
>> @@ -492,7 +492,7 @@ struct hid_report_enum {
>>  };
>>  
>>  #define HID_MIN_BUFFER_SIZE	64		/* make sure there is at least a packet size of space */
>> -#define HID_MAX_BUFFER_SIZE	4096		/* 4kb */
>> +#define HID_MAX_BUFFER_SIZE	8192		/* 8kb */
>>  #define HID_CONTROL_FIFO_SIZE	256		/* to init devices with >100 reports */
>>  #define HID_OUTPUT_FIFO_SIZE	64
> The second part of this patch is identical to the "HID: core: increase
> HID report buffer size to 8KiB" patch submitted by Johan Korsnes a few
> weeks ago.  You might want to submit just the first part of your patch,
> or not submit anything at all.
>
> Alan Stern
>
>
Korsnes patch is not in Torvalds tree nor is it requested for stable. How do we get it there?


^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH] HID: Extend report buffer size
  2020-02-11  8:35                         ` peter enderborg
@ 2020-02-11 14:54                           ` Alan Stern
  2020-02-11 15:01                             ` Jiri Kosina
  0 siblings, 1 reply; 113+ messages in thread
From: Alan Stern @ 2020-02-11 14:54 UTC (permalink / raw)
  To: peter enderborg
  Cc: Johan Korsnes, Jiri Kosina, Greg Kroah-Hartman,
	Kernel development list, stable

On Tue, 11 Feb 2020, peter enderborg wrote:

> On 2/10/20 4:01 PM, Alan Stern wrote:
> > On Mon, 10 Feb 2020, Peter Enderborg wrote:
> >
> >> In the patch "HID: Fix slab-out-of-bounds read in hid_field_extract"
> >> there added a check for buffer overruns. This made Elgato StreamDeck
> >> to fail. This patch extend the buffer to 8192 to solve this. It also
> >> adds a print of the requested length if it fails on this test.
> >>
> >> Signed-off-by: Peter Enderborg <peter.enderborg@sony.com>
> >> ---
> >>  drivers/hid/hid-core.c | 2 +-
> >>  include/linux/hid.h    | 2 +-
> >>  2 files changed, 2 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
> >> index 851fe54ea59e..28841219b3d2 100644
> >> --- a/drivers/hid/hid-core.c
> >> +++ b/drivers/hid/hid-core.c
> >> @@ -290,7 +290,7 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign
> >>  
> >>  	/* Total size check: Allow for possible report index byte */
> >>  	if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) {
> >> -		hid_err(parser->device, "report is too long\n");
> >> +		hid_err(parser->device, "report is too long (%d)\n", report->size);
> >>  		return -1;
> >>  	}
> >>  
> >> diff --git a/include/linux/hid.h b/include/linux/hid.h
> >> index cd41f209043f..875f71132b14 100644
> >> --- a/include/linux/hid.h
> >> +++ b/include/linux/hid.h
> >> @@ -492,7 +492,7 @@ struct hid_report_enum {
> >>  };
> >>  
> >>  #define HID_MIN_BUFFER_SIZE	64		/* make sure there is at least a packet size of space */
> >> -#define HID_MAX_BUFFER_SIZE	4096		/* 4kb */
> >> +#define HID_MAX_BUFFER_SIZE	8192		/* 8kb */
> >>  #define HID_CONTROL_FIFO_SIZE	256		/* to init devices with >100 reports */
> >>  #define HID_OUTPUT_FIFO_SIZE	64
> > The second part of this patch is identical to the "HID: core: increase
> > HID report buffer size to 8KiB" patch submitted by Johan Korsnes a few
> > weeks ago.  You might want to submit just the first part of your patch,
> > or not submit anything at all.
> >
> > Alan Stern
> >
> >
> Korsnes patch is not in Torvalds tree nor is it requested for stable. How do we get it there?

Bring the whole matter to Jiri's attention.  He is the person who will
take care of it.

Alan Stern


^ permalink raw reply	[flat|nested] 113+ messages in thread

* Re: [PATCH] HID: Extend report buffer size
  2020-02-11 14:54                           ` Alan Stern
@ 2020-02-11 15:01                             ` Jiri Kosina
  0 siblings, 0 replies; 113+ messages in thread
From: Jiri Kosina @ 2020-02-11 15:01 UTC (permalink / raw)
  To: Alan Stern
  Cc: peter enderborg, Johan Korsnes, Greg Kroah-Hartman,
	Kernel development list, stable

On Tue, 11 Feb 2020, Alan Stern wrote:

> > >> In the patch "HID: Fix slab-out-of-bounds read in hid_field_extract"
> > >> there added a check for buffer overruns. This made Elgato StreamDeck
> > >> to fail. This patch extend the buffer to 8192 to solve this. It also
> > >> adds a print of the requested length if it fails on this test.
> > >>
> > >> Signed-off-by: Peter Enderborg <peter.enderborg@sony.com>
> > >> ---
> > >>  drivers/hid/hid-core.c | 2 +-
> > >>  include/linux/hid.h    | 2 +-
> > >>  2 files changed, 2 insertions(+), 2 deletions(-)
> > >>
> > >> diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
> > >> index 851fe54ea59e..28841219b3d2 100644
> > >> --- a/drivers/hid/hid-core.c
> > >> +++ b/drivers/hid/hid-core.c
> > >> @@ -290,7 +290,7 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign
> > >>  
> > >>  	/* Total size check: Allow for possible report index byte */
> > >>  	if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) {
> > >> -		hid_err(parser->device, "report is too long\n");
> > >> +		hid_err(parser->device, "report is too long (%d)\n", report->size);
> > >>  		return -1;
> > >>  	}
> > >>  
> > >> diff --git a/include/linux/hid.h b/include/linux/hid.h
> > >> index cd41f209043f..875f71132b14 100644
> > >> --- a/include/linux/hid.h
> > >> +++ b/include/linux/hid.h
> > >> @@ -492,7 +492,7 @@ struct hid_report_enum {
> > >>  };
> > >>  
> > >>  #define HID_MIN_BUFFER_SIZE	64		/* make sure there is at least a packet size of space */
> > >> -#define HID_MAX_BUFFER_SIZE	4096		/* 4kb */
> > >> +#define HID_MAX_BUFFER_SIZE	8192		/* 8kb */
> > >>  #define HID_CONTROL_FIFO_SIZE	256		/* to init devices with >100 reports */
> > >>  #define HID_OUTPUT_FIFO_SIZE	64
> > > The second part of this patch is identical to the "HID: core: increase
> > > HID report buffer size to 8KiB" patch submitted by Johan Korsnes a few
> > > weeks ago.  You might want to submit just the first part of your patch,
> > > or not submit anything at all.
> > >
> > > Alan Stern
> > >
> > >
> > Korsnes patch is not in Torvalds tree nor is it requested for stable. How do we get it there?
> 
> Bring the whole matter to Jiri's attention.  He is the person who will
> take care of it.

I have been a bit swamped during past few days. Johan's patch is in my 
list of things to process either today or tomorrow.

Thanks,

-- 
Jiri Kosina
SUSE Labs


^ permalink raw reply	[flat|nested] 113+ messages in thread

end of thread, other threads:[~2020-02-11 15:01 UTC | newest]

Thread overview: 113+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-01-14 10:00 [PATCH 5.4 00/78] 5.4.12-stable review Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 01/78] chardev: Avoid potential use-after-free in chrdev_open() Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 02/78] i2c: fix bus recovery stop mode timing Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 03/78] powercap: intel_rapl: add NULL pointer check to rapl_mmio_cpu_online() Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 04/78] usb: chipidea: host: Disable port power only if previously enabled Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 05/78] ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5 Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 06/78] ALSA: hda/realtek - Add new codec supported for ALCS1200A Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 07/78] ALSA: hda/realtek - Set EAPD control to default for ALC222 Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 08/78] ALSA: hda/realtek - Add quirk for the bass speaker on Lenovo Yoga X1 7th gen Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 09/78] tpm: Revert "tpm_tis: reserve chip for duration of tpm_tis_core_init" Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 10/78] tpm: Revert "tpm_tis_core: Set TPM_CHIP_FLAG_IRQ before probing for interrupts" Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 11/78] tpm: Revert "tpm_tis_core: Turn on the TPM before probing IRQs" Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 12/78] tpm: Handle negative priv->response_len in tpm_common_read() Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 13/78] rtc: sun6i: Add support for RTC clocks on R40 Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 14/78] kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 15/78] tracing: Have stack tracer compile when MCOUNT_INSN_SIZE is not defined Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 16/78] tracing: Change offset type to s32 in preempt/irq tracepoints Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 17/78] HID: Fix slab-out-of-bounds read in hid_field_extract Greg Kroah-Hartman
2020-02-05  7:12   ` [PATCH 5.4 17/78] HID: Fix slab-out-of-bounds read in hid_field_extract (Broken!) peter enderborg
2020-02-05  9:32     ` Greg Kroah-Hartman
2020-02-05  9:49       ` Enderborg, Peter
2020-02-05  9:54         ` Jiri Kosina
2020-02-05 11:56           ` peter enderborg
2020-02-05 15:00           ` Alan Stern
2020-02-06  7:00             ` Enderborg, Peter
2020-02-06 15:14               ` Alan Stern
2020-02-07  8:11                 ` Enderborg, Peter
2020-02-07 15:22                   ` Alan Stern
2020-02-10 12:08                     ` [PATCH] HID: Extend report buffer size Peter Enderborg
2020-02-10 12:21                       ` Greg Kroah-Hartman
2020-02-10 12:40                         ` Peter Enderborg
2020-02-10 13:43                           ` Greg Kroah-Hartman
2020-02-10 15:01                       ` Alan Stern
2020-02-11  8:35                         ` peter enderborg
2020-02-11 14:54                           ` Alan Stern
2020-02-11 15:01                             ` Jiri Kosina
2020-01-14 10:00 ` [PATCH 5.4 18/78] HID: uhid: Fix returning EPOLLOUT from uhid_char_poll Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 19/78] HID: hidraw: Fix returning EPOLLOUT from hidraw_poll Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 20/78] HID: hid-input: clear unmapped usages Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 21/78] Input: add safety guards to input_set_keycode() Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 22/78] Input: input_event - fix struct padding on sparc64 Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 23/78] drm/i915: Add Wa_1408615072 and Wa_1407596294 to icl,ehl Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 24/78] drm/amdgpu: add DRIVER_SYNCOBJ_TIMELINE to amdgpu Greg Kroah-Hartman
2020-01-14 14:31   ` Deucher, Alexander
2020-01-14 14:39     ` Greg Kroah-Hartman
2020-01-14 10:00 ` [PATCH 5.4 25/78] Revert "drm/amdgpu: Set no-retry as default." Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 26/78] drm/sun4i: tcon: Set RGB DCLK min. divider based on hardware model Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 27/78] drm/fb-helper: Round up bits_per_pixel if possible Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 28/78] drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 29/78] drm/i915: Add Wa_1407352427:icl,ehl Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 30/78] drm/i915/gt: Mark up virtual engine uabi_instance Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 31/78] IB/hfi1: Adjust flow PSN with the correct resync_psn Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 32/78] can: kvaser_usb: fix interface sanity check Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 33/78] can: gs_usb: gs_usb_probe(): use descriptors of current altsetting Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 34/78] can: tcan4x5x: tcan4x5x_can_probe(): get the device out of standby before register access Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 35/78] can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 36/78] can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 37/78] gpiolib: acpi: Turn dmi_system_id table into a generic quirk table Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 38/78] gpiolib: acpi: Add honor_wakeup module-option + quirk mechanism Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 39/78] pstore/ram: Regularize prz label allocation lifetime Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 40/78] staging: vt6656: set usb_set_intfdata on driver fail Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 41/78] staging: vt6656: Fix non zero logical return of, usb_control_msg Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 42/78] usb: cdns3: should not use the same dev_id for shared interrupt handler Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 43/78] usb: ohci-da8xx: ensure error return on variable error is set Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 44/78] USB-PD tcpm: bad warning+size, PPS adapters Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 45/78] USB: serial: option: add ZLP support for 0x1bc7/0x9010 Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 46/78] usb: musb: fix idling for suspend after disconnect interrupt Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 47/78] usb: musb: Disable pullup at init Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 48/78] usb: musb: dma: Correct parameter passed to IRQ handler Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 49/78] staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 50/78] staging: vt6656: correct return of vnt_init_registers Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 51/78] staging: vt6656: limit reg output to block size Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 52/78] staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21 Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 53/78] serdev: Dont claim unsupported ACPI serial devices Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 54/78] iommu/vt-d: Fix adding non-PCI devices to Intel IOMMU Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 55/78] tty: link tty and port before configuring it as console Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 56/78] tty: always relink the port Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 57/78] arm64: Move __ARCH_WANT_SYS_CLONE3 definition to uapi headers Greg Kroah-Hartman
2020-01-14 10:01   ` Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 58/78] arm64: Implement copy_thread_tls Greg Kroah-Hartman
2020-01-14 10:01   ` Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 59/78] arm: " Greg Kroah-Hartman
2020-01-14 10:01   ` Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 60/78] parisc: " Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 61/78] riscv: " Greg Kroah-Hartman
2020-01-14 10:01   ` Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 62/78] xtensa: " Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 63/78] clone3: ensure copy_thread_tls is implemented Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 64/78] um: Implement copy_thread_tls Greg Kroah-Hartman
2020-01-14 10:01   ` Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 65/78] staging: vt6656: remove bool from vnt_radio_power_on ret Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 66/78] mwifiex: fix possible heap overflow in mwifiex_process_country_ie() Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 67/78] mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 68/78] rpmsg: char: release allocated memory Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 69/78] scsi: bfa: release allocated memory in case of error Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 70/78] rtl8xxxu: prevent leaking urb Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 71/78] ath10k: fix memory leak Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 72/78] HID: hiddev: fix mess in hiddev_open() Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 73/78] USB: Fix: Dont skip endpoint descriptors with maxpacket=0 Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 74/78] phy: cpcap-usb: Fix error path when no host driver is loaded Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 75/78] phy: cpcap-usb: Fix flakey host idling and enumerating of devices Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 76/78] netfilter: arp_tables: init netns pointer in xt_tgchk_param struct Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 77/78] netfilter: conntrack: dccp, sctp: handle null timeout argument Greg Kroah-Hartman
2020-01-14 10:01 ` [PATCH 5.4 78/78] netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present Greg Kroah-Hartman
2020-01-14 15:02 ` [PATCH 5.4 00/78] 5.4.12-stable review Jon Hunter
2020-01-14 15:02   ` Jon Hunter
2020-01-14 15:18   ` Greg Kroah-Hartman
2020-01-14 18:17 ` Guenter Roeck
2020-01-14 18:53   ` Greg Kroah-Hartman
2020-01-14 20:19 ` shuah
2020-01-14 21:55   ` Greg Kroah-Hartman
2020-01-15  2:09 ` Daniel Díaz
2020-01-15  8:12   ` Greg Kroah-Hartman

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.