From: Greg Kroah-Hartman Date: Tue, 10 Mar 2020 11:02:53 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.4.216~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=155d0095037c74adf2605e70ae2deac4e998049d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: asoc-dapm-correct-dapm-handling-of-active-widgets-during-shutdown.patch asoc-pcm-fix-possible-buffer-overflow-in-dpcm-state-sysfs-output.patch asoc-pcm512x-fix-unbalanced-regulator-enable-call-in-probe-error-path.patch rdma-iwcm-fix-iwcm-work-deallocation.patch rmda-cm-fix-missing-ib_cm_destroy_id-in-ib_cm_insert_listen.patch --- diff --git a/queue-4.4/asoc-dapm-correct-dapm-handling-of-active-widgets-during-shutdown.patch b/queue-4.4/asoc-dapm-correct-dapm-handling-of-active-widgets-during-shutdown.patch new file mode 100644 index 00000000000..df0b35fe994 --- /dev/null +++ b/queue-4.4/asoc-dapm-correct-dapm-handling-of-active-widgets-during-shutdown.patch @@ -0,0 +1,43 @@ +From 9b3193089e77d3b59b045146ff1c770dd899acb1 Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Fri, 28 Feb 2020 15:31:45 +0000 +Subject: ASoC: dapm: Correct DAPM handling of active widgets during shutdown + +From: Charles Keepax + +commit 9b3193089e77d3b59b045146ff1c770dd899acb1 upstream. + +commit c2caa4da46a4 ("ASoC: Fix widget powerdown on shutdown") added a +set of the power state during snd_soc_dapm_shutdown to ensure the +widgets powered off. However, when commit 39eb5fd13dff +("ASoC: dapm: Delay w->power update until the changes are written") +added the new_power member of the widget structure, to differentiate +between the current power state and the target power state, it did not +update the shutdown to use the new_power member. + +As new_power has not updated it will be left in the state set by the +last DAPM sequence, ie. 1 for active widgets. So as the DAPM sequence +for the shutdown proceeds it will turn the widgets on (despite them +already being on) rather than turning them off. + +Fixes: 39eb5fd13dff ("ASoC: dapm: Delay w->power update until the changes are written") +Signed-off-by: Charles Keepax +Link: https://lore.kernel.org/r/20200228153145.21013-1-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/soc-dapm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -4317,7 +4317,7 @@ static void soc_dapm_shutdown_dapm(struc + continue; + if (w->power) { + dapm_seq_insert(w, &down_list, false); +- w->power = 0; ++ w->new_power = 0; + powerdown = 1; + } + } diff --git a/queue-4.4/asoc-pcm-fix-possible-buffer-overflow-in-dpcm-state-sysfs-output.patch b/queue-4.4/asoc-pcm-fix-possible-buffer-overflow-in-dpcm-state-sysfs-output.patch new file mode 100644 index 00000000000..c3c9c2ab10d --- /dev/null +++ b/queue-4.4/asoc-pcm-fix-possible-buffer-overflow-in-dpcm-state-sysfs-output.patch @@ -0,0 +1,84 @@ +From 6c89ffea60aa3b2a33ae7987de1e84bfb89e4c9e Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 18 Feb 2020 12:17:37 +0100 +Subject: ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output + +From: Takashi Iwai + +commit 6c89ffea60aa3b2a33ae7987de1e84bfb89e4c9e upstream. + +dpcm_show_state() invokes multiple snprintf() calls to concatenate +formatted strings on the fixed size buffer. The usage of snprintf() +is supposed for avoiding the buffer overflow, but it doesn't work as +expected because snprintf() doesn't return the actual output size but +the size to be written. + +Fix this bug by replacing all snprintf() calls with scnprintf() +calls. + +Fixes: f86dcef87b77 ("ASoC: dpcm: Add debugFS support for DPCM") +Signed-off-by: Takashi Iwai +Acked-by: Cezary Rojewski +Link: https://lore.kernel.org/r/20200218111737.14193-4-tiwai@suse.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/soc-pcm.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/sound/soc/soc-pcm.c ++++ b/sound/soc/soc-pcm.c +@@ -2866,16 +2866,16 @@ static ssize_t dpcm_show_state(struct sn + ssize_t offset = 0; + + /* FE state */ +- offset += snprintf(buf + offset, size - offset, ++ offset += scnprintf(buf + offset, size - offset, + "[%s - %s]\n", fe->dai_link->name, + stream ? "Capture" : "Playback"); + +- offset += snprintf(buf + offset, size - offset, "State: %s\n", ++ offset += scnprintf(buf + offset, size - offset, "State: %s\n", + dpcm_state_string(fe->dpcm[stream].state)); + + if ((fe->dpcm[stream].state >= SND_SOC_DPCM_STATE_HW_PARAMS) && + (fe->dpcm[stream].state <= SND_SOC_DPCM_STATE_STOP)) +- offset += snprintf(buf + offset, size - offset, ++ offset += scnprintf(buf + offset, size - offset, + "Hardware Params: " + "Format = %s, Channels = %d, Rate = %d\n", + snd_pcm_format_name(params_format(params)), +@@ -2883,10 +2883,10 @@ static ssize_t dpcm_show_state(struct sn + params_rate(params)); + + /* BEs state */ +- offset += snprintf(buf + offset, size - offset, "Backends:\n"); ++ offset += scnprintf(buf + offset, size - offset, "Backends:\n"); + + if (list_empty(&fe->dpcm[stream].be_clients)) { +- offset += snprintf(buf + offset, size - offset, ++ offset += scnprintf(buf + offset, size - offset, + " No active DSP links\n"); + goto out; + } +@@ -2895,16 +2895,16 @@ static ssize_t dpcm_show_state(struct sn + struct snd_soc_pcm_runtime *be = dpcm->be; + params = &dpcm->hw_params; + +- offset += snprintf(buf + offset, size - offset, ++ offset += scnprintf(buf + offset, size - offset, + "- %s\n", be->dai_link->name); + +- offset += snprintf(buf + offset, size - offset, ++ offset += scnprintf(buf + offset, size - offset, + " State: %s\n", + dpcm_state_string(be->dpcm[stream].state)); + + if ((be->dpcm[stream].state >= SND_SOC_DPCM_STATE_HW_PARAMS) && + (be->dpcm[stream].state <= SND_SOC_DPCM_STATE_STOP)) +- offset += snprintf(buf + offset, size - offset, ++ offset += scnprintf(buf + offset, size - offset, + " Hardware Params: " + "Format = %s, Channels = %d, Rate = %d\n", + snd_pcm_format_name(params_format(params)), diff --git a/queue-4.4/asoc-pcm512x-fix-unbalanced-regulator-enable-call-in-probe-error-path.patch b/queue-4.4/asoc-pcm512x-fix-unbalanced-regulator-enable-call-in-probe-error-path.patch new file mode 100644 index 00000000000..99f269f169f --- /dev/null +++ b/queue-4.4/asoc-pcm512x-fix-unbalanced-regulator-enable-call-in-probe-error-path.patch @@ -0,0 +1,47 @@ +From ac0a68997935c4acb92eaae5ad8982e0bb432d56 Mon Sep 17 00:00:00 2001 +From: Matthias Reichl +Date: Thu, 20 Feb 2020 21:29:56 +0100 +Subject: ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path + +From: Matthias Reichl + +commit ac0a68997935c4acb92eaae5ad8982e0bb432d56 upstream. + +When we get a clock error during probe we have to call +regulator_bulk_disable before bailing out, otherwise we trigger +a warning in regulator_put. + +Fix this by using "goto err" like in the error cases above. + +Fixes: 5a3af1293194d ("ASoC: pcm512x: Add PCM512x driver") +Signed-off-by: Matthias Reichl +Reviewed-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20200220202956.29233-1-hias@horus.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/pcm512x.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/sound/soc/codecs/pcm512x.c ++++ b/sound/soc/codecs/pcm512x.c +@@ -1439,13 +1439,15 @@ int pcm512x_probe(struct device *dev, st + } + + pcm512x->sclk = devm_clk_get(dev, NULL); +- if (PTR_ERR(pcm512x->sclk) == -EPROBE_DEFER) +- return -EPROBE_DEFER; ++ if (PTR_ERR(pcm512x->sclk) == -EPROBE_DEFER) { ++ ret = -EPROBE_DEFER; ++ goto err; ++ } + if (!IS_ERR(pcm512x->sclk)) { + ret = clk_prepare_enable(pcm512x->sclk); + if (ret != 0) { + dev_err(dev, "Failed to enable SCLK: %d\n", ret); +- return ret; ++ goto err; + } + } + diff --git a/queue-4.4/rdma-iwcm-fix-iwcm-work-deallocation.patch b/queue-4.4/rdma-iwcm-fix-iwcm-work-deallocation.patch new file mode 100644 index 00000000000..7e7ccc6455b --- /dev/null +++ b/queue-4.4/rdma-iwcm-fix-iwcm-work-deallocation.patch @@ -0,0 +1,41 @@ +From 810dbc69087b08fd53e1cdd6c709f385bc2921ad Mon Sep 17 00:00:00 2001 +From: Bernard Metzler +Date: Mon, 2 Mar 2020 19:16:14 +0100 +Subject: RDMA/iwcm: Fix iwcm work deallocation + +From: Bernard Metzler + +commit 810dbc69087b08fd53e1cdd6c709f385bc2921ad upstream. + +The dealloc_work_entries() function must update the work_free_list pointer +while freeing its entries, since potentially called again on same list. A +second iteration of the work list caused system crash. This happens, if +work allocation fails during cma_iw_listen() and free_cm_id() tries to +free the list again during cleanup. + +Fixes: 922a8e9fb2e0 ("RDMA: iWARP Connection Manager.") +Link: https://lore.kernel.org/r/20200302181614.17042-1-bmt@zurich.ibm.com +Reported-by: syzbot+cb0c054eabfba4342146@syzkaller.appspotmail.com +Signed-off-by: Bernard Metzler +Reviewed-by: Jason Gunthorpe +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/iwcm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/core/iwcm.c ++++ b/drivers/infiniband/core/iwcm.c +@@ -125,8 +125,10 @@ static void dealloc_work_entries(struct + { + struct list_head *e, *tmp; + +- list_for_each_safe(e, tmp, &cm_id_priv->work_free_list) ++ list_for_each_safe(e, tmp, &cm_id_priv->work_free_list) { ++ list_del(e); + kfree(list_entry(e, struct iwcm_work, free_list)); ++ } + } + + static int alloc_work_entries(struct iwcm_id_private *cm_id_priv, int count) diff --git a/queue-4.4/rmda-cm-fix-missing-ib_cm_destroy_id-in-ib_cm_insert_listen.patch b/queue-4.4/rmda-cm-fix-missing-ib_cm_destroy_id-in-ib_cm_insert_listen.patch new file mode 100644 index 00000000000..f94e5060278 --- /dev/null +++ b/queue-4.4/rmda-cm-fix-missing-ib_cm_destroy_id-in-ib_cm_insert_listen.patch @@ -0,0 +1,32 @@ +From c14dfddbd869bf0c2bafb7ef260c41d9cebbcfec Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Fri, 21 Feb 2020 15:20:26 +0000 +Subject: RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen() + +From: Jason Gunthorpe + +commit c14dfddbd869bf0c2bafb7ef260c41d9cebbcfec upstream. + +The algorithm pre-allocates a cm_id since allocation cannot be done while +holding the cm.lock spinlock, however it doesn't free it on one error +path, leading to a memory leak. + +Fixes: 067b171b8679 ("IB/cm: Share listening CM IDs") +Link: https://lore.kernel.org/r/20200221152023.GA8680@ziepe.ca +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/cm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/infiniband/core/cm.c ++++ b/drivers/infiniband/core/cm.c +@@ -1073,6 +1073,7 @@ struct ib_cm_id *ib_cm_insert_listen(str + /* Sharing an ib_cm_id with different handlers is not + * supported */ + spin_unlock_irqrestore(&cm.lock, flags); ++ ib_destroy_cm_id(cm_id); + return ERR_PTR(-EINVAL); + } + atomic_inc(&cm_id_priv->refcount); diff --git a/queue-4.4/series b/queue-4.4/series index 428d5659782..c4099a01a89 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -59,3 +59,8 @@ vt-selection-push-console-lock-down.patch vt-selection-push-sel_lock-up.patch dmaengine-tegra-apb-fix-use-after-free.patch dmaengine-tegra-apb-prevent-race-conditions-of-tasklet-vs-free-list.patch +asoc-pcm-fix-possible-buffer-overflow-in-dpcm-state-sysfs-output.patch +asoc-pcm512x-fix-unbalanced-regulator-enable-call-in-probe-error-path.patch +asoc-dapm-correct-dapm-handling-of-active-widgets-during-shutdown.patch +rdma-iwcm-fix-iwcm-work-deallocation.patch +rmda-cm-fix-missing-ib_cm_destroy_id-in-ib_cm_insert_listen.patch