From: Greg Kroah-Hartman Date: Tue, 10 Mar 2020 11:03:35 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.4.216~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=480a67966daf864b7f4315f01a36d325e32ae599;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: asoc-dapm-correct-dapm-handling-of-active-widgets-during-shutdown.patch asoc-pcm-fix-possible-buffer-overflow-in-dpcm-state-sysfs-output.patch asoc-pcm512x-fix-unbalanced-regulator-enable-call-in-probe-error-path.patch ib-hfi1-qib-ensure-rcu-is-locked-when-accessing-list.patch rdma-iwcm-fix-iwcm-work-deallocation.patch rmda-cm-fix-missing-ib_cm_destroy_id-in-ib_cm_insert_listen.patch
---
diff --git a/queue-4.14/asoc-dapm-correct-dapm-handling-of-active-widgets-during-shutdown.patch b/queue-4.14/asoc-dapm-correct-dapm-handling-of-active-widgets-during-shutdown.patch
new file mode 100644
index 00000000000..05ae3f46831
--- /dev/null
+++ b/queue-4.14/asoc-dapm-correct-dapm-handling-of-active-widgets-during-shutdown.patch
@@ -0,0 +1,43 @@
+From 9b3193089e77d3b59b045146ff1c770dd899acb1 Mon Sep 17 00:00:00 2001
+From: Charles Keepax
+Date: Fri, 28 Feb 2020 15:31:45 +0000
+Subject: ASoC: dapm: Correct DAPM handling of active widgets during shutdown
+
+From: Charles Keepax
+
+commit 9b3193089e77d3b59b045146ff1c770dd899acb1 upstream.
+
+commit c2caa4da46a4 ("ASoC: Fix widget powerdown on shutdown") added a
+set of the power state during snd_soc_dapm_shutdown to ensure the
+widgets powered off. However, when commit 39eb5fd13dff
+("ASoC: dapm: Delay w->power update until the changes are written")
+added the new_power member of the widget structure, to differentiate
+between the current power state and the target power state, it did not
+update the shutdown to use the new_power member.
+
+As new_power has not updated it will be left in the state set by the
+last DAPM sequence, ie. 1 for active widgets. So as the DAPM sequence
+for the shutdown proceeds it will turn the widgets on (despite them
+already being on) rather than turning them off.
+
+Fixes: 39eb5fd13dff ("ASoC: dapm: Delay w->power update until the changes are written")
+Signed-off-by: Charles Keepax
+Link: https://lore.kernel.org/r/20200228153145.21013-1-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/soc-dapm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -4481,7 +4481,7 @@ static void soc_dapm_shutdown_dapm(struc
+ continue;
+ if (w->power) {
+ dapm_seq_insert(w, &down_list, false);
+- w->power = 0;
++ w->new_power = 0;
+ powerdown = 1;
+ }
+ }
diff --git a/queue-4.14/asoc-pcm-fix-possible-buffer-overflow-in-dpcm-state-sysfs-output.patch b/queue-4.14/asoc-pcm-fix-possible-buffer-overflow-in-dpcm-state-sysfs-output.patch
new file mode 100644
index 00000000000..2a1ddb81353
--- /dev/null
+++ b/queue-4.14/asoc-pcm-fix-possible-buffer-overflow-in-dpcm-state-sysfs-output.patch
@@ -0,0 +1,84 @@
+From 6c89ffea60aa3b2a33ae7987de1e84bfb89e4c9e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 18 Feb 2020 12:17:37 +0100
+Subject: ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output
+
+From: Takashi Iwai
+
+commit 6c89ffea60aa3b2a33ae7987de1e84bfb89e4c9e upstream.
+
+dpcm_show_state() invokes multiple snprintf() calls to concatenate
+formatted strings on the fixed size buffer. The usage of snprintf()
+is supposed for avoiding the buffer overflow, but it doesn't work as
+expected because snprintf() doesn't return the actual output size but
+the size to be written.
+
+Fix this bug by replacing all snprintf() calls with scnprintf()
+calls.
+
+Fixes: f86dcef87b77 ("ASoC: dpcm: Add debugFS support for DPCM")
+Signed-off-by: Takashi Iwai
+Acked-by: Cezary Rojewski
+Link: https://lore.kernel.org/r/20200218111737.14193-4-tiwai@suse.de
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/soc-pcm.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/sound/soc/soc-pcm.c
++++ b/sound/soc/soc-pcm.c
+@@ -2957,16 +2957,16 @@ static ssize_t dpcm_show_state(struct sn
+ ssize_t offset = 0;
+
+ /* FE state */
+- offset += snprintf(buf + offset, size - offset,
++ offset += scnprintf(buf + offset, size - offset,
+ "[%s - %s]\n", fe->dai_link->name,
+ stream ?
"Capture" : "Playback");
+
+- offset += snprintf(buf + offset, size - offset, "State: %s\n",
++ offset += scnprintf(buf + offset, size - offset, "State: %s\n",
+ dpcm_state_string(fe->dpcm[stream].state));
+
+ if ((fe->dpcm[stream].state >= SND_SOC_DPCM_STATE_HW_PARAMS) &&
+ (fe->dpcm[stream].state <= SND_SOC_DPCM_STATE_STOP))
+- offset += snprintf(buf + offset, size - offset,
++ offset += scnprintf(buf + offset, size - offset,
+ "Hardware Params: "
+ "Format = %s, Channels = %d, Rate = %d\n",
+ snd_pcm_format_name(params_format(params)),
+@@ -2974,10 +2974,10 @@ static ssize_t dpcm_show_state(struct sn
+ params_rate(params));
+
+ /* BEs state */
+- offset += snprintf(buf + offset, size - offset, "Backends:\n");
++ offset += scnprintf(buf + offset, size - offset, "Backends:\n");
+
+ if (list_empty(&fe->dpcm[stream].be_clients)) {
+- offset += snprintf(buf + offset, size - offset,
++ offset += scnprintf(buf + offset, size - offset,
+ " No active DSP links\n");
+ goto out;
+ }
+@@ -2986,16 +2986,16 @@ static ssize_t dpcm_show_state(struct sn
+ struct snd_soc_pcm_runtime *be = dpcm->be;
+ params = &dpcm->hw_params;
+
+- offset += snprintf(buf + offset, size - offset,
++ offset += scnprintf(buf + offset, size - offset,
+ "- %s\n", be->dai_link->name);
+
+- offset += snprintf(buf + offset, size - offset,
++ offset += scnprintf(buf + offset, size - offset,
+ " State: %s\n",
+ dpcm_state_string(be->dpcm[stream].state));
+
+ if ((be->dpcm[stream].state >= SND_SOC_DPCM_STATE_HW_PARAMS) &&
+ (be->dpcm[stream].state <= SND_SOC_DPCM_STATE_STOP))
+- offset += snprintf(buf + offset, size - offset,
++ offset += scnprintf(buf + offset, size - offset,
+ " Hardware Params: "
+ "Format = %s, Channels = %d, Rate = %d\n",
+ snd_pcm_format_name(params_format(params)),
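Review bot: Nothing in `dpcm_show_state()` records why `scnprintf()` is required, so a later cleanup could switch the calls back; a one-line comment above the first call would pin it, e.g. `/* scnprintf(): returns bytes stored, so offset never passes size */`. With `snprintf()` a truncated write could push `offset` past `size`, and `size - offset` would then reach the next call as a very large length (the type of `size` is outside the hunks, so that conversion is inferred). After this change an oversized report is cut short without any marker; whether the buffer the caller passes is big enough for a front end with many back ends cannot be checked here, because the function begins and ends outside the three hunks.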
diff --git a/queue-4.14/asoc-pcm512x-fix-unbalanced-regulator-enable-call-in-probe-error-path.patch b/queue-4.14/asoc-pcm512x-fix-unbalanced-regulator-enable-call-in-probe-error-path.patch
new file mode 100644
index 00000000000..f75e535e72f
--- /dev/null
+++ b/queue-4.14/asoc-pcm512x-fix-unbalanced-regulator-enable-call-in-probe-error-path.patch
@@ -0,0 +1,47 @@
+From ac0a68997935c4acb92eaae5ad8982e0bb432d56 Mon Sep 17 00:00:00 2001
+From: Matthias Reichl
+Date: Thu, 20 Feb 2020 21:29:56 +0100
+Subject: ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path
+
+From: Matthias Reichl
+
+commit ac0a68997935c4acb92eaae5ad8982e0bb432d56 upstream.
+
+When we get a clock error during probe we have to call
+regulator_bulk_disable before bailing out, otherwise we trigger
+a warning in regulator_put.
+
+Fix this by using "goto err" like in the error cases above.
+
+Fixes: 5a3af1293194d ("ASoC: pcm512x: Add PCM512x driver")
+Signed-off-by: Matthias Reichl
+Reviewed-by: Pierre-Louis Bossart
+Link: https://lore.kernel.org/r/20200220202956.29233-1-hias@horus.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/codecs/pcm512x.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/sound/soc/codecs/pcm512x.c
++++ b/sound/soc/codecs/pcm512x.c
+@@ -1438,13 +1438,15 @@ int pcm512x_probe(struct device *dev, st
+ }
+
+ pcm512x->sclk = devm_clk_get(dev, NULL);
+- if (PTR_ERR(pcm512x->sclk) == -EPROBE_DEFER)
+- return -EPROBE_DEFER;
++ if (PTR_ERR(pcm512x->sclk) == -EPROBE_DEFER) {
++ ret = -EPROBE_DEFER;
++ goto err;
++ }
+ if (!IS_ERR(pcm512x->sclk)) {
+ ret = clk_prepare_enable(pcm512x->sclk);
+ if (ret != 0) {
+ dev_err(dev, "Failed to enable SCLK: %d\n", ret);
+- return ret;
++ goto err;
+ }
+ }
+
diff --git a/queue-4.14/ib-hfi1-qib-ensure-rcu-is-locked-when-accessing-list.patch b/queue-4.14/ib-hfi1-qib-ensure-rcu-is-locked-when-accessing-list.patch
new file mode 100644
index 00000000000..bcbea4e4c20
--- /dev/null
+++ b/queue-4.14/ib-hfi1-qib-ensure-rcu-is-locked-when-accessing-list.patch 
@@ -0,0 +1,66 @@
+From 817a68a6584aa08e323c64283fec5ded7be84759 Mon Sep 17 00:00:00 2001
+From: Dennis Dalessandro
+Date: Tue, 25 Feb 2020 14:54:45 -0500
+Subject: IB/hfi1, qib: Ensure RCU is locked when accessing list
+
+From: Dennis Dalessandro
+
+commit 817a68a6584aa08e323c64283fec5ded7be84759 upstream.
+
+The packet handling function, specifically the iteration of the qp list
+for mad packet processing misses locking RCU before running through the
+list. Not only is this incorrect, but the list_for_each_entry_rcu() call
+can not be called with a conditional check for lock dependency. Remedy
+this by invoking the rcu lock and unlock around the critical section.
+
+This brings MAD packet processing in line with what is done for non-MAD
+packets.
+
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Link: https://lore.kernel.org/r/20200225195445.140896.41873.stgit@awfm-01.aw.intel.com
+Reviewed-by: Mike Marciniszyn
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/hfi1/verbs.c | 4 +++-
+ drivers/infiniband/hw/qib/qib_verbs.c | 2 ++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/hfi1/verbs.c
++++ b/drivers/infiniband/hw/hfi1/verbs.c
+@@ -593,10 +593,11 @@ static inline void hfi1_handle_packet(st
+ opa_get_lid(packet->dlid, 9B));
+ if (!mcast)
+ goto drop;
++ rcu_read_lock();
+ list_for_each_entry_rcu(p, &mcast->qp_list, list) {
+ packet->qp = p->qp;
+ if (hfi1_do_pkey_check(packet))
+- goto drop;
++ goto unlock_drop;
+ spin_lock_irqsave(&packet->qp->r_lock, flags);
+ packet_handler = qp_ok(packet);
+ if (likely(packet_handler))
+@@ -605,6 +606,7 @@ static inline void hfi1_handle_packet(st
+ ibp->rvp.n_pkt_drops++;
+ spin_unlock_irqrestore(&packet->qp->r_lock, flags);
+ }
++ rcu_read_unlock();
+ /*
+ * Notify rvt_multicast_detach() if it is waiting for us
+ * to finish.
+--- a/drivers/infiniband/hw/qib/qib_verbs.c
++++ b/drivers/infiniband/hw/qib/qib_verbs.c
+@@ -360,8 +360,10 @@ void qib_ib_rcv(struct qib_ctxtdata *rcd
+ if (mcast == NULL)
+ goto drop;
+ this_cpu_inc(ibp->pmastats->n_multicast_rcv);
++ rcu_read_lock();
+ list_for_each_entry_rcu(p, &mcast->qp_list, list)
+ qib_qp_rcv(rcd, hdr, 1, data, tlen, p->qp);
++ rcu_read_unlock();
+ /*
+ * Notify rvt_multicast_detach() if it is waiting for us
+ * to finish.
diff --git a/queue-4.14/rdma-iwcm-fix-iwcm-work-deallocation.patch b/queue-4.14/rdma-iwcm-fix-iwcm-work-deallocation.patch
new file mode 100644
index 00000000000..689bd522c50
--- /dev/null
+++ b/queue-4.14/rdma-iwcm-fix-iwcm-work-deallocation.patch
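Review bot: In `hfi1_handle_packet()` the `goto unlock_drop` inside the `list_for_each_entry_rcu()` loop leaves the function without reaching the "Notify rvt_multicast_detach()" step after the loop. If that step releases a reference taken by the multicast lookup (it lies outside the hunk, so this is inferred), a failed pkey check keeps the reference and a waiting detach is never woken; the replaced `goto drop` had the same gap, so it predates the patch. One way to close it, assuming the `drop` label only bumps the counter, is `{ ibp->rvp.n_pkt_drops++; break; }` so the unlock and notify after the loop still run. The `unlock_drop` label is also outside the hunk; confirm the 4.14 function has it and that it calls `rcu_read_unlock()`.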
@@ -0,0 +1,41 @@
+From 810dbc69087b08fd53e1cdd6c709f385bc2921ad Mon Sep 17 00:00:00 2001
+From: Bernard Metzler
+Date: Mon, 2 Mar 2020 19:16:14 +0100
+Subject: RDMA/iwcm: Fix iwcm work deallocation
+
+From: Bernard Metzler
+
+commit 810dbc69087b08fd53e1cdd6c709f385bc2921ad upstream.
+
+The dealloc_work_entries() function must update the work_free_list pointer
+while freeing its entries, since potentially called again on same list. A
+second iteration of the work list caused system crash. This happens, if
+work allocation fails during cma_iw_listen() and free_cm_id() tries to
+free the list again during cleanup.
+
+Fixes: 922a8e9fb2e0 ("RDMA: iWARP Connection Manager.")
+Link: https://lore.kernel.org/r/20200302181614.17042-1-bmt@zurich.ibm.com
+Reported-by: syzbot+cb0c054eabfba4342146@syzkaller.appspotmail.com
+Signed-off-by: Bernard Metzler
+Reviewed-by: Jason Gunthorpe
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/iwcm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/iwcm.c
++++ b/drivers/infiniband/core/iwcm.c
+@@ -158,8 +158,10 @@ static void dealloc_work_entries(struct
+ {
+ struct list_head *e, *tmp;
+
+- list_for_each_safe(e, tmp, &cm_id_priv->work_free_list)
++ list_for_each_safe(e, tmp, &cm_id_priv->work_free_list) {
++ list_del(e);
+ kfree(list_entry(e, struct iwcm_work, free_list));
++ }
+ }
+
+ static int alloc_work_entries(struct iwcm_id_private *cm_id_priv, int count)
diff --git a/queue-4.14/rmda-cm-fix-missing-ib_cm_destroy_id-in-ib_cm_insert_listen.patch b/queue-4.14/rmda-cm-fix-missing-ib_cm_destroy_id-in-ib_cm_insert_listen.patch
new file mode 100644
index 00000000000..282915612c2
--- /dev/null
+++ b/queue-4.14/rmda-cm-fix-missing-ib_cm_destroy_id-in-ib_cm_insert_listen.patch
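Review bot: `dealloc_work_entries()` is safe to call a second time only because the added `list_del(e)` leaves `work_free_list` empty after the first pass, and nothing in the function says so. A short comment on the loop would protect that, e.g. `/* may run again on the same list: unlink each entry before freeing it */`. The walk takes no lock in the visible lines; whether the two callers named in the description, the allocation-failure path and `free_cm_id()`, can ever overlap cannot be told from this hunk and is worth confirming.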
@@ -0,0 +1,32 @@
+From c14dfddbd869bf0c2bafb7ef260c41d9cebbcfec Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe
+Date: Fri, 21 Feb 2020 15:20:26 +0000
+Subject: RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen()
+
+From: Jason Gunthorpe
+
+commit c14dfddbd869bf0c2bafb7ef260c41d9cebbcfec upstream.
+
+The algorithm pre-allocates a cm_id since allocation cannot be done while
+holding the cm.lock spinlock, however it doesn't free it on one error
+path, leading to a memory leak.
+
+Fixes: 067b171b8679 ("IB/cm: Share listening CM IDs")
+Link: https://lore.kernel.org/r/20200221152023.GA8680@ziepe.ca
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/cm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/core/cm.c
++++ b/drivers/infiniband/core/cm.c
+@@ -1143,6 +1143,7 @@ struct ib_cm_id *ib_cm_insert_listen(str
+ /* Sharing an ib_cm_id with different handlers is not
+ * supported */
+ spin_unlock_irqrestore(&cm.lock, flags);
++ ib_destroy_cm_id(cm_id);
+ return ERR_PTR(-EINVAL);
+ }
+ atomic_inc(&cm_id_priv->refcount);
diff --git a/queue-4.14/series b/queue-4.14/series
index f1c603f841a..eb97fc88e4d 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -111,3 +111,9 @@ arm-dts-ls1021a-restore-mdio-compatible-to-gianfar.patch
 asoc-topology-fix-memleak-in-soc_tplg_link_elems_load.patch
 asoc-intel-skl-fix-pin-debug-prints.patch
 asoc-intel-skl-fix-possible-buffer-overflow-in-debug-outputs.patch
+asoc-pcm-fix-possible-buffer-overflow-in-dpcm-state-sysfs-output.patch
+asoc-pcm512x-fix-unbalanced-regulator-enable-call-in-probe-error-path.patch
+asoc-dapm-correct-dapm-handling-of-active-widgets-during-shutdown.patch
+rdma-iwcm-fix-iwcm-work-deallocation.patch
+rmda-cm-fix-missing-ib_cm_destroy_id-in-ib_cm_insert_listen.patch
+ib-hfi1-qib-ensure-rcu-is-locked-when-accessing-list.patch
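Review bot: In `ib_cm_insert_listen()` the position of the added `ib_destroy_cm_id(cm_id)` after `spin_unlock_irqrestore(&cm.lock, flags)` carries meaning that the code does not record; the description says allocation cannot happen under `cm.lock`, and the release presumably has the same constraint. A comment on the new line would keep a later reorder from moving it inside the locked region, e.g. `/* drop the pre-allocated cm_id; only after cm.lock is released */`. The function continues outside the hunk, so whether any other return after the pre-allocation also needs this call cannot be checked from here.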