From: Greg Kroah-Hartman Date: Tue, 8 Sep 2020 12:58:00 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.14.197~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=662fcda4082db742a1194695aa567c1753082cb6;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: affs-fix-basic-permission-bits-to-actually-work.patch alsa-ca0106-fix-error-code-handling.patch alsa-firewire-digi00x-exclude-avid-adrenaline-from-detection.patch alsa-hda-fix-silent-audio-output-and-corrupted-input-on-msi-x570-a-pro.patch alsa-hda-hdmi-always-check-pin-power-status-in-i915-pin-fixup.patch alsa-pcm-oss-remove-superfluous-warn_on-for-mulaw-sanity-check.patch block-allow-for_each_bvec-to-support-zero-len-bvec.patch dm-cache-metadata-avoid-returning-cmd-bm-wild-pointer-on-error.patch dm-thin-metadata-avoid-returning-cmd-bm-wild-pointer-on-error.patch dm-writecache-handle-dax-to-partitions-on-persistent-memory-correctly.patch libata-implement-ata_horkage_max_trim_128m-and-apply-to-sandisks.patch media-rc-do-not-access-device-via-sysfs-after-rc_unregister_device.patch media-rc-uevent-sysfs-file-races-with-rc_unregister_device.patch mm-slub-fix-conversion-of-freelist_corrupted.patch --- diff --git a/queue-4.19/affs-fix-basic-permission-bits-to-actually-work.patch b/queue-4.19/affs-fix-basic-permission-bits-to-actually-work.patch new file mode 100644 index 00000000000..af37da416cc --- /dev/null +++ b/queue-4.19/affs-fix-basic-permission-bits-to-actually-work.patch @@ -0,0 +1,171 @@ +From d3a84a8d0dde4e26bc084b36ffcbdc5932ac85e2 Mon Sep 17 00:00:00 2001 +From: Max Staudt +Date: Thu, 27 Aug 2020 17:49:00 +0200 +Subject: affs: fix basic permission bits to actually work + +From: Max Staudt + +commit d3a84a8d0dde4e26bc084b36ffcbdc5932ac85e2 upstream. + +The basic permission bits (protection bits in AmigaOS) have been broken +in Linux' AFFS - it would only set bits, but never delete them. +Also, contrary to the documentation, the Archived bit was not handled. + +Let's fix this for good, and set the bits such that Linux and classic +AmigaOS can coexist in the most peaceful manner. + +Also, update the documentation to represent the current state of things. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Max Staudt +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/filesystems/affs.txt | 16 ++++++++++------ + fs/affs/amigaffs.c | 27 +++++++++++++++++++++++++++ + fs/affs/file.c | 26 +++++++++++++++++++++++++- + 3 files changed, 62 insertions(+), 7 deletions(-) + +--- a/Documentation/filesystems/affs.txt ++++ b/Documentation/filesystems/affs.txt +@@ -93,13 +93,15 @@ The Amiga protection flags RWEDRWEDHSPAR + + - R maps to r for user, group and others. On directories, R implies x. + +- - If both W and D are allowed, w will be set. ++ - W maps to w. + + - E maps to x. + +- - H and P are always retained and ignored under Linux. ++ - D is ignored. + +- - A is always reset when a file is written to. ++ - H, S and P are always retained and ignored under Linux. ++ ++ - A is cleared when a file is written to. + + User id and group id will be used unless set[gu]id are given as mount + options. Since most of the Amiga file systems are single user systems +@@ -111,11 +113,13 @@ Linux -> Amiga: + + The Linux rwxrwxrwx file mode is handled as follows: + +- - r permission will set R for user, group and others. ++ - r permission will allow R for user, group and others. ++ ++ - w permission will allow W for user, group and others. + +- - w permission will set W and D for user, group and others. ++ - x permission of the user will allow E for plain files. + +- - x permission of the user will set E for plain files. ++ - D will be allowed for user, group and others. + + - All other flags (suid, sgid, ...) are ignored and will + not be retained. +--- a/fs/affs/amigaffs.c ++++ b/fs/affs/amigaffs.c +@@ -420,24 +420,51 @@ affs_mode_to_prot(struct inode *inode) + u32 prot = AFFS_I(inode)->i_protect; + umode_t mode = inode->i_mode; + ++ /* ++ * First, clear all RWED bits for owner, group, other. ++ * Then, recalculate them afresh. ++ * ++ * We'll always clear the delete-inhibit bit for the owner, as that is ++ * the classic single-user mode AmigaOS protection bit and we need to ++ * stay compatible with all scenarios. ++ * ++ * Since multi-user AmigaOS is an extension, we'll only set the ++ * delete-allow bit if any of the other bits in the same user class ++ * (group/other) are used. ++ */ ++ prot &= ~(FIBF_NOEXECUTE | FIBF_NOREAD ++ | FIBF_NOWRITE | FIBF_NODELETE ++ | FIBF_GRP_EXECUTE | FIBF_GRP_READ ++ | FIBF_GRP_WRITE | FIBF_GRP_DELETE ++ | FIBF_OTR_EXECUTE | FIBF_OTR_READ ++ | FIBF_OTR_WRITE | FIBF_OTR_DELETE); ++ ++ /* Classic single-user AmigaOS flags. These are inverted. */ + if (!(mode & 0100)) + prot |= FIBF_NOEXECUTE; + if (!(mode & 0400)) + prot |= FIBF_NOREAD; + if (!(mode & 0200)) + prot |= FIBF_NOWRITE; ++ ++ /* Multi-user extended flags. Not inverted. */ + if (mode & 0010) + prot |= FIBF_GRP_EXECUTE; + if (mode & 0040) + prot |= FIBF_GRP_READ; + if (mode & 0020) + prot |= FIBF_GRP_WRITE; ++ if (mode & 0070) ++ prot |= FIBF_GRP_DELETE; ++ + if (mode & 0001) + prot |= FIBF_OTR_EXECUTE; + if (mode & 0004) + prot |= FIBF_OTR_READ; + if (mode & 0002) + prot |= FIBF_OTR_WRITE; ++ if (mode & 0007) ++ prot |= FIBF_OTR_DELETE; + + AFFS_I(inode)->i_protect = prot; + } +--- a/fs/affs/file.c ++++ b/fs/affs/file.c +@@ -428,6 +428,24 @@ static int affs_write_begin(struct file + return ret; + } + ++static int affs_write_end(struct file *file, struct address_space *mapping, ++ loff_t pos, unsigned int len, unsigned int copied, ++ struct page *page, void *fsdata) ++{ ++ struct inode *inode = mapping->host; ++ int ret; ++ ++ ret = generic_write_end(file, mapping, pos, len, copied, page, fsdata); ++ ++ /* Clear Archived bit on file writes, as AmigaOS would do */ ++ if (AFFS_I(inode)->i_protect & FIBF_ARCHIVED) { ++ AFFS_I(inode)->i_protect &= ~FIBF_ARCHIVED; ++ mark_inode_dirty(inode); ++ } ++ ++ return ret; ++} ++ + static sector_t _affs_bmap(struct address_space *mapping, sector_t block) + { + return generic_block_bmap(mapping,block,affs_get_block); +@@ -437,7 +455,7 @@ const struct address_space_operations af + .readpage = affs_readpage, + .writepage = affs_writepage, + .write_begin = affs_write_begin, +- .write_end = generic_write_end, ++ .write_end = affs_write_end, + .direct_IO = affs_direct_IO, + .bmap = _affs_bmap + }; +@@ -794,6 +812,12 @@ done: + if (tmp > inode->i_size) + inode->i_size = AFFS_I(inode)->mmu_private = tmp; + ++ /* Clear Archived bit on file writes, as AmigaOS would do */ ++ if (AFFS_I(inode)->i_protect & FIBF_ARCHIVED) { ++ AFFS_I(inode)->i_protect &= ~FIBF_ARCHIVED; ++ mark_inode_dirty(inode); ++ } ++ + err_first_bh: + unlock_page(page); + put_page(page); diff --git a/queue-4.19/alsa-ca0106-fix-error-code-handling.patch b/queue-4.19/alsa-ca0106-fix-error-code-handling.patch new file mode 100644 index 00000000000..6d177d4fe89 --- /dev/null +++ b/queue-4.19/alsa-ca0106-fix-error-code-handling.patch @@ -0,0 +1,35 @@ +From ee0761d1d8222bcc5c86bf10849dc86cf008557c Mon Sep 17 00:00:00 2001 +From: Tong Zhang +Date: Mon, 24 Aug 2020 18:45:41 -0400 +Subject: ALSA: ca0106: fix error code handling + +From: Tong Zhang + +commit ee0761d1d8222bcc5c86bf10849dc86cf008557c upstream. + +snd_ca0106_spi_write() returns 1 on error, snd_ca0106_pcm_power_dac() +is returning the error code directly, and the caller is expecting an +negative error code + +Signed-off-by: Tong Zhang +Cc: +Link: https://lore.kernel.org/r/20200824224541.1260307-1-ztong0001@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/ca0106/ca0106_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/pci/ca0106/ca0106_main.c ++++ b/sound/pci/ca0106/ca0106_main.c +@@ -551,7 +551,8 @@ static int snd_ca0106_pcm_power_dac(stru + else + /* Power down */ + chip->spi_dac_reg[reg] |= bit; +- return snd_ca0106_spi_write(chip, chip->spi_dac_reg[reg]); ++ if (snd_ca0106_spi_write(chip, chip->spi_dac_reg[reg]) != 0) ++ return -ENXIO; + } + return 0; + } diff --git a/queue-4.19/alsa-firewire-digi00x-exclude-avid-adrenaline-from-detection.patch b/queue-4.19/alsa-firewire-digi00x-exclude-avid-adrenaline-from-detection.patch new file mode 100644 index 00000000000..b25c0dbe2bf --- /dev/null +++ b/queue-4.19/alsa-firewire-digi00x-exclude-avid-adrenaline-from-detection.patch @@ -0,0 +1,109 @@ +From acd46a6b6de88569654567810acad2b0a0a25cea Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Sun, 23 Aug 2020 16:55:45 +0900 +Subject: ALSA: firewire-digi00x: exclude Avid Adrenaline from detection + +From: Takashi Sakamoto + +commit acd46a6b6de88569654567810acad2b0a0a25cea upstream. + +Avid Adrenaline is reported that ALSA firewire-digi00x driver is bound to. +However, as long as he investigated, the design of this model is hardly +similar to the one of Digi 00x family. It's better to exclude the model +from modalias of ALSA firewire-digi00x driver. + +This commit changes device entries so that the model is excluded. + +$ python3 crpp < ~/git/am-config-rom/misc/avid-adrenaline.img + ROM header and bus information block + ----------------------------------------------------------------- +400 04203a9c bus_info_length 4, crc_length 32, crc 15004 +404 31333934 bus_name "1394" +408 e064a002 irmc 1, cmc 1, isc 1, bmc 0, cyc_clk_acc 100, max_rec 10 (2048) +40c 00a07e01 company_id 00a07e | +410 00085257 device_id 0100085257 | EUI-64 00a07e0100085257 + + root directory + ----------------------------------------------------------------- +414 0005d08c directory_length 5, crc 53388 +418 0300a07e vendor +41c 8100000c --> descriptor leaf at 44c +420 0c008380 node capabilities +424 8d000002 --> eui-64 leaf at 42c +428 d1000004 --> unit directory at 438 + + eui-64 leaf at 42c + ----------------------------------------------------------------- +42c 0002410f leaf_length 2, crc 16655 +430 00a07e01 company_id 00a07e | +434 00085257 device_id 0100085257 | EUI-64 00a07e0100085257 + + unit directory at 438 + ----------------------------------------------------------------- +438 0004d6c9 directory_length 4, crc 54985 +43c 1200a02d specifier id: 1394 TA +440 13014001 version: Vender Unique and AV/C +444 17000001 model +448 81000009 --> descriptor leaf at 46c + + descriptor leaf at 44c + ----------------------------------------------------------------- +44c 00077205 leaf_length 7, crc 29189 +450 00000000 textual descriptor +454 00000000 minimal ASCII +458 41766964 "Avid" +45c 20546563 " Tec" +460 686e6f6c "hnol" +464 6f677900 "ogy" +468 00000000 + + descriptor leaf at 46c + ----------------------------------------------------------------- +46c 000599a5 leaf_length 5, crc 39333 +470 00000000 textual descriptor +474 00000000 minimal ASCII +478 41647265 "Adre" +47c 6e616c69 "nali" +480 6e650000 "ne" + +Reported-by: Simon Wood +Fixes: 9edf723fd858 ("ALSA: firewire-digi00x: add skeleton for Digi 002/003 family") +Cc: # 4.4+ +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20200823075545.56305-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/digi00x/digi00x.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/sound/firewire/digi00x/digi00x.c ++++ b/sound/firewire/digi00x/digi00x.c +@@ -15,6 +15,7 @@ MODULE_LICENSE("GPL v2"); + #define VENDOR_DIGIDESIGN 0x00a07e + #define MODEL_CONSOLE 0x000001 + #define MODEL_RACK 0x000002 ++#define SPEC_VERSION 0x000001 + + static int name_card(struct snd_dg00x *dg00x) + { +@@ -185,14 +186,18 @@ static const struct ieee1394_device_id s + /* Both of 002/003 use the same ID. */ + { + .match_flags = IEEE1394_MATCH_VENDOR_ID | ++ IEEE1394_MATCH_VERSION | + IEEE1394_MATCH_MODEL_ID, + .vendor_id = VENDOR_DIGIDESIGN, ++ .version = SPEC_VERSION, + .model_id = MODEL_CONSOLE, + }, + { + .match_flags = IEEE1394_MATCH_VENDOR_ID | ++ IEEE1394_MATCH_VERSION | + IEEE1394_MATCH_MODEL_ID, + .vendor_id = VENDOR_DIGIDESIGN, ++ .version = SPEC_VERSION, + .model_id = MODEL_RACK, + }, + {} diff --git a/queue-4.19/alsa-hda-fix-silent-audio-output-and-corrupted-input-on-msi-x570-a-pro.patch b/queue-4.19/alsa-hda-fix-silent-audio-output-and-corrupted-input-on-msi-x570-a-pro.patch new file mode 100644 index 00000000000..57ae8b8fee3 --- /dev/null +++ b/queue-4.19/alsa-hda-fix-silent-audio-output-and-corrupted-input-on-msi-x570-a-pro.patch @@ -0,0 +1,39 @@ +From 15cbff3fbbc631952c346744f862fb294504b5e2 Mon Sep 17 00:00:00 2001 +From: Dan Crawford +Date: Sat, 29 Aug 2020 12:49:46 +1000 +Subject: ALSA: hda - Fix silent audio output and corrupted input on MSI X570-A PRO + +From: Dan Crawford + +commit 15cbff3fbbc631952c346744f862fb294504b5e2 upstream. + +Following Christian Lachner's patch for Gigabyte X570-based motherboards, +also patch the MSI X570-A PRO motherboard; the ALC1220 codec requires the +same workaround for Clevo laptops to enforce the DAC/mixer connection +path. Set up a quirk entry for that. + +I suspect most if all X570 motherboards will require similar patches. + +[ The entries reordered in the SSID order -- tiwai ] + +Related buglink: https://bugzilla.kernel.org/show_bug.cgi?id=205275 +Signed-off-by: Dan Crawford +Cc: +Link: https://lore.kernel.org/r/20200829024946.5691-1-dnlcrwfrd@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2452,6 +2452,7 @@ static const struct snd_pci_quirk alc882 + SND_PCI_QUIRK(0x1462, 0x1276, "MSI-GL73", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0x1293, "MSI-GP65", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0x7350, "MSI-7350", ALC889_FIXUP_CD), ++ SND_PCI_QUIRK(0x1462, 0x9c37, "MSI X570-A PRO", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1462, 0xda57, "MSI Z270-Gaming", ALC1220_FIXUP_GB_DUAL_CODECS), + SND_PCI_QUIRK_VENDOR(0x1462, "MSI", ALC882_FIXUP_GPIO3), + SND_PCI_QUIRK(0x147b, 0x107a, "Abit AW9D-MAX", ALC882_FIXUP_ABIT_AW9D_MAX), diff --git a/queue-4.19/alsa-hda-hdmi-always-check-pin-power-status-in-i915-pin-fixup.patch b/queue-4.19/alsa-hda-hdmi-always-check-pin-power-status-in-i915-pin-fixup.patch new file mode 100644 index 00000000000..62ae9ceab90 --- /dev/null +++ b/queue-4.19/alsa-hda-hdmi-always-check-pin-power-status-in-i915-pin-fixup.patch @@ -0,0 +1,44 @@ +From 858e0ad9301d1270c02b5aca97537d2d6ee9dd68 Mon Sep 17 00:00:00 2001 +From: Kai Vehmanen +Date: Wed, 26 Aug 2020 20:03:06 +0300 +Subject: ALSA: hda/hdmi: always check pin power status in i915 pin fixup + +From: Kai Vehmanen + +commit 858e0ad9301d1270c02b5aca97537d2d6ee9dd68 upstream. + +When system is suspended with active audio playback to HDMI/DP, two +alternative sequences can happen at resume: + a) monitor is detected first and ALSA prepare follows normal + stream setup sequence, or + b) ALSA prepare is called first, but monitor is not yet detected, + so PCM is restarted without a pin, + +In case of (b), on i915 systems, haswell_verify_D0() is not called at +resume and the pin power state may be incorrect. Result is lack of audio +after resume with no error reported back to user-space. + +Fix the problem by always verifying converter and pin state in the +i915_pin_cvt_fixup(). + +BugLink: https://github.com/thesofproject/linux/issues/2388 +Signed-off-by: Kai Vehmanen +Cc: +Link: https://lore.kernel.org/r/20200826170306.701566-1-kai.vehmanen@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_hdmi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -2574,6 +2574,7 @@ static void i915_pin_cvt_fixup(struct hd + hda_nid_t cvt_nid) + { + if (per_pin) { ++ haswell_verify_D0(codec, per_pin->cvt_nid, per_pin->pin_nid); + snd_hda_set_dev_select(codec, per_pin->pin_nid, + per_pin->dev_id); + intel_verify_pin_cvt_connect(codec, per_pin); diff --git a/queue-4.19/alsa-pcm-oss-remove-superfluous-warn_on-for-mulaw-sanity-check.patch b/queue-4.19/alsa-pcm-oss-remove-superfluous-warn_on-for-mulaw-sanity-check.patch new file mode 100644 index 00000000000..776fd0bffcd --- /dev/null +++ b/queue-4.19/alsa-pcm-oss-remove-superfluous-warn_on-for-mulaw-sanity-check.patch @@ -0,0 +1,40 @@ +From 949a1ebe8cea7b342085cb6a4946b498306b9493 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 1 Sep 2020 15:18:02 +0200 +Subject: ALSA: pcm: oss: Remove superfluous WARN_ON() for mulaw sanity check + +From: Takashi Iwai + +commit 949a1ebe8cea7b342085cb6a4946b498306b9493 upstream. + +The PCM OSS mulaw plugin has a check of the format of the counter part +whether it's a linear format. The check is with snd_BUG_ON() that +emits WARN_ON() when the debug config is set, and it confuses +syzkaller as if it were a serious issue. Let's drop snd_BUG_ON() for +avoiding that. + +While we're at it, correct the error code to a more suitable, EINVAL. + +Reported-by: syzbot+23b22dc2e0b81cbfcc95@syzkaller.appspotmail.com +Cc: +Link: https://lore.kernel.org/r/20200901131802.18157-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/oss/mulaw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/core/oss/mulaw.c ++++ b/sound/core/oss/mulaw.c +@@ -329,8 +329,8 @@ int snd_pcm_plugin_build_mulaw(struct sn + snd_BUG(); + return -EINVAL; + } +- if (snd_BUG_ON(!snd_pcm_format_linear(format->format))) +- return -ENXIO; ++ if (!snd_pcm_format_linear(format->format)) ++ return -EINVAL; + + err = snd_pcm_plugin_build(plug, "Mu-Law<->linear conversion", + src_format, dst_format, diff --git a/queue-4.19/block-allow-for_each_bvec-to-support-zero-len-bvec.patch b/queue-4.19/block-allow-for_each_bvec-to-support-zero-len-bvec.patch new file mode 100644 index 00000000000..1c78d0906aa --- /dev/null +++ b/queue-4.19/block-allow-for_each_bvec-to-support-zero-len-bvec.patch @@ -0,0 +1,54 @@ +From 7e24969022cbd61ddc586f14824fc205661bb124 Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Mon, 17 Aug 2020 18:00:55 +0800 +Subject: block: allow for_each_bvec to support zero len bvec + +From: Ming Lei + +commit 7e24969022cbd61ddc586f14824fc205661bb124 upstream. + +Block layer usually doesn't support or allow zero-length bvec. Since +commit 1bdc76aea115 ("iov_iter: use bvec iterator to implement +iterate_bvec()"), iterate_bvec() switches to bvec iterator. However, +Al mentioned that 'Zero-length segments are not disallowed' in iov_iter. + +Fixes for_each_bvec() so that it can move on after seeing one zero +length bvec. + +Fixes: 1bdc76aea115 ("iov_iter: use bvec iterator to implement iterate_bvec()") +Reported-by: syzbot +Signed-off-by: Ming Lei +Tested-by: Tetsuo Handa +Cc: Al Viro +Cc: Matthew Wilcox +Cc: +Link: https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg2262077.html +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/bvec.h | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/include/linux/bvec.h ++++ b/include/linux/bvec.h +@@ -119,11 +119,18 @@ static inline bool bvec_iter_rewind(cons + return true; + } + ++static inline void bvec_iter_skip_zero_bvec(struct bvec_iter *iter) ++{ ++ iter->bi_bvec_done = 0; ++ iter->bi_idx++; ++} ++ + #define for_each_bvec(bvl, bio_vec, iter, start) \ + for (iter = (start); \ + (iter).bi_size && \ + ((bvl = bvec_iter_bvec((bio_vec), (iter))), 1); \ +- bvec_iter_advance((bio_vec), &(iter), (bvl).bv_len)) ++ (bvl).bv_len ? (void)bvec_iter_advance((bio_vec), &(iter), \ ++ (bvl).bv_len) : bvec_iter_skip_zero_bvec(&(iter))) + + /* for iterating one bio from start to end */ + #define BVEC_ITER_ALL_INIT (struct bvec_iter) \ diff --git a/queue-4.19/dm-cache-metadata-avoid-returning-cmd-bm-wild-pointer-on-error.patch b/queue-4.19/dm-cache-metadata-avoid-returning-cmd-bm-wild-pointer-on-error.patch new file mode 100644 index 00000000000..bfe5ac1bf46 --- /dev/null +++ b/queue-4.19/dm-cache-metadata-avoid-returning-cmd-bm-wild-pointer-on-error.patch @@ -0,0 +1,42 @@ +From d16ff19e69ab57e08bf908faaacbceaf660249de Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Tue, 1 Sep 2020 14:25:42 +0800 +Subject: dm cache metadata: Avoid returning cmd->bm wild pointer on error + +From: Ye Bin + +commit d16ff19e69ab57e08bf908faaacbceaf660249de upstream. + +Maybe __create_persistent_data_objects() caller will use PTR_ERR as a +pointer, it will lead to some strange things. + +Signed-off-by: Ye Bin +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-cache-metadata.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-cache-metadata.c ++++ b/drivers/md/dm-cache-metadata.c +@@ -537,12 +537,16 @@ static int __create_persistent_data_obje + CACHE_MAX_CONCURRENT_LOCKS); + if (IS_ERR(cmd->bm)) { + DMERR("could not create block manager"); +- return PTR_ERR(cmd->bm); ++ r = PTR_ERR(cmd->bm); ++ cmd->bm = NULL; ++ return r; + } + + r = __open_or_format_metadata(cmd, may_format_device); +- if (r) ++ if (r) { + dm_block_manager_destroy(cmd->bm); ++ cmd->bm = NULL; ++ } + + return r; + } diff --git a/queue-4.19/dm-thin-metadata-avoid-returning-cmd-bm-wild-pointer-on-error.patch b/queue-4.19/dm-thin-metadata-avoid-returning-cmd-bm-wild-pointer-on-error.patch new file mode 100644 index 00000000000..98051953137 --- /dev/null +++ b/queue-4.19/dm-thin-metadata-avoid-returning-cmd-bm-wild-pointer-on-error.patch @@ -0,0 +1,42 @@ +From 219403d7e56f9b716ad80ab87db85d29547ee73e Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Tue, 1 Sep 2020 14:25:43 +0800 +Subject: dm thin metadata: Avoid returning cmd->bm wild pointer on error + +From: Ye Bin + +commit 219403d7e56f9b716ad80ab87db85d29547ee73e upstream. + +Maybe __create_persistent_data_objects() caller will use PTR_ERR as a +pointer, it will lead to some strange things. + +Signed-off-by: Ye Bin +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-thin-metadata.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-thin-metadata.c ++++ b/drivers/md/dm-thin-metadata.c +@@ -698,12 +698,16 @@ static int __create_persistent_data_obje + THIN_MAX_CONCURRENT_LOCKS); + if (IS_ERR(pmd->bm)) { + DMERR("could not create block manager"); +- return PTR_ERR(pmd->bm); ++ r = PTR_ERR(pmd->bm); ++ pmd->bm = NULL; ++ return r; + } + + r = __open_or_format_metadata(pmd, format_device); +- if (r) ++ if (r) { + dm_block_manager_destroy(pmd->bm); ++ pmd->bm = NULL; ++ } + + return r; + } diff --git a/queue-4.19/dm-writecache-handle-dax-to-partitions-on-persistent-memory-correctly.patch b/queue-4.19/dm-writecache-handle-dax-to-partitions-on-persistent-memory-correctly.patch new file mode 100644 index 00000000000..7544fa9ba82 --- /dev/null +++ b/queue-4.19/dm-writecache-handle-dax-to-partitions-on-persistent-memory-correctly.patch @@ -0,0 +1,62 @@ +From f9e040efcc28309e5c592f7e79085a9a52e31f58 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 24 Aug 2020 11:09:47 -0400 +Subject: dm writecache: handle DAX to partitions on persistent memory correctly + +From: Mikulas Patocka + +commit f9e040efcc28309e5c592f7e79085a9a52e31f58 upstream. + +The function dax_direct_access doesn't take partitions into account, +it always maps pages from the beginning of the device. Therefore, +persistent_memory_claim() must get the partition offset using +get_start_sect() and add it to the page offsets passed to +dax_direct_access(). + +Signed-off-by: Mikulas Patocka +Fixes: 48debafe4f2f ("dm: add writecache target") +Cc: stable@vger.kernel.org # 4.18+ +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-writecache.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-writecache.c ++++ b/drivers/md/dm-writecache.c +@@ -226,6 +226,7 @@ static int persistent_memory_claim(struc + pfn_t pfn; + int id; + struct page **pages; ++ sector_t offset; + + wc->memory_vmapped = false; + +@@ -244,9 +245,16 @@ static int persistent_memory_claim(struc + goto err1; + } + ++ offset = get_start_sect(wc->ssd_dev->bdev); ++ if (offset & (PAGE_SIZE / 512 - 1)) { ++ r = -EINVAL; ++ goto err1; ++ } ++ offset >>= PAGE_SHIFT - 9; ++ + id = dax_read_lock(); + +- da = dax_direct_access(wc->ssd_dev->dax_dev, 0, p, &wc->memory_map, &pfn); ++ da = dax_direct_access(wc->ssd_dev->dax_dev, offset, p, &wc->memory_map, &pfn); + if (da < 0) { + wc->memory_map = NULL; + r = da; +@@ -268,7 +276,7 @@ static int persistent_memory_claim(struc + i = 0; + do { + long daa; +- daa = dax_direct_access(wc->ssd_dev->dax_dev, i, p - i, ++ daa = dax_direct_access(wc->ssd_dev->dax_dev, offset + i, p - i, + NULL, &pfn); + if (daa <= 0) { + r = daa ? daa : -EINVAL; diff --git a/queue-4.19/libata-implement-ata_horkage_max_trim_128m-and-apply-to-sandisks.patch b/queue-4.19/libata-implement-ata_horkage_max_trim_128m-and-apply-to-sandisks.patch new file mode 100644 index 00000000000..7cabc592898 --- /dev/null +++ b/queue-4.19/libata-implement-ata_horkage_max_trim_128m-and-apply-to-sandisks.patch @@ -0,0 +1,79 @@ +From 3b5455636fe26ea21b4189d135a424a6da016418 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Wed, 2 Sep 2020 12:32:45 -0400 +Subject: libata: implement ATA_HORKAGE_MAX_TRIM_128M and apply to Sandisks + +From: Tejun Heo + +commit 3b5455636fe26ea21b4189d135a424a6da016418 upstream. + +All three generations of Sandisk SSDs lock up hard intermittently. +Experiments showed that disabling NCQ lowered the failure rate significantly +and the kernel has been disabling NCQ for some models of SD7's and 8's, +which is obviously undesirable. + +Karthik worked with Sandisk to root cause the hard lockups to trim commands +larger than 128M. This patch implements ATA_HORKAGE_MAX_TRIM_128M which +limits max trim size to 128M and applies it to all three generations of +Sandisk SSDs. + +Signed-off-by: Tejun Heo +Cc: Karthik Shivaram +Cc: stable@vger.kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 5 ++--- + drivers/ata/libata-scsi.c | 8 +++++++- + include/linux/libata.h | 1 + + 3 files changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4492,9 +4492,8 @@ static const struct ata_blacklist_entry + /* https://bugzilla.kernel.org/show_bug.cgi?id=15573 */ + { "C300-CTFDDAC128MAG", "0001", ATA_HORKAGE_NONCQ, }, + +- /* Some Sandisk SSDs lock up hard with NCQ enabled. Reported on +- SD7SN6S256G and SD8SN8U256G */ +- { "SanDisk SD[78]SN*G", NULL, ATA_HORKAGE_NONCQ, }, ++ /* Sandisk SD7/8/9s lock up hard on large trims */ ++ { "SanDisk SD[789]*", NULL, ATA_HORKAGE_MAX_TRIM_128M, }, + + /* devices which puke on READ_NATIVE_MAX */ + { "HDS724040KLSA80", "KFAOA20N", ATA_HORKAGE_BROKEN_HPA, }, +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -2391,6 +2391,7 @@ static unsigned int ata_scsiop_inq_89(st + + static unsigned int ata_scsiop_inq_b0(struct ata_scsi_args *args, u8 *rbuf) + { ++ struct ata_device *dev = args->dev; + u16 min_io_sectors; + + rbuf[1] = 0xb0; +@@ -2416,7 +2417,12 @@ static unsigned int ata_scsiop_inq_b0(st + * with the unmap bit set. + */ + if (ata_id_has_trim(args->id)) { +- put_unaligned_be64(65535 * ATA_MAX_TRIM_RNUM, &rbuf[36]); ++ u64 max_blocks = 65535 * ATA_MAX_TRIM_RNUM; ++ ++ if (dev->horkage & ATA_HORKAGE_MAX_TRIM_128M) ++ max_blocks = 128 << (20 - SECTOR_SHIFT); ++ ++ put_unaligned_be64(max_blocks, &rbuf[36]); + put_unaligned_be32(1, &rbuf[28]); + } + +--- a/include/linux/libata.h ++++ b/include/linux/libata.h +@@ -439,6 +439,7 @@ enum { + ATA_HORKAGE_NO_DMA_LOG = (1 << 23), /* don't use DMA for log read */ + ATA_HORKAGE_NOTRIM = (1 << 24), /* don't use TRIM */ + ATA_HORKAGE_MAX_SEC_1024 = (1 << 25), /* Limit max sects to 1024 */ ++ ATA_HORKAGE_MAX_TRIM_128M = (1 << 26), /* Limit max trim size to 128M */ + + /* DMA mask for user DMA control: User visible values; DO NOT + renumber */ diff --git a/queue-4.19/media-rc-do-not-access-device-via-sysfs-after-rc_unregister_device.patch b/queue-4.19/media-rc-do-not-access-device-via-sysfs-after-rc_unregister_device.patch new file mode 100644 index 00000000000..35eb834c189 --- /dev/null +++ b/queue-4.19/media-rc-do-not-access-device-via-sysfs-after-rc_unregister_device.patch @@ -0,0 +1,57 @@ +From a2e2d73fa28136598e84db9d021091f1b98cbb1a Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Sat, 8 Aug 2020 13:38:02 +0200 +Subject: media: rc: do not access device via sysfs after rc_unregister_device() + +From: Sean Young + +commit a2e2d73fa28136598e84db9d021091f1b98cbb1a upstream. + +Device drivers do not expect to have change_protocol or wakeup +re-programming to be accesed after rc_unregister_device(). This can +cause the device driver to access deallocated resources. + +Cc: # 4.16+ +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/rc/rc-main.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/media/rc/rc-main.c ++++ b/drivers/media/rc/rc-main.c +@@ -1245,6 +1245,10 @@ static ssize_t store_protocols(struct de + } + + mutex_lock(&dev->lock); ++ if (!dev->registered) { ++ mutex_unlock(&dev->lock); ++ return -ENODEV; ++ } + + old_protocols = *current_protocols; + new_protocols = old_protocols; +@@ -1383,6 +1387,10 @@ static ssize_t store_filter(struct devic + return -EINVAL; + + mutex_lock(&dev->lock); ++ if (!dev->registered) { ++ mutex_unlock(&dev->lock); ++ return -ENODEV; ++ } + + new_filter = *filter; + if (fattr->mask) +@@ -1497,6 +1505,10 @@ static ssize_t store_wakeup_protocols(st + int i; + + mutex_lock(&dev->lock); ++ if (!dev->registered) { ++ mutex_unlock(&dev->lock); ++ return -ENODEV; ++ } + + allowed = dev->allowed_wakeup_protocols; + diff --git a/queue-4.19/media-rc-uevent-sysfs-file-races-with-rc_unregister_device.patch b/queue-4.19/media-rc-uevent-sysfs-file-races-with-rc_unregister_device.patch new file mode 100644 index 00000000000..344b00e3a58 --- /dev/null +++ b/queue-4.19/media-rc-uevent-sysfs-file-races-with-rc_unregister_device.patch @@ -0,0 +1,82 @@ +From 4f0835d6677dc69263f90f976524cb92b257d9f4 Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Sat, 8 Aug 2020 13:19:12 +0200 +Subject: media: rc: uevent sysfs file races with rc_unregister_device() + +From: Sean Young + +commit 4f0835d6677dc69263f90f976524cb92b257d9f4 upstream. + +Only report uevent file contents if device still registered, else we +might read freed memory. + +Reported-by: syzbot+ceef16277388d6f24898@syzkaller.appspotmail.com +Cc: Hillf Danton +Cc: # 4.16+ +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/rc/rc-main.c | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +--- a/drivers/media/rc/rc-main.c ++++ b/drivers/media/rc/rc-main.c +@@ -1568,25 +1568,25 @@ static void rc_dev_release(struct device + kfree(dev); + } + +-#define ADD_HOTPLUG_VAR(fmt, val...) \ +- do { \ +- int err = add_uevent_var(env, fmt, val); \ +- if (err) \ +- return err; \ +- } while (0) +- + static int rc_dev_uevent(struct device *device, struct kobj_uevent_env *env) + { + struct rc_dev *dev = to_rc_dev(device); ++ int ret = 0; + +- if (dev->rc_map.name) +- ADD_HOTPLUG_VAR("NAME=%s", dev->rc_map.name); +- if (dev->driver_name) +- ADD_HOTPLUG_VAR("DRV_NAME=%s", dev->driver_name); +- if (dev->device_name) +- ADD_HOTPLUG_VAR("DEV_NAME=%s", dev->device_name); ++ mutex_lock(&dev->lock); + +- return 0; ++ if (!dev->registered) ++ ret = -ENODEV; ++ if (ret == 0 && dev->rc_map.name) ++ ret = add_uevent_var(env, "NAME=%s", dev->rc_map.name); ++ if (ret == 0 && dev->driver_name) ++ ret = add_uevent_var(env, "DRV_NAME=%s", dev->driver_name); ++ if (ret == 0 && dev->device_name) ++ ret = add_uevent_var(env, "DEV_NAME=%s", dev->device_name); ++ ++ mutex_unlock(&dev->lock); ++ ++ return ret; + } + + /* +@@ -1970,14 +1970,14 @@ void rc_unregister_device(struct rc_dev + del_timer_sync(&dev->timer_keyup); + del_timer_sync(&dev->timer_repeat); + +- rc_free_rx_device(dev); +- + mutex_lock(&dev->lock); + if (dev->users && dev->close) + dev->close(dev); + dev->registered = false; + mutex_unlock(&dev->lock); + ++ rc_free_rx_device(dev); ++ + /* + * lirc device should be freed with dev->registered = false, so + * that userspace polling will get notified. diff --git a/queue-4.19/mm-slub-fix-conversion-of-freelist_corrupted.patch b/queue-4.19/mm-slub-fix-conversion-of-freelist_corrupted.patch new file mode 100644 index 00000000000..a10ccbb4628 --- /dev/null +++ b/queue-4.19/mm-slub-fix-conversion-of-freelist_corrupted.patch @@ -0,0 +1,76 @@ +From dc07a728d49cf025f5da2c31add438d839d076c0 Mon Sep 17 00:00:00 2001 +From: Eugeniu Rosca +Date: Fri, 4 Sep 2020 16:35:30 -0700 +Subject: mm: slub: fix conversion of freelist_corrupted() + +From: Eugeniu Rosca + +commit dc07a728d49cf025f5da2c31add438d839d076c0 upstream. + +Commit 52f23478081ae0 ("mm/slub.c: fix corrupted freechain in +deactivate_slab()") suffered an update when picked up from LKML [1]. + +Specifically, relocating 'freelist = NULL' into 'freelist_corrupted()' +created a no-op statement. Fix it by sticking to the behavior intended +in the original patch [1]. In addition, make freelist_corrupted() +immune to passing NULL instead of &freelist. + +The issue has been spotted via static analysis and code review. + +[1] https://lore.kernel.org/linux-mm/20200331031450.12182-1-dongli.zhang@oracle.com/ + +Fixes: 52f23478081ae0 ("mm/slub.c: fix corrupted freechain in deactivate_slab()") +Signed-off-by: Eugeniu Rosca +Signed-off-by: Andrew Morton +Cc: Dongli Zhang +Cc: Joe Jin +Cc: Christoph Lameter +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: +Link: https://lkml.kernel.org/r/20200824130643.10291-1-erosca@de.adit-jv.com +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slub.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -646,12 +646,12 @@ static void slab_fix(struct kmem_cache * + } + + static bool freelist_corrupted(struct kmem_cache *s, struct page *page, +- void *freelist, void *nextfree) ++ void **freelist, void *nextfree) + { + if ((s->flags & SLAB_CONSISTENCY_CHECKS) && +- !check_valid_pointer(s, page, nextfree)) { +- object_err(s, page, freelist, "Freechain corrupt"); +- freelist = NULL; ++ !check_valid_pointer(s, page, nextfree) && freelist) { ++ object_err(s, page, *freelist, "Freechain corrupt"); ++ *freelist = NULL; + slab_fix(s, "Isolate corrupted freechain"); + return true; + } +@@ -1343,7 +1343,7 @@ static inline void dec_slabs_node(struct + int objects) {} + + static bool freelist_corrupted(struct kmem_cache *s, struct page *page, +- void *freelist, void *nextfree) ++ void **freelist, void *nextfree) + { + return false; + } +@@ -2037,7 +2037,7 @@ static void deactivate_slab(struct kmem_ + * 'freelist' is already corrupted. So isolate all objects + * starting at 'freelist'. + */ +- if (freelist_corrupted(s, page, freelist, nextfree)) ++ if (freelist_corrupted(s, page, &freelist, nextfree)) + break; + + do { diff --git a/queue-4.19/series b/queue-4.19/series index 5f1799cb2bb..44e895849a7 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -63,3 +63,17 @@ uaccess-add-non-pagefault-user-space-write-function.patch btrfs-fix-potential-deadlock-in-the-search-ioctl.patch net-usb-qmi_wwan-add-telit-0x1050-composition.patch usb-qmi_wwan-add-d-link-dwm-222-a2-device-id.patch +alsa-ca0106-fix-error-code-handling.patch +alsa-pcm-oss-remove-superfluous-warn_on-for-mulaw-sanity-check.patch +alsa-hda-hdmi-always-check-pin-power-status-in-i915-pin-fixup.patch +alsa-firewire-digi00x-exclude-avid-adrenaline-from-detection.patch +alsa-hda-fix-silent-audio-output-and-corrupted-input-on-msi-x570-a-pro.patch +media-rc-do-not-access-device-via-sysfs-after-rc_unregister_device.patch +media-rc-uevent-sysfs-file-races-with-rc_unregister_device.patch +affs-fix-basic-permission-bits-to-actually-work.patch +block-allow-for_each_bvec-to-support-zero-len-bvec.patch +libata-implement-ata_horkage_max_trim_128m-and-apply-to-sandisks.patch +dm-writecache-handle-dax-to-partitions-on-persistent-memory-correctly.patch +dm-cache-metadata-avoid-returning-cmd-bm-wild-pointer-on-error.patch +dm-thin-metadata-avoid-returning-cmd-bm-wild-pointer-on-error.patch +mm-slub-fix-conversion-of-freelist_corrupted.patch