From f75d58f69c1fee206504bc836c2a4b0da94e522c Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 11 Nov 2019 07:41:57 +0100 Subject: [PATCH] 4.14-stable patches added patches: alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch alsa-hda-ca0132-fix-possible-workqueue-stall.patch alsa-timer-fix-incorrectly-assigned-timer-instance.patch arm64-do-not-mask-out-pte_rdonly-in-pte_same.patch can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch can-gs_usb-gs_can_open-prevent-memory-leak.patch can-mcba_usb-fix-use-after-free-on-disconnect.patch can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch can-peak_usb-fix-slab-info-leak.patch can-rx-offload-can_rx_offload_queue_sorted-fix-error-handling-avoid-skb-mem-leak.patch can-usb_8dev-fix-use-after-free-on-disconnect.patch ceph-add-missing-check-in-d_revalidate-snapdir-handling.patch ceph-fix-use-after-free-in-__ceph_remove_cap.patch drm-radeon-fix-si_enable_smc_cac-failed-issue.patch dump_stack-avoid-the-livelock-of-the-dump_lock.patch hid-wacom-generic-treat-serial-number-and-related-fields-as-unsigned.patch iio-adc-stm32-adc-fix-stopping-dma.patch iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch iio-srf04-fix-wrong-limitation-in-distance-measuring.patch intel_th-pci-add-comet-lake-pch-support.patch intel_th-pci-add-jasper-lake-pch-support.patch mm-meminit-recalculate-pcpu-batch-and-high-limits-after-init-completes.patch mm-thp-handle-page-cache-thp-correctly-in-pagetranscompoundmap.patch mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch perf-tools-fix-time-sorting.patch tools-gpio-use-building_out_of_srctree-to-determine-srctree.patch --- ...for-focusrite-saffire-pro-i-o-series.patch | 50 ++++++ ...-ca0132-fix-possible-workqueue-stall.patch | 41 +++++ ...-incorrectly-assigned-timer-instance.patch | 61 ++++++++ ...-not-mask-out-pte_rdonly-in-pte_same.patch 
| 57 +++++++ ...ead-status-register-after-status-irq.patch | 93 +++++++++++ ..._usb-gs_can_open-prevent-memory-leak.patch | 32 ++++ ...usb-fix-use-after-free-on-disconnect.patch | 39 +++++ ...l-out-of-sync-while-decoding-packets.patch | 80 ++++++++++ .../can-peak_usb-fix-slab-info-leak.patch | 39 +++++ ...ix-error-handling-avoid-skb-mem-leak.patch | 51 ++++++ ...dev-fix-use-after-free-on-disconnect.patch | 36 +++++ ...eck-in-d_revalidate-snapdir-handling.patch | 31 ++++ ...-use-after-free-in-__ceph_remove_cap.patch | 73 +++++++++ ...n-fix-si_enable_smc_cac-failed-issue.patch | 33 ++++ ...-avoid-the-livelock-of-the-dump_lock.patch | 47 ++++++ ...umber-and-related-fields-as-unsigned.patch | 101 ++++++++++++ .../iio-adc-stm32-adc-fix-stopping-dma.patch | 46 ++++++ ...-sure-provided-frequency-is-positive.patch | 40 +++++ ...ong-limitation-in-distance-measuring.patch | 108 +++++++++++++ ...el_th-pci-add-comet-lake-pch-support.patch | 35 +++++ ...l_th-pci-add-jasper-lake-pch-support.patch | 35 +++++ ...and-high-limits-after-init-completes.patch | 120 +++++++++++++++ ...hp-correctly-in-pagetranscompoundmap.patch | 145 ++++++++++++++++++ ...-proc-pagetypeinfo-from-normal-users.patch | 57 +++++++ ...x-an-error-code-in-ip_set_sockfn_get.patch | 47 ++++++ ...lign-nft_expr-private-data-to-64-bit.patch | 60 ++++++++ queue-4.14/perf-tools-fix-time-sorting.patch | 46 ++++++ queue-4.14/series | 28 ++++ ..._out_of_srctree-to-determine-srctree.patch | 48 ++++++ 29 files changed, 1679 insertions(+) create mode 100644 queue-4.14/alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch create mode 100644 queue-4.14/alsa-hda-ca0132-fix-possible-workqueue-stall.patch create mode 100644 queue-4.14/alsa-timer-fix-incorrectly-assigned-timer-instance.patch create mode 100644 queue-4.14/arm64-do-not-mask-out-pte_rdonly-in-pte_same.patch create mode 100644 queue-4.14/can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch create mode 
100644 queue-4.14/can-gs_usb-gs_can_open-prevent-memory-leak.patch create mode 100644 queue-4.14/can-mcba_usb-fix-use-after-free-on-disconnect.patch create mode 100644 queue-4.14/can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch create mode 100644 queue-4.14/can-peak_usb-fix-slab-info-leak.patch create mode 100644 queue-4.14/can-rx-offload-can_rx_offload_queue_sorted-fix-error-handling-avoid-skb-mem-leak.patch create mode 100644 queue-4.14/can-usb_8dev-fix-use-after-free-on-disconnect.patch create mode 100644 queue-4.14/ceph-add-missing-check-in-d_revalidate-snapdir-handling.patch create mode 100644 queue-4.14/ceph-fix-use-after-free-in-__ceph_remove_cap.patch create mode 100644 queue-4.14/drm-radeon-fix-si_enable_smc_cac-failed-issue.patch create mode 100644 queue-4.14/dump_stack-avoid-the-livelock-of-the-dump_lock.patch create mode 100644 queue-4.14/hid-wacom-generic-treat-serial-number-and-related-fields-as-unsigned.patch create mode 100644 queue-4.14/iio-adc-stm32-adc-fix-stopping-dma.patch create mode 100644 queue-4.14/iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch create mode 100644 queue-4.14/iio-srf04-fix-wrong-limitation-in-distance-measuring.patch create mode 100644 queue-4.14/intel_th-pci-add-comet-lake-pch-support.patch create mode 100644 queue-4.14/intel_th-pci-add-jasper-lake-pch-support.patch create mode 100644 queue-4.14/mm-meminit-recalculate-pcpu-batch-and-high-limits-after-init-completes.patch create mode 100644 queue-4.14/mm-thp-handle-page-cache-thp-correctly-in-pagetranscompoundmap.patch create mode 100644 queue-4.14/mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch create mode 100644 queue-4.14/netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch create mode 100644 queue-4.14/netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch create mode 100644 queue-4.14/perf-tools-fix-time-sorting.patch create mode 100644 
queue-4.14/tools-gpio-use-building_out_of_srctree-to-determine-srctree.patch
diff --git a/queue-4.14/alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch b/queue-4.14/alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch
new file mode 100644
index 00000000000..be9b3c4bce8
--- /dev/null
+++ b/queue-4.14/alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch
@@ -0,0 +1,50 @@ +From 706ad6746a66546daf96d4e4a95e46faf6cf689a Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Sun, 3 Nov 2019 00:09:20 +0900 +Subject: ALSA: bebob: fix to detect configured source of sampling clock for Focusrite Saffire Pro i/o series + +From: Takashi Sakamoto + +commit 706ad6746a66546daf96d4e4a95e46faf6cf689a upstream. + +For Focusrite Saffire Pro i/o, the lowest 8 bits of register represents +configured source of sampling clock. The next lowest 8 bits represents +whether the configured source is actually detected or not just after +the register is changed for the source. + +Current implementation evaluates whole the register to detect configured +source. This results in failure due to the next lowest 8 bits when the +source is connected in advance. + +This commit fixes the bug. + +Fixes: 25784ec2d034 ("ALSA: bebob: Add support for Focusrite Saffire/SaffirePro series") +Cc: # v3.16+ +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20191102150920.20367-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/bebob/bebob_focusrite.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/firewire/bebob/bebob_focusrite.c ++++ b/sound/firewire/bebob/bebob_focusrite.c +@@ -28,6 +28,8 @@ + #define SAFFIRE_CLOCK_SOURCE_SPDIF 1 + + /* clock sources as returned from register of Saffire Pro 10 and 26 */ ++#define SAFFIREPRO_CLOCK_SOURCE_SELECT_MASK 0x000000ff ++#define SAFFIREPRO_CLOCK_SOURCE_DETECT_MASK 0x0000ff00 + #define SAFFIREPRO_CLOCK_SOURCE_INTERNAL 0 + #define SAFFIREPRO_CLOCK_SOURCE_SKIP 1 /* never used on hardware */ + #define SAFFIREPRO_CLOCK_SOURCE_SPDIF 2 +@@ -190,6 +192,7 @@ saffirepro_both_clk_src_get(struct snd_b + map = saffirepro_clk_maps[1]; + + /* In a case that this driver cannot handle the value of register. */ ++ value &= SAFFIREPRO_CLOCK_SOURCE_SELECT_MASK; + if (value >= SAFFIREPRO_CLOCK_SOURCE_COUNT || map[value] < 0) { + err = -EIO; + goto end; 
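Review bot: In the bebob_focusrite.c hunk for `saffirepro_both_clk_src_get()`, the new `value &= SAFFIREPRO_CLOCK_SOURCE_SELECT_MASK;` sits between the comment "In a case that this driver cannot handle the value of register." and the range check that comment describes, so the comment now reads as if it explained the masking. Moving the mask above that comment with its own line, e.g. `/* only the low 8 bits select the source; bits 8-15 report detection */`, keeps both accurate. `SAFFIREPRO_CLOCK_SOURCE_DETECT_MASK` is added but nothing in the visible hunks uses it, which deserves a word where it is defined. The check against `SAFFIREPRO_CLOCK_SOURCE_COUNT` still runs before `map[value]` is indexed; the function body continues outside the hunk.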
diff --git a/queue-4.14/alsa-hda-ca0132-fix-possible-workqueue-stall.patch b/queue-4.14/alsa-hda-ca0132-fix-possible-workqueue-stall.patch new file mode 100644 index 00000000000..74aa1ffe96f --- /dev/null +++ b/queue-4.14/alsa-hda-ca0132-fix-possible-workqueue-stall.patch @@ -0,0 +1,41 @@ +From 15c2b3cc09a31620914955cb2a89c277c18ee999 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 5 Nov 2019 14:43:16 +0100 +Subject: ALSA: hda/ca0132 - Fix possible workqueue stall + +From: Takashi Iwai + +commit 15c2b3cc09a31620914955cb2a89c277c18ee999 upstream. + +The unsolicited event handler for the headphone jack on CA0132 codec +driver tries to reschedule the another delayed work with +cancel_delayed_work_sync(). It's no good idea, unfortunately, +especially after we changed the work queue to the standard global +one; this may lead to a stall because both works are using the same +global queue. + +Fix it by dropping the _sync but does call cancel_delayed_work() +instead. + +Fixes: 993884f6a26c ("ALSA: hda/ca0132 - Delay HP amp turnon.") +BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1155836 +Cc: +Link: https://lore.kernel.org/r/20191105134316.19294-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_ca0132.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -4440,7 +4440,7 @@ static void hp_callback(struct hda_codec + /* Delay enabling the HP amp, to let the mic-detection + * state machine run. + */ +- cancel_delayed_work_sync(&spec->unsol_hp_work); ++ cancel_delayed_work(&spec->unsol_hp_work); + schedule_delayed_work(&spec->unsol_hp_work, msecs_to_jiffies(500)); + tbl = snd_hda_jack_tbl_get(codec, cb->nid); + if (tbl) diff --git a/queue-4.14/alsa-timer-fix-incorrectly-assigned-timer-instance.patch b/queue-4.14/alsa-timer-fix-incorrectly-assigned-timer-instance.patch new file mode 100644 index 00000000000..c2245e714f0 
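Review bot: The switch to `cancel_delayed_work()` in `hp_callback()` means a handler instance that is already running is no longer waited for, and the existing comment above the call does not say that this is deliberate. A line such as `/* non-sync cancel on purpose: waiting here can stall the shared global workqueue */` would stop a later cleanup from restoring the _sync call. Teardown paths outside this hunk presumably still need the synchronous variant so the work cannot run after the driver state is released; that is worth confirming in the 4.14 tree.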
--- /dev/null
+++ b/queue-4.14/alsa-timer-fix-incorrectly-assigned-timer-instance.patch
@@ -0,0 +1,61 @@ +From e7af6307a8a54f0b873960b32b6a644f2d0fbd97 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 6 Nov 2019 17:55:47 +0100 +Subject: ALSA: timer: Fix incorrectly assigned timer instance + +From: Takashi Iwai + +commit e7af6307a8a54f0b873960b32b6a644f2d0fbd97 upstream. + +The clean up commit 41672c0c24a6 ("ALSA: timer: Simplify error path in +snd_timer_open()") unified the error handling code paths with the +standard goto, but it introduced a subtle bug: the timer instance is +stored in snd_timer_open() incorrectly even if it returns an error. +This may eventually lead to UAF, as spotted by fuzzer. + +The culprit is the snd_timer_open() code checks the +SNDRV_TIMER_IFLG_EXCLUSIVE flag with the common variable timeri. +This variable is supposed to be the newly created instance, but we +(ab-)used it for a temporary check before the actual creation of a +timer instance. After that point, there is another check for the max +number of instances, and it bails out if over the threshold. Before +the refactoring above, it worked fine because the code returned +directly from that point. After the refactoring, however, it jumps to +the unified error path that stores the timeri variable in return -- +even if it returns an error. Unfortunately this stored value is kept +in the caller side (snd_timer_user_tselect()) in tu->timeri. This +causes inconsistency later, as if the timer was successfully +assigned. + +In this patch, we fix it by not re-using timeri variable but a +temporary variable for testing the exclusive connection, so timeri +remains NULL at that point. 
+ +Fixes: 41672c0c24a6 ("ALSA: timer: Simplify error path in snd_timer_open()") +Reported-and-tested-by: Tristan Madani +Cc: +Link: https://lore.kernel.org/r/20191106165547.23518-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/timer.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -298,11 +298,11 @@ int snd_timer_open(struct snd_timer_inst + goto unlock; + } + if (!list_empty(&timer->open_list_head)) { +- timeri = list_entry(timer->open_list_head.next, ++ struct snd_timer_instance *t = ++ list_entry(timer->open_list_head.next, + struct snd_timer_instance, open_list); +- if (timeri->flags & SNDRV_TIMER_IFLG_EXCLUSIVE) { ++ if (t->flags & SNDRV_TIMER_IFLG_EXCLUSIVE) { + err = -EBUSY; +- timeri = NULL; + goto unlock; + } + } diff --git a/queue-4.14/arm64-do-not-mask-out-pte_rdonly-in-pte_same.patch b/queue-4.14/arm64-do-not-mask-out-pte_rdonly-in-pte_same.patch new file mode 100644 index 00000000000..b9f3f45eeda --- /dev/null +++ b/queue-4.14/arm64-do-not-mask-out-pte_rdonly-in-pte_same.patch 
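Review bot: The fix in `snd_timer_open()` depends on `timeri` staying NULL until the instance is really created, but nothing in the new code records that invariant. Per the commit text the shared `unlock` path stores `timeri` for the caller even when an error is returned, so a comment at the scratch variable, e.g. `/* do not reuse timeri here: the unlock path hands it back to the caller even on error */`, would guard against the same use-after-free being reintroduced. For this backport it is also worth confirming that the commit named in `Fixes:` is present in 4.14.y. The function starts and ends outside the hunk.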
@@ -0,0 +1,57 @@ +From 6767df245f4736d0cf0c6fb7cf9cf94b27414245 Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Wed, 6 Nov 2019 15:41:05 +0000 +Subject: arm64: Do not mask out PTE_RDONLY in pte_same() + +From: Catalin Marinas + +commit 6767df245f4736d0cf0c6fb7cf9cf94b27414245 upstream. + +Following commit 73e86cb03cf2 ("arm64: Move PTE_RDONLY bit handling out +of set_pte_at()"), the PTE_RDONLY bit is no longer managed by +set_pte_at() but built into the PAGE_* attribute definitions. +Consequently, pte_same() must include this bit when checking two PTEs +for equality. + +Remove the arm64-specific pte_same() function, practically reverting +commit 747a70e60b72 ("arm64: Fix copy-on-write referencing in HugeTLB") + +Fixes: 73e86cb03cf2 ("arm64: Move PTE_RDONLY bit handling out of set_pte_at()") +Cc: # 4.14.x- +Cc: Will Deacon +Cc: Steve Capper +Reported-by: John Stultz +Signed-off-by: Catalin Marinas +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/pgtable.h | 17 ----------------- + 1 file changed, 17 deletions(-) + +--- a/arch/arm64/include/asm/pgtable.h ++++ b/arch/arm64/include/asm/pgtable.h +@@ -258,23 +258,6 @@ static inline void set_pte_at(struct mm_ + set_pte(ptep, pte); + } + +-#define __HAVE_ARCH_PTE_SAME +-static inline int pte_same(pte_t pte_a, pte_t pte_b) +-{ +- pteval_t lhs, rhs; +- +- lhs = pte_val(pte_a); +- rhs = pte_val(pte_b); +- +- if (pte_present(pte_a)) +- lhs &= ~PTE_RDONLY; +- +- if (pte_present(pte_b)) +- rhs &= ~PTE_RDONLY; +- +- return (lhs == rhs); +-} +- + /* + * Huge pte definitions. + */ diff --git a/queue-4.14/can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch b/queue-4.14/can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch new file mode 100644 index 00000000000..93a929ca93a --- /dev/null +++ b/queue-4.14/can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch 
@@ -0,0 +1,93 @@ +From 3cb3eaac52c0f145d895f4b6c22834d5f02b8569 Mon Sep 17 00:00:00 2001 +From: Kurt Van Dijck +Date: Tue, 1 Oct 2019 09:40:36 +0200 +Subject: can: c_can: c_can_poll(): only read status register after status IRQ + +From: Kurt Van Dijck + +commit 3cb3eaac52c0f145d895f4b6c22834d5f02b8569 upstream. + +When the status register is read without the status IRQ pending, the +chip may not raise the interrupt line for an upcoming status interrupt +and the driver may miss a status interrupt. + +It is critical that the BUSOFF status interrupt is forwarded to the +higher layers, since no more interrupts will follow without +intervention. + +Thanks to Wolfgang and Joe for bringing up the first idea. + +Signed-off-by: Kurt Van Dijck +Cc: Wolfgang Grandegger +Cc: Joe Burmeister +Fixes: fa39b54ccf28 ("can: c_can: Get rid of pointless interrupts") +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/c_can/c_can.c | 25 ++++++++++++++++++++----- + drivers/net/can/c_can/c_can.h | 1 + + 2 files changed, 21 insertions(+), 5 deletions(-) + +--- a/drivers/net/can/c_can/c_can.c ++++ b/drivers/net/can/c_can/c_can.c +@@ -97,6 +97,9 @@ + #define BTR_TSEG2_SHIFT 12 + #define BTR_TSEG2_MASK (0x7 << BTR_TSEG2_SHIFT) + ++/* interrupt register */ ++#define INT_STS_PENDING 0x8000 ++ + /* brp extension register */ + #define BRP_EXT_BRPE_MASK 0x0f + #define BRP_EXT_BRPE_SHIFT 0 +@@ -1029,10 +1032,16 @@ static int c_can_poll(struct napi_struct + u16 curr, last = priv->last_status; + int work_done = 0; + +- priv->last_status = curr = priv->read_reg(priv, C_CAN_STS_REG); +- /* Ack status on C_CAN. D_CAN is self clearing */ +- if (priv->type != BOSCH_D_CAN) +- priv->write_reg(priv, C_CAN_STS_REG, LEC_UNUSED); ++ /* Only read the status register if a status interrupt was pending */ ++ if (atomic_xchg(&priv->sie_pending, 0)) { ++ priv->last_status = curr = priv->read_reg(priv, C_CAN_STS_REG); ++ /* Ack status on C_CAN. 
D_CAN is self clearing */ ++ if (priv->type != BOSCH_D_CAN) ++ priv->write_reg(priv, C_CAN_STS_REG, LEC_UNUSED); ++ } else { ++ /* no change detected ... */ ++ curr = last; ++ } + + /* handle state changes */ + if ((curr & STATUS_EWARN) && (!(last & STATUS_EWARN))) { +@@ -1083,10 +1092,16 @@ static irqreturn_t c_can_isr(int irq, vo + { + struct net_device *dev = (struct net_device *)dev_id; + struct c_can_priv *priv = netdev_priv(dev); ++ int reg_int; + +- if (!priv->read_reg(priv, C_CAN_INT_REG)) ++ reg_int = priv->read_reg(priv, C_CAN_INT_REG); ++ if (!reg_int) + return IRQ_NONE; + ++ /* save for later use */ ++ if (reg_int & INT_STS_PENDING) ++ atomic_set(&priv->sie_pending, 1); ++ + /* disable all interrupts and schedule the NAPI */ + c_can_irq_control(priv, false); + napi_schedule(&priv->napi); +--- a/drivers/net/can/c_can/c_can.h ++++ b/drivers/net/can/c_can/c_can.h +@@ -198,6 +198,7 @@ struct c_can_priv { + struct net_device *dev; + struct device *device; + atomic_t tx_active; ++ atomic_t sie_pending; + unsigned long tx_dir; + int last_status; + u16 (*read_reg) (const struct c_can_priv *priv, enum reg index); diff --git a/queue-4.14/can-gs_usb-gs_can_open-prevent-memory-leak.patch b/queue-4.14/can-gs_usb-gs_can_open-prevent-memory-leak.patch new file mode 100644 index 00000000000..b94f52d1d3f --- /dev/null +++ b/queue-4.14/can-gs_usb-gs_can_open-prevent-memory-leak.patch 
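Review bot: In `c_can_isr()` the new `int reg_int` holds the result of `priv->read_reg()`, which the c_can.h hunk shows returning `u16`; declaring it `u16 reg_int;` matches the register width and the `INT_STS_PENDING` (0x8000) test. The new `atomic_t sie_pending` field has no comment; something like `/* set in c_can_isr() when INT_STS_PENDING is seen, consumed by c_can_poll() */` would document the handshake. No initialisation or reset of `sie_pending` on open or stop appears in the visible hunks, so a flag left set across a restart would be consumed by the first poll; confirm that this is acceptable. Both functions continue outside their hunks.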
@@ -0,0 +1,32 @@ +From fb5be6a7b4863ecc44963bb80ca614584b6c7817 Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost +Date: Thu, 19 Sep 2019 21:44:38 -0500 +Subject: can: gs_usb: gs_can_open(): prevent memory leak + +From: Navid Emamdoost + +commit fb5be6a7b4863ecc44963bb80ca614584b6c7817 upstream. + +In gs_can_open() if usb_submit_urb() fails the allocated urb should be +released. + +Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") +Cc: linux-stable +Signed-off-by: Navid Emamdoost +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/gs_usb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -631,6 +631,7 @@ static int gs_can_open(struct net_device + rc); + + usb_unanchor_urb(urb); ++ usb_free_urb(urb); + break; + } + diff --git a/queue-4.14/can-mcba_usb-fix-use-after-free-on-disconnect.patch b/queue-4.14/can-mcba_usb-fix-use-after-free-on-disconnect.patch new file mode 100644 index 00000000000..a584ffcc02c --- /dev/null +++ b/queue-4.14/can-mcba_usb-fix-use-after-free-on-disconnect.patch 
@@ -0,0 +1,39 @@ +From 4d6636498c41891d0482a914dd570343a838ad79 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 1 Oct 2019 12:29:13 +0200 +Subject: can: mcba_usb: fix use-after-free on disconnect +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Johan Hovold + +commit 4d6636498c41891d0482a914dd570343a838ad79 upstream. + +The driver was accessing its driver data after having freed it. + +Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer") +Cc: stable # 4.12 +Cc: Remigiusz Kołłątaj +Reported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com +Signed-off-by: Johan Hovold +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/mcba_usb.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/can/usb/mcba_usb.c ++++ b/drivers/net/can/usb/mcba_usb.c +@@ -887,9 +887,8 @@ static void mcba_usb_disconnect(struct u + netdev_info(priv->netdev, "device disconnected\n"); + + unregister_candev(priv->netdev); +- free_candev(priv->netdev); +- + mcba_urb_unlink(priv); ++ free_candev(priv->netdev); + } + + static struct usb_driver mcba_usb_driver = { diff --git a/queue-4.14/can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch b/queue-4.14/can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch new file mode 100644 index 00000000000..76eef2f97c8 --- /dev/null +++ b/queue-4.14/can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch 
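Review bot: The reordering in `mcba_usb_disconnect()` is only correct as long as `free_candev()` stays the last call that touches `priv`, and the new code carries no comment saying so. Going by the commit text, `priv` is driver data that is released together with the netdev, so a line such as `/* priv is freed with the netdev: free_candev() must come after the last use of priv */` above the call would protect the ordering. The same applies to `usb_8dev_disconnect()` in the usb_8dev patch later in this commit, where `unlink_all_urbs(priv)` now precedes `free_candev()`. Both function bodies start outside their hunks.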
@@ -0,0 +1,80 @@ +From de280f403f2996679e2607384980703710576fed Mon Sep 17 00:00:00 2001 +From: Stephane Grosjean +Date: Tue, 8 Oct 2019 10:35:44 +0200 +Subject: can: peak_usb: fix a potential out-of-sync while decoding packets + +From: Stephane Grosjean + +commit de280f403f2996679e2607384980703710576fed upstream. + +When decoding a buffer received from PCAN-USB, the first timestamp read in +a packet is a 16-bit coded time base, and the next ones are an 8-bit +offset to this base, regardless of the type of packet read. + +This patch corrects a potential loss of synchronization by using a +timestamp index read from the buffer, rather than an index of received +data packets, to determine on the sizeof the timestamp to be read from the +packet being decoded. + +Signed-off-by: Stephane Grosjean +Fixes: 46be265d3388 ("can: usb: PEAK-System Technik PCAN-USB specific part") +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/peak_usb/pcan_usb.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/drivers/net/can/usb/peak_usb/pcan_usb.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb.c +@@ -108,7 +108,7 @@ struct pcan_usb_msg_context { + u8 *end; + u8 rec_cnt; + u8 rec_idx; +- u8 rec_data_idx; ++ u8 rec_ts_idx; + struct net_device *netdev; + struct pcan_usb *pdev; + }; +@@ -552,10 +552,15 @@ static int pcan_usb_decode_status(struct + mc->ptr += PCAN_USB_CMD_ARGS; + + if (status_len & PCAN_USB_STATUSLEN_TIMESTAMP) { +- int err = pcan_usb_decode_ts(mc, !mc->rec_idx); ++ int err = pcan_usb_decode_ts(mc, !mc->rec_ts_idx); + + if (err) + return err; ++ ++ /* Next packet in the buffer will have a timestamp on a single ++ * byte ++ */ ++ mc->rec_ts_idx++; + } + + switch (f) { +@@ -638,10 +643,13 @@ static int pcan_usb_decode_data(struct p + + cf->can_dlc = get_can_dlc(rec_len); + +- /* first data packet timestamp is a word */ +- if (pcan_usb_decode_ts(mc, !mc->rec_data_idx)) ++ /* Only 
first packet timestamp is a word */ ++ if (pcan_usb_decode_ts(mc, !mc->rec_ts_idx)) + goto decode_failed; + ++ /* Next packet in the buffer will have a timestamp on a single byte */ ++ mc->rec_ts_idx++; ++ + /* read data */ + memset(cf->data, 0x0, sizeof(cf->data)); + if (status_len & PCAN_USB_STATUSLEN_RTR) { +@@ -695,7 +703,6 @@ static int pcan_usb_decode_msg(struct pe + /* handle normal can frames here */ + } else { + err = pcan_usb_decode_data(&mc, sl); +- mc.rec_data_idx++; + } + } + diff --git a/queue-4.14/can-peak_usb-fix-slab-info-leak.patch b/queue-4.14/can-peak_usb-fix-slab-info-leak.patch new file mode 100644 index 00000000000..3b368ee63df --- /dev/null +++ b/queue-4.14/can-peak_usb-fix-slab-info-leak.patch 
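Review bot: `rec_ts_idx` is now advanced at two call sites, after `pcan_usb_decode_ts()` in `pcan_usb_decode_status()` and again in `pcan_usb_decode_data()`, so a future record type that carries a timestamp can omit the increment and desynchronise the parser again. Doing `mc->rec_ts_idx++;` inside `pcan_usb_decode_ts()` would keep the word-versus-byte decision in one place. Because that decision sets how far `mc->ptr` advances through a device-supplied buffer, `pcan_usb_decode_ts()`, which is outside the hunks, should be confirmed to check `mc->ptr` against `mc->end` before it reads the timestamp.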
@@ -0,0 +1,39 @@ +From f7a1337f0d29b98733c8824e165fca3371d7d4fd Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 23 Oct 2019 10:27:05 +0200 +Subject: can: peak_usb: fix slab info leak + +From: Johan Hovold + +commit f7a1337f0d29b98733c8824e165fca3371d7d4fd upstream. + +Fix a small slab info leak due to a failure to clear the command buffer +at allocation. + +The first 16 bytes of the command buffer are always sent to the device +in pcan_usb_send_cmd() even though only the first two may have been +initialised in case no argument payload is provided (e.g. when waiting +for a response). + +Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core") +Cc: stable # 3.4 +Reported-by: syzbot+863724e7128e14b26732@syzkaller.appspotmail.com +Signed-off-by: Johan Hovold +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/peak_usb/pcan_usb_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c +@@ -776,7 +776,7 @@ static int peak_usb_create_dev(const str + dev = netdev_priv(netdev); + + /* allocate a buffer large enough to send commands */ +- dev->cmd_buf = kmalloc(PCAN_USB_MAX_CMD_LEN, GFP_KERNEL); ++ dev->cmd_buf = kzalloc(PCAN_USB_MAX_CMD_LEN, GFP_KERNEL); + if (!dev->cmd_buf) { + err = -ENOMEM; + goto lbl_free_candev; diff --git a/queue-4.14/can-rx-offload-can_rx_offload_queue_sorted-fix-error-handling-avoid-skb-mem-leak.patch b/queue-4.14/can-rx-offload-can_rx_offload_queue_sorted-fix-error-handling-avoid-skb-mem-leak.patch new file mode 100644 index 00000000000..6ccc389d679 --- /dev/null +++ b/queue-4.14/can-rx-offload-can_rx_offload_queue_sorted-fix-error-handling-avoid-skb-mem-leak.patch 
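Review bot: The comment above the allocation in `peak_usb_create_dev()` still only says the buffer is large enough to send commands, while the reason for `kzalloc()` lives only in the commit text. Suggest `/* zeroed: the whole command buffer is sent to the device even when only the first bytes are set */`, so the call is not changed back to `kmalloc()` later. Zeroing once at allocation keeps uninitialised slab contents off the wire, but if the buffer is reused between commands, argument bytes of an earlier command can presumably still follow a later argument-less one. `pcan_usb_send_cmd()` is outside the hunk, so that is worth checking there.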
@@ -0,0 +1,51 @@ +From ca913f1ac024559ebc17f0b599af262f0ad997c9 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Wed, 9 Oct 2019 15:48:48 +0200 +Subject: can: rx-offload: can_rx_offload_queue_sorted(): fix error handling, avoid skb mem leak +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marc Kleine-Budde + +commit ca913f1ac024559ebc17f0b599af262f0ad997c9 upstream. + +If the rx-offload skb_queue is full can_rx_offload_queue_sorted() will +not queue the skb and return with an error. + +None of the callers of this function, issue a kfree_skb() to free the +not queued skb. This results in a memory leak. + +This patch fixes the problem by freeing the skb in case of a full queue. +The return value is adjusted to -ENOBUFS to better reflect the actual +problem. + +The device stats handling is left to the callers, as this function might +be used in both the rx and tx path. + +Fixes: 55059f2b7f86 ("can: rx-offload: introduce can_rx_offload_get_echo_skb() and can_rx_offload_queue_sorted() functions") +Cc: linux-stable +Cc: Martin Hundebøll +Reported-by: Martin Hundebøll +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/rx-offload.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/can/rx-offload.c ++++ b/drivers/net/can/rx-offload.c +@@ -216,8 +216,10 @@ int can_rx_offload_queue_sorted(struct c + unsigned long flags; + + if (skb_queue_len(&offload->skb_queue) > +- offload->skb_queue_len_max) +- return -ENOMEM; ++ offload->skb_queue_len_max) { ++ kfree_skb(skb); ++ return -ENOBUFS; ++ } + + cb = can_rx_offload_get_cb(skb); + cb->timestamp = timestamp; diff --git a/queue-4.14/can-usb_8dev-fix-use-after-free-on-disconnect.patch b/queue-4.14/can-usb_8dev-fix-use-after-free-on-disconnect.patch new file mode 100644 index 00000000000..9600b85384a --- /dev/null +++ b/queue-4.14/can-usb_8dev-fix-use-after-free-on-disconnect.patch 
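Review bot: `can_rx_offload_queue_sorted()` now takes ownership of `skb` on the error path as well, and that contract change is not documented at the function. A comment such as `/* consumes skb on success and on failure; callers must not free it */` would prevent a double free if a caller later adds its own `kfree_skb()` on error. The commit text says no caller frees the skb; for this backport that should be re-checked against the callers present in 4.14.y, including any that test specifically for `-ENOMEM`. The function body continues outside the hunk.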
@@ -0,0 +1,36 @@ +From 3759739426186a924675651b388d1c3963c5710e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 1 Oct 2019 12:29:14 +0200 +Subject: can: usb_8dev: fix use-after-free on disconnect + +From: Johan Hovold + +commit 3759739426186a924675651b388d1c3963c5710e upstream. + +The driver was accessing its driver data after having freed it. + +Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices") +Cc: stable # 3.9 +Cc: Bernd Krumboeck +Cc: Wolfgang Grandegger +Signed-off-by: Johan Hovold +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/usb_8dev.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/can/usb/usb_8dev.c ++++ b/drivers/net/can/usb/usb_8dev.c +@@ -1007,9 +1007,8 @@ static void usb_8dev_disconnect(struct u + netdev_info(priv->netdev, "device disconnected\n"); + + unregister_netdev(priv->netdev); +- free_candev(priv->netdev); +- + unlink_all_urbs(priv); ++ free_candev(priv->netdev); + } + + } diff --git a/queue-4.14/ceph-add-missing-check-in-d_revalidate-snapdir-handling.patch b/queue-4.14/ceph-add-missing-check-in-d_revalidate-snapdir-handling.patch new file mode 100644 index 00000000000..f83735b1eb9 --- /dev/null +++ b/queue-4.14/ceph-add-missing-check-in-d_revalidate-snapdir-handling.patch 
@@ -0,0 +1,31 @@ +From 1f08529c84cfecaf1261ed9b7e17fab18541c58f Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Tue, 29 Oct 2019 13:53:29 +0000 +Subject: ceph: add missing check in d_revalidate snapdir handling + +From: Al Viro + +commit 1f08529c84cfecaf1261ed9b7e17fab18541c58f upstream. + +We should not play with dcache without parent locked... + +Cc: stable@vger.kernel.org +Signed-off-by: Al Viro +Signed-off-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/inode.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ceph/inode.c ++++ b/fs/ceph/inode.c +@@ -1347,6 +1347,7 @@ retry_lookup: + dout(" final dn %p\n", dn); + } else if ((req->r_op == CEPH_MDS_OP_LOOKUPSNAP || + req->r_op == CEPH_MDS_OP_MKSNAP) && ++ test_bit(CEPH_MDS_R_PARENT_LOCKED, &req->r_req_flags) && + !test_bit(CEPH_MDS_R_ABORTED, &req->r_req_flags)) { + struct dentry *dn = req->r_dentry; + struct inode *dir = req->r_parent; diff --git a/queue-4.14/ceph-fix-use-after-free-in-__ceph_remove_cap.patch b/queue-4.14/ceph-fix-use-after-free-in-__ceph_remove_cap.patch new file mode 100644 index 00000000000..7c274195cd1 --- /dev/null +++ b/queue-4.14/ceph-fix-use-after-free-in-__ceph_remove_cap.patch 
@@ -0,0 +1,73 @@ +From ea60ed6fcf29eebc78f2ce91491e6309ee005a01 Mon Sep 17 00:00:00 2001 +From: Luis Henriques +Date: Fri, 25 Oct 2019 14:05:24 +0100 +Subject: ceph: fix use-after-free in __ceph_remove_cap() + +From: Luis Henriques + +commit ea60ed6fcf29eebc78f2ce91491e6309ee005a01 upstream. + +KASAN reports a use-after-free when running xfstest generic/531, with the +following trace: + +[ 293.903362] kasan_report+0xe/0x20 +[ 293.903365] rb_erase+0x1f/0x790 +[ 293.903370] __ceph_remove_cap+0x201/0x370 +[ 293.903375] __ceph_remove_caps+0x4b/0x70 +[ 293.903380] ceph_evict_inode+0x4e/0x360 +[ 293.903386] evict+0x169/0x290 +[ 293.903390] __dentry_kill+0x16f/0x250 +[ 293.903394] dput+0x1c6/0x440 +[ 293.903398] __fput+0x184/0x330 +[ 293.903404] task_work_run+0xb9/0xe0 +[ 293.903410] exit_to_usermode_loop+0xd3/0xe0 +[ 293.903413] do_syscall_64+0x1a0/0x1c0 +[ 293.903417] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +This happens because __ceph_remove_cap() may queue a cap release +(__ceph_queue_cap_release) which can be scheduled before that cap is +removed from the inode list with + + rb_erase(&cap->ci_node, &ci->i_caps); + +And, when this finally happens, the use-after-free will occur. + +This can be fixed by removing the cap from the inode list before being +removed from the session list, and thus eliminating the risk of an UAF. 
+ +Cc: stable@vger.kernel.org +Signed-off-by: Luis Henriques +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/caps.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -935,6 +935,11 @@ void __ceph_remove_cap(struct ceph_cap * + + dout("__ceph_remove_cap %p from %p\n", cap, &ci->vfs_inode); + ++ /* remove from inode's cap rbtree, and clear auth cap */ ++ rb_erase(&cap->ci_node, &ci->i_caps); ++ if (ci->i_auth_cap == cap) ++ ci->i_auth_cap = NULL; ++ + /* remove from session list */ + spin_lock(&session->s_cap_lock); + if (session->s_cap_iterator == cap) { +@@ -970,11 +975,6 @@ void __ceph_remove_cap(struct ceph_cap * + + spin_unlock(&session->s_cap_lock); + +- /* remove from inode list */ +- rb_erase(&cap->ci_node, &ci->i_caps); +- if (ci->i_auth_cap == cap) +- ci->i_auth_cap = NULL; +- + if (removed) + ceph_put_cap(mdsc, cap); + diff --git a/queue-4.14/drm-radeon-fix-si_enable_smc_cac-failed-issue.patch b/queue-4.14/drm-radeon-fix-si_enable_smc_cac-failed-issue.patch new file mode 100644 index 00000000000..735e1b6f441 --- /dev/null +++ b/queue-4.14/drm-radeon-fix-si_enable_smc_cac-failed-issue.patch 
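Review bot: The `rb_erase(&cap->ci_node, &ci->i_caps)` moved to the top of `__ceph_remove_cap()` now runs before `session->s_cap_lock` is taken, so it relies entirely on the caller's inode-level locking, which the hunk does not show. If the caller is required to hold the inode's cap lock (presumably `ci->i_ceph_lock`), a `lockdep_assert_held(&ci->i_ceph_lock);` next to the `dout()` would make that requirement checkable. The new comment could also give the reason for the order, e.g. `/* must precede the session-list removal: a queued cap release can be scheduled before this cap leaves the rbtree */`. The function starts and ends outside the hunk.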
@@ -0,0 +1,33 @@
+From 2c409ba81be25516afe05ae27a4a15da01740b01 Mon Sep 17 00:00:00 2001
+From: Alex Deucher
+Date: Wed, 30 Oct 2019 10:21:28 -0400
+Subject: drm/radeon: fix si_enable_smc_cac() failed issue
+
+From: Alex Deucher
+
+commit 2c409ba81be25516afe05ae27a4a15da01740b01 upstream.
+
+Need to set the dte flag on this asic.
+
+Port the fix from amdgpu:
+5cb818b861be114 ("drm/amd/amdgpu: fix si_enable_smc_cac() failed issue")
+
+Reviewed-by: Yong Zhao
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/radeon/si_dpm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/radeon/si_dpm.c
++++ b/drivers/gpu/drm/radeon/si_dpm.c
+@@ -1956,6 +1956,7 @@ static void si_initialize_powertune_defa
+ case 0x682C:
+ si_pi->cac_weights = cac_weights_cape_verde_pro;
+ si_pi->dte_data = dte_data_sun_xt;
++ update_dte_from_pl2 = true;
+ break;
+ case 0x6825:
+ case 0x6827:
diff --git a/queue-4.14/dump_stack-avoid-the-livelock-of-the-dump_lock.patch b/queue-4.14/dump_stack-avoid-the-livelock-of-the-dump_lock.patch
new file mode 100644
index 00000000000..1dc03b60c68
--- /dev/null
+++ b/queue-4.14/dump_stack-avoid-the-livelock-of-the-dump_lock.patch
@@ -0,0 +1,47 @@
+From 5cbf2fff3bba8d3c6a4d47c1754de1cf57e2b01f Mon Sep 17 00:00:00 2001
+From: Kevin Hao
+Date: Tue, 5 Nov 2019 21:16:57 -0800
+Subject: dump_stack: avoid the livelock of the dump_lock
+
+From: Kevin Hao
+
+commit 5cbf2fff3bba8d3c6a4d47c1754de1cf57e2b01f upstream.
+
+In the current code, we use the atomic_cmpxchg() to serialize the output
+of the dump_stack(), but this implementation suffers the thundering herd
+problem. We have observed such kind of livelock on a Marvell cn96xx
+board(24 cpus) when heavily using the dump_stack() in a kprobe handler.
+Actually we can let the competitors to wait for the releasing of the
+lock before jumping to atomic_cmpxchg(). This will definitely mitigate
+the thundering herd problem. Thanks Linus for the suggestion.
+
+[akpm@linux-foundation.org: fix comment]
+Link: http://lkml.kernel.org/r/20191030031637.6025-1-haokexin@gmail.com
+Fixes: b58d977432c8 ("dump_stack: serialize the output from dump_stack()")
+Signed-off-by: Kevin Hao
+Suggested-by: Linus Torvalds
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ lib/dump_stack.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/lib/dump_stack.c
++++ b/lib/dump_stack.c
+@@ -46,7 +46,12 @@ retry:
+ was_locked = 1;
+ } else {
+ local_irq_restore(flags);
+- cpu_relax();
++ /*
++ * Wait for the lock to release before jumping to
++ * atomic_cmpxchg() in order to mitigate the thundering herd
++ * problem.
++ */
++ do { cpu_relax(); } while (atomic_read(&dump_lock) != -1);
+ goto retry;
+ }
+
diff --git a/queue-4.14/hid-wacom-generic-treat-serial-number-and-related-fields-as-unsigned.patch b/queue-4.14/hid-wacom-generic-treat-serial-number-and-related-fields-as-unsigned.patch
new file mode 100644
index 00000000000..7dd997a483d
--- /dev/null
+++ b/queue-4.14/hid-wacom-generic-treat-serial-number-and-related-fields-as-unsigned.patch
@@ -0,0 +1,101 @@ +From ff479731c3859609530416a18ddb3db5db019b66 Mon Sep 17 00:00:00 2001 +From: Jason Gerecke +Date: Wed, 6 Nov 2019 11:59:46 -0800 +Subject: HID: wacom: generic: Treat serial number and related fields as unsigned + +From: Jason Gerecke + +commit ff479731c3859609530416a18ddb3db5db019b66 upstream. + +The HID descriptors for most Wacom devices oddly declare the serial +number and other related fields as signed integers. When these numbers +are ingested by the HID subsystem, they are automatically sign-extended +into 32-bit integers. We treat the fields as unsigned elsewhere in the +kernel and userspace, however, so this sign-extension causes problems. +In particular, the sign-extended tool ID sent to userspace as ABS_MISC +does not properly match unsigned IDs used by xf86-input-wacom and libwacom. + +We introduce a function 'wacom_s32tou' that can undo the automatic sign +extension performed by 'hid_snto32'. We call this function when processing +the serial number and related fields to ensure that we are dealing with +and reporting the unsigned form. We opt to use this method rather than +adding a descriptor fixup in 'wacom_hid_usage_quirk' since it should be +more robust in the face of future devices. + +Ref: https://github.com/linuxwacom/input-wacom/issues/134 +Fixes: f85c9dc678 ("HID: wacom: generic: Support tool ID and additional tool types") +CC: # v4.10+ +Signed-off-by: Jason Gerecke +Reviewed-by: Aaron Armstrong Skomra +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/wacom.h | 15 +++++++++++++++ + drivers/hid/wacom_wac.c | 10 ++++++---- + 2 files changed, 21 insertions(+), 4 deletions(-) + +--- a/drivers/hid/wacom.h ++++ b/drivers/hid/wacom.h +@@ -205,6 +205,21 @@ static inline void wacom_schedule_work(s + } + } + ++/* ++ * Convert a signed 32-bit integer to an unsigned n-bit integer. Undoes ++ * the normally-helpful work of 'hid_snto32' for fields that use signed ++ * ranges for questionable reasons. 
++ */ ++static inline __u32 wacom_s32tou(s32 value, __u8 n) ++{ ++ switch (n) { ++ case 8: return ((__u8)value); ++ case 16: return ((__u16)value); ++ case 32: return ((__u32)value); ++ } ++ return value & (1 << (n - 1)) ? value & (~(~0U << n)) : value; ++} ++ + extern const struct hid_device_id wacom_ids[]; + + void wacom_wac_irq(struct wacom_wac *wacom_wac, size_t len); +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -2182,7 +2182,7 @@ static void wacom_wac_pen_event(struct h + case HID_DG_TOOLSERIALNUMBER: + if (value) { + wacom_wac->serial[0] = (wacom_wac->serial[0] & ~0xFFFFFFFFULL); +- wacom_wac->serial[0] |= (__u32)value; ++ wacom_wac->serial[0] |= wacom_s32tou(value, field->report_size); + } + return; + case HID_DG_TWIST: +@@ -2198,15 +2198,17 @@ static void wacom_wac_pen_event(struct h + return; + case WACOM_HID_WD_SERIALHI: + if (value) { ++ __u32 raw_value = wacom_s32tou(value, field->report_size); ++ + wacom_wac->serial[0] = (wacom_wac->serial[0] & 0xFFFFFFFF); +- wacom_wac->serial[0] |= ((__u64)value) << 32; ++ wacom_wac->serial[0] |= ((__u64)raw_value) << 32; + /* + * Non-USI EMR devices may contain additional tool type + * information here. See WACOM_HID_WD_TOOLTYPE case for + * more details. + */ + if (value >> 20 == 1) { +- wacom_wac->id[0] |= value & 0xFFFFF; ++ wacom_wac->id[0] |= raw_value & 0xFFFFF; + } + } + return; +@@ -2218,7 +2220,7 @@ static void wacom_wac_pen_event(struct h + * bitwise OR so the complete value can be built + * up over time :( + */ +- wacom_wac->id[0] |= value; ++ wacom_wac->id[0] |= wacom_s32tou(value, field->report_size); + return; + case WACOM_HID_WD_OFFSETLEFT: + if (features->offset_left && value != features->offset_left) diff --git a/queue-4.14/iio-adc-stm32-adc-fix-stopping-dma.patch b/queue-4.14/iio-adc-stm32-adc-fix-stopping-dma.patch new file mode 100644 index 00000000000..7d12085b6dd --- /dev/null +++ b/queue-4.14/iio-adc-stm32-adc-fix-stopping-dma.patch 
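Review bot: wacom_s32tou() in drivers/hid/wacom.h shifts by `n` without bounding it: for any `n` the switch does not catch, `1 << (n - 1)` and `~0U << n` are undefined when `n` is 0 or greater than 32. Every caller in wacom_wac_pen_event() passes `field->report_size`, which originates in the device's report descriptor, so the helper should not depend on the HID core having limited it (that check is not visible in this patch). A guard ahead of the final return, such as `if (n == 0 || n > 32) return (__u32)value;`, keeps the conversion defined for any descriptor.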
@@ -0,0 +1,46 @@
+From e6afcf6c598d6f3a0c9c408bfeddb3f5730608b0 Mon Sep 17 00:00:00 2001
+From: Fabrice Gasnier
+Date: Fri, 25 Oct 2019 17:04:20 +0200
+Subject: iio: adc: stm32-adc: fix stopping dma
+
+From: Fabrice Gasnier
+
+commit e6afcf6c598d6f3a0c9c408bfeddb3f5730608b0 upstream.
+
+There maybe a race when using dmaengine_terminate_all(). The predisable
+routine may call iio_triggered_buffer_predisable() prior to a pending DMA
+callback.
+Adopt dmaengine_terminate_sync() to ensure there's no pending DMA request
+before calling iio_triggered_buffer_predisable().
+
+Fixes: 2763ea0585c9 ("iio: adc: stm32: add optional dma support")
+
+Signed-off-by: Fabrice Gasnier
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/adc/stm32-adc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/adc/stm32-adc.c
++++ b/drivers/iio/adc/stm32-adc.c
+@@ -1343,7 +1343,7 @@ static int stm32_adc_dma_start(struct ii
+ cookie = dmaengine_submit(desc);
+ ret = dma_submit_error(cookie);
+ if (ret) {
+- dmaengine_terminate_all(adc->dma_chan);
++ dmaengine_terminate_sync(adc->dma_chan);
+ return ret;
+ }
+
+@@ -1416,7 +1416,7 @@ static int stm32_adc_buffer_predisable(s
+ dev_err(&indio_dev->dev, "predisable failed\n");
+
+ if (adc->dma_chan)
+- dmaengine_terminate_all(adc->dma_chan);
++ dmaengine_terminate_sync(adc->dma_chan);
+
+ if (stm32_adc_set_trig(indio_dev, NULL))
+ dev_err(&indio_dev->dev, "Can't clear trigger\n");
diff --git a/queue-4.14/iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch b/queue-4.14/iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch
new file mode 100644
index 00000000000..1a237156cf8
--- /dev/null
+++ b/queue-4.14/iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch
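Review bot: dmaengine_terminate_sync() may sleep, unlike the dmaengine_terminate_all() call it replaces, so both call sites (the submit-error path in stm32_adc_dma_start() and the one in stm32_adc_buffer_predisable()) must only be reached from process context with no spinlock held. Neither function is fully visible in these hunks, so that cannot be confirmed from the patch and should be checked against the 4.14 callers. A one-line comment at the predisable site, e.g. `/* waits for any in-flight DMA callback; must not be called in atomic context */`, would record the constraint.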
@@ -0,0 +1,40 @@ +From 24e1eb5c0d78cfb9750b690bbe997d4d59170258 Mon Sep 17 00:00:00 2001 +From: Alexandru Ardelean +Date: Tue, 8 Oct 2019 17:15:37 +0300 +Subject: iio: imu: adis16480: make sure provided frequency is positive + +From: Alexandru Ardelean + +commit 24e1eb5c0d78cfb9750b690bbe997d4d59170258 upstream. + +It could happen that either `val` or `val2` [provided from userspace] is +negative. In that case the computed frequency could get a weird value. + +Fix this by checking that neither of the 2 variables is negative, and check +that the computed result is not-zero. + +Fixes: e4f959390178 ("iio: imu: adis16480 switch sampling frequency attr to core support") +Signed-off-by: Alexandru Ardelean +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/imu/adis16480.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/iio/imu/adis16480.c ++++ b/drivers/iio/imu/adis16480.c +@@ -266,8 +266,11 @@ static int adis16480_set_freq(struct iio + struct adis16480 *st = iio_priv(indio_dev); + unsigned int t; + ++ if (val < 0 || val2 < 0) ++ return -EINVAL; ++ + t = val * 1000 + val2 / 1000; +- if (t <= 0) ++ if (t == 0) + return -EINVAL; + + t = 2460000 / t; diff --git a/queue-4.14/iio-srf04-fix-wrong-limitation-in-distance-measuring.patch b/queue-4.14/iio-srf04-fix-wrong-limitation-in-distance-measuring.patch new file mode 100644 index 00000000000..b7dae5c8da5 --- /dev/null +++ b/queue-4.14/iio-srf04-fix-wrong-limitation-in-distance-measuring.patch 
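Review bot: The new guard in adis16480_set_freq() rejects negative input but leaves `val` unbounded above, so `val * 1000 + val2 / 1000` can still overflow `int` before the result is stored in the unsigned `t`. The commit message says both values come from userspace, and a wrapped `t` that happens to be non-zero passes the `t == 0` test and feeds `2460000 / t`. Adding an upper bound to the same check, for example `if (val < 0 || val2 < 0 || val > INT_MAX / 2000) return -EINVAL;`, keeps the whole expression in range. The function continues past the end of the hunk, so any later clamp of the result is not visible here.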
@@ -0,0 +1,108 @@ +From 431f7667bd6889a274913162dfd19cce9d84848e Mon Sep 17 00:00:00 2001 +From: Andreas Klinger +Date: Sun, 6 Oct 2019 16:29:56 +0200 +Subject: iio: srf04: fix wrong limitation in distance measuring +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andreas Klinger + +commit 431f7667bd6889a274913162dfd19cce9d84848e upstream. + +The measured time value in the driver is limited to the maximum distance +which can be read by the sensor. This limitation was wrong and is fixed +by this patch. + +It also takes into account that we are supporting a variety of sensors +today and that the recently added sensors have a higher maximum +distance range. + +Changes in v2: +- Added a Tested-by + +Suggested-by: Zbyněk Kocur +Tested-by: Zbyněk Kocur +Signed-off-by: Andreas Klinger +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/proximity/srf04.c | 29 +++++++++++++++-------------- + 1 file changed, 15 insertions(+), 14 deletions(-) + +--- a/drivers/iio/proximity/srf04.c ++++ b/drivers/iio/proximity/srf04.c +@@ -105,7 +105,7 @@ static int srf04_read(struct srf04_data + udelay(10); + gpiod_set_value(data->gpiod_trig, 0); + +- /* it cannot take more than 20 ms */ ++ /* it should not take more than 20 ms until echo is rising */ + ret = wait_for_completion_killable_timeout(&data->rising, HZ/50); + if (ret < 0) { + mutex_unlock(&data->lock); +@@ -115,7 +115,8 @@ static int srf04_read(struct srf04_data + return -ETIMEDOUT; + } + +- ret = wait_for_completion_killable_timeout(&data->falling, HZ/50); ++ /* it cannot take more than 50 ms until echo is falling */ ++ ret = wait_for_completion_killable_timeout(&data->falling, HZ/20); + if (ret < 0) { + mutex_unlock(&data->lock); + return ret; +@@ -130,19 +131,19 @@ static int srf04_read(struct srf04_data + + dt_ns = ktime_to_ns(ktime_dt); + /* +- * measuring more than 3 meters is beyond the capabilities of +- * the sensor ++ * 
measuring more than 6,45 meters is beyond the capabilities of ++ * the supported sensors + * ==> filter out invalid results for not measuring echos of + * another us sensor + * + * formula: +- * distance 3 m +- * time = ---------- = --------- = 9404389 ns +- * speed 319 m/s ++ * distance 6,45 * 2 m ++ * time = ---------- = ------------ = 40438871 ns ++ * speed 319 m/s + * + * using a minimum speed at -20 °C of 319 m/s + */ +- if (dt_ns > 9404389) ++ if (dt_ns > 40438871) + return -EIO; + + time_ns = dt_ns; +@@ -154,20 +155,20 @@ static int srf04_read(struct srf04_data + * with Temp in °C + * and speed in m/s + * +- * use 343 m/s as ultrasonic speed at 20 °C here in absence of the ++ * use 343,5 m/s as ultrasonic speed at 20 °C here in absence of the + * temperature + * + * therefore: +- * time 343 +- * distance = ------ * ----- +- * 10^6 2 ++ * time 343,5 time * 106 ++ * distance = ------ * ------- = ------------ ++ * 10^6 2 617176 + * with time in ns + * and distance in mm (one way) + * +- * because we limit to 3 meters the multiplication with 343 just ++ * because we limit to 6,45 meters the multiplication with 106 just + * fits into 32 bit + */ +- distance_mm = time_ns * 343 / 2000000; ++ distance_mm = time_ns * 106 / 617176; + + return distance_mm; + } diff --git a/queue-4.14/intel_th-pci-add-comet-lake-pch-support.patch b/queue-4.14/intel_th-pci-add-comet-lake-pch-support.patch new file mode 100644 index 00000000000..c2b969d55bd --- /dev/null +++ b/queue-4.14/intel_th-pci-add-comet-lake-pch-support.patch 
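Review bot: The raised limit leaves almost no headroom in `distance_mm = time_ns * 106 / 617176;`: the largest accepted value gives 40438871 * 106 = 4286520326, about 0.2 % below 2^32, so the result is only correct while `time_ns` is an unsigned 32-bit variable. Its declaration is outside the hunk, and the comment only says the product "just fits into 32 bit". I would spell the assumption out in that comment, for instance `* 40438871 * 106 = 4286520326 < 2^32: time_ns must stay u32 and the dt_ns limit must not grow`, so that a later change to the limit or the factor gets checked against it. srf04_read() starts before the first hunk.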
@@ -0,0 +1,35 @@
+From 3adbb5718dd5264666ddbc2b9b43799d292e9cb6 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin
+Date: Mon, 28 Oct 2019 09:06:50 +0200
+Subject: intel_th: pci: Add Comet Lake PCH support
+
+From: Alexander Shishkin
+
+commit 3adbb5718dd5264666ddbc2b9b43799d292e9cb6 upstream.
+
+This adds support for Intel TH on Comet Lake PCH.
+
+Signed-off-by: Alexander Shishkin
+Reviewed-by: Andy Shevchenko
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20191028070651.9770-7-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -184,6 +184,11 @@ static const struct pci_device_id intel_
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
+ },
+ {
++ /* Comet Lake PCH */
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x06a6),
++ .driver_data = (kernel_ulong_t)&intel_th_2x,
++ },
++ {
+ /* Ice Lake NNPI */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x45c5),
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
diff --git a/queue-4.14/intel_th-pci-add-jasper-lake-pch-support.patch b/queue-4.14/intel_th-pci-add-jasper-lake-pch-support.patch
new file mode 100644
index 00000000000..c328daa289d
--- /dev/null
+++ b/queue-4.14/intel_th-pci-add-jasper-lake-pch-support.patch
@@ -0,0 +1,35 @@
+From 9d55499d8da49e9261e95a490f3fda41d955f505 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin
+Date: Mon, 28 Oct 2019 09:06:51 +0200
+Subject: intel_th: pci: Add Jasper Lake PCH support
+
+From: Alexander Shishkin
+
+commit 9d55499d8da49e9261e95a490f3fda41d955f505 upstream.
+
+This adds support for Intel TH on Jasper Lake PCH.
+
+Signed-off-by: Alexander Shishkin
+Reviewed-by: Andy Shevchenko
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20191028070651.9770-8-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -198,6 +198,11 @@ static const struct pci_device_id intel_
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa0a6),
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
+ },
++ {
++ /* Jasper Lake PCH */
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4da6),
++ .driver_data = (kernel_ulong_t)&intel_th_2x,
++ },
+ { 0 },
+ };
+
diff --git a/queue-4.14/mm-meminit-recalculate-pcpu-batch-and-high-limits-after-init-completes.patch b/queue-4.14/mm-meminit-recalculate-pcpu-batch-and-high-limits-after-init-completes.patch
new file mode 100644
index 00000000000..bd1e3caea8c
--- /dev/null
+++ b/queue-4.14/mm-meminit-recalculate-pcpu-batch-and-high-limits-after-init-completes.patch
@@ -0,0 +1,120 @@ +From 3e8fc0075e24338b1117cdff6a79477427b8dbed Mon Sep 17 00:00:00 2001 +From: Mel Gorman +Date: Tue, 5 Nov 2019 21:16:27 -0800 +Subject: mm, meminit: recalculate pcpu batch and high limits after init completes + +From: Mel Gorman + +commit 3e8fc0075e24338b1117cdff6a79477427b8dbed upstream. + +Deferred memory initialisation updates zone->managed_pages during the +initialisation phase but before that finishes, the per-cpu page +allocator (pcpu) calculates the number of pages allocated/freed in +batches as well as the maximum number of pages allowed on a per-cpu +list. As zone->managed_pages is not up to date yet, the pcpu +initialisation calculates inappropriately low batch and high values. + +This increases zone lock contention quite severely in some cases with +the degree of severity depending on how many CPUs share a local zone and +the size of the zone. A private report indicated that kernel build +times were excessive with extremely high system CPU usage. A perf +profile indicated that a large chunk of time was lost on zone->lock +contention. + +This patch recalculates the pcpu batch and high values after deferred +initialisation completes for every populated zone in the system. It was +tested on a 2-socket AMD EPYC 2 machine using a kernel compilation +workload -- allmodconfig and all available CPUs. + +mmtests configuration: config-workload-kernbench-max Configuration was +modified to build on a fresh XFS partition. 
+ +kernbench + 5.4.0-rc3 5.4.0-rc3 + vanilla resetpcpu-v2 +Amean user-256 13249.50 ( 0.00%) 16401.31 * -23.79%* +Amean syst-256 14760.30 ( 0.00%) 4448.39 * 69.86%* +Amean elsp-256 162.42 ( 0.00%) 119.13 * 26.65%* +Stddev user-256 42.97 ( 0.00%) 19.15 ( 55.43%) +Stddev syst-256 336.87 ( 0.00%) 6.71 ( 98.01%) +Stddev elsp-256 2.46 ( 0.00%) 0.39 ( 84.03%) + + 5.4.0-rc3 5.4.0-rc3 + vanilla resetpcpu-v2 +Duration User 39766.24 49221.79 +Duration System 44298.10 13361.67 +Duration Elapsed 519.11 388.87 + +The patch reduces system CPU usage by 69.86% and total build time by +26.65%. The variance of system CPU usage is also much reduced. + +Before, this was the breakdown of batch and high values over all zones +was: + + 256 batch: 1 + 256 batch: 63 + 512 batch: 7 + 256 high: 0 + 256 high: 378 + 512 high: 42 + +512 pcpu pagesets had a batch limit of 7 and a high limit of 42. After +the patch: + + 256 batch: 1 + 768 batch: 63 + 256 high: 0 + 768 high: 378 + +[mgorman@techsingularity.net: fix merge/linkage snafu] + Link: http://lkml.kernel.org/r/20191023084705.GD3016@techsingularity.netLink: http://lkml.kernel.org/r/20191021094808.28824-2-mgorman@techsingularity.net +Signed-off-by: Mel Gorman +Acked-by: Michal Hocko +Acked-by: Vlastimil Babka +Acked-by: David Hildenbrand +Cc: Matt Fleming +Cc: Thomas Gleixner +Cc: Borislav Petkov +Cc: Qian Cai +Cc: [4.1+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/page_alloc.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -1998,6 +1998,14 @@ static void steal_suitable_fallback(stru + old_block_type = get_pageblock_migratetype(page); + + /* ++ * The number of managed pages has changed due to the initialisation ++ * so the pcpu batch and high limits needs to be updated or the limits ++ * will be artificially small. 
++ */ ++ for_each_populated_zone(zone) ++ zone_pcp_update(zone); ++ ++ /* + * This can happen due to races and we want to prevent broken + * highatomic accounting. + */ +@@ -7659,7 +7667,6 @@ void free_contig_range(unsigned long pfn + } + #endif + +-#ifdef CONFIG_MEMORY_HOTPLUG + /* + * The zone indicated has a new number of managed_pages; batch sizes and percpu + * page high values need to be recalulated. +@@ -7673,7 +7680,6 @@ void __meminit zone_pcp_update(struct zo + per_cpu_ptr(zone->pageset, cpu)); + mutex_unlock(&pcp_batch_high_lock); + } +-#endif + + void zone_pcp_reset(struct zone *zone) + { diff --git a/queue-4.14/mm-thp-handle-page-cache-thp-correctly-in-pagetranscompoundmap.patch b/queue-4.14/mm-thp-handle-page-cache-thp-correctly-in-pagetranscompoundmap.patch new file mode 100644 index 00000000000..4a46ebc0502 --- /dev/null +++ b/queue-4.14/mm-thp-handle-page-cache-thp-correctly-in-pagetranscompoundmap.patch 
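Review bot: In this 4.14 version the first mm/page_alloc.c hunk adds the `for_each_populated_zone(zone) zone_pcp_update(zone);` loop inside steal_suitable_fallback() (see the hunk header and the neighbouring highatomic-accounting comment), not at the point the commit message describes, which is after deferred initialisation completes. As placed, the loop would run on every fallback steal and call zone_pcp_update(), which the second hunk shows releasing the `pcp_batch_high_lock` mutex, from what is presumably an allocator path that must not sleep; it would also overwrite that function's own `zone` variable if it has one. As far as I can tell the upstream change puts the loop in page_alloc_init_late(), so this hunk looks like it was applied at the wrong offset and should be regenerated against the 4.14 tree before the release goes out. Both functions extend beyond the hunks shown.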
@@ -0,0 +1,145 @@ +From 169226f7e0d275c1879551f37484ef6683579a5c Mon Sep 17 00:00:00 2001 +From: Yang Shi +Date: Tue, 5 Nov 2019 21:16:30 -0800 +Subject: mm: thp: handle page cache THP correctly in PageTransCompoundMap + +From: Yang Shi + +commit 169226f7e0d275c1879551f37484ef6683579a5c upstream. + +We have a usecase to use tmpfs as QEMU memory backend and we would like +to take the advantage of THP as well. But, our test shows the EPT is +not PMD mapped even though the underlying THP are PMD mapped on host. +The number showed by /sys/kernel/debug/kvm/largepage is much less than +the number of PMD mapped shmem pages as the below: + + 7f2778200000-7f2878200000 rw-s 00000000 00:14 262232 /dev/shm/qemu_back_mem.mem.Hz2hSf (deleted) + Size: 4194304 kB + [snip] + AnonHugePages: 0 kB + ShmemPmdMapped: 579584 kB + [snip] + Locked: 0 kB + + cat /sys/kernel/debug/kvm/largepages + 12 + +And some benchmarks do worse than with anonymous THPs. + +By digging into the code we figured out that commit 127393fbe597 ("mm: +thp: kvm: fix memory corruption in KVM with THP enabled") checks if +there is a single PTE mapping on the page for anonymous THP when setting +up EPT map. But the _mapcount < 0 check doesn't work for page cache THP +since every subpage of page cache THP would get _mapcount inc'ed once it +is PMD mapped, so PageTransCompoundMap() always returns false for page +cache THP. This would prevent KVM from setting up PMD mapped EPT entry. + +So we need handle page cache THP correctly. However, when page cache +THP's PMD gets split, kernel just remove the map instead of setting up +PTE map like what anonymous THP does. Before KVM calls get_user_pages() +the subpages may get PTE mapped even though it is still a THP since the +page cache THP may be mapped by other processes at the mean time. + +Checking its _mapcount and whether the THP has PTE mapped or not. 
+Although this may report some false negative cases (PTE mapped by other +processes), it looks not trivial to make this accurate. + +With this fix /sys/kernel/debug/kvm/largepage would show reasonable +pages are PMD mapped by EPT as the below: + + 7fbeaee00000-7fbfaee00000 rw-s 00000000 00:14 275464 /dev/shm/qemu_back_mem.mem.SKUvat (deleted) + Size: 4194304 kB + [snip] + AnonHugePages: 0 kB + ShmemPmdMapped: 557056 kB + [snip] + Locked: 0 kB + + cat /sys/kernel/debug/kvm/largepages + 271 + +And the benchmarks are as same as anonymous THPs. + +[yang.shi@linux.alibaba.com: v4] + Link: http://lkml.kernel.org/r/1571865575-42913-1-git-send-email-yang.shi@linux.alibaba.com +Link: http://lkml.kernel.org/r/1571769577-89735-1-git-send-email-yang.shi@linux.alibaba.com +Fixes: dd78fedde4b9 ("rmap: support file thp") +Signed-off-by: Yang Shi +Reported-by: Gang Deng +Tested-by: Gang Deng +Suggested-by: Hugh Dickins +Acked-by: Kirill A. Shutemov +Cc: Andrea Arcangeli +Cc: Matthew Wilcox +Cc: [4.8+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/mm.h | 5 ----- + include/linux/mm_types.h | 5 +++++ + include/linux/page-flags.h | 20 ++++++++++++++++++-- + 3 files changed, 23 insertions(+), 7 deletions(-) + +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -549,11 +549,6 @@ static inline void *kvmalloc_array(size_ + + extern void kvfree(const void *addr); + +-static inline atomic_t *compound_mapcount_ptr(struct page *page) +-{ +- return &page[1].compound_mapcount; +-} +- + static inline int compound_mapcount(struct page *page) + { + VM_BUG_ON_PAGE(!PageCompound(page), page); +--- a/include/linux/mm_types.h ++++ b/include/linux/mm_types.h +@@ -240,6 +240,11 @@ struct page_frag_cache { + + typedef unsigned long vm_flags_t; + ++static inline atomic_t *compound_mapcount_ptr(struct page *page) ++{ ++ return &page[1].compound_mapcount; ++} ++ + /* + * A region containing a mapping of a non-memory backed file 
under NOMMU + * conditions. These are held in a global tree and are pinned by the VMAs that +--- a/include/linux/page-flags.h ++++ b/include/linux/page-flags.h +@@ -565,12 +565,28 @@ static inline int PageTransCompound(stru + * + * Unlike PageTransCompound, this is safe to be called only while + * split_huge_pmd() cannot run from under us, like if protected by the +- * MMU notifier, otherwise it may result in page->_mapcount < 0 false ++ * MMU notifier, otherwise it may result in page->_mapcount check false + * positives. ++ * ++ * We have to treat page cache THP differently since every subpage of it ++ * would get _mapcount inc'ed once it is PMD mapped. But, it may be PTE ++ * mapped in the current process so comparing subpage's _mapcount to ++ * compound_mapcount to filter out PTE mapped case. + */ + static inline int PageTransCompoundMap(struct page *page) + { +- return PageTransCompound(page) && atomic_read(&page->_mapcount) < 0; ++ struct page *head; ++ ++ if (!PageTransCompound(page)) ++ return 0; ++ ++ if (PageAnon(page)) ++ return atomic_read(&page->_mapcount) < 0; ++ ++ head = compound_head(page); ++ /* File THP is PMD mapped and not PTE mapped */ ++ return atomic_read(&page->_mapcount) == ++ atomic_read(compound_mapcount_ptr(head)); + } + + /* diff --git a/queue-4.14/mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch b/queue-4.14/mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch new file mode 100644 index 00000000000..634c7db8e05 --- /dev/null +++ b/queue-4.14/mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch 
@@ -0,0 +1,57 @@ +From abaed0112c1db08be15a784a2c5c8a8b3063cdd3 Mon Sep 17 00:00:00 2001 +From: Michal Hocko +Date: Tue, 5 Nov 2019 21:16:40 -0800 +Subject: mm, vmstat: hide /proc/pagetypeinfo from normal users + +From: Michal Hocko + +commit abaed0112c1db08be15a784a2c5c8a8b3063cdd3 upstream. + +/proc/pagetypeinfo is a debugging tool to examine internal page +allocator state wrt to fragmentation. It is not very useful for any +other use so normal users really do not need to read this file. + +Waiman Long has noticed that reading this file can have negative side +effects because zone->lock is necessary for gathering data and that a) +interferes with the page allocator and its users and b) can lead to hard +lockups on large machines which have very long free_list. + +Reduce both issues by simply not exporting the file to regular users. + +Link: http://lkml.kernel.org/r/20191025072610.18526-2-mhocko@kernel.org +Fixes: 467c996c1e19 ("Print out statistics in relation to fragmentation avoidance to /proc/pagetypeinfo") +Signed-off-by: Michal Hocko +Reported-by: Waiman Long +Acked-by: Mel Gorman +Acked-by: Vlastimil Babka +Acked-by: Waiman Long +Acked-by: Rafael Aquini +Acked-by: David Rientjes +Reviewed-by: Andrew Morton +Cc: David Hildenbrand +Cc: Johannes Weiner +Cc: Roman Gushchin +Cc: Konstantin Khlebnikov +Cc: Jann Horn +Cc: Song Liu +Cc: Greg Kroah-Hartman +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/vmstat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/vmstat.c ++++ b/mm/vmstat.c +@@ -1951,7 +1951,7 @@ void __init init_mm_internals(void) + #endif + #ifdef CONFIG_PROC_FS + proc_create("buddyinfo", 0444, NULL, &buddyinfo_file_operations); +- proc_create("pagetypeinfo", 0444, NULL, &pagetypeinfo_file_operations); ++ proc_create("pagetypeinfo", 0400, NULL, &pagetypeinfo_file_operations); + proc_create("vmstat", 0444, NULL, &vmstat_file_operations); + proc_create("zoneinfo", 0444, 
NULL, &zoneinfo_file_operations); + #endif diff --git a/queue-4.14/netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch b/queue-4.14/netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch new file mode 100644 index 00000000000..e0b6704b147 --- /dev/null +++ b/queue-4.14/netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch @@ -0,0 +1,47 @@ +From 30b7244d79651460ff114ba8f7987ed94c86b99a Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Sat, 24 Aug 2019 17:49:55 +0300 +Subject: netfilter: ipset: Fix an error code in ip_set_sockfn_get() + +From: Dan Carpenter + +commit 30b7244d79651460ff114ba8f7987ed94c86b99a upstream. + +The copy_to_user() function returns the number of bytes remaining to be +copied. In this code, that positive return is checked at the end of the +function and we return zero/success. What we should do instead is +return -EFAULT. + +Fixes: a7b4f989a629 ("netfilter: ipset: IP set core support") +Signed-off-by: Dan Carpenter +Signed-off-by: Jozsef Kadlecsik +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/ipset/ip_set_core.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/net/netfilter/ipset/ip_set_core.c ++++ b/net/netfilter/ipset/ip_set_core.c +@@ -1950,8 +1950,9 @@ ip_set_sockfn_get(struct sock *sk, int o + } + + req_version->version = IPSET_PROTOCOL; +- ret = copy_to_user(user, req_version, +- sizeof(struct ip_set_req_version)); ++ if (copy_to_user(user, req_version, ++ sizeof(struct ip_set_req_version))) ++ ret = -EFAULT; + goto done; + } + case IP_SET_OP_GET_BYNAME: { +@@ -2008,7 +2009,8 @@ ip_set_sockfn_get(struct sock *sk, int o + } /* end of switch(op) */ + + copy: +- ret = copy_to_user(user, data, copylen); ++ if (copy_to_user(user, data, copylen)) ++ ret = -EFAULT; + + done: + vfree(data); 
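Review bot: The mode change to `0400` for "pagetypeinfo" in init_mm_internals() (mm/vmstat.c) is the only thing keeping unprivileged readers away from the file, and nothing at the call site explains why this one entry differs from its `0444` neighbours (buddyinfo, vmstat, zoneinfo). Per the commit message, gathering the data needs zone->lock and can lead to hard lockups on large machines with very long free lists, so a comment such as `/* 0400: reading holds zone->lock over long free lists; keep it root-only */` would stop a later cleanup from normalising the mode. Monitoring or support tooling that reads the file as a non-root user will start failing with a permission error after the update, which deserves a release-note line.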
diff --git a/queue-4.14/netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch b/queue-4.14/netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch
new file mode 100644
index 00000000000..6f29debc4ee
--- /dev/null
+++ b/queue-4.14/netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch
@@ -0,0 +1,60 @@
+From 250367c59e6ba0d79d702a059712d66edacd4a1a Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Thu, 31 Oct 2019 11:06:24 +0100
+Subject: netfilter: nf_tables: Align nft_expr private data to 64-bit
+
+From: Lukas Wunner
+
+commit 250367c59e6ba0d79d702a059712d66edacd4a1a upstream.
+
+Invoking the following commands on a 32-bit architecture with strict
+alignment requirements (such as an ARMv7-based Raspberry Pi) results
+in an alignment exception:
+
+ # nft add table ip test-ip4
+ # nft add chain ip test-ip4 output { type filter hook output priority 0; }
+ # nft add rule ip test-ip4 output quota 1025 bytes
+
+Alignment trap: not handling instruction e1b26f9f at [<7f4473f8>]
+Unhandled fault: alignment exception (0x001) at 0xb832e824
+Internal error: : 1 [#1] PREEMPT SMP ARM
+Hardware name: BCM2835
+[<7f4473fc>] (nft_quota_do_init [nft_quota])
+[<7f447448>] (nft_quota_init [nft_quota])
+[<7f4260d0>] (nf_tables_newrule [nf_tables])
+[<7f4168dc>] (nfnetlink_rcv_batch [nfnetlink])
+[<7f416bd0>] (nfnetlink_rcv [nfnetlink])
+[<8078b334>] (netlink_unicast)
+[<8078b664>] (netlink_sendmsg)
+[<8071b47c>] (sock_sendmsg)
+[<8071bd18>] (___sys_sendmsg)
+[<8071ce3c>] (__sys_sendmsg)
+[<8071ce94>] (sys_sendmsg)
+
+The reason is that nft_quota_do_init() calls atomic64_set() on an
+atomic64_t which is only aligned to 32-bit, not 64-bit, because it
+succeeds struct nft_expr in memory which only contains a 32-bit pointer.
+Fix by aligning the nft_expr private data to 64-bit.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Signed-off-by: Lukas Wunner
+Cc: stable@vger.kernel.org # v3.13+
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/net/netfilter/nf_tables.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -759,7 +759,8 @@ struct nft_expr_ops {
+ */
+ struct nft_expr {
+ const struct nft_expr_ops *ops;
+- unsigned char data[];
++ unsigned char data[]
++ __attribute__((aligned(__alignof__(u64))));
+ };
+
+ static inline void *nft_expr_priv(const struct nft_expr *expr)
diff --git a/queue-4.14/perf-tools-fix-time-sorting.patch b/queue-4.14/perf-tools-fix-time-sorting.patch
new file mode 100644
index 00000000000..b82ec89fb6a
--- /dev/null
+++ b/queue-4.14/perf-tools-fix-time-sorting.patch
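Review bot: The `aligned(__alignof__(u64))` attribute added to `data[]` in struct nft_expr fixes only the member's offset and the struct's own alignment requirement; the private area is 64-bit aligned at run time only if every buffer that holds nft_expr objects starts on such a boundary and each expression's size is rounded to match. Those allocation and size-rounding sites are not in this hunk, so for the 4.14 backport they should be checked, since the trace in the description shows the fault is reachable from a netlink request. The kernel-doc comment above the struct begins outside the hunk; it would be worth recording the requirement there, e.g. ` *	@data: expression private data, aligned for 64-bit members such as atomic64_t`.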
@@ -0,0 +1,46 @@
+From 722ddfde366fd46205456a9c5ff9b3359dc9a75e Mon Sep 17 00:00:00 2001
+From: Jiri Olsa
+Date: Tue, 5 Nov 2019 00:27:11 +0100
+Subject: perf tools: Fix time sorting
+
+From: Jiri Olsa
+
+commit 722ddfde366fd46205456a9c5ff9b3359dc9a75e upstream.
+
+The final sort might get confused when the comparison is done over
+bigger numbers than int like for -s time.
+
+Check the following report for longer workloads:
+
+ $ perf report -s time -F time,overhead --stdio
+
+Fix hist_entry__sort() to properly return int64_t and not possible cut
+int.
+
+Fixes: 043ca389a318 ("perf tools: Use hpp formats to sort final output")
+Signed-off-by: Jiri Olsa
+Reviewed-by: Andi Kleen
+Cc: Alexander Shishkin
+Cc: Michael Petlan
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: stable@vger.kernel.org # v3.16+
+Link: http://lore.kernel.org/lkml/20191104232711.16055-1-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/perf/util/hist.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/hist.c
++++ b/tools/perf/util/hist.c
+@@ -1504,7 +1504,7 @@ int hists__collapse_resort(struct hists
+ return 0;
+ }
+
+-static int hist_entry__sort(struct hist_entry *a, struct hist_entry *b)
++static int64_t hist_entry__sort(struct hist_entry *a, struct hist_entry *b)
+ {
+ struct hists *hists = a->hists;
+ struct perf_hpp_fmt *fmt;
diff --git a/queue-4.14/series b/queue-4.14/series
index 8d86b5f0ee2..60fb7259f63 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
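Review bot: Widening the return type of hist_entry__sort() to int64_t helps only if nothing narrows the value again, and neither the rest of the function body nor its callers are in this hunk. For the 4.14 tree, check that the local returned at the end of the function is itself an int64_t and that no caller stores the result in an `int` before testing its sign. A caller written as `int cmp = hist_entry__sort(a, b);` would still truncate large time differences and could flip the sign of the comparison.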
@@ -9,3 +9,31 @@ nfc-fdp-fix-incorrect-free-object.patch
 nfc-netlink-fix-double-device-reference-drop.patch
 nfc-st21nfca-fix-double-free.patch
 qede-fix-null-pointer-deref-in-__qede_remove.patch
+alsa-timer-fix-incorrectly-assigned-timer-instance.patch
+alsa-bebob-fix-to-detect-configured-source-of-sampling-clock-for-focusrite-saffire-pro-i-o-series.patch
+alsa-hda-ca0132-fix-possible-workqueue-stall.patch
+mm-meminit-recalculate-pcpu-batch-and-high-limits-after-init-completes.patch
+mm-thp-handle-page-cache-thp-correctly-in-pagetranscompoundmap.patch
+mm-vmstat-hide-proc-pagetypeinfo-from-normal-users.patch
+dump_stack-avoid-the-livelock-of-the-dump_lock.patch
+tools-gpio-use-building_out_of_srctree-to-determine-srctree.patch
+perf-tools-fix-time-sorting.patch
+drm-radeon-fix-si_enable_smc_cac-failed-issue.patch
+hid-wacom-generic-treat-serial-number-and-related-fields-as-unsigned.patch
+arm64-do-not-mask-out-pte_rdonly-in-pte_same.patch
+ceph-fix-use-after-free-in-__ceph_remove_cap.patch
+ceph-add-missing-check-in-d_revalidate-snapdir-handling.patch
+iio-adc-stm32-adc-fix-stopping-dma.patch
+iio-imu-adis16480-make-sure-provided-frequency-is-positive.patch
+iio-srf04-fix-wrong-limitation-in-distance-measuring.patch
+netfilter-nf_tables-align-nft_expr-private-data-to-64-bit.patch
+netfilter-ipset-fix-an-error-code-in-ip_set_sockfn_get.patch
+intel_th-pci-add-comet-lake-pch-support.patch
+intel_th-pci-add-jasper-lake-pch-support.patch
+can-usb_8dev-fix-use-after-free-on-disconnect.patch
+can-c_can-c_can_poll-only-read-status-register-after-status-irq.patch
+can-peak_usb-fix-a-potential-out-of-sync-while-decoding-packets.patch
+can-rx-offload-can_rx_offload_queue_sorted-fix-error-handling-avoid-skb-mem-leak.patch
+can-gs_usb-gs_can_open-prevent-memory-leak.patch
+can-mcba_usb-fix-use-after-free-on-disconnect.patch
+can-peak_usb-fix-slab-info-leak.patch
diff --git a/queue-4.14/tools-gpio-use-building_out_of_srctree-to-determine-srctree.patch b/queue-4.14/tools-gpio-use-building_out_of_srctree-to-determine-srctree.patch
new file mode 100644
index 00000000000..a82cbf31600
--- /dev/null
+++ b/queue-4.14/tools-gpio-use-building_out_of_srctree-to-determine-srctree.patch
@@ -0,0 +1,48 @@
+From 4a6a6f5c4aeedb72db871d60bfcca89835f317aa Mon Sep 17 00:00:00 2001
+From: Shuah Khan
+Date: Thu, 26 Sep 2019 19:16:41 -0600
+Subject: tools: gpio: Use !building_out_of_srctree to determine srctree
+
+From: Shuah Khan
+
+commit 4a6a6f5c4aeedb72db871d60bfcca89835f317aa upstream.
+
+make TARGETS=gpio kselftest fails with:
+
+Makefile:23: tools/build/Makefile.include: No such file or directory
+
+When the gpio tool make is invoked from tools Makefile, srctree is
+cleared and the current logic check for srctree equals to empty
+string to determine srctree location from CURDIR.
+
+When the build in invoked from selftests/gpio Makefile, the srctree
+is set to "." and the same logic used for srctree equals to empty is
+needed to determine srctree.
+
+Check building_out_of_srctree undefined as the condition for both
+cases to fix "make TARGETS=gpio kselftest" build failure.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Shuah Khan
+Signed-off-by: Bartosz Golaszewski
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/gpio/Makefile | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/tools/gpio/Makefile
++++ b/tools/gpio/Makefile
+@@ -3,7 +3,11 @@ include ../scripts/Makefile.include
+
+ bindir ?= /usr/bin
+
+-ifeq ($(srctree),)
++# This will work when gpio is built in tools env. where srctree
++# isn't set and when invoked from selftests build, where srctree
++# is set to ".". building_out_of_srctree is undefined for in srctree
++# builds
++ifndef building_out_of_srctree
+ srctree := $(patsubst %/,%,$(dir $(CURDIR)))
+ srctree := $(patsubst %/,%,$(dir $(srctree)))
+ endif
--
2.47.3
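Review bot: The new `ifndef building_out_of_srctree` test in tools/gpio/Makefile is meaningful only if the 4.14 build system actually sets `building_out_of_srctree` for out-of-tree builds, and nothing on this page shows where that variable is defined. If this tree signals an out-of-tree build some other way, the condition is always true and `srctree` is recomputed from `$(CURDIR)` even for `O=` builds, silently overriding the caller's value. Confirm against the 4.14 top-level Makefile before queueing. If the variable is absent there, `ifeq ($(filter-out .,$(srctree)),)` covers both the empty and the "." case from the description without depending on it.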