From 1e63247e7cd886543367eacae5a74e8db53798e0 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sat, 18 Apr 2020 12:55:47 +0200 Subject: [PATCH] 5.6-stable patches added patches: alsa-hda-allow-setting-preallocation-again-for-x86.patch alsa-hda-realtek-enable-the-headset-mic-on-asus-fx505dt.patch alsa-usb-audio-check-mapping-at-creating-connector-controls-too.patch alsa-usb-audio-don-t-create-jack-controls-for-pcm-terminals.patch alsa-usb-audio-don-t-override-ignore_ctl_error-value-from-the-map.patch alsa-usb-audio-filter-error-from-connector-kctl-ops-too.patch arm64-vdso-don-t-free-unallocated-pages.patch btrfs-check-commit-root-generation-in-should_ignore_root.patch keys-fix-proc_keys_next-to-increase-position-index.patch mac80211-fix-race-in-ieee80211_register_hw.patch mac80211_hwsim-use-kstrndup-in-place-of-kasprintf.patch nl80211-fix-nl80211_attr_ftm_responder-policy.patch tracing-fix-the-race-between-registering-snapshot-event-trigger-and-triggering-snapshot-operation.patch --- ...-setting-preallocation-again-for-x86.patch | 56 +++++++ ...able-the-headset-mic-on-asus-fx505dt.patch | 37 +++++ ...g-at-creating-connector-controls-too.patch | 105 ++++++++++++ ...eate-jack-controls-for-pcm-terminals.patch | 56 +++++++ ...-ignore_ctl_error-value-from-the-map.patch | 36 +++++ ...er-error-from-connector-kctl-ops-too.patch | 38 +++++ ...64-vdso-don-t-free-unallocated-pages.patch | 53 +++++++ ...oot-generation-in-should_ignore_root.patch | 54 +++++++ ...keys_next-to-increase-position-index.patch | 70 ++++++++ ...11-fix-race-in-ieee80211_register_hw.patch | 149 ++++++++++++++++++ ...m-use-kstrndup-in-place-of-kasprintf.patch | 68 ++++++++ ...ix-nl80211_attr_ftm_responder-policy.patch | 38 +++++ queue-5.6/series | 13 ++ ...er-and-triggering-snapshot-operation.patch | 56 +++++++ 14 files changed, 829 insertions(+) create mode 100644 queue-5.6/alsa-hda-allow-setting-preallocation-again-for-x86.patch create mode 100644 queue-5.6/alsa-hda-realtek-enable-the-headset-mic-on-asus-fx505dt.patch create mode 100644 
queue-5.6/alsa-usb-audio-check-mapping-at-creating-connector-controls-too.patch create mode 100644 queue-5.6/alsa-usb-audio-don-t-create-jack-controls-for-pcm-terminals.patch create mode 100644 queue-5.6/alsa-usb-audio-don-t-override-ignore_ctl_error-value-from-the-map.patch create mode 100644 queue-5.6/alsa-usb-audio-filter-error-from-connector-kctl-ops-too.patch create mode 100644 queue-5.6/arm64-vdso-don-t-free-unallocated-pages.patch create mode 100644 queue-5.6/btrfs-check-commit-root-generation-in-should_ignore_root.patch create mode 100644 queue-5.6/keys-fix-proc_keys_next-to-increase-position-index.patch create mode 100644 queue-5.6/mac80211-fix-race-in-ieee80211_register_hw.patch create mode 100644 queue-5.6/mac80211_hwsim-use-kstrndup-in-place-of-kasprintf.patch create mode 100644 queue-5.6/nl80211-fix-nl80211_attr_ftm_responder-policy.patch create mode 100644 queue-5.6/tracing-fix-the-race-between-registering-snapshot-event-trigger-and-triggering-snapshot-operation.patch diff --git a/queue-5.6/alsa-hda-allow-setting-preallocation-again-for-x86.patch b/queue-5.6/alsa-hda-allow-setting-preallocation-again-for-x86.patch new file mode 100644 index 00000000000..bd89625bd62 --- /dev/null +++ b/queue-5.6/alsa-hda-allow-setting-preallocation-again-for-x86.patch 
@@ -0,0 +1,56 @@ +From f8e4ae10de43fbb7ce85f79e04eca2988b6b2c40 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 13 Apr 2020 22:19:19 +0200 +Subject: ALSA: hda: Allow setting preallocation again for x86 + +From: Takashi Iwai + +commit f8e4ae10de43fbb7ce85f79e04eca2988b6b2c40 upstream. + +The commit c31427d0d21e ("ALSA: hda: No preallocation on x86 +platforms") changed CONFIG_SND_HDA_PREALLOC_SIZE setup and its default +to zero for x86, as the preallocation should work almost all cases. +However, this expectation was too naive; some applications try to +allocate as the max buffer size as possible, and it leads to the +memory exhaustion. More badly, the commit changed the kconfig no +longer adjustable for x86, so you can't fix it statically (although it +can be still adjusted via procfs). + +So, practically seen, it's more recommended to set a reasonable limit +for x86, too. This patch follows to that experience, and changes the +default to 2048 and allow the kconfig adjustable again. + +Fixes: c31427d0d21e ("ALSA: hda: No preallocation on x86 platforms") +Cc: +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207223 +Link: https://lore.kernel.org/r/20200413201919.24241-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/hda/Kconfig | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/sound/hda/Kconfig ++++ b/sound/hda/Kconfig +@@ -21,16 +21,17 @@ config SND_HDA_EXT_CORE + select SND_HDA_CORE + + config SND_HDA_PREALLOC_SIZE +- int "Pre-allocated buffer size for HD-audio driver" if !SND_DMA_SGBUF ++ int "Pre-allocated buffer size for HD-audio driver" + range 0 32768 +- default 0 if SND_DMA_SGBUF ++ default 2048 if SND_DMA_SGBUF + default 64 if !SND_DMA_SGBUF + help + Specifies the default pre-allocated buffer-size in kB for the + HD-audio driver. A larger buffer (e.g. 2048) is preferred + for systems using PulseAudio. The default 64 is chosen just + for compatibility reasons. 
+- On x86 systems, the default is zero as we need no preallocation.
++ On x86 systems, the default is 2048 as a reasonable value for
++ most of modern systems.
+
+ Note that the pre-allocation size can be changed dynamically
+ via a proc file (/proc/asound/card*/pcm*/sub*/prealloc), too.
diff --git a/queue-5.6/alsa-hda-realtek-enable-the-headset-mic-on-asus-fx505dt.patch b/queue-5.6/alsa-hda-realtek-enable-the-headset-mic-on-asus-fx505dt.patch
new file mode 100644
index 00000000000..461e81e39f8
--- /dev/null
+++ b/queue-5.6/alsa-hda-realtek-enable-the-headset-mic-on-asus-fx505dt.patch
@@ -0,0 +1,37 @@ +From 4963d66b8a26c489958063abb6900ea6ed8e4836 Mon Sep 17 00:00:00 2001 +From: Adam Barber +Date: Fri, 10 Apr 2020 17:00:32 +0800 +Subject: ALSA: hda/realtek - Enable the headset mic on Asus FX505DT + +From: Adam Barber + +commit 4963d66b8a26c489958063abb6900ea6ed8e4836 upstream. + +On Asus FX505DT with Realtek ALC233, the headset mic is connected +to pin 0x19, with default 0x411111f0. + +Enable headset mic by reconfiguring the pin to an external mic +associated with the headphone on 0x21. Mic jack detection was also +found to be working. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207131 +Signed-off-by: Adam Barber +Cc: +Link: https://lore.kernel.org/r/20200410090032.2759-1-barberadam995@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7253,6 +7253,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x1043, 0x17d1, "ASUS UX431FL", ALC294_FIXUP_ASUS_DUAL_SPK), + SND_PCI_QUIRK(0x1043, 0x18b1, "Asus MJ401TA", ALC256_FIXUP_ASUS_HEADSET_MIC), ++ SND_PCI_QUIRK(0x1043, 0x18f1, "Asus FX505DT", ALC256_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x19ce, "ASUS B9450FA", ALC294_FIXUP_ASUS_HPE), + SND_PCI_QUIRK(0x1043, 0x1a13, "Asus G73Jw", ALC269_FIXUP_ASUS_G73JW), + SND_PCI_QUIRK(0x1043, 0x1a30, "ASUS X705UD", ALC256_FIXUP_ASUS_MIC), diff --git a/queue-5.6/alsa-usb-audio-check-mapping-at-creating-connector-controls-too.patch b/queue-5.6/alsa-usb-audio-check-mapping-at-creating-connector-controls-too.patch new file mode 100644 index 00000000000..1dcf8f33840 --- /dev/null +++ b/queue-5.6/alsa-usb-audio-check-mapping-at-creating-connector-controls-too.patch 
@@ -0,0 +1,105 @@
+From 934b96594ed66b07dbc7e576d28814466df3a494 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Sun, 12 Apr 2020 10:13:31 +0200
+Subject: ALSA: usb-audio: Check mapping at creating connector controls, too
+
+From: Takashi Iwai
+
+commit 934b96594ed66b07dbc7e576d28814466df3a494 upstream.
+
+Add the mapping check to build_connector_control() so that the device
+specific quirk can provide the node to skip for the badly behaving
+connector controls. As an example, ALC1220-VB-based codec implements
+the skip entry for the broken SPDIF connector detection.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206873
+Cc:
+Link: https://lore.kernel.org/r/20200412081331.4742-5-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/mixer.c | 18 +++++++++++-------
+ sound/usb/mixer_maps.c | 4 +++-
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1750,11 +1750,15 @@ static void get_connector_control_name(s
+
+ /* Build a mixer control for a UAC connector control (jack-detect) */
+ static void build_connector_control(struct usb_mixer_interface *mixer,
++ const struct usbmix_name_map *imap,
+ struct usb_audio_term *term, bool is_input)
+ {
+ struct snd_kcontrol *kctl;
+ struct usb_mixer_elem_info *cval;
+
++ if (check_ignored_ctl(find_map(imap, term->id, 0)))
++ return;
++
+ cval = kzalloc(sizeof(*cval), GFP_KERNEL);
+ if (!cval)
+ return;
+@@ -2090,7 +2094,7 @@ static int parse_audio_input_terminal(st
+ /* Check for jack detection.
*/
+ if ((iterm.type & 0xff00) != 0x0100 &&
+ uac_v2v3_control_is_readable(bmctls, control))
+- build_connector_control(state->mixer, &iterm, true);
++ build_connector_control(state->mixer, state->map, &iterm, true);
+
+ return 0;
+ }
+@@ -3051,13 +3055,13 @@ static int snd_usb_mixer_controls_badd(s
+ memset(&iterm, 0, sizeof(iterm));
+ iterm.id = UAC3_BADD_IT_ID4;
+ iterm.type = UAC_BIDIR_TERMINAL_HEADSET;
+- build_connector_control(mixer, &iterm, true);
++ build_connector_control(mixer, map->map, &iterm, true);
+
+ /* Output Term - Insertion control */
+ memset(&oterm, 0, sizeof(oterm));
+ oterm.id = UAC3_BADD_OT_ID3;
+ oterm.type = UAC_BIDIR_TERMINAL_HEADSET;
+- build_connector_control(mixer, &oterm, false);
++ build_connector_control(mixer, map->map, &oterm, false);
+ }
+
+ return 0;
+@@ -3132,8 +3136,8 @@ static int snd_usb_mixer_controls(struct
+ if ((state.oterm.type & 0xff00) != 0x0100 &&
+ uac_v2v3_control_is_readable(le16_to_cpu(desc->bmControls),
+ UAC2_TE_CONNECTOR)) {
+- build_connector_control(state.mixer, &state.oterm,
+- false);
++ build_connector_control(state.mixer, state.map,
++ &state.oterm, false);
+ }
+ } else { /* UAC_VERSION_3 */
+ struct uac3_output_terminal_descriptor *desc = p;
+@@ -3158,8 +3162,8 @@ static int snd_usb_mixer_controls(struct
+ if ((state.oterm.type & 0xff00) != 0x0100 &&
+ uac_v2v3_control_is_readable(le32_to_cpu(desc->bmControls),
+ UAC3_TE_INSERTION)) {
+- build_connector_control(state.mixer, &state.oterm,
+- false);
++ build_connector_control(state.mixer, state.map,
++ &state.oterm, false);
+ }
+ }
+ }
+--- a/sound/usb/mixer_maps.c
++++ b/sound/usb/mixer_maps.c
+@@ -360,9 +360,11 @@ static const struct usbmix_name_map cors
+ };
+
+ /* Some mobos shipped with a dummy HD-audio show the invalid GET_MIN/GET_MAX
+- * response for Input Gain Pad (id=19, control=12). Skip it.
++ * response for Input Gain Pad (id=19, control=12) and the connector status
++ * for SPDIF terminal (id=18). Skip them.
+ */
+ static const struct usbmix_name_map asus_rog_map[] = {
++ { 18, NULL }, /* OT, connector control */
+ { 19, NULL, 12 }, /* FU, Input Gain Pad */
+ {}
+ };
diff --git a/queue-5.6/alsa-usb-audio-don-t-create-jack-controls-for-pcm-terminals.patch b/queue-5.6/alsa-usb-audio-don-t-create-jack-controls-for-pcm-terminals.patch
new file mode 100644
index 00000000000..67d19e119bf
--- /dev/null
+++ b/queue-5.6/alsa-usb-audio-don-t-create-jack-controls-for-pcm-terminals.patch
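Review bot: The new `imap` parameter of build_connector_control() goes straight into `find_map(imap, term->id, 0)` with nothing saying whether it may be NULL, and the callers pass `state->map` / `state.map`, which elsewhere on this page is only assigned when a quirk entry matches the device id. If find_map() and check_ignored_ctl() are meant to tolerate a missing map, record that on the parameter, e.g. `/* imap may be NULL when the device has no quirk map; no control is skipped then */`; if not, the call needs a guard. Separately, the added `{ 18, NULL }` entry names no control number, so it presumably matches every control on unit 18 rather than only the connector control its comment mentions; that depends on find_map()'s matching rule, which is outside these hunks and should be confirmed.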
@@ -0,0 +1,56 @@
+From 7dc3c5a0172e6c0449502103356c3628d05bc0e0 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Sun, 12 Apr 2020 10:13:30 +0200
+Subject: ALSA: usb-audio: Don't create jack controls for PCM terminals
+
+From: Takashi Iwai
+
+commit 7dc3c5a0172e6c0449502103356c3628d05bc0e0 upstream.
+
+Some funky firmwares set the connector flag even on PCM terminals
+although it doesn't make sense (and even actually the firmware doesn't
+react properly!). Let's skip creation of jack controls in such a
+case.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206873
+Cc:
+Link: https://lore.kernel.org/r/20200412081331.4742-4-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/mixer.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2088,7 +2088,8 @@ static int parse_audio_input_terminal(st
+ check_input_term(state, term_id, &iterm);
+
+ /* Check for jack detection. */
+- if (uac_v2v3_control_is_readable(bmctls, control))
++ if ((iterm.type & 0xff00) != 0x0100 &&
++ uac_v2v3_control_is_readable(bmctls, control))
+ build_connector_control(state->mixer, &iterm, true);
+
+ return 0;
+@@ -3128,7 +3129,8 @@ static int snd_usb_mixer_controls(struct
+ if (err < 0 && err != -EINVAL)
+ return err;
+
+- if (uac_v2v3_control_is_readable(le16_to_cpu(desc->bmControls),
++ if ((state.oterm.type & 0xff00) != 0x0100 &&
++ uac_v2v3_control_is_readable(le16_to_cpu(desc->bmControls),
+ UAC2_TE_CONNECTOR)) {
+ build_connector_control(state.mixer, &state.oterm,
+ false);
+@@ -3153,7 +3155,8 @@ static int snd_usb_mixer_controls(struct
+ if (err < 0 && err != -EINVAL)
+ return err;
+
+- if (uac_v2v3_control_is_readable(le32_to_cpu(desc->bmControls),
++ if ((state.oterm.type & 0xff00) != 0x0100 &&
++ uac_v2v3_control_is_readable(le32_to_cpu(desc->bmControls),
+ UAC3_TE_INSERTION)) {
+ build_connector_control(state.mixer, &state.oterm,
+ false);
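Review bot: The test `(... .type & 0xff00) != 0x0100` is open-coded three times, once in parse_audio_input_terminal() and in both descriptor branches of snd_usb_mixer_controls(), and none of the sites says what the 0x01xx range stands for. A comment at the first use, such as `/* 0x01xx: USB streaming (PCM) terminal types, which have no physical jack */`, or a one-line static helper shared by the three sites, would keep them from drifting apart. The next patch in this queue edits the same three conditions again, which is where such drift would start. All three enclosing functions begin and end outside the hunks.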
diff --git a/queue-5.6/alsa-usb-audio-don-t-override-ignore_ctl_error-value-from-the-map.patch b/queue-5.6/alsa-usb-audio-don-t-override-ignore_ctl_error-value-from-the-map.patch
new file mode 100644
index 00000000000..f4884a0e144
--- /dev/null
+++ b/queue-5.6/alsa-usb-audio-don-t-override-ignore_ctl_error-value-from-the-map.patch
@@ -0,0 +1,36 @@
+From 3507245b82b4362dc9721cbc328644905a3efa22 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Sun, 12 Apr 2020 10:13:29 +0200
+Subject: ALSA: usb-audio: Don't override ignore_ctl_error value from the map
+
+From: Takashi Iwai
+
+commit 3507245b82b4362dc9721cbc328644905a3efa22 upstream.
+
+The mapping table may contain also ignore_ctl_error flag for devices
+that are known to behave wild. Since this flag always writes the
+card's own ignore_ctl_error flag, it overrides the value already set
+by the module option, so it doesn't follow user's expectation.
+Let's fix the code not to clear the flag that has been set by user.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206873
+Cc:
+Link: https://lore.kernel.org/r/20200412081331.4742-3-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/mixer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -3085,7 +3085,7 @@ static int snd_usb_mixer_controls(struct
+ if (map->id == state.chip->usb_id) {
+ state.map = map->map;
+ state.selector_map = map->selector_map;
+- mixer->ignore_ctl_error = map->ignore_ctl_error;
++ mixer->ignore_ctl_error |= map->ignore_ctl_error;
+ break;
+ }
+ }
diff --git a/queue-5.6/alsa-usb-audio-filter-error-from-connector-kctl-ops-too.patch b/queue-5.6/alsa-usb-audio-filter-error-from-connector-kctl-ops-too.patch
new file mode 100644
index 00000000000..c251971bae0
--- /dev/null
+++ b/queue-5.6/alsa-usb-audio-filter-error-from-connector-kctl-ops-too.patch
@@ -0,0 +1,38 @@
+From 48cc42973509afac24e83d6edc23901d102872d1 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Sun, 12 Apr 2020 10:13:28 +0200
+Subject: ALSA: usb-audio: Filter error from connector kctl ops, too
+
+From: Takashi Iwai
+
+commit 48cc42973509afac24e83d6edc23901d102872d1 upstream.
+
+The ignore_ctl_error option should filter the error at kctl accesses,
+but there was an overlook: mixer_ctl_connector_get() returns an error
+from the request.
+
+This patch covers the forgotten code path and apply filter_error()
+properly. The locking error is still returned since this is a fatal
+error that has to be reported even with ignore_ctl_error option.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206873
+Cc:
+Link: https://lore.kernel.org/r/20200412081331.4742-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/mixer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1446,7 +1446,7 @@ error:
+ usb_audio_err(chip,
+ "cannot get connectors status: req = %#x, wValue = %#x, wIndex = %#x, type = %d\n",
+ UAC_GET_CUR, validx, idx, cval->val_type);
+- return ret;
++ return filter_error(cval, ret);
+ }
+
+ ucontrol->value.integer.value[0] = val;
diff --git a/queue-5.6/arm64-vdso-don-t-free-unallocated-pages.patch b/queue-5.6/arm64-vdso-don-t-free-unallocated-pages.patch
new file mode 100644
index 00000000000..1e560c388cc
--- /dev/null
+++ b/queue-5.6/arm64-vdso-don-t-free-unallocated-pages.patch
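Review bot: `usb_audio_err()` still runs before the new `return filter_error(cval, ret);`, so a device that fails this request keeps writing an error line to the kernel log on every read of the connector control, even when the error is then hidden from the caller. If filter_error() does drop the error under ignore_ctl_error, as the description says, either demote or rate-limit the message in that case or add a comment that the log line is kept on purpose for diagnosis. mixer_ctl_connector_get() starts above the hunk, so the locking-error path the description mentions cannot be checked from here.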
@@ -0,0 +1,53 @@
+From 9cc3d0c6915aee5140f8335d41bbc3ff1b79aa4e Mon Sep 17 00:00:00 2001
+From: Mark Rutland
+Date: Tue, 14 Apr 2020 11:42:48 +0100
+Subject: arm64: vdso: don't free unallocated pages
+
+From: Mark Rutland
+
+commit 9cc3d0c6915aee5140f8335d41bbc3ff1b79aa4e upstream.
+
+The aarch32_vdso_pages[] array never has entries allocated in the C_VVAR
+or C_VDSO slots, and as the array is zero initialized these contain
+NULL.
+
+However in __aarch32_alloc_vdso_pages() when
+aarch32_alloc_kuser_vdso_page() fails we attempt to free the page whose
+struct page is at NULL, which is obviously nonsensical.
+
+This patch removes the erroneous page freeing.
+
+Fixes: 7c1deeeb0130 ("arm64: compat: VDSO setup for compat layer")
+Cc: # 5.3.x-
+Cc: Vincenzo Frascino
+Acked-by: Will Deacon
+Signed-off-by: Mark Rutland
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/kernel/vdso.c | 13 +------------
+ 1 file changed, 1 insertion(+), 12 deletions(-)
+
+--- a/arch/arm64/kernel/vdso.c
++++ b/arch/arm64/kernel/vdso.c
+@@ -260,18 +260,7 @@ static int __aarch32_alloc_vdso_pages(vo
+ if (ret)
+ return ret;
+
+- ret = aarch32_alloc_kuser_vdso_page();
+- if (ret) {
+- unsigned long c_vvar =
+- (unsigned long)page_to_virt(aarch32_vdso_pages[C_VVAR]);
+- unsigned long c_vdso =
+- (unsigned long)page_to_virt(aarch32_vdso_pages[C_VDSO]);
+-
+- free_page(c_vvar);
+- free_page(c_vdso);
+- }
+-
+- return ret;
++ return aarch32_alloc_kuser_vdso_page();
+ }
+ #else
+ static int __aarch32_alloc_vdso_pages(void)
diff --git a/queue-5.6/btrfs-check-commit-root-generation-in-should_ignore_root.patch b/queue-5.6/btrfs-check-commit-root-generation-in-should_ignore_root.patch
new file mode 100644
index 00000000000..949ba12ad43
--- /dev/null
+++ b/queue-5.6/btrfs-check-commit-root-generation-in-should_ignore_root.patch
@@ -0,0 +1,54 @@ +From 4d4225fc228e46948486d8b8207955f0c031b92e Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Thu, 2 Apr 2020 15:51:18 -0400 +Subject: btrfs: check commit root generation in should_ignore_root + +From: Josef Bacik + +commit 4d4225fc228e46948486d8b8207955f0c031b92e upstream. + +Previously we would set the reloc root's last snapshot to transid - 1. +However there was a problem with doing this, and we changed it to +setting the last snapshot to the generation of the commit node of the fs +root. + +This however broke should_ignore_root(). The assumption is that if we +are in a generation newer than when the reloc root was created, then we +would find the reloc root through normal backref lookups, and thus can +ignore any fs roots we find with an old enough reloc root. + +Now that the last snapshot could be considerably further in the past +than before, we'd end up incorrectly ignoring an fs root. Thus we'd +find no nodes for the bytenr we were searching for, and we'd fail to +relocate anything. We'd loop through the relocate code again and see +that there were still used space in that block group, attempt to +relocate those bytenr's again, fail in the same way, and just loop like +this forever. This is tricky in that we have to not modify the fs root +at all during this time, so we need to have a block group that has data +in this fs root that is not shared by any other root, which is why this +has been difficult to reproduce. 
+ +Fixes: 054570a1dc94 ("Btrfs: fix relocation incorrectly dropping data references") +CC: stable@vger.kernel.org # 4.9+ +Reviewed-by: Filipe Manana +Signed-off-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/relocation.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -561,8 +561,8 @@ static int should_ignore_root(struct btr + if (!reloc_root) + return 0; + +- if (btrfs_root_last_snapshot(&reloc_root->root_item) == +- root->fs_info->running_transaction->transid - 1) ++ if (btrfs_header_generation(reloc_root->commit_root) == ++ root->fs_info->running_transaction->transid) + return 0; + /* + * if there is reloc tree and it was created in previous diff --git a/queue-5.6/keys-fix-proc_keys_next-to-increase-position-index.patch b/queue-5.6/keys-fix-proc_keys_next-to-increase-position-index.patch new file mode 100644 index 00000000000..4115b179a10 --- /dev/null +++ b/queue-5.6/keys-fix-proc_keys_next-to-increase-position-index.patch 
@@ -0,0 +1,70 @@ +From 86d32f9a7c54ad74f4514d7fef7c847883207291 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Tue, 14 Apr 2020 21:33:16 +0100 +Subject: keys: Fix proc_keys_next to increase position index + +From: Vasily Averin + +commit 86d32f9a7c54ad74f4514d7fef7c847883207291 upstream. + +If seq_file .next function does not change position index, +read after some lseek can generate unexpected output: + + $ dd if=/proc/keys bs=1 # full usual output + 0f6bfdf5 I--Q--- 2 perm 3f010000 1000 1000 user 4af2f79ab8848d0a: 740 + 1fb91b32 I--Q--- 3 perm 1f3f0000 1000 65534 keyring _uid.1000: 2 + 27589480 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16 + 2f33ab67 I--Q--- 152 perm 3f030000 0 0 keyring _ses: 2 + 33f1d8fa I--Q--- 4 perm 3f030000 1000 1000 keyring _ses: 1 + 3d427fda I--Q--- 2 perm 3f010000 1000 1000 user 69ec44aec7678e5a: 740 + 3ead4096 I--Q--- 1 perm 1f3f0000 1000 65534 keyring _uid_ses.1000: 1 + 521+0 records in + 521+0 records out + 521 bytes copied, 0,00123769 s, 421 kB/s + +But a read after lseek in middle of last line results in the partial +last line and then a repeat of the final line: + + $ dd if=/proc/keys bs=500 skip=1 + dd: /proc/keys: cannot skip to specified offset + g _uid_ses.1000: 1 + 3ead4096 I--Q--- 1 perm 1f3f0000 1000 65534 keyring _uid_ses.1000: 1 + 0+1 records in + 0+1 records out + 97 bytes copied, 0,000135035 s, 718 kB/s + +and a read after lseek beyond end of file results in the last line being +shown: + + $ dd if=/proc/keys bs=1000 skip=1 # read after lseek beyond end of file + dd: /proc/keys: cannot skip to specified offset + 3ead4096 I--Q--- 1 perm 1f3f0000 1000 65534 keyring _uid_ses.1000: 1 + 0+1 records in + 0+1 records out + 76 bytes copied, 0,000119981 s, 633 kB/s + +See https://bugzilla.kernel.org/show_bug.cgi?id=206283 + +Fixes: 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code ...") +Signed-off-by: Vasily Averin +Signed-off-by: David Howells +Reviewed-by: Jarkko Sakkinen +Cc: stable@vger.kernel.org 
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/keys/proc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/security/keys/proc.c
++++ b/security/keys/proc.c
+@@ -139,6 +139,8 @@ static void *proc_keys_next(struct seq_f
+ n = key_serial_next(p, v);
+ if (n)
+ *_pos = key_node_serial(n);
++ else
++ (*_pos)++;
+ return n;
+ }
+
diff --git a/queue-5.6/mac80211-fix-race-in-ieee80211_register_hw.patch b/queue-5.6/mac80211-fix-race-in-ieee80211_register_hw.patch
new file mode 100644
index 00000000000..6cb3460a394
--- /dev/null
+++ b/queue-5.6/mac80211-fix-race-in-ieee80211_register_hw.patch
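Review bot: The added `else (*_pos)++;` in proc_keys_next() carries no comment, and in the other branch `*_pos` is set to a key serial, so bumping it by one reads like a stray edit unless the reader knows the seq_file contract. A line such as `/* seq_file needs ->next to move *_pos even at the end of the list, or a read after lseek repeats the last entry */` would keep the fix from being removed later. It is also worth confirming that the start routine, which is not shown, treats a position one past the last serial as end-of-list. The function begins outside the hunk.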
@@ -0,0 +1,149 @@ +From 52e04b4ce5d03775b6a78f3ed1097480faacc9fd Mon Sep 17 00:00:00 2001 +From: Sumit Garg +Date: Tue, 7 Apr 2020 15:40:55 +0530 +Subject: mac80211: fix race in ieee80211_register_hw() + +From: Sumit Garg + +commit 52e04b4ce5d03775b6a78f3ed1097480faacc9fd upstream. + +A race condition leading to a kernel crash is observed during invocation +of ieee80211_register_hw() on a dragonboard410c device having wcn36xx +driver built as a loadable module along with a wifi manager in user-space +waiting for a wifi device (wlanX) to be active. + +Sequence diagram for a particular kernel crash scenario: + + user-space ieee80211_register_hw() ieee80211_tasklet_handler() + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + | | | + |<---phy0----wiphy_register() | + |-----iwd if_add---->| | + | |<---IRQ----(RX packet) + | Kernel crash | + | due to unallocated | + | workqueue. | + | | | + | alloc_ordered_workqueue() | + | | | + | Misc wiphy init. | + | | | + | ieee80211_if_add() | + | | | + +As evident from above sequence diagram, this race condition isn't specific +to a particular wifi driver but rather the initialization sequence in +ieee80211_register_hw() needs to be fixed. So re-order the initialization +sequence and the updated sequence diagram would look like: + + user-space ieee80211_register_hw() ieee80211_tasklet_handler() + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + | | | + | alloc_ordered_workqueue() | + | | | + | Misc wiphy init. 
| + | | | + |<---phy0----wiphy_register() | + |-----iwd if_add---->| | + | |<---IRQ----(RX packet) + | | | + | ieee80211_if_add() | + | | | + +Cc: stable@vger.kernel.org +Signed-off-by: Sumit Garg +Link: https://lore.kernel.org/r/1586254255-28713-1-git-send-email-sumit.garg@linaro.org +[Johannes: fix rtnl imbalances] +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/main.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -1051,7 +1051,7 @@ int ieee80211_register_hw(struct ieee802 + local->hw.wiphy->signal_type = CFG80211_SIGNAL_TYPE_UNSPEC; + if (hw->max_signal <= 0) { + result = -EINVAL; +- goto fail_wiphy_register; ++ goto fail_workqueue; + } + } + +@@ -1113,7 +1113,7 @@ int ieee80211_register_hw(struct ieee802 + + result = ieee80211_init_cipher_suites(local); + if (result < 0) +- goto fail_wiphy_register; ++ goto fail_workqueue; + + if (!local->ops->remain_on_channel) + local->hw.wiphy->max_remain_on_channel_duration = 5000; +@@ -1139,10 +1139,6 @@ int ieee80211_register_hw(struct ieee802 + + local->hw.wiphy->max_num_csa_counters = IEEE80211_MAX_CSA_COUNTERS_NUM; + +- result = wiphy_register(local->hw.wiphy); +- if (result < 0) +- goto fail_wiphy_register; +- + /* + * We use the number of queues for feature tests (QoS, HT) internally + * so restrict them appropriately. 
+@@ -1198,9 +1194,9 @@ int ieee80211_register_hw(struct ieee802
+ goto fail_flows;
+
+ rtnl_lock();
+-
+ result = ieee80211_init_rate_ctrl_alg(local,
+ hw->rate_control_algorithm);
++ rtnl_unlock();
+ if (result < 0) {
+ wiphy_debug(local->hw.wiphy,
+ "Failed to initialize rate control algorithm\n");
+@@ -1254,6 +1250,12 @@ int ieee80211_register_hw(struct ieee802
+ local->sband_allocated |= BIT(band);
+ }
+
++ result = wiphy_register(local->hw.wiphy);
++ if (result < 0)
++ goto fail_wiphy_register;
++
++ rtnl_lock();
++
+ /* add one default STA interface if supported */
+ if (local->hw.wiphy->interface_modes & BIT(NL80211_IFTYPE_STATION) &&
+ !ieee80211_hw_check(hw, NO_AUTO_VIF)) {
+@@ -1293,17 +1295,17 @@ int ieee80211_register_hw(struct ieee802
+ #if defined(CONFIG_INET) || defined(CONFIG_IPV6)
+ fail_ifa:
+ #endif
++ wiphy_unregister(local->hw.wiphy);
++ fail_wiphy_register:
+ rtnl_lock();
+ rate_control_deinitialize(local);
+ ieee80211_remove_interfaces(local);
+- fail_rate:
+ rtnl_unlock();
++ fail_rate:
+ fail_flows:
+ ieee80211_led_exit(local);
+ destroy_workqueue(local->workqueue);
+ fail_workqueue:
+- wiphy_unregister(local->hw.wiphy);
+- fail_wiphy_register:
+ if (local->wiphy_ciphers_allocated)
+ kfree(local->hw.wiphy->cipher_suites);
+ kfree(local->int_scan_req);
+@@ -1353,8 +1355,8 @@ void ieee80211_unregister_hw(struct ieee
+ skb_queue_purge(&local->skb_queue_unreliable);
+ skb_queue_purge(&local->skb_queue_tdls_chsw);
+
+- destroy_workqueue(local->workqueue);
+ wiphy_unregister(local->hw.wiphy);
++ destroy_workqueue(local->workqueue);
+ ieee80211_led_exit(local);
+ kfree(local->int_scan_req);
+ }
diff --git a/queue-5.6/mac80211_hwsim-use-kstrndup-in-place-of-kasprintf.patch b/queue-5.6/mac80211_hwsim-use-kstrndup-in-place-of-kasprintf.patch
new file mode 100644
index 00000000000..d7b7d41df66
--- /dev/null
+++ b/queue-5.6/mac80211_hwsim-use-kstrndup-in-place-of-kasprintf.patch
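Review bot: Nothing in the new code records why `wiphy_register()` now sits after the workqueue, rate-control and band setup, so a later reshuffle of ieee80211_register_hw() could reintroduce the crash the description explains. A comment above the moved call, for example `/* wiphy_register() makes the phy visible to user space; everything the RX path and interface creation rely on must be set up before it */`, would pin the ordering, and the swapped pair in ieee80211_unregister_hw() deserves a matching line. The error labels moved as well: with `rtnl_unlock()` now directly after ieee80211_init_rate_ctrl_alg(), every jump to `fail_rate` or `fail_flows` has to arrive without the rtnl held. Several of those jumps lie between the hunks, so this should be checked against the full function.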
@@ -0,0 +1,68 @@ +From 7ea862048317aa76d0f22334202779a25530980c Mon Sep 17 00:00:00 2001 +From: Tuomas Tynkkynen +Date: Fri, 10 Apr 2020 15:32:57 +0300 +Subject: mac80211_hwsim: Use kstrndup() in place of kasprintf() + +From: Tuomas Tynkkynen + +commit 7ea862048317aa76d0f22334202779a25530980c upstream. + +syzbot reports a warning: + +precision 33020 too large +WARNING: CPU: 0 PID: 9618 at lib/vsprintf.c:2471 set_precision+0x150/0x180 lib/vsprintf.c:2471 + vsnprintf+0xa7b/0x19a0 lib/vsprintf.c:2547 + kvasprintf+0xb2/0x170 lib/kasprintf.c:22 + kasprintf+0xbb/0xf0 lib/kasprintf.c:59 + hwsim_del_radio_nl+0x63a/0x7e0 drivers/net/wireless/mac80211_hwsim.c:3625 + genl_family_rcv_msg_doit net/netlink/genetlink.c:672 [inline] + ... + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Thus it seems that kasprintf() with "%.*s" format can not be used for +duplicating a string with arbitrary length. Replace it with kstrndup(). + +Note that later this string is limited to NL80211_WIPHY_NAME_MAXLEN == 64, +but the code is simpler this way. 
+
+Reported-by: syzbot+6693adf1698864d21734@syzkaller.appspotmail.com
+Reported-by: syzbot+a4aee3f42d7584d76761@syzkaller.appspotmail.com
+Cc: stable@kernel.org
+Signed-off-by: Tuomas Tynkkynen
+Link: https://lore.kernel.org/r/20200410123257.14559-1-tuomas.tynkkynen@iki.fi
+[johannes: add note about length limit]
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/mac80211_hwsim.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -3600,9 +3600,9 @@ static int hwsim_new_radio_nl(struct sk_
+ }
+
+ if (info->attrs[HWSIM_ATTR_RADIO_NAME]) {
+- hwname = kasprintf(GFP_KERNEL, "%.*s",
+- nla_len(info->attrs[HWSIM_ATTR_RADIO_NAME]),
+- (char *)nla_data(info->attrs[HWSIM_ATTR_RADIO_NAME]));
++ hwname = kstrndup((char *)nla_data(info->attrs[HWSIM_ATTR_RADIO_NAME]),
++ nla_len(info->attrs[HWSIM_ATTR_RADIO_NAME]),
++ GFP_KERNEL);
+ if (!hwname)
+ return -ENOMEM;
+ param.hwname = hwname;
+@@ -3622,9 +3622,9 @@ static int hwsim_del_radio_nl(struct sk_
+ if (info->attrs[HWSIM_ATTR_RADIO_ID]) {
+ idx = nla_get_u32(info->attrs[HWSIM_ATTR_RADIO_ID]);
+ } else if (info->attrs[HWSIM_ATTR_RADIO_NAME]) {
+- hwname = kasprintf(GFP_KERNEL, "%.*s",
+- nla_len(info->attrs[HWSIM_ATTR_RADIO_NAME]),
+- (char *)nla_data(info->attrs[HWSIM_ATTR_RADIO_NAME]));
++ hwname = kstrndup((char *)nla_data(info->attrs[HWSIM_ATTR_RADIO_NAME]),
++ nla_len(info->attrs[HWSIM_ATTR_RADIO_NAME]),
++ GFP_KERNEL);
+ if (!hwname)
+ return -ENOMEM;
+ } else
diff --git a/queue-5.6/nl80211-fix-nl80211_attr_ftm_responder-policy.patch b/queue-5.6/nl80211-fix-nl80211_attr_ftm_responder-policy.patch
new file mode 100644
index 00000000000..62350406d45
--- /dev/null
+++ b/queue-5.6/nl80211-fix-nl80211_attr_ftm_responder-policy.patch
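Review bot: Neither new `kstrndup()` call bounds the user-supplied attribute length at the point of copy: the allocation size in hwsim_new_radio_nl() and hwsim_del_radio_nl() is still whatever `nla_len()` reports, and the description only says the name is limited to NL80211_WIPHY_NAME_MAXLEN later. A length cap in the attribute policy, which is not visible here, would reject oversized names before any allocation. The same three-line expression is also duplicated in both handlers, and the `(char *)` cast is unneeded because nla_data() returns `void *`. One shared call such as `hwname = nla_strdup(info->attrs[HWSIM_ATTR_RADIO_NAME], GFP_KERNEL);` would remove the duplication, if its handling of a trailing NUL suits the later name comparison. Both functions extend beyond the hunks.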
@@ -0,0 +1,38 @@
+From 0e012b4e4b5ec8e064be3502382579dd0bb43269 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Sun, 12 Apr 2020 00:40:30 +0200
+Subject: nl80211: fix NL80211_ATTR_FTM_RESPONDER policy
+
+From: Johannes Berg
+
+commit 0e012b4e4b5ec8e064be3502382579dd0bb43269 upstream.
+
+The nested policy here should be established using the
+NLA_POLICY_NESTED() macro so the length is properly
+filled in.
+
+Cc: stable@vger.kernel.org
+Fixes: 81e54d08d9d8 ("cfg80211: support FTM responder configuration/statistics")
+Link: https://lore.kernel.org/r/20200412004029.9d0722bb56c8.Ie690bfcc4a1a61ff8d8ca7e475d59fcaa52fb2da@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/nl80211.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -619,10 +619,8 @@ const struct nla_policy nl80211_policy[N
+ [NL80211_ATTR_HE_CAPABILITY] = { .type = NLA_BINARY,
+ .len = NL80211_HE_MAX_CAPABILITY_LEN },
+
+- [NL80211_ATTR_FTM_RESPONDER] = {
+- .type = NLA_NESTED,
+- .validation_data = nl80211_ftm_responder_policy,
+- },
++ [NL80211_ATTR_FTM_RESPONDER] =
++ NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
+ [NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
+ [NL80211_ATTR_PEER_MEASUREMENTS] =
+ NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
diff --git a/queue-5.6/series b/queue-5.6/series
index f898de700d0..08fb0c4bbb0 100644
--- a/queue-5.6/series
+++ b/queue-5.6/series
@@ -39,3 +39,16 @@ arm64-dts-librem5-devkit-add-a-vbus-supply-to-usb0.patch
 usb-dwc3-gadget-don-t-clear-flags-before-transfer-ended.patch
 asoc-intel-mrfld-fix-incorrect-check-on-p-sink.patch
 asoc-intel-mrfld-return-error-codes-when-an-error-occurs.patch
+alsa-hda-allow-setting-preallocation-again-for-x86.patch
+alsa-hda-realtek-enable-the-headset-mic-on-asus-fx505dt.patch
+alsa-usb-audio-filter-error-from-connector-kctl-ops-too.patch
+alsa-usb-audio-don-t-override-ignore_ctl_error-value-from-the-map.patch
+alsa-usb-audio-don-t-create-jack-controls-for-pcm-terminals.patch
+alsa-usb-audio-check-mapping-at-creating-connector-controls-too.patch
+arm64-vdso-don-t-free-unallocated-pages.patch
+keys-fix-proc_keys_next-to-increase-position-index.patch
+tracing-fix-the-race-between-registering-snapshot-event-trigger-and-triggering-snapshot-operation.patch
+btrfs-check-commit-root-generation-in-should_ignore_root.patch
+nl80211-fix-nl80211_attr_ftm_responder-policy.patch
+mac80211-fix-race-in-ieee80211_register_hw.patch
+mac80211_hwsim-use-kstrndup-in-place-of-kasprintf.patch
diff --git a/queue-5.6/tracing-fix-the-race-between-registering-snapshot-event-trigger-and-triggering-snapshot-operation.patch b/queue-5.6/tracing-fix-the-race-between-registering-snapshot-event-trigger-and-triggering-snapshot-operation.patch
new file mode 100644
index 00000000000..847b28867b3
--- /dev/null
+++ b/queue-5.6/tracing-fix-the-race-between-registering-snapshot-event-trigger-and-triggering-snapshot-operation.patch
@@ -0,0 +1,56 @@
+From 0bbe7f719985efd9adb3454679ecef0984cb6800 Mon Sep 17 00:00:00 2001
+From: Xiao Yang
+Date: Tue, 14 Apr 2020 09:51:45 +0800
+Subject: tracing: Fix the race between registering 'snapshot' event trigger and triggering 'snapshot' operation
+
+From: Xiao Yang
+
+commit 0bbe7f719985efd9adb3454679ecef0984cb6800 upstream.
+
+Traced event can trigger 'snapshot' operation(i.e. calls snapshot_trigger()
+or snapshot_count_trigger()) when register_snapshot_trigger() has completed
+registration but doesn't allocate buffer for 'snapshot' event trigger. In
+the rare case, 'snapshot' operation always detects the lack of allocated
+buffer so make register_snapshot_trigger() allocate buffer first.
+
+trigger-snapshot.tc in kselftest reproduces the issue on slow vm:
+-----------------------------------------------------------
+cat trace
+...
+ftracetest-3028 [002] .... 236.784290: sched_process_fork: comm=ftracetest pid=3028 child_comm=ftracetest child_pid=3036
+ <...>-2875 [003] .... 240.460335: tracing_snapshot_instance_cond: *** SNAPSHOT NOT ALLOCATED ***
+ <...>-2875 [003] .... 240.460338: tracing_snapshot_instance_cond: *** stopping trace here! ***
+-----------------------------------------------------------
+
+Link: http://lkml.kernel.org/r/20200414015145.66236-1-yangx.jy@cn.fujitsu.com
+
+Cc: stable@vger.kernel.org
+Fixes: 93e31ffbf417a ("tracing: Add 'snapshot' event trigger command")
+Signed-off-by: Xiao Yang
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/trace/trace_events_trigger.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/kernel/trace/trace_events_trigger.c
++++ b/kernel/trace/trace_events_trigger.c
+@@ -1088,14 +1088,10 @@ register_snapshot_trigger(char *glob, st
+ struct event_trigger_data *data,
+ struct trace_event_file *file)
+ {
+- int ret = register_trigger(glob, ops, data, file);
++ if (tracing_alloc_snapshot_instance(file->tr) != 0)
++ return 0;
+
+- if (ret > 0 && tracing_alloc_snapshot_instance(file->tr) != 0) {
+- unregister_trigger(glob, ops, data, file);
+- ret = 0;
+- }
+-
+- return ret;
++ return register_trigger(glob, ops, data, file);
+ }
+
+ static int
-- 2.47.3
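Review bot: If register_trigger() fails after the new up-front allocation in register_snapshot_trigger(), the buffer obtained by tracing_alloc_snapshot_instance(file->tr) stays allocated, whereas the removed code only allocated once a trigger had been registered. Nothing in the hunk releases it on that path, and whether that is intended depends on code outside the hunk, so a comment such as `/* allocate before registering: the trigger can fire as soon as it is registered; the buffer is kept even if registration fails */` would record the decision. The bare `return 0;` on allocation failure also reads like success; the removed lines treated `ret > 0` as success, so `/* 0 == no trigger registered */` next to it would make the convention explicit. The function's opening line is visible only in the hunk header.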