From bb8fb310a0740b76b17d3b07134e0232da66a6be Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 21 Apr 2020 19:35:42 +0200
Subject: [PATCH] 4.4-stable patches
added patches:
alsa-hda-don-t-release-card-at-firmware-loading-error.patch
of-unittest-kmemleak-on-changeset-destroy.patch
scsi-sg-add-sg_remove_request-in-sg_common_write.patch
tracing-fix-the-race-between-registering-snapshot-event-trigger-and-triggering-snapshot-operation.patch
video-fbdev-sis-remove-unnecessary-parentheses-and-commented-code.patch
x86-mitigations-clear-cpu-buffers-on-the-syscall-fast-path.patch
---
 ...lease-card-at-firmware-loading-error.patch | 59 +++++++++++++++++++
 ...ittest-kmemleak-on-changeset-destroy.patch | 40 +++++++++++++
 ...sg_remove_request-in-sg_common_write.patch | 37 ++++++++++++
 queue-4.4/series | 6 ++
 ...er-and-triggering-snapshot-operation.patch | 56 ++++++++++++++++++
 ...ssary-parentheses-and-commented-code.patch | 53 +++++++++++++++++
 ...cpu-buffers-on-the-syscall-fast-path.patch | 53 +++++++++++++++++
 7 files changed, 304 insertions(+)
 create mode 100644 queue-4.4/alsa-hda-don-t-release-card-at-firmware-loading-error.patch
 create mode 100644 queue-4.4/of-unittest-kmemleak-on-changeset-destroy.patch
 create mode 100644 queue-4.4/scsi-sg-add-sg_remove_request-in-sg_common_write.patch
 create mode 100644 queue-4.4/tracing-fix-the-race-between-registering-snapshot-event-trigger-and-triggering-snapshot-operation.patch
 create mode 100644 queue-4.4/video-fbdev-sis-remove-unnecessary-parentheses-and-commented-code.patch
 create mode 100644 queue-4.4/x86-mitigations-clear-cpu-buffers-on-the-syscall-fast-path.patch
diff --git a/queue-4.4/alsa-hda-don-t-release-card-at-firmware-loading-error.patch b/queue-4.4/alsa-hda-don-t-release-card-at-firmware-loading-error.patch
new file mode 100644
index 00000000000..b518a995eb6
--- /dev/null
+++ b/queue-4.4/alsa-hda-don-t-release-card-at-firmware-loading-error.patch
@@ -0,0 +1,59 @@
+From 25faa4bd37c10f19e4b848b9032a17a3d44c6f09 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 13 Apr 2020 10:20:29 +0200
+Subject: ALSA: hda: Don't release card at firmware loading error
+
+From: Takashi Iwai
+
+commit 25faa4bd37c10f19e4b848b9032a17a3d44c6f09 upstream.
+
+At the error path of the firmware loading error, the driver tries to
+release the card object and set NULL to drvdata. This may be referred
+badly at the possible PM action, as the driver itself is still bound
+and the PM callbacks read the card object.
+
+Instead, we continue the probing as if it were no option set. This is
+often a better choice than the forced abort, too.
+
+Fixes: 5cb543dba986 ("ALSA: hda - Deferred probing with request_firmware_nowait()")
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207043
+Link: https://lore.kernel.org/r/20200413082034.25166-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/hda_intel.c | 19 +++++-------------
+ 1 file changed, 5 insertions(+), 14 deletions(-)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -1839,24 +1839,15 @@ static void azx_firmware_cb(const struct
+ {
+ struct snd_card *card = context;
+ struct azx *chip = card->private_data;
+- struct pci_dev *pci = chip->pci;
+
+- if (!fw) {
+- dev_err(card->dev, "Cannot load firmware, aborting\n");
+- goto error;
+- }
+-
+- chip->fw = fw;
++ if (fw)
++ chip->fw = fw;
++ else
++ dev_err(card->dev, "Cannot load firmware, continue without patching\n");
+ if (!chip->disabled) {
+ /* continue probing */
+- if (azx_probe_continue(chip))
+- goto error;
++ azx_probe_continue(chip);
+ }
+- return; /* OK */
+-
+- error:
+- snd_card_free(card);
+- pci_set_drvdata(pci, NULL);
+ }
+ #endif
+
diff --git a/queue-4.4/of-unittest-kmemleak-on-changeset-destroy.patch b/queue-4.4/of-unittest-kmemleak-on-changeset-destroy.patch
new file mode 100644
index 00000000000..82a8d874a6e
--- /dev/null
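Review bot: In azx_firmware_cb() the new side calls `azx_probe_continue(chip);` and drops its return value, so a probe failure reached through the firmware callback leaves no trace at this call site. The commit message explains why the card must not be freed here (the driver stays bound and the PM callbacks still read the card object), but the code itself does not say so, and a later cleanup could reintroduce the `snd_card_free()` call that led to the access the message describes. I would add a comment above the call such as `/* do not free the card on failure: the driver is still bound and PM callbacks dereference it */`. It should also be confirmed that azx_probe_continue() records its own failure, which is not visible in this hunk.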
+++ b/queue-4.4/of-unittest-kmemleak-on-changeset-destroy.patch
@@ -0,0 +1,40 @@
+From b3fb36ed694b05738d45218ea72cf7feb10ce2b1 Mon Sep 17 00:00:00 2001
+From: Frank Rowand
+Date: Thu, 16 Apr 2020 16:42:46 -0500
+Subject: of: unittest: kmemleak on changeset destroy
+
+From: Frank Rowand
+
+commit b3fb36ed694b05738d45218ea72cf7feb10ce2b1 upstream.
+
+kmemleak reports several memory leaks from devicetree unittest.
+This is the fix for problem 1 of 5.
+
+of_unittest_changeset() reaches deeply into the dynamic devicetree
+functions. Several nodes were left with an elevated reference
+count and thus were not properly cleaned up. Fix the reference
+counts so that the memory will be freed.
+
+Fixes: 201c910bd689 ("of: Transactional DT support.")
+Reported-by: Erhard F.
+Signed-off-by: Frank Rowand
+Signed-off-by: Rob Herring
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/of/unittest.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -544,6 +544,10 @@ static void __init of_unittest_changeset
+ mutex_unlock(&of_mutex);
+
+ of_changeset_destroy(&chgset);
++
++ of_node_put(n1);
++ of_node_put(n2);
++ of_node_put(n21);
+ #endif
+ }
+
diff --git a/queue-4.4/scsi-sg-add-sg_remove_request-in-sg_common_write.patch b/queue-4.4/scsi-sg-add-sg_remove_request-in-sg_common_write.patch
new file mode 100644
index 00000000000..789d2f5f61b
--- /dev/null
+++ b/queue-4.4/scsi-sg-add-sg_remove_request-in-sg_common_write.patch
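Review bot: The three `of_node_put()` calls added after `of_changeset_destroy(&chgset)` sit only on the path that reaches the end of of_unittest_changeset(). The function starts outside this hunk, so any earlier exit taken after n1, n2 and n21 were obtained would presumably still leave their counts elevated; those exits are worth checking before the leak is treated as closed. A short comment such as `/* drop the references still held on n1, n2 and n21 */` would make the pairing visible to the next reader.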
@@ -0,0 +1,37 @@
+From 849f8583e955dbe3a1806e03ecacd5e71cce0a08 Mon Sep 17 00:00:00 2001
+From: Li Bin
+Date: Mon, 13 Apr 2020 19:29:21 +0800
+Subject: scsi: sg: add sg_remove_request in sg_common_write
+
+From: Li Bin
+
+commit 849f8583e955dbe3a1806e03ecacd5e71cce0a08 upstream.
+
+If the dxfer_len is greater than 256M then the request is invalid and we
+need to call sg_remove_request in sg_common_write.
+
+Link: https://lore.kernel.org/r/1586777361-17339-1-git-send-email-huawei.libin@huawei.com
+Fixes: f930c7043663 ("scsi: sg: only check for dxfer_len greater than 256M")
+Acked-by: Douglas Gilbert
+Signed-off-by: Li Bin
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/sg.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -820,8 +820,10 @@ sg_common_write(Sg_fd * sfp, Sg_request
+ "sg_common_write: scsi opcode=0x%02x, cmd_size=%d\n",
+ (int) cmnd[0], (int) hp->cmd_len));
+
+- if (hp->dxfer_len >= SZ_256M)
++ if (hp->dxfer_len >= SZ_256M) {
++ sg_remove_request(sfp, srp);
+ return -EINVAL;
++ }
+
+ k = sg_start_req(srp, cmnd);
+ if (k) {
diff --git a/queue-4.4/series b/queue-4.4/series
index 0392eae0393..40c25b1743e 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -66,3 +66,9 @@ mac80211_hwsim-use-kstrndup-in-place-of-kasprintf.patch
 ext4-do-not-zeroout-extents-beyond-i_disksize.patch
 dm-flakey-check-for-null-arg_name-in-parse_features.patch
 kvm-x86-host-feature-ssbd-doesn-t-imply-guest-featur.patch
+x86-mitigations-clear-cpu-buffers-on-the-syscall-fast-path.patch
+tracing-fix-the-race-between-registering-snapshot-event-trigger-and-triggering-snapshot-operation.patch
+scsi-sg-add-sg_remove_request-in-sg_common_write.patch
+alsa-hda-don-t-release-card-at-firmware-loading-error.patch
+of-unittest-kmemleak-on-changeset-destroy.patch
+video-fbdev-sis-remove-unnecessary-parentheses-and-commented-code.patch
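Review bot: The `hp->dxfer_len >= SZ_256M` rejection in sg_common_write() now releases srp before `return -EINVAL`, so srp is no longer valid once the function reports this failure. The callers are outside this hunk, and it should be confirmed that none of them touches or removes srp again after a negative return. The length appears to come from the submitted request header, so this path is reachable with caller-chosen values, and both a missed release and a double release would matter here. A comment above the check, for example `/* every failure return from here on must release srp exactly once */`, would state the ownership rule this fix relies on; the sg_start_req() error branch, which continues outside the hunk, should follow the same rule.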
diff --git a/queue-4.4/tracing-fix-the-race-between-registering-snapshot-event-trigger-and-triggering-snapshot-operation.patch b/queue-4.4/tracing-fix-the-race-between-registering-snapshot-event-trigger-and-triggering-snapshot-operation.patch
new file mode 100644
index 00000000000..42267f219ee
--- /dev/null
+++ b/queue-4.4/tracing-fix-the-race-between-registering-snapshot-event-trigger-and-triggering-snapshot-operation.patch
@@ -0,0 +1,56 @@
+From 0bbe7f719985efd9adb3454679ecef0984cb6800 Mon Sep 17 00:00:00 2001
+From: Xiao Yang
+Date: Tue, 14 Apr 2020 09:51:45 +0800
+Subject: tracing: Fix the race between registering 'snapshot' event trigger and triggering 'snapshot' operation
+
+From: Xiao Yang
+
+commit 0bbe7f719985efd9adb3454679ecef0984cb6800 upstream.
+
+Traced event can trigger 'snapshot' operation(i.e. calls snapshot_trigger()
+or snapshot_count_trigger()) when register_snapshot_trigger() has completed
+registration but doesn't allocate buffer for 'snapshot' event trigger. In
+the rare case, 'snapshot' operation always detects the lack of allocated
+buffer so make register_snapshot_trigger() allocate buffer first.
+
+trigger-snapshot.tc in kselftest reproduces the issue on slow vm:
+-----------------------------------------------------------
+cat trace
+...
+ftracetest-3028 [002] .... 236.784290: sched_process_fork: comm=ftracetest pid=3028 child_comm=ftracetest child_pid=3036
+ <...>-2875 [003] .... 240.460335: tracing_snapshot_instance_cond: *** SNAPSHOT NOT ALLOCATED ***
+ <...>-2875 [003] .... 240.460338: tracing_snapshot_instance_cond: *** stopping trace here!
***
+-----------------------------------------------------------
+
+Link: http://lkml.kernel.org/r/20200414015145.66236-1-yangx.jy@cn.fujitsu.com
+
+Cc: stable@vger.kernel.org
+Fixes: 93e31ffbf417a ("tracing: Add 'snapshot' event trigger command")
+Signed-off-by: Xiao Yang
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/trace/trace_events_trigger.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/kernel/trace/trace_events_trigger.c
++++ b/kernel/trace/trace_events_trigger.c
+@@ -910,14 +910,10 @@ register_snapshot_trigger(char *glob, st
+ struct event_trigger_data *data,
+ struct trace_event_file *file)
+ {
+- int ret = register_trigger(glob, ops, data, file);
++ if (tracing_alloc_snapshot() != 0)
++ return 0;
+
+- if (ret > 0 && tracing_alloc_snapshot() != 0) {
+- unregister_trigger(glob, ops, data, file);
+- ret = 0;
+- }
+-
+- return ret;
++ return register_trigger(glob, ops, data, file);
+ }
+
+ static int
diff --git a/queue-4.4/video-fbdev-sis-remove-unnecessary-parentheses-and-commented-code.patch b/queue-4.4/video-fbdev-sis-remove-unnecessary-parentheses-and-commented-code.patch
new file mode 100644
index 00000000000..50ccf6da526
--- /dev/null
+++ b/queue-4.4/video-fbdev-sis-remove-unnecessary-parentheses-and-commented-code.patch
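Review bot: register_snapshot_trigger() now returns 0 when `tracing_alloc_snapshot()` fails, so the allocation error code is discarded and the caller only learns that no trigger was registered. That matches what the removed code returned, but it is undocumented, and the reordering adds a second quiet case: if `register_trigger()` fails after a successful allocation, the snapshot buffer stays allocated with no trigger using it. I would add a comment above the check, e.g. `/* allocate first so a firing trigger never finds the buffer missing; 0 means nothing was registered */`, and state whether leaving the buffer allocated on a later failure is intended. The function's signature starts outside this hunk.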
@@ -0,0 +1,53 @@
+From 864eb1afc60cb43e7df879b97f8ca0d719bbb735 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor
+Date: Mon, 8 Oct 2018 12:57:36 +0200
+Subject: video: fbdev: sis: Remove unnecessary parentheses and commented code
+
+From: Nathan Chancellor
+
+commit 864eb1afc60cb43e7df879b97f8ca0d719bbb735 upstream.
+
+Clang warns when multiple pairs of parentheses are used for a single
+conditional statement.
+
+drivers/video/fbdev/sis/init301.c:851:42: warning: equality comparison
+with extraneous parentheses [-Wparentheses-equality]
+ } else if((SiS_Pr->SiS_IF_DEF_LVDS == 1) /* ||
+ ~~~~~~~~~~~~~~~~~~~~~~~~^~~~
+drivers/video/fbdev/sis/init301.c:851:42: note: remove extraneous
+parentheses around the comparison to silence this warning
+ } else if((SiS_Pr->SiS_IF_DEF_LVDS == 1) /* ||
+ ~ ^ ~
+drivers/video/fbdev/sis/init301.c:851:42: note: use '=' to turn this
+equality comparison into an assignment
+ } else if((SiS_Pr->SiS_IF_DEF_LVDS == 1) /* ||
+ ^~
+ =
+1 warning generated.
+
+Remove the parentheses and while we're at it, clean up the commented
+code, which has been here since the beginning of git history.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/118
+Signed-off-by: Nathan Chancellor
+Cc: Thomas Winischhofer
+Signed-off-by: Bartlomiej Zolnierkiewicz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/video/fbdev/sis/init301.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/video/fbdev/sis/init301.c
++++ b/drivers/video/fbdev/sis/init301.c
+@@ -522,9 +522,7 @@ SiS_PanelDelay(struct SiS_Private *SiS_P
+ SiS_DDC2Delay(SiS_Pr, 0x4000);
+ }
+
+- } else if((SiS_Pr->SiS_IF_DEF_LVDS == 1) /* ||
+- (SiS_Pr->SiS_CustomT == CUT_COMPAQ1280) ||
+- (SiS_Pr->SiS_CustomT == CUT_CLEVO1400) */ ) { /* 315 series, LVDS; Special */
++ } else if (SiS_Pr->SiS_IF_DEF_LVDS == 1) { /* 315 series, LVDS; Special */
+
+ if(SiS_Pr->SiS_IF_DEF_CH70xx == 0) {
+ PanelID = SiS_GetReg(SiS_Pr->SiS_P3d4,0x36);
diff --git a/queue-4.4/x86-mitigations-clear-cpu-buffers-on-the-syscall-fast-path.patch b/queue-4.4/x86-mitigations-clear-cpu-buffers-on-the-syscall-fast-path.patch
new file mode 100644
index 00000000000..c466194753c
--- /dev/null
+++ b/queue-4.4/x86-mitigations-clear-cpu-buffers-on-the-syscall-fast-path.patch
@@ -0,0 +1,53 @@
+From: Borislav Petkov
+Date: Sun, 19 Apr 2020 09:59:03 +0200
+Subject: x86/mitigations: Clear CPU buffers on the SYSCALL fast path
+
+From: Borislav Petkov
+
+The fast SYSCALL exit path returns with SYSRET to userspace after
+verifying that there's no pending work. MDS mitigation mandates that CPU
+buffers must be cleared on transition from kernel to userspace so do
+that here too.
+
+Signed-off-by: Borislav Petkov
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/entry/entry_64.S | 2 ++
+ arch/x86/include/asm/spec-ctrl.h | 2 ++
+ arch/x86/kernel/cpu/bugs.c | 5 +++++
+ 3 files changed, 9 insertions(+)
+
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -218,6 +218,8 @@ entry_SYSCALL_64_fastpath:
+ testl $_TIF_ALLWORK_MASK, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
+ jnz int_ret_from_sys_call_irqs_off /* Go to the slow path */
+
++ call mds_user_clear_buffers
++
+ movq RIP(%rsp), %rcx
+ movq EFLAGS(%rsp), %r11
+ RESTORE_C_REGS_EXCEPT_RCX_R11
+--- a/arch/x86/include/asm/spec-ctrl.h
++++ b/arch/x86/include/asm/spec-ctrl.h
+@@ -85,4 +85,6 @@ static inline void speculative_store_byp
+ extern void speculation_ctrl_update(unsigned long tif);
+ extern void speculation_ctrl_update_current(void);
+
++extern void mds_user_clear_buffers(void);
++
+ #endif
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -263,6 +263,11 @@ static int __init mds_cmdline(char *str)
+ }
+ early_param("mds", mds_cmdline);
+
++void mds_user_clear_buffers(void)
++{
++ mds_user_clear_cpu_buffers();
++}
++
+ #undef pr_fmt
+ #define pr_fmt(fmt) "TAA: " fmt
+
-- 
2.47.3
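Review bot: In entry_SYSCALL_64_fastpath the added `call mds_user_clear_buffers` is an ordinary C call placed before `movq RIP(%rsp), %rcx` and RESTORE_C_REGS_EXCEPT_RCX_R11, and nothing in the hunk says that this position is required. The call may clobber caller-saved registers, which is harmless only because the user register state is reloaded from the stack afterwards; the same reloads mean the buffer clear is not the last memory access before SYSRET, so it is worth confirming they touch only the task's own saved registers. I would add a comment on the call, for example `/* C call clobbers caller-saved regs: keep it before the register restores */`, and a one-line comment on the wrapper in bugs.c saying it exists so that assembly can reach mds_user_clear_cpu_buffers(), which is presumably an inline helper. Whether the wrapper can be traced or instrumented on this exit path is not visible here and should be checked.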