~ian-may/ubuntu/+source/linux/+git/xenial:xenial-update-4.4.219

Branch merges

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related charm recipes

51d1c05... by Greg Kroah-Hartman <email address hidden> on 2020-04-13

Linux 4.4.219

BugLink: https://bugs.launchpad.net/bugs/1874093

Signed-off-by: Ian May <email address hidden>

8879e32... by Hans Verkuil <email address hidden> on 2018-08-27

drm_dp_mst_topology: fix broken drm_dp_sideband_parse_remote_dpcd_read()

BugLink: https://bugs.launchpad.net/bugs/1874093

commit a4c30a4861c54af78c4eb8b7855524c1a96d9f80 upstream.

When parsing the reply of a DP_REMOTE_DPCD_READ DPCD command the
result is wrong due to a missing idx increment.

This was never noticed since DP_REMOTE_DPCD_READ is currently not
used, but if you enable it, then it is all wrong.

Signed-off-by: Hans Verkuil <email address hidden>
Reviewed-by: Lyude Paul <email address hidden>
Acked-by: Alex Deucher <email address hidden>
Link: https://patchwork.<email address hidden>
Signed-off-by: Lee Jones <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
Signed-off-by: Ian May <email address hidden>

9b46de7... by Taniya Das <email address hidden> on 2019-05-08

clk: qcom: rcg: Return failure for RCG update

BugLink: https://bugs.launchpad.net/bugs/1874093

commit 21ea4b62e1f3dc258001a68da98c9663a9dbd6c7 upstream.

In case of update config failure, return -EBUSY, so that consumers could
handle the failure gracefully.

Signed-off-by: Taniya Das <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Stephen Boyd <email address hidden>
Signed-off-by: Lee Jones <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
Signed-off-by: Ian May <email address hidden>

d8c263e... by Avihai Horon <email address hidden> on 2020-03-18

RDMA/cm: Update num_paths in cma_resolve_iboe_route error flow

BugLink: https://bugs.launchpad.net/bugs/1874093

commit 987914ab841e2ec281a35b54348ab109b4c0bb4e upstream.

After a successful allocation of path_rec, num_paths is set to 1, but any
error after such allocation will leave num_paths uncleared.

This causes to de-referencing a NULL pointer later on. Hence, num_paths
needs to be set back to 0 if such an error occurs.

The following crash from syzkaller revealed it.

  kasan: CONFIG_KASAN_INLINE enabled
  kasan: GPF could be caused by NULL-ptr deref or user memory access
  general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
  CPU: 0 PID: 357 Comm: syz-executor060 Not tainted 4.18.0+ #311
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
  rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
  RIP: 0010:ib_copy_path_rec_to_user+0x94/0x3e0
  Code: f1 f1 f1 f1 c7 40 0c 00 00 f4 f4 65 48 8b 04 25 28 00 00 00 48 89
  45 c8 31 c0 e8 d7 60 24 ff 48 8d 7b 4c 48 89 f8 48 c1 e8 03 <42> 0f b6
  14 30 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
  RSP: 0018:ffff88006586f980 EFLAGS: 00010207
  RAX: 0000000000000009 RBX: 0000000000000000 RCX: 1ffff1000d5fe475
  RDX: ffff8800621e17c0 RSI: ffffffff820d45f9 RDI: 000000000000004c
  RBP: ffff88006586fa50 R08: ffffed000cb0df73 R09: ffffed000cb0df72
  R10: ffff88006586fa70 R11: ffffed000cb0df73 R12: 1ffff1000cb0df30
  R13: ffff88006586fae8 R14: dffffc0000000000 R15: ffff88006aff2200
  FS: 00000000016fc880(0000) GS:ffff88006d000000(0000)
  knlGS:0000000000000000
  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000020000040 CR3: 0000000063fec000 CR4: 00000000000006b0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
  ? ib_copy_path_rec_from_user+0xcc0/0xcc0
  ? __mutex_unlock_slowpath+0xfc/0x670
  ? wait_for_completion+0x3b0/0x3b0
  ? ucma_query_route+0x818/0xc60
  ucma_query_route+0x818/0xc60
  ? ucma_listen+0x1b0/0x1b0
  ? sched_clock_cpu+0x18/0x1d0
  ? sched_clock_cpu+0x18/0x1d0
  ? ucma_listen+0x1b0/0x1b0
  ? ucma_write+0x292/0x460
  ucma_write+0x292/0x460
  ? ucma_close_id+0x60/0x60
  ? sched_clock_cpu+0x18/0x1d0
  ? sched_clock_cpu+0x18/0x1d0
  __vfs_write+0xf7/0x620
  ? ucma_close_id+0x60/0x60
  ? kernel_read+0x110/0x110
  ? time_hardirqs_on+0x19/0x580
  ? lock_acquire+0x18b/0x3a0
  ? finish_task_switch+0xf3/0x5d0
  ? _raw_spin_unlock_irq+0x29/0x40
  ? _raw_spin_unlock_irq+0x29/0x40
  ? finish_task_switch+0x1be/0x5d0
  ? __switch_to_asm+0x34/0x70
  ? __switch_to_asm+0x40/0x70
  ? security_file_permission+0x172/0x1e0
  vfs_write+0x192/0x460
  ksys_write+0xc6/0x1a0
  ? __ia32_sys_read+0xb0/0xb0
  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
  ? do_syscall_64+0x1d/0x470
  do_syscall_64+0x9e/0x470
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: 3c86aa70bf67 ("RDMA/cm: Add RDMA CM support for IBoE devices")
Link: https://<email address hidden>
Signed-off-by: Avihai Horon <email address hidden>
Reviewed-by: Maor Gottlieb <email address hidden>
Signed-off-by: Leon Romanovsky <email address hidden>
Signed-off-by: Jason Gunthorpe <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
Signed-off-by: Ian May <email address hidden>

a66e723... by Qiujun Huang <email address hidden> on 2020-03-08

Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl

BugLink: https://bugs.launchpad.net/bugs/1874093

commit 71811cac8532b2387b3414f7cd8fe9e497482864 upstream.

Needn't call 'rfcomm_dlc_put' here, because 'rfcomm_dlc_exists' didn't
increase dlc->refcnt.

Reported-by: <email address hidden>
Signed-off-by: Qiujun Huang <email address hidden>
Suggested-by: Hillf Danton <email address hidden>
Signed-off-by: Marcel Holtmann <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
Signed-off-by: Ian May <email address hidden>

7d06ce1... by Kaike Wan <email address hidden> on 2020-03-26

IB/hfi1: Call kobject_put() when kobject_init_and_add() fails

BugLink: https://bugs.launchpad.net/bugs/1874093

commit dfb5394f804ed4fcea1fc925be275a38d66712ab upstream.

When kobject_init_and_add() returns an error in the function
hfi1_create_port_files(), the function kobject_put() is not called for the
corresponding kobject, which potentially leads to memory leak.

This patch fixes the issue by calling kobject_put() even if
kobject_init_and_add() fails.

Cc: <email address hidden>
Link: https://<email address hidden>
Reviewed-by: Mike Marciniszyn <email address hidden>
Signed-off-by: Kaike Wan <email address hidden>
Signed-off-by: Dennis Dalessandro <email address hidden>
Signed-off-by: Jason Gunthorpe <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
Signed-off-by: Ian May <email address hidden>

364d9b1... by Bob on 2020-03-06

ASoC: jz4740-i2s: Fix divider written at incorrect offset in register

BugLink: https://bugs.launchpad.net/bugs/1874093

commit 9401d5aa328e64617d87abd59af1c91cace4c3e4 upstream.

The 4-bit divider value was written at offset 8, while the jz4740
programming manual locates it at offset 0.

Fixes: 26b0aad80a86 ("ASoC: jz4740: Add dynamic sampling rate support to jz4740-i2s")
Signed-off-by: Paul Cercueil <email address hidden>
Cc: <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Mark Brown <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
Signed-off-by: Ian May <email address hidden>

436a8b7... by "Gustavo A. R. Silva" <email address hidden> on 2019-03-18

power: supply: axp288_charger: Fix unchecked return value

BugLink: https://bugs.launchpad.net/bugs/1874093

commit c3422ad5f84a66739ec6a37251ca27638c85b6be upstream.

Currently there is no check on platform_get_irq() return value
in case it fails, hence never actually reporting any errors and
causing unexpected behavior when using such value as argument
for function regmap_irq_get_virq().

Fix this by adding a proper check, a message reporting any errors
and returning *pirq*

Addresses-Coverity-ID: 1443940 ("Improper use of negative value")
Fixes: 843735b788a4 ("power: axp288_charger: axp288 charger driver")
Cc: <email address hidden>
Signed-off-by: Gustavo A. R. Silva <email address hidden>
Reviewed-by: Hans de Goede <email address hidden>
Signed-off-by: Sebastian Reichel <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
Signed-off-by: Nobuhiro Iwamatsu (CIP) <email address hidden>
Signed-off-by: Ian May <email address hidden>

7d7bb34... by David Ahern <email address hidden> on 2020-04-02

tools/accounting/getdelays.c: fix netlink attribute length

BugLink: https://bugs.launchpad.net/bugs/1874093

commit 4054ab64e29bb05b3dfe758fff3c38a74ba753bb upstream.

A recent change to the netlink code: 6e237d099fac ("netlink: Relax attr
validation for fixed length types") logs a warning when programs send
messages with invalid attributes (e.g., wrong length for a u32). Yafang
reported this error message for tools/accounting/getdelays.c.

send_cmd() is wrongly adding 1 to the attribute length. As noted in
include/uapi/linux/netlink.h nla_len should be NLA_HDRLEN + payload
length, so drop the +1.

Fixes: 9e06d3f9f6b1 ("per task delay accounting taskstats interface: documentation fix")
Reported-by: Yafang Shao <email address hidden>
Signed-off-by: David Ahern <email address hidden>
Signed-off-by: Andrew Morton <email address hidden>
Tested-by: Yafang Shao <email address hidden>
Cc: Johannes Berg <email address hidden>
Cc: Shailabh Nagar <email address hidden>
Cc: <email address hidden>
Link: http://<email address hidden>
Signed-off-by: Linus Torvalds <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
Signed-off-by: Ian May <email address hidden>

74bd74e... by Jason A. Donenfeld on 2020-02-21

random: always use batched entropy for get_random_u{32,64}

BugLink: https://bugs.launchpad.net/bugs/1874093

commit 69efea712f5b0489e67d07565aad5c94e09a3e52 upstream.

It turns out that RDRAND is pretty slow. Comparing these two
constructions:

  for (i = 0; i < CHACHA_BLOCK_SIZE; i += sizeof(ret))
    arch_get_random_long(&ret);

and

  long buf[CHACHA_BLOCK_SIZE / sizeof(long)];
  extract_crng((u8 *)buf);

it amortizes out to 352 cycles per long for the top one and 107 cycles
per long for the bottom one, on Coffee Lake Refresh, Intel Core i9-9880H.

And importantly, the top one has the drawback of not benefiting from the
real rng, whereas the bottom one has all the nice benefits of using our
own chacha rng. As get_random_u{32,64} gets used in more places (perhaps
beyond what it was originally intended for when it was introduced as
get_random_{int,long} back in the md5 monstrosity era), it seems like it
might be a good thing to strengthen its posture a tiny bit. Doing this
should only be stronger and not any weaker because that pool is already
initialized with a bunch of rdrand data (when available). This way, we
get the benefits of the hardware rng as well as our own rng.

Another benefit of this is that we no longer hit pitfalls of the recent
stream of AMD bugs in RDRAND. One often used code pattern for various
things is:

  do {
   val = get_random_u32();
  } while (hash_table_contains_key(val));

That recent AMD bug rendered that pattern useless, whereas we're really
very certain that chacha20 output will give pretty distributed numbers,
no matter what.

So, this simplification seems better both from a security perspective
and from a performance perspective.

Signed-off-by: Jason A. Donenfeld <email address hidden>
Reviewed-by: Greg Kroah-Hartman <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Theodore Ts'o <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
Signed-off-by: Ian May <email address hidden>