This is the start of the stable review cycle for the 4.14.194 release.
There are 228 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sat, 22 Aug 2020 09:15:09 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.194-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <[email protected]>
Linux 4.14.194-rc1
Denis Efremov <[email protected]>
drm/radeon: fix fb_div check in ni_init_smc_spll_table()
Mike Snitzer <[email protected]>
dm cache: remove all obsolete writethrough-specific code
Mike Snitzer <[email protected]>
dm cache: submit writethrough writes in parallel to origin and cache
Mike Snitzer <[email protected]>
dm cache: pass cache structure to mode functions
Tomasz Maciej Nowak <[email protected]>
arm64: dts: marvell: espressobin: add ethernet alias
Thomas Gleixner <[email protected]>
genirq/affinity: Make affinity setting if activated opt-in
Thomas Gleixner <[email protected]>
genirq/affinity: Handle affinity setting on inactive interrupts correctly
Hugh Dickins <[email protected]>
khugepaged: retract_page_tables() remember to test exit
Geert Uytterhoeven <[email protected]>
sh: landisk: Add missing initialization of sh_io_port_base
Daniel Díaz <[email protected]>
tools build feature: Quote CC and CXX for their arguments
Vincent Whitchurch <[email protected]>
perf bench mem: Always memset source before memcpy
Dinghao Liu <[email protected]>
ALSA: echoaudio: Fix potential Oops in snd_echo_resume()
Andy Shevchenko <[email protected]>
mfd: dln2: Run event handler loop under spinlock
Tiezhu Yang <[email protected]>
test_kmod: avoid potential double free in trigger_config_run_type()
Colin Ian King <[email protected]>
fs/ufs: avoid potential u32 multiplication overflow
Jeffrey Mitchell <[email protected]>
nfs: Fix getxattr kernel panic and memory overflow
Wang Hai <[email protected]>
net: qcom/emac: add missed clk_disable_unprepare in error path of emac_clks_phase1_init
Dan Carpenter <[email protected]>
drm/vmwgfx: Fix two list_for_each loop exit tests
Dan Carpenter <[email protected]>
drm/vmwgfx: Use correct vmw_legacy_display_unit pointer
Colin Ian King <[email protected]>
Input: sentelic - fix error return when fsp_reg_write fails
Wolfram Sang <[email protected]>
i2c: rcar: avoid race when unregistering slave
Thomas Hebb <[email protected]>
tools build feature: Use CC and CXX from parent
Rayagonda Kokatanur <[email protected]>
pwm: bcm-iproc: handle clk_get_rate() return
Xu Wang <[email protected]>
clk: clk-atlas6: fix return value check in atlas6_clk_init()
Wolfram Sang <[email protected]>
i2c: rcar: slave: only send STOP event when we have been addressed
Liu Yi L <[email protected]>
iommu/vt-d: Enforce PASID devTLB field mask
Colin Ian King <[email protected]>
iommu/omap: Check for failure of a call to omap_iommu_dump_ctx
Ming Lei <[email protected]>
dm rq: don't call blk_mq_queue_stopped() in dm_stop_queue()
Steve Longerbeam <[email protected]>
gpu: ipu-v3: image-convert: Combine rotate/no-rotate irq handlers
Johan Hovold <[email protected]>
USB: serial: ftdi_sio: fix break and sysrq handling
Johan Hovold <[email protected]>
USB: serial: ftdi_sio: clean up receive processing
Johan Hovold <[email protected]>
USB: serial: ftdi_sio: make process-packet buffer unsigned
Kamal Heib <[email protected]>
RDMA/ipoib: Return void from ipoib_ib_dev_stop()
Charles Keepax <[email protected]>
mfd: arizona: Ensure 32k clock is put on driver unbind and error
Liu Ying <[email protected]>
drm/imx: imx-ldb: Disable both channels for split mode in enc->disable()
Adrian Hunter <[email protected]>
perf intel-pt: Fix FUP packet state
Anton Blanchard <[email protected]>
pseries: Fix 64 bit logical memory block panic
Ahmad Fatoum <[email protected]>
watchdog: f71808e_wdt: clear watchdog timeout occurred flag
Ahmad Fatoum <[email protected]>
watchdog: f71808e_wdt: remove use of wrong watchdog_info option
Ahmad Fatoum <[email protected]>
watchdog: f71808e_wdt: indicate WDIOF_CARDRESET support in watchdog_info.options
Steven Rostedt (VMware) <[email protected]>
tracing: Use trace_sched_process_free() instead of exit() for pid tracing
Kevin Hao <[email protected]>
tracing/hwlat: Honor the tracing_cpumask
Muchun Song <[email protected]>
kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler
Chengming Zhou <[email protected]>
ftrace: Setup correct FTRACE_FL_REGS flags for module
Junxiao Bi <[email protected]>
ocfs2: change slot number type s16 to u16
Mikulas Patocka <[email protected]>
ext2: fix missing percpu_counter_inc
Huacai Chen <[email protected]>
MIPS: CPU#0 is not hotpluggable
Johannes Berg <[email protected]>
mac80211: fix misplaced while instead of if
Coly Li <[email protected]>
bcache: allocate meta data pages as compound pages
ChangSyun Peng <[email protected]>
md/raid5: Fix Force reconstruct-write io stuck in degraded raid5
Kees Cook <[email protected]>
net/compat: Add missing sock updates for SCM_RIGHTS
Jonathan McDowell <[email protected]>
net: stmmac: dwmac1000: provide multicast filter fallback
Jonathan McDowell <[email protected]>
net: ethernet: stmmac: Disable hardware multicast filter
Michael Ellerman <[email protected]>
powerpc: Fix circular dependency between percpu.h and mmu.h
Max Filippov <[email protected]>
xtensa: fix xtensa_pmu_setup prototype
Alexandru Ardelean <[email protected]>
iio: dac: ad5592r: fix unbalanced mutex unlocks in ad5592r_read_raw()
Christian Eggers <[email protected]>
dt-bindings: iio: io-channel-mux: Fix compatible string in example code
Filipe Manana <[email protected]>
btrfs: fix memory leaks after failure to lookup checksums during inode logging
Josef Bacik <[email protected]>
btrfs: only search for left_info if there is no right_info in try_merge_free_space
Qu Wenruo <[email protected]>
btrfs: don't allocate anonymous block device for user invisible roots
Rafael J. Wysocki <[email protected]>
PCI: hotplug: ACPI: Fix context refcounting in acpiphp_grab_context()
Steve French <[email protected]>
smb3: warn on confusing error scenario with sec=krb5
Tim Froidcoeur <[email protected]>
net: initialize fastreuse on inet_inherit_port
Roger Pau Monne <[email protected]>
xen/balloon: make the balloon wait interruptible
Roger Pau Monne <[email protected]>
xen/balloon: fix accounting in alloc_xenballooned_pages error path
Jon Derrick <[email protected]>
irqdomain/treewide: Free firmware node after domain removal
Nathan Huckleberry <[email protected]>
ARM: 8992/1: Fix unwind_frame for clang-built kernels
Sven Schnelle <[email protected]>
parisc: mask out enable and reserved bits from sba imask
John David Anglin <[email protected]>
parisc: Implement __smp_store_release and __smp_load_acquire barriers
Sivaprakash Murugesan <[email protected]>
mtd: rawnand: qcom: avoid write to unavailable register
Christian Eggers <[email protected]>
spi: spidev: Align buffers for DMA
Zheng Bin <[email protected]>
9p: Fix memory leak in v9fs_mount
Hector Martin <[email protected]>
ALSA: usb-audio: work around streaming quirk for MacroSilicon MS2109
Eric Biggers <[email protected]>
fs/minix: reject too-large maximum file size
Eric Biggers <[email protected]>
fs/minix: don't allow getting deleted inodes
Eric Biggers <[email protected]>
fs/minix: check return value of sb_getblk()
Jakub Kicinski <[email protected]>
bitfield.h: don't compile-time validate _val in FIELD_FIT
Mikulas Patocka <[email protected]>
crypto: cpt - don't sleep of CRYPTO_TFM_REQ_MAY_SLEEP was not specified
John Allen <[email protected]>
crypto: ccp - Fix use of merged scatterlists
Tom Rix <[email protected]>
crypto: qat - fix double free in qat_uclo_create_batch_init_list
Hector Martin <[email protected]>
ALSA: usb-audio: add quirk for Pioneer DDJ-RB
Hector Martin <[email protected]>
ALSA: usb-audio: fix overeager device match for MacroSilicon MS2109
Mirko Dietrich <[email protected]>
ALSA: usb-audio: Creative USB X-Fi Pro SB1095 volume knob support
Brant Merryman <[email protected]>
USB: serial: cp210x: enable usb generic throttle/unthrottle
Brant Merryman <[email protected]>
USB: serial: cp210x: re-enable auto-RTS on open
Miaohe Lin <[email protected]>
net: Set fput_needed iff FDPUT_FPUT is set
Tim Froidcoeur <[email protected]>
net: refactor bind_bucket fastreuse into helper
Qingyu Li <[email protected]>
net/nfc/rawsock.c: add CAP_NET_RAW check.
Xie He <[email protected]>
drivers/net/wan/lapbether: Added needed_headroom and a skb->len check
John Ogness <[email protected]>
af_packet: TPACKET_V3: fix fill status rwlock imbalance
Jian Cai <[email protected]>
crypto: aesni - add compatibility with IAS
Eric Dumazet <[email protected]>
x86/fsgsbase/64: Fix NULL deref in 86_fsgsbase_read_task
Drew Fustini <[email protected]>
pinctrl-single: fix pcs_parse_pinconf() return value
Wang Hai <[email protected]>
dlm: Fix kobject memleak
Florinel Iordache <[email protected]>
fsl/fman: fix eth hash table allocation
Florinel Iordache <[email protected]>
fsl/fman: check dereferencing null pointer
Florinel Iordache <[email protected]>
fsl/fman: fix unreachable code
Florinel Iordache <[email protected]>
fsl/fman: fix dereference null return value
Florinel Iordache <[email protected]>
fsl/fman: use 32-bit unsigned integer
Christophe JAILLET <[email protected]>
net: spider_net: Fix the size used in a 'dma_free_coherent()' call
Tianjia Zhang <[email protected]>
liquidio: Fix wrong return value in cn23xx_get_pf_num()
Tianjia Zhang <[email protected]>
net: ethernet: aquantia: Fix wrong return value
Andrii Nakryiko <[email protected]>
tools, build: Propagate build failures from tools/build/Makefile.build
Wang Hai <[email protected]>
wl1251: fix always return 0 error
Julian Wiedmann <[email protected]>
s390/qeth: don't process empty bridge port events
Sandipan Das <[email protected]>
selftests/powerpc: Fix online CPU selection
Hanjun Guo <[email protected]>
PCI: Release IVRS table in AMD ACS quirk
Harish <[email protected]>
selftests/powerpc: Fix CPU affinity for child process
Nicolas Boichat <[email protected]>
Bluetooth: hci_serdev: Only unregister device if it was registered
Tom Rix <[email protected]>
power: supply: check if calc_soc succeeded in pm860x_init_battery
Dan Carpenter <[email protected]>
Smack: prevent underflow in smk_set_cipso()
Dan Carpenter <[email protected]>
Smack: fix another vsscanf out of bounds
Chris Packham <[email protected]>
net: dsa: mv88e6xxx: MV88E6097 does not support jumbo configuration
Finn Thain <[email protected]>
scsi: mesh: Fix panic after host or bus reset
Marek Szyprowski <[email protected]>
usb: dwc2: Fix error path in gadget registration
Yu Kuai <[email protected]>
MIPS: OCTEON: add missing put_device() call in dwc3_octeon_device_init()
Sai Prakash Ranjan <[email protected]>
coresight: tmc: Fix TMC mode read in tmc_read_unprepare_etb()
Dan Carpenter <[email protected]>
thermal: ti-soc-thermal: Fix reversed condition in ti_thermal_expose_sensor()
Johan Hovold <[email protected]>
USB: serial: iuu_phoenix: fix led-activity helpers
Marco Felsch <[email protected]>
drm/imx: tve: fix regulator_disable error path
Xiongfeng Wang <[email protected]>
PCI/ASPM: Add missing newline in sysfs 'policy'
Colin Ian King <[email protected]>
staging: rtl8192u: fix a dubious looking mask before a shift
Milton Miller <[email protected]>
powerpc/vdso: Fix vdso cpu truncation
Dan Carpenter <[email protected]>
mwifiex: Prevent memory corruption handling keys
John Garry <[email protected]>
scsi: scsi_debug: Add check for sdebug_max_queue during module init
Tom Rix <[email protected]>
drm/bridge: sil_sii8620: initialize return of sii8620_readb
Laurent Pinchart <[email protected]>
drm: panel: simple: Fix bpc for LG LB070WV8 panel
Kai-Heng Feng <[email protected]>
leds: core: Flush scheduled work for system suspend
Bjorn Helgaas <[email protected]>
PCI: Fix pci_cfg_wait queue locking problem
Darrick J. Wong <[email protected]>
xfs: fix reflink quota reservation accounting error
Chuhong Yuan <[email protected]>
media: exynos4-is: Add missed check for pinctrl_lookup_state()
Dan Carpenter <[email protected]>
media: firewire: Using uninitialized values in node_probe()
Julian Anastasov <[email protected]>
ipvs: allow connection reuse for unconfirmed conntrack
Christophe JAILLET <[email protected]>
scsi: eesox: Fix different dev_id between request_irq() and free_irq()
Christophe JAILLET <[email protected]>
scsi: powertec: Fix different dev_id between request_irq() and free_irq()
Colin Ian King <[email protected]>
drm/radeon: fix array out-of-bounds read and write issues
Wang Hai <[email protected]>
cxl: Fix kobject memleak
Emil Velikov <[email protected]>
drm/mipi: use dcs write for mipi_dsi_dcs_set_tear_scanline
Christophe JAILLET <[email protected]>
scsi: cumana_2: Fix different dev_id between request_irq() and free_irq()
Pierre-Louis Bossart <[email protected]>
ASoC: Intel: bxt_rt298: add missing .owner field
Chuhong Yuan <[email protected]>
media: omap3isp: Add missed v4l2_ctrl_handler_free() for preview_init_entities()
Arnd Bergmann <[email protected]>
leds: lm355x: avoid enum conversion warning
Colin Ian King <[email protected]>
drm/arm: fix unintentional integer overflow on left shift
Tomasz Duszynski <[email protected]>
iio: improve IIO_CONCENTRATION channel type description
Christophe JAILLET <[email protected]>
video: pxafb: Fix the function used to balance a 'dma_alloc_coherent()' call
Dejin Zheng <[email protected]>
console: newport_con: fix an issue about leak related system resources
Dejin Zheng <[email protected]>
video: fbdev: sm712fb: fix an issue about iounmap for a wrong address
Qiushi Wu <[email protected]>
agp/intel: Fix a memory leak on module initialisation failure
Erik Kaneda <[email protected]>
ACPICA: Do not increment operation_region reference counts for field units
Coly Li <[email protected]>
bcache: fix super block seq numbers comparision in register_cache_set()
Jim Cromie <[email protected]>
dyndbg: fix a BUG_ON in ddebug_describe_flags
Danesh Petigara <[email protected]>
usb: bdc: Halt controller on suspend
Sasi Kumar <[email protected]>
bdc: Fix bug causing crash after multiple disconnects
Evgeny Novikov <[email protected]>
usb: gadget: net2280: fix memory leak on probe error handling paths
Dmitry Osipenko <[email protected]>
gpu: host1x: debug: Fix multiple channels emitting messages simultaneously
Bolarinwa Olayemi Saheed <[email protected]>
iwlegacy: Check the return value of pcie_capability_read_*()
Wright Feng <[email protected]>
brcmfmac: set state of hanger slot to FREE when flushing PSQ
Prasanna Kerekoppa <[email protected]>
brcmfmac: To fix Bss Info flag definition Bug
Paul E. McKenney <[email protected]>
mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls
Bartosz Golaszewski <[email protected]>
irqchip/irq-mtk-sysirq: Replace spinlock with raw_spinlock
Michael Tretter <[email protected]>
drm/debugfs: fix plain echo to connector "force" attribute
Aditya Pakki <[email protected]>
drm/nouveau: fix multiple instances of reference count leaks
Ricardo Cañuelo <[email protected]>
arm64: dts: hisilicon: hikey: fixes to comply with adi, adv7533 DT binding
Zhao Heming <[email protected]>
md-cluster: fix wild pointer of unlock_all_bitmaps()
Evgeny Novikov <[email protected]>
video: fbdev: neofb: fix memory leak in neo_scan_monitor()
Aditya Pakki <[email protected]>
drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync
Paul E. McKenney <[email protected]>
fs/btrfs: Add cond_resched() for try_release_extent_mapping() stalls
Lihong Kou <[email protected]>
Bluetooth: add a mutex lock to avoid UAF in do_enale_set
Tomi Valkeinen <[email protected]>
drm/tilcdc: fix leak & null ref in panel_connector_get_modes
Yu Kuai <[email protected]>
ARM: socfpga: PM: add missing put_device() call in socfpga_setup_ocram_self_refresh()
Dilip Kota <[email protected]>
spi: lantiq: fix: Rx overflow error in full duplex mode
yu kuai <[email protected]>
ARM: at91: pm: add missing put_device() call in at91_pm_sram_init()
Lu Wei <[email protected]>
platform/x86: intel-vbtn: Fix return value check in check_acpi_dev()
Lu Wei <[email protected]>
platform/x86: intel-hid: Fix return value check in check_acpi_dev()
Finn Thain <[email protected]>
m68k: mac: Fix IOP status/control register writes
Finn Thain <[email protected]>
m68k: mac: Don't send IOP message until channel is idle
Alim Akhtar <[email protected]>
arm64: dts: exynos: Fix silent hang after boot on Espresso
Stephan Gerhold <[email protected]>
arm64: dts: qcom: msm8916: Replace invalid bias-pull-none property
Qiushi Wu <[email protected]>
EDAC: Fix reference count leaks
Heiko Stuebner <[email protected]>
arm64: dts: rockchip: fix rk3399-puma gmac reset gpio
Heiko Stuebner <[email protected]>
arm64: dts: rockchip: fix rk3399-puma vcc5v0-host gpio
Peng Liu <[email protected]>
sched: correct SD_flags returned by tl->sd_flags()
Zhenzhong Duan <[email protected]>
x86/mce/inject: Fix a wrong assignment of i_mce.status
Yang Yingliang <[email protected]>
cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()
Grant Likely <[email protected]>
HID: input: Fix devices that return multiple bytes in battery report
Nick Desaulniers <[email protected]>
tracepoint: Mark __tracepoint_string's __used
Eric Biggers <[email protected]>
Smack: fix use-after-free in smk_write_relabel_self()
David Howells <[email protected]>
rxrpc: Fix race between recvmsg and sendmsg on immediate call failure
Rustam Kovhaev <[email protected]>
usb: hso: check for return value in hso_serial_common_create()
Willem de Bruijn <[email protected]>
selftests/net: relax cpu affinity requirement in msg_zerocopy test
Hangbin Liu <[email protected]>
Revert "vxlan: fix tos value before xmit"
Peilin Ye <[email protected]>
openvswitch: Prevent kernel-infoleak in ovs_ct_put_key()
Lorenzo Bianconi <[email protected]>
net: gre: recompute gre csum for sctp over gre tunnels
Stephen Hemminger <[email protected]>
hv_netvsc: do not use VF device if link is down
Johan Hovold <[email protected]>
net: lan78xx: replace bogus endpoint lookup
Ido Schimmel <[email protected]>
vxlan: Ensure FDB dump is performed under RCU
Landen Chao <[email protected]>
net: ethernet: mtk_eth_soc: fix MTU warnings
Cong Wang <[email protected]>
ipv6: fix memory leaks on IPV6_ADDRFORM path
Ido Schimmel <[email protected]>
ipv4: Silence suspicious RCU usage warning
Frank van der Linden <[email protected]>
xattr: break delegations in {set,remove}xattr
Dexuan Cui <[email protected]>
Drivers: hv: vmbus: Ignore CHANNELMSG_TL_CONNECT_RESULT(23)
Philippe Duplessis-Guindon <[email protected]>
tools lib traceevent: Fix memory leak in process_dynamic_array_len
Xin Xiong <[email protected]>
atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent
Francesco Ruggeri <[email protected]>
igb: reinit_locked() should be called with rtnl_lock
Julian Squires <[email protected]>
cfg80211: check vendor command doit pointer before use
Wolfram Sang <[email protected]>
i2c: slave: add sanity check when unregistering
Wolfram Sang <[email protected]>
i2c: slave: improve sanity check when registering
Ben Skeggs <[email protected]>
drm/nouveau/fbcon: zero-initialise the mode_cmd2 structure
Ben Skeggs <[email protected]>
drm/nouveau/fbcon: fix module unload when fbcon init has failed for some reason
Christoph Hellwig <[email protected]>
net/9p: validate fds in p9_fd_open
Johan Hovold <[email protected]>
leds: 88pm860x: fix use-after-free on unbind
Johan Hovold <[email protected]>
leds: lm3533: fix use-after-free on unbind
Johan Hovold <[email protected]>
leds: da903x: fix use-after-free on unbind
Johan Hovold <[email protected]>
leds: wm831x-status: fix use-after-free on unbind
Greg Kroah-Hartman <[email protected]>
mtd: properly check all write ioctls for permissions
Yunhai Zhang <[email protected]>
vgacon: Fix for missing check in scrollback handling
Jann Horn <[email protected]>
binder: Prevent context manager from incrementing ref 0
Adam Ford <[email protected]>
omapfb: dss: Fix max fclk divider for omap36xx
Peilin Ye <[email protected]>
Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()
Peilin Ye <[email protected]>
Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
Peilin Ye <[email protected]>
Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
Suren Baghdasaryan <[email protected]>
staging: android: ashmem: Fix lockdep warning for write operation
Takashi Iwai <[email protected]>
ALSA: seq: oss: Serialize ioctls
Forest Crossman <[email protected]>
usb: xhci: Fix ASMedia ASM1142 DMA addressing
Forest Crossman <[email protected]>
usb: xhci: define IDs for various ASMedia host controllers
Greg Kroah-Hartman <[email protected]>
USB: iowarrior: fix up report size handling for some devices
Roi Dayan <[email protected]>
net/mlx5e: Don't support phys switch id if not in switchdev mode
Erik Ekman <[email protected]>
USB: serial: qcserial: add EM7305 QDL product ID
-------------
Diffstat:
Documentation/ABI/testing/sysfs-bus-iio | 3 +-
.../bindings/iio/multiplexer/io-channel-mux.txt | 2 +-
Makefile | 4 +-
arch/arm/kernel/stacktrace.c | 24 +++
arch/arm/mach-at91/pm.c | 11 +-
arch/arm/mach-socfpga/pm.c | 8 +-
arch/arm64/boot/dts/exynos/exynos7-espresso.dts | 1 +
arch/arm64/boot/dts/hisilicon/hi3660-hikey960.dts | 11 ++
arch/arm64/boot/dts/hisilicon/hi6220-hikey.dts | 2 +-
.../boot/dts/marvell/armada-3720-espressobin.dts | 6 +
arch/arm64/boot/dts/qcom/msm8916-pins.dtsi | 10 +-
arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 4 +-
arch/m68k/mac/iop.c | 21 +--
arch/mips/cavium-octeon/octeon-usb.c | 5 +-
arch/mips/kernel/topology.c | 2 +-
arch/parisc/include/asm/barrier.h | 61 ++++++++
arch/powerpc/include/asm/percpu.h | 4 +-
arch/powerpc/kernel/vdso.c | 2 +-
arch/powerpc/platforms/pseries/hotplug-memory.c | 2 +-
arch/sh/boards/mach-landisk/setup.c | 3 +
arch/x86/crypto/aes_ctrby8_avx-x86_64.S | 14 +-
arch/x86/kernel/apic/io_apic.c | 5 +
arch/x86/kernel/apic/vector.c | 4 +
arch/x86/kernel/cpu/mcheck/mce-inject.c | 2 +-
arch/x86/kernel/ptrace.c | 2 +-
arch/xtensa/kernel/perf_event.c | 2 +-
drivers/acpi/acpica/exprep.c | 4 -
drivers/acpi/acpica/utdelete.c | 6 +-
drivers/android/binder.c | 15 +-
drivers/atm/atmtcp.c | 10 +-
drivers/bluetooth/hci_serdev.c | 3 +-
drivers/char/agp/intel-gtt.c | 4 +-
drivers/clk/sirf/clk-atlas6.c | 2 +-
drivers/crypto/cavium/cpt/cptvf_algs.c | 1 +
drivers/crypto/cavium/cpt/cptvf_reqmanager.c | 12 +-
drivers/crypto/cavium/cpt/request_manager.h | 2 +
drivers/crypto/ccp/ccp-dev.h | 1 +
drivers/crypto/ccp/ccp-ops.c | 37 +++--
drivers/crypto/qat/qat_common/qat_uclo.c | 9 +-
drivers/edac/edac_device_sysfs.c | 1 +
drivers/edac/edac_pci_sysfs.c | 2 +-
drivers/gpu/drm/arm/malidp_planes.c | 2 +-
drivers/gpu/drm/bridge/sil-sii8620.c | 2 +-
drivers/gpu/drm/drm_debugfs.c | 8 +-
drivers/gpu/drm/drm_mipi_dsi.c | 6 +-
drivers/gpu/drm/imx/imx-ldb.c | 7 +-
drivers/gpu/drm/imx/imx-tve.c | 20 +--
drivers/gpu/drm/nouveau/nouveau_drm.c | 8 +-
drivers/gpu/drm/nouveau/nouveau_fbcon.c | 3 +-
drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +-
drivers/gpu/drm/panel/panel-simple.c | 2 +-
drivers/gpu/drm/radeon/ci_dpm.c | 2 +-
drivers/gpu/drm/radeon/ni_dpm.c | 2 +-
drivers/gpu/drm/radeon/radeon_display.c | 4 +-
drivers/gpu/drm/radeon/radeon_drv.c | 4 +-
drivers/gpu/drm/radeon/radeon_kms.c | 4 +-
drivers/gpu/drm/tilcdc/tilcdc_panel.c | 6 +-
drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 8 +-
drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c | 5 +-
drivers/gpu/host1x/debug.c | 4 +
drivers/gpu/ipu-v3/ipu-image-convert.c | 58 +++----
drivers/hid/hid-input.c | 6 +-
drivers/hv/channel_mgmt.c | 21 +--
drivers/hv/vmbus_drv.c | 4 +
drivers/hwtracing/coresight/coresight-tmc-etf.c | 13 +-
drivers/i2c/busses/i2c-rcar.c | 15 +-
drivers/i2c/i2c-core-slave.c | 7 +-
drivers/iio/dac/ad5592r-base.c | 4 +-
drivers/infiniband/ulp/ipoib/ipoib.h | 2 +-
drivers/infiniband/ulp/ipoib/ipoib_ib.c | 4 +-
drivers/input/mouse/sentelic.c | 2 +-
drivers/iommu/intel_irq_remapping.c | 8 +
drivers/iommu/omap-iommu-debug.c | 3 +
drivers/irqchip/irq-gic-v3-its.c | 5 +-
drivers/irqchip/irq-mtk-sysirq.c | 8 +-
drivers/leds/led-class.c | 1 +
drivers/leds/leds-88pm860x.c | 14 +-
drivers/leds/leds-da903x.c | 14 +-
drivers/leds/leds-lm3533.c | 12 +-
drivers/leds/leds-lm355x.c | 7 +-
drivers/leds/leds-wm831x-status.c | 14 +-
drivers/md/bcache/bset.c | 2 +-
drivers/md/bcache/btree.c | 2 +-
drivers/md/bcache/journal.c | 4 +-
drivers/md/bcache/super.c | 11 +-
drivers/md/dm-cache-target.c | 166 +++++++--------------
drivers/md/dm-rq.c | 3 -
drivers/md/md-cluster.c | 1 +
drivers/md/raid5.c | 3 +-
drivers/media/firewire/firedtv-fw.c | 2 +
drivers/media/platform/exynos4-is/media-dev.c | 3 +
drivers/media/platform/omap3isp/isppreview.c | 4 +-
drivers/mfd/arizona-core.c | 18 +++
drivers/mfd/dln2.c | 4 +
drivers/misc/cxl/sysfs.c | 2 +-
drivers/mtd/mtdchar.c | 56 +++++--
drivers/mtd/nand/qcom_nandc.c | 7 +-
drivers/net/dsa/mv88e6xxx/chip.c | 1 -
.../ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c | 2 +-
.../ethernet/cavium/liquidio/cn23xx_pf_device.c | 2 +-
drivers/net/ethernet/freescale/fman/fman.c | 3 +-
drivers/net/ethernet/freescale/fman/fman_dtsec.c | 4 +-
drivers/net/ethernet/freescale/fman/fman_mac.h | 2 +-
drivers/net/ethernet/freescale/fman/fman_memac.c | 3 +-
drivers/net/ethernet/freescale/fman/fman_port.c | 9 +-
drivers/net/ethernet/freescale/fman/fman_tgec.c | 2 +-
drivers/net/ethernet/intel/igb/igb_main.c | 9 ++
drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 +
drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 2 +-
drivers/net/ethernet/qualcomm/emac/emac.c | 17 ++-
.../net/ethernet/stmicro/stmmac/dwmac-ipq806x.c | 1 +
.../net/ethernet/stmicro/stmmac/dwmac1000_core.c | 3 +
drivers/net/ethernet/toshiba/spider_net.c | 4 +-
drivers/net/hyperv/netvsc_drv.c | 7 +-
drivers/net/usb/hso.c | 5 +-
drivers/net/usb/lan78xx.c | 117 ++++-----------
drivers/net/vxlan.c | 10 +-
drivers/net/wan/lapbether.c | 10 +-
.../broadcom/brcm80211/brcmfmac/fwil_types.h | 2 +-
.../broadcom/brcm80211/brcmfmac/fwsignal.c | 4 +
drivers/net/wireless/intel/iwlegacy/common.c | 4 +-
drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c | 22 ++-
drivers/net/wireless/ti/wl1251/event.c | 2 +-
drivers/parisc/sba_iommu.c | 2 +-
drivers/pci/access.c | 8 +-
drivers/pci/host/vmd.c | 3 +
drivers/pci/hotplug/acpiphp_glue.c | 14 +-
drivers/pci/pcie/aspm.c | 1 +
drivers/pci/quirks.c | 2 +
drivers/pinctrl/pinctrl-single.c | 11 +-
drivers/platform/x86/intel-hid.c | 2 +-
drivers/platform/x86/intel-vbtn.c | 2 +-
drivers/power/supply/88pm860x_battery.c | 6 +-
drivers/pwm/pwm-bcm-iproc.c | 9 +-
drivers/s390/net/qeth_l2_main.c | 4 +
drivers/scsi/arm/cumana_2.c | 2 +-
drivers/scsi/arm/eesox.c | 2 +-
drivers/scsi/arm/powertec.c | 2 +-
drivers/scsi/mesh.c | 8 +-
drivers/scsi/scsi_debug.c | 6 +
drivers/spi/spi-lantiq-ssc.c | 10 ++
drivers/spi/spidev.c | 21 ++-
drivers/staging/android/ashmem.c | 12 ++
drivers/staging/rtl8192u/r8192U_core.c | 2 +-
drivers/thermal/ti-soc-thermal/ti-thermal-common.c | 2 +-
drivers/usb/dwc2/platform.c | 4 +-
drivers/usb/gadget/udc/bdc/bdc_core.c | 13 +-
drivers/usb/gadget/udc/bdc/bdc_ep.c | 16 +-
drivers/usb/gadget/udc/net2280.c | 4 +-
drivers/usb/host/xhci-pci.c | 10 +-
drivers/usb/misc/iowarrior.c | 35 +++--
drivers/usb/serial/cp210x.c | 19 +++
drivers/usb/serial/ftdi_sio.c | 57 ++++---
drivers/usb/serial/iuu_phoenix.c | 14 +-
drivers/usb/serial/qcserial.c | 1 +
drivers/video/console/newport_con.c | 12 +-
drivers/video/console/vgacon.c | 4 +
drivers/video/fbdev/neofb.c | 1 +
drivers/video/fbdev/omap2/omapfb/dss/dss.c | 2 +-
drivers/video/fbdev/pxafb.c | 4 +-
drivers/video/fbdev/sm712fb.c | 2 +
drivers/watchdog/f71808e_wdt.c | 13 +-
drivers/xen/balloon.c | 12 +-
fs/9p/v9fs.c | 5 +-
fs/btrfs/disk-io.c | 13 +-
fs/btrfs/extent_io.c | 2 +
fs/btrfs/free-space-cache.c | 4 +-
fs/btrfs/tree-log.c | 8 +-
fs/cifs/smb2pdu.c | 2 +
fs/dlm/lockspace.c | 6 +-
fs/ext2/ialloc.c | 3 +-
fs/minix/inode.c | 36 ++++-
fs/minix/itree_common.c | 8 +-
fs/nfs/nfs4proc.c | 2 -
fs/nfs/nfs4xdr.c | 6 +-
fs/ocfs2/ocfs2.h | 4 +-
fs/ocfs2/suballoc.c | 4 +-
fs/ocfs2/super.c | 4 +-
fs/ufs/super.c | 2 +-
fs/xattr.c | 84 ++++++++++-
fs/xfs/xfs_reflink.c | 21 ++-
include/linux/bitfield.h | 2 +-
include/linux/hyperv.h | 2 +
include/linux/intel-iommu.h | 4 +-
include/linux/irq.h | 12 ++
include/linux/tracepoint.h | 2 +-
include/linux/xattr.h | 2 +
include/net/addrconf.h | 1 +
include/net/inet_connection_sock.h | 4 +
include/net/ip_vs.h | 10 +-
include/net/sock.h | 4 +
kernel/cgroup/cgroup.c | 2 +
kernel/irq/manage.c | 41 ++++-
kernel/kprobes.c | 7 +
kernel/sched/topology.c | 2 +-
kernel/trace/ftrace.c | 15 +-
kernel/trace/trace_events.c | 4 +-
kernel/trace/trace_hwlat.c | 5 +-
lib/dynamic_debug.c | 23 ++-
lib/test_kmod.c | 2 +-
mm/khugepaged.c | 22 +--
mm/mmap.c | 1 +
net/9p/trans_fd.c | 24 ++-
net/bluetooth/6lowpan.c | 5 +
net/bluetooth/hci_event.c | 11 +-
net/compat.c | 1 +
net/core/sock.c | 21 +++
net/ipv4/fib_trie.c | 2 +-
net/ipv4/gre_offload.c | 13 +-
net/ipv4/inet_connection_sock.c | 93 ++++++------
net/ipv4/inet_hashtables.c | 1 +
net/ipv6/anycast.c | 17 ++-
net/ipv6/ipv6_sockglue.c | 1 +
net/mac80211/sta_info.c | 2 +-
net/netfilter/ipvs/ip_vs_core.c | 12 +-
net/nfc/rawsock.c | 7 +-
net/openvswitch/conntrack.c | 38 ++---
net/packet/af_packet.c | 9 +-
net/rxrpc/call_object.c | 27 +++-
net/rxrpc/conn_object.c | 8 +-
net/rxrpc/recvmsg.c | 2 +-
net/rxrpc/sendmsg.c | 3 +
net/socket.c | 2 +-
net/wireless/nl80211.c | 6 +-
security/smack/smackfs.c | 19 ++-
sound/core/seq/oss/seq_oss.c | 8 +-
sound/pci/echoaudio/echoaudio.c | 2 -
sound/soc/intel/boards/bxt_rt298.c | 2 +
sound/usb/card.h | 1 +
sound/usb/mixer_quirks.c | 1 +
sound/usb/pcm.c | 6 +
sound/usb/quirks-table.h | 64 +++++++-
sound/usb/quirks.c | 3 +
sound/usb/stream.c | 1 +
tools/build/Build.include | 3 +-
tools/build/Makefile.feature | 2 +-
tools/build/feature/Makefile | 2 -
tools/lib/traceevent/event-parse.c | 1 +
tools/perf/bench/mem-functions.c | 21 +--
.../perf/util/intel-pt-decoder/intel-pt-decoder.c | 21 +--
tools/testing/selftests/net/msg_zerocopy.c | 5 +-
.../selftests/powerpc/benchmarks/context_switch.c | 21 ++-
tools/testing/selftests/powerpc/utils.c | 37 +++--
243 files changed, 1619 insertions(+), 825 deletions(-)
From: Peilin Ye <[email protected]>
commit 75bbd2ea50ba1c5d9da878a17e92eac02fe0fd3a upstream.
Check `num_rsp` before using it as for-loop counter.
Cc: [email protected]
Signed-off-by: Peilin Ye <[email protected]>
Signed-off-by: Marcel Holtmann <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/bluetooth/hci_event.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2094,7 +2094,7 @@ static void hci_inquiry_result_evt(struc
BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
- if (!num_rsp)
+ if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1)
return;
if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
From: Jann Horn <[email protected]>
commit 4b836a1426cb0f1ef2a6e211d7e553221594f8fc upstream.
Binder is designed such that a binder_proc never has references to
itself. If this rule is violated, memory corruption can occur when a
process sends a transaction to itself; see e.g.
<https://syzkaller.appspot.com/bug?extid=09e05aba06723a94d43d>.
There is a remaining edgecase through which such a transaction-to-self
can still occur from the context of a task with BINDER_SET_CONTEXT_MGR
access:
- task A opens /dev/binder twice, creating binder_proc instances P1
and P2
- P1 becomes context manager
- P2 calls ACQUIRE on the magic handle 0, allocating index 0 in its
handle table
- P1 dies (by closing the /dev/binder fd and waiting a bit)
- P2 becomes context manager
- P2 calls ACQUIRE on the magic handle 0, allocating index 1 in its
handle table
[this triggers a warning: "binder: 1974:1974 tried to acquire
reference to desc 0, got 1 instead"]
- task B opens /dev/binder once, creating binder_proc instance P3
- P3 calls P2 (via magic handle 0) with (void*)1 as argument (two-way
transaction)
- P2 receives the handle and uses it to call P3 (two-way transaction)
- P3 calls P2 (via magic handle 0) (two-way transaction)
- P2 calls P2 (via handle 1) (two-way transaction)
And then, if P2 does *NOT* accept the incoming transaction work, but
instead closes the binder fd, we get a crash.
Solve it by preventing the context manager from using ACQUIRE on ref 0.
There shouldn't be any legitimate reason for the context manager to do
that.
Additionally, print a warning if someone manages to find another way to
trigger a transaction-to-self bug in the future.
Cc: [email protected]
Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
Acked-by: Todd Kjos <[email protected]>
Signed-off-by: Jann Horn <[email protected]>
Reviewed-by: Martijn Coenen <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/android/binder.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2813,6 +2813,12 @@ static void binder_transaction(struct bi
goto err_dead_binder;
}
e->to_node = target_node->debug_id;
+ if (WARN_ON(proc == target_proc)) {
+ return_error = BR_FAILED_REPLY;
+ return_error_param = -EINVAL;
+ return_error_line = __LINE__;
+ goto err_invalid_target_handle;
+ }
if (security_binder_transaction(proc->tsk,
target_proc->tsk) < 0) {
return_error = BR_FAILED_REPLY;
@@ -3288,10 +3294,17 @@ static int binder_thread_write(struct bi
struct binder_node *ctx_mgr_node;
mutex_lock(&context->context_mgr_node_lock);
ctx_mgr_node = context->binder_context_mgr_node;
- if (ctx_mgr_node)
+ if (ctx_mgr_node) {
+ if (ctx_mgr_node->proc == proc) {
+ binder_user_error("%d:%d context manager tried to acquire desc 0\n",
+ proc->pid, thread->pid);
+ mutex_unlock(&context->context_mgr_node_lock);
+ return -EINVAL;
+ }
ret = binder_inc_ref_for_node(
proc, ctx_mgr_node,
strong, NULL, &rdata);
+ }
mutex_unlock(&context->context_mgr_node_lock);
}
if (ret)
From: Erik Ekman <[email protected]>
commit d2a4309c1ab6df424b2239fe2920d6f26f808d17 upstream.
When running qmi-firmware-update on the Sierra Wireless EM7305 in a Toshiba
laptop, it changed product ID to 0x9062 when entering QDL mode:
usb 2-4: new high-speed USB device number 78 using xhci_hcd
usb 2-4: New USB device found, idVendor=1199, idProduct=9062, bcdDevice= 0.00
usb 2-4: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 2-4: Product: EM7305
usb 2-4: Manufacturer: Sierra Wireless, Incorporated
The upgrade could complete after running
# echo 1199 9062 > /sys/bus/usb-serial/drivers/qcserial/new_id
qcserial 2-4:1.0: Qualcomm USB modem converter detected
usb 2-4: Qualcomm USB modem converter now attached to ttyUSB0
Signed-off-by: Erik Ekman <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Cc: [email protected]
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/usb/serial/qcserial.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/qcserial.c
+++ b/drivers/usb/serial/qcserial.c
@@ -159,6 +159,7 @@ static const struct usb_device_id id_tab
{DEVICE_SWI(0x1199, 0x9056)}, /* Sierra Wireless Modem */
{DEVICE_SWI(0x1199, 0x9060)}, /* Sierra Wireless Modem */
{DEVICE_SWI(0x1199, 0x9061)}, /* Sierra Wireless Modem */
+ {DEVICE_SWI(0x1199, 0x9062)}, /* Sierra Wireless EM7305 QDL */
{DEVICE_SWI(0x1199, 0x9063)}, /* Sierra Wireless EM7305 */
{DEVICE_SWI(0x1199, 0x9070)}, /* Sierra Wireless MC74xx */
{DEVICE_SWI(0x1199, 0x9071)}, /* Sierra Wireless MC74xx */
From: Yunhai Zhang <[email protected]>
commit ebfdfeeae8c01fcb2b3b74ffaf03876e20835d2d upstream.
vgacon_scrollback_update() always leaves enbough room in the scrollback
buffer for the next call, but if the console size changed that room
might not actually be enough, and so we need to re-check.
The check should be in the loop since vgacon_scrollback_cur->tail is
updated in the loop and count may be more than 1 when triggered by CSI M,
as Jiri's PoC:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <fcntl.h>
int main(int argc, char** argv)
{
int fd = open("/dev/tty1", O_RDWR);
unsigned short size[3] = {25, 200, 0};
ioctl(fd, 0x5609, size); // VT_RESIZE
write(fd, "\e[1;1H", 6);
for (int i = 0; i < 30; i++)
write(fd, "\e[10M", 5);
}
It leads to various crashes as vgacon_scrollback_update writes out of
the buffer:
BUG: unable to handle page fault for address: ffffc900001752a0
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
RIP: 0010:mutex_unlock+0x13/0x30
...
Call Trace:
n_tty_write+0x1a0/0x4d0
tty_write+0x1a0/0x2e0
Or to KASAN reports:
BUG: KASAN: slab-out-of-bounds in vgacon_scroll+0x57a/0x8ed
This fixes CVE-2020-14331.
Reported-by: 张云海 <[email protected]>
Reported-by: Yang Yingliang <[email protected]>
Reported-by: Kyungtae Kim <[email protected]>
Fixes: 15bdab959c9b ([PATCH] vgacon: Add support for soft scrollback)
Cc: [email protected]
Cc: [email protected]
Cc: Linus Torvalds <[email protected]>
Cc: Solar Designer <[email protected]>
Cc: "Srivatsa S. Bhat" <[email protected]>
Cc: Anthony Liguori <[email protected]>
Cc: Yang Yingliang <[email protected]>
Cc: Bartlomiej Zolnierkiewicz <[email protected]>
Cc: Jiri Slaby <[email protected]>
Signed-off-by: Yunhai Zhang <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/video/console/vgacon.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/video/console/vgacon.c
+++ b/drivers/video/console/vgacon.c
@@ -246,6 +246,10 @@ static void vgacon_scrollback_update(str
p = (void *) (c->vc_origin + t * c->vc_size_row);
while (count--) {
+ if ((vgacon_scrollback_cur->tail + c->vc_size_row) >
+ vgacon_scrollback_cur->size)
+ vgacon_scrollback_cur->tail = 0;
+
scr_memcpyw(vgacon_scrollback_cur->data +
vgacon_scrollback_cur->tail,
p, c->vc_size_row);
From: Greg Kroah-Hartman <[email protected]>
commit f7e6b19bc76471ba03725fe58e0c218a3d6266c3 upstream.
When doing a "write" ioctl call, properly check that we have permissions
to do so before copying anything from userspace or anything else so we
can "fail fast". This includes also covering the MEMWRITE ioctl which
previously missed checking for this.
Cc: Miquel Raynal <[email protected]>
Cc: Richard Weinberger <[email protected]>
Cc: Vignesh Raghavendra <[email protected]>
Cc: stable <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[rw: Fixed locking issue]
Signed-off-by: Richard Weinberger <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/mtd/mtdchar.c | 56 +++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 47 insertions(+), 9 deletions(-)
--- a/drivers/mtd/mtdchar.c
+++ b/drivers/mtd/mtdchar.c
@@ -372,9 +372,6 @@ static int mtdchar_writeoob(struct file
uint32_t retlen;
int ret = 0;
- if (!(file->f_mode & FMODE_WRITE))
- return -EPERM;
-
if (length > 4096)
return -EINVAL;
@@ -681,6 +678,48 @@ static int mtdchar_ioctl(struct file *fi
return -EFAULT;
}
+ /*
+ * Check the file mode to require "dangerous" commands to have write
+ * permissions.
+ */
+ switch (cmd) {
+ /* "safe" commands */
+ case MEMGETREGIONCOUNT:
+ case MEMGETREGIONINFO:
+ case MEMGETINFO:
+ case MEMREADOOB:
+ case MEMREADOOB64:
+ case MEMLOCK:
+ case MEMUNLOCK:
+ case MEMISLOCKED:
+ case MEMGETOOBSEL:
+ case MEMGETBADBLOCK:
+ case MEMSETBADBLOCK:
+ case OTPSELECT:
+ case OTPGETREGIONCOUNT:
+ case OTPGETREGIONINFO:
+ case OTPLOCK:
+ case ECCGETLAYOUT:
+ case ECCGETSTATS:
+ case MTDFILEMODE:
+ case BLKPG:
+ case BLKRRPART:
+ break;
+
+ /* "dangerous" commands */
+ case MEMERASE:
+ case MEMERASE64:
+ case MEMWRITEOOB:
+ case MEMWRITEOOB64:
+ case MEMWRITE:
+ if (!(file->f_mode & FMODE_WRITE))
+ return -EPERM;
+ break;
+
+ default:
+ return -ENOTTY;
+ }
+
switch (cmd) {
case MEMGETREGIONCOUNT:
if (copy_to_user(argp, &(mtd->numeraseregions), sizeof(int)))
@@ -728,9 +767,6 @@ static int mtdchar_ioctl(struct file *fi
{
struct erase_info *erase;
- if(!(file->f_mode & FMODE_WRITE))
- return -EPERM;
-
erase=kzalloc(sizeof(struct erase_info),GFP_KERNEL);
if (!erase)
ret = -ENOMEM;
@@ -1051,9 +1087,6 @@ static int mtdchar_ioctl(struct file *fi
ret = 0;
break;
}
-
- default:
- ret = -ENOTTY;
}
return ret;
@@ -1097,6 +1130,11 @@ static long mtdchar_compat_ioctl(struct
struct mtd_oob_buf32 buf;
struct mtd_oob_buf32 __user *buf_user = argp;
+ if (!(file->f_mode & FMODE_WRITE)) {
+ ret = -EPERM;
+ break;
+ }
+
if (copy_from_user(&buf, argp, sizeof(buf)))
ret = -EFAULT;
else
From: Adam Ford <[email protected]>
commit 254503a2b186caa668a188dbbd7ab0d25149c0a5 upstream.
The drm/omap driver was fixed to correct an issue where using a
divider of 32 breaks the DSS despite the TRM stating 32 is a valid
number. Through experimentation, it appears that 31 works, and
it is consistent with the value used by the drm/omap driver.
This patch fixes the divider for fbdev driver instead of the drm.
Fixes: f76ee892a99e ("omapfb: copy omapdss & displays for omapfb")
Cc: <[email protected]> #4.5+
Signed-off-by: Adam Ford <[email protected]>
Reviewed-by: Tomi Valkeinen <[email protected]>
Cc: Dave Airlie <[email protected]>
Cc: Rob Clark <[email protected]>
[b.zolnierkie: mark patch as applicable to stable 4.5+ (was 4.9+)]
Signed-off-by: Bartlomiej Zolnierkiewicz <[email protected]>
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/video/fbdev/omap2/omapfb/dss/dss.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/video/fbdev/omap2/omapfb/dss/dss.c
+++ b/drivers/video/fbdev/omap2/omapfb/dss/dss.c
@@ -843,7 +843,7 @@ static const struct dss_features omap34x
};
static const struct dss_features omap3630_dss_feats = {
- .fck_div_max = 32,
+ .fck_div_max = 31,
.dss_fck_multiplier = 1,
.parent_clk_name = "dpll4_ck",
.dpi_select_source = &dss_dpi_select_source_omap2_omap3,
From: Peilin Ye <[email protected]>
commit 629b49c848ee71244203934347bd7730b0ddee8d upstream.
Check `num_rsp` before using it as for-loop counter. Add `unlock` label.
Cc: [email protected]
Signed-off-by: Peilin Ye <[email protected]>
Signed-off-by: Marcel Holtmann <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/bluetooth/hci_event.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -3623,6 +3623,9 @@ static void hci_inquiry_result_with_rssi
struct inquiry_info_with_rssi_and_pscan_mode *info;
info = (void *) (skb->data + 1);
+ if (skb->len < num_rsp * sizeof(*info) + 1)
+ goto unlock;
+
for (; num_rsp; num_rsp--, info++) {
u32 flags;
@@ -3644,6 +3647,9 @@ static void hci_inquiry_result_with_rssi
} else {
struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
+ if (skb->len < num_rsp * sizeof(*info) + 1)
+ goto unlock;
+
for (; num_rsp; num_rsp--, info++) {
u32 flags;
@@ -3664,6 +3670,7 @@ static void hci_inquiry_result_with_rssi
}
}
+unlock:
hci_dev_unlock(hdev);
}
On 20/08/2020 10:19, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.194 release.
> There are 228 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 22 Aug 2020 09:15:09 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.194-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
> -------------
> Pseudo-Shortlog of commits:
...
> Tomasz Maciej Nowak <[email protected]>
> arm64: dts: marvell: espressobin: add ethernet alias
The above change is causing the following build failure for ARM64 ...
arch/arm64/boot/dts/marvell/armada-3720-espressobin.dtb: ERROR (path_references): Reference to non-existent node or label "uart1"
ERROR: Input tree has errors, aborting (use -f to force output)
scripts/Makefile.lib:317: recipe for target 'arch/arm64/boot/dts/marvell/armada-3720-espressobin.dtb' failed
make[3]: *** [arch/arm64/boot/dts/marvell/armada-3720-espressobin.dtb] Error 2
Reverting this fixes the problem.
Cheers
Jon
--
nvpublic
On Thu, Aug 20, 2020 at 12:57:36PM +0100, Jon Hunter wrote:
>
> On 20/08/2020 10:19, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.14.194 release.
> > There are 228 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Sat, 22 Aug 2020 09:15:09 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.194-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
> >
> > -------------
> > Pseudo-Shortlog of commits:
>
> ...
>
> > Tomasz Maciej Nowak <[email protected]>
> > arm64: dts: marvell: espressobin: add ethernet alias
>
>
> The above change is causing the following build failure for ARM64 ...
>
> arch/arm64/boot/dts/marvell/armada-3720-espressobin.dtb: ERROR (path_references): Reference to non-existent node or label "uart1"
> ERROR: Input tree has errors, aborting (use -f to force output)
> scripts/Makefile.lib:317: recipe for target 'arch/arm64/boot/dts/marvell/armada-3720-espressobin.dtb' failed
> make[3]: *** [arch/arm64/boot/dts/marvell/armada-3720-espressobin.dtb] Error 2
>
> Reverting this fixes the problem.
Thanks, now dropping it. Sad as it said it was to be backported here...
Will go push out a -rc2 with that fixed.
thanks,
greg k-h
On Thu, Aug 20, 2020 at 02:38:28PM +0200, Greg Kroah-Hartman wrote:
> On Thu, Aug 20, 2020 at 12:57:36PM +0100, Jon Hunter wrote:
> >
> > On 20/08/2020 10:19, Greg Kroah-Hartman wrote:
> > > This is the start of the stable review cycle for the 4.14.194 release.
> > > There are 228 patches in this series, all will be posted as a response
> > > to this one. If anyone has any issues with these being applied, please
> > > let me know.
> > >
> > > Responses should be made by Sat, 22 Aug 2020 09:15:09 +0000.
> > > Anything received after that time might be too late.
> > >
> > > The whole patch series can be found in one patch at:
> > > https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.194-rc1.gz
> > > or in the git tree and branch at:
> > > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> > > and the diffstat can be found below.
> > >
> > > thanks,
> > >
> > > greg k-h
> > >
> > > -------------
> > > Pseudo-Shortlog of commits:
> >
> > ...
> >
> > > Tomasz Maciej Nowak <[email protected]>
> > > arm64: dts: marvell: espressobin: add ethernet alias
> >
> >
> > The above change is causing the following build failure for ARM64 ...
> >
> > arch/arm64/boot/dts/marvell/armada-3720-espressobin.dtb: ERROR (path_references): Reference to non-existent node or label "uart1"
> > ERROR: Input tree has errors, aborting (use -f to force output)
> > scripts/Makefile.lib:317: recipe for target 'arch/arm64/boot/dts/marvell/armada-3720-espressobin.dtb' failed
> > make[3]: *** [arch/arm64/boot/dts/marvell/armada-3720-espressobin.dtb] Error 2
> >
> > Reverting this fixes the problem.
>
> Thanks, now dropping it. Sad as it said it was to be backported here...
>
> Will go push out a -rc2 with that fixed.
Well, will push out -rc2 once kernel.org's maintenance is finished,
might be an hour or so...
thanks,
greg k-h
On Thu, Aug 20, 2020 at 02:44:45PM +0200, Greg Kroah-Hartman wrote:
> On Thu, Aug 20, 2020 at 02:38:28PM +0200, Greg Kroah-Hartman wrote:
> > On Thu, Aug 20, 2020 at 12:57:36PM +0100, Jon Hunter wrote:
> > >
> > > On 20/08/2020 10:19, Greg Kroah-Hartman wrote:
> > > > This is the start of the stable review cycle for the 4.14.194 release.
> > > > There are 228 patches in this series, all will be posted as a response
> > > > to this one. If anyone has any issues with these being applied, please
> > > > let me know.
> > > >
> > > > Responses should be made by Sat, 22 Aug 2020 09:15:09 +0000.
> > > > Anything received after that time might be too late.
> > > >
> > > > The whole patch series can be found in one patch at:
> > > > https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.194-rc1.gz
> > > > or in the git tree and branch at:
> > > > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> > > > and the diffstat can be found below.
> > > >
> > > > thanks,
> > > >
> > > > greg k-h
> > > >
> > > > -------------
> > > > Pseudo-Shortlog of commits:
> > >
> > > ...
> > >
> > > > Tomasz Maciej Nowak <[email protected]>
> > > > arm64: dts: marvell: espressobin: add ethernet alias
> > >
> > >
> > > The above change is causing the following build failure for ARM64 ...
> > >
> > > arch/arm64/boot/dts/marvell/armada-3720-espressobin.dtb: ERROR (path_references): Reference to non-existent node or label "uart1"
> > > ERROR: Input tree has errors, aborting (use -f to force output)
> > > scripts/Makefile.lib:317: recipe for target 'arch/arm64/boot/dts/marvell/armada-3720-espressobin.dtb' failed
> > > make[3]: *** [arch/arm64/boot/dts/marvell/armada-3720-espressobin.dtb] Error 2
> > >
> > > Reverting this fixes the problem.
> >
> > Thanks, now dropping it. Sad as it said it was to be backported here...
> >
> > Will go push out a -rc2 with that fixed.
>
> Well, will push out -rc2 once kernel.org's maintenance is finished,
> might be an hour or so...
Now pushed out!