This is the start of the stable review cycle for the 4.14.204 release.
There are 125 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu, 05 Nov 2020 20:29:58 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.204-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <[email protected]>
Linux 4.14.204-rc1
Alexander Sverdlin <[email protected]>
staging: octeon: Drop on uncorrectable alignment or FCS error
Alexander Sverdlin <[email protected]>
staging: octeon: repair "fixed-link" support
Ian Abbott <[email protected]>
staging: comedi: cb_pcidas: Allow 2-channel commands for AO subdevice
Marc Zyngier <[email protected]>
KVM: arm64: Fix AArch32 handling of DBGD{CCINT,SCRext} and DBGVCR
Andy Shevchenko <[email protected]>
device property: Don't clear secondary pointer for shared primary firmware node
Andy Shevchenko <[email protected]>
device property: Keep secondary firmware node secondary by type
Krzysztof Kozlowski <[email protected]>
ARM: s3c24xx: fix missing system reset
Krzysztof Kozlowski <[email protected]>
ARM: samsung: fix PM debug build with DEBUG_LL but !MMU
Frank Wunderlich <[email protected]>
arm: dts: mt7623: add missing pause for switchport
Helge Deller <[email protected]>
hil/parisc: Disable HIL driver when it gets stuck
Matthew Wilcox (Oracle) <[email protected]>
cachefiles: Handle readpage error correctly
Jisheng Zhang <[email protected]>
arm64: berlin: Select DW_APB_TIMER_OF
Linus Torvalds <[email protected]>
tty: make FONTX ioctl use the tty pointer they were actually passed
Bartosz Golaszewski <[email protected]>
rtc: rx8010: don't modify the global rtc ops
Dave Airlie <[email protected]>
drm/ttm: fix eviction valuable range check.
Constantine Sapuntzakis <[email protected]>
ext4: fix superblock checksum calculation race
Luo Meng <[email protected]>
ext4: fix invalid inode checksum
Dinghao Liu <[email protected]>
ext4: fix error handling code in add_new_gdb
Eric Biggers <[email protected]>
ext4: fix leaking sysfs kobject after failed mount
Stefano Garzarella <[email protected]>
vringh: fix __vringh_iov() when riov and wiov are different
Qiujun Huang <[email protected]>
ring-buffer: Return 0 on success from ring_buffer_resize()
Matthew Wilcox (Oracle) <[email protected]>
9P: Cast to loff_t before multiplying
Ilya Dryomov <[email protected]>
libceph: clear con->out_msg on Policy::stateful_server faults
Matthew Wilcox (Oracle) <[email protected]>
ceph: promote to unsigned long long before shifting
Madhav Chauhan <[email protected]>
drm/amdgpu: don't map BO in reserved region
Krzysztof Kozlowski <[email protected]>
ia64: fix build error with !COREDUMP
Zhihao Cheng <[email protected]>
ubi: check kthread_should_stop() after the setting of task state
Jiri Olsa <[email protected]>
perf python scripting: Fix printable strings in python3 scripts
Zhihao Cheng <[email protected]>
ubifs: dent: Fix some potential memory leaks while iterating entries
Chuck Lever <[email protected]>
NFSD: Add missing NFSv2 .pc_func methods
Olga Kornievskaia <[email protected]>
NFSv4.2: support EXCHGID4_FLAG_SUPP_FENCE_OPS 4.2 EXCHANGE_ID flag
Mahesh Salgaonkar <[email protected]>
powerpc/powernv/elog: Fix race while processing OPAL error log event.
Joel Stanley <[email protected]>
powerpc: Warn about use of smt_snooze_delay
Andrew Donnellan <[email protected]>
powerpc/rtas: Restrict RTAS requests from userspace
Sven Schnelle <[email protected]>
s390/stp: add locking to sysfs functions
Jonathan Cameron <[email protected]>
iio:gyro:itg3200: Fix timestamp alignment and prevent data leak.
Jonathan Cameron <[email protected]>
iio:adc:ti-adc12138 Fix alignment issue with timestamp
Jonathan Cameron <[email protected]>
iio:adc:ti-adc0832 Fix alignment issue with timestamp
Jonathan Cameron <[email protected]>
iio:light:si1145: Fix timestamp alignment and prevent data leak.
Paul Cercueil <[email protected]>
dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status
Jiri Slaby <[email protected]>
vt: keyboard, extend func_buf_lock to readers
Jiri Slaby <[email protected]>
vt: keyboard, simplify vt_kdgkbsent
Chris Wilson <[email protected]>
drm/i915: Force VT'd workarounds when running as a guest OS
Ran Wang <[email protected]>
usb: host: fsl-mph-dr-of: check return of dma_set_mask()
Jerome Brunet <[email protected]>
usb: cdc-acm: fix cooldown mechanism
Li Jun <[email protected]>
usb: dwc3: core: don't trigger runtime pm when remove driver
Li Jun <[email protected]>
usb: dwc3: core: add phy cleanup for probe error handling
Thinh Nguyen <[email protected]>
usb: dwc3: ep0: Fix ZLP for OUT ep0 requests
Filipe Manana <[email protected]>
btrfs: fix use-after-free on readahead extent after failure to create it
Josef Bacik <[email protected]>
btrfs: cleanup cow block on error
Denis Efremov <[email protected]>
btrfs: use kvzalloc() to allocate clone_roots in btrfs_ioctl_send()
Filipe Manana <[email protected]>
btrfs: send, recompute reference path after orphanization of a directory
Filipe Manana <[email protected]>
btrfs: reschedule if necessary when logging directory items
Helge Deller <[email protected]>
scsi: mptfusion: Fix null pointer dereferences in mptscsih_remove()
Martin Fuzzey <[email protected]>
w1: mxc_w1: Fix timeout resolution problem leading to bus error
Wei Huang <[email protected]>
acpi-cpufreq: Honor _PSD table setting on new AMD CPUs
Jamie Iles <[email protected]>
ACPI: debug: don't allow debugging when ACPI is disabled
Alex Hung <[email protected]>
ACPI: video: use ACPI backlight for HP 635 Notebook
Ben Hutchings <[email protected]>
ACPI / extlog: Check for RDMSR failure
Ashish Sangwan <[email protected]>
NFS: fix nfs_path in case of a rename retry
Jan Kara <[email protected]>
fs: Don't invalidate page buffers in block_write_full_page()
Marek Behún <[email protected]>
leds: bcm6328, bcm6358: use devres LED registering function
Kim Phillips <[email protected]>
perf/x86/amd/ibs: Fix raw sample data accumulation
Kim Phillips <[email protected]>
perf/x86/amd/ibs: Don't include randomized bits in get_ibs_op_count()
Song Liu <[email protected]>
md/raid5: fix oops during stripe resizing
Chao Leng <[email protected]>
nvme-rdma: fix crash when connect rejected
Douglas Gilbert <[email protected]>
sgl_alloc_order: fix memory leak
Xiubo Li <[email protected]>
nbd: make the config put is called before the notifying the waiter
Krzysztof Kozlowski <[email protected]>
ARM: dts: s5pv210: remove dedicated 'audio-subsystem' node
Krzysztof Kozlowski <[email protected]>
ARM: dts: s5pv210: move PMU node out of clock controller
Krzysztof Kozlowski <[email protected]>
ARM: dts: s5pv210: remove DMA controller bus node name to fix dtschema warnings
Dan Carpenter <[email protected]>
memory: emif: Remove bogus debugfs error handling
Yoshihiro Shimoda <[email protected]>
arm64: dts: renesas: ulcb: add full-pwr-cycle-in-suspend into eMMC nodes
Anant Thazhemadam <[email protected]>
gfs2: add validation checks for size of superblock
Jan Kara <[email protected]>
ext4: Detect already used quota file early
Madhuparna Bhowmik <[email protected]>
drivers: watchdog: rdc321x_wdt: Fix race condition bugs
Anant Thazhemadam <[email protected]>
net: 9p: initialize sun_server.sun_path to have addr's value only when addr is valid
Lorenzo Pieralisi <[email protected]>
asm-generic/io.h: Fix !CONFIG_GENERIC_IOMAP pci_iounmap() implementation
Tero Kristo <[email protected]>
clk: ti: clockdomain: fix static checker warning
Michael Chan <[email protected]>
bnxt_en: Log unknown link speed appropriately.
Zhao Heming <[email protected]>
md/bitmap: md_bitmap_get_counter returns wrong blocks
Xiongfeng Wang <[email protected]>
power: supply: test_power: add missing newlines when printing parameters by sysfs
Diana Craciun <[email protected]>
bus/fsl_mc: Do not rely on caller to provide non NULL mc_io
Xie He <[email protected]>
drivers/net/wan/hdlc_fr: Correctly handle special skb->protocol values
Jonathan Cameron <[email protected]>
ACPI: Add out of bounds and numa_off protections to pxm_to_node()
Zhengyuan Liu <[email protected]>
arm64/mm: return cpu_all_mask when node is NUMA_NO_NODE
Lang Dai <[email protected]>
uio: free uio id after uio file node is freed
Oliver Neukum <[email protected]>
USB: adutux: fix debugging
Alain Volmat <[email protected]>
cpufreq: sti-cpufreq: add stih418 support
Douglas Anderson <[email protected]>
kgdb: Make "kgdbcon" work properly with "kgdb_earlycon"
John Ogness <[email protected]>
printk: reduce LOG_BUF_SHIFT range for H8300
Antonio Borneo <[email protected]>
drm/bridge/synopsys: dsi: add support for non-continuous HS clock
Madhuparna Bhowmik <[email protected]>
mmc: via-sdmmc: Fix data race bug
Tom Rix <[email protected]>
media: tw5864: check status of tw5864_frameinterval_get
Badhri Jagan Sridharan <[email protected]>
usb: typec: tcpm: During PR_SWAP, source caps should be sent only after tSwapSourceStart
Xia Jiang <[email protected]>
media: platform: Improve queue set up flow for bug fixing
Hans Verkuil <[email protected]>
media: videodev2.h: RGB BT2020 and HSV are always full range
Nadezda Lutovinova <[email protected]>
drm/brige/megachips: Add checking if ge_b850v3_lvds_init() is working correctly
Sathishkumar Muruganandam <[email protected]>
ath10k: fix VHT NSS calculation when STBC is enabled
Wen Gong <[email protected]>
ath10k: start recovery process when payload length exceeds max htc length for sdio
Tom Rix <[email protected]>
video: fbdev: pvr2fb: initialize variables
Darrick J. Wong <[email protected]>
xfs: fix realtime bitmap/summary file truncation when growing rt volume
Douglas Anderson <[email protected]>
ARM: 8997/2: hw_breakpoint: Handle inexact watchpoint addresses
Johannes Berg <[email protected]>
um: change sigio_spinlock to a mutex
Chao Yu <[email protected]>
f2fs: fix to check segment boundary during SIT page readahead
Zhang Qilong <[email protected]>
f2fs: add trace exit in exception path
Nicholas Piggin <[email protected]>
sparc64: remove mm_cpumask clearing to fix kthread_use_mm race
Nicholas Piggin <[email protected]>
powerpc: select ARCH_WANT_IRQS_OFF_ACTIVATE_MM
Oliver O'Halloran <[email protected]>
powerpc/powernv/smp: Fix spurious DBG() warning
Mateusz Nosek <[email protected]>
futex: Fix incorrect should_fail_futex() handling
Amit Cohen <[email protected]>
mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish()
Jiri Slaby <[email protected]>
x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels
Eric Biggers <[email protected]>
fscrypt: return -EXDEV for incompatible rename or link into encrypted dir
Geert Uytterhoeven <[email protected]>
ata: sata_rcar: Fix DMA boundary mask
Gustavo A. R. Silva <[email protected]>
mtd: lpddr: Fix bad logic in print_drs_error
Jia-Ju Bai <[email protected]>
p54: avoid accessing the data mapped to streaming DMA
Miklos Szeredi <[email protected]>
fuse: fix page dereference after free
Juergen Gross <[email protected]>
x86/xen: disable Firmware First mode for correctable memory errors
Kim Phillips <[email protected]>
arch/x86/amd/ibs: Fix re-arming IBS Fetch
Tung Nguyen <[email protected]>
tipc: fix memory leak caused by tipc_buf_append()
Andrew Gabbasov <[email protected]>
ravb: Fix bit fields checking in ravb_hwtstamp_get()
Masahiro Fujiwara <[email protected]>
gtp: fix an use-before-init in gtp_newlink()
Michael Schaller <[email protected]>
efivarfs: Replace invalid slashes with exclamation marks in dentries.
Nick Desaulniers <[email protected]>
arm64: link with -z norelro regardless of CONFIG_RELOCATABLE
Rasmus Villemoes <[email protected]>
scripts/setlocalversion: make git describe output more reliable
-------------
Diffstat:
Documentation/media/uapi/v4l/colorspaces-defs.rst | 9 +-
.../media/uapi/v4l/colorspaces-details.rst | 5 +-
Makefile | 4 +-
arch/arm/Kconfig | 2 +
arch/arm/boot/dts/mt7623n-bananapi-bpi-r2.dts | 1 +
arch/arm/boot/dts/s5pv210.dtsi | 127 ++++++++---------
arch/arm/kernel/hw_breakpoint.c | 100 ++++++++++----
arch/arm/plat-samsung/Kconfig | 1 +
arch/arm64/Kconfig.platforms | 1 +
arch/arm64/Makefile | 4 +-
arch/arm64/boot/dts/renesas/ulcb.dtsi | 1 +
arch/arm64/include/asm/kvm_host.h | 1 +
arch/arm64/include/asm/numa.h | 3 +
arch/arm64/kvm/sys_regs.c | 6 +-
arch/arm64/mm/numa.c | 6 +-
arch/ia64/kernel/Makefile | 2 +-
arch/powerpc/Kconfig | 14 ++
arch/powerpc/include/asm/mmu_context.h | 2 +-
arch/powerpc/kernel/rtas.c | 153 +++++++++++++++++++++
arch/powerpc/kernel/sysfs.c | 42 +++---
arch/powerpc/platforms/powernv/opal-elog.c | 33 ++++-
arch/powerpc/platforms/powernv/smp.c | 2 +-
arch/s390/kernel/time.c | 118 +++++++++++-----
arch/sparc/kernel/smp_64.c | 65 ++-------
arch/um/kernel/sigio.c | 6 +-
arch/x86/events/amd/ibs.c | 53 +++++--
arch/x86/include/asm/msr-index.h | 1 +
arch/x86/kernel/unwind_orc.c | 9 +-
arch/x86/xen/enlighten_pv.c | 9 ++
drivers/acpi/acpi_dbg.c | 3 +
drivers/acpi/acpi_extlog.c | 6 +-
drivers/acpi/numa.c | 2 +-
drivers/acpi/video_detect.c | 9 ++
drivers/ata/sata_rcar.c | 2 +-
drivers/base/core.c | 4 +-
drivers/block/nbd.c | 2 +-
drivers/clk/ti/clockdomain.c | 2 +
drivers/cpufreq/acpi-cpufreq.c | 3 +-
drivers/cpufreq/sti-cpufreq.c | 6 +-
drivers/dma/dma-jz4780.c | 7 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 10 ++
.../drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c | 12 +-
drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c | 9 +-
drivers/gpu/drm/i915/i915_drv.h | 6 +-
drivers/gpu/drm/ttm/ttm_bo.c | 2 +-
drivers/iio/adc/ti-adc0832.c | 11 +-
drivers/iio/adc/ti-adc12138.c | 13 +-
drivers/iio/gyro/itg3200_buffer.c | 15 +-
drivers/iio/light/si1145.c | 19 +--
drivers/input/serio/hil_mlc.c | 21 ++-
drivers/input/serio/hp_sdc_mlc.c | 8 +-
drivers/leds/leds-bcm6328.c | 2 +-
drivers/leds/leds-bcm6358.c | 2 +-
drivers/md/bitmap.c | 2 +-
drivers/md/raid5.c | 4 +-
drivers/media/pci/tw5864/tw5864-video.c | 6 +
drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c | 7 +
drivers/memory/emif.c | 33 +----
drivers/message/fusion/mptscsih.c | 13 +-
drivers/mmc/host/via-sdmmc.c | 3 +
drivers/mtd/ubi/wl.c | 13 ++
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 +-
drivers/net/ethernet/mellanox/mlxsw/core.c | 3 +
drivers/net/ethernet/renesas/ravb_main.c | 10 +-
drivers/net/gtp.c | 16 +--
drivers/net/wan/hdlc_fr.c | 98 ++++++-------
drivers/net/wireless/ath/ath10k/htt_rx.c | 8 +-
drivers/net/wireless/ath/ath10k/sdio.c | 4 +
drivers/net/wireless/intersil/p54/p54pci.c | 4 +-
drivers/nvme/host/rdma.c | 1 -
drivers/power/supply/test_power.c | 6 +
drivers/rtc/rtc-rx8010.c | 24 +++-
drivers/staging/comedi/drivers/cb_pcidas.c | 1 +
drivers/staging/fsl-mc/bus/mc-io.c | 7 +-
drivers/staging/octeon/ethernet-mdio.c | 6 -
drivers/staging/octeon/ethernet-rx.c | 34 +++--
drivers/staging/octeon/ethernet.c | 9 ++
drivers/staging/typec/pd.h | 1 +
drivers/staging/typec/tcpm.c | 2 +-
drivers/tty/vt/keyboard.c | 39 +++---
drivers/tty/vt/vt_ioctl.c | 32 +++--
drivers/uio/uio.c | 4 +-
drivers/usb/class/cdc-acm.c | 12 +-
drivers/usb/class/cdc-acm.h | 3 +-
drivers/usb/dwc3/core.c | 15 +-
drivers/usb/dwc3/ep0.c | 11 +-
drivers/usb/host/fsl-mph-dr-of.c | 9 +-
drivers/usb/misc/adutux.c | 1 +
drivers/vhost/vringh.c | 9 +-
drivers/video/fbdev/pvr2fb.c | 2 +
drivers/w1/masters/mxc_w1.c | 14 +-
drivers/watchdog/rdc321x_wdt.c | 5 +-
fs/9p/vfs_file.c | 4 +-
fs/btrfs/ctree.c | 6 +
fs/btrfs/reada.c | 2 +
fs/btrfs/send.c | 74 +++++++++-
fs/btrfs/tree-log.c | 8 ++
fs/buffer.c | 16 ---
fs/cachefiles/rdwr.c | 3 +-
fs/ceph/addr.c | 2 +-
fs/crypto/policy.c | 3 +-
fs/efivarfs/super.c | 3 +
fs/ext4/inode.c | 11 +-
fs/ext4/namei.c | 6 +-
fs/ext4/resize.c | 4 +-
fs/ext4/super.c | 17 +++
fs/f2fs/checkpoint.c | 8 +-
fs/f2fs/namei.c | 6 +-
fs/fuse/dev.c | 28 ++--
fs/gfs2/ops_fstype.c | 18 ++-
fs/nfs/namespace.c | 12 +-
fs/nfs/nfs4proc.c | 9 +-
fs/nfsd/nfsproc.c | 16 +++
fs/ubifs/debug.c | 1 +
fs/ubifs/dir.c | 6 +-
fs/xfs/xfs_rtalloc.c | 10 +-
include/asm-generic/io.h | 39 ++++--
include/linux/hil_mlc.h | 2 +-
include/linux/mtd/pfow.h | 2 +-
include/uapi/linux/nfs4.h | 3 +
include/uapi/linux/videodev2.h | 17 ++-
init/Kconfig | 3 +-
kernel/debug/debug_core.c | 22 +--
kernel/futex.c | 4 +-
kernel/trace/ring_buffer.c | 8 +-
lib/scatterlist.c | 2 +-
net/9p/trans_fd.c | 2 +-
net/ceph/messenger.c | 5 +
net/tipc/msg.c | 5 +-
scripts/setlocalversion | 21 ++-
tools/perf/util/print_binary.c | 2 +-
131 files changed, 1227 insertions(+), 616 deletions(-)
From: Helge Deller <[email protected]>
commit 2f4843b172c2c0360ee7792ad98025fae7baefde upstream.
The mptscsih_remove() function triggers a kernel oops if the Scsi_Host
pointer (ioc->sh) is NULL, as can be seen in this syslog:
ioc0: LSI53C1030 B2: Capabilities={Initiator,Target}
Begin: Waiting for root file system ...
scsi host2: error handler thread failed to spawn, error = -4
mptspi: ioc0: WARNING - Unable to register controller with SCSI subsystem
Backtrace:
[<000000001045b7cc>] mptspi_probe+0x248/0x3d0 [mptspi]
[<0000000040946470>] pci_device_probe+0x1ac/0x2d8
[<0000000040add668>] really_probe+0x1bc/0x988
[<0000000040ade704>] driver_probe_device+0x160/0x218
[<0000000040adee24>] device_driver_attach+0x160/0x188
[<0000000040adef90>] __driver_attach+0x144/0x320
[<0000000040ad7c78>] bus_for_each_dev+0xd4/0x158
[<0000000040adc138>] driver_attach+0x4c/0x80
[<0000000040adb3ec>] bus_add_driver+0x3e0/0x498
[<0000000040ae0130>] driver_register+0xf4/0x298
[<00000000409450c4>] __pci_register_driver+0x78/0xa8
[<000000000007d248>] mptspi_init+0x18c/0x1c4 [mptspi]
This patch adds the necessary NULL-pointer checks. Successfully tested on
an HP C8000 parisc workstation with buggy SCSI drives.
Link: https://lore.kernel.org/r/[email protected]
Cc: <[email protected]>
Signed-off-by: Helge Deller <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/message/fusion/mptscsih.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
--- a/drivers/message/fusion/mptscsih.c
+++ b/drivers/message/fusion/mptscsih.c
@@ -1174,8 +1174,10 @@ mptscsih_remove(struct pci_dev *pdev)
MPT_SCSI_HOST *hd;
int sz1;
- if((hd = shost_priv(host)) == NULL)
- return;
+ if (host == NULL)
+ hd = NULL;
+ else
+ hd = shost_priv(host);
mptscsih_shutdown(pdev);
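Review bot: With the early return removed, mptscsih_remove() now runs to the end with hd == NULL whenever host is NULL, so every later use of hd or host in the function needs a guard. The second hunk guards kfree(hd->info_kbuf) and scsi_host_put(host), but the lines between the two hunks are not part of this diff; please confirm nothing there dereferences hd. A one-line comment at the `if (host == NULL)` test saying that ioc->sh can be NULL after a failed probe would also help the next reader.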
@@ -1191,14 +1193,15 @@ mptscsih_remove(struct pci_dev *pdev)
"Free'd ScsiLookup (%d) memory\n",
ioc->name, sz1));
- kfree(hd->info_kbuf);
+ if (hd)
+ kfree(hd->info_kbuf);
/* NULL the Scsi_Host pointer
*/
ioc->sh = NULL;
- scsi_host_put(host);
-
+ if (host)
+ scsi_host_put(host);
mpt_detach(pdev);
}
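Review bot: The blank line between scsi_host_put(host) and mpt_detach(pdev) is dropped here, which is an unrelated whitespace change in a fix headed for stable; I would keep it so the hunk contains only the two NULL guards. On the guards themselves: `if (hd)` is needed because of the hd->info_kbuf dereference rather than for kfree(), which accepts NULL, and ioc->sh = NULL and mpt_detach(pdev) still run unconditionally, which looks intended.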
From: Masahiro Fujiwara <[email protected]>
[ Upstream commit 51467431200b91682b89d31317e35dcbca1469ce ]
*_pdp_find() from gtp_encap_recv() would trigger a crash when a peer
sends GTP packets while creating a new GTP device.
RIP: 0010:gtp1_pdp_find.isra.0+0x68/0x90 [gtp]
<SNIP>
Call Trace:
<IRQ>
gtp_encap_recv+0xc2/0x2e0 [gtp]
? gtp1_pdp_find.isra.0+0x90/0x90 [gtp]
udp_queue_rcv_one_skb+0x1fe/0x530
udp_queue_rcv_skb+0x40/0x1b0
udp_unicast_rcv_skb.isra.0+0x78/0x90
__udp4_lib_rcv+0x5af/0xc70
udp_rcv+0x1a/0x20
ip_protocol_deliver_rcu+0xc5/0x1b0
ip_local_deliver_finish+0x48/0x50
ip_local_deliver+0xe5/0xf0
? ip_protocol_deliver_rcu+0x1b0/0x1b0
gtp_encap_enable() should be called after gtp_hashtable_new(), otherwise
*_pdp_find() will access the uninitialized hash table.
Fixes: 1e3a3abd8b28 ("gtp: make GTP sockets in gtp_newlink optional")
Signed-off-by: Masahiro Fujiwara <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/gtp.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
--- a/drivers/net/gtp.c
+++ b/drivers/net/gtp.c
@@ -667,10 +667,6 @@ static int gtp_newlink(struct net *src_n
gtp = netdev_priv(dev);
- err = gtp_encap_enable(gtp, data);
- if (err < 0)
- return err;
-
if (!data[IFLA_GTP_PDP_HASHSIZE]) {
hashsize = 1024;
} else {
@@ -681,12 +677,16 @@ static int gtp_newlink(struct net *src_n
err = gtp_hashtable_new(gtp, hashsize);
if (err < 0)
- goto out_encap;
+ return err;
+
+ err = gtp_encap_enable(gtp, data);
+ if (err < 0)
+ goto out_hashtable;
err = register_netdevice(dev);
if (err < 0) {
netdev_dbg(dev, "failed to register new netdev %d\n", err);
- goto out_hashtable;
+ goto out_encap;
}
gn = net_generic(dev_net(dev), gtp_net_id);
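Review bot: The ordering constraint this hunk establishes, gtp_hashtable_new() before gtp_encap_enable(), is not stated anywhere in the code, so a later cleanup could move the calls back. A short comment above `err = gtp_encap_enable(gtp, data);` saying that the receive path may look up the hash tables as soon as encapsulation is enabled would protect it. The swapped goto targets (out_hashtable after a failed gtp_encap_enable(), out_encap after a failed register_netdevice()) match the new setup order.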
@@ -697,11 +697,11 @@ static int gtp_newlink(struct net *src_n
return 0;
+out_encap:
+ gtp_encap_disable(gtp);
out_hashtable:
kfree(gtp->addr_hash);
kfree(gtp->tid_hash);
-out_encap:
- gtp_encap_disable(gtp);
return err;
}
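Review bot: At out_encap, gtp_encap_disable(gtp) now falls straight through to kfree(gtp->addr_hash) and kfree(gtp->tid_hash). Since the crash being fixed came from gtp_encap_recv() reading these tables, please confirm that gtp_encap_disable() guarantees no receive callback is still running when the tables are freed on this path; if that guarantee comes from elsewhere, a comment at the label saying so would help.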
From: Antonio Borneo <[email protected]>
[ Upstream commit c6d94e37bdbb6dfe7e581e937a915ab58399b8a5 ]
Current code enables the HS clock when video mode is started or to
send out a HS command, and disables the HS clock to send out a LP
command. This is not what the DSI spec specifies.
Enable the HS clock both in command and in video mode.
Set automatic HS clock management for panels and devices that
support non-continuous HS clock.
Signed-off-by: Antonio Borneo <[email protected]>
Tested-by: Philippe Cornu <[email protected]>
Reviewed-by: Philippe Cornu <[email protected]>
Acked-by: Neil Armstrong <[email protected]>
Signed-off-by: Neil Armstrong <[email protected]>
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c b/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c
index 63c7a01b7053e..d95b0703d0255 100644
--- a/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c
+++ b/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c
@@ -311,7 +311,6 @@ static void dw_mipi_message_config(struct dw_mipi_dsi *dsi,
if (lpm)
val |= CMD_MODE_ALL_LP;
- dsi_write(dsi, DSI_LPCLK_CTRL, lpm ? 0 : PHY_TXREQUESTCLKHS);
dsi_write(dsi, DSI_CMD_MODE_CFG, val);
}
@@ -468,16 +467,22 @@ static void dw_mipi_dsi_video_mode_config(struct dw_mipi_dsi *dsi)
static void dw_mipi_dsi_set_mode(struct dw_mipi_dsi *dsi,
unsigned long mode_flags)
{
+ u32 val;
+
dsi_write(dsi, DSI_PWR_UP, RESET);
if (mode_flags & MIPI_DSI_MODE_VIDEO) {
dsi_write(dsi, DSI_MODE_CFG, ENABLE_VIDEO_MODE);
dw_mipi_dsi_video_mode_config(dsi);
- dsi_write(dsi, DSI_LPCLK_CTRL, PHY_TXREQUESTCLKHS);
} else {
dsi_write(dsi, DSI_MODE_CFG, ENABLE_CMD_MODE);
}
+ val = PHY_TXREQUESTCLKHS;
+ if (dsi->mode_flags & MIPI_DSI_CLOCK_NON_CONTINUOUS)
+ val |= AUTO_CLKLANE_CTRL;
+ dsi_write(dsi, DSI_LPCLK_CTRL, val);
+
dsi_write(dsi, DSI_PWR_UP, POWERUP);
}
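Review bot: The new MIPI_DSI_CLOCK_NON_CONTINUOUS test reads dsi->mode_flags, while the MIPI_DSI_MODE_VIDEO test a few lines above it uses the mode_flags parameter of dw_mipi_dsi_set_mode(). If callers can pass a value that differs from dsi->mode_flags, the mixed use is deliberate and deserves a comment next to `if (dsi->mode_flags & MIPI_DSI_CLOCK_NON_CONTINUOUS)`; if they cannot, use the parameter in both places so the function reads from a single source.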
--
2.27.0
From: Filipe Manana <[email protected]>
commit 83bc1560e02e25c6439341352024ebe8488f4fbd upstream.
If we fail to find suitable zones for a new readahead extent, we end up
leaving a stale pointer in the global readahead extents radix tree
(fs_info->reada_tree), which can trigger the following trace later on:
[13367.696354] BUG: kernel NULL pointer dereference, address: 00000000000000b0
[13367.696802] #PF: supervisor read access in kernel mode
[13367.697249] #PF: error_code(0x0000) - not-present page
[13367.697721] PGD 0 P4D 0
[13367.698171] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI
[13367.698632] CPU: 6 PID: 851214 Comm: btrfs Tainted: G W 5.9.0-rc6-btrfs-next-69 #1
[13367.699100] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[13367.700069] RIP: 0010:__lock_acquire+0x20a/0x3970
[13367.700562] Code: ff 1f 0f b7 c0 48 0f (...)
[13367.701609] RSP: 0018:ffffb14448f57790 EFLAGS: 00010046
[13367.702140] RAX: 0000000000000000 RBX: 29b935140c15e8cf RCX: 0000000000000000
[13367.702698] RDX: 0000000000000002 RSI: ffffffffb3d66bd0 RDI: 0000000000000046
[13367.703240] RBP: ffff8a52ba8ac040 R08: 00000c2866ad9288 R09: 0000000000000001
[13367.703783] R10: 0000000000000001 R11: 00000000b66d9b53 R12: ffff8a52ba8ac9b0
[13367.704330] R13: 0000000000000000 R14: ffff8a532b6333e8 R15: 0000000000000000
[13367.704880] FS: 00007fe1df6b5700(0000) GS:ffff8a5376600000(0000) knlGS:0000000000000000
[13367.705438] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[13367.705995] CR2: 00000000000000b0 CR3: 000000022cca8004 CR4: 00000000003706e0
[13367.706565] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[13367.707127] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[13367.707686] Call Trace:
[13367.708246] ? ___slab_alloc+0x395/0x740
[13367.708820] ? reada_add_block+0xae/0xee0 [btrfs]
[13367.709383] lock_acquire+0xb1/0x480
[13367.709955] ? reada_add_block+0xe0/0xee0 [btrfs]
[13367.710537] ? reada_add_block+0xae/0xee0 [btrfs]
[13367.711097] ? rcu_read_lock_sched_held+0x5d/0x90
[13367.711659] ? kmem_cache_alloc_trace+0x8d2/0x990
[13367.712221] ? lock_acquired+0x33b/0x470
[13367.712784] _raw_spin_lock+0x34/0x80
[13367.713356] ? reada_add_block+0xe0/0xee0 [btrfs]
[13367.713966] reada_add_block+0xe0/0xee0 [btrfs]
[13367.714529] ? btrfs_root_node+0x15/0x1f0 [btrfs]
[13367.715077] btrfs_reada_add+0x117/0x170 [btrfs]
[13367.715620] scrub_stripe+0x21e/0x10d0 [btrfs]
[13367.716141] ? kvm_sched_clock_read+0x5/0x10
[13367.716657] ? __lock_acquire+0x41e/0x3970
[13367.717184] ? scrub_chunk+0x60/0x140 [btrfs]
[13367.717697] ? find_held_lock+0x32/0x90
[13367.718254] ? scrub_chunk+0x60/0x140 [btrfs]
[13367.718773] ? lock_acquired+0x33b/0x470
[13367.719278] ? scrub_chunk+0xcd/0x140 [btrfs]
[13367.719786] scrub_chunk+0xcd/0x140 [btrfs]
[13367.720291] scrub_enumerate_chunks+0x270/0x5c0 [btrfs]
[13367.720787] ? finish_wait+0x90/0x90
[13367.721281] btrfs_scrub_dev+0x1ee/0x620 [btrfs]
[13367.721762] ? rcu_read_lock_any_held+0x8e/0xb0
[13367.722235] ? preempt_count_add+0x49/0xa0
[13367.722710] ? __sb_start_write+0x19b/0x290
[13367.723192] btrfs_ioctl+0x7f5/0x36f0 [btrfs]
[13367.723660] ? __fget_files+0x101/0x1d0
[13367.724118] ? find_held_lock+0x32/0x90
[13367.724559] ? __fget_files+0x101/0x1d0
[13367.724982] ? __x64_sys_ioctl+0x83/0xb0
[13367.725399] __x64_sys_ioctl+0x83/0xb0
[13367.725802] do_syscall_64+0x33/0x80
[13367.726188] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[13367.726574] RIP: 0033:0x7fe1df7add87
[13367.726948] Code: 00 00 00 48 8b 05 09 91 (...)
[13367.727763] RSP: 002b:00007fe1df6b4d48 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[13367.728179] RAX: ffffffffffffffda RBX: 000055ce1fb596a0 RCX: 00007fe1df7add87
[13367.728604] RDX: 000055ce1fb596a0 RSI: 00000000c400941b RDI: 0000000000000003
[13367.729021] RBP: 0000000000000000 R08: 00007fe1df6b5700 R09: 0000000000000000
[13367.729431] R10: 00007fe1df6b5700 R11: 0000000000000246 R12: 00007ffd922b07de
[13367.729842] R13: 00007ffd922b07df R14: 00007fe1df6b4e40 R15: 0000000000802000
[13367.730275] Modules linked in: btrfs blake2b_generic xor (...)
[13367.732638] CR2: 00000000000000b0
[13367.733166] ---[ end trace d298b6805556acd9 ]---
What happens is the following:
1) At reada_find_extent() we don't find any existing readahead extent for
the metadata extent starting at logical address X;
2) So we proceed to create a new one. We then call btrfs_map_block() to get
information about which stripes contain extent X;
3) After that we iterate over the stripes and create only one zone for the
readahead extent - only one because reada_find_zone() returned NULL for
all iterations except for one, either because a memory allocation failed
or it couldn't find the block group of the extent (it may have just been
deleted);
4) We then add the new readahead extent to the readahead extents radix
tree at fs_info->reada_tree;
5) Then we iterate over each zone of the new readahead extent, and find
that the device used for that zone no longer exists, because it was
removed or it was the source device of a device replace operation.
Since this left 'have_zone' set to 0, after finishing the loop we jump
to the 'error' label, call kfree() on the new readahead extent and
return without removing it from the radix tree at fs_info->reada_tree;
6) Any future call to reada_find_extent() for the logical address X will
find the stale pointer in the readahead extents radix tree, increment
its reference counter, which can trigger the use-after-free right
away or return it to the caller reada_add_block() that results in the
use-after-free of the example trace above.
So fix this by making sure we delete the readahead extent from the radix
tree if we fail to set up zones for it (when 'have_zone = 0').
Fixes: 319450211842ba ("btrfs: reada: bypass adding extent when all zone failed")
CC: [email protected] # 4.9+
Reviewed-by: Johannes Thumshirn <[email protected]>
Reviewed-by: Josef Bacik <[email protected]>
Signed-off-by: Filipe Manana <[email protected]>
Reviewed-by: David Sterba <[email protected]>
Signed-off-by: David Sterba <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
fs/btrfs/reada.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/btrfs/reada.c
+++ b/fs/btrfs/reada.c
@@ -456,6 +456,8 @@ static struct reada_extent *reada_find_e
}
have_zone = 1;
}
+ if (!have_zone)
+ radix_tree_delete(&fs_info->reada_tree, index);
spin_unlock(&fs_info->reada_lock);
btrfs_dev_replace_unlock(&fs_info->dev_replace, 0);
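Review bot: The new `if (!have_zone)` branch carries no comment, and its reason is not obvious from the surrounding lines: the extent has already been inserted into fs_info->reada_tree and is about to be freed on the error path. A one-line comment above radix_tree_delete() stating that would keep the deletion from being dropped in a later refactor. Placing the delete before spin_unlock(&fs_info->reada_lock) keeps it in the same locked region as the zone loop, which is where it belongs.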
From: Eric Biggers <[email protected]>
commit f5e55e777cc93eae1416f0fa4908e8846b6d7825 upstream.
Currently, trying to rename or link a regular file, directory, or
symlink into an encrypted directory fails with EPERM when the source
file is unencrypted or is encrypted with a different encryption policy,
and is on the same mountpoint. It is correct for the operation to fail,
but the choice of EPERM breaks tools like 'mv' that know to copy rather
than rename if they see EXDEV, but don't know what to do with EPERM.
Our original motivation for EPERM was to encourage users to securely
handle their data. Encrypting files by "moving" them into an encrypted
directory can be insecure because the unencrypted data may remain in
free space on disk, where it can later be recovered by an attacker.
It's much better to encrypt the data from the start, or at least try to
securely delete the source data e.g. using the 'shred' program.
However, the current behavior hasn't been effective at achieving its
goal because users tend to be confused, hack around it, and complain;
see e.g. https://github.com/google/fscrypt/issues/76. And in some cases
it's actually inconsistent or unnecessary. For example, 'mv'-ing files
between differently encrypted directories doesn't work even in cases
where it can be secure, such as when in userspace the same passphrase
protects both directories. Yet, you *can* already 'mv' unencrypted
files into an encrypted directory if the source files are on a different
mountpoint, even though doing so is often insecure.
There are probably better ways to teach users to securely handle their
files. For example, the 'fscrypt' userspace tool could provide a
command that migrates unencrypted files into an encrypted directory,
acting like 'shred' on the source files and providing appropriate
warnings depending on the type of the source filesystem and disk.
Receiving errors on unimportant files might also force some users to
disable encryption, thus making the behavior counterproductive. It's
desirable to make encryption as unobtrusive as possible.
Therefore, change the error code from EPERM to EXDEV so that tools
looking for EXDEV will fall back to a copy.
This, of course, doesn't prevent users from still doing the right things
to securely manage their files. Note that this also matches the
behavior when a file is renamed between two project quota hierarchies;
so there's precedent for using EXDEV for things other than mountpoints.
xfstests generic/398 will require an update with this change.
[Rewritten from an earlier patch series by Michael Halcrow.]
Cc: Michael Halcrow <[email protected]>
Cc: Joe Richey <[email protected]>
Signed-off-by: Eric Biggers <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
fs/crypto/policy.c | 3 +--
fs/ext4/namei.c | 6 +++---
fs/f2fs/namei.c | 6 +++---
fs/ubifs/dir.c | 6 +++---
4 files changed, 10 insertions(+), 11 deletions(-)
--- a/fs/crypto/policy.c
+++ b/fs/crypto/policy.c
@@ -153,8 +153,7 @@ EXPORT_SYMBOL(fscrypt_ioctl_get_policy);
* malicious offline violations of this constraint, while the link and rename
* checks are needed to prevent online violations of this constraint.
*
- * Return: 1 if permitted, 0 if forbidden. If forbidden, the caller must fail
- * the filesystem operation with EPERM.
+ * Return: 1 if permitted, 0 if forbidden.
*/
int fscrypt_has_permitted_context(struct inode *parent, struct inode *child)
{
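Review bot: the kernel-doc for fscrypt_has_permitted_context() no longer tells callers which errno to use when 0 is returned, so a filesystem adding fscrypt support later has nothing to follow. Rather than dropping the sentence, consider updating it to say that callers fail the operation with EXDEV, which is what every caller in this patch now does.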
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -3280,7 +3280,7 @@ static int ext4_link(struct dentry *old_
return -EMLINK;
if (ext4_encrypted_inode(dir) &&
!fscrypt_has_permitted_context(dir, inode))
- return -EPERM;
+ return -EXDEV;
if ((ext4_test_inode_flag(dir, EXT4_INODE_PROJINHERIT)) &&
(!projid_eq(EXT4_I(dir)->i_projid,
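Review bot: the changelog justifies EXDEV by tools falling back to a copy on rename, but this hunk changes ext4_link(), where there is no rename involved. A sentence in the changelog on why link() gets the same errno (for example, consistency with the project quota check that follows in this function) would make the change easier to audit, since callers that keyed on EPERM from link() will now see a different error.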
@@ -3618,7 +3618,7 @@ static int ext4_rename(struct inode *old
if ((old.dir != new.dir) &&
ext4_encrypted_inode(new.dir) &&
!fscrypt_has_permitted_context(new.dir, old.inode)) {
- retval = -EPERM;
+ retval = -EXDEV;
goto end_rename;
}
@@ -3798,7 +3798,7 @@ static int ext4_cross_rename(struct inod
(old_dir != new_dir) &&
(!fscrypt_has_permitted_context(new_dir, old.inode) ||
!fscrypt_has_permitted_context(old_dir, new.inode)))
- return -EPERM;
+ return -EXDEV;
if ((ext4_test_inode_flag(new_dir, EXT4_INODE_PROJINHERIT) &&
!projid_eq(EXT4_I(new_dir)->i_projid,
--- a/fs/f2fs/namei.c
+++ b/fs/f2fs/namei.c
@@ -222,7 +222,7 @@ static int f2fs_link(struct dentry *old_
if (f2fs_encrypted_inode(dir) &&
!fscrypt_has_permitted_context(dir, inode))
- return -EPERM;
+ return -EXDEV;
if (is_inode_flag_set(dir, FI_PROJ_INHERIT) &&
(!projid_eq(F2FS_I(dir)->i_projid,
@@ -746,7 +746,7 @@ static int f2fs_rename(struct inode *old
if ((old_dir != new_dir) && f2fs_encrypted_inode(new_dir) &&
!fscrypt_has_permitted_context(new_dir, old_inode)) {
- err = -EPERM;
+ err = -EXDEV;
goto out;
}
@@ -942,7 +942,7 @@ static int f2fs_cross_rename(struct inod
(old_dir != new_dir) &&
(!fscrypt_has_permitted_context(new_dir, old_inode) ||
!fscrypt_has_permitted_context(old_dir, new_inode)))
- return -EPERM;
+ return -EXDEV;
if ((is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
!projid_eq(F2FS_I(new_dir)->i_projid,
--- a/fs/ubifs/dir.c
+++ b/fs/ubifs/dir.c
@@ -747,7 +747,7 @@ static int ubifs_link(struct dentry *old
if (ubifs_crypt_is_encrypted(dir) &&
!fscrypt_has_permitted_context(dir, inode))
- return -EPERM;
+ return -EXDEV;
err = fscrypt_setup_filename(dir, &dentry->d_name, 0, &nm);
if (err)
@@ -1357,7 +1357,7 @@ static int do_rename(struct inode *old_d
if (old_dir != new_dir) {
if (ubifs_crypt_is_encrypted(new_dir) &&
!fscrypt_has_permitted_context(new_dir, old_inode))
- return -EPERM;
+ return -EXDEV;
}
if (unlink && is_dir) {
@@ -1579,7 +1579,7 @@ static int ubifs_xrename(struct inode *o
(old_dir != new_dir) &&
(!fscrypt_has_permitted_context(new_dir, fst_inode) ||
!fscrypt_has_permitted_context(old_dir, snd_inode)))
- return -EPERM;
+ return -EXDEV;
err = fscrypt_setup_filename(old_dir, &old_dentry->d_name, 0, &fst_nm);
if (err)
From: Xiubo Li <[email protected]>
[ Upstream commit 87aac3a80af5cbad93e63250e8a1e19095ba0d30 ]
There is one race case for ceph's rbd-nbd tool. When mapping,
it may fail with EBUSY from ioctl(nbd, NBD_DO_IT), although
the nbd device has actually already been unmapped.
This happens if, just after the wake_up(), recv_work() is scheduled
out and defers calling nbd_config_put(): though the map process
has exited, "nbd->recv_task" is not cleared.
Signed-off-by: Xiubo Li <[email protected]>
Reviewed-by: Josef Bacik <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/block/nbd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index f22fad977c913..cdf62fb94fb15 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -725,9 +725,9 @@ static void recv_work(struct work_struct *work)
blk_mq_complete_request(blk_mq_rq_from_pdu(cmd));
}
+ nbd_config_put(nbd);
atomic_dec(&config->recv_threads);
wake_up(&config->recv_wq);
- nbd_config_put(nbd);
kfree(args);
}
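Review bot: after the move, atomic_dec(&config->recv_threads) and wake_up(&config->recv_wq) dereference config after nbd_config_put(nbd) has already run. If that put can drop the last reference and release the config, both lines touch freed memory. Please confirm that another holder is guaranteed to keep config alive until the waiter has been woken, and say so in a comment above the put, or keep a local reference across these three lines.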
--
2.27.0
From: Krzysztof Kozlowski <[email protected]>
[ Upstream commit 6c17a2974abf68a58517f75741b15c4aba42b4b8 ]
The 'audio-subsystem' node is an artificial creation, not representing
real hardware. The hardware is described by its nodes - AUDSS clock
controller and I2S0.
Remove the 'audio-subsystem' node along with its undocumented compatible
to fix dtbs_check warnings like:
audio-subsystem: $nodename:0: 'audio-subsystem' does not match '^([a-z][a-z0-9\\-]+-bus|bus|soc|axi|ahb|apb)(@[0-9a-f]+)?$'
Signed-off-by: Krzysztof Kozlowski <[email protected]>
Tested-by: Jonathan Bakker <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
arch/arm/boot/dts/s5pv210.dtsi | 65 +++++++++++++++-------------------
1 file changed, 29 insertions(+), 36 deletions(-)
diff --git a/arch/arm/boot/dts/s5pv210.dtsi b/arch/arm/boot/dts/s5pv210.dtsi
index b72ca89beac98..a215218237a60 100644
--- a/arch/arm/boot/dts/s5pv210.dtsi
+++ b/arch/arm/boot/dts/s5pv210.dtsi
@@ -220,43 +220,36 @@
status = "disabled";
};
- audio-subsystem {
- compatible = "samsung,s5pv210-audss", "simple-bus";
- #address-cells = <1>;
- #size-cells = <1>;
- ranges;
-
- clk_audss: clock-controller@eee10000 {
- compatible = "samsung,s5pv210-audss-clock";
- reg = <0xeee10000 0x1000>;
- clock-names = "hclk", "xxti",
- "fout_epll",
- "sclk_audio0";
- clocks = <&clocks DOUT_HCLKP>, <&xxti>,
- <&clocks FOUT_EPLL>,
- <&clocks SCLK_AUDIO0>;
- #clock-cells = <1>;
- };
+ clk_audss: clock-controller@eee10000 {
+ compatible = "samsung,s5pv210-audss-clock";
+ reg = <0xeee10000 0x1000>;
+ clock-names = "hclk", "xxti",
+ "fout_epll",
+ "sclk_audio0";
+ clocks = <&clocks DOUT_HCLKP>, <&xxti>,
+ <&clocks FOUT_EPLL>,
+ <&clocks SCLK_AUDIO0>;
+ #clock-cells = <1>;
+ };
- i2s0: i2s@eee30000 {
- compatible = "samsung,s5pv210-i2s";
- reg = <0xeee30000 0x1000>;
- interrupt-parent = <&vic2>;
- interrupts = <16>;
- dma-names = "rx", "tx", "tx-sec";
- dmas = <&pdma1 9>, <&pdma1 10>, <&pdma1 11>;
- clock-names = "iis",
- "i2s_opclk0",
- "i2s_opclk1";
- clocks = <&clk_audss CLK_I2S>,
- <&clk_audss CLK_I2S>,
- <&clk_audss CLK_DOUT_AUD_BUS>;
- samsung,idma-addr = <0xc0010000>;
- pinctrl-names = "default";
- pinctrl-0 = <&i2s0_bus>;
- #sound-dai-cells = <0>;
- status = "disabled";
- };
+ i2s0: i2s@eee30000 {
+ compatible = "samsung,s5pv210-i2s";
+ reg = <0xeee30000 0x1000>;
+ interrupt-parent = <&vic2>;
+ interrupts = <16>;
+ dma-names = "rx", "tx", "tx-sec";
+ dmas = <&pdma1 9>, <&pdma1 10>, <&pdma1 11>;
+ clock-names = "iis",
+ "i2s_opclk0",
+ "i2s_opclk1";
+ clocks = <&clk_audss CLK_I2S>,
+ <&clk_audss CLK_I2S>,
+ <&clk_audss CLK_DOUT_AUD_BUS>;
+ samsung,idma-addr = <0xc0010000>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&i2s0_bus>;
+ #sound-dai-cells = <0>;
+ status = "disabled";
};
i2s1: i2s@e2100000 {
--
2.27.0
From: Miklos Szeredi <[email protected]>
commit d78092e4937de9ce55edcb4ee4c5e3c707be0190 upstream.
After unlock_request() pages from the ap->pages[] array may be put (e.g. by
aborting the connection) and the pages can be freed.
Prevent use after free by grabbing a reference to the page before calling
unlock_request().
The original patch was created by Pradeep P V K.
Reported-by: Pradeep P V K <[email protected]>
Cc: <[email protected]>
Signed-off-by: Miklos Szeredi <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
fs/fuse/dev.c | 28 ++++++++++++++++++----------
1 file changed, 18 insertions(+), 10 deletions(-)
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -845,15 +845,16 @@ static int fuse_try_move_page(struct fus
struct page *newpage;
struct pipe_buffer *buf = cs->pipebufs;
+ get_page(oldpage);
err = unlock_request(cs->req);
if (err)
- return err;
+ goto out_put_old;
fuse_copy_finish(cs);
err = pipe_buf_confirm(cs->pipe, buf);
if (err)
- return err;
+ goto out_put_old;
BUG_ON(!cs->nr_segs);
cs->currbuf = buf;
@@ -893,7 +894,7 @@ static int fuse_try_move_page(struct fus
err = replace_page_cache_page(oldpage, newpage, GFP_KERNEL);
if (err) {
unlock_page(newpage);
- return err;
+ goto out_put_old;
}
get_page(newpage);
@@ -912,14 +913,19 @@ static int fuse_try_move_page(struct fus
if (err) {
unlock_page(newpage);
put_page(newpage);
- return err;
+ goto out_put_old;
}
unlock_page(oldpage);
+ /* Drop ref for ap->pages[] array */
put_page(oldpage);
cs->len = 0;
- return 0;
+ err = 0;
+out_put_old:
+ /* Drop ref obtained in this function */
+ put_page(oldpage);
+ return err;
out_fallback_unlock:
unlock_page(newpage);
@@ -928,10 +934,10 @@ out_fallback:
cs->offset = buf->offset;
err = lock_request(cs->req);
- if (err)
- return err;
+ if (!err)
+ err = 1;
- return 1;
+ goto out_put_old;
}
static int fuse_ref_page(struct fuse_copy_state *cs, struct page *page,
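Review bot: the new tail of out_fallback jumps backward to out_put_old and turns the success case into "if (!err) err = 1;", which reads like an error path at first glance. A one-line comment stating that the positive value is the fallback return and that the jump exists only to drop the reference taken at the top of fuse_try_move_page() would make the control flow easier to verify, given that every exit now has to go through that put_page().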
@@ -943,14 +949,16 @@ static int fuse_ref_page(struct fuse_cop
if (cs->nr_segs == cs->pipe->buffers)
return -EIO;
+ get_page(page);
err = unlock_request(cs->req);
- if (err)
+ if (err) {
+ put_page(page);
return err;
+ }
fuse_copy_finish(cs);
buf = cs->pipebufs;
- get_page(page);
buf->page = page;
buf->offset = offset;
buf->len = count;
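Review bot: get_page(page) moves above unlock_request() with no comment, unlike fuse_try_move_page() where both put_page() calls are annotated. Since the ordering is the whole fix, a short comment above get_page(page) saying that the reference must be held before the request is unlocked, and that it is then handed over to buf->page, would keep a later cleanup from moving it back next to the assignment.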
From: Nick Desaulniers <[email protected]>
commit 3b92fa7485eba16b05166fddf38ab42f2ff6ab95 upstream.
With CONFIG_EXPERT=y, CONFIG_KASAN=y, CONFIG_RANDOMIZE_BASE=n,
CONFIG_RELOCATABLE=n, we observe the following failure when trying to
link the kernel image with LD=ld.lld:
error: section: .exit.data is not contiguous with other relro sections
ld.lld defaults to -z relro while ld.bfd defaults to -z norelro. This
was previously fixed, but only for CONFIG_RELOCATABLE=y.
Fixes: 3bbd3db86470 ("arm64: relocatable: fix inconsistencies in linker script and options")
Signed-off-by: Nick Desaulniers <[email protected]>
Cc: [email protected]
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Will Deacon <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
arch/arm64/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/arm64/Makefile
+++ b/arch/arm64/Makefile
@@ -10,7 +10,7 @@
#
# Copyright (C) 1995-2001 by Russell King
-LDFLAGS_vmlinux :=--no-undefined -X
+LDFLAGS_vmlinux :=--no-undefined -X -z norelro
CPPFLAGS_vmlinux.lds = -DTEXT_OFFSET=$(TEXT_OFFSET)
GZFLAGS :=-9
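Review bot: "-z norelro" is added to the unconditional LDFLAGS_vmlinux without the $(call ld-option, ...) guard that --no-apply-dynamic-relocs gets a few lines below. The flag was already passed unguarded, but only when CONFIG_RELOCATABLE=y, so this newly exposes non-relocatable builds to any linker that rejects it. Please confirm that every linker supported for 4.14.y accepts the option, or wrap it in ld-option.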
@@ -18,7 +18,7 @@ ifeq ($(CONFIG_RELOCATABLE), y)
# Pass --no-apply-dynamic-relocs to restore pre-binutils-2.27 behaviour
# for relative relocs, since this leads to better Image compression
# with the relocation offsets always being zero.
-LDFLAGS_vmlinux += -shared -Bsymbolic -z notext -z norelro \
+LDFLAGS_vmlinux += -shared -Bsymbolic -z notext \
$(call ld-option, --no-apply-dynamic-relocs)
endif
From: Anant Thazhemadam <[email protected]>
[ Upstream commit 0ddc5154b24c96f20e94d653b0a814438de6032b ]
In gfs2_check_sb(), no validation checks are performed with regards to
the size of the superblock.
syzkaller detected a slab-out-of-bounds bug that was primarily caused
because the block size for a superblock was set to zero.
A valid size for a superblock is a power of 2 between 512 and PAGE_SIZE.
Performing validation checks and ensuring that the size of the superblock
is valid fixes this bug.
Reported-by: [email protected]
Tested-by: [email protected]
Suggested-by: Andrew Price <[email protected]>
Signed-off-by: Anant Thazhemadam <[email protected]>
[Minor code reordering.]
Signed-off-by: Andreas Gruenbacher <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
fs/gfs2/ops_fstype.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index 2de67588ac2d8..0b5c37ceb3ed3 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -161,15 +161,19 @@ static int gfs2_check_sb(struct gfs2_sbd *sdp, int silent)
return -EINVAL;
}
- /* If format numbers match exactly, we're done. */
-
- if (sb->sb_fs_format == GFS2_FORMAT_FS &&
- sb->sb_multihost_format == GFS2_FORMAT_MULTI)
- return 0;
+ if (sb->sb_fs_format != GFS2_FORMAT_FS ||
+ sb->sb_multihost_format != GFS2_FORMAT_MULTI) {
+ fs_warn(sdp, "Unknown on-disk format, unable to mount\n");
+ return -EINVAL;
+ }
- fs_warn(sdp, "Unknown on-disk format, unable to mount\n");
+ if (sb->sb_bsize < 512 || sb->sb_bsize > PAGE_SIZE ||
+ (sb->sb_bsize & (sb->sb_bsize - 1))) {
+ pr_warn("Invalid superblock size\n");
+ return -EINVAL;
+ }
- return -EINVAL;
+ return 0;
}
static void end_bio_io_page(struct bio *bio)
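Review bot: the new sb_bsize check reports through pr_warn() while the format check directly above it uses fs_warn(sdp, ...), so the message loses the filesystem identification that would tell an admin which device carried the bad superblock. Suggest fs_warn(sdp, ...) here as well, wording the message as an invalid block size (the field tested is sb_bsize) and printing the rejected value.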
--
2.27.0
From: Tung Nguyen <[email protected]>
[ Upstream commit ceb1eb2fb609c88363e06618b8d4bbf7815a4e03 ]
Commit ed42989eab57 ("tipc: fix the skb_unshare() in tipc_buf_append()")
replaced skb_unshare() with skb_copy() to not reduce the data reference
counter of the original skb intentionally. This is not the correct
way to handle the cloned skb because it causes a memory leak in the 2
following cases:
1/ Sending multicast messages via broadcast link
The original skb list is cloned to the local skb list for local
destination. After that, the data reference counter of each skb
in the original list has the value of 2. This causes each skb not
to be freed after receiving ACK:
tipc_link_advance_transmq()
{
...
/* release skb */
__skb_unlink(skb, &l->transmq);
kfree_skb(skb); <-- memory exists after being freed
}
2/ Sending multicast messages via replicast link
Similar to the above case, each skb cannot be freed after purging
the skb list:
tipc_mcast_xmit()
{
...
__skb_queue_purge(pkts); <-- memory exists after being freed
}
This commit fixes this issue by using skb_unshare() instead. Besides,
to avoid use-after-free error reported by KASAN, the pointer to the
fragment is set to NULL before calling skb_unshare() to make sure that
the original skb is not freed after freeing the fragment 2 times in
case skb_unshare() returns NULL.
Fixes: ed42989eab57 ("tipc: fix the skb_unshare() in tipc_buf_append()")
Acked-by: Jon Maloy <[email protected]>
Reported-by: Thang Hoang Ngo <[email protected]>
Signed-off-by: Tung Nguyen <[email protected]>
Reviewed-by: Xin Long <[email protected]>
Acked-by: Cong Wang <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/tipc/msg.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/net/tipc/msg.c
+++ b/net/tipc/msg.c
@@ -140,12 +140,11 @@ int tipc_buf_append(struct sk_buff **hea
if (fragid == FIRST_FRAGMENT) {
if (unlikely(head))
goto err;
- if (skb_cloned(frag))
- frag = skb_copy(frag, GFP_ATOMIC);
+ *buf = NULL;
+ frag = skb_unshare(frag, GFP_ATOMIC);
if (unlikely(!frag))
goto err;
head = *headbuf = frag;
- *buf = NULL;
TIPC_SKB_CB(head)->tail = NULL;
if (skb_is_nonlinear(head)) {
skb_walk_frags(head, tail) {
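Review bot: the move of "*buf = NULL;" above skb_unshare() is what prevents the double free described in the changelog, but nothing in the code says so. Without a comment at that line explaining that the caller's pointer must be cleared before skb_unshare() can fail and take the "goto err" path, the assignment looks like it can be moved back next to "head = *headbuf = frag;" as a harmless tidy-up.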
From: Jia-Ju Bai <[email protected]>
commit 478762855b5ae9f68fa6ead1edf7abada70fcd5f upstream.
In p54p_tx(), skb->data is mapped to streaming DMA on line 337:
mapping = pci_map_single(..., skb->data, ...);
Then skb->data is accessed on line 349:
desc->device_addr = ((struct p54_hdr *)skb->data)->req_id;
This access may cause data inconsistency between CPU cache and hardware.
To fix this problem, ((struct p54_hdr *)skb->data)->req_id is stored in
a local variable before DMA mapping, and then the driver accesses this
local variable instead of skb->data.
Cc: <[email protected]>
Signed-off-by: Jia-Ju Bai <[email protected]>
Acked-by: Christian Lamparter <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/wireless/intersil/p54/p54pci.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/intersil/p54/p54pci.c
+++ b/drivers/net/wireless/intersil/p54/p54pci.c
@@ -332,10 +332,12 @@ static void p54p_tx(struct ieee80211_hw
struct p54p_desc *desc;
dma_addr_t mapping;
u32 idx, i;
+ __le32 device_addr;
spin_lock_irqsave(&priv->lock, flags);
idx = le32_to_cpu(ring_control->host_idx[1]);
i = idx % ARRAY_SIZE(ring_control->tx_data);
+ device_addr = ((struct p54_hdr *)skb->data)->req_id;
mapping = pci_map_single(priv->pdev, skb->data, skb->len,
PCI_DMA_TODEVICE);
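Review bot: the read of req_id into device_addr has to stay ahead of pci_map_single(), yet the hunk adds it without a comment, so the ordering constraint is only recorded in the changelog. A short comment above the new assignment stating that skb->data must not be accessed by the CPU once it is mapped for the device would protect the fix from later reordering.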
@@ -349,7 +351,7 @@ static void p54p_tx(struct ieee80211_hw
desc = &ring_control->tx_data[i];
desc->host_addr = cpu_to_le32(mapping);
- desc->device_addr = ((struct p54_hdr *)skb->data)->req_id;
+ desc->device_addr = device_addr;
desc->len = cpu_to_le16(skb->len);
desc->flags = 0;
From: Lang Dai <[email protected]>
[ Upstream commit 8fd0e2a6df262539eaa28b0a2364cca10d1dc662 ]
uio_register_device() does two things.
1) get a uio id from a global pool, e.g. the id is <A>
2) create file nodes like /sys/class/uio/uio<A>
uio_unregister_device() does two things.
1) free the uio id <A> and return it to the global pool
2) free the file node /sys/class/uio/uio<A>
There is a situation in which one worker is calling uio_unregister_device(),
and another worker is calling uio_register_device().
If the two workers are X and Y, they go in the sequence below,
1) X frees the uio id <AAA>
2) Y gets a uio id <AAA>
3) Y creates file node /sys/class/uio/uio<AAA>
4) X frees the file node /sys/class/uio/uio<AAA>
Then it will fail at the 3rd step and cause the phenomenon we saw, as it
is creating a duplicated file node.
Failure reports as follows:
sysfs: cannot create duplicate filename '/class/uio/uio10'
Call Trace:
sysfs_do_create_link_sd.isra.2+0x9e/0xb0
sysfs_create_link+0x25/0x40
device_add+0x2c4/0x640
__uio_register_device+0x1c5/0x576 [uio]
adf_uio_init_bundle_dev+0x231/0x280 [intel_qat]
adf_uio_register+0x1c0/0x340 [intel_qat]
adf_dev_start+0x202/0x370 [intel_qat]
adf_dev_start_async+0x40/0xa0 [intel_qat]
process_one_work+0x14d/0x410
worker_thread+0x4b/0x460
kthread+0x105/0x140
? process_one_work+0x410/0x410
? kthread_bind+0x40/0x40
ret_from_fork+0x1f/0x40
Code: 85 c0 48 89 c3 74 12 b9 00 10 00 00 48 89 c2 31 f6 4c 89 ef
e8 ec c4 ff ff 4c 89 e2 48 89 de 48 c7 c7 e8 b4 ee b4 e8 6a d4 d7
ff <0f> 0b 48 89 df e8 20 fa f3 ff 5b 41 5c 41 5d 5d c3 66 0f 1f 84
---[ end trace a7531c1ed5269e84 ]---
c6xxvf b002:00:00.0: Failed to register UIO devices
c6xxvf b002:00:00.0: Failed to register UIO devices
Signed-off-by: Lang Dai <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/uio/uio.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
index 7c18536a3742a..4fc94b5e15ef4 100644
--- a/drivers/uio/uio.c
+++ b/drivers/uio/uio.c
@@ -1009,8 +1009,6 @@ void uio_unregister_device(struct uio_info *info)
idev = info->uio_dev;
- uio_free_minor(idev);
-
mutex_lock(&idev->info_lock);
uio_dev_del_attributes(idev);
@@ -1022,6 +1020,8 @@ void uio_unregister_device(struct uio_info *info)
device_unregister(&idev->dev);
+ uio_free_minor(idev);
+
return;
}
EXPORT_SYMBOL_GPL(uio_unregister_device);
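Review bot: uio_free_minor(idev) now runs after device_unregister(&idev->dev), and dev is embedded in idev. If that unregister drops the last reference and the release callback frees idev, the following call reads freed memory. Please either show that a reference is still held at this point or capture what uio_free_minor() needs from idev before the unregister and free the id from that saved value.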
--
2.27.0
From: Zhengyuan Liu <[email protected]>
[ Upstream commit a194c5f2d2b3a05428805146afcabe5140b5d378 ]
The @node passed to cpumask_of_node() can be NUMA_NO_NODE, in that
case it will trigger the following WARN_ON(node >= nr_node_ids) due to
mismatched data types of @node and @nr_node_ids. Actually we should
return cpu_all_mask just like most other architectures do if passed
NUMA_NO_NODE.
Also add a similar check to the inline cpumask_of_node() in numa.h.
Signed-off-by: Zhengyuan Liu <[email protected]>
Reviewed-by: Gavin Shan <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Will Deacon <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
arch/arm64/include/asm/numa.h | 3 +++
arch/arm64/mm/numa.c | 6 +++++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/include/asm/numa.h b/arch/arm64/include/asm/numa.h
index 01bc46d5b43ac..9bde636027670 100644
--- a/arch/arm64/include/asm/numa.h
+++ b/arch/arm64/include/asm/numa.h
@@ -25,6 +25,9 @@ const struct cpumask *cpumask_of_node(int node);
/* Returns a pointer to the cpumask of CPUs on Node 'node'. */
static inline const struct cpumask *cpumask_of_node(int node)
{
+ if (node == NUMA_NO_NODE)
+ return cpu_all_mask;
+
return node_to_cpumask_map[node];
}
#endif
diff --git a/arch/arm64/mm/numa.c b/arch/arm64/mm/numa.c
index e9c843e0c1727..6b42af182aa74 100644
--- a/arch/arm64/mm/numa.c
+++ b/arch/arm64/mm/numa.c
@@ -58,7 +58,11 @@ EXPORT_SYMBOL(node_to_cpumask_map);
*/
const struct cpumask *cpumask_of_node(int node)
{
- if (WARN_ON(node >= nr_node_ids))
+
+ if (node == NUMA_NO_NODE)
+ return cpu_all_mask;
+
+ if (WARN_ON(node < 0 || node >= nr_node_ids))
return cpu_none_mask;
if (WARN_ON(node_to_cpumask_map[node] == NULL))
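Review bot: the hunk adds an empty line directly after the opening brace of cpumask_of_node(), which is a style nit worth dropping. More substantively, this out-of-line version now rejects every other negative node with WARN_ON(node < 0 || ...), while the inline version in numa.h only special-cases NUMA_NO_NODE and still indexes node_to_cpumask_map[node] unchecked; a note in the changelog that this difference is intentional would help.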
--
2.27.0
From: Douglas Anderson <[email protected]>
[ Upstream commit b18b099e04f450cdc77bec72acefcde7042bd1f3 ]
On my system the kernel processes the "kgdb_earlycon" parameter before
the "kgdbcon" parameter. When we setup "kgdb_earlycon" we'll end up
in kgdb_register_callbacks() and "kgdb_use_con" won't have been set
yet so we'll never get around to starting "kgdbcon". Let's remedy
this by detecting that the IO module was already registered when
setting "kgdb_use_con" and registering the console then.
As part of this, to avoid pre-declaring things, move the handling of
the "kgdbcon" further down in the file.
Signed-off-by: Douglas Anderson <[email protected]>
Link: https://lore.kernel.org/r/20200630151422.1.I4aa062751ff5e281f5116655c976dff545c09a46@changeid
Signed-off-by: Daniel Thompson <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
kernel/debug/debug_core.c | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c
index 694fcd0492827..4cf5697e72b18 100644
--- a/kernel/debug/debug_core.c
+++ b/kernel/debug/debug_core.c
@@ -95,14 +95,6 @@ int dbg_switch_cpu;
/* Use kdb or gdbserver mode */
int dbg_kdb_mode = 1;
-static int __init opt_kgdb_con(char *str)
-{
- kgdb_use_con = 1;
- return 0;
-}
-
-early_param("kgdbcon", opt_kgdb_con);
-
module_param(kgdb_use_con, int, 0644);
module_param(kgdbreboot, int, 0644);
@@ -816,6 +808,20 @@ static struct console kgdbcons = {
.index = -1,
};
+static int __init opt_kgdb_con(char *str)
+{
+ kgdb_use_con = 1;
+
+ if (kgdb_io_module_registered && !kgdb_con_registered) {
+ register_console(&kgdbcons);
+ kgdb_con_registered = 1;
+ }
+
+ return 0;
+}
+
+early_param("kgdbcon", opt_kgdb_con);
+
#ifdef CONFIG_MAGIC_SYSRQ
static void sysrq_handle_dbg(int key)
{
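Review bot: the register_console(&kgdbcons) / kgdb_con_registered = 1 pair added to opt_kgdb_con() duplicates the registration that, per the changelog, kgdb_register_callbacks() performs when kgdb_use_con is set. Two copies of the same state transition can drift apart; consider a small helper used from both places, and a comment in opt_kgdb_con() explaining that this branch covers "kgdb_earlycon" having been parsed first.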
--
2.27.0
From: Diana Craciun <[email protected]>
[ Upstream commit 5026cf605143e764e1785bbf9158559d17f8d260 ]
Before destroying the mc_io, check first that it was
allocated.
Reviewed-by: Laurentiu Tudor <[email protected]>
Acked-by: Laurentiu Tudor <[email protected]>
Signed-off-by: Diana Craciun <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/staging/fsl-mc/bus/mc-io.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/fsl-mc/bus/mc-io.c b/drivers/staging/fsl-mc/bus/mc-io.c
index f65c23ce83f16..deec2d04c2dd9 100644
--- a/drivers/staging/fsl-mc/bus/mc-io.c
+++ b/drivers/staging/fsl-mc/bus/mc-io.c
@@ -166,7 +166,12 @@ error_destroy_mc_io:
*/
void fsl_destroy_mc_io(struct fsl_mc_io *mc_io)
{
- struct fsl_mc_device *dpmcp_dev = mc_io->dpmcp_dev;
+ struct fsl_mc_device *dpmcp_dev;
+
+ if (!mc_io)
+ return;
+
+ dpmcp_dev = mc_io->dpmcp_dev;
if (dpmcp_dev)
fsl_mc_io_unset_dpmcp(mc_io);
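Review bot: fsl_destroy_mc_io() now accepts a NULL mc_io, but the kernel-doc block that ends just above the function is not touched by this hunk. Please document that NULL is allowed and is a no-op, so callers know they can drop their own checks and reviewers know the early return is part of the contract rather than a workaround.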
--
2.27.0
From: Kim Phillips <[email protected]>
commit 221bfce5ebbdf72ff08b3bf2510ae81058ee568b upstream.
Stephane Eranian found a bug in that IBS' current Fetch counter was not
being reset when the driver would write the new value to clear it along
with the enable bit set, and found that adding an MSR write that would
first disable IBS Fetch would make IBS Fetch reset its current count.
Indeed, the PPR for AMD Family 17h Model 31h B0 55803 Rev 0.54 - Sep 12,
2019 states "The periodic fetch counter is set to IbsFetchCnt [...] when
IbsFetchEn is changed from 0 to 1."
Explicitly set IbsFetchEn to 0 and then to 1 when re-enabling IBS Fetch,
so the driver properly resets the internal counter to 0 and IBS
Fetch starts counting again.
A family 15h machine tested does not have this problem, and the extra
wrmsr is also not needed on Family 19h, so only do the extra wrmsr on
families 16h through 18h.
Reported-by: Stephane Eranian <[email protected]>
Signed-off-by: Kim Phillips <[email protected]>
[peterz: optimized]
Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
Cc: [email protected]
Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
arch/x86/events/amd/ibs.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
--- a/arch/x86/events/amd/ibs.c
+++ b/arch/x86/events/amd/ibs.c
@@ -89,6 +89,7 @@ struct perf_ibs {
u64 max_period;
unsigned long offset_mask[1];
int offset_max;
+ unsigned int fetch_count_reset_broken : 1;
struct cpu_perf_ibs __percpu *pcpu;
struct attribute **format_attrs;
@@ -375,7 +376,12 @@ perf_ibs_event_update(struct perf_ibs *p
static inline void perf_ibs_enable_event(struct perf_ibs *perf_ibs,
struct hw_perf_event *hwc, u64 config)
{
- wrmsrl(hwc->config_base, hwc->config | config | perf_ibs->enable_mask);
+ u64 tmp = hwc->config | config;
+
+ if (perf_ibs->fetch_count_reset_broken)
+ wrmsrl(hwc->config_base, tmp & ~perf_ibs->enable_mask);
+
+ wrmsrl(hwc->config_base, tmp | perf_ibs->enable_mask);
}
/*
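Review bot: the first wrmsrl() in perf_ibs_enable_event() writes the config with the enable bit cleared, and the reason is only explained in the comment added to perf_event_ibs_init(). A one-line comment at this write, saying that the 0 to 1 transition of the enable bit is what resets the fetch counter on the affected families, would keep it from being removed as a redundant MSR write in a hot path.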
@@ -744,6 +750,13 @@ static __init void perf_event_ibs_init(v
{
struct attribute **attr = ibs_op_format_attrs;
+ /*
+ * Some chips fail to reset the fetch count when it is written; instead
+ * they need a 0-1 transition of IbsFetchEn.
+ */
+ if (boot_cpu_data.x86 >= 0x16 && boot_cpu_data.x86 <= 0x18)
+ perf_ibs_fetch.fetch_count_reset_broken = 1;
+
perf_ibs_pmu_init(&perf_ibs_fetch, "ibs_fetch");
if (ibs_caps & IBS_CAPS_OPCNT) {
From: Xia Jiang <[email protected]>
[ Upstream commit 5095a6413a0cf896ab468009b6142cb0fe617e66 ]
Add a flow for checking the created buffer size in mtk_jpeg_queue_setup().
Reviewed-by: Tomasz Figa <[email protected]>
Signed-off-by: Xia Jiang <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c
index 46c996936798a..fd9e13500fe7f 100644
--- a/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c
+++ b/drivers/media/platform/mtk-jpeg/mtk_jpeg_core.c
@@ -579,6 +579,13 @@ static int mtk_jpeg_queue_setup(struct vb2_queue *q,
if (!q_data)
return -EINVAL;
+ if (*num_planes) {
+ for (i = 0; i < *num_planes; i++)
+ if (sizes[i] < q_data->sizeimage[i])
+ return -EINVAL;
+ return 0;
+ }
+
*num_planes = q_data->fmt->colplanes;
for (i = 0; i < q_data->fmt->colplanes; i++) {
sizes[i] = q_data->sizeimage[i];
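Review bot: the new branch trusts the caller's *num_planes as the loop bound and compares sizes[i] against q_data->sizeimage[i] without checking that *num_planes matches q_data->fmt->colplanes, which is the bound the existing code below uses for the same array. Please reject a plane count that differs from colplanes before the loop, so sizeimage[] is never indexed past the planes the format defines. The multi-line for body would also read better with braces.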
--
2.27.0
From: Jamie Iles <[email protected]>
commit 0fada277147ffc6d694aa32162f51198d4f10d94 upstream.
If ACPI is disabled then loading the acpi_dbg module will result in the
following splat when lock debugging is enabled.
DEBUG_LOCKS_WARN_ON(lock->magic != lock)
WARNING: CPU: 0 PID: 1 at kernel/locking/mutex.c:938 __mutex_lock+0xa10/0x1290
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.9.0-rc8+ #103
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x0/0x4d8
show_stack+0x34/0x48
dump_stack+0x174/0x1f8
panic+0x360/0x7a0
__warn+0x244/0x2ec
report_bug+0x240/0x398
bug_handler+0x50/0xc0
call_break_hook+0x160/0x1d8
brk_handler+0x30/0xc0
do_debug_exception+0x184/0x340
el1_dbg+0x48/0xb0
el1_sync_handler+0x170/0x1c8
el1_sync+0x80/0x100
__mutex_lock+0xa10/0x1290
mutex_lock_nested+0x6c/0xc0
acpi_register_debugger+0x40/0x88
acpi_aml_init+0xc4/0x114
do_one_initcall+0x24c/0xb10
kernel_init_freeable+0x690/0x728
kernel_init+0x20/0x1e8
ret_from_fork+0x10/0x18
This is because acpi_debugger.lock has not been initialized as
acpi_debugger_init() is not called when ACPI is disabled. Fail module
loading to avoid this and any subsequent problems that might arise by
trying to debug AML when ACPI is disabled.
Fixes: 8cfb0cdf07e2 ("ACPI / debugger: Add IO interface to access debugger functionalities")
Reviewed-by: Hanjun Guo <[email protected]>
Signed-off-by: Jamie Iles <[email protected]>
Cc: 4.10+ <[email protected]> # 4.10+
Signed-off-by: Rafael J. Wysocki <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/acpi/acpi_dbg.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/acpi/acpi_dbg.c
+++ b/drivers/acpi/acpi_dbg.c
@@ -757,6 +757,9 @@ int __init acpi_aml_init(void)
goto err_exit;
}
+ if (acpi_disabled)
+ return -ENODEV;
+
/* Initialize AML IO interface */
mutex_init(&acpi_aml_io.lock);
init_waitqueue_head(&acpi_aml_io.wait);
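Review bot: the acpi_disabled check is placed after an earlier block that can already bail out through "goto err_exit", so with ACPI disabled the errno seen by the caller depends on which check trips first. Moving "if (acpi_disabled) return -ENODEV;" to the top of acpi_aml_init() would make -ENODEV the consistent result and guarantee nothing else in the function runs in that state.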
From: Michael Schaller <[email protected]>
commit 336af6a4686d885a067ecea8c3c3dd129ba4fc75 upstream.
Without this patch efivarfs_alloc_dentry creates dentries with slashes in
their name if the respective EFI variable has slashes in its name. This in
turn causes EIO on getdents64, which prevents a complete directory listing
of /sys/firmware/efi/efivars/.
This patch replaces the invalid slashes with exclamation marks like
kobject_set_name_vargs does for /sys/firmware/efi/vars/ to have consistently
named dentries under /sys/firmware/efi/vars/ and /sys/firmware/efi/efivars/.
Signed-off-by: Michael Schaller <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Ard Biesheuvel <[email protected]>
Signed-off-by: dann frazier <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
fs/efivarfs/super.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/efivarfs/super.c
+++ b/fs/efivarfs/super.c
@@ -145,6 +145,9 @@ static int efivarfs_callback(efi_char16_
name[len + EFI_VARIABLE_GUID_LEN+1] = '\0';
+ /* replace invalid slashes like kobject_set_name_vargs does for /sys/firmware/efi/vars. */
+ strreplace(name, '/', '!');
+
inode = efivarfs_get_inode(sb, d_inode(root), S_IFREG | 0644, 0,
is_removable);
if (!inode)
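Review bot: strreplace(name, '/', '!') is a one-way mapping, so two variables under the same GUID whose names differ only in '/' versus '!' now produce the same dentry name, and the file name no longer round-trips to the variable name. Please state in the changelog or the comment how a collision is handled and whether lookups by the original name are expected to work. The added comment line is also well over 80 columns and could be wrapped.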
From: Jiri Slaby <[email protected]>
[ Upstream commit f2ac57a4c49d40409c21c82d23b5706df9b438af ]
GCC 10 optimizes the scheduler code differently than its predecessors.
When CONFIG_DEBUG_SECTION_MISMATCH=y, the Makefile forces GCC not
to inline some functions (-fno-inline-functions-called-once). Before GCC
10, "no-inlined" __schedule() starts with the usual prologue:
push %bp
mov %sp, %bp
So the ORC unwinder simply picks stack pointer from %bp and
unwinds from __schedule() just perfectly:
$ cat /proc/1/stack
[<0>] ep_poll+0x3e9/0x450
[<0>] do_epoll_wait+0xaa/0xc0
[<0>] __x64_sys_epoll_wait+0x1a/0x20
[<0>] do_syscall_64+0x33/0x40
[<0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
But now, with GCC 10, there is no %bp prologue in __schedule():
$ cat /proc/1/stack
<nothing>
The ORC entry of the point in __schedule() is:
sp:sp+88 bp:last_sp-48 type:call end:0
In this case, nobody subtracts sizeof "struct inactive_task_frame" in
__unwind_start(). The struct is put on the stack by __switch_to_asm() and
only then __switch_to_asm() stores %sp to task->thread.sp. But we start
unwinding from a point in __schedule() (stored in frame->ret_addr by
'call') and not in __switch_to_asm().
So for these example values in __unwind_start():
sp=ffff94b50001fdc8 bp=ffff8e1f41d29340 ip=__schedule+0x1f0
The stack is:
ffff94b50001fdc8: ffff8e1f41578000 # struct inactive_task_frame
ffff94b50001fdd0: 0000000000000000
ffff94b50001fdd8: ffff8e1f41d29340
ffff94b50001fde0: ffff8e1f41611d40 # ...
ffff94b50001fde8: ffffffff93c41920 # bx
ffff94b50001fdf0: ffff8e1f41d29340 # bp
ffff94b50001fdf8: ffffffff9376cad0 # ret_addr (and end of the struct)
0xffffffff9376cad0 is __schedule+0x1f0 (after the call to
__switch_to_asm). Now follow those 88 bytes from the ORC entry (sp+88).
The entry is correct, __schedule() really pushes 48 bytes (8*7) + 32 bytes
via subq to store some local values (like 4U below). So to unwind, look
at the offset 88-sizeof(long) = 0x50 from here:
ffff94b50001fe00: ffff8e1f41578618
ffff94b50001fe08: 00000cc000000255
ffff94b50001fe10: 0000000500000004
ffff94b50001fe18: 7793fab6956b2d00 # NOTE (see below)
ffff94b50001fe20: ffff8e1f41578000
ffff94b50001fe28: ffff8e1f41578000
ffff94b50001fe30: ffff8e1f41578000
ffff94b50001fe38: ffff8e1f41578000
ffff94b50001fe40: ffff94b50001fed8
ffff94b50001fe48: ffff8e1f41577ff0
ffff94b50001fe50: ffffffff9376cf12
Here ^^^^^^^^^^^^^^^^ is the correct ret addr from
__schedule(). It translates to schedule+0x42 (insn after a call to
__schedule()).
BUT, unwind_next_frame() tries to take the address starting from
0xffff94b50001fdc8. That is exactly from thread.sp+88-sizeof(long) =
0xffff94b50001fdc8+88-8 = 0xffff94b50001fe18, which is garbage marked as
NOTE above. So this quits the unwinding as 7793fab6956b2d00 is obviously
not a kernel address.
There was a fix to skip 'struct inactive_task_frame' in
unwind_get_return_address_ptr in the following commit:
187b96db5ca7 ("x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks")
But we need to skip the struct already in the unwinder proper. So
subtract the size (increase the stack pointer) of the structure in
__unwind_start() directly. This allows for removal of the code added by
commit 187b96db5ca7 completely, as the address is now at
'(unsigned long *)state->sp - 1', the same as in the generic case.
[ mingo: Cleaned up the changelog a bit, for better readability. ]
Fixes: ee9f8fce9964 ("x86/unwind: Add the ORC unwinder")
Bug: https://bugzilla.suse.com/show_bug.cgi?id=1176907
Signed-off-by: Jiri Slaby <[email protected]>
Signed-off-by: Ingo Molnar <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
arch/x86/kernel/unwind_orc.c | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c
index a5e2ce931f692..e64c5b78fbfd3 100644
--- a/arch/x86/kernel/unwind_orc.c
+++ b/arch/x86/kernel/unwind_orc.c
@@ -255,19 +255,12 @@ EXPORT_SYMBOL_GPL(unwind_get_return_address);
unsigned long *unwind_get_return_address_ptr(struct unwind_state *state)
{
- struct task_struct *task = state->task;
-
if (unwind_done(state))
return NULL;
if (state->regs)
return &state->regs->ip;
- if (task != current && state->sp == task->thread.sp) {
- struct inactive_task_frame *frame = (void *)task->thread.sp;
- return &frame->ret_addr;
- }
-
if (state->sp)
return (unsigned long *)state->sp - 1;
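Review bot: with the `task != current && state->sp == task->thread.sp` branch removed, unwind_get_return_address_ptr() is only correct for inactive tasks if __unwind_start() has already moved state->sp past struct inactive_task_frame, so this removal must not be backported without the second hunk. A one-line comment above `return (unsigned long *)state->sp - 1;` stating that the inactive-task case relies on that adjustment would keep the two places from drifting apart.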
@@ -550,7 +543,7 @@ void __unwind_start(struct unwind_state *state, struct task_struct *task,
} else {
struct inactive_task_frame *frame = (void *)task->thread.sp;
- state->sp = task->thread.sp;
+ state->sp = task->thread.sp + sizeof(*frame);
state->bp = READ_ONCE_NOCHECK(frame->bp);
state->ip = READ_ONCE_NOCHECK(frame->ret_addr);
state->signal = (void *)state->ip == ret_from_fork;
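Review bot: `state->sp = task->thread.sp + sizeof(*frame);` in __unwind_start() has no comment, and the reason for it is not obvious from the code alone, because bp and ret_addr on the following lines are still read through `frame`, which points at the unadjusted task->thread.sp. Suggest a short comment saying that state->sp is moved past the inactive_task_frame pushed by __switch_to_asm() so that the ORC sp offset recorded for __schedule() is applied from the right base.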
--
2.27.0
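The address arithmetic from the changelog above, replayed over the quoted stack dump as an added example (not part of the patch or of the kernel source). The dump values and the sp+88 offset are copied from the changelog; the struct model, the helper names and the simplified kernel-text check are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stack dump copied from the changelog: one 8-byte slot per entry. */
#define THREAD_SP 0xffff94b50001fdc8ULL
static const uint64_t stack_dump[] = {
    0xffff8e1f41578000ULL, 0x0000000000000000ULL, 0xffff8e1f41d29340ULL,
    0xffff8e1f41611d40ULL, 0xffffffff93c41920ULL, 0xffff8e1f41d29340ULL,
    0xffffffff9376cad0ULL, /* ret_addr, last slot of inactive_task_frame */
    0xffff8e1f41578618ULL, 0x00000cc000000255ULL, 0x0000000500000004ULL,
    0x7793fab6956b2d00ULL, /* the slot marked NOTE in the changelog */
    0xffff8e1f41578000ULL, 0xffff8e1f41578000ULL, 0xffff8e1f41578000ULL,
    0xffff8e1f41578000ULL, 0xffff94b50001fed8ULL, 0xffff8e1f41577ff0ULL,
    0xffffffff9376cf12ULL, /* schedule+0x42 */
};

/* Model only: seven slots as in the dump, which names bx/bp/ret_addr. */
struct inactive_task_frame_model { uint64_t saved[4], bx, bp, ret_addr; };

#define ORC_SP_OFFSET 88 /* "sp:sp+88" from the quoted ORC entry */

/* Return-address slot for a frame whose ORC entry says CFA = sp + 88. */
static uint64_t ret_addr_slot(uint64_t state_sp)
{
    return state_sp + ORC_SP_OFFSET - sizeof(uint64_t);
}

/* Read one slot of the dump; 0 for anything outside it or unaligned. */
static uint64_t read_stack(uint64_t addr)
{
    size_t n = sizeof(stack_dump) / sizeof(stack_dump[0]);
    if (addr < THREAD_SP || (addr & 7) || (addr - THREAD_SP) / 8 >= n)
        return 0;
    return stack_dump[(addr - THREAD_SP) / 8];
}

/* Simplified stand-in for the kernel-text check: upper 32 bits all set. */
static int looks_like_kernel_text(uint64_t v) { return (v >> 32) == 0xffffffffULL; }

int main(void)
{
    /* Before the fix state->sp is thread.sp; after it, thread.sp + frame. */
    uint64_t sp[2] = { THREAD_SP,
                       THREAD_SP + sizeof(struct inactive_task_frame_model) };
    for (int i = 0; i < 2; i++) {
        uint64_t v = read_stack(ret_addr_slot(sp[i]));
        printf("%s fix: slot %llx holds %llx (%s)\n", i ? "after" : "before",
               (unsigned long long)ret_addr_slot(sp[i]), (unsigned long long)v,
               looks_like_kernel_text(v) ? "kernel text" : "not kernel text");
    }
    return 0;
}
```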
From: Mateusz Nosek <[email protected]>
[ Upstream commit 921c7ebd1337d1a46783d7e15a850e12aed2eaa0 ]
If should_futex_fail() returns true in futex_wake_pi(), then the 'ret'
variable is set to -EFAULT and then immediately overwritten. So the failure
injection is non-functional.
Fix it by actually leaving the function and returning -EFAULT.
The Fixes tag is kinda blurry because the initial commit which introduced
failure injection was already sloppy, but the below mentioned commit broke
it completely.
[ tglx: Massaged changelog ]
Fixes: 6b4f4bc9cb22 ("locking/futex: Allow low-level atomic operations to return -EAGAIN")
Signed-off-by: Mateusz Nosek <[email protected]>
Signed-off-by: Thomas Gleixner <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
kernel/futex.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/futex.c b/kernel/futex.c
index 2921ebaa14676..8f0e62c59a55b 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1595,8 +1595,10 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_pi_state *pi_
*/
newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
- if (unlikely(should_fail_futex(true)))
+ if (unlikely(should_fail_futex(true))) {
ret = -EFAULT;
+ goto out_unlock;
+ }
ret = cmpxchg_futex_value_locked(&curval, uaddr, uval, newval);
if (!ret && (curval != uval)) {
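Review bot: the changelog names futex_wake_pi() and should_futex_fail(), while this hunk touches wake_futex_pi() and calls should_fail_futex(); the names in the message should match the code so the commit can be found by grep. On the logic, `goto out_unlock` skips cmpxchg_futex_value_locked() as intended, but the label lies outside the visible context, so confirm that in 4.14.y out_unlock releases exactly what is held at this point before returning ret.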
--
2.27.0
From: Andy Shevchenko <[email protected]>
commit 99aed9227073fb34ce2880cbc7063e04185a65e1 upstream.
It appears that firmware nodes can be shared between devices. In such case
when a (child) device is about to be deleted, its firmware node may be shared
and ACPI_COMPANION_SET(..., NULL) call for it breaks the secondary link
of the shared primary firmware node.
In order to prevent that, check, if the device has a parent and parent's
firmware node is shared with its child, and avoid crashing the link.
Fixes: c15e1bdda436 ("device property: Fix the secondary firmware node handling in set_primary_fwnode()")
Reported-by: Ferry Toth <[email protected]>
Signed-off-by: Andy Shevchenko <[email protected]>
Reviewed-by: Heikki Krogerus <[email protected]>
Tested-by: Ferry Toth <[email protected]>
Cc: 5.9+ <[email protected]> # 5.9+
Signed-off-by: Rafael J. Wysocki <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/base/core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -3074,6 +3074,7 @@ static inline bool fwnode_is_primary(str
*/
void set_primary_fwnode(struct device *dev, struct fwnode_handle *fwnode)
{
+ struct device *parent = dev->parent;
struct fwnode_handle *fn = dev->fwnode;
if (fwnode) {
@@ -3088,7 +3089,8 @@ void set_primary_fwnode(struct device *d
} else {
if (fwnode_is_primary(fn)) {
dev->fwnode = fn->secondary;
- fn->secondary = ERR_PTR(-ENODEV);
+ if (!(parent && fn == parent->fwnode))
+ fn->secondary = ERR_PTR(-ENODEV);
} else {
dev->fwnode = NULL;
}
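Review bot: the new condition `!(parent && fn == parent->fwnode)` in set_primary_fwnode() only covers a node shared with the direct parent, while the changelog says firmware nodes can be shared between devices in general; a node shared between siblings or with a more distant ancestor would still reach `fn->secondary = ERR_PTR(-ENODEV)`. If parent/child is the only kind of sharing that occurs, a comment above the check saying so would help, since the check currently has no comment at all.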
On Wed, 4 Nov 2020 at 02:39, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 4.14.204 release.
> There are 125 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 05 Nov 2020 20:29:58 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.204-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.
Tested-by: Linux Kernel Functional Testing <[email protected]>
NOTE:
The LTP syscalls test shmctl04 was modified in the latest LTP release and is
reported as failing, so this is being reported to the LTP mailing list.
It failed on the 4.14, 4.9 and 4.4 branches but
passed on the 4.19, 5.4 and 5.9 branches.
shmctl04.c:115: TFAIL: SHM_INFO haven't returned a valid index: SUCCESS (0)
shmctl04.c:131: TFAIL: Counted used = 0, used_ids = 1
shmctl04.c:72: TPASS: used_ids = 1
shmctl04.c:79: TPASS: shm_rss = 0
shmctl04.c:86: TPASS: shm_swp = 0
shmctl04.c:93: TPASS: shm_tot = 1
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-4.14.y/build/v4.14.203-126-g8c25e7a92b2f/testrun/3392140/suite/ltp-syscalls-tests/test/shmctl04/log
Summary
------------------------------------------------------------------------
kernel: 4.14.204-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.14.y
git commit: 8c25e7a92b2f1688d46addf84ba6e3ec6f8d7d52
git describe: v4.14.203-126-g8c25e7a92b2f
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-4.14.y/build/v4.14.203-126-g8c25e7a92b2f
No regressions (compared to build v4.14.203)
No fixes (compared to build v4.14.203)
Ran 35206 total tests in the following environments and test suites.
Environments
--------------
- dragonboard-410c - arm64
- hi6220-hikey - arm64
- i386
- juno-r2 - arm64
- juno-r2-compat
- juno-r2-kasan
- qemu-arm64-kasan
- qemu-x86_64-kasan
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15 - arm
- x86_64
- x86-kasan
Test Suites
-----------
* build
* install-android-platform-tools-r2600
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-securebits-tests
* perf
* v4l2-compliance
* ltp-controllers-tests
* ltp-fs-tests
* ltp-syscalls-tests
* ltp-tracing-tests
* network-basic-tests
* ltp-open-posix-tests
* ltp-sched-tests
* kvm-unit-tests
--
Linaro LKFT
https://lkft.linaro.org
On Tue, Nov 03, 2020 at 09:36:17PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.204 release. There
> are 125 patches in this series, all will be posted as a response to this one.
> If anyone has any issues with these being applied, please let me know.
>
> Responses should be made by Thu, 05 Nov 2020 20:29:58 +0000. Anything
> received after that time might be too late.
>
sparc32 images fail to build.
Building sparc32:defconfig ... failed
--------------
Error log:
In file included from arch/sparc/include/asm/io_32.h:14,
from arch/sparc/include/asm/io.h:7,
from include/linux/io.h:25,
from include/linux/irq.h:25,
from include/asm-generic/hardirq.h:13,
from arch/sparc/include/asm/hardirq_32.h:11,
from arch/sparc/include/asm/hardirq.h:7,
from include/linux/hardirq.h:9,
from include/linux/memcontrol.h:24,
from include/linux/swap.h:9,
from include/linux/suspend.h:5,
from init/do_mounts.c:16:
include/asm-generic/io.h: In function '__pci_ioport_unmap':
include/asm-generic/io.h:900:2: error: implicit declaration of function 'iounmap'; did you mean 'vunmap'?
Guenter
On Tue, Nov 03, 2020 at 09:36:17PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.204 release.
> There are 125 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 05 Nov 2020 20:29:58 +0000.
> Anything received after that time might be too late.
>
Build results:
total: 168 pass: 165 fail: 3
Failed builds:
sparc32:defconfig
sparc32:allnoconfig
sparc32:tinyconfig
Qemu test results:
total: 404 pass: 389 fail: 15
Failed tests:
<all sparc32>
Tested-by: Guenter Roeck <[email protected]>
Guenter