This is the start of the stable review cycle for the 4.19.140 release.
There are 168 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 19 Aug 2020 14:36:49 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.140-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <[email protected]>
Linux 4.19.140-rc1
Oleksandr Andrushchenko <[email protected]>
xen/gntdev: Fix dmabuf import with non-zero sgt offset
Roger Pau Monne <[email protected]>
xen/balloon: make the balloon wait interruptible
Roger Pau Monne <[email protected]>
xen/balloon: fix accounting in alloc_xenballooned_pages error path
Jon Derrick <[email protected]>
irqdomain/treewide: Free firmware node after domain removal
Nathan Huckleberry <[email protected]>
ARM: 8992/1: Fix unwind_frame for clang-built kernels
Sven Schnelle <[email protected]>
parisc: mask out enable and reserved bits from sba imask
John David Anglin <[email protected]>
parisc: Implement __smp_store_release and __smp_load_acquire barriers
Sivaprakash Murugesan <[email protected]>
mtd: rawnand: qcom: avoid write to unavailable register
Christian Eggers <[email protected]>
spi: spidev: Align buffers for DMA
Romain Naour <[email protected]>
include/asm-generic/vmlinux.lds.h: align ro_after_init
Ivan Kokshaysky <[email protected]>
cpufreq: dt: fix oops on armada37xx
Trond Myklebust <[email protected]>
NFS: Don't return layout segments that are in use
Trond Myklebust <[email protected]>
NFS: Don't move layouts to plh_return_segs list while in use
Dave Airlie <[email protected]>
drm/ttm/nouveau: don't call tt destroy callback on alloc failure.
Zheng Bin <[email protected]>
9p: Fix memory leak in v9fs_mount
Hector Martin <[email protected]>
ALSA: usb-audio: add quirk for Pioneer DDJ-RB
Eric Biggers <[email protected]>
fs/minix: reject too-large maximum file size
Eric Biggers <[email protected]>
fs/minix: don't allow getting deleted inodes
Eric Biggers <[email protected]>
fs/minix: check return value of sb_getblk()
Jakub Kicinski <[email protected]>
bitfield.h: don't compile-time validate _val in FIELD_FIT
Mikulas Patocka <[email protected]>
crypto: cpt - don't sleep of CRYPTO_TFM_REQ_MAY_SLEEP was not specified
John Allen <[email protected]>
crypto: ccp - Fix use of merged scatterlists
Tom Rix <[email protected]>
crypto: qat - fix double free in qat_uclo_create_batch_init_list
Mikulas Patocka <[email protected]>
crypto: hisilicon - don't sleep of CRYPTO_TFM_REQ_MAY_SLEEP was not specified
Matteo Croce <[email protected]>
pstore: Fix linking when crypto API disabled
Hector Martin <[email protected]>
ALSA: usb-audio: work around streaming quirk for MacroSilicon MS2109
Hector Martin <[email protected]>
ALSA: usb-audio: fix overeager device match for MacroSilicon MS2109
Mirko Dietrich <[email protected]>
ALSA: usb-audio: Creative USB X-Fi Pro SB1095 volume knob support
Hui Wang <[email protected]>
ALSA: hda - fix the micmute led status for Lenovo ThinkCentre AIO
Brant Merryman <[email protected]>
USB: serial: cp210x: enable usb generic throttle/unthrottle
Brant Merryman <[email protected]>
USB: serial: cp210x: re-enable auto-RTS on open
Tim Froidcoeur <[email protected]>
net: initialize fastreuse on inet_inherit_port
Tim Froidcoeur <[email protected]>
net: refactor bind_bucket fastreuse into helper
Ira Weiny <[email protected]>
net/tls: Fix kmap usage
Miaohe Lin <[email protected]>
net: Set fput_needed iff FDPUT_FPUT is set
Qingyu Li <[email protected]>
net/nfc/rawsock.c: add CAP_NET_RAW check.
Xie He <[email protected]>
drivers/net/wan/lapbether: Added needed_headroom and a skb->len check
John Ogness <[email protected]>
af_packet: TPACKET_V3: fix fill status rwlock imbalance
Jian Cai <[email protected]>
crypto: aesni - add compatibility with IAS
Eric Dumazet <[email protected]>
x86/fsgsbase/64: Fix NULL deref in 86_fsgsbase_read_task
Chuck Lever <[email protected]>
svcrdma: Fix page leak in svc_rdma_recv_read_chunk()
Drew Fustini <[email protected]>
pinctrl-single: fix pcs_parse_pinconf() return value
Pavel Machek <[email protected]>
ocfs2: fix unbalanced locking
Wang Hai <[email protected]>
dlm: Fix kobject memleak
Florinel Iordache <[email protected]>
fsl/fman: fix eth hash table allocation
Florinel Iordache <[email protected]>
fsl/fman: check dereferencing null pointer
Florinel Iordache <[email protected]>
fsl/fman: fix unreachable code
Florinel Iordache <[email protected]>
fsl/fman: fix dereference null return value
Florinel Iordache <[email protected]>
fsl/fman: use 32-bit unsigned integer
Christophe JAILLET <[email protected]>
net: spider_net: Fix the size used in a 'dma_free_coherent()' call
Tianjia Zhang <[email protected]>
liquidio: Fix wrong return value in cn23xx_get_pf_num()
Tianjia Zhang <[email protected]>
net: ethernet: aquantia: Fix wrong return value
Andrii Nakryiko <[email protected]>
tools, build: Propagate build failures from tools/build/Makefile.build
Wang Hai <[email protected]>
wl1251: fix always return 0 error
Julian Wiedmann <[email protected]>
s390/qeth: don't process empty bridge port events
Jerome Brunet <[email protected]>
ASoC: meson: axg-tdm-interface: fix link fmt setup
Sandipan Das <[email protected]>
selftests/powerpc: Fix online CPU selection
Hanjun Guo <[email protected]>
PCI: Release IVRS table in AMD ACS quirk
Harish <[email protected]>
selftests/powerpc: Fix CPU affinity for child process
Michael Ellerman <[email protected]>
powerpc/boot: Fix CONFIG_PPC_MPC52XX references
Linus Walleij <[email protected]>
net: dsa: rtl8366: Fix VLAN set-up
Linus Walleij <[email protected]>
net: dsa: rtl8366: Fix VLAN semantics
Nicolas Boichat <[email protected]>
Bluetooth: hci_serdev: Only unregister device if it was registered
Nicolas Boichat <[email protected]>
Bluetooth: hci_h5: Set HCI_UART_RESET_ON_INIT to correct flags
Tom Rix <[email protected]>
power: supply: check if calc_soc succeeded in pm860x_init_battery
Dan Carpenter <[email protected]>
Smack: prevent underflow in smk_set_cipso()
Dan Carpenter <[email protected]>
Smack: fix another vsscanf out of bounds
Li Heng <[email protected]>
RDMA/core: Fix return error value in _ib_modify_qp() to negative
Kishon Vijay Abraham I <[email protected]>
PCI: cadence: Fix updating Vendor ID and Subsystem Vendor ID register
Chris Packham <[email protected]>
net: dsa: mv88e6xxx: MV88E6097 does not support jumbo configuration
Finn Thain <[email protected]>
scsi: mesh: Fix panic after host or bus reset
Marek Szyprowski <[email protected]>
usb: dwc2: Fix error path in gadget registration
Yu Kuai <[email protected]>
MIPS: OCTEON: add missing put_device() call in dwc3_octeon_device_init()
Sai Prakash Ranjan <[email protected]>
coresight: tmc: Fix TMC mode read in tmc_read_unprepare_etb()
Dan Carpenter <[email protected]>
thermal: ti-soc-thermal: Fix reversed condition in ti_thermal_expose_sensor()
Kars Mulder <[email protected]>
usb: core: fix quirks_param_set() writing to a const pointer
Johan Hovold <[email protected]>
USB: serial: iuu_phoenix: fix led-activity helpers
Marco Felsch <[email protected]>
drm/imx: tve: fix regulator_disable error path
Aneesh Kumar K.V <[email protected]>
powerpc/book3s64/pkeys: Use PVR check instead of cpu feature
Xiongfeng Wang <[email protected]>
PCI/ASPM: Add missing newline in sysfs 'policy'
Colin Ian King <[email protected]>
staging: rtl8192u: fix a dubious looking mask before a shift
Mikhail Malygin <[email protected]>
RDMA/rxe: Prevent access to wr->next ptr afrer wr is posted to send queue
Yuval Basson <[email protected]>
RDMA/qedr: SRQ's bug fixes
Milton Miller <[email protected]>
powerpc/vdso: Fix vdso cpu truncation
Dan Carpenter <[email protected]>
mwifiex: Prevent memory corruption handling keys
John Garry <[email protected]>
scsi: scsi_debug: Add check for sdebug_max_queue during module init
Tom Rix <[email protected]>
drm/bridge: sil_sii8620: initialize return of sii8620_readb
Marek Szyprowski <[email protected]>
phy: exynos5-usbdrd: Calibrating makes sense only for USB2.0 PHY
Laurent Pinchart <[email protected]>
drm: panel: simple: Fix bpc for LG LB070WV8 panel
Kai-Heng Feng <[email protected]>
leds: core: Flush scheduled work for system suspend
Bjorn Helgaas <[email protected]>
PCI: Fix pci_cfg_wait queue locking problem
Zhu Yanjun <[email protected]>
RDMA/rxe: Skip dgid check in loopback mode
Darrick J. Wong <[email protected]>
xfs: fix reflink quota reservation accounting error
Darrick J. Wong <[email protected]>
xfs: don't eat an EIO/ENOSPC writeback error when scrubbing data fork
Chuhong Yuan <[email protected]>
media: exynos4-is: Add missed check for pinctrl_lookup_state()
Dan Carpenter <[email protected]>
media: firewire: Using uninitialized values in node_probe()
Julian Anastasov <[email protected]>
ipvs: allow connection reuse for unconfirmed conntrack
Christophe JAILLET <[email protected]>
scsi: eesox: Fix different dev_id between request_irq() and free_irq()
Christophe JAILLET <[email protected]>
scsi: powertec: Fix different dev_id between request_irq() and free_irq()
Colin Ian King <[email protected]>
drm/radeon: fix array out-of-bounds read and write issues
Wang Hai <[email protected]>
cxl: Fix kobject memleak
Emil Velikov <[email protected]>
drm/mipi: use dcs write for mipi_dsi_dcs_set_tear_scanline
Christophe JAILLET <[email protected]>
scsi: cumana_2: Fix different dev_id between request_irq() and free_irq()
Pierre-Louis Bossart <[email protected]>
ASoC: Intel: bxt_rt298: add missing .owner field
Chuhong Yuan <[email protected]>
media: omap3isp: Add missed v4l2_ctrl_handler_free() for preview_init_entities()
Arnd Bergmann <[email protected]>
leds: lm355x: avoid enum conversion warning
Colin Ian King <[email protected]>
drm/arm: fix unintentional integer overflow on left shift
Lubomir Rintel <[email protected]>
drm/etnaviv: Fix error path on failure to enable bus clk
Tomasz Duszynski <[email protected]>
iio: improve IIO_CONCENTRATION channel type description
Evan Green <[email protected]>
ath10k: Acquire tx_lock in tx error paths
Christophe JAILLET <[email protected]>
video: pxafb: Fix the function used to balance a 'dma_alloc_coherent()' call
Dejin Zheng <[email protected]>
console: newport_con: fix an issue about leak related system resources
Dejin Zheng <[email protected]>
video: fbdev: sm712fb: fix an issue about iounmap for a wrong address
Qiushi Wu <[email protected]>
agp/intel: Fix a memory leak on module initialisation failure
Rob Clark <[email protected]>
drm/msm: ratelimit crtc event overflow error
Erik Kaneda <[email protected]>
ACPICA: Do not increment operation_region reference counts for field units
Coly Li <[email protected]>
bcache: fix super block seq numbers comparision in register_cache_set()
Jim Cromie <[email protected]>
dyndbg: fix a BUG_ON in ddebug_describe_flags
Danesh Petigara <[email protected]>
usb: bdc: Halt controller on suspend
Sasi Kumar <[email protected]>
bdc: Fix bug causing crash after multiple disconnects
Evgeny Novikov <[email protected]>
usb: gadget: net2280: fix memory leak on probe error handling paths
Dmitry Osipenko <[email protected]>
gpu: host1x: debug: Fix multiple channels emitting messages simultaneously
Bolarinwa Olayemi Saheed <[email protected]>
iwlegacy: Check the return value of pcie_capability_read_*()
Wright Feng <[email protected]>
brcmfmac: set state of hanger slot to FREE when flushing PSQ
Prasanna Kerekoppa <[email protected]>
brcmfmac: To fix Bss Info flag definition Bug
Wright Feng <[email protected]>
brcmfmac: keep SDIO watchdog running when console_interval is non-zero
Paul E. McKenney <[email protected]>
mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls
Bartosz Golaszewski <[email protected]>
irqchip/irq-mtk-sysirq: Replace spinlock with raw_spinlock
Christian König <[email protected]>
drm/radeon: disable AGP by default
Michael Tretter <[email protected]>
drm/debugfs: fix plain echo to connector "force" attribute
Chunfeng Yun <[email protected]>
usb: mtu3: clear dual mode of u3port when disable device
Aditya Pakki <[email protected]>
drm/nouveau: fix multiple instances of reference count leaks
Navid Emamdoost <[email protected]>
drm/etnaviv: fix ref count leak via pm_runtime_get_sync
Ricardo Cañuelo <[email protected]>
arm64: dts: hisilicon: hikey: fixes to comply with adi, adv7533 DT binding
Zhao Heming <[email protected]>
md-cluster: fix wild pointer of unlock_all_bitmaps()
Evgeny Novikov <[email protected]>
video: fbdev: neofb: fix memory leak in neo_scan_monitor()
Sedat Dilek <[email protected]>
crypto: aesni - Fix build with LLVM_IAS=1
Aditya Pakki <[email protected]>
drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync
Jack Xiao <[email protected]>
drm/amdgpu: avoid dereferencing a NULL pointer
Paul E. McKenney <[email protected]>
fs/btrfs: Add cond_resched() for try_release_extent_mapping() stalls
Luis Chamberlain <[email protected]>
loop: be paranoid on exit and prevent new additions / removals
Lihong Kou <[email protected]>
Bluetooth: add a mutex lock to avoid UAF in do_enale_set
Maulik Shah <[email protected]>
soc: qcom: rpmh-rsc: Set suppress_bind_attrs flag
Tomi Valkeinen <[email protected]>
drm/tilcdc: fix leak & null ref in panel_connector_get_modes
Yu Kuai <[email protected]>
ARM: socfpga: PM: add missing put_device() call in socfpga_setup_ocram_self_refresh()
Dilip Kota <[email protected]>
spi: lantiq: fix: Rx overflow error in full duplex mode
yu kuai <[email protected]>
ARM: at91: pm: add missing put_device() call in at91_pm_sram_init()
Niklas Söderlund <[email protected]>
ARM: dts: gose: Fix ports node name for adv7612
Niklas Söderlund <[email protected]>
ARM: dts: gose: Fix ports node name for adv7180
Lu Wei <[email protected]>
platform/x86: intel-vbtn: Fix return value check in check_acpi_dev()
Lu Wei <[email protected]>
platform/x86: intel-hid: Fix return value check in check_acpi_dev()
Finn Thain <[email protected]>
m68k: mac: Fix IOP status/control register writes
Finn Thain <[email protected]>
m68k: mac: Don't send IOP message until channel is idle
Sudeep Holla <[email protected]>
clk: scmi: Fix min and max rate when registering clocks with discrete rates
Alim Akhtar <[email protected]>
arm64: dts: exynos: Fix silent hang after boot on Espresso
Cristian Marussi <[email protected]>
firmware: arm_scmi: Fix SCMI genpd domain probing
Gilad Ben-Yossef <[email protected]>
crypto: ccree - fix resource leak on error path
Stephan Gerhold <[email protected]>
arm64: dts: qcom: msm8916: Replace invalid bias-pull-none property
Qiushi Wu <[email protected]>
EDAC: Fix reference count leaks
Heiko Stuebner <[email protected]>
arm64: dts: rockchip: fix rk3399-puma gmac reset gpio
Heiko Stuebner <[email protected]>
arm64: dts: rockchip: fix rk3399-puma vcc5v0-host gpio
Heiko Stuebner <[email protected]>
arm64: dts: rockchip: fix rk3368-lion gmac reset gpio
Peng Liu <[email protected]>
sched: correct SD_flags returned by tl->sd_flags()
Vincent Guittot <[email protected]>
sched/fair: Fix NOHZ next idle balance
Zhenzhong Duan <[email protected]>
x86/mce/inject: Fix a wrong assignment of i_mce.status
Yang Yingliang <[email protected]>
cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()
Grant Likely <[email protected]>
HID: input: Fix devices that return multiple bytes in battery report
Nick Desaulniers <[email protected]>
tracepoint: Mark __tracepoint_string's __used
-------------
Diffstat:
Documentation/ABI/testing/sysfs-bus-iio | 3 +-
Makefile | 4 +-
arch/arm/boot/dts/r8a7793-gose.dts | 4 +-
arch/arm/kernel/stacktrace.c | 24 ++++++
arch/arm/mach-at91/pm.c | 11 ++-
arch/arm/mach-socfpga/pm.c | 8 +-
arch/arm64/boot/dts/exynos/exynos7-espresso.dts | 1 +
arch/arm64/boot/dts/hisilicon/hi3660-hikey960.dts | 11 +++
arch/arm64/boot/dts/hisilicon/hi6220-hikey.dts | 2 +-
arch/arm64/boot/dts/qcom/msm8916-pins.dtsi | 10 +--
arch/arm64/boot/dts/rockchip/rk3368-lion.dtsi | 2 +-
arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 4 +-
arch/m68k/mac/iop.c | 21 ++---
arch/mips/cavium-octeon/octeon-usb.c | 5 +-
arch/parisc/include/asm/barrier.h | 61 ++++++++++++++
arch/powerpc/boot/Makefile | 2 +-
arch/powerpc/boot/serial.c | 2 +-
arch/powerpc/kernel/vdso.c | 2 +-
arch/powerpc/mm/pkeys.c | 16 ++--
arch/x86/crypto/aes_ctrby8_avx-x86_64.S | 14 +---
arch/x86/crypto/aesni-intel_asm.S | 6 +-
arch/x86/kernel/apic/io_apic.c | 5 ++
arch/x86/kernel/cpu/mcheck/mce-inject.c | 2 +-
arch/x86/kernel/ptrace.c | 2 +-
drivers/acpi/acpica/exprep.c | 4 -
drivers/acpi/acpica/utdelete.c | 6 +-
drivers/block/loop.c | 4 +
drivers/bluetooth/hci_h5.c | 2 +-
drivers/bluetooth/hci_serdev.c | 3 +-
drivers/char/agp/intel-gtt.c | 4 +-
drivers/clk/clk-scmi.c | 22 ++++-
drivers/cpufreq/armada-37xx-cpufreq.c | 1 +
drivers/crypto/cavium/cpt/cptvf_algs.c | 1 +
drivers/crypto/cavium/cpt/cptvf_reqmanager.c | 12 +--
drivers/crypto/cavium/cpt/request_manager.h | 2 +
drivers/crypto/ccp/ccp-dev.h | 1 +
drivers/crypto/ccp/ccp-ops.c | 37 ++++++---
drivers/crypto/ccree/cc_cipher.c | 30 ++++---
drivers/crypto/hisilicon/sec/sec_algs.c | 34 ++++----
drivers/crypto/qat/qat_common/qat_uclo.c | 9 ++-
drivers/edac/edac_device_sysfs.c | 1 +
drivers/edac/edac_pci_sysfs.c | 2 +-
drivers/firmware/arm_scmi/scmi_pm_domain.c | 12 +--
drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c | 19 +++--
drivers/gpu/drm/arm/malidp_planes.c | 2 +-
drivers/gpu/drm/bridge/sil-sii8620.c | 2 +-
drivers/gpu/drm/drm_debugfs.c | 8 +-
drivers/gpu/drm/drm_mipi_dsi.c | 6 +-
drivers/gpu/drm/etnaviv/etnaviv_gpu.c | 19 +++--
drivers/gpu/drm/imx/imx-tve.c | 20 ++---
drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 2 +-
drivers/gpu/drm/nouveau/nouveau_drm.c | 8 +-
drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +-
drivers/gpu/drm/nouveau/nouveau_sgdma.c | 9 +--
drivers/gpu/drm/panel/panel-simple.c | 2 +-
drivers/gpu/drm/radeon/ci_dpm.c | 2 +-
drivers/gpu/drm/radeon/radeon_display.c | 4 +-
drivers/gpu/drm/radeon/radeon_drv.c | 9 +--
drivers/gpu/drm/radeon/radeon_kms.c | 4 +-
drivers/gpu/drm/tilcdc/tilcdc_panel.c | 6 +-
drivers/gpu/drm/ttm/ttm_tt.c | 3 -
drivers/gpu/host1x/debug.c | 4 +
drivers/hid/hid-input.c | 6 +-
drivers/hwtracing/coresight/coresight-tmc-etf.c | 13 ++-
drivers/infiniband/core/verbs.c | 2 +-
drivers/infiniband/hw/qedr/qedr.h | 4 +-
drivers/infiniband/hw/qedr/verbs.c | 22 +++--
drivers/infiniband/sw/rxe/rxe_recv.c | 6 +-
drivers/infiniband/sw/rxe/rxe_verbs.c | 5 +-
drivers/iommu/intel_irq_remapping.c | 8 ++
drivers/irqchip/irq-mtk-sysirq.c | 8 +-
drivers/leds/led-class.c | 1 +
drivers/leds/leds-lm355x.c | 7 +-
drivers/md/bcache/super.c | 9 ++-
drivers/md/md-cluster.c | 1 +
drivers/media/firewire/firedtv-fw.c | 2 +
drivers/media/platform/exynos4-is/media-dev.c | 3 +
drivers/media/platform/omap3isp/isppreview.c | 4 +-
drivers/misc/cxl/sysfs.c | 2 +-
drivers/mtd/nand/raw/qcom_nandc.c | 7 +-
drivers/net/dsa/mv88e6xxx/chip.c | 1 -
drivers/net/dsa/rtl8366.c | 35 +++++---
.../ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c | 2 +-
.../ethernet/cavium/liquidio/cn23xx_pf_device.c | 2 +-
drivers/net/ethernet/freescale/fman/fman.c | 3 +-
drivers/net/ethernet/freescale/fman/fman_dtsec.c | 4 +-
drivers/net/ethernet/freescale/fman/fman_mac.h | 2 +-
drivers/net/ethernet/freescale/fman/fman_memac.c | 3 +-
drivers/net/ethernet/freescale/fman/fman_port.c | 9 ++-
drivers/net/ethernet/freescale/fman/fman_tgec.c | 2 +-
drivers/net/ethernet/toshiba/spider_net.c | 4 +-
drivers/net/wan/lapbether.c | 10 ++-
drivers/net/wireless/ath/ath10k/htt_tx.c | 4 +
.../broadcom/brcm80211/brcmfmac/fwil_types.h | 2 +-
.../broadcom/brcm80211/brcmfmac/fwsignal.c | 4 +
.../wireless/broadcom/brcm80211/brcmfmac/sdio.c | 6 +-
drivers/net/wireless/intel/iwlegacy/common.c | 4 +-
drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c | 22 +++--
drivers/net/wireless/ti/wl1251/event.c | 2 +-
drivers/parisc/sba_iommu.c | 2 +-
drivers/pci/access.c | 8 +-
drivers/pci/controller/pcie-cadence-host.c | 9 ++-
drivers/pci/controller/vmd.c | 3 +
drivers/pci/pcie/aspm.c | 1 +
drivers/pci/quirks.c | 2 +
drivers/phy/samsung/phy-exynos5-usbdrd.c | 4 +-
drivers/pinctrl/pinctrl-single.c | 11 ++-
drivers/platform/x86/intel-hid.c | 2 +-
drivers/platform/x86/intel-vbtn.c | 2 +-
drivers/power/supply/88pm860x_battery.c | 6 +-
drivers/s390/net/qeth_l2_main.c | 4 +
drivers/scsi/arm/cumana_2.c | 2 +-
drivers/scsi/arm/eesox.c | 2 +-
drivers/scsi/arm/powertec.c | 2 +-
drivers/scsi/mesh.c | 8 +-
drivers/scsi/scsi_debug.c | 6 ++
drivers/soc/qcom/rpmh-rsc.c | 1 +
drivers/spi/spi-lantiq-ssc.c | 10 +++
drivers/spi/spidev.c | 21 +++--
drivers/staging/rtl8192u/r8192U_core.c | 2 +-
drivers/thermal/ti-soc-thermal/ti-thermal-common.c | 2 +-
drivers/usb/core/quirks.c | 16 +++-
drivers/usb/dwc2/platform.c | 4 +-
drivers/usb/gadget/udc/bdc/bdc_core.c | 13 ++-
drivers/usb/gadget/udc/bdc/bdc_ep.c | 16 ++--
drivers/usb/gadget/udc/net2280.c | 4 +-
drivers/usb/mtu3/mtu3_core.c | 6 +-
drivers/usb/serial/cp210x.c | 19 +++++
drivers/usb/serial/iuu_phoenix.c | 14 ++--
drivers/video/console/newport_con.c | 12 ++-
drivers/video/fbdev/neofb.c | 1 +
drivers/video/fbdev/pxafb.c | 4 +-
drivers/video/fbdev/sm712fb.c | 2 +
drivers/xen/balloon.c | 12 ++-
drivers/xen/gntdev-dmabuf.c | 8 ++
fs/9p/v9fs.c | 5 +-
fs/btrfs/extent_io.c | 2 +
fs/dlm/lockspace.c | 6 +-
fs/minix/inode.c | 36 ++++++++-
fs/minix/itree_common.c | 8 +-
fs/nfs/pnfs.c | 46 ++++-------
fs/ocfs2/dlmglue.c | 8 +-
fs/pstore/platform.c | 5 +-
fs/xfs/scrub/bmap.c | 22 ++++-
fs/xfs/xfs_reflink.c | 21 +++--
include/asm-generic/vmlinux.lds.h | 1 +
include/linux/bitfield.h | 2 +-
include/linux/tracepoint.h | 2 +-
include/net/inet_connection_sock.h | 4 +
include/net/ip_vs.h | 10 +--
kernel/cgroup/cgroup.c | 2 +
kernel/sched/fair.c | 23 +++---
kernel/sched/topology.c | 2 +-
lib/dynamic_debug.c | 23 +++---
mm/mmap.c | 1 +
net/bluetooth/6lowpan.c | 5 ++
net/ipv4/inet_connection_sock.c | 93 ++++++++++++----------
net/ipv4/inet_hashtables.c | 1 +
net/netfilter/ipvs/ip_vs_core.c | 12 +--
net/nfc/rawsock.c | 7 +-
net/packet/af_packet.c | 9 ++-
net/socket.c | 2 +-
net/sunrpc/xprtrdma/svc_rdma_rw.c | 28 +++++--
net/tls/tls_device.c | 3 +-
security/smack/smackfs.c | 6 +-
sound/pci/hda/patch_realtek.c | 1 +
sound/soc/intel/boards/bxt_rt298.c | 2 +
sound/soc/meson/axg-tdm-interface.c | 26 +++---
sound/usb/card.h | 1 +
sound/usb/mixer_quirks.c | 1 +
sound/usb/pcm.c | 6 ++
sound/usb/quirks-table.h | 64 ++++++++++++++-
sound/usb/quirks.c | 3 +
sound/usb/stream.c | 1 +
tools/build/Build.include | 3 +-
.../selftests/powerpc/benchmarks/context_switch.c | 21 +++--
tools/testing/selftests/powerpc/utils.c | 37 ++++++---
177 files changed, 1086 insertions(+), 489 deletions(-)
From: Jack Xiao <[email protected]>
[ Upstream commit 55611b507fd6453d26030c0c0619fdf0c262766d ]
Check if irq_src is NULL to avoid dereferencing a NULL pointer,
for MES ring is uneccessary to recieve an interrupt notification.
Signed-off-by: Jack Xiao <[email protected]>
Acked-by: Alex Deucher <[email protected]>
Reviewed-by: Hawking Zhang <[email protected]>
Reviewed-by: Christian König <[email protected]>
Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c
index 869ff624b108c..e5e51e4d4f3d8 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c
@@ -396,7 +396,9 @@ int amdgpu_fence_driver_start_ring(struct amdgpu_ring *ring,
ring->fence_drv.gpu_addr = adev->uvd.inst[ring->me].gpu_addr + index;
}
amdgpu_fence_write(ring, atomic_read(&ring->fence_drv.last_seq));
- amdgpu_irq_get(adev, irq_src, irq_type);
+
+ if (irq_src)
+ amdgpu_irq_get(adev, irq_src, irq_type);
ring->fence_drv.irq_src = irq_src;
ring->fence_drv.irq_type = irq_type;
@@ -508,8 +510,9 @@ void amdgpu_fence_driver_fini(struct amdgpu_device *adev)
/* no need to trigger GPU reset as we are unloading */
amdgpu_fence_driver_force_completion(ring);
}
- amdgpu_irq_put(adev, ring->fence_drv.irq_src,
- ring->fence_drv.irq_type);
+ if (ring->fence_drv.irq_src)
+ amdgpu_irq_put(adev, ring->fence_drv.irq_src,
+ ring->fence_drv.irq_type);
drm_sched_fini(&ring->sched);
del_timer_sync(&ring->fence_drv.fallback_timer);
for (j = 0; j <= ring->fence_drv.num_fences_mask; ++j)
@@ -545,8 +548,9 @@ void amdgpu_fence_driver_suspend(struct amdgpu_device *adev)
}
/* disable the interrupt */
- amdgpu_irq_put(adev, ring->fence_drv.irq_src,
- ring->fence_drv.irq_type);
+ if (ring->fence_drv.irq_src)
+ amdgpu_irq_put(adev, ring->fence_drv.irq_src,
+ ring->fence_drv.irq_type);
}
}
@@ -572,8 +576,9 @@ void amdgpu_fence_driver_resume(struct amdgpu_device *adev)
continue;
/* enable the interrupt */
- amdgpu_irq_get(adev, ring->fence_drv.irq_src,
- ring->fence_drv.irq_type);
+ if (ring->fence_drv.irq_src)
+ amdgpu_irq_get(adev, ring->fence_drv.irq_src,
+ ring->fence_drv.irq_type);
}
}
--
2.25.1
From: Lihong Kou <[email protected]>
[ Upstream commit f9c70bdc279b191da8d60777c627702c06e4a37d ]
In the case we set or free the global value listen_chan in
different threads, we can encounter the UAF problems because
the method is not protected by any lock, add one to avoid
this bug.
BUG: KASAN: use-after-free in l2cap_chan_close+0x48/0x990
net/bluetooth/l2cap_core.c:730
Read of size 8 at addr ffff888096950000 by task kworker/1:102/2868
CPU: 1 PID: 2868 Comm: kworker/1:102 Not tainted 5.5.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine,
BIOS Google 01/01/2011
Workqueue: events do_enable_set
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fb/0x318 lib/dump_stack.c:118
print_address_description+0x74/0x5c0 mm/kasan/report.c:374
__kasan_report+0x149/0x1c0 mm/kasan/report.c:506
kasan_report+0x26/0x50 mm/kasan/common.c:641
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
l2cap_chan_close+0x48/0x990 net/bluetooth/l2cap_core.c:730
do_enable_set+0x660/0x900 net/bluetooth/6lowpan.c:1074
process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
kthread+0x332/0x350 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Allocated by task 2870:
save_stack mm/kasan/common.c:72 [inline]
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3551
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
l2cap_chan_create+0x50/0x320 net/bluetooth/l2cap_core.c:446
chan_create net/bluetooth/6lowpan.c:640 [inline]
bt_6lowpan_listen net/bluetooth/6lowpan.c:959 [inline]
do_enable_set+0x6a4/0x900 net/bluetooth/6lowpan.c:1078
process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
kthread+0x332/0x350 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Freed by task 2870:
save_stack mm/kasan/common.c:72 [inline]
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476
kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
__cache_free mm/slab.c:3426 [inline]
kfree+0x10d/0x220 mm/slab.c:3757
l2cap_chan_destroy net/bluetooth/l2cap_core.c:484 [inline]
kref_put include/linux/kref.h:65 [inline]
l2cap_chan_put+0x170/0x190 net/bluetooth/l2cap_core.c:498
do_enable_set+0x66c/0x900 net/bluetooth/6lowpan.c:1075
process_one_work+0x7f5/0x10f0 kernel/workqueue.c:2264
worker_thread+0xbbc/0x1630 kernel/workqueue.c:2410
kthread+0x332/0x350 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
The buggy address belongs to the object at ffff888096950000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 0 bytes inside of
2048-byte region [ffff888096950000, ffff888096950800)
The buggy address belongs to the page:
page:ffffea00025a5400 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00027d1548 ffffea0002397808 ffff8880aa400e00
raw: 0000000000000000 ffff888096950000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88809694ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88809694ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888096950000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888096950080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888096950100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Reported-by: [email protected]
Signed-off-by: Lihong Kou <[email protected]>
Signed-off-by: Marcel Holtmann <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
net/bluetooth/6lowpan.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
index 357475cceec61..9a75f9b00b512 100644
--- a/net/bluetooth/6lowpan.c
+++ b/net/bluetooth/6lowpan.c
@@ -57,6 +57,7 @@ static bool enable_6lowpan;
/* We are listening incoming connections via this channel
*/
static struct l2cap_chan *listen_chan;
+static DEFINE_MUTEX(set_lock);
struct lowpan_peer {
struct list_head list;
@@ -1082,12 +1083,14 @@ static void do_enable_set(struct work_struct *work)
enable_6lowpan = set_enable->flag;
+ mutex_lock(&set_lock);
if (listen_chan) {
l2cap_chan_close(listen_chan, 0);
l2cap_chan_put(listen_chan);
}
listen_chan = bt_6lowpan_listen();
+ mutex_unlock(&set_lock);
kfree(set_enable);
}
@@ -1139,11 +1142,13 @@ static ssize_t lowpan_control_write(struct file *fp,
if (ret == -EINVAL)
return ret;
+ mutex_lock(&set_lock);
if (listen_chan) {
l2cap_chan_close(listen_chan, 0);
l2cap_chan_put(listen_chan);
listen_chan = NULL;
}
+ mutex_unlock(&set_lock);
if (conn) {
struct lowpan_peer *peer;
--
2.25.1
From: Niklas Söderlund <[email protected]>
[ Upstream commit 59692ac5a7bb8c97ff440fc8917828083fbc38d6 ]
When adding the adv7612 device node the ports node was misspelled as
port, fix this.
Fixes: bc63cd87f3ce924f ("ARM: dts: gose: add HDMI input")
Signed-off-by: Niklas Söderlund <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Geert Uytterhoeven <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
arch/arm/boot/dts/r8a7793-gose.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/r8a7793-gose.dts b/arch/arm/boot/dts/r8a7793-gose.dts
index 9235be8f0f007..7802ce842a736 100644
--- a/arch/arm/boot/dts/r8a7793-gose.dts
+++ b/arch/arm/boot/dts/r8a7793-gose.dts
@@ -399,7 +399,7 @@ hdmi-in@4c {
interrupts = <2 IRQ_TYPE_LEVEL_LOW>;
default-input = <0>;
- port {
+ ports {
#address-cells = <1>;
#size-cells = <0>;
--
2.25.1
From: Yu Kuai <[email protected]>
[ Upstream commit 3ad7b4e8f89d6bcc9887ca701cf2745a6aedb1a0 ]
if of_find_device_by_node() succeed, socfpga_setup_ocram_self_refresh
doesn't have a corresponding put_device(). Thus add a jump target to
fix the exception handling for this function implementation.
Fixes: 44fd8c7d4005 ("ARM: socfpga: support suspend to ram")
Signed-off-by: Yu Kuai <[email protected]>
Signed-off-by: Dinh Nguyen <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
arch/arm/mach-socfpga/pm.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/arch/arm/mach-socfpga/pm.c b/arch/arm/mach-socfpga/pm.c
index d4866788702cb..b782294ee30bc 100644
--- a/arch/arm/mach-socfpga/pm.c
+++ b/arch/arm/mach-socfpga/pm.c
@@ -60,14 +60,14 @@ static int socfpga_setup_ocram_self_refresh(void)
if (!ocram_pool) {
pr_warn("%s: ocram pool unavailable!\n", __func__);
ret = -ENODEV;
- goto put_node;
+ goto put_device;
}
ocram_base = gen_pool_alloc(ocram_pool, socfpga_sdram_self_refresh_sz);
if (!ocram_base) {
pr_warn("%s: unable to alloc ocram!\n", __func__);
ret = -ENOMEM;
- goto put_node;
+ goto put_device;
}
ocram_pbase = gen_pool_virt_to_phys(ocram_pool, ocram_base);
@@ -78,7 +78,7 @@ static int socfpga_setup_ocram_self_refresh(void)
if (!suspend_ocram_base) {
pr_warn("%s: __arm_ioremap_exec failed!\n", __func__);
ret = -ENOMEM;
- goto put_node;
+ goto put_device;
}
/* Copy the code that puts DDR in self refresh to ocram */
@@ -92,6 +92,8 @@ static int socfpga_setup_ocram_self_refresh(void)
if (!socfpga_sdram_self_refresh_in_ocram)
ret = -EFAULT;
+put_device:
+ put_device(&pdev->dev);
put_node:
of_node_put(np);
--
2.25.1
From: Niklas Söderlund <[email protected]>
[ Upstream commit d344234abde938ae1062edb6c05852b0bafb4a03 ]
When adding the adv7180 device node the ports node was misspelled as
port, fix this.
Fixes: 8cae359049a88b75 ("ARM: dts: gose: add composite video input")
Signed-off-by: Niklas Söderlund <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Geert Uytterhoeven <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
arch/arm/boot/dts/r8a7793-gose.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/r8a7793-gose.dts b/arch/arm/boot/dts/r8a7793-gose.dts
index 6b2f3a4fd13d6..9235be8f0f007 100644
--- a/arch/arm/boot/dts/r8a7793-gose.dts
+++ b/arch/arm/boot/dts/r8a7793-gose.dts
@@ -339,7 +339,7 @@ composite-in@20 {
reg = <0x20>;
remote = <&vin1>;
- port {
+ ports {
#address-cells = <1>;
#size-cells = <0>;
--
2.25.1
From: Cristian Marussi <[email protected]>
[ Upstream commit e0f1a30cf184821499eeb67daedd7a3f21bbcb0b ]
When, at probe time, an SCMI communication failure inhibits the capacity
to query power domains states, such domains should be skipped.
Registering partially initialized SCMI power domains with genpd will
causes kernel panic.
arm-scmi timed out in resp(caller: scmi_power_state_get+0xa4/0xd0)
scmi-power-domain scmi_dev.2: failed to get state for domain 9
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Mem abort info:
ESR = 0x96000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=00000009f3691000
[0000000000000000] pgd=00000009f1ca0003, p4d=00000009f1ca0003, pud=00000009f35ea003, pmd=0000000000000000
Internal error: Oops: 96000006 [#1] PREEMPT SMP
CPU: 2 PID: 381 Comm: bash Not tainted 5.8.0-rc1-00011-gebd118c2cca8 #2
Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Jan 3 2020
Internal error: Oops: 96000006 [#1] PREEMPT SMP
pstate: 80000005 (Nzcv daif -PAN -UAO BTYPE=--)
pc : of_genpd_add_provider_onecell+0x98/0x1f8
lr : of_genpd_add_provider_onecell+0x48/0x1f8
Call trace:
of_genpd_add_provider_onecell+0x98/0x1f8
scmi_pm_domain_probe+0x174/0x1e8
scmi_dev_probe+0x90/0xe0
really_probe+0xe4/0x448
driver_probe_device+0xfc/0x168
device_driver_attach+0x7c/0x88
bind_store+0xe8/0x128
drv_attr_store+0x2c/0x40
sysfs_kf_write+0x4c/0x60
kernfs_fop_write+0x114/0x230
__vfs_write+0x24/0x50
vfs_write+0xbc/0x1e0
ksys_write+0x70/0xf8
__arm64_sys_write+0x24/0x30
el0_svc_common.constprop.3+0x94/0x160
do_el0_svc+0x2c/0x98
el0_sync_handler+0x148/0x1a8
el0_sync+0x158/0x180
Do not register any power domain that failed to be queried with genpd.
Fixes: 898216c97ed2 ("firmware: arm_scmi: add device power domain support using genpd")
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Cristian Marussi <[email protected]>
Signed-off-by: Sudeep Holla <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/firmware/arm_scmi/scmi_pm_domain.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/firmware/arm_scmi/scmi_pm_domain.c b/drivers/firmware/arm_scmi/scmi_pm_domain.c
index 87f737e01473c..041f8152272bf 100644
--- a/drivers/firmware/arm_scmi/scmi_pm_domain.c
+++ b/drivers/firmware/arm_scmi/scmi_pm_domain.c
@@ -85,7 +85,10 @@ static int scmi_pm_domain_probe(struct scmi_device *sdev)
for (i = 0; i < num_domains; i++, scmi_pd++) {
u32 state;
- domains[i] = &scmi_pd->genpd;
+ if (handle->power_ops->state_get(handle, i, &state)) {
+ dev_warn(dev, "failed to get state for domain %d\n", i);
+ continue;
+ }
scmi_pd->domain = i;
scmi_pd->handle = handle;
@@ -94,13 +97,10 @@ static int scmi_pm_domain_probe(struct scmi_device *sdev)
scmi_pd->genpd.power_off = scmi_pd_power_off;
scmi_pd->genpd.power_on = scmi_pd_power_on;
- if (handle->power_ops->state_get(handle, i, &state)) {
- dev_warn(dev, "failed to get state for domain %d\n", i);
- continue;
- }
-
pm_genpd_init(&scmi_pd->genpd, NULL,
state == SCMI_POWER_STATE_GENERIC_OFF);
+
+ domains[i] = &scmi_pd->genpd;
}
scmi_pd_data->domains = domains;
--
2.25.1
From: Stephan Gerhold <[email protected]>
[ Upstream commit 1b6a1a162defe649c5599d661b58ac64bb6f31b6 ]
msm8916-pins.dtsi specifies "bias-pull-none" for most of the audio
pin configurations. This was likely copied from the qcom kernel fork
where the same property was used for these audio pins.
However, "bias-pull-none" actually does not exist at all - not in
mainline and not in downstream. I can only guess that the original
intention was to configure "no pull", i.e. bias-disable.
Change it to that instead.
Fixes: 143bb9ad85b7 ("arm64: dts: qcom: add audio pinctrls")
Cc: Srinivas Kandagatla <[email protected]>
Signed-off-by: Stephan Gerhold <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Bjorn Andersson <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
arch/arm64/boot/dts/qcom/msm8916-pins.dtsi | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi b/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi
index 390a2fa285145..60d218c5275c1 100644
--- a/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi
+++ b/arch/arm64/boot/dts/qcom/msm8916-pins.dtsi
@@ -516,7 +516,7 @@ pinconf {
pins = "gpio63", "gpio64", "gpio65", "gpio66",
"gpio67", "gpio68";
drive-strength = <8>;
- bias-pull-none;
+ bias-disable;
};
};
cdc_pdm_lines_sus: pdm_lines_off {
@@ -545,7 +545,7 @@ pinconf {
pins = "gpio113", "gpio114", "gpio115",
"gpio116";
drive-strength = <8>;
- bias-pull-none;
+ bias-disable;
};
};
@@ -573,7 +573,7 @@ pinmux {
pinconf {
pins = "gpio110";
drive-strength = <8>;
- bias-pull-none;
+ bias-disable;
};
};
@@ -599,7 +599,7 @@ pinmux {
pinconf {
pins = "gpio116";
drive-strength = <8>;
- bias-pull-none;
+ bias-disable;
};
};
ext_mclk_tlmm_lines_sus: mclk_lines_off {
@@ -627,7 +627,7 @@ pinconf {
pins = "gpio112", "gpio117", "gpio118",
"gpio119";
drive-strength = <8>;
- bias-pull-none;
+ bias-disable;
};
};
ext_sec_tlmm_lines_sus: tlmm_lines_off {
--
2.25.1
From: Lu Wei <[email protected]>
[ Upstream commit 71fbe886ce6dd0be17f20aded9c63fe58edd2806 ]
In the function check_acpi_dev(), if it fails to create
platform device, the return value is ERR_PTR() or NULL.
Thus it must use IS_ERR_OR_NULL() to check return value.
Fixes: ecc83e52b28c ("intel-hid: new hid event driver for hotkeys")
Reported-by: Hulk Robot <[email protected]>
Signed-off-by: Lu Wei <[email protected]>
Signed-off-by: Andy Shevchenko <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/platform/x86/intel-hid.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/platform/x86/intel-hid.c b/drivers/platform/x86/intel-hid.c
index c514cb73bb500..d7d69eadb9bba 100644
--- a/drivers/platform/x86/intel-hid.c
+++ b/drivers/platform/x86/intel-hid.c
@@ -564,7 +564,7 @@ check_acpi_dev(acpi_handle handle, u32 lvl, void *context, void **rv)
return AE_OK;
if (acpi_match_device_ids(dev, ids) == 0)
- if (acpi_create_platform_device(dev, NULL))
+ if (!IS_ERR_OR_NULL(acpi_create_platform_device(dev, NULL)))
dev_info(&dev->dev,
"intel-hid: created platform device\n");
--
2.25.1
From: Lu Wei <[email protected]>
[ Upstream commit 64dd4a5a7d214a07e3d9f40227ec30ac8ba8796e ]
In the function check_acpi_dev(), if it fails to create
platform device, the return value is ERR_PTR() or NULL.
Thus it must use IS_ERR_OR_NULL() to check return value.
Fixes: 332e081225fc ("intel-vbtn: new driver for Intel Virtual Button")
Reported-by: Hulk Robot <[email protected]>
Signed-off-by: Lu Wei <[email protected]>
Signed-off-by: Andy Shevchenko <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/platform/x86/intel-vbtn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c
index d122f33d43acb..c7c8b432c163f 100644
--- a/drivers/platform/x86/intel-vbtn.c
+++ b/drivers/platform/x86/intel-vbtn.c
@@ -272,7 +272,7 @@ check_acpi_dev(acpi_handle handle, u32 lvl, void *context, void **rv)
return AE_OK;
if (acpi_match_device_ids(dev, ids) == 0)
- if (acpi_create_platform_device(dev, NULL))
+ if (!IS_ERR_OR_NULL(acpi_create_platform_device(dev, NULL)))
dev_info(&dev->dev,
"intel-vbtn: created platform device\n");
--
2.25.1
From: Zhenzhong Duan <[email protected]>
[ Upstream commit 5d7f7d1d5e01c22894dee7c9c9266500478dca99 ]
The original code is a nop as i_mce.status is or'ed with part of itself,
fix it.
Fixes: a1300e505297 ("x86/ras/mce_amd_inj: Trigger deferred and thresholding errors interrupts")
Signed-off-by: Zhenzhong Duan <[email protected]>
Signed-off-by: Borislav Petkov <[email protected]>
Acked-by: Yazen Ghannam <[email protected]>
Link: https://lkml.kernel.org/r/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
arch/x86/kernel/cpu/mcheck/mce-inject.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/cpu/mcheck/mce-inject.c b/arch/x86/kernel/cpu/mcheck/mce-inject.c
index 1ceccc4a5472c..9cc524be3c949 100644
--- a/arch/x86/kernel/cpu/mcheck/mce-inject.c
+++ b/arch/x86/kernel/cpu/mcheck/mce-inject.c
@@ -518,7 +518,7 @@ static void do_inject(void)
*/
if (inj_type == DFR_INT_INJ) {
i_mce.status |= MCI_STATUS_DEFERRED;
- i_mce.status |= (i_mce.status & ~MCI_STATUS_UC);
+ i_mce.status &= ~MCI_STATUS_UC;
}
/*
--
2.25.1
From: Wright Feng <[email protected]>
[ Upstream commit fcdd7a875def793c38d7369633af3eba6c7cf089 ]
When USB or SDIO device got abnormal bus disconnection, host driver
tried to clean up the skbs in PSQ and TXQ (The skb's pointer in hanger
slot linked to PSQ and TSQ), so we should set the state of skb hanger slot
to BRCMF_FWS_HANGER_ITEM_STATE_FREE before freeing skb.
In brcmf_fws_bus_txq_cleanup it already sets
BRCMF_FWS_HANGER_ITEM_STATE_FREE before freeing skb, therefore we add the
same thing in brcmf_fws_psq_flush to avoid following warning message.
[ 1580.012880] ------------ [ cut here ]------------
[ 1580.017550] WARNING: CPU: 3 PID: 3065 at
drivers/net/wireless/broadcom/brcm80211/brcmutil/utils.c:49
brcmu_pkt_buf_free_skb+0x21/0x30 [brcmutil]
[ 1580.184017] Call Trace:
[ 1580.186514] brcmf_fws_cleanup+0x14e/0x190 [brcmfmac]
[ 1580.191594] brcmf_fws_del_interface+0x70/0x90 [brcmfmac]
[ 1580.197029] brcmf_proto_bcdc_del_if+0xe/0x10 [brcmfmac]
[ 1580.202418] brcmf_remove_interface+0x69/0x190 [brcmfmac]
[ 1580.207888] brcmf_detach+0x90/0xe0 [brcmfmac]
[ 1580.212385] brcmf_usb_disconnect+0x76/0xb0 [brcmfmac]
[ 1580.217557] usb_unbind_interface+0x72/0x260
[ 1580.221857] device_release_driver_internal+0x141/0x200
[ 1580.227152] device_release_driver+0x12/0x20
[ 1580.231460] bus_remove_device+0xfd/0x170
[ 1580.235504] device_del+0x1d9/0x300
[ 1580.239041] usb_disable_device+0x9e/0x270
[ 1580.243160] usb_disconnect+0x94/0x270
[ 1580.246980] hub_event+0x76d/0x13b0
[ 1580.250499] process_one_work+0x144/0x360
[ 1580.254564] worker_thread+0x4d/0x3c0
[ 1580.258247] kthread+0x109/0x140
[ 1580.261515] ? rescuer_thread+0x340/0x340
[ 1580.265543] ? kthread_park+0x60/0x60
[ 1580.269237] ? SyS_exit_group+0x14/0x20
[ 1580.273118] ret_from_fork+0x25/0x30
[ 1580.300446] ------------ [ cut here ]------------
Acked-by: Arend van Spriel <[email protected]>
Signed-off-by: Wright Feng <[email protected]>
Signed-off-by: Chi-hsien Lin <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
index 1de8497d92b8a..dc7c970257d2f 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
@@ -653,6 +653,7 @@ static inline int brcmf_fws_hanger_poppkt(struct brcmf_fws_hanger *h,
static void brcmf_fws_psq_flush(struct brcmf_fws_info *fws, struct pktq *q,
int ifidx)
{
+ struct brcmf_fws_hanger_item *hi;
bool (*matchfn)(struct sk_buff *, void *) = NULL;
struct sk_buff *skb;
int prec;
@@ -664,6 +665,9 @@ static void brcmf_fws_psq_flush(struct brcmf_fws_info *fws, struct pktq *q,
skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx);
while (skb) {
hslot = brcmf_skb_htod_tag_get_field(skb, HSLOT);
+ hi = &fws->hanger.items[hslot];
+ WARN_ON(skb != hi->pkt);
+ hi->state = BRCMF_FWS_HANGER_ITEM_STATE_FREE;
brcmf_fws_hanger_poppkt(&fws->hanger, hslot, &skb,
true);
brcmu_pkt_buf_free_skb(skb);
--
2.25.1
From: Evgeny Novikov <[email protected]>
[ Upstream commit 2468c877da428ebfd701142c4cdfefcfb7d4c00e ]
Driver does not release memory for device on error handling paths in
net2280_probe() when gadget_release() is not registered yet.
The patch fixes the bug like in other similar drivers.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Evgeny Novikov <[email protected]>
Signed-off-by: Felipe Balbi <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/usb/gadget/udc/net2280.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c
index ee872cad52705..a87caad8d1c7e 100644
--- a/drivers/usb/gadget/udc/net2280.c
+++ b/drivers/usb/gadget/udc/net2280.c
@@ -3782,8 +3782,10 @@ static int net2280_probe(struct pci_dev *pdev, const struct pci_device_id *id)
return 0;
done:
- if (dev)
+ if (dev) {
net2280_remove(pdev);
+ kfree(dev);
+ }
return retval;
}
--
2.25.1
From: Sasi Kumar <[email protected]>
[ Upstream commit a95bdfd22076497288868c028619bc5995f5cc7f ]
Multiple connects/disconnects can cause a crash on the second
disconnect. The driver had a problem where it would try to send
endpoint commands after it was disconnected which is not allowed
by the hardware. The fix is to only allow the endpoint commands
when the endpoint is connected. This will also fix issues that
showed up when using configfs to create gadgets.
Signed-off-by: Sasi Kumar <[email protected]>
Signed-off-by: Al Cooper <[email protected]>
Acked-by: Florian Fainelli <[email protected]>
Signed-off-by: Felipe Balbi <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/usb/gadget/udc/bdc/bdc_core.c | 4 ++++
drivers/usb/gadget/udc/bdc/bdc_ep.c | 16 ++++++++++------
2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/drivers/usb/gadget/udc/bdc/bdc_core.c b/drivers/usb/gadget/udc/bdc/bdc_core.c
index 01b44e1596237..4c557f3154460 100644
--- a/drivers/usb/gadget/udc/bdc/bdc_core.c
+++ b/drivers/usb/gadget/udc/bdc/bdc_core.c
@@ -283,6 +283,7 @@ static void bdc_mem_init(struct bdc *bdc, bool reinit)
* in that case reinit is passed as 1
*/
if (reinit) {
+ int i;
/* Enable interrupts */
temp = bdc_readl(bdc->regs, BDC_BDCSC);
temp |= BDC_GIE;
@@ -292,6 +293,9 @@ static void bdc_mem_init(struct bdc *bdc, bool reinit)
/* Initialize SRR to 0 */
memset(bdc->srr.sr_bds, 0,
NUM_SR_ENTRIES * sizeof(struct bdc_bd));
+ /* clear ep flags to avoid post disconnect stops/deconfigs */
+ for (i = 1; i < bdc->num_eps; ++i)
+ bdc->bdc_ep_array[i]->flags = 0;
} else {
/* One time initiaization only */
/* Enable status report function pointers */
diff --git a/drivers/usb/gadget/udc/bdc/bdc_ep.c b/drivers/usb/gadget/udc/bdc/bdc_ep.c
index d49c6dc1082dc..9ddc0b4e92c9c 100644
--- a/drivers/usb/gadget/udc/bdc/bdc_ep.c
+++ b/drivers/usb/gadget/udc/bdc/bdc_ep.c
@@ -615,7 +615,6 @@ int bdc_ep_enable(struct bdc_ep *ep)
}
bdc_dbg_bd_list(bdc, ep);
/* only for ep0: config ep is called for ep0 from connect event */
- ep->flags |= BDC_EP_ENABLED;
if (ep->ep_num == 1)
return ret;
@@ -759,10 +758,13 @@ static int ep_dequeue(struct bdc_ep *ep, struct bdc_req *req)
__func__, ep->name, start_bdi, end_bdi);
dev_dbg(bdc->dev, "ep_dequeue ep=%p ep->desc=%p\n",
ep, (void *)ep->usb_ep.desc);
- /* Stop the ep to see where the HW is ? */
- ret = bdc_stop_ep(bdc, ep->ep_num);
- /* if there is an issue with stopping ep, then no need to go further */
- if (ret)
+ /* if still connected, stop the ep to see where the HW is ? */
+ if (!(bdc_readl(bdc->regs, BDC_USPC) & BDC_PST_MASK)) {
+ ret = bdc_stop_ep(bdc, ep->ep_num);
+ /* if there is an issue, then no need to go further */
+ if (ret)
+ return 0;
+ } else
return 0;
/*
@@ -1911,7 +1913,9 @@ static int bdc_gadget_ep_disable(struct usb_ep *_ep)
__func__, ep->name, ep->flags);
if (!(ep->flags & BDC_EP_ENABLED)) {
- dev_warn(bdc->dev, "%s is already disabled\n", ep->name);
+ if (bdc->gadget.speed != USB_SPEED_UNKNOWN)
+ dev_warn(bdc->dev, "%s is already disabled\n",
+ ep->name);
return 0;
}
spin_lock_irqsave(&bdc->lock, flags);
--
2.25.1
From: Dejin Zheng <[email protected]>
[ Upstream commit fd4b8243877250c05bb24af7fea5567110c9720b ]
A call of the function do_take_over_console() can fail here.
The corresponding system resources were not released then.
Thus add a call of iounmap() and release_mem_region()
together with the check of a failure predicate. and also
add release_mem_region() on device removal.
Fixes: e86bb8acc0fdc ("[PATCH] VT binding: Make newport_con support binding")
Suggested-by: Bartlomiej Zolnierkiewicz <[email protected]>
Signed-off-by: Dejin Zheng <[email protected]>
Reviewed-by: Andy Shevchenko <[email protected]>
Cc: Greg Kroah-Hartman <[email protected]>
cc: Thomas Gleixner <[email protected]>
Cc: Andrew Morton <[email protected]>
Signed-off-by: Bartlomiej Zolnierkiewicz <[email protected]>
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/video/console/newport_con.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/video/console/newport_con.c b/drivers/video/console/newport_con.c
index 7f2526b43b336..cc2fb50431840 100644
--- a/drivers/video/console/newport_con.c
+++ b/drivers/video/console/newport_con.c
@@ -31,6 +31,8 @@
#include <linux/linux_logo.h>
#include <linux/font.h>
+#define NEWPORT_LEN 0x10000
+
#define FONT_DATA ((unsigned char *)font_vga_8x16.data)
/* borrowed from fbcon.c */
@@ -42,6 +44,7 @@
static unsigned char *font_data[MAX_NR_CONSOLES];
static struct newport_regs *npregs;
+static unsigned long newport_addr;
static int logo_active;
static int topscan;
@@ -701,7 +704,6 @@ const struct consw newport_con = {
static int newport_probe(struct gio_device *dev,
const struct gio_device_id *id)
{
- unsigned long newport_addr;
int err;
if (!dev->resource.start)
@@ -711,7 +713,7 @@ static int newport_probe(struct gio_device *dev,
return -EBUSY; /* we only support one Newport as console */
newport_addr = dev->resource.start + 0xF0000;
- if (!request_mem_region(newport_addr, 0x10000, "Newport"))
+ if (!request_mem_region(newport_addr, NEWPORT_LEN, "Newport"))
return -ENODEV;
npregs = (struct newport_regs *)/* ioremap cannot fail */
@@ -719,6 +721,11 @@ static int newport_probe(struct gio_device *dev,
console_lock();
err = do_take_over_console(&newport_con, 0, MAX_NR_CONSOLES - 1, 1);
console_unlock();
+
+ if (err) {
+ iounmap((void *)npregs);
+ release_mem_region(newport_addr, NEWPORT_LEN);
+ }
return err;
}
@@ -726,6 +733,7 @@ static void newport_remove(struct gio_device *dev)
{
give_up_console(&newport_con);
iounmap((void *)npregs);
+ release_mem_region(newport_addr, NEWPORT_LEN);
}
static struct gio_device_id newport_ids[] = {
--
2.25.1
From: Michael Tretter <[email protected]>
[ Upstream commit c704b17071c4dc571dca3af4e4151dac51de081a ]
Using plain echo to set the "force" connector attribute fails with
-EINVAL, because echo appends a newline to the output.
Replace strcmp with sysfs_streq to also accept strings that end with a
newline.
v2: use sysfs_streq instead of stripping trailing whitespace
Signed-off-by: Michael Tretter <[email protected]>
Reviewed-by: Jani Nikula <[email protected]>
Signed-off-by: Emil Velikov <[email protected]>
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/gpu/drm/drm_debugfs.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/drm_debugfs.c b/drivers/gpu/drm/drm_debugfs.c
index 373bd4c2b698b..84b7b22a9590a 100644
--- a/drivers/gpu/drm/drm_debugfs.c
+++ b/drivers/gpu/drm/drm_debugfs.c
@@ -265,13 +265,13 @@ static ssize_t connector_write(struct file *file, const char __user *ubuf,
buf[len] = '\0';
- if (!strcmp(buf, "on"))
+ if (sysfs_streq(buf, "on"))
connector->force = DRM_FORCE_ON;
- else if (!strcmp(buf, "digital"))
+ else if (sysfs_streq(buf, "digital"))
connector->force = DRM_FORCE_ON_DIGITAL;
- else if (!strcmp(buf, "off"))
+ else if (sysfs_streq(buf, "off"))
connector->force = DRM_FORCE_OFF;
- else if (!strcmp(buf, "unspecified"))
+ else if (sysfs_streq(buf, "unspecified"))
connector->force = DRM_FORCE_UNSPECIFIED;
else
return -EINVAL;
--
2.25.1
From: Sudeep Holla <[email protected]>
[ Upstream commit fcd2e0deae50bce48450f14c8fc5611b08d7438c ]
Currently we are not initializing the scmi clock with discrete rates
correctly. We fetch the min_rate and max_rate value only for clocks with
ranges and ignore the ones with discrete rates. This will lead to wrong
initialization of rate range when clock supports discrete rate.
Fix this by using the first and the last rate in the sorted list of the
discrete clock rates while registering the clock.
Link: https://lore.kernel.org/r/[email protected]
Fixes: 6d6a1d82eaef7 ("clk: add support for clocks provided by SCMI")
Reviewed-by: Stephen Boyd <[email protected]>
Reported-and-tested-by: Dien Pham <[email protected]>
Signed-off-by: Sudeep Holla <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/clk/clk-scmi.c | 22 +++++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/drivers/clk/clk-scmi.c b/drivers/clk/clk-scmi.c
index a985bf5e1ac61..c65d30bba7005 100644
--- a/drivers/clk/clk-scmi.c
+++ b/drivers/clk/clk-scmi.c
@@ -103,6 +103,8 @@ static const struct clk_ops scmi_clk_ops = {
static int scmi_clk_ops_init(struct device *dev, struct scmi_clk *sclk)
{
int ret;
+ unsigned long min_rate, max_rate;
+
struct clk_init_data init = {
.flags = CLK_GET_RATE_NOCACHE,
.num_parents = 0,
@@ -112,9 +114,23 @@ static int scmi_clk_ops_init(struct device *dev, struct scmi_clk *sclk)
sclk->hw.init = &init;
ret = devm_clk_hw_register(dev, &sclk->hw);
- if (!ret)
- clk_hw_set_rate_range(&sclk->hw, sclk->info->range.min_rate,
- sclk->info->range.max_rate);
+ if (ret)
+ return ret;
+
+ if (sclk->info->rate_discrete) {
+ int num_rates = sclk->info->list.num_rates;
+
+ if (num_rates <= 0)
+ return -EINVAL;
+
+ min_rate = sclk->info->list.rates[0];
+ max_rate = sclk->info->list.rates[num_rates - 1];
+ } else {
+ min_rate = sclk->info->range.min_rate;
+ max_rate = sclk->info->range.max_rate;
+ }
+
+ clk_hw_set_rate_range(&sclk->hw, min_rate, max_rate);
return ret;
}
--
2.25.1
From: Kishon Vijay Abraham I <[email protected]>
[ Upstream commit e3bca37d15dca118f2ef1f0a068bb6e07846ea20 ]
Commit 1b79c5284439 ("PCI: cadence: Add host driver for Cadence PCIe
controller") in order to update Vendor ID, directly wrote to
PCI_VENDOR_ID register. However PCI_VENDOR_ID in root port configuration
space is read-only register and writing to it will have no effect.
Use local management register to configure Vendor ID and Subsystem Vendor
ID.
Link: https://lore.kernel.org/r/[email protected]
Fixes: 1b79c5284439 ("PCI: cadence: Add host driver for Cadence PCIe controller")
Signed-off-by: Kishon Vijay Abraham I <[email protected]>
Signed-off-by: Lorenzo Pieralisi <[email protected]>
Reviewed-by: Rob Herring <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/pci/controller/pcie-cadence-host.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/controller/pcie-cadence-host.c b/drivers/pci/controller/pcie-cadence-host.c
index ec394f6a19c8e..ae7affcb1a811 100644
--- a/drivers/pci/controller/pcie-cadence-host.c
+++ b/drivers/pci/controller/pcie-cadence-host.c
@@ -102,6 +102,7 @@ static int cdns_pcie_host_init_root_port(struct cdns_pcie_rc *rc)
{
struct cdns_pcie *pcie = &rc->pcie;
u32 value, ctrl;
+ u32 id;
/*
* Set the root complex BAR configuration register:
@@ -121,8 +122,12 @@ static int cdns_pcie_host_init_root_port(struct cdns_pcie_rc *rc)
cdns_pcie_writel(pcie, CDNS_PCIE_LM_RC_BAR_CFG, value);
/* Set root port configuration space */
- if (rc->vendor_id != 0xffff)
- cdns_pcie_rp_writew(pcie, PCI_VENDOR_ID, rc->vendor_id);
+ if (rc->vendor_id != 0xffff) {
+ id = CDNS_PCIE_LM_ID_VENDOR(rc->vendor_id) |
+ CDNS_PCIE_LM_ID_SUBSYS(rc->vendor_id);
+ cdns_pcie_writel(pcie, CDNS_PCIE_LM_ID, id);
+ }
+
if (rc->device_id != 0xffff)
cdns_pcie_rp_writew(pcie, PCI_DEVICE_ID, rc->device_id);
--
2.25.1
From: Christophe JAILLET <[email protected]>
[ Upstream commit 36f28f7687a9ce665479cce5d64ce7afaa9e77ae ]
Update the size used in 'dma_free_coherent()' in order to match the one
used in the corresponding 'dma_alloc_coherent()', in
'spider_net_init_chain()'.
Fixes: d4ed8f8d1fb7 ("Spidernet DMA coalescing")
Signed-off-by: Christophe JAILLET <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/ethernet/toshiba/spider_net.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/toshiba/spider_net.c b/drivers/net/ethernet/toshiba/spider_net.c
index 23417266b7ecc..e66014e0427f7 100644
--- a/drivers/net/ethernet/toshiba/spider_net.c
+++ b/drivers/net/ethernet/toshiba/spider_net.c
@@ -296,8 +296,8 @@ spider_net_free_chain(struct spider_net_card *card,
descr = descr->next;
} while (descr != chain->ring);
- dma_free_coherent(&card->pdev->dev, chain->num_desc,
- chain->hwring, chain->dma_addr);
+ dma_free_coherent(&card->pdev->dev, chain->num_desc * sizeof(struct spider_net_hw_descr),
+ chain->hwring, chain->dma_addr);
}
/**
--
2.25.1
From: Roger Pau Monne <[email protected]>
commit 1951fa33ec259abdf3497bfee7b63e7ddbb1a394 upstream.
target_unpopulated is incremented with nr_pages at the start of the
function, but the call to free_xenballooned_pages will only subtract
pgno number of pages, and thus the rest need to be subtracted before
returning or else accounting will be skewed.
Signed-off-by: Roger Pau Monné <[email protected]>
Reviewed-by: Juergen Gross <[email protected]>
Cc: [email protected]
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Juergen Gross <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/xen/balloon.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/xen/balloon.c
+++ b/drivers/xen/balloon.c
@@ -632,6 +632,12 @@ int alloc_xenballooned_pages(int nr_page
out_undo:
mutex_unlock(&balloon_mutex);
free_xenballooned_pages(pgno, pages);
+ /*
+ * NB: free_xenballooned_pages will only subtract pgno pages, but since
+ * target_unpopulated is incremented with nr_pages at the start we need
+ * to remove the remaining ones also, or accounting will be screwed.
+ */
+ balloon_stats.target_unpopulated -= nr_pages - pgno;
return ret;
}
EXPORT_SYMBOL(alloc_xenballooned_pages);
From: Bjorn Helgaas <[email protected]>
[ Upstream commit 2a7e32d0547f41c5ce244f84cf5d6ca7fccee7eb ]
The pci_cfg_wait queue is used to prevent user-space config accesses to
devices while they are recovering from reset.
Previously we used these operations on pci_cfg_wait:
__add_wait_queue(&pci_cfg_wait, ...)
__remove_wait_queue(&pci_cfg_wait, ...)
wake_up_all(&pci_cfg_wait)
The wake_up acquires the wait queue lock, but the add and remove do not.
Originally these were all protected by the pci_lock, but cdcb33f98244
("PCI: Avoid possible deadlock on pci_lock and p->pi_lock"), moved
wake_up_all() outside pci_lock, so it could race with add/remove
operations, which caused occasional kernel panics, e.g., during vfio-pci
hotplug/unplug testing:
Unable to handle kernel read from unreadable memory at virtual address ffff802dac469000
Resolve this by using wait_event() instead of __add_wait_queue() and
__remove_wait_queue(). The wait queue lock is held by both wait_event()
and wake_up_all(), so it provides mutual exclusion.
Fixes: cdcb33f98244 ("PCI: Avoid possible deadlock on pci_lock and p->pi_lock")
Link: https://lore.kernel.org/linux-pci/[email protected]/T/#u
Based-on: https://lore.kernel.org/linux-pci/[email protected]/
Based-on-patch-by: Xiang Zheng <[email protected]>
Signed-off-by: Bjorn Helgaas <[email protected]>
Tested-by: Xiang Zheng <[email protected]>
Cc: Heyi Guo <[email protected]>
Cc: Biaoxiang Ye <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/pci/access.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/drivers/pci/access.c b/drivers/pci/access.c
index a3ad2fe185b9c..3c8ffd62dc006 100644
--- a/drivers/pci/access.c
+++ b/drivers/pci/access.c
@@ -204,17 +204,13 @@ EXPORT_SYMBOL(pci_bus_set_ops);
static DECLARE_WAIT_QUEUE_HEAD(pci_cfg_wait);
static noinline void pci_wait_cfg(struct pci_dev *dev)
+ __must_hold(&pci_lock)
{
- DECLARE_WAITQUEUE(wait, current);
-
- __add_wait_queue(&pci_cfg_wait, &wait);
do {
- set_current_state(TASK_UNINTERRUPTIBLE);
raw_spin_unlock_irq(&pci_lock);
- schedule();
+ wait_event(pci_cfg_wait, !dev->block_cfg_access);
raw_spin_lock_irq(&pci_lock);
} while (dev->block_cfg_access);
- __remove_wait_queue(&pci_cfg_wait, &wait);
}
/* Returns 0 on success, negative values indicate error. */
--
2.25.1
From: Gilad Ben-Yossef <[email protected]>
[ Upstream commit 9bc6165d608d676f05d8bf156a2c9923ee38d05b ]
Fix a small resource leak on the error path of cipher processing.
Signed-off-by: Gilad Ben-Yossef <[email protected]>
Fixes: 63ee04c8b491e ("crypto: ccree - add skcipher support")
Cc: Markus Elfring <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/crypto/ccree/cc_cipher.c | 30 ++++++++++++++++++------------
1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/drivers/crypto/ccree/cc_cipher.c b/drivers/crypto/ccree/cc_cipher.c
index 28a5b8b38fa2f..1bcb6f0157b07 100644
--- a/drivers/crypto/ccree/cc_cipher.c
+++ b/drivers/crypto/ccree/cc_cipher.c
@@ -137,7 +137,6 @@ static int cc_cipher_init(struct crypto_tfm *tfm)
skcipher_alg.base);
struct device *dev = drvdata_to_dev(cc_alg->drvdata);
unsigned int max_key_buf_size = cc_alg->skcipher_alg.max_keysize;
- int rc = 0;
dev_dbg(dev, "Initializing context @%p for %s\n", ctx_p,
crypto_tfm_alg_name(tfm));
@@ -149,10 +148,19 @@ static int cc_cipher_init(struct crypto_tfm *tfm)
ctx_p->flow_mode = cc_alg->flow_mode;
ctx_p->drvdata = cc_alg->drvdata;
+ if (ctx_p->cipher_mode == DRV_CIPHER_ESSIV) {
+ /* Alloc hash tfm for essiv */
+ ctx_p->shash_tfm = crypto_alloc_shash("sha256-generic", 0, 0);
+ if (IS_ERR(ctx_p->shash_tfm)) {
+ dev_err(dev, "Error allocating hash tfm for ESSIV.\n");
+ return PTR_ERR(ctx_p->shash_tfm);
+ }
+ }
+
/* Allocate key buffer, cache line aligned */
ctx_p->user.key = kmalloc(max_key_buf_size, GFP_KERNEL);
if (!ctx_p->user.key)
- return -ENOMEM;
+ goto free_shash;
dev_dbg(dev, "Allocated key buffer in context. key=@%p\n",
ctx_p->user.key);
@@ -164,21 +172,19 @@ static int cc_cipher_init(struct crypto_tfm *tfm)
if (dma_mapping_error(dev, ctx_p->user.key_dma_addr)) {
dev_err(dev, "Mapping Key %u B at va=%pK for DMA failed\n",
max_key_buf_size, ctx_p->user.key);
- return -ENOMEM;
+ goto free_key;
}
dev_dbg(dev, "Mapped key %u B at va=%pK to dma=%pad\n",
max_key_buf_size, ctx_p->user.key, &ctx_p->user.key_dma_addr);
- if (ctx_p->cipher_mode == DRV_CIPHER_ESSIV) {
- /* Alloc hash tfm for essiv */
- ctx_p->shash_tfm = crypto_alloc_shash("sha256-generic", 0, 0);
- if (IS_ERR(ctx_p->shash_tfm)) {
- dev_err(dev, "Error allocating hash tfm for ESSIV.\n");
- return PTR_ERR(ctx_p->shash_tfm);
- }
- }
+ return 0;
- return rc;
+free_key:
+ kfree(ctx_p->user.key);
+free_shash:
+ crypto_free_shash(ctx_p->shash_tfm);
+
+ return -ENOMEM;
}
static void cc_cipher_exit(struct crypto_tfm *tfm)
--
2.25.1
From: Qiushi Wu <[email protected]>
[ Upstream commit 17ed808ad243192fb923e4e653c1338d3ba06207 ]
When kobject_init_and_add() returns an error, it should be handled
because kobject_init_and_add() takes a reference even when it fails. If
this function returns an error, kobject_put() must be called to properly
clean up the memory associated with the object.
Therefore, replace calling kfree() and call kobject_put() and add a
missing kobject_put() in the edac_device_register_sysfs_main_kobj()
error path.
[ bp: Massage and merge into a single patch. ]
Fixes: b2ed215a3338 ("Kobject: change drivers/edac to use kobject_init_and_add")
Signed-off-by: Qiushi Wu <[email protected]>
Signed-off-by: Borislav Petkov <[email protected]>
Link: https://lkml.kernel.org/r/[email protected]
Link: https://lkml.kernel.org/r/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/edac/edac_device_sysfs.c | 1 +
drivers/edac/edac_pci_sysfs.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/edac/edac_device_sysfs.c b/drivers/edac/edac_device_sysfs.c
index 0e7ea3591b781..5e75937537997 100644
--- a/drivers/edac/edac_device_sysfs.c
+++ b/drivers/edac/edac_device_sysfs.c
@@ -275,6 +275,7 @@ int edac_device_register_sysfs_main_kobj(struct edac_device_ctl_info *edac_dev)
/* Error exit stack */
err_kobj_reg:
+ kobject_put(&edac_dev->kobj);
module_put(edac_dev->owner);
err_out:
diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c
index 72c9eb9fdffbe..53042af7262e2 100644
--- a/drivers/edac/edac_pci_sysfs.c
+++ b/drivers/edac/edac_pci_sysfs.c
@@ -386,7 +386,7 @@ static int edac_pci_main_kobj_setup(void)
/* Error unwind statck */
kobject_init_and_add_fail:
- kfree(edac_pci_top_main_kobj);
+ kobject_put(edac_pci_top_main_kobj);
kzalloc_fail:
module_put(THIS_MODULE);
--
2.25.1
From: Alim Akhtar <[email protected]>
[ Upstream commit b072714bfc0e42c984b8fd6e069f3ca17de8137a ]
Once regulators are disabled after kernel boot, on Espresso board silent
hang observed because of LDO7 being disabled. LDO7 actually provide
power to CPU cores and non-cpu blocks circuitries. Keep this regulator
always-on to fix this hang.
Fixes: 9589f7721e16 ("arm64: dts: Add S2MPS15 PMIC node on exynos7-espresso")
Signed-off-by: Alim Akhtar <[email protected]>
Signed-off-by: Krzysztof Kozlowski <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
arch/arm64/boot/dts/exynos/exynos7-espresso.dts | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/boot/dts/exynos/exynos7-espresso.dts b/arch/arm64/boot/dts/exynos/exynos7-espresso.dts
index 00dd89b92b427..d991eae5202f2 100644
--- a/arch/arm64/boot/dts/exynos/exynos7-espresso.dts
+++ b/arch/arm64/boot/dts/exynos/exynos7-espresso.dts
@@ -152,6 +152,7 @@ ldo7_reg: LDO7 {
regulator-min-microvolt = <700000>;
regulator-max-microvolt = <1150000>;
regulator-enable-ramp-delay = <125>;
+ regulator-always-on;
};
ldo8_reg: LDO8 {
--
2.25.1
From: Darrick J. Wong <[email protected]>
[ Upstream commit 83895227aba1ade33e81f586aa7b6b1e143096a5 ]
Quota reservations are supposed to account for the blocks that might be
allocated due to a bmap btree split. Reflink doesn't do this, so fix
this to make the quota accounting more accurate before we start
rearranging things.
Fixes: 862bb360ef56 ("xfs: reflink extents from one file to another")
Signed-off-by: Darrick J. Wong <[email protected]>
Reviewed-by: Brian Foster <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
fs/xfs/xfs_reflink.c | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/fs/xfs/xfs_reflink.c b/fs/xfs/xfs_reflink.c
index 6622652a85a80..0b159a79a17c6 100644
--- a/fs/xfs/xfs_reflink.c
+++ b/fs/xfs/xfs_reflink.c
@@ -1010,6 +1010,7 @@ xfs_reflink_remap_extent(
xfs_filblks_t rlen;
xfs_filblks_t unmap_len;
xfs_off_t newlen;
+ int64_t qres;
int error;
unmap_len = irec->br_startoff + irec->br_blockcount - destoff;
@@ -1032,13 +1033,19 @@ xfs_reflink_remap_extent(
xfs_ilock(ip, XFS_ILOCK_EXCL);
xfs_trans_ijoin(tp, ip, 0);
- /* If we're not just clearing space, then do we have enough quota? */
- if (real_extent) {
- error = xfs_trans_reserve_quota_nblks(tp, ip,
- irec->br_blockcount, 0, XFS_QMOPT_RES_REGBLKS);
- if (error)
- goto out_cancel;
- }
+ /*
+ * Reserve quota for this operation. We don't know if the first unmap
+ * in the dest file will cause a bmap btree split, so we always reserve
+ * at least enough blocks for that split. If the extent being mapped
+ * in is written, we need to reserve quota for that too.
+ */
+ qres = XFS_EXTENTADD_SPACE_RES(mp, XFS_DATA_FORK);
+ if (real_extent)
+ qres += irec->br_blockcount;
+ error = xfs_trans_reserve_quota_nblks(tp, ip, qres, 0,
+ XFS_QMOPT_RES_REGBLKS);
+ if (error)
+ goto out_cancel;
trace_xfs_reflink_remap(ip, irec->br_startoff,
irec->br_blockcount, irec->br_startblock);
--
2.25.1
From: Kai-Heng Feng <[email protected]>
[ Upstream commit 302a085c20194bfa7df52e0fe684ee0c41da02e6 ]
Sometimes LED won't be turned off by LED_CORE_SUSPENDRESUME flag upon
system suspend.
led_set_brightness_nopm() uses schedule_work() to set LED brightness.
However, there's no guarantee that the scheduled work gets executed
because no one flushes the work.
So flush the scheduled work to make sure LED gets turned off.
Signed-off-by: Kai-Heng Feng <[email protected]>
Acked-by: Jacek Anaszewski <[email protected]>
Fixes: 81fe8e5b73e3 ("leds: core: Add led_set_brightness_nosleep{nopm} functions")
Signed-off-by: Pavel Machek <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/leds/led-class.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/leds/led-class.c b/drivers/leds/led-class.c
index 3c7e3487b373b..4e63dd2bfcf87 100644
--- a/drivers/leds/led-class.c
+++ b/drivers/leds/led-class.c
@@ -173,6 +173,7 @@ void led_classdev_suspend(struct led_classdev *led_cdev)
{
led_cdev->flags |= LED_SUSPENDED;
led_set_brightness_nopm(led_cdev, 0);
+ flush_work(&led_cdev->set_brightness_work);
}
EXPORT_SYMBOL_GPL(led_classdev_suspend);
--
2.25.1
From: Dan Carpenter <[email protected]>
[ Upstream commit 2505a210fc126599013aec2be741df20aaacc490 ]
If fw_csr_string() returns -ENOENT, then "name" is uninitialized. So
then the "strlen(model_names[i]) <= name_len" is true because strlen()
is unsigned and -ENOENT is type promoted to a very high positive value.
Then the "strncmp(name, model_names[i], name_len)" uses uninitialized
data because "name" is uninitialized.
Fixes: 92374e886c75 ("[media] firedtv: drop obsolete backend abstraction")
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/media/firewire/firedtv-fw.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/media/firewire/firedtv-fw.c b/drivers/media/firewire/firedtv-fw.c
index 92f4112d2e377..eaf94b817dbc0 100644
--- a/drivers/media/firewire/firedtv-fw.c
+++ b/drivers/media/firewire/firedtv-fw.c
@@ -271,6 +271,8 @@ static int node_probe(struct fw_unit *unit, const struct ieee1394_device_id *id)
name_len = fw_csr_string(unit->directory, CSR_MODEL,
name, sizeof(name));
+ if (name_len < 0)
+ return name_len;
for (i = ARRAY_SIZE(model_names); --i; )
if (strlen(model_names[i]) <= name_len &&
strncmp(name, model_names[i], name_len) == 0)
--
2.25.1
From: Christophe JAILLET <[email protected]>
[ Upstream commit 86f2da1112ccf744ad9068b1d5d9843faf8ddee6 ]
The dev_id used in request_irq() and free_irq() should match. Use 'info' in
both cases.
Link: https://lore.kernel.org/r/[email protected]
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Christophe JAILLET <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/scsi/arm/eesox.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/arm/eesox.c b/drivers/scsi/arm/eesox.c
index e93e047f43165..65bb34ce93b94 100644
--- a/drivers/scsi/arm/eesox.c
+++ b/drivers/scsi/arm/eesox.c
@@ -575,7 +575,7 @@ static int eesoxscsi_probe(struct expansion_card *ec, const struct ecard_id *id)
if (info->info.scsi.dma != NO_DMA)
free_dma(info->info.scsi.dma);
- free_irq(ec->irq, host);
+ free_irq(ec->irq, info);
out_remove:
fas216_remove(host);
--
2.25.1
From: Ira Weiny <[email protected]>
[ Upstream commit b06c19d9f827f6743122795570bfc0c72db482b0 ]
When MSG_OOB is specified to tls_device_sendpage() the mapped page is
never unmapped.
Hold off mapping the page until after the flags are checked and the page
is actually needed.
Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
Signed-off-by: Ira Weiny <[email protected]>
Reviewed-by: Jakub Kicinski <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/tls/tls_device.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
@@ -476,7 +476,7 @@ int tls_device_sendpage(struct sock *sk,
int offset, size_t size, int flags)
{
struct iov_iter msg_iter;
- char *kaddr = kmap(page);
+ char *kaddr;
struct kvec iov;
int rc;
@@ -490,6 +490,7 @@ int tls_device_sendpage(struct sock *sk,
goto out;
}
+ kaddr = kmap(page);
iov.iov_base = kaddr + offset;
iov.iov_len = size;
iov_iter_kvec(&msg_iter, WRITE | ITER_KVEC, &iov, 1, size);
From: Linus Walleij <[email protected]>
[ Upstream commit 788abc6d9d278ed6fa1fa94db2098481a04152b7 ]
Alter the rtl8366_vlan_add() to call rtl8366_set_vlan()
inside the loop that goes over all VIDs since we now
properly support calling that function more than once.
Augment the loop to postincrement as this is more
intuitive.
The loop moved past the last VID but called
rtl8366_set_vlan() with the port number instead of
the VID, assuming a 1-to-1 correspondence between
ports and VIDs. This was also a bug.
Cc: DENG Qingfang <[email protected]>
Cc: Mauri Sandberg <[email protected]>
Reviewed-by: Florian Fainelli <[email protected]>
Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver")
Signed-off-by: Linus Walleij <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/dsa/rtl8366.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/net/dsa/rtl8366.c b/drivers/net/dsa/rtl8366.c
index 145f34de7b416..7e27c9aff9b72 100644
--- a/drivers/net/dsa/rtl8366.c
+++ b/drivers/net/dsa/rtl8366.c
@@ -397,7 +397,7 @@ void rtl8366_vlan_add(struct dsa_switch *ds, int port,
if (dsa_is_dsa_port(ds, port) || dsa_is_cpu_port(ds, port))
dev_err(smi->dev, "port is DSA or CPU port\n");
- for (vid = vlan->vid_begin; vid <= vlan->vid_end; ++vid) {
+ for (vid = vlan->vid_begin; vid <= vlan->vid_end; vid++) {
int pvid_val = 0;
dev_info(smi->dev, "add VLAN %04x\n", vid);
@@ -420,13 +420,13 @@ void rtl8366_vlan_add(struct dsa_switch *ds, int port,
if (ret < 0)
return;
}
- }
- ret = rtl8366_set_vlan(smi, port, member, untag, 0);
- if (ret)
- dev_err(smi->dev,
- "failed to set up VLAN %04x",
- vid);
+ ret = rtl8366_set_vlan(smi, vid, member, untag, 0);
+ if (ret)
+ dev_err(smi->dev,
+ "failed to set up VLAN %04x",
+ vid);
+ }
}
EXPORT_SYMBOL_GPL(rtl8366_vlan_add);
--
2.25.1
From: Sven Schnelle <[email protected]>
commit 5b24993c21cbf2de11aff077a48c5cb0505a0450 upstream.
When using kexec the SBA IOMMU IBASE might still have the RE
bit set. This triggers a WARN_ON when trying to write back the
IBASE register later, and it also makes some mask calculations fail.
Cc: <[email protected]>
Signed-off-by: Sven Schnelle <[email protected]>
Signed-off-by: Helge Deller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/parisc/sba_iommu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/parisc/sba_iommu.c
+++ b/drivers/parisc/sba_iommu.c
@@ -1291,7 +1291,7 @@ sba_ioc_init_pluto(struct parisc_device
** (one that doesn't overlap memory or LMMIO space) in the
** IBASE and IMASK registers.
*/
- ioc->ibase = READ_REG(ioc->ioc_hpa + IOC_IBASE);
+ ioc->ibase = READ_REG(ioc->ioc_hpa + IOC_IBASE) & ~0x1fffffULL;
iova_space_size = ~(READ_REG(ioc->ioc_hpa + IOC_IMASK) & 0xFFFFFFFFUL) + 1;
if ((ioc->ibase < 0xfed00000UL) && ((ioc->ibase + iova_space_size) > 0xfee00000UL)) {
From: Ivan Kokshaysky <[email protected]>
commit 10470dec3decaf5ed3c596f85debd7c42777ae12 upstream.
Commit 0c868627e617e43a295d8 (cpufreq: dt: Allow platform specific
intermediate callbacks) added two function pointers to the
struct cpufreq_dt_platform_data. However, armada37xx_cpufreq_driver_init()
has this struct (pdata) located on the stack and uses only "suspend"
and "resume" fields. So these newly added "get_intermediate" and
"target_intermediate" pointers are uninitialized and contain arbitrary
non-null values, causing all kinds of trouble.
For instance, here is an oops on espressobin after an attempt to change
the cpefreq governor:
[ 29.174554] Unable to handle kernel execute from non-executable memory at virtual address ffff00003f87bdc0
...
[ 29.269373] pc : 0xffff00003f87bdc0
[ 29.272957] lr : __cpufreq_driver_target+0x138/0x580
...
Fixed by zeroing out pdata before use.
Cc: <[email protected]> # v5.7+
Signed-off-by: Ivan Kokshaysky <[email protected]>
Reviewed-by: Andrew Lunn <[email protected]>
Signed-off-by: Viresh Kumar <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/cpufreq/armada-37xx-cpufreq.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/cpufreq/armada-37xx-cpufreq.c
+++ b/drivers/cpufreq/armada-37xx-cpufreq.c
@@ -458,6 +458,7 @@ static int __init armada37xx_cpufreq_dri
/* Now that everything is setup, enable the DVFS at hardware level */
armada37xx_cpufreq_enable_dvfs(nb_pm_base);
+ memset(&pdata, 0, sizeof(pdata));
pdata.suspend = armada37xx_cpufreq_suspend;
pdata.resume = armada37xx_cpufreq_resume;
From: Mikulas Patocka <[email protected]>
commit 9e27c99104707f083dccd3b4d79762859b5a0614 upstream.
There is this call chain:
cvm_encrypt -> cvm_enc_dec -> cptvf_do_request -> process_request -> kzalloc
where we call sleeping allocator function even if CRYPTO_TFM_REQ_MAY_SLEEP
was not specified.
Signed-off-by: Mikulas Patocka <[email protected]>
Cc: [email protected] # v4.11+
Fixes: c694b233295b ("crypto: cavium - Add the Virtual Function driver for CPT")
Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/crypto/cavium/cpt/cptvf_algs.c | 1 +
drivers/crypto/cavium/cpt/cptvf_reqmanager.c | 12 ++++++------
drivers/crypto/cavium/cpt/request_manager.h | 2 ++
3 files changed, 9 insertions(+), 6 deletions(-)
--- a/drivers/crypto/cavium/cpt/cptvf_algs.c
+++ b/drivers/crypto/cavium/cpt/cptvf_algs.c
@@ -205,6 +205,7 @@ static inline int cvm_enc_dec(struct abl
int status;
memset(req_info, 0, sizeof(struct cpt_request_info));
+ req_info->may_sleep = (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) != 0;
memset(fctx, 0, sizeof(struct fc_context));
create_input_list(req, enc, enc_iv_len);
create_output_list(req, enc_iv_len);
--- a/drivers/crypto/cavium/cpt/cptvf_reqmanager.c
+++ b/drivers/crypto/cavium/cpt/cptvf_reqmanager.c
@@ -136,7 +136,7 @@ static inline int setup_sgio_list(struct
/* Setup gather (input) components */
g_sz_bytes = ((req->incnt + 3) / 4) * sizeof(struct sglist_component);
- info->gather_components = kzalloc(g_sz_bytes, GFP_KERNEL);
+ info->gather_components = kzalloc(g_sz_bytes, req->may_sleep ? GFP_KERNEL : GFP_ATOMIC);
if (!info->gather_components) {
ret = -ENOMEM;
goto scatter_gather_clean;
@@ -153,7 +153,7 @@ static inline int setup_sgio_list(struct
/* Setup scatter (output) components */
s_sz_bytes = ((req->outcnt + 3) / 4) * sizeof(struct sglist_component);
- info->scatter_components = kzalloc(s_sz_bytes, GFP_KERNEL);
+ info->scatter_components = kzalloc(s_sz_bytes, req->may_sleep ? GFP_KERNEL : GFP_ATOMIC);
if (!info->scatter_components) {
ret = -ENOMEM;
goto scatter_gather_clean;
@@ -170,7 +170,7 @@ static inline int setup_sgio_list(struct
/* Create and initialize DPTR */
info->dlen = g_sz_bytes + s_sz_bytes + SG_LIST_HDR_SIZE;
- info->in_buffer = kzalloc(info->dlen, GFP_KERNEL);
+ info->in_buffer = kzalloc(info->dlen, req->may_sleep ? GFP_KERNEL : GFP_ATOMIC);
if (!info->in_buffer) {
ret = -ENOMEM;
goto scatter_gather_clean;
@@ -198,7 +198,7 @@ static inline int setup_sgio_list(struct
}
/* Create and initialize RPTR */
- info->out_buffer = kzalloc(COMPLETION_CODE_SIZE, GFP_KERNEL);
+ info->out_buffer = kzalloc(COMPLETION_CODE_SIZE, req->may_sleep ? GFP_KERNEL : GFP_ATOMIC);
if (!info->out_buffer) {
ret = -ENOMEM;
goto scatter_gather_clean;
@@ -434,7 +434,7 @@ int process_request(struct cpt_vf *cptvf
struct cpt_vq_command vq_cmd;
union cpt_inst_s cptinst;
- info = kzalloc(sizeof(*info), GFP_KERNEL);
+ info = kzalloc(sizeof(*info), req->may_sleep ? GFP_KERNEL : GFP_ATOMIC);
if (unlikely(!info)) {
dev_err(&pdev->dev, "Unable to allocate memory for info_buffer\n");
return -ENOMEM;
@@ -456,7 +456,7 @@ int process_request(struct cpt_vf *cptvf
* Get buffer for union cpt_res_s response
* structure and its physical address
*/
- info->completion_addr = kzalloc(sizeof(union cpt_res_s), GFP_KERNEL);
+ info->completion_addr = kzalloc(sizeof(union cpt_res_s), req->may_sleep ? GFP_KERNEL : GFP_ATOMIC);
if (unlikely(!info->completion_addr)) {
dev_err(&pdev->dev, "Unable to allocate memory for completion_addr\n");
ret = -ENOMEM;
--- a/drivers/crypto/cavium/cpt/request_manager.h
+++ b/drivers/crypto/cavium/cpt/request_manager.h
@@ -65,6 +65,8 @@ struct cpt_request_info {
union ctrl_info ctrl; /* User control information */
struct cptvf_request req; /* Request Information (Core specific) */
+ bool may_sleep;
+
struct buf_ptr in[MAX_BUF_CNT];
struct buf_ptr out[MAX_BUF_CNT];
From: Mikulas Patocka <[email protected]>
commit 5ead051780404b5cb22147170acadd1994dc3236 upstream.
There is this call chain:
sec_alg_skcipher_encrypt -> sec_alg_skcipher_crypto ->
sec_alg_alloc_and_calc_split_sizes -> kcalloc
where we call sleeping allocator function even if CRYPTO_TFM_REQ_MAY_SLEEP
was not specified.
Signed-off-by: Mikulas Patocka <[email protected]>
Cc: [email protected] # v4.19+
Fixes: 915e4e8413da ("crypto: hisilicon - SEC security accelerator driver")
Acked-by: Jonathan Cameron <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/crypto/hisilicon/sec/sec_algs.c | 34 ++++++++++++++++----------------
1 file changed, 18 insertions(+), 16 deletions(-)
--- a/drivers/crypto/hisilicon/sec/sec_algs.c
+++ b/drivers/crypto/hisilicon/sec/sec_algs.c
@@ -175,7 +175,8 @@ static int sec_alloc_and_fill_hw_sgl(str
dma_addr_t *psec_sgl,
struct scatterlist *sgl,
int count,
- struct sec_dev_info *info)
+ struct sec_dev_info *info,
+ gfp_t gfp)
{
struct sec_hw_sgl *sgl_current = NULL;
struct sec_hw_sgl *sgl_next;
@@ -190,7 +191,7 @@ static int sec_alloc_and_fill_hw_sgl(str
sge_index = i % SEC_MAX_SGE_NUM;
if (sge_index == 0) {
sgl_next = dma_pool_zalloc(info->hw_sgl_pool,
- GFP_KERNEL, &sgl_next_dma);
+ gfp, &sgl_next_dma);
if (!sgl_next) {
ret = -ENOMEM;
goto err_free_hw_sgls;
@@ -553,14 +554,14 @@ void sec_alg_callback(struct sec_bd_info
}
static int sec_alg_alloc_and_calc_split_sizes(int length, size_t **split_sizes,
- int *steps)
+ int *steps, gfp_t gfp)
{
size_t *sizes;
int i;
/* Split into suitable sized blocks */
*steps = roundup(length, SEC_REQ_LIMIT) / SEC_REQ_LIMIT;
- sizes = kcalloc(*steps, sizeof(*sizes), GFP_KERNEL);
+ sizes = kcalloc(*steps, sizeof(*sizes), gfp);
if (!sizes)
return -ENOMEM;
@@ -576,7 +577,7 @@ static int sec_map_and_split_sg(struct s
int steps, struct scatterlist ***splits,
int **splits_nents,
int sgl_len_in,
- struct device *dev)
+ struct device *dev, gfp_t gfp)
{
int ret, count;
@@ -584,12 +585,12 @@ static int sec_map_and_split_sg(struct s
if (!count)
return -EINVAL;
- *splits = kcalloc(steps, sizeof(struct scatterlist *), GFP_KERNEL);
+ *splits = kcalloc(steps, sizeof(struct scatterlist *), gfp);
if (!*splits) {
ret = -ENOMEM;
goto err_unmap_sg;
}
- *splits_nents = kcalloc(steps, sizeof(int), GFP_KERNEL);
+ *splits_nents = kcalloc(steps, sizeof(int), gfp);
if (!*splits_nents) {
ret = -ENOMEM;
goto err_free_splits;
@@ -597,7 +598,7 @@ static int sec_map_and_split_sg(struct s
/* output the scatter list before and after this */
ret = sg_split(sgl, count, 0, steps, split_sizes,
- *splits, *splits_nents, GFP_KERNEL);
+ *splits, *splits_nents, gfp);
if (ret) {
ret = -ENOMEM;
goto err_free_splits_nents;
@@ -638,13 +639,13 @@ static struct sec_request_el
int el_size, bool different_dest,
struct scatterlist *sgl_in, int n_ents_in,
struct scatterlist *sgl_out, int n_ents_out,
- struct sec_dev_info *info)
+ struct sec_dev_info *info, gfp_t gfp)
{
struct sec_request_el *el;
struct sec_bd_info *req;
int ret;
- el = kzalloc(sizeof(*el), GFP_KERNEL);
+ el = kzalloc(sizeof(*el), gfp);
if (!el)
return ERR_PTR(-ENOMEM);
el->el_length = el_size;
@@ -676,7 +677,7 @@ static struct sec_request_el
el->sgl_in = sgl_in;
ret = sec_alloc_and_fill_hw_sgl(&el->in, &el->dma_in, el->sgl_in,
- n_ents_in, info);
+ n_ents_in, info, gfp);
if (ret)
goto err_free_el;
@@ -687,7 +688,7 @@ static struct sec_request_el
el->sgl_out = sgl_out;
ret = sec_alloc_and_fill_hw_sgl(&el->out, &el->dma_out,
el->sgl_out,
- n_ents_out, info);
+ n_ents_out, info, gfp);
if (ret)
goto err_free_hw_sgl_in;
@@ -728,6 +729,7 @@ static int sec_alg_skcipher_crypto(struc
int *splits_out_nents = NULL;
struct sec_request_el *el, *temp;
bool split = skreq->src != skreq->dst;
+ gfp_t gfp = skreq->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL : GFP_ATOMIC;
mutex_init(&sec_req->lock);
sec_req->req_base = &skreq->base;
@@ -736,13 +738,13 @@ static int sec_alg_skcipher_crypto(struc
sec_req->len_in = sg_nents(skreq->src);
ret = sec_alg_alloc_and_calc_split_sizes(skreq->cryptlen, &split_sizes,
- &steps);
+ &steps, gfp);
if (ret)
return ret;
sec_req->num_elements = steps;
ret = sec_map_and_split_sg(skreq->src, split_sizes, steps, &splits_in,
&splits_in_nents, sec_req->len_in,
- info->dev);
+ info->dev, gfp);
if (ret)
goto err_free_split_sizes;
@@ -750,7 +752,7 @@ static int sec_alg_skcipher_crypto(struc
sec_req->len_out = sg_nents(skreq->dst);
ret = sec_map_and_split_sg(skreq->dst, split_sizes, steps,
&splits_out, &splits_out_nents,
- sec_req->len_out, info->dev);
+ sec_req->len_out, info->dev, gfp);
if (ret)
goto err_unmap_in_sg;
}
@@ -783,7 +785,7 @@ static int sec_alg_skcipher_crypto(struc
splits_in[i], splits_in_nents[i],
split ? splits_out[i] : NULL,
split ? splits_out_nents[i] : 0,
- info);
+ info, gfp);
if (IS_ERR(el)) {
ret = PTR_ERR(el);
goto err_free_elements;
From: Mirko Dietrich <[email protected]>
commit fec9008828cde0076aae595ac031bfcf49d335a4 upstream.
Adds an entry for Creative USB X-Fi to the rc_config array in
mixer_quirks.c to allow use of volume knob on the device.
Adds support for newer X-Fi Pro card, known as "Model No. SB1095"
with USB ID "041e:3263"
Signed-off-by: Mirko Dietrich <[email protected]>
Cc: <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
sound/usb/mixer_quirks.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
@@ -195,6 +195,7 @@ static const struct rc_config {
{ USB_ID(0x041e, 0x3042), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 */
{ USB_ID(0x041e, 0x30df), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */
{ USB_ID(0x041e, 0x3237), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */
+ { USB_ID(0x041e, 0x3263), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */
{ USB_ID(0x041e, 0x3048), 2, 2, 6, 6, 2, 0x6e91 }, /* Toshiba SB0500 */
};
From: Marco Felsch <[email protected]>
[ Upstream commit 7bb58b987fee26da2a1665c01033022624986b7c ]
Add missing regulator_disable() as devm_action to avoid dedicated
unbind() callback and fix the missing error handling.
Fixes: fcbc51e54d2a ("staging: drm/imx: Add support for Television Encoder (TVEv2)")
Signed-off-by: Marco Felsch <[email protected]>
Signed-off-by: Philipp Zabel <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/gpu/drm/imx/imx-tve.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/drivers/gpu/drm/imx/imx-tve.c b/drivers/gpu/drm/imx/imx-tve.c
index cffd3310240e5..c19c1dfbfcdc4 100644
--- a/drivers/gpu/drm/imx/imx-tve.c
+++ b/drivers/gpu/drm/imx/imx-tve.c
@@ -498,6 +498,13 @@ static int imx_tve_register(struct drm_device *drm, struct imx_tve *tve)
return 0;
}
+static void imx_tve_disable_regulator(void *data)
+{
+ struct imx_tve *tve = data;
+
+ regulator_disable(tve->dac_reg);
+}
+
static bool imx_tve_readable_reg(struct device *dev, unsigned int reg)
{
return (reg % 4 == 0) && (reg <= 0xdc);
@@ -622,6 +629,9 @@ static int imx_tve_bind(struct device *dev, struct device *master, void *data)
ret = regulator_enable(tve->dac_reg);
if (ret)
return ret;
+ ret = devm_add_action_or_reset(dev, imx_tve_disable_regulator, tve);
+ if (ret)
+ return ret;
}
tve->clk = devm_clk_get(dev, "tve");
@@ -668,18 +678,8 @@ static int imx_tve_bind(struct device *dev, struct device *master, void *data)
return 0;
}
-static void imx_tve_unbind(struct device *dev, struct device *master,
- void *data)
-{
- struct imx_tve *tve = dev_get_drvdata(dev);
-
- if (!IS_ERR(tve->dac_reg))
- regulator_disable(tve->dac_reg);
-}
-
static const struct component_ops imx_tve_ops = {
.bind = imx_tve_bind,
- .unbind = imx_tve_unbind,
};
static int imx_tve_probe(struct platform_device *pdev)
--
2.25.1
From: Eric Biggers <[email protected]>
commit facb03dddec04e4aac1bb2139accdceb04deb1f3 upstream.
If an inode has no links, we need to mark it bad rather than allowing it
to be accessed. This avoids WARNINGs in inc_nlink() and drop_nlink() when
doing directory operations on a fuzzed filesystem.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: [email protected]
Reported-by: [email protected]
Signed-off-by: Eric Biggers <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Cc: Alexander Viro <[email protected]>
Cc: Qiujun Huang <[email protected]>
Cc: <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
fs/minix/inode.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/fs/minix/inode.c
+++ b/fs/minix/inode.c
@@ -471,6 +471,13 @@ static struct inode *V1_minix_iget(struc
iget_failed(inode);
return ERR_PTR(-EIO);
}
+ if (raw_inode->i_nlinks == 0) {
+ printk("MINIX-fs: deleted inode referenced: %lu\n",
+ inode->i_ino);
+ brelse(bh);
+ iget_failed(inode);
+ return ERR_PTR(-ESTALE);
+ }
inode->i_mode = raw_inode->i_mode;
i_uid_write(inode, raw_inode->i_uid);
i_gid_write(inode, raw_inode->i_gid);
@@ -504,6 +511,13 @@ static struct inode *V2_minix_iget(struc
iget_failed(inode);
return ERR_PTR(-EIO);
}
+ if (raw_inode->i_nlinks == 0) {
+ printk("MINIX-fs: deleted inode referenced: %lu\n",
+ inode->i_ino);
+ brelse(bh);
+ iget_failed(inode);
+ return ERR_PTR(-ESTALE);
+ }
inode->i_mode = raw_inode->i_mode;
i_uid_write(inode, raw_inode->i_uid);
i_gid_write(inode, raw_inode->i_gid);
From: Wang Hai <[email protected]>
[ Upstream commit 85c5cbeba8f4fb28e6b9bfb3e467718385f78f76 ]
Currently the error return path from kobject_init_and_add() is not
followed by a call to kobject_put() - which means we are leaking
the kobject.
Fix it by adding a call to kobject_put() in the error path of
kobject_init_and_add().
Fixes: b087e6190ddc ("cxl: Export optional AFU configuration record in sysfs")
Reported-by: Hulk Robot <[email protected]>
Signed-off-by: Wang Hai <[email protected]>
Acked-by: Andrew Donnellan <[email protected]>
Acked-by: Frederic Barrat <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/misc/cxl/sysfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/misc/cxl/sysfs.c b/drivers/misc/cxl/sysfs.c
index 629e2e1564124..0baa229d2b7d4 100644
--- a/drivers/misc/cxl/sysfs.c
+++ b/drivers/misc/cxl/sysfs.c
@@ -628,7 +628,7 @@ static struct afu_config_record *cxl_sysfs_afu_new_cr(struct cxl_afu *afu, int c
rc = kobject_init_and_add(&cr->kobj, &afu_config_record_type,
&afu->dev.kobj, "cr%i", cr->cr);
if (rc)
- goto err;
+ goto err1;
rc = sysfs_create_bin_file(&cr->kobj, &cr->config_attr);
if (rc)
--
2.25.1
From: Qiushi Wu <[email protected]>
[ Upstream commit b975abbd382fe442713a4c233549abb90e57c22b ]
In intel_gtt_setup_scratch_page(), pointer "page" is not released if
pci_dma_mapping_error() return an error, leading to a memory leak on
module initialisation failure. Simply fix this issue by freeing "page"
before return.
Fixes: 0e87d2b06cb46 ("intel-gtt: initialize our own scratch page")
Signed-off-by: Qiushi Wu <[email protected]>
Reviewed-by: Chris Wilson <[email protected]>
Signed-off-by: Chris Wilson <[email protected]>
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/char/agp/intel-gtt.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/char/agp/intel-gtt.c b/drivers/char/agp/intel-gtt.c
index b161bdf600004..0941d38b2d32f 100644
--- a/drivers/char/agp/intel-gtt.c
+++ b/drivers/char/agp/intel-gtt.c
@@ -304,8 +304,10 @@ static int intel_gtt_setup_scratch_page(void)
if (intel_private.needs_dmar) {
dma_addr = pci_map_page(intel_private.pcidev, page, 0,
PAGE_SIZE, PCI_DMA_BIDIRECTIONAL);
- if (pci_dma_mapping_error(intel_private.pcidev, dma_addr))
+ if (pci_dma_mapping_error(intel_private.pcidev, dma_addr)) {
+ __free_page(page);
return -EINVAL;
+ }
intel_private.scratch_page_dma = dma_addr;
} else
--
2.25.1
From: John Garry <[email protected]>
[ Upstream commit c87bf24cfb60bce27b4d2c7e56ebfd86fb9d16bb ]
sdebug_max_queue should not exceed SDEBUG_CANQUEUE, otherwise crashes like
this can be triggered by passing an out-of-range value:
Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019
pstate: 20400009 (nzCv daif +PAN -UAO BTYPE=--)
pc : schedule_resp+0x2a4/0xa70 [scsi_debug]
lr : schedule_resp+0x52c/0xa70 [scsi_debug]
sp : ffff800022ab36f0
x29: ffff800022ab36f0 x28: ffff0023a935a610
x27: ffff800008e0a648 x26: 0000000000000003
x25: ffff0023e84f3200 x24: 00000000003d0900
x23: 0000000000000000 x22: 0000000000000000
x21: ffff0023be60a320 x20: ffff0023be60b538
x19: ffff800008e13000 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000
x15: 0000000000000000 x14: 0000000000000000
x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000
x9 : 0000000000000001 x8 : 0000000000000000
x7 : 0000000000000000 x6 : 00000000000000c1
x5 : 0000020000200000 x4 : dead0000000000ff
x3 : 0000000000000200 x2 : 0000000000000200
x1 : ffff800008e13d88 x0 : 0000000000000000
Call trace:
schedule_resp+0x2a4/0xa70 [scsi_debug]
scsi_debug_queuecommand+0x2c4/0x9e0 [scsi_debug]
scsi_queue_rq+0x698/0x840
__blk_mq_try_issue_directly+0x108/0x228
blk_mq_request_issue_directly+0x58/0x98
blk_mq_try_issue_list_directly+0x5c/0xf0
blk_mq_sched_insert_requests+0x18c/0x200
blk_mq_flush_plug_list+0x11c/0x190
blk_flush_plug_list+0xdc/0x110
blk_finish_plug+0x38/0x210
blkdev_direct_IO+0x450/0x4d8
generic_file_read_iter+0x84/0x180
blkdev_read_iter+0x3c/0x50
aio_read+0xc0/0x170
io_submit_one+0x5c8/0xc98
__arm64_sys_io_submit+0x1b0/0x258
el0_svc_common.constprop.3+0x68/0x170
do_el0_svc+0x24/0x90
el0_sync_handler+0x13c/0x1a8
el0_sync+0x158/0x180
Code: 528847e0 72a001e0 6b00003f 540018cd (3941c340)
In addition, it should not be less than 1.
So add checks for these, and fail the module init for those cases.
[mkp: changed if condition to match error message]
Link: https://lore.kernel.org/r/[email protected]
Fixes: c483739430f1 ("scsi_debug: add multiple queue support")
Reviewed-by: Ming Lei <[email protected]>
Acked-by: Douglas Gilbert <[email protected]>
Signed-off-by: John Garry <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/scsi/scsi_debug.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index a1dbae806fdea..d2b045eb72742 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -5384,6 +5384,12 @@ static int __init scsi_debug_init(void)
pr_err("submit_queues must be 1 or more\n");
return -EINVAL;
}
+
+ if ((sdebug_max_queue > SDEBUG_CANQUEUE) || (sdebug_max_queue < 1)) {
+ pr_err("max_queue must be in range [1, %d]\n", SDEBUG_CANQUEUE);
+ return -EINVAL;
+ }
+
sdebug_q_arr = kcalloc(submit_queues, sizeof(struct sdebug_queue),
GFP_KERNEL);
if (sdebug_q_arr == NULL)
--
2.25.1
From: Zhao Heming <[email protected]>
[ Upstream commit 60f80d6f2d07a6d8aee485a1d1252327eeee0c81 ]
reproduction steps:
```
node1 # mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sda
/dev/sdb
node2 # mdadm -A /dev/md0 /dev/sda /dev/sdb
node1 # mdadm -G /dev/md0 -b none
mdadm: failed to remove clustered bitmap.
node1 # mdadm -S --scan
^C <==== mdadm hung & kernel crash
```
kernel stack:
```
[ 335.230657] general protection fault: 0000 [#1] SMP NOPTI
[...]
[ 335.230848] Call Trace:
[ 335.230873] ? unlock_all_bitmaps+0x5/0x70 [md_cluster]
[ 335.230886] unlock_all_bitmaps+0x3d/0x70 [md_cluster]
[ 335.230899] leave+0x10f/0x190 [md_cluster]
[ 335.230932] ? md_super_wait+0x93/0xa0 [md_mod]
[ 335.230947] ? leave+0x5/0x190 [md_cluster]
[ 335.230973] md_cluster_stop+0x1a/0x30 [md_mod]
[ 335.230999] md_bitmap_free+0x142/0x150 [md_mod]
[ 335.231013] ? _cond_resched+0x15/0x40
[ 335.231025] ? mutex_lock+0xe/0x30
[ 335.231056] __md_stop+0x1c/0xa0 [md_mod]
[ 335.231083] do_md_stop+0x160/0x580 [md_mod]
[ 335.231119] ? 0xffffffffc05fb078
[ 335.231148] md_ioctl+0xa04/0x1930 [md_mod]
[ 335.231165] ? filename_lookup+0xf2/0x190
[ 335.231179] blkdev_ioctl+0x93c/0xa10
[ 335.231205] ? _cond_resched+0x15/0x40
[ 335.231214] ? __check_object_size+0xd4/0x1a0
[ 335.231224] block_ioctl+0x39/0x40
[ 335.231243] do_vfs_ioctl+0xa0/0x680
[ 335.231253] ksys_ioctl+0x70/0x80
[ 335.231261] __x64_sys_ioctl+0x16/0x20
[ 335.231271] do_syscall_64+0x65/0x1f0
[ 335.231278] entry_SYSCALL_64_after_hwframe+0x44/0xa9
```
Signed-off-by: Zhao Heming <[email protected]>
Signed-off-by: Song Liu <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/md/md-cluster.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/md/md-cluster.c b/drivers/md/md-cluster.c
index 0b2af6e74fc37..4522e87d9d68d 100644
--- a/drivers/md/md-cluster.c
+++ b/drivers/md/md-cluster.c
@@ -1443,6 +1443,7 @@ static void unlock_all_bitmaps(struct mddev *mddev)
}
}
kfree(cinfo->other_bitmap_lockres);
+ cinfo->other_bitmap_lockres = NULL;
}
}
--
2.25.1
From: Rob Clark <[email protected]>
[ Upstream commit 5e16372b5940b1fecc3cc887fc02a50ba148d373 ]
This can happen a lot when things go pear shaped. Lets not flood dmesg
when this happens.
Signed-off-by: Rob Clark <[email protected]>
Reviewed-by: Abhinav Kumar <[email protected]>
Signed-off-by: Rob Clark <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
index 4752f08f0884c..3c3b7f7013e87 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
@@ -659,7 +659,7 @@ static void dpu_crtc_frame_event_cb(void *data, u32 event)
spin_unlock_irqrestore(&dpu_crtc->spin_lock, flags);
if (!fevent) {
- DRM_ERROR("crtc%d event %d overflow\n", crtc->base.id, event);
+ DRM_ERROR_RATELIMITED("crtc%d event %d overflow\n", crtc->base.id, event);
return;
}
--
2.25.1
From: Sivaprakash Murugesan <[email protected]>
commit 443440cc4a901af462239d286cd10721aa1c7dfc upstream.
SFLASHC_BURST_CFG is only available on older ipq NAND platforms, this
register has been removed when the NAND controller got implemented in
the qpic controller.
Avoid writing this register on devices which are based on qpic NAND
controller.
Fixes: dce84760b09f ("mtd: nand: qcom: Support for IPQ8074 QPIC NAND controller")
Cc: [email protected]
Signed-off-by: Sivaprakash Murugesan <[email protected]>
Signed-off-by: Miquel Raynal <[email protected]>
Link: https://lore.kernel.org/linux-mtd/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/mtd/nand/raw/qcom_nandc.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/mtd/nand/raw/qcom_nandc.c
+++ b/drivers/mtd/nand/raw/qcom_nandc.c
@@ -466,11 +466,13 @@ struct qcom_nand_host {
* among different NAND controllers.
* @ecc_modes - ecc mode for NAND
* @is_bam - whether NAND controller is using BAM
+ * @is_qpic - whether NAND CTRL is part of qpic IP
* @dev_cmd_reg_start - NAND_DEV_CMD_* registers starting offset
*/
struct qcom_nandc_props {
u32 ecc_modes;
bool is_bam;
+ bool is_qpic;
u32 dev_cmd_reg_start;
};
@@ -2766,7 +2768,8 @@ static int qcom_nandc_setup(struct qcom_
u32 nand_ctrl;
/* kill onenand */
- nandc_write(nandc, SFLASHC_BURST_CFG, 0);
+ if (!nandc->props->is_qpic)
+ nandc_write(nandc, SFLASHC_BURST_CFG, 0);
nandc_write(nandc, dev_cmd_reg_addr(nandc, NAND_DEV_CMD_VLD),
NAND_DEV_CMD_VLD_VAL);
@@ -3022,12 +3025,14 @@ static const struct qcom_nandc_props ipq
static const struct qcom_nandc_props ipq4019_nandc_props = {
.ecc_modes = (ECC_BCH_4BIT | ECC_BCH_8BIT),
.is_bam = true,
+ .is_qpic = true,
.dev_cmd_reg_start = 0x0,
};
static const struct qcom_nandc_props ipq8074_nandc_props = {
.ecc_modes = (ECC_BCH_4BIT | ECC_BCH_8BIT),
.is_bam = true,
+ .is_qpic = true,
.dev_cmd_reg_start = 0x7000,
};
From: Christian Eggers <[email protected]>
commit aa9e862d7d5bcecd4dca9f39e8b684b93dd84ee7 upstream.
Simply copying all xfers from userspace into one bounce buffer causes
alignment problems if the SPI controller uses DMA.
Ensure that all transfer data blocks within the rx and tx bounce buffers
are aligned for DMA (according to ARCH_KMALLOC_MINALIGN).
Alignment may increase the usage of the bounce buffers. In some cases,
the buffers may need to be increased using the "bufsiz" module
parameter.
Signed-off-by: Christian Eggers <[email protected]>
Cc: [email protected]
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Mark Brown <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/spi/spidev.c | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
--- a/drivers/spi/spidev.c
+++ b/drivers/spi/spidev.c
@@ -232,6 +232,11 @@ static int spidev_message(struct spidev_
for (n = n_xfers, k_tmp = k_xfers, u_tmp = u_xfers;
n;
n--, k_tmp++, u_tmp++) {
+ /* Ensure that also following allocations from rx_buf/tx_buf will meet
+ * DMA alignment requirements.
+ */
+ unsigned int len_aligned = ALIGN(u_tmp->len, ARCH_KMALLOC_MINALIGN);
+
k_tmp->len = u_tmp->len;
total += k_tmp->len;
@@ -247,17 +252,17 @@ static int spidev_message(struct spidev_
if (u_tmp->rx_buf) {
/* this transfer needs space in RX bounce buffer */
- rx_total += k_tmp->len;
+ rx_total += len_aligned;
if (rx_total > bufsiz) {
status = -EMSGSIZE;
goto done;
}
k_tmp->rx_buf = rx_buf;
- rx_buf += k_tmp->len;
+ rx_buf += len_aligned;
}
if (u_tmp->tx_buf) {
/* this transfer needs space in TX bounce buffer */
- tx_total += k_tmp->len;
+ tx_total += len_aligned;
if (tx_total > bufsiz) {
status = -EMSGSIZE;
goto done;
@@ -267,7 +272,7 @@ static int spidev_message(struct spidev_
(uintptr_t) u_tmp->tx_buf,
u_tmp->len))
goto done;
- tx_buf += k_tmp->len;
+ tx_buf += len_aligned;
}
k_tmp->cs_change = !!u_tmp->cs_change;
@@ -297,16 +302,16 @@ static int spidev_message(struct spidev_
goto done;
/* copy any rx data out of bounce buffer */
- rx_buf = spidev->rx_buffer;
- for (n = n_xfers, u_tmp = u_xfers; n; n--, u_tmp++) {
+ for (n = n_xfers, k_tmp = k_xfers, u_tmp = u_xfers;
+ n;
+ n--, k_tmp++, u_tmp++) {
if (u_tmp->rx_buf) {
if (copy_to_user((u8 __user *)
- (uintptr_t) u_tmp->rx_buf, rx_buf,
+ (uintptr_t) u_tmp->rx_buf, k_tmp->rx_buf,
u_tmp->len)) {
status = -EFAULT;
goto done;
}
- rx_buf += u_tmp->len;
}
}
status = total;
From: Finn Thain <[email protected]>
[ Upstream commit aeb445bf2194d83e12e85bf5c65baaf1f093bd8f ]
In the following sequence of calls, iop_do_send() gets called when the
"send" channel is not in the IOP_MSG_IDLE state:
iop_ism_irq()
iop_handle_send()
(msg->handler)()
iop_send_message()
iop_do_send()
Avoid this by testing the channel state before calling iop_do_send().
When sending, and iop_send_queue is empty, call iop_do_send() because
the channel is idle. If iop_send_queue is not empty, iop_do_send() will
get called later by iop_handle_send().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Finn Thain <[email protected]>
Tested-by: Stan Johnson <[email protected]>
Cc: Joshua Thompson <[email protected]>
Link: https://lore.kernel.org/r/6d667c39e53865661fa5a48f16829d18ed8abe54.1590880333.git.fthain@telegraphics.com.au
Signed-off-by: Geert Uytterhoeven <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
arch/m68k/mac/iop.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/arch/m68k/mac/iop.c b/arch/m68k/mac/iop.c
index 9bfa170157688..d8f2282978f9c 100644
--- a/arch/m68k/mac/iop.c
+++ b/arch/m68k/mac/iop.c
@@ -416,7 +416,8 @@ static void iop_handle_send(uint iop_num, uint chan)
msg->status = IOP_MSGSTATUS_UNUSED;
msg = msg->next;
iop_send_queue[iop_num][chan] = msg;
- if (msg) iop_do_send(msg);
+ if (msg && iop_readb(iop, IOP_ADDR_SEND_STATE + chan) == IOP_MSG_IDLE)
+ iop_do_send(msg);
}
/*
@@ -490,16 +491,12 @@ int iop_send_message(uint iop_num, uint chan, void *privdata,
if (!(q = iop_send_queue[iop_num][chan])) {
iop_send_queue[iop_num][chan] = msg;
+ iop_do_send(msg);
} else {
while (q->next) q = q->next;
q->next = msg;
}
- if (iop_readb(iop_base[iop_num],
- IOP_ADDR_SEND_STATE + chan) == IOP_MSG_IDLE) {
- iop_do_send(msg);
- }
-
return 0;
}
--
2.25.1
From: John Allen <[email protected]>
commit 8a302808c60d441d9884cb00ea7f2b534f2e3ca5 upstream.
Running the crypto manager self tests with
CONFIG_CRYPTO_MANAGER_EXTRA_TESTS may result in several types of errors
when using the ccp-crypto driver:
alg: skcipher: cbc-des3-ccp encryption failed on test vector 0; expected_error=0, actual_error=-5 ...
alg: skcipher: ctr-aes-ccp decryption overran dst buffer on test vector 0 ...
alg: ahash: sha224-ccp test failed (wrong result) on test vector ...
These errors are the result of improper processing of scatterlists mapped
for DMA.
Given a scatterlist in which entries are merged as part of mapping the
scatterlist for DMA, the DMA length of a merged entry will reflect the
combined length of the entries that were merged. The subsequent
scatterlist entry will contain DMA information for the scatterlist entry
after the last merged entry, but the non-DMA information will be that of
the first merged entry.
The ccp driver does not take this scatterlist merging into account. To
address this, add a second scatterlist pointer to track the current
position in the DMA mapped representation of the scatterlist. Both the DMA
representation and the original representation of the scatterlist must be
tracked as while most of the driver can use just the DMA representation,
scatterlist_map_and_copy() must use the original representation and
expects the scatterlist pointer to be accurate to the original
representation.
In order to properly walk the original scatterlist, the scatterlist must
be walked until the combined lengths of the entries seen is equal to the
DMA length of the current entry being processed in the DMA mapped
representation.
Fixes: 63b945091a070 ("crypto: ccp - CCP device driver and interface support")
Signed-off-by: John Allen <[email protected]>
Cc: [email protected]
Acked-by: Tom Lendacky <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/crypto/ccp/ccp-dev.h | 1 +
drivers/crypto/ccp/ccp-ops.c | 37 ++++++++++++++++++++++++++-----------
2 files changed, 27 insertions(+), 11 deletions(-)
--- a/drivers/crypto/ccp/ccp-dev.h
+++ b/drivers/crypto/ccp/ccp-dev.h
@@ -471,6 +471,7 @@ struct ccp_sg_workarea {
unsigned int sg_used;
struct scatterlist *dma_sg;
+ struct scatterlist *dma_sg_head;
struct device *dma_dev;
unsigned int dma_count;
enum dma_data_direction dma_dir;
--- a/drivers/crypto/ccp/ccp-ops.c
+++ b/drivers/crypto/ccp/ccp-ops.c
@@ -67,7 +67,7 @@ static u32 ccp_gen_jobid(struct ccp_devi
static void ccp_sg_free(struct ccp_sg_workarea *wa)
{
if (wa->dma_count)
- dma_unmap_sg(wa->dma_dev, wa->dma_sg, wa->nents, wa->dma_dir);
+ dma_unmap_sg(wa->dma_dev, wa->dma_sg_head, wa->nents, wa->dma_dir);
wa->dma_count = 0;
}
@@ -96,6 +96,7 @@ static int ccp_init_sg_workarea(struct c
return 0;
wa->dma_sg = sg;
+ wa->dma_sg_head = sg;
wa->dma_dev = dev;
wa->dma_dir = dma_dir;
wa->dma_count = dma_map_sg(dev, sg, wa->nents, dma_dir);
@@ -108,14 +109,28 @@ static int ccp_init_sg_workarea(struct c
static void ccp_update_sg_workarea(struct ccp_sg_workarea *wa, unsigned int len)
{
unsigned int nbytes = min_t(u64, len, wa->bytes_left);
+ unsigned int sg_combined_len = 0;
if (!wa->sg)
return;
wa->sg_used += nbytes;
wa->bytes_left -= nbytes;
- if (wa->sg_used == wa->sg->length) {
- wa->sg = sg_next(wa->sg);
+ if (wa->sg_used == sg_dma_len(wa->dma_sg)) {
+ /* Advance to the next DMA scatterlist entry */
+ wa->dma_sg = sg_next(wa->dma_sg);
+
+ /* In the case that the DMA mapped scatterlist has entries
+ * that have been merged, the non-DMA mapped scatterlist
+ * must be advanced multiple times for each merged entry.
+ * This ensures that the current non-DMA mapped entry
+ * corresponds to the current DMA mapped entry.
+ */
+ do {
+ sg_combined_len += wa->sg->length;
+ wa->sg = sg_next(wa->sg);
+ } while (wa->sg_used > sg_combined_len);
+
wa->sg_used = 0;
}
}
@@ -304,7 +319,7 @@ static unsigned int ccp_queue_buf(struct
/* Update the structures and generate the count */
buf_count = 0;
while (sg_wa->bytes_left && (buf_count < dm_wa->length)) {
- nbytes = min(sg_wa->sg->length - sg_wa->sg_used,
+ nbytes = min(sg_dma_len(sg_wa->dma_sg) - sg_wa->sg_used,
dm_wa->length - buf_count);
nbytes = min_t(u64, sg_wa->bytes_left, nbytes);
@@ -336,11 +351,11 @@ static void ccp_prepare_data(struct ccp_
* and destination. The resulting len values will always be <= UINT_MAX
* because the dma length is an unsigned int.
*/
- sg_src_len = sg_dma_len(src->sg_wa.sg) - src->sg_wa.sg_used;
+ sg_src_len = sg_dma_len(src->sg_wa.dma_sg) - src->sg_wa.sg_used;
sg_src_len = min_t(u64, src->sg_wa.bytes_left, sg_src_len);
if (dst) {
- sg_dst_len = sg_dma_len(dst->sg_wa.sg) - dst->sg_wa.sg_used;
+ sg_dst_len = sg_dma_len(dst->sg_wa.dma_sg) - dst->sg_wa.sg_used;
sg_dst_len = min_t(u64, src->sg_wa.bytes_left, sg_dst_len);
op_len = min(sg_src_len, sg_dst_len);
} else {
@@ -370,7 +385,7 @@ static void ccp_prepare_data(struct ccp_
/* Enough data in the sg element, but we need to
* adjust for any previously copied data
*/
- op->src.u.dma.address = sg_dma_address(src->sg_wa.sg);
+ op->src.u.dma.address = sg_dma_address(src->sg_wa.dma_sg);
op->src.u.dma.offset = src->sg_wa.sg_used;
op->src.u.dma.length = op_len & ~(block_size - 1);
@@ -391,7 +406,7 @@ static void ccp_prepare_data(struct ccp_
/* Enough room in the sg element, but we need to
* adjust for any previously used area
*/
- op->dst.u.dma.address = sg_dma_address(dst->sg_wa.sg);
+ op->dst.u.dma.address = sg_dma_address(dst->sg_wa.dma_sg);
op->dst.u.dma.offset = dst->sg_wa.sg_used;
op->dst.u.dma.length = op->src.u.dma.length;
}
@@ -2034,7 +2049,7 @@ ccp_run_passthru_cmd(struct ccp_cmd_queu
dst.sg_wa.sg_used = 0;
for (i = 1; i <= src.sg_wa.dma_count; i++) {
if (!dst.sg_wa.sg ||
- (dst.sg_wa.sg->length < src.sg_wa.sg->length)) {
+ (sg_dma_len(dst.sg_wa.sg) < sg_dma_len(src.sg_wa.sg))) {
ret = -EINVAL;
goto e_dst;
}
@@ -2060,8 +2075,8 @@ ccp_run_passthru_cmd(struct ccp_cmd_queu
goto e_dst;
}
- dst.sg_wa.sg_used += src.sg_wa.sg->length;
- if (dst.sg_wa.sg_used == dst.sg_wa.sg->length) {
+ dst.sg_wa.sg_used += sg_dma_len(src.sg_wa.sg);
+ if (dst.sg_wa.sg_used == sg_dma_len(dst.sg_wa.sg)) {
dst.sg_wa.sg = sg_next(dst.sg_wa.sg);
dst.sg_wa.sg_used = 0;
}
From: Xiongfeng Wang <[email protected]>
[ Upstream commit 3167e3d340c092fd47924bc4d23117a3074ef9a9 ]
When I cat ASPM parameter 'policy' by sysfs, it displays as follows. Add a
newline for easy reading. Other sysfs attributes already include a
newline.
[root@localhost ~]# cat /sys/module/pcie_aspm/parameters/policy
[default] performance powersave powersupersave [root@localhost ~]#
Fixes: 7d715a6c1ae5 ("PCI: add PCI Express ASPM support")
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Xiongfeng Wang <[email protected]>
Signed-off-by: Bjorn Helgaas <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/pci/pcie/aspm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c
index 6e50f84733b75..279f9f0197b01 100644
--- a/drivers/pci/pcie/aspm.c
+++ b/drivers/pci/pcie/aspm.c
@@ -1164,6 +1164,7 @@ static int pcie_aspm_get_policy(char *buffer, const struct kernel_param *kp)
cnt += sprintf(buffer + cnt, "[%s] ", policy_str[i]);
else
cnt += sprintf(buffer + cnt, "%s ", policy_str[i]);
+ cnt += sprintf(buffer + cnt, "\n");
return cnt;
}
--
2.25.1
From: Nick Desaulniers <[email protected]>
commit f3751ad0116fb6881f2c3c957d66a9327f69cefb upstream.
__tracepoint_string's have their string data stored in .rodata, and an
address to that data stored in the "__tracepoint_str" section. Functions
that refer to those strings refer to the symbol of the address. Compiler
optimization can replace those address references with references
directly to the string data. If the address doesn't appear to have other
uses, then it appears dead to the compiler and is removed. This can
break the /tracing/printk_formats sysfs node which iterates the
addresses stored in the "__tracepoint_str" section.
Like other strings stored in custom sections in this header, mark these
__used to inform the compiler that there are other non-obvious users of
the address, so they should still be emitted.
Link: https://lkml.kernel.org/r/[email protected]
Cc: Ingo Molnar <[email protected]>
Cc: Miguel Ojeda <[email protected]>
Cc: [email protected]
Fixes: 102c9323c35a8 ("tracing: Add __tracepoint_string() to export string pointers")
Reported-by: Tim Murray <[email protected]>
Reported-by: Simon MacMullen <[email protected]>
Suggested-by: Greg Hackmann <[email protected]>
Signed-off-by: Nick Desaulniers <[email protected]>
Signed-off-by: Steven Rostedt (VMware) <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
include/linux/tracepoint.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/include/linux/tracepoint.h
+++ b/include/linux/tracepoint.h
@@ -364,7 +364,7 @@ static inline struct tracepoint *tracepo
static const char *___tp_str __tracepoint_string = str; \
___tp_str; \
})
-#define __tracepoint_string __attribute__((section("__tracepoint_str")))
+#define __tracepoint_string __attribute__((section("__tracepoint_str"), used))
#else
/*
* tracepoint_string() is used to save the string address for userspace
From: Grant Likely <[email protected]>
commit 4f57cace81438cc873a96f9f13f08298815c9b51 upstream.
Some devices, particularly the 3DConnexion Spacemouse wireless 3D
controllers, return more than just the battery capacity in the battery
report. The Spacemouse devices return an additional byte with a device
specific field. However, hidinput_query_battery_capacity() only
requests a 2 byte transfer.
When a spacemouse is connected via USB (direct wire, no wireless dongle)
and it returns a 3 byte report instead of the assumed 2 byte battery
report the larger transfer confuses and frightens the USB subsystem
which chooses to ignore the transfer. Then after 2 seconds assume the
device has stopped responding and reset it. This can be reproduced
easily by using a wired connection with a wireless spacemouse. The
Spacemouse will enter a loop of resetting every 2 seconds which can be
observed in dmesg.
This patch solves the problem by increasing the transfer request to 4
bytes instead of 2. The fix isn't particularly elegant, but it is simple
and safe to backport to stable kernels. A further patch will follow to
more elegantly handle battery reports that contain additional data.
Signed-off-by: Grant Likely <[email protected]>
Cc: Darren Hart <[email protected]>
Cc: Jiri Kosina <[email protected]>
Cc: Benjamin Tissoires <[email protected]>
Cc: [email protected]
Tested-by: Darren Hart <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/hid/hid-input.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -362,13 +362,13 @@ static int hidinput_query_battery_capaci
u8 *buf;
int ret;
- buf = kmalloc(2, GFP_KERNEL);
+ buf = kmalloc(4, GFP_KERNEL);
if (!buf)
return -ENOMEM;
- ret = hid_hw_raw_request(dev, dev->battery_report_id, buf, 2,
+ ret = hid_hw_raw_request(dev, dev->battery_report_id, buf, 4,
dev->battery_report_type, HID_REQ_GET_REPORT);
- if (ret != 2) {
+ if (ret < 2) {
kfree(buf);
return -ENODATA;
}
On Mon, 17 Aug 2020 at 21:44, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 4.19.140 release.
> There are 168 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 19 Aug 2020 14:36:49 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.140-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.
Summary
------------------------------------------------------------------------
kernel: 4.19.140-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.19.y
git commit: 9950f9b4d350ca9b4f05daa2d16b090000b1d2d7
git describe: v4.19.139-169-g9950f9b4d350
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.19-oe/build/v4.19.139-169-g9950f9b4d350
No regressions (compared to build v4.19.139)
No fixes (compared to build v4.19.139)
Ran 33782 total tests in the following environments and test suites.
Environments
--------------
- dragonboard-410c - arm64
- hi6220-hikey - arm64
- i386
- juno-r2 - arm64
- juno-r2-compat
- juno-r2-kasan
- nxp-ls2088
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15 - arm
- x86_64
- x86-kasan
Test Suites
-----------
* build
* install-android-platform-tools-r2600
* kselftest
* kselftest/drivers
* kselftest/filesystems
* kselftest/net
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-tracing-tests
* perf
* ltp-controllers-tests
* ltp-cve-tests
* ltp-fs-tests
* network-basic-tests
* v4l2-compliance
* ltp-open-posix-tests
* igt-gpu-tools
* ssuite
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-native/drivers
* kselftest-vsyscall-mode-native/filesystems
* kselftest-vsyscall-mode-native/net
* kselftest-vsyscall-mode-none
* kselftest-vsyscall-mode-none/drivers
* kselftest-vsyscall-mode-none/filesystems
* kselftest-vsyscall-mode-none/net
--
Linaro LKFT
https://lkft.linaro.org
Hi!
> Fix a small resource leak on the error path of cipher processing.
I believe this one is wrong.
> @@ -149,10 +148,19 @@ static int cc_cipher_init(struct crypto_tfm *tfm)
> ctx_p->flow_mode = cc_alg->flow_mode;
> ctx_p->drvdata = cc_alg->drvdata;
>
> + if (ctx_p->cipher_mode == DRV_CIPHER_ESSIV) {
> + /* Alloc hash tfm for essiv */
> + ctx_p->shash_tfm = crypto_alloc_shash("sha256-generic", 0, 0);
> + if (IS_ERR(ctx_p->shash_tfm)) {
> + dev_err(dev, "Error allocating hash tfm for ESSIV.\n");
> + return PTR_ERR(ctx_p->shash_tfm);
> + }
> + }
shash_tfm() is only allocated conditionally.
> +free_key:
> + kfree(ctx_p->user.key);
> +free_shash:
> + crypto_free_shash(ctx_p->shash_tfm);
But it is freed unconditionally, and free_shash() is not robust
against NULL pointer due to undefined behaviour in crypto_shash_tfm.
Additionally, it would be cleaner to set ctx_p->shash_tfm to NULL in
this path.
Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
Hi!
> From: Lihong Kou <[email protected]>
>
> [ Upstream commit f9c70bdc279b191da8d60777c627702c06e4a37d ]
>
> In the case we set or free the global value listen_chan in
> different threads, we can encounter the UAF problems because
> the method is not protected by any lock, add one to avoid
> this bug.
For this to be safe, bt_6lowpan_exit() needs same handling, no?
Signed-off-by: Pavel Machek (CIP) <[email protected]>
diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
index 9a75f9b00b51..2402ef5ac072 100644
--- a/net/bluetooth/6lowpan.c
+++ b/net/bluetooth/6lowpan.c
@@ -1304,10 +1304,12 @@ static void __exit bt_6lowpan_exit(void)
debugfs_remove(lowpan_enable_debugfs);
debugfs_remove(lowpan_control_debugfs);
+ mutex_lock(&set_lock);
if (listen_chan) {
l2cap_chan_close(listen_chan, 0);
l2cap_chan_put(listen_chan);
}
+ mutex_unlock(&set_lock);
disconnect_devices();
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
On Tue, Aug 18, 2020 at 11:40:25AM +0200, Pavel Machek wrote:
> Hi!
>
> > From: Lihong Kou <[email protected]>
> >
> > [ Upstream commit f9c70bdc279b191da8d60777c627702c06e4a37d ]
> >
> > In the case we set or free the global value listen_chan in
> > different threads, we can encounter the UAF problems because
> > the method is not protected by any lock, add one to avoid
> > this bug.
>
> For this to be safe, bt_6lowpan_exit() needs same handling, no?
>
> Signed-off-by: Pavel Machek (CIP) <[email protected]>
>
> diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
> index 9a75f9b00b51..2402ef5ac072 100644
> --- a/net/bluetooth/6lowpan.c
> +++ b/net/bluetooth/6lowpan.c
> @@ -1304,10 +1304,12 @@ static void __exit bt_6lowpan_exit(void)
> debugfs_remove(lowpan_enable_debugfs);
> debugfs_remove(lowpan_control_debugfs);
>
> + mutex_lock(&set_lock);
> if (listen_chan) {
> l2cap_chan_close(listen_chan, 0);
> l2cap_chan_put(listen_chan);
> }
> + mutex_unlock(&set_lock);
>
> disconnect_devices();
>
>
>
Why you are sending this in this format seems very odd to me, you know
better...
On Mon, Aug 17, 2020 at 05:15:31PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.140 release.
> There are 168 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 19 Aug 2020 14:36:49 +0000.
> Anything received after that time might be too late.
>
Build results:
total: 155 pass: 155 fail: 0
Qemu test results:
total: 420 pass: 420 fail: 0
Guenter
Hi!
> This is the start of the stable review cycle for the 4.19.140 release.
> There are 168 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 19 Aug 2020 14:36:49 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.140-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
Our tests did not detect problems:
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/pipelines/178773989
Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
Hi!
> From: Dan Carpenter <[email protected]>
>
> [ Upstream commit 2505a210fc126599013aec2be741df20aaacc490 ]
>
> If fw_csr_string() returns -ENOENT, then "name" is uninitialized. So
> then the "strlen(model_names[i]) <= name_len" is true because strlen()
> is unsigned and -ENOENT is type promoted to a very high positive value.
> Then the "strncmp(name, model_names[i], name_len)" uses uninitialized
> data because "name" is uninitialized.
This causes memory leak, AFAICT.
Signed-off-by: Pavel Machek (CIP) <[email protected]>
Best regards,
Pavel
diff --git a/drivers/media/firewire/firedtv-fw.c b/drivers/media/firewire/firedtv-fw.c
index eaf94b817dbc..2ac9d24d3f0c 100644
--- a/drivers/media/firewire/firedtv-fw.c
+++ b/drivers/media/firewire/firedtv-fw.c
@@ -271,8 +271,10 @@ static int node_probe(struct fw_unit *unit, const struct ieee1394_device_id *id)
name_len = fw_csr_string(unit->directory, CSR_MODEL,
name, sizeof(name));
- if (name_len < 0)
- return name_len;
+ if (name_len < 0) {
+ err = name_len;
+ goto fail_free;
+ }
for (i = ARRAY_SIZE(model_names); --i; )
if (strlen(model_names[i]) <= name_len &&
strncmp(name, model_names[i], name_len) == 0)
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
On 8/17/20 9:15 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.140 release.
> There are 168 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 19 Aug 2020 14:36:49 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.140-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <[email protected]>
thanks,
-- Shuah
On Tue, Aug 18, 2020 at 11:34:53PM +0200, Pavel Machek wrote:
> Hi!
>
> > From: Dan Carpenter <[email protected]>
> >
> > [ Upstream commit 2505a210fc126599013aec2be741df20aaacc490 ]
> >
> > If fw_csr_string() returns -ENOENT, then "name" is uninitialized. So
> > then the "strlen(model_names[i]) <= name_len" is true because strlen()
> > is unsigned and -ENOENT is type promoted to a very high positive value.
> > Then the "strncmp(name, model_names[i], name_len)" uses uninitialized
> > data because "name" is uninitialized.
>
> This causes memory leak, AFAICT.
>
> Signed-off-by: Pavel Machek (CIP) <[email protected]>
Again, this is not how to submit patches, and you know this.
You are one more email-like-this away from my circular-file filter...
greg k-h
On Tue, Aug 18, 2020 at 11:22:31AM +0200, Pavel Machek wrote:
>
> But it is freed unconditionally, and free_shash() is not robust
> against NULL pointer due to undefined behaviour in crypto_shash_tfm.
crypto_free_shash calls crypto_destroy_tfm with both the original
pointer as well as the crypto_shash_tfm pointer so it does the
right thing for NULL pointers. Please check again.
Thanks,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt