| Age | Commit message (Collapse) | Author |
|---|
|
[ Upstream commit d7aff291d069c4418285f3c8ee27b0ff67ce5998 ]
Oxford Semiconductor 950 serial port devices have a 128-byte FIFO and in
the enhanced (650) mode, which we select in `autoconfig_has_efr' with
the ECB bit set in the EFR register, they support the receive interrupt
trigger level selectable with FCR bits 7:6 from the set of 16, 32, 112,
120. This applies to the original OX16C950 discrete UART[1] as well as
950 cores embedded into more complex devices.
For these devices we set the default to 112, which sets an excessively
high level of 112 or 7/8 of the FIFO capacity, unlike with other port
types where we choose at most 1/2 of their respective FIFO capacities.
Additionally we don't make the trigger level configurable. Consequently
frequent input overruns happen with high bit rates where hardware flow
control cannot be used (e.g. terminal applications) even with otherwise
highly-performant systems.
Lower the default receive interrupt trigger level to 32 then, and make
it configurable. Document the trigger levels along with other port
types, including the set of 16, 32, 64, 112 for the transmit interrupt
as well[2].
References:
[1] "OX16C950 rev B High Performance UART with 128 byte FIFOs", Oxford
Semiconductor, Inc., DS-0031, Sep 05, Table 10: "Receiver Trigger
Levels", p. 22
[2] same, Table 9: "Transmit Interrupt Trigger Levels", p. 22
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Link: https://lore.kernel.org/r/alpine.DEB.2.21.2106260608480.37803@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
[ Upstream commit ed0d0a0506025f06061325cedae1bbebd081620a ]
Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
Change-Id: Iac55a9589294ca0bc58f863c4896c31aa1619ee7
|
|
lineage-18.1-caf-msm8998
# By Thomas Gleixner (11) and others
# Via Greg Kroah-Hartman
* google/common/android-4.4-p:
Linux 4.4.283
Revert "floppy: reintroduce O_NDELAY fix"
fbmem: add margin check to fb_check_caps()
vt_kdsetmode: extend console locking
vringh: Use wiov->used to check for read/write desc order
virtio: Improve vq->broken access to avoid any compiler optimization
net: marvell: fix MVNETA_TX_IN_PRGRS bit number
e1000e: Fix the max snoop/no-snoop latency for 10M
USB: serial: option: add new VID/PID to support Fibocom FG150
Revert "USB: serial: ch341: fix character loss at high transfer rates"
can: usb: esd_usb2: esd_usb2_rx_event(): fix the interchange of the CAN RX and TX error counters
Linux 4.4.282
mmc: dw_mmc: Fix occasional hang after tuning on eMMC
ASoC: intel: atom: Fix breakage for PCM buffer address setup
ipack: tpci200: fix many double free issues in tpci200_pci_probe
ALSA: hda - fix the 'Capture Switch' value change notifications
mmc: dw_mmc: Fix hang on data CRC error
mmc: dw_mmc: call the dw_mci_prep_stop_abort() by default
mmc: dw_mmc: Wait for data transfer after response errors.
net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32
net: 6pack: fix slab-out-of-bounds in decode_data
dccp: add do-while-0 stubs for dccp_pr_debug macros
Bluetooth: hidp: use correct wait queue when removing ctrl_wait
scsi: core: Avoid printing an error if target_alloc() returns -ENXIO
scsi: megaraid_mm: Fix end of loop tests for list_for_each_entry()
dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller is not yet available
ARM: dts: am43x-epos-evm: Reduce i2c0 bus speed for tps65218
dmaengine: usb-dmac: Fix PM reference leak in usb_dmac_probe()
KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653)
vmlinux.lds.h: Handle clang's module.{c,d}tor sections
PCI/MSI: Enforce MSI[X] entry updates to be visible
PCI/MSI: Enforce that MSI-X table entry is masked for update
PCI/MSI: Mask all unused MSI-X entries
PCI/MSI: Protect msi_desc::masked for multi-MSI
PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown()
PCI/MSI: Correct misleading comments
PCI/MSI: Do not set invalid bits in MSI mask
PCI/MSI: Enable and mask MSI-X early
x86/tools: Fix objdump version check again
xen/events: Fix race in set_evtchn_to_irq
net: Fix memory leak in ieee802154_raw_deliver
i2c: dev: zero out array used for i2c reads from userspace
ASoC: intel: atom: Fix reference to PCM buffer address
ANDROID: xt_quota2: set usersize in xt_match registration object
ANDROID: xt_quota2: clear quota2_log message before sending
ANDROID: xt_quota2: remove trailing junk which might have a digit in it
UPSTREAM: netfilter: x_tables: fix pointer leaks to userspace
Linux 4.4.281
ovl: prevent private clone if bind mount is not allowed
net: xilinx_emaclite: Do not print real IOMEM pointer
USB:ehci:fix Kunpeng920 ehci hardware problem
pipe: increase minimum default pipe size to 2 pages
net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and ql_adapter_reset
alpha: Send stop IPI to send to online CPUs
reiserfs: check directory items on read from disk
reiserfs: add check for root_inode in reiserfs_fill_super
pcmcia: i82092: fix a null pointer dereference bug
MIPS: Malta: Do not byte-swap accesses to the CBUS UART
serial: 8250: Mask out floating 16/32-bit bus bits
media: rtl28xxu: fix zero-length control request
scripts/tracing: fix the bug that can't parse raw_trace_func
USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2
USB: serial: ch341: fix character loss at high transfer rates
USB: serial: option: add Telit FD980 composition 0x1056
Bluetooth: defer cleanup of resources in hci_unregister_dev()
net: vxge: fix use-after-free in vxge_device_unregister
net: pegasus: fix uninit-value in get_interrupt_interval
bnx2x: fix an error code in bnx2x_nic_load()
mips: Fix non-POSIX regexp
net: natsemi: Fix missing pci_disable_device() in probe and remove
media: videobuf2-core: dequeue if start_streaming fails
scsi: sr: Return correct event when media event code is 3
ALSA: seq: Fix racy deletion of subscriber
Linux 4.4.280
rcu: Update documentation of rcu_read_unlock()
futex,rt_mutex: Fix rt_mutex_cleanup_proxy_lock()
futex: Avoid freeing an active timer
futex: Handle transient "ownerless" rtmutex state correctly
rtmutex: Make wait_lock irq safe
futex: Futex_unlock_pi() determinism
futex: Rework futex_lock_pi() to use rt_mutex_*_proxy_lock()
futex: Pull rt_mutex_futex_unlock() out from under hb->lock
futex,rt_mutex: Introduce rt_mutex_init_waiter()
futex: Cleanup refcounting
futex: Rename free_pi_state() to put_pi_state()
Linux 4.4.279
can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF
Revert "Bluetooth: Shutdown controller after workqueues are flushed or cancelled"
net: Fix zero-copy head len calculation.
r8152: Fix potential PM refcount imbalance
regulator: rt5033: Fix n_voltages settings for BUCK and LDO
btrfs: mark compressed range uptodate only if all bio succeed
Conflicts:
net/bluetooth/hci_core.c
net/netfilter/xt_quota2.c
Change-Id: I66e2384c8cc40448a7bff34bb935c74e6103e924
|
|
Add slatecom_interface header file in gen_headers to make it
accessible from userspace modules who uses Android.bp files
for compilation.
Change-Id: Ie298ec28983c16999d941ee8667e2dd7b5c3db22
Signed-off-by: Kiran Gunda <kgunda@codeaurora.org>
|
|
Changes in 4.4.282
ASoC: intel: atom: Fix reference to PCM buffer address
i2c: dev: zero out array used for i2c reads from userspace
net: Fix memory leak in ieee802154_raw_deliver
xen/events: Fix race in set_evtchn_to_irq
x86/tools: Fix objdump version check again
PCI/MSI: Enable and mask MSI-X early
PCI/MSI: Do not set invalid bits in MSI mask
PCI/MSI: Correct misleading comments
PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown()
PCI/MSI: Protect msi_desc::masked for multi-MSI
PCI/MSI: Mask all unused MSI-X entries
PCI/MSI: Enforce that MSI-X table entry is masked for update
PCI/MSI: Enforce MSI[X] entry updates to be visible
vmlinux.lds.h: Handle clang's module.{c,d}tor sections
KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653)
dmaengine: usb-dmac: Fix PM reference leak in usb_dmac_probe()
ARM: dts: am43x-epos-evm: Reduce i2c0 bus speed for tps65218
dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller is not yet available
scsi: megaraid_mm: Fix end of loop tests for list_for_each_entry()
scsi: core: Avoid printing an error if target_alloc() returns -ENXIO
Bluetooth: hidp: use correct wait queue when removing ctrl_wait
dccp: add do-while-0 stubs for dccp_pr_debug macros
net: 6pack: fix slab-out-of-bounds in decode_data
net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32
mmc: dw_mmc: Wait for data transfer after response errors.
mmc: dw_mmc: call the dw_mci_prep_stop_abort() by default
mmc: dw_mmc: Fix hang on data CRC error
ALSA: hda - fix the 'Capture Switch' value change notifications
ipack: tpci200: fix many double free issues in tpci200_pci_probe
ASoC: intel: atom: Fix breakage for PCM buffer address setup
mmc: dw_mmc: Fix occasional hang after tuning on eMMC
Linux 4.4.282
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ifed03ee647494ce96ad9673a133a9b77649b5c12
|
|
commit 848378812e40152abe9b9baf58ce2004f76fb988 upstream.
A recent change in LLVM causes module_{c,d}tor sections to appear when
CONFIG_K{A,C}SAN are enabled, which results in orphan section warnings
because these are not handled anywhere:
ld.lld: warning: arch/x86/pci/built-in.a(legacy.o):(.text.asan.module_ctor) is being placed in '.text.asan.module_ctor'
ld.lld: warning: arch/x86/pci/built-in.a(legacy.o):(.text.asan.module_dtor) is being placed in '.text.asan.module_dtor'
ld.lld: warning: arch/x86/pci/built-in.a(legacy.o):(.text.tsan.module_ctor) is being placed in '.text.tsan.module_ctor'
Fangrui explains: "the function asan.module_ctor has the SHF_GNU_RETAIN
flag, so it is in a separate section even with -fno-function-sections
(default)".
Place them in the TEXT_TEXT section so that these technologies continue
to work with the newer compiler versions. All of the KASAN and KCSAN
KUnit tests continue to pass after this change.
Cc: stable@vger.kernel.org
Link: https://github.com/ClangBuiltLinux/linux/issues/1432
Link: https://github.com/llvm/llvm-project/commit/7b789562244ee941b7bf2cefeb3fc08a59a01865
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Reviewed-by: Fangrui Song <maskray@google.com>
Acked-by: Marco Elver <elver@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20210731023107.1932981-1-nathan@kernel.org
[nc: Fix conflicts due to lack of cf68fffb66d60 and 266ff2a8f51f0]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit 77e89afc25f30abd56e76a809ee2884d7c1b63ce upstream.
Multi-MSI uses a single MSI descriptor and there is a single mask register
when the device supports per vector masking. To avoid reading back the mask
register the value is cached in the MSI descriptor and updates are done by
clearing and setting bits in the cache and writing it to the device.
But nothing protects msi_desc::masked and the mask register from being
modified concurrently on two different CPUs for two different Linux
interrupts which belong to the same multi-MSI descriptor.
Add a lock to struct device and protect any operation on the mask and the
mask register with it.
This makes the update of msi_desc::masked unconditional, but there is no
place which requires a modification of the hardware register without
updating the masked cache.
msi_mask_irq() is now an empty wrapper which will be cleaned up in follow
up changes.
The problem goes way back to the initial support of multi-MSI, but picking
the commit which introduced the mask cache is a valid cut off point
(2.6.30).
Fixes: f2440d9acbe8 ("PCI MSI: Refactor interrupt masking code")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20210729222542.726833414@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Change-Id: Ic52e29a4ad6c1203f02535f501473641aa78c809
|
|
Allow some seq_puts removals by taking a string instead of a single
char.
[akpm@linux-foundation.org: update vmstat_show(), per Joe]
Link: http://lkml.kernel.org/r/667e1cf3d436de91a5698170a1e98d882905e956.1470704995.git.joe@perches.com
Signed-off-by: Joe Perches <joe@perches.com>
Cc: Joe Perches <joe@perches.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change-Id: Iff69c72cb3ed6a73fe0348f65f22bfe3d1ee00c7
|
|
Changes in 4.4.281
ALSA: seq: Fix racy deletion of subscriber
scsi: sr: Return correct event when media event code is 3
media: videobuf2-core: dequeue if start_streaming fails
net: natsemi: Fix missing pci_disable_device() in probe and remove
mips: Fix non-POSIX regexp
bnx2x: fix an error code in bnx2x_nic_load()
net: pegasus: fix uninit-value in get_interrupt_interval
net: vxge: fix use-after-free in vxge_device_unregister
Bluetooth: defer cleanup of resources in hci_unregister_dev()
USB: serial: option: add Telit FD980 composition 0x1056
USB: serial: ch341: fix character loss at high transfer rates
USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2
scripts/tracing: fix the bug that can't parse raw_trace_func
media: rtl28xxu: fix zero-length control request
serial: 8250: Mask out floating 16/32-bit bus bits
MIPS: Malta: Do not byte-swap accesses to the CBUS UART
pcmcia: i82092: fix a null pointer dereference bug
reiserfs: add check for root_inode in reiserfs_fill_super
reiserfs: check directory items on read from disk
alpha: Send stop IPI to send to online CPUs
net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and ql_adapter_reset
pipe: increase minimum default pipe size to 2 pages
USB:ehci:fix Kunpeng920 ehci hardware problem
net: xilinx_emaclite: Do not print real IOMEM pointer
ovl: prevent private clone if bind mount is not allowed
Linux 4.4.281
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I23014eec5c0648b030387cc4469a1cdfaa2c14a1
|
|
[ Upstream commit e04480920d1eec9c061841399aa6f35b6f987d8b ]
syzbot is hitting might_sleep() warning at hci_sock_dev_event() due to
calling lock_sock() with rw spinlock held [1].
It seems that history of this locking problem is a trial and error.
Commit b40df5743ee8 ("[PATCH] bluetooth: fix socket locking in
hci_sock_dev_event()") in 2.6.21-rc4 changed bh_lock_sock() to
lock_sock() as an attempt to fix lockdep warning.
Then, commit 4ce61d1c7a8e ("[BLUETOOTH]: Fix locking in
hci_sock_dev_event().") in 2.6.22-rc2 changed lock_sock() to
local_bh_disable() + bh_lock_sock_nested() as an attempt to fix the
sleep in atomic context warning.
Then, commit 4b5dd696f81b ("Bluetooth: Remove local_bh_disable() from
hci_sock.c") in 3.3-rc1 removed local_bh_disable().
Then, commit e305509e678b ("Bluetooth: use correct lock to prevent UAF
of hdev object") in 5.13-rc5 again changed bh_lock_sock_nested() to
lock_sock() as an attempt to fix CVE-2021-3573.
This difficulty comes from current implementation that
hci_sock_dev_event(HCI_DEV_UNREG) is responsible for dropping all
references from sockets because hci_unregister_dev() immediately
reclaims resources as soon as returning from
hci_sock_dev_event(HCI_DEV_UNREG).
But the history suggests that hci_sock_dev_event(HCI_DEV_UNREG) was not
doing what it should do.
Therefore, instead of trying to detach sockets from device, let's accept
not detaching sockets from device at hci_sock_dev_event(HCI_DEV_UNREG),
by moving actual cleanup of resources from hci_unregister_dev() to
hci_cleanup_dev() which is called by bt_host_release() when all
references to this unregistered device (which is a kobject) are gone.
Since hci_sock_dev_event(HCI_DEV_UNREG) no longer resets
hci_pi(sk)->hdev, we need to check whether this device was unregistered
and return an error based on HCI_UNREGISTER flag. There might be subtle
behavioral difference in "monitor the hdev" functionality; please report
if you found something went wrong due to this patch.
Link: https://syzkaller.appspot.com/bug?extid=a5df189917e79d5e59c9 [1]
Reported-by: syzbot <syzbot+a5df189917e79d5e59c9@syzkaller.appspotmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Fixes: e305509e678b ("Bluetooth: use correct lock to prevent UAF of hdev object")
Acked-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
Change-Id: I838feeb8dc3d47071e2b49a1e489154ace948fb4
|
|
https://android.googlesource.com/kernel/common into lineage-18.1-caf-msm8998
# By Pavel Skripkin (6) and others
# Via Greg Kroah-Hartman
* android-4.4-p:
Linux 4.4.278
sis900: Fix missing pci_disable_device() in probe and remove
tulip: windbond-840: Fix missing pci_disable_device() in probe and remove
net: llc: fix skb_over_panic
mlx4: Fix missing error code in mlx4_load_one()
tipc: fix sleeping in tipc accept routine
netfilter: nft_nat: allow to specify layer 4 protocol NAT only
cfg80211: Fix possible memory leak in function cfg80211_bss_update
x86/asm: Ensure asm/proto.h can be included stand-alone
NIU: fix incorrect error return, missed in previous revert
can: esd_usb2: fix memory leak
can: ems_usb: fix memory leak
can: usb_8dev: fix memory leak
ocfs2: issue zeroout to EOF blocks
ocfs2: fix zero out valid data
ARM: ensure the signal page contains defined contents
lib/string.c: add multibyte memset functions
ARM: dts: versatile: Fix up interrupt controller node names
hfs: add lock nesting notation to hfs_find_init
hfs: fix high memory mapping in hfs_bnode_read
hfs: add missing clean-up in hfs_fill_super
sctp: move 198 addresses from unusable to private scope
net/802/garp: fix memleak in garp_request_join()
net/802/mrp: fix memleak in mrp_request_join()
workqueue: fix UAF in pwq_unbound_release_workfn()
af_unix: fix garbage collect vs MSG_PEEK
net: split out functions related to registering inflight socket files
Linux 4.4.277
btrfs: compression: don't try to compress if we don't have enough pages
iio: accel: bma180: Fix BMA25x bandwidth register values
iio: accel: bma180: Use explicit member assignment
net: bcmgenet: ensure EXT_ENERGY_DET_MASK is clear
media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()
tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop.
USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick
USB: serial: cp210x: fix comments for GE CS1000
USB: serial: option: add support for u-blox LARA-R6 family
usb: renesas_usbhs: Fix superfluous irqs happen after usb_pkt_pop()
usb: max-3421: Prevent corruption of freed memory
USB: usb-storage: Add LaCie Rugged USB3-FW to IGNORE_UAS
usb: hub: Disable USB 3 device initiated lpm if exit latency is too high
KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow
xhci: Fix lost USB 2 remote wake
ALSA: sb: Fix potential ABBA deadlock in CSP driver
s390/ftrace: fix ftrace_update_ftrace_func implementation
proc: Avoid mixing integer types in mem_rw()
Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem"
scsi: target: Fix protect handling in WRITE SAME(32)
scsi: iscsi: Fix iface sysfs attr detection
netrom: Decrease sock refcount when sock timers expire
net: decnet: Fix sleeping inside in af_decnet
net: fix uninit-value in caif_seqpkt_sendmsg
s390/bpf: Perform r1 range checking before accessing jit->seen_reg[r1]
perf probe-file: Delete namelist in del_events() on the error path
perf test bpf: Free obj_buf
igb: Check if num of q_vectors is smaller than max before array access
iavf: Fix an error handling path in 'iavf_probe()'
ipv6: tcp: drop silly ICMPv6 packet too big messages
tcp: annotate data races around tp->mtu_info
net: validate lwtstate->data before returning from skb_tunnel_info()
net: ti: fix UAF in tlan_remove_one
net: moxa: fix UAF in moxart_mac_probe
net: bcmgenet: Ensure all TX/RX queues DMAs are disabled
net: ipv6: fix return value of ip6_skb_dst_mtu
x86/fpu: Make init_fpstate correct with optimized XSAVE
Revert "memory: fsl_ifc: fix leak of IO mapping on probe failure"
sched/fair: Fix CFS bandwidth hrtimer expiry type
scsi: aic7xxx: Fix unintentional sign extension issue on left shift of u8
kbuild: mkcompile_h: consider timestamp if KBUILD_BUILD_TIMESTAMP is set
thermal/core: Correct function name thermal_zone_device_unregister()
ARM: imx: pm-imx5: Fix references to imx5_cpu_suspend_info
ARM: dts: imx6: phyFLEX: Fix UART hardware flow control
ARM: dts: BCM63xx: Fix NAND nodes names
ARM: brcmstb: dts: fix NAND nodes names
Change-Id: Id59b93b8704270f45923f262facbadde4c486a15
|
|
https://source.codeaurora.org/quic/la/kernel/msm-4.4 into lineage-18.1-caf-msm8998
"LA.UM.9.2.r1-03500-SDMxx0.0"
# By Shyam Kumar Thella (1) and others
# Via Gerrit - the friendly Code Review server (1) and others
* tag 'LA.UM.9.2.r1-03500-SDMxx0.0' of https://source.codeaurora.org/quic/la/kernel/msm-4.4:
include: uapi: Add QBG UAPI headers
HID: make arrays usage and value to be the same
netfilter: nf_conntrack_h323: lost .data_len definition for Q.931/ipv6
Change-Id: I374078569c6c1f0b0f53ce63bd466a22574f7c90
|
|
Changes in 4.4.280
futex: Rename free_pi_state() to put_pi_state()
futex: Cleanup refcounting
futex,rt_mutex: Introduce rt_mutex_init_waiter()
futex: Pull rt_mutex_futex_unlock() out from under hb->lock
futex: Rework futex_lock_pi() to use rt_mutex_*_proxy_lock()
futex: Futex_unlock_pi() determinism
rtmutex: Make wait_lock irq safe
futex: Handle transient "ownerless" rtmutex state correctly
futex: Avoid freeing an active timer
futex,rt_mutex: Fix rt_mutex_cleanup_proxy_lock()
rcu: Update documentation of rcu_read_unlock()
Linux 4.4.280
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ib8bf7ba366087b2442c4de8a078f0a252b076c51
|
|
[ Upstream commit ec84b27f9b3b569f9235413d1945a2006b97b0aa ]
Since commit b4abf91047cf ("rtmutex: Make wait_lock irq safe") the
explanation in rcu_read_unlock() documentation about irq unsafe rtmutex
wait_lock is no longer valid.
Remove it to prevent kernel developers reading the documentation to rely on
it.
Suggested-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: bigeasy@linutronix.de
Link: https://lkml.kernel.org/r/20180525090507.22248-2-anna-maria@linutronix.de
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Acked-by: Joe Korty <joe.korty@concurrent-rt.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Changes in 4.4.279
btrfs: mark compressed range uptodate only if all bio succeed
regulator: rt5033: Fix n_voltages settings for BUCK and LDO
r8152: Fix potential PM refcount imbalance
net: Fix zero-copy head len calculation.
Revert "Bluetooth: Shutdown controller after workqueues are flushed or cancelled"
can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF
Linux 4.4.279
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ie3e6cadbc9c8291c2be61e0a3427225458891c18
|
|
[ Upstream commit 6549c46af8551b346bcc0b9043f93848319acd5c ]
For linear regulators, the n_voltages should be (max - min) / step + 1.
Buck voltage from 1v to 3V, per step 100mV, and vout mask is 0x1f.
If value is from 20 to 31, the voltage will all be fixed to 3V.
And LDO also, just vout range is different from 1.2v to 3v, step is the
same. If value is from 18 to 31, the voltage will also be fixed to 3v.
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Reviewed-by: ChiYuan Huang <cy_huang@richtek.com>
Link: https://lore.kernel.org/r/20210627080418.1718127-1-axel.lin@ingics.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
Changes in 4.4.278
net: split out functions related to registering inflight socket files
af_unix: fix garbage collect vs MSG_PEEK
workqueue: fix UAF in pwq_unbound_release_workfn()
net/802/mrp: fix memleak in mrp_request_join()
net/802/garp: fix memleak in garp_request_join()
sctp: move 198 addresses from unusable to private scope
hfs: add missing clean-up in hfs_fill_super
hfs: fix high memory mapping in hfs_bnode_read
hfs: add lock nesting notation to hfs_find_init
ARM: dts: versatile: Fix up interrupt controller node names
lib/string.c: add multibyte memset functions
ARM: ensure the signal page contains defined contents
ocfs2: fix zero out valid data
ocfs2: issue zeroout to EOF blocks
can: usb_8dev: fix memory leak
can: ems_usb: fix memory leak
can: esd_usb2: fix memory leak
NIU: fix incorrect error return, missed in previous revert
x86/asm: Ensure asm/proto.h can be included stand-alone
cfg80211: Fix possible memory leak in function cfg80211_bss_update
netfilter: nft_nat: allow to specify layer 4 protocol NAT only
tipc: fix sleeping in tipc accept routine
mlx4: Fix missing error code in mlx4_load_one()
net: llc: fix skb_over_panic
tulip: windbond-840: Fix missing pci_disable_device() in probe and remove
sis900: Fix missing pci_disable_device() in probe and remove
Linux 4.4.278
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I51e4e7e9cc9db03de57626e25e3785c400ced81f
|
|
[ Upstream commit c7c9d2102c9c098916ab9e0ab248006107d00d6c ]
Syzbot reported skb_over_panic() in llc_pdu_init_as_xid_cmd(). The
problem was in wrong LCC header manipulations.
Syzbot's reproducer tries to send XID packet. llc_ui_sendmsg() is
doing following steps:
1. skb allocation with size = len + header size
len is passed from userpace and header size
is 3 since addr->sllc_xid is set.
2. skb_reserve() for header_len = 3
3. filling all other space with memcpy_from_msg()
Ok, at this moment we have fully loaded skb, only headers needs to be
filled.
Then code comes to llc_sap_action_send_xid_c(). This function pushes 3
bytes for LLC PDU header and initializes it. Then comes
llc_pdu_init_as_xid_cmd(). It initalizes next 3 bytes *AFTER* LLC PDU
header and call skb_push(skb, 3). This looks wrong for 2 reasons:
1. Bytes rigth after LLC header are user data, so this function
was overwriting payload.
2. skb_push(skb, 3) call can cause skb_over_panic() since
all free space was filled in llc_ui_sendmsg(). (This can
happen is user passed 686 len: 686 + 14 (eth header) + 3 (LLC
header) = 703. SKB_DATA_ALIGN(703) = 704)
So, in this patch I added 2 new private constansts: LLC_PDU_TYPE_U_XID
and LLC_PDU_LEN_U_XID. LLC_PDU_LEN_U_XID is used to correctly reserve
header size to handle LLC + XID case. LLC_PDU_TYPE_U_XID is used by
llc_pdu_header_init() function to push 6 bytes instead of 3. And finally
I removed skb_push() call from llc_pdu_init_as_xid_cmd().
This changes should not affect other parts of LLC, since after
all steps we just transmit buffer.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-and-tested-by: syzbot+5e5a981ad7cc54c4b2b4@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
commit 3b3c4babd898715926d24ae10aa64778ace33aae upstream.
Patch series "Multibyte memset variations", v4.
A relatively common idiom we're missing is a function to fill an area of
memory with a pattern which is larger than a single byte. I first
noticed this with a zram patch which wanted to fill a page with an
'unsigned long' value. There turn out to be quite a few places in the
kernel which can benefit from using an optimised function rather than a
loop; sometimes text size, sometimes speed, and sometimes both. The
optimised PowerPC version (not included here) improves performance by
about 30% on POWER8 on just the raw memset_l().
Most of the extra lines of code come from the three testcases I added.
This patch (of 8):
memset16(), memset32() and memset64() are like memset(), but allow the
caller to fill the destination with a value larger than a single byte.
memset_l() and memset_p() allow the caller to use unsigned long and
pointer values respectively.
Link: http://lkml.kernel.org/r/20170720184539.31609-2-willy@infradead.org
Signed-off-by: Matthew Wilcox <mawilcox@microsoft.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
Cc: David Miller <davem@davemloft.net>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Matt Turner <mattst88@gmail.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Russell King <rmk+kernel@armlinux.org.uk>
Cc: Sam Ravnborg <sam@ravnborg.org>
Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
[ Upstream commit 1d11fa231cabeae09a95cb3e4cf1d9dd34e00f08 ]
The doc draft-stewart-tsvwg-sctp-ipv4-00 that restricts 198 addresses
was never published. These addresses as private addresses should be
allowed to use in SCTP.
As Michael Tuexen suggested, this patch is to move 198 addresses from
unusable to private scope.
Reported-by: Sérgio <surkamp@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
commit f4e65870e5cede5ca1ec0006b6c9803994e5f7b8 upstream.
We need this functionality for the io_uring file registration, but
we cannot rely on it since CONFIG_UNIX can be modular. Move the helpers
to a separate file, that's always builtin to the kernel if CONFIG_UNIX is
m/y.
No functional changes in this patch, just moving code around.
Reviewed-by: Hannes Reinecke <hare@suse.com>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[ backported to older kernels to get access to unix_gc_lock - gregkh ]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Changes in 4.4.277
ARM: brcmstb: dts: fix NAND nodes names
ARM: dts: BCM63xx: Fix NAND nodes names
ARM: dts: imx6: phyFLEX: Fix UART hardware flow control
ARM: imx: pm-imx5: Fix references to imx5_cpu_suspend_info
thermal/core: Correct function name thermal_zone_device_unregister()
kbuild: mkcompile_h: consider timestamp if KBUILD_BUILD_TIMESTAMP is set
scsi: aic7xxx: Fix unintentional sign extension issue on left shift of u8
sched/fair: Fix CFS bandwidth hrtimer expiry type
Revert "memory: fsl_ifc: fix leak of IO mapping on probe failure"
x86/fpu: Make init_fpstate correct with optimized XSAVE
net: ipv6: fix return value of ip6_skb_dst_mtu
net: bcmgenet: Ensure all TX/RX queues DMAs are disabled
net: moxa: fix UAF in moxart_mac_probe
net: ti: fix UAF in tlan_remove_one
net: validate lwtstate->data before returning from skb_tunnel_info()
tcp: annotate data races around tp->mtu_info
ipv6: tcp: drop silly ICMPv6 packet too big messages
iavf: Fix an error handling path in 'iavf_probe()'
igb: Check if num of q_vectors is smaller than max before array access
perf test bpf: Free obj_buf
perf probe-file: Delete namelist in del_events() on the error path
s390/bpf: Perform r1 range checking before accessing jit->seen_reg[r1]
net: fix uninit-value in caif_seqpkt_sendmsg
net: decnet: Fix sleeping inside in af_decnet
netrom: Decrease sock refcount when sock timers expire
scsi: iscsi: Fix iface sysfs attr detection
scsi: target: Fix protect handling in WRITE SAME(32)
Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem"
proc: Avoid mixing integer types in mem_rw()
s390/ftrace: fix ftrace_update_ftrace_func implementation
ALSA: sb: Fix potential ABBA deadlock in CSP driver
xhci: Fix lost USB 2 remote wake
KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow
usb: hub: Disable USB 3 device initiated lpm if exit latency is too high
USB: usb-storage: Add LaCie Rugged USB3-FW to IGNORE_UAS
usb: max-3421: Prevent corruption of freed memory
usb: renesas_usbhs: Fix superfluous irqs happen after usb_pkt_pop()
USB: serial: option: add support for u-blox LARA-R6 family
USB: serial: cp210x: fix comments for GE CS1000
USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick
tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop.
media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()
net: bcmgenet: ensure EXT_ENERGY_DET_MASK is clear
iio: accel: bma180: Use explicit member assignment
iio: accel: bma180: Fix BMA25x bandwidth register values
btrfs: compression: don't try to compress if we don't have enough pages
Linux 4.4.277
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I7159a9fb5545e504222fcee566c6661c1070c8f7
|
|
commit 67a9c94317402b826fc3db32afc8f39336803d97 upstream.
skb_tunnel_info() returns pointer of lwtstate->data as ip_tunnel_info
type without validation. lwtstate->data can have various types such as
mpls_iptunnel_encap, etc and these are not compatible.
So skb_tunnel_info() should validate before returning that pointer.
Splat looks like:
BUG: KASAN: slab-out-of-bounds in vxlan_get_route+0x418/0x4b0 [vxlan]
Read of size 2 at addr ffff888106ec2698 by task ping/811
CPU: 1 PID: 811 Comm: ping Not tainted 5.13.0+ #1195
Call Trace:
dump_stack_lvl+0x56/0x7b
print_address_description.constprop.8.cold.13+0x13/0x2ee
? vxlan_get_route+0x418/0x4b0 [vxlan]
? vxlan_get_route+0x418/0x4b0 [vxlan]
kasan_report.cold.14+0x83/0xdf
? vxlan_get_route+0x418/0x4b0 [vxlan]
vxlan_get_route+0x418/0x4b0 [vxlan]
[ ... ]
vxlan_xmit_one+0x148b/0x32b0 [vxlan]
[ ... ]
vxlan_xmit+0x25c5/0x4780 [vxlan]
[ ... ]
dev_hard_start_xmit+0x1ae/0x6e0
__dev_queue_xmit+0x1f39/0x31a0
[ ... ]
neigh_xmit+0x2f9/0x940
mpls_xmit+0x911/0x1600 [mpls_iptunnel]
lwtunnel_xmit+0x18f/0x450
ip_finish_output2+0x867/0x2040
[ ... ]
Fixes: 61adedf3e3f1 ("route: move lwtunnel state to dst_entry")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit 40fc3054b45820c28ea3c65e2c86d041dc244a8a upstream.
Commit 628a5c561890 ("[INET]: Add IP(V6)_PMTUDISC_RPOBE") introduced
ip6_skb_dst_mtu with return value of signed int which is inconsistent
with actually returned values. Also 2 users of this function actually
assign its value to unsigned int variable and only __xfrm6_output
assigns result of this function to signed variable but actually uses
as unsigned in further comparisons and calls. Change this function
to return unsigned int value.
Fixes: 628a5c561890 ("[INET]: Add IP(V6)_PMTUDISC_RPOBE")
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: Vadim Fedorenko <vfedorenko@novek.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Change-Id: I2dea08b7be4049f0a4165801d223fff2a732e067
|
|
https://android.googlesource.com/kernel/common into lineage-18.1-caf-msm8998
This brings LA.UM.9.2.r1-03400-SDMxx0.0 up to date with
https://android.googlesource.com/kernel/common/ android-4.4-p at commit:
e5239ed489f64 Merge 4.4.276 into android-4.4-p
Change-Id: I5f3fdc31e61b229b299cf72014710d36e42863d8
|
|
Changes in 4.4.276
ALSA: usb-audio: fix rate on Ozone Z90 USB headset
media: dvb-usb: fix wrong definition
Input: usbtouchscreen - fix control-request directions
net: can: ems_usb: fix use-after-free in ems_usb_disconnect()
usb: gadget: eem: fix echo command packet response issue
USB: cdc-acm: blacklist Heimann USB Appset device
ntfs: fix validity check for file name attribute
iov_iter_fault_in_readable() should do nothing in xarray case
Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl
ARM: dts: at91: sama5d4: fix pinctrl muxing
btrfs: clear defrag status of a root if starting transaction fails
ext4: fix kernel infoleak via ext4_extent_header
ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit
ext4: remove check for zero nr_to_scan in ext4_es_scan()
ext4: fix avefreec in find_group_orlov
SUNRPC: Fix the batch tasks count wraparound.
SUNRPC: Should wake up the privileged task firstly.
s390/cio: dont call css_wait_for_slow_path() inside a lock
iio: ltr501: mark register holding upper 8 bits of ALS_DATA{0,1} and PS_DATA as volatile, too
iio: ltr501: ltr559: fix initialization of LTR501_ALS_CONTR
iio: ltr501: ltr501_read_ps(): add missing endianness conversion
serial_cs: Add Option International GSM-Ready 56K/ISDN modem
ath9k: Fix kernel NULL pointer dereference during ath_reset_internal()
ssb: sdio: Don't overwrite const buffer if block_write fails
seq_buf: Make trace_seq_putmem_hex() support data longer than 8
fuse: check connected before queueing on fpq->io
spi: spi-topcliff-pch: Fix potential double free in pch_spi_process_messages()
spi: omap-100k: Fix the length judgment problem
crypto: nx - add missing MODULE_DEVICE_TABLE
media: cpia2: fix memory leak in cpia2_usb_probe
media: pvrusb2: fix warning in pvr2_i2c_core_done
crypto: qat - check return code of qat_hal_rd_rel_reg()
crypto: qat - remove unused macro in FW loader
media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release
media: bt8xx: Fix a missing check bug in bt878_probe
mmc: via-sdmmc: add a check against NULL pointer dereference
crypto: shash - avoid comparing pointers to exported functions under CFI
media: dvb_net: avoid speculation from net slot
btrfs: disable build on platforms having page size 256K
regulator: da9052: Ensure enough delay time for .set_voltage_time_sel
ACPI: processor idle: Fix up C-state latency if not ordered
block_dump: remove block_dump feature in mark_inode_dirty()
fs: dlm: cancel work sync othercon
random32: Fix implicit truncation warning in prandom_seed_state()
ACPI: bus: Call kobject_put() in acpi_init() error path
platform/x86: toshiba_acpi: Fix missing error code in toshiba_acpi_setup_keyboard()
ia64: mca_drv: fix incorrect array size calculation
crypto: ixp4xx - dma_unmap the correct address
crypto: ux500 - Fix error return code in hash_hw_final()
sata_highbank: fix deferred probing
pata_rb532_cf: fix deferred probing
media: I2C: change 'RST' to "RSET" to fix multiple build errors
pata_octeon_cf: avoid WARN_ON() in ata_host_activate()
pata_ep93xx: fix deferred probing
media: tc358743: Fix error return code in tc358743_probe_of()
media: siano: Fix out-of-bounds warnings in smscore_load_firmware_family2()
mmc: usdhi6rol0: fix error return code in usdhi6_probe()
media: s5p-g2d: Fix a memory leak on ctx->fh.m2m_ctx
spi: spi-sun6i: Fix chipselect/clock bug
crypto: nx - Fix RCU warning in nx842_OF_upd_status
ACPI: sysfs: Fix a buffer overrun problem with description_show()
net: pch_gbe: Propagate error from devm_gpio_request_one()
ehea: fix error return code in ehea_restart_qps()
drm: qxl: ensure surf.data is ininitialized
wireless: carl9170: fix LEDS build errors & warnings
brcmsmac: mac80211_if: Fix a resource leak in an error handling path
ath10k: Fix an error code in ath10k_add_interface()
netlabel: Fix memory leak in netlbl_mgmt_add_common
netfilter: nft_exthdr: check for IPv6 packet before further processing
net: ethernet: aeroflex: fix UAF in greth_of_remove
net: ethernet: ezchip: fix UAF in nps_enet_remove
net: ethernet: ezchip: fix error handling
vxlan: add missing rcu_read_lock() in neigh_reduce()
i40e: Fix error handling in i40e_vsi_open
writeback: fix obtain a reference to a freeing memcg css
tty: nozomi: Fix a resource leak in an error handling function
iio: adis_buffer: do not return ints in irq handlers
iio: accel: bma180: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: accel: stk8312: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: accel: stk8ba50: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
Input: hil_kbd - fix error return code in hil_dev_connect()
char: pcmcia: error out if 'num_bytes_read' is greater than 4 in set_protocol()
tty: nozomi: Fix the error handling path of 'nozomi_card_init()'
scsi: FlashPoint: Rename si_flags field
s390: appldata depends on PROC_SYSCTL
staging: gdm724x: check for buffer overflow in gdm_lte_multi_sdu_pkt()
staging: gdm724x: check for overflow in gdm_lte_netif_rx()
scsi: mpt3sas: Fix error return value in _scsih_expander_add()
phy: ti: dm816x: Fix the error handling path in 'dm816x_usb_phy_probe()
extcon: sm5502: Drop invalid register write in sm5502_reg_data
extcon: max8997: Add missing modalias string
mmc: vub3000: fix control-request direction
scsi: core: Retry I/O for Notify (Enable Spinup) Required error
net: pch_gbe: Use proper accessors to BE data in pch_ptp_match()
hugetlb: clear huge pte during flush function on mips platform
atm: iphase: fix possible use-after-free in ia_module_exit()
mISDN: fix possible use-after-free in HFC_cleanup()
atm: nicstar: Fix possible use-after-free in nicstar_cleanup()
net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT
reiserfs: add check for invalid 1st journal block
drm/virtio: Fix double free on probe failure
udf: Fix NULL pointer dereference in udf_symlink function
e100: handle eeprom as little endian
ipv6: use prandom_u32() for ID generation
RDMA/cxgb4: Fix missing error code in create_qp()
dm space maps: don't reset space map allocation cursor when committing
net: micrel: check return value after calling platform_get_resource()
selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC
xfrm: Fix error reporting in xfrm_state_construct.
wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP
wl1251: Fix possible buffer overflow in wl1251_cmd_scan
cw1200: add missing MODULE_DEVICE_TABLE
atm: nicstar: use 'dma_free_coherent' instead of 'kfree'
atm: nicstar: register the interrupt handler in the right place
sfc: avoid double pci_remove of VFs
sfc: error code if SRIOV cannot be disabled
wireless: wext-spy: Fix out-of-bounds warning
RDMA/cma: Fix rdma_resolve_route() memory leak
Bluetooth: Fix the HCI to MGMT status conversion table
Bluetooth: Shutdown controller after workqueues are flushed or cancelled
Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca btsoc.
sctp: add size validation when walking chunks
fuse: reject internal errno
can: gw: synchronize rcu operations before removing gw job entry
can: bcm: delay release of struct bcm_op after synchronize_rcu()
mac80211: fix memory corruption in EAPOL handling
powerpc/barrier: Avoid collision with clang's __lwsync macro
mmc: sdhci: Fix warning message when accessing RPMB in HS400 mode
ata: ahci_sunxi: Disable DIPM
ASoC: tegra: Set driver_name=tegra for all machine drivers
ipmi/watchdog: Stop watchdog timer when the current action is 'none'
power: supply: ab8500: Fix an old bug
seq_buf: Fix overflow in seq_buf_putmem_hex()
ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe
dm btree remove: assign new_root only when removal succeeds
media: zr364xx: fix memory leak in zr364xx_start_readpipe
media: gspca/sq905: fix control-request direction
media: gspca/sunplus: fix zero-length control requests
media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K
jfs: fix GPF in diFree
KVM: x86: Use guest MAXPHYADDR from CPUID.0x8000_0008 iff TDP is enabled
KVM: X86: Disable hardware breakpoints unconditionally before kvm_x86->run()
tty: serial: fsl_lpuart: fix the potential risk of division or modulo by zero
misc/libmasm/module: Fix two use after free in ibmasm_init_one
Revert "ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro"
scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology
tty: serial: 8250: serial_cs: Fix a memory leak in error handling path
fs/jfs: Fix missing error code in lmLogInit()
scsi: iscsi: Add iscsi_cls_conn refcount helpers
mfd: da9052/stmpe: Add and modify MODULE_DEVICE_TABLE
ALSA: sb: Fix potential double-free of CSP mixer elements
powerpc/ps3: Add dma_mask to ps3_dma_region
gpio: zynq: Check return value of pm_runtime_get_sync
ALSA: ppc: fix error return code in snd_pmac_probe()
selftests/powerpc: Fix "no_handler" EBB selftest
ASoC: soc-core: Fix the error return code in snd_soc_of_parse_audio_routing()
ALSA: bebob: add support for ToneWeal FW66
usb: gadget: f_hid: fix endianness issue with descriptors
usb: gadget: hid: fix error return code in hid_bind()
powerpc/boot: Fixup device-tree on little endian
backlight: lm3630a: Fix return code of .update_status() callback
ALSA: hda: Add IRQ check for platform_get_irq()
lib/decompress_unlz4.c: correctly handle zero-padding around initrds.
pwm: spear: Don't modify HW state in .remove callback
power: supply: ab8500: Avoid NULL pointers
power: reset: gpio-poweroff: add missing MODULE_DEVICE_TABLE
ARM: 9087/1: kprobes: test-thumb: fix for LLVM_IAS=1
watchdog: Fix possible use-after-free in wdt_startup()
watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff()
watchdog: Fix possible use-after-free by calling del_timer_sync()
ceph: remove bogus checks and WARN_ONs from ceph_set_page_dirty
power: supply: charger-manager: add missing MODULE_DEVICE_TABLE
power: supply: ab8500: add missing MODULE_DEVICE_TABLE
virtio-blk: Fix memory leak among suspend/resume procedure
virtio_console: Assure used length from device is limited
PCI/sysfs: Fix dsm_label_utf16s_to_utf8s() buffer overrun
um: fix error return code in slip_open()
um: fix error return code in winch_tramp()
nfs: fix acl memory leak of posix_acl_create()
ALSA: isa: Fix error return code in snd_cmi8330_probe()
hexagon: use common DISCARDS macro
ARM: dts: exynos: fix PWM LED max brightness on Odroid XU4
rtc: fix snprintf() checking in is_rtc_hctosys()
memory: fsl_ifc: fix leak of IO mapping on probe failure
memory: fsl_ifc: fix leak of private memory on probe failure
scsi: be2iscsi: Fix an error handling path in beiscsi_dev_probe()
mips: disable branch profiling in boot/decompress.o
MIPS: vdso: Invalid GIC access through VDSO
seq_file: disallow extremely large seq buffer allocations
Linux 4.4.276
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: If7756927f46fbb8a74337ee1eae8031c0d3579e2
|
|
[ Upstream commit b1d19e8c92cfb0ded180ef3376c20e130414e067 ]
There are a couple places where we could free the iscsi_cls_conn while it's
still in use. This adds some helpers to get/put a refcount on the struct
and converts an exiting user. Subsequent commits will then use the helpers
to fix 2 bugs in the eh code.
Link: https://lore.kernel.org/r/20210525181821.7617-11-michael.christie@oracle.com
Reviewed-by: Lee Duncan <lduncan@suse.com>
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
commit f1c74a6c07e76fcb31a4bcc1f437c4361a2674ce upstream.
Trying to get the AB8500 charging driver working I ran into a bit
of bitrot: we haven't used the driver for a while so errors in
refactorings won't be noticed.
This one is pretty self evident: use argument to the macro or we
end up with a random pointer to something else.
Cc: stable@vger.kernel.org
Cc: Krzysztof Kozlowski <krzk@kernel.org>
Cc: Marcus Cooper <codekipper@gmail.com>
Fixes: 297d716f6260 ("power_supply: Change ownership from driver to core")
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
[ Upstream commit d327ea15a305024ef0085252fa3657bbb1ce25f5 ]
sparse generates the following warning:
include/linux/prandom.h:114:45: sparse: sparse: cast truncates bits from
constant value
This is because the 64-bit seed value is manipulated and then placed in a
u32, causing an implicit cast and truncation. A forced cast to u32 doesn't
prevent this warning, which is reasonable because a typecast doesn't prove
that truncation was expected.
Logical-AND the value with 0xffffffff to make explicit that truncation to
32-bit is intended.
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Petr Mladek <pmladek@suse.com>
Link: https://lore.kernel.org/r/20210525122012.6336-3-rf@opensource.cirrus.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
[ Upstream commit 22ca9f4aaf431a9413dcc115dd590123307f274f ]
crypto_shash_alg_has_setkey() is implemented by testing whether the
.setkey() member of a struct shash_alg points to the default version,
called shash_no_setkey(). As crypto_shash_alg_has_setkey() is a static
inline, this requires shash_no_setkey() to be exported to modules.
Unfortunately, when building with CFI, function pointers are routed
via CFI stubs which are private to each module (or to the kernel proper)
and so this function pointer comparison may fail spuriously.
Let's fix this by turning crypto_shash_alg_has_setkey() into an out of
line function.
Cc: Sami Tolvanen <samitolvanen@google.com>
Cc: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
Change-Id: I1a5e19485cdb37409eb5907d98fe3163a3f10e59
|
|
https://android.googlesource.com/kernel/common into lineage-18.1-caf-msm8998
This brings LA.UM.9.2.r1-03400-SDMxx0.0 up to date with
https://android.googlesource.com/kernel/common/ android-4.4-p at commit:
b5f0035416310 Merge 4.4.274 into android-4.4-p
Conflicts:
include/linux/spi/spi.h
Change-Id: I3daac7891ee93c70ffe08b7e70b77e8b2989af67
|
|
Add UAPI headers for QBG (Qualcomm Battery Gauge).
Change-Id: Iae5ba52ebff9fb4b591065c2bffe15763ab9518a
Signed-off-by: Shyam Kumar Thella <sthella@codeaurora.org>
|
|
Changes in 4.4.274
HID: hid-sensor-hub: Return error for hid_set_field() failure
HID: Add BUS_VIRTUAL to hid_connect logging
HID: usbhid: fix info leak in hid_submit_ctrl
ARM: OMAP2+: Fix build warning when mmc_omap is not built
HID: gt683r: add missing MODULE_DEVICE_TABLE
gfs2: Fix use-after-free in gfs2_glock_shrink_scan
scsi: target: core: Fix warning on realtime kernels
ethernet: myri10ge: Fix missing error code in myri10ge_probe()
net: ipconfig: Don't override command-line hostnames or domains
rtnetlink: Fix missing error code in rtnl_bridge_notify()
net/x25: Return the correct errno code
net: Return the correct errno code
fib: Return the correct errno code
dmaengine: stedma40: add missing iounmap() on error in d40_probe()
net: ipv4: fix memory leak in netlbl_cipsov4_add_std
net: rds: fix memory leak in rds_recvmsg
rtnetlink: Fix regression in bridge VLAN configuration
netfilter: synproxy: Fix out of bounds when parsing TCP options
net: stmmac: dwmac1000: Fix extended MAC address registers definition
qlcnic: Fix an error handling path in 'qlcnic_probe()'
netxen_nic: Fix an error handling path in 'netxen_nic_probe()'
net: cdc_ncm: switch to eth%d interface naming
net: usb: fix possible use-after-free in smsc75xx_bind
net/af_unix: fix a data-race in unix_dgram_sendmsg / unix_release_sock
be2net: Fix an error handling path in 'be_probe()'
net: hamradio: fix memory leak in mkiss_close
net: cdc_eem: fix tx fixup skb leak
net: ethernet: fix potential use-after-free in ec_bhf_remove
scsi: core: Put .shost_dev in failure path if host state changes to RUNNING
radeon: use memcpy_to/fromio for UVD fw upload
can: bcm: fix infoleak in struct bcm_msg_head
tracing: Do no increment trace_clock_global() by one
PCI: Mark TI C667X to avoid bus reset
PCI: Mark some NVIDIA GPUs to avoid bus reset
dmaengine: pl330: fix wrong usage of spinlock flags in dma_cyclc
net: fec_ptp: add clock rate zero check
can: bcm/raw/isotp: use per module netdevice notifier
tracing: Do not stop recording cmdlines when tracing is off
tracing: Do not stop recording comms if the trace file is being read
x86/fpu: Reset state for all signal restore failures
inet: use bigger hash table for IP ID generation
ARM: 9081/1: fix gcc-10 thumb2-kernel regression
Makefile: Move -Wno-unused-but-set-variable out of GCC only block
Revert "PCI: PM: Do not read power state in pci_enable_device_flags()"
cfg80211: call cfg80211_leave_ocb when switching away from OCB
mac80211: drop multicast fragments
ping: Check return value of function 'ping_queue_rcv_skb'
inet: annotate date races around sk->sk_txhash
net: caif: fix memory leak in ldisc_open
r8152: Avoid memcpy() over-reading of ETH_SS_STATS
sh_eth: Avoid memcpy() over-reading of ETH_SS_STATS
r8169: Avoid memcpy() over-reading of ETH_SS_STATS
net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY
nilfs2: fix memory leak in nilfs_sysfs_delete_device_group
i2c: robotfuzz-osif: fix control-request directions
Linux 4.4.274
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I8ed74ec47e5cd175c4234738949286b4e1b7760a
|
|
[ Upstream commit b71eaed8c04f72a919a9c44e83e4ee254e69e7f3 ]
UDP sendmsg() path can be lockless, it is possible for another
thread to re-connect an change sk->sk_txhash under us.
There is no serious impact, but we can use READ_ONCE()/WRITE_ONCE()
pair to document the race.
BUG: KCSAN: data-race in __ip4_datagram_connect / skb_set_owner_w
write to 0xffff88813397920c of 4 bytes by task 30997 on cpu 1:
sk_set_txhash include/net/sock.h:1937 [inline]
__ip4_datagram_connect+0x69e/0x710 net/ipv4/datagram.c:75
__ip6_datagram_connect+0x551/0x840 net/ipv6/datagram.c:189
ip6_datagram_connect+0x2a/0x40 net/ipv6/datagram.c:272
inet_dgram_connect+0xfd/0x180 net/ipv4/af_inet.c:580
__sys_connect_file net/socket.c:1837 [inline]
__sys_connect+0x245/0x280 net/socket.c:1854
__do_sys_connect net/socket.c:1864 [inline]
__se_sys_connect net/socket.c:1861 [inline]
__x64_sys_connect+0x3d/0x50 net/socket.c:1861
do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
entry_SYSCALL_64_after_hwframe+0x44/0xae
read to 0xffff88813397920c of 4 bytes by task 31039 on cpu 0:
skb_set_hash_from_sk include/net/sock.h:2211 [inline]
skb_set_owner_w+0x118/0x220 net/core/sock.c:2101
sock_alloc_send_pskb+0x452/0x4e0 net/core/sock.c:2359
sock_alloc_send_skb+0x2d/0x40 net/core/sock.c:2373
__ip6_append_data+0x1743/0x21a0 net/ipv6/ip6_output.c:1621
ip6_make_skb+0x258/0x420 net/ipv6/ip6_output.c:1983
udpv6_sendmsg+0x160a/0x16b0 net/ipv6/udp.c:1527
inet6_sendmsg+0x5f/0x80 net/ipv6/af_inet6.c:642
sock_sendmsg_nosec net/socket.c:654 [inline]
sock_sendmsg net/socket.c:674 [inline]
____sys_sendmsg+0x360/0x4d0 net/socket.c:2350
___sys_sendmsg net/socket.c:2404 [inline]
__sys_sendmmsg+0x315/0x4b0 net/socket.c:2490
__do_sys_sendmmsg net/socket.c:2519 [inline]
__se_sys_sendmmsg net/socket.c:2516 [inline]
__x64_sys_sendmmsg+0x53/0x60 net/socket.c:2516
do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
entry_SYSCALL_64_after_hwframe+0x44/0xae
value changed: 0xbca3c43d -> 0xfdb309e0
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 31039 Comm: syz-executor.2 Not tainted 5.13.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
[ Upstream commit 6be388f4a35d2ce5ef7dbf635a8964a5da7f799f ]
In hid_submit_ctrl(), the way of calculating the report length doesn't
take into account that report->size can be zero. When running the
syzkaller reproducer, a report of size 0 causes hid_submit_ctrl) to
calculate transfer_buffer_length as 16384. When this urb is passed to
the usb core layer, KMSAN reports an info leak of 16384 bytes.
To fix this, first modify hid_report_len() to account for the zero
report size case by using DIV_ROUND_UP for the division. Then, call it
from hid_submit_ctrl().
Reported-by: syzbot+7c2bb71996f95a82524c@syzkaller.appspotmail.com
Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
Changes in 4.4.273
proc: Track /proc/$pid/attr/ opener mm_struct
net/nfc/rawsock.c: fix a permission check bug
ASoC: sti-sas: add missing MODULE_DEVICE_TABLE
isdn: mISDN: netjet: Fix crash in nj_probe:
bonding: init notify_work earlier to avoid uninitialized use
netlink: disable IRQs for netlink_lock_table()
net: mdiobus: get rid of a BUG_ON()
net/qla3xxx: fix schedule while atomic in ql_sem_spinlock
scsi: vmw_pvscsi: Set correct residual data length
scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal
net: macb: ensure the device is available before accessing GEMGXL control registers
net: appletalk: cops: Fix data race in cops_probe1
MIPS: Fix kernel hang under FUNCTION_GRAPH_TRACER and PREEMPT_TRACER
bnx2x: Fix missing error code in bnx2x_iov_init_one()
powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P2041 i2c controllers
powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P1010 i2c controllers
i2c: mpc: Make use of i2c_recover_bus()
i2c: mpc: implement erratum A-004447 workaround
kvm: avoid speculation-based attacks from out-of-range memslot accesses
btrfs: return value from btrfs_mark_extent_written() in case of error
cgroup1: don't allow '\n' in renaming
USB: f_ncm: ncm_bitrate (speed) is unsigned
usb: dwc3: ep0: fix NULL pointer exception
USB: serial: ftdi_sio: add NovaTech OrionMX product ID
USB: serial: omninet: add device id for Zyxel Omni 56K Plus
USB: serial: quatech2: fix control-request directions
usb: gadget: eem: fix wrong eem header operation
perf: Fix data race between pin_count increment/decrement
NFS: Fix a potential NULL dereference in nfs_get_client()
perf session: Correct buffer copying when peeking events
kvm: fix previous commit for 32-bit builds
NFSv4: nfs4_proc_set_acl needs to restore NFS_CAP_UIDGID_NOMAP on error.
scsi: core: Only put parent device if host state differs from SHOST_CREATED
ftrace: Do not blindly read the ip address in ftrace_bug()
proc: only require mm_struct for writing
Linux 4.4.273
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I97fdaeb60b62a57bf34ecceabda8be5cee23a0e7
|
|
commit 4422829e8053068e0225e4d0ef42dc41ea7c9ef5 upstream.
array_index_nospec does not work for uint64_t on 32-bit builds.
However, the size of a memory slot must be less than 20 bits wide
on those system, since the memory slot must fit in the user
address space. So just store it in an unsigned long.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit da27a83fd6cc7780fea190e1f5c19e87019da65c upstream.
KVM's mechanism for accessing guest memory translates a guest physical
address (gpa) to a host virtual address using the right-shifted gpa
(also known as gfn) and a struct kvm_memory_slot. The translation is
performed in __gfn_to_hva_memslot using the following formula:
hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE
It is expected that gfn falls within the boundaries of the guest's
physical memory. However, a guest can access invalid physical addresses
in such a way that the gfn is invalid.
__gfn_to_hva_memslot is called from kvm_vcpu_gfn_to_hva_prot, which first
retrieves a memslot through __gfn_to_memslot. While __gfn_to_memslot
does check that the gfn falls within the boundaries of the guest's
physical memory or not, a CPU can speculate the result of the check and
continue execution speculatively using an illegal gfn. The speculation
can result in calculating an out-of-bounds hva. If the resulting host
virtual address is used to load another guest physical address, this
is effectively a Spectre gadget consisting of two consecutive reads,
the second of which is data dependent on the first.
Right now it's not clear if there are any cases in which this is
exploitable. One interesting case was reported by the original author
of this patch, and involves visiting guest page tables on x86. Right
now these are not vulnerable because the hva read goes through get_user(),
which contains an LFENCE speculation barrier. However, there are
patches in progress for x86 uaccess.h to mask kernel addresses instead of
using LFENCE; once these land, a guest could use speculation to read
from the VMM's ring 3 address space. Other architectures such as ARM
already use the address masking method, and would be susceptible to
this same kind of data-dependent access gadgets. Therefore, this patch
proactively protects from these attacks by masking out-of-bounds gfns
in __gfn_to_hva_memslot, which blocks speculation of invalid hvas.
Sean Christopherson noted that this patch does not cover
kvm_read_guest_offset_cached. This however is limited to a few bytes
past the end of the cache, and therefore it is unlikely to be useful in
the context of building a chain of data dependent accesses.
Reported-by: Artemiy Margaritov <artemiy.margaritov@gmail.com>
Co-developed-by: Artemiy Margaritov <artemiy.margaritov@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Changes in 4.4.272
efi: cper: fix snprintf() use in cper_dimm_err_location()
vfio/pci: Fix error return code in vfio_ecap_init()
vfio/platform: fix module_put call in error flow
ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service
HID: pidff: fix error return code in hid_pidff_init()
netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches
ieee802154: fix error return code in ieee802154_add_iface()
ieee802154: fix error return code in ieee802154_llsec_getparams()
Bluetooth: fix the erroneous flush_work() order
Bluetooth: use correct lock to prevent UAF of hdev object
net: caif: added cfserl_release function
net: caif: add proper error handling
net: caif: fix memory leak in caif_device_notify
net: caif: fix memory leak in cfusbl_device_notify
ALSA: timer: Fix master timer notification
ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed
pid: take a reference when initializing `cad_pid`
ocfs2: fix data corruption by fallocate
nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect
btrfs: fixup error handling in fixup_inode_link_counts
KVM: SVM: Truncate GPR value for DR and CR accesses in !64-bit mode
arm64: Remove unimplemented syscall log message
xen-pciback: redo VF placement in the virtual topology
Linux 4.4.272
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I0bc043dfa7733208cbd61362d947d9d505eda922
|
|
commit a2805dca5107d5603f4bbc027e81e20d93476e96 upstream.
caif_enroll_dev() can fail in some cases. Ingnoring
these cases can lead to memory leak due to not assigning
link_support pointer to anywhere.
Fixes: 7c18d2205ea7 ("caif: Restructure how link caif link layer enroll")
Cc: stable@vger.kernel.org
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit bce130e7f392ddde8cfcb09927808ebd5f9c8669 upstream.
Added cfserl_release() function.
Cc: stable@vger.kernel.org
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Changes in 4.4.271
mm, vmstat: drop zone->lock in /proc/pagetypeinfo
netfilter: x_tables: Use correct memory barriers.
NFC: nci: fix memory leak in nci_allocate_device
proc: Check /proc/$pid/attr/ writes against file opener
net: hso: fix control-request directions
mac80211: assure all fragments are encrypted
mac80211: prevent mixed key and fragment cache attacks
mac80211: properly handle A-MSDUs that start with an RFC 1042 header
cfg80211: mitigate A-MSDU aggregation attacks
mac80211: drop A-MSDUs on old ciphers
mac80211: add fragment cache to sta_info
mac80211: check defrag PN against current frame
mac80211: prevent attacks on TKIP/WEP as well
mac80211: do not accept/forward invalid EAPOL frames
mac80211: extend protection against mixed key and fragment cache attacks
dm snapshot: properly fix a crash when an origin has no snapshots
kgdb: fix gcc-11 warnings harder
misc/uss720: fix memory leak in uss720_probe
mei: request autosuspend after sending rx flow control
staging: iio: cdc: ad7746: avoid overwrite of num_channels
iio: adc: ad7793: Add missing error code in ad7793_setup()
USB: trancevibrator: fix control-request direction
serial: rp2: use 'request_firmware' instead of 'request_firmware_nowait'
USB: serial: option: add Telit LE910-S1 compositions 0x7010, 0x7011
USB: serial: ftdi_sio: add IDs for IDS GmbH Products
USB: serial: pl2303: add device id for ADLINK ND-6530 GC
net: usb: fix memory leak in smsc75xx_bind
spi: Fix use-after-free with devm_spi_alloc_*
spi: spi-sh: Fix use-after-free on unbind
Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails
NFS: fix an incorrect limit in filelayout_decode_layout()
NFS: Don't corrupt the value of pg_bytes_written in nfs_do_recoalesce()
NFSv4: Fix v4.0/v4.1 SEEK_DATA return -ENOTSUPP when set NFS_V4_2 config
net/mlx4: Fix EEPROM dump support
Revert "net:tipc: Fix a double free in tipc_sk_mcast_rcv"
tipc: skb_linearize the head skb when reassembling msgs
i2c: s3c2410: fix possible NULL pointer deref on read message after write
i2c: i801: Don't generate an interrupt on bus reset
platform/x86: hp_accel: Avoid invoking _INI to speed up resume
net: fujitsu: fix potential null-ptr-deref
net: caif: remove BUG_ON(dev == NULL) in caif_xmit
char: hpet: add checks after calling ioremap
isdn: mISDNinfineon: check/cleanup ioremap failure correctly in setup_io
libertas: register sysfs groups properly
media: dvb: Add check on sp8870_readreg return
media: gspca: properly check for errors in po1030_probe()
scsi: BusLogic: Fix 64-bit system enumeration error for Buslogic
openrisc: Define memory barrier mb
btrfs: do not BUG_ON in link_to_fixup_dir
drm/amdgpu: Fix a use-after-free
net: netcp: Fix an error message
net: bnx2: Fix error return code in bnx2_init_board()
mld: fix panic in mld_newpack()
staging: emxx_udc: fix loop in _nbu2ss_nuke()
scsi: libsas: Use _safe() loop in sas_resume_port()
sch_dsmark: fix a NULL deref in qdisc_reset()
MIPS: alchemy: xxs1500: add gpio-au1000.h header file
MIPS: ralink: export rt_sysc_membase for rt2880_wdt.c
hugetlbfs: hugetlb_fault_mutex_hash() cleanup
bluetooth: eliminate the potential race condition when removing the HCI controller
usb: core: reduce power-on-good delay time of root hub
x86, asm: change the GEN_*_RMWcc() macros to not quote the condition
x86/asm: Add instruction suffixes to bitops
x86/entry/64: Add instruction suffix
Linux 4.4.271
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I4d2a335d92f357364741f729648d8946007ba04c
|
|
commit 552546366a30d88bd1d6f5efe848b2ab50fd57e5 upstream.
A new clang diagnostic (-Wsizeof-array-div) warns about the calculation
to determine the number of u32's in an array of unsigned longs.
Suppress warning by adding parentheses.
While looking at the above issue, noticed that the 'address' parameter
to hugetlb_fault_mutex_hash is no longer used. So, remove it from the
definition and all callers.
No functional change.
Link: http://lkml.kernel.org/r/20190919011847.18400-1-mike.kravetz@oracle.com
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Reported-by: Nathan Chancellor <natechancellor@gmail.com>
Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
Reviewed-by: Davidlohr Bueso <dbueso@suse.de>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Ilie Halip <ilie.halip@gmail.com>
Cc: David Bolvansky <david.bolvansky@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit 794aaf01444d4e765e2b067cba01cc69c1c68ed9 upstream.
We can't rely on the contents of the devres list during
spi_unregister_controller(), as the list is already torn down at the
time we perform devres_find() for devm_spi_release_controller. This
causes devices registered with devm_spi_alloc_{master,slave}() to be
mistakenly identified as legacy, non-devm managed devices and have their
reference counters decremented below 0.
------------[ cut here ]------------
WARNING: CPU: 1 PID: 660 at lib/refcount.c:28 refcount_warn_saturate+0x108/0x174
[<b0396f04>] (refcount_warn_saturate) from [<b03c56a4>] (kobject_put+0x90/0x98)
[<b03c5614>] (kobject_put) from [<b0447b4c>] (put_device+0x20/0x24)
r4:b6700140
[<b0447b2c>] (put_device) from [<b07515e8>] (devm_spi_release_controller+0x3c/0x40)
[<b07515ac>] (devm_spi_release_controller) from [<b045343c>] (release_nodes+0x84/0xc4)
r5:b6700180 r4:b6700100
[<b04533b8>] (release_nodes) from [<b0454160>] (devres_release_all+0x5c/0x60)
r8:b1638c54 r7:b117ad94 r6:b1638c10 r5:b117ad94 r4:b163dc10
[<b0454104>] (devres_release_all) from [<b044e41c>] (__device_release_driver+0x144/0x1ec)
r5:b117ad94 r4:b163dc10
[<b044e2d8>] (__device_release_driver) from [<b044f70c>] (device_driver_detach+0x84/0xa0)
r9:00000000 r8:00000000 r7:b117ad94 r6:b163dc54 r5:b1638c10 r4:b163dc10
[<b044f688>] (device_driver_detach) from [<b044d274>] (unbind_store+0xe4/0xf8)
Instead, determine the devm allocation state as a flag on the
controller which is guaranteed to be stable during cleanup.
Fixes: 5e844cc37a5c ("spi: Introduce device-managed SPI controller allocation")
Signed-off-by: William A. Kennington III <wak@google.com>
Link: https://lore.kernel.org/r/20210407095527.2771582-1-wak@google.com
Signed-off-by: Mark Brown <broonie@kernel.org>
[lukas: backport to v4.4.270]
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit bf30ca922a0c0176007e074b0acc77ed345e9990 upstream.
As pointed out by Mathy Vanhoef, we implement the RX PN check
on fragmented frames incorrectly - we check against the last
received PN prior to the new frame, rather than to the one in
this frame itself.
Prior patches addressed the security issue here, but in order
to be able to reason better about the code, fix it to really
compare against the current frame's PN, not the last stored
one.
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20210511200110.bfbc340ff071.Id0b690e581da7d03d76df90bb0e3fd55930bc8a0@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
