1. 13 Dec, 2018 1 commit
  2. 29 Nov, 2018 1 commit
  3. 19 Nov, 2018 1 commit
    • ACPICA: Fix handling of buffer-size in acpi_ex_write_data_to_field() · ae6b3e54
      Hans de Goede authored
      Generic Serial Bus transfers use a data struct like this:
      
      struct gsb_buffer {
              u8      status;
              u8      len;
              u8      data[0];
      };
      
      acpi_ex_write_data_to_field() copies the data which is to be written from
      the source-buffer to a temp-buffer. This is done because the OpReg-handler
      overwrites the status field and some transfers do a write + read-back.
      
      Commit f99b89ee ("ACPICA: Update for generic_serial_bus and
      attrib_raw_process_bytes protocol") introduces a number of problems
      with this in acpi_ex_write_data_to_field():
      
       1) It drops a "length += 2" statement used to calculate the temp-buffer
       size causing the temp-buffer to only be 1/2 bytes large for byte/word
       transfers while it should be 3/4 bytes (taking the status and len field
       into account). This is already fixed in commit e324e101 ("ACPICA:
       Update for field unit access") which refactors the code.
      
      The ACPI 6.0 spec (ACPI_6.0.pdf) "5.5.2.4.5.2 Declaring and Using a
      GenericSerialBusData Buffer" (page 232) states that the GenericSerialBus
      Data Buffer Length field is only valid when doing a Read/Write Block
      (AttribBlock) transfer, but since the troublesome commit we unconditionally
      use the len field to determine how much data to copy from the source-buffer
      into the temp-buffer passed to the OpRegion.
      
      This causes 3 further issues:
      
       2) This may lead to not copying enough data to the temp-buffer causing the
       OpRegion handler for the serial-bus to write garbage to the hardware.
      
       3) The temp-buffer passed to the OpRegion is allocated to the size
       returned by acpi_ex_get_serial_access_length(), which may be as little
       as 1, so potentially this may lead to a write overflow of the temp-buffer.
      
       4) Commit e324e101 ("ACPICA: Update for field unit access") drops a
       length check on the source-buffer, leading to a potential read overflow
       of the source-buffer.
      
      This commit fixes all 3 remaining issues by not looking at the len field at
      all (the interpretation of this field is left up to the OpRegion handler),
      and copying the minimum of the source- and temp-buffer sizes from the
      source-buffer to the temp-buffer.
      
      This fixes e.g. an Acer S1003 no longer booting since the troublesome
      commit.
      
      Fixes: f99b89ee (ACPICA: Update for generic_serial_bus and ...)
      Fixes: e324e101 (ACPICA: Update for field unit access)
      Signed-off-by: Hans de Goede <hdegoede@redhat.com>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
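The copy-length problem described in the commit message above, as a simplified user-space model (an added example, not ACPICA or kernel code). The names `len_field_risk` and `bounded_copy` are hypothetical, the header-plus-len byte count is an assumption about how the len field was used, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout from the commit message (C99 flexible array instead of data[0]). */
struct gsb_buffer {
    uint8_t status;
    uint8_t len;
    uint8_t data[];
};
#define GSB_HDR offsetof(struct gsb_buffer, data) /* status + len = 2 bytes */

enum { SHORT_COPY = 1, WRITE_OVERFLOW = 2, READ_OVERFLOW = 4 };

/* Model only: report what a copy sized from the len field WOULD do.
 * Assumption: the count is header + len. No copy is performed here. */
static unsigned len_field_risk(const uint8_t *src, size_t src_size, size_t tmp_size)
{
    if (src_size < GSB_HDR)
        return READ_OVERFLOW;                     /* len field itself out of bounds */
    size_t n = GSB_HDR + src[offsetof(struct gsb_buffer, len)];
    unsigned risk = 0;
    if (n > tmp_size) risk |= WRITE_OVERFLOW;     /* issue 3 in the message */
    if (n > src_size) risk |= READ_OVERFLOW;      /* issue 4 in the message */
    if (n < src_size && n < tmp_size) risk |= SHORT_COPY; /* issue 2 */
    return risk;
}

/* The approach the commit describes: ignore len, copy min(src, tmp) bytes. */
static size_t bounded_copy(uint8_t *tmp, size_t tmp_size, const uint8_t *src, size_t src_size)
{
    size_t n = src_size < tmp_size ? src_size : tmp_size;
    memset(tmp, 0, tmp_size);   /* zero-filling the remainder is an assumption */
    memcpy(tmp, src, n);
    return n;
}

int main(void)
{
    /* Constructed word transfer: len is 0 because this is not a block transfer. */
    const uint8_t word[] = { 0x00, 0x00, 0xAB, 0xCD };
    /* Constructed buffer whose len field holds a stale 0xFF. */
    const uint8_t stale[] = { 0x00, 0xFF, 0x11, 0x22 };
    uint8_t tmp[4];

    printf("word:  risk=%u copied=%zu\n", len_field_risk(word, 4, 4), bounded_copy(tmp, 4, word, 4));
    printf("stale: risk=%u copied=%zu\n", len_field_risk(stale, 4, 3), bounded_copy(tmp, 3, stale, 4));
    return 0;
}
```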
  4. 18 Nov, 2018 23 commits
  5. 16 Nov, 2018 9 commits
    • Merge tag 'fsnotify_for_v4.20-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs · 1ce80e0f
      Linus Torvalds authored
      Pull fsnotify fix from Jan Kara:
       "One small fsnotify fix for duplicate events"
      
      * tag 'fsnotify_for_v4.20-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
        fanotify: fix handling of events on child sub-directory
    • Merge tag 'gfs2-4.20.fixes3' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 · e6a2562f
      Linus Torvalds authored
      Pull gfs2 fixes from Andreas Gruenbacher:
       "Fix two bugs leading to leaked buffer head references:
      
         - gfs2: Put bitmap buffers in put_super
         - gfs2: Fix iomap buffer head reference counting bug
      
        And one bug leading to significant slow-downs when deleting large
        files:
      
         - gfs2: Fix metadata read-ahead during truncate (2)"
      
      * tag 'gfs2-4.20.fixes3' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2:
        gfs2: Fix iomap buffer head reference counting bug
        gfs2: Fix metadata read-ahead during truncate (2)
        gfs2: Put bitmap buffers in put_super
    • gfs2: Fix iomap buffer head reference counting bug · c26b5aa8
      Andreas Gruenbacher authored
      GFS2 passes the inode buffer head (dibh) from gfs2_iomap_begin to
      gfs2_iomap_end in iomap->private.  It sets that private pointer in
      gfs2_iomap_get.  Users of gfs2_iomap_get other than gfs2_iomap_begin
      would have to release iomap->private, but this isn't done correctly,
      leading to a leak of buffer head references.
      
      To fix this, move the code for setting iomap->private from
      gfs2_iomap_get to gfs2_iomap_begin.
      
      Fixes: 64bc06bb ("gfs2: iomap buffered write support")
      Cc: stable@vger.kernel.org # v4.19+
      Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 32e2524a
      Linus Torvalds authored
      Pull crypto fixes from Herbert Xu:
       "This fixes the following issues:
      
         - Potential memory overwrite in simd
      
         - Kernel info leaks in crypto_user
      
         - NULL dereference and use-after-free in hisilicon"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: user - Zeroize whole structure given to user space
        crypto: user - fix leaking uninitialized memory to userspace
        crypto: simd - correctly take reqsize of wrapped skcipher into account
        crypto: hisilicon - Fix reference after free of memories on error path
        crypto: hisilicon - Fix NULL dereference for same dst and src
    • Merge tag 'drm-fixes-2018-11-16' of git://anongit.freedesktop.org/drm/drm · 4efd3460
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Live from Vancouver, SoC maintainer talk, this week's drm fixes pull
        for rc3:
      
        omapdrm:
         - regression fixes for the reordering bridge stuff that went into rc1
      
        i915:
         - incorrect EU count fix
         - HPD storm fix
         - MST fix
         - relocation fix for gen4/5
      
        amdgpu:
         - huge page handling fix
         - IH ring setup
         - XGMI aperture setup
         - watermark setup fix
      
        misc:
         - docs and MST fix"
      
      * tag 'drm-fixes-2018-11-16' of git://anongit.freedesktop.org/drm/drm: (23 commits)
        drm/i915: Account for scale factor when calculating initial phase
        drm/i915: Clean up skl_program_scaler()
        drm/i915: Move programming plane scaler to its own function.
        drm/i915/icl: Drop spurious register read from icl_dbuf_slices_update
        drm/i915: fix broadwell EU computation
        drm/amdgpu: fix huge page handling on Vega10
        drm/amd/pp: Fix truncated clock value when set watermark
        drm/amdgpu: fix bug with IH ring setup
        drm/meson: venc: dmt mode must use encp
        drm/amdgpu: set system aperture to cover whole FB region
        drm/i915: Fix hpd handling for pins with two encoders
        drm/i915/execlists: Force write serialisation into context image vs execution
        drm/i915/icl: Fix power well 2 wrt. DC-off toggling order
        drm/i915: Fix NULL deref when re-enabling HPD IRQs on systems with MST
        drm/i915: Fix possible race in intel_dp_add_mst_connector()
        drm/i915/ringbuffer: Delay after EMIT_INVALIDATE for gen4/gen5
        drm/omap: dsi: Fix missing of_platform_depopulate()
        drm/omap: Move DISPC runtime PM handling to omapdrm
        drm/omap: dsi: Ensure the device is active during probe
        drm/omap: hdmi4: Ensure the device is active during bind
        ...
    • Merge tag 'powerpc-4.20-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · ef268de1
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "Two weeks' worth of fixes since rc1.
      
         - I broke 16-byte alignment of the stack when we moved PPR into
           pt_regs. Despite being required by the ABI this broke almost
           nothing, we eventually hit it in code where GCC does arithmetic on
           the stack pointer assuming the bottom 4 bits are clear. Fix it by
           padding the in-kernel pt_regs by 8 bytes.
      
         - A couple of commits fixing minor bugs in the recent SLB rewrite.
      
         - A build fix related to tracepoints in KVM in some configurations.
      
         - Our old "IO workarounds" code written for Cell couldn't coexist in
           a kernel that runs on Power9 with the Radix MMU, fix that.
      
         - Remove the NPU DMA ops, these just printed a warning and should
           never have been called.
      
         - Suppress an overly chatty message triggered by CPU hotplug in some
           configs.
      
         - Two small selftest fixes.
      
        Thanks to: Alistair Popple, Gustavo Romero, Nicholas Piggin, Satheesh
        Rajendran, Scott Wood"
      
      * tag 'powerpc-4.20-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        selftests/powerpc: Adjust wild_bctr to build with old binutils
        powerpc/64: Fix kernel stack 16-byte alignment
        powerpc/numa: Suppress "VPHN is not supported" messages
        selftests/powerpc: Fix wild_bctr test to work on ppc64
        powerpc/io: Fix the IO workarounds code to work with Radix
        powerpc/mm/64s: Fix preempt warning in slb_allocate_kernel()
        KVM: PPC: Move and undef TRACE_INCLUDE_PATH/FILE
        powerpc/mm/64s: Only use slbfee on CPUs that support it
        powerpc/mm/64s: Use PPC_SLBFEE macro
        powerpc/mm/64s: Consolidate SLB assertions
        powerpc/powernv/npu: Remove NPU DMA ops
    • Merge tag 'xtensa-20181115' of git://github.com/jcmvbkbc/linux-xtensa · 50d25bdc
      Linus Torvalds authored
      Pull Xtensa fixes from Max Filippov:
      
       - fix stack alignment for bFLT binaries.
      
       - fix physical-to-virtual address translation for boot parameters in
         MMUv3 256+256 and 512+512 virtual memory layouts.
      
      * tag 'xtensa-20181115' of git://github.com/jcmvbkbc/linux-xtensa:
        xtensa: fix boot parameters address translation
        xtensa: make sure bFLT stack is 16 byte aligned
    • Merge tag 'for-linus-20181115' of git://git.kernel.dk/linux-block · 59749c2d
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - Discard loop fix, caused by integer overflow (Dave)
      
       - Blacklist of Samsung drive that hangs with power management (Diego)
      
       - Copy bio priority when cloning it (Hannes)
      
       - Fix race condition exposed in floppy (me)
      
       - Fix SCSI queue cleanup regression. While elusive, it caused oopses in
         queue running (Ming)
      
       - Fix bad string copy in kyber tracing (Omar)
      
      * tag 'for-linus-20181115' of git://git.kernel.dk/linux-block:
        SCSI: fix queue cleanup race before queue initialization is done
        block: fix 32 bit overflow in __blkdev_issue_discard()
        libata: blacklist SAMSUNG MZ7TD256HAFV-000L9 SSD
        block: copy ioprio in __bio_clone_fast() and bounce
        kyber: fix wrong strlcpy() size in trace_kyber_latency()
        floppy: fix race condition in __floppy_read_block_0()
    • Merge tag 'fuse-fixes-4.20-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse · 9b5f361a
      Linus Torvalds authored
      Pull fuse fixes from Miklos Szeredi:
       "A couple of fixes, all bound for -stable (i.e. not regressions in this
        cycle)"
      
      * tag 'fuse-fixes-4.20-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse:
        fuse: fix use-after-free in fuse_direct_IO()
        fuse: fix possibly missed wake-up after abort
        fuse: fix leaked notify reply
  6. 15 Nov, 2018 5 commits