- 10 Jan, 2020 16 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-miscLinus Torvalds authored
Pull char/misc fix from Greg KH: "Here is a single fix, for the chrdev core, for 5.5-rc6 There's been a long-standing race condition triggered by syzbot, and occasionally real people, in the chrdev open() path. Will finally took the time to track it down and fix it for real before the holidays. Here's that one patch, it's been in linux-next for a while with no reported issues and it does fix the reported problem" * tag 'char-misc-5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: chardev: Avoid potential use-after-free in 'chrdev_open()'
-
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/stagingLinus Torvalds authored
Pull staging fixes from Greg KH: "Here are some small staging driver fixes for 5.5-rc6. Nothing major here, just some small fixes for a comedi driver, the vt6656 driver, and a new device id for the rtl8188eu driver. All of these have been in linux-next for a while with no reported issues" * tag 'staging-5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21 staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 staging: vt6656: set usb_set_intfdata on driver fail. staging: vt6656: remove bool from vnt_radio_power_on ret staging: vt6656: limit reg output to block size staging: vt6656: correct return of vnt_init_registers. staging: vt6656: Fix non zero logical return of, usb_control_msg
-
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/ttyLinus Torvalds authored
Pull tty/serial fixes from Greg KH: "Here are two tty/serial driver fixes for 5.5-rc6. The first fixes a much much reported issue with a previous tty port link patch that is in your tree, and the second fixes a problem where the serdev driver would claim ACPI devices that it shouldn't be claiming. Both have been in linux-next for a while with no reported issues" * tag 'tty-5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: serdev: Don't claim unsupported ACPI serial devices tty: always relink the port
-
git://git.kernel.dk/linux-blockLinus Torvalds authored
Pull block fixes from Jens Axboe: "A few fixes that should go into this round. This pull request contains two NVMe fixes via Keith, removal of a dead function, and a fix for the bio op for read truncates (Ming)" * tag 'block-5.5-2020-01-10' of git://git.kernel.dk/linux-block: nvmet: fix per feat data len for get_feature nvme: Translate more status codes to blk_status_t fs: move guard_bio_eod() after bio_set_op_attrs block: remove unused mp_bvec_last_segment
-
git://git.kernel.dk/linux-blockLinus Torvalds authored
Pull io_uring fix from Jens Axboe: "Single fix for this series, fixing a regression with the short read handling. This just removes it, as it cannot safely be done for all cases" * tag 'io_uring-5.5-2020-01-10' of git://git.kernel.dk/linux-block: io_uring: remove punt of short reads to async context
-
git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linuxLinus Torvalds authored
Pull MTD fixes from Miquel Raynal: "MTD: - sm_ftl: Fix NULL pointer warning. Raw NAND: - Cadence: fix compile testing. - STM32: Avoid locking. Onenand: - Fix several sparse/build warnings. SPI-NOR: - Add a flag to fix interaction with Micron parts" * tag 'mtd/fixes-for-5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux: mtd: spi-nor: Fix the writing of the Status Register on micron flashes mtd: sm_ftl: fix NULL pointer warning mtd: onenand: omap2: Pass correct flags for prep_dma_memcpy mtd: onenand: samsung: Fix iomem access with regular memcpy mtd: onenand: omap2: Fix errors in style mtd: cadence: Fix cast to pointer from integer of different size warning mtd: rawnand: stm32_fmc2: avoid to lock the CPU bus
-
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/soundLinus Torvalds authored
Pull sound fixes from Takashi Iwai: "A few piled ASoC fixes and usual HD-audio and USB-audio fixups. Some of them are for ASoC core error-handling" * tag 'sound-5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: hda: enable regmap internal locking ALSA: hda/realtek - Add quirk for the bass speaker on Lenovo Yoga X1 7th gen ALSA: hda/realtek - Set EAPD control to default for ALC222 ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5 ALSA: hda/realtek - Add new codec supported for ALCS1200A ASoC: Intel: boards: Fix compile-testing RT1011/RT5682 ASoC: SOF: imx8: Fix dsp_box offset ASoC: topology: Prevent use-after-free in snd_soc_get_pcm_runtime() ASoC: fsl_audmix: add missed pm_runtime_disable ASoC: stm32: spdifrx: fix input pin state management ASoC: stm32: spdifrx: fix race condition in irq handler ASoC: stm32: spdifrx: fix inconsistent lock state ASoC: core: Fix access to uninitialized list heads ASoC: soc-core: Set dpcm_playback / dpcm_capture ASoC: SOF: imx8: fix memory allocation failure check on priv->pd_dev ASoC: SOF: Intel: hda: hda-dai: fix oops on hda_link .hw_free ASoC: SOF: fix fault at driver unload after failed probe
-
git://git.kernel.org/pub/scm/linux/kernel/git/thermal/linuxLinus Torvalds authored
Pull thermal fix from Daniel Lezcano: "Fix backward compatibility with old DTBs on QCOM tsens (Amit Kucheria)" * tag 'thermal-v5.5-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/thermal/linux: drivers: thermal: tsens: Work with old DTBs
-
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pmLinus Torvalds authored
Pull power management fixes from Rafael Wysocki: "Prevent the cpufreq-dt driver from probing Tegra20/30 (Dmitry Osipenko) and prevent the Intel RAPL power capping driver from crashing during CPU initialization due to a NULL pointer dereference if the processor model in use is not known to it (Harry Pan)" * tag 'pm-5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: powercap: intel_rapl: add NULL pointer check to rapl_mmio_cpu_online() cpufreq: dt-platdev: Blacklist NVIDIA Tegra20 and Tegra30 SoCs
-
Amit Engel authored
The existing implementation for the get_feature admin-cmd does not use per-feature data len. This patch introduces a new helper function nvmet_feat_data_len(), which is used to calculate per feature data len. Right now we only set data len for fid 0x81 (NVME_FEAT_HOST_ID). Fixes: commit e9061c39 ("nvmet: Remove the data_len field from the nvmet_req struct") Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Amit Engel <amit.engel@dell.com> [endiness, naming, and kernel style fixes] Signed-off-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com> Signed-off-by: Keith Busch <kbusch@kernel.org> Signed-off-by: Jens Axboe <axboe@kernel.dk>
-
Keith Busch authored
Decode interrupted command and not ready namespace nvme status codes to BLK_STS_TARGET. These are not generic IO errors and should use a non-path specific error so that it can use the non-failover retry path. Reported-by: John Meneghini <John.Meneghini@netapp.com> Cc: Hannes Reinecke <hare@suse.de> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Keith Busch <kbusch@kernel.org> Signed-off-by: Jens Axboe <axboe@kernel.dk>
-
Rafael J. Wysocki authored
* powercap: powercap: intel_rapl: add NULL pointer check to rapl_mmio_cpu_online()
-
git://git.kernel.org/pub/scm/linux/kernel/git/kees/linuxLinus Torvalds authored
Pull pstore fix from Kees Cook: "Cengiz Can forwarded a Coverity report about more problems with a rare pstore initialization error path, so the allocation lifetime was rearranged to avoid needing to share the kfree() responsibilities between caller and callee" * tag 'pstore-v5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: pstore/ram: Regularize prz label allocation lifetime
-
git://anongit.freedesktop.org/drm/drmLinus Torvalds authored
Pull drm fixes from Dave Airlie: "Pre-LCA pull request I'm not sure how things will look next week, myself and Daniel are at LCA and I'm speaking quite late, so if I get my talk finished I'll probably process fixes. This week has a bunch of i915 fixes, some amdgpu fixes, one sun4i, one core MST, and one core fb_helper fix. More details below: core: - mst Fix NO_STOP_BIT bit offset (Wayne) fb_helper: - fb_helper: Fix bits_per_pixel param set behavior to round up (Geert) sun4i: - Fix RGB_DIV clock min divider on old hardware (Chen-Yu) amdgpu: - Stability fix for raven - Reduce pixel encoding to if max clock is exceeded on HDMI to allow additional high res modes - enable DRIVER_SYNCOBJ_TIMELINE for amdgpu i915: - Fix GitLab issue #446 causing GPU hangs: Do not restore invalid RS state - Fix GitLab issue #846: Restore coarse power gating that was disabled by initial RC66 context corruption security fixes. - Revert f6ec9483 ("drm/i915: extend audio CDCLK>=2*BCLK constraint to more platforms") to avoid screen flicker - Fix to fill in unitialized uabi_instance in virtual engine uAPI - Add two missing W/As for ICL and EHL" * tag 'drm-fixes-2020-01-10' of git://anongit.freedesktop.org/drm/drm: drm/amdgpu: add DRIVER_SYNCOBJ_TIMELINE to amdgpu drm/amd/display: Reduce HDMI pixel encoding if max clock is exceeded Revert "drm/amdgpu: Set no-retry as default." drm/fb-helper: Round up bits_per_pixel if possible drm/sun4i: tcon: Set RGB DCLK min. divider based on hardware model drm/i915/dp: Disable Port sync mode correctly on teardown drm/i915: Add Wa_1407352427:icl,ehl drm/i915: Add Wa_1408615072 and Wa_1407596294 to icl,ehl drm/i915/gt: Restore coarse power gating drm/i915/gt: Do not restore invalid RS state drm/i915: Limit audio CDCLK>=2*BCLK constraint back to GLK only drm/i915/gt: Mark up virtual engine uabi_instance drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ
-
git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdmaLinus Torvalds authored
Pull rdma fixes from Jason Gunthorpe: "First RDMA subsystem updates for 5.5-rc. A very small set of fixes, most people seem to still be recovering from December! Five small driver fixes: - Fix error flow with MR allocation in bnxt_re - An errata work around for bnxt_re - Misuse of the workqueue API in hfi1 - Protocol error in hfi1 - Regression in 5.5 related to the mmap rework with i40iw" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: i40iw: Remove setting of VMA private data and use rdma_user_mmap_io IB/hfi1: Adjust flow PSN with the correct resync_psn IB/hfi1: Don't cancel unused work item RDMA/bnxt_re: Fix Send Work Entry state check while polling completions RDMA/bnxt_re: Avoid freeing MR resources if dereg fails
-
Dave Airlie authored
Merge tag 'drm-intel-fixes-2020-01-09-1' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes - Fix GitLab issue #446 causing GPU hangs: Do not restore invalid RS state - Fix GitLab issue #846: Restore coarse power gating that was disabled by initial RC66 context corruption security fixes. - Revert f6ec9483 ("drm/i915: extend audio CDCLK>=2*BCLK constraint to more platforms") to avoid screen flicker - Fix to fill in unitialized uabi_instance in virtual engine uAPI - Add two missing W/As for ICL and EHL Signed-off-by: Dave Airlie <airlied@redhat.com> From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20200109133458.GA15558@jlahtine-desk.ger.corp.intel.com
-
- 09 Jan, 2020 17 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpioLinus Torvalds authored
Pull GPIO fixes from Linus Walleij: "Here is a host of GPIO fixes for the v5.5 series. The ACPI fix is especially important, see summary below and in the commit for details: - Select GPIOLIB_IRQCHIP on the max77620 GPIO expander - Fix context restore in the Zynq driver - Create a new ACPI quirk handler for disabling wakeups on problematic hardware. - Fix a coding style issue on the mockup device" * tag 'gpio-v5.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio: gpiolib: acpi: Add honor_wakeup module-option + quirk mechanism gpiolib: acpi: Turn dmi_system_id table into a generic quirk table gpio: zynq: Fix for bug in zynq_gpio_restore_context API gpio: max77620: Add missing dependency on GPIOLIB_IRQCHIP gpio: mockup: fix coding style
-
git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrlLinus Torvalds authored
Pull pin control fixes from Linus Walleij: "Two fixes for pin control, not much to say about it, it's just regular driver fixes: - Fix erroneous shift in the Meson driver - Make Lochnagar select the GPIOLIB Kconfig symbol" * tag 'pinctrl-v5.5-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: pinctrl: meson: Fix wrong shift value when get drive-strength pinctrl: lochnagar: select GPIOLIB
-
git://git.kernel.org/pub/scm/linux/kernel/git/dtor/inputLinus Torvalds authored
Pull input fixes from Dmitry Torokhov: "Just a few small fixups here" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: imx_sc_key - only take the valid data from SCU firmware as key state Input: add safety guards to input_set_keycode() Input: input_event - fix struct padding on sparc64 Input: uinput - always report EPOLLOUT
-
Tudor Ambarus authored
Micron flashes do not support 16 bit writes on the Status Register. According to micron datasheets, when using the Write Status Register (01h) command, the chip select should be driven LOW and held LOW until the eighth bit of the last data byte has been latched in, after which it must be driven HIGH. If CS is not driven HIGH, the command is not executed, flag status register error bits are not set, and the write enable latch remains set to 1. This fixes the lock operations on micron flashes. Reported-by: John Garry <john.garry@huawei.com> Fixes: 39d1e334 ("mtd: spi-nor: Fix clearing of QE bit on lock()/unlock()") Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com> Tested-by: John Garry <john.garry@huawei.com> Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
-
Arnd Bergmann authored
With gcc -O3, we get a new warning: In file included from arch/arm64/include/asm/processor.h:28, from drivers/mtd/sm_ftl.c:8: In function 'memset', inlined from 'sm_read_sector.constprop' at drivers/mtd/sm_ftl.c:250:3: include/linux/string.h:411:9: error: argument 1 null where non-null expected [-Werror=nonnull] return __builtin_memset(p, c, size); >From all I can tell, this cannot happen (the function is called either with a NULL buffer or with a -1 block number but not both), but adding a check makes it more robust and avoids the warning. Fixes: mmtom ("init/Kconfig: enable -O3 for all arches") Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
-
Peter Ujfalusi authored
The commit converting the driver to DMAengine was missing the flags for the memcpy prepare call. It went unnoticed since the omap-dma driver was ignoring them. Fixes: 3ed6a4d1 (" mtd: onenand: omap2: Convert to use dmaengine for memcp") Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi> Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com> Tested-by: H. Nikolaus Schaller <hns@goldelico.com> Tested-by: Aaro Koskinen <aaro.koskinen@iki.fi> Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
-
Krzysztof Kozlowski authored
The __iomem memory should be copied with memcpy_fromio. This fixes Sparse warnings like: drivers/mtd/nand/onenand/samsung_mtd.c:678:40: warning: incorrect type in argument 2 (different address spaces) drivers/mtd/nand/onenand/samsung_mtd.c:678:40: expected void const *from drivers/mtd/nand/onenand/samsung_mtd.c:678:40: got void [noderef] <asn:2> *[assigned] p drivers/mtd/nand/onenand/samsung_mtd.c:679:19: warning: incorrect type in assignment (different address spaces) drivers/mtd/nand/onenand/samsung_mtd.c:679:19: expected void [noderef] <asn:2> *[assigned] p drivers/mtd/nand/onenand/samsung_mtd.c:679:19: got unsigned char * Reported-by: kbuild test robot <lkp@intel.com> Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org> Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
-
Amir Mahdi Ghorbanian authored
Correct mispelling, spacing, and coding style flaws caught by checkpatch.pl script in the Omap2 Onenand driver . Signed-off-by: Amir Mahdi Ghorbanian <indigoomega021@gmail.com> Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
-
Vasyl Gomonovych authored
Use dma_addr_t type to pass memory address and control data in DMA descriptor fields memory_pointer and ctrl_data_ptr To fix warning: cast to pointer from integer of different size Signed-off-by: Vasyl Gomonovych <gomonovych@gmail.com> Acked-by: Olof Johansson <olof@lixom.net> Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
-
Christophe Kerello authored
We are currently using nand_soft_waitrdy to poll the status of the NAND flash. FMC2 enables the wait feature bit (this feature is mandatory for the sequencer mode). By enabling this feature, we can't poll the status of the NAND flash, the read status command is stucked in FMC2 pipeline until R/B# signal is high, and locks the CPU bus. To avoid to lock the CPU bus, we poll FMC2 ISR register. This register reports the status of the R/B# signal. Fixes: 2cd457f3 ("mtd: rawnand: stm32_fmc2: add STM32 FMC2 NAND flash controller driver") Signed-off-by: Christophe Kerello <christophe.kerello@st.com> Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
-
git://git.kernel.org/pub/scm/linux/kernel/git/hid/hidLinus Torvalds authored
Pull HID fixes from Jiri Kosina: - fix for OOB in hiddev, from Dmitry Torokhov - _poll API fixes for hidraw, from Marcel Holtmann - functional fix for Steam driver, from Rodrigo Rivas Costa - a few new device IDs / device-specific quirks and other assorted smaller fixes * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid: HID: steam: Fix input device disappearing HID: intel-ish-hid: ipc: Add Tiger Lake PCI device ID drivers/hid/hid-multitouch.c: fix a possible null pointer access. HID: wacom: Recognize new MobileStudio Pro PID HID: intel-ish-hid: ipc: add CMP device id HID: hiddev: fix mess in hiddev_open() HID: hid-input: clear unmapped usages HID: Add quirk for incorrect input length on Lenovo Y720 HID: asus: Ignore Asus vendor-page usage-code 0xff events HID: ite: Add USB id match for Acer SW5-012 keyboard dock HID: Add quirk for Xin-Mo Dual Controller HID: Fix slab-out-of-bounds read in hid_field_extract HID: multitouch: Add LG MELF0410 I2C touchscreen support HID: uhid: Fix returning EPOLLOUT from uhid_char_poll HID: hidraw: Fix returning EPOLLOUT from hidraw_poll
-
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/netLinus Torvalds authored
Pull networking fixes from David Miller: 1) Missing netns pointer init in arp_tables, from Florian Westphal. 2) Fix normal tcp SACK being treated as D-SACK, from Pengcheng Yang. 3) Fix divide by zero in sch_cake, from Wen Yang. 4) Len passed to skb_put_padto() is wrong in qrtr code, from Carl Huang. 5) cmd->obj.chunk is leaked in sctp code error paths, from Xin Long. 6) cgroup bpf programs can be released out of order, fix from Roman Gushchin. 7) Make sure stmmac debugfs entry name is changed when device name changes, from Jiping Ma. 8) Fix memory leak in vlan_dev_set_egress_priority(), from Eric Dumazet. 9) SKB leak in lan78xx usb driver, also from Eric Dumazet. 10) Ridiculous TCA_FQ_QUANTUM values configured can cause loops in fq packet scheduler, reject them. From Eric Dumazet. * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (69 commits) tipc: fix wrong connect() return code tipc: fix link overflow issue at socket shutdown netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present netfilter: conntrack: dccp, sctp: handle null timeout argument atm: eni: fix uninitialized variable warning macvlan: do not assume mac_header is set in macvlan_broadcast() net: sch_prio: When ungrafting, replace with FIFO mlxsw: spectrum_qdisc: Ignore grafting of invisible FIFO MAINTAINERS: Remove myself as co-maintainer for qcom-ethqos gtp: fix bad unlock balance in gtp_encap_enable_socket pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM tipc: remove meaningless assignment in Makefile tipc: do not add socket.o to tipc-y twice net: stmmac: dwmac-sun8i: Allow all RGMII modes net: stmmac: dwmac-sunxi: Allow all RGMII modes net: usb: lan78xx: fix possible skb leak net: stmmac: Fixed link does not need MDIO Bus vlan: vlan_changelink() should propagate errors vlan: fix memory leak in vlan_dev_set_egress_priority stmmac: debugfs entry name is not be changed when udev rename device name. ...
-
Ming Lei authored
Commit 85a8ce62 ("block: add bio_truncate to fix guard_bio_eod") adds bio_truncate() for handling bio EOD. However, bio_truncate() doesn't use the passed 'op' parameter from guard_bio_eod's callers. So bio_trunacate() may retrieve wrong 'op', and zering pages may not be done for READ bio. Fixes this issue by moving guard_bio_eod() after bio_set_op_attrs() in submit_bh_wbc() so that bio_truncate() can always retrieve correct op info. Meantime remove the 'op' parameter from guard_bio_eod() because it isn't used any more. Cc: Carlos Maiolino <cmaiolino@redhat.com> Cc: linux-fsdevel@vger.kernel.org Fixes: 85a8ce62 ("block: add bio_truncate to fix guard_bio_eod") Signed-off-by: Ming Lei <ming.lei@redhat.com> Fold in kerneldoc and bio_op() change. Signed-off-by: Jens Axboe <axboe@kernel.dk>
-
Rodrigo Rivas Costa authored
The `connected` value for wired devices was not properly initialized, it must be set to `true` upon creation, because wired devices do not generate connection events. When a raw client (the Steam Client) uses the device, the input device is destroyed. Then, when the raw client finishes, it must be recreated. But since the `connected` variable was false this never happended. Signed-off-by: Rodrigo Rivas Costa <rodrigorivascosta@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-
Dave Airlie authored
Merge tag 'amd-drm-fixes-5.5-2020-01-08' of git://people.freedesktop.org/~agd5f/linux into drm-fixes amd-drm-fixes-5.5-2020-01-08: amdgpu: - Stability fix for raven - Reduce pixel encoding to if max clock is exceeded on HDMI to allow additional high res modes UAPI: - enable DRIVER_SYNCOBJ_TIMELINE for amdgpu Signed-off-by: Dave Airlie <airlied@redhat.com> From: Alex Deucher <alexdeucher@gmail.com> Link: https://patchwork.freedesktop.org/patch/msgid/20200108213649.5485-1-alexander.deucher@amd.com
-
git://anongit.freedesktop.org/drm/drm-miscDave Airlie authored
mst: Fix NO_STOP_BIT bit offset (Wayne) sun4i: Fix RGB_DIV clock min divider on old hardware (Chen-Yu) fb_helper: Fix bits_per_pixel param set behavior to round up (Geert) Cc: Wayne Lin <Wayne.Lin@amd.com> Cc: Chen-Yu Tsai <wens@csie.org> Cc: Geert Uytterhoeven <geert+renesas@glider.be> Signed-off-by: Dave Airlie <airlied@redhat.com> From: Sean Paul <sean@poorly.run> Link: https://patchwork.freedesktop.org/patch/msgid/20200108205949.GA233273@art_vandelay
-
Kees Cook authored
In my attempt to fix a memory leak, I introduced a double-free in the pstore error path. Instead of trying to manage the allocation lifetime between persistent_ram_new() and its callers, adjust the logic so persistent_ram_new() always takes a kstrdup() copy, and leaves the caller's allocation lifetime up to the caller. Therefore callers are _always_ responsible for freeing their label. Before, it only needed freeing when the prz itself failed to allocate, and not in any of the other prz failure cases, which callers would have no visibility into, which is the root design problem that lead to both the leak and now double-free bugs. Reported-by: Cengiz Can <cengiz@kernel.wtf> Link: https://lore.kernel.org/lkml/d4ec59002ede4aaf9928c7f7526da87c@kernel.wtf Fixes: 8df955a3 ("pstore/ram: Fix error-path memory leak in persistent_ram_new() callers") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org>
-
- 08 Jan, 2020 7 commits
-
-
Tuong Lien authored
The current 'tipc_wait_for_connect()' function does a wait-loop for the condition 'sk->sk_state != TIPC_CONNECTING' to conclude if the socket connecting has done. However, when the condition is met, it returns '0' even in the case the connecting is actually failed, the socket state is set to 'TIPC_DISCONNECTING' (e.g. when the server socket has closed..). This results in a wrong return code for the 'connect()' call from user, making it believe that the connection is established and go ahead with building, sending a message, etc. but finally failed e.g. '-EPIPE'. This commit fixes the issue by changing the wait condition to the 'tipc_sk_connected(sk)', so the function will return '0' only when the connection is really established. Otherwise, either the socket 'sk_err' if any or '-ETIMEDOUT'/'-EINTR' will be returned correspondingly. Acked-by: Ying Xue <ying.xue@windriver.com> Acked-by: Jon Maloy <jon.maloy@ericsson.com> Signed-off-by: Tuong Lien <tuong.t.lien@dektech.com.au> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Tuong Lien authored
When a socket is suddenly shutdown or released, it will reject all the unreceived messages in its receive queue. This applies to a connected socket too, whereas there is only one 'FIN' message required to be sent back to its peer in this case. In case there are many messages in the queue and/or some connections with such messages are shutdown at the same time, the link layer will easily get overflowed at the 'TIPC_SYSTEM_IMPORTANCE' backlog level because of the message rejections. As a result, the link will be taken down. Moreover, immediately when the link is re-established, the socket layer can continue to reject the messages and the same issue happens... The commit refactors the '__tipc_shutdown()' function to only send one 'FIN' in the situation mentioned above. For the connectionless case, it is unavoidable but usually there is no rejections for such socket messages because they are 'dest-droppable' by default. In addition, the new code makes the other socket states clear (e.g.'TIPC_LISTEN') and treats as a separate case to avoid misbehaving. Acked-by: Ying Xue <ying.xue@windriver.com> Acked-by: Jon Maloy <jon.maloy@ericsson.com> Signed-off-by: Tuong Lien <tuong.t.lien@dektech.com.au> Signed-off-by: David S. Miller <davem@davemloft.net>
-
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nfDavid S. Miller authored
Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for net: 1) Missing netns context in arp_tables, from Florian Westphal. 2) Underflow in flowtable reference counter, from wenxu. 3) Fix incorrect ethernet destination address in flowtable offload, from wenxu. 4) Check for status of neighbour entry, from wenxu. 5) Fix NAT port mangling, from wenxu. 6) Unbind callbacks from destroy path to cleanup hardware properly on flowtable removal. 7) Fix missing casting statistics timestamp, add nf_flowtable_time_stamp and use it. 8) NULL pointer exception when timeout argument is null in conntrack dccp and sctp protocol helpers, from Florian Westphal. 9) Possible nul-dereference in ipset with IPSET_ATTR_LINENO, also from Florian. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
Florian Westphal authored
The set uadt functions assume lineno is never NULL, but it is in case of ip_set_utest(). syzkaller managed to generate a netlink message that calls this with LINENO attr present: general protection fault: 0000 [#1] PREEMPT SMP KASAN RIP: 0010:hash_mac4_uadt+0x1bc/0x470 net/netfilter/ipset/ip_set_hash_mac.c:104 Call Trace: ip_set_utest+0x55b/0x890 net/netfilter/ipset/ip_set_core.c:1867 nfnetlink_rcv_msg+0xcf2/0xfb0 net/netfilter/nfnetlink.c:229 netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 nfnetlink_rcv+0x1ba/0x460 net/netfilter/nfnetlink.c:563 pass a dummy lineno storage, its easier than patching all set implementations. This seems to be a day-0 bug. Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Reported-by: syzbot+34bd2369d38707f3f4a7@syzkaller.appspotmail.com Fixes: a7b4f989 ("netfilter: ipset: IP set core support") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Florian Westphal authored
The timeout pointer can be NULL which means we should modify the per-nets timeout instead. All do this, except sctp and dccp which instead give: general protection fault: 0000 [#1] PREEMPT SMP KASAN net/netfilter/nf_conntrack_proto_dccp.c:682 ctnl_timeout_parse_policy+0x150/0x1d0 net/netfilter/nfnetlink_cttimeout.c:67 cttimeout_default_set+0x150/0x1c0 net/netfilter/nfnetlink_cttimeout.c:368 nfnetlink_rcv_msg+0xcf2/0xfb0 net/netfilter/nfnetlink.c:229 netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 Reported-by: syzbot+46a4ad33f345d1dd346e@syzkaller.appspotmail.com Fixes: c779e849 ("netfilter: conntrack: remove get_timeout() indirection") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Arnd Bergmann authored
With -O3, gcc has found an actual unintialized variable stored into an mmio register in two instances: drivers/atm/eni.c: In function 'discard': drivers/atm/eni.c:465:13: error: 'dma[1]' is used uninitialized in this function [-Werror=uninitialized] writel(dma[i*2+1],eni_dev->rx_dma+dma_wr*8+4); ^ drivers/atm/eni.c:465:13: error: 'dma[3]' is used uninitialized in this function [-Werror=uninitialized] Change the code to always write zeroes instead. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
Use of eth_hdr() in tx path is error prone. Many drivers call skb_reset_mac_header() before using it, but others do not. Commit 6d1ccff6 ("net: reset mac header in dev_start_xmit()") attempted to fix this generically, but commit d346a3fa ("packet: introduce PACKET_QDISC_BYPASS socket option") brought back the macvlan bug. Lets add a new helper, so that tx paths no longer have to call skb_reset_mac_header() only to get a pointer to skb->data. Hopefully we will be able to revert 6d1ccff6 ("net: reset mac header in dev_start_xmit()") and save few cycles in transmit fast path. BUG: KASAN: use-after-free in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:251 [inline] BUG: KASAN: use-after-free in macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277 Read of size 4 at addr ffff8880a4932401 by task syz-executor947/9579 CPU: 0 PID: 9579 Comm: syz-executor947 Not tainted 5.5.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x197/0x210 lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:639 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:145 __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] mc_hash drivers/net/macvlan.c:251 [inline] macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277 macvlan_queue_xmit drivers/net/macvlan.c:520 [inline] macvlan_start_xmit+0x402/0x77f drivers/net/macvlan.c:559 __netdev_start_xmit include/linux/netdevice.h:4447 [inline] netdev_start_xmit include/linux/netdevice.h:4461 [inline] dev_direct_xmit+0x419/0x630 net/core/dev.c:4079 packet_direct_xmit+0x1a9/0x250 net/packet/af_packet.c:240 packet_snd net/packet/af_packet.c:2966 [inline] packet_sendmsg+0x260d/0x6220 net/packet/af_packet.c:2991 sock_sendmsg_nosec net/socket.c:639 [inline] sock_sendmsg+0xd7/0x130 net/socket.c:659 __sys_sendto+0x262/0x380 net/socket.c:1985 __do_sys_sendto net/socket.c:1997 [inline] __se_sys_sendto net/socket.c:1993 [inline] __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1993 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x442639 Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ffc13549e08 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442639 RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003 RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000403bb0 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 9389: save_stack+0x23/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc mm/kasan/common.c:513 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527 __do_kmalloc mm/slab.c:3656 [inline] __kmalloc+0x163/0x770 mm/slab.c:3665 kmalloc include/linux/slab.h:561 [inline] tomoyo_realpath_from_path+0xc5/0x660 security/tomoyo/realpath.c:252 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822 tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129 security_inode_getattr+0xf2/0x150 security/security.c:1222 vfs_getattr+0x25/0x70 fs/stat.c:115 vfs_statx_fd+0x71/0xc0 fs/stat.c:145 vfs_fstat include/linux/fs.h:3265 [inline] __do_sys_newfstat+0x9b/0x120 fs/stat.c:378 __se_sys_newfstat fs/stat.c:375 [inline] __x64_sys_newfstat+0x54/0x80 fs/stat.c:375 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 9389: save_stack+0x23/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] kasan_set_free_info mm/kasan/common.c:335 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474 kasan_slab_free+0xe/0x10 mm/kasan/common.c:483 __cache_free mm/slab.c:3426 [inline] kfree+0x10a/0x2c0 mm/slab.c:3757 tomoyo_realpath_from_path+0x1a7/0x660 security/tomoyo/realpath.c:289 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822 tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129 security_inode_getattr+0xf2/0x150 security/security.c:1222 vfs_getattr+0x25/0x70 fs/stat.c:115 vfs_statx_fd+0x71/0xc0 fs/stat.c:145 vfs_fstat include/linux/fs.h:3265 [inline] __do_sys_newfstat+0x9b/0x120 fs/stat.c:378 __se_sys_newfstat fs/stat.c:375 [inline] __x64_sys_newfstat+0x54/0x80 fs/stat.c:375 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8880a4932000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 1025 bytes inside of 4096-byte region [ffff8880a4932000, ffff8880a4933000) The buggy address belongs to the page: page:ffffea0002924c80 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0 raw: 00fffe0000010200 ffffea0002846208 ffffea00028f3888 ffff8880aa402000 raw: 0000000000000000 ffff8880a4932000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a4932300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a4932380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880a4932400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880a4932480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a4932500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Fixes: b863ceb7 ("[NET]: Add macvlan driver") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-