1. 09 Jul, 2019 1 commit
  2. 02 Jul, 2019 3 commits
  3. 28 Jun, 2019 5 commits
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid · 763cf1f2
      Linus Torvalds authored
      Pull HID fixes from Jiri Kosina:
      
       - fix for one corner case in HID++ protocol with respect to handling
         very long reports, from Hans de Goede
      
       - power management fix in Intel-ISH driver, from Hyungwoo Yang
      
       - use-after-free fix in Intel-ISH driver, from Dan Carpenter
      
       - a couple of new device IDs/quirks from Kai-Heng Feng, Kyle Godbey and
         Oleksandr Natalenko
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
        HID: intel-ish-hid: fix wrong driver_data usage
        HID: multitouch: Add pointstick support for ALPS Touchpad
        HID: logitech-dj: Fix forwarding of very long HID++ reports
        HID: uclogic: Add support for Huion HS64 tablet
        HID: chicony: add another quirk for PixArt mouse
        HID: intel-ish-hid: Fix a use after free in load_fw_from_host()
      763cf1f2
    • Linus Torvalds's avatar
      Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · fe2da896
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
       "A smaller batch of fixes, nothing that stands out as risky or scary.
      
        Mostly DTS tweaks for a few issues:
      
         - GPU fixlets for Meson
      
         - CPU idle fix for LS1028A
      
         - PWM interrupt fixes for i.MX6UL
      
        Also, enable a driver (FSL_EDMA) on arm64 defconfig, and a warning and
        two MAINTAINER tweaks"
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
        ARM: dts: imx6ul: fix PWM[1-4] interrupts
        ARM: omap2: remove incorrect __init annotation
        ARM: dts: gemini Fix up DNS-313 compatible string
        ARM: dts: Blank D-Link DIR-685 console
        arm64: defconfig: Enable FSL_EDMA driver
        arm64: dts: ls1028a: Fix CPU idle fail.
        MAINTAINERS: BCM53573: Add internal Broadcom mailing list
        MAINTAINERS: BCM2835: Add internal Broadcom mailing list
        ARM: dts: meson8b: fix the operating voltage of the Mali GPU
        ARM: dts: meson8b: drop undocumented property from the Mali GPU node
        ARM: dts: meson8: fix GPU interrupts and drop an undocumented property
      fe2da896
    • Linus Torvalds's avatar
      Merge tag 'afs-fixes-20190620' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs · cd0f3aae
      Linus Torvalds authored
      Pull AFS fixes from David Howells:
       "The in-kernel AFS client has been undergoing testing on opendev.org on
        one of their mirror machines. They are using AFS to hold data that is
        then served via apache, and Ian Wienand had reported seeing oopses,
        spontaneous machine reboots and updates to volumes going missing. This
        patch series appears to have fixed the problem, very probably due to
        patch (2), but it's not 100% certain.
      
        (1) Fix the printing of the "vnode modified" warning to exclude checks
            on files for which we don't have a callback promise from the
            server (and so don't expect the server to tell us when it
            changes).
      
            Without this, for every file or directory for which we still have
            an in-core inode that gets changed on the server, we may get a
            message logged when we next look at it. This can happen in bulk
            if, for instance, someone does "vos release" to update a R/O
            volume from a R/W volume and a whole set of files are all changed
            together.
      
            We only really want to log a message if the file changed and the
            server didn't tell us about it or we failed to track the state
            internally.
      
        (2) Fix accidental corruption of either afs_vlserver struct objects or
            the the following memory locations (which could hold anything).
            The issue is caused by a union that points to two different
            structs in struct afs_call (to save space in the struct). The call
            cleanup code assumes that it can simply call the cleanup for one
            of those structs if not NULL - when it might be actually pointing
            to the other struct.
      
            This means that every Volume Location RPC op is going to corrupt
            something.
      
        (3) Fix an uninitialised spinlock. This isn't too bad, it just causes
            a one-off warning if lockdep is enabled when "vos release" is
            called, but the spinlock still behaves correctly.
      
        (4) Fix the setting of i_block in the inode. This causes du, for
            example, to produce incorrect results, but otherwise should not be
            dangerous to the kernel"
      
      * tag 'afs-fixes-20190620' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
        afs: Fix setting of i_blocks
        afs: Fix uninitialised spinlock afs_volume::cb_break_lock
        afs: Fix vlserver record corruption
        afs: Fix over zealous "vnode modified" warnings
      cd0f3aae
    • Linus Torvalds's avatar
      Merge tag 'csky-for-linus-5.2-fixup-gcc-unwind' of git://github.com/c-sky/csky-linux · 139ca258
      Linus Torvalds authored
      Pull arch/csky fixup from Guo Ren:
       "A fixup patch for rt_sigframe in signal.c"
      
      * tag 'csky-for-linus-5.2-fixup-gcc-unwind' of git://github.com/c-sky/csky-linux:
        csky: Fixup libgcc unwind error
      139ca258
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · c84afab0
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix ppp_mppe crypto soft dependencies, from Takashi Iawi.
      
       2) Fix TX completion to be finite, from Sergej Benilov.
      
       3) Use register_pernet_device to avoid a dst leak in tipc, from Xin
          Long.
      
       4) Double free of TX cleanup in Dirk van der Merwe.
      
       5) Memory leak in packet_set_ring(), from Eric Dumazet.
      
       6) Out of bounds read in qmi_wwan, from Bjørn Mork.
      
       7) Fix iif used in mcast/bcast looped back packets, from Stephen
          Suryaputra.
      
       8) Fix neighbour resolution on raw ipv6 sockets, from Nicolas Dichtel.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (25 commits)
        af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET
        sctp: change to hold sk after auth shkey is created successfully
        ipv6: fix neighbour resolution with raw socket
        ipv6: constify rt6_nexthop()
        net: dsa: microchip: Use gpiod_set_value_cansleep()
        net: aquantia: fix vlans not working over bridged network
        ipv4: reset rt_iif for recirculated mcast/bcast out pkts
        team: Always enable vlan tx offload
        net/smc: Fix error path in smc_init
        net/smc: hold conns_lock before calling smc_lgr_register_conn()
        bonding: Always enable vlan tx offload
        net/ipv6: Fix misuse of proc_dointvec "skip_notify_on_dev_down"
        ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop
        qmi_wwan: Fix out-of-bounds read
        tipc: check msg->req data len in tipc_nl_compat_bearer_disable
        net: macb: do not copy the mac address if NULL
        net/packet: fix memory leak in packet_set_ring()
        net/tls: fix page double free on TX cleanup
        net/sched: cbs: Fix error path of cbs_module_init
        tipc: change to use register_pernet_device
        ...
      c84afab0
  4. 27 Jun, 2019 2 commits
    • Neil Horman's avatar
      af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET · 89ed5b51
      Neil Horman authored
      When an application is run that:
      a) Sets its scheduler to be SCHED_FIFO
      and
      b) Opens a memory mapped AF_PACKET socket, and sends frames with the
      MSG_DONTWAIT flag cleared, its possible for the application to hang
      forever in the kernel.  This occurs because when waiting, the code in
      tpacket_snd calls schedule, which under normal circumstances allows
      other tasks to run, including ksoftirqd, which in some cases is
      responsible for freeing the transmitted skb (which in AF_PACKET calls a
      destructor that flips the status bit of the transmitted frame back to
      available, allowing the transmitting task to complete).
      
      However, when the calling application is SCHED_FIFO, its priority is
      such that the schedule call immediately places the task back on the cpu,
      preventing ksoftirqd from freeing the skb, which in turn prevents the
      transmitting task from detecting that the transmission is complete.
      
      We can fix this by converting the schedule call to a completion
      mechanism.  By using a completion queue, we force the calling task, when
      it detects there are no more frames to send, to schedule itself off the
      cpu until such time as the last transmitted skb is freed, allowing
      forward progress to be made.
      
      Tested by myself and the reporter, with good results
      
      Change Notes:
      
      V1->V2:
      	Enhance the sleep logic to support being interruptible and
      allowing for honoring to SK_SNDTIMEO (Willem de Bruijn)
      
      V2->V3:
      	Rearrage the point at which we wait for the completion queue, to
      avoid needing to check for ph/skb being null at the end of the loop.
      Also move the complete call to the skb destructor to avoid needing to
      modify __packet_set_status.  Also gate calling complete on
      packet_read_pending returning zero to avoid multiple calls to complete.
      (Willem de Bruijn)
      
      	Move timeo computation within loop, to re-fetch the socket
      timeout since we also use the timeo variable to record the return code
      from the wait_for_complete call (Neil Horman)
      
      V3->V4:
      	Willem has requested that the control flow be restored to the
      previous state.  Doing so lets us eliminate the need for the
      po->wait_on_complete flag variable, and lets us get rid of the
      packet_next_frame function, but introduces another complexity.
      Specifically, but using the packet pending count, we can, if an
      applications calls sendmsg multiple times with MSG_DONTWAIT set, each
      set of transmitted frames, when complete, will cause
      tpacket_destruct_skb to issue a complete call, for which there will
      never be a wait_on_completion call.  This imbalance will lead to any
      future call to wait_for_completion here to return early, when the frames
      they sent may not have completed.  To correct this, we need to re-init
      the completion queue on every call to tpacket_snd before we enter the
      loop so as to ensure we wait properly for the frames we send in this
      iteration.
      
      	Change the timeout and interrupted gotos to out_put rather than
      out_status so that we don't try to free a non-existant skb
      	Clean up some extra newlines (Willem de Bruijn)
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Reported-by: default avatarMatteo Croce <mcroce@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      89ed5b51
    • Xin Long's avatar
      sctp: change to hold sk after auth shkey is created successfully · 25bff6d5
      Xin Long authored
      Now in sctp_endpoint_init(), it holds the sk then creates auth
      shkey. But when the creation fails, it doesn't release the sk,
      which causes a sk defcnf leak,
      
      Here to fix it by only holding the sk when auth shkey is created
      successfully.
      
      Fixes: a29a5bd4 ("[SCTP]: Implement SCTP-AUTH initializations.")
      Reported-by: syzbot+afabda3890cc2f765041@syzkaller.appspotmail.com
      Reported-by: syzbot+276ca1c77a19977c0130@syzkaller.appspotmail.com
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      25bff6d5
  5. 26 Jun, 2019 20 commits
  6. 25 Jun, 2019 4 commits
  7. 24 Jun, 2019 5 commits
    • Linus Torvalds's avatar
      Merge branch 'parisc-5.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux · 249155c2
      Linus Torvalds authored
      Pull parisc fix from Helge Deller:
       "Add missing PCREL64 relocation in module loader to fix module load
        errors when the static branch and JUMP_LABEL feature is enabled on
        a 64-bit kernel"
      
      * 'parisc-5.2-4' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
        parisc: Fix module loading error with JUMP_LABEL feature
      249155c2
    • Linus Torvalds's avatar
      Merge tag 'mfd-fixes-5.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd · c88e40e0
      Linus Torvalds authored
      Pull mfd bugfix from Lee Jones.
      
      Fix stmfx type confusion between regmap_read() (which takes an "u32")
      and the bitmap operations (which take an "unsigned long" array).
      
      * tag 'mfd-fixes-5.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd:
        mfd: stmfx: Fix an endian bug in stmfx_irq_handler()
        mfd: stmfx: Uninitialized variable in stmfx_irq_handler()
      c88e40e0
    • Bjørn Mork's avatar
      qmi_wwan: Fix out-of-bounds read · 904d88d7
      Bjørn Mork authored
      The syzbot reported
      
       Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0xca/0x13e lib/dump_stack.c:113
        print_address_description+0x67/0x231 mm/kasan/report.c:188
        __kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317
        kasan_report+0xe/0x20 mm/kasan/common.c:614
        qmi_wwan_probe+0x342/0x360 drivers/net/usb/qmi_wwan.c:1417
        usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
        really_probe+0x281/0x660 drivers/base/dd.c:509
        driver_probe_device+0x104/0x210 drivers/base/dd.c:670
        __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
        bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
      
      Caused by too many confusing indirections and casts.
      id->driver_info is a pointer stored in a long.  We want the
      pointer here, not the address of it.
      
      Thanks-to: Hillf Danton <hdanton@sina.com>
      Reported-by: syzbot+b68605d7fadd21510de1@syzkaller.appspotmail.com
      Cc: Kristian Evensen <kristian.evensen@gmail.com>
      Fixes: e4bf6348 ("qmi_wwan: Add quirk for Quectel dynamic config")
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      904d88d7
    • Xin Long's avatar
      tipc: check msg->req data len in tipc_nl_compat_bearer_disable · 4f07b80c
      Xin Long authored
      This patch is to fix an uninit-value issue, reported by syzbot:
      
        BUG: KMSAN: uninit-value in memchr+0xce/0x110 lib/string.c:981
        Call Trace:
          __dump_stack lib/dump_stack.c:77 [inline]
          dump_stack+0x191/0x1f0 lib/dump_stack.c:113
          kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
          __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
          memchr+0xce/0x110 lib/string.c:981
          string_is_valid net/tipc/netlink_compat.c:176 [inline]
          tipc_nl_compat_bearer_disable+0x2a1/0x480 net/tipc/netlink_compat.c:449
          __tipc_nl_compat_doit net/tipc/netlink_compat.c:327 [inline]
          tipc_nl_compat_doit+0x3ac/0xb00 net/tipc/netlink_compat.c:360
          tipc_nl_compat_handle net/tipc/netlink_compat.c:1178 [inline]
          tipc_nl_compat_recv+0x1b1b/0x27b0 net/tipc/netlink_compat.c:1281
      
      TLV_GET_DATA_LEN() may return a negtive int value, which will be
      used as size_t (becoming a big unsigned long) passed into memchr,
      cause this issue.
      
      Similar to what it does in tipc_nl_compat_bearer_enable(), this
      fix is to return -EINVAL when TLV_GET_DATA_LEN() is negtive in
      tipc_nl_compat_bearer_disable(), as well as in
      tipc_nl_compat_link_stat_dump() and tipc_nl_compat_link_reset_stats().
      
      v1->v2:
        - add the missing Fixes tags per Eric's request.
      
      Fixes: 0762216c ("tipc: fix uninit-value in tipc_nl_compat_bearer_enable")
      Fixes: 8b66fee7 ("tipc: fix uninit-value in tipc_nl_compat_link_reset_stats")
      Reported-by: syzbot+30eaa8bf392f7fafffaf@syzkaller.appspotmail.com
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4f07b80c
    • Antoine Tenart's avatar
      net: macb: do not copy the mac address if NULL · 2bf4ecbc
      Antoine Tenart authored
      This patch fixes the MAC address setup in the probe. The MAC address
      retrieved using of_get_mac_address was checked for not containing an
      error, but it may also be NULL which wasn't tested. Fix it by replacing
      IS_ERR with IS_ERR_OR_NULL.
      
      Fixes: 541ddc66 ("net: macb: support of_get_mac_address new ERR_PTR error")
      Signed-off-by: default avatarAntoine Tenart <antoine.tenart@bootlin.com>
      Acked-by: default avatarNicolas Ferre <nicolas.ferre@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2bf4ecbc