December 2019 - Linux-stable-mirror

[PATCH 5.5 regression fix 2/2] efi/libstub/helper: Initialize pointer variables to zero for mixed mode

by Hans de Goede

When running in EFI mixed mode (running a 64 bit kernel on 32 bit EFI firmware), we _must_ initialize any pointers which are returned by reference by an EFI call to NULL before making the EFI call. In mixed mode pointers are 64 bit, but when running on a 32 bit firmware, EFI calls which return a pointer value by reference only fill the lower 32 bits of the passed pointer, leaving the upper 32 bits uninitialized unless we explicitly set them to 0 before the call. We have had this bug in the efi-stub-helper.c file reading code for a while now, but this has likely not been noticed sofar because this code only gets triggered when LILO style file=... arguments are present on the kernel cmdline. Cc: stable(a)vger.kernel.org Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> --- drivers/firmware/efi/libstub/efi-stub-helper.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c index e02579907f2e..6ca7d86743af 100644 --- a/drivers/firmware/efi/libstub/efi-stub-helper.c +++ b/drivers/firmware/efi/libstub/efi-stub-helper.c @@ -365,7 +365,7 @@ static efi_status_t efi_file_size(efi_system_table_t *sys_table_arg, void *__fh, u64 *file_sz) { efi_file_handle_t *h, *fh = __fh; - efi_file_info_t *info; + efi_file_info_t *info = NULL; efi_status_t status; efi_guid_t info_guid = EFI_FILE_INFO_ID; unsigned long info_sz; @@ -527,7 +527,7 @@ efi_status_t handle_cmdline_files(efi_system_table_t *sys_table_arg, unsigned long *load_addr, unsigned long *load_size) { - struct file_info *files; + struct file_info *files = NULL; unsigned long file_addr; u64 file_size_total; efi_file_handle_t *fh = NULL; -- 2.23.0

5 years

2
5
0 0

[git:media_tree/master] media: pulse8-cec: fix lost cec_transmit_attempt_done() call

by Mauro Carvalho Chehab

This is an automatic generated email to let you know that the following patch were queued: Subject: media: pulse8-cec: fix lost cec_transmit_attempt_done() call Author: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Date: Sat Dec 7 23:43:23 2019 +0100 The periodic PING command could interfere with the result of a CEC transmit, causing a lost cec_transmit_attempt_done() call. Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Cc: <stable(a)vger.kernel.org> # for v4.10 and up Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> drivers/media/usb/pulse8-cec/pulse8-cec.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) --- diff --git a/drivers/media/usb/pulse8-cec/pulse8-cec.c b/drivers/media/usb/pulse8-cec/pulse8-cec.c index ac88ade94cda..59609556d969 100644 --- a/drivers/media/usb/pulse8-cec/pulse8-cec.c +++ b/drivers/media/usb/pulse8-cec/pulse8-cec.c @@ -116,6 +116,7 @@ struct pulse8 { unsigned int vers; struct completion cmd_done; struct work_struct work; + u8 work_result; struct delayed_work ping_eeprom_work; struct cec_msg rx_msg; u8 data[DATA_SIZE]; @@ -137,8 +138,10 @@ static void pulse8_irq_work_handler(struct work_struct *work) { struct pulse8 *pulse8 = container_of(work, struct pulse8, work); + u8 result = pulse8->work_result; - switch (pulse8->data[0] & 0x3f) { + pulse8->work_result = 0; + switch (result & 0x3f) { case MSGCODE_FRAME_DATA: cec_received_msg(pulse8->adap, &pulse8->rx_msg); break; @@ -172,12 +175,12 @@ static irqreturn_t pulse8_interrupt(struct serio *serio, unsigned char data, pulse8->escape = false; } else if (data == MSGEND) { struct cec_msg *msg = &pulse8->rx_msg; + u8 msgcode = pulse8->buf[0]; if (debug) dev_info(pulse8->dev, "received: %*ph\n", pulse8->idx, pulse8->buf); - pulse8->data[0] = pulse8->buf[0]; - switch (pulse8->buf[0] & 0x3f) { + switch (msgcode & 0x3f) { case MSGCODE_FRAME_START: msg->len = 1; msg->msg[0] = pulse8->buf[1]; @@ -186,14 +189,20 @@ static irqreturn_t pulse8_interrupt(struct serio *serio, unsigned char data, if (msg->len == CEC_MAX_MSG_SIZE) break; msg->msg[msg->len++] = pulse8->buf[1]; - if (pulse8->buf[0] & MSGCODE_FRAME_EOM) + if (msgcode & MSGCODE_FRAME_EOM) { + WARN_ON(pulse8->work_result); + pulse8->work_result = msgcode; schedule_work(&pulse8->work); + break; + } break; case MSGCODE_TRANSMIT_SUCCEEDED: case MSGCODE_TRANSMIT_FAILED_LINE: case MSGCODE_TRANSMIT_FAILED_ACK: case MSGCODE_TRANSMIT_FAILED_TIMEOUT_DATA: case MSGCODE_TRANSMIT_FAILED_TIMEOUT_LINE: + WARN_ON(pulse8->work_result); + pulse8->work_result = msgcode; schedule_work(&pulse8->work); break; case MSGCODE_HIGH_ERROR:

5 years

1
0
0 0

[git:media_tree/master] media: cec: check 'transmit_in_progress', not 'transmitting'

by Mauro Carvalho Chehab

This is an automatic generated email to let you know that the following patch were queued: Subject: media: cec: check 'transmit_in_progress', not 'transmitting' Author: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Date: Wed Dec 11 12:47:57 2019 +0100 Currently wait_event_interruptible_timeout is called in cec_thread_func() when adap->transmitting is set. But if the adapter is unconfigured while transmitting, then adap->transmitting is set to NULL. But the hardware is still actually transmitting the message, and that's indicated by adap->transmit_in_progress and we should wait until that is finished or times out before transmitting new messages. As the original commit says: adap->transmitting is the userspace view, adap->transmit_in_progress reflects the hardware state. However, if adap->transmitting is NULL and adap->transmit_in_progress is true, then wait_event_interruptible is called (no timeout), which can get stuck indefinitely if the CEC driver is flaky and never marks the transmit-in-progress as 'done'. So test against transmit_in_progress when deciding whether to use the timeout variant or not, instead of testing against adap->transmitting. Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Fixes: 32804fcb612b ("media: cec: keep track of outstanding transmits") Cc: <stable(a)vger.kernel.org> # for v4.19 and up Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> drivers/media/cec/cec-adap.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) --- diff --git a/drivers/media/cec/cec-adap.c b/drivers/media/cec/cec-adap.c index 1060e633b623..6c95dc471d4c 100644 --- a/drivers/media/cec/cec-adap.c +++ b/drivers/media/cec/cec-adap.c @@ -465,7 +465,7 @@ int cec_thread_func(void *_adap) bool timeout = false; u8 attempts; - if (adap->transmitting) { + if (adap->transmit_in_progress) { int err; /* @@ -500,7 +500,7 @@ int cec_thread_func(void *_adap) goto unlock; } - if (adap->transmitting && timeout) { + if (adap->transmit_in_progress && timeout) { /* * If we timeout, then log that. Normally this does * not happen and it is an indication of a faulty CEC @@ -509,14 +509,18 @@ int cec_thread_func(void *_adap) * so much traffic on the bus that the adapter was * unable to transmit for CEC_XFER_TIMEOUT_MS (2.1s). */ - pr_warn("cec-%s: message %*ph timed out\n", adap->name, - adap->transmitting->msg.len, - adap->transmitting->msg.msg); + if (adap->transmitting) { + pr_warn("cec-%s: message %*ph timed out\n", adap->name, + adap->transmitting->msg.len, + adap->transmitting->msg.msg); + /* Just give up on this. */ + cec_data_cancel(adap->transmitting, + CEC_TX_STATUS_TIMEOUT); + } else { + pr_warn("cec-%s: transmit timed out\n", adap->name); + } adap->transmit_in_progress = false; adap->tx_timeouts++; - /* Just give up on this. */ - cec_data_cancel(adap->transmitting, - CEC_TX_STATUS_TIMEOUT); goto unlock; }

5 years

1
0
0 0

[git:media_tree/master] media: cec: avoid decrementing transmit_queue_sz if it is 0

by Mauro Carvalho Chehab

This is an automatic generated email to let you know that the following patch were queued: Subject: media: cec: avoid decrementing transmit_queue_sz if it is 0 Author: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Date: Sat Dec 7 23:48:09 2019 +0100 WARN if transmit_queue_sz is 0 but do not decrement it. The CEC adapter will become unresponsive if it goes below 0 since then it thinks there are 4 billion messages in the queue. Obviously this should not happen, but a driver bug could cause this. Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Cc: <stable(a)vger.kernel.org> # for v4.12 and up Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> drivers/media/cec/cec-adap.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) --- diff --git a/drivers/media/cec/cec-adap.c b/drivers/media/cec/cec-adap.c index e90c30dac68b..1060e633b623 100644 --- a/drivers/media/cec/cec-adap.c +++ b/drivers/media/cec/cec-adap.c @@ -380,7 +380,8 @@ static void cec_data_cancel(struct cec_data *data, u8 tx_status) } else { list_del_init(&data->list); if (!(data->msg.tx_status & CEC_TX_STATUS_OK)) - data->adap->transmit_queue_sz--; + if (!WARN_ON(!data->adap->transmit_queue_sz)) + data->adap->transmit_queue_sz--; } if (data->msg.tx_status & CEC_TX_STATUS_OK) { @@ -432,6 +433,14 @@ static void cec_flush(struct cec_adapter *adap) * need to do anything special in that case. */ } + /* + * If something went wrong and this counter isn't what it should + * be, then this will reset it back to 0. Warn if it is not 0, + * since it indicates a bug, either in this framework or in a + * CEC driver. + */ + if (WARN_ON(adap->transmit_queue_sz)) + adap->transmit_queue_sz = 0; } /* @@ -522,7 +531,8 @@ int cec_thread_func(void *_adap) data = list_first_entry(&adap->transmit_queue, struct cec_data, list); list_del_init(&data->list); - adap->transmit_queue_sz--; + if (!WARN_ON(!data->adap->transmit_queue_sz)) + adap->transmit_queue_sz--; /* Make this the current transmitting message */ adap->transmitting = data;

5 years

1
0
0 0

[git:media_tree/master] media: cec: CEC 2.0-only bcast messages were ignored

by Mauro Carvalho Chehab

This is an automatic generated email to let you know that the following patch were queued: Subject: media: cec: CEC 2.0-only bcast messages were ignored Author: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Date: Wed Dec 4 08:52:08 2019 +0100 Some messages are allowed to be a broadcast message in CEC 2.0 only, and should be ignored by CEC 1.4 devices. Unfortunately, the check was wrong, causing such messages to be marked as invalid under CEC 2.0. Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Cc: <stable(a)vger.kernel.org> # for v4.10 and up Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> drivers/media/cec/cec-adap.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- diff --git a/drivers/media/cec/cec-adap.c b/drivers/media/cec/cec-adap.c index 9340435a94a0..e90c30dac68b 100644 --- a/drivers/media/cec/cec-adap.c +++ b/drivers/media/cec/cec-adap.c @@ -1085,11 +1085,11 @@ void cec_received_msg_ts(struct cec_adapter *adap, valid_la = false; else if (!cec_msg_is_broadcast(msg) && !(dir_fl & DIRECTED)) valid_la = false; - else if (cec_msg_is_broadcast(msg) && !(dir_fl & BCAST1_4)) + else if (cec_msg_is_broadcast(msg) && !(dir_fl & BCAST)) valid_la = false; else if (cec_msg_is_broadcast(msg) && - adap->log_addrs.cec_version >= CEC_OP_CEC_VERSION_2_0 && - !(dir_fl & BCAST2_0)) + adap->log_addrs.cec_version < CEC_OP_CEC_VERSION_2_0 && + !(dir_fl & BCAST1_4)) valid_la = false; } if (valid_la && min_len) {

5 years

1
0
0 0

[PATCH 5.3 000/105] 5.3.16-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.3.16 release. There are 105 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 13 Dec 2019 14:56:06 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.3.16-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.3.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.3.16-rc1 Jann Horn <jannh(a)google.com> binder: Handle start==NULL in binder_update_page_range() Jann Horn <jannh(a)google.com> binder: Prevent repeated use of ->mmap() via NULL mapping Jann Horn <jannh(a)google.com> binder: Fix race between mmap() and binder_alloc_print_pages() Nicolas Pitre <nico(a)fluxnic.net> vcs: prevent write access to vcsu devices Wei Wang <wvw(a)google.com> thermal: Fix deadlock in thermal thermal_zone_device_check Jan Kara <jack(a)suse.cz> iomap: Fix pipe page leakage during splicing Viresh Kumar <viresh.kumar(a)linaro.org> RDMA/qib: Validate ->show()/store() callbacks before calling them Johan Hovold <johan(a)kernel.org> can: ucan: fix non-atomic allocation in completion handler Gregory CLEMENT <gregory.clement(a)bootlin.com> spi: Fix NULL pointer when setting SPI_CS_HIGH for GPIO CS Gregory CLEMENT <gregory.clement(a)bootlin.com> spi: Fix SPI_CS_HIGH setting when using native and GPIO CS Gregory CLEMENT <gregory.clement(a)bootlin.com> spi: atmel: Fix CS high support Patrice Chotard <patrice.chotard(a)st.com> spi: stm32-qspi: Fix kernel oops when unbinding driver Frieder Schrempf <frieder.schrempf(a)kontron.de> spi: spi-fsl-qspi: Clear TDH bits in FLSHCR register Navid Emamdoost <navid.emamdoost(a)gmail.com> crypto: user - fix memory leak in crypto_reportstat Navid Emamdoost <navid.emamdoost(a)gmail.com> crypto: user - fix memory leak in crypto_report Ard Biesheuvel <ard.biesheuvel(a)linaro.org> crypto: ecdh - fix big endian bug in ECC library Mark Salter <msalter(a)redhat.com> crypto: ccp - fix uninitialized list head Ard Biesheuvel <ard.biesheuvel(a)linaro.org> crypto: geode-aes - switch to skcipher for cbc(aes) fallback Ayush Sawal <ayush.sawal(a)chelsio.com> crypto: af_alg - cast ki_complete ternary op to int Tudor Ambarus <tudor.ambarus(a)microchip.com> crypto: atmel-aes - Fix IV handling when req->nbytes < ivsize Christian Lamparter <chunkeey(a)gmail.com> crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr Sean Christopherson <sean.j.christopherson(a)intel.com> KVM: x86: Grab KVM's srcu lock when setting nested state Sean Christopherson <sean.j.christopherson(a)intel.com> KVM: x86: Remove a spurious export of a static function Paolo Bonzini <pbonzini(a)redhat.com> KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES Paolo Bonzini <pbonzini(a)redhat.com> KVM: x86: do not modify masked bits of shared MSRs Zenghui Yu <yuzenghui(a)huawei.com> KVM: arm/arm64: vgic: Don't rely on the wrong pending table Sean Christopherson <sean.j.christopherson(a)intel.com> KVM: nVMX: Always write vmcs02.GUEST_CR3 during nested VM-Enter Greg Kurz <groug(a)kaod.org> KVM: PPC: Book3S HV: XIVE: Set kvm->arch.xive when VPs are allocated Greg Kurz <groug(a)kaod.org> KVM: PPC: Book3S HV: XIVE: Fix potential page leak on error path Greg Kurz <groug(a)kaod.org> KVM: PPC: Book3S HV: XIVE: Free previous EQ page when setting up a new one Marek Szyprowski <m.szyprowski(a)samsung.com> arm64: dts: exynos: Revert "Remove unneeded address space mapping for soc node" Dan Carpenter <dan.carpenter(a)oracle.com> drm/i810: Prevent underflow in ioctl Sean Paul <seanpaul(a)chromium.org> drm: damage_helper: Fix race checking plane->state->fb Johan Hovold <johan(a)kernel.org> drm/msm: fix memleak on release Jan Kara <jack(a)suse.cz> jbd2: Fix possible overflow in jbd2_log_space_left() Tejun Heo <tj(a)kernel.org> kernfs: fix ino wrap-around detection J. Bruce Fields <bfields(a)redhat.com> nfsd: restore NFSv3 ACL support Trond Myklebust <trondmy(a)gmail.com> nfsd: Ensure CLONE persists data and metadata changes to the target file Jouni Hogander <jouni.hogander(a)unikie.com> can: slcan: Fix use-after-free Read in slcan_open Dmitry Torokhov <dmitry.torokhov(a)gmail.com> tty: vt: keyboard: reject invalid keycodes Pavel Shilovsky <pshilov(a)microsoft.com> CIFS: Fix SMB2 oplock break processing Pavel Shilovsky <pshilov(a)microsoft.com> CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks Kai-Heng Feng <kai.heng.feng(a)canonical.com> x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect Joerg Roedel <jroedel(a)suse.de> x86/mm/32: Sync only to VMALLOC_END in vmalloc_sync_all() Sean Young <sean(a)mess.org> media: rc: mark input device as pointing stick Navid Emamdoost <navid.emamdoost(a)gmail.com> Input: Fix memory leak in psxpad_spi_probe Mike Leach <mike.leach(a)linaro.org> coresight: etm4x: Fix input validation for sysfs. Hans de Goede <hdegoede(a)redhat.com> Input: goodix - add upside-down quirk for Teclast X89 tablet Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers Lucas Stach <l.stach(a)pengutronix.de> Input: synaptics-rmi4 - re-enable IRQs in f34v7_do_reflash Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus Takashi Iwai <tiwai(a)suse.de> ALSA: hda: Modify stream stripe mask only when needed Kai-Heng Feng <kai.heng.feng(a)canonical.com> ALSA: hda - Add mute led support for HP ProBook 645 G4 Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: oss: Avoid potential buffer overflows Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236 Hui Wang <hui.wang(a)canonical.com> ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop Jian-Hong Pan <jian-hong(a)endlessm.com> ALSA: hda/realtek - Enable internal speaker of ASUS UX431FLC Trond Myklebust <trond.myklebust(a)hammerspace.com> SUNRPC: Avoid RPC delays when exiting suspend Jens Axboe <axboe(a)kernel.dk> io_uring: ensure req->submit is copied when req is deferred Miklos Szeredi <mszeredi(a)redhat.com> fuse: verify attributes Miklos Szeredi <mszeredi(a)redhat.com> fuse: verify nlink Jens Axboe <axboe(a)kernel.dk> io_uring: transform send/recvmsg() -ERESTARTSYS to -EINTR Wen Yang <wenyang(a)linux.alibaba.com> i2c: core: fix use after free in of_i2c_notify Chuhong Yuan <hslester96(a)gmail.com> net: ep93xx_eth: fix mismatch of request_mem_region in remove David Howells <dhowells(a)redhat.com> afs: Fix race in commit bulk status fetch Yonglong Liu <liuyonglong(a)huawei.com> net: hns3: fix ETS bandwidth validation bug Yunsheng Lin <linyunsheng(a)huawei.com> net: hns3: reallocate SSU' buffer size when pfc_en changes Ulrich Hecht <uli+renesas(a)fpond.eu> ravb: implement MTU change while device is up Chuhong Yuan <hslester96(a)gmail.com> rsxx: add missed destroy_workqueue calls in remove Ilya Dryomov <idryomov(a)gmail.com> rbd: silence bogus uninitialized warning in rbd_object_map_update_finish() Vitaly Kuznetsov <vkuznets(a)redhat.com> selftests: kvm: fix build with glibc >= 2.30 Yunhao Tian <t123yh(a)outlook.com> drm/sun4i: tcon: Set min division of TCON0_DCLK to 1. Xiaochen Shen <xiaochen.shen(a)intel.com> x86/resctrl: Fix potential lockdep warning paulhsia <paulhsia(a)chromium.org> ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed() Alexander Shishkin <alexander.shishkin(a)linux.intel.com> perf/core: Consistently fail fork on allocation failures Vincent Guittot <vincent.guittot(a)linaro.org> sched/pelt: Fix update of blocked PELT ordering Peter Zijlstra <peterz(a)infradead.org> sched/core: Avoid spurious lock dependencies Pan Bian <bianpan2016(a)163.com> Input: cyttsp4_core - fix use after free bug Junichi Nomura <j-nomura(a)ce.jp.nec.com> block: check bi_size overflow before merge Xiaodong Xu <stid.smth(a)gmail.com> xfrm: release device reference for invalid state Stephan Gerhold <stephan(a)gerhold.net> NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error Chiou, Cooper <cooper.chiou(a)intel.com> ALSA: hda: Add Cometlake-S PCI ID Al Viro <viro(a)zeniv.linux.org.uk> ecryptfs: fix unlink and rmdir in face of underlying fs modifications Al Viro <viro(a)zeniv.linux.org.uk> audit_get_nd(): don't unlock parent too early Al Viro <viro(a)zeniv.linux.org.uk> exportfs_decode_fh(): negative pinned may become positive without the parent locked Al Viro <viro(a)zeniv.linux.org.uk> cgroup: don't put ERR_PTR() into fc->root Mordechay Goodstein <mordechay.goodstein(a)intel.com> iwlwifi: pcie: don't consider IV len in A-MSDU Wenpeng Liang <liangwenpeng(a)huawei.com> RDMA/hns: Correct the value of srq_desc_size Sirong Wang <wangsirong(a)huawei.com> RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN Thomas Bogendoerfer <tbogendoerfer(a)suse.de> MIPS: SGI-IP27: fix exception handler replication Al Viro <viro(a)zeniv.linux.org.uk> autofs: fix a leak in autofs_expire_indirect() Guillem Jover <guillem(a)hadrons.org> aio: Fix io_pgetevents() struct __compat_aio_sigset layout Chuhong Yuan <hslester96(a)gmail.com> serial: ifx6x60: add missed pm_runtime_disable Fabrice Gasnier <fabrice.gasnier(a)st.com> serial: stm32: fix clearing interrupt error flags Jiangfeng Xiao <xiaojiangfeng(a)huawei.com> serial: serial_core: Perform NULL checks for break_ctl ops Vincent Whitchurch <vincent.whitchurch(a)axis.com> serial: pl011: Fix DMA ->flush_buffer() Jeffrey Hugo <jeffrey.l.hugo(a)gmail.com> tty: serial: msm_serial: Fix flow control Peng Fan <peng.fan(a)nxp.com> tty: serial: fsl_lpuart: use the sg count from dma_map_sg Michał Mirosław <mirq-linux(a)rere.qmqm.pl> usb: gadget: u_serial: add missing port entry locking Dmitry Safonov <0x7f454c46(a)gmail.com> time: Zero the upper 32-bits in __kernel_timespec on 32-bit Arnd Bergmann <arnd(a)arndb.de> lp: fix sparc64 LPSETTIMEOUT ioctl Tuowen Zhao <ztuowen(a)gmail.com> sparc64: implement ioremap_uc Adrian Hunter <adrian.hunter(a)intel.com> perf scripts python: exported-sql-viewer.py: Fix use of TRUE with SQLite Jon Hunter <jonathanh(a)nvidia.com> arm64: tegra: Fix 'active-low' warning for Jetson TX1 regulator Navid Emamdoost <navid.emamdoost(a)gmail.com> rsi: release skb if rsi_prepare_beacon fails ------------- Diffstat: Makefile | 4 +- arch/arm64/boot/dts/exynos/exynos5433.dtsi | 6 +- arch/arm64/boot/dts/exynos/exynos7.dtsi | 6 +- arch/arm64/boot/dts/nvidia/tegra210-p2597.dtsi | 2 +- arch/mips/sgi-ip27/Kconfig | 7 --- arch/mips/sgi-ip27/ip27-init.c | 21 ++----- arch/mips/sgi-ip27/ip27-memory.c | 4 -- arch/powerpc/kvm/book3s_xive.c | 11 ++-- arch/powerpc/kvm/book3s_xive_native.c | 46 +++++++++------ arch/sparc/include/asm/io_64.h | 1 + arch/x86/kernel/cpu/resctrl/rdtgroup.c | 4 -- arch/x86/kvm/vmx/nested.c | 10 ++++ arch/x86/kvm/vmx/vmx.c | 10 +++- arch/x86/kvm/x86.c | 17 ++++-- arch/x86/mm/fault.c | 2 +- arch/x86/pci/fixup.c | 11 ++++ block/bio.c | 2 +- crypto/af_alg.c | 2 +- crypto/crypto_user_base.c | 4 +- crypto/crypto_user_stat.c | 4 +- crypto/ecc.c | 3 +- drivers/android/binder_alloc.c | 41 ++++++++------ drivers/block/rbd.c | 2 +- drivers/block/rsxx/core.c | 2 + drivers/char/lp.c | 4 ++ drivers/crypto/amcc/crypto4xx_core.c | 6 +- drivers/crypto/atmel-aes.c | 53 ++++++++++-------- drivers/crypto/ccp/ccp-dmaengine.c | 1 + drivers/crypto/geode-aes.c | 57 +++++++++++-------- drivers/crypto/geode-aes.h | 2 +- drivers/gpu/drm/drm_damage_helper.c | 8 ++- drivers/gpu/drm/i810/i810_dma.c | 4 +- drivers/gpu/drm/msm/msm_debugfs.c | 6 +- drivers/gpu/drm/sun4i/sun4i_tcon.c | 2 +- .../hwtracing/coresight/coresight-etm4x-sysfs.c | 21 ++++--- drivers/i2c/i2c-core-of.c | 4 +- drivers/infiniband/hw/hns/hns_roce_hem.h | 2 +- drivers/infiniband/hw/hns/hns_roce_srq.c | 2 +- drivers/infiniband/hw/qib/qib_sysfs.c | 6 ++ drivers/input/joystick/psxpad-spi.c | 2 +- drivers/input/mouse/synaptics.c | 1 + drivers/input/rmi4/rmi_f34v7.c | 3 + drivers/input/rmi4/rmi_smbus.c | 2 - drivers/input/touchscreen/cyttsp4_core.c | 7 --- drivers/input/touchscreen/goodix.c | 9 +++ drivers/media/rc/rc-main.c | 1 + drivers/net/can/slcan.c | 1 + drivers/net/can/usb/ucan.c | 2 +- drivers/net/ethernet/cirrus/ep93xx_eth.c | 5 +- .../net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c | 19 ++++++- drivers/net/ethernet/renesas/ravb.h | 3 +- drivers/net/ethernet/renesas/ravb_main.c | 26 +++++---- drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c | 20 +++---- drivers/net/wireless/rsi/rsi_91x_mgmt.c | 1 + drivers/nfc/nxp-nci/i2c.c | 6 +- drivers/spi/spi-atmel.c | 6 +- drivers/spi/spi-fsl-qspi.c | 38 +++++++++++-- drivers/spi/spi-stm32-qspi.c | 3 +- drivers/spi/spi.c | 19 ++++--- drivers/thermal/thermal_core.c | 4 +- drivers/tty/serial/amba-pl011.c | 6 +- drivers/tty/serial/fsl_lpuart.c | 4 +- drivers/tty/serial/ifx6x60.c | 3 + drivers/tty/serial/msm_serial.c | 6 +- drivers/tty/serial/serial_core.c | 2 +- drivers/tty/serial/stm32-usart.c | 6 +- drivers/tty/vt/keyboard.c | 2 +- drivers/tty/vt/vc_screen.c | 3 + drivers/usb/gadget/function/u_serial.c | 2 + fs/afs/dir.c | 7 ++- fs/aio.c | 10 ++-- fs/autofs/expire.c | 5 +- fs/cifs/file.c | 7 ++- fs/cifs/smb2misc.c | 7 +-- fs/ecryptfs/inode.c | 65 +++++++++++++--------- fs/exportfs/expfs.c | 31 +++++++---- fs/fuse/dir.c | 25 ++++++--- fs/fuse/fuse_i.h | 2 + fs/fuse/readdir.c | 2 +- fs/io_uring.c | 9 ++- fs/iomap/direct-io.c | 9 ++- fs/kernfs/dir.c | 5 +- fs/nfsd/nfs4proc.c | 3 +- fs/nfsd/nfssvc.c | 3 +- fs/nfsd/vfs.c | 8 ++- fs/nfsd/vfs.h | 2 +- include/linux/jbd2.h | 4 +- include/linux/kernfs.h | 1 + include/sound/hdaudio.h | 1 + kernel/audit_watch.c | 2 +- kernel/cgroup/cgroup.c | 5 +- kernel/events/core.c | 2 +- kernel/sched/core.c | 3 +- kernel/sched/fair.c | 29 +++++++--- kernel/time/time.c | 3 +- net/sunrpc/sched.c | 2 +- net/xfrm/xfrm_input.c | 3 + sound/core/oss/linear.c | 2 + sound/core/oss/mulaw.c | 2 + sound/core/oss/route.c | 2 + sound/core/pcm_lib.c | 8 ++- sound/hda/hdac_stream.c | 19 ++++--- sound/pci/hda/hda_intel.c | 3 + sound/pci/hda/patch_conexant.c | 1 + sound/pci/hda/patch_hdmi.c | 5 ++ sound/pci/hda/patch_realtek.c | 18 +++++- tools/perf/scripts/python/exported-sql-viewer.py | 10 +++- tools/testing/selftests/kvm/lib/assert.c | 4 +- virt/kvm/arm/vgic/vgic-v3.c | 6 +- 109 files changed, 597 insertions(+), 350 deletions(-)

5 years

6
124
0 0

[PATCH 0/2] usbip: Fix infinite loop in vhci rx

by Suwan Kim

usbip: Fix infinite loop in vhci rx https://lore.kernel.org/linux-usb/20191206032406.GE1208@mail-itl/T/#u In this mail thread, it shows system hang when there is receive error in vhci. There are two different causes in this bug. [1] Wrong receive logic in vhci when using scatter-gather [2] Wrong error path of vhci_recv_ret_submit() [1] considers normal reception to be an error condition and closes connection. And when [1] error situation occurs, wrong error path[2] causes the system freeze. So each patch fixes this bugs. Suwan Kim (2): usbip: Fix receive error in vhci-hcd when using scatter-gather usbip: Fix error path of vhci_recv_ret_submit() drivers/usb/usbip/usbip_common.c | 3 +++ drivers/usb/usbip/vhci_rx.c | 13 +++++++++---- 2 files changed, 12 insertions(+), 4 deletions(-) -- 2.20.1

5 years

3
6
0 0

[PATCH AUTOSEL 4.4 01/37] scsi: mpt3sas: Fix clear pending bit in ioctl status

by Sasha Levin

From: Sreekanth Reddy <sreekanth.reddy(a)broadcom.com> [ Upstream commit 782b281883caf70289ba6a186af29441a117d23e ] When user issues diag register command from application with required size, and if driver unable to allocate the memory, then it will fail the register command. While failing the register command, driver is not currently clearing MPT3_CMD_PENDING bit in ctl_cmds.status variable which was set before trying to allocate the memory. As this bit is set, subsequent register command will be failed with BUSY status even when user wants to register the trace buffer will less memory. Clear MPT3_CMD_PENDING bit in ctl_cmds.status before returning the diag register command with no memory status. Link: https://lore.kernel.org/r/1568379890-18347-4-git-send-email-sreekanth.reddy… Signed-off-by: Sreekanth Reddy <sreekanth.reddy(a)broadcom.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/scsi/mpt3sas/mpt3sas_ctl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c index 4ccde5a05b701..7874b989d2f4b 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c +++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c @@ -1456,7 +1456,8 @@ _ctl_diag_register_2(struct MPT3SAS_ADAPTER *ioc, " for diag buffers, requested size(%d)\n", ioc->name, __func__, request_data_sz); mpt3sas_base_free_smid(ioc, smid); - return -ENOMEM; + rc = -ENOMEM; + goto out; } ioc->diag_buffer[buffer_type] = request_data; ioc->diag_buffer_sz[buffer_type] = request_data_sz; -- 2.20.1

5 years

3
41
0 0

[PATCH 4.9 00/47] 4.9.196-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.9.196 release. There are 47 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Tue 08 Oct 2019 05:19:59 PM UTC. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.196-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.9.196-rc1 Andrey Konovalov <andreyknvl(a)google.com> NFC: fix attrs checks in netlink interface Eric Biggers <ebiggers(a)google.com> smack: use GFP_NOFS while holding inode_smack::smk_lock Jann Horn <jannh(a)google.com> Smack: Don't ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set David Ahern <dsahern(a)gmail.com> ipv6: Handle missing host route in __ipv6_ifa_notify Eric Dumazet <edumazet(a)google.com> sch_cbq: validate TCA_CBQ_WRROPT to avoid crash Dongli Zhang <dongli.zhang(a)oracle.com> xen-netfront: do not use ~0U as error return value for xennet_fill_frags() Dotan Barak <dotanb(a)dev.mellanox.co.il> net/rds: Fix error handling in rds_ib_add_one() Eric Dumazet <edumazet(a)google.com> sch_dsmark: fix potential NULL deref in dsmark_init() Reinhard Speyerer <rspmn(a)arcor.de> qmi_wwan: add support for Cinterion CLS8 devices Eric Dumazet <edumazet(a)google.com> nfc: fix memory leak in llcp_sock_bind() Martin KaFai Lau <kafai(a)fb.com> net: Unpublish sk from sk_reuseport_cb before call_rcu Navid Emamdoost <navid.emamdoost(a)gmail.com> net: qlogic: Fix memory leak in ql_alloc_large_buffers Paolo Abeni <pabeni(a)redhat.com> net: ipv4: avoid mixed n_redirects and rate_tokens usage Eric Dumazet <edumazet(a)google.com> ipv6: drop incoming packets having a v4mapped source address Johan Hovold <johan(a)kernel.org> hso: fix NULL-deref on tty open Vishal Kulkarni <vishal(a)chelsio.com> cxgb4:Fix out-of-bounds MSI-X info array access Martijn Coenen <maco(a)android.com> ANDROID: binder: synchronize_rcu() when using POLLFREE. Martijn Coenen <maco(a)android.com> ANDROID: binder: remove waitqueue when thread exits. Nicolas Boichat <drinkcat(a)chromium.org> kmemleak: increase DEBUG_KMEMLEAK_EARLY_LOG_SIZE default to 16K Changwei Ge <gechangwei(a)live.cn> ocfs2: wait for recovering done after direct unlock request David Howells <dhowells(a)redhat.com> hypfs: Fix error number left in struct pointer member OGAWA Hirofumi <hirofumi(a)mail.parknet.co.jp> fat: work around race with userspace's read via blockdev while mounting Mike Rapoport <mike.rapoport(a)gmail.com> ARM: 8903/1: ensure that usable memory in bank 0 starts from a PMD-aligned address Jia-Ju Bai <baijiaju1990(a)gmail.com> security: smack: Fix possible null-pointer dereferences in smack_socket_sock_rcv_skb() Joao Moreno <mail(a)joaomoreno.com> HID: apple: Fix stuck function keys when using FN Will Deacon <will(a)kernel.org> ARM: 8898/1: mm: Don't treat faults reported from cache maintenance as writes Nishka Dasgupta <nishkadg.linux(a)gmail.com> PCI: tegra: Fix OF node reference leak Kai-Heng Feng <kai.heng.feng(a)canonical.com> mfd: intel-lpss: Remove D3cold delay Nathan Chancellor <natechancellor(a)gmail.com> MIPS: tlbex: Explicitly cast _PAGE_NO_EXEC to a boolean Bart Van Assche <bvanassche(a)acm.org> scsi: core: Reduce memory required for SCSI logging Eugen Hristev <eugen.hristev(a)microchip.com> clk: at91: select parent if main oscillator or bypass is enabled Arnd Bergmann <arnd(a)arndb.de> arm64: fix unreachable code issue with cmpxchg Nathan Lynch <nathanl(a)linux.ibm.com> powerpc/pseries: correctly track irq state in default idle Nicholas Piggin <npiggin(a)gmail.com> powerpc/64s/exception: machine check use correct cfar for late handler Jean Delvare <jdelvare(a)suse.de> drm/amdgpu/si: fix ASIC tests hexin <hexin.op(a)gmail.com> vfio_pci: Restore original state on release Sowjanya Komatineni <skomatineni(a)nvidia.com> pinctrl: tegra: Fix write barrier placement in pmx_writel Nathan Lynch <nathanl(a)linux.ibm.com> powerpc/pseries/mobility: use cond_resched when updating device tree Christophe Leroy <christophe.leroy(a)c-s.fr> powerpc/futex: Fix warning: 'oldval' may be used uninitialized in this function Nathan Lynch <nathanl(a)linux.ibm.com> powerpc/rtas: use device model APIs and serialization during LPM Stephen Boyd <sboyd(a)kernel.org> clk: sirf: Don't reference clk_init_data after registration Nathan Huckleberry <nhuck(a)google.com> clk: qoriq: Fix -Wunused-const-variable Corey Minyard <cminyard(a)mvista.com> ipmi_si: Only schedule continuously in the thread in maintenance mode Jia-Ju Bai <baijiaju1990(a)gmail.com> gpu: drm: radeon: Fix a possible null-pointer dereference in radeon_connector_set_property() KyleMahlkuch <kmahlkuc(a)linux.vnet.ibm.com> drm/radeon: Fix EEH during kexec Marko Kohtala <marko.kohtala(a)okoko.fi> video: ssd1307fb: Start page range at page_offset Andrey Smirnov <andrew.smirnov(a)gmail.com> drm/bridge: tc358767: Increase AUX transfer length limit ------------- Diffstat: Makefile | 4 +-- arch/arm/mm/fault.c | 4 +-- arch/arm/mm/fault.h | 1 + arch/arm/mm/mmu.c | 16 +++++++++ arch/arm64/include/asm/cmpxchg.h | 6 ++-- arch/mips/mm/tlbex.c | 2 +- arch/powerpc/include/asm/futex.h | 3 +- arch/powerpc/kernel/exceptions-64s.S | 4 +++ arch/powerpc/kernel/rtas.c | 11 ++++-- arch/powerpc/platforms/pseries/mobility.c | 9 +++++ arch/powerpc/platforms/pseries/setup.c | 3 ++ arch/s390/hypfs/inode.c | 9 ++--- drivers/android/binder.c | 26 +++++++++++++- drivers/char/ipmi/ipmi_si_intf.c | 24 ++++++++++--- drivers/clk/at91/clk-main.c | 10 ++++-- drivers/clk/clk-qoriq.c | 2 +- drivers/clk/sirf/clk-common.c | 12 ++++--- drivers/gpu/drm/amd/amdgpu/si.c | 6 ++-- drivers/gpu/drm/bridge/tc358767.c | 2 +- drivers/gpu/drm/radeon/radeon_connectors.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.c | 8 +++++ drivers/hid/hid-apple.c | 49 +++++++++++++++----------- drivers/mfd/intel-lpss-pci.c | 2 ++ drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c | 9 +++-- drivers/net/ethernet/qlogic/qla3xxx.c | 1 + drivers/net/usb/hso.c | 12 ++++--- drivers/net/usb/qmi_wwan.c | 1 + drivers/net/xen-netfront.c | 17 ++++----- drivers/pci/host/pci-tegra.c | 22 ++++++++---- drivers/pinctrl/tegra/pinctrl-tegra.c | 4 ++- drivers/scsi/scsi_logging.c | 48 ++----------------------- drivers/vfio/pci/vfio_pci.c | 17 ++++++--- drivers/video/fbdev/ssd1307fb.c | 2 +- fs/fat/dir.c | 13 +++++-- fs/fat/fatent.c | 3 ++ fs/ocfs2/dlm/dlmunlock.c | 23 +++++++++--- include/scsi/scsi_dbg.h | 2 -- lib/Kconfig.debug | 2 +- net/core/sock.c | 11 ++++-- net/ipv4/route.c | 5 ++- net/ipv6/addrconf.c | 17 ++++++--- net/ipv6/ip6_input.c | 10 ++++++ net/nfc/llcp_sock.c | 7 +++- net/nfc/netlink.c | 6 ++-- net/rds/ib.c | 6 ++-- net/sched/sch_cbq.c | 27 +++++++++++--- net/sched/sch_dsmark.c | 2 ++ security/smack/smack_access.c | 4 +-- security/smack/smack_lsm.c | 7 ++-- 49 files changed, 328 insertions(+), 165 deletions(-)

5 years

9
60
0 0

[PATCH 8/8] KVM: arm/arm64: Properly handle faulting of device mappings

by Marc Zyngier

A device mapping is normally always mapped at Stage-2, since there is very little gain in having it faulted in. Nonetheless, it is possible to end-up in a situation where the device mapping has been removed from Stage-2 (userspace munmaped the VFIO region, and the MMU notifier did its job), but present in a userspace mapping (userpace has mapped it back at the same address). In such a situation, the device mapping will be demand-paged as the guest performs memory accesses. This requires to be careful when dealing with mapping size, cache management, and to handle potential execution of a device mapping. Reported-by: Alexandru Elisei <alexandru.elisei(a)arm.com> Signed-off-by: Marc Zyngier <maz(a)kernel.org> Tested-by: Alexandru Elisei <alexandru.elisei(a)arm.com> Reviewed-by: James Morse <james.morse(a)arm.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20191211165651.7889-2-maz@kernel.org --- virt/kvm/arm/mmu.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/virt/kvm/arm/mmu.c b/virt/kvm/arm/mmu.c index a48994af70b8..0b32a904a1bb 100644 --- a/virt/kvm/arm/mmu.c +++ b/virt/kvm/arm/mmu.c @@ -38,6 +38,11 @@ static unsigned long io_map_base; #define KVM_S2PTE_FLAG_IS_IOMAP (1UL << 0) #define KVM_S2_FLAG_LOGGING_ACTIVE (1UL << 1) +static bool is_iomap(unsigned long flags) +{ + return flags & KVM_S2PTE_FLAG_IS_IOMAP; +} + static bool memslot_is_logging(struct kvm_memory_slot *memslot) { return memslot->dirty_bitmap && !(memslot->flags & KVM_MEM_READONLY); @@ -1698,6 +1703,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa, vma_pagesize = vma_kernel_pagesize(vma); if (logging_active || + (vma->vm_flags & VM_PFNMAP) || !fault_supports_stage2_huge_mapping(memslot, hva, vma_pagesize)) { force_pte = true; vma_pagesize = PAGE_SIZE; @@ -1760,6 +1766,9 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa, writable = false; } + if (exec_fault && is_iomap(flags)) + return -ENOEXEC; + spin_lock(&kvm->mmu_lock); if (mmu_notifier_retry(kvm, mmu_seq)) goto out_unlock; @@ -1781,7 +1790,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa, if (writable) kvm_set_pfn_dirty(pfn); - if (fault_status != FSC_PERM) + if (fault_status != FSC_PERM && !is_iomap(flags)) clean_dcache_guest_page(pfn, vma_pagesize); if (exec_fault) @@ -1948,9 +1957,8 @@ int kvm_handle_guest_abort(struct kvm_vcpu *vcpu, struct kvm_run *run) if (kvm_is_error_hva(hva) || (write_fault && !writable)) { if (is_iabt) { /* Prefetch Abort on I/O address */ - kvm_inject_pabt(vcpu, kvm_vcpu_get_hfar(vcpu)); - ret = 1; - goto out_unlock; + ret = -ENOEXEC; + goto out; } /* @@ -1992,6 +2000,11 @@ int kvm_handle_guest_abort(struct kvm_vcpu *vcpu, struct kvm_run *run) ret = user_mem_abort(vcpu, fault_ipa, memslot, hva, fault_status); if (ret == 0) ret = 1; +out: + if (ret == -ENOEXEC) { + kvm_inject_pabt(vcpu, kvm_vcpu_get_hfar(vcpu)); + ret = 1; + } out_unlock: srcu_read_unlock(&vcpu->kvm->srcu, idx); return ret; -- 2.20.1

5 years

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror December 2019