-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
test #1
test #1
Commits on Jul 14, 2019
-
crypto: lrw - use correct alignmask
commit 20a0f97 upstream. Commit c778f96 ("crypto: lrw - Optimize tweak computation") incorrectly reduced the alignmask of LRW instances from '__alignof__(u64) - 1' to '__alignof__(__be32) - 1'. However, xor_tweak() and setkey() assume that the data and key, respectively, are aligned to 'be128', which has u64 alignment. Fix the alignmask to be at least '__alignof__(be128) - 1'. Fixes: c778f96 ("crypto: lrw - Optimize tweak computation") Cc: <stable@vger.kernel.org> # v4.20+ Cc: Ondrej Mosnacek <omosnace@redhat.com> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for eff1b6a - Browse repository at this point
Copy the full SHA eff1b6aView commit details -
crypto: talitos - rename alternative AEAD algos.
commit a1a42f8 upstream. The talitos driver has two ways to perform AEAD depending on the HW capability. Some HW support both. It is needed to give them different names to distingish which one it is for instance when a test fails. Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr> Fixes: 7405c8d ("crypto: talitos - templates for AEAD using HMAC_SNOOP_NO_AFEU") Cc: stable@vger.kernel.org Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 587c49c - Browse repository at this point
Copy the full SHA 587c49cView commit details -
fscrypt: don't set policy for a dead directory
commit 5858bda upstream. The directory may have been removed when entering fscrypt_ioctl_set_policy(). If so, the empty_dir() check will return error for ext4 file system. ext4_rmdir() sets i_size = 0, then ext4_empty_dir() reports an error because 'inode->i_size < EXT4_DIR_REC_LEN(1) + EXT4_DIR_REC_LEN(2)'. If the fs is mounted with errors=panic, it will trigger a panic issue. Add the check IS_DEADDIR() to fix this problem. Fixes: 9bd8212 ("ext4 crypto: add encryption policy and password salt support") Cc: <stable@vger.kernel.org> # v4.1+ Signed-off-by: Hongjie Fang <hongjiefang@asrmicro.com> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 787716e - Browse repository at this point
Copy the full SHA 787716eView commit details -
udf: Fix incorrect final NOT_ALLOCATED (hole) extent length
commit fa33cdb upstream. In some cases, using the 'truncate' command to extend a UDF file results in a mismatch between the length of the file's extents (specifically, due to incorrect length of the final NOT_ALLOCATED extent) and the information (file) length. The discrepancy can prevent other operating systems (i.e., Windows 10) from opening the file. Two particular errors have been observed when extending a file: 1. The final extent is larger than it should be, having been rounded up to a multiple of the block size. B. The final extent is not shorter than it should be, due to not having been updated when the file's information length was increased. [JK: simplified udf_do_extend_final_block(), fixed up some types] Fixes: 2c948b3 ("udf: Avoid IO in udf_clear_inode") CC: stable@vger.kernel.org Signed-off-by: Steven J. Magnani <steve@digidescorp.com> Link: https://lore.kernel.org/r/1561948775-5878-1-git-send-email-steve@digidescorp.com Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 56a3c35 - Browse repository at this point
Copy the full SHA 56a3c35View commit details -
media: stv0297: fix frequency range limit
commit b09a2ab upstream. There was a typo at the lower frequency limit for a DVB-C card, causing the driver to fail while tuning channels at the VHF range. https://bugzilla.kernel.org/show_bug.cgi?id=202083 Fixes: f1b1eab ("media: dvb: represent min/max/step/tolerance freqs in Hz") Reported-by: Ari Kohtamäki <ari.kohtamaki@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for c8b4e54 - Browse repository at this point
Copy the full SHA c8b4e54View commit details -
ALSA: usb-audio: Fix parse of UAC2 Extension Units
commit ca95c7b upstream. Extension Unit (XU) is used to have a compatible layout with Processing Unit (PU) on UAC1, and the usb-audio driver code assumed it for parsing the descriptors. Meanwhile, on UAC2, XU became slightly incompatible with PU; namely, XU has a one-byte bmControls bitmap while PU has two bytes bmControls bitmap. This incompatibility results in the read of a wrong address for the last iExtension field, which ended up with an incorrect string for the mixer element name, as recently reported for Focusrite Scarlett 18i20 device. This patch corrects this misalignment by introducing a couple of new macros and calling them depending on the descriptor type. Fixes: 23caaf1 ("ALSA: usb-mixer: Add support for Audio Class v2.0") Reported-by: Stefan Sauer <ensonic@hora-obscura.de> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 8b0ab7d - Browse repository at this point
Copy the full SHA 8b0ab7dView commit details -
ALSA: hda/realtek - Headphone Mic can't record after S3
commit d07a9a4 upstream. Dell headset mode platform with ALC236. It doesn't recording after system resume from S3. S3 mode was deep. s2idle was not has this issue. S3 deep will cut of codec power. So, the register will back to default after resume back. This patch will solve this issue. Signed-off-by: Kailang Yang <kailang@realtek.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for eaf775f - Browse repository at this point
Copy the full SHA eaf775fView commit details -
tpm: Actually fail on TPM errors during "get random"
commit 782779b upstream. A "get random" may fail with a TPM error, but those codes were returned as-is to the caller, which assumed the result was the number of bytes that had been written to the target buffer, which could lead to a kernel heap memory exposure and over-read. This fixes tpm1_get_random() to mask positive TPM errors into -EIO, as before. [ 18.092103] tpm tpm0: A TPM error (379) occurred attempting get random [ 18.092106] usercopy: Kernel memory exposure attempt detected from SLUB object 'kmalloc-64' (offset 0, size 379)! Link: https://bugzilla.redhat.com/show_bug.cgi?id=1650989 Reported-by: Phil Baker <baker1tex@gmail.com> Reported-by: Craig Robson <craig@zhatt.com> Fixes: 7aee9c5 ("tpm: tpm1: rewrite tpm1_get_random() using tpm_buf structure") Cc: Laura Abbott <labbott@redhat.com> Cc: Tomas Winkler <tomas.winkler@intel.com> Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Cc: stable@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Tomas Winkler <tomas.winkler@intel.com> Tested-by: Bartosz Szczepanek <bsz@semihalf.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 4cce48a - Browse repository at this point
Copy the full SHA 4cce48aView commit details -
tpm: Fix TPM 1.2 Shutdown sequence to prevent future TPM operations
commit db4d8cb upstream. TPM 2.0 Shutdown involve sending TPM2_Shutdown to TPM chip and disabling future TPM operations. TPM 1.2 behavior was different, future TPM operations weren't disabled, causing rare issues. This patch ensures that future TPM operations are disabled. Fixes: d1bd4a7 ("tpm: Issue a TPM2_Shutdown for TPM2 devices.") Cc: stable@vger.kernel.org Signed-off-by: Vadim Sukhomlinov <sukhomlinov@google.com> [dianders: resolved merge conflicts with mainline] Signed-off-by: Douglas Anderson <dianders@chromium.org> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for a6d2786 - Browse repository at this point
Copy the full SHA a6d2786View commit details -
commit 79d08f8 upstream. 'bio->bi_iter.bi_size' is 'unsigned int', which at most hold 4G - 1 bytes. Before 07173c3 ("block: enable multipage bvecs"), one bio can include very limited pages, and usually at most 256, so the fs bio size won't be bigger than 1M bytes most of times. Since we support multi-page bvec, in theory one fs bio really can be added > 1M pages, especially in case of hugepage, or big writeback with too many dirty pages. Then there is chance in which .bi_size is overflowed. Fixes this issue by using bio_full() to check if the added segment may overflow .bi_size. Cc: Liu Yiding <liuyd.fnst@cn.fujitsu.com> Cc: kernel test robot <rong.a.chen@intel.com> Cc: "Darrick J. Wong" <darrick.wong@oracle.com> Cc: linux-xfs@vger.kernel.org Cc: linux-fsdevel@vger.kernel.org Cc: stable@vger.kernel.org Fixes: 07173c3 ("block: enable multipage bvecs") Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Ming Lei <ming.lei@redhat.com> Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for c785529 - Browse repository at this point
Copy the full SHA c785529View commit details -
block, bfq: NULL out the bic when it's no longer valid
commit dbc3117 upstream. In reboot tests on several devices we were seeing a "use after free" when slub_debug or KASAN was enabled. The kernel complained about: Unable to handle kernel paging request at virtual address 6b6b6c2b ...which is a classic sign of use after free under slub_debug. The stack crawl in kgdb looked like: 0 test_bit (addr=<optimized out>, nr=<optimized out>) 1 bfq_bfqq_busy (bfqq=<optimized out>) 2 bfq_select_queue (bfqd=<optimized out>) 3 __bfq_dispatch_request (hctx=<optimized out>) 4 bfq_dispatch_request (hctx=<optimized out>) 5 0xc056ef00 in blk_mq_do_dispatch_sched (hctx=0xed249440) 6 0xc056f728 in blk_mq_sched_dispatch_requests (hctx=0xed249440) 7 0xc0568d24 in __blk_mq_run_hw_queue (hctx=0xed249440) 8 0xc0568d94 in blk_mq_run_work_fn (work=<optimized out>) 9 0xc024c5c4 in process_one_work (worker=0xec6d4640, work=0xed249480) 10 0xc024cff4 in worker_thread (__worker=0xec6d4640) Digging in kgdb, it could be found that, though bfqq looked fine, bfqq->bic had been freed. Through further digging, I postulated that perhaps it is illegal to access a "bic" (AKA an "icq") after bfq_exit_icq() had been called because the "bic" can be freed at some point in time after this call is made. I confirmed that there certainly were cases where the exact crashing code path would access the "bic" after bfq_exit_icq() had been called. Sspecifically I set the "bfqq->bic" to (void *)0x7 and saw that the bic was 0x7 at the time of the crash. To understand a bit more about why this crash was fairly uncommon (I saw it only once in a few hundred reboots), you can see that much of the time bfq_exit_icq_fbqq() fully frees the bfqq and thus it can't access the ->bic anymore. The only case it doesn't is if bfq_put_queue() sees a reference still held. However, even in the case when bfqq isn't freed, the crash is still rare. Why? I tracked what happened to the "bic" after the exit routine. It doesn't get freed right away. Rather, put_io_context_active() eventually called put_io_context() which queued up freeing on a workqueue. The freeing then actually happened later than that through call_rcu(). Despite all these delays, some extra debugging showed that all the hoops could be jumped through in time and the memory could be freed causing the original crash. Phew! To make a long story short, assuming it truly is illegal to access an icq after the "exit_icq" callback is finished, this patch is needed. Cc: stable@vger.kernel.org Reviewed-by: Paolo Valente <paolo.valente@unimore.it> Signed-off-by: Douglas Anderson <dianders@chromium.org> Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 6975db1 - Browse repository at this point
Copy the full SHA 6975db1View commit details -
perf intel-pt: Fix itrace defaults for perf script
commit 26f19c2 upstream. Commit 4eb0681 ("perf script: Make itrace script default to all calls") does not work because 'use_browser' is being used to determine whether to default to periodic sampling (i.e. better for perf report). The result is that nothing but CBR events display for perf script when no --itrace option is specified. Fix by using 'default_no_sample' and 'inject' instead. Example: Before: $ perf record -e intel_pt/cyc/u ls $ perf script > cmp1.txt $ perf script --itrace=cepwx > cmp2.txt $ diff -sq cmp1.txt cmp2.txt Files cmp1.txt and cmp2.txt differ After: $ perf script > cmp1.txt $ perf script --itrace=cepwx > cmp2.txt $ diff -sq cmp1.txt cmp2.txt Files cmp1.txt and cmp2.txt are identical Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com> Cc: Jiri Olsa <jolsa@redhat.com> Cc: stable@vger.kernel.org # v4.20+ Fixes: 90e457f ("perf tools: Add Intel PT support") Link: http://lkml.kernel.org/r/20190520113728.14389-2-adrian.hunter@intel.com Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 8fe0dff - Browse repository at this point
Copy the full SHA 8fe0dffView commit details -
perf auxtrace: Fix itrace defaults for perf script
commit 355200e upstream. Commit 4eb0681 ("perf script: Make itrace script default to all calls") does not work for the case when '--itrace' only is used, because default_no_sample is not being passed. Example: Before: $ perf record -e intel_pt/cyc/u ls $ perf script --itrace > cmp1.txt $ perf script --itrace=cepwx > cmp2.txt $ diff -sq cmp1.txt cmp2.txt Files cmp1.txt and cmp2.txt differ After: $ perf script --itrace > cmp1.txt $ perf script --itrace=cepwx > cmp2.txt $ diff -sq cmp1.txt cmp2.txt Files cmp1.txt and cmp2.txt are identical Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com> Cc: Jiri Olsa <jolsa@redhat.com> Cc: stable@vger.kernel.org Fixes: 4eb0681 ("perf script: Make itrace script default to all calls") Link: http://lkml.kernel.org/r/20190520113728.14389-3-adrian.hunter@intel.com Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for dacc61d - Browse repository at this point
Copy the full SHA dacc61dView commit details -
perf intel-pt: Fix itrace defaults for perf script intel-pt documenta…
…tion commit a2d8a15 upstream. Fix intel-pt documentation to reflect the change of itrace defaults for perf script. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Cc: Jiri Olsa <jolsa@redhat.com> Cc: stable@vger.kernel.org Fixes: 4eb0681 ("perf script: Make itrace script default to all calls") Link: http://lkml.kernel.org/r/20190520113728.14389-4-adrian.hunter@intel.com Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 66562fc - Browse repository at this point
Copy the full SHA 66562fcView commit details -
perf pmu: Fix uncore PMU alias list for ARM64
commit 599ee18 upstream. In commit 292c34c ("perf pmu: Fix core PMU alias list for X86 platform"), we fixed the issue of CPU events being aliased to uncore events. Fix this same issue for ARM64, since the said commit left the (broken) behaviour untouched for ARM64. Signed-off-by: John Garry <john.garry@huawei.com> Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> Cc: Ben Hutchings <ben@decadent.org.uk> Cc: Hendrik Brueckner <brueckner@linux.ibm.com> Cc: Jiri Olsa <jolsa@redhat.com> Cc: Kan Liang <kan.liang@linux.intel.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Mathieu Poirier <mathieu.poirier@linaro.org> Cc: Namhyung Kim <namhyung@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Shaokun Zhang <zhangshaokun@hisilicon.com> Cc: Thomas Richter <tmricht@linux.ibm.com> Cc: Will Deacon <will.deacon@arm.com> Cc: linux-arm-kernel@lists.infradead.org Cc: linuxarm@huawei.com Cc: stable@vger.kernel.org Fixes: 292c34c ("perf pmu: Fix core PMU alias list for X86 platform") Link: http://lkml.kernel.org/r/1560521283-73314-2-git-send-email-john.garry@huawei.com Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 4a3e679 - Browse repository at this point
Copy the full SHA 4a3e679View commit details -
perf thread-stack: Fix thread stack return from kernel for kernel-onl…
…y case commit 97860b4 upstream. Commit f08046c ("perf thread-stack: Represent jmps to the start of a different symbol") had the side-effect of introducing more stack entries before return from kernel space. When user space is also traced, those entries are popped before entry to user space, but when user space is not traced, they get stuck at the bottom of the stack, making the stack grow progressively larger. Fix by detecting a return-from-kernel branch type, and popping kernel addresses from the stack then. Note, the problem and fix affect the exported Call Graph / Tree but not the callindent option used by "perf script --call-trace". Example: perf-with-kcore record example -e intel_pt//k -- ls perf-with-kcore script example --itrace=bep -s ~/libexec/perf-core/scripts/python/export-to-sqlite.py example.db branches calls ~/libexec/perf-core/scripts/python/exported-sql-viewer.py example.db Menu option: Reports -> Context-Sensitive Call Graph Before: (showing Call Path column only) Call Path ▶ perf ▼ ls ▼ 12111:12111 ▶ setup_new_exec ▶ __task_pid_nr_ns ▶ perf_event_pid_type ▶ perf_event_comm_output ▶ perf_iterate_ctx ▶ perf_iterate_sb ▶ perf_event_comm ▶ __set_task_comm ▶ load_elf_binary ▶ search_binary_handler ▶ __do_execve_file.isra.41 ▶ __x64_sys_execve ▶ do_syscall_64 ▼ entry_SYSCALL_64_after_hwframe ▼ swapgs_restore_regs_and_return_to_usermode ▼ native_iret ▶ error_entry ▶ do_page_fault ▼ error_exit ▼ retint_user ▶ prepare_exit_to_usermode ▼ native_iret ▶ error_entry ▶ do_page_fault ▼ error_exit ▼ retint_user ▶ prepare_exit_to_usermode ▼ native_iret ▶ error_entry ▶ do_page_fault ▼ error_exit ▼ retint_user ▶ prepare_exit_to_usermode ▶ native_iret After: (showing Call Path column only) Call Path ▶ perf ▼ ls ▼ 12111:12111 ▶ setup_new_exec ▶ __task_pid_nr_ns ▶ perf_event_pid_type ▶ perf_event_comm_output ▶ perf_iterate_ctx ▶ perf_iterate_sb ▶ perf_event_comm ▶ __set_task_comm ▶ load_elf_binary ▶ search_binary_handler ▶ __do_execve_file.isra.41 ▶ __x64_sys_execve ▶ do_syscall_64 ▶ entry_SYSCALL_64_after_hwframe ▶ page_fault ▼ entry_SYSCALL_64 ▼ do_syscall_64 ▶ __x64_sys_brk ▶ __x64_sys_access ▶ __x64_sys_openat ▶ __x64_sys_newfstat ▶ __x64_sys_mmap ▶ __x64_sys_close ▶ __x64_sys_read ▶ __x64_sys_mprotect ▶ __x64_sys_arch_prctl ▶ __x64_sys_munmap ▶ exit_to_usermode_loop ▶ __x64_sys_set_tid_address ▶ __x64_sys_set_robust_list ▶ __x64_sys_rt_sigaction ▶ __x64_sys_rt_sigprocmask ▶ __x64_sys_prlimit64 ▶ __x64_sys_statfs ▶ __x64_sys_ioctl ▶ __x64_sys_getdents64 ▶ __x64_sys_write ▶ __x64_sys_exit_group Committer notes: The first arg to the perf-with-kcore needs to be the same for the 'record' and 'script' lines, otherwise we'll record the perf.data file and kcore_dir/ files in one directory ('example') to then try to use it from the 'bep' directory, fix the instructions above it so that both use 'example'. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com> Cc: Jiri Olsa <jolsa@redhat.com> Cc: stable@vger.kernel.org Fixes: f08046c ("perf thread-stack: Represent jmps to the start of a different symbol") Link: http://lkml.kernel.org/r/20190619064429.14940-2-adrian.hunter@intel.com Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for af31a53 - Browse repository at this point
Copy the full SHA af31a53View commit details -
perf header: Assign proper ff->ph in perf_event__synthesize_features()
commit c952b35 upstream. bpf/btf write_* functions need ff->ph->env. With this missing, pipe-mode (perf record -o -) would crash like: Program terminated with signal SIGSEGV, Segmentation fault. This patch assign proper ph value to ff. Committer testing: (gdb) run record -o - Starting program: /root/bin/perf record -o - PERFILE2 <SNIP start of perf.data headers> Thread 1 "perf" received signal SIGSEGV, Segmentation fault. __do_write_buf (size=4, buf=0x160, ff=0x7fffffff8f80) at util/header.c:126 126 memcpy(ff->buf + ff->offset, buf, size); (gdb) bt #0 __do_write_buf (size=4, buf=0x160, ff=0x7fffffff8f80) at util/header.c:126 #1 do_write (ff=ff@entry=0x7fffffff8f80, buf=buf@entry=0x160, size=4) at util/header.c:137 #2 0x00000000004eddba in write_bpf_prog_info (ff=0x7fffffff8f80, evlist=<optimized out>) at util/header.c:912 #3 0x00000000004f69d7 in perf_event__synthesize_features (tool=tool@entry=0x97cc00 <record>, session=session@entry=0x7fffe9c6d010, evlist=0x7fffe9cae010, process=process@entry=0x4435d0 <process_synthesized_event>) at util/header.c:3695 #4 0x0000000000443c79 in record__synthesize (tail=tail@entry=false, rec=0x97cc00 <record>) at builtin-record.c:1214 #5 0x0000000000444ec9 in __cmd_record (rec=0x97cc00 <record>, argv=<optimized out>, argc=0) at builtin-record.c:1435 torvalds#6 cmd_record (argc=0, argv=<optimized out>) at builtin-record.c:2450 torvalds#7 0x00000000004ae3e9 in run_builtin (p=p@entry=0x98e058 <commands+216>, argc=argc@entry=3, argv=0x7fffffffd670) at perf.c:304 torvalds#8 0x000000000042eded in handle_internal_command (argv=<optimized out>, argc=<optimized out>) at perf.c:356 torvalds#9 run_argv (argcp=<optimized out>, argv=<optimized out>) at perf.c:400 torvalds#10 main (argc=3, argv=<optimized out>) at perf.c:522 (gdb) After the patch the SEGSEGV is gone. Reported-by: David Carrillo Cisneros <davidca@fb.com> Signed-off-by: Song Liu <songliubraving@fb.com> Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Namhyung Kim <namhyung@kernel.org> Cc: kernel-team@fb.com Cc: stable@vger.kernel.org # v5.1+ Fixes: 606f972 ("perf bpf: Save bpf_prog_info information as headers to perf.data") Link: http://lkml.kernel.org/r/20190620010453.4118689-1-songliubraving@fb.com Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 635d4fb - Browse repository at this point
Copy the full SHA 635d4fbView commit details -
x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()
commit 31a2fbb upstream. The index to access the threads ptrace_bps is controlled by userspace via syscall: sys_ptrace(), hence leading to a potential exploitation of the Spectre variant 1 vulnerability. The index can be controlled from: ptrace -> arch_ptrace -> ptrace_get_debugreg. Fix this by sanitizing the user supplied index before using it access thread->ptrace_bps. Signed-off-by: Dianzhang Chen <dianzhangchen0@gmail.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: bp@alien8.de Cc: hpa@zytor.com Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/1561476617-3759-1-git-send-email-dianzhangchen0@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for d1ba61a - Browse repository at this point
Copy the full SHA d1ba61aView commit details -
x86/tls: Fix possible spectre-v1 in do_get_thread_area()
commit 993773d upstream. The index to access the threads tls array is controlled by userspace via syscall: sys_ptrace(), hence leading to a potential exploitation of the Spectre variant 1 vulnerability. The index can be controlled from: ptrace -> arch_ptrace -> do_get_thread_area. Fix this by sanitizing the user supplied index before using it to access the p->thread.tls_array. Signed-off-by: Dianzhang Chen <dianzhangchen0@gmail.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: bp@alien8.de Cc: hpa@zytor.com Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/1561524630-3642-1-git-send-email-dianzhangchen0@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 2b73121 - Browse repository at this point
Copy the full SHA 2b73121View commit details -
Documentation: Add section about CPU vulnerabilities for Spectre
commit 6e88559 upstream. Add documentation for Spectre vulnerability and the mitigation mechanisms: - Explain the problem and risks - Document the mitigation mechanisms - Document the command line controls - Document the sysfs files Co-developed-by: Andi Kleen <ak@linux.intel.com> Signed-off-by: Andi Kleen <ak@linux.intel.com> Co-developed-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Reviewed-by: Randy Dunlap <rdunlap@infradead.org> Reviewed-by: Thomas Gleixner <tglx@linutronix.de> Cc: stable@vger.kernel.org Signed-off-by: Jonathan Corbet <corbet@lwn.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 2833a74 - Browse repository at this point
Copy the full SHA 2833a74View commit details -
Documentation/admin: Remove the vsyscall=native documentation
commit d974ffc upstream. The vsyscall=native feature is gone -- remove the docs. Fixes: 076ca27 ("x86/vsyscall/64: Drop "native" vsyscalls") Signed-off-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Kees Cook <keescook@chromium.org> Cc: Florian Weimer <fweimer@redhat.com> Cc: Jann Horn <jannh@google.com> Cc: stable@vger.kernel.org Cc: Borislav Petkov <bp@alien8.de> Cc: Kernel Hardening <kernel-hardening@lists.openwall.com> Cc: Peter Zijlstra <peterz@infradead.org> Link: https://lkml.kernel.org/r/d77c7105eb4c57c1a95a95b6a5b8ba194a18e764.1561610354.git.luto@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 9dfd263 - Browse repository at this point
Copy the full SHA 9dfd263View commit details -
mwifiex: Don't abort on small, spec-compliant vendor IEs
commit 63d7ef3 upstream. Per the 802.11 specification, vendor IEs are (at minimum) only required to contain an OUI. A type field is also included in ieee80211.h (struct ieee80211_vendor_ie) but doesn't appear in the specification. The remaining fields (subtype, version) are a convention used in WMM headers. Thus, we should not reject vendor-specific IEs that have only the minimum length (3 bytes) -- we should skip over them (since we only want to match longer IEs, that match either WMM or WPA formats). We can reject elements that don't have the minimum-required 3 byte OUI. While we're at it, move the non-standard subtype and version fields into the WMM structs, to avoid this confusion in the future about generic "vendor header" attributes. Fixes: 685c9b7 ("mwifiex: Abort at too short BSS descriptor element") Cc: Takashi Iwai <tiwai@suse.de> Signed-off-by: Brian Norris <briannorris@chromium.org> Reviewed-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 94ae2c6 - Browse repository at this point
Copy the full SHA 94ae2c6View commit details -
USB: serial: ftdi_sio: add ID for isodebug v1
commit f8377ef upstream. This adds the vid:pid of the isodebug v1 isolated JTAG/SWD+UART. Only the second channel is available for use as a serial port. Signed-off-by: Andreas Fritiofson <andreas.fritiofson@unjo.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 3377dc6 - Browse repository at this point
Copy the full SHA 3377dc6View commit details -
USB: serial: option: add support for GosunCn ME3630 RNDIS mode
commit aed2a26 upstream. Added USB IDs for GosunCn ME3630 cellular module in RNDIS mode. T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=03 Dev#= 18 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=19d2 ProdID=0601 Rev=03.18 S: Manufacturer=Android S: Product=Android S: SerialNumber=b950269c C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#=0x0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host I: If#=0x1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option Signed-off-by: Jörgen Storvist <jorgen.storvist@gmail.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 6517295 - Browse repository at this point
Copy the full SHA 6517295View commit details -
Revert "serial: 8250: Don't service RX FIFO if interrupts are disabled"
commit 3f2640e upstream. This reverts commit 2e9fe53. Reading LSR unconditionally but processing the error flags only if UART_IIR_RDI bit was set before in IIR may lead to a loss of transmission error information on UARTs where the transmission error flags are cleared by a read of LSR. Information are lost in case an error is detected right before the read of LSR while processing e.g. an UART_IIR_THRI interrupt. Signed-off-by: Oliver Barta <o.barta89@gmail.com> Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Fixes: 2e9fe53 ("serial: 8250: Don't service RX FIFO if interrupts are disabled") Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 5a5097c - Browse repository at this point
Copy the full SHA 5a5097cView commit details -
p54usb: Fix race between disconnect and firmware loading
commit 6e41e22 upstream. The syzbot fuzzer found a bug in the p54 USB wireless driver. The issue involves a race between disconnect and the firmware-loader callback routine, and it has several aspects. One big problem is that when the firmware can't be loaded, the callback routine tries to unbind the driver from the USB _device_ (by calling device_release_driver) instead of from the USB _interface_ to which it is actually bound (by calling usb_driver_release_interface). The race involves access to the private data structure. The driver's disconnect handler waits for a completion that is signalled by the firmware-loader callback routine. As soon as the completion is signalled, you have to assume that the private data structure may have been deallocated by the disconnect handler -- even if the firmware was loaded without errors. However, the callback routine does access the private data several times after that point. Another problem is that, in order to ensure that the USB device structure hasn't been freed when the callback routine runs, the driver takes a reference to it. This isn't good enough any more, because now that the callback routine calls usb_driver_release_interface, it has to ensure that the interface structure hasn't been freed. Finally, the driver takes an unnecessary reference to the USB device structure in the probe function and drops the reference in the disconnect handler. This extra reference doesn't accomplish anything, because the USB core already guarantees that a device structure won't be deallocated while a driver is still bound to any of its interfaces. To fix these problems, this patch makes the following changes: Call usb_driver_release_interface() rather than device_release_driver(). Don't signal the completion until after the important information has been copied out of the private data structure, and don't refer to the private data at all thereafter. Lock udev (the interface's parent) before unbinding the driver instead of locking udev->parent. During the firmware loading process, take a reference to the USB interface instead of the USB device. Don't take an unnecessary reference to the device during probe (and then don't drop it during disconnect). Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-and-tested-by: syzbot+200d4bb11b23d929335f@syzkaller.appspotmail.com CC: <stable@vger.kernel.org> Acked-by: Christian Lamparter <chunkeey@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 9baa5b4 - Browse repository at this point
Copy the full SHA 9baa5b4View commit details -
usb: gadget: f_fs: data_len used before properly set
commit 4833a94 upstream. The following line of code in function ffs_epfile_io is trying to set flag io_data->use_sg in case buffer required is larger than one page. io_data->use_sg = gadget->sg_supported && data_len > PAGE_SIZE; However at this point of time the variable data_len has not been set to the proper buffer size yet. The consequence is that io_data->use_sg is always set regardless what buffer size really is, because the condition (data_len > PAGE_SIZE) is effectively an unsigned comparison between -EINVAL and PAGE_SIZE which would always result in TRUE. Fixes: 772a7a7 ("usb: gadget: f_fs: Allow scatter-gather buffers") Signed-off-by: Fei Yang <fei.yang@intel.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 0657003 - Browse repository at this point
Copy the full SHA 0657003View commit details -
usb: gadget: ether: Fix race between gether_disconnect and rx_submit
commit d29fcf7 upstream. On spin lock release in rx_submit, gether_disconnect get a chance to run, it makes port_usb NULL, rx_submit access NULL port USB, hence null pointer crash. Fixed by releasing the lock in rx_submit after port_usb is used. Fixes: 2b3d942 ("usb ethernet gadget: split out network core") Cc: <stable@vger.kernel.org> Signed-off-by: Kiruthika Varadarajan <Kiruthika.Varadarajan@harman.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 9b0bb09 - Browse repository at this point
Copy the full SHA 9b0bb09View commit details -
usb: dwc2: use a longer AHB idle timeout in dwc2_core_reset()
commit dfc4fde upstream. Use a 10000us AHB idle timeout in dwc2_core_reset() and make it consistent with the other "wait for AHB master IDLE state" ocurrences. This fixes a problem for me where dwc2 would not want to initialize when updating to 4.19 on a MIPS Lantiq VRX200 SoC. dwc2 worked fine with 4.14. Testing on my board shows that it takes 180us until AHB master IDLE state is signalled. The very old vendor driver for this SoC (ifxhcd) used a 1 second timeout. Use the same timeout that is used everywhere when polling for GRSTCTL_AHBIDLE instead of using a timeout that "works for one board" (180us in my case) to have consistent behavior across the dwc2 driver. Cc: linux-stable <stable@vger.kernel.org> # 4.19+ Acked-by: Minas Harutyunyan <hminas@synopsys.com> Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 302b3d5 - Browse repository at this point
Copy the full SHA 302b3d5View commit details -
usb: renesas_usbhs: add a workaround for a race condition of workqueue
commit b235783 upstream. The old commit 6e4b74e ("usb: renesas: fix scheduling in atomic context bug") fixed an atomic issue by using workqueue for the shdmac dmaengine driver. However, this has a potential race condition issue between the work pending and usbhsg_ep_free_request() in gadget mode. When usbhsg_ep_free_request() is called while pending the queue, since the work_struct will be freed and then the work handler is called, kernel panic happens on process_one_work(). To fix the issue, if we could call cancel_work_sync() at somewhere before the free request, it could be easy. However, the usbhsg_ep_free_request() is called on atomic (e.g. f_ncm driver calls free request via gether_disconnect()). For now, almost all users are having "USB-DMAC" and the DMAengine driver can be used on atomic. So, this patch adds a workaround for a race condition to call the DMAengine APIs without the workqueue. This means we still have TODO on shdmac environment (SH7724), but since it doesn't have SMP, the race condition might not happen. Fixes: ab330cf ("usb: renesas_usbhs: add support for USB-DMAC") Cc: <stable@vger.kernel.org> # v4.1+ Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for df850cc - Browse repository at this point
Copy the full SHA df850ccView commit details -
drivers/usb/typec/tps6598x.c: fix portinfo width
commit 05da75f upstream. Portinfo bit field is 3 bits wide, not 2 bits. This led to a wrong driver configuration for some tps6598x configurations. Fixes: 0a4c005 ("usb: typec: driver for TI TPS6598x USB Power Delivery controllers") Signed-off-by: Nikolaus Voss <nikolaus.voss@loewensteinmedical.de> Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 582aa3a - Browse repository at this point
Copy the full SHA 582aa3aView commit details -
drivers/usb/typec/tps6598x.c: fix 4CC cmd write
commit 2681795 upstream. Writing 4CC commands with tps6598x_write_4cc() already has a pointer arg, don't reference it when using as arg to tps6598x_block_write(). Correcting this enforces the constness of the pointer to propagate to tps6598x_block_write(), so add the const qualifier there to avoid the warning. Fixes: 0a4c005 ("usb: typec: driver for TI TPS6598x USB Power Delivery controllers") Signed-off-by: Nikolaus Voss <nikolaus.voss@loewensteinmedical.de> Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 99189d8 - Browse repository at this point
Copy the full SHA 99189d8View commit details -
p54: fix crash during initialization
commit 1645ab9 upstream. This patch fixes a crash that got introduced when the mentioned patch replaced the direct list_head access with skb_peek_tail(). When the device is starting up, there are no entries in the queue, so previously to "Use skb_peek_tail() instead..." the target_skb would end up as the tail and head pointer which then could be used by __skb_queue_after to fill the empty queue. With skb_peek_tail() in its place will instead just return NULL which then causes a crash in the __skb_queue_after(). | BUG: unable to handle kernel NULL pointer dereference at 000000 | #PF error: [normal kernel read fault] | PGD 0 P4D 0 | Oops: 0000 [#1] SMP PTI | CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: GO 5.1.0-rc7-wt+ torvalds#218 | Hardware name: MSI MS-7816/Z87-G43 (MS-7816), BIOS V1.11 05/09/2015 | Workqueue: events request_firmware_work_func | RIP: 0010:p54_tx_pending+0x10f/0x1b0 [p54common] | Code: 78 06 80 78 28 00 74 6d <48> 8b 07 49 89 7c 24 08 49 89 04 24 4 | RSP: 0018:ffffa81c81927d90 EFLAGS: 00010086 | RAX: ffff9bbaaf131048 RBX: 0000000000020670 RCX: 0000000000020264 | RDX: ffff9bbaa976d660 RSI: 0000000000000202 RDI: 0000000000000000 | RBP: ffff9bbaa976d620 R08: 00000000000006c0 R09: ffff9bbaa976d660 | R10: 0000000000000000 R11: ffffe8480dbc5900 R12: ffff9bbb45e87700 | R13: ffff9bbaa976d648 R14: ffff9bbaa976d674 R15: ffff9bbaaf131048 | FS: 0000000000000000(0000) GS:ffff9bbb5ec00000(0000) knlGS:00000 | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 | CR2: 0000000000000000 CR3: 00000003695fc003 CR4: 00000000001606f0 | Call Trace: | p54_download_eeprom+0xbe/0x120 [p54common] | p54_read_eeprom+0x7f/0xc0 [p54common] | p54u_load_firmware_cb+0xe0/0x160 [p54usb] | request_firmware_work_func+0x42/0x80 | process_one_work+0x1f5/0x3f0 | worker_thread+0x28/0x3c0 Cc: stable@vger.kernel.org Fixes: e355419 ("p54: Use skb_peek_tail() instead of direct head pointer accesses.") Signed-off-by: Christian Lamparter <chunkeey@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 2306902 - Browse repository at this point
Copy the full SHA 2306902View commit details -
staging: comedi: dt282x: fix a null pointer deref on interrupt
commit b8336be upstream. The interrupt handler `dt282x_interrupt()` causes a null pointer dereference for those supported boards that have no analog output support. For these boards, `dev->write_subdev` will be `NULL` and therefore the `s_ao` subdevice pointer variable will be `NULL`. In that case, the following call near the end of the interrupt handler results in a null pointer dereference: comedi_handle_events(dev, s_ao); Fix it by only calling the above function if `s_ao` is valid. (There are other uses of `s_ao` by the interrupt handler that may or may not be reached depending on values of hardware registers. Trust that they are reliable for now.) Note: commit 4f6f009 ("staging: comedi: dt282x: use comedi_handle_events()") propagates an earlier error from commit f21c74f ("staging: comedi: dt282x: use cfc_handle_events()"). Fixes: 4f6f009 ("staging: comedi: dt282x: use comedi_handle_events()") Cc: <stable@vger.kernel.org> # v3.19+ Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 99e5f88 - Browse repository at this point
Copy the full SHA 99e5f88View commit details -
staging: wilc1000: fix error path cleanup in wilc_wlan_initialize()
commit 6419f81 upstream. For the error path in wilc_wlan_initialize(), the resources are not cleanup in the correct order. Reverted the previous changes and use the correct order to free during error condition. Fixes: b46d688 ("staging: wilc1000: remove COMPLEMENT_BOOT") Cc: <stable@vger.kernel.org> Signed-off-by: Ajay Singh <ajay.kathat@microchip.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for df73c93 - Browse repository at this point
Copy the full SHA df73c93View commit details -
staging: bcm2835-camera: Restore return behavior of ctrl_set_bitrate()
commit f816db1 upstream. The commit 52c4dfc ("Staging: vc04_services: Cleanup in ctrl_set_bitrate()") changed the return behavior of ctrl_set_bitrate(). We cannot do this because of a bug in the firmware, which breaks probing of bcm2835-camera: bcm2835-v4l2: mmal_init: failed to set all camera controls: -3 Cleanup: Destroy video encoder Cleanup: Destroy image encoder Cleanup: Destroy video render Cleanup: Destroy camera bcm2835-v4l2: bcm2835_mmal_probe: mmal init failed: -3 bcm2835-camera: probe of bcm2835-camera failed with error -3 So restore the old behavior, add an explaining comment and a debug message to verify that the bug has been fixed in firmware. Fixes: 52c4dfc ("Staging: vc04_services: Cleanup in ctrl_set_bitrate()") Signed-off-by: Stefan Wahren <wahrenst@gmx.net> Cc: stable <stable@vger.kernel.org> Acked-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for e937d42 - Browse repository at this point
Copy the full SHA e937d42View commit details -
staging: comedi: amplc_pci230: fix null pointer deref on interrupt
commit 7379e6b upstream. The interrupt handler `pci230_interrupt()` causes a null pointer dereference for a PCI260 card. There is no analog output subdevice for a PCI260. The `dev->write_subdev` subdevice pointer and therefore the `s_ao` subdevice pointer variable will be `NULL` for a PCI260. The following call near the end of the interrupt handler results in the null pointer dereference for a PCI260: comedi_handle_events(dev, s_ao); Fix it by only calling the above function if `s_ao` is valid. Note that the other uses of `s_ao` in the calls `pci230_handle_ao_nofifo(dev, s_ao);` and `pci230_handle_ao_fifo(dev, s_ao);` will never be reached for a PCI260, so they are safe. Fixes: 39064f2 ("staging: comedi: amplc_pci230: use comedi_handle_events()") Cc: <stable@vger.kernel.org> # v3.19+ Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for f0f909a - Browse repository at this point
Copy the full SHA f0f909aView commit details -
staging: mt7621-pci: fix PCIE_FTS_NUM_LO macro
commit 0ae0cf5 upstream. Add missing parenthesis to PCIE_FTS_NUM_LO macro to do the same it was being done in original code. Fixes: a4b2eb9 ("staging: mt7621-pci: rewrite RC FTS configuration") Signed-off-by: Sergio Paracuellos <sergio.paracuellos@gmail.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 7ce8bd8 - Browse repository at this point
Copy the full SHA 7ce8bd8View commit details -
HID: Add another Primax PIXART OEM mouse quirk
commit 4c12954 upstream. The PixArt OEM mice are known for disconnecting every minute in runlevel 1 or 3 if they are not always polled. So add quirk ALWAYS_POLL for this Alienware branded Primax mouse as well. Daniel Schepler (@dschepler) reported and tested the quirk. Reference: sriemer/fix-linux-mouse#15 Signed-off-by: Sebastian Parschauer <s.parschauer@gmx.de> CC: stable@vger.kernel.org Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for f49855f - Browse repository at this point
Copy the full SHA f49855fView commit details -
commit e9e08a0 upstream. With CONFIG_LKDTM=y and make OBJCOPY=llvm-objcopy, llvm-objcopy errors: llvm-objcopy: error: --set-section-flags=.text conflicts with --rename-section=.text=.rodata Rather than support setting flags then renaming sections vs renaming then setting flags, it's simpler to just change both at the same time via --rename-section. Adding the load flag is required for GNU objcopy to mark .rodata Type as PROGBITS after the rename. This can be verified with: $ readelf -S drivers/misc/lkdtm/rodata_objcopy.o ... Section Headers: [Nr] Name Type Address Offset Size EntSize Flags Link Info Align ... [ 1] .rodata PROGBITS 0000000000000000 00000040 0000000000000004 0000000000000000 A 0 0 4 ... Which shows that .text is now renamed .rodata, the alloc flag A is set, the type is PROGBITS, and the section is not flagged as writeable W. Cc: stable@vger.kernel.org Link: https://sourceware.org/bugzilla/show_bug.cgi?id=24554 Link: ClangBuiltLinux#448 Reported-by: Nathan Chancellor <natechancellor@gmail.com> Suggested-by: Alan Modra <amodra@gmail.com> Suggested-by: Jordan Rupprect <rupprecht@google.com> Suggested-by: Kees Cook <keescook@chromium.org> Acked-by: Kees Cook <keescook@chromium.org> Reviewed-by: Nathan Chancellor <natechancellor@gmail.com> Signed-off-by: Nick Desaulniers <ndesaulniers@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for d003726 - Browse repository at this point
Copy the full SHA d003726View commit details -
binder: fix memory leak in error path
commit 1909a67 upstream. syzkallar found a 32-byte memory leak in a rarely executed error case. The transaction complete work item was not freed if put_user() failed when writing the BR_TRANSACTION_COMPLETE to the user command buffer. Fixed by freeing it before put_user() is called. Reported-by: syzbot+182ce46596c3f2e1eb24@syzkaller.appspotmail.com Signed-off-by: Todd Kjos <tkjos@google.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 4f4a269 - Browse repository at this point
Copy the full SHA 4f4a269View commit details -
binder: return errors from buffer copy functions
commit bb4a2e4 upstream. The buffer copy functions assumed the caller would ensure correct alignment and that the memory to be copied was completely within the binder buffer. There have been a few cases discovered by syzkallar where a malformed transaction created by a user could violated the assumptions and resulted in a BUG_ON. The fix is to remove the BUG_ON and always return the error to be handled appropriately by the caller. Acked-by: Martijn Coenen <maco@android.com> Reported-by: syzbot+3ae18325f96190606754@syzkaller.appspotmail.com Fixes: bde4a19 ("binder: use userspace pointer as base of buffer space") Suggested-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Todd Kjos <tkjos@google.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for f18e68e - Browse repository at this point
Copy the full SHA f18e68eView commit details -
iio: adc: stm32-adc: add missing vdda-supply
commit 7685010 upstream. Add missing vdda-supply, analog power supply, to STM32 ADC. When vdda is an independent supply, it needs to be properly turned on or off to supply the ADC. Signed-off-by: Fabrice Gasnier <fabrice.gasnier@st.com> Fixes: 1add698 ("iio: adc: Add support for STM32 ADC core"). Cc: <Stable@vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 26a202b - Browse repository at this point
Copy the full SHA 26a202bView commit details -
coresight: Potential uninitialized variable in probe()
commit 0530ef6 upstream. The "drvdata->atclk" clock is optional, but if it gets set to an error pointer then we're accidentally return an uninitialized variable instead of success. Fixes: 78e6427 ("coresight: funnel: Support static funnel") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org> Cc: stable <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20190620221237.3536-6-mathieu.poirier@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 3204bd0 - Browse repository at this point
Copy the full SHA 3204bd0View commit details -
coresight: etb10: Do not call smp_processor_id from preemptible
commit 730766b upstream. During a perf session we try to allocate buffers on the "node" associated with the CPU the event is bound to. If it is not bound to a CPU, we use the current CPU node, using smp_processor_id(). However this is unsafe in a pre-emptible context and could generate the splats as below : BUG: using smp_processor_id() in preemptible [00000000] code: perf/2544 Use NUMA_NO_NODE hint instead of using the current node for events not bound to CPUs. Fixes: 2997aa4 ("coresight: etb10: implementing AUX API") Cc: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com> Cc: stable <stable@vger.kernel.org> # 4.6+ Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org> Link: https://lore.kernel.org/r/20190620221237.3536-5-mathieu.poirier@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for d881f63 - Browse repository at this point
Copy the full SHA d881f63View commit details -
coresight: tmc-etr: Do not call smp_processor_id() from preemptible
commit 3ff4456 upstream. During a perf session we try to allocate buffers on the "node" associated with the CPU the event is bound to. If it's not bound to a CPU, we use the current CPU node, using smp_processor_id(). However this is unsafe in a pre-emptible context and could generate the splats as below : BUG: using smp_processor_id() in preemptible [00000000] code: perf/1743 caller is alloc_etr_buf.isra.6+0x80/0xa0 CPU: 1 PID: 1743 Comm: perf Not tainted 5.1.0-rc6-147786-g116841e torvalds#344 Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Feb 1 2019 Call trace: dump_backtrace+0x0/0x150 show_stack+0x14/0x20 dump_stack+0x9c/0xc4 debug_smp_processor_id+0x10c/0x110 alloc_etr_buf.isra.6+0x80/0xa0 tmc_alloc_etr_buffer+0x12c/0x1f0 etm_setup_aux+0x1c4/0x230 rb_alloc_aux+0x1b8/0x2b8 perf_mmap+0x35c/0x478 mmap_region+0x34c/0x4f0 do_mmap+0x2d8/0x418 vm_mmap_pgoff+0xd0/0xf8 ksys_mmap_pgoff+0x88/0xf8 __arm64_sys_mmap+0x28/0x38 el0_svc_handler+0xd8/0x138 el0_svc+0x8/0xc Use NUMA_NO_NODE hint instead of using the current node for events not bound to CPUs. Fixes: 855ab61 ("coresight: tmc-etr: Refactor function tmc_etr_setup_perf_buf()") Cc: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com> Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org> Cc: stable <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20190620221237.3536-2-mathieu.poirier@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for e854872 - Browse repository at this point
Copy the full SHA e854872View commit details -
coresight: tmc-etr: alloc_perf_buf: Do not call smp_processor_id from…
… preemptible commit 3a87103 upstream. During a perf session we try to allocate buffers on the "node" associated with the CPU the event is bound to. If it is not bound to a CPU, we use the current CPU node, using smp_processor_id(). However this is unsafe in a pre-emptible context and could generate the splats as below : BUG: using smp_processor_id() in preemptible [00000000] code: perf/1743 caller is tmc_alloc_etr_buffer+0x1bc/0x1f0 CPU: 1 PID: 1743 Comm: perf Not tainted 5.1.0-rc6-147786-g116841e torvalds#344 Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Feb 1 2019 Call trace: dump_backtrace+0x0/0x150 show_stack+0x14/0x20 dump_stack+0x9c/0xc4 debug_smp_processor_id+0x10c/0x110 tmc_alloc_etr_buffer+0x1bc/0x1f0 etm_setup_aux+0x1c4/0x230 rb_alloc_aux+0x1b8/0x2b8 perf_mmap+0x35c/0x478 mmap_region+0x34c/0x4f0 do_mmap+0x2d8/0x418 vm_mmap_pgoff+0xd0/0xf8 ksys_mmap_pgoff+0x88/0xf8 __arm64_sys_mmap+0x28/0x38 el0_svc_handler+0xd8/0x138 el0_svc+0x8/0xc Use NUMA_NO_NODE hint instead of using the current node for events not bound to CPUs. Fixes: 22f429f ("coresight: etm-perf: Add support for ETR backend") Cc: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com> Cc: stable <stable@vger.kernel.org> # 4.20+ Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org> Link: https://lore.kernel.org/r/20190620221237.3536-3-mathieu.poirier@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 0927f64 - Browse repository at this point
Copy the full SHA 0927f64View commit details -
coresight: tmc-etf: Do not call smp_processor_id from preemptible
commit 024c1fd upstream. During a perf session we try to allocate buffers on the "node" associated with the CPU the event is bound to. If it is not bound to a CPU, we use the current CPU node, using smp_processor_id(). However this is unsafe in a pre-emptible context and could generate the splats as below : BUG: using smp_processor_id() in preemptible [00000000] code: perf/2544 caller is tmc_alloc_etf_buffer+0x5c/0x60 CPU: 2 PID: 2544 Comm: perf Not tainted 5.1.0-rc6-147786-g116841e torvalds#344 Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Feb 1 2019 Call trace: dump_backtrace+0x0/0x150 show_stack+0x14/0x20 dump_stack+0x9c/0xc4 debug_smp_processor_id+0x10c/0x110 tmc_alloc_etf_buffer+0x5c/0x60 etm_setup_aux+0x1c4/0x230 rb_alloc_aux+0x1b8/0x2b8 perf_mmap+0x35c/0x478 mmap_region+0x34c/0x4f0 do_mmap+0x2d8/0x418 vm_mmap_pgoff+0xd0/0xf8 ksys_mmap_pgoff+0x88/0xf8 __arm64_sys_mmap+0x28/0x38 el0_svc_handler+0xd8/0x138 el0_svc+0x8/0xc Use NUMA_NO_NODE hint instead of using the current node for events not bound to CPUs. Fixes: 2e499bb ("coresight: tmc: implementing TMC-ETF AUX space API") Cc: Mathieu Poirier <mathieu.poirier@linaro.org> Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com> Cc: stable <stable@vger.kernel.org> # 4.7+ Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org> Link: https://lore.kernel.org/r/20190620221237.3536-4-mathieu.poirier@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for fb0ce48 - Browse repository at this point
Copy the full SHA fb0ce48View commit details -
carl9170: fix misuse of device driver API
commit feb09b2 upstream. This patch follows Alan Stern's recent patch: "p54: Fix race between disconnect and firmware loading" that overhauled carl9170 buggy firmware loading and driver unbinding procedures. Since the carl9170 code was adapted from p54 it uses the same functions and is likely to have the same problem, but it's just that the syzbot hasn't reproduce them (yet). a summary from the changes (copied from the p54 patch): * Call usb_driver_release_interface() rather than device_release_driver(). * Lock udev (the interface's parent) before unbinding the driver instead of locking udev->parent. * During the firmware loading process, take a reference to the USB interface instead of the USB device. * Don't take an unnecessary reference to the device during probe (and then don't drop it during disconnect). and * Make sure to prevent use-after-free bugs by explicitly setting the driver context to NULL after signaling the completion. Cc: <stable@vger.kernel.org> Cc: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Christian Lamparter <chunkeey@gmail.com> Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 0a53ab0 - Browse repository at this point
Copy the full SHA 0a53ab0View commit details -
Revert "x86/build: Move _etext to actual end of .text"
commit 013c66e upstream. This reverts commit 392bef7. Per the discussion here: https://lkml.kernel.org/r/201906201042.3BF5CD6@keescook the above referenced commit breaks kernel compilation with old GCC toolchains as well as current versions of the Gold linker. Revert it to fix the regression and to keep the ability to compile the kernel with these tools. Signed-off-by: Ross Zwisler <zwisler@google.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Guenter Roeck <groeck@chromium.org> Cc: <stable@vger.kernel.org> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Kees Cook <keescook@chromium.org> Cc: Johannes Hirte <johannes.hirte@datenkhaos.de> Cc: Klaus Kusche <klaus.kusche@computerix.info> Cc: samitolvanen@google.com Cc: Guenter Roeck <groeck@google.com> Link: https://lkml.kernel.org/r/20190701155208.211815-1-zwisler@google.com Signed-off-by: Ingo Molnar <mingo@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 7ce6dfc - Browse repository at this point
Copy the full SHA 7ce6dfcView commit details -
VMCI: Fix integer overflow in VMCI handle arrays
commit 1c2eb5b upstream. The VMCI handle array has an integer overflow in vmci_handle_arr_append_entry when it tries to expand the array. This can be triggered from a guest, since the doorbell link hypercall doesn't impose a limit on the number of doorbell handles that a VM can create in the hypervisor, and these handles are stored in a handle array. In this change, we introduce a mandatory max capacity for handle arrays/lists to avoid excessive memory usage. Signed-off-by: Vishnu Dasa <vdasa@vmware.com> Reviewed-by: Adit Ranadive <aditr@vmware.com> Reviewed-by: Jorgen Hansen <jhansen@vmware.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 89fda9a - Browse repository at this point
Copy the full SHA 89fda9aView commit details -
staging: vchiq_2835_arm: revert "quit using custom down_interruptible()"
commit 061ca14 upstream. The killable version of down() is meant to be used on situations where it should not fail at all costs, but still have the convenience of being able to kill it if really necessary. VCHIQ doesn't fit this criteria, as it's mainly used as an interface to V4L2 and ALSA devices. Fixes: ff5979a ("staging: vchiq_2835_arm: quit using custom down_interruptible()") Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de> Acked-by: Stefan Wahren <stefan.wahren@i2se.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 4e5cde2 - Browse repository at this point
Copy the full SHA 4e5cde2View commit details -
staging: vchiq: make wait events interruptible
commit 77cf3f5 upstream. The killable version of wait_event() is meant to be used on situations where it should not fail at all costs, but still have the convenience of being able to kill it if really necessary. Wait events in VCHIQ doesn't fit this criteria, as it's mainly used as an interface to V4L2 and ALSA devices. Fixes: 852b287 ("staging: vchiq: rework remove_event handling") Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de> Acked-by: Stefan Wahren <stefan.wahren@i2se.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for ec1ce3a - Browse repository at this point
Copy the full SHA ec1ce3aView commit details -
staging: vchiq: revert "switch to wait_for_completion_killable"
commit 086efba upstream. The killable version of wait_for_completion() is meant to be used on situations where it should not fail at all costs, but still have the convenience of being able to kill it if really necessary. VCHIQ doesn't fit this criteria, as it's mainly used as an interface to V4L2 and ALSA devices. Fixes: a772f11 ("staging: vchiq: switch to wait_for_completion_killable") Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de> Acked-by: Stefan Wahren <stefan.wahren@i2se.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 7fc7b74 - Browse repository at this point
Copy the full SHA 7fc7b74View commit details -
staging: fsl-dpaa2/ethsw: fix memory leak of switchdev_work
commit 5555ebb upstream. In the default event case switchdev_work is being leaked because nothing is queued for work. Fix this by kfree'ing switchdev_work before returning NOTIFY_DONE. Addresses-Coverity: ("Resource leak") Fixes: 44baaa4 ("staging: fsl-dpaa2/ethsw: Add Freescale DPAA2 Ethernet Switch driver") Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 6766564 - Browse repository at this point
Copy the full SHA 6766564View commit details -
staging: bcm2835-camera: Replace spinlock protecting context_map with…
… mutex commit 8dedab2 upstream. The commit "staging: bcm2835-camera: Replace open-coded idr with a struct idr." replaced an internal implementation of an idr with the standard functions and a spinlock. idr_alloc(GFP_KERNEL) can sleep whilst calling kmem_cache_alloc to allocate the new node, but this is not valid whilst in an atomic context due to the spinlock. There is no need for this to be a spinlock as a standard mutex is sufficient. Fixes: 950fd86 ("staging: bcm2835-camera: Replace open-coded idr with a struct idr.") Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org> Signed-off-by: Stefan Wahren <wahrenst@gmx.net> Acked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Acked-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for fd84f7f - Browse repository at this point
Copy the full SHA fd84f7fView commit details -
staging: bcm2835-camera: Ensure all buffers are returned on disable
commit 70ec64c upstream. With the recent change to match MMAL and V4L2 buffers there is a need to wait for all MMAL buffers to be returned during stop_streaming. Fixes: 9384167 ("staging: bcm2835-camera: Remove V4L2/MMAL buffer remapping") Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org> Signed-off-by: Stefan Wahren <wahrenst@gmx.net> Acked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Acked-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 4b28ea4 - Browse repository at this point
Copy the full SHA 4b28ea4View commit details -
staging: bcm2835-camera: Remove check of the number of buffers supplied
commit bb8e970 upstream. Before commit "staging: bcm2835-camera: Remove V4L2/MMAL buffer remapping" there was a need to ensure that there were sufficient buffers supplied from the user to cover those being sent to the VPU (always 1). Now the buffers are linked 1:1 between MMAL and V4L2, therefore there is no need for that check, and indeed it is wrong as there is no need to submit all the buffers before starting streaming. Fixes: 9384167 ("staging: bcm2835-camera: Remove V4L2/MMAL buffer remapping") Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org> Signed-off-by: Stefan Wahren <wahrenst@gmx.net> Acked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Acked-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for bc54525 - Browse repository at this point
Copy the full SHA bc54525View commit details -
staging: bcm2835-camera: Handle empty EOS buffers whilst streaming
commit a26be06 upstream. The change to mapping V4L2 to MMAL buffers 1:1 didn't handle the condition we get with raw pixel buffers (eg YUV and RGB) direct from the camera's stills port. That sends the pixel buffer and then an empty buffer with the EOS flag set. The EOS buffer wasn't handled and returned an error up the stack. Handle the condition correctly by returning it to the component if streaming, or returning with an error if stopping streaming. Fixes: 9384167 ("staging: bcm2835-camera: Remove V4L2/MMAL buffer remapping") Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org> Signed-off-by: Stefan Wahren <wahrenst@gmx.net> Acked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Acked-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for fa7314b - Browse repository at this point
Copy the full SHA fa7314bView commit details -
staging: rtl8712: reduce stack usage, again
commit fbd6b25 upstream. An earlier patch I sent reduced the stack usage enough to get below the warning limit, and I could show this was safe, but with GCC_PLUGIN_STRUCTLEAK_BYREF_ALL, it gets worse again because large stack variables in the same function no longer overlap: drivers/staging/rtl8712/rtl871x_ioctl_linux.c: In function 'translate_scan.isra.2': drivers/staging/rtl8712/rtl871x_ioctl_linux.c:322:1: error: the frame size of 1200 bytes is larger than 1024 bytes [-Werror=frame-larger-than=] Split out the largest two blocks in the affected function into two separate functions and mark those noinline_for_stack. Fixes: 8c5af16 ("staging: rtl8712: reduce stack usage") Fixes: 81a56f6 ("gcc-plugins: structleak: Generalize to all variable types") Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 090ce9c - Browse repository at this point
Copy the full SHA 090ce9cView commit details -
Configuration menu - View commit details
-
Copy full SHA for 527a3db - Browse repository at this point
Copy the full SHA 527a3dbView commit details
Commits on Jul 21, 2019
-
Revert "e1000e: fix cyclic resets at link up with active tx"
commit caff422 upstream. This reverts commit 0f9e980. That change cased false-positive warning about hardware hang: e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready e1000e 0000:00:1f.6 eth0: Detected Hardware Unit Hang: TDH <0> TDT <1> next_to_use <1> next_to_clean <0> buffer_info[next_to_clean]: time_stamp <fffba7a7> next_to_watch <0> jiffies <fffbb140> next_to_watch.status <0> MAC Status <40080080> PHY Status <7949> PHY 1000BASE-T Status <0> PHY Extended Status <3000> PCI Status <10> e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx Besides warning everything works fine. Original issue will be fixed property in following patch. Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> Reported-by: Joseph Yasi <joe.yasi@gmail.com> Link: https://bugzilla.kernel.org/show_bug.cgi?id=203175 Tested-by: Joseph Yasi <joe.yasi@gmail.com> Tested-by: Aaron Brown <aaron.f.brown@intel.com> Tested-by: Oleksandr Natalenko <oleksandr@redhat.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for bb1f1b2 - Browse repository at this point
Copy the full SHA bb1f1b2View commit details -
e1000e: start network tx queue only when link is up
commit d17ba0f upstream. Driver does not want to keep packets in Tx queue when link is lost. But present code only reset NIC to flush them, but does not prevent queuing new packets. Moreover reset sequence itself could generate new packets via netconsole and NIC falls into endless reset loop. This patch wakes Tx queue only when NIC is ready to send packets. This is proper fix for problem addressed by commit 0f9e980 ("e1000e: fix cyclic resets at link up with active tx"). Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> Suggested-by: Alexander Duyck <alexander.duyck@gmail.com> Tested-by: Joseph Yasi <joe.yasi@gmail.com> Tested-by: Aaron Brown <aaron.f.brown@intel.com> Tested-by: Oleksandr Natalenko <oleksandr@redhat.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for c3ab182 - Browse repository at this point
Copy the full SHA c3ab182View commit details -
Input: synaptics - enable SMBUS on T480 thinkpad trackpad
commit abbe3ac upstream. Thinkpad t480 laptops had some touchpad features disabled, resulting in the loss of pinch to activities in GNOME, on wayland, and other touch gestures being slower. This patch adds the touchpad of the t480 to the smbus_pnp_ids whitelist to enable the extra features. In my testing this does not break suspend (on fedora, with wayland, and GNOME, using the rc-6 kernel), while also fixing the feature on a T480. Signed-off-by: Cole Rogers <colerogers@disroot.org> Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 9d405dc - Browse repository at this point
Copy the full SHA 9d405dcView commit details -
nilfs2: do not use unexported cpu_to_le32()/le32_to_cpu() in uapi header
commit c32cc30 upstream. cpu_to_le32/le32_to_cpu is defined in include/linux/byteorder/generic.h, which is not exported to user-space. UAPI headers must use the ones prefixed with double-underscore. Detected by compile-testing exported headers: include/linux/nilfs2_ondisk.h: In function `nilfs_checkpoint_set_snapshot': include/linux/nilfs2_ondisk.h:536:17: error: implicit declaration of function `cpu_to_le32' [-Werror=implicit-function-declaration] cp->cp_flags = cpu_to_le32(le32_to_cpu(cp->cp_flags) | \ ^ include/linux/nilfs2_ondisk.h:552:1: note: in expansion of macro `NILFS_CHECKPOINT_FNS' NILFS_CHECKPOINT_FNS(SNAPSHOT, snapshot) ^~~~~~~~~~~~~~~~~~~~ include/linux/nilfs2_ondisk.h:536:29: error: implicit declaration of function `le32_to_cpu' [-Werror=implicit-function-declaration] cp->cp_flags = cpu_to_le32(le32_to_cpu(cp->cp_flags) | \ ^ include/linux/nilfs2_ondisk.h:552:1: note: in expansion of macro `NILFS_CHECKPOINT_FNS' NILFS_CHECKPOINT_FNS(SNAPSHOT, snapshot) ^~~~~~~~~~~~~~~~~~~~ include/linux/nilfs2_ondisk.h: In function `nilfs_segment_usage_set_clean': include/linux/nilfs2_ondisk.h:622:19: error: implicit declaration of function `cpu_to_le64' [-Werror=implicit-function-declaration] su->su_lastmod = cpu_to_le64(0); ^~~~~~~~~~~ Link: http://lkml.kernel.org/r/20190605053006.14332-1-yamada.masahiro@socionext.com Fixes: e63e88b ("nilfs2: move ioctl interface and disk layout to uapi separately") Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> Acked-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Greg KH <gregkh@linuxfoundation.org> Cc: Joe Perches <joe@perches.com> Cc: <stable@vger.kernel.org> [4.9+] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 744da33 - Browse repository at this point
Copy the full SHA 744da33View commit details -
drivers: base: cacheinfo: Ensure cpu hotplug work is done before Inte…
…l RDT commit 83b44fe upstream. The cacheinfo structures are alloced/freed by cpu online/offline callbacks. Originally these were only used by sysfs to expose the cache topology to user space. Without any in-kernel dependencies CPUHP_AP_ONLINE_DYN was an appropriate choice. resctrl has started using these structures to identify CPUs that share a cache. It updates its 'domain' structures from cpu online/offline callbacks. These depend on the cacheinfo structures (resctrl_online_cpu()->domain_add_cpu()->get_cache_id()-> get_cpu_cacheinfo()). These also run as CPUHP_AP_ONLINE_DYN. Now that there is an in-kernel dependency, move the cacheinfo work earlier so we know its done before resctrl's CPUHP_AP_ONLINE_DYN work runs. Fixes: 2264d9c ("x86/intel_rdt: Build structures for each resource based on cache topology") Cc: <stable@vger.kernel.org> Cc: Fenghua Yu <fenghua.yu@intel.com> Cc: Reinette Chatre <reinette.chatre@intel.com> Signed-off-by: James Morse <james.morse@arm.com> Link: https://lore.kernel.org/r/20190624173656.202407-1-james.morse@arm.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for afe692c - Browse repository at this point
Copy the full SHA afe692cView commit details -
firmware: improve LSM/IMA security behaviour
commit 2472d64 upstream. The firmware loader queries if LSM/IMA permits it to load firmware via the sysfs fallback. Unfortunately, the code does the opposite: it expressly permits sysfs fw loading if security_kernel_load_data( LOADING_FIRMWARE) returns -EACCES. This happens because a zero-on-success return value is cast to a bool that's true on success. Fix the return value handling so we get the correct behaviour. Fixes: 6e85265 ("firmware: add call to LSM hook before firmware sysfs fallback") Cc: Stable <stable@vger.kernel.org> Cc: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: Kees Cook <keescook@chromium.org> To: Luis Chamberlain <mcgrof@kernel.org> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: "Rafael J. Wysocki" <rafael@kernel.org> Cc: linux-kernel@vger.kernel.org Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 5f1733e - Browse repository at this point
Copy the full SHA 5f1733eView commit details -
genirq: Delay deactivation in free_irq()
commit 4001d8e upstream. When interrupts are shutdown, they are immediately deactivated in the irqdomain hierarchy. While this looks obviously correct there is a subtle issue: There might be an interrupt in flight when free_irq() is invoking the shutdown. This is properly handled at the irq descriptor / primary handler level, but the deactivation might completely disable resources which are required to acknowledge the interrupt. Split the shutdown code and deactivate the interrupt after synchronization in free_irq(). Fixup all other usage sites where this is not an issue to invoke the combined shutdown_and_deactivate() function instead. This still might be an issue if the interrupt in flight servicing is delayed on a remote CPU beyond the invocation of synchronize_irq(), but that cannot be handled at that level and needs to be handled in the synchronize_irq() context. Fixes: f8264e3 ("irqdomain: Introduce new interfaces to support hierarchy irqdomains") Reported-by: Robert Hodaszi <Robert.Hodaszi@digi.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Marc Zyngier <marc.zyngier@arm.com> Link: https://lkml.kernel.org/r/20190628111440.098196390@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 5db47f4 - Browse repository at this point
Copy the full SHA 5db47f4View commit details -
genirq: Fix misleading synchronize_irq() documentation
commit 1d21f2a upstream. The function might sleep, so it cannot be called from interrupt context. Not even with care. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: Marc Zyngier <marc.zyngier@arm.com> Link: https://lkml.kernel.org/r/20190628111440.189241552@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 41e95c3 - Browse repository at this point
Copy the full SHA 41e95c3View commit details -
genirq: Add optional hardware synchronization for shutdown
commit 62e0468 upstream. free_irq() ensures that no hardware interrupt handler is executing on a different CPU before actually releasing resources and deactivating the interrupt completely in a domain hierarchy. But that does not catch the case where the interrupt is on flight at the hardware level but not yet serviced by the target CPU. That creates an interesing race condition: CPU 0 CPU 1 IRQ CHIP interrupt is raised sent to CPU1 Unable to handle immediately (interrupts off, deep idle delay) mask() ... free() shutdown() synchronize_irq() release_resources() do_IRQ() -> resources are not available That might be harmless and just trigger a spurious interrupt warning, but some interrupt chips might get into a wedged state. Utilize the existing irq_get_irqchip_state() callback for the synchronization in free_irq(). synchronize_hardirq() is not using this mechanism as it might actually deadlock unter certain conditions, e.g. when called with interrupts disabled and the target CPU is the one on which the synchronization is invoked. synchronize_irq() uses it because that function cannot be called from non preemtible contexts as it might sleep. No functional change intended and according to Marc the existing GIC implementations where the driver supports the callback should be able to cope with that core change. Famous last words. Fixes: 464d123 ("x86/vector: Switch IOAPIC to global reservation mode") Reported-by: Robert Hodaszi <Robert.Hodaszi@digi.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Marc Zyngier <marc.zyngier@arm.com> Tested-by: Marc Zyngier <marc.zyngier@arm.com> Link: https://lkml.kernel.org/r/20190628111440.279463375@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for f4999a2 - Browse repository at this point
Copy the full SHA f4999a2View commit details -
x86/ioapic: Implement irq_get_irqchip_state() callback
commit dfe0cf8 upstream. When an interrupt is shut down in free_irq() there might be an inflight interrupt pending in the IO-APIC remote IRR which is not yet serviced. That means the interrupt has been sent to the target CPUs local APIC, but the target CPU is in a state which delays the servicing. So free_irq() would proceed to free resources and to clear the vector because synchronize_hardirq() does not see an interrupt handler in progress. That can trigger a spurious interrupt warning, which is harmless and just confuses users, but it also can leave the remote IRR in a stale state because once the handler is invoked the interrupt resources might be freed already and therefore acknowledgement is not possible anymore. Implement the irq_get_irqchip_state() callback for the IO-APIC irq chip. The callback is invoked from free_irq() via __synchronize_hardirq(). Check the remote IRR bit of the interrupt and return 'in flight' if it is set and the interrupt is configured in level mode. For edge mode the remote IRR has no meaning. As this is only meaningful for level triggered interrupts this won't cure the potential spurious interrupt warning for edge triggered interrupts, but the edge trigger case does not result in stale hardware state. This has to be addressed at the vector/interrupt entry level seperately. Fixes: 464d123 ("x86/vector: Switch IOAPIC to global reservation mode") Reported-by: Robert Hodaszi <Robert.Hodaszi@digi.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: Marc Zyngier <marc.zyngier@arm.com> Link: https://lkml.kernel.org/r/20190628111440.370295517@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for fd5f4b9 - Browse repository at this point
Copy the full SHA fd5f4b9View commit details -
x86/irq: Handle spurious interrupt after shutdown gracefully
commit b7107a6 upstream. Since the rework of the vector management, warnings about spurious interrupts have been reported. Robert provided some more information and did an initial analysis. The following situation leads to these warnings: CPU 0 CPU 1 IO_APIC interrupt is raised sent to CPU1 Unable to handle immediately (interrupts off, deep idle delay) mask() ... free() shutdown() synchronize_irq() clear_vector() do_IRQ() -> vector is clear Before the rework the vector entries of legacy interrupts were statically assigned and occupied precious vector space while most of them were unused. Due to that the above situation was handled silently because the vector was handled and the core handler of the assigned interrupt descriptor noticed that it is shut down and returned. While this has been usually observed with legacy interrupts, this situation is not limited to them. Any other interrupt source, e.g. MSI, can cause the same issue. After adding proper synchronization for level triggered interrupts, this can only happen for edge triggered interrupts where the IO-APIC obviously cannot provide information about interrupts in flight. While the spurious warning is actually harmless in this case it worries users and driver developers. Handle it gracefully by marking the vector entry as VECTOR_SHUTDOWN instead of VECTOR_UNUSED when the vector is freed up. If that above late handling happens the spurious detector will not complain and switch the entry to VECTOR_UNUSED. Any subsequent spurious interrupt on that line will trigger the spurious warning as before. Fixes: 464d123 ("x86/vector: Switch IOAPIC to global reservation mode") Reported-by: Robert Hodaszi <Robert.Hodaszi@digi.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>- Tested-by: Robert Hodaszi <Robert.Hodaszi@digi.com> Cc: Marc Zyngier <marc.zyngier@arm.com> Link: https://lkml.kernel.org/r/20190628111440.459647741@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for d151698 - Browse repository at this point
Copy the full SHA d151698View commit details -
x86/irq: Seperate unused system vectors from spurious entry again
commit f8a8fe6 upstream. Quite some time ago the interrupt entry stubs for unused vectors in the system vector range got removed and directly mapped to the spurious interrupt vector entry point. Sounds reasonable, but it's subtly broken. The spurious interrupt vector entry point pushes vector number 0xFF on the stack which makes the whole logic in __smp_spurious_interrupt() pointless. As a consequence any spurious interrupt which comes from a vector != 0xFF is treated as a real spurious interrupt (vector 0xFF) and not acknowledged. That subsequently stalls all interrupt vectors of equal and lower priority, which brings the system to a grinding halt. This can happen because even on 64-bit the system vector space is not guaranteed to be fully populated. A full compile time handling of the unused vectors is not possible because quite some of them are conditonally populated at runtime. Bring the entry stubs back, which wastes 160 bytes if all stubs are unused, but gains the proper handling back. There is no point to selectively spare some of the stubs which are known at compile time as the required code in the IDT management would be way larger and convoluted. Do not route the spurious entries through common_interrupt and do_IRQ() as the original code did. Route it to smp_spurious_interrupt() which evaluates the vector number and acts accordingly now that the real vector numbers are handed in. Fixup the pr_warn so the actual spurious vector (0xff) is clearly distiguished from the other vectors and also note for the vectored case whether it was pending in the ISR or not. "Spurious APIC interrupt (vector 0xFF) on CPU#0, should never happen." "Spurious interrupt vector 0xed on CPU#1. Acked." "Spurious interrupt vector 0xee on CPU#1. Not pending!." Fixes: 2414e02 ("x86: Avoid building unused IRQ entry stubs") Reported-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: Marc Zyngier <marc.zyngier@arm.com> Cc: Jan Beulich <jbeulich@suse.com> Link: https://lkml.kernel.org/r/20190628111440.550568228@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for f29cd95 - Browse repository at this point
Copy the full SHA f29cd95View commit details -
ARC: hide unused function unw_hdr_alloc
commit fd5de27 upstream. As kernelci.org reports, this function is not used in vdk_hs38_defconfig: arch/arc/kernel/unwind.c:188:14: warning: 'unw_hdr_alloc' defined but not used [-Wunused-function] Fixes: bc79c9a ("ARC: dw2 unwind: Reinstante unwinding out of modules") Link: https://kernelci.org/build/id/5d1cae3f59b514300340c132/logs/ Cc: stable@vger.kernel.org Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Vineet Gupta <vgupta@synopsys.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 175713c - Browse repository at this point
Copy the full SHA 175713cView commit details -
s390/ipl: Fix detection of has_secure attribute
commit 1b2be20 upstream. Use the correct bit for detection of the machine capability associated with the has_secure attribute. It is expected that the underlying platform (including hypervisors) unsets the bit when they don't provide secure ipl for their guests. Fixes: c9896ac ("s390/ipl: Provide has_secure sysfs attribute") Cc: stable@vger.kernel.org # 5.2 Signed-off-by: Philipp Rudo <prudo@linux.ibm.com> Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com> Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for bb48afc - Browse repository at this point
Copy the full SHA bb48afcView commit details -
commit 4f18d86 upstream. The stfle inline assembly returns the number of double words written (condition code 0) or the double words it would have written (condition code 3), if the memory array it got as parameter would have been large enough. The current stfle implementation assumes that the array is always large enough and clears those parts of the array that have not been written to with a subsequent memset call. If however the array is not large enough memset will get a negative length parameter, which means that memset clears memory until it gets an exception and the kernel crashes. To fix this simply limit the maximum length. Move also the inline assembly to an extra function to avoid clobbering of register 0, which might happen because of the added min_t invocation together with code instrumentation. The bug was introduced with commit 14375bc ("[S390] cleanup facility list handling") but was rather harmless, since it would only write to a rather large array. It became a potential problem with commit 3ab121a ("[S390] kernel: Add z/VM LGR detection"). Since then it writes to an array with only four double words, while some machines already deliver three double words. As soon as machines have a facility bit within the fifth double a crash on IPL would happen. Fixes: 14375bc ("[S390] cleanup facility list handling") Cc: <stable@vger.kernel.org> # v2.6.37+ Reviewed-by: Vasily Gorbik <gor@linux.ibm.com> Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 3bbbf5b - Browse repository at this point
Copy the full SHA 3bbbf5bView commit details -
s390/qdio: (re-)initialize tiqdio list entries
commit e54e478 upstream. When tiqdio_remove_input_queues() removes a queue from the tiq_list as part of qdio_shutdown(), it doesn't re-initialize the queue's list entry and the prev/next pointers go stale. If a subsequent qdio_establish() fails while sending the ESTABLISH cmd, it calls qdio_shutdown() again in QDIO_IRQ_STATE_ERR state and tiqdio_remove_input_queues() will attempt to remove the queue entry a second time. This dereferences the stale pointers, and bad things ensue. Fix this by re-initializing the list entry after removing it from the list. For good practice also initialize the list entry when the queue is first allocated, and remove the quirky checks that papered over this omission. Note that prior to commit e521813 ("s390/qdio: fix access to uninitialized qdio_q fields"), these checks were bogus anyway. setup_queues_misc() clears the whole queue struct, and thus needs to re-init the prev/next pointers as well. Fixes: 779e6e1 ("[S390] qdio: new qdio driver.") Cc: <stable@vger.kernel.org> Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for c26226c - Browse repository at this point
Copy the full SHA c26226cView commit details -
s390/qdio: don't touch the dsci in tiqdio_add_input_queues()
commit ac6639c upstream. Current code sets the dsci to 0x00000080. Which doesn't make any sense, as the indicator area is located in the _left-most_ byte. Worse: if the dsci is the _shared_ indicator, this potentially clears the indication of activity for a _different_ device. tiqdio_thinint_handler() will then have no reason to call that device's IRQ handler, and the device ends up stalling. Fixes: d0c9d4a ("[S390] qdio: set correct bit in dsci") Cc: <stable@vger.kernel.org> Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 90c7a32 - Browse repository at this point
Copy the full SHA 90c7a32View commit details -
crypto: talitos - move struct talitos_edesc into talitos.h
commit d44769e upstream. Moves struct talitos_edesc into talitos.h so that it can be used from any place in talitos.c It will be required for next patch ("crypto: talitos - fix hash on SEC1") Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr> Cc: stable@vger.kernel.org Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for c506680 - Browse repository at this point
Copy the full SHA c506680View commit details -
crypto: talitos - fix hash on SEC1.
commit 58cdbc6 upstream. On SEC1, hash provides wrong result when performing hashing in several steps with input data SG list has more than one element. This was detected with CONFIG_CRYPTO_MANAGER_EXTRA_TESTS: [ 44.185947] alg: hash: md5-talitos test failed (wrong result) on test vector 6, cfg="random: may_sleep use_finup src_divs=[<reimport>25.88%@+8063, <flush>24.19%@+9588, 28.63%@+16333, <reimport>4.60%@+6756, 16.70%@+16281] dst_divs=[71.61%@alignmask+16361, 14.36%@+7756, 14.3%@+" [ 44.325122] alg: hash: sha1-talitos test failed (wrong result) on test vector 3, cfg="random: inplace use_final src_divs=[<flush,nosimd>16.56%@+16378, <reimport>52.0%@+16329, 21.42%@alignmask+16380, 10.2%@alignmask+16380] iv_offset=39" [ 44.493500] alg: hash: sha224-talitos test failed (wrong result) on test vector 4, cfg="random: use_final nosimd src_divs=[<reimport>52.27%@+7401, <reimport>17.34%@+16285, <flush>17.71%@+26, 12.68%@+10644] iv_offset=43" [ 44.673262] alg: hash: sha256-talitos test failed (wrong result) on test vector 4, cfg="random: may_sleep use_finup src_divs=[<reimport>60.6%@+12790, 17.86%@+1329, <reimport>12.64%@alignmask+16300, 8.29%@+15, 0.40%@+13506, <reimport>0.51%@+16322, <reimport>0.24%@+16339] dst_divs" This is due to two issues: - We have an overlap between the buffer used for copying the input data (SEC1 doesn't do scatter/gather) and the chained descriptor. - Data copy is wrong when the previous hash left less than one blocksize of data to hash, implying a complement of the previous block with a few bytes from the new request. Fix it by: - Moving the second descriptor after the buffer, as moving the buffer after the descriptor would make it more complex for other cipher operations (AEAD, ABLKCIPHER) - Skip the bytes taken from the new request to complete the previous one by moving the SG list forward. Fixes: 37b5e88 ("crypto: talitos - chain in buffered data for ahash on SEC1") Cc: stable@vger.kernel.org Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Configuration menu - View commit details
-
Copy full SHA for 4509f31 - Browse repository at this point
Copy the full SHA 4509f31View commit details -
crypto/NX: Set receive window credits to max number of CRBs in RxFIFO
commit e52d484 upstream. System gets checkstop if RxFIFO overruns with more requests than the maximum possible number of CRBs in FIFO at the same time. The max number of requests per window is controlled by window credits. So find max CRBs from FIFO size and set it to receive window credits. Fixes: b0d6c9b ("crypto/nx: Add P9 NX support for 842 compression engine") CC: stable@vger.kernel.org # v4.14+ Signed-off-by:Haren Myneni <haren@us.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Configuration menu - View commit details
-
Copy full SHA for 6d9584d - Browse repository at this point
Copy the full SHA 6d9584dView commit details -
x86/entry/32: Fix ENDPROC of common_spurious
[ Upstream commit 1cbec37 ] common_spurious is currently ENDed erroneously. common_interrupt is used in its ENDPROC. So fix this mistake. Found by my asm macros rewrite patchset. Fixes: f8a8fe6 ("x86/irq: Seperate unused system vectors from spurious entry again") Signed-off-by: Jiri Slaby <jslaby@suse.cz> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Link: https://lkml.kernel.org/r/20190709063402.19847-1-jslaby@suse.cz Signed-off-by: Sasha Levin <sashal@kernel.org>
Configuration menu - View commit details
-
Copy full SHA for 760d269 - Browse repository at this point
Copy the full SHA 760d269View commit details -
Configuration menu - View commit details
-
Copy full SHA for e9b75c6 - Browse repository at this point
Copy the full SHA e9b75c6View commit details
Commits on Jul 24, 2019
-
phy: sun4i-usb: add support for the USB PHY on suniv SoC
The suniv SoC has one USB OTG port connected to a MUSB controller. Add support for its USB PHY. Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Configuration menu - View commit details
-
Copy full SHA for 523cd68 - Browse repository at this point
Copy the full SHA 523cd68View commit details -
musb: sunxi: add support for the suniv MUSB controller
The suniv SoC has a MUSB controller like the one in A33, but with a SRAM region to be claimed. Add support for it. Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Configuration menu - View commit details
-
Copy full SHA for 189f6e6 - Browse repository at this point
Copy the full SHA 189f6e6View commit details -
ARM: suniv: add USB-related device nodes
The suniv SoC has a USB OTG controller and a USB PHY like other Allwinner SoCs. Add their device tree node. Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Configuration menu - View commit details
-
Copy full SHA for 73e89f5 - Browse repository at this point
Copy the full SHA 73e89f5View commit details -
ARM: suniv: f1c100s: enable USB on Lichee Pi Nano
Lichee Pi Nano has a Micro-USB connector, with its D+, D- pins connected to the USB pins of the SoC and ID pin connected to PE2 GPIO. Enable the USB functionality. Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Configuration menu - View commit details
-
Copy full SHA for ce68e7d - Browse repository at this point
Copy the full SHA ce68e7dView commit details -
ARM: dts: suniv: add support for MMC controllers
The suniv SoC has two MMC controllers like the ones in A20/A23/A33 SoC. Add device tree nodes for them. Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Configuration menu - View commit details
-
Copy full SHA for 148cc9c - Browse repository at this point
Copy the full SHA 148cc9cView commit details -
ARM: suniv: f1c100s: add MMC support for Lichee Pi Nano
The Lichee Pi Nano board has a MicroSD slot which is connected to the MMC0 controller of the F1C100s SoC. Add support for it. Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Configuration menu - View commit details
-
Copy full SHA for eb18221 - Browse repository at this point
Copy the full SHA eb18221View commit details -
ARM: dts: suniv: add SPI device nodes
The suniv SoC has two SPI controllers like the one in H3, but with no dedicated mod clock (the SPI clock input is the AHB bus clock). Add the device tree nodes. Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Configuration menu - View commit details
-
Copy full SHA for 4bef0b5 - Browse repository at this point
Copy the full SHA 4bef0b5View commit details -
ARM: dts: suniv: add pinmux for SPI0 at PC
There's a pin group for SPI0 at PC bank on suniv SoC, which is the bootable SPI0 pinmux. Add the device tree node for this pinmux. Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Configuration menu - View commit details
-
Copy full SHA for 556b945 - Browse repository at this point
Copy the full SHA 556b945View commit details -
ARM: suniv: f1c100s: enable SPI flash on Lichee Pi Nano
The Lichee Pi Nano board has a Winbond W25Q128FVSIQ 128Mbit SPI NOR flash connected to the SPI0 controller of F1C100s SoC, via the pinmux group at PC bank; so it's bootable. Enable this SPI flash. Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Configuration menu - View commit details
-
Copy full SHA for 9ee24e4 - Browse repository at this point
Copy the full SHA 9ee24e4View commit details -
drm: sun4i: bypass RGB interface dotclock check when panel is used
The RGB interface code of sun4i-drm has a dotclock check, which is used to prevent not supported resolutions when a bridge is used. However, it prevents most of the panels in panel-simple driver from being used, as the dotclock may not be divided precisely to the dotclock in panel-simple driver. Bypass the dotclock check when a panel is used. Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Configuration menu - View commit details
-
Copy full SHA for d6dac5b - Browse repository at this point
Copy the full SHA d6dac5bView commit details -
drm: sun4i: add compatible strings for suniv DE components
The suniv display engine is just the traditional DE1 of Allwinner. As it has only one pipeline, no mux is needed; for TCON output mux there's still no document. Add compatible strings for its components. Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Configuration menu - View commit details
-
Copy full SHA for 86599e9 - Browse repository at this point
Copy the full SHA 86599e9View commit details -
ARM: dts: suniv: add display pipeline
The suniv SoC has a traditional DE1 display pipeline. Add it to the device tree. Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Configuration menu - View commit details
-
Copy full SHA for 0d224a2 - Browse repository at this point
Copy the full SHA 0d224a2View commit details -
ARM: dts: suniv: add pinmux node for RGB666
The suniv SoC has a RGB888 LCD interface, with RGB666 interface at PD bank and the extra pins at PE bank. Lichee Pi Nano board just uses RGB666. Add pinmux node for RGB666. Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Configuration menu - View commit details
-
Copy full SHA for 5846b56 - Browse repository at this point
Copy the full SHA 5846b56View commit details -
ARM: suniv: f1c100s: add device tree for Lichee Pi Nano with LCD
Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Configuration menu - View commit details
-
Copy full SHA for d60e910 - Browse repository at this point
Copy the full SHA d60e910View commit details -
Fix typo in suniv USB support code
Signed-off-by: George Hilliard <thirtythreeforty@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for fcc57fe - Browse repository at this point
Copy the full SHA fcc57feView commit details