- May 31, 2019
-
-
Alistair Strachan authored
commit 47bb1179 upstream. When initially testing the Camera Terminal Descriptor wTerminalType field (buffer[4]), no mask is used. Later in the function, the MSB is overloaded to store the descriptor subtype, and so a mask of 0x7fff is used to check the type. If a descriptor is specially crafted to set this overloaded bit in the original wTerminalType field, the initial type check will fail (falling through, without adjusting the buffer size), but the later type checks will pass, assuming the buffer has been made suitably large, causing an overflow. Avoid this problem by checking for the MSB in the wTerminalType field. If the bit is set, assume the descriptor is bad, and abort parsing it. Originally reported here: https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8 A similar (non-compiling) patch was provided at that time. Reported-by:
syzbot <syzkaller@googlegroups.com> Signed-off-by:
Alistair Strachan <astrachan@google.com> Signed-off-by:
Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by:
Mauro Carvalho Chehab <mchehab+samsung@kernel.org> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- Mar 05, 2019
-
-
Todd Kjos authored
To allow servers to verify client identity, allow a node flag to be set that causes the sender's security context to be delivered with the transaction. The BR_TRANSACTION command is extended in BR_TRANSACTION_SEC_CTX to contain a pointer to the security context string. Signed-off-by:
Todd Kjos <tkjos@google.com> Reviewed-by:
Joel Fernandes (Google) <joel@joelfernandes.org> Signed-off-by:
-
- Mar 01, 2019
-
-
Todd Kjos authored
commit 7bada55a upstream. Malicious code can attempt to free buffers using the BC_FREE_BUFFER ioctl to binder. There are protections against a user freeing a buffer while in use by the kernel, however there was a window where BC_FREE_BUFFER could be used to free a recently allocated buffer that was not completely initialized. This resulted in a use-after-free detected by KASAN with a malicious test program. This window is closed by setting the buffer's allow_user_free attribute to 0 when the buffer is allocated or when the user has previously freed it instead of waiting for the caller to set it. The problem was that when the struct buffer was recycled, allow_user_free was stale and set to 1 allowing a free to go through. Signed-off-by:
Arve Hjønnevåg <arve@android.com> Cc: stable <stable@vger.kernel.org> # 4.14 Signed-off-by:
-
Matthias Schwarzott authored
[ Upstream commit 910b0797 ] Fix bug by moving the i2c_unregister_device calls after deregistration of dvb frontend. The new style i2c drivers already destroys the frontend object at i2c_unregister_device time. When the dvb frontend is unregistered afterwards it leads to this oops: [ 6058.866459] BUG: unable to handle kernel NULL pointer dereference at 00000000000001f8 [ 6058.866578] IP: dvb_frontend_stop+0x30/0xd0 [dvb_core] [ 6058.866644] PGD 0 [ 6058.866646] P4D 0 [ 6058.866726] Oops: 0000 [#1] SMP [ 6058.866768] Modules linked in: rc_pinnacle_pctv_hd(O) em28xx_rc(O) si2157(O) si2168(O) em28xx_dvb(O) em28xx(O) si2165(O) a8293(O) tda10071(O) tea5767(O) tuner(O) cx23885(O) tda18271(O) videobuf2_dvb(O) videobuf2_dma_sg(O) m88ds3103(O) tveeprom(O) cx2341x(O) v4l2_common(O) dvb_core(O) rc_core(O) videobuf2_memops(O) videobuf2_v4l2(O) videobuf2_core(O) videodev(O) media(O) bluetooth ecdh_generic ums_realtek uas rtl8192cu rtl_usb rtl8192c_common rtlwifi usb_storage snd_hda_codec_realtek snd_hda_codec_hdmi snd_hda_codec_generic i2c_mux snd_hda_intel snd_hda_codec snd_hwdep x86_pkg_temp_thermal snd_hda_core kvm_intel kvm irqbypass [last unloaded: videobuf2_memops] [ 6058.867497] CPU: 2 PID: 7349 Comm: kworker/2:0 Tainted: G W O 4.13.9-gentoo #1 [ 6058.867595] Hardware name: MEDION E2050 2391/H81H3-EM2, BIOS H81EM2W08.308 08/25/2014 [ 6058.867692] Workqueue: usb_hub_wq hub_event [ 6058.867746] task: ffff88011a15e040 task.stack: ffffc90003074000 [ 6058.867825] RIP: 0010:dvb_frontend_stop+0x30/0xd0 [dvb_core] [ 6058.867896] RSP: 0018:ffffc90003077b58 EFLAGS: 00010293 [ 6058.867964] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000010040001f [ 6058.868056] RDX: ffff88011a15e040 RSI: ffffea000464e400 RDI: ffff88001cbe3028 [ 6058.868150] RBP: ffffc90003077b68 R08: ffff880119390380 R09: 000000010040001f [ 6058.868241] R10: ffffc90003077b18 R11: 000000000001e200 R12: ffff88001cbe3028 [ 6058.868330] R13: ffff88001cbe68d0 R14: ffff8800cf734000 R15: ffff8800cf734098 [ 6058.868419] FS: 0000000000000000(0000) GS:ffff88011fb00000(0000) knlGS:0000000000000000 [ 6058.868511] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 6058.868578] CR2: 00000000000001f8 CR3: 00000001113c5000 CR4: 00000000001406e0 [ 6058.868662] Call Trace: [ 6058.868705] dvb_unregister_frontend+0x2a/0x80 [dvb_core] [ 6058.868774] em28xx_dvb_fini+0x132/0x220 [em28xx_dvb] [ 6058.868840] em28xx_close_extension+0x34/0x90 [em28xx] [ 6058.868902] em28xx_usb_disconnect+0x4e/0x70 [em28xx] [ 6058.868968] usb_unbind_interface+0x6d/0x260 [ 6058.869025] device_release_driver_internal+0x150/0x210 [ 6058.869094] device_release_driver+0xd/0x10 [ 6058.869150] bus_remove_device+0xe4/0x160 [ 6058.869204] device_del+0x1ce/0x2f0 [ 6058.869253] usb_disable_device+0x99/0x270 [ 6058.869306] usb_disconnect+0x8d/0x260 [ 6058.869359] hub_event+0x93d/0x1520 [ 6058.869408] ? dequeue_task_fair+0xae5/0xd20 [ 6058.869467] process_one_work+0x1d9/0x3e0 [ 6058.869522] worker_thread+0x43/0x3e0 [ 6058.869576] kthread+0x104/0x140 [ 6058.869602] ? trace_event_raw_event_workqueue_work+0x80/0x80 [ 6058.869640] ? kthread_create_on_node+0x40/0x40 [ 6058.869673] ret_from_fork+0x22/0x30 [ 6058.869698] Code: 54 49 89 fc 53 48 8b 9f 18 03 00 00 0f 1f 44 00 00 41 83 bc 24 04 05 00 00 02 74 0c 41 c7 84 24 04 05 00 00 01 00 00 00 0f ae f0 <48> 8b bb f8 01 00 00 48 85 ff 74 5c e8 df 40 f0 e0 48 8b 93 f8 [ 6058.869850] RIP: dvb_frontend_stop+0x30/0xd0 [dvb_core] RSP: ffffc90003077b58 [ 6058.869894] CR2: 00000000000001f8 [ 6058.875880] ---[ end trace 717eecf7193b3fc6 ]--- Signed-off-by:
Matthias Schwarzott <zzam@gentoo.org> Signed-off-by:
Mauro Carvalho Chehab <mchehab@s-opensource.com> Signed-off-by:
Sasha Levin <sashal@kernel.org>
-
- Jan 08, 2019
-
-
Alexey Brodkin authored
commit 40660f1f upstream. There's not much sense in doing that because if user or his build-system didn't set CROSS_COMPILE we still may very well make incorrect guess. But as it turned out setting CROSS_COMPILE is not as harmless as one may think: with recent changes that implemented automatic discovery of __host__ gcc features unconditional setup of CROSS_COMPILE leads to failures on execution of "make xxx_defconfig" with absent cross-compiler, for more info see [1]. Set CROSS_COMPILE as well gets in the way if we want only to build .dtb's (again with absent cross-compiler which is not really needed for building .dtb's), see [2]. Note, we had to change LIBGCC assignment type from ":=" to "=" so that is is resolved on its usage, otherwise if it is resolved at declaration time with missing CROSS_COMPILE we're getting this error message from host GCC: | gcc: error: unrecognized command line option -mmedium-calls | gcc: error: unrecognized command line option -mno-sdata [1] http://lists.infradead.org/pipermail/linux-snps-arc/2018-September/004308.html [2] http://lists.infradead.org/pipermail/linux-snps-arc/2018-September/004320.html Signed-off-by:
Alexey Brodkin <abrodkin@synopsys.com> Cc: Masahiro Yamada <yamada.masahiro@socionext.com> Cc: Rob Herring <robh@kernel.org> Signed-off-by:
Vineet Gupta <vgupta@synopsys.com> Signed-off-by:
-
Alexey Brodkin authored
commit 615f6445 upstream. This check is very naive: we simply test if GCC invoked without "-mcpu=XXX" has ARC700 define set. In that case we think that GCC was built with "--with-cpu=arc700" and has libgcc built for ARC700. Otherwise if ARC700 is not defined we think that everythng was built for ARCv2. But in reality our life is much more interesting. 1. Regardless of GCC configuration (i.e. what we pass in "--with-cpu" it may generate code for any ARC core). 2. libgcc might be built with explicitly specified "--mcpu=YYY" That's exactly what happens in case of multilibbed toolchains: - GCC is configured with default settings - All the libs built for many different CPU flavors I.e. that check gets in the way of usage of multilibbed toolchains. And even non-multilibbed toolchains are affected. OpenEmbedded also builds GCC without "--with-cpu" because each and every target component later is compiled with explicitly set "-mcpu=ZZZ". Acked-by:
Rob Herring <robh@kernel.org> Signed-off-by:
-
Alexey Brodkin authored
[ Upstream commit 74c11e30 ] GCC built for arc*-*-linux has "-mmedium-calls" implicitly enabled by default thus we don't see any problems during Linux kernel compilation. ----------------------------->8------------------------ arc-linux-gcc -mcpu=arc700 -Q --help=target | grep calls -mlong-calls [disabled] -mmedium-calls [enabled] ----------------------------->8------------------------ But if we try to use so-called Elf32 toolchain with GCC configured for arc*-*-elf* then we'd see the following failure: ----------------------------->8------------------------ init/do_mounts.o: In function 'init_rootfs': do_mounts.c:(.init.text+0x108): relocation truncated to fit: R_ARC_S21W_PCREL against symbol 'unregister_filesystem' defined in .text section in fs/filesystems.o arc-elf32-ld: final link failed: Symbol needs debug section which does not exist make: *** [vmlinux] Error 1 ----------------------------->8------------------------ That happens because neither "-mmedium-calls" nor "-mlong-calls" are enabled in Elf32 GCC: ----------------------------->8------------------------ arc-elf32-gcc -mcpu=arc700 -Q --help=target | grep calls -mlong-calls [disabled] -mmedium-calls [disabled] ----------------------------->8------------------------ Now to make it possible to use Elf32 toolchain for building Linux kernel we're explicitly add "-mmedium-calls" to CFLAGS. And since we add "-mmedium-calls" to the global CFLAGS there's no point in having per-file copies thus removing them. Signed-off-by:
Sasha Levin <alexander.levin@microsoft.com> Signed-off-by:
-
- Jan 04, 2019
-
-
Linus Torvalds authored
commit 7a9cdebd upstream. Jann Horn points out that the vmacache_flush_all() function is not only potentially expensive, it's buggy too. It also happens to be entirely unnecessary, because the sequence number overflow case can be avoided by simply making the sequence number be 64-bit. That doesn't even grow the data structures in question, because the other adjacent fields are already 64-bit. So simplify the whole thing by just making the sequence number overflow case go away entirely, which gets rid of all the complications and makes the code faster too. Win-win. [ Oleg Nesterov points out that the VMACACHE_FULL_FLUSHES statistics also just goes away entirely with this ] Reported-by:
Jann Horn <jannh@google.com> Suggested-by:
Will Deacon <will.deacon@arm.com> Acked-by:
Davidlohr Bueso <dave@stgolabs.net> Cc: Oleg Nesterov <oleg@redhat.com> Cc: stable@kernel.org Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
-
Linus Torvalds authored
commit eb66ae03 upstream. Jann Horn points out that our TLB flushing was subtly wrong for the mremap() case. What makes mremap() special is that we don't follow the usual "add page to list of pages to be freed, then flush tlb, and then free pages". No, mremap() obviously just _moves_ the page from one page table location to another. That matters, because mremap() thus doesn't directly control the lifetime of the moved page with a freelist: instead, the lifetime of the page is controlled by the page table locking, that serializes access to the entry. As a result, we need to flush the TLB not just before releasing the lock for the source location (to avoid any concurrent accesses to the entry), but also before we release the destination page table lock (to avoid the TLB being flushed after somebody else has already done something to that page). This also makes the whole "need_flush" logic unnecessary, since we now always end up flushing the TLB for every valid entry. Reported-and-tested-by:
Ingo Molnar <mingo@kernel.org> Acked-by:
Peter Zijlstra (Intel) <peterz@infradead.org> Signed-off-by:
-
- Nov 02, 2018
-
-
Suren Baghdasaryan authored
commit e285d5bf upstream. According to ETSI TS 102 622 specification chapter 4.4 pipe identifier is 7 bits long which allows for 128 unique pipe IDs. Because NFC_HCI_MAX_PIPES is used as the number of pipes supported and not as the max pipe ID, its value should be 128 instead of 127. nfc_hci_recv_from_llc extracts pipe ID from packet header using NFC_HCI_FRAGMENT(0x7F) mask which allows for pipe ID value of 127. Same happens when NCI_HCP_MSG_GET_PIPE() is being used. With pipes array having only 127 elements and pipe ID of 127 the OOB memory access will result. Cc: Samuel Ortiz <sameo@linux.intel.com> Cc: Allen Pais <allen.pais@oracle.com> Cc: "David S. Miller" <davem@davemloft.net> Suggested-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
Suren Baghdasaryan <surenb@google.com> Reviewed-by:
Kees Cook <keescook@chromium.org> Cc: stable <stable@vger.kernel.org> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
-
Mark Salyzyn authored
commit 7992c188 upstream. CVE-2018-9363 The buffer length is unsigned at all layers, but gets cast to int and checked in hidp_process_report and can lead to a buffer overflow. Switch len parameter to unsigned int to resolve issue. This affects 3.18 and newer kernels. Signed-off-by:
Mark Salyzyn <salyzyn@android.com> Fixes: a4b1b587 ("HID: Bluetooth: hidp: make sure input buffers are big enough") Cc: Marcel Holtmann <marcel@holtmann.org> Cc: Johan Hedberg <johan.hedberg@gmail.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Kees Cook <keescook@chromium.org> Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com> Cc: linux-bluetooth@vger.kernel.org Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: security@kernel.org Cc: kernel-team@android.com Acked-by:
Marcel Holtmann <marcel@holtmann.org> Signed-off-by:
-
- Oct 04, 2018
-
-
Daniel Rosenberg authored
Adjusted from previous version to add missing include bug: 111641492 Change-Id: I321d83f5d599efb3abdfaf2f3a4900ac512beca6 Reported-by:
Daniel Rosenberg <drosen@google.com>
-
Daniel Rosenberg authored
The macro hides some control flow, making it easier to run into bugs. bug: 111642636 Change-Id: I37ec207c277d97c4e7f1e8381bc9ae743ad78435 Reported-by:
-
- Aug 06, 2018
-
-
Greg Kroah-Hartman authored
Changes in 4.14.61 bonding: avoid lockdep confusion in bond_get_stats() inet: frag: enforce memory limits earlier ipv4: frags: handle possible skb truesize change net: dsa: Do not suspend/resume closed slave_dev netlink: Fix spectre v1 gadget in netlink_create() net: stmmac: Fix WoL for PCI-based setups rxrpc: Fix user call ID check in rxrpc_service_prealloc_one net/mlx5e: E-Switch, Initialize eswitch only if eswitch manager squashfs: more metadata hardening squashfs: more metadata hardenings can: ems_usb: Fix memory leak on ems_usb_disconnect() net: socket: fix potential spectre v1 gadget in socketcall virtio_balloon: fix another race between migration and ballooning x86/apic: Future-proof the TSC_DEADLINE quirk for SKX x86/entry/64: Remove %ebx handling from error_entry/exit kvm: x86: vmx: fix vpid leak audit: fix potential null dereference 'context->module.name' userfaultfd: remove uffd flags from vma->vm_flags if UFFD_EVENT_FORK fails iwlwifi: add more card IDs for 9000 series RDMA/uverbs: Expand primary and alt AV port checks crypto: padlock-aes - Fix Nano workaround data corruption drm/vc4: Reset ->{x, y}_scaling[1] when dealing with uniplanar formats scsi: sg: fix minor memory leak in error path Linux 4.14.61 Signed-off-by:Greg Kroah-Hartman <gregkh@google.com>
-
Greg Kroah-Hartman authored
-
Tony Battersby authored
commit c170e5a8 upstream. Fix a minor memory leak when there is an error opening a /dev/sg device. Fixes: cc833acb ("sg: O_EXCL and other lock handling") Cc: <stable@vger.kernel.org> Reviewed-by:
Ewan D. Milne <emilne@redhat.com> Signed-off-by:
Tony Battersby <tonyb@cybernetics.com> Reviewed-by:
Bart Van Assche <bart.vanassche@wdc.com> Signed-off-by:
Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by:
-
Boris Brezillon authored
commit a6a00918 upstream. This is needed to ensure ->is_unity is correct when the plane was previously configured to output a multi-planar format with scaling enabled, and is then being reconfigured to output a uniplanar format. Fixes: fc04023f ("drm/vc4: Add support for YUV planes.") Cc: <stable@vger.kernel.org> Signed-off-by:
Boris Brezillon <boris.brezillon@bootlin.com> Reviewed-by:
Eric Anholt <eric@anholt.net> Link: https://patchwork.freedesktop.org/patch/msgid/20180724133601.32114-1-boris.brezillon@bootlin.com Signed-off-by:
-
Herbert Xu authored
commit 46d8c4b2 upstream. This was detected by the self-test thanks to Ard's chunking patch. I finally got around to testing this out on my ancient Via box. It turns out that the workaround got the assembly wrong and we end up doing count + initial cycles of the loop instead of just count. This obviously causes corruption, either by overwriting the source that is yet to be processed, or writing over the end of the buffer. On CPUs that don't require the workaround only ECB is affected. On Nano CPUs both ECB and CBC are affected. This patch fixes it by doing the subtraction prior to the assembly. Fixes: a76c1c23 ("crypto: padlock-aes - work around Nano CPU...") Cc: <stable@vger.kernel.org> Reported-by:
Jamie Heilman <jamie@audible.transient.net> Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
-
Jack Morgenstein authored
commit addb8a65 upstream. The commit cited below checked that the port numbers provided in the primary and alt AVs are legal. That is sufficient to prevent a kernel panic. However, it is not sufficient for correct operation. In Linux, AVs (both primary and alt) must be completely self-described. We do not accept an AV from userspace without an embedded port number. (This has been the case since kernel 3.14 commit dbf727de ("IB/core: Use GID table in AH creation and dmac resolution")). For the primary AV, this embedded port number must match the port number specified with IB_QP_PORT. We also expect the port number embedded in the alt AV to match the alt_port_num value passed by the userspace driver in the modify_qp command base structure. Add these checks to modify_qp. Cc: <stable@vger.kernel.org> # 4.16 Fixes: 5d4c05c3 ("RDMA/uverbs: Sanitize user entered port numbers prior to access it") Signed-off-by:
Jack Morgenstein <jackm@dev.mellanox.co.il> Signed-off-by:
Leon Romanovsky <leonro@mellanox.com> Signed-off-by:
Jason Gunthorpe <jgg@mellanox.com> Signed-off-by:
-
Emmanuel Grumbach authored
commit 0a5257bc upstream. Add new device IDs for the 9000 series. Cc: stable@vger.kernel.org # 4.14 Signed-off-by:
Emmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by:
Kalle Valo <kvalo@codeaurora.org> Signed-off-by:
-
Mike Rapoport authored
commit 31e810aa upstream. The fix in commit 0cbb4b4f ("userfaultfd: clear the vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails") cleared the vma->vm_userfaultfd_ctx but kept userfaultfd flags in vma->vm_flags that were copied from the parent process VMA. As the result, there is an inconsistency between the values of vma->vm_userfaultfd_ctx.ctx and vma->vm_flags which triggers BUG_ON in userfaultfd_release(). Clearing the uffd flags from vma->vm_flags in case of UFFD_EVENT_FORK failure resolves the issue. Link: http://lkml.kernel.org/r/1532931975-25473-1-git-send-email-rppt@linux.vnet.ibm.com Fixes: 0cbb4b4f ("userfaultfd: clear the vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails") Signed-off-by:
Mike Rapoport <rppt@linux.vnet.ibm.com> Reported-by:
<syzbot+121be635a7a35ddb7dcb@syzkaller.appspotmail.com> Cc: Andrea Arcangeli <aarcange@redhat.com> Cc: Eric Biggers <ebiggers3@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
-
Yi Wang authored
commit b305f7ed upstream. The variable 'context->module.name' may be null pointer when kmalloc return null, so it's better to check it before using to avoid null dereference. Another one more thing this patch does is using kstrdup instead of (kmalloc + strcpy), and signal a lost record via audit_log_lost. Cc: stable@vger.kernel.org # 4.11 Signed-off-by:
Yi Wang <wang.yi59@zte.com.cn> Reviewed-by:
Jiang Biao <jiang.biao2@zte.com.cn> Reviewed-by:
Richard Guy Briggs <rgb@redhat.com> Signed-off-by:
Paul Moore <paul@paul-moore.com> Signed-off-by:
-
Roman Kagan authored
commit 63aff655 upstream. VPID for the nested vcpu is allocated at vmx_create_vcpu whenever nested vmx is turned on with the module parameter. However, it's only freed if the L1 guest has executed VMXON which is not a given. As a result, on a system with nested==on every creation+deletion of an L1 vcpu without running an L2 guest results in leaking one vpid. Since the total number of vpids is limited to 64k, they can eventually get exhausted, preventing L2 from starting. Delay allocation of the L2 vpid until VMXON emulation, thus matching its freeing. Fixes: 5c614b35 Cc: stable@vger.kernel.org Signed-off-by:
Roman Kagan <rkagan@virtuozzo.com> Signed-off-by:
Paolo Bonzini <pbonzini@redhat.com> Signed-off-by:
-
Andy Lutomirski authored
commit b3681dd5 upstream. error_entry and error_exit communicate the user vs. kernel status of the frame using %ebx. This is unnecessary -- the information is in regs->cs. Just use regs->cs. This makes error_entry simpler and makes error_exit more robust. It also fixes a nasty bug. Before all the Spectre nonsense, the xen_failsafe_callback entry point returned like this: ALLOC_PT_GPREGS_ON_STACK SAVE_C_REGS SAVE_EXTRA_REGS ENCODE_FRAME_POINTER jmp error_exit And it did not go through error_entry. This was bogus: RBX contained garbage, and error_exit expected a flag in RBX. Fortunately, it generally contained *nonzero* garbage, so the correct code path was used. As part of the Spectre fixes, code was added to clear RBX to mitigate certain speculation attacks. Now, depending on kernel configuration, RBX got zeroed and, when running some Wine workloads, the kernel crashes. This was introduced by: commit 3ac6d8c7 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface") With this patch applied, RBX is no longer needed as a flag, and the problem goes away. I suspect that malicious userspace could use this bug to crash the kernel even without the offending patch applied, though. [ Historical note: I wrote this patch as a cleanup before I was aware of the bug it fixed. ] [ Note to stable maintainers: this should probably get applied to all kernels. If you're nervous about that, a more conservative fix to add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should also fix the problem. ] Reported-and-tested-by:
M. Vefa Bicakci <m.v.b@runbox.com> Signed-off-by:
Andy Lutomirski <luto@kernel.org> Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Brian Gerst <brgerst@gmail.com> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: Denys Vlasenko <dvlasenk@redhat.com> Cc: Dominik Brodowski <linux@dominikbrodowski.net> Cc: Greg KH <gregkh@linuxfoundation.org> Cc: H. Peter Anvin <hpa@zytor.com> Cc: Josh Poimboeuf <jpoimboe@redhat.com> Cc: Juergen Gross <jgross@suse.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: stable@vger.kernel.org Cc: xen-devel@lists.xenproject.org Fixes: 3ac6d8c7 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface") Link: http://lkml.kernel.org/r/b5010a090d3586b2d6e06c7ad3ec5542d1241c45.1532282627.git.luto@kernel.org Signed-off-by:
-
Len Brown authored
commit d9e6dbcf upstream. All SKX with stepping higher than 4 support the TSC_DEADLINE, no matter the microcode version. Without this patch, upcoming SKX steppings will not be able to use their TSC_DEADLINE timer. Signed-off-by:
Len Brown <len.brown@intel.com> Cc: <stable@kernel.org> # v4.14+ Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Fixes: 616dd587 ("x86/apic: Update TSC_DEADLINE quirk with additional SKX stepping") Link: http://lkml.kernel.org/r/d0c7129e509660be9ec6b233284b8d42d90659e8.1532207856.git.len.brown@intel.com Signed-off-by:
-
Jiang Biao authored
commit 89da619b upstream. Kernel panic when with high memory pressure, calltrace looks like, PID: 21439 TASK: ffff881be3afedd0 CPU: 16 COMMAND: "java" #0 [ffff881ec7ed7630] machine_kexec at ffffffff81059beb #1 [ffff881ec7ed7690] __crash_kexec at ffffffff81105942 #2 [ffff881ec7ed7760] crash_kexec at ffffffff81105a30 #3 [ffff881ec7ed7778] oops_end at ffffffff816902c8 #4 [ffff881ec7ed77a0] no_context at ffffffff8167ff46 #5 [ffff881ec7ed77f0] __bad_area_nosemaphore at ffffffff8167ffdc #6 [ffff881ec7ed7838] __node_set at ffffffff81680300 #7 [ffff881ec7ed7860] __do_page_fault at ffffffff8169320f #8 [ffff881ec7ed78c0] do_page_fault at ffffffff816932b5 #9 [ffff881ec7ed78f0] page_fault at ffffffff8168f4c8 [exception RIP: _raw_spin_lock_irqsave+47] RIP: ffffffff8168edef RSP: ffff881ec7ed79a8 RFLAGS: 00010046 RAX: 0000000000000246 RBX: ffffea0019740d00 RCX: ffff881ec7ed7fd8 RDX: 0000000000020000 RSI: 0000000000000016 RDI: 0000000000000008 RBP: ffff881ec7ed79a8 R8: 0000000000000246 R9: 000000000001a098 R10: ffff88107ffda000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000008 R14: ffff881ec7ed7a80 R15: ffff881be3afedd0 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 It happens in the pagefault and results in double pagefault during compacting pages when memory allocation fails. Analysed the vmcore, the page leads to second pagefault is corrupted with _mapcount=-256, but private=0. It's caused by the race between migration and ballooning, and lock missing in virtballoon_migratepage() of virtio_balloon driver. This patch fix the bug. Fixes: e2250429 ("virtio_balloon: introduce migration primitives to balloon pages") Cc: stable@vger.kernel.org Signed-off-by:
Huang Chong <huang.chong@zte.com.cn> Signed-off-by:
Michael S. Tsirkin <mst@redhat.com> Signed-off-by:
-
Jeremy Cline authored
commit c8e8cd57 upstream. 'call' is a user-controlled value, so sanitize the array index after the bounds check to avoid speculating past the bounds of the 'nargs' array. Found with the help of Smatch: net/socket.c:2508 __do_sys_socketcall() warn: potential spectre issue 'nargs' [r] (local cap) Cc: Josh Poimboeuf <jpoimboe@redhat.com> Cc: stable@vger.kernel.org Signed-off-by:
Jeremy Cline <jcline@redhat.com> Signed-off-by:
-
Anton Vasilyev authored
commit 72c05f32 upstream. ems_usb_probe() allocates memory for dev->tx_msg_buffer, but there is no its deallocation in ems_usb_disconnect(). Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by:
Anton Vasilyev <vasilyev@ispras.ru> Cc: <stable@vger.kernel.org> Signed-off-by:
Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by:
-
Linus Torvalds authored
commit 71755ee5 upstream. The squashfs fragment reading code doesn't actually verify that the fragment is inside the fragment table. The end result _is_ verified to be inside the image when actually reading the fragment data, but before that is done, we may end up taking a page fault because the fragment table itself might not even exist. Another report from Anatoly and his endless squashfs image fuzzing. Reported-by:
Анатолий Тросиненко <anatoly.trosinenko@gmail.com> Acked-by:
: Phillip Lougher <phillip.lougher@gmail.com>,> Cc: Willy Tarreau <w@1wt.eu> Signed-off-by:
-
Linus Torvalds authored
commit d5125847 upstream. Anatoly reports another squashfs fuzzing issue, where the decompression parameters themselves are in a compressed block. This causes squashfs_read_data() to be called in order to read the decompression options before the decompression stream having been set up, making squashfs go sideways. Reported-by:
Phillip Lougher <phillip.lougher@gmail.com> Cc: stable@kernel.org Signed-off-by:
-
Eli Cohen authored
[ Upstream commit 5f5991f3 ] Execute mlx5_eswitch_init() only if we have MLX5_ESWITCH_MANAGER capabilities. Do the same for mlx5_eswitch_cleanup(). Fixes: a9f7705f ("net/mlx5: Unify vport manager capability check") Signed-off-by:
Eli Cohen <eli@mellanox.com> Signed-off-by:
Saeed Mahameed <saeedm@mellanox.com> Signed-off-by:
-
YueHaibing authored
[ Upstream commit c01f6c9b ] There just check the user call ID isn't already in use, hence should compare user_call_ID with xcall->user_call_ID, which is current node's user_call_ID. Fixes: 540b1c48 ("rxrpc: Fix deadlock between call creation and sendmsg/recvmsg") Suggested-by:
David Howells <dhowells@redhat.com> Signed-off-by:
YueHaibing <yuehaibing@huawei.com> Signed-off-by:
-
Jose Abreu authored
[ Upstream commit b7d0f08e ] WoL won't work in PCI-based setups because we are not saving the PCI EP state before entering suspend state and not allowing D3 wake. Fix this by using a wrapper around stmmac_{suspend/resume} which correctly sets the PCI EP state. Signed-off-by:
Jose Abreu <joabreu@synopsys.com> Cc: David S. Miller <davem@davemloft.net> Cc: Joao Pinto <jpinto@synopsys.com> Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com> Cc: Alexandre Torgue <alexandre.torgue@st.com> Signed-off-by:
-
Jeremy Cline authored
[ Upstream commit bc5b6c0b ] 'protocol' is a user-controlled value, so sanitize it after the bounds check to avoid using it for speculative out-of-bounds access to arrays indexed by it. This addresses the following accesses detected with the help of smatch: * net/netlink/af_netlink.c:654 __netlink_create() warn: potential spectre issue 'nlk_cb_mutex_keys' [w] * net/netlink/af_netlink.c:654 __netlink_create() warn: potential spectre issue 'nlk_cb_mutex_key_strings' [w] * net/netlink/af_netlink.c:685 netlink_create() warn: potential spectre issue 'nl_table' [w] (local cap) Cc: Josh Poimboeuf <jpoimboe@redhat.com> Signed-off-by:
Josh Poimboeuf <jpoimboe@redhat.com> Signed-off-by:
-
Florian Fainelli authored
[ Upstream commit a94c689e ] If a DSA slave network device was previously disabled, there is no need to suspend or resume it. Fixes: 24462549 ("net: dsa: allow switch drivers to implement suspend/resume hooks") Signed-off-by:
Florian Fainelli <f.fainelli@gmail.com> Reviewed-by:
Andrew Lunn <andrew@lunn.ch> Signed-off-by:
-
Eric Dumazet authored
[ Upstream commit 4672694b ] ip_frag_queue() might call pskb_pull() on one skb that is already in the fragment queue. We need to take care of possible truesize change, or we might have an imbalance of the netns frags memory usage. IPv6 is immune to this bug, because RFC5722, Section 4, amended by Errata ID 3089 states : When reassembling an IPv6 datagram, if one or more its constituent fragments is determined to be an overlapping fragment, the entire datagram (and any constituent fragments) MUST be silently discarded. Fixes: 158f323b ("net: adjust skb->truesize in pskb_expand_head()") Signed-off-by:
Eric Dumazet <edumazet@google.com> Signed-off-by:
-
Eric Dumazet authored
[ Upstream commit 56e2c94f ] We currently check current frags memory usage only when a new frag queue is created. This allows attackers to first consume the memory budget (default : 4 MB) creating thousands of frag queues, then sending tiny skbs to exceed high_thresh limit by 2 to 3 order of magnitude. Note that before commit 648700f7 ("inet: frags: use rhashtables for reassembly units"), work queue could be starved under DOS, getting no cpu cycles. After commit 648700f7, only the per frag queue timer can eventually remove an incomplete frag queue and its skbs. Fixes: b13d3cbf ("inet: frag: move eviction of queues to work queue") Signed-off-by:
Florian Westphal <fw@strlen.de> Signed-off-by:
-
Eric Dumazet authored
[ Upstream commit 7e2556e4 ] syzbot found that the following sequence produces a LOCKDEP splat [1] ip link add bond10 type bond ip link add bond11 type bond ip link set bond11 master bond10 To fix this, we can use the already provided nest_level. This patch also provides correct nesting for dev->addr_list_lock [1] WARNING: possible recursive locking detected 4.18.0-rc6+ #167 Not tainted -------------------------------------------- syz-executor751/4439 is trying to acquire lock: (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline] (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426 but task is already holding lock: (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline] (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&(&bond->stats_lock)->rlock); lock(&(&bond->stats_lock)->rlock); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by syz-executor751/4439: #0: (____ptrval____) (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 net/core/rtnetlink.c:77 #1: (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline] #1: (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426 #2: (____ptrval____) (rcu_read_lock){....}, at: bond_get_stats+0x0/0x560 include/linux/compiler.h:215 stack backtrace: CPU: 0 PID: 4439 Comm: syz-executor751 Not tainted 4.18.0-rc6+ #167 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113 print_deadlock_bug kernel/locking/lockdep.c:1765 [inline] check_deadlock kernel/locking/lockdep.c:1809 [inline] validate_chain kernel/locking/lockdep.c:2405 [inline] __lock_acquire.cold.64+0x1fb/0x486 kernel/locking/lockdep.c:3435 lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144 spin_lock include/linux/spinlock.h:310 [inline] bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426 dev_get_stats+0x10f/0x470 net/core/dev.c:8316 bond_get_stats+0x232/0x560 drivers/net/bonding/bond_main.c:3432 dev_get_stats+0x10f/0x470 net/core/dev.c:8316 rtnl_fill_stats+0x4d/0xac0 net/core/rtnetlink.c:1169 rtnl_fill_ifinfo+0x1aa6/0x3fb0 net/core/rtnetlink.c:1611 rtmsg_ifinfo_build_skb+0xc8/0x190 net/core/rtnetlink.c:3268 rtmsg_ifinfo_event.part.30+0x45/0xe0 net/core/rtnetlink.c:3300 rtmsg_ifinfo_event net/core/rtnetlink.c:3297 [inline] rtnetlink_event+0x144/0x170 net/core/rtnetlink.c:4716 notifier_call_chain+0x180/0x390 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1735 call_netdevice_notifiers net/core/dev.c:1753 [inline] netdev_features_change net/core/dev.c:1321 [inline] netdev_change_features+0xb3/0x110 net/core/dev.c:7759 bond_compute_features.isra.47+0x585/0xa50 drivers/net/bonding/bond_main.c:1120 bond_enslave+0x1b25/0x5da0 drivers/net/bonding/bond_main.c:1755 bond_do_ioctl+0x7cb/0xae0 drivers/net/bonding/bond_main.c:3528 dev_ifsioc+0x43c/0xb30 net/core/dev_ioctl.c:327 dev_ioctl+0x1b5/0xcc0 net/core/dev_ioctl.c:493 sock_do_ioctl+0x1d3/0x3e0 net/socket.c:992 sock_ioctl+0x30d/0x680 net/socket.c:1093 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:684 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701 __do_sys_ioctl fs/ioctl.c:708 [inline] __se_sys_ioctl fs/ioctl.c:706 [inline] __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x440859 Code: e8 2c af 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ffc51a92878 EFLAGS: 00000213 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440859 RDX: 0000000020000040 RSI: 0000000000008990 RDI: 0000000000000003 RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8 R10: 00000000022d5880 R11: 0000000000000213 R12: 0000000000007390 R13: 0000000000401db0 R14: 0000000000000000 R15: 0000000000000000 Signed-off-by:
-
- Aug 03, 2018
-
-
Greg Kroah-Hartman authored
Changes in 4.14.60 fork: unconditionally clear stack on fork i2c: core: decrease reference count of device node in i2c_unregister_device RDMA/core: Avoid that ib_drain_qp() triggers an out-of-bounds stack access drivers/infiniband/core/verbs.c: fix build with gcc-4.4.4 IB/srpt: Fix an out-of-bounds stack access in srpt_zerolength_write() drivers/infiniband/ulp/srpt/ib_srpt.c: fix build with gcc-4.4.4 spi: spi-s3c64xx: Fix system resume support Input: elan_i2c - add ACPI ID for lenovo ideapad 330 Input: i8042 - add Lenovo LaVie Z to the i8042 reset list Input: elan_i2c - add another ACPI ID for Lenovo Ideapad 330-15AST kvm, mm: account shadow page tables to kmemcg delayacct: fix crash in delayacct_blkio_end() after delayacct init failure tracing: Fix double free of event_trigger_data tracing: Fix possible double free in event_enable_trigger_func() kthread, tracing: Don't expose half-written comm when creating kthreads tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure tracing: Quiet gcc warning about maybe unused link variable arm64: fix vmemmap BUILD_BUG_ON() triggering on !vmemmap setups mlxsw: spectrum_switchdev: Fix port_vlan refcounting kcov: ensure irq code sees a valid area xen/netfront: raise max number of slots in xennet_get_responses() hv_netvsc: fix network namespace issues with VF support skip LAYOUTRETURN if layout is invalid ALSA: emu10k1: add error handling for snd_ctl_add ALSA: fm801: add error handling for snd_ctl_add NFSv4.1: Fix the client behaviour on NFS4ERR_SEQ_FALSE_RETRY nfsd: fix potential use-after-free in nfsd4_decode_getdeviceinfo vfio: platform: Fix reset module leak in error path vfio/mdev: Check globally for duplicate devices vfio/type1: Fix task tracking for QEMU vCPU hotplug kernel/hung_task.c: show all hung tasks before panic mm: /proc/pid/pagemap: hide swap entries from unprivileged users mm: vmalloc: avoid racy handling of debugobjects in vunmap mm/slub.c: add __printf verification to slab_err() rtc: ensure rtc_set_alarm fails when alarms are not supported perf tools: Fix pmu events parsing rule netfilter: ipset: forbid family for hash:mac sets netfilter: ipset: List timing out entries with "timeout 1" instead of zero irqchip/ls-scfg-msi: Map MSIs in the iommu watchdog: da9063: Fix updating timeout value printk: drop in_nmi check from printk_safe_flush_on_panic() bpf, arm32: fix inconsistent naming about emit_a32_lsr_{r64,i64} ceph: fix alignment of rasize e1000e: Ignore TSYNCRXCTL when getting I219 clock attributes infiniband: fix a possible use-after-free bug powerpc/lib: Adjust .balign inside string functions for PPC32 powerpc/64s: Add barrier_nospec powerpc/eeh: Fix use-after-release of EEH driver hvc_opal: don't set tb_ticks_per_usec in udbg_init_opal_common() powerpc/64s: Fix compiler store ordering to SLB shadow area RDMA/mad: Convert BUG_ONs to error flows lightnvm: pblk: warn in case of corrupted write buffer netfilter: nf_tables: check msg_type before nft_trans_set(trans) pnfs: Don't release the sequence slot until we've processed layoutget on open disable loading f2fs module on PAGE_SIZE > 4KB f2fs: fix error path of move_data_page f2fs: fix to don't trigger writeback during recovery f2fs: fix to wait page writeback during revoking atomic write f2fs: Fix deadlock in shutdown ioctl f2fs: fix to detect failure of dquot_initialize f2fs: fix race in between GC and atomic open block, bfq: remove wrong lock in bfq_requests_merged usbip: usbip_detach: Fix memory, udev context and udev leak usbip: dynamically allocate idev by nports found in sysfs perf/x86/intel/uncore: Correct fixed counter index check in generic code perf/x86/intel/uncore: Correct fixed counter index check for NHM selftests/intel_pstate: Improve test, minor fixes selftests: memfd: return Kselftest Skip code for skipped tests selftests: intel_pstate: return Kselftest Skip code for skipped tests PCI: Fix devm_pci_alloc_host_bridge() memory leak btrfs: balance dirty metadata pages in btrfs_finish_ordered_io iwlwifi: pcie: fix race in Rx buffer allocator Bluetooth: hci_qca: Fix "Sleep inside atomic section" warning Bluetooth: btusb: Add a new Realtek 8723DE ID 2ff8:b011 ASoC: dpcm: fix BE dai not hw_free and shutdown mfd: cros_ec: Fail early if we cannot identify the EC mwifiex: handle race during mwifiex_usb_disconnect wlcore: sdio: check for valid platform device data before suspend net: hns3: Fixes the init of the VALID BD info in the descriptor media: tw686x: Fix incorrect vb2_mem_ops GFP flags media: videobuf2-core: don't call memop 'finish' when queueing Btrfs: don't return ino to ino cache if inode item removal fails Btrfs: don't BUG_ON() in btrfs_truncate_inode_items() btrfs: add barriers to btrfs_sync_log before log_commit_wait wakeups btrfs: qgroup: Finish rescan when hit the last leaf of extent tree x86/microcode: Make the late update update_lock a raw lock for RT PM / wakeup: Make s2idle_lock a RAW_SPINLOCK PCI: Prevent sysfs disable of device while driver is attached nvme-rdma: stop admin queue before freeing it nvme-pci: Fix AER reset handling ath: Add regulatory mapping for FCC3_ETSIC ath: Add regulatory mapping for ETSI8_WORLD ath: Add regulatory mapping for APL13_WORLD ath: Add regulatory mapping for APL2_FCCA ath: Add regulatory mapping for Uganda ath: Add regulatory mapping for Tanzania ath: Add regulatory mapping for Serbia ath: Add regulatory mapping for Bermuda ath: Add regulatory mapping for Bahamas powerpc/32: Add a missing include header powerpc/chrp/time: Make some functions static, add missing header include powerpc/powermac: Add missing prototype for note_bootable_part() powerpc/powermac: Mark variable x as unused powerpc: Add __printf verification to prom_printf spi: sh-msiof: Fix setting SIRMDR1.SYNCAC to match SITMDR1.SYNCAC powerpc/8xx: fix invalid register expression in head_8xx.S pinctrl: at91-pio4: add missing of_node_put bpf: powerpc64: pad function address loads with NOPs PCI: pciehp: Request control of native hotplug only if supported net: dsa: qca8k: Add support for QCA8334 switch mwifiex: correct histogram data with appropriate index ima: based on policy verify firmware signatures (pre-allocated buffer) drivers/perf: arm-ccn: don't log to dmesg in event_init spi: Add missing pm_runtime_put_noidle() after failed get net: hns3: Fix the missing client list node initialization fscrypt: use unbound workqueue for decryption scsi: ufs: ufshcd: fix possible unclocked register access scsi: ufs: fix exception event handling scsi: zfcp: assert that the ERP lock is held when tracing a recovery trigger drm/nouveau/fifo/gk104-: poll for runlist update completion Bluetooth: btusb: add ID for LiteOn 04ca:301a rtc: tps6586x: fix possible race condition rtc: vr41xx: fix possible race condition rtc: tps65910: fix possible race condition ALSA: emu10k1: Rate-limit error messages about page errors regulator: pfuze100: add .is_enable() for pfuze100_swb_regulator_ops md/raid1: add error handling of read error from FailFast device md: fix NULL dereference of mddev->pers in remove_and_add_spares() ixgbevf: fix MAC address changes through ixgbevf_set_mac() media: smiapp: fix timeout checking in smiapp_read_nvm net: ethernet: ti: cpsw-phy-sel: check bus_find_device() ret value ALSA: usb-audio: Apply rate limit to warning messages in URB complete callback media: atomisp: ov2680: don't declare unused vars arm64: cmpwait: Clear event register before arming exclusive monitor HID: hid-plantronics: Re-resend Update to map button for PTT products arm64: dts: renesas: salvator-common: use audio-graph-card for Sound drm/radeon: fix mode_valid's return type drm/amdgpu: Remove VRAM from shared bo domains. powerpc/embedded6xx/hlwd-pic: Prevent interrupts from being handled by Starlet HID: i2c-hid: check if device is there before really probing EDAC, altera: Fix ARM64 build warning ARM: dts: stih407-pinctrl: Fix complain about IRQ_TYPE_NONE usage ARM: dts: emev2: Add missing interrupt-affinity to PMU node ARM: dts: sh73a0: Add missing interrupt-affinity to PMU node nvmem: properly handle returned value nvmem_reg_read i40e: free the skb after clearing the bitlock tty: Fix data race in tty_insert_flip_string_fixed_flag dma-iommu: Fix compilation when !CONFIG_IOMMU_DMA net: phy: phylink: Release link GPIO media: rcar_jpu: Add missing clk_disable_unprepare() on error in jpu_open() libata: Fix command retry decision ACPI / LPSS: Only call pwm_add_table() for Bay Trail PWM if PMIC HRV is 2 media: media-device: fix ioctl function types media: saa7164: Fix driver name in debug output mtd: rawnand: fsl_ifc: fix FSL NAND driver to read all ONFI parameter pages brcmfmac: Add support for bcm43364 wireless chipset s390/cpum_sf: Add data entry sizes to sampling trailer entry perf: fix invalid bit in diagnostic entry bnxt_en: Check unsupported speeds in bnxt_update_link() on PF only. scsi: 3w-9xxx: fix a missing-check bug scsi: 3w-xxxx: fix a missing-check bug scsi: megaraid: silence a static checker bug scsi: hisi_sas: config ATA de-reset as an constrained command for v3 hw scsi: qedf: Set the UNLOADING flag when removing a vport staging: lustre: o2iblnd: fix race at kiblnd_connect_peer staging: lustre: o2iblnd: Fix FastReg map/unmap for MLX5 thermal: exynos: fix setting rising_threshold for Exynos5433 bpf: fix references to free_bpf_prog_info() in comments f2fs: avoid fsync() failure caused by EAGAIN in writepage() media: siano: get rid of __le32/__le16 cast warnings drm/atomic: Handling the case when setting old crtc for plane ALSA: hda/ca0132: fix build failure when a local macro is defined mmc: dw_mmc: update actual clock for mmc debugfs mmc: pwrseq: Use kmalloc_array instead of stack VLA dt-bindings: pinctrl: meson: add support for the Meson8m2 SoC spi: meson-spicc: Fix error handling in meson_spicc_probe() net: hns3: Fixes the out of bounds access in hclge_map_tqp dt-bindings: net: meson-dwmac: new compatible name for AXG SoC backlight: pwm_bl: Don't use GPIOF_* with gpiod_get_direction stop_machine: Use raw spinlocks delayacct: Use raw_spinlocks memory: tegra: Do not handle spurious interrupts memory: tegra: Apply interrupts mask per SoC nvme: lightnvm: add granby support arm64: defconfig: Enable Rockchip io-domain driver igb: Fix queue selection on MAC filters on i210 drm/gma500: fix psb_intel_lvds_mode_valid()'s return type ipconfig: Correctly initialise ic_nameservers rsi: Fix 'invalid vdd' warning in mmc rsi: fix nommu_map_sg overflow kernel panic audit: allow not equal op for audit by executable staging: vchiq_core: Fix missing semaphore release in error case staging: lustre: llite: correct removexattr detection staging: lustre: ldlm: free resource when ldlm_lock_create() fails. serial: core: Make sure compiler barfs for 16-byte earlycon names soc: imx: gpcv2: Do not pass static memory as platform data microblaze: Fix simpleImage format generation usb: hub: Don't wait for connect state at resume for powered-off ports crypto: authencesn - don't leak pointers to authenc keys crypto: authenc - don't leak pointers to authenc keys media: omap3isp: fix unbalanced dma_iommu_mapping regulator: Don't return or expect -errno from of_map_mode() scsi: scsi_dh: replace too broad "TP9" string with the exact models scsi: megaraid_sas: Increase timeout by 1 sec for non-RAID fastpath IOs scsi: cxlflash: Synchronize reset and remove ops scsi: cxlflash: Avoid clobbering context control register value media: atomisp: compat32: fix __user annotations media: si470x: fix __be16 annotations ASoC: topology: Fix bclk and fsync inversion in set_link_hw_format() ASoC: topology: Add missing clock gating parameter when parsing hw_configs drm: Add DP PSR2 sink enable bit drm/atomic-helper: Drop plane->fb references only for drm_atomic_helper_shutdown() drm/dp/mst: Fix off-by-one typo when dump payload table block: bio_iov_iter_get_pages: fix size of last iovec blkdev: __blkdev_direct_IO_simple: fix leak in error case block: reset bi_iter.bi_done after splitting bio random: mix rdrand with entropy sent in from userspace squashfs: be more careful about metadata corruption ext4: fix inline data updates with checksums enabled ext4: check for allocation block validity with block group locked ext4: fix check to prevent initializing reserved inodes PCI: pciehp: Assume NoCompl+ for Thunderbolt ports PCI: xgene: Remove leftover pci_scan_child_bus() call ovl: Sync upper dirty data when syncing overlayfs usb: gadget: udc: renesas_usb3: should remove debugfs RDMA/uverbs: Protect from attempts to create flows on unsupported QP net: dsa: qca8k: Force CPU port to its highest bandwidth net: dsa: qca8k: Enable RXMAC when bringing up a port net: dsa: qca8k: Add QCA8334 binding documentation net: dsa: qca8k: Allow overwriting CPU port setting ipv4: remove BUG_ON() from fib_compute_spec_dst net: ena: Fix use of uninitialized DMA address bits field net: fix amd-xgbe flow-control issue net: lan78xx: fix rx handling before first packet is send net: mdio-mux: bcm-iproc: fix wrong getter and setter pair NET: stmmac: align DMA stuff to largest cache line length tcp_bbr: fix bw probing to raise in-flight data for very small BDPs xen-netfront: wait xenbus state change when load module manually netlink: Do not subscribe to non-existent groups netlink: Don't shift with UB on nlk->ngroups tcp: do not force quickack when receiving out-of-order packets tcp: add max_quickacks param to tcp_incr_quickack and tcp_enter_quickack_mode tcp: do not aggressively quick ack after ECN events tcp: refactor tcp_ecn_check_ce to remove sk type cast tcp: add one more quick ack after after ECN events Linux 4.14.60 Signed-off-by: -
Greg Kroah-Hartman authored
-
