- Feb 25, 2021
-
-
Stanimir Varbanov authored
The rate of the core clock is set through devm_pm_opp_set_rate and to avoid errors from it we have to set the name of the clock via dev_pm_opp_set_clkname. Signed-off-by:
Stanimir Varbanov <stanimir.varbanov@linaro.org> Signed-off-by:
Aníbal Limón <anibal.limon@linaro.org>
-
Stanimir Varbanov authored
The Venus v1 behaves differently comparing with the other Venus version in respect to capability parsing and when they are send to the driver. So we don't need to initialize hfi parser for multiple invocations like what we do for > v1 Venus versions. Signed-off-by:
-
- Feb 17, 2021
-
-
Viresh Kumar authored
freq_qos_update_request() returns 1 if the effective constraint value has changed, 0 if the effective constraint value has not changed, or a negative error code on failures. The frequency constraints for CPUs can be set by different parts of the kernel. If the maximum frequency constraint set by other parts of the kernel are set at a lower value than the one corresponding to cooling state 0, then we will never be able to cool down the system as freq_qos_update_request() will keep on returning 0 and we will skip updating cpufreq_state and thermal pressure. Fix that by doing the updates even in the case where freq_qos_update_request() returns 0, as we have effectively set the constraint to a new value even if the consolidated value of the actual constraint is unchanged because of external factors. Cc: v5.7+ <stable@vger.kernel.org> # v5.7+ Reported-by:
Thara Gopinath <thara.gopinath@linaro.org> Fixes: f12e4f66 ("thermal/cpu-cooling: Update thermal pressure in case of a maximum frequency capping") Signed-off-by:
Viresh Kumar <viresh.kumar@linaro.org> Reviewed-by:
Lukasz Luba <lukasz.luba@arm.com> Tested-by:
Rafael J. Wysocki <rafael.j.wysocki@intel.com> Tested-by:
Thara <Gopinath<thara.gopinath@linaro.org> Signed-off-by:
-
- Feb 16, 2021
-
-
Aníbal Limón authored
Signed-off-by:
-
- Feb 11, 2021
-
-
Aníbal Limón authored
Signed-off-by: -
Dmitry Baryshkov authoredVerify that user applications are not using the kernel RPC message handle to restrict them from directly attaching to guest OS on the remote subsystem. This is a port of CVE-2019-2308 fix. Fixes: c68cfb71 ("misc: fastrpc: Add support for context Invoke method") Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> Cc: Jonathan Marek <jonathan@marek.ca> Cc: stable@vger.kernel.org Signed-off-by:
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
-
dma_map_sgtable() returns 0 on success, which is the opposite of what this code was doing. Fixes: 7cd7edb8 ("misc: fastrpc: fix common struct sg_table related issues") Signed-off-by:
Jonathan Marek <jonathan@marek.ca>
-
- Feb 09, 2021
-
-
Dmitry Baryshkov authored
GENI SPI controller shows several issues if it manages the CS on its own (see 37dd4b77 ("arm64: dts: qcom: sc7180: Provide pinconf for SPI to use GPIO for CS")) for the details. Configure SPI0 CS pin as a GPIO. Signed-off-by:
-
Dmitry Baryshkov authored
GENI SPI controller shows several issues if it manages the CS on its own (see 37dd4b77 ("arm64: dts: qcom: sc7180: Provide pinconf for SPI to use GPIO for CS")) for the details. Provide pinctrl entries for SPI controllers using the same CS pin but in GPIO mode. Signed-off-by:
-
Dmitry Baryshkov authored
spi_geni_transfer_one() should return 1 in SE case, as it only starts the transfer (like the mainline code does). Signed-off-by:
-
- Jan 27, 2021
-
-
Dmitry Baryshkov authored
This reverts commit 51a7e3e0. Both meta-qcom and Debian have received firmware packages using new firmware files, so revert this commit.
-
- Jan 19, 2021
-
-
Aníbal Limón authored
Signed-off-by: -
Aníbal Limón authored
Signed-off-by: -
Aníbal Limón authored
Signed-off-by: -
Aníbal Limón authored
Signed-off-by: -
Aníbal Limón authored
Signed-off-by:
-
- Jan 18, 2021
-
-
Srini Kandagatla authored
lpass hdmi support patch totally removed support for MI2S TERTIARY and QUATERNARY. One of the major issue was spotted with the design of having separate SoC specifc header files for the common lpass driver. This design is prone to break as an when new SoC header is added as the common DAI ids of other SoCs will be overwritten by the new ones. Having a common header qcom,lpass.h should fix the issue and any new DAI ids should be added to the common header. With this change lpass also needs a new of_xlate function to resolve dai name. Fixes: 7cb37b7b ("ASoC: qcom: Add support for lpass hdmi driver") Signed-off-by:
Srinivas Kandagatla <srinivas.kandagatla@linaro.org> Signed-off-by:
-
- Jan 13, 2021
-
-
Stephan Gerhold authored
Sound is broken on the DragonBoard 410c (apq8016_sbc) since 5.10: hdmi-audio-codec hdmi-audio-codec.1.auto: ASoC: error at snd_soc_component_set_jack on hdmi-audio-codec.1.auto: -95 qcom-apq8016-sbc 7702000.sound: Failed to set jack: -95 ADV7533: ASoC: error at snd_soc_link_init on ADV7533: -95 hdmi-audio-codec hdmi-audio-codec.1.auto: ASoC: error at snd_soc_component_set_jack on hdmi-audio-codec.1.auto: -95 qcom-apq8016-sbc: probe of 7702000.sound failed with error -95 This happens because apq8016_sbc calls snd_soc_component_set_jack() on all codec DAIs and attempts to ignore failures with return code -ENOTSUPP. -ENOTSUPP is also excluded from error logging in soc_component_ret(). However, hdmi_codec_set_jack() returns -E*OP*NOTSUPP if jack detection is not supported, which is not handled in apq8016_sbc and soc_component_ret(). Make it return -ENOTSUPP instead to fix sound and silence the errors. Cc: Cheng-Yi Chiang <cychiang@chromium.org> Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> Fixes: 55c5cc63 ("ASoC: hdmi-codec: Use set_jack ops to set jack") Signed-off-by:
Stephan Gerhold <stephan@gerhold.net> Acked-by:
Nicolin Chen <nicoleotsuka@gmail.com> Link: https://lore.kernel.org/r/20210107165131.2535-1-stephan@gerhold.net Signed-off-by:
Mark Brown <broonie@kernel.org> Signed-off-by:
-
- Jan 12, 2021
-
-
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linuxDmitry Baryshkov authored
This is the 5.10.7 stable release
-
Greg Kroah-Hartman authored
Tested-by:
Jon Hunter <jonathanh@nvidia.com> Tested-by:
Guenter Roeck <linux@roeck-us.net> Tested-by:
Shuah Khan <skhan@linuxfoundation.org> Tested-by:
Linux Kernel Functional Testing <lkft@linaro.org> Link: https://lore.kernel.org/r/20210111161510.602817176@linuxfoundation.org Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
David Disseldorp authored
commit 2896c938 upstream. When attempting to match EXTENDED COPY CSCD descriptors with corresponding se_devices, target_xcopy_locate_se_dev_e4() currently iterates over LIO's global devices list which includes all configured backstores. This change ensures that only initiator-accessible backstores are considered during CSCD descriptor lookup, according to the session's se_node_acl LUN list. To avoid LUN removal race conditions, device pinning is changed from being configfs based to instead using the se_node_acl lun_ref. Reference: CVE-2020-28374 Fixes: cbf031f4 ("target: Add support for EXTENDED_COPY copy offload emulation") Reviewed-by:
Lee Duncan <lduncan@suse.com> Signed-off-by:
David Disseldorp <ddiss@suse.de> Signed-off-by:
Mike Christie <michael.christie@oracle.com> Signed-off-by:
Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by:
-
Ping-Ke Shih authored
commit 4dfde294 upstream. request_firmware_nowait() which schedules another work is used to load firmware when USB is probing. If USB is unplugged before running the firmware work, it goes disconnect ops, and then causes use-after-free. Though we wait for completion of firmware work before freeing the hw, firmware callback rises completion too early. So I move it to the last step. usb 5-1: Direct firmware load for rtlwifi/rtl8192cufw.bin failed with error -2 rtlwifi: Loading alternative firmware rtlwifi/rtl8192cufw.bin rtlwifi: Selected firmware is not available ================================================================== BUG: KASAN: use-after-free in rtl_fw_do_work.cold+0x68/0x6a drivers/net/wireless/realtek/rtlwifi/core.c:93 Write of size 4 at addr ffff8881454cff50 by task kworker/0:6/7379 CPU: 0 PID: 7379 Comm: kworker/0:6 Not tainted 5.10.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events request_firmware_work_func Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562 rtl_fw_do_work.cold+0x68/0x6a drivers/net/wireless/realtek/rtlwifi/core.c:93 request_firmware_work_func+0x12c/0x230 drivers/base/firmware_loader/main.c:1079 process_one_work+0x933/0x1520 kernel/workqueue.c:2272 worker_thread+0x64c/0x1120 kernel/workqueue.c:2418 kthread+0x38c/0x460 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 The buggy address belongs to the page: page:00000000f54435b3 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1454cf flags: 0x200000000000000() raw: 0200000000000000 0000000000000000 ffffea00051533c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881454cfe00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8881454cfe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8881454cff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8881454cff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8881454d0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Reported-by:
<syzbot+65be4277f3c489293939@syzkaller.appspotmail.com> Signed-off-by:
Ping-Ke Shih <pkshih@realtek.com> Signed-off-by:
Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20201214053106.7748-1-pkshih@realtek.com Signed-off-by:
-
Magnus Karlsson authored
commit 8bee6833 upstream. Fix a possible memory leak when a bind of an AF_XDP socket fails. When the fill and completion rings are created, they are tied to the socket. But when the buffer pool is later created at bind time, the ownership of these two rings are transferred to the buffer pool as they might be shared between sockets (and the buffer pool cannot be created until we know what we are binding to). So, before the buffer pool is created, these two rings are cleaned up with the socket, and after they have been transferred they are cleaned up together with the buffer pool. The problem is that ownership was transferred before it was absolutely certain that the buffer pool could be created and initialized correctly and when one of these errors occurred, the fill and completion rings did neither belong to the socket nor the pool and where therefore leaked. Solve this by moving the ownership transfer to the point where the buffer pool has been completely set up and there is no way it can fail. Fixes: 7361f9c3 ("xsk: Move fill and completion rings to buffer pool") Reported-by:
<syzbot+cfa88ddd0655afa88763@syzkaller.appspotmail.com> Signed-off-by:
Magnus Karlsson <magnus.karlsson@intel.com> Signed-off-by:
Daniel Borkmann <daniel@iogearbox.net> Acked-by:
Björn Töpel <bjorn.topel@intel.com> Link: https://lore.kernel.org/bpf/20201214085127.3960-1-magnus.karlsson@gmail.com Signed-off-by:
-
Paolo Bonzini authored
commit 2f80d502 upstream. Since we know that e >= s, we can reassociate the left shift, changing the shifted number from 1 to 2 in exchange for decreasing the right hand side by 1. Reported-by:
<syzbot+e87846c48bf72bc85311@syzkaller.appspotmail.com> Signed-off-by:
Paolo Bonzini <pbonzini@redhat.com> Signed-off-by:
-
Ying-Tsun Huang authored
commit cb7f4a8b upstream. In mtrr_type_lookup(), if the input memory address region is not in the MTRR, over 4GB, and not over the top of memory, a write-back attribute is returned. These condition checks are for ensuring the input memory address region is actually mapped to the physical memory. However, if the end address is just aligned with the top of memory, the condition check treats the address is over the top of memory, and write-back attribute is not returned. And this hits in a real use case with NVDIMM: the nd_pmem module tries to map NVDIMMs as cacheable memories when NVDIMMs are connected. If a NVDIMM is the last of the DIMMs, the performance of this NVDIMM becomes very low since it is aligned with the top of memory and its memory type is uncached-minus. Move the input end address change to inclusive up into mtrr_type_lookup(), before checking for the top of memory in either mtrr_type_lookup_{variable,fixed}() helpers. [ bp: Massage commit message. ] Fixes: 0cc705f5 ("x86/mm/mtrr: Clean up mtrr_type_lookup()") Signed-off-by:
Ying-Tsun Huang <ying-tsun.huang@amd.com> Signed-off-by:
Borislav Petkov <bp@suse.de> Link: https://lkml.kernel.org/r/20201215070721.4349-1-ying-tsun.huang@amd.com Signed-off-by:
-
Dan Carpenter authored
commit ff58f7dd upstream. The clean up is off by one so this will start at "i" and it should start with "i - 1" and then it doesn't unregister the zeroeth elements in the array. Fixes: c52ca478 ("dmaengine: idxd: add configuration component of driver") Signed-off-by:
Dan Carpenter <dan.carpenter@oracle.com> Acked-by:
Dave Jiang <dave.jiang@intel.com> Link: https://lore.kernel.org/r/X9nFeojulsNqUSnG@mwanda Signed-off-by:
Vinod Koul <vkoul@kernel.org> Signed-off-by:
-
Pablo Neira Ayuso authored
commit 95cd4bca upstream. If userspace requests a feature which is not available the original set definition, then bail out with EOPNOTSUPP. If userspace sends unsupported dynset flags (new feature not supported by this kernel), then report EOPNOTSUPP to userspace. EINVAL should be only used to report malformed netlink messages from userspace. Fixes: 22fe54d5 ("netfilter: nf_tables: add support for dynamic set updates") Signed-off-by:
Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by:
-
Florian Westphal authored
commit 6cb56218 upstream. syzbot reports: detected buffer overflow in strlen [..] Call Trace: strlen include/linux/string.h:325 [inline] strlcpy include/linux/string.h:348 [inline] xt_rateest_tg_checkentry+0x2a5/0x6b0 net/netfilter/xt_RATEEST.c:143 strlcpy assumes src is a c-string. Check info->name before its used. Reported-by:
<syzbot+e86f7c428c8c50db65b4@syzkaller.appspotmail.com> Fixes: 5859034d ("[NETFILTER]: x_tables: add RATEEST target") Signed-off-by:
Florian Westphal <fw@strlen.de> Signed-off-by:
-
Vasily Averin authored
commit 5c8193f5 upstream. htable_bits() can call jhash_size(32) and trigger shift-out-of-bounds UBSAN: shift-out-of-bounds in net/netfilter/ipset/ip_set_hash_gen.h:151:6 shift exponent 32 is too large for 32-bit type 'unsigned int' CPU: 0 PID: 8498 Comm: syz-executor519 Not tainted 5.10.0-rc7-next-20201208-syzkaller #0 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:120 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395 htable_bits net/netfilter/ipset/ip_set_hash_gen.h:151 [inline] hash_mac_create.cold+0x58/0x9b net/netfilter/ipset/ip_set_hash_gen.h:1524 ip_set_create+0x610/0x1380 net/netfilter/ipset/ip_set_core.c:1115 nfnetlink_rcv_msg+0xecc/0x1180 net/netfilter/nfnetlink.c:252 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494 nfnetlink_rcv+0x1ac/0x420 net/netfilter/nfnetlink.c:600 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:672 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2345 ___sys_sendmsg+0xf3/0x170 net/socket.c:2399 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 This patch replaces htable_bits() by simple fls(hashsize - 1) call: it alone returns valid nbits both for round and non-round hashsizes. It is normal to set any nbits here because it is validated inside following htable_size() call which returns 0 for nbits>31. Fixes: 1feab10d("netfilter: ipset: Unified hash type generation") Reported-by:
<syzbot+d66bfadebca46cf61a2b@syzkaller.appspotmail.com> Signed-off-by:
Vasily Averin <vvs@virtuozzo.com> Acked-by:
Jozsef Kadlecsik <kadlec@netfilter.org> Signed-off-by:
-
Subash Abhinov Kasiviswanathan authored
commit 443d6e86 upstream. This fixes the dereference to fetch the RCU pointer when holding the appropriate xtables lock. Reported-by:
kernel test robot <lkp@intel.com> Fixes: cc00bcaa ("netfilter: x_tables: Switch synchronization to RCU") Signed-off-by:
Subash Abhinov Kasiviswanathan <subashab@codeaurora.org> Reviewed-by:
-
Aaro Koskinen authored
commit f1dc15cd upstream. AES needs to be disabled on Nokia N950/N9 as well (HS devices), otherwise kernel fails to boot. Fixes: c312f066 ("ARM: dts: omap3: Migrate AES from hwmods to sysc-omap2") Signed-off-by:
Aaro Koskinen <aaro.koskinen@iki.fi> Signed-off-by:
Tony Lindgren <tony@atomide.com> Signed-off-by:
-
Moshe Shemesh authored
commit b544011f upstream. In case WQE includes inline header the vlan is inserted by driver even if vlan offload is set. On geneve over vlan interface where software parser is used the SWP offsets should be updated according to the added vlan. Fixes: e3cfc7e6 ("net/mlx5e: TX, Add geneve tunnel stateless offload support") Signed-off-by:
Moshe Shemesh <moshe@mellanox.com> Reviewed-by:
Tariq Toukan <tariqt@nvidia.com> Signed-off-by:
Saeed Mahameed <saeedm@nvidia.com> Signed-off-by:
-
Coly Li authored
commit b16671e8 upstream. When large bucket feature was added, BCH_FEATURE_INCOMPAT_LARGE_BUCKET was introduced into the incompat feature set. It used bucket_size_hi (which was added at the tail of struct cache_sb_disk) to extend current 16bit bucket size to 32bit with existing bucket_size in struct cache_sb_disk. This is not a good idea, there are two obvious problems, - Bucket size is always value power of 2, if store log2(bucket size) in existing bucket_size of struct cache_sb_disk, it is unnecessary to add bucket_size_hi. - Macro csum_set() assumes d[SB_JOURNAL_BUCKETS] is the last member in struct cache_sb_disk, bucket_size_hi was added after d[] which makes csum_set calculate an unexpected super block checksum. To fix the above problems, this patch introduces a new incompat feature bit BCH_FEATURE_INCOMPAT_LOG_LARGE_BUCKET_SIZE, when this bit is set, it means bucket_size in struct cache_sb_disk stores the order of power-of-2 bucket size value. When user specifies a bucket size larger than 32768 sectors, BCH_FEATURE_INCOMPAT_LOG_LARGE_BUCKET_SIZE will be set to incompat feature set, and bucket_size stores log2(bucket size) more than store the real bucket size value. The obsoleted BCH_FEATURE_INCOMPAT_LARGE_BUCKET won't be used anymore, it is renamed to BCH_FEATURE_INCOMPAT_OBSO_LARGE_BUCKET and still only recognized by kernel driver for legacy compatible purpose. The previous bucket_size_hi is renmaed to obso_bucket_size_hi in struct cache_sb_disk and not used in bcache-tools anymore. For cache device created with BCH_FEATURE_INCOMPAT_LARGE_BUCKET feature, bcache-tools and kernel driver still recognize the feature string and display it as "obso_large_bucket". With this change, the unnecessary extra space extend of bcache on-disk super block can be avoided, and csum_set() may generate expected check sum as well. Fixes: ffa47032 ("bcache: add bucket_size_hi into struct cache_sb_disk for large bucket") Signed-off-by:
Coly Li <colyli@suse.de> Cc: stable@vger.kernel.org # 5.9+ Signed-off-by:
Jens Axboe <axboe@kernel.dk> Signed-off-by:
-
Coly Li authored
commit 1dfc0686 upstream. This patch adds the check for features which is incompatible for current supported feature sets. Now if the bcache device created by bcache-tools has features that current kernel doesn't support, read_super() will fail with error messoage. E.g. if an unsupported incompatible feature detected, bcache register will fail with dmesg "bcache: register_bcache() error : Unsupported incompatible feature found". Fixes: d721a43f ("bcache: increase super block version for cache device and backing device") Fixes: ffa47032 ("bcache: add bucket_size_hi into struct cache_sb_disk for large bucket") Signed-off-by:
-
Coly Li authored
commit f7b4943d upstream. This patch fixes the following typos, from BCH_FEATURE_COMPAT_SUUP to BCH_FEATURE_COMPAT_SUPP from BCH_FEATURE_INCOMPAT_SUUP to BCH_FEATURE_INCOMPAT_SUPP from BCH_FEATURE_INCOMPAT_SUUP to BCH_FEATURE_RO_COMPAT_SUPP Fixes: d721a43f ("bcache: increase super block version for cache device and backing device") Fixes: ffa47032 ("bcache: add bucket_size_hi into struct cache_sb_disk for large bucket") Signed-off-by:
-
Matthew Auld authored
commit 641382e9 upstream. The reloc batch is short lived but can exist in the user visible ppGTT, and since it's backed by an internal object, which lacks page clearing, we should take care to clear it upfront. Signed-off-by:
Matthew Auld <matthew.auld@intel.com> Reviewed-by:
Chris Wilson <chris@chris-wilson.co.uk> Signed-off-by:
Jani Nikula <jani.nikula@intel.com> Signed-off-by:
-
Matthew Auld authored
commit 75353bcd upstream. The shadow batch is an internal object, which doesn't have any page clearing, and since the batch_len can be smaller than the object, we should take care to clear it. Testcase: igt/gen9_exec_parse/shadow-peek Fixes: 4f7af194 ("drm/i915: Support ro ppgtt mapped cmdparser shadow buffers") Signed-off-by:
-
Nick Desaulniers authored
commit 311bea3c upstream. With GNU binutils 2.35+, linking with BFD produces warnings for vmlinux: aarch64-linux-gnu-ld: warning: -z norelro ignored BFD can produce this warning when the target emulation mode does not support RELRO program headers, and -z relro or -z norelro is passed. Alan Modra clarifies: The default linker emulation for an aarch64-linux ld.bfd is -maarch64linux, the default for an aarch64-elf linker is -maarch64elf. They are not equivalent. If you choose -maarch64elf you get an emulation that doesn't support -z relro. The ARCH=arm64 kernel prefers -maarch64elf, but may fall back to -maarch64linux based on the toolchain configuration. LLD will always create RELRO program header regardless of target emulation. To avoid the above warning when linking with BFD, pass -z norelro only when linking with LLD or with -maarch64linux. Fixes: 3b92fa74 ("arm64: link with -z norelro regardless of CONFIG_RELOCATABLE") Fixes: 3bbd3db8 ("arm64: relocatable: fix inconsistencies in linker script and options") Cc: <stable@vger.kernel.org> # 5.0.x- Reported-by:
kernelci.org bot <bot@kernelci.org> Reported-by:
Quentin Perret <qperret@google.com> Signed-off-by:
Nick Desaulniers <ndesaulniers@google.com> Reviewed-by:
Nathan Chancellor <natechancellor@gmail.com> Acked-by:
Ard Biesheuvel <ardb@kernel.org> Cc: Alan Modra <amodra@gmail.com> Cc: Fāng-ruì Sòng <maskray@google.com> Link: https://lore.kernel.org/r/20201218002432.788499-1-ndesaulniers@google.com Signed-off-by:
Catalin Marinas <catalin.marinas@arm.com> Signed-off-by:
-
Charan Teja Reddy authored
commit 05cd8469 upstream. It is observed 'use-after-free' on the dmabuf's file->f_inode with the race between closing the dmabuf file and reading the dmabuf's debug info. Consider the below scenario where P1 is closing the dma_buf file and P2 is reading the dma_buf's debug info in the system: P1 P2 dma_buf_debug_show() dma_buf_put() __fput() file->f_op->release() dput() .... dentry_unlink_inode() iput(dentry->d_inode) (where the inode is freed) mutex_lock(&db_list.lock) read 'dma_buf->file->f_inode' (the same inode is freed by P1) mutex_unlock(&db_list.lock) dentry->d_op->d_release()--> dma_buf_release() ..... mutex_lock(&db_list.lock) removes the dmabuf from the list mutex_unlock(&db_list.lock) In the above scenario, when dma_buf_put() is called on a dma_buf, it first frees the dma_buf's file->f_inode(=dentry->d_inode) and then removes this dma_buf from the system db_list. In between P2 traversing the db_list tries to access this dma_buf's file->f_inode that was freed by P1 which is a use-after-free case. Since, __fput() calls f_op->release first and then later calls the d_op->d_release, move the dma_buf's db_list removal from d_release() to f_op->release(). This ensures that dma_buf's file->f_inode is not accessed after it is released. Cc: <stable@vger.kernel.org> # 5.4.x- Fixes: 4ab59c3c ("dma-buf: Move dma_buf_release() from fops to dentry_ops") Acked-by:
Christian König <christian.koenig@amd.com> Signed-off-by:
Charan Teja Reddy <charante@codeaurora.org> Signed-off-by:
Sumit Semwal <sumit.semwal@linaro.org> Signed-off-by:
Thomas Zimmermann <tzimmermann@suse.de> Link: https://patchwork.freedesktop.org/patch/msgid/1609857399-31549-1-git-send-email-charante@codeaurora.org Signed-off-by:
-
Bard Liao authored
commit 47f44699 upstream. While commit d5dcce0c ("device property: Keep secondary firmware node secondary by type") describes everything correct in its commit message, the change it made does the opposite and original commit c15e1bdd ("device property: Fix the secondary firmware node handling in set_primary_fwnode()") was fully correct. Revert the former one here and improve documentation in the next patch. Fixes: d5dcce0c ("device property: Keep secondary firmware node secondary by type") Signed-off-by:
Bard Liao <yung-chuan.liao@linux.intel.com> Reviewed-by:
Andy Shevchenko <andriy.shevchenko@linux.intel.com> Reviewed-by:
Heikki Krogerus <heikki.krogerus@linux.intel.com> Cc: 5.10+ <stable@vger.kernel.org> # 5.10+ Signed-off-by:
-
