[PATCH 4.9 023/212] install several missing uapi headers

2020-08-20 Thread Greg Kroah-Hartman
From: Rolf Eike Beer Commit fcc8487d477a3452a1d0ccbdd4c5e0e1e3cb8bed ("uapi: export all headers under uapi directories") changed the default to install all headers not marked to be conditional. This takes the list of headers listed in the commit message and manually adds an export for those that

[PATCH 4.9 006/212] media: rc: prevent memory leak in cx23888_ir_probe

2020-08-20 Thread Greg Kroah-Hartman
From: Navid Emamdoost [ Upstream commit a7b2df76b42bdd026e3106cf2ba97db41345a177 ] In cx23888_ir_probe if kfifo_alloc fails the allocated memory for state should be released. Signed-off-by: Navid Emamdoost Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Le

[PATCH 4.9 056/212] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()

2020-08-20 Thread Greg Kroah-Hartman
From: Peilin Ye commit 629b49c848ee71244203934347bd7730b0ddee8d upstream. Check `num_rsp` before using it as for-loop counter. Add `unlock` label. Cc: sta...@vger.kernel.org Signed-off-by: Peilin Ye Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman --- net/bluetooth/hci_even

[PATCH 4.9 053/212] ALSA: seq: oss: Serialize ioctls

2020-08-20 Thread Greg Kroah-Hartman
From: Takashi Iwai commit 80982c7e834e5d4e325b6ce33757012ecafdf0bb upstream. Some ioctls via OSS sequencer API may race and lead to UAF when the port create and delete are performed concurrently, as spotted by a couple of syzkaller cases. This patch is an attempt to address it by serializing th

[PATCH 4.9 059/212] mtd: properly check all write ioctls for permissions

2020-08-20 Thread Greg Kroah-Hartman
From: Greg Kroah-Hartman commit f7e6b19bc76471ba03725fe58e0c218a3d6266c3 upstream. When doing a "write" ioctl call, properly check that we have permissions to do so before copying anything from userspace or anything else so we can "fail fast". This includes also covering the MEMWRITE ioctl whic

[PATCH 4.9 060/212] leds: wm831x-status: fix use-after-free on unbind

2020-08-20 Thread Greg Kroah-Hartman
From: Johan Hovold commit 47a459ecc800a17109d0c496a4e21e478806ee40 upstream. Several MFD child drivers register their class devices directly under the parent device. This means you cannot blindly do devres conversions so that deregistration ends up being tied to the parent device, something whic

[PATCH 4.9 050/212] ext4: fix direct I/O read error

2020-08-20 Thread Greg Kroah-Hartman
From: Jiang Ying This patch is used to fix ext4 direct I/O read error when the read size is not aligned with block size. Then, I will use a test to explain the error. (1) Make a file that is not aligned with block size: $dd if=/dev/zero of=./test.jar bs=1000 count=3 (2) I wrote a sourc

[PATCH 4.9 045/212] random32: update the net random state on interrupt and activity

2020-08-20 Thread Greg Kroah-Hartman
From: Willy Tarreau commit f227e3ec3b5cad859ad15666874405e8c1bbc1d4 upstream. This modifies the first 32 bits out of the 128 bits of a random CPU's net_rand_state on interrupt or CPU activity to complicate remote observations that could lead to guessing the network RNG's internal state. Note th

[PATCH 4.9 034/212] mac80211: mesh: Free pending skb when destroying a mpath

2020-08-20 Thread Greg Kroah-Hartman
From: Remi Pommarel [ Upstream commit 5e43540c2af0a0c0a18e39579b1ad49541f87506 ] A mpath object can hold reference on a list of skb that are waiting for mpath resolution to be sent. When destroying a mpath this skb list should be cleaned up in order to not leak memory. Fixing that kind of leak:

[PATCH 4.9 037/212] qed: Disable "MFW indication via attention" SPAM every 5 minutes

2020-08-20 Thread Greg Kroah-Hartman
From: Laurence Oberman [ Upstream commit 1d61e21852d3161f234b9656797669fe185c251b ] This is likely firmware causing this but it's starting to annoy customers. Change the message level to verbose to prevent the spam. Note that this seems to only show up with ISCSI enabled on the HBA via the qedi d

[PATCH 4.9 039/212] parisc: add support for cmpxchg on u8 pointers

2020-08-20 Thread Greg Kroah-Hartman
From: Liam Beguin [ Upstream commit b344d6a83d01c52fddbefa6b3b4764da5b1022a0 ] The kernel test bot reported[1] that using set_mask_bits on a u8 causes the following issue on parisc: hppa-linux-ld: drivers/phy/ti/phy-tusb1210.o: in function `tusb1210_probe': >> (.text+0x2f4): un

[PATCH 4.9 058/212] vgacon: Fix for missing check in scrollback handling

2020-08-20 Thread Greg Kroah-Hartman
From: Yunhai Zhang commit ebfdfeeae8c01fcb2b3b74ffaf03876e20835d2d upstream. vgacon_scrollback_update() always leaves enough room in the scrollback buffer for the next call, but if the console size changed that room might not actually be enough, and so we need to re-check. The check should be

[PATCH 4.9 065/212] drm/nouveau/fbcon: fix module unload when fbcon init has failed for some reason

2020-08-20 Thread Greg Kroah-Hartman
From: Ben Skeggs [ Upstream commit 498595abf5bd51f0ae074cec565d888778ea558f ] Stale pointer was tripping up the unload path. Signed-off-by: Ben Skeggs Signed-off-by: Sasha Levin --- drivers/gpu/drm/nouveau/nouveau_fbcon.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/no

[PATCH 4.9 082/212] EDAC: Fix reference count leaks

2020-08-20 Thread Greg Kroah-Hartman
From: Qiushi Wu [ Upstream commit 17ed808ad243192fb923e4e653c1338d3ba06207 ] When kobject_init_and_add() returns an error, it should be handled because kobject_init_and_add() takes a reference even when it fails. If this function returns an error, kobject_put() must be called to properly clean u

[PATCH 4.9 076/212] Revert "vxlan: fix tos value before xmit"

2020-08-20 Thread Greg Kroah-Hartman
From: Hangbin Liu [ Upstream commit a0dced17ad9dc08b1b25e0065b54c97a318e6e8b ] This reverts commit 71130f29979c7c7956b040673e6b9d5643003176. In commit 71130f29979c ("vxlan: fix tos value before xmit") we want to make sure the tos value are filtered by RT_TOS() based on RFC1349. 0 1

[PATCH 4.9 040/212] net: ethernet: ravb: exit if re-initialization fails in tx timeout

2020-08-20 Thread Greg Kroah-Hartman
From: Yoshihiro Shimoda [ Upstream commit 015c5d5e6aa3523c758a70eb87b291cece2dbbb4 ] According to the report of [1], this driver is possible to cause the following error in ravb_tx_timeout_work(). ravb e680.ethernet ethernet: failed to switch device to config mode This error means that the

[PATCH 4.9 079/212] tracepoint: Mark __tracepoint_strings __used

2020-08-20 Thread Greg Kroah-Hartman
From: Nick Desaulniers commit f3751ad0116fb6881f2c3c957d66a9327f69cefb upstream. __tracepoint_string's have their string data stored in .rodata, and an address to that data stored in the "__tracepoint_str" section. Functions that refer to those strings refer to the symbol of the address. Compile

[PATCH 4.9 084/212] arm64: dts: exynos: Fix silent hang after boot on Espresso

2020-08-20 Thread Greg Kroah-Hartman
From: Alim Akhtar [ Upstream commit b072714bfc0e42c984b8fd6e069f3ca17de8137a ] Once regulators are disabled after kernel boot, on Espresso board silent hang observed because of LDO7 being disabled. LDO7 actually provide power to CPU cores and non-cpu blocks circuitries. Keep this regulator alw

[PATCH 4.9 088/212] platform/x86: intel-vbtn: Fix return value check in check_acpi_dev()

2020-08-20 Thread Greg Kroah-Hartman
From: Lu Wei [ Upstream commit 64dd4a5a7d214a07e3d9f40227ec30ac8ba8796e ] In the function check_acpi_dev(), if it fails to create platform device, the return value is ERR_PTR() or NULL. Thus it must use IS_ERR_OR_NULL() to check return value. Fixes: 332e081225fc ("intel-vbtn: new driver for Int

[PATCH 4.9 070/212] xattr: break delegations in {set,remove}xattr

2020-08-20 Thread Greg Kroah-Hartman
From: Frank van der Linden commit 08b5d5014a27e717826999ad20e394a8811aae92 upstream. set/removexattr on an exported filesystem should break NFS delegations. This is true in general, but also for the upcoming support for RFC 8726 (NFSv4 extended attribute support). Make sure that they do. Additi

[PATCH 4.9 071/212] binder: Prevent context manager from incrementing ref 0

2020-08-20 Thread Greg Kroah-Hartman
From: Jann Horn commit 4b836a1426cb0f1ef2a6e211d7e553221594f8fc upstream. Binder is designed such that a binder_proc never has references to itself. If this rule is violated, memory corruption can occur when a process sends a transaction to itself; see e.g.

[PATCH 4.9 114/212] scsi: cumana_2: Fix different dev_id between request_irq() and free_irq()

2020-08-20 Thread Greg Kroah-Hartman
From: Christophe JAILLET [ Upstream commit 040ab9c4fd0070cd5fa71ba3a7b95b8470db9b4d ] The dev_id used in request_irq() and free_irq() should match. Use 'info' in both cases. Link: https://lore.kernel.org/r/20200625204730.943520-1-christophe.jail...@wanadoo.fr Fixes: 1da177e4c3f4 ("Linux-2.6.1

[PATCH 4.9 112/212] leds: lm355x: avoid enum conversion warning

2020-08-20 Thread Greg Kroah-Hartman
From: Arnd Bergmann [ Upstream commit 985b1f596f9ed56f42b8c2280005f943e1434c06 ] clang points out that doing arithmetic between different enums is usually a mistake: drivers/leds/leds-lm355x.c:167:28: warning: bitwise operation between different enumeration types ('enum lm355x_tx2' and 'enum lm3

[PATCH 4.9 113/212] media: omap3isp: Add missed v4l2_ctrl_handler_free() for preview_init_entities()

2020-08-20 Thread Greg Kroah-Hartman
From: Chuhong Yuan [ Upstream commit dc7690a73017e1236202022e26a6aa133f239c8c ] preview_init_entities() does not call v4l2_ctrl_handler_free() when it fails. Add the missed function to fix it. Fixes: de1135d44f4f ("[media] omap3isp: CCDC, preview engine and resizer") Signed-off-by: Chuhong Yuan

[PATCH 4.9 101/212] iwlegacy: Check the return value of pcie_capability_read_*()

2020-08-20 Thread Greg Kroah-Hartman
From: Bolarinwa Olayemi Saheed [ Upstream commit 9018fd7f2a73e9b290f48a56b421558fa31e8b75 ] On failure pcie_capability_read_dword() sets its last parameter, val to 0. However, with Patch 14/14, it is possible that val is set to ~0 on failure. This would introduce a bug because (x & x) == (~0 &

[PATCH 4.9 125/212] drm: panel: simple: Fix bpc for LG LB070WV8 panel

2020-08-20 Thread Greg Kroah-Hartman
From: Laurent Pinchart [ Upstream commit a6ae2fe5c9f9fd355a48fb7d21c863e5b20d6c9c ] The LG LB070WV8 panel incorrectly reports a 16 bits per component value, while the panel uses 8 bits per component. Fix it. Fixes: dd0150026901 ("drm/panel: simple: Add support for LG LB070WV8 800x480 7" panel"

[PATCH 4.9 129/212] staging: rtl8192u: fix a dubious looking mask before a shift

2020-08-20 Thread Greg Kroah-Hartman
From: Colin Ian King [ Upstream commit c4283950a9a4d3bf4a3f362e406c80ab14f10714 ] Currently the masking of ret with 0xff and followed by a right shift of 8 bits always leaves a zero result. It appears the mask of 0xff is incorrect and should be 0xff00, but I don't have the hardware to test this

[PATCH 4.9 100/212] brcmfmac: To fix Bss Info flag definition Bug

2020-08-20 Thread Greg Kroah-Hartman
From: Prasanna Kerekoppa [ Upstream commit fa3266541b13f390eb35bdbc38ff4a03368be004 ] Bss info flag definition needs to be fixed from 0x2 to 0x4. This flag is for rssi info received on channel. All Firmware branches defined as 0x4 and this is bug in brcmfmac. Signed-off-by: Prasanna Kerekoppa Si

[PATCH 4.9 126/212] scsi: scsi_debug: Add check for sdebug_max_queue during module init

2020-08-20 Thread Greg Kroah-Hartman
From: John Garry [ Upstream commit c87bf24cfb60bce27b4d2c7e56ebfd86fb9d16bb ] sdebug_max_queue should not exceed SDEBUG_CANQUEUE, otherwise crashes like this can be triggered by passing an out-of-range value: Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019 ps

[PATCH 4.9 128/212] powerpc/vdso: Fix vdso cpu truncation

2020-08-20 Thread Greg Kroah-Hartman
From: Milton Miller [ Upstream commit a9f675f950a07d5c1dbcbb97aabac56f5ed085e3 ] The code in vdso_cpu_init that exposes the cpu and numa node to userspace via SPRG_VDSO incorrectly masks the cpu to 12 bits. This means that any kernel running on a box with more than 4096 threads (NR_CPUS advertise

[PATCH 4.9 102/212] usb: gadget: net2280: fix memory leak on probe error handling paths

2020-08-20 Thread Greg Kroah-Hartman
From: Evgeny Novikov [ Upstream commit 2468c877da428ebfd701142c4cdfefcfb7d4c00e ] Driver does not release memory for device on error handling paths in net2280_probe() when gadget_release() is not registered yet. The patch fixes the bug like in other similar drivers. Found by Linux Driver Verif

[PATCH 4.9 103/212] bdc: Fix bug causing crash after multiple disconnects

2020-08-20 Thread Greg Kroah-Hartman
From: Sasi Kumar [ Upstream commit a95bdfd22076497288868c028619bc5995f5cc7f ] Multiple connects/disconnects can cause a crash on the second disconnect. The driver had a problem where it would try to send endpoint commands after it was disconnected which is not allowed by the hardware. The fix is

[PATCH 4.9 124/212] leds: core: Flush scheduled work for system suspend

2020-08-20 Thread Greg Kroah-Hartman
From: Kai-Heng Feng [ Upstream commit 302a085c20194bfa7df52e0fe684ee0c41da02e6 ] Sometimes LED won't be turned off by LED_CORE_SUSPENDRESUME flag upon system suspend. led_set_brightness_nopm() uses schedule_work() to set LED brightness. However, there's no guarantee that the scheduled work gets

[PATCH 4.9 105/212] bcache: fix super block seq numbers comparision in register_cache_set()

2020-08-20 Thread Greg Kroah-Hartman
From: Coly Li [ Upstream commit 117f636ea695270fe492d0c0c9dfadc7a662af47 ] In register_cache_set(), c is pointer to struct cache_set, and ca is pointer to struct cache, if ca->sb.seq > c->sb.seq, it means this registering cache has up to date version and other members, the in- memory version and

[PATCH 4.9 119/212] scsi: eesox: Fix different dev_id between request_irq() and free_irq()

2020-08-20 Thread Greg Kroah-Hartman
From: Christophe JAILLET [ Upstream commit 86f2da1112ccf744ad9068b1d5d9843faf8ddee6 ] The dev_id used in request_irq() and free_irq() should match. Use 'info' in both cases. Link: https://lore.kernel.org/r/20200626040553.944352-1-christophe.jail...@wanadoo.fr Fixes: 1da177e4c3f4 ("Linux-2.6.12

[PATCH 4.9 104/212] dyndbg: fix a BUG_ON in ddebug_describe_flags

2020-08-20 Thread Greg Kroah-Hartman
From: Jim Cromie [ Upstream commit f678ce8cc3cb2ad29df75d8824c74f36398ba871 ] ddebug_describe_flags() currently fills a caller provided string buffer, after testing its size (also passed) in a BUG_ON. Fix this by replacing them with a known-big-enough string buffer wrapped in a struct, and pass

[PATCH 4.9 120/212] media: firewire: Using uninitialized values in node_probe()

2020-08-20 Thread Greg Kroah-Hartman
From: Dan Carpenter [ Upstream commit 2505a210fc126599013aec2be741df20aaacc490 ] If fw_csr_string() returns -ENOENT, then "name" is uninitialized. So then the "strlen(model_names[i]) <= name_len" is true because strlen() is unsigned and -ENOENT is type promoted to a very high positive value. Th

[PATCH 4.9 122/212] xfs: fix reflink quota reservation accounting error

2020-08-20 Thread Greg Kroah-Hartman
From: Darrick J. Wong [ Upstream commit 83895227aba1ade33e81f586aa7b6b1e143096a5 ] Quota reservations are supposed to account for the blocks that might be allocated due to a bmap btree split. Reflink doesn't do this, so fix this to make the quota accounting more accurate before we start rearran

[PATCH 4.9 121/212] media: exynos4-is: Add missed check for pinctrl_lookup_state()

2020-08-20 Thread Greg Kroah-Hartman
From: Chuhong Yuan [ Upstream commit 18ffec750578f7447c288647d7282c7d12b1d969 ] fimc_md_get_pinctrl() misses a check for pinctrl_lookup_state(). Add the missed check to fix it. Fixes: 4163851f7b99 ("[media] s5p-fimc: Use pinctrl API for camera ports configuration]") Signed-off-by: Chuhong Yuan

[PATCH 4.9 118/212] scsi: powertec: Fix different dev_id between request_irq() and free_irq()

2020-08-20 Thread Greg Kroah-Hartman
From: Christophe JAILLET [ Upstream commit d179f7c763241c1dc5077fca88ddc3c47d21b763 ] The dev_id used in request_irq() and free_irq() should match. Use 'info' in both cases. Link: https://lore.kernel.org/r/20200626035948.944148-1-christophe.jail...@wanadoo.fr Fixes: 1da177e4c3f4 ("Linux-2.6.12

[PATCH 4.9 106/212] ACPICA: Do not increment operation_region reference counts for field units

2020-08-20 Thread Greg Kroah-Hartman
From: Erik Kaneda [ Upstream commit 6a54ebae6d047c988a31f5ac5a64ab5cf83797a2 ] ACPICA commit e17b28cfcc31918d0db9547b6b274b09c413eb70 Object reference counts are used as a part of ACPICA's garbage collection mechanism. This mechanism keeps track of references to heap-allocated structures such a

Re: [PATCH 8/8] KVM: nSVM: read only changed fields of the nested guest data area

2020-08-20 Thread Paolo Bonzini
On 20/08/20 11:13, Maxim Levitsky wrote: > + u32 clean = nested_vmcb->control.clean; > + > + if (svm->nested.vmcb_gpa != vmcb_gpa) { > + svm->nested.vmcb_gpa = vmcb_gpa; > + clean = 0; > + } You probably should set clean to 0 also if the guest doesn't have the V
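Review bot: in the `if (svm->nested.vmcb_gpa != vmcb_gpa)` branch, a changed GPA is the only condition visible here that forces `clean = 0`, while the starting value is read from `nested_vmcb->control.clean`, a field written by the L1 guest. Because the series title says only changed fields are re-read, a comment above this branch listing every case in which the cached copy must be treated as stale would make the trust placed in the guest-supplied clean bits reviewable, and each such case should reset `clean` in the same place.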

[PATCH 4.9 140/212] s390/qeth: dont process empty bridge port events

2020-08-20 Thread Greg Kroah-Hartman
From: Julian Wiedmann [ Upstream commit 02472e28b9a45471c6d8729ff2c7422baa9be46a ] Discard events that don't contain any entries. This shouldn't happen, but subsequent code relies on being able to use entry 0. So better be safe than accessing garbage. Fixes: b4d72c08b358 ("qeth: bridgeport supp

[PATCH 4.9 202/212] Input: sentelic - fix error return when fsp_reg_write fails

2020-08-20 Thread Greg Kroah-Hartman
From: Colin Ian King [ Upstream commit ea38f06e0291986eb93beb6d61fd413607a30ca4 ] Currently when the call to fsp_reg_write fails -EIO is not being returned because the count is being returned instead of the return value in retval. Fix this by returning the value in retval instead of count. Addr

[PATCH 4.14 002/228] net/mlx5e: Dont support phys switch id if not in switchdev mode

2020-08-20 Thread Greg Kroah-Hartman
From: Roi Dayan Support for phys switch id ndo added for representors and if we do not have representors there is no need to support it. Since each port return different switch id supporting this block support for creating bond over PFs and attaching to bridge in legacy mode. This bug doesn't

[PATCH 4.14 005/228] usb: xhci: Fix ASMedia ASM1142 DMA addressing

2020-08-20 Thread Greg Kroah-Hartman
From: Forest Crossman commit ec37198acca7b4c17b96247697406e47aafe0605 upstream. I've confirmed that the ASMedia ASM1142 has the same problem as the ASM2142/ASM3142, in that it too reports that it supports 64-bit DMA addresses when in fact it does not. As with the ASM2142/ASM3142, this can cause

[PATCH 4.14 045/228] cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()

2020-08-20 Thread Greg Kroah-Hartman
From: Yang Yingliang Add skcd->no_refcnt check which is missed when backporting ad0f75e5f57c ("cgroup: fix cgroup_sk_alloc() for sk_clone_lock()"). This patch is needed in stable-4.9, stable-4.14 and stable-4.19. Signed-off-by: Yang Yingliang Signed-off-by: Sasha Levin --- kernel/cgroup/cgro

[PATCH 4.14 015/228] leds: wm831x-status: fix use-after-free on unbind

2020-08-20 Thread Greg Kroah-Hartman
From: Johan Hovold commit 47a459ecc800a17109d0c496a4e21e478806ee40 upstream. Several MFD child drivers register their class devices directly under the parent device. This means you cannot blindly do devres conversions so that deregistration ends up being tied to the parent device, something whic

[PATCH 4.14 050/228] EDAC: Fix reference count leaks

2020-08-20 Thread Greg Kroah-Hartman
From: Qiushi Wu [ Upstream commit 17ed808ad243192fb923e4e653c1338d3ba06207 ] When kobject_init_and_add() returns an error, it should be handled because kobject_init_and_add() takes a reference even when it fails. If this function returns an error, kobject_put() must be called to properly clean u

[PATCH 4.14 067/228] drm/nouveau: fix multiple instances of reference count leaks

2020-08-20 Thread Greg Kroah-Hartman
From: Aditya Pakki [ Upstream commit 659fb5f154c3434c90a34586f3b7aa1c39cf6062 ] On calling pm_runtime_get_sync() the reference count of the device is incremented. In case of failure, decrement the ref count before returning the error. Signed-off-by: Aditya Pakki Signed-off-by: Ben Skeggs Sign

[PATCH 4.14 051/228] arm64: dts: qcom: msm8916: Replace invalid bias-pull-none property

2020-08-20 Thread Greg Kroah-Hartman
From: Stephan Gerhold [ Upstream commit 1b6a1a162defe649c5599d661b58ac64bb6f31b6 ] msm8916-pins.dtsi specifies "bias-pull-none" for most of the audio pin configurations. This was likely copied from the qcom kernel fork where the same property was used for these audio pins. However, "bias-pull-n

[PATCH 4.14 062/228] fs/btrfs: Add cond_resched() for try_release_extent_mapping() stalls

2020-08-20 Thread Greg Kroah-Hartman
From: Paul E. McKenney [ Upstream commit 9f47eb5461aaeb6cb8696f9d11503ae90e4d5cb0 ] Very large I/Os can cause the following RCU CPU stall warning: RIP: 0010:rb_prev+0x8/0x50 Code: 49 89 c0 49 89 d1 48 89 c2 48 89 f8 e9 e5 fd ff ff 4c 89 48 10 c3 4c = 89 06 c3 4c 89 40 10 c3 0f 1f 00 48 8b 0f 48

[PATCH 4.14 024/228] cfg80211: check vendor command doit pointer before use

2020-08-20 Thread Greg Kroah-Hartman
From: Julian Squires [ Upstream commit 4052d3d2e8f47a15053320bbcbe365d15610437d ] In the case where a vendor command does not implement doit, and has no flags set, doit would not be validated and a NULL pointer dereference would occur, for example when invoking the vendor command via iw. I enco

[PATCH 4.14 027/228] tools lib traceevent: Fix memory leak in process_dynamic_array_len

2020-08-20 Thread Greg Kroah-Hartman
From: Philippe Duplessis-Guindon [ Upstream commit e24c6447ccb7b1a01f9bf0aec94939e6450c0b4d ] I compiled with AddressSanitizer and I had these memory leaks while I was using the tep_parse_format function: Direct leak of 28 byte(s) in 4 object(s) allocated from: #0 0x7fb07db49ffe in

[PATCH 4.14 028/228] Drivers: hv: vmbus: Ignore CHANNELMSG_TL_CONNECT_RESULT(23)

2020-08-20 Thread Greg Kroah-Hartman
From: Dexuan Cui [ Upstream commit ddc9d357b991838c2d975e8d7e4e9db26f37a7ff ] When a Linux hv_sock app tries to connect to a Service GUID on which no host app is listening, a recent host (RS3+) sends a CHANNELMSG_TL_CONNECT_RESULT (23) message to Linux and this triggers such a warning: unknown

[PATCH 4.14 068/228] drm/debugfs: fix plain echo to connector "force" attribute

2020-08-20 Thread Greg Kroah-Hartman
From: Michael Tretter [ Upstream commit c704b17071c4dc571dca3af4e4151dac51de081a ] Using plain echo to set the "force" connector attribute fails with -EINVAL, because echo appends a newline to the output. Replace strcmp with sysfs_streq to also accept strings that end with a newline. v2: use s

[PATCH 4.14 071/228] brcmfmac: To fix Bss Info flag definition Bug

2020-08-20 Thread Greg Kroah-Hartman
From: Prasanna Kerekoppa [ Upstream commit fa3266541b13f390eb35bdbc38ff4a03368be004 ] Bss info flag definition needs to be fixed from 0x2 to 0x4. This flag is for rssi info received on channel. All Firmware branches defined as 0x4 and this is bug in brcmfmac. Signed-off-by: Prasanna Kerekoppa Si

[PATCH 4.14 054/228] m68k: mac: Fix IOP status/control register writes

2020-08-20 Thread Greg Kroah-Hartman
From: Finn Thain [ Upstream commit 931fc82a6aaf4e2e4a5490addaa6a090d78c24a7 ] When writing values to the IOP status/control register make sure those values do not have any extraneous bits that will clear interrupt flags. To place the SCC IOP into bypass mode would be desirable but this is not a

[PATCH 4.14 069/228] irqchip/irq-mtk-sysirq: Replace spinlock with raw_spinlock

2020-08-20 Thread Greg Kroah-Hartman
From: Bartosz Golaszewski [ Upstream commit 6eeb997ab5075e770a002c51351fa4ec2c6b5c39 ] This driver may take a regular spinlock when a raw spinlock (irq_desc->lock) is already taken which results in the following lockdep splat: = [ BUG: Invalid wait context ] 5.7.0-rc

[PATCH 4.14 073/228] iwlegacy: Check the return value of pcie_capability_read_*()

2020-08-20 Thread Greg Kroah-Hartman
From: Bolarinwa Olayemi Saheed [ Upstream commit 9018fd7f2a73e9b290f48a56b421558fa31e8b75 ] On failure pcie_capability_read_dword() sets its last parameter, val to 0. However, with Patch 14/14, it is possible that val is set to ~0 on failure. This would introduce a bug because (x & x) == (~0 &

[PATCH 4.14 074/228] gpu: host1x: debug: Fix multiple channels emitting messages simultaneously

2020-08-20 Thread Greg Kroah-Hartman
From: Dmitry Osipenko [ Upstream commit 35681862808472a0a4b9a8817ae2789c0b5b3edc ] Once channel's job is hung, it dumps the channel's state into KMSG before tearing down the offending job. If multiple channels hang at once, then they dump messages simultaneously, making the debug info unreadable

[PATCH 4.14 075/228] usb: gadget: net2280: fix memory leak on probe error handling paths

2020-08-20 Thread Greg Kroah-Hartman
From: Evgeny Novikov [ Upstream commit 2468c877da428ebfd701142c4cdfefcfb7d4c00e ] Driver does not release memory for device on error handling paths in net2280_probe() when gadget_release() is not registered yet. The patch fixes the bug like in other similar drivers. Found by Linux Driver Verif

[PATCH 4.14 079/228] bcache: fix super block seq numbers comparision in register_cache_set()

2020-08-20 Thread Greg Kroah-Hartman
From: Coly Li [ Upstream commit 117f636ea695270fe492d0c0c9dfadc7a662af47 ] In register_cache_set(), c is pointer to struct cache_set, and ca is pointer to struct cache, if ca->sb.seq > c->sb.seq, it means this registering cache has up to date version and other members, the in- memory version and

[PATCH 4.14 059/228] ARM: socfpga: PM: add missing put_device() call in socfpga_setup_ocram_self_refresh()

2020-08-20 Thread Greg Kroah-Hartman
From: Yu Kuai [ Upstream commit 3ad7b4e8f89d6bcc9887ca701cf2745a6aedb1a0 ] If of_find_device_by_node() succeeds, socfpga_setup_ocram_self_refresh doesn't have a corresponding put_device(). Thus add a jump target to fix the exception handling for this function implementation. Fixes: 44fd8c7d4005

[PATCH 4.14 061/228] Bluetooth: add a mutex lock to avoid UAF in do_enale_set

2020-08-20 Thread Greg Kroah-Hartman
From: Lihong Kou [ Upstream commit f9c70bdc279b191da8d60777c627702c06e4a37d ] In the case we set or free the global value listen_chan in different threads, we can encounter the UAF problems because the method is not protected by any lock, add one to avoid this bug. BUG: KASAN: use-after-free in

[PATCH 4.14 081/228] agp/intel: Fix a memory leak on module initialisation failure

2020-08-20 Thread Greg Kroah-Hartman
From: Qiushi Wu [ Upstream commit b975abbd382fe442713a4c233549abb90e57c22b ] In intel_gtt_setup_scratch_page(), pointer "page" is not released if pci_dma_mapping_error() return an error, leading to a memory leak on module initialisation failure. Simply fix this issue by freeing "page" before re

[PATCH 4.14 087/228] leds: lm355x: avoid enum conversion warning

2020-08-20 Thread Greg Kroah-Hartman
From: Arnd Bergmann [ Upstream commit 985b1f596f9ed56f42b8c2280005f943e1434c06 ] clang points out that doing arithmetic between different enums is usually a mistake: drivers/leds/leds-lm355x.c:167:28: warning: bitwise operation between different enumeration types ('enum lm355x_tx2' and 'enum lm3

[PATCH 4.14 104/228] scsi: scsi_debug: Add check for sdebug_max_queue during module init

2020-08-20 Thread Greg Kroah-Hartman
From: John Garry [ Upstream commit c87bf24cfb60bce27b4d2c7e56ebfd86fb9d16bb ] sdebug_max_queue should not exceed SDEBUG_CANQUEUE, otherwise crashes like this can be triggered by passing an out-of-range value: Hardware name: Huawei D06 /D06, BIOS Hisilicon D06 UEFI RC0 - V1.16.01 03/15/2019 ps

[PATCH 4.14 095/228] scsi: eesox: Fix different dev_id between request_irq() and free_irq()

2020-08-20 Thread Greg Kroah-Hartman
From: Christophe JAILLET [ Upstream commit 86f2da1112ccf744ad9068b1d5d9843faf8ddee6 ] The dev_id used in request_irq() and free_irq() should match. Use 'info' in both cases. Link: https://lore.kernel.org/r/20200626040553.944352-1-christophe.jail...@wanadoo.fr Fixes: 1da177e4c3f4 ("Linux-2.6.12

[PATCH 4.14 102/228] drm: panel: simple: Fix bpc for LG LB070WV8 panel

2020-08-20 Thread Greg Kroah-Hartman
From: Laurent Pinchart [ Upstream commit a6ae2fe5c9f9fd355a48fb7d21c863e5b20d6c9c ] The LG LB070WV8 panel incorrectly reports a 16 bits per component value, while the panel uses 8 bits per component. Fix it. Fixes: dd0150026901 ("drm/panel: simple: Add support for LG LB070WV8 800x480 7" panel"

[PATCH 4.14 101/228] leds: core: Flush scheduled work for system suspend

2020-08-20 Thread Greg Kroah-Hartman
From: Kai-Heng Feng [ Upstream commit 302a085c20194bfa7df52e0fe684ee0c41da02e6 ] Sometimes LED won't be turned off by LED_CORE_SUSPENDRESUME flag upon system suspend. led_set_brightness_nopm() uses schedule_work() to set LED brightness. However, there's no guarantee that the scheduled work gets

[PATCH 4.14 099/228] xfs: fix reflink quota reservation accounting error

2020-08-20 Thread Greg Kroah-Hartman
From: Darrick J. Wong [ Upstream commit 83895227aba1ade33e81f586aa7b6b1e143096a5 ] Quota reservations are supposed to account for the blocks that might be allocated due to a bmap btree split. Reflink doesn't do this, so fix this to make the quota accounting more accurate before we start rearran

[PATCH 4.14 052/228] arm64: dts: exynos: Fix silent hang after boot on Espresso

2020-08-20 Thread Greg Kroah-Hartman
From: Alim Akhtar [ Upstream commit b072714bfc0e42c984b8fd6e069f3ca17de8137a ] Once regulators are disabled after kernel boot, on Espresso board silent hang observed because of LDO7 being disabled. LDO7 actually provide power to CPU cores and non-cpu blocks circuitries. Keep this regulator alw

[PATCH 4.14 086/228] drm/arm: fix unintentional integer overflow on left shift

2020-08-20 Thread Greg Kroah-Hartman
From: Colin Ian King [ Upstream commit 5f368ddea6fec519bdb93b5368f6a844b6ea27a6 ] Shifting the integer value 1 is evaluated using 32-bit arithmetic and then used in an expression that expects a long value leads to a potential integer overflow. Fix this by using the BIT macro to perform the shift

[PATCH 4.14 091/228] drm/mipi: use dcs write for mipi_dsi_dcs_set_tear_scanline

2020-08-20 Thread Greg Kroah-Hartman
From: Emil Velikov [ Upstream commit 7a05c3b6d24b8460b3cec436cf1d33fac43c8450 ] The helper uses the MIPI_DCS_SET_TEAR_SCANLINE, although it's currently using the generic write. This does not look right. Perhaps some platforms don't distinguish between the two writers? Cc: Robert Chiras Cc: Vi

[PATCH 4.14 085/228] iio: improve IIO_CONCENTRATION channel type description

2020-08-20 Thread Greg Kroah-Hartman
From: Tomasz Duszynski [ Upstream commit df16c33a4028159d1ba8a7061c9fa950b58d1a61 ] IIO_CONCENTRATION together with INFO_RAW specifier is used for reporting raw concentrations of pollutants. Raw value should be meaningless before being properly scaled. Because of that description shouldn't menti

[PATCH 4.14 128/228] liquidio: Fix wrong return value in cn23xx_get_pf_num()

2020-08-20 Thread Greg Kroah-Hartman
From: Tianjia Zhang [ Upstream commit aa027850a292ea65524b8fab83eb91a124ad362c ] On an error exit path, a negative error code should be returned instead of a positive return value. Fixes: 0c45d7fe12c7e ("liquidio: fix use of pf in pass-through mode in a virtual machine") Cc: Rick Farrington S

[PATCH 4.14 093/228] drm/radeon: fix array out-of-bounds read and write issues

2020-08-20 Thread Greg Kroah-Hartman
From: Colin Ian King [ Upstream commit 7ee78aff9de13d5dccba133f4a0de5367194b243 ] There is an off-by-one bounds check on the index into arrays table->mc_reg_address and table->mc_reg_table_entry[k].mc_data[j] that can lead to reads and writes outside of arrays. Fix the bound checking off-by-one

[PATCH 4.14 116/228] net: dsa: mv88e6xxx: MV88E6097 does not support jumbo configuration

2020-08-20 Thread Greg Kroah-Hartman
From: Chris Packham [ Upstream commit 0f3c66a3c7b4e8b9f654b3c998e9674376a51b0f ] The MV88E6097 chip does not support configuring jumbo frames. Prior to commit 5f430d65 only the 6352, 6351, 6165 and 6320 chips configured jumbo mode. The refactor accidentally added the function for the 6097. R

[PATCH 4.14 088/228] media: omap3isp: Add missed v4l2_ctrl_handler_free() for preview_init_entities()

2020-08-20 Thread Greg Kroah-Hartman
From: Chuhong Yuan [ Upstream commit dc7690a73017e1236202022e26a6aa133f239c8c ] preview_init_entities() does not call v4l2_ctrl_handler_free() when it fails. Add the missed function to fix it. Fixes: de1135d44f4f ("[media] omap3isp: CCDC, preview engine and resizer") Signed-off-by: Chuhong Yuan

[PATCH 4.14 103/228] drm/bridge: sil_sii8620: initialize return of sii8620_readb

2020-08-20 Thread Greg Kroah-Hartman
From: Tom Rix [ Upstream commit 02cd2d3144653e6e2a0c7ccaa73311e48e2dc686 ] clang static analysis flags this error sil-sii8620.c:184:2: warning: Undefined or garbage value returned to caller [core.uninitialized.UndefReturn] return ret; ^~ sii8620_readb calls sii8620_re

[PATCH 4.14 105/228] mwifiex: Prevent memory corruption handling keys

2020-08-20 Thread Greg Kroah-Hartman
From: Dan Carpenter [ Upstream commit e18696786548244914f36ec3c46ac99c53df99c3 ] The length of the key comes from the network and it's a 16 bit number. It needs to be capped to prevent a buffer overflow. Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") Sign

[PATCH 4.14 131/228] fsl/fman: fix dereference null return value

2020-08-20 Thread Greg Kroah-Hartman
From: Florinel Iordache [ Upstream commit 0572054617f32670abab4b4e89a876954d54b704 ] Check before using returned value to avoid dereferencing null pointer. Fixes: 18a6c85fcc78 ("fsl/fman: Add FMan Port Support") Signed-off-by: Florinel Iordache Signed-off-by: David S. Miller Signed-off-by: Sa

[PATCH 4.14 134/228] fsl/fman: fix eth hash table allocation

2020-08-20 Thread Greg Kroah-Hartman
From: Florinel Iordache [ Upstream commit 3207f715c34317d08e798e11a10ce816feb53c0f ] Fix memory allocation for ethernet address hash table. The code was wrongly allocating an array for eth hash table which is incorrect because this is the main structure for eth hash table (struct eth_hash_t) tha

[PATCH 4.14 135/228] dlm: Fix kobject memleak

2020-08-20 Thread Greg Kroah-Hartman
From: Wang Hai [ Upstream commit 0ffddafc3a3970ef7013696e7f36b3d378bc4c16 ] Currently the error return path from kobject_init_and_add() is not followed by a call to kobject_put() - which means we are leaking the kobject. Set do_unreg = 1 before kobject_init_and_add() to ensure that kobject_put(

[PATCH 4.14 140/228] drivers/net/wan/lapbether: Added needed_headroom and a skb->len check

2020-08-20 Thread Greg Kroah-Hartman
From: Xie He [ Upstream commit c7ca03c216acb14466a713fedf1b9f2c24994ef2 ] 1. Added a skb->len check This driver expects upper layers to include a pseudo header of 1 byte when passing down a skb for transmission. This driver will read this 1-byte header. This patch added a skb->len check before

[PATCH 4.14 145/228] USB: serial: cp210x: enable usb generic throttle/unthrottle

2020-08-20 Thread Greg Kroah-Hartman
From: Brant Merryman commit 4387b3dbb079d482d3c2b43a703ceed4dd27ed28 upstream. Assign the .throttle and .unthrottle functions to be generic function in the driver structure to prevent data loss that can otherwise occur if the host does not enable USB throttling. Signed-off-by: Brant Merryman C

[PATCH 4.14 138/228] crypto: aesni - add compatibility with IAS

2020-08-20 Thread Greg Kroah-Hartman
From: Jian Cai [ Upstream commit 44069737ac9625a0f02f0f7f5ab96aae4cd819bc ] Clang's integrated assembler complains "invalid reassignment of non-absolute variable 'var_ddq_add'" while assembling arch/x86/crypto/aes_ctrby8_avx-x86_64.S. It was because var_ddq_add was reassigned with non-absolute v

[PATCH 4.14 146/228] ALSA: usb-audio: Creative USB X-Fi Pro SB1095 volume knob support

2020-08-20 Thread Greg Kroah-Hartman
From: Mirko Dietrich commit fec9008828cde0076aae595ac031bfcf49d335a4 upstream. Adds an entry for Creative USB X-Fi to the rc_config array in mixer_quirks.c to allow use of volume knob on the device. Adds support for newer X-Fi Pro card, known as "Model No. SB1095" with USB ID "041e:3263" Signed

[PATCH 4.14 122/228] PCI: Release IVRS table in AMD ACS quirk

2020-08-20 Thread Greg Kroah-Hartman
From: Hanjun Guo [ Upstream commit 090688fa4e448284aaa16136372397d7d10814db ] The acpi_get_table() should be coupled with acpi_put_table() if the mapped table is not used at runtime to release the table mapping. In pci_quirk_amd_sb_acs(), IVRS table is just used for checking AMD IOMMU is suppor

[PATCH 4.14 139/228] af_packet: TPACKET_V3: fix fill status rwlock imbalance

2020-08-20 Thread Greg Kroah-Hartman
From: John Ogness [ Upstream commit 88fd1cb80daa20af063bce81e1fad14e945a8dc4 ] After @blk_fill_in_prog_lock is acquired there is an early out vnet situation that can occur. In that case, the rwlock needs to be released. Also, since @blk_fill_in_prog_lock is only acquired when @tp_version is exa

[PATCH 4.14 144/228] USB: serial: cp210x: re-enable auto-RTS on open

2020-08-20 Thread Greg Kroah-Hartman
From: Brant Merryman commit c7614ff9b73a1e6fb2b1b51396da132ed22fecdb upstream. CP210x hardware disables auto-RTS but leaves auto-CTS when in hardware flow control mode and UART on cp210x hardware is disabled. When re-opening the port, if auto-CTS is enabled on the cp210x, then auto-RTS must be r

[PATCH 4.14 125/228] wl1251: fix always return 0 error

2020-08-20 Thread Greg Kroah-Hartman
From: Wang Hai [ Upstream commit 20e6421344b5bc2f97b8e2db47b6994368417904 ] wl1251_event_ps_report() should not always return 0 because wl1251_ps_set_mode() may fail. Change it to return 'ret'. Fixes: f7ad1eed4d4b ("wl1251: retry power save entry") Reported-by: Hulk Robot Signed-off-by: Wang H

[PATCH 4.14 126/228] tools, build: Propagate build failures from tools/build/Makefile.build

2020-08-20 Thread Greg Kroah-Hartman
From: Andrii Nakryiko [ Upstream commit a278f3d8191228212c553a5d4303fa603214b717 ] The '&&' command seems to have a bad effect when $(cmd_$(1)) exits with non-zero effect: the command failure is masked (despite `set -e`) and all but the first command of $(dep-cmd) is executed (successfully, as t

[PATCH 4.14 166/228] net: initialize fastreuse on inet_inherit_port

2020-08-20 Thread Greg Kroah-Hartman
From: Tim Froidcoeur commit d76f3351cea2d927fdf70dd7c06898235035e84e upstream. In the case of TPROXY, bind_conflict optimizations for SO_REUSEADDR or SO_REUSEPORT are broken, possibly resulting in O(n) instead of O(1) bind behaviour or in the incorrect reuse of a bind. the kernel keeps track fo

[PATCH 4.14 164/228] xen/balloon: fix accounting in alloc_xenballooned_pages error path

2020-08-20 Thread Greg Kroah-Hartman
From: Roger Pau Monne commit 1951fa33ec259abdf3497bfee7b63e7ddbb1a394 upstream. target_unpopulated is incremented with nr_pages at the start of the function, but the call to free_xenballooned_pages will only subtract pgno number of pages, and thus the rest need to be subtracted before returning

[PATCH 4.14 169/228] btrfs: dont allocate anonymous block device for user invisible roots

2020-08-20 Thread Greg Kroah-Hartman
From: Qu Wenruo commit 851fd730a743e072badaf67caf39883e32439431 upstream. [BUG] When a lot of subvolumes are created, there is a user report about transaction aborted: BTRFS: Transaction aborted (error -24) WARNING: CPU: 17 PID: 17041 at fs/btrfs/transaction.c:1576 create_pending_snapshot+

[PATCH 4.14 154/228] fs/minix: dont allow getting deleted inodes

2020-08-20 Thread Greg Kroah-Hartman
From: Eric Biggers commit facb03dddec04e4aac1bb2139accdceb04deb1f3 upstream. If an inode has no links, we need to mark it bad rather than allowing it to be accessed. This avoids WARNINGs in inc_nlink() and drop_nlink() when doing directory operations on a fuzzed filesystem. Fixes: 1da177e4c3f4

[PATCH 4.14 162/228] ARM: 8992/1: Fix unwind_frame for clang-built kernels

2020-08-20 Thread Greg Kroah-Hartman
From: Nathan Huckleberry commit b4d5ec9b39f8b31d98f65bc5577b5d15d93795d7 upstream. Since clang does not push pc and sp in function prologues, the current implementation of unwind_frame does not work. By using the previous frame's lr/fp instead of saved pc/sp we get valid unwinds on clang-built k

[PATCH 4.14 183/228] ext2: fix missing percpu_counter_inc

2020-08-20 Thread Greg Kroah-Hartman
From: Mikulas Patocka commit bc2fbaa4d3808aef82dd1064a8e61c16549fe956 upstream. sbi->s_freeinodes_counter is only decreased by the ext2 code, it is never increased. This patch fixes it. Note that sbi->s_freeinodes_counter is only used in the algorithm that tries to find the group for new alloca
