[PATCH 4.4 074/149] dyndbg: fix a BUG_ON in ddebug_describe_flags

2020-08-20 Thread Greg Kroah-Hartman
From: Jim Cromie [ Upstream commit f678ce8cc3cb2ad29df75d8824c74f36398ba871 ] ddebug_describe_flags() currently fills a caller provided string buffer, after testing its size (also passed) in a BUG_ON. Fix this by replacing them with a known-big-enough string buffer wrapped in a struct, and pass

[PATCH 4.4 113/149] fs/minix: reject too-large maximum file size

2020-08-20 Thread Greg Kroah-Hartman
From: Eric Biggers commit 270ef41094e9fa95273f288d7d785313ceab2ff3 upstream. If the minix filesystem tries to map a very large logical block number to its on-disk location, block_to_path() can return offsets that are too large, causing out-of-bounds memory accesses when accessing indirect index

[PATCH 4.4 096/149] Smack: fix another vsscanf out of bounds

2020-08-20 Thread Greg Kroah-Hartman
From: Dan Carpenter [ Upstream commit a6bd4f6d9b07452b0b19842044a6c3ea384b0b88 ] This is similar to commit 84e99e58e8d1 ("Smack: slab-out-of-bounds in vsscanf") where we added a bounds check on "rule". Reported-by: syzbot+a22c6092d003d6fe1...@syzkaller.appspotmail.com Fixes: f7112e6c9abf ("Smac

[PATCH 4.4 097/149] Smack: prevent underflow in smk_set_cipso()

2020-08-20 Thread Greg Kroah-Hartman
From: Dan Carpenter [ Upstream commit 42a2df3e829f3c5562090391b33714b2e2e5ad4a ] We have an upper bound on "maplevel" but forgot to check for negative values. Fixes: e114e473771c ("Smack: Simplified Mandatory Access Control Kernel") Signed-off-by: Dan Carpenter Signed-off-by: Casey Schaufler

[PATCH 4.4 099/149] s390/qeth: dont process empty bridge port events

2020-08-20 Thread Greg Kroah-Hartman
From: Julian Wiedmann [ Upstream commit 02472e28b9a45471c6d8729ff2c7422baa9be46a ] Discard events that don't contain any entries. This shouldn't happen, but subsequent code relies on being able to use entry 0. So better be safe than accessing garbage. Fixes: b4d72c08b358 ("qeth: bridgeport supp

[PATCH 4.4 098/149] power: supply: check if calc_soc succeeded in pm860x_init_battery

2020-08-20 Thread Greg Kroah-Hartman
From: Tom Rix [ Upstream commit ccf193dee1f0fff55b556928591f7818bac1b3b1 ] clang static analysis flags this error 88pm860x_battery.c:522:19: warning: Assigned value is garbage or undefined [core.uninitialized.Assign] info->start_soc = soc; ^ ~~~

[PATCH 4.4 071/149] iwlegacy: Check the return value of pcie_capability_read_*()

2020-08-20 Thread Greg Kroah-Hartman
From: Bolarinwa Olayemi Saheed [ Upstream commit 9018fd7f2a73e9b290f48a56b421558fa31e8b75 ] On failure pcie_capability_read_dword() sets its last parameter, val to 0. However, with Patch 14/14, it is possible that val is set to ~0 on failure. This would introduce a bug because (x & x) == (~0 &

[PATCH] selinux: fix memdup.cocci warnings

2020-08-20 Thread Julia Lawall
From: kernel test robot Use kmemdup rather than duplicating its implementation Generated by: scripts/coccinelle/api/memdup.cocci Fixes: c7c556f1e81b ("selinux: refactor changing booleans") CC: Stephen Smalley Signed-off-by: kernel test robot Signed-off-by: Julia Lawall --- tree: https://

Re: [PATCH 1/2] i2c: i2c-qcom-geni: Add tx_dma, rx_dma and xfer_len to geni_i2c_dev struct

2020-08-20 Thread rojay
Hi Stephen, Thanks for reviewing the patches. On 2020-08-19 09:09, Stephen Boyd wrote: Quoting Roja Rani Yarubandi (2020-08-14 02:55:39) Adding tx_dma, rx_dma and xfer length in geni_i2c_dev struct to store DMA mapping data to enhance its scope. For example during shutdown callback to unmap DM

[PATCH 4.4 090/149] drm: panel: simple: Fix bpc for LG LB070WV8 panel

2020-08-20 Thread Greg Kroah-Hartman
From: Laurent Pinchart [ Upstream commit a6ae2fe5c9f9fd355a48fb7d21c863e5b20d6c9c ] The LG LB070WV8 panel incorrectly reports a 16 bits per component value, while the panel uses 8 bits per component. Fix it. Fixes: dd0150026901 ("drm/panel: simple: Add support for LG LB070WV8 800x480 7" panel"

[PATCH 4.4 095/149] scsi: mesh: Fix panic after host or bus reset

2020-08-20 Thread Greg Kroah-Hartman
From: Finn Thain [ Upstream commit edd7dd2292ab9c3628b65c4d04514c3068ad54f6 ] Booting Linux with a Conner CP3200 drive attached to the MESH SCSI bus results in EH measures and a panic: [ 25.499838] mesh: configured for synchronous 5 MB/s [ 25.787154] mesh: performing initial bus reset... [

[PATCH 4.4 079/149] console: newport_con: fix an issue about leak related system resources

2020-08-20 Thread Greg Kroah-Hartman
From: Dejin Zheng [ Upstream commit fd4b8243877250c05bb24af7fea5567110c9720b ] A call of the function do_take_over_console() can fail here. The corresponding system resources were not released then. Thus add a call of iounmap() and release_mem_region() together with the check of a failure predic

[PATCH 4.4 070/149] brcmfmac: To fix Bss Info flag definition Bug

2020-08-20 Thread Greg Kroah-Hartman
From: Prasanna Kerekoppa [ Upstream commit fa3266541b13f390eb35bdbc38ff4a03368be004 ] Bss info flag definition need to be fixed from 0x2 to 0x4 This flag is for rssi info received on channel. All Firmware branches defined as 0x4 and this is bug in brcmfmac. Signed-off-by: Prasanna Kerekoppa Si

[PATCH 4.4 084/149] cxl: Fix kobject memleak

2020-08-20 Thread Greg Kroah-Hartman
From: Wang Hai [ Upstream commit 85c5cbeba8f4fb28e6b9bfb3e467718385f78f76 ] Currently the error return path from kobject_init_and_add() is not followed by a call to kobject_put() - which means we are leaking the kobject. Fix it by adding a call to kobject_put() in the error path of kobject_init

[PATCH 4.4 082/149] media: omap3isp: Add missed v4l2_ctrl_handler_free() for preview_init_entities()

2020-08-20 Thread Greg Kroah-Hartman
From: Chuhong Yuan [ Upstream commit dc7690a73017e1236202022e26a6aa133f239c8c ] preview_init_entities() does not call v4l2_ctrl_handler_free() when it fails. Add the missed function to fix it. Fixes: de1135d44f4f ("[media] omap3isp: CCDC, preview engine and resizer") Signed-off-by: Chuhong Yuan

Re: [patch 0/2] timekeeping: NMI safe timekeeper enhancements

2020-08-20 Thread Thomas Gleixner
Petr, On Thu, Aug 20 2020 at 10:47, Petr Mladek wrote: > The interface is perfectly fine for printk() needs. Good. So I suggest that I apply that on top of rc1 somewhere in tip and tag the top commit. So you can pull that tag into your printk branch and go wild. Thanks, tglx

[PATCH 4.4 086/149] scsi: powertec: Fix different dev_id between request_irq() and free_irq()

2020-08-20 Thread Greg Kroah-Hartman
From: Christophe JAILLET [ Upstream commit d179f7c763241c1dc5077fca88ddc3c47d21b763 ] The dev_id used in request_irq() and free_irq() should match. Use 'info' in both cases. Link: https://lore.kernel.org/r/20200626035948.944148-1-christophe.jail...@wanadoo.fr Fixes: 1da177e4c3f4 ("Linux-2.6.12

[PATCH 4.4 088/149] media: firewire: Using uninitialized values in node_probe()

2020-08-20 Thread Greg Kroah-Hartman
From: Dan Carpenter [ Upstream commit 2505a210fc126599013aec2be741df20aaacc490 ] If fw_csr_string() returns -ENOENT, then "name" is uninitialized. So then the "strlen(model_names[i]) <= name_len" is true because strlen() is unsigned and -ENOENT is type promoted to a very high positive value. Th

RE: [PATCH] fs: NTFS read-write driver GPL implementation by Paragon Software.

2020-08-20 Thread Konstantin Komarov
From: Aurélien Aptel Sent: Friday, August 14, 2020 5:09 PM > > Hi Konstantin, > > That's cool :) As Nikolay said it needs a little change to the makefiles > to even build. > > Are you also going to publish your own mkfs.ntfs3 tool? I don't think the > existing one would support 64k clusters. Hi

[PATCH 4.4 080/149] iio: improve IIO_CONCENTRATION channel type description

2020-08-20 Thread Greg Kroah-Hartman
From: Tomasz Duszynski [ Upstream commit df16c33a4028159d1ba8a7061c9fa950b58d1a61 ] IIO_CONCENTRATION together with INFO_RAW specifier is used for reporting raw concentrations of pollutants. Raw value should be meaningless before being properly scaled. Because of that description shouldn't menti

Re: [PATCH 2/2] i2c: i2c-qcom-geni: Add shutdown callback for i2c

2020-08-20 Thread rojay
On 2020-08-19 09:13, Stephen Boyd wrote: Quoting Roja Rani Yarubandi (2020-08-14 02:55:40) If the hardware is still accessing memory after SMMU translation is disabled(as part of smmu shutdown callback), then the Put a space before ( Ok. IOVAs(I/O virtual address) which it was using will

[PATCH 4.4 085/149] drm/radeon: fix array out-of-bounds read and write issues

2020-08-20 Thread Greg Kroah-Hartman
From: Colin Ian King [ Upstream commit 7ee78aff9de13d5dccba133f4a0de5367194b243 ] There is an off-by-one bounds check on the index into arrays table->mc_reg_address and table->mc_reg_table_entry[k].mc_data[j] that can lead to reads and writes outside of arrays. Fix the bound checking off-by-one

[PATCH 4.4 044/149] atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent

2020-08-20 Thread Greg Kroah-Hartman
From: Xin Xiong [ Upstream commit 51875dad43b44241b46a569493f1e4bfa0386d86 ] atmtcp_remove_persistent() invokes atm_dev_lookup(), which returns a reference of atm_dev with increased refcount or NULL if fails. The refcount leaks issues occur in two error handling paths. If dev_data->persist is z

[PATCH 4.4 042/149] cfg80211: check vendor command doit pointer before use

2020-08-20 Thread Greg Kroah-Hartman
From: Julian Squires [ Upstream commit 4052d3d2e8f47a15053320bbcbe365d15610437d ] In the case where a vendor command does not implement doit, and has no flags set, doit would not be validated and a NULL pointer dereference would occur, for example when invoking the vendor command via iw. I enco

[PATCH 4.4 043/149] igb: reinit_locked() should be called with rtnl_lock

2020-08-20 Thread Greg Kroah-Hartman
From: Francesco Ruggeri [ Upstream commit 024a8168b749db7a4aa40a5fbdfa04bf7e77c1c0 ] We observed two panics involving races with igb_reset_task. The first panic is caused by this race condition: kworker reboot -f igb_reset_task igb_reinit_locked

[PATCH 4.4 078/149] video: fbdev: sm712fb: fix an issue about iounmap for a wrong address

2020-08-20 Thread Greg Kroah-Hartman
From: Dejin Zheng [ Upstream commit 98bd4f72988646c35569e1e838c0ab80d06c77f6 ] the sfb->fb->screen_base is not save the value get by iounmap() when the chip id is 0x720. so iounmap() for address sfb->fb->screen_base is not right. Fixes: 1461d6672864854 ("staging: sm7xxfb: merge sm712fb with fbd

[PATCH 4.4 069/149] mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls

2020-08-20 Thread Greg Kroah-Hartman
From: Paul E. McKenney [ Upstream commit 0a3b3c253a1eb2c7fe7f34086d46660c909abeb3 ] A large process running on a heavily loaded system can encounter the following RCU CPU stall warning: rcu: INFO: rcu_sched self-detected stall on CPU rcu: 3-: (20998 ticks this GP) idle=4ea/1/0x4000

[PATCH 4.4 067/149] drm/nouveau: fix multiple instances of reference count leaks

2020-08-20 Thread Greg Kroah-Hartman
From: Aditya Pakki [ Upstream commit 659fb5f154c3434c90a34586f3b7aa1c39cf6062 ] On calling pm_runtime_get_sync() the reference count of the device is incremented. In case of failure, decrement the ref count before returning the error. Signed-off-by: Aditya Pakki Signed-off-by: Ben Skeggs Sign

[PATCH 4.4 040/149] net/9p: validate fds in p9_fd_open

2020-08-20 Thread Greg Kroah-Hartman
From: Christoph Hellwig [ Upstream commit a39c46067c845a8a2d7144836e9468b7f072343e ] p9_fd_open just fgets file descriptors passed in from userspace, but doesn't verify that they are valid for read or writing. This gets caught down in the VFS when actually attempting a read or write, but a new

[PATCH 4.4 063/149] Bluetooth: add a mutex lock to avoid UAF in do_enale_set

2020-08-20 Thread Greg Kroah-Hartman
From: Lihong Kou [ Upstream commit f9c70bdc279b191da8d60777c627702c06e4a37d ] In the case we set or free the global value listen_chan in different threads, we can encounter the UAF problems because the method is not protected by any lock, add one to avoid this bug. BUG: KASAN: use-after-free in

[PATCH 4.4 039/149] mtd: properly check all write ioctls for permissions

2020-08-20 Thread Greg Kroah-Hartman
From: Greg Kroah-Hartman commit f7e6b19bc76471ba03725fe58e0c218a3d6266c3 upstream. When doing a "write" ioctl call, properly check that we have permissions to do so before copying anything from userspace or anything else so we can "fail fast". This includes also covering the MEMWRITE ioctl whic

[PATCH 4.4 064/149] fs/btrfs: Add cond_resched() for try_release_extent_mapping() stalls

2020-08-20 Thread Greg Kroah-Hartman
From: Paul E. McKenney [ Upstream commit 9f47eb5461aaeb6cb8696f9d11503ae90e4d5cb0 ] Very large I/Os can cause the following RCU CPU stall warning: RIP: 0010:rb_prev+0x8/0x50 Code: 49 89 c0 49 89 d1 48 89 c2 48 89 f8 e9 e5 fd ff ff 4c 89 48 10 c3 4c = 89 06 c3 4c 89 40 10 c3 0f 1f 00 48 8b 0f 48

[PATCH 4.4 054/149] tracepoint: Mark __tracepoint_strings __used

2020-08-20 Thread Greg Kroah-Hartman
From: Nick Desaulniers commit f3751ad0116fb6881f2c3c957d66a9327f69cefb upstream. __tracepoint_string's have their string data stored in .rodata, and an address to that data stored in the "__tracepoint_str" section. Functions that refer to those strings refer to the symbol of the address. Compile

[PATCH 4.4 066/149] video: fbdev: neofb: fix memory leak in neo_scan_monitor()

2020-08-20 Thread Greg Kroah-Hartman
From: Evgeny Novikov [ Upstream commit edcb3895a751c762a18d25c8d9846ce9759ed7e1 ] neofb_probe() calls neo_scan_monitor() that can successfully allocate a memory for info->monspecs.modedb and proceed to case 0x03. There it does not free the memory and returns -1. neofb_probe() goes to label err_s

Re: [PATCH 2/8] KVM: nSVM: rename nested 'vmcb' to vmcb_gpa in few places

2020-08-20 Thread Paolo Bonzini
On 20/08/20 12:00, Maxim Levitsky wrote: >> Please use vmcb12_gpa, and svm->nested.vmcb12 for the VMCB in patch 6. >> >> (You probably also want to have local variables named vmcb12 in patch 6 >> to avoid too-long lines). > The limit was raised to 100 chars recently, that's why I allowed some lines

[PATCH 4.4 046/149] binder: Prevent context manager from incrementing ref 0

2020-08-20 Thread Greg Kroah-Hartman
From: Jann Horn commit 4b836a1426cb0f1ef2a6e211d7e553221594f8fc upstream. Binder is designed such that a binder_proc never has references to itself. If this rule is violated, memory corruption can occur when a process sends a transaction to itself; see e.g.

[PATCH 4.4 060/149] ARM: at91: pm: add missing put_device() call in at91_pm_sram_init()

2020-08-20 Thread Greg Kroah-Hartman
From: yu kuai [ Upstream commit f87a4f022c44e5b87e842a9f3e644fba87e8385f ] if of_find_device_by_node() succeeds, at91_pm_sram_init() doesn't have a corresponding put_device(). Thus add a jump target to fix the exception handling for this function implementation. Fixes: d2e467905596 ("ARM: at91:

[PATCH 4.4 038/149] vgacon: Fix for missing check in scrollback handling

2020-08-20 Thread Greg Kroah-Hartman
From: Yunhai Zhang commit ebfdfeeae8c01fcb2b3b74ffaf03876e20835d2d upstream. vgacon_scrollback_update() always leaves enough room in the scrollback buffer for the next call, but if the console size changed that room might not actually be enough, and so we need to re-check. The check should be

Re: [PATCH 1/1] mm, oom_adj: don't loop through tasks in __set_oom_adj when not necessary

2020-08-20 Thread Christian Brauner
On Thu, Aug 20, 2020 at 11:09:01AM +0200, Michal Hocko wrote: > On Thu 20-08-20 10:46:54, Christian Brauner wrote: > > On Wed, Aug 19, 2020 at 05:20:53PM -0700, Suren Baghdasaryan wrote: > > > Currently __set_oom_adj loops through all processes in the system to > > > keep oom_score_adj and oom_scor

[PATCH 4.4 057/149] EDAC: Fix reference count leaks

2020-08-20 Thread Greg Kroah-Hartman
From: Qiushi Wu [ Upstream commit 17ed808ad243192fb923e4e653c1338d3ba06207 ] When kobject_init_and_add() returns an error, it should be handled because kobject_init_and_add() takes a reference even when it fails. If this function returns an error, kobject_put() must be called to properly clean u

[PATCH 4.4 062/149] drm/tilcdc: fix leak & null ref in panel_connector_get_modes

2020-08-20 Thread Greg Kroah-Hartman
From: Tomi Valkeinen [ Upstream commit 3f9c1c872cc97875ddc8d63bc9fe6ee13652b933 ] If videomode_from_timings() returns true, the mode allocated with drm_mode_create will be leaked. Also, the return value of drm_mode_create() is never checked, and thus could cause NULL deref. Fix these two issue

[PATCH 4.4 048/149] ipv6: fix memory leaks on IPV6_ADDRFORM path

2020-08-20 Thread Greg Kroah-Hartman
From: Cong Wang [ Upstream commit 8c0de6e96c9794cb523a516c465991a70245da1c ] IPV6_ADDRFORM causes resource leaks when converting an IPv6 socket to IPv4, particularly struct ipv6_ac_socklist. Similar to struct ipv6_mc_socklist, we should just close it on this path. This bug can be easily reprodu

[PATCH 4.4 056/149] gpio: fix oops resulting from calling of_get_named_gpio(NULL, ...)

2020-08-20 Thread Greg Kroah-Hartman
From: Uwe Kleine-König This happens for the spi-imx driver when running a dt-enabled kernel on a non-dt machine on Linux 4.0. Among the still supported stable versions only 4.4 and 4.9 are affected. (However the spi-imx driver doesn't call of_get_named_gpio() since v4.8-rc1 (commit b36581df7e78 (

[PATCH 4.4 061/149] ARM: socfpga: PM: add missing put_device() call in socfpga_setup_ocram_self_refresh()

2020-08-20 Thread Greg Kroah-Hartman
From: Yu Kuai [ Upstream commit 3ad7b4e8f89d6bcc9887ca701cf2745a6aedb1a0 ] if of_find_device_by_node() succeeds, socfpga_setup_ocram_self_refresh doesn't have a corresponding put_device(). Thus add a jump target to fix the exception handling for this function implementation. Fixes: 44fd8c7d4005

[PATCH 4.4 059/149] m68k: mac: Fix IOP status/control register writes

2020-08-20 Thread Greg Kroah-Hartman
From: Finn Thain [ Upstream commit 931fc82a6aaf4e2e4a5490addaa6a090d78c24a7 ] When writing values to the IOP status/control register make sure those values do not have any extraneous bits that will clear interrupt flags. To place the SCC IOP into bypass mode would be desirable but this is not a

[PATCH 4.4 058/149] m68k: mac: Dont send IOP message until channel is idle

2020-08-20 Thread Greg Kroah-Hartman
From: Finn Thain [ Upstream commit aeb445bf2194d83e12e85bf5c65baaf1f093bd8f ] In the following sequence of calls, iop_do_send() gets called when the "send" channel is not in the IOP_MSG_IDLE state: iop_ism_irq() iop_handle_send() (msg->handler)()

Re: [PATCH 8/8] KVM: nSVM: read only changed fields of the nested guest data area

2020-08-20 Thread Paolo Bonzini
On 20/08/20 12:05, Maxim Levitsky wrote: >> You probably should set clean to 0 also if the guest doesn't have the >> VMCBCLEAN feature (so, you first need an extra patch to add the >> VMCBCLEAN feature to cpufeatures.h). It's probably best to cache the >> guest vmcbclean in struct vcpu_svm, too. >

[PATCH 4.4 049/149] Revert "vxlan: fix tos value before xmit"

2020-08-20 Thread Greg Kroah-Hartman
From: Hangbin Liu [ Upstream commit a0dced17ad9dc08b1b25e0065b54c97a318e6e8b ] This reverts commit 71130f29979c7c7956b040673e6b9d5643003176. In commit 71130f29979c ("vxlan: fix tos value before xmit") we want to make sure the tos value are filtered by RT_TOS() based on RFC1349. 0 1

[PATCH 4.4 051/149] usb: hso: check for return value in hso_serial_common_create()

2020-08-20 Thread Greg Kroah-Hartman
From: Rustam Kovhaev [ Upstream commit e911e99a0770f760377c263bc7bac1b1593c6147 ] in case of an error tty_register_device_attr() returns ERR_PTR(), add IS_ERR() check Reported-and-tested-by: syzbot+67b2bd0e34f952d03...@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=67b2

[PATCH 4.4 014/149] rds: Prevent kernel-infoleak in rds_notify_queue_get()

2020-08-20 Thread Greg Kroah-Hartman
From: Peilin Ye commit bbc8a99e952226c585ac17477a85ef1194501762 upstream. rds_notify_queue_get() is potentially copying uninitialized kernel stack memory to userspace since the compiler may leave a 4-byte hole at the end of `cmsg`. In 2016 we tried to fix this issue by doing `= { 0 };` on `cmsg

[PATCH 4.4 023/149] net: ethernet: ravb: exit if re-initialization fails in tx timeout

2020-08-20 Thread Greg Kroah-Hartman
From: Yoshihiro Shimoda [ Upstream commit 015c5d5e6aa3523c758a70eb87b291cece2dbbb4 ] According to the report of [1], this driver is possible to cause the following error in ravb_tx_timeout_work(). ravb e680.ethernet ethernet: failed to switch device to config mode This error means that the

[PATCH 4.4 015/149] net/x25: Fix x25_neigh refcnt leak when x25 disconnect

2020-08-20 Thread Greg Kroah-Hartman
From: Xiyu Yang commit 4becb7ee5b3d2829ed7b9261a245a77d5b7de902 upstream. x25_connect() invokes x25_get_neigh(), which returns a reference of the specified x25_neigh object to "x25->neighbour" with increased refcnt. When x25 connect success and returns, the reference still be hold by "x25->neig

[PATCH 4.4 037/149] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()

2020-08-20 Thread Greg Kroah-Hartman
From: Peilin Ye commit 629b49c848ee71244203934347bd7730b0ddee8d upstream. Check `num_rsp` before using it as for-loop counter. Add `unlock` label. Cc: sta...@vger.kernel.org Signed-off-by: Peilin Ye Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman --- net/bluetooth/hci_even

[PATCH 4.4 053/149] Smack: fix use-after-free in smk_write_relabel_self()

2020-08-20 Thread Greg Kroah-Hartman
From: Eric Biggers commit beb4ee6770a89646659e6a2178538d2b13e2654e upstream. smk_write_relabel_self() frees memory from the task's credentials with no locking, which can easily cause a use-after-free because multiple tasks can share the same credentials structure. Fix this by using prepare_cred

[PATCH 4.4 050/149] net: lan78xx: replace bogus endpoint lookup

2020-08-20 Thread Greg Kroah-Hartman
From: Johan Hovold [ Upstream commit ea060b352654a8de1e070140d25fe1b7e4d50310 ] Drop the bogus endpoint-lookup helper which could end up accepting interfaces based on endpoints belonging to unrelated altsettings. Note that the returned bulk pipes and interrupt endpoint descriptor were never act

[PATCH 4.4 052/149] vxlan: Ensure FDB dump is performed under RCU

2020-08-20 Thread Greg Kroah-Hartman
From: Ido Schimmel [ Upstream commit b5141915b5aec3b29a63db869229e3741ebce258 ] The commit cited below removed the RCU read-side critical section from rtnl_fdb_dump() which means that the ndo_fdb_dump() callback is invoked without RCU protection. This results in the following warning [1] in the

[PATCH 4.4 021/149] mac80211: mesh: Free ie data when leaving mesh

2020-08-20 Thread Greg Kroah-Hartman
From: Remi Pommarel [ Upstream commit 6a01afcf8468d3ca2bd8bbb27503f60dcf643b20 ] At ieee80211_join_mesh() some ie data could have been allocated (see copy_mesh_setup()) and need to be cleaned up when leaving the mesh. This fixes the following kmemleak report: unreferenced object 0x116b

[PATCH V2 0/2] Implement Shutdown callback for i2c

2020-08-20 Thread Roja Rani Yarubandi
Store DMA mapping data in geni_i2c_dev struct. Implement Shutdown callback for geni i2c driver. Changes in V2: - Changed commit text. - As per Stephen's comments added separate function for stop transfer. Roja Rani Yarubandi (2): i2c: i2c-qcom-geni: Store DMA mapping data in geni_i2c_dev stru

[PATCH 4.4 003/149] media: rc: prevent memory leak in cx23888_ir_probe

2020-08-20 Thread Greg Kroah-Hartman
From: Navid Emamdoost [ Upstream commit a7b2df76b42bdd026e3106cf2ba97db41345a177 ] In cx23888_ir_probe if kfifo_alloc fails the allocated memory for state should be released. Signed-off-by: Navid Emamdoost Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Le

[PATCH V2 1/2] i2c: i2c-qcom-geni: Store DMA mapping data in geni_i2c_dev struct

2020-08-20 Thread Roja Rani Yarubandi
Store DMA mapping data in geni_i2c_dev struct to enhance DMA mapping data scope. For example during shutdown callback to unmap DMA mapping, this stored DMA mapping data can be used to call geni_se_tx_dma_unprep and geni_se_rx_dma_unprep functions. Signed-off-by: Roja Rani Yarubandi --- Changes in

[PATCH V2 2/2] i2c: i2c-qcom-geni: Add shutdown callback for i2c

2020-08-20 Thread Roja Rani Yarubandi
If the hardware is still accessing memory after SMMU translation is disabled (as part of smmu shutdown callback), then the IOVAs (I/O virtual address) which it was using will go on the bus as the physical addresses which will result in unknown crashes like NoC/interconnect errors. So, implement sh

[PATCH 4.4 017/149] sh: Fix validation of system call number

2020-08-20 Thread Greg Kroah-Hartman
From: Michael Karcher [ Upstream commit 04a8a3d0a73f51c7c2da84f494db7ec1df230e69 ] The slow path for traced system call entries accessed a wrong memory location to get the number of the maximum allowed system call number. Renumber the numbered "local" label for the correct location to avoid coll

[PATCH 4.4 010/149] f2fs: check memory boundary by insane namelen

2020-08-20 Thread Greg Kroah-Hartman
From: Jaegeuk Kim [ Upstream commit 4e240d1bab1ead280ddf5eb05058dba6bbd57d10 ] If namelen is corrupted to have very long value, fill_dentries can copy wrong memory area. Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin --- fs/f2fs/dir.c | 11 ++- 1 file cha

[PATCH 4.4 008/149] drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl()

2020-08-20 Thread Greg Kroah-Hartman
From: Peilin Ye commit 543e8669ed9bfb30545fd52bc0e047ca4df7fb31 upstream. Compiler leaves a 4-byte hole near the end of `dev_info`, causing amdgpu_info_ioctl() to copy uninitialized kernel stack memory to userspace when `size` is greater than 356. In 2015 we tried to fix this issue by doing `=

[PATCH 4.4 011/149] f2fs: check if file namelen exceeds max value

2020-08-20 Thread Greg Kroah-Hartman
From: Sheng Yong [ Upstream commit 720db068634c91553a8e1d9a0fcd8c7050e06d2b ] Dentry bitmap is not enough to detect incorrect dentries. So this patch also checks the namelen value of a dentry. Signed-off-by: Gong Chen Signed-off-by: Sheng Yong Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim

[PATCH 4.4 032/149] ext4: fix direct I/O read error

2020-08-20 Thread Greg Kroah-Hartman
From: Jiang Ying This patch is used to fix ext4 direct I/O read error when the read size is not aligned with block size. Then, I will use a test to explain the error. (1) Make a file that is not aligned with block size: $dd if=/dev/zero of=./test.jar bs=1000 count=3 (2) I wrote a sourc

[PATCH 4.4 030/149] random32: remove net_rand_state from the latent entropy gcc plugin

2020-08-20 Thread Greg Kroah-Hartman
From: Linus Torvalds commit 83bdc7275e6206f560d247be856bceba3e1ed8f2 upstream. It turns out that the plugin right now ends up being really unhappy about the change from 'static' to 'extern' storage that happened in commit f227e3ec3b5c ("random32: update the net random state on interrupt and acti

[PATCH 4.4 033/149] USB: serial: qcserial: add EM7305 QDL product ID

2020-08-20 Thread Greg Kroah-Hartman
From: Erik Ekman commit d2a4309c1ab6df424b2239fe2920d6f26f808d17 upstream. When running qmi-firmware-update on the Sierra Wireless EM7305 in a Toshiba laptop, it changed product ID to 0x9062 when entering QDL mode: usb 2-4: new high-speed USB device number 78 using xhci_hcd usb 2-4: New USB dev

[PATCH 4.4 031/149] random32: move the pseudo-random 32-bit definitions to prandom.h

2020-08-20 Thread Greg Kroah-Hartman
From: Linus Torvalds commit c0842fbc1b18c7a044e6ff3e8fa78bfa822c7d1a upstream. The addition of percpu.h to the list of includes in random.h revealed some circular dependencies on arm64 and possibly other platforms. This include was added solely for the pseudo-random definitions, which have noth

[PATCH 4.4 009/149] drm: hold gem reference until object is no longer accessed

2020-08-20 Thread Greg Kroah-Hartman
From: Steve Cohen commit 8490d6a7e0a0a6fab5c2d82d57a3937306660864 upstream. A use-after-free in drm_gem_open_ioctl can happen if the GEM object handle is closed between the idr lookup and retrieving the size from said object since a local reference is not being held at that point. Hold the local

[PATCH 4.4 028/149] ARM: percpu.h: fix build error

2020-08-20 Thread Greg Kroah-Hartman
From: Grygorii Strashko commit aa54ea903abb02303bf55855fb51e3fcee135d70 upstream. Fix build error for the case: defined(CONFIG_SMP) && !defined(CONFIG_CPU_V6) config: keystone_defconfig CC arch/arm/kernel/signal.o In file included from ../include/linux/random.h:14,

[PATCH 4.4 006/149] nfs: Move call to security_inode_listsecurity into nfs_listxattr

2020-08-20 Thread Greg Kroah-Hartman
From: Andreas Gruenbacher [ Upstream commit c4803c497fbdb37e96af614813a7cfb434b6682a ] Add a nfs_listxattr operation. Move the call to security_inode_listsecurity from list operation of the "security.*" xattr handler to nfs_listxattr. Signed-off-by: Andreas Gruenbacher Cc: Trond Myklebust Cc

Re: [PATCH v2 09/11] usb: phy: phy-mv-usb: convert to readl_poll_timeout_atomic()

2020-08-20 Thread Sergei Shtylyov
On 20.08.2020 8:45, Chunfeng Yun wrote: Use readl_poll_timeout_atomic() to simplify code Signed-off-by: Chunfeng Yun --- v2: udelay 10us instead of 20us according to kerneldoc --- drivers/usb/phy/phy-mv-usb.c | 16 +++- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git

[PATCH 4.4 027/149] random32: update the net random state on interrupt and activity

2020-08-20 Thread Greg Kroah-Hartman
From: Willy Tarreau commit f227e3ec3b5cad859ad15666874405e8c1bbc1d4 upstream. This modifies the first 32 bits out of the 128 bits of a random CPU's net_rand_state on interrupt or CPU activity to complicate remote observations that could lead to guessing the network RNG's internal state. Note th

[PATCH 4.4 007/149] PCI/ASPM: Disable ASPM on ASMedia ASM1083/1085 PCIe-to-PCI bridge

2020-08-20 Thread Greg Kroah-Hartman
From: Robert Hancock commit b361663c5a40c8bc758b7f7f2239f7a192180e7c upstream. Recently ASPM handling was changed to allow ASPM on PCIe-to-PCI/PCI-X bridges. Unfortunately the ASMedia ASM1083/1085 PCIe to PCI bridge device doesn't seem to function properly with ASPM enabled. On an Asus PRIME H

[PATCH 4.4 025/149] xen-netfront: fix potential deadlock in xennet_remove()

2020-08-20 Thread Greg Kroah-Hartman
From: Andrea Righi [ Upstream commit c2c633106453611be07821f53dff9e93a9d1c3f0 ] There's a potential race in xennet_remove(); this is what the driver is doing upon unregistering a network device: 1. state = read bus state 2. if state is not "Closed": 3.request to set state to "Closing"

[PATCH 4.4 029/149] random: fix circular include dependency on arm64 after addition of percpu.h

2020-08-20 Thread Greg Kroah-Hartman
From: Willy Tarreau commit 1c9df907da83812e4f33b59d3d142c864d9da57f upstream. Daniel Díaz and Kees Cook independently reported that commit f227e3ec3b5c ("random32: update the net random state on interrupt and activity") broke arm64 due to a circular dependency on include files since the addition

[PATCH 4.4 026/149] x86/i8259: Use printk_deferred() to prevent deadlock

2020-08-20 Thread Greg Kroah-Hartman
From: Thomas Gleixner commit bdd65589593edd79b6a12ce86b3b7a7c6dae5208 upstream. 0day reported a possible circular locking dependency: Chain exists of: &irq_desc_lock_class --> console_owner --> &port_lock_key Possible unsafe locking scenario: CPU0CPU1

RE: [PATCH] fs: NTFS read-write driver GPL implementation by Paragon Software.

2020-08-20 Thread Konstantin Komarov
From: Aurélien Aptel Sent: Friday, August 14, 2020 6:30 PM > I've tried this using libntfs-3g mkfs.ntfs > > # mkfs.ntfs /dev/vb1 > # mount -t ntfs3 /dev/vb1 /mnt > > This already triggered UBSAN: > Then I've tried to copy /etc into it: > ... > # cp -rp /etc /mnt > > But this triggered a NULL pt

[PATCH 4.4 013/149] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.

2020-08-20 Thread Greg Kroah-Hartman
From: Tetsuo Handa [ Upstream commit 033724d6864245a11f8e04c066002e6ad22b3fd0 ] syzbot is reporting general protection fault in bitfill_aligned() [1] caused by integer underflow in bit_clear_margins(). The cause of this problem is when and how do_vc_resize() updates vc->vc_{cols,rows}. If vc_do

[PATCH 4.4 002/149] net: phy: mdio-bcm-unimac: fix potential NULL dereference in unimac_mdio_probe()

2020-08-20 Thread Greg Kroah-Hartman
From: Wei Yongjun [ Upstream commit 297a6961ffb8ff4dc66c9fbf53b924bd1dda05d5 ] platform_get_resource() may fail and return NULL, so we should better check its return value to avoid a NULL pointer dereference a bit later in the code. This is detected by Coccinelle semantic patch. @@ expression

[PATCH 4.4 024/149] Revert "i2c: cadence: Fix the hold bit setting"

2020-08-20 Thread Greg Kroah-Hartman
From: Raviteja Narayanam [ Upstream commit 0db9254d6b896b587759e2c844c277fb1a6da5b9 ] This reverts commit d358def706880defa4c9e87381c5bf086a97d5f9. There are two issues with "i2c: cadence: Fix the hold bit setting" commit. 1. In case of combined message request from user space, when the HOLD b

[PATCH 4.14 222/228] genirq/affinity: Handle affinity setting on inactive interrupts correctly

2020-08-20 Thread Greg Kroah-Hartman
From: Thomas Gleixner commit baedb87d1b53532f81b4bd0387f83b05d4f7eb9a upstream. Setting interrupt affinity on inactive interrupts is inconsistent when hierarchical irq domains are enabled. The core code should just store the affinity and not call into the irq chip driver for inactive interrupts

[PATCH 4.14 224/228] arm64: dts: marvell: espressobin: add ethernet alias

2020-08-20 Thread Greg Kroah-Hartman
From: Tomasz Maciej Nowak commit 5253cb8c00a6f4356760efb38bca0e0393aa06de upstream. The maker of this board and its variants, stores MAC address in U-Boot environment. Add alias for bootloader to recognise, to which ethernet node inject the factory MAC address. Signed-off-by: Tomasz Maciej Nowa

[PATCH 4.14 223/228] genirq/affinity: Make affinity setting if activated opt-in

2020-08-20 Thread Greg Kroah-Hartman
From: Thomas Gleixner commit f0c7baca180046824e07fc5f1326e83a8fd150c7 upstream. John reported that on a RK3288 system the perf per CPU interrupts are all affine to CPU0 and provided the analysis: "It looks like what happens is that because the interrupts are not per-CPU in the hardware, armp

[PATCH 4.14 216/228] mfd: dln2: Run event handler loop under spinlock

2020-08-20 Thread Greg Kroah-Hartman
From: Andy Shevchenko [ Upstream commit 3d858942250820b9adc35f963a257481d6d4c81d ] The event handler loop must be run with interrupts disabled. Otherwise we will have a warning: [ 1970.785649] irq 31 handler lineevent_irq_handler+0x0/0x20 enabled interrupts [ 1970.792739] WARNING: CPU: 0 PID: 0

[PATCH 4.14 218/228] perf bench mem: Always memset source before memcpy

2020-08-20 Thread Greg Kroah-Hartman
From: Vincent Whitchurch [ Upstream commit 1beaef29c34154ccdcb3f1ae557f6883eda18840 ] For memcpy, the source pages are memset to zero only when --cycles is used. This leads to wildly different results with or without --cycles, since all sources pages are likely to be mapped to the same zero pag

[PATCH 4.14 184/228] ocfs2: change slot number type s16 to u16

2020-08-20 Thread Greg Kroah-Hartman
From: Junxiao Bi commit 38d51b2dd171ad973afc1f5faab825ed05a2d5e9 upstream. Dan Carpenter reported the following static checker warning. fs/ocfs2/super.c:1269 ocfs2_parse_options() warn: '(-1)' 65535 can't fit into 32767 'mopt->slot' fs/ocfs2/suballoc.c:859 ocfs2_init_inode_stea

[PATCH 4.14 193/228] perf intel-pt: Fix FUP packet state

2020-08-20 Thread Greg Kroah-Hartman
From: Adrian Hunter commit 401136bb084fd021acd9f8c51b52fe0a25e326b2 upstream. While walking code towards a FUP ip, the packet state is INTEL_PT_STATE_FUP or INTEL_PT_STATE_FUP_NO_TIP. That was mishandled resulting in the state becoming INTEL_PT_STATE_IN_SYNC prematurely. The result was an occas

[PATCH 4.14 208/228] i2c: rcar: avoid race when unregistering slave

2020-08-20 Thread Greg Kroah-Hartman
From: Wolfram Sang [ Upstream commit c7c9e914f9a0478fba4dc6f227cfd69cf84a4063 ] Due to the lockless design of the driver, it is theoretically possible to access a NULL pointer, if a slave interrupt was running while we were unregistering the slave. To make this rock solid, disable the interrupt

[PATCH 4.14 215/228] test_kmod: avoid potential double free in trigger_config_run_type()

2020-08-20 Thread Greg Kroah-Hartman
From: Tiezhu Yang [ Upstream commit 0776d1231bec0c7ab43baf440a3f5ef5f49dd795 ] Reset the member "test_fs" of the test configuration after a call of the function "kfree_const" to a null pointer so that a double memory release will not be performed. Fixes: d9c6a72d6fa2 ("kmod: add test driver to

[PATCH 4.14 228/228] drm/radeon: fix fb_div check in ni_init_smc_spll_table()

2020-08-20 Thread Greg Kroah-Hartman
From: Denis Efremov commit f29aa08852e1953e461f2d47ab13c34e14bc08b3 upstream. clk_s is checked twice in a row in ni_init_smc_spll_table(). fb_div should be checked instead. Fixes: 69e0b57a91ad ("drm/radeon/kms: add dpm support for cayman (v5)") Cc: sta...@vger.kernel.org Signed-off-by: Denis Ef

[PATCH 4.14 227/228] dm cache: remove all obsolete writethrough-specific code

2020-08-20 Thread Greg Kroah-Hartman
From: Mike Snitzer commit 9958f1d9a04efb3db19134482b3f4c6897e0e7b8 upstream. Now that the writethrough code is much simpler there is no need to track so much state or cascade bio submission (as was done, via writethrough_endio(), to issue origin then cache IO in series). As such the obsolete wr

Re: [PATCH] eventfd: Enlarge recursion limit to allow vhost to work

2020-08-20 Thread He Zhe
On 7/22/20 5:01 PM, Juri Lelli wrote: > On 13/07/20 15:22, Juri Lelli wrote: > > [...] > >> Gentle ping about this issue (mainly addressing relevant maintainers and >> potential reviewers). It's easily reproducible with PREEMPT_RT. > Ping. Any comment at all? :-) Hi Maintainer(s), It's been 4

[PATCH 4.14 191/228] watchdog: f71808e_wdt: clear watchdog timeout occurred flag

2020-08-20 Thread Greg Kroah-Hartman
From: Ahmad Fatoum commit 4f39d575844148fbf3081571a1f3b4ae04150958 upstream. The flag indicating a watchdog timeout having occurred normally persists till Power-On Reset of the Fintek Super I/O chip. The user can clear it by writing a `1' to the bit. The driver doesn't offer a restart method, s

[PATCH 4.14 192/228] pseries: Fix 64 bit logical memory block panic

2020-08-20 Thread Greg Kroah-Hartman
From: Anton Blanchard commit 89c140bbaeee7a55ed0360a88f294ead2b95201b upstream. Booting with a 4GB LMB size causes us to panic: qemu-system-ppc64: OS terminated: OS panic: Memory block size not suitable: 0x0 Fix pseries_memory_block_size() to handle 64 bit LMBs. Cc: sta...@vger.kernel

[PATCH 4.14 202/228] iommu/omap: Check for failure of a call to omap_iommu_dump_ctx

2020-08-20 Thread Greg Kroah-Hartman
From: Colin Ian King [ Upstream commit dee9d154f40c58d02f69acdaa5cfd1eae6ebc28b ] It is possible for the call to omap_iommu_dump_ctx to return a negative error number, so check for the failure and return the error number rather than pass the negative value to simple_read_from_buffer. Fixes: 14e

Re: [PATCH] binder: print warnings when detecting oneway spamming.

2020-08-20 Thread kernel test robot
Hi Martijn, I love your patch! Yet something to improve: [auto build test ERROR on staging/staging-testing] [also build test ERROR on v5.9-rc1 next-20200820] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--bas

[PATCH 4.14 226/228] dm cache: submit writethrough writes in parallel to origin and cache

2020-08-20 Thread Greg Kroah-Hartman
From: Mike Snitzer commit 2df3bae9a6543e90042291707b8db0cbfbae9ee9 upstream. Discontinue issuing writethrough write IO in series to the origin and then cache. Use bio_clone_fast() to create a new origin clone bio that will be mapped to the origin device and then bio_chain() it to the bio that g
