[PATCH 4.14 133/228] fsl/fman: check dereferencing null pointer

From: Florinel Iordache [ Upstream commit cc5d229a122106733a85c279d89d7703f21e4d4f ] Add a safe check to avoid dereferencing null pointer Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support") Signed-off-by: Florinel Iordache Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- dri

Re: [PATCH v3 6/7] libnvdimm: make sure EXPORT_SYMBOL_GPL(nvdimm_flush) close to its function

> Move EXPORT_SYMBOL_GPL(nvdimm_flush) close to nvdimm_flush(), currently > it's near to generic_nvdimm_flush(). > > Signed-off-by: Zhen Lei > --- > drivers/nvdimm/region_devs.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/nvdimm/region_devs.c b/drivers/nvdim

[PATCH 4.14 119/228] power: supply: check if calc_soc succeeded in pm860x_init_battery

From: Tom Rix [ Upstream commit ccf193dee1f0fff55b556928591f7818bac1b3b1 ] clang static analysis flags this error 88pm860x_battery.c:522:19: warning: Assigned value is garbage or undefined [core.uninitialized.Assign] info->start_soc = soc; ^ ~~~

[PATCH 4.14 132/228] fsl/fman: fix unreachable code

From: Florinel Iordache [ Upstream commit cc79fd8f557767de90ff199d3b6fb911df43160a ] The parameter 'priority' is incorrectly forced to zero which ultimately induces logically dead code in the subsequent lines. Fixes: 57ba4c9b56d8 ("fsl/fman: Add FMan MAC support") Signed-off-by: Florinel Iordac

[PATCH 4.14 130/228] fsl/fman: use 32-bit unsigned integer

From: Florinel Iordache [ Upstream commit 99f47abd9f7bf6e365820d355dc98f6955a562df ] Potentially overflowing expression (ts_freq << 16 and intgr << 16) declared as type u32 (32-bit unsigned) is evaluated using 32-bit arithmetic and then used in a context that expects an expression of type u64 (6

[PATCH 4.14 129/228] net: spider_net: Fix the size used in a dma_free_coherent() call

From: Christophe JAILLET [ Upstream commit 36f28f7687a9ce665479cce5d64ce7afaa9e77ae ] Update the size used in 'dma_free_coherent()' in order to match the one used in the corresponding 'dma_alloc_coherent()', in 'spider_net_init_chain()'. Fixes: d4ed8f8d1fb7 ("Spidernet DMA coalescing") Signed-o

[PATCH 4.14 115/228] scsi: mesh: Fix panic after host or bus reset

From: Finn Thain [ Upstream commit edd7dd2292ab9c3628b65c4d04514c3068ad54f6 ] Booting Linux with a Conner CP3200 drive attached to the MESH SCSI bus results in EH measures and a panic: [ 25.499838] mesh: configured for synchronous 5 MB/s [ 25.787154] mesh: performing initial bus reset... [

[PATCH 4.14 092/228] cxl: Fix kobject memleak

From: Wang Hai [ Upstream commit 85c5cbeba8f4fb28e6b9bfb3e467718385f78f76 ] Currently the error return path from kobject_init_and_add() is not followed by a call to kobject_put() - which means we are leaking the kobject. Fix it by adding a call to kobject_put() in the error path of kobject_init

[PATCH 4.14 113/228] MIPS: OCTEON: add missing put_device() call in dwc3_octeon_device_init()

From: Yu Kuai [ Upstream commit e8b9fc10f2615b9a525fce56981e40b489528355 ] if of_find_device_by_node() succeed, dwc3_octeon_device_init() doesn't have a corresponding put_device(). Thus add put_device() to fix the exception handling for this function implementation. Fixes: 93e502b3c2d4 ("MIPS:

[PATCH 4.14 090/228] scsi: cumana_2: Fix different dev_id between request_irq() and free_irq()

From: Christophe JAILLET [ Upstream commit 040ab9c4fd0070cd5fa71ba3a7b95b8470db9b4d ] The dev_id used in request_irq() and free_irq() should match. Use 'info' in both cases. Link: https://lore.kernel.org/r/20200625204730.943520-1-christophe.jail...@wanadoo.fr Fixes: 1da177e4c3f4 ("Linux-2.6.1

[PATCH 4.14 094/228] scsi: powertec: Fix different dev_id between request_irq() and free_irq()

From: Christophe JAILLET [ Upstream commit d179f7c763241c1dc5077fca88ddc3c47d21b763 ] The dev_id used in request_irq() and free_irq() should match. Use 'info' in both cases. Link: https://lore.kernel.org/r/20200626035948.944148-1-christophe.jail...@wanadoo.fr Fixes: 1da177e4c3f4 ("Linux-2.6.12

[PATCH 4.14 089/228] ASoC: Intel: bxt_rt298: add missing .owner field

From: Pierre-Louis Bossart [ Upstream commit 88cee34b776f80d2da04afb990c2a28c36799c43 ] This field is required for ASoC cards. Not setting it will result in a module->name pointer being NULL and generate problems such as cat /proc/asound/modules 0 (efault) Fixes: 76016322ec56 ('ASoC: Intel: A

[PATCH 4.14 108/228] PCI/ASPM: Add missing newline in sysfs policy

From: Xiongfeng Wang [ Upstream commit 3167e3d340c092fd47924bc4d23117a3074ef9a9 ] When I cat ASPM parameter 'policy' by sysfs, it displays as follows. Add a newline for easy reading. Other sysfs attributes already include a newline. [root@localhost ~]# cat /sys/module/pcie_aspm/parameters/p

[PATCH 4.14 098/228] media: exynos4-is: Add missed check for pinctrl_lookup_state()

From: Chuhong Yuan [ Upstream commit 18ffec750578f7447c288647d7282c7d12b1d969 ] fimc_md_get_pinctrl() misses a check for pinctrl_lookup_state(). Add the missed check to fix it. Fixes: 4163851f7b99 ("[media] s5p-fimc: Use pinctrl API for camera ports configuration]") Signed-off-by: Chuhong Yuan

[PATCH 4.14 112/228] coresight: tmc: Fix TMC mode read in tmc_read_unprepare_etb()

From: Sai Prakash Ranjan [ Upstream commit d021f5c5ff679432c5e9faee0fd7350db2efb97c ] Reading TMC mode register without proper coresight power management can lead to exceptions like the one in the call trace below in tmc_read_unprepare_etb() when the trace data is read after the sink is disabled

[PATCH 4.14 107/228] staging: rtl8192u: fix a dubious looking mask before a shift

From: Colin Ian King [ Upstream commit c4283950a9a4d3bf4a3f362e406c80ab14f10714 ] Currently the masking of ret with 0xff and followed by a right shift of 8 bits always leaves a zero result. It appears the mask of 0xff is incorrect and should be 0xff00, but I don't have the hardware to test this

[PATCH 4.14 106/228] powerpc/vdso: Fix vdso cpu truncation

From: Milton Miller [ Upstream commit a9f675f950a07d5c1dbcbb97aabac56f5ed085e3 ] The code in vdso_cpu_init that exposes the cpu and numa node to userspace via SPRG_VDSO incorrctly masks the cpu to 12 bits. This means that any kernel running on a box with more than 4096 threads (NR_CPUS advertise

[PATCH 4.14 109/228] drm/imx: tve: fix regulator_disable error path

From: Marco Felsch [ Upstream commit 7bb58b987fee26da2a1665c01033022624986b7c ] Add missing regulator_disable() as devm_action to avoid dedicated unbind() callback and fix the missing error handling. Fixes: fcbc51e54d2a ("staging: drm/imx: Add support for Television Encoder (TVEv2)") Signed-of

[PATCH 4.14 117/228] Smack: fix another vsscanf out of bounds

From: Dan Carpenter [ Upstream commit a6bd4f6d9b07452b0b19842044a6c3ea384b0b88 ] This is similar to commit 84e99e58e8d1 ("Smack: slab-out-of-bounds in vsscanf") where we added a bounds check on "rule". Reported-by: syzbot+a22c6092d003d6fe1...@syzkaller.appspotmail.com Fixes: f7112e6c9abf ("Smac

[PATCH 4.14 114/228] usb: dwc2: Fix error path in gadget registration

From: Marek Szyprowski [ Upstream commit 33a06f1300a79cfd461cea0268f05e969d4f34ec ] When gadget registration fails, one should not call usb_del_gadget_udc(). Ensure this by setting gadget->udc to NULL. Also in case of a failure there is no need to disable low-level hardware, so return immiedetly

[PATCH 4.14 111/228] thermal: ti-soc-thermal: Fix reversed condition in ti_thermal_expose_sensor()

From: Dan Carpenter [ Upstream commit 0f348db01fdf128813fdd659fcc339038fb421a4 ] This condition is reversed and will cause breakage. Fixes: 7440f518dad9 ("thermal/drivers/ti-soc-thermal: Avoid dereferencing ERR_PTR") Signed-off-by: Dan Carpenter Signed-off-by: Daniel Lezcano Link: https://lo

[PATCH 4.14 100/228] PCI: Fix pci_cfg_wait queue locking problem

From: Bjorn Helgaas [ Upstream commit 2a7e32d0547f41c5ce244f84cf5d6ca7fccee7eb ] The pci_cfg_wait queue is used to prevent user-space config accesses to devices while they are recovering from reset. Previously we used these operations on pci_cfg_wait: __add_wait_queue(&pci_cfg_wait, ...) _

[PATCH 4.14 055/228] platform/x86: intel-hid: Fix return value check in check_acpi_dev()

From: Lu Wei [ Upstream commit 71fbe886ce6dd0be17f20aded9c63fe58edd2806 ] In the function check_acpi_dev(), if it fails to create platform device, the return value is ERR_PTR() or NULL. Thus it must use IS_ERR_OR_NULL() to check return value. Fixes: ecc83e52b28c ("intel-hid: new hid event drive

[PATCH 4.14 060/228] drm/tilcdc: fix leak & null ref in panel_connector_get_modes

From: Tomi Valkeinen [ Upstream commit 3f9c1c872cc97875ddc8d63bc9fe6ee13652b933 ] If videomode_from_timings() returns true, the mode allocated with drm_mode_create will be leaked. Also, the return value of drm_mode_create() is never checked, and thus could cause NULL deref. Fix these two issue

[PATCH 4.14 057/228] ARM: at91: pm: add missing put_device() call in at91_pm_sram_init()

From: yu kuai [ Upstream commit f87a4f022c44e5b87e842a9f3e644fba87e8385f ] if of_find_device_by_node() succeed, at91_pm_sram_init() doesn't have a corresponding put_device(). Thus add a jump target to fix the exception handling for this function implementation. Fixes: d2e467905596 ("ARM: at91:

[PATCH 4.14 096/228] ipvs: allow connection reuse for unconfirmed conntrack

From: Julian Anastasov [ Upstream commit f0a5e4d7a594e0fe237d3dfafb069bb82f80f42f ] YangYuxi is reporting that connection reuse is causing one-second delay when SYN hits existing connection in TIME_WAIT state. Such delay was added to give time to expire both the IPVS connection and the correspon

[PATCH 4.14 097/228] media: firewire: Using uninitialized values in node_probe()

From: Dan Carpenter [ Upstream commit 2505a210fc126599013aec2be741df20aaacc490 ] If fw_csr_string() returns -ENOENT, then "name" is uninitialized. So then the "strlen(model_names[i]) <= name_len" is true because strlen() is unsigned and -ENOENT is type promoted to a very high positive value. Th

[PATCH 4.14 058/228] spi: lantiq: fix: Rx overflow error in full duplex mode

From: Dilip Kota [ Upstream commit 661ccf2b3f1360be50242726f7c26ced6a9e7d52 ] In full duplex mode, rx overflow error is observed. To overcome the error, wait until the complete data got received and proceed further. Fixes: 17f84b793c01 ("spi: lantiq-ssc: add support for Lantiq SSC SPI controll

[PATCH 4.14 056/228] platform/x86: intel-vbtn: Fix return value check in check_acpi_dev()

From: Lu Wei [ Upstream commit 64dd4a5a7d214a07e3d9f40227ec30ac8ba8796e ] In the function check_acpi_dev(), if it fails to create platform device, the return value is ERR_PTR() or NULL. Thus it must use IS_ERR_OR_NULL() to check return value. Fixes: 332e081225fc ("intel-vbtn: new driver for Int

[PATCH 4.14 110/228] USB: serial: iuu_phoenix: fix led-activity helpers

From: Johan Hovold [ Upstream commit de37458f8c2bfc465500a1dd0d15dbe96d2a698c ] The set-led command is eight bytes long and starts with a command byte followed by six bytes of RGB data and ends with a byte encoding a frequency (see iuu_led() and iuu_rgbf_fill_buffer()). The led activity helpers

[PATCH 4.14 084/228] video: pxafb: Fix the function used to balance a dma_alloc_coherent() call

From: Christophe JAILLET [ Upstream commit 499a2c41b954518c372873202d5e7714e22010c4 ] 'dma_alloc_coherent()' must be balanced by a call to 'dma_free_coherent()' not 'dma_free_wc()'. The correct dma_free_ function is already used in the error handling path of the probe function. Fixes: 77e196752

[PATCH 4.14 082/228] video: fbdev: sm712fb: fix an issue about iounmap for a wrong address

From: Dejin Zheng [ Upstream commit 98bd4f72988646c35569e1e838c0ab80d06c77f6 ] the sfb->fb->screen_base is not save the value get by iounmap() when the chip id is 0x720. so iounmap() for address sfb->fb->screen_base is not right. Fixes: 1461d6672864854 ("staging: sm7xxfb: merge sm712fb with fbd

[PATCH 4.14 083/228] console: newport_con: fix an issue about leak related system resources

From: Dejin Zheng [ Upstream commit fd4b8243877250c05bb24af7fea5567110c9720b ] A call of the function do_take_over_console() can fail here. The corresponding system resources were not released then. Thus add a call of iounmap() and release_mem_region() together with the check of a failure predic

[PATCH 4.14 080/228] ACPICA: Do not increment operation_region reference counts for field units

From: Erik Kaneda [ Upstream commit 6a54ebae6d047c988a31f5ac5a64ab5cf83797a2 ] ACPICA commit e17b28cfcc31918d0db9547b6b274b09c413eb70 Object reference counts are used as a part of ACPICA's garbage collection mechanism. This mechanism keeps track of references to heap-allocated structures such a

[PATCH 4.14 078/228] dyndbg: fix a BUG_ON in ddebug_describe_flags

From: Jim Cromie [ Upstream commit f678ce8cc3cb2ad29df75d8824c74f36398ba871 ] ddebug_describe_flags() currently fills a caller provided string buffer, after testing its size (also passed) in a BUG_ON. Fix this by replacing them with a known-big-enough string buffer wrapped in a struct, and pass

[PATCH 4.14 077/228] usb: bdc: Halt controller on suspend

From: Danesh Petigara [ Upstream commit 5fc453d7de3d0c345812453823a3a56783c5f82c ] GISB bus error kernel panics have been observed during S2 transition tests on the 7271t platform. The errors are a result of the BDC interrupt handler trying to access BDC register space after the system's suspend

[PATCH 4.14 065/228] md-cluster: fix wild pointer of unlock_all_bitmaps()

From: Zhao Heming [ Upstream commit 60f80d6f2d07a6d8aee485a1d12523270c81 ] reproduction steps: ``` node1 # mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sda /dev/sdb node2 # mdadm -A /dev/md0 /dev/sda /dev/sdb node1 # mdadm -G /dev/md0 -b none mdadm: failed to remove clustered bi

[PATCH 4.14 076/228] bdc: Fix bug causing crash after multiple disconnects

From: Sasi Kumar [ Upstream commit a95bdfd22076497288868c028619bc5995f5cc7f ] Multiple connects/disconnects can cause a crash on the second disconnect. The driver had a problem where it would try to send endpoint commands after it was disconnected which is not allowed by the hardware. The fix is

[PATCH 4.14 072/228] brcmfmac: set state of hanger slot to FREE when flushing PSQ

From: Wright Feng [ Upstream commit fcdd7a875def793c38d7369633af3eba6c7cf089 ] When USB or SDIO device got abnormal bus disconnection, host driver tried to clean up the skbs in PSQ and TXQ (The skb's pointer in hanger slot linked to PSQ and TSQ), so we should set the state of skb hanger slot to

[PATCH 4.14 070/228] mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls

From: Paul E. McKenney [ Upstream commit 0a3b3c253a1eb2c7fe7f34086d46660c909abeb3 ] A large process running on a heavily loaded system can encounter the following RCU CPU stall warning: rcu: INFO: rcu_sched self-detected stall on CPU rcu: 3-: (20998 ticks this GP) idle=4ea/1/0x4000

Re: [PATCH 1/1] mm, oom_adj: don't loop through tasks in __set_oom_adj when not necessary

On Thu 20-08-20 12:32:48, Christian Brauner wrote: > On Thu, Aug 20, 2020 at 11:09:01AM +0200, Michal Hocko wrote: > > On Thu 20-08-20 10:46:54, Christian Brauner wrote: [...] > > > > which includes processes with multiple threads (sharing mm and signals). > > > > However for such processes the loo

Re: [PATCH 1/1] mm, oom_adj: don't loop through tasks in __set_oom_adj when not necessary

On Thu 20-08-20 12:55:56, Oleg Nesterov wrote: > On 08/19, Suren Baghdasaryan wrote: > > > > Since the combination of CLONE_VM and !CLONE_SIGHAND is rarely > > used the additional mutex lock in that path of the clone() syscall should > > not affect its overall performance. Clearing the MMF_PROC_SHA

[PATCH 4.14 064/228] video: fbdev: neofb: fix memory leak in neo_scan_monitor()

From: Evgeny Novikov [ Upstream commit edcb3895a751c762a18d25c8d9846ce9759ed7e1 ] neofb_probe() calls neo_scan_monitor() that can successfully allocate a memory for info->monspecs.modedb and proceed to case 0x03. There it does not free the memory and returns -1. neofb_probe() goes to label err_s

[PATCH 4.14 053/228] m68k: mac: Dont send IOP message until channel is idle

From: Finn Thain [ Upstream commit aeb445bf2194d83e12e85bf5c65baaf1f093bd8f ] In the following sequence of calls, iop_do_send() gets called when the "send" channel is not in the IOP_MSG_IDLE state: iop_ism_irq() iop_handle_send() (msg->handler)()

[PATCH 4.14 066/228] arm64: dts: hisilicon: hikey: fixes to comply with adi, adv7533 DT binding

From: Ricardo Cañuelo [ Upstream commit bbe28fc3cbabbef781bcdf847615d52ce2e26e42 ] hi3660-hikey960.dts: Define a 'ports' node for 'adv7533: adv7533@39' and the 'adi,dsi-lanes' property to make it compliant with the adi,adv7533 DT binding. This fills the requirements to meet the binding

[PATCH 4.14 026/228] atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent

From: Xin Xiong [ Upstream commit 51875dad43b44241b46a569493f1e4bfa0386d86 ] atmtcp_remove_persistent() invokes atm_dev_lookup(), which returns a reference of atm_dev with increased refcount or NULL if fails. The refcount leaks issues occur in two error handling paths. If dev_data->persist is z

[PATCH 4.14 023/228] i2c: slave: add sanity check when unregistering

From: Wolfram Sang [ Upstream commit 8808981baf96e1b3dea1f08461e4d958aa0dbde1 ] Signed-off-by: Wolfram Sang Reviewed-by: Alain Volmat Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin --- drivers/i2c/i2c-core-slave.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/i2c/i2

[PATCH 4.14 063/228] drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync

From: Aditya Pakki [ Upstream commit 9fb10671011143d15b6b40d6d5fa9c52c57e9d63 ] On calling pm_runtime_get_sync() the reference count of the device is incremented. In case of failure, decrement the reference count before returning the error. Acked-by: Evan Quan Signed-off-by: Aditya Pakki Sign

[PATCH 4.14 019/228] net/9p: validate fds in p9_fd_open

From: Christoph Hellwig [ Upstream commit a39c46067c845a8a2d7144836e9468b7f072343e ] p9_fd_open just fgets file descriptors passed in from userspace, but doesn't verify that they are valid for read or writing. This gets cought down in the VFS when actually attempting a read or write, but a new

[PATCH 4.14 047/228] sched: correct SD_flags returned by tl->sd_flags()

From: Peng Liu [ Upstream commit 9b1b234bb86bcdcdb142e900d39b599185465dbb ] During sched domain init, we check whether non-topological SD_flags are returned by tl->sd_flags(), if found, fire a waning and correct the violation, but the code failed to correct the violation. Correct this. Fixes: 1

[PATCH 4.14 025/228] igb: reinit_locked() should be called with rtnl_lock

From: Francesco Ruggeri [ Upstream commit 024a8168b749db7a4aa40a5fbdfa04bf7e77c1c0 ] We observed two panics involving races with igb_reset_task. The first panic is caused by this race condition: kworker reboot -f igb_reset_task igb_reinit_locked

[PATCH 4.14 049/228] arm64: dts: rockchip: fix rk3399-puma gmac reset gpio

From: Heiko Stuebner [ Upstream commit 8a445086f8af0b7b9bd8d1901d6f306bb154f70d ] The puma gmac node currently uses opposite active-values for the gmac phy reset pin. The gpio-declaration uses active-high while the separate snps,reset-active-low property marks the pin as active low. While on th

[PATCH 4.14 048/228] arm64: dts: rockchip: fix rk3399-puma vcc5v0-host gpio

From: Heiko Stuebner [ Upstream commit 7a7184f6cfa9279f1a1c10a1845d247d7fad54ff ] The puma vcc5v0_host regulator node currently uses opposite active-values for the enable pin. The gpio-declaration uses active-high while the separate enable-active-low property marks the pin as active low. While

[PATCH 4.14 022/228] i2c: slave: improve sanity check when registering

From: Wolfram Sang [ Upstream commit 1b1be3bf27b62f5abcf85c6f3214bdb9c7526685 ] Add check for ERR_PTR and simplify code while here. Signed-off-by: Wolfram Sang Reviewed-by: Alain Volmat Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin --- drivers/i2c/i2c-core-slave.c | 4 +--- 1 file

[PATCH 4.14 044/228] HID: input: Fix devices that return multiple bytes in battery report

From: Grant Likely commit 4f57cace81438cc873a96f9f13f08298815c9b51 upstream. Some devices, particularly the 3DConnexion Spacemouse wireless 3D controllers, return more than just the battery capacity in the battery report. The Spacemouse devices return an additional byte with a device specific fi

[PATCH 4.14 043/228] tracepoint: Mark __tracepoint_strings __used

From: Nick Desaulniers commit f3751ad0116fb6881f2c3c957d66a9327f69cefb upstream. __tracepoint_string's have their string data stored in .rodata, and an address to that data stored in the "__tracepoint_str" section. Functions that refer to those strings refer to the symbol of the address. Compile

INVESTMENT

Good day, You were recommended by a mutual associate. I write you regarding an investment of bearer bonds I made on behalf of a client. The investment was made in 2009 and has been under my management. The said investor is deceased. The window is now available to assign these bonds to an

[PATCH 4.14 008/228] Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()

From: Peilin Ye commit 51c19bf3d5cfaa66571e4b88ba2a6f6295311101 upstream. Check upon `num_rsp` is insufficient. A malformed event packet with a large `num_rsp` number makes hci_extended_inquiry_result_evt() go out of bounds. Fix it. This patch fixes the following syzbot bug: https://syzka

[PATCH 4.14 042/228] Smack: fix use-after-free in smk_write_relabel_self()

From: Eric Biggers commit beb4ee6770a89646659e6a2178538d2b13e2654e upstream. smk_write_relabel_self() frees memory from the task's credentials with no locking, which can easily cause a use-after-free because multiple tasks can share the same credentials structure. Fix this by using prepare_cred

[PATCH 4.14 046/228] x86/mce/inject: Fix a wrong assignment of i_mce.status

From: Zhenzhong Duan [ Upstream commit 5d7f7d1d5e01c22894dee7c9c9266500478dca99 ] The original code is a nop as i_mce.status is or'ed with part of itself, fix it. Fixes: a1300e505297 ("x86/ras/mce_amd_inj: Trigger deferred and thresholding errors interrupts") Signed-off-by: Zhenzhong Duan Sig

[PATCH 4.14 017/228] leds: lm3533: fix use-after-free on unbind

From: Johan Hovold commit d584221e683bbd173738603b83a315f27d27d043 upstream. Several MFD child drivers register their class devices directly under the parent device. This means you cannot blindly do devres conversions so that deregistration ends up being tied to the parent device, something whic

[PATCH 4.14 041/228] rxrpc: Fix race between recvmsg and sendmsg on immediate call failure

From: David Howells [ Upstream commit 65550098c1c4db528400c73acf3e46bfa78d9264 ] There's a race between rxrpc_sendmsg setting up a call, but then failing to send anything on it due to an error, and recvmsg() seeing the call completion occur and trying to return the state to the user. An asserti

[PATCH 4.14 040/228] usb: hso: check for return value in hso_serial_common_create()

From: Rustam Kovhaev [ Upstream commit e911e99a0770f760377c263bc7bac1b1593c6147 ] in case of an error tty_register_device_attr() returns ERR_PTR(), add IS_ERR() check Reported-and-tested-by: syzbot+67b2bd0e34f952d03...@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=67b2

[PATCH 4.14 021/228] drm/nouveau/fbcon: zero-initialise the mode_cmd2 structure

From: Ben Skeggs [ Upstream commit 15fbc3b938534cc8eaac584a7b0c1183fc968b86 ] This is tripping up the format modifier patches. Signed-off-by: Ben Skeggs Signed-off-by: Sasha Levin --- drivers/gpu/drm/nouveau/nouveau_fbcon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/

[PATCH 4.14 039/228] selftests/net: relax cpu affinity requirement in msg_zerocopy test

From: Willem de Bruijn [ Upstream commit 16f6458f2478b55e2b628797bc81a4455045c74e ] The msg_zerocopy test pins the sender and receiver threads to separate cores to reduce variance between runs. But it hardcodes the cores and skips core 0, so it fails on machines with the selected cores offline,

[PATCH 4.14 037/228] openvswitch: Prevent kernel-infoleak in ovs_ct_put_key()

From: Peilin Ye [ Upstream commit 9aba6c5b49254d5bee927d81593ed4429e91d4ae ] ovs_ct_put_key() is potentially copying uninitialized kernel stack memory into socket buffers, since the compiler may leave a 3-byte hole at the end of `struct ovs_key_ct_tuple_ipv4` and `struct ovs_key_ct_tuple_ipv6`.

[PATCH 4.14 038/228] Revert "vxlan: fix tos value before xmit"

From: Hangbin Liu [ Upstream commit a0dced17ad9dc08b1b25e0065b54c97a318e6e8b ] This reverts commit 71130f29979c7c7956b040673e6b9d5643003176. In commit 71130f29979c ("vxlan: fix tos value before xmit") we want to make sure the tos value are filtered by RT_TOS() based on RFC1349. 0 1

[PATCH 4.14 036/228] net: gre: recompute gre csum for sctp over gre tunnels

From: Lorenzo Bianconi [ Upstream commit 622e32b7d4a6492cf5c1f759ef833f817418f7b3 ] The GRE tunnel can be used to transport traffic that does not rely on a Internet checksum (e.g. SCTP). The issue can be triggered creating a GRE or GRETAP tunnel and transmitting SCTP traffic ontop of it where CR

[PATCH 4.14 035/228] hv_netvsc: do not use VF device if link is down

From: Stephen Hemminger [ Upstream commit 7c9864bbccc23e1812ac82966555d68c13ea4006 ] If the accelerated networking SRIOV VF device has lost carrier use the synthetic network device which is available as backup path. This is a rare case since if VF link goes down, normally the VMBus device will a

[PATCH 4.14 034/228] net: lan78xx: replace bogus endpoint lookup

From: Johan Hovold [ Upstream commit ea060b352654a8de1e070140d25fe1b7e4d50310 ] Drop the bogus endpoint-lookup helper which could end up accepting interfaces based on endpoints belonging to unrelated altsettings. Note that the returned bulk pipes and interrupt endpoint descriptor were never act

Re: [PATCH] pinctrl: mediatek: check mtk_is_virt_gpio input parameter

On Wed, 2020-08-19 at 16:43 -0700, Sean Wang wrote: > Hi Hanks, > > On Thu, Aug 13, 2020 at 4:14 AM Hanks Chen wrote: > > > > check mtk_is_virt_gpio input parameter, > > virtual gpio need to support eint mode. > > > > add error handler for the ko case > > to fix this boot fail: > > pc : mtk_is_vi

[PATCH v2] pinctrl: mediatek: check mtk_is_virt_gpio input parameter

check mtk_is_virt_gpio input parameter, virtual gpio need to support eint mode. add error handler for the ko case to fix this boot fail: pc : mtk_is_virt_gpio+0x20/0x38 [pinctrl_mtk_common_v2] lr : mtk_gpio_get_direction+0x44/0xb0 [pinctrl_paris] Fixes: edd546465002 ("pinctrl: mediatek: avoid vir

[PATCH 4.14 033/228] vxlan: Ensure FDB dump is performed under RCU

From: Ido Schimmel [ Upstream commit b5141915b5aec3b29a63db869229e3741ebce258 ] The commit cited below removed the RCU read-side critical section from rtnl_fdb_dump() which means that the ndo_fdb_dump() callback is invoked without RCU protection. This results in the following warning [1] in the

[PATCH 4.14 020/228] drm/nouveau/fbcon: fix module unload when fbcon init has failed for some reason

From: Ben Skeggs [ Upstream commit 498595abf5bd51f0ae074cec565d888778ea558f ] Stale pointer was tripping up the unload path. Signed-off-by: Ben Skeggs Signed-off-by: Sasha Levin --- drivers/gpu/drm/nouveau/nouveau_fbcon.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/no

[PATCH 4.14 032/228] net: ethernet: mtk_eth_soc: fix MTU warnings

From: Landen Chao [ Upstream commit 555a893303872e044fb86f0a5834ce78d41ad2e2 ] in recent kernel versions there are warnings about incorrect MTU size like these: eth0: mtu greater than device maximum mtk_soc_eth 1b10.ethernet eth0: error -22 setting MTU to include DSA overhead Fixes: bfcb8

[PATCH 4.14 031/228] ipv6: fix memory leaks on IPV6_ADDRFORM path

From: Cong Wang [ Upstream commit 8c0de6e96c9794cb523a516c465991a70245da1c ] IPV6_ADDRFORM causes resource leaks when converting an IPv6 socket to IPv4, particularly struct ipv6_ac_socklist. Similar to struct ipv6_mc_socklist, we should just close it on this path. This bug can be easily reprodu

[PATCH 4.14 030/228] ipv4: Silence suspicious RCU usage warning

From: Ido Schimmel [ Upstream commit 83f3522860f702748143e022f1a546547314c715 ] fib_trie_unmerge() is called with RTNL held, but not from an RCU read-side critical section. This leads to the following warning [1] when the FIB alias list in a leaf is traversed with hlist_for_each_entry_rcu(). Si

[PATCH 4.14 009/228] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()

From: Peilin Ye commit 75bbd2ea50ba1c5d9da878a17e92eac02fe0fd3a upstream. Check `num_rsp` before using it as for-loop counter. Cc: sta...@vger.kernel.org Signed-off-by: Peilin Ye Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman --- net/bluetooth/hci_event.c |2 +- 1 fil

[PATCH 4.14 007/228] staging: android: ashmem: Fix lockdep warning for write operation

From: Suren Baghdasaryan commit 3e338d3c95c735dc3265a86016bb4c022ec7cadc upstream. syzbot report [1] describes a deadlock when write operation against an ashmem fd executed at the time when ashmem is shrinking its cache results in the following lock sequence: Possible unsafe locking scenario:

[PATCH 4.14 029/228] xattr: break delegations in {set,remove}xattr

From: Frank van der Linden commit 08b5d5014a27e717826999ad20e394a8811aae92 upstream. set/removexattr on an exported filesystem should break NFS delegations. This is true in general, but also for the upcoming support for RFC 8726 (NFSv4 extended attribute support). Make sure that they do. Additi

[PATCH 4.14 000/228] 4.14.194-rc1 review

This is the start of the stable review cycle for the 4.14.194 release. There are 228 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 22 Aug 2020 09:15:09 +. Anything r

[PATCH 4.9 097/212] drm/nouveau: fix multiple instances of reference count leaks

From: Aditya Pakki [ Upstream commit 659fb5f154c3434c90a34586f3b7aa1c39cf6062 ] On calling pm_runtime_get_sync() the reference count of the device is incremented. In case of failure, decrement the ref count before returning the error. Signed-off-by: Aditya Pakki Signed-off-by: Ben Skeggs Sign

[PATCH 4.14 016/228] leds: da903x: fix use-after-free on unbind

From: Johan Hovold commit 6f4aa35744f69ed9b0bf5a736c9ca9b44bc1dcea upstream. Several MFD child drivers register their class devices directly under the parent device. This means you cannot blindly do devres conversions so that deregistration ends up being tied to the parent device, something whic

[PATCH 4.14 004/228] usb: xhci: define IDs for various ASMedia host controllers

From: Forest Crossman commit 1841cb255da41e87bed9573915891d056f80e2e7 upstream. Not all ASMedia host controllers have a device ID that matches its part number. #define some of these IDs to make it clearer at a glance which chips require what quirks. Acked-by: Mathias Nyman Signed-off-by: Fores

[PATCH 4.14 006/228] ALSA: seq: oss: Serialize ioctls

From: Takashi Iwai commit 80982c7e834e5d4e325b6ce33757012ecafdf0bb upstream. Some ioctls via OSS sequencer API may race and lead to UAF when the port create and delete are performed concurrently, as spotted by a couple of syzkaller cases. This patch is an attempt to address it by serializing th

[PATCH 4.9 131/212] drm/imx: tve: fix regulator_disable error path

From: Marco Felsch [ Upstream commit 7bb58b987fee26da2a1665c01033022624986b7c ] Add missing regulator_disable() as devm_action to avoid dedicated unbind() callback and fix the missing error handling. Fixes: fcbc51e54d2a ("staging: drm/imx: Add support for Television Encoder (TVEv2)") Signed-of

[PATCH 4.14 018/228] leds: 88pm860x: fix use-after-free on unbind

From: Johan Hovold commit eca21c2d8655387823d695b26e6fe78cf3975c05 upstream. Several MFD child drivers register their class devices directly under the parent device. This means you cannot blindly do devres conversions so that deregistration ends up being tied to the parent device, something whic

[PATCH 4.14 003/228] USB: iowarrior: fix up report size handling for some devices

From: Greg Kroah-Hartman commit 17a82716587e9d7c3b246a789add490b2b5dcab6 upstream. In previous patches that added support for new iowarrior devices, the handling of the report size was not done correct. Fix that up and update the copyright date for the driver Reworked from an original patch wr

[PATCH 4.14 012/228] binder: Prevent context manager from incrementing ref 0

From: Jann Horn commit 4b836a1426cb0f1ef2a6e211d7e553221594f8fc upstream. Binder is designed such that a binder_proc never has references to itself. If this rule is violated, memory corruption can occur when a process sends a transaction to itself; see e.g.

[PATCH 4.14 014/228] mtd: properly check all write ioctls for permissions

From: Greg Kroah-Hartman commit f7e6b19bc76471ba03725fe58e0c218a3d6266c3 upstream. When doing a "write" ioctl call, properly check that we have permissions to do so before copying anything from userspace or anything else so we can "fail fast". This includes also covering the MEMWRITE ioctl whic

[PATCH 4.14 013/228] vgacon: Fix for missing check in scrollback handling

From: Yunhai Zhang commit ebfdfeeae8c01fcb2b3b74ffaf03876e20835d2d upstream. vgacon_scrollback_update() always leaves enbough room in the scrollback buffer for the next call, but if the console size changed that room might not actually be enough, and so we need to re-check. The check should be

[PATCH 4.14 011/228] omapfb: dss: Fix max fclk divider for omap36xx

From: Adam Ford commit 254503a2b186caa668a188dbbd7ab0d25149c0a5 upstream. The drm/omap driver was fixed to correct an issue where using a divider of 32 breaks the DSS despite the TRM stating 32 is a valid number. Through experimentation, it appears that 31 works, and it is consistent with the v

[PATCH 4.14 001/228] USB: serial: qcserial: add EM7305 QDL product ID

From: Erik Ekman commit d2a4309c1ab6df424b2239fe2920d6f26f808d17 upstream. When running qmi-firmware-update on the Sierra Wireless EM7305 in a Toshiba laptop, it changed product ID to 0x9062 when entering QDL mode: usb 2-4: new high-speed USB device number 78 using xhci_hcd usb 2-4: New USB dev

[PATCH 4.14 010/228] Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()

From: Peilin Ye commit 629b49c848ee71244203934347bd7730b0ddee8d upstream. Check `num_rsp` before using it as for-loop counter. Add `unlock` label. Cc: sta...@vger.kernel.org Signed-off-by: Peilin Ye Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman --- net/bluetooth/hci_even

[PATCH 4.9 196/212] gpu: ipu-v3: image-convert: Combine rotate/no-rotate irq handlers

From: Steve Longerbeam [ Upstream commit 0f6245f42ce9b7e4d20f2cda8d5f12b55a44d7d1 ] Combine the rotate_irq() and norotate_irq() handlers into a single eof_irq() handler. Signed-off-by: Steve Longerbeam Signed-off-by: Philipp Zabel Signed-off-by: Sasha Levin --- drivers/gpu/ipu-v3/ipu-image-

[PATCH 4.9 200/212] clk: clk-atlas6: fix return value check in atlas6_clk_init()

From: Xu Wang [ Upstream commit 12b90b40854a8461a02ef19f6f4474cc88d64b66 ] In case of error, the function clk_register() returns ERR_PTR() and never returns NULL. The NULL test in the return value check should be replaced with IS_ERR(). Signed-off-by: Xu Wang Link: https://lore.kernel.org/r/20

[PATCH 4.9 203/212] drm/vmwgfx: Fix two list_for_each loop exit tests

From: Dan Carpenter [ Upstream commit 4437c1152ce0e57ab8f401aa696ea6291cc07ab1 ] These if statements are supposed to be true if we ended the list_for_each_entry() loops without hitting a break statement but they don't work. In the first loop, we increment "i" after the "if (i == unit)" conditio

[PATCH 4.9 201/212] pwm: bcm-iproc: handle clk_get_rate() return

From: Rayagonda Kokatanur [ Upstream commit 6ced5ff0be8e94871ba846dfbddf69d21363f3d7 ] Handle clk_get_rate() returning 0 to avoid possible division by zero. Fixes: daa5abc41c80 ("pwm: Add support for Broadcom iProc PWM controller") Signed-off-by: Rayagonda Kokatanur Signed-off-by: Scott Brande

[PATCH 4.9 205/212] nfs: Fix getxattr kernel panic and memory overflow

From: Jeffrey Mitchell [ Upstream commit b4487b93545214a9db8cbf32e86411677b0cca21 ] Move the buffer size check to decode_attr_security_label() before memcpy() Only call memcpy() if the buffer is large enough Fixes: aa9c2669626c ("NFS: Client implementation of Labeled-NFS") Signed-off-by: Jeffre

[PATCH 4.9 204/212] net: qcom/emac: add missed clk_disable_unprepare in error path of emac_clks_phase1_init

From: Wang Hai [ Upstream commit 50caa777a3a24d7027748e96265728ce748b41ef ] Fix the missing clk_disable_unprepare() before return from emac_clks_phase1_init() in the error handling case. Fixes: b9b17debc69d ("net: emac: emac gigabit ethernet controller driver") Reported-by: Hulk Robot Signed-o

<    4   5   6   7   8   9   10   11   12   13   >