From: Wei Yongjun
[ Upstream commit 88ec7cb22ddde725ed4ce15991f0bd9dd817fd85 ]
Fix to return a negative error code from the error handling
case instead of 0, as done elsewhere in this function.
Fixes: b7370112f519 ("lpc32xx: Added ethernet driver")
Signed-off-by: Wei Yongjun
Acked-by:
From: Christophe JAILLET
commit 18722d48a6bb9c2e8d046214c0a5fd19d0a7c9f6 upstream.
Some memory is vmalloc'ed in the 'w100fb_save_vidmem' function and freed in
the 'w100fb_restore_vidmem' function. (these functions are called
respectively from the 'suspend' and the 'resume' functions)
However,
From: Pablo Neira Ayuso
[ Upstream commit 0d7c83463fdf7841350f37960a7abadd3e650b41 ]
Instead of EINVAL which should be used for malformed netlink messages.
Fixes: eb31628e37a0 ("netfilter: nf_tables: Add support for IPv6 NAT")
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin
---
From: Jia-Ju Bai
[ Upstream commit 3e1c6846b9e108740ef8a37be80314053f5dd52a ]
The value adapter->rss_conf is stored in DMA memory, and it is assigned
to rssConf, so rssConf->indTableSize can be modified at anytime by
malicious hardware. Because rssConf->indTableSize is assigned to n,
buffer
From: Colin Ian King
[ Upstream commit 96f3a9392799dd0f6472648a7366622ffd0989f3 ]
Currently when i2c transfers fail the error return -EREMOTEIO
is assigned to err but then later overwritten when the tuner
attach call is made. Fix this by returning early with the
error return code -EREMOTEIO on
From: Jeremy Kerr
[ Upstream commit 88413a6bfbbe2f648df399b62f85c934460b7a4d ]
Currently, we may perform a copy_to_user (through
simple_read_from_buffer()) while holding a context's register_lock,
while accessing the context save area.
This change uses a temporary buffer for the context save
From: Yunjian Wang
[ Upstream commit 09f6c44aaae0f1bdb8b983d7762676d5018c53bc ]
The method ndo_start_xmit() returns a value of type netdev_tx_t. Fix
the ndo function to use the correct type. And emac_start_xmit() can
leak one skb if 'channel' == 3.
Signed-off-by: Yunjian Wang
Signed-off-by:
From: Sean Christopherson
commit 2ebac8bb3c2d35f5135466490fc8eeaf3f3e2d37 upstream.
Consult only the basic exit reason, i.e. bits 15:0 of vmcs.EXIT_REASON,
when determining whether a nested VM-Exit should be reflected into L1 or
handled by KVM in L0.
For better or worse, the switch statement
For SPS firmware versions 5.0 and newer the way detection has changed.
The detection is done now via PCI_CFG_HFS_3 register.
To prevent conflict the previous method will get sps_4 suffix
Disable both CNP_H and CNP_H_3 interfaces. CNP_H_3 requires
a separate configuration as it doesn't support DMA.
From: Marc Zyngier
commit 3204be4109ad681523e3461ce64454c79278450a upstream.
AArch32 CP1x registers are overlayed on their AArch64 counterparts
in the vcpu struct. This leads to an interesting problem as they
are stored in their CPU-local format, and thus a CP1x register
doesn't "hit" the lower
The adm1278 temp attribute need it for openbmc platform .
This feature not enabled by default, so PMON_CONFIG needs to enable it.
Signed-off-by: Manikandan Elumalai
---
---v4 -Reported-by: kernel test robot
---v3 -fix invalid signed-off.
--- -removed checkpath warnings.
---
From: Qiujun Huang
commit e4ff08a4d727146bb6717a39a8d399d834654345 upstream.
Write out of slab bounds. We should check epid.
The case reported by syzbot:
https://lore.kernel.org/linux-usb/6ac55b05a1c05...@google.com
BUG: KASAN: use-after-free in htc_process_conn_rsp
Last add mei_me_fw_sku_sps_4() kdoc and add descriptive defines
for register name and values.
Signed-off-by: Tomas Winkler
---
drivers/misc/mei/hw-me-regs.h | 2 ++
drivers/misc/mei/hw-me.c | 18 --
2 files changed, 14 insertions(+), 6 deletions(-)
diff --git
Add device ID for Intel Sunrise Point PCH (Skylake) which has
Intel Precise Touch & Stylus IPTS (iTouch).
Signed-off-by: Tomas Winkler
---
drivers/misc/mei/hw-me-regs.h | 1 +
drivers/misc/mei/pci-me.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/drivers/misc/mei/hw-me-regs.h
From: Alexander Usyskin
Add Tiger Lake device ids H for HECI1.
TGH_H is also used in Tatlow SPS platform we need to
disable the mei interface there.
Cc:
Signed-off-by: Alexander Usyskin
Signed-off-by: Tomas Winkler
---
drivers/misc/mei/hw-me-regs.h | 1 +
drivers/misc/mei/hw-me.c | 10
From: Daniel Thompson
[ Upstream commit 3fec4aecb311995189217e64d725cfe84a568de3 ]
Currently there is a small window where a badly timed migration could
cause in_dbg_master() to spuriously return true. Specifically if we
migrate to a new core after reading the processor id and the previous
core
The quirk_probe there is no writing to pci device hence
we can constify the passed pci_dev pointer.
Signed-off-by: Tomas Winkler
---
drivers/misc/mei/hw-me.c | 6 +++---
drivers/misc/mei/hw-me.h | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/misc/mei/hw-me.c
From: Qiujun Huang
commit abeaa85054ff8cfe8b99aafc5c70ea067e5d0908 upstream.
Free wmi later after cmd urb has been killed, as urb cb will access wmi.
the case reported by syzbot:
https://lore.kernel.org/linux-usb/0002fc05a1d61...@google.com
BUG: KASAN: use-after-free in
Add kdoc for mei_me_fw_type_nm() function.
Signed-off-by: Tomas Winkler
---
drivers/misc/mei/hw-me.c | 15 ++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/drivers/misc/mei/hw-me.c b/drivers/misc/mei/hw-me.c
index 6aa522c0d910..e476995e4c56 100644
---
Add device ID for Intel Kaby Point PCH (Kabylake) which has
Intel Precise Touch & Stylus IPTS (iTouch).
Signed-off-by: Tomas Winkler
---
drivers/misc/mei/hw-me-regs.h | 1 +
drivers/misc/mei/pci-me.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/drivers/misc/mei/hw-me-regs.h
From: Serge Semin
[ Upstream commit f0410bbf7d0fb80149e3b17d11d31f5b5197873e ]
DW APB SSI DMA-part of the driver may need to perform the requested
SPI-transfer synchronously. In that case the dma_transfer() callback
will return 0 as a marker of the SPI transfer being finished so the
SPI core
From: Chuhong Yuan
commit 9453264ef58638ce8976121ac44c07a3ef375983 upstream.
go7007_snd_init() misses a snd_card_free() in an error path.
Add the missed call to fix it.
Signed-off-by: Chuhong Yuan
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
[Salvatore Bonaccorso: Adjust
From: Filipe Manana
[ Upstream commit 1ec9a1ae1e30c733077c0b288c4301b66b7a81f2 ]
If we delete a snapshot, fsync its parent directory and crash/power fail
before the next transaction commit, on the next mount when we attempt to
replay the log tree of the root containing the parent directory we
Make use of the struct_size() helper instead of an open-coded version
in order to avoid any potential type mistakes. Also, remove unnecessary
variable _datasize_.
This code was detected with the help of Coccinelle and, audited and
fixed manually.
Signed-off-by: Gustavo A. R. Silva
---
From: Roberto Sassu
[ Upstream commit 067a436b1b0aafa593344fddd711a755a58afb3b ]
This patch prevents the following oops:
[ 10.771813] BUG: kernel NULL pointer dereference, address: 0
[...]
[ 10.779790] RIP: 0010:ima_match_policy+0xf7/0xb80
[...]
[ 10.798576] Call Trace:
[
From: Marcos Paulo de Souza
[ Upstream commit 89efda52e6b6930f80f5adda9c3c9edfb1397191 ]
Whenever a chown is executed, all capabilities of the file being touched
are lost. When doing incremental send with a file with capabilities,
there is a situation where the capability can be lost on the
Hi,
On Wed, Jun 17, 2020 at 12:23:04PM +0200, Krzysztof Kozlowski wrote:
> Fix example indentation to tabs to follow generic Linux coding style.
> This avoids copying the space indentation to DTS when re-using the
> example.
>
> Signed-off-by: Krzysztof Kozlowski
> ---
Thanks, queued.
--
From: Christian Lamparter
commit b14fba7ebd04082f7767a11daea7f12f3593de22 upstream.
This patch follows up on a bug-report by Frank Schäfer that
discovered P2P GO wasn't working with wpa_supplicant.
This patch removes part of the broken P2P GO support but
keeps the vif switchover code in place.
From: Omar Sandoval
[ Upstream commit 6d3113a193e3385c72240096fe397618ecab6e43 ]
In btrfs_submit_direct_hook(), if a direct I/O write doesn't span a RAID
stripe or chunk, we submit orig_bio without cloning it. In this case, we
don't increment pending_bios. Then, if btrfs_submit_dio_bio() fails,
From: Larry Finger
commit 75d057bda1fbca6ade21378aa45db712e5f7d962 upstream.
Since the driver was first introduced into the kernel, it has only
handled the ciphers associated with WEP, WPA, and WPA2. It fails with
WPA3 even though mac80211 can handle those additional ciphers in software,
b43
From: Guoqing Jiang
[ Upstream commit f6766ff6afff70e2aaf39e1511e16d471de7c3ae ]
We need to check mddev->del_work before flush workqueu since the purpose
of flush is to ensure the previous md is disappeared. Otherwise the similar
deadlock appeared if LOCKDEP is enabled, it is due to md_open
From: Larry Finger
commit ec4d3e3a054578de34cd0b587ab8a1ac36f629d9 upstream.
This patch fixes commit 75388acd0cd8 ("add mac80211-based driver for
legacy BCM43xx devices")
In https://bugzilla.kernel.org/show_bug.cgi?id=207093, a defect in
b43legacy is reported. Upon testing, thus problem exists
From: Pali Rohár
[ Upstream commit 3aa42bae9c4d1641aeb36f1a8585cd1d506cf471 ]
The mwifiex_cfg80211_dump_station() uses static variable for iterating
over a linked list of all associated stations (when the driver is in UAP
role). This has a race condition if .dump_station is called in parallel
Hi,
On Wed, Jun 17, 2020 at 12:23:05PM +0200, Krzysztof Kozlowski wrote:
> The driver requires interrupts (fails probe if it is not provided) so
> document this requirement in bindings.
>
> Fixes: 4aeae9cb0dad ("power_supply: Add support for TI BQ25890 charger chip")
> Cc:
> Signed-off-by:
From: H. Nikolaus Schaller
commit 5e02f3b31704e24537697bce54f8156bdb72b7a6 upstream.
Otherwise it will corrupt the console log during debugging.
Fixes: 7b5362a603a1 ("w1: omap_hdq: Fix some error/debug handling.")
Cc: sta...@vger.kernel.org
Acked-by: Tony Lindgren
Signed-off-by: H. Nikolaus
From: Masami Hiramatsu
commit f41ebe9defacddeae96a872a33f0f22ced0bfcef upstream.
When a probe point is expanded to several places (like inlined) and if
some of them are skipped because of blacklisted or __init function,
those trace_events has no event name. It must be skipped while showing
From: Al Viro
commit cf51e129b96847f969bfb8af1ee1516a01a70b39 upstream.
It needs access_process_vm() if the traced process does not share
mm with the caller. Solution is similar to what sparc64 does.
Note that genregs32_set() is only ever called with pos being 0
or 32 * sizeof(u32) (the latter
From: YuanJunQing
[ Upstream commit 31e1b3efa802f97a17628dde280006c4cee4ce5e ]
Register "a1" is unsaved in this function,
when CONFIG_TRACE_IRQFLAGS is enabled,
the TRACE_IRQS_OFF macro will call trace_hardirqs_off(),
and this may change register "a1".
The changed register "a1" as argument
From: Alexander Sverdlin
[ Upstream commit 81f3dc9349ce0bf7b8447f147f45e70f0a5b36a6 ]
Ignore loopback-originatig packets soon enough and don't try to process L2
header where it doesn't exist. The very similar br_handle_frame() in bridge
code performs exactly the same check.
This is an example
From: Adrian Hunter
commit 85afd35575a3c1a3a905722dde5ee70b49282e70 upstream.
Reportedly, from 19.10 Ubuntu has begun mixing up the location of some
debug symbol files, putting files expected to be in
/usr/lib/debug/usr/lib into /usr/lib/debug/lib instead. Fix by adding
another dso_binary_type.
From: Jiaxun Yang
[ Upstream commit b6caa1d8c80cb71b6162cb1f1ec13aa655026c9f ]
Don't disable MEM/IO decoding when a device have both non_compliant_bars
and mmio_always_on.
That would allow us quirk devices with junk in BARs but can't disable
their decoding.
Signed-off-by: Jiaxun Yang
From: Xiaochun Lee
commit 1574051e52cb4b5b7f7509cfd729b76ca1117808 upstream.
The Intel C620 Platform Controller Hub has MROM functions that have non-PCI
registers (undocumented in the public spec) where BAR 0 is supposed to be,
which results in messages like this:
pci :00:11.0: [Firmware
From: Hangbin Liu
[ Upstream commit 79a1f0ccdbb4ad700590f61b00525b390cb53905 ]
Socket option IPV6_ADDRFORM supports UDP/UDPLITE and TCP at present.
Previously the checking logic looks like:
if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE)
do_some_check;
else if
From: Qiushi Wu
commit 4d8be4bc94f74bb7d096e1c2e44457b530d5a170 upstream.
kobject_init_and_add() takes reference even when it fails.
If this function returns an error, kobject_put() must be called to
properly clean up the memory associated with the object. Previous
commit "b8eb718348b8" fixed a
From: Rafael J. Wysocki
commit 956ad9d98b73f59e442cc119c98ba1e04e94fe6d upstream.
As recently reported, some platforms provide a list of power
resources for device power state D3hot, through the _PR3 object,
but they do not provide a list of power resources for device power
state D0.
Among
From: Qiushi Wu
commit 6e6c25283dff866308c87b49434c7dbad4774cc0 upstream.
kobject_init_and_add() takes reference even when it fails.
Thus, when kobject_init_and_add() returns an error,
kobject_put() must be called to properly clean up the kobject.
Fixes: 3f8055c35836 ("ACPI / hotplug:
From: Takashi Iwai
commit 862b2509d157c629dd26d7ac6c6cdbf043d332eb upstream.
When a USB-audio interface gets runtime-suspended via auto-pm feature,
the driver suspends all functionality and increment
chip->num_suspended_intf. Later on, when the system gets suspended to
S3, the driver
From: Johannes Thumshirn
commit e7661a8e5ce10b5321882d0bbaf3f81070903319 upstream.
When instrumenting the SCSI layer to run into the
!blk_rq_nr_phys_segments(rq) case the following warning emitted from the
block layer:
blk_peek_request: bad return=-22
This happens because since commit
From: Thomas Falcon
[ Upstream commit 784688993ebac34dffe44a9f2fabbe126ebfd4db ]
VNIC protocol version is reported in big-endian format, but it
is not byteswapped before logging. Fix that, and remove version
comparison as only one protocol version exists at this time.
Signed-off-by: Thomas
From: Jens Axboe
[ Upstream commit 18f855e574d9799a0e7489f8ae6fd8447d0dd74a ]
Stefano reported a crash with using SQPOLL with io_uring:
BUG: kernel NULL pointer dereference, address: 03b0
CPU: 2 PID: 1307 Comm: io_uring-sq Not tainted 5.7.0-rc7 #11
RIP:
From: Ard Biesheuvel
commit ea6f3af4c5e63f6981c0b0ab8ebec438e2d5ef40 upstream.
Per the ACPI spec, interrupts in the range [0, 255] may be handled
in AML using individual methods whose naming is based on the format
_Exx or _Lxx, where xx is the hex representation of the interrupt
index.
Add
On Fri, 19 Jun 2020 at 17:41, Greg Kroah-Hartman
wrote:
> > Yes. I want to show the user *why* TME is not available.
> So even if it is "available" that's fine, even if it is not being used?
No, it's just one more thing we can check and report. For instance,
"Full memory encryption: NO
From: Bob Haarman
commit d8ad6d39c35d2b44b3d48b787df7f3359381dcbf upstream.
'jiffies' and 'jiffies_64' are meant to alias (two different symbols that
share the same address). Most architectures make the symbols alias to the
same address via a linker script assignment in their
From: Lukas Wunner
[ Upstream commit 9dd277ff92d06f6aa95b39936ad83981d781f49b ]
The BCM2835 SPI driver uses devm_spi_register_controller() on bind.
As a consequence, on unbind, __device_release_driver() first invokes
bcm2835_spi_remove() before unregistering the SPI controller via
From: Eric W. Biederman
commit ef1548adada51a2f32ed7faef50aa465e1b4c5da upstream.
Recently syzbot reported that unmounting proc when there is an ongoing
inotify watch on the root directory of proc could result in a use
after free when the watch is removed after the unmount of proc
when the
From: Yuxuan Shui
commit 520da69d265a91c6536c63851cbb8a53946974f0 upstream.
In ovl_copy_xattr, if all the xattrs to be copied are overlayfs private
xattrs, the copy loop will terminate without assigning anything to the
error variable, thus returning an uninitialized value.
If ovl_copy_xattr is
From: Marc Zyngier
commit 3204be4109ad681523e3461ce64454c79278450a upstream.
AArch32 CP1x registers are overlayed on their AArch64 counterparts
in the vcpu struct. This leads to an interesting problem as they
are stored in their CPU-local format, and thus a CP1x register
doesn't "hit" the lower
From: Qiujun Huang
commit 19d6c375d671ce9949a864fb9a03e19f5487b4d3 upstream.
Add barrier to accessing the stack array skb_pool.
The case reported by syzbot:
https://lore.kernel.org/linux-usb/3d7c1505a2168...@google.com
BUG: KASAN: stack-out-of-bounds in ath9k_hif_usb_rx_stream
From: Lukas Wunner
[ Upstream commit 84855678add8aba927faf76bc2f130a40f94b6f7 ]
When an SPI controller unregisters, it unbinds all its slave devices.
For this, their drivers may need to access the SPI bus, e.g. to quiesce
interrupts.
However since commit ffbbdd21329f ("spi: create a message
From: Xing Li
commit 5816c76dea116a458f1932eefe064e35403248eb upstream.
If a CPU support more than 32bit vmbits (which is true for 64bit CPUs),
VPN2_MASK set to fixed 0xe000 will lead to a wrong EntryHi in some
functions such as _kvm_mips_host_tlb_inv().
The cpu_vmbits definition of 32bit
From: Christophe JAILLET
commit 18722d48a6bb9c2e8d046214c0a5fd19d0a7c9f6 upstream.
Some memory is vmalloc'ed in the 'w100fb_save_vidmem' function and freed in
the 'w100fb_restore_vidmem' function. (these functions are called
respectively from the 'suspend' and the 'resume' functions)
However,
From: Xing Li
commit fe2b73dba47fb6d6922df1ad44e83b1754d5ed4d upstream.
The code in decode_config4() of arch/mips/kernel/cpu-probe.c
asid_mask = MIPS_ENTRYHI_ASID;
if (config4 & MIPS_CONF4_AE)
asid_mask |= MIPS_ENTRYHI_ASIDX;
set_cpu_asid_mask(c,
in
https://git-scm.com/docs/git-format-patch]
url:
https://github.com/0day-ci/linux/commits/Kaaira-Gupta/media-Add-colors-order-and-other-info-over-test-image/20200619-030709
base: git://linuxtv.org/media_tree.git master
config: nds32-randconfig-r016-20200619 (attached as .config)
compiler
The following commit has been merged into the efi/urgent branch of tip:
Commit-ID: 4ddf4739be6e375116c375f0a68bf3893ffcee21
Gitweb:
https://git.kernel.org/tip/4ddf4739be6e375116c375f0a68bf3893ffcee21
Author:Qiushi Wu
AuthorDate:Thu, 28 May 2020 13:38:04 -05:00
Committer:
From: Waiman Long
[ Upstream commit aa77bfb354c495fc4361199e63fc5765b9e1e783 ]
STIBP stands for Single Thread Indirect Branch Predictors. The acronym,
however, can be easily mis-spelled as STIPB. It is perhaps due to the
presence of another related term - IBPB (Indirect Branch Predictor
The following commit has been merged into the efi/urgent branch of tip:
Commit-ID: 2a55280a3675203496d302463b941834228b9875
Gitweb:
https://git.kernel.org/tip/2a55280a3675203496d302463b941834228b9875
Author:Ard Biesheuvel
AuthorDate:Sun, 07 Jun 2020 15:41:35 +02:00
The following commit has been merged into the efi/urgent branch of tip:
Commit-ID: 62956be8f95b93e9f91ffe2e5aa9c0e411af5a14
Gitweb:
https://git.kernel.org/tip/62956be8f95b93e9f91ffe2e5aa9c0e411af5a14
Author:Ard Biesheuvel
AuthorDate:Tue, 16 Jun 2020 12:53:30 +02:00
The following commit has been merged into the efi/urgent branch of tip:
Commit-ID: 41d90b0c1108d1e46c48cf79964636c553844f4c
Gitweb:
https://git.kernel.org/tip/41d90b0c1108d1e46c48cf79964636c553844f4c
Author:Arvind Sankar
AuthorDate:Wed, 17 Jun 2020 09:19:57 -04:00
On Fri, 19 Jun 2020 10:11:20 -0400
Phil Auld wrote:
>
> diff --git a/include/trace/events/sched.h b/include/trace/events/sched.h
> index ed168b0e2c53..a6d9fe5a68cf 100644
> --- a/include/trace/events/sched.h
> +++ b/include/trace/events/sched.h
> @@ -634,6 +634,10 @@
The following commit has been merged into the efi/urgent branch of tip:
Commit-ID: 24552d10339f13d2174e013002da3ed90e26adda
Gitweb:
https://git.kernel.org/tip/24552d10339f13d2174e013002da3ed90e26adda
Author:Ard Biesheuvel
AuthorDate:Mon, 15 Jun 2020 12:31:14 +02:00
The following commit has been merged into the efi/urgent branch of tip:
Commit-ID: 5435f73d5c4a1b7504356876e69ba52de83f4975
Gitweb:
https://git.kernel.org/tip/5435f73d5c4a1b7504356876e69ba52de83f4975
Author:Arvind Sankar
AuthorDate:Fri, 05 Jun 2020 11:06:38 -04:00
The following commit has been merged into the efi/urgent branch of tip:
Commit-ID: 8c0a839c2bccb756454e35e8977e44fcf2bd417e
Gitweb:
https://git.kernel.org/tip/8c0a839c2bccb756454e35e8977e44fcf2bd417e
Author:Heinrich Schuchardt
AuthorDate:Tue, 16 Jun 2020 01:42:31 +02:00
The following commit has been merged into the efi/urgent branch of tip:
Commit-ID: 2096721f1577b51b574fa06a7d91823dffe7267a
Gitweb:
https://git.kernel.org/tip/2096721f1577b51b574fa06a7d91823dffe7267a
Author:Tony Luck
AuthorDate:Thu, 28 May 2020 12:49:04 -07:00
Committer:
The following commit has been merged into the efi/urgent branch of tip:
Commit-ID: 435d1a471598752446a72ad1201b3c980526d869
Gitweb:
https://git.kernel.org/tip/435d1a471598752446a72ad1201b3c980526d869
Author:Peter Jones
AuthorDate:Mon, 15 Jun 2020 16:24:08 -04:00
The following commit has been merged into the efi/urgent branch of tip:
Commit-ID: 2963795122f50b36ed16e3ba880c3ed2de1bda6e
Gitweb:
https://git.kernel.org/tip/2963795122f50b36ed16e3ba880c3ed2de1bda6e
Author:Gustavo A. R. Silva
AuthorDate:Wed, 27 May 2020 12:14:25 -05:00
The following commit has been merged into the efi/urgent branch of tip:
Commit-ID: 7a88a6227dc7f2e723bba11ece05e57bd8dce8e4
Gitweb:
https://git.kernel.org/tip/7a88a6227dc7f2e723bba11ece05e57bd8dce8e4
Author:Philipp Fent
AuthorDate:Mon, 15 Jun 2020 13:51:09 +02:00
From: Anthony Steinhauser
[ Upstream commit 4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf ]
Currently, it is possible to enable indirect branch speculation even after
it was force-disabled using the PR_SPEC_FORCE_DISABLE option. Moreover, the
PR_GET_SPECULATION_CTRL command gives afterwards an
[ Upstream commit 66b19d762378785d1568b5650935205edfeb0503 ]
It is possible to get an interrupt as soon as it is requested. dw_spi_irq
does spi_controller_get_devdata(master) and expects it to be different than
NULL. However, spi_controller_set_devdata() is called after request_irq(),
resulting
From: Colin Ian King
commit a9e4998073d49a762a154a6b48a332ec6cb8e6b1 upstream.
The fe_status variable s is not initialized meaning it can have any
random garbage status. This could be problematic if fe->ops.tune is
false as s is not updated by the call to fe->ops.tune() and a
subsequent check
From: Anthony Steinhauser
[ Upstream commit 21998a351512eba4ed5969006f0c55882d995ada ]
When STIBP is unavailable or enhanced IBRS is available, Linux
force-disables the IBPB mitigation of Spectre-BTB even when simultaneous
multithreading is disabled. While attempts to enable IBPB using
From: Xiaolong Huang
commit da2311a6385c3b499da2ed5d9be59ce331fa93e9 upstream.
Uninitialized Kernel memory can leak to USB devices.
Fix this by using kzalloc() instead of kmalloc().
Signed-off-by: Xiaolong Huang
Fixes: 7259124eac7d ("can: kvaser_usb: Split driver into kvaser_usb_core.c and
From: Thomas Lendacky
[ Upstream commit 20c3a2c33e9fdc82e9e8e8d2a6445b3256d20191 ]
Different AMD processors may have different implementations of STIBP.
When STIBP is conditionally enabled, some implementations would benefit
from having STIBP always on instead of toggling the STIBP bit through
From: Colin Ian King
[ Upstream commit 96f3a9392799dd0f6472648a7366622ffd0989f3 ]
Currently when i2c transfers fail the error return -EREMOTEIO
is assigned to err but then later overwritten when the tuner
attach call is made. Fix this by returning early with the
error return code -EREMOTEIO on
From: Christoph Hellwig
[ Upstream commit 5bf9917452112694b2c774465ee4dbe441c84b77 ]
vm_map_ram can keep mappings around after the vm_unmap_ram. Using that
with non-PAGE_KERNEL mappings can lead to all kinds of aliasing issues.
Signed-off-by: Christoph Hellwig
Signed-off-by: Andrew Morton
From: Julien Thierry
[ Upstream commit 7170cf47d16f1ba29eca07fd818870b7af0a93a5 ]
The .alternatives section can contain entries with no original
instructions. Objtool will currently crash when handling such an entry.
Just skip that entry, but still give a warning to discourage useless
entries.
From: Serge Semin
[ Upstream commit ed26aacfb5f71eecb20a51c4467da440cb719d66 ]
Loops-per-jiffies is a special number which represents a number of
noop-loop cycles per CPU-scheduler quantum - jiffies. As you
understand aside from CPU-specific implementation it depends on
the CPU frequency. So
From: Dan Carpenter
[ Upstream commit beb12813bc75d4a23de43b85ad1c7cb28d27631e ]
Seven years ago we tried to fix a leak but actually introduced a double
free instead. It was an understandable mistake because the code was a
bit confusing and the free was done in the wrong place. The "skb"
From: Jia-Ju Bai
[ Upstream commit 3e1c6846b9e108740ef8a37be80314053f5dd52a ]
The value adapter->rss_conf is stored in DMA memory, and it is assigned
to rssConf, so rssConf->indTableSize can be modified at anytime by
malicious hardware. Because rssConf->indTableSize is assigned to n,
buffer
From: Jon Doron
[ Upstream commit f7d31e65368aeef973fab788aa22c4f1d5a6af66 ]
The problem the patch is trying to address is the fact that 'struct
kvm_hyperv_exit' has different layout on when compiling in 32 and 64 bit
modes.
In 64-bit mode the default alignment boundary is 64 bits thus
forcing
From: Jann Horn
[ Upstream commit 586b58cac8b4683eb58a1446fbc399de18974e40 ]
With CONFIG_DEBUG_ATOMIC_SLEEP=y and CONFIG_CGROUPS=y, kernel oopses in
non-preemptible context look untidy; after the main oops, the kernel prints
a "sleeping function called from invalid context" report because
From: Daniel Thompson
[ Upstream commit 3fec4aecb311995189217e64d725cfe84a568de3 ]
Currently there is a small window where a badly timed migration could
cause in_dbg_master() to spuriously return true. Specifically if we
migrate to a new core after reading the processor id and the previous
core
From: Yunjian Wang
[ Upstream commit 09f6c44aaae0f1bdb8b983d7762676d5018c53bc ]
The method ndo_start_xmit() returns a value of type netdev_tx_t. Fix
the ndo function to use the correct type. And emac_start_xmit() can
leak one skb if 'channel' == 3.
Signed-off-by: Yunjian Wang
Signed-off-by:
From: Marcos Paulo de Souza
commit 89efda52e6b6930f80f5adda9c3c9edfb1397191 upstream.
Whenever a chown is executed, all capabilities of the file being touched
are lost. When doing incremental send with a file with capabilities,
there is a situation where the capability can be lost on the
From: Finn Thain
[ Upstream commit bcc44f6b74106b31f0b0408b70305a40360d63b7 ]
There is no VIA2 chip on the Mac IIfx, so don't call via_flush_cache().
This avoids a boot crash which appeared in v5.4.
printk: console [ttyS0] enabled
printk: bootconsole [debug0] disabled
printk: bootconsole
From: Jiaxun Yang
[ Upstream commit ff487d41036035376e47972c7c522490b839ab37 ]
LLD failed to link vmlinux with 64bit load address for 32bit ELF
while bfd will strip 64bit address into 32bit silently.
To fix LLD build, we should truncate load address provided by platform
into 32bit for 32bit
From: Hsin-Yu Chao
[ Upstream commit 56b5453a86203a44726f523b4133c1feca49ce7c ]
Bluetooth PTS test case HFP/AG/ACC/BI-12-I accepts SCO connection
with invalid parameter at the first SCO request expecting AG to
attempt another SCO request with the use of "safe settings" for
given codec, base on
From: Roberto Sassu
commit 067a436b1b0aafa593344fddd711a755a58afb3b upstream.
This patch prevents the following oops:
[ 10.771813] BUG: kernel NULL pointer dereference, address: 0
[...]
[ 10.779790] RIP: 0010:ima_match_policy+0xf7/0xb80
[...]
[ 10.798576] Call Trace:
[
From: Douglas Anderson
[ Upstream commit 3ca676e4ca60d1834bb77535dafe24169cadacef ]
If we detect that we recursively entered the debugger we should hack
our I/O ops to NULL so that the panic() in the next line won't
actually cause another recursion into the debugger. The first line of
From: Filipe Manana
[ Upstream commit 7e4a3f7ed5d54926ec671bbb13e171cfe179cc50 ]
We are currently treating any non-zero return value from btrfs_next_leaf()
the same way, by going to the code that inserts a new checksum item in the
tree. However if btrfs_next_leaf() returns an error (a value <
From: Serge Semin
[ Upstream commit 6d2e16a3181bafb77b535095c39ad1c8b9558c8c ]
Commit 100214889973 ("clocksource: dw_apb_timer_of: use
clocksource_of_init") replaced a publicly available driver
initialization method with one called by the timer_probe() method
available after CLKSRC_OF. In
501 - 600 of 2517 matches
Mail list logo