From: Doug Horn
[ Upstream commit e219688fc5c3d0d9136f8d29d7e0498388f01440 ]
If a response to virtio_gpu_cmd_get_capset_info takes longer than
five seconds to return, the callback will access freed kernel memory
in vg->capsets.
Signed-off-by: Doug Horn
Link:
From: Hans de Goede
[ Upstream commit 5bf2f2f331ad812c9b7eea6e14a3ea328acbffc0 ]
The Acer One S1003 2-in-1 keyboard dock uses a Synaptics S910xx touchpad
which is connected to an ITE 8910 USB keyboard controller chip.
This keyboard has the same quirk for its rfkill / airplane mode hotkey as
From: Pierre-Louis Bossart
[ Upstream commit d2068da5c85697b5880483dd7beaba98e0b62e02 ]
In system suspend stress cases, the SOF CI reports timeouts. The root
cause is that an alert is generated while the system suspends. The
interrupt handling generates transactions on the bus that will never
From: Kevin Barnett
[ Upstream commit 9e688ef7206f0bccd590378d0dca8f9b4f57 ]
Eliminate kernel panics when getting invalid responses from controller.
Take controller offline instead of causing kernel panics.
Link:
From: Tong Zhang
[ Upstream commit db332356222d9429731ab9395c89cca403828460 ]
ipwireless_send_packet() can only return 0 on success and -ENOMEM on
error, the caller should check non zero for error condition
Signed-off-by: Tong Zhang
Acked-by: David Sterba
Link:
From: Julian Wiedmann
[ Upstream commit 9d6a569a4cbab5a8b4c959d4e312daeecb7c9f09 ]
The current code for bridge address events has two shortcomings in its
control sequence:
1. after disabling address events via PNSO, we don't flush the remaining
events from the event_wq. So if the feature is
From: George Kennedy
[ Upstream commit a49145acfb975d921464b84fe00279f99827d816 ]
A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting
or yres setting in struct fb_var_screeninfo will result in a
KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as
the margins are being
From: Sathyanarayana Nujella
[ Upstream commit 3e1734b64ce786c54dc98adcfe67941e6011d735 ]
A Chrome System based on tgl_max98373_rt5682 has different SSP interface
configurations. Using DMI data of this variant DUT, override quirk
data.
Reviewed-by: Guennadi Liakhovetski
Signed-off-by:
From: Connor McAdams
[ Upstream commit ed93f9750c6c2ed371347d0aac3dcd31cb9cf256 ]
Add AE-7 quirk data for setting of microphone. The AE-7 has no front
panel connector, so only rear-mic/line-in have new commands.
Signed-off-by: Connor McAdams
Link:
From: Wang Yufen
[ Upstream commit 6c151410d5b57e6bb0d91a735ac511459539a7bf ]
When brcmf_proto_msgbuf_attach fails and msgbuf->txflow_wq != NULL,
we should destroy the workqueue.
Reported-by: Hulk Robot
Signed-off-by: Wang Yufen
Signed-off-by: Kalle Valo
Link:
From: Tetsuo Handa
[ Upstream commit 621a3a8b1c0ecf16e1e5667ea5756a76a082b738 ]
syzbot is reporting that del_timer_sync() is called from
mwifiex_usb_cleanup_tx_aggr() from mwifiex_unregister_dev() without
checking timer_setup() from mwifiex_usb_tx_init() was called [1].
Ganapathi Bhat proposed
From: Serge Semin
[ Upstream commit 6d9459d04081c796fc67c2bb771f4e4ebb5744c4 ]
CFGx.FIFO_MODE field controls a DMA-controller "FIFO readiness" criterion.
In other words it determines when to start pushing data out of a DW
DMAC channel FIFO to a destination peripheral or from a source
peripheral
Add i2c_device_id table for the vcnl4035 driver,
enabling device instantiation using i2c_new_client_device()
or from userspace in cases where device-tree based description
is not possible now, like device(s) on a gbphy i2c adapter
created by greybus.
Signed-off-by: Vaishnav M A
---
v4:
From: Navid Emamdoost
[ Upstream commit 9df0e0c1889677175037445d5ad1654d54176369 ]
in panfrost_perfcnt_enable_locked, pm_runtime_get_sync is called which
increments the counter even in case of failure, leading to incorrect
ref count. In case of failure, decrement the ref count before returning.
From: Bard Liao
[ Upstream commit a5a0239c27fe1125826c5cad4dec9cd1fd960d4a ]
The .prepare() callback is invoked for normal streaming, underflows or
during the system resume transition. In the latter case, the context
for the ALH PDIs is lost, and the DSP is not initialized properly
either, but
From: Serge Semin
[ Upstream commit e8ee6c8cb61b676f1a2d6b942329e98224bd8ee9 ]
DW DMA IP-core provides a way to synthesize the DMA controller with
channels having different parameters like maximum burst-length,
multi-block support, maximum data width, etc. Those parameters both
explicitly and
From: Tetsuo Handa
[ Upstream commit f4ac712e4fe009635344b9af5d890fe25fcc8c0d ]
syzbot is reporting unkillable task [1], for the caller is failing to
handle a corrupted filesystem image which attempts to access beyond
the end of the device. While we need to fix the caller, flooding the
console
On Thu, 15 Oct 2020 15:37:00 -0700 Jakub Kicinski wrote:
> On Thu, 15 Oct 2020 15:24:51 -0700 Jakub Kicinski wrote:
> > On Fri, 16 Oct 2020 08:59:22 +1100 Stephen Rothwell wrote:
> > > > I will apply the above patch to the merge of the usb tree today to fix
> > > > up a semantic conflict between
From: Alvin Lee
[ Upstream commit 81b437f57e35a6caa3a4304e6fff0eba0a9f3266 ]
[Why]
When changing pixel formats for HDR (e.g. ARGB -> FP16)
there are configurations that change from 2 pipes to 1 pipe.
In these cases, it seems that disconnecting MPCC and doing
a surface update at the same
From: Sathyanarayana Nujella
[ Upstream commit 5253a73d567dcd75e62834ff5f502ea9470e5722 ]
Add topology filename override based on system DMI data matching,
typically to account for a different hardware layout.
In ACPI based systems, the tplg_filename is pre-defined in an ACPI
machine table.
From: Can Guo
[ Upstream commit 89dd87acd40a44de8ff3358138aedf8f73f4efc6 ]
If ufs_qcom_dump_dbg_regs() calls ufs_qcom_testbus_config() from
ufshcd_suspend/resume and/or clk gate/ungate context, pm_runtime_get_sync()
and ufshcd_hold() will cause a race condition. Fix this by removing the
From: Mark Mossberg
[ Upstream commit 238c91115cd05c71447ea071624a4c9fe661f970 ]
Printing "Bad RIP value" if copy_code() fails can be misleading for
userspace pointers, since copy_code() can fail if the instruction
pointer is valid but the code is paged out. This is because copy_code()
calls
From: Pavel Machek
[ Upstream commit b28e32798c78a346788d412f1958f36bb760ec03 ]
Fix memory leak in node_probe.
Signed-off-by: Pavel Machek (CIP)
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
---
drivers/media/firewire/firedtv-fw.c | 6 --
From: Zhao Heming
[ Upstream commit 1383b347a8ae4a69c04ae3746e6cb5c8d38e2585 ]
Callers of get_bitmap_from_slot() are responsible to free the bitmap.
Suggested-by: Guoqing Jiang
Signed-off-by: Zhao Heming
Signed-off-by: Song Liu
Signed-off-by: Sasha Levin
---
drivers/md/md-bitmap.c | 3
From: Dinghao Liu
[ Upstream commit dbd2f2dc025f9be8ae063e4f270099677238f620 ]
pm_runtime_get_sync() increments the runtime PM usage counter even
when it returns an error code. Thus a pairing decrement is needed on
the error handling path to keep the counter balanced.
Signed-off-by: Dinghao
From: Qiushi Wu
[ Upstream commit c47f7c779ef0458a58583f00c9ed71b7f5a4d0a2 ]
On calling pm_runtime_get_sync() the reference count of the device
is incremented. In case of failure, decrement the
reference count before returning the error.
Signed-off-by: Qiushi Wu
Signed-off-by: Hans Verkuil
From: Dinghao Liu
[ Upstream commit 98fae901c8883640202802174a4bd70a1b9118bd ]
pm_runtime_get_sync() increments the runtime PM usage counter even
when it returns an error code. Thus a pairing decrement is needed on
the error handling path to keep the counter balanced.
Signed-off-by: Dinghao
From: Aditya Pakki
[ Upstream commit 57cc666d36adc7b45e37ba4cd7bc4e44ec4c43d7 ]
delta_run_work() calls delta_get_sync() that increments
the reference counter. In case of failure, decrement the reference
count by calling delta_put_autosuspend().
Signed-off-by: Aditya Pakki
Signed-off-by: Hans
From: Arvind Sankar
[ Upstream commit aa5cacdc29d76a005cbbee018a47faa6e724dd2d ]
The CRn accessor functions use __force_order as a dummy operand to
prevent the compiler from reordering CRn reads/writes with respect to
each other.
The fact that the asm is volatile should be enough to prevent
From: Dinghao Liu
[ Upstream commit dafa3605fe60d5a61239d670919b2a36e712481e ]
pm_runtime_get_sync() increments the runtime PM usage counter even
when it returns an error code. Thus a pairing decrement is needed on
the error handling path to keep the counter balanced.
Also, call
From: Longfang Liu
[ Upstream commit 24efcec2919afa7d56f848c83a605b46c8042a53 ]
1. Fix the bug of 'mac' memory leak as allocating 'pbuf' failing.
2. Fix the bug of 'qps' leak as allocating 'qp_ctx' failing.
Signed-off-by: Longfang Liu
Signed-off-by: Herbert Xu
Signed-off-by: Sasha Levin
---
From: Brad Bishop
[ Upstream commit 0b546bbe9474ff23e6843916ad6d567f703b2396 ]
Use a clock divider tuned to a 200MHz FSI bus frequency (the maximum). Use
of the previous divider at 200MHz results in corrupt data from endpoint
devices. Ideally the clock divider would be calculated from the FSI
From: Qiushi Wu
[ Upstream commit 6f4432bae9f2d12fc1815b5e26cc07e69bcad0df ]
pm_runtime_get_sync() increments the runtime PM usage counter even
when it returns an error code, causing incorrect ref count if
pm_runtime_put_noidle() is not called in error handling paths.
Thus call
From: Borislav Petkov
[ Upstream commit e2def7d49d0812ea40a224161b2001b2e815dce2 ]
If an exception needs to be handled while reading an MSR - which is in
most of the cases caused by a #GP on a non-existent MSR - then this
is most likely the incarnation of a BIOS or a hardware bug. Such bug
From: Rich Felker
[ Upstream commit 4d671d922d51907bc41f1f7f2dc737c928ae78fd ]
Asynchronous termination of a thread outside of the userspace thread
library's knowledge is an unsafe operation that leaves the process in
an inconsistent, corrupt, and possibly unrecoverable state. In order
to make
From: Alexander Aring
[ Upstream commit 3d2825c8c6105b0f36f3ff72760799fa2e71420e ]
This patch fixes the following memory detected by kmemleak and umount
gfs2 filesystem which removed the last lockspace:
unreferenced object 0x9264f482f600 (size 192):
comm "dlm_controld", pid 325, jiffies
From: Vikash Garodia
[ Upstream commit e1c69c4eef61ffe295b747992c6fd849e6cd747d ]
There are few list handling issues while adding and deleting
node in the registered buf list in the driver.
1. list addition - buffer added into the list during buf_init
while not deleted during cleanup.
2. list
From: Adam Goode
[ Upstream commit 8a652a17e3c005dcdae31b6c8fdf14382a29cbbe ]
bFrameIndex and bFormatIndex can be negotiated by the camera during
probing, resulting in the camera choosing a different format than
expected. v4l2 can already accommodate such changes, but the code was
not updating
From: Dinghao Liu
[ Upstream commit c1bca5b5ced0cbd779d56f60cdbc9f5e6f6449fe ]
When aspect_ratio_crop_init() fails, curr_stream needs
to be freed just like what we've done in the following
error paths. However, current code is returning directly
and ends up leaking memory.
Signed-off-by:
From: Dinghao Liu
[ Upstream commit bbe516e976fce538db96bd2b7287df942faa14a3 ]
pm_runtime_get_sync() increments the runtime PM usage counter even
when it returns an error code. Thus a pairing decrement is needed on
the error handling path to keep the counter balanced. For other error
paths
From: Rajendra Nayak
[ Upstream commit 98cd831088c64aa8fe7e1d2a8bb94b6faba0462b ]
Post a successful pm_ops->core_get, an error in probe
should exit by doing a pm_ops->core_put which seems
to be missing. So fix it.
Signed-off-by: Rajendra Nayak
Reviewed-by: Bjorn Andersson
Signed-off-by:
From: Pali Rohár
[ Upstream commit 8ebe2607965d3e2dc02029e8c7dd35fbe508ffd0 ]
Before parsing CISTPL_VERS_1 structure check that its size is at least two
bytes to prevent buffer overflow.
Signed-off-by: Pali Rohár
Link: https://lore.kernel.org/r/20200727133837.19086-2-p...@kernel.org
From: Thomas Pedersen
[ Upstream commit 8b783d104e7f40684333d2ec155fac39219beb2f ]
Even though a driver or mac80211 shouldn't produce a
legacy bitrate if sband->bitrates doesn't exist, don't
crash if that is the case either.
This fixes a kernel panic if station dump is run before
last_rate can
From: Hangbin Liu
[ Upstream commit a0f2b7acb4b1d29127ff99c714233b973afd1411 ]
Previously we forgot to close the map fd if bpf_map_update_elem()
failed during map slot init, which will leak map fd.
Let's move map slot initialization to new function init_map_slots() to
simplify the code. And
From: Rustam Kovhaev
[ Upstream commit 4f8c94022f0bc3babd0a124c0a7dcdd7547bd94e ]
Number of bytes allocated for mft record should be equal to the mft record
size stored in ntfs superblock as reported by syzbot, userspace might
trigger out-of-bounds read by dereferencing ctx->attr in
From: Yu Chen
[ Upstream commit f580170f135af14e287560d94045624d4242d712 ]
SPLIT_BOUNDARY_DISABLE should be set for DesignWare USB3 DRD Core
of Hisilicon Kirin SoC when dwc3 core acts as host.
[mchehab: dropped a dev_dbg() as only traces are now allowed on this driver]
Signed-off-by: Yu Chen
From: Christoph Hellwig
[ Upstream commit 428805c0c5e76ef643b1fbc893edfb636b3d8aef ]
get_gendisk grabs a reference on the disk and file operation, so this
code will leak both of them while having absolutely no use for the
gendisk itself.
This effectively reverts commit 2df83fa4bce421f ("PM /
From: Jing Xiangfeng
[ Upstream commit 055f15ab2cb4a5cbc4c0a775ef3d0066e0fa9b34 ]
Return PTR_ERR() from the error handling case instead of 0.
Link: https://lore.kernel.org/r/20200910123848.93649-1-jingxiangf...@huawei.com
Signed-off-by: Jing Xiangfeng
Signed-off-by: Martin K. Petersen
From: Sherry Sun
[ Upstream commit cc1a2679865a94b83804822996eed010a50a7c1d ]
Since struct _mic_vring_info and vring are allocated together and follow
vring, if the vring_size() is not four bytes aligned, which will cause
the start address of struct _mic_vring_info is not four byte aligned.
For
Add i2c_device_id table for the vl53l0x-i2c driver,
helps in device instantiation using i2c_new_client_device()
or from userspace in cases where device-tree based description
is not possible now, like device(s) on a gbphy i2c adapter
created by greybus.
Signed-off-by: Vaishnav M A
---
v4:
From: Song Liu
[ Upstream commit 39d8f0d1026a990604770a658708f5845f7dbec0 ]
Recent improvements in LOCKDEP highlighted a potential A-A deadlock with
pcpu_freelist in NMI:
./tools/testing/selftests/bpf/test_progs -t stacktrace_build_id_nmi
[ 18.984807]
[
From: Zqiang
[ Upstream commit e8d5f92b8d30bb4ade76494490c3c065e12411b1 ]
Fix this by increase object reference count.
BUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180
kernel/locking/lockdep.c:3831
Read of size 8 at addr 8880683b0018 by task syz-executor.0/3377
CPU: 1 PID: 3377
From: Brooke Basile
[ Upstream commit 03fb92a432ea5abe5909bca1455b7e44a9380480 ]
Calls to usb_kill_anchored_urbs() after usb_kill_urb() on multiprocessor
systems create a race condition in which usb_kill_anchored_urbs() deallocates
the URB before the completer callback is called in
From: Mikael Wikström
[ Upstream commit 140958da9ab53a7df9e9ccc7678ea64655279ac1 ]
One more device that needs 40d5bb87 to resolve regression for the trackpoint
and three mouse buttons on the type cover of the Lenovo X1 Tablet Gen3.
It is probably also needed for the Lenovo X1 Tablet Gen2 with
On Sun, Oct 18, 2020 at 12:40 AM wrote:
>
> From: AngeloGioacchino Del Regno
>
> This is a driver for the Novatek in-cell touch controller and
> supports various chips from the NT36xxx family, currently
> including NT36525, NT36672A, NT36676F, NT36772 and NT36870.
>
> Functionality like wake
From: Johan Hovold
[ Upstream commit 960c7339de27c6d6fec13b54880501c3576bb08d ]
Handle broken union functional descriptors where the master-interface
doesn't exist or where its class is of neither Communication or Data
type (as required by the specification) by falling back to
From: Joakim Zhang
[ Upstream commit 9ad02c7f4f279504bdd38ab706fdc97d5f2b2a9c ]
This patch implements error handling and propagates the error value of
flexcan_chip_stop(). This function will be called from flexcan_suspend()
in an upcoming patch in some SoCs which support LPSR mode.
Add a new
From: Jan Kara
[ Upstream commit 044e2e26f214e5ab26af85faffd8d1e4ec066931 ]
When we fail to read inode, some data accessed in udf_evict_inode() may
be uninitialized. Move the accesses to !is_bad_inode() branch.
Reported-by: syzbot+91f02b28f9bb5f5f1...@syzkaller.appspotmail.com
Signed-off-by:
From: Jan Kara
[ Upstream commit 44ac6b829c4e173fdf6df18e6dd86aecf9a3dc99 ]
Although UDF standard allows it, we don't support sparing table larger
than a single block. Check it during mount so that we don't try to
access memory beyond end of buffer.
Reported-by:
From: Neil Armstrong
[ Upstream commit afcd0c7d3d4c22afc8befcfc906db6ce3058d3ee ]
This adds the required GPU quirks, including the quirk in the PWR
registers at the GPU reset time and the IOMMU quirk for shareability
issues observed on G52 in Amlogic G12B SoCs.
Signed-off-by: Neil Armstrong
From: Eric Biggers
[ Upstream commit 8859bf2b1278d064a139e3031451524a49a56bd0 ]
unlock_new_inode() is only meant to be called after a new inode has
already been inserted into the hash table. But reiserfs_new_inode() can
call it even before it has inserted the inode, triggering the WARNING in
From: Keita Suzuki
[ Upstream commit bc28369c6189009b66d9619dd9f09bd8c684bb98 ]
When mfd_add_devices() fails, pcr->slots should also be freed. However,
the current implementation does not free the member, leading to a memory
leak.
Fix this by adding a new goto label that frees pcr->slots.
From: Viresh Kumar
[ Upstream commit cb60e9602cce1593eb1e9cdc8ee562815078a354 ]
If dev_pm_opp_attach_genpd() is called multiple times (once for each CPU
sharing the table), then it would result in unwanted behavior like
memory leak, attaching the domain multiple times, etc.
Handle that by
From: Jia Yang
[ Upstream commit da62cb7230f0871c30dc9789071f63229158d261 ]
I got a use-after-free report when doing some fuzz test:
If ttm_bo_init() fails, the "gbo" and "gbo->bo.base" will be
freed by ttm_buffer_object_destroy() in ttm_bo_init(). But
then drm_gem_vram_create() and
From: Hamish Martin
[ Upstream commit b77d2a0a223bc139ee8904991b2922d215d02636 ]
Some integrated OHCI controller hubs do not expose all ports of the hub
to pins on the SoC. In some cases the unconnected ports generate
spurious over-current events. For example the Broadcom 56060/Ranger 2 SoC
switch/case use of break after a return or goto is unnecessary.
There is an existing warning for these uses, so add a --fix option too.
Signed-off-by: Joe Perches
---
For today's next, this would remove ~300 instances like:
case FOO:
return bar;
break;
From: Abhishek Pandit-Subedi
[ Upstream commit 20ae4089d0afeb24e9ceb026b996bfa55c983cc2 ]
Since l2cap_sock_teardown_cb doesn't acquire the channel lock before
setting the socket as zapped, it could potentially race with
l2cap_sock_release which frees the socket. Thus, wait until the cleanup
is
From: Neil Armstrong
[ Upstream commit 91e89097b86f566636ea5a7329c79d5521be46d2 ]
The T820, G31 & G52 GPUs integrated by Amlogic in the respective GXM,
G12A/SM1 & G12B SoCs need a quirk in the PWR registers after each reset.
This adds a callback in the device compatible struct to permit this.
From: Qian Cai
[ Upstream commit a805c111650cdba6ee880f528abdd03c1af82089 ]
It is trivial to trigger a WARN_ON_ONCE(1) in iomap_dio_actor() by
unprivileged users which would taint the kernel, or worse - panic if
panic_on_warn or panic_on_taint is set. Hence, just convert it to
From: Zhenzhong Duan
[ Upstream commit 08d3ab4b46339bc6f97e83b54a3fb4f8bf8f4cd9 ]
It's allocating an array of a6xx_gpu_state_obj structure rather than
its pointers.
This patch fixes it.
Signed-off-by: Zhenzhong Duan
Signed-off-by: Rob Clark
Signed-off-by: Sasha Levin
---
From: Daniel Wagner
[ Upstream commit c0014f94218ea3a312f6235febea0d626c5f2154 ]
Emit a warning when ->done or ->free are called on an already freed
srb. There is a hidden use-after-free bug in the driver which corrupts
the srb memory pool which originates from the cleanup callbacks.
An
From: Keita Suzuki
[ Upstream commit f4443293d741d1776b86ed1dd8c4e4285d0775fc ]
When wlc_phy_txpwr_srom_read_lcnphy fails in wlc_phy_attach_lcnphy,
the allocated pi->u.pi_lcnphy is leaked, since struct brcms_phy will be
freed in the caller function.
Fix this by calling wlc_phy_detach_lcnphy in
From: Chris Chiu
[ Upstream commit 86279456a4d47782398d3cb8193f78f672e36cac ]
Free the skb if usb_submit_urb fails on rx_urb. And free the urb
no matter usb_submit_urb succeeds or not in rtl8xxxu_submit_int_urb.
Signed-off-by: Chris Chiu
Signed-off-by: Kalle Valo
Link:
From: Saurav Kashyap
[ Upstream commit 10aff62fab263ad7661780816551420cea956ebb ]
If SUCCESS is not returned, error handling will escalate. Return SUCCESS
similar to other conditions in this function.
Link: https://lore.kernel.org/r/20200907121443.5150-6-jha...@marvell.com
Signed-off-by:
From: Hans de Goede
[ Upstream commit 5bf2f2f331ad812c9b7eea6e14a3ea328acbffc0 ]
The Acer One S1003 2-in-1 keyboard dock uses a Synaptics S910xx touchpad
which is connected to an ITE 8910 USB keyboard controller chip.
This keyboard has the same quirk for its rfkill / airplane mode hotkey as
From: Nilesh Javali
[ Upstream commit 28b35d17f9f8573d4646dd8df08917a4076a6b63 ]
While aborting the I/O, the firmware cleanup task timed out and driver
deleted the I/O from active command list. Some time later the firmware
sent the cleanup task response and driver again deleted the I/O from
From: Julian Wiedmann
[ Upstream commit 9d6a569a4cbab5a8b4c959d4e312daeecb7c9f09 ]
The current code for bridge address events has two shortcomings in its
control sequence:
1. after disabling address events via PNSO, we don't flush the remaining
events from the event_wq. So if the feature is
From: George Kennedy
[ Upstream commit a49145acfb975d921464b84fe00279f99827d816 ]
A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting
or yres setting in struct fb_var_screeninfo will result in a
KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as
the margins are being
From: Connor McAdams
[ Upstream commit 620f08eea6d6961b789af3fa3ea86725c8c93ece ]
Add a new PCI subsystem ID for the SoundBlaster AE-7 card.
Signed-off-by: Connor McAdams
Link: https://lore.kernel.org/r/20200825201040.30339-11-conmanx...@gmail.com
Signed-off-by: Takashi Iwai
Signed-off-by:
From: Sathyanarayana Nujella
[ Upstream commit 3e1734b64ce786c54dc98adcfe67941e6011d735 ]
A Chrome System based on tgl_max98373_rt5682 has different SSP interface
configurations. Using DMI data of this variant DUT, override quirk
data.
Reviewed-by: Guennadi Liakhovetski
Signed-off-by:
From: Peilin Ye
[ Upstream commit c5a8a8498eed1c164afc94f50a939c1a10abf8ad ]
do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is
zero. Fix it.
Reported-by: syzbot+23b5f9e7caf61d9a3...@syzkaller.appspotmail.com
Link:
From: Wang Yufen
[ Upstream commit 6c151410d5b57e6bb0d91a735ac511459539a7bf ]
When brcmf_proto_msgbuf_attach fails and msgbuf->txflow_wq != NULL,
we should destroy the workqueue.
Reported-by: Hulk Robot
Signed-off-by: Wang Yufen
Signed-off-by: Kalle Valo
Link:
From: Tetsuo Handa
[ Upstream commit f4ac712e4fe009635344b9af5d890fe25fcc8c0d ]
syzbot is reporting unkillable task [1], for the caller is failing to
handle a corrupted filesystem image which attempts to access beyond
the end of the device. While we need to fix the caller, flooding the
console
From: Dinghao Liu
[ Upstream commit d33fe77bdf75806d785dabf90d21d962122e5296 ]
When kmalloc() on buf fails, urb should be freed just like
when kmalloc() on dr fails.
Signed-off-by: Dinghao Liu
Signed-off-by: Marcel Holtmann
Signed-off-by: Sasha Levin
---
drivers/bluetooth/btusb.c | 1 +
1
From: Jan Kara
[ Upstream commit e9d4709fcc26353df12070566970f080e651f0c9 ]
When a usrjquota or grpjquota mount option is used multiple times, we
will leak memory allocated for the file name. Make sure the last setting
is used and all the previous ones are properly freed.
Reported-by:
From: Sathyanarayana Nujella
[ Upstream commit 5253a73d567dcd75e62834ff5f502ea9470e5722 ]
Add topology filename override based on system DMI data matching,
typically to account for a different hardware layout.
In ACPI based systems, the tplg_filename is pre-defined in an ACPI
machine table.
From: xinhui pan
[ Upstream commit 1545fbf97eafc1dbdc2923e58b4186b16a834784 ]
Remove the private obj from the internal list before we free aconnector.
[ 56.925828] BUG: unable to handle page fault for address: 8f84a870a560
[ 56.933272] #PF: supervisor read access in kernel mode
[
dev_comp field is used in a couple of places but it is never set. This
results in kernel oops when dereferencing a NULL pointer. Set the
`dev_comp` field correctly in the probe function.
Fixes: 6d97024dce23 ("iio: adc: mediatek: mt6577-auxadc, add mt6765 support")
Signed-off-by: Fabien Parent
From: Eli Billauer
[ Upstream commit fbc299437c06648afcc7891e6e2e6638dd48d4df ]
usb_kill_anchored_urbs() is commonly used to cancel all URBs on an
anchor just before releasing resources which the URBs rely on. By doing
so, users of this function rely on that no completer callbacks will take
From: Serge Semin
[ Upstream commit e8ee6c8cb61b676f1a2d6b942329e98224bd8ee9 ]
DW DMA IP-core provides a way to synthesize the DMA controller with
channels having different parameters like maximum burst-length,
multi-block support, maximum data width, etc. Those parameters both
explicitly and
From: Kevin Barnett
[ Upstream commit 9e688ef7206f0bccd590378d0dca8f9b4f57 ]
Eliminate kernel panics when getting invalid responses from controller.
Take controller offline instead of causing kernel panics.
Link:
From: Zekun Shen
[ Upstream commit bad60b8d1a7194df38fd7fe4b22f3f4dcf775099 ]
The idx in __ath10k_htt_rx_ring_fill_n function lives in
consistent dma region writable by the device. Malfunctional
or malicious device could manipulate such idx to have a OOB
write. Either by
From: Pali Rohár
[ Upstream commit 8ebe2607965d3e2dc02029e8c7dd35fbe508ffd0 ]
Before parsing CISTPL_VERS_1 structure check that its size is at least two
bytes to prevent buffer overflow.
Signed-off-by: Pali Rohár
Link: https://lore.kernel.org/r/20200727133837.19086-2-p...@kernel.org
From: Oliver Neukum
[ Upstream commit a8be80053ea74bd9c3f9a3810e93b802236d6498 ]
If you do sanity checks, you should do them for both endpoints.
Hence introduce checking for endpoint type for the output
endpoint, too.
Reported-by: syzbot+998261c2ae5932458...@syzkaller.appspotmail.com
From: Qiushi Wu
[ Upstream commit 7ef64ceea0008c17e94a8a2c60c5d6d46f481996 ]
On calling pm_runtime_get_sync() the reference count of the device
is incremented. In case of failure, decrement the
reference count before returning the error.
Signed-off-by: Qiushi Wu
Signed-off-by: Hans Verkuil
From: Zhao Heming
[ Upstream commit 1383b347a8ae4a69c04ae3746e6cb5c8d38e2585 ]
Callers of get_bitmap_from_slot() are responsible to free the bitmap.
Suggested-by: Guoqing Jiang
Signed-off-by: Zhao Heming
Signed-off-by: Song Liu
Signed-off-by: Sasha Levin
---
drivers/md/md-bitmap.c | 3
From: Laurent Pinchart
[ Upstream commit cdd4f7824994c9254acc6e415750529ea2d2cfe0 ]
The fwnode reference corresponding to the endpoint is leaked in an error
path of the rcar_drif_parse_subdevs() function. Fix it, and reorganize
fwnode reference handling in the function to release references
From: Borislav Petkov
[ Upstream commit fd258dc4442c5c1c069c6b5b42bfe7d10cddda95 ]
The patrol scrubber in Skylake and Cascade Lake systems can be configured
to report uncorrected errors using a special signature in the machine
check bank and to signal using CMCI instead of machine check.
From: Jing Xiangfeng
[ Upstream commit 055f15ab2cb4a5cbc4c0a775ef3d0066e0fa9b34 ]
Return PTR_ERR() from the error handling case instead of 0.
Link: https://lore.kernel.org/r/20200910123848.93649-1-jingxiangf...@huawei.com
Signed-off-by: Jing Xiangfeng
Signed-off-by: Martin K. Petersen
From: Qingqing Zhuo
[ Upstream commit ce271b40a91f781af3dee985c39e841ac5148766 ]
[why]
Current pipe merge and split logic only supports cases where new
dc_state is allocated and relies on dc->current_state to gather
information from previous dc_state.
Calls to validate_bandwidth on