| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
When resolving an IP address that is on the host of the caller the
result from querying the routing table is the loopback device. This is
not a valid response, because it doesn't represent the RDMA device and
the port.
Therefore, callers need to check the resolved device and if it is a
loopback device find an alternative way to resolve it. To avoid this we
make sure that the response from rdma_resolve_ip() will not be the
loopback device.
While that, we fix an static checker warning about dereferencing an
unintitialized pointer using the same solution as in commit abeffce90c7f
("net/mlx5e: Fix a -Wmaybe-uninitialized warning") as a reference.
Signed-off-by: Moni Shoua <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
|
|
In function addr_resolve() the namespace is a required input parameter
and not an output. It is passed later for searching the routing table
and device addresses. Also, it shouldn't be copied back to the caller.
Fixes: 565edd1d5555 ('IB/addr: Pass network namespace as a parameter')
Cc: <[email protected]> # v4.3+
Signed-off-by: Moni Shoua <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
|
|
Under heavy iser target(scst) start/stop stress during login/logout
on iser intitiator side happened trace call provided below.
The function iscsi_iser_slave_alloc iser_conn pointer could be NULL,
due to the fact that function iscsi_iser_conn_stop can be called before
and free iser connection. Let's protect that flow by introducing global mutex.
BUG: unable to handle kernel paging request at 0000000000001018
IP: [<ffffffffc0426f7e>] iscsi_iser_slave_alloc+0x1e/0x50 [ib_iser]
Call Trace:
? scsi_alloc_sdev+0x242/0x300
scsi_probe_and_add_lun+0x9e1/0xea0
? kfree_const+0x21/0x30
? kobject_set_name_vargs+0x76/0x90
? __pm_runtime_resume+0x5b/0x70
__scsi_scan_target+0xf6/0x250
scsi_scan_target+0xea/0x100
iscsi_user_scan_session.part.13+0x101/0x130 [scsi_transport_iscsi]
? iscsi_user_scan_session.part.13+0x130/0x130 [scsi_transport_iscsi]
iscsi_user_scan_session+0x1e/0x30 [scsi_transport_iscsi]
device_for_each_child+0x50/0x90
iscsi_user_scan+0x44/0x60 [scsi_transport_iscsi]
store_scan+0xa8/0x100
? common_file_perm+0x5d/0x1c0
dev_attr_store+0x18/0x30
sysfs_kf_write+0x37/0x40
kernfs_fop_write+0x12c/0x1c0
__vfs_write+0x18/0x40
vfs_write+0xb5/0x1a0
SyS_write+0x55/0xc0
Fixes: 318d311e8f01 ("iser: Accept arbitrary sg lists mapping if the device supports it")
Cc: <[email protected]> # v4.5+
Signed-off-by: Vladimir Neyelov <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Reviewed-by: Sagi Grimberg <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
|
|
While looking into Coverity ID 1351047 I ran into the following
piece of code at
drivers/infiniband/core/verbs.c:496:
ret = rdma_addr_find_l2_eth_by_grh(&dgid, &sgid,
ah_attr->dmac,
wc->wc_flags & IB_WC_WITH_VLAN ?
NULL : &vlan_id,
&if_index, &hoplimit);
The issue here is that the position of arguments in the call to
rdma_addr_find_l2_eth_by_grh() function do not match the order of
the parameters:
&dgid is passed to sgid
&sgid is passed to dgid
This is the function prototype:
int rdma_addr_find_l2_eth_by_grh(const union ib_gid *sgid,
const union ib_gid *dgid,
u8 *dmac, u16 *vlan_id, int *if_index,
int *hoplimit)
My question here is if this is intentional?
Answer:
Yes. ib_init_ah_from_wc() creates ah from the incoming packet.
Incoming packet has dgid of the receiver node on which this code is
getting executed and sgid contains the GID of the sender.
When resolving mac address of destination, you use arrived dgid as
sgid and use sgid as dgid because sgid contains destinations GID whom to
respond to.
Signed-off-by: Gustavo A. R. Silva <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
|
|
ib_map_mr_sg() can pass an SG-list to .map_mr_sg() that is larger
than what fits into a single MR. .map_mr_sg() must not attempt to
map more SG-list elements than what fits into a single MR.
Hence make sure that mlx5_ib_sg_to_klms() does not write outside
the MR klms[] array.
Fixes: b005d3164713 ("mlx5: Add arbitrary sg list support")
Signed-off-by: Bart Van Assche <[email protected]>
Reviewed-by: Max Gurtovoy <[email protected]>
Cc: Sagi Grimberg <[email protected]>
Cc: Leon Romanovsky <[email protected]>
Cc: Israel Rukshin <[email protected]>
Cc: <[email protected]>
Acked-by: Leon Romanovsky <[email protected]>
Reviewed-by: Sagi Grimberg <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
|
|
As the code stands today the array access in remap_intr() is OK. To
future proof the code though we should explicitly check to ensure the
index value is not outside of the valid range. This is not a straight
forward calculation so err on the side of caution.
Reviewed-by: Michael J. Ruhl <[email protected]>
Signed-off-by: Dennis Dalessandro <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
|
|
Linux v4.13-rc1
|
|
This ioctl does nothing to justify an _IOC_READ or _IOC_WRITE flag
because it doesn't copy anything from/to userspace to access the
argument.
Fixes: 54ebbfb16034 ("tty: add TIOCGPTPEER ioctl")
Signed-off-by: Gleb Fotengauer-Malinovskiy <[email protected]>
Acked-by: Aleksa Sarai <[email protected]>
Acked-by: Arnd Bergmann <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
TIOCGPTPEER is only used for unix98 PTYs, and we get a warning
when those are disabled:
drivers/tty/pty.c:466:12: error: 'pty_get_peer' defined but not used [-Werror=unused-function]
This moves the respective functions inside of the existing #ifdef.
Fixes: 54ebbfb16034 ("tty: add TIOCGPTPEER ioctl")
Signed-off-by: Arnd Bergmann <[email protected]>
Acked-by: Aleksa Sarai <[email protected]>
Reviewed-by: Kees Cook <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
We crash in __nf_ct_expect_check, it calls nf_ct_remove_expect on the
uninitialised expectation instead of existing one, so del_timer chokes
on random memory address.
Fixes: ec0e3f01114ad32711243 ("netfilter: nf_ct_expect: Add nf_ct_remove_expect()")
Reported-by: Sergey Kvachonok <[email protected]>
Tested-by: Sergey Kvachonok <[email protected]>
Cc: Gao Feng <[email protected]>
Signed-off-by: Florian Westphal <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
|
|
arp packets cannot be forwarded.
They can be bridged, but then they can be filtered using
either ebtables or nftables bridge family.
The bridge netfilter exposes a "call-arptables" switch which
pushes packets into arptables, but lets not expose this for nftables, so better
close this asap.
Signed-off-by: Florian Westphal <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
|
|
When doing initial conversion to rhashtable I replaced the bucket
walk with a single rhashtable_lookup_fast().
When moving to rhlist I failed to properly walk the list of identical
tuples, but that is what is needed for this to work correctly.
The table contains the original tuples, so the reply tuples are all
distinct.
We currently decide that mapping is (not) in range only based on the
first entry, but in case its not we need to try the reply tuple of the
next entry until we either find an in-range mapping or we checked
all the entries.
This bug makes nat core attempt collision resolution while it might be
able to use the mapping as-is.
Fixes: 870190a9ec90 ("netfilter: nat: convert nat bysrc hash to rhashtable")
Reported-by: Jaco Kroon <[email protected]>
Tested-by: Jaco Kroon <[email protected]>
Signed-off-by: Florian Westphal <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
|
|
no more users in the tree, remove this.
The old api is racy wrt. module removal, all users have been converted
to the netns-aware api.
The old api pretended we still have global hooks but that has not been
true for a long time.
Signed-off-by: Florian Westphal <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
|
|
Fixes: cc5d0db390b0 ("regmap: Add 1-Wire bus support")
Commit de0d6dbdbdb2 ("w1: Add subsystem kernel public interface")
Fix place off w1.h header file
Cosmetic: Fix company name (local to international)
Signed-off-by: Alex A. Mihaylov <[email protected]>
Signed-off-by: Mark Brown <[email protected]>
|
|
platform_get_irq() returns an error code, but the omap_hdq
driver ignores it and always returns -ENXIO. This is not correct,
and prevents -EPROBE_DEFER from being propagated properly.
Notice that platform_get_irq() no longer returns 0 on error.
Print error message and propagate the return value of
platform_get_irq on failure.
Signed-off-by: Gustavo A. R. Silva <[email protected]>
Acked-by: Evgeniy Polyakov <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
Fixes: cc5d0db390b0 ("regmap: Add 1-Wire bus support")
Commit de0d6dbdbdb2 ("w1: Add subsystem kernel public interface")
Fix place off w1.h header file
Cosmetic: Fix company name (local to international)
Signed-off-by: Alex A. Mihaylov <[email protected]>
Reviewed-by: Sebastian Reichel <[email protected]>
Cc: Mark Brown <[email protected]>
Acked-by: Evgeniy Polyakov <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
1-Wire bus have very fast algorith for exchange with single slave
device. Fix incorrect count of slave devices on connect second slave
device. This case on slave device probe() step we need use generic
(multislave) functions for read/write device.
Signed-off-by: Alex A. Mihaylov <[email protected]>
Acked-by: Evgeniy Polyakov <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
Fixes an obvious and nasty typo.
Fixes: a3b02a9c6591 ("mux: minimal mux subsystem")
Signed-off-by: Kuppuswamy Sathyanarayanan <[email protected]>
Signed-off-by: Peter Rosin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
The MULTIPLEXER question in the Kconfig might be confusing and is
of dubious value. Remove it. This makes consumers responsible for
selecting MULTIPLEXER, which they already do.
Signed-off-by: Peter Rosin <[email protected]>
Reported-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
As the comments from Heiko Stuebner <[email protected]> that compatible
should not contain any placeholders, this patch fix it for rk3228 SoC.
Note that this is a fix for v4.13, due to fixing the current non-standard
binding name that should not become part of an official kernel release.
Signed-off-by: Frank Wang <[email protected]>
Acked-by: Rob Herring <[email protected]>
Reviewed-by: Heiko Stuebner <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
gcc warns about the return type of this function:
drivers/fsi/fsi-core.c:535:8: error: type qualifiers ignored on function return type [-Werror=ignored-qualifiers]
This removes the 'const' attribute, as suggested by the warning.
Fixes: 2b37c3e285f9 ("drivers/fsi: Set slave SMODE to init communication")
Signed-off-by: Arnd Bergmann <[email protected]>
Acked-by: Geert Uytterhoeven <[email protected]>
Acked-by: Jeremy Kerr <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
When testing an i2c driver that is a fsi bus driver, I saw the following
oops:
kernel BUG at drivers/base/driver.c:153!
Internal error: Oops - BUG: 0 [#1] ARM
[<8027cb1c>] (driver_register) from [<80344e88>] (fsi_driver_register+0x2c/0x38)
[<80344e88>] (fsi_driver_register) from [<805f5ebc>] (fsi_i2c_driver_init+0x1c/0x24)
[<805f5ebc>] (fsi_i2c_driver_init) from [<805d1f14>] (do_one_initcall+0xb4/0x170)
[<805d1f14>] (do_one_initcall) from [<805d20f0>] (kernel_init_freeable+0x120/0x1dc)
[<805d20f0>] (kernel_init_freeable) from [<8043f4a8>] (kernel_init+0x18/0x104)
[<8043f4a8>] (kernel_init) from [<8000a5e8>] (ret_from_fork+0x14/0x2c)
This is because the fsi bus had not been registered. This fix registers the bus
with postcore_initcall instead, to ensure it is registered earlier on.
When the fsi core is used as a module this should not be a problem as the fsi
driver will depend on the fsi bus type symbol, and will therefore load the core
before the driver.
Fixes: 0508ad1fff11 ("drivers/fsi: Add empty fsi bus definitions")
Signed-off-by: Joel Stanley <[email protected]>
Acked-by: Jeremy Kerr <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
The parallel panel driver should continue to work without having an
endpoint linking to an panel in DT for backwards compatibility.
With the recent switch to drm_of_find_panel_or_bridge, an absent
panel results in a failure with -ENODEV error return code. To restore
the old behaviour, ignore the -ENODEV return code.
Reported-by: Nikita Yushchenko <[email protected]>
Fixes: ebc944613567 ("drm: convert drivers to use drm_of_find_panel_or_bridge")
Tested-by: Chris Healy <[email protected]>
Cc: [email protected]
Signed-off-by: Philipp Zabel <[email protected]>
|
|
The BGRA8888 appears twice in the ipu_plane_formats[] list. The
duplicate should be BGRX8888.
The original commit is:
commit 59d6b7189a96 ("drm/imx: ipuv3-plane: enable support for RGBX8888
and RGBA8888 pixel formats")
Signed-off-by: Laurentiu Palcu <[email protected]>
Fixes: 59d6b7189a96 ("drm/imx: ipuv3-plane: enable support for RGBX8888 and RGBA8888 pixel")
Signed-off-by: Philipp Zabel <[email protected]>
|
|
Firmware upgrade tools that decide which NVM image should be uploaded to
the Thunderbolt controller need to access active parts of the NVM even
if they are not run as root. The information in active NVM is not
considered security critical so we can use the default permissions set
by the NVMem framework.
Writing the NVM image is still left as root only operation.
While there mark the active NVM as read-only in the filesystem.
Reported-by: Yehezkel Bernat <[email protected]>
Signed-off-by: Mika Westerberg <[email protected]>
Signed-off-by: Andreas Noever <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
This problem shows up in 4.11 when netvsc driver is removed and reloaded.
The problem is that the channel is closed during module removal and the
tasklet for processing responses is disabled. When module is reloaded
the channel is reopened but the tasklet is marked as disabled.
The fix is to re-enable tasklet at the end of close which gets it back
to the initial state.
The issue is less urgent in 4.12 since network driver now uses NAPI
and not the tasklet; and other VMBUS devices are rarely unloaded/reloaded.
Fixes: dad72a1d2844 ("vmbus: remove hv_event_tasklet_disable/enable")
Signed-off-by: Stephen Hemminger <[email protected]>
Signed-off-by: K. Y. Srinivasan <[email protected]>
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
After commit 7f1d4e58dabb ("spmi: pmic-arb: optimize table
lookups") we always need the ppid_to_apid table regardless of the
version of pmic arbiter we have. Otherwise, we will try to deref
the array when we don't allocate it on v2 hardware like the
msm8974 SoCs.
Cc: Abhijeet Dharmapurikar <[email protected]>
Cc: Kiran Gunda <[email protected]>
Fixes: 7f1d4e58dabb ("spmi: pmic-arb: optimize table lookups")
Signed-off-by: Stephen Boyd <[email protected]>
Tested-by: Luca Weiss <[email protected]>
Reviewed-by: Kiran Gunda <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
I have the hardware and I've been reviewing SPMI patches when
they come on the list. Add myself as a reviewer in this area and
add the linux-arm-msm list because people subscribed there also
have the hardware.
Cc: Kiran Gunda <[email protected]>
Cc: Abhijeet Dharmapurikar <[email protected]>
Signed-off-by: Stephen Boyd <[email protected]>
Acked-by: Andy Gross <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
Include the OF-based modalias in the uevent sent when registering SPMI
devices, so that user space has a chance to autoload the kernel module
for the device.
Tested-by: Rob Clark <[email protected]>
Reported-by: Rob Clark <[email protected]>
Reviewed-by: Stephen Boyd <[email protected]>
Signed-off-by: Bjorn Andersson <[email protected]>
Cc: stable <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
If kmem_cache_zalloc() returns NULL then the INIT_LIST_HEAD(&data->links);
will Oops. The callers aren't really prepared for NULL returns so it
doesn't make a lot of difference in real life.
Fixes: 5240d9f95dfe ("libceph: replace message data pointer with list")
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Ilya Dryomov <[email protected]>
|
|
For a large directory, program needs to issue multiple readdir
syscalls to get all dentries. When there are multiple programs
read the directory concurrently. Following sequence of events
can happen.
- program calls readdir with pos = 2. ceph sends readdir request
to mds. The reply contains N1 entries. ceph adds these N1 entries
to readdir cache.
- program calls readdir with pos = N1+2. The readdir is satisfied
by the readdir cache, N2 entries are returned. (Other program
calls readdir in the middle, which fills the cache)
- program calls readdir with pos = N1+N2+2. ceph sends readdir
request to mds. The reply contains N3 entries and it reaches
directory end. ceph adds these N3 entries to the readdir cache
and marks directory complete.
The second readdir call does not update fi->readdir_cache_idx.
ceph add the last N3 entries to wrong places.
Cc: [email protected] # v4.3+
Signed-off-by: "Yan, Zheng" <[email protected]>
Signed-off-by: Ilya Dryomov <[email protected]>
|
|
encode_request_finish() is for MOSDOp messages. Calling it on
MOSDBackoff ack-block messages corrupts them.
Fixes: a02a946dfe96 ("libceph: respect RADOS_BACKOFF backoffs")
Signed-off-by: Ilya Dryomov <[email protected]>
|
|
... otherwise we die in insert_pg_mapping(), which wants pg->node to be
empty, i.e. initialized with RB_CLEAR_NODE.
Fixes: 6f428df47dae ("libceph: pg_upmap[_items] infrastructure")
Signed-off-by: Ilya Dryomov <[email protected]>
|
|
No sooner than Dan had fixed this issue in commit 293dffaad8d5
("libceph: NULL deref on crush_decode() error path"), I brought it
back. Add a new label and set -EINVAL once, right before failing.
Fixes: 278b1d709c6a ("libceph: ceph_decode_skip_* helpers")
Reported-by: Dan Carpenter <[email protected]>
Signed-off-by: Ilya Dryomov <[email protected]>
|
|
There are hidden gotos in the ceph_decode_* macros. We need to set the
"err" variable on these error paths otherwise we end up returning
ERR_PTR(0) which is NULL. It causes NULL dereferences in the callers.
Fixes: 6f428df47dae ("libceph: pg_upmap[_items] infrastructure")
Signed-off-by: Dan Carpenter <[email protected]>
[[email protected]: similar bug in osdmap_decode(), changelog tweak]
Signed-off-by: Ilya Dryomov <[email protected]>
|
|
The new macros don't follow the usual style for declarations,
which we get a warning for with 'make W=1':
In file included from fs/ceph/mds_client.c:16:0:
include/linux/ceph/ceph_features.h:74:1: error: 'static' is not at beginning of declaration [-Werror=old-style-declaration]
This moves the 'static' keyword to the front of the
declaration.
Fixes: f179d3ba8cb9 ("libceph: new features macros")
Signed-off-by: Arnd Bergmann <[email protected]>
Signed-off-by: Ilya Dryomov <[email protected]>
|
|
Use wake_up_interruptible_sync() to hint to the scheduler binder
transactions are synchronous wakeups. Disable preemption while waking
to avoid ping-ponging on the binder lock.
Signed-off-by: Todd Kjos <[email protected]>
Signed-off-by: Omprakash Dhyade <[email protected]>
Cc: stable <[email protected]> # 4.4+
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
The binder allocator assumes that the thread that
called binder_open will never die for the lifetime of
that proc. That thread is normally the group_leader,
however it may not be. Use the group_leader instead
of current.
Signed-off-by: Todd Kjos <[email protected]>
Cc: stable <[email protected]> # 4.4+
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
This reverts commit a906d6931f3ccaf7de805643190765ddd7378e27.
The patch introduced a race in the binder driver. An attempt to fix the
race was submitted in "[PATCH v2] android: binder: fix dangling pointer
comparison", however the conclusion in the discussion for that patch
was that the original patch should be reverted.
The reversion is being done as part of the fine-grained locking
patchset since the patch would need to be refactored when
proc->vmm_vm_mm is removed from struct binder_proc and added
in the binder allocator.
Signed-off-by: Todd Kjos <[email protected]>
Cc: stable <[email protected]> # 4.6+
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
Commit 0d6fce904452 ("tty: serial: lpuart: introduce lpuart_soc_data to
represent SoC property") introduced a buggy logic for detecting the 32-bit
type UART since the condition: "if (sport->port.iotype & UPIO_MEM32BE)"
is always true.
Performing such bitfield AND operation is not correct, because in the
case of Vybrid UART iotype is UPIO_MEM (2), so:
UPIO_MEM & UPIO_MEM32BE = 010 & 110 = 010, which is true.
Such logic tells the driver to always treat the UART operations as 32-bit,
leading to the driver misbehavior on Vybrid.
Fix the 32-bit type detection logic to avoid UART breakage on Vybrid.
While at it, introduce a lpuart_is_32() function to help readability.
Fixes: 0d6fce904452 ("tty: serial: lpuart: introduce lpuart_soc_data to represent SoC property")
Reported-by: Vivien Didelot <[email protected]>
Signed-off-by: Fabio Estevam <[email protected]>
Reviewed-by: Dong Aisheng <[email protected]>
Tested-by: Vivien Didelot <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
Function imx_transmit_buffer starts a TX DMA if DMA is enabled, since
commit 91a1a909f921 ("serial: imx: Support sw flow control in DMA mode").
It also carries on and attempts to write the same TX buffer using PIO.
This results in TX data corruption and double-incrementing xmit->tail
with the knock-on effect of tail passing head and a page of garbage
being sent out.
This seems to be triggered mostly when using RS485 half duplex on SMP
systems, but is probably not limited to just those.
Tested locally on an i.MX6Q with an RS485 half duplex transceiver on
UART3, and also by Clemens Gruber.
Tested-by: Clemens Gruber <[email protected]>
Signed-off-by: Ian Jamison <[email protected]>
Reviewed-by: Fabio Estevam <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
This reverts commit a3015affdf76ef279fbbb3710a220bab7e9ea04b as there
are complaints that it is incorrect.
Reported-by: Uwe Kleine-König <[email protected]>
Cc: Nandor Han <[email protected]>
Cc: Romain Perier <[email protected]>
Signed-off-by: Greg Kroah-Hartman [email protected]
|
|
In commit 1c0eaf0f56d6 ("powerpc/powernv: Tell OPAL about our MMU mode
on POWER9"), we added additional flags to the OPAL call to configure
CPUs at boot.
These flags only work on Power9 firmwares, and worse can cause boot
failures on Power8 machines, so we check for CPU_FTR_ARCH_300 (aka POWER9)
before adding the extra flags.
Unfortunately we forgot that opal_configure_cores() is called before
the CPU feature checks are dynamically patched, meaning the check
always returns true.
We definitely need to do something to make the CPU feature checks less
prone to bugs like this, but for now the minimal fix is to use
early_cpu_has_feature().
Reported-and-tested-by: Abdul Haleem <[email protected]>
Fixes: 1c0eaf0f56d6 ("powerpc/powernv: Tell OPAL about our MMU mode on POWER9")
Signed-off-by: Michael Ellerman <[email protected]>
|
|
Verify that the length of the socket buffer is sufficient to cover the
nlmsghdr structure before accessing the nlh->nlmsg_len field for further
input sanitization. If the client only supplies 1-3 bytes of data in
sk_buff, then nlh->nlmsg_len remains partially uninitialized and
contains leftover memory from the corresponding kernel allocation.
Operating on such data may result in indeterminate evaluation of the
nlmsg_len < NLMSG_HDRLEN expression.
The bug was discovered by a runtime instrumentation designed to detect
use of uninitialized memory in the kernel. The patch prevents this and
other similar tools (e.g. KMSAN) from flagging this behavior in the future.
Signed-off-by: Mateusz Jurczyk <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
|
|
The kstrtol() function returns -ERANGE as well as -EINVAL so these tests
are not enough. It's not a super serious bug, but my static checker
correctly complains that the "r" variable might be used uninitialized.
Fixes: 5d23188a473d ("serial: sh-sci: make RX FIFO parameters tunable via sysfs")
Signed-off-by: Dan Carpenter <[email protected]>
Cc: stable <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
It looks like we intended to return an error code here, because we
dereference "ascport->pinctrl" on the next lines.
Fixes: 6929cb00a501 ("serial: st-asc: Read in all Pinctrl states")
Signed-off-by: Dan Carpenter <[email protected]>
Acked-by: Lee Jones <[email protected]>
Cc: stable <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
When us->extra is null the driver is not initialized, however, a
later call to osd200_scsi_to_ata is made that dereferences
us->extra, causing a null pointer dereference. The code
currently detects and reports that the driver is not initialized;
add a return to avoid the subsequent dereference issue in this
check.
Thanks to Alan Stern for pointing out that srb->result needs setting
to DID_ERROR << 16
Detected by CoverityScan, CID#100308 ("Dereference after null check")
Signed-off-by: Colin Ian King <[email protected]>
Cc: stable <[email protected]>
Acked-by: Alan Stern <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
The new driver causes a build failure in some configurations:
In file included from /git/arm-soc/drivers/usb/typec/ucsi/trace.h:9:0,
from /git/arm-soc/drivers/usb/typec/ucsi/trace.c:2:
drivers/usb/typec/ucsi/ucsi.h:331:39: error: 'struct device' declared inside parameter list will not be visible outside of this definition or declaration [-Werror]
This includes the required header file.
Fixes: c1b0bc2dabfa ("usb: typec: Add support for UCSI interface")
Signed-off-by: Arnd Bergmann <[email protected]>
Acked-by: Heikki Krogerus <[email protected]>
Reviewed-by: Guenter Roeck <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
Add device-id entry for DATECS FP-2000 fiscal printer needing the
NO_UNION_NORMAL quirk.
Reported-by: Anton Avramov <[email protected]>
Cc: stable <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Acked-by: Oliver Neukum <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
This commit adds the vboxvideo drm/kms driver for the virtual graphics
card used in Virtual Box virtual machines to drivers/staging.
Why drivers/staging? This driver is already being patched into the kernel
by several distros, thus it is good to get this driver upstream soon, so
that work on the driver can be easily shared.
At the same time we want to take our time to get this driver properly
cleaned up (mainly converted to the new atomic modesetting APIs) before
submitting it as a normal driver under drivers/gpu/drm, putting this
driver in staging for now allows both.
Note this driver has already been significantly cleaned up, when I started
working on this the files under /usr/src/vboxguest/vboxvideo as installed
by Virtual Box 5.1.18 Guest Additions had a total linecount of 52681
lines. The version in this commit has 4874 lines.
Cc: [email protected]
Cc: Michael Thayer <[email protected]>
Signed-off-by: Hans de Goede <[email protected]>
Signed-off-by: Michael Thayer <[email protected]>
Acked-by: Daniel Vetter <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|