4b1ee0c027
28927 Commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
Greg Kroah-Hartman
|
973a60728e |
ANDROID: virt_wifi: fix export symbol types
In commit 39bb6b4242ff ("ANDROID: virt_wifi: Add data ops for scan data simulation") some new symbols were exported, but they should have been set as _GPL symbols. Fix this up by properly. Bug: 139421123 Cc: lesl <lesl@google.com> Cc: Alistair Delva <adelva@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ied186f08c695f5d1f50d88446f1e71fef303e7f8 |
||
Greg Kroah-Hartman
|
be3bb0daac |
This is the 4.19.119 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl6pj8gACgkQONu9yGCS aT5mKxAAvzC4s4XHwDDckvvu57/sED2oEtp7MgmLuyK4Ih55GyyLGx9zg1A2z+rs wQSsVW+/WeurCj4CuVciakkCvgBeY494cbnghr2lohhJZ918/XnYmPODLJhlvtcV gZ4vxk5euNqpWGsmu+X+DRBG6QuU5GYf4ox39NZdtKm5I+kt5Lw44AHSNlFP0q3y drRFc49cqSxa4WkVRixJJOTQbSHARNWiayOG4uLb4zoZFvJOTDAp7+yX5LYD7lxY 3FsQLVMSp7c/whppeGySVX0oJF/12weR9OQJZVxxhlMNggmGREwDxayBaPYqA4pa 0OO83rO1aP9j2VK3HFiK4OwatKHcu0GvGV9I4rP3u8hWvJyUzTAfdcVUXHl6of12 6hXG7F3f0TVY/OP6J2WepcQG5IbkiiAY1J0wlqbqo5MvOqESJZ/J0pGuFD1qzQ8n zaMnj2zhJHkJEfyP7Dvjo4y72eM9tWnFxKfm/PtuHWGovpP15rrsuHcs343U92Z7 zQ/Ak10tA8FpSM7dXaTd98/3FkVdQbkImkEUOpWzPjiJFGyuk8j6/ZE9rCWtlNR1 HP9cLgKB/PF/a3+kwtgGAhAHBVIA8trhSm1jRqEU7ki9sBQnV/2iR5b7UJ8xn4uA dl9HlxpiDYvIjRhHfMh6GXIhdO2T8coFzxKRztjxrM0dbaQeVKQ= =31Y5 -----END PGP SIGNATURE----- Merge 4.19.119 into android-4.19 Changes in 4.19.119 ext4: fix extent_status fragmentation for plain files drm/msm: Use the correct dma_sync calls harder bpftool: Fix printing incorrect pointer in btf_dump_ptr crypto: mxs-dcp - make symbols 'sha1_null_hash' and 'sha256_null_hash' static vti4: removed duplicate log message. arm64: Add part number for Neoverse N1 arm64: errata: Hide CTR_EL0.DIC on systems affected by Neoverse-N1 #1542419 arm64: Fake the IminLine size on systems affected by Neoverse-N1 #1542419 arm64: compat: Workaround Neoverse-N1 #1542419 for compat user-space arm64: Silence clang warning on mismatched value/register sizes watchdog: reset last_hw_keepalive time at start scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG ceph: return ceph_mdsc_do_request() errors from __get_parent() ceph: don't skip updating wanted caps when cap is stale pwm: rcar: Fix late Runtime PM enablement scsi: iscsi: Report unbind session event when the target has been removed ASoC: Intel: atom: Take the drv->lock mutex before calling sst_send_slot_map() nvme: fix deadlock caused by ANA update wrong locking kernel/gcov/fs.c: gcov_seq_next() should increase position index selftests: kmod: fix handling test numbers above 9 ipc/util.c: sysvipc_find_ipc() should increase position index kconfig: qconf: Fix a few alignment issues s390/cio: avoid duplicated 'ADD' uevents loop: Better discard support for block devices Revert "powerpc/64: irq_work avoid interrupt when called with hardware irqs enabled" pwm: renesas-tpu: Fix late Runtime PM enablement pwm: bcm2835: Dynamically allocate base perf/core: Disable page faults when getting phys address ASoC: Intel: bytcr_rt5640: Add quirk for MPMAN MPWIN895CL tablet xhci: Ensure link state is U3 after setting USB_SS_PORT_LS_U3 drm/amd/display: Not doing optimize bandwidth if flip pending. tracing/selftests: Turn off timeout setting virtio-blk: improve virtqueue error to BLK_STS scsi: smartpqi: fix call trace in device discovery PCI/ASPM: Allow re-enabling Clock PM net: ipv6: add net argument to ip6_dst_lookup_flow net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup blktrace: Protect q->blk_trace with RCU blktrace: fix dereference after null check f2fs: fix to avoid memory leakage in f2fs_listxattr KVM: VMX: Zero out *all* general purpose registers after VM-Exit KVM: nVMX: Always sync GUEST_BNDCFGS when it comes from vmcs01 KVM: Introduce a new guest mapping API kvm: fix compilation on aarch64 kvm: fix compilation on s390 kvm: fix compile on s390 part 2 KVM: Properly check if "page" is valid in kvm_vcpu_unmap x86/kvm: Introduce kvm_(un)map_gfn() x86/kvm: Cache gfn to pfn translation x86/KVM: Make sure KVM_VCPU_FLUSH_TLB flag is not missed x86/KVM: Clean up host's steal time structure cxgb4: fix adapter crash due to wrong MC size cxgb4: fix large delays in PTP synchronization ipv6: fix restrict IPV6_ADDRFORM operation macsec: avoid to set wrong mtu macvlan: fix null dereference in macvlan_device_event() net: bcmgenet: correct per TX/RX ring statistics net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node net: stmmac: dwmac-meson8b: Add missing boundary to RGMII TX clock array net/x25: Fix x25_neigh refcnt leak when receiving frame sched: etf: do not assume all sockets are full blown tcp: cache line align MAX_TCP_HEADER team: fix hang in team_mode_get() vrf: Fix IPv6 with qdisc and xfrm net: dsa: b53: Lookup VID in ARL searches when VLAN is enabled net: dsa: b53: Fix ARL register definitions net: dsa: b53: Rework ARL bin logic net: dsa: b53: b53_arl_rw_op() needs to select IVL or SVL xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish vrf: Check skb for XFRM_TRANSFORMED flag mlxsw: Fix some IS_ERR() vs NULL bugs KEYS: Avoid false positive ENOMEM error on key read ALSA: hda: Remove ASUS ROG Zenith from the blacklist ALSA: usb-audio: Add static mapping table for ALC1220-VB-based mobos ALSA: usb-audio: Add connector notifier delegation iio: core: remove extra semi-colon from devm_iio_device_register() macro iio: st_sensors: rely on odr mask to know if odr can be set iio: adc: stm32-adc: fix sleep in atomic context iio: xilinx-xadc: Fix ADC-B powerdown iio: xilinx-xadc: Fix clearing interrupt when enabling trigger iio: xilinx-xadc: Fix sequencer configuration for aux channels in simultaneous mode iio: xilinx-xadc: Make sure not exceed maximum samplerate fs/namespace.c: fix mountpoint reference counter race USB: sisusbvga: Change port variable from signed to unsigned USB: Add USB_QUIRK_DELAY_CTRL_MSG and USB_QUIRK_DELAY_INIT for Corsair K70 RGB RAPIDFIRE USB: early: Handle AMD's spec-compliant identifiers, too USB: core: Fix free-while-in-use bug in the USB S-Glibrary USB: hub: Fix handling of connect changes during sleep vmalloc: fix remap_vmalloc_range() bounds checks mm/hugetlb: fix a addressing exception caused by huge_pte_offset mm/ksm: fix NULL pointer dereference when KSM zero page is enabled tools/vm: fix cross-compile build ALSA: usx2y: Fix potential NULL dereference ALSA: hda/realtek - Fix unexpected init_amp override ALSA: hda/realtek - Add new codec supported for ALC245 ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif ALSA: usb-audio: Filter out unsupported sample rates on Focusrite devices tpm/tpm_tis: Free IRQ if probing fails tpm: ibmvtpm: retry on H_CLOSED in tpm_ibmvtpm_send() KVM: s390: Return last valid slot if approx index is out-of-bounds KVM: Check validity of resolved slot when searching memslots KVM: VMX: Enable machine check support for 32bit targets tty: hvc: fix buffer overflow during hvc_alloc(). tty: rocket, avoid OOB access usb-storage: Add unusual_devs entry for JMicron JMS566 audit: check the length of userspace generated audit records ASoC: dapm: fixup dapm kcontrol widget iwlwifi: pcie: actually release queue memory in TVQM iwlwifi: mvm: beacon statistics shouldn't go backwards ARM: imx: provide v7_cpu_resume() only on ARM_CPU_SUSPEND=y powerpc/setup_64: Set cache-line-size based on cache-block-size staging: comedi: dt2815: fix writing hi byte of analog output staging: comedi: Fix comedi_device refcnt leak in comedi_open vt: don't hardcode the mem allocation upper bound vt: don't use kmalloc() for the unicode screen buffer staging: vt6656: Don't set RCR_MULTICAST or RCR_BROADCAST by default. staging: vt6656: Fix calling conditions of vnt_set_bss_mode staging: vt6656: Fix drivers TBTT timing counter. staging: vt6656: Fix pairwise key entry save. staging: vt6656: Power save stop wake_up_count wrap around. cdc-acm: close race betrween suspend() and acm_softint cdc-acm: introduce a cool down UAS: no use logging any details in case of ENODEV UAS: fix deadlock in error handling and PM flushing work usb: dwc3: gadget: Fix request completion check usb: f_fs: Clear OS Extended descriptor counts to zero in ffs_data_reset() xhci: prevent bus suspend if a roothub port detected a over-current condition serial: sh-sci: Make sure status register SCxSR is read in correct sequence xfs: Fix deadlock between AGI and AGF with RENAME_WHITEOUT s390/mm: fix page table upgrade vs 2ndary address mode accesses Linux 4.19.119 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I4b16db8472367d135a4ff68d2863c634bf093ef5 |
||
Mordechay Goodstein
|
eed3199232 |
iwlwifi: mvm: beacon statistics shouldn't go backwards
commit 290d5e4951832e39d10f4184610dbf09038f8483 upstream. We reset statistics also in case that we didn't reassoc so in this cases keep last beacon counter. Cc: stable@vger.kernel.org # v4.19+ Signed-off-by: Mordechay Goodstein <mordechay.goodstein@intel.com> Signed-off-by: Luca Coelho <luciano.coelho@intel.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/iwlwifi.20200417100405.1f9142751fbc.Ifbfd0f928a0a761110b8f4f2ca5483a61fb21131@changeid Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Johannes Berg
|
95df104546 |
iwlwifi: pcie: actually release queue memory in TVQM
commit b98b33d5560a2d940f3b80f6768a6177bf3dfbc0 upstream.
The iwl_trans_pcie_dyn_txq_free() function only releases the frames
that may be left on the queue by calling iwl_pcie_gen2_txq_unmap(),
but doesn't actually free the DMA ring or byte-count tables for the
queue. This leads to pretty large memory leaks (at least before my
queue size improvements), in particular in monitor/sniffer mode on
channel hopping since this happens on every channel change.
This was also now more evident after the move to a DMA pool for the
byte count tables, showing messages such as
BUG iwlwifi:bc (...): Objects remaining in iwlwifi:bc on __kmem_cache_shutdown()
This fixes https://bugzilla.kernel.org/show_bug.cgi?id=206811.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Fixes:
|
||
Greg Kroah-Hartman
|
fd8a9d61cf |
This is the 4.19.117 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl6emrgACgkQONu9yGCS aT7KHhAAnWFfpGr89QEPUIDcdYNqmjnBlf7WRmVqQxbM+umD5AWo8fdLkKA43Fsx nNdMP6POYUwMqXahNOYwxCfRuw5sqsz/5bZO8O5p6fIXk1WhtW6Nzw78DHmDpQSj Cdfo92dJVhRcsCOElhrdsIypuBr7LoAOFjTGIzx4OZVXM3VJhWPpIgDEtU5yy/+S ym9TSU1RyQ9C/mIev3z6AXTAzAzWKdHXKtkWf3YW/7Mgr2QCcwmZxDlp9L1+L6e3 lLn2IMcFH91Wj0hJX98OhkmjA0EJ/LNU4LaaIe/DxGBEtzyLjn+aoxGIEREnU/Y6 36+3neWC3tJmUIzgyoRgVby+Jti3APEq3ncD0xzD8MAKitxihru7vKdTyfSWwmY0 xSz2UbCbbF1BeG3MZQNzgdSQCn4o21Iyxu+aQVGSvVd4k43x4jbtNedLqA6mHmkz 7I/V7UXyyzztDwlgT+DZa3LT6j4iv8VI6rPl7Evm3b5Iu9un3KLjnOEsXnvxjx9D o8dsPkK/pqbIW75bfThkoo8llmm/SsQ0n5GTKbITx9x0jU9E3VlQNHv+DUkT2CEn 1cY4hsVNql475RsOabhXbfOXI7+uwUCxKEOVN7DysT8UGARGIXZOkrGLr4UqjQHI B4J8oKBPPS5ZQKEIC7j/h4V/exqtSZYTQ1GWUNj4uo9X7KnJ+K4= =kytQ -----END PGP SIGNATURE----- Merge 4.19.117 into android-4.19 Changes in 4.19.117 amd-xgbe: Use __napi_schedule() in BH context hsr: check protocol version in hsr_newlink() net: ipv4: devinet: Fix crash when add/del multicast IP with autojoin net: ipv6: do not consider routes via gateways for anycast address check net: qrtr: send msgs from local of same id as broadcast net: revert default NAPI poll timeout to 2 jiffies net: stmmac: dwmac-sunxi: Provide TX and RX fifo sizes net: dsa: mt7530: fix tagged frames pass-through in VLAN-unaware mode ovl: fix value of i_ino for lower hardlink corner case scsi: ufs: Fix ufshcd_hold() caused scheduling while atomic jbd2: improve comments about freeing data buffers whose page mapping is NULL pwm: pca9685: Fix PWM/GPIO inter-operation ext4: fix incorrect group count in ext4_fill_super error message ext4: fix incorrect inodes per group in error message ASoC: Intel: mrfld: fix incorrect check on p->sink ASoC: Intel: mrfld: return error codes when an error occurs ALSA: usb-audio: Filter error from connector kctl ops, too ALSA: usb-audio: Don't override ignore_ctl_error value from the map ALSA: usb-audio: Don't create jack controls for PCM terminals ALSA: usb-audio: Check mapping at creating connector controls, too keys: Fix proc_keys_next to increase position index tracing: Fix the race between registering 'snapshot' event trigger and triggering 'snapshot' operation btrfs: check commit root generation in should_ignore_root mac80211_hwsim: Use kstrndup() in place of kasprintf() usb: dwc3: gadget: don't enable interrupt when disabling endpoint usb: dwc3: gadget: Don't clear flags before transfer ended drm/amd/powerplay: force the trim of the mclk dpm_levels if OD is enabled ext4: do not zeroout extents beyond i_disksize kvm: x86: Host feature SSBD doesn't imply guest feature SPEC_CTRL_SSBD scsi: target: remove boilerplate code scsi: target: fix hang when multiple threads try to destroy the same iscsi session x86/microcode/AMD: Increase microcode PATCH_MAX_SIZE x86/resctrl: Preserve CDP enable over CPU hotplug x86/resctrl: Fix invalid attempt at removing the default resource group wil6210: check rx_buff_mgmt before accessing it wil6210: ignore HALP ICR if already handled wil6210: add general initialization/size checks wil6210: make sure Rx ring sizes are correlated wil6210: remove reset file from debugfs mm/vmalloc.c: move 'area->pages' after if statement Linux 4.19.117 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ib4ab9aa34c22c034887be15902a625ecc5622b35 |
||
Karthick Gopalasubramanian
|
4994cc6785 |
wil6210: remove reset file from debugfs
commit 32dcfe8316cdbd885542967c0c85f5b9de78874b upstream. Reset file is not used and may cause race conditions with operational driver if used. Signed-off-by: Karthick Gopalasubramanian <kargop@codeaurora.org> Signed-off-by: Maya Erez <merez@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Lee Jones <lee.jones@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Dedy Lansky
|
e541f4b1d8 |
wil6210: make sure Rx ring sizes are correlated
commit 61e5ec044748486f06dec760a19dce78247b3ad8 upstream. When enlarging rx_ring_order module param, wil6210 fails to load because there are not enough Rx buffers. Fix this by enlarging number of Rx buffers at startup, if needed based on rx_ring_order. Signed-off-by: Dedy Lansky <dlansky@codeaurora.org> Signed-off-by: Maya Erez <merez@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Lee Jones <lee.jones@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Alexei Avshalom Lazar
|
2068090709 |
wil6210: add general initialization/size checks
commit ac0e541ab2f2951845acee784ef487be40fb4c77 upstream. Initialize unset variable, and verify that mid is valid. Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org> Signed-off-by: Maya Erez <merez@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Lee Jones <lee.jones@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Maya Erez
|
ced3402c36 |
wil6210: ignore HALP ICR if already handled
commit 979c9d8d01c482b1befb44dc639ecb907b5a37bd upstream. HALP ICR is set as long as the FW should stay awake. To prevent its multiple handling the driver masks this IRQ bit. However, if there is a different MISC ICR before the driver clears this bit, there is a risk of race condition between HALP mask and unmask. This race leads to HALP timeout, in case it is mistakenly masked. Add an atomic flag to indicate if HALP ICR should be handled. Signed-off-by: Maya Erez <merez@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Lee Jones <lee.jones@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Dedy Lansky
|
9d9cb5efdc |
wil6210: check rx_buff_mgmt before accessing it
commit d6a553c0c61b0b0219764e4d4fc14e385085f374 upstream. Make sure rx_buff_mgmt is initialized before accessing it. Signed-off-by: Dedy Lansky <dlansky@codeaurora.org> Signed-off-by: Maya Erez <merez@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Lee Jones <lee.jones@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Tuomas Tynkkynen
|
faed49eaa5 |
mac80211_hwsim: Use kstrndup() in place of kasprintf()
commit 7ea862048317aa76d0f22334202779a25530980c upstream. syzbot reports a warning: precision 33020 too large WARNING: CPU: 0 PID: 9618 at lib/vsprintf.c:2471 set_precision+0x150/0x180 lib/vsprintf.c:2471 vsnprintf+0xa7b/0x19a0 lib/vsprintf.c:2547 kvasprintf+0xb2/0x170 lib/kasprintf.c:22 kasprintf+0xbb/0xf0 lib/kasprintf.c:59 hwsim_del_radio_nl+0x63a/0x7e0 drivers/net/wireless/mac80211_hwsim.c:3625 genl_family_rcv_msg_doit net/netlink/genetlink.c:672 [inline] ... entry_SYSCALL_64_after_hwframe+0x49/0xbe Thus it seems that kasprintf() with "%.*s" format can not be used for duplicating a string with arbitrary length. Replace it with kstrndup(). Note that later this string is limited to NL80211_WIPHY_NAME_MAXLEN == 64, but the code is simpler this way. Reported-by: syzbot+6693adf1698864d21734@syzkaller.appspotmail.com Reported-by: syzbot+a4aee3f42d7584d76761@syzkaller.appspotmail.com Cc: stable@kernel.org Signed-off-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi> Link: https://lore.kernel.org/r/20200410123257.14559-1-tuomas.tynkkynen@iki.fi [johannes: add note about length limit] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Greg Kroah-Hartman
|
95bff4cdab |
This is the 4.19.116 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl6ZbYYACgkQONu9yGCS aT76ohAAn4lIjSuMRCILy/lq0DXVWDy7q6YdfyzNBITxc86tVfnfjMeQxUBviE/1 OzShWgMRXeqrb0xJTJ5Rv6mt5Kf9a3DpPWt2jwo1iqWkl4AihDtDV7Z2Bh+QdnSX +lQ1xGPqDi4MMgoYlpMtlFc3wq/pJV0i8Q7amXC/KbsDkt5dlDrQYeEZHe2P7pR9 ZljKLHEdGRE3uGqXmEM8qb6aLjQudnHmH/9uChP4UX6b+ZADDCc05DMhEkhEoCZT jdxiqVZvRdiiXTc1r6ckGv0xae77s0IAAZMQAd+24zFK94QByi6d9Cw0y6qyyDi7 1rfHIWSjvetY3+4DCQDOu/k2/pLt/Vqh9zuvtaf8Tu8cKM9rxow0Hl9FlL3fZpBN btpqeCY6twFxApHoAp9ZDK6otaVEOtbg1MCsmpUbVxWIF9IR8cPqMGyYK3lR2Ao1 HgdKEFkYOycAOu51ujuHsDLx/9k2ZqeSPyh0yrdVpFUVvMV/YqoYP9X3jzGRVllL hgYfFcywgrVgxK4c02/6cPiJNbFskTpLllDPVVXGIjO+9R4vTRUgJ74CNrqL25aT ioSFWJA00UvXObnbCDdA+otYYWAmYOJX7HVvEieb0oDqPYHZHa1UW6+1WlYSAQLm WAsHiejOv6PwzRmCDI6RyuZKQjjX6bppAWFq0/RLPO0uEqjXlxc= =Iq3k -----END PGP SIGNATURE----- Merge 4.19.116 into android-4.19 Changes in 4.19.116 ARM: dts: sun8i-a83t-tbs-a711: HM5065 doesn't like such a high voltage bus: sunxi-rsb: Return correct data when mixing 16-bit and 8-bit reads net: vxge: fix wrong __VA_ARGS__ usage hinic: fix a bug of waitting for IO stopped hinic: fix wrong para of wait_for_completion_timeout cxgb4/ptp: pass the sign of offset delta in FW CMD qlcnic: Fix bad kzalloc null test i2c: st: fix missing struct parameter description cpufreq: imx6q: Fixes unwanted cpu overclocking on i.MX6ULL media: venus: hfi_parser: Ignore HEVC encoding for V1 firmware: arm_sdei: fix double-lock on hibernate with shared events null_blk: Fix the null_add_dev() error path null_blk: Handle null_add_dev() failures properly null_blk: fix spurious IO errors after failed past-wp access xhci: bail out early if driver can't accress host in resume x86: Don't let pgprot_modify() change the page encryption bit block: keep bdi->io_pages in sync with max_sectors_kb for stacked devices irqchip/versatile-fpga: Handle chained IRQs properly sched: Avoid scale real weight down to zero selftests/x86/ptrace_syscall_32: Fix no-vDSO segfault PCI/switchtec: Fix init_completion race condition with poll_wait() media: i2c: video-i2c: fix build errors due to 'imply hwmon' libata: Remove extra scsi_host_put() in ata_scsi_add_hosts() pstore/platform: fix potential mem leak if pstore_init_fs failed gfs2: Don't demote a glock until its revokes are written x86/boot: Use unsigned comparison for addresses efi/x86: Ignore the memory attributes table on i386 genirq/irqdomain: Check pointer in irq_domain_alloc_irqs_hierarchy() block: Fix use-after-free issue accessing struct io_cq media: i2c: ov5695: Fix power on and off sequences usb: dwc3: core: add support for disabling SS instances in park mode irqchip/gic-v4: Provide irq_retrigger to avoid circular locking dependency md: check arrays is suspended in mddev_detach before call quiesce operations firmware: fix a double abort case with fw_load_sysfs_fallback locking/lockdep: Avoid recursion in lockdep_count_{for,back}ward_deps() block, bfq: fix use-after-free in bfq_idle_slice_timer_body btrfs: qgroup: ensure qgroup_rescan_running is only set when the worker is at least queued btrfs: remove a BUG_ON() from merge_reloc_roots() btrfs: track reloc roots based on their commit root bytenr IB/mlx5: Replace tunnel mpls capability bits for tunnel_offloads uapi: rename ext2_swab() to swab() and share globally in swab.h slub: improve bit diffusion for freelist ptr obfuscation ASoC: fix regwmask ASoC: dapm: connect virtual mux with default value ASoC: dpcm: allow start or stop during pause for backend ASoC: topology: use name_prefix for new kcontrol usb: gadget: f_fs: Fix use after free issue as part of queue failure usb: gadget: composite: Inform controller driver of self-powered ALSA: usb-audio: Add mixer workaround for TRX40 and co ALSA: hda: Add driver blacklist ALSA: hda: Fix potential access overflow in beep helper ALSA: ice1724: Fix invalid access for enumerated ctl items ALSA: pcm: oss: Fix regression by buffer overflow fix ALSA: doc: Document PC Beep Hidden Register on Realtek ALC256 ALSA: hda/realtek - Set principled PC Beep configuration for ALC256 ALSA: hda/realtek - Remove now-unnecessary XPS 13 headphone noise fixups ALSA: hda/realtek - Add quirk for MSI GL63 media: ti-vpe: cal: fix disable_irqs to only the intended target acpi/x86: ignore unspecified bit positions in the ACPI global lock field thermal: devfreq_cooling: inline all stubs for CONFIG_DEVFREQ_THERMAL=n nvme-fc: Revert "add module to ops template to allow module references" nvme: Treat discovery subsystems as unique subsystems PCI: pciehp: Fix indefinite wait on sysfs requests PCI/ASPM: Clear the correct bits when enabling L1 substates PCI: Add boot interrupt quirk mechanism for Xeon chipsets PCI: endpoint: Fix for concurrent memory allocation in OB address region tpm: Don't make log failures fatal tpm: tpm1_bios_measurements_next should increase position index tpm: tpm2_bios_measurements_next should increase position index KEYS: reaching the keys quotas correctly irqchip/versatile-fpga: Apply clear-mask earlier pstore: pstore_ftrace_seq_next should increase position index MIPS/tlbex: Fix LDDIR usage in setup_pw() for Loongson-3 MIPS: OCTEON: irq: Fix potential NULL pointer dereference ath9k: Handle txpower changes even when TPC is disabled signal: Extend exec_id to 64bits x86/entry/32: Add missing ASM_CLAC to general_protection entry KVM: nVMX: Properly handle userspace interrupt window request KVM: s390: vsie: Fix region 1 ASCE sanity shadow address checks KVM: s390: vsie: Fix delivery of addressing exceptions KVM: x86: Allocate new rmap and large page tracking when moving memslot KVM: VMX: Always VMCLEAR in-use VMCSes during crash with kexec support KVM: x86: Gracefully handle __vmalloc() failure during VM allocation KVM: VMX: fix crash cleanup when KVM wasn't used CIFS: Fix bug which the return value by asynchronous read is error mtd: spinand: Stop using spinand->oobbuf for buffering bad block markers mtd: spinand: Do not erase the block before writing a bad block marker Btrfs: fix crash during unmount due to race with delayed inode workers btrfs: set update the uuid generation as soon as possible btrfs: drop block from cache on error in relocation btrfs: fix missing file extent item for hole after ranged fsync btrfs: fix missing semaphore unlock in btrfs_sync_file crypto: mxs-dcp - fix scatterlist linearization for hash erofs: correct the remaining shrink objects powerpc/pseries: Drop pointless static qualifier in vpa_debugfs_init() x86/speculation: Remove redundant arch_smt_update() invocation tools: gpio: Fix out-of-tree build regression mm: Use fixed constant in page_frag_alloc instead of size + 1 net: qualcomm: rmnet: Allow configuration updates to existing devices arm64: dts: allwinner: h6: Fix PMU compatible dm writecache: add cond_resched to avoid CPU hangs dm verity fec: fix memory leak in verity_fec_dtr scsi: zfcp: fix missing erp_lock in port recovery trigger for point-to-point arm64: armv8_deprecated: Fix undef_hook mask for thumb setend selftests: vm: drop dependencies on page flags from mlock2 tests rtc: omap: Use define directive for PIN_CONFIG_ACTIVE_HIGH drm/etnaviv: rework perfmon query infrastructure powerpc/pseries: Avoid NULL pointer dereference when drmem is unavailable NFS: Fix a page leak in nfs_destroy_unlinked_subrequests() ext4: fix a data race at inode->i_blocks fs/filesystems.c: downgrade user-reachable WARN_ONCE() to pr_warn_once() ocfs2: no need try to truncate file beyond i_size perf tools: Support Python 3.8+ in Makefile s390/diag: fix display of diagnose call statistics Input: i8042 - add Acer Aspire 5738z to nomux list clk: ingenic/jz4770: Exit with error if CGU init failed kmod: make request_module() return an error when autoloading is disabled cpufreq: powernv: Fix use-after-free hfsplus: fix crash and filesystem corruption when deleting files libata: Return correct status in sata_pmp_eh_recover_pm() when ATA_DFLAG_DETACH is set ipmi: fix hung processes in __get_guid() xen/blkfront: fix memory allocation flags in blkfront_setup_indirect() powerpc/powernv/idle: Restore AMR/UAMOR/AMOR after idle powerpc/64/tm: Don't let userspace set regs->trap via sigreturn powerpc/hash64/devmap: Use H_PAGE_THP_HUGE when setting up huge devmap PTE entries powerpc/xive: Use XIVE_BAD_IRQ instead of zero to catch non configured IPIs powerpc/kprobes: Ignore traps that happened in real mode scsi: mpt3sas: Fix kernel panic observed on soft HBA unplug powerpc: Add attributes for setjmp/longjmp powerpc: Make setjmp/longjmp signature standard btrfs: use nofs allocations for running delayed items dm zoned: remove duplicate nr_rnd_zones increase in dmz_init_zone() crypto: caam - update xts sector size for large input length crypto: ccree - improve error handling crypto: ccree - zero out internal struct before use crypto: ccree - don't mangle the request assoclen crypto: ccree - dec auth tag size from cryptlen map crypto: ccree - only try to map auth tag if needed Revert "drm/dp_mst: Remove VCPI while disabling topology mgr" drm/dp_mst: Fix clearing payload state on topology disable drm: Remove PageReserved manipulation from drm_pci_alloc ftrace/kprobe: Show the maxactive number on kprobe_events powerpc/fsl_booke: Avoid creating duplicate tlb1 entry misc: echo: Remove unnecessary parentheses and simplify check for zero etnaviv: perfmon: fix total and idle HI cyleces readout mfd: dln2: Fix sanity checking for endpoints efi/x86: Fix the deletion of variables in mixed mode Linux 4.19.116 Change-Id: If09fbb53fcb11ea01eaaa7fee7ed21ed6234f352 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Remi Pommarel
|
19e119d4b4 |
ath9k: Handle txpower changes even when TPC is disabled
commit 968ae2caad0782db5dbbabb560d3cdefd2945d38 upstream.
When TPC is disabled IEEE80211_CONF_CHANGE_POWER event can be handled to
reconfigure HW's maximum txpower.
This fixes 0dBm txpower setting when user attaches to an interface for
the first time with the following scenario:
ieee80211_do_open()
ath9k_add_interface()
ath9k_set_txpower() /* Set TX power with not yet initialized
sc->hw->conf.power_level */
ieee80211_hw_config() /* Iniatilize sc->hw->conf.power_level and
raise IEEE80211_CONF_CHANGE_POWER */
ath9k_config() /* IEEE80211_CONF_CHANGE_POWER is ignored */
This issue can be reproduced with the following:
$ modprobe -r ath9k
$ modprobe ath9k
$ wpa_supplicant -i wlan0 -c /tmp/wpa.conf &
$ iw dev /* Here TX power is either 0 or 3 depending on RF chain */
$ killall wpa_supplicant
$ iw dev /* TX power goes back to calibrated value and subsequent
calls will be fine */
Fixes:
|
||
Alexei Avshalom Lazar
|
0b546fb9b5 |
BACKPORT: nl80211: Add support for EDMG channels
802.11ay specification defines Enhanced Directional Multi-Gigabit
(EDMG) STA and AP which allow channel bonding of 2 channels and more.
Introduce new NL attributes that are needed for enabling and
configuring EDMG support.
Two new attributes are used by kernel to publish driver's EDMG
capabilities to the userspace:
NL80211_BAND_ATTR_EDMG_CHANNELS - bitmap field that indicates the 2.16
GHz channel(s) that are supported by the driver.
When this attribute is not set it means driver does not support EDMG.
NL80211_BAND_ATTR_EDMG_BW_CONFIG - represent the channel bandwidth
configurations supported by the driver.
Additional two new attributes are used by the userspace for connect
command and for AP configuration:
NL80211_ATTR_WIPHY_EDMG_CHANNELS
NL80211_ATTR_WIPHY_EDMG_BW_CONFIG
New rate info flag - RATE_INFO_FLAGS_EDMG, can be reported from driver
and used for bitrate calculation that will take into account EDMG
according to the 802.11ay specification.
Change-Id: I06d3f04d16b68d35c1dd9cd3624916302e8725a1
Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
Link: https://lore.kernel.org/r/1566138918-3823-2-git-send-email-ailizaro@codeaurora.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-commit: 2a38075cd0beefa4da326380cf54c7b365ddc035
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
[ailizaro@codeaurora.org: fix conflict due to missing NLA policy]
Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
(cherry picked from commit
|
||
Greg Kroah-Hartman
|
bfe2901c20 |
This is the 4.19.111 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl5xvNEACgkQONu9yGCS aT6VUg//SJSSC5IX7gulaIm8IzvVijE7EKkdkjukJ4TD672J1QqzXVlhKp8tSvAV ZBknOar0AP5sDNtvF3cgz0t6w6IJHrLWGyWqcMfUTC75M9HVZH6YUgHDkPmi0g8f dyTrVe20/lC5yBNAFmS0pnYB+UfL8biJEF6N++pULZQhOY0eRr6BMKdl2npxH7D3 YL/jipdGHmwkr/OgOtRaOBgEP6HIu1xKnZUkGzvhF0BOxAM/ib/5lQognOD6x4Hm 9vHzc8+nBXlWj6N7XkE+I3RiZumUx+vEr2kLljdrTE7cH7ALzJQl4GQ6Db6lbd0E q78Y44FhrfKiwxDeGPHKOX39sgzVwCsKhwTg3a4Rq4Aq0I7QQoPikAyCUj9kaeFq q8bI0Wub+4nQhzuyv6UgRWaQnIBZxXe56M8z3u4CTy6ljwvn4hXeZ9bkVRyXdQtS D4h3WtxFwBed0tQGb5ypv83Wg/lwK8bQHab4LDV9AZNZ3Jrbg70ldlea0GiA8Csc Y3MncS6zF9mnAU8ZdsYT3GNkRQS3OTFNeb7+V5MRgdCnG3xk5GltHTy0JYhZKmXH 8zMXlUgUeyihFx6f7LwFhYk8NTSg3+W700SKND/zd+VK8m7mqT7PB1bkny5zJ6aC teehBWmHlxZlL1ENXya8lUEEsOieAWxi3IMlhOEo2roidPW1N0o= =ryZW -----END PGP SIGNATURE----- Merge 4.19.111 into android-4.19 Changes in 4.19.111 phy: Revert toggling reset changes. net: phy: Avoid multiple suspends cgroup, netclassid: periodically release file_lock on classid updating gre: fix uninit-value in __iptunnel_pull_header inet_diag: return classid for all socket types ipv6/addrconf: call ipv6_mc_up() for non-Ethernet interface ipvlan: add cond_resched_rcu() while processing muticast backlog ipvlan: do not add hardware address of master to its unicast filter list ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast() ipvlan: don't deref eth hdr before checking it's set net/ipv6: use configured metric when add peer route netlink: Use netlink header as base to calculate bad attribute offset net: macsec: update SCI upon MAC address change. net: nfc: fix bounds checking bugs on "pipe" net/packet: tpacket_rcv: do not increment ring index on drop net: stmmac: dwmac1000: Disable ACS if enhanced descs are not used net: systemport: fix index check to avoid an array out of bounds access r8152: check disconnect status after long sleep sfc: detach from cb_page in efx_copy_channel() bnxt_en: reinitialize IRQs when MTU is modified cgroup: memcg: net: do not associate sock with unrelated cgroup net: memcg: late association of sock to memcg net: memcg: fix lockdep splat in inet_csk_accept() devlink: validate length of param values fib: add missing attribute validation for tun_id nl802154: add missing attribute validation nl802154: add missing attribute validation for dev_type can: add missing attribute validation for termination macsec: add missing attribute validation for port net: fq: add missing attribute validation for orphan mask team: add missing attribute validation for port ifindex team: add missing attribute validation for array index nfc: add missing attribute validation for SE API nfc: add missing attribute validation for deactivate target nfc: add missing attribute validation for vendor subcommand net: phy: fix MDIO bus PM PHY resuming selftests/net/fib_tests: update addr_metric_test for peer route testing net/ipv6: need update peer route when modify metric net/ipv6: remove the old peer route if change it to a new one tipc: add missing attribute validation for MTU property devlink: validate length of region addr/len bonding/alb: make sure arp header is pulled before accessing it slip: make slhc_compress() more robust against malicious packets net: fec: validate the new settings in fec_enet_set_coalesce() macvlan: add cond_resched() during multicast processing cgroup: cgroup_procs_next should increase position index cgroup: Iterate tasks that did not finish do_exit() iwlwifi: mvm: Do not require PHY_SKU NVM section for 3168 devices virtio-blk: fix hw_queue stopped on arbitrary error iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn + add_taint netfilter: nf_conntrack: ct_cpu_seq_next should increase position index netfilter: synproxy: synproxy_cpu_seq_next should increase position index netfilter: xt_recent: recent_seq_next should increase position index netfilter: x_tables: xt_mttg_seq_next should increase position index workqueue: don't use wq_select_unbound_cpu() for bound works drm/amd/display: remove duplicated assignment to grph_obj_type ktest: Add timeout for ssh sync testing cifs_atomic_open(): fix double-put on late allocation failure gfs2_atomic_open(): fix O_EXCL|O_CREAT handling on cold dcache KVM: x86: clear stale x86_emulate_ctxt->intercept value ARC: define __ALIGN_STR and __ALIGN symbols for ARC macintosh: windfarm: fix MODINFO regression efi: Fix a race and a buffer overflow while reading efivars via sysfs efi: Make efi_rts_work accessible to efi page fault handler mt76: fix array overflow on receiving too many fragments for a packet x86/mce: Fix logic and comments around MSR_PPIN_CTL iommu/dma: Fix MSI reservation allocation iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page batman-adv: Don't schedule OGM for disabled interface pinctrl: meson-gxl: fix GPIOX sdio pins pinctrl: core: Remove extra kref_get which blocks hogs being freed drm/i915/gvt: Fix unnecessary schedule timer when no vGPU exits i2c: gpio: suppress error on probe defer nl80211: add missing attribute validation for critical protocol indication nl80211: add missing attribute validation for beacon report scanning nl80211: add missing attribute validation for channel switch perf bench futex-wake: Restore thread count default to online CPU count netfilter: cthelper: add missing attribute validation for cthelper netfilter: nft_payload: add missing attribute validation for payload csum flags netfilter: nft_tunnel: add missing attribute validation for tunnels iommu/vt-d: Fix the wrong printing in RHSA parsing iommu/vt-d: Ignore devices with out-of-spec domain number i2c: acpi: put device when verifying client fails ipv6: restrict IPV6_ADDRFORM operation net/smc: check for valid ib_client_data net/smc: cancel event worker during device removal efi: Add a sanity check to efivar_store_raw() batman-adv: Avoid free/alloc race when handling OGM2 buffer Linux 4.19.111 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ide220f0b6a12d291bda4a83f17cde25bbe64e2ff |
||
Felix Fietkau
|
319478cbd2 |
mt76: fix array overflow on receiving too many fragments for a packet
commit b102f0c522cf668c8382c56a4f771b37d011cda2 upstream. If the hardware receives an oversized packet with too many rx fragments, skb_shinfo(skb)->frags can overflow and corrupt memory of adjacent pages. This becomes especially visible if it corrupts the freelist pointer of a slab page. Cc: stable@vger.kernel.org Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Dan Moulding
|
30fa84ae81 |
iwlwifi: mvm: Do not require PHY_SKU NVM section for 3168 devices
commit a9149d243f259ad8f02b1e23dfe8ba06128f15e1 upstream. The logic for checking required NVM sections was recently fixed in commit b3f20e098293 ("iwlwifi: mvm: fix NVM check for 3168 devices"). However, with that fixed the else is now taken for 3168 devices and within the else clause there is a mandatory check for the PHY_SKU section. This causes the parsing to fail for 3168 devices. The PHY_SKU section is really only mandatory for the IWL_NVM_EXT layout (the phy_sku parameter of iwl_parse_nvm_data is only used when the NVM type is IWL_NVM_EXT). So this changes the PHY_SKU section check so that it's only mandatory for IWL_NVM_EXT. Fixes: b3f20e098293 ("iwlwifi: mvm: fix NVM check for 3168 devices") Signed-off-by: Dan Moulding <dmoulding@me.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Greg Kroah-Hartman
|
8290fa4ad8 |
This is the 4.19.108 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl5hHeEACgkQONu9yGCS aT7uFQ/+KcS1brUUid3C+zewoJ7vvB7wspMRogdJk5/9Y/ty4uxolFRNxM7Fq2Sj 2Uq0jyt8TiiOQBguqpRfJN/GqPX7HBLPR6e9B4Pq67BR34VT6azqb5F7tKjhCa4I CGmA5XvCCQSGwqmwyP4biV0yOdN6Fy0B/9q7+7RSOsY/Mr86RyEHQgarRxaMy2QW v/dh/yIsdPXG27ZicETudKqIWaMiXL5k0zXr81HY4TcOzBrKW66nuqcI0uXZ6r54 RwqxfGVTGQeGIN4bBAFGTlEvvMDO0NAENGA0vOpt8Mqf7yRIye78GCmn8A/nOgd/ +ZsrS9y+baJun0O/7zmuYSFd37GDecRu6kNYI+fc1Hbf784wLj05A52kNZ5ndYPB CdHgcow63QV3DGTXsfQOi/yZEDm/YMUzhMoL2/KP/LlJzq8raXMf95pB3fgs6zmX HI3sA4AuyWQaQb/ogzW+8m8v1oHzT4+aNaBi9rBS1uqCg5q6AhTBRApUNpbybgsG vkiTwhIc2y74Y7M5wV0Fp29pQBPPn033smIq3V/qxgyMvoBbMXxNGZ7jTK882h5g UBjprtX/wyHgVLEXITiz1BPJTinweJarRCL6iGn5w7IOfd3enSamfph5wh5vuXR6 ea0SCw3Dni5G930BMldxubZRtiYTiqvDCeC/IpG7trP9mpczGeE= =/2bv -----END PGP SIGNATURE----- Merge 4.19.108 into android-4.19 Changes in 4.19.108 irqchip/gic-v3-its: Fix misuse of GENMASK macro iwlwifi: pcie: fix rb_allocator workqueue allocation ipmi:ssif: Handle a possible NULL pointer reference drm/msm: Set dma maximum segment size for mdss dax: pass NOWAIT flag to iomap_apply mac80211: consider more elements in parsing CRC cfg80211: check wiphy driver existence for drvinfo report s390/zcrypt: fix card and queue total counter wrap qmi_wwan: re-add DW5821e pre-production variant qmi_wwan: unconditionally reject 2 ep interfaces ARM: dts: sti: fixup sound frame-inversion for stihxxx-b2120.dtsi soc/tegra: fuse: Fix build with Tegra194 configuration net: ena: fix potential crash when rxfh key is NULL net: ena: fix uses of round_jiffies() net: ena: add missing ethtool TX timestamping indication net: ena: fix incorrect default RSS key net: ena: rss: fix failure to get indirection table net: ena: rss: store hash function as values and not bits net: ena: fix incorrectly saving queue numbers when setting RSS indirection table net: ena: ethtool: use correct value for crc32 hash net: ena: ena-com.c: prevent NULL pointer dereference cifs: Fix mode output in debugging statements cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE sysrq: Restore original console_loglevel when sysrq disabled sysrq: Remove duplicated sysrq message net: fib_rules: Correctly set table field when table number exceeds 8 bits net: mscc: fix in frame extraction net: phy: restore mdio regs in the iproc mdio driver net: sched: correct flower port blocking nfc: pn544: Fix occasional HW initialization failure sctp: move the format error check out of __sctp_sf_do_9_1_abort ipv6: Fix route replacement with dev-only route ipv6: Fix nlmsg_flags when splitting a multipath route qede: Fix race between rdma destroy workqueue and link change event net/tls: Fix to avoid gettig invalid tls record ext4: potential crash on allocation error in ext4_alloc_flex_bg_array() audit: fix error handling in audit_data_to_entry() ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro ACPI: watchdog: Fix gas->access_width usage KVM: VMX: check descriptor table exits on instruction emulation HID: ite: Only bind to keyboard USB interface on Acer SW5-012 keyboard dock HID: core: fix off-by-one memset in hid_report_raw_event() HID: core: increase HID report buffer size to 8KiB macintosh: therm_windtunnel: fix regression when instantiating devices tracing: Disable trace_printk() on post poned tests Revert "PM / devfreq: Modify the device name as devfreq(X) for sysfs" amdgpu/gmc_v9: save/restore sdpif regs during S3 vhost: Check docket sk_family instead of call getname HID: alps: Fix an error handling path in 'alps_input_configured()' HID: hiddev: Fix race in in hiddev_disconnect() MIPS: VPE: Fix a double free and a memory leak in 'release_vpe()' i2c: altera: Fix potential integer overflow i2c: jz4780: silence log flood on txabrt drm/i915/gvt: Fix orphan vgpu dmabuf_objs' lifetime drm/i915/gvt: Separate display reset from ALL_ENGINES reset hv_netvsc: Fix unwanted wakeup in netvsc_attach() usb: charger: assign specific number for enum value s390/qeth: vnicc Fix EOPNOTSUPP precedence net: netlink: cap max groups which will be considered in netlink_bind() net: atlantic: fix use after free kasan warn net: atlantic: fix potential error handling net/smc: no peer ID in CLC decline for SMCD net: ena: make ena rxfh support ETH_RSS_HASH_NO_CHANGE namei: only return -ECHILD from follow_dotdot_rcu() mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame() mwifiex: delete unused mwifiex_get_intf_num() KVM: SVM: Override default MMIO mask if memory encryption is enabled KVM: Check for a bad hva before dropping into the ghc slow path sched/fair: Optimize update_blocked_averages() sched/fair: Fix O(nr_cgroups) in the load balancing path perf stat: Use perf_evsel__is_clocki() for clock events perf stat: Fix shadow stats for clock events drivers: net: xgene: Fix the order of the arguments of 'alloc_etherdev_mqs()' kprobes: Set unoptimized flag after unoptimizing code pwm: omap-dmtimer: put_device() after of_find_device_by_node() perf hists browser: Restore ESC as "Zoom out" of DSO/thread/etc KVM: x86: Remove spurious kvm_mmu_unload() from vcpu destruction path KVM: x86: Remove spurious clearing of async #PF MSR thermal: brcmstb_thermal: Do not use DT coefficients netfilter: nft_tunnel: no need to call htons() when dumping ports netfilter: nf_flowtable: fix documentation mm/huge_memory.c: use head to check huge zero page mm, thp: fix defrag setting if newline is not used audit: always check the netlink payload length in audit_receive_msg() Linux 4.19.108 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ib98db500eded0a83d89c38900bbdf9ff5d6a37e0 |
||
Brian Norris
|
6390f6ba90 |
mwifiex: delete unused mwifiex_get_intf_num()
commit 1c9f329b084b7b8ea6d60d91a202e884cdcf6aae upstream. Commit 7afb94da3cd8 ("mwifiex: update set_mac_address logic") fixed the only user of this function, partly because the author seems to have noticed that, as written, it's on the borderline between highly misleading and buggy. Anyway, no sense in keeping dead code around: let's drop it. Fixes: 7afb94da3cd8 ("mwifiex: update set_mac_address logic") Signed-off-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Brian Norris
|
8892a7b91e |
mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame()
commit 70e5b8f445fd27fde0c5583460e82539a7242424 upstream. Before commit 1e58252e334d ("mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()"), mwifiex_process_tdls_action_frame() already had too many magic numbers. But this commit just added a ton more, in the name of checking for buffer overflows. That seems like a really bad idea. Let's make these magic numbers a little less magic, by (a) factoring out 'pos[1]' as 'ie_len' (b) using 'sizeof' on the appropriate source or destination fields where possible, instead of bare numbers (c) dropping redundant checks, per below. Regarding redundant checks: the beginning of the loop has this: if (pos + 2 + pos[1] > end) break; but then individual 'case's include stuff like this: if (pos > end - 3) return; if (pos[1] != 1) return; Note that the second 'return' (validating the length, pos[1]) combined with the above condition (ensuring 'pos + 2 + length' doesn't exceed 'end'), makes the first 'return' (whose 'if' can be reworded as 'pos > end - pos[1] - 2') redundant. Rather than unwind the magic numbers there, just drop those conditions. Fixes: 1e58252e334d ("mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()") Signed-off-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Johannes Berg
|
1d8780188c |
iwlwifi: pcie: fix rb_allocator workqueue allocation
commit 8188a18ee2e48c9a7461139838048363bfce3fef upstream We don't handle failures in the rb_allocator workqueue allocation correctly. To fix that, move the code earlier so the cleanup is easier and we don't have to undo all the interrupt allocations in this case. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Luca Coelho <luciano.coelho@intel.com> [Ajay: Modified to apply on v4.19.y and v4.14.y] Signed-off-by: Ajay Kaher <akaher@vmware.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Greg Kroah-Hartman
|
4dc4199770 |
This is the 4.19.106 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl5TfLwACgkQONu9yGCS aT5wlRAAhZELK39c78NMCTZKHtKGLsGb2os2IiI7zIRbqNNwnvJi+jAc3kgbS9jP +W+wnhYFtFisDvqdCQ009I6A0NA1p3Nqy166JplW0iIg1e7rgUKKUfabCN9sJmjh HGK913cJlHwGmkSxq//sBucBwWhYYGaHec28pZ7uCFATjWrTaH3G4VrvLStuicYR YgS9MH261tWJKJm5+V2MxnOOI0103+Uey+xVqwSnLlV+qmasxwDCMU5ae+SK7e7f cXIkNZwvDph1zunekHg+jd64GN3GYswXVcRighWP0n7Lr+0tGPN7SY5pvZIjZLv/ sdroyrqAxytTYP32hypIUgsToVvJr7zXD09LGdsgOCKVwFVn8yl1e4zgGKH3L9Xu OK2krI90v1MVevibyaNndZ4UDKilF75oE2YYDOFW/BU1lorFAIzk4hh15CfKc8s1 KHRjePfcgQREs/SGK8k2BAmf/JwxFN1/Ro5dl7MvKn07ZYqx6QOwUoMhgxspIntN 9TlFw6elu1RSwu2BFts9wvoHO1tr7GZBa1cVkNF8qV1rzaGVY68aLDvvHGdffD6W JgX+BCfr6vcN7R4izak1RxzAoqDrRxS0vWoC1vVsPqeIIZydSxpYDquaFnbZm+Wc MRuh5gpQ2PzTXuMLeBB+ig6UnzsAO3x+3yIG/l5ZmmYxJbMFBKU= =zE/i -----END PGP SIGNATURE----- Merge 4.19.106 into android-4.19 Changes in 4.19.106 core: Don't skip generic XDP program execution for cloned SKBs enic: prevent waking up stopped tx queues over watchdog reset net/smc: fix leak of kernel memory to user space net: dsa: tag_qca: Make sure there is headroom for tag net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS net/sched: flower: add missing validation of TCA_FLOWER_FLAGS Revert "KVM: nVMX: Use correct root level for nested EPT shadow page tables" Revert "KVM: VMX: Add non-canonical check on writes to RTIT address MSRs" KVM: nVMX: Use correct root level for nested EPT shadow page tables drm/gma500: Fixup fbdev stolen size usage evaluation cpu/hotplug, stop_machine: Fix stop_machine vs hotplug order brcmfmac: Fix use after free in brcmf_sdio_readframes() leds: pca963x: Fix open-drain initialization ext4: fix ext4_dax_read/write inode locking sequence for IOCB_NOWAIT ALSA: ctl: allow TLV read operation for callback type of element in locked case gianfar: Fix TX timestamping with a stacked DSA driver pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs pxa168fb: Fix the function used to release some memory in an error handling path media: i2c: mt9v032: fix enum mbus codes and frame sizes powerpc/powernv/iov: Ensure the pdn for VFs always contains a valid PE number gpio: gpio-grgpio: fix possible sleep-in-atomic-context bugs in grgpio_irq_map/unmap() iommu/vt-d: Fix off-by-one in PASID allocation char/random: silence a lockdep splat with printk() media: sti: bdisp: fix a possible sleep-in-atomic-context bug in bdisp_device_run() pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins efi/x86: Map the entire EFI vendor string before copying it MIPS: Loongson: Fix potential NULL dereference in loongson3_platform_init() sparc: Add .exit.data section. uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol() usb: gadget: udc: fix possible sleep-in-atomic-context bugs in gr_probe() usb: dwc2: Fix IN FIFO allocation clocksource/drivers/bcm2835_timer: Fix memory leak of timer kselftest: Minimise dependency of get_size on C library interfaces jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal x86/sysfb: Fix check for bad VRAM size pwm: omap-dmtimer: Simplify error handling s390/pci: Fix possible deadlock in recover_store() powerpc/iov: Move VF pdev fixup into pcibios_fixup_iov() tracing: Fix tracing_stat return values in error handling paths tracing: Fix very unlikely race of registering two stat tracers ARM: 8952/1: Disable kmemleak on XIP kernels ext4, jbd2: ensure panic when aborting with zero errno ath10k: Correct the DMA direction for management tx buffers drm/amd/display: Retrain dongles when SINK_COUNT becomes non-zero nbd: add a flush_workqueue in nbd_start_device KVM: s390: ENOTSUPP -> EOPNOTSUPP fixups kconfig: fix broken dependency in randconfig-generated .config clk: qcom: rcg2: Don't crash if our parent can't be found; return an error drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table drm/amdgpu: Ensure ret is always initialized when using SOC15_WAIT_ON_RREG regulator: rk808: Lower log level on optional GPIOs being not available net/wan/fsl_ucc_hdlc: reject muram offsets above 64K NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu(). selinux: fall back to ref-walk if audit is required arm64: dts: allwinner: H6: Add PMU mode arm: dts: allwinner: H3: Add PMU node selinux: ensure we cleanup the internal AVC counters on error in avc_insert() arm64: dts: qcom: msm8996: Disable USB2 PHY suspend by core ARM: dts: imx6: rdu2: Disable WP for USDHC2 and USDHC3 ARM: dts: imx6: rdu2: Limit USBH1 to Full Speed PCI: iproc: Apply quirk_paxc_bridge() for module as well as built-in media: cx23885: Add support for AVerMedia CE310B PCI: Add generic quirk for increasing D3hot delay PCI: Increase D3 delay for AMD Ryzen5/7 XHCI controllers media: v4l2-device.h: Explicitly compare grp{id,mask} to zero in v4l2_device macros reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling r8169: check that Realtek PHY driver module is loaded fore200e: Fix incorrect checks of NULL pointer dereference netfilter: nft_tunnel: add the missing ERSPAN_VERSION nla_policy ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status b43legacy: Fix -Wcast-function-type ipw2x00: Fix -Wcast-function-type iwlegacy: Fix -Wcast-function-type rtlwifi: rtl_pci: Fix -Wcast-function-type orinoco: avoid assertion in case of NULL pointer ACPICA: Disassembler: create buffer fields in ACPI_PARSE_LOAD_PASS1 scsi: ufs: Complete pending requests in host reset and restore path scsi: aic7xxx: Adjust indentation in ahc_find_syncrate drm/mediatek: handle events when enabling/disabling crtc ARM: dts: r8a7779: Add device node for ARM global timer selinux: ensure we cleanup the internal AVC counters on error in avc_update() dmaengine: Store module owner in dma_device struct dmaengine: imx-sdma: Fix memory leak crypto: chtls - Fixed memory leak x86/vdso: Provide missing include file PM / devfreq: rk3399_dmc: Add COMPILE_TEST and HAVE_ARM_SMCCC dependency pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs reset: uniphier: Add SCSSI reset control for each channel RDMA/rxe: Fix error type of mmap_offset clk: sunxi-ng: add mux and pll notifiers for A64 CPU clock ALSA: sh: Fix unused variable warnings clk: uniphier: Add SCSSI clock gate for each channel ALSA: sh: Fix compile warning wrt const tools lib api fs: Fix gcc9 stringop-truncation compilation error ACPI: button: Add DMI quirk for Razer Blade Stealth 13 late 2019 lid switch mlx5: work around high stack usage with gcc drm: remove the newline for CRC source name. ARM: dts: stm32: Add power-supply for DSI panel on stm32f469-disco usbip: Fix unsafe unaligned pointer usage udf: Fix free space reporting for metadata and virtual partitions staging: rtl8188: avoid excessive stack usage IB/hfi1: Add software counter for ctxt0 seq drop soc/tegra: fuse: Correct straps' address for older Tegra124 device trees efi/x86: Don't panic or BUG() on non-critical error conditions rcu: Use WRITE_ONCE() for assignments to ->pprev for hlist_nulls Input: edt-ft5x06 - work around first register access error x86/nmi: Remove irq_work from the long duration NMI handler wan: ixp4xx_hss: fix compile-testing on 64-bit ASoC: atmel: fix build error with CONFIG_SND_ATMEL_SOC_DMA=m tty: synclinkmp: Adjust indentation in several functions tty: synclink_gt: Adjust indentation in several functions visorbus: fix uninitialized variable access driver core: platform: Prevent resouce overflow from causing infinite loops driver core: Print device when resources present in really_probe() bpf: Return -EBADRQC for invalid map type in __bpf_tx_xdp_map vme: bridges: reduce stack usage drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new() drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read from fw drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler drm/nouveau/drm/ttm: Remove set but not used variable 'mem' drm/nouveau/fault/gv100-: fix memory leak on module unload drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add usb: musb: omap2430: Get rid of musb .set_vbus for omap2430 glue iommu/arm-smmu-v3: Use WRITE_ONCE() when changing validity of an STE f2fs: set I_LINKABLE early to avoid wrong access by vfs f2fs: free sysfs kobject scsi: iscsi: Don't destroy session if there are outstanding connections arm64: fix alternatives with LLVM's integrated assembler drm/amd/display: fixup DML dependencies watchdog/softlockup: Enforce that timestamp is valid on boot f2fs: fix memleak of kobject x86/mm: Fix NX bit clearing issue in kernel_map_pages_in_pgd pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional cmd64x: potential buffer overflow in cmd64x_program_timings() ide: serverworks: potential overflow in svwks_set_pio_mode() pwm: Remove set but not set variable 'pwm' btrfs: fix possible NULL-pointer dereference in integrity checks btrfs: safely advance counter when looking up bio csums btrfs: device stats, log when stats are zeroed module: avoid setting info->name early in case we can fall back to info->mod->name remoteproc: Initialize rproc_class before use irqchip/mbigen: Set driver .suppress_bind_attrs to avoid remove problems ALSA: hda/hdmi - add retry logic to parse_intel_hdmi() kbuild: use -S instead of -E for precise cc-option test in Kconfig x86/decoder: Add TEST opcode to Group3-2 s390: adjust -mpacked-stack support check for clang 10 s390/ftrace: generate traced function stack frame driver core: platform: fix u32 greater or equal to zero comparison ALSA: hda - Add docking station support for Lenovo Thinkpad T420s drm/nouveau/mmu: fix comptag memory leak powerpc/sriov: Remove VF eeh_dev state when disabling SR-IOV bcache: cached_dev_free needs to put the sb page iommu/vt-d: Remove unnecessary WARN_ON_ONCE() selftests: bpf: Reset global state between reuseport test runs jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record jbd2: make sure ESHUTDOWN to be recorded in the journal superblock ARM: 8951/1: Fix Kexec compilation issue. hostap: Adjust indentation in prism2_hostapd_add_sta iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop cifs: fix NULL dereference in match_prepath bpf: map_seq_next should always increase position index ceph: check availability of mds cluster on mount after wait timeout rbd: work around -Wuninitialized warning irqchip/gic-v3: Only provision redistributors that are enabled in ACPI drm/nouveau/disp/nv50-: prevent oops when no channel method map provided ftrace: fpid_next() should increase position index trigger_next should increase position index radeon: insert 10ms sleep in dce5_crtc_load_lut ocfs2: fix a NULL pointer dereference when call ocfs2_update_inode_fsync_trans() lib/scatterlist.c: adjust indentation in __sg_alloc_table reiserfs: prevent NULL pointer dereference in reiserfs_insert_item() bcache: explicity type cast in bset_bkey_last() irqchip/gic-v3-its: Reference to its_invall_cmd descriptor when building INVALL iwlwifi: mvm: Fix thermal zone registration microblaze: Prevent the overflow of the start brd: check and limit max_part par drm/amdgpu/smu10: fix smu10_get_clock_by_type_with_latency drm/amdgpu/smu10: fix smu10_get_clock_by_type_with_voltage NFS: Fix memory leaks help_next should increase position index cifs: log warning message (once) if out of disk space virtio_balloon: prevent pfn array overflow mlxsw: spectrum_dpipe: Add missing error path drm/amdgpu/display: handle multiple numbers of fclks in dcn_calcs.c (v2) Linux 4.19.106 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ia1032b50dd82b42e13973120dcbf94ae7b864648 |
||
Andrei Otcheretianski
|
af9be1a3b4 |
iwlwifi: mvm: Fix thermal zone registration
[ Upstream commit baa6cf8450b72dcab11f37c47efce7c5b9b8ad0f ] Use a unique name when registering a thermal zone. Otherwise, with multiple NICS, we hit the following warning during the unregistration. WARNING: CPU: 2 PID: 3525 at fs/sysfs/group.c:255 RIP: 0010:sysfs_remove_group+0x80/0x90 Call Trace: dpm_sysfs_remove+0x57/0x60 device_del+0x5a/0x350 ? sscanf+0x4e/0x70 device_unregister+0x1a/0x60 hwmon_device_unregister+0x4a/0xa0 thermal_remove_hwmon_sysfs+0x175/0x1d0 thermal_zone_device_unregister+0x188/0x1e0 iwl_mvm_thermal_exit+0xe7/0x100 [iwlmvm] iwl_op_mode_mvm_stop+0x27/0x180 [iwlmvm] _iwl_op_mode_stop.isra.3+0x2b/0x50 [iwlwifi] iwl_opmode_deregister+0x90/0xa0 [iwlwifi] __exit_compat+0x10/0x2c7 [iwlmvm] __x64_sys_delete_module+0x13f/0x270 do_syscall_64+0x5a/0x110 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com> Signed-off-by: Luca Coelho <luciano.coelho@intel.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Colin Ian King
|
d84a6da925 |
iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop
[ Upstream commit c2f9a4e4a5abfc84c01b738496b3fd2d471e0b18 ]
The loop counter addr is a u16 where as the upper limit of the loop
is an int. In the unlikely event that the il->cfg->eeprom_size is
greater than 64K then we end up with an infinite loop since addr will
wrap around an never reach upper loop limit. Fix this by making addr
an int.
Addresses-Coverity: ("Infinite loop")
Fixes:
|
||
Nathan Chancellor
|
9c298c4e77 |
hostap: Adjust indentation in prism2_hostapd_add_sta
[ Upstream commit b61156fba74f659d0bc2de8f2dbf5bad9f4b8faf ]
Clang warns:
../drivers/net/wireless/intersil/hostap/hostap_ap.c:2511:3: warning:
misleading indentation; statement is not part of the previous 'if'
[-Wmisleading-indentation]
if (sta->tx_supp_rates & WLAN_RATE_5M5)
^
../drivers/net/wireless/intersil/hostap/hostap_ap.c:2509:2: note:
previous statement is here
if (sta->tx_supp_rates & WLAN_RATE_2M)
^
1 warning generated.
This warning occurs because there is a space before the tab on this
line. Remove it so that the indentation is consistent with the Linux
kernel coding style and clang no longer warns.
Fixes:
|
||
Aditya Pakki
|
4f96316a11 |
orinoco: avoid assertion in case of NULL pointer
[ Upstream commit c705f9fc6a1736dcf6ec01f8206707c108dca824 ] In ezusb_init, if upriv is NULL, the code crashes. However, the caller in ezusb_probe can handle the error and print the failure message. The patch replaces the BUG_ON call to error return. Signed-off-by: Aditya Pakki <pakki001@umn.edu> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Phong Tran
|
6d91568410 |
rtlwifi: rtl_pci: Fix -Wcast-function-type
[ Upstream commit cb775c88da5d48a85d99d95219f637b6fad2e0e9 ] correct usage prototype of callback in tasklet_init(). Report by https://github.com/KSPP/linux/issues/20 Signed-off-by: Phong Tran <tranmanphong@gmail.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Phong Tran
|
b33327e505 |
iwlegacy: Fix -Wcast-function-type
[ Upstream commit da5e57e8a6a3e69dac2937ba63fa86355628fbb2 ] correct usage prototype of callback in tasklet_init(). Report by https://github.com/KSPP/linux/issues/20 Signed-off-by: Phong Tran <tranmanphong@gmail.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Phong Tran
|
0bfca57ef2 |
ipw2x00: Fix -Wcast-function-type
[ Upstream commit ebd77feb27e91bb5fe35a7818b7c13ea7435fb98 ] correct usage prototype of callback in tasklet_init(). Report by https://github.com/KSPP/linux/issues/20 Signed-off-by: Phong Tran <tranmanphong@gmail.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Phong Tran
|
b213d7453a |
b43legacy: Fix -Wcast-function-type
[ Upstream commit 475eec112e4267232d10f4afe2f939a241692b6c ] correct usage prototype of callback in tasklet_init(). Report by https://github.com/KSPP/linux/issues/20 Tested-by: Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by: Phong Tran <tranmanphong@gmail.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Rakesh Pillai
|
2a044ba370 |
ath10k: Correct the DMA direction for management tx buffers
[ Upstream commit 6ba8b3b6bd772f575f7736c8fd893c6981fcce16 ]
The management packets, send to firmware via WMI, are
mapped using the direction DMA_TO_DEVICE. Currently in
case of wmi cleanup, these buffers are being unmapped
using an incorrect DMA direction. This can cause unwanted
behavior when the host driver is handling a restart
of the wlan firmware.
We might see a trace like below
[<ffffff8008098b18>] __dma_inv_area+0x28/0x58
[<ffffff8001176734>] ath10k_wmi_mgmt_tx_clean_up_pending+0x60/0xb0 [ath10k_core]
[<ffffff80088c7c50>] idr_for_each+0x78/0xe4
[<ffffff80011766a4>] ath10k_wmi_detach+0x4c/0x7c [ath10k_core]
[<ffffff8001163d7c>] ath10k_core_stop+0x58/0x68 [ath10k_core]
[<ffffff800114fb74>] ath10k_halt+0xec/0x13c [ath10k_core]
[<ffffff8001165110>] ath10k_core_restart+0x11c/0x1a8 [ath10k_core]
[<ffffff80080c36bc>] process_one_work+0x16c/0x31c
Fix the incorrect DMA direction during the wmi
management tx buffer cleanup.
Tested HW: WCN3990
Tested FW: WLAN.HL.3.1-00784-QCAHLSWMTPLZ-1
Fixes:
|
||
Dan Carpenter
|
ead1cee889 |
brcmfmac: Fix use after free in brcmf_sdio_readframes()
[ Upstream commit 216b44000ada87a63891a8214c347e05a4aea8fe ]
The brcmu_pkt_buf_free_skb() function frees "pkt" so it leads to a
static checker warning:
drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1974 brcmf_sdio_readframes()
error: dereferencing freed memory 'pkt'
It looks like there was supposed to be a continue after we free "pkt".
Fixes:
|
||
Greg Kroah-Hartman
|
4eee97caec |
This is the 4.19.104 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl5HEigACgkQONu9yGCS aT7Gcw/6AkDGkK5U/aDpKMqWiRmZUqDIg8U9xR+44Gl57Q71vicrzq8NGPHxxbsF slWoCyXLVSD7bMWGsTD0qJR8muROAraMxDl8dCxojEXHnXFMx4A4Cf0h1E0lY0mu Jq/O9m33ZMSppjio88sCcLpo0pbXF+cCX1CY87NI5QUitUzHgRh18W8BtyFpMMI8 eC0Fc+hMWax3+qqHt/hFVpufaTKm35zLCpGjGAJiHd7GFvqUJnuAzBYCs1Cf8NO1 KrrL3l/IWk8z3Z0Wc9PbBz309a9H6FVpjrXSXj6URkxjtqJ0F0mBMaIYxhaUF8PD CHY5xLyqKodC8/7O5zNOrP80oT9nqJvsmKwUwlG34IJuMVaq/o+hZu+88JVB02Yw v9XVcaQda5aZgWF9cBWzFQEcNwHFDCQ9VNidLDcHJLGPyFo/BogvMo8T4yPM9tI0 O0PSFm/yYu0airZSCzIbPzuF2Iv+iilVtq+o10VRDsGtEYAOzTL7nA01MkdXFhwy 4V+Q51C90TGo13BnnZ6xpEqjspuDWgeOD71/xkQ5cnyFgam0XQq/5R6JJghJIHOP 7p8NMMyNhK2FnOGrFUgqvwBCp6Dap1ISZyKvie1Z8vuCJsZcwMVIw8fxAzoZWOjj MlmmePjlbC7XTFxjdo0jrQTdvBwq+gFgNitD7UAlfHAdqKJKKA4= =8ktI -----END PGP SIGNATURE----- Merge 4.19.104 into android-4.19 Changes in 4.19.104 ASoC: pcm: update FE/BE trigger order based on the command hv_sock: Remove the accept port restriction IB/mlx4: Fix memory leak in add_gid error flow RDMA/netlink: Do not always generate an ACK for some netlink operations RDMA/core: Fix locking in ib_uverbs_event_read RDMA/uverbs: Verify MR access flags scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails PCI/IOV: Fix memory leak in pci_iov_add_virtfn() ath10k: pci: Only dump ATH10K_MEM_REGION_TYPE_IOREG when safe PCI/switchtec: Fix vep_vector_number ioread width PCI: Don't disable bridge BARs when assigning bus resources nfs: NFS_SWAP should depend on SWAP NFS: Revalidate the file size on a fatal write error NFS/pnfs: Fix pnfs_generic_prepare_to_resend_writes() NFSv4: try lease recovery on NFS4ERR_EXPIRED serial: uartps: Add a timeout to the tx empty wait gpio: zynq: Report gpio direction at boot spi: spi-mem: Add extra sanity checks on the op param spi: spi-mem: Fix inverted logic in op sanity check rtc: hym8563: Return -EINVAL if the time is known to be invalid rtc: cmos: Stop using shared IRQ ARC: [plat-axs10x]: Add missing multicast filter number to GMAC node platform/x86: intel_mid_powerbtn: Take a copy of ddata ARM: dts: at91: Reenable UART TX pull-ups ARM: dts: am43xx: add support for clkout1 clock ARM: dts: at91: sama5d3: fix maximum peripheral clock rates ARM: dts: at91: sama5d3: define clock rate range for tcb1 tools/power/acpi: fix compilation error powerpc/pseries/vio: Fix iommu_table use-after-free refcount warning powerpc/pseries: Allow not having ibm, hypertas-functions::hcall-multi-tce for DDW iommu/arm-smmu-v3: Populate VMID field for CMDQ_OP_TLBI_NH_VA KVM: arm/arm64: vgic-its: Fix restoration of unmapped collections ARM: 8949/1: mm: mark free_memmap as __init arm64: cpufeature: Fix the type of no FP/SIMD capability arm64: ptrace: nofpsimd: Fail FP/SIMD regset operations KVM: arm/arm64: Fix young bit from mmu notifier KVM: arm: Fix DFSR setting for non-LPAE aarch32 guests KVM: arm: Make inject_abt32() inject an external abort instead KVM: arm64: pmu: Don't increment SW_INCR if PMCR.E is unset mtd: onenand_base: Adjust indentation in onenand_read_ops_nolock mtd: sharpslpart: Fix unsigned comparison to zero crypto: artpec6 - return correct error code for failed setkey() crypto: atmel-sha - fix error handling when setting hmac key media: i2c: adv748x: Fix unsafe macros pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held libertas: make lbs_ibss_join_existing() return error code on rates overflow scsi: megaraid_sas: Do not initiate OCR if controller is not in ready state x86/stackframe: Move ENCODE_FRAME_POINTER to asm/frame.h x86/stackframe, x86/ftrace: Add pt_regs frame annotations serial: uartps: Move the spinlock after the read of the tx empty padata: fix null pointer deref of pd->pinst Linux 4.19.104 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I42a465b140183dcc8cf49e19903d0e8f4b688930 |
||
Nicolai Stange
|
1de085c83f |
libertas: make lbs_ibss_join_existing() return error code on rates overflow
[ Upstream commit 1754c4f60aaf1e17d886afefee97e94d7f27b4cb ] Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor") introduced a bounds check on the number of supplied rates to lbs_ibss_join_existing() and made it to return on overflow. However, the aforementioned commit doesn't set the return value accordingly and thus, lbs_ibss_join_existing() would return with zero even though it failed. Make lbs_ibss_join_existing return -EINVAL in case the bounds check on the number of supplied rates fails. Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor") Signed-off-by: Nicolai Stange <nstange@suse.de> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Nicolai Stange
|
8ffeb2114d |
libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held
[ Upstream commit c7bf1fb7ddca331780b9a733ae308737b39f1ad4 ] Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor") introduced a bounds check on the number of supplied rates to lbs_ibss_join_existing(). Unfortunately, it introduced a return path from within a RCU read side critical section without a corresponding rcu_read_unlock(). Fix this. Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor") Signed-off-by: Nicolai Stange <nstange@suse.de> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Qing Xu
|
48247f7e14 |
mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv()
[ Upstream commit b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d ] mwifiex_cmd_append_vsie_tlv() calls memcpy() without checking the destination size may trigger a buffer overflower, which a local user could use to cause denial of service or the execution of arbitrary code. Fix it by putting the length check before calling memcpy(). Signed-off-by: Qing Xu <m1s5p6688@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Qing Xu
|
fab5ca7996 |
mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status()
[ Upstream commit 3a9b153c5591548612c3955c9600a98150c81875 ] mwifiex_ret_wmm_get_status() calls memcpy() without checking the destination size.Since the source is given from remote AP which contains illegal wmm elements , this may trigger a heap buffer overflow. Fix it by putting the length check before calling memcpy(). Signed-off-by: Qing Xu <m1s5p6688@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Bryan O'Donoghue
|
654ba8dcc3 |
ath10k: pci: Only dump ATH10K_MEM_REGION_TYPE_IOREG when safe
commit d239380196c4e27a26fa4bea73d2bf994c14ec2d upstream.
ath10k_pci_dump_memory_reg() will try to access memory of type
ATH10K_MEM_REGION_TYPE_IOREG however, if a hardware restart is in progress
this can crash a system.
Individual ioread32() time has been observed to jump from 15-20 ticks to >
80k ticks followed by a secure-watchdog bite and a system reset.
Work around this corner case by only issuing the read transaction when the
driver state is ATH10K_STATE_ON.
Tested-on: QCA9988 PCI 10.4-3.9.0.2-00044
Fixes:
|
||
Greg Kroah-Hartman
|
3389e56d31 |
This is the 4.19.103 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl5Cn0wACgkQONu9yGCS aT584xAAtePSlzTxst/jukREoyrpAfTM1BeovMdsZEBpKh+/F3n1udqHeo+iNAAN qSOig012aW2qP7b5/4CrEU9ZRTvd0AM4fog7ABLJVahMYMqoJgod8TRaE4v0nVut eRans6w3NbZJCZwdw2aiu5gwFfjwJLSUckBNmj4XVYdyfh7q0BgnZV5OY0V+zhuG 1MWXaylbRqjguR/ZFk0UPAmRaqNKHbwfCJ1V0ygL9xQkJM0cUn7hX9/CqM4aYnm6 m1oux4ektLAmF1XK4NiQEuRBMeFO74XlKcsZqQHf/b4FZfcPergcPwIj8ugtCHzJ kx2QgURDjgH4Tnu+Q0ScPrjj2kjU8rWmjqlcv1PcUyOWm+MR0OK9bW7TLEntMSF8 HOEe9j6SsjQNIOoYh1YcMnuGjKNIZjl2L3VbDzpVN2GxZxwAutY6G68tV7sbA2pu wtsrAVOqdcjoo0ruRmwognBqQAdNdsbiBx7bgcNjVEXWL0N3Ddiv6CNYwnehA5Hq cvQwVQpFGP9ZGYUcCMbdwR+7kJzVy6V2S615M8GkE9FouOwTfV60zM/sZ1rFVt1J 70zxfRX5ys19aTAVkbi6pHHCUJ0ZAiTgWujp5Hp4kPt7gEz01Ur0s1kI3b7b6iWh cuycRFULvqeXCApQacs//lOVDoUV20uFcL/zqOFM33v/+YzkyjA= =3D8z -----END PGP SIGNATURE----- Merge 4.19.103 into android-4.19 Changes in 4.19.103 Revert "drm/sun4i: dsi: Change the start delay calculation" ovl: fix lseek overflow on 32bit kernel/module: Fix memleak in module_add_modinfo_attrs() media: iguanair: fix endpoint sanity check ocfs2: fix oops when writing cloned file x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR udf: Allow writing to 'Rewritable' partitions printk: fix exclusive_console replaying iwlwifi: mvm: fix NVM check for 3168 devices sparc32: fix struct ipc64_perm type definition cls_rsvp: fix rsvp_policy gtp: use __GFP_NOWARN to avoid memalloc warning l2tp: Allow duplicate session creation with UDP net: hsr: fix possible NULL deref in hsr_handle_frame() net_sched: fix an OOB access in cls_tcindex net: stmmac: Delete txtimer in suspend() bnxt_en: Fix TC queue mapping. tcp: clear tp->total_retrans in tcp_disconnect() tcp: clear tp->delivered in tcp_disconnect() tcp: clear tp->data_segs{in|out} in tcp_disconnect() tcp: clear tp->segs_{in|out} in tcp_disconnect() rxrpc: Fix use-after-free in rxrpc_put_local() rxrpc: Fix insufficient receive notification generation rxrpc: Fix missing active use pinning of rxrpc_local object rxrpc: Fix NULL pointer deref due to call->conn being cleared on disconnect media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors mfd: dln2: More sanity checking for endpoints ipc/msg.c: consolidate all xxxctl_down() functions tracing: Fix sched switch start/stop refcount racy updates rcu: Avoid data-race in rcu_gp_fqs_check_wake() brcmfmac: Fix memory leak in brcmf_usbdev_qinit usb: typec: tcpci: mask event interrupts when remove driver usb: gadget: legacy: set max_speed to super-speed usb: gadget: f_ncm: Use atomic_t to track in-flight request usb: gadget: f_ecm: Use atomic_t to track in-flight request ALSA: usb-audio: Fix endianess in descriptor validation ALSA: dummy: Fix PCM format loop in proc output mm/memory_hotplug: fix remove_memory() lockdep splat mm: move_pages: report the number of non-attempted pages media/v4l2-core: set pages dirty upon releasing DMA buffers media: v4l2-core: compat: ignore native command codes media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() irqdomain: Fix a memory leak in irq_domain_push_irq() platform/x86: intel_scu_ipc: Fix interrupt support ALSA: hda: Add Clevo W65_67SB the power_save blacklist KVM: arm64: Correct PSTATE on exception entry KVM: arm/arm64: Correct CPSR on exception entry KVM: arm/arm64: Correct AArch32 SPSR on exception entry KVM: arm64: Only sign-extend MMIO up to register width MIPS: fix indentation of the 'RELOCS' message MIPS: boot: fix typo in 'vmlinux.lzma.its' target s390/mm: fix dynamic pagetable upgrade for hugetlbfs powerpc/xmon: don't access ASDR in VMs powerpc/pseries: Advance pfn if section is not present in lmb_is_removable() smb3: fix signing verification of large reads PCI: tegra: Fix return value check of pm_runtime_get_sync() mmc: spi: Toggle SPI polarity, do not hardcode it ACPI: video: Do not export a non working backlight interface on MSI MS-7721 boards ACPI / battery: Deal with design or full capacity being reported as -1 ACPI / battery: Use design-cap for capacity calculations if full-cap is not available ACPI / battery: Deal better with neither design nor full capacity not being reported alarmtimer: Unregister wakeup source when module get fails ubifs: Reject unsupported ioctl flags explicitly ubifs: don't trigger assertion on invalid no-key filename ubifs: Fix FS_IOC_SETFLAGS unexpectedly clearing encrypt flag ubifs: Fix deadlock in concurrent bulk-read and writepage crypto: geode-aes - convert to skcipher API and make thread-safe PCI: keystone: Fix link training retries initiation mmc: sdhci-of-at91: fix memleak on clk_get failure hv_balloon: Balloon up according to request page number mfd: axp20x: Mark AXP20X_VBUS_IPSOUT_MGMT as volatile crypto: api - Check spawn->alg under lock in crypto_drop_spawn crypto: ccree - fix backlog memory leak crypto: ccree - fix pm wrongful error reporting crypto: ccree - fix PM race condition scripts/find-unused-docs: Fix massive false positives scsi: qla2xxx: Fix mtcp dump collection failure power: supply: ltc2941-battery-gauge: fix use-after-free ovl: fix wrong WARN_ON() in ovl_cache_update_ino() f2fs: choose hardlimit when softlimit is larger than hardlimit in f2fs_statfs_project() f2fs: fix miscounted block limit in f2fs_statfs_project() f2fs: code cleanup for f2fs_statfs_project() PM: core: Fix handling of devices deleted during system-wide resume of: Add OF_DMA_DEFAULT_COHERENT & select it on powerpc dm zoned: support zone sizes smaller than 128MiB dm space map common: fix to ensure new block isn't already in use dm crypt: fix benbi IV constructor crash if used in authenticated mode dm: fix potential for q->make_request_fn NULL pointer dm writecache: fix incorrect flush sequence when doing SSD mode commit padata: Remove broken queue flushing tracing: Annotate ftrace_graph_hash pointer with __rcu tracing: Annotate ftrace_graph_notrace_hash pointer with __rcu ftrace: Add comment to why rcu_dereference_sched() is open coded ftrace: Protect ftrace_graph_hash with ftrace_sync samples/bpf: Don't try to remove user's homedir on clean crypto: ccp - set max RSA modulus size for v3 platform devices as well crypto: pcrypt - Do not clear MAY_SLEEP flag in original request crypto: atmel-aes - Fix counter overflow in CTR mode crypto: api - Fix race condition in crypto_spawn_alg crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill scsi: qla2xxx: Fix unbound NVME response length NFS: Fix memory leaks and corruption in readdir NFS: Directory page cache pages need to be locked when read jbd2_seq_info_next should increase position index Btrfs: fix missing hole after hole punching and fsync when using NO_HOLES btrfs: set trans->drity in btrfs_commit_transaction Btrfs: fix race between adding and putting tree mod seq elements and nodes ARM: tegra: Enable PLLP bypass during Tegra124 LP1 iwlwifi: don't throw error when trying to remove IGTK mwifiex: fix unbalanced locking in mwifiex_process_country_ie() sunrpc: expiry_time should be seconds not timeval gfs2: move setting current->backing_dev_info gfs2: fix O_SYNC write handling drm/rect: Avoid division by zero media: rc: ensure lirc is initialized before registering input device tools/kvm_stat: Fix kvm_exit filter name xen/balloon: Support xend-based toolstack take two watchdog: fix UAF in reboot notifier handling in watchdog core code bcache: add readahead cache policy options via sysfs interface eventfd: track eventfd_signal() recursion depth aio: prevent potential eventfd recursion on poll KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks KVM: x86: Refactor prefix decoding to prevent Spectre-v1/L1TF attacks KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks KVM: x86: Fix potential put_fpu() w/o load_fpu() on MPX platform KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails KVM: PPC: Book3S PR: Free shared page if mmu initialization fails x86/kvm: Be careful not to clear KVM_VCPU_FLUSH_TLB bit KVM: x86: Don't let userspace set host-reserved cr4 bits KVM: x86: Free wbinvd_dirty_mask if vCPU creation fails KVM: s390: do not clobber registers during guest reset/store status clk: tegra: Mark fuse clock as critical drm/amd/dm/mst: Ignore payload update failures percpu: Separate decrypted varaibles anytime encryption can be enabled scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type scsi: csiostor: Adjust indentation in csio_device_reset scsi: qla4xxx: Adjust indentation in qla4xxx_mem_free scsi: ufs: Recheck bkops level if bkops is disabled phy: qualcomm: Adjust indentation in read_poll_timeout ext2: Adjust indentation in ext2_fill_super powerpc/44x: Adjust indentation in ibm4xx_denali_fixup_memsize drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable NFC: pn544: Adjust indentation in pn544_hci_check_presence ppp: Adjust indentation into ppp_async_input net: smc911x: Adjust indentation in smc911x_phy_configure net: tulip: Adjust indentation in {dmfe, uli526x}_init_module IB/mlx5: Fix outstanding_pi index for GSI qps IB/core: Fix ODP get user pages flow nfsd: fix delay timer on 32-bit architectures nfsd: fix jiffies/time_t mixup in LRU list nfsd: Return the correct number of bytes written to the file ubi: fastmap: Fix inverted logic in seen selfcheck ubi: Fix an error pointer dereference in error handling code mfd: da9062: Fix watchdog compatible string mfd: rn5t618: Mark ADC control register volatile bonding/alb: properly access headers in bond_alb_xmit() net: dsa: bcm_sf2: Only 7278 supports 2Gb/sec IMP port net: mvneta: move rx_dropped and rx_errors in per-cpu stats net_sched: fix a resource leak in tcindex_set_parms() net: systemport: Avoid RBUF stuck in Wake-on-LAN mode net/mlx5: IPsec, Fix esp modify function attribute net/mlx5: IPsec, fix memory leak at mlx5_fpga_ipsec_delete_sa_ctx net: macb: Remove unnecessary alignment check for TSO net: macb: Limit maximum GEM TX length in TSO net: dsa: b53: Always use dev->vlan_enabled in b53_configure_vlan() ext4: fix deadlock allocating crypto bounce page from mempool btrfs: use bool argument in free_root_pointers() btrfs: free block groups after free'ing fs trees drm: atmel-hlcdc: enable clock before configuring timing engine drm/dp_mst: Remove VCPI while disabling topology mgr btrfs: flush write bio if we loop in extent_write_cache_pages KVM: x86/mmu: Apply max PA check for MMIO sptes to 32-bit KVM KVM: x86: Use gpa_t for cr2/gpa to fix TDP support on 32-bit KVM KVM: VMX: Add non-canonical check on writes to RTIT address MSRs KVM: nVMX: vmread should not set rflags to specify success in case of #PF KVM: Use vcpu-specific gva->hva translation when querying host page size KVM: Play nice with read-only memslots when querying host page size mm: zero remaining unavailable struct pages mm: return zero_resv_unavail optimization mm/page_alloc.c: fix uninitialized memmaps on a partially populated last section cifs: fail i/o on soft mounts if sessionsetup errors out x86/apic/msi: Plug non-maskable MSI affinity race clocksource: Prevent double add_timer_on() for watchdog_timer perf/core: Fix mlock accounting in perf_mmap() rxrpc: Fix service call disconnection Linux 4.19.103 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I0d7f09085c3541373e0fd6b2e3ffacc5e34f7d55 |
||
Brian Norris
|
eab22172e9 |
mwifiex: fix unbalanced locking in mwifiex_process_country_ie()
commit 65b1aae0d9d5962faccc06bdb8e91a2a0b09451c upstream. We called rcu_read_lock(), so we need to call rcu_read_unlock() before we return. Fixes: 3d94a4a8373b ("mwifiex: fix possible heap overflow in mwifiex_process_country_ie()") Cc: stable@vger.kernel.org Cc: huangwen <huangwenabc@gmail.com> Cc: Ganapathi Bhat <ganapathi.bhat@nxp.com> Signed-off-by: Brian Norris <briannorris@chromium.org> Acked-by: Ganapathi Bhat <ganapathi.bhat@nxp.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Luca Coelho
|
d07acc5e16 |
iwlwifi: don't throw error when trying to remove IGTK
commit 197288d5ba8a5289f22d3aeb4fca3824bfd9b4af upstream. The IGTK keys are only removed by mac80211 after it has already removed the AP station. This causes the driver to throw an error because mac80211 is trying to remove the IGTK when the station doesn't exist anymore. The firmware is aware that the station has been removed and can deal with it the next time we try to add an IGTK for a station, so we shouldn't try to remove the key if the station ID is IWL_MVM_INVALID_STA. Do this by removing the check for mvm_sta before calling iwl_mvm_send_sta_igtk() and check return from that function gracefully if the station ID is invalid. Cc: stable@vger.kernel.org # 4.12+ Signed-off-by: Luca Coelho <luciano.coelho@intel.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Navid Emamdoost
|
0eb1a43563 |
brcmfmac: Fix memory leak in brcmf_usbdev_qinit
commit 4282dc057d750c6a7dd92953564b15c26b54c22c upstream.
In the implementation of brcmf_usbdev_qinit() the allocated memory for
reqs is leaking if usb_alloc_urb() fails. Release reqs in the error
handling path.
Fixes:
|
||
Luca Coelho
|
9940e10dd2 |
iwlwifi: mvm: fix NVM check for 3168 devices
[ Upstream commit b3f20e098293892388d6a0491d6bbb2efb46fbff ] We had a check on !NVM_EXT and then a check for NVM_SDP in the else block of this if. The else block, obviously, could only be reached if using NVM_EXT, so it would never be NVM_SDP. Fix that by checking whether the nvm_type is IWL_NVM instead of checking for !IWL_NVM_EXT to solve this issue. Reported-by: Stefan Sperling <stsp@stsp.name> Signed-off-by: Luca Coelho <luciano.coelho@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Greg Kroah-Hartman
|
83b584a64c |
This is the 4.19.102 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl461NIACgkQONu9yGCS aT6Mqw//W5xIIcs0Ut+P+QYNN6lCTRJ0AvFUolz79M3pyK/rHUluwTvYJbDAeGE3 sckv96rE1pxj5ZSf6LegXIoALrA4RlYHS8xXkYnRrt6xfrb7UwpqsJtt4Mx+IrJ3 9uFfaWRSvuDfRCraZxLiE2Bl9xVYvaPfFJYBmH383VB+deYNfpwORFsqNDQT+gR6 PZLuV0x//Kerwmd4OvaaHR/fIl8YVKmIz5lu3+3WIuVKxTK6Bbd3YzVu13dhVaX2 mETflLEAO/sYsUQiS4SO22ejLAiWyD8LyMV8s9KeTFQXzML3JpibKnt3ySDfzsFE m8VRlaLcQwB0Ca2AVGHA5QV0+V+2+6qh/IcZl630feBueGQX59qLQkOurD4e/9lm Na6ZkLPTh9UipIfTu9fvA5HY5lPt2VcSWwG2nLluckfJIpKNFVQEB7vuk9zd7468 qkXmj/J1YDdJzt2YgD0WZuKu3f1/No7rXbNmT2Oj0+HNWWvIU9xFNFlIPAxo7pJy kwekd9+gHI0n1OhLRjzYUyf0pD+j0o75ZHsYYsUW0y6cGoWX/LmQ8JPFi+waHiov FOe8FJz/uDtfQnJ4+izAM5Jjbu1LE+L8uGoIExYAv4DuXgPZtI2wtHvP4HHM3Aov mDWLesMgizsroViv57aXC0C1ZPksPpGeHT+HcH7RnDQ0kQmpe3E= =2XGW -----END PGP SIGNATURE----- Merge 4.19.102 into android-4.19 Changes in 4.19.102 vfs: fix do_last() regression x86/resctrl: Fix use-after-free when deleting resource groups x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup x86/resctrl: Fix a deadlock due to inaccurate reference crypto: pcrypt - Fix user-after-free on module unload rsi: add hci detach for hibernation and poweroff rsi: fix use-after-free on failed probe and unbind perf c2c: Fix return type for histogram sorting comparision functions PM / devfreq: Add new name attribute for sysfs tools lib: Fix builds when glibc contains strlcpy() arm64: kbuild: remove compressed images on 'make ARCH=arm64 (dist)clean' ext4: validate the debug_want_extra_isize mount option at parse time mm/mempolicy.c: fix out of bounds write in mpol_parse_str() reiserfs: Fix memory leak of journal device string media: digitv: don't continue if remote control state can't be read media: af9005: uninitialized variable printked media: vp7045: do not read uninitialized values if usb transfer fails media: gspca: zero usb_buf media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0 tomoyo: Use atomic_t for statistics counter ttyprintk: fix a potential deadlock in interrupt context issue Bluetooth: Fix race condition in hci_release_sock() cgroup: Prevent double killing of css when enabling threaded cgroup media: si470x-i2c: Move free() past last use of 'radio' ARM: dts: sun8i: a83t: Correct USB3503 GPIOs polarity ARM: dts: am57xx-beagle-x15/am57xx-idk: Remove "gpios" for endpoint dt nodes ARM: dts: beagle-x15-common: Model 5V0 regulator soc: ti: wkup_m3_ipc: Fix race condition with rproc_boot tools lib traceevent: Fix memory leakage in filter_event rseq: Unregister rseq for clone CLONE_VM clk: sunxi-ng: h6-r: Fix AR100/R_APB2 parent order mac80211: mesh: restrict airtime metric to peered established plinks clk: mmp2: Fix the order of timer mux parents ASoC: rt5640: Fix NULL dereference on module unload ixgbevf: Remove limit of 10 entries for unicast filter list ixgbe: Fix calculation of queue with VFs and flow director on interface flap igb: Fix SGMII SFP module discovery for 100FX/LX. platform/x86: GPD pocket fan: Allow somewhat lower/higher temperature limits ASoC: sti: fix possible sleep-in-atomic qmi_wwan: Add support for Quectel RM500Q parisc: Use proper printk format for resource_size_t wireless: fix enabling channel 12 for custom regulatory domain cfg80211: Fix radar event during another phy CAC mac80211: Fix TKIP replay protection immediately after key setup wireless: wext: avoid gcc -O3 warning netfilter: nft_tunnel: ERSPAN_VERSION must not be null net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec bnxt_en: Fix ipv6 RFS filter matching logic. riscv: delete temporary files iwlwifi: Don't ignore the cap field upon mcc update ARM: dts: am335x-boneblack-common: fix memory size vti[6]: fix packet tx through bpf_redirect() xfrm interface: fix packet tx through bpf_redirect() xfrm: interface: do not confirm neighbor when do pmtu update scsi: fnic: do not queue commands during fwreset ARM: 8955/1: virt: Relax arch timer version check during early boot tee: optee: Fix compilation issue with nommu airo: Fix possible info leak in AIROOLDIOCTL/SIOCDEVPRIVATE airo: Add missing CAP_NET_ADMIN check in AIROOLDIOCTL/SIOCDEVPRIVATE r8152: get default setting of WOL before initializing ARM: dts: am43x-epos-evm: set data pin directions for spi0 and spi1 qlcnic: Fix CPU soft lockup while collecting firmware dump powerpc/fsl/dts: add fsl,erratum-a011043 net/fsl: treat fsl,erratum-a011043 net: fsl/fman: rename IF_MODE_XGMII to IF_MODE_10G seq_tab_next() should increase position index l2t_seq_next should increase position index net: Fix skb->csum update in inet_proto_csum_replace16(). btrfs: do not zero f_bavail if we have available space perf report: Fix no libunwind compiled warning break s390 issue mm/migrate.c: also overwrite error when it is bigger than zero Linux 4.19.102 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ia9b63c7932b66f469ab0e88467e1e07741408f0b |
||
Michael Ellerman
|
c82866b251 |
airo: Add missing CAP_NET_ADMIN check in AIROOLDIOCTL/SIOCDEVPRIVATE
[ Upstream commit 78f7a7566f5eb59321e99b55a6fdb16ea05b37d1 ] The driver for Cisco Aironet 4500 and 4800 series cards (airo.c), implements AIROOLDIOCTL/SIOCDEVPRIVATE in airo_ioctl(). The ioctl handler copies an aironet_ioctl struct from userspace, which includes a command. Some of the commands are handled in readrids(), where the user controlled command is converted into a driver-internal value called "ridcode". There are two command values, AIROGWEPKTMP and AIROGWEPKNV, which correspond to ridcode values of RID_WEP_TEMP and RID_WEP_PERM respectively. These commands both have checks that the user has CAP_NET_ADMIN, with the comment that "Only super-user can read WEP keys", otherwise they return -EPERM. However there is another command value, AIRORRID, that lets the user specify the ridcode value directly, with no other checks. This means the user can bypass the CAP_NET_ADMIN check on AIROGWEPKTMP and AIROGWEPKNV. Fix it by moving the CAP_NET_ADMIN check out of the command handling and instead do it later based on the ridcode. That way regardless of whether the ridcode is set via AIROGWEPKTMP or AIROGWEPKNV, or passed in using AIRORID, we always do the CAP_NET_ADMIN check. Found by Ilja by code inspection, not tested as I don't have the required hardware. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Michael Ellerman
|
eb935b3440 |
airo: Fix possible info leak in AIROOLDIOCTL/SIOCDEVPRIVATE
[ Upstream commit d6bce2137f5d6bb1093e96d2f801479099b28094 ] The driver for Cisco Aironet 4500 and 4800 series cards (airo.c), implements AIROOLDIOCTL/SIOCDEVPRIVATE in airo_ioctl(). The ioctl handler copies an aironet_ioctl struct from userspace, which includes a command and a length. Some of the commands are handled in readrids(), which kmalloc()'s a buffer of RIDSIZE (2048) bytes. That buffer is then passed to PC4500_readrid(), which has two cases. The else case does some setup and then reads up to RIDSIZE bytes from the hardware into the kmalloc()'ed buffer. Here len == RIDSIZE, pBuf is the kmalloc()'ed buffer: // read the rid length field bap_read(ai, pBuf, 2, BAP1); // length for remaining part of rid len = min(len, (int)le16_to_cpu(*(__le16*)pBuf)) - 2; ... // read remainder of the rid rc = bap_read(ai, ((__le16*)pBuf)+1, len, BAP1); PC4500_readrid() then returns to readrids() which does: len = comp->len; if (copy_to_user(comp->data, iobuf, min(len, (int)RIDSIZE))) { Where comp->len is the user controlled length field. So if the "rid length field" returned by the hardware is < 2048, and the user requests 2048 bytes in comp->len, we will leak the previous contents of the kmalloc()'ed buffer to userspace. Fix it by kzalloc()'ing the buffer. Found by Ilja by code inspection, not tested as I don't have the required hardware. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Haim Dreyfuss
|
2c00f819a7 |
iwlwifi: Don't ignore the cap field upon mcc update
[ Upstream commit 2763bba6328c53c455d8f7f5302b80030551c31b ] When receiving a new MCC driver get all the data about the new country code and its regulatory information. Mistakenly, we ignored the cap field, which includes global regulatory information which should be applies to every channel. Fix it. Signed-off-by: Haim Dreyfuss <haim.dreyfuss@intel.com> Signed-off-by: Luca Coelho <luciano.coelho@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Johan Hovold
|
94b4f57a9c |
rsi: fix use-after-free on failed probe and unbind
[ Upstream commit e93cd35101b61e4c79149be2cfc927c4b28dc60c ] Make sure to stop both URBs before returning after failed probe as well as on disconnect to avoid use-after-free in the completion handler. Reported-by: syzbot+b563b7f8dbe8223a51e8@syzkaller.appspotmail.com Fixes: |
||
Siva Rebbagondla
|
28fc6259cf |
rsi: add hci detach for hibernation and poweroff
[ Upstream commit cbde979b33fa16e06dadc2c81093699a2bc787db ] As we missed to detach HCI, while entering power off or hibernation, an extra hci interface gets created whenever system is woken up, to avoid this we added hci_detach() in rsi_disconnect(), rsi_freeze(), and rsi_shutdown() functions which are invoked for these tests. This patch fixes the issue Signed-off-by: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Greg Kroah-Hartman
|
1b44c9bd91 |
This is the 4.19.101 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl41RsgACgkQONu9yGCS aT4P7A/+PZVt4c6phHZ9tj0OV4TjAWfu3IX9nLypzyBxjmBeJu8yt1pkNrfKj6fT +N3MjDlmAYss5CV6SOACPWXdhAQF3SsM6PR+CSrzwpS3+iAVTqNTaHpZqJFBgr3R cDe+MksbMLDpw3x+hXWV1E6WKcJZZJVeANuaD09HQDRVqKw1hRGxGEdyPChEjT71 Ml3o9a2TYzOvRClBtBHPRQNy/MP4cVv06kS7jefDNh1z9PMsD2w01W54ur44WFJb aujt6bLyJlcs0cPdSkU7D8pmgzs/0cxW8N+4gCpfW66P6FJL8SU4RDTujUARlyvC oP5d62XrARXAO0hh1NYdWyUqpQjOFJRTWfEqW+lFGo5s9yL9oPW8vcCBKBuZfg+u HlVCCTCyU/IJN0DMeqdneThDg8sxirlzHu/NllgGIf7rhyMRqRmruQZXc1W3/7e8 UgqqAEFkgVmJgq3mVWlHsV5Fmgb+PQlqj4rSB05wlAbXsQwF0nbSS/lsvwDR8qqE 8nO/PQoxpQyAOYJ+iyaCsq51IsJUCwWOto8L/RpdYSbFpLTn+BRmNdDr7jHOVnPl FshugoXijE6IrVGIJhJBGGy/E+eG8Dru7IZEsi2UZLsw+bBvucqv7raIHAJ2YRaL 8ZuwwmvpZpCOdYSWa7lIgqZb0qOTyR+b6UQ57X8hS5U3MZ2jMOE= =+bpt -----END PGP SIGNATURE----- Merge 4.19.101 into android-4.19 Changes in 4.19.101 orinoco_usb: fix interface sanity check rsi_91x_usb: fix interface sanity check usb: dwc3: pci: add ID for the Intel Comet Lake -V variant USB: serial: ir-usb: add missing endpoint sanity check USB: serial: ir-usb: fix link-speed handling USB: serial: ir-usb: fix IrLAP framing usb: dwc3: turn off VBUS when leaving host mode staging: most: net: fix buffer overflow staging: wlan-ng: ensure error return is actually returned staging: vt6656: correct packet types for CTS protect, mode. staging: vt6656: use NULLFUCTION stack on mac80211 staging: vt6656: Fix false Tx excessive retries reporting. serial: 8250_bcm2835aux: Fix line mismatch on driver unbind component: do not dereference opaque pointer in debugfs mei: me: add comet point (lake) H device ids iio: st_gyro: Correct data for LSM9DS0 gyro crypto: chelsio - fix writing tfm flags to wrong place cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() ath9k: fix storage endpoint lookup brcmfmac: fix interface sanity check rtl8xxxu: fix interface sanity check zd1211rw: fix storage endpoint lookup net_sched: ematch: reject invalid TCF_EM_SIMPLE net_sched: fix ops->bind_class() implementations HID: multitouch: Add LG MELF0410 I2C touchscreen support arc: eznps: fix allmodconfig kconfig warning HID: Add quirk for Xin-Mo Dual Controller HID: ite: Add USB id match for Acer SW5-012 keyboard dock HID: Add quirk for incorrect input length on Lenovo Y720 drivers/hid/hid-multitouch.c: fix a possible null pointer access. phy: qcom-qmp: Increase PHY ready timeout phy: cpcap-usb: Prevent USB line glitches from waking up modem watchdog: max77620_wdt: fix potential build errors watchdog: rn5t618_wdt: fix module aliases spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls drivers/net/b44: Change to non-atomic bit operations on pwol_mask net: wan: sdla: Fix cast from pointer to integer of different size gpio: max77620: Add missing dependency on GPIOLIB_IRQCHIP atm: eni: fix uninitialized variable warning HID: steam: Fix input device disappearing platform/x86: dell-laptop: disable kbd backlight on Inspiron 10xx PCI: Add DMA alias quirk for Intel VCA NTB iommu/amd: Support multiple PCI DMA aliases in IRQ Remapping ARM: OMAP2+: SmartReflex: add omap_sr_pdata definition usb-storage: Disable UAS on JMicron SATA enclosure sched/fair: Add tmp_alone_branch assertion sched/fair: Fix insertion in rq->leaf_cfs_rq_list rsi: fix use-after-free on probe errors rsi: fix memory leak on failed URB submission rsi: fix non-atomic allocation in completion handler crypto: af_alg - Use bh_lock_sock in sk_destruct random: try to actively add entropy rather than passively wait for it block: cleanup __blkdev_issue_discard() block: fix 32 bit overflow in __blkdev_issue_discard() KVM: arm64: Write arch.mdcr_el2 changes since last vcpu_load on VHE Linux 4.19.101 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I801cd8d04eea35b4b53957cc69c0987d88094992 |