OSDN Git Service
Yunyun Cao [Thu, 6 Sep 2018 03:37:11 +0000 (11:37 +0800)]
drm/msm/hdmi: add rgb flag for HDMI customized mode
Add rgb flag to make sure HDMI customized mode pass
the format check.
Change-Id: I2d1df731bef493e15f83dac569673589e2408c68
Signed-off-by: Yunyun Cao <yunyunc@codeaurora.org>
Gerrit - the friendly Code Review server [Wed, 5 Sep 2018 18:56:52 +0000 (11:56 -0700)]
Merge changes into msm-4.4
Linux Build Service Account [Wed, 5 Sep 2018 11:32:32 +0000 (04:32 -0700)]
Merge "nl80211: nl80211_update_ft_ies to validate NL80211_ATTR_IE"
Arunk Khandavalli [Wed, 5 Sep 2018 07:11:22 +0000 (12:41 +0530)]
nl80211: nl80211_update_ft_ies to validate NL80211_ATTR_IE
Current nl80211_update_ft_ies doesn't validate NL80211_ATTR_IE
before dereferencing it, which leads to a null pointer exception
if not passed.
This commit validates this attribute too.
Change-Id: Ia40b02fc218bc26a07bc6b2153f425b8cae3bd82
CRs-Fixed: 2261685
Signed-off-by: Arunk Khandavalli <akhandav@codeaurora.org>
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Linux Build Service Account [Wed, 5 Sep 2018 04:18:58 +0000 (21:18 -0700)]
Merge "net: Include additional rmnet header in flow_dissector"
Gustavo Solaira [Fri, 24 Aug 2018 22:03:55 +0000 (15:03 -0700)]
net: Include additional rmnet header in flow_dissector
Add an additional header in flow_dissector since it
provides some structs that are needed for it.
Change-Id: I654ce9838f704c71b5c5015ef30d88a01a528f0b
Signed-off-by: Gustavo Solaira <gustavos@codeaurora.org>
Gustavo Solaira [Fri, 24 Aug 2018 22:02:24 +0000 (15:02 -0700)]
diag: Only include MHI headers if it is enabled
Only include the MHI header file if CONFIG_MSM_MHI
is enabled, avoid compilation errors if the platform
does not support MHI.
Change-Id: Ic2d84a8bbd066d0d8e50711a7499ae9a959a0b71
Signed-off-by: Gustavo Solaira <gustavos@codeaurora.org>
Linux Build Service Account [Tue, 4 Sep 2018 18:41:12 +0000 (11:41 -0700)]
Merge "asoc : msm: Fix zero size pointer issue"
Linux Build Service Account [Tue, 4 Sep 2018 18:41:11 +0000 (11:41 -0700)]
Merge "net: hns: Fix a skb used after free bug"
Soumya Managoli [Tue, 31 Jul 2018 13:08:29 +0000 (18:38 +0530)]
asoc : msm: Fix zero size pointer issue
APPS crashes randomly due to invalid memory allocation
in q6asm_audio_client_buf_free_contiguous.
Added check to return error if memory allocation size is 0.
Change-Id: I40f49aa147d513b29b56224a5ee77ccbb2dcc110
CRs-Fixed: 2285272
Signed-off-by: Soumya Managoli <smanag@codeaurora.org>
Yunsheng Lin [Thu, 6 Jul 2017 02:22:00 +0000 (10:22 +0800)]
net: hns: Fix a skb used after free bug
skb may be freed in hns_nic_net_xmit_hw() and return NETDEV_TX_OK,
which causes hns_nic_net_xmit to use a freed skb.
BUG: KASAN: use-after-free in hns_nic_net_xmit_hw+0x62c/0x940...
[17659.112635] alloc_debug_processing+0x18c/0x1a0
[17659.117208] __slab_alloc+0x52c/0x560
[17659.120909] kmem_cache_alloc_node+0xac/0x2c0
[17659.125309] __alloc_skb+0x6c/0x260
[17659.128837] tcp_send_ack+0x8c/0x280
[17659.132449] __tcp_ack_snd_check+0x9c/0xf0
[17659.136587] tcp_rcv_established+0x5a4/0xa70
[17659.140899] tcp_v4_do_rcv+0x27c/0x620
[17659.144687] tcp_prequeue_process+0x108/0x170
[17659.149085] tcp_recvmsg+0x940/0x1020
[17659.152787] inet_recvmsg+0x124/0x180
[17659.156488] sock_recvmsg+0x64/0x80
[17659.160012] SyS_recvfrom+0xd8/0x180
[17659.163626] __sys_trace_return+0x0/0x4
[17659.167506] INFO: Freed in kfree_skbmem+0xa0/0xb0 age=23 cpu=1 pid=13
[17659.174000] free_debug_processing+0x1d4/0x2c0
[17659.178486] __slab_free+0x240/0x390
[17659.182100] kmem_cache_free+0x24c/0x270
[17659.186062] kfree_skbmem+0xa0/0xb0
[17659.189587] __kfree_skb+0x28/0x40
[17659.193025] napi_gro_receive+0x168/0x1c0
[17659.197074] hns_nic_rx_up_pro+0x58/0x90
[17659.201038] hns_nic_rx_poll_one+0x518/0xbc0
[17659.205352] hns_nic_common_poll+0x94/0x140
[17659.209576] net_rx_action+0x458/0x5e0
[17659.213363] __do_softirq+0x1b8/0x480
[17659.217062] run_ksoftirqd+0x64/0x80
[17659.220679] smpboot_thread_fn+0x224/0x310
[17659.224821] kthread+0x150/0x170
[17659.228084] ret_from_fork+0x10/0x40
BUG: KASAN: use-after-free in hns_nic_net_xmit+0x8c/0xc0...
[17751.080490] __slab_alloc+0x52c/0x560
[17751.084188] kmem_cache_alloc+0x244/0x280
[17751.088238] __build_skb+0x40/0x150
[17751.091764] build_skb+0x28/0x100
[17751.095115] __alloc_rx_skb+0x94/0x150
[17751.098900] __napi_alloc_skb+0x34/0x90
[17751.102776] hns_nic_rx_poll_one+0x180/0xbc0
[17751.107097] hns_nic_common_poll+0x94/0x140
[17751.111333] net_rx_action+0x458/0x5e0
[17751.115123] __do_softirq+0x1b8/0x480
[17751.118823] run_ksoftirqd+0x64/0x80
[17751.122437] smpboot_thread_fn+0x224/0x310
[17751.126575] kthread+0x150/0x170
[17751.129838] ret_from_fork+0x10/0x40
[17751.133454] INFO: Freed in kfree_skbmem+0xa0/0xb0 age=19 cpu=7 pid=43
[17751.139951] free_debug_processing+0x1d4/0x2c0
[17751.144436] __slab_free+0x240/0x390
[17751.148051] kmem_cache_free+0x24c/0x270
[17751.152014] kfree_skbmem+0xa0/0xb0
[17751.155543] __kfree_skb+0x28/0x40
[17751.159022] napi_gro_receive+0x168/0x1c0
[17751.163074] hns_nic_rx_up_pro+0x58/0x90
[17751.167041] hns_nic_rx_poll_one+0x518/0xbc0
[17751.171358] hns_nic_common_poll+0x94/0x140
[17751.175585] net_rx_action+0x458/0x5e0
[17751.179373] __do_softirq+0x1b8/0x480
[17751.183076] run_ksoftirqd+0x64/0x80
[17751.186691] smpboot_thread_fn+0x224/0x310
[17751.190826] kthread+0x150/0x170
[17751.194093] ret_from_fork+0x10/0x40
Change-Id: I5fbdea5d0264c79dbcc91f8519cda1004b667866
Fixes: 13ac695e7ea1 ("net:hns: Add support of Hip06 SoC to the Hislicon Network Subsystem")
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: lipeng <lipeng321@huawei.com>
Reported-by: Jun He <hjat2005@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Git-commit: 27463ad99f738ed93c7c8b3e2e5bc8c4853a2ff2
Signed-off-by: Dennis Cagle <dcagle@codeaurora.org>
Acked-By: Chinmay Agarwal <chinagar@qti.qualcomm.com>
[ tejaswit@codeaurora.org : resolved minor conflicts ]
Signed-off-by: Tejaswi Tanikella <tejaswit@codeaurora.org>
Akhil P Oommen [Fri, 6 Jul 2018 09:56:11 +0000 (15:26 +0530)]
msm: kgsl: Replace scm call api with its atomic version
scm_call2() API can block indefinitely if another client is using
this API. This is due to a mutex in this API to serialize calls to
the TZ. This blocks the GPU wake up which in turn can result in
kgsl fence timeouts. Since CPZ register programming is handled at
the hypervisor, we can safely avoid this serialization by using
scm_call2_atomic() API which doesn't block.
Change-Id: I48ba3e1a682e1027463a1c6b067e6cfcb4a0e8bc
Signed-off-by: Akhil P Oommen <akhilpo@codeaurora.org>
Linux Build Service Account [Mon, 3 Sep 2018 01:27:50 +0000 (18:27 -0700)]
Merge "ARM: dts: msm: Add 8GB DDR device tree for msm8996 ivi vplatform"
Linux Build Service Account [Sat, 1 Sep 2018 23:12:40 +0000 (16:12 -0700)]
Merge "drm: Pass CRTC ID in userspace vblank events"
Linux Build Service Account [Sat, 1 Sep 2018 23:12:37 +0000 (16:12 -0700)]
Merge "cnss: Use the nosync API in cnss when disabling irq"
Linux Build Service Account [Sat, 1 Sep 2018 23:12:34 +0000 (16:12 -0700)]
Merge "diag: Add protection before accessing md_session_map"
Linux Build Service Account [Sat, 1 Sep 2018 04:18:41 +0000 (21:18 -0700)]
Merge "drm: msm: sde: Fix SMMU fault during DRM test"
Linux Build Service Account [Fri, 31 Aug 2018 19:34:15 +0000 (12:34 -0700)]
Merge "Merge android-4.4.150 (5541782) into msm-4.4"
Linux Build Service Account [Thu, 30 Aug 2018 20:05:57 +0000 (13:05 -0700)]
Merge "icnss: Add a flag to indicare FW rejuvenate"
Linux Build Service Account [Thu, 30 Aug 2018 20:05:56 +0000 (13:05 -0700)]
Merge "msm:ais:Handling bigger value than upper bound in msm_cpp_irq api"
Linux Build Service Account [Thu, 30 Aug 2018 20:05:55 +0000 (13:05 -0700)]
Merge "USB: core: only clean up what we allocated"
Anurag Chouhan [Thu, 30 Aug 2018 08:59:14 +0000 (14:29 +0530)]
icnss: Add a flag to indicare FW rejuvenate
Add a flag to maintain fw rejuvenate state,
set if fw rejuvenate happens and reset at fw ready.
export an API to the wlan host driver to distinguish the
case of ssr or pdr with the FW rejuvenate.
Change-Id: I7a01cc4996f68f78aa13eacf36648331a701882a
Signed-off-by: Anurag Chouhan <achouhan@codeaurora.org>
Linux Build Service Account [Thu, 30 Aug 2018 09:20:54 +0000 (02:20 -0700)]
Merge "Revert "power: wakeup_reason: send uevent to user space""
Zhiqiang Tu [Tue, 21 Aug 2018 06:23:58 +0000 (14:23 +0800)]
ARM: dts: msm: Add 8GB DDR device tree for msm8996 ivi vplatform
Add a new device tree to support 8GB DDR target for msm8996 IVI
virtual platform.
Change-Id: Ia3be942de1c3064aecc59560743849335e8ff60d
Signed-off-by: Anant Goel <anantg@codeaurora.org>
Signed-off-by: Zhiqiang Tu <ztu@codeaurora.org>
Linux Build Service Account [Thu, 30 Aug 2018 00:20:36 +0000 (17:20 -0700)]
Merge "msm: ipa3: Add mutex to prevent race condition"
Linux Build Service Account [Thu, 30 Aug 2018 00:20:35 +0000 (17:20 -0700)]
Merge "msm:ipa: Prevent NAT table deletion only if public ip is not assigned"
Mohammed Javid [Fri, 8 Jun 2018 11:25:32 +0000 (16:55 +0530)]
msm: ipa3: Add mutex to prevent race condition
There is a race condition between ipa3_nat_init_cmd
and ipa_read_nat4. The two threads will R/W the critical
global variables. This will result in race conditions
and possibly buffer overread/overwrite issues. Add code
to prevent this race condition.
Change-Id: I6bf9a837ae941cf3ad9413da6e44821916acf196
Acked-by: Pooja Kumari <kumarip@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
Linux Build Service Account [Wed, 29 Aug 2018 04:19:00 +0000 (21:19 -0700)]
Merge "defconfig : Enable Hibernation support for msm8996AU."
Atul Raut [Mon, 2 Apr 2018 23:25:42 +0000 (16:25 -0700)]
defconfig : Enable Hibernation support for msm8996AU.
Add support to Hibernation for msm8996AU based auto
platform.
Change-Id: I6db195dbf33a146c01b3d097ef9b34cb11019f60
Signed-off-by: Atul Raut <araut@codeaurora.org>
Linux Build Service Account [Tue, 28 Aug 2018 19:48:51 +0000 (12:48 -0700)]
Merge "diag: Update msg mask's ranges properly"
Linux Build Service Account [Tue, 28 Aug 2018 19:48:50 +0000 (12:48 -0700)]
Merge "msm: ipa: Validate routing rule id"
Mohammed Javid [Mon, 27 Aug 2018 10:02:35 +0000 (15:32 +0530)]
msm:ipa: Prevent NAT table deletion only if public ip is not assigned
Currently NAT table is not deleted even if public ip is assigned to
NAT table. Add check to prevent deletion only if public ip is not assigned.
Change-Id: I4855b21472d3f6bf541d07733b18592e9e677ce6
Acked-by: Pooja Kumari <kumarip@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
Hardik Arya [Wed, 8 Aug 2018 09:16:20 +0000 (14:46 +0530)]
diag: Update msg mask's ranges properly
There is a possibility of out-of-bound read if msg mask
ranges received from peripheral are more than max ssid per
range. Cap msg mask's ssid ranges to MAX_SSID_PER_RANGE if
ranges received from peripheral are greater than the same.
Change-Id: I886692ad223e16678bfaecbe381c62fdf3503cb5
Signed-off-by: Hardik Arya <harya@codeaurora.org>
Srinivasarao P [Tue, 28 Aug 2018 11:10:15 +0000 (16:40 +0530)]
Merge android-4.4.150 (5541782) into msm-4.4
* refs/heads/tmp-5541782
Linux 4.4.150
x86/speculation/l1tf: Exempt zeroed PTEs from inversion
Linux 4.4.149
x86/mm: Add TLB purge to free pmd/pte page interfaces
ioremap: Update pgtable free interfaces with addr
Bluetooth: hidp: buffer overflow in hidp_process_report
ASoC: Intel: cht_bsw_max98090_ti: Fix jack initialization
crypto: ablkcipher - fix crash flushing dcache in error path
crypto: blkcipher - fix crash flushing dcache in error path
crypto: vmac - separate tfm and request context
crypto: vmac - require a block cipher with 128-bit block size
kbuild: verify that $DEPMOD is installed
i2c: ismt: fix wrong device address when unmap the data buffer
kasan: don't emit builtin calls when sanitization is off
tcp: Fix missing range_truesize enlargement in the backport
x86/mm: Disable ioremap free page handling on x86-PAE
Conflicts:
Makefile
Change-Id: I9cbfedbeb3bdb1df021d4f192a2a7392010cd627
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Linux Build Service Account [Tue, 28 Aug 2018 11:03:01 +0000 (04:03 -0700)]
Merge "soc: qcom: subsystem_notif_virt: Added support for virtual subsystems"
Linux Build Service Account [Tue, 28 Aug 2018 11:03:00 +0000 (04:03 -0700)]
Merge "diag: Prevent out of bound access while initializing msg mask"
Linux Build Service Account [Tue, 28 Aug 2018 11:02:59 +0000 (04:02 -0700)]
Merge "defconfig: msm: Disable configs for GVM platforms"
Linux Build Service Account [Tue, 28 Aug 2018 11:02:58 +0000 (04:02 -0700)]
Merge "diag: Fix HSIC read complete work function"
Linux Build Service Account [Tue, 28 Aug 2018 11:02:57 +0000 (04:02 -0700)]
Merge "ARM: dts: msm: Modify subsys notif virtualization on msm8996 vplatform"
Linux Build Service Account [Tue, 28 Aug 2018 11:02:56 +0000 (04:02 -0700)]
Merge "net: memset smsg to avoid the padding data"
Linux Build Service Account [Tue, 28 Aug 2018 11:02:54 +0000 (04:02 -0700)]
Merge "drm: msm: remove hdcp related error messages"
Mohammed Javid [Mon, 6 Aug 2018 07:28:30 +0000 (12:58 +0530)]
msm: ipa: Validate routing rule id
IPA driver expose routing rule id IOCTL's to user space.
There is a chance of getting invalid routing rule-id.
Validate it before committing it to IPA hardware.
Change-Id: If80b94d3a055f9212d25aff9a57d1b45001ba586
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
Suprith Malligere Shankaregowda [Thu, 23 Aug 2018 07:39:50 +0000 (13:09 +0530)]
msm:ais:Handling bigger value than upper bound in msm_cpp_irq api
In msm_cpp_irq function, tx_level is read using msm_camera_io_r().
However, this value is never verified to be lower than
MSM_CPP_TX_FIFO_LEVEL (16). As tx_level is used as the upper bound
for the following loop, any value bigger than 16 will result in a
buffer overflow. Hence handling this case as error with error log.
Change-Id: I13222b315c3c9ee46bedb8b4e8e161179fea321d
Signed-off-by: Suprith Malligere Shankaregowda <supgow@codeaurora.org>
Anant Goel [Tue, 5 Jun 2018 02:08:21 +0000 (19:08 -0700)]
soc: qcom: subsystem_notif_virt: Added support for virtual subsystems
The driver is modified to allow communication between a virtual
subsystem, and its native clients.
Change-Id: I40854327431f3691f76df9d781dbd0a24090594e
Signed-off-by: Anant Goel <anantg@codeaurora.org>
Anant Goel [Tue, 21 Aug 2018 23:26:57 +0000 (16:26 -0700)]
defconfig: msm: Disable configs for GVM platforms
Remove configs for SMD, SMEM and SMP2P. These configs
are not required for the GVM platform.
Change-Id: I93d154085c6f249cd26949b40a953e66f010e72b
Signed-off-by: Anant Goel <anantg@codeaurora.org>
Linux Build Service Account [Tue, 28 Aug 2018 01:28:20 +0000 (18:28 -0700)]
Merge "drm/msm: check HDMI HFVSDB block before adding formats"
Linux Build Service Account [Tue, 28 Aug 2018 01:28:19 +0000 (18:28 -0700)]
Merge "msm: ais: Fix out-of-bounds read in string class name"
Linux Build Service Account [Tue, 28 Aug 2018 01:28:18 +0000 (18:28 -0700)]
Merge "ARM: dts: msm: Add a reset gpio for ethernet on msm8996 CV2X boards"
Linux Build Service Account [Tue, 28 Aug 2018 01:28:17 +0000 (18:28 -0700)]
Merge "cfg80211: never ignore user regulatory hint"
Linux Build Service Account [Tue, 28 Aug 2018 01:28:16 +0000 (18:28 -0700)]
Merge "Merge android-4.4.148 (f057ff9) into msm-4.4"
Linux Build Service Account [Tue, 28 Aug 2018 01:28:15 +0000 (18:28 -0700)]
Merge "icnss: Clear ICNSS_MSA0_ASSIGNED flag in cap failure case"
Linux Build Service Account [Tue, 28 Aug 2018 01:28:14 +0000 (18:28 -0700)]
Merge "msm: ais: change csid to avoid overflow"
Anant Goel [Tue, 5 Jun 2018 01:58:24 +0000 (18:58 -0700)]
ARM: dts: msm: Modify subsys notif virtualization on msm8996 vplatform
Modify subsys_notif_virt device to enable communication between
subsystems and their registered clients.
Change-Id: Id44081a391c55f1326082e6b629e69b7de5dbb9e
Signed-off-by: Anant Goel <anantg@codeaurora.org>
Manoj Prabhu B [Thu, 16 Aug 2018 09:22:04 +0000 (14:52 +0530)]
diag: Prevent out of bound access while initializing msg mask
Move the mask_info mutex initialization outside mask structure
to facilitate prevention of out of bound access while initializing
msg mask during md session creation. Use separate msg_mask_tbl_count
for ODL session msg mask and regular msg mask to prevent out of
bound access in a possible race condition of accessing mask ranges.
Change-Id: I87497c67daff8cc1797a1266d50456bdbd3a9c23
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Aditya Mathur [Fri, 24 Aug 2018 19:12:04 +0000 (12:12 -0700)]
ARM: dts: msm: Add a reset gpio for ethernet on msm8996 CV2X boards
Enable reset gpio for Neutrino ethernet for
msm8996 CV2X boards
Change-Id: I6b00a76640184d34feee382cd1c6de1427464719
Signed-off-by: Aditya Mathur <aditmath@codeaurora.org>
Hardik Kantilal Patel [Tue, 21 Aug 2018 09:10:19 +0000 (14:40 +0530)]
icnss: Clear ICNSS_MSA0_ASSIGNED flag in cap failure case
During capability qmi message failure ICNSS_MSA0_ASSIGNED
flag is not getting cleared. Due to this after PDR/SSR next
time it is not configuring the MSA0 permission to q6 which
results in NOC error as q6 is not having access permission.
To address above issue clear ICNSS_MSA0_ASSIGNED bit in
failure case.
CRs-Fixed: 2300877
Change-Id: I6aeaedb5a394b843c4f1c8ef1e0be47a6947b331
Signed-off-by: Hardik Kantilal Patel <hkpatel@codeaurora.org>
Linux Build Service Account [Fri, 24 Aug 2018 06:15:46 +0000 (23:15 -0700)]
Merge "soc: qcom: hab: fix the incompatible pointer initialization warning"
Linux Build Service Account [Fri, 24 Aug 2018 06:15:44 +0000 (23:15 -0700)]
Merge "defconfig: gvm: enable TCPMSS and RPFILTER"
Linux Build Service Account [Fri, 24 Aug 2018 06:15:40 +0000 (23:15 -0700)]
Merge "ARM: dts: msm: Enable upscaling on Sharp Dual DSI panel"
Amar Singhal [Fri, 20 Jul 2018 19:15:18 +0000 (12:15 -0700)]
cfg80211: never ignore user regulatory hint
Currently user regulatory hint is ignored if all wiphys
in the system are self managed. But the hint is not ignored
if there is no wiphy in the system. This affects the global
regulatory setting. Global regulatory setting needs to be
maintained so that it can be applied to a new wiphy entering
the system. Therefore, do not ignore user regulatory setting
even if all wiphys in the system are self managed.
Signed-off-by: Amar Singhal <asinghal@codeaurora.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Change-Id: I468fcd3403259b03369e011fa41b003e8ff33d3c
CRs-Fixed: 2276224
Git-commit: e31f6456c01c76f154e1b25cd54df97809a49edb
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211.git
Signed-off-by: Amar Singhal <asinghal@codeaurora.org>
Srinivasarao P [Thu, 16 Aug 2018 05:01:30 +0000 (10:31 +0530)]
Merge android-4.4.148 (f057ff9) into msm-4.4
* refs/heads/tmp-f057ff9
Linux 4.4.148
x86/speculation/l1tf: Unbreak !__HAVE_ARCH_PFN_MODIFY_ALLOWED architectures
x86/init: fix build with CONFIG_SWAP=n
x86/speculation/l1tf: Fix up CPU feature flags
x86/mm/kmmio: Make the tracer robust against L1TF
x86/mm/pat: Make set_memory_np() L1TF safe
x86/speculation/l1tf: Make pmd/pud_mknotpresent() invert
x86/speculation/l1tf: Invert all not present mappings
x86/speculation/l1tf: Fix up pte->pfn conversion for PAE
x86/speculation/l1tf: Protect PAE swap entries against L1TF
x86/cpufeatures: Add detection of L1D cache flush support.
x86/speculation/l1tf: Extend 64bit swap file size limit
x86/bugs: Move the l1tf function and define pr_fmt properly
x86/speculation/l1tf: Limit swap file size to MAX_PA/2
x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings
mm: fix cache mode tracking in vm_insert_mixed()
mm: Add vm_insert_pfn_prot()
x86/speculation/l1tf: Add sysfs reporting for l1tf
x86/speculation/l1tf: Make sure the first page is always reserved
x86/speculation/l1tf: Protect PROT_NONE PTEs against speculation
x86/speculation/l1tf: Protect swap entries against L1TF
x86/speculation/l1tf: Change order of offset/type in swap entry
mm: x86: move _PAGE_SWP_SOFT_DIRTY from bit 7 to bit 1
x86/mm: Fix swap entry comment and macro
x86/mm: Move swap offset/type up in PTE to work around erratum
x86/speculation/l1tf: Increase 32bit PAE __PHYSICAL_PAGE_SHIFT
x86/irqflags: Provide a declaration for native_save_fl
kprobes/x86: Fix %p uses in error messages
x86/speculation: Protect against userspace-userspace spectreRSB
x86/paravirt: Fix spectre-v2 mitigations for paravirt guests
ARM: dts: imx6sx: fix irq for pcie bridge
IB/ocrdma: fix out of bounds access to local buffer
IB/mlx4: Mark user MR as writable if actual virtual memory is writable
IB/core: Make testing MR flags for writability a static inline function
fix __legitimize_mnt()/mntput() race
fix mntput/mntput race
root dentries need RCU-delayed freeing
scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled
ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices
xen/netfront: don't cache skb_shinfo()
parisc: Define mb() and add memory barriers to assembler unlock sequences
parisc: Enable CONFIG_MLONGCALLS by default
fork: unconditionally clear stack on fork
ipv4+ipv6: Make INET*_ESP select CRYPTO_ECHAINIV
tpm: fix race condition in tpm_common_write()
ext4: fix check to prevent initializing reserved inodes
Linux 4.4.147
jfs: Fix inconsistency between memory allocation and ea_buf->max_size
i2c: imx: Fix reinit_completion() use
ring_buffer: tracing: Inherit the tracing setting to next ring buffer
ACPI / PCI: Bail early in acpi_pci_add_bus() if there is no ACPI handle
ext4: fix false negatives *and* false positives in ext4_check_descriptors()
netlink: Don't shift on 64 for ngroups
netlink: Don't shift with UB on nlk->ngroups
netlink: Do not subscribe to non-existent groups
nohz: Fix local_timer_softirq_pending()
genirq: Make force irq threading setup more robust
scsi: qla2xxx: Return error when TMF returns
scsi: qla2xxx: Fix ISP recovery on unload
Conflicts:
include/linux/swapfile.h
Removed CONFIG_CRYPTO_ECHAINIV from defconfig files since this upmerge is
adding this config to Kconfig file.
Change-Id: Ide96c29f919d76590c2bdccf356d1d464a892fd7
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Kaustubh Pandey [Mon, 20 Aug 2018 07:30:36 +0000 (13:00 +0530)]
net: memset smsg to avoid the padding data
memset smsg to avoid the padding data of kernel to be shared
with user space. Fix is to set fields event to all "0", but there is
actually 6 bytes padding between "sktype" and "skflags", so memset was
done to set all the padding bits to 0.
CRs-Fixed: 2287852
Change-Id: I435486b80ad19c5fa54b098680623e7a4f080198
Signed-off-by: Kaustubh Pandey <kapandey@codeaurora.org>
Acked-by: Chinmay Agarwal <chinagar@qti.qualcomm.com>
Yong Ding [Wed, 22 Aug 2018 02:43:57 +0000 (10:43 +0800)]
soc: qcom: hab: fix the incompatible pointer initialization warning
Such warning of "initialization from incompatible pointer type"
is found in the build time, and it's good to fix it.
Change-Id: Iaf820ae7ec4a7851185febbdebaaab3706fb2402
Signed-off-by: Yong Ding <yongding@codeaurora.org>
Nijun Gong [Wed, 22 Aug 2018 12:14:20 +0000 (20:14 +0800)]
defconfig: gvm: enable TCPMSS and RPFILTER
wlan tether function depends on these
Change-Id: Ia00c752b46b23e9e4955e09bb9d69231a3b6cabc
Signed-off-by: Nijun Gong <ngong@codeaurora.org>
Abhinav Kumar [Sat, 4 Aug 2018 02:15:28 +0000 (19:15 -0700)]
drm/msm: check HDMI HFVSDB block before adding formats
Currently, the EDID parser adds the formats based on the
parsing of the Video data blocks and other CTA blocks.
However, there is no input validation based on the
HDMI HFVSDB block to check whether the mode advertised
by the sink actually falls in the TMDS char rate limits.
Add this check in the EDID parser to make sure invalid
formats are not added to the list.
Change-Id: I9a8e8f023924421710cf27402be98150554d0271
Signed-off-by: Abhinav Kumar <abhinavk@codeaurora.org>
Ander Conselvan de Oliveira [Tue, 4 Apr 2017 16:52:21 +0000 (17:52 +0100)]
drm: Pass CRTC ID in userspace vblank events
With the atomic API, it is possible that a single commit affects
multiple crtcs. If the user requests an event with that commit, one
event will be sent for each CRTC, but it is not possible to distinguish
which crtc an event is for in user space. To solve this, the reserved
field in struct drm_vblank_event is repurposed to include the crtc_id
which the event is for.
The DRM_CAP_CRTC_IN_VBLANK_EVENT is added to allow userspace to query if
the crtc field will be set properly.
[daniels: Rebased, using Maarten's forward-port.]
Change-Id: I48b6b3ab4c97b20b79ebff0cb367acb1f53e95cc
Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
Signed-off-by: Daniel Stone <daniels@collabora.com>
Cc: Maarten Lankhorst <maarten.lankhorst@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20170404165221.28240-2-daniels@collabora.com
[abhinavk@codeaurora.org: resolved trivial merge conflicts]
Git-commit: 5db06a8a98f515f67446a69c57577c4c363ec65d
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Abhinav Kumar <abhinavk@codeaurora.org>
Linux Build Service Account [Tue, 21 Aug 2018 20:10:24 +0000 (13:10 -0700)]
Merge "iommu/arm-smmu: Add Hibernation support"
Siddhartha Agrawal [Fri, 22 Jun 2018 20:09:03 +0000 (13:09 -0700)]
iommu/arm-smmu: Add Hibernation support
This adds support for saving the arm-smmu client's context
just before going into hibernation. This context is restored
on the subsequent hibernate restore.
Also, invalidate the TLB during the restore phase to avoid
wrong translations post-resume.
Change-Id: Idd8d12bb4d13f8a62bd51e0adaad82bd92f658ee
Signed-off-by: vkakani <vkakani@codeaurora.org>
Signed-off-by: Arun KS <arunks@codeaurora.org>
Signed-off-by: Atul Raut <araut@codeaurora.org>
Signed-off-by: Siddhartha Agrawal <agrawals@codeaurora.org>
Chunhuan Zhan [Mon, 13 Aug 2018 10:02:12 +0000 (18:02 +0800)]
msm: ais: change csid to avoid overflow
Check the cid number to be less than MAX_CID in csid.
Change-Id: I16777dc8e8c72e01dc10490cd4c205c939adb7b5
Signed-off-by: Chunhuan Zhan <zhanc@codeaurora.org>
Signed-off-by: Rahul Sharma <rahsha@codeaurora.org>
Deepak Shankar [Thu, 16 Aug 2018 09:29:17 +0000 (14:59 +0530)]
msm: ais: Fix out-of-bounds read in string class name
jpeg driver is calling class_create with stack variable, which
can be overwritten by other stack variables.
Change-Id: I92ccd4629cef8a06b7715b8483cf53a9607bd22f
Signed-off-by: Deepak Shankar <dees@codeaurora.org>
Signed-off-by: Rahul Sharma <rahsha@codeaurora.org>
Jack Pham [Sat, 18 Aug 2018 07:06:58 +0000 (00:06 -0700)]
Revert "usb: phy: dual-role: update sysfs attrs when changed"
This reverts commit 563b2f7a6bed72d34560df5f4358e948eb52a43f.
The previous approach of dynamically updating the writeable
permission bits of the power/data_role attributes only works
if the userspace application has root permission since the
call to sysfs_update_group() removes and re-adds the files. If
they had previously been chown/chgrp'ed, the ownership would be
reset. On the other hand, if there was a ueventd rule to
dynamically update the ownership, then the mode would always
be overridden with the static umask given in the ueventd rule,
contradicting the driver's determination of writeability.
Hence, the more comprehensive fix should be done in userspace
to not rely solely on writeability. Still, this change needs
to be reverted since it can still cause a race between ueventd
and the userspace service trying to check writability.
Change-Id: Ic667a97f2bae41e5a86ee45565518b06db959b36
Signed-off-by: Jack Pham <jackp@codeaurora.org>
Linux Build Service Account [Mon, 20 Aug 2018 15:15:53 +0000 (08:15 -0700)]
Merge "platform: msm: resolve NULL pointer dereference issue"
Linux Build Service Account [Mon, 20 Aug 2018 07:38:29 +0000 (00:38 -0700)]
Merge "msm: adsprpc: DSP device node to provide restricted access to ADSP/SLPI"
Greg Kroah-Hartman [Sat, 18 Aug 2018 09:35:52 +0000 (11:35 +0200)]
Merge 4.4.150 into android-4.4
Changes in 4.4.150
x86/speculation/l1tf: Exempt zeroed PTEs from inversion
Linux 4.4.150
Change-Id: I2dfd6e160998ae2f55f3b7621df62e96a4511f7c
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Greg Kroah-Hartman [Sat, 18 Aug 2018 08:45:38 +0000 (10:45 +0200)]
Linux 4.4.150
Sean Christopherson [Fri, 17 Aug 2018 17:27:36 +0000 (10:27 -0700)]
x86/speculation/l1tf: Exempt zeroed PTEs from inversion
commit f19f5c49bbc3ffcc9126cc245fc1b24cc29f4a37 upstream.
It turns out that we should *not* invert all not-present mappings,
because the all zeroes case is obviously special.
clear_page() does not undergo the XOR logic to invert the address bits,
i.e. PTE, PMD and PUD entries that have not been individually written
will have val=0 and so will trigger __pte_needs_invert(). As a result,
{pte,pmd,pud}_pfn() will return the wrong PFN value, i.e. all ones
(adjusted by the max PFN mask) instead of zero. A zeroed entry is ok
because the page at physical address 0 is reserved early in boot
specifically to mitigate L1TF, so explicitly exempt them from the
inversion when reading the PFN.
Manifested as an unexpected mprotect(..., PROT_NONE) failure when called
on a VMA that has VM_PFNMAP and was mmap'd to as something other than
PROT_NONE but never used. mprotect() sends the PROT_NONE request down
prot_none_walk(), which walks the PTEs to check the PFNs.
prot_none_pte_entry() gets the bogus PFN from pte_pfn() and returns
-EACCES because it thinks mprotect() is trying to adjust a high MMIO
address.
[ This is a very modified version of Sean's original patch, but all
credit goes to Sean for doing this and also pointing out that
sometimes the __pte_needs_invert() function only gets the protection
bits, not the full eventual pte. But zero remains special even in
just protection bits, so that's ok. - Linus ]
Fixes: f22cc87f6c1f ("x86/speculation/l1tf: Invert all not present mappings")
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Acked-by: Andi Kleen <ak@linux.intel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Greg Kroah-Hartman [Fri, 17 Aug 2018 19:25:15 +0000 (21:25 +0200)]
Merge 4.4.149 into android-4.4
Changes in 4.4.149
x86/mm: Disable ioremap free page handling on x86-PAE
tcp: Fix missing range_truesize enlargement in the backport
kasan: don't emit builtin calls when sanitization is off
i2c: ismt: fix wrong device address when unmap the data buffer
kbuild: verify that $DEPMOD is installed
crypto: vmac - require a block cipher with 128-bit block size
crypto: vmac - separate tfm and request context
crypto: blkcipher - fix crash flushing dcache in error path
crypto: ablkcipher - fix crash flushing dcache in error path
ASoC: Intel: cht_bsw_max98090_ti: Fix jack initialization
Bluetooth: hidp: buffer overflow in hidp_process_report
ioremap: Update pgtable free interfaces with addr
x86/mm: Add TLB purge to free pmd/pte page interfaces
Linux 4.4.149
Change-Id: I1e23095dd229992359341bda5c05e9b5b59fec45
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Greg Kroah-Hartman [Fri, 17 Aug 2018 18:56:45 +0000 (20:56 +0200)]
Linux 4.4.149
Toshi Kani [Wed, 27 Jun 2018 14:13:48 +0000 (08:13 -0600)]
x86/mm: Add TLB purge to free pmd/pte page interfaces
commit 5e0fb5df2ee871b841f96f9cb6a7f2784e96aa4e upstream.
ioremap() calls pud_free_pmd_page() / pmd_free_pte_page() when it creates
a pud / pmd map. The following preconditions are met at their entry.
- All pte entries for a target pud/pmd address range have been cleared.
- System-wide TLB purges have been performed for a target pud/pmd address
range.
The preconditions assure that there is no stale TLB entry for the range.
Speculation may not cache TLB entries since it requires all levels of page
entries, including ptes, to have P & A-bits set for an associated address.
However, speculation may cache pud/pmd entries (paging-structure caches)
when they have P-bit set.
Add a system-wide TLB purge (INVLPG) to a single page after clearing
pud/pmd entry's P-bit.
SDM 4.10.4.1, Operations that Invalidate TLBs and Paging-Structure Caches,
states that:
INVLPG invalidates all paging-structure caches associated with the
current PCID regardless of the linear addresses to which they correspond.
Fixes: 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces")
Signed-off-by: Toshi Kani <toshi.kani@hpe.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: mhocko@suse.com
Cc: akpm@linux-foundation.org
Cc: hpa@zytor.com
Cc: cpandya@codeaurora.org
Cc: linux-mm@kvack.org
Cc: linux-arm-kernel@lists.infradead.org
Cc: Joerg Roedel <joro@8bytes.org>
Cc: stable@vger.kernel.org
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/20180627141348.21777-4-toshi.kani@hpe.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Chintan Pandya [Wed, 27 Jun 2018 14:13:47 +0000 (08:13 -0600)]
ioremap: Update pgtable free interfaces with addr
commit 785a19f9d1dd8a4ab2d0633be4656653bd3de1fc upstream.
The following kernel panic was observed on ARM64 platform due to a stale
TLB entry.
1. ioremap with 4K size, a valid pte page table is set.
2. iounmap it, its pte entry is set to 0.
3. ioremap the same address with 2M size, update its pmd entry with
a new value.
4. CPU may hit an exception because the old pmd entry is still in TLB,
which leads to a kernel panic.
Commit b6bdb7517c3d ("mm/vmalloc: add interfaces to free unmapped page
table") has addressed this panic by falling to pte mappings in the above
case on ARM64.
To support pmd mappings in all cases, TLB purge needs to be performed
in this case on ARM64.
Add a new arg, 'addr', to pud_free_pmd_page() and pmd_free_pte_page()
so that TLB purge can be added later in separate patches.
[toshi.kani@hpe.com: merge changes, rewrite patch description]
Fixes: 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces")
Signed-off-by: Chintan Pandya <cpandya@codeaurora.org>
Signed-off-by: Toshi Kani <toshi.kani@hpe.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: mhocko@suse.com
Cc: akpm@linux-foundation.org
Cc: hpa@zytor.com
Cc: linux-mm@kvack.org
Cc: linux-arm-kernel@lists.infradead.org
Cc: Will Deacon <will.deacon@arm.com>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: stable@vger.kernel.org
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/20180627141348.21777-3-toshi.kani@hpe.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mark Salyzyn [Tue, 31 Jul 2018 22:02:13 +0000 (15:02 -0700)]
Bluetooth: hidp: buffer overflow in hidp_process_report
commit 7992c18810e568b95c869b227137a2215702a805 upstream.
CVE-2018-9363
The buffer length is unsigned at all layers, but gets cast to int and
checked in hidp_process_report and can lead to a buffer overflow.
Switch len parameter to unsigned int to resolve issue.
This affects 3.18 and newer kernels.
Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Fixes: a4b1b5877b514b276f0f31efe02388a9c2836728 ("HID: Bluetooth: hidp: make sure input buffers are big enough")
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Kees Cook <keescook@chromium.org>
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cc: linux-bluetooth@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: security@kernel.org
Cc: kernel-team@android.com
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
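The bug class described in the hidp_process_report commit message above (an unsigned buffer length cast to int before its bounds check), as an added example that is not the kernel's hidp code and not part of the original log. BUF_MAX, the function names and the sample lengths are hypothetical; the sketch assumes a 32-bit int with the usual two's-complement conversion.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_MAX 16u /* constructed destination size, not a kernel constant */

/* "Before" shape: the length is received as int. A value above INT_MAX
 * arrives negative, so the upper-bound check does not fire, and the
 * negative value then widens to a huge size_t at the copy site. */
static size_t clamp_len_signed(int len)
{
    if (len > (int)BUF_MAX)
        len = (int)BUF_MAX;
    return (size_t)len;
}

/* Models the layers that carry the length as unsigned and then hand it
 * to the signed check above. */
static size_t signed_path(unsigned int wire_len)
{
    return clamp_len_signed((int)wire_len);
}

/* "After" shape: the length keeps its unsigned type end to end, so any
 * oversized value is clamped. */
static size_t clamp_len_unsigned(unsigned int len)
{
    if (len > BUF_MAX)
        len = BUF_MAX;
    return (size_t)len;
}

/* Copy that uses the unsigned clamp; src must hold at least BUF_MAX
 * bytes. Returns the number of bytes copied, never more than BUF_MAX. */
static size_t copy_report(unsigned char dst[BUF_MAX],
                          const unsigned char *src, unsigned int claimed_len)
{
    size_t n = clamp_len_unsigned(claimed_len);

    memcpy(dst, src, n);
    return n;
}

int main(void)
{
    unsigned char src[32] = { 0 }; /* constructed input */
    unsigned char dst[BUF_MAX];
    unsigned int claimed = 0xFFFFFFF0u; /* constructed oversized length */

    printf("signed check would copy   %zu bytes\n", signed_path(claimed));
    printf("unsigned check would copy %zu bytes\n", clamp_len_unsigned(claimed));
    printf("copy_report copied        %zu bytes\n",
           copy_report(dst, src, claimed));
    return 0;
}
```

When auditing similar code, check every function on the path from the transport to the copy for an `int` length parameter, not only the function that performs the copy.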
Thierry Escande [Fri, 8 Sep 2017 05:13:08 +0000 (00:13 -0500)]
ASoC: Intel: cht_bsw_max98090_ti: Fix jack initialization
commit 3bbda5a38601f7675a214be2044e41d7749e6c7b upstream.
If the ts3a227e audio accessory detection hardware is present and its
driver probed, the jack needs to be created before enabling jack
detection in the ts3a227e driver. With this patch, the jack is
instantiated in the max98090 headset init function if the ts3a227e is
present. This fixes a null pointer dereference as the jack detection
enabling function in the ts3a driver was called before the jack is
created.
[minor correction to keep error handling on jack creation the same
as before by Pierre Bossart]
Signed-off-by: Thierry Escande <thierry.escande@collabora.com>
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Acked-By: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Biggers [Mon, 23 Jul 2018 17:54:58 +0000 (10:54 -0700)]
crypto: ablkcipher - fix crash flushing dcache in error path
commit 318abdfbe708aaaa652c79fb500e9bd60521f9dc upstream.
Like the skcipher_walk and blkcipher_walk cases:
scatterwalk_done() is only meant to be called after a nonzero number of
bytes have been processed, since scatterwalk_pagedone() will flush the
dcache of the *previous* page. But in the error case of
ablkcipher_walk_done(), e.g. if the input wasn't an integer number of
blocks, scatterwalk_done() was actually called after advancing 0 bytes.
This caused a crash ("BUG: unable to handle kernel paging request")
during '!PageSlab(page)' on architectures like arm and arm64 that define
ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
page-aligned as in that case walk->offset == 0.
Fix it by reorganizing ablkcipher_walk_done() to skip the
scatterwalk_advance() and scatterwalk_done() if an error has occurred.
Reported-by: Liu Chao <liuchao741@huawei.com>
Fixes: bf06099db18a ("crypto: skcipher - Add ablkcipher_walk interfaces")
Cc: <stable@vger.kernel.org> # v2.6.35+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Biggers [Mon, 23 Jul 2018 17:54:57 +0000 (10:54 -0700)]
crypto: blkcipher - fix crash flushing dcache in error path
commit 0868def3e4100591e7a1fdbf3eed1439cc8f7ca3 upstream.
Like the skcipher_walk case:
scatterwalk_done() is only meant to be called after a nonzero number of
bytes have been processed, since scatterwalk_pagedone() will flush the
dcache of the *previous* page. But in the error case of
blkcipher_walk_done(), e.g. if the input wasn't an integer number of
blocks, scatterwalk_done() was actually called after advancing 0 bytes.
This caused a crash ("BUG: unable to handle kernel paging request")
during '!PageSlab(page)' on architectures like arm and arm64 that define
ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
page-aligned as in that case walk->offset == 0.
Fix it by reorganizing blkcipher_walk_done() to skip the
scatterwalk_advance() and scatterwalk_done() if an error has occurred.
This bug was found by syzkaller fuzzing.
Reproducer, assuming ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE:
    #include <linux/if_alg.h>
    #include <sys/socket.h>
    #include <unistd.h>

    int main()
    {
            struct sockaddr_alg addr = {
                    .salg_type = "skcipher",
                    .salg_name = "ecb(aes-generic)",
            };
            char buffer[4096] __attribute__((aligned(4096))) = { 0 };
            int fd;

            fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
            bind(fd, (void *)&addr, sizeof(addr));
            setsockopt(fd, SOL_ALG, ALG_SET_KEY, buffer, 16);
            fd = accept(fd, NULL, NULL);
            write(fd, buffer, 15);
            read(fd, buffer, 15);
    }
Reported-by: Liu Chao <liuchao741@huawei.com>
Fixes: 5cde0af2a982 ("[CRYPTO] cipher: Added block cipher type")
Cc: <stable@vger.kernel.org> # v2.6.19+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Biggers [Mon, 18 Jun 2018 17:22:38 +0000 (10:22 -0700)]
crypto: vmac - separate tfm and request context
commit bb29648102335586e9a66289a1d98a0cb392b6e5 upstream.
syzbot reported a crash in vmac_final() when multiple threads
concurrently use the same "vmac(aes)" transform through AF_ALG. The bug
is pretty fundamental: the VMAC template doesn't separate per-request
state from per-tfm (per-key) state like the other hash algorithms do,
but rather stores it all in the tfm context. That's wrong.
Also, vmac_final() incorrectly zeroes most of the state including the
derived keys and cached pseudorandom pad. Therefore, only the first
VMAC invocation with a given key calculates the correct digest.
Fix these bugs by splitting the per-tfm state from the per-request state
and using the proper init/update/final sequencing for requests.
Reproducer for the crash:
    #include <linux/if_alg.h>
    #include <sys/socket.h>
    #include <unistd.h>

    int main()
    {
            int fd;
            struct sockaddr_alg addr = {
                    .salg_type = "hash",
                    .salg_name = "vmac(aes)",
            };
            char buf[256] = { 0 };

            fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
            bind(fd, (void *)&addr, sizeof(addr));
            setsockopt(fd, SOL_ALG, ALG_SET_KEY, buf, 16);
            fork();
            fd = accept(fd, NULL, NULL);
            for (;;)
                    write(fd, buf, 256);
    }
The immediate cause of the crash is that vmac_ctx_t.partial_size exceeds
VMAC_NHBYTES, causing vmac_final() to memset() a negative length.
Reported-by: syzbot+264bca3a6e8d645550d3@syzkaller.appspotmail.com
Fixes: f1939f7c5645 ("crypto: vmac - New hash algorithm for intel_txt support")
Cc: <stable@vger.kernel.org> # v2.6.32+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Biggers [Mon, 18 Jun 2018 17:22:37 +0000 (10:22 -0700)]
crypto: vmac - require a block cipher with 128-bit block size
commit 73bf20ef3df262026c3470241ae4ac8196943ffa upstream.
The VMAC template assumes the block cipher has a 128-bit block size, but
it failed to check for that. Thus it was possible to instantiate it
using a 64-bit block size cipher, e.g. "vmac(cast5)", causing
uninitialized memory to be used.
Add the needed check when instantiating the template.
Fixes: f1939f7c5645 ("crypto: vmac - New hash algorithm for intel_txt support")
Cc: <stable@vger.kernel.org> # v2.6.32+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Randy Dunlap [Mon, 2 Jul 2018 02:46:06 +0000 (19:46 -0700)]
kbuild: verify that $DEPMOD is installed
commit 934193a654c1f4d0643ddbf4b2529b508cae926e upstream.
Verify that 'depmod' ($DEPMOD) is installed.
This is a partial revert of commit 620c231c7a7f
("kbuild: do not check for ancient modutils tools").
Also update Documentation/process/changes.rst to refer to
kmod instead of module-init-tools.
Fixes kernel bugzilla #198965:
https://bugzilla.kernel.org/show_bug.cgi?id=198965
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Lucas De Marchi <lucas.demarchi@profusion.mobi>
Cc: Lucas De Marchi <lucas.de.marchi@gmail.com>
Cc: Michal Marek <michal.lkml@markovi.net>
Cc: Jessica Yu <jeyu@kernel.org>
Cc: Chih-Wei Huang <cwhuang@linux.org.tw>
Cc: stable@vger.kernel.org # any kernel since 2012
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Liwei Song [Tue, 13 Jun 2017 04:59:53 +0000 (00:59 -0400)]
i2c: ismt: fix wrong device address when unmap the data buffer
commit 17e83549e199d89aace7788a9f11c108671eecf5 upstream.
Fix the following kernel bug:
kernel BUG at drivers/iommu/intel-iommu.c:3260!
invalid opcode: 0000 [#5] PREEMPT SMP
Hardware name: Intel Corp. Harcuvar/Server, BIOS HAVLCRB0.X64.0013.D39.
1608311820 08/31/2016
task: ffff880175389950 ti: ffff880176bec000 task.ti: ffff880176bec000
RIP: 0010:[<ffffffff8150a83b>] [<ffffffff8150a83b>] intel_unmap+0x25b/0x260
RSP: 0018:ffff880176bef5e8 EFLAGS: 00010296
RAX: 0000000000000024 RBX: ffff8800773c7c88 RCX: 000000000000ce04
RDX: 0000000080000000 RSI: 0000000000000000 RDI: 0000000000000009
RBP: ffff880176bef638 R08: 0000000000000010 R09: 0000000000000004
R10: ffff880175389c78 R11: 0000000000000a4f R12: ffff8800773c7868
R13: 00000000ffffac88 R14: ffff8800773c7818 R15: 0000000000000001
FS: 00007fef21258700(0000) GS:ffff88017b5c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000066d6d8 CR3: 000000007118c000 CR4: 00000000003406e0
Stack:
00000000ffffac88 ffffffff8199867f ffff880176bef5f8 ffff880100000030
ffff880176bef668 ffff8800773c7c88 ffff880178288098 ffff8800772c0010
ffff8800773c7818 0000000000000001 ffff880176bef648 ffffffff8150a86e
Call Trace:
[<ffffffff8199867f>] ? printk+0x46/0x48
[<ffffffff8150a86e>] intel_unmap_page+0xe/0x10
[<ffffffffa039d99b>] ismt_access+0x27b/0x8fa [i2c_ismt]
[<ffffffff81554420>] ? __pm_runtime_suspend+0xa0/0xa0
[<ffffffff815544a0>] ? pm_suspend_timer_fn+0x80/0x80
[<ffffffff81554420>] ? __pm_runtime_suspend+0xa0/0xa0
[<ffffffff815544a0>] ? pm_suspend_timer_fn+0x80/0x80
[<ffffffff8143dfd0>] ? pci_bus_read_dev_vendor_id+0xf0/0xf0
[<ffffffff8172b36c>] i2c_smbus_xfer+0xec/0x4b0
[<ffffffff810aa4d5>] ? vprintk_emit+0x345/0x530
[<ffffffffa038936b>] i2cdev_ioctl_smbus+0x12b/0x240 [i2c_dev]
[<ffffffff810aa829>] ? vprintk_default+0x29/0x40
[<ffffffffa0389b33>] i2cdev_ioctl+0x63/0x1ec [i2c_dev]
[<ffffffff811b04c8>] do_vfs_ioctl+0x328/0x5d0
[<ffffffff8119d8ec>] ? vfs_write+0x11c/0x190
[<ffffffff8109d449>] ? rt_up_read+0x19/0x20
[<ffffffff811b07f1>] SyS_ioctl+0x81/0xa0
[<ffffffff819a351b>] system_call_fastpath+0x16/0x6e
This happens when running "i2cdetect -y 0" to detect the SMBus iSMT adapter.
After the I2C block read/write finished, when unmapping the data buffer,
a wrong device address was passed to dma_unmap_single().
To fix this, give dma_unmap_single() the "dev" parameter, just like
what dma_map_single() does, then unmap can find the right devices.
Fixes: 13f35ac14cd0 ("i2c: Adding support for Intel iSMT SMBus 2.0 host controller")
Signed-off-by: Liwei Song <liwei.song@windriver.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Andrey Konovalov [Tue, 6 Feb 2018 23:36:00 +0000 (15:36 -0800)]
kasan: don't emit builtin calls when sanitization is off
commit 0e410e158e5baa1300bdf678cea4f4e0cf9d8b94 upstream.
With KASAN enabled the kernel has two different memset() functions, one
with KASAN checks (memset) and one without (__memset). KASAN uses some
macro tricks to use the proper version where required. For example
memset() calls in mm/slub.c are without KASAN checks, since they operate
on poisoned slab object metadata.
The issue is that clang emits memset() calls even when there is no
memset() in the source code. They get linked with improper memset()
implementation and the kernel fails to boot due to a huge amount of KASAN
reports during early boot stages.
The solution is to add -fno-builtin flag for files with KASAN_SANITIZE :=
n marker.
Link: http://lkml.kernel.org/r/8ffecfffe04088c52c42b92739c2bd8a0bcb3f5e.1516384594.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Nick Desaulniers <ndesaulniers@google.com>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Cc: Michal Marek <michal.lkml@markovi.net>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ Nick : Backported to 4.4 avoiding KUBSAN ]
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Takashi Iwai [Wed, 15 Aug 2018 09:58:46 +0000 (11:58 +0200)]
tcp: Fix missing range_truesize enlargement in the backport
The 4.4.y stable backport dc6ae4dffd65 for the upstream commit
3d4bf93ac120 ("tcp: detect malicious patterns in
tcp_collapse_ofo_queue()") missed a line that enlarges the
range_truesize value, which broke the whole check.
Fixes: dc6ae4dffd65 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Cc: Michal Kubecek <mkubecek@suse.cz>
Toshi Kani [Wed, 27 Jun 2018 14:13:46 +0000 (08:13 -0600)]
x86/mm: Disable ioremap free page handling on x86-PAE
commit f967db0b9ed44ec3057a28f3b28efc51df51b835 upstream.
ioremap() supports pmd mappings on x86-PAE. However, kernel's pmd
tables are not shared among processes on x86-PAE. Therefore, any
update to sync'd pmd entries needs re-syncing. Freeing a pte page
also leads to a vmalloc fault and hits the BUG_ON in vmalloc_sync_one().
Disable free page handling on x86-PAE. pud_free_pmd_page() and
pmd_free_pte_page() simply return 0 if a given pud/pmd entry is present.
This assures that ioremap() does not update sync'd pmd entries at the
cost of falling back to pte mappings.
Fixes: 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces")
Reported-by: Joerg Roedel <joro@8bytes.org>
Signed-off-by: Toshi Kani <toshi.kani@hpe.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: mhocko@suse.com
Cc: akpm@linux-foundation.org
Cc: hpa@zytor.com
Cc: cpandya@codeaurora.org
Cc: linux-mm@kvack.org
Cc: linux-arm-kernel@lists.infradead.org
Cc: stable@vger.kernel.org
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/20180627141348.21777-2-toshi.kani@hpe.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux Build Service Account [Fri, 17 Aug 2018 14:09:10 +0000 (07:09 -0700)]
Merge "drm: msm: update dsi state context when splash is on"
Suprith Malligere Shankaregowda [Thu, 26 Jul 2018 11:20:59 +0000 (16:50 +0530)]
drm: msm: sde: Fix SMMU fault during DRM test
This change is done to detach all pipes first before the first commit
proceeds. Kernel will have to do the pipe detach when kernel got the first
valid frame and we want to detach all the splash pipes after the LK is
being notified to stop.
Change-Id: I3a599a102286596333a35273e27d8a363f2134b7
Signed-off-by: Suprith Malligere Shankaregowda <supgow@codeaurora.org>
Suprith Malligere Shankaregowda [Thu, 19 Jul 2018 09:02:30 +0000 (14:32 +0530)]
drm: msm: remove hdcp related error messages
HDMI display on auto boards has disabled pluggable function
and hardcoded 1080p mode for output. So ddc related function
should also be skipped. Otherwise, some HDCP related error
messages are printed during boot up when accessing ddc.
Change-Id: I0fea0470dd11cc599bc7eb86d7fe3fb4ccf96693
Signed-off-by: Suprith Malligere Shankaregowda <supgow@codeaurora.org>
Ankit Jain [Mon, 9 Jul 2018 10:09:52 +0000 (15:39 +0530)]
ARM: dts: msm: set qcom,guard-memory property for rmtfs on sdm660
This is needed to address the XPU limitation, so that the
shared memory is not contiguous with other memory allocations
that may happen from other clients in the system.
Change-Id: Ibc9961245f32ecc63892007a3d12b7956cf63e67
Signed-off-by: Ankit Jain <jankit@codeaurora.org>
Sahitya Tummala [Thu, 5 Oct 2017 09:09:40 +0000 (14:39 +0530)]
uio: msm_sharedmem: add guard page around shared memory
If guard_memory dtsi property is set, then the shared memory
region will be guarded by SZ_4K at the start and at the end.
This is needed to overcome the XPU limitation on few MSM HW,
so as to make this memory not contiguous with other allocations
that may possibly happen from other clients in the system.
Change-Id: I57637619cea8fe7f0f7254624e07177ea4a4fce0
Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
Guisen Yang [Wed, 1 Aug 2018 07:23:04 +0000 (15:23 +0800)]
cnss: Use the nosync API in cnss when disabling irq
The disable_irq API will wait for IRQ handler completion
when the pcie link is down, which will cause a system error. Use
the nosync API to disable irq.
Change-Id: Ib8e1c160cb748c2007bd24089e09b0ee6694d04d
CRs-Fixed: 2157312
Signed-off-by: Guisen Yang <guiseny@codeaurora.org>
Yao Jiang [Mon, 13 Aug 2018 04:20:57 +0000 (12:20 +0800)]
platform: msm: resolve NULL pointer dereference issue
Fix some null pointer dereference flaws and parameter-not-initialized issues.
change-Id: I0ed5f3f62c3794775bf97d353c4e50dd8ceb32da
Signed-off-by: Yao Jiang <yaojia@codeaurora.org>
Greg Kroah-Hartman [Wed, 15 Aug 2018 16:20:41 +0000 (18:20 +0200)]
Merge 4.4.148 into android-4.4
Changes in 4.4.148
ext4: fix check to prevent initializing reserved inodes
tpm: fix race condition in tpm_common_write()
ipv4+ipv6: Make INET*_ESP select CRYPTO_ECHAINIV
fork: unconditionally clear stack on fork
parisc: Enable CONFIG_MLONGCALLS by default
parisc: Define mb() and add memory barriers to assembler unlock sequences
xen/netfront: don't cache skb_shinfo()
ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices
scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled
root dentries need RCU-delayed freeing
fix mntput/mntput race
fix __legitimize_mnt()/mntput() race
IB/core: Make testing MR flags for writability a static inline function
IB/mlx4: Mark user MR as writable if actual virtual memory is writable
IB/ocrdma: fix out of bounds access to local buffer
ARM: dts: imx6sx: fix irq for pcie bridge
x86/paravirt: Fix spectre-v2 mitigations for paravirt guests
x86/speculation: Protect against userspace-userspace spectreRSB
kprobes/x86: Fix %p uses in error messages
x86/irqflags: Provide a declaration for native_save_fl
x86/speculation/l1tf: Increase 32bit PAE __PHYSICAL_PAGE_SHIFT
x86/mm: Move swap offset/type up in PTE to work around erratum
x86/mm: Fix swap entry comment and macro
mm: x86: move _PAGE_SWP_SOFT_DIRTY from bit 7 to bit 1
x86/speculation/l1tf: Change order of offset/type in swap entry
x86/speculation/l1tf: Protect swap entries against L1TF
x86/speculation/l1tf: Protect PROT_NONE PTEs against speculation
x86/speculation/l1tf: Make sure the first page is always reserved
x86/speculation/l1tf: Add sysfs reporting for l1tf
mm: Add vm_insert_pfn_prot()
mm: fix cache mode tracking in vm_insert_mixed()
x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings
x86/speculation/l1tf: Limit swap file size to MAX_PA/2
x86/bugs: Move the l1tf function and define pr_fmt properly
x86/speculation/l1tf: Extend 64bit swap file size limit
x86/cpufeatures: Add detection of L1D cache flush support.
x86/speculation/l1tf: Protect PAE swap entries against L1TF
x86/speculation/l1tf: Fix up pte->pfn conversion for PAE
x86/speculation/l1tf: Invert all not present mappings
x86/speculation/l1tf: Make pmd/pud_mknotpresent() invert
x86/mm/pat: Make set_memory_np() L1TF safe
x86/mm/kmmio: Make the tracer robust against L1TF
x86/speculation/l1tf: Fix up CPU feature flags
x86/init: fix build with CONFIG_SWAP=n
x86/speculation/l1tf: Unbreak !__HAVE_ARCH_PFN_MODIFY_ALLOWED architectures
Linux 4.4.148
Change-Id: I83c857d9d9d74ee47e61d15eb411f276f057ba3d
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Greg Kroah-Hartman [Wed, 15 Aug 2018 15:42:11 +0000 (17:42 +0200)]
Linux 4.4.148