user/sven/linux.git, branch v4.4.194 Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.4.194 2019-09-21T05:12:54Z Linux 4.4.194 2019-09-21T05:12:54Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2019-09-21T05:12:54Z urn:sha1:5f090d837b1f61ba12780a8b8196b69a00d7cd70 net_sched: let qdisc_put() accept NULL pointer 2019-09-21T05:12:54Z Cong Wang xiyou.wangcong@gmail.com 2019-09-12T17:22:30Z urn:sha1:00ff438addf8e0d6853094a5ab97fc83d8e1c996 [ Upstream commit 6efb971ba8edfbd80b666f29de12882852f095ae ] When tcf_block_get() fails in sfb_init(), q->qdisc is still a NULL pointer which leads to a crash in sfb_destroy(). Similar for sch_dsmark. Instead of fixing each separately, Linus suggested to just accept NULL pointer in qdisc_put(), which would make callers easier. (For sch_dsmark, the bug probably exists long before commit 6529eaba33f0.) Fixes: 6529eaba33f0 ("net: sched: introduce tcf block infractructure") Reported-by: syzbot+d5870a903591faaca4ae@syzkaller.appspotmail.com Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: Jamal Hadi Salim <jhs@mojatatu.com> Cc: Jiri Pirko <jiri@resnulli.us> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Acked-by: Jiri Pirko <jiri@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ARC: export "abort" for modules 2019-09-21T05:12:54Z Vineet Gupta Vineet.Gupta1@synopsys.com 2019-09-19T20:58:47Z urn:sha1:6b011ece4cdfb018d067b6c72a1237e52c73c41c This is a custom patch (no mainline equivalent) for stable backport only to address 0-Day kernel test infra ARC 4.x.y builds errors. The reason for this custom patch as that it is a single patch, touches only ARC, vs. atleast two 7c2c11b208be09c1, dc8635b78cd8669 which touch atleast 3 other arches (one long removed) and could potentially have a fallout. Reported-by: kbuild test robot <lkp@intel.com> CC: stable@vger.kernel.org # 4.4, 4.9 Signed-off-by: Vineet Gupta <vgupta@synopsys.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> media: technisat-usb2: break out of loop at end of buffer 2019-09-21T05:12:53Z Sean Young sean@mess.org 2019-07-03T14:52:39Z urn:sha1:db38be77199f16dd23d1504a9dfddf7e4479652a commit 0c4df39e504bf925ab666132ac3c98d6cbbe380b upstream. Ensure we do not access the buffer beyond the end if no 0xff byte is encountered. Reported-by: syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com Signed-off-by: Sean Young <sean@mess.org> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> floppy: fix usercopy direction 2019-09-21T05:12:53Z Jann Horn jannh@google.com 2019-03-26T22:03:48Z urn:sha1:f5282fe2730562fa4052e7210f80d213e20b6c7a commit 52f6f9d74f31078964ca1574f7bb612da7877ac8 upstream. As sparse points out, these two copy_from_user() should actually be copy_to_user(). Fixes: 229b53c9bf4e ("take floppy compat ioctls to sodding floppy.c") Cc: stable@vger.kernel.org Acked-by: Alexander Popov <alex.popov@linux.com> Reviewed-by: Mukesh Ojha <mojha@codeaurora.org> Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> keys: Fix missing null pointer check in request_key_auth_describe() 2019-09-21T05:12:53Z Hillf Danton hdanton@sina.com 2019-09-02T12:37:29Z urn:sha1:c08c6b9eb55e17e701770f2573248d402586b82a [ Upstream commit d41a3effbb53b1bcea41e328d16a4d046a508381 ] If a request_key authentication token key gets revoked, there's a window in which request_key_auth_describe() can see it with a NULL payload - but it makes no check for this and something like the following oops may occur: BUG: Kernel NULL pointer dereference at 0x00000038 Faulting instruction address: 0xc0000000004ddf30 Oops: Kernel access of bad area, sig: 11 [#1] ... NIP [...] request_key_auth_describe+0x90/0xd0 LR [...] request_key_auth_describe+0x54/0xd0 Call Trace: [...] request_key_auth_describe+0x54/0xd0 (unreliable) [...] proc_keys_show+0x308/0x4c0 [...] seq_read+0x3d0/0x540 [...] proc_reg_read+0x90/0x110 [...] __vfs_read+0x3c/0x70 [...] vfs_read+0xb4/0x1b0 [...] ksys_read+0x7c/0x130 [...] system_call+0x5c/0x70 Fix this by checking for a NULL pointer when describing such a key. Also make the read routine check for a NULL pointer to be on the safe side. [DH: Modified to not take already-held rcu lock and modified to also check in the read routine] Fixes: 04c567d9313e ("[PATCH] Keys: Fix race between two instantiators of a key") Reported-by: Sachin Sant <sachinp@linux.vnet.ibm.com> Signed-off-by: Hillf Danton <hdanton@sina.com> Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Sachin Sant <sachinp@linux.vnet.ibm.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> dmaengine: ti: omap-dma: Add cleanup in omap_dma_probe() 2019-09-21T05:12:52Z Wenwen Wang wenwen@cs.uga.edu 2019-08-16T06:56:08Z urn:sha1:c9670a4e6d7bf8762a065cf5ce53236a823ecfee [ Upstream commit 962411b05a6d3342aa649e39cda1704c1fc042c6 ] If devm_request_irq() fails to disable all interrupts, no cleanup is performed before retuning the error. To fix this issue, invoke omap_dma_free() to do the cleanup. Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu> Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com> Link: https://lore.kernel.org/r/1565938570-7528-1-git-send-email-wenwen@cs.uga.edu Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> net: seeq: Fix the function used to release some memory in an error handling path 2019-09-21T05:12:52Z Christophe JAILLET christophe.jaillet@wanadoo.fr 2019-08-31T07:17:51Z urn:sha1:8636e178385b3ec46f5409fac028b546dbd0d3a7 [ Upstream commit e1e54ec7fb55501c33b117c111cb0a045b8eded2 ] In commit 99cd149efe82 ("sgiseeq: replace use of dma_cache_wback_inv"), a call to 'get_zeroed_page()' has been turned into a call to 'dma_alloc_coherent()'. Only the remove function has been updated to turn the corresponding 'free_page()' into 'dma_free_attrs()'. The error hndling path of the probe function has not been updated. Fix it now. Rename the corresponding label to something more in line. Fixes: 99cd149efe82 ("sgiseeq: replace use of dma_cache_wback_inv") Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> Reviewed-by: Thomas Bogendoerfer <tbogendoerfer@suse.de> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> tools/power turbostat: fix buffer overrun 2019-09-21T05:12:52Z Naoya Horiguchi n-horiguchi@ah.jp.nec.com 2019-04-03T07:02:14Z urn:sha1:a96b6b408c7e8b7e741e7820f76a6e8215d417a6 [ Upstream commit eeb71c950bc6eee460f2070643ce137e067b234c ] turbostat could be terminated by general protection fault on some latest hardwares which (for example) support 9 levels of C-states and show 18 "tADDED" lines. That bloats the total output and finally causes buffer overrun. So let's extend the buffer to avoid this. Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com> Signed-off-by: Len Brown <len.brown@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> sky2: Disable MSI on yet another ASUS boards (P6Xxxx) 2019-09-21T05:12:52Z Takashi Iwai tiwai@suse.de 2019-08-28T06:31:19Z urn:sha1:015c9eff13ac9c2234134b47355b5af52c535cd4 [ Upstream commit 189308d5823a089b56e2299cd96589507dac7319 ] A similar workaround for the suspend/resume problem is needed for yet another ASUS machines, P6X models. Like the previous fix, the BIOS doesn't provide the standard DMI_SYS_* entry, so again DMI_BOARD_* entries are used instead. Reported-and-tested-by: SteveM <swm@swm1.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org>