Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v5.4.3 2019-12-13T07:43:30Z 2019-12-13T07:43:30Z Robert Richter rrichter@marvell.com 2019-11-05T20:07:51Z urn:sha1:d2136afb5193440c2fb62ae20e98f44b431e45ef [ Upstream commit 23f61b9fc5cc10d87f66e50518707eec2a0fbda1 ] The ghes registration and refcount is broken in several ways: * ghes_edac_register() returns with success for a 2nd instance even if a first instance's registration is still running. This is not correct as the first instance may fail later. A subsequent registration may not finish before the first. Parallel registrations must be avoided. * The refcount was increased even if a registration failed. This leads to stale counters preventing the device from being released. * The ghes refcount may not be decremented properly on unregistration. Always decrement the refcount once ghes_edac_unregister() is called to keep the refcount sane. * The ghes_pvt pointer is handed to the irq handler before registration finished. * The mci structure could be freed while the irq handler is running. Fix this by adding a mutex to ghes_edac_register(). This mutex serializes instances to register and unregister. The refcount is only increased if the registration succeeded. This makes sure the refcount is in a consistent state after registering or unregistering a device. Note: A spinlock cannot be used here as the code section may sleep. The ghes_pvt is protected by ghes_lock now. This ensures the pointer is not updated before registration was finished or while the irq handler is running. It is unset before unregistering the device including necessary (implicit) memory barriers making the changes visible to other CPUs. Thus, the device can not be used anymore by an interrupt. Also, rename ghes_init to ghes_refcount for better readability and switch to refcount API. A refcount is needed because there can be multiple GHES structures being defined (see ACPI 6.3 specification, 18.3.2.7 Generic Hardware Error Source, "Some platforms may describe multiple Generic Hardware Error Source structures with different notification types, ..."). Another approach to use the mci's device refcount (get_device()) and have a release function does not work here. A release function will be called only for device_release() with the last put_device() call. The device must be deleted *before* that with device_del(). This is only possible by maintaining an own refcount. [ bp: touchups. ] Fixes: 0fe5f281f749 ("EDAC, ghes: Model a single, logical memory controller") Fixes: 1e72e673b9d1 ("EDAC/ghes: Fix Use after free in ghes_edac remove path") Co-developed-by: James Morse <james.morse@arm.com> Signed-off-by: James Morse <james.morse@arm.com> Co-developed-by: Borislav Petkov <bp@suse.de> Signed-off-by: Borislav Petkov <bp@suse.de> Signed-off-by: Robert Richter <rrichter@marvell.com> Signed-off-by: Borislav Petkov <bp@suse.de> Cc: "linux-edac@vger.kernel.org" <linux-edac@vger.kernel.org> Cc: Mauro Carvalho Chehab <mchehab@kernel.org> Cc: Tony Luck <tony.luck@intel.com> Link: https://lkml.kernel.org/r/20191105200732.3053-1-rrichter@marvell.com Signed-off-by: Sasha Levin <sashal@kernel.org> 2019-12-13T07:43:30Z Joel Stanley joel@jms.id.au 2019-11-08T03:29:05Z urn:sha1:8a13daae81fe712e1c6cf274b4934a26d6b9a4de [ Upstream commit c04571251b3d842096f1597f5d4badb508be016d ] The ast2600 no longer uses bit 4 in the control register to indicate a 1MHz clock (It now controls whether this watchdog is reset by a SOC reset). This means we do not want to set it. It also does not need to be set for the ast2500, as it is read-only on that SoC. The comment next to the clock rate selection wandered away from where it was set, so put it back next to the register setting it's describing. Fixes: b3528b487448 ("watchdog: aspeed: Add support for AST2600") Signed-off-by: Joel Stanley <joel@jms.id.au> Reviewed-by: Cédric Le Goater <clg@kaod.org> Reviewed-by: Guenter Roeck <linux@roeck-us.net> Link: https://lore.kernel.org/r/20191108032905.22463-1-joel@jms.id.au Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2019-12-13T07:43:29Z Christophe JAILLET christophe.jaillet@wanadoo.fr 2019-08-22T21:15:18Z urn:sha1:6dc2a7e67e1fe4eee30a9bca40bffe308ac884cb [ Upstream commit 15c665bb4637310bc8ce5f357b6a6e5a8aafc7c1 ] If we don't find any matching components, we should go through the error handling path, in order to free some resources. Fixes: ca5be902a87d ("drm/mcde: Fix uninitialized variable") Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> Signed-off-by: Linus Walleij <linus.walleij@linaro.org> Link: https://patchwork.freedesktop.org/patch/msgid/20190822211518.5578-1-christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin <sashal@kernel.org> 2019-12-13T07:43:29Z Dan Carpenter dan.carpenter@oracle.com 2019-09-21T06:00:31Z urn:sha1:526152a23915a1bc8380bf11e497548b8b03968d [ Upstream commit e3fc3f3d0943b126f76b8533960e4168412d9e5a ] The first argument to WARN() is supposed to be a condition. The original code will just print the mdname() instead of the full warning message. Fixes: c84a1372df92 ("md/raid0: avoid RAID0 data corruption due to layout confusion.") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Song Liu <songliubraving@fb.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2019-12-13T07:43:28Z Anson Huang Anson.Huang@nxp.com 2019-10-22T08:33:19Z urn:sha1:7a5e10c1d67150eeeb31928db5df9de4f038db5b [ Upstream commit af44d180e3de4cb411ce327b147ea3513f0bbbcb ] i.MX8MN has different speed grade definition compared to i.MX8MQ/i.MX8MM, when fuses are NOT written, the default speed_grade should be set to minimum available OPP defined in DT which is 1.2GHz, the corresponding speed_grade value should be 0xb. Fixes: 5b8010ba70d5 ("cpufreq: imx-cpufreq-dt: Add i.MX8MN support") Signed-off-by: Anson Huang <Anson.Huang@nxp.com> Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2019-12-13T07:43:25Z Jann Horn jannh@google.com 2019-10-18T20:56:31Z urn:sha1:e8f669921edd97b089691fed09946e5860523ba9 commit 2a9edd056ed4fbf9d2e797c3fc06335af35bccc4 upstream. The old loop wouldn't stop when reaching `start` if `start==NULL`, instead continuing backwards to index -1 and crashing. Luckily you need to be highly privileged to map things at NULL, so it's not a big problem. Fix it by adjusting the loop so that the loop variable is always in bounds. This patch is deliberately minimal to simplify backporting, but IMO this function could use a refactor. The jump labels in the second loop body are horrible (the error gotos should be jumping to free_range instead), and both loops would look nicer if they just iterated upwards through indices. And the up_read()+mmput() shouldn't be duplicated like that. Cc: stable@vger.kernel.org Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") Signed-off-by: Jann Horn <jannh@google.com> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Link: https://lore.kernel.org/r/20191018205631.248274-3-jannh@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-12-13T07:43:25Z Jann Horn jannh@google.com 2019-10-18T20:56:30Z urn:sha1:015c08bc707e2478ad678564c2351e4830432832 commit a7a74d7ff55a0c657bc46238b050460b9eacea95 upstream. binder_alloc_mmap_handler() attempts to detect the use of ->mmap() on a binder_proc whose binder_alloc has already been initialized by checking whether alloc->buffer is non-zero. Before commit 880211667b20 ("binder: remove kernel vm_area for buffer space"), alloc->buffer was a kernel mapping address, which is always non-zero, but since that commit, it is a userspace mapping address. A sufficiently privileged user can map /dev/binder at NULL, tricking binder_alloc_mmap_handler() into assuming that the binder_proc has not been mapped yet. This leads to memory unsafety. Luckily, no context on Android has such privileges, and on a typical Linux desktop system, you need to be root to do that. Fix it by using the mapping size instead of the mapping address to distinguish the mapped case. A valid VMA can't have size zero. Fixes: 880211667b20 ("binder: remove kernel vm_area for buffer space") Cc: stable@vger.kernel.org Signed-off-by: Jann Horn <jannh@google.com> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Link: https://lore.kernel.org/r/20191018205631.248274-2-jannh@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-12-13T07:43:23Z Jann Horn jannh@google.com 2019-10-18T20:56:29Z urn:sha1:6e0efd9e9e0549099ff428a88f6d73fb4653c947 commit 8eb52a1ee37aafd9b796713aa0b3ab9cbc455be3 upstream. binder_alloc_print_pages() iterates over alloc->pages[0..alloc->buffer_size-1] under alloc->mutex. binder_alloc_mmap_handler() writes alloc->pages and alloc->buffer_size without holding that lock, and even writes them before the last bailout point. Unfortunately we can't take the alloc->mutex in the ->mmap() handler because mmap_sem can be taken while alloc->mutex is held. So instead, we have to locklessly check whether the binder_alloc has been fully initialized with binder_alloc_get_vma(), like in binder_alloc_new_buf_locked(). Fixes: 8ef4665aa129 ("android: binder: Add page usage in binder stats") Cc: stable@vger.kernel.org Signed-off-by: Jann Horn <jannh@google.com> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Link: https://lore.kernel.org/r/20191018205631.248274-1-jannh@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-12-13T07:43:22Z Je Yen Tam je.yen.tam@ni.com 2019-11-27T07:53:01Z urn:sha1:0bbb506cd52f8090ecdd32b2c2bdf8f93425ec73 commit 27ed14d0ecb38516b6f3c6fdcd62c25c9454f979 upstream. This reverts commit fdc2de87124f5183a98ea7eced1f76dbdba22951 ("serial/8250: Add support for NI-Serial PXI/PXIe+485 devices"). The commit fdc2de87124f ("serial/8250: Add support for NI-Serial PXI/PXIe+485 devices") introduced a breakage on NI-Serial PXI(e)-RS485 devices, RS-232 variants have no issue. The Linux system can enumerate the NI-Serial PXI(e)-RS485 devices, but it broke the R/W operation on the ports. However, the implementation is working on the NI internal Linux RT kernel but it does not work in the Linux main tree kernel. This is only affecting NI products, specifically the RS-485 variants. Reverting the upstream until a proper implementation that can apply to both NI internal Linux kernel and Linux mainline kernel is figured out. Signed-off-by: Je Yen Tam <je.yen.tam@ni.com> Fixes: fdc2de87124f ("serial/8250: Add support for NI-Serial PXI/PXIe+485 devices") Cc: stable <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20191127075301.9866-1-je.yen.tam@ni.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-12-13T07:43:22Z Nicolas Pitre nico@fluxnic.net 2019-11-05T09:33:16Z urn:sha1:0b0923bb6d2808bc6f3b03028fec685144227ba8 commit 0c9acb1af77a3cb8707e43f45b72c95266903cee upstream. Commit d21b0be246bf ("vt: introduce unicode mode for /dev/vcs") guarded against using devices containing attributes as this is not yet implemented. It however failed to guard against writes to any devices as this is also unimplemented. Reported-by: Or Cohen <orcohen@paloaltonetworks.com> Signed-off-by: Nicolas Pitre <npitre@baylibre.com> Cc: <stable@vger.kernel.org> # v4.19+ Cc: Jiri Slaby <jslaby@suse.com> Fixes: d21b0be246bf ("vt: introduce unicode mode for /dev/vcs") Link: https://lore.kernel.org/r/nycvar.YSQ.7.76.1911051030580.30289@knanqh.ubzr Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>