November 2017 - Linux-stable-mirror

[Linux-stable-mirror] [PATCH] soc/tegra: pmc: fix child-node lookup

by Johan Hovold

Fix child-node lookup during probe, which ended up searching the whole device tree depth-first starting at the parent rather than just matching on its children. To make things worse, the parent pmc node could end up being prematurely freed as of_find_node_by_name() drops a reference to its first argument. Fixes: 3568df3d31d6 ("soc: tegra: Add thermal reset (thermtrip) support to PMC") Cc: stable <stable(a)vger.kernel.org> # 4.0 Cc: Mikko Perttunen <mperttunen(a)nvidia.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/soc/tegra/pmc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/soc/tegra/pmc.c b/drivers/soc/tegra/pmc.c index 0453ff6839a7..7e9ef3431bea 100644 --- a/drivers/soc/tegra/pmc.c +++ b/drivers/soc/tegra/pmc.c @@ -1321,7 +1321,7 @@ static void tegra_pmc_init_tsense_reset(struct tegra_pmc *pmc) if (!pmc->soc->has_tsense_reset) return; - np = of_find_node_by_name(pmc->dev->of_node, "i2c-thermtrip"); + np = of_get_child_by_name(pmc->dev->of_node, "i2c-thermtrip"); if (!np) { dev_warn(dev, "i2c-thermtrip node not found, %s.\n", disabled); return; -- 2.15.0

6 years, 3 months

3
5
0 0

[Linux-stable-mirror] FAILED: patch "[PATCH] tpm-dev-common: Reject too short writes" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From ee70bc1e7b63ac8023c9ff9475d8741e397316e7 Mon Sep 17 00:00:00 2001 From: Alexander Steffen <Alexander.Steffen(a)infineon.com> Date: Fri, 8 Sep 2017 17:21:32 +0200 Subject: [PATCH] tpm-dev-common: Reject too short writes tpm_transmit() does not offer an explicit interface to indicate the number of valid bytes in the communication buffer. Instead, it relies on the commandSize field in the TPM header that is encoded within the buffer. Therefore, ensure that a) enough data has been written to the buffer, so that the commandSize field is present and b) the commandSize field does not announce more data than has been written to the buffer. This should have been fixed with CVE-2011-1161 long ago, but apparently a correct version of that patch never made it into the kernel. Cc: stable(a)vger.kernel.org Signed-off-by: Alexander Steffen <Alexander.Steffen(a)infineon.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen(a)linux.intel.com> Tested-by: Jarkko Sakkinen <jarkko.sakkinen(a)linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen(a)linux.intel.com> diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c index 610638a80383..461bf0b8a094 100644 --- a/drivers/char/tpm/tpm-dev-common.c +++ b/drivers/char/tpm/tpm-dev-common.c @@ -110,6 +110,12 @@ ssize_t tpm_common_write(struct file *file, const char __user *buf, return -EFAULT; } + if (in_size < 6 || + in_size < be32_to_cpu(*((__be32 *) (priv->data_buffer + 2)))) { + mutex_unlock(&priv->buffer_mutex); + return -EINVAL; + } + /* atomic tpm command send and result receive. We only hold the ops * lock during this period so that the tpm can be unregistered even if * the char dev is held open.

6 years, 8 months

3
2
0 0

[Linux-stable-mirror] [PATCH] arm: ensure symbol is a thumb symbol in new binutils

by Jason A. Donenfeld

On older versions of binutils, \sym points to an aligned address. On newer versions of binutils, \sym sometimes points to the unaligned thumb address in mysterious and buggy circumstances. In order to homogenize this behavior, rather than adding 1, we simply OR in 1, so that already unaligned instructions don't change. This fix is required for a pedestrian THUMB2_KERNEL to boot without crashing when built with non-old binutils. While it works, the downside is that we have to add an `orr` instruction to a fast path. The assembler can't do this at assemble time via "|1" because "invalid operands (.text and *ABS* sections) for `|'", so we're forced to do this. A better solution would be to have consistent binutils behavior, or to have some kind of \sym feature detection that won't turn into a maze of version comparisons. However, it's at the moment unclear how to achieve this. The rest of this commit message contains all of the relevant information. My tests concerned these versions: broken: GNU ld (Gentoo 2.29.1 p3) 2.29.1 working: GNU ld (GNU Binutils for Ubuntu) 2.26.1 These produced the following code: --- broken 2017-11-21 17:44:14.523416082 +0100 +++ working 2017-11-21 17:44:44.548461234 +0100 @@ -133,7 +133,7 @@ 160: f01a 0ff0 tst.w sl, #240 ; 0xf0 164: d111 bne.n 18a <__sys_trace> 166: f5b7 7fc8 cmp.w r7, #400 ; 0x190 - 16a: f2af 1e6a subw lr, pc, #362 ; 0x16a + 16a: f2af 1e6b subw lr, pc, #363 ; 0x16b 16e: bf38 it cc 170: f858 f027 ldrcc.w pc, [r8, r7, lsl #2] 174: a902 add r1, sp, #8 The differing instruction corresponds with this actual line in arch/arm/kernel/entry-common.S: badr lr, ret_fast_syscall @ return address Running the broken kernel results in a runtime OOPS with: PC is at ret_fast_syscall+0x4/0x52 LR is at ret_fast_syscall+0x2/0x52 The disassembly of that function for the crashing kernel is: .text:00000000 ret_fast_syscall ; CODE XREF: sys_syscall+1C↓j .text:00000000 CPSID I ; jumptable 00000840 cases 15,18-376 .text:00000002 .text:00000002 loc_2 ; DATA XREF: sys_syscall-6BA↓o .text:00000002 LDR.W R2, [R9,#8] .text:00000006 CMP.W R2, #0xBF000000 Signed-off-by: Jason A. Donenfeld <Jason(a)zx2c4.com> Cc: stable(a)vger.kernel.org --- arch/arm/include/asm/assembler.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h index ad301f107dd2..c62a3b6b0a3e 100644 --- a/arch/arm/include/asm/assembler.h +++ b/arch/arm/include/asm/assembler.h @@ -194,10 +194,9 @@ */ .irp c,,eq,ne,cs,cc,mi,pl,vs,vc,hi,ls,ge,lt,gt,le,hs,lo .macro badr\c, rd, sym -#ifdef CONFIG_THUMB2_KERNEL - adr\c \rd, \sym + 1 -#else adr\c \rd, \sym +#ifdef CONFIG_THUMB2_KERNEL + orr\c \rd, \rd, 1 #endif .endm .endr -- 2.15.0

6 years, 10 months

5
12
0 0

[Linux-stable-mirror] [PATCH 1/3] Input: twl4030-vibra: fix sibling-node lookup

by Johan Hovold

A helper purported to look up a child node based on its name was using the wrong of-helper and ended up prematurely freeing the parent of-node while searching the whole device tree depth-first starting at the parent node. Fixes: 64b9e4d803b1 ("input: twl4030-vibra: Support for DT booted kernel") Fixes: e661d0a04462 ("Input: twl4030-vibra - fix ERROR: Bad of_node_put() warning") Cc: stable <stable(a)vger.kernel.org> # 3.7 Cc: Peter Ujfalusi <peter.ujfalusi(a)ti.com> Cc: Marek Belisko <marek(a)goldelico.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/input/misc/twl4030-vibra.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/input/misc/twl4030-vibra.c b/drivers/input/misc/twl4030-vibra.c index 6c51d404874b..c37aea9ac272 100644 --- a/drivers/input/misc/twl4030-vibra.c +++ b/drivers/input/misc/twl4030-vibra.c @@ -178,12 +178,14 @@ static SIMPLE_DEV_PM_OPS(twl4030_vibra_pm_ops, twl4030_vibra_suspend, twl4030_vibra_resume); static bool twl4030_vibra_check_coexist(struct twl4030_vibra_data *pdata, - struct device_node *node) + struct device_node *parent) { + struct device_node *node; + if (pdata && pdata->coexist) return true; - node = of_find_node_by_name(node, "codec"); + node = of_get_child_by_name(parent, "codec"); if (node) { of_node_put(node); return true; -- 2.15.0

6 years, 10 months

5
24
0 0

[Linux-stable-mirror] [PATCH 0/2] net: dsa: lan9303: check error value from devm_gpiod_get_optional()

by Phil Reid

Replaces Pan Bian <bianpan2016(a)163.com> patch "net: dsa: lan9303: correctly check return value of devm_gpiod_get_optional" Errors need to be prograted back from probe. Note: I have only compile tested the code as I don't have the hardware. Phil Reid (2): net: dsa: lan9303: make lan9303_handle_reset() a void function net: dsa: lan9303: check error value from devm_gpiod_get_optional() drivers/net/dsa/lan9303-core.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) -- 1.8.3.1

6 years, 10 months

2
5
0 0

[Linux-stable-mirror] [PATCH] video: fbdev: atmel_lcdfb: fix display-timings lookup

by Johan Hovold

Fix child-node lookup during probe, which ended up searching the whole device tree depth-first starting at the parent rather than just matching on its children. To make things worse, the parent display node was also prematurely freed. Note that the display and timings node references are never put after a successful dt-initialisation so the nodes would leak on later probe deferrals and on driver unbind. Fixes: b985172b328a ("video: atmel_lcdfb: add device tree suport") Cc: stable <stable(a)vger.kernel.org> # 3.13 Cc: Jean-Christophe PLAGNIOL-VILLARD <plagnioj(a)jcrosoft.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/video/fbdev/atmel_lcdfb.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/video/fbdev/atmel_lcdfb.c b/drivers/video/fbdev/atmel_lcdfb.c index e06358da4b99..3dee267d7c75 100644 --- a/drivers/video/fbdev/atmel_lcdfb.c +++ b/drivers/video/fbdev/atmel_lcdfb.c @@ -1119,7 +1119,7 @@ static int atmel_lcdfb_of_init(struct atmel_lcdfb_info *sinfo) goto put_display_node; } - timings_np = of_find_node_by_name(display_np, "display-timings"); + timings_np = of_get_child_by_name(display_np, "display-timings"); if (!timings_np) { dev_err(dev, "failed to find display-timings node\n"); ret = -ENODEV; @@ -1140,6 +1140,12 @@ static int atmel_lcdfb_of_init(struct atmel_lcdfb_info *sinfo) fb_add_videomode(&fb_vm, &info->modelist); } + /* + * FIXME: Make sure we are not referencing any fields in display_np + * and timings_np and drop our references to them before returning to + * avoid leaking the nodes on probe deferral and driver unbind. + */ + return 0; put_timings_node: -- 2.15.0

6 years, 10 months

2
1
0 0

[Linux-stable-mirror] FAILED: patch "[PATCH] MIPS: math-emu: Fix final emulation phase for certain" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 409fcace9963c1e8d2cb0f7ac62e8b34d47ef979 Mon Sep 17 00:00:00 2001 From: Aleksandar Markovic <aleksandar.markovic(a)mips.com> Date: Thu, 2 Nov 2017 12:13:58 +0100 Subject: [PATCH] MIPS: math-emu: Fix final emulation phase for certain instructions Fix final phase of <CLASS|MADDF|MSUBF|MAX|MIN|MAXA|MINA>.<D|S> emulation. Provide proper generation of SIGFPE signal and updating debugfs FP exception stats in cases of any exception flags set in preceding phases of emulation. CLASS.<D|S> instruction may generate "Unimplemented Operation" FP exception. <MADDF|MSUBF>.<D|S> instructions may generate "Inexact", "Unimplemented Operation", "Invalid Operation", "Overflow", and "Underflow" FP exceptions. <MAX|MIN|MAXA|MINA>.<D|S> instructions can generate "Unimplemented Operation" and "Invalid Operation" FP exceptions. The proper final processing of the cases when any FP exception flag is set is achieved by replacing "break" statement with "goto copcsr" statement. With such solution, this patch brings the final phase of emulation of the above instructions consistent with the one corresponding to the previously implemented emulation of other related FPU instructions (ADD, SUB, etc.). Fixes: 38db37ba069f ("MIPS: math-emu: Add support for the MIPS R6 CLASS FPU instruction") Fixes: e24c3bec3e8e ("MIPS: math-emu: Add support for the MIPS R6 MADDF FPU instruction") Fixes: 83d43305a1df ("MIPS: math-emu: Add support for the MIPS R6 MSUBF FPU instruction") Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU instruction") Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU instruction") Signed-off-by: Aleksandar Markovic <aleksandar.markovic(a)mips.com> Cc: Ralf Baechle <ralf(a)linux-mips.org> Cc: Douglas Leung <douglas.leung(a)mips.com> Cc: Goran Ferenc <goran.ferenc(a)mips.com> Cc: "Maciej W. Rozycki" <macro(a)imgtec.com> Cc: Miodrag Dinic <miodrag.dinic(a)mips.com> Cc: Paul Burton <paul.burton(a)mips.com> Cc: Petar Jovanovic <petar.jovanovic(a)mips.com> Cc: Raghu Gandham <raghu.gandham(a)mips.com> Cc: linux-mips(a)linux-mips.org Cc: <stable(a)vger.kernel.org> # 4.3+ Patchwork: https://patchwork.linux-mips.org/patch/17581/ Signed-off-by: James Hogan <jhogan(a)kernel.org> diff --git a/arch/mips/math-emu/cp1emu.c b/arch/mips/math-emu/cp1emu.c index 192542dbd972..d2fcb3084279 100644 --- a/arch/mips/math-emu/cp1emu.c +++ b/arch/mips/math-emu/cp1emu.c @@ -1795,7 +1795,7 @@ static int fpu_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx, SPFROMREG(fs, MIPSInst_FS(ir)); SPFROMREG(fd, MIPSInst_FD(ir)); rv.s = ieee754sp_maddf(fd, fs, ft); - break; + goto copcsr; } case fmsubf_op: { @@ -1809,7 +1809,7 @@ static int fpu_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx, SPFROMREG(fs, MIPSInst_FS(ir)); SPFROMREG(fd, MIPSInst_FD(ir)); rv.s = ieee754sp_msubf(fd, fs, ft); - break; + goto copcsr; } case frint_op: { @@ -1834,7 +1834,7 @@ static int fpu_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx, SPFROMREG(fs, MIPSInst_FS(ir)); rv.w = ieee754sp_2008class(fs); rfmt = w_fmt; - break; + goto copcsr; } case fmin_op: { @@ -1847,7 +1847,7 @@ static int fpu_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx, SPFROMREG(ft, MIPSInst_FT(ir)); SPFROMREG(fs, MIPSInst_FS(ir)); rv.s = ieee754sp_fmin(fs, ft); - break; + goto copcsr; } case fmina_op: { @@ -1860,7 +1860,7 @@ static int fpu_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx, SPFROMREG(ft, MIPSInst_FT(ir)); SPFROMREG(fs, MIPSInst_FS(ir)); rv.s = ieee754sp_fmina(fs, ft); - break; + goto copcsr; } case fmax_op: { @@ -1873,7 +1873,7 @@ static int fpu_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx, SPFROMREG(ft, MIPSInst_FT(ir)); SPFROMREG(fs, MIPSInst_FS(ir)); rv.s = ieee754sp_fmax(fs, ft); - break; + goto copcsr; } case fmaxa_op: { @@ -1886,7 +1886,7 @@ static int fpu_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx, SPFROMREG(ft, MIPSInst_FT(ir)); SPFROMREG(fs, MIPSInst_FS(ir)); rv.s = ieee754sp_fmaxa(fs, ft); - break; + goto copcsr; } case fabs_op: @@ -2165,7 +2165,7 @@ static int fpu_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx, DPFROMREG(fs, MIPSInst_FS(ir)); DPFROMREG(fd, MIPSInst_FD(ir)); rv.d = ieee754dp_maddf(fd, fs, ft); - break; + goto copcsr; } case fmsubf_op: { @@ -2179,7 +2179,7 @@ static int fpu_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx, DPFROMREG(fs, MIPSInst_FS(ir)); DPFROMREG(fd, MIPSInst_FD(ir)); rv.d = ieee754dp_msubf(fd, fs, ft); - break; + goto copcsr; } case frint_op: { @@ -2204,7 +2204,7 @@ static int fpu_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx, DPFROMREG(fs, MIPSInst_FS(ir)); rv.l = ieee754dp_2008class(fs); rfmt = l_fmt; - break; + goto copcsr; } case fmin_op: { @@ -2217,7 +2217,7 @@ static int fpu_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx, DPFROMREG(ft, MIPSInst_FT(ir)); DPFROMREG(fs, MIPSInst_FS(ir)); rv.d = ieee754dp_fmin(fs, ft); - break; + goto copcsr; } case fmina_op: { @@ -2230,7 +2230,7 @@ static int fpu_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx, DPFROMREG(ft, MIPSInst_FT(ir)); DPFROMREG(fs, MIPSInst_FS(ir)); rv.d = ieee754dp_fmina(fs, ft); - break; + goto copcsr; } case fmax_op: { @@ -2243,7 +2243,7 @@ static int fpu_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx, DPFROMREG(ft, MIPSInst_FT(ir)); DPFROMREG(fs, MIPSInst_FS(ir)); rv.d = ieee754dp_fmax(fs, ft); - break; + goto copcsr; } case fmaxa_op: { @@ -2256,7 +2256,7 @@ static int fpu_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx, DPFROMREG(ft, MIPSInst_FT(ir)); DPFROMREG(fs, MIPSInst_FS(ir)); rv.d = ieee754dp_fmaxa(fs, ft); - break; + goto copcsr; } case fabs_op:

6 years, 11 months

2
2
0 0

[Linux-stable-mirror] [PATCH V2] block-throttle: avoid double charge

by Shaohua Li

If a bio is throttled and splitted after throttling, the bio could be resubmited and enters the throttling again. This will cause part of the bio is charged multiple times. If the cgroup has an IO limit, the double charge will significantly harm the performance. The bio split becomes quite common after arbitrary bio size change. To fix this, we always set the BIO_THROTTLED flag if a bio is throttled. If the bio is cloned/slitted, we copy the flag to new bio too to avoid double charge. However cloned bio could be directed to a new disk, keeping the flag will have problem. The observation is we always set new disk for the bio in this case, so we can clear the flag in bio_set_dev(). This issue exists a long time, arbitrary bio size change makes it worse, so this should go into stable at least since v4.2. V1-> V2: Not add extra field in bio based on discussion with Tejun Cc: Tejun Heo <tj(a)kernel.org> Cc: Vivek Goyal <vgoyal(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: Shaohua Li <shli(a)fb.com> --- block/bio.c | 2 ++ block/blk-throttle.c | 8 +------- include/linux/bio.h | 2 ++ 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/block/bio.c b/block/bio.c index 8338304..d1d4d51 100644 --- a/block/bio.c +++ b/block/bio.c @@ -598,6 +598,8 @@ void __bio_clone_fast(struct bio *bio, struct bio *bio_src) */ bio->bi_disk = bio_src->bi_disk; bio_set_flag(bio, BIO_CLONED); + if (bio_flagged(bio_src, BIO_THROTTLED)) + bio_set_flag(bio, BIO_THROTTLED); bio->bi_opf = bio_src->bi_opf; bio->bi_write_hint = bio_src->bi_write_hint; bio->bi_iter = bio_src->bi_iter; diff --git a/block/blk-throttle.c b/block/blk-throttle.c index ee6d7b0..f90fec1 100644 --- a/block/blk-throttle.c +++ b/block/blk-throttle.c @@ -2222,13 +2222,7 @@ bool blk_throtl_bio(struct request_queue *q, struct blkcg_gq *blkg, out_unlock: spin_unlock_irq(q->queue_lock); out: - /* - * As multiple blk-throtls may stack in the same issue path, we - * don't want bios to leave with the flag set. Clear the flag if - * being issued. - */ - if (!throttled) - bio_clear_flag(bio, BIO_THROTTLED); + bio_set_flag(bio, BIO_THROTTLED); #ifdef CONFIG_BLK_DEV_THROTTLING_LOW if (throttled || !td->track_bio_latency) diff --git a/include/linux/bio.h b/include/linux/bio.h index 9c75f58..27b5bac 100644 --- a/include/linux/bio.h +++ b/include/linux/bio.h @@ -504,6 +504,8 @@ extern unsigned int bvec_nr_vecs(unsigned short idx); #define bio_set_dev(bio, bdev) \ do { \ + if ((bio)->bi_disk != (bdev)->bd_disk) \ + bio_clear_flag(bio, BIO_THROTTLED);\ (bio)->bi_disk = (bdev)->bd_disk; \ (bio)->bi_partno = (bdev)->bd_partno; \ } while (0) -- 2.9.5

6 years, 11 months

5
4
0 0

[Linux-stable-mirror] [PATCH 4.13 00/28] 4.13.15-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.13.15 release. There are 28 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Tue Nov 21 14:42:57 UTC 2017. Anything received after that time might be too late. The whole patch series can be found in one patch at: kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.13.15-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.13.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.13.15-rc1 Hans de Goede <hdegoede(a)redhat.com> staging: rtl8188eu: Revert 4 commits breaking ARP Hans de Goede <hdegoede(a)redhat.com> staging: vboxvideo: Fix reporting invalid suggested-offset-properties Johan Hovold <johan(a)kernel.org> staging: greybus: spilib: fix use-after-free after deregistration Gilad Ben-Yossef <gilad(a)benyossef.com> staging: ccree: fix 64 bit scatter/gather DMA ops Huacai Chen <chenhc(a)lemote.com> staging: sm750fb: Fix parameter mistake in poke32 Aditya Shankar <aditya.shankar(a)microchip.com> staging: wilc1000: Fix bssid buffer offset in Txq Jason Gerecke <killertofu(a)gmail.com> HID: wacom: generic: Recognize WACOM_HID_WD_PEN as a type of pen collection Sébastien Szymanski <sebastien.szymanski(a)armadeus.com> HID: cp2112: add HIDRAW dependency Hans de Goede <hdegoede(a)redhat.com> platform/x86: peaq_wmi: Fix missing terminating entry for peaq_dmi_table Hans de Goede <hdegoede(a)redhat.com> platform/x86: peaq-wmi: Add DMI check before binding to the WMI interface Yazen Ghannam <yazen.ghannam(a)amd.com> x86/MCE/AMD: Always give panic severity for UC errors in kernel context Andy Lutomirski <luto(a)kernel.org> selftests/x86/protection_keys: Fix syscall NR redefinition warnings Johan Hovold <johan(a)kernel.org> USB: serial: garmin_gps: fix memory leak on probe errors Johan Hovold <johan(a)kernel.org> USB: serial: garmin_gps: fix I/O after failed probe and remove Douglas Fischer <douglas.fischer(a)outlook.com> USB: serial: qcserial: add pid/vid for Sierra Wireless EM7355 fw update Lu Baolu <baolu.lu(a)linux.intel.com> USB: serial: Change DbC debug device binding ID Johan Hovold <johan(a)kernel.org> USB: serial: metro-usb: stop I/O after failed open Andrew Gabbasov <andrew_gabbasov(a)mentor.com> usb: gadget: f_fs: Fix use-after-free in ffs_free_inst Bernhard Rosenkraenzer <bernhard.rosenkranzer(a)linaro.org> USB: Add delay-init quirk for Corsair K70 LUX keyboards Alan Stern <stern(a)rowland.harvard.edu> USB: usbfs: compute urb->actual_length for isochronous Lu Baolu <baolu.lu(a)linux.intel.com> USB: early: Use new USB product ID and strings for DbC device raveendra padasalagi <raveendra.padasalagi(a)broadcom.com> crypto: brcm - Explicity ACK mailbox message Eric Biggers <ebiggers(a)google.com> crypto: dh - Don't permit 'key' or 'g' size longer than 'p' Eric Biggers <ebiggers(a)google.com> crypto: dh - Don't permit 'p' to be 0 Eric Biggers <ebiggers(a)google.com> crypto: dh - Fix double free of ctx->p Leif Liddy <leif.linux(a)gmail.com> Bluetooth: btusb: fix QCA Rome suspend/resume Andrey Konovalov <andreyknvl(a)google.com> media: dib0700: fix invalid dvb_detach argument Arvind Yadav <arvind.yadav.cs(a)gmail.com> media: imon: Fix null-ptr-deref in imon_probe ------------- Diffstat: Makefile | 4 +- arch/x86/kernel/cpu/mcheck/mce-severity.c | 7 +- crypto/dh.c | 33 ++++----- crypto/dh_helper.c | 16 ++++ drivers/bluetooth/btusb.c | 6 ++ drivers/crypto/bcm/cipher.c | 101 ++++++++++++-------------- drivers/hid/Kconfig | 2 +- drivers/hid/wacom_wac.h | 1 + drivers/media/rc/imon.c | 5 ++ drivers/media/usb/dvb-usb/dib0700_devices.c | 24 +++--- drivers/platform/x86/peaq-wmi.c | 19 +++++ drivers/staging/ccree/cc_lli_defs.h | 2 +- drivers/staging/greybus/spilib.c | 8 +- drivers/staging/rtl8188eu/core/rtw_recv.c | 83 ++++++++++++--------- drivers/staging/rtl8188eu/os_dep/mon.c | 34 ++------- drivers/staging/sm750fb/ddk750_chip.h | 2 +- drivers/staging/vboxvideo/vbox_drv.h | 8 +- drivers/staging/vboxvideo/vbox_irq.c | 4 +- drivers/staging/vboxvideo/vbox_mode.c | 26 +++++-- drivers/staging/wilc1000/wilc_wlan.c | 2 +- drivers/usb/core/devio.c | 14 ++++ drivers/usb/core/quirks.c | 3 + drivers/usb/early/xhci-dbc.h | 6 +- drivers/usb/gadget/function/f_fs.c | 1 + drivers/usb/serial/garmin_gps.c | 22 +++++- drivers/usb/serial/metro-usb.c | 11 ++- drivers/usb/serial/qcserial.c | 1 + drivers/usb/serial/usb_debug.c | 4 +- tools/testing/selftests/x86/protection_keys.c | 24 ++++-- 29 files changed, 280 insertions(+), 193 deletions(-)

6 years, 11 months

7
43
0 0

[Linux-stable-mirror] [PATCH v2] PCI: keystone: fix interrupt-controller-node lookup

by Johan Hovold

Fix child-node lookup during initialisation which was using the wrong OF-helper and ended up searching the whole device tree depth-first starting at the parent rather than just matching on its children. To make things worse, the parent pci node could end up being prematurely freed as of_find_node_by_name() drops a reference to its first argument. Any matching child interrupt-controller node was also leaked. Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver") Cc: stable <stable(a)vger.kernel.org> # 3.18 Acked-by: Murali Karicheri <m-karicheri2(a)ti.com> Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi(a)arm.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- v2 - amend commit message and mention explicitly that of_find_node_by_name() drops a reference to the start node - add Murali's and Lorenzo's acks drivers/pci/dwc/pci-keystone.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/pci/dwc/pci-keystone.c b/drivers/pci/dwc/pci-keystone.c index 5bee3af47588..39405598b22d 100644 --- a/drivers/pci/dwc/pci-keystone.c +++ b/drivers/pci/dwc/pci-keystone.c @@ -178,7 +178,7 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie, } /* interrupt controller is in a child node */ - *np_temp = of_find_node_by_name(np_pcie, controller); + *np_temp = of_get_child_by_name(np_pcie, controller); if (!(*np_temp)) { dev_err(dev, "Node for %s is absent\n", controller); return -EINVAL; @@ -187,6 +187,7 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie, temp = of_irq_count(*np_temp); if (!temp) { dev_err(dev, "No IRQ entries in %s\n", controller); + of_node_put(*np_temp); return -EINVAL; } @@ -204,6 +205,8 @@ static int ks_pcie_get_irq_controller_info(struct keystone_pcie *ks_pcie, break; } + of_node_put(*np_temp); + if (temp) { *num_irqs = temp; return 0; -- 2.15.0

6 years, 11 months

3
6
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror November 2017