1. 10 Jan, 2019 5 commits
  2. 09 Jan, 2019 19 commits
  3. 08 Jan, 2019 10 commits
    • Amadeusz Sławiński's avatar
      ALSA: usb-audio: fix CM6206 register definitions · f5c9571e
      Amadeusz Sławiński authored
      fix typo after a recent commit causing headphones to have no sound
      
      Fixes: ad43d528 (ALSA: usb-audio: Define registers for CM6206)
      Signed-off-by: default avatarAmadeusz Sławiński <amade@asmblr.net>
      Signed-off-by: Takashi Iwai's avatarTakashi Iwai <tiwai@suse.de>
      f5c9571e
    • David Herrmann's avatar
      fork: record start_time late · 7b558513
      David Herrmann authored
      This changes the fork(2) syscall to record the process start_time after
      initializing the basic task structure but still before making the new
      process visible to user-space.
      
      Technically, we could record the start_time anytime during fork(2).  But
      this might lead to scenarios where a start_time is recorded long before
      a process becomes visible to user-space.  For instance, with
      userfaultfd(2) and TLS, user-space can delay the execution of fork(2)
      for an indefinite amount of time (and will, if this causes network
      access, or similar).
      
      By recording the start_time late, it much closer reflects the point in
      time where the process becomes live and can be observed by other
      processes.
      
      Lastly, this makes it much harder for user-space to predict and control
      the start_time they get assigned.  Previously, user-space could fork a
      process and stall it in copy_thread_tls() before its pid is allocated,
      but after its start_time is recorded.  This can be misused to later-on
      cycle through PIDs and resume the stalled fork(2) yielding a process
      that has the same pid and start_time as a process that existed before.
      This can be used to circumvent security systems that identify processes
      by their pid+start_time combination.
      
      Even though user-space was always aware that start_time recording is
      flaky (but several projects are known to still rely on start_time-based
      identification), changing the start_time to be recorded late will help
      mitigate existing attacks and make it much harder for user-space to
      control the start_time a process gets assigned.
      Reported-by: Jann Horn's avatarJann Horn <jannh@google.com>
      Signed-off-by: Tom Gundersen's avatarTom Gundersen <teg@jklm.no>
      Signed-off-by: David Rheinsberg's avatarDavid Herrmann <dh.herrmann@gmail.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      7b558513
    • Alex Williamson's avatar
      vfio/type1: Fix unmap overflow off-by-one · 58fec830
      Alex Williamson authored
      The below referenced commit adds a test for integer overflow, but in
      doing so prevents the unmap ioctl from ever including the last page of
      the address space.  Subtract one to compare to the last address of the
      unmap to avoid the overflow and wrap-around.
      
      Fixes: 71a7d3d7 ("vfio/type1: silence integer overflow warning")
      Link: https://bugzilla.redhat.com/show_bug.cgi?id=1662291
      Cc: stable@vger.kernel.org # v4.15+
      Reported-by: default avatarPei Zhang <pezhang@redhat.com>
      Debugged-by: default avatarPeter Xu <peterx@redhat.com>
      Reviewed-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: default avatarPeter Xu <peterx@redhat.com>
      Tested-by: default avatarPeter Xu <peterx@redhat.com>
      Reviewed-by: default avatarCornelia Huck <cohuck@redhat.com>
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      58fec830
    • Guo Ren's avatar
      irqchip/csky: fixup handle_irq_perbit break irq · 56752b21
      Guo Ren authored
      The handle_irq_perbit function loop every bit in hwirq local variable.
      
      handle_irq_perbit(hwirq) {
        for_everyt_bit_in(hwirq) {
      	handle_domain_irq()
      		->irq_exit()
      		->invoke_softirq()
      		->__do_softirq()
      		->local_irq_enable() // Here will cause new interrupt.
        }
      }
      
      When new interrupt coming at local_irq_enable, it will finish another
      interrupt handler and pull down the interrupt source. But hwirq is the
      local variable for handle_irq_perbit(), it can't get new interrupt
      controller pending reg status. So we need update hwirq with pending reg
      in every loop.
      
      Also change write_relax to writel could prevent stw from fast retire.
      When local_irq is enabled, intc regs is really set-in.
      Signed-off-by: default avatarGuo Ren <ren_guo@c-sky.com>
      Cc: Lu Baoquan <lu.baoquan@intellif.com>
      56752b21
    • Guo Ren's avatar
      csky: fixup compile error with pte_alloc · 2a60aa14
      Guo Ren authored
      Commit: 4cf58924 remove the address argument of pte_alloc without
      modify csky related code. linux-5.0-rc1 compile failed with csky.
      
      Remove the unnecessary address testing in pte_alloc().
      Signed-off-by: default avatarGuo Ren <ren_guo@c-sky.com>
      Cc: Joel Fernandes (Google) <joel@joelfernandes.org>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      2a60aa14
    • Masahiro Yamada's avatar
      vfio/pci: set TRACE_INCLUDE_PATH to fix the build error · d1fc1176
      Masahiro Yamada authored
      drivers/vfio/pci/vfio_pci_nvlink2.c cannot be compiled for in-tree
      building.
      
          CC      drivers/vfio/pci/vfio_pci_nvlink2.o
        In file included from drivers/vfio/pci/trace.h:102,
                         from drivers/vfio/pci/vfio_pci_nvlink2.c:29:
        ./include/trace/define_trace.h:89:42: fatal error: ./trace.h: No such file or directory
         #include TRACE_INCLUDE(TRACE_INCLUDE_FILE)
                                                ^
        compilation terminated.
        make[1]: *** [scripts/Makefile.build;277: drivers/vfio/pci/vfio_pci_nvlink2.o] Error 1
      
      To fix the build error, let's tell include/trace/define_trace.h the
      location of drivers/vfio/pci/trace.h
      
      Fixes: 7f928917 ("vfio_pci: Add NVIDIA GV100GL [Tesla V100 SXM2] subdriver")
      Reported-by: default avatarLaura Abbott <labbott@redhat.com>
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      Reviewed-by: default avatarCornelia Huck <cohuck@redhat.com>
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      d1fc1176
    • Guo Ren's avatar
      csky: fixup CACHEV1 store instruction fast retire · 96354ad7
      Guo Ren authored
      For I/O access, 810/807 store instruction fast retire will cause wrong
      primitive. For example:
      
      	stw (clear interrupt source)
      	stw (unmask interrupt controller)
      	enable interrupt
      
      stw is fast retire instruction. When PC is run at enable interrupt
      stage, the clear interrupt source hasn't finished. It will cause another
      wrong irq-enter.
      
      So use mb() to prevent above.
      Signed-off-by: default avatarGuo Ren <ren_guo@c-sky.com>
      Cc: Lu Baoquan <lu.baoquan@intellif.com>
      96354ad7
    • Guo Ren's avatar
      csky: fixup relocation error with 807 & 860 · f553aa1c
      Guo Ren authored
      810 doesn't support jsri instruction and csky-as will leave
      jsri + nop for relocation. Module-probe need replace them with
      lrw + jsr.
      Signed-off-by: default avatarGuo Ren <ren_guo@c-sky.com>
      Cc: Hui Kai <huikai@acoinfo.com>
      f553aa1c
    • Christian Lamparter's avatar
      mtd: rawnand: qcom: fix memory corruption that causes panic · 81d9bdf5
      Christian Lamparter authored
      This patch fixes a memory corruption that occurred in the
      qcom-nandc driver since it was converted to nand_scan().
      
      On boot, an affected device will panic from a NPE at a weird place:
      | Unable to handle kernel NULL pointer dereference at virtual address 0
      | pgd = (ptrval)
      | [00000000] *pgd=00000000
      | Internal error: Oops: 80000005 [#1] SMP ARM
      | CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.9 #0
      | Hardware name: Generic DT based system
      | PC is at   (null)
      | LR is at nand_block_isbad+0x90/0xa4
      | pc : [<00000000>]    lr : [<c0592240>]    psr: 80000013
      | sp : cf839d40  ip : 00000000  fp : cfae9e20
      | r10: cf815810  r9 : 00000000  r8 : 00000000
      | r7 : 00000000  r6 : 00000000  r5 : 00000001  r4 : cf815810
      | r3 : 00000000  r2 : cfae9810  r1 : ffffffff  r0 : cf815810
      | Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
      | Control: 10c5387d  Table: 8020406a  DAC: 00000051
      | Process swapper/0 (pid: 1, stack limit = 0x(ptrval))
      | [<c0592240>] (nand_block_isbad) from [<c0580a94>]
      | [<c0580a94>] (allocate_partition) from [<c05811e4>]
      | [<c05811e4>] (add_mtd_partitions) from [<c0581164>]
      | [<c0581164>] (parse_mtd_partitions) from [<c057def4>]
      | [<c057def4>] (mtd_device_parse_register) from [<c059d274>]
      | [<c059d274>] (qcom_nandc_probe) from [<c0567f00>]
      
      The problem is that the nand_scan()'s qcom_nand_attach_chip callback
      is updating the nandc->max_cwperpage from 1 to 4. This causes the
      sg_init_table of clear_bam_transaction() in the driver's
      qcom_nandc_block_bad() to memset much more than what was initially
      allocated by alloc_bam_transaction().
      
      This patch restores the old behavior by reallocating the shared bam
      transaction alloc_bam_transaction() after the chip was identified,
      but before mtd_device_parse_register() (which is an alias for
      mtd_device_register() - see panic) gets called. This fixes the
      corruption and the driver is working again.
      
      Cc: stable@vger.kernel.org
      Fixes: 6a3cec64 ("mtd: rawnand: qcom: convert driver to nand_scan()")
      Signed-off-by: default avatarChristian Lamparter <chunkeey@gmail.com>
      Acked-by: default avatarMiquel Raynal <miquel.raynal@bootlin.com>
      Signed-off-by: default avatarBoris Brezillon <bbrezillon@kernel.org>
      81d9bdf5
    • Dan Carpenter's avatar
      ALSA: cs46xx: Potential NULL dereference in probe · 1524f4e4
      Dan Carpenter authored
      The "chip->dsp_spos_instance" can be NULL on some of the ealier error
      paths in snd_cs46xx_create().
      Reported-by: default avatar"Yavuz, Tuba" <tuba@ece.ufl.edu>
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai's avatarTakashi Iwai <tiwai@suse.de>
      1524f4e4
  4. 07 Jan, 2019 6 commits
    • Guo Ren's avatar
      Documentation/features: Add csky kernel features · 8a5aaf97
      Guo Ren authored
            core/ cBPF-JIT             : TODO |
            core/ eBPF-JIT             : TODO |
            core/ generic-idle-thread  :  ok  |
            core/ jump-labels          : TODO |
            core/ tracehook            :  ok  |
           debug/ KASAN                : TODO |
           debug/ gcov-profile-all     : TODO |
           debug/ kgdb                 : TODO |
           debug/ kprobes-on-ftrace    : TODO |
           debug/ kprobes              : TODO |
           debug/ kretprobes           : TODO |
           debug/ optprobes            : TODO |
           debug/ stackprotector       : TODO |
           debug/ uprobes              : TODO |
           debug/ user-ret-profiler    : TODO |
              io/ dma-contiguous       :  ok  |
         locking/ cmpxchg-local        : TODO |
         locking/ lockdep              : TODO |
         locking/ queued-rwlocks       :  ok  |
         locking/ queued-spinlocks     : TODO |
         locking/ rwsem-optimized      : TODO |
            perf/ kprobes-event        : TODO |
            perf/ perf-regs            : TODO |
            perf/ perf-stackdump       : TODO |
           sched/ membarrier-sync-core : TODO |
           sched/ numa-balancing       :  ..  |
         seccomp/ seccomp-filter       : TODO |
            time/ arch-tick-broadcast  : TODO |
            time/ clockevents          :  ok  |
            time/ context-tracking     : TODO |
            time/ irq-time-acct        : TODO |
            time/ modern-timekeeping   :  ok  |
            time/ virt-cpuacct         : TODO |
              vm/ ELF-ASLR             : TODO |
              vm/ PG_uncached          : TODO |
              vm/ THP                  :  ..  |
              vm/ batch-unmap-tlb-flush: TODO |
              vm/ huge-vmap            : TODO |
              vm/ ioremap_prot         : TODO |
              vm/ numa-memblock        :  ..  |
              vm/ pte_special          : TODO |
      Signed-off-by: default avatarGuo Ren <ren_guo@c-sky.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      8a5aaf97
    • Boris Brezillon's avatar
      mtd: Check add_mtd_device() ret code · 2b6f0090
      Boris Brezillon authored
      add_mtd_device() can fail. We should always check its return value
      and gracefully handle the failure case. Fix the call sites where this
      not done (in mtdpart.c) and add a __must_check attribute to the
      prototype to avoid this kind of mistakes.
      Signed-off-by: default avatarBoris Brezillon <bbrezillon@kernel.org>
      2b6f0090
    • Boris Brezillon's avatar
      mtd: Fix the check on nvmem_register() ret code · 19e16fb4
      Boris Brezillon authored
      Commit 20167b70 ("nvmem: use EOPNOTSUPP instead of ENOSYS") changed
      the nvmem_register() ret code from ENOSYS to EOPNOTSUPP when
      CONFIG_NVMEM is not enabled, but the check in mtd_nvmem_add() was not
      adjusted accordingly.
      
      Cc: Bartosz Golaszewski <brgl@bgdev.pl>
      Cc: Alban Bedel <albeu@free.fr>
      Fixes: c4dfa25a ("mtd: add support for reading MTD devices via the nvmem API")
      Reported-by: default avatarkernel test robot <rong.a.chen@intel.com>
      Signed-off-by: default avatarBoris Brezillon <bbrezillon@kernel.org>
      Reviewed-by: default avatarBartosz Golaszewski <bgolaszewski@baylibre.com>
      Signed-off-by: default avatarBoris Brezillon <bbrezillon@kernel.org>
      19e16fb4
    • Kailang Yang's avatar
      ALSA: hda/realtek - Support Dell headset mode for New AIO platform · c2a7c55a
      Kailang Yang authored
      Dell has new platform for ALC274.
      This will support to enable headset mode.
      Signed-off-by: default avatarKailang Yang <kailang@realtek.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai's avatarTakashi Iwai <tiwai@suse.de>
      c2a7c55a
    • Hui Peng's avatar
      ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks · cbb2ebf7
      Hui Peng authored
      In `create_composite_quirk`, the terminating condition of for loops is
      `quirk->ifnum < 0`. So any composite quirks should end with `struct
      snd_usb_audio_quirk` object with ifnum < 0.
      
          for (quirk = quirk_comp->data; quirk->ifnum >= 0; ++quirk) {
      
          	.....
          }
      
      the data field of Bower's & Wilkins PX headphones usb device device quirks
      do not end with {.ifnum = -1}, wihch may result in out-of-bound read.
      
      This Patch fix the bug by adding an ending quirk object.
      
      Fixes: 240a8af9 ("ALSA: usb-audio: Add a quirck for B&W PX headphones")
      Signed-off-by: default avatarHui Peng <benquike@163.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai's avatarTakashi Iwai <tiwai@suse.de>
      cbb2ebf7
    • Takashi Iwai's avatar
      ALSA: usb-audio: Always check descriptor sizes in parser code · 3e96d728
      Takashi Iwai authored
      There are a few places where we access the data without checking the
      actual object size from the USB audio descriptor.  This may result in
      OOB access, as recently reported.
      
      This patch addresses these missing checks.  Most of added codes are
      simple bLength checks in the caller side.  For the input and output
      terminal parsers, we put the length check in the parser functions.
      For the input terminal, a new argument is added to distinguish between
      UAC1 and the rest, as they treat different objects.
      Reported-by: default avatarMathias Payer <mathias.payer@nebelwelt.net>
      Reported-by: default avatarHui Peng <benquike@163.com>
      Tested-by: default avatarHui Peng <benquike@163.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai's avatarTakashi Iwai <tiwai@suse.de>
      3e96d728