Fix to clear enable/disable/change source handlers in the media device
when media device is unregistered in au0828_unregister_media_device().
When au0828 module is removed, snd-usb-audio shouldn't call the handlers.
Clearing will ensure snd-usb-audio won't call them once au0828 is removed.
[mchehab@osg.samsung.com: fix a compilation breakage]
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
A previous patch removing dtv_demod needed to be rebased,
but the hunk removing the data was not merged by mistake.
Fixes: 840f5b0572 ('media: au0828 disable tuner to demod link in au0828_media_device_register()']
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
For au0828_enable_source() to work, the tuner links should be
disabled and the tuner/decoder should be cached at au0828 struct.
While here, put dev->decoder cache together with dev->tuner, as
it makes easier to drop both latter if/when we move the enable
routines to the V4L2 core.
Fixes: 9822f4173f ('[media] au0828: use v4l2_mc_create_media_graph()')
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Reviewed-by: Shuah Khan <shuahkh@osg.samsung.com>
Tested-by: Shuah Khan <shuahkh@osg.samsung.com>
If first_bad == this_sector when we get the WriteMostly disk
in read_balance(), valid disk will be returned with zero
max_sectors. It'll lead to a dead loop in make_request(), and
OOM will happen because of endless allocation of struct bio.
Since we can't get data from this disk in this case, so
continue for another disk.
Signed-off-by: Wei Fang <fangwei1@huawei.com>
Signed-off-by: Shaohua Li <shli@fb.com>
The driver can be crashed with devices that expose crafted descriptors
with too few endpoints.
See: http://seclists.org/bugtraq/2016/Mar/61
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
[johan: fix OOB endpoint check and add error messages ]
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
An attack using the lack of sanity checking in probe is known. This
patch checks for the existence of a second port.
CVE-2016-3136
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org
[johan: add error message ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and
create_uaxx_quirk() functions allocate the audioformat object by themselves
and free it upon error before returning. However, once the object is linked
to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be
double-freed, eventually resulting in a memory corruption.
This patch fixes these failures in the error paths by unlinking the audioformat
object before freeing it.
Based on a patch by Takashi Iwai <tiwai@suse.de>
[Note for stable backports:
this patch requires the commit 902eb7fd1e ('ALSA: usb-audio: Minor
code cleanup in create_fixed_stream_quirk()')]
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Cc: <stable@vger.kernel.org> # see the note above
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
This was quite an oversight. After a readdir, the module could not be
unloaded, the number of slots is wrong, and memory near the slot bitmap
is possibly corrupt. Oops.
Signed-off-by: Martin Brandenburg <martin@omnibond.com>
The utilization update hook in the intel_pstate driver is set too
early, as it only should be set after the policy has been fully
initialized by the core. That may cause intel_pstate_update_util()
to use incorrect data and put the CPUs into incorrect P-states as
a result.
To prevent that from happening, make intel_pstate_set_policy() set
the utilization update hook instead of intel_pstate_init_cpu() so
intel_pstate_update_util() only runs when all things have been
initialized as appropriate.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Jeff Kirsher says:
====================
Intel Wired LAN Driver Updates 2016-03-29
This series contains fixes to ixgbe and ixgbevf.
Tushar fixes an issue which was introduced with an earlier commit, where
hardware register RAR0 default MAC address does not get set properly.
Alex fixes two issues, first being the VXLAN port number should be stored
in network order instead of in host order. The second fix corrects the ATR
code to handle IPv6 extension headers. The issue was ATR code was assuming
that it would be able to use tcp_hdr for every TCP frame that came through,
but that is not the case, which resulted in bad filters being setup.
Mark fixes a use of usleep_range() to udelay() in the case where a lock
is being held.
Stefan fixes the offline self tests where ndo_stop() should be used instead
of ndo_close(), which causes IFF_UP to be cleared and interface routes get
removed.
Emil fixes the error case where we need to return an error when a MAC
address change is rejected by the PF. This helps prevent the user from
modifying the MAC address when the operation is not permitted.
Sridhar provides three fixes for ixgbe, all dealing with traffic class
offload handling.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
A sequence of pairs [class_idx -> corresponding chain_key iteration]
is printed for both the current held_lock chain and the cached chain.
That exposes the two different class_idx sequences that led to that
particular hash value.
This helps with debugging hash chain collision reports.
Signed-off-by: Alfredo Alvarez Fernandez <alfredoalvarezfernandez@gmail.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-fsdevel@vger.kernel.org
Cc: sedat.dilek@gmail.com
Cc: tytso@mit.edu
Link: http://lkml.kernel.org/r/1459357416-19190-1-git-send-email-alfredoalvarezernandez@gmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
This commit fixes garbled audio on Polaris-10/11 variants
Signed-off-by: Maruthi Bayyavarapu <maruthi.bayyavarapu@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Acked-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Pull parisc fixes from Helge Deller:
"Fix seccomp filter support and SIGSYS signals on compat kernel.
Both patches are tagged for v4.5 stable kernel"
* 'parisc-4.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
parisc: Fix and enable seccomp filter support
parisc: Fix SIGSYS signals in compat case
Pull vfs fix from Al Viro.
Automount handling was broken by commit e3c1392808 ("namei: massage
lookup_slow() to be usable by lookup_one_len_unlocked()") moving the
test for negative dentry too early.
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
fix the braino in "namei: massage lookup_slow() to be usable by lookup_one_len_unlocked()"
- Prevent NULL dereference in the Xgene driver
- Fix an uninitialized spinlock in the menz127 driver
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJW/NY4AAoJEEEQszewGV1z0DoQAJmNSTJnLBrx91NCiklZQFi2
d8plB1CiyuZklqP2sR9g+CzbVIx2u2kNTe0vR4U0R8XdOpO7ozphLWgPBn83FZ2E
c3OCvwvKnHe0W+75g5ljVgYzTiC1OuOAN45Mgx01vLIOsEKk39hGrW7Wh+LuTam7
yHEf7qZljt7mDXqzHjs/ZEkuwHi2dpQN1sWTjJtmpo48P6kUuD0eibdYzrxgSgOS
qcHZNPOejdcZK9rTGoAPt3JTMHPImXmhNonie53t5jlKOEkZ/fwNLGbEpr+YI84B
CZK5b41Yl//4tnmiI1AFuz9fpQEPF+WxJzzu9/uqry/bx9z53IXbwWhwZqJ5wX9L
xuMFVPSwliBx58B/+1rH50g8iwWm0CAjjxbi4zBrkk3DlmJbl2lS06JSrd9j7Kfh
Y/xAxRx15QyhCtVS3LWz6mNbL02k43urv2TQj+ajDiDXEwt8Hdxup7pq3LnbTtcN
GU5NOs3boBv5jX5yCVV+tukm2apoxkE/cQR0OCi/spHllZi+aokOWN9pcrLH2mDl
3NIPHxooquQT6Xww7aXLDvnas8oHPOffuRvggGa/z2b69nT3RbO9poJS/0QK2F31
2Xb2euVZW38NxzyzTWlrVceGBsxQfQPuS9B9Wih/5JOkfAfrPIVqPibvWgzYv1uu
K3UzEw4thAlUqgyAMi1u
=l6OY
-----END PGP SIGNATURE-----
Merge tag 'gpio-v4.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio
Pull GPIO fixes from Linus Walleij:
"Here are two GPIO fixes for the v4.6 series, both in drivers:
- Prevent NULL dereference in the Xgene driver
- Fix an uninitialized spinlock in the menz127 driver"
* tag 'gpio-v4.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
gpio: xgene: Prevent NULL pointer dereference
gpio: menz127: Drop lock field from struct men_z127_gpio
Pull nvdimm mcsafe_memcpy use from Dan Williams:
"Now that mcsafe_memcpy() has landed, and the return value was been
clarified in commit cbf8b5a2b6 ("x86/mm, x86/mce: Fix return
type/value for memcpy_mcsafe()"), let's hook up its primary usage in
the pmem driver.
The compilation problems from the initial posting have been fixed,
this has appeared in a -next release with no reported issues, and it
picked up an ack from Ingo. There is no pressing need to merge this
in 4.6- rc2. However, if we wait until 4.7 the new memcpy_mcsafe()
capability will ship without a user in 4.6-final"
* 'libnvdimm-for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
x86, pmem: use memcpy_mcsafe() for memcpy_from_pmem()
The seccomp filter support requires careful handling of task registers. This
includes reloading of the return value (%r28) and proper syscall exit if
secure_computing() returned -1.
Additionally we need to sign-extend the syscall number from signed 32bit to
signed 64bit in do_syscall_trace_enter() since the ptrace interface only allows
storing 32bit values in compat mode.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org # v4.5
For this SoC the register offsets changed from previous versions to be
separated by a larger amount.
Signed-off-by: Matthew McClintock <mmcclint@codeaurora.org>
Acked-by: Björn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Without this, we would fail to set the mode to gpio if trying to
configure for that mode
Signed-off-by: Matthew McClintock <mmcclint@codeaurora.org>
Acked-by: Björn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
This should have been bumped to 100 when the extra pins
were added in the original pinctrl patch
Signed-off-by: Matthew McClintock <mmcclint@codeaurora.org>
Acked-by: Björn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
imx doesn't have any functions for setting the gamma table, so this is
completely defunct.
Not nice to lie to userspace, so let's stop!
Cc: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Just as the function ipu_dmfc_config_wait4eot() tells, the DMFC wait4eot bit
depends on the number of DMFC slots to be used, so it should be called after
the slots are determined in the function ipu_dmfc_alloc_bandwidth().
Based on tests, this patch may eliminate display distortion issue on overlay
plane with small resolutions. To reproduce the issue, we may run this drm
modetest case - 'modetest -P 19:64x64'.
Signed-off-by: Liu Ying <gnuiyl@gmail.com>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
The function name 'ipu_dmfc_config_wait4eot' matches the implementation of
the function better than 'ipu_dmfc_init_channel', since it only touches the
wait4eot bits.
Signed-off-by: Liu Ying <gnuiyl@gmail.com>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Since the function ipu_dmfc_init_channel() always returns zero, we may
change the return type to void to simplify the code.
Signed-off-by: Liu Ying <gnuiyl@gmail.com>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
To avoid race condition issue, we should protect the function
ipu_dmfc_init_channel() with the mutex dmfc->priv->mutex, since it
configures the register DMFC_GENERAL1 at runtime which contains
several control bits for various display channels. This matches
better with fine grained locking logic in upper layer.
Signed-off-by: Liu Ying <gnuiyl@gmail.com>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
The IMX dw_hdmi driver just called platform_set_drvdata() to get
your hopes up that maybe, somehow, you'd be able to retrieve the 'struct
imx_hdmi' from a pointer to the 'struct device'. You can't. When
we call dw_hdmi_bind() the main driver calls dev_set_drvdata(), which
clobbers our setting.
Let's just remove the platform_set_drvdata() to avoid dashing people's
hopes.
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
The drm_encoder_cleanup() was missing both from the error path of
dw_hdmi_imx_bind(). This caused a crash when slub_debug was
enabled and we ended up deferring probe of HDMI at boot.
This call isn't needed from unbind() because if dw_hdmi_bind() returns
no error then it takes over the job of freeing the encoder (in
dw_hdmi_unbind).
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
The driver already advertises multi-planar YUV support, but
previously the U/V offset and stride setup was missing.
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
The IPU addresses multiplanar formats using a base address and relative
offsets for the secondary planes. Since those offsets must be positive
and not too large, and none of the plane parameters except the base address
may be changed while scanout is active, store the pitches and u/v offsets
and check all values against IDMAC limitations.
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Let ipu_cpmem_set_yuv_planar_full take a DRM_FORMAT instead of a
V4L2_PIXFMT and allow better control over U/V stride, U offset and
V offset settings in the CPMEM.
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Pull up was reported as pull down and vice versa. Fix this.
Fixes: 8f1774a2a9 "pinctrl: nomadik: improve GPIO debug prints"
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
When the kernel is running at EL2, it doesn't need init_hyp_mode() to
configure page tables for HYP. This function also registers the CPU
hotplug and lower power notifiers that cause HYP to be re-initialised
after the CPU has been reset.
To avoid losing the register state that controls stage2 translation, move
the registering of these notifiers into init_subsystems(), and add a
is_kernel_in_hyp_mode() path to each callback.
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Acked-by: Christoffer Dall <christoffer.dall@linaro.org>
Fixes: 1e947bad0b ("arm64: KVM: Skip HYP setup when already running in HYP")
Signed-off-by: James Morse <james.morse@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
In the error path, event_file not being NULL is used to determine
whether the event itself still needs to be free'd, so fix it up to
avoid leaking.
Reported-by: Leon Yu <chianglungyu@gmail.com>
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Fixes: 130056275a ("perf: Do not double free")
Link: http://lkml.kernel.org/r/87twk06yxp.fsf@ashishki-desk.ger.corp.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Stephane reported that commit:
3cbaa59069 ("perf: Fix ctx time tracking by introducing EVENT_TIME")
introduced a regression wrt. time tracking, as easily observed by:
> This patch introduce a bug in the time tracking of events when
> multiplexing is used.
>
> The issue is easily reproducible with the following perf run:
>
> $ perf stat -a -C 0 -e branches,branches,branches,branches,branches,branches -I 1000
> 1.000730239 652,394 branches (66.41%)
> 1.000730239 597,809 branches (66.41%)
> 1.000730239 593,870 branches (66.63%)
> 1.000730239 651,440 branches (67.03%)
> 1.000730239 656,725 branches (66.96%)
> 1.000730239 <not counted> branches
>
> One branches event is shown as not having run. Yet, with
> multiplexing, all events should run especially with a 1s (-I 1000)
> interval. The delta for time_running comes out to 0. Yet, the event
> has run because the kernel is actually multiplexing the events. The
> problem is that the time tracking is the kernel and especially in
> ctx_sched_out() is wrong now.
>
> The problem is that in case that the kernel enters ctx_sched_out() with the
> following state:
> ctx->is_active=0x7 event_type=0x1
> Call Trace:
> [<ffffffff813ddd41>] dump_stack+0x63/0x82
> [<ffffffff81182bdc>] ctx_sched_out+0x2bc/0x2d0
> [<ffffffff81183896>] perf_mux_hrtimer_handler+0xf6/0x2c0
> [<ffffffff811837a0>] ? __perf_install_in_context+0x130/0x130
> [<ffffffff810f5818>] __hrtimer_run_queues+0xf8/0x2f0
> [<ffffffff810f6097>] hrtimer_interrupt+0xb7/0x1d0
> [<ffffffff810509a8>] local_apic_timer_interrupt+0x38/0x60
> [<ffffffff8175ca9d>] smp_apic_timer_interrupt+0x3d/0x50
> [<ffffffff8175ac7c>] apic_timer_interrupt+0x8c/0xa0
>
> In that case, the test:
> if (is_active & EVENT_TIME)
>
> will be false and the time will not be updated. Time must always be updated on
> sched out.
Fix this by always updating time if EVENT_TIME was set, as opposed to
only updating time when EVENT_TIME changed.
Reported-by: Stephane Eranian <eranian@google.com>
Tested-by: Stephane Eranian <eranian@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: kan.liang@intel.com
Cc: namhyung@kernel.org
Fixes: 3cbaa59069 ("perf: Fix ctx time tracking by introducing EVENT_TIME")
Link: http://lkml.kernel.org/r/20160329072644.GB3408@twins.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
- Fix determination of a callchain node's childlessness in
the top/report TUI, which was preventing navigating some
callchains, --stdio unnaffected (Andres Freund)
- Fix jitdump's genelf assumption that PowerPC is big endian
only (Anton Blanchard)
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJW/E8lAAoJENZQFvNTUqpA0DAQAKla2HujOsB8P1ZppvnVoBe5
YqLrW3ePesc8oSzU7daWHnBonO0Twrrhrd1E1daBsTqamRnjvXRdJsLRROX4oEKj
2nTjGT2oieTJ2Zqch5a+j+Z8DL94EdNijgGcoXovI/N/E4t5VU+no3iTG6i8EaVp
LPFfINT0UtRIqVPzXqd25c+LxSHYsuH4Y0qRypDUPiJ9umpr6mlelBMBxnLCfzxs
mV4V7XeSSm2zVfy1rYiZ1CHe7tYSVpenaihKiq7m0p5nUjNAofbloIr+b99ppwTr
HCrgTxz+xm9AFiMYHrz4kDbrcT5ud3BJ9N2a/eA0xLsTJIMkLtpleqjjLgjTLIs9
/b6j/tEK0Qv39ZxZNLFwOO7kcqSGs8MVTp2lSTGnjzX1HEEIByh1hJ9z185Jo7Rq
0+iAYf2yrKC5ELhFmrhcA/aXH2AheFAaZ/vZR7+2WhGEhmU3cNr+JH4qfjc4SYXy
wGn7AXVBygc72PQ1Zc5UI/pvRtlg72BcFZD4jo0Nfh74eWGP9aKSezl505MwXWx8
IQCxZKaxpcKjPAqfs2qWZR9OYb2rl+23ZDyD4wZ73P5sANIPUXYBEVy8rqhoGp4M
eOh4d7+fPf+5wmxWNK+ON7cIE1WVKsqB+M+7/K74U9HXBzf88orPov/2xTFU6qEQ
VJuj5JHXfzmkwofqayk6
=GmW5
-----END PGP SIGNATURE-----
Merge tag 'perf-urgent-for-mingo-20160330' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/urgent
Pull perf/urgent fixes from Arnaldo Carvalho de Melo:
- Fix determination of a callchain node's childlessness in
the top/report TUI, which was preventing navigating some
callchains, --stdio unnaffected (Andres Freund)
- Fix jitdump's genelf assumption that PowerPC is big endian
only (Anton Blanchard)
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
commit b37d83a6a4 ("usb: Parse the new USB 3.1 SuperSpeedPlus Isoc
endpoint companion descriptor") caused a regression in 4.6-rc1 and fails
to parse SuperSpeed endpoint companion descriptors.
The new SuperSpeedPlus Isoc endpoint companion parsing code incorrectly
decreased the the remaining buffer size before comparing the size with the
expected length of the descriptor.
This lead to possible failure in reading the SuperSpeed endpoint companion
descriptor of the last endpoint, displaying a message like:
"No SuperSpeed endpoint companion for config 1 interface 0 altsetting 0
ep 129: using minimum values"
Fix it by decreasing the size after comparing it.
Also finish all the SS endpoint companion parsing before calling SSP isoc
endpoint parsing function.
Fixes: b37d83a6a4
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fix potential out-of-bounds write to urb->transfer_buffer
usbip handles network communication directly in the kernel. When receiving a
packet from its peer, usbip code parses headers according to protocol. As
part of this parsing urb->actual_length is filled. Since the input for
urb->actual_length comes from the network, it should be treated as untrusted.
Any entity controlling the network may put any value in the input and the
preallocated urb->transfer_buffer may not be large enough to hold the data.
Thus, the malicious entity is able to write arbitrary data to kernel memory.
Signed-off-by: Ignat Korchagin <ignat.korchagin@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
A couple fixes for the new SuperSpeedPlus that went
in during this merge window. Also two minor fixes
for dwc3 (one for setting endpoint naming correctly
and another to improve time spent in our reset
sequence) and an old bug fix on Atmel UDC which was
disabling endpoints when it shouldn't.
There's also a build breakage fix to the qcom phy
driver and a fix to the f_midi gadget to avoid a
race condition with f_midi_transmit().
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJW+64KAAoJEIaOsuA1yqRE4GIP/jjyMQct/zUKhmYwc4HHh0e5
cBN30H8hv6d7vz24ilxw6xOCfwOgr2YQKFh7i6hSORhP1yKc7orlx8M8QXqhvGbB
nCWvCSpNyNQTQUM3D42Ty71mVNBumQvDdSUDtBoEit/t8VxzoYvIz/7TZquKCAoG
R+nSb4grFWurFi61EgszOFm3/w37S0XDUfHkjIwuJWkUGTn2x1UpPef7ALzilDeg
WNKCC7ZMJa4pXBWcpjof6OE3slKB0/5Qqb5j5mHcL+BQ2uvQdN5LW3rxSfJiFDBQ
DNxuHhwScXk1oWrs6bwAPbbSdyNJo+1KfIpMqIQAgCsVh4O+ANLU5g5JQwHDdEUy
lPRzRTOQT1Cowmh/yV8VA47UX7sx9kz3qU1uGJRbVKzgW/k9TzkOU7RlN2UU5R/Y
VbDripDMnZqf8oraDMWClbpLX48hrb456tEjqigE4baiqEc5qY8nj+FfO2QVjluS
fOMPFiQbLFwD5w7CXT+i9HzgR/hHVS1CoYc7mHP52+YRF9GUd3LZYmAL+UND864D
aS+6NzgVMvSAvJDYPzhtLo7dzkEnjs6l8rl2yHlkiMg0i/V2G5vq1r1f6SgnVyZR
UrSollFuIuI2G/PdemM0aHmJZ+MerbiNxq0Rf14cJqJPuRRbXtcuZGyb3m/3vdMJ
2In8/60pWpw6fYj2iSeH
=cLYy
-----END PGP SIGNATURE-----
Merge tag 'fixes-for-v4.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus
Felipe writes:
usb: fixes for v4.6-rc2
A couple fixes for the new SuperSpeedPlus that went
in during this merge window. Also two minor fixes
for dwc3 (one for setting endpoint naming correctly
and another to improve time spent in our reset
sequence) and an old bug fix on Atmel UDC which was
disabling endpoints when it shouldn't.
There's also a build breakage fix to the qcom phy
driver and a fix to the f_midi gadget to avoid a
race condition with f_midi_transmit().
We should try to trigger automount *before* bailing out on negative dentry.
Reported-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
Reported-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
Reported-by: Arend van Spriel <arend@broadcom.com>
Tested-by: Arend van Spriel <arend@broadcom.com>
Tested-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
We need to have the WWN fully initialized before addig default groups to it,
so add a new method to add these groups after the WWN has been initialized.
Also remove the default groups in the core while we're at it.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
The iSCSI targets wants to add a default group, for which we need to
have the list of default groups initialized previously.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Instead we can clean up the list of default ACLs in core code.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Now the rdma core offers a QP draining service in v4.6-rc1,
use it instead of our own.
Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Reported-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
If a directory has a large number of empty blocks, iterating over all
of them can take a long time, leading to scheduler warnings and users
getting irritated when they can't kill a process in the middle of one
of these long-running readdir operations. Fix this by adding checks to
ext4_readdir() and ext4_htree_fill_tree().
Reported-by: Benjamin LaHaise <bcrl@kvack.org>
Google-Bug-Id: 27880676
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Shuah Khan