1. 21 Nov, 2019 17 commits
    • Input: synaptics-rmi4 - do not consume more data than we have (F11, F12) · fbe9849f
      Andrew Duggan committed
      commit 5d40d95e7e64756cc30606c2ba169271704d47cb upstream.
      
      Currently, rmi_f11_attention() and rmi_f12_attention() functions update
      the attn_data data pointer and size based on the size of the expected
      size of the attention data. However, if the actual valid data in the
      attn buffer is less than the expected value then the updated data
      pointer will point to memory beyond the end of the attn buffer. Using
      the calculated valid_bytes instead will prevent this from happening.
      Signed-off-by: Andrew Duggan <aduggan@synaptics.com>
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/r/20191025002527.3189-3-aduggan@synaptics.com
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Input: synaptics-rmi4 - disable the relative position IRQ in the F12 driver · 924a8f2c
      Andrew Duggan committed
      commit f6aabe1ff1d9d7bad0879253011216438bdb2530 upstream.
      
      This patch fixes an issue seen on HID touchpads which report finger
      positions using RMI4 Function 12. The issue manifests itself as
      spurious button presses as described in:
      https://www.spinics.net/lists/linux-input/msg58618.html
      
      Commit 24d28e4f ("Input: synaptics-rmi4 - convert irq distribution
      to irq_domain") switched the RMI4 driver to using an irq_domain to handle
      RMI4 function interrupts. Functions with more than one interrupt now have
      each interrupt mapped to their own IRQ and IRQ handler. The result of
      this change is that the F12 IRQ handler was now getting called twice. Once
      for the absolute data interrupt and once for the relative data interrupt.
      For HID devices, calling rmi_f12_attention() a second time causes the
      attn_data data pointer and size to be set incorrectly. When the touchpad
      button is pressed, F30 will generate an interrupt and attempt to read the
      F30 data from the invalid attn_data data pointer and report incorrect
      button events.
      
      This patch disables the F12 relative interrupt which prevents
      rmi_f12_attention() from being called twice.
      Signed-off-by: Andrew Duggan <aduggan@synaptics.com>
      Reported-by: Simon Wood <simon@mungewell.org>
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/r/20191025002527.3189-2-aduggan@synaptics.com
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Input: synaptics-rmi4 - fix video buffer size · 8e347aa4
      Lucas Stach committed
      commit 003f01c780020daa9a06dea1db495b553a868c29 upstream.
      
      The video buffer used by the queue is a vb2_v4l2_buffer, not a plain
      vb2_buffer. Using the wrong type causes the allocation of the buffer
      storage to be too small, causing an out-of-bounds write when
      __init_vb2_v4l2_buffer initializes the buffer.
      Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
      Fixes: 3a762dbd ("[media] Input: synaptics-rmi4 - add support for F54 diagnostics")
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/r/20191104114454.10500-1-l.stach@pengutronix.de
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Input: ff-memless - kill timer in destroy() · c0223081
      Oliver Neukum committed
      commit fa3a5a1880c91bb92594ad42dfe9eedad7996b86 upstream.
      
      No timer must be left running when the device goes away.
      Signed-off-by: Oliver Neukum <oneukum@suse.com>
      Reported-and-tested-by: syzbot+b6c55daa701fc389e286@syzkaller.appspotmail.com
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/r/1573726121.17351.3.camel@suse.com
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Btrfs: fix log context list corruption after rename exchange operation · 47d06a15
      Filipe Manana committed
      commit e6c617102c7e4ac1398cb0b98ff1f0727755b520 upstream.
      
      During rename exchange we might have successfully logged the new name in the
      source root's log tree, in which case we leave our log context (allocated
      on stack) in the root's list of log contexts. However we might fail to
      log the new name in the destination root, in which case we fall back to
      a transaction commit later and never sync the log of the source root,
      which causes the source root log context to remain in the list of log
      contexts. This later causes invalid memory accesses because the context
      was allocated on stack and after rename exchange finishes the stack gets
      reused and overwritten for other purposes.
      
      The kernel's linked list corruption detector (CONFIG_DEBUG_LIST=y) can
      detect this and report something like the following:
      
        [  691.489929] ------------[ cut here ]------------
        [  691.489947] list_add corruption. prev->next should be next (ffff88819c944530), but was ffff8881c23f7be4. (prev=ffff8881c23f7a38).
        [  691.489967] WARNING: CPU: 2 PID: 28933 at lib/list_debug.c:28 __list_add_valid+0x95/0xe0
        (...)
        [  691.489998] CPU: 2 PID: 28933 Comm: fsstress Not tainted 5.4.0-rc6-btrfs-next-62 #1
        [  691.490001] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014
        [  691.490003] RIP: 0010:__list_add_valid+0x95/0xe0
        (...)
        [  691.490007] RSP: 0018:ffff8881f0b3faf8 EFLAGS: 00010282
        [  691.490010] RAX: 0000000000000000 RBX: ffff88819c944530 RCX: 0000000000000000
        [  691.490011] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffffa2c497e0
        [  691.490013] RBP: ffff8881f0b3fe68 R08: ffffed103eaa4115 R09: ffffed103eaa4114
        [  691.490015] R10: ffff88819c944000 R11: ffffed103eaa4115 R12: 7fffffffffffffff
        [  691.490016] R13: ffff8881b4035610 R14: ffff8881e7b84728 R15: 1ffff1103e167f7b
        [  691.490019] FS:  00007f4b25ea2e80(0000) GS:ffff8881f5500000(0000) knlGS:0000000000000000
        [  691.490021] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        [  691.490022] CR2: 00007fffbb2d4eec CR3: 00000001f2a4a004 CR4: 00000000003606e0
        [  691.490025] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        [  691.490027] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        [  691.490029] Call Trace:
        [  691.490058]  btrfs_log_inode_parent+0x667/0x2730 [btrfs]
        [  691.490083]  ? join_transaction+0x24a/0xce0 [btrfs]
        [  691.490107]  ? btrfs_end_log_trans+0x80/0x80 [btrfs]
        [  691.490111]  ? dget_parent+0xb8/0x460
        [  691.490116]  ? lock_downgrade+0x6b0/0x6b0
        [  691.490121]  ? rwlock_bug.part.0+0x90/0x90
        [  691.490127]  ? do_raw_spin_unlock+0x142/0x220
        [  691.490151]  btrfs_log_dentry_safe+0x65/0x90 [btrfs]
        [  691.490172]  btrfs_sync_file+0x9f1/0xc00 [btrfs]
        [  691.490195]  ? btrfs_file_write_iter+0x1800/0x1800 [btrfs]
        [  691.490198]  ? rcu_read_lock_any_held.part.11+0x20/0x20
        [  691.490204]  ? __do_sys_newstat+0x88/0xd0
        [  691.490207]  ? cp_new_stat+0x5d0/0x5d0
        [  691.490218]  ? do_fsync+0x38/0x60
        [  691.490220]  do_fsync+0x38/0x60
        [  691.490224]  __x64_sys_fdatasync+0x32/0x40
        [  691.490228]  do_syscall_64+0x9f/0x540
        [  691.490233]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
        [  691.490235] RIP: 0033:0x7f4b253ad5f0
        (...)
        [  691.490239] RSP: 002b:00007fffbb2d6078 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
        [  691.490242] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f4b253ad5f0
        [  691.490244] RDX: 00007fffbb2d5fe0 RSI: 00007fffbb2d5fe0 RDI: 0000000000000003
        [  691.490245] RBP: 000000000000000d R08: 0000000000000001 R09: 00007fffbb2d608c
        [  691.490247] R10: 00000000000002e8 R11: 0000000000000246 R12: 00000000000001f4
        [  691.490248] R13: 0000000051eb851f R14: 00007fffbb2d6120 R15: 00005635a498bda0
      
      This started happening recently when running some test cases from fstests
      like btrfs/004 for example, because support for rename exchange was added
      last week to fsstress from fstests.
      
      So fix this by deleting the log context for the source root from the list
      if we have logged the new name in the source root.
      Reported-by: Su Yue <Damenly_Su@gmx.com>
      Fixes: d4682ba0 ("Btrfs: sync log after logging new name")
      CC: stable@vger.kernel.org # 4.19+
      Tested-by: Su Yue <Damenly_Su@gmx.com>
      Signed-off-by: Filipe Manana <fdmanana@suse.com>
      Signed-off-by: David Sterba <dsterba@suse.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: usb-audio: Fix incorrect size check for processing/extension units · f2465526
      Takashi Iwai committed
      commit 976a68f06b2ea49e2ab67a5f84919a8b105db8be upstream.
      
      The recently introduced unit descriptor validation had a bug for
      processing and extension units: it counts a bControlSize byte twice so
      it expected a bigger size than it should have been.  This seems to
      result in a probe error on a few devices.
      
      Fix the calculation for proper checks of PU and EU.
      
      Fixes: 57f8770620e9 ("ALSA: usb-audio: More validations of descriptor units")
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20191114165613.7422-1-tiwai@suse.de
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: usb-audio: Fix incorrect NULL check in create_yamaha_midi_quirk() · 420433f6
      Takashi Iwai committed
      commit cc9dbfa9707868fb0ca864c05e0c42d3f4d15cf2 upstream.
      
      The commit 60849562a5db ("ALSA: usb-audio: Fix possible NULL
      dereference at create_yamaha_midi_quirk()") added NULL checks in
      create_yamaha_midi_quirk(), but there was an oversight.  The code
      allows either injd or outjd to be NULL, but the second if check
      returned -ENODEV if any of them is NULL.  Fix it in a proper
      form.
      
      Fixes: 60849562a5db ("ALSA: usb-audio: Fix possible NULL dereference at create_yamaha_midi_quirk()")
      Reported-by: Pavel Machek <pavel@denx.de>
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20191113111259.24123-1-tiwai@suse.de
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: usb-audio: not submit urb for stopped endpoint · ab2ee429
      Henry Lin committed
      commit 528699317dd6dc722dccc11b68800cf945109390 upstream.
      
      While output urb's snd_complete_urb() is executing, calling
      prepare_outbound_urb() may cause the endpoint to be stopped before
      prepare_outbound_urb() returns and result in the next urb being submitted
      to a stopped endpoint. The usb-audio driver cannot re-use it afterwards as
      the urb is still held by the usb stack.
      
      This change checks EP_FLAG_RUNNING flag after prepare_outbound_urb() again
      to let snd_complete_urb() know the endpoint already stopped and does not
      submit next urb. Below kind of error will be fixed:
      
      [  213.153103] usb 1-2: timeout: still 1 active urbs on EP #1
      [  213.164121] usb 1-2: cannot submit urb 0, error -16: unknown error
      Signed-off-by: Henry Lin <henryl@nvidia.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20191113021420.13377-1-henryl@nvidia.com
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: usb-audio: Fix missing error check at mixer resolution test · a2c763cd
      Takashi Iwai committed
      commit 167beb1756791e0806365a3f86a0da10d7a327ee upstream.
      
      A check of the return value from get_cur_mix_raw() is missing at the
      resolution test code in get_min_max_with_quirks(), which may leave the
      variable untouched, leading to a random uninitialized value, as
      detected by syzkaller fuzzer.
      
      Add the missing return error check for fixing that.
      
      Reported-and-tested-by: syzbot+abe1ab7afc62c6bb6377@syzkaller.appspotmail.com
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20191109181658.30368-1-tiwai@suse.de
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • slip: Fix memory leak in slip_open error path · edc47103
      Jouni Hogander committed
      [ Upstream commit 3b5a39979dafea9d0cd69c7ae06088f7a84cdafa ]
      
      Driver/net/can/slcan.c is derived from slip.c. Memory leak was detected
      by Syzkaller in slcan. Same issue exists in slip.c and this patch is
      addressing the leak in slip.c.
      
      Here is the slcan memory leak trace reported by Syzkaller:
      
      BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
        comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
        hex dump (first 32 bytes):
          73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
        backtrace:
          [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0
          [<0000000083306e66>] kvmalloc_node+0x3a/0xc0
          [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080
          [<0000000061a996c9>] slcan_open+0x3ae/0x9a0
          [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0
          [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0
          [<000000004de5a617>] tty_ioctl+0x48d/0x1590
          [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510
          [<0000000059068dbc>] ksys_ioctl+0x99/0xb0
          [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0
          [<0000000053d0332e>] do_syscall_64+0x16f/0x580
          [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
          [<000000008ea75434>] 0xfffffffffffffff
      
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Oliver Hartkopp <socketcan@hartkopp.net>
      Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
      Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules · 4cd50a31
      Aleksander Morgado committed
      [ Upstream commit 802753cb0b141cf5170ab97fe7e79f5ca10d06b0 ]
      
      These are the Foxconn-branded variants of the Dell DW5821e modules,
      same USB layout as those.
      
      The QMI interface is exposed in USB configuration #1:
      
      P:  Vendor=0489 ProdID=e0b4 Rev=03.18
      S:  Manufacturer=FII
      S:  Product=T77W968 LTE
      S:  SerialNumber=0123456789ABCDEF
      C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      I:  If#=0x1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
      I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
      Acked-by: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: gemini: add missed free_netdev · 0a772b2a
      Chuhong Yuan committed
      [ Upstream commit 18d647ae74116bfee38953978501cea2960a0c25 ]
      
      This driver forgets to free allocated netdev in remove like
      what is done in probe failure.
      Add the free to fix it.
      Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
      Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ipmr: Fix skb headroom in ipmr_get_route(). · 66daa057
      Guillaume Nault committed
      [ Upstream commit 7901cd97963d6cbde88fa25a4a446db3554c16c6 ]
      
      In route.c, inet_rtm_getroute_build_skb() creates an skb with no
      headroom. This skb is then used by inet_rtm_getroute() which may pass
      it to rt_fill_info() and, from there, to ipmr_get_route(). The latter
      might try to reuse this skb by cloning it and prepending an IPv4
      header. But since the original skb has no headroom, skb_push() triggers
      skb_under_panic():
      
      skbuff: skb_under_panic: text:00000000ca46ad8a len:80 put:20 head:00000000cd28494e data:000000009366fd6b tail:0x3c end:0xec0 dev:veth0
      ------------[ cut here ]------------
      kernel BUG at net/core/skbuff.c:108!
      invalid opcode: 0000 [#1] SMP KASAN PTI
      CPU: 6 PID: 587 Comm: ip Not tainted 5.4.0-rc6+ #1
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
      RIP: 0010:skb_panic+0xbf/0xd0
      Code: 41 a2 ff 8b 4b 70 4c 8b 4d d0 48 c7 c7 20 76 f5 8b 44 8b 45 bc 48 8b 55 c0 48 8b 75 c8 41 54 41 57 41 56 41 55 e8 75 dc 7a ff <0f> 0b 0f 1f 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00
      RSP: 0018:ffff888059ddf0b0 EFLAGS: 00010286
      RAX: 0000000000000086 RBX: ffff888060a315c0 RCX: ffffffff8abe4822
      RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88806c9a79cc
      RBP: ffff888059ddf118 R08: ffffed100d9361b1 R09: ffffed100d9361b0
      R10: ffff88805c68aee3 R11: ffffed100d9361b1 R12: ffff88805d218000
      R13: ffff88805c689fec R14: 000000000000003c R15: 0000000000000ec0
      FS:  00007f6af184b700(0000) GS:ffff88806c980000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007ffc8204a000 CR3: 0000000057b40006 CR4: 0000000000360ee0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       skb_push+0x7e/0x80
       ipmr_get_route+0x459/0x6fa
       rt_fill_info+0x692/0x9f0
       inet_rtm_getroute+0xd26/0xf20
       rtnetlink_rcv_msg+0x45d/0x630
       netlink_rcv_skb+0x1a5/0x220
       rtnetlink_rcv+0x15/0x20
       netlink_unicast+0x305/0x3a0
       netlink_sendmsg+0x575/0x730
       sock_sendmsg+0xb5/0xc0
       ___sys_sendmsg+0x497/0x4f0
       __sys_sendmsg+0xcb/0x150
       __x64_sys_sendmsg+0x48/0x50
       do_syscall_64+0xd2/0xac0
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Actually the original skb used to have enough headroom, but the
      reserve_skb() call was lost with the introduction of
      inet_rtm_getroute_build_skb() by commit 404eb77e ("ipv4: support
      sport, dport and ip_proto in RTM_GETROUTE").
      
      We could reserve some headroom again in inet_rtm_getroute_build_skb(),
      but this function shouldn't be responsible for handling the special
      case of ipmr_get_route(). Let's handle that directly in
      ipmr_get_route() by calling skb_realloc_headroom() instead of
      skb_clone().
      
      Fixes: 404eb77e ("ipv4: support sport, dport and ip_proto in RTM_GETROUTE")
      Signed-off-by: Guillaume Nault <gnault@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ax88172a: fix information leak on short answers · 20beeb30
      Oliver Neukum committed
      [ Upstream commit a9a51bd727d141a67b589f375fe69d0e54c4fe22 ]
      
      If a malicious device gives a short MAC it can elicit up to
      5 bytes of leaked memory out of the driver. We need to check for
      ETH_ALEN instead.
      
      Reported-by: syzbot+a8d4acdad35e6bbca308@syzkaller.appspotmail.com
      Signed-off-by: Oliver Neukum <oneukum@suse.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • scsi: core: Handle drivers which set sg_tablesize to zero · c4a0f567
      Michael Schmitz committed
      commit 9393c8de628cf0968d81a17cc11841e42191e041 upstream.
      
      In scsi_mq_setup_tags(), cmd_size is calculated based on zero size for the
      scatter-gather list in case the low level driver uses SG_NONE in its host
      template.
      
      cmd_size is passed on to the block layer for calculation of the request
      size, and we've seen NULL pointer dereference errors from the block layer
      in drivers where SG_NONE is used and a mq IO scheduler is active,
      apparently as a consequence of this (see commit 68ab2d76 ("scsi:
      cxlflash: Set sg_tablesize to 1 instead of SG_NONE"), and a recent patch by
      Finn Thain converting the three m68k NFR5380 drivers to avoid setting
      SG_NONE).
      
      Try to avoid these errors by accounting for at least one sg list entry when
      calculating cmd_size, regardless of whether the low level driver set a zero
      sg_tablesize.
      
      Tested on 030 m68k with the atari_scsi driver - setting sg_tablesize to
      SG_NONE no longer results in a crash when loading this driver.
      
      CC: Finn Thain <fthain@telegraphics.com.au>
      Link: https://lore.kernel.org/r/1572922150-4358-1-git-send-email-schmitzmic@gmail.com
      Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • MIPS: BCM63XX: fix switch core reset on BCM6368 · 81adf034
      Jonas Gorski committed
      commit 8a38dacf87180738d42b058334c951eba15d2d47 upstream.
      
      The Ethernet Switch core mask was set to 0, causing the switch core to
      be not reset on BCM6368 on boot. Provide the proper mask so the switch
      core gets reset to a known good state.
      
      Fixes: 799faa62 ("MIPS: BCM63XX: add core reset helper")
      Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
      Signed-off-by: Paul Burton <paul.burton@mips.com>
      Cc: linux-mips@vger.kernel.org
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: James Hogan <jhogan@kernel.org>
      Cc: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • KVM: x86: introduce is_pae_paging · dbf1ef2d
      Paolo Bonzini committed
      [ Upstream commit bf03d4f9334728bf7c8ffc7de787df48abd6340e ]
      
      Checking for 32-bit PAE is quite common around code that fiddles with
      the PDPTRs.  Add a function to compress all checks into a single
      invocation.
      
      Moving to the common helper also fixes a subtle bug in kvm_set_cr3()
      where it fails to check is_long_mode() and results in KVM incorrectly
      attempting to load PDPTRs for a 64-bit guest.
      Reviewed-by: Sean Christopherson <sean.j.christopherson@intel.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      [sean: backport to 4.x; handle vmx.c split in 5.x, call out the bugfix]
      Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
      Acked-by: Paolo Bonzini <pbonzini@redhat.com>
      Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
  2. 13 Nov, 2019 23 commits