| Age | Commit message (Collapse) | Author |
|---|
|
User-Mode Linux supplies an alternate TTY_MAJOR driver for stdio console,
so the noctty check in tty_open() must apply only to VT driver tty0
devnode and not the UML console driver tty0 devnode.
Fixes: 11e1d4aa4da1 ("tty: Consolidate noctty checks in tty_open()")
Reported-by: Richard Weinberger <richard.weinberger@gmail.com>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Telit LE910 V2 is a mobile broadband card with no ARP capabilities:
the patch makes this device to use wwan_noarp_info struct
Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Reviewed-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Commit 4dffbfc48d65 ("arm64/efi: mark UEFI reserved regions as
MEMBLOCK_NOMAP") updated the mapping logic of both the RuntimeServices
regions as well as the kernel's copy of the UEFI memory map to set the
MEMBLOCK_NOMAP flag, which causes these regions to be omitted from the
kernel direct mapping, and from being covered by a struct page.
For the RuntimeServices regions, this is an obvious win, since the contents
of these regions have significance to the firmware executable code itself,
and are mapped in the EFI page tables using attributes that are described in
the UEFI memory map, and which may differ from the attributes we use for
mapping system RAM. It also prevents the contents from being modified
inadvertently, since the EFI page tables are only live during runtime
service invocations.
None of these concerns apply to the allocation that covers the UEFI memory
map, since it is entirely owned by the kernel. Setting the MEMBLOCK_NOMAP on
the region did allow us to use ioremap_cache() to map it both on arm64 and
on ARM, since the latter does not allow ioremap_cache() to be used on
regions that are covered by a struct page.
The ioremap_cache() on ARM restriction will be lifted in the v4.7 timeframe,
but in the mean time, it has been reported that commit 4dffbfc48d65 causes
a regression on 64k granule kernels. This is due to the fact that, given
the 64 KB page size, the region that we end up removing from the kernel
direct mapping is rounded up to 64 KB, and this 64 KB page frame may be
shared with the initrd when booting via GRUB (which does not align its
EFI_LOADER_DATA allocations to 64 KB like the stub does). This will crash
the kernel as soon as it tries to access the initrd.
Since the issue is specific to arm64, revert back to memblock_reserve()'ing
the UEFI memory map when running on arm64. This is a temporary fix for v4.5
and v4.6, and will be superseded in the v4.7 timeframe when we will be able
to move back to memblock_reserve() unconditionally.
Fixes: 4dffbfc48d65 ("arm64/efi: mark UEFI reserved regions as MEMBLOCK_NOMAP")
Reported-by: Mark Salter <msalter@redhat.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Jeremy Linton <jeremy.linton@arm.com>
Cc: Mark Langsdorf <mlangsdo@redhat.com>
Cc: <stable@vger.kernel.org> # v4.5
Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
|
|
Commit 55cd48c821de ("net: fec: stop the "rcv is not +last, " error
messages") introduces a write to a register that does not exist in
Coldfire.
Move the FEC_FTRL register access inside the FEC_QUIRK_HAS_RACC 'if' block,
so that we guarantee it will not be used on Coldfire CPUs.
Reported-by: Greg Ungerer <gerg@uclinux.org>
Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
The mvneta is also used in some Marvell berlin family SoCs which may
have 64bytes cacheline size. Replace the MVNETA_CPU_D_CACHE_LINE_SIZE
usage with L1_CACHE_BYTES.
And since dma_alloc_coherent() is always cacheline size aligned, so
remove the align checks.
Signed-off-by: Jisheng Zhang <jszhang@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
The mvpp2 ip maybe used in SoCs which may have have 64bytes cacheline
size. Replace the MVPP2_CPU_D_CACHE_LINE_SIZE with L1_CACHE_BYTES.
And since dma_alloc_coherent() is always cacheline size aligned, so
remove the align checks.
Signed-off-by: Jisheng Zhang <jszhang@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Some of the vendor-specific bootloaders set up this part
of the initialization for us, so this was never added.
However, since upstream bootloaders don't initialize the
chip specifically, they leave the fiber MII's PDOWN flag
set, which means that the CPU port doesn't connect.
This patch checks whether this flag has been clear prior
by something else, and if not make us clear it.
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
Tested-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Add versions of the phy_page_read and _write functions to
be used in a context where the SMI mutex is held.
Tested-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Reviewed-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Use dma_request_chan instead of dma_request_slave_channel,
in this case we can check EPROBE_DEFER without static
warning.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
|
|
API"
Extending the lifetime of the media_device struct is not handled well
by the core, as it will erase some data from the struct, when
media_device_cleanup() is called after unregistering it.
While we have a fixup patch for it already, the usage of those new
functions are needed only when we share data with other drivers.
So, better to revert the changes.
This reverts commit 182dde7c5d4c ("[media] media: au0828 change
to use Managed Media Controller API")
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
The au0828 dev_state is actually a bit mask. It should not be
checking with "==" but, instead, with a logic and. There are some
places where it was doing it wrong.
Fix that by replacing the dev_state set/clear/test with the
bitops.
As reviewed by Shuah:
"Looks good. Tested running bind/unbind au0828 loop for 1000 times.
Didn't see any problems and the v4l2_querycap() problem has been
fixed with this patch.
After the above test, ran bind/unbind snd_usb_audio 1000 times.
Didn't see any problems. Generated media graph and the graph
looks good."
Cc: stable@vger.kernel.org
Reviewed-by: Shuah Khan <shuahkh@osg.samsung.com>
Tested-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
au0828_v4l2_close() check for dev_state == DEV_DISCONNECTED will fail to
detect the device disconnected state correctly, if au0828_v4l2_open() runs
to set the DEV_INITIALIZED bit. A loop test of bind/unbind found this bug
by increasing the likelihood of au0828_v4l2_open() occurring while unbind
is in progress. When au0828_v4l2_close() fails to detect that the device
is in disconnect state, it attempts to power down the device and fails with
the following general protection fault:
[ 260.992962] Call Trace:
[ 260.993008] [<ffffffffa0f80f0f>] ? xc5000_sleep+0x8f/0xd0 [xc5000]
[ 260.993095] [<ffffffffa0f6803c>] ? fe_standby+0x3c/0x50 [tuner]
[ 260.993186] [<ffffffffa0ef541c>] au0828_v4l2_close+0x53c/0x620 [au0828]
[ 260.993298] [<ffffffffa0d08ec0>] v4l2_release+0xf0/0x210 [videodev]
[ 260.993382] [<ffffffff81570f9c>] __fput+0x1fc/0x6c0
[ 260.993449] [<ffffffff815714ce>] ____fput+0xe/0x10
[ 260.993519] [<ffffffff8116eb83>] task_work_run+0x133/0x1f0
[ 260.993602] [<ffffffff810035d0>] exit_to_usermode_loop+0x140/0x170
[ 260.993681] [<ffffffff810061ca>] syscall_return_slowpath+0x16a/0x1a0
[ 260.993754] [<ffffffff82835fb3>] entry_SYSCALL_64_fastpath+0xa6/0xa8
Cc: stable@vger.kernel.org
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
Fix to clear enable/disable/change source handlers in the media device
when media device is unregistered in au0828_unregister_media_device().
When au0828 module is removed, snd-usb-audio shouldn't call the handlers.
Clearing will ensure snd-usb-audio won't call them once au0828 is removed.
[mchehab@osg.samsung.com: fix a compilation breakage]
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
A previous patch removing dtv_demod needed to be rebased,
but the hunk removing the data was not merged by mistake.
Fixes: 840f5b0572ea ('media: au0828 disable tuner to demod link in au0828_media_device_register()']
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
|
For au0828_enable_source() to work, the tuner links should be
disabled and the tuner/decoder should be cached at au0828 struct.
While here, put dev->decoder cache together with dev->tuner, as
it makes easier to drop both latter if/when we move the enable
routines to the V4L2 core.
Fixes: 9822f4173f84 ('[media] au0828: use v4l2_mc_create_media_graph()')
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Reviewed-by: Shuah Khan <shuahkh@osg.samsung.com>
Tested-by: Shuah Khan <shuahkh@osg.samsung.com>
|
|
Xiao Ni reported below crash:
[26396.335146] BUG: unable to handle kernel NULL pointer dereference at 00000000000002a8
[26396.342990] IP: [<ffffffffa0425b00>] super_written+0x20/0x80 [md_mod]
[26396.349449] PGD 0
[26396.351468] Oops: 0002 [#1] SMP
[26396.354898] Modules linked in: ext4 mbcache jbd2 raid456 async_raid6_recov async_memcpy async_pq async_xor xor async_td
[26396.408404] CPU: 5 PID: 3261 Comm: loop0 Not tainted 4.5.0 #1
[26396.414140] Hardware name: Dell Inc. PowerEdge R715/0G2DP3, BIOS 3.2.2 09/15/2014
[26396.421608] task: ffff8808339be680 ti: ffff8808365f4000 task.ti: ffff8808365f4000
[26396.429074] RIP: 0010:[<ffffffffa0425b00>] [<ffffffffa0425b00>] super_written+0x20/0x80 [md_mod]
[26396.437952] RSP: 0018:ffff8808365f7c38 EFLAGS: 00010046
[26396.443252] RAX: ffffffffa0425ae0 RBX: ffff8804336a7900 RCX: ffffe8f9f7b41198
[26396.450371] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8804336a7900
[26396.457489] RBP: ffff8808365f7c50 R08: 0000000000000005 R09: 00001801e02ce3d7
[26396.464608] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
[26396.471728] R13: ffff8808338d9a00 R14: 0000000000000000 R15: ffff880833f9fe00
[26396.478849] FS: 00007f9e5066d740(0000) GS:ffff880237b40000(0000) knlGS:0000000000000000
[26396.486922] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[26396.492656] CR2: 00000000000002a8 CR3: 00000000019ea000 CR4: 00000000000006e0
[26396.499775] Stack:
[26396.501781] ffff8804336a7900 0000000000000000 0000000000000000 ffff8808365f7c68
[26396.509199] ffffffff81308cd0 ffff8804336a7900 ffff8808365f7ca8 ffffffff81310637
[26396.516618] 00000000a0233a00 ffff880833f9fe00 0000000000000000 ffff880833fb0000
[26396.524038] Call Trace:
[26396.526485] [<ffffffff81308cd0>] bio_endio+0x40/0x60
[26396.531529] [<ffffffff81310637>] blk_update_request+0x87/0x320
[26396.537439] [<ffffffff8131a20a>] blk_mq_end_request+0x1a/0x70
[26396.543261] [<ffffffff81313889>] blk_flush_complete_seq+0xd9/0x2a0
[26396.549517] [<ffffffff81313ccf>] flush_end_io+0x15f/0x240
[26396.554993] [<ffffffff8131a22a>] blk_mq_end_request+0x3a/0x70
[26396.560815] [<ffffffff8131a314>] __blk_mq_complete_request+0xb4/0xe0
[26396.567246] [<ffffffff8131a35c>] blk_mq_complete_request+0x1c/0x20
[26396.573506] [<ffffffffa04182df>] loop_queue_work+0x6f/0x72c [loop]
[26396.579764] [<ffffffff81697844>] ? __schedule+0x2b4/0x8f0
[26396.585242] [<ffffffff810a7812>] kthread_worker_fn+0x52/0x170
[26396.591065] [<ffffffff810a77c0>] ? kthread_create_on_node+0x1a0/0x1a0
[26396.597582] [<ffffffff810a7238>] kthread+0xd8/0xf0
[26396.602453] [<ffffffff810a7160>] ? kthread_park+0x60/0x60
[26396.607929] [<ffffffff8169bdcf>] ret_from_fork+0x3f/0x70
[26396.613319] [<ffffffff810a7160>] ? kthread_park+0x60/0x60
md_super_write() and corresponding md_super_wait() generally are called
with reconfig_mutex locked, which prevents disk disappears. There is one
case this rule is broken. write_sb_page of bitmap.c doesn't hold the
mutex. next_active_rdev does increase rdev reference, but it decreases
the reference too early (eg, before IO finish). disk can disappear at
the window. We unconditionally increase rdev reference in
md_super_write() to avoid the race.
Reported-and-tested-by: Xiao Ni <xni@redhat.com>
Reviewed-by: Neil Brown <neilb@suse.de>
Signed-off-by: Shaohua Li <shli@fb.com>
|
|
Fix a trivial typo in md_ioctl().
Signed-off-by: Wei Fang <fangwei1@huawei.com>
Signed-off-by: Shaohua Li <shli@fb.com>
|
|
If first_bad == this_sector when we get the WriteMostly disk
in read_balance(), valid disk will be returned with zero
max_sectors. It'll lead to a dead loop in make_request(), and
OOM will happen because of endless allocation of struct bio.
Since we can't get data from this disk in this case, so
continue for another disk.
Signed-off-by: Wei Fang <fangwei1@huawei.com>
Signed-off-by: Shaohua Li <shli@fb.com>
|
|
The driver can be crashed with devices that expose crafted descriptors
with too few endpoints.
See: http://seclists.org/bugtraq/2016/Mar/61
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
[johan: fix OOB endpoint check and add error messages ]
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
An attack using missing endpoints exists.
CVE-2016-3137
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
An attack using the lack of sanity checking in probe is known. This
patch checks for the existence of a second port.
CVE-2016-3136
Signed-off-by: Oliver Neukum <ONeukum@suse.com>
CC: stable@vger.kernel.org
[johan: add error message ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
The utilization update hook in the intel_pstate driver is set too
early, as it only should be set after the policy has been fully
initialized by the core. That may cause intel_pstate_update_util()
to use incorrect data and put the CPUs into incorrect P-states as
a result.
To prevent that from happening, make intel_pstate_set_policy() set
the utilization update hook instead of intel_pstate_init_cpu() so
intel_pstate_update_util() only runs when all things have been
initialized as appropriate.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net-queue
Jeff Kirsher says:
====================
Intel Wired LAN Driver Updates 2016-03-29
This series contains fixes to ixgbe and ixgbevf.
Tushar fixes an issue which was introduced with an earlier commit, where
hardware register RAR0 default MAC address does not get set properly.
Alex fixes two issues, first being the VXLAN port number should be stored
in network order instead of in host order. The second fix corrects the ATR
code to handle IPv6 extension headers. The issue was ATR code was assuming
that it would be able to use tcp_hdr for every TCP frame that came through,
but that is not the case, which resulted in bad filters being setup.
Mark fixes a use of usleep_range() to udelay() in the case where a lock
is being held.
Stefan fixes the offline self tests where ndo_stop() should be used instead
of ndo_close(), which causes IFF_UP to be cleared and interface routes get
removed.
Emil fixes the error case where we need to return an error when a MAC
address change is rejected by the PF. This helps prevent the user from
modifying the MAC address when the operation is not permitted.
Sridhar provides three fixes for ixgbe, all dealing with traffic class
offload handling.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio
Pull GPIO fixes from Linus Walleij:
"Here are two GPIO fixes for the v4.6 series, both in drivers:
- Prevent NULL dereference in the Xgene driver
- Fix an uninitialized spinlock in the menz127 driver"
* tag 'gpio-v4.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
gpio: xgene: Prevent NULL pointer dereference
gpio: menz127: Drop lock field from struct men_z127_gpio
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm
Pull nvdimm mcsafe_memcpy use from Dan Williams:
"Now that mcsafe_memcpy() has landed, and the return value was been
clarified in commit cbf8b5a2b649 ("x86/mm, x86/mce: Fix return
type/value for memcpy_mcsafe()"), let's hook up its primary usage in
the pmem driver.
The compilation problems from the initial posting have been fixed,
this has appeared in a -next release with no reported issues, and it
picked up an ack from Ingo. There is no pressing need to merge this
in 4.6- rc2. However, if we wait until 4.7 the new memcpy_mcsafe()
capability will ship without a user in 4.6-final"
* 'libnvdimm-for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
x86, pmem: use memcpy_mcsafe() for memcpy_from_pmem()
|
|
For this SoC the register offsets changed from previous versions to be
separated by a larger amount.
Signed-off-by: Matthew McClintock <mmcclint@codeaurora.org>
Acked-by: Björn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
|
|
Without this, we would fail to set the mode to gpio if trying to
configure for that mode
Signed-off-by: Matthew McClintock <mmcclint@codeaurora.org>
Acked-by: Björn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
|
|
This should have been bumped to 100 when the extra pins
were added in the original pinctrl patch
Signed-off-by: Matthew McClintock <mmcclint@codeaurora.org>
Acked-by: Björn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
|
|
imx doesn't have any functions for setting the gamma table, so this is
completely defunct.
Not nice to lie to userspace, so let's stop!
Cc: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
|
|
Just as the function ipu_dmfc_config_wait4eot() tells, the DMFC wait4eot bit
depends on the number of DMFC slots to be used, so it should be called after
the slots are determined in the function ipu_dmfc_alloc_bandwidth().
Based on tests, this patch may eliminate display distortion issue on overlay
plane with small resolutions. To reproduce the issue, we may run this drm
modetest case - 'modetest -P 19:64x64'.
Signed-off-by: Liu Ying <gnuiyl@gmail.com>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
|
|
The function name 'ipu_dmfc_config_wait4eot' matches the implementation of
the function better than 'ipu_dmfc_init_channel', since it only touches the
wait4eot bits.
Signed-off-by: Liu Ying <gnuiyl@gmail.com>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
|
|
Since the function ipu_dmfc_init_channel() always returns zero, we may
change the return type to void to simplify the code.
Signed-off-by: Liu Ying <gnuiyl@gmail.com>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
|
|
To avoid race condition issue, we should protect the function
ipu_dmfc_init_channel() with the mutex dmfc->priv->mutex, since it
configures the register DMFC_GENERAL1 at runtime which contains
several control bits for various display channels. This matches
better with fine grained locking logic in upper layer.
Signed-off-by: Liu Ying <gnuiyl@gmail.com>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
|
|
The IMX dw_hdmi driver just called platform_set_drvdata() to get
your hopes up that maybe, somehow, you'd be able to retrieve the 'struct
imx_hdmi' from a pointer to the 'struct device'. You can't. When
we call dw_hdmi_bind() the main driver calls dev_set_drvdata(), which
clobbers our setting.
Let's just remove the platform_set_drvdata() to avoid dashing people's
hopes.
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
|
|
The drm_encoder_cleanup() was missing both from the error path of
dw_hdmi_imx_bind(). This caused a crash when slub_debug was
enabled and we ended up deferring probe of HDMI at boot.
This call isn't needed from unbind() because if dw_hdmi_bind() returns
no error then it takes over the job of freeing the encoder (in
dw_hdmi_unbind).
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
|
|
The driver already advertises multi-planar YUV support, but
previously the U/V offset and stride setup was missing.
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
|
|
The IPU addresses multiplanar formats using a base address and relative
offsets for the secondary planes. Since those offsets must be positive
and not too large, and none of the plane parameters except the base address
may be changed while scanout is active, store the pitches and u/v offsets
and check all values against IDMAC limitations.
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
|
|
Let ipu_cpmem_set_yuv_planar_full take a DRM_FORMAT instead of a
V4L2_PIXFMT and allow better control over U/V stride, U offset and
V offset settings in the CPMEM.
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
|
|
Pull up was reported as pull down and vice versa. Fix this.
Fixes: 8f1774a2a971 "pinctrl: nomadik: improve GPIO debug prints"
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
|
|
The SPICE protocol considers the position of a cursor to be the location
of its active pixel on the display, so the cursor is drawn with its
top-left corner at "(x - hot_spot_x, y - hot_spot_y)" but the DRM cursor
position gives the location where the top-left corner should be drawn,
with the hotspot being a hint for drivers that need it.
This fixes the location of the window resize cursors when using Fluxbox
with the QXL DRM driver and both the QXL and modesetting X drivers.
Signed-off-by: John Keeping <john@metanate.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: stable@vger.kernel.org
Link: http://patchwork.freedesktop.org/patch/msgid/1447845445-2116-1-git-send-email-john@metanate.com
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
|
|
commit b37d83a6a414 ("usb: Parse the new USB 3.1 SuperSpeedPlus Isoc
endpoint companion descriptor") caused a regression in 4.6-rc1 and fails
to parse SuperSpeed endpoint companion descriptors.
The new SuperSpeedPlus Isoc endpoint companion parsing code incorrectly
decreased the the remaining buffer size before comparing the size with the
expected length of the descriptor.
This lead to possible failure in reading the SuperSpeed endpoint companion
descriptor of the last endpoint, displaying a message like:
"No SuperSpeed endpoint companion for config 1 interface 0 altsetting 0
ep 129: using minimum values"
Fix it by decreasing the size after comparing it.
Also finish all the SS endpoint companion parsing before calling SSP isoc
endpoint parsing function.
Fixes: b37d83a6a414
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Fix potential out-of-bounds write to urb->transfer_buffer
usbip handles network communication directly in the kernel. When receiving a
packet from its peer, usbip code parses headers according to protocol. As
part of this parsing urb->actual_length is filled. Since the input for
urb->actual_length comes from the network, it should be treated as untrusted.
Any entity controlling the network may put any value in the input and the
preallocated urb->transfer_buffer may not be large enough to hold the data.
Thus, the malicious entity is able to write arbitrary data to kernel memory.
Signed-off-by: Ignat Korchagin <ignat.korchagin@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
We need to have the WWN fully initialized before addig default groups to it,
so add a new method to add these groups after the WWN has been initialized.
Also remove the default groups in the core while we're at it.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
|
|
The iSCSI targets wants to add a default group, for which we need to
have the list of default groups initialized previously.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
|
|
Instead we can clean up the list of default ACLs in core code.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
|
|
Now the rdma core offers a QP draining service in v4.6-rc1,
use it instead of our own.
Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Reported-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
|
|
To report flow control tx/rx settings accurately regardless of autoneg
setting, we should use link_info->req_flow_ctrl. Before this patch,
the reported settings were only correct when autoneg was on.
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
The typo caused the wrong flow control bit to be set.
Reported by: Ajit Khaparde <ajit.khaparde@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
The size of every padded firmware message is specified in the first
HWRM_VER_GET response message. Use this value to pad every message
after that.
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
The existing code does the following:
allocate completion ring
initialize completion ring doorbell
disable interrupts on this completion ring by writing to the doorbell
We can have a race where firmware sends an asynchronous event to the host
after completion ring allocation and before doorbell is initialized.
When this happens driver can crash while ringing the doorbell using
uninitialized value as part of handling the IRQ/napi request.
Signed-off-by: Prashant Sreedharan <prashant.sreedharan@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
