1. 05 Jun, 2018 8 commits
    • Kees Cook's avatar
      device: Use overflow helpers for devm_kmalloc() · 2509b561
      Kees Cook authored
      Use the overflow helpers both in existing multiplication-using inlines as
      well as the addition-overflow case in the core allocation routine.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      2509b561
    • Kees Cook's avatar
      mm: Use overflow helpers in kvmalloc() · 3b3b1a29
      Kees Cook authored
      Instead of open-coded multiplication and bounds checking, use the new
      overflow helper. Additionally prepare for vmalloc() users to add
      array_size()-family helpers in the future.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      3b3b1a29
    • Kees Cook's avatar
      mm: Use overflow helpers in kmalloc_array*() · 49b7f898
      Kees Cook authored
      Instead of open-coded multiplication and bounds checking, use the new
      overflow helper.
      Suggested-by: default avatarRasmus Villemoes <linux@rasmusvillemoes.dk>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      49b7f898
    • Kees Cook's avatar
      test_overflow: Add memory allocation overflow tests · ca90800a
      Kees Cook authored
      Make sure that the memory allocators are behaving as expected in the face
      of overflows of multiplied arguments or when using the array_size()-family
      helpers.
      
      Example output of new tests (with the expected __alloc_pages_slowpath
      and vmalloc warnings about refusing giant allocations removed):
      
      [   93.062076] test_overflow: kmalloc detected saturation
      [   93.062988] test_overflow: kmalloc_node detected saturation
      [   93.063818] test_overflow: kzalloc detected saturation
      [   93.064539] test_overflow: kzalloc_node detected saturation
      [   93.120386] test_overflow: kvmalloc detected saturation
      [   93.143458] test_overflow: kvmalloc_node detected saturation
      [   93.166861] test_overflow: kvzalloc detected saturation
      [   93.189924] test_overflow: kvzalloc_node detected saturation
      [   93.221671] test_overflow: vmalloc detected saturation
      [   93.246326] test_overflow: vmalloc_node detected saturation
      [   93.270260] test_overflow: vzalloc detected saturation
      [   93.293824] test_overflow: vzalloc_node detected saturation
      [   93.294597] test_overflow: devm_kmalloc detected saturation
      [   93.295383] test_overflow: devm_kzalloc detected saturation
      [   93.296217] test_overflow: all tests passed
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      ca90800a
    • Kees Cook's avatar
      overflow.h: Add allocation size calculation helpers · 610b15c5
      Kees Cook authored
      In preparation for replacing unchecked overflows for memory allocations,
      this creates helpers for the 3 most common calculations:
      
      array_size(a, b): 2-dimensional array
      array3_size(a, b, c): 3-dimensional array
      struct_size(ptr, member, n): struct followed by n-many trailing members
      
      Each of these return SIZE_MAX on overflow instead of wrapping around.
      
      (Additionally renames a variable named "array_size" to avoid future
      collision.)
      Co-developed-by: default avatarMatthew Wilcox <mawilcox@microsoft.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      610b15c5
    • Kees Cook's avatar
      test_overflow: Report test failures · 8fee81aa
      Kees Cook authored
      This adjusts the overflow test to report failures, and prepares to
      add allocation tests.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      8fee81aa
    • Rasmus Villemoes's avatar
      test_overflow: macrofy some more, do more tests for free · 6d334432
      Rasmus Villemoes authored
      Obviously a+b==b+a and a*b==b*a, but the implementation of the fallback
      checks are not entirely symmetric in how they treat a and b. So we might
      as well check the (b,a,r,of) tuple as well as the (a,b,r,of) one for +
      and *. Rather than more copy-paste, factor out the common part to
      check_one_op.
      Signed-off-by: default avatarRasmus Villemoes <linux@rasmusvillemoes.dk>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      6d334432
    • Rasmus Villemoes's avatar
      lib: add runtime test of check_*_overflow functions · 455a35a6
      Rasmus Villemoes authored
      This adds a small module for testing that the check_*_overflow
      functions work as expected, whether implemented in C or using gcc
      builtins.
      
      Example output:
      
      test_overflow: u8 : 18 tests
      test_overflow: s8 : 19 tests
      test_overflow: u16: 17 tests
      test_overflow: s16: 17 tests
      test_overflow: u32: 17 tests
      test_overflow: s32: 17 tests
      test_overflow: u64: 17 tests
      test_overflow: s64: 21 tests
      Signed-off-by: default avatarRasmus Villemoes <linux@rasmusvillemoes.dk>
      [kees: add output to commit log, drop u64 tests on 32-bit]
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      455a35a6
  2. 31 May, 2018 1 commit
    • Rasmus Villemoes's avatar
      compiler.h: enable builtin overflow checkers and add fallback code · f0907827
      Rasmus Villemoes authored
      This adds wrappers for the __builtin overflow checkers present in gcc
      5.1+ as well as fallback implementations for earlier compilers. It's not
      that easy to implement the fully generic __builtin_X_overflow(T1 a, T2
      b, T3 *d) in macros, so the fallback code assumes that T1, T2 and T3 are
      the same. We obviously don't want the wrappers to have different
      semantics depending on $GCC_VERSION, so we also insist on that even when
      using the builtins.
      
      There are a few problems with the 'a+b < a' idiom for checking for
      overflow: For signed types, it relies on undefined behaviour and is
      not actually complete (it doesn't check underflow;
      e.g. INT_MIN+INT_MIN == 0 isn't caught). Due to type promotion it
      is wrong for all types (signed and unsigned) narrower than
      int. Similarly, when a and b does not have the same type, there are
      subtle cases like
      
        u32 a;
      
        if (a + sizeof(foo) < a)
          return -EOVERFLOW;
        a += sizeof(foo);
      
      where the test is always false on 64 bit platforms. Add to that that it
      is not always possible to determine the types involved at a glance.
      
      The new overflow.h is somewhat bulky, but that's mostly a result of
      trying to be type-generic, complete (e.g. catching not only overflow
      but also signed underflow) and not relying on undefined behaviour.
      
      Linus is of course right [1] that for unsigned subtraction a-b, the
      right way to check for overflow (underflow) is "b > a" and not
      "__builtin_sub_overflow(a, b, &d)", but that's just one out of six cases
      covered here, and included mostly for completeness.
      
      So is it worth it? I think it is, if nothing else for the documentation
      value of seeing
      
        if (check_add_overflow(a, b, &d))
          return -EGOAWAY;
        do_stuff_with(d);
      
      instead of the open-coded (and possibly wrong and/or incomplete and/or
      UBsan-tickling)
      
        if (a+b < a)
          return -EGOAWAY;
        do_stuff_with(a+b);
      
      While gcc does recognize the 'a+b < a' idiom for testing unsigned add
      overflow, it doesn't do nearly as good for unsigned multiplication
      (there's also no single well-established idiom). So using
      check_mul_overflow in kcalloc and friends may also make gcc generate
      slightly better code.
      
      [1] https://lkml.org/lkml/2015/11/2/658Signed-off-by: default avatarRasmus Villemoes <linux@rasmusvillemoes.dk>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      f0907827
  3. 07 May, 2018 1 commit
  4. 06 May, 2018 7 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 701e39d0
      Linus Torvalds authored
      Pll KVM fixes from Radim Krčmář:
       "ARM:
         - Fix proxying of GICv2 CPU interface accesses
         - Fix crash when switching to BE
         - Track source vcpu git GICv2 SGIs
         - Fix an outdated bit of documentation
      
        x86:
         - Speed up injection of expired timers (for stable)"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: x86: remove APIC Timer periodic/oneshot spikes
        arm64: vgic-v2: Fix proxying of cpuif access
        KVM: arm/arm64: vgic_init: Cleanup reference to process_maintenance
        KVM: arm64: Fix order of vcpu_write_sys_reg() arguments
        KVM: arm/arm64: vgic: Fix source vcpu issues for GICv2 SGI
      701e39d0
    • Linus Torvalds's avatar
      Merge tag 'iommu-fixes-v4.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 772d4f84
      Linus Torvalds authored
      Pull iommu fixes from Joerg Roedel:
      
       - fix a compile warning in the AMD IOMMU driver with irq remapping
         disabled
      
       - fix for VT-d interrupt remapping and invalidation size (caused a
         BUG_ON when trying to invalidate more than 4GB)
      
       - build fix and a regression fix for broken graphics with old DTS for
         the rockchip iommu driver
      
       - a revert in the PCI window reservation code which fixes a regression
         with VFIO.
      
      * tag 'iommu-fixes-v4.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu: rockchip: fix building without CONFIG_OF
        iommu/vt-d: Use WARN_ON_ONCE instead of BUG_ON in qi_flush_dev_iotlb()
        iommu/vt-d: fix shift-out-of-bounds in bug checking
        iommu/dma: Move PCI window region reservation back into dma specific path.
        iommu/rockchip: Make clock handling optional
        iommu/amd: Hide unused iommu_table_lock
        iommu/vt-d: Fix usage of force parameter in intel_ir_reconfigure_irte()
      772d4f84
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 9c48eb6a
      Linus Torvalds authored
      Pull x86 fix from Thomas Gleixner:
       "Unbreak the CPUID CPUID_8000_0008_EBX reload which got dropped when
        the evaluation of physical and virtual bits which uses the same CPUID
        leaf was moved out of get_cpu_cap()"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/cpu: Restore CPUID_8000_0008_EBX reload
      9c48eb6a
    • Linus Torvalds's avatar
      Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · fe282c60
      Linus Torvalds authored
      Pull clocksource fixes from Thomas Gleixner:
       "The recent addition of the early TSC clocksource breaks on machines
        which have an unstable TSC because in case that TSC is disabled, then
        the clocksource selection logic falls back to the early TSC which is
        obviously bogus.
      
        That also unearthed a few robustness issues in the clocksource
        derating code which are addressed as well"
      
      * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        clocksource: Rework stale comment
        clocksource: Consistent de-rate when marking unstable
        x86/tsc: Fix mark_tsc_unstable()
        clocksource: Initialize cs->wd_list
        clocksource: Allow clocksource_mark_unstable() on unregistered clocksources
        x86/tsc: Always unregister clocksource_tsc_early
      fe282c60
    • Linus Torvalds's avatar
      Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 03b5f0c1
      Linus Torvalds authored
      Pull irq fix from Thomas Gleixner:
       "A single fix to prevent false positives in the spurious interrupt
        detector when more than a single demultiplex register is evaluated in
        the Qualcom irq combiner driver"
      
      * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        irqchip/qcom: Fix check for spurious interrupts
      03b5f0c1
    • Linus Torvalds's avatar
      Merge tag 'platform-drivers-x86-v4.17-2' of git://git.infradead.org/linux-platform-drivers-x86 · ee946c36
      Linus Torvalds authored
      Pull x86 platform driver fixes from Darren Hart:
      
       - We missed a case in the Dell config dependencies resulting in a
         possible bad configuration, resolve it by giving up on trying to keep
         DELL_LAPTOP visible in the menu and make it depend on DELL_SMBIOS.
      
       - Fix a null pointer dereference at module unload for the asus-wireless
         driver.
      
      * tag 'platform-drivers-x86-v4.17-2' of git://git.infradead.org/linux-platform-drivers-x86:
        platform/x86: Kconfig: Fix dell-laptop dependency chain.
        platform/x86: asus-wireless: Fix NULL pointer dereference
      ee946c36
    • Linus Torvalds's avatar
      Merge tag 'usb-4.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 8e95cb33
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are some USB driver fixes for 4.17-rc4.
      
        The majority of them are some USB gadget fixes that missed my last
        pull request. The "largest" patch in here is a fix for the old visor
        driver that syzbot found 6 months or so ago and I finally remembered
        to fix it.
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'usb-4.17-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        Revert "usb: host: ehci: Use dma_pool_zalloc()"
        usb: typec: tps6598x: handle block reads separately with plain-I2C adapters
        usb: typec: tcpm: Release the role mux when exiting
        USB: Accept bulk endpoints with 1024-byte maxpacket
        xhci: Fix use-after-free in xhci_free_virt_device
        USB: serial: visor: handle potential invalid device configuration
        USB: serial: option: adding support for ublox R410M
        usb: musb: trace: fix NULL pointer dereference in musb_g_tx()
        usb: musb: host: fix potential NULL pointer dereference
        usb: gadget: composite Allow for larger configuration descriptors
        usb: dwc3: gadget: Fix list_del corruption in dwc3_ep_dequeue
        usb: dwc3: gadget: dwc3_gadget_del_and_unmap_request() can be static
        usb: dwc2: pci: Fix error return code in dwc2_pci_probe()
        usb: dwc2: WA for Full speed ISOC IN in DDMA mode.
        usb: dwc2: dwc2_vbus_supply_init: fix error check
        usb: gadget: f_phonet: fix pn_net_xmit()'s return type
      8e95cb33
  5. 05 May, 2018 15 commits
    • Anthoine Bourgeois's avatar
      KVM: x86: remove APIC Timer periodic/oneshot spikes · ecf08dad
      Anthoine Bourgeois authored
      Since the commit "8003c9ae: add APIC Timer periodic/oneshot mode VMX
      preemption timer support", a Windows 10 guest has some erratic timer
      spikes.
      
      Here the results on a 150000 times 1ms timer without any load:
      	  Before 8003c9ae | After 8003c9ae
      Max           1834us          |  86000us
      Mean          1100us          |   1021us
      Deviation       59us          |    149us
      Here the results on a 150000 times 1ms timer with a cpu-z stress test:
      	  Before 8003c9ae | After 8003c9ae
      Max          32000us          | 140000us
      Mean          1006us          |   1997us
      Deviation      140us          |  11095us
      
      The root cause of the problem is starting hrtimer with an expiry time
      already in the past can take more than 20 milliseconds to trigger the
      timer function.  It can be solved by forward such past timers
      immediately, rather than submitting them to hrtimer_start().
      In case the timer is periodic, update the target expiration and call
      hrtimer_start with it.
      
      v2: Check if the tsc deadline is already expired. Thank you Mika.
      v3: Execute the past timers immediately rather than submitting them to
      hrtimer_start().
      v4: Rearm the periodic timer with advance_periodic_target_expiration() a
      simpler version of set_target_expiration(). Thank you Paolo.
      
      Cc: Mika Penttilä <mika.penttila@nextfour.com>
      Cc: Wanpeng Li <kernellwp@gmail.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAnthoine Bourgeois <anthoine.bourgeois@blade-group.com>
      8003c9ae ("KVM: LAPIC: add APIC Timer periodic/oneshot mode VMX preemption timer support")
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      ecf08dad
    • Radim Krčmář's avatar
      Merge tag 'kvmarm-fixes-for-4.17-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm · f3351c60
      Radim Krčmář authored
      KVM/arm fixes for 4.17, take #2
      
      - Fix proxying of GICv2 CPU interface accesses
      - Fix crash when switching to BE
      - Track source vcpu git GICv2 SGIs
      - Fix an outdated bit of documentation
      f3351c60
    • Linus Torvalds's avatar
      Merge tag 'kbuild-fixes-v4.17' of... · c1c07416
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - remove state comment in modpost
      
       - extend MAINTAINERS entry to cover modpost and more makefiles
      
       - fix missed building of SANCOV gcc-plugin
      
       - replace left-over 'bison' with $(YACC)
      
       - display short log when generating parer of genksyms
      
      * tag 'kbuild-fixes-v4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        genksyms: fix typo in parse.tab.{c,h} generation rules
        kbuild: replace hardcoded bison in cmd_bison_h with $(YACC)
        gcc-plugins: fix build condition of SANCOV plugin
        MAINTAINERS: Update Kbuild entry with a few paths
        modpost: delete stale comment
      c1c07416
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · 4a7a7729
      Linus Torvalds authored
      Pull clk fixes froom Stephen Boyd:
       "A handful of fixes for the stm32mp1 clk driver came in during the
        merge window for the driver that got merged in the merge window.
      
        Plus a warning fix for unused PM ops and a couple fixes for the meson
        clk driver clk names that went unnoticed with the regmap rework.
      
        There's also another fix in here for the mux rounding flag which
        wasn't doing what it said it did, but now it does"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: meson: meson8b: fix meson8b_cpu_clk parent clock name
        clk: meson: meson8b: fix meson8b_fclk_div3_div clock name
        clk: meson: drop meson_aoclk_gate_regmap_ops
        clk: meson: honor CLK_MUX_ROUND_CLOSEST in clk_regmap
        clk: honor CLK_MUX_ROUND_CLOSEST in generic clk mux
        clk: cs2000: mark resume function as __maybe_unused
        clk: stm32mp1: remove ck_apb_dbg clock
        clk: stm32mp1: set stgen_k clock as critical
        clk: stm32mp1: add missing tzc2 clock
        clk: stm32mp1: fix SAI3 & SAI4 clocks
        clk: stm32mp1: remove unused dfsdm_src[] const
        clk: stm32mp1: add missing static
      4a7a7729
    • Linus Torvalds's avatar
      Merge tag 'rproc-v4.17-1' of git://github.com/andersson/remoteproc · f9331473
      Linus Torvalds authored
      Pull remoteproc and rpmsg fixes from Bjorn Andersson:
      
       - fix screw-up when reversing boolean for rproc_stop()
      
       - add missing OF node refcounting dereferences
      
       - add missing MODULE_ALIAS in rpmsg_char
      
      * tag 'rproc-v4.17-1' of git://github.com/andersson/remoteproc:
        rpmsg: added MODULE_ALIAS for rpmsg_char
        remoteproc: qcom: Fix potential device node leaks
        remoteproc: fix crashed parameter logic on stop call
      f9331473
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-for-v4.17-rc4' of git://people.freedesktop.org/~airlied/linux · c12fd0fe
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "vmwgfx, i915, vc4, vga dac fixes.
      
        This seems eerily quiet, so I expect it will explode next week or
        something.
      
        One i915 model firmware, two vmwgfx fixes, one vc4 fix and one bridge
        leak fix"
      
      * tag 'drm-fixes-for-v4.17-rc4' of git://people.freedesktop.org/~airlied/linux:
        drm/bridge: vga-dac: Fix edid memory leak
        drm/vc4: Make sure vc4_bo_{inc,dec}_usecnt() calls are balanced
        drm/i915/glk: Add MODULE_FIRMWARE for Geminilake
        drm/vmwgfx: Fix a buffer object leak
        drm/vmwgfx: Clean up fbdev modeset locking
      c12fd0fe
    • Linus Torvalds's avatar
      Merge tag 'trace-v4.17-rc1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 4b293907
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
       "Some of the files in the tracing directory show file mode 0444 when
        they are writable by root. To fix the confusion, they should be 0644.
        Note, either case root can still write to them.
      
        Zhengyuan asked why I never applied that patch (the first one is from
        2014!). I simply forgot about it. /me lowers head in shame"
      
      * tag 'trace-v4.17-rc1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing: Fix the file mode of stack tracer
        ftrace: Have set_graph_* files have normal file modes
      4b293907
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · eb4f959b
      Linus Torvalds authored
      Pull rdma fixes from Doug Ledford:
       "This is our first pull request of the rc cycle. It's not that it's
        been overly quiet, we were just waiting on a few things before sending
        this off.
      
        For instance, the 6 patch series from Intel for the hfi1 driver had
        actually been pulled in on Tuesday for a Wednesday pull request, only
        to have Jason notice something I missed, so we held off for some
        testing, and then on Thursday had to respin the series because the
        very first patch needed a minor fix (unnecessary cast is all).
      
        There is a sizable hns patch series in here, as well as a reasonably
        largish hfi1 patch series, then all of the lines of uapi updates are
        just the change to the new official Linux-OpenIB SPDX tag (a bunch of
        our files had what amounts to a BSD-2-Clause + MIT Warranty statement
        as their license as a result of the initial code submission years ago,
        and the SPDX folks decided it was unique enough to warrant a unique
        tag), then the typical mlx4 and mlx5 updates, and finally some cxgb4
        and core/cache/cma updates to round out the bunch.
      
        None of it was overly large by itself, but in the 2 1/2 weeks we've
        been collecting patches, it has added up :-/.
      
        As best I can tell, it's been through 0day (I got a notice about my
        last for-next push, but not for my for-rc push, but Jason seems to
        think that failure messages are prioritized and success messages not
        so much). It's also been through linux-next. And yes, we did notice in
        the context portion of the CMA query gid fix patch that there is a
        dubious BUG_ON() in the code, and have plans to audit our BUG_ON usage
        and remove it anywhere we can.
      
        Summary:
      
         - Various build fixes (USER_ACCESS=m and ADDR_TRANS turned off)
      
         - SPDX license tag cleanups (new tag Linux-OpenIB)
      
         - RoCE GID fixes related to default GIDs
      
         - Various fixes to: cxgb4, uverbs, cma, iwpm, rxe, hns (big batch),
           mlx4, mlx5, and hfi1 (medium batch)"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: (52 commits)
        RDMA/cma: Do not query GID during QP state transition to RTR
        IB/mlx4: Fix integer overflow when calculating optimal MTT size
        IB/hfi1: Fix memory leak in exception path in get_irq_affinity()
        IB/{hfi1, rdmavt}: Fix memory leak in hfi1_alloc_devdata() upon failure
        IB/hfi1: Fix NULL pointer dereference when invalid num_vls is used
        IB/hfi1: Fix loss of BECN with AHG
        IB/hfi1 Use correct type for num_user_context
        IB/hfi1: Fix handling of FECN marked multicast packet
        IB/core: Make ib_mad_client_id atomic
        iw_cxgb4: Atomically flush per QP HW CQEs
        IB/uverbs: Fix kernel crash during MR deregistration flow
        IB/uverbs: Prevent reregistration of DM_MR to regular MR
        RDMA/mlx4: Add missed RSS hash inner header flag
        RDMA/hns: Fix a couple misspellings
        RDMA/hns: Submit bad wr
        RDMA/hns: Update assignment method for owner field of send wqe
        RDMA/hns: Adjust the order of cleanup hem table
        RDMA/hns: Only assign dqpn if IB_QP_PATH_DEST_QPN bit is set
        RDMA/hns: Remove some unnecessary attr_mask judgement
        RDMA/hns: Only assign mtu if IB_QP_PATH_MTU bit is set
        ...
      eb4f959b
    • Linus Torvalds's avatar
      Merge tag 'for-linus-20180504' of git://git.kernel.dk/linux-block · 2f50037a
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "A collection of fixes that should to into this release. This contains:
      
         - Set of bcache fixes from Coly, fixing regression in patches that
           went into this series.
      
         - Set of NVMe fixes by way of Keith.
      
         - Set of bdi related fixes, one from Jan and two from Tetsuo Handa,
           fixing various issues around device addition/removal.
      
         - Two block inflight fixes from Omar, fixing issues around the
           transition to using tags for blk-mq inflight accounting that we
           did a few releases ago"
      
      * tag 'for-linus-20180504' of git://git.kernel.dk/linux-block:
        bdi: Fix oops in wb_workfn()
        nvmet: switch loopback target state to connecting when resetting
        nvme/multipath: Fix multipath disabled naming collisions
        nvme/multipath: Disable runtime writable enabling parameter
        nvme: Set integrity flag for user passthrough commands
        nvme: fix potential memory leak in option parsing
        bdi: Fix use after free bug in debugfs_remove()
        bdi: wake up concurrent wb_shutdown() callers.
        bcache: use pr_info() to inform duplicated CACHE_SET_IO_DISABLE set
        bcache: set dc->io_disable to true in conditional_stop_bcache_device()
        bcache: add wait_for_kthread_stop() in bch_allocator_thread()
        bcache: count backing device I/O error for writeback I/O
        bcache: set CACHE_SET_IO_DISABLE in bch_cached_dev_error()
        bcache: store disk name in struct cache and struct cached_dev
        blk-mq: fix sysfs inflight counter
        blk-mq: count allocated but not started requests in iostats inflight
      2f50037a
    • Linus Torvalds's avatar
      Merge tag 'xfs-4.17-fixes-2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · 2e171ffc
      Linus Torvalds authored
      Pull xfs fixes from Darrick Wong:
       "I've got one more bug fix for xfs for 4.17-rc4, which caps the amount
        of data we try to handle in one dedupe request so that userspace can't
        livelock the kernel.
      
        This series has been run through a full xfstests run during the week
        and through a quick xfstests run against this morning's master, with
        no ajor failures reported.
      
        Summary:
      
        - Cap the maximum length of a deduplication request at MAX_RW_COUNT/2
          to avoid kernel livelock due to excessively large IO requests"
      
      * tag 'xfs-4.17-fixes-2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: cap the length of deduplication requests
      2e171ffc
    • Linus Torvalds's avatar
      Merge tag 'for-4.17-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 4148d388
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "Two regression fixes and one fix for stable"
      
      * tag 'for-4.17-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        Btrfs: send, fix missing truncate for inode with prealloc extent past eof
        btrfs: Take trans lock before access running trans in check_delayed_ref
        btrfs: Fix wrong first_key parameter in replace_path
      4148d388
    • Mauro Rossi's avatar
      genksyms: fix typo in parse.tab.{c,h} generation rules · 0da7e432
      Mauro Rossi authored
      'quet' is replaced by 'quiet' in scripts/genksyms/Makefile
      Signed-off-by: default avatarMauro Rossi <issor.oruam@gmail.com>
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      0da7e432
    • Masahiro Yamada's avatar
      kbuild: replace hardcoded bison in cmd_bison_h with $(YACC) · d59fbbd0
      Masahiro Yamada authored
      Commit 73a4f6db ("kbuild: add LEX and YACC variables") missed to
      update cmd_bison_h somehow.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      d59fbbd0
    • Masahiro Yamada's avatar
      gcc-plugins: fix build condition of SANCOV plugin · 642ef99b
      Masahiro Yamada authored
      Since commit d677a4d6 ("Makefile: support flag
      -fsanitizer-coverage=trace-cmp"), you miss to build the SANCOV
      plugin under some circumstances.
      
        CONFIG_KCOV=y
        CONFIG_KCOV_ENABLE_COMPARISONS=y
        Your compiler does not support -fsanitize-coverage=trace-pc
        Your compiler does not support -fsanitize-coverage=trace-cmp
      
      Under this condition, $(CFLAGS_KCOV) is not empty but contains a
      space, so the following ifeq-conditional is false.
      
          ifeq ($(CFLAGS_KCOV),)
      
      Then, scripts/Makefile.gcc-plugins misses to add sancov_plugin.so to
      gcc-plugin-y while the SANCOV plugin is necessary as an alternative
      means.
      
      Fixes: d677a4d6 ("Makefile: support flag -fsanitizer-coverage=trace-cmp")
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      642ef99b
    • Rasmus Villemoes's avatar
      MAINTAINERS: Update Kbuild entry with a few paths · 1cd4023b
      Rasmus Villemoes authored
      I managed to send some modpost patches to old addresses of both
      Masahiro and Michal, and omitted linux-kbuild from cc, because my
      tried and trusted scripts/get_maintainer wrapper failed me. Add the
      modpost directory to the MAINTAINERS entry, and while at it make the
      Makefile glob match scripts/Makefile itself, and add one matching the
      Kbuild.include file as well.
      Signed-off-by: default avatarRasmus Villemoes <linux@rasmusvillemoes.dk>
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      1cd4023b
  6. 04 May, 2018 8 commits
    • Greg Kroah-Hartman's avatar
      Merge tag 'usb-serial-4.17-rc4' of... · 6844dc42
      Greg Kroah-Hartman authored
      Merge tag 'usb-serial-4.17-rc4' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus
      
      Johan writes:
      
      USB-serial fixes for v4.17-rc4
      
      Here's a fix for a long-standing issue in the visor driver, which could
      have security implications. Included is also a new modem device id.
      
      Both commits have been in linux-next for a couple of days with no
      reported issues.
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      6844dc42
    • Greg Kroah-Hartman's avatar
      Revert "usb: host: ehci: Use dma_pool_zalloc()" · 43b78f11
      Greg Kroah-Hartman authored
      This reverts commit 22072e83 as it is
      broken.
      
      Alan writes:
      	What you can't see just from reading the patch is that in both
      	cases (ehci->itd_pool and ehci->sitd_pool) there are two
      	allocation paths -- the two branches of an "if" statement -- and
      	only one of the paths calls dma_pool_[z]alloc.  However, the
      	memset is needed for both paths, and so it can't be eliminated.
      	Given that it must be present, there's no advantage to calling
      	dma_pool_zalloc rather than dma_pool_alloc.
      Reported-by: default avatarErick Cafferata <erick@cafferata.me>
      Cc: Alan Stern <stern@rowland.harvard.edu>
      Cc: Souptick Joarder <jrdr.linux@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      43b78f11
    • Mario Limonciello's avatar
      platform/x86: Kconfig: Fix dell-laptop dependency chain. · 7fe3fa3b
      Mario Limonciello authored
      As reported by Randy Dunlap:
      >> WARNING: unmet direct dependencies detected for DELL_SMBIOS
      >>   Depends on [m]: X86 [=y] && X86_PLATFORM_DEVICES [=y]
      >>	&& (DCDBAS [=m] ||
      >> DCDBAS [=m]=n) && (ACPI_WMI [=n] || ACPI_WMI [=n]=n)
      >>   Selected by [y]:
      >>   - DELL_LAPTOP [=y] && X86 [=y] && X86_PLATFORM_DEVICES [=y]
      >> && DMI [=y]
      >> && BACKLIGHT_CLASS_DEVICE [=y] && (ACPI_VIDEO [=n] ||
      >>	ACPI_VIDEO [=n]=n)
      >> && (RFKILL [=n] || RFKILL [=n]=n) && SERIO_I8042 [=y]
      >>
      
      Right now it's possible to set dell laptop to compile in but this
      causes dell-smbios to compile in which breaks if dcdbas is a module.
      
      Dell laptop shouldn't select dell-smbios anymore, but depend on it.
      
      Fixes: 32d7b19b (platform/x86: dell-smbios: Resolve dependency error on DCDBAS)
      Reported-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Signed-off-by: default avatarMario Limonciello <mario.limonciello@dell.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDarren Hart (VMware) <dvhart@infradead.org>
      7fe3fa3b
    • João Paulo Rechi Vita's avatar
      platform/x86: asus-wireless: Fix NULL pointer dereference · 9f0a93de
      João Paulo Rechi Vita authored
      When the module is removed the led workqueue is destroyed in the remove
      callback, before the led device is unregistered from the led subsystem.
      
      This leads to a NULL pointer derefence when the led device is
      unregistered automatically later as part of the module removal cleanup.
      Bellow is the backtrace showing the problem.
      
        BUG: unable to handle kernel NULL pointer dereference at           (null)
        IP: __queue_work+0x8c/0x410
        PGD 0 P4D 0
        Oops: 0000 [#1] SMP NOPTI
        Modules linked in: ccm edac_mce_amd kvm_amd kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 joydev crypto_simd asus_nb_wmi glue_helper uvcvideo snd_hda_codec_conexant snd_hda_codec_generic snd_hda_codec_hdmi snd_hda_intel asus_wmi snd_hda_codec cryptd snd_hda_core sparse_keymap videobuf2_vmalloc arc4 videobuf2_memops snd_hwdep input_leds videobuf2_v4l2 ath9k psmouse videobuf2_core videodev ath9k_common snd_pcm ath9k_hw media fam15h_power ath k10temp snd_timer mac80211 i2c_piix4 r8169 mii mac_hid cfg80211 asus_wireless(-) snd soundcore wmi shpchp 8250_dw ip_tables x_tables amdkfd amd_iommu_v2 amdgpu radeon chash i2c_algo_bit drm_kms_helper syscopyarea serio_raw sysfillrect sysimgblt fb_sys_fops ahci ttm libahci drm video
        CPU: 3 PID: 2177 Comm: rmmod Not tainted 4.15.0-5-generic #6+dev94.b4287e5bem1-Endless
        Hardware name: ASUSTeK COMPUTER INC. X555DG/X555DG, BIOS 5.011 05/05/2015
        RIP: 0010:__queue_work+0x8c/0x410
        RSP: 0018:ffffbe8cc249fcd8 EFLAGS: 00010086
        RAX: ffff992ac6810800 RBX: 0000000000000000 RCX: 0000000000000008
        RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff992ac6400e18
        RBP: ffffbe8cc249fd18 R08: ffff992ac6400db0 R09: 0000000000000000
        R10: 0000000000000040 R11: ffff992ac6400dd8 R12: 0000000000002000
        R13: ffff992abd762e00 R14: ffff992abd763e38 R15: 000000000001ebe0
        FS:  00007f318203e700(0000) GS:ffff992aced80000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000000000000 CR3: 00000001c720e000 CR4: 00000000001406e0
        Call Trace:
         queue_work_on+0x38/0x40
         led_state_set+0x2c/0x40 [asus_wireless]
         led_set_brightness_nopm+0x14/0x40
         led_set_brightness+0x37/0x60
         led_trigger_set+0xfc/0x1d0
         led_classdev_unregister+0x32/0xd0
         devm_led_classdev_release+0x11/0x20
         release_nodes+0x109/0x1f0
         devres_release_all+0x3c/0x50
         device_release_driver_internal+0x16d/0x220
         driver_detach+0x3f/0x80
         bus_remove_driver+0x55/0xd0
         driver_unregister+0x2c/0x40
         acpi_bus_unregister_driver+0x15/0x20
         asus_wireless_driver_exit+0x10/0xb7c [asus_wireless]
         SyS_delete_module+0x1da/0x2b0
         entry_SYSCALL_64_fastpath+0x24/0x87
        RIP: 0033:0x7f3181b65fd7
        RSP: 002b:00007ffe74bcbe18 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
        RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3181b65fd7
        RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000555ea2559258
        RBP: 0000555ea25591f0 R08: 00007ffe74bcad91 R09: 000000000000000a
        R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000003
        R13: 00007ffe74bcae00 R14: 0000000000000000 R15: 0000555ea25591f0
        Code: 01 00 00 02 0f 85 7d 01 00 00 48 63 45 d4 48 c7 c6 00 f4 fa 87 49 8b 9d 08 01 00 00 48 03 1c c6 4c 89 f7 e8 87 fb ff ff 48 85 c0 <48> 8b 3b 0f 84 c5 01 00 00 48 39 f8 0f 84 bc 01 00 00 48 89 c7
        RIP: __queue_work+0x8c/0x410 RSP: ffffbe8cc249fcd8
        CR2: 0000000000000000
        ---[ end trace 7aa4f4a232e9c39c ]---
      
      Unregistering the led device on the remove callback before destroying the
      workqueue avoids this problem.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=196097Reported-by: default avatarDun Hum <bitter.taste@gmx.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJoão Paulo Rechi Vita <jprvita@endlessm.com>
      Signed-off-by: default avatarDarren Hart (VMware) <dvhart@infradead.org>
      9f0a93de
    • Linus Torvalds's avatar
      Merge tag 'for-linus-4.17-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · 625e2001
      Linus Torvalds authored
      Pull xen cleanup from Juergen Gross:
       "One cleanup to remove VLAs from the kernel"
      
      * tag 'for-linus-4.17-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        x86/xen: Remove use of VLAs
      625e2001
    • James Morse's avatar
      arm64: vgic-v2: Fix proxying of cpuif access · b220244d
      James Morse authored
      Proxying the cpuif accesses at EL2 makes use of vcpu_data_guest_to_host
      and co, which check the endianness, which call into vcpu_read_sys_reg...
      which isn't mapped at EL2 (it was inlined before, and got moved OoL
      with the VHE optimizations).
      
      The result is of course a nice panic. Let's add some specialized
      cruft to keep the broken platforms that require this hack alive.
      
      But, this code used vcpu_data_guest_to_host(), which expected us to
      write the value to host memory, instead we have trapped the guest's
      read or write to an mmio-device, and are about to replay it using the
      host's readl()/writel() which also perform swabbing based on the host
      endianness. This goes wrong when both host and guest are big-endian,
      as readl()/writel() will undo the guest's swabbing, causing the
      big-endian value to be written to device-memory.
      
      What needs doing?
      A big-endian guest will have pre-swabbed data before storing, undo this.
      If its necessary for the host, writel() will re-swab it.
      
      For a read a big-endian guest expects to swab the data after the load.
      The hosts's readl() will correct for host endianness, giving us the
      device-memory's value in the register. For a big-endian guest, swab it
      as if we'd only done the load.
      
      For a little-endian guest, nothing needs doing as readl()/writel() leave
      the correct device-memory value in registers.
      
      Tested on Juno with that rarest of things: a big-endian 64K host.
      Based on a patch from Marc Zyngier.
      Reported-by: default avatarSuzuki K Poulose <suzuki.poulose@arm.com>
      Fixes: bf8feb39 ("arm64: KVM: vgic-v2: Add GICV access from HYP")
      Signed-off-by: default avatarJames Morse <james.morse@arm.com>
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      b220244d
    • Valentin Schneider's avatar
      KVM: arm/arm64: vgic_init: Cleanup reference to process_maintenance · c3616a07
      Valentin Schneider authored
      One comment still mentioned process_maintenance operations after
      commit af061499 ("KVM: arm/arm64: vgic: Get rid of unnecessary
      process_maintenance operation")
      
      Update the comment to point to vgic_fold_lr_state instead, which
      is where maintenance interrupts are taken care of.
      Acked-by: default avatarChristoffer Dall <christoffer.dall@arm.com>
      Signed-off-by: default avatarValentin Schneider <valentin.schneider@arm.com>
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      c3616a07
    • James Morse's avatar
      KVM: arm64: Fix order of vcpu_write_sys_reg() arguments · 1975fa56
      James Morse authored
      A typo in kvm_vcpu_set_be()'s call:
      | vcpu_write_sys_reg(vcpu, SCTLR_EL1, sctlr)
      causes us to use the 32bit register value as an index into the sys_reg[]
      array, and sail off the end of the linear map when we try to bring up
      big-endian secondaries.
      
      | Unable to handle kernel paging request at virtual address ffff80098b982c00
      | Mem abort info:
      |  ESR = 0x96000045
      |  Exception class = DABT (current EL), IL = 32 bits
      |   SET = 0, FnV = 0
      |   EA = 0, S1PTW = 0
      | Data abort info:
      |   ISV = 0, ISS = 0x00000045
      |   CM = 0, WnR = 1
      | swapper pgtable: 4k pages, 48-bit VAs, pgdp = 000000002ea0571a
      | [ffff80098b982c00] pgd=00000009ffff8803, pud=0000000000000000
      | Internal error: Oops: 96000045 [#1] PREEMPT SMP
      | Modules linked in:
      | CPU: 2 PID: 1561 Comm: kvm-vcpu-0 Not tainted 4.17.0-rc3-00001-ga912e2261ca6-dirty #1323
      | Hardware name: ARM Juno development board (r1) (DT)
      | pstate: 60000005 (nZCv daif -PAN -UAO)
      | pc : vcpu_write_sys_reg+0x50/0x134
      | lr : vcpu_write_sys_reg+0x50/0x134
      
      | Process kvm-vcpu-0 (pid: 1561, stack limit = 0x000000006df4728b)
      | Call trace:
      |  vcpu_write_sys_reg+0x50/0x134
      |  kvm_psci_vcpu_on+0x14c/0x150
      |  kvm_psci_0_2_call+0x244/0x2a4
      |  kvm_hvc_call_handler+0x1cc/0x258
      |  handle_hvc+0x20/0x3c
      |  handle_exit+0x130/0x1ec
      |  kvm_arch_vcpu_ioctl_run+0x340/0x614
      |  kvm_vcpu_ioctl+0x4d0/0x840
      |  do_vfs_ioctl+0xc8/0x8d0
      |  ksys_ioctl+0x78/0xa8
      |  sys_ioctl+0xc/0x18
      |  el0_svc_naked+0x30/0x34
      | Code: 73620291 604d00b0 00201891 1ab10194 (957a33f8)
      |---[ end trace 4b4a4f9628596602 ]---
      
      Fix the order of the arguments.
      
      Fixes: 8d404c4c ("KVM: arm64: Rewrite system register accessors to read/write functions")
      CC: Christoffer Dall <cdall@cs.columbia.edu>
      Signed-off-by: default avatarJames Morse <james.morse@arm.com>
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      1975fa56