1. 18 Oct, 2017 9 commits
    • Eric Sesterhenn's avatar
      pkcs7: Prevent NULL pointer dereference, since sinfo is not always set. · 68a1fdbb
      Eric Sesterhenn authored
      The ASN.1 parser does not necessarily set the sinfo field,
      this patch prevents a NULL pointer dereference on broken
      input.
      
      Fixes: 99db4435 ("PKCS#7: Appropriately restrict authenticated attributes and content type")
      Signed-off-by: default avatarEric Sesterhenn <eric.sesterhenn@x41-dsec.de>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cc: stable@vger.kernel.org # 4.3+
      68a1fdbb
    • Eric Biggers's avatar
      KEYS: load key flags and expiry time atomically in proc_keys_show() · ab5c69f0
      Eric Biggers authored
      In proc_keys_show(), the key semaphore is not held, so the key ->flags
      and ->expiry can be changed concurrently.  We therefore should read them
      atomically just once.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      ab5c69f0
    • Eric Biggers's avatar
      KEYS: Load key expiry time atomically in keyring_search_iterator() · 9d6c8711
      Eric Biggers authored
      Similar to the case for key_validate(), we should load the key ->expiry
      once atomically in keyring_search_iterator(), since it can be changed
      concurrently with the flags whenever the key semaphore isn't held.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      9d6c8711
    • Eric Biggers's avatar
      KEYS: load key flags and expiry time atomically in key_validate() · 1823d475
      Eric Biggers authored
      In key_validate(), load the flags and expiry time once atomically, since
      these can change concurrently if key_validate() is called without the
      key semaphore held.  And we don't want to get inconsistent results if a
      variable is referenced multiple times.  For example, key->expiry was
      referenced in both 'if (key->expiry)' and in 'if (now.tv_sec >=
      key->expiry)', making it theoretically possible to see a spurious
      EKEYEXPIRED while the expiration time was being removed, i.e. set to 0.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      1823d475
    • David Howells's avatar
      KEYS: don't let add_key() update an uninstantiated key · 60ff5b2f
      David Howells authored
      Currently, when passed a key that already exists, add_key() will call the
      key's ->update() method if such exists.  But this is heavily broken in the
      case where the key is uninstantiated because it doesn't call
      __key_instantiate_and_link().  Consequently, it doesn't do most of the
      things that are supposed to happen when the key is instantiated, such as
      setting the instantiation state, clearing KEY_FLAG_USER_CONSTRUCT and
      awakening tasks waiting on it, and incrementing key->user->nikeys.
      
      It also never takes key_construction_mutex, which means that
      ->instantiate() can run concurrently with ->update() on the same key.  In
      the case of the "user" and "logon" key types this causes a memory leak, at
      best.  Maybe even worse, the ->update() methods of the "encrypted" and
      "trusted" key types actually just dereference a NULL pointer when passed an
      uninstantiated key.
      
      Change key_create_or_update() to wait interruptibly for the key to finish
      construction before continuing.
      
      This patch only affects *uninstantiated* keys.  For now we still allow a
      negatively instantiated key to be updated (thereby positively
      instantiating it), although that's broken too (the next patch fixes it)
      and I'm not sure that anyone actually uses that functionality either.
      
      Here is a simple reproducer for the bug using the "encrypted" key type
      (requires CONFIG_ENCRYPTED_KEYS=y), though as noted above the bug
      pertained to more than just the "encrypted" key type:
      
          #include <stdlib.h>
          #include <unistd.h>
          #include <keyutils.h>
      
          int main(void)
          {
              int ringid = keyctl_join_session_keyring(NULL);
      
              if (fork()) {
                  for (;;) {
                      const char payload[] = "update user:foo 32";
      
                      usleep(rand() % 10000);
                      add_key("encrypted", "desc", payload, sizeof(payload), ringid);
                      keyctl_clear(ringid);
                  }
              } else {
                  for (;;)
                      request_key("encrypted", "desc", "callout_info", ringid);
              }
          }
      
      It causes:
      
          BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
          IP: encrypted_update+0xb0/0x170
          PGD 7a178067 P4D 7a178067 PUD 77269067 PMD 0
          PREEMPT SMP
          CPU: 0 PID: 340 Comm: reproduce Tainted: G      D         4.14.0-rc1-00025-g428490e3 #796
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
          task: ffff8a467a39a340 task.stack: ffffb15c40770000
          RIP: 0010:encrypted_update+0xb0/0x170
          RSP: 0018:ffffb15c40773de8 EFLAGS: 00010246
          RAX: 0000000000000000 RBX: ffff8a467a275b00 RCX: 0000000000000000
          RDX: 0000000000000005 RSI: ffff8a467a275b14 RDI: ffffffffb742f303
          RBP: ffffb15c40773e20 R08: 0000000000000000 R09: ffff8a467a275b17
          R10: 0000000000000020 R11: 0000000000000000 R12: 0000000000000000
          R13: 0000000000000000 R14: ffff8a4677057180 R15: ffff8a467a275b0f
          FS:  00007f5d7fb08700(0000) GS:ffff8a467f200000(0000) knlGS:0000000000000000
          CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
          CR2: 0000000000000018 CR3: 0000000077262005 CR4: 00000000001606f0
          Call Trace:
           key_create_or_update+0x2bc/0x460
           SyS_add_key+0x10c/0x1d0
           entry_SYSCALL_64_fastpath+0x1f/0xbe
          RIP: 0033:0x7f5d7f211259
          RSP: 002b:00007ffed03904c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
          RAX: ffffffffffffffda RBX: 000000003b2a7955 RCX: 00007f5d7f211259
          RDX: 00000000004009e4 RSI: 00000000004009ff RDI: 0000000000400a04
          RBP: 0000000068db8bad R08: 000000003b2a7955 R09: 0000000000000004
          R10: 000000000000001a R11: 0000000000000246 R12: 0000000000400868
          R13: 00007ffed03905d0 R14: 0000000000000000 R15: 0000000000000000
          Code: 77 28 e8 64 34 1f 00 45 31 c0 31 c9 48 8d 55 c8 48 89 df 48 8d 75 d0 e8 ff f9 ff ff 85 c0 41 89 c4 0f 88 84 00 00 00 4c 8b 7d c8 <49> 8b 75 18 4c 89 ff e8 24 f8 ff ff 85 c0 41 89 c4 78 6d 49 8b
          RIP: encrypted_update+0xb0/0x170 RSP: ffffb15c40773de8
          CR2: 0000000000000018
      
      Cc: <stable@vger.kernel.org> # v2.6.12+
      Reported-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cc: Eric Biggers <ebiggers@google.com>
      60ff5b2f
    • David Howells's avatar
      KEYS: Fix race between updating and finding a negative key · 363b02da
      David Howells authored
      Consolidate KEY_FLAG_INSTANTIATED, KEY_FLAG_NEGATIVE and the rejection
      error into one field such that:
      
       (1) The instantiation state can be modified/read atomically.
      
       (2) The error can be accessed atomically with the state.
      
       (3) The error isn't stored unioned with the payload pointers.
      
      This deals with the problem that the state is spread over three different
      objects (two bits and a separate variable) and reading or updating them
      atomically isn't practical, given that not only can uninstantiated keys
      change into instantiated or rejected keys, but rejected keys can also turn
      into instantiated keys - and someone accessing the key might not be using
      any locking.
      
      The main side effect of this problem is that what was held in the payload
      may change, depending on the state.  For instance, you might observe the
      key to be in the rejected state.  You then read the cached error, but if
      the key semaphore wasn't locked, the key might've become instantiated
      between the two reads - and you might now have something in hand that isn't
      actually an error code.
      
      The state is now KEY_IS_UNINSTANTIATED, KEY_IS_POSITIVE or a negative error
      code if the key is negatively instantiated.  The key_is_instantiated()
      function is replaced with key_is_positive() to avoid confusion as negative
      keys are also 'instantiated'.
      
      Additionally, barriering is included:
      
       (1) Order payload-set before state-set during instantiation.
      
       (2) Order state-read before payload-read when using the key.
      
      Further separate barriering is necessary if RCU is being used to access the
      payload content after reading the payload pointers.
      
      Fixes: 146aa8b1 ("KEYS: Merge the type-specific data with the payload data")
      Cc: stable@vger.kernel.org # v4.4+
      Reported-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reviewed-by: default avatarEric Biggers <ebiggers@google.com>
      363b02da
    • Chun-Yi Lee's avatar
      KEYS: checking the input id parameters before finding asymmetric key · b3811d36
      Chun-Yi Lee authored
      For finding asymmetric key, the input id_0 and id_1 parameters can
      not be NULL at the same time. This patch adds the BUG_ON checking
      for id_0 and id_1.
      
      Cc: David Howells <dhowells@redhat.com>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: "David S. Miller" <davem@davemloft.net>
      Signed-off-by: default avatarChun-Yi Lee <jlee@suse.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      b3811d36
    • Chun-Yi Lee's avatar
      KEYS: Fix the wrong index when checking the existence of second id · 6a6d2a77
      Chun-Yi Lee authored
      Fix the wrong index number when checking the existence of second
      id in function of finding asymmetric key. The id_1 is the second
      id that the index in array must be 1 but not 0.
      
      Fixes: 9eb02989 (KEYS: Generalise x509_request_asymmetric_key())
      Cc: David Howells <dhowells@redhat.com>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: "David S. Miller" <davem@davemloft.net>
      Signed-off-by: default avatarChun-Yi Lee <jlee@suse.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      6a6d2a77
    • Arnd Bergmann's avatar
      security/keys: BIG_KEY requires CONFIG_CRYPTO · 3cd18d19
      Arnd Bergmann authored
      The recent rework introduced a possible randconfig build failure
      when CONFIG_CRYPTO configured to only allow modules:
      
      security/keys/big_key.o: In function `big_key_crypt':
      big_key.c:(.text+0x29f): undefined reference to `crypto_aead_setkey'
      security/keys/big_key.o: In function `big_key_init':
      big_key.c:(.init.text+0x1a): undefined reference to `crypto_alloc_aead'
      big_key.c:(.init.text+0x45): undefined reference to `crypto_aead_setauthsize'
      big_key.c:(.init.text+0x77): undefined reference to `crypto_destroy_tfm'
      crypto/gcm.o: In function `gcm_hash_crypt_remain_continue':
      gcm.c:(.text+0x167): undefined reference to `crypto_ahash_finup'
      crypto/gcm.o: In function `crypto_gcm_exit_tfm':
      gcm.c:(.text+0x847): undefined reference to `crypto_destroy_tfm'
      
      When we 'select CRYPTO' like the other users, we always get a
      configuration that builds.
      
      Fixes: 428490e3 ("security/keys: rewrite all of big_key crypto")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      3cd18d19
  2. 12 Oct, 2017 5 commits
    • Eric Biggers's avatar
      ecryptfs: fix dereference of NULL user_key_payload · f66665c0
      Eric Biggers authored
      In eCryptfs, we failed to verify that the authentication token keys are
      not revoked before dereferencing their payloads, which is problematic
      because the payload of a revoked key is NULL.  request_key() *does* skip
      revoked keys, but there is still a window where the key can be revoked
      before we acquire the key semaphore.
      
      Fix it by updating ecryptfs_get_key_payload_data() to return
      -EKEYREVOKED if the key payload is NULL.  For completeness we check this
      for "encrypted" keys as well as "user" keys, although encrypted keys
      cannot be revoked currently.
      
      Alternatively we could use key_validate(), but since we'll also need to
      fix ecryptfs_get_key_payload_data() to validate the payload length, it
      seems appropriate to just check the payload pointer.
      
      Fixes: 237fead6 ("[PATCH] ecryptfs: fs/Makefile and fs/Kconfig")
      Reviewed-by: default avatarJames Morris <james.l.morris@oracle.com>
      Cc: <stable@vger.kernel.org>    [v2.6.19+]
      Cc: Michael Halcrow <mhalcrow@google.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      f66665c0
    • Eric Biggers's avatar
      fscrypt: fix dereference of NULL user_key_payload · d60b5b78
      Eric Biggers authored
      When an fscrypt-encrypted file is opened, we request the file's master
      key from the keyrings service as a logon key, then access its payload.
      However, a revoked key has a NULL payload, and we failed to check for
      this.  request_key() *does* skip revoked keys, but there is still a
      window where the key can be revoked before we acquire its semaphore.
      
      Fix it by checking for a NULL payload, treating it like a key which was
      already revoked at the time it was requested.
      
      Fixes: 88bd6ccd ("ext4 crypto: add encryption key management facilities")
      Reviewed-by: default avatarJames Morris <james.l.morris@oracle.com>
      Cc: <stable@vger.kernel.org>    [v4.1+]
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      d60b5b78
    • Eric Biggers's avatar
      lib/digsig: fix dereference of NULL user_key_payload · 192cabd6
      Eric Biggers authored
      digsig_verify() requests a user key, then accesses its payload.
      However, a revoked key has a NULL payload, and we failed to check for
      this.  request_key() *does* skip revoked keys, but there is still a
      window where the key can be revoked before we acquire its semaphore.
      
      Fix it by checking for a NULL payload, treating it like a key which was
      already revoked at the time it was requested.
      
      Fixes: 051dbb91 ("crypto: digital signature verification support")
      Reviewed-by: default avatarJames Morris <james.l.morris@oracle.com>
      Cc: <stable@vger.kernel.org>    [v3.3+]
      Cc: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      192cabd6
    • Eric Biggers's avatar
      FS-Cache: fix dereference of NULL user_key_payload · d124b2c5
      Eric Biggers authored
      When the file /proc/fs/fscache/objects (available with
      CONFIG_FSCACHE_OBJECT_LIST=y) is opened, we request a user key with
      description "fscache:objlist", then access its payload.  However, a
      revoked key has a NULL payload, and we failed to check for this.
      request_key() *does* skip revoked keys, but there is still a window
      where the key can be revoked before we access its payload.
      
      Fix it by checking for a NULL payload, treating it like a key which was
      already revoked at the time it was requested.
      
      Fixes: 4fbf4291 ("FS-Cache: Allow the current state of all objects to be dumped")
      Reviewed-by: default avatarJames Morris <james.l.morris@oracle.com>
      Cc: <stable@vger.kernel.org>    [v2.6.32+]
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      d124b2c5
    • Eric Biggers's avatar
      KEYS: encrypted: fix dereference of NULL user_key_payload · 13923d08
      Eric Biggers authored
      A key of type "encrypted" references a "master key" which is used to
      encrypt and decrypt the encrypted key's payload.  However, when we
      accessed the master key's payload, we failed to handle the case where
      the master key has been revoked, which sets the payload pointer to NULL.
      Note that request_key() *does* skip revoked keys, but there is still a
      window where the key can be revoked before we acquire its semaphore.
      
      Fix it by checking for a NULL payload, treating it like a key which was
      already revoked at the time it was requested.
      
      This was an issue for master keys of type "user" only.  Master keys can
      also be of type "trusted", but those cannot be revoked.
      
      Fixes: 7e70cb49 ("keys: add new key-type encrypted")
      Reviewed-by: default avatarJames Morris <james.l.morris@oracle.com>
      Cc: <stable@vger.kernel.org>    [v2.6.38+]
      Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
      Cc: David Safford <safford@us.ibm.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      13923d08
  3. 01 Oct, 2017 9 commits
    • Linus Torvalds's avatar
      Linux 4.14-rc3 · 9e66317d
      Linus Torvalds authored
      9e66317d
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 368f8998
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
       "This contains the following fixes and improvements:
      
         - Avoid dereferencing an unprotected VMA pointer in the fault signal
           generation code
      
         - Fix inline asm call constraints for GCC 4.4
      
         - Use existing register variable to retrieve the stack pointer
           instead of forcing the compiler to create another indirect access
           which results in excessive extra 'mov %rsp, %<dst>' instructions
      
         - Disable branch profiling for the memory encryption code to prevent
           an early boot crash
      
         - Fix a sparse warning caused by casting the __user annotation in
           __get_user_asm_u64() away
      
         - Fix an off by one error in the loop termination of the error patch
           in the x86 sysfs init code
      
         - Add missing CPU IDs to various Intel specific drivers to enable the
           functionality on recent hardware
      
         - More (init) constification in the numachip code"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/asm: Use register variable to get stack pointer value
        x86/mm: Disable branch profiling in mem_encrypt.c
        x86/asm: Fix inline asm call constraints for GCC 4.4
        perf/x86/intel/uncore: Correct num_boxes for IIO and IRP
        perf/x86/intel/rapl: Add missing CPU IDs
        perf/x86/msr: Add missing CPU IDs
        perf/x86/intel/cstate: Add missing CPU IDs
        x86: Don't cast away the __user in __get_user_asm_u64()
        x86/sysfs: Fix off-by-one error in loop termination
        x86/mm: Fix fault error path using unsafe vma pointer
        x86/numachip: Add const and __initconst to numachip2_clockevent
      368f8998
    • Linus Torvalds's avatar
      Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · c42ed9f9
      Linus Torvalds authored
      Pull timer fixes from Thomas Gleixner:
       "This adds a new timer wheel function which is required for the
        conversion of the timer callback function from the 'unsigned long
        data' argument to 'struct timer_list *timer'. This conversion has two
        benefits:
      
         1) It makes struct timer_list smaller
      
         2) Many callers hand in a pointer to the timer or to the structure
            containing the timer, which happens via type casting both at setup
            and in the callback. This change gets rid of the typecasts.
      
        Once the conversion is complete, which is planned for 4.15, the old
        setup function and the intermediate typecast in the new setup function
        go away along with the data field in struct timer_list.
      
        Merging this now into mainline allows a smooth queueing of the actual
        conversion in the affected maintainer trees without creating
        dependencies"
      
      * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        um/time: Fixup namespace collision
        timer: Prepare to change timer callback argument type
      c42ed9f9
    • Linus Torvalds's avatar
      Merge branch 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 82513545
      Linus Torvalds authored
      Pull smp/hotplug fixes from Thomas Gleixner:
       "This addresses the fallout of the new lockdep mechanism which covers
        completions in the CPU hotplug code.
      
        The lockdep splats are false positives, but there is no way to
        annotate that reliably. The solution is to split the completions for
        CPU up and down, which requires some reshuffling of the failure
        rollback handling as well"
      
      * 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        smp/hotplug: Hotplug state fail injection
        smp/hotplug: Differentiate the AP completion between up and down
        smp/hotplug: Differentiate the AP-work lockdep class between up and down
        smp/hotplug: Callback vs state-machine consistency
        smp/hotplug: Rewrite AP state machine core
        smp/hotplug: Allow external multi-instance rollback
        smp/hotplug: Add state diagram
      82513545
    • Linus Torvalds's avatar
      Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 7e103ace
      Linus Torvalds authored
      Pull scheduler fixes from Thomas Gleixner:
       "The scheduler pull request comes with the following updates:
      
         - Prevent a divide by zero issue by validating the input value of
           sysctl_sched_time_avg
      
         - Make task state printing consistent all over the place and have
           explicit state characters for IDLE and PARKED so they wont be
           displayed as 'D' state which confuses tools"
      
      * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/sysctl: Check user input value of sysctl_sched_time_avg
        sched/debug: Add explicit TASK_PARKED printing
        sched/debug: Ignore TASK_IDLE for SysRq-W
        sched/debug: Add explicit TASK_IDLE printing
        sched/tracing: Use common task-state helpers
        sched/tracing: Fix trace_sched_switch task-state printing
        sched/debug: Remove unused variable
        sched/debug: Convert TASK_state to hex
        sched/debug: Implement consistent task-state printing
      7e103ace
    • Linus Torvalds's avatar
      Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 1c6f705b
      Linus Torvalds authored
      Pull perf fixes from Thomas Gleixner:
      
       - Prevent a division by zero in the perf aux buffer handling
      
       - Sync kernel headers with perf tool headers
      
       - Fix a build failure in the syscalltbl code
      
       - Make the debug messages of perf report --call-graph work correctly
      
       - Make sure that all required perf files are in the MANIFEST for
         container builds
      
       - Fix the atrr.exclude kernel handling so it respects the
         perf_event_paranoid and the user permissions
      
       - Make perf test on s390x work correctly
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/aux: Only update ->aux_wakeup in non-overwrite mode
        perf test: Fix vmlinux failure on s390x part 2
        perf test: Fix vmlinux failure on s390x
        perf tools: Fix syscalltbl build failure
        perf report: Fix debug messages with --call-graph option
        perf evsel: Fix attr.exclude_kernel setting for default cycles:p
        tools include: Sync kernel ABI headers with tooling headers
        perf tools: Get all of tools/{arch,include}/ in the MANIFEST
      1c6f705b
    • Linus Torvalds's avatar
      Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 1de47f3c
      Linus Torvalds authored
      Pull  locking fixes from Thomas Gleixner:
       "Two fixes for locking:
      
         - Plug a hole the pi_stat->owner serialization which was changed
           recently and failed to fixup two usage sites.
      
         - Prevent reordering of the rwsem_has_spinner() check vs the
           decrement of rwsem count in up_write() which causes a missed
           wakeup"
      
      * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        locking/rwsem-xadd: Fix missed wakeup due to reordering of load
        futex: Fix pi_state->owner serialization
      1de47f3c
    • Linus Torvalds's avatar
      Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 3d9d62b9
      Linus Torvalds authored
      Pull irq fixes from Thomas Gleixner:
      
       - Add a missing NULL pointer check in free_irq()
      
       - Fix a memory leak/memory corruption in the generic irq chip
      
       - Add missing rcu annotations for radix tree access
      
       - Use ffs instead of fls when extracting data from a chip register in
         the MIPS GIC irq driver
      
       - Fix the unmasking of IPI interrupts in the MIPS GIC driver so they
         end up at the target CPU and not at CPU0
      
      * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        irq/generic-chip: Don't replace domain's name
        irqdomain: Add __rcu annotations to radix tree accessors
        irqchip/mips-gic: Use effective affinity to unmask
        irqchip/mips-gic: Fix shifts to extract register fields
        genirq: Check __free_irq() return value for NULL
      3d9d62b9
    • Linus Torvalds's avatar
      Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 156069f8
      Linus Torvalds authored
      Pull objtool fixes from Thomas Gleixner:
       "Two small fixes for objtool:
      
         - Support frame pointer setup via 'lea (%rsp), %rbp' which was not
           yet supported and caused build warnings
      
         - Disable unreacahble warnings for GCC4.4 and older to avoid false
           positives caused by the compiler itself"
      
      * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        objtool: Support unoptimized frame pointer setup
        objtool: Skip unreachable warnings for GCC 4.4 and older
      156069f8
  4. 30 Sep, 2017 4 commits
  5. 29 Sep, 2017 13 commits