1. 01 Feb, 2019 2 commits
    • mic: vop: Fix use-after-free on remove · 70ed7148
      Vincent Whitchurch authored
      KASAN detects a use-after-free when vop devices are removed.
      
      This problem was introduced by commit 0063e8bb ("virtio_vop:
      don't kfree device on register failure").  That patch moved the freeing
      of the struct _vop_vdev to the release function, but failed to ensure
      that vop holds a reference to the device when it doesn't want it to go
      away.  A kfree() was replaced with a put_device() in the unregistration
      path, but the last reference to the device is already dropped in
      unregister_virtio_device() so the struct is freed before vop is done
      with it.
      
      Fix it by holding a reference until cleanup is done.  This is similar to
      the fix in virtio_pci in commit 2989be09 ("virtio_pci: fix use
      after free on release").
      
       ==================================================================
       BUG: KASAN: use-after-free in vop_scan_devices+0xc6c/0xe50 [vop]
       Read of size 8 at addr ffff88800da18580 by task kworker/0:1/12
      
       CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.0.0-rc4+ #53
       Workqueue: events vop_hotplug_devices [vop]
       Call Trace:
        dump_stack+0x74/0xbb
        print_address_description+0x5d/0x2b0
        ? vop_scan_devices+0xc6c/0xe50 [vop]
        kasan_report+0x152/0x1aa
        ? vop_scan_devices+0xc6c/0xe50 [vop]
        ? vop_scan_devices+0xc6c/0xe50 [vop]
        vop_scan_devices+0xc6c/0xe50 [vop]
        ? vop_loopback_free_irq+0x160/0x160 [vop_loopback]
        process_one_work+0x7c0/0x14b0
        ? pwq_dec_nr_in_flight+0x2d0/0x2d0
        ? do_raw_spin_lock+0x120/0x280
        worker_thread+0x8f/0xbf0
        ? __kthread_parkme+0x78/0xf0
        ? process_one_work+0x14b0/0x14b0
        kthread+0x2ae/0x3a0
        ? kthread_park+0x120/0x120
        ret_from_fork+0x3a/0x50
      
       Allocated by task 12:
        kmem_cache_alloc_trace+0x13a/0x2a0
        vop_scan_devices+0x473/0xe50 [vop]
        process_one_work+0x7c0/0x14b0
        worker_thread+0x8f/0xbf0
        kthread+0x2ae/0x3a0
        ret_from_fork+0x3a/0x50
      
       Freed by task 12:
        kfree+0x104/0x310
        device_release+0x73/0x1d0
        kobject_put+0x14f/0x420
        unregister_virtio_device+0x32/0x50
        vop_scan_devices+0x19d/0xe50 [vop]
        process_one_work+0x7c0/0x14b0
        worker_thread+0x8f/0xbf0
        kthread+0x2ae/0x3a0
        ret_from_fork+0x3a/0x50
      
       The buggy address belongs to the object at ffff88800da18008
        which belongs to the cache kmalloc-2k of size 2048
       The buggy address is located 1400 bytes inside of
        2048-byte region [ffff88800da18008, ffff88800da18808)
       ==================================================================
      
      Fixes: 0063e8bb ("virtio_vop: don't kfree device on register failure")
      Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • binderfs: remove separate device_initcall() · 5b9633af
      Christian Brauner authored
      binderfs should not have a separate device_initcall(). When a kernel is
      compiled with CONFIG_ANDROID_BINDERFS register the filesystem alongside
      CONFIG_ANDROID_IPC. This use-case is especially sensible when users specify
      CONFIG_ANDROID_IPC=y, CONFIG_ANDROID_BINDERFS=y and
      ANDROID_BINDER_DEVICES="".
      When CONFIG_ANDROID_BINDERFS=n then this always succeeds so there's no
      regression potential for legacy workloads.
      Signed-off-by: Christian Brauner <christian@brauner.io>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  2. 31 Jan, 2019 1 commit
  3. 30 Jan, 2019 7 commits
    • mic: vop: Fix broken virtqueues · 5aa60834
      Vincent Whitchurch authored
      VOP is broken in mainline since commit 1ce9e605 ("virtio_ring:
      introduce packed ring support"); attempting to use the virtqueues leads
      to various kernel crashes.  I'm testing it with my not-yet-merged
      loopback patches, but even the in-tree MIC hardware cannot work.
      
      The problem is not in the referenced commit per se, but is due to the
      following hack in vop_find_vq() which depends on the layout of private
      structures in other source files, which that commit happened to change:
      
        /*
         * To reassign the used ring here we are directly accessing
         * struct vring_virtqueue which is a private data structure
         * in virtio_ring.c. At the minimum, a BUILD_BUG_ON() in
         * vring_new_virtqueue() would ensure that
         *  (&vq->vring == (struct vring *) (&vq->vq + 1));
         */
        vr = (struct vring *)(vq + 1);
        vr->used = used;
      
      Fix vop by using __vring_new_virtqueue() to create the needed vring
      layout from the start, instead of attempting to patch in the used ring
      later.  __vring_new_virtqueue() was added way back in commit
      2a2d1382 ("virtio: Add improved queue allocation API") in order to
      address mic's usecase, according to the commit message.
      
      Fixes: 1ce9e605 ("virtio_ring: introduce packed ring support")
      Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • mei: free read cb on ctrl_wr list flush · cee4c4d6
      Alexander Usyskin authored
      There is a little window during disconnection flow
      when read cb is moved between lists and may be not freed.
      Remove moving read cbs explicitly during flush fixes this memory
      leak.
      Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
      Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • samples: mei: use /dev/mei0 instead of /dev/mei · c4a46acf
      Tomas Winkler authored
      The device was moved from misc device to character devices
      to support multiple mei devices.
      
      Cc: <stable@vger.kernel.org> #v4.9+
      Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • mei: me: add ice lake point device id. · efe814e9
      Tomas Winkler authored
      Add icelake mei device id.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • binderfs: respect limit on binder control creation · da8ddba5
      Christian Brauner authored
      We currently adhere to the reserved devices limit when creating new
      binderfs devices in binderfs instances not located in the initial ipc
      namespace. But it is still possible to rob the host instances of their 4
      reserved devices by creating the maximum allowed number of devices in a
      single binderfs instance located in a non-initial ipc namespace and then
      mounting 4 separate binderfs instances in non-initial ipc namespaces. That
      happens because the limit is currently not respected for the creation of
      the initial binder-control device node. Block this nonsense by performing
      the same check in binderfs_binder_ctl_create() that we perform in
      binderfs_binder_device_create().
      
      Fixes: 36bdf3ca ("binderfs: reserve devices for initial mount")
      Signed-off-by: Christian Brauner <christian@brauner.io>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • binder: fix CONFIG_ANDROID_BINDER_DEVICES · 793c8232
      Christian Brauner authored
      Several users have tried to only rely on binderfs to provide binder devices
      and set CONFIG_ANDROID_BINDER_DEVICES="" empty. This is a great use-case of
      binderfs and one that was always intended to work. However, this is
      currently not possible since setting CONFIG_ANDROID_BINDER_DEVICES="" empty
      will simply panic the kernel:
      
      kobject: (00000000028c2f79): attempted to be registered with empty name!
      WARNING: CPU: 7 PID: 1703 at lib/kobject.c:228 kobject_add_internal+0x288/0x2b0
      Modules linked in: binder_linux(+) bridge stp llc ipmi_ssif gpio_ich dcdbas coretemp kvm_intel kvm irqbypass serio_raw input_leds lpc_ich i5100_edac mac_hid ipmi_si ipmi_devintf ipmi_msghandler sch_fq_codel ib_i
      CPU: 7 PID: 1703 Comm: modprobe Not tainted 5.0.0-rc2-brauner-binderfs #263
      Hardware name: Dell      DCS XS24-SC2          /XS24-SC2              , BIOS S59_3C20 04/07/2011
      RIP: 0010:kobject_add_internal+0x288/0x2b0
      Call Trace:
       kobject_add+0x71/0xd0
       ? _cond_resched+0x19/0x40
       ? mutex_lock+0x12/0x40
       device_add+0x12e/0x6b0
       device_create_groups_vargs+0xe4/0xf0
       device_create_with_groups+0x3f/0x60
       ? _cond_resched+0x19/0x40
       misc_register+0x140/0x180
       binder_init+0x1ed/0x2d4 [binder_linux]
       ? trace_event_define_fields_binder_transaction_fd_send+0x8e/0x8e [binder_linux]
       do_one_initcall+0x4a/0x1c9
       ? _cond_resched+0x19/0x40
       ? kmem_cache_alloc_trace+0x151/0x1c0
       do_init_module+0x5f/0x216
       load_module+0x223d/0x2b20
       __do_sys_finit_module+0xfc/0x120
       ? __do_sys_finit_module+0xfc/0x120
       __x64_sys_finit_module+0x1a/0x20
       do_syscall_64+0x5a/0x120
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      So check for the empty string since strsep() will otherwise return the
      empty string which will cause kobject_add_internal() to panic when trying
      to add a kobject with an empty name.
      
      Fixes: ac4812c5 ("binder: Support multiple /dev instances")
      Cc: Martijn Coenen <maco@google.com>
      Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
      Acked-by: Todd Kjos <tkjos@google.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • selftests: add binderfs selftests · 75abec73
      Christian Brauner authored
      This adds the promised selftest for binderfs. It will verify the following
      things:
      - binderfs mounting works
      - binder device allocation works
      - performing a binder ioctl() request through a binderfs device works
      - binder device removal works
      - binder-control removal fails
      - binderfs unmounting works
      
      The tests are performed both privileged and unprivileged. The latter
      verifies that binderfs behaves correctly in user namespaces.
      
      Cc: Todd Kjos <tkjos@google.com>
      Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
      Acked-by: Shuah Khan <shuah@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  4. 27 Jan, 2019 14 commits
    • Linux 5.0-rc4 · f17b5f06
      Linus Torvalds authored
    • Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 8a5f0605
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
       "A set of fixes for x86:
      
         - Fix the swapped outb() parameters in the KASLR code
      
         - Fix the PKEY handling at fork which missed to preserve the pkey
           state for the child. Comes with a test case to validate that.
      
         - Fix the entry stack handling for XEN PV to respect that XEN PV
           systems enter the function already on the current thread stack and
           not on the trampoline.
      
         - Fix kexec load failure caused by using a stale value when the
           kexec_buf structure is reused for subsequent allocations.
      
         - Fix a bogus sizeof() in the memory encryption code
      
         - Enforce PCI dependency for the Intel Low Power Subsystem
      
         - Enforce PCI_LOCKLESS_CONFIG when PCI is enabled"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/Kconfig: Select PCI_LOCKLESS_CONFIG if PCI is enabled
        x86/entry/64/compat: Fix stack switching for XEN PV
        x86/kexec: Fix a kexec_file_load() failure
        x86/mm/mem_encrypt: Fix erroneous sizeof()
        x86/selftests/pkeys: Fork() to check for state being preserved
        x86/pkeys: Properly copy pkey state at fork()
        x86/kaslr: Fix incorrect i8254 outb() parameters
        x86/intel/lpss: Make PCI dependency explicit
    • Merge branch 'x86-timers-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 351e1aa6
      Linus Torvalds authored
      Pull x86 timer fixes from Thomas Gleixner:
       "Two commits which were missed to be sent during the merge window.
      
         - The TSC calibration fix turns out to be more urgent as recent
           Skylake-X systems seem to have massive trouble with calibration
           disturbance. This should go back into stable for that reason and
           the risk of breakage is rather low.
      
         - Drop an unused define"
      
      * 'x86-timers-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/hpet: Remove unused FSEC_PER_NSEC define
        x86/tsc: Make calibration refinement more robust
    • Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · f907bb4c
      Linus Torvalds authored
      Pull timer fix from Thomas Gleixner:
       "A single regression fix to address the unintended breakage of posix
        cpu timers.
      
        This is caused by a new sanity check in the common code, which fails
        for posix cpu timers under certain conditions because the posix cpu
        timer code never updates the variable which is checked"
      
      * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        posix-cpu-timers: Unbreak timer rearming
    • Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 98810518
      Linus Torvalds authored
      Pull locking fixes from Thomas Gleixner:
       "A small series of fixes which all address possible missed wakeups:
      
         - Document and fix the wakeup ordering of wake_q
      
         - Add the missing barrier in rcuwait_wake_up(), which was documented
           in the comment but missing in the code
      
         - Fix the possible missed wakeups in the rwsem and futex code"
      
      * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        locking/rwsem: Fix (possible) missed wakeup
        futex: Fix (possible) missed wakeup
        sched/wake_q: Fix wakeup ordering for wake_q
        sched/wake_q: Document wake_q_add()
        sched/wait: Fix rcuwait_wake_up() ordering
    • Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 0d484375
      Linus Torvalds authored
      Pull irq fixes from Thomas Gleixner:
       "A small set of fixes for the interrupt subsystem:
      
         - Fix a double increment in the irq descriptor allocator which
           resulted in a sanity check only being done for every second
           affinity mask
      
         - Add a missing device tree translation in the stm32-exti driver.
           Without that the interrupt association is completely wrong.
      
         - Initialize the mutex in the GIC-V3 MBI driver
      
         - Fix the alignment for aliasing devices in the GIC-V3-ITS driver so
           multi MSI allocations work correctly
      
         - Ensure that the initial affinity of an interrupt is not empty at
           startup time.
      
         - Drop bogus include in the madera irq chip driver
      
         - Fix KernelDoc regression"
      
      * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        irqchip/gic-v3-its: Align PCI Multi-MSI allocation on their size
        genirq/irqdesc: Fix double increment in alloc_descs()
        genirq: Fix the kerneldoc comment for struct irq_affinity_desc
        irqchip/madera: Drop GPIO includes
        irqchip/gic-v3-mbi: Fix uninitialized mbi_lock
        irqchip/stm32-exti: Add domain translate function
        genirq: Make sure the initial affinity is not empty
    • Merge tag 'edac_fix_for_5.0' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp · 98354243
      Linus Torvalds authored
      Pull EDAC fix from Borislav Petkov:
       "Fix persistent register offsets of altera_edac, from Thor Thayer"
      
      * tag 'edac_fix_for_5.0' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp:
        EDAC, altera: Fix S10 persistent register offset
    • Merge tag 'for-linus-20190127' of git://git.kernel.dk/linux-block · 419967d5
      Linus Torvalds authored
      Pull block revert from Jens Axboe:
       "Silly error snuck into a patch from the last series, let's do a revert
        to avoid a potential use-after-free"
      
      * tag 'for-linus-20190127' of git://git.kernel.dk/linux-block:
        Revert "block: cover another queue enter recursion via BIO_QUEUE_ENTERED"
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 1fc7f56d
      Linus Torvalds authored
      Pull KVM fixes from Paolo Bonzini:
       "Quite a few fixes for x86: nested virtualization save/restore, AMD
        nested virtualization and virtual APIC, 32-bit fixes, an important fix
        to restore operation on older processors, and a bunch of hyper-v
        bugfixes. Several are marked stable.
      
        There are also fixes for GCC warnings and for a GCC/objtool interaction"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: x86: Mark expected switch fall-throughs
        KVM: x86: fix TRACE_INCLUDE_PATH and remove -I. header search paths
        KVM: selftests: check returned evmcs version range
        x86/kvm/hyper-v: nested_enable_evmcs() sets vmcs_version incorrectly
        KVM: VMX: Move vmx_vcpu_run()'s VM-Enter asm blob to a helper function
        kvm: selftests: Fix region overlap check in kvm_util
        kvm: vmx: fix some -Wmissing-prototypes warnings
        KVM: nSVM: clear events pending from svm_complete_interrupts() when exiting to L1
        svm: Fix AVIC incomplete IPI emulation
        svm: Add warning message for AVIC IPI invalid target
        KVM: x86: WARN_ONCE if sending a PV IPI returns a fatal error
        KVM: x86: Fix PV IPIs for 32-bit KVM host
        x86/kvm/hyper-v: recommend using eVMCS only when it is enabled
        x86/kvm/hyper-v: don't recommend doing reset via synthetic MSR
        kvm: x86/vmx: Use kzalloc for cached_vmcs12
        KVM: VMX: Use the correct field var when clearing VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL
        KVM: x86: Fix single-step debugging
        x86/kvm/hyper-v: don't announce GUEST IDLE MSR support
    • Merge tag 'dma-mapping-5.0-2' of git://git.infradead.org/users/hch/dma-mapping · c180f1b0
      Linus Torvalds authored
      Pull dma-mapping fix from Christoph Hellwig:
       "Fix a xen-swiotlb regression on arm64"
      
      * tag 'dma-mapping-5.0-2' of git://git.infradead.org/users/hch/dma-mapping:
        arm64/xen: fix xen-swiotlb cache flushing
    • Merge tag 'libnvdimm-fixes-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm · 6a2651b5
      Linus Torvalds authored
      Pull libnvdimm fixes from Dan Williams:
       "A fix for namespace label support for non-Intel NVDIMMs that implement
        the ACPI standard label method.
      
        This has apparently never worked and could wait for v5.1. However it
        has enough visibility with hardware vendors [1] and distro bug
        trackers [2], and low enough risk that I decided it should go in for
        -rc4. The other fixups target the new, for v5.0, nvdimm security
        functionality. The larger init path fixup closes a memory leak and a
        potential userspace lockup due to missed notifications.
      
          [1] https://github.com/pmem/ndctl/issues/78
          [2] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811785
      
        These have all soaked in -next for a week with no reported issues.
      
        Summary:
      
         - Fix support for NVDIMMs that implement the ACPI standard label
           methods.
      
         - Fix error handling for security overwrite (memory leak / userspace
           hang condition), and another one-line security cleanup"
      
      * tag 'libnvdimm-fixes-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
        acpi/nfit: Fix command-supported detection
        acpi/nfit: Block function zero DSMs
        libnvdimm/security: Require nvdimm_security_setup_events() to succeed
        nfit_test: fix security state pull for nvdimm security nfit_test
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 78e372e6
      Linus Torvalds authored
      Pull input fixes from Dmitry Torokhov:
       "A fixup for the input_event fix for y2038 Sparc64, and couple other
        minor fixes"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: input_event - fix the CONFIG_SPARC64 mixup
        Input: olpc_apsp - assign priv->dev earlier
        Input: uinput - fix undefined behavior in uinput_validate_absinfo()
        Input: raspberrypi-ts - fix link error
        Input: xpad - add support for SteelSeries Stratus Duo
        Input: input_event - provide override for sparc64
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 037222ad
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Count ttl-dropped frames properly in mac80211, from Bob Copeland.
      
       2) Integer overflow in ktime handling of bcm can code, from Oliver
          Hartkopp.
      
       3) Fix RX desc handling wrt. hw checksumming in ravb, from Simon
          Horman.
      
       4) Various hash key fixes in hv_netvsc, from Haiyang Zhang.
      
       5) Use after free in ax25, from Eric Dumazet.
      
       6) Several fixes to the SSN support in SCTP, from Xin Long.
      
       7) Do not process frames after a NAPI reschedule in ibmveth, from
          Thomas Falcon.
      
       8) Fix NLA_POLICY_NESTED arguments, from Johannes Berg.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (42 commits)
        qed: Revert error handling changes.
        cfg80211: extend range deviation for DMG
        cfg80211: reg: remove warn_on for a normal case
        mac80211: Add attribute aligned(2) to struct 'action'
        mac80211: don't initiate TDLS connection if station is not associated to AP
        nl80211: fix NLA_POLICY_NESTED() arguments
        ibmveth: Do not process frames after calling napi_reschedule
        net: dev_is_mac_header_xmit() true for ARPHRD_RAWIP
        net: usb: asix: ax88772_bind return error when hw_reset fail
        MAINTAINERS: Update cavium networking drivers
        net/mlx4_core: Fix error handling when initializing CQ bufs in the driver
        net/mlx4_core: Add masking for a few queries on HCA caps
        sctp: set flow sport from saddr only when it's 0
        sctp: set chunk transport correctly when it's a new asoc
        sctp: improve the events for sctp stream adding
        sctp: improve the events for sctp stream reset
        ip_tunnel: Make none-tunnel-dst tunnel port work with lwtunnel
        ax25: fix possible use-after-free
        sfc: suppress duplicate nvmem partition types in efx_ef10_mtd_probe
        hv_netvsc: fix typos in code comments
        ...
    • Revert "block: cover another queue enter recursion via BIO_QUEUE_ENTERED" · 947b7ac1
      Jens Axboe authored
      We can't touch a bio after ->make_request_fn(), for all we know it could
      already have been completed by the time this function returns.
      
      This reverts commit 698cef17.
      
      Reported-by: syzbot+4df6ca820108fd248943@syzkaller.appspotmail.com
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
  5. 26 Jan, 2019 4 commits
    • Merge tag '5.0-rc3-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6 · 7c2614bf
      Linus Torvalds authored
      Pull smb3 fixes from Steve French:
       "A set of small smb3 fixes, some fixing various crediting issues
        discovered during xfstest runs, five for stable"
      
      * tag '5.0-rc3-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: print CIFSMaxBufSize as part of /proc/fs/cifs/DebugData
        smb3: add credits we receive from oplock/break PDUs
        CIFS: Fix mounts if the client is low on credits
        CIFS: Do not assume one credit for async responses
        CIFS: Fix credit calculations in compound mid callback
        CIFS: Fix credit calculation for encrypted reads with errors
        CIFS: Fix credits calculations for reads with errors
        CIFS: Do not reconnect TCP session in add_credits()
        smb3: Cleanup license mess
        CIFS: Fix possible hang during async MTU reads and writes
        cifs: fix memory leak of an allocated cifs_ntsd structure
    • Merge tag 'vfio-v5.0-rc4' of git://github.com/awilliam/linux-vfio · 2580acb2
      Linus Torvalds authored
      Pull VFIO fixes from Alex Williamson:
      
       - cleanup licenses in new files (Thomas Gleixner)
      
       - cleanup new compiler warnings (Alexey Kardashevskiy)
      
      * tag 'vfio-v5.0-rc4' of git://github.com/awilliam/linux-vfio:
        vfio-pci/nvlink2: Fix ancient gcc warnings
        vfio/pci: Cleanup license mess
    • Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 7930851e
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Six fixes, all of which appear to have user visible consequences.
      
        The DMA one is a regression fix from the merge window and of the
        others, four are driver specific and one specific to the target code"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: ufs: Use explicit access size in ufshcd_dump_regs
        scsi: tcmu: fix use after free
        scsi: csiostor: fix NULL pointer dereference in csio_vport_set_state()
        scsi: lpfc: nvmet: avoid hang / use-after-free when destroying targetport
        scsi: lpfc: nvme: avoid hang / use-after-free when destroying localport
        scsi: communicate max segment size to the DMA mapping code
    • Merge tag 'for-linus-20190125' of git://git.kernel.dk/linux-block · 6b8f9159
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "A collection of fixes for this release. This contains:
      
         - Silence sparse rightfully complaining about non-static wbt
           functions (Bart)
      
         - Fixes for the zoned comments/ioctl documentation (Damien)
      
         - direct-io fix that's been lingering for a while (Ernesto)
      
         - cgroup writeback fix (Tejun)
      
         - Set of NVMe patches for nvme-rdma/tcp (Sagi, Hannes, Raju)
      
         - Block recursion tracking fix (Ming)
      
         - Fix debugfs command flag naming for a few flags (Jianchao)"
      
      * tag 'for-linus-20190125' of git://git.kernel.dk/linux-block:
        block: Fix comment typo
        uapi: fix ioctl documentation
        blk-wbt: Declare local functions static
        blk-mq: fix the cmd_flag_name array
        nvme-multipath: drop optimization for static ANA group IDs
        nvmet-rdma: fix null dereference under heavy load
        nvme-rdma: rework queue maps handling
        nvme-tcp: fix timeout handler
        nvme-rdma: fix timeout handler
        writeback: synchronize sync(2) against cgroup writeback membership switches
        block: cover another queue enter recursion via BIO_QUEUE_ENTERED
        direct-io: allow direct writes to empty inodes
  6. 25 Jan, 2019 12 commits
    • qed: Revert error handling changes. · abfd04f7
      David S. Miller authored
      This is new code and not bug fixes.
      
      This reverts all changes added by merge commit
      8fb18be9
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'mmc-v5.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · ba606975
      Linus Torvalds authored
      Pull MMC fixes from Ulf Hansson:
      
       - sdhci-acpi: Fixup build dependency for PCI
      
       - sdhci-omap: Resolve Kconfig warnings on keystone
      
       - sdhci-iproc: Propagate errors from DT parsing
      
       - meson-gx: Fixup IRQ handling in release callback
      
       - meson-gx: Use signal re-sampling to fixup tuning
      
       - dw_mmc-bluefield: Fix the license information
      
      * tag 'mmc-v5.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: dw_mmc-bluefield: : Fix the license information
        mmc: meson-gx: enable signal re-sampling together with tuning
        mmc: sdhci-iproc: handle mmc_of_parse() errors during probe
        mmc: meson-gx: Free irq in release() callback
        mmc: host: Fix Kconfig warnings on keystone_defconfig
        mmc: sdhci-acpi: Make PCI dependency explicit
    • Merge tag 'char-misc-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · d488bd21
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are some small char and misc driver fixes to resolve some
        reported issues, as well as a number of binderfs fixups that were
        found after auditing the filesystem code by Al Viro. As binderfs
        hasn't been in a previous release yet, it's good to get these in now
        before the first users show up.
      
        All of these have been in linux-next for a bit with no reported
        issues"
      
      * tag 'char-misc-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (26 commits)
        i3c: master: Fix an error checking typo in 'cdns_i3c_master_probe()'
        binderfs: switch from d_add() to d_instantiate()
        binderfs: drop lock in binderfs_binder_ctl_create
        binderfs: kill_litter_super() before cleanup
        binderfs: rework binderfs_binder_device_create()
        binderfs: rework binderfs_fill_super()
        binderfs: prevent renaming the control dentry
        binderfs: remove outdated comment
        binderfs: use __u32 for device numbers
        binderfs: use correct include guards in header
        misc: pvpanic: fix warning implicit declaration
        char/mwave: fix potential Spectre v1 vulnerability
        misc: ibmvsm: Fix potential NULL pointer dereference
        binderfs: fix error return code in binderfs_fill_super()
        mei: me: add denverton innovation engine device IDs
        mei: me: mark LBG devices as having dma support
        mei: dma: silent the reject message
        binderfs: handle !CONFIG_IPC_NS builds
        binderfs: reserve devices for initial mount
        binderfs: rename header to binderfs.h
        ...
    • Merge tag 'staging-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 96f18cb8
      Linus Torvalds authored
      Pull staging driver fixes from Greg KH:
       "Here are some small staging driver fixes for 5.0-rc4.
      
        They resolve some reported bugs and add a new device id for one
        driver. Nothing major at all, but all good to have.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'staging-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: android: ion: Support cpu access during dma_buf_detach
        staging: rtl8723bs: Fix build error with Clang when inlining is disabled
        staging: rtl8188eu: Add device code for D-Link DWA-121 rev B1
        staging: vchiq: Fix local event signalling
        Staging: wilc1000: unlock on error in init_chip()
        staging: wilc1000: fix memory leak in wilc_add_rx_gtk
        staging: wilc1000: fix registration frame size
    • Merge tag 'tty-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 473721f9
      Linus Torvalds authored
      Pull tty/serial driver fixes from Greg KH:
       "Here are a number of small tty core and serial driver fixes for
        5.0-rc4 to resolve some reported issues.
      
        Nothing major, the small serial driver fixes, a tty core fixup for a
        crash that was reported, and some good vt fixes from Nicolas Pitre as
        he seems to be auditing that chunk of code a lot lately.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'tty-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        serial: fsl_lpuart: fix maximum acceptable baud rate with over-sampling
        tty: serial: qcom_geni_serial: Allow mctrl when flow control is disabled
        tty: Handle problem if line discipline does not have receive_buf
        vgacon: unconfuse vc_origin when using soft scrollback
        vt: invoke notifier on screen size change
        vt: always call notifier with the console lock held
        vt: make vt_console_print() compatible with the unicode screen buffer
        tty/n_hdlc: fix __might_sleep warning
        serial: 8250: Fix serial8250 initialization crash
        uart: Fix crash in uart_write and uart_put_char
    • Merge tag 'usb-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · b48cef32
      Linus Torvalds authored
      Pull USB/PHY fixes from Greg KH:
       "Here are a number of small USB and PHY driver fixes for 5.0-rc4.
      
        Nothing major at all, just the usual selection of USB gadget bugfixes,
        some new USB serial driver ids, some SPDX fixes, and some PHY driver
        fixes for reported issues.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'usb-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        USB: serial: keyspan_usa: add proper SPDX lines for .h files
        USB: EHCI: ehci-mv: add MODULE_DEVICE_TABLE
        USB: leds: fix regression in usbport led trigger
        usb: chipidea: fix static checker warning for NULL pointer
        MAINTAINERS: email address update in MAINTAINERS entries
        USB: usbip: delete README file
        USB: serial: pl2303: add new PID to support PL2303TB
        usb: dwc2: gadget: Fix Remote Wakeup interrupt bit clearing
        phy: ath79-usb: Fix the main reset name to match the DT binding
        phy: ath79-usb: Fix the power on error path
        phy: fix build breakage: add PHY_MODE_SATA
        phy: ti: ensure priv is not null before dereferencing it
        USB: serial: ftdi_sio: fix GPIO not working in autosuspend
        usb: gadget: Potential NULL dereference on allocation error
        usb: dwc3: gadget: Fix the uninitialized link_state when udc starts
        usb: dwc3: gadget: Clear req->needs_extra_trb flag on cleanup
        usb: dwc3: gadget: synchronize_irq dwc irq in suspend
        USB: serial: simple: add Motorola Tetra TPG2200 device id
    • Merge tag 'mac80211-for-davem-2019-01-25' of... · 51795275
      David S. Miller authored
      Merge tag 'mac80211-for-davem-2019-01-25' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      Just a few small fixes:
       * avoid trying to operate TDLS when not connected,
         this is not valid and led to issues
       * count TTL-dropped frames in mesh better
       * deal with new WiGig channels in regulatory code
       * remove a WARN_ON() that can trigger due to benign
         races during device/driver registration
       * fix nested netlink policy maxattrs (syzkaller)
       * fix hwsim n_limits (syzkaller)
       * propagate __aligned(2) to a surrounding struct
       * return proper error in virt_wifi error path
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • KVM: x86: Mark expected switch fall-throughs · b2869f28
      Gustavo A. R. Silva authored
      In preparation to enabling -Wimplicit-fallthrough, mark switch
      cases where we are expecting to fall through.
      
      This patch fixes the following warnings:
      
      arch/x86/kvm/lapic.c:1037:27: warning: this statement may fall through [-Wimplicit-fallthrough=]
      arch/x86/kvm/lapic.c:1876:3: warning: this statement may fall through [-Wimplicit-fallthrough=]
      arch/x86/kvm/hyperv.c:1637:6: warning: this statement may fall through [-Wimplicit-fallthrough=]
      arch/x86/kvm/svm.c:4396:6: warning: this statement may fall through [-Wimplicit-fallthrough=]
      arch/x86/kvm/mmu.c:4372:36: warning: this statement may fall through [-Wimplicit-fallthrough=]
      arch/x86/kvm/x86.c:3835:6: warning: this statement may fall through [-Wimplicit-fallthrough=]
      arch/x86/kvm/x86.c:7938:23: warning: this statement may fall through [-Wimplicit-fallthrough=]
      arch/x86/kvm/vmx/vmx.c:2015:6: warning: this statement may fall through [-Wimplicit-fallthrough=]
      arch/x86/kvm/vmx/vmx.c:1773:6: warning: this statement may fall through [-Wimplicit-fallthrough=]
      
      Warning level 3 was used: -Wimplicit-fallthrough=3
      
      This patch is part of the ongoing efforts to enable -Wimplicit-fallthrough.
      Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • KVM: x86: fix TRACE_INCLUDE_PATH and remove -I. header search paths · 5cd5548f
      Masahiro Yamada authored
      The header search path -I. in kernel Makefiles is very suspicious;
      it allows the compiler to search for headers in the top of $(srctree),
      where obviously no header file exists.
      
      The reason for having -I. here is to make the incorrectly set
      TRACE_INCLUDE_PATH work.
      
      As the comment block in include/trace/define_trace.h says,
      TRACE_INCLUDE_PATH should be a relative path to the define_trace.h
      
      Fix the TRACE_INCLUDE_PATH, and remove the iffy include paths.
      Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • KVM: selftests: check returned evmcs version range · 35b531a1
      Vitaly Kuznetsov authored
      Check that KVM_CAP_HYPERV_ENLIGHTENED_VMCS returns correct version range.
      Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • x86/kvm/hyper-v: nested_enable_evmcs() sets vmcs_version incorrectly · 3a2f5773
      Vitaly Kuznetsov authored
      Commit e2e871ab ("x86/kvm/hyper-v: Introduce nested_get_evmcs_version()
      helper") broke EVMCS enablement: to set vmcs_version we now call
      nested_get_evmcs_version() but this function checks
      enlightened_vmcs_enabled flag which is not yet set so we end up returning
      zero.
      
      Fix the issue by re-arranging things in nested_enable_evmcs().
      
      Fixes: e2e871ab ("x86/kvm/hyper-v: Introduce nested_get_evmcs_version() helper")
      Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • KVM: VMX: Move vmx_vcpu_run()'s VM-Enter asm blob to a helper function · 5ad6ece8
      Sean Christopherson authored
      ...along with the function's STACK_FRAME_NON_STANDARD tag.  Moving the
      asm blob results in a significantly smaller amount of code that is
      marked with STACK_FRAME_NON_STANDARD, which makes it far less likely
      that gcc will split the function and trigger a spurious objtool warning.
      As a bonus, removing STACK_FRAME_NON_STANDARD from vmx_vcpu_run() allows
      the bulk of code to be properly checked by objtool.
      
      Because %rbp is not loaded via VMCS fields, vmx_vcpu_run() must manually
      save/restore the host's RBP and load the guest's RBP prior to calling
      vmx_vmenter().  Modifying %rbp triggers objtool's stack validation code,
      and so vmx_vcpu_run() is tagged with STACK_FRAME_NON_STANDARD since it's
      impossible to avoid modifying %rbp.
      
      Unfortunately, vmx_vcpu_run() is also a gigantic function that gcc will
      split into separate functions, e.g. so that pieces of the function can
      be inlined.  Splitting the function means that the compiled Elf file
      will contain one or more vmx_vcpu_run.part.* functions in addition to
      a vmx_vcpu_run function.  Depending on where the function is split,
      objtool may warn about a "call without frame pointer save/setup" in
      vmx_vcpu_run.part.* since objtool's stack validation looks for exact
      names when whitelisting functions tagged with STACK_FRAME_NON_STANDARD.
      
      Up until recently, the undesirable function splitting was effectively
      blocked because vmx_vcpu_run() was tagged with __noclone.  At the time,
      __noclone had an unintended side effect that put vmx_vcpu_run() into a
      separate optimization unit, which in turn prevented gcc from inlining
      the function (or any of its own function calls) and thus eliminated gcc's
      motivation to split the function.  Removing the __noclone attribute
      allowed gcc to optimize vmx_vcpu_run(), exposing the objtool warning.
      
      Kudos to Qian Cai for root causing that the fnsplit optimization is what
      caused objtool to complain.
      
      Fixes: 453eafbe ("KVM: VMX: Move VM-Enter + VM-Exit handling to non-inline sub-routines")
      Tested-by: Qian Cai <cai@lca.pw>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Reported-by: kbuild test robot <lkp@intel.com>
      Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>