1. 30 Mar, 2018 7 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 72573481
      Linus Torvalds authored
      Pull KVM fixes from Radim Krčmář:
       "PPC:
         - Fix a bug causing occasional machine check exceptions on POWER8
           hosts (introduced in 4.16-rc1)
      
        x86:
         - Fix a guest crashing regression with nested VMX and restricted
           guest (introduced in 4.16-rc1)
      
         - Fix dependency check for pv tlb flush (the wrong dependency that
           effectively disabled the feature was added in 4.16-rc4, the
           original feature in 4.16-rc1, so it got decent testing)"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: x86: Fix pv tlb flush dependencies
        KVM: nVMX: sync vmcs02 segment regs prior to vmx_set_cr0
        KVM: PPC: Book3S HV: Fix duplication of host SLB entries
      72573481
    • Linus Torvalds's avatar
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · bd886137
      Linus Torvalds authored
      Pull i2c fix from Wolfram Sang:
       "A simple but worthwhile I2C driver fix for 4.16"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: i2c-stm32f7: fix no check on returned setup
      bd886137
    • Linus Torvalds's avatar
      Merge tag 'sound-4.16' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · ef82f598
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Very small fixes (all one-liners) at this time.
      
        One fix is for a PCM core stuff to correct the mmap behavior on
        non-x86. It doesn't show on most machines but mostly only for exotic
        non-interleaved formats"
      
      * tag 'sound-4.16' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: pcm: potential uninitialized return values
        ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()
        ALSA: usb-audio: Add native DSD support for TEAC UD-301
      ef82f598
    • Linus Torvalds's avatar
      Merge tag 'for-4.16/dm-fixes-4' of... · c2a98384
      Linus Torvalds authored
      Merge tag 'for-4.16/dm-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
      
      Pull device mapper fixes from Mike Snitzer:
      
       - Fix a DM multipath regression introduced in a v4.16-rc6 commit:
         restore support for loading, and attaching, scsi_dh modules during
         multipath table load. Otherwise some users may find themselves unable
         to boot, as was reported today:
      
           https://marc.info/?l=linux-scsi&m=152231276114962&w=2
      
       - Fix a DM core ioctl permission check regression introduced in a
         v4.16-rc5 commit.
      
      * tag 'for-4.16/dm-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm: fix dropped return code from dm_get_bdev_for_ioctl
        dm mpath: fix support for loading scsi_dh modules during table load
      c2a98384
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · d89b9f50
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "It has been fairly silent lately on our -rc front. Big queue of
        patches on the mailing list going to for-next though.
      
        Bug fixes:
         - qedr driver bugfixes causing application hangs, wrong uapi errnos,
           and a race condition
         - three syzkaller found bugfixes in the ucma uapi
      
        Regression fixes for things introduced in 4.16:
         - Crash on error introduced in mlx5 UMR flow
         - Crash on module unload/etc introduced by bad interaction of
           restrack and mlx5 patches this cycle
         - Typo in a two line syzkaller bugfix causing a bad regression
         - Coverity report of nonsense code in hns driver"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/ucma: Introduce safer rdma_addr_size() variants
        RDMA/hns: ensure for-loop actually iterates and free's buffers
        RDMA/ucma: Check that device exists prior to accessing it
        RDMA/ucma: Check that device is connected prior to access it
        RDMA/rdma_cm: Fix use after free race with process_one_req
        RDMA/qedr: Fix QP state initialization race
        RDMA/qedr: Fix rc initialization on CNQ allocation failure
        RDMA/qedr: fix QP's ack timeout configuration
        RDMA/ucma: Correct option size check using optlen
        RDMA/restrack: Move restrack_clean to be symmetrical to restrack_init
        IB/mlx5: Don't clean uninitialized UMR resources
      d89b9f50
    • Linus Torvalds's avatar
      Merge tag 'mtd/fixes-for-4.16' of git://git.infradead.org/linux-mtd · ab12762b
      Linus Torvalds authored
      Pull MTD fixes from Boris Brezillon:
       "Two fixes, one in the atmel NAND driver and another one in the
        CFI/JEDEC code.
      
        Summary:
      
         - Fix a bug in Atmel ECC engine driver
      
         - Fix a bug in the CFI/JEDEC driver"
      
      * tag 'mtd/fixes-for-4.16' of git://git.infradead.org/linux-mtd:
        mtd: jedec_probe: Fix crash in jedec_read_mfr()
        mtd: nand: atmel: Fix get_sectorsize() function
      ab12762b
    • Mike Snitzer's avatar
      dm: fix dropped return code from dm_get_bdev_for_ioctl · da5dadb4
      Mike Snitzer authored
      dm_get_bdev_for_ioctl()'s return of 0 or 1 must be the result from
      prepare_ioctl (1 means the ioctl was issued to a partition, 0 means it
      wasn't).  Unfortunately commit 519049af ("dm: use blkdev_get rather
      than bdgrab when issuing pass-through ioctl") reused the variable 'r'
      to store the return from blkdev_get() that follows prepare_ioctl()
      -- whereby dropping prepare_ioctl()'s result on the floor.
      
      This can lead to an ioctl or persistent reservation being issued to a
      partition going unnoticed, which implies the extra permission check for
      CAP_SYS_RAWIO is skipped.
      
      Fix this by using a different variable to store blkdev_get()'s return.
      
      Fixes: 519049af ("dm: use blkdev_get rather than bdgrab when issuing pass-through ioctl")
      Reported-by: default avatarAlasdair G Kergon <agk@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      da5dadb4
  2. 29 Mar, 2018 5 commits
  3. 28 Mar, 2018 16 commits
  4. 27 Mar, 2018 9 commits
    • Colin Ian King's avatar
      RDMA/hns: ensure for-loop actually iterates and free's buffers · 38759d61
      Colin Ian King authored
      The current for-loop zeros variable i and only loops once, hence
      not all the buffers are free'd.  Fix this by setting i correctly.
      
      Detected by CoverityScan, CID#1463415 ("Operands don't affect result")
      
      Fixes: a5073d60 ("RDMA/hns: Add eq support of hip08")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Reviewed-by: default avatarYixian Liu <liuyixian@huawei.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      38759d61
    • Leon Romanovsky's avatar
      RDMA/ucma: Check that device exists prior to accessing it · c8d3bcbf
      Leon Romanovsky authored
      Ensure that device exists prior to accessing its properties.
      
      Reported-by: <syzbot+71655d44855ac3e76366@syzkaller.appspotmail.com>
      Fixes: 75216638 ("RDMA/cma: Export rdma cm interface to userspace")
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      c8d3bcbf
    • Leon Romanovsky's avatar
      RDMA/ucma: Check that device is connected prior to access it · 4b658d1b
      Leon Romanovsky authored
      Add missing check that device is connected prior to access it.
      
      [   55.358652] BUG: KASAN: null-ptr-deref in rdma_init_qp_attr+0x4a/0x2c0
      [   55.359389] Read of size 8 at addr 00000000000000b0 by task qp/618
      [   55.360255]
      [   55.360432] CPU: 1 PID: 618 Comm: qp Not tainted 4.16.0-rc1-00071-gcaf61b1b #91
      [   55.361693] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
      [   55.363264] Call Trace:
      [   55.363833]  dump_stack+0x5c/0x77
      [   55.364215]  kasan_report+0x163/0x380
      [   55.364610]  ? rdma_init_qp_attr+0x4a/0x2c0
      [   55.365238]  rdma_init_qp_attr+0x4a/0x2c0
      [   55.366410]  ucma_init_qp_attr+0x111/0x200
      [   55.366846]  ? ucma_notify+0xf0/0xf0
      [   55.367405]  ? _get_random_bytes+0xea/0x1b0
      [   55.367846]  ? urandom_read+0x2f0/0x2f0
      [   55.368436]  ? kmem_cache_alloc_trace+0xd2/0x1e0
      [   55.369104]  ? refcount_inc_not_zero+0x9/0x60
      [   55.369583]  ? refcount_inc+0x5/0x30
      [   55.370155]  ? rdma_create_id+0x215/0x240
      [   55.370937]  ? _copy_to_user+0x4f/0x60
      [   55.371620]  ? mem_cgroup_commit_charge+0x1f5/0x290
      [   55.372127]  ? _copy_from_user+0x5e/0x90
      [   55.372720]  ucma_write+0x174/0x1f0
      [   55.373090]  ? ucma_close_id+0x40/0x40
      [   55.373805]  ? __lru_cache_add+0xa8/0xd0
      [   55.374403]  __vfs_write+0xc4/0x350
      [   55.374774]  ? kernel_read+0xa0/0xa0
      [   55.375173]  ? fsnotify+0x899/0x8f0
      [   55.375544]  ? fsnotify_unmount_inodes+0x170/0x170
      [   55.376689]  ? __fsnotify_update_child_dentry_flags+0x30/0x30
      [   55.377522]  ? handle_mm_fault+0x174/0x320
      [   55.378169]  vfs_write+0xf7/0x280
      [   55.378864]  SyS_write+0xa1/0x120
      [   55.379270]  ? SyS_read+0x120/0x120
      [   55.379643]  ? mm_fault_error+0x180/0x180
      [   55.380071]  ? task_work_run+0x7d/0xd0
      [   55.380910]  ? __task_pid_nr_ns+0x120/0x140
      [   55.381366]  ? SyS_read+0x120/0x120
      [   55.381739]  do_syscall_64+0xeb/0x250
      [   55.382143]  entry_SYSCALL_64_after_hwframe+0x21/0x86
      [   55.382841] RIP: 0033:0x7fc2ef803e99
      [   55.383227] RSP: 002b:00007fffcc5f3be8 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
      [   55.384173] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc2ef803e99
      [   55.386145] RDX: 0000000000000057 RSI: 0000000020000080 RDI: 0000000000000003
      [   55.388418] RBP: 00007fffcc5f3c00 R08: 0000000000000000 R09: 0000000000000000
      [   55.390542] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000400480
      [   55.392916] R13: 00007fffcc5f3cf0 R14: 0000000000000000 R15: 0000000000000000
      [   55.521088] Code: e5 4d 1e ff 48 89 df 44 0f b6 b3 b8 01 00 00 e8 65 50 1e ff 4c 8b 2b 49
      8d bd b0 00 00 00 e8 56 50 1e ff 41 0f b6 c6 48 c1 e0 04 <49> 03 85 b0 00 00 00 48 8d 78 08
      48 89 04 24 e8 3a 4f 1e ff 48
      [   55.525980] RIP: rdma_init_qp_attr+0x52/0x2c0 RSP: ffff8801e2c2f9d8
      [   55.532648] CR2: 00000000000000b0
      [   55.534396] ---[ end trace 70cee64090251c0b ]---
      
      Fixes: 75216638 ("RDMA/cma: Export rdma cm interface to userspace")
      Fixes: d541e455 ("IB/core: Convert ah_attr from OPA to IB when copying to user")
      Reported-by: <syzbot+7b62c837c2516f8f38c8@syzkaller.appspotmail.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      4b658d1b
    • Jason Gunthorpe's avatar
      RDMA/rdma_cm: Fix use after free race with process_one_req · 9137108c
      Jason Gunthorpe authored
      process_one_req() can race with rdma_addr_cancel():
      
                 CPU0                                 CPU1
                 ====                                 ====
       process_one_work()
        debug_work_deactivate(work);
        process_one_req()
                                              rdma_addr_cancel()
      	                                  mutex_lock(&lock);
       			    	           set_timeout(&req->work,..);
                                                    __queue_work()
      				   	       debug_work_activate(work);
      	                                  mutex_unlock(&lock);
      
         mutex_lock(&lock);
      [..]
      	list_del(&req->list);
         mutex_unlock(&lock);
      [..]
      
         // ODEBUG explodes since the work is still queued.
         kfree(req);
      
      Causing ODEBUG to detect the use after free:
      
      ODEBUG: free active (active state 0) object type: work_struct hint: process_one_req+0x0/0x6c0 include/net/dst.h:165
      WARNING: CPU: 0 PID: 79 at lib/debugobjects.c:291 debug_print_object+0x166/0x220 lib/debugobjects.c:288
      kvm: emulating exchange as write
      Kernel panic - not syncing: panic_on_warn set ...
      
      CPU: 0 PID: 79 Comm: kworker/u4:3 Not tainted 4.16.0-rc6+ #361
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: ib_addr process_one_req
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x194/0x24d lib/dump_stack.c:53
       panic+0x1e4/0x41c kernel/panic.c:183
       __warn+0x1dc/0x200 kernel/panic.c:547
       report_bug+0x1f4/0x2b0 lib/bug.c:186
       fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
       fixup_bug arch/x86/kernel/traps.c:247 [inline]
       do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
       do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
       invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:986
      RIP: 0010:debug_print_object+0x166/0x220 lib/debugobjects.c:288
      RSP: 0000:ffff8801d966f210 EFLAGS: 00010086
      RAX: dffffc0000000008 RBX: 0000000000000003 RCX: ffffffff815acd6e
      RDX: 0000000000000000 RSI: 1ffff1003b2cddf2 RDI: 0000000000000000
      RBP: ffff8801d966f250 R08: 0000000000000000 R09: 1ffff1003b2cddc8
      R10: ffffed003b2cde71 R11: ffffffff86f39a98 R12: 0000000000000001
      R13: ffffffff86f15540 R14: ffffffff86408700 R15: ffffffff8147c0a0
       __debug_check_no_obj_freed lib/debugobjects.c:745 [inline]
       debug_check_no_obj_freed+0x662/0xf1f lib/debugobjects.c:774
       kfree+0xc7/0x260 mm/slab.c:3799
       process_one_req+0x2e7/0x6c0 drivers/infiniband/core/addr.c:592
       process_one_work+0xc47/0x1bb0 kernel/workqueue.c:2113
       worker_thread+0x223/0x1990 kernel/workqueue.c:2247
       kthread+0x33c/0x400 kernel/kthread.c:238
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:406
      
      Fixes: 5fff41e1 ("IB/core: Fix race condition in resolving IP to MAC")
      Reported-by: <syzbot+3b4acab09b6463472d0a@syzkaller.appspotmail.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      9137108c
    • Dan Carpenter's avatar
      ALSA: pcm: potential uninitialized return values · 5607dddb
      Dan Carpenter authored
      Smatch complains that "tmp" can be uninitialized if we do a zero size
      write.
      
      Fixes: 02a5d692 ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      5607dddb
    • Arnd Bergmann's avatar
      Merge tag 'sunxi-fixes-for-4.16' of... · bbad2093
      Arnd Bergmann authored
      Merge tag 'sunxi-fixes-for-4.16' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/sunxi/linux into fixes
      
      Pull "Allwinner Fixes for 4.16" from Maxime Ripard:
      
      The first and second patches fix the regulator support for the Bananapi M2
      board.
      
      The last one updates my email address in MAINTAINERS.
      
      * tag 'sunxi-fixes-for-4.16' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/sunxi/linux:
        MAINTAINERS: update email address for Maxime Ripard
        ARM: dts: sun6i: a31s: bpi-m2: add missing regulators
        ARM: dts: sun6i: a31s: bpi-m2: improve pmic properties
      bbad2093
    • Arnd Bergmann's avatar
      Merge tag 'omap-for-v4.16/sram-fix-signed' of... · 66f3731f
      Arnd Bergmann authored
      Merge tag 'omap-for-v4.16/sram-fix-signed' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into fixes
      
      Pull "Two fixes for omap variants for v4.16-rc cycle" from Tony Lindgren:
      
      Fix insecure W+X mapping warning for SRAM for omaps that
      don't yet use drivers/misc/*sram*.c code. An earlier attempt
      at fixing this turned out to cause problems with PM on omap3,
      this version works with PM on omap3.
      
      Also fix dmtimer probe for omap16xx devices that was noticed
      with the pending dmtimer move to drivers. It seems this has
      been broken for a while and is a non-critical for booting.
      It is needed for PM on omap16xx though.
      
      * tag 'omap-for-v4.16/sram-fix-signed' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap:
        ARM: OMAP: Fix SRAM W+X mapping
        ARM: OMAP: Fix dmtimer init for omap1
      66f3731f
    • Arnd Bergmann's avatar
      Merge tag 'tegra-for-4.17-misc' of... · c27a2cbe
      Arnd Bergmann authored
      Merge tag 'tegra-for-4.17-misc' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/tegra/linux into fixes
      
      Pull "ARM: tegra: Miscellaneous changes for v4.17-rc1" from Thierry Reding:
      
      This contains a single patch to update the MAINTAINERS entry for the
      Tegra SMMU driver.
      
      * tag 'tegra-for-4.17-misc' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/tegra/linux:
        MAINTAINERS: Update Tegra IOMMU maintainer
      c27a2cbe
    • Dave Airlie's avatar
      Merge tag 'drm-amdkfd-fixes-2018-03-25' of... · 97130968
      Dave Airlie authored
      Merge tag 'drm-amdkfd-fixes-2018-03-25' of git://people.freedesktop.org/~gabbayo/linux into drm-fixes
      
      - Programming VMID correctly for scratch memory with HWS
      - deallocating SDMA queues correctly in various situations
      
      * tag 'drm-amdkfd-fixes-2018-03-25' of git://people.freedesktop.org/~gabbayo/linux:
        drm/amdkfd: Deallocate SDMA queues correctly
        drm/amdkfd: Fix scratch memory with HWS enabled
      97130968
  5. 26 Mar, 2018 1 commit
    • Stefan Roese's avatar
      ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent() · 9066ae7f
      Stefan Roese authored
      When trying to use the driver (e.g. aplay *.wav), the 4MiB DMA buffer
      will get mmapp'ed in 16KiB chunks. But this fails with the 2nd 16KiB
      area, as the page offset is outside of the VMA range (size), which is
      currently used as size parameter in snd_pcm_lib_default_mmap(). By
      using the DMA buffer size (dma_bytes) instead, the complete DMA buffer
      can be mmapp'ed and the issue is fixed.
      
      This issue was detected on an ARM platform (TI AM57xx) using the RME
      HDSP MADI PCIe soundcard.
      
      Fixes: 657b1989 ("ALSA: pcm - Use dma_mmap_coherent() if available")
      Signed-off-by: default avatarStefan Roese <sr@denx.de>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      9066ae7f
  6. 25 Mar, 2018 2 commits