1. 11 Jul, 2018 6 commits
    • Linus Torvalds's avatar
      Merge branch 'for-4.18-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata · 86125df7
      Linus Torvalds authored
      Pull libata fixes from Tejun Heo:
      
       - Jens's patches to expand the usable command depth from 31 to 32 broke
         sata_fsl due to a subtle command iteration bug. Fixed by introducing
         explicit iteration helpers and using the correct variant.
      
       - On some laptops, enabling LPM by default reportedly led to occasional
         hard hangs. Blacklist the affected cases.
      
       - Other misc fixes / changes.
      
      * 'for-4.18-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
        ata: Remove depends on HAS_DMA in case of platform dependency
        ata: Fix ZBC_OUT all bit handling
        ata: Fix ZBC_OUT command block check
        ahci: Add Intel Ice Lake LP PCI ID
        ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS
        sata_nv: remove redundant pointers sdev0 and sdev1
        sata_fsl: remove dead code in tag retrieval
        sata_fsl: convert to command iterator
        libata: convert eh to command iterators
        libata: add command iterator helpers
        ata: ahci_mvebu: ahci_mvebu_stop_engine() can be static
        libahci: Fix possible Spectre-v1 pmp indexing in ahci_led_store()
      86125df7
    • Linus Torvalds's avatar
      Merge tag 'char-misc-4.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · a74aa967
      Linus Torvalds authored
      Pull char/misc fixes from Greg KH:
       "Here are a few char/misc driver fixes for 4.18-rc5.
      
        The "largest" stuff here is fixes for the UIO changes in 4.18-rc1 that
        caused breakages for some people. Thanks to Xiubo Li for fixing them
        quickly. Other than that, minor fixes for thunderbolt, vmw_balloon,
        nvmem, mei, ibmasm, and mei drivers. There's also a MAINTAINERS update
        where Rafael is offering to help out with reviewing driver core
        patches.
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'char-misc-4.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        nvmem: Don't let a NULL cell_id for nvmem_cell_get() crash us
        thunderbolt: Notify userspace when boot_acl is changed
        uio: fix crash after the device is unregistered
        uio: change to use the mutex lock instead of the spin lock
        uio: use request_threaded_irq instead
        fpga: altera-cvp: Fix an error handling path in 'altera_cvp_probe()'
        ibmasm: don't write out of bounds in read handler
        MAINTAINERS: Add myself as driver core changes reviewer
        mei: discard messages from not connected client during power down.
        vmw_balloon: fix inflation with batching
      a74aa967
    • Linus Torvalds's avatar
      Merge tag 'staging-4.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 1dc85ac2
      Linus Torvalds authored
      Pull staging fixes from Greg KH:
       "Here are two tiny staging driver fixes for reported issues for
        4.18-rc5.
      
        One fixes the r8822be driver to properly work on lots of new laptops,
        the other is for the rtl8723bs driver to fix an underflow error.
      
        Both have been in linux-next for a while with no reported issues"
      
      * tag 'staging-4.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: r8822be: Fix RTL8822be can't find any wireless AP
        staging: rtl8723bs: Prevent an underflow in rtw_check_beacon_data().
      1dc85ac2
    • Linus Torvalds's avatar
      Merge tag 'usb-4.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 24d5b287
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are a number of small USB fixes for 4.18-rc5.
      
        Nothing major here, just the normal set of new device ids, xhci fixes,
        and some typec fixes. The typec fix required some tiny changes in an
        i2c driver, which that maintainer acked to come through my tree.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'usb-4.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        USB: yurex: fix out-of-bounds uaccess in read handler
        usb: quirks: add delay quirks for Corsair Strafe
        xhci: xhci-mem: off by one in xhci_stream_id_to_ring()
        usb/gadget: aspeed-vhub: add USB_LIBCOMPOSITE dependency
        docs: kernel-parameters.txt: document xhci-hcd.quirks parameter
        USB: serial: mos7840: fix status-register error handling
        USB: serial: keyspan_pda: fix modem-status error handling
        USB: serial: cp210x: add another USB ID for Qivicon ZigBee stick
        USB: serial: ch341: fix type promotion bug in ch341_control_in()
        i2c-cht-wc: Fix bq24190 supplier
        typec: tcpm: Correctly report power_supply current and voltage for non pd supply
        usb: xhci: dbc: Don't decrement runtime PM counter if DBC is not started
      24d5b287
    • Linus Torvalds's avatar
      Merge tag 'mmc-v4.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · f1454959
      Linus Torvalds authored
      Pull MMC fixes from Ulf Hansson:
       "MMC core:
         - Fixup devname in /proc/interrupts for card detect GPIO
      
        MMC host:
         - sdhci-esdhc-imx: Allow 1.8V speed-modes without 100/200MHz pinctrls
         - sunxi: Disable IRQ in low power state to prevent IRQ storm
         - dw_mmc: Fix card threshold control configuration
         - renesas_sdhi_internal_dmac: Fixup DMA error paths"
      
      * tag 'mmc-v4.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: sdhci-esdhc-imx: allow 1.8V modes without 100/200MHz pinctrl states
        mmc: sunxi: Disable irq during pm_suspend
        mmc: dw_mmc: fix card threshold control configuration
        mmc: core: cd_label must be last entry of mmc_gpio struct
        mmc: renesas_sdhi_internal_dmac: Cannot clear the RX_IN_USE in abort
        mmc: renesas_sdhi_internal_dmac: Fix missing unmap in error patch
      f1454959
    • Linus Torvalds's avatar
      Merge tag 'acpi-4.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 5d580932
      Linus Torvalds authored
      Pull ACPI fix from Rafael Wysocki:
       "Address a regression in ACPICA that ceased to clear the status of GPEs
        and fixed events before entering the ACPI S5 (off) system state during
        the 4.17 cycle which caused some systems to power up immediately after
        they had been turned off"
      
      * tag 'acpi-4.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPICA: Clear status of all events when entering S5
      5d580932
  2. 10 Jul, 2018 5 commits
  3. 09 Jul, 2018 5 commits
    • Russell King - ARM Linux's avatar
      Update TDA998x maintainer entry · bdf33113
      Russell King - ARM Linux authored
      Update my TDA998x HDMI encoder MAINTAINERS entry to include the
      dt-bindings header, and a keyword pattern to catch patches containing
      the DT compatible.  Also change the status to "maintained" rather than
      "supported".
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      bdf33113
    • Gustavo A. R. Silva's avatar
      HID: hiddev: fix potential Spectre v1 · 4f65245f
      Gustavo A. R. Silva authored
      uref->field_index, uref->usage_index, finfo.field_index and cinfo.index can be
      indirectly controlled by user-space, hence leading to a potential exploitation
      of the Spectre variant 1 vulnerability.
      
      This issue was detected with the help of Smatch:
      
      drivers/hid/usbhid/hiddev.c:473 hiddev_ioctl_usage() warn: potential spectre issue 'report->field' (local cap)
      drivers/hid/usbhid/hiddev.c:477 hiddev_ioctl_usage() warn: potential spectre issue 'field->usage' (local cap)
      drivers/hid/usbhid/hiddev.c:757 hiddev_ioctl() warn: potential spectre issue 'report->field' (local cap)
      drivers/hid/usbhid/hiddev.c:801 hiddev_ioctl() warn: potential spectre issue 'hid->collection' (local cap)
      
      Fix this by sanitizing such structure fields before using them to index
      report->field, field->usage and hid->collection
      
      Notice that given that speculation windows are large, the policy is
      to kill the speculation on the first load and not worry if it can be
      completed with a dependent load/store [1].
      
      [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      4f65245f
    • Jason Andryuk's avatar
      HID: i2c-hid: Fix "incomplete report" noise · ef6eaf27
      Jason Andryuk authored
      Commit ac75a041 ("HID: i2c-hid: fix size check and type usage") started
      writing messages when the ret_size is <= 2 from i2c_master_recv.  However, my
      device i2c-DLL07D1 returns 2 for a short period of time (~0.5s) after I stop
      moving the pointing stick or touchpad.  It varies, but you get ~50 messages
      each time which spams the log hard.
      
      [  95.925055] i2c_hid i2c-DLL07D1:01: i2c_hid_get_input: incomplete report (83/2)
      
      This has also been observed with a i2c-ALP0017.
      
      [ 1781.266353] i2c_hid i2c-ALP0017:00: i2c_hid_get_input: incomplete report (30/2)
      
      Only print the message when ret_size is totally invalid and less than 2 to cut
      down on the log spam.
      
      Fixes: ac75a041 ("HID: i2c-hid: fix size check and type usage")
      Reported-by: default avatarJohn Smith <john-s-84@gmx.net>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJason Andryuk <jandryuk@gmail.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      ef6eaf27
    • Stefan Agner's avatar
      mmc: sdhci-esdhc-imx: allow 1.8V modes without 100/200MHz pinctrl states · 92748bea
      Stefan Agner authored
      If pinctrl nodes for 100/200MHz are missing, the controller should
      not select any mode which need signal frequencies 100MHz or higher.
      To prevent such speed modes the driver currently uses the quirk flag
      SDHCI_QUIRK2_NO_1_8_V. This works nicely for SD cards since 1.8V
      signaling is required for all faster modes and slower modes use 3.3V
      signaling only.
      
      However, there are eMMC modes which use 1.8V signaling and run below
      100MHz, e.g. DDR52 at 1.8V. With using SDHCI_QUIRK2_NO_1_8_V this
      mode is prevented. When using a fixed 1.8V regulator as vqmmc-supply
      the stack has no valid mode to use. In this tenuous situation the
      kernel continuously prints voltage switching errors:
        mmc1: Switching to 3.3V signalling voltage failed
      
      Avoid using SDHCI_QUIRK2_NO_1_8_V and prevent faster modes by
      altering the SDHCI capability register. With that the stack is able
      to select 1.8V modes even if no faster pinctrl states are available:
        # cat /sys/kernel/debug/mmc1/ios
        ...
        timing spec:    8 (mmc DDR52)
        signal voltage: 1 (1.80 V)
        ...
      
      Link: http://lkml.kernel.org/r/20180628081331.13051-1-stefan@agner.chSigned-off-by: default avatarStefan Agner <stefan@agner.ch>
      Fixes: ad93220d ("mmc: sdhci-esdhc-imx: change pinctrl state according
      to uhs mode")
      Cc: <stable@vger.kernel.org> # v4.13+
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      92748bea
    • Rafael J. Wysocki's avatar
      ACPICA: Clear status of all events when entering S5 · fa85015c
      Rafael J. Wysocki authored
      After commit 18996f2d (ACPICA: Events: Stop unconditionally
      clearing ACPI IRQs during suspend/resume) the status of ACPI events
      is not cleared any more when entering the ACPI S5 system state (power
      off) which causes some systems to power up immediately after turing
      off power in certain situations.
      
      That is a functional regression, so address it by making the code
      clear the status of all ACPI events again when entering S5 (for
      system-wide suspend or hibernation the clearing of the status of all
      events is not desirable, as it might cause the kernel to miss wakeup
      events sometimes).
      
      Fixes: 18996f2d (ACPICA: Events: Stop unconditionally clearing ACPI IRQs during suspend/resume)
      Reported-by: default avatarTakashi Iwai <tiwai@suse.de>
      Tested-by: default avatarThomas Hänig <haenig@cosifan.de>
      Cc: 4.17+ <stable@vger.kernel.org> # 4.17+
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      fa85015c
  4. 08 Jul, 2018 13 commits
    • Linus Torvalds's avatar
      Linux 4.18-rc4 · 1e4b044d
      Linus Torvalds authored
      1e4b044d
    • Linus Torvalds's avatar
      Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · ca04b3cc
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
       "A small collection of fixes, sort of the usual at this point, all for
        i.MX or OMAP:
      
         - Enable ULPI drivers on i.MX to avoid a hang
      
         - Pinctrl fix for touchscreen on i.MX51 ZII RDU1
      
         - Fixes for ethernet clock references on am3517
      
         - mmc0 write protect detection fix for am335x
      
         - kzalloc->kcalloc conversion in an OMAP driver
      
         - USB metastability fix for USB on dra7
      
         - Fix touchscreen wakeup on am437x"
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        ARM: imx_v4_v5_defconfig: Select ULPI support
        ARM: imx_v6_v7_defconfig: Select ULPI support
        ARM: dts: omap3: Fix am3517 mdio and emac clock references
        ARM: dts: am335x-bone-common: Fix mmc0 Write Protect
        bus: ti-sysc: Use 2-factor allocator arguments
        ARM: dts: dra7: Disable metastability workaround for USB2
        ARM: dts: imx51-zii-rdu1: fix touchscreen pinctrl
        ARM: dts: am437x: make edt-ft5x06 a wakeup source
      ca04b3cc
    • Linus Torvalds's avatar
      Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 23adbe6f
      Linus Torvalds authored
      Pull x86/pti updates from Thomas Gleixner:
       "Two small fixes correcting the handling of SSB mitigations on AMD
        processors"
      
      * 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR
        x86/bugs: Update when to check for the LS_CFG SSBD mitigation
      23adbe6f
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 6f27a640
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
      
       - Prevent an out-of-bounds access in mtrr_write()
      
       - Break a circular dependency in the new hyperv IPI acceleration code
      
       - Address the build breakage related to inline functions by enforcing
         gnu_inline and explicitly bringing native_save_fl() out of line,
         which also adds a set of _ARM_ARG macros which provide 32/64bit
         safety.
      
       - Initialize the shadow CR4 per cpu variable before using it.
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/mtrr: Don't copy out-of-bounds data in mtrr_write
        x86/hyper-v: Fix the circular dependency in IPI enlightenment
        x86/paravirt: Make native_save_fl() extern inline
        x86/asm: Add _ASM_ARG* constants for argument registers to <asm/asm.h>
        compiler-gcc.h: Add __attribute__((gnu_inline)) to all inline declarations
        x86/mm/32: Initialize the CR4 shadow before __flush_tlb_all()
      6f27a640
    • Linus Torvalds's avatar
      Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 6fb2489d
      Linus Torvalds authored
      Pull scheduler fixes from Thomas Gleixner:
      
       - The hopefully final fix for the reported race problems in
         kthread_parkme(). The previous attempt still left a hole and was
         partially wrong.
      
       - Plug a race in the remote tick mechanism which triggers a warning
         about updates not being done correctly. That's a false positive if
         the race condition is hit as the remote CPU is idle. Plug it by
         checking the condition again when holding run queue lock.
      
       - Fix a bug in the utilization estimation of a run queue which causes
         the estimation to be 0 when a run queue is throttled.
      
       - Advance the global expiration of the period timer when the timer is
         restarted after a idle period. Otherwise the expiry time is stale and
         the timer fires prematurely.
      
       - Cure the drift between the bandwidth timer and the runqueue
         accounting, which leads to bogus throttling of runqueues
      
       - Place the call to cpufreq_update_util() correctly so the function
         will observe the correct number of running RT tasks and not a stale
         one.
      
      * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        kthread, sched/core: Fix kthread_parkme() (again...)
        sched/util_est: Fix util_est_dequeue() for throttled cfs_rq
        sched/fair: Advance global expiration when period timer is restarted
        sched/fair: Fix bandwidth timer clock drift condition
        sched/rt: Fix call to cpufreq_update_util()
        sched/nohz: Skip remote tick on idle task entirely
      6fb2489d
    • Linus Torvalds's avatar
      Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · f5c926b9
      Linus Torvalds authored
      Pull objtool fix from Thomas Gleixner:
       "A single fix for objtool to address a bug in handling the cold
        subfunction detection for aliased functions which was added recently.
        The bug causes objtool to enter an infinite loop"
      
      * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        objtool: Support GCC 8 '-fnoreorder-functions'
      f5c926b9
    • Linus Torvalds's avatar
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 124b99fb
      Linus Torvalds authored
      Pull crypto fixes from Herbert Xu:
      
       - add missing RETs in x86 aegis/morus
      
       - fix build error in arm speck
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: x86 - Add missing RETs
        crypto: arm/speck - fix building in Thumb2 mode
      124b99fb
    • Linus Torvalds's avatar
      Merge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 · 70a2dc6a
      Linus Torvalds authored
      Pull ext4 bugfixes from Ted Ts'o:
       "Bug fixes for ext4; most of which relate to vulnerabilities where a
        maliciously crafted file system image can result in a kernel OOPS or
        hang.
      
        At least one fix addresses an inline data bug could be triggered by
        userspace without the need of a crafted file system (although it does
        require that the inline data feature be enabled)"
      
      * tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
        ext4: check superblock mapped prior to committing
        ext4: add more mount time checks of the superblock
        ext4: add more inode number paranoia checks
        ext4: avoid running out of journal credits when appending to an inline file
        jbd2: don't mark block as modified if the handle is out of credits
        ext4: never move the system.data xattr out of the inode body
        ext4: clear i_data in ext4_inode_info when removing inline data
        ext4: include the illegal physical block in the bad map ext4_error msg
        ext4: verify the depth of extent tree in ext4_find_extent()
        ext4: only look at the bg_flags field if it is valid
        ext4: make sure bitmaps and the inode table don't overlap with bg descriptors
        ext4: always check block group bounds in ext4_init_block_bitmap()
        ext4: always verify the magic number in xattr blocks
        ext4: add corruption check in ext4_xattr_set_entry()
        ext4: add warn_on_error mount option
      70a2dc6a
    • Linus Torvalds's avatar
      Merge tag 'pci-v4.18-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · 8979319f
      Linus Torvalds authored
      Pull PCI fixes from Bjorn Helgaas:
      
       - Fix a use-after-free in the endpoint code (Dan Carpenter)
      
       - Stop defaulting CONFIG_PCIE_DW_PLAT_HOST to yes (Geert Uytterhoeven)
      
       - Fix an nfp regression caused by a change in how we limit the number
         of VFs we can enable (Jakub Kicinski)
      
       - Fix failure path cleanup issues in the new R-Car gen3 PHY support
         (Marek Vasut)
      
       - Fix leaks of OF nodes in faraday, xilinx-nwl, xilinx (Nicholas Mc
         Guire)
      
      * tag 'pci-v4.18-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        nfp: stop limiting VFs to 0
        PCI/IOV: Reset total_VFs limit after detaching PF driver
        PCI: faraday: Add missing of_node_put()
        PCI: xilinx-nwl: Add missing of_node_put()
        PCI: xilinx: Add missing of_node_put()
        PCI: endpoint: Use after free in pci_epf_unregister_driver()
        PCI: controller: dwc: Do not let PCIE_DW_PLAT_HOST default to yes
        PCI: rcar: Clean up PHY init on failure
        PCI: rcar: Shut the PHY down in failpath
      8979319f
    • Linus Torvalds's avatar
      Merge tag '4.18-rc3-smb3fixes' of git://git.samba.org/sfrench/cifs-2.6 · b2d44d14
      Linus Torvalds authored
      Pull cifs fixes from Steve French:
       "Five smb3/cifs fixes for stable (including for some leaks and memory
        overwrites) and also a few fixes for recent regressions in packet
        signing.
      
        Additional testing at the recent SMB3 test event, and some good work
        by Paulo and others spotted the issues fixed here. In addition to my
        xfstest runs on these, Aurelien and Stefano did additional test runs
        to verify this set"
      
      * tag '4.18-rc3-smb3fixes' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf()
        cifs: Fix infinite loop when using hard mount option
        cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting
        cifs: Fix memory leak in smb2_set_ea()
        cifs: fix SMB1 breakage
        cifs: Fix validation of signed data in smb2
        cifs: Fix validation of signed data in smb3+
        cifs: Fix use after free of a mid_q_entry
      b2d44d14
    • Linus Torvalds's avatar
      Merge tag 'dma-mapping-4.18-3' of git://git.infradead.org/users/hch/dma-mapping · 4f572efd
      Linus Torvalds authored
      Pull dma-mapping fix from Christoph Hellwig:
       "Revert an incorrect dma-mapping commit for 4.18-rc"
      
      * tag 'dma-mapping-4.18-3' of git://git.infradead.org/users/hch/dma-mapping:
        Revert "iommu/intel-iommu: Enable CONFIG_DMA_DIRECT_OPS=y and clean up intel_{alloc,free}_coherent()"
      4f572efd
    • Linus Torvalds's avatar
      Merge tag 'dmaengine-fix-4.18-rc4' of git://git.infradead.org/users/vkoul/slave-dma · 89ac2233
      Linus Torvalds authored
      Pull dmaengine fixes from Vinod Koul:
       "We have few odd driver fixes and one email update change for you this
        time:
      
         - Driver fixes for k3dma (off by one), pl330 (burst residue
           granularity) and omap-dma (incorrect residue_granularity)
      
         - Sinan's email update"
      
      * tag 'dmaengine-fix-4.18-rc4' of git://git.infradead.org/users/vkoul/slave-dma:
        dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate()
        dmaengine: pl330: report BURST residue granularity
        MAINTAINERS: Update email-id of Sinan Kaya
        dmaengine: ti: omap-dma: Fix OMAP1510 incorrect residue_granularity
      89ac2233
    • Linus Torvalds's avatar
      Merge tag 'for-linus-4.18-2' of git://github.com/cminyard/linux-ipmi · ea9561cf
      Linus Torvalds authored
      Pull IPMI fixes from Corey Minyard:
       "A couple of small fixes: one to the BMC side of things that fixes an
        interrupt issue, and one oops fix if init fails in a certain way on
        the client driver"
      
      * tag 'for-linus-4.18-2' of git://github.com/cminyard/linux-ipmi:
        ipmi: kcs_bmc: fix IRQ exception if the channel is not open
        ipmi: Cleanup oops on initialization failure
      ea9561cf
  5. 07 Jul, 2018 11 commits
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 43b6b6ec
      Linus Torvalds authored
      Pull arm64 LDFLAGS clean-up from Catalin Marinas:
      
       - use aarch64elf instead of aarch64linux
      
       - move endianness options to LDFLAGS instead from LD
      
       - remove no-op '-p' linker flag
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: remove no-op -p linker flag
        arm64: add endianness option to LDFLAGS instead of LD
        arm64: Use aarch64elf and aarch64elfb emulation mode variants
      43b6b6ec
    • Jann Horn's avatar
      x86/mtrr: Don't copy out-of-bounds data in mtrr_write · 15279df6
      Jann Horn authored
      Don't access the provided buffer out of bounds - this can cause a kernel
      out-of-bounds read when invoked through sys_splice() or other things that
      use kernel_write()/__kernel_write().
      
      Fixes: 7f8ec5a4 ("x86/mtrr: Convert to use strncpy_from_user() helper")
      Signed-off-by: default avatarJann Horn <jannh@google.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20180706215003.156702-1-jannh@google.com
      15279df6
    • Douglas Anderson's avatar
      nvmem: Don't let a NULL cell_id for nvmem_cell_get() crash us · 87ed1405
      Douglas Anderson authored
      In commit ca04d9d3 ("phy: qcom-qusb2: New driver for QUSB2 PHY on
      Qcom chips") you can see a call like:
      
        devm_nvmem_cell_get(dev, NULL);
      
      Note that the cell ID passed to the function is NULL.  This is because
      the qcom-qusb2 driver is expected to work only on systems where the
      PHY node is hooked up via device-tree and is nameless.
      
      This works OK for the most part.  The first thing nvmem_cell_get()
      does is to call of_nvmem_cell_get() and there it's documented that a
      NULL name is fine.  The problem happens when the call to
      of_nvmem_cell_get() returns -EINVAL.  In such a case we'll fall back
      to nvmem_cell_get_from_list() and eventually might (if nvmem_cells
      isn't an empty list) crash with something that looks like:
      
       strcmp
       nvmem_find_cell
       __nvmem_device_get
       nvmem_cell_get_from_list
       nvmem_cell_get
       devm_nvmem_cell_get
       qusb2_phy_probe
      
      There are several different ways we could fix this problem:
      
      One could argue that perhaps the qcom-qusb2 driver should be changed
      to use of_nvmem_cell_get() which is allowed to have a NULL name.  In
      that case, we'd need to add a patche to introduce
      devm_of_nvmem_cell_get() since the qcom-qusb2 driver is using devm
      managed resources.
      
      One could also argue that perhaps we could just add a name to
      qcom-qusb2.  That would be OK but I believe it effectively changes the
      device tree bindings, so maybe it's a no-go.
      
      In this patch I have chosen to fix the problem by simply not crashing
      when a NULL cell_id is passed to nvmem_cell_get().
      
      NOTE: that for the qcom-qusb2 driver the "nvmem-cells" property is
      defined to be optional and thus it's expected to be a common case that
      we would hit this crash and this is more than just a theoretical fix.
      
      Fixes: ca04d9d3 ("phy: qcom-qusb2: New driver for QUSB2 PHY on Qcom chips")
      Signed-off-by: default avatarDouglas Anderson <dianders@chromium.org>
      Signed-off-by: default avatarSrinivas Kandagatla <srinivas.kandagatla@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      87ed1405
    • Mika Westerberg's avatar
      thunderbolt: Notify userspace when boot_acl is changed · 007a7490
      Mika Westerberg authored
      The commit 9aaa3b8b ("thunderbolt: Add support for preboot ACL")
      introduced boot_acl attribute but missed the fact that now userspace
      needs to poll the attribute constantly to find out whether it has
      changed or not. Fix this by sending notification to the userspace
      whenever the boot_acl attribute is changed.
      
      Fixes: 9aaa3b8b ("thunderbolt: Add support for preboot ACL")
      Reported-and-tested-by: default avatarChristian Kellner <christian@kellner.me>
      Signed-off-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Reviewed-by: default avatarChristian Kellner <christian@kellner.me>
      Acked-by: default avatarYehezkel Bernat <yehezkelshb@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      007a7490
    • Xiubo Li's avatar
      uio: fix crash after the device is unregistered · 57c5f4df
      Xiubo Li authored
      For the target_core_user use case, after the device is unregistered
      it maybe still opened in user space, then the kernel will crash, like:
      
      [  251.163692] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
      [  251.163820] IP: [<ffffffffc0736213>] show_name+0x23/0x40 [uio]
      [  251.163965] PGD 8000000062694067 PUD 62696067 PMD 0
      [  251.164097] Oops: 0000 [#1] SMP
      ...
      [  251.165605]  e1000 mptscsih mptbase drm_panel_orientation_quirks dm_mirror dm_region_hash dm_log dm_mod
      [  251.166014] CPU: 0 PID: 13380 Comm: tcmu-runner Kdump: loaded Not tainted 3.10.0-916.el7.test.x86_64 #1
      [  251.166381] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
      [  251.166747] task: ffff971eb91db0c0 ti: ffff971e9e384000 task.ti: ffff971e9e384000
      [  251.167137] RIP: 0010:[<ffffffffc0736213>]  [<ffffffffc0736213>] show_name+0x23/0x40 [uio]
      [  251.167563] RSP: 0018:ffff971e9e387dc8  EFLAGS: 00010282
      [  251.167978] RAX: 0000000000000000 RBX: ffff971e9e3f8000 RCX: ffff971eb8368d98
      [  251.168408] RDX: ffff971e9e3f8000 RSI: ffffffffc0738084 RDI: ffff971e9e3f8000
      [  251.168856] RBP: ffff971e9e387dd0 R08: ffff971eb8bc0018 R09: 0000000000000000
      [  251.169296] R10: 0000000000001000 R11: ffffffffa09d444d R12: ffffffffa1076e80
      [  251.169750] R13: ffff971e9e387f18 R14: 0000000000000001 R15: ffff971e9cfb1c80
      [  251.170213] FS:  00007ff37d175880(0000) GS:ffff971ebb600000(0000) knlGS:0000000000000000
      [  251.170693] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  251.171248] CR2: 0000000000000008 CR3: 00000000001f6000 CR4: 00000000003607f0
      [  251.172071] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  251.172640] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  251.173236] Call Trace:
      [  251.173789]  [<ffffffffa0c9b2d3>] dev_attr_show+0x23/0x60
      [  251.174356]  [<ffffffffa0f561b2>] ? mutex_lock+0x12/0x2f
      [  251.174892]  [<ffffffffa0ac6d9f>] sysfs_kf_seq_show+0xcf/0x1f0
      [  251.175433]  [<ffffffffa0ac54e6>] kernfs_seq_show+0x26/0x30
      [  251.175981]  [<ffffffffa0a63be0>] seq_read+0x110/0x3f0
      [  251.176609]  [<ffffffffa0ac5d45>] kernfs_fop_read+0xf5/0x160
      [  251.177158]  [<ffffffffa0a3d3af>] vfs_read+0x9f/0x170
      [  251.177707]  [<ffffffffa0a3e27f>] SyS_read+0x7f/0xf0
      [  251.178268]  [<ffffffffa0f648af>] system_call_fastpath+0x1c/0x21
      [  251.178823] Code: 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 53 48 89 d3 e8 7e 96 56 e0 48 8b 80 d8 02 00 00 48 89 df 48 c7 c6 84 80 73 c0 <48> 8b 50 08 31 c0 e8 e2 67 44 e0 5b 48 98 5d c3 0f 1f 00 66 2e
      [  251.180115] RIP  [<ffffffffc0736213>] show_name+0x23/0x40 [uio]
      [  251.180820]  RSP <ffff971e9e387dc8>
      [  251.181473] CR2: 0000000000000008
      
      CC: Hamish Martin <hamish.martin@alliedtelesis.co.nz>
      CC: Mike Christie <mchristi@redhat.com>
      Reviewed-by: default avatarHamish Martin <hamish.martin@alliedtelesis.co.nz>
      Signed-off-by: default avatarXiubo Li <xiubli@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      57c5f4df
    • Xiubo Li's avatar
      uio: change to use the mutex lock instead of the spin lock · 543af586
      Xiubo Li authored
      We are hitting a regression with the following commit:
      
      commit a93e7b33
      Author: Hamish Martin <hamish.martin@alliedtelesis.co.nz>
      Date:   Mon May 14 13:32:23 2018 +1200
      
          uio: Prevent device destruction while fds are open
      
      The problem is the addition of spin_lock_irqsave in uio_write. This
      leads to hitting  uio_write -> copy_from_user -> _copy_from_user ->
      might_fault and the logs filling up with sleeping warnings.
      
      I also noticed some uio drivers allocate memory, sleep, grab mutexes
      from callouts like open() and release and uio is now doing
      spin_lock_irqsave while calling them.
      Reported-by: default avatarMike Christie <mchristi@redhat.com>
      CC: Hamish Martin <hamish.martin@alliedtelesis.co.nz>
      Reviewed-by: default avatarHamish Martin <hamish.martin@alliedtelesis.co.nz>
      Signed-off-by: default avatarXiubo Li <xiubli@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      543af586
    • Xiubo Li's avatar
      uio: use request_threaded_irq instead · 9421e45f
      Xiubo Li authored
      Prepraing for changing to use mutex lock.
      Signed-off-by: default avatarXiubo Li <xiubli@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9421e45f
    • Christophe Jaillet's avatar
      fpga: altera-cvp: Fix an error handling path in 'altera_cvp_probe()' · 122c5770
      Christophe Jaillet authored
      If 'fpga_mgr_create()' fails, we should release some resources, as done
      in the other error handling path of the function.
      
      Fixes: 7085e2a9 ("fpga: manager: change api, don't use drvdata")
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Reviewed-by: default avatarMoritz Fischer <mdf@kernel.org>
      Acked-by: default avatarAlan Tull <atull@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      122c5770
    • Jann Horn's avatar
      ibmasm: don't write out of bounds in read handler · a0341fc1
      Jann Horn authored
      This read handler had a lot of custom logic and wrote outside the bounds of
      the provided buffer. This could lead to kernel and userspace memory
      corruption. Just use simple_read_from_buffer() with a stack buffer.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJann Horn <jannh@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a0341fc1
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 624434af
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "This is two minor bug fixes (aacraid, target) and a fix for a
        potential exploit in the way sg handles teardown"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: sg: mitigate read/write abuse
        scsi: aacraid: Fix PD performance regression over incorrect qd being set
        scsi: target: Fix truncated PR-in ReadKeys response
      624434af
    • Linus Torvalds's avatar
      Merge tag 'for-linus-20180706' of git://git.kernel.dk/linux-block · 29119529
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "Two minor fixes for this series:
      
         - add LOOP_SET_BLOCK_SIZE as compat ioctl (Evan Green)
      
         - drbd use-after-free fix (Lars Ellenberg)"
      
      * tag 'for-linus-20180706' of git://git.kernel.dk/linux-block:
        loop: Add LOOP_SET_BLOCK_SIZE in compat ioctl
        drbd: fix access after free
      29119529