1. 23 May, 2018 4 commits
  2. 22 May, 2018 2 commits
  3. 21 May, 2018 14 commits
    • Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 5997aab0
      Linus Torvalds authored
      Pull vfs fixes from Al Viro:
       "Assorted fixes all over the place"
      
      * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        aio: fix io_destroy(2) vs. lookup_ioctx() race
        ext2: fix a block leak
        nfsd: vfs_mkdir() might succeed leaving dentry negative unhashed
        cachefiles: vfs_mkdir() might succeed leaving dentry negative unhashed
        unfuck sysfs_mount()
        kernfs: deal with kernfs_fill_super() failures
        cramfs: Fix IS_ENABLED typo
        befs_lookup(): use d_splice_alias()
        affs_lookup: switch to d_splice_alias()
        affs_lookup(): close a race with affs_remove_link()
        fix breakage caused by d_find_alias() semantics change
        fs: don't scan the inode cache before SB_BORN is set
        do d_instantiate/unlock_new_inode combinations safely
        iov_iter: fix memory leak in pipe_get_pages_alloc()
        iov_iter: fix return type of __pipe_get_pages()
    • aio: fix io_destroy(2) vs. lookup_ioctx() race · baf10564
      Al Viro authored
      kill_ioctx() used to have an explicit RCU delay between removing the
      reference from ->ioctx_table and percpu_ref_kill() dropping the refcount.
      At some point that delay had been removed, on the theory that
      percpu_ref_kill() itself contained an RCU delay.  Unfortunately, that was
      the wrong kind of RCU delay and it didn't care about rcu_read_lock() used
      by lookup_ioctx().  As the result, we could get ctx freed right under
      lookup_ioctx().  Tejun has fixed that in a6d7cff4 ("fs/aio: Add explicit
      RCU grace period when freeing kioctx"); however, that fix is not enough.
      
      Suppose io_destroy() from one thread races with e.g. io_setup() from another;
      CPU1 removes the reference from current->mm->ioctx_table[...] just as CPU2
      has picked it (under rcu_read_lock()).  Then CPU1 proceeds to drop the
      refcount, getting it to 0 and triggering a call of free_ioctx_users(),
      which proceeds to drop the secondary refcount and once that reaches zero
      calls free_ioctx_reqs().  That does
              INIT_RCU_WORK(&ctx->free_rwork, free_ioctx);
              queue_rcu_work(system_wq, &ctx->free_rwork);
      and schedules freeing the whole thing after RCU delay.
      
      In the meanwhile CPU2 has gotten around to percpu_ref_get(), bumping the
      refcount from 0 to 1 and returned the reference to io_setup().
      
      Tejun's fix (that queue_rcu_work() in there) guarantees that ctx won't get
      freed until after percpu_ref_get().  Sure, we'd increment the counter before
      ctx can be freed.  Now we are out of rcu_read_lock() and there's nothing to
      stop freeing of the whole thing.  Unfortunately, CPU2 assumes that since it
      has grabbed the reference, ctx is *NOT* going away until it gets around to
      dropping that reference.
      
      The fix is obvious - use percpu_ref_tryget_live() and treat failure as miss.
      It's not costlier than what we currently do in normal case, it's safe to
      call since freeing *is* delayed and it closes the race window - either
      lookup_ioctx() comes before percpu_ref_kill() (in which case ctx->users
      won't reach 0 until the caller of lookup_ioctx() drops it) or lookup_ioctx()
      fails, ctx->users is unaffected and caller of lookup_ioctx() doesn't see
      the object in question at all.
      
      Cc: stable@kernel.org
      Fixes: a6d7cff4 "fs/aio: Add explicit RCU grace period when freeing kioctx"
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • ext2: fix a block leak · 5aa1437d
      Al Viro authored
      open file, unlink it, then use ioctl(2) to make it immutable or
      append only.  Now close it and watch the blocks *not* freed...
      
      Immutable/append-only checks belong in ->setattr().
      Note: the bug is old and backport to anything prior to 737f2e93
      ("ext2: convert to use the new truncate convention") will need
      these checks lifted into ext2_setattr().
      
      Cc: stable@kernel.org
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • nfsd: vfs_mkdir() might succeed leaving dentry negative unhashed · 3819bb0d
      Al Viro authored
      That can (and does, on some filesystems) happen - ->mkdir() (and thus
      vfs_mkdir()) can legitimately leave its argument negative and just
      unhash it, counting upon the lookup to pick the object we'd created
      next time we try to look at that name.
      
      Some vfs_mkdir() callers forget about that possibility...
      Acked-by: J. Bruce Fields <bfields@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • cachefiles: vfs_mkdir() might succeed leaving dentry negative unhashed · 9c3e9025
      Al Viro authored
      That can (and does, on some filesystems) happen - ->mkdir() (and thus
      vfs_mkdir()) can legitimately leave its argument negative and just
      unhash it, counting upon the lookup to pick the object we'd created
      next time we try to look at that name.
      
      Some vfs_mkdir() callers forget about that possibility...
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • unfuck sysfs_mount() · 7b745a4e
      Al Viro authored
      new_sb is left uninitialized in case of early failures in kernfs_mount_ns(),
      and while IS_ERR(root) is true in all such cases, using IS_ERR(root) || !new_sb
      is not a solution - IS_ERR(root) is true in some cases when new_sb is true.
      
      Make sure new_sb is initialized (and matches the reality) in all cases and
      fix the condition for dropping kobj reference - we want it done precisely
      in those situations where the reference has not been transferred into a new
      super_block instance.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • kernfs: deal with kernfs_fill_super() failures · 82382ace
      Al Viro authored
      make sure that info->node is initialized early, so that kernfs_kill_sb()
      can list_del() it safely.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • cramfs: Fix IS_ENABLED typo · 08a8f308
      Joe Perches authored
      There's an extra C here...
      
      Fixes: 99c18ce5 ("cramfs: direct memory access support")
      Acked-by: Nicolas Pitre <nico@linaro.org>
      Signed-off-by: Joe Perches <joe@perches.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • befs_lookup(): use d_splice_alias() · f4e4d434
      Al Viro authored
      RTFS(Documentation/filesystems/nfs/Exporting) if you try to make
      something exportable.
      
      Fixes: ac632f5b "befs: add NFS export support"
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • affs_lookup: switch to d_splice_alias() · 87fbd639
      Al Viro authored
      Making something exportable takes more than providing ->s_export_ops.
      In particular, ->lookup() *MUST* use d_splice_alias() instead of
      d_add().
      
      Reading Documentation/filesystems/nfs/Exporting would've been a good idea;
      as it is, exporting AFFS is badly (and exploitably) broken.
      
      Partially-Fixes: ed4433d7 "fs/affs: make affs exportable"
      Acked-by: David Sterba <dsterba@suse.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • affs_lookup(): close a race with affs_remove_link() · 30da870c
      Al Viro authored
      we unlock the directory hash too early - if we are looking at secondary
      link and primary (in another directory) gets removed just as we unlock,
      we could have the old primary moved in place of the secondary, leaving
      us to look into freed entry (and leaving our dentry with ->d_fsdata
      pointing to a freed entry).
      
      Cc: stable@vger.kernel.org # 2.4.4+
      Acked-by: David Sterba <dsterba@suse.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • Merge branch 'speck-v20' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 3b78ce4a
      Linus Torvalds authored
      Merge speculative store buffer bypass fixes from Thomas Gleixner:
      
       - rework of the SPEC_CTRL MSR management to accommodate the new fancy
         SSBD (Speculative Store Bypass Disable) bit handling.
      
       - the CPU bug and sysfs infrastructure for the exciting new Speculative
         Store Bypass 'feature'.
      
       - support for disabling SSB via LS_CFG MSR on AMD CPUs including
         Hyperthread synchronization on ZEN.
      
       - PRCTL support for dynamic runtime control of SSB
      
       - SECCOMP integration to automatically disable SSB for sandboxed
         processes with a filter flag for opt-out.
      
       - KVM integration to allow guests fiddling with SSBD including the new
         software MSR VIRT_SPEC_CTRL to handle the LS_CFG based oddities on
         AMD.
      
       - BPF protection against SSB
      
      .. this is just the core and x86 side, other architecture support will
      come separately.
      
      * 'speck-v20' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (49 commits)
        bpf: Prevent memory disambiguation attack
        x86/bugs: Rename SSBD_NO to SSB_NO
        KVM: SVM: Implement VIRT_SPEC_CTRL support for SSBD
        x86/speculation, KVM: Implement support for VIRT_SPEC_CTRL/LS_CFG
        x86/bugs: Rework spec_ctrl base and mask logic
        x86/bugs: Remove x86_spec_ctrl_set()
        x86/bugs: Expose x86_spec_ctrl_base directly
        x86/bugs: Unify x86_spec_ctrl_{set_guest,restore_host}
        x86/speculation: Rework speculative_store_bypass_update()
        x86/speculation: Add virtualized speculative store bypass disable support
        x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL
        x86/speculation: Handle HT correctly on AMD
        x86/cpufeatures: Add FEATURE_ZEN
        x86/cpufeatures: Disentangle SSBD enumeration
        x86/cpufeatures: Disentangle MSR_SPEC_CTRL enumeration from IBRS
        x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP
        KVM: SVM: Move spec control call after restore of GS
        x86/cpu: Make alternative_msr_write work for 32-bit code
        x86/bugs: Fix the parameters alignment and missing void
        x86/bugs: Make cpu_show_common() static
        ...
    • Merge tag 'mips_fixes_4.17_2' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/mips · 6741c4bb
      Linus Torvalds authored
      Pull MIPS fixes from James Hogan:
      
       - fix build with DEBUG_ZBOOT and MACH_JZ4770 (4.16)
      
       - include xilfpga FDT in fitImage and stop generating dtb.o (4.15)
      
       - fix software IO coherence on CM SMP systems (4.8)
      
       - ptrace: Fix PEEKUSR/POKEUSR to o32 FGRs (3.14)
      
       - ptrace: Expose FIR register through FP regset (3.13)
      
       - fix typo in KVM debugfs file name (3.10)
      
      * tag 'mips_fixes_4.17_2' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/mips:
        MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs
        MIPS: xilfpga: Actually include FDT in fitImage
        MIPS: xilfpga: Stop generating useless dtb.o
        KVM: Fix spelling mistake: "cop_unsuable" -> "cop_unusable"
        MIPS: ptrace: Expose FIR register through FP regset
        MIPS: Fix build with DEBUG_ZBOOT and MACH_JZ4770
        MIPS: c-r4k: Fix data corruption related to cache coherence
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 5aef268a
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix refcounting bug for connections in on-packet scheduling mode of
          IPVS, from Julian Anastasov.
      
       2) Set network header properly in AF_PACKET's packet_snd, from Willem
          de Bruijn.
      
       3) Fix regressions in 3c59x by converting to generic DMA API. It was
          relying upon the hack that the PCI DMA interfaces would accept NULL
          for EISA devices. From Christoph Hellwig.
      
       4) Remove RDMA devices before unregistering netdev in QEDE driver, from
          Michal Kalderon.
      
       5) Use after free in TUN driver ptr_ring usage, from Jason Wang.
      
       6) Properly check for missing netlink attributes in SMC_PNETID
          requests, from Eric Biggers.
      
       7) Set DMA mask before performing any DMA operations in vmxnet3
          driver, from Regis Duchesne.
      
       8) Fix mlx5 build with SMP=n, from Saeed Mahameed.
      
       9) Classifier fixes in bcm_sf2 driver from Florian Fainelli.
      
      10) Tuntap use after free during release, from Jason Wang.
      
      11) Don't use stack memory in scatterlists in tls code, from Matt
          Mullins.
      
      12) Not fully initialized flow key object in ipv4 routing code, from
          David Ahern.
      
      13) Various packet headroom bug fixes in ip6_gre driver, from Petr
          Machata.
      
      14) Remove queues from XPS maps using correct index, from Amritha
          Nambiar.
      
      15) Fix use after free in sock_diag, from Eric Dumazet.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (64 commits)
        net: ip6_gre: fix tunnel metadata device sharing.
        cxgb4: fix offset in collecting TX rate limit info
        net: sched: red: avoid hashing NULL child
        sock_diag: fix use-after-free read in __sk_free
        sh_eth: Change platform check to CONFIG_ARCH_RENESAS
        net: dsa: Do not register devlink for unused ports
        net: Fix a bug in removing queues from XPS map
        bpf: fix truncated jump targets on heavy expansions
        bpf: parse and verdict prog attach may race with bpf map update
        bpf: sockmap update rollback on error can incorrectly dec prog refcnt
        net: test tailroom before appending to linear skb
        net: ip6_gre: Fix ip6erspan hlen calculation
        net: ip6_gre: Split up ip6gre_changelink()
        net: ip6_gre: Split up ip6gre_newlink()
        net: ip6_gre: Split up ip6gre_tnl_change()
        net: ip6_gre: Split up ip6gre_tnl_link_config()
        net: ip6_gre: Fix headroom request in ip6erspan_tunnel_xmit()
        net: ip6_gre: Request headroom in __gre6_xmit()
        selftests/bpf: check return value of fopen in test_verifier.c
        erspan: fix invalid erspan version.
        ...
  4. 20 May, 2018 15 commits
    • Linux 4.17-rc6 · 771c577c
      Linus Torvalds authored
    • Merge branch 'parisc-4.17-5' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux · 6fd5a36a
      Linus Torvalds authored
      Pull parisc fixlets from Helge Deller:
       "Three small section mismatch fixes, one of them was found by 0-day
        test infrastructure"
      
      * 'parisc-4.17-5' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
        parisc: Move ccio_cujo20_fixup() into init section
        parisc: Move setup_profiling_timer() out of init section
        parisc: Move find_pa_parent_type() out of init section
    • Merge tag 'for-4.17-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · e5e03ad9
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "We've accumulated some fixes during the last week, some of them were
        in the works for a longer time but there are some newer ones too.
      
        Most of the fixes have a reproducer and fix user visible problems,
        also candidates for stable kernels. They IMHO qualify for a late rc,
        though I did not expect that many"
      
      * tag 'for-4.17-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: fix crash when trying to resume balance without the resume flag
        btrfs: Fix delalloc inodes invalidation during transaction abort
        btrfs: Split btrfs_del_delalloc_inode into 2 functions
        btrfs: fix reading stale metadata blocks after degraded raid1 mounts
        btrfs: property: Set incompat flag if lzo/zstd compression is set
        Btrfs: fix duplicate extents after fsync of file with prealloc extents
        Btrfs: fix xattr loss after power failure
        Btrfs: send, fix invalid access to commit roots due to concurrent snapshotting
    • Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm · 132ce5d4
      Linus Torvalds authored
      Pull ARM fixes from Russell King:
      
       - Łukasz Stelmach spotted a couple of issues with the decompressor.
      
       - a couple of kdump fixes found while testing kdump
      
       - replace some perl with shell code
      
       - resolve SIGFPE breakage
      
       - kprobes fixes
      
      * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: fix kill( ,SIGFPE) breakage
        ARM: 8772/1: kprobes: Prohibit kprobes on get_user functions
        ARM: 8771/1: kprobes: Prohibit kprobes on do_undefinstr
        ARM: 8770/1: kprobes: Prohibit probing on optimized_callback
        ARM: 8769/1: kprobes: Fix to use get_kprobe_ctlblk after irq-disabed
        ARM: replace unnecessary perl with sed and the shell $(( )) operator
        ARM: kexec: record parent context registers for non-crash CPUs
        ARM: kexec: fix kdump register saving on panic()
        ARM: 8758/1: decompressor: restore r1 and r2 just before jumping to the kernel
        ARM: 8753/1: decompressor: add a missing parameter to the addruart macro
    • Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 8a6bd2f4
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
       "An unfortunately larger set of fixes, but a large portion is
        selftests:
      
         - Fix the missing clusterid initialization for x2apic cluster
           management which caused boot failures due to IPIs being sent to the
           wrong cluster
      
         - Drop TX_COMPAT when a 64bit executable is exec()'ed from a compat
           task
      
         - Wrap access to __supported_pte_mask in __startup_64() where clang
           compile fails due to a non PC relative access being generated.
      
         - Two fixes for 5 level paging fallout in the decompressor:
      
            - Handle GOT correctly for paging_prepare() and
              cleanup_trampoline()
      
            - Fix the page table handling in cleanup_trampoline() to avoid
              page table corruption.
      
         - Stop special casing protection key 0 as this is inconsistent with
           the manpage and also inconsistent with the allocation map handling.
      
         - Override the protection key when moving away from PROT_EXEC to
           prevent inaccessible memory.
      
         - Fix and update the protection key selftests to address breakage and
           to cover the above issue
      
         - Add a MOV SS self test"
      
      [ Part of the x86 fixes were in the earlier core pull due to dependencies ]
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (21 commits)
        x86/mm: Drop TS_COMPAT on 64-bit exec() syscall
        x86/apic/x2apic: Initialize cluster ID properly
        x86/boot/compressed/64: Fix moving page table out of trampoline memory
        x86/boot/compressed/64: Set up GOT for paging_prepare() and cleanup_trampoline()
        x86/pkeys: Do not special case protection key 0
        x86/pkeys/selftests: Add a test for pkey 0
        x86/pkeys/selftests: Save off 'prot' for allocations
        x86/pkeys/selftests: Fix pointer math
        x86/pkeys: Override pkey when moving away from PROT_EXEC
        x86/pkeys/selftests: Fix pkey exhaustion test off-by-one
        x86/pkeys/selftests: Add PROT_EXEC test
        x86/pkeys/selftests: Factor out "instruction page"
        x86/pkeys/selftests: Allow faults on unknown keys
        x86/pkeys/selftests: Avoid printf-in-signal deadlocks
        x86/pkeys/selftests: Remove dead debugging code, fix dprint_in_signal
        x86/pkeys/selftests: Stop using assert()
        x86/pkeys/selftests: Give better unexpected fault error messages
        x86/selftests: Add mov_to_ss test
        x86/mpx/selftests: Adjust the self-test to fresh distros that export the MPX ABI
        x86/pkeys/selftests: Adjust the self-test to fresh distros that export the pkeys ABI
        ...
    • Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · b9aad922
      Linus Torvalds authored
      Pull UP timer fix from Thomas Gleixner:
       "Work around the for_each_cpu() oddity on UP kernels in the tick
        broadcast code which causes boot failures because the CPU0 bit is
        always reported as set independent of the cpumask content"
      
      * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        tick/broadcast: Use for_each_cpu() specially on UP kernels
    • Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 441cab96
      Linus Torvalds authored
      Pull scheduler fixlets from Thomas Gleixner:
       "Three trivial fixlets for the scheduler:
      
         - move print_rt_rq() and print_dl_rq() declarations to the right
           place
      
         - make grub_reclaim() static
      
         - fix the bogus documentation reference in Kconfig"
      
      * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/fair: Fix documentation file path
        sched/deadline: Make the grub_reclaim() function static
        sched/debug: Move the print_rt_rq() and print_dl_rq() declarations to kernel/sched/sched.h
    • Merge branch 'ras-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 74cce52f
      Linus Torvalds authored
      Pull RAS fix from Thomas Gleixner:
       "Fix a regression in the new AMD SMCA code which issues an SMP function
        call from the early interrupt disabled region of CPU hotplug. To avoid
        that, use cached block addresses which can be used directly"
      
      * 'ras-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/MCE/AMD: Cache SMCA MISC block addresses
    • Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 95bcce4d
      Linus Torvalds authored
      Pull perf tooling fixes from Thomas Gleixner:
      
       - fix segfault when processing unknown threads in cs-etm
      
       - fix "perf test inet_pton" on s390 failing due to missing inline
      
       - display all available events on 'perf annotate --stdio'
      
       - add missing newline when parsing an empty BPF program
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf tools: Add missing newline when parsing empty BPF proggie
        perf cs-etm: Remove redundant space
        perf cs-etm: Support unknown_thread in cs_etm_auxtrace
        perf annotate: Display all available events on --stdio
        perf test: "probe libc's inet_pton" fails on s390 due to missing inline
    • Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 4b65f455
      Linus Torvalds authored
      Pull locking fixes from Thomas Gleixner:
       "Two fixes to address shortcomings of the rwsem/percpu-rwsem lock
        debugging code which emits false positive warnings when the rwsem is
        anonymously locked and unlocked"
      
      * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        locking/percpu-rwsem: Annotate rwsem ownership transfer by setting RWSEM_OWNER_UNKNOWN
        locking/rwsem: Add a new RWSEM_ANONYMOUSLY_OWNED flag
    • Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 056ad121
      Linus Torvalds authored
      Pull EFI fixes from Thomas Gleixner:
      
       - Use explicitly sized type for the romimage pointer in the 32bit EFI
         protocol struct so a 64bit kernel does not expand it to 64bit. Ditto
         for the 64bit struct to avoid the reverse issue on 32bit kernels.
      
       - Handle randomized text offset correctly in the ARM64 EFI stub to avoid
         unaligned data resulting in stack corruption and other hard to
         diagnose wreckage.
      
      * 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        efi/libstub/arm64: Handle randomized TEXT_OFFSET
        efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32' definition for mixed mode
    • Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 583dbad3
      Linus Torvalds authored
      Pull core fixes from Thomas Gleixner:
      
       - Unbreak the BPF compilation which got broken by the unconditional
         requirement of asm-goto, which is not supported by clang.
      
       - Prevent probing on exception masking instructions in uprobes and
         kprobes to avoid the issues of the delayed exceptions instead of
         having an ugly workaround.
      
       - Prevent a double free_page() in the error path of do_kexec_load()
      
       - A set of objtool updates addressing various issues mostly related to
         switch tables and the noreturn detection for recursive sibling calls
      
       - Header sync for tools.
      
      * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        objtool: Detect RIP-relative switch table references, part 2
        objtool: Detect RIP-relative switch table references
        objtool: Support GCC 8 switch tables
        objtool: Support GCC 8's cold subfunctions
        objtool: Fix "noreturn" detection for recursive sibling calls
        objtool, kprobes/x86: Sync the latest <asm/insn.h> header with tools/objtool/arch/x86/include/asm/insn.h
        x86/cpufeature: Guard asm_volatile_goto usage for BPF compilation
        uprobes/x86: Prohibit probing on MOV SS instruction
        kprobes/x86: Prohibit probing on exception masking instructions
        x86/kexec: Avoid double free_page() upon do_kexec_load() failure
    • net: ip6_gre: fix tunnel metadata device sharing. · b80d0b93
      William Tu authored
      Currently ip6gre and ip6erspan share single metadata mode device,
      using 'collect_md_tun'.  Thus, when doing:
        ip link add dev ip6gre11 type ip6gretap external
        ip link add dev ip6erspan12 type ip6erspan external
        RTNETLINK answers: File exists
      simply fails due to the 2nd tries to create the same collect_md_tun.
      
      The patch fixes it by adding a separate collect md tunnel device
      for the ip6erspan, 'collect_md_tun_erspan'.  As a result, a couple
      of places need to refactor/split up in order to distinguish ip6gre
      and ip6erspan.
      
      First, move the collect_md check at ip6gre_tunnel_{unlink,link} and
      create separate function {ip6gre,ip6ersapn}_tunnel_{link_md,unlink_md}.
      Then before link/unlink, make sure the link_md/unlink_md is called.
      Finally, a separate ndo_uninit is created for ip6erspan.  Tested it
      using the samples/bpf/test_tunnel_bpf.sh.
      
      Fixes: ef7baf5e ("ip6_gre: add ip6 erspan collect_md mode")
      Signed-off-by: William Tu <u9012063@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 203ec2fe
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
       "A handful of fixes. I've been queuing them up a bit too long so the
        list is longer than it otherwise would have been spread out across a
        few -rcs.
      
        In general, it's a scattering of fixes across several platforms,
        nothing truly serious enough to point out.
      
        There's a slightly larger batch of them for the Davinci platforms due
        to work to bring them back to life after some time, so there's a
        handful of regressions, some of them going back very far, others more
        recent.
      
        There's also a few patches fixing DT on Renesas platforms since they
        changed some bindings without remaining backwards compatible,
        splitting up describing LVDS as a proper bridge instead of having it
        as part of the display unit.
      
        We could push for them to be backwards compatible with old device
        trees, but it's likely to regress eventually if nobody's actually
        using said compatibility"
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (36 commits)
        ARM: davinci: board-dm646x-evm: set VPIF capture card name
        ARM: davinci: board-dm646x-evm: pass correct I2C adapter id for VPIF
        ARM: davinci: dm646x: fix timer interrupt generation
        ARM: keystone: fix platform_domain_notifier array overrun
        arm64: dts: exynos: Fix interrupt type for I2S1 device on Exynos5433
        ARM: dts: imx51-zii-rdu1: fix touchscreen bindings
        firmware: arm_scmi: Use after free in scmi_create_protocol_device()
        ARM: dts: cygnus: fix irq type for arm global timer
        Revert "ARM: dts: logicpd-som-lv: Fix pinmux controller references"
        tee: check shm references are consistent in offset/size
        tee: shm: fix use-after-free via temporarily dropped reference
        ARM: dts: imx7s: Pass the 'fsl,sec-era' property
        ARM: dts: tegra20: Revert "Fix ULPI regression on Tegra20"
        ARM: dts: correct missing "compatible" entry for ti81xx SoCs
        ARM: OMAP1: ams-delta: fix deferred_fiq handler
        arm64: tegra: Make BCM89610 PHY interrupt as active low
        ARM: davinci: fix GPIO lookup for I2C
        ARM: dts: logicpd-som-lv: Fix pinmux controller references
        ARM: dts: logicpd-som-lv: Fix Audio Mute
        ARM: dts: logicpd-som-lv: Fix WL127x Startup Issues
        ...
    • Merge tag 'tegra-for-4.17-fixes-2' of... · 709f490d
      Olof Johansson authored
      Merge tag 'tegra-for-4.17-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux into fixes
      
      arm64: tegra: Device tree fixes for v4.17
      
      This contains a one-line update to the device tree of the Tegra186 P3310
      processor module, fixing the polarity of the PHY interrupt. Originally,
      this was queued to go into v4.18, but the PHY ID matching patch has now
      found its way into v4.17-rc5, which means that the PHY driver will know
      how to identify the PHY on this board and try to use the interrupt. This
      will unfortunately cause networking to break on P3310, hence why I think
      this should go into v4.17.
      
      * tag 'tegra-for-4.17-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux:
        arm64: tegra: Make BCM89610 PHY interrupt as active low
      Signed-off-by: Olof Johansson <olof@lixom.net>
      709f490d
  5. 19 May, 2018 5 commits
    • bpf: Prevent memory disambiguation attack · af86ca4e
      Alexei Starovoitov authored
      Detect code patterns where malicious 'speculative store bypass' can be used
      and sanitize such patterns.
      
       39: (bf) r3 = r10
       40: (07) r3 += -216
       41: (79) r8 = *(u64 *)(r7 +0)   // slow read
       42: (7a) *(u64 *)(r10 -72) = 0  // verifier inserts this instruction
       43: (7b) *(u64 *)(r8 +0) = r3   // this store becomes slow due to r8
       44: (79) r1 = *(u64 *)(r6 +0)   // cpu speculatively executes this load
       45: (71) r2 = *(u8 *)(r1 +0)    // speculatively arbitrary 'load byte'
                                       // is now sanitized
      
      Above code after x86 JIT becomes:
       e5: mov    %rbp,%rdx
       e8: add    $0xffffffffffffff28,%rdx
       ef: mov    0x0(%r13),%r14
       f3: movq   $0x0,-0x48(%rbp)
       fb: mov    %rdx,0x0(%r14)
       ff: mov    0x0(%rbx),%rdi
      103: movzbq 0x0(%rdi),%rsi
      Signed-off-by: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      af86ca4e
    • ARM: fix kill( ,SIGFPE) breakage · 92d44a42
      Russell King authored
      Commit 7771c664 ("signal/arm: Document conflicts with SI_USER and
      SIGFPE") broke the siginfo structure for userspace triggered signals,
      causing the strace testsuite to regress.  Fix this by eliminating
      the FPE_FIXME definition (which is at the root of the breakage) and
      use FPE_FLTINV instead for the case where the hardware appears to be
      reporting nonsense.
      
      Fixes: 7771c664 ("signal/arm: Document conflicts with SI_USER and SIGFPE")
      Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
      92d44a42
    • Merge tag 'dmaengine-fix-4.17-rc6' of git://git.infradead.org/users/vkoul/slave-dma · 0b449a44
      Linus Torvalds authored
      Pull dmaengine fix from Vinod Koul:
      
       - qcom bam runtime_pm fix
      
       - email update for Vinod
      
      * tag 'dmaengine-fix-4.17-rc6' of git://git.infradead.org/users/vkoul/slave-dma:
        dmaengine: qcom: bam_dma: check if the runtime pm enabled
        dmaengine: Update email address for Vinod
      0b449a44
    • mmap: relax file size limit for regular files · 423913ad
      Linus Torvalds authored
      Commit be83bbf8 ("mmap: introduce sane default mmap limits") was
      introduced to catch problems in various ad-hoc character device drivers
      doing mmap and getting the size limits wrong.  In the process, it used
      "known good" limits for the normal cases of mapping regular files and
      block device drivers.
      
      It turns out that the "s_maxbytes" limit was less "known good" than I
      thought.  In particular, /proc doesn't set it, but exposes one regular
      file to mmap: /proc/vmcore.  As a result, that file got limited to the
      default MAX_INT s_maxbytes value.
      
      This went unnoticed for a while, because apparently the only thing that
      needs it is the s390 kernel zfcpdump, but there might be other tools
      that use this too.
      
      Vasily suggested just changing s_maxbytes for all of /proc, which isn't
      wrong, but makes me nervous at this stage.  So instead, just make the
      new mmap limit always be MAX_LFS_FILESIZE for regular files, which won't
      affect anything else.  It wasn't the regular file case I was worried
      about.
      
      I'd really prefer for maxsize to have been per-inode, but that is not
      how things are today.
      
      Fixes: be83bbf8 ("mmap: introduce sane default mmap limits")
      Reported-by: Vasily Gorbik <gor@linux.ibm.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      423913ad
    • x86/MCE/AMD: Cache SMCA MISC block addresses · 78ce2410
      Borislav Petkov authored
      ... into a global, two-dimensional array and service subsequent reads from
      that cache to avoid rdmsr_on_cpu() calls during CPU hotplug (IPIs with IRQs
      disabled).
      
      In addition, this fixes a KASAN slab-out-of-bounds read due to wrong usage
      of the bank->blocks pointer.
      
      Fixes: 27bd5950 ("x86/mce/AMD: Get address from already initialized block")
      Reported-by: Johannes Hirte <johannes.hirte@datenkhaos.de>
      Tested-by: Johannes Hirte <johannes.hirte@datenkhaos.de>
      Signed-off-by: Borislav Petkov <bp@suse.de>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Cc: Yazen Ghannam <yazen.ghannam@amd.com>
      Link: http://lkml.kernel.org/r/20180414004230.GA2033@probook
      78ce2410