1. 25 Jan, 2019 4 commits
    • Linus Torvalds's avatar
      Merge tag 'char-misc-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · d488bd21
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are some small char and misc driver fixes to resolve some
        reported issues, as well as a number of binderfs fixups that were
        found after auditing the filesystem code by Al Viro. As binderfs
        hasn't been in a previous release yet, it's good to get these in now
        before the first users show up.
      
        All of these have been in linux-next for a bit with no reported
        issues"
      
      * tag 'char-misc-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (26 commits)
        i3c: master: Fix an error checking typo in 'cdns_i3c_master_probe()'
        binderfs: switch from d_add() to d_instantiate()
        binderfs: drop lock in binderfs_binder_ctl_create
        binderfs: kill_litter_super() before cleanup
        binderfs: rework binderfs_binder_device_create()
        binderfs: rework binderfs_fill_super()
        binderfs: prevent renaming the control dentry
        binderfs: remove outdated comment
        binderfs: use __u32 for device numbers
        binderfs: use correct include guards in header
        misc: pvpanic: fix warning implicit declaration
        char/mwave: fix potential Spectre v1 vulnerability
        misc: ibmvsm: Fix potential NULL pointer dereference
        binderfs: fix error return code in binderfs_fill_super()
        mei: me: add denverton innovation engine device IDs
        mei: me: mark LBG devices as having dma support
        mei: dma: silent the reject message
        binderfs: handle !CONFIG_IPC_NS builds
        binderfs: reserve devices for initial mount
        binderfs: rename header to binderfs.h
        ...
      d488bd21
    • Linus Torvalds's avatar
      Merge tag 'staging-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 96f18cb8
      Linus Torvalds authored
      Pull staging driver fixes from Greg KH:
       "Here are some small staging driver fixes for 5.0-rc4.
      
        They resolve some reported bugs and add a new device id for one
        driver. Nothing major at all, but all good to have.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'staging-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: android: ion: Support cpu access during dma_buf_detach
        staging: rtl8723bs: Fix build error with Clang when inlining is disabled
        staging: rtl8188eu: Add device code for D-Link DWA-121 rev B1
        staging: vchiq: Fix local event signalling
        Staging: wilc1000: unlock on error in init_chip()
        staging: wilc1000: fix memory leak in wilc_add_rx_gtk
        staging: wilc1000: fix registration frame size
      96f18cb8
    • Linus Torvalds's avatar
      Merge tag 'tty-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 473721f9
      Linus Torvalds authored
      Pull tty/serial driver fixes from Greg KH:
       "Here are a number of small tty core and serial driver fixes for
        5.0-rc4 to resolve some reported issues.
      
        Nothing major, the small serial driver fixes, a tty core fixup for a
        crash that was reported, and some good vt fixes from Nicolas Pitre as
        he seems to be auditing that chunk of code a lot lately.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'tty-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        serial: fsl_lpuart: fix maximum acceptable baud rate with over-sampling
        tty: serial: qcom_geni_serial: Allow mctrl when flow control is disabled
        tty: Handle problem if line discipline does not have receive_buf
        vgacon: unconfuse vc_origin when using soft scrollback
        vt: invoke notifier on screen size change
        vt: always call notifier with the console lock held
        vt: make vt_console_print() compatible with the unicode screen buffer
        tty/n_hdlc: fix __might_sleep warning
        serial: 8250: Fix serial8250 initialization crash
        uart: Fix crash in uart_write and uart_put_char
      473721f9
    • Linus Torvalds's avatar
      Merge tag 'usb-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · b48cef32
      Linus Torvalds authored
      Pull USB/PHY fixes from Greg KH:
       "Here are a number of small USB and PHY driver fixes for 5.0-rc4.
      
        Nothing major at all, just the usual selection of USB gadget bugfixes,
        some new USB serial driver ids, some SPDX fixes, and some PHY driver
        fixes for reported issues.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'usb-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        USB: serial: keyspan_usa: add proper SPDX lines for .h files
        USB: EHCI: ehci-mv: add MODULE_DEVICE_TABLE
        USB: leds: fix regression in usbport led trigger
        usb: chipidea: fix static checker warning for NULL pointer
        MAINTAINERS: email address update in MAINTAINERS entries
        USB: usbip: delete README file
        USB: serial: pl2303: add new PID to support PL2303TB
        usb: dwc2: gadget: Fix Remote Wakeup interrupt bit clearing
        phy: ath79-usb: Fix the main reset name to match the DT binding
        phy: ath79-usb: Fix the power on error path
        phy: fix build breakage: add PHY_MODE_SATA
        phy: ti: ensure priv is not null before dereferencing it
        USB: serial: ftdi_sio: fix GPIO not working in autosuspend
        usb: gadget: Potential NULL dereference on allocation error
        usb: dwc3: gadget: Fix the uninitialized link_state when udc starts
        usb: dwc3: gadget: Clear req->needs_extra_trb flag on cleanup
        usb: dwc3: gadget: synchronize_irq dwc irq in suspend
        USB: serial: simple: add Motorola Tetra TPG2200 device id
      b48cef32
  2. 24 Jan, 2019 18 commits
  3. 23 Jan, 2019 12 commits
    • Linus Torvalds's avatar
      Revert "Change mincore() to count "mapped" pages rather than "cached" pages" · 30bac164
      Linus Torvalds authored
      This reverts commit 574823bf.
      
      It turns out that my hope that we could just remove the code that
      exposes the cache residency status from mincore() was too optimistic.
      
      There are various random users that want it, and one example would be
      the Netflix database cluster maintenance. To quote Josh Snyder:
      
       "For Netflix, losing accurate information from the mincore syscall
        would lengthen database cluster maintenance operations from days to
        months. We rely on cross-process mincore to migrate the contents of a
        page cache from machine to machine, and across reboots.
      
        To do this, I wrote and maintain happycache [1], a page cache
        dumper/loader tool. It is quite similar in architecture to pgfincore,
        except that it is agnostic to workload. The gist of happycache's
        operation is "produce a dump of residence status for each page, do
        some operation, then reload exactly the same pages which were present
        before." happycache is entirely dependent on accurate reporting of the
        in-core status of file-backed pages, as accessed by another process.
      
        We primarily use happycache with Cassandra, which (like Postgres +
        pgfincore) relies heavily on OS page cache to reduce disk accesses.
        Because our workloads never experience a cold page cache, we are able
        to provision hardware for a peak utilization level that is far lower
        than the hypothetical "every query is a cache miss" peak.
      
        A database warmed by happycache can be ready for service in seconds
        (bounded only by the performance of the drives and the I/O subsystem),
        with no period of in-service degradation. By contrast, putting a
        database in service without a page cache entails a potentially
        unbounded period of degradation (at Netflix, the time to populate a
        single node's cache via natural cache misses varies by workload from
        hours to weeks). If a single node upgrade were to take weeks, then
        upgrading an entire cluster would take months. Since we want to apply
        security upgrades (and other things) on a somewhat tighter schedule,
        we would have to develop more complex solutions to provide the same
        functionality already provided by mincore.
      
        At the bottom line, happycache is designed to benignly exploit the
        same information leak documented in the paper [2]. I think it makes
        perfect sense to remove cross-process mincore functionality from
        unprivileged users, but not to remove it entirely"
      
      We do have an alternate approach that limits the cache residency
      reporting only to processes that have write permissions to the file, so
      we can fix the original information leak issue that way.  It involves
      _adding_ code rather than removing it, which is sad, but hey, at least
      we haven't found any users that would find the restrictions
      unacceptable.
      
      So revert the optimistic first approach to make room for that alternate
      fix instead.
      Reported-by: default avatarJosh Snyder <joshs@netflix.com>
      Cc: Jiri Kosina <jikos@kernel.org>
      Cc: Dominique Martinet <asmadeus@codewreck.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Dave Chinner <david@fromorbit.com>
      Cc: Kevin Easton <kevin@guarana.org>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: Cyril Hrubis <chrubis@suse.cz>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Kirill A. Shutemov <kirill@shutemov.name>
      Cc: Daniel Gruss <daniel@gruss.cc>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      30bac164
    • Linus Torvalds's avatar
      Merge tag 'for-linus-5.0' of git://github.com/cminyard/linux-ipmi · db781446
      Linus Torvalds authored
      Pull IPMI fixes from Corey Minyard:
       "I missed the merge window, which wasn't really important at the time
        as there was nothing that critical that I had for 5.0.
      
        However, I say that,and then a number of critical fixes come in:
      
         - ipmi: fix use-after-free of user->release_barrier.rda
         - ipmi: Prevent use-after-free in deliver_response
         - ipmi: msghandler: Fix potential Spectre v1 vulnerabilities
      
        which are obvious candidates for 5.0.  Then there is:
      
         - ipmi:ssif: Fix handling of multi-part return messages
      
        which is less critical, but it still has some off-by-one things that
        are not great, so it seemed appropriate. Some machines are broken
        without it. Then:
      
         - ipmi: Don't initialize anything in the core until something uses it
      
        It turns out that using SRCU causes large chunks of memory to be used
        on big iron machines, even if IPMI is never used. This was causing
        some issues for people on those machines.
      
        Everything here is destined for stable"
      
      * tag 'for-linus-5.0' of git://github.com/cminyard/linux-ipmi:
        ipmi: Don't initialize anything in the core until something uses it
        ipmi: fix use-after-free of user->release_barrier.rda
        ipmi: Prevent use-after-free in deliver_response
        ipmi: msghandler: Fix potential Spectre v1 vulnerabilities
        ipmi:ssif: Fix handling of multi-part return messages
      db781446
    • Linus Torvalds's avatar
      Merge tag 's390-5.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 09c2fe60
      Linus Torvalds authored
      Pull s390 fixes from Martin Schwidefsky:
      
       - Do not claim to run under z/VM if the hypervisor can not be
         identified
      
       - Fix crashes due to outdated ASCEs in CR1
      
       - Avoid a deadlock in regard to CPU hotplug
      
       - Really fix the vdso mapping issue for compat tasks
      
       - Avoid crash on restart due to an incorrect stack address
      
      * tag 's390-5.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/smp: Fix calling smp_call_ipl_cpu() from ipl CPU
        s390/vdso: correct vdso mapping for compat tasks
        s390/smp: fix CPU hotplug deadlock with CPU rescan
        s390/mm: always force a load of the primary ASCE on context switch
        s390/early: improve machine detection
      09c2fe60
    • Corey Minyard's avatar
      ipmi: Don't initialize anything in the core until something uses it · 913a89f0
      Corey Minyard authored
      The IPMI driver was recently modified to use SRCU, but it turns out
      this uses a chunk of percpu memory, even if IPMI is never used.
      
      So modify thing to on initialize on the first use.  There was already
      code to sort of handle this for handling init races, so piggy back
      on top of that, and simplify it in the process.
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      Reported-by: default avatarTejun Heo <tj@kernel.org>
      Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Reviewed-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Cc: stable@vger.kernel.org # 4.18
      913a89f0
    • Yang Yingliang's avatar
      ipmi: fix use-after-free of user->release_barrier.rda · 77f82696
      Yang Yingliang authored
      When we do the following test, we got oops in ipmi_msghandler driver
      while((1))
      do
      	service ipmievd restart & service ipmievd restart
      done
      
      ---------------------------------------------------------------
      [  294.230186] Unable to handle kernel paging request at virtual address 0000803fea6ea008
      [  294.230188] Mem abort info:
      [  294.230190]   ESR = 0x96000004
      [  294.230191]   Exception class = DABT (current EL), IL = 32 bits
      [  294.230193]   SET = 0, FnV = 0
      [  294.230194]   EA = 0, S1PTW = 0
      [  294.230195] Data abort info:
      [  294.230196]   ISV = 0, ISS = 0x00000004
      [  294.230197]   CM = 0, WnR = 0
      [  294.230199] user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000a1c1b75a
      [  294.230201] [0000803fea6ea008] pgd=0000000000000000
      [  294.230204] Internal error: Oops: 96000004 [#1] SMP
      [  294.235211] Modules linked in: nls_utf8 isofs rpcrdma ib_iser ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib rdma_ucm ib_umad rdma_cm ib_cm iw_cm dm_mirror dm_region_hash dm_log dm_mod aes_ce_blk crypto_simd cryptd aes_ce_cipher ghash_ce sha2_ce ses sha256_arm64 sha1_ce hibmc_drm hisi_sas_v2_hw enclosure sg hisi_sas_main sbsa_gwdt ip_tables mlx5_ib ib_uverbs marvell ib_core mlx5_core ixgbe ipmi_si mdio hns_dsaf ipmi_devintf ipmi_msghandler hns_enet_drv hns_mdio
      [  294.277745] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted 5.0.0-rc2+ #113
      [  294.285511] Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.37 11/21/2017
      [  294.292835] pstate: 80000005 (Nzcv daif -PAN -UAO)
      [  294.297695] pc : __srcu_read_lock+0x38/0x58
      [  294.301940] lr : acquire_ipmi_user+0x2c/0x70 [ipmi_msghandler]
      [  294.307853] sp : ffff00001001bc80
      [  294.311208] x29: ffff00001001bc80 x28: ffff0000117e5000
      [  294.316594] x27: 0000000000000000 x26: dead000000000100
      [  294.321980] x25: dead000000000200 x24: ffff803f6bd06800
      [  294.327366] x23: 0000000000000000 x22: 0000000000000000
      [  294.332752] x21: ffff00001001bd04 x20: ffff80df33d19018
      [  294.338137] x19: ffff80df33d19018 x18: 0000000000000000
      [  294.343523] x17: 0000000000000000 x16: 0000000000000000
      [  294.348908] x15: 0000000000000000 x14: 0000000000000002
      [  294.354293] x13: 0000000000000000 x12: 0000000000000000
      [  294.359679] x11: 0000000000000000 x10: 0000000000100000
      [  294.365065] x9 : 0000000000000000 x8 : 0000000000000004
      [  294.370451] x7 : 0000000000000000 x6 : ffff80df34558678
      [  294.375836] x5 : 000000000000000c x4 : 0000000000000000
      [  294.381221] x3 : 0000000000000001 x2 : 0000803fea6ea000
      [  294.386607] x1 : 0000803fea6ea008 x0 : 0000000000000001
      [  294.391994] Process swapper/3 (pid: 0, stack limit = 0x0000000083087293)
      [  294.398791] Call trace:
      [  294.401266]  __srcu_read_lock+0x38/0x58
      [  294.405154]  acquire_ipmi_user+0x2c/0x70 [ipmi_msghandler]
      [  294.410716]  deliver_response+0x80/0xf8 [ipmi_msghandler]
      [  294.416189]  deliver_local_response+0x28/0x68 [ipmi_msghandler]
      [  294.422193]  handle_one_recv_msg+0x158/0xcf8 [ipmi_msghandler]
      [  294.432050]  handle_new_recv_msgs+0xc0/0x210 [ipmi_msghandler]
      [  294.441984]  smi_recv_tasklet+0x8c/0x158 [ipmi_msghandler]
      [  294.451618]  tasklet_action_common.isra.5+0x88/0x138
      [  294.460661]  tasklet_action+0x2c/0x38
      [  294.468191]  __do_softirq+0x120/0x2f8
      [  294.475561]  irq_exit+0x134/0x140
      [  294.482445]  __handle_domain_irq+0x6c/0xc0
      [  294.489954]  gic_handle_irq+0xb8/0x178
      [  294.497037]  el1_irq+0xb0/0x140
      [  294.503381]  arch_cpu_idle+0x34/0x1a8
      [  294.510096]  do_idle+0x1d4/0x290
      [  294.516322]  cpu_startup_entry+0x28/0x30
      [  294.523230]  secondary_start_kernel+0x184/0x1d0
      [  294.530657] Code: d538d082 d2800023 8b010c81 8b020021 (c85f7c25)
      [  294.539746] ---[ end trace 8a7a880dee570b29 ]---
      [  294.547341] Kernel panic - not syncing: Fatal exception in interrupt
      [  294.556837] SMP: stopping secondary CPUs
      [  294.563996] Kernel Offset: disabled
      [  294.570515] CPU features: 0x002,21006008
      [  294.577638] Memory Limit: none
      [  294.587178] Starting crashdump kernel...
      [  294.594314] Bye!
      
      Because the user->release_barrier.rda is freed in ipmi_destroy_user(), but
      the refcount is not zero, when acquire_ipmi_user() uses user->release_barrier.rda
      in __srcu_read_lock(), it causes oops.
      Fix this by calling cleanup_srcu_struct() when the refcount is zero.
      
      Fixes: e86ee2d4 ("ipmi: Rework locking and shutdown for hot remove")
      Cc: stable@vger.kernel.org # 4.18
      Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      77f82696
    • Fred Klassen's avatar
      ipmi: Prevent use-after-free in deliver_response · 479d6b39
      Fred Klassen authored
      Some IPMI modules (e.g. ibmpex_msg_handler()) will have ipmi_usr_hdlr
      handlers that call ipmi_free_recv_msg() directly. This will essentially
      kfree(msg), leading to use-after-free.
      
      This does not happen in the ipmi_devintf module, which will queue the
      message and run ipmi_free_recv_msg() later.
      
      BUG: KASAN: use-after-free in deliver_response+0x12f/0x1b0
      Read of size 8 at addr ffff888a7bf20018 by task ksoftirqd/3/27
      CPU: 3 PID: 27 Comm: ksoftirqd/3 Tainted: G           O      4.19.11-amd64-ani99-debug #12.0.1.601133+pv
      Hardware name: AppNeta r1000/X11SPW-TF, BIOS 2.1a-AP 09/17/2018
      Call Trace:
      dump_stack+0x92/0xeb
      print_address_description+0x73/0x290
      kasan_report+0x258/0x380
      deliver_response+0x12f/0x1b0
      ? ipmi_free_recv_msg+0x50/0x50
      deliver_local_response+0xe/0x50
      handle_one_recv_msg+0x37a/0x21d0
      handle_new_recv_msgs+0x1ce/0x440
      ...
      
      Allocated by task 9885:
      kasan_kmalloc+0xa0/0xd0
      kmem_cache_alloc_trace+0x116/0x290
      ipmi_alloc_recv_msg+0x28/0x70
      i_ipmi_request+0xb4a/0x1640
      ipmi_request_settime+0x1b8/0x1e0
      ...
      
      Freed by task 27:
      __kasan_slab_free+0x12e/0x180
      kfree+0xe9/0x280
      deliver_response+0x122/0x1b0
      deliver_local_response+0xe/0x50
      handle_one_recv_msg+0x37a/0x21d0
      handle_new_recv_msgs+0x1ce/0x440
      tasklet_action_common.isra.19+0xc4/0x250
      __do_softirq+0x11f/0x51f
      
      Fixes: e86ee2d4 ("ipmi: Rework locking and shutdown for hot remove")
      Cc: stable@vger.kernel.org # 4.18
      Signed-off-by: default avatarFred Klassen <fklassen@appneta.com>
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      479d6b39
    • Gustavo A. R. Silva's avatar
      ipmi: msghandler: Fix potential Spectre v1 vulnerabilities · a7102c74
      Gustavo A. R. Silva authored
      channel and addr->channel are indirectly controlled by user-space,
      hence leading to a potential exploitation of the Spectre variant 1
      vulnerability.
      
      These issues were detected with the help of Smatch:
      
      drivers/char/ipmi/ipmi_msghandler.c:1381 ipmi_set_my_address() warn: potential spectre issue 'user->intf->addrinfo' [w] (local cap)
      drivers/char/ipmi/ipmi_msghandler.c:1401 ipmi_get_my_address() warn: potential spectre issue 'user->intf->addrinfo' [r] (local cap)
      drivers/char/ipmi/ipmi_msghandler.c:1421 ipmi_set_my_LUN() warn: potential spectre issue 'user->intf->addrinfo' [w] (local cap)
      drivers/char/ipmi/ipmi_msghandler.c:1441 ipmi_get_my_LUN() warn: potential spectre issue 'user->intf->addrinfo' [r] (local cap)
      drivers/char/ipmi/ipmi_msghandler.c:2260 check_addr() warn: potential spectre issue 'intf->addrinfo' [r] (local cap)
      
      Fix this by sanitizing channel and addr->channel before using them to
      index user->intf->addrinfo and intf->addrinfo, correspondingly.
      
      Notice that given that speculation windows are large, the policy is
      to kill the speculation on the first load and not worry if it can be
      completed with a dependent load/store [1].
      
      [1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      a7102c74
    • Corey Minyard's avatar
      ipmi:ssif: Fix handling of multi-part return messages · 7d6380cd
      Corey Minyard authored
      The block number was not being compared right, it was off by one
      when checking the response.
      
      Some statistics wouldn't be incremented properly in some cases.
      
      Check to see if that middle-part messages always have 31 bytes of
      data.
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      Cc: stable@vger.kernel.org # 4.4
      7d6380cd
    • Weinan Li's avatar
      drm/i915/gvt: release shadow batch buffer and wa_ctx before destroy one workload · 0f755512
      Weinan Li authored
      GVT-g will shadow the privilege batch buffer and the indirect context
      during command scan, move the release process into
      intel_vgpu_destroy_workload() to ensure the resources are recycled
      properly.
      
      Fixes: 0cce2823 ("drm/i915/gvt/kvmgt:Refine error handling for prepare_execlist_workload")
      Reviewed-by: default avatarZhenyu Wang <zhenyuw@linux.intel.com>
      Signed-off-by: default avatarWeinan Li <weinan.z.li@intel.com>
      Signed-off-by: default avatarZhenyu Wang <zhenyuw@linux.intel.com>
      0f755512
    • Linus Torvalds's avatar
      Merge branch 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux · 333478a7
      Linus Torvalds authored
      Pull thermal management fixes from Zhang Rui:
      
       - Fix a race condition that sysfs could be accessed before necessary
         initialization in int340x thermal driver. (Aaron Hill)
      
       - Fix a NULL vs IS_ERR() check in int340x thermal driver. (Dan
         Carpenter)
      
      * 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux:
        drivers: thermal: int340x_thermal: Fix sysfs race condition
        thermal: int340x_thermal: Fix a NULL vs IS_ERR() check
      333478a7
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · 0b0d4be6
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "This is a sort of random collection of clk fixes that have come in
        since the merge window:
      
         - Handful of memory allocation and potentially bad pointer usage
           fixes
      
         - JSON format was incorrect for clk_dump because it missed a comma
      
         - Two Kconfig fixes, one duplicate and one missing select line
      
         - Compiler warning fix for the VC5 clk driver
      
         - Name and rate fixes for PLLs in the stratix10 driver so it can
           properly detect PLL rates and parents"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: socfpga: stratix10: fix naming convention for the fixed-clocks
        clk: socfpga: stratix10: fix rate calculation for pll clocks
        clk: qcom: Select QCOM_GDSC with MSM_GCC_8998
        clk: vc5: Abort clock configuration without upstream clock
        clk: sysfs: fix invalid JSON in clk_dump
        clk: imx: Remove Kconfig duplicate include
        clk: zynqmp: Fix memory allocation in zynqmp_clk_setup
        clk: tegra: dfll: Fix a potential Oop in remove()
        clk: imx: fix potential NULL dereference in imx8qxp_lpcg_clk_probe()
      0b0d4be6
    • Linus Torvalds's avatar
      Merge tag 'linux-kselftest-5.0-rc4' of... · 8f45fa27
      Linus Torvalds authored
      Merge tag 'linux-kselftest-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
      
      Pull kselftest fixes from Shuah Khan:
       "Fixes to rtc, seccomp and other tests"
      
      * tag 'linux-kselftest-5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
        selftests/seccomp: Abort without user notification support
        selftests: gpio-mockup-chardev: Check asprintf() for error
        selftests: seccomp: use LDLIBS instead of LDFLAGS
        selftests/vm/gup_benchmark.c: match gup struct to kernel
        tools/testing/selftests/x86/unwind_vdso.c: Remove duplicate header
        x86/mpx/selftests: fix spelling mistake "succeded" -> "succeeded"
        selftests: rtc: rtctest: add alarm test on minute boundary
        selftests: rtc: rtctest: fix alarm tests
      8f45fa27
  4. 22 Jan, 2019 6 commits
    • Mike Snitzer's avatar
      dm: add missing trace_block_split() to __split_and_process_bio() · 075c18c3
      Mike Snitzer authored
      Provides useful context about bio splits in blktrace.
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      075c18c3
    • Mike Snitzer's avatar
      dm: fix dm_wq_work() to only use __split_and_process_bio() if appropriate · 6548c7c5
      Mike Snitzer authored
      Otherwise targets that don't support/expect IO splitting could resubmit
      bios using code paths with unnecessary IO splitting complexity.
      
      Depends-on: 24113d48 ("dm: avoid indirect call in __dm_make_request")
      Fixes: 978e51ba ("dm: optimize bio-based NVMe IO submission")
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      6548c7c5
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid · 787a3b43
      Linus Torvalds authored
      Pull HID fixes from Jiri Kosina:
      
       - descriptor parsing regression fix for devices that have more than 16
         collections, from Peter Hutterer (and followup cleanup from Philipp
         Zabel)
      
       - quirk for Goodix touchpad
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
        HID: core: simplify active collection tracking
        HID: i2c-hid: Disable runtime PM on Goodix touchpad
        HID: core: replace the collection tree pointers with indices
      787a3b43
    • Christophe JAILLET's avatar
      i3c: master: Fix an error checking typo in 'cdns_i3c_master_probe()' · 52768f32
      Christophe JAILLET authored
      Fix a cut'n'paste typo.
      Checking 'master->sysclk' is expected here.
      
      Fixes: 603f2bee ("i3c: master: Add driver for Cadence IP")
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      52768f32
    • Christian Brauner's avatar
      binderfs: switch from d_add() to d_instantiate() · 01684db9
      Christian Brauner authored
      In a previous commit we switched from a d_alloc_name() + d_lookup()
      combination to setup a new dentry and find potential duplicates to the more
      idiomatic lookup_one_len(). As far as I understand, this also means we need
      to switch from d_add() to d_instantiate() since lookup_one_len() will
      create a new dentry when it doesn't find an existing one and add the new
      dentry to the hash queues. So we only need to call d_instantiate() to
      connect the dentry to the inode and turn it into a positive dentry.
      
      If we were to use d_add() we sure see stack traces like the following
      indicating that adding the same dentry twice over the same inode:
      
      [  744.441889] CPU: 4 PID: 2849 Comm: landscape-sysin Not tainted 5.0.0-rc1-brauner-binderfs #243
      [  744.441889] Hardware name: Dell      DCS XS24-SC2          /XS24-SC2              , BIOS S59_3C20 04/07/2011
      [  744.441889] RIP: 0010:__d_lookup_rcu+0x76/0x190
      [  744.441889] Code: 89 75 c0 49 c1 e9 20 49 89 fd 45 89 ce 41 83 e6 07 42 8d 04 f5 00 00 00 00 89 45 c8 eb 0c 48 8b 1b 48 85 db 0f 84 81 00 00 00 <44> 8b 63 fc 4c 3b 6b 10 75 ea 48 83 7b 08 00 74 e3 41 83 e4 fe 41
      [  744.441889] RSP: 0018:ffffb8c984e27ad0 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
      [  744.441889] RAX: 0000000000000038 RBX: ffff9407ef770c08 RCX: ffffb8c980011000
      [  744.441889] RDX: ffffb8c984e27b54 RSI: ffffb8c984e27ce0 RDI: ffff9407e6689600
      [  744.441889] RBP: ffffb8c984e27b28 R08: ffffb8c984e27ba4 R09: 0000000000000007
      [  744.441889] R10: ffff9407e5c4f05c R11: 973f3eb9d84a94e5 R12: 0000000000000002
      [  744.441889] R13: ffff9407e6689600 R14: 0000000000000007 R15: 00000007bfef7a13
      [  744.441889] FS:  00007f0db13bb740(0000) GS:ffff9407f3b00000(0000) knlGS:0000000000000000
      [  744.441889] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  744.441889] CR2: 00007f0dacc51024 CR3: 000000032961a000 CR4: 00000000000006e0
      [  744.441889] Call Trace:
      [  744.441889]  lookup_fast+0x53/0x300
      [  744.441889]  walk_component+0x49/0x350
      [  744.441889]  ? inode_permission+0x63/0x1a0
      [  744.441889]  link_path_walk.part.33+0x1bc/0x5a0
      [  744.441889]  ? path_init+0x190/0x310
      [  744.441889]  path_lookupat+0x95/0x210
      [  744.441889]  filename_lookup+0xb6/0x190
      [  744.441889]  ? __check_object_size+0xb8/0x1b0
      [  744.441889]  ? strncpy_from_user+0x50/0x1a0
      [  744.441889]  user_path_at_empty+0x36/0x40
      [  744.441889]  ? user_path_at_empty+0x36/0x40
      [  744.441889]  vfs_statx+0x76/0xe0
      [  744.441889]  __do_sys_newstat+0x3d/0x70
      [  744.441889]  __x64_sys_newstat+0x16/0x20
      [  744.441889]  do_syscall_64+0x5a/0x120
      [  744.441889]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  744.441889] RIP: 0033:0x7f0db0ec2775
      [  744.441889] Code: 00 00 00 75 05 48 83 c4 18 c3 e8 26 55 02 00 66 0f 1f 44 00 00 83 ff 01 48 89 f0 77 30 48 89 c7 48 89 d6 b8 04 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 03 f3 c3 90 48 8b 15 e1 b6 2d 00 f7 d8 64 89
      [  744.441889] RSP: 002b:00007ffc36bc9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000004
      [  744.441889] RAX: ffffffffffffffda RBX: 00007ffc36bc9300 RCX: 00007f0db0ec2775
      [  744.441889] RDX: 00007ffc36bc9400 RSI: 00007ffc36bc9400 RDI: 00007f0dad26f050
      [  744.441889] RBP: 0000000000c0bc60 R08: 0000000000000000 R09: 0000000000000001
      [  744.441889] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc36bc9400
      [  744.441889] R13: 0000000000000001 R14: 00000000ffffff9c R15: 0000000000c0bc60
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarChristian Brauner <christian@brauner.io>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      01684db9
    • Christian Brauner's avatar
      binderfs: drop lock in binderfs_binder_ctl_create · 29ef1c8e
      Christian Brauner authored
      The binderfs_binder_ctl_create() call is a no-op on subsequent calls and
      the first call is done before we unlock the suberblock. Hence, there is no
      need to take inode_lock() in there. Let's remove it.
      Suggested-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarChristian Brauner <christian@brauner.io>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      29ef1c8e