1. 13 Oct, 2017 4 commits
    • Merge tag 'powerpc-4.14-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · e18e8844
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "A fix for a bad bug (written by me) in our livepatch handler. Removal
        of an over-zealous lockdep_assert_cpus_held() in our topology code. A
        fix to the recently added emulation of cntlz[wd]. And three small
        fixes to the recently added IMC PMU driver.
      
        Thanks to: Anju T Sudhakar, Balbir Singh, Kamalesh Babulal, Naveen N.
        Rao, Sandipan Das, Santosh Sivaraj, Thiago Jung Bauermann"
      
      * tag 'powerpc-4.14-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/perf: Fix IMC initialization crash
        powerpc/perf: Add ___GFP_NOWARN flag to alloc_pages_node()
        powerpc/perf: Fix for core/nest imc call trace on cpuhotplug
        powerpc: Don't call lockdep_assert_cpus_held() from arch_update_cpu_topology()
        powerpc/lib/sstep: Fix count leading zeros instructions
        powerpc/livepatch: Fix livepatch stack access
    • Merge tag 'for-linus-4.14c-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · 3be5f884
      Linus Torvalds authored
      Pull xen fixlet from Juergen Gross:
       "A minor fix correcting the cpu hotplug name for Xen guests"
      
      * tag 'for-linus-4.14c-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        xen/vcpu: Use a unified name about cpu hotplug state for pv and pvhvm
    • powerpc/perf: Fix IMC initialization crash · 0d8ba162
      Anju T Sudhakar authored
      Panic observed with latest firmware, and upstream kernel:
      
       NIP init_imc_pmu+0x8c/0xcf0
       LR  init_imc_pmu+0x2f8/0xcf0
       Call Trace:
         init_imc_pmu+0x2c8/0xcf0 (unreliable)
         opal_imc_counters_probe+0x300/0x400
         platform_drv_probe+0x64/0x110
         driver_probe_device+0x3d8/0x580
         __driver_attach+0x14c/0x1a0
         bus_for_each_dev+0x8c/0xf0
         driver_attach+0x34/0x50
         bus_add_driver+0x298/0x350
         driver_register+0x9c/0x180
         __platform_driver_register+0x5c/0x70
         opal_imc_driver_init+0x2c/0x40
         do_one_initcall+0x64/0x1d0
         kernel_init_freeable+0x280/0x374
         kernel_init+0x24/0x160
         ret_from_kernel_thread+0x5c/0x74
      
      While registering nest imc at init, cpu-hotplug callback
      nest_pmu_cpumask_init() makes an OPAL call to stop the engine. And if
      the OPAL call fails, imc_common_cpuhp_mem_free() is invoked to cleanup
      memory and cpuhotplug setup.
      
      But when cleaning up the attribute group, we are dereferencing the
      attribute element array without checking whether the backing element
      is not NULL. This causes the kernel panic.
      
      Add a check for the backing element prior to dereferencing the
      attribute element, to handle the failing case gracefully.
      Signed-off-by: Anju T Sudhakar <anju@linux.vnet.ibm.com>
      Reported-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com>
      [mpe: Trim change log]
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    • Merge tag 'devprop-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 3d788276
      Linus Torvalds authored
      Pull device properties framework fixes from Rafael Wysocki:
       "These fix an issue related to device removal introduced during the 4.9
        cycle and fix up new functionality added recently.
      
        Specifics:
      
         - Fix a device properties management issue, introduced during the 4.9
           cycle, that causes device properties associated with a parent
           device to go away on a removal of its child in some cases (Jarkko
           Nikula).
      
         - Fix inconsistencies in error codes returned by a new function
           helper in the device properties framework depending on the
           underlying low-level firmware interface, DT or ACPI, by making the
           meaning of error codes returned in the ACPI case agree with the
           meaning of DT error codes in analogous situations (Sakari Ailus)"
      
      * tag 'devprop-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI: properties: Fix __acpi_node_get_property_reference() return codes
        ACPI: properties: Align return codes of __acpi_node_get_property_reference()
        device property: Track owner device of device property
  2. 12 Oct, 2017 13 commits
    • Merge tag 'xfs-4.14-fixes-5' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · 8ff0b97c
      Linus Torvalds authored
      Pull xfs fixes from Darrick Wong:
      
       - Fix a stale kernel memory exposure when logging inodes.
      
       - Fix some build problems with CONFIG_XFS_RT=n
      
       - Don't change inode mode if the acl write fails, leaving the file
         totally inaccessible.
      
       - Fix a dangling pointer problem when removing an attr fork under
         memory pressure.
      
       - Don't crash while trying to invalidate a null buffer associated with
         a corrupt metadata pointer.
      
      * tag 'xfs-4.14-fixes-5' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: handle error if xfs_btree_get_bufs fails
        xfs: reinit btree pointer on attr tree inactivation walk
        xfs: Fix bool initialization/comparison
        xfs: don't change inode mode if ACL update fails
        xfs: move more RT specific code under CONFIG_XFS_RT
        xfs: Don't log uninitialised fields in inode structures
    • scripts: fix faddr2line to work on last symbol · 2aab9c3c
      NeilBrown authored
      If faddr2line is given a function name which is the last one listed by
      "nm -n", it will fail because it never finds the next symbol.
      
      So teach the awk script to catch that possibility, and use 'size' to
      provide the end point of the last function.
      Signed-off-by: NeilBrown <neilb@suse.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs · 3206e7d5
      Linus Torvalds authored
      Pull quota fix from Jan Kara:
       "A fix for a regression in handling of quota grace times and warnings"
      
      * 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
        quota: Generate warnings for DQUOT_SPACE_NOFAIL allocations
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · cbaff876
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
       "Another latent bug related to PCID, an out-of-bounds access, and a
        submaintainer change being finally made official"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        MAINTAINERS: Add Paul Mackerras as maintainer for KVM/powerpc
        KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
        KVM: MMU: always terminate page walks at level 1
        KVM: nVMX: update last_nonleaf_level when initializing nested EPT
    • Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 73a752cc
      Linus Torvalds authored
      Pull crypto fixes from Herbert Xu:
      
       - fix crashes in skcipher/shash from zero-length input.
      
       - fix softirq GFP_KERNEL allocation in shash_setkey_unaligned.
      
       - error path bug fix in xts create function.
      
       - fix compiler warning regressions in axis and stm32
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: shash - Fix zero-length shash ahash digest crash
        crypto: skcipher - Fix crash on zero-length input
        crypto: shash - Fix a sleep-in-atomic bug in shash_setkey_unaligned
        crypto: xts - Fix an error handling path in 'create()'
        crypto: stm32 - Try to fix hash padding
        crypto: axis - hide an unused variable
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/livepatching · 0de50ea7
      Linus Torvalds authored
      Pull livepatching fix from Jiri Kosina:
      
       - bugfix for handling of coming modules (incorrect handling of failure)
         from Joe Lawrence
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/livepatching:
        livepatch: unpatch all klp_objects if klp_module_coming fails
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid · be7484ac
      Linus Torvalds authored
      Pull HID fixes from Jiri Kosina:
      
       - fix for potential out-of-bounds memory access (found by fuzzing,
         likely requires specially crafted device to trigger) by Jaejoong Kim
      
       - two new device IDs for elecom driver from Alex Manoussakis
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
        HID: hid-elecom: extend to fix descriptor for HUGE trackball
        HID: usbhid: fix out-of-bounds bug
    • Merge tag 'sound-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 7702f476
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "It's been a busy week for defending the attacks from fuzzer people.
      
        This contains various USB-audio driver fixes and sequencer core fixes
        spotted by syzkaller and other fuzzer, as well as one quirk for a
        Plantronics USB audio device"
      
      * tag 'sound-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: caiaq: Fix stray URB at probe error path
        ALSA: seq: Fix use-after-free at creating a port
        ALSA: usb-audio: Kill stray URB at exiting
        ALSA: line6: Fix leftover URB at error-path during probe
        ALSA: line6: Fix NULL dereference at podhd_disconnect()
        ALSA: line6: Fix missing initialization before error path
        ALSA: seq: Fix copy_from_user() call inside lock
        ALSA: usb-audio: Add sample rate quirk for Plantronics P610
    • Merge branch 'waitid-fix' · 467251c6
      Linus Torvalds authored
      Merge waitid() fix from Kees Cook.
      
      I'd have hoped that the unsafe_{get|put}_user() naming would have
      avoided these kinds of stupid bugs, but no such luck.
      
      * waitid-fix:
        waitid(): Add missing access_ok() checks
    • powerpc/perf: Add ___GFP_NOWARN flag to alloc_pages_node() · cd4f2b30
      Anju T Sudhakar authored
      Stack trace output during a stress test:
       [    4.310049] Freeing initrd memory: 22592K
      [    4.310646] rtas_flash: no firmware flash support
      [    4.313341] cpuhp/64: page allocation failure: order:0, mode:0x14480c0(GFP_KERNEL|__GFP_ZERO|__GFP_THISNODE), nodemask=(null)
      [    4.313465] cpuhp/64 cpuset=/ mems_allowed=0
      [    4.313521] CPU: 64 PID: 392 Comm: cpuhp/64 Not tainted 4.11.0-39.el7a.ppc64le #1
      [    4.313588] Call Trace:
      [    4.313622] [c000000f1fb1b8e0] [c000000000c09388] dump_stack+0xb0/0xf0 (unreliable)
      [    4.313694] [c000000f1fb1b920] [c00000000030ef6c] warn_alloc+0x12c/0x1c0
      [    4.313753] [c000000f1fb1b9c0] [c00000000030ff68] __alloc_pages_nodemask+0xea8/0x1000
      [    4.313823] [c000000f1fb1bbb0] [c000000000113a8c] core_imc_mem_init+0xbc/0x1c0
      [    4.313892] [c000000f1fb1bc00] [c000000000113cdc] ppc_core_imc_cpu_online+0x14c/0x170
      [    4.313962] [c000000f1fb1bc90] [c000000000125758] cpuhp_invoke_callback+0x198/0x5d0
      [    4.314031] [c000000f1fb1bd00] [c00000000012782c] cpuhp_thread_fun+0x8c/0x3d0
      [    4.314101] [c000000f1fb1bd60] [c0000000001678d0] smpboot_thread_fn+0x290/0x2a0
      [    4.314169] [c000000f1fb1bdc0] [c00000000015ee78] kthread+0x168/0x1b0
      [    4.314229] [c000000f1fb1be30] [c00000000000b368] ret_from_kernel_thread+0x5c/0x74
      [    4.314313] Mem-Info:
      [    4.314356] active_anon:0 inactive_anon:0 isolated_anon:0
      
      core_imc_mem_init() at system boot uses alloc_pages_node() to get memory,
      and alloc_pages_node() throws this stack dump when trying to allocate
      memory from a node which has no memory behind it. Add a ___GFP_NOWARN
      flag to the allocation request as a fix.
      Signed-off-by: Anju T Sudhakar <anju@linux.vnet.ibm.com>
      Reported-by: Michael Ellerman <mpe@ellerman.id.au>
      Reported-by: Venkat R.B <venkatb3@in.ibm.com>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    • powerpc/perf: Fix for core/nest imc call trace on cpuhotplug · 0d923820
      Anju T Sudhakar authored
      Nest/core pmu units are enabled only when it is used. A reference count is
      maintained for the events which uses the nest/core pmu units. Currently in
      *_imc_counters_release function a WARN() is used for notification of any
      underflow of ref count.
      
      The case where event ref count hit a negative value is, when perf session is
      started, followed by offlining of all cpus in a given core.
      i.e. in cpuhotplug offline path ppc_core_imc_cpu_offline() function set the
      ref->count to zero, if the current cpu which is about to offline is the last
      cpu in a given core and make an OPAL call to disable the engine in that core.
      And on perf session termination, perf->destroy (core_imc_counters_release) will
      first decrement the ref->count for this core and based on the ref->count value
      an opal call is made to disable the core-imc engine.
      Now, since cpuhotplug path already clears the ref->count for core and disabled
      the engine, perf->destroy() decrementing again at event termination make it
      negative which in turn fires the WARN_ON. The same happens for nest units.
      
      Add a check to see if the reference count is already zero, before decrementing
      the count, so that the ref count will not hit a negative value.
      Signed-off-by: Anju T Sudhakar <anju@linux.vnet.ibm.com>
      Reviewed-by: Santosh Sivaraj <santosh@fossix.org>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    • MAINTAINERS: Add Paul Mackerras as maintainer for KVM/powerpc · 8a60aea6
      Thomas Huth authored
      Paul is handling almost all of the powerpc related KVM patches nowadays,
      so he should be mentioned in the MAINTAINERS file accordingly.
      Signed-off-by: Thomas Huth <thuth@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit · 8eb3f87d
      Haozhong Zhang authored
      When KVM emulates an exit from L2 to L1, it loads L1 CR4 into the
      guest CR4. Before this CR4 loading, the guest CR4 refers to L2
      CR4. Because these two CR4's are in different levels of guest, we
      should vmx_set_cr4() rather than kvm_set_cr4() here. The latter, which
      is used to handle guest writes to its CR4, checks the guest change to
      CR4 and may fail if the change is invalid.
      
      The failure may cause trouble. Consider we start
        a L1 guest with non-zero L1 PCID in use,
           (i.e. L1 CR4.PCIDE == 1 && L1 CR3.PCID != 0)
      and
        a L2 guest with L2 PCID disabled,
           (i.e. L2 CR4.PCIDE == 0)
      and following events may happen:
      
      1. If kvm_set_cr4() is used in load_vmcs12_host_state() to load L1 CR4
         into guest CR4 (in VMCS01) for L2 to L1 exit, it will fail because
         of PCID check. As a result, the guest CR4 recorded in L0 KVM (i.e.
         vcpu->arch.cr4) is left to the value of L2 CR4.
      
      2. Later, if L1 attempts to change its CR4, e.g., clearing VMXE bit,
         kvm_set_cr4() in L0 KVM will think L1 also wants to enable PCID,
         because the wrong L2 CR4 is used by L0 KVM as L1 CR4. As L1
         CR3.PCID != 0, L0 KVM will inject GP to L1 guest.
      
      Fixes: 4704d0be ("KVM: nVMX: Exiting from L2 to L1")
      Cc: qemu-stable@nongnu.org
      Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  3. 11 Oct, 2017 23 commits
    • ACPI: properties: Fix __acpi_node_get_property_reference() return codes · 51858a27
      Sakari Ailus authored
      Fix more return codes for device property: Align return codes of
      __acpi_node_get_property_reference().
      
      In particular, what was missed previously:
      
       -EPROTO could be returned in certain cases, now -EINVAL;
       -EINVAL was returned if the property was not found, now -ENOENT;
       -EINVAL was returned also if the index was higher than the number of
               entries in a package, now -ENOENT.
      Reported-by: Hyungwoo Yang <hyungwoo.yang@intel.com>
      Fixes: 3e3119d3 (device property: Introduce fwnode_property_get_reference_args)
      Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
      Tested-by: Hyungwoo Yang <hyungwoo.yang@intel.com>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    • ACPI: properties: Align return codes of __acpi_node_get_property_reference() · c343bc2c
      Sakari Ailus authored
      acpi_fwnode_get_reference_args(), the function implementing ACPI
      support for fwnode_property_get_reference_args(), returns directly
      error codes from __acpi_node_get_property_reference(). The latter
      uses different error codes than the OF implementation. In particular,
      the OF implementation uses -ENOENT to indicate that the property is
      not found, a reference entry is empty and there are no more
      references.
      
      Document and align the error codes for property for
      fwnode_property_get_reference_args() so that they match with
      of_parse_phandle_with_args().
      
      Fixes: 3e3119d3 (device property: Introduce fwnode_property_get_reference_args)
      Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    • Merge tag 'rpmsg-v4.14-fixes' of git://github.com/andersson/remoteproc · ff5abbe7
      Linus Torvalds authored
      Pull rpmsg fixes from Bjorn Andersson:
       "This corrects two mistakes in the Qualcomm GLINK SMEM driver"
      
      * tag 'rpmsg-v4.14-fixes' of git://github.com/andersson/remoteproc:
        rpmsg: glink: Fix memory leak in qcom_glink_alloc_intent()
        rpmsg: glink: Unlock on error in qcom_glink_request_intent()
    • Merge tag 'rproc-v4.14-fixes' of git://github.com/andersson/remoteproc · 9add7e3e
      Linus Torvalds authored
      Pull remoteproc fixes from Bjorn Andersson:
       "This fixes a couple of issues in the imx_rproc driver and corrects the
        Kconfig dependencies of the Qualcomm remoteproc drivers"
      
      * tag 'rproc-v4.14-fixes' of git://github.com/andersson/remoteproc:
        remoteproc: imx_rproc: fix return value check in imx_rproc_addr_init()
        remoteproc: qcom: fix RPMSG_QCOM_GLINK_SMEM dependencies
        remoteproc: imx_rproc: fix a couple off by one bugs
    • remoteproc: imx_rproc: fix return value check in imx_rproc_addr_init() · 68a39a3e
      Wei Yongjun authored
      In case of error, the function devm_ioremap() returns NULL pointer
      not ERR_PTR(). The IS_ERR() test in the return value check should
      be replaced with NULL test.
      Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
      Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
      Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    • xfs: handle error if xfs_btree_get_bufs fails · 93e8befc
      Eric Sandeen authored
      Jason reported that a corrupted filesystem failed to replay
      the log with a metadata block out of bounds warning:
      
      XFS (dm-2): _xfs_buf_find: Block out of range: block 0x80270fff8, EOFS 0x9c40000
      
      _xfs_buf_find() and xfs_btree_get_bufs() return NULL if
      that happens, and then when xfs_alloc_fix_freelist() calls
      xfs_trans_binval() on that NULL bp, we oops with:
      
      BUG: unable to handle kernel NULL pointer dereference at 00000000000000f8
      
      We don't handle _xfs_buf_find errors very well, every
      caller higher up the stack gets to guess at why it failed.
      But we should at least handle it somehow, so return
      EFSCORRUPTED here.
      Reported-by: Jason L Tibbitts III <tibbs@math.uh.edu>
      Signed-off-by: Eric Sandeen <sandeen@redhat.com>
      Reviewed-by: Christoph Hellwig <hch@lst.de>
      Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    • xfs: reinit btree pointer on attr tree inactivation walk · f35c5e10
      Brian Foster authored
      xfs_attr3_root_inactive() walks the attr fork tree to invalidate the
      associated blocks. xfs_attr3_node_inactive() recursively descends
      from internal blocks to leaf blocks, caching block address values
      along the way to revisit parent blocks, locate the next entry and
      descend down that branch of the tree.
      
      The code that attempts to reread the parent block is unsafe because
      it assumes that the local xfs_da_node_entry pointer remains valid
      after an xfs_trans_brelse() and re-read of the parent buffer. Under
      heavy memory pressure, it is possible that the buffer has been
      reclaimed and reallocated by the time the parent block is reread.
      This means that 'btree' can point to an invalid memory address, lead
      to a random/garbage value for child_fsb and cause the subsequent
      read of the attr fork to go off the rails and return a NULL buffer
      for an attr fork offset that is most likely not allocated.
      
      Note that this problem can be manufactured by setting
      XFS_ATTR_BTREE_REF to 0 to prevent LRU caching of attr buffers,
      creating a file with a multi-level attr fork and removing it to
      trigger inactivation.
      
      To address this problem, reinit the node/btree pointers to the
      parent buffer after it has been re-read. This ensures btree points
      to a valid record and allows the walk to proceed.
      Signed-off-by: Brian Foster <bfoster@redhat.com>
      Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    • xfs: Fix bool initialization/comparison · 749f24f3
      Thomas Meyer authored
      Bool initializations should use true and false. Bool tests don't need
      comparisons.
      Signed-off-by: Thomas Meyer <thomas@m3y3r.de>
      Reviewed-by: Brian Foster <bfoster@redhat.com>
      Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    • xfs: don't change inode mode if ACL update fails · 67f2ffe3
      Dave Chinner authored
      If we get ENOSPC half way through setting the ACL, the inode mode
      can still be changed even though the ACL does not exist. Reorder the
      operation to only change the mode of the inode if the ACL is set
      correctly.
      
      Whilst this does not fix the problem with crash consistency (that requires
      attribute addition to be a deferred op) it does prevent ENOSPC and other
      non-fatal errors setting an xattr to be handled sanely.
      
      This fixes xfstests generic/449.
      Signed-Off-By: Dave Chinner <dchinner@redhat.com>
      Reviewed-by: Brian Foster <bfoster@redhat.com>
      Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    • xfs: move more RT specific code under CONFIG_XFS_RT · bb9c2e54
      Dave Chinner authored
      Various utility functions and interfaces that iterate internal
      devices try to reference the realtime device even when RT support is
      not compiled into the kernel.
      
      Make sure this code is excluded from the CONFIG_XFS_RT=n build,
      and where appropriate stub functions to return fatal errors if
      they ever get called when RT support is not present.
      Signed-Off-By: Dave Chinner <dchinner@redhat.com>
      Reviewed-by: Brian Foster <bfoster@redhat.com>
      Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    • xfs: Don't log uninitialised fields in inode structures · 20413e37
      Dave Chinner authored
      Prevent kmemcheck from throwing warnings about reading uninitialised
      memory when formatting inodes into the incore log buffer. There are
      several issues here - we don't always log all the fields in the
      inode log format item, and we never log the inode the
      di_next_unlinked field.
      
      In the case of the inode log format item, this is exacerbated
      by the old xfs_inode_log_format structure padding issue. Hence make
      the padded, 64 bit aligned version of the structure the one we always
      use for formatting the log and get rid of the 64 bit variant. This
      means we'll always log the 64-bit version and so recovery only needs
      to convert from the unpadded 32 bit version from older 32 bit
      kernels.
      Signed-Off-By: Dave Chinner <dchinner@redhat.com>
      Tested-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Reviewed-by: Brian Foster <bfoster@redhat.com>
      Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    • 9p: set page uptodate when required in write_end() · 56ae414e
      Alexander Levin authored
      Commit 77469c3f prevented setting the page as uptodate when we wrote
      the right amount of data, fix that.
      
      Fixes: 77469c3f ("9p: saner ->write_end() on failing copy into non-uptodate page")
      Reviewed-by: Jan Kara <jack@suse.com>
      Signed-off-by: Alexander Levin <alexander.levin@verizon.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge tag 'gpio-v4.14-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · a0db2890
      Linus Torvalds authored
      Pull GPIO fixes from Linus Walleij:
       "Here are some smallish GPIO fixes for v4.14. Like with pin control:
        some build/Kconfig noise and one serious bug in a specific driver.
      
         - Three Kconfig/build warning fixes
      
         - A fix for lost edge IRQs in the OMAP driver"
      
      * tag 'gpio-v4.14-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
        gpio: omap: Fix lost edge interrupts
        gpio: omap: omap_gpio_show_rev is not __init
        gpio: acpi: work around false-positive -Wstring-overflow warning
        gpio: thunderx: select IRQ_DOMAIN_HIERARCHY instead of depends on
    • Merge tag 'pinctrl-v4.14-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · cc74613b
      Linus Torvalds authored
      Pull pin control fixes from Linus Walleij:
       "Two small things and a slightly larger thing in the Intel Cherryview.
      
         - Fix two build problems
      
         - Fix a regression on the Intel Cherryview interrupt path"
      
      * tag 'pinctrl-v4.14-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: cherryview: fix issues caused by dynamic gpio irqs mapping
        pinctrl/amd: Fix build dependency on pinmux code
        pinctrl: bcm2835: fix build warning in bcm2835_gpio_irq_handle_bank
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · ce386181
      Linus Torvalds authored
      Pull vfs fixes from Al Viro:
       "Fairly old DIO bug caught by Andreas (3.10+) and several slightly
        younger blk_rq_map_user_iov() bugs, both on map and copy codepaths
        (Vitaly and me)"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        bio_copy_user_iov(): don't ignore ->iov_offset
        more bio_map_user_iov() leak fixes
        fix unbalanced page refcounting in bio_map_user_iov
        direct-io: Prevent NULL pointer access in submit_page_section
    • ALSA: caiaq: Fix stray URB at probe error path · 99fee508
      Takashi Iwai authored
      caiaq driver doesn't kill the URB properly at its error path during
      the probe, which may lead to a use-after-free error later.  This patch
      addresses it.
      Reported-by: Johan Hovold <johan@kernel.org>
      Reviewed-by: Johan Hovold <johan@kernel.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
    • HID: hid-elecom: extend to fix descriptor for HUGE trackball · a0933a45
      Alex Manoussakis authored
      In addition to DEFT, Elecom introduced a larger trackball called HUGE, in
      both wired (M-HT1URBK) and wireless (M-HT1DRBK) versions. It has the same
      buttons and behavior as the DEFT. This patch adds the two relevant USB IDs
      to enable operation of the three Fn buttons on the top of the device.
      
      Cc: Diego Elio Petteno <flameeyes@flameeyes.eu>
      Signed-off-by: Alex Manoussakis <amanou@gnu.org>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    • HID: usbhid: fix out-of-bounds bug · f043bfc9
      Jaejoong Kim authored
      The hid descriptor identifies the length and type of subordinate
      descriptors for a device. If the received hid descriptor is smaller than
      the size of the struct hid_descriptor, it is possible to cause
      out-of-bounds.
      
      In addition, if bNumDescriptors of the hid descriptor have an incorrect
      value, this can also cause out-of-bounds while approaching hdesc->desc[n].
      
      So check the size of hid descriptor and bNumDescriptors.
      
      	BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20
      	Read of size 1 at addr ffff88006c5f8edf by task kworker/1:2/1261
      
      	CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted
      	4.14.0-rc1-42251-gebb2c243 #169
      	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      	Workqueue: usb_hub_wq hub_event
      	Call Trace:
      	__dump_stack lib/dump_stack.c:16
      	dump_stack+0x292/0x395 lib/dump_stack.c:52
      	print_address_description+0x78/0x280 mm/kasan/report.c:252
      	kasan_report_error mm/kasan/report.c:351
      	kasan_report+0x22f/0x340 mm/kasan/report.c:409
      	__asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
      	usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004
      	hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944
      	usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369
      	usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
      	really_probe drivers/base/dd.c:413
      	driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
      	__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
      	bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
      	__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
      	device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
      	bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
      	device_add+0xd0b/0x1660 drivers/base/core.c:1835
      	usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
      	generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
      	usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
      	really_probe drivers/base/dd.c:413
      	driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
      	__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
      	bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
      	__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
      	device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
      	bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
      	device_add+0xd0b/0x1660 drivers/base/core.c:1835
      	usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
      	hub_port_connect drivers/usb/core/hub.c:4903
      	hub_port_connect_change drivers/usb/core/hub.c:5009
      	port_event drivers/usb/core/hub.c:5115
      	hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
      	process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
      	worker_thread+0x221/0x1850 kernel/workqueue.c:2253
      	kthread+0x3a1/0x470 kernel/kthread.c:231
      	ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
      
      Cc: stable@vger.kernel.org
      Reported-by: Andrey Konovalov <andreyknvl@google.com>
      Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
      Tested-by: Andrey Konovalov <andreyknvl@google.com>
      Acked-by: Alan Stern <stern@rowland.harvard.edu>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
      f043bfc9
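The two checks named in the usbhid commit above (descriptor size and bNumDescriptors), as an added user-space example that is not part of the commit or the kernel's usbhid code. The helper name `hid_report_len`, the constants and the sample byte arrays are assumptions constructed for illustration; the field layout follows the USB HID class descriptor.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HID_DT_HID    0x21 /* HID descriptor */
#define HID_DT_REPORT 0x22 /* report descriptor */
#define HDR_LEN   6 /* bLength, bDescriptorType, bcdHID (2), bCountryCode, bNumDescriptors */
#define CLASS_LEN 3 /* bDescriptorType, wDescriptorLength (little endian) */

/* Hypothetical helper: returns the report descriptor length announced by a
 * HID descriptor, or -1 if the descriptor is malformed. `avail` is the number
 * of bytes actually received from the device. */
int hid_report_len(const uint8_t *buf, size_t avail)
{
    if (avail < HDR_LEN + CLASS_LEN)
        return -1;                      /* shorter than the fixed layout */
    size_t blen = buf[0];
    if (blen < HDR_LEN + CLASS_LEN || blen > avail || buf[1] != HID_DT_HID)
        return -1;                      /* bLength inconsistent with the data */
    /* Trust bNumDescriptors only as far as bLength has room for entries. */
    size_t fit = (blen - HDR_LEN) / CLASS_LEN;
    size_t want = buf[5];
    size_t n = want < fit ? want : fit;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *d = buf + HDR_LEN + i * CLASS_LEN;
        if (d[0] == HID_DT_REPORT)
            return d[1] | (d[2] << 8);
    }
    return -1;
}

/* Constructed sample descriptors, not captured from any device. */
static const uint8_t ok[]    = {0x09, 0x21, 0x11, 0x01, 0x00, 0x01, 0x22, 0x3f, 0x00};
static const uint8_t runt[]  = {0x04, 0x21, 0x11, 0x01};
/* bNumDescriptors = 2 but bLength = 9 holds one entry; the bytes after it
 * belong to whatever follows and must not be parsed as a second entry. */
static const uint8_t lying[] = {0x09, 0x21, 0x11, 0x01, 0x00, 0x02,
                                0x23, 0x10, 0x00, 0x22, 0xaa, 0xbb};

int main(void)
{
    printf("ok=%d runt=%d lying=%d truncated=%d\n",
           hid_report_len(ok, sizeof ok), hid_report_len(runt, sizeof runt),
           hid_report_len(lying, sizeof lying), hid_report_len(ok, 8));
    return 0;
}
```

Without the clamp on the entry count, the `lying` sample would be parsed past its declared bLength and yield a length taken from unrelated bytes.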
    • livepatch: unpatch all klp_objects if klp_module_coming fails · ef8daf8e
      Joe Lawrence authored
      When an incoming module is considered for livepatching by
      klp_module_coming(), it iterates over multiple patches and multiple
      kernel objects in this order:
      
      	list_for_each_entry(patch, &klp_patches, list) {
      		klp_for_each_object(patch, obj) {
      
      which means that if one of the kernel objects fails to patch,
      klp_module_coming()'s error path needs to unpatch and cleanup any kernel
      objects that were already patched by a previous patch.

      Reported-by: Miroslav Benes <mbenes@suse.cz>
      Suggested-by: Petr Mladek <pmladek@suse.com>
      Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
      Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
      Reviewed-by: Petr Mladek <pmladek@suse.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
      ef8daf8e
    • ALSA: seq: Fix use-after-free at creating a port · 71105998
      Takashi Iwai authored
      There is a potential race window opened at creating and deleting a
      port via ioctl, as spotted by fuzzing.  snd_seq_create_port() creates
      a port object and returns its pointer, but it doesn't take the
      refcount, thus it can be deleted immediately by another thread.
      Meanwhile, snd_seq_ioctl_create_port() still calls the function
      snd_seq_system_client_ev_port_start() with the created port object
      that is being deleted, and this triggers use-after-free like:
      
       BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
       =============================================================================
       BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
       -----------------------------------------------------------------------------
       INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
       	___slab_alloc+0x425/0x460
       	__slab_alloc+0x20/0x40
        	kmem_cache_alloc_trace+0x150/0x190
      	snd_seq_create_port+0x94/0x9b0 [snd_seq]
      	snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
       	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
       	snd_seq_ioctl+0x40/0x80 [snd_seq]
       	do_vfs_ioctl+0x54b/0xda0
       	SyS_ioctl+0x79/0x90
       	entry_SYSCALL_64_fastpath+0x16/0x75
       INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
       	__slab_free+0x204/0x310
       	kfree+0x15f/0x180
       	port_delete+0x136/0x1a0 [snd_seq]
       	snd_seq_delete_port+0x235/0x350 [snd_seq]
       	snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
       	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
       	snd_seq_ioctl+0x40/0x80 [snd_seq]
       	do_vfs_ioctl+0x54b/0xda0
       	SyS_ioctl+0x79/0x90
       	entry_SYSCALL_64_fastpath+0x16/0x75
       Call Trace:
        [<ffffffff81b03781>] dump_stack+0x63/0x82
        [<ffffffff81531b3b>] print_trailer+0xfb/0x160
        [<ffffffff81536db4>] object_err+0x34/0x40
        [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
        [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
        [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
        [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
        [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
        [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
        [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
        [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
        [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
        [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
        .....
      
      We may fix this in a few different ways, and in this patch, it's fixed
      simply by taking the refcount properly at snd_seq_create_port() and
      letting the caller unref the object after use.  Also, there is another
      potential use-after-free by sprintf() call in snd_seq_create_port(),
      and this is moved inside the lock.
      
      This fix covers CVE-2017-15265.

      Reported-and-tested-by: Michael23 Yu <ycqzsy@gmail.com>
      Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      71105998
    • bio_copy_user_iov(): don't ignore ->iov_offset · 1cfd0ddd
      Al Viro authored
      Since "block: support large requests in blk_rq_map_user_iov" we
      started to call it with partially drained iter; that works fine
      on the write side, but reads create a copy of iter for completion
      time.  And that needs to take the possibility of ->iov_iter != 0
      into account...
      
      Cc: stable@vger.kernel.org #v4.5+
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      1cfd0ddd
    • more bio_map_user_iov() leak fixes · 2b04e8f6
      Al Viro authored
      we need to take care of failure exit as well - pages already
      in bio should be dropped by analogue of bio_unmap_pages(),
      since their refcounts had been bumped only once per reference
      in bio.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      2b04e8f6
    • fix unbalanced page refcounting in bio_map_user_iov · 95d78c28
      Vitaly Mayatskikh authored
      bio_map_user_iov and bio_unmap_user do unbalanced pages refcounting if
      IO vector has small consecutive buffers belonging to the same page.
      bio_add_pc_page merges them into one, but the page reference is never
      dropped.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Vitaly Mayatskikh <v.mayatskih@gmail.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      95d78c28