1. 21 Jan, 2019 3 commits
    • sched/wake_q: Fix wakeup ordering for wake_q · 4c4e3731
      Peter Zijlstra authored
      Notably, cmpxchg() does not provide ordering when it fails, however
      wake_q_add() requires ordering in this specific case too. Without this
      it would be possible for the concurrent wakeup to not observe our
      prior state.
      
      Andrea Parri provided:
      
        C wake_up_q-wake_q_add
      
        {
      	int next = 0;
      	int y = 0;
        }
      
        P0(int *next, int *y)
        {
      	int r0;
      
      	/* in wake_up_q() */
      
      	WRITE_ONCE(*next, 1);   /* node->next = NULL */
      	smp_mb();               /* implied by wake_up_process() */
      	r0 = READ_ONCE(*y);
        }
      
        P1(int *next, int *y)
        {
      	int r1;
      
      	/* in wake_q_add() */
      
      	WRITE_ONCE(*y, 1);      /* wake_cond = true */
      	smp_mb__before_atomic();
      	r1 = cmpxchg_relaxed(next, 1, 2);
        }
      
        exists (0:r0=0 /\ 1:r1=0)
      
        This "exists" clause cannot be satisfied according to the LKMM:
      
        Test wake_up_q-wake_q_add Allowed
        States 3
        0:r0=0; 1:r1=1;
        0:r0=1; 1:r1=0;
        0:r0=1; 1:r1=1;
        No
        Witnesses
        Positive: 0 Negative: 3
        Condition exists (0:r0=0 /\ 1:r1=0)
        Observation wake_up_q-wake_q_add Never 0 3
      Reported-by: Yongji Xie <elohimes@gmail.com>
      Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Waiman Long <longman@redhat.com>
      Cc: Will Deacon <will.deacon@arm.com>
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
    • sched/wake_q: Document wake_q_add() · e6018c0f
      Peter Zijlstra authored
      The only guarantee provided by wake_q_add() is that a wakeup will
      happen after it, it does _NOT_ guarantee the wakeup will be delayed
      until the matching wake_up_q().
      
      If wake_q_add() fails the cmpxchg() a concurrent wakeup is pending and
      that can happen at any time after the cmpxchg(). This means we should
      not rely on the wakeup happening at wake_q_up(), but should be ready
      for wake_q_add() to issue the wakeup.
      
      The delay, if provided (most likely), should only result in more efficient
      behaviour.
      Reported-by: Yongji Xie <elohimes@gmail.com>
      Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Waiman Long <longman@redhat.com>
      Cc: Will Deacon <will.deacon@arm.com>
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
    • sched/wait: Fix rcuwait_wake_up() ordering · 6dc080ee
      Prateek Sood authored
      For some peculiar reason rcuwait_wake_up() has the right barrier in
      the comment, but not in the code.
      
      This mistake has been observed to cause a deadlock in the following
      situation:
      
          P1					P2
      
          percpu_up_read()			percpu_down_write()
            rcu_sync_is_idle() // false
      					  rcu_sync_enter()
      					  ...
            __percpu_up_read()
      
      [S] ,-  __this_cpu_dec(*sem->read_count)
          |   smp_rmb();
      [L] |   task = rcu_dereference(w->task) // NULL
          |
          |				    [S]	    w->task = current
          |					    smp_mb();
          |				    [L]	    readers_active_check() // fail
          `-> <store happens here>
      
      Where the smp_rmb() (obviously) fails to constrain the store.
      
      [ peterz: Added changelog. ]
      Signed-off-by: Prateek Sood <prsood@codeaurora.org>
      Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: Andrea Parri <andrea.parri@amarulasolutions.com>
      Acked-by: Davidlohr Bueso <dbueso@suse.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 8f95c90c ("sched/wait, RCU: Introduce rcuwait machinery")
      Link: https://lkml.kernel.org/r/1543590656-7157-1-git-send-email-prsood@codeaurora.org
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
  2. 18 Jan, 2019 4 commits
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · d7393226
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "Not much so far. We have the usual batch of bugs and two fixes to code
        merged this cycle:
      
         - Restore valgrind support for the ioctl verbs interface merged this
           window, and fix a missed error code on an error path from that
           conversion
      
         - A user reported crash on obsolete mthca hardware
      
         - pvrdma was using the wrong command opcode toward the hypervisor
      
         - NULL pointer crash regression when dumping rdma-cm over netlink
      
         - Be conservative about exposing the global rkey"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/uverbs: Mark ioctl responses with UVERBS_ATTR_F_VALID_OUTPUT
        RDMA/mthca: Clear QP objects during their allocation
        RDMA/vmw_pvrdma: Return the correct opcode when creating WR
        RDMA/cma: Add cm_id restrack resource based on kernel or user cm_id type
        RDMA/nldev: Don't expose unsafe global rkey to regular user
        RDMA/uverbs: Fix post send success return value in case of error
    • Merge tag 'drm-fixes-2019-01-18' of git://anongit.freedesktop.org/drm/drm · 1092a94f
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "The rc3 fixes are a bit scattered:
      
         - meson, sun4i and rockchip all had missing of_node_put.
      
         - qxl and virtio both were advertising dma-buf to userspace when they
           really shouldn't have.
      
        Otherwise:
      
        meson:
         - modesetting regression fix
      
        i915 GVT:
         - one cmd parser failure fix
         - region cleanup fix in vGPU destroy
      
        amdgpu:
         - KFD fixes for arm64 mixed APU/DGPU
         - vega12 powerplay fix
         - raven DC fixes
         - freesync fix"
      
      * tag 'drm-fixes-2019-01-18' of git://anongit.freedesktop.org/drm/drm:
        drm/amd/display: Detach backlight from stream
        drm/sun4i: backend: add missing of_node_puts
        Revert "drm/amdgpu: validate user pitch alignment"
        Revert "drm/amdgpu: validate user GEM object size"
        drm/meson: Fix atomic mode switching regression
        drm/i915/gvt: Fix mmap range check
        drm/i915/gvt: free VFIO region space in vgpu detach
        drm/amd/display: Fix disabled cursor on top screen edge
        drm/amd/display: fix warning on raven hotplug
        drm/amd/display: fix PME notification not working in RV desktop
        drm/amd/display: Only get the connector state for VRR when toggled
        drm/amd/display: Pack DMCU iRAM alignment
        drm/amd/powerplay: run acg btc for Vega12
        drm/amdkfd: Don't assign dGPUs to APU topology devices
        drm/amdkfd: Allow building KFD on ARM64 (v2)
        drm/meson: add missing of_node_put
        drm/virtio: drop prime import/export callbacks
        drm/qxl: drop prime import/export callbacks
        drm/i915/gvt: Allow F_CMD_ACCESS on mmio 0x21f0
        drm/rockchip: add missing of_node_put
    • Merge tag 'led-fix-for-5.0-rc3' of... · 2451f371
      Linus Torvalds authored
      Merge tag 'led-fix-for-5.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds
      
      Pull LED fix from Jacek Anaszewski.
      
      * tag 'led-fix-for-5.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds:
        leds: lp5523: fix a missing check of return value of lp55xx_read
    • Merge tag 'hwmon-for-v5.0-rc3' of... · 0a2fbed8
      Linus Torvalds authored
      Merge tag 'hwmon-for-v5.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
      
      Pull hwmon fixes from Guenter Roeck:
       "Minor fixes/regressions"
      
      * tag 'hwmon-for-v5.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
        hwmon: (tmp421) Correct the misspelling of the tmp442 compatible attribute in OF device ID table
        hwmon: (occ) Fix potential integer overflow
        hwmon: (lm80) Fix missing unlock on error in set_fan_div()
        hwmon: (nct6775) Enable IO mapping for NCT6797D and NCT6798D
        hwmon: (nct6775) Fix chip ID for NCT6798D
  3. 17 Jan, 2019 18 commits
  4. 16 Jan, 2019 11 commits
  5. 15 Jan, 2019 4 commits
    • drm/sun4i: backend: add missing of_node_puts · 4bb0e6d7
      Julia Lawall authored
      The device node iterators perform an of_node_get on each
      iteration, so a jump out of the loop requires an of_node_put.
      
      Remote and port also have augmented reference counts, so drop them
      on each iteration and at the end of the function, respectively.
      Remote is only used for the address it contains, not for the
      contents of that address, so the reference count can be dropped
      immediately.
      
      The semantic patch that fixes the first part of this problem is
      as follows (http://coccinelle.lip6.fr):
      
      // <smpl>
      @@
      expression root,e;
      local idexpression child;
      iterator name for_each_child_of_node;
      @@
      
       for_each_available_child_of_node(root, child) {
         ... when != of_node_put(child)
             when != e = child
      +  of_node_put(child);
      ?  break;
         ...
      }
      ... when != child
      // </smpl>
      Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
      Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/1547369264-24831-5-git-send-email-Julia.Lawall@lip6.fr
    • seccomp: fix UAF in user-trap code · a811dc61
      Tycho Andersen authored
      On the failure path, we do an fput() of the listener fd if the filter fails
      to install (e.g. because of a TSYNC race that's lost, or if the thread is
      killed, etc.). fput() doesn't actually release the fd, it just adds it to a
      work queue. Then the thread proceeds to free the filter, even though the
      listener struct file has a reference to it.
      
      To fix this, on the failure path let's set the private data to null, so we
      know in ->release() to ignore the filter.
      
      Reported-by: syzbot+981c26489b2d1c6316ba@syzkaller.appspotmail.com
      Fixes: 6a21cc50 ("seccomp: add a return code to trap to userspace")
      Signed-off-by: Tycho Andersen <tycho@tycho.ws>
      Acked-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: James Morris <james.morris@microsoft.com>
    • Merge tag 'trace-v5.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 7939f8be
      Linus Torvalds authored
      Pull tracing fix from Steven Rostedt:
       "Andrea Righi fixed a NULL pointer dereference in trace_kprobe_create()
      
        It is possible to trigger a NULL pointer dereference by writing an
        incorrectly formatted string to the kprobe_events file"
      
      * tag 'trace-v5.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing/kprobes: Fix NULL pointer dereference in trace_kprobe_create()
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · e8746440
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix regression in multi-SKB responses to RTM_GETADDR, from Arthur
          Gautier.
      
       2) Fix ipv6 frag parsing in openvswitch, from Yi-Hung Wei.
      
       3) Unbounded recursion in ipv4 and ipv6 GUE tunnels, from Stefano
          Brivio.
      
       4) Use after free in hns driver, from Yonglong Liu.
      
       5) icmp6_send() needs to handle the case of NULL skb, from Eric
          Dumazet.
      
       6) Missing rcu read lock in __inet6_bind() when operating on mapped
          addresses, from David Ahern.
      
       7) Memory leak in tipc-nl_compat_publ_dump(), from Gustavo A. R. Silva.
      
       8) Fix PHY vs r8169 module loading ordering issues, from Heiner
          Kallweit.
      
       9) Fix bridge vlan memory leak, from Ido Schimmel.
      
      10) Dev refcount leak in AF_PACKET, from Jason Gunthorpe.
      
      11) Infoleak in ipv6_local_error(), flow label isn't completely
          initialized. From Eric Dumazet.
      
      12) Handle mv88e6390 errata, from Andrew Lunn.
      
      13) Making vhost/vsock CID hashing consistent, from Zha Bin.
      
      14) Fix lack of UMH cleanup when it unexpectedly exits, from Taehee Yoo.
      
      15) Bridge forwarding must clear skb->tstamp, from Paolo Abeni.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (87 commits)
        bnxt_en: Fix context memory allocation.
        bnxt_en: Fix ring checking logic on 57500 chips.
        mISDN: hfcsusb: Use struct_size() in kzalloc()
        net: clear skb->tstamp in bridge forwarding path
        net: bpfilter: disallow to remove bpfilter module while being used
        net: bpfilter: restart bpfilter_umh when error occurred
        net: bpfilter: use cleanup callback to release umh_info
        umh: add exit routine for UMH process
        isdn: i4l: isdn_tty: Fix some concurrency double-free bugs
        vhost/vsock: fix vhost vsock cid hashing inconsistent
        net: stmmac: Prevent RX starvation in stmmac_napi_poll()
        net: stmmac: Fix the logic of checking if RX Watchdog must be enabled
        net: stmmac: Check if CBS is supported before configuring
        net: stmmac: dwxgmac2: Only clear interrupts that are active
        net: stmmac: Fix PCI module removal leak
        tools/bpf: fix bpftool map dump with bitfields
        tools/bpf: test btf bitfield with >=256 struct member offset
        bpf: fix bpffs bitfield pretty print
        net: ethernet: mediatek: fix warning in phy_start_aneg
        tcp: change txhash on SYN-data timeout
        ...