1. 16 Apr, 2019 2 commits
    • Ian Abbott's avatar
      staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf · 663d294b
      Ian Abbott authored
      `vmk80xx_alloc_usb_buffers()` is called from `vmk80xx_auto_attach()` to
      allocate RX and TX buffers for USB transfers.  It allocates
      `devpriv->usb_rx_buf` followed by `devpriv->usb_tx_buf`.  If the
      allocation of `devpriv->usb_tx_buf` fails, it frees
      `devpriv->usb_rx_buf`,  leaving the pointer set dangling, and returns an
      error.  Later, `vmk80xx_detach()` will be called from the core comedi
      module code to clean up.  `vmk80xx_detach()` also frees both
      `devpriv->usb_rx_buf` and `devpriv->usb_tx_buf`, but
      `devpriv->usb_rx_buf` may have already been freed, leading to a
      double-free error.  Fix it by removing the call to
      `kfree(devpriv->usb_rx_buf)` from `vmk80xx_alloc_usb_buffers()`, relying
      on `vmk80xx_detach()` to free the memory.
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      663d294b
    • Ian Abbott's avatar
      staging: comedi: vmk80xx: Fix use of uninitialized semaphore · 08b7c2f9
      Ian Abbott authored
      If `vmk80xx_auto_attach()` returns an error, the core comedi module code
      will call `vmk80xx_detach()` to clean up.  If `vmk80xx_auto_attach()`
      successfully allocated the comedi device private data,
      `vmk80xx_detach()` assumes that a `struct semaphore limit_sem` contained
      in the private data has been initialized and uses it.  Unfortunately,
      there are a couple of places where `vmk80xx_auto_attach()` can return an
      error after allocating the device private data but before initializing
      the semaphore, so this assumption is invalid.  Fix it by initializing
      the semaphore just after allocating the private data in
      `vmk80xx_auto_attach()` before any other errors can be returned.
      
      I believe this was the cause of the following syzbot crash report
      <https://syzkaller.appspot.com/bug?extid=54c2f58f15fe6876b6ad>:
      
      usb 1-1: config 0 has no interface number 0
      usb 1-1: New USB device found, idVendor=10cf, idProduct=8068, bcdDevice=e6.8d
      usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
      usb 1-1: config 0 descriptor??
      vmk80xx 1-1:0.117: driver 'vmk80xx' failed to auto-configure device.
      INFO: trying to register non-static key.
      the code is fine but needs lockdep annotation.
      turning off the locking correctness validator.
      CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: usb_hub_wq hub_event
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0xe8/0x16e lib/dump_stack.c:113
       assign_lock_key kernel/locking/lockdep.c:786 [inline]
       register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095
       __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582
       lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0x44/0x60 kernel/locking/spinlock.c:152
       down+0x12/0x80 kernel/locking/semaphore.c:58
       vmk80xx_detach+0x59/0x100 drivers/staging/comedi/drivers/vmk80xx.c:829
       comedi_device_detach+0xed/0x800 drivers/staging/comedi/drivers.c:204
       comedi_device_cleanup.part.0+0x68/0x140 drivers/staging/comedi/comedi_fops.c:156
       comedi_device_cleanup drivers/staging/comedi/comedi_fops.c:187 [inline]
       comedi_free_board_dev.part.0+0x16/0x90 drivers/staging/comedi/comedi_fops.c:190
       comedi_free_board_dev drivers/staging/comedi/comedi_fops.c:189 [inline]
       comedi_release_hardware_device+0x111/0x140 drivers/staging/comedi/comedi_fops.c:2880
       comedi_auto_config.cold+0x124/0x1b0 drivers/staging/comedi/drivers.c:1068
       usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
       really_probe+0x2da/0xb10 drivers/base/dd.c:509
       driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
       __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
       bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
       __device_attach+0x223/0x3a0 drivers/base/dd.c:844
       bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
       device_add+0xad2/0x16e0 drivers/base/core.c:2106
       usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021
       generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
       usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
       really_probe+0x2da/0xb10 drivers/base/dd.c:509
       driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
       __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
       bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
       __device_attach+0x223/0x3a0 drivers/base/dd.c:844
       bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
       device_add+0xad2/0x16e0 drivers/base/core.c:2106
       usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534
       hub_port_connect drivers/usb/core/hub.c:5089 [inline]
       hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
       port_event drivers/usb/core/hub.c:5350 [inline]
       hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432
       process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
       worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
       kthread+0x313/0x420 kernel/kthread.c:253
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
      
      Reported-by: syzbot+54c2f58f15fe6876b6ad@syzkaller.appspotmail.com
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      08b7c2f9
  2. 02 Apr, 2019 2 commits
    • Christian Gromm's avatar
      staging: most: core: use device description as name · 131ac622
      Christian Gromm authored
      This patch uses the device description to clearly identity a device
      attached to the bus. It is needed as the currently useed mdevX
      notation is not sufficiant in case more than one network
      interface controller is being used at the same time.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarChristian Gromm <christian.gromm@microchip.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      131ac622
    • Greg Kroah-Hartman's avatar
      Merge tag 'iio-fixes-for-5.1a' of... · 360b921b
      Greg Kroah-Hartman authored
      Merge tag 'iio-fixes-for-5.1a' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus
      
      Jonathan writes:
      
      First set of IIO fixes for the 5.1 cycle.
      
      Mostly the usual mix, but the bme680 SPI fix is much larger than
      I would normally like.  It never worked, but conversely we have
      code there that would make people expect it to do so.  Chances
      of side effects are very low.
      
      * core
        - Fix an uninitialised bitaks that could potentially result in random
          channels being enabled on startup.
      * ad7192
        - Fix a wrong channel address for ad7193.
      * ade7854
        - Fix a typo that results in returning peak voltage instead of peak current.
      * at91
        - Fix a potential hang due to a race on interrupt setting.
      * bmg160
        - Fix scale factor of temperature
      * bme680
        - Fix scale factor of temperature
        - Fix SPI read interface.  This is a bit of a large patch as it seems
          that it never worked.  It's major for this driver but is unlikely to
          have any negative side effects.
      * kxcjk1013
        - restore sensor range setting after resume.
      * mcp4725
        - make sure to store powerdown bits when storing to the eeprom.
      * mpu3050
        - Mask the chip ID correctly as we have chips that set the bother bits of
          this register.
      * sgp30
        - Fix a missing Kconfig block that means the driver doesn't actually ever
          get built.
      
      * tag 'iio-fixes-for-5.1a' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio:
        iio: core: fix a possible circular locking dependency
        iio: ad_sigma_delta: select channel when reading register
        iio: pms7003: select IIO_TRIGGERED_BUFFER
        iio: cros_ec: Fix the maths for gyro scale calculation
        iio: adc: xilinx: prevent touching unclocked h/w on remove
        iio: adc: xilinx: fix potential use-after-free on probe
        iio: adc: xilinx: fix potential use-after-free on remove
        iio: dac: mcp4725: add missing powerdown bits in store eeprom
        io: accel: kxcjk1013: restore the range after resume.
        iio:chemical:bme680: Fix SPI read interface
        iio:chemical:bme680: Fix, report temperature in millidegrees
        iio: chemical: fix missing Kconfig block for sgp30
        iio: adc: at91: disable adc channel interrupt in timeout case
        iio: gyro: mpu3050: fix chip ID reading
        iio: Fix scan mask selection
        staging: iio: ad7192: Fix ad7193 channel address
        iio/gyro/bmg160: Use millidegrees for temperature scale
        Staging: iio: meter: fixed typo
      360b921b
  3. 31 Mar, 2019 10 commits
    • Linus Torvalds's avatar
      Linux 5.1-rc3 · 79a3aaa7
      Linus Torvalds authored
      79a3aaa7
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 63fc9c23
      Linus Torvalds authored
      Pull KVM fixes from Paolo Bonzini:
       "A collection of x86 and ARM bugfixes, and some improvements to
        documentation.
      
        On top of this, a cleanup of kvm_para.h headers, which were exported
        by some architectures even though they not support KVM at all. This is
        responsible for all the Kbuild changes in the diffstat"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (28 commits)
        Documentation: kvm: clarify KVM_SET_USER_MEMORY_REGION
        KVM: doc: Document the life cycle of a VM and its resources
        KVM: selftests: complete IO before migrating guest state
        KVM: selftests: disable stack protector for all KVM tests
        KVM: selftests: explicitly disable PIE for tests
        KVM: selftests: assert on exit reason in CR4/cpuid sync test
        KVM: x86: update %rip after emulating IO
        x86/kvm/hyper-v: avoid spurious pending stimer on vCPU init
        kvm/x86: Move MSR_IA32_ARCH_CAPABILITIES to array emulated_msrs
        KVM: x86: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts
        kvm: don't redefine flags as something else
        kvm: mmu: Used range based flushing in slot_handle_level_range
        KVM: export <linux/kvm_para.h> and <asm/kvm_para.h> iif KVM is supported
        KVM: x86: remove check on nr_mmu_pages in kvm_arch_commit_memory_region()
        kvm: nVMX: Add a vmentry check for HOST_SYSENTER_ESP and HOST_SYSENTER_EIP fields
        KVM: SVM: Workaround errata#1096 (insn_len maybe zero on SMAP violation)
        KVM: Reject device ioctls from processes other than the VM's creator
        KVM: doc: Fix incorrect word ordering regarding supported use of APIs
        KVM: x86: fix handling of role.cr4_pae and rename it to 'gpte_size'
        KVM: nVMX: Do not inherit quadrant and invalid for the root shadow EPT
        ...
      63fc9c23
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 915ee0da
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
       "A pile of x86 updates:
      
         - Prevent exceeding he valid physical address space in the /dev/mem
           limit checks.
      
         - Move all header content inside the header guard to prevent compile
           failures.
      
         - Fix the bogus __percpu annotation in this_cpu_has() which makes
           sparse very noisy.
      
         - Disable switch jump tables completely when retpolines are enabled.
      
         - Prevent leaking the trampoline address"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/realmode: Make set_real_mode_mem() static inline
        x86/cpufeature: Fix __percpu annotation in this_cpu_has()
        x86/mm: Don't exceed the valid physical address space
        x86/retpolines: Disable switch jump tables when retpolines are enabled
        x86/realmode: Don't leak the trampoline kernel address
        x86/boot: Fix incorrect ifdeffery scope
        x86/resctrl: Remove unused variable
      915ee0da
    • Linus Torvalds's avatar
      Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 590627f7
      Linus Torvalds authored
      Pull perf tooling fixes from Thomas Gleixner:
       "Core libraries:
         - Fix max perf_event_attr.precise_ip detection.
         - Fix parser error for uncore event alias
         - Fixup ordering of kernel maps after obtaining the main kernel map
           address.
      
        Intel PT:
         - Fix TSC slip where A TSC packet can slip past MTC packets so that
           the timestamp appears to go backwards.
         - Fixes for exported-sql-viewer GUI conversion to python3.
      
        ARM coresight:
         - Fix the build by adding a missing case value for enumeration value
           introduced in newer library, that now is the required one.
      
        tool headers:
         - Syncronize kernel headers with the kernel, getting new io_uring and
           pidfd_send_signal syscalls so that 'perf trace' can handle them"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf pmu: Fix parser error for uncore event alias
        perf scripts python: exported-sql-viewer.py: Fix python3 support
        perf scripts python: exported-sql-viewer.py: Fix never-ending loop
        perf machine: Update kernel map address and re-order properly
        tools headers uapi: Sync powerpc's asm/kvm.h copy with the kernel sources
        tools headers: Update x86's syscall_64.tbl and uapi/asm-generic/unistd
        tools headers uapi: Update drm/i915_drm.h
        tools arch x86: Sync asm/cpufeatures.h with the kernel sources
        tools headers uapi: Sync linux/fcntl.h to get the F_SEAL_FUTURE_WRITE addition
        tools headers uapi: Sync asm-generic/mman-common.h and linux/mman.h
        perf evsel: Fix max perf_event_attr.precise_ip detection
        perf intel-pt: Fix TSC slip
        perf cs-etm: Add missing case value
      590627f7
    • Linus Torvalds's avatar
      Merge branch 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · c29d8541
      Linus Torvalds authored
      Pull CPU hotplug fixes from Thomas Gleixner:
       "Two SMT/hotplug related fixes:
      
         - Prevent crash when HOTPLUG_CPU is disabled and the CPU bringup
           aborts. This is triggered with the 'nosmt' command line option, but
           can happen by any abort condition. As the real unplug code is not
           compiled in, prevent the fail by keeping the CPU in zombie state.
      
         - Enforce HOTPLUG_CPU for SMP on x86 to avoid the above situation
           completely. With 'nosmt' being a popular option it's required to
           unplug the half brought up sibling CPUs (due to the MCE wreckage)
           completely"
      
      * 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/smp: Enforce CONFIG_HOTPLUG_CPU when SMP=y
        cpu/hotplug: Prevent crash when CPU bringup fails on CONFIG_HOTPLUG_CPU=n
      c29d8541
    • Linus Torvalds's avatar
      Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 573efdc5
      Linus Torvalds authored
      Pull locking fixlet from Thomas Gleixner:
       "Trivial update to the maintainers file"
      
      * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        MAINTAINERS: Remove deleted file from futex file pattern
      573efdc5
    • Linus Torvalds's avatar
      Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · f78b5be2
      Linus Torvalds authored
      Pull core fixes from Thomas Gleixner:
       "A small set of core updates:
      
         - Make the watchdog respect the selected CPU mask again. That was
           broken by the rework of the watchdog thread management and caused
           inconsistent state and NMI watchdog being unstoppable.
      
         - Ensure that the objtool build can find the libelf location.
      
         - Remove dead kcore stub code"
      
      * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        watchdog: Respect watchdog cpumask on CPU hotplug
        objtool: Query pkg-config for libelf location
        proc/kcore: Remove unused kclist_add_remap()
      f78b5be2
    • Linus Torvalds's avatar
      Merge tag 'powerpc-5.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 6536c5f2
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "Three non-regression fixes.
      
         - Our optimised memcmp could read past the end of one of the buffers
           and potentially trigger a page fault leading to an oops.
      
         - Some of our code to read energy management data on PowerVM had an
           endian bug leading to bogus results.
      
         - When reporting a machine check exception we incorrectly reported
           TLB multihits as D-Cache multhits due to a missing entry in the
           array of causes.
      
        Thanks to: Chandan Rajendra, Gautham R. Shenoy, Mahesh Salgaonkar,
        Segher Boessenkool, Vaidyanathan Srinivasan"
      
      * tag 'powerpc-5.1-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/pseries/mce: Fix misleading print for TLB mutlihit
        powerpc/pseries/energy: Use OF accessor functions to read ibm,drc-indexes
        powerpc/64: Fix memcmp reading past the end of src/dest
      6536c5f2
    • Linus Torvalds's avatar
      Merge tag 'dmaengine-fix-5.1-rc3' of git://git.infradead.org/users/vkoul/slave-dma · c877b3df
      Linus Torvalds authored
      Pull dmaengine fixes from Vinod Koul:
      
       - Revert "dmaengine: stm32-mdma: Add a check on read_u32_array" as that
         caused regression
      
       - Fix MAINTAINER file uniphier-mdmac.c file path
      
      * tag 'dmaengine-fix-5.1-rc3' of git://git.infradead.org/users/vkoul/slave-dma:
        MAINTAINERS: Fix uniphier-mdmac.c file path
        dmaengine: stm32-mdma: Revert "dmaengine: stm32-mdma: Add a check on read_u32_array"
      c877b3df
    • Fabrice Gasnier's avatar
      iio: core: fix a possible circular locking dependency · 7f75591f
      Fabrice Gasnier authored
      This fixes a possible circular locking dependency detected warning seen
      with:
      - CONFIG_PROVE_LOCKING=y
      - consumer/provider IIO devices (ex: "voltage-divider" consumer of "adc")
      
      When using the IIO consumer interface, e.g. iio_channel_get(), the consumer
      device will likely call iio_read_channel_raw() or similar that rely on
      'info_exist_lock' mutex.
      
      typically:
      ...
      	mutex_lock(&chan->indio_dev->info_exist_lock);
      	if (chan->indio_dev->info == NULL) {
      		ret = -ENODEV;
      		goto err_unlock;
      	}
      	ret = do_some_ops()
      err_unlock:
      	mutex_unlock(&chan->indio_dev->info_exist_lock);
      	return ret;
      ...
      
      Same mutex is also hold in iio_device_unregister().
      
      The following deadlock warning happens when:
      - the consumer device has called an API like iio_read_channel_raw()
        at least once.
      - the consumer driver is unregistered, removed (unbind from sysfs)
      
      ======================================================
      WARNING: possible circular locking dependency detected
      4.19.24 #577 Not tainted
      ------------------------------------------------------
      sh/372 is trying to acquire lock:
      (kn->count#30){++++}, at: kernfs_remove_by_name_ns+0x3c/0x84
      
      but task is already holding lock:
      (&dev->info_exist_lock){+.+.}, at: iio_device_unregister+0x18/0x60
      
      which lock already depends on the new lock.
      
      the existing dependency chain (in reverse order) is:
      
      -> #1 (&dev->info_exist_lock){+.+.}:
             __mutex_lock+0x70/0xa3c
             mutex_lock_nested+0x1c/0x24
             iio_read_channel_raw+0x1c/0x60
             iio_read_channel_info+0xa8/0xb0
             dev_attr_show+0x1c/0x48
             sysfs_kf_seq_show+0x84/0xec
             seq_read+0x154/0x528
             __vfs_read+0x2c/0x15c
             vfs_read+0x8c/0x110
             ksys_read+0x4c/0xac
             ret_fast_syscall+0x0/0x28
             0xbedefb60
      
      -> #0 (kn->count#30){++++}:
             lock_acquire+0xd8/0x268
             __kernfs_remove+0x288/0x374
             kernfs_remove_by_name_ns+0x3c/0x84
             remove_files+0x34/0x78
             sysfs_remove_group+0x40/0x9c
             sysfs_remove_groups+0x24/0x34
             device_remove_attrs+0x38/0x64
             device_del+0x11c/0x360
             cdev_device_del+0x14/0x2c
             iio_device_unregister+0x24/0x60
             release_nodes+0x1bc/0x200
             device_release_driver_internal+0x1a0/0x230
             unbind_store+0x80/0x130
             kernfs_fop_write+0x100/0x1e4
             __vfs_write+0x2c/0x160
             vfs_write+0xa4/0x17c
             ksys_write+0x4c/0xac
             ret_fast_syscall+0x0/0x28
             0xbe906840
      
      other info that might help us debug this:
      
       Possible unsafe locking scenario:
      
             CPU0                    CPU1
             ----                    ----
        lock(&dev->info_exist_lock);
                                     lock(kn->count#30);
                                     lock(&dev->info_exist_lock);
        lock(kn->count#30);
      
       *** DEADLOCK ***
      ...
      
      cdev_device_del() can be called without holding the lock. It should be safe
      as info_exist_lock prevents kernelspace consumers to use the exported
      routines during/after provider removal. cdev_device_del() is for userspace.
      
      Help to reproduce:
      See example: Documentation/devicetree/bindings/iio/afe/voltage-divider.txt
      sysv {
      	compatible = "voltage-divider";
      	io-channels = <&adc 0>;
      	output-ohms = <22>;
      	full-ohms = <222>;
      };
      
      First, go to iio:deviceX for the "voltage-divider", do one read:
      $ cd /sys/bus/iio/devices/iio:deviceX
      $ cat in_voltage0_raw
      
      Then, unbind the consumer driver. It triggers above deadlock warning.
      $ cd /sys/bus/platform/drivers/iio-rescale/
      $ echo sysv > unbind
      
      Note I don't actually expect stable will pick this up all the
      way back into IIO being in staging, but if's probably valid that
      far back.
      Signed-off-by: default avatarFabrice Gasnier <fabrice.gasnier@st.com>
      Fixes: ac917a81 ("staging:iio:core set the iio_dev.info pointer to null on unregister")
      Cc: <Stable@vger.kernel.org>
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      7f75591f
  4. 30 Mar, 2019 10 commits
    • Linus Torvalds's avatar
      Merge tag 'led-fixes-for-5.1-rc3' of... · b5c8314f
      Linus Torvalds authored
      Merge tag 'led-fixes-for-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds
      
      Pull LED fixes from Jacek Anaszewski:
      
       - fix refcnt leak on interface rename
      
       - use memcpy in device_name_store() to avoid including garbage from a
         previous, longer value in the device_name
      
       - fix a potential NULL pointer dereference in case of_match_device()
         cannot find a match
      
      * tag 'led-fixes-for-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds:
        leds: trigger: netdev: use memcpy in device_name_store
        leds: pca9532: fix a potential NULL pointer dereference
        leds: trigger: netdev: fix refcnt leak on interface rename
      b5c8314f
    • Linus Torvalds's avatar
      Merge tag 'gpio-v5.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · 3af9a525
      Linus Torvalds authored
      Pull GPIO fixes from Linus Walleij:
       "As you can see [in the git history] I was away on leave and Bartosz
        kindly stepped in and collected a slew of fixes, I pulled them into my
        tree in two sets and merged some two more fixes (fixing my own caused
        bugs) on top.
      
        Summary:
      
         - Revert the extended use of gpio_set_config() and think about how we
           can do this properly.
      
         - Fix up the SPI CS GPIO handling so it now works properly on the SPI
           bus children, as intended.
      
         - Error paths and driver fixes"
      
      * tag 'gpio-v5.1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
        gpio: mockup: use simple_read_from_buffer() in debugfs read callback
        gpio: of: Fix of_gpiochip_add() error path
        gpio: of: Check for "spi-cs-high" in child instead of parent node
        gpio: of: Check propname before applying "cs-gpios" quirks
        gpio: mockup: fix debugfs read
        Revert "gpio: use new gpio_set_config() helper in more places"
        gpio: aspeed: fix a potential NULL pointer dereference
        gpio: amd-fch: Fix bogus SPDX identifier
        gpio: adnp: Fix testing wrong value in adnp_gpio_direction_input
        gpio: exar: add a check for the return value of ida_simple_get fails
      3af9a525
    • Rasmus Villemoes's avatar
      leds: trigger: netdev: use memcpy in device_name_store · 90934643
      Rasmus Villemoes authored
      If userspace doesn't end the input with a newline (which can easily
      happen if the write happens from a C program that does write(fd,
      iface, strlen(iface))), we may end up including garbage from a
      previous, longer value in the device_name. For example
      
      # cat device_name
      
      # printf 'eth12' > device_name
      # cat device_name
      eth12
      # printf 'eth3' > device_name
      # cat device_name
      eth32
      
      I highly doubt anybody is relying on this behaviour, so switch to
      simply copying the bytes (we've already checked that size is <
      IFNAMSIZ) and unconditionally zero-terminate it; of course, we also
      still have to strip a trailing newline.
      
      This is also preparation for future patches.
      
      Fixes: 06f502f5 ("leds: trigger: Introduce a NETDEV trigger")
      Signed-off-by: default avatarRasmus Villemoes <linux@rasmusvillemoes.dk>
      Acked-by: default avatarPavel Machek <pavel@ucw.cz>
      Signed-off-by: default avatarJacek Anaszewski <jacek.anaszewski@gmail.com>
      90934643
    • Kangjie Lu's avatar
      leds: pca9532: fix a potential NULL pointer dereference · 0aab8e4d
      Kangjie Lu authored
      In case of_match_device cannot find a match, return -EINVAL to avoid
      NULL pointer dereference.
      
      Fixes: fa4191a6 ("leds: pca9532: Add device tree support")
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Signed-off-by: default avatarJacek Anaszewski <jacek.anaszewski@gmail.com>
      0aab8e4d
    • Linus Torvalds's avatar
      Merge tag 'staging-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 32faca66
      Linus Torvalds authored
      Pull staging driver fixes from Greg KH:
       "Here are some small staging driver fixes for 5.1-rc3, and one driver
        removal.
      
        The biggest thing here is the removal of the mt7621-eth driver as a
        "real" network driver was merged in 5.1-rc1 for this hardware, so this
        old driver can now be removed.
      
        Other than that, there are just a number of small fixes, all resolving
        reported issues and some potential corner cases for error handling
        paths.
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'staging-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: vt6655: Remove vif check from vnt_interrupt
        staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir()
        staging: octeon-ethernet: fix incorrect PHY mode
        staging: vc04_services: Fix an error code in vchiq_probe()
        staging: erofs: fix error handling when failed to read compresssed data
        staging: vt6655: Fix interrupt race condition on device start up.
        staging: rtlwifi: Fix potential NULL pointer dereference of kzalloc
        staging: rtl8712: uninitialized memory in read_bbreg_hdl()
        staging: rtlwifi: rtl8822b: fix to avoid potential NULL pointer dereference
        staging: rtl8188eu: Fix potential NULL pointer dereference of kcalloc
        staging, mt7621-pci: fix build without pci support
        staging: speakup_soft: Fix alternate speech with other synths
        staging: axis-fifo: add CONFIG_OF dependency
        staging: olpc_dcon_xo_1: add missing 'const' qualifier
        staging: comedi: ni_mio_common: Fix divide-by-zero for DIO cmdtest
        staging: erofs: fix to handle error path of erofs_vmap()
        staging: mt7621-dts: update ethernet settings.
        staging: remove mt7621-eth
      32faca66
    • Linus Torvalds's avatar
      Merge tag 'tty-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 52afe190
      Linus Torvalds authored
      Pull tty/serial fixes from Greg KH:
       "Here are some small tty and serial driver fixes for 5.1-rc3.
      
        Nothing major here, just a number of potential problems fixes for
        error handling paths, as well as some other minor bugfixes for
        reported issues with 5.1-rc1.
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'tty-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        tty: fix NULL pointer issue when tty_port ops is not set
        Disable kgdboc failed by echo space to /sys/module/kgdboc/parameters/kgdboc
        dt-bindings: serial: Add compatible for Mediatek MT8183
        tty/serial: atmel: RS485 HD w/DMA: enable RX after TX is stopped
        tty/serial: atmel: Add is_half_duplex helper
        serial: sh-sci: Fix setting SCSCR_TIE while transferring data
        serial: ar933x_uart: Fix build failure with disabled console
        tty: serial: qcom_geni_serial: Initialize baud in qcom_geni_console_setup
        sc16is7xx: missing unregister/delete driver on error in sc16is7xx_init()
        tty: mxs-auart: fix a potential NULL pointer dereference
        tty: atmel_serial: fix a potential NULL pointer dereference
        serial: max310x: Fix to avoid potential NULL pointer dereference
        serial: mvebu-uart: Fix to avoid a potential NULL pointer dereference
      52afe190
    • Linus Torvalds's avatar
      Merge tag 'usb-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 8d02a9a8
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are some small USB fixes for 5.1-rc3.
      
        Nothing major at all here, just a small collection of fixes for
        reported issues, and potential problems with error handling paths.
        Also a few new device ids, as normal.
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'usb-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (25 commits)
        USB: serial: option: add Olicard 600
        USB: serial: cp210x: add new device id
        usb: u132-hcd: fix resource leak
        usb: cdc-acm: fix race during wakeup blocking TX traffic
        usb: mtu3: fix EXTCON dependency
        usb: usb251xb: fix to avoid potential NULL pointer dereference
        usb: core: Try generic PHY_MODE_USB_HOST if usb_phy_roothub_set_mode fails
        phy: sun4i-usb: Support set_mode to USB_HOST for non-OTG PHYs
        xhci: Don't let USB3 ports stuck in polling state prevent suspend
        usb: xhci: dbc: Don't free all memory with spinlock held
        xhci: Fix port resume done detection for SS ports with LPM enabled
        USB: serial: mos7720: fix mos_parport refcount imbalance on error path
        USB: gadget: f_hid: fix deadlock in f_hidg_write()
        usb: gadget: net2272: Fix net2272_dequeue()
        usb: gadget: net2280: Fix net2280_dequeue()
        usb: gadget: net2280: Fix overrun of OUT messages
        usb: dwc3: pci: add support for Comet Lake PCH ID
        usb: usb251xb: Remove unnecessary comparison of unsigned integer with >= 0
        usb: common: Consider only available nodes for dr_mode
        usb: typec: tcpm: Try PD-2.0 if sink does not respond to 3.0 source-caps
        ...
      8d02a9a8
    • Linus Torvalds's avatar
      Merge tag 'acpi-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 782492a7
      Linus Torvalds authored
      Pull ACPI fix from Rafael Wysocki:
       "This corrects a previous attempt to make Linux use its own set of ACPI
        debug flags different from the upstream ACPICA's default (Erik
        Schmauss)"
      
      * tag 'acpi-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI: use different default debug value than ACPICA
      782492a7
    • Linus Torvalds's avatar
      Merge tag 'pm-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 8e377a1c
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These fix CPU base frequency reporting in the intel_pstate driver and
        a use-after-free in the scpi-cpufreq driver.
      
        Specifics:
      
         - Fix the ACPI CPPC library to actually follow the specification when
           decoding the guaranteed performance register information and make
           the intel_pstate driver to fall back to the nominal frequency when
           reporting the base frequency if the guaranteed performance register
           information is not there (Srinivas Pandruvada).
      
         - Fix use-after-free in the exit callback of the scpi-cpufreq left
           after an update during the 5.0 development cycle (Vincent Stehlé)"
      
      * tag 'pm-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpufreq: scpi: Fix use after free
        cpufreq: intel_pstate: Also use CPPC nominal_perf for base_frequency
        ACPI / CPPC: Fix guaranteed performance handling
      8e377a1c
    • Linus Torvalds's avatar
      Merge branch 'fixes-v5.1-a' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security · 12195302
      Linus Torvalds authored
      Pull security layer fixes from James Morris:
       "Yama and LSM config fixes"
      
      * 'fixes-v5.1-a' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
        LSM: Revive CONFIG_DEFAULT_SECURITY_* for "make oldconfig"
        Yama: mark local symbols as static
      12195302
  5. 29 Mar, 2019 16 commits
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · 922c010c
      Linus Torvalds authored
      Merge misc fixes from Andrew Morton:
       "22 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>: (22 commits)
        fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links
        fs: fs_parser: fix printk format warning
        checkpatch: add %pt as a valid vsprintf extension
        mm/migrate.c: add missing flush_dcache_page for non-mapped page migrate
        drivers/block/zram/zram_drv.c: fix idle/writeback string compare
        mm/page_isolation.c: fix a wrong flag in set_migratetype_isolate()
        mm/memory_hotplug.c: fix notification in offline error path
        ptrace: take into account saved_sigmask in PTRACE{GET,SET}SIGMASK
        fs/proc/kcore.c: make kcore_modules static
        include/linux/list.h: fix list_is_first() kernel-doc
        mm/debug.c: fix __dump_page when mapping->host is not set
        mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified
        include/linux/hugetlb.h: convert to use vm_fault_t
        iommu/io-pgtable-arm-v7s: request DMA32 memory, and improve debugging
        mm: add support for kmem caches in DMA32 zone
        ocfs2: fix inode bh swapping mixup in ocfs2_reflink_inodes_lock
        mm/hotplug: fix offline undo_isolate_page_range()
        fs/open.c: allow opening only regular files during execve()
        mailmap: add Changbin Du
        mm/debug.c: add a cast to u64 for atomic64_read()
        ...
      922c010c
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · f9007cc6
      Linus Torvalds authored
      Pull arm64 fix from Catalin Marinas:
       "Use memblock_alloc() instead of memblock_alloc_low() in
        request_standard_resources(), the latter being limited to the low 4G
        memory range on arm64"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: replace memblock_alloc_low with memblock_alloc
      f9007cc6
    • Linus Torvalds's avatar
      Merge tag 'iommu-fixes-v5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · c0b7f2a5
      Linus Torvalds authored
      Pull IOMMU fixes from Joerg Roedel:
      
       - Fix a bug in the AMD IOMMU driver not handling exclusion ranges
         correctly. In fact the driver did not reserve these ranges for IOVA
         allocations, so that dma-handles could be allocated in an exclusion
         range, leading to data corruption. Exclusion ranges have not been
         used by any firmware up to now, so this issue remained undiscovered
         for quite some time.
      
       - Fix wrong warning messages that the IOMMU core code prints when it
         tries to allocate the default domain for an iommu group and the
         driver does not support any of the default domain types (like Intel
         VT-d).
      
      * tag 'iommu-fixes-v5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/amd: Reserve exclusion range in iova-domain
        iommu: Don't print warning when IOMMU driver only supports unmanaged domains
      c0b7f2a5
    • Linus Torvalds's avatar
      Merge tag 'driver-core-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core · eed4897d
      Linus Torvalds authored
      Pull driver core fix from Greg KH:
       "Here is a single driver core patch for 5.1-rc3.
      
        After 5.1-rc1, all of the users of BUS_ATTR() are finally removed, so
        we can now drop this macro from include/linux/device.h so that no more
        new users will be created.
      
        This patch has been in linux-next for a while, with no reported
        issues"
      
      * tag 'driver-core-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
        driver core: remove BUS_ATTR()
      eed4897d
    • Linus Torvalds's avatar
      Merge tag 'char-misc-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 6f510923
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are some binder, habanalabs, and vboxguest driver fixes for
        5.1-rc3.
      
        The Binder fixes resolve some reported issues found by testing, first
        by the selinux developers, and then earlier today by syzbot.
      
        The habanalabs fixes are all minor, resolving a number of tiny things.
      
        The vboxguest patches are a bit larger. They resolve the fact that
        virtual box decided to change their api in their latest release in a
        way that broke the existing kernel code, despite saying that they were
        never going to do that. So this is a bit of a "new feature", but is
        good to get merged so that 5.1 will work with the latest release. The
        changes are not large and of course virtual box "swears" they will not
        break this again, but no one is holding their breath here.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'char-misc-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        virt: vbox: Implement passing requestor info to the host for VirtualBox 6.0.x
        binder: fix race between munmap() and direct reclaim
        binder: fix BUG_ON found by selinux-testsuite
        habanalabs: cast to expected type
        habanalabs: prevent host crash during suspend/resume
        habanalabs: perform accounting for active CS
        habanalabs: fix mapping with page size bigger than 4KB
        habanalabs: complete user context cleanup before hard reset
        habanalabs: fix bug when mapping very large memory area
        habanalabs: fix MMU number of pages calculation
      6f510923
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 3467b907
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Thirteen fixes, seven of which are for IBM fibre channel and three
        additional for fairly serious bugs in drivers (qla2xxx, mpt3sas,
        aacraid).
      
        Of the three core fixes, the most significant is probably the missed
        run queue causing an indefinite hang. The others are fixing a
        potential use after free on device close and silencing an incorrect
        warning"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: ibmvfc: Clean up transport events
        scsi: ibmvfc: Byte swap status and error codes when logging
        scsi: ibmvfc: Add failed PRLI to cmd_status lookup array
        scsi: ibmvfc: Remove "failed" from logged errors
        scsi: zfcp: reduce flood of fcrscn1 trace records on multi-element RSCN
        scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices
        scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host
        scsi: sd: Quiesce warning if device does not report optimal I/O size
        scsi: sd: Fix a race between closing an sd device and sd I/O
        scsi: core: Run queue when state is set to running after being blocked
        scsi: qla4xxx: fix a potential NULL pointer dereference
        scsi: aacraid: Insure we don't access PCIe space during AER/EEH
        scsi: mpt3sas: Fix kernel panic during expander reset
      3467b907
    • Linus Torvalds's avatar
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 4ad52836
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "A new ID for the i801 driver and some Documentation fixes to make it
        easier for people to find the bindings (which is also a basis for
        further improvements in that area)"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: wmt: make bindings file name match the driver
        i2c: sun6i-p2wi: make bindings file name match the driver
        i2c: stu300: make bindings file name match the driver
        i2c: mt65xx: make bindings file name match the driver
        i2c: iop3xx: make bindings file name match the driver
        i2c: i801: Add support for Intel Comet Lake
      4ad52836
    • Linus Torvalds's avatar
      Merge tag 'sound-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 9a4a6f0d
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "The important fixes at this time are a couple fixes in ALSA core: a
        fix for PCM is about the OOB access in PCM OSS plugins that has been
        for long time, but hasn't hit so often until now just because we
        allocated a large buffer via vmalloc(), and surfaced more often after
        switching to kvmalloc(). Another fix is for a long-standing PCM
        problem wrt racy PM resume.
      
        Others are trivial nospec coverage and usual HD-audio quirks"
      
      * tag 'sound-5.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda/realtek - Fix speakers on Acer Predator Helios 500 Ryzen laptops
        ALSA: pcm: Don't suspend stream in unrecoverable PCM state
        ALSA: hda/ca0132 - Simplify alt firmware loading code
        ALSA: pcm: Fix possible OOB access in PCM oss plugins
        ALSA: hda/realtek: Enable headset MIC of ASUS X430UN and X512DK with ALC256
        ALSA: hda/realtek: Enable headset mic of ASUS P5440FF with ALC256
        ALSA: hda/realtek: Enable ASUS X441MB and X705FD headset MIC with ALC256
        ALSA: hda/realtek - Add support for Acer Aspire E5-523G/ES1-432 headset mic
        ALSA: hda/realtek: Enable headset MIC of Acer Aspire Z24-890 with ALC286
        ALSA: seq: oss: Fix Spectre v1 vulnerability
        ALSA: rawmidi: Fix potential Spectre v1 vulnerability
      9a4a6f0d
    • Linus Torvalds's avatar
      Merge tag 'kbuild-fixes-v5.1' of... · 0e40da3e
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - Remove harmful -Oz option of Clang
      
       - Get back the original behavior (no recursion for in-tree build) for
         GNU Make 4.x
      
       - Some minor fixes for coccinelle patches
      
       - Do not overwrite .gitignore in the output directory in case it is
         version-controlled
      
       - Fix missed record-mcount bug for dynamic ftrace
      
       - Fix endianness bug in modversions for relative CRC
      
       - Cater to '^H' key code in Kconfig ncurses programs
      
      * tag 'kbuild-fixes-v5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        kconfig/[mn]conf: handle backspace (^H) key
        kbuild: modversions: Fix relative CRC byte order interpretation
        scripts: coccinelle: Fix description of badty.cocci
        kbuild: strip whitespace in cmd_record_mcount findstring
        kbuild: do not overwrite .gitignore in output directory
        kbuild: skip parsing pre sub-make code for recursion
        coccinelle: put_device: reduce false positives
        kbuild: skip sub-make for in-tree build with GNU Make 4.x
        Revert "kbuild: use -Oz instead of -Os when using clang"
      0e40da3e
    • Linus Torvalds's avatar
      Merge tag 'for-linus-20190329' of git://git.kernel.dk/linux-block · ffb8e45c
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "Small set of fixes that should go into this series. This contains:
      
         - compat signal mask fix for io_uring (Arnd)
      
         - EAGAIN corner case for direct vs buffered writes for io_uring
           (Roman)
      
         - NVMe pull request from Christoph with various little fixes
      
         - sbitmap ws_active fix, which caused a perf regression for shared
           tags (me)
      
         - sbitmap bit ordering fix (Ming)
      
         - libata on-stack DMA fix (Raymond)"
      
      * tag 'for-linus-20190329' of git://git.kernel.dk/linux-block:
        nvmet: fix error flow during ns enable
        nvmet: fix building bvec from sg list
        nvme-multipath: relax ANA state check
        nvme-tcp: fix an endianess miss-annotation
        libata: fix using DMA buffers on stack
        io_uring: offload write to async worker in case of -EAGAIN
        sbitmap: order READ/WRITE freed instance and setting clear bit
        blk-mq: fix sbitmap ws_active for shared tags
        io_uring: fix big-endian compat signal mask handling
        blk-mq: update comment for blk_mq_hctx_has_pending()
        blk-mq: use blk_mq_put_driver_tag() to put tag
      ffb8e45c
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-5.1-rc3' of git://github.com/ceph/ceph-client · 7376e39a
      Linus Torvalds authored
      Pull ceph fixes from Ilya Dryomov:
       "A patch to avoid choking on multipage bvecs in the messenger and a
        small use-after-free fix"
      
      * tag 'ceph-for-5.1-rc3' of git://github.com/ceph/ceph-client:
        ceph: fix use-after-free on symlink traversal
        libceph: fix breakage caused by multipage bvecs
      7376e39a
    • Linus Torvalds's avatar
      Merge tag 'xfs-5.1-fixes-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · c6503f12
      Linus Torvalds authored
      Pull xfs fixes from Darrick Wong:
       "Here are a few fixes for some corruption bugs and uninitialized
        variable problems. The few patches here have gone through a few days
        worth of fstest runs with no new problems observed.
      
        Changes since last update:
      
         - Fix a bunch of static checker complaints about uninitialized
           variables and insufficient range checks.
      
         - Avoid a crash when incore extent map data are corrupt.
      
         - Disallow FITRIM when we haven't recovered the log and know the
           metadata are stale.
      
         - Fix a data corruption when doing unaligned overlapping dio writes"
      
      * tag 'xfs-5.1-fixes-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: serialize unaligned dio writes against all other dio writes
        xfs: prohibit fstrim in norecovery mode
        xfs: always init bma in xfs_bmapi_write
        xfs: fix btree scrub checking with regards to root-in-inode
        xfs: dabtree scrub needs to range-check level
        xfs: don't trip over uninitialized buffer on extent read of corrupted inode
      c6503f12
    • Kees Cook's avatar
      LSM: Revive CONFIG_DEFAULT_SECURITY_* for "make oldconfig" · 2623c4fb
      Kees Cook authored
      Commit 70b62c25 ("LoadPin: Initialize as ordered LSM") removed
      CONFIG_DEFAULT_SECURITY_{SELINUX,SMACK,TOMOYO,APPARMOR,DAC} from
      security/Kconfig and changed CONFIG_LSM to provide a fixed ordering as a
      default value. That commit expected that existing users (upgrading from
      Linux 5.0 and earlier) will edit CONFIG_LSM value in accordance with
      their CONFIG_DEFAULT_SECURITY_* choice in their old kernel configs. But
      since users might forget to edit CONFIG_LSM value, this patch revives
      the choice (only for providing the default value for CONFIG_LSM) in order
      to make sure that CONFIG_LSM reflects CONFIG_DEFAULT_SECURITY_* from their
      old kernel configs.
      
      Note that since TOMOYO can be fully stacked against the other legacy
      major LSMs, when it is selected, it explicitly disables the other LSMs
      to avoid them also initializing since TOMOYO does not expect this
      currently.
      Reported-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Reported-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Fixes: 70b62c25 ("LoadPin: Initialize as ordered LSM")
      Co-developed-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: default avatarJames Morris <james.morris@microsoft.com>
      2623c4fb
    • Thomas Gleixner's avatar
      Merge tag 'perf-urgent-for-mingo-5.1-20190329' of... · 22261fdf
      Thomas Gleixner authored
      Merge tag 'perf-urgent-for-mingo-5.1-20190329' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/urgent
      
      Pull perf/urgent fixes from Arnaldo:
      
      Core libraries:
        Jiri Olsa:
        - Fix max perf_event_attr.precise_ip detection.
      
        Kan Liang:
        - Fix parser error for uncore event alias
      
        Wei Lin:
        - Fixup ordering of kernel maps after obtaining the main kernel map address.
      
      Intel PT:
        Adrian Hunter:
        - Fix TSC slip where A TSC packet can slip past MTC packets so that the
          timestamp appears to go backwards.
      
        - Fixes for exported-sql-viewer GUI conversion to python3.
      
      ARM coresight:
        Solomon Tan:
        - Fix the build by adding a missing case value for enumeration value introduced
          in newer library, that now is the required one.
      
      tool headers:
        Arnaldo Carvalho de Melo:
        - Syncronize kernel headers with the kernel, getting new io_uring and
          pidfd_send_signal syscalls so that 'perf trace' can handle them.
      Signed-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      22261fdf
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2019-03-29' of git://anongit.freedesktop.org/drm/drm · 9df0ef6c
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Weekly fixes roundup, nothing two serious, some usb device regressions
        are fixed, and i915 GVT has a bigger fix but otherwise not really much
        happening here.
      
        core:
         - fb bpp check regression fix
         - release/unplug fix
         - use after free fixes
      
        i915:
         - fix mmap range checks
         - fix gvt ppgtt mm LRU list access races
         - fix selftest error pointer check
         - fix a macro definition (pre-emptive for potential further backports)
         - fix one AML SKU ULX status
      
        amdgpu:
         - one variable refresh rate fix
      
        udl:
         - fix EDID reading
      
        tegra:
         - build/warning fixes
      
        meson:
         - cleanup path fixes
         - TMDS clock filter fix
      
        rockchip:
         - NV12 buffers and scalar fix"
      
      * tag 'drm-fixes-2019-03-29' of git://anongit.freedesktop.org/drm/drm: (22 commits)
        drm/i915/icl: Fix VEBOX mismatch BUG_ON()
        drm/i915/selftests: Fix an IS_ERR() vs NULL check
        drm/i915: Mark AML 0x87CA as ULX
        drm/meson: fix TMDS clock filtering for DMT monitors
        drm/meson: Uninstall IRQ handler
        drm/meson: Fix invalid pointer in meson_drv_unbind()
        drm/udl: Refactor edid retrieving in UDL driver (v2)
        drm: Fix drm_release() and device unplug
        drm/fb: avoid setting 0 depth.
        drm/tegra: vic: Fix implicit function declaration warning
        drm/tegra: hub: Fix dereference before check
        drm/i915/icl: Fix the TRANS_DDI_FUNC_CTL2 bitfield macro
        drm/amd/display: Only allow VRR when vrefresh is within supported range
        drm/rockchip: vop: reset scale mode when win is disabled
        drm/vkms: fix use-after-free when drm_gem_handle_create() fails
        drm/vgem: fix use-after-free when drm_gem_handle_create() fails
        drm/i915/gvt: Add mutual lock for ppgtt mm LRU list
        drm/i915/gvt: Only assign ppgtt root at dispatch time
        drm/i915/gvt: Don't submit request for error workload dispatch
        drm/i915/gvt: stop scheduling workload when vgpu is inactive
        ...
      9df0ef6c
    • YueHaibing's avatar
      fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links · 23da9588
      YueHaibing authored
      Syzkaller reports:
      
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN PTI
      CPU: 1 PID: 5373 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      RIP: 0010:put_links+0x101/0x440 fs/proc/proc_sysctl.c:1599
      Code: 00 0f 85 3a 03 00 00 48 8b 43 38 48 89 44 24 20 48 83 c0 38 48 89 c2 48 89 44 24 28 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 fe 02 00 00 48 8b 74 24 20 48 c7 c7 60 2a 9d 91
      RSP: 0018:ffff8881d828f238 EFLAGS: 00010202
      RAX: dffffc0000000000 RBX: ffff8881e01b1140 RCX: ffffffff8ee98267
      RDX: 0000000000000007 RSI: ffffc90001479000 RDI: ffff8881e01b1178
      RBP: dffffc0000000000 R08: ffffed103ee27259 R09: ffffed103ee27259
      R10: 0000000000000001 R11: ffffed103ee27258 R12: fffffffffffffff4
      R13: 0000000000000006 R14: ffff8881f59838c0 R15: dffffc0000000000
      FS:  00007f072254f700(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fff8b286668 CR3: 00000001f0542002 CR4: 00000000007606e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      PKRU: 55555554
      Call Trace:
       drop_sysctl_table+0x152/0x9f0 fs/proc/proc_sysctl.c:1629
       get_subdir fs/proc/proc_sysctl.c:1022 [inline]
       __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335
       br_netfilter_init+0xbc/0x1000 [br_netfilter]
       do_one_initcall+0xfa/0x5ca init/main.c:887
       do_init_module+0x204/0x5f6 kernel/module.c:3460
       load_module+0x66b2/0x8570 kernel/module.c:3808
       __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
       do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x462e99
      Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007f072254ec58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
      RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
      RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
      RBP: 00007f072254ec70 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f072254f6bc
      R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
      Modules linked in: br_netfilter(+) dvb_usb_dibusb_mc_common dib3000mc dibx000_common dvb_usb_dibusb_common dvb_usb_dw2102 dvb_usb classmate_laptop palmas_regulator cn videobuf2_v4l2 v4l2_common snd_soc_bd28623 mptbase snd_usb_usx2y snd_usbmidi_lib snd_rawmidi wmi libnvdimm lockd sunrpc grace rc_kworld_pc150u rc_core rtc_da9063 sha1_ssse3 i2c_cros_ec_tunnel adxl34x_spi adxl34x nfnetlink lib80211 i5500_temp dvb_as102 dvb_core videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops udc_core lnbp22 leds_lp3952 hid_roccat_ryos s1d13xxxfb mtd vport_geneve openvswitch nf_conncount nf_nat_ipv6 nsh geneve udp_tunnel ip6_udp_tunnel snd_soc_mt6351 sis_agp phylink snd_soc_adau1761_spi snd_soc_adau1761 snd_soc_adau17x1 snd_soc_core snd_pcm_dmaengine ac97_bus snd_compress snd_soc_adau_utils snd_soc_sigmadsp_regmap snd_soc_sigmadsp raid_class hid_roccat_konepure hid_roccat_common hid_roccat c2port_duramar2150 core mdio_bcm_unimac iptable_security iptable_raw iptable_mangle
       iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim devlink vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel joydev mousedev ide_pci_generic piix aesni_intel aes_x86_64 ide_core crypto_simd atkbd cryptd glue_helper serio_raw ata_generic pata_acpi i2c_piix4 floppy sch_fq_codel ip_tables x_tables ipv6 [last unloaded: lm73]
      Dumping ftrace buffer:
         (ftrace buffer empty)
      ---[ end trace 770020de38961fd0 ]---
      
      A new dir entry can be created in get_subdir and its 'header->parent' is
      set to NULL.  Only after insert_header success, it will be set to 'dir',
      otherwise 'header->parent' is set to NULL and drop_sysctl_table is called.
      However in err handling path of get_subdir, drop_sysctl_table also be
      called on 'new->header' regardless its value of parent pointer.  Then
      put_links is called, which triggers NULL-ptr deref when access member of
      header->parent.
      
      In fact we have multiple error paths which call drop_sysctl_table() there,
      upon failure on insert_links() we also call drop_sysctl_table().And even
      in the successful case on __register_sysctl_table() we still always call
      drop_sysctl_table().This patch fix it.
      
      Link: http://lkml.kernel.org/r/20190314085527.13244-1-yuehaibing@huawei.com
      Fixes: 0e47c99d ("sysctl: Replace root_list with links between sysctl_table_sets")
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Acked-by: default avatarLuis Chamberlain <mcgrof@kernel.org>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Eric W. Biederman <ebiederm@xmission.com>
      Cc: <stable@vger.kernel.org>    [3.4+]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      23da9588