1. 27 Aug, 2016 2 commits
  2. 25 Aug, 2016 1 commit
    • Linus Torvalds's avatar
      Merge branch 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux · 61c04572
      Linus Torvalds authored
      Pull thermal fixes from Zhang Rui:
      
       - Fix cpu_cooling to have separate thermal_cooling_device_ops
         structures for cpus with and without power model, to avoid NULL
         dereference in cpufreq_state2power.  From Brendan Jackman.
      
       - Fix a possible NULL dereference in imx_thermal driver.  From Corentin
         LABBE.
      
       - Another two trivial fixes, one typo fix and one deleting module
         owner.  From Caesar Wang and Markus Elfring.
      
      * 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux:
        thermal: imx: fix a possible NULL dereference
        thermal: trivial: fix the typo
        Thermal-INT3406: Delete owner assignment
        thermal: cpu_cooling: Fix NULL dereference in cpufreq_state2power
      61c04572
  3. 24 Aug, 2016 7 commits
  4. 23 Aug, 2016 9 commits
    • Keith Busch's avatar
      x86/PCI: VMD: Fix infinite loop executing irq's · 21c80c9f
      Keith Busch authored
      We can't initialize the list head on deletion as this causes the node to
      point to itself, which causes an infinite loop if vmd_irq() happens to be
      servicing that node.
      
      The list initialization was trying to fix a bug from multiple calls to
      disable the same IRQ.  Fix this instead by having the VMD driver track if
      the interrupt is enabled.
      
      [bhelgaas: changelog, add "Fixes"]
      Fixes: 97e92306 ("x86/PCI: VMD: Initialize list item in IRQ disable")
      Reported-by: default avatarGrzegorz Koczot <grzegorz.koczot@intel.com>
      Tested-by: default avatarMiroslaw Drost <miroslaw.drost@intel.com>
      Signed-off-by: default avatarKeith Busch <keith.busch@intel.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Acked-by Jon Derrick: <jonathan.derrick@intel.com>
      21c80c9f
    • Andrey Ryabinin's avatar
      um: Don't discard .text.exit section · dad22328
      Andrey Ryabinin authored
      Commit e41f501d ("vmlinux.lds: account for destructor sections")
      added '.text.exit' to EXIT_TEXT which is discarded at link time by default.
      This breaks compilation of UML:
           `.text.exit' referenced in section `.fini_array' of
           /usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libc.a(sdlerror.o):
           defined in discarded section `.text.exit' of
           /usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libc.a(sdlerror.o)
      
      Apparently UML doesn't want to discard exit text, so let's place all EXIT_TEXT
      sections in .exit.text.
      
      Fixes: e41f501d ("vmlinux.lds: account for destructor sections")
      Reported-by: default avatarStefan Traby <stefan@hello-penguin.com>
      Signed-off-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: <stable@vger.kernel.org>
      Acked-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      dad22328
    • Richard Weinberger's avatar
      ubifs: Fix xattr generic handler usage · 17ce1eb0
      Richard Weinberger authored
      UBIFS uses full names to work with xattrs, therefore we have to use
      xattr_full_name() to obtain the xattr prefix as string.
      
      Cc: <stable@vger.kernel.org>
      Cc: Andreas Gruenbacher <agruenba@redhat.com>
      Fixes: 2b88fc21 ("ubifs: Switch to generic xattr handlers")
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Reviewed-by: default avatarAndreas Gruenbacher <agruenba@redhat.com>
      Tested-by: default avatarDongsheng Yang <dongsheng081251@gmail.com>
      17ce1eb0
    • Vincent Stehlé's avatar
      ubifs: Fix assertion in layout_in_gaps() · c0082e98
      Vincent Stehlé authored
      An assertion in layout_in_gaps() verifies that the gap_lebs pointer is
      below the maximum bound. When computing this maximum bound the idx_lebs
      count is multiplied by sizeof(int), while C pointers arithmetic does take
      into account the size of the pointed elements implicitly already. Remove
      the multiplication to fix the assertion.
      
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarVincent Stehlé <vincent.stehle@intel.com>
      Cc: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
      Signed-off-by: default avatarArtem Bityutskiy <artem.bityutskiy@linux.intel.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      c0082e98
    • Linus Torvalds's avatar
      Merge tag 'usercopy-v4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · 7a1dcf6a
      Linus Torvalds authored
      Pull hardened usercopy fixes from Kees Cook:
       - avoid signed math problems on unexpected compilers
       - avoid false positives at very end of kernel text range checks
      
      * tag 'usercopy-v4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        usercopy: fix overlap check for kernel text
        usercopy: avoid potentially undefined behavior in pointer math
      7a1dcf6a
    • Linus Torvalds's avatar
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · d1fdafa1
      Linus Torvalds authored
      Pull crypto fixes from Herbert Xu:
       "This fixes a number of memory corruption bugs in the newly added
        sha256-mb/sha256-mb code"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: sha512-mb - fix ctx pointer
        crypto: sha256-mb - fix ctx pointer and digest copy
      d1fdafa1
    • Benjamin Coddington's avatar
      vhost/scsi: fix reuse of &vq->iov[out] in response · a77ec83a
      Benjamin Coddington authored
      The address of the iovec &vq->iov[out] is not guaranteed to contain the scsi
      command's response iovec throughout the lifetime of the command.  Rather, it
      is more likely to contain an iovec from an immediately following command
      after looping back around to vhost_get_vq_desc().  Pass along the iovec
      entirely instead.
      
      Fixes: 79c14141 ("vhost/scsi: Convert completion path to use copy_to_iter")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarBenjamin Coddington <bcodding@redhat.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      a77ec83a
    • Josh Poimboeuf's avatar
      usercopy: fix overlap check for kernel text · 94cd97af
      Josh Poimboeuf authored
      When running with a local patch which moves the '_stext' symbol to the
      very beginning of the kernel text area, I got the following panic with
      CONFIG_HARDENED_USERCOPY:
      
        usercopy: kernel memory exposure attempt detected from ffff88103dfff000 (<linear kernel text>) (4096 bytes)
        ------------[ cut here ]------------
        kernel BUG at mm/usercopy.c:79!
        invalid opcode: 0000 [#1] SMP
        ...
        CPU: 0 PID: 4800 Comm: cp Not tainted 4.8.0-rc3.after+ #1
        Hardware name: Dell Inc. PowerEdge R720/0X3D66, BIOS 2.5.4 01/22/2016
        task: ffff880817444140 task.stack: ffff880816274000
        RIP: 0010:[<ffffffff8121c796>] __check_object_size+0x76/0x413
        RSP: 0018:ffff880816277c40 EFLAGS: 00010246
        RAX: 000000000000006b RBX: ffff88103dfff000 RCX: 0000000000000000
        RDX: 0000000000000000 RSI: ffff88081f80dfa8 RDI: ffff88081f80dfa8
        RBP: ffff880816277c90 R08: 000000000000054c R09: 0000000000000000
        R10: 0000000000000005 R11: 0000000000000006 R12: 0000000000001000
        R13: ffff88103e000000 R14: ffff88103dffffff R15: 0000000000000001
        FS:  00007fb9d1750800(0000) GS:ffff88081f800000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00000000021d2000 CR3: 000000081a08f000 CR4: 00000000001406f0
        Stack:
         ffff880816277cc8 0000000000010000 000000043de07000 0000000000000000
         0000000000001000 ffff880816277e60 0000000000001000 ffff880816277e28
         000000000000c000 0000000000001000 ffff880816277ce8 ffffffff8136c3a6
        Call Trace:
         [<ffffffff8136c3a6>] copy_page_to_iter_iovec+0xa6/0x1c0
         [<ffffffff8136e766>] copy_page_to_iter+0x16/0x90
         [<ffffffff811970e3>] generic_file_read_iter+0x3e3/0x7c0
         [<ffffffffa06a738d>] ? xfs_file_buffered_aio_write+0xad/0x260 [xfs]
         [<ffffffff816e6262>] ? down_read+0x12/0x40
         [<ffffffffa06a61b1>] xfs_file_buffered_aio_read+0x51/0xc0 [xfs]
         [<ffffffffa06a6692>] xfs_file_read_iter+0x62/0xb0 [xfs]
         [<ffffffff812224cf>] __vfs_read+0xdf/0x130
         [<ffffffff81222c9e>] vfs_read+0x8e/0x140
         [<ffffffff81224195>] SyS_read+0x55/0xc0
         [<ffffffff81003a47>] do_syscall_64+0x67/0x160
         [<ffffffff816e8421>] entry_SYSCALL64_slow_path+0x25/0x25
        RIP: 0033:[<00007fb9d0c33c00>] 0x7fb9d0c33c00
        RSP: 002b:00007ffc9c262f28 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
        RAX: ffffffffffffffda RBX: fffffffffff8ffff RCX: 00007fb9d0c33c00
        RDX: 0000000000010000 RSI: 00000000021c3000 RDI: 0000000000000004
        RBP: 00000000021c3000 R08: 0000000000000000 R09: 00007ffc9c264d6c
        R10: 00007ffc9c262c50 R11: 0000000000000246 R12: 0000000000010000
        R13: 00007ffc9c2630b0 R14: 0000000000000004 R15: 0000000000010000
        Code: 81 48 0f 44 d0 48 c7 c6 90 4d a3 81 48 c7 c0 bb b3 a2 81 48 0f 44 f0 4d 89 e1 48 89 d9 48 c7 c7 68 16 a3 81 31 c0 e8 f4 57 f7 ff <0f> 0b 48 8d 90 00 40 00 00 48 39 d3 0f 83 22 01 00 00 48 39 c3
        RIP  [<ffffffff8121c796>] __check_object_size+0x76/0x413
         RSP <ffff880816277c40>
      
      The checked object's range [ffff88103dfff000, ffff88103e000000) is
      valid, so there shouldn't have been a BUG.  The hardened usercopy code
      got confused because the range's ending address is the same as the
      kernel's text starting address at 0xffff88103e000000.  The overlap check
      is slightly off.
      
      Fixes: f5509cc1 ("mm: Hardened usercopy")
      Signed-off-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      94cd97af
    • Eric Biggers's avatar
      usercopy: avoid potentially undefined behavior in pointer math · 7329a655
      Eric Biggers authored
      check_bogus_address() checked for pointer overflow using this expression,
      where 'ptr' has type 'const void *':
      
      	ptr + n < ptr
      
      Since pointer wraparound is undefined behavior, gcc at -O2 by default
      treats it like the following, which would not behave as intended:
      
      	(long)n < 0
      
      Fortunately, this doesn't currently happen for kernel code because kernel
      code is compiled with -fno-strict-overflow.  But the expression should be
      fixed anyway to use well-defined integer arithmetic, since it could be
      treated differently by different compilers in the future or could be
      reported by tools checking for undefined behavior.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      7329a655
  5. 22 Aug, 2016 6 commits
  6. 21 Aug, 2016 3 commits
  7. 20 Aug, 2016 2 commits
    • Helge Deller's avatar
      parisc: Fix order of EREFUSED define in errno.h · 3eb53b20
      Helge Deller authored
      When building gccgo in userspace, errno.h gets parsed and the go include file
      sysinfo.go is generated.
      
      Since EREFUSED is defined to the same value as ECONNREFUSED, and ECONNREFUSED
      is defined later on in errno.h, this leads to go complaining that EREFUSED
      isn't defined yet.
      
      Fix this trivial problem by moving the define of EREFUSED down after
      ECONNREFUSED in errno.h (and clean up the indenting while touching this line).
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Cc: stable@vger.kernel.org
      3eb53b20
    • Helge Deller's avatar
      parisc: Fix automatic selection of cr16 clocksource · ae141830
      Helge Deller authored
      Commit 54b66800 (parisc: Add native high-resolution sched_clock()
      implementation) added support to use the CPU-internal cr16 counters as reliable
      clocksource with the help of HAVE_UNSTABLE_SCHED_CLOCK.
      
      Sadly the commit missed to remove the hack which prevented cr16 to become the
      default clocksource even on SMP systems.
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Cc: stable@vger.kernel.org # 4.7+
      ae141830
  8. 19 Aug, 2016 10 commits
    • Vineet Gupta's avatar
      ARC: export __udivdi3 for modules · c57653dc
      Vineet Gupta authored
      Some module using div_u64() was failing to link because the libgcc 64-bit
      divide assist routine was not being exported for modules
      
      Reported-by: avinashp@quantenna.com
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      c57653dc
    • Linus Torvalds's avatar
      Make the hardened user-copy code depend on having a hardened allocator · 6040e576
      Linus Torvalds authored
      The kernel test robot reported a usercopy failure in the new hardened
      sanity checks, due to a page-crossing copy of the FPU state into the
      task structure.
      
      This happened because the kernel test robot was testing with SLOB, which
      doesn't actually do the required book-keeping for slab allocations, and
      as a result the hardening code didn't realize that the task struct
      allocation was one single allocation - and the sanity checks fail.
      
      Since SLOB doesn't even claim to support hardening (and you really
      shouldn't use it), the straightforward solution is to just make the
      usercopy hardening code depend on the allocator supporting it.
      Reported-by: default avatarkernel test robot <xiaolong.ye@intel.com>
      Cc: Kees Cook <keescook@chromium.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      6040e576
    • Linus Torvalds's avatar
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 8cc9dddd
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "I2C has some pretty standard driver bugfixes and one minor cleanup"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: meson: Use complete() instead of complete_all()
        i2c: brcmstb: Use complete() instead of complete_all()
        i2c: bcm-kona: Use complete() instead of complete_all()
        i2c: bcm-iproc: Use complete() instead of complete_all()
        i2c: at91: fix support of the "alternative command" feature
        i2c: ocores: add missed clk_disable_unprepare() on failure paths
        i2c: cros-ec-tunnel: Fix usage of cros_ec_cmd_xfer()
        i2c: mux: demux-pinctrl: properly roll back when adding adapter fails
      8cc9dddd
    • Vineet Gupta's avatar
      ARC: mm: fix build breakage with STRICT_MM_TYPECHECKS · 1c3c9093
      Vineet Gupta authored
      |  CC      mm/memory.o
      | In file included from ../mm/memory.c:53:0:
      | ../include/linux/pfn_t.h: In function ‘pfn_t_pte’:
      | ../include/linux/pfn_t.h:78:2: error: conversion to non-scalar type requested
      |  return pfn_pte(pfn_t_to_pfn(pfn), pgprot);
      
      With STRICT_MM_TYPECHECKS pte_t is a struct and the offending code
      forces a cast which ends up shifting a struct and hence the gcc warning.
      
      Note that in recent past some of the arches (aarch64, s390) made
      STRICT_MM_TYPECHECKS default, but we don't for ARC as this leads to slightly
      worse generated code, given ARC ABI definition of returning structs
      (which pte_t would become)
      
      Quoting from ARC ABI...
      
        "Results of type struct are returned in a caller-supplied temporary
        variable whose address is passed in r0.
        For such functions, the arguments are shifted so that they are
        passed in r1 and up."
      
      So
       - struct to be returned would be allocated on stack requiring extra
         code at call sites
       - callee updates stack memory to facilitate the return (vs. simple
         MOV into return reg r0)
      
      Hence STRICT_MM_TYPECHECKS is not enabled by default for ARC
      
      Cc: <stable@vger.kernel.org>   #4.4+
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      1c3c9093
    • Vineet Gupta's avatar
      ARC: export kmap · d77976c4
      Vineet Gupta authored
      |  MODPOST 7 modules
      | ERROR: "kmap" [fs/ext2/ext2.ko] undefined!
      | ../scripts/Makefile.modpost:91: recipe for target '__modpost' failed
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      d77976c4
    • Vineet Gupta's avatar
      ARC: Support syscall ABI v4 · 840c054f
      Vineet Gupta authored
      The syscall ABI includes the gcc functional calling ABI since a syscall
      implies userland caller and kernel callee.
      
      The current gcc ABI (v3) for ARCv2 ISA required 64-bit data be passed in
      even-odd register pairs, (potentially punching reg holes when passing such
      values as args). This was partly driven by the fact that the double-word
      LDD/STD instructions in ARCv2 expect the register alignment and thus gcc
      forcing this avoids extra MOV at the cost of a few unused register (which we
      have plenty anyways).
      
      This however was rejected as part of upstreaming gcc port to HS. So the new
      ABI v4 doesn't enforce the even-odd reg restriction.
      
      Do note that for ARCompact ISA builds v3 and v4 are practically the same in
      terms of gcc code generation.
      
      In terms of change management, we infer the new ABI if gcc 6.x onwards
      is used for building the kernel.
      
      This also needs a stable backport to enable older kernels to work with
      new tools/user-space
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      840c054f
    • Liav Rehana's avatar
      ARC: use correct offset in pt_regs for saving/restoring user mode r25 · 86147e3c
      Liav Rehana authored
      User mode callee regs are explicitly collected before signal delivery or
      breakpoint trap. r25 is special for kernel as it serves as task pointer,
      so user mode value is clobbered very early. It is saved in pt_regs where
      generally only scratch (aka caller saved) regs are saved.
      
      The code to access the corresponding pt_regs location had a subtle bug as
      it was using load/store with scaling of offset, whereas the offset was already
      byte wise correct. So fix this by replacing LD.AS with a standard LD
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarLiav Rehana <liavr@mellanox.com>
      Reviewed-by: default avatarAlexey Brodkin <abrodkin@synopsys.com>
      [vgupta: rewrote title and commit log]
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      86147e3c
    • Dmitry Torokhov's avatar
      Input: i8042 - set up shared ps2_cmd_mutex for AUX ports · 47af45d6
      Dmitry Torokhov authored
      The commit 40974618 ("Input: i8042 - break load dependency ...")
      correctly set up ps2_cmd_mutex pointer for the KBD port but forgot to do
      the same for AUX port(s), which results in communication on KBD and AUX
      ports to clash with each other.
      
      Fixes: 40974618 ("Input: i8042 - break load dependency ...")
      Reported-by: default avatarBruno Wolff III <bruno@wolff.to>
      Tested-by: default avatarBruno Wolff III <bruno@wolff.to>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      47af45d6
    • Linus Torvalds's avatar
      Merge tag 'dm-4.8-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm · 43f4d36c
      Linus Torvalds authored
      Pull device mapper fixes from Mike Snitzer:
      
       - a stable fix for DM round robin multipath path selector to disable
         preemption before using this_cpu_ptr()
      
       - a slight increase in DM crypt's mempool reserves to make swap ontop
         of DM crypt more performant
      
       - a few DM raid fixes to issues found while testing changes that were
         merged in v4.8-rc1
      
      * tag 'dm-4.8-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm raid: support raid0 with missing metadata devices
        dm raid: enhance attempt_restore_of_faulty_devices() to support more devices
        dm raid: fix restoring of failed devices regression
        dm raid: fix frozen recovery regression
        dm crypt: increase mempool reserve to better support swapping
        dm round robin: do not use this_cpu_ptr() without having preemption disabled
      43f4d36c
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · b2848792
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Six fairly small fixes.  The ipr, mpt3sas and ses ones all trigger
        oopses.  The megaraid one fixes an attach failure on io mapped only
        cards, the fcoe one is an obvious problem in the error path and the
        aacraid one is a theoretical security issue (ability to trick the
        kernel into a buffer overrun)"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        ses: Fix racy cleanup of /sys in remove_dev()
        mpt3sas: Fix resume on WarpDrive flash cards
        ipr: Fix sync scsi scan
        megaraid_sas: Fix probing cards without io port
        aacraid: Check size values after double-fetch from user
        fcoe: Use kfree_skb() instead of kfree()
      b2848792