1. 22 Aug, 2019 1 commit
    • Alan Stern's avatar
      HID: hidraw: Fix invalid read in hidraw_ioctl · 416dacb8
      Alan Stern authored
      The syzbot fuzzer has reported a pair of problems in the
      hidraw_ioctl() function: slab-out-of-bounds read and use-after-free
      read.  An example of the first:
      
      BUG: KASAN: slab-out-of-bounds in strlen+0x79/0x90 lib/string.c:525
      Read of size 1 at addr ffff8881c8035f38 by task syz-executor.4/2833
      
      CPU: 1 PID: 2833 Comm: syz-executor.4 Not tainted 5.3.0-rc2+ #1
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0xca/0x13e lib/dump_stack.c:113
        print_address_description+0x6a/0x32c mm/kasan/report.c:351
        __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
        kasan_report+0xe/0x12 mm/kasan/common.c:612
        strlen+0x79/0x90 lib/string.c:525
        strlen include/linux/string.h:281 [inline]
        hidraw_ioctl+0x245/0xae0 drivers/hid/hidraw.c:446
        vfs_ioctl fs/ioctl.c:46 [inline]
        file_ioctl fs/ioctl.c:509 [inline]
        do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696
        ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
        __do_sys_ioctl fs/ioctl.c:720 [inline]
        __se_sys_ioctl fs/ioctl.c:718 [inline]
        __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
        do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x459829
      Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
      48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
      ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f7a68f6dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459829
      RDX: 0000000000000000 RSI: 0000000080404805 RDI: 0000000000000004
      RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7a68f6e6d4
      R13: 00000000004c21de R14: 00000000004d5620 R15: 00000000ffffffff
      
      The two problems have the same cause: hidraw_ioctl() fails to test
      whether the device has been removed.  This patch adds the missing test.
      
      Reported-and-tested-by: syzbot+5a6c4ec678a0c6ee84ba@syzkaller.appspotmail.com
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      416dacb8
  2. 20 Aug, 2019 1 commit
  3. 19 Aug, 2019 3 commits
  4. 13 Aug, 2019 3 commits
  5. 06 Aug, 2019 5 commits
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid · f4eb1423
      Linus Torvalds authored
      Pull HID fixes from Jiri Kosina:
      
       - functional regression fix for some of the Logitech unifying devices,
         from Hans de Goede
      
       - race condition fix in hid-sony for bug severely affecting
         Valve/Android deployments, from Roderick Colenbrander
      
       - several fixes for issues found by syzbot/kasan, from Oliver Neukum
         and Hillf Danton
      
       - functional regression fix for Wacom Cintiq device, from Aaron
         Armstrong Skomra
      
       - a few other assorted device-specific quirks
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
        HID: sony: Fix race condition between rumble and device remove.
        HID: hiddev: do cleanup in failure of opening a device
        HID: hiddev: avoid opening a disconnected device
        HID: input: fix a4tech horizontal wheel custom usage
        HID: Add quirk for HP X1200 PIXART OEM mouse
        HID: holtek: test for sanity of intfdata
        HID: wacom: fix bit shift for Cintiq Companion 2
        HID: quirks: Set the INCREMENT_USAGE_ON_DUPLICATE quirk on Saitek X52
        HID: logitech-dj: Really fix return value of logi_dj_recv_query_hidpp_devices
        HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT
        HID: logitech-dj: add the Powerplay receiver
        HID: logitech-hidpp: add USB PID for a few more supported mice
        HID: logitech-dj: rename "gaming" receiver to "lightspeed"
      f4eb1423
    • Linus Torvalds's avatar
      Merge branch 'x86/grand-schemozzle' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 4368c4bc
      Linus Torvalds authored
      Pull pti updates from Thomas Gleixner:
       "The performance deterioration departement is not proud at all to
        present yet another set of speculation fences to mitigate the next
        chapter in the 'what could possibly go wrong' story.
      
        The new vulnerability belongs to the Spectre class and affects GS
        based data accesses and has therefore been dubbed 'Grand Schemozzle'
        for secret communication purposes. It's officially listed as
        CVE-2019-1125.
      
        Conditional branches in the entry paths which contain a SWAPGS
        instruction (interrupts and exceptions) can be mis-speculated which
        results in speculative accesses with a wrong GS base.
      
        This can happen on entry from user mode through a mis-speculated
        branch which takes the entry from kernel mode path and therefore does
        not execute the SWAPGS instruction. The following speculative accesses
        are done with user GS base.
      
        On entry from kernel mode the mis-speculated branch executes the
        SWAPGS instruction in the entry from user mode path which has the same
        effect that the following GS based accesses are done with user GS
        base.
      
        If there is a disclosure gadget available in these code paths the
        mis-speculated data access can be leaked through the usual side
        channels.
      
        The entry from user mode issue affects all CPUs which have speculative
        execution. The entry from kernel mode issue affects only Intel CPUs
        which can speculate through SWAPGS. On CPUs from other vendors SWAPGS
        has semantics which prevent that.
      
        SMAP migitates both problems but only when the CPU is not affected by
        the Meltdown vulnerability.
      
        The mitigation is to issue LFENCE instructions in the entry from
        kernel mode path for all affected CPUs and on the affected Intel CPUs
        also in the entry from user mode path unless PTI is enabled because
        the CR3 write is serializing.
      
        The fences are as usual enabled conditionally and can be completely
        disabled on the kernel command line. The Spectre V1 documentation is
        updated accordingly.
      
        A big "Thank You!" goes to Josh for doing the heavy lifting for this
        round of hardware misfeature 'repair'. Of course also "Thank You!" to
        everybody else who contributed in one way or the other"
      
      * 'x86/grand-schemozzle' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        Documentation: Add swapgs description to the Spectre v1 documentation
        x86/speculation/swapgs: Exclude ATOMs from speculation through SWAPGS
        x86/entry/64: Use JMP instead of JMPQ
        x86/speculation: Enable Spectre v1 swapgs mitigations
        x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations
      4368c4bc
    • Roderick Colenbrander's avatar
      HID: sony: Fix race condition between rumble and device remove. · e0f6974a
      Roderick Colenbrander authored
      Valve reported a kernel crash on Ubuntu 18.04 when disconnecting a DS4
      gamepad while rumble is enabled. This issue is reproducible with a
      frequency of 1 in 3 times in the game Borderlands 2 when using an
      automatic weapon, which triggers many rumble operations.
      
      We found the issue to be a race condition between sony_remove and the
      final device destruction by the HID / input system. The problem was
      that sony_remove didn't clean some of its work_item state in
      "struct sony_sc". After sony_remove work, the corresponding evdev
      node was around for sufficient time for applications to still queue
      rumble work after "sony_remove".
      
      On pre-4.19 kernels the race condition caused a kernel crash due to a
      NULL-pointer dereference as "sc->output_report_dmabuf" got freed during
      sony_remove. On newer kernels this crash doesn't happen due the buffer
      now being allocated using devm_kzalloc. However we can still queue work,
      while the driver is an undefined state.
      
      This patch fixes the described problem, by guarding the work_item
      "state_worker" with an initialized variable, which we are setting back
      to 0 on cleanup.
      Signed-off-by: default avatarRoderick Colenbrander <roderick.colenbrander@sony.com>
      CC: stable@vger.kernel.org
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      e0f6974a
    • Hillf Danton's avatar
      HID: hiddev: do cleanup in failure of opening a device · 6d4472d7
      Hillf Danton authored
      Undo what we did for opening before releasing the memory slice.
      Reported-by: default avatarsyzbot <syzbot+62a1e04fd3ec2abf099e@syzkaller.appspotmail.com>
      Cc: Andrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarHillf Danton <hdanton@sina.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      6d4472d7
    • Hillf Danton's avatar
      HID: hiddev: avoid opening a disconnected device · 9c09b214
      Hillf Danton authored
      syzbot found the following crash on:
      
      HEAD commit:    e96407b4 usb-fuzzer: main usb gadget fuzzer driver
      git tree:       https://github.com/google/kasan.git usb-fuzzer
      console output: https://syzkaller.appspot.com/x/log.txt?x=147ac20c600000
      kernel config:  https://syzkaller.appspot.com/x/.config?x=792eb47789f57810
      dashboard link: https://syzkaller.appspot.com/bug?extid=62a1e04fd3ec2abf099e
      compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
      
      ==================================================================
      BUG: KASAN: use-after-free in __lock_acquire+0x302a/0x3b50
      kernel/locking/lockdep.c:3753
      Read of size 8 at addr ffff8881cf591a08 by task syz-executor.1/26260
      
      CPU: 1 PID: 26260 Comm: syz-executor.1 Not tainted 5.3.0-rc2+ #24
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0xca/0x13e lib/dump_stack.c:113
        print_address_description+0x6a/0x32c mm/kasan/report.c:351
        __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
        kasan_report+0xe/0x12 mm/kasan/common.c:612
        __lock_acquire+0x302a/0x3b50 kernel/locking/lockdep.c:3753
        lock_acquire+0x127/0x320 kernel/locking/lockdep.c:4412
        __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
        _raw_spin_lock_irqsave+0x32/0x50 kernel/locking/spinlock.c:159
        hiddev_release+0x82/0x520 drivers/hid/usbhid/hiddev.c:221
        __fput+0x2d7/0x840 fs/file_table.c:280
        task_work_run+0x13f/0x1c0 kernel/task_work.c:113
        exit_task_work include/linux/task_work.h:22 [inline]
        do_exit+0x8ef/0x2c50 kernel/exit.c:878
        do_group_exit+0x125/0x340 kernel/exit.c:982
        get_signal+0x466/0x23d0 kernel/signal.c:2728
        do_signal+0x88/0x14e0 arch/x86/kernel/signal.c:815
        exit_to_usermode_loop+0x1a2/0x200 arch/x86/entry/common.c:159
        prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
        syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
        do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x459829
      Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
      48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
      ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f75b2a6ccf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
      RAX: fffffffffffffe00 RBX: 000000000075c078 RCX: 0000000000459829
      RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075c078
      RBP: 000000000075c070 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075c07c
      R13: 00007ffcdfe1023f R14: 00007f75b2a6d9c0 R15: 000000000075c07c
      
      Allocated by task 104:
        save_stack+0x1b/0x80 mm/kasan/common.c:69
        set_track mm/kasan/common.c:77 [inline]
        __kasan_kmalloc mm/kasan/common.c:487 [inline]
        __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
        kmalloc include/linux/slab.h:552 [inline]
        kzalloc include/linux/slab.h:748 [inline]
        hiddev_connect+0x242/0x5b0 drivers/hid/usbhid/hiddev.c:900
        hid_connect+0x239/0xbb0 drivers/hid/hid-core.c:1882
        hid_hw_start drivers/hid/hid-core.c:1981 [inline]
        hid_hw_start+0xa2/0x130 drivers/hid/hid-core.c:1972
        appleir_probe+0x13e/0x1a0 drivers/hid/hid-appleir.c:308
        hid_device_probe+0x2be/0x3f0 drivers/hid/hid-core.c:2209
        really_probe+0x281/0x650 drivers/base/dd.c:548
        driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
        __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
        bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
        __device_attach+0x217/0x360 drivers/base/dd.c:882
        bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
        device_add+0xae6/0x16f0 drivers/base/core.c:2114
        hid_add_device+0x33c/0x990 drivers/hid/hid-core.c:2365
        usbhid_probe+0xa81/0xfa0 drivers/hid/usbhid/hid-core.c:1386
        usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
        really_probe+0x281/0x650 drivers/base/dd.c:548
        driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
        __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
        bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
        __device_attach+0x217/0x360 drivers/base/dd.c:882
        bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
        device_add+0xae6/0x16f0 drivers/base/core.c:2114
        usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
        generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
        usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
        really_probe+0x281/0x650 drivers/base/dd.c:548
        driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
        __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
        bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
        __device_attach+0x217/0x360 drivers/base/dd.c:882
        bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
        device_add+0xae6/0x16f0 drivers/base/core.c:2114
        usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
        hub_port_connect drivers/usb/core/hub.c:5098 [inline]
        hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
        port_event drivers/usb/core/hub.c:5359 [inline]
        hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
        process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
        worker_thread+0x96/0xe20 kernel/workqueue.c:2415
        kthread+0x318/0x420 kernel/kthread.c:255
        ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
      
      Freed by task 104:
        save_stack+0x1b/0x80 mm/kasan/common.c:69
        set_track mm/kasan/common.c:77 [inline]
        __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
        slab_free_hook mm/slub.c:1423 [inline]
        slab_free_freelist_hook mm/slub.c:1470 [inline]
        slab_free mm/slub.c:3012 [inline]
        kfree+0xe4/0x2f0 mm/slub.c:3953
        hiddev_connect.cold+0x45/0x5c drivers/hid/usbhid/hiddev.c:914
        hid_connect+0x239/0xbb0 drivers/hid/hid-core.c:1882
        hid_hw_start drivers/hid/hid-core.c:1981 [inline]
        hid_hw_start+0xa2/0x130 drivers/hid/hid-core.c:1972
        appleir_probe+0x13e/0x1a0 drivers/hid/hid-appleir.c:308
        hid_device_probe+0x2be/0x3f0 drivers/hid/hid-core.c:2209
        really_probe+0x281/0x650 drivers/base/dd.c:548
        driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
        __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
        bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
        __device_attach+0x217/0x360 drivers/base/dd.c:882
        bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
        device_add+0xae6/0x16f0 drivers/base/core.c:2114
        hid_add_device+0x33c/0x990 drivers/hid/hid-core.c:2365
        usbhid_probe+0xa81/0xfa0 drivers/hid/usbhid/hid-core.c:1386
        usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
        really_probe+0x281/0x650 drivers/base/dd.c:548
        driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
        __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
        bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
        __device_attach+0x217/0x360 drivers/base/dd.c:882
        bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
        device_add+0xae6/0x16f0 drivers/base/core.c:2114
        usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
        generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
        usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
        really_probe+0x281/0x650 drivers/base/dd.c:548
        driver_probe_device+0x101/0x1b0 drivers/base/dd.c:709
        __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:816
        bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
        __device_attach+0x217/0x360 drivers/base/dd.c:882
        bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
        device_add+0xae6/0x16f0 drivers/base/core.c:2114
        usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
        hub_port_connect drivers/usb/core/hub.c:5098 [inline]
        hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
        port_event drivers/usb/core/hub.c:5359 [inline]
        hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
        process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
        worker_thread+0x96/0xe20 kernel/workqueue.c:2415
        kthread+0x318/0x420 kernel/kthread.c:255
        ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
      
      The buggy address belongs to the object at ffff8881cf591900
        which belongs to the cache kmalloc-512 of size 512
      The buggy address is located 264 bytes inside of
        512-byte region [ffff8881cf591900, ffff8881cf591b00)
      The buggy address belongs to the page:
      page:ffffea00073d6400 refcount:1 mapcount:0 mapping:ffff8881da002500
      index:0x0 compound_mapcount: 0
      flags: 0x200000000010200(slab|head)
      raw: 0200000000010200 0000000000000000 0000000100000001 ffff8881da002500
      raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
        ffff8881cf591900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
        ffff8881cf591980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      > ffff8881cf591a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                             ^
        ffff8881cf591a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
        ffff8881cf591b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      ==================================================================
      
      In order to avoid opening a disconnected device, we need to check exist
      again after acquiring the existance lock, and bail out if necessary.
      Reported-by: default avatarsyzbot <syzbot+62a1e04fd3ec2abf099e@syzkaller.appspotmail.com>
      Cc: Andrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarHillf Danton <hdanton@sina.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      9c09b214
  6. 05 Aug, 2019 10 commits
  7. 04 Aug, 2019 10 commits
  8. 03 Aug, 2019 7 commits
    • Linus Torvalds's avatar
      Merge branch 'i2c/for-current-fixed' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · cf6c8aef
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "A set of driver fixes for the I2C subsystem"
      
      * 'i2c/for-current-fixed' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: s3c2410: Mark expected switch fall-through
        i2c: at91: fix clk_offset for sama5d2
        i2c: at91: disable TXRDY interrupt after sending data
        i2c: iproc: Fix i2c master read more than 63 bytes
        eeprom: at24: make spd world-readable again
      cf6c8aef
    • Josh Poimboeuf's avatar
      Documentation: Add swapgs description to the Spectre v1 documentation · 4c920576
      Josh Poimboeuf authored
      Add documentation to the Spectre document about the new swapgs variant of
      Spectre v1.
      Signed-off-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      4c920576
    • Linus Torvalds's avatar
      Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 8b7fd679
      Linus Torvalds authored
      Pull perf tooling fixes from Thomas Gleixner:
       "A set of updates for perf tools and documentation:
      
        perf header:
          - Prevent a division by zero
          - Deal with an uninitialized warning proper
      
        libbpf:
          - Fix the missiong __WORDSIZE definition for musl & al
      
        UAPI headers:
          - Synchronize kernel headers
      
        Documentation:
          - Fix the memory units for perf.data size"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        libbpf: fix missing __WORDSIZE definition
        perf tools: Fix perf.data documentation units for memory size
        perf header: Fix use of unitialized value warning
        perf header: Fix divide by zero error if f_header.attr_size==0
        tools headers UAPI: Sync if_link.h with the kernel
        tools headers UAPI: Sync sched.h with the kernel
        tools headers UAPI: Sync usbdevice_fs.h with the kernels to get new ioctl
        tools perf beauty: Fix usbdevfs_ioctl table generator to handle _IOC()
        tools headers UAPI: Update tools's copy of drm.h headers
        tools headers UAPI: Update tools's copy of mman.h headers
        tools headers UAPI: Update tools's copy of kvm.h headers
        tools include UAPI: Sync x86's syscalls_64.tbl and generic unistd.h to pick up clone3 and pidfd_open
      8b7fd679
    • Linus Torvalds's avatar
      Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 0432a0a0
      Linus Torvalds authored
      Pull vdso timer fixes from Thomas Gleixner:
       "A series of commits to deal with the regression caused by the generic
        VDSO implementation.
      
        The usage of clock_gettime64() for 32bit compat fallback syscalls
        caused seccomp filters to kill innocent processes because they only
        allow clock_gettime().
      
        Handle the compat syscalls with clock_gettime() as before, which is
        not a functional problem for the VDSO as the legacy compat application
        interface is not y2038 safe anyway. It's just extra fallback code
        which needs to be implemented on every architecture.
      
        It's opt in for now so that it does not break the compile of already
        converted architectures in linux-next. Once these are fixed, the
        #ifdeffery goes away.
      
        So much for trying to be smart and reuse code..."
      
      * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        arm64: compat: vdso: Use legacy syscalls as fallback
        x86/vdso/32: Use 32bit syscall fallback
        lib/vdso/32: Provide legacy syscall fallbacks
        lib/vdso: Move fallback invocation to the callers
        lib/vdso/32: Remove inconsistent NULL pointer checks
      0432a0a0
    • Linus Torvalds's avatar
      Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · af42e745
      Linus Torvalds authored
      Pull irq fixes from Thomas Gleixner:
       "A small bunch of fixes from the irqchip department:
      
         - Fix a couple of UAF on error paths (RZA1, GICv3 ITS)
      
         - Fix iMX GPCv2 trigger setting
      
         - Add missing of_node_put() on error path in MBIGEN
      
         - Add another bunch of /* fall-through */ to silence warnings"
      
      * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        irqchip/renesas-rza1: Fix an use-after-free in rza1_irqc_probe()
        irqchip/irq-imx-gpcv2: Forward irq type to parent
        irqchip/irq-mbigen: Add of_node_put() before return
        irqchip/gic-v3-its: Free unused vpt_page when alloc vpe table fail
        irqchip/gic-v3: Mark expected switch fall-through
      af42e745
    • Linus Torvalds's avatar
      Merge tag 'xfs-5.3-fixes-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · e12b243d
      Linus Torvalds authored
      Pull xfs fixes from Darrick Wong:
      
       - Avoid leaking kernel stack contents to userspace
      
       - Fix a potential null pointer dereference in the dabtree scrub code
      
      * tag 'xfs-5.3-fixes-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: Fix possible null-pointer dereferences in xchk_da_btree_block_check_sibling()
        xfs: fix stack contents leakage in the v1 inumber ioctls
      e12b243d
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · b7aea68a
      Linus Torvalds authored
      Merge misc fixes from Andrew Morton:
       "17 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        drivers/acpi/scan.c: document why we don't need the device_hotplug_lock
        memremap: move from kernel/ to mm/
        lib/test_meminit.c: use GFP_ATOMIC in RCU critical section
        asm-generic: fix -Wtype-limits compiler warnings
        cgroup: kselftest: relax fs_spec checks
        mm/memory_hotplug.c: remove unneeded return for void function
        mm/migrate.c: initialize pud_entry in migrate_vma()
        coredump: split pipe command whitespace before expanding template
        page flags: prioritize kasan bits over last-cpuid
        ubsan: build ubsan.c more conservatively
        kasan: remove clang version check for KASAN_STACK
        mm: compaction: avoid 100% CPU usage during compaction when a task is killed
        mm: migrate: fix reference check race between __find_get_block() and migration
        mm: vmscan: check if mem cgroup is disabled or not before calling memcg slab shrinker
        ocfs2: remove set but not used variable 'last_hash'
        Revert "kmemleak: allow to coexist with fault injection"
        kernel/signal.c: fix a kernel-doc markup
      b7aea68a