1. 10 Dec, 2018 2 commits
    • iommu/arm-smmu-v3: Avoid memory corruption from Hisilicon MSI payloads · 84a9a757
      Zhen Lei authored
      The GITS_TRANSLATER MMIO doorbell register in the ITS hardware is
      architected to be 4 bytes in size, yet on hi1620 and earlier, Hisilicon
      have allocated the adjacent 4 bytes to carry some IMPDEF sideband
      information which results in an 8-byte MSI payload being delivered when
      signalling an interrupt:
      
      MSIAddr:
      	 |----4bytes----|----4bytes----|
      	 |    MSIData   |    IMPDEF    |
      
      This poses no problem for the ITS hardware because the adjacent 4 bytes
      are reserved in the memory map. However, when delivering MSIs to memory,
      as we do in the SMMUv3 driver for signalling the completion of a SYNC
      command, the extended payload will corrupt the 4 bytes adjacent to the
      "sync_count" member in struct arm_smmu_device. Fortunately, the current
      layout allocates these bytes to padding, but this is fragile and we
      should make this explicit.
      Reviewed-by: Robin Murphy <robin.murphy@arm.com>
      Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
      [will: Rewrote commit message and comment]
      Signed-off-by: Will Deacon <will.deacon@arm.com>
    • iommu/arm-smmu-v3: Fix big-endian CMD_SYNC writes · 3cd508a8
      Robin Murphy authored
      When we insert the sync sequence number into the CMD_SYNC.MSIData field,
      we do so in CPU-native byte order, before writing out the whole command
      as explicitly little-endian dwords. Thus on big-endian systems, the SMMU
      will receive and write back a byteswapped version of sync_nr, which would
      be perfect if it were targeting a similarly-little-endian ITS, but since
      it's actually writing back to memory being polled by the CPUs, they're
      going to end up seeing the wrong thing.
      
      Since the SMMU doesn't care what the MSIData actually contains, the
      minimal-overhead solution is to simply add an extra byteswap initially,
      such that it then writes back the big-endian format directly.
      
      Cc: <stable@vger.kernel.org>
      Fixes: 37de98f8 ("iommu/arm-smmu-v3: Use CMD_SYNC completion MSI")
      Signed-off-by: Robin Murphy <robin.murphy@arm.com>
      Signed-off-by: Will Deacon <will.deacon@arm.com>
  2. 18 Nov, 2018 23 commits
  3. 16 Nov, 2018 9 commits
    • Merge tag 'fsnotify_for_v4.20-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs · 1ce80e0f
      Linus Torvalds authored
      Pull fsnotify fix from Jan Kara:
       "One small fsnotify fix for duplicate events"
      
      * tag 'fsnotify_for_v4.20-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
        fanotify: fix handling of events on child sub-directory
    • Merge tag 'gfs2-4.20.fixes3' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 · e6a2562f
      Linus Torvalds authored
      Pull gfs2 fixes from Andreas Gruenbacher:
       "Fix two bugs leading to leaked buffer head references:
      
         - gfs2: Put bitmap buffers in put_super
         - gfs2: Fix iomap buffer head reference counting bug
      
        And one bug leading to significant slow-downs when deleting large
        files:
      
         - gfs2: Fix metadata read-ahead during truncate (2)"
      
      * tag 'gfs2-4.20.fixes3' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2:
        gfs2: Fix iomap buffer head reference counting bug
        gfs2: Fix metadata read-ahead during truncate (2)
        gfs2: Put bitmap buffers in put_super
    • gfs2: Fix iomap buffer head reference counting bug · c26b5aa8
      Andreas Gruenbacher authored
      GFS2 passes the inode buffer head (dibh) from gfs2_iomap_begin to
      gfs2_iomap_end in iomap->private.  It sets that private pointer in
      gfs2_iomap_get.  Users of gfs2_iomap_get other than gfs2_iomap_begin
      would have to release iomap->private, but this isn't done correctly,
      leading to a leak of buffer head references.
      
      To fix this, move the code for setting iomap->private from
      gfs2_iomap_get to gfs2_iomap_begin.
      
      Fixes: 64bc06bb ("gfs2: iomap buffered write support")
      Cc: stable@vger.kernel.org # v4.19+
      Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 32e2524a
      Linus Torvalds authored
      Pull crypto fixes from Herbert Xu:
       "This fixes the following issues:
      
         - Potential memory overwrite in simd
      
         - Kernel info leaks in crypto_user
      
         - NULL dereference and use-after-free in hisilicon"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: user - Zeroize whole structure given to user space
        crypto: user - fix leaking uninitialized memory to userspace
        crypto: simd - correctly take reqsize of wrapped skcipher into account
        crypto: hisilicon - Fix reference after free of memories on error path
        crypto: hisilicon - Fix NULL dereference for same dst and src
    • Merge tag 'drm-fixes-2018-11-16' of git://anongit.freedesktop.org/drm/drm · 4efd3460
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Live from Vancouver, SoC maintainer talk, this week's drm fixes pull
        for rc3:
      
        omapdrm:
         - regression fixes for the reordering bridge stuff that went into rc1
      
        i915:
         - incorrect EU count fix
         - HPD storm fix
         - MST fix
         - relocation fix for gen4/5
      
        amdgpu:
         - huge page handling fix
         - IH ring setup
         - XGMI aperture setup
         - watermark setup fix
      
        misc:
         - docs and MST fix"
      
      * tag 'drm-fixes-2018-11-16' of git://anongit.freedesktop.org/drm/drm: (23 commits)
        drm/i915: Account for scale factor when calculating initial phase
        drm/i915: Clean up skl_program_scaler()
        drm/i915: Move programming plane scaler to its own function.
        drm/i915/icl: Drop spurious register read from icl_dbuf_slices_update
        drm/i915: fix broadwell EU computation
        drm/amdgpu: fix huge page handling on Vega10
        drm/amd/pp: Fix truncated clock value when set watermark
        drm/amdgpu: fix bug with IH ring setup
        drm/meson: venc: dmt mode must use encp
        drm/amdgpu: set system aperture to cover whole FB region
        drm/i915: Fix hpd handling for pins with two encoders
        drm/i915/execlists: Force write serialisation into context image vs execution
        drm/i915/icl: Fix power well 2 wrt. DC-off toggling order
        drm/i915: Fix NULL deref when re-enabling HPD IRQs on systems with MST
        drm/i915: Fix possible race in intel_dp_add_mst_connector()
        drm/i915/ringbuffer: Delay after EMIT_INVALIDATE for gen4/gen5
        drm/omap: dsi: Fix missing of_platform_depopulate()
        drm/omap: Move DISPC runtime PM handling to omapdrm
        drm/omap: dsi: Ensure the device is active during probe
        drm/omap: hdmi4: Ensure the device is active during bind
        ...
    • Merge tag 'powerpc-4.20-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · ef268de1
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "Two weeks' worth of fixes since rc1.
      
         - I broke 16-byte alignment of the stack when we moved PPR into
           pt_regs. Despite being required by the ABI this broke almost
           nothing, we eventually hit it in code where GCC does arithmetic on
           the stack pointer assuming the bottom 4 bits are clear. Fix it by
           padding the in-kernel pt_regs by 8 bytes.
      
         - A couple of commits fixing minor bugs in the recent SLB rewrite.
      
         - A build fix related to tracepoints in KVM in some configurations.
      
         - Our old "IO workarounds" code written for Cell couldn't coexist in
           a kernel that runs on Power9 with the Radix MMU, fix that.
      
         - Remove the NPU DMA ops, these just printed a warning and should
           never have been called.
      
         - Suppress an overly chatty message triggered by CPU hotplug in some
           configs.
      
         - Two small selftest fixes.
      
        Thanks to: Alistair Popple, Gustavo Romero, Nicholas Piggin, Satheesh
        Rajendran, Scott Wood"
      
      * tag 'powerpc-4.20-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        selftests/powerpc: Adjust wild_bctr to build with old binutils
        powerpc/64: Fix kernel stack 16-byte alignment
        powerpc/numa: Suppress "VPHN is not supported" messages
        selftests/powerpc: Fix wild_bctr test to work on ppc64
        powerpc/io: Fix the IO workarounds code to work with Radix
        powerpc/mm/64s: Fix preempt warning in slb_allocate_kernel()
        KVM: PPC: Move and undef TRACE_INCLUDE_PATH/FILE
        powerpc/mm/64s: Only use slbfee on CPUs that support it
        powerpc/mm/64s: Use PPC_SLBFEE macro
        powerpc/mm/64s: Consolidate SLB assertions
        powerpc/powernv/npu: Remove NPU DMA ops
    • Merge tag 'xtensa-20181115' of git://github.com/jcmvbkbc/linux-xtensa · 50d25bdc
      Linus Torvalds authored
      Pull Xtensa fixes from Max Filippov:
      
       - fix stack alignment for bFLT binaries.
      
       - fix physical-to-virtual address translation for boot parameters in
         MMUv3 256+256 and 512+512 virtual memory layouts.
      
      * tag 'xtensa-20181115' of git://github.com/jcmvbkbc/linux-xtensa:
        xtensa: fix boot parameters address translation
        xtensa: make sure bFLT stack is 16 byte aligned
    • Merge tag 'for-linus-20181115' of git://git.kernel.dk/linux-block · 59749c2d
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - Discard loop fix, caused by integer overflow (Dave)
      
       - Blacklist of Samsung drive that hangs with power management (Diego)
      
       - Copy bio priority when cloning it (Hannes)
      
       - Fix race condition exposed in floppy (me)
      
       - Fix SCSI queue cleanup regression. While elusive, it caused oopses in
         queue running (Ming)
      
       - Fix bad string copy in kyber tracing (Omar)
      
      * tag 'for-linus-20181115' of git://git.kernel.dk/linux-block:
        SCSI: fix queue cleanup race before queue initialization is done
        block: fix 32 bit overflow in __blkdev_issue_discard()
        libata: blacklist SAMSUNG MZ7TD256HAFV-000L9 SSD
        block: copy ioprio in __bio_clone_fast() and bounce
        kyber: fix wrong strlcpy() size in trace_kyber_latency()
        floppy: fix race condition in __floppy_read_block_0()
    • Merge tag 'fuse-fixes-4.20-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse · 9b5f361a
      Linus Torvalds authored
      Pull fuse fixes from Miklos Szeredi:
       "A couple of fixes, all bound for -stable (i.e. not regressions in this
        cycle)"
      
      * tag 'fuse-fixes-4.20-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse:
        fuse: fix use-after-free in fuse_direct_IO()
        fuse: fix possibly missed wake-up after abort
        fuse: fix leaked notify reply
  4. 15 Nov, 2018 6 commits