1. 03 Mar, 2020 4 commits
    • binder: prevent UAF for binderfs devices II · f0fe2c0f
      Christian Brauner authored
      This is a necessary follow up to the first fix I proposed and we merged
      in 2669b8b0 ("binder: prevent UAF for binderfs devices"). I have been
      overly optimistic that the simple fix I proposed would work. But alas,
      ihold() + iput() won't work since the inodes won't survive the
      destruction of the superblock.
      So all we get with my prior fix is a different race with a tinier
      race-window but it doesn't solve the issue. Fwiw, the problem lies with
      generic_shutdown_super(). It even has this cozy Al-style comment:
      
                if (!list_empty(&sb->s_inodes)) {
                        printk("VFS: Busy inodes after unmount of %s. "
                           "Self-destruct in 5 seconds.  Have a nice day...\n",
                           sb->s_id);
                }
      
      On binder_release(), binder_defer_work(proc, BINDER_DEFERRED_RELEASE) is
      called which punts the actual cleanup operation to a workqueue. At some
      point, binder_deferred_func() will be called which will end up calling
      binder_deferred_release() which will retrieve and cleanup the
      binder_context attached to this struct binder_proc.
      
      If we trace back where this binder_context is attached to binder_proc we
      see that it is set in binder_open() and is taken from the struct
      binder_device it is associated with. This obviously assumes that the
      struct binder_device that context is attached to is _never_ freed. While
      that might be true for devtmpfs binder devices it is most certainly
      wrong for binderfs binder devices.
      
      So, assume binder_open() is called on a binderfs binder device. We now
      stash away the struct binder_context associated with that struct
      binder_device:
      	proc->context = &binder_dev->context;
      	/* binderfs stashes devices in i_private */
      	if (is_binderfs_device(nodp)) {
      		binder_dev = nodp->i_private;
      		info = nodp->i_sb->s_fs_info;
      		binder_binderfs_dir_entry_proc = info->proc_log_dir;
      	} else {
      	.
      	.
      	.
      	proc->context = &binder_dev->context;
      
      Now let's assume that the binderfs instance for that binder device is
      shutdown via umount() and/or the mount namespace associated with it goes
      away. As long as there is still an fd open for that binderfs binder
      device things are fine. But let's assume we now close the last fd for
      that binderfs binder device. Now binder_release() is called and punts to
      the workqueue. Assume that the workqueue has quite a bit of stuff to do
      and doesn't get to cleaning up the struct binder_proc and the associated
      struct binder_context with it for that binderfs binder device right
      away. In the meantime, the VFS is killing the super block and is
      ultimately calling sb->evict_inode() which means it will call
      binderfs_evict_inode() which does:
      
      static void binderfs_evict_inode(struct inode *inode)
      {
      	struct binder_device *device = inode->i_private;
      	struct binderfs_info *info = BINDERFS_I(inode);
      
      	clear_inode(inode);
      
      	if (!S_ISCHR(inode->i_mode) || !device)
      		return;
      
      	mutex_lock(&binderfs_minors_mutex);
      	--info->device_count;
      	ida_free(&binderfs_minors, device->miscdev.minor);
      	mutex_unlock(&binderfs_minors_mutex);
      
      	kfree(device->context.name);
      	kfree(device);
      }
      
      thereby freeing the struct binder_device including struct
      binder_context.
      
      Now the workqueue finally has time to get around to cleaning up struct
      binder_proc and is now trying to access the associated struct
      binder_context. Since it's already freed it will OOPs.
      
      Fix this by introducing a refcount on binder devices.
      
      This is an alternative fix to 51d8a7ec ("binder: prevent UAF read in
      print_binder_transaction_log_entry()").
      
      Fixes: 3ad20fe3 ("binder: implement binderfs")
      Fixes: 2669b8b0 ("binder: prevent UAF for binderfs devices")
      Fixes: 03e2e07e ("binder: Make transaction_log available in binderfs")
      Related : 51d8a7ec ("binder: prevent UAF read in print_binder_transaction_log_entry()")
      Cc: stable@vger.kernel.org
      Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
      Acked-by: Todd Kjos <tkjos@google.com>
      Link: https://lore.kernel.org/r/20200303164340.670054-1-christian.brauner@ubuntu.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      f0fe2c0f
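The ordering described in the commit message above (open, superblock teardown, late workqueue cleanup) can be replayed in user space. This is an added example, not the kernel patch: every `model_*` name is hypothetical, and it only shows why a per-device reference count keeps the context alive until the deferred release has run.

```c
/* User-space model of the binderfs device lifetime; constructed for
 * illustration. All model_* names are hypothetical, not kernel symbols. */
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct model_context { char *name; };

struct model_device {
	atomic_int ref;                 /* 1 for the inode + 1 per open proc */
	struct model_context context;   /* embedded, freed with the device */
};

struct model_proc {
	struct model_device *dev;       /* kept so the late cleanup can drop its ref */
	struct model_context *context;  /* points into *dev, as set at open time */
};

static int model_devices_freed;         /* instrumentation for the replay */

static struct model_device *model_device_create(const char *name)
{
	size_t n = strlen(name) + 1;
	struct model_device *dev = calloc(1, sizeof(*dev));

	if (!dev)
		return NULL;
	dev->context.name = malloc(n);
	if (!dev->context.name) {
		free(dev);
		return NULL;
	}
	memcpy(dev->context.name, name, n);
	atomic_init(&dev->ref, 1);      /* reference owned by the inode */
	return dev;
}

/* Drop one reference; only the last holder frees the device and its context. */
static void model_device_put(struct model_device *dev)
{
	if (atomic_fetch_sub(&dev->ref, 1) == 1) {
		free(dev->context.name);
		free(dev);
		model_devices_freed++;
	}
}

/* Stand-in for the open path: take a reference before stashing the context. */
static void model_open(struct model_proc *proc, struct model_device *dev)
{
	atomic_fetch_add(&dev->ref, 1);
	proc->dev = dev;
	proc->context = &dev->context;
}

/* Stand-in for inode eviction: drop the inode's reference instead of freeing. */
static void model_evict_inode(struct model_device **i_private)
{
	struct model_device *dev = *i_private;

	*i_private = NULL;
	if (dev)
		model_device_put(dev);
}

/* Stand-in for the deferred release that the workqueue runs late. */
static size_t model_deferred_release(struct model_proc *proc)
{
	size_t len = strlen(proc->context->name); /* safe: proc still holds a ref */
	struct model_device *dev = proc->dev;

	proc->context = NULL;
	proc->dev = NULL;
	model_device_put(dev);          /* last reference: device freed here */
	return len;
}

/* Replays: open -> superblock teardown -> late workqueue cleanup.
 * Returns the total number of devices freed, or -1 on allocation failure. */
static int model_replay(int *freed_after_evict, size_t *name_len)
{
	struct model_device *i_private = model_device_create("binder0");
	struct model_proc proc = { 0 };

	if (!i_private)
		return -1;
	model_devices_freed = 0;
	model_open(&proc, i_private);
	model_evict_inode(&i_private);
	*freed_after_evict = model_devices_freed;
	*name_len = model_deferred_release(&proc);
	return model_devices_freed;
}

int main(void)
{
	int freed_after_evict = -1;
	size_t len = 0;
	int total = model_replay(&freed_after_evict, &len);

	printf("freed after evict: %d, name length seen by late cleanup: %zu, "
	       "freed in total: %d\n", freed_after_evict, len, total);
	return total == 1 ? 0 : 1;
}
```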
    • interconnect: Handle memory allocation errors · 37911636
      Georgi Djakov authored
      When we allocate memory, kasprintf() can fail and we must check its
      return value.
      
      Fixes: 05309830 ("interconnect: Add a name to struct icc_path")
      Signed-off-by: Georgi Djakov <georgi.djakov@linaro.org>
      Link: https://lore.kernel.org/r/20200226110420.5357-2-georgi.djakov@linaro.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      37911636
    • altera-stapl: altera_get_note: prevent write beyond end of 'key' · 3745488e
      Daniel Axtens authored
      altera_get_note is called from altera_init, where key is kzalloc(33).
      
      When the allocation functions are annotated to allow the compiler to see
      the sizes of objects, and with FORTIFY_SOURCE, we see:
      
      In file included from drivers/misc/altera-stapl/altera.c:14:0:
      In function ‘strlcpy’,
          inlined from ‘altera_init’ at drivers/misc/altera-stapl/altera.c:2189:5:
      include/linux/string.h:378:4: error: call to ‘__write_overflow’ declared with attribute error: detected write beyond size of object passed as 1st parameter
          __write_overflow();
          ^~~~~~~~~~~~~~~~~~
      
      That refers to this code in altera_get_note:
      
          if (key != NULL)
                  strlcpy(key, &p[note_strings +
                                  get_unaligned_be32(
                                  &p[note_table + (8 * i)])],
                          length);
      
      The error triggers because the length of 'key' is 33, but the copy
      uses length supplied as the 'length' parameter, which is always
      256. Split the size parameter into key_len and val_len, and use the
      appropriate length depending on what is being copied.
      
      Detected by compiler error, only compile-tested.
      
      Cc: "Igor M. Liplianin" <liplianin@netup.ru>
      Signed-off-by: Daniel Axtens <dja@axtens.net>
      Link: https://lore.kernel.org/r/20200120074344.504-2-dja@axtens.net
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Link: https://lore.kernel.org/r/202002251042.D898E67AC@keescook
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      3745488e
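The key_len/val_len split described in the commit message above, as an added user-space example (not the driver code). The blob is constructed, the helper names are hypothetical, and the value offset at `note_table + 8 * i + 4` and the 256-byte value buffer are assumptions of this model.

```c
/* User-space model of a note lookup with separate destination sizes.
 * Constructed for illustration; not the altera-stapl driver source. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 33   /* the commit message: key is kzalloc(33) */
#define VAL_LEN 256  /* the single 'length' the old call used for both copies */

static uint32_t be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)(v >> 24);
	p[1] = (uint8_t)(v >> 16);
	p[2] = (uint8_t)(v >> 8);
	p[3] = (uint8_t)v;
}

/* Bytes a strlcpy-style copy writes to dst (including the NUL) for a source
 * of src_len characters when told that dst holds 'size' bytes. */
static size_t copy_footprint(size_t src_len, size_t size)
{
	if (size == 0)
		return 0;
	return (src_len < size - 1 ? src_len : size - 1) + 1;
}

/* strlcpy-style copy: truncates to size - 1 and always NUL-terminates. */
static size_t bounded_copy(char *dst, const char *src, size_t size)
{
	size_t n = strlen(src);

	if (size) {
		size_t c = copy_footprint(n, size) - 1;

		memcpy(dst, src, c);
		dst[c] = '\0';
	}
	return n;
}

/* Each destination is copied with its own size, never a shared 'length'. */
static void get_note(const uint8_t *p, uint32_t note_strings,
		     uint32_t note_table, int i,
		     char *key, size_t key_len, char *value, size_t val_len)
{
	const uint8_t *entry = &p[note_table + 8 * (uint32_t)i];

	if (key != NULL)
		bounded_copy(key, (const char *)&p[note_strings + be32(entry)],
			     key_len);
	if (value != NULL)  /* value offset at entry + 4 is an assumption */
		bounded_copy(value,
			     (const char *)&p[note_strings + be32(entry + 4)],
			     val_len);
}

/* Constructed blob: one table entry at offset 0, strings from offset 8.
 * The key is 40 characters, longer than the 33-byte key buffer. */
static void build_blob(uint8_t blob[64])
{
	memset(blob, 0, 64);
	put_be32(&blob[0], 0);          /* key offset within the strings area */
	put_be32(&blob[4], 41);         /* value offset within the strings area */
	memset(&blob[8], 'K', 40);      /* blob[48] stays NUL */
	memcpy(&blob[49], "v1.0", 5);
}

/* Returns 1 when the key was truncated to fit and the bytes after it survived. */
static int demo_fixed(void)
{
	uint8_t blob[64];
	struct { char key[KEY_LEN]; char canary[8]; } k;
	char value[VAL_LEN];

	memset(&k, 0, sizeof(k));
	memcpy(k.canary, "CANARY!", 8);
	build_blob(blob);
	get_note(blob, 8, 0, 0, k.key, sizeof(k.key), value, sizeof(value));
	return strlen(k.key) == KEY_LEN - 1 &&
	       memcmp(k.canary, "CANARY!", 8) == 0 &&
	       strcmp(value, "v1.0") == 0;
}

int main(void)
{
	printf("old call (size 256) would write %zu bytes into a %d-byte key\n",
	       copy_footprint(40, VAL_LEN), KEY_LEN);
	printf("split sizes write %zu bytes; canary intact: %d\n",
	       copy_footprint(40, KEY_LEN), demo_fixed());
	return 0;
}
```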
    • binder: prevent UAF for binderfs devices · 2669b8b0
      Christian Brauner authored
      On binder_release(), binder_defer_work(proc, BINDER_DEFERRED_RELEASE) is
      called which punts the actual cleanup operation to a workqueue. At some
      point, binder_deferred_func() will be called which will end up calling
      binder_deferred_release() which will retrieve and cleanup the
      binder_context attached to this struct binder_proc.
      
      If we trace back where this binder_context is attached to binder_proc we
      see that it is set in binder_open() and is taken from the struct
      binder_device it is associated with. This obviously assumes that the
      struct binder_device that context is attached to is _never_ freed. While
      that might be true for devtmpfs binder devices it is most certainly
      wrong for binderfs binder devices.
      
      So, assume binder_open() is called on a binderfs binder device. We now
      stash away the struct binder_context associated with that struct
      binder_device:
      	proc->context = &binder_dev->context;
      	/* binderfs stashes devices in i_private */
      	if (is_binderfs_device(nodp)) {
      		binder_dev = nodp->i_private;
      		info = nodp->i_sb->s_fs_info;
      		binder_binderfs_dir_entry_proc = info->proc_log_dir;
      	} else {
      	.
      	.
      	.
      	proc->context = &binder_dev->context;
      
      Now let's assume that the binderfs instance for that binder device is
      shutdown via umount() and/or the mount namespace associated with it goes
      away. As long as there is still an fd open for that binderfs binder
      device things are fine. But let's assume we now close the last fd for
      that binderfs binder device. Now binder_release() is called and punts to
      the workqueue. Assume that the workqueue has quite a bit of stuff to do
      and doesn't get to cleaning up the struct binder_proc and the associated
      struct binder_context with it for that binderfs binder device right
      away. In the meantime, the VFS is killing the super block and is
      ultimately calling sb->evict_inode() which means it will call
      binderfs_evict_inode() which does:
      
      static void binderfs_evict_inode(struct inode *inode)
      {
      	struct binder_device *device = inode->i_private;
      	struct binderfs_info *info = BINDERFS_I(inode);
      
      	clear_inode(inode);
      
      	if (!S_ISCHR(inode->i_mode) || !device)
      		return;
      
      	mutex_lock(&binderfs_minors_mutex);
      	--info->device_count;
      	ida_free(&binderfs_minors, device->miscdev.minor);
      	mutex_unlock(&binderfs_minors_mutex);
      
      	kfree(device->context.name);
      	kfree(device);
      }
      
      thereby freeing the struct binder_device including struct
      binder_context.
      
      Now the workqueue finally has time to get around to cleaning up struct
      binder_proc and is now trying to access the associated struct
      binder_context. Since it's already freed it will OOPs.
      
      Fix this by holding an additional reference to the inode that is only
      released once the workqueue is done cleaning up struct binder_proc. This
      is an easy alternative to introducing separate refcounting on struct
      binder_device which we can always do later if it becomes necessary.
      
      This is an alternative fix to 51d8a7ec ("binder: prevent UAF read in
      print_binder_transaction_log_entry()").
      
      Fixes: 3ad20fe3 ("binder: implement binderfs")
      Fixes: 03e2e07e ("binder: Make transaction_log available in binderfs")
      Related : 51d8a7ec ("binder: prevent UAF read in print_binder_transaction_log_entry()")
      Cc: stable@vger.kernel.org
      Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
      Acked-by: Todd Kjos <tkjos@google.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      2669b8b0
  2. 24 Feb, 2020 1 commit
  3. 23 Feb, 2020 7 commits
    • Merge tag 'for-5.6-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · d2eee258
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "These are fixes that were found during testing with help of error
        injection, plus some other stable material.
      
        There's a fixup to patch added to rc1 causing locking in wrong context
        warnings, tests found one more deadlock scenario. The patches are
        tagged for stable, two of them now in the queue but we'd like all
        three released at the same time.
      
        I'm not happy about fixes to fixes in such a fast succession during
        rcs, but I hope we found all the fallouts of commit 28553fa9
        ('Btrfs: fix race between shrinking truncate and fiemap')"
      
      * tag 'for-5.6-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        Btrfs: fix deadlock during fast fsync when logging prealloc extents beyond eof
        Btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents
        btrfs: fix bytes_may_use underflow in prealloc error condtition
        btrfs: handle logged extent failure properly
        btrfs: do not check delayed items are empty for single transaction cleanup
        btrfs: reset fs_root to NULL on error in open_ctree
        btrfs: destroy qgroup extent records on transaction abort
      d2eee258
    • Merge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 · a3163ca0
      Linus Torvalds authored
      Pull ext4 fixes from Ted Ts'o:
       "More miscellaneous ext4 bug fixes (all stable fodder)"
      
      * tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
        ext4: fix mount failure with quota configured as module
        jbd2: fix ocfs2 corrupt when clearing block group bits
        ext4: fix race between writepages and enabling EXT4_EXTENTS_FL
        ext4: rename s_journal_flag_rwsem to s_writepages_rwsem
        ext4: fix potential race between s_flex_groups online resizing and access
        ext4: fix potential race between s_group_info online resizing and access
        ext4: fix potential race between online resizing and write operations
        ext4: add cond_resched() to __ext4_find_entry()
        ext4: fix a data race in EXT4_I(inode)->i_disksize
      a3163ca0
    • Merge tag 'csky-for-linus-5.6-rc3' of git://github.com/c-sky/csky-linux · c6188dff
      Linus Torvalds authored
      Pull csky updates from Guo Ren:
       "Sorry, I missed 5.6-rc1 merge window, but in this pull request the
        most are the fixes and the rests are between fixes and features. The
        only outside modification is the MAINTAINERS file update with our
        mailing list.
      
         - cache flush implementation fixes
      
         - ftrace modify panic fix
      
         - CONFIG_SMP boot problem fix
      
         - fix pt_regs saving for atomic.S
      
         - fix fixaddr_init without highmem.
      
         - fix stack protector support
      
         - fix fake Tightly-Coupled Memory code compile and use
      
         - fix some typos and coding convention"
      
      * tag 'csky-for-linus-5.6-rc3' of git://github.com/c-sky/csky-linux: (23 commits)
        csky: Replace <linux/clk-provider.h> by <linux/of_clk.h>
        csky: Implement copy_thread_tls
        csky: Add PCI support
        csky: Minimize defconfig to support buildroot config.fragment
        csky: Add setup_initrd check code
        csky: Cleanup old Kconfig options
        arch/csky: fix some Kconfig typos
        csky: Fixup compile warning for three unimplemented syscalls
        csky: Remove unused cache implementation
        csky: Fixup ftrace modify panic
        csky: Add flush_icache_mm to defer flush icache all
        csky: Optimize abiv2 copy_to_user_page with VM_EXEC
        csky: Enable defer flush_dcache_page for abiv2 cpus (807/810/860)
        csky: Remove unnecessary flush_icache_* implementation
        csky: Support icache flush without specific instructions
        csky/Kconfig: Add Kconfig.platforms to support some drivers
        csky/smp: Fixup boot failed when CONFIG_SMP
        csky: Set regs->usp to kernel sp, when the exception is from kernel
        csky/mm: Fixup export invalid_pte_table symbol
        csky: Separate fixaddr_init from highmem
        ...
      c6188dff
    • csky: Replace <linux/clk-provider.h> by <linux/of_clk.h> · 99db590b
      Geert Uytterhoeven authored
      The C-Sky platform code is not a clock provider, and just needs to call
      of_clk_init().
      
      Hence it can include <linux/of_clk.h> instead of <linux/clk-provider.h>.
      Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
      99db590b
    • Merge tag 'ras-urgent-2020-02-22' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · dca132a6
      Linus Torvalds authored
      Pull RAS fixes from Thomas Gleixner:
       "Two fixes for the AMD MCE driver:
      
         - Populate the per CPU MCA bank descriptor pointer only after it has
           been completely set up to prevent a use-after-free in case that one
           of the subsequent initialization step fails
      
         - Implement a proper release function for the sysfs entries of MCA
           threshold controls instead of freeing the memory right in the CPU
           teardown code, which leads to another use-after-free when the
           associated sysfs file is opened and accessed"
      
      * tag 'ras-urgent-2020-02-22' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/mce/amd: Fix kobject lifetime
        x86/mce/amd: Publish the bank pointer only after setup has succeeded
      dca132a6
    • Merge tag 'irq-urgent-2020-02-22' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · f3cc2494
      Linus Torvalds authored
      Pull irq fixes from Thomas Gleixner:
       "Two fixes for the irq core code which are follow ups to the recent MSI
        fixes:
      
         - The WARN_ON which was put into the MSI setaffinity callback for
           paranoia reasons actually triggered via a callchain which escaped
           when all the possible ways to reach that code were analyzed.
      
           The proc/irq/$N/*affinity interfaces have a quirk which came in
           when ALPHA moved to the generic interface: In case that the written
           affinity mask does not contain any online CPU it calls into ALPHAs
           magic auto affinity setting code.
      
           A few years later this mechanism was also made available to x86 for
           no good reasons and in a way which circumvents all sanity checks
           for interrupts which cannot have their affinity set from process
           context on X86 due to the way the X86 interrupt delivery works.
      
           It would be possible to make this work properly, but there is no
           point in doing so. If the interrupt is not yet started then the
           affinity setting has no effect and if it is started already then it
           is already assigned to an online CPU so there is no point to
           randomly move it to some other CPU. Just return EINVAL as the code
           has done before that change forever.
      
         - The new MSI quirk bit in the irq domain flags turned out to be
           already occupied, which escaped the author and the reviewers
           because the already in use bits were 0,6,2,3,4,5 listed in that
           order.
      
           That bit 6 was simply overlooked because the ordering was straight
           forward linear otherwise. So the new bit ended up being a
           duplicate.
      
           Fix it up by switching the oddball 6 to the obvious 1"
      
      * tag 'irq-urgent-2020-02-22' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        genirq/irqdomain: Make sure all irq domain flags are distinct
        genirq/proc: Reject invalid affinity masks (again)
      f3cc2494
    • Merge tag 'x86-urgent-2020-02-22' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · fca10378
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
       "Two fixes for x86:
      
         - Remove the __force_order definition from the kaslr boot code as it is
           already defined in the page table code which makes GCC 10 builds
           fail because it changed the default to -fno-common.
      
         - Address the AMD erratum 1054 concerning the IRPERF capability and
           enable the Instructions Retired fixed counter on machines which are
           not affected by the erratum"
      
      * tag 'x86-urgent-2020-02-22' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF
        x86/boot/compressed: Don't declare __force_order in kaslr_64.c
      fca10378
  4. 22 Feb, 2020 15 commits
    • Merge tag 'zonefs-5.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/zonefs · 0a115e5f
      Linus Torvalds authored
      Pull zonefs fix from Damien Le Moal:
       "A single patch fixing typos in the documentation file"
      
      * tag 'zonefs-5.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/zonefs:
        zonefs: fix documentation typos etc.
      0a115e5f
    • Merge tag 'io_uring-5.6-2020-02-22' of git://git.kernel.dk/linux-block · b88025ea
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
       "Here's a small collection of fixes that were queued up:
      
         - Remove unnecessary NULL check (Dan)
      
         - Missing io_req_cancelled() call in fallocate (Pavel)
      
         - Put the cleanup check for aux data in the right spot (Pavel)
      
         - Two fixes for SQPOLL (Stefano, Xiaoguang)"
      
      * tag 'io_uring-5.6-2020-02-22' of git://git.kernel.dk/linux-block:
        io_uring: fix __io_iopoll_check deadlock in io_sq_thread
        io_uring: prevent sq_thread from spinning when it should stop
        io_uring: fix use-after-free by io_cleanup_req()
        io_uring: remove unnecessary NULL checks
        io_uring: add missing io_req_cancelled()
      b88025ea
    • Merge tag 'block-5.6-2020-02-22' of git://git.kernel.dk/linux-block · f6c69b7f
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "Just a set of NVMe fixes via Keith"
      
      * tag 'block-5.6-2020-02-22' of git://git.kernel.dk/linux-block:
        nvme-multipath: Fix memory leak with ana_log_buf
        nvme: Fix uninitialized-variable warning
        nvme-pci: Use single IRQ vector for old Apple models
        nvme/pci: Add sleep quirk for Samsung and Toshiba drives
      f6c69b7f
    • Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · b98b809c
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Four non-core fixes.
      
        Two are reverts of target fixes which turned out to have unwanted side
        effects, one is a revert of an RDMA fix with the same problem and the
        final one fixes an incorrect warning about memory allocation failures
        in megaraid_sas (the driver actually reduces the allocation size until
        it succeeds)"
      Signed-off-by: James E.J. Bottomley <jejb@linux.ibm.com>
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: Revert "target: iscsi: Wait for all commands to finish before freeing a session"
        scsi: Revert "RDMA/isert: Fix a recently introduced regression related to logout"
        scsi: megaraid_sas: silence a warning
        scsi: Revert "target/core: Inline transport_lun_remove_cmd()"
      b98b809c
    • Merge tag 'hwmon-for-v5.6-rc3' of... · 5b442b1a
      Linus Torvalds authored
      Merge tag 'hwmon-for-v5.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
      
      Pull hwmon fixes from Guenter Roeck:
      
       - Fix crash in w83627ehf driver seen with W83627DHG-P
      
       - Fix lockdep splat in acpi_power_meter driver
      
       - Fix xdpe12284 documentation Sphinx warnings
      
      * tag 'hwmon-for-v5.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
        hwmon: (w83627ehf) Fix crash seen with W83627DHG-P
        hwmon: (acpi_power_meter) Fix lockdep splat
        Documentation/hwmon: fix xdpe12284 Sphinx warnings
      5b442b1a
    • Merge tag 'devicetree-fixes-for-5.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux · fea63021
      Linus Torvalds authored
      Pull devicetree fixes from Rob Herring:
       "A handful of fixes in DT bindings for MDIO bus, Allwinner CSI, OMAP
        HSMMC, and Tegra124 EMC"
      
      * tag 'devicetree-fixes-for-5.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
        dt-bindings: media: csi: Fix clocks description
        dt-bindings: media: csi: Add interconnects properties
        dt-bindings: net: mdio: remove compatible string from example
        dt-bindings: memory-controller: Update example for Tegra124 EMC
        dt-bindings: mmc: omap-hsmmc: Fix SDIO interrupt
      fea63021
    • Merge tag 's390-5.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 591dd4c1
      Linus Torvalds authored
      Pull s390 fixes from Vasily Gorbik:
      
       - Remove ieee_emulation_warnings sysctl which is a dead code.
      
       - Avoid triggering rebuild of the kernel during make install.
      
       - Enable protected virtualization guest support in default configs.
      
       - Fix cio_ignore seq_file .next function to increase position index.
         And use kobj_to_dev instead of container_of in cio code.
      
       - Fix storage block address lists to contain absolute addresses in qdio
         code.
      
       - Few clang warnings and spelling fixes.
      
      * tag 's390-5.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/qdio: fill SBALEs with absolute addresses
        s390/qdio: fill SL with absolute addresses
        s390: remove obsolete ieee_emulation_warnings
        s390: make 'install' not depend on vmlinux
        s390/kaslr: Fix casts in get_random
        s390/mm: Explicitly compare PAGE_DEFAULT_KEY against zero in storage_key_init_range
        s390/pkey/zcrypt: spelling s/crytp/crypt/
        s390/cio: use kobj_to_dev() API
        s390/defconfig: enable CONFIG_PROTECTED_VIRTUALIZATION_GUEST
        s390/cio: cio_ignore_proc_seq_next should increase position index
      591dd4c1
    • io_uring: fix __io_iopoll_check deadlock in io_sq_thread · c7849be9
      Xiaoguang Wang authored
      Since commit a3a0e43f ("io_uring: don't enter poll loop if we have
      CQEs pending"), if we already have events pending, we won't enter poll loop.
      In case SETUP_IOPOLL and SETUP_SQPOLL are both enabled, if app has
      been terminated and doesn't reap pending events which are already in cq
      ring, and there are some reqs in poll_list, io_sq_thread will enter
      __io_iopoll_check(), and find pending events, then return, this loop
      will never have a chance to exit.
      
      I have seen this issue in fio stress tests, to fix this issue, let
      io_sq_thread call io_iopoll_getevents() with argument 'min' being zero,
      and remove __io_iopoll_check().
      
      Fixes: a3a0e43f ("io_uring: don't enter poll loop if we have CQEs pending")
      Signed-off-by: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      c7849be9
    • ext4: fix mount failure with quota configured as module · 9db176bc
      Jan Kara authored
      When CONFIG_QFMT_V2 is configured as a module, the test in
      ext4_feature_set_ok() fails and so mount of filesystems with quota or
      project features fails. Fix the test to use IS_ENABLED macro which
      works properly even for modules.
      
      Link: https://lore.kernel.org/r/20200221100835.9332-1-jack@suse.cz
      Fixes: d65d87a0 ("ext4: improve explanation of a mount failure caused by a misconfigured kernel")
      Signed-off-by: Jan Kara <jack@suse.cz>
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      9db176bc
    • jbd2: fix ocfs2 corrupt when clearing block group bits · 8eedabfd
      wangyan authored
      I found a NULL pointer dereference in ocfs2_block_group_clear_bits().
      The running environment:
      	kernel version: 4.19
      	A cluster with two nodes, 5 luns mounted on two nodes, and do some
      	file operations like dd/fallocate/truncate/rm on every lun with storage
      	network disconnection.
      
      The fallocate operation on dm-23-45 caused a NULL pointer dereference.
      
      The information of NULL pointer dereference as follows:
      	[577992.878282] JBD2: Error -5 detected when updating journal superblock for dm-23-45.
      	[577992.878290] Aborting journal on device dm-23-45.
      	...
      	[577992.890778] JBD2: Error -5 detected when updating journal superblock for dm-24-46.
      	[577992.890908] __journal_remove_journal_head: freeing b_committed_data
      	[577992.890916] (fallocate,88392,52):ocfs2_extend_trans:474 ERROR: status = -30
      	[577992.890918] __journal_remove_journal_head: freeing b_committed_data
      	[577992.890920] (fallocate,88392,52):ocfs2_rotate_tree_right:2500 ERROR: status = -30
      	[577992.890922] __journal_remove_journal_head: freeing b_committed_data
      	[577992.890924] (fallocate,88392,52):ocfs2_do_insert_extent:4382 ERROR: status = -30
      	[577992.890928] (fallocate,88392,52):ocfs2_insert_extent:4842 ERROR: status = -30
      	[577992.890928] __journal_remove_journal_head: freeing b_committed_data
      	[577992.890930] (fallocate,88392,52):ocfs2_add_clusters_in_btree:4947 ERROR: status = -30
      	[577992.890933] __journal_remove_journal_head: freeing b_committed_data
      	[577992.890939] __journal_remove_journal_head: freeing b_committed_data
      	[577992.890949] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
      	[577992.890950] Mem abort info:
      	[577992.890951]   ESR = 0x96000004
      	[577992.890952]   Exception class = DABT (current EL), IL = 32 bits
      	[577992.890952]   SET = 0, FnV = 0
      	[577992.890953]   EA = 0, S1PTW = 0
      	[577992.890954] Data abort info:
      	[577992.890955]   ISV = 0, ISS = 0x00000004
      	[577992.890956]   CM = 0, WnR = 0
      	[577992.890958] user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000f8da07a9
      	[577992.890960] [0000000000000020] pgd=0000000000000000
      	[577992.890964] Internal error: Oops: 96000004 [#1] SMP
      	[577992.890965] Process fallocate (pid: 88392, stack limit = 0x00000000013db2fd)
      	[577992.890968] CPU: 52 PID: 88392 Comm: fallocate Kdump: loaded Tainted: G        W  OE     4.19.36 #1
      	[577992.890969] Hardware name: Huawei TaiShan 2280 V2/BC82AMDD, BIOS 0.98 08/25/2019
      	[577992.890971] pstate: 60400009 (nZCv daif +PAN -UAO)
      	[577992.891054] pc : _ocfs2_free_suballoc_bits+0x63c/0x968 [ocfs2]
      	[577992.891082] lr : _ocfs2_free_suballoc_bits+0x618/0x968 [ocfs2]
      	[577992.891084] sp : ffff0000c8e2b810
      	[577992.891116] Call trace:
      	[577992.891139]  _ocfs2_free_suballoc_bits+0x63c/0x968 [ocfs2]
      	[577992.891162]  _ocfs2_free_clusters+0x100/0x290 [ocfs2]
      	[577992.891185]  ocfs2_free_clusters+0x50/0x68 [ocfs2]
      	[577992.891206]  ocfs2_add_clusters_in_btree+0x198/0x5e0 [ocfs2]
      	[577992.891227]  ocfs2_add_inode_data+0x94/0xc8 [ocfs2]
      	[577992.891248]  ocfs2_extend_allocation+0x1bc/0x7a8 [ocfs2]
      	[577992.891269]  ocfs2_allocate_extents+0x14c/0x338 [ocfs2]
      	[577992.891290]  __ocfs2_change_file_space+0x3f8/0x610 [ocfs2]
      	[577992.891309]  ocfs2_fallocate+0xe4/0x128 [ocfs2]
      	[577992.891316]  vfs_fallocate+0x11c/0x250
      	[577992.891317]  ksys_fallocate+0x54/0x88
      	[577992.891319]  __arm64_sys_fallocate+0x28/0x38
      	[577992.891323]  el0_svc_common+0x78/0x130
      	[577992.891325]  el0_svc_handler+0x38/0x78
      	[577992.891327]  el0_svc+0x8/0xc
      
      My analysis process is as follows:
      ocfs2_fallocate
        __ocfs2_change_file_space
          ocfs2_allocate_extents
            ocfs2_extend_allocation
              ocfs2_add_inode_data
                ocfs2_add_clusters_in_btree
                  ocfs2_insert_extent
                    ocfs2_do_insert_extent
                      ocfs2_rotate_tree_right
                        ocfs2_extend_rotate_transaction
                          ocfs2_extend_trans
                            jbd2_journal_restart
                              jbd2__journal_restart
                                /* handle->h_transaction is NULL,
                                 * is_handle_aborted(handle) is true
                                 */
                                handle->h_transaction = NULL;
                                start_this_handle
                                  return -EROFS;
                  ocfs2_free_clusters
                    _ocfs2_free_clusters
                      _ocfs2_free_suballoc_bits
                        ocfs2_block_group_clear_bits
                          ocfs2_journal_access_gd
                            __ocfs2_journal_access
                              jbd2_journal_get_undo_access
                                /* I think jbd2_write_access_granted() will
                                 * return true, because do_get_write_access()
                                 * will return -EROFS.
                                 */
                                if (jbd2_write_access_granted(...)) return 0;
                                do_get_write_access
                                  /* handle->h_transaction is NULL, it will
                                   * return -EROFS here, so do_get_write_access()
                                   * was not called.
                                   */
                                  if (is_handle_aborted(handle)) return -EROFS;
                          /* bh2jh(group_bh) is NULL, caused NULL
                             pointer dereference */
                          undo_bg = (struct ocfs2_group_desc *)
                                      bh2jh(group_bh)->b_committed_data;
      
      If handle->h_transaction == NULL, then jbd2_write_access_granted()
      does not really guarantee that journal_head will stay around,
      not even speaking of its b_committed_data. The bh2jh(group_bh)
      can be removed after ocfs2_journal_access_gd() and before call
      "bh2jh(group_bh)->b_committed_data". So, we should move
      is_handle_aborted() check from do_get_write_access() into
      jbd2_journal_get_undo_access() and jbd2_journal_get_write_access()
      before the call to jbd2_write_access_granted().
      
      Link: https://lore.kernel.org/r/f72a623f-b3f1-381a-d91d-d22a1c83a336@huawei.com
      Signed-off-by: Yan Wang <wangyan122@huawei.com>
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Reviewed-by: Jun Piao <piaojun@huawei.com>
      Reviewed-by: Jan Kara <jack@suse.cz>
      Cc: stable@kernel.org
      8eedabfd
    • ext4: fix race between writepages and enabling EXT4_EXTENTS_FL · cb85f4d2
      Eric Biggers authored
      If EXT4_EXTENTS_FL is set on an inode while ext4_writepages() is running
      on it, the following warning in ext4_add_complete_io() can be hit:
      
      WARNING: CPU: 1 PID: 0 at fs/ext4/page-io.c:234 ext4_put_io_end_defer+0xf0/0x120
      
      Here's a minimal reproducer (not 100% reliable) (root isn't required):
      
              while true; do
                      sync
              done &
              while true; do
                      rm -f file
                      touch file
                      chattr -e file
                      echo X >> file
                      chattr +e file
              done
      
      The problem is that in ext4_writepages(), ext4_should_dioread_nolock()
      (which only returns true on extent-based files) is checked once to set
      the number of reserved journal credits, and also again later to select
      the flags for ext4_map_blocks() and copy the reserved journal handle to
      ext4_io_end::handle.  But if EXT4_EXTENTS_FL is being concurrently set,
      the first check can see dioread_nolock disabled while the later one can
      see it enabled, causing the reserved handle to unexpectedly be NULL.
      
      Since changing EXT4_EXTENTS_FL is uncommon, and there may be other races
      related to doing so as well, fix this by synchronizing changing
      EXT4_EXTENTS_FL with ext4_writepages() via the existing
      s_writepages_rwsem (previously called s_journal_flag_rwsem).
      
      This was originally reported by syzbot without a reproducer at
      https://syzkaller.appspot.com/bug?extid=2202a584a00fffd19fbf,
      but now that dioread_nolock is the default I also started seeing this
      when running syzkaller locally.
      
      Link: https://lore.kernel.org/r/20200219183047.47417-3-ebiggers@kernel.org
      Reported-by: syzbot+2202a584a00fffd19fbf@syzkaller.appspotmail.com
      Fixes: 6b523df4 ("ext4: use transaction reservation for extent conversion in ext4_end_io")
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Reviewed-by: Jan Kara <jack@suse.cz>
      Cc: stable@kernel.org
    • ext4: rename s_journal_flag_rwsem to s_writepages_rwsem · bbd55937
      Eric Biggers authored
      In preparation for making s_journal_flag_rwsem synchronize
      ext4_writepages() with changes to both the EXTENTS and JOURNAL_DATA
      flags (rather than just JOURNAL_DATA as it does currently), rename it to
      s_writepages_rwsem.
      
      Link: https://lore.kernel.org/r/20200219183047.47417-2-ebiggers@kernel.org
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Reviewed-by: Jan Kara <jack@suse.cz>
      Cc: stable@kernel.org
    • ext4: fix potential race between s_flex_groups online resizing and access · 7c990728
      Suraj Jitindar Singh authored
      During an online resize an array of s_flex_groups structures gets replaced
      so it can get enlarged. If there is a concurrent access to the array and
      this memory has been reused then this can lead to an invalid memory access.
      
      The s_flex_group array has been converted into an array of pointers rather
      than an array of structures. This is to ensure that the information
      contained in the structures cannot get out of sync during a resize due to
      an accessor updating the value in the old structure after it has been
      copied but before the array pointer is updated. Since the structures
      themselves are no longer copied but only the pointers to them this case
      is mitigated.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=206443
      Link: https://lore.kernel.org/r/20200221053458.730016-4-tytso@mit.edu
      Signed-off-by: Suraj Jitindar Singh <surajjs@amazon.com>
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
    • Merge tag 'for-linus-5.6-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · 54dedb5b
      Linus Torvalds authored
      Pull xen fixes from Juergen Gross:
       "Two small fixes for Xen:
      
         - a fix to avoid warnings with new gcc
      
         - a fix for incorrectly disabled interrupts when calling
           _cond_resched()"
      
      * tag 'for-linus-5.6-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        xen: Enable interrupts when calling _cond_resched()
        x86/xen: Distribute switch variables for initialization
    • Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 63f01d85
      Linus Torvalds authored
      Pull arm64 fixes from Will Deacon:
       "It's all straightforward apart from the changes to mmap()/mremap() in
        relation to their handling of address arguments from userspace with
        non-zero tag bits in the upper byte.
      
        The change to brk() is necessary to fix a nasty user-visible
        regression in malloc(), but we tightened up mmap() and mremap() at the
        same time because they also allow the user to create virtual aliases
        by accident. It's much less likely than brk() to matter in practice,
        but enforcing the principle of "don't permit the creation of mappings
        using tagged addresses" leads to a straightforward ABI without having
        to worry about the "but what if a crazy program did foo?" aspect of
        things.
      
        Summary:
      
         - Fix regression in malloc() caused by ignored address tags in brk()
      
         - Add missing brackets around argument to untagged_addr() macro
      
         - Fix clang build when using binutils assembler
      
         - Fix silly typo in virtual memory map documentation"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        mm: Avoid creating virtual address aliases in brk()/mmap()/mremap()
        docs: arm64: fix trivial spelling enought to enough in memory.rst
        arm64: memory: Add missing brackets to untagged_addr() macro
        arm64: lse: Fix LSE atomics with LLVM
  5. 21 Feb, 2020 13 commits
    • Merge tag 'powerpc-5.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 28659362
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "Some more powerpc fixes for 5.6. This is two weeks worth as I was out
        sick last week:
      
         - Three fixes for the recently added VMAP_STACK on 32-bit.
      
         - Three fixes related to hugepages on 8xx (32-bit).
      
         - A fix for a bug in our transactional memory handling that could
           lead to a kernel crash if we saw a page fault during signal
           delivery.
      
         - A fix for a deadlock in our PCI EEH (Enhanced Error Handling) code.
      
         - A couple of other minor fixes.
      
        Thanks to: Christophe Leroy, Erhard F, Frederic Barrat, Gustavo Luiz
        Duarte, Larry Finger, Leonardo Bras, Oliver O'Halloran, Sam Bobroff"
      
      * tag 'powerpc-5.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/entry: Fix an #if which should be an #ifdef in entry_32.S
        powerpc/xmon: Fix whitespace handling in getstring()
        powerpc/6xx: Fix power_save_ppc32_restore() with CONFIG_VMAP_STACK
        powerpc/chrp: Fix enter_rtas() with CONFIG_VMAP_STACK
        powerpc/32s: Fix DSI and ISI exceptions for CONFIG_VMAP_STACK
        powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery
        powerpc/8xx: Fix clearing of bits 20-23 in ITLB miss
        powerpc/hugetlb: Fix 8M hugepages on 8xx
        powerpc/hugetlb: Fix 512k hugepages on 8xx with 16k page size
        powerpc/eeh: Fix deadlock handling dead PHB
    • Merge tag 'linux-watchdog-5.6-rc3' of git://www.linux-watchdog.org/linux-watchdog · 0c0ddd6a
      Linus Torvalds authored
      Pull watchdog fixes from Wim Van Sebroeck:
      
       - mtk_wdt needs RESET_CONTROLLER to build
      
       - da9062 driver fixes:
           - fix power management ops
           - do not ping the hw during stop()
           - add dependency on I2C
      
      * tag 'linux-watchdog-5.6-rc3' of git://www.linux-watchdog.org/linux-watchdog:
        watchdog: da9062: Add dependency on I2C
        watchdog: da9062: fix power management ops
        watchdog: da9062: do not ping the hw during stop()
        watchdog: fix mtk_wdt.c RESET_CONTROLLER build error
    • Merge tag 'char-misc-5.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · bb65619e
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are some small char/misc driver fixes for 5.6-rc3.
      
        Also included in here are some updates for some documentation files
        that I seem to be maintaining these days.
      
        The driver fixes are:
         - small fixes for the habanalabs driver
         - fsi driver bugfix
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'char-misc-5.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        Documentation/process: Swap out the ambassador for Canonical
        habanalabs: patched cb equals user cb in device memset
        habanalabs: do not halt CoreSight during hard reset
        habanalabs: halt the engines before hard-reset
        MAINTAINERS: remove unnecessary ':' characters
        fsi: aspeed: add unspecified HAS_IOMEM dependency
        COPYING: state that all contributions really are covered by this file
        Documentation/process: Change Microsoft contact for embargoed hardware issues
        embargoed-hardware-issues: drop Amazon contact as the email address now bounces
        Documentation/process: Add Arm contact for embargoed HW issues
    • Merge tag 'staging-5.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · e5553ac7
      Linus Torvalds authored
      Pull staging driver fixes from Greg KH:
       "Here are some small staging driver fixes for 5.6-rc3, along with the
        removal of an unused/unneeded driver as well.
      
        The android vsoc driver is not needed anymore by anyone, so it was
        removed.
      
        The other driver fixes are:
         - ashmem bugfixes
         - greybus audio driver bugfix
         - wireless driver bugfixes and tiny cleanups to error paths
      
        All of these have been in linux-next for a while now with no reported
        issues"
      
      * tag 'staging-5.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: rtl8723bs: Remove unneeded goto statements
        staging: rtl8188eu: Remove some unneeded goto statements
        staging: rtl8723bs: Fix potential overuse of kernel memory
        staging: rtl8188eu: Fix potential overuse of kernel memory
        staging: rtl8723bs: Fix potential security hole
        staging: rtl8188eu: Fix potential security hole
        staging: greybus: use after free in gb_audio_manager_remove_all()
        staging: android: Delete the 'vsoc' driver
        staging: rtl8723bs: fix copy of overlapping memory
        staging: android: ashmem: Disallow ashmem memory from being remapped
        staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi.
    • Merge tag 'tty-5.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · ef11f1b7
      Linus Torvalds authored
      Pull tty/serial driver fixes from Greg KH:
       "Here are a number of small tty and serial driver fixes for 5.6-rc3
        that resolve a bunch of reported issues.
      
        They are:
         - vt selection and ioctl fixes
         - serdev bugfix
         - atmel serial driver fixes
         - qcom serial driver fixes
         - other minor serial driver fixes
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'tty-5.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        vt: selection, close sel_buffer race
        vt: selection, handle pending signals in paste_selection
        serial: cpm_uart: call cpm_muram_init before registering console
        tty: serial: qcom_geni_serial: Fix RX cancel command failure
        serial: 8250: Check UPF_IRQ_SHARED in advance
        tty: serial: imx: setup the correct sg entry for tx dma
        vt: vt_ioctl: fix race in VT_RESIZEX
        vt: fix scrollback flushing on background consoles
        tty: serial: tegra: Handle RX transfer in PIO mode if DMA wasn't started
        tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode
        serdev: ttyport: restore client ops on deregistration
        serial: ar933x_uart: set UART_CS_{RX,TX}_READY_ORIDE
    • Merge tag 'usb-5.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · cee853e8
      Linus Torvalds authored
      Pull USB/Thunderbolt fixes from Greg KH:
       "Here are a number of small USB driver fixes for 5.6-rc3.
      
        Included in here are:
        - MAINTAINER file updates
        - USB gadget driver fixes
        - usb core quirk additions and fixes for regressions
        - xhci driver fixes
        - usb serial driver id additions and fixes
        - thunderbolt bugfix
      
        Thunderbolt patches come in through here now that USB4 is really
        thunderbolt.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'usb-5.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (34 commits)
        USB: misc: iowarrior: add support for the 100 device
        thunderbolt: Prevent crash if non-active NVMem file is read
        usb: gadget: udc-xilinx: Fix xudc_stop() kernel-doc format
        USB: misc: iowarrior: add support for the 28 and 28L devices
        USB: misc: iowarrior: add support for 2 OEMed devices
        USB: Fix novation SourceControl XL after suspend
        xhci: Fix memory leak when caching protocol extended capability PSI tables - take 2
        Revert "xhci: Fix memory leak when caching protocol extended capability PSI tables"
        MAINTAINERS: Sort entries in database for THUNDERBOLT
        usb: dwc3: debug: fix string position formatting mixup with ret and len
        usb: gadget: serial: fix Tx stall after buffer overflow
        usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags
        usb: dwc2: Fix SET/CLEAR_FEATURE and GET_STATUS flows
        usb: dwc2: Fix in ISOC request length checking
        usb: gadget: composite: Support more than 500mA MaxPower
        usb: gadget: composite: Fix bMaxPower for SuperSpeedPlus
        usb: gadget: u_audio: Fix high-speed max packet size
        usb: dwc3: gadget: Check for IOC/LST bit in TRB->ctrl fields
        USB: core: clean up endpoint-descriptor parsing
        USB: quirks: blacklist duplicate ep on Sound Devices USBPre2
        ...
    • Merge tag 'drm-fixes-2020-02-21' of git://anongit.freedesktop.org/drm/drm · 88f8bbfa
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Varied fixes for rc3.
      
        i915 is the largest, they are seeing some ACPI problems with their CI
        which hopefully get solved soon [1].
      
        msm has a bunch of fixes for new hw added in the merge, a bunch of
        amdgpu fixes, and nouveau adds support for some new firmwares for
        turing tu11x GPUs that were just released into linux-firmware by
        nvidia, they operate the same as the ones we already have for tu10x so
        should be fine to hook up.
      
        Otherwise it's just misc fixes for panfrost and sun4i.
      
        core:
         - Allow only one rotation argument, and allow zero rotation in video
           cmdline.
      
        i915:
       - Workaround missing Display Stream Compression (DSC) state readout
         by forcing modeset when it's enabled at probe
       - Fix EHL port clock voltage level requirements
       - Fix queuing retire workers on the virtual engine
       - Fix use of partially initialized waiters
       - Stop using drm_pci_alloc/drm_pci_free
         - Fix rewind of RING_TAIL by forcing a context reload
         - Fix locking on resetting ring->head
         - Propagate our bug filing URL change to stable kernels
      
        panfrost:
         - Small compiler warning fix for panfrost.
         - Fix when using performance counters in panfrost when using per fd
           address space.
      
        sun4xi:
         - Fix dt binding
      
        nouveau:
         - tu11x modesetting fix
         - ACR/GR firmware support for tu11x (fw is public now)
      
        msm:
         - fix UBWC on GPU and display side for sc7180
         - fix DSI suspend/resume issue encountered on sc7180
         - fix some breakage on so called "linux-android" devices
            (fallout from sc7180/a618 support, not seen earlier due to
             bootloader/firmware differences)
         - couple other misc fixes
      
        amdgpu:
         - HDCP fixes
         - xclk fix for raven
         - GFXOFF fixes"
      
      [1] The Intel suspend testing should now be fixed by commit 63fb9623
          ("ACPI: PM: s2idle: Check fixed wakeup events in acpi_s2idle_wake()")
      
      * tag 'drm-fixes-2020-02-21' of git://anongit.freedesktop.org/drm/drm: (39 commits)
        drm/amdgpu/display: clean up hdcp workqueue handling
        drm/amdgpu: add is_raven_kicker judgement for raven1
        drm/i915/gt: Avoid resetting ring->head outside of its timeline mutex
        drm/i915/execlists: Always force a context reload when rewinding RING_TAIL
        drm/i915: Wean off drm_pci_alloc/drm_pci_free
        drm/i915/gt: Protect defer_request() from new waiters
        drm/i915/gt: Prevent queuing retire workers on the virtual engine
        drm/i915/dsc: force full modeset whenever DSC is enabled at probe
        drm/i915/ehl: Update port clock voltage level requirements
        drm/i915: Update drm/i915 bug filing URL
        MAINTAINERS: Update drm/i915 bug filing URL
        drm/i915: Initialise basic fence before acquiring seqno
        drm/i915/gem: Require per-engine reset support for non-persistent contexts
        drm/nouveau/kms/gv100-: Re-set LUT after clearing for modesets
        drm/nouveau/gr/tu11x: initial support
        drm/nouveau/acr/tu11x: initial support
        drm/amdgpu/gfx10: disable gfxoff when reading rlc clock
        drm/amdgpu/gfx9: disable gfxoff when reading rlc clock
        drm/amdgpu/soc15: fix xclk for raven
        drm/amd/powerplay: always refetch the enabled features status on dpm enablement
        ...
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 3dc55dba
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Limit xt_hashlimit hash table size to avoid OOM or hung tasks, from
          Cong Wang.
      
       2) Fix deadlock in xsk by publishing global consumer pointers when NAPI
          is finished, from Magnus Karlsson.
      
       3) Set table field properly to RT_TABLE_COMPAT when necessary, from
          Jethro Beekman.
      
       4) NLA_STRING attributes are not necessarily NULL terminated, deal with
          that in IFLA_ALT_IFNAME. From Eric Dumazet.
      
       5) Fix checksum handling in atlantic driver, from Dmitry Bezrukov.
      
       6) Handle mtu==0 devices properly in wireguard, from Jason A.
          Donenfeld.
      
       7) Fix several lockdep warnings in bonding, from Taehee Yoo.
      
       8) Fix cls_flower port blocking, from Jason Baron.
      
       9) Sanitize internal map names in libbpf, from Toke Høiland-Jørgensen.
      
      10) Fix RDMA race in qede driver, from Michal Kalderon.
      
      11) Fix several false lockdep warnings by adding conditions to
          list_for_each_entry_rcu(), from Madhuparna Bhowmik.
      
      12) Fix sleep in atomic in mlx5 driver, from Huy Nguyen.
      
      13) Fix potential deadlock in bpf_map_do_batch(), from Yonghong Song.
      
      14) Hey, variables declared in switch statement before any case
          statements are not initialized. I learn something every day. Get
          rid of this stuff in several parts of the networking, from Kees
          Cook.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (99 commits)
        bnxt_en: Issue PCIe FLR in kdump kernel to cleanup pending DMAs.
        bnxt_en: Improve device shutdown method.
        net: netlink: cap max groups which will be considered in netlink_bind()
        net: thunderx: workaround BGX TX Underflow issue
        ionic: fix fw_status read
        net: disable BRIDGE_NETFILTER by default
        net: macb: Properly handle phylink on at91rm9200
        s390/qeth: fix off-by-one in RX copybreak check
        s390/qeth: don't warn for napi with 0 budget
        s390/qeth: vnicc Fix EOPNOTSUPP precedence
        openvswitch: Distribute switch variables for initialization
        net: ip6_gre: Distribute switch variables for initialization
        net: core: Distribute switch variables for initialization
        udp: rehash on disconnect
        net/tls: Fix to avoid gettig invalid tls record
        bpf: Fix a potential deadlock with bpf_map_do_batch
        bpf: Do not grab the bucket spinlock by default on htab batch ops
        ice: Wait for VF to be reset/ready before configuration
        ice: Don't tell the OS that link is going down
        ice: Don't reject odd values of usecs set by user
        ...
    • Merge branch 'akpm' (patches from Andrew) · b0dd1eb2
      Linus Torvalds authored
      Merge misc fixes from Andrew Morton:
      
       - A few y2038 fixes which missed the merge window while dependencies
         in NFS were being sorted out.
      
       - A bunch of fixes. Some minor, some not.
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        MAINTAINERS: use tabs for SAFESETID
        lib/stackdepot.c: fix global out-of-bounds in stack_slabs
        mm/sparsemem: pfn_to_page is not valid yet on SPARSEMEM
        mm/vmscan.c: don't round up scan size for online memory cgroup
        lib/string.c: update match_string() doc-strings with correct behavior
        mm/memcontrol.c: lost css_put in memcg_expand_shrinker_maps()
        mm/swapfile.c: fix a comment in sys_swapon()
        scripts/get_maintainer.pl: deprioritize old Fixes: addresses
        get_maintainer: remove uses of P: for maintainer name
        selftests/vm: add missed tests in run_vmtests
        include/uapi/linux/swab.h: fix userspace breakage, use __BITS_PER_LONG for swap
        Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()"
        y2038: hide timeval/timespec/itimerval/itimerspec types
        y2038: remove unused time32 interfaces
        y2038: remove ktime to/from timespec/timeval conversion
    • MAINTAINERS: use tabs for SAFESETID · bb8d00ff
      Randy Dunlap authored
      Use tabs for indentation instead of spaces for SAFESETID.  All (!) other
      entries in MAINTAINERS use tabs (according to my simple grepping).
      
      Link: http://lkml.kernel.org/r/2bb2e52a-2694-816d-57b4-6cabfadd6c1a@infradead.org
      Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
      Cc: Micah Morton <mortonm@chromium.org>
      Cc: James Morris <jmorris@namei.org>
      Cc: "Serge E. Hallyn" <serge@hallyn.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • lib/stackdepot.c: fix global out-of-bounds in stack_slabs · 305e519c
      Alexander Potapenko authored
      Walter Wu has reported a potential case in which init_stack_slab() is
      called after stack_slabs[STACK_ALLOC_MAX_SLABS - 1] has already been
      initialized.  In that case init_stack_slab() will overwrite
      stack_slabs[STACK_ALLOC_MAX_SLABS], which may result in a memory
      corruption.
      
      Link: http://lkml.kernel.org/r/20200218102950.260263-1-glider@google.com
      Fixes: cd11016e ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB")
      Signed-off-by: Alexander Potapenko <glider@google.com>
      Reported-by: Walter Wu <walter-zh.wu@mediatek.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Matthias Brugger <matthias.bgg@gmail.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Kate Stewart <kstewart@linuxfoundation.org>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • mm/sparsemem: pfn_to_page is not valid yet on SPARSEMEM · 18e19f19
      Wei Yang authored
      When we use SPARSEMEM instead of SPARSEMEM_VMEMMAP, pfn_to_page()
      doesn't work before sparse_init_one_section() is called.
      
      This leads to a crash when hotplugging memory:
      
          BUG: unable to handle page fault for address: 0000000006400000
          #PF: supervisor write access in kernel mode
          #PF: error_code(0x0002) - not-present page
          PGD 0 P4D 0
          Oops: 0002 [#1] SMP PTI
          CPU: 3 PID: 221 Comm: kworker/u16:1 Tainted: G        W         5.5.0-next-20200205+ #343
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
          Workqueue: kacpi_hotplug acpi_hotplug_work_fn
          RIP: 0010:__memset+0x24/0x30
          Code: cc cc cc cc cc cc 0f 1f 44 00 00 49 89 f9 48 89 d1 83 e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 f3
          RSP: 0018:ffffb43ac0373c80 EFLAGS: 00010a87
          RAX: ffffffffffffffff RBX: ffff8a1518800000 RCX: 0000000000050000
          RDX: 0000000000000000 RSI: 00000000000000ff RDI: 0000000006400000
          RBP: 0000000000140000 R08: 0000000000100000 R09: 0000000006400000
          R10: 0000000000000000 R11: 0000000000000002 R12: 0000000000000000
          R13: 0000000000000028 R14: 0000000000000000 R15: ffff8a153ffd9280
          FS:  0000000000000000(0000) GS:ffff8a153ab00000(0000) knlGS:0000000000000000
          CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
          CR2: 0000000006400000 CR3: 0000000136fca000 CR4: 00000000000006e0
          DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
          DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
          Call Trace:
           sparse_add_section+0x1c9/0x26a
           __add_pages+0xbf/0x150
           add_pages+0x12/0x60
           add_memory_resource+0xc8/0x210
           __add_memory+0x62/0xb0
           acpi_memory_device_add+0x13f/0x300
           acpi_bus_attach+0xf6/0x200
           acpi_bus_scan+0x43/0x90
           acpi_device_hotplug+0x275/0x3d0
           acpi_hotplug_work_fn+0x1a/0x30
           process_one_work+0x1a7/0x370
           worker_thread+0x30/0x380
           kthread+0x112/0x130
           ret_from_fork+0x35/0x40
      
      We should use memmap as it did.
      
      On x86 the impact is limited to x86_32 builds, or x86_64 configurations
      that override the default setting for SPARSEMEM_VMEMMAP.
      
      Other memory hotplug archs (arm64, ia64, and ppc) also default to
      SPARSEMEM_VMEMMAP=y.
      
      [dan.j.williams@intel.com: changelog update]
      [rppt@linux.ibm.com: changelog update]
      Link: http://lkml.kernel.org/r/20200219030454.4844-1-bhe@redhat.com
      Fixes: ba72b4c8 ("mm/sparsemem: support sub-section hotplug")
      Signed-off-by: Wei Yang <richardw.yang@linux.intel.com>
      Signed-off-by: Baoquan He <bhe@redhat.com>
      Acked-by: David Hildenbrand <david@redhat.com>
      Reviewed-by: Baoquan He <bhe@redhat.com>
      Reviewed-by: Dan Williams <dan.j.williams@intel.com>
      Acked-by: Michal Hocko <mhocko@suse.com>
      Cc: Mike Rapoport <rppt@linux.ibm.com>
      Cc: Oscar Salvador <osalvador@suse.de>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      18e19f19
    • mm/vmscan.c: don't round up scan size for online memory cgroup · 76073c64
      Gavin Shan authored
      Commit 68600f62 ("mm: don't miss the last page because of round-off
      error") makes the scan size round up to @denominator regardless of the
      memory cgroup's state, online or offline.  This affects the overall
      reclaiming behavior: the corresponding LRU list is eligible for
      reclaiming only when its size logically right shifted by @sc->priority
      is bigger than zero in the former formula.
      
      For example, the inactive anonymous LRU list should have at least 0x4000
      pages to be eligible for reclaiming when we have 60/12 for
      swappiness/priority and without taking scan/rotation ratio into account.
      
      After the roundup is applied, the inactive anonymous LRU list becomes
      eligible for reclaiming when its size is bigger than or equal to 0x1000
      in the same condition.
      
          (0x4000 >> 12) * 60 / (60 + 140 + 1) = 1
          (((0x1000 >> 12) * 60) + 200) / (60 + 140 + 1) = 1
      
      aarch64 has 512MB huge page size when the base page size is 64KB.  The
      memory cgroup that has a huge page is always eligible for reclaiming in
      that case.
      
      The reclaiming is likely to stop after the huge page is reclaimed,
      meaning the further iteration on @sc->priority and the sibling and child
      memory cgroups will be skipped.  The overall behaviour has been changed.
      This fixes the issue by applying the roundup to offlined memory cgroups
      only, to give more preference to reclaim memory from offlined memory
      cgroup.  It sounds reasonable as that memory is unlikely to be used by
      anyone.
      
      The issue was found by starting up 8 VMs on an Ampere Mustang machine,
      which has 8 CPUs and 16 GB memory.  Each VM is given 2 vCPUs and
      2GB memory.  It took 264 seconds for all VMs to be completely up and
      784MB swap is consumed after that.  With this patch applied, it took 236
      seconds and 60MB swap to do the same thing.  So there is 10% performance
      improvement for my case.  Note that KSM is disabled while THP is enabled
      in the testing.
      
               total     used    free   shared  buff/cache   available
         Mem:  16196    10065    2049       16        4081        3749
         Swap:  8175      784    7391
               total     used    free   shared  buff/cache   available
         Mem:  16196    11324    3656       24        1215        2936
         Swap:  8175       60    8115
      
      Link: http://lkml.kernel.org/r/20200211024514.8730-1-gshan@redhat.com
      Fixes: 68600f62 ("mm: don't miss the last page because of round-off error")
      Signed-off-by: Gavin Shan <gshan@redhat.com>
      Acked-by: Roman Gushchin <guro@fb.com>
      Cc: <stable@vger.kernel.org>	[4.20+]
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      76073c64
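The eligibility arithmetic from the commit message for 76073c64 above, worked through as an added example; this is user-space C written for this page, not code from the kernel or from the commit. The function names are hypothetical, the scan/rotation ratio is ignored as in the message, and the 0x2000-page list models one 512MB huge page on 64KB base pages.

```c
#include <stdint.h>
#include <stdio.h>

#define START_PRIORITY 12   /* @sc->priority value used in the commit message */
#define FRACTION       60   /* swappiness 60, anon LRU */
#define DENOMINATOR    201  /* 60 + 140 + 1, as in the commit message */

/* Scan target for one LRU list: (size >> priority) * fraction / denominator,
 * rounded down (online cgroup after the fix) or up (behaviour being fixed,
 * kept only for offlined cgroups). */
static uint64_t scan_size(uint64_t lru_pages, int priority, int round_up)
{
    uint64_t scan = (lru_pages >> priority) * FRACTION;

    if (round_up)
        scan += DENOMINATOR - 1;
    return scan / DENOMINATOR;
}

/* Smallest list size, in pages, that gets a non-zero scan target. */
static uint64_t min_eligible_pages(int priority, int round_up)
{
    uint64_t pages = 1;

    while (scan_size(pages, priority, round_up) == 0)
        pages++;
    return pages;
}

/* First priority, counting down from START_PRIORITY, at which the list
 * is scanned at all; -1 if it never is. */
static int first_eligible_priority(uint64_t lru_pages, int round_up)
{
    for (int prio = START_PRIORITY; prio >= 0; prio--)
        if (scan_size(lru_pages, prio, round_up) > 0)
            return prio;
    return -1;
}

int main(void)
{
    const uint64_t huge_page = (512ULL << 20) / (64ULL << 10); /* 0x2000 pages */

    printf("threshold, round down: 0x%llx pages\n",
           (unsigned long long)min_eligible_pages(START_PRIORITY, 0));
    printf("threshold, round up:   0x%llx pages\n",
           (unsigned long long)min_eligible_pages(START_PRIORITY, 1));
    printf("one huge page scanned from priority %d (round up) vs %d (round down)\n",
           first_eligible_priority(huge_page, 1),
           first_eligible_priority(huge_page, 0));
    return 0;
}
```

With round-up, a cgroup holding a single huge page is already scanned on the first pass at priority 12; with round-down it is skipped until priority 11, which leaves the first pass to larger lists.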