2
0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-23 20:53:53 +08:00
Commit Graph

812451 Commits

Author SHA1 Message Date
Eric Biggers
a08bf91ce2 KEYS: allow reaching the keys quotas exactly
If the sysctl 'kernel.keys.maxkeys' is set to some number n, then
actually users can only add up to 'n - 1' keys.  Likewise for
'kernel.keys.maxbytes' and the root_* versions of these sysctls.  But
these sysctls are apparently supposed to be *maximums*, as per their
names and all documentation I could find -- the keyrings(7) man page,
Documentation/security/keys/core.rst, and all the mentions of EDQUOT
meaning that the key quota was *exceeded* (as opposed to reached).

Thus, fix the code to allow reaching the quotas exactly.

Fixes: 0b77f5bfb4 ("keys: make the keyring quotas controllable through /proc/sys")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
2019-02-15 14:12:08 -08:00
Linus Torvalds
5ded587103 SCSI fixes on 20190215
Two fairly small fixes: the qla one is a panic inducing use after free
 and the entropy fix may seem minor but it has had huge userspace
 impact thanks to an unrelated change in openssl that causes sshd to
 refuse logins until it has enough entropy for the session keys, which
 causes tens of minutes delay before the affected systems allow logins
 after reboot.
 
 Signed-off-by: James E.J. Bottomley <jejb@linux.ibm.com>
 -----BEGIN PGP SIGNATURE-----
 
 iJwEABMIAEQWIQTnYEDbdso9F2cI+arnQslM7pishQUCXGb2iiYcamFtZXMuYm90
 dG9tbGV5QGhhbnNlbnBhcnRuZXJzaGlwLmNvbQAKCRDnQslM7pishfPmAQD/eR6G
 RkGbnLfXMcP5EfAnEJAYoD8SJsR7UAAV7tdaWwEAihagqOiFmzbDKlceahaZFl27
 mizmOjw4EnpIDG2W3Qw=
 =BGnV
 -----END PGP SIGNATURE-----

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
 "Two fairly small fixes: the qla one is a panic inducing use after free
  and the entropy fix may seem minor but it has had huge userspace
  impact thanks to an unrelated change in openssl that causes sshd to
  refuse logins until it has enough entropy for the session keys, which
  causes tens of minutes delay before the affected systems allow logins
  after reboot"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  scsi: qla2xxx: Fix panic from use after free in qla2x00_async_tm_cmd
  scsi: sd: fix entropy gathering for most rotational disks
2019-02-15 13:36:43 -08:00
Scott Mayhew
e7afe6c1d4 sunrpc: fix 4 more call sites that were using stack memory with a scatterlist
While trying to reproduce a reported kernel panic on arm64, I discovered
that AUTH_GSS basically doesn't work at all with older enctypes on arm64
systems with CONFIG_VMAP_STACK enabled.  It turns out there still a few
places using stack memory with scatterlists, causing krb5_encrypt() and
krb5_decrypt() to produce incorrect results (or a BUG if CONFIG_DEBUG_SG
is enabled).

Tested with cthon on v4.0/v4.1/v4.2 with krb5/krb5i/krb5p using
des3-cbc-sha1 and arcfour-hmac-md5.

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2019-02-15 14:56:51 -05:00
Arnd Bergmann
410d736054 Fix omap4 and later lost cpu1 interrupts for periodic timer
A fix from Russell that took a while to get applied into fixes as
 I thought Russell is merging this one.
 -----BEGIN PGP SIGNATURE-----
 
 iQJFBAABCAAvFiEEkgNvrZJU/QSQYIcQG9Q+yVyrpXMFAlxdqikRHHRvbnlAYXRv
 bWlkZS5jb20ACgkQG9Q+yVyrpXNnUhAAiroTD0SiwEj5CJU4YmECuBrk9vLonbM8
 8AF4RLtXb2hRIWV/uUEyRMctaHcPlMD2JFp96pie/cJng/6Ba8KlW1u780QZokOt
 iMTQ7CgWooqkFRF5xcOYsoY/MTivTUnZTR7jpWIIOtMKBul6xureqvwx7spBsERu
 PICl7oTep109jPB2gF4omcw4oS2iuSTo2M+q068Ut62OhBHdUowu3pE8z7bBPmbq
 9vGYs+vTPvwC7r61hIYr+ROdjjvegA01caC1r+pG6bm0t0L56/hpjO2x1uZaYcVF
 n63K56Jd1/eeZJ+9qupwekMPWd5JnQhVspNu8Jb3XcgAhGZE62eC4gTCj8yRMCC+
 ThDZ2GIjHqL8lzz2EWLeXq0Xy0HLbNOPkNTZoK2Gej2lRy67gvAH1lQy+T3kKzQU
 39dzC6kyMOhNM3i/rnBBqEHL4KyWvwZV2vsZtMbF2Kz5pJ1Sbttr0LrqrO/+ANJo
 VUQAo9rscjU0OExX9DUtu/M6WHH5UrpglEZVn29MBmQU5R7qJ+dZH9ADmchWn3Rb
 G42JUZMCja0BWsmlHJ5KCiUU6AHDecxNPVe13IT36WnGoU/Z1tSuSbhkZz3Inltu
 9d+fqeZ2Um4difa3QEq1j/2n+mMrQZfvAO1govNHxsDkEKvYOs52WNCR1kpRT+3w
 2RZtP9QxzT0=
 =0LSw
 -----END PGP SIGNATURE-----

Merge tag 'omap-for-v5.0/fixes-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into arm/fixes

Fix omap4 and later lost cpu1 interrupts for periodic timer

A fix from Russell that took a while to get applied into fixes as
I thought Russell is merging this one.

* tag 'omap-for-v5.0/fixes-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap:
  ARM: OMAP2+: fix lack of timer interrupts on CPU1 after hotplug
2019-02-15 20:39:46 +01:00
Miguel Ojeda
a6e60d8498 include/linux/module.h: copy __init/__exit attrs to init/cleanup_module
The upcoming GCC 9 release extends the -Wmissing-attributes warnings
(enabled by -Wall) to C and aliases: it warns when particular function
attributes are missing in the aliases but not in their target.

In particular, it triggers for all the init/cleanup_module
aliases in the kernel (defined by the module_init/exit macros),
ending up being very noisy.

These aliases point to the __init/__exit functions of a module,
which are defined as __cold (among other attributes). However,
the aliases themselves do not have the __cold attribute.

Since the compiler behaves differently when compiling a __cold
function as well as when compiling paths leading to calls
to __cold functions, the warning is trying to point out
the possibly-forgotten attribute in the alias.

In order to keep the warning enabled, we decided to silence
this case. Ideally, we would mark the aliases directly
as __init/__exit. However, there are currently around 132 modules
in the kernel which are missing __init/__exit in their init/cleanup
functions (either because they are missing, or for other reasons,
e.g. the functions being called from somewhere else); and
a section mismatch is a hard error.

A conservative alternative was to mark the aliases as __cold only.
However, since we would like to eventually enforce __init/__exit
to be always marked,  we chose to use the new __copy function
attribute (introduced by GCC 9 as well to deal with this).
With it, we copy the attributes used by the target functions
into the aliases. This way, functions that were not marked
as __init/__exit won't have their aliases marked either,
and therefore there won't be a section mismatch.

Note that the warning would go away marking either the extern
declaration, the definition, or both. However, we only mark
the definition of the alias, since we do not want callers
(which only see the declaration) to be compiled as if the function
was __cold (and therefore the paths leading to those calls
would be assumed to be unlikely).

Link: https://lore.kernel.org/lkml/20190123173707.GA16603@gmail.com/
Link: https://lore.kernel.org/lkml/20190206175627.GA20399@gmail.com/
Suggested-by: Martin Sebor <msebor@gcc.gnu.org>
Acked-by: Jessica Yu <jeyu@kernel.org>
Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
2019-02-15 19:52:56 +01:00
Miguel Ojeda
c0d9782f5b Compiler Attributes: add support for __copy (gcc >= 9)
From the GCC manual:

  copy
  copy(function)

    The copy attribute applies the set of attributes with which function
    has been declared to the declaration of the function to which
    the attribute is applied. The attribute is designed for libraries
    that define aliases or function resolvers that are expected
    to specify the same set of attributes as their targets. The copy
    attribute can be used with functions, variables, or types. However,
    the kind of symbol to which the attribute is applied (either
    function or variable) must match the kind of symbol to which
    the argument refers. The copy attribute copies only syntactic and
    semantic attributes but not attributes that affect a symbol’s
    linkage or visibility such as alias, visibility, or weak.
    The deprecated attribute is also not copied.

  https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html

The upcoming GCC 9 release extends the -Wmissing-attributes warnings
(enabled by -Wall) to C and aliases: it warns when particular function
attributes are missing in the aliases but not in their target, e.g.:

    void __cold f(void) {}
    void __alias("f") g(void);

diagnoses:

    warning: 'g' specifies less restrictive attribute than
    its target 'f': 'cold' [-Wmissing-attributes]

Using __copy(f) we can copy the __cold attribute from f to g:

    void __cold f(void) {}
    void __copy(f) __alias("f") g(void);

This attribute is most useful to deal with situations where an alias
is declared but we don't know the exact attributes the target has.

For instance, in the kernel, the widely used module_init/exit macros
define the init/cleanup_module aliases, but those cannot be marked
always as __init/__exit since some modules do not have their
functions marked as such.

Suggested-by: Martin Sebor <msebor@gcc.gnu.org>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
2019-02-15 19:52:17 +01:00
Miguel Ojeda
ff98e20ef2 lib/crc32.c: mark crc32_le_base/__crc32c_le_base aliases as __pure
The upcoming GCC 9 release extends the -Wmissing-attributes warnings
(enabled by -Wall) to C and aliases: it warns when particular function
attributes are missing in the aliases but not in their target.

In particular, it triggers here because crc32_le_base/__crc32c_le_base
aren't __pure while their target crc32_le/__crc32c_le are.

These aliases are used by architectures as a fallback in accelerated
versions of CRC32. See commit 9784d82db3 ("lib/crc32: make core crc32()
routines weak so they can be overridden").

Therefore, being fallbacks, it is likely that even if the aliases
were called from C, there wouldn't be any optimizations possible.
Currently, the only user is arm64, which calls this from asm.

Still, marking the aliases as __pure makes sense and is a good idea
for documentation purposes and possible future optimizations,
which also silences the warning.

Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
2019-02-15 19:50:07 +01:00
Miguel Ojeda
69ef9bc547 auxdisplay: ht16k33: fix potential user-after-free on module unload
On module unload/remove, we need to ensure that work does not run
after we have freed resources. Concretely, cancel_delayed_work()
may return while the callback function is still running.

From kernel/workqueue.c:

    The work callback function may still be running on return,
    unless it returns true and the work doesn't re-arm itself.
    Explicitly flush or use cancel_delayed_work_sync() to wait on it.

Link: https://lore.kernel.org/lkml/20190204220952.30761-1-TheSven73@googlemail.com/
Reported-by: Sven Van Asbroeck <thesven73@gmail.com>
Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Reviewed-by: Sven Van Asbroeck <TheSven73@gmail.com>
Acked-by: Robin van der Gracht <robin@protonic.nl>
Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
2019-02-15 19:48:39 +01:00
Quentin Perret
9e7382153f tracing: Fix number of entries in trace header
The following commit

  441dae8f2f ("tracing: Add support for display of tgid in trace output")

removed the call to print_event_info() from print_func_help_header_irq()
which results in the ftrace header not reporting the number of entries
written in the buffer. As this wasn't the original intent of the patch,
re-introduce the call to print_event_info() to restore the orginal
behaviour.

Link: http://lkml.kernel.org/r/20190214152950.4179-1-quentin.perret@arm.com

Acked-by: Joel Fernandes <joelaf@google.com>
Cc: stable@vger.kernel.org
Fixes: 441dae8f2f ("tracing: Add support for display of tgid in trace output")
Signed-off-by: Quentin Perret <quentin.perret@arm.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
2019-02-15 12:42:26 -05:00
Changbin Du
2c4f1fcbef kprobe: Do not use uaccess functions to access kernel memory that can fault
The userspace can ask kprobe to intercept strings at any memory address,
including invalid kernel address. In this case, fetch_store_strlen()
would crash since it uses general usercopy function, and user access
functions are no longer allowed to access kernel memory.

For example, we can crash the kernel by doing something as below:

$ sudo kprobe 'p:do_sys_open +0(+0(%si)):string'

[  103.620391] BUG: GPF in non-whitelisted uaccess (non-canonical address?)
[  103.622104] general protection fault: 0000 [#1] SMP PTI
[  103.623424] CPU: 10 PID: 1046 Comm: cat Not tainted 5.0.0-rc3-00130-gd73aba1-dirty #96
[  103.625321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-2-g628b2e6-dirty-20190104_103505-linux 04/01/2014
[  103.628284] RIP: 0010:process_fetch_insn+0x1ab/0x4b0
[  103.629518] Code: 10 83 80 28 2e 00 00 01 31 d2 31 ff 48 8b 74 24 28 eb 0c 81 fa ff 0f 00 00 7f 1c 85 c0 75 18 66 66 90 0f ae e8 48 63
 ca 89 f8 <8a> 0c 31 66 66 90 83 c2 01 84 c9 75 dc 89 54 24 34 89 44 24 28 48
[  103.634032] RSP: 0018:ffff88845eb37ce0 EFLAGS: 00010246
[  103.635312] RAX: 0000000000000000 RBX: ffff888456c4e5a8 RCX: 0000000000000000
[  103.637057] RDX: 0000000000000000 RSI: 2e646c2f6374652f RDI: 0000000000000000
[  103.638795] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  103.640556] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
[  103.642297] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  103.644040] FS:  0000000000000000(0000) GS:ffff88846f000000(0000) knlGS:0000000000000000
[  103.646019] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  103.647436] CR2: 00007ffc79758038 CR3: 0000000463360006 CR4: 0000000000020ee0
[  103.649147] Call Trace:
[  103.649781]  ? sched_clock_cpu+0xc/0xa0
[  103.650747]  ? do_sys_open+0x5/0x220
[  103.651635]  kprobe_trace_func+0x303/0x380
[  103.652645]  ? do_sys_open+0x5/0x220
[  103.653528]  kprobe_dispatcher+0x45/0x50
[  103.654682]  ? do_sys_open+0x1/0x220
[  103.655875]  kprobe_ftrace_handler+0x90/0xf0
[  103.657282]  ftrace_ops_assist_func+0x54/0xf0
[  103.658564]  ? __call_rcu+0x1dc/0x280
[  103.659482]  0xffffffffc00000bf
[  103.660384]  ? __ia32_sys_open+0x20/0x20
[  103.661682]  ? do_sys_open+0x1/0x220
[  103.662863]  do_sys_open+0x5/0x220
[  103.663988]  do_syscall_64+0x60/0x210
[  103.665201]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  103.666862] RIP: 0033:0x7fc22fadccdd
[  103.668034] Code: 48 89 54 24 e0 41 83 e2 40 75 32 89 f0 25 00 00 41 00 3d 00 00 41 00 74 24 89 f2 b8 01 01 00 00 48 89 fe bf 9c ff ff
 ff 0f 05 <48> 3d 00 f0 ff ff 77 33 f3 c3 66 0f 1f 84 00 00 00 00 00 48 8d 44
[  103.674029] RSP: 002b:00007ffc7972c3a8 EFLAGS: 00000287 ORIG_RAX: 0000000000000101
[  103.676512] RAX: ffffffffffffffda RBX: 0000562f86147a21 RCX: 00007fc22fadccdd
[  103.678853] RDX: 0000000000080000 RSI: 00007fc22fae1428 RDI: 00000000ffffff9c
[  103.681151] RBP: ffffffffffffffff R08: 0000000000000000 R09: 0000000000000000
[  103.683489] R10: 0000000000000000 R11: 0000000000000287 R12: 00007fc22fce90a8
[  103.685774] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
[  103.688056] Modules linked in:
[  103.689131] ---[ end trace 43792035c28984a1 ]---

This can be fixed by using probe_mem_read() instead, as it can handle faulting
kernel memory addresses, which kprobes can legitimately do.

Link: http://lkml.kernel.org/r/20190125151051.7381-1-changbin.du@gmail.com

Cc: stable@vger.kernel.org
Fixes: 9da3f2b740 ("x86/fault: BUG() when uaccess helpers fault on kernel addresses")
Signed-off-by: Changbin Du <changbin.du@gmail.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
2019-02-15 12:41:23 -05:00
Linus Torvalds
24f0a48743 for-linus-20190215
-----BEGIN PGP SIGNATURE-----
 
 iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAlxm7pAQHGF4Ym9lQGtl
 cm5lbC5kawAKCRD301j7KXHgpl6JEACM5qHp7HEf7muuLKDUoX16G2eDOjacVxbL
 q1kqyHNvrYD/aGo+8vcshCef6xno9fL1akIxTyaTcMwYJUk9JSMicsVimxC1OvI6
 a5ZiWItX2L8Nh/heJe+FtutWbrT+Nd+3Q8DqI+U0YkRnjnXaRVgLFtBmjLOxBrqJ
 Ps/VepB4GaxA0oWdPbhos/N3wa42uFy3ixdv3Kv6WmHdqraB9uagt8PwwUti3WzQ
 uxWL6J+JOBSDha8l3fp68Okib1bm/6Nmmc9l8Yz1eFwf+Y+gVgw7wPQxkUD/XaFW
 bDJGwp3NawK07EanIAIzfXUEGfLvgeRJBEP3OGwV/TAiHX5q9zQo/tbM6x8j4aT9
 zGlwU/EnwFixgbRW/hOT5Ox4usBlfB1j0ZiNmgUm8QphHrELFnc35Kd+PR/KONNX
 sI6ZiifEAMR+4S99kTZ5YjHUqcUVm9ndd8iQGW9mvM6vt3o1L6QKeOeEKBMlhMcx
 V+JtViC50ojidYc82kEtQFY9OKRkc5x3k1wBsH49LGMT+fvEwETallOXHTarQKrv
 QAZNN1NINkMmrL5bgBXFqf0qpOy4xHnhis5AilUHNZwa4G8iAe8oqz/2eUCydiV1
 Ogx20a8T1ifeSkI2NXrwnBjVzqnfiO9wOb9py98BiLR6k59x3GYtbCdGtpIXfSFv
 hG79KKoz3Q==
 =8mjO
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-20190215' of git://git.kernel.dk/linux-block

Pull block fixes from Jens Axboe:

 - Ensure we insert into the hctx dispatch list, if a request is marked
   as DONTPREP (Jianchao)

 - NVMe pull request, single missing unlock on error fix (Keith)

 - MD pull request, single fix for a potentially data corrupting issue
   (Nate)

 - Floppy check_events regression fix (Yufen)

* tag 'for-linus-20190215' of git://git.kernel.dk/linux-block:
  md/raid1: don't clear bitmap bits on interrupted recovery.
  floppy: check_events callback should not return a negative number
  nvme-pci: add missing unlock for reset error
  blk-mq: insert rq with DONTPREP to hctx dispatch list when requeue
2019-02-15 09:12:28 -08:00
Linus Torvalds
ae3fa8bd73 - Fix bug in DM crypt's sizing of its block integrity tag space,
resulting in less memory use when DM crypt layers on DM integrity.
 
 - Fix a long-standing DM thinp crash consistency bug that was due to
   improper handling of FUA.  This issue is specific to writes that
   fill an entire thinp block which needs to be allocated.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJcZjtbAAoJEMUj8QotnQNaTxMIANdjCyW0LlpNNuDX8hyVzXAc
 HNqyFxfNk7LD4ck5jn3HuQo5nCRvne+ltjol0vOqBokITXe1a9t+GB/fWSz0yZd9
 69NvwgLoaZZ0pcxeddvUQ2TAOBxCdP8O4JokQL5QgnCt4nvUOWbGQBlSQNBf/8KO
 9xa+0z36pMAC2dCnClKSQgwj+ZRZOBwOKSDVl7SiM7SvbNcirtBEgtvjr8gOrKvl
 SbLtoFwj8hwJFCpllwIE4ec+bHw9XsCeFEBwGiSnp6GF2sgfLbx0/EpHj09M18Vt
 QCXtYxcm8IMsh0w2y4YnmSWDk8yV7P/vVyoBmMjzv/gYx+6Eyxynk8pk32LNnEc=
 =jC/2
 -----END PGP SIGNATURE-----

Merge tag 'for-5.0/dm-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm

Pull device mapper fixes from Mike Snitzer:

 - Fix bug in DM crypt's sizing of its block integrity tag space,
   resulting in less memory use when DM crypt layers on DM integrity.

 - Fix a long-standing DM thinp crash consistency bug that was due to
   improper handling of FUA. This issue is specific to writes that fill
   an entire thinp block which needs to be allocated.

* tag 'for-5.0/dm-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
  dm thin: fix bug where bio that overwrites thin block ignores FUA
  dm crypt: don't overallocate the integrity tag space
2019-02-15 08:50:48 -08:00
Linus Torvalds
dfeae33798 MMC core:
- Fix deadlock bug for block I/O requests
 
 MMC host:
  - sunxi: Disable broken HS-DDR mode for H5 by default
  - sunxi: Avoid unsupported speed modes declared via DT
  - meson-gx: Restore interrupt name
 -----BEGIN PGP SIGNATURE-----
 
 iQJLBAABCgA1FiEEugLDXPmKSktSkQsV/iaEJXNYjCkFAlxmiakXHHVsZi5oYW5z
 c29uQGxpbmFyby5vcmcACgkQ/iaEJXNYjCmsMRAAlcMKQlZ9sjnMpmrUcAGC6i4G
 nL6bRBkTSgcXCK/23ipY02PTkJV1ZqYuoPprNYd9+z5SM9bWmlMQM2JQvX4A6C4b
 wV0V/9iSeQmCZgx58K+hFMWjn0Wjpnn+FKTgho8gr++G2klG2XklKDhjT3nZsxuN
 cZIJwF9TkqP2Ie4r2lwNjIWGu9tcGA9ubgjqv1LLcKzf9yYeXuEGH7ToR+U1DW3y
 dV8x3Sqw8aBrvVyv8vWtAlaUVzUqgMunTqxRSK4bpfddEvdbQ1VfyUKXX+GWJATX
 C72Hv729nEEqWrbFoxaBPEMU8mL5Z0FhzIYFDWj2SJkjXOB8lxuGvrwMHaNM/zb/
 haDcZCt/C/DF3c3uKWAjCP1I0MKRCiaYvfv+WDIhFZNTSfOeKM/QlzzBt/nqiGkZ
 spFk+S9VJzcXGaYkOZ5K/ULr4FBYv6TRUatEWe3WafZtAgkpUTeyEZC8LP4wr+0M
 U2d+qyqdsl6V+df82qx21uutmxDvSx/W/pCfuamQmPiRJQQ+H7c7Jq6wL3jPeich
 1Vh4dDCPtlcxhHhW5QE/tujNVJjixXkY9J3DupEJLhGjJ2RF6nhn+HvNH6D/tSNB
 77IHSswYWa1rDxM73AOnbCLkyHdp236gnwpiWcz0sd5o3kQvQmY4q/xy+Pt3HfRn
 J1ffQBvXbERCUulRtDU=
 =ipwm
 -----END PGP SIGNATURE-----

Merge tag 'mmc-v5.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc

Pull MMC fixes from Ulf Hansson:
 "A couple of MMC fixes intended for v5.0-rc7.

  MMC core:
   - Fix deadlock bug for block I/O requests

  MMC host:
   - sunxi: Disable broken HS-DDR mode for H5 by default
   - sunxi: Avoid unsupported speed modes declared via DT
   - meson-gx: Restore interrupt name"

* tag 'mmc-v5.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
  mmc: meson-gx: fix interrupt name
  mmc: block: handle complete_work on separate workqueue
  mmc: sunxi: Filter out unsupported modes declared in the device tree
  mmc: sunxi: Disable HS-DDR mode for H5 eMMC controller by default
2019-02-15 08:45:28 -08:00
Linus Torvalds
545aabcbdc drm core, i915, amd, imx, vkms fixes
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJcZi5LAAoJEAx081l5xIa+tSQQAKblf/Ca7QryDUbAN8JIxeJp
 NuJiNP4jvvZbCod/ISktU+0zY2uKnW09//ljkEdGVg+Ilww2HHm/drs1HRUMP6QP
 U6EKhoJQ99OfsBYy3J+PloBz9uS/ziGJB6YN0qcJkTZ1tvAenNqO88MWJittDZCu
 ao92sB0mwW3s+R/36OtCMce3LDGPuMst98z2+tN+C4JWZW4tktYyGo/fSsZ60Gry
 Hxo/X/K0F4qn5vPfPL41fH0DzXpKiuztp7WsK97YS3Wa2VeNynKaORdcWyBBQq/n
 t2NvLXyW58/wzHG0u1lbWEUEor2LJZ9Cd5aVl+i8e8giR2RogTEBVbqR+hXciTPe
 3lUfSXKwwus1tsiX8amcIVPIpIyZ5Hk5igfql/EHFki3zdbOESVgrFtzwas2oW6b
 GljURKcNe40ZK0btaogB8m1lZ1sN2poDgB3QYrIVFywzhv+Bm3TUexmWxbho/lYW
 jho3OkP3UlxHyN4TF0CjG2lEU+kCo8EPzkOoRCzjTo49DUorqjtAMcZrbFr3z5wK
 oq0m9G+itUqnKmsAA9ElHsGHK4pwRpA6hwFMnOZTWb6sVZGoT4fU6pAucZoZXE8j
 wlADT/HRZECes9PVqrxeqA4h8EVlira6fdV1S9YzuMHrMpwo335Suf8eghQpFkST
 oOXYb8/6GfKGyz3JDxb8
 =dYoy
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-2019-02-15-1' of git://anongit.freedesktop.org/drm/drm

Pull drm fixes from Dave Airlie:
 "Usual pull request, little larger than I'd like but nothing too
  strange in it. Willy found an bug in the lease ioctl calculations, but
  it's a drm master only ioctl which makes it harder to mess with.

 i915:
   - combo phy programming fix
   - opregion version check fix for VBT RVDA lookup
   - gem mmap ioctl race fix
   - fbdev hpd during suspend fix
   - array size bounds check fix in pmu

  amdgpu:
   - Vega20 psp fix
   - Add vrr range to debugfs for freesync debugging

  sched:
   - Scheduler race fix

  vkms:
   - license header fixups

  imx:
   - Fix CSI register offsets for i.MX51 and i.MX53.
   - Fix delayed page flip completion events on i.MX6QP due to
     unexpected behaviour of the PRE when issuing NOP buffer updates to
     the same buffer address.
   - Stop throwing errors for plane updates on disabled CRTCs when a
     userspace process is killed while a plane update is pending.
   - Add missing of_node_put cleanup in imx_ldb_bind"

* tag 'drm-fixes-2019-02-15-1' of git://anongit.freedesktop.org/drm/drm:
  drm: Use array_size() when creating lease
  drm/amdgpu/psp11: TA firmware is optional (v3)
  drm/i915/opregion: rvda is relative from opregion base in opregion 2.1+
  drm/i915/opregion: fix version check
  drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set
  drm/i915: Block fbdev HPD processing during suspend
  drm/i915/pmu: Fix enable count array size and bounds checking
  drm/i915/cnl: Fix CNL macros for Voltage Swing programming
  drm/i915/icl: combo port vswing programming changes per BSPEC
  drm/vkms: Fix license inconsistent
  drm/amd/display: Expose connector VRR range via debugfs
  drm/sched: Always trace the dependencies we wait on, to fix a race.
  gpu: ipu-v3: pre: don't trigger update if buffer address doesn't change
  gpu: ipu-v3: Fix CSI offsets for imx53
  drm/imx: imx-ldb: add missing of_node_puts
  gpu: ipu-v3: Fix i.MX51 CSI control registers offset
  drm/imx: ignore plane updates on disabled crtcs
2019-02-15 08:20:33 -08:00
Linus Torvalds
2aba322074 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Pull crypto fix from Herbert Xu:
 "This fixes a crash on resume in the ccree driver"

* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: ccree - fix resume race condition on init
2019-02-15 08:11:43 -08:00
Linus Torvalds
6e7bd3b549 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:

 1) Fix MAC address setting in mac80211 pmsr code, from Johannes Berg.

 2) Probe SFP modules after being attached, from Russell King.

 3) Byte ordering bug in SMC rx_curs_confirmed code, from Ursula Braun.

 4) Revert some r8169 changes that are causing regressions, from Heiner
    Kallweit.

 5) Fix spurious connection timeouts in netfilter nat code, from Florian
    Westphal.

 6) SKB leak in tipc, from Hoang Le.

 7) Short packet checkum issue in mlx4, similar to a previous mlx5
    change, from Saeed Mahameed. The issue is that whilst padding bytes
    are usually zero, it is not guarateed and the hardware doesn't take
    the padding bytes into consideration when generating the checksum.

 8) Fix various races in cls_tcindex, from Cong Wang.

 9) Need to set stream ext to NULL before freeing in SCTP code, from Xin
    Long.

10) Fix locking in phy_is_started, from Heiner Kallweit.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (54 commits)
  net: ethernet: freescale: set FEC ethtool regs version
  net: hns: Fix object reference leaks in hns_dsaf_roce_reset()
  mm: page_alloc: fix ref bias in page_frag_alloc() for 1-byte allocs
  net: phy: fix potential race in the phylib state machine
  net: phy: don't use locking in phy_is_started
  selftests: fix timestamping Makefile
  net: dsa: bcm_sf2: potential array overflow in bcm_sf2_sw_suspend()
  net: fix possible overflow in __sk_mem_raise_allocated()
  dsa: mv88e6xxx: Ensure all pending interrupts are handled prior to exit
  net: phy: fix interrupt handling in non-started states
  sctp: set stream ext to NULL after freeing it in sctp_stream_outq_migrate
  sctp: call gso_reset_checksum when computing checksum in sctp_gso_segment
  net/mlx5e: XDP, fix redirect resources availability check
  net/mlx5: Fix a compilation warning in events.c
  net/mlx5: No command allowed when command interface is not ready
  net/mlx5e: Fix NULL pointer derefernce in set channels error flow
  netfilter: nft_compat: use-after-free when deleting targets
  team: avoid complex list operations in team_nl_cmd_options_set()
  net_sched: fix two more memory leaks in cls_tcindex
  net_sched: fix a memory leak in cls_tcindex
  ...
2019-02-15 08:00:11 -08:00
Linus Torvalds
02d7504089 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
Pull signal fix from Eric Biederman:
 "Just a single patch that restores PTRACE_EVENT_EXIT functionality that
  was accidentally broken by last weeks fixes"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
  signal: Restore the stop PTRACE_EVENT_EXIT
2019-02-15 07:56:24 -08:00
Pablo Neira Ayuso
23b7ca4f74 netfilter: nf_tables: fix flush after rule deletion in the same batch
Flush after rule deletion bogusly hits -ENOENT. Skip rules that have
been already from nft_delrule_by_chain() which is always called from the
flush path.

Fixes: cf9dc09d09 ("netfilter: nf_tables: fix missing rules flushing per table")
Reported-by: Phil Sutter <phil@nwl.cc>
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2019-02-15 15:32:32 +01:00
Hedi Berriche
f331e766c4 x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls
Calls into UV firmware must be protected against concurrency, expose the
efi_runtime_lock to the UV platform, and use it to serialise UV BIOS
calls.

Signed-off-by: Hedi Berriche <hedi.berriche@hpe.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Russ Anderson <rja@hpe.com>
Reviewed-by: Dimitri Sivanich <sivanich@hpe.com>
Reviewed-by: Mike Travis <mike.travis@hpe.com>
Cc: Andy Shevchenko <andy@infradead.org>
Cc: Bhupesh Sharma <bhsharma@redhat.com>
Cc: Darren Hart <dvhart@infradead.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: linux-efi <linux-efi@vger.kernel.org>
Cc: platform-driver-x86@vger.kernel.org
Cc: stable@vger.kernel.org # v4.9+
Cc: Steve Wahl <steve.wahl@hpe.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86-ml <x86@kernel.org>
Link: https://lkml.kernel.org/r/20190213193413.25560-5-hedi.berriche@hpe.com
2019-02-15 15:19:56 +01:00
Arnd Bergmann
62a23bb006 i.MX fixes for 5.0, 3rd round:
It contains a fix for i.MX8MQ EVK board device tree, which makes the
 broken eMMC support work as expected.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJcVkZzAAoJEFBXWFqHsHzOjfwIALX4Sy/lU2X7M/ISKHwEIYP+
 aRQ8ymXjRldTmCQusQVez8wRnphVqFI0Iyk6ktt/xzktmCCrhPDoUSKJWpwOuXj7
 xTj5Rn13xNmanZ0Lox1d7w4dLEhWzYM+n2IAQT0UkcwQ6zhZQ+jx8dSbFVr15cd7
 grlv5/a98IU7RvpdZzzIJvfHhey4R0diZicE6Gwha94JDGZkeyovdJ+5LvCiU7QU
 lx632vsnIMWSlqNWmdKK8SvtduhRz099nhp+sZFrP/7CK8E+j1c6nV0rF2onUmkO
 kvRLpw/IbBheQb9lBmcTrlf6f6Om03juy0Q682bX78qcMLvIAMczNsJNpfrNl8o=
 =2/kD
 -----END PGP SIGNATURE-----

Merge tag 'imx-fixes-5.0-3' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into arm/fixes

i.MX fixes for 5.0, 3rd round:

It contains a fix for i.MX8MQ EVK board device tree, which makes the
broken eMMC support work as expected.

* tag 'imx-fixes-5.0-3' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux:
  arm64: dts: imx8mq: Fix boot from eMMC
2019-02-15 13:43:08 +01:00
Arnd Bergmann
d6780626db Fix for new dtc graph warnings and a regulator fix for rock64.
-----BEGIN PGP SIGNATURE-----
 
 iQFEBAABCAAuFiEE7v+35S2Q1vLNA3Lx86Z5yZzRHYEFAlxS/OQQHGhlaWtvQHNu
 dGVjaC5kZQAKCRDzpnnJnNEdgbjLB/0XJqH9MerWA/J+OalNANjsXQemt8Vum4OA
 4C5/ViMxMbzRQm+Sc2wCAzsq30Q6pqV74aTJYtUk6J2RalaiMCbkf8zRVZKzokbj
 MKUdMmHu96ZA5LEqEEHK/eMOP4j70xz5VOnTBHQ2R759DkrS2U7rHIwx9ZX8XO9V
 dI8rlHot9lgF1l8DDYLuPaLsILwHPhT/Y/wUv2Js5dZ5PFHS962I76sjYlngarT5
 rd49Gv8ZvNDx1wftL4JtVMy/xuMKFRHhcxpF8TrdSS648U9Rvf9l2vXR6PErHfZP
 poSG5jy1vn0aPmOEWjw1sDSXPcK7ImUNTM7k8ffTPecCmmC5gCIO
 =qf0D
 -----END PGP SIGNATURE-----

Merge tag 'v5.0-rockchip-dts64fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip into arm/fixes

Fix for new dtc graph warnings and a regulator fix for rock64.

* tag 'v5.0-rockchip-dts64fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip:
  arm64: dts: rockchip: enable usb-host regulators at boot on rk3328-rock64
  arm64: dts: rockchip: fix graph_port warning on rk3399 bob kevin and excavator
2019-02-15 13:41:45 +01:00
Arnd Bergmann
d50ce40a5a Drop one non-existent component from powerdomain list.
-----BEGIN PGP SIGNATURE-----
 
 iQFEBAABCAAuFiEE7v+35S2Q1vLNA3Lx86Z5yZzRHYEFAlxS/KYQHGhlaWtvQHNu
 dGVjaC5kZQAKCRDzpnnJnNEdgUdCB/9d8IN+iZUxo1TX5QS0ov+1FYhkly6FNEj2
 JGQYL5zCDGe5RvgfyqL3vi3kHFQoDIHjsRQBUl14/ryo+InIl8ZJWl38tFjHYmdw
 o883g3zyJLbwKrsE2RBtWtWsoK5TSwbV7xR3JO8tHWFV+mXDUUcFFXpR5VRjnQ9l
 XsjvvzznfQQLpUzJy5OAjTAhtvkXExM74h4MpwIXtyeqrWUI73a6uBUeY6Js43rZ
 zTfyv8Ikla3eP+fMQqf60CwKjxhQwyG7/7UxWp7iIatsUMeC5VLRCZuM7l109pH0
 hKQLWybzcReCPfTqQ2rAwAhBQmQIpEvdwhFk5WA1mmqMi/d/Zdoh
 =oEEi
 -----END PGP SIGNATURE-----

Merge tag 'v5.0-rockchip-dts32fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip into arm/fixes

Drop one non-existent component from powerdomain list.

* tag 'v5.0-rockchip-dts32fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip:
  ARM: dts: rockchip: remove qos_cif1 from rk3188 power-domain
2019-02-15 13:41:11 +01:00
Arnd Bergmann
2ed5c2e3f2 SoC fixes for omaps for v5.0-rc cycle
This series contains two SoC regression fixes and one uninitialized
 variable fix:
 
 - Fix inverted nirq pin handling for omap5 that started producing
   warnings with earlier GIC direction checks and took a while to
   understand and confirm. Basically there are two sys_nirq pins
   that are bypassing peripheral modules and inverted automatically
   by the SoC and need to be handled with a custom irq_set_type()
 
 - Recent ti-sysc changes caused a regression to the pwm-omap-dmtimer
   code where the device tree handling code for timer source clock
   gets confused. It looks like we can remove that code eventually,
   but for now we just drop a bogus pm_runtime_irq_safe() for the
   timers with the related quirks caused by pm_runtime_irq_safe(),
   and have the standard assigned-clocks and assigned-clock-parents
   deal with setting the source clock
 
 - Fix potentially uninitialized value for display init code if
   regmap_read() fails
 -----BEGIN PGP SIGNATURE-----
 
 iQJFBAABCAAvFiEEkgNvrZJU/QSQYIcQG9Q+yVyrpXMFAlxR8TERHHRvbnlAYXRv
 bWlkZS5jb20ACgkQG9Q+yVyrpXNhNQ/+JfJVPT4SyF0KQz8BJYYF2bVvJyFv0kBR
 XrGIi6KTdoiN9Bm3Trt1rM+YJpS2Ii2YAc2frGVE4qMHw6ZUZA1uDxDl6J6C04H+
 Eb7XrYnt0hqzuLfmx5ubX2eem92AgszWou85v8flwIk7dUJWtNkhUFTZtoDujLSM
 ZnBWcG+9MuSWGpcigu1O9Qt/ePwQerxAksE46fKlbjZrk03j/Eh3A3YCTInV7sgR
 Dl+jZhfva92GupcBzMsjWYaqLzdBG7Cq4pGfbhyTHdaapt26nK/osuNPh+zFgWZe
 ppKbyPcQQ9ph9qJWd6A/BN9uN3zQfBwwtjVWaGX0LqahsEcIQyjj6QSKMjbYdNOK
 fdXuL3Du6zMeQlez1mjS9xBU9s8B1N60F+vCVanDZW8ynkPZp7gBnG5vxC9ZEfR3
 ZVLzhWMwejmidnPi9Clm/OHiU7ExAKwS6ql7qnhZS/3l8sdzm6Rs9ZQ1UO7scdfc
 8MrB6wKNYQHPeoDLxmOa+DvSn64BPEboZtm2IoP+fvOvoJoffcM7FSxWTkkElrLO
 6jgtRRm6Raw4vJvWmSJVIH8lpzthnOmdhtf+Ni9ZKysAPmj2N2uROdcjlqgOBvCf
 xagW4iSUXMLNa2W1IgcTOxeAQs+ASVm3AvG02kx1ImMlnWrLJQO2yOW7DYdd6sCJ
 x23XUpsiFeA=
 =5oVS
 -----END PGP SIGNATURE-----

Merge tag 'omap-for-v5.0/fixes-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into fixes

SoC fixes for omaps for v5.0-rc cycle

This series contains two SoC regression fixes and one uninitialized
variable fix:

- Fix inverted nirq pin handling for omap5 that started producing
  warnings with earlier GIC direction checks and took a while to
  understand and confirm. Basically there are two sys_nirq pins
  that are bypassing peripheral modules and inverted automatically
  by the SoC and need to be handled with a custom irq_set_type()

- Recent ti-sysc changes caused a regression to the pwm-omap-dmtimer
  code where the device tree handling code for timer source clock
  gets confused. It looks like we can remove that code eventually,
  but for now we just drop a bogus pm_runtime_irq_safe() for the
  timers with the related quirks caused by pm_runtime_irq_safe(),
  and have the standard assigned-clocks and assigned-clock-parents
  deal with setting the source clock

- Fix potentially uninitialized value for display init code if
  regmap_read() fails

* tag 'omap-for-v5.0/fixes-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap:
  ARM: OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be uninitialized
  ARM: dts: Configure clock parent for pwm vibra
  bus: ti-sysc: Fix timer handling with drop pm_runtime_irq_safe()
  ARM: OMAP5+: Fix inverted nirq pin interrupts with irq_set_type
  clocksource: timer-ti-dm: Fix pwm dmtimer usage of fck reparenting
2019-02-15 13:38:20 +01:00
Rakesh Pillai
83e37e0bdd mac80211: Restore vif beacon interval if start ap fails
The starting of AP interface can fail due to invalid
beacon interval, which does not match the minimum gcd
requirement set by the wifi driver. In such case, the
beacon interval of that interface gets updated with
that invalid beacon interval.

The next time that interface is brought up in AP mode,
an interface combination check is performed and the
beacon interval is taken from the previously set value.

In a case where an invalid beacon interval, i.e. a beacon
interval value which does not satisfy the minimum gcd criteria
set by the driver, is set, all the subsequent trials to
bring that interface in AP mode will fail, even if the
subsequent trials have a valid beacon interval.

To avoid this, in case of a failure in bringing up an
interface in AP mode due to interface combination error,
the interface beacon interval which is stored in bss
conf, needs to be restored with the last working value
of beacon interval.

Tested on ath10k using WCN3990.

Cc: stable@vger.kernel.org
Fixes: 0c317a02ca ("cfg80211: support virtual interfaces with different beacon intervals")
Signed-off-by: Rakesh Pillai <pillair@codeaurora.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2019-02-15 13:30:24 +01:00
Herbert Xu
4ff3a9d14c mac80211: Free mpath object when rhashtable insertion fails
When rhashtable insertion fails the mesh table code doesn't free
the now-orphan mesh path object.  This patch fixes that.

Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2019-02-15 13:10:32 +01:00
Herbert Xu
b4c3fbe636 mac80211: Use linked list instead of rhashtable walk for mesh tables
The mesh table code walks over hash tables for two purposes.  First of
all it's used as part of a netlink dump process, but it is also used
for looking up entries to delete using criteria other than the hash
key.

The second purpose is directly contrary to the design specification
of rhashtable walks.  It is only meant for use by netlink dumps.

This is because rhashtable is resizable and you cannot obtain a
stable walk over it during a resize process.

In fact mesh's use of rhashtable for dumping is bogus too.  Rather
than using rhashtable walk's iterator to keep track of the current
position, it always converts the current position to an integer
which defeats the purpose of the iterator.

Therefore this patch converts all uses of rhashtable walk into a
simple linked list.

This patch also adds a new spin lock to protect the hash table
insertion/removal as well as the walk list modifications.  In fact
the previous code was buggy as the removals can race with each
other, potentially resulting in a double-free.

Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2019-02-15 13:10:10 +01:00
Paul Kocialkowski
f275a46594 i2c: bcm2835: Clear current buffer pointers and counts after a transfer
The driver's interrupt handler checks whether a message is currently
being handled with the curr_msg pointer. When it is NULL, the interrupt
is considered to be unexpected. Similarly, the i2c_start_transfer
routine checks for the remaining number of messages to handle in
num_msgs.

However, these values are never cleared and always keep the message and
number relevant to the latest transfer (which might be done already and
the underlying message memory might have been freed).

When an unexpected interrupt hits with the DONE bit set, the isr will
then try to access the flags field of the curr_msg structure, leading
to a fatal page fault.

The msg_buf and msg_buf_remaining fields are also never cleared at the
end of the transfer, which can lead to similar pitfalls.

Fix these issues by introducing a cleanup function and always calling
it after a transfer is finished.

Fixes: e247454103 ("i2c: bcm2835: Fix hang for writing messages larger than 16 bytes")
Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
Acked-by: Stefan Wahren <stefan.wahren@i2se.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
2019-02-15 09:45:05 +01:00
Shubhrajyoti Datta
d358def706 i2c: cadence: Fix the hold bit setting
In case the hold bit is not needed we are carrying the old values.
Fix the same by resetting the bit when not needed.

Fixes the sporadic i2c bus lockups on National Instruments
Zynq-based devices.

Fixes: df8eb5691c ("i2c: Add driver for Cadence I2C controller")
Reported-by: Kyle Roeschley <kyle.roeschley@ni.com>
Acked-by: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
Tested-by: Kyle Roeschley <kyle.roeschley@ni.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
2019-02-15 09:42:17 +01:00
Matthew Wilcox
69ef943dbc drm: Use array_size() when creating lease
Passing an object_count of sufficient size will make
object_count * 4 wrap around to be very small, then a later function
will happily iterate off the end of the object_ids array.  Using
array_size() will saturate at SIZE_MAX, the kmalloc() will fail and
we'll return an -ENOMEM to the norty userspace.

Fixes: 62884cd386 ("drm: Add four ioctls for managing drm mode object leases [v7]")
Signed-off-by: Matthew Wilcox <willy@infradead.org>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: <stable@vger.kernel.org> # v4.15+
Signed-off-by: Dave Airlie <airlied@redhat.com>
2019-02-15 13:08:08 +10:00
Dave Airlie
7abbb35ba9 Merge branch 'drm-fixes-5.0' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
amdgpu:
- Vega20 psp fix
- Add vrr range to debugfs for freesync debugging

sched:
- Scheduler race fix

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Alex Deucher <alexdeucher@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190213202958.3336-1-alexander.deucher@amd.com
2019-02-15 11:46:51 +10:00
Dave Airlie
5016bd2480 drm/i915 fixes for v5.0-rc7:
- combo phy programming fix
 - opregion version check fix for VBT RVDA lookup
 - gem mmap ioctl race fix
 - fbdev hpd during suspend fix
 - array size bounds check fix in pmu
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEFWWmW3ewYy4RJOWc05gHnSar7m8FAlxkELIACgkQ05gHnSar
 7m+4tA//W7PitAnfeSqnQN19dBkJ2kmxwfmoCFRRBne1998EOcx8PIoFtodi1ySF
 N2vy40gACINAcUssBqcXalBPQYmRhSvQzzMLl+y8jF7K1Xb4SnlGnKjkf2SbMSBM
 X/R1p3gTpjxRGE5KReUZtvuaSeJAvLm3Cc/Llj7Q5FoPUBTgTxg6ejjwN1SkvM4Y
 Hx8hX6cevNmk0+RRaet08nVTpG/3zHzqAp0mQs7HtJNDAxJWoF9FE9u9MkZbOI1g
 4ZPtecWB3gKu2lYVTCZ3HNZvsW42ZwgwfKWos8RwkG2Hp9L7Dq5xiNUcWA3fpK+1
 /DNj/taQx3a9fOqbakhuWB7refPRn2TMos+fKz0fnYK2nYNLLC7MMRQDO/dcLLTZ
 44Grdo7vx8sF7ZvNVV8tPTPvDeKQ6YiqPM+RMgY2fiNjxkIhAWR+UoXhZNfw1sT9
 3ECy6rGj2GZT8HfjKzkS7y/Ni8ReaQ79kkpMSqWMMNxhpjVwn/mYNplkXgTM1wD0
 HX/AYQTzbjI0mJc2YSyrI0r+lcaxz9NG4HuCo54ZFfTmTDpkeX+cWubjeE/i8Dh7
 g0P4nvzC2baQ9AWHEr3WGr6/8w00y2TIv7eyWIOi4IB5qRgv5vv5v4CPpbLGkB1l
 vrSqzpabIOtLLCIP78QFHQk+GvZxFiOtiohb3yIUIl0e4RDKH/Y=
 =i2Rn
 -----END PGP SIGNATURE-----

Merge tag 'drm-intel-fixes-2019-02-13' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes

drm/i915 fixes for v5.0-rc7:
- combo phy programming fix
- opregion version check fix for VBT RVDA lookup
- gem mmap ioctl race fix
- fbdev hpd during suspend fix
- array size bounds check fix in pmu

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Jani Nikula <jani.nikula@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/877ee3504b.fsf@intel.com
2019-02-15 11:24:26 +10:00
Dave Airlie
d586d571ca drm-misc-fixes for v5.0:
- Fix license inconsistency in vkms.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEuXvWqAysSYEJGuVH/lWMcqZwE8MFAlxj6uUACgkQ/lWMcqZw
 E8MBcg/9FUObSwF3X3Oo7hQfQoDDXS9SFsTUBb3VQ03GbHpgaME20FsOmhTy3IGj
 c12AE2rbLeYeg7yGlBxR9/eQd4JEJbOP7ZGRH9igJoHis8ZGikY9xFl3An8DEpt3
 /8SzubtIvEon07lPJ1SAoCjwDzBOi8YiYEW+ONXa3MZiVeF4otYSVQ72i7sylrV2
 urwFBNBOQBZnpRH7LzTtwcpONTRYgFwO6WYgrJwa1PbR15w6ThVlfoN8R8pElAAl
 JDpoiYaXQ6Ifz5Vc0VrO+P8sqQnSkVAYqIAgzOvnEVDmCFsCIy0uaYnWOJhVm4ew
 NMx9EMF5FE6RPTBKNcYOA2AjQPvs/conm7KDn7Jaz3XIHiceD1qmHb9V4/6OqcR1
 VWzVF6F81E5y6iNO+FlwHPqGl3ONQE5LUbK1nxhMAwE6G9J5N45z/VvEF4iSP0Ha
 Ede1uSWtEI0MUCu+IHILXBsfY+2KDMRpzHIoyh0Urd5WQGO/N8YR7c5aKetvE53n
 4H41ygCWRHuOBcsGy7CfICEbvP4jFU4vynf65PYrW1x9WGYrOJi7FucPPrjIyUSy
 Rr/IUKH9zvzoRMKP4AhU6aDvqvs90KtHZVrM9BAgSHL4OgUGYXdmUKGcRH8vNV8D
 rGWUJd+5Wq/hX4HxgFa4FU/y1llDOMkgK8ckF0juZoDbYe+JdV8=
 =jh43
 -----END PGP SIGNATURE-----

Merge tag 'drm-misc-fixes-2019-02-13' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes

drm-misc-fixes for v5.0:
- Fix license inconsistency in vkms.

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/812e2f53-d72a-8fba-6c8c-fde8f44cf141@linux.intel.com
2019-02-15 11:21:54 +10:00
Nikos Tsironis
4ae280b4ee dm thin: fix bug where bio that overwrites thin block ignores FUA
When provisioning a new data block for a virtual block, either because
the block was previously unallocated or because we are breaking sharing,
if the whole block of data is being overwritten the bio that triggered
the provisioning is issued immediately, skipping copying or zeroing of
the data block.

When this bio completes the new mapping is inserted in to the pool's
metadata by process_prepared_mapping(), where the bio completion is
signaled to the upper layers.

This completion is signaled without first committing the metadata.  If
the bio in question has the REQ_FUA flag set and the system crashes
right after its completion and before the next metadata commit, then the
write is lost despite the REQ_FUA flag requiring that I/O completion for
this request must only be signaled after the data has been committed to
non-volatile storage.

Fix this by deferring the completion of overwrite bios, with the REQ_FUA
flag set, until after the metadata has been committed.

Cc: stable@vger.kernel.org
Signed-off-by: Nikos Tsironis <ntsironis@arrikto.com>
Acked-by: Joe Thornber <ejt@redhat.com>
Acked-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
2019-02-14 19:02:29 -05:00
Linus Torvalds
cb5b020a8d Revert "exec: load_script: don't blindly truncate shebang string"
This reverts commit 8099b047ec.

It turns out that people do actually depend on the shebang string being
truncated, and on the fact that an interpreter (like perl) will often
just re-interpret it entirely to get the full argument list.

Reported-by: Samuel Dionne-Riel <samuel@dionne-riel.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-02-14 15:02:18 -08:00
Bob Peterson
23e93c9b2c Revert "gfs2: read journal in large chunks to locate the head"
This reverts commit 2a5f14f279.

This patch causes xfstests generic/311 to fail. Reverting this for
now until we have a proper fix.

Signed-off-by: Abhi Das <adas@redhat.com>
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-02-14 09:52:51 -08:00
Vivien Didelot
f9bcc9f3ee net: ethernet: freescale: set FEC ethtool regs version
Currently the ethtool_regs version is set to 0 for FEC devices.

Use this field to store the register dump version exposed by the
kernel. The choosen version 2 corresponds to the kernel compile test:

        #if defined(CONFIG_M523x) || defined(CONFIG_M527x)
        || defined(CONFIG_M528x) || defined(CONFIG_M520x)
        || defined(CONFIG_M532x) || defined(CONFIG_ARM)
        || defined(CONFIG_ARM64) || defined(CONFIG_COMPILE_TEST)

and version 1 corresponds to the opposite. Binaries of ethtool unaware
of this version will dump the whole set as usual.

Signed-off-by: Vivien Didelot <vivien.didelot@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-02-14 12:45:35 -05:00
J. Bruce Fields
3bf6b57ec2 Revert "nfsd4: return default lease period"
This reverts commit d6ebf5088f.

I forgot that the kernel's default lease period should never be
decreased!

After a kernel upgrade, the kernel has no way of knowing on its own what
the previous lease time was.  Unless userspace tells it otherwise, it
will assume the previous lease period was the same.

So if we decrease this value in a kernel upgrade, we end up enforcing a
grace period that's too short, and clients will fail to reclaim state in
time.  Symptoms may include EIO and log messages like "NFS:
nfs4_reclaim_open_state: Lock reclaim failed!"

There was no real justification for the lease period decrease anyway.

Reported-by: Donald Buczek <buczek@molgen.mpg.de>
Fixes: d6ebf5088f "nfsd4: return default lease period"
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2019-02-14 12:33:19 -05:00
Huang Zijiang
c969c6e7ab net: hns: Fix object reference leaks in hns_dsaf_roce_reset()
The of_find_device_by_node() takes a reference to the underlying device
structure, we should release that reference.

Signed-off-by: Huang Zijiang <huang.zijiang@zte.com.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-02-14 12:28:52 -05:00
Jann Horn
2c2ade8174 mm: page_alloc: fix ref bias in page_frag_alloc() for 1-byte allocs
The basic idea behind ->pagecnt_bias is: If we pre-allocate the maximum
number of references that we might need to create in the fastpath later,
the bump-allocation fastpath only has to modify the non-atomic bias value
that tracks the number of extra references we hold instead of the atomic
refcount. The maximum number of allocations we can serve (under the
assumption that no allocation is made with size 0) is nc->size, so that's
the bias used.

However, even when all memory in the allocation has been given away, a
reference to the page is still held; and in the `offset < 0` slowpath, the
page may be reused if everyone else has dropped their references.
This means that the necessary number of references is actually
`nc->size+1`.

Luckily, from a quick grep, it looks like the only path that can call
page_frag_alloc(fragsz=1) is TAP with the IFF_NAPI_FRAGS flag, which
requires CAP_NET_ADMIN in the init namespace and is only intended to be
used for kernel testing and fuzzing.

To test for this issue, put a `WARN_ON(page_ref_count(page) == 0)` in the
`offset < 0` path, below the virt_to_page() call, and then repeatedly call
writev() on a TAP device with IFF_TAP|IFF_NO_PI|IFF_NAPI_FRAGS|IFF_NAPI,
with a vector consisting of 15 elements containing 1 byte each.

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-02-14 12:12:17 -05:00
David S. Miller
61c4c0bcff Merge branch 'net-phy-fix-locking-issue'
Heiner Kallweit says:

====================
net: phy: fix locking issue

Russell pointed out that the locking used in phy_is_started() isn't
needed and misleading. This locking also contributes to a race fixed
with patch 2.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2019-02-14 12:04:55 -05:00
Heiner Kallweit
a200490717 net: phy: fix potential race in the phylib state machine
Russell reported the following race in the phylib state machine
(quoting from his mail):

if (phy_polling_mode(phydev) && phy_is_started(phydev))
	phy_queue_state_machine(phydev, PHY_STATE_TIME);

state = PHY_UP
thread 0			thread 1
				phy_disconnect()
				+-phy_is_started()
phy_is_started()                |
				`-phy_stop()
				  +-phydev->state = PHY_HALTED
				  `-phy_stop_machine()
				    `-cancel_delayed_work_sync()
phy_queue_state_machine()
`-mod_delayed_work()

At this point, the phydev->state_queue() has been added back onto the
system workqueue despite phy_stop_machine() having been called and
cancel_delayed_work_sync() called on it.

Fix this by protecting the complete operation in thread 0.

Fixes: 2b3e88ea65 ("net: phy: improve phy state checking")
Reported-by: Russell King - ARM Linux admin <linux@armlinux.org.uk>
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-02-14 12:04:55 -05:00
Heiner Kallweit
a2fc9d7e36 net: phy: don't use locking in phy_is_started
Russell suggested to remove the locking from phy_is_started() because
the read is atomic anyway and actually the locking may be more
misleading.

Fixes: 2b3e88ea65 ("net: phy: improve phy state checking")
Suggested-by: Russell King - ARM Linux admin <linux@armlinux.org.uk>
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-02-14 12:04:55 -05:00
Deepa Dinamani
39c1331962 selftests: fix timestamping Makefile
The clean target in the makefile conflicts with the generic
kselftests lib.mk, and fails to properly remove the compiled
test programs.

Remove the redundant rule, the TEST_GEN_FILES will be already
removed by the CLEAN macro in lib.mk.

Signed-off-by: Deepa Dinamani <deepa.kernel@gmail.com>
Acked-by: Shuah Khan <shuah@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-02-14 12:03:16 -05:00
Chuck Lever
2c94b8eca1 SUNRPC: Use au_rslack when computing reply buffer size
au_rslack is significantly smaller than (au_cslack << 2). Using
that value results in smaller receive buffers. In some cases this
eliminates an extra segment in Reply chunks (RPC/RDMA).

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
2019-02-14 11:58:44 -05:00
Chuck Lever
35e77d21ba SUNRPC: Add rpc_auth::au_ralign field
Currently rpc_inline_rcv_pages() uses au_rslack to estimate the
size of the upper layer reply header. This is fine for auth flavors
where au_verfsize == au_rslack.

However, some auth flavors have more going on. krb5i for example has
two more words after the verifier, and another blob following the
RPC message. The calculation involving au_rslack pushes the upper
layer reply header too far into the rcv_buf.

au_rslack is still valuable: it's the amount of buffer space needed
for the reply, and is used when allocating the reply buffer. We'll
keep that.

But, add a new field that can be used to properly estimate the
location of the upper layer header in each RPC reply, based on the
auth flavor in use.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
2019-02-14 11:48:36 -05:00
Chuck Lever
a00275baa6 SUNRPC: Make AUTH_SYS and AUTH_NULL set au_verfsize
au_verfsize will be needed for a non-flavor-specific computation
in a subsequent patch.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
2019-02-14 11:17:47 -05:00
Xiaoyao Li
98ae70cc47 kvm: vmx: Fix entry number check for add_atomic_switch_msr()
Commit ca83b4a7f2 ("x86/KVM/VMX: Add find_msr() helper function")
introduces the helper function find_msr(), which returns -ENOENT when
not find the msr in vmx->msr_autoload.guest/host. Correct checking contion
of no more available entry in vmx->msr_autoload.

Fixes: ca83b4a7f2 ("x86/KVM/VMX: Add find_msr() helper function")
Cc: stable@vger.kernel.org
Signed-off-by: Xiaoyao Li <xiaoyao.li@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-02-14 16:22:20 +01:00
Luwei Kang
c112b5f502 KVM: x86: Recompute PID.ON when clearing PID.SN
Some Posted-Interrupts from passthrough devices may be lost or
overwritten when the vCPU is in runnable state.

The SN (Suppress Notification) of PID (Posted Interrupt Descriptor) will
be set when the vCPU is preempted (vCPU in KVM_MP_STATE_RUNNABLE state but
not running on physical CPU). If a posted interrupt comes at this time,
the irq remapping facility will set the bit of PIR (Posted Interrupt
Requests) but not ON (Outstanding Notification).  Then, the interrupt
will not be seen by KVM, which always expects PID.ON=1 if PID.PIR=1
as documented in the Intel processor SDM but not in the VT-d specification.
To fix this, restore the invariant after PID.SN is cleared.

Signed-off-by: Luwei Kang <luwei.kang@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-02-14 16:20:31 +01:00
Chuck Lever
02ef04e432 NFS: Account for XDR pad of buf->pages
Certain NFS results (eg. READLINK) might expect a data payload that
is not an exact multiple of 4 bytes. In this case, XDR encoding
is required to pad that payload so its length on the wire is a
multiple of 4 bytes. The constants that define the maximum size of
each NFS result do not appear to account for this extra word.

In each case where the data payload is to be received into pages:

- 1 word is added to the size of the receive buffer allocated by
  call_allocate

- rpc_inline_rcv_pages subtracts 1 word from @hdrsize so that the
  extra buffer space falls into the rcv_buf's tail iovec

- If buf->pagelen is word-aligned, an XDR pad is not needed and
  is thus removed from the tail

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
2019-02-14 10:13:49 -05:00
Chuck Lever
cf500bac8f SUNRPC: Introduce rpc_prepare_reply_pages()
prepare_reply_buffer() and its NFSv4 equivalents expose the details
of the RPC header and the auth slack values to upper layer
consumers, creating a layering violation, and duplicating code.

Remedy these issues by adding a new RPC client API that hides those
details from upper layers in a common helper function.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
2019-02-14 10:04:37 -05:00