1. 18 Jan, 2020 16 commits
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 0cc2682d
      Linus Torvalds authored
      Pull x86 fixes from Ingo Molnar:
       "Misc fixes:
      
         - a resctrl fix for uninitialized objects found by debugobjects
      
         - a resctrl memory leak fix
      
         - fix the unintended re-enabling of the of SME and SEV CPU flags if
           memory encryption was disabled at bootup via the MSR space"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/CPU/AMD: Ensure clearing of SME/SEV features is maintained
        x86/resctrl: Fix potential memory leak
        x86/resctrl: Fix an imbalance in domain_remove_cpu()
      0cc2682d
    • Linus Torvalds's avatar
      Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 7ff15cd0
      Linus Torvalds authored
      Pull timer fixes from Ingo Molnar:
       "Three fixes: fix link failure on Alpha, fix a Sparse warning and
        annotate/robustify a lockless access in the NOHZ code"
      
      * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        tick/sched: Annotate lockless access to last_jiffies_update
        lib/vdso: Make __cvdso_clock_getres() static
        time/posix-stubs: Provide compat itimer supoprt for alpha
      7ff15cd0
    • Linus Torvalds's avatar
      Merge branch 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 9e79c523
      Linus Torvalds authored
      Pull cpu/SMT fix from Ingo Molnar:
       "Fix a build bug on CONFIG_HOTPLUG_SMT=y && !CONFIG_SYSFS kernels"
      
      * 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        cpu/SMT: Fix x86 link error without CONFIG_SYSFS
      9e79c523
    • Linus Torvalds's avatar
      Merge branch 'ras-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · a186c112
      Linus Torvalds authored
      Pull x86 RAS fix from Ingo Molnar:
       "Fix a thermal throttling race that can result in easy to trigger boot
        crashes on certain Ice Lake platforms"
      
      * 'ras-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/mce/therm_throt: Do not access uninitialized therm_work
      a186c112
    • Linus Torvalds's avatar
      Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · b07b9e8d
      Linus Torvalds authored
      Pull perf fixes from Ingo Molnar:
       "Tooling fixes, three Intel uncore driver fixes, plus an AUX events fix
        uncovered by the perf fuzzer"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/x86/intel/uncore: Remove PCIe3 unit for SNR
        perf/x86/intel/uncore: Fix missing marker for snr_uncore_imc_freerunning_events
        perf/x86/intel/uncore: Add PCI ID of IMC for Xeon E3 V5 Family
        perf: Correctly handle failed perf_get_aux_event()
        perf hists: Fix variable name's inconsistency in hists__for_each() macro
        perf map: Set kmap->kmaps backpointer for main kernel map chunks
        perf report: Fix incorrectly added dimensions as switch perf data file
        tools lib traceevent: Fix memory leakage in filter_event
      b07b9e8d
    • Linus Torvalds's avatar
      Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 124b5547
      Linus Torvalds authored
      Pull locking fixes from Ingo Molnar:
       "Three fixes:
      
          - Fix an rwsem spin-on-owner crash, introduced in v5.4
      
          - Fix a lockdep bug when running out of stack_trace entries,
            introduced in v5.4
      
          - Docbook fix"
      
      * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        locking/rwsem: Fix kernel crash when spinning on RWSEM_OWNER_UNKNOWN
        futex: Fix kernel-doc notation warning
        locking/lockdep: Fix buffer overrun problem in stack_trace[]
      124b5547
    • Linus Torvalds's avatar
      Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · a1c6f87e
      Linus Torvalds authored
      Pull irq fix from Ingo Molnar:
       "Fix a recent regression in the Ingenic SoCs irqchip driver that floods
        the syslog"
      
      * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        irqchip/ingenic: Get rid of the legacy IRQ domain
      a1c6f87e
    • Linus Torvalds's avatar
      Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · e2f73d1e
      Linus Torvalds authored
      Pull EFI fixes from Ingo Molnar:
       "Three EFI fixes:
      
         - Fix a slow-boot-scrolling regression but making sure we use WC for
           EFI earlycon framebuffer mappings on x86
      
         - Fix a mixed EFI mode boot crash
      
         - Disable paging explicitly before entering startup_32() in mixed
           mode bootup"
      
      * 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/efistub: Disable paging at mixed mode entry
        efi/libstub/random: Initialize pointer variables to zero for mixed mode
        efi/earlycon: Fix write-combine mapping on x86
      e2f73d1e
    • Linus Torvalds's avatar
      Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · ba0f4722
      Linus Torvalds authored
      Pull rseq fixes from Ingo Molnar:
       "Two rseq bugfixes:
      
         - CLONE_VM !CLONE_THREAD didn't work properly, the kernel would end
           up corrupting the TLS of the parent. Technically a change in the
           ABI but the previous behavior couldn't resonably have been relied
           on by applications so this looks like a valid exception to the ABI
           rule.
      
         - Make the RSEQ_FLAG_UNREGISTER ABI behavior consistent with the
           handling of other flags. This is not thought to impact any
           applications either"
      
      * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        rseq: Unregister rseq for clone CLONE_VM
        rseq: Reject unknown flags on rseq unregister
      ba0f4722
    • Linus Torvalds's avatar
      Merge tag 'for-linus-2020-01-18' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux · 8cac8990
      Linus Torvalds authored
      Pull thread fixes from Christian Brauner:
       "Here is an urgent fix for ptrace_may_access() permission checking.
      
        Commit 69f594a3 ("ptrace: do not audit capability check when
        outputing /proc/pid/stat") introduced the ability to opt out of audit
        messages for accesses to various proc files since they are not
        violations of policy.
      
        While doing so it switched the check from ns_capable() to
        has_ns_capability{_noaudit}(). That means it switched from checking
        the subjective credentials (ktask->cred) of the task to using the
        objective credentials (ktask->real_cred). This is appears to be wrong.
        ptrace_has_cap() is currently only used in ptrace_may_access() And is
        used to check whether the calling task (subject) has the
        CAP_SYS_PTRACE capability in the provided user namespace to operate on
        the target task (object). According to the cred.h comments this means
        the subjective credentials of the calling task need to be used.
      
        With this fix we switch ptrace_has_cap() to use security_capable() and
        thus back to using the subjective credentials.
      
        As one example where this might be particularly problematic, Jann
        pointed out that in combination with the upcoming IORING_OP_OPENAT{2}
        feature, this bug might allow unprivileged users to bypass the
        capability checks while asynchronously opening files like /proc/*/mem,
        because the capability checks for this would be performed against
        kernel credentials.
      
        To illustrate on the former point about this being exploitable: When
        io_uring creates a new context it records the subjective credentials
        of the caller. Later on, when it starts to do work it creates a kernel
        thread and registers a callback. The callback runs with kernel creds
        for ktask->real_cred and ktask->cred.
      
        To prevent this from becoming a full-blown 0-day io_uring will call
        override_cred() and override ktask->cred with the subjective
        credentials of the creator of the io_uring instance. With
        ptrace_has_cap() currently looking at ktask->real_cred this override
        will be ineffective and the caller will be able to open arbitray proc
        files as mentioned above.
      
        Luckily, this is currently not exploitable but would be so once
        IORING_OP_OPENAT{2} land in v5.6. Let's fix it now.
      
        To minimize potential regressions I successfully ran the criu
        testsuite. criu makes heavy use of ptrace() and extensively hits
        ptrace_may_access() codepaths and has a good change of detecting any
        regressions.
      
        Additionally, I succesfully ran the ptrace and seccomp kernel tests"
      
      * tag 'for-linus-2020-01-18' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux:
        ptrace: reintroduce usage of subjective credentials in ptrace_has_cap()
      8cac8990
    • Linus Torvalds's avatar
      Merge tag 's390-5.5-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 2324de6f
      Linus Torvalds authored
      Pull s390 fixes from Vasily Gorbik:
      
       - Fix printing misleading Secure-IPL enabled message when it is not.
      
       - Fix a race condition between host ap bus and guest ap bus doing
         device reset in crypto code.
      
       - Fix sanity check in CCA cipher key function (CCA AES cipher key
         support), which fails otherwise.
      
      * tag 's390-5.5-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/setup: Fix secure ipl message
        s390/zcrypt: move ap device reset from bus to driver code
        s390/zcrypt: Fix CCA cipher key gen with clear key value function
      2324de6f
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 8965de70
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Three fixes in drivers with no impact to core code.
      
        The mptfusion fix is enormous because the driver API had to be
        rethreaded to pass down the necessary iocp pointer, but once that's
        done a significant chunk of code is deleted.
      
        The other two patches are small"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: mptfusion: Fix double fetch bug in ioctl
        scsi: storvsc: Correctly set number of hardware queues for IDE disk
        scsi: fnic: fix invalid stack access
      8965de70
    • Linus Torvalds's avatar
      Merge tag 'char-misc-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · f04dba64
      Linus Torvalds authored
      Pull char/misc fixes from Greg KH:
       "Here are some small fixes for 5.5-rc7
      
        Included here are:
      
         -  two lkdtm fixes
      
         -  coresight build fix
      
         -  Documentation update for the hw process document
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'char-misc-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        Documentation/process: Add Amazon contact for embargoed hardware issues
        lkdtm/bugs: fix build error in lkdtm_UNSET_SMEP
        lkdtm/bugs: Make double-fault test always available
        coresight: etm4x: Fix unused function warning
      f04dba64
    • Linus Torvalds's avatar
      Merge tag 'staging-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · bf3f401d
      Linus Torvalds authored
      Pull staging and IIO driver fixes from Greg KH:
       "Here are some small staging and iio driver fixes for 5.5-rc7
      
        All of them are for some small reported issues. Nothing major, full
        details in the shortlog.
      
        All have been in linux-next with no reported issues"
      
      * tag 'staging-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: comedi: ni_routes: allow partial routing information
        staging: comedi: ni_routes: fix null dereference in ni_find_route_source()
        iio: light: vcnl4000: Fix scale for vcnl4040
        iio: buffer: align the size of scan bytes to size of the largest element
        iio: chemical: pms7003: fix unmet triggered buffer dependency
        iio: imu: st_lsm6dsx: Fix selection of ST_LSM6DS3_ID
        iio: adc: ad7124: Fix DT channel configuration
      bf3f401d
    • Linus Torvalds's avatar
      Merge tag 'usb-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · c5fd2c5b
      Linus Torvalds authored
      Pull USB driver fixes from Greg KH:
       "Here are some small USB driver and core fixes for 5.5-rc7
      
        There's one fix for hub wakeup issues and a number of small usb-serial
        driver fixes and device id updates.
      
        The hub fix has been in linux-next for a while with no reported
        issues, and the usb-serial ones have all passed 0-day with no
        problems"
      
      * tag 'usb-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        USB: serial: quatech2: handle unbound ports
        USB: serial: keyspan: handle unbound ports
        USB: serial: io_edgeport: add missing active-port sanity check
        USB: serial: io_edgeport: handle unbound ports on URB completion
        USB: serial: ch341: handle unbound port at reset_resume
        USB: serial: suppress driver bind attributes
        USB: serial: option: add support for Quectel RM500Q in QDL mode
        usb: core: hub: Improved device recognition on remote wakeup
        USB: serial: opticon: fix control-message timeouts
        USB: serial: option: Add support for Quectel RM500Q
        USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx
      c5fd2c5b
    • Christian Brauner's avatar
      ptrace: reintroduce usage of subjective credentials in ptrace_has_cap() · 6b3ad664
      Christian Brauner authored
      Commit 69f594a3 ("ptrace: do not audit capability check when outputing /proc/pid/stat")
      introduced the ability to opt out of audit messages for accesses to various
      proc files since they are not violations of policy.  While doing so it
      somehow switched the check from ns_capable() to
      has_ns_capability{_noaudit}(). That means it switched from checking the
      subjective credentials of the task to using the objective credentials. This
      is wrong since. ptrace_has_cap() is currently only used in
      ptrace_may_access() And is used to check whether the calling task (subject)
      has the CAP_SYS_PTRACE capability in the provided user namespace to operate
      on the target task (object). According to the cred.h comments this would
      mean the subjective credentials of the calling task need to be used.
      This switches ptrace_has_cap() to use security_capable(). Because we only
      call ptrace_has_cap() in ptrace_may_access() and in there we already have a
      stable reference to the calling task's creds under rcu_read_lock() there's
      no need to go through another series of dereferences and rcu locking done
      in ns_capable{_noaudit}().
      
      As one example where this might be particularly problematic, Jann pointed
      out that in combination with the upcoming IORING_OP_OPENAT feature, this
      bug might allow unprivileged users to bypass the capability checks while
      asynchronously opening files like /proc/*/mem, because the capability
      checks for this would be performed against kernel credentials.
      
      To illustrate on the former point about this being exploitable: When
      io_uring creates a new context it records the subjective credentials of the
      caller. Later on, when it starts to do work it creates a kernel thread and
      registers a callback. The callback runs with kernel creds for
      ktask->real_cred and ktask->cred. To prevent this from becoming a
      full-blown 0-day io_uring will call override_cred() and override
      ktask->cred with the subjective credentials of the creator of the io_uring
      instance. With ptrace_has_cap() currently looking at ktask->real_cred this
      override will be ineffective and the caller will be able to open arbitray
      proc files as mentioned above.
      Luckily, this is currently not exploitable but will turn into a 0-day once
      IORING_OP_OPENAT{2} land in v5.6. Fix it now!
      
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Eric Paris <eparis@redhat.com>
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Reviewed-by: default avatarSerge Hallyn <serge@hallyn.com>
      Reviewed-by: default avatarJann Horn <jannh@google.com>
      Fixes: 69f594a3 ("ptrace: do not audit capability check when outputing /proc/pid/stat")
      Signed-off-by: default avatarChristian Brauner <christian.brauner@ubuntu.com>
      6b3ad664
  2. 17 Jan, 2020 23 commits
    • Linus Torvalds's avatar
      Merge tag 'io_uring-5.5-2020-01-16' of git://git.kernel.dk/linux-block · 25e73aad
      Linus Torvalds authored
      Pull io_uring fixes form Jens Axboe:
      
       - Ensure ->result is always set when IO is retried (Bijan)
      
       - In conjunction with the above, fix a regression in polled IO issue
         when retried (me/Bijan)
      
       - Don't setup async context for read/write fixed, otherwise we may
         wrongly map the iovec on retry (me)
      
       - Cancel io-wq work if we fail getting mm reference (me)
      
       - Ensure dependent work is always initialized correctly (me)
      
       - Only allow original task to submit IO, don't allow it from a passed
         ring fd (me)
      
      * tag 'io_uring-5.5-2020-01-16' of git://git.kernel.dk/linux-block:
        io_uring: only allow submit from owning task
        io_uring: ensure workqueue offload grabs ring mutex for poll list
        io_uring: clear req->result always before issuing a read/write request
        io_uring: be consistent in assigning next work from handler
        io-wq: cancel work if we fail getting a mm reference
        io_uring: don't setup async context for read/write fixed
      25e73aad
    • Linus Torvalds's avatar
      Merge tag 'for-5.5-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · effaf901
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "A few more fixes that have been in the works during last twp weeks.
        All have a user visible effect and are stable material:
      
         - scrub: properly update progress after calling cancel ioctl, calling
           'resume' would start from the beginning otherwise
      
         - fix subvolume reference removal, after moving out of the original
           path the reference is not recognized and will lead to transaction
           abort
      
         - fix reloc root lifetime checks, could lead to crashes when there's
           subvolume cleaning running in parallel
      
         - fix memory leak when quotas get disabled in the middle of extent
           accounting
      
         - fix transaction abort in case of balance being started on degraded
           mount on eg. RAID1"
      
      * tag 'for-5.5-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: check rw_devices, not num_devices for balance
        Btrfs: always copy scrub arguments back to user space
        btrfs: relocation: fix reloc_root lifespan and access
        btrfs: fix memory leak in qgroup accounting
        btrfs: do not delete mismatched root refs
        btrfs: fix invalid removal of root ref
        btrfs: rework arguments of btrfs_unlink_subvol
      effaf901
    • Greg Kroah-Hartman's avatar
      Merge tag 'usb-serial-5.5-rc7' of... · 453495d4
      Greg Kroah-Hartman authored
      Merge tag 'usb-serial-5.5-rc7' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus
      
      Johan writes:
      
      USB-serial fixes for 5.5-rc7
      
      Here are a few fixes for issues related to unbound port devices which
      could lead to NULL-pointer dereferences. Notably the bind attributes for
      usb-serial (port) drivers are removed as almost none of the drivers can
      handle individual ports going away once they've been bound.
      
      Included are also some new device ids.
      
      All but the unbound-port fixes have been in linux-next with no reported
      issues.
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      
      * tag 'usb-serial-5.5-rc7' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial:
        USB: serial: quatech2: handle unbound ports
        USB: serial: keyspan: handle unbound ports
        USB: serial: io_edgeport: add missing active-port sanity check
        USB: serial: io_edgeport: handle unbound ports on URB completion
        USB: serial: ch341: handle unbound port at reset_resume
        USB: serial: suppress driver bind attributes
        USB: serial: option: add support for Quectel RM500Q in QDL mode
        USB: serial: opticon: fix control-message timeouts
        USB: serial: option: Add support for Quectel RM500Q
        USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx
      453495d4
    • Linus Torvalds's avatar
      Merge tag 'fuse-fixes-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse · ab7541c3
      Linus Torvalds authored
      Pull fuse fix from Miklos Szeredi:
       "Fix a regression in the last release affecting the ftp module of the
        gvfs filesystem"
      
      * tag 'fuse-fixes-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse:
        fuse: fix fuse_send_readpages() in the syncronous read case
      ab7541c3
    • Linus Torvalds's avatar
      Merge tag 'sound-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 07d5ac6a
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "This became bigger than I have hoped for rc7. But, the only large LOC
        is for stm32 fixes that are simple rewriting of register access
        helpers, while the rest are all nice and small fixes:
      
         - A few ASoC fixes for the remaining probe error handling bugs
      
         - ALSA sequencer core fix for racy proc file accesses
      
         - Revert the option rename of snd-hda-intel to make compatible again
      
         - Various device-specific fixes"
      
      * tag 'sound-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: seq: Fix racy access for queue timer in proc read
        ALSA: usb-audio: fix sync-ep altsetting sanity check
        ASoC: msm8916-wcd-digital: Reset RX interpolation path after use
        ASoC: msm8916-wcd-analog: Fix MIC BIAS Internal1
        ASoC: cros_ec_codec: Make the device acpi compatible
        ASoC: sti: fix possible sleep-in-atomic
        ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1
        ASoC: hdac_hda: Fix error in driver removal after failed probe
        ASoC: SOF: Intel: fix HDA codec driver probe with multiple controllers
        ASoC: SOF: Intel: lower print level to dbg if we will reinit DSP
        ALSA: dice: fix fallback from protocol extension into limited functionality
        ALSA: firewire-tascam: fix corruption due to spin lock without restoration in SoftIRQ context
        ALSA: hda: Rename back to dmic_detect option
        ASoC: stm32: dfsdm: fix 16 bits record
        ASoC: stm32: sai: fix possible circular locking
        ASoC: Fix NULL dereference at freeing
        ASoC: Intel: bytcht_es8316: Fix Irbis NB41 netbook quirk
        ASoC: rt5640: Fix NULL dereference on module unload
      07d5ac6a
    • Johan Hovold's avatar
      USB: serial: quatech2: handle unbound ports · 9715a43e
      Johan Hovold authored
      Check for NULL port data in the modem- and line-status handlers to avoid
      dereferencing a NULL pointer in the unlikely case where a port device
      isn't bound to a driver (e.g. after an allocation failure on port
      probe).
      
      Note that the other (stubbed) event handlers qt2_process_xmit_empty()
      and qt2_process_flush() would need similar sanity checks in case they
      are ever implemented.
      
      Fixes: f7a33e60 ("USB: serial: add quatech2 usb to serial driver")
      Cc: stable <stable@vger.kernel.org>     # 3.5
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      9715a43e
    • Johan Hovold's avatar
      USB: serial: keyspan: handle unbound ports · 3018dd3f
      Johan Hovold authored
      Check for NULL port data in the control URB completion handlers to avoid
      dereferencing a NULL pointer in the unlikely case where a port device
      isn't bound to a driver (e.g. after an allocation failure on port
      probe()).
      
      Fixes: 0ca1268e ("USB Serial Keyspan: add support for USA-49WG & USA-28XG")
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      3018dd3f
    • Johan Hovold's avatar
      USB: serial: io_edgeport: add missing active-port sanity check · 1568c58d
      Johan Hovold authored
      The driver receives the active port number from the device, but never
      made sure that the port number was valid. This could lead to a
      NULL-pointer dereference or memory corruption in case a device sends
      data for an invalid port.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      1568c58d
    • Johan Hovold's avatar
      USB: serial: io_edgeport: handle unbound ports on URB completion · e37d1aed
      Johan Hovold authored
      Check for NULL port data in the shared interrupt and bulk completion
      callbacks to avoid dereferencing a NULL pointer in case a device sends
      data for a port device which isn't bound to a driver (e.g. due to a
      malicious device having unexpected endpoints or after an allocation
      failure on port probe).
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      e37d1aed
    • Johan Hovold's avatar
      USB: serial: ch341: handle unbound port at reset_resume · 4d5ef53f
      Johan Hovold authored
      Check for NULL port data in reset_resume() to avoid dereferencing a NULL
      pointer in case the port device isn't bound to a driver (e.g. after a
      failed control request at port probe).
      
      Fixes: 1ded7ea4 ("USB: ch341 serial: fix port number changed after resume")
      Cc: stable <stable@vger.kernel.org>     # 2.6.30
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      4d5ef53f
    • Josef Bacik's avatar
      btrfs: check rw_devices, not num_devices for balance · b35cf1f0
      Josef Bacik authored
      The fstest btrfs/154 reports
      
        [ 8675.381709] BTRFS: Transaction aborted (error -28)
        [ 8675.383302] WARNING: CPU: 1 PID: 31900 at fs/btrfs/block-group.c:2038 btrfs_create_pending_block_groups+0x1e0/0x1f0 [btrfs]
        [ 8675.390925] CPU: 1 PID: 31900 Comm: btrfs Not tainted 5.5.0-rc6-default+ #935
        [ 8675.392780] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba527-rebuilt.opensuse.org 04/01/2014
        [ 8675.395452] RIP: 0010:btrfs_create_pending_block_groups+0x1e0/0x1f0 [btrfs]
        [ 8675.402672] RSP: 0018:ffffb2090888fb00 EFLAGS: 00010286
        [ 8675.404413] RAX: 0000000000000000 RBX: ffff92026dfa91c8 RCX: 0000000000000001
        [ 8675.406609] RDX: 0000000000000000 RSI: ffffffff8e100899 RDI: ffffffff8e100971
        [ 8675.408775] RBP: ffff920247c61660 R08: 0000000000000000 R09: 0000000000000000
        [ 8675.410978] R10: 0000000000000000 R11: 0000000000000000 R12: 00000000ffffffe4
        [ 8675.412647] R13: ffff92026db74000 R14: ffff920247c616b8 R15: ffff92026dfbc000
        [ 8675.413994] FS:  00007fd5e57248c0(0000) GS:ffff92027d800000(0000) knlGS:0000000000000000
        [ 8675.416146] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        [ 8675.417833] CR2: 0000564aa51682d8 CR3: 000000006dcbc004 CR4: 0000000000160ee0
        [ 8675.419801] Call Trace:
        [ 8675.420742]  btrfs_start_dirty_block_groups+0x355/0x480 [btrfs]
        [ 8675.422600]  btrfs_commit_transaction+0xc8/0xaf0 [btrfs]
        [ 8675.424335]  reset_balance_state+0x14a/0x190 [btrfs]
        [ 8675.425824]  btrfs_balance.cold+0xe7/0x154 [btrfs]
        [ 8675.427313]  ? kmem_cache_alloc_trace+0x235/0x2c0
        [ 8675.428663]  btrfs_ioctl_balance+0x298/0x350 [btrfs]
        [ 8675.430285]  btrfs_ioctl+0x466/0x2550 [btrfs]
        [ 8675.431788]  ? mem_cgroup_charge_statistics+0x51/0xf0
        [ 8675.433487]  ? mem_cgroup_commit_charge+0x56/0x400
        [ 8675.435122]  ? do_raw_spin_unlock+0x4b/0xc0
        [ 8675.436618]  ? _raw_spin_unlock+0x1f/0x30
        [ 8675.438093]  ? __handle_mm_fault+0x499/0x740
        [ 8675.439619]  ? do_vfs_ioctl+0x56e/0x770
        [ 8675.441034]  do_vfs_ioctl+0x56e/0x770
        [ 8675.442411]  ksys_ioctl+0x3a/0x70
        [ 8675.443718]  ? trace_hardirqs_off_thunk+0x1a/0x1c
        [ 8675.445333]  __x64_sys_ioctl+0x16/0x20
        [ 8675.446705]  do_syscall_64+0x50/0x210
        [ 8675.448059]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
        [ 8675.479187] BTRFS: error (device vdb) in btrfs_create_pending_block_groups:2038: errno=-28 No space left
      
      We now use btrfs_can_overcommit() to see if we can flip a block group
      read only.  Before this would fail because we weren't taking into
      account the usable un-allocated space for allocating chunks.  With my
      patches we were allowed to do the balance, which is technically correct.
      
      The test is trying to start balance on degraded mount.  So now we're
      trying to allocate a chunk and cannot because we want to allocate a
      RAID1 chunk, but there's only 1 device that's available for usage.  This
      results in an ENOSPC.
      
      But we shouldn't even be making it this far, we don't have enough
      devices to restripe.  The problem is we're using btrfs_num_devices(),
      that also includes missing devices. That's not actually what we want, we
      need to use rw_devices.
      
      The chunk_mutex is not needed here, rw_devices changes only in device
      add, remove or replace, all are excluded by EXCL_OP mechanism.
      
      Fixes: e4d8ec0f ("Btrfs: implement online profile changing")
      CC: stable@vger.kernel.org # 4.4+
      Signed-off-by: default avatarJosef Bacik <josef@toxicpanda.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      [ add stacktrace, update changelog, drop chunk_mutex ]
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      b35cf1f0
    • Filipe Manana's avatar
      Btrfs: always copy scrub arguments back to user space · 5afe6ce7
      Filipe Manana authored
      If scrub returns an error we are not copying back the scrub arguments
      structure to user space. This prevents user space to know how much
      progress scrub has done if an error happened - this includes -ECANCELED
      which is returned when users ask for scrub to stop. A particular use
      case, which is used in btrfs-progs, is to resume scrub after it is
      canceled, in that case it relies on checking the progress from the scrub
      arguments structure and then use that progress in a call to resume
      scrub.
      
      So fix this by always copying the scrub arguments structure to user
      space, overwriting the value returned to user space with -EFAULT only if
      copying the structure failed to let user space know that either that
      copying did not happen, and therefore the structure is stale, or it
      happened partially and the structure is probably not valid and corrupt
      due to the partial copy.
      Reported-by: default avatarGraham Cobb <g.btrfs@cobb.uk.net>
      Link: https://lore.kernel.org/linux-btrfs/d0a97688-78be-08de-ca7d-bcb4c7fb397e@cobb.uk.net/
      Fixes: 06fe39ab ("Btrfs: do not overwrite scrub error with fault error in scrub ioctl")
      CC: stable@vger.kernel.org # 5.1+
      Reviewed-by: default avatarJohannes Thumshirn <johannes.thumshirn@wdc.com>
      Reviewed-by: default avatarQu Wenruo <wqu@suse.com>
      Tested-by: default avatarGraham Cobb <g.btrfs@cobb.uk.net>
      Signed-off-by: default avatarFilipe Manana <fdmanana@suse.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      5afe6ce7
    • Linus Torvalds's avatar
      Merge tag 'gpio-v5.5-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · 13b2668d
      Linus Torvalds authored
      Pull GPIO fixes from Linus Walleij:
       "This reverts the GPIOLIB_IRQCHIP in the ThunderX driver.
      
        ThunderX is a piece of Arm-based server chip. I converted the driver
        to hierarchical gpiochip without access to real silicon and failed
        miserably since I didn't take MSI's into account.
      
        Kevin Hao helpfully stepped in and fixed it properly, let's revert it
        for v5.5 and put the proper conversion into v5.6"
      
      * tag 'gpio-v5.5-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
        Revert "gpio: thunderx: Switch to GPIOLIB_IRQCHIP"
      13b2668d
    • Linus Torvalds's avatar
      Merge tag 'block-5.5-2020-01-16' of git://git.kernel.dk/linux-block · 5ffdff81
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "Three fixes that should go into this release:
      
         - The 32-bit segment size fix that I mentioned last week (Ming)
      
         - Use uint for the block size (Mikulas)
      
         - A null_blk zone write handling fix (Damien)"
      
      * tag 'block-5.5-2020-01-16' of git://git.kernel.dk/linux-block:
        block: fix an integer overflow in logical block size
        null_blk: Fix zone write handling
        block: fix get_max_segment_size() overflow on 32bit arch
      5ffdff81
    • Kan Liang's avatar
      perf/x86/intel/uncore: Remove PCIe3 unit for SNR · 2167f162
      Kan Liang authored
      The PCIe Root Port driver for CPU Complex PCIe Root Ports are not
      loaded on SNR.
      
      The device ID for SNR PCIe3 unit is used by both uncore driver and the
      PCIe Root Port driver. If uncore driver is loaded, the PCIe Root Port
      driver never be probed.
      
      Remove the PCIe3 unit for SNR for now. The support for PCIe3 unit will
      be added later separately.
      Signed-off-by: default avatarKan Liang <kan.liang@linux.intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Link: https://lkml.kernel.org/r/20200116200210.18937-2-kan.liang@linux.intel.com
      2167f162
    • Kan Liang's avatar
      perf/x86/intel/uncore: Fix missing marker for snr_uncore_imc_freerunning_events · fa694ae5
      Kan Liang authored
      An Oops during the boot is found on some SNR machines.  It turns out
      this is because the snr_uncore_imc_freerunning_events[] array was
      missing an end-marker.
      
      Fixes: ee49532b ("perf/x86/intel/uncore: Add IMC uncore support for Snow Ridge")
      Reported-by: default avatarLike Xu <like.xu@linux.intel.com>
      Signed-off-by: default avatarKan Liang <kan.liang@linux.intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Tested-by: default avatarLike Xu <like.xu@linux.intel.com>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20200116200210.18937-1-kan.liang@linux.intel.com
      fa694ae5
    • Kan Liang's avatar
      perf/x86/intel/uncore: Add PCI ID of IMC for Xeon E3 V5 Family · e7438304
      Kan Liang authored
      The IMC uncore support is missed for E3-1585 v5 CPU.
      
      Intel Xeon E3 V5 Family has Sky Lake CPU.
      Add the PCI ID of IMC for Intel Xeon E3 V5 Family.
      Reported-by: default avatarRosales-fernandez, Carlos <carlos.rosales-fernandez@intel.com>
      Signed-off-by: default avatarKan Liang <kan.liang@linux.intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Tested-by: default avatarRosales-fernandez, Carlos <carlos.rosales-fernandez@intel.com>
      Link: https://lkml.kernel.org/r/1578687311-158748-1-git-send-email-kan.liang@linux.intel.com
      e7438304
    • Mark Rutland's avatar
      perf: Correctly handle failed perf_get_aux_event() · da9ec3d3
      Mark Rutland authored
      Vince reports a worrying issue:
      
      | so I was tracking down some odd behavior in the perf_fuzzer which turns
      | out to be because perf_even_open() sometimes returns 0 (indicating a file
      | descriptor of 0) even though as far as I can tell stdin is still open.
      
      ... and further the cause:
      
      | error is triggered if aux_sample_size has non-zero value.
      |
      | seems to be this line in kernel/events/core.c:
      |
      | if (perf_need_aux_event(event) && !perf_get_aux_event(event, group_leader))
      |                goto err_locked;
      |
      | (note, err is never set)
      
      This seems to be a thinko in commit:
      
        ab43762e ("perf: Allow normal events to output AUX data")
      
      ... and we should probably return -EINVAL here, as this should only
      happen when the new event is mis-configured or does not have a
      compatible aux_event group leader.
      
      Fixes: ab43762e ("perf: Allow normal events to output AUX data")
      Reported-by: default avatarVince Weaver <vincent.weaver@maine.edu>
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Acked-by: default avatarAlexander Shishkin <alexander.shishkin@linux.intel.com>
      Tested-by: default avatarVince Weaver <vincent.weaver@maine.edu>
      da9ec3d3
    • Johan Hovold's avatar
      USB: serial: suppress driver bind attributes · fdb838ef
      Johan Hovold authored
      USB-serial drivers must not be unbound from their ports before the
      corresponding USB driver is unbound from the parent interface so
      suppress the bind and unbind attributes.
      
      Unbinding a serial driver while it's port is open is a sure way to
      trigger a crash as any driver state is released on unbind while port
      hangup is handled on the parent USB interface level. Drivers for
      multiport devices where ports share a resource such as an interrupt
      endpoint also generally cannot handle individual ports going away.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      fdb838ef
    • Waiman Long's avatar
      locking/rwsem: Fix kernel crash when spinning on RWSEM_OWNER_UNKNOWN · 39e7234f
      Waiman Long authored
      The commit 91d2a812 ("locking/rwsem: Make handoff writer
      optimistically spin on owner") will allow a recently woken up waiting
      writer to spin on the owner. Unfortunately, if the owner happens to be
      RWSEM_OWNER_UNKNOWN, the code will incorrectly spin on it leading to a
      kernel crash. This is fixed by passing the proper non-spinnable bits
      to rwsem_spin_on_owner() so that RWSEM_OWNER_UNKNOWN will be treated
      as a non-spinnable target.
      
      Fixes: 91d2a812 ("locking/rwsem: Make handoff writer optimistically spin on owner")
      Reported-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarWaiman Long <longman@redhat.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Tested-by: default avatarChristoph Hellwig <hch@lst.de>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/20200115154336.8679-1-longman@redhat.com
      39e7234f
    • Jens Axboe's avatar
      io_uring: only allow submit from owning task · 44d28279
      Jens Axboe authored
      If the credentials or the mm doesn't match, don't allow the task to
      submit anything on behalf of this ring. The task that owns the ring can
      pass the file descriptor to another task, but we don't want to allow
      that task to submit an SQE that then assumes the ring mm and creds if
      it needs to go async.
      
      Cc: stable@vger.kernel.org
      Suggested-by: default avatarStefan Metzmacher <metze@samba.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      44d28279
    • Linus Torvalds's avatar
      Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · 575966e0
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
       "I've been sitting on these longer than I meant, so the patch count is
        a bit higher than ideal for this part of the release. There's also
        some reverts of double-applied patches that brings the diffstat up a
        bit.
      
        With that said, the biggest changes are:
      
         - Revert of duplicate i2c device addition on two Aspeed (BMC)
           Devicetrees.
      
         - Move of two device nodes that got applied to the wrong part of the
           tree on ASpeed G6.
      
         - Regulator fix for Beaglebone X15 (adding 12/5V supplies)
      
         - Use interrupts for keys on Amlogic SM1 to avoid missed polls
      
        In addition to that, there is a collection of smaller DT fixes:
      
         - Power supply assignment fixes for i.MX6
      
         - Fix of interrupt line for magnetometer on i.MX8 Librem5 devkit
      
         - Build fixlets (selects) for davinci/omap2+
      
         - More interrupt number fixes for Stratix10, Amlogic SM1, etc.
      
         - ... and more similar fixes across different platforms
      
        And some non-DT stuff:
      
         - optee fix to register multiple shared pages properly
      
         - Clock calculation fixes for MMP3
      
         - Clock fixes for OMAP as well"
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (42 commits)
        MAINTAINERS: Add myself as the co-maintainer for Actions Semi platforms
        ARM: dts: imx7: Fix Toradex Colibri iMX7S 256MB NAND flash support
        ARM: dts: imx6sll-evk: Remove incorrect power supply assignment
        ARM: dts: imx6sl-evk: Remove incorrect power supply assignment
        ARM: dts: imx6sx-sdb: Remove incorrect power supply assignment
        ARM: dts: imx6qdl-sabresd: Remove incorrect power supply assignment
        ARM: dts: imx6q-icore-mipi: Use 1.5 version of i.Core MX6DL
        ARM: omap2plus: select RESET_CONTROLLER
        ARM: davinci: select CONFIG_RESET_CONTROLLER
        ARM: dts: aspeed: rainier: Fix fan fault and presence
        ARM: dts: aspeed: rainier: Remove duplicate i2c busses
        ARM: dts: aspeed: tacoma: Remove duplicate flash nodes
        ARM: dts: aspeed: tacoma: Remove duplicate i2c busses
        ARM: dts: aspeed: tacoma: Fix fsi master node
        ARM: dts: aspeed-g6: Fix FSI master location
        ARM: dts: mmp3: Fix the TWSI ranges
        clk: mmp2: Fix the order of timer mux parents
        ARM: mmp: do not divide the clock rate
        arm64: dts: rockchip: Fix IR on Beelink A1
        optee: Fix multi page dynamic shm pool alloc
        ...
      575966e0
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · ef64753c
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "Second collection of clk fixes for the next release.
      
        This one includes a fix for PM on TI SoCs with sysc devices and fixes
        a bunch of clks that are stuck always enabled on Qualcomm SDM845 SoCs.
      
        Allwinner SoCs get the usual set of fixes too, mostly correcting
        drivers to have the right bits that match the hardware.
      
        There's also a Samsung and Tegra fix in here to mark a clk critical
        and avoid a double free.
      
        And finally there's a fix for critical clks that silences a big
        warning splat about trying to enable a clk that couldn't even be
        prepared"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: ti: dra7-atl: Remove pm_runtime_irq_safe()
        clk: qcom: gcc-sdm845: Add missing flag to votable GDSCs
        clk: sunxi-ng: h6-r: Fix AR100/R_APB2 parent order
        clk: sunxi-ng: h6-r: Simplify R_APB1 clock definition
        clk: sunxi-ng: sun8i-r: Fix divider on APB0 clock
        clk: Don't try to enable critical clocks if prepare failed
        clk: tegra: Fix double-free in tegra_clk_init()
        clk: samsung: exynos5420: Keep top G3D clocks enabled
        clk: sunxi-ng: r40: Allow setting parent rate for external clock outputs
        clk: sunxi-ng: v3s: Fix incorrect number of hw_clks.
      ef64753c
  3. 16 Jan, 2020 1 commit