1. 14 Jul, 2017 16 commits
    • Richard Weinberger's avatar
      ubifs: Don't leak kernel memory to the MTD · 4acadda7
      Richard Weinberger authored
      When UBIFS prepares data structures which will be written to the MTD it
      ensues that their lengths are multiple of 8. Since it uses kmalloc() the
      padded bytes are left uninitialized and we leak a few bytes of kernel
      memory to the MTD.
      To make sure that all bytes are initialized, let's switch to kzalloc().
      Kzalloc() is fine in this case because the buffers are not huge and in
      the IO path the performance bottleneck is anyway the MTD.
      
      Cc: stable@vger.kernel.org
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Reviewed-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      4acadda7
    • Hyunchul Lee's avatar
      ubifs: Change gfp flags in page allocation for bulk read · 480a1a6a
      Hyunchul Lee authored
      In low memory situations, page allocations for bulk read
      can kill applications for reclaiming memory, and print an
      failure message when allocations are failed.
      Because bulk read is just an optimization, we don't have
      to do these and can stop page allocations.
      
      Though this siutation happens rarely, add __GFP_NORETRY
      to prevent from excessive memory reclaim and killing
      applications, and __GFP_WARN to suppress this failure
      message.
      
      For this, Use readahead_gfp_mask for gfp flags when
      allocating pages.
      Signed-off-by: default avatarHyunchul Lee <cheol.lee@lge.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      480a1a6a
    • karam.lee's avatar
      ubifs: Fix oops when remounting with no_bulk_read. · 07d41c3c
      karam.lee authored
      When remounting with the no_bulk_read option,
      there is a problem accessing the "bulk_read buffer(bu.buf)"
      which has already been freed.
      
      If the bulk_read option is enabled,
      ubifs_tnc_bulk_read uses the pre-allocated bu.buf.
      
      While bu.buf is being used by ubifs_tnc_bulk_read,
      remounting with no_bulk_read frees bu.buf.
      
      So I added code to check the use of "bu.buf" to avoid this situation.
      
      ------
      I tested as follows(kernel v3.18) :
      
      Use the script to repeat "no_bulk_read <-> bulk_read"
      	remount.sh
      	#!/bin/sh
      	while true do;
      		mount -o remount,no_bulk_read ${MOUNT_POINT};
      		sleep 1;
      		mount -o remount,bulk_read ${MOUNT_POINT};
      		sleep 1;
      	done
      
      Perform read operation
      	cat ${MOUNT_POINT}/* > /dev/null
      
      The problem is reproduced immediately.
      
      [  234.256845][kernel.0]Internal error: Oops: 17 [#1] PREEMPT ARM
      [  234.258557][kernel.0]CPU: 0 PID: 2752 Comm: cat Tainted: G        W  O   3.18.31+ #51
      [  234.259531][kernel.0]task: cbff8580 ti: cbd66000 task.ti: cbd66000
      [  234.260306][kernel.0]PC is at validate_data_node+0x10/0x264
      [  234.260994][kernel.0]LR is at ubifs_tnc_bulk_read+0x388/0x3ec
      [  234.261712][kernel.0]pc : [<c01d98fc>]    lr : [<c01dc300>]    psr: 80000013
      [  234.261712][kernel.0]sp : cbd67ba0  ip : 00000001  fp : 00000000
      [  234.263337][kernel.0]r10: cd3e0260  r9 : c0df2008  r8 : 00000000
      [  234.264087][kernel.0]r7 : cd3e0000  r6 : 00000000  r5 : cd3e0278  r4 : cd3e0000
      [  234.264999][kernel.0]r3 : 00000003  r2 : cd3e0280  r1 : 00000000  r0 : cd3e0000
      [  234.265910][kernel.0]Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
      [  234.266896][kernel.0]Control: 10c53c7d  Table: 8c40c059  DAC: 00000015
      [  234.267711][kernel.0]Process cat (pid: 2752, stack limit = 0xcbd66400)
      [  234.268525][kernel.0]Stack: (0xcbd67ba0 to 0xcbd68000)
      [  234.269169][kernel.0]7ba0: cd7c3940 c03d8650 0001bfe0 00002ab2 00000000 cbd67c5c cbd67c58 0001bfe0
      [  234.270287][kernel.0]7bc0: cd3e0000 00002ab2 0001bfe0 00000014 cbd66000 cd3e0260 00000000 c01d6660
      [  234.271403][kernel.0]7be0: 00002ab2 00000000 c82a5800 ffffffff cd3e0298 cd3e0278 00000000 cd3e0000
      [  234.272520][kernel.0]7c00: 00000000 00000000 cd3e0260 c01dc300 00002ab2 00000000 60000013 d663affa
      [  234.273639][kernel.0]7c20: cd3e01f0 cd3e01f0 60000013 c09397ec 00000000 cd3e0278 00002ab2 00000000
      [  234.274755][kernel.0]7c40: cd3e0000 c01dbf48 00000014 00000003 00000160 00000015 00000004 d663affa
      [  234.275874][kernel.0]7c60: ccdaa978 cd3e0278 cd3e0000 cf32a5f4 ccdaa820 00000044 cbd66000 cd3e0260
      [  234.276992][kernel.0]7c80: 00000003 c01cec84 ccdaa8dc cbd67cc4 cbd67ec0 00000010 ccdaa978 00000000
      [  234.278108][kernel.0]7ca0: 0000015e ccdaa8dc 00000000 00000000 cf32a5d0 00000000 0000015f ccdaa8dc
      [  234.279228][kernel.0]7cc0: 00000000 c8488300 0009e5a4 0000000e cbd66000 0000015e cf32a5f4 c0113c04
      [  234.280346][kernel.0]7ce0: 0000009f 0000003c c00098c4 ffffffff 00001000 00000000 000000ad 00000010
      [  234.281463][kernel.0]7d00: 00000038 cd68f580 00000150 c8488360 00000000 cbd67d30 cbd67d70 0000000e
      [  234.282579][kernel.0]7d20: 00000010 00000000 c0951874 c0112a9c cf379b60 cf379b84 cf379890 cf3798b4
      [  234.283699][kernel.0]7d40: cf379578 cf37959c cf379380 cf3793a4 cf3790b0 cf3790d4 cf378fd8 cf378ffc
      [  234.284814][kernel.0]7d60: cf378f48 cf378f6c cf32a5f4 cf32a5d0 00000000 00001000 00000018 00000000
      [  234.285932][kernel.0]7d80: 00001000 c0050da4 00000000 00001000 cec04c00 00000000 00001000 c0e11328
      [  234.287049][kernel.0]7da0: 00000000 00001000 cbd66000 00000000 00001000 c0012a60 00000000 00001000
      [  234.288166][kernel.0]7dc0: cbd67dd4 00000000 00001000 80000013 00000000 00001000 cd68f580 00000000
      [  234.289285][kernel.0]7de0: 00001000 c915d600 00000000 00001000 cbd67e48 00000000 00001000 00000018
      [  234.290402][kernel.0]7e00: 00000000 00001000 00000000 00000000 00001000 c915d768 c915d768 c0113550
      [  234.291522][kernel.0]7e20: cd68f580 cbd67e48 cd68f580 cb6713c0 00010000 000ac5a4 00000000 001fc5a4
      [  234.292637][kernel.0]7e40: 00000000 c8488300 cbd67ec0 00eb0000 cd68f580 c0113ee4 00000000 cbd67ec0
      [  234.293754][kernel.0]7e60: cd68f580 c8488300 cbd67ec0 00eb0000 cd68f580 00150000 c8488300 00eb0000
      [  234.294874][kernel.0]7e80: 00010000 c0112fd0 00000000 cbd67ec0 cd68f580 00150000 00000000 cd68f580
      [  234.295991][kernel.0]7ea0: cbd67ef0 c011308c 00000000 00000002 cd768850 00010000 00000000 c01133fc
      [  234.297110][kernel.0]7ec0: 00150000 00000000 cbd67f50 00000000 00000000 cb6713c0 01000000 cbd67f48
      [  234.298226][kernel.0]7ee0: cbd67f50 c8488300 00000000 c0113204 00010000 01000000 00000000 cb6713c0
      [  234.299342][kernel.0]7f00: 00150000 00000000 cbd67f50 00000000 00000000 00000000 00000000 00000000
      [  234.300462][kernel.0]7f20: cbd67f50 01000000 01000000 cb6713c0 c8488300 c00ebba8 01000000 00000000
      [  234.301577][kernel.0]7f40: c8488300 cb6713c0 00000000 00000000 00000000 00000000 ccdaa820 00000000
      [  234.302697][kernel.0]7f60: 00000000 01000000 00000003 00000001 cbd66000 00000000 00000001 c00ec678
      [  234.303813][kernel.0]7f80: 00000000 00000200 00000000 01000000 01000000 00000000 00000000 000000ef
      [  234.304933][kernel.0]7fa0: c000e904 c000e780 01000000 00000000 00000001 00000003 00000000 01000000
      [  234.306049][kernel.0]7fc0: 01000000 00000000 00000000 000000ef 00000001 00000003 01000000 00000001
      [  234.307165][kernel.0]7fe0: 00000000 beafb78c 0000ad08 00128d1c 60000010 00000001 00000000 00000000
      [  234.308292][kernel.0][<c01d98fc>] (validate_data_node) from [<c01dc300>] (ubifs_tnc_bulk_read+0x388/0x3ec)
      [  234.309493][kernel.0][<c01dc300>] (ubifs_tnc_bulk_read) from [<c01cec84>] (ubifs_readpage+0x1dc/0x46c)
      [  234.310656][kernel.0][<c01cec84>] (ubifs_readpage) from [<c0113c04>] (__generic_file_splice_read+0x29c/0x4cc)
      [  234.311890][kernel.0][<c0113c04>] (__generic_file_splice_read) from [<c0113ee4>] (generic_file_splice_read+0xb0/0xf4)
      [  234.313214][kernel.0][<c0113ee4>] (generic_file_splice_read) from [<c0112fd0>] (do_splice_to+0x68/0x7c)
      [  234.314386][kernel.0][<c0112fd0>] (do_splice_to) from [<c011308c>] (splice_direct_to_actor+0xa8/0x190)
      [  234.315544][kernel.0][<c011308c>] (splice_direct_to_actor) from [<c0113204>] (do_splice_direct+0x90/0xb8)
      [  234.316741][kernel.0][<c0113204>] (do_splice_direct) from [<c00ebba8>] (do_sendfile+0x17c/0x2b8)
      [  234.317838][kernel.0][<c00ebba8>] (do_sendfile) from [<c00ec678>] (SyS_sendfile64+0xc4/0xcc)
      [  234.318890][kernel.0][<c00ec678>] (SyS_sendfile64) from [<c000e780>] (ret_fast_syscall+0x0/0x38)
      [  234.319983][kernel.0]Code: e92d47f0 e24dd050 e59f9228 e1a04000 (e5d18014)
      Signed-off-by: default avatarkaram.lee <karam.lee@lge.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      07d41c3c
    • Richard Weinberger's avatar
      ubifs: Fail commit if TNC is obviously inconsistent · df71b091
      Richard Weinberger authored
      A reference to LEB 0 or with length 0 in the TNC
      is never correct and could be caused by a memory corruption.
      Don't write such a bad index node to the MTD.
      Instead fail the commit which will turn UBIFS into read-only mode.
      
      This is less painful than having the bad reference on the MTD
      from where UBFIS has no chance to recover.
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      df71b091
    • Rabin Vincent's avatar
      ubifs: allow userspace to map mounts to volumes · 319c1042
      Rabin Vincent authored
      There currently appears to be no way for userspace to find out the
      underlying volume number for a mounted ubifs file system, since ubifs
      uses anonymous block devices.  The volume name is present in
      /proc/mounts but UBI volumes can be renamed after the volume has been
      mounted.
      
      To remedy this, show the UBI number and UBI volume number as part of the
      options visible under /proc/mounts.
      
      Also, accept and ignore the ubi= vol= options if they are used mounting
      (patch from Richard Weinberger).
      
       # mount -t ubifs ubi:baz x
       # mount
       ubi:baz on /root/x type ubifs (rw,relatime,ubi=0,vol=2)
       # ubirename /dev/ubi0 baz bazz
       # mount
       ubi:baz on /root/x type ubifs (rw,relatime,ubi=0,vol=2)
       # ubinfo -d 0 -n 2
       Volume ID:   2 (on ubi0)
       Type:        dynamic
       Alignment:   1
       Size:        67 LEBs (1063424 bytes, 1.0 MiB)
       State:       OK
       Name:        bazz
       Character device major/minor: 254:3
      Signed-off-by: default avatarRabin Vincent <rabinv@axis.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      319c1042
    • Richard Weinberger's avatar
      ubifs: Wire-up statx() support · a02a6eba
      Richard Weinberger authored
      statx() can report what flags a file has, expose flags that UBIFS
      supports. Especially STATX_ATTR_COMPRESSED and STATX_ATTR_ENCRYPTED
      can be interesting for userspace.
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      a02a6eba
    • Richard Weinberger's avatar
      ubifs: Remove dead code from ubifs_get_link() · d2eb8522
      Richard Weinberger authored
      We check the length already, no need to check later
      again for an empty string.
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      d2eb8522
    • Richard Weinberger's avatar
      ubifs: Massage debug prints wrt. fscrypt · 35ee314c
      Richard Weinberger authored
      If file names are encrypted we can no longer print them.
      That's why we have to change these prints or remove them completely.
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      35ee314c
    • Richard Weinberger's avatar
      ubifs: Add assert to dent_key_init() · 8b2900c0
      Richard Weinberger authored
      ...to make sure that we don't use it for double hashed lookups
      instead of dent_key_init_hash().
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      8b2900c0
    • Richard Weinberger's avatar
      ubifs: Fix unlink code wrt. double hash lookups · 781f675e
      Richard Weinberger authored
      When removing an encrypted file with a long name and without having
      the key we have to be able to locate and remove the directory entry
      via a double hash. This corner case was simply forgotten.
      
      Fixes: 528e3d17 ("ubifs: Add full hash lookup support")
      Reported-by: default avatarDavid Oberhollenzer <david.oberhollenzer@sigma-star.at>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      781f675e
    • David Oberhollenzer's avatar
      ubifs: Fix data node size for truncating uncompressed nodes · 59a74990
      David Oberhollenzer authored
      Currently, the function truncate_data_node only updates the
      destination data node size if compression is used. For
      uncompressed nodes, the old length is incorrectly retained.
      
      This patch makes sure that the length is correctly set when
      compression is disabled.
      
      Fixes: 7799953b ("ubifs: Implement encrypt/decrypt for all IO")
      Signed-off-by: default avatarDavid Oberhollenzer <david.oberhollenzer@sigma-star.at>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      59a74990
    • David Gstir's avatar
      ubifs: Don't encrypt special files on creation · f34e87f5
      David Gstir authored
      When a new inode is created, we check if the containing folder has a encryption
      policy set and inherit that. This should however only be done for regular
      files, links and subdirectories. Not for sockes fifos etc.
      
      Fixes: d475a507 ("ubifs: Add skeleton for fscrypto")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDavid Gstir <david@sigma-star.at>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      f34e87f5
    • Hyunchul Lee's avatar
      ubifs: Fix memory leak in RENAME_WHITEOUT error path in do_rename · bb50c632
      Hyunchul Lee authored
      in RENAME_WHITEOUT error path, fscrypt_name should be freed.
      Signed-off-by: default avatarHyunchul Lee <cheol.lee@lge.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      bb50c632
    • Hyunchul Lee's avatar
      ubifs: Fix inode data budget in ubifs_mknod · 4d35ca4f
      Hyunchul Lee authored
      Assign inode data budget to budget request correctly.
      Signed-off-by: default avatarHyunchul Lee <cheol.lee@lge.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      4d35ca4f
    • Richard Weinberger's avatar
      ubifs: Correctly evict xattr inodes · 272eda82
      Richard Weinberger authored
      UBIFS handles extended attributes just like files, as consequence of
      that, they also have inodes.
      Therefore UBIFS does all the inode machinery also for xattrs. Since new
      inodes have i_nlink of 1, a file or xattr inode will be evicted
      if i_nlink goes down to 0 after an unlink. UBIFS assumes this model also
      for xattrs, which is not correct.
      One can create a file "foo" with xattr "user.test". By reading
      "user.test" an inode will be created, and by deleting "user.test" it
      will get evicted later. The assumption breaks if the file "foo", which
      hosts the xattrs, will be removed. VFS nor UBIFS does not remove each
      xattr via ubifs_xattr_remove(), it just removes the host inode from
      the TNC and all underlying xattr nodes too and the inode will remain
      in the cache and wastes memory.
      
      To solve this problem, remove xattr inodes from the VFS inode cache in
      ubifs_xattr_remove() to make sure that they get evicted.
      
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      272eda82
    • Richard Weinberger's avatar
      ubifs: Unexport ubifs_inode_slab · e996bfd4
      Richard Weinberger authored
      This SLAB is only being used in super.c, there is no need to expose
      it into the global namespace.
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      e996bfd4
  2. 05 Jul, 2017 2 commits
  3. 11 Jun, 2017 15 commits
    • Linus Torvalds's avatar
      Linux 4.12-rc5 · 32c1431e
      Linus Torvalds authored
      32c1431e
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security · 32627645
      Linus Torvalds authored
      Pull key subsystem fixes from James Morris:
       "Here are a bunch of fixes for Linux keyrings, including:
      
         - Fix up the refcount handling now that key structs use the
           refcount_t type and the refcount_t ops don't allow a 0->1
           transition.
      
         - Fix a potential NULL deref after error in x509_cert_parse().
      
         - Don't put data for the crypto algorithms to use on the stack.
      
         - Fix the handling of a null payload being passed to add_key().
      
         - Fix incorrect cleanup an uninitialised key_preparsed_payload in
           key_update().
      
         - Explicit sanitisation of potentially secure data before freeing.
      
         - Fixes for the Diffie-Helman code"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (23 commits)
        KEYS: fix refcount_inc() on zero
        KEYS: Convert KEYCTL_DH_COMPUTE to use the crypto KPP API
        crypto : asymmetric_keys : verify_pefile:zero memory content before freeing
        KEYS: DH: add __user annotations to keyctl_kdf_params
        KEYS: DH: ensure the KDF counter is properly aligned
        KEYS: DH: don't feed uninitialized "otherinfo" into KDF
        KEYS: DH: forbid using digest_null as the KDF hash
        KEYS: sanitize key structs before freeing
        KEYS: trusted: sanitize all key material
        KEYS: encrypted: sanitize all key material
        KEYS: user_defined: sanitize key payloads
        KEYS: sanitize add_key() and keyctl() key payloads
        KEYS: fix freeing uninitialized memory in key_update()
        KEYS: fix dereferencing NULL payload with nonzero length
        KEYS: encrypted: use constant-time HMAC comparison
        KEYS: encrypted: fix race causing incorrect HMAC calculations
        KEYS: encrypted: fix buffer overread in valid_master_desc()
        KEYS: encrypted: avoid encrypting/decrypting stack buffers
        KEYS: put keyring if install_session_keyring_to_cred() fails
        KEYS: Delete an error message for a failed memory allocation in get_derived_key()
        ...
      32627645
    • Linus Torvalds's avatar
      compiler, clang: properly override 'inline' for clang · 6d53cefb
      Linus Torvalds authored
      Commit abb2ea7d ("compiler, clang: suppress warning for unused
      static inline functions") just caused more warnings due to re-defining
      the 'inline' macro.
      
      So undef it before re-defining it, and also add the 'notrace' attribute
      like the gcc version that this is overriding does.
      
      Maybe this makes clang happier.
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      6d53cefb
    • Linus Torvalds's avatar
      Merge tag 'random_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random · 5ad9345d
      Linus Torvalds authored
      Pull randomness fixes from Ted Ts'o:
       "Improve performance by using a lockless update mechanism suggested by
        Linus, and make sure we refresh per-CPU entropy returned get_random_*
        as soon as the CRNG is initialized"
      
      * tag 'random_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random:
        random: invalidate batched entropy after crng init
        random: use lockless method of accessing and updating f->reg_idx
      5ad9345d
    • Linus Torvalds's avatar
      Merge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 · 5e38b72a
      Linus Torvalds authored
      Pull ext4 fixes from Ted Ts'o:
       "Fix various bug fixes in ext4 caused by races and memory allocation
        failures"
      
      * tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
        ext4: fix fdatasync(2) after extent manipulation operations
        ext4: fix data corruption for mmap writes
        ext4: fix data corruption with EXT4_GET_BLOCKS_ZERO
        ext4: fix quota charging for shared xattr blocks
        ext4: remove redundant check for encrypted file on dio write path
        ext4: remove unused d_name argument from ext4_search_dir() et al.
        ext4: fix off-by-one error when writing back pages before dio read
        ext4: fix off-by-one on max nr_pages in ext4_find_unwritten_pgoff()
        ext4: keep existing extra fields when inode expands
        ext4: handle the rest of ext4_mb_load_buddy() ENOMEM errors
        ext4: fix off-by-in in loop termination in ext4_find_unwritten_pgoff()
        ext4: fix SEEK_HOLE
        jbd2: preserve original nofs flag during journal restart
        ext4: clear lockdep subtype for quota files on quota off
      5e38b72a
    • Linus Torvalds's avatar
      Merge tag 'gpio-v4.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · f986e31b
      Linus Torvalds authored
      Pull GPIO fixes from Linus Walleij:
       "A few overdue GPIO patches for the v4.12 kernel.
      
         - Fix debounce logic on the Aspeed platform.
      
         - Fix the "virtual gpio" things on the Intel Crystal Cove.
      
         - Fix the blink counter selection on the MVEBU platform"
      
      * tag 'gpio-v4.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
        gpio: mvebu: fix gpio bank registration when pwm is used
        gpio: mvebu: fix blink counter register selection
        MAINTAINERS: remove self from GPIO maintainers
        gpio: crystalcove: Do not write regular gpio registers for virtual GPIOs
        gpio: aspeed: Don't attempt to debounce if disabled
      f986e31b
    • Linus Torvalds's avatar
      Merge tag 'char-misc-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 9cd9cb0b
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are some small driver fixes for 4.12-rc5. Nothing major here,
        just some small bugfixes found by people testing, and a MAINTAINERS
        file update for the genwqe driver.
      
        All have been in linux-next with no reported issues"
      
      [ The cxl driver fix came in through the powerpc tree earlier ]
      
      * tag 'char-misc-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        cxl: Avoid double free_irq() for psl,slice interrupts
        mei: make sysfs modalias format similar as uevent modalias
        drivers: char: mem: Fix wraparound check to allow mappings up to the end
        MAINTAINERS: Change maintainer of genwqe driver
        goldfish_pipe: use GFP_ATOMIC under spin lock
        firmware: vpd: do not leak kobjects
        firmware: vpd: avoid potential use-after-free when destroying section
        firmware: vpd: do not leave freed section attributes to the list
      9cd9cb0b
    • Linus Torvalds's avatar
      Merge tag 'staging-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 21c9eb7c
      Linus Torvalds authored
      Pull staging/IIO fixes from Greg KH:
       "These are mostly all IIO driver fixes, resolving a number of tiny
        issues. There's also a ccree and lustre fix in here as well, both fix
        problems found in those codebases.
      
        All have been in linux-next with no reported issues"
      
      * tag 'staging-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: ccree: fix buffer copy
        staging/lustre/lov: remove set_fs() call from lov_getstripe()
        staging: ccree: add CRYPTO dependency
        iio: adc: sun4i-gpadc-iio: fix parent device being used in devm function
        iio: light: ltr501 Fix interchanged als/ps register field
        iio: adc: bcm_iproc_adc: swap primary and secondary isr handler's
        iio: trigger: fix NULL pointer dereference in iio_trigger_write_current()
        iio: adc: max9611: Fix attribute measure unit
        iio: adc: ti_am335x_adc: allocating too much in probe
        iio: adc: sun4i-gpadc-iio: Fix module autoload when OF devices are registered
        iio: adc: sun4i-gpadc-iio: Fix module autoload when PLATFORM devices are registered
        iio: proximity: as3935: fix iio_trigger_poll issue
        iio: proximity: as3935: fix AS3935_INT mask
        iio: adc: Max9611: checking for ERR_PTR instead of NULL in probe
        iio: proximity: as3935: recalibrate RCO after resume
      21c9eb7c
    • Linus Torvalds's avatar
      Merge tag 'usb-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 246baac2
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are some small USB fixes for 4.12-rc5
      
        They are for some reported issues in the chipidea and gadget drivers.
        Nothing major. All have been in linux-next for a while with no
        reported issues"
      
      * tag 'usb-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb: gadget: udc: renesas_usb3: Fix PN_INT_ENA disabling timing
        usb: gadget: udc: renesas_usb3: lock for PN_ registers access
        usb: gadget: udc: renesas_usb3: fix deadlock by spinlock
        usb: gadget: udc: renesas_usb3: fix pm_runtime functions calling
        usb: gadget: f_mass_storage: Serialize wake and sleep execution
        usb: dwc2: add support for the DWC2 controller on Meson8 SoCs
        phy: qualcomm: phy-qcom-qmp: fix application of sizeof to pointer
        usb: musb: dsps: keep VBUS on for host-only mode
        usb: chipidea: core: check before accessing ci_role in ci_role_show
        usb: chipidea: debug: check before accessing ci_role
        phy: qcom-qmp: fix return value check in qcom_qmp_phy_create()
        usb: chipidea: udc: fix NULL pointer dereference if udc_start failed
        usb: chipidea: imx: Do not access CLKONOFF on i.MX51
      246baac2
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · ef918d3c
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "This is a set of user visible fixes (excepting one format string
        change).
      
        Four of the qla2xxx fixes only affect the firmware dump path, but it's
        still important to the enterprise. The rest are various NULL pointer
        crash conditions or outright driver hangs"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: cxgb4i: libcxgbi: in error case RST tcp conn
        scsi: scsi_debug: Avoid PI being disabled when TPGS is enabled
        scsi: qla2xxx: Fix extraneous ref on sp's after adapter break
        scsi: lpfc: prevent potential null pointer dereference
        scsi: lpfc: Avoid NULL pointer dereference in lpfc_els_abort()
        scsi: lpfc: nvmet_fc: fix format string
        scsi: qla2xxx: Fix crash due to NULL pointer dereference of ctx
        scsi: qla2xxx: Fix mailbox pointer error in fwdump capture
        scsi: qla2xxx: Set bit 15 for DIAG_ECHO_TEST MBC
        scsi: qla2xxx: Modify T262 FW dump template to specify same start/end to debug customer issues
        scsi: qla2xxx: Fix crash due to mismatch mumber of Q-pair creation for Multi queue
        scsi: qla2xxx: Fix NULL pointer access due to redundant fc_host_port_name call
        scsi: qla2xxx: Fix recursive loop during target mode configuration for ISP25XX leaving system unresponsive
        scsi: bnx2fc: fix race condition in bnx2fc_get_host_stats()
        scsi: qla2xxx: don't disable a not previously enabled PCI device
      ef918d3c
    • Linus Torvalds's avatar
      Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm · 8f56821d
      Linus Torvalds authored
      Pull libnvdimm fix from Dan Williams:
       "We expanded the device-dax fs type in 4.12 to be a generic provider of
        a struct dax_device with an embedded inode. However, Sasha found some
        basic negative testing was not run to verify that this fs cleanly
        handles being mounted directly.
      
        Note that the fresh rebase was done to remove an unnecessary Cc:
        <stable> tag, but this commit otherwise had a build success
        notification from the 0day robot."
      
      * 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
        device-dax: fix 'dax' device filesystem inode destruction crash
      8f56821d
    • Linus Torvalds's avatar
      Merge tag 'hexagon-for-linus-v4.12-rc5' of... · 9d66af6b
      Linus Torvalds authored
      Merge tag 'hexagon-for-linus-v4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
      
      Pull hexagon fix from Guenter Roeck:
       "This fixes a build error seen when building hexagon images.
      
        Richard sent me an Ack, but didn't reply when asked if he wants me to
        send the patch to you directly, so I figured I'd just do it"
      
      * tag 'hexagon-for-linus-v4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
        hexagon: Use raw_copy_to_user
      9d66af6b
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 9d0eb462
      Linus Torvalds authored
      Pull KVM fixes from Paolo Bonzini:
       "Bug fixes (ARM, s390, x86)"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: async_pf: avoid async pf injection when in guest mode
        KVM: cpuid: Fix read/write out-of-bounds vulnerability in cpuid emulation
        arm: KVM: Allow unaligned accesses at HYP
        arm64: KVM: Allow unaligned accesses at EL2
        arm64: KVM: Preserve RES1 bits in SCTLR_EL2
        KVM: arm/arm64: Handle possible NULL stage2 pud when ageing pages
        KVM: nVMX: Fix exception injection
        kvm: async_pf: fix rcu_irq_enter() with irqs enabled
        KVM: arm/arm64: vgic-v3: Fix nr_pre_bits bitfield extraction
        KVM: s390: fix ais handling vs cpu model
        KVM: arm/arm64: Fix isues with GICv2 on GICv3 migration
      9d0eb462
    • Wanpeng Li's avatar
      KVM: async_pf: avoid async pf injection when in guest mode · 9bc1f09f
      Wanpeng Li authored
       INFO: task gnome-terminal-:1734 blocked for more than 120 seconds.
             Not tainted 4.12.0-rc4+ #8
       "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
       gnome-terminal- D    0  1734   1015 0x00000000
       Call Trace:
        __schedule+0x3cd/0xb30
        schedule+0x40/0x90
        kvm_async_pf_task_wait+0x1cc/0x270
        ? __vfs_read+0x37/0x150
        ? prepare_to_swait+0x22/0x70
        do_async_page_fault+0x77/0xb0
        ? do_async_page_fault+0x77/0xb0
        async_page_fault+0x28/0x30
      
      This is triggered by running both win7 and win2016 on L1 KVM simultaneously,
      and then gives stress to memory on L1, I can observed this hang on L1 when
      at least ~70% swap area is occupied on L0.
      
      This is due to async pf was injected to L2 which should be injected to L1,
      L2 guest starts receiving pagefault w/ bogus %cr2(apf token from the host
      actually), and L1 guest starts accumulating tasks stuck in D state in
      kvm_async_pf_task_wait() since missing PAGE_READY async_pfs.
      
      This patch fixes the hang by doing async pf when executing L1 guest.
      
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarWanpeng Li <wanpeng.li@hotmail.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      9bc1f09f
    • Guenter Roeck's avatar
      hexagon: Use raw_copy_to_user · 4d801cca
      Guenter Roeck authored
      Commit ac4691fa ("hexagon: switch to RAW_COPY_USER") replaced
      __copy_to_user_hexagon() with raw_copy_to_user(), but did not catch
      all callers, resulting in the following build error.
      
      arch/hexagon/mm/uaccess.c: In function '__clear_user_hexagon':
      arch/hexagon/mm/uaccess.c:40:3: error:
      	implicit declaration of function '__copy_to_user_hexagon'
      
      Fixes: ac4691fa ("hexagon: switch to RAW_COPY_USER")
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Acked-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Acked-by: default avatarRichard Kuo <rkuo@codeaurora.org>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      4d801cca
  4. 10 Jun, 2017 7 commits