1. 09 Apr, 2020 1 commit
    • proc: Use a dedicated lock in struct pid · 63f818f4
      Eric W. Biederman authored
      syzbot wrote:
      > ========================================================
      > WARNING: possible irq lock inversion dependency detected
      > 5.6.0-syzkaller #0 Not tainted
      > --------------------------------------------------------
      > swapper/1/0 just changed the state of lock:
      > ffffffff898090d8 (tasklist_lock){.+.?}-{2:2}, at: send_sigurg+0x9f/0x320 fs/fcntl.c:840
      > but this lock took another, SOFTIRQ-unsafe lock in the past:
      >  (&pid->wait_pidfd){+.+.}-{2:2}
      >
      >
      > and interrupts could create inverse lock ordering between them.
      >
      >
      > other info that might help us debug this:
      >  Possible interrupt unsafe locking scenario:
      >
      >        CPU0                    CPU1
      >        ----                    ----
      >   lock(&pid->wait_pidfd);
      >                                local_irq_disable();
      >                                lock(tasklist_lock);
      >                                lock(&pid->wait_pidfd);
      >   <Interrupt>
      >     lock(tasklist_lock);
      >
      >  *** DEADLOCK ***
      >
      > 4 locks held by swapper/1/0:
      
      The problem is that because wait_pidfd.lock is taken under the tasklist
      lock, it must always be taken with irqs disabled, as tasklist_lock can be
      taken from interrupt context and if wait_pidfd.lock was already taken this
      would create a lock order inversion.
      
      Oleg suggested just disabling irqs where I have added extra calls to
      wait_pidfd.lock.  That should be safe and I think the code will eventually
      do that.  It was rightly pointed out by Christian that sharing the
      wait_pidfd.lock was a premature optimization.
      
      It is also true that my pre-merge window testing was insufficient.  So
      remove the premature optimization and give struct pid a dedicated lock of
      its own for struct pid things.  I have verified that lockdep sees all 3
      paths where we take the new pid->lock and lockdep does not complain.
      
      It is my current day dream that one day pid->lock can be used to guard the
      task lists as well and then the tasklist_lock won't need to be held to
      deliver signals.  That will require taking pid->lock with irqs disabled.
      Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
      Link: https://lore.kernel.org/lkml/00000000000011d66805a25cd73f@google.com/
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Christian Brauner <christian.brauner@ubuntu.com>
      Reported-by: syzbot+343f75cdeea091340956@syzkaller.appspotmail.com
      Reported-by: syzbot+832aabf700bc3ec920b9@syzkaller.appspotmail.com
      Reported-by: syzbot+f675f964019f884dbd0f@syzkaller.appspotmail.com
      Reported-by: syzbot+a9fb1457d720a55d6dc5@syzkaller.appspotmail.com
      Fixes: 7bc3e6e5 ("proc: Use a list of inodes to flush from proc")
      Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  2. 01 Apr, 2020 1 commit
    • signal: Extend exec_id to 64bits · d1e7fd64
      Eric W. Biederman authored
      Replace the 32bit exec_id with a 64bit exec_id to make it impossible
      to wrap the exec_id counter.  With care an attacker can cause exec_id
      wrap and send arbitrary signals to a newly exec'd parent.  This
      bypasses the signal sending checks if the parent changes their
      credentials during exec.
      
      The severity of this problem can be seen in that in my limited testing
      of a 32bit exec_id it can take as little as 19s to exec 65536 times.
      Which means that it can take as little as 14 days to wrap a 32bit
      exec_id.  Adam Zabrocki has succeeded wrapping the self_exec_id in 7
      days.  Even my slower timing is in the uptime of a typical server.
      Which means self_exec_id is simply a speed bump today, and if exec
      gets noticeably faster self_exec_id won't even be a speed bump.
      
      Extending self_exec_id to 64bits introduces a problem on 32bit
      architectures where reading self_exec_id is no longer atomic and can
      take two read instructions.  Which means that it is possible to hit
      a window where the read value of exec_id does not match the written
      value.  So with very lucky timing after this change this still
      remains exploitable.
      
      I have updated the update of exec_id on exec to use WRITE_ONCE
      and the read of exec_id in do_notify_parent to use READ_ONCE
      to make it clear that there is no locking between these two
      locations.
      
      Link: https://lore.kernel.org/kernel-hardening/20200324215049.GA3710@pi3.com.pl
      Fixes: 2.3.23pre2
      Cc: stable@vger.kernel.org
      Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  3. 25 Mar, 2020 15 commits
  4. 02 Mar, 2020 1 commit
    • Proc mount option handling is broken, and it has been since I · a0d4a141
      Eric W. Biederman authored
      accidentally broke it in the middle of 2016.
      
      The problem is that because we perform an internal mount of proc
      before user space mounts proc all of the mount options that the user
      specifies when mounting proc are ignored.
      
      You can set those mount options with a remount but that is rather
      surprising.
      
      This most directly affects android which is using hidpid=2 by default.
      
      Now that the sysctl system call support has been removed, and we have
      settled on a way of flushing proc dentries when a process exits without
      using proc_mnt, there is a simple and easy fix.
      
      a) Give UML mconsole its own private mount of proc to use.
      b) Stop creating the internal mount of proc
      
      We still need Alexey Gladkov's full patch to get proc mount options to
      work inside of UML, and to be generally useful.  This set of changes
      is just enough to get them working as well as they have in the past.
      
      If anyone sees any problem with this code please let me know.
      
      Otherwise I plan to merge this set of fixes through my tree.
      
      Link: https://lore.kernel.org/lkml/87r21tuulj.fsf@x220.int.ebiederm.org/
      Link: https://lore.kernel.org/lkml/871rqk2brn.fsf_-_@x220.int.ebiederm.org/
      Link: https://lore.kernel.org/lkml/20200210150519.538333-1-gladkov.alexey@gmail.com/
      Link: https://lore.kernel.org/lkml/20180611195744.154962-1-astrachan@google.com/
      Fixes: e94591d0 ("proc: Convert proc_mount to use mount_ns.")
      
      Eric W. Biederman (4):
            uml: Don't consult current to find the proc_mnt in mconsole_proc
            uml: Create a private mount of proc for mconsole
            proc: Remove the now unnecessary internal mount of proc
            pid: Improve the comment about waiting in zap_pid_ns_processes
      
       arch/um/drivers/mconsole_kern.c | 28 +++++++++++++++++++++++++++-
       fs/proc/root.c                  | 36 ------------------------------------
       include/linux/pid_namespace.h   |  2 --
       include/linux/proc_ns.h         |  5 -----
       kernel/pid.c                    |  8 --------
       kernel/pid_namespace.c          | 38 +++++++++++++++++++-------------------
       6 files changed, 46 insertions(+), 71 deletions(-)
  5. 28 Feb, 2020 5 commits
    • pid: Improve the comment about waiting in zap_pid_ns_processes · af9fe6d6
      Eric W. Biederman authored
      Oleg wrote a very informative comment, but with the removal of
      proc_cleanup_work it is no longer accurate.
      
      Rewrite the comment so that it only talks about the details
      that are still relevant, and hopefully is a little clearer.
      Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    • proc: Remove the now unnecessary internal mount of proc · 69879c01
      Eric W. Biederman authored
      There remains no more code in the kernel using pids_ns->proc_mnt,
      therefore remove it from the kernel.
      
      The big benefit of this change is that one of the most error prone and
      tricky parts of the pid namespace implementation, maintaining kernel
      mounts of proc is removed.
      
      In addition removing the unnecessary complexity of the kernel mount
      fixes a regression that caused the proc mount options to be ignored.
      Now that the initial mount of proc comes from userspace, those mount
      options are again honored.  This fixes Android's usage of the proc
      hidepid option.
      Reported-by: Alistair Strachan <astrachan@google.com>
      Fixes: e94591d0 ("proc: Convert proc_mount to use mount_ns.")
      Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    • uml: Create a private mount of proc for mconsole · 76313c70
      Eric W. Biederman authored
      The mconsole code only ever accesses proc for the initial pid
      namespace.  Instead of depending upon the proc_mnt which is
      for proc_flush_task have uml create its own mount of proc
      instead.
      
      This allows proc_flush_task to evolve and remove the
      need for having a proc_mnt to do its job.
      
      Cc: Jeff Dike <jdike@addtoit.com>
      Cc: Richard Weinberger <richard@nod.at>
      Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
      Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
    • uml: Don't consult current to find the proc_mnt in mconsole_proc · af1abab9
      Eric W. Biederman authored
      Inspection of the control flow reveals that mconsole_proc is either
      called from mconsole_stop called from mc_work_proc or from
      mc_work_proc directly.  The function mc_work_proc is dispatched to a
      kernel thread with schedule_work.
      
      All of the threads that run dispatched by schedule_work are in the
      init pid namespace.
      
      So make the code clearer by using init_pid_ns instead of
      task_active_pid_ns(current).
      
      Cc: Jeff Dike <jdike@addtoit.com>
      Cc: Richard Weinberger <richard@nod.at>
      Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
      Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    • proc: Dentry flushing without proc_mnt · a13ae697
      Eric W. Biederman authored
      Cleanly handling proc mount options requires the internal mount of
      proc to be removed (so mount options are not ignored), and quite
      possibly multiple proc superblocks per pid namespace (so a
      second mount of proc does not silently get the mount options of the
      first mount of proc).  In either case being able to flush proc
      dentries on process exit needs to be made to work without going
      through proc_mnt.  After several discussions this is the set
      of changes that work and no one objects to.
      
      ---
      
      I have addressed all of the review comments as I understand them,
      and fixed the small oversight the kernel test robot was able to
      find. (I had failed to initialize the new field pid->inodes).
      
      I did not hear any concerns from the 10,000 foot level last time
      so I am assuming this set of changes (barring bugs) is good to go.
      
      Unless some new issues appear my plan is to put this in my tree
      and get this into linux-next.  Which will give Alexey something
      to build his changes on.
      
      I tested this set of changes by running:
       (while ls -1 -f /proc > /dev/null ; do :; done ) &
      And monitoring the amount of free memory.
      
      With the flushing disabled I saw the used memory in the system grow by
      20M before the shrinker would bring it back down to where it started.
      With the patch applied I saw the memory usage stay essentially fixed.
      
      So flushing definitely keeps things working better.
      
      Eric W. Biederman (6):
            proc: Rename in proc_inode rename sysctl_inodes sibling_inodes
            proc: Generalize proc_sys_prune_dcache into proc_prune_siblings_dcache
            proc: In proc_prune_siblings_dcache cache an aquired super block
            proc: Use d_invalidate in proc_prune_siblings_dcache
            proc: Clear the pieces of proc_inode that proc_evict_inode cares about
            proc: Use a list of inodes to flush from proc
      
       fs/proc/base.c          | 111 ++++++++++++++++--------------------------------
       fs/proc/inode.c         |  73 ++++++++++++++++++++++++++++---
       fs/proc/internal.h      |   4 +-
       fs/proc/proc_sysctl.c   |  45 +++-----------------
       include/linux/pid.h     |   1 +
       include/linux/proc_fs.h |   4 +-
       kernel/exit.c           |   4 +-
       kernel/pid.c            |   1 +
       8 files changed, 120 insertions(+), 123 deletions(-)
      
      Link: https://lore.kernel.org/lkml/871rqk2brn.fsf_-_@x220.int.ebiederm.org/
      Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
      
      Merge branch 'proc-dentry-flushing-without-proc-mnt-v2' into HEAD
  6. 24 Feb, 2020 3 commits
    • proc: Use a list of inodes to flush from proc · 7bc3e6e5
      Eric W. Biederman authored
      Rework the flushing of proc to use a list of directory inodes that
      need to be flushed.
      
      The list is kept on struct pid not on struct task_struct, as there is
      a fixed connection between proc inodes and pids but at least for the
      case of de_thread the pid of a task_struct changes.
      
      This removes the dependency on proc_mnt which allows for different
      mounts of proc having different mount options even in the same pid
      namespace and this allows for the removal of proc_mnt which will
      trivially the first mount of proc to honor its mount options.
      
      This flushing remains an optimization.  The functions
      pid_delete_dentry and pid_revalidate ensure that ordinary dcache
      management will not attempt to use dentries past the point their
      respective task has died.  When unused the shrinker will
      eventually be able to remove these dentries.
      
      There is a case in de_thread where proc_flush_pid can be
      called early for a given pid.  Which winds up being
      safe (if suboptimal) as this is just an optimization.
      
      Only pid directories are put on the list as the other
      per pid files are children of those directories and
      d_invalidate on the directory will get them as well.
      
      So that the pid can be used during flushing its reference count is
      taken in release_task and dropped in proc_flush_pid.  Further the call
      of proc_flush_pid is moved after the tasklist_lock is released in
      release_task so that it is certain that the pid has already been
      unhashed when flushing is taking place.  This removes a small race
      where a dentry could be recreated.
      
      As struct pid is supposed to be small and I need a per pid lock
      I reuse the only lock that currently exists in struct pid the
      wait_pidfd.lock.
      
      The net result is that this adds all of this functionality
      with just a little extra list management overhead and
      a single extra pointer in struct pid.
      
      v2: Initialize pid->inodes.  I somehow failed to get that
          initialization into the initial version of the patch.  A boot
          failure was reported by "kernel test robot <lkp@intel.com>", and
          failure to initialize that pid->inodes matches all of the reported
          symptoms.
      Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
    • proc: Clear the pieces of proc_inode that proc_evict_inode cares about · 71448011
      Eric W. Biederman authored
      This just keeps everything tidier, and allows for using flags like
      SLAB_TYPESAFE_BY_RCU where slabs are not always cleared before reuse.
      I don't see reuse without reinitializing happening with the proc_inode
      but I had a false alarm while reworking flushing of proc dentries and
      inodes when a process dies that caused me to tidy this up.
      
      The code is a little easier to follow and reason about this
      way so I figured the changes might as well be kept.
      Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    • proc: Use d_invalidate in proc_prune_siblings_dcache · f90f3caf
      Eric W. Biederman authored
      The function d_prune_aliases has the problem that it will only prune
      aliases that are completely unused.  It will not remove aliases for
      the dcache or even think of removing mounts from the dcache.  For that
      behavior d_invalidate is needed.
      
      To use d_invalidate replace d_prune_aliases with d_find_alias followed
      by d_invalidate and dput.
      
      For completeness the directory and the non-directory cases are
      separated because in theory (although not currently in practice for
      proc) directories can only ever have a single dentry while
      non-directories can have hardlinks and thus multiple dentries.
      As part of this separation use d_find_any_alias for directories
      to spare d_find_alias the extra work of doing that.
      
      Plus the differences between d_find_any_alias and d_find_alias makes
      it clear why the directory and non-directory code and not share code.
      
      To make it clear these routines now invalidate dentries rename
      proc_prune_siblings_dcache to proc_invalidate_siblings_dcache, and rename
      proc_sys_prune_dcache to proc_sys_invalidate_dcache.
      
      V2: Split the directory and non-directory cases.  To make this
          code robust to future changes in proc.
      Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  7. 21 Feb, 2020 1 commit
  8. 20 Feb, 2020 2 commits
  9. 16 Feb, 2020 10 commits
    • Linux 5.6-rc2 · 11a48a5a
      Linus Torvalds authored
    • Merge tag 'for-linus-5.6-1' of https://github.com/cminyard/linux-ipmi · ab02b61f
      Linus Torvalds authored
      Pull IPMI update from Corey Minyard:
       "Minor bug fixes for IPMI
      
        I know this is late; I've been travelling and, well, I've been
        distracted.
      
        This is just a few bug fixes and adding i2c support to the IPMB
        driver, which is something I wanted from the beginning for it"
      
      * tag 'for-linus-5.6-1' of https://github.com/cminyard/linux-ipmi:
        drivers: ipmi: fix off-by-one bounds check that leads to a out-of-bounds write
        ipmi:ssif: Handle a possible NULL pointer reference
        drivers: ipmi: Modify max length of IPMB packet
        drivers: ipmi: Support raw i2c packet in IPMB
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 44024adb
      Linus Torvalds authored
      Pull KVM fixes from Paolo Bonzini:
       "Bugfixes and improvements to selftests.
      
        On top of this, Mauro converted the KVM documentation to rst format,
        which was very welcome"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (44 commits)
        docs: virt: guest-halt-polling.txt convert to ReST
        docs: kvm: review-checklist.txt: rename to ReST
        docs: kvm: Convert timekeeping.txt to ReST format
        docs: kvm: Convert s390-diag.txt to ReST format
        docs: kvm: Convert ppc-pv.txt to ReST format
        docs: kvm: Convert nested-vmx.txt to ReST format
        docs: kvm: Convert mmu.txt to ReST format
        docs: kvm: Convert locking.txt to ReST format
        docs: kvm: Convert hypercalls.txt to ReST format
        docs: kvm: arm/psci.txt: convert to ReST
        docs: kvm: convert arm/hyp-abi.txt to ReST
        docs: kvm: Convert api.txt to ReST format
        docs: kvm: convert devices/xive.txt to ReST
        docs: kvm: convert devices/xics.txt to ReST
        docs: kvm: convert devices/vm.txt to ReST
        docs: kvm: convert devices/vfio.txt to ReST
        docs: kvm: convert devices/vcpu.txt to ReST
        docs: kvm: convert devices/s390_flic.txt to ReST
        docs: kvm: convert devices/mpic.txt to ReST
        docs: kvm: convert devices/arm-vgit.txt to ReST
        ...
    • Merge tag 'edac_urgent_for_5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras · b982df72
      Linus Torvalds authored
      Pull EDAC fixes from Borislav Petkov:
       "Two fixes for use-after-free and memory leaking in the EDAC core, by
        Robert Richter.
      
        Debug options like DEBUG_TEST_DRIVER_REMOVE, KASAN and DEBUG_KMEMLEAK
        unearthed issues with the lifespan of memory allocated by the EDAC
        memory controller descriptor due to misdesigned memory freeing, done
        partially by the EDAC core *and* the driver core, which is problematic
        to say the least.
      
        These two are minimal fixes to take care of stable - a proper rework
        is following which cleans up that mess properly"
      
      * tag 'edac_urgent_for_5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras:
        EDAC/sysfs: Remove csrow objects on errors
        EDAC/mc: Fix use-after-free and memleaks during device removal
    • Merge tag 'block-5.6-2020-02-16' of git://git.kernel.dk/linux-block · e29c6a13
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "Not a lot here, which is great, basically just three small bcache
        fixes from Coly, and four NVMe fixes via Keith"
      
      * tag 'block-5.6-2020-02-16' of git://git.kernel.dk/linux-block:
        nvme: fix the parameter order for nvme_get_log in nvme_get_fw_slot_info
        nvme/pci: move cqe check after device shutdown
        nvme: prevent warning triggered by nvme_stop_keep_alive
        nvme/tcp: fix bug on double requeue when send fails
        bcache: remove macro nr_to_fifo_front()
        bcache: Revert "bcache: shrink btree node cache after bch_btree_check()"
        bcache: ignore pending signals when creating gc and allocator thread
    • Merge tag 'for-5.6-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 713db356
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "Two races fixed, memory leak fix, sysfs directory fixup and two new
        log messages:
      
         - two fixed race conditions: extent map merging and truncate vs
           fiemap
      
         - create the right sysfs directory with device information and move
           the individual device dirs under it
      
         - print messages when the tree-log is replayed at mount time or
           cannot be replayed on remount"
      
      * tag 'for-5.6-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: sysfs, move device id directories to UUID/devinfo
        btrfs: sysfs, add UUID/devinfo kobject
        Btrfs: fix race between shrinking truncate and fiemap
        btrfs: log message when rw remount is attempted with unclean tree-log
        btrfs: print message when tree-log replay starts
        Btrfs: fix race between using extent maps and merging them
        btrfs: ref-verify: fix memory leaks
    • Merge tag '5.6-rc1-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6 · 288b27a0
      Linus Torvalds authored
      Pull cifs fixes from Steve French:
       "Four small CIFS/SMB3 fixes. One (the EA overflow fix) for stable"
      
      * tag '5.6-rc1-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: make sure we do not overflow the max EA buffer size
        cifs: enable change notification for SMB2.1 dialect
        cifs: Fix mode output in debugging statements
        cifs: fix mount option display for sec=krb5i
    • Merge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 · 8a8b8096
      Linus Torvalds authored
      Pull ext4 fixes from Ted Ts'o:
       "Miscellaneous ext4 bug fixes (all stable fodder)"
      
      * tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
        ext4: improve explanation of a mount failure caused by a misconfigured kernel
        jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer
        jbd2: move the clearing of b_modified flag to the journal_unmap_buffer()
        ext4: add cond_resched() to ext4_protect_reserved_inode
        ext4: fix checksum errors with indexed dirs
        ext4: fix support for inode sizes > 1024 bytes
        ext4: simplify checking quota limits in ext4_statfs()
        ext4: don't assume that mmp_nodename/bdevname have NUL
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · db70e26e
      Linus Torvalds authored
      Pull input updates from Dmitry Torokhov:
      
       - a few drivers have been updated to use flexible-array syntax instead
         of GCC extension
      
       - ili210x touchscreen driver now supports the 2120 protocol flavor
      
       - a couple more of Synaptics devices have been switched over to RMI4
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: cyapa - replace zero-length array with flexible-array member
        Input: tca6416-keypad - replace zero-length array with flexible-array member
        Input: gpio_keys_polled - replace zero-length array with flexible-array member
        Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list
        Input: synaptics - enable SMBus on ThinkPad L470
        Input: synaptics - switch T470s to RMI4 by default
        Input: gpio_keys - replace zero-length array with flexible-array member
        Input: goldfish_events - replace zero-length array with flexible-array member
        Input: psmouse - switch to using i2c_new_scanned_device()
        Input: ili210x - add ili2120 support
        Input: ili210x - fix return value of is_visible function
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · 54654e14
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "Not too much going on here, though there are about four fixes related
        to stuff merged during the last merge window.
      
        We also see the return of a syzkaller instance with access to RDMA
        devices, and a few bugs detected by that squished.
      
         - Fix three crashers and a memory leak for HFI1
      
         - Several bugs found by syzkaller
      
         - A bug fix for the recent QP counters feature on older mlx5 HW
      
         - Locking inversion in cxgb4
      
         - Unnecessary WARN_ON in siw
      
         - A umad crasher regression during unload, from a bug fix for
           something else
      
         - Bugs introduced in the merge window:
             - Missed list_del in uverbs file rework, core and mlx5 devx
             - Unexpected integer math truncation in the mlx5 VAR patches
             - Compilation bug fix for the VAR patches on 32 bit"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        IB/mlx5: Use div64_u64 for num_var_hw_entries calculation
        RDMA/core: Fix protection fault in get_pkey_idx_qp_list
        RDMA/rxe: Fix soft lockup problem due to using tasklets in softirq
        RDMA/mlx5: Prevent overflow in mmap offset calculations
        IB/umad: Fix kernel crash while unloading ib_umad
        RDMA/mlx5: Fix async events cleanup flows
        RDMA/core: Add missing list deletion on freeing event queue
        RDMA/siw: Remove unwanted WARN_ON in siw_cm_llp_data_ready()
        RDMA/iw_cxgb4: initiate CLOSE when entering TERM
        IB/mlx5: Return failure when rts2rts_qp_counters_set_id is not supported
        RDMA/core: Fix invalid memory access in spec_filter_size
        IB/rdmavt: Reset all QPs when the device is shut down
        IB/hfi1: Close window for pq and request coliding
        IB/hfi1: Acquire lock to release TID entries when user file is closed
        RDMA/hfi1: Fix memory leak in _dev_comp_vect_mappings_create
  10. 15 Feb, 2020 1 commit
    • Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · b719ae07
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
       "A handful of fixes that have come in since the merge window:
      
         - Fix of PCI interrupt map on arm64 fast model (SW emulator)
      
         - Fixlet for sound on ST platforms and a small cleanup of deprecated
           DT properties
      
         - A stack buffer overflow fix for moxtet
      
         - Fuse driver build fix for Tegra194
      
         - A few config updates to turn on new drivers merged this cycle"
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
        bus: moxtet: fix potential stack buffer overflow
        soc/tegra: fuse: Fix build with Tegra194 configuration
        ARM: dts: sti: fixup sound frame-inversion for stihxxx-b2120.dtsi
        ARM: dts: sti: Remove deprecated snps PHY properties for stih410-b2260
        arm64: defconfig: Enable DRM_SUN6I_DSI
        arm64: defconfig: Enable CONFIG_SUN8I_THERMAL
        ARM: sunxi: Enable CONFIG_SUN8I_THERMAL
        arm64: defconfig: Set bcm2835-dma as built-in
        ARM: configs: Cleanup old Kconfig options
        ARM: npcm: Bring back GPIOLIB support
        arm64: dts: fast models: Fix FVP PCI interrupt-map property