1. 02 Jun, 2017 8 commits
  2. 01 Jun, 2017 14 commits
    • Linus Torvalds's avatar
      Merge tag 'nfsd-4.12-1' of git://linux-nfs.org/~bfields/linux · 3b1e342b
      Linus Torvalds authored
      Pull nfsd fixes from Bruce Fields:
       "Revert patch accidentally included in the merge window pull request,
        and fix a crash that was likely a result of buggy client behavior"
      
      * tag 'nfsd-4.12-1' of git://linux-nfs.org/~bfields/linux:
        nfsd4: fix null dereference on replay
        nfsd: Revert "nfsd: check for oversized NFSv2/v3 arguments"
      3b1e342b
    • Linus Torvalds's avatar
      Merge tag 'gcc-plugins-v4.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · 2f48641c
      Linus Torvalds authored
      Pull gcc-plugin prepwork from Kees Cook:
       "Use designated initializers for mtk-vcodec, powerplay, amdgpu, and
        sgi-xp. Use ERR_CAST() to avoid cross-structure cast in ocf2, ntfs,
        and NFS.
      
        Christoph Hellwig recommended that I send these fixes now, rather than
        waiting for the v4.13 merge window. These are all initializer and cast
        fixes needed for the future randstruct plugin that haven't been picked
        up by the respective maintainers"
      
      * tag 'gcc-plugins-v4.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        mtk-vcodec: Use designated initializers
        drm/amd/powerplay: Use designated initializers
        drm/amdgpu: Use designated initializers
        sgi-xp: Use designated initializers
        ocfs2: Use ERR_CAST() to avoid cross-structure cast
        ntfs: Use ERR_CAST() to avoid cross-structure cast
        NFS: Use ERR_CAST() to avoid cross-structure cast
      2f48641c
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 9ea15a59
      Linus Torvalds authored
      Pull KVM fixes from Paolo Bonzini:
       "Many small x86 bug fixes: SVM segment registers access rights, nested
        VMX, preempt notifiers, LAPIC virtual wire mode, NMI injection"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: x86: Fix nmi injection failure when vcpu got blocked
        KVM: SVM: do not zero out segment attributes if segment is unusable or not present
        KVM: SVM: ignore type when setting segment registers
        KVM: nVMX: fix nested_vmx_check_vmptr failure paths under debugging
        KVM: x86: Fix virtual wire mode
        KVM: nVMX: Fix handling of lmsw instruction
        KVM: X86: Fix preempt the preemption timer cancel
      9ea15a59
    • Linus Torvalds's avatar
      Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs · 0bb23039
      Linus Torvalds authored
      Pull Reiserfs and GFS2 fixes from Jan Kara:
       "Fixes to GFS2 & Reiserfs for the fallout of the recent WRITE_FUA
        cleanup from Christoph.
      
        Fixes for other filesystems were already merged by respective
        maintainers."
      
      * 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
        reiserfs: Make flush bios explicitely sync
        gfs2: Make flush bios explicitely sync
      0bb23039
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending · 393bcfae
      Linus Torvalds authored
      Pull SCSI target fixes from Nicholas Bellinger:
       "Here are the target-pending fixes for v4.12-rc4:
      
         - ibmviscsis ABORT_TASK handling fixes that missed the v4.12 merge
           window. (Bryant Ly and Michael Cyr)
      
         - Re-add a target-core check enforcing WRITE overflow reject that was
           relaxed in v4.3, to avoid unsupported iscsi-target immediate data
           overflow. (nab)
      
         - Fix a target-core-user OOPs during device removal. (MNC + Bryant
           Ly)
      
         - Fix a long standing iscsi-target potential issue where kthread exit
           did not wait for kthread_should_stop(). (Jiang Yi)
      
         - Fix a iscsi-target v3.12.y regression OOPs involving initial login
           PDU processing during asynchronous TCP connection close. (MNC +
           nab)
      
        This is a little larger than usual for an -rc4, primarily due to the
        iscsi-target v3.12.y regression OOPs bug-fix.
      
        However, it's an important patch as MNC + Hannes where both able to
        trigger it using a reduced iscsi initiator login timeout combined with
        a backend taking a long time to complete I/Os during iscsi login
        driven session reinstatement"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
        iscsi-target: Always wait for kthread_should_stop() before kthread exit
        iscsi-target: Fix initial login PDU asynchronous socket close OOPs
        tcmu: fix crash during device removal
        target: Re-add check to reject control WRITEs with overflow data
        ibmvscsis: Fix the incorrect req_lim_delta
        ibmvscsis: Clear left-over abort_cmd pointers
      393bcfae
    • Ingo Molnar's avatar
      Revert "x86/PAT: Fix Xorg regression on CPUs that don't support PAT" · c08d5174
      Ingo Molnar authored
      This reverts commit cbed27cd.
      
      As Andy Lutomirski observed:
      
       "I think this patch is bogus. pat_enabled() sure looks like it's
        supposed to return true if PAT is *enabled*, and these days PAT is
        'enabled' even if there's no HW PAT support."
      Reported-by: default avatarBernhard Held <berny156@gmx.de>
      Reported-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Acked-by: default avatarAndy Lutomirski <luto@kernel.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Luis R. Rodriguez <mcgrof@suse.com>
      Cc: Mikulas Patocka <mpatocka@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Toshi Kani <toshi.kani@hp.com>
      Cc: stable@vger.kernel.org # v4.2+
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      c08d5174
    • ZhuangYanying's avatar
      KVM: x86: Fix nmi injection failure when vcpu got blocked · 47a66eed
      ZhuangYanying authored
      When spin_lock_irqsave() deadlock occurs inside the guest, vcpu threads,
      other than the lock-holding one, would enter into S state because of
      pvspinlock. Then inject NMI via libvirt API "inject-nmi", the NMI could
      not be injected into vm.
      
      The reason is:
      1 It sets nmi_queued to 1 when calling ioctl KVM_NMI in qemu, and sets
      cpu->kvm_vcpu_dirty to true in do_inject_external_nmi() meanwhile.
      2 It sets nmi_queued to 0 in process_nmi(), before entering guest, because
      cpu->kvm_vcpu_dirty is true.
      
      It's not enough just to check nmi_queued to decide whether to stay in
      vcpu_block() or not. NMI should be injected immediately at any situation.
      Add checking nmi_pending, and testing KVM_REQ_NMI replaces nmi_queued
      in vm_vcpu_has_events().
      
      Do the same change for SMIs.
      Signed-off-by: default avatarZhuang Yanying <ann.zhuangyanying@huawei.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      47a66eed
    • Roman Pen's avatar
      KVM: SVM: do not zero out segment attributes if segment is unusable or not present · d9c1b543
      Roman Pen authored
      This is a fix for the problem [1], where VMCB.CPL was set to 0 and interrupt
      was taken on userspace stack.  The root cause lies in the specific AMD CPU
      behaviour which manifests itself as unusable segment attributes on SYSRET.
      The corresponding work around for the kernel is the following:
      
      61f01dd9 ("x86_64, asm: Work around AMD SYSRET SS descriptor attribute issue")
      
      In other turn virtualization side treated unusable segment incorrectly and
      restored CPL from SS attributes, which were zeroed out few lines above.
      
      In current patch it is assured only that P bit is cleared in VMCB.save state
      and segment attributes are not zeroed out if segment is not presented or is
      unusable, therefore CPL can be safely restored from DPL field.
      
      This is only one part of the fix, since QEMU side should be fixed accordingly
      not to zero out attributes on its side.  Corresponding patch will follow.
      
      [1] Message id: CAJrWOzD6Xq==b-zYCDdFLgSRMPM-NkNuTSDFEtX=7MreT45i7Q@mail.gmail.com
      Signed-off-by: default avatarRoman Pen <roman.penyaev@profitbricks.com>
      Signed-off-by: default avatarMikhail Sennikovskii <mikhail.sennikovskii@profitbricks.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim KrÄmáŠ<rkrcmar@redhat.com>
      Cc: kvm@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      d9c1b543
    • Takashi Iwai's avatar
      ALSA: hda - Fix applying MSI dual-codec mobo quirk · d2c3b14e
      Takashi Iwai authored
      The previous commit [63691587: ALSA: hda - Apply dual-codec quirk
      for MSI Z270-Gaming mobo] attempted to apply the existing dual-codec
      quirk for a MSI mobo.  But it turned out that this isn't applied
      properly due to the MSI-vendor quirk before this entry.  I overlooked
      such two MSI entries just because they were put in the wrong position,
      although we have a list ordered by PCI SSID numbers.
      
      This patch fixes it by rearranging the unordered entries.
      
      Fixes: 63691587 ("ALSA: hda - Apply dual-codec quirk for MSI Z270-Gaming mobo")
      Reported-by: default avatarRudolf Schmidt <info@rudolfschmidt.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      d2c3b14e
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-for-v4.12-rc4' of git://people.freedesktop.org/~airlied/linux · a3748463
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "This is the main set of fixes for rc4, one amdgpu fix, some exynos
        regression fixes, some msm fixes and some i915 and GVT fixes.
      
        I've got a second regression fix for some DP chips that might be a
        bit large, but I think we'd like to land it now, I'll send it along
        tomorrow, once you are happy with this set"
      
      * tag 'drm-fixes-for-v4.12-rc4' of git://people.freedesktop.org/~airlied/linux: (24 commits)
        drm/amdgpu: Program ring for vce instance 1 at its register space
        drm/exynos: clean up description of exynos_drm_crtc
        drm/exynos: dsi: Remove bridge node reference in removal
        drm/exynos: dsi: Fix the parse_dt function
        drm/exynos: Merge pre/postclose hooks
        drm/msm: Fix the check for the command size
        drm/msm: Take the mutex before calling msm_gem_new_impl
        drm/msm: for array in-fences, check if all backing fences are from our own context before waiting
        drm/msm: constify irq_domain_ops
        drm/msm/mdp5: release hwpipe(s) for unused planes
        drm/msm: Reuse dma_fence_release.
        drm/msm: Expose our reservation object when exporting a dmabuf.
        drm/msm/gpu: check legacy clk names in get_clocks()
        drm/msm/mdp5: use __drm_atomic_helper_plane_duplicate_state()
        drm/msm: select PM_OPP
        drm/i915: Stop pretending to mask/unmask LPE audio interrupts
        drm/i915/selftests: Silence compiler warning in igt_ctx_exec
        Revert "drm/i915: Restore lost "Initialized i915" welcome message"
        drm/i915/gvt: clean up unsubmited workloads before destroying kmem cache
        drm/i915/gvt: Disable compression workaround for Gen9
        ...
      a3748463
    • Dave Airlie's avatar
      Merge tag 'exynos-drm-fixes-for-v4.12' of... · 400129f0
      Dave Airlie authored
      Merge tag 'exynos-drm-fixes-for-v4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos into drm-fixes
      
      - Fix a regression to description of exynos_drm_crtc
      - Remove preclose hook of Exynos
        . This was a exynos change of the patch series[1] merged already.
      - Fix one dt broken issue
      - Make sure to release bridge_node of Exynos MIPI-DSI driver.
      
      [1] https://lists.freedesktop.org/archives/dri-devel/2017-March/135111.html
      
      * tag 'exynos-drm-fixes-for-v4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos:
        drm/exynos: clean up description of exynos_drm_crtc
        drm/exynos: dsi: Remove bridge node reference in removal
        drm/exynos: dsi: Fix the parse_dt function
        drm/exynos: Merge pre/postclose hooks
      400129f0
    • Dave Airlie's avatar
      Merge branch 'drm-fixes-4.12' of git://people.freedesktop.org/~agd5f/linux into drm-fixes · 8ef6fcc8
      Dave Airlie authored
      * 'drm-fixes-4.12' of git://people.freedesktop.org/~agd5f/linux:
        drm/amdgpu: Program ring for vce instance 1 at its register space
      8ef6fcc8
    • Dave Airlie's avatar
      Merge branch 'msm-fixes-4.12-rc4' of git://people.freedesktop.org/~robclark/linux into drm-fixes · 58b58f6e
      Dave Airlie authored
      a few fixes for 4.12..
      
      * 'msm-fixes-4.12-rc4' of git://people.freedesktop.org/~robclark/linux:
        drm/msm: Fix the check for the command size
        drm/msm: Take the mutex before calling msm_gem_new_impl
        drm/msm: for array in-fences, check if all backing fences are from our own context before waiting
        drm/msm: constify irq_domain_ops
        drm/msm/mdp5: release hwpipe(s) for unused planes
        drm/msm: Reuse dma_fence_release.
        drm/msm: Expose our reservation object when exporting a dmabuf.
        drm/msm/gpu: check legacy clk names in get_clocks()
        drm/msm/mdp5: use __drm_atomic_helper_plane_duplicate_state()
        drm/msm: select PM_OPP
      58b58f6e
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2017-05-29' of... · 25f480e8
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2017-05-29' of git://anongit.freedesktop.org/git/drm-intel into drm-fixes
      
      drm/i915 fixes for v4.12-rc4
      
      * tag 'drm-intel-fixes-2017-05-29' of git://anongit.freedesktop.org/git/drm-intel:
        drm/i915: Stop pretending to mask/unmask LPE audio interrupts
        drm/i915/selftests: Silence compiler warning in igt_ctx_exec
        Revert "drm/i915: Restore lost "Initialized i915" welcome message"
        drm/i915/gvt: clean up unsubmited workloads before destroying kmem cache
        drm/i915/gvt: Disable compression workaround for Gen9
        drm/i915: set initialised only when init_context callback is NULL
        drm/i915: Fix new -Wint-in-bool-context gcc compiler warning
        drm/i915: use vma->size for appgtt allocate_va_range
        drm/i915: Do not sync RCU during shrinking
      25f480e8
  3. 31 May, 2017 7 commits
    • Jiang Yi's avatar
      iscsi-target: Always wait for kthread_should_stop() before kthread exit · 5e0cf5e6
      Jiang Yi authored
      There are three timing problems in the kthread usages of iscsi_target_mod:
      
       - np_thread of struct iscsi_np
       - rx_thread and tx_thread of struct iscsi_conn
      
      In iscsit_close_connection(), it calls
      
       send_sig(SIGINT, conn->tx_thread, 1);
       kthread_stop(conn->tx_thread);
      
      In conn->tx_thread, which is iscsi_target_tx_thread(), when it receive
      SIGINT the kthread will exit without checking the return value of
      kthread_should_stop().
      
      So if iscsi_target_tx_thread() exit right between send_sig(SIGINT...)
      and kthread_stop(...), the kthread_stop() will try to stop an already
      stopped kthread.
      
      This is invalid according to the documentation of kthread_stop().
      
      (Fix -ECONNRESET logout handling in iscsi_target_tx_thread and
       early iscsi_target_rx_thread failure case - nab)
      Signed-off-by: default avatarJiang Yi <jiangyilism@gmail.com>
      Cc: <stable@vger.kernel.org> # v3.12+
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      5e0cf5e6
    • Nicholas Bellinger's avatar
      iscsi-target: Fix initial login PDU asynchronous socket close OOPs · 25cdda95
      Nicholas Bellinger authored
      This patch fixes a OOPs originally introduced by:
      
         commit bb048357
         Author: Nicholas Bellinger <nab@linux-iscsi.org>
         Date:   Thu Sep 5 14:54:04 2013 -0700
      
         iscsi-target: Add sk->sk_state_change to cleanup after TCP failure
      
      which would trigger a NULL pointer dereference when a TCP connection
      was closed asynchronously via iscsi_target_sk_state_change(), but only
      when the initial PDU processing in iscsi_target_do_login() from iscsi_np
      process context was blocked waiting for backend I/O to complete.
      
      To address this issue, this patch makes the following changes.
      
      First, it introduces some common helper functions used for checking
      socket closing state, checking login_flags, and atomically checking
      socket closing state + setting login_flags.
      
      Second, it introduces a LOGIN_FLAGS_INITIAL_PDU bit to know when a TCP
      connection has dropped via iscsi_target_sk_state_change(), but the
      initial PDU processing within iscsi_target_do_login() in iscsi_np
      context is still running.  For this case, it sets LOGIN_FLAGS_CLOSED,
      but doesn't invoke schedule_delayed_work().
      
      The original NULL pointer dereference case reported by MNC is now handled
      by iscsi_target_do_login() doing a iscsi_target_sk_check_close() before
      transitioning to FFP to determine when the socket has already closed,
      or iscsi_target_start_negotiation() if the login needs to exchange
      more PDUs (eg: iscsi_target_do_login returned 0) but the socket has
      closed.  For both of these cases, the cleanup up of remaining connection
      resources will occur in iscsi_target_start_negotiation() from iscsi_np
      process context once the failure is detected.
      
      Finally, to handle to case where iscsi_target_sk_state_change() is
      called after the initial PDU procesing is complete, it now invokes
      conn->login_work -> iscsi_target_do_login_rx() to perform cleanup once
      existing iscsi_target_sk_check_close() checks detect connection failure.
      For this case, the cleanup of remaining connection resources will occur
      in iscsi_target_do_login_rx() from delayed workqueue process context
      once the failure is detected.
      Reported-by: default avatarMike Christie <mchristi@redhat.com>
      Reviewed-by: default avatarMike Christie <mchristi@redhat.com>
      Tested-by: default avatarMike Christie <mchristi@redhat.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Reported-by: default avatarHannes Reinecke <hare@suse.com>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: Sagi Grimberg <sagi@grimberg.me>
      Cc: Varun Prakash <varun@chelsio.com>
      Cc: <stable@vger.kernel.org> # v3.12+
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      25cdda95
    • Leo Liu's avatar
      drm/amdgpu: Program ring for vce instance 1 at its register space · 45cc6586
      Leo Liu authored
      We need program ring buffer on instance 1 register space domain,
      when only if instance 1 available, with two instances or instance 0,
      and we need only program instance 0 regsiter space domain for ring.
      Signed-off-by: default avatarLeo Liu <leo.liu@amd.com>
      Reviewed-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      45cc6586
    • Linus Torvalds's avatar
      Merge branch 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs · d602fb68
      Linus Torvalds authored
      Pull overlayfs fixes from Miklos Szeredi:
       "Fix regressions:
      
         - missing CONFIG_EXPORTFS dependency
      
         - failure if upper fs doesn't support xattr
      
         - bad error cleanup
      
        This also adds the concept of "impure" directories complementing the
        "origin" marking introduced in -rc1. Together they enable getting
        consistent st_ino and d_ino for directory listings.
      
        And there's a bug fix and a cleanup as well"
      
      * 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
        ovl: filter trusted xattr for non-admin
        ovl: mark upper merge dir with type origin entries "impure"
        ovl: mark upper dir with type origin entries "impure"
        ovl: remove unused arg from ovl_lookup_temp()
        ovl: handle rename when upper doesn't support xattr
        ovl: don't fail copy-up if upper doesn't support xattr
        ovl: check on mount time if upper fs supports setting xattr
        ovl: fix creds leak in copy up error path
        ovl: select EXPORTFS
      d602fb68
    • Takashi Iwai's avatar
      ALSA: usb: Avoid VLA in mixer_us16x08.c · e49a14fa
      Takashi Iwai authored
      This is another attempt to work around the VLA used in
      mixer_us16x08.c.  Basically the temporary array is used individually
      for two cases, and we can declare locally in each block, instead of
      hackish max() usage.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      e49a14fa
    • Takashi Iwai's avatar
      ALSA: usb: Fix a typo in Tascam US-16x08 mixer element · 617163fc
      Takashi Iwai authored
      A mixer element created in a quirk for Tascam US-16x08 contains a
      typo: it should be "EQ MidLow Q" instead of "EQ MidQLow Q".
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195875
      Fixes: d2bb390a ("ALSA: usb-audio: Tascam US-16x08 DSP mixer quirk")
      Cc: <stable@vger.kernel.org> # v4.11+
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      617163fc
    • Takashi Iwai's avatar
      Revert "ALSA: usb-audio: purge needless variable length array" · 64188cfb
      Takashi Iwai authored
      This reverts commit 89b593c3 ("ALSA: usb-audio: purge needless
      variable length array").  The patch turned out to cause a severe
      regression, triggering an Oops at snd_usb_ctl_msg().  It was overseen
      that snd_usb_ctl_msg() writes back the response to the given buffer,
      while the patch changed it to a read-only const buffer.  (One should
      always double-check when an extra pointer cast is present...)
      
      As a simple fix, just revert the affected commit.  It was merely a
      cleanup.  Although it brings VLA again, it's clearer as a fix.  We'll
      address the VLA later in another patch.
      
      Fixes: 89b593c3 ("ALSA: usb-audio: purge needless variable length array")
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195875
      Cc: <stable@vger.kernel.org> # v4.11+
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      64188cfb
  4. 30 May, 2017 4 commits
    • Linus Torvalds's avatar
      "Yes, people use FOLL_FORCE ;)" · f511c0b1
      Linus Torvalds authored
      This effectively reverts commit 8ee74a91 ("proc: try to remove use
      of FOLL_FORCE entirely")
      
      It turns out that people do depend on FOLL_FORCE for the /proc/<pid>/mem
      case, and we're talking not just debuggers. Talking to the affected people, the use-cases are:
      
      Keno Fischer:
       "We used these semantics as a hardening mechanism in the julia JIT. By
        opening /proc/self/mem and using these semantics, we could avoid
        needing RWX pages, or a dual mapping approach. We do have fallbacks to
        these other methods (though getting EIO here actually causes an assert
        in released versions - we'll updated that to make sure to take the
        fall back in that case).
      
        Nevertheless the /proc/self/mem approach was our favored approach
        because it a) Required an attacker to be able to execute syscalls
        which is a taller order than getting memory write and b) didn't double
        the virtual address space requirements (as a dual mapping approach
        would).
      
        I think in general this feature is very useful for anybody who needs
        to precisely control the execution of some other process. Various
        debuggers (gdb/lldb/rr) certainly fall into that category, but there's
        another class of such processes (wine, various emulators) which may
        want to do that kind of thing.
      
        Now, I suspect most of these will have the other process under ptrace
        control, so maybe allowing (same_mm || ptraced) would be ok, but at
        least for the sandbox/remote-jit use case, it would be perfectly
        reasonable to not have the jit server be a ptracer"
      
      Robert O'Callahan:
       "We write to readonly code and data mappings via /proc/.../mem in lots
        of different situations, particularly when we're adjusting program
        state during replay to match the recorded execution.
      
        Like Julia, we can add workarounds, but they could be expensive."
      
      so not only do people use FOLL_FORCE for both reads and writes, but they
      use it for both the local mm and remote mm.
      
      With these comments in mind, we likely also cannot add the "are we
      actively ptracing" check either, so this keeps the new code organization
      and does not do a real revert that would add back the original comment
      about "Maybe we should limit FOLL_FORCE to actual ptrace users?"
      Reported-by: default avatarKeno Fischer <keno@juliacomputing.com>
      Reported-by: default avatarRobert O'Callahan <robert@ocallahan.org>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Eric Biederman <ebiederm@xmission.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f511c0b1
    • Gioh Kim's avatar
      KVM: SVM: ignore type when setting segment registers · 8eae9570
      Gioh Kim authored
      Commit 19bca6ab ("KVM: SVM: Fix cross vendor migration issue with
      unusable bit") added checking type when setting unusable.
      So unusable can be set if present is 0 OR type is 0.
      According to the AMD processor manual, long mode ignores the type value
      in segment descriptor. And type can be 0 if it is read-only data segment.
      Therefore type value is not related to unusable flag.
      
      This patch is based on linux-next v4.12.0-rc3.
      Signed-off-by: default avatarGioh Kim <gi-oh.kim@profitbricks.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      8eae9570
    • Radim Krčmář's avatar
      KVM: nVMX: fix nested_vmx_check_vmptr failure paths under debugging · cbf71279
      Radim Krčmář authored
      kvm_skip_emulated_instruction() will return 0 if userspace is
      single-stepping the guest.
      
      kvm_skip_emulated_instruction() uses return status convention of exit
      handler: 0 means "exit to userspace" and 1 means "continue vm entries".
      The problem is that nested_vmx_check_vmptr() return status means
      something else: 0 is ok, 1 is error.
      
      This means we would continue executing after a failure.  Static checker
      noticed it because vmptr was not initialized.
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Fixes: 6affcbed ("KVM: x86: Add kvm_skip_emulated_instruction and use it.")
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      cbf71279
    • Kuninori Morimoto's avatar
      rcar-dmac: fixup descriptor pointer for descriptor mode · 56b17705
      Kuninori Morimoto authored
      In descriptor mode, the descriptor running pointer is not maintained
      by the interrupt handler, thus, driver finds the running descriptor
      from the descriptor pointer field in the CHCRB register.
      But, CHCRB::DPTR indicates *next* descriptor pointer, not current.
      Thus, The residue calculation will be missed. This patch fixup it.
      Signed-off-by: default avatarKuninori Morimoto <kuninori.morimoto.gx@renesas.com>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      56b17705
  5. 29 May, 2017 7 commits
    • Linus Torvalds's avatar
      Merge tag 'pinctrl-v4.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · 3f173bde
      Linus Torvalds authored
      Pull pin control fixes from Linus Walleij:
       "Here is an overdue pull request for pin control fixes, the most
        prominent feature is to make Intel Chromebooks (and I suspect any
        other Cherryview-based Intel thing) happy again, which we really want
        to see.
      
        There is a patch hitting drivers/firmware/* that I was uncertain to
        who actually manages, but I got Andy Shevchenko's and Dmitry Torokov's
        review tags on it and I trust them both 100% to do the right thing for
        Intel platform drivers.
      
        Summary:
      
         - Make a few Intel Chromebooks with Cherryview DMI firmware work
           smoothly.
      
         - A fix for some bogus allocations in the generic group management
           code.
      
         - Some GPIO descriptor lookup table stubs. Merged through the pin
           control tree for administrative reasons.
      
         - Revert the "bi-directional" and "output-enable" generic properties:
           we need more discussions around this. It seems other SoCs are using
           input/output gate enablement and these terms are not correct.
      
         - Fix mux and drive strength atomically in the MXS driver.
      
         - Fix the SPDIF function on sunxi A83T.
      
         - OF table terminators and other small fixes"
      
      * tag 'pinctrl-v4.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: sunxi: Fix SPDIF function name for A83T
        pinctrl: mxs: atomically switch mux and drive strength config
        pinctrl: cherryview: Extend the Chromebook DMI quirk to Intel_Strago systems
        firmware: dmi: Add DMI_PRODUCT_FAMILY identification string
        pinctrl: core: Fix warning by removing bogus code
        gpiolib: Add stubs for gpiod lookup table interface
        Revert "pinctrl: generic: Add bi-directional and output-enable"
        pinctrl: cherryview: Add terminate entry for dmi_system_id tables
      3f173bde
    • Vegard Nossum's avatar
      kthread: fix boot hang (regression) on MIPS/OpenRISC · b0f5a8f3
      Vegard Nossum authored
      This fixes a regression in commit 4d6501dc where I didn't notice
      that MIPS and OpenRISC were reinitialising p->{set,clear}_child_tid to
      NULL after our initialisation in copy_process().
      
      We can simply get rid of the arch-specific initialisation here since it
      is now always done in copy_process() before hitting copy_thread{,_tls}().
      
      Review notes:
      
       - As far as I can tell, copy_process() is the only user of
         copy_thread_tls(), which is the only caller of copy_thread() for
         architectures that don't implement copy_thread_tls().
      
       - After this patch, there is no arch-specific code touching
         p->set_child_tid or p->clear_child_tid whatsoever.
      
       - It may look like MIPS/OpenRISC wanted to always have these fields be
         NULL, but that's not true, as copy_process() would unconditionally
         set them again _after_ calling copy_thread_tls() before commit
         4d6501dc.
      
      Fixes: 4d6501dc ("kthread: Fix use-after-free if kthread fork fails")
      Reported-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Tested-by: Guenter Roeck <linux@roeck-us.net> # MIPS only
      Acked-by: default avatarStafford Horne <shorne@gmail.com>
      Acked-by: default avatarOleg Nesterov <oleg@redhat.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: Jonas Bonn <jonas@southpole.se>
      Cc: Stefan Kristiansson <stefan.kristiansson@saunalahti.fi>
      Cc: openrisc@lists.librecores.org
      Cc: Jamie Iles <jamie.iles@oracle.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b0f5a8f3
    • Miklos Szeredi's avatar
      ovl: filter trusted xattr for non-admin · a082c6f6
      Miklos Szeredi authored
      Filesystems filter out extended attributes in the "trusted." domain for
      unprivlieged callers.
      
      Overlay calls underlying filesystem's method with elevated privs, so need
      to do the filtering in overlayfs too.
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      a082c6f6
    • Hans de Goede's avatar
      HID: i2c: Call acpi_device_fix_up_power for ACPI-enumerated devices · f3d3eab6
      Hans de Goede authored
      For ACPI devices which do not have a _PSC method, the ACPI subsys cannot
      query their initial state at boot, so these devices are assumed to have
      been put in D0 by the BIOS, but for touchscreens that is not always true.
      
      This commit adds a call to acpi_device_fix_up_power to explicitly put
      devices without a _PSC method into D0 state (for devices with a _PSC
      method it is a nop). Note we only need to do this on probe, after a
      resume the ACPI subsys knows the device is in D3 and will properly
      put it in D0.
      
      This fixes the SIS0817 i2c-hid touchscreen on a Peaq C1010 2-in-1
      device failing to probe with a "hid_descr_cmd failed" error.
      Acked-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      f3d3eab6
    • Amir Goldstein's avatar
      ovl: mark upper merge dir with type origin entries "impure" · f3a15685
      Amir Goldstein authored
      An upper dir is marked "impure" to let ovl_iterate() know that this
      directory may contain non pure upper entries whose d_ino may need to be
      read from the origin inode.
      
      We already mark a non-merge dir "impure" when moving a non-pure child
      entry inside it, to let ovl_iterate() know not to iterate the non-merge
      dir directly.
      
      Mark also a merge dir "impure" when moving a non-pure child entry inside
      it and when copying up a child entry inside it.
      
      This can be used to optimize ovl_iterate() to perform a "pure merge" of
      upper and lower directories, merging the content of the directories,
      without having to read d_ino from origin inodes.
      Signed-off-by: default avatarAmir Goldstein <amir73il@gmail.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      f3a15685
    • Borislav Petkov's avatar
      x86/debug/32: Convert a smp_processor_id() call to raw to avoid DEBUG_PREEMPT warning · 5d9070b1
      Borislav Petkov authored
      ... to raw_smp_processor_id() to not trip the
      
        BUG: using smp_processor_id() in preemptible [00000000] code: swapper/0/1
      
      check. The reasoning behind it is that __warn() already uses the raw_
      variants but the show_regs() path on 32-bit doesn't.
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/20170528092212.fiod7kygpjm23m3o@pd.tnicSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      5d9070b1
    • Borislav Petkov's avatar
      x86/microcode/AMD: Change load_microcode_amd()'s param to bool to fix preemptibility bug · dac6ca24
      Borislav Petkov authored
      With CONFIG_DEBUG_PREEMPT enabled, I get:
      
        BUG: using smp_processor_id() in preemptible [00000000] code: swapper/0/1
        caller is debug_smp_processor_id
        CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc2+ #2
        Call Trace:
         dump_stack
         check_preemption_disabled
         debug_smp_processor_id
         save_microcode_in_initrd_amd
         ? microcode_init
         save_microcode_in_initrd
         ...
      
      because, well, it says it above, we're using smp_processor_id() in
      preemptible code.
      
      But passing the CPU number is not really needed. It is only used to
      determine whether we're on the BSP, and, if so, to save the microcode
      patch for early loading.
      
       [ We don't absolutely need to do it on the BSP but we do that
         customarily there. ]
      
      Instead, convert that function parameter to a boolean which denotes
      whether the patch should be saved or not, thereby avoiding the use of
      smp_processor_id() in preemptible code.
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/20170528200414.31305-1-bp@alien8.deSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      dac6ca24