1. 23 Sep, 2017 5 commits
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · d32e5f44
      Linus Torvalds authored
      Pull input fixes from Dmitry Torokhov:
      
       - fixes for two long standing issues (lock up and a crash) in force
         feedback handling in uinput driver
      
       - tweak to firmware update timing in Elan I2C touchpad driver.
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: elan_i2c - extend Flash-Write delay
        Input: uinput - avoid crash when sending FF request to device going away
        Input: uinput - avoid FF flush when destroying device
      d32e5f44
    • Linus Torvalds's avatar
      Merge tag 'seccomp-v4.14-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · c0a3a64e
      Linus Torvalds authored
      Pull seccomp updates from Kees Cook:
       "Major additions:
      
         - sysctl and seccomp operation to discover available actions
           (tyhicks)
      
         - new per-filter configurable logging infrastructure and sysctl
           (tyhicks)
      
         - SECCOMP_RET_LOG to log allowed syscalls (tyhicks)
      
         - SECCOMP_RET_KILL_PROCESS as the new strictest possible action
      
         - self-tests for new behaviors"
      
      [ This is the seccomp part of the security pull request during the merge
        window that was nixed due to unrelated problems   - Linus ]
      
      * tag 'seccomp-v4.14-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        samples: Unrename SECCOMP_RET_KILL
        selftests/seccomp: Test thread vs process killing
        seccomp: Implement SECCOMP_RET_KILL_PROCESS action
        seccomp: Introduce SECCOMP_RET_KILL_PROCESS
        seccomp: Rename SECCOMP_RET_KILL to SECCOMP_RET_KILL_THREAD
        seccomp: Action to log before allowing
        seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW
        seccomp: Selftest for detection of filter flag support
        seccomp: Sysctl to configure actions that are allowed to be logged
        seccomp: Operation for checking if an action is available
        seccomp: Sysctl to display available actions
        seccomp: Provide matching filter for introspection
        selftests/seccomp: Refactor RET_ERRNO tests
        selftests/seccomp: Add simple seccomp overhead benchmark
        selftests/seccomp: Add tests for basic ptrace actions
      c0a3a64e
    • Linus Torvalds's avatar
      Merge tag '4.14-smb3-fixes-from-recent-test-events-for-stable' of... · 69c902f5
      Linus Torvalds authored
      Merge tag '4.14-smb3-fixes-from-recent-test-events-for-stable' of git://git.samba.org/sfrench/cifs-2.6
      
      Pull cifs fixes from Steve French:
       "Various SMB3 fixes for stable and security improvements from the
        recently completed SMB3/Samba test events
      
      * tag '4.14-smb3-fixes-from-recent-test-events-for-stable' of git://git.samba.org/sfrench/cifs-2.6:
        SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
        SMB3: handle new statx fields
        SMB: Validate negotiate (to protect against downgrade) even if signing off
        cifs: release auth_key.response for reconnect.
        cifs: release cifs root_cred after exit_cifs
        CIFS: make arrays static const, reduces object code size
        [SMB3] Update session and share information displayed for debugging SMB2/SMB3
        cifs: show 'soft' in the mount options for hard mounts
        SMB3: Warn user if trying to sign connection that authenticated as guest
        SMB3: Fix endian warning
        Fix SMB3.1.1 guest authentication to Samba
      69c902f5
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-4.14-rc2' of git://github.com/ceph/ceph-client · b03fcfae
      Linus Torvalds authored
      Pull ceph fixes from Ilya Dryomov:
       "Two small but important fixes: RADOS semantic change in upcoming v12.2.1
        release and a rare NULL dereference in create_session_open_msg()"
      
      * tag 'ceph-for-4.14-rc2' of git://github.com/ceph/ceph-client:
        ceph: avoid panic in create_session_open_msg() if utsname() returns NULL
        libceph: don't allow bidirectional swap of pg-upmap-items
      b03fcfae
    • Steve French's avatar
      SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags · 1013e760
      Steve French authored
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      CC: Stable <stable@vger.kernel.org>
      Reviewed-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
      Reviewed-by: default avatarPavel Shilovsky <pshilov@microsoft.com>
      1013e760
  2. 22 Sep, 2017 15 commits
  3. 21 Sep, 2017 16 commits
    • Dmitry Torokhov's avatar
      Input: uinput - avoid crash when sending FF request to device going away · 6b4877c7
      Dmitry Torokhov authored
      If FF request comes in while uinput device is going away,
      uinput_request_send() will fail with -ENODEV, and uinput_request_submit()
      will attempt to mark the slot as unused by calling uinput_request_done().
      Unfortunately in this case we haven't initialized request->done completion
      yet, and we get a crash:
      
      [   39.402036] BUG: spinlock bad magic on CPU#1, fftest/3108
      [   39.402046]  lock: 0xffff88006a93bb00, .magic: 00000000, .owner: /39, .owner_cpu: 1217155072
      [   39.402055] CPU: 1 PID: 3108 Comm: fftest Tainted: G        W 4.13.0+ #15
      [   39.402059] Hardware name: LENOVO 20HQS0EG02/20HQS0EG02, BIOS N1MET37W (1.22 ) 07/04/2017
      [   39.402064]  0000000000000086 f0fad82f3ceaa120 ffff88006a93b9a0 ffffffff9de941bb
      [   39.402077]  ffff88026df8ae00 ffff88006a93bb00 ffff88006a93b9c0 ffffffff9dca62b7
      [   39.402088]  ffff88006a93bb00 ffff88006a93baf8 ffff88006a93b9e0 ffffffff9dca62e7
      [   39.402099] Call Trace:
      [   39.402112]  [<ffffffff9de941bb>] dump_stack+0x4d/0x63
      [   39.402123]  [<ffffffff9dca62b7>] spin_dump+0x97/0x9c
      [   39.402130]  [<ffffffff9dca62e7>] spin_bug+0x2b/0x2d
      [   39.402138]  [<ffffffff9dca6373>] do_raw_spin_lock+0x28/0xfd
      [   39.402147]  [<ffffffff9e3055cd>] _raw_spin_lock_irqsave+0x19/0x1f
      [   39.402154]  [<ffffffff9dca05b7>] complete+0x1d/0x48
      [   39.402162]  [<ffffffffc04f30af>] 0xffffffffc04f30af
      [   39.402167]  [<ffffffffc04f468c>] 0xffffffffc04f468c
      [   39.402177]  [<ffffffff9dd59c16>] ? __slab_free+0x22f/0x359
      [   39.402184]  [<ffffffff9dcc13e9>] ? tk_clock_read+0xc/0xe
      [   39.402189]  [<ffffffffc04f471f>] 0xffffffffc04f471f
      [   39.402195]  [<ffffffff9dc9ffe5>] ? __wake_up+0x44/0x4b
      [   39.402200]  [<ffffffffc04f3240>] ? 0xffffffffc04f3240
      [   39.402207]  [<ffffffff9e0f57f3>] erase_effect+0xa1/0xd2
      [   39.402214]  [<ffffffff9e0f58c6>] input_ff_flush+0x43/0x5c
      [   39.402219]  [<ffffffffc04f32ad>] 0xffffffffc04f32ad
      [   39.402227]  [<ffffffff9e0f174f>] input_flush_device+0x3d/0x51
      [   39.402234]  [<ffffffff9e0f69ae>] evdev_flush+0x49/0x5c
      [   39.402243]  [<ffffffff9dd62d6e>] filp_close+0x3f/0x65
      [   39.402253]  [<ffffffff9dd7dcf7>] put_files_struct+0x66/0xc1
      [   39.402261]  [<ffffffff9dd7ddeb>] exit_files+0x47/0x4e
      [   39.402270]  [<ffffffff9dc6b329>] do_exit+0x483/0x969
      [   39.402278]  [<ffffffff9dc73211>] ? recalc_sigpending_tsk+0x3d/0x44
      [   39.402285]  [<ffffffff9dc6c7a2>] do_group_exit+0x42/0xb0
      [   39.402293]  [<ffffffff9dc767e1>] get_signal+0x58d/0x5bf
      [   39.402300]  [<ffffffff9dc03701>] do_signal+0x37/0x53e
      [   39.402307]  [<ffffffff9e0f8401>] ? evdev_ioctl_handler+0xac8/0xb04
      [   39.402314]  [<ffffffff9e0f8464>] ? evdev_ioctl+0x10/0x12
      [   39.402321]  [<ffffffff9dd74cfa>] ? do_vfs_ioctl+0x42e/0x501
      [   39.402328]  [<ffffffff9dc0170e>] prepare_exit_to_usermode+0x66/0x90
      [   39.402333]  [<ffffffff9dc0181b>] syscall_return_slowpath+0xe3/0xec
      [   39.402339]  [<ffffffff9e305b7b>] int_ret_from_sys_call+0x25/0x8f
      
      While we could solve this by simply initializing the completion earlier, we
      are better off rearranging the code a bit so we avoid calling complete() on
      requests that we did not send out. This patch consolidates marking request
      slots as free in one place (in uinput_request_submit(), the same place
      where we acquire them) and having everyone else simply signal completion
      of the requests.
      
      Fixes: 00ce756c ("Input: uinput - mark failed submission requests as free")
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      6b4877c7
    • Dmitry Torokhov's avatar
      Input: uinput - avoid FF flush when destroying device · e8b95728
      Dmitry Torokhov authored
      Normally, when input device supporting force feedback effects is being
      destroyed, we try to "flush" currently playing effects, so that the
      physical device does not continue vibrating (or executing other effects).
      Unfortunately this does not work well for uinput as flushing of the effects
      deadlocks with the destroy action:
      
      - if device is being destroyed because the file descriptor is being closed,
        then there is noone to even service FF requests;
      
      - if device is being destroyed because userspace sent UI_DEV_DESTROY,
        while theoretically it could be possible to service FF requests,
        userspace is unlikely to do so (they'd need to make sure FF handling
        happens on a separate thread) even if kernel solves the issue with FF
        ioctls deadlocking with UI_DEV_DESTROY ioctl on udev->mutex.
      
      To avoid lockups like the one below, let's install a custom input device
      flush handler, and avoid trying to flush force feedback effects when we
      destroying the device, and instead rely on uinput to shut off the device
      properly.
      
      NMI watchdog: Watchdog detected hard LOCKUP on cpu 3
      ...
       <<EOE>>  [<ffffffff817a0307>] _raw_spin_lock_irqsave+0x37/0x40
       [<ffffffff810e633d>] complete+0x1d/0x50
       [<ffffffffa00ba08c>] uinput_request_done+0x3c/0x40 [uinput]
       [<ffffffffa00ba587>] uinput_request_submit.part.7+0x47/0xb0 [uinput]
       [<ffffffffa00bb62b>] uinput_dev_erase_effect+0x5b/0x76 [uinput]
       [<ffffffff815d91ad>] erase_effect+0xad/0xf0
       [<ffffffff815d929d>] flush_effects+0x4d/0x90
       [<ffffffff815d4cc0>] input_flush_device+0x40/0x60
       [<ffffffff815daf1c>] evdev_cleanup+0xac/0xc0
       [<ffffffff815daf5b>] evdev_disconnect+0x2b/0x60
       [<ffffffff815d74ac>] __input_unregister_device+0xac/0x150
       [<ffffffff815d75f7>] input_unregister_device+0x47/0x70
       [<ffffffffa00bac45>] uinput_destroy_device+0xb5/0xc0 [uinput]
       [<ffffffffa00bb2de>] uinput_ioctl_handler.isra.9+0x65e/0x740 [uinput]
       [<ffffffff811231ab>] ? do_futex+0x12b/0xad0
       [<ffffffffa00bb3f8>] uinput_ioctl+0x18/0x20 [uinput]
       [<ffffffff81241248>] do_vfs_ioctl+0x298/0x480
       [<ffffffff81337553>] ? security_file_ioctl+0x43/0x60
       [<ffffffff812414a9>] SyS_ioctl+0x79/0x90
       [<ffffffff817a04ee>] entry_SYSCALL_64_fastpath+0x12/0x71
      Reported-by: default avatarRodrigo Rivas Costa <rodrigorivascosta@gmail.com>
      Reported-by: default avatarClément VUCHENER <clement.vuchener@gmail.com>
      Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=193741Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      e8b95728
    • Linus Torvalds's avatar
      Merge tag 'kbuild-fixes-v4.14' of... · 4a704d6d
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
       "Here are some early Kbuild fixes.
      
        The in-kernel firmware was removed during the previous merge window.
        Since then, some bug reports of broken rpm building are flying in ML.
        We need to fix it now.
      
        Summary:
      
         - remove firmware install from rpm-pkg / deb-pkg
      
         - fix mismatch between release number and UTS_VERSION for rpm-pkg"
      
      * tag 'kbuild-fixes-v4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        kbuild: rpm-pkg: fix version number handling
        kbuild: deb-pkg: remove firmware package support
        kbuild: rpm-pkg: delete firmware_install to fix build error
      4a704d6d
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 449cd5d2
      Linus Torvalds authored
      Pull misc fixes from Al Viro:
       "A couple of regression fixes, one for this merge window, one for the
        previous cycle"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        ipc/shm: Fix order of parameters when calling copy_compat_shmid_to_user
        iov_iter: fix page_copy_sane for compound pages
      449cd5d2
    • Linus Torvalds's avatar
      Merge tag 'mtd/fixes-for-4.14-rc2' of git://git.infradead.org/linux-mtd · d9fde269
      Linus Torvalds authored
      Pull mtd fixes from Boris Brezillon:
       "SPI NOR:
         - Fix the SFDP parsing code (bugs reported by Geert Uytterhoeven)
      
        NAND:
         - Fix a resource leak in the lpc32xx_mlc driver
         - Fix a build warning in the core"
      
      * tag 'mtd/fixes-for-4.14-rc2' of git://git.infradead.org/linux-mtd:
        mtd: nand: remove unused blockmask variable
        mtd: nand: lpc32xx_mlc: Fix an error handling path in lpc32xx_nand_probe()
        mtd: spi-nor: fix DMA unsafe buffer issue in spi_nor_read_sfdp()
        mtd: spi-nor: Check consistency of the memory size extracted from the SFDP
      d9fde269
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-for-v4.14-rc2' of git://people.freedesktop.org/~airlied/linux · b6e78a6f
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "amdkfd, i915 and exynos fixes.
      
        I've ended up on unplanned + planned leave this week, but there were
        some fixes I decided to dequeue, some amdkfd bits missed the next pull
        but they are pretty trivial, so I included them.
      
        I'm not sure I'll see much else for rc2, lots of people are at XDC"
      
      * tag 'drm-fixes-for-v4.14-rc2' of git://people.freedesktop.org/~airlied/linux:
        drm/exynos/hdmi: Fix unsafe list iteration
        drm: exynos: include linux/irq.h
        drm/exynos: Fix suspend/resume support
        drm/exynos: Fix locking in the suspend/resume paths
        drm/i915: Remove unused 'in_vbl' from i915_get_crtc_scanoutpos()
        drm/i915/cnp: set min brightness from VBT
        Revert "drm/i915/bxt: Disable device ready before shutdown command"
        drm/i915/bxt: set min brightness from VBT
        drm/i915: Fix an error handling in 'intel_framebuffer_init()'
        drm/i915/gvt: Fix incorrect PCI BARs reporting
        drm/amdkfd: pass queue's mqd when destroying mqd
        drm/amdkfd: remove memset before memcpy
        uapi linux/kfd_ioctl.h: only use __u32 and __u64
      b6e78a6f
    • Linus Torvalds's avatar
      Merge tag 'dma-mapping-4.14-2' of git://git.infradead.org/users/hch/dma-mapping · 20c29a97
      Linus Torvalds authored
      Pull dma mapping fix from Christoph Hellwig:
       "A fix for a fix that went in this merge window from Arnd"
      
      * tag 'dma-mapping-4.14-2' of git://git.infradead.org/users/hch/dma-mapping:
        dma-coherent: fix rmem_dma_device_init regression
      20c29a97
    • Manuel Lauss's avatar
      MIPS: PCI: fix pcibios_map_irq section mismatch · 8eba3651
      Manuel Lauss authored
      Drop  the __init from pcibios_map_irq() to make this section mis-
      match go away:
      
      WARNING: vmlinux.o(.text+0x56acd4): Section mismatch in reference from the function pcibios_scanbus() to the function .init.text:pcibios_map_irq()
      The function pcibios_scanbus() references
      the function __init pcibios_map_irq().
      This is often because pcibios_scanbus lacks a __init
      annotation or the annotation of pcibios_map_irq is wrong.
      
      Run-Tested only on Alchemy.
      Signed-off-by: default avatarManuel Lauss <manuel.lauss@gmail.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/17267/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      8eba3651
    • James Hogan's avatar
      MIPS: Fix input modify in __write_64bit_c0_split() · c22c8043
      James Hogan authored
      The inline asm in __write_64bit_c0_split() modifies the 64-bit input
      operand by shifting the high register left by 32, and constructing the
      full 64-bit value in the low register (even on a 32-bit kernel), so if
      that value is used again it could cause breakage as GCC would assume the
      registers haven't changed when they have.
      
      To quote the GCC extended asm documentation:
      > Warning: Do not modify the contents of input-only operands (except for
      > inputs tied to outputs). The compiler assumes that on exit from the
      > asm statement these operands contain the same values as they had
      > before executing the statement.
      
      Avoid modifying the input by using a temporary variable as an output
      which is modified instead of the input and not otherwise used. The asm
      is always __volatile__ so GCC shouldn't optimise it out. The low
      register of the temporary output is written before the high register of
      the input is read, so we have two constraint alternatives, one where
      both use the same registers (for when the input value isn't subsequently
      used), and one with an early clobber on the output in case the low
      output uses the same register as the high input. This allows the
      resulting assembly to remain mostly unchanged.
      
      A diff of a MIPS32r6 kernel reveals only three differences, two in
      relation to write_c0_r10k_diag() in cpu_probe() (register allocation
      rearranged slightly but otherwise identical), and one in relation to
      write_c0_cvmmemctl2() in kvm_vz_local_flush_guesttlb_all(), but the
      octeon CPU is only supported on 64-bit kernels where
      __write_64bit_c0_split() isn't used so that shouldn't matter in
      practice. So there currently doesn't appear to be anything broken by
      this bug.
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/17315/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      c22c8043
    • Arnd Bergmann's avatar
      MIPS: MSP71xx: Include asm/setup.h · 9bbe7dc0
      Arnd Bergmann authored
      msp71xx_defconfig can not be built at the in v4.14-rc1
      
      arch/mips/pmcs-msp71xx/msp_smp.c:72:2: error: implicit declaration of function 'set_vi_handler' [-Werror=implicit-function-declaration]
      
      I don't know what caused the regression, but including the right
      header is the obvious fix.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Patchwork: https://patchwork.linux-mips.org/patch/17309/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      9bbe7dc0
    • Tyrel Datwyler's avatar
      powerpc/pseries: Fix parent_dn reference leak in add_dt_node() · b537ca6f
      Tyrel Datwyler authored
      A reference to the parent device node is held by add_dt_node() for the
      node to be added. If the call to dlpar_configure_connector() fails
      add_dt_node() returns ENOENT and that reference is not freed.
      
      Add a call to of_node_put(parent_dn) prior to bailing out after a
      failed dlpar_configure_connector() call.
      
      Fixes: 8d5ff320 ("powerpc/pseries: Make dlpar_configure_connector parent node aware")
      Cc: stable@vger.kernel.org # v3.12+
      Signed-off-by: default avatarTyrel Datwyler <tyreld@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      b537ca6f
    • Tyrel Datwyler's avatar
      powerpc/pseries: Fix "OF: ERROR: Bad of_node_put() on /cpus" during DLPAR · 087ff6a5
      Tyrel Datwyler authored
      Commit 215ee763 ("powerpc: pseries: remove dlpar_attach_node
      dependency on full path") reworked dlpar_attach_node() to no longer
      look up the parent node "/cpus", but instead to have the parent node
      passed by the caller in the function parameter list.
      
      As a result dlpar_attach_node() is no longer responsible for freeing
      the reference to the parent node. However, commit 215ee763 failed
      to remove the of_node_put(parent) call in dlpar_attach_node(), or to
      take into account that the reference to the parent in the caller
      dlpar_cpu_add() needs to be held until after dlpar_attach_node()
      returns.
      
      As a result doing repeated cpu add/remove dlpar operations will
      eventually result in the following error:
      
        OF: ERROR: Bad of_node_put() on /cpus
        CPU: 0 PID: 10896 Comm: drmgr Not tainted 4.13.0-autotest #1
        Call Trace:
         dump_stack+0x15c/0x1f8 (unreliable)
         of_node_release+0x1a4/0x1c0
         kobject_put+0x1a8/0x310
         kobject_del+0xbc/0xf0
         __of_detach_node_sysfs+0x144/0x210
         of_detach_node+0xf0/0x180
         dlpar_detach_node+0xc4/0x120
         dlpar_cpu_remove+0x280/0x560
         dlpar_cpu_release+0xbc/0x1b0
         arch_cpu_release+0x6c/0xb0
         cpu_release_store+0xa0/0x100
         dev_attr_store+0x68/0xa0
         sysfs_kf_write+0xa8/0xf0
         kernfs_fop_write+0x2cc/0x400
         __vfs_write+0x5c/0x340
         vfs_write+0x1a8/0x3d0
         SyS_write+0xa8/0x1a0
         system_call+0x58/0x6c
      
      Fix the issue by removing the of_node_put(parent) call from
      dlpar_attach_node(), and ensuring that the reference to the parent
      node is properly held and released by the caller dlpar_cpu_add().
      
      Fixes: 215ee763 ("powerpc: pseries: remove dlpar_attach_node dependency on full path")
      Signed-off-by: default avatarTyrel Datwyler <tyreld@linux.vnet.ibm.com>
      Reported-by: default avatarAbdul Haleem <abdhalee@linux.vnet.ibm.com>
      [mpe: Add a comment in the code and frob the change log slightly]
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      087ff6a5
    • Benjamin Herrenschmidt's avatar
      powerpc/eeh: Create PHB PEs after EEH is initialized · 3e77adee
      Benjamin Herrenschmidt authored
      Otherwise we end up not yet having computed the right diag data size
      on powernv where EEH initialization is delayed, thus causing memory
      corruption later on when calling OPAL.
      
      Fixes: 5cb1f8fd ("powerpc/powernv/pci: Dynamically allocate PHB diag data")
      Cc: stable@vger.kernel.org # v4.13+
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Acked-by: default avatarRussell Currey <ruscur@russell.cc>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      3e77adee
    • Will Deacon's avatar
      ipc/shm: Fix order of parameters when calling copy_compat_shmid_to_user · 58aff0af
      Will Deacon authored
      Commit 553f770e ("ipc: move compat shmctl to native") moved the
      compat IPC syscall handling into ipc/shm.c and refactored the struct
      accessors in the process. Unfortunately, the call to
      copy_compat_shmid_to_user when handling a compat {IPC,SHM}_STAT command
      gets the arguments the wrong way round, passing a kernel stack address
      as the user buffer (destination) and the user buffer as the kernel stack
      address (source).
      
      This patch fixes the parameter ordering so the buffers are accessed
      correctly.
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      58aff0af
    • Petar Penkov's avatar
      iov_iter: fix page_copy_sane for compound pages · a90bcb86
      Petar Penkov authored
      Issue is that if the data crosses a page boundary inside a compound
      page, this check will incorrectly trigger a WARN_ON.
      
      To fix this, compute the order using the head of the compound page and
      adjust the offset to be relative to that head.
      
      Fixes: 72e809ed ("iov_iter: sanity checks for copy to/from page
      primitives")
      Signed-off-by: default avatarPetar Penkov <ppenkov@google.com>
      CC: Al Viro <viro@zeniv.linux.org.uk>
      CC: Eric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      a90bcb86
    • Steve French's avatar
      SMB: Validate negotiate (to protect against downgrade) even if signing off · 0603c96f
      Steve French authored
      As long as signing is supported (ie not a guest user connection) and
      connection is SMB3 or SMB3.02, then validate negotiate (protect
      against man in the middle downgrade attacks).  We had been doing this
      only when signing was required, not when signing was just enabled,
      but this more closely matches recommended SMB3 behavior and is
      better security.  Suggested by Metze.
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Reviewed-by: default avatarJeremy Allison <jra@samba.org>
      Acked-by: default avatarStefan Metzmacher <metze@samba.org>
      Reviewed-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
      CC: Stable <stable@vger.kernel.org>
      0603c96f
  4. 20 Sep, 2017 4 commits