Skip to main content

Browse the archive

https://github.com/torvalds/linux
05 April 2024, 19:05:47 UTC
sort by:
Revision Author Date Message Commit Date
32c1431 Linus Torvalds 11 June 2017, 23:48:20 UTC Linux 4.12-rc5 11 June 2017, 23:48:20 UTC
3262764 Linus Torvalds 11 June 2017, 23:17:29 UTC Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull key subsystem fixes from James Morris: "Here are a bunch of fixes for Linux keyrings, including: - Fix up the refcount handling now that key structs use the refcount_t type and the refcount_t ops don't allow a 0->1 transition. - Fix a potential NULL deref after error in x509_cert_parse(). - Don't put data for the crypto algorithms to use on the stack. - Fix the handling of a null payload being passed to add_key(). - Fix incorrect cleanup an uninitialised key_preparsed_payload in key_update(). - Explicit sanitisation of potentially secure data before freeing. - Fixes for the Diffie-Helman code" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (23 commits) KEYS: fix refcount_inc() on zero KEYS: Convert KEYCTL_DH_COMPUTE to use the crypto KPP API crypto : asymmetric_keys : verify_pefile:zero memory content before freeing KEYS: DH: add __user annotations to keyctl_kdf_params KEYS: DH: ensure the KDF counter is properly aligned KEYS: DH: don't feed uninitialized "otherinfo" into KDF KEYS: DH: forbid using digest_null as the KDF hash KEYS: sanitize key structs before freeing KEYS: trusted: sanitize all key material KEYS: encrypted: sanitize all key material KEYS: user_defined: sanitize key payloads KEYS: sanitize add_key() and keyctl() key payloads KEYS: fix freeing uninitialized memory in key_update() KEYS: fix dereferencing NULL payload with nonzero length KEYS: encrypted: use constant-time HMAC comparison KEYS: encrypted: fix race causing incorrect HMAC calculations KEYS: encrypted: fix buffer overread in valid_master_desc() KEYS: encrypted: avoid encrypting/decrypting stack buffers KEYS: put keyring if install_session_keyring_to_cred() fails KEYS: Delete an error message for a failed memory allocation in get_derived_key() ... 11 June 2017, 23:17:29 UTC
6d53cef Linus Torvalds 11 June 2017, 22:51:56 UTC compiler, clang: properly override 'inline' for clang Commit abb2ea7dfd82 ("compiler, clang: suppress warning for unused static inline functions") just caused more warnings due to re-defining the 'inline' macro. So undef it before re-defining it, and also add the 'notrace' attribute like the gcc version that this is overriding does. Maybe this makes clang happier. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 11 June 2017, 22:51:56 UTC
5ad9345 Linus Torvalds 11 June 2017, 19:02:01 UTC Merge tag 'random_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random Pull randomness fixes from Ted Ts'o: "Improve performance by using a lockless update mechanism suggested by Linus, and make sure we refresh per-CPU entropy returned get_random_* as soon as the CRNG is initialized" * tag 'random_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random: random: invalidate batched entropy after crng init random: use lockless method of accessing and updating f->reg_idx 11 June 2017, 19:02:01 UTC
5e38b72 Linus Torvalds 11 June 2017, 18:57:47 UTC Merge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 Pull ext4 fixes from Ted Ts'o: "Fix various bug fixes in ext4 caused by races and memory allocation failures" * tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4: ext4: fix fdatasync(2) after extent manipulation operations ext4: fix data corruption for mmap writes ext4: fix data corruption with EXT4_GET_BLOCKS_ZERO ext4: fix quota charging for shared xattr blocks ext4: remove redundant check for encrypted file on dio write path ext4: remove unused d_name argument from ext4_search_dir() et al. ext4: fix off-by-one error when writing back pages before dio read ext4: fix off-by-one on max nr_pages in ext4_find_unwritten_pgoff() ext4: keep existing extra fields when inode expands ext4: handle the rest of ext4_mb_load_buddy() ENOMEM errors ext4: fix off-by-in in loop termination in ext4_find_unwritten_pgoff() ext4: fix SEEK_HOLE jbd2: preserve original nofs flag during journal restart ext4: clear lockdep subtype for quota files on quota off 11 June 2017, 18:57:47 UTC
f986e31 Linus Torvalds 11 June 2017, 18:34:27 UTC Merge tag 'gpio-v4.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio Pull GPIO fixes from Linus Walleij: "A few overdue GPIO patches for the v4.12 kernel. - Fix debounce logic on the Aspeed platform. - Fix the "virtual gpio" things on the Intel Crystal Cove. - Fix the blink counter selection on the MVEBU platform" * tag 'gpio-v4.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio: gpio: mvebu: fix gpio bank registration when pwm is used gpio: mvebu: fix blink counter register selection MAINTAINERS: remove self from GPIO maintainers gpio: crystalcove: Do not write regular gpio registers for virtual GPIOs gpio: aspeed: Don't attempt to debounce if disabled 11 June 2017, 18:34:27 UTC
9cd9cb0 Linus Torvalds 11 June 2017, 18:29:15 UTC Merge tag 'char-misc-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc driver fixes from Greg KH: "Here are some small driver fixes for 4.12-rc5. Nothing major here, just some small bugfixes found by people testing, and a MAINTAINERS file update for the genwqe driver. All have been in linux-next with no reported issues" [ The cxl driver fix came in through the powerpc tree earlier ] * tag 'char-misc-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: cxl: Avoid double free_irq() for psl,slice interrupts mei: make sysfs modalias format similar as uevent modalias drivers: char: mem: Fix wraparound check to allow mappings up to the end MAINTAINERS: Change maintainer of genwqe driver goldfish_pipe: use GFP_ATOMIC under spin lock firmware: vpd: do not leak kobjects firmware: vpd: avoid potential use-after-free when destroying section firmware: vpd: do not leave freed section attributes to the list 11 June 2017, 18:29:15 UTC
21c9eb7 Linus Torvalds 11 June 2017, 18:25:51 UTC Merge tag 'staging-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull staging/IIO fixes from Greg KH: "These are mostly all IIO driver fixes, resolving a number of tiny issues. There's also a ccree and lustre fix in here as well, both fix problems found in those codebases. All have been in linux-next with no reported issues" * tag 'staging-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: staging: ccree: fix buffer copy staging/lustre/lov: remove set_fs() call from lov_getstripe() staging: ccree: add CRYPTO dependency iio: adc: sun4i-gpadc-iio: fix parent device being used in devm function iio: light: ltr501 Fix interchanged als/ps register field iio: adc: bcm_iproc_adc: swap primary and secondary isr handler's iio: trigger: fix NULL pointer dereference in iio_trigger_write_current() iio: adc: max9611: Fix attribute measure unit iio: adc: ti_am335x_adc: allocating too much in probe iio: adc: sun4i-gpadc-iio: Fix module autoload when OF devices are registered iio: adc: sun4i-gpadc-iio: Fix module autoload when PLATFORM devices are registered iio: proximity: as3935: fix iio_trigger_poll issue iio: proximity: as3935: fix AS3935_INT mask iio: adc: Max9611: checking for ERR_PTR instead of NULL in probe iio: proximity: as3935: recalibrate RCO after resume 11 June 2017, 18:25:51 UTC
246baac Linus Torvalds 11 June 2017, 18:23:10 UTC Merge tag 'usb-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB fixes from Greg KH: "Here are some small USB fixes for 4.12-rc5 They are for some reported issues in the chipidea and gadget drivers. Nothing major. All have been in linux-next for a while with no reported issues" * tag 'usb-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: usb: gadget: udc: renesas_usb3: Fix PN_INT_ENA disabling timing usb: gadget: udc: renesas_usb3: lock for PN_ registers access usb: gadget: udc: renesas_usb3: fix deadlock by spinlock usb: gadget: udc: renesas_usb3: fix pm_runtime functions calling usb: gadget: f_mass_storage: Serialize wake and sleep execution usb: dwc2: add support for the DWC2 controller on Meson8 SoCs phy: qualcomm: phy-qcom-qmp: fix application of sizeof to pointer usb: musb: dsps: keep VBUS on for host-only mode usb: chipidea: core: check before accessing ci_role in ci_role_show usb: chipidea: debug: check before accessing ci_role phy: qcom-qmp: fix return value check in qcom_qmp_phy_create() usb: chipidea: udc: fix NULL pointer dereference if udc_start failed usb: chipidea: imx: Do not access CLKONOFF on i.MX51 11 June 2017, 18:23:10 UTC
ef918d3 Linus Torvalds 11 June 2017, 18:21:08 UTC Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "This is a set of user visible fixes (excepting one format string change). Four of the qla2xxx fixes only affect the firmware dump path, but it's still important to the enterprise. The rest are various NULL pointer crash conditions or outright driver hangs" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: cxgb4i: libcxgbi: in error case RST tcp conn scsi: scsi_debug: Avoid PI being disabled when TPGS is enabled scsi: qla2xxx: Fix extraneous ref on sp's after adapter break scsi: lpfc: prevent potential null pointer dereference scsi: lpfc: Avoid NULL pointer dereference in lpfc_els_abort() scsi: lpfc: nvmet_fc: fix format string scsi: qla2xxx: Fix crash due to NULL pointer dereference of ctx scsi: qla2xxx: Fix mailbox pointer error in fwdump capture scsi: qla2xxx: Set bit 15 for DIAG_ECHO_TEST MBC scsi: qla2xxx: Modify T262 FW dump template to specify same start/end to debug customer issues scsi: qla2xxx: Fix crash due to mismatch mumber of Q-pair creation for Multi queue scsi: qla2xxx: Fix NULL pointer access due to redundant fc_host_port_name call scsi: qla2xxx: Fix recursive loop during target mode configuration for ISP25XX leaving system unresponsive scsi: bnx2fc: fix race condition in bnx2fc_get_host_stats() scsi: qla2xxx: don't disable a not previously enabled PCI device 11 June 2017, 18:21:08 UTC
8f56821 Linus Torvalds 11 June 2017, 18:15:09 UTC Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm Pull libnvdimm fix from Dan Williams: "We expanded the device-dax fs type in 4.12 to be a generic provider of a struct dax_device with an embedded inode. However, Sasha found some basic negative testing was not run to verify that this fs cleanly handles being mounted directly. Note that the fresh rebase was done to remove an unnecessary Cc: <stable> tag, but this commit otherwise had a build success notification from the 0day robot." * 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm: device-dax: fix 'dax' device filesystem inode destruction crash 11 June 2017, 18:15:09 UTC
9d66af6 Linus Torvalds 11 June 2017, 18:09:15 UTC Merge tag 'hexagon-for-linus-v4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull hexagon fix from Guenter Roeck: "This fixes a build error seen when building hexagon images. Richard sent me an Ack, but didn't reply when asked if he wants me to send the patch to you directly, so I figured I'd just do it" * tag 'hexagon-for-linus-v4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hexagon: Use raw_copy_to_user 11 June 2017, 18:09:15 UTC
9d0eb46 Linus Torvalds 11 June 2017, 18:07:25 UTC Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull KVM fixes from Paolo Bonzini: "Bug fixes (ARM, s390, x86)" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: async_pf: avoid async pf injection when in guest mode KVM: cpuid: Fix read/write out-of-bounds vulnerability in cpuid emulation arm: KVM: Allow unaligned accesses at HYP arm64: KVM: Allow unaligned accesses at EL2 arm64: KVM: Preserve RES1 bits in SCTLR_EL2 KVM: arm/arm64: Handle possible NULL stage2 pud when ageing pages KVM: nVMX: Fix exception injection kvm: async_pf: fix rcu_irq_enter() with irqs enabled KVM: arm/arm64: vgic-v3: Fix nr_pre_bits bitfield extraction KVM: s390: fix ais handling vs cpu model KVM: arm/arm64: Fix isues with GICv2 on GICv3 migration 11 June 2017, 18:07:25 UTC
9bc1f09 Wanpeng Li 09 June 2017, 03:13:40 UTC KVM: async_pf: avoid async pf injection when in guest mode INFO: task gnome-terminal-:1734 blocked for more than 120 seconds. Not tainted 4.12.0-rc4+ #8 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. gnome-terminal- D 0 1734 1015 0x00000000 Call Trace: __schedule+0x3cd/0xb30 schedule+0x40/0x90 kvm_async_pf_task_wait+0x1cc/0x270 ? __vfs_read+0x37/0x150 ? prepare_to_swait+0x22/0x70 do_async_page_fault+0x77/0xb0 ? do_async_page_fault+0x77/0xb0 async_page_fault+0x28/0x30 This is triggered by running both win7 and win2016 on L1 KVM simultaneously, and then gives stress to memory on L1, I can observed this hang on L1 when at least ~70% swap area is occupied on L0. This is due to async pf was injected to L2 which should be injected to L1, L2 guest starts receiving pagefault w/ bogus %cr2(apf token from the host actually), and L1 guest starts accumulating tasks stuck in D state in kvm_async_pf_task_wait() since missing PAGE_READY async_pfs. This patch fixes the hang by doing async pf when executing L1 guest. Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Radim Krčmář <rkrcmar@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> 11 June 2017, 06:39:24 UTC
4d801cc Guenter Roeck 03 May 2017, 03:44:16 UTC hexagon: Use raw_copy_to_user Commit ac4691fac8ad ("hexagon: switch to RAW_COPY_USER") replaced __copy_to_user_hexagon() with raw_copy_to_user(), but did not catch all callers, resulting in the following build error. arch/hexagon/mm/uaccess.c: In function '__clear_user_hexagon': arch/hexagon/mm/uaccess.c:40:3: error: implicit declaration of function '__copy_to_user_hexagon' Fixes: ac4691fac8ad ("hexagon: switch to RAW_COPY_USER") Cc: Al Viro <viro@zeniv.linux.org.uk> Acked-by: Al Viro <viro@zeniv.linux.org.uk> Acked-by: Richard Kuo <rkuo@codeaurora.org> Signed-off-by: Guenter Roeck <linux@roeck-us.net> 11 June 2017, 02:10:31 UTC
5faab9e Linus Torvalds 10 June 2017, 18:09:23 UTC Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull UFS fixes from Al Viro: "This is just the obvious backport fodder; I'm pretty sure that there will be more - definitely so wrt performance and quite possibly correctness as well" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: ufs: we need to sync inode before freeing it excessive checks in ufs_write_failed() and ufs_evict_inode() ufs_getfrag_block(): we only grab ->truncate_mutex on block creation path ufs_extend_tail(): fix the braino in calling conventions of ufs_new_fragments() ufs: set correct ->s_maxsize ufs: restore maintaining ->i_blocks fix ufs_isblockset() ufs: restore proper tail allocation 10 June 2017, 18:09:23 UTC
66cea28 Linus Torvalds 10 June 2017, 18:06:05 UTC Merge branch 'for-linus-4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs Pull btrfs fixes from Chris Mason: "Some fixes that Dave Sterba collected. We've been hitting an early enospc problem on production machines that Omar tracked down to an old int->u64 mistake. I waited a bit on this pull to make sure it was really the problem from production, but it's on ~2100 hosts now and I think we're good. Omar also noticed a commit in the queue would make new early ENOSPC problems. I pulled that out for now, which is why the top three commits are younger than the rest. Otherwise these are all fixes, some explaining very old bugs that we've been poking at for a while" * 'for-linus-4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs: Btrfs: fix delalloc accounting leak caused by u32 overflow Btrfs: clear EXTENT_DEFRAG bits in finish_ordered_io btrfs: tree-log.c: Wrong printk information about namelen btrfs: fix race with relocation recovery and fs_root setup btrfs: fix memory leak in update_space_info failure path btrfs: use correct types for page indices in btrfs_page_exists_in_range btrfs: fix incorrect error return ret being passed to mapping_set_error btrfs: Make flush bios explicitely sync btrfs: fiemap: Cache and merge fiemap extent before submit it to user 10 June 2017, 18:06:05 UTC
ac1a14a Linus Torvalds 10 June 2017, 17:51:25 UTC Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Ingo Molnar: "Misc fixes: a Geode fix plus a microcode loader fix" * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/microcode/intel: Clear patch pointer before jettisoning the initrd x86/cpu/cyrix: Add alternative Device ID of Geode GX1 SoC 10 June 2017, 17:51:25 UTC
45b44f0 Linus Torvalds 10 June 2017, 17:49:42 UTC Merge branch 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull CPU hotplug fix from Ingo Molnar: "An error handling corner case fix" * 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: cpu/hotplug: Drop the device lock on error 10 June 2017, 17:49:42 UTC
6b7ed45 Linus Torvalds 10 June 2017, 17:22:35 UTC Merge branch 'rcu-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull RCU fixes from Ingo Molnar: "Fix an SRCU bug affecting KVM IRQ injection" * 'rcu-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: srcu: Allow use of Classic SRCU from both process and interrupt context srcu: Allow use of Tiny/Tree SRCU from both process and interrupt context 10 June 2017, 17:22:35 UTC
f701d86 Linus Torvalds 10 June 2017, 17:15:47 UTC Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fixes from Ingo Molnar: "This is mostly tooling fixes, plus an instruction pointer filtering fix. It's more fixes than usual - Arnaldo got back from a longer vacation and there was a backlog" * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (27 commits) perf symbols: Kill dso__build_id_is_kmod() perf symbols: Keep DSO->symtab_type after decompress perf tests: Decompress kernel module before objdump perf tools: Consolidate error path in __open_dso() perf tools: Decompress kernel module when reading DSO data perf annotate: Use dso__decompress_kmodule_path() perf tools: Introduce dso__decompress_kmodule_{fd,path} perf tools: Fix a memory leak in __open_dso() perf annotate: Fix symbolic link of build-id cache perf/core: Drop kernel samples even though :u is specified perf script python: Remove dups in documentation examples perf script python: Updated trace_unhandled() signature perf script python: Fix wrong code snippets in documentation perf script: Fix documentation errors perf script: Fix outdated comment for perf-trace-python perf probe: Fix examples section of documentation perf report: Ensure the perf DSO mapping matches what libdw sees perf report: Include partial stacks unwound with libdw perf annotate: Add missing powerpc triplet perf test: Disable breakpoint signal tests for powerpc ... 10 June 2017, 17:15:47 UTC
9376906 Linus Torvalds 10 June 2017, 17:12:14 UTC Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull EFI fix from Ingo Molnar: "A boot crash fix for certain systems where the kernel would trust a piece of firmware data it should not have" * 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: efi: Fix boot panic because of invalid BGRT image address 10 June 2017, 17:12:14 UTC
67a7001 Al Viro 10 June 2017, 16:01:50 UTC ufs: we need to sync inode before freeing it Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 10 June 2017, 16:02:28 UTC
179145e Linus Torvalds 10 June 2017, 05:30:55 UTC Merge tag 'iommu-fixes-v4.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu Pull IOMMU fixes from Joerg Roedel: - another compile-fix for my header cleanup - a couple of fixes for the recently merged IOMMU probe deferal code - fixes for ACPI/IORT code necessary with IOMMU probe deferal * tag 'iommu-fixes-v4.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu: arm: dma-mapping: Reset the device's dma_ops ACPI/IORT: Move the check to get iommu_ops from translated fwspec ARM: dma-mapping: Don't tear down third-party mappings ACPI/IORT: Ignore all errors except EPROBE_DEFER iommu/of: Ignore all errors except EPROBE_DEFER iommu/of: Fix check for returning EPROBE_DEFER iommu/dma: Fix function declaration 10 June 2017, 05:30:55 UTC
c7a1aef Linus Torvalds 10 June 2017, 05:28:33 UTC Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input Pull input fixes from Dmitry Torokhov: - mark "guest" RMI device as pass-through port to avoid "phantom" ALPS toouchpad on newer Lenovo Carbons - add two more laptops to the Elantech's lists of devices using CRC mode * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: synaptics-rmi4 - register F03 port as pass-through serio Input: elantech - add Fujitsu Lifebook E546/E557 to force crc_enabled 10 June 2017, 05:28:33 UTC
2833b7e Linus Torvalds 10 June 2017, 05:24:23 UTC Merge tag 'md/4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md Pull MD bugfix from Shaohua Li: "One bug fix from Neil Brown for MD. The bug was introduced in this cycle" * tag 'md/4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md: md: initialise ->writes_pending in personality modules. 10 June 2017, 05:24:23 UTC
42211f6 Linus Torvalds 10 June 2017, 05:18:41 UTC Merge branch 'for-linus' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: "A set of fixes in the area of block IO, that should go into the next -rc release. This contains: - An OOPS fix from Dmitry, fixing a regression with the bio integrity code in this series. - Fix truncation of elevator io context cache name, from Eric Biggers. - NVMe pull from Christoph includes FC fixes from James, APST fixes/tweaks from Kai-Heng, removal fix from Rakesh, and an RDMA fix from Sagi. - Two tweaks for the block throttling code. One from Joseph Qi, fixing an oops from the timer code, and one from Shaohua, improving the behavior on rotatonal storage. - Two blk-mq fixes from Ming, fixing corner cases with the direct issue code. - Locking fix for bfq cgroups from Paolo" * 'for-linus' of git://git.kernel.dk/linux-block: block, bfq: access and cache blkg data only when safe Fix loop device flush before configure v3 blk-throttle: set default latency baseline for harddisk blk-throttle: fix NULL pointer dereference in throtl_schedule_pending_timer nvme: relax APST default max latency to 100ms nvme: only consider exit latency when choosing useful non-op power states nvme-fc: fix missing put reference on controller create failure nvme-fc: on lldd/transport io error, terminate association nvme-rdma: fast fail incoming requests while we reconnect nvme-pci: fix multiple ctrl removal scheduling nvme: fix hang in remove path elevator: fix truncation of icq_cache_name blk-mq: fix direct issue blk-mq: pass correct hctx to blk_mq_try_issue_directly bio-integrity: Do not allocate integrity context for bio w/o data 10 June 2017, 05:18:41 UTC
39e4edf Linus Torvalds 10 June 2017, 05:15:08 UTC Merge tag 'sound-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "This update contains a slightly hight amount of changes due to the pending ASoC fixes: - ALSA timer core got a couple of fixes for races between read and ioctl, leading to potential read of uninitialized kmalloced memory - ASoC core fixed the de-registration pattern for use-after-free bug - The rewrite of probe code in ASoC Intel Skylake for i915 component - ASoC R-snd got a series of fixes for SSI - ASoC simple-card, atmel, da7213, and rt286 trivial fixes - HD-audio ALC269 quirk and rearrangement of quirk table" * tag 'sound-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT ALSA: timer: Fix race between read and ioctl ALSA: hda/realtek - Reorder ALC269 ASUS quirk entries ALSA: hda/realtek: Fix mic and headset jack sense on Asus X705UD ASoC: rsnd: fixup parent_clk_name of AUDIO_CLKOUTx ASoC: Intel: Skylake: Fix to parse consecutive string tkns in manifest ASoC: Intel: Skylake: Fix IPC rx_list corruption ASoC: rsnd: SSI PIO adjust to 24bit mode MAINTAINERS: Update email address for patches to Wolfson parts ASoC: Fix use-after-free at card unregistration ASoC: simple-card: fix mic jack initialization ASoC: rsnd: don't call free_irq() on Parent SSI ASoC: atmel-classd: sync regcache when resuming ASoC: rsnd: don't use PDTA bit for 24bit on SSI ASoC: da7213: Fix incorrect usage of bitwise '&' operator for SRM check rt286: add Thinkpad Helix 2 to force_combo_jack_table ASoC: Intel: Skylake: Move i915 registration to worker thread 10 June 2017, 05:15:08 UTC
6107cc5 Linus Torvalds 10 June 2017, 05:12:06 UTC Merge tag 'drm-fixes-for-v4.12-rc5' of git://people.freedesktop.org/~airlied/linux Pull drm fixes from Dave Airlie: "Intel, nouveau, rockchip, vmwgfx, imx, meson, mediatek and core fixes. Bit more spread out fixes this time, fixes for 7 drivers + a couple of core fixes. i915 and vmwgfx are the main ones. The vmwgfx ones fix a bunch of regressions in their atomic rework, and a few fixes destined for stable. i915 has some 4.12 regressions and older things that need to be fixed in stable as well. nouveau also has some runtime pm fixes and a timer list handling fix, otherwise a couple of core and small driver regression fixes" * tag 'drm-fixes-for-v4.12-rc5' of git://people.freedesktop.org/~airlied/linux: (37 commits) drm/i915: fix warning for unused variable drm/meson: Fix driver bind when only CVBS is available drm/i915: Fix 90/270 rotated coordinates for FBC drm/i915: Restore has_fbc=1 for ILK-M drm/i915: Workaround VLV/CHV DSI scanline counter hardware fail drm/i915: Fix logical inversion for gen4 quirking drm/i915: Guard against i915_ggtt_disable_guc() being invoked unconditionally drm/i915: Always recompute watermarks when distrust_bios_wm is set, v2. drm/i915: Prevent the system suspend complete optimization drm/i915/psr: disable psr2 for resolution greater than 32X20 drm/i915: Hold a wakeref for probing the ring registers drm/i915: Short-circuit i915_gem_wait_for_idle() if already idle drm/i915: Disable decoupled MMIO drm/i915/guc: Remove stale comment for q_fail drm/vmwgfx: Bump driver minor and date drm/vmwgfx: Remove unused legacy cursor functions drm/vmwgfx: fix spelling mistake "exeeds" -> "exceeds" drm/vmwgfx: Fix large topology crash drm/vmwgfx: Make sure to update STDU when FB is updated drm/vmwgfx: Make sure backup_handle is always valid ... 10 June 2017, 05:12:06 UTC
babef37 Al Viro 09 June 2017, 20:20:34 UTC excessive checks in ufs_write_failed() and ufs_evict_inode() As it is, short copy in write() to append-only file will fail to truncate the excessive allocated blocks. As the matter of fact, all checks in ufs_truncate_blocks() are either redundant or wrong for that caller. As for the only other caller (ufs_evict_inode()), we only need the file type checks there. Cc: stable@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 09 June 2017, 20:28:01 UTC
006351a Al Viro 09 June 2017, 03:28:53 UTC ufs_getfrag_block(): we only grab ->truncate_mutex on block creation path Cc: stable@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 09 June 2017, 20:28:01 UTC
940ef1a Al Viro 09 June 2017, 03:27:12 UTC ufs_extend_tail(): fix the braino in calling conventions of ufs_new_fragments() ... and it really needs splitting into "new" and "extend" cases, but that's for later Cc: stable@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 09 June 2017, 20:28:01 UTC
6b0d144 Al Viro 09 June 2017, 01:15:45 UTC ufs: set correct ->s_maxsize Cc: stable@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 09 June 2017, 20:28:01 UTC
eb315d2 Al Viro 09 June 2017, 01:15:03 UTC ufs: restore maintaining ->i_blocks Cc: stable@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 09 June 2017, 20:28:01 UTC
414cf71 Al Viro 08 June 2017, 22:15:18 UTC fix ufs_isblockset() Cc: stable@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 09 June 2017, 20:28:01 UTC
8785d84 Al Viro 08 June 2017, 06:42:03 UTC ufs: restore proper tail allocation Cc: stable@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 09 June 2017, 20:28:01 UTC
70e7af2 Omar Sandoval 02 June 2017, 08:20:01 UTC Btrfs: fix delalloc accounting leak caused by u32 overflow btrfs_calc_trans_metadata_size() does an unsigned 32-bit multiplication, which can overflow if num_items >= 4 GB / (nodesize * BTRFS_MAX_LEVEL * 2). For a nodesize of 16kB, this overflow happens at 16k items. Usually, num_items is a small constant passed to btrfs_start_transaction(), but we also use btrfs_calc_trans_metadata_size() for metadata reservations for extent items in btrfs_delalloc_{reserve,release}_metadata(). In drop_outstanding_extents(), num_items is calculated as inode->reserved_extents - inode->outstanding_extents. The difference between these two counters is usually small, but if many delalloc extents are reserved and then the outstanding extents are merged in btrfs_merge_extent_hook(), the difference can become large enough to overflow in btrfs_calc_trans_metadata_size(). The overflow manifests itself as a leak of a multiple of 4 GB in delalloc_block_rsv and the metadata bytes_may_use counter. This in turn can cause early ENOSPC errors. Additionally, these WARN_ONs in extent-tree.c will be hit when unmounting: WARN_ON(fs_info->delalloc_block_rsv.size > 0); WARN_ON(fs_info->delalloc_block_rsv.reserved > 0); WARN_ON(space_info->bytes_pinned > 0 || space_info->bytes_reserved > 0 || space_info->bytes_may_use > 0); Fix it by casting nodesize to a u64 so that btrfs_calc_trans_metadata_size() does a full 64-bit multiplication. While we're here, do the same in btrfs_calc_trunc_metadata_size(); this can't overflow with any existing uses, but it's better to be safe here than have another hard-to-debug problem later on. Cc: stable@vger.kernel.org Signed-off-by: Omar Sandoval <osandov@fb.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: Chris Mason <clm@fb.com> 09 June 2017, 19:48:36 UTC
452e62b Liu Bo 26 May 2017, 23:44:23 UTC Btrfs: clear EXTENT_DEFRAG bits in finish_ordered_io Before this, we use 'filled' mode here, ie. if all range has been filled with EXTENT_DEFRAG bits, get to clear it, but if the defrag range joins the adjacent delalloc range, then we'll have EXTENT_DEFRAG bits in extent_state until releasing this inode's pages, and that prevents extent_data from being freed. This clears the bit if any was found within the ordered extent. Signed-off-by: Liu Bo <bo.li.liu@oracle.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Chris Mason <clm@fb.com> 09 June 2017, 19:48:29 UTC
286b92f Su Yue 24 May 2017, 01:31:32 UTC btrfs: tree-log.c: Wrong printk information about namelen In verify_dir_item, it wants to printk name_len of dir_item but printk data_len acutally. Fix it by calling btrfs_dir_name_len instead of btrfs_dir_data_len. Signed-off-by: Su Yue <suy.fnst@cn.fujitsu.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Chris Mason <clm@fb.com> 09 June 2017, 19:48:07 UTC
eb4125d Linus Torvalds 09 June 2017, 16:59:51 UTC Merge tag 'for-linus-4.12b-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip Pull xen fix from Juergen Gross: "A fix for Xen on ARM when dealing with 64kB page size of a guest" * tag 'for-linus-4.12b-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: xen/privcmd: Support correctly 64KB page granularity when mapping memory 09 June 2017, 16:59:51 UTC
a0897d5 Dmitry Torokhov 06 June 2017, 20:05:03 UTC Input: synaptics-rmi4 - register F03 port as pass-through serio The 5th generation Thinkpad X1 Carbons use Synaptics touchpads accessible over SMBus/RMI, combined with ALPS or Elantech trackpoint devices instead of classic IBM/Lenovo trackpoints. Unfortunately there is no way for ALPS driver to detect whether it is dealing with touchpad + trackpoint combination or just a trackpoint, so we end up with a "phantom" dualpoint ALPS device in addition to real touchpad and trackpoint. Given that we do not have any special advanced handling for ALPS or Elantech trackpoints (unlike IBM trackpoints that have separate driver and a host of options) we are better off keeping the trackpoints in PS/2 emulation mode. We achieve that by setting serio type to SERIO_PS_PSTHRU, which will limit number of protocols psmouse driver will try. In addition to getting rid of the "phantom" touchpads, this will also speed up probing of F03 pass-through port. Reported-by: Damjan Georgievski <gdamjan@gmail.com> Suggested-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 09 June 2017, 16:57:19 UTC
a92f63c Linus Torvalds 09 June 2017, 16:44:46 UTC Merge tag 'powerpc-4.12-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: "Mostly fairly minor, of note are: - Fix percpu allocations to be NUMA aware - Limit 4k page size config to 64TB virtual address space - Avoid needlessly restoring FP and vector registers Thanks to Aneesh Kumar K.V, Breno Leitao, Christophe Leroy, Frederic Barrat, Madhavan Srinivasan, Michael Bringmann, Nicholas Piggin, Vaibhav Jain" * tag 'powerpc-4.12-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/book3s64: Move PPC_DT_CPU_FTRs and enable it by default powerpc/mm/4k: Limit 4k page size config to 64TB virtual address space cxl: Fix error path on bad ioctl powerpc/perf: Fix Power9 test_adder fields powerpc/numa: Fix percpu allocations to be NUMA aware cxl: Avoid double free_irq() for psl,slice interrupts powerpc/kernel: Initialize load_tm on task creation powerpc/kernel: Fix FP and vector register restoration powerpc/64: Reclaim CPU_FTR_SUBCORE powerpc/hotplug-mem: Fix missing endian conversion of aa_index powerpc/sysdev/simple_gpio: Fix oops in gpio save_regs function powerpc/spufs: Fix coredump of SPU contexts powerpc/64s: Add dt_cpu_ftrs boot time setup option 09 June 2017, 16:44:46 UTC
788a73f Linus Torvalds 09 June 2017, 16:40:08 UTC Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc Pull ARM SoC fixes from Olof Johansson: "Been sitting on these for a couple of weeks waiting on some larger batches to come in but it's been pretty quiet. Just your garden variety fixes here: - A few maintainers updates (ep93xx, Exynos, TI, Marvell) - Some PM fixes for Atmel/at91 and Marvell - A few DT fixes for Marvell, Versatile, TI Keystone, bcm283x - A reset driver patch to set module license for symbol access" * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: MAINTAINERS: EP93XX: Update maintainership MAINTAINERS: remove kernel@stlinux.com obsolete mailing list ARM: dts: versatile: use #include "..." to include local DT MAINTAINERS: add device-tree files to TI DaVinci entry ARM: at91: select CONFIG_ARM_CPU_SUSPEND ARM: dts: keystone-k2l: fix broken Ethernet due to disabled OSR arm64: defconfig: enable some core options for 64bit Rockchip socs arm64: marvell: dts: fix interrupts in 7k/8k crypto nodes reset: hi6220: Set module license so that it can be loaded MAINTAINERS: add irqchip related drivers to Marvell EBU maintainers MAINTAINERS: sort F entries for Marvell EBU maintainers ARM: davinci: PM: Do not free useful resources in normal path in 'davinci_pm_init' ARM: davinci: PM: Free resources in error handling path in 'davinci_pm_init' ARM: dts: bcm283x: Reserve first page for firmware memory: atmel-ebi: mark PM ops as __maybe_unused MAINTAINERS: Remove Javier Martinez Canillas as reviewer for Exynos 09 June 2017, 16:40:08 UTC
b9d39d1 Dan Williams 09 June 2017, 15:50:49 UTC device-dax: fix 'dax' device filesystem inode destruction crash The inode destruction path for the 'dax' device filesystem incorrectly assumes that the inode was initialized through 'alloc_dax()'. However, if someone attempts to directly mount the dax filesystem with 'mount -t dax dax mnt' that will bypass 'alloc_dax()' and the following failure signatures may occur as a result: kill_dax() must be called before final iput() WARNING: CPU: 2 PID: 1188 at drivers/dax/super.c:243 dax_destroy_inode+0x48/0x50 RIP: 0010:dax_destroy_inode+0x48/0x50 Call Trace: destroy_inode+0x3b/0x60 evict+0x139/0x1c0 iput+0x1f9/0x2d0 dentry_unlink_inode+0xc3/0x160 __dentry_kill+0xcf/0x180 ? dput+0x37/0x3b0 dput+0x3a3/0x3b0 do_one_tree+0x36/0x40 shrink_dcache_for_umount+0x2d/0x90 generic_shutdown_super+0x1f/0x120 kill_anon_super+0x12/0x20 deactivate_locked_super+0x43/0x70 deactivate_super+0x4e/0x60 general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC RIP: 0010:kfree+0x6d/0x290 Call Trace: <IRQ> dax_i_callback+0x22/0x60 ? dax_destroy_inode+0x50/0x50 rcu_process_callbacks+0x298/0x740 ida_remove called for id=0 which is not allocated. WARNING: CPU: 0 PID: 0 at lib/idr.c:383 ida_remove+0x110/0x120 [..] Call Trace: <IRQ> ida_simple_remove+0x2b/0x50 ? dax_destroy_inode+0x50/0x50 dax_i_callback+0x3c/0x60 rcu_process_callbacks+0x298/0x740 Add missing initialization of the 'struct dax_device' and inode so that the destruction path does not kfree() or ida_simple_remove() uninitialized data. Fixes: 7b6be8444e0f ("dax: refactor dax-fs into a generic provider of 'struct dax_device' instances") Reported-by: Sasha Levin <alexander.levin@verizon.com> Signed-off-by: Dan Williams <dan.j.williams@intel.com> 09 June 2017, 15:50:49 UTC
792ef14 Dave Young 09 June 2017, 08:45:58 UTC efi: Fix boot panic because of invalid BGRT image address Maniaxx reported a kernel boot crash in the EFI code, which I emulated by using same invalid phys addr in code: BUG: unable to handle kernel paging request at ffffffffff280001 IP: efi_bgrt_init+0xfb/0x153 ... Call Trace: ? bgrt_init+0xbc/0xbc acpi_parse_bgrt+0xe/0x12 acpi_table_parse+0x89/0xb8 acpi_boot_init+0x445/0x4e2 ? acpi_parse_x2apic+0x79/0x79 ? dmi_ignore_irq0_timer_override+0x33/0x33 setup_arch+0xb63/0xc82 ? early_idt_handler_array+0x120/0x120 start_kernel+0xb7/0x443 ? early_idt_handler_array+0x120/0x120 x86_64_start_reservations+0x29/0x2b x86_64_start_kernel+0x154/0x177 secondary_startup_64+0x9f/0x9f There is also a similar bug filed in bugzilla.kernel.org: https://bugzilla.kernel.org/show_bug.cgi?id=195633 The crash is caused by this commit: 7b0a911478c7 efi/x86: Move the EFI BGRT init code to early init code The root cause is the firmware on those machines provides invalid BGRT image addresses. In a kernel before above commit BGRT initializes late and uses ioremap() to map the image address. Ioremap validates the address, if it is not a valid physical address ioremap() just fails and returns. However in current kernel EFI BGRT initializes early and uses early_memremap() which does not validate the image address, and kernel panic happens. According to ACPI spec the BGRT image address should fall into EFI_BOOT_SERVICES_DATA, see the section 5.2.22.4 of below document: http://www.uefi.org/sites/default/files/resources/ACPI_6_1.pdf Fix this issue by validating the image address in efi_bgrt_init(). If the image address does not fall into any EFI_BOOT_SERVICES_DATA areas we just bail out with a warning message. Reported-by: Maniaxx <tripleshiftone@gmail.com> Signed-off-by: Dave Young <dyoung@redhat.com> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Matt Fleming <matt@codeblueprint.co.uk> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: linux-efi@vger.kernel.org Fixes: 7b0a911478c7 ("efi/x86: Move the EFI BGRT init code to early init code") Link: http://lkml.kernel.org/r/20170609084558.26766-2-ard.biesheuvel@linaro.org Signed-off-by: Ingo Molnar <mingo@kernel.org> 09 June 2017, 12:50:11 UTC
ed45509 Vaibhav Jain 02 June 2017, 16:56:48 UTC cxl: Avoid double free_irq() for psl,slice interrupts During an eeh call to cxl_remove can result in double free_irq of psl,slice interrupts. This can happen if perst_reloads_same_image == 1 and call to cxl_configure_adapter() fails during slot_reset callback. In such a case we see a kernel oops with following back-trace: Oops: Kernel access of bad area, sig: 11 [#1] Call Trace: free_irq+0x88/0xd0 (unreliable) cxl_unmap_irq+0x20/0x40 [cxl] cxl_native_release_psl_irq+0x78/0xd8 [cxl] pci_deconfigure_afu+0xac/0x110 [cxl] cxl_remove+0x104/0x210 [cxl] pci_device_remove+0x6c/0x110 device_release_driver_internal+0x204/0x2e0 pci_stop_bus_device+0xa0/0xd0 pci_stop_and_remove_bus_device+0x28/0x40 pci_hp_remove_devices+0xb0/0x150 pci_hp_remove_devices+0x68/0x150 eeh_handle_normal_event+0x140/0x580 eeh_handle_event+0x174/0x360 eeh_event_handler+0x1e8/0x1f0 This patch fixes the issue of double free_irq by checking that variables that hold the virqs (err_hwirq, serr_hwirq, psl_virq) are not '0' before un-mapping and resetting these variables to '0' when they are un-mapped. Cc: stable@vger.kernel.org Signed-off-by: Vaibhav Jain <vaibhav@linux.vnet.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 09 June 2017, 09:30:53 UTC
fc7a906 Richard Genoud 01 June 2017, 12:18:26 UTC gpio: mvebu: fix gpio bank registration when pwm is used If more than one gpio bank has the "pwm" property, only one will be registered successfully, all the others will fail with: mvebu-gpio: probe of f1018140.gpio failed with error -17 That's because in alloc_pwms(), the chip->base (aka "int pwm"), was not set (thus, ==0) ; and 0 is a meaningful start value in alloc_pwm(). What was intended is mvpwm->chip->base = -1. Like that, the numbering will be done auto-magically Moreover, as the region might be already occupied by another pwm, we shouldn't force: mvpwm->chip->base = 0 nor mvpwm->chip->base = id * MVEBU_MAX_GPIO_PER_BANK; Tested on clearfog-pro (Marvell 88F6828) Fixes: 757642f9a584 ("gpio: mvebu: Add limited PWM support") Signed-off-by: Richard Genoud <richard.genoud@gmail.com> Reviewed-by: Gregory CLEMENT <gregory.clement@free-electrons.com> Signed-off-by: Linus Walleij <linus.walleij@linaro.org> 09 June 2017, 07:38:27 UTC
c528eb2 Richard Genoud 01 June 2017, 12:18:25 UTC gpio: mvebu: fix blink counter register selection The blink counter A was always selected because 0 was forced in the blink select counter register. The variable 'set' was obviously there to be used as the register value, selecting the B counter when id==1 and A counter when id==0. Tested on clearfog-pro (Marvell 88F6828) Fixes: 757642f9a584 ("gpio: mvebu: Add limited PWM support") Reviewed-by: Gregory CLEMENT <gregory.clement@free-electrons.com> Reviewed-by: Ralph Sennhauser <ralph.sennhauser@gmail.com> Signed-off-by: Richard Genoud <richard.genoud@gmail.com> Signed-off-by: Linus Walleij <linus.walleij@linaro.org> 09 June 2017, 07:36:59 UTC
8affb06 Ingo Molnar 09 June 2017, 06:17:10 UTC Merge branch 'rcu/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu into rcu/urgent Pull RCU fix from Paul E. McKenney: " This series enables srcu_read_lock() and srcu_read_unlock() to be used from interrupt handlers, which fixes a bug in KVM's use of SRCU in delivery of interrupts to guest OSes. " Signed-off-by: Ingo Molnar <mingo@kernel.org> 09 June 2017, 06:17:10 UTC
92347cf Mark Rutland 08 June 2017, 13:47:41 UTC KEYS: fix refcount_inc() on zero If a key's refcount is dropped to zero between key_lookup() peeking at the refcount and subsequently attempting to increment it, refcount_inc() will see a zero refcount. Here, refcount_inc() will WARN_ONCE(), and will *not* increment the refcount, which will remain zero. Once key_lookup() drops key_serial_lock, it is possible for the key to be freed behind our back. This patch uses refcount_inc_not_zero() to perform the peek and increment atomically. Fixes: fff292914d3a2f1e ("security, keys: convert key.usage from atomic_t to refcount_t") Signed-off-by: Mark Rutland <mark.rutland@arm.com> Signed-off-by: David Howells <dhowells@redhat.com> Cc: David Windsor <dwindsor@gmail.com> Cc: Elena Reshetova <elena.reshetova@intel.com> Cc: Hans Liljestrand <ishkamiel@gmail.com> Cc: James Morris <james.l.morris@oracle.com> Cc: Kees Cook <keescook@chromium.org> Cc: Peter Zijlstra <peterz@infradead.org> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:50 UTC
7cbe093 Mat Martineau 08 June 2017, 13:50:11 UTC KEYS: Convert KEYCTL_DH_COMPUTE to use the crypto KPP API The initial Diffie-Hellman computation made direct use of the MPI library because the crypto module did not support DH at the time. Now that KPP is implemented, KEYCTL_DH_COMPUTE should use it to get rid of duplicate code and leverage possible hardware acceleration. This fixes an issue whereby the input to the KDF computation would include additional uninitialized memory when the result of the Diffie-Hellman computation was shorter than the input prime number. Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:50 UTC
da7798a Loganaden Velvindron 08 June 2017, 13:50:04 UTC crypto : asymmetric_keys : verify_pefile:zero memory content before freeing Signed-off-by: Loganaden Velvindron <logan@hackers.mu> Signed-off-by: Yasir Auleear <yasirmx@hackers.mu> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:50 UTC
a773954 Eric Biggers 08 June 2017, 13:49:57 UTC KEYS: DH: add __user annotations to keyctl_kdf_params Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:49 UTC
0ddd9f1 Eric Biggers 08 June 2017, 13:49:49 UTC KEYS: DH: ensure the KDF counter is properly aligned Accessing a 'u8[4]' through a '__be32 *' violates alignment rules. Just make the counter a __be32 instead. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:49 UTC
281590b Eric Biggers 08 June 2017, 13:49:42 UTC KEYS: DH: don't feed uninitialized "otherinfo" into KDF If userspace called KEYCTL_DH_COMPUTE with kdf_params containing NULL otherinfo but nonzero otherinfolen, the kernel would allocate a buffer for the otherinfo, then feed it into the KDF without initializing it. Fix this by always doing the copy from userspace (which will fail with EFAULT in this scenario). Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:49 UTC
bbe2404 Eric Biggers 08 June 2017, 13:49:34 UTC KEYS: DH: forbid using digest_null as the KDF hash Requesting "digest_null" in the keyctl_kdf_params caused an infinite loop in kdf_ctr() because the "null" hash has a digest size of 0. Fix it by rejecting hash algorithms with a digest size of 0. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:49 UTC
0620fdd Eric Biggers 08 June 2017, 13:49:26 UTC KEYS: sanitize key structs before freeing While a 'struct key' itself normally does not contain sensitive information, Documentation/security/keys.txt actually encourages this: "Having a payload is not required; and the payload can, in fact, just be a value stored in the struct key itself." In case someone has taken this advice, or will take this advice in the future, zero the key structure before freeing it. We might as well, and as a bonus this could make it a bit more difficult for an adversary to determine which keys have recently been in use. This is safe because the key_jar cache does not use a constructor. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:48 UTC
ee618b4 Eric Biggers 08 June 2017, 13:49:18 UTC KEYS: trusted: sanitize all key material As the previous patch did for encrypted-keys, zero sensitive any potentially sensitive data related to the "trusted" key type before it is freed. Notably, we were not zeroing the tpm_buf structures in which the actual key is stored for TPM seal and unseal, nor were we zeroing the trusted_key_payload in certain error paths. Cc: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: David Safford <safford@us.ibm.com> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:48 UTC
a9dd74b Eric Biggers 08 June 2017, 13:49:11 UTC KEYS: encrypted: sanitize all key material For keys of type "encrypted", consistently zero sensitive key material before freeing it. This was already being done for the decrypted payloads of encrypted keys, but not for the master key and the keys derived from the master key. Out of an abundance of caution and because it is trivial to do so, also zero buffers containing the key payload in encrypted form, although depending on how the encrypted-keys feature is used such information does not necessarily need to be kept secret. Cc: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: David Safford <safford@us.ibm.com> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:48 UTC
6966c74 Eric Biggers 08 June 2017, 13:49:04 UTC KEYS: user_defined: sanitize key payloads Zero the payloads of user and logon keys before freeing them. This prevents sensitive key material from being kept around in the slab caches after a key is released. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:48 UTC
57070c8 Eric Biggers 08 June 2017, 13:48:57 UTC KEYS: sanitize add_key() and keyctl() key payloads Before returning from add_key() or one of the keyctl() commands that takes in a key payload, zero the temporary buffer that was allocated to hold the key payload copied from userspace. This may contain sensitive key material that should not be kept around in the slab caches. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:48 UTC
63a0b05 Eric Biggers 08 June 2017, 13:48:47 UTC KEYS: fix freeing uninitialized memory in key_update() key_update() freed the key_preparsed_payload even if it was not initialized first. This would cause a crash if userspace called keyctl_update() on a key with type like "asymmetric" that has a ->preparse() method but not an ->update() method. Possibly it could even be triggered for other key types by racing with keyctl_setperm() to make the KEY_NEED_WRITE check fail (the permission was already checked, so normally it wouldn't fail there). Reproducer with key type "asymmetric", given a valid cert.der: keyctl new_session keyid=$(keyctl padd asymmetric desc @s < cert.der) keyctl setperm $keyid 0x3f000000 keyctl update $keyid data [ 150.686666] BUG: unable to handle kernel NULL pointer dereference at 0000000000000001 [ 150.687601] IP: asymmetric_key_free_kids+0x12/0x30 [ 150.688139] PGD 38a3d067 [ 150.688141] PUD 3b3de067 [ 150.688447] PMD 0 [ 150.688745] [ 150.689160] Oops: 0000 [#1] SMP [ 150.689455] Modules linked in: [ 150.689769] CPU: 1 PID: 2478 Comm: keyctl Not tainted 4.11.0-rc4-xfstests-00187-ga9f6b6b8cd2f #742 [ 150.690916] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014 [ 150.692199] task: ffff88003b30c480 task.stack: ffffc90000350000 [ 150.692952] RIP: 0010:asymmetric_key_free_kids+0x12/0x30 [ 150.693556] RSP: 0018:ffffc90000353e58 EFLAGS: 00010202 [ 150.694142] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000004 [ 150.694845] RDX: ffffffff81ee3920 RSI: ffff88003d4b0700 RDI: 0000000000000001 [ 150.697569] RBP: ffffc90000353e60 R08: ffff88003d5d2140 R09: 0000000000000000 [ 150.702483] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001 [ 150.707393] R13: 0000000000000004 R14: ffff880038a4d2d8 R15: 000000000040411f [ 150.709720] FS: 00007fcbcee35700(0000) GS:ffff88003fd00000(0000) knlGS:0000000000000000 [ 150.711504] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 150.712733] CR2: 0000000000000001 CR3: 0000000039eab000 CR4: 00000000003406e0 [ 150.714487] Call Trace: [ 150.714975] asymmetric_key_free_preparse+0x2f/0x40 [ 150.715907] key_update+0xf7/0x140 [ 150.716560] ? key_default_cmp+0x20/0x20 [ 150.717319] keyctl_update_key+0xb0/0xe0 [ 150.718066] SyS_keyctl+0x109/0x130 [ 150.718663] entry_SYSCALL_64_fastpath+0x1f/0xc2 [ 150.719440] RIP: 0033:0x7fcbce75ff19 [ 150.719926] RSP: 002b:00007ffd5d167088 EFLAGS: 00000206 ORIG_RAX: 00000000000000fa [ 150.720918] RAX: ffffffffffffffda RBX: 0000000000404d80 RCX: 00007fcbce75ff19 [ 150.721874] RDX: 00007ffd5d16785e RSI: 000000002866cd36 RDI: 0000000000000002 [ 150.722827] RBP: 0000000000000006 R08: 000000002866cd36 R09: 00007ffd5d16785e [ 150.723781] R10: 0000000000000004 R11: 0000000000000206 R12: 0000000000404d80 [ 150.724650] R13: 00007ffd5d16784d R14: 00007ffd5d167238 R15: 000000000040411f [ 150.725447] Code: 83 c4 08 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 85 ff 74 23 55 48 89 e5 53 48 89 fb <48> 8b 3f e8 06 21 c5 ff 48 8b 7b 08 e8 fd 20 c5 ff 48 89 df e8 [ 150.727489] RIP: asymmetric_key_free_kids+0x12/0x30 RSP: ffffc90000353e58 [ 150.728117] CR2: 0000000000000001 [ 150.728430] ---[ end trace f7f8fe1da2d5ae8d ]--- Fixes: 4d8c0250b841 ("KEYS: Call ->free_preparse() even after ->preparse() returns an error") Cc: stable@vger.kernel.org # 3.17+ Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:47 UTC
5649645 Eric Biggers 08 June 2017, 13:48:40 UTC KEYS: fix dereferencing NULL payload with nonzero length sys_add_key() and the KEYCTL_UPDATE operation of sys_keyctl() allowed a NULL payload with nonzero length to be passed to the key type's ->preparse(), ->instantiate(), and/or ->update() methods. Various key types including asymmetric, cifs.idmap, cifs.spnego, and pkcs7_test did not handle this case, allowing an unprivileged user to trivially cause a NULL pointer dereference (kernel oops) if one of these key types was present. Fix it by doing the copy_from_user() when 'plen' is nonzero rather than when '_payload' is non-NULL, causing the syscall to fail with EFAULT as expected when an invalid buffer is specified. Cc: stable@vger.kernel.org # 2.6.10+ Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:47 UTC
0f534e4 Eric Biggers 08 June 2017, 13:48:32 UTC KEYS: encrypted: use constant-time HMAC comparison MACs should, in general, be compared using crypto_memneq() to prevent timing attacks. Cc: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:47 UTC
64d107d Eric Biggers 08 June 2017, 13:48:25 UTC KEYS: encrypted: fix race causing incorrect HMAC calculations The encrypted-keys module was using a single global HMAC transform, which could be rekeyed by multiple threads concurrently operating on different keys, causing incorrect HMAC values to be calculated. Fix this by allocating a new HMAC transform whenever we need to calculate a HMAC. Also simplify things a bit by allocating the shash_desc's using SHASH_DESC_ON_STACK() for both the HMAC and unkeyed hashes. The following script reproduces the bug: keyctl new_session keyctl add user master "abcdefghijklmnop" @s for i in $(seq 2); do ( set -e for j in $(seq 1000); do keyid=$(keyctl add encrypted desc$i "new user:master 25" @s) datablob="$(keyctl pipe $keyid)" keyctl unlink $keyid > /dev/null keyid=$(keyctl add encrypted desc$i "load $datablob" @s) keyctl unlink $keyid > /dev/null done ) & done Output with bug: [ 439.691094] encrypted_key: bad hmac (-22) add_key: Invalid argument add_key: Invalid argument Cc: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:47 UTC
794b4bc Eric Biggers 08 June 2017, 13:48:18 UTC KEYS: encrypted: fix buffer overread in valid_master_desc() With the 'encrypted' key type it was possible for userspace to provide a data blob ending with a master key description shorter than expected, e.g. 'keyctl add encrypted desc "new x" @s'. When validating such a master key description, validate_master_desc() could read beyond the end of the buffer. Fix this by using strncmp() instead of memcmp(). [Also clean up the code to deduplicate some logic.] Cc: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:46 UTC
e9ff56a Eric Biggers 08 June 2017, 13:48:10 UTC KEYS: encrypted: avoid encrypting/decrypting stack buffers Since v4.9, the crypto API cannot (normally) be used to encrypt/decrypt stack buffers because the stack may be virtually mapped. Fix this for the padding buffers in encrypted-keys by using ZERO_PAGE for the encryption padding and by allocating a temporary heap buffer for the decryption padding. Tested with CONFIG_DEBUG_SG=y: keyctl new_session keyctl add user master "abcdefghijklmnop" @s keyid=$(keyctl add encrypted desc "new user:master 25" @s) datablob="$(keyctl pipe $keyid)" keyctl unlink $keyid keyid=$(keyctl add encrypted desc "load $datablob" @s) datablob2="$(keyctl pipe $keyid)" [ "$datablob" = "$datablob2" ] && echo "Success!" Cc: Andy Lutomirski <luto@kernel.org> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: stable@vger.kernel.org # 4.9+ Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:46 UTC
d636bd9 Eric Biggers 08 June 2017, 13:48:03 UTC KEYS: put keyring if install_session_keyring_to_cred() fails In join_session_keyring(), if install_session_keyring_to_cred() were to fail, we would leak the keyring reference, just like in the bug fixed by commit 23567fd052a9 ("KEYS: Fix keyring ref leak in join_session_keyring()"). Fortunately this cannot happen currently, but we really should be more careful. Do this by adding and using a new error label at which the keyring reference is dropped. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:46 UTC
41f1c53 Markus Elfring 08 June 2017, 13:47:56 UTC KEYS: Delete an error message for a failed memory allocation in get_derived_key() Omit an extra message for a memory allocation failure in this function. This issue was detected by using the Coccinelle software. Link: http://events.linuxfoundation.org/sites/events/files/slides/LCJ16-Refactor_Strings-WSang_0.pdf Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:46 UTC
4e88016 Dan Carpenter 08 June 2017, 13:47:49 UTC X.509: Fix error code in x509_cert_parse() We forgot to set the error code on this path so it could result in returning NULL which leads to a NULL dereference. Fixes: db6c43bd2132 ("crypto: KEYS: convert public key and digsig asym to the akcipher api") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:45 UTC
381f20f Davidlohr Bueso 08 June 2017, 13:47:34 UTC security: use READ_ONCE instead of deprecated ACCESS_ONCE With the new standardized functions, we can replace all ACCESS_ONCE() calls across relevant security/keyrings/. ACCESS_ONCE() does not work reliably on non-scalar types. For example gcc 4.6 and 4.7 might remove the volatile tag for such accesses during the SRA (scalar replacement of aggregates) step: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145 Update the new calls regardless of if it is a scalar type, this is cleaner than having three alternatives. Signed-off-by: Davidlohr Bueso <dbueso@suse.de> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:45 UTC
47b2c3f Bilal Amarni 08 June 2017, 13:47:26 UTC security/keys: add CONFIG_KEYS_COMPAT to Kconfig CONFIG_KEYS_COMPAT is defined in arch-specific Kconfigs and is missing for several 64-bit architectures : mips, parisc, tile. At the moment and for those architectures, calling in 32-bit userspace the keyctl syscall would return an ENOSYS error. This patch moves the CONFIG_KEYS_COMPAT option to security/keys/Kconfig, to make sure the compatibility wrapper is registered by default for any 64-bit architecture as long as it is configured with CONFIG_COMPAT. [DH: Modified to remove arm64 compat enablement also as requested by Eric Biggers] Signed-off-by: Bilal Amarni <bilal.amarni@gmail.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Arnd Bergmann <arnd@arndb.de> cc: Eric Biggers <ebiggers3@gmail.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 09 June 2017, 03:29:45 UTC
6e88007 Dave Airlie 09 June 2017, 03:12:02 UTC Merge branch 'vmwgfx-fixes-4.12' of git://people.freedesktop.org/~thomash/linux into drm-fixes A bunch of fixes for vmwgfx 4.12 regressions and older stuff. In the latter case either trivial, cc'd stable or requiring backports for stable. * 'vmwgfx-fixes-4.12' of git://people.freedesktop.org/~thomash/linux: drm/vmwgfx: Bump driver minor and date drm/vmwgfx: Remove unused legacy cursor functions drm/vmwgfx: fix spelling mistake "exeeds" -> "exceeds" drm/vmwgfx: Fix large topology crash drm/vmwgfx: Make sure to update STDU when FB is updated drm/vmwgfx: Make sure backup_handle is always valid drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve() drm/vmwgfx: Don't create proxy surface for cursor drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl() 09 June 2017, 03:12:02 UTC
3d76917 Dave Airlie 09 June 2017, 02:18:07 UTC Merge tag 'drm-intel-fixes-2017-06-08' of git://anongit.freedesktop.org/git/drm-intel into drm-fixes drm/i915 fixes for v4.12-rc5 * tag 'drm-intel-fixes-2017-06-08' of git://anongit.freedesktop.org/git/drm-intel: drm/i915: fix warning for unused variable drm/i915: Fix 90/270 rotated coordinates for FBC drm/i915: Restore has_fbc=1 for ILK-M drm/i915: Workaround VLV/CHV DSI scanline counter hardware fail drm/i915: Fix logical inversion for gen4 quirking drm/i915: Guard against i915_ggtt_disable_guc() being invoked unconditionally drm/i915: Always recompute watermarks when distrust_bios_wm is set, v2. drm/i915: Prevent the system suspend complete optimization drm/i915/psr: disable psr2 for resolution greater than 32X20 drm/i915: Hold a wakeref for probing the ring registers drm/i915: Short-circuit i915_gem_wait_for_idle() if already idle drm/i915: Disable decoupled MMIO drm/i915/guc: Remove stale comment for q_fail drm/i915: Serialize GTT/Aperture accesses on BXT 09 June 2017, 02:18:07 UTC
b62dba5 Dave Airlie 09 June 2017, 02:17:27 UTC Merge tag 'drm-misc-fixes-2017-06-07' of git://anongit.freedesktop.org/git/drm-misc into drm-fixes Driver Changes: - kirin: Use correct dt port for the bridge (John) - meson: Fix regression caused by adding HDMI support to allow board configurations without HDMI (Neil) Cc: John Stultz <john.stultz@linaro.org> Cc: Neil Armstrong <narmstrong@baylibre.com> * tag 'drm-misc-fixes-2017-06-07' of git://anongit.freedesktop.org/git/drm-misc: drm/meson: Fix driver bind when only CVBS is available drm: kirin: Fix drm_of_find_panel_or_bridge conversion 09 June 2017, 02:17:27 UTC
97f607f Dave Airlie 09 June 2017, 02:17:00 UTC Merge branch 'mediatek-drm-fixes-4.12-rc1' of https://github.com/ckhu-mediatek/linux.git-tags into drm-fixes mediatek fixes * 'mediatek-drm-fixes-4.12-rc1' of https://github.com/ckhu-mediatek/linux.git-tags: drm/mediatek: fix mtk_hdmi_setup_vendor_specific_infoframe mistake drm/mediatek: fix a timeout loop 09 June 2017, 02:17:00 UTC
dd44c95 Dave Airlie 09 June 2017, 02:16:25 UTC Merge tag 'imx-drm-fixes-2017-06-08' of git://git.pengutronix.de/git/pza/linux into drm-fixes imx-drm: PRE clock gating, panelless LDB, and VDIC CSI selection fixes - Keep the external clock input to the PRE ungated and only use the internal soft reset to keep the module in low power state, to avoid sporadic startup failures. - Ignore -ENODEV return values from drm_of_find_panel_or_bridge in the LDB driver to fix probing for devices that still do not specify a panel in the device tree. - Fix the CSI input selection to the VDIC. According to experiments, the real behaviour differs a bit from the documentation. * tag 'imx-drm-fixes-2017-06-08' of git://git.pengutronix.de/git/pza/linux: gpu: ipu-v3: Fix CSI selection for VDIC drm/imx: imx-ldb: Accept drm_of_find_panel_or_bridge failure gpu: ipu-v3: pre: only use internal clock gating 09 June 2017, 02:16:25 UTC
0d22df9 Linus Torvalds 09 June 2017, 00:40:32 UTC Merge tag 'pm-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fixes from Rafael Wysocki: "These revert one problematic commit related to system sleep and fix one recent intel_pstate regression. Specifics: - Revert a recent commit that attempted to avoid spurious wakeups from suspend-to-idle via ACPI SCI, but introduced regressions on some systems (Rafael Wysocki). We will get back to the problem it tried to address in the next cycle. - Fix a possible division by 0 during intel_pstate initialization due to a missing check (Rafael Wysocki)" * tag 'pm-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: Revert "ACPI / sleep: Ignore spurious SCI wakeups from suspend-to-idle" cpufreq: intel_pstate: Avoid division by 0 in min_perf_pct_min() 09 June 2017, 00:40:32 UTC
aea4156 Linus Torvalds 08 June 2017, 23:28:49 UTC Merge tag 'modules-for-v4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux Pull module maintainer address change from Jessica Yu: "A single patch that advertises my email address change" * tag 'modules-for-v4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux: MAINTAINERS: update email address for Jessica Yu 08 June 2017, 23:28:49 UTC
fbd78af Rafael J. Wysocki 08 June 2017, 23:25:16 UTC Merge branches 'intel_pstate' and 'pm-sleep' * intel_pstate: cpufreq: intel_pstate: Avoid division by 0 in min_perf_pct_min() * pm-sleep: Revert "ACPI / sleep: Ignore spurious SCI wakeups from suspend-to-idle" 08 June 2017, 23:25:16 UTC
47c1ded Ingo Molnar 08 June 2017, 22:41:33 UTC Merge tag 'perf-urgent-for-mingo-4.12-20170608' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/urgent Pull perf/urgent fixes from Arnaldo Carvalho de Melo: - Fixes for handling compressed kernel modules (Namhyung Kim) - Fix handling old style build-id cache ($HOME/.debug/) (Namhyung Kim) - 'perf script' python/perl documentation fixes: outdated comments, invalid code snippets, etc (SeongJae Park) Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Ingo Molnar <mingo@kernel.org> 08 June 2017, 22:41:33 UTC
b89fe63 Namhyung Kim 08 June 2017, 07:31:09 UTC perf symbols: Kill dso__build_id_is_kmod() The commit e7ee40475760 ("perf symbols: Fix symbols searching for module in buildid-cache") added the function to check kernel modules reside in the build-id cache. This was because there's no way to identify a DSO which is actually a kernel module. So it searched linkname of the file and find ".ko" suffix. But this does not work for compressed kernel modules and now such DSOs hCcave correct symtab_type now. So no need to check it anymore. This patch essentially reverts the commit. Signed-off-by: Namhyung Kim <namhyung@kernel.org> Acked-by: Jiri Olsa <jolsa@kernel.org> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: David Ahern <dsahern@gmail.com> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Wang Nan <wangnan0@huawei.com> Cc: kernel-team@lge.com Link: http://lkml.kernel.org/r/20170608073109.30699-10-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> 08 June 2017, 18:39:34 UTC
c25ec42 Namhyung Kim 08 June 2017, 07:31:08 UTC perf symbols: Keep DSO->symtab_type after decompress The symsrc__init() overwrites dso->symtab_type as symsrc->type in dso__load_sym(). But for compressed kernel modules in the build-id cache, it should have original symtab type to be decompressed as needed. This fixes perf annotate to show disassembly of the function properly. Signed-off-by: Namhyung Kim <namhyung@kernel.org> Acked-by: Jiri Olsa <jolsa@kernel.org> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: David Ahern <dsahern@gmail.com> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Wang Nan <wangnan0@huawei.com> Cc: kernel-team@lge.com Link: http://lkml.kernel.org/r/20170608073109.30699-9-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> 08 June 2017, 18:39:26 UTC
94df104 Namhyung Kim 08 June 2017, 07:31:07 UTC perf tests: Decompress kernel module before objdump If a kernel modules is compressed, it should be decompressed before running objdump to parse binary data correctly. This fixes a failure of object code reading test for me. Signed-off-by: Namhyung Kim <namhyung@kernel.org> Acked-by: Adrian Hunter <adrian.hunter@intel.com> Acked-by: Jiri Olsa <jolsa@kernel.org> Cc: David Ahern <dsahern@gmail.com> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Wang Nan <wangnan0@huawei.com> Cc: kernel-team@lge.com Link: http://lkml.kernel.org/r/20170608073109.30699-8-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> 08 June 2017, 18:39:19 UTC
8ba29ad Namhyung Kim 08 June 2017, 07:31:06 UTC perf tools: Consolidate error path in __open_dso() On failure, it should free the 'name', so clean up the error path using goto. Signed-off-by: Namhyung Kim <namhyung@kernel.org> Suggested-by: Arnaldo Carvalho de Melo <acme@redhat.com> Acked-by: Jiri Olsa <jolsa@kernel.org> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: David Ahern <dsahern@gmail.com> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Wang Nan <wangnan0@huawei.com> Cc: kernel-team@lge.com Link: http://lkml.kernel.org/r/20170608073109.30699-7-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> 08 June 2017, 18:39:13 UTC
1d6b3c9 Namhyung Kim 08 June 2017, 07:31:05 UTC perf tools: Decompress kernel module when reading DSO data Currently perf decompresses kernel modules when loading the symbol table but it missed to do it when reading raw data. Signed-off-by: Namhyung Kim <namhyung@kernel.org> Acked-by: Jiri Olsa <jolsa@kernel.org> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: David Ahern <dsahern@gmail.com> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Wang Nan <wangnan0@huawei.com> Cc: kernel-team@lge.com Link: http://lkml.kernel.org/r/20170608073109.30699-6-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> 08 June 2017, 18:39:07 UTC
3c84fd5 Namhyung Kim 08 June 2017, 07:31:04 UTC perf annotate: Use dso__decompress_kmodule_path() Convert open-coded decompress routine to use the function. Signed-off-by: Namhyung Kim <namhyung@kernel.org> Acked-by: Jiri Olsa <jolsa@kernel.org> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: David Ahern <dsahern@gmail.com> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Wang Nan <wangnan0@huawei.com> Cc: kernel-team@lge.com Link: http://lkml.kernel.org/r/20170608073109.30699-5-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> 08 June 2017, 18:39:02 UTC
42b3fa6 Namhyung Kim 08 June 2017, 07:31:03 UTC perf tools: Introduce dso__decompress_kmodule_{fd,path} Move decompress_kmodule() to util/dso.c and split it into two functions returning fd and (decompressed) file path. The existing user only wants the fd version but the path version will be used soon. Signed-off-by: Namhyung Kim <namhyung@kernel.org> Acked-by: Jiri Olsa <jolsa@kernel.org> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: David Ahern <dsahern@gmail.com> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Wang Nan <wangnan0@huawei.com> Cc: kernel-team@lge.com Link: http://lkml.kernel.org/r/20170608073109.30699-4-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> 08 June 2017, 18:38:55 UTC
44ad6b8 Namhyung Kim 08 June 2017, 07:31:02 UTC perf tools: Fix a memory leak in __open_dso() The 'name' variable should be freed on the error path. Signed-off-by: Namhyung Kim <namhyung@kernel.org> Acked-by: Jiri Olsa <jolsa@kernel.org> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: David Ahern <dsahern@gmail.com> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Wang Nan <wangnan0@huawei.com> Cc: kernel-team@lge.com Link: http://lkml.kernel.org/r/20170608073109.30699-3-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> 08 June 2017, 18:38:47 UTC
3619ef7 Namhyung Kim 08 June 2017, 07:31:01 UTC perf annotate: Fix symbolic link of build-id cache The commit 6ebd2547dd24 ("perf annotate: Fix a bug following symbolic link of a build-id file") changed to use dirname to follow the symlink. But it only considers new-style build-id cache names so old names fail on readlink() and force to use system path which might not available. Signed-off-by: Namhyung Kim <namhyung@kernel.org> Acked-by: Jiri Olsa <jolsa@kernel.org> Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: David Ahern <dsahern@gmail.com> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Taeung Song <treeze.taeung@gmail.com> Cc: Wang Nan <wangnan0@huawei.com> Cc: kernel-team@lge.com Fixes: 6ebd2547dd24 ("perf annotate: Fix a bug following symbolic link of a build-id file") Link: http://lkml.kernel.org/r/20170608073109.30699-2-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> 08 June 2017, 18:38:41 UTC
dc0cf5a Linus Torvalds 08 June 2017, 17:50:04 UTC Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk Pull printk fix from Petr Mladek: "This reverts a fix added into 4.12-rc1. It caused the kernel log to be printed on another console when two consoles of the same type were defined, e.g. console=ttyS0 console=ttyS1. This configuration was never supported by kernel itself, but it started to make sense with systemd. In other words, the commit broke userspace" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk: Revert "printk: fix double printing with earlycon" 08 June 2017, 17:50:04 UTC
d0aab7d Linus Torvalds 08 June 2017, 17:02:58 UTC Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fixes from Herbert Xu: "This fixes a couple of places in the crypto code that were doing interruptible sleeps dangerously. They have been converted to use non-interruptible sleeps. This also fixes a bug in asymmetric_keys where it would trigger a use-after-free if a request returned EBUSY due to a full device queue" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: gcm - wait for crypto op not signal safe crypto: drbg - wait for crypto op not signal safe crypto: asymmetric_keys - handle EBUSY due to backlog correctly 08 June 2017, 17:02:58 UTC
8f9bebc Paolo Valente 05 June 2017, 08:11:15 UTC block, bfq: access and cache blkg data only when safe In blk-cgroup, operations on blkg objects are protected with the request_queue lock. This is no more the lock that protects I/O-scheduler operations in blk-mq. In fact, the latter are now protected with a finer-grained per-scheduler-instance lock. As a consequence, although blkg lookups are also rcu-protected, blk-mq I/O schedulers may see inconsistent data when they access blkg and blkg-related objects. BFQ does access these objects, and does incur this problem, in the following case. The blkg_lookup performed in bfq_get_queue, being protected (only) through rcu, may happen to return the address of a copy of the original blkg. If this is the case, then the blkg_get performed in bfq_get_queue, to pin down the blkg, is useless: it does not prevent blk-cgroup code from destroying both the original blkg and all objects directly or indirectly referred by the copy of the blkg. BFQ accesses these objects, which typically causes a crash for NULL-pointer dereference of memory-protection violation. Some additional protection mechanism should be added to blk-cgroup to address this issue. In the meantime, this commit provides a quick temporary fix for BFQ: cache (when safe) blkg data that might disappear right after a blkg_lookup. In particular, this commit exploits the following facts to achieve its goal without introducing further locks. Destroy operations on a blkg invoke, as a first step, hooks of the scheduler associated with the blkg. And these hooks are executed with bfqd->lock held for BFQ. As a consequence, for any blkg associated with the request queue an instance of BFQ is attached to, we are guaranteed that such a blkg is not destroyed, and that all the pointers it contains are consistent, while that instance is holding its bfqd->lock. A blkg_lookup performed with bfqd->lock held then returns a fully consistent blkg, which remains consistent until this lock is held. In more detail, this holds even if the returned blkg is a copy of the original one. Finally, also the object describing a group inside BFQ needs to be protected from destruction on the blkg_free of the original blkg (which invokes bfq_pd_free). This commit adds private refcounting for this object, to let it disappear only after no bfq_queue refers to it any longer. This commit also removes or updates some stale comments on locking issues related to blk-cgroup operations. Reported-by: Tomas Konir <tomas.konir@gmail.com> Reported-by: Lee Tibbert <lee.tibbert@gmail.com> Reported-by: Marco Piazza <mpiazza@gmail.com> Signed-off-by: Paolo Valente <paolo.valente@linaro.org> Tested-by: Tomas Konir <tomas.konir@gmail.com> Tested-by: Lee Tibbert <lee.tibbert@gmail.com> Tested-by: Marco Piazza <mpiazza@gmail.com> Signed-off-by: Jens Axboe <axboe@fb.com> 08 June 2017, 15:51:10 UTC
1123a60 Paolo Bonzini 31 May 2017, 12:03:11 UTC srcu: Allow use of Classic SRCU from both process and interrupt context Linu Cherian reported a WARN in cleanup_srcu_struct() when shutting down a guest running iperf on a VFIO assigned device. This happens because irqfd_wakeup() calls srcu_read_lock(&kvm->irq_srcu) in interrupt context, while a worker thread does the same inside kvm_set_irq(). If the interrupt happens while the worker thread is executing __srcu_read_lock(), updates to the Classic SRCU ->lock_count[] field or the Tree SRCU ->srcu_lock_count[] field can be lost. The docs say you are not supposed to call srcu_read_lock() and srcu_read_unlock() from irq context, but KVM interrupt injection happens from (host) interrupt context and it would be nice if SRCU supported the use case. KVM is using SRCU here not really for the "sleepable" part, but rather due to its IPI-free fast detection of grace periods. It is therefore not desirable to switch back to RCU, which would effectively revert commit 719d93cd5f5c ("kvm/irqchip: Speed up KVM_SET_GSI_ROUTING", 2014-01-16). However, the docs are overly conservative. You can have an SRCU instance only has users in irq context, and you can mix process and irq context as long as process context users disable interrupts. In addition, __srcu_read_unlock() actually uses this_cpu_dec() on both Tree SRCU and Classic SRCU. For those two implementations, only srcu_read_lock() is unsafe. When Classic SRCU's __srcu_read_unlock() was changed to use this_cpu_dec(), in commit 5a41344a3d83 ("srcu: Simplify __srcu_read_unlock() via this_cpu_dec()", 2012-11-29), __srcu_read_lock() did two increments. Therefore it kept __this_cpu_inc(), with preempt_disable/enable in the caller. Tree SRCU however only does one increment, so on most architectures it is more efficient for __srcu_read_lock() to use this_cpu_inc(), and any performance differences appear to be down in the noise. Cc: stable@vger.kernel.org Fixes: 719d93cd5f5c ("kvm/irqchip: Speed up KVM_SET_GSI_ROUTING") Reported-by: Linu Cherian <linuc.decode@gmail.com> Suggested-by: Linu Cherian <linuc.decode@gmail.com> Cc: kvm@vger.kernel.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> 08 June 2017, 15:25:19 UTC
cdf7abc Paolo Bonzini 31 May 2017, 12:03:10 UTC srcu: Allow use of Tiny/Tree SRCU from both process and interrupt context Linu Cherian reported a WARN in cleanup_srcu_struct() when shutting down a guest running iperf on a VFIO assigned device. This happens because irqfd_wakeup() calls srcu_read_lock(&kvm->irq_srcu) in interrupt context, while a worker thread does the same inside kvm_set_irq(). If the interrupt happens while the worker thread is executing __srcu_read_lock(), updates to the Classic SRCU ->lock_count[] field or the Tree SRCU ->srcu_lock_count[] field can be lost. The docs say you are not supposed to call srcu_read_lock() and srcu_read_unlock() from irq context, but KVM interrupt injection happens from (host) interrupt context and it would be nice if SRCU supported the use case. KVM is using SRCU here not really for the "sleepable" part, but rather due to its IPI-free fast detection of grace periods. It is therefore not desirable to switch back to RCU, which would effectively revert commit 719d93cd5f5c ("kvm/irqchip: Speed up KVM_SET_GSI_ROUTING", 2014-01-16). However, the docs are overly conservative. You can have an SRCU instance only has users in irq context, and you can mix process and irq context as long as process context users disable interrupts. In addition, __srcu_read_unlock() actually uses this_cpu_dec() on both Tree SRCU and Classic SRCU. For those two implementations, only srcu_read_lock() is unsafe. When Classic SRCU's __srcu_read_unlock() was changed to use this_cpu_dec(), in commit 5a41344a3d83 ("srcu: Simplify __srcu_read_unlock() via this_cpu_dec()", 2012-11-29), __srcu_read_lock() did two increments. Therefore it kept __this_cpu_inc(), with preempt_disable/enable in the caller. Tree SRCU however only does one increment, so on most architectures it is more efficient for __srcu_read_lock() to use this_cpu_inc(), and any performance differences appear to be down in the noise. Unlike Classic and Tree SRCU, Tiny SRCU does increments and decrements on a single variable. Therefore, as Peter Zijlstra pointed out, Tiny SRCU's implementation already supports mixed-context use of srcu_read_lock() and srcu_read_unlock(), at least as long as uses of srcu_read_lock() and srcu_read_unlock() in each handler are nested and paired properly. In other words, it is still illegal to (say) invoke srcu_read_lock() in an interrupt handler and to invoke the matching srcu_read_unlock() in a softirq handler. Therefore, the only change required for Tiny SRCU is to its comments. Fixes: 719d93cd5f5c ("kvm/irqchip: Speed up KVM_SET_GSI_ROUTING") Reported-by: Linu Cherian <linuc.decode@gmail.com> Suggested-by: Linu Cherian <linuc.decode@gmail.com> Cc: kvm@vger.kernel.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Tested-by: Paolo Bonzini <pbonzini@redhat.com> 08 June 2017, 15:24:26 UTC
9e53932 Paolo Bonzini 08 June 2017, 14:35:18 UTC Merge tag 'kvm-s390-master-4.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux into HEAD KVM: s390: Fix for master (4.12) - The newly created AIS capability enables the feature unconditionally and ignores the cpu model 08 June 2017, 14:35:18 UTC
85d0331 Jens Axboe 08 June 2017, 14:33:45 UTC Merge branch 'nvme-4.12' of git://git.infradead.org/nvme into for-linus Christoph writes: "A few NVMe fixes for 4.12-rc, PCIe reset fixes and APST fixes, a RDMA reconnect fix, two FC fixes and a general controller removal fix." 08 June 2017, 14:33:45 UTC
ef6c4d7 Jani Nikula 08 June 2017, 13:58:23 UTC drm/i915: fix warning for unused variable drivers/gpu/drm/i915/intel_engine_cs.c: In function ‘intel_engine_is_idle’: drivers/gpu/drm/i915/intel_engine_cs.c:1103:27: error: unused variable ‘dev_priv’ [-Werror=unused-variable] struct drm_i915_private *dev_priv = engine->i915; ^~~~~~~~ Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk> Signed-off-by: Jani Nikula <jani.nikula@intel.com> 08 June 2017, 14:09:44 UTC
6460495 James Wang 08 June 2017, 06:52:51 UTC Fix loop device flush before configure v3 While installing SLES-12 (based on v4.4), I found that the installer will stall for 60+ seconds during LVM disk scan. The root cause was determined to be the removal of a bound device check in loop_flush() by commit b5dd2f6047ca ("block: loop: improve performance via blk-mq"). Restoring this check, examining ->lo_state as set by loop_set_fd() eliminates the bad behavior. Test method: modprobe loop max_loop=64 dd if=/dev/zero of=disk bs=512 count=200K for((i=0;i<4;i++))do losetup -f disk; done mkfs.ext4 -F /dev/loop0 for((i=0;i<4;i++))do mkdir t$i; mount /dev/loop$i t$i;done for f in `ls /dev/loop[0-9]*|sort`; do \ echo $f; dd if=$f of=/dev/null bs=512 count=1; \ done Test output: stock patched /dev/loop0 18.1217e-05 8.3842e-05 /dev/loop1 6.1114e-05 0.000147979 /dev/loop10 0.414701 0.000116564 /dev/loop11 0.7474 6.7942e-05 /dev/loop12 0.747986 8.9082e-05 /dev/loop13 0.746532 7.4799e-05 /dev/loop14 0.480041 9.3926e-05 /dev/loop15 1.26453 7.2522e-05 Note that from loop10 onward, the device is not mounted, yet the stock kernel consumes several orders of magnitude more wall time than it does for a mounted device. (Thanks for Mike Galbraith <efault@gmx.de>, give a changelog review.) Reviewed-by: Hannes Reinecke <hare@suse.com> Reviewed-by: Ming Lei <ming.lei@redhat.com> Signed-off-by: James Wang <jnwang@suse.com> Fixes: b5dd2f6047ca ("block: loop: improve performance via blk-mq") Signed-off-by: Jens Axboe <axboe@fb.com> 08 June 2017, 14:04:18 UTC
a364163 Wanpeng Li 08 June 2017, 08:22:07 UTC KVM: cpuid: Fix read/write out-of-bounds vulnerability in cpuid emulation If "i" is the last element in the vcpu->arch.cpuid_entries[] array, it potentially can be exploited the vulnerability. this will out-of-bounds read and write. Luckily, the effect is small: /* when no next entry is found, the current entry[i] is reselected */ for (j = i + 1; ; j = (j + 1) % nent) { struct kvm_cpuid_entry2 *ej = &vcpu->arch.cpuid_entries[j]; if (ej->function == e->function) { It reads ej->maxphyaddr, which is user controlled. However... ej->flags |= KVM_CPUID_FLAG_STATE_READ_NEXT; After cpuid_entries there is int maxphyaddr; struct x86_emulate_ctxt emulate_ctxt; /* 16-byte aligned */ So we have: - cpuid_entries at offset 1B50 (6992) - maxphyaddr at offset 27D0 (6992 + 3200 = 10192) - padding at 27D4...27DF - emulate_ctxt at 27E0 And it writes in the padding. Pfew, writing the ops field of emulate_ctxt would have been much worse. This patch fixes it by modding the index to avoid the out-of-bounds access. Worst case, i == j and ej->function == e->function, the loop can bail out. Reported-by: Moguofang <moguofang@huawei.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Radim Krčmář <rkrcmar@redhat.com> Cc: Guofang Mo <moguofang@huawei.com> Cc: stable@vger.kernel.org Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> 08 June 2017, 13:38:21 UTC
back to top