Commit Graph

890675 Commits

Author SHA1 Message Date
Daniel Vetter 4b848f20ed drm/vgem: Close use-after-free race in vgem_gem_create
There's two references floating around here (for the object reference,
not the handle_count reference, that's a different thing):

- The temporary reference held by vgem_gem_create, acquired by
  creating the object and released by calling
  drm_gem_object_put_unlocked.

- The reference held by the object handle, created by
  drm_gem_handle_create. This one generally outlives the function,
  except if a 2nd thread races with a GEM_CLOSE ioctl call.

So usually everything is correct, except in that race case, where the
access to gem_object->size could be looking at freed data already.
Which again isn't a real problem (userspace shot its feet off already
with the race, we could return garbage), but maybe someone can exploit
this as an information leak.

Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Hillf Danton <hdanton@sina.com>
Reported-by: syzbot+0dc4444774d419e916c8@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Cc: Emil Velikov <emil.velikov@collabora.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Sean Paul <seanpaul@chromium.org>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Eric Anholt <eric@anholt.net>
Cc: Sam Ravnborg <sam@ravnborg.org>
Cc: Rob Clark <robdclark@chromium.org>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20200202132133.1891846-1-daniel.vetter@ffwll.ch
2020-02-06 19:04:41 +01:00
Sean Paul db735fc403 drm/msm: Set dma maximum segment size for mdss
Turning on CONFIG_DMA_API_DEBUG_SG results in the following error:

[   12.078665] msm ae00000.mdss: DMA-API: mapping sg segment longer than device claims to support [len=3526656] [max=65536]
[   12.089870] WARNING: CPU: 6 PID: 334 at /mnt/host/source/src/third_party/kernel/v4.19/kernel/dma/debug.c:1301 debug_dma_map_sg+0x1dc/0x318
[   12.102655] Modules linked in: joydev
[   12.106442] CPU: 6 PID: 334 Comm: frecon Not tainted 4.19.0 #2
[   12.112450] Hardware name: Google Cheza (rev3+) (DT)
[   12.117566] pstate: 60400009 (nZCv daif +PAN -UAO)
[   12.122506] pc : debug_dma_map_sg+0x1dc/0x318
[   12.126995] lr : debug_dma_map_sg+0x1dc/0x318
[   12.131487] sp : ffffff800cc3ba80
[   12.134913] x29: ffffff800cc3ba80 x28: 0000000000000000
[   12.140395] x27: 0000000000000004 x26: 0000000000000004
[   12.145868] x25: ffffff8008e55b18 x24: 0000000000000000
[   12.151337] x23: 00000000ffffffff x22: ffffff800921c000
[   12.156809] x21: ffffffc0fa75b080 x20: ffffffc0f7195090
[   12.162280] x19: ffffffc0f1c53280 x18: 0000000000000000
[   12.167749] x17: 0000000000000000 x16: 0000000000000000
[   12.173218] x15: 0000000000000000 x14: 0720072007200720
[   12.178689] x13: 0720072007200720 x12: 0720072007200720
[   12.184161] x11: 0720072007200720 x10: 0720072007200720
[   12.189641] x9 : ffffffc0f1fc6b60 x8 : 0000000000000000
[   12.195110] x7 : ffffff8008132ce0 x6 : 0000000000000000
[   12.200585] x5 : 0000000000000000 x4 : ffffff8008134734
[   12.206058] x3 : ffffff800cc3b830 x2 : ffffffc0f1fc6240
[   12.211532] x1 : 25045a74f48a7400 x0 : 25045a74f48a7400
[   12.217006] Call trace:
[   12.219535]  debug_dma_map_sg+0x1dc/0x318
[   12.223671]  get_pages+0x19c/0x20c
[   12.227177]  msm_gem_fault+0x64/0xfc
[   12.230874]  __do_fault+0x3c/0x140
[   12.234383]  __handle_mm_fault+0x70c/0xdb8
[   12.238603]  handle_mm_fault+0xac/0xc4
[   12.242473]  do_page_fault+0x1bc/0x3d4
[   12.246342]  do_translation_fault+0x54/0x88
[   12.250652]  do_mem_abort+0x60/0xf0
[   12.254250]  el0_da+0x20/0x24
[   12.257317] irq event stamp: 67260
[   12.260828] hardirqs last  enabled at (67259): [<ffffff8008132d0c>] console_unlock+0x214/0x608
[   12.269693] hardirqs last disabled at (67260): [<ffffff8008080e0c>] do_debug_exception+0x5c/0x178
[   12.278820] softirqs last  enabled at (67256): [<ffffff8008081664>] __do_softirq+0x4d4/0x520
[   12.287510] softirqs last disabled at (67249): [<ffffff80080be574>] irq_exit+0xa8/0x100
[   12.295742] ---[ end trace e63cfc40c313ffab ]---

The root of the problem is that the default segment size for sgt is
(UINT_MAX & PAGE_MASK), and the default segment size for device dma is
64K. As such, if you compare the 2, you would deduce that the sg segment
will overflow the device's capacity. In reality, the hardware can
accommodate the larger sg segments, it's just not initializing its max
segment properly. This patch initializes the max segment size for the
mdss device, which gets rid of that pesky warning.

Reported-by: Stephen Boyd <swboyd@chromium.org>
Tested-by: Stephen Boyd <swboyd@chromium.org>
Tested-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
Reviewed-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20200121111813.REPOST.1.I92c66a35fb13f368095b05287bdabdbe88ca6922@changeid
2020-01-22 09:50:18 -05:00
Dave Airlie d7ca2d19c7 Merge tag 'drm-msm-next-2020-01-14' of https://gitlab.freedesktop.org/drm/msm into drm-next
+ sc7180 display + DSI support
+ a618 (sc7180) support
+ more UBWC (bandwidth compression) support
+ various cleanups to handle devices that use vs don't
  use zap fw, etc
+ usual random cleanups and fixes

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Rob Clark <robdclark@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/ <CAF6AEGvv03ifuP0tp7-dmqZtr1iS=s8Vc=az8BNGtEoSMD-dkw@mail.gmail.com
2020-01-20 14:09:43 +10:00
Dave Airlie 3d4743131b Linux 5.5-rc7
-----BEGIN PGP SIGNATURE-----
 
 iQFSBAABCAA8FiEEq68RxlopcLEwq+PEeb4+QwBBGIYFAl4k7i8eHHRvcnZhbGRz
 QGxpbnV4LWZvdW5kYXRpb24ub3JnAAoJEHm+PkMAQRiGvk0IAKRenVOdiudY77SQ
 VZjsteyrYTTQtPPv494ToIRjR0XQ+gYp8vyWzXTUC5Nm9Y9U3VzDqUPUjWszrSXE
 6mU+tzcMc9qwuUxnIFn8zfg64ygw+37sn/w3xqeH4QmF9Z5Wl3EX3SdXTs7jp3RS
 VxiztkUNI5ZBV2GDtla5K/9qLPqCQnUYXIiyi5lAtBtiitZDVXFp7dy7hMgEiaEO
 +78K5Kh3xlt5ndDsBFOlwIb2Oof3KL7bBXntdbSBc/bjol6IRvAgln48HWCv59G2
 jzAp2tj2KobX9GRAEPj+v4TQZEW0SXDNDi8MgQsM+3DYVCTmANsv57CBKRuf01+F
 nB1kAys=
 =zSnJ
 -----END PGP SIGNATURE-----

Backmerge v5.5-rc7 into drm-next

msm needs 5.5-rc4, go to the latest.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2020-01-20 11:42:57 +10:00
Linus Torvalds def9d27807 Linux 5.5-rc7 2020-01-19 16:02:49 -08:00
Linus Torvalds 7008ee1210 RISC-V updates for v5.5-rc7
Three fixes for RISC-V:
 
 - Don't free and reuse memory containing the code that CPUs parked at
   boot reside in.
 
 - Fix rv64 build problems for ubsan and some modules by adding logical
   and arithmetic shift helpers for 128-bit values.  These are from
   libgcc and are similar to what's present for ARM64.
 
 - Fix vDSO builds to clean up their own temporary files.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEElRDoIDdEz9/svf2Kx4+xDQu9KksFAl4klXMACgkQx4+xDQu9
 KkshPhAAiExCAl2JpZxoeuyQmjS7X68au5CWWJa+uB5osAgxJSPk4XJt9QeagOFw
 wpKmefQDwPKXQuoD0VmNSdJMioBvgzFLqftoc2D9GAv3A0MB4miSsZkUheVbUifN
 jtc3tc3jOCiVNOb0lbX+B6NL+qentvV6CTmujrf79wDBZpGPzKSM2S2OZMvFijVY
 B7ijF1bqXBZg6weE8xdefJhBfDmd7vDBKmMJtv1RUbiOgoBGqjM8QtaXVrUz4Px0
 NLlTleZL4grZVCepJ4psambm5gcZ8UilAe/ywhhrSFOSNCTYKB3ST+ci9VC4t5Vx
 TiR6MnDV1qAl2Uh6aoOhZECpggge9zQOyER7QGbleNplxavhi6jsRgeV9hbqeyBZ
 FCanzqO33irRwrtl7lNsPiUv3XWyyGH5yQLxA9wPq/W9dJkO6Z8pl5Fq0kI/oJNj
 WtlVIp2EnkXJUmXiMBTHerLoBJAVnu+S2HRIeRqOEUSKT4bFP28kq3T6ctP4QuoT
 3F2k9A3DOIZPY8dhXIdFSdcM0IbfRliFy/9hHLt6JdSa35poxGUBpOafDq87n9/3
 UtbkLbxJd56EWOSx5l2bLJ/b4FjJX6powfV9cwjrHjrzoiAqc8z0lfQRGlbGjeYb
 3XTTXhLIspGMK8acm8/p2I6uwDVGFMveEdsLJ8UWAiYjJkLSFEk=
 =SfqL
 -----END PGP SIGNATURE-----

Merge tag 'riscv/for-v5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux

Pull RISC-V fixes from Paul Walmsley:
 "Three fixes for RISC-V:

   - Don't free and reuse memory containing the code that CPUs parked at
     boot reside in.

   - Fix rv64 build problems for ubsan and some modules by adding
     logical and arithmetic shift helpers for 128-bit values. These are
     from libgcc and are similar to what's present for ARM64.

   - Fix vDSO builds to clean up their own temporary files"

* tag 'riscv/for-v5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
  riscv: Less inefficient gcc tishift helpers (and export their symbols)
  riscv: delete temporary files
  riscv: make sure the cores stay looping in .Lsecondary_park
2020-01-19 12:10:28 -08:00
Linus Torvalds 11a8272947 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Pull networking fixes from David Miller:

 1) Fix non-blocking connect() in x25, from Martin Schiller.

 2) Fix spurious decryption errors in kTLS, from Jakub Kicinski.

 3) Netfilter use-after-free in mtype_destroy(), from Cong Wang.

 4) Limit size of TSO packets properly in lan78xx driver, from Eric
    Dumazet.

 5) r8152 probe needs an endpoint sanity check, from Johan Hovold.

 6) Prevent looping in tcp_bpf_unhash() during sockmap/tls free, from
    John Fastabend.

 7) hns3 needs short frames padded on transmit, from Yunsheng Lin.

 8) Fix netfilter ICMP header corruption, from Eyal Birger.

 9) Fix soft lockup when low on memory in hns3, from Yonglong Liu.

10) Fix NTUPLE firmware command failures in bnxt_en, from Michael Chan.

11) Fix memory leak in act_ctinfo, from Eric Dumazet.

* git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (91 commits)
  cxgb4: reject overlapped queues in TC-MQPRIO offload
  cxgb4: fix Tx multi channel port rate limit
  net: sched: act_ctinfo: fix memory leak
  bnxt_en: Do not treat DSN (Digital Serial Number) read failure as fatal.
  bnxt_en: Fix ipv6 RFS filter matching logic.
  bnxt_en: Fix NTUPLE firmware command failures.
  net: systemport: Fixed queue mapping in internal ring map
  net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec
  net: dsa: sja1105: Don't error out on disabled ports with no phy-mode
  net: phy: dp83867: Set FORCE_LINK_GOOD to default after reset
  net: hns: fix soft lockup when there is not enough memory
  net: avoid updating qdisc_xmit_lock_key in netdev_update_lockdep_key()
  net/sched: act_ife: initalize ife->metalist earlier
  netfilter: nat: fix ICMP header corruption on ICMP errors
  net: wan: lapbether.c: Use built-in RCU list checking
  netfilter: nf_tables: fix flowtable list del corruption
  netfilter: nf_tables: fix memory leak in nf_tables_parse_netdev_hooks()
  netfilter: nf_tables: remove WARN and add NLA_STRING upper limits
  netfilter: nft_tunnel: ERSPAN_VERSION must not be null
  netfilter: nft_tunnel: fix null-attribute check
  ...
2020-01-19 12:03:53 -08:00
Linus Torvalds 5f43644394 Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
Pull i2c fixes from Wolfram Sang:
 "Two runtime PM fixes and one leak fix"

* 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
  i2c: iop3xx: Fix memory leak in probe error path
  i2c: tegra: Properly disable runtime PM on driver's probe error
  i2c: tegra: Fix suspending in active runtime PM state
2020-01-19 12:02:06 -08:00
Rahul Lakkireddy b2383ad987 cxgb4: reject overlapped queues in TC-MQPRIO offload
A queue can't belong to multiple traffic classes. So, reject
any such configuration that results in overlapped queues for a
traffic class.

Fixes: b1396c2bd6 ("cxgb4: parse and configure TC-MQPRIO offload")
Signed-off-by: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-19 16:12:53 +01:00
Rahul Lakkireddy c856e2b6fc cxgb4: fix Tx multi channel port rate limit
T6 can support 2 egress traffic management channels per port to
double the total number of traffic classes that can be configured.
In this configuration, if the class belongs to the other channel,
then all the queues must be bound again explicitly to the new class,
for the rate limit parameters on the other channel to take effect.

So, always explicitly bind all queues to the port rate limit traffic
class, regardless of the traffic management channel that it belongs
to. Also, only bind queues to port rate limit traffic class, if all
the queues don't already belong to an existing different traffic
class.

Fixes: 4ec4762d8e ("cxgb4: add TC-MATCHALL classifier egress offload")
Signed-off-by: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-19 16:12:02 +01:00
Eric Dumazet 09d4f10a5e net: sched: act_ctinfo: fix memory leak
Implement a cleanup method to properly free ci->params

BUG: memory leak
unreferenced object 0xffff88811746e2c0 (size 64):
  comm "syz-executor617", pid 7106, jiffies 4294943055 (age 14.250s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    c0 34 60 84 ff ff ff ff 00 00 00 00 00 00 00 00  .4`.............
  backtrace:
    [<0000000015aa236f>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<0000000015aa236f>] slab_post_alloc_hook mm/slab.h:586 [inline]
    [<0000000015aa236f>] slab_alloc mm/slab.c:3320 [inline]
    [<0000000015aa236f>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3549
    [<000000002c946bd1>] kmalloc include/linux/slab.h:556 [inline]
    [<000000002c946bd1>] kzalloc include/linux/slab.h:670 [inline]
    [<000000002c946bd1>] tcf_ctinfo_init+0x21a/0x530 net/sched/act_ctinfo.c:236
    [<0000000086952cca>] tcf_action_init_1+0x400/0x5b0 net/sched/act_api.c:944
    [<000000005ab29bf8>] tcf_action_init+0x135/0x1c0 net/sched/act_api.c:1000
    [<00000000392f56f9>] tcf_action_add+0x9a/0x200 net/sched/act_api.c:1410
    [<0000000088f3c5dd>] tc_ctl_action+0x14d/0x1bb net/sched/act_api.c:1465
    [<000000006b39d986>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5424
    [<00000000fd6ecace>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
    [<0000000047493d02>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
    [<00000000bdcf8286>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
    [<00000000bdcf8286>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
    [<00000000fc5b92d9>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
    [<00000000da84d076>] sock_sendmsg_nosec net/socket.c:639 [inline]
    [<00000000da84d076>] sock_sendmsg+0x54/0x70 net/socket.c:659
    [<0000000042fb2eee>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330
    [<000000008f23f67e>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384
    [<00000000d838e4f6>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417
    [<00000000289a9cb1>] __do_sys_sendmsg net/socket.c:2426 [inline]
    [<00000000289a9cb1>] __se_sys_sendmsg net/socket.c:2424 [inline]
    [<00000000289a9cb1>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424

Fixes: 24ec483cec ("net: sched: Introduce act_ctinfo action")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Kevin 'ldir' Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Toke Høiland-Jørgensen <toke@redhat.com>
Acked-by: Kevin 'ldir' Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-19 16:02:15 +01:00
Olof Johansson fc585d4a5c riscv: Less inefficient gcc tishift helpers (and export their symbols)
The existing __lshrti3 was really inefficient, and the other two helpers
are also needed to compile some modules.

Add the missing versions, and export all of the symbols like arm64
already does.

This code is based on the assembly generated by libgcc builds.

This fixes a build break triggered by ubsan:

riscv64-unknown-linux-gnu-ld: lib/ubsan.o: in function `.L2':
ubsan.c:(.text.unlikely+0x38): undefined reference to `__ashlti3'
riscv64-unknown-linux-gnu-ld: ubsan.c:(.text.unlikely+0x42): undefined reference to `__ashrti3'

Signed-off-by: Olof Johansson <olof@lixom.net>
[paul.walmsley@sifive.com: use SYM_FUNC_{START,END} instead of
 ENTRY/ENDPROC; note libgcc origin]
Signed-off-by: Paul Walmsley <paul.walmsley@sifive.com>
2020-01-18 19:13:41 -08:00
Linus Torvalds 8f8972a312 Raw NAND:
* GPMI: Fix the suspend/resume
 
 SPI-NOR:
 * Fix quad enable on Spansion like flashes
 * Fix selection of 4-byte addressing opcodes on Spansion
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCgAdFiEE9HuaYnbmDhq/XIDIJWrqGEe9VoQFAl4jghcACgkQJWrqGEe9
 VoT7JAf9HTmCV03HW7/T46N+HxgRDwpMyHqxir6gEAHRlg7YnrsY6wLsChwtr1HQ
 CqXtNT7FWm5KxSSTNy+m2XbMOIu9CRsymuAWQRNFlSor90o/UjJGyGSqeXZebvlL
 nITGe089SfprmaPI9MAYeL5QdhfqX1Z6BBIauycu+9zeSEDlEMOGfPZ9GEGqxJD4
 KDzdTTHIznIV/esKuc38w+mv/pVRoYdc/DVrE6MwGTtC8MhPgIYymENk7Gna3EAR
 HxGhk+blCVCkgYKhMOTthpR/QMrCKkQrRlaaVO2EJALUr/b6fi1D2QpfhdFJILXA
 0Ku7JlBZ7lMnaKa1ty+wf9tyOYNHLA==
 =2wqK
 -----END PGP SIGNATURE-----

Merge tag 'mtd/fixes-for-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux

Pull MTD fixes from Miquel Raynal:
 "Raw NAND:
   - GPMI: Fix the suspend/resume

  SPI-NOR:
   - Fix quad enable on Spansion like flashes
   - Fix selection of 4-byte addressing opcodes on Spansion"

* tag 'mtd/fixes-for-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux:
  mtd: rawnand: gpmi: Restore nfc timing setup after suspend/resume
  mtd: rawnand: gpmi: Fix suspend/resume problem
  mtd: spi-nor: Fix quad enable for Spansion like flashes
  mtd: spi-nor: Fix selection of 4-byte addressing opcodes on Spansion
2020-01-18 16:34:17 -08:00
Linus Torvalds 244dc26890 drm fixes for 5.5-rc7
core mst:
 - serialize down messages and clear timeslots are on unplug
 
 amdgpu:
 - Update golden settings for renoir
 - eDP fix
 
 i915:
 - uAPI fix: Remove dash and colon from PMU names to comply with tools/perf
 - Fix for include file that was indirectly included
 - Two fixes to make sure VMA are marked active for error capture
 
 virtio:
 - maintain obj reservation lock when submitting cmds
 
 rockchip:
 - increase link rate var size to accommodate rates
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJeI3ZMAAoJEAx081l5xIa+iuUQAIIMTL86+QPr3CSu8fU7albJ
 MQWOzycWn0xP0KNYIvKz2X6dePWAEDi2kMM+6M/htzi32XmyG0oiAat2wAGkK3ir
 AtfOnbKdD6T0i5wwkAn8SvNYHOTHdg7HMKTzPw2rxlTlZ8IEdVxo1CZqHZMFg0PV
 UiK2VWVBPmBwdRgLu5K8XJy5LKbpx9BMWW5KdS96L2lKNVV3qeH3Q7NvAh1PtJp4
 W+83OsYxYNwS0//4v0i0MjCGVXq5qVw7tzplAPW2OpUCMZ4TtVUnW2/RcrqvU9/b
 v18M7thf2uccMXs7E1gyHgvrZp2lw6KsyJEpPnIp4k+2OXM0BVe9l4Pl0uUQhrDH
 EUvCkpmP1/Zu44CJhtmVAZlVyy3ShNY5NeF6OsCZDSL7z60YMZHFVKF1IgrBkOJF
 mXXq4eb0rMh3At6ABNliRo/bzEYfGgVy1xxNzOoTKCp6pNK/OGy4xQ/DEAkZbBBx
 ul6E+NjaHhul1daWqpuv37oxsjE0RI7asFBomC5HTNWVZHY8MN8+9p/TTZQJ8n0l
 yxMlPy2OOWVfwclwRSLant3Ny1hXNysMpWXMtrEtcB3Q5GI7H4ZCNh9b+VUPLjXT
 JPZU2ZSIjrYNBeKYjVGV75HKjyMWJv1aB3kiXq7lX1yFq7wQLd5nE5mjTSD9wr1I
 ZnhFSbHLcR7VMWUldPPi
 =Vwa3
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-2020-01-19' of git://anongit.freedesktop.org/drm/drm

Pull drm fixes from Dave Airlie:
 "Back from LCA2020, fixes wasn't too busy last week, seems to have
  quieten down appropriately, some amdgpu, i915, then a core mst fix and
  one fix for virtio-gpu and one for rockchip:

  core mst:
   - serialize down messages and clear timeslots are on unplug

  amdgpu:
   - Update golden settings for renoir
   - eDP fix

  i915:
   - uAPI fix: Remove dash and colon from PMU names to comply with
     tools/perf
   - Fix for include file that was indirectly included
   - Two fixes to make sure VMA are marked active for error capture

  virtio:
   - maintain obj reservation lock when submitting cmds

  rockchip:
   - increase link rate var size to accommodate rates"

* tag 'drm-fixes-2020-01-19' of git://anongit.freedesktop.org/drm/drm:
  drm/amd/display: Reorder detect_edp_sink_caps before link settings read.
  drm/amdgpu: update goldensetting for renoir
  drm/dp_mst: Have DP_Tx send one msg at a time
  drm/dp_mst: clear time slots for ports invalid
  drm/i915/pmu: Do not use colons or dashes in PMU names
  drm/rockchip: fix integer type used for storing dp data rate
  drm/i915/gt: Mark ring->vma as active while pinned
  drm/i915/gt: Mark context->state vma as active while pinned
  drm/i915/gt: Skip trying to unbind in restore_ggtt_mappings
  drm/i915: Add missing include file <linux/math64.h>
  drm/virtio: add missing virtio_gpu_array_lock_resv call
2020-01-18 13:57:31 -08:00
Ilie Halip 95f4d9cced riscv: delete temporary files
Temporary files used in the VDSO build process linger on even after make
mrproper: vdso-dummy.o.tmp, vdso.so.dbg.tmp.

Delete them once they're no longer needed.

Signed-off-by: Ilie Halip <ilie.halip@gmail.com>
Signed-off-by: Paul Walmsley <paul.walmsley@sifive.com>
2020-01-18 13:22:13 -08:00
Linus Torvalds 0cc2682d8b Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 fixes from Ingo Molnar:
 "Misc fixes:

   - a resctrl fix for uninitialized objects found by debugobjects

   - a resctrl memory leak fix

   - fix the unintended re-enabling of the of SME and SEV CPU flags if
     memory encryption was disabled at bootup via the MSR space"

* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/CPU/AMD: Ensure clearing of SME/SEV features is maintained
  x86/resctrl: Fix potential memory leak
  x86/resctrl: Fix an imbalance in domain_remove_cpu()
2020-01-18 13:02:12 -08:00
Linus Torvalds 7ff15cd045 Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull timer fixes from Ingo Molnar:
 "Three fixes: fix link failure on Alpha, fix a Sparse warning and
  annotate/robustify a lockless access in the NOHZ code"

* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  tick/sched: Annotate lockless access to last_jiffies_update
  lib/vdso: Make __cvdso_clock_getres() static
  time/posix-stubs: Provide compat itimer supoprt for alpha
2020-01-18 13:00:59 -08:00
Linus Torvalds 9e79c52332 Merge branch 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull cpu/SMT fix from Ingo Molnar:
 "Fix a build bug on CONFIG_HOTPLUG_SMT=y && !CONFIG_SYSFS kernels"

* 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  cpu/SMT: Fix x86 link error without CONFIG_SYSFS
2020-01-18 12:57:41 -08:00
Linus Torvalds a186c112c7 Merge branch 'ras-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 RAS fix from Ingo Molnar:
 "Fix a thermal throttling race that can result in easy to trigger boot
  crashes on certain Ice Lake platforms"

* 'ras-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/mce/therm_throt: Do not access uninitialized therm_work
2020-01-18 12:56:36 -08:00
Linus Torvalds b07b9e8d63 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull perf fixes from Ingo Molnar:
 "Tooling fixes, three Intel uncore driver fixes, plus an AUX events fix
  uncovered by the perf fuzzer"

* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf/x86/intel/uncore: Remove PCIe3 unit for SNR
  perf/x86/intel/uncore: Fix missing marker for snr_uncore_imc_freerunning_events
  perf/x86/intel/uncore: Add PCI ID of IMC for Xeon E3 V5 Family
  perf: Correctly handle failed perf_get_aux_event()
  perf hists: Fix variable name's inconsistency in hists__for_each() macro
  perf map: Set kmap->kmaps backpointer for main kernel map chunks
  perf report: Fix incorrectly added dimensions as switch perf data file
  tools lib traceevent: Fix memory leakage in filter_event
2020-01-18 12:55:19 -08:00
Linus Torvalds 124b5547ec Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull locking fixes from Ingo Molnar:
 "Three fixes:

    - Fix an rwsem spin-on-owner crash, introduced in v5.4

    - Fix a lockdep bug when running out of stack_trace entries,
      introduced in v5.4

    - Docbook fix"

* 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  locking/rwsem: Fix kernel crash when spinning on RWSEM_OWNER_UNKNOWN
  futex: Fix kernel-doc notation warning
  locking/lockdep: Fix buffer overrun problem in stack_trace[]
2020-01-18 12:53:28 -08:00
Linus Torvalds a1c6f87efc Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull irq fix from Ingo Molnar:
 "Fix a recent regression in the Ingenic SoCs irqchip driver that floods
  the syslog"

* 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  irqchip/ingenic: Get rid of the legacy IRQ domain
2020-01-18 12:52:18 -08:00
Linus Torvalds e2f73d1e52 Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull EFI fixes from Ingo Molnar:
 "Three EFI fixes:

   - Fix a slow-boot-scrolling regression but making sure we use WC for
     EFI earlycon framebuffer mappings on x86

   - Fix a mixed EFI mode boot crash

   - Disable paging explicitly before entering startup_32() in mixed
     mode bootup"

* 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/efistub: Disable paging at mixed mode entry
  efi/libstub/random: Initialize pointer variables to zero for mixed mode
  efi/earlycon: Fix write-combine mapping on x86
2020-01-18 12:50:14 -08:00
Linus Torvalds ba0f472203 Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull rseq fixes from Ingo Molnar:
 "Two rseq bugfixes:

   - CLONE_VM !CLONE_THREAD didn't work properly, the kernel would end
     up corrupting the TLS of the parent. Technically a change in the
     ABI but the previous behavior couldn't resonably have been relied
     on by applications so this looks like a valid exception to the ABI
     rule.

   - Make the RSEQ_FLAG_UNREGISTER ABI behavior consistent with the
     handling of other flags. This is not thought to impact any
     applications either"

* 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  rseq: Unregister rseq for clone CLONE_VM
  rseq: Reject unknown flags on rseq unregister
2020-01-18 12:29:13 -08:00
Linus Torvalds 8cac89909a for-linus-2020-01-18
-----BEGIN PGP SIGNATURE-----
 
 iHUEABYKAB0WIQRAhzRXHqcMeLMyaSiRxhvAZXjcogUCXiL/qwAKCRCRxhvAZXjc
 oln5AP9ITypHs2iNWl1Cbte++y2iflWevDyPUrmagegqpKwbJAD9EypY0RVDor8T
 LXWK4WaNgB0K0MK/gSPRAlgx9ejNwA4=
 =6xXo
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-2020-01-18' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux

Pull thread fixes from Christian Brauner:
 "Here is an urgent fix for ptrace_may_access() permission checking.

  Commit 69f594a389 ("ptrace: do not audit capability check when
  outputing /proc/pid/stat") introduced the ability to opt out of audit
  messages for accesses to various proc files since they are not
  violations of policy.

  While doing so it switched the check from ns_capable() to
  has_ns_capability{_noaudit}(). That means it switched from checking
  the subjective credentials (ktask->cred) of the task to using the
  objective credentials (ktask->real_cred). This is appears to be wrong.
  ptrace_has_cap() is currently only used in ptrace_may_access() And is
  used to check whether the calling task (subject) has the
  CAP_SYS_PTRACE capability in the provided user namespace to operate on
  the target task (object). According to the cred.h comments this means
  the subjective credentials of the calling task need to be used.

  With this fix we switch ptrace_has_cap() to use security_capable() and
  thus back to using the subjective credentials.

  As one example where this might be particularly problematic, Jann
  pointed out that in combination with the upcoming IORING_OP_OPENAT{2}
  feature, this bug might allow unprivileged users to bypass the
  capability checks while asynchronously opening files like /proc/*/mem,
  because the capability checks for this would be performed against
  kernel credentials.

  To illustrate on the former point about this being exploitable: When
  io_uring creates a new context it records the subjective credentials
  of the caller. Later on, when it starts to do work it creates a kernel
  thread and registers a callback. The callback runs with kernel creds
  for ktask->real_cred and ktask->cred.

  To prevent this from becoming a full-blown 0-day io_uring will call
  override_cred() and override ktask->cred with the subjective
  credentials of the creator of the io_uring instance. With
  ptrace_has_cap() currently looking at ktask->real_cred this override
  will be ineffective and the caller will be able to open arbitray proc
  files as mentioned above.

  Luckily, this is currently not exploitable but would be so once
  IORING_OP_OPENAT{2} land in v5.6. Let's fix it now.

  To minimize potential regressions I successfully ran the criu
  testsuite. criu makes heavy use of ptrace() and extensively hits
  ptrace_may_access() codepaths and has a good change of detecting any
  regressions.

  Additionally, I succesfully ran the ptrace and seccomp kernel tests"

* tag 'for-linus-2020-01-18' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux:
  ptrace: reintroduce usage of subjective credentials in ptrace_has_cap()
2020-01-18 12:23:31 -08:00
Linus Torvalds 2324de6fab s390 updates for 5.5-rc7
- Fix printing misleading Secure-IPL enabled message when it is not.
 
 - Fix a race condition between host ap bus and guest ap bus doing
   device reset in crypto code.
 
 - Fix sanity check in CCA cipher key function (CCA AES cipher key
   support), which fails otherwise.
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCAAdFiEE3QHqV+H2a8xAv27vjYWKoQLXFBgFAl4i+UgACgkQjYWKoQLX
 FBg0Pgf/VYdOoZCo868B6H7jR3xbPmaMz5wA57QfbPhmUkdF7ELBSDj7j+dvfmEy
 kb9Tkn2cZOj40H0jwKWawnz5HA+iKtkXBcB8THB55ThlD6hgpZo8nzul1EomcxDx
 NY7vxlaIpgWZgpT91Z1JxKOLpxIo0mIUH8+XITgZBU4qV9yrycpePzV7kz5vEieG
 9BFObo0VtNYBnNwm68YuXsg1FKkezWktFAmdLHvxQz6wXUL5kBb/1dZkKGkg/0Qc
 jsJSglY2I2uCqDesIRHxl6waWgj79nrb3T5WWYh9IL6btXfAFDTNfx7WaCWU55kd
 pCfViqDJYL3idW8AfPkgXNaSclWtaQ==
 =q9ev
 -----END PGP SIGNATURE-----

Merge tag 's390-5.5-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux

Pull s390 fixes from Vasily Gorbik:

 - Fix printing misleading Secure-IPL enabled message when it is not.

 - Fix a race condition between host ap bus and guest ap bus doing
   device reset in crypto code.

 - Fix sanity check in CCA cipher key function (CCA AES cipher key
   support), which fails otherwise.

* tag 's390-5.5-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390/setup: Fix secure ipl message
  s390/zcrypt: move ap device reset from bus to driver code
  s390/zcrypt: Fix CCA cipher key gen with clear key value function
2020-01-18 12:18:55 -08:00
Linus Torvalds 8965de70cb SCSI fixes on 20200118
Three fixes in drivers with no impact to core code. The mptfusion fix
 is enormous because the driver API had to be rethreaded to pass down
 the necessary iocp pointer, but once that's done a significant chunk
 of code is deleted.  The other two patches are small.
 
 Signed-off-by: James E.J. Bottomley <jejb@linux.ibm.com>
 -----BEGIN PGP SIGNATURE-----
 
 iJwEABMIAEQWIQTnYEDbdso9F2cI+arnQslM7pishQUCXiNL7iYcamFtZXMuYm90
 dG9tbGV5QGhhbnNlbnBhcnRuZXJzaGlwLmNvbQAKCRDnQslM7pishd6OAP0dPFlB
 Nd8g0PR7OV4L6DpTcR2v6gaYZRoLeq0+p3b7yQD9EL5LiESIciLV2nk8pMoQVEqg
 i7Pz5L2RJnLDRoUgIgU=
 =YvR2
 -----END PGP SIGNATURE-----

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
 "Three fixes in drivers with no impact to core code.

  The mptfusion fix is enormous because the driver API had to be
  rethreaded to pass down the necessary iocp pointer, but once that's
  done a significant chunk of code is deleted.

  The other two patches are small"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  scsi: mptfusion: Fix double fetch bug in ioctl
  scsi: storvsc: Correctly set number of hardware queues for IDE disk
  scsi: fnic: fix invalid stack access
2020-01-18 12:12:36 -08:00
Linus Torvalds f04dba64d6 Char/Misc fixes for 5.5-rc7
Here are some small fixes for 5.5-rc7
 
 Included here are:
 	- two lkdtm fixes
 	- coresight build fix
 	- Documentation update for the hw process document
 
 All of these have been in linux-next with no reported issues.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 
 iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCXiMRTA8cZ3JlZ0Brcm9h
 aC5jb20ACgkQMUfUDdst+yl/wQCfZWeba9TGl++stdgDCjwCI7iqwL4AniHwhzWw
 h5G+rq9ZvbDDT9BT4tSi
 =MOkg
 -----END PGP SIGNATURE-----

Merge tag 'char-misc-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc

Pull char/misc fixes from Greg KH:
 "Here are some small fixes for 5.5-rc7

  Included here are:

   -  two lkdtm fixes

   -  coresight build fix

   -  Documentation update for the hw process document

  All of these have been in linux-next with no reported issues"

* tag 'char-misc-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
  Documentation/process: Add Amazon contact for embargoed hardware issues
  lkdtm/bugs: fix build error in lkdtm_UNSET_SMEP
  lkdtm/bugs: Make double-fault test always available
  coresight: etm4x: Fix unused function warning
2020-01-18 12:08:57 -08:00
Linus Torvalds bf3f401db6 Staging/IIO driver fixes for 5.5-rc7
Here are some small staging and iio driver fixes for 5.5-rc7
 
 All of them are for some small reported issues.  Nothing major, full
 details in the shortlog.
 
 All have been in linux-next with no reported issues.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 
 iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCXiMR/w8cZ3JlZ0Brcm9h
 aC5jb20ACgkQMUfUDdst+ymXKQCgv6VlsId1paPQkzVcTvencfBSSHMAn3sSdTus
 mTwGZKoNVhHs0AZqVx5H
 =x59R
 -----END PGP SIGNATURE-----

Merge tag 'staging-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging

Pull staging and IIO driver fixes from Greg KH:
 "Here are some small staging and iio driver fixes for 5.5-rc7

  All of them are for some small reported issues. Nothing major, full
  details in the shortlog.

  All have been in linux-next with no reported issues"

* tag 'staging-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
  staging: comedi: ni_routes: allow partial routing information
  staging: comedi: ni_routes: fix null dereference in ni_find_route_source()
  iio: light: vcnl4000: Fix scale for vcnl4040
  iio: buffer: align the size of scan bytes to size of the largest element
  iio: chemical: pms7003: fix unmet triggered buffer dependency
  iio: imu: st_lsm6dsx: Fix selection of ST_LSM6DS3_ID
  iio: adc: ad7124: Fix DT channel configuration
2020-01-18 12:06:09 -08:00
Linus Torvalds c5fd2c5b8b USB driver fixes for 5.5-rc7
Here are some small USB driver and core fixes for 5.5-rc7
 
 There's one fix for hub wakeup issues and a number of small usb-serial
 driver fixes and device id updates.
 
 The hub fix has been in linux-next for a while with no reported issues,
 and the usb-serial ones have all passed 0-day with no problems.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 
 iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCXiMUAw8cZ3JlZ0Brcm9h
 aC5jb20ACgkQMUfUDdst+ym2EwCfY5TnNW+mY4kC9IJsuh67SHGkL+EAoMw7ppw1
 wLMKOMwTGnWCln7p3uCn
 =v2hz
 -----END PGP SIGNATURE-----

Merge tag 'usb-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

Pull USB driver fixes from Greg KH:
 "Here are some small USB driver and core fixes for 5.5-rc7

  There's one fix for hub wakeup issues and a number of small usb-serial
  driver fixes and device id updates.

  The hub fix has been in linux-next for a while with no reported
  issues, and the usb-serial ones have all passed 0-day with no
  problems"

* tag 'usb-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
  USB: serial: quatech2: handle unbound ports
  USB: serial: keyspan: handle unbound ports
  USB: serial: io_edgeport: add missing active-port sanity check
  USB: serial: io_edgeport: handle unbound ports on URB completion
  USB: serial: ch341: handle unbound port at reset_resume
  USB: serial: suppress driver bind attributes
  USB: serial: option: add support for Quectel RM500Q in QDL mode
  usb: core: hub: Improved device recognition on remote wakeup
  USB: serial: opticon: fix control-message timeouts
  USB: serial: option: Add support for Quectel RM500Q
  USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx
2020-01-18 12:02:33 -08:00
David S. Miller e02d9c4c68 Merge branch 'bnxt_en-fixes'
Michael Chan says:

====================
bnxt_en: Bug fixes.

3 small bug fix patches.  The 1st two are aRFS fixes and the last one
fixes a fatal driver load failure on some kernels without PCIe
extended config space support enabled.

Please also queue these for -stable.  Thanks.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-18 14:38:30 +01:00
Michael Chan d061b2411d bnxt_en: Do not treat DSN (Digital Serial Number) read failure as fatal.
DSN read can fail, for example on a kdump kernel without PCIe extended
config space support.  If DSN read fails, don't set the
BNXT_FLAG_DSN_VALID flag and continue loading.  Check the flag
to see if the stored DSN is valid before using it.  Only VF reps
creation should fail without valid DSN.

Fixes: 03213a9965 ("bnxt: move bp->switch_id initialization to PF probe")
Reported-by: Marc Smith <msmith626@gmail.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-18 14:38:29 +01:00
Michael Chan 6fc7caa84e bnxt_en: Fix ipv6 RFS filter matching logic.
Fix bnxt_fltr_match() to match ipv6 source and destination addresses.
The function currently only checks ipv4 addresses and will not work
corrently on ipv6 filters.

Fixes: c0c050c58d ("bnxt_en: New Broadcom ethernet driver.")
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-18 14:38:29 +01:00
Michael Chan ceb3284c58 bnxt_en: Fix NTUPLE firmware command failures.
The NTUPLE related firmware commands are sent to the wrong firmware
channel, causing all these commands to fail on new firmware that
supports the new firmware channel.  Fix it by excluding the 3
NTUPLE firmware commands from the list for the new firmware channel.

Fixes: 760b6d3341 ("bnxt_en: Add support for 2nd firmware message channel.")
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-18 14:38:29 +01:00
Christian Brauner 6b3ad6649a
ptrace: reintroduce usage of subjective credentials in ptrace_has_cap()
Commit 69f594a389 ("ptrace: do not audit capability check when outputing /proc/pid/stat")
introduced the ability to opt out of audit messages for accesses to various
proc files since they are not violations of policy.  While doing so it
somehow switched the check from ns_capable() to
has_ns_capability{_noaudit}(). That means it switched from checking the
subjective credentials of the task to using the objective credentials. This
is wrong since. ptrace_has_cap() is currently only used in
ptrace_may_access() And is used to check whether the calling task (subject)
has the CAP_SYS_PTRACE capability in the provided user namespace to operate
on the target task (object). According to the cred.h comments this would
mean the subjective credentials of the calling task need to be used.
This switches ptrace_has_cap() to use security_capable(). Because we only
call ptrace_has_cap() in ptrace_may_access() and in there we already have a
stable reference to the calling task's creds under rcu_read_lock() there's
no need to go through another series of dereferences and rcu locking done
in ns_capable{_noaudit}().

As one example where this might be particularly problematic, Jann pointed
out that in combination with the upcoming IORING_OP_OPENAT feature, this
bug might allow unprivileged users to bypass the capability checks while
asynchronously opening files like /proc/*/mem, because the capability
checks for this would be performed against kernel credentials.

To illustrate on the former point about this being exploitable: When
io_uring creates a new context it records the subjective credentials of the
caller. Later on, when it starts to do work it creates a kernel thread and
registers a callback. The callback runs with kernel creds for
ktask->real_cred and ktask->cred. To prevent this from becoming a
full-blown 0-day io_uring will call override_cred() and override
ktask->cred with the subjective credentials of the creator of the io_uring
instance. With ptrace_has_cap() currently looking at ktask->real_cred this
override will be ineffective and the caller will be able to open arbitray
proc files as mentioned above.
Luckily, this is currently not exploitable but will turn into a 0-day once
IORING_OP_OPENAT{2} land in v5.6. Fix it now!

Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Eric Paris <eparis@redhat.com>
Cc: stable@vger.kernel.org
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: Jann Horn <jannh@google.com>
Fixes: 69f594a389 ("ptrace: do not audit capability check when outputing /proc/pid/stat")
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-01-18 13:51:39 +01:00
Dave Airlie df95968ff7 Merge tag 'amd-drm-next-5.6-2020-01-17' of git://people.freedesktop.org/~agd5f/linux into drm-next
amd-drm-next-5.6-2020-01-17:

amdgpu:
- Fix 32 bit harder
- Powerplay cleanups
- VCN fixes for Arcturus
- RAS fixes
- eDP/DP fixes
- SR-IOV fixes
- Re-enable S/G display for PCO/RV2
- Free stolen memory after init on gmc10
- DF hashing optimizations for Arcturus
- Properly handle runtime pm in sysfs and debugfs
- Unify more GC programming between amdgpu and amdkfd
- Golden settings updates for gfx10
- GDDR6 training fixes
- Freesync fixes
- DSC fixes
- TMDS fixes
- Renoir USB-C fixes
- DC dml updates from hw team
- Pollock support
- Mutex init regresson fix

amdkfd:
- Unify more GC programming between amdgpu and amdkfd
- Use KIQ to setup HIQ rather than using MMIO

scheduler:
- Documentation fixes
- Improve job distribution with load sharing

drm:
- DP MST fix

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Alex Deucher <alexdeucher@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20200117213625.4722-1-alexander.deucher@amd.com
2020-01-18 13:00:24 +10:00
Dave Airlie f66d84c8b4 virtio: maintain obj reservation lock when submitting cmds (Gerd)
rockchip: increase link rate var size to accommodate rates (Tobias)
 mst: serialize down messages and clear timeslots are on unplug (Wayne)
 
 Cc: Gerd Hoffmann <kraxel@redhat.com>
 Cc: Tobias Schramm <t.schramm@manjaro.org>
 Cc: Wayne Lin <Wayne.Lin@amd.com>
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCgAdFiEEHF6rntfJ3enn8gh8cywAJXLcr3kFAl4gjvAACgkQcywAJXLc
 r3knlgf8C0szUNBmHkmwuAivHLJz6XHKCtGSfPrZ3M67KDwU563BRXlzHEA3/q7p
 L3+RUW9CrohyMWA51fbmNJOR54mpy0zAu2ejLFll0Ntcw5CBbiYQ2ToBMmhW56h9
 lM2EDkD0stx/JYmumpU6Vc8o0CG3asiJsU7IfQZ4n2kXqboyHho+E74qri52aPtD
 ZZfXLmI9Yju8j0x0AjkZWxC6gfNWXH/HEnsC9X86JF+QXcnw5cVeHvi43doPjvs/
 sZQCeaRAhseJXpAPaiBhVemF8+jkwX2CZ0sggxZZP9BB26PEwonqWHj9ixQlYLyD
 bVC4Wson59D/0W1QK4R/AADpIO80IQ==
 =iVHE
 -----END PGP SIGNATURE-----

Merge tag 'drm-misc-fixes-2020-01-16' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes

virtio: maintain obj reservation lock when submitting cmds (Gerd)
rockchip: increase link rate var size to accommodate rates (Tobias)
mst: serialize down messages and clear timeslots are on unplug (Wayne)

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Tobias Schramm <t.schramm@manjaro.org>
Cc: Wayne Lin <Wayne.Lin@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Sean Paul <sean@poorly.run>
Link: https://patchwork.freedesktop.org/patch/msgid/20200116162856.GA11524@art_vandelay
2020-01-18 12:54:37 +10:00
Dave Airlie e33c7ba892 Merge tag 'drm-intel-fixes-2020-01-16' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
- uAPI fix: Remove dash and colon from PMU names to comply with tools/perf
- Fix for include file that was indirectly included
- Two fixes to make sure VMA are marked active for error capture

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20200116161419.GA13594@jlahtine-desk.ger.corp.intel.com
2020-01-18 12:53:54 +10:00
Esben Haabendal d70486668c mtd: rawnand: gpmi: Restore nfc timing setup after suspend/resume
As we reset the GPMI block at resume, the timing parameters setup by a
previous exec_op is lost.  Rewriting GPMI timing registers on first exec_op
after resume fixes the problem.

Fixes: ef347c0cfd ("mtd: rawnand: gpmi: Implement exec_op")
Cc: stable@vger.kernel.org
Signed-off-by: Esben Haabendal <esben@geanix.com>
Acked-by: Han Xu <han.xu@nxp.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
2020-01-17 22:45:09 +01:00
Esben Haabendal 5bc6bb603b mtd: rawnand: gpmi: Fix suspend/resume problem
On system resume, the gpmi clock must be enabled before accessing gpmi
block.  Without this, resume causes something like

[  661.348790] gpmi_reset_block(5cbb0f7e): module reset timeout
[  661.348889] gpmi-nand 1806000.gpmi-nand: Error setting GPMI : -110
[  661.348928] PM: dpm_run_callback(): platform_pm_resume+0x0/0x44 returns -110
[  661.348961] PM: Device 1806000.gpmi-nand failed to resume: error -110

Fixes: ef347c0cfd ("mtd: rawnand: gpmi: Implement exec_op")
Cc: stable@vger.kernel.org
Signed-off-by: Esben Haabendal <esben@geanix.com>
Acked-by: Han Xu <han.xu@nxp.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
2020-01-17 22:45:07 +01:00
Michael Walle da2ef8124f mtd: spi-nor: Fix quad enable for Spansion like flashes
The commit 7b678c69c0 ("mtd: spi-nor: Merge spansion Quad Enable
methods") forgot to actually set the QE bit in some cases. Thus this
breaks quad mode accesses to flashes which support readback of the
status register-2. Fix it.

Fixes: 7b678c69c0 ("mtd: spi-nor: Merge spansion Quad Enable methods")
Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
2020-01-17 22:45:05 +01:00
Vignesh Raghavendra 440b6d5025 mtd: spi-nor: Fix selection of 4-byte addressing opcodes on Spansion
mtd->size is still unassigned when running spansion_post_sfdp_fixups()
hook, therefore use nor->params.size to determine the size of flash device.

This makes sure that 4-byte addressing opcodes are used on Spansion
flashes that are larger than 16MiB and don't have SFDP 4BAIT table
populated.

Fixes: 92094ebc38 ("mtd: spi-nor: Add spansion_post_sfdp_fixups()")
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
2020-01-17 22:44:49 +01:00
José Roberto de Souza 7b19914383 drm/mst: Don't do atomic checks over disabled managers
When a main MST port is disconnected drivers should call
drm_dp_mst_topology_mgr_set_mst() disabling the MST manager, this
function will set manager mst_primary to NULL and it will cause the
crash bellow on the next atomic check when trying to access
mst_primary->port.

As there is no use in running checks over managers that are not
active this patch will skip it.

[  305.616450] [drm:drm_dp_mst_atomic_check] [MST PORT:00000000cc2049e9] releases all VCPI slots
[  305.625085] [drm:drm_dp_mst_atomic_check] [MST PORT:00000000020ab43e] releases all VCPI slots
[  305.633729] [drm:drm_dp_mst_atomic_check] [MST MGR:00000000cdd467d4] mst state 00000000b67672eb VCPI avail=63 used=0
[  305.644405] BUG: kernel NULL pointer dereference, address: 0000000000000030
[  305.651448] #PF: supervisor read access in kernel mode
[  305.656640] #PF: error_code(0x0000) - not-present page
[  305.661807] PGD 0 P4D 0
[  305.664396] Oops: 0000 [#1] PREEMPT SMP NOPTI
[  305.668789] CPU: 3 PID: 183 Comm: kworker/3:2 Not tainted 5.5.0-rc6+ #1404
[  305.675703] Hardware name: Intel Corporation Ice Lake Client Platform/IceLake U DDR4 SODIMM PD RVP TLC, BIOS ICLSFWR1.R00.3201.A00.1905140358 05/14/2019
[  305.689425] Workqueue: events drm_dp_delayed_destroy_work
[  305.694874] RIP: 0010:drm_dp_mst_atomic_check+0x138/0x2c0
[  305.700306] Code: 00 00 00 41 29 d9 41 89 d8 4c 89 fa 4c 89 f1 48 c7 c6 b0 b1 34 82 bf 10 00 00 00 45 31 ed e8 3f 99 02 00 4d 8b bf 80 04 00 00 <49> 8b 47 30 49 8d 5f 30 4c 8d 60 e8 48 39 c3 74 35 49 8b 7c 24 28
[  305.719169] RSP: 0018:ffffc90001687b58 EFLAGS: 00010246
[  305.724434] RAX: 0000000000000000 RBX: 000000000000003f RCX: 0000000000000000
[  305.731611] RDX: 0000000000000000 RSI: ffff88849fba8cb8 RDI: 00000000ffffffff
[  305.738785] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[  305.745962] R10: ffffc900016879a0 R11: ffffc900016879a5 R12: 0000000000000000
[  305.753139] R13: 0000000000000000 R14: ffff8884905c9bc0 R15: 0000000000000000
[  305.760315] FS:  0000000000000000(0000) GS:ffff88849fb80000(0000) knlGS:0000000000000000
[  305.768452] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  305.774263] CR2: 0000000000000030 CR3: 0000000005610006 CR4: 0000000000760ee0
[  305.781441] PKRU: 55555554
[  305.784228] Call Trace:
[  305.786739]  intel_atomic_check+0xb2e/0x2560 [i915]
[  305.791678]  ? printk+0x53/0x6a
[  305.794856]  ? drm_atomic_check_only+0x3e/0x810
[  305.799417]  ? __drm_dbg+0x82/0x90
[  305.802848]  drm_atomic_check_only+0x56a/0x810
[  305.807322]  drm_atomic_commit+0xe/0x50
[  305.811185]  drm_client_modeset_commit_atomic+0x1e2/0x250
[  305.816619]  drm_client_modeset_commit_force+0x4d/0x180
[  305.821921]  drm_fb_helper_restore_fbdev_mode_unlocked+0x46/0xa0
[  305.827963]  drm_fb_helper_set_par+0x2b/0x40
[  305.832265]  drm_fb_helper_hotplug_event.part.0+0xb2/0xd0
[  305.837755]  drm_kms_helper_hotplug_event+0x21/0x30
[  305.842694]  process_one_work+0x25b/0x5b0
[  305.846735]  worker_thread+0x4b/0x3b0
[  305.850439]  kthread+0x100/0x140
[  305.853690]  ? process_one_work+0x5b0/0x5b0
[  305.857901]  ? kthread_park+0x80/0x80
[  305.861588]  ret_from_fork+0x24/0x50
[  305.865202] Modules linked in: snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic i915 btusb btrtl btbcm btintel bluetooth prime_numbers snd_hda_intel snd_intel_dspcfg snd_hda_codec e1000e snd_hwdep snd_hda_core thunderbolt mei_hdcp mei_me asix cdc_ether x86_pkg_temp_thermal r8152 mei coretemp usbnet snd_pcm mii crct10dif_pclmul ptp crc32_pclmul ecdh_generic ghash_clmulni_intel pps_core ecc i2c_i801 intel_lpss_pci
[  305.903096] CR2: 0000000000000030
[  305.906431] ---[ end trace 70ee364eed801cb0 ]---
[  305.940816] RIP: 0010:drm_dp_mst_atomic_check+0x138/0x2c0
[  305.946261] Code: 00 00 00 41 29 d9 41 89 d8 4c 89 fa 4c 89 f1 48 c7 c6 b0 b1 34 82 bf 10 00 00 00 45 31 ed e8 3f 99 02 00 4d 8b bf 80 04 00 00 <49> 8b 47 30 49 8d 5f 30 4c 8d 60 e8 48 39 c3 74 35 49 8b 7c 24 28
[  305.965125] RSP: 0018:ffffc90001687b58 EFLAGS: 00010246
[  305.970382] RAX: 0000000000000000 RBX: 000000000000003f RCX: 0000000000000000
[  305.977571] RDX: 0000000000000000 RSI: ffff88849fba8cb8 RDI: 00000000ffffffff
[  305.984747] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[  305.991921] R10: ffffc900016879a0 R11: ffffc900016879a5 R12: 0000000000000000
[  305.999099] R13: 0000000000000000 R14: ffff8884905c9bc0 R15: 0000000000000000
[  306.006271] FS:  0000000000000000(0000) GS:ffff88849fb80000(0000) knlGS:0000000000000000
[  306.014407] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  306.020185] CR2: 0000000000000030 CR3: 000000048b3aa003 CR4: 0000000000760ee0
[  306.027404] PKRU: 55555554
[  306.030127] BUG: sleeping function called from invalid context at include/linux/percpu-rwsem.h:38
[  306.039049] in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 183, name: kworker/3:2
[  306.047272] INFO: lockdep is turned off.
[  306.051217] irq event stamp: 77505
[  306.054647] hardirqs last  enabled at (77505): [<ffffffff81a0c147>] _raw_spin_unlock_irqrestore+0x47/0x60
[  306.064270] hardirqs last disabled at (77504): [<ffffffff81a0bedf>] _raw_spin_lock_irqsave+0xf/0x50
[  306.073404] softirqs last  enabled at (77402): [<ffffffff81e00389>] __do_softirq+0x389/0x47f
[  306.081885] softirqs last disabled at (77395): [<ffffffff810b83a9>] irq_exit+0xa9/0xc0
[  306.089859] CPU: 3 PID: 183 Comm: kworker/3:2 Tainted: G      D           5.5.0-rc6+ #1404
[  306.098167] Hardware name: Intel Corporation Ice Lake Client Platform/IceLake U DDR4 SODIMM PD RVP TLC, BIOS ICLSFWR1.R00.3201.A00.1905140358 05/14/2019
[  306.111882] Workqueue: events drm_dp_delayed_destroy_work
[  306.117314] Call Trace:
[  306.119780]  dump_stack+0x71/0xa0
[  306.123135]  ___might_sleep.cold+0xf7/0x10b
[  306.127399]  exit_signals+0x2b/0x360
[  306.131014]  do_exit+0xa7/0xc70
[  306.134189]  ? kthread+0x100/0x140
[  306.137615]  rewind_stack_do_exit+0x17/0x20

Fixes: cd82d82cbc ("drm/dp_mst: Add branch bandwidth validation to MST atomic check")
Cc: Mikita Lipski <mikita.lipski@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: Lyude Paul <lyude@redhat.com>
Acked-by: Mikita Lipski <mikita.lipski@amd.com>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: José Roberto de Souza <jose.souza@intel.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
2020-01-17 16:04:19 -05:00
Pan, Xinhui bd05221123 drm/amdgpu: add the lost mutex_init back
Initialize notifier_lock.

Bug: https://gitlab.freedesktop.org/drm/amd/issues/1016
Reviewed-by: Feifei Xu <Feifei.Xu@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: xinhui pan <xinhui.pan@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
2020-01-17 16:03:09 -05:00
Linus Torvalds 25e73aadf2 io_uring-5.5-2020-01-16
-----BEGIN PGP SIGNATURE-----
 
 iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAl4hQEoQHGF4Ym9lQGtl
 cm5lbC5kawAKCRD301j7KXHgpjZ0D/9X0JXHTlP8qebVw0Rjnb838TJtygwBZ8bm
 EsvEYP9lOJbR15V2WGWO2daNaaKMouglMQ8OWYMNGvREDtfNBxy3mE8ZVnpG385R
 RUweqCIK0rHpAfSRr4Nh9GwIeMyomLzOeumjVzXATsUS1o2+bCfv34pe22uikpgx
 njA2ab389hS2b9fMOFf78odazOMiCQSW7a2dwO1+5TNWtmYCei3SNPZuqZucvRPr
 9iSnZswJZb8KqyGyuJo6dQQhvurXgAM8LRglc6KIJ1NpyJCgPzyULYEYOvLyLHLo
 USvvivi5xFeUQy1x7w72Xu3dQ0Jg+i9nSDiAACM+ehCdVcKC0OcbFcvPJ06iH9V3
 RRdBUBJHHXSzklVHpo44iwZcmPNQNAWwM/vtlsrT9ln9fkgLeHG3zsScKOcv9fFw
 9YmtmZQkw9Zst5wghiOQsLhwsUndOPLLUbtiNGmUr1eKXeRYekFpO++HI/DwkWhN
 rFVJiHbMxIP0k7uk54sNPoHrXthfNiiFjOf4eZDV20xwVJ0xenmYpfW8XW447r3W
 C2dGRtRBbm598OCV0PzXFd1vIUKAr8b8fJwS3gZzZOH0uYbYr79AOn1cs2F//0M0
 MUXZo9LHfpfeGkMzimiPZj7lrZEI4LPAjYc1mnt4fXhuzPhYAinkcU3tQRY0T+ia
 4YqjdDtD3Q==
 =MhHp
 -----END PGP SIGNATURE-----

Merge tag 'io_uring-5.5-2020-01-16' of git://git.kernel.dk/linux-block

Pull io_uring fixes form Jens Axboe:

 - Ensure ->result is always set when IO is retried (Bijan)

 - In conjunction with the above, fix a regression in polled IO issue
   when retried (me/Bijan)

 - Don't setup async context for read/write fixed, otherwise we may
   wrongly map the iovec on retry (me)

 - Cancel io-wq work if we fail getting mm reference (me)

 - Ensure dependent work is always initialized correctly (me)

 - Only allow original task to submit IO, don't allow it from a passed
   ring fd (me)

* tag 'io_uring-5.5-2020-01-16' of git://git.kernel.dk/linux-block:
  io_uring: only allow submit from owning task
  io_uring: ensure workqueue offload grabs ring mutex for poll list
  io_uring: clear req->result always before issuing a read/write request
  io_uring: be consistent in assigning next work from handler
  io-wq: cancel work if we fail getting a mm reference
  io_uring: don't setup async context for read/write fixed
2020-01-17 11:25:45 -08:00
Linus Torvalds effaf90137 for-5.5-rc6-tag
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE8rQSAMVO+zA4DBdWxWXV+ddtWDsFAl4h7wwACgkQxWXV+ddt
 WDtFgxAAqanZ3wqq8xNqybfWmmFNrKtdkakErRuQFWe/+kZH59HuBifTbYeVMD4Z
 hFgveFJpBIqo7uMUxUItSTtHcr3qx7TP9ejGYOaQO997oNPxPQXuEY8Lq5ebDBVB
 89Gn+Eg/Q+uPvCJSctxx4dblSiGZKb3iOEh+lJuWJV4bj8beekcTrqsg01ZchPRO
 Ygk1ltW7Vpf0wVkdts4FKiKiwX02M2C9zxh9NQjpNwH1DMow4XtBPsbqHbiHzRym
 SoD4+0dbhfdnKkNnBTFEJBbjbZcYwM9EQnfiyVL+/hDMHX4XTetqeFN1G8usfXXX
 2kxvwttPUtluJqlQXQnUU4mQEA4p5ORTgGgw1WBF3h+Aezumkql+27Bd6aiDKGZz
 SPc9sveft60R23TxorlrYVqfADgyZKEaZ+2wEM99Xoz4OdvP7jkqDentJW9us1Xh
 Xmfovq5xcRY17f9tdhiwqH5vgwxrLgmjBvTm/kcGX3ImhU8Yxk8xKw1JoV0P9cjW
 7awK4l8pyPbOUhekdT8hYqWXlL/DXhAMHraV1zfBKIbu1omlGByeg23jNM2iS/0B
 YtRkEEen0tRHpuKLB08twTKCak94wObBamKNFE6Snt1cDudLwGDpUosazM9l4uPR
 2D3SHs7UWNgtvTRCfq2LVoRMRSR2BA1b19EkylUig4ay7khmZ2k=
 =2e9q
 -----END PGP SIGNATURE-----

Merge tag 'for-5.5-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux

Pull btrfs fixes from David Sterba:
 "A few more fixes that have been in the works during last twp weeks.
  All have a user visible effect and are stable material:

   - scrub: properly update progress after calling cancel ioctl, calling
     'resume' would start from the beginning otherwise

   - fix subvolume reference removal, after moving out of the original
     path the reference is not recognized and will lead to transaction
     abort

   - fix reloc root lifetime checks, could lead to crashes when there's
     subvolume cleaning running in parallel

   - fix memory leak when quotas get disabled in the middle of extent
     accounting

   - fix transaction abort in case of balance being started on degraded
     mount on eg. RAID1"

* tag 'for-5.5-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
  btrfs: check rw_devices, not num_devices for balance
  Btrfs: always copy scrub arguments back to user space
  btrfs: relocation: fix reloc_root lifespan and access
  btrfs: fix memory leak in qgroup accounting
  btrfs: do not delete mismatched root refs
  btrfs: fix invalid removal of root ref
  btrfs: rework arguments of btrfs_unlink_subvol
2020-01-17 11:21:05 -08:00
Greg Kroah-Hartman 453495d4e7 USB-serial fixes for 5.5-rc7
Here are a few fixes for issues related to unbound port devices which
 could lead to NULL-pointer dereferences. Notably the bind attributes for
 usb-serial (port) drivers are removed as almost none of the drivers can
 handle individual ports going away once they've been bound.
 
 Included are also some new device ids.
 
 All but the unbound-port fixes have been in linux-next with no reported
 issues.
 
 Signed-off-by: Johan Hovold <johan@kernel.org>
 -----BEGIN PGP SIGNATURE-----
 
 iHUEABYIAB0WIQQHbPq+cpGvN/peuzMLxc3C7H1lCAUCXiHp+QAKCRALxc3C7H1l
 CL7LAP0ebAAIpNu29R+K+fXCq/rnbAjulmmlfZH/E8rFPuk1lAD+N+XMGtpbABYm
 jO7G47KepbJsY+NkDu49xVoGtHDXUAk=
 =oImC
 -----END PGP SIGNATURE-----

Merge tag 'usb-serial-5.5-rc7' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus

Johan writes:

USB-serial fixes for 5.5-rc7

Here are a few fixes for issues related to unbound port devices which
could lead to NULL-pointer dereferences. Notably the bind attributes for
usb-serial (port) drivers are removed as almost none of the drivers can
handle individual ports going away once they've been bound.

Included are also some new device ids.

All but the unbound-port fixes have been in linux-next with no reported
issues.

Signed-off-by: Johan Hovold <johan@kernel.org>

* tag 'usb-serial-5.5-rc7' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial:
  USB: serial: quatech2: handle unbound ports
  USB: serial: keyspan: handle unbound ports
  USB: serial: io_edgeport: add missing active-port sanity check
  USB: serial: io_edgeport: handle unbound ports on URB completion
  USB: serial: ch341: handle unbound port at reset_resume
  USB: serial: suppress driver bind attributes
  USB: serial: option: add support for Quectel RM500Q in QDL mode
  USB: serial: opticon: fix control-message timeouts
  USB: serial: option: Add support for Quectel RM500Q
  USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx
2020-01-17 19:40:06 +01:00
Linus Torvalds ab7541c3ad fuse fixes for 5.5-rc7
-----BEGIN PGP SIGNATURE-----
 
 iHUEABYIAB0WIQSQHSd0lITzzeNWNm3h3BK/laaZPAUCXiF1QwAKCRDh3BK/laaZ
 POf9AQCoPHnT7oH1gYUHfZAhS4cYX72+v6F75gYKUce0/jSDPQEAhbcMhoo31aO2
 BGTXRkeCVtg77IhxUmhXCLoQYjpSoQc=
 =UOsx
 -----END PGP SIGNATURE-----

Merge tag 'fuse-fixes-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse

Pull fuse fix from Miklos Szeredi:
 "Fix a regression in the last release affecting the ftp module of the
  gvfs filesystem"

* tag 'fuse-fixes-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse:
  fuse: fix fuse_send_readpages() in the syncronous read case
2020-01-17 08:42:02 -08:00
Linus Torvalds 07d5ac6a12 sound fixes for 5.5-rc7
This became bigger than I have hoped for rc7.  But, the only large LOC
 is for stm32 fixes that are simple rewriting of register access
 helpers, while the rest are all nice and small fixes:
 
 - A few ASoC fixes for the remaining probe error handling bugs
 
 - ALSA sequencer core fix for racy proc file accesses
 
 - Revert the option rename of snd-hda-intel to make compatible again
 
 - Various device-specific fixes
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAl4gjbEOHHRpd2FpQHN1
 c2UuZGUACgkQLtJE4w1nLE8Pow/+KXlxZDprRwaW5jX23k7OOOdZOjyrM+XNNH1J
 ubCV5jHfZqT6FK2Ewo6ytxDOE7liiAZCs1r5D7of8sRHPVeMfgyRNdL4MbirR03n
 eGzREtynfPXymcnaKZuuantFNl4rq3ovwCUOTiqNgTdONZzakm3bISMf5RLF0SBU
 wuImY3PHepcjah3BXBTJHj8V9KpmDasd15DcrK0j/W+oS4eNnxSCoH4gzAwjAuDO
 v2bEsF/yXGDhriyl/squJjVBnNOkzn/fyRAQl7RGe8pNa4PWIvbAaqd5qaIch4EH
 perJfnvhB5SoB/s7mJ3jwnjA/vx0VKkCOw7Wufr/3+i1gKsuDbkvh8eaoN0/rnNk
 gn56hLux7nnbOW5uzVG12PekIf3T7uJMM7mMZGAMOeQpWK6xCpDHHlC/1rZd+idy
 SUgkqHEhQl9Qu5d7c7KkTy408FOzhaL4HZX5wqSghPUj2mFrWZGxpQvLlD1FYCE2
 NuFKzPNYaeLbUyhJJ2HBmjEov0R3ASZzVYx/fRarc+JET7jI/hyWfBJ+oe1qy1Ff
 X7gDrLpbXd61lgtCALlv9K1v5Ap7FSkAEXiHI4jtj/9m0yN/XTp5pqjd4itW7ZR9
 2EuQrsysh1JimFBauNdLVRCPooPkAqiEeWscMjqgBth2l7BhinYoXIMcA+fchUgC
 up9VJeQ=
 =M4pi
 -----END PGP SIGNATURE-----

Merge tag 'sound-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "This became bigger than I have hoped for rc7. But, the only large LOC
  is for stm32 fixes that are simple rewriting of register access
  helpers, while the rest are all nice and small fixes:

   - A few ASoC fixes for the remaining probe error handling bugs

   - ALSA sequencer core fix for racy proc file accesses

   - Revert the option rename of snd-hda-intel to make compatible again

   - Various device-specific fixes"

* tag 'sound-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: seq: Fix racy access for queue timer in proc read
  ALSA: usb-audio: fix sync-ep altsetting sanity check
  ASoC: msm8916-wcd-digital: Reset RX interpolation path after use
  ASoC: msm8916-wcd-analog: Fix MIC BIAS Internal1
  ASoC: cros_ec_codec: Make the device acpi compatible
  ASoC: sti: fix possible sleep-in-atomic
  ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1
  ASoC: hdac_hda: Fix error in driver removal after failed probe
  ASoC: SOF: Intel: fix HDA codec driver probe with multiple controllers
  ASoC: SOF: Intel: lower print level to dbg if we will reinit DSP
  ALSA: dice: fix fallback from protocol extension into limited functionality
  ALSA: firewire-tascam: fix corruption due to spin lock without restoration in SoftIRQ context
  ALSA: hda: Rename back to dmic_detect option
  ASoC: stm32: dfsdm: fix 16 bits record
  ASoC: stm32: sai: fix possible circular locking
  ASoC: Fix NULL dereference at freeing
  ASoC: Intel: bytcht_es8316: Fix Irbis NB41 netbook quirk
  ASoC: rt5640: Fix NULL dereference on module unload
2020-01-17 08:38:35 -08:00
Johan Hovold 9715a43eea USB: serial: quatech2: handle unbound ports
Check for NULL port data in the modem- and line-status handlers to avoid
dereferencing a NULL pointer in the unlikely case where a port device
isn't bound to a driver (e.g. after an allocation failure on port
probe).

Note that the other (stubbed) event handlers qt2_process_xmit_empty()
and qt2_process_flush() would need similar sanity checks in case they
are ever implemented.

Fixes: f7a33e608d ("USB: serial: add quatech2 usb to serial driver")
Cc: stable <stable@vger.kernel.org>     # 3.5
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
2020-01-17 16:22:59 +01:00