Commit Graph

810781 Commits

Author SHA1 Message Date
Tom Roeder
3a33d030da kvm: x86/vmx: Use kzalloc for cached_vmcs12
This changes the allocation of cached_vmcs12 to use kzalloc instead of
kmalloc. This removes the information leak found by Syzkaller (see
Reported-by) in this case and prevents similar leaks from happening
based on cached_vmcs12.

It also changes vmx_get_nested_state to copy out the full 4k VMCS12_SIZE
in copy_to_user rather than only the size of the struct.

Tested: rebuilt against head, booted, and ran the syszkaller repro
  https://syzkaller.appspot.com/text?tag=ReproC&x=174efca3400000 without
  observing any problems.

Reported-by: syzbot+ded1696f6b50b615b630@syzkaller.appspotmail.com
Fixes: 8fcc4b5923
Cc: stable@vger.kernel.org
Signed-off-by: Tom Roeder <tmroeder@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-01-25 18:53:10 +01:00
Sean Christopherson
85ba2b165d KVM: VMX: Use the correct field var when clearing VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL
Fix a recently introduced bug that results in the wrong VMCS control
field being updated when applying a IA32_PERF_GLOBAL_CTRL errata.

Fixes: c73da3fcab ("KVM: VMX: Properly handle dynamic VM Entry/Exit controls")
Reported-by: Harald Arnesen <harald@skogtun.org>
Tested-by: Harald Arnesen <harald@skogtun.org>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-01-25 18:52:54 +01:00
Alexander Popov
5cc244a20b KVM: x86: Fix single-step debugging
The single-step debugging of KVM guests on x86 is broken: if we run
gdb 'stepi' command at the breakpoint when the guest interrupts are
enabled, RIP always jumps to native_apic_mem_write(). Then other
nasty effects follow.

Long investigation showed that on Jun 7, 2017 the
commit c8401dda2f ("KVM: x86: fix singlestepping over syscall")
introduced the kvm_run.debug corruption: kvm_vcpu_do_singlestep() can
be called without X86_EFLAGS_TF set.

Let's fix it. Please consider that for -stable.

Signed-off-by: Alexander Popov <alex.popov@linux.com>
Cc: stable@vger.kernel.org
Fixes: c8401dda2f ("KVM: x86: fix singlestepping over syscall")
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-01-25 18:52:53 +01:00
Vitaly Kuznetsov
9699f970de x86/kvm/hyper-v: don't announce GUEST IDLE MSR support
HV_X64_MSR_GUEST_IDLE_AVAILABLE appeared in kvm_vcpu_ioctl_get_hv_cpuid()
by mistake: it announces support for HV_X64_MSR_GUEST_IDLE (0x400000F0)
which we don't support in KVM (yet).

Fixes: 2bc39970e9 ("x86/kvm/hyper-v: Introduce KVM_GET_SUPPORTED_HV_CPUID")
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-01-25 18:52:34 +01:00
Linus Torvalds
d7393226d1 First 5.0 rc pull request
Not much so far, but I'm feeling like the 2nd PR -rc will be larger than
 this. We have the usual batch of bugs and two fixes to code merged this cycle.
 
 - Restore valgrind support for the ioctl verbs interface merged this window,
   and fix a missed error code on an error path from that conversion
 
 - A user reported crash on obsolete mthca hardware
 
 - pvrdma was using the wrong command opcode toward the hypervisor
 
 - NULL pointer crash regression when dumping rdma-cm over netlink
 
 - Be conservative about exposing the global rkey
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEfB7FMLh+8QxL+6i3OG33FX4gmxoFAlxBTeMACgkQOG33FX4g
 mxrOIQ//YdZdU9J825DM4ppH/MWRoPgayI+cca5sW2EG/nkgsvFJoiVDDK5/ka1g
 ge5Q21ZLMSPCBR0Iu/e/JOq6fJI4fsbcJGZURbyKgRZqyCBCf6qJbhiZKifpQMVb
 w7RP8kRFRdaiQzkAYfZSv9TP93JLvTDLg6zZ74r4vc8YphIzkI410v568hs6FiVu
 MIcb53pBWUswpCAnBVB+54sw+phJyjd02kmY4xTlWmiEzwHBb0JQ+Kps72/G0IWy
 0vOlDI1UjwqoDfThzyT7mcXqnSbXxg/e8EecMpyFzlorQyxgZ5TsJgQ8ubSYxuiQ
 7+dZ4rsdoZD++3MGtpmqDMQzKSPb989WzJT8WLp5oSw4ryAXeJJ+tys/APLtvPkf
 EgKgVyEqfxMDXn02/ENwDPpZyKLZkhcHFLgvfYmxtlDvtai/rvTLmzV1mptEaxlF
 +2pwSQM4/E/8qrLglN9kdFSfjBMb7Bvd2NYQqZ9vah2omb7gPsaTEEpVw6l/E0NX
 oOxFKPEzb0nP9KmJmwO8KLCvcrruuRL8kpmhc6sQMQJ6z0h4hmZrHF5EZZH92g0p
 maHyrx66vqw/Yl+TLvAb/T6FV1ax5c1TauiNErAjnag2wgVWW42Q7lQzSFLFI8su
 GU8oRlbIclDQ/1bszsf0IShq0r9G17+2n6yyTX39rj62YioiDlI=
 =ymZq
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma

Pull rdma fixes frfom Jason Gunthorpe:
 "Not much so far. We have the usual batch of bugs and two fixes to code
  merged this cycle:

   - Restore valgrind support for the ioctl verbs interface merged this
     window, and fix a missed error code on an error path from that
     conversion

   - A user reported crash on obsolete mthca hardware

   - pvrdma was using the wrong command opcode toward the hypervisor

   - NULL pointer crash regression when dumping rdma-cm over netlink

   - Be conservative about exposing the global rkey"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
  RDMA/uverbs: Mark ioctl responses with UVERBS_ATTR_F_VALID_OUTPUT
  RDMA/mthca: Clear QP objects during their allocation
  RDMA/vmw_pvrdma: Return the correct opcode when creating WR
  RDMA/cma: Add cm_id restrack resource based on kernel or user cm_id type
  RDMA/nldev: Don't expose unsafe global rkey to regular user
  RDMA/uverbs: Fix post send success return value in case of error
2019-01-18 17:17:20 +12:00
Linus Torvalds
1092a94fcb drm amdgpu, i915 gvt, sun4i, meson, rockchip, qxl, virtio fixes
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJcQRsZAAoJEAx081l5xIa+oKMP/A6jc+SmQgss3TD3WsrIMNUJ
 QoeKh5KQZqPDsz4sSQ27J6UIDKWuX9ZkzhOOgpKLECKK8CK5xpf14cKKwacyfW05
 8E9gB1kq4SRRNQxUvgrh6g3o3DHSanGtZUywMFN56MGfSxPMWytfzmQNDZ5XvAE5
 OrpRW+Nizs8uSrgvfoZoKOVuCaNVkZFxOTYXWwIPSJxmSuxGoX0nTnTdl0lNCSdE
 gSK82TIAxibfkeJ0K1MXCLbYTWXIvuoZY/JCWJ6wDAd21eK8IszsmVmn7Ou6q/sY
 aFNbKlaPuzdVe9MMRScAQLOBaoZSbiaIVA9UXXK/XR12K3Sqb6XU+NiRtrMWE5XF
 7Z8fkPCrfDG8oelcZW1iRRuZyL82I91xh7j+B20X+GMdHs+A+fT2YKLxbJBk1BMT
 3S/FdGfAnMqezgXDpqeoeYXoEsCaYtIls442FVcXSvQdOt7BjGlzXr+FBLFmvums
 4JL0yvcSTgo85N/hcM3FWLlBYVD6D65+fM42wPqyl05FgUTHF+Ev9503EjxsxQF6
 yCU4bsixnhxE21/v/Tw5Vhe3DU+zZqBWNpSocaWCfj7cyl1rDirZPbr/Tr6yuWgx
 mTR/B4tNGFiXsiPdQwmIGRSKWOWz+wDT7B9apKdIyn++hyFz6Rh/IScZFzqso5w8
 dq522vKrWbP5Jl/sA5GX
 =hgg/
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-2019-01-18' of git://anongit.freedesktop.org/drm/drm

Pull drm fixes from Dave Airlie:
 "The rc3 fixes are a bit scattered:

   - meson, sun4i and rockchip all had missing of_node_put.

   - qxl and virtio both were advertising dma-buf to userspace when they
     really shouldn't have.

  Otherwise:

  meson:
   - modesetting regression fix

  i915 GVT:
   - one cmd parser failure fix
   - region cleanup fix in vGPU destroy

  amdgpu:
   - KFD fixes for arm64 mixed APU/DGPU
   - vega12 powerplay fix
   - raven DC fixes
   - freesync fix"

* tag 'drm-fixes-2019-01-18' of git://anongit.freedesktop.org/drm/drm:
  drm/amd/display: Detach backlight from stream
  drm/sun4i: backend: add missing of_node_puts
  Revert "drm/amdgpu: validate user pitch alignment"
  Revert "drm/amdgpu: validate user GEM object size"
  drm/meson: Fix atomic mode switching regression
  drm/i915/gvt: Fix mmap range check
  drm/i915/gvt: free VFIO region space in vgpu detach
  drm/amd/display: Fix disabled cursor on top screen edge
  drm/amd/display: fix warning on raven hotplug
  drm/amd/display: fix PME notification not working in RV desktop
  drm/amd/display: Only get the connector state for VRR when toggled
  drm/amd/display: Pack DMCU iRAM alignment
  drm/amd/powerplay: run acg btc for Vega12
  drm/amdkfd: Don't assign dGPUs to APU topology devices
  drm/amdkfd: Allow building KFD on ARM64 (v2)
  drm/meson: add missing of_node_put
  drm/virtio: drop prime import/export callbacks
  drm/qxl: drop prime import/export callbacks
  drm/i915/gvt: Allow F_CMD_ACCESS on mmio 0x21f0
  drm/rockchip: add missing of_node_put
2019-01-18 17:14:02 +12:00
Linus Torvalds
2451f3717c LED fix for 5.0-rc3
-----BEGIN PGP SIGNATURE-----
 
 iHUEABYIAB0WIQQUwxxKyE5l/npt8ARiEGxRG/Sl2wUCXED1agAKCRBiEGxRG/Sl
 2125AP4+hSXiVYvxgQg4zeAHzd00GKAIcYTudrzZ/iX5E19UlQD7B3h7HiTgvNIo
 QOvU+0PChsk/qwg1+Ztw8Gw3WZxl/wM=
 =I9ym
 -----END PGP SIGNATURE-----

Merge tag 'led-fix-for-5.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds

Pull LED fix from Jacek Anaszewski.

* tag 'led-fix-for-5.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds:
  leds: lp5523: fix a missing check of return value of lp55xx_read
2019-01-18 16:58:07 +12:00
Linus Torvalds
0a2fbed84a hwmon fixes for v5.0-rc3
Minor fixes/regressions.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJcQOvDAAoJEMsfJm/On5mBKZgP/22R1XvbJtr7UYCukAe4auoq
 qnwFClb4CXn2sw0z7nLid4lOHEaw9QRu6QycDH8oUCb4osO/TzHAuRhROfiie7cV
 0l54IdTsQ206qw+zKuYExg0l5rRrdqlGgyRvW22R/hhseMFG7BDMIfL+osT3RY+r
 q/rJyRl2S+XojEvi58zPgEr0bVpxudkvmppXNJl5fdPVeo1lschcNgMPrCrAB+4D
 WhQserDi4biW50SWLMWF/cvmM50IfdYmwMM1fHJi6Win29SkM1cDKAOb4HR4z5K1
 xvRDLnwHTz60nOWSEcvjVH68uJB/bRuQUjolw8hjRUmvU1Iv/PyMvQy8n0XYLsMn
 5AtMwUKFc16kdclvRWljRpBx2TUtthgHEDllpiK0Z/u0INMEYyxJ6sZAEr6VQWTR
 yIQyZHAx1vm3+b51MrLlJDETDaAVKO/bbw/jEDyR9wOGePW79al2HTusBiCjaMbo
 5XdnpvSDv60c52nc72UlI7XqkttAYO9EpJwlwtv9WbZNdKIzlfCgJZumTG81GNo4
 tLsmcUnCPL4W1zUV//g0CEoaUtU3s95mW01sjf9GBCxbAhFtOTg0yNzXfRF0/sYz
 ekMPePOQw5MinCUaN4n8ACPDRkVI5HAvrGT2JfQ85Hgyz+yIwSCjLrsTeOb/LjEs
 qHgyRy6drkUkgzlfdTqy
 =kzWH
 -----END PGP SIGNATURE-----

Merge tag 'hwmon-for-v5.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging

Pull hwmon fixes from Guenter Roeck:
 "Minor fixes/regressions"

* tag 'hwmon-for-v5.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
  hwmon: (tmp421) Correct the misspelling of the tmp442 compatible attribute in OF device ID table
  hwmon: (occ) Fix potential integer overflow
  hwmon: (lm80) Fix missing unlock on error in set_fan_div()
  hwmon: (nct6775) Enable IO mapping for NCT6797D and NCT6798D
  hwmon: (nct6775) Fix chip ID for NCT6798D
2019-01-18 16:55:49 +12:00
Dave Airlie
df0219b4f9 drm-misc-fixes for v5.0-rc3:
- Add missing calls to of_node_put to sun4i, meson, and rockchip.
 - Drop unimplemented prime callbacks in virtio and qxl, so support
   for prime is not advertised on those drivers.
 - Fix mode switching regression in meson.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEuXvWqAysSYEJGuVH/lWMcqZwE8MFAlxAYYYACgkQ/lWMcqZw
 E8PfkBAAixwwfhomr9XxcKZutV7BU3rcaq4CKpZb9hD1SGlRCHxFeilVhsfizXKe
 t8XPrf1wD589XC76XwDH/4qXQNWm2C89C7SUNt0KUULmnREDY1dRwy/QZeHtNXBg
 DoEwCaOPa8/fJZNTZ+d0nkNgiXkdWMAWie+1Z4TZKoRJ6vVqweMi3zaSDcFEXi23
 +gzsm2ueZ6qxXGP6YXNsMOVQmyXDaRe4n8xn2iO2ixSztVeywUyoBV4jlepxr7c8
 nwJwy0N7QUFI3QXlGezO7yBo1XZ6noeFfIAnDVL6U+zaDui1yjvJ0oYM5+nL1P8P
 HgolR96xJOYk9QA7uqPDA+c/w2DCaQ/VlxVaGZYXYh+oE7tpQCKKeTA7pUSMGFqR
 1FnigdQCKIKv+SdF1Gh1BdfZnje6kfKDcPYsBhUPv9oB83FvAXII7hQj7ITykgLt
 ExVS/WDUIWnICruJdo0E7QpzQ2AMjQgkvS4wd94aOodSab0GRkSdrGEdH/YR+xGv
 wvNJKwslizUC995G61OjWsbRPWd9mAg9SD/wn2L5nPKgZZ8hBapViGtQpz7b3fWS
 J+GeYdchueCISxP2zqgnQCLwEWoXq26EXC3x+yEOWxzl/pV+HJMl70HGsrq7nflA
 9I9eA0gk9Nx38o76yMJ/CQCp2k9LCzRqFwQMtkw6h6ZmYWlrdng=
 =r2rK
 -----END PGP SIGNATURE-----

Merge tag 'drm-misc-fixes-2019-01-17' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes

drm-misc-fixes for v5.0-rc3:
- Add missing calls to of_node_put to sun4i, meson, and rockchip.
- Drop unimplemented prime callbacks in virtio and qxl, so support
  for prime is not advertised on those drivers.
- Fix mode switching regression in meson.

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/9af07312-f435-2fda-65a2-9fe92cdf5da4@linux.intel.com
2019-01-18 09:14:45 +10:00
Dave Airlie
4ac4cb70d1 drm/i915/gvt fixes for v5.0-rc3
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEFWWmW3ewYy4RJOWc05gHnSar7m8FAlxAVlYACgkQ05gHnSar
 7m/1/Q//ZwPlIUbWOS+PFklfoY9c0APwMWKzrnnDOxvnpA8KRsaY+yKn5FW91fcZ
 ee9S1fUlySuKVpsWLKhoiVM04tU+gQmO+UeGvNbMG1yTHIOq97sAP/cSIPnOuDkW
 2d1vSihmnx/RSuEgd9E+a8yMoIF+PtXKcSl4nUT4nurYPiUvC12nqS/C9sfF5JP0
 ZQc68ATj9wjJlhenAPjgsr6GP2YOzr9yqAQ1xV/PEg4Gth9uFM+dbbn+8vBOkjCt
 5fiB66cS8aGN5jwOlafqsMKjQeKHdV5bpJjpWirB9vdkiDHk/wOlzOUc2ySp0Krg
 1mJUL0KyWs6PfQvZvXCalQTOq9l6enCbq4N58/l4cC4LBU2Nx7LW7GwmHt9ONxjB
 aBQjTd2gku/DFyYHjCv7zAyHVLTu0TRWJpRlZGP5IpvECK21uFz8OtiiecoCvdm1
 bdQLr3cMXpT8JwLIr/N1lvMQTThFFvBCrnSruqbAikHFrZNkacczw7IqMUWQnsri
 SNTJ4s2hy6eThAIGGR61kXfnymKZ8GDKUYzi+De0OPaQ3VYFqaGQQk+1VkXpr0Qk
 S+r8oawzx5/FlDKZJqcDAXSaROcvFpbpVys+UozVp22lu/PPTwW0ReDG5uGQw/le
 tgEim6CnBj7wpDOZ4DOlH9npLbIvTrQ7M1HgjJ9DJ4DbNWu+R/s=
 =cHcP
 -----END PGP SIGNATURE-----

Merge tag 'drm-intel-fixes-2019-01-17' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes

drm/i915/gvt fixes for v5.0-rc3

"This contains one cmd parser failure fix to allow cmd access for one
register, and fix region cleanup properly in vGPU destroy, and another
fix for critical mmap size check mistake."

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Jani Nikula <jani.nikula@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/87ef9bfusc.fsf@intel.com
2019-01-18 09:13:14 +10:00
Dave Airlie
586cdb0db7 Merge branch 'drm-fixes-5.0' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
Fixes for 5.0:
- Fix KFD on ARM64
- Fix KFD topology with mixed APU and dGPU systems
- Powerplay fix for vega12
- DC Raven fixes
- Freesync fix

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Alex Deucher <alexdeucher@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190116224524.3314-1-alexander.deucher@amd.com
2019-01-18 09:10:21 +10:00
Kangjie Lu
248b57015f leds: lp5523: fix a missing check of return value of lp55xx_read
When lp55xx_read() fails, "status" is an uninitialized variable and thus
may contain random value; using it leads to undefined behaviors.

The fix inserts a check for the return value of lp55xx_read: if it
fails, returns with its error code.

Signed-off-by: Kangjie Lu <kjlu@umn.edu>
Signed-off-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
2019-01-17 22:27:39 +01:00
Cheng-Min Ao
f422449b58 hwmon: (tmp421) Correct the misspelling of the tmp442 compatible attribute in OF device ID table
Correct a typo in OF device ID table
The last one should be 'ti,tmp442'

Signed-off-by: Cheng-Min Ao <tony_ao@wiwynn.com>
Signed-off-by: Yu-Hsiang Chen <matt_chen@wiwynn.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
2019-01-17 12:54:52 -08:00
Linus Torvalds
a3a80255d5 AFS fixes
-----BEGIN PGP SIGNATURE-----
 
 iQIVAwUAXECcyPu3V2unywtrAQIpGw//ctcGHg2sfUEra17pvlKEbpZe9bMeJxp6
 UY2YR5gPpiYMmvNe8hLl3I68b43h03jGOx+KmqowqX7anNq3o2nMy0pDbuGmKtuS
 5NmIOECAml8k2uPSpacAF2s6TsxB2lTDYwZdyeuRmZ4scOTujNby33RlijGIxX4s
 87WJFRuCacm9I1KkiKKn4PWoYGjDdsZ7rsDyEeBmQ/MiKOSLG4QP5XuNr4X9zFMX
 r8uF3N8h/NzJWefEirc2DPFfiWLJqkyclq9tgsTB1Z3l+x5u/MHnIg3rZpZhH0uC
 GhGWjlGYqTxOwzYCaOOsNIDRF4rAGPi3lzuJXjONnhvbOO7DCGJ+Mo2obxkAqLL6
 PrtFuQvgXIOl/k8y6AdckuPPu/OMHT1hyY0PQXmTGhHAAfPP3RHoPl7owEjmAbRg
 hvRkFDSIKZ4Kr1nKP4vwaJYEKtxUQrkOwZKmN6ve31ZeJsyrH12MsCgWvp7oQwRJ
 fVbk8DWVRtYzy4RaO3Xr+0WfD+03dDi6KKCPPiC2gtNKOO+1Kco/EtIqPi6SXg0m
 ee/mFOkRsmEh++iNxS58qLxH37On6GSYOElSIMN0NJDNA2TzLrvidXlMSOTD1hj4
 n6gL38E3br/CIimKPYm87qi6yC59CAtrJCulYiPOoMc20eaEUP4DIXN8yjgjLNQp
 Hj5M9GRTwXk=
 =cUrU
 -----END PGP SIGNATURE-----

Merge tag 'afs-fixes-20190117' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs

Pull AFS fixes from David Howells:
 "Here's a set of fixes for AFS:

   - Use struct_size() for kzalloc() size calculation.

   - When calling YFS.CreateFile rather than AFS.CreateFile, it is
     possible to create a file with a file lock already held. The
     default value indicating no lock required is actually -1, not 0.

   - Fix an oops in inode/vnode validation if the target inode doesn't
     have a server interest assigned (ie. a server that will notify us
     of changes by third parties).

   - Fix refcounting of keys in file locking.

   - Fix a race in refcounting asynchronous operations in the event of
     an error during request transmission. The provision of a dedicated
     function to get an extra ref on a call is split into a separate
     commit"

* tag 'afs-fixes-20190117' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
  afs: Fix race in async call refcounting
  afs: Provide a function to get a ref on a call
  afs: Fix key refcounting in file locking code
  afs: Don't set vnode->cb_s_break in afs_validate()
  afs: Set correct lock type for the yfs CreateFile
  afs: Use struct_size() in kzalloc()
2019-01-18 06:27:24 +12:00
Linus Torvalds
6d060fa390 Merge branch 'stable/for-linus-5.0' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/swiotlb
Pull swiotlb fix from Konrad Rzeszutek Wilk:
 "A tiny fix for v5.0-rc2:

  This fixes an issue with GPU cards not working anymore with the DMA
  mapping work Christopher did - as the SWIOTLB is initialized first and
  then free'd (as IOMMU is available) but we forgot to clear our start
  and end entries which are used and BOOM"

* 'stable/for-linus-5.0' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/swiotlb:
  swiotlb: clear io_tlb_start and io_tlb_end in swiotlb_exit
2019-01-18 06:22:08 +12:00
Linus Torvalds
e4484a4955 Kbuild fixes for v5.0
- clean generated files in scripts/kconfig/ by 'make mrproper'
 
  - fix conflict between dead code elimination and ftrace for GCC <= 4.7
 
  - fix external module build with CONFIG_STACKPROTECTOR
 
  - remove unused code
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJcQJS3AAoJED2LAQed4NsGkxQP/jBhAKwA4UGUiMexS/yV5bMj
 nb4uvZkRvd/3uoKChCZ0ljFg3SU+qevmmOG+hkqVfictM/ilinI4+3IrHvFWKJ8K
 lKG7BfYJRO0Af2cJ+7rlT5C8hSDRK8C3R43mfy1L6QR8LjqBU/u7ORs0fPPXbdJN
 Rr99UZgM1VUmaqfVRxtujM9jogihGjDSGElZ8a5dKe1tCjKjSlFr5I9VdTxthJR0
 6qVl1RE/+lgO5iiAdI0DRKmnq4jtK5hQU4+2EL/Ir0FAJORZ7Kp6ilh7UVAMislk
 rF/91f7rpDafDZnx7SzoP+sdPuiyT1vygzSbjLbFVZ4iXBZMjtRqdmYmWMTknKZQ
 KjqqoYXSCwgD4tVJg4CD8USnrFHPBEhLGGhI7tH2lcuRJT8d0xPkfXTmqT+2QOIs
 ETF3r0mwbV7tqjwVbGHBJ+SBI1HZ9s00kxzg6coTnkl6GQPSs0FWxUJhhOWF1jzB
 G2+sT/AhqjsuuJndF8jgLwcd+ncrzO5V1wNrbv5LQ49smwRddiE3tVCXy0NV5pQD
 pqaDybt8MQfOGrWsf6xDbrKXy4a1tVcxrFCERU8Ihw8/Q4Vvr9bLqaGt05CtVwgi
 lj7enlRJmRpz5B1ZvGRttYWRycKP8V+rsMKJmPdrdwxul6FC+QpGV9Cdnt87vbK0
 P+512kpmGJX4oe3BOaww
 =16cD
 -----END PGP SIGNATURE-----

Merge tag 'kbuild-fixes-v5.0' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild

Pull Kbuild fixes from Masahiro Yamada:

 - clean generated files in scripts/kconfig/ by 'make mrproper'

 - fix conflict between dead code elimination and ftrace for GCC <= 4.7

 - fix external module build with CONFIG_STACKPROTECTOR

 - remove unused code

* tag 'kbuild-fixes-v5.0' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
  kbuild: mark prepare0 as PHONY to fix external module build
  openrisc: remove unneeded code in arch/openrisc/Makefile
  nds32: remove unneeded code in arch/nds32/Makefile
  ia64: remove redundant 'export AWK'
  kbuild: remove unused archmrproper
  kbuild: remove unused baseprereq
  kbuild: Disable LD_DEAD_CODE_DATA_ELIMINATION with ftrace & GCC <= 4.7
  kconfig: clean generated *conf-cfg files
2019-01-18 06:20:09 +12:00
Linus Torvalds
d471c4dfa1 Devicetree fixes for v5.0:
- Remove now unused struct device_node.type pointer
 
 - Fix meson-axg reset header SPDX tag
 
 - Add missing of_node_put in of_graph_get_remote_port_parent
 
 - Fix several binding doc file references and typos
 -----BEGIN PGP SIGNATURE-----
 
 iQJEBAABCgAuFiEEktVUI4SxYhzZyEuo+vtdtY28YcMFAlw/fpIQHHJvYmhAa2Vy
 bmVsLm9yZwAKCRD6+121jbxhw1QHD/9Qd6HF6S0hGIyYhcIDjJPRKLpQaMGeOToc
 MqUXF+UnK4QajMo8spmhYsSQmkzg0TXEDkc9DxVF0Jw9sluho+c9vdycxwmf6DqU
 VF2x1tVqWMOfgcBBCLWkC3pHeq98JQfwEnFVUWKjYpanFN7Y5G9GMnBnkQAfUJ62
 pW7ScprcWa9xKNdWXbf9cas7RF4YAaoLcxrWaAZTbx/c0DaDl5taA4w2Vule6PfU
 v9V4fstaemxwVsXdkLxmsfsdI9RsBNFYvePA0D1E7rAZ2n6FnYrlfdYDN4ZYXepu
 8CXBgONA26hq1/K/m7sulRZoeAZ4rU82ytF+bOOq8BhTdveAydqPfwk3j7D3edkp
 Jh93KaqBbyZ9MUdf7dbvl5camct/Nj/8fVB77cZkE3TDLHZRp3M8OW/S4RrQ+34e
 Xecuofz1Xb6YL2Fk69UI7AE/RhWMzGTpq74wWgqQ+CHb4CyjJ2l5NI2pWW7YnKFa
 VzOi7ws7KUfHp3slJHf+dAAp01yYmA4nKL5iOBeqv8kQHvZUrHgtxKCI3Ve97qeQ
 tm0gksdvvxVI4sOVOdXLfU3j9oB6+X7HnwihAWbIlCkvNQxrzXus+I9Z70qdUS3/
 gGOQaY4kx/hDk2ucEUUitIDdoMSnx/dovHS/nMN/zS5APePigCVRDSOV3YejW2Gm
 2iwU22AJYw==
 =tHMW
 -----END PGP SIGNATURE-----

Merge tag 'devicetree-fixes-for-5.0' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux

Pull Devicetree fixes from Rob Herring:

 - Remove now unused struct device_node.type pointer

 - Fix meson-axg reset header SPDX tag

 - Add missing of_node_put in of_graph_get_remote_port_parent

 - Fix several binding doc file references and typos

* tag 'devicetree-fixes-for-5.0' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
  dt-bindings: reset: meson-axg: fix SPDX license id
  dt-bindings: soc: qcom: Fix trivial language typos
  doc: gpio-mvebu: fix broken reference to cp110-system-controller0.txt file
  OF: properties: add missing of_node_put
  doc: bindings: fix bad reference to ARM CPU bindings
  dt-bindings: marvell,mmp2: fix typos in bindings doc
  of: Remove struct device_node.type pointer
2019-01-18 06:15:28 +12:00
David Howells
34fa47612b afs: Fix race in async call refcounting
There's a race between afs_make_call() and afs_wake_up_async_call() in the
case that an error is returned from rxrpc_kernel_send_data() after it has
queued the final packet.

afs_make_call() will try and clean up the mess, but the call state may have
been moved on thereby causing afs_process_async_call() to also try and to
delete the call.

Fix this by:

 (1) Getting an extra ref for an asynchronous call for the call itself to
     hold.  This makes sure the call doesn't evaporate on us accidentally
     and will allow the call to be retained by the caller in a future
     patch.  The ref is released on leaving afs_make_call() or
     afs_wait_for_call_to_complete().

 (2) In the event of an error from rxrpc_kernel_send_data():

     (a) Don't set the call state to AFS_CALL_COMPLETE until *after* the
     	 call has been aborted and ended.  This prevents
     	 afs_deliver_to_call() from doing anything with any notifications
     	 it gets.

     (b) Explicitly end the call immediately to prevent further callbacks.

     (c) Cancel any queued async_work and wait for the work if it's
     	 executing.  This allows us to be sure the race won't recur when we
     	 change the state.  We put the work queue's ref on the call if we
     	 managed to cancel it.

     (d) Put the call's ref that we got in (1).  This belongs to us as long
     	 as the call is in state AFS_CALL_CL_REQUESTING.

Fixes: 341f741f04 ("afs: Refcount the afs_call struct")
Signed-off-by: David Howells <dhowells@redhat.com>
2019-01-17 15:17:28 +00:00
David Howells
7a75b0079a afs: Provide a function to get a ref on a call
Provide a function to get a reference on an afs_call struct.

Signed-off-by: David Howells <dhowells@redhat.com>
2019-01-17 15:17:28 +00:00
David Howells
59d49076ae afs: Fix key refcounting in file locking code
Fix the refcounting of the authentication keys in the file locking code.
The vnode->lock_key member points to a key on which it expects to be
holding a ref, but it isn't always given an extra ref, however.

Fixes: 0fafdc9f88 ("afs: Fix file locking")
Signed-off-by: David Howells <dhowells@redhat.com>
2019-01-17 15:17:28 +00:00
Marc Dionne
4882a27cec afs: Don't set vnode->cb_s_break in afs_validate()
A cb_interest record is not necessarily attached to the vnode on entry to
afs_validate(), which can cause an oops when we try to bring the vnode's
cb_s_break up to date in the default case (ie. no current callback promise
and the vnode has not been deleted).

Fix this by simply removing the line, as vnode->cb_s_break will be set when
needed by afs_register_server_cb_interest() when we next get a callback
promise from RPC call.

The oops looks something like:

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
    ...
    RIP: 0010:afs_validate+0x66/0x250 [kafs]
    ...
    Call Trace:
     afs_d_revalidate+0x8d/0x340 [kafs]
     ? __d_lookup+0x61/0x150
     lookup_dcache+0x44/0x70
     ? lookup_dcache+0x44/0x70
     __lookup_hash+0x24/0xa0
     do_unlinkat+0x11d/0x2c0
     __x64_sys_unlink+0x23/0x30
     do_syscall_64+0x4d/0xf0
     entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: ae3b7361dc ("afs: Fix validation/callback interaction")
Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
Signed-off-by: David Howells <dhowells@redhat.com>
2019-01-17 15:15:52 +00:00
Masahiro Yamada
e00d888048 kbuild: mark prepare0 as PHONY to fix external module build
Commit c3ff2a5193 ("powerpc/32: add stack protector support")
caused kernel panic on PowerPC when an external module is used with
CONFIG_STACKPROTECTOR because the 'prepare' target was not executed
for the external module build.

Commit e07db28eea ("kbuild: fix single target build for external
module") turned it into a build error because the 'prepare' target is
now executed but the 'prepare0' target is missing for the external
module build.

External module on arm/arm64 with CONFIG_STACKPROTECTOR_PER_TASK is
also broken in the same way.

Move 'PHONY += prepare0' to the common place. GNU Make is fine with
missing rule for phony targets. I also removed the comment which is
wrong irrespective of this commit.

I minimize the change so it can be easily backported to 4.20.x

To fix v4.20, please backport e07db28eea ("kbuild: fix single target
build for external module"), and then this commit.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=201891
Fixes: e07db28eea ("kbuild: fix single target build for external module")
Fixes: c3ff2a5193 ("powerpc/32: add stack protector support")
Fixes: 189af46571 ("ARM: smp: add support for per-task stack canaries")
Fixes: 0a1213fa74 ("arm64: enable per-task stack canaries")
Cc: linux-stable <stable@vger.kernel.org> # v4.20
Reported-by: Samuel Holland <samuel@sholland.org>
Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
2019-01-17 23:42:59 +09:00
Masahiro Yamada
1b504a7bb1 openrisc: remove unneeded code in arch/openrisc/Makefile
- LDFLAGS_vmlinux is cleared by the top Makefile

 - 'all: vmlinux' is specified by the top Makefile

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
2019-01-17 23:42:59 +09:00
Masahiro Yamada
558ee616d1 nds32: remove unneeded code in arch/nds32/Makefile
- scripts/Kbuild.include already defined 'comma'

 - The top Makefile has 'PHONY += FORCE'

 - include/asm-*/ was moved to arch/*/include/asm/ a decade ago

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
2019-01-17 23:42:37 +09:00
Jani Nikula
15c05196ff Merge tag 'gvt-fixes-2018-01-17' of https://github.com/intel/gvt-linux into drm-intel-fixes
gvt-fixes-2018-01-17

- Fix one register cmd parser failure (Colin)
- Fix region cleanup for vGPU destroy (Henry)
- Fix mmap size check (Zhenyu)

Signed-off-by: Jani Nikula <jani.nikula@intel.com>
From: Zhenyu Wang <zhenyuw@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190117074604.GI18272@zhen-hp.sh.intel.com
2019-01-17 11:49:51 +02:00
Linus Torvalds
7fbfee7c80 Merge branch 'fixes-v5.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem fixes from James Morris:
 "Fixes for the security subsystem.

  The first (by Casey actually - it's misattributed) fixes a regression
  introduced with the LSM stacking changes"

* 'fixes-v5.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  LSM: Check for NULL cred-security on free
  Yama: Check for pid death before checking ancestry
  seccomp: fix UAF in user-trap code
2019-01-17 16:54:58 +12:00
James Morris
a5795fd38e LSM: Check for NULL cred-security on free
From: Casey Schaufler <casey@schaufler-ca.com>

Check that the cred security blob has been set before trying
to clean it up. There is a case during credential initialization
that could result in this.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
Reported-by: syzbot+69ca07954461f189e808@syzkaller.appspotmail.com
2019-01-16 15:41:11 -08:00
David Francis
35dad45d5c drm/amd/display: Detach backlight from stream
[Why]
Backlight is conceptually a property of links, not streams.
All backlight programming is done on links, but there is a
stream property bl_pwm_level that is used to restore backlight
on dpms on and s3 resume.  This is unnecessary, as backlight
is already restored by hardware with no driver intervention.

[How]
Remove bl_pwm_level, and the stream argument to set_backlight

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=109375
Signed-off-by: David Francis <David.Francis@amd.com>
Reviewed-by: Harry Wentland <Harry.Wentland@amd.com>
Acked-by: Anthony Koo <Anthony.Koo@amd.com>
Acked-by: Leo Li <sunpeng.li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 923fe49512)
2019-01-16 17:11:47 -05:00
Kees Cook
9474f4e7cd Yama: Check for pid death before checking ancestry
It's possible that a pid has died before we take the rcu lock, in which
case we can't walk the ancestry list as it may be detached. Instead, check
for death first before doing the walk.

Reported-by: syzbot+a9ac39bf55329e206219@syzkaller.appspotmail.com
Fixes: 2d514487fa ("security: Yama LSM")
Cc: stable@vger.kernel.org
Suggested-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.morris@microsoft.com>
2019-01-16 12:00:56 -08:00
Jerome Brunet
3705add0b7 dt-bindings: reset: meson-axg: fix SPDX license id
As reported, the SPDX license id is not placed correctly and the variant
of the BSD License used should be specified.

Fixes: c16292578f ("dt-bindings: reset: Add bindings for the Meson-AXG SoC Reset Controller")
Reported-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Rob Herring <robh@kernel.org>
2019-01-16 12:50:27 -06:00
Krzysztof Kozlowski
9eac0ae168 dt-bindings: soc: qcom: Fix trivial language typos
Fix few trivial language typos in bindings.

Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Rob Herring <robh@kernel.org>
2019-01-16 12:50:27 -06:00
Otto Sabart
889f4ce60e doc: gpio-mvebu: fix broken reference to cp110-system-controller0.txt file
The cp110-system-controller0.txt file was renamed to
cp110-system-controller.txt.

Fixes: 4aa5496980 ("dt-bindings: cp110: rename cp110 syscon file")
Signed-off-by: Otto Sabart <ottosabart@seberm.com>
Signed-off-by: Rob Herring <robh@kernel.org>
2019-01-16 12:50:27 -06:00
Julia Lawall
28b170e88b OF: properties: add missing of_node_put
Add an of_node_put when the result of of_graph_get_remote_port_parent is
not available.

The semantic match that finds this problem is as follows
(http://coccinelle.lip6.fr):

// <smpl>
@r exists@
local idexpression e;
expression x;
@@
e = of_graph_get_remote_port_parent(...);
... when != x = e
    when != true e == NULL
    when != of_node_put(e)
    when != of_fwnode_handle(e)
(
return e;
|
*return ...;
)
// </smpl>

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Cc: stable@vger.kernel.org
Signed-off-by: Rob Herring <robh@kernel.org>
2019-01-16 12:49:53 -06:00
Christoph Hellwig
227a76b647 swiotlb: clear io_tlb_start and io_tlb_end in swiotlb_exit
Otherwise is_swiotlb_buffer will return false positives when
we first initialize a swiotlb buffer, but then free it because
we have an IOMMU available.

Fixes: 55897af630 ("dma-direct: merge swiotlb_dma_ops into the dma_direct code")
Reported-by: Sibren Vasse <sibren@sibrenvasse.nl>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Tested-by: Sibren Vasse <sibren@sibrenvasse.nl>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2019-01-16 09:59:17 -05:00
Masahiro Yamada
be3bb599d8 ia64: remove redundant 'export AWK'
This is exported by the top Makefile.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
2019-01-16 23:31:18 +09:00
Masahiro Yamada
b421b8a6cb kbuild: remove unused archmrproper
No one uses archmrproper.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
2019-01-16 23:31:17 +09:00
Linus Torvalds
47bfa6d9dc selinux/stable-5.0 PR 20190115
-----BEGIN PGP SIGNATURE-----
 
 iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAlw+Wt4UHHBhdWxAcGF1
 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXOY3BAAmt/SYdllI8fVgDruU8hK8y0OLSYS
 fuCNN4kzrcKl7O2/eh1r6Db6mV/1aMKDFvQAhVj/bZbRXy1IsphRSgJE8AMpeTB/
 ZWLiFWybpq37/TwTVarH/NH9qbjJ3KWouqkfmlgaLW6Jk/JfFGof44UVObEShwIJ
 pS95qnQ5JNSYEDZE3CDBQhhUpXgc29re6GgbiYRAwAqjY5DY9Rg4foPiWfOx6iZt
 DYx1f7rK3IQS383ZpFoe8dRDSypdVlcYwtyPkQN9GUOn9XkhsFN7yX35RfIUuZNn
 887LYNnkuqKFkTPxzaIsSNbp7cMI2X+IbQCzs6SXCH6Klb7ZQ9wzse/y3N7zV6DL
 DvniUBPIztkpmYQjsCYPxcSiGOOj/0ObyH6YULTFKij7iwYRYX3UJchoty2XWFkc
 UU3xYLG4grk7CAQBHqXRA6neKR70nehrCgJfIeDO6c6kYvAzQ9TJ9pc32bcPNVca
 avPB/8Y00SfQzkazfdIFB2NKYrr5sSsmAScibFlf9JubSSkO2OeOBwHbpjJI5REz
 ZnowzJovTjZXMgYXDKTOp1EHrhDSNI0vvrf1SiumtB4Lnwto5PLSzDzK/leavz4i
 S5Fw/afsacXNG+GM3lQvyB6mUkHtK2EoKYE4GGmb3/ip2UusLbu67ldEI6QecFEN
 cQmeJpf6ILW8qxw=
 =hMwM
 -----END PGP SIGNATURE-----

Merge tag 'selinux-pr-20190115' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull SELinux fix from Paul Moore:
 "One small patch to fix a potential NULL dereference on a failed
  SELinux policy load"

* tag 'selinux-pr-20190115' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: fix GPF on invalid policy
2019-01-16 17:06:39 +12:00
Julia Lawall
4bb0e6d725
drm/sun4i: backend: add missing of_node_puts
The device node iterators perform an of_node_get on each
iteration, so a jump out of the loop requires an of_node_put.

Remote and port also have augmented reference counts, so drop them
on each iteration and at the end of the function, respectively.
Remote is only used for the address it contains, not for the
contents of that address, so the reference count can be dropped
immediately.

The semantic patch that fixes the first part of this problem is
as follows (http://coccinelle.lip6.fr):

// <smpl>
@@
expression root,e;
local idexpression child;
iterator name for_each_child_of_node;
@@

 for_each_available_child_of_node(root, child) {
   ... when != of_node_put(child)
       when != e = child
+  of_node_put(child);
?  break;
   ...
}
... when != child
// </smpl>

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
Link: https://patchwork.freedesktop.org/patch/msgid/1547369264-24831-5-git-send-email-Julia.Lawall@lip6.fr
2019-01-15 21:46:10 +01:00
Tycho Andersen
a811dc6155 seccomp: fix UAF in user-trap code
On the failure path, we do an fput() of the listener fd if the filter fails
to install (e.g. because of a TSYNC race that's lost, or if the thread is
killed, etc.). fput() doesn't actually release the fd, it just ads it to a
work queue. Then the thread proceeds to free the filter, even though the
listener struct file has a reference to it.

To fix this, on the failure path let's set the private data to null, so we
know in ->release() to ignore the filter.

Reported-by: syzbot+981c26489b2d1c6316ba@syzkaller.appspotmail.com
Fixes: 6a21cc50f0 ("seccomp: add a return code to trap to userspace")
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.morris@microsoft.com>
2019-01-15 09:43:12 -08:00
Linus Torvalds
7939f8beec Andrea Righi fixed a NULL pointer dereference in trace_kprobe_create()
It is possible to trigger a NULL pointer dereference by writing an
 incorrectly formatted string to the krpobe_events file.
 -----BEGIN PGP SIGNATURE-----
 
 iIoEABYIADIWIQRRSw7ePDh/lE+zeZMp5XQQmuv6qgUCXD4L1RQccm9zdGVkdEBn
 b29kbWlzLm9yZwAKCRAp5XQQmuv6qsv7AP9nzekt94AQC2t5OQ38ph/nYGBjLc3T
 yLqFMshqUSgyVAEAgFB88fvniwLOMFyAqbfRb0+4mq1SDeThBY7TtJBzSQI=
 =+Pyh
 -----END PGP SIGNATURE-----

Merge tag 'trace-v5.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace

Pull tracing fix from Steven Rostedt:
 "Andrea Righi fixed a NULL pointer dereference in trace_kprobe_create()

  It is possible to trigger a NULL pointer dereference by writing an
  incorrectly formatted string to the krpobe_events file"

* tag 'trace-v5.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
  tracing/kprobes: Fix NULL pointer dereference in trace_kprobe_create()
2019-01-16 05:28:26 +12:00
Linus Torvalds
e8746440bf Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:

 1) Fix regression in multi-SKB responses to RTM_GETADDR, from Arthur
    Gautier.

 2) Fix ipv6 frag parsing in openvswitch, from Yi-Hung Wei.

 3) Unbounded recursion in ipv4 and ipv6 GUE tunnels, from Stefano
    Brivio.

 4) Use after free in hns driver, from Yonglong Liu.

 5) icmp6_send() needs to handle the case of NULL skb, from Eric
    Dumazet.

 6) Missing rcu read lock in __inet6_bind() when operating on mapped
    addresses, from David Ahern.

 7) Memory leak in tipc-nl_compat_publ_dump(), from Gustavo A. R. Silva.

 8) Fix PHY vs r8169 module loading ordering issues, from Heiner
    Kallweit.

 9) Fix bridge vlan memory leak, from Ido Schimmel.

10) Dev refcount leak in AF_PACKET, from Jason Gunthorpe.

11) Infoleak in ipv6_local_error(), flow label isn't completely
    initialized. From Eric Dumazet.

12) Handle mv88e6390 errata, from Andrew Lunn.

13) Making vhost/vsock CID hashing consistent, from Zha Bin.

14) Fix lack of UMH cleanup when it unexpectedly exits, from Taehee Yoo.

15) Bridge forwarding must clear skb->tstamp, from Paolo Abeni.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (87 commits)
  bnxt_en: Fix context memory allocation.
  bnxt_en: Fix ring checking logic on 57500 chips.
  mISDN: hfcsusb: Use struct_size() in kzalloc()
  net: clear skb->tstamp in bridge forwarding path
  net: bpfilter: disallow to remove bpfilter module while being used
  net: bpfilter: restart bpfilter_umh when error occurred
  net: bpfilter: use cleanup callback to release umh_info
  umh: add exit routine for UMH process
  isdn: i4l: isdn_tty: Fix some concurrency double-free bugs
  vhost/vsock: fix vhost vsock cid hashing inconsistent
  net: stmmac: Prevent RX starvation in stmmac_napi_poll()
  net: stmmac: Fix the logic of checking if RX Watchdog must be enabled
  net: stmmac: Check if CBS is supported before configuring
  net: stmmac: dwxgmac2: Only clear interrupts that are active
  net: stmmac: Fix PCI module removal leak
  tools/bpf: fix bpftool map dump with bitfields
  tools/bpf: test btf bitfield with >=256 struct member offset
  bpf: fix bpffs bitfield pretty print
  net: ethernet: mediatek: fix warning in phy_start_aneg
  tcp: change txhash on SYN-data timeout
  ...
2019-01-16 05:13:36 +12:00
Andrea Righi
8b05a3a750 tracing/kprobes: Fix NULL pointer dereference in trace_kprobe_create()
It is possible to trigger a NULL pointer dereference by writing an
incorrectly formatted string to krpobe_events (trying to create a
kretprobe omitting the symbol).

Example:

 echo "r:event_1 " >> /sys/kernel/debug/tracing/kprobe_events

That triggers this:

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
 #PF error: [normal kernel read fault]
 PGD 0 P4D 0
 Oops: 0000 [#1] SMP PTI
 CPU: 6 PID: 1757 Comm: bash Not tainted 5.0.0-rc1+ #125
 Hardware name: Dell Inc. XPS 13 9370/0F6P3V, BIOS 1.5.1 08/09/2018
 RIP: 0010:kstrtoull+0x2/0x20
 Code: 28 00 00 00 75 17 48 83 c4 18 5b 41 5c 5d c3 b8 ea ff ff ff eb e1 b8 de ff ff ff eb da e8 d6 36 bb ff 66 0f 1f 44 00 00 31 c0 <80> 3f 2b 55 48 89 e5 0f 94 c0 48 01 c7 e8 5c ff ff ff 5d c3 66 2e
 RSP: 0018:ffffb5d482e57cb8 EFLAGS: 00010246
 RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff82b12720
 RDX: ffffb5d482e57cf8 RSI: 0000000000000000 RDI: 0000000000000000
 RBP: ffffb5d482e57d70 R08: ffffa0c05e5a7080 R09: ffffa0c05e003980
 R10: 0000000000000000 R11: 0000000040000000 R12: ffffa0c04fe87b08
 R13: 0000000000000001 R14: 000000000000000b R15: ffffa0c058d749e1
 FS:  00007f137c7f7740(0000) GS:ffffa0c05e580000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000000 CR3: 0000000497d46004 CR4: 00000000003606e0
 Call Trace:
  ? trace_kprobe_create+0xb6/0x840
  ? _cond_resched+0x19/0x40
  ? _cond_resched+0x19/0x40
  ? __kmalloc+0x62/0x210
  ? argv_split+0x8f/0x140
  ? trace_kprobe_create+0x840/0x840
  ? trace_kprobe_create+0x840/0x840
  create_or_delete_trace_kprobe+0x11/0x30
  trace_run_command+0x50/0x90
  trace_parse_run_command+0xc1/0x160
  probes_write+0x10/0x20
  __vfs_write+0x3a/0x1b0
  ? apparmor_file_permission+0x1a/0x20
  ? security_file_permission+0x31/0xf0
  ? _cond_resched+0x19/0x40
  vfs_write+0xb1/0x1a0
  ksys_write+0x55/0xc0
  __x64_sys_write+0x1a/0x20
  do_syscall_64+0x5a/0x120
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fix by doing the proper argument checks in trace_kprobe_create().

Cc: Ingo Molnar <mingo@redhat.com>
Link: https://lore.kernel.org/lkml/20190111095108.b79a2ee026185cbd62365977@kernel.org
Link: http://lkml.kernel.org/r/20190111060113.GA22841@xps-13
Fixes: 6212dd2968 ("tracing/kprobes: Use dyn_event framework for kprobe events")
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Andrea Righi <righi.andrea@gmail.com>
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
2019-01-15 11:33:45 -05:00
Michel Dänzer
92b0730eaf Revert "drm/amdgpu: validate user pitch alignment"
The check turned out to be too strict in some cases.

Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
2019-01-15 11:14:25 -05:00
Alex Deucher
25ec429e86 Revert "drm/amdgpu: validate user GEM object size"
It was at the same time too strict (for linear tiling modes, where no
height alignment is required) and too lenient (for 2D tiling modes,
where height may need to be aligned to values > 8).

Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
2019-01-15 11:14:21 -05:00
Neil Armstrong
ce0210c124 drm/meson: Fix atomic mode switching regression
Since commit 2bcd3ecab7 when switching mode from X11 (ubuntu mate for
example) the display gets blurry, looking like an invalid framebuffer width.

This commit fixed atomic crtc modesetting in a totally wrong way and
introduced a local unnecessary ->enabled crtc state.

This commit reverts the crctc _begin() and _enable() changes and simply
adds drm_atomic_helper_commit_tail_rpm as helper.

Reported-by: Tony McKahan <tonymckahan@gmail.com>
Suggested-by: Daniel Vetter <daniel@ffwll.ch>
Fixes: 2bcd3ecab7 ("drm/meson: Fixes for drm_crtc_vblank_on/off support")
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
[narmstrong: fixed blank line issue from checkpatch]
Link: https://patchwork.freedesktop.org/patch/msgid/20190114153118.8024-1-narmstrong@baylibre.com
2019-01-15 13:21:32 +01:00
Zhenyu Wang
51b00d8509 drm/i915/gvt: Fix mmap range check
This is to fix missed mmap range check on vGPU bar2 region
and only allow to map vGPU allocated GMADDR range, which means
user space should support sparse mmap to get proper offset for
mmap vGPU aperture. And this takes care of actual pgoff in mmap
request as original code always does from beginning of vGPU
aperture.

Fixes: 659643f7d8 ("drm/i915/gvt/kvmgt: add vfio/mdev support to KVMGT")
Cc: "Monroy, Rodrigo Axel" <rodrigo.axel.monroy@intel.com>
Cc: "Orrala Contreras, Alfredo" <alfredo.orrala.contreras@intel.com>
Cc: stable@vger.kernel.org # v4.10+
Reviewed-by: Hang Yuan <hang.yuan@intel.com>
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
2019-01-15 19:04:45 +08:00
Hang Yuan
6c2d0f9976 drm/i915/gvt: free VFIO region space in vgpu detach
VFIO region space is allocated when one region is registered for
one vgpu. So free the space when destroy the vgpu.

Also change the parameter of detach_vgpu callback to use vgpu directly.

Fixes: b851adeac0 ("drm/i915/gvt: Add opregion support")
Reviewed-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Hang Yuan <hang.yuan@linux.intel.com>
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
2019-01-15 18:28:15 +08:00
Ming Lei
fe76fc6aaf sbitmap: Protect swap_lock from hardirq
Because we may call blk_mq_get_driver_tag() directly from
blk_mq_dispatch_rq_list() without holding any lock, then HARDIRQ may
come and the above DEADLOCK is triggered.

Commit ab53dcfb3e7b ("sbitmap: Protect swap_lock from hardirq") tries to
fix this issue by using 'spin_lock_bh', which isn't enough because we
complete request from hardirq context direclty in case of multiqueue.

Cc: Clark Williams <williams@redhat.com>
Fixes: ab53dcfb3e7b ("sbitmap: Protect swap_lock from hardirq")
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-01-15 16:29:57 +12:00
Jason Gunthorpe
d6f4a21f30 RDMA/uverbs: Mark ioctl responses with UVERBS_ATTR_F_VALID_OUTPUT
When the ioctl interface for the write commands was introduced it did
not mark the core response with UVERBS_ATTR_F_VALID_OUTPUT. This causes
rdma-core in userspace to not mark the buffers as written for valgrind.

Along the same lines it turns out we have always missed marking the driver
data. Fixing both of these makes valgrind work properly with rdma-core and
ioctl.

Fixes: 4785860e04 ("RDMA/uverbs: Implement an ioctl that can call write and write_ex handlers")
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Reviewed-by: Artemy Kovalyov <artemyko@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
2019-01-14 14:02:22 -07:00
Nicholas Kazlauskas
ae1cf20df7 drm/amd/display: Fix disabled cursor on top screen edge
[Why]
The cursor vanishes when touching the top of edge of the screen for
Raven on Linux.

This occurs because the cursor height is not taken into account when
deciding to disable the cursor.

[How]
Factor in the cursor height into the cursor calculations - and mimic
the existing x position calculations.

Fixes: 94a4ffd1d4 ("drm/amd/display: fix PIP bugs on Dal3")

Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Reviewed-by: Harry Wentland <Harry.Wentland@amd.com>
Acked-by: Leo Li <sunpeng.li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
2019-01-14 16:01:52 -05:00