Skip to content
Snippets Groups Projects
  1. Jun 03, 2018
  2. Jun 02, 2018
  3. Jun 01, 2018
  4. May 31, 2018
    • Linus Torvalds's avatar
      Merge tag 'platform-drivers-x86-v4.17-4' of git://git.infradead.org/linux-platform-drivers-x86 · dd52cb87
      Linus Torvalds authored
      Pull x86 platform driver fix from Andy Shevchenko:
       "Fix NULL pointer dereference in asus-wmi on rfkill cleanup.
      
        The effective change is just one new condition - two lines of code.
        But it required moving one static helper function, which is why the
        diff looks a bit bigger"
      
      * tag 'platform-drivers-x86-v4.17-4' of git://git.infradead.org/linux-platform-drivers-x86:
        platform/x86: asus-wmi: Fix NULL pointer dereference
      dd52cb87
    • João Paulo Rechi Vita's avatar
      platform/x86: asus-wmi: Fix NULL pointer dereference · 32ffd6e8
      João Paulo Rechi Vita authored
      Do not perform the rfkill cleanup routine when
      (asus->driver->wlan_ctrl_by_user && ashs_present()) is true, since
      nothing is registered with the rfkill subsystem in that case. Doing so
      leads to the following kernel NULL pointer dereference:
      
        BUG: unable to handle kernel NULL pointer dereference at           (null)
        IP: [<ffffffff816c7348>] __mutex_lock_slowpath+0x98/0x120
        PGD 1a3aa8067
        PUD 1a3b3d067
        PMD 0
      
        Oops: 0002 [#1] PREEMPT SMP
        Modules linked in: bnep ccm binfmt_misc uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core hid_a4tech videodev x86_pkg_temp_thermal intel_powerclamp coretemp ath3k btusb btrtl btintel bluetooth kvm_intel snd_hda_codec_hdmi kvm snd_hda_codec_realtek snd_hda_codec_generic irqbypass crc32c_intel arc4 i915 snd_hda_intel snd_hda_codec ath9k ath9k_common ath9k_hw ath i2c_algo_bit snd_hwdep mac80211 ghash_clmulni_intel snd_hda_core snd_pcm snd_timer cfg80211 ehci_pci xhci_pci drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm xhci_hcd ehci_hcd asus_nb_wmi(-) asus_wmi sparse_keymap r8169 rfkill mxm_wmi serio_raw snd mii mei_me lpc_ich i2c_i801 video soundcore mei i2c_smbus wmi i2c_core mfd_core
        CPU: 3 PID: 3275 Comm: modprobe Not tainted 4.9.34-gentoo #34
        Hardware name: ASUSTeK COMPUTER INC. K56CM/K56CM, BIOS K56CM.206 08/21/2012
        task: ffff8801a639ba00 task.stack: ffffc900014cc000
        RIP: 0010:[<ffffffff816c7348>]  [<ffffffff816c7348>] __mutex_lock_slowpath+0x98/0x120
        RSP: 0018:ffffc900014cfce0  EFLAGS: 00010282
        RAX: 0000000000000000 RBX: ffff8801a54315b0 RCX: 00000000c0000100
        RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8801a54315b4
        RBP: ffffc900014cfd30 R08: 0000000000000000 R09: 0000000000000002
        R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801a54315b4
        R13: ffff8801a639ba00 R14: 00000000ffffffff R15: ffff8801a54315b8
        FS:  00007faa254fb700(0000) GS:ffff8801aef80000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000000000000 CR3: 00000001a3b1b000 CR4: 00000000001406e0
        Stack:
         ffff8801a54315b8 0000000000000000 ffffffff814733ae ffffc900014cfd28
         ffffffff8146a28c ffff8801a54315b0 0000000000000000 ffff8801a54315b0
         ffff8801a66f3820 0000000000000000 ffffc900014cfd48 ffffffff816c73e7
        Call Trace:
         [<ffffffff814733ae>] ? acpi_ut_release_mutex+0x5d/0x61
         [<ffffffff8146a28c>] ? acpi_ns_get_node+0x49/0x52
         [<ffffffff816c73e7>] mutex_lock+0x17/0x30
         [<ffffffffa00a3bb4>] asus_rfkill_hotplug+0x24/0x1a0 [asus_wmi]
         [<ffffffffa00a4421>] asus_wmi_rfkill_exit+0x61/0x150 [asus_wmi]
         [<ffffffffa00a49f1>] asus_wmi_remove+0x61/0xb0 [asus_wmi]
         [<ffffffff814a5128>] platform_drv_remove+0x28/0x40
         [<ffffffff814a2901>] __device_release_driver+0xa1/0x160
         [<ffffffff814a29e3>] device_release_driver+0x23/0x30
         [<ffffffff814a1ffd>] bus_remove_device+0xfd/0x170
         [<ffffffff8149e5a9>] device_del+0x139/0x270
         [<ffffffff814a5028>] platform_device_del+0x28/0x90
         [<ffffffff814a50a2>] platform_device_unregister+0x12/0x30
         [<ffffffffa00a4209>] asus_wmi_unregister_driver+0x19/0x30 [asus_wmi]
         [<ffffffffa00da0ea>] asus_nb_wmi_exit+0x10/0xf26 [asus_nb_wmi]
         [<ffffffff8110c692>] SyS_delete_module+0x192/0x270
         [<ffffffff810022b2>] ? exit_to_usermode_loop+0x92/0xa0
         [<ffffffff816ca560>] entry_SYSCALL_64_fastpath+0x13/0x94
        Code: e8 5e 30 00 00 8b 03 83 f8 01 0f 84 93 00 00 00 48 8b 43 10 4c 8d 7b 08 48 89 63 10 41 be ff ff ff ff 4c 89 3c 24 48 89 44 24 08 <48> 89 20 4c 89 6c 24 10 eb 1d 4c 89 e7 49 c7 45 08 02 00 00 00
        RIP  [<ffffffff816c7348>] __mutex_lock_slowpath+0x98/0x120
         RSP <ffffc900014cfce0>
        CR2: 0000000000000000
        ---[ end trace 8d484233fa7cb512 ]---
        note: modprobe[3275] exited with preempt_count 2
      
      https://bugzilla.kernel.org/show_bug.cgi?id=196467
      
      
      
      Reported-by: default avatar <red.f0xyz@gmail.com>
      Signed-off-by: default avatarJoão Paulo Rechi Vita <jprvita@endlessm.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      32ffd6e8
    • Darrick J. Wong's avatar
      fs: clear writeback errors in inode_init_always · 829bc787
      Darrick J. Wong authored
      
      In inode_init_always(), we clear the inode mapping flags, which clears
      any retained error (AS_EIO, AS_ENOSPC) bits.  Unfortunately, we do not
      also clear wb_err, which means that old mapping errors can leak through
      to new inodes.
      
      This is crucial for the XFS inode allocation path because we recycle old
      in-core inodes and we do not want error state from an old file to leak
      into the new file.  This bug was discovered by running generic/036 and
      generic/047 in a loop and noticing that the EIOs generated by the
      collision of direct and buffered writes in generic/036 would survive the
      remount between 036 and 047, and get reported to the fsyncs (on
      different files!) in generic/047.
      
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Reviewed-by: default avatarJeff Layton <jlayton@kernel.org>
      Reviewed-by: default avatarBrian Foster <bfoster@redhat.com>
      829bc787
    • Dave Airlie's avatar
      Merge tag 'drm-misc-fixes-2018-05-30' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes · 0e333751
      Dave Airlie authored
      dw-hdmi: Fix Oops regression from rc1 (Neil)
      
      Cc: Neil Armstrong <narmstrong@baylibre.com>
      
      * tag 'drm-misc-fixes-2018-05-30' of git://anongit.freedesktop.org/drm/drm-misc:
        drm/bridge/synopsys: dw-hdmi: fix dw_hdmi_setup_rx_sense
      0e333751
    • Linus Torvalds's avatar
      Merge tag 'for-linus-20180530' of git://git.kernel.dk/linux-block · 88a86765
      Linus Torvalds authored
      Pull block fix from Jens Axboe:
       "Just a single fix that should make it into this release, fixing a
        regression with T10-DIF on NVMe"
      
      * tag 'for-linus-20180530' of git://git.kernel.dk/linux-block:
        nvme: fix extended data LBA supported setting
      88a86765
    • Linus Torvalds's avatar
      Merge tag 'selinux-pr-20180530' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux · 943cf9f3
      Linus Torvalds authored
      Pull SELinux fix from Paul Moore:
       "One more small fix for SELinux: a small string length fix found by
        KASAN.
      
        I dislike sending patches this late in the release cycle, but this
        patch fixes a legitimate problem, is very small, limited in scope, and
        well understood.
      
        There are two threads with more information on the problem, the latest
        is linked below:
      
          https://marc.info/?t=152723737400001&r=1&w=2
      
        Stephen points out in the thread linked above:
      
         'Such a setxattr() call can only be performed by a process with
          CAP_MAC_ADMIN that is also allowed mac_admin permission in SELinux
          policy. Consequently, this is never possible on Android (no process
          is allowed mac_admin permission, always enforcing) and is only
          possible in Fedora/RHEL for a few domains (if enforcing)'"
      
      * tag 'selinux-pr-20180530' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
        selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
      943cf9f3
    • Linus Torvalds's avatar
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · c462f16b
      Linus Torvalds authored
      Pull crypto fix from Herbert Xu:
       "This fixes a potential kernel panic in the inside-secure driver"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: inside-secure - do not use memset on MMIO
      c462f16b
    • Neil Armstrong's avatar
      drm/bridge/synopsys: dw-hdmi: fix dw_hdmi_setup_rx_sense · c32048d9
      Neil Armstrong authored
      
      The dw_hdmi_setup_rx_sense exported function should not use struct device
      to recover the dw-hdmi context using drvdata, but take struct dw_hdmi
      directly like other exported functions.
      
      This caused a regression using Meson DRM on S905X since v4.17-rc1 :
      
      Internal error: Oops: 96000007 [#1] PREEMPT SMP
      [...]
      CPU: 0 PID: 124 Comm: irq/32-dw_hdmi_ Not tainted 4.17.0-rc7 #2
      Hardware name: Libre Technology CC (DT)
      [...]
      pc : osq_lock+0x54/0x188
      lr : __mutex_lock.isra.0+0x74/0x530
      [...]
      Process irq/32-dw_hdmi_ (pid: 124, stack limit = 0x00000000adf418cb)
      Call trace:
        osq_lock+0x54/0x188
        __mutex_lock_slowpath+0x10/0x18
        mutex_lock+0x30/0x38
        __dw_hdmi_setup_rx_sense+0x28/0x98
        dw_hdmi_setup_rx_sense+0x10/0x18
        dw_hdmi_top_thread_irq+0x2c/0x50
        irq_thread_fn+0x28/0x68
        irq_thread+0x10c/0x1a0
        kthread+0x128/0x130
        ret_from_fork+0x10/0x18
       Code: 34000964 d00050a2 51000484 9135c042 (f864d844)
       ---[ end trace 945641e1fbbc07da ]---
       note: irq/32-dw_hdmi_[124] exited with preempt_count 1
       genirq: exiting task "irq/32-dw_hdmi_" (124) is an active IRQ thread (irq 32)
      
      Fixes: eea034af ("drm/bridge/synopsys: dw-hdmi: don't clobber drvdata")
      Signed-off-by: default avatarNeil Armstrong <narmstrong@baylibre.com>
      Tested-by: default avatarKoen Kooi <koen@dominion.thruhere.net>
      Signed-off-by: default avatarSean Paul <seanpaul@chromium.org>
      Link: https://patchwork.freedesktop.org/patch/msgid/1527673438-20643-1-git-send-email-narmstrong@baylibre.com
      c32048d9
  5. May 30, 2018
  6. May 29, 2018
    • Linus Torvalds's avatar
      Merge tag 'trace-v4.17-rc4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 3d661e2a
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
       "While writing selftests for a new feature, I triggered two existing
        bugs that deal with triggers and instances.
      
         - a generic trigger bug where the triggers are not removed from a
           linked list properly when deleting an instance.
      
         - a bug specific to snapshots, where the snapshot is done in the top
           level buffer, when it is supposed to snapshot the buffer associated
           to the instance the snapshot trigger exists in"
      
      * tag 'trace-v4.17-rc4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing: Make the snapshot trigger work with instances
        tracing: Fix crash when freeing instances with event triggers
      3d661e2a
    • Chris Wilson's avatar
      drm/i915/query: nospec expects no more than an unsigned long · 65b3bdc8
      Chris Wilson authored
      
      nospec quite reasonably asserts that it will never be used with an index
      larger than unsigned long (that being the largest possibly index into an
      C array). However, our ubi uses the convention of u64 for any large
      integer, running afoul of the assertion on 32b. Reduce our index to an
      unsigned long, checking for type overflow first.
      
        drivers/gpu/drm/i915/i915_query.c: In function 'i915_query_ioctl':
        include/linux/compiler.h:339:38: error: call to '__compiletime_assert_119' declared with attribute error: BUILD_BUG_ON failed: sizeof(_s) > sizeof(long)
      
      Reported-by: default avatar <kbuild-all@01.org>
      Fixes: 84b510e2 ("drm/i915/query: Protect tainted function pointer lookup")
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
      Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
      Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
      Reviewed-by: default avatarLionel Landwerlin <lionel.g.landwerlin@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20180522121018.15199-1-chris@chris-wilson.co.uk
      
      
      (cherry picked from commit a33b1dc8)
      Signed-off-by: default avatarJoonas Lahtinen <joonas.lahtinen@linux.intel.com>
      65b3bdc8
    • Bart Van Assche's avatar
      scsi: scsi_transport_srp: Fix shost to rport translation · c9ddf734
      Bart Van Assche authored
      
      Since an SRP remote port is attached as a child to shost->shost_gendev
      and as the only child, the translation from the shost pointer into an
      rport pointer must happen by looking up the shost child that is an
      rport. This patch fixes the following KASAN complaint:
      
      BUG: KASAN: slab-out-of-bounds in srp_timed_out+0x57/0x110 [scsi_transport_srp]
      Read of size 4 at addr ffff880035d3fcc0 by task kworker/1:0H/19
      
      CPU: 1 PID: 19 Comm: kworker/1:0H Not tainted 4.16.0-rc3-dbg+ #1
      Workqueue: kblockd blk_mq_timeout_work
      Call Trace:
      dump_stack+0x85/0xc7
      print_address_description+0x65/0x270
      kasan_report+0x231/0x350
      srp_timed_out+0x57/0x110 [scsi_transport_srp]
      scsi_times_out+0xc7/0x3f0 [scsi_mod]
      blk_mq_terminate_expired+0xc2/0x140
      bt_iter+0xbc/0xd0
      blk_mq_queue_tag_busy_iter+0x1c7/0x350
      blk_mq_timeout_work+0x325/0x3f0
      process_one_work+0x441/0xa50
      worker_thread+0x76/0x6c0
      kthread+0x1b2/0x1d0
      ret_from_fork+0x24/0x30
      
      Fixes: e68ca752 ("scsi_transport_srp: Reduce failover time")
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@wdc.com>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: Johannes Thumshirn <jthumshirn@suse.de>
      Cc: Jason Gunthorpe <jgg@mellanox.com>
      Cc: Doug Ledford <dledford@redhat.com>
      Cc: Laurence Oberman <loberman@redhat.com>
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      c9ddf734
    • Steven Rostedt (VMware)'s avatar
      tracing: Make the snapshot trigger work with instances · 2824f503
      Steven Rostedt (VMware) authored
      
      The snapshot trigger currently only affects the main ring buffer, even when
      it is used by the instances. This can be confusing as the snapshot trigger
      is listed in the instance.
      
       > # cd /sys/kernel/tracing
       > # mkdir instances/foo
       > # echo snapshot > instances/foo/events/syscalls/sys_enter_fchownat/trigger
       > # echo top buffer > trace_marker
       > # echo foo buffer > instances/foo/trace_marker
       > # touch /tmp/bar
       > # chown rostedt /tmp/bar
       > # cat instances/foo/snapshot
       # tracer: nop
       #
       #
       # * Snapshot is freed *
       #
       # Snapshot commands:
       # echo 0 > snapshot : Clears and frees snapshot buffer
       # echo 1 > snapshot : Allocates snapshot buffer, if not already allocated.
       #                      Takes a snapshot of the main buffer.
       # echo 2 > snapshot : Clears snapshot buffer (but does not allocate or free)
       #                      (Doesn't have to be '2' works with any number that
       #                       is not a '0' or '1')
      
       > # cat snapshot
       # tracer: nop
       #
       #                              _-----=> irqs-off
       #                             / _----=> need-resched
       #                            | / _---=> hardirq/softirq
       #                            || / _--=> preempt-depth
       #                            ||| /     delay
       #           TASK-PID   CPU#  ||||    TIMESTAMP  FUNCTION
       #              | |       |   ||||       |         |
                   bash-1189  [000] ....   111.488323: tracing_mark_write: top buffer
      
      Not only did the snapshot occur in the top level buffer, but the instance
      snapshot buffer should have been allocated, and it is still free.
      
      Cc: stable@vger.kernel.org
      Fixes: 85f2b082 ("tracing: Add basic event trigger framework")
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      2824f503