Commit Graph

707227 Commits

Author SHA1 Message Date
Zi Yan
af0db981f3 mm: remove unnecessary WARN_ONCE in page_vma_mapped_walk().
A non present pmd entry can appear after pmd_lock is taken in
page_vma_mapped_walk(), even if THP migration is not enabled.  The
WARN_ONCE is unnecessary.

Link: http://lkml.kernel.org/r/20171003142606.12324-1-zi.yan@sent.com
Fixes: 616b837153 ("mm: thp: enable thp migration in generic path")
Signed-off-by: Zi Yan <zi.yan@cs.rutgers.edu>
Reported-by: Abdul Haleem <abdhalee@linux.vnet.ibm.com>
Tested-by: Abdul Haleem <abdhalee@linux.vnet.ibm.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Anshuman Khandual <khandual@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-10-13 16:18:32 -07:00
Andrey Ryabinin
de55c8b251 mm/mempolicy: fix NUMA_INTERLEAVE_HIT counter
Commit 3a321d2a3d ("mm: change the call sites of numa statistics
items") separated NUMA counters from zone counters, but the
NUMA_INTERLEAVE_HIT call site wasn't updated to use the new interface.
So alloc_page_interleave() actually increments NR_ZONE_INACTIVE_FILE
instead of NUMA_INTERLEAVE_HIT.

Fix this by using __inc_numa_state() interface to increment
NUMA_INTERLEAVE_HIT.

Link: http://lkml.kernel.org/r/20171003191003.8573-1-aryabinin@virtuozzo.com
Fixes: 3a321d2a3d ("mm: change the call sites of numa statistics items")
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Acked-by: Mel Gorman <mgorman@techsingularity.net>
Cc: Kemi Wang <kemi.wang@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-10-13 16:18:32 -07:00
Arnd Bergmann
8a1ac5dc7b include/linux/of.h: provide of_n_{addr,size}_cells wrappers for !CONFIG_OF
The pci-rcar driver is enabled for compile tests, and this has shown that
the driver cannot build without CONFIG_OF, following the inclusion of
commit f8f2fe7355 ("PCI: rcar: Use new OF interrupt mapping when possible"):

  drivers/pci/host/pcie-rcar.c: In function 'pci_dma_range_parser_init':
  drivers/pci/host/pcie-rcar.c:1039:2: error: implicit declaration of function 'of_n_addr_cells' [-Werror=implicit-function-declaration]
    parser->pna = of_n_addr_cells(node);
    ^

As pointed out by Ben Dooks and Geert Uytterhoeven, this is actually
supposed to build fine, which we can achieve if we make the declaration
of of_irq_parse_and_map_pci conditional on CONFIG_OF and provide an
empty inline function otherwise, as we do for a lot of other of
interfaces.

This lets us build the rcar_pci driver again without CONFIG_OF for build
testing.  All platforms using this driver select OF, so this doesn't
change anything for the users.

[akpm@linux-foundation.org: be consistent with surrounding code]
Link: http://lkml.kernel.org/r/20170911200805.3363318-1-arnd@arndb.de
Fixes: c25da47788 ("PCI: rcar: Add Renesas R-Car PCIe driver")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Frank Rowand <frank.rowand@sony.com>
Acked-by: Geert Uytterhoeven <geert+renesas@glider.be>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Magnus Damm <damm@opensource.se>
Cc: Ben Dooks <ben.dooks@codethink.co.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-10-13 16:18:32 -07:00
Yang Shi
c02c300932 mm/madvise.c: add description for MADV_WIPEONFORK and MADV_KEEPONFORK
mm/madvise.c has a brief description about all MADV_ flags.  Add a
description for the newly added MADV_WIPEONFORK and MADV_KEEPONFORK.

Although man page has the similar information, but it'd better to keep
the consistent with other flags.

Link: http://lkml.kernel.org/r/1506117328-88228-1-git-send-email-yang.s@alibaba-inc.com
Signed-off-by: Yang Shi <yang.s@alibaba-inc.com>
Reviewed-by: Rik van Riel <riel@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-10-13 16:18:32 -07:00
Randy Dunlap
cc3fa84045 lib/Kconfig.debug: kernel hacking menu: runtime testing: keep tests together
Expand the "Runtime testing" menu by including more entries inside it
instead of after it.  This is just Kconfig symbol movement.

This causes the (arch-independent) Runtime tests to be presented
(listed) all in one place instead of in multiple places.

Link: http://lkml.kernel.org/r/c194e5c4-2042-bf94-a2d8-7aa13756e257@infradead.org
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: "Luis R. Rodriguez" <mcgrof@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-10-13 16:18:32 -07:00
Mark Hairgrove
e20d103b6c mm/migrate: fix indexing bug (off by one) and avoid out of bound access
Index was incremented before last use and thus the second array could
dereference to an invalid address (not mentioning the fact that it did
not properly clear the entry we intended to clear).

Link: http://lkml.kernel.org/r/1506973525-16491-1-git-send-email-jglisse@redhat.com
Fixes: 8315ada7f0 ("mm/migrate: allow migrate_vma() to alloc new page on empty entry")
Signed-off-by: Mark Hairgrove <mhairgrove@nvidia.com>
Signed-off-by: Jérôme Glisse <jglisse@redhat.com>
Cc: Reza Arbab <arbab@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-10-13 16:18:32 -07:00
Linus Torvalds
997301a860 IOMMU Fixes for Linux v4.14-rc4
Three fixes:
 
 	- Keep an important data structure in the Exynos driver around
 	  after kernel-init to fix a kernel-oops
 
 	- Keep SWIOTLB enabled when SME is active in the AMD IOMMU
 	  driver
 
 	- Add a missing IOTLB sync to the AMD IOMMU driver
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABAgAGBQJZ4N1tAAoJECvwRC2XARrjcSUQAKCKqEdHdwDTFqePcKn/0PzY
 ES32fokdA1R12ssNTDc3yVMDSApQF0XdZ7Szz9BtGCvklT7ZFfL6hTyR8dfsnA6n
 MLH3j5cKJS6fnhUbK5wMKNHnsOanjkUIwROvtV5YLghKT9+Sf+YBeiv6yUfqrk+m
 7/VoY9k/TgKO9E37ji5kMCBOI+J/QZQONEbMLNR9OmKQkMEA/fvpxlSAEVin+9T0
 0eg8awtFjUZaSTfIQTEdLoc4Fw8PuftBYDNq4wYTSHII7TZ46qPQpfPdGrytd0Lp
 uQ75kYZEXvhaUpA8AvSRdoQqA0hLM76BUjL1u/78ZlitsqfEGSHvkFAirSGFtH4z
 D/NybUVAxvpclaBZy1qIITdM+odsNy8H/duJzwr1ETdhTzsZioYBenyzOgWjMd85
 zeu32dSyblLkYEDFNjbDZM2dvBjXlcQHZ3yoouD5AbSOF04ajzBoZInx2VlyqMVA
 v2Zjj/Vmetu+yiB+yWvfiCKH1mmfzMiQyHW6jf5A7M2yrqJ1471Jdo3bqwAKRvkN
 3b3H19a6dQWTDwW8eBTa46nt8Agb2miXs+mFuy6mC7iSD1b8/saoeXvJOjnwYfug
 Pb9m7m9wIWmPi47edzdWHNQMGx/LwMOjPFjfeXnn8oHMDjpYWPB82/5bFMczvOWK
 rsj7q10FbEjhoFa319I7
 =RLFr
 -----END PGP SIGNATURE-----

Merge tag 'iommu-fixes-v4.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu

Pull IOMMU fixes from Joerg Roedel:

 - keep an important data structure in the Exynos driver around after
   kernel-init to fix a kernel-oops

 - keep SWIOTLB enabled when SME is active in the AMD IOMMU driver

 - add a missing IOTLB sync to the AMD IOMMU driver

* tag 'iommu-fixes-v4.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
  iommu/amd: Finish TLB flush in amd_iommu_unmap()
  iommu/exynos: Remove initconst attribute to avoid potential kernel oops
  iommu/amd: Do not disable SWIOTLB if SME is active
2017-10-13 11:49:38 -07:00
Linus Torvalds
0c080ceee7 DeviceTree fixes for 4.14:
- Fix memory leak in error case of of_console_check
 
 - Increase number of reserved memory regions to 32. 16 was not enough on
   some Power systems.
 
 - Fix OF node refcounting for of_fwnode_graph_get_port_parent
 -----BEGIN PGP SIGNATURE-----
 
 iQItBAABCAAXBQJZ37DnEBxyb2JoQGtlcm5lbC5vcmcACgkQ+vtdtY28YcPMvxAA
 rmzCNgX5Wyh8l4Oe+dg3J641J7ggWD4dGbYejsk+fGADg+4HB57RWytVNjUa59kH
 97uyawizUdLh+w0kfGfajDWhkMu8+D9+4a5OVkUGFTCVjR6FChc/r62IxL/D+KaU
 EqMiKILZGgT0pwb6DFbQPQt3tPpH//iKvOUSgrMVr1ouM86nkSJPcYdmVNh8i90q
 l5UFDqrP1DDkB3pXV8OZF4oa9wncLg8sd9AL62sFHlMM5J+Q2Gtg6oM8yh3x3OCU
 imKdYZ2re7FZuXpzuifV8U3SGkYdlJX8QodAZxFHObgtTZLK5GVi4oj2uLUs62o0
 4dp4fKQc4ZfCnQ+hLAShta49e+Sjl/5s/Y7byI4IQrPvOEkVMVrfi+eQ5D7NSHVf
 cyLGfzpHQ8qXGC03zI6ZW+KAlEpZC8ZegiHeuTVW73tEew437TUICYKf4VBJxilu
 V4ToyyirPFzCB9NDJeOpITYIbUgGwCpcIcar80XCcZdDd5BKByY3AC4wSCLRQrwj
 /5WnWlAR1aFfAC0AYp+j8L91Ok6xqTLW5ZEgjEQGBaA4+zVfEHNlJ970CBRQf8UP
 9Xe+g8na543dXX1+b/E9ii3TW7uG5vtUGIN3cWcK0zWfs1DSB+2yoPDwhbi7oOPE
 sX/OKm/AqkD9nkyvTVYq976nA8vrfS4gYau/zhhWz+o=
 =LVMp
 -----END PGP SIGNATURE-----

Merge tag 'devicetree-fixes-for-4.14-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux

Pull DeviceTree fixes from Rob Herring:

 - Fix memory leak in error case of of_console_check

 - Increase number of reserved memory regions to 32. 16 was not enough
   on some Power systems.

 - Fix OF node refcounting for of_fwnode_graph_get_port_parent

* tag 'devicetree-fixes-for-4.14-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
  device property: preserve usecount for node passed to of_fwnode_graph_get_port_parent()
  drivers: of: increase MAX_RESERVED_REGIONS to 32
  of: do not leak console options
2017-10-13 11:44:09 -07:00
Linus Torvalds
e18e884445 powerpc fixes for 4.14 #5
A fix for a bad bug (written by me) in our livepatch handler. Removal of an
 over-zealous lockdep_assert_cpus_held() in our topology code. A fix to the
 recently added emulation of cntlz[wd]. And three small fixes to the recently
 added IMC PMU driver.
 
 Thanks to:
   Anju T Sudhakar, Balbir Singh, Kamalesh Babulal, Naveen N. Rao, Sandipan Das,
   Santosh Sivaraj, Thiago Jung Bauermann.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJZ4JXVAAoJEFHr6jzI4aWAi9MQAMBJLPG62uDmuhRY6v1MLp44
 8iVvNqTSGXuzz2c293Zo3Y8LHQ28S7f5wdwZs75fZ6GVup033pkuhL8XipFTB87m
 RzotMwJ1V1H0J7RRsDZ+QcyybwfE4GdqRHLjSU5VIUwJu7cQSIjjNWdkPUqswzXI
 g3BbNoxEOlEx31NbyNB+as7AnSvS0lLMvwB7TEy9rf3mmadN3UiAl3OJ93M/7Nm2
 qCWjCib/gUQ5U4N5STKWl62yGyvJ330OHoWdsTlHzHgYsEatQFHN8mjnW+UPN3rR
 Mz+xCIkt6PnYMdiJNXND42iwdx/7C7BR9JhQ5t6150Swfnbe+CT5nBxk2+IDKpQu
 V1rSX4S18TLQ+YCQm0wKuaQs/0EZ4kiHqUDZYVP/YQLSSYM5Ftf4W94Dwu+AZdtr
 wWX3szZxqvCZjvdT8HWQQW8vAIqpdxOkr019fjoUzcDoUIYKs3cLDJVx6CAY6n3t
 GGN3oGhffKbg1NyldDrZRDBJ+ie7gGincxlcMe1YrXDsXNum6edAhu01cUz7o9vO
 b9/fIPjWAWotS7kqWXgGfZL6vlRx3cdSh58vKaThmNAbZLaIAnPTYUynXqXZ++Nn
 bBDQUE9zwJ42ZgzYDr3bT6+9pwqPQ3w8zmOjZGB/J1ygS8k9/0gYVe1FO2N8vElM
 w5VBKl69v2RwItwHuSRJ
 =wWnt
 -----END PGP SIGNATURE-----

Merge tag 'powerpc-4.14-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux

Pull powerpc fixes from Michael Ellerman:
 "A fix for a bad bug (written by me) in our livepatch handler. Removal
  of an over-zealous lockdep_assert_cpus_held() in our topology code. A
  fix to the recently added emulation of cntlz[wd]. And three small
  fixes to the recently added IMC PMU driver.

  Thanks to: Anju T Sudhakar, Balbir Singh, Kamalesh Babulal, Naveen N.
  Rao, Sandipan Das, Santosh Sivaraj, Thiago Jung Bauermann"

* tag 'powerpc-4.14-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
  powerpc/perf: Fix IMC initialization crash
  powerpc/perf: Add ___GFP_NOWARN flag to alloc_pages_node()
  powerpc/perf: Fix for core/nest imc call trace on cpuhotplug
  powerpc: Don't call lockdep_assert_cpus_held() from arch_update_cpu_topology()
  powerpc/lib/sstep: Fix count leading zeros instructions
  powerpc/livepatch: Fix livepatch stack access
2017-10-13 11:39:28 -07:00
Linus Torvalds
3be5f884f6 xen: fixes for 4.14 rc5
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQEcBAABAgAGBQJZ4FJ0AAoJELDendYovxMvyxAH/jb1FqvfHj/WowQoREYxaPjb
 WJ8Vqj5qpeeN14jePlp6++5ceT+EHBUWGlQqEpEzaOd9Y0bkvp0tBBKpIbAiWkA8
 0LE7N/lqVSZrLuvV9vx5p4NIIQ7oVss6YeWEQ4t/ZynAT2VGrusvoL4iLSpZEVvY
 8m88P6GlbZ8mlaDeZarIP/eSFMNkoyvf9ssFysY4HsrDe80mYATGf9ZcGDbEuRs+
 QSUsaxbBee+wIWiryfD2SKjtrEucFyFIvtZr9YfElDIBiv/M6TrxxUt5w0YJWPqk
 syZIMImlEI1bgJJTJ4cObUixL1Amk7yw+slNMa8kUp0kmSbR3wRKimFYYD0JnXs=
 =7ThA
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-4.14c-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip

Pull xen fixlet from Juergen Gross:
 "A minor fix correcting the cpu hotplug name for Xen guests"

* tag 'for-linus-4.14c-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
  xen/vcpu: Use a unified name about cpu hotplug state for pv and pvhvm
2017-10-13 11:35:03 -07:00
Joerg Roedel
ce76353f16 iommu/amd: Finish TLB flush in amd_iommu_unmap()
The function only sends the flush command to the IOMMU(s),
but does not wait for its completion when it returns. Fix
that.

Fixes: 601367d76b ('x86/amd-iommu: Remove iommu_flush_domain function')
Cc: stable@vger.kernel.org # >= 2.6.33
Signed-off-by: Joerg Roedel <jroedel@suse.de>
2017-10-13 17:32:19 +02:00
Anju T Sudhakar
0d8ba16278 powerpc/perf: Fix IMC initialization crash
Panic observed with latest firmware, and upstream kernel:

 NIP init_imc_pmu+0x8c/0xcf0
 LR  init_imc_pmu+0x2f8/0xcf0
 Call Trace:
   init_imc_pmu+0x2c8/0xcf0 (unreliable)
   opal_imc_counters_probe+0x300/0x400
   platform_drv_probe+0x64/0x110
   driver_probe_device+0x3d8/0x580
   __driver_attach+0x14c/0x1a0
   bus_for_each_dev+0x8c/0xf0
   driver_attach+0x34/0x50
   bus_add_driver+0x298/0x350
   driver_register+0x9c/0x180
   __platform_driver_register+0x5c/0x70
   opal_imc_driver_init+0x2c/0x40
   do_one_initcall+0x64/0x1d0
   kernel_init_freeable+0x280/0x374
   kernel_init+0x24/0x160
   ret_from_kernel_thread+0x5c/0x74

While registering nest imc at init, cpu-hotplug callback
nest_pmu_cpumask_init() makes an OPAL call to stop the engine. And if
the OPAL call fails, imc_common_cpuhp_mem_free() is invoked to cleanup
memory and cpuhotplug setup.

But when cleaning up the attribute group, we are dereferencing the
attribute element array without checking whether the backing element
is not NULL. This causes the kernel panic.

Add a check for the backing element prior to dereferencing the
attribute element, to handle the failing case gracefully.

Signed-off-by: Anju T Sudhakar <anju@linux.vnet.ibm.com>
Reported-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com>
[mpe: Trim change log]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2017-10-13 20:08:40 +11:00
Linus Torvalds
3d7882769b Device properties framework fixes for v4.14-rc5
- Fix a device properties management issue, introduced during the
    4.9 cycle, that causes device properties associated with a
    parent device to go away on a removal of its child in some
    cases (Jarkko Nikula).
 
  - Fix inconsistencies in error codes returned by a new function
    helper in the device properties framework depending on the
    underlying low-level firmware interface, DT or ACPI, by making the
    meaning of error codes returned in the ACPI case agree with the
    meaning of DT error codes in analogous situations (Sakari Ailus).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJZ3+/jAAoJEILEb/54YlRxRyIP/1i/tz2SIMIusuIc2gdgdDJn
 OTVQ1jWMl1psn83Ef77WO68yLdopRH2Jv5PT3NoY4IwOfT7jGpuZGqTqoSIHte71
 0KeJTbHwjZMgeMz8bbKLFxWqyA17kj37R/ed8/ki9fb6EKG7CKdOGqvoKnKB9Cha
 ZZHravo3te4tECTuUWWwJNqiqdDpOOfRu4GMfRWJz17MW+0rFCu2aDbP2C0shDVc
 OQuhonBJ2YHykfsRPoQ9lANXn+nQCvo2qVGwmiWh3ooMSu0Q3Yknw5et/bHpbLnH
 xrcAuX/jT9A2FFZvPI5GI1DpF7sYOet7dPFV0KO2kapNN8BQm0sWANPqUUdJuhlg
 hp/qHIMAd3gj4lQLdbq7yDA2NxDI4XghVryktY5Iiyu5clJv/hgK1QoNPL23tbg6
 A+aq1P3z/kFmzHDvVJpY7o3gcxpiwspwQ0azdO50QTqqjhAa70S+O3I+skH/hzFn
 U76oUZS9xcElJbIjFEhj9ZSJZ8fDh5eT5o7xqhyNcX2756GrUdZ4T8mPTl8T4jCK
 TLaErPNfSMgnfkcUPfdJKpVdaYmaqJNSMMCPIHaCE4i0aE6w6SyACqK2VboKCnB9
 RTSZFcC38pSJ9YASU4zC3BOxH8U6VwVEvMRKMCROkNjGf8r0YVRo8niCjuWT9hdP
 bCn8zTAC6Wa1YPDOB530
 =gO65
 -----END PGP SIGNATURE-----

Merge tag 'devprop-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull device properties framework fixes from Rafael Wysocki:
 "These fix an issue related to device removal introduced during the 4.9
  cycle and fix up new functionality added recently.

  Specifics:

   - Fix a device properties management issue, introduced during the 4.9
     cycle, that causes device properties associated with a parent
     device to go away on a removal of its child in some cases (Jarkko
     Nikula).

   - Fix inconsistencies in error codes returned by a new function
     helper in the device properties framework depending on the
     underlying low-level firmware interface, DT or ACPI, by making the
     meaning of error codes returned in the ACPI case agree with the
     meaning of DT error codes in analogous situations (Sakari Ailus)"

* tag 'devprop-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  ACPI: properties: Fix __acpi_node_get_property_reference() return codes
  ACPI: properties: Align return codes of __acpi_node_get_property_reference()
  device property: Track owner device of device property
2017-10-12 17:37:23 -07:00
Linus Torvalds
8ff0b97cf2 Changes since last update:
- Fix a stale kernel memory exposure when logging inodes.
 - Fix some build problems with CONFIG_XFS_RT=n
 - Don't change inode mode if the acl write fails, leaving the file totally
   inaccessible.
 - Fix a dangling pointer problem when removing an attr fork under memory
   pressure.
 - Don't crash while trying to invalidate a null buffer associated with a
   corrupt metadata pointer.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCgAGBQJZ3lPiAAoJEPh/dxk0SrTrfuMP/Axy7VSX71tE/eXPOmzxCVZD
 w4/usqO+OsQj+q8o+rwwuX9hz0VGF8kWZJOdgGdXpYT7pWqPmcf88wbThheTetLF
 fjevusqva0Ds+U4AE7DCNWSKQQRhu2jDgnhQXTv1hdYhWIF59qGwioIijbEvb72I
 0QW+/uV9yXmODjWL6KfRh9zRT9N4npMtszukScONwJr9t0/5ub8H03H/ktv8T9oi
 C3ljEWwyMk5lEYH8p6tpta8EbY0mrIZgo+kj33PU5s9rHvcrTGtyPNqidREUm1fL
 X3+STMytcDQFAcZdBBXHN0nFMwa8ADTrVvKmEgaR8OsXmOmrlcPn7HfVVlWrY31w
 X3awJ0b0+IXUrsbbQOPeqgTo5hIkMDkMOga5AP/rqpx1yCCOrlMHaRPXB2NxNcVw
 dyTj6IpKybhsQ4GkcqmFcgnxPPaogNpYlp6SXV5Dm+8zEJdIQNUuci/EGsNz7UcV
 msxNlJJkxczXOew6JzCyw45wTnJCxduX7Y1xrOTLaDfa9pkWO2zQBXukCJNIqVIq
 35Q4P4JVYtmwQr8XkkX9tiqU0gBWTCTG9KjmTCMm5MYkutEYM0uTNR5Jvyiobl7L
 Nn+RydssVw7ssnNfgsLhzQHPElUivRdYoYFSBa2DQp6ViILrefqQegd5INAjK63W
 7vnHVZyJMHPM0YFoiX8w
 =6Yvh
 -----END PGP SIGNATURE-----

Merge tag 'xfs-4.14-fixes-5' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux

Pull xfs fixes from Darrick Wong:

 - Fix a stale kernel memory exposure when logging inodes.

 - Fix some build problems with CONFIG_XFS_RT=n

 - Don't change inode mode if the acl write fails, leaving the file
   totally inaccessible.

 - Fix a dangling pointer problem when removing an attr fork under
   memory pressure.

 - Don't crash while trying to invalidate a null buffer associated with
   a corrupt metadata pointer.

* tag 'xfs-4.14-fixes-5' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
  xfs: handle error if xfs_btree_get_bufs fails
  xfs: reinit btree pointer on attr tree inactivation walk
  xfs: Fix bool initialization/comparison
  xfs: don't change inode mode if ACL update fails
  xfs: move more RT specific code under CONFIG_XFS_RT
  xfs: Don't log uninitialised fields in inode structures
2017-10-12 14:51:13 -07:00
NeilBrown
2aab9c3ca4 scripts: fix faddr2line to work on last symbol
If faddr2line is given a function name which is the last one listed by
"nm -n", it will fail because it never finds the next symbol.

So teach the awk script to catch that possibility, and use 'size' to
provide the end point of the last function.

Signed-off-by: NeilBrown <neilb@suse.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-10-12 12:26:52 -07:00
Linus Torvalds
3206e7d5e2 Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
Pull quota fix from Jan Kara:
 "A fix for a regression in handling of quota grace times and warnings"

* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
  quota: Generate warnings for DQUOT_SPACE_NOFAIL allocations
2017-10-12 10:56:06 -07:00
Linus Torvalds
cbaff8763d Another latent bug related to PCID, an out-of-bounds access,
and a submaintainer change being finally made official.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQEcBAABAgAGBQJZ31h8AAoJEL/70l94x66DR74H/jPtBYV77TZw0xMbqXmoFaiQ
 fmq/knkj6uLcQ/i80HqhQZEaoo+McgknzVXBSlAL2JyNPcSRqye7zolIOahq7yya
 tjvbqu0+g1n9YxPIgcPxghb/Ye1cs9VkSRf4xtvInl4BEiOZdmYvI7v87enUAKdO
 PbLaht4VCk3jVpeL/oSEhZYadlP6fRsxCkwiBc6nM+P7Sbo92FHJpaRfbjc4mqw0
 BGKQvSiLWv3cZpf2dw7t+eiFjDamIR/5XI0eJhugYA+8DsG5PiPvqBffkskjNW19
 mfLqiu9/Zl3O0y1oBRj0xLqFsDWH2UNe0HNszr1T/ayDLn07aWvAxH71EEc6Yu0=
 =i1Gv
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull kvm fixes from Paolo Bonzini:
 "Another latent bug related to PCID, an out-of-bounds access, and a
  submaintainer change being finally made official"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  MAINTAINERS: Add Paul Mackerras as maintainer for KVM/powerpc
  KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
  KVM: MMU: always terminate page walks at level 1
  KVM: nVMX: update last_nonleaf_level when initializing nested EPT
2017-10-12 10:42:03 -07:00
Niklas Söderlund
3314c6bdd2 device property: preserve usecount for node passed to of_fwnode_graph_get_port_parent()
Using CONFIG_OF_DYNAMIC=y uncovered an imbalance in the usecount of the
node being passed to of_fwnode_graph_get_port_parent(). Preserve the
usecount by using of_get_parent() instead of of_get_next_parent() which
don't decrement the usecount of the node passed to it.

Fixes: 3b27d00e7b ("device property: Move fwnode graph ops to firmware specific locations")
Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Rob Herring <robh@kernel.org>
2017-10-12 12:26:14 -05:00
Stewart Smith
22f8cc6e33 drivers: of: increase MAX_RESERVED_REGIONS to 32
There are two types of memory reservations firmware can ask the kernel
to make in the device tree: static and dynamic.
See Documentation/devicetree/bindings/reserved-memory/reserved-memory.txt

If you have greater than 16 entries in /reserved-memory (as we do on
POWER9 systems) you would get this scary looking error message:
 [    0.000000] OF: reserved mem: not enough space all defined regions.

This is harmless if all your reservations are static (which with OPAL on
POWER9, they are).

It is not harmless if you have any dynamic reservations after the 16th.

In the first pass over the fdt to find reservations, the child nodes of
/reserved-memory are added to a static array in of_reserved_mem.c so that
memory can be reserved in a 2nd pass. The array has 16 entries. This is why,
on my dual socket POWER9 system, I get that error 4 times with 20 static
reservations.

We don't have a problem on ppc though, as in arch/powerpc/kernel/prom.c
we look at the new style /reserved-ranges property to do reservations,
and this logic was introduced in 0962e8004e (well before any powernv
system shipped).

A Google search shows up no occurances of that exact error message, so we're
probably safe in that no machine that people use has memory not being reserved
when it should be.

The simple fix is to bump the length of the array to 32 which "should be
enough for everyone(TM)". The simple fix of not recording static allocations
in the array would cause problems for devices with "memory-region" properties.
A more future-proof fix is likely possible, although more invasive and this
simple fix is perfectly suitable in the meantime while a more future-proof
fix is developed.

Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
Tested-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
Signed-off-by: Rob Herring <robh@kernel.org>
2017-10-12 12:23:45 -05:00
Sergey Senozhatsky
db179e0d0d of: do not leak console options
Do not strdup() console options. It seems that the only reason for
it to be strdup()-ed was a compilation warning: printk, UART and
console drivers, for some reason, expect char pointer instead of
const char pointer. So we can just pass `of_stdout_options', but
need to cast it to char pointer. A better fix would be to change
printk, console drivers and UART to accept const char `options';
but that will take time - there are lots of drivers to update.

The patch also fixes a possible memory leak: add_preferred_console()
can fail, but we don't kfree() options.

Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Rob Herring <robh@kernel.org>
2017-10-12 12:22:04 -05:00
Linus Torvalds
73a752cce2 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Pull crypto fixes from Herbert Xu:

 - fix crashes in skcipher/shash from zero-length input.

 - fix softirq GFP_KERNEL allocation in shash_setkey_unaligned.

 - error path bug fix in xts create function.

 - fix compiler warning regressions in axis and stm32

* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: shash - Fix zero-length shash ahash digest crash
  crypto: skcipher - Fix crash on zero-length input
  crypto: shash - Fix a sleep-in-atomic bug in shash_setkey_unaligned
  crypto: xts - Fix an error handling path in 'create()'
  crypto: stm32 - Try to fix hash padding
  crypto: axis - hide an unused variable
2017-10-12 09:32:53 -07:00
Linus Torvalds
0de50ea7b5 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/livepatching
Pull livepatching fix from Jiri Kosina:

 - bugfix for handling of coming modules (incorrect handling of failure)
   from Joe Lawrence

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/livepatching:
  livepatch: unpatch all klp_objects if klp_module_coming fails
2017-10-12 09:21:56 -07:00
Linus Torvalds
be7484acc6 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid
Pull HID fixes from Jiri Kosina:

 - fix for potential out-of-bounds memory access (found by fuzzing,
   likely requires specially crafted device to trigger) by Jaejoong Kim

 - two new device IDs for elecom driver from Alex Manoussakis

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
  HID: hid-elecom: extend to fix descriptor for HUGE trackball
  HID: usbhid: fix out-of-bounds bug
2017-10-12 09:08:56 -07:00
Linus Torvalds
7702f47623 sound fixes for 4.14-rc5
It's been a busy week for defending the attacks from fuzzer people;
 this pull request contains various USB-audio driver fixes and
 sequencer core fixes spotted by syzkaller and other fuzzer, as well
 as one quirk for a Plantronics USB audio device.
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCAAsFiEECxfAB4MH3rD5mfB6bDGAVD0pKaQFAlnePkwOHHRpd2FpQHN1
 c2UuZGUACgkQbDGAVD0pKaSL3w/+Pc7+JNUwuhoXFbN3aq7/cH3v10+/2RMqfI9m
 TSi/F4u7wyYCSOkJOjK7CetSrMrzi6FVHhTqtTTKB4r9lcqLYuHOWRhE/6R4l8mx
 J8ZJaMiTXjSXl4nDWbNkBoDHxWH+JMN4XTaCTxJPUb/AKrxOYotahKIfTPgbWjAW
 GixnvGRpkmoRAKyAPlJDCFiD2pahDhf9zLFNkkQuYNH7oZH82nuXKS8h73oq9WDY
 7TiGlLxK1afFSTcXFYOFd1njE8czocibVuarBlFA1CLLaCxZAYTo87Hg+WtYp30V
 3nBK6ru/c0lQzhH9vv7uuT4XGzDKX1RfykF9AT8FNllNR/KqORu9O2gk9Zy+3ptq
 xWWPxjoWHUdPlp5igHGsSbjw6Y5MNAL0jc+SmfYzTI2aTrNji5ljwX2f9aNdsLf5
 fW7AWSQk2KEd7i70TJ5TzMs30tF875wggoQYIFjUu+UF4ML728Ri/XvWmDIUaamq
 E+JVaCEAcFQ8HBEmwBGCT4ZL5P0cyZSH6DCnP4okg0nCBVwnsDkGJoWZayBP5lLL
 ts2f3PL1Vo0TdYlzY0HWQfiQvdlYPfJgmMPR5Hm8U1QptxbXZVnPkYAYzW3wGwnS
 tscgHHxW5zUl9/lQrc4VbGbzKCbGsCKlUoyrLbZ67LGN97lkq+u0bvNPf1UCkno/
 3ScZZFo=
 =sl20
 -----END PGP SIGNATURE-----

Merge tag 'sound-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "It's been a busy week for defending the attacks from fuzzer people.

  This contains various USB-audio driver fixes and sequencer core fixes
  spotted by syzkaller and other fuzzer, as well as one quirk for a
  Plantronics USB audio device"

* tag 'sound-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: caiaq: Fix stray URB at probe error path
  ALSA: seq: Fix use-after-free at creating a port
  ALSA: usb-audio: Kill stray URB at exiting
  ALSA: line6: Fix leftover URB at error-path during probe
  ALSA: line6: Fix NULL dereference at podhd_disconnect()
  ALSA: line6: Fix missing initialization before error path
  ALSA: seq: Fix copy_from_user() call inside lock
  ALSA: usb-audio: Add sample rate quirk for Plantronics P610
2017-10-12 09:01:18 -07:00
Linus Torvalds
467251c69b Merge branch 'waitid-fix'
Merge waitid() fix from Kees Cook.

I'd have hoped that the unsafe_{get|put}_user() naming would have
avoided these kinds of stupid bugs, but no such luck.

* waitid-fix:
  waitid(): Add missing access_ok() checks
2017-10-12 08:36:47 -07:00
Anju T Sudhakar
cd4f2b30e5 powerpc/perf: Add ___GFP_NOWARN flag to alloc_pages_node()
Stack trace output during a stress test:
 [    4.310049] Freeing initrd memory: 22592K
[    4.310646] rtas_flash: no firmware flash support
[    4.313341] cpuhp/64: page allocation failure: order:0, mode:0x14480c0(GFP_KERNEL|__GFP_ZERO|__GFP_THISNODE), nodemask=(null)
[    4.313465] cpuhp/64 cpuset=/ mems_allowed=0
[    4.313521] CPU: 64 PID: 392 Comm: cpuhp/64 Not tainted 4.11.0-39.el7a.ppc64le #1
[    4.313588] Call Trace:
[    4.313622] [c000000f1fb1b8e0] [c000000000c09388] dump_stack+0xb0/0xf0 (unreliable)
[    4.313694] [c000000f1fb1b920] [c00000000030ef6c] warn_alloc+0x12c/0x1c0
[    4.313753] [c000000f1fb1b9c0] [c00000000030ff68] __alloc_pages_nodemask+0xea8/0x1000
[    4.313823] [c000000f1fb1bbb0] [c000000000113a8c] core_imc_mem_init+0xbc/0x1c0
[    4.313892] [c000000f1fb1bc00] [c000000000113cdc] ppc_core_imc_cpu_online+0x14c/0x170
[    4.313962] [c000000f1fb1bc90] [c000000000125758] cpuhp_invoke_callback+0x198/0x5d0
[    4.314031] [c000000f1fb1bd00] [c00000000012782c] cpuhp_thread_fun+0x8c/0x3d0
[    4.314101] [c000000f1fb1bd60] [c0000000001678d0] smpboot_thread_fn+0x290/0x2a0
[    4.314169] [c000000f1fb1bdc0] [c00000000015ee78] kthread+0x168/0x1b0
[    4.314229] [c000000f1fb1be30] [c00000000000b368] ret_from_kernel_thread+0x5c/0x74
[    4.314313] Mem-Info:
[    4.314356] active_anon:0 inactive_anon:0 isolated_anon:0

core_imc_mem_init() at system boot use alloc_pages_node() to get memory
and alloc_pages_node() throws this stack dump when tried to allocate
memory from a node which has no memory behind it. Add a ___GFP_NOWARN
flag in allocation request as a fix.

Signed-off-by: Anju T Sudhakar <anju@linux.vnet.ibm.com>
Reported-by: Michael Ellerman <mpe@ellerman.id.au>
Reported-by: Venkat R.B <venkatb3@in.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2017-10-12 23:12:12 +11:00
Anju T Sudhakar
0d923820c6 powerpc/perf: Fix for core/nest imc call trace on cpuhotplug
Nest/core pmu units are enabled only when it is used. A reference count is
maintained for the events which uses the nest/core pmu units. Currently in
*_imc_counters_release function a WARN() is used for notification of any
underflow of ref count.

The case where event ref count hit a negative value is, when perf session is
started, followed by offlining of all cpus in a given core.
i.e. in cpuhotplug offline path ppc_core_imc_cpu_offline() function set the
ref->count to zero, if the current cpu which is about to offline is the last
cpu in a given core and make an OPAL call to disable the engine in that core.
And on perf session termination, perf->destroy (core_imc_counters_release) will
first decrement the ref->count for this core and based on the ref->count value
an opal call is made to disable the core-imc engine.
Now, since cpuhotplug path already clears the ref->count for core and disabled
the engine, perf->destroy() decrementing again at event termination make it
negative which in turn fires the WARN_ON. The same happens for nest units.

Add a check to see if the reference count is alreday zero, before decrementing
the count, so that the ref count will not hit a negative value.

Signed-off-by: Anju T Sudhakar <anju@linux.vnet.ibm.com>
Reviewed-by: Santosh Sivaraj <santosh@fossix.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2017-10-12 23:11:56 +11:00
Thomas Huth
8a60aea621 MAINTAINERS: Add Paul Mackerras as maintainer for KVM/powerpc
Paul is handling almost all of the powerpc related KVM patches nowadays,
so he should be mentioned in the MAINTAINERS file accordingly.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-10-12 13:55:08 +02:00
Haozhong Zhang
8eb3f87d90 KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
When KVM emulates an exit from L2 to L1, it loads L1 CR4 into the
guest CR4. Before this CR4 loading, the guest CR4 refers to L2
CR4. Because these two CR4's are in different levels of guest, we
should vmx_set_cr4() rather than kvm_set_cr4() here. The latter, which
is used to handle guest writes to its CR4, checks the guest change to
CR4 and may fail if the change is invalid.

The failure may cause trouble. Consider we start
  a L1 guest with non-zero L1 PCID in use,
     (i.e. L1 CR4.PCIDE == 1 && L1 CR3.PCID != 0)
and
  a L2 guest with L2 PCID disabled,
     (i.e. L2 CR4.PCIDE == 0)
and following events may happen:

1. If kvm_set_cr4() is used in load_vmcs12_host_state() to load L1 CR4
   into guest CR4 (in VMCS01) for L2 to L1 exit, it will fail because
   of PCID check. As a result, the guest CR4 recorded in L0 KVM (i.e.
   vcpu->arch.cr4) is left to the value of L2 CR4.

2. Later, if L1 attempts to change its CR4, e.g., clearing VMXE bit,
   kvm_set_cr4() in L0 KVM will think L1 also wants to enable PCID,
   because the wrong L2 CR4 is used by L0 KVM as L1 CR4. As L1
   CR3.PCID != 0, L0 KVM will inject GP to L1 guest.

Fixes: 4704d0befb ("KVM: nVMX: Exiting from L2 to L1")
Cc: qemu-stable@nongnu.org
Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-10-12 13:54:56 +02:00
Marek Szyprowski
9d25e3cc83 iommu/exynos: Remove initconst attribute to avoid potential kernel oops
Exynos SYSMMU registers standard platform device with sysmmu_of_match
table, what means that this table is accessed every time a new platform
device is registered in a system. This might happen also after the boot,
so the table must not be attributed as initconst to avoid potential kernel
oops caused by access to freed memory.

Fixes: 6b21a5db36 ("iommu/exynos: Support for device tree")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
2017-10-12 10:25:11 +02:00
Sakari Ailus
51858a2777 ACPI: properties: Fix __acpi_node_get_property_reference() return codes
Fix more return codes for device property: Align return codes of
__acpi_node_get_property_reference().

In particular, what was missed previously:

 -EPROTO could be returned in certain cases, now -EINVAL;
 -EINVAL was returned if the property was not found, now -ENOENT;
 -EINVAL was returned also if the index was higher than the number of
         entries in a package, now -ENOENT.

Reported-by: Hyungwoo Yang <hyungwoo.yang@intel.com>
Fixes: 3e3119d308 (device property: Introduce fwnode_property_get_reference_args)
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Tested-by: Hyungwoo Yang <hyungwoo.yang@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2017-10-11 21:16:37 +02:00
Sakari Ailus
c343bc2ce2 ACPI: properties: Align return codes of __acpi_node_get_property_reference()
acpi_fwnode_get_reference_args(), the function implementing ACPI
support for fwnode_property_get_reference_args(), returns directly
error codes from __acpi_node_get_property_reference(). The latter
uses different error codes than the OF implementation. In particular,
the OF implementation uses -ENOENT to indicate that the property is
not found, a reference entry is empty and there are no more
references.

Document and align the error codes for property for
fwnode_property_get_reference_args() so that they match with
of_parse_phandle_with_args().

Fixes: 3e3119d308 (device property: Introduce fwnode_property_get_reference_args)
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2017-10-11 21:15:44 +02:00
Linus Torvalds
ff5abbe799 rpmsg fixes for v4.14
This corrects two mistakes in the Qualcomm GLINK SMEM driver.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJZ3ltDAAoJEAsfOT8Nma3F/BIP/1IwopdNG2ABOsGhydSemz58
 3g6ED5/X+h6ufmFqyhP7EJ6PIqag0lv3b6+XYeFrXoXx9PlCAtp9kk6jVFjMR8+/
 DDDrD3zUDbHpDU4HH8q1j3AnvUj8gjmB3sBoPSAG0zdqCSLzEsn/MRfd45G/Be7N
 zV/J5MQzXAubvlQpsqsVbRoXQPdo8NQIE2WTRAne0voUiJce7NbcTS6m8OdXoh1Q
 W0PLq9fyU6YxwOkR1LdW8mU1b430nYE49FdBn4glYw9kRPJxT/PRIUXApIr6Fo1V
 zV/+nBAoP+ZrFdre6NT8CBzOdhbuVNbHEdIjQQEIHxsOLWwCk2XBZHLbKFgCVXi3
 IKqGDnfrz4nAKotq3illXzZacav+78pZCkObsfMyRnj9P/O5ZuC9GwUNJNFWz61B
 n4ZGJHeXOOWSxI0yNY4W/T9q+gpzAanCt+iETc3rQ+oBDHMUC8GRuaFGzV+nDkyG
 pK/nhdx3Zz5ev/hsRX33R21HNlfuAJZo0XU6gvy7TrNpiJbgTePoA7FzndpBJWm4
 nilDIzhPML+MtqcyBcFkj3Z4/OjyQELeVq9cnfp1PqeLUv+b/NzE6BVw2bGsxrWK
 iibr9sbumvMVjNZohSsYFVJAudSNQzuIt8cF/KldHcSpt4A3sHAw+QKGGAQYkIf6
 /kKJBNuF9Yb5gMJAEJ4Z
 =W1P1
 -----END PGP SIGNATURE-----

Merge tag 'rpmsg-v4.14-fixes' of git://github.com/andersson/remoteproc

Pull rpmsg fixes from Bjorn Andersson:
 "This corrects two mistakes in the Qualcomm GLINK SMEM driver"

* tag 'rpmsg-v4.14-fixes' of git://github.com/andersson/remoteproc:
  rpmsg: glink: Fix memory leak in qcom_glink_alloc_intent()
  rpmsg: glink: Unlock on error in qcom_glink_request_intent()
2017-10-11 12:01:38 -07:00
Linus Torvalds
9add7e3e36 remoteproc fixes for v4.14
This fixes a couple of issues in the imx_rproc driver and corrects the Kconfig
 dependencies of the Qualcomm remoteproc drivers.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJZ3loeAAoJEAsfOT8Nma3FEggP/2UveVYr35QLDqPd6cSvenIF
 Rj7iXLAi1E8ro4pJKAghk+haxKOOhtFIYqZTgzE1SAqsZkMj2wySwg4IPsyvOyiN
 zyKtjvP4SDlxFc7oC05yHmSAHJp+wok5zx4YJ6+/ETjhJjhQqs9Edx0xNNFHrt5N
 +q2F0i8H4l6RahXdh9VzEH7BuKyEoi/00mbEpjMruRxZDb6KnVPuYUfjN5MiuOo2
 ctjpHp4FDnoggTjpJAL2JNpfaGlU63gTVd6ms5PU+5jIexvwxQ+dJtz5XSCb6VDb
 /D5K1rMIRo+/VsTcTroW7oIuVrQJ5X3wmy3ypIBcnblf/Mxk/8v1p6J0DpOLPQC/
 X619DcOURw1tcbMawXTLvTZi0+l3vZC1XKCO7O3ukucA7v2a6Pcwf1kISHXxumgp
 mw4ptBEtNHUj7vy64B2k8D0k1jOeefnev8Fy+fh6Ds/GgybirfXl6HSh0vJkz2Tu
 5ZSWvW0ycRbirrW6jsoFRnSEUu7SwVPfK/LdUUoydMtRCYT8Tgn+fUDly3L6rVrx
 0tUosHgBdFcS+W+1+FRdPg+vKqVTQelWXLCOcW+RwOWP80DLW+2lII4xmdwZwA5a
 redIhTH7NHleFDmLAOVD5YstkPlYrAyitgY5xE72+j3PI3NXuxLSaZC/i24JscJP
 q94TCrnoYAfRJzveAwuS
 =KwYX
 -----END PGP SIGNATURE-----

Merge tag 'rproc-v4.14-fixes' of git://github.com/andersson/remoteproc

Pull remoteproc fixes from Bjorn Andersson:
 "This fixes a couple of issues in the imx_rproc driver and corrects the
  Kconfig dependencies of the Qualcomm remoteproc drivers"

* tag 'rproc-v4.14-fixes' of git://github.com/andersson/remoteproc:
  remoteproc: imx_rproc: fix return value check in imx_rproc_addr_init()
  remoteproc: qcom: fix RPMSG_QCOM_GLINK_SMEM dependencies
  remoteproc: imx_rproc: fix a couple off by one bugs
2017-10-11 11:58:23 -07:00
Wei Yongjun
68a39a3e9f remoteproc: imx_rproc: fix return value check in imx_rproc_addr_init()
In case of error, the function devm_ioremap() returns NULL pointer
not ERR_PTR(). The IS_ERR() test in the return value check should
be replaced with NULL test.

Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
2017-10-11 10:47:47 -07:00
Eric Sandeen
93e8befc17 xfs: handle error if xfs_btree_get_bufs fails
Jason reported that a corrupted filesystem failed to replay
the log with a metadata block out of bounds warning:

XFS (dm-2): _xfs_buf_find: Block out of range: block 0x80270fff8, EOFS 0x9c40000

_xfs_buf_find() and xfs_btree_get_bufs() return NULL if
that happens, and then when xfs_alloc_fix_freelist() calls
xfs_trans_binval() on that NULL bp, we oops with:

BUG: unable to handle kernel NULL pointer dereference at 00000000000000f8

We don't handle _xfs_buf_find errors very well, every
caller higher up the stack gets to guess at why it failed.
But we should at least handle it somehow, so return
EFSCORRUPTED here.

Reported-by: Jason L Tibbitts III <tibbs@math.uh.edu>
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2017-10-11 10:21:07 -07:00
Brian Foster
f35c5e10c6 xfs: reinit btree pointer on attr tree inactivation walk
xfs_attr3_root_inactive() walks the attr fork tree to invalidate the
associated blocks. xfs_attr3_node_inactive() recursively descends
from internal blocks to leaf blocks, caching block address values
along the way to revisit parent blocks, locate the next entry and
descend down that branch of the tree.

The code that attempts to reread the parent block is unsafe because
it assumes that the local xfs_da_node_entry pointer remains valid
after an xfs_trans_brelse() and re-read of the parent buffer. Under
heavy memory pressure, it is possible that the buffer has been
reclaimed and reallocated by the time the parent block is reread.
This means that 'btree' can point to an invalid memory address, lead
to a random/garbage value for child_fsb and cause the subsequent
read of the attr fork to go off the rails and return a NULL buffer
for an attr fork offset that is most likely not allocated.

Note that this problem can be manufactured by setting
XFS_ATTR_BTREE_REF to 0 to prevent LRU caching of attr buffers,
creating a file with a multi-level attr fork and removing it to
trigger inactivation.

To address this problem, reinit the node/btree pointers to the
parent buffer after it has been re-read. This ensures btree points
to a valid record and allows the walk to proceed.

Signed-off-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2017-10-11 10:21:07 -07:00
Thomas Meyer
749f24f33e xfs: Fix bool initialization/comparison
Bool initializations should use true and false. Bool tests don't need
comparisons.

Signed-off-by: Thomas Meyer <thomas@m3y3r.de>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2017-10-11 10:21:06 -07:00
Dave Chinner
67f2ffe31d xfs: don't change inode mode if ACL update fails
If we get ENOSPC half way through setting the ACL, the inode mode
can still be changed even though the ACL does not exist. Reorder the
operation to only change the mode of the inode if the ACL is set
correctly.

Whilst this does not fix the problem with crash consistency (that requires
attribute addition to be a deferred op) it does prevent ENOSPC and other
non-fatal errors setting an xattr to be handled sanely.

This fixes xfstests generic/449.

Signed-Off-By: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2017-10-11 10:21:06 -07:00
Dave Chinner
bb9c2e5433 xfs: move more RT specific code under CONFIG_XFS_RT
Various utility functions and interfaces that iterate internal
devices try to reference the realtime device even when RT support is
not compiled into the kernel.

Make sure this code is excluded from the CONFIG_XFS_RT=n build,
and where appropriate stub functions to return fatal errors if
they ever get called when RT support is not present.

Signed-Off-By: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2017-10-11 10:21:06 -07:00
Dave Chinner
20413e37d7 xfs: Don't log uninitialised fields in inode structures
Prevent kmemcheck from throwing warnings about reading uninitialised
memory when formatting inodes into the incore log buffer. There are
several issues here - we don't always log all the fields in the
inode log format item, and we never log the inode the
di_next_unlinked field.

In the case of the inode log format item, this is exacerbated
by the old xfs_inode_log_format structure padding issue. Hence make
the padded, 64 bit aligned version of the structure the one we always
use for formatting the log and get rid of the 64 bit variant. This
means we'll always log the 64-bit version and so recovery only needs
to convert from the unpadded 32 bit version from older 32 bit
kernels.

Signed-Off-By: Dave Chinner <dchinner@redhat.com>
Tested-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2017-10-11 10:21:06 -07:00
Alexander Levin
56ae414e9d 9p: set page uptodate when required in write_end()
Commit 77469c3f57 prevented setting the page as uptodate when we wrote
the right amount of data, fix that.

Fixes: 77469c3f57 ("9p: saner ->write_end() on failing copy into non-uptodate page")
Reviewed-by: Jan Kara <jack@suse.com>
Signed-off-by: Alexander Levin <alexander.levin@verizon.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-10-11 09:30:08 -07:00
Linus Torvalds
a0db28909e GPIO fixes for the v4.14 series:
- Three Kconfig/build warning fixes.
 
 - A fix for lost edge IRQs in the OMAP driver.
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJZ3cfMAAoJEEEQszewGV1zaewP/0c0CGNHzk111V6lDd56wA9L
 Y4oCeAQAxcTtmSaZfVyxBazS2S6r/mSqD5rw3Ji5sjtFu7NzE322bJgzS51Fd4VR
 hoNGkok3AO+QyUXHrkEBjv4S54+AO4kNs0sSes1/kTDGocwm3hGrKBJe5frM+Drf
 zLo1EiDUg9a30tzwEWrDB4auWRXTuMocGNwwqnyFWkXq1Q4Fe6msAsUiF7KTh6Y0
 iE/hkYNIHX65QN2Pln6xEKdqxJWHuiXT82mUC1s6b2OeL7LVwuDJ+Kadzn4gTSOj
 ZGQEYvMTo1/u54paOqZljSkOn4cm+HH1j/4lZ/KMOAFCpgfTMpf76Eu5ArUODfcs
 roulpmZFHBwq854u4Z5L2v7T3lnfW3qurS1G93F0A4RDTHBA+SJUeWBdr1SSpjFY
 Uzwy6L/RV6/BMZorfvam1RUhLfopU2MUQN1Kg4brMz/GFkq+X+93x6i/sVlChyO+
 JbR4eJJIQuoji78QdxHAbD+2sIr4q3zlAi83koMdYn388YdgVFiBY/D84LmC4W++
 LKRD2/gJFHmW8TVuG8rt4xW2OvLWxIWhRc7s0TJlG0EQ5tS8fam5lTpqcEDHW/PD
 1Q25WeRc0z22m1W/ZIL8NKzsXO+xt4NyHp2Lp+iQOANLlDG5N2IRndLbWuAGXlLh
 M+vAz6HY3nUsKLCHF/3Z
 =3jQF
 -----END PGP SIGNATURE-----

Merge tag 'gpio-v4.14-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio

Pull GPIO fixes from Linus Walleij:
 "Here are some smallish GPIO fixes for v4.14. Like with pin control:
  some build/Kconfig noise and one serious bug in a specific driver.

   - Three Kconfig/build warning fixes

   - A fix for lost edge IRQs in the OMAP driver"

* tag 'gpio-v4.14-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
  gpio: omap: Fix lost edge interrupts
  gpio: omap: omap_gpio_show_rev is not __init
  gpio: acpi: work around false-positive -Wstring-overflow warning
  gpio: thunderx: select IRQ_DOMAIN_HIERARCHY instead of depends on
2017-10-11 09:16:38 -07:00
Linus Torvalds
cc74613b13 Pin control fixes for the v4.14 series:
- Fix two build problems.
 
 - Fix a regression on the Intel Cherryview interrupt path.
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJZ3caJAAoJEEEQszewGV1z7RYP/3yMMiSuy3IX2s6OT2WX+mhu
 TzOGbMC7No41aIxEqKRXfOVUkYNNwcQ/j0MvACJLDDpZ1p3FmvqQUJ5X3xs1XKOT
 f3oXKfgED342YZOf1k8MlRULiZFP4kW9cHfZ3J7LPRvmXpwPttnXfL45TKUn2Izr
 DFcJLpKquVAe46XK4bZCYpazSTMwYe3l0oEiiZjy5CI9odE0w//QTxPs+JX0ORa0
 mqNn1beNr6QF0bOa5pm6ZoNVk2yjxuSjdMwih8xAiTdlpkksKvH24Tpn8g8r6D4v
 7/6bN1ySS+LGhqNW+5P/f6AT0VLq/o0DVw49HWOFknVdm83Uishw7+FXgJkdx1Cc
 v5nrnuK8tC+5vpXXCmpiiPhGzPnnlpKHQ+90vm5eH2GPxxXKy6iO5lMCPgsdp2up
 Df3Yzy34y/gGyLKUDDngpEGsYABySFqqYA4zKG7WWfStRKjfKzv+C4sG2mBXD67R
 +XYdZ3G7OsSlKmJgg6OXLPK89+e0/tBNVv1atk2piEC30rT4X7cWEp3cmokgQ8Qz
 JypvvNmuX7b+OUK6K/cs47lrhrlxccL/x5GUbYrJjKpc0r3jY3Tt9qV43IYNLMPI
 PvDcjBD5WYJ9IWnK4QZ/lMHir5a0FJOAVjJy8rFn1W+rhLpmECm+LtOuxc2ffXBj
 QkXiqtNk+K8Yhq9zakuj
 =geFS
 -----END PGP SIGNATURE-----

Merge tag 'pinctrl-v4.14-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl

Pull pin control fixes from Linus Walleij:
 "Two small things and a slightly larger thing in the Intel Cherryview.

   - Fix two build problems

   - Fix a regression on the Intel Cherryview interrupt path"

* tag 'pinctrl-v4.14-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
  pinctrl: cherryview: fix issues caused by dynamic gpio irqs mapping
  pinctrl/amd: Fix build dependency on pinmux code
  pinctrl: bcm2835: fix build warning in bcm2835_gpio_irq_handle_bank
2017-10-11 09:09:22 -07:00
Linus Torvalds
ce3861819a Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull vfs fixes from Al Viro:
 "Fairly old DIO bug caught by Andreas (3.10+) and several slightly
  younger blk_rq_map_user_iov() bugs, both on map and copy codepaths
  (Vitaly and me)"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  bio_copy_user_iov(): don't ignore ->iov_offset
  more bio_map_user_iov() leak fixes
  fix unbalanced page refcounting in bio_map_user_iov
  direct-io: Prevent NULL pointer access in submit_page_section
2017-10-11 09:00:22 -07:00
Takashi Iwai
99fee50824 ALSA: caiaq: Fix stray URB at probe error path
caiaq driver doesn't kill the URB properly at its error path during
the probe, which may lead to a use-after-free error later.  This patch
addresses it.

Reported-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Johan Hovold <johan@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-11 17:01:18 +02:00
Alex Manoussakis
a0933a456f HID: hid-elecom: extend to fix descriptor for HUGE trackball
In addition to DEFT, Elecom introduced a larger trackball called HUGE, in
both wired (M-HT1URBK) and wireless (M-HT1DRBK) versions. It has the same
buttons and behavior as the DEFT. This patch adds the two relevant USB IDs
to enable operation of the three Fn buttons on the top of the device.

Cc: Diego Elio Petteno <flameeyes@flameeyes.eu>
Signed-off-by: Alex Manoussakis <amanou@gnu.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2017-10-11 15:46:22 +02:00
Jaejoong Kim
f043bfc98c HID: usbhid: fix out-of-bounds bug
The hid descriptor identifies the length and type of subordinate
descriptors for a device. If the received hid descriptor is smaller than
the size of the struct hid_descriptor, it is possible to cause
out-of-bounds.

In addition, if bNumDescriptors of the hid descriptor have an incorrect
value, this can also cause out-of-bounds while approaching hdesc->desc[n].

So check the size of hid descriptor and bNumDescriptors.

	BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20
	Read of size 1 at addr ffff88006c5f8edf by task kworker/1:2/1261

	CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted
	4.14.0-rc1-42251-gebb2c2437d80 #169
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
	Workqueue: usb_hub_wq hub_event
	Call Trace:
	__dump_stack lib/dump_stack.c:16
	dump_stack+0x292/0x395 lib/dump_stack.c:52
	print_address_description+0x78/0x280 mm/kasan/report.c:252
	kasan_report_error mm/kasan/report.c:351
	kasan_report+0x22f/0x340 mm/kasan/report.c:409
	__asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
	usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004
	hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944
	usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369
	usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
	really_probe drivers/base/dd.c:413
	driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
	__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
	bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
	__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
	device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
	bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
	device_add+0xd0b/0x1660 drivers/base/core.c:1835
	usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
	generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
	usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
	really_probe drivers/base/dd.c:413
	driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
	__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
	bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
	__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
	device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
	bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
	device_add+0xd0b/0x1660 drivers/base/core.c:1835
	usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
	hub_port_connect drivers/usb/core/hub.c:4903
	hub_port_connect_change drivers/usb/core/hub.c:5009
	port_event drivers/usb/core/hub.c:5115
	hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
	process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
	worker_thread+0x221/0x1850 kernel/workqueue.c:2253
	kthread+0x3a1/0x470 kernel/kthread.c:231
	ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

Cc: stable@vger.kernel.org
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2017-10-11 15:40:31 +02:00
Joe Lawrence
ef8daf8eeb livepatch: unpatch all klp_objects if klp_module_coming fails
When an incoming module is considered for livepatching by
klp_module_coming(), it iterates over multiple patches and multiple
kernel objects in this order:

	list_for_each_entry(patch, &klp_patches, list) {
		klp_for_each_object(patch, obj) {

which means that if one of the kernel objects fails to patch,
klp_module_coming()'s error path needs to unpatch and cleanup any kernel
objects that were already patched by a previous patch.

Reported-by: Miroslav Benes <mbenes@suse.cz>
Suggested-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2017-10-11 15:38:46 +02:00
Takashi Iwai
7110599884 ALSA: seq: Fix use-after-free at creating a port
There is a potential race window opened at creating and deleting a
port via ioctl, as spotted by fuzzing.  snd_seq_create_port() creates
a port object and returns its pointer, but it doesn't take the
refcount, thus it can be deleted immediately by another thread.
Meanwhile, snd_seq_ioctl_create_port() still calls the function
snd_seq_system_client_ev_port_start() with the created port object
that is being deleted, and this triggers use-after-free like:

 BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
 =============================================================================
 BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
 -----------------------------------------------------------------------------
 INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
 	___slab_alloc+0x425/0x460
 	__slab_alloc+0x20/0x40
  	kmem_cache_alloc_trace+0x150/0x190
	snd_seq_create_port+0x94/0x9b0 [snd_seq]
	snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
 	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
 	snd_seq_ioctl+0x40/0x80 [snd_seq]
 	do_vfs_ioctl+0x54b/0xda0
 	SyS_ioctl+0x79/0x90
 	entry_SYSCALL_64_fastpath+0x16/0x75
 INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
 	__slab_free+0x204/0x310
 	kfree+0x15f/0x180
 	port_delete+0x136/0x1a0 [snd_seq]
 	snd_seq_delete_port+0x235/0x350 [snd_seq]
 	snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
 	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
 	snd_seq_ioctl+0x40/0x80 [snd_seq]
 	do_vfs_ioctl+0x54b/0xda0
 	SyS_ioctl+0x79/0x90
 	entry_SYSCALL_64_fastpath+0x16/0x75
 Call Trace:
  [<ffffffff81b03781>] dump_stack+0x63/0x82
  [<ffffffff81531b3b>] print_trailer+0xfb/0x160
  [<ffffffff81536db4>] object_err+0x34/0x40
  [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
  [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
  [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
  [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
  [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
  [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
  [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
  [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
  [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
  [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
  .....

We may fix this in a few different ways, and in this patch, it's fixed
simply by taking the refcount properly at snd_seq_create_port() and
letting the caller unref the object after use.  Also, there is another
potential use-after-free by sprintf() call in snd_seq_create_port(),
and this is moved inside the lock.

This fix covers CVE-2017-15265.

Reported-and-tested-by: Michael23 Yu <ycqzsy@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-11 09:58:18 +02:00