22 Feb, 2020
4 commits
-
This reverts commit a97955844807e327df11aa33869009d14d6b7de0.
Commit a97955844807 ("ipc,sem: remove uneeded sem_undo_list lock usage
in exit_sem()") removes a lock that is needed. This leads to a process
looping infinitely in exit_sem() and can also lead to a crash. There is
a reproducer available in [1] and with the commit reverted the issue
does not reproduce anymore.Using the reproducer found in [1] is fairly easy to reach a point where
one of the child processes is looping infinitely in exit_sem between
for(;;) and if (semid == -1) block, while it's trying to free its last
sem_undo structure which has already been freed by freeary().Each sem_undo struct is on two lists: one per semaphore set (list_id)
and one per process (list_proc). The list_id list tracks undos by
semaphore set, and the list_proc by process.Undo structures are removed either by freeary() or by exit_sem(). The
freeary function is invoked when the user invokes a syscall to remove a
semaphore set. During this operation freeary() traverses the list_id
associated with the semaphore set and removes the undo structures from
both the list_id and list_proc lists.For this case, exit_sem() is called at process exit. Each process
contains a struct sem_undo_list (referred to as "ulp") which contains
the head for the list_proc list. When the process exits, exit_sem()
traverses this list to remove each sem_undo struct. As in freeary(),
whenever a sem_undo struct is removed from list_proc, it is also removed
from the list_id list.Removing elements from list_id is safe for both exit_sem() and freeary()
due to sem_lock(). Removing elements from list_proc is not safe;
freeary() locks &un->ulp->lock when it performs
list_del_rcu(&un->list_proc) but exit_sem() does not (locking was
removed by commit a97955844807 ("ipc,sem: remove uneeded sem_undo_list
lock usage in exit_sem()").This can result in the following situation while executing the
reproducer [1] : Consider a child process in exit_sem() and the parent
in freeary() (because of semctl(sid[i], NSEM, IPC_RMID)).- The list_proc for the child contains the last two undo structs A and
B (the rest have been removed either by exit_sem() or freeary()).- The semid for A is 1 and semid for B is 2.
- exit_sem() removes A and at the same time freeary() removes B.
- Since A and B have different semid sem_lock() will acquire different
locks for each process and both can proceed.The bug is that they remove A and B from the same list_proc at the same
time because only freeary() acquires the ulp lock. When exit_sem()
removes A it makes ulp->list_proc.next to point at B and at the same
time freeary() removes B setting B->semid=-1.At the next iteration of for(;;) loop exit_sem() will try to remove B.
The only way to break from for(;;) is for (&un->list_proc ==
&ulp->list_proc) to be true which is not. Then exit_sem() will check if
B->semid=-1 which is and will continue looping in for(;;) until the
memory for B is reallocated and the value at B->semid is changed.At that point, exit_sem() will crash attempting to unlink B from the
lists (this can be easily triggered by running the reproducer [1] a
second time).To prove this scenario instrumentation was added to keep information
about each sem_undo (un) struct that is removed per process and per
semaphore set (sma).CPU0 CPU1
[caller holds sem_lock(sma for A)] ...
freeary() exit_sem()
... ...
... sem_lock(sma for B)
spin_lock(A->ulp->lock) ...
list_del_rcu(un_A->list_proc) list_del_rcu(un_B->list_proc)Undo structures A and B have different semid and sem_lock() operations
proceed. However they belong to the same list_proc list and they are
removed at the same time. This results into ulp->list_proc.next
pointing to the address of B which is already removed.After reverting commit a97955844807 ("ipc,sem: remove uneeded
sem_undo_list lock usage in exit_sem()") the issue was no longer
reproducible.[1] https://bugzilla.redhat.com/show_bug.cgi?id=1694779
Link: http://lkml.kernel.org/r/20191211191318.11860-1-ioanna-maria.alifieraki@canonical.com
Fixes: a97955844807 ("ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()")
Signed-off-by: Ioanna Alifieraki
Acked-by: Manfred Spraul
Acked-by: Herton R. Krzesinski
Cc: Arnd Bergmann
Cc: Catalin Marinas
Cc:
Cc: Joel Fernandes (Google)
Cc: Davidlohr Bueso
Cc: Jay Vosburgh
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
There are no in-kernel users remaining, but there may still be users that
include linux/time.h instead of sys/time.h from user space, so leave the
types available to user space while hiding them from kernel space.Only the __kernel_old_* versions of these types remain now.
Link: http://lkml.kernel.org/r/20200110154232.4104492-4-arnd@arndb.de
Signed-off-by: Arnd Bergmann
Acked-by: Thomas Gleixner
Cc: Deepa Dinamani
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
No users remain, so kill these off before we grow new ones.
Link: http://lkml.kernel.org/r/20200110154232.4104492-3-arnd@arndb.de
Signed-off-by: Arnd Bergmann
Acked-by: Thomas Gleixner
Cc: Deepa Dinamani
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
A couple of helpers are now obsolete and can be removed, so drivers can no
longer start using them and instead use y2038-safe interfaces.Link: http://lkml.kernel.org/r/20200110154232.4104492-2-arnd@arndb.de
Signed-off-by: Arnd Bergmann
Acked-by: Thomas Gleixner
Cc: Deepa Dinamani
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
20 Feb, 2020
3 commits
-
…/git/shuah/linux-kselftest
Pull Kselftest fixes from Shuah Khan:
"Fixes to build failures and other test bugs"* tag 'linux-kselftest-5.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
selftests: openat2: fix build error on newer glibc
selftests: use LDLIBS for libraries instead of LDFLAGS
selftests: fix too long argument
selftests: allow detection of build failures
Kernel selftests: tpm2: check for tpm support
selftests/ftrace: Have pid filter test use instance flag
selftests: fix spelling mistaked "chaigned" -> "chained" -
Pull iommu fixes from Joerg Roedel:
- Compile warning fix for the Intel IOMMU driver
- Fix kdump boot with Intel IOMMU enabled and in passthrough mode
- Disable AMD IOMMU on a Laptop/Embedded platform because the delay it
introduces in DMA transactions causes screen flickering there with 4k
monitors- Make domain_free function in QCOM IOMMU driver robust and not leak
memory/dereference NULL pointers- Fix ARM-SMMU module parameter prefix names
* tag 'iommu-fixes-v5.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
iommu/arm-smmu: Restore naming of driver parameter prefix
iommu/qcom: Fix bogus detach logic
iommu/amd: Disable IOMMU on Stoney Ridge systems
iommu/vt-d: Simplify check in identity_mapping()
iommu/vt-d: Remove deferred_attach_domain()
iommu/vt-d: Do deferred attachment in iommu_need_mapping()
iommu/vt-d: Move deferred device attachment into helper function
iommu/vt-d: Add attach_deferred() helper
iommu/vt-d: Fix compile warning from intel-svm.h -
Pull sound fixes from Takashi Iwai:
"The only largish change in this pull request is about the revert of
the recent max98090 and its relevant patches due to regressions.Other than that, all small fixes for ALSA core (covering KCSAN fuzzer
warnings in ALSA sequencer and rawmidi), Intel SOF HD-audio fixes, AMD
ACP fixes, usual HD-audio quirks, and various ASoC fixes"* tag 'sound-5.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs
ALSA: hda/realtek - Apply quirk for yet another MSI laptop
ASoC: sun8i-codec: Fix setting DAI data format
ALSA: hda/realtek - Apply quirk for MSI GP63, too
ASoC: amd: ACP needs to be powered off in BIOS.
ASoC: hdmi-codec: set plugged_cb to NULL when component removing
ASoC: dapm: remove snd_soc_dapm_put_enum_double_locked
ASoC: max98090: revert invalid fix for handling SHDN
ALSA: rawmidi: Avoid bit fields for state flags
ALSA: seq: Fix concurrent access to queue current tick/time
ALSA: seq: Avoid concurrent access to queue flags
ASoC: codec2codec: avoid invalid/double-free of pcm runtime
ASoC: amd: Buffer Size instead of MAX Buffer
ASoC: SOF: Intel: hda: move i915 init earlier
ASoC: SOF: Intel: hda: fix ordering bug in resume flow
ALSA: hda: do not override bus codec_mask in link_get()
ASoC: atmel: fix atmel_ssc_set_audio link failure
ASoC: fsl_sai: Fix exiting path on probing failure
19 Feb, 2020
11 commits
-
Extending the Arm SMMU driver to allow for modular builds changed
KBUILD_MODNAME to be "arm_smmu_mod" so that a single module could be
built from the multiple existing object files without the need to rename
any source files.This inadvertently changed the name of the driver parameters, which may
lead to runtime issues if bootloaders are relying on the old names for
correctness (e.g. "arm-smmu.disable_bypass=0").Although MODULE_PARAM_PREFIX can be overridden to restore the old naming
for builtin parameters, only the new name is matched by modprobe and so
loading the driver as a module would cause parameters specified on the
kernel command line to be ignored. Instead, rename "arm_smmu_mod" to
"arm_smmu". Whilst it's a bit of a bodge, this allows us to create a
single module without renaming any files and makes use of the fact that
underscores and hyphens can be used interchangeably in parameter names.Cc: Robin Murphy
Cc: Russell King
Reported-by: Li Yang
Fixes: cd221bd24ff5 ("iommu/arm-smmu: Allow building as a module")
Signed-off-by: Will Deacon
Reviewed-by: Robin Murphy
Signed-off-by: Joerg Roedel -
Currently, the implementation of qcom_iommu_domain_free() is guaranteed
to do one of two things: WARN() and leak everything, or dereference NULL
and crash. That alone is terrible, but in fact the whole idea of trying
to track the liveness of a domain via the qcom_domain->iommu pointer as
a sanity check is full of fundamentally flawed assumptions. Make things
robust and actually functional by not trying to be quite so clever.Reported-by: Brian Masney
Tested-by: Brian Masney
Reported-by: Naresh Kamboju
Fixes: 0ae349a0f33f ("iommu/qcom: Add qcom_iommu")
Signed-off-by: Robin Murphy
Tested-by: Stephan Gerhold
Cc: stable@vger.kernel.org # v4.14+
Signed-off-by: Joerg Roedel -
Serious screen flickering when Stoney Ridge outputs to a 4K monitor.
Use identity-mapping and PCI ATS doesn't help this issue.
According to Alex Deucher, IOMMU isn't enabled on Windows, so let's do
the same here to avoid screen flickering on 4K monitor.Cc: Alex Deucher
Bug: https://gitlab.freedesktop.org/drm/amd/issues/961
Signed-off-by: Kai-Heng Feng
Acked-by: Alex Deucher
Signed-off-by: Joerg Roedel -
Pull dma-mapping fixes from Christoph Hellwig:
- give command line cma= precedence over the CONFIG_ option (Nicolas
Saenz Julienne)- always allow 32-bit DMA, even for weirdly placed ZONE_DMA
- improve the debug printks when memory is not addressable, to help
find problems with swiotlb initialization* tag 'dma-mapping-5.6' of git://git.infradead.org/users/hch/dma-mapping:
dma-direct: improve DMA mask overflow reporting
dma-direct: improve swiotlb error reporting
dma-direct: relax addressability checks in dma_direct_supported
dma-contiguous: CMA: give precedence to cmdline -
Pull tpm fixes from Jarkko Sakkinen:
"Two bug fixes"* tag 'tpmdd-next-20200217' of git://git.infradead.org/users/jjs/linux-tpmdd:
tpm: Initialize crypto_id of allocated_banks to HASH_ALGO__LAST
tpm: Revert tpm_tis_spi_mod.ko to tpm_tis_spi.ko. -
Andrei Vagin reported that commit 0ddad21d3e99 ("pipe: use exclusive
waits when reading or writing") broke one of the CRIU tests. He even
has a trivial reproducer:#include
#include
#includeint main()
{
int p[2];
pid_t p1, p2;
int status;if (pipe(p) == -1)
return 1;p1 = fork();
if (p1 == 0) {
close(p[1]);
read(p[0], &status, sizeof(status));
return 0;
}
p2 = fork();
if (p2 == 0) {
close(p[1]);
read(p[0], &status, sizeof(status));
return 0;
}
sleep(1);
close(p[1]);
wait(&status);
wait(&status);return 0;
}and the problem - once he points it out - is obvious. We use these nice
exclusive waits, but when the last writer goes away, it then needs to
wake up _every_ reader (and conversely, the last reader disappearing
needs to wake every writer, of course).In fact, when going through this, we had several small oddities around
how to wake things. We did in fact wake every reader when we changed
the size of the pipe buffers. But that's entirely pointless, since that
just acts as a possible source of new space - no new data to read.And when we change the size of the buffer, we don't need to wake all
writers even when we add space - that case acts just as if somebody made
space by reading, and any writer that finds itself not filling it up
entirely will wake the next one.On the other hand, on the exit path, we tried to limit the wakeups with
the proper poll keys etc, which is entirely pointless, because at that
point we obviously need to wake up everybody. So don't do that: just
wake up everybody - but only do that if the counts changed to zero.So fix those non-IO wakeups to be more proper: space change doesn't add
any new data, but it might make room for writers, so it wakes up a
writer. And the actual changes to reader/writer counts should wake up
everybody, since everybody is affected (ie readers will all see EOF if
the writers have gone away, and writers will all get EPIPE if all
readers have gone away).Fixes: 0ddad21d3e99 ("pipe: use exclusive waits when reading or writing")
Reported-and-tested-by: Andrei Vagin
Cc: Josh Triplett
Cc: Matthew Wilcox
Signed-off-by: Linus Torvalds -
The function only has one call-site and there it is never called with
dummy or deferred devices. Simplify the check in the function to
account for that.Fixes: 1ee0186b9a12 ("iommu/vt-d: Refactor find_domain() helper")
Cc: stable@vger.kernel.org # v5.5
Reviewed-by: Jerry Snitselaar
Acked-by: Lu Baolu
Signed-off-by: Joerg Roedel -
The function is now only a wrapper around find_domain(). Remove the
function and call find_domain() directly at the call-sites.Fixes: 1ee0186b9a12 ("iommu/vt-d: Refactor find_domain() helper")
Cc: stable@vger.kernel.org # v5.5
Reviewed-by: Jerry Snitselaar
Acked-by: Lu Baolu
Signed-off-by: Joerg Roedel -
The attachment of deferred devices needs to happen before the check
whether the device is identity mapped or not. Otherwise the check will
return wrong results, cause warnings boot failures in kdump kernels, likeWARNING: CPU: 0 PID: 318 at ../drivers/iommu/intel-iommu.c:592 domain_get_iommu+0x61/0x70
[...]
Call Trace:
__intel_map_single+0x55/0x190
intel_alloc_coherent+0xac/0x110
dmam_alloc_attrs+0x50/0xa0
ahci_port_start+0xfb/0x1f0 [libahci]
ata_host_start.part.39+0x104/0x1e0 [libata]With the earlier check the kdump boot succeeds and a crashdump is written.
Fixes: 1ee0186b9a12 ("iommu/vt-d: Refactor find_domain() helper")
Cc: stable@vger.kernel.org # v5.5
Reviewed-by: Jerry Snitselaar
Acked-by: Lu Baolu
Signed-off-by: Joerg Roedel -
Move the code that does the deferred device attachment into a separate
helper function.Fixes: 1ee0186b9a12 ("iommu/vt-d: Refactor find_domain() helper")
Cc: stable@vger.kernel.org # v5.5
Reviewed-by: Jerry Snitselaar
Acked-by: Lu Baolu
Signed-off-by: Joerg Roedel -
Implement a helper function to check whether a device's attach process
is deferred.Fixes: 1ee0186b9a12 ("iommu/vt-d: Refactor find_domain() helper")
Cc: stable@vger.kernel.org # v5.5
Reviewed-by: Jerry Snitselaar
Acked-by: Lu Baolu
Signed-off-by: Joerg Roedel
18 Feb, 2020
8 commits
-
…/broonie/sound into for-linus
ASoC: Fixes for v5.6
A few fixes sent in since the merge window, none of them with global
impact but all important for the users they affect. -
Some code in HD-audio driver calls snprintf() in a loop and still
expects that the return value were actually written size, while
snprintf() returns the expected would-be length instead. When the
given buffer limit were small, this leads to a buffer overflow.Use scnprintf() for addressing those issues. It returns the actually
written size unlike snprintf().Cc:
Link: https://lore.kernel.org/r/20200218091409.27162-1-tiwai@suse.de
Signed-off-by: Takashi Iwai -
MSI GP65 laptop with SSID 1462:1293 requires the same quirk as other
MSI models.BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=204159
Cc:
Link: https://lore.kernel.org/r/20200218080915.3433-1-tiwai@suse.de
Signed-off-by: Takashi Iwai -
Pull eCryptfs fixes from Tyler Hicks:
- downgrade the eCryptfs maintenance status to "Odd Fixes"
- change my email address
- fix a couple memory leaks in error paths
- stability improvement to avoid a needless BUG_ON()
* tag 'ecryptfs-5.6-rc3-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs:
ecryptfs: replace BUG_ON with error handling code
eCryptfs: Replace deactivated email address
MAINTAINERS: eCryptfs: Update maintainer address and downgrade status
ecryptfs: fix a memory leak bug in ecryptfs_init_messaging()
ecryptfs: fix a memory leak bug in parse_tag_1_packet() -
Use the correct mask for this two-bit field. This fixes setting the DAI
data format to RIGHT_J or DSP_A.Fixes: 36c684936fae ("ASoC: Add sun8i digital audio codec")
Signed-off-by: Samuel Holland
Acked-by: Chen-Yu Tsai
Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20200217064250.15516-7-samuel@sholland.org
Signed-off-by: Mark Brown -
Pull btrfs fix from David Sterba:
"This is the fix for sleeping in a locked section bug reported by Dave
Jones, caused by a patch dependence in development and pulled
branches.I picked the existing patch over the fixup that Filipe sent, as it's a
bit more generic fix. I've verified it with a specific test case, some
rsync stress and one round of fstests"* tag 'for-5.6-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
btrfs: don't set path->leave_spinning for truncate -
chip->allocated_banks, an array of tpm_bank_info structures, contains the
list of TPM algorithm IDs of allocated PCR banks. It also contains the
corresponding ID of the crypto subsystem, so that users of the TPM driver
can calculate a digest for a PCR extend operation.However, if there is no mapping between TPM algorithm ID and crypto ID, the
crypto_id field of tpm_bank_info remains set to zero (the array is
allocated and initialized with kcalloc() in tpm2_get_pcr_allocation()).
Zero should not be used as value for unknown mappings, as it is a valid
crypto ID (HASH_ALGO_MD4).Thus, initialize crypto_id to HASH_ALGO__LAST.
Cc: stable@vger.kernel.org # 5.1.x
Fixes: 879b589210a9 ("tpm: retrieve digest size of unknown algorithms with PCR read")
Signed-off-by: Roberto Sassu
Reviewed-by: Petr Vorel
Reviewed-by: Jarkko Sakkinen
Signed-off-by: Jarkko Sakkinen -
Revert tpm_tis_spi_mod.ko back to tpm_tis_spi.ko as the rename could
break user space scripts. This can be achieved by renaming tpm_tis_spi.c
as tpm_tis_spi_main.c. Then tpm_tis_spi-y can be used inside the
makefile.Cc: Andrey Pronin
Cc: Stephen Boyd
Cc: stable@vger.kernel.org # 5.5.x
Fixes: 797c0113c9a4 ("tpm: tpm_tis_spi: Support cr50 devices")
Reported-by: Alexander Steffen
Tested-by: Alexander Steffen
Reviewed-by: Stephen Boyd
Signed-off-by: Jarkko Sakkinen
17 Feb, 2020
12 commits
-
The only time we actually leave the path spinning is if we're truncating
a small amount and don't actually free an extent, which is not a common
occurrence. We have to set the path blocking in order to add the
delayed ref anyway, so the first extent we find we set the path to
blocking and stay blocking for the duration of the operation. With the
upcoming file extent map stuff there will be another case that we have
to have the path blocking, so just swap to blocking always.Note: this patch also fixes a warning after 28553fa992cb ("Btrfs: fix
race between shrinking truncate and fiemap") got merged that inserts
extent locks around truncation so the path must not leave spinning locks
after btrfs_search_slot.[70.794783] BUG: sleeping function called from invalid context at mm/slab.h:565
[70.794834] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1141, name: rsync
[70.794863] 5 locks held by rsync/1141:
[70.794876] #0: ffff888417b9c408 (sb_writers#17){.+.+}, at: mnt_want_write+0x20/0x50
[70.795030] #1: ffff888428de28e8 (&type->i_mutex_dir_key#13/1){+.+.}, at: lock_rename+0xf1/0x100
[70.795051] #2: ffff888417b9c608 (sb_internal#2){.+.+}, at: start_transaction+0x394/0x560
[70.795124] #3: ffff888403081768 (btrfs-fs-01){++++}, at: btrfs_try_tree_write_lock+0x2f/0x160
[70.795203] #4: ffff888403086568 (btrfs-fs-00){++++}, at: btrfs_try_tree_write_lock+0x2f/0x160
[70.795222] CPU: 5 PID: 1141 Comm: rsync Not tainted 5.6.0-rc2-backup+ #2
[70.795362] Call Trace:
[70.795374] dump_stack+0x71/0xa0
[70.795445] ___might_sleep.part.96.cold.106+0xa6/0xb6
[70.795459] kmem_cache_alloc+0x1d3/0x290
[70.795471] alloc_extent_state+0x22/0x1c0
[70.795544] __clear_extent_bit+0x3ba/0x580
[70.795557] ? _raw_spin_unlock_irq+0x24/0x30
[70.795569] btrfs_truncate_inode_items+0x339/0xe50
[70.795647] btrfs_evict_inode+0x269/0x540
[70.795659] ? dput.part.38+0x29/0x460
[70.795671] evict+0xcd/0x190
[70.795682] __dentry_kill+0xd6/0x180
[70.795754] dput.part.38+0x2ad/0x460
[70.795765] do_renameat2+0x3cb/0x540
[70.795777] __x64_sys_rename+0x1c/0x20Reported-by: Dave Jones
Fixes: 28553fa992cb ("Btrfs: fix race between shrinking truncate and fiemap")
CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Filipe Manana
Signed-off-by: Josef Bacik
Reviewed-by: David Sterba
[ add note ]
Signed-off-by: David Sterba -
The same quirk that was applied to MSI GL73 is needed for MSI GP63,
too. Adding the entry with the SSID 1462:1228.BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206503
Cc:
Link: https://lore.kernel.org/r/20200217151947.17528-1-tiwai@suse.de
Signed-off-by: Takashi Iwai -
Removed this logic because It is BIOS which needs to
power off the ACP power domian through ACP_PGFSM_CTRL
register when you De-initialize ACP Engine.Signed-off-by: Ravulapati Vishnu vardhan rao
Link: https://lore.kernel.org/r/1581935964-15059-1-git-send-email-Vishnuvardhanrao.Ravulapati@amd.com
Signed-off-by: Mark Brown -
Sets plugged_cb to NULL when component removing to notify its consumers
: no further plugged status report is required.Signed-off-by: Tzung-Bi Shih
Link: https://lore.kernel.org/r/20200217105513.1.Icc323daaf71ad02f191fd8d91136b01b61eca5e3@changeid
Signed-off-by: Mark Brown -
Pull IPMI update from Corey Minyard:
"Minor bug fixes for IPMII know this is late; I've been travelling and, well, I've been
distracted.This is just a few bug fixes and adding i2c support to the IPMB
driver, which is something I wanted from the beginning for it"* tag 'for-linus-5.6-1' of https://github.com/cminyard/linux-ipmi:
drivers: ipmi: fix off-by-one bounds check that leads to a out-of-bounds write
ipmi:ssif: Handle a possible NULL pointer reference
drivers: ipmi: Modify max length of IPMB packet
drivers: ipmi: Support raw i2c packet in IPMB -
Pull KVM fixes from Paolo Bonzini:
"Bugfixes and improvements to selftests.On top of this, Mauro converted the KVM documentation to rst format,
which was very welcome"* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (44 commits)
docs: virt: guest-halt-polling.txt convert to ReST
docs: kvm: review-checklist.txt: rename to ReST
docs: kvm: Convert timekeeping.txt to ReST format
docs: kvm: Convert s390-diag.txt to ReST format
docs: kvm: Convert ppc-pv.txt to ReST format
docs: kvm: Convert nested-vmx.txt to ReST format
docs: kvm: Convert mmu.txt to ReST format
docs: kvm: Convert locking.txt to ReST format
docs: kvm: Convert hypercalls.txt to ReST format
docs: kvm: arm/psci.txt: convert to ReST
docs: kvm: convert arm/hyp-abi.txt to ReST
docs: kvm: Convert api.txt to ReST format
docs: kvm: convert devices/xive.txt to ReST
docs: kvm: convert devices/xics.txt to ReST
docs: kvm: convert devices/vm.txt to ReST
docs: kvm: convert devices/vfio.txt to ReST
docs: kvm: convert devices/vcpu.txt to ReST
docs: kvm: convert devices/s390_flic.txt to ReST
docs: kvm: convert devices/mpic.txt to ReST
docs: kvm: convert devices/arm-vgit.txt to ReST
... -
Pull EDAC fixes from Borislav Petkov:
"Two fixes for use-after-free and memory leaking in the EDAC core, by
Robert Richter.Debug options like DEBUG_TEST_DRIVER_REMOVE, KASAN and DEBUG_KMEMLEAK
unearthed issues with the lifespan of memory allocated by the EDAC
memory controller descriptor due to misdesigned memory freeing, done
partially by the EDAC core *and* the driver core, which is problematic
to say the least.These two are minimal fixes to take care of stable - a proper rework
is following which cleans up that mess properly"* tag 'edac_urgent_for_5.6' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras:
EDAC/sysfs: Remove csrow objects on errors
EDAC/mc: Fix use-after-free and memleaks during device removal -
Pull block fixes from Jens Axboe:
"Not a lot here, which is great, basically just three small bcache
fixes from Coly, and four NVMe fixes via Keith"* tag 'block-5.6-2020-02-16' of git://git.kernel.dk/linux-block:
nvme: fix the parameter order for nvme_get_log in nvme_get_fw_slot_info
nvme/pci: move cqe check after device shutdown
nvme: prevent warning triggered by nvme_stop_keep_alive
nvme/tcp: fix bug on double requeue when send fails
bcache: remove macro nr_to_fifo_front()
bcache: Revert "bcache: shrink btree node cache after bch_btree_check()"
bcache: ignore pending signals when creating gc and allocator thread -
Pull btrfs fixes from David Sterba:
"Two races fixed, memory leak fix, sysfs directory fixup and two new
log messages:- two fixed race conditions: extent map merging and truncate vs
fiemap- create the right sysfs directory with device information and move
the individual device dirs under it- print messages when the tree-log is replayed at mount time or
cannot be replayed on remount"* tag 'for-5.6-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
btrfs: sysfs, move device id directories to UUID/devinfo
btrfs: sysfs, add UUID/devinfo kobject
Btrfs: fix race between shrinking truncate and fiemap
btrfs: log message when rw remount is attempted with unclean tree-log
btrfs: print message when tree-log replay starts
Btrfs: fix race between using extent maps and merging them
btrfs: ref-verify: fix memory leaks -
Pull cifs fixes from Steve French:
"Four small CIFS/SMB3 fixes. One (the EA overflow fix) for stable"* tag '5.6-rc1-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6:
cifs: make sure we do not overflow the max EA buffer size
cifs: enable change notification for SMB2.1 dialect
cifs: Fix mode output in debugging statements
cifs: fix mount option display for sec=krb5i -
Pull ext4 fixes from Ted Ts'o:
"Miscellaneous ext4 bug fixes (all stable fodder)"* tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
ext4: improve explanation of a mount failure caused by a misconfigured kernel
jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer
jbd2: move the clearing of b_modified flag to the journal_unmap_buffer()
ext4: add cond_resched() to ext4_protect_reserved_inode
ext4: fix checksum errors with indexed dirs
ext4: fix support for inode sizes > 1024 bytes
ext4: simplify checking quota limits in ext4_statfs()
ext4: don't assume that mmp_nodename/bdevname have NUL
16 Feb, 2020
2 commits
-
Pull input updates from Dmitry Torokhov:
- a few drivers have been updated to use flexible-array syntax instead
of GCC extension- ili210x touchscreen driver now supports the 2120 protocol flavor
- a couple more of Synaptics devices have been switched over to RMI4
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: cyapa - replace zero-length array with flexible-array member
Input: tca6416-keypad - replace zero-length array with flexible-array member
Input: gpio_keys_polled - replace zero-length array with flexible-array member
Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list
Input: synaptics - enable SMBus on ThinkPad L470
Input: synaptics - switch T470s to RMI4 by default
Input: gpio_keys - replace zero-length array with flexible-array member
Input: goldfish_events - replace zero-length array with flexible-array member
Input: psmouse - switch to using i2c_new_scanned_device()
Input: ili210x - add ili2120 support
Input: ili210x - fix return value of is_visible function -
Pull rdma fixes from Jason Gunthorpe:
"Not too much going on here, though there are about four fixes related
to stuff merged during the last merge window.We also see the return of a syzkaller instance with access to RDMA
devices, and a few bugs detected by that squished.- Fix three crashers and a memory memory leak for HFI1
- Several bugs found by syzkaller
- A bug fix for the recent QP counters feature on older mlx5 HW
- Locking inversion in cxgb4
- Unnecessary WARN_ON in siw
- A umad crasher regression during unload, from a bug fix for
something else- Bugs introduced in the merge window:
- Missed list_del in uverbs file rework, core and mlx5 devx
- Unexpected integer math truncation in the mlx5 VAR patches
- Compilation bug fix for the VAR patches on 32 bit"* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
IB/mlx5: Use div64_u64 for num_var_hw_entries calculation
RDMA/core: Fix protection fault in get_pkey_idx_qp_list
RDMA/rxe: Fix soft lockup problem due to using tasklets in softirq
RDMA/mlx5: Prevent overflow in mmap offset calculations
IB/umad: Fix kernel crash while unloading ib_umad
RDMA/mlx5: Fix async events cleanup flows
RDMA/core: Add missing list deletion on freeing event queue
RDMA/siw: Remove unwanted WARN_ON in siw_cm_llp_data_ready()
RDMA/iw_cxgb4: initiate CLOSE when entering TERM
IB/mlx5: Return failure when rts2rts_qp_counters_set_id is not supported
RDMA/core: Fix invalid memory access in spec_filter_size
IB/rdmavt: Reset all QPs when the device is shut down
IB/hfi1: Close window for pq and request coliding
IB/hfi1: Acquire lock to release TID entries when user file is closed
RDMA/hfi1: Fix memory leak in _dev_comp_vect_mappings_create