Commit Graph

901805 Commits

Author SHA1 Message Date
Christoph Hellwig
d981cb5b9f block: fix a device invalidation regression
Historically we only set the capacity to zero for devices that support
partitions (independ of actually having partitions created).  Doing that
is rather inconsistent, but changing it broke legacy udisks polling for
legacy ide-cdrom devices.  Use the crude a crude check for devices that
either are non-removable or partitionable to get the sane behavior for
most device while not breaking userspace for this particular setup.

Fixes: a1548b6744 ("block: move rescan_partitions to fs/block_dev.c")
Reported-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Tested-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-18 08:47:04 -06:00
Alexey Dobriyan
11bde98600 block, zoned: fix integer overflow with BLKRESETZONE et al
Check for overflow in addition before checking for end-of-block-device.

Steps to reproduce:

	#define _GNU_SOURCE 1
	#include <sys/ioctl.h>
	#include <sys/types.h>
	#include <sys/stat.h>
	#include <fcntl.h>

	typedef unsigned long long __u64;

	struct blk_zone_range {
	        __u64 sector;
	        __u64 nr_sectors;
	};

	#define BLKRESETZONE    _IOW(0x12, 131, struct blk_zone_range)

	int main(void)
	{
	        int fd = open("/dev/nullb0", O_RDWR|O_DIRECT);
	        struct blk_zone_range zr = {4096, 0xfffffffffffff000ULL};
	        ioctl(fd, BLKRESETZONE, &zr);
	        return 0;
	}

BUG: KASAN: null-ptr-deref in submit_bio_wait+0x74/0xe0
Write of size 8 at addr 0000000000000040 by task a.out/1590

CPU: 8 PID: 1590 Comm: a.out Not tainted 5.6.0-rc1-00019-g359c92c02bfa #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190711_202441-buildvm-armv7-10.arm.fedoraproject.org-2.fc31 04/01/2014
Call Trace:
 dump_stack+0x76/0xa0
 __kasan_report.cold+0x5/0x3e
 kasan_report+0xe/0x20
 submit_bio_wait+0x74/0xe0
 blkdev_zone_mgmt+0x26f/0x2a0
 blkdev_zone_mgmt_ioctl+0x14b/0x1b0
 blkdev_ioctl+0xb28/0xe60
 block_ioctl+0x69/0x80
 ksys_ioctl+0x3af/0xa50

Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Alexey Dobriyan (SK hynix) <adobriyan@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-12 09:10:52 -06:00
Weiping Zhang
fa800d73c8 blk-iocost: remove duplicated lines in comments
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Weiping Zhang <zhangweiping@didiglobal.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-12 08:02:20 -06:00
Revanth Rajashekar
88d6041d07 block: sed-opal: Change the check condition for regular session validity
This patch changes the check condition for the validity/authentication
of the session.

1. The Host Session Number(HSN) in the response should match the HSN for
   the session.
2. The TPER Session Number(TSN) can never be less than 4096 for a regular
   session.

Reference:
Section 3.2.2.1   of https://trustedcomputinggroup.org/wp-content/uploads/TCG_Storage_Opal_SSC_Application_Note_1-00_1-00-Final.pdf
Section 3.3.7.1.1 of https://trustedcomputinggroup.org/wp-content/uploads/TCG_Storage_Architecture_Core_Spec_v2.01_r1.00.pdf

Co-developed-by: Andrzej Jakowski <andrzej.jakowski@linux.intel.com>
Signed-off-by: Andrzej Jakowski <andrzej.jakowski@linux.intel.com>
Signed-off-by: Revanth Rajashekar <revanth.rajashekar@intel.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-12 08:00:10 -06:00
Stephen Kitt
9243c6f3e0 block: Document genhd capability flags
The kernel documentation includes a brief section about genhd
capabilities, but it turns out that the only documented
capability (GENHD_FL_MEDIA_CHANGE_NOTIFY) isn't used any more.

This patch removes that flag, and documents the rest, based on my
understanding of the current uses of these flags in the kernel. The
documentation is kept in the header file, alongside the declarations,
in the hope that it will be kept up-to-date in future; the kernel
documentation is changed to include the documentation generated from
the header file.

Because the ultimate goal is to provide some end-user
documentation (or end-administrator documentation), the comments are
perhaps more user-oriented than might be expected. Since the values
are shown to users in hexadecimal, the documentation lists them in
hexadecimal, and the constant declarations are adjusted to match.

Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Stephen Kitt <steve@sk2.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-12 07:47:22 -06:00
Guoqing Jiang
ce24f736f2 block: cleanup comment for blk_flush_complete_seq
Remove the comment about return value, since it is not valid after
commit 404b8f5a03 ("block: cleanup kick/queued handling").

Signed-off-by: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-12 07:42:54 -06:00
Guoqing Jiang
754a15726f block: remove unneeded argument from blk_alloc_flush_queue
Remove 'q' from arguments since it is not used anymore after
commit 7e992f847a ("block: remove non mq parts from the
flush code").

Signed-off-by: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-12 07:42:54 -06:00
Guoqing Jiang
361301a222 block: cleanup for _blk/blk_rq_prep_clone
Both cmd and sense had been moved to scsi_request, so remove
the related comments to avoid confusion.

And as Bart suggested, move _blk_rq_prep_clone into the only
caller (blk_rq_prep_clone).

Signed-off-by: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-12 07:42:54 -06:00
Guoqing Jiang
fc4cc77210 block: remove redundant setting of QUEUE_FLAG_DYING
Previously, blk_cleanup_queue has called blk_set_queue_dying to set the
flag, no need to do it again.

Signed-off-by: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-12 07:42:54 -06:00
Guoqing Jiang
35ed78b32c block: use bio_{wouldblock,io}_error in direct_make_request
Use the two functions to simplify code.

Signed-off-by: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-12 07:42:54 -06:00
Guoqing Jiang
0d72031820 block: fix comment for blk_cloned_rq_check_limits
Since the later description mentioned "checked against the new queue
limits", so make the change to avoid confusion.

Signed-off-by: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-12 07:42:54 -06:00
Sahitya Tummala
30a2da7b7e block: Fix use-after-free issue accessing struct io_cq
There is a potential race between ioc_release_fn() and
ioc_clear_queue() as shown below, due to which below kernel
crash is observed. It also can result into use-after-free
issue.

context#1:				context#2:
ioc_release_fn()			__ioc_clear_queue() gets the same icq
->spin_lock(&ioc->lock);		->spin_lock(&ioc->lock);
->ioc_destroy_icq(icq);
  ->list_del_init(&icq->q_node);
  ->call_rcu(&icq->__rcu_head,
  	icq_free_icq_rcu);
->spin_unlock(&ioc->lock);
					->ioc_destroy_icq(icq);
					  ->hlist_del_init(&icq->ioc_node);
					  This results into below crash as this memory
					  is now used by icq->__rcu_head in context#1.
					  There is a chance that icq could be free'd
					  as well.

22150.386550:   <6> Unable to handle kernel write to read-only memory
at virtual address ffffffaa8d31ca50
...
Call trace:
22150.607350:   <2>  ioc_destroy_icq+0x44/0x110
22150.611202:   <2>  ioc_clear_queue+0xac/0x148
22150.615056:   <2>  blk_cleanup_queue+0x11c/0x1a0
22150.619174:   <2>  __scsi_remove_device+0xdc/0x128
22150.623465:   <2>  scsi_forget_host+0x2c/0x78
22150.627315:   <2>  scsi_remove_host+0x7c/0x2a0
22150.631257:   <2>  usb_stor_disconnect+0x74/0xc8
22150.635371:   <2>  usb_unbind_interface+0xc8/0x278
22150.639665:   <2>  device_release_driver_internal+0x198/0x250
22150.644897:   <2>  device_release_driver+0x24/0x30
22150.649176:   <2>  bus_remove_device+0xec/0x140
22150.653204:   <2>  device_del+0x270/0x460
22150.656712:   <2>  usb_disable_device+0x120/0x390
22150.660918:   <2>  usb_disconnect+0xf4/0x2e0
22150.664684:   <2>  hub_event+0xd70/0x17e8
22150.668197:   <2>  process_one_work+0x210/0x480
22150.672222:   <2>  worker_thread+0x32c/0x4c8

Fix this by adding a new ICQ_DESTROYED flag in ioc_destroy_icq() to
indicate this icq is once marked as destroyed. Also, ensure
__ioc_clear_queue() is accessing icq within rcu_read_lock/unlock so
that icq doesn't get free'd up while it is still using it.

Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
Co-developed-by: Pradeep P V K <ppvk@codeaurora.org>
Signed-off-by: Pradeep P V K <ppvk@codeaurora.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-12 07:07:38 -06:00
Bart Van Assche
596444e757 null_blk: Add support for init_hctx() fault injection
This makes it possible to test the error path in blk_mq_realloc_hw_ctxs()
and also several error paths in null_blk.

Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Cc: Johannes Thumshirn <jth@kernel.org>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Christoph Hellwig <hch@infradead.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-10 07:09:59 -06:00
Bart Van Assche
9b03b71308 null_blk: Handle null_add_dev() failures properly
If null_add_dev() fails then null_del_dev() is called with a NULL argument.
Make null_del_dev() handle this scenario correctly. This patch fixes the
following KASAN complaint:

null-ptr-deref in null_del_dev+0x28/0x280 [null_blk]
Read of size 8 at addr 0000000000000000 by task find/1062

Call Trace:
 dump_stack+0xa5/0xe6
 __kasan_report.cold+0x65/0x99
 kasan_report+0x16/0x20
 __asan_load8+0x58/0x90
 null_del_dev+0x28/0x280 [null_blk]
 nullb_group_drop_item+0x7e/0xa0 [null_blk]
 client_drop_item+0x53/0x80 [configfs]
 configfs_rmdir+0x395/0x4e0 [configfs]
 vfs_rmdir+0xb6/0x220
 do_rmdir+0x238/0x2c0
 __x64_sys_unlinkat+0x75/0x90
 do_syscall_64+0x6f/0x2f0
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Cc: Johannes Thumshirn <jth@kernel.org>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Christoph Hellwig <hch@infradead.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-10 07:09:59 -06:00
Bart Van Assche
2004bfdef9 null_blk: Fix the null_add_dev() error path
If null_add_dev() fails, clear dev->nullb.

This patch fixes the following KASAN complaint:

BUG: KASAN: use-after-free in nullb_device_submit_queues_store+0xcf/0x160 [null_blk]
Read of size 8 at addr ffff88803280fc30 by task check/8409

Call Trace:
 dump_stack+0xa5/0xe6
 print_address_description.constprop.0+0x26/0x260
 __kasan_report.cold+0x7b/0x99
 kasan_report+0x16/0x20
 __asan_load8+0x58/0x90
 nullb_device_submit_queues_store+0xcf/0x160 [null_blk]
 configfs_write_file+0x1c4/0x250 [configfs]
 __vfs_write+0x4c/0x90
 vfs_write+0x145/0x2c0
 ksys_write+0xd7/0x180
 __x64_sys_write+0x47/0x50
 do_syscall_64+0x6f/0x2f0
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7ff370926317
Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
RSP: 002b:00007fff2dd2da48 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007ff370926317
RDX: 0000000000000002 RSI: 0000559437ef23f0 RDI: 0000000000000001
RBP: 0000559437ef23f0 R08: 000000000000000a R09: 0000000000000001
R10: 0000559436703471 R11: 0000000000000246 R12: 0000000000000002
R13: 00007ff370a006a0 R14: 00007ff370a014a0 R15: 00007ff370a008a0

Allocated by task 8409:
 save_stack+0x23/0x90
 __kasan_kmalloc.constprop.0+0xcf/0xe0
 kasan_kmalloc+0xd/0x10
 kmem_cache_alloc_node_trace+0x129/0x4c0
 null_add_dev+0x24a/0xe90 [null_blk]
 nullb_device_power_store+0x1b6/0x270 [null_blk]
 configfs_write_file+0x1c4/0x250 [configfs]
 __vfs_write+0x4c/0x90
 vfs_write+0x145/0x2c0
 ksys_write+0xd7/0x180
 __x64_sys_write+0x47/0x50
 do_syscall_64+0x6f/0x2f0
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8409:
 save_stack+0x23/0x90
 __kasan_slab_free+0x112/0x160
 kasan_slab_free+0x12/0x20
 kfree+0xdf/0x250
 null_add_dev+0xaf3/0xe90 [null_blk]
 nullb_device_power_store+0x1b6/0x270 [null_blk]
 configfs_write_file+0x1c4/0x250 [configfs]
 __vfs_write+0x4c/0x90
 vfs_write+0x145/0x2c0
 ksys_write+0xd7/0x180
 __x64_sys_write+0x47/0x50
 do_syscall_64+0x6f/0x2f0
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: 2984c8684f ("nullb: factor disk parameters")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Cc: Johannes Thumshirn <jth@kernel.org>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Christoph Hellwig <hch@infradead.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-10 07:09:59 -06:00
Bart Van Assche
78b10be23d null_blk: Fix changing the number of hardware queues
Instead of initializing null_blk hardware queues explicitly after the
request queue has been created, provide .init_hctx() and .exit_hctx()
callback functions. The latter functions are not only called during
request queue allocation but also when the number of hardware queues
changes. Allocate nr_cpu_ids queues during initialization to support
increasing the number of hardware queues above the initial hardware
queue count.

This change fixes increasing the number of hardware queues above the
initial number of hardware queues and also keeps nullb->nr_queues in
sync with the number of hardware queues.

Fixes: 45919fbfe1 ("null_blk: Enable modifying 'submit_queues' after an instance has been configured")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Cc: Johannes Thumshirn <jth@kernel.org>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Christoph Hellwig <hch@infradead.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-10 07:09:59 -06:00
Bart Van Assche
b9853b4d6f null_blk: Suppress an UBSAN complaint triggered when setting 'memory_backed'
Although it is not clear to me why UBSAN complains when 'memory_backed'
is set, this patch suppresses the UBSAN complaint that is triggered when
setting that configfs attribute.

UBSAN: Undefined behaviour in drivers/block/null_blk_main.c:327:1
load of value 16 is not a valid value for type '_Bool'
CPU: 2 PID: 8396 Comm: check Not tainted 5.6.0-rc1-dbg+ #14
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Call Trace:
 dump_stack+0xa5/0xe6
 ubsan_epilogue+0x9/0x26
 __ubsan_handle_load_invalid_value+0x6d/0x76
 nullb_device_memory_backed_store.cold+0x2c/0x38 [null_blk]
 configfs_write_file+0x1c4/0x250 [configfs]
 __vfs_write+0x4c/0x90
 vfs_write+0x145/0x2c0
 ksys_write+0xd7/0x180
 __x64_sys_write+0x47/0x50
 do_syscall_64+0x6f/0x2f0
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Cc: Johannes Thumshirn <jth@kernel.org>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Christoph Hellwig <hch@infradead.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-10 07:09:59 -06:00
Bart Van Assche
d0930bb8f4 blk-mq: Fix a recently introduced regression in blk_mq_realloc_hw_ctxs()
q->nr_hw_queues must only be updated once it is known that
blk_mq_realloc_hw_ctxs() has succeeded. Otherwise it can happen that
reallocation fails and that q->nr_hw_queues is larger than the number of
allocated hardware queues. This patch fixes the following crash if
increasing the number of hardware queues fails:

BUG: KASAN: null-ptr-deref in blk_mq_map_swqueue+0x775/0x810
Write of size 8 at addr 0000000000000118 by task check/977

CPU: 3 PID: 977 Comm: check Not tainted 5.6.0-rc1-dbg+ #8
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Call Trace:
 dump_stack+0xa5/0xe6
 __kasan_report.cold+0x65/0x99
 kasan_report+0x16/0x20
 check_memory_region+0x140/0x1b0
 memset+0x28/0x40
 blk_mq_map_swqueue+0x775/0x810
 blk_mq_update_nr_hw_queues+0x468/0x710
 nullb_device_submit_queues_store+0xf7/0x1a0 [null_blk]
 configfs_write_file+0x1c4/0x250 [configfs]
 __vfs_write+0x4c/0x90
 vfs_write+0x145/0x2c0
 ksys_write+0xd7/0x180
 __x64_sys_write+0x47/0x50
 do_syscall_64+0x6f/0x2f0
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: ac0d6b926e ("block: Reduce the amount of memory required per request queue")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Cc: Keith Busch <kbusch@kernel.org>
Cc: Johannes Thumshirn <jth@kernel.org>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Christoph Hellwig <hch@infradead.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-10 07:09:59 -06:00
Bart Van Assche
6e66b49392 blk-mq: Keep set->nr_hw_queues and set->map[].nr_queues in sync
blk_mq_map_queues() and multiple .map_queues() implementations expect that
set->map[HCTX_TYPE_DEFAULT].nr_queues is set to the number of hardware
queues. Hence set .nr_queues before calling these functions. This patch
fixes the following kernel warning:

WARNING: CPU: 0 PID: 2501 at include/linux/cpumask.h:137
Call Trace:
 blk_mq_run_hw_queue+0x19d/0x350 block/blk-mq.c:1508
 blk_mq_run_hw_queues+0x112/0x1a0 block/blk-mq.c:1525
 blk_mq_requeue_work+0x502/0x780 block/blk-mq.c:775
 process_one_work+0x9af/0x1740 kernel/workqueue.c:2269
 worker_thread+0x98/0xe40 kernel/workqueue.c:2415
 kthread+0x361/0x430 kernel/kthread.c:255

Fixes: ed76e329d7 ("blk-mq: abstract out queue map") # v5.0
Reported-by: syzbot+d44e1b26ce5c3e77458d@syzkaller.appspotmail.com
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Cc: Johannes Thumshirn <jth@kernel.org>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Christoph Hellwig <hch@infradead.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-10 07:09:59 -06:00
Bart Van Assche
2dd209f00f blk-mq: Fix a comment in include/linux/blk-mq.h
The 'hctx_list' member of struct blk_mq_hw_ctx is not a list head but
instead an entry in q->unused_hctx_list. Fix the comment above this
struct member.

Fixes: d386732bc1 ("blk-mq: fill header with kernel-doc")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Cc: André Almeida <andrealmeid@collabora.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-10 07:09:59 -06:00
Linus Torvalds
2c523b344d Linux 5.6-rc5 2020-03-08 17:44:44 -07:00
Linus Torvalds
62790268e4 ARM: SoC fixes
We've been accruing these for a couple of weeks, so the batch is a bit
 bigger than usual.
 
 Largest delta is due to a led-bl driver that is added -- there was
 a miscommunication before the merge window and the driver didn't make it
 in. Due to this, the platforms needing it regressed. At this point, it
 seemed easier to add the new driver than unwind the changes.
 
 Besides that, there are a handful of various fixes:
 
  - AMD tee memory leak fix
 
  - A handful of fixlets for i.MX SCU communication
 
  - A few maintainers woke up and realized DEBUG_FS had been missing for
    a while, so a few updates of that.
 
  ... and the usual collection of smaller fixes to various platforms.
 -----BEGIN PGP SIGNATURE-----
 
 iQJDBAABCAAtFiEElf+HevZ4QCAJmMQ+jBrnPN6EHHcFAl5lhi0PHG9sb2ZAbGl4
 b20ubmV0AAoJEIwa5zzehBx3C6gQAJHXpED85K94DH2jycwMFkWdGh+DnR1ATDaK
 +zK04ZanoQrtGi0mK0KY8DMaYCGCKvAgvBbRYdNXPK1S2DQfpZceSTiAN7fh6NJ2
 F2XOGocH+IWrYmB+OA/rG6Sv2PFHibH34zf7TQ5w29jxCgv6zUTGF5qOoAnrhQzF
 SJNO08Ew0TjZ8mYXIoDHLsHaThT3rLF5f9yNMO0eG6gHrFKZHFfqhsDLqG6nSk+z
 L1M+WsfbxM0ijZDlIdJmxQLi4AlYkj3l8te4ikM6lngVSvQyYyEpnS2vw6h0OrZ9
 y6PYw+gAzDOZgFSHqwwH/Ha2Or6eqS4eAv5JvIEqGhGslzNvmWc8FzElIG4qJKbu
 sshrcmTSe0Dt7W0zR8dsCY6tA2Ze1hpxbOpuhoh4H+dngANKAAMlko5s4Vw76ZYy
 B5mryFkyzyLI2QcZK/QmVQq2KSoeBOUg2SUtOrbBb5xQhhKCwhJBmJ0lw8H5O4dA
 TRNXL3p1ydve0z3DIKYCzM++MX1EJEa9O4uMTxKDPB6P9XrKvkx0rwC7wepc00jf
 /aXdVQsaQvnOYVs1R5oGISWLrheSJ28tHi3dI+xAdkdA26WWzPfomK9R7ok1/91T
 uuTpfmK6uhMvPkfg85/7n3/sojS6K9c0cP5wdd8Y0d2avvgQHCISgNZOZf3vlaYH
 xEcSJ4Vd
 =gCNz
 -----END PGP SIGNATURE-----

Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

Pull ARM SoC fixes from Olof Johansson:
 "We've been accruing these for a couple of weeks, so the batch is a bit
  bigger than usual.

  Largest delta is due to a led-bl driver that is added -- there was a
  miscommunication before the merge window and the driver didn't make it
  in. Due to this, the platforms needing it regressed. At this point, it
  seemed easier to add the new driver than unwind the changes.

  Besides that, there are a handful of various fixes:

   - AMD tee memory leak fix

   - A handful of fixlets for i.MX SCU communication

   - A few maintainers woke up and realized DEBUG_FS had been missing
     for a while, so a few updates of that.

  ... and the usual collection of smaller fixes to various platforms"

* tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (37 commits)
  ARM: socfpga_defconfig: Add back DEBUG_FS
  arm64: dts: socfpga: agilex: Fix gmac compatible
  ARM: bcm2835_defconfig: Explicitly restore CONFIG_DEBUG_FS
  arm64: dts: meson: fix gxm-khadas-vim2 wifi
  arm64: dts: meson-sm1-sei610: add missing interrupt-names
  ARM: meson: Drop unneeded select of COMMON_CLK
  ARM: dts: bcm2711: Add pcie0 alias
  ARM: dts: bcm283x: Add missing properties to the PWR LED
  tee: amdtee: fix memory leak in amdtee_open_session()
  ARM: OMAP2+: Fix compile if CONFIG_HAVE_ARM_SMCCC is not set
  arm: dts: dra76x: Fix mmc3 max-frequency
  ARM: dts: dra7: Add "dma-ranges" property to PCIe RC DT nodes
  bus: ti-sysc: Fix 1-wire reset quirk
  ARM: dts: r8a7779: Remove deprecated "renesas, rcar-sata" compatible value
  soc: imx-scu: Align imx sc msg structs to 4
  firmware: imx: Align imx_sc_msg_req_cpu_start to 4
  firmware: imx: scu-pd: Align imx sc msg structs to 4
  firmware: imx: misc: Align imx sc msg structs to 4
  firmware: imx: scu: Ensure sequential TX
  ARM: dts: imx7-colibri: Fix frequency for sd/mmc
  ...
2020-03-08 17:36:22 -07:00
Linus Torvalds
efe582a137 * Do not overwrite partial decoded error message in synopsys_edac (Sherry Sun)
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEzv7L6UO9uDPlPSfHEsHwGGHeVUoFAl5lHUYACgkQEsHwGGHe
 VUpoFg/+LXwnQNh9WRx9fgY3DzYdfzpVwyVPxWjN5MGB87aOW0O8s6z0aVtTZyQL
 VZnG1IUmasFdObYb66zfxdQyveUSRwR9oEGlIOjlyEojAUtXG+slljR5XcHyY3tH
 XzKFuUhHiy8+U3qw5Rnq+9mh1fa8Wl+Yjak8OysyyMHYCXuG/A0eJsU28Ifn8FnP
 Eanbx/MctaY2qMHYLqkvv8r8VzkqyMToIwDuHgDkhgPnHV1H3NKS2Mq9I6qBLo7G
 X2QQO9M/jNAnoShKNsmW5oI6p4WK9odyb7cJ/01jRFsMWJRoneiNN1yiQE569e9c
 C3QO+g7WNia1oZ+4mbED0awDK9ToM/U183N8FirrSD2paIJMtmTQ0HpUa+n1iS2H
 /sdcdFgz9AUylSn/mLxCScikGWWL7kQ9YCaGa95ZS3FGapLrg/Z977Cz94kXPTvx
 JX9fT3wIRgVN44qcWFGx80z1+2jadmoaJxii2ayvnZ7QzR/879FXstjVDnQJoiQA
 Q92qi5w6PKV+XEOXUY9C//6F0gfYsFNaha1IW30S5s/OTGJ5PBjX7bd9ofYjLGbA
 HewpLfYxeW5sndfglMtJrfDJyfrIidOCzzysrp5lEjub65FC3izcyk6ACF9VazHn
 1B5UC2YPs4bpHOXdGNqpwCAhroSlmUKyW1ZFL6pLja5TXqfk+4Y=
 =GHur
 -----END PGP SIGNATURE-----

Merge tag 'edac_urgent-2020-03-08' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras

Pull EDAC fix from Borislav Petkov:
 "Error reporting fix for synopsys_edac: do not overwrite partial
  decoded error message (Sherry Sun)"

* tag 'edac_urgent-2020-03-08' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras:
  EDAC/synopsys: Do not print an error with back-to-back snprintf() calls
2020-03-08 17:33:52 -07:00
Linus Torvalds
378fee2e6b Char/Misc fixes for 5.6-rc5
Here are 4 small char/misc driver fixes for reported issues for 5.6-rc5.
 
 These fixes are:
 	- binder fix for a potential use-after-free problem found (took
 	  2 tries to get it right)
 	- interconnect core fix
 	- altera-stapl driver fix
 
 All 4 of these have been in linux-next for a while with no reported
 issues.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 
 iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCXmSzSg8cZ3JlZ0Brcm9h
 aC5jb20ACgkQMUfUDdst+ymzLwCg2CKlHDefZEuCI7d4Pgd5cgknMKgAoLQdQLrO
 Pza+JqgZ8dSmUg8lyNw7
 =3wFd
 -----END PGP SIGNATURE-----

Merge tag 'char-misc-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc

Pull char/misc fixes from Greg KH:
 "Here are four small char/misc driver fixes for reported issues for
  5.6-rc5.

  These fixes are:

   - binder fix for a potential use-after-free problem found (took two
     tries to get it right)

   - interconnect core fix

   - altera-stapl driver fix

  All four of these have been in linux-next for a while with no reported
  issues"

* tag 'char-misc-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
  binder: prevent UAF for binderfs devices II
  interconnect: Handle memory allocation errors
  altera-stapl: altera_get_note: prevent write beyond end of 'key'
  binder: prevent UAF for binderfs devices
2020-03-08 10:49:44 -05:00
Linus Torvalds
b34e5c1332 Driver core / debugfs fixes for 5.6-rc5
Here are 4 small driver core / debugfs patches for 5.6-rc3
 
 They are:
 	- debugfs api cleanup now that all callers for
 	  debugfs_create_regset32() have been fixed up.  This was
 	  waiting until after the -rc1 merge as these fixes came in
 	  through different trees
 	- driver core sync state fixes based on reports of minor issues
 	  found in the feature
 
 All of these have been in linux-next with no reported issues.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 
 iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCXmS2Lg8cZ3JlZ0Brcm9h
 aC5jb20ACgkQMUfUDdst+ylvNgCfbnALILZh05QJPCfZv/seNFcFYLIAnRNAzxAU
 mTPqUqTp5+WMXSzGigMa
 =NyIX
 -----END PGP SIGNATURE-----

Merge tag 'driver-core-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core

Pull driver core and debugfs fixes from Greg KH:
 "Here are four small driver core / debugfs patches for 5.6-rc3:

   - debugfs api cleanup now that all debugfs_create_regset32() callers
     have been fixed up. This was waiting until after the -rc1 merge as
     these fixes came in through different trees

   - driver core sync state fixes based on reports of minor issues found
     in the feature

  All of these have been in linux-next with no reported issues"

* tag 'driver-core-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
  driver core: Skip unnecessary work when device doesn't have sync_state()
  driver core: Add dev_has_sync_state()
  driver core: Call sync_state() even if supplier has no consumers
  debugfs: remove return value of debugfs_create_regset32()
2020-03-08 10:39:40 -05:00
Linus Torvalds
cc432aee7d TTY/Serial fixes for 5.6-rc5
Here are some small tty/serial fixes for 5.6-rc5
 
 Just some small serial driver fixes, and a vt core fixup, full details
 are:
 	- vt fixes for issues found by syzbot
 	- serdev fix for Apple boxes
 	- fsl_lpuart serial driver fixes
 	- MAINTAINER update for incorrect serial files
 	- new device ids for 8250_exar driver
 	- mvebu-uart fix
 
 All of these have been in linux-next with no reported issues.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 
 iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCXmS5vg8cZ3JlZ0Brcm9h
 aC5jb20ACgkQMUfUDdst+yn2pQCgxOELj7OkuHatZxw+hz5CjL5jO3sAn1jzrYeb
 xnKsOnjMypc3nyMjCE7/
 =1QlE
 -----END PGP SIGNATURE-----

Merge tag 'tty-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty

Pull tty/serial fixes from Greg KH:
 "Here are some small tty/serial fixes for 5.6-rc5

  Just some small serial driver fixes, and a vt core fixup, full details
  are:

   - vt fixes for issues found by syzbot

   - serdev fix for Apple boxes

   - fsl_lpuart serial driver fixes

   - MAINTAINER update for incorrect serial files

   - new device ids for 8250_exar driver

   - mvebu-uart fix

  All of these have been in linux-next with no reported issues"

* tag 'tty-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
  tty: serial: fsl_lpuart: free IDs allocated by IDA
  Revert "tty: serial: fsl_lpuart: drop EARLYCON_DECLARE"
  serdev: Fix detection of UART devices on Apple machines.
  MAINTAINERS: Add missed files related to Synopsys DesignWare UART
  serial: 8250_exar: add support for ACCES cards
  tty:serial:mvebu-uart:fix a wrong return
  vt: selection, push sel_lock up
  vt: selection, push console lock down
2020-03-08 10:35:04 -05:00
Linus Torvalds
fd3f6cc980 USB/PHY fixes for 5.6-rc5
Here are some small USB and PHY driver fixes for reported issues for
 5.6-rc5.
 
 Included in here are:
 	- phy driver fixes
 	- new USB quirks
 	- USB cdns3 gadget driver fixes
 	- USB hub core fixes
 
 All of these have been in linux-next with no reported issues.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 
 iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCXmS/qw8cZ3JlZ0Brcm9h
 aC5jb20ACgkQMUfUDdst+ynEUwCfWN11rUIm4gI3qL3IBnbDdyOwN+wAnj8Nt6gh
 nNJi+MAmGC1hWaB5CiJY
 =4eZ8
 -----END PGP SIGNATURE-----

Merge tag 'usb-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

Pull USB/PHY fixes from Greg KH:
 "Here are some small USB and PHY driver fixes for reported issues for
  5.6-rc5.

  Included in here are:

   - phy driver fixes

   - new USB quirks

   - USB cdns3 gadget driver fixes

   - USB hub core fixes

  All of these have been in linux-next with no reported issues"

* tag 'usb-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
  usb: dwc3: gadget: Update chain bit correctly when using sg list
  usb: core: port: do error out if usb_autopm_get_interface() fails
  usb: core: hub: do error out if usb_autopm_get_interface() fails
  usb: core: hub: fix unhandled return by employing a void function
  usb: storage: Add quirk for Samsung Fit flash
  usb: quirks: add NO_LPM quirk for Logitech Screen Share
  usb: usb251xb: fix regulator probe and error handling
  phy: allwinner: Fix GENMASK misuse
  usb: cdns3: gadget: toggle cycle bit before reset endpoint
  usb: cdns3: gadget: link trb should point to next request
  phy: mapphone-mdm6600: Fix timeouts by adding wake-up handling
  phy: brcm-sata: Correct MDIO operations for 40nm platforms
  phy: ti: gmii-sel: do not fail in case of gmii
  phy: ti: gmii-sel: fix set of copy-paste errors
  phy: core: Fix phy_get() to not return error on link creation failure
  phy: mapphone-mdm6600: Fix write timeouts with shorter GPIO toggle interval
2020-03-08 10:32:23 -05:00
Linus Torvalds
61a09258f2 Second RDMA 5.6 pull request
- Fix busted syzkaller fix in 'get_new_pps' - this turned out to crash on
   certain HW configurations
 
 - Bug fixes for various missed things in error unwinds
 
 - Add a missing rcu_read_lock annotation in hfi/qib
 
 - Fix two ODP related regressions from the recent mmu notifier changes
 
 - Several more syzkaller bugs in siw, RDMA netlink, verbs and iwcm
 
 - Revert an old patch in CMA as it is now shown to not be allocating port
   numbers properly
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEfB7FMLh+8QxL+6i3OG33FX4gmxoFAl5iWSQACgkQOG33FX4g
 mxoadw//ZkIcG25OMhgc4iqOXT+brCCYosdi1MB8ptcW/lx+t2jH8VD9cd8kOW4M
 VfFIpiuqVc6U06BpoRJkSV3Ix5Hiw0nQVD9q1mNiqSs0fyAuJG0NGtVeqWWXSFFC
 ptHzn1z5Aw9GV2necS+nJcZ3NceMW/rP255LHioqVfj7xSFJiymXfncH7YwQZOop
 S88Dr3m+DibW+ueVwvtLPvSPaWL40NGZo4sNuITrfiJuHYvstWedUMtYkGCGjrmT
 bUI7lpYgsakVTlM2LTtlAFrAoL/adkfrNbiCVLqGLpoy3DIdXVscQzt9CRnCP1iF
 t1l0jY+2YNAMMfjktLDnhUU7wfAwgw/XTNoqzlRCAAiTp7D8+eo560Txj9xyjGw+
 spxGOWuDEVWlBOFHHltRbQ13QZ06vA7yg0YqoIuEg86c+X38NoVEA3sRf59v05qM
 XqPcdIBusjRfd8kZsk07uYbp5VQsNHSfL2ZtxAFwiWFr4stjBcwqrx3sFw5610uZ
 Pt6uWN6JlGRb7A35I0ZuRwWhN1HTFkd7rIKK3d5hTWcqefH6JAkZldMsG0qt/YW2
 nRnoZhUNwtP2YI6eOTpskQCyK41tqP5tC84k1GMBuAxMYw40FFqN9/M7v0h9NWq7
 Eq8BMjbLB6DDR8cBJk7uoYfpYM6slnGLlDGfrLRR9j1oWv6iuCY=
 =SFSu
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma

Pull rdma fixes from Jason Gunthorpe:
 "Nothing particularly exciting, some small ODP regressions from the mmu
  notifier rework, another bunch of syzkaller fixes, and a bug fix for a
  botched syzkaller fix in the first rc pull request.

   - Fix busted syzkaller fix in 'get_new_pps' - this turned out to
     crash on certain HW configurations

   - Bug fixes for various missed things in error unwinds

   - Add a missing rcu_read_lock annotation in hfi/qib

   - Fix two ODP related regressions from the recent mmu notifier
     changes

   - Several more syzkaller bugs in siw, RDMA netlink, verbs and iwcm

   - Revert an old patch in CMA as it is now shown to not be allocating
     port numbers properly"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
  RDMA/iwcm: Fix iwcm work deallocation
  RDMA/siw: Fix failure handling during device creation
  RDMA/nldev: Fix crash when set a QP to a new counter but QPN is missing
  RDMA/odp: Ensure the mm is still alive before creating an implicit child
  RDMA/core: Fix protection fault in ib_mr_pool_destroy
  IB/mlx5: Fix implicit ODP race
  IB/hfi1, qib: Ensure RCU is locked when accessing list
  RDMA/core: Fix pkey and port assignment in get_new_pps
  RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen()
  RDMA/rw: Fix error flow during RDMA context initialization
  RDMA/core: Fix use of logical OR in get_new_pps
  Revert "RDMA/cma: Simplify rdma_resolve_addr() error flow"
2020-03-07 19:52:55 -06:00
Linus Torvalds
c200376527 io_uring-5.6-2020-03-07
-----BEGIN PGP SIGNATURE-----
 
 iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAl5j8gkQHGF4Ym9lQGtl
 cm5lbC5kawAKCRD301j7KXHgphtKEADIid1/6xG6EO965jKjR1G3e7pnA7M6Ek01
 T0svGLMSYtPV9aRERiWDWdyCE01C0kjwWvmpiTCmWr0sm3bJYBB+NaDXkCtwa1IW
 uFPMNDpeCQijQI1sImbeP2yN2ufGY5r7Y9RCMU7+iKgcao3pFaR136y7UfBHykJ8
 Iyp/sir5FRHlEzrGyoXOe1j131BZrDGCa+cuPyAOlr75abN+TDazJAv05MGBQVfI
 wc4hOHy0+D07juXP3ZD8UptoLTXPNk+tcAIqAEIaEuPxmRxq1lOfnM506rWyp2sy
 XZrQhUblkL8nqfqXASYGQcY/DaNxhEvbzn86MaCKm4qf12uCiP0/DS3hFY/32lAt
 VX9eOYenX1zTRLQoRNwvVHT4+m+Splp7IpICFK9bSGk1jp3rbclSXmWITqSWkOgi
 C45wAAmWw4lzrbxcEDfBAns/lcwsrPwHn12WdM9ofk2I1jTDubO47c/oFEzEn0w/
 IixdKeMVnifNoytP9XFcUcotNzc/NPiPvMNgCkNm59kUHfXMXx6HHyTLO/JUzjZ9
 B/s2LkC23EksjEGC3gQiQxighyvNCsN0Wv9L7InaCjJY5IpcOoL495fnPCPfaOaW
 7c6xrkRxvHN8bSsKmESywcFjtBv23OtlTfbma7hjdByaGkW/M62qdT6DOiQcoiX/
 Ts7YOMtPdQ==
 =aukx
 -----END PGP SIGNATURE-----

Merge tag 'io_uring-5.6-2020-03-07' of git://git.kernel.dk/linux-block

Pull io_uring fixes from Jens Axboe:
 "Here are a few io_uring fixes that should go into this release. This
  contains:

   - Removal of (now) unused io_wq_flush() and associated flag (Pavel)

   - Fix cancelation lockup with linked timeouts (Pavel)

   - Fix for potential use-after-free when freeing percpu ref for fixed
     file sets

   - io-wq cancelation fixups (Pavel)"

* tag 'io_uring-5.6-2020-03-07' of git://git.kernel.dk/linux-block:
  io_uring: fix lockup with timeouts
  io_uring: free fixed_file_data after RCU grace period
  io-wq: remove io_wq_flush and IO_WQ_WORK_INTERNAL
  io-wq: fix IO_WQ_WORK_NO_CANCEL cancellation
2020-03-07 14:20:29 -06:00
Linus Torvalds
5dfcc13902 block-5.6-2020-03-07
-----BEGIN PGP SIGNATURE-----
 
 iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAl5j8hwQHGF4Ym9lQGtl
 cm5lbC5kawAKCRD301j7KXHgpnjID/4/XVrqtVNUzVoVOtkOyxyesBrJVMHEQEpJ
 PZssv835IStw0ENhxQJfGjPaIFc9Ff6PMkeN5KRAlMoEc+NkrJShF3owGf+6Bps7
 rxpblPxaw+CJFa31YBDZVjMCvbVkDm40G5SsJh+xzdIjlWz7MppkkMPdrErPwY8V
 0vnrIc+mKBKfBMZTwVkycYtp17LVgfXguledoWzxM1y47IW5UasKh8jdzhbu8Hvt
 zztdQrigUdb+9XnLGCZIY0JQOyrhJ5zQpZ40FzbvxdYrQZXOoYT8L7iFu/z0Wi7K
 p3a+G+B4WowtLYW78me4Uut5RrHq2XOehSypfujanQlpgXPGjS3TdHT3an2T8XPQ
 NyGsZsn/eLm3btNbhGUd8vqpQy5EmWhqmwvYk9tFAoSFLiLcvCC624b/TCYPL+gk
 3ZiI7mXBMjHnUZ0J/RF6kZWTAZDvr/tE7UZt1f8r1eEr8VDzCNp5Pst+HCVIguYD
 g9eWF8oH6wYoj39UKf1k+vW2GjXGFsnfivObaxhyz03sAPXK2wQlzAe/4jZ24XNr
 TRtOXh97c3CbLAwdUHehlzzdR3U7h0n2KsmrTC5AGmLABmR79s7BJ0+pexuZituO
 LwU8+gpf7AugHTrLg1eNXAmBHW44I1ticXYiWcT4iSPn99kNIhlW+Jb1iTGoiu7n
 nXyS3b5SCw==
 =xwKl
 -----END PGP SIGNATURE-----

Merge tag 'block-5.6-2020-03-07' of git://git.kernel.dk/linux-block

Pull block fixes from Jens Axboe:
 "Here are a few fixes that should go into this release. This contains:

   - Revert of a bad bcache patch from this merge window

   - Removed unused function (Daniel)

   - Fixup for the blktrace fix from Jan from this release (Cengiz)

   - Fix of deeper level bfqq overwrite in BFQ (Carlo)"

* tag 'block-5.6-2020-03-07' of git://git.kernel.dk/linux-block:
  block, bfq: fix overwrite of bfq_group pointer in bfq_find_set_group()
  blktrace: fix dereference after null check
  Revert "bcache: ignore pending signals when creating gc and allocator thread"
  block: Remove used kblockd_schedule_work_on()
2020-03-07 14:14:38 -06:00
Linus Torvalds
6f784a3179 media fixes for v5.6-rc5
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEE+QmuaPwR3wnBdVwACF8+vY7k4RUFAl5jnhoACgkQCF8+vY7k
 4RX6Hw/8DRlnp6D+nTBk1Tb0LyGAo/FP8XgA+EUtiJ+FZpt2op/6tnC0dS3Czj1W
 g6jt/94bV+38htb+xR0MxKQz25fQywh7iyxgLH3xLjjHnmQoZrDbWrjGjQqt5MIF
 rOskkvBBVwmA2auuyKCDZ3YIWxV4HT1wz0ptsGYu3zK1PY2NR980zvTnlUkWBJES
 IZ7Y58MV/wI4kLSWW8HcK2WAKD5NW613spae1szZ44OoKUw/tULY31+TAeMCd+uA
 Hi0ApS2PdSr/RBG9glHrguueWJp34oW9xUnbXRYZUJng8jiJtkoa4BDLxDXgBTZm
 TCi9XGjm4oh5RLS6C+lWwFrRW4ifvc0Hc2Uo1z5boxwiEoJV7YTn7+Lz9U3/Aeie
 J37LgEHyTdK8+yvqt+fi0CwLfaQ6OSyCO0euQ+gXOTNnhHMcskwjqWsXAW5/QPqV
 H6njqOi2yCEaotDKYbXXfBUfBJQveYeC15Lj529Zs6h0lGLHNRms3/kMrv8H9Nec
 VLu/NX6m0JyAhBdQJKKOO+j1PqGTBiAfga0Pf0lWn8lPWfGxjv5WNnh+Zx4pyL8M
 nJn4v7agbAwiSaL9Sv2FQSj0LhfBWBBpWu5LPQ/WjG5cIf83ZOYfsYagFUbvdd9a
 LG4qSins/hXT91vhyPGx54/BhrkCx2NAmtwtwRQiWO2HgL96ff4=
 =ch+J
 -----END PGP SIGNATURE-----

Merge tag 'media/v5.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media

Pull media fixes from Mauro Carvalho Chehab:

 - a fix for the media controller links in both hantro driver and in
   v4l2-mem2mem core

 - some fixes for the pulse8-cec driver

 - vicodec: handle alpha channel for RGB32 formats, as it may be used

 - mc-entity.c: fix handling of pad flags

* tag 'media/v5.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
  media: hantro: Fix broken media controller links
  media: mc-entity.c: use & to check pad flags, not ==
  media: v4l2-mem2mem.c: fix broken links
  media: vicodec: process all 4 components for RGB32 formats
  media: pulse8-cec: close serio in disconnect, not adap_free
  media: pulse8-cec: INIT_DELAYED_WORK was called too late
2020-03-07 12:00:13 -06:00
Pavel Begunkov
f0e20b8943 io_uring: fix lockup with timeouts
There is a recipe to deadlock the kernel: submit a timeout sqe with a
linked_timeout (e.g.  test_single_link_timeout_ception() from liburing),
and SIGKILL the process.

Then, io_kill_timeouts() takes @ctx->completion_lock, but the timeout
isn't flagged with REQ_F_COMP_LOCKED, and will try to double grab it
during io_put_free() to cancel the linked timeout. Probably, the same
can happen with another io_kill_timeout() call site, that is
io_commit_cqring().

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-03-07 08:35:56 -07:00
Linus Torvalds
9d588f6360 s390 updates for 5.6-rc5
- Fix panic in gup_fast on large pud by providing an implementation of
   pud_write. This has been overlooked during migration to common gup code.
 
 - Fix unexpected write combining on PCI stores.
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCAAdFiEE3QHqV+H2a8xAv27vjYWKoQLXFBgFAl5jmrQACgkQjYWKoQLX
 FBi/iQf9E50AKMRH7x0CNdzItCC3owNT/t06IPxJP397OmKafXI2Ke9a6Xya/LpT
 C68ndxxMVd4RuYhLc1aOtW2Jo04Owc9E/wWdQVuIO7joK/evZj9JNR3jb6f4HhXc
 PXPs432LfYPTrCmC4JvDW7PQXuhKAcjav8iqwE9nlyTvGFOaBupuB+1qum0wIUeE
 bDvdkEgzRirWrK7TOqB680e+hRmBqeoy/HBSrmP30yxjv/9xv6C2VGiPajH4mOhU
 Cw6lY7G/qLNUUvANBREKLhIXlI+PuApn/zFBbb6iqihd67wQ+v8lun2kA2Anyvv8
 j0evq/fLXFwCYFGnJWiYzVody8ak0A==
 =vECk
 -----END PGP SIGNATURE-----

Merge tag 's390-5.6-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux

Pull s390 fixes from Vasily Gorbik:

 - Fix panic in gup_fast on large pud by providing an implementation of
   pud_write. This has been overlooked during migration to common gup
   code.

 - Fix unexpected write combining on PCI stores.

* tag 's390-5.6-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390/pci: Fix unexpected write combine on resource
  s390/mm: fix panic in gup_fast on large pud
2020-03-07 08:12:47 -06:00
Linus Torvalds
5236647adb powerpc fixes for 5.6 #4
One fix for a recent regression to our breakpoint/watchpoint code.
 
 Another fix for our KUAP support, this time a missing annotation in a rarely
 used path in signal handling.
 
 A fix for our handling of a CPU feature that effects the PMU, when booting
 guests in some configurations.
 
 A minor fix to our linker script to explicitly include the .BTF section.
 
 Thanks to:
   Christophe Leroy, Desnes A. Nunes do Rosario, Leonardo Bras, Naveen N. Rao,
   Ravi Bangoria, Stefan Berger.
 -----BEGIN PGP SIGNATURE-----
 
 iQJHBAABCAAxFiEEJFGtCPCthwEv2Y/bUevqPMjhpYAFAl5jhLUTHG1wZUBlbGxl
 cm1hbi5pZC5hdQAKCRBR6+o8yOGlgIWYEACRI3ikfcO3V/QtV6wcgceBtXKyuEUz
 +E54neKhgpxRa66IUKXe9NgI4n9G6YTyG3Ee+iFfP4BR6bJpjiGxtypBSqTpDfql
 19QACPJtn+hft/YT2zy0S8SS6CE9TCC25PpOURYb7VVoAn3PG1nmdBj1zoEdsVoZ
 WZgkj2we03FQton8ctangP2Atd4L9ngUEUw7m1XvyX+MaMVE2Ev24Q5Es1Xu4tUs
 4U/g+TZvZeVB/Y44Km7bur3OTis0YcB7LBSD5goJSgj3PQXYhq9/7AegaH5cpiLu
 sDfBfEOjCnU5zuUwZkmlfmnm6YfqBinRpiUZzePuY3LTH5IjYlWXBzsFaiKUaP+8
 /mPypoR2ufhJ+pAKWqGs+iU19F5rqN0gVS0ELzxQTn7yT0yAPtVtpym4CyXYQTlF
 sQSqEK/S0U+NEP0jvHBnv9sIjwNXvGo+r8mdHDrxIYKFEm54fZDhS088/vq7Zc+2
 BrHfp6XCE7Eo0qn+5DV8ei456QkkR9McG2Ile6u0M1eh06EqqcnGfs6wrrD3nQe8
 Ptf+VWWdJM8W7Dv8dc7+JbLhtcVT+tRPyUOPdmRqT93ve/epsfNeujX5+ewhfIbG
 n22Ypm0zOIoq4ceaCY+vl56vUyXYXP5oz72WqjVuTncQrbAWjaNy2iklDyxbjQkI
 T25co1MTGsMjEA==
 =AjkM
 -----END PGP SIGNATURE-----

Merge tag 'powerpc-5.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux

Pull powerpc fixes from Michael Ellerman:
 "Some more powerpc fixes for 5.6:

   - One fix for a recent regression to our breakpoint/watchpoint code.

   - Another fix for our KUAP support, this time a missing annotation in
     a rarely used path in signal handling.

   - A fix for our handling of a CPU feature that effects the PMU, when
     booting guests in some configurations.

   - A minor fix to our linker script to explicitly include the .BTF
     section.

  Thanks to: Christophe Leroy, Desnes A. Nunes do Rosario, Leonardo
  Bras, Naveen N. Rao, Ravi Bangoria, Stefan Berger"

* tag 'powerpc-5.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
  powerpc/mm: Fix missing KUAP disable in flush_coherent_icache()
  powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems
  powerpc: Include .BTF section
  powerpc/watchpoint: Don't call dar_within_range() for Book3S
2020-03-07 08:10:34 -06:00
Linus Torvalds
cbee7c8b44 xen: branch for v5.6-rc5
-----BEGIN PGP SIGNATURE-----
 
 iHUEABYIAB0WIQRTLbB6QfY48x44uB6AXGG7T9hjvgUCXmNp4AAKCRCAXGG7T9hj
 vmPeAP42nekgUNbUzEuei1/v4bJoepxIg22UXTVnjWwx9JVQKgEA+fgswmyy4NN2
 Ab7ty2zw1s3Vwhoq909lWNIJdz/+1wI=
 =C3CJ
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-5.6b-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip

Pull xen fixes from Juergen Gross:
 "Four fixes and a small cleanup patch:

   - two fixes by Dongli Zhang fixing races in the xenbus driver

   - two fixes by me fixing issues introduced in 5.6

   - a small cleanup by Gustavo Silva replacing a zero-length array with
     a flexible-array"

* tag 'for-linus-5.6b-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
  xen/blkfront: fix ring info addressing
  xen/xenbus: fix locking
  xenbus: req->err should be updated before req->state
  xenbus: req->body should be updated before req->state
  xen: Replace zero-length array with flexible-array member
2020-03-07 08:04:54 -06:00
Linus Torvalds
fa883d6afb for-linus-2020-03-07
-----BEGIN PGP SIGNATURE-----
 
 iHUEABYKAB0WIQRAhzRXHqcMeLMyaSiRxhvAZXjcogUCXmNvpgAKCRCRxhvAZXjc
 ouFvAQDCzfOx1vcEP/nNhYBP2MPuafKclJcoJggC9rSmIvcLiQD/TI+LyHzplD+m
 MWSu9NZJ6h6qyjKJivja3/bs8DVEewU=
 =4gyS
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-2020-03-07' of gitolite.kernel.org:pub/scm/linux/kernel/git/brauner/linux

Pull thread fixes from Christian Brauner:
 "Here are a few hopefully uncontroversial fixes:

   - Use RCU_INIT_POINTER() when initializing rcu protected members in
     task_struct to fix sparse warnings.

   - Add pidfd_fdinfo_test binary to .gitignore file"

* tag 'for-linus-2020-03-07' of gitolite.kernel.org:pub/scm/linux/kernel/git/brauner/linux:
  selftests: pidfd: Add pidfd_fdinfo_test in .gitignore
  exit: Fix Sparse errors and warnings
  fork: Use RCU_INIT_POINTER() instead of rcu_access_pointer()
2020-03-07 08:01:43 -06:00
Linus Torvalds
676fc8de31 sound fixes for 5.6-rc5
The regular "bump-in-the-middle" updates, containing mostly ASoC-
 related fixes at this time.  All changes are reasonably small.
 A few entries are for ASoC and ALSA core parts (DAPM, PCM, topology)
 for followups of the recent changes and potential buffer overflow by
 snprintf(), while the rest are (both new and old) device-specific
 fixes for Intel, meson, tas2562, rt1015, as well as the usual
 HD-audio quirks.
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAl5jYRkOHHRpd2FpQHN1
 c2UuZGUACgkQLtJE4w1nLE9m8A//e8LzyaIohaPa6bfC3wU5go0EVgTfEUF4oAEg
 it6dDm6ukxuigxXiMP1mIP2VATfBGUOIiOgzB2E9UJF00vbOUpdGaoIJYfejz6SI
 PYHDs8McMPbu0KtZANMccO7x52A7HeVcQ0166CqazhvcxBAxcqiGBLqo8z0WvBaA
 dbyiuh4TBcdObv6MFN/cCQejtmXP+W0vVbx+Kf0gs9lSOWnY26X5NXjlVI0WD60o
 fvBzoGcRGuBPALl20aSH0aybtD3My2Y17+xzDqP/Rlfzb9IAc/i3ifMuA7HWuVIT
 CYjCe/LGTsvPjwGCAvx0+aSV4Mq/zeQghF/Rg67QfdO+8iGyc2AYYxEFQzp0QW5F
 GsTpyawm3GXOUa9DzavzNjYB6wgA64+stm+OTr+HOrl/cYzRlgqEU4GCL8lKltWt
 Sqn1fXaBy6KlgkAdkEMabURN6JlegYJATzFZ0rConqIU3uKBZ2gWwuetfQW83guK
 MhUl6OGBrKjak08Un571XT5Y1bn/pWgVB5o4vOzImr75TFuZ1ledjNfefLHGuTTH
 IjyDh4O40IxOKQtT8Pau0oOUcMkSOXSLP0YzfYxflnJsC8Dj+0vLc+J9sVZisI2K
 WFcfVajiqWVzoS7oMkdNRYIWF4LXPA2v/73BfarmsBOrTnErKRzJ+FJGFLgBBg+5
 6EdUrUw=
 =zLTR
 -----END PGP SIGNATURE-----

Merge tag 'sound-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "The regular "bump-in-the-middle" updates, containing mostly ASoC-
  related fixes at this time. All changes are reasonably small.

  A few entries are for ASoC and ALSA core parts (DAPM, PCM, topology)
  for followups of the recent changes and potential buffer overflow by
  snprintf(), while the rest are (both new and old) device-specific
  fixes for Intel, meson, tas2562, rt1015, as well as the usual HD-audio
  quirks"

* tag 'sound-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (25 commits)
  ALSA: sgio2audio: Remove usage of dropped hw_params/hw_free functions
  ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294
  ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Master
  ALSA: hda/realtek - Add Headset Button supported for ThinkPad X1
  ALSA: hda/realtek - Add Headset Mic supported
  ASoC: wm8741: Fix typo in Kconfig prompt
  ASoC: stm32: sai: manage rebind issue
  ASoC: SOF: Fix snd_sof_ipc_stream_posn()
  ASoC: rt1015: modify pre-divider for sysclk
  ASoC: rt1015: add operation callback function for rt1015_dai[]
  ASoC: soc-component: tidyup snd_soc_pcm_component_sync_stop()
  ASoC: dapm: Correct DAPM handling of active widgets during shutdown
  ASoC: tas2562: Fix sample rate error message
  ASoC: Intel: Skylake: Fix available clock counter incrementation
  ASoC: soc-pcm/soc-compress: don't use snd_soc_dapm_stream_stop()
  ASoC: meson: g12a: add tohdmitx reset
  ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path
  ASoC: soc-core: fix for_rtd_codec_dai_rollback() macro
  ASoC: topology: Fix memleak in soc_tplg_manifest_load()
  ASoC: topology: Fix memleak in soc_tplg_link_elems_load()
  ...
2020-03-07 07:59:30 -06:00
Takashi Iwai
5a56996b0f ASoC: Fixes for v5.6
More fixes that have arrived since the merge window, spread out all
 over.  There's a few things like the operation callback addition for
 rt1015 and the meson reset addition which add small new bits of
 functionality to fix non-working systems, they're all very small and for
 parts of newly added functionality.
 -----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCgAxFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAl5iebkTHGJyb29uaWVA
 a2VybmVsLm9yZwAKCRAk1otyXVSH0MR4B/wJq8zrpsPAA2jCoBfN0qMzrVBEt9QD
 5oF/r36ZH5G6x0QZzyiwVOUbapNT1TVs51tw0S5esxJ+npkT2kgABPlIMYF2tgp6
 rmLOaFEPC+Bgf/dNGIWLV21B+EZCHDxTz1zD7VjfaXLDPRop+sZg1VfXLR7IvXos
 1VQLVx1y6vFJRr56EU5xQo1CAeFGB1x5K52aF4D90ALL7lYT6dt7m/soBmxImEpq
 aZUCE6xwX8WMH4OX6sTfqOvB+g6q+DzshCP2+Fas/0OIQZQA9mmIKId+/xpb6QcY
 A0AzMlSv49uAsBsa3CZmSingGVqL/PEMkCI4wvJPl/paQXUsMi9HYV0E
 =YlPP
 -----END PGP SIGNATURE-----

Merge tag 'asoc-fix-v5.6-rc4' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

ASoC: Fixes for v5.6

More fixes that have arrived since the merge window, spread out all
over.  There's a few things like the operation callback addition for
rt1015 and the meson reset addition which add small new bits of
functionality to fix non-working systems, they're all very small and for
parts of newly added functionality.
2020-03-07 07:24:36 +01:00
Linus Torvalds
63849c8f41 linux-kselftest-5.6-rc5
This Kselftest update for Linux 5.6-rc5 consists of a cleanup patch
 to undo changes to global .gitignore that added selftests/lkdtm
 objects and add them to a local selftests/lkdtm/.gitignore.
 
 Summary of Linus's comments on local vs. global gitignore scope:
 
 - Keep local gitignore patterns in local files.
 - Put only global gitignore patterns in the top-level gitignore file.
 
 Local scope keeps things much better separated. It also incidentally
 means that if a directory gets renamed, the gitignore file continues
 to work unless in the case of renaming the actual files themselves that
 are named in the gitignore.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEPZKym/RZuOCGeA/kCwJExA0NQxwFAl5izzwACgkQCwJExA0N
 QxxGpBAArJzDZp02xR8QfCrFyY8qXsFOEkFhjc22jNx6nl5cMb6nRUFbDszCEq05
 0QmVb1Hfh+tsz5PXtcugC/pfulUPmho8mN6sXEfwjqcyQFj/4y94wfpRig/KqMXj
 ECV3zjm39wb3iAh5PQxrymzWrv0ZmmKphpi9fpUDGCGEoG7cemsfIfwkRKBUFBOa
 O1PTz0sLbhMQs02N/5mwJk0WGxtjFQ5ShM5EQh1nzxgA3ObXcjybMarusWhVx2SN
 oO3UR7hrJTTozgcisiK8xz8SP4Hq1i6E11HE06PfE52YsVAEwNjsXf0KushKxWHo
 sm9B4dtkcy1qM+JfbVRKS9LPSyKiGEDUzmqKQy2dgVUX2K3ScJ6scXNnLSnPbqjX
 OPjaMTkIYUyxZ4Z4vn8a9+b3xc6fLxi9aiaxqfpdfbIJyiIyGhAvVwS1zWa1AUqW
 /mEPRE9BplpQTthkBHNHCdwG1NGAzV/gwtZHDeuiy/BdtlQNjzqr0vh26sTN1z0M
 NPMAl2Teqv2NOfOcHvhphyNXuuW9IE96ZoYDyFz6ZF6jN+J9jZtWpHRCnnd7dK9Q
 fLwbJUZtfr7v0r/1jsYag0MPJlyBaW1rvuEH9rpbF+Z/+ODrDPiAt05bPmrk9BYO
 hwmvcWsCalQUlOYQdhpEUFJgHoWoy4GJMMI3ao+xCooXiAylTt0=
 =8sYZ
 -----END PGP SIGNATURE-----

Merge tag 'linux-kselftest-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest

Pull kselftest update from Shuah Khan:
 "This consists of a cleanup patch to undo changes to global .gitignore
  that added selftests/lkdtm objects and add them to a local
  selftests/lkdtm/.gitignore.

  Summary of Linus's comments on local vs. global gitignore scope:

   - Keep local gitignore patterns in local files.

   - Put only global gitignore patterns in the top-level gitignore file.

  Local scope keeps things much better separated. It also incidentally
  means that if a directory gets renamed, the gitignore file continues
  to work unless in the case of renaming the actual files themselves
  that are named in the gitignore"

* tag 'linux-kselftest-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
  selftest/lkdtm: Use local .gitignore
2020-03-06 17:03:37 -06:00
Linus Torvalds
7e6582ef32 RISC-V Fixes for 5.6-rc5
This tag contains a handful of fixes that I would like to target for 5.6:
 
 * A pair of fixes to module loading, which we hope solve the last of the issues
   with module text being loaded too sparsely for our call relocations.
 * A Kconfig fix that disallows selecting memory models not supported by NOMMU.
 * A series of Kconfig updates to ease selecting the drivers necessary to run on
   QEMU's virt platform.
 * DTS updates for SiFive's HiFive Unleashed.
 * A fix to our seccomp support that avoids mangling restartable syscalls.
 -----BEGIN PGP SIGNATURE-----
 
 iQJHBAABCgAxFiEEKzw3R0RoQ7JKlDp6LhMZ81+7GIkFAl5iudATHHBhbG1lckBk
 YWJiZWx0LmNvbQAKCRAuExnzX7sYiUXbEACWGtDcZNmGbuZVnvqfYrA6GBYAdv24
 06Rh/y+jx2nye9Od8qI/K3TUYx44ZbdwAgeclvJ2H/XiL3W05ERdh8M5rLeK28DT
 Dt4xyG0FY0euWNXsUyPJLC8RAmvBR6aUnlHNbKbFYag2FpZ3Vfp8G+3x9Crj4rqw
 eQDpzx/aBHRUAs3IAjS9Wz17/wOP57AIwRxIpcQ4AOy8ZhECpPdkmBXH/9nGtQ54
 P5+lk59sw+KoVLo/uGyAbFINAMncfYIolcdlnH2rsNuYzeXhkoGqieMKGGwb2M5I
 0zhEPSNbiTe3uEyFtuywrYjzHwlGULAhx9me5Q0qBCwyIq56n5u7FEqPp3XukXU8
 OJXe/X8a8cPQn7gHaK3kffUeYUmmsgb8+Zf974B7yAiOryzn0sBpsFyV3u4uYnGq
 k4u3fLcSoRNU/1AuU1J5in1IrYsia/sxbQ58tG34z3W+zNrLthet/9bgtkaDK+TF
 Gm17BYPcQu0FPHa4p/smSn+AEyD3sNfZVVzBANo5qtGSkOhx9qpwM3ComrET5sDY
 +F7iaOHh7zyFhLaCFQ1aLniOuJ81pKis6HcZGcdKp++mlyKyDNvwXQO6Tl9KYbZC
 8cCQJysX3baILf00OpVfxV9P1oHaGhebyjHP1eWOGRonQhNI6KSUKINV2tb5vPxh
 758BLES4+e7lzQ==
 =3jih
 -----END PGP SIGNATURE-----

Merge tag 'riscv-for-linus-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux

Pull RISC-V fixes from Palmer Dabbelt:
 "This contains a handful of fixes that I would like to target for 5.6:

   - A pair of fixes to module loading, which we hope solve the last of
     the issues with module text being loaded too sparsely for our call
     relocations.

   - A Kconfig fix that disallows selecting memory models not supported
     by NOMMU.

   - A series of Kconfig updates to ease selecting the drivers necessary
     to run on QEMU's virt platform.

   - DTS updates for SiFive's HiFive Unleashed.

   - A fix to our seccomp support that avoids mangling restartable
     syscalls"

* tag 'riscv-for-linus-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
  riscv: fix seccomp reject syscall code path
  riscv: dts: Add GPIO reboot method to HiFive Unleashed DTS file
  RISC-V: Select Goldfish RTC driver for QEMU virt machine
  RISC-V: Select SYSCON Reboot and Poweroff for QEMU virt machine
  RISC-V: Enable QEMU virt machine support in defconfigs
  RISC-V: Add kconfig option for QEMU virt machine
  riscv: Fix range looking for kernel image memblock
  riscv: Force flat memory model with no-mmu
  riscv: Change code model of module to medany to improve data accessing
  riscv: avoid the PIC offset of static percpu data in module beyond 2G limits
2020-03-06 16:38:33 -06:00
Jonathan Neuschäfer
611d61f9ac parse-maintainers: Mark as executable
This makes the script more convenient to run.

Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-03-06 16:29:21 -06:00
Linus Torvalds
bdf1ea7ca8 Devicetree fixes for v5.6, take 3:
- Fixes for warnings introduced by hierarchical PSCI binding changes
 
 - Fixes for broken doc references due to DT schema conversions
 
 - Several grammar and typo fixes
 
 - Fix a bunch of dtc warnings in examples
 -----BEGIN PGP SIGNATURE-----
 
 iQJEBAABCgAuFiEEktVUI4SxYhzZyEuo+vtdtY28YcMFAl5iwicQHHJvYmhAa2Vy
 bmVsLm9yZwAKCRD6+121jbxhwxZQD/0VmRBeLZaCg1jiTfj2a+/AbR+x6sGh1izC
 yKI/GRRpVDuyYKN4vNZrY/Z3O5wNwbxZ4mRot/R1EL0on0WPKoLTbioyFFAO3kk0
 7ar6lQCKJHikAz7olT89D0vMD86KGCuUIa0Cju31SCRwdASRtgm36q7ozvs7kt9T
 jkTHfH121sLrSDQCHHq1NPBct6tL6ldtfbClqNSs4HsR/9Bzvnd5Sd3hsjLcotnO
 WpXezH5smBssguJJs0kHySg9gis2DCWnRkejb+7fGC7b8N/vTZA2EWierD0cvpy6
 45SRfRtUeCb8OuTn2V8J8CaPmYTmwUvxrSLR/l3vyB+BvxLULsAMFH9gE5AcgHVY
 eQAj2l8d+Q+bFSUaV3sKPhV3xquBTi6d26pu2uZDjK6MmeLIi3mkOW1bonD5xWbz
 o7KB67g36ENwleou01AbK/bs211hSSHfqKe1pCWIKq9t7xJAkBklSfymr3kAgj9/
 1mwnzwvm2dr8MWH8CNYmNcNb2NAgh2mSgS3yW6WjJcEOUeran+/kn7Ivs/fpDlxF
 JUyYD+ZGQxccYn1c+urrMbzG16HjtqyV6UWUHGJxA2YGs15kSLRvEEIPRbxIsARs
 YPymRSFchmggyb+CLr8XH5XxDDaHm/3ZTsqA3PgFuQopX7OdCmcb7CGGNCmvzhxk
 NC5jllsiLw==
 =sbhb
 -----END PGP SIGNATURE-----

Merge tag 'devicetree-fixes-for-5.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux

Pull devicetree fixes from Rob Herring:
 "Another batch of DT fixes. I think this should be the last of it, but
  sending pull requests seems to cause people to send more fixes.

  Summary:

   - Fixes for warnings introduced by hierarchical PSCI binding changes

   - Fixes for broken doc references due to DT schema conversions

   - Several grammar and typo fixes

   - Fix a bunch of dtc warnings in examples"

* tag 'devicetree-fixes-for-5.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
  dt-bindings: arm: Fixup the DT bindings for hierarchical PSCI states
  dt-bindings: power: Extend nodename pattern for power-domain providers
  MAINTAINERS: update ALLWINNER CPUFREQ DRIVER entry
  dt-bindings: bus: Drop empty compatible string in example
  dt-bindings: power: Convert domain-idle-states bindings to json-schema
  dt-bindings: arm: Fix cpu compatibles in the hierarchical example for PSCI
  dt-bindings: arm: Correct links to idle states definitions
  dt-bindings: mfd: Fix typo in file name of twl-familly.txt
  dt-bindings: mfd: tps65910: Improve grammar
  dt-bindings: mfd: zii,rave-sp: Fix a typo ("onborad")
  dt-bindings: arm: fsl: fix APF6Dev compatible
  dt-bindings: Fix dtc warnings in examples
  docs: dt: fix several broken doc references
  docs: dt: fix several broken references due to renames
  MAINTAINERS: clean up PCIE DRIVER FOR CAVIUM THUNDERX
2020-03-06 16:11:34 -06:00
Linus Torvalds
2f501bb180 one vgacon input check for stable
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEb4nG6jLu8Y5XI+PfTA9ye/CYqnEFAl5iu10ACgkQTA9ye/CY
 qnFOHQ//Z8JV3DmnvwfAYytRos08EVfMoZsZKXKXGPNTGklcytrWaunT3B0OQ8GN
 uv3HK18otmjTet6VPDezeHzLMDLV8O5bV/WGX01J7dSXsMH3lolasCv37l5ZHqvd
 WHRFYLUaTntn9bnLGqp9uqe50eAxC5yP9IHGIq+7PS2d3/8tX9ZCnbIYIpuWXGkZ
 eD9s/wMPb+bl03WEP5ghO/SQ/nb8IIDM/Mp220YmZ1dW9sV+G1g7b9Yu9q2ggo7s
 +P6etSDZjtgcICE+WlcyzM51HLiXEEngn3SWMI0gEqGkDzsDHEe4CKgl9g7FfJoV
 Gjc4+nw5cRUrhhOWNPQGY7c5YhlptRWTKy/I0ahXSe17CFoi3lNIzHD9azj2iib+
 Sio8yfZ58GWfocNamnlv9sBkpad39Xjj8djGMOWlGpkoqzM+P3N5qKPbtt3gy8Sz
 GeojqxLenMrNSNmXa+wsvxbZ8iZDwy4cYFKjLgNd6Q0sd18636iQXlNtP1JY1KeO
 ctgbXcoj7AMeS8Zigtie/L+nzKwxhw3r9VeE+02xj/9IkhvFSGIzzIof1uatMol6
 LWic1HdtdqwAzJ7256aEt2npzEZn0bg4QaOoN6LB9w+Yw30j7mPQ7YZjsP4g+oTo
 KIKz+GaMA8UgDZsf9WU2suEnXWhQ4VN72yo5EzoTGEtdosOVNk0=
 =38Vy
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-2020-03-06-1' of git://anongit.freedesktop.org/drm/drm

Pull vgacon fix from Daniel Vetter:
 "One vgacon input check for stable"

* tag 'drm-fixes-2020-03-06-1' of git://anongit.freedesktop.org/drm/drm:
  vgacon: Fix a UAF in vgacon_invert_region
2020-03-06 16:08:48 -06:00
Linus Torvalds
30fe0d07fd for-5.6-rc4-tag
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE8rQSAMVO+zA4DBdWxWXV+ddtWDsFAl5iXe8ACgkQxWXV+ddt
 WDvWGg/+LFP+Y8Qz6xHTl3vXuGJKjCr7X/MIi69r2N0JFoCUeXyOdxeSlOuNCfhb
 HiLZzfA5TYoptsdLJAXQLy7nPKFCQcc+J19Mbt2+aebpdGqfgN+YZEGkltfKL8Ao
 xjOGu5HROFFpNTtnwa1dYOQkyVuZ8oafuJxwVJ8T28fxepRvBbi5jmy3lb1ypL3W
 NoIPBe+67g5z/W0ATFmBMF7cCbvS5gsEGWKpbbjh7r8ZHJkhUaxVU7YdxPqlXrAO
 ejZfiJUwi8rTGm0zd8A5TX/wsxSeBEXolvh91k5tatTljjzROHa028KRg2voUZIW
 C5/7X+Z2C3gzuT0o7TGLBOR6CkVhkSutDV8/QIE6hDjZ/aCMNi0mIFco1hG8jjd1
 jQfjemjj7PWuVEnZ6EuVSoHSXjZvBvX66of40YhTQEtSaJpcZU4jP26+8cXENN6+
 6WbWcQpEQbT0cp0YKWhWvAIwGMf0jmWESISeFMEaF0eQd8BtzrH1qYcs3JTmXvHC
 XmC47hoEJLhjQkAgQ4oNa5PZQzR1wEfW/4FPdqlADOR2frE1wDiKdrpN/dkAYHdQ
 edNlo9u0+bRWCP40p04i2IUX/aUAc+me9QxiZwxT3Fw0g5QBSE2035Ly4spvT8NZ
 gIvwnq1KGxmtrJSo5Lpkv4bjHYbByYMOiGJUMOTCIEdqajFI224=
 =06pr
 -----END PGP SIGNATURE-----

Merge tag 'for-5.6-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux

Pull btrfs fix from David Sterba:
 "One fixup for DIO when in use with the new checksums, a missed case
  where the checksum size was still assuming u32"

* tag 'for-5.6-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
  btrfs: fix RAID direct I/O reads with alternate csums
2020-03-06 14:56:46 -06:00
Linus Torvalds
0b25d45803 File locking fixes for v5.6
-----BEGIN PGP SIGNATURE-----
 
 iQJHBAABCAAxFiEES8DXskRxsqGE6vXTAA5oQRlWghUFAl5igvYTHGpsYXl0b25A
 a2VybmVsLm9yZwAKCRAADmhBGVaCFdbFD/9ZP3XDY+ngnN5nsSYS4QuzudlncnZL
 ceRLD5YykNPLOAesr7DWI8EDky+IFL5w4wRHVxAbOeHpj3haySLefV9vsM/G6sm4
 CiHdikx7uls184r5WYK3jfB19UF3UIePUjTnAtxOpemjkLv58Z15nPNGGQv9lkFJ
 dJbCk1kdwaEA3LYEyXiGC/ianaxLtiqBy+C0d581OZn3ty551c8vmF0Ziz5tcuot
 aObPE3f8sYNxDuTDZcseRxvXUfMS1Qj/tMxeDDIXryX71zIsFbQ6PMPUNHGHGit/
 uoeuprDy90mLqGuEEuUfVaXjn8zEPFlW8IHy1OJ4fFNQ0X/HYa2/CFTA2BiVrpfM
 1lVYKWuMz+mCq9i8wzF/+ikQ9QVMG2cSb0i4kyuAb+RBP+PDjNTbTLjFeEIJVz6O
 yN9MUXWH5XS8liFq2F5VbITwpSJEk7vxiTGDT1zU38HXFdrxL0FRC60TKhkplLzO
 9xsj9jUBV/sD5ohwq9Ga+kcXOB/KA/9iW3TMfBApq7oWIxaEfW7rQ6A/O5tuF/hX
 q2mwrRoEx6tpCy77KFBLT89iF0gzV3xzadwWcnpDkFC7x2OkMmZPPr2nWeJS6qbN
 hPOD1fiWW/NXMXs7foQ9HZ7HdbQMDI7olnf1sjkh4pq2MKDWsJLvNB4fYwZUxhpn
 8K4B+9yfIofvpg==
 =H/ky
 -----END PGP SIGNATURE-----

Merge tag 'filelock-v5.6-1' of git://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux

Pull file locking fixes from Jeff Layton:
 "Just a couple of late-breaking patches for the file locking code. The
  second patch (from yangerkun) fixes a rather nasty looking potential
  use-after-free that should go to stable.

  The other patch could technically wait for 5.7, but it's fairly
  innocuous so I figured we might as well take it"

* tag 'filelock-v5.6-1' of git://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux:
  locks: fix a potential use-after-free problem when wakeup a waiter
  fcntl: Distribute switch variables for initialization
2020-03-06 14:55:27 -06:00
Linus Torvalds
ae24a21bbd spi: Fixes for v5.6
A selection of small fixes, mostly for drivers, that have arrived since
 the merge window.  None of them are earth shattering in themselves but
 all useful for affected systems.
 -----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCgAxFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAl5iiroTHGJyb29uaWVA
 a2VybmVsLm9yZwAKCRAk1otyXVSH0ALxB/0TAEys4X1IxDku7N4E9vivlTQP+Yy5
 LmJ7Oc+z1aCWX3LrpMa3M9JInnY44iahjariaZgcQ9GXXTO4rEoOSTVL99fXzj0h
 wRS23p+h8GNFQ0s6Bzni8HSITz+vzCUJjYQe4i8iJIpQBRIErFSrqzB4uRGd7SPI
 PIgYeTSA3rFuVvdAgijRg3hPTW2rpn328G/k35JpUNo9OdZ/v6NDQl1Sbg/FedFu
 iY0feUaQ1FafHGkja/+OYN43bCraDo7Fo4COyF9cHGIJ8nBzMZJumhjgei26nviM
 OQ15zRewFpnLGlK8ffPykrnynOhqo3GF7JbFWvI5pga/G5XzzLY8mi19
 =bFsu
 -----END PGP SIGNATURE-----

Merge tag 'spi-fix-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi

Pull spi fixes from Mark Brown:
 "A selection of small fixes, mostly for drivers, that have arrived
  since the merge window. None of them are earth shattering in
  themselves but all useful for affected systems"

* tag 'spi-fix-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
  spi: spi_register_controller(): free bus id on error paths
  spi: bcm63xx-hsspi: Really keep pll clk enabled
  spi: atmel-quadspi: fix possible MMIO window size overrun
  spi/zynqmp: remove entry that causes a cs glitch
  spi: pxa2xx: Add CS control clock quirk
  spi: spidev: Fix CS polarity if GPIO descriptors are used
  spi: qup: call spi_qup_pm_resume_runtime before suspending
  spi: spi-omap2-mcspi: Support probe deferral for DMA channels
  spi: spi-omap2-mcspi: Handle DMA size restriction on AM65x
2020-03-06 14:50:16 -06:00
Linus Torvalds
43c63729c9 regulator: Fixes for v5.6
A couple of small fixes, one for a minor issue in the stm32-vrefbuf
 driver and a documentation fix in the Qualcomm code.
 -----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCgAxFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAl5ie5ITHGJyb29uaWVA
 a2VybmVsLm9yZwAKCRAk1otyXVSH0J5lB/wOdphcQj9YKbq1fO5Z2i4zROn85dbT
 JREqpS5SNY+znox3WFct08L7xyrUBwFgZwzlF0KTnoBfNLznjcdY34YNSswWMZzY
 vo0frRtEzdetjtQOYzuKfr+cWSozNLFCz4rGb9eMZicR28yaU+WluKlNLtwgkgq0
 WEqyDZKK1KhVZYDJPVY6gb3NgTYlUvaJyRKEFGxSNHTDR9qL5koP7ym1yIqBjAu/
 N596CtL8A24z9x7Wlmt2I9m13S/YXPUbDibYU10UC6amFWfsiuZ0hi577ToXvr1X
 PruiRr63WgFlHGedAjsyfW1y1O9oBvGksb9rlBmwYzssgnuqV5DTuxsB
 =s+Ng
 -----END PGP SIGNATURE-----

Merge tag 'regulator-fix-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator

Pull regulator fixes from Mark Brown:
 "A couple of small fixes, one for a minor issue in the stm32-vrefbuf
  driver and a documentation fix in the Qualcomm code"

* tag 'regulator-fix-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
  regulator: stm32-vrefbuf: fix a possible overshoot when re-enabling
  regulator: qcom_spmi: Fix docs for PM8004
2020-03-06 14:48:30 -06:00
Linus Torvalds
08e39fcb92 hwmon fixes for v5.6-rc5
Fix an error return in the adt7462 driver, bad voltage limits
 reported by the xdpe12284 driver, and a broken documentation
 reference in the adm1177 driver documentation.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEiHPvMQj9QTOCiqgVyx8mb86fmYEFAl5idy0ACgkQyx8mb86f
 mYFiRQ//Xp5JP1QMSTJqcGlM98ai/ZesCM0OB7ocBTt592T/VON8D2eEJapuECve
 /065OGs1L25HBqPV+1riPUZ+Q9bkhnqyqXZuDx92ShClOpSK9Yy7GQXhXT3Y6D5g
 bdrwnJK0dwGMR0nkNPKomSodeXP+qub3z5am/5QGIqfhG+ssckNhWYI7eYaKV0js
 +4L/NcRAJF+hvcmeWQ+mOxKOWkcCAXYCIxo7iJWnnc3BeNplFjKRknUu9FER/bDh
 gb9tJFZ7zVdH4TsPvl1axJtWYN2whTRljv/Xn5gSeJUM+0X1nrFJ2vP72nOm4goV
 TZG2vTu3PZvw7uvCXC7P/q0qalgju2cdGr6b91brjrOCzxzj9uijzMGmmEG58rD2
 Ls5qnWl5gyit5KuKjKyiyMzkZi0q5OycZaZeIKHenu9TqmHB1tj9h5S9EzKT+gJ/
 8wWEsNR8kw73iTKtB09loxXnAUhxNtNcCzx05zPP5m+MG/iVgJslfaRRxmwnprxG
 bq4VWT6DQwMCx+98olVURASkl+bIwpkKXvCMIzKRg8oAy7/WKqw0YgXZWUFop7Hi
 qsWqBjjYTZfB1nz/i9gTRarpLtYAi7xQ8ib6VTP3qsOA/Nws43ffOqDqIZD5YGob
 fA5Ytdk+c5cwO5Wrjsh9v7TuWpXlC+AQbZkD3icuXWlN9orD4Ck=
 =AHoG
 -----END PGP SIGNATURE-----

Merge tag 'hwmon-for-v5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging

Pull hwmon fixes from Guenter Roeck:
 "Fix an error return in the adt7462 driver, bad voltage limits reported
  by the xdpe12284 driver, and a broken documentation reference in the
  adm1177 driver documentation"

* tag 'hwmon-for-v5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
  hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT()
  hwmon: (pmbus/xdpe12284) Add callback for vout limits conversion
  docs: adm1177: fix a broken reference
2020-03-06 14:47:06 -06:00
Linus Torvalds
c20c4a084a arm64 fixes for -rc5
- Fix misreporting of ASID limit when KPTI is enabled
 
 - Fix busted NULL pointer checks for GICC structure in ACPI PMU code
 
 - Avoid nobbling the "fsl_imx8_ddr" PMU counters when disabling them
 -----BEGIN PGP SIGNATURE-----
 
 iQFEBAABCgAuFiEEPxTL6PPUbjXGY88ct6xw3ITBYzQFAl5iMUgQHHdpbGxAa2Vy
 bmVsLm9yZwAKCRC3rHDchMFjNMpPB/9OH2pp6QaosJKz6zHawyvG6K1RxCQC7TZw
 PCXKWF1N9b1z/ZBq47goDC0rRxVzx+OAO9MY4DMLojWvv51GT/Z/LhrYkpXek48I
 Dkfz8ZmhSyO54M8LDQQ79zKG4FzpLVsvVP2z9bMaq9Ut5BSNcKmjvY7h27/znk7N
 fW0lRVBt3C7Cu5DTBqq3BN3AXEwoANb4QvqmmA6D/pZvl5MUXolulww6czknYyIE
 VD7m7s6A3bPUWWVSWHuYxL9/N8fP7HbcBL09dEtIKI4n1O+mvvCx9uHxxokBGuSV
 ENu7BWfm0LJ5JibbW/rSOT8u2tw4xY4njhXu06PnxWXQSF8RcaOV
 =7zhy
 -----END PGP SIGNATURE-----

Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

Pull arm64 fixes from Will Deacon:
 "Here are another three arm64 fixes for 5.6, all pretty minor. Main
  thing is fixing a silly bug in the fsl_imx8_ddr PMU driver where we
  would zero the counters when disabling them.

   - Fix misreporting of ASID limit when KPTI is enabled

   - Fix busted NULL pointer checks for GICC structure in ACPI PMU code

   - Avoid nobbling the "fsl_imx8_ddr" PMU counters when disabling them"

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  arm64: context: Fix ASID limit in boot messages
  drivers/perf: arm_pmu_acpi: Fix incorrect checking of gicc pointer
  drivers/perf: fsl_imx8_ddr: Correct the CLEAR bit definition
2020-03-06 14:35:47 -06:00
Zhang Xiaoxu
513dc792d6 vgacon: Fix a UAF in vgacon_invert_region
When syzkaller tests, there is a UAF:
  BUG: KASan: use after free in vgacon_invert_region+0x9d/0x110 at addr
    ffff880000100000
  Read of size 2 by task syz-executor.1/16489
  page:ffffea0000004000 count:0 mapcount:-127 mapping:          (null)
  index:0x0
  page flags: 0xfffff00000000()
  page dumped because: kasan: bad access detected
  CPU: 1 PID: 16489 Comm: syz-executor.1 Not tainted
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
  rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
  Call Trace:
    [<ffffffffb119f309>] dump_stack+0x1e/0x20
    [<ffffffffb04af957>] kasan_report+0x577/0x950
    [<ffffffffb04ae652>] __asan_load2+0x62/0x80
    [<ffffffffb090f26d>] vgacon_invert_region+0x9d/0x110
    [<ffffffffb0a39d95>] invert_screen+0xe5/0x470
    [<ffffffffb0a21dcb>] set_selection+0x44b/0x12f0
    [<ffffffffb0a3bfae>] tioclinux+0xee/0x490
    [<ffffffffb0a1d114>] vt_ioctl+0xff4/0x2670
    [<ffffffffb0a0089a>] tty_ioctl+0x46a/0x1a10
    [<ffffffffb052db3d>] do_vfs_ioctl+0x5bd/0xc40
    [<ffffffffb052e2f2>] SyS_ioctl+0x132/0x170
    [<ffffffffb11c9b1b>] system_call_fastpath+0x22/0x27
    Memory state around the buggy address:
     ffff8800000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     00 00
     ffff8800000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00
     00 00 00
    >ffff880000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff
     ff ff ff

It can be reproduce in the linux mainline by the program:
  #include <stdio.h>
  #include <stdlib.h>
  #include <unistd.h>
  #include <fcntl.h>
  #include <sys/types.h>
  #include <sys/stat.h>
  #include <sys/ioctl.h>
  #include <linux/vt.h>

  struct tiocl_selection {
    unsigned short xs;      /* X start */
    unsigned short ys;      /* Y start */
    unsigned short xe;      /* X end */
    unsigned short ye;      /* Y end */
    unsigned short sel_mode; /* selection mode */
  };

  #define TIOCL_SETSEL    2
  struct tiocl {
    unsigned char type;
    unsigned char pad;
    struct tiocl_selection sel;
  };

  int main()
  {
    int fd = 0;
    const char *dev = "/dev/char/4:1";

    struct vt_consize v = {0};
    struct tiocl tioc = {0};

    fd = open(dev, O_RDWR, 0);

    v.v_rows = 3346;
    ioctl(fd, VT_RESIZEX, &v);

    tioc.type = TIOCL_SETSEL;
    ioctl(fd, TIOCLINUX, &tioc);

    return 0;
  }

When resize the screen, update the 'vc->vc_size_row' to the new_row_size,
but when 'set_origin' in 'vgacon_set_origin', vgacon use 'vga_vram_base'
for 'vc_origin' and 'vc_visible_origin', not 'vc_screenbuf'. It maybe
smaller than 'vc_screenbuf'. When TIOCLINUX, use the new_row_size to calc
the offset, it maybe larger than the vga_vram_size in vgacon driver, then
bad access.
Also, if set an larger screenbuf firstly, then set an more larger
screenbuf, when copy old_origin to new_origin, a bad access may happen.

So, If the screen size larger than vga_vram, resize screen should be
failed. This alse fix CVE-2020-8649 and CVE-2020-8647.

Linus pointed out that overflow checking seems absent. We're saved by
the existing bounds checks in vc_do_resize() with rather strict
limits:

	if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
		return -EINVAL;

Fixes: 0aec4867dc ("[PATCH] SVGATextMode fix")
Reference: CVE-2020-8647 and CVE-2020-8649
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
[danvet: augment commit message to point out overflow safety]
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20200304022429.37738-1-zhangxiaoxu5@huawei.com
2020-03-06 21:06:34 +01:00