1. 25 May, 2018 4 commits
    •
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · 34b48b87
      Linus Torvalds committed on
      Pull rdma fixes from Jason Gunthorpe:
       "This is pretty much just the usual array of smallish driver bugs.
      
         - remove bouncing addresses from the MAINTAINERS file
      
         - kernel oops and bad error handling fixes for hfi, i40iw, cxgb4, and
           hns drivers
      
         - various small LOC behavioral/operational bugs in mlx5, hns, qedr
           and i40iw drivers
      
         - two fixes for patches already sent during the merge window
      
         - a long-standing bug related to not decreasing the pinned pages
           count in the right MM was found and fixed"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: (28 commits)
        RDMA/hns: Move the location for initializing tmp_len
        RDMA/hns: Bugfix for cq record db for kernel
        IB/uverbs: Fix uverbs_attr_get_obj
        RDMA/qedr: Fix doorbell bar mapping for dpi > 1
        IB/umem: Use the correct mm during ib_umem_release
        iw_cxgb4: Fix an error handling path in 'c4iw_get_dma_mr()'
        RDMA/i40iw: Avoid panic when reading back the IRQ affinity hint
        RDMA/i40iw: Avoid reference leaks when processing the AEQ
        RDMA/i40iw: Avoid panic when objects are being created and destroyed
        RDMA/hns: Fix the bug with NULL pointer
        RDMA/hns: Set NULL for __internal_mr
        RDMA/hns: Enable inner_pa_vld filed of mpt
        RDMA/hns: Set desc_dma_addr for zero when free cmq desc
        RDMA/hns: Fix the bug with rq sge
        RDMA/hns: Not support qp transition from reset to reset for hip06
        RDMA/hns: Add return operation when configured global param fail
        RDMA/hns: Update convert function of endian format
        RDMA/hns: Load the RoCE dirver automatically
        RDMA/hns: Bugfix for rq record db for kernel
        RDMA/hns: Add rq inline flags judgement
        ...
    •
      Merge tag 'for-4.17-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · d7b66b4a
      Linus Torvalds committed on
      Pull btrfs fix from David Sterba:
       "A one-liner that prevents leaking an internal error value 1 out of the
        ftruncate syscall.
      
        This has been observed in practice. The steps to reproduce make a
        common pattern (open/write/fsync/ftruncate) but also need the
        application to not check only for negative values and happens only for
        compressed inlined files.
      
        The conditions are narrow but as this could break userspace I think
        it's better to merge it now and not wait for the merge window"
      
      * tag 'for-4.17-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        Btrfs: fix error handling in btrfs_truncate()
    •
      Revert "mm/cma: manage the memory of the CMA area by using the ZONE_MOVABLE" · d883c6cf
      Joonsoo Kim committed on
      This reverts the following commits that change CMA design in MM.
      
       3d2054ad ("ARM: CMA: avoid double mapping to the CMA area if CONFIG_HIGHMEM=y")
      
       1d47a3ec ("mm/cma: remove ALLOC_CMA")
      
       bad8c6c0 ("mm/cma: manage the memory of the CMA area by using the ZONE_MOVABLE")
      
      Ville reported the following error on i386.
      
        Inode-cache hash table entries: 65536 (order: 6, 262144 bytes)
        microcode: microcode updated early to revision 0x4, date = 2013-06-28
        Initializing CPU#0
        Initializing HighMem for node 0 (000377fe:00118000)
        Initializing Movable for node 0 (00000001:00118000)
        BUG: Bad page state in process swapper  pfn:377fe
        page:f53effc0 count:0 mapcount:-127 mapping:00000000 index:0x0
        flags: 0x80000000()
        raw: 80000000 00000000 00000000 ffffff80 00000000 00000100 00000200 00000001
        page dumped because: nonzero mapcount
        Modules linked in:
        CPU: 0 PID: 0 Comm: swapper Not tainted 4.17.0-rc5-elk+ #145
        Hardware name: Dell Inc. Latitude E5410/03VXMC, BIOS A15 07/11/2013
        Call Trace:
         dump_stack+0x60/0x96
         bad_page+0x9a/0x100
         free_pages_check_bad+0x3f/0x60
         free_pcppages_bulk+0x29d/0x5b0
         free_unref_page_commit+0x84/0xb0
         free_unref_page+0x3e/0x70
         __free_pages+0x1d/0x20
         free_highmem_page+0x19/0x40
         add_highpages_with_active_regions+0xab/0xeb
         set_highmem_pages_init+0x66/0x73
         mem_init+0x1b/0x1d7
         start_kernel+0x17a/0x363
         i386_start_kernel+0x95/0x99
         startup_32_smp+0x164/0x168
      
      The reason for this error is that the span of MOVABLE_ZONE is extended
      to whole node span for future CMA initialization, and, normal memory is
      wrongly freed here.  I submitted the fix and it seems to work, but,
      another problem happened.
      
      It's too late to fix the later problem, so I decided to revert the
      series.
      Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
      Acked-by: Laura Abbott <labbott@redhat.com>
      Acked-by: Michal Hocko <mhocko@suse.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    •
      Merge branch 'for-4.17-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata · 577e75e0
      Linus Torvalds committed on
      Pull libata fixes from Tejun Heo:
       "Nothing too interesting.  Four patches to update the blacklist and
        add a controller ID"
      
      * 'for-4.17-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
        ahci: Add PCI ID for Cannon Lake PCH-LP AHCI
        libata: blacklist Micron 500IT SSD with MU01 firmware
        libata: Apply NOLPM quirk for SAMSUNG PM830 CXM13D1Q.
        libata: Blacklist some Sandisk SSDs for NCQ
  2. 24 May, 2018 8 commits
  3. 23 May, 2018 6 commits
    •
      Merge tag 'mfd-fixes-4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd · bee79752
      Linus Torvalds committed on
      Pull MFD fix from Lee Jones:
       "A single cros_ec_spi fix correcting the handling for long-running
        commands"
      
      * tag 'mfd-fixes-4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd:
        mfd: cros_ec: Retry commands when EC is known to be busy
    •
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mattst88/alpha · 9ce86543
      Linus Torvalds committed on
      Pull alpha fixes from Matt Turner:
       "A few small changes for alpha"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mattst88/alpha:
        alpha: io: reorder barriers to guarantee writeX() and iowriteX() ordering #2
        alpha: simplify get_arch_dma_ops
        alpha: use dma_direct_ops for jensen
    •
      mfd: cros_ec: Retry commands when EC is known to be busy · 11799564
      Brian Norris committed on
      Commit 001dde94 ("mfd: cros ec: spi: Fix "in progress" error
      signaling") pointed out some bad code, but its analysis and conclusion
      was not 100% correct.
      
      It *is* correct that we should not propagate result==EC_RES_IN_PROGRESS
      for transport errors, because this has a special meaning -- that we
      should follow up with EC_CMD_GET_COMMS_STATUS until the EC is no longer
      busy. This is definitely the wrong thing for many commands, because
      among other problems, EC_CMD_GET_COMMS_STATUS doesn't actually retrieve
      any RX data from the EC, so commands that expected some data back will
      instead start processing junk.
      
      For such commands, the right answer is to either propagate the error
      (and return that error to the caller) or resend the original command
      (*not* EC_CMD_GET_COMMS_STATUS).
      
      Unfortunately, commit 001dde94 forgets a crucial point: that for
      some long-running operations, the EC physically cannot respond to
      commands any more. For example, with EC_CMD_FLASH_ERASE, the EC may be
      re-flashing its own code regions, so it can't respond to SPI interrupts.
      Instead, the EC prepares us ahead of time for being busy for a "long"
      time, and fills its hardware buffer with EC_SPI_PAST_END. Thus, we
      expect to see several "transport" errors (or, messages filled with
      EC_SPI_PAST_END). So we should really translate that to a retryable
      error (-EAGAIN) and continue sending EC_CMD_GET_COMMS_STATUS until we
      get a ready status.
      
      IOW, it is actually important to treat some of these "junk" values as
      retryable errors.
      
      Together with commit 001dde94, this resolves bugs like the
      following:
      
      1. EC_CMD_FLASH_ERASE now works again (with commit 001dde94, we
         would abort the first time we saw EC_SPI_PAST_END)
      2. Before commit 001dde94, transport errors (e.g.,
         EC_SPI_RX_BAD_DATA) seen in other commands (e.g.,
         EC_CMD_RTC_GET_VALUE) used to yield junk data in the RX buffer; they
         will now yield -EAGAIN return values, and tools like 'hwclock' will
         simply fail instead of retrieving and re-programming undefined time
         values
      
      Fixes: 001dde94 ("mfd: cros ec: spi: Fix "in progress" error signaling")
      Signed-off-by: Brian Norris <briannorris@chromium.org>
      Signed-off-by: Lee Jones <lee.jones@linaro.org>
    •
      alpha: io: reorder barriers to guarantee writeX() and iowriteX() ordering #2 · 92d7223a
      Sinan Kaya committed on
      memory-barriers.txt has been updated with the following requirement.
      
      "When using writel(), a prior wmb() is not needed to guarantee that the
      cache coherent memory writes have completed before writing to the MMIO
      region."
      
      Current writeX() and iowriteX() implementations on alpha are not
      satisfying this requirement as the barrier is after the register write.
      
      Move mb() in writeX() and iowriteX() functions to guarantee that HW
      observes memory changes before performing register operations.
      Signed-off-by: Sinan Kaya <okaya@codeaurora.org>
      Reported-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Matt Turner <mattst88@gmail.com>
    •
      alpha: simplify get_arch_dma_ops · f5e82fa2
      Christoph Hellwig committed on
      Remove the dma_ops indirection.
      Signed-off-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Matt Turner <mattst88@gmail.com>
    •
      alpha: use dma_direct_ops for jensen · 6db61543
      Christoph Hellwig committed on
      The generic dma_direct implementation does the same thing as the alpha
      pci-noop implementation, just with more bells and whistles.  And unlike
      the current code it at least has a theoretical chance to actually compile.
      Signed-off-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Matt Turner <mattst88@gmail.com>
  4. 22 May, 2018 17 commits
    •
      PM / core: Fix direct_complete handling for devices with no callbacks · c62ec461
      Rafael J. Wysocki committed on
      Commit 08810a41 (PM / core: Add NEVER_SKIP and SMART_PREPARE
      driver flags) inadvertently prevented the power.direct_complete flag
      from being set for devices without PM callbacks and with disabled
      runtime PM which also prevents power.direct_complete from being set
      for their parents.  That led to problems including a resume crash on
      HP ZBook 14u.
      
      Restore the previous behavior by causing power.direct_complete to be
      set for those devices again, but do that in a more direct way to
      avoid overlooking that case in the future.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=199693
      Fixes: 08810a41 (PM / core: Add NEVER_SKIP and SMART_PREPARE driver flags)
      Reported-by: Thomas Martitz <kugel@rockbox.org>
      Tested-by: Thomas Martitz <kugel@rockbox.org>
      Cc: 4.15+ <stable@vger.kernel.org> # 4.15+
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
      Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
      Reviewed-by: Johan Hovold <johan@kernel.org>
    •
      powerpc/64s: Add support for a store forwarding barrier at kernel entry/exit · a048a07d
      Nicholas Piggin committed on
      On some CPUs we can prevent a vulnerability related to store-to-load
      forwarding by preventing store forwarding between privilege domains,
      by inserting a barrier in kernel entry and exit paths.
      
      This is known to be the case on at least Power7, Power8 and Power9
      powerpc CPUs.
      
      Barriers must be inserted generally before the first load after moving
      to a higher privilege, and after the last store before moving to a
      lower privilege, HV and PR privilege transitions must be protected.
      
      Barriers are added as patch sections, with all kernel/hypervisor entry
      points patched, and the exit points to lower privilege levels patched
      similarly to the RFI flush patching.
      
      Firmware advertisement is not implemented yet, so CPU flush types
      are hard coded.
      
      Thanks to Michal Suchánek for bug fixes and review.
      Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
      Signed-off-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
      Signed-off-by: Michael Neuling <mikey@neuling.org>
      Signed-off-by: Michal Suchánek <msuchanek@suse.de>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    •
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · c85061e6
      Linus Torvalds committed on
      Pull SCSI fixes from James Bottomley:
       "Two driver fixes (zfcp and target core), one information leak in sg
        and one build clean up"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()
        scsi: core: clean up generated file scsi_devinfo_tbl.c
        scsi: target: tcmu: fix error resetting qfull_time_out to default
        scsi: zfcp: fix infinite iteration on ERP ready list
    •
      Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 5997aab0
      Linus Torvalds committed on
      Pull vfs fixes from Al Viro:
       "Assorted fixes all over the place"
      
      * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        aio: fix io_destroy(2) vs. lookup_ioctx() race
        ext2: fix a block leak
        nfsd: vfs_mkdir() might succeed leaving dentry negative unhashed
        cachefiles: vfs_mkdir() might succeed leaving dentry negative unhashed
        unfuck sysfs_mount()
        kernfs: deal with kernfs_fill_super() failures
        cramfs: Fix IS_ENABLED typo
        befs_lookup(): use d_splice_alias()
        affs_lookup: switch to d_splice_alias()
        affs_lookup(): close a race with affs_remove_link()
        fix breakage caused by d_find_alias() semantics change
        fs: don't scan the inode cache before SB_BORN is set
        do d_instantiate/unlock_new_inode combinations safely
        iov_iter: fix memory leak in pipe_get_pages_alloc()
        iov_iter: fix return type of __pipe_get_pages()
    •
      loop: clear wb_err in bd_inode when detaching backing file · eedffa28
      Jeff Layton committed on
      When a loop block device encounters a writeback error, that error will
      get propagated to the bd_inode's wb_err field. If we then detach the
      backing file from it, attach another and fsync it, we'll get back the
      writeback error that we had from the previous backing file.
      
      This is a bit of a grey area as POSIX doesn't cover loop devices, but it
      is somewhat counterintuitive.
      
      If we detach a backing file from the loopdev while there are still
      unreported errors, take it as a sign that we're no longer interested in
      the previous file, and clear out the wb_err in the loop blockdev.
      Reported-and-Tested-by: Theodore Y. Ts'o <tytso@mit.edu>
      Signed-off-by: Jeff Layton <jlayton@redhat.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    •
      aio: fix io_destroy(2) vs. lookup_ioctx() race · baf10564
      Al Viro committed on
      kill_ioctx() used to have an explicit RCU delay between removing the
      reference from ->ioctx_table and percpu_ref_kill() dropping the refcount.
      At some point that delay had been removed, on the theory that
      percpu_ref_kill() itself contained an RCU delay.  Unfortunately, that was
      the wrong kind of RCU delay and it didn't care about rcu_read_lock() used
      by lookup_ioctx().  As the result, we could get ctx freed right under
      lookup_ioctx().  Tejun has fixed that in a6d7cff4 ("fs/aio: Add explicit
      RCU grace period when freeing kioctx"); however, that fix is not enough.
      
      Suppose io_destroy() from one thread races with e.g. io_setup() from another;
      CPU1 removes the reference from current->mm->ioctx_table[...] just as CPU2
      has picked it (under rcu_read_lock()).  Then CPU1 proceeds to drop the
      refcount, getting it to 0 and triggering a call of free_ioctx_users(),
      which proceeds to drop the secondary refcount and once that reaches zero
      calls free_ioctx_reqs().  That does
              INIT_RCU_WORK(&ctx->free_rwork, free_ioctx);
              queue_rcu_work(system_wq, &ctx->free_rwork);
      and schedules freeing the whole thing after RCU delay.
      
      In the meanwhile CPU2 has gotten around to percpu_ref_get(), bumping the
      refcount from 0 to 1 and returned the reference to io_setup().
      
      Tejun's fix (that queue_rcu_work() in there) guarantees that ctx won't get
      freed until after percpu_ref_get().  Sure, we'd increment the counter before
      ctx can be freed.  Now we are out of rcu_read_lock() and there's nothing to
      stop freeing of the whole thing.  Unfortunately, CPU2 assumes that since it
      has grabbed the reference, ctx is *NOT* going away until it gets around to
      dropping that reference.
      
      The fix is obvious - use percpu_ref_tryget_live() and treat failure as miss.
      It's not costlier than what we currently do in normal case, it's safe to
      call since freeing *is* delayed and it closes the race window - either
      lookup_ioctx() comes before percpu_ref_kill() (in which case ctx->users
      won't reach 0 until the caller of lookup_ioctx() drops it) or lookup_ioctx()
      fails, ctx->users is unaffected and caller of lookup_ioctx() doesn't see
      the object in question at all.
      
      Cc: stable@kernel.org
      Fixes: a6d7cff4 "fs/aio: Add explicit RCU grace period when freeing kioctx"
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    •
      ext2: fix a block leak · 5aa1437d
      Al Viro committed on
      open file, unlink it, then use ioctl(2) to make it immutable or
      append only.  Now close it and watch the blocks *not* freed...
      
      Immutable/append-only checks belong in ->setattr().
      Note: the bug is old and backport to anything prior to 737f2e93
      ("ext2: convert to use the new truncate convention") will need
      these checks lifted into ext2_setattr().
      
      Cc: stable@kernel.org
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    •
      nfsd: vfs_mkdir() might succeed leaving dentry negative unhashed · 3819bb0d
      Al Viro committed on
      That can (and does, on some filesystems) happen - ->mkdir() (and thus
      vfs_mkdir()) can legitimately leave its argument negative and just
      unhash it, counting upon the lookup to pick the object we'd created
      next time we try to look at that name.
      
      Some vfs_mkdir() callers forget about that possibility...
      Acked-by: J. Bruce Fields <bfields@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    •
      cachefiles: vfs_mkdir() might succeed leaving dentry negative unhashed · 9c3e9025
      Al Viro committed on
      That can (and does, on some filesystems) happen - ->mkdir() (and thus
      vfs_mkdir()) can legitimately leave its argument negative and just
      unhash it, counting upon the lookup to pick the object we'd created
      next time we try to look at that name.
      
      Some vfs_mkdir() callers forget about that possibility...
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    •
      unfuck sysfs_mount() · 7b745a4e
      Al Viro committed on
      new_sb is left uninitialized in case of early failures in kernfs_mount_ns(),
      and while IS_ERR(root) is true in all such cases, using IS_ERR(root) || !new_sb
      is not a solution - IS_ERR(root) is true in some cases when new_sb is true.
      
      Make sure new_sb is initialized (and matches the reality) in all cases and
      fix the condition for dropping kobj reference - we want it done precisely
      in those situations where the reference has not been transferred into a new
      super_block instance.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    •
      kernfs: deal with kernfs_fill_super() failures · 82382ace
      Al Viro committed on
      make sure that info->node is initialized early, so that kernfs_kill_sb()
      can list_del() it safely.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    •
      cramfs: Fix IS_ENABLED typo · 08a8f308
      Joe Perches committed on
      There's an extra C here...
      
      Fixes: 99c18ce5 ("cramfs: direct memory access support")
      Acked-by: Nicolas Pitre <nico@linaro.org>
      Signed-off-by: Joe Perches <joe@perches.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    •
      befs_lookup(): use d_splice_alias() · f4e4d434
      Al Viro committed on
      RTFS(Documentation/filesystems/nfs/Exporting) if you try to make
      something exportable.
      
      Fixes: ac632f5b "befs: add NFS export support"
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    •
      affs_lookup: switch to d_splice_alias() · 87fbd639
      Al Viro committed on
      Making something exportable takes more than providing ->s_export_ops.
      In particular, ->lookup() *MUST* use d_splice_alias() instead of
      d_add().
      
      Reading Documentation/filesystems/nfs/Exporting would've been a good idea;
      as it is, exporting AFFS is badly (and exploitably) broken.
      
      Partially-Fixes: ed4433d7 "fs/affs: make affs exportable"
      Acked-by: David Sterba <dsterba@suse.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    •
      affs_lookup(): close a race with affs_remove_link() · 30da870c
      Al Viro committed on
      we unlock the directory hash too early - if we are looking at secondary
      link and primary (in another directory) gets removed just as we unlock,
      we could have the old primary moved in place of the secondary, leaving
      us to look into freed entry (and leaving our dentry with ->d_fsdata
      pointing to a freed entry).
      
      Cc: stable@vger.kernel.org # 2.4.4+
      Acked-by: David Sterba <dsterba@suse.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    •
      Merge branch 'speck-v20' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 3b78ce4a
      Linus Torvalds committed on
      Merge speculative store buffer bypass fixes from Thomas Gleixner:
      
       - rework of the SPEC_CTRL MSR management to accommodate the new fancy
         SSBD (Speculative Store Bypass Disable) bit handling.
      
       - the CPU bug and sysfs infrastructure for the exciting new Speculative
         Store Bypass 'feature'.
      
       - support for disabling SSB via LS_CFG MSR on AMD CPUs including
         Hyperthread synchronization on ZEN.
      
       - PRCTL support for dynamic runtime control of SSB
      
       - SECCOMP integration to automatically disable SSB for sandboxed
         processes with a filter flag for opt-out.
      
       - KVM integration to allow guests fiddling with SSBD including the new
         software MSR VIRT_SPEC_CTRL to handle the LS_CFG based oddities on
         AMD.
      
       - BPF protection against SSB
      
      .. this is just the core and x86 side, other architecture support will
      come separately.
      
      * 'speck-v20' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (49 commits)
        bpf: Prevent memory disambiguation attack
        x86/bugs: Rename SSBD_NO to SSB_NO
        KVM: SVM: Implement VIRT_SPEC_CTRL support for SSBD
        x86/speculation, KVM: Implement support for VIRT_SPEC_CTRL/LS_CFG
        x86/bugs: Rework spec_ctrl base and mask logic
        x86/bugs: Remove x86_spec_ctrl_set()
        x86/bugs: Expose x86_spec_ctrl_base directly
        x86/bugs: Unify x86_spec_ctrl_{set_guest,restore_host}
        x86/speculation: Rework speculative_store_bypass_update()
        x86/speculation: Add virtualized speculative store bypass disable support
        x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL
        x86/speculation: Handle HT correctly on AMD
        x86/cpufeatures: Add FEATURE_ZEN
        x86/cpufeatures: Disentangle SSBD enumeration
        x86/cpufeatures: Disentangle MSR_SPEC_CTRL enumeration from IBRS
        x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP
        KVM: SVM: Move spec control call after restore of GS
        x86/cpu: Make alternative_msr_write work for 32-bit code
        x86/bugs: Fix the parameters alignment and missing void
        x86/bugs: Make cpu_show_common() static
        ...
    •
      sr: pass down correctly sized SCSI sense buffer · f7068114
      Jens Axboe committed on
      We're casting the CDROM layer request_sense to the SCSI sense
      buffer, but the former is 64 bytes and the latter is 96 bytes.
      As we generally allocate these on the stack, we end up blowing
      up the stack.
      
      Fix this by wrapping the scsi_execute() call with a properly
      sized sense buffer, and copying back the bits for the CDROM
      layer.
      
      Cc: stable@vger.kernel.org
      Reported-by: Piotr Gabriel Kosinski <pg.kosinski@gmail.com>
      Reported-by: Daniel Shapira <daniel@twistlock.com>
      Tested-by: Kees Cook <keescook@chromium.org>
      Fixes: 82ed4db4 ("block: split scsi_request out of struct request")
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
  5. 21 May, 2018 5 commits
    •
      Merge tag 'mips_fixes_4.17_2' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/mips · 6741c4bb
      Linus Torvalds committed on
      Pull MIPS fixes from James Hogan:
      
       - fix build with DEBUG_ZBOOT and MACH_JZ4770 (4.16)
      
       - include xilfpga FDT in fitImage and stop generating dtb.o (4.15)
      
       - fix software IO coherence on CM SMP systems (4.8)
      
       - ptrace: Fix PEEKUSR/POKEUSR to o32 FGRs (3.14)
      
       - ptrace: Expose FIR register through FP regset (3.13)
      
       - fix typo in KVM debugfs file name (3.10)
      
      * tag 'mips_fixes_4.17_2' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/mips:
        MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs
        MIPS: xilfpga: Actually include FDT in fitImage
        MIPS: xilfpga: Stop generating useless dtb.o
        KVM: Fix spelling mistake: "cop_unsuable" -> "cop_unusable"
        MIPS: ptrace: Expose FIR register through FP regset
        MIPS: Fix build with DEBUG_ZBOOT and MACH_JZ4770
        MIPS: c-r4k: Fix data corruption related to cache coherence
    •
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 5aef268a
      Linus Torvalds committed on
      Pull networking fixes from David Miller:
      
       1) Fix refcounting bug for connections in on-packet scheduling mode of
          IPVS, from Julian Anastasov.
      
       2) Set network header properly in AF_PACKET's packet_snd, from Willem
          de Bruijn.
      
       3) Fix regressions in 3c59x by converting to generic DMA API. It was
          relying upon the hack that the PCI DMA interfaces would accept NULL
          for EISA devices. From Christoph Hellwig.
      
       4) Remove RDMA devices before unregistering netdev in QEDE driver, from
          Michal Kalderon.
      
       5) Use after free in TUN driver ptr_ring usage, from Jason Wang.
      
       6) Properly check for missing netlink attributes in SMC_PNETID
          requests, from Eric Biggers.
      
       7) Set DMA mask before performing any DMA operations in vmxnet3
          driver, from Regis Duchesne.
      
       8) Fix mlx5 build with SMP=n, from Saeed Mahameed.
      
       9) Classifier fixes in bcm_sf2 driver from Florian Fainelli.
      
      10) Tuntap use after free during release, from Jason Wang.
      
      11) Don't use stack memory in scatterlists in tls code, from Matt
          Mullins.
      
      12) Not fully initialized flow key object in ipv4 routing code, from
          David Ahern.
      
      13) Various packet headroom bug fixes in ip6_gre driver, from Petr
          Machata.
      
      14) Remove queues from XPS maps using correct index, from Amritha
          Nambiar.
      
      15) Fix use after free in sock_diag, from Eric Dumazet.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (64 commits)
        net: ip6_gre: fix tunnel metadata device sharing.
        cxgb4: fix offset in collecting TX rate limit info
        net: sched: red: avoid hashing NULL child
        sock_diag: fix use-after-free read in __sk_free
        sh_eth: Change platform check to CONFIG_ARCH_RENESAS
        net: dsa: Do not register devlink for unused ports
        net: Fix a bug in removing queues from XPS map
        bpf: fix truncated jump targets on heavy expansions
        bpf: parse and verdict prog attach may race with bpf map update
        bpf: sockmap update rollback on error can incorrectly dec prog refcnt
        net: test tailroom before appending to linear skb
        net: ip6_gre: Fix ip6erspan hlen calculation
        net: ip6_gre: Split up ip6gre_changelink()
        net: ip6_gre: Split up ip6gre_newlink()
        net: ip6_gre: Split up ip6gre_tnl_change()
        net: ip6_gre: Split up ip6gre_tnl_link_config()
        net: ip6_gre: Fix headroom request in ip6erspan_tunnel_xmit()
        net: ip6_gre: Request headroom in __gre6_xmit()
        selftests/bpf: check return value of fopen in test_verifier.c
        erspan: fix invalid erspan version.
        ...
    •
      libata: blacklist Micron 500IT SSD with MU01 firmware · 136d769e
      Sudip Mukherjee committed on
      While whitelisting Micron M500DC drives, the tweaked blacklist entry
      enabled queued TRIM from M500IT variants also. But these do not support
      queued TRIM. And while using those SSDs with the latest kernel we have
      seen errors and even the partition table getting corrupted.
      
      Some part from the dmesg:
      [    6.727384] ata1.00: ATA-9: Micron_M500IT_MTFDDAK060MBD, MU01, max UDMA/133
      [    6.727390] ata1.00: 117231408 sectors, multi 16: LBA48 NCQ (depth 31/32), AA
      [    6.741026] ata1.00: supports DRM functions and may not be fully accessible
      [    6.759887] ata1.00: configured for UDMA/133
      [    6.762256] scsi 0:0:0:0: Direct-Access     ATA      Micron_M500IT_MT MU01 PQ: 0 ANSI: 5
      
      and then for the error:
      [  120.860334] ata1.00: exception Emask 0x1 SAct 0x7ffc0007 SErr 0x0 action 0x6 frozen
      [  120.860338] ata1.00: irq_stat 0x40000008
      [  120.860342] ata1.00: failed command: SEND FPDMA QUEUED
      [  120.860351] ata1.00: cmd 64/01:00:00:00:00/00:00:00:00:00/a0 tag 0 ncq dma 512 out
               res 40/00:00:00:00:00/00:00:00:00:00/00 Emask 0x5 (timeout)
      [  120.860353] ata1.00: status: { DRDY }
      [  120.860543] ata1: hard resetting link
      [  121.166128] ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 300)
      [  121.166376] ata1.00: supports DRM functions and may not be fully accessible
      [  121.186238] ata1.00: supports DRM functions and may not be fully accessible
      [  121.204445] ata1.00: configured for UDMA/133
      [  121.204454] ata1.00: device reported invalid CHS sector 0
      [  121.204541] sd 0:0:0:0: [sda] tag#18 UNKNOWN(0x2003) Result: hostbyte=0x00 driverbyte=0x08
      [  121.204546] sd 0:0:0:0: [sda] tag#18 Sense Key : 0x5 [current]
      [  121.204550] sd 0:0:0:0: [sda] tag#18 ASC=0x21 ASCQ=0x4
      [  121.204555] sd 0:0:0:0: [sda] tag#18 CDB: opcode=0x93 93 08 00 00 00 00 00 04 28 80 00 00 00 30 00 00
      [  121.204559] print_req_error: I/O error, dev sda, sector 272512
      
      After a few reboots with these errors, the SSD is corrupted.
      After blacklisting it, the errors are not seen and the SSD does not get
      corrupted any more.
      
      Fixes: 243918be ("libata: Do not blacklist Micron M500DC")
      Cc: Martin K. Petersen <martin.petersen@oracle.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: Tejun Heo <tj@kernel.org>
    •
      Linux 4.17-rc6 · 771c577c
      Linus Torvalds committed on
    •
      Merge branch 'parisc-4.17-5' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux · 6fd5a36a
      Linus Torvalds committed on
      Pull parisc fixlets from Helge Deller:
       "Three small section mismatch fixes, one of them was found by 0-day
        test infrastructure"
      
      * 'parisc-4.17-5' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
        parisc: Move ccio_cujo20_fixup() into init section
        parisc: Move setup_profiling_timer() out of init section
        parisc: Move find_pa_parent_type() out of init section